28 research outputs found
Post-quantum Zero Knowledge in Constant Rounds
We construct a constant-round zero-knowledge classical argument for NP secure
against quantum attacks. We assume the existence of Quantum Fully-Homomorphic
Encryption and other standard primitives, known based on the Learning with
Errors Assumption for quantum algorithms. As a corollary, we also obtain a
constant-round zero-knowledge quantum argument for QMA.
At the heart of our protocol is a new no-cloning non-black-box simulation technique
A Black-Box Approach to Post-Quantum Zero-Knowledge in Constant Rounds
In a recent seminal work, Bitansky and Shmueli (STOC '20) gave the first construction of a constant round zero-knowledge argument for NP secure against quantum attacks.
However, their construction has several drawbacks compared to the classical counterparts.
Specifically, their construction only achieves computational soundness, requires strong assumptions of quantum hardness of learning with errors (QLWE assumption) and the existence of quantum fully homomorphic encryption (QFHE), and relies on non-black-box simulation.
In this paper, we resolve these issues at the cost of weakening the notion of zero-knowledge to what is called -zero-knowledge.
Concretely, we construct the following protocols:
- We construct a constant round interactive proof for NP that satisfies statistical soundness and black-box -zero-knowledge against quantum attacks assuming the existence of collapsing hash functions, which is a quantum counterpart of collision-resistant hash functions.
Interestingly, this construction is just an adapted version of the classical protocol by Goldreich and Kahan (JoC '96) though the proof of -zero-knowledge property against quantum adversaries requires novel ideas.
- We construct a constant round interactive argument for NP that satisfies computational soundness and black-box -zero-knowledge against quantum attacks only assuming the existence of post-quantum one-way functions.
At the heart of our results is a new quantum rewinding technique that enables a simulator to extract a committed message of a malicious verifier while simulating the verifier's internal state in an appropriate sense
On the Impossibility of Post-Quantum Black-Box Zero-Knowledge in Constant Rounds
We investigate the existence of constant-round post-quantum black-box
zero-knowledge protocols for . As a main result, we show that
there is no constant-round post-quantum black-box zero-knowledge argument for
unless . As constant-round
black-box zero-knowledge arguments for exist in the classical
setting, our main result points out a fundamental difference between
post-quantum and classical zero-knowledge protocols. Combining previous
results, we conclude that unless ,
constant-round post-quantum zero-knowledge protocols for exist if
and only if we use non-black-box techniques or relax certain security
requirements such as relaxing standard zero-knowledge to
-zero-knowledge. Additionally, we also prove that three-round and
public-coin constant-round post-quantum black-box -zero-knowledge
arguments for do not exist unless .
Asynchronous Multi-Party Quantum Computation
Multi-party quantum computation (MPQC) allows a set of parties to securely compute a quantum circuit over private quantum data. Current MPQC protocols rely on the fact that the network is synchronous, i.e., messages sent are guaranteed to be delivered within a known fixed delay upper bound, and unfortunately completely break down even when only a single message arrives late.
Motivated by real-world networks, the seminal work of Ben-Or, Canetti and Goldreich (STOC '93) initiated the study of multi-party computation for classical circuits over asynchronous networks, where the network delay can be arbitrary. In this work, we begin the study of asynchronous multi-party quantum computation (AMPQC) protocols, where the circuit to compute is quantum.
Our results completely characterize the optimal achievable corruption threshold: we present an n-party AMPQC protocol secure up to t < n/4 corruptions, and an impossibility result when t ≥ n/4 parties are corrupted. Remarkably, this characterization differs from the analogous classical setting, where the optimal corruption threshold is t < n/3
One-Way Functions Imply Secure Computation in a Quantum World
We prove that quantum-hard one-way functions imply simulation-secure quantum
oblivious transfer (QOT), which is known to suffice for secure computation of
arbitrary quantum functionalities. Furthermore, our construction only makes
black-box use of the quantum-hard one-way function.
Our primary technical contribution is a construction of extractable and
equivocal quantum bit commitments from quantum-hard one-way functions in the
standard model. Instantiating the Bennett-Brassard-Crépeau-Skubiszewska
(CRYPTO '91) framework with these commitments yields simulation-secure quantum
oblivious transfer
Certified Everlasting Zero-Knowledge Proof for QMA
In known constructions of classical zero-knowledge protocols for NP, either
zero-knowledge or soundness holds only against computationally bounded
adversaries. Indeed, achieving both statistical zero-knowledge and statistical
soundness at the same time with a classical verifier is impossible for NP unless
the polynomial-time hierarchy collapses, and it is also believed to be
impossible even with a quantum verifier. In this work, we introduce a novel
compromise, which we call the certified everlasting zero-knowledge proof for
QMA. It is a computational zero-knowledge proof for QMA, but the verifier
issues a classical certificate that shows that the verifier has deleted its
quantum information. If the certificate is valid, even an unbounded malicious
verifier can no longer learn anything beyond the validity of the statement. We
construct a certified everlasting zero-knowledge proof for QMA. For the
construction, we introduce a new quantum cryptographic primitive, which we call
commitment with statistical binding and certified everlasting hiding, where the
hiding property becomes statistical once the receiver has issued a valid
certificate that shows that the receiver has deleted the committed information.
We construct commitment with statistical binding and certified everlasting
hiding from quantum encryption with certified deletion by Broadbent and Islam
[TCC 2020] (in a black box way), and then combine it with the quantum
sigma-protocol for QMA by Broadbent and Grilo [FOCS 2020] to construct the
certified everlasting zero-knowledge proof for QMA. Our constructions are
secure in the quantum random oracle model. Commitment with statistical binding
and certified everlasting hiding itself is of independent interest, and there
will be many other useful applications beyond zero-knowledge.
New Constructions of Collapsing Hashes
Collapsing is a post-quantum strengthening of collision resistance, needed to lift many classical results to the quantum setting. Unfortunately, the only existing standard-model proofs of collapsing hashes require LWE. We construct the first collapsing hashes from the quantum hardness of any one of the following problems:
- LPN in a variety of low noise or high-hardness regimes, essentially matching what is known for collision resistance from LPN.
- Finding cycles on exponentially-large expander graphs, such as those arising from isogenies on elliptic curves.
- The optimal hardness of finding collisions in *any* hash function.
- The *polynomial* hardness of finding collisions, assuming a certain plausible regularity condition on the hash.
As an immediate corollary, we obtain the first statistically hiding post-quantum commitments and post-quantum succinct arguments (of knowledge) under the same assumptions. Our results are obtained by a general theorem which shows how to construct a collapsing hash from a post-quantum collision-resistant hash function , regardless of whether or not itself is collapsing, assuming satisfies a certain regularity condition we call semi-regularity
On the Concurrent Composition of Quantum Zero-Knowledge
We study the notion of zero-knowledge secure against quantum polynomial-time
verifiers (referred to as quantum zero-knowledge) in the concurrent composition
setting. Despite being extensively studied in the classical setting, concurrent
composition in the quantum setting has hardly been studied. We initiate a
formal study of concurrent quantum zero-knowledge. Our results are as follows:
- Bounded Concurrent QZK for NP and QMA: Assuming post-quantum one-way
functions, there exists a quantum zero-knowledge proof system for NP in the
bounded concurrent setting. In this setting, we fix a priori the number of
verifiers that can simultaneously interact with the prover. Under the same
assumption, we also show that there exists a quantum zero-knowledge proof
system for QMA in the bounded concurrency setting.
- Quantum Proofs of Knowledge: Assuming quantum hardness of learning with
errors (QLWE), there exists a bounded concurrent zero-knowledge proof system
for NP satisfying quantum proof of knowledge property. Our extraction mechanism
simultaneously allows for extraction probability to be negligibly close to
acceptance probability (extractability) and also ensures that the prover's
state after extraction is statistically close to the prover's state after
interacting with the verifier (simulatability). The seminal work of [Unruh
EUROCRYPT'12], and all its followups, satisfied a weaker version of
extractability property and moreover, did not achieve simulatability. Our
result yields a proof of quantum knowledge system for QMA with better
parameters than prior works
Non-Destructive Zero-Knowledge Proofs on Quantum States, and Multi-Party Generation of Authorized Hidden GHZ States
Due to the special no-cloning principle, quantum states appear to be very
useful in cryptography. But this very same property also has drawbacks: when
receiving a quantum state, it is nearly impossible for the receiver to
efficiently check non-trivial properties on that state without destroying it.
In this work, we initiate the study of Non-Destructive Zero-Knowledge Proofs
on Quantum States. Our method binds a quantum state to a classical encryption
of that quantum state. That way, the receiver can obtain guarantees on the
quantum state by asking the sender to prove properties directly on the
classical encryption. This method is therefore non-destructive, and it is
possible to verify a very large class of properties. For instance, we can force
the sender to send different categories of states depending on whether they
know a classical password or not. Moreover, we can also provide guarantees to
the sender: for example, we can ensure that the receiver will never learn
whether the sender knows the password or not.
We also extend this method to the multi-party setting. We show how it can
prove useful to distribute a GHZ state between different parties, in such a way
that only parties knowing a secret can be part of this GHZ. Moreover, the
identity of the parties that are part of the GHZ remains hidden to any
malicious party. A direct application would be to allow a server to create a
secret sharing of a qubit between unknown parties, authorized for example by a
third party Certification Authority.
Finally, we provide simpler "blind" versions of the protocols that could
prove useful in Anonymous Transmission or Quantum Onion Routing, and we make
explicit a cryptographic function required in our protocols based on the
Learning With Errors hardness problem.