31 research outputs found
Learning with Errors is easy with quantum samples
Learning with Errors is one of the fundamental problems in computational
learning theory and has in the last years become the cornerstone of
post-quantum cryptography. In this work, we study the quantum sample complexity
of Learning with Errors and show that there exists an efficient quantum
learning algorithm (with polynomial sample and time complexity) for the
Learning with Errors problem where the error distribution is the one used in
cryptography. While our quantum learning algorithm does not break the LWE-based
encryption schemes proposed in the cryptography literature, it does have some
interesting implications for cryptography: first, when building an LWE-based
scheme, one needs to be careful about the access to the public-key generation
algorithm that is given to the adversary; second, our algorithm shows a
possible way for attacking LWE-based encryption by using classical samples to
approximate the quantum sample state, since then using our quantum learning
algorithm would solve LWE
Perfect zero knowledge for quantum multiprover interactive proofs
In this work we consider the interplay between multiprover interactive
proofs, quantum entanglement, and zero knowledge proofs - notions that are
central pillars of complexity theory, quantum information and cryptography. In
particular, we study the relationship between the complexity class MIP, the
set of languages decidable by multiprover interactive proofs with quantumly
entangled provers, and the class PZKMIP, which is the set of languages
decidable by MIP protocols that furthermore possess the perfect zero
knowledge property.
Our main result is that the two classes are equal, i.e., MIP
PZKMIP. This result provides a quantum analogue of the celebrated result of
Ben-Or, Goldwasser, Kilian, and Wigderson (STOC 1988) who show that MIP
PZKMIP (in other words, all classical multiprover interactive protocols can be
made zero knowledge). We prove our result by showing that every MIP
protocol can be efficiently transformed into an equivalent zero knowledge
MIP protocol in a manner that preserves the completeness-soundness gap.
Combining our transformation with previous results by Slofstra (Forum of
Mathematics, Pi 2019) and Fitzsimons, Ji, Vidick and Yuen (STOC 2019), we
obtain the corollary that all co-recursively enumerable languages (which
include undecidable problems as well as all decidable problems) have zero
knowledge MIP protocols with vanishing promise gap
Two Combinatorial MA-Complete Problems
Despite the interest in the complexity class MA, the randomized analog of NP,
just a few natural MA-complete problems are known. The first problem was found
by (Bravyi and Terhal, SIAM Journal of Computing 2009); it was then followed by
(Crosson, Bacon and Brown, PRE 2010) and (Bravyi, Quantum Information and
Computation 2015). Surprisingly, two of these problems are defined using
terminology from quantum computation, while the third is inspired by quantum
computation and keeps a physical terminology. This prevents classical
complexity theorists from studying these problems, delaying potential progress,
e.g., on the NP vs. MA question.
Here, we define two new combinatorial problems and prove their
MA-completeness. The first problem, ACAC, gets as input a succinctly described
graph, with some marked vertices. The problem is to decide whether there is a
connected component with only unmarked vertices, or the graph is far from
having this property. The second problem, SetCSP, generalizes standard
constraint satisfaction problem (CSP) into constraints involving sets of
strings.
Technically, our proof that SetCSP is MA-complete is based on an observation
by (Aharonov and Grilo, FOCS 2019), in which it was noted that a restricted
case of Bravyi and Terhal's problem (namely, the uniform case) is already
MA-complete; a simple trick allows to state this restricted case using
combinatorial language. The fact that the first, more natural, problem of ACAC
is MA-hard follows quite naturally from this proof, while the containment of
ACAC in MA is based on the theory of random walks.
We notice that the main result of Aharonov and Grilo carries over to the
SetCSP problem in a straightforward way, implying that finding a
gap-amplification procedure for SetCSP (as in Dinur's PCP proof) is equivalent
to MA=NP. This provides an alternative new path towards the major problem of
derandomizing MA.Comment: Minor changes; Published in the proceedings of ITCS 202
QMA with subset state witnesses
The class QMA plays a fundamental role in quantum complexity theory and it
has found surprising connections to condensed matter physics and in particular
in the study of the minimum energy of quantum systems. In this paper, we
further investigate the class QMA and its related class QCMA by asking what
makes quantum witnesses potentially more powerful than classical ones. We
provide a definition of a new class, SQMA, where we restrict the possible
quantum witnesses to the "simpler" subset states, i.e. a uniform superposition
over the elements of a subset of n-bit strings. Surprisingly, we prove that
this class is equal to QMA, hence providing a new characterisation of the class
QMA. We also prove the analogous result for QMA(2) and describe a new complete
problem for QMA and a stronger lower bound for the class QMA
Encryption with Quantum Public Keys
It is an important question to find constructions of quantum cryptographic
protocols which rely on weaker computational assumptions than classical
protocols. Recently, it has been shown that oblivious transfer and multi-party
computation can be constructed from one-way functions, whereas this is
impossible in the classical setting in a black-box way. In this work, we study
the question of building quantum public-key encryption schemes from one-way
functions and even weaker assumptions. Firstly, we revisit the definition of
IND-CPA security to this setting. Then, we propose three schemes for quantum
public-key encryption from one-way functions, pseudorandom function-like states
with proof of deletion and pseudorandom function-like states, respectively.Comment: This paper is subsumed and superseded by arXiv:2303.0208
Quantum security of subset cover problems
The subset cover problem for hash functions, which can be seen as
an extension of the collision problem, was introduced in 2002 by Reyzin and
Reyzin to analyse the security of their hash-function based signature scheme
HORS.
The security of many hash-based signature schemes relies on this problem or a
variant of this problem (e.g. HORS, SPHINCS, SPHINCS+, \dots).
Recently, Yuan, Tibouchi and Abe (2022) introduced a variant to the subset
cover problem, called restricted subset cover, and proposed a quantum algorithm
for this problem. In this work, we prove that any quantum algorithm needs to
make queries to the underlying hash functions to
solve the restricted subset cover problem, which essentially matches the query
complexity of the algorithm proposed by Yuan, Tibouchi and Abe.
We also analyze the security of the general -subset cover problem,
which is the underlying problem that implies the unforgeability of HORS under a
-chosen message attack (for ). We prove that a generic quantum
algorithm needs to make queries to the underlying
hash functions to find a -subset cover.
We also propose a quantum algorithm that finds a -subset cover making
queries to the hash functions
Post-Quantum Zero-Knowledge with Space-Bounded Simulation
The traditional definition of quantum zero-knowledge stipulates that the knowledge gained by any quantum polynomial-time verifier in an interactive protocol can be simulated by a quantum polynomial-time algorithm. One drawback of this definition is that it allows the simulator to consume significantly more computational resources than the verifier. We argue that this drawback renders the existing notion of quantum zero-knowledge not viable for certain settings, especially when dealing with near-term quantum devices.
In this work, we initiate a fine-grained notion of post-quantum zero-knowledge that is more compatible with near-term quantum devices. We introduce the notion of space-bounded quantum zero-knowledge. In this new notion, we require that an -qubit malicious verifier can be simulated by a quantum polynomial-time algorithm that uses at most -qubits, for some function , and no restriction on the amount of the classical memory consumed by either the verifier or the simulator. We explore this notion and establish both positive and negative results:
- For verifiers with logarithmic quantum space and (arbitrary) polynomial classical space, we show that -space-bounded QZK, for , can be achieved based on the existence of post-quantum one-way functions. Moreover, our protocol runs in constant rounds.
- For verifiers with super-logarithmic quantum space , assuming the existence of post-quantum secure one-way functions, we show that -space-bounded QZK protocols, with fully black-box simulation (classical analogue of black-box simulation) can only be achieved for languages in BQP