Non-interactive quantum zero-knowledge proofs
Dominique Unruh, University of Tartu
Quantum “Fiat-Shamir”
Dominique Unruh Quantum NIZK with random oracle 2
Intro: Proof systems
Prover P (holds statement x and witness w) and verifier V (holds statement x)
• Soundness: Verifier accepts only true statements
• Zero-knowledge: Verifier learns nothing
Intro: Proof systems
Sigma-protocols
P → V: commitment; V → P: challenge; P → V: response
• Specific 3-round proofs
• Versatile combiners
• Simple to analyze
• Weak security
Non-interactive ZK
P → V: proof
• Ease of use
  – Concurrency, offline
• Need RO or CRS
• Lack of combiners
• Specific languages
Intro: Best of two worlds
Fiat-Shamir: Convert sigma-proto into NIZK
• Ease of use (concurrent, offline)
• Versatile combiners
• Simple analysis
• Uses random oracle
Interactive sigma-proto: P → V: commitment; V → P: challenge; P → V: response
Fiat-Shamir NIZK: P → V: com, H(com), resp
Intro: Best of two worlds (ctd.)
• Fiat-Shamir also implies:
  – Sigma-proto signatures (in RO)
• Fischlin’s scheme:
  – Also: sigma-proto NIZK (in RO)
  – No rewinding (online extraction)
  – Less efficient
Post-quantum security
Quantum computers
• Potential future threat
• Not there yet, but we need to be prepared
Post-quantum cryptography
• Classical crypto, secure against quantum attack
• Is Fiat-Shamir post-quantum secure?
Fiat-Shamir soundness
Fiat-Shamir: P → V: com, H(com), resp
Can be seen as: P sends com to H, which sets chal := H(com); P then sends the response to V.
• Rewinding ⇒ get two responses
• “Special soundness” of sigma-proto ⇒ compute witness
Quantum: superposition queries ⇒ messed-up state
Saving (quantum) Fiat-Shamir?
• Existing quantum rewinding techniques
  – Watrous / Unruh
  – Do not work with superposition queries
• Ambainis, Rosmanis, Unruh:
  – No relativizing security proof
• Consequence: Avoid rewinding!
NIZK without rewinding
Fischlin’s scheme:
• No rewinding
• Online extraction: list of queries ⇒ witness
• But again: no relativizing security proof
• List of queries:
  – Not well-defined: need to measure to get them
  – Disturbs state
Quantum online-extraction
Idea:
• Make RO invertible (for extractor)
• Ensure: all needed outputs contained in proof
Prover: queries x to H, obtains H(x), outputs proof
Extractor: applies H⁻¹ to the values in the proof to recover x, and from it the witness
Protocol construction
Prover prepares t commitments com_1, …, com_t. For each com_i it prepares m challenges chal_i1, …, chal_im with matching responses resp_i1, …, resp_im (so m (challenge, response) pairs per commitment).
• Hash all responses invertibly
• Hash to get selection of what to open (Fiat-Shamir style), e.g. resp_12, resp_2m, …, resp_t1 (one response per commitment)
• All this together is the proof
• W.h.p. at least one commitment has two valid responses
• Extractor gets them by inverting hash
• Two responses ⇒ witness
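The construction above, worked through on the Schnorr sigma-protocol as an added example (not code from the talk): t commitments, m hashed responses each, a Fiat-Shamir hash selecting one response per commitment to open, and the online extractor that recovers the witness from two responses once it can invert the response hash. The toy group (p = 23, q = 11, g = 4), the SHA-256 stand-in for the random oracle, and the `oracle_view` dictionary that models hash inversion are all constructed assumptions.

```python
import hashlib
import secrets

# Constructed toy group: g = 4 has prime order q = 11 in Z_23^* (tiny, for readability only).
P, Q, G = 23, 11, 4
T, M = 4, 3  # t commitments, each with m (challenge, response) pairs, as on the slide

def H(*parts):
    """Stand-in random oracle: SHA-256 over a tagged, '|'-joined transcript."""
    return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()

def select(y, coms, chals, hashes):
    """Fiat-Shamir style: hash everything to pick which response to open per commitment."""
    d = H("select", y, coms, chals, hashes)
    return [int(d[2 * i:2 * i + 2], 16) % M for i in range(T)]

def sigma_ok(y, com, c, s):
    """Schnorr verification equation g^s == com * y^c (mod p)."""
    return pow(G, s, P) == com * pow(y, c, P) % P

def prove(y, w):
    """Prove knowledge of w with y = g^w mod p. Returns (proof, oracle_view); oracle_view
    maps hashed responses back to responses and models the extractor's ability to invert
    the hash. It is NOT part of the proof."""
    rng = secrets.SystemRandom()
    rs = [rng.randrange(Q) for _ in range(T)]
    coms = [pow(G, r, P) for r in rs]
    chals = [rng.sample(range(Q), M) for _ in range(T)]         # m distinct challenges per com
    resps = [[(r + c * w) % Q for c in row] for r, row in zip(rs, chals)]
    hashes = [[H("resp", s) for s in row] for row in resps]     # "hash invertibly" every response
    sel = select(y, coms, chals, hashes)
    opened = [resps[i][sel[i]] for i in range(T)]
    proof = {"coms": coms, "chals": chals, "hashes": hashes, "opened": opened}
    view = {hashes[i][j]: resps[i][j] for i in range(T) for j in range(M)}
    return proof, view

def verify(y, pf):
    sel = select(y, pf["coms"], pf["chals"], pf["hashes"])
    for i in range(T):
        c, s = pf["chals"][i][sel[i]], pf["opened"][i]
        if not sigma_ok(y, pf["coms"][i], c, s):
            return False                                        # sigma-protocol check
        if H("resp", s) != pf["hashes"][i][sel[i]]:
            return False                                        # opened value matches its hash
    return True

def extract(y, pf, invert):
    """Online extractor: invert the hash on every committed response; a commitment with two
    valid responses gives w by special soundness: w = (s1 - s2) / (c1 - c2) mod q."""
    for i in range(T):
        good = [(c, invert[h]) for c, h in zip(pf["chals"][i], pf["hashes"][i])
                if h in invert and sigma_ok(y, pf["coms"][i], c, invert[h])]
        if len(good) >= 2:
            (c1, s1), (c2, s2) = good[:2]
            return (s1 - s2) * pow(c1 - c2, -1, Q) % Q
    return None
```

Changing any opened response makes `verify` fail, while an honest proof lets `extract` recover w from the inverted hashes without rewinding the prover.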
Invertible random oracle
• Random functions: not invertible
• Zhandry: RO ≈ -wise indep. function
Idea: Use invertible -wise indep. function
Problem: None known
Solution: Degree polynomials
• Almost invertible (a bounded number of candidates)
• Good enough
Final result
Theorem:
If the sigma-protocol has:
• Honest verifier zero-knowledge
• Special soundness
Then our protocol is:
• Zero-knowledge
• Simulation-sound online extractable
Further results
• Strongly unforgeable signatures (implied by the NIZK)
• New results for adaptive programming of quantum random oracle
• Invertible oracle trick (also used for variant of Fujisaki-Okamoto)
Saving Fiat-Shamir?
P → H: |com⟩ (in superposition); |chal⟩ := |H(com)⟩; P → V: resp
Superposition queries, as many as P wants
• Zero-knowledge: yes (same as for our proto)
• Soundness: no [Ambainis Rosmanis U]
  – Measuring disturbs state
• Hope: Soundness if underlying sigma-protocol has “strict soundness” / “unique responses”
Strict soundness
• Strict soundness: Given com, chall: at most one possible resp
• Helped before, for “proofs of knowledge”
  – Measuring response not disturbing (much)
P → H: |com⟩ (in superposition); |chal⟩ := |H(com)⟩; P → V: resp
Superposition queries, as many as P wants
Saving Fiat-Shamir now?
• With strict soundness: no counterexample
• Proof still unclear (how to rewind without disturbing quantum queries)
• Can be reduced to query-complexity problem
The query complexity problem
• Let be a quantum circuit,using random oracle ,implementing a projective measurement
• Game 1: State , apply .
• Game 2: State , apply , apply .
• Show:
Dominique Unruh
I thank you for your attention
This research was supported by European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa