Dominique Unruh

Non-interactivequantum zero-knowledge proofs

Dominique UnruhUniversity of Tartu

Quantum

“Fiat-Shamir”

Dominique Unruh Quantum NIZK with random oracle 2

Intro: Proof systems

P V

Statement xWitness w

Statement x

• Soundness: Verifier accepts only true statements

• Zero-knowledge: Verifier learns nothing

Dominique Unruh Quantum NIZK with random oracle 3

Intro: Proof systems

Sigma-protocols

P V

commitment

challenge

response

• Specific 3-round proofs• Versatile combiners• Simple to analyze• Weak security

Non-interactive ZK

P Vproof

• Ease of use– Concurrency, offline

• Need RO or CRS• Lack of combiners• Specific languages

Dominique Unruh Quantum NIZK with random oracle 4

Intro: Best of two worlds

Fiat-Shamir: Convert sigma-proto into NIZK

• Ease of use (concurrent, offline)• Versatile combiners• Simple analysis• Uses random oracle

P V

commitment

challenge

response

P Vcom, H(com), resp

Dominique Unruh Quantum NIZK with random oracle 5

Intro: Best of two world (ctd.)

• Fiat-Shamir also implies:– Sigma-proto signatures (in RO)

• Fischlin’s scheme:– Also: sigma-proto NIZK (in RO)– No rewinding (online extraction)– Less efficient

Dominique Unruh Quantum NIZK with random oracle 6

Post-quantum security

Quantum computers• Potential future threat• Not there yet,

but we need to be prepared

Post-quantum cryptography• Classical crypto,

secure against quantum attack• Is Fiat-Shamir post-quantum secure?

Dominique Unruh Quantum NIZK with random oracle 7

Fiat-Shamir soundness

Fiat-Shamir:

Can be seen as:

• Rewinding Get two responses• “Special soundness” of sigma-proto

Compute witness

P Vcom, H(com), resp

PH

comchal := H(com)

response V

Quantum

Superpositionqueries

messed-up state

Dominique Unruh Quantum NIZK with random oracle 8

Saving (quantum) Fiat-Shamir?

• Existing quantum rewinding techniques– Watrous / Unruh– Do not work with superposition queries

• Ambainis, Rosmanis, Unruh:– No relativizing security proof

• Consequence: Avoid rewinding!

Dominique Unruh Quantum NIZK with random oracle 9

NIZK without rewinding

Fischlin’s scheme:• No rewinding• Online extraction: List of queries Witness• But again: No relativizing security proof• List of queries:– Not well-defined: need to measure to get them– Disturbs state

Dominique Unruh Quantum NIZK with random oracle 10

Quantum online-extraction

Idea:

• Make RO invertible(for extractor)

• Ensure:all needed outputscontained in proof

P HProver:

Extractor:

𝑥𝐻 (𝑥)

proof

H -1

𝑥witness

Dominique Unruh Quantum NIZK with random oracle 11

Protocol construction

𝑐 𝑜𝑚1

¿¿

𝑐𝑜𝑚2

¿⋮¿

𝑐𝑜𝑚𝑡

⋮

𝑐 h𝑎𝑙11𝑐h𝑎𝑙12

⋮𝑐 h𝑎𝑙1𝑚

𝑟 𝑒𝑠𝑝11𝑟𝑒𝑠𝑝12

⋮𝑟𝑒𝑠𝑝1𝑚

𝑐 h𝑎𝑙21𝑐h𝑎𝑙22

⋮𝑐 h𝑎𝑙2𝑚

𝑟 𝑒𝑠𝑝21𝑟𝑒𝑠𝑝22

⋮𝑟𝑒𝑠𝑝2𝑚

𝑐 h𝑎𝑙𝑡1𝑐 h𝑎𝑙𝑡2

⋮𝑐 h𝑎𝑙𝑡𝑚

𝑟 𝑒𝑠𝑝𝑡 1

𝑟𝑒𝑠𝑝𝑡2

⋮𝑟𝑒𝑠𝑝𝑡𝑚

𝑥𝑥𝑥hash invertibly( )

Hash to get selection what to open(Fiat-Shamir style)

𝑟𝑒𝑠𝑝12

𝑟𝑒𝑠𝑝2𝑚

𝑟𝑒𝑠𝑝𝑡 1

all this togetheris the proof

• W.h.p. at least one has two valid

• Extractor gets them by inverting hash

• Two witness

Dominique Unruh Quantum NIZK with random oracle 12

Invertible random oracle

• Random functions: not invertible• Zhandry: RO -wise indep. Function

Idea: Use invertible -wise indep. functionProblem: None knownSolution: Degree polynomials• Almost invertible ( candidates)• Good enough

Dominique Unruh Quantum NIZK with random oracle 13

Final result

Theorem:

If the sigma-protocol has:• Honest verifier zero-knowledge• Special soundness

Then our protocol is:• Zero-knowledge• Simulation-sound online extractable

Dominique Unruh Quantum NIZK with random oracle 14

Further results

• Strongly unforgeable signatures(implied by the NIZK)

• New results for adaptive programming of quantum random oracle

• Invertible oracle trick(also used for variant of Fujisaki-Okamoto)

Dominique Unruh Quantum NIZK with random oracle 15

Saving Fiat-Shamir?

PH

¿𝑐𝑜𝑚 ⟩| h𝑐 𝑎𝑙 ⟩≔∨𝐻 (𝑐𝑜𝑚) ⟩𝑟𝑒𝑠𝑝 V

Superposition queries,as many as P wants

• Zero-knowledge: yes (same as for our proto)• Soundness: no [Ambainis Rosmanis U]– Measuring disturbs state

• Hope: Soundness if underlying sigma-protocol has “strict soundness” / “unique responses”

Dominique Unruh Quantum NIZK with random oracle 16

Strict soundness

• Strict soundness: Given com, chall: at most one possible resp

• Helped before, for “proofs of knowledge”– Measuring response not disturbing (much)

PH

¿𝑐𝑜𝑚 ⟩| h𝑐 𝑎𝑙 ⟩≔∨𝐻 (𝑐𝑜𝑚) ⟩𝑟𝑒𝑠𝑝 V

Superposition queries,as many as P wants

Dominique Unruh Quantum NIZK with random oracle 17

Saving Fiat-Shamir now?

• With strict soundness: no counterexample

• Proof still unclear(how to rewinding without disturbing quantum queries)

• Can be reduced to query-complexity problem

Dominique Unruh Quantum NIZK with random oracle 18

The query complexity problem

• Let be a quantum circuit,using random oracle ,implementing a projective measurement

• Game 1: State , apply .

• Game 2: State , apply , apply .

• Show:

Dominique Unruh

I thank for yourattention

This research was supported by European Social Fund’s

Doctoral Studies and Internationalisation

Programme DoRa