Non-interactive zero-knowledge with quantum random oracles
Dominique Unruh, University of Tartu
With Andris Ambainis, Ansis Rosmanis
Estonian Theory Days
WORK IN PROGRESS!
Classical Crypto
(Quick intro.)
Non-interactive zero-knowledge (NIZK)
[Diagram: statement x (math. fact) and witness w (proof of fact) → P → ZK proof of x]
• Zero-knowledge: Proof leaks nothing about witness
• Soundness: Hard to prove wrong statements
• Uses: Proving honest behavior, signatures, …
Towards efficient NIZK: Sigma protocols
[Diagram: Prover → Verifier: commitment; Verifier → Prover: challenge; Prover → Verifier: response]
• “Special soundness”: Two different responses allow computing the witness
• ⇒ For wrong statement, prover fails w.h.p.
Toward efficient NIZK: Random Oracles
• Model hash function as random function H
• Many useful proof techniques:
– Learn queries
– Insert “special” answers (“programming”)
– Rewind and re-answer
[Diagram: query x goes into H, answer H(x) comes back]
NIZK with random oracles
Fiat-Shamir
[Diagram: Prover computes com, chal = H(com), resp]
• NIZK consists of com, chal, resp
• Prover can’t cheat: H is like a verifier
• Security-proof: Rewinding
Fischlin
Fix com
Try different chal, resp until H(chal,resp)=xxx000
Proof := com,chal,resp
• Need to query several chal,resp
• Implies existence of witness
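Added example, not from the slides: the Fiat-Shamir transform and the special-soundness extractor that the classical rewinding proof relies on, instantiated with Schnorr's sigma protocol for knowledge of a discrete logarithm. The Schnorr instantiation, the toy group parameters, SHA-256 standing in for the random oracle, hashing the statement together with com, and all function names are assumptions made for this illustration.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration (far too small for real use):
# P = 2Q + 1 with P, Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """SHA-256 standing in for the random oracle; output is a challenge in Z_Q."""
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def commit():
    """Prover's first message: com = G^r for fresh secret randomness r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def respond(w, r, chal):
    """Prover's last message for witness w (statement x = G^w)."""
    return (r + chal * w) % Q

def sigma_verify(x, com, chal, resp):
    """Verifier's check of a transcript: G^resp == com * x^chal (mod P)."""
    return pow(G, resp, P) == (com * pow(x, chal, P)) % P

def fs_prove(x, w):
    """Fiat-Shamir: the hash plays the verifier and picks the challenge."""
    r, com = commit()
    chal = H(x, com)
    return com, chal, respond(w, r, chal)

def fs_verify(x, proof):
    com, chal, resp = proof
    return chal == H(x, com) and sigma_verify(x, com, chal, resp)

def extract(t1, t2):
    """Special soundness: two accepting (chal, resp) pairs for the same com
    with different challenges yield the witness."""
    (c1, s1), (c2, s2) = t1, t2
    if (c1 - c2) % Q == 0:
        raise ValueError("challenges must differ")
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q

if __name__ == "__main__":
    w = 777                      # constructed witness
    x = pow(G, w, P)             # statement
    print("proof verifies:", fs_verify(x, fs_prove(x, w)))
    r, com = commit()            # classical rewinding: same com, two challenges
    print("extracted:", extract((5, respond(w, r, 5)), (9, respond(w, r, 9))))
```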
Quantum!
Classical security easy.
But if adversary has a quantum computer?
The “pick-one trick” (simplified)
• Given a set S
• can encode it as a quantum state |Ψ⟩
• s.t. for any set Z
• you find one x1∈S∩Z
• but not two x1,x2∈S
[Diagram: sets S and Z, with elements x1 and x2]
Attacking Fischlin
Fix com
Try different chal, resp until H(chal,resp)=xxx000
Proof = com,chal,resp
S={chal,resp}
Z={H(·)=xxx000}
Valid fake NIZK
Without knowing witness!
(Because we have only one S-element)
[Fiat-Shamir attacked similarly]
How does “one-pick trick” work?
• Grover: Quantum algorithm for searching
• Observation:
– First step of Grover produces a state encoding the search space
• This state (plus modified Grover) implements “one-pick trick”
• Hard part: Prove “can’t find two x1,x2∈S”
No efficient quantum NIZK?
• All random oracle NIZK broken?
• No: under extra conditions, Fiat-Shamir and Fischlin might work (no proof idea)
• We found a provable new construction (less efficient)
I thank you for your attention
This research was supported by European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa