quantum proofs of knowledge
DESCRIPTION
Quantum Proofs of Knowledge. Dominique Unruh University of Tartu. Tartu, April 12, 2012. Why quantum ZK?. Zero-knowledge: Central tool in crypto Exhibits many issues “in the small case” Post-quantum crypto: Classical protocols secure against quantum adversaries - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/1.jpg)
Dominique Unruh
Quantum Proofs of Knowledge
Dominique UnruhUniversity of Tartu
Tartu, April 12, 2012
![Page 2: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/2.jpg)
Dominique Unruh Quantum Proofs of Knowledge 2
Why quantum ZK?
Zero-knowledge:• Central tool in crypto• Exhibits many issues “in the small case”
Post-quantum crypto:• Classical protocols
secure against quantum adversaries• If the quantum computer comes…• Building blocks in quantum protocols
![Page 3: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/3.jpg)
Dominique Unruh Quantum Proofs of Knowledge 3
Zero-knowledge: how to show?
• Given only malicious verifier:simulate interaction
• Quantum case: Rewinding = state copying!
commitment
challenge
response
Guess challenge
Retry if wrong
Verifier
![Page 4: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/4.jpg)
Dominique Unruh Quantum Proofs of Knowledge 4
Watrous’ quantum rewinding
• Cannot copy state have to restore it
• Allows “oblivious” rewinding:Simulator rewinds, but forgets everything
Sim Measure: success?
Sim-1
stuff
[Watrous 09]
![Page 5: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/5.jpg)
Dominique Unruh Quantum Proofs of Knowledge 5
Quantum ZK solved?
• Watrous’ rewindingcovers many important ZK proofs:
• (But not all…)
• And not: Proofs of knowledge
![Page 6: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/6.jpg)
Dominique Unruh Quantum Proofs of Knowledge 6
Proofs of knowledge
• Example: Want to prove age (e.g., e-passport)
ProverVerifier
I know a government-signature ondocument stating that I’m ≥ 18
![Page 7: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/7.jpg)
Dominique Unruh Quantum Proofs of Knowledge 7
Proofs of knowledge – definition
If prover is successful:
there is an extractor that,
given provers state,
outputs witness
![Page 8: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/8.jpg)
Dominique Unruh Quantum Proofs of Knowledge 8
Constructing extractors
“Special soundness”: Two different responses allow to compute witness
• E.g., isomorphisms from J to G and Hgive isomorphis between G and H
commitment
challenge 1
response 1
challenge 2
response 2rew
ind
J
G H
Prover
![Page 9: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/9.jpg)
Dominique Unruh Quantum Proofs of Knowledge 9
Quantum extractors?
• Quantum case:Rewinding = copying. Not possible
• Watrous “oblivious” rewinding does not work:Forgets response 1
commitment
challenge 1
response 1
challenge 2
response 2rew
ind
Prover
![Page 10: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/10.jpg)
Dominique Unruh Quantum Proofs of Knowledge 10
Canonical extractor
1. Run prover, measure commitment
2. Run prover on “challenge 1”,measure response 1
3. Run inverse prover
4. Run prover on “challenge 2”,measure response 2
M
M
M
com
chal. 1
chal. 1-1
chal. 2
res 1
res 2
![Page 11: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/11.jpg)
Dominique Unruh Quantum Proofs of Knowledge 11
Canonical extractor (ctd.)
• Does it work?
• Measuring “response 1”disturbs state
• Rewinding fails…
M
M
M
com
chal. 1
chal. 1-1
chal. 2
res 1
res 2
![Page 12: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/12.jpg)
Dominique Unruh Quantum Proofs of Knowledge 12
Making extraction work
• Thought experiment:“response” was only 1 bit
• Then: measuring “res 1”disturbs only moderately
• Extraction would work
12
M
M
M
com
chal. 1
chal. 1-1
chal. 2
res 1
res 2
moderatedisturbance
![Page 13: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/13.jpg)
Dominique Unruh Quantum Proofs of Knowledge 13
Making extraction work (ctd.)
• Idea: Make “response”effectively be 1 bit
• “Strict soundness”: For anychallenge, exists at most 1valid response
• Given strict soundness,canonical extractor works!
M
M
M
com
chal. 1
chal. 1-1
chal. 2
res 1
res 2
moderatedisturbance
![Page 14: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/14.jpg)
Dominique Unruh Quantum Proofs of Knowledge 14
Main result
Assume: Special soundness, strict soundness
Then
• Classical: no , exponent 2.• But good enough
![Page 15: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/15.jpg)
Dominique Unruh Quantum Proofs of Knowledge 15
Achieving strict soundness
• Graph Isomorphism proof does nothave strict soundness– Unless graphs are “rigid”
• Discrete log proof has
• Alternative trick (for #challenges poly):– Commit to all responses in advance– Need: “Strict binding” for unique unveil
![Page 16: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/16.jpg)
Dominique Unruh Quantum Proofs of Knowledge 16
Plugging things together
• Proof system for Hamiltonian cycles• Commitments from injective OWFs
Assuming injective quantum OWFs,
quantum ZK proofs of knowledge
exist for all NP languagesCaveat: No candidates for injective OWFs known.
![Page 17: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/17.jpg)
Dominique Unruh Quantum Proofs of Knowledge 17
Future work
• Generalizations: Computational,more than 3 messages
• Other rewinding techniques?– Lunemann, Nielsen 11; Hallgren, Smith, Song 11
rewind in coin-toss for CRS
• Candidates for injective OWFs?
![Page 18: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/18.jpg)
Thank you for your attention!
This research was supported by European Social Fund’sDoctoral Studies and Internationalisation Programme DoRa
![Page 19: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/19.jpg)
![Page 20: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/20.jpg)
Dominique Unruh Quantum Proofs of Knowledge 20
Zero Knowledge
2 :, , , n n nx x yy z n z But I don’t want to tell you the proof!
Zero Knowledge Proof:• Prover cannot prove wrong statement• Verifier does not learn anything
ProverVerifier
![Page 21: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/21.jpg)
Dominique Unruh 21Quantum Proofs of Knowledge
Zero Knowledge
• Powerful tool• Combines privacy + integrity• Test-bed for cryptographic techniques
The drosophilia of cryptography
![Page 22: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/22.jpg)
Dominique Unruh 22Quantum Proofs of Knowledge
Zero Knowledge: How?
Graphs G and H are isomorphic
Permute G Permuted graph J
Pick G or HG or H
Iso between J and G or J and H
ProverVerifier
![Page 23: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/23.jpg)
Dominique Unruh 23Quantum Proofs of Knowledge
Zero Knowledge: How?
Permute G Permuted graph J
Pick G or HG or H
Iso between J and G or J and H
G and H not isomorphic Prover will get stuck with probability ½
Verifier does not learn anything:Could produce iso and J on his own
![Page 24: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/24.jpg)
Dominique Unruh 24Quantum Proofs of Knowledge
Zero Knowledge
Zero knowledge proofs are possible…
…for all statements in NP
![Page 25: Quantum Proofs of Knowledge](https://reader031.vdocuments.net/reader031/viewer/2022012917/568166fa550346895ddb5c63/html5/thumbnails/25.jpg)
Dominique Unruh Quantum Proofs of Knowledge 25
Proofs of knowledge – definition
If prover is successful:prover knows witnesscould output witnessthere is an extractor that,given provers state,outputs witness