Non-interactive quantum zero-knowledge proofs
Dominique Unruh, University of Tartu
Quantum “Fiat-Shamir”
Dominique Unruh Quantum NIZK with random oracle 2
Intro: Proof systems

Figure: prover P (holding statement x and witness w) interacts with verifier V (holding statement x).
• Soundness: Verifier accepts only true statements
• Zero-knowledge: Verifier learns nothing
Intro: Proof systems

Sigma-protocols (figure: P → V commitment, V → P challenge, P → V response)
• Specific 3-round proofs
• Versatile combiners
• Simple to analyze
• Weak security

Non-interactive ZK (figure: P → V proof)
• Ease of use
  – Concurrency, offline
• Need RO or CRS
• Lack of combiners
• Specific languages
Intro: Best of two worlds

Fiat-Shamir: Convert sigma-proto into NIZK
• Ease of use (concurrent, offline)
• Versatile combiners
• Simple analysis
• Uses random oracle

Figure: the three-round sigma-protocol (commitment, challenge, response) collapses into one message P → V: com, H(com), resp
Intro: Best of two worlds (ctd.)
• Fiat-Shamir also implies:
  – Sigma-proto signatures (in RO)
• Fischlin’s scheme:
  – Also: sigma-proto → NIZK (in RO)
  – No rewinding (online extraction)
  – Less efficient
Post-quantum security

Quantum computers
• Potential future threat
• Not there yet, but we need to be prepared

Post-quantum cryptography
• Classical crypto, secure against quantum attack
• Is Fiat-Shamir post-quantum secure?
Fiat-Shamir soundness

Fiat-Shamir: P → V: com, H(com), resp
Can be seen as: P queries H on com, sets chal := H(com), and sends the response to V.
• Rewinding → get two responses
• “Special soundness” of sigma-proto → compute witness

Quantum: superposition queries to H → messed-up state
Saving (quantum) Fiat-Shamir?
• Existing quantum rewinding techniques
  – Watrous / Unruh
  – Do not work with superposition queries
• Ambainis, Rosmanis, Unruh:
  – No relativizing security proof
• Consequence: Avoid rewinding!
NIZK without rewinding

Fischlin’s scheme:
• No rewinding
• Online extraction: list of queries → witness
• But again: no relativizing security proof
• List of queries:
  – Not well-defined: need to measure to get them
  – Disturbs state
Quantum online-extraction

Idea:
• Make RO invertible (for extractor)
• Ensure: all needed outputs contained in proof

Figure: the prover P queries H on x and obtains H(x), which goes into the proof; the extractor applies H⁻¹ to the proof to recover x, and x gives the witness.
Protocol construction

Figure: the prover prepares t commitments com_1, …, com_t. For each com_i it prepares m challenges chal_i1, …, chal_im with responses resp_i1, …, resp_im, and each response is hashed invertibly. A hash over all of this selects, Fiat-Shamir style, which response to open for each commitment (in the figure: resp_12, resp_2m, …, resp_t1). All this together is the proof.
• W.h.p. at least one com_i has two valid responses
• Extractor gets them by inverting the hash
• Two valid responses → witness
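The classical Fiat-Shamir transform from the “Best of two worlds” slide and the construction on this slide, as an added Python example that is not from the slides or from Unruh’s paper. It assumes a constructed toy Schnorr sigma-protocol over a 1019-element group (far too small for any real use), SHA-256 standing in for the random oracle H, and models the “invertible” hash G by exhaustive search over the tiny response space instead of the almost-invertible polynomial construction the later slides describe. The parameters t = 4, m = 3 and the function names fiat_shamir_prove, unruh_prove, unruh_verify and unruh_extract are hypothetical choices of this example.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption, not from the slides): p = 2q + 1 with p, q
# prime and g generating the order-q subgroup of Z_p^*.  Tiny on purpose, so that
# the extractor can invert G by exhaustive search over the response space Z_q.
P, Q, GEN = 1019, 509, 4
T, M = 4, 3  # t commitments, m challenges per commitment (hypothetical choice)

def H(*parts):
    """Random-oracle stand-in: SHA-256 over length-prefixed encodings of the parts."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()

def G(resp):
    """Hash applied to every response; the slides need it invertible for the extractor."""
    return H("G", resp)

# Inverting G: in the toy the response space is Z_q, so a lookup table suffices.
G_INVERSE = {G(s): s for s in range(Q)}

# --- Schnorr sigma-protocol for y = g^w: honest-verifier ZK and special soundness ---
def sigma_commit():
    r = secrets.randbelow(Q)
    return r, pow(GEN, r, P)

def sigma_respond(w, r, chal):
    return (r + chal * w) % Q

def sigma_verify(y, com, chal, resp):
    return pow(GEN, resp, P) == (com * pow(y, chal, P)) % P

def special_soundness(chal1, resp1, chal2, resp2):
    """Two accepting transcripts with the same com and distinct challenges yield w."""
    return ((resp1 - resp2) * pow((chal1 - chal2) % Q, -1, Q)) % Q

# --- Classical Fiat-Shamir: chal := H(com), proof = (com, resp); needs rewinding to extract ---
def fiat_shamir_prove(y, w):
    r, com = sigma_commit()
    chal = int.from_bytes(H("FS", y, com), "big") % Q
    return com, sigma_respond(w, r, chal)

def fiat_shamir_verify(y, com, resp):
    chal = int.from_bytes(H("FS", y, com), "big") % Q
    return sigma_verify(y, com, chal, resp)

# --- Transform from the "Protocol construction" slide ---
def select_opening(y, coms, chals, hashes):
    """Hash everything (Fiat-Shamir style) to pick which response to open per commitment."""
    d = H("open", y, *coms, *(c for row in chals for c in row), *(g for row in hashes for g in row))
    return [d[i] % M for i in range(T)]  # small modulo bias is acceptable for the toy

def unruh_prove(y, w):
    coms, chals, resps, hashes = [], [], [], []
    for _ in range(T):
        r, com = sigma_commit()
        cs = []
        while len(cs) < M:  # m distinct challenges for this commitment
            c = secrets.randbelow(Q)
            if c not in cs:
                cs.append(c)
        rs = [sigma_respond(w, r, c) for c in cs]
        coms.append(com)
        chals.append(cs)
        resps.append(rs)
        hashes.append([G(s) for s in rs])  # every response enters the proof, hashed
    js = select_opening(y, coms, chals, hashes)
    opened = [resps[i][js[i]] for i in range(T)]
    return {"coms": coms, "chals": chals, "hashes": hashes, "opened": opened}

def unruh_verify(y, proof):
    coms, chals, hashes, opened = (proof[k] for k in ("coms", "chals", "hashes", "opened"))
    if len(coms) != T or len(opened) != T or any(len(r) != M for r in hashes) or any(len(set(c)) != M for c in chals):
        return False
    js = select_opening(y, coms, chals, hashes)
    return all(
        G(opened[i]) == hashes[i][js[i]] and sigma_verify(y, coms[i], chals[i][js[i]], opened[i])
        for i in range(T)
    )

def unruh_extract(y, proof):
    """Online extractor: invert G on all hashed responses; no rewinding, no query list."""
    for i in range(T):
        valid = {}  # challenge -> verified response for commitment i
        for j in range(M):
            s = G_INVERSE.get(proof["hashes"][i][j])
            if s is not None and sigma_verify(y, proof["coms"][i], proof["chals"][i][j], s):
                valid[proof["chals"][i][j]] = s
        if len(valid) >= 2:  # two valid responses for one com -> witness
            (c1, s1), (c2, s2) = list(valid.items())[:2]
            return special_soundness(c1, s1, c2, s2)
    return None
```

The verifier only ever sees one opened response per commitment, exactly as in the slide’s figure, but the hashed form of every response is part of the proof. That is what lets the extractor read the witness off a single proof, without rewinding and without a list of oracle queries: it inverts G on the unopened entries and applies special soundness to any commitment with two valid responses. Inverting G by lookup is only possible here because the toy response space is tiny; a real adversary against the random oracle cannot do this, which is why the construction needs the almost-invertible function discussed on the next slide.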
Invertible random oracle
• Random functions: not invertible
• Zhandry: RO -wise indep. function

Idea: Use invertible -wise indep. function
Problem: None known
Solution: Degree polynomials
• Almost invertible ( candidates)
• Good enough
Final result

Theorem: If the sigma-protocol has:
• Honest verifier zero-knowledge
• Special soundness
Then our protocol is:
• Zero-knowledge
• Simulation-sound online extractable
Further results
• Strongly unforgeable signatures (implied by the NIZK)
• New results for adaptive programming of quantum random oracle
• Invertible oracle trick (also used for variant of Fujisaki-Okamoto)
Saving Fiat-Shamir?

Figure: P queries H in superposition, |com⟩ → H, |chal⟩ := |H(com)⟩, and sends resp to V. Superposition queries, as many as P wants.
• Zero-knowledge: yes (same as for our proto)
• Soundness: no [Ambainis Rosmanis U]
  – Measuring disturbs state
• Hope: Soundness if underlying sigma-protocol has “strict soundness” / “unique responses”
Strict soundness
• Strict soundness: Given com, chal: at most one possible resp
• Helped before, for “proofs of knowledge”
  – Measuring response not disturbing (much)

Figure (as before): P queries H in superposition, |chal⟩ := |H(com)⟩, and sends resp to V; superposition queries, as many as P wants.
Saving Fiat-Shamir now?
• With strict soundness: no counterexample
• Proof still unclear (how to rewind without disturbing quantum queries)
• Can be reduced to a query-complexity problem
The query complexity problem
• Let  be a quantum circuit, using random oracle , implementing a projective measurement
• Game 1: State , apply .
• Game 2: State , apply , apply .
• Show:
Dominique Unruh
I thank you for your attention.
This research was supported by the European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa.