Non-interactive zero-knowledge with quantum random oracles
Dominique Unruh
University of Tartu
With Andris Ambainis, Ansis Rosmanis
Estonian Theory Days
WORK IN PROGRESS!
Dominique Unruh Non-interactive ZK with Quantum Random Oracles 2
Classical Crypto
(Quick intro.)
Non-interactive zero-knowledge (NIZK)
Statement x (math. fact), witness w (proof of fact) → P → ZK proof of x
Zero-knowledge: Proof leaks nothing about witness
Soundness: Hard to prove wrong statements
Uses: Proving honest behavior, signatures, …
Towards efficient NIZK: Sigma protocols
Prover → Verifier: commitment
Verifier → Prover: challenge
Prover → Verifier: response
“Special soundness”: Two different responses allow computing the witness
⇒ For wrong statement, prover fails w.h.p.
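The three-message exchange and special soundness, as an added example that is not part of the original slides. It assumes Schnorr's discrete-log protocol as the concrete sigma protocol, a constructed toy group, and hypothetical function names; a prover without the witness can only prepare for one pre-guessed challenge.

```python
import secrets

# Toy group, constructed for illustration (far too small for real use):
# G generates the subgroup of prime order Q in the integers mod P.
P, Q, G = 2039, 1019, 4

def commit():
    """Prover, message 1: pick random r, send com = G^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def respond(w, r, chal):
    """Prover, message 3: resp = r + chal*w mod Q."""
    return (r + chal * w) % Q

def verify(x, com, chal, resp):
    """Verifier: accept iff G^resp == com * x^chal."""
    return pow(G, resp, P) == (com * pow(x, chal, P)) % P

def extract(t1, t2):
    """Special soundness: two accepting (chal, resp) pairs for the SAME com
    with different challenges reveal the witness w."""
    (c1, s1), (c2, s2) = t1, t2
    if (c1 - c2) % Q == 0:
        raise ValueError("challenges must differ")
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q

def commit_for_guess(x, guess):
    """Prover WITHOUT a witness: can prepare com for one guessed challenge
    only, so it passes with probability 1/Q over the verifier's choice."""
    resp = secrets.randbelow(Q)
    com = pow(G, resp, P) * pow(x, Q - guess, P) % P  # com = G^resp * x^(-guess)
    return com, resp

if __name__ == "__main__":
    w = secrets.randbelow(Q - 1) + 1      # witness
    x = pow(G, w, P)                      # statement: "I know log_G(x)"
    r, com = commit()
    c1, c2 = 5, 9                         # verifier's challenges in two runs
    s1, s2 = respond(w, r, c1), respond(w, r, c2)
    print(verify(x, com, c1, s1), verify(x, com, c2, s2))
    print(extract((c1, s1), (c2, s2)) == w)
    fake_com, fake_resp = commit_for_guess(x, 7)
    print(verify(x, fake_com, 7, fake_resp), verify(x, fake_com, 8, fake_resp))
```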
Toward efficient NIZK: Random Oracles
• Model hash function as random function H
• Many useful proof techniques:
  – Learn queries
  – Insert “special” answers (“programming”)
  – Rewind and re-answer
x → H → H(x)
NIZK with random oracles
Fiat-Shamir
Prover: com, chal = H(com), resp
• NIZK consists of com, chal, resp
• Prover can’t cheat: H is like a verifier
• Security proof: Rewinding

Fischlin
Fix com
Try different chal, resp until H(chal,resp)=xxx000
Proof := com, chal, resp
• Need to query several chal, resp
• Implies existence of witness
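Both transforms side by side, as an added example that is not part of the original slides. It follows the slide's simplified description of Fischlin (not the full construction) and assumes Schnorr's protocol over a constructed toy group, SHA-256 standing in for H, a 6-bit zero target for "xxx000", and hash inputs that also bind the statement x and com; all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group, constructed for illustration (far too small for real use):
# G generates the subgroup of prime order Q in the integers mod P.
P, Q, G = 2039, 1019, 4
ZERO_BITS = 6   # assumed size of the "xxx000" target: low 6 hash bits are zero

def H(*parts):
    """SHA-256 standing in for the random oracle; returns an integer."""
    data = "|".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sigma_ok(x, com, chal, resp):
    """Verification equation of the underlying sigma protocol."""
    return pow(G, resp, P) == (com * pow(x, chal, P)) % P

def fiat_shamir_prove(x, w):
    r = secrets.randbelow(Q)
    com = pow(G, r, P)
    chal = H("FS", x, com) % Q               # the oracle plays the verifier
    return com, chal, (r + chal * w) % Q

def fiat_shamir_verify(x, proof):
    com, chal, resp = proof
    return chal == H("FS", x, com) % Q and sigma_ok(x, com, chal, resp)

def hits_target(x, com, chal, resp):
    return H("Fischlin", x, com, chal, resp) % (1 << ZERO_BITS) == 0

def fischlin_prove(x, w):
    while True:
        r = secrets.randbelow(Q)
        com = pow(G, r, P)                   # fix com
        for chal in range(Q):                # try different chal, resp ...
            resp = (r + chal * w) % Q
            if hits_target(x, com, chal, resp):
                return com, chal, resp       # ... until the hash ends in zeros

def fischlin_verify(x, proof):
    com, chal, resp = proof
    return sigma_ok(x, com, chal, resp) and hits_target(x, com, chal, resp)

if __name__ == "__main__":
    w = secrets.randbelow(Q - 1) + 1
    x = pow(G, w, P)
    print(fiat_shamir_verify(x, fiat_shamir_prove(x, w)))
    print(fischlin_verify(x, fischlin_prove(x, w)))
```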
Quantum!
Classical security easy.
But if adversary has a quantum computer?
The “pick-one trick” (simplified)
• Given a set S
• can encode it as a quantum state |Ψ⟩
• s.t. for any set Z
• you find one x1∈S∩Z
• but not two x1,x2∈S
[Diagram: sets S and Z, with elements x1, x2]
Attacking Fischlin
Fix com
Try different chal, resp until H(chal,resp)=xxx000
Proof = com, chal, resp
S={chal,resp}
Z={H(·)=xxx000}
Valid fake NIZK
Without knowing witness!
(Because we have only one S-element)
[Fiat-Shamir attacked similarly]
How does “pick-one trick” work?
• Grover: Quantum algorithm for searching
• Observation:
  – First step of Grover produces a state encoding the search space
• This state (plus modified Grover) implements “pick-one trick”
• Hard part: Prove “can’t find two x1,x2∈S”
No efficient quantum NIZK?
• All random oracle NIZK broken?
• No: under extra conditions, Fiat-Shamir and Fischlin might work (no proof idea)
• We found a provable new construction (less efficient)
I thank you for your attention
This research was supported by European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa