Dominique Unruh: Non-interactive zero-knowledge with quantum random oracles. Dominique Unruh, University of Tartu. With Andris Ambainis, Ansis Rosmanis. Estonian Theory Days. WORK IN PROGRESS!

Dec 15, 2015


Non-interactive zero-knowledge with quantum random oracles

Dominique Unruh, University of Tartu

With Andris Ambainis, Ansis Rosmanis

Estonian Theory Days

WORK IN PROGRESS!


Classical Crypto

(Quick intro.)


Non-interactive zero-knowledge (NIZK)

Statement x (math. fact) + Witness w (proof of fact) → P → ZK proof of x

Zero-knowledge: Proof leaks nothing about witness

Soundness: Hard to prove wrong statements

Uses: Proving honest behavior, signatures, …


Towards efficient NIZK: Sigma protocols

Prover → Verifier: commitment
Verifier → Prover: challenge
Prover → Verifier: response

“Special soundness”: Two different responses allow to compute witness

⇒ For wrong statement, prover fails w.h.p.


Toward efficient NIZK: Random Oracles

• Model hash function as random function H
• Many useful proof techniques

x → H → H(x)

– Learn queries
– Insert “special” answers (“programming”)
– Rewind and re-answer


NIZK with random oracles

Fiat-Shamir

Prover: com, chal, resp, where chal comes from H(com)

• NIZK consists of com, chal, resp
• Prover can’t cheat: H is like a verifier
• Security proof: Rewinding

Fischlin

Fix com
Try different chal, resp until H(chal,resp)=xxx000
Proof := com,chal,resp

• Need to query several chal,resp
• Implies existence of witness
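
Added example (not from the slides): the commitment/challenge/response flow, special soundness, and the Fiat-Shamir and simplified Fischlin transforms above, instantiated with a Schnorr-style Sigma protocol. The toy group parameters, all function names, SHA-256 as the random-oracle stand-in and the 3-bit zero target are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """Random-oracle stand-in: SHA-256 over the inputs, reduced mod Q."""
    data = "|".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def commit():
    r = secrets.randbelow(Q)          # prover's secret randomness
    return r, pow(G, r, P)            # com = G^r

def respond(w, r, chal):
    return (r + chal * w) % Q

def check(x, com, chal, resp):
    """Verifier's test for statement x = G^w: G^resp == com * x^chal."""
    return pow(G, resp, P) == com * pow(x, chal, P) % P

def extract(chal1, resp1, chal2, resp2):
    """Special soundness: two accepting responses for the same com yield w."""
    return (resp1 - resp2) * pow((chal1 - chal2) % Q, -1, Q) % Q

def fs_prove(x, w):
    """Fiat-Shamir: the hash plays the verifier. The slide writes H(com);
    the statement x is hashed as well so the proof is bound to it."""
    r, com = commit()
    chal = H(x, com)
    return com, chal, respond(w, r, chal)

def fs_verify(x, proof):
    com, chal, resp = proof
    return chal == H(x, com) and check(x, com, chal, resp)

def fischlin_prove(x, w, zero_bits=3):
    """Simplified Fischlin as on the slide: fix com, try chal/resp until the hash ends in zeros."""
    r, com = commit()
    for chal in range(Q):
        resp = respond(w, r, chal)
        if H(x, com, chal, resp) % (1 << zero_bits) == 0:
            return com, chal, resp
    raise RuntimeError("no challenge hit the target; retry with a new com")

def fischlin_verify(x, proof, zero_bits=3):
    com, chal, resp = proof
    return check(x, com, chal, resp) and H(x, com, chal, resp) % (1 << zero_bits) == 0
```

The classical security arguments on the slide correspond to `extract`: rewinding (Fiat-Shamir) or reading the prover's hash queries (Fischlin) yields two accepting responses for one `com`.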


Quantum!

Classical security easy.

But if adversary has a quantum computer?


The “pick-one trick” (simplified)

• Given a set S
• can encode it as a quantum state |Ψ⟩
• s.t. for any set Z
• you find one x1∈S∩Z
• but not two x1,x2∈S

[Figure: sets S and Z, with points x1 and x2]


Attacking Fischlin

Fix com
Try different chal, resp until H(chal,resp)=xxx000
Proof = com,chal,resp

S={chal,resp}

Z={H(·)=xxx000}

Valid fake NIZK

Without knowing witness!

(Because we have only one S-element)

[Fiat-Shamir attacked similarly]


How does “one-pick trick” work?

• Grover: Quantum algorithm for searching

• Observation:
– First step of Grover produces a state encoding the search space

• This state (plus modified Grover) implements “one-pick trick”

• Hard part: Prove “can’t find two x1,x2∈S”


No efficient quantum NIZK?

• All random oracle NIZK broken?

• No: under extra conditions, Fiat-Shamir and Fischlin might work (no proof idea)

• We found a provable new construction (less efficient)


I thank you for your attention

This research was supported by European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa