Quantum zero-knowledge from Locally Simulatable Proofs
Alex Bredariol Grilo, joint work with Anne Broadbent (U. of Ottawa)
arXiv:1911.07782
[Figure: diagram with the labels Quantum found., Crypto, TCS and QZK]
2 / 19
Interactive proofs
L ∈ NP [diagram: prover P, verifier V, output 0/1]
for x ∈ L, ∃P: V accepts
for x ∉ L, ∀P: V rejects
L ∈ IP = PSPACE [diagram: P and V exchanging messages, V outputs 0/1]
for x ∈ L, ∃P: V accepts
for x ∉ L, ∀P: V rejects whp
3 / 19
Zero-knowledge
[Diagram: verifier Ṽ interacting with P obtains X; simulator S, using Ṽ, produces Y]
Computational zero-knowledge
X and Y cannot be efficiently distinguished:
∀ poly-time A: $|\Pr_{x \sim D_X}[A(x) = 1] - \Pr_{y \sim D_Y}[A(y) = 1]| \le \mathrm{negl}(n)$
Fundamental notion in modern cryptography!
4 / 19
Example: ZK for 3-coloring
[Figure: P and V with a graph on vertices A, B, C, D, E, F, G]
Completeness ✓ Soundness ✓ ZK ✗
5 / 19
Example: ZK for 3-coloring
[Figure: P and V with a graph on vertices A, B, C, D, E, F, G]
P: A → 564651, B → 867132, C → 984565, D → 894102, E → 069732, F → 873210, G → 897966
V: {A, C}
P: 564651, 984565
bit-commitment
Completeness ✓ Soundness ✓ CZK ✓
6 / 19
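The commit, challenge and open round of this slide, written out as an added Python example that is not part of the talk: the prover relabels the colours, commits to every vertex, and opens only the two endpoints of the edge the verifier picks. The edge set, the colouring and the use of salted SHA-256 as the commitment are assumptions; the slide only names the vertices A to G and says "bit-commitment".

```python
import hashlib
import random
import secrets

# Constructed sample: the slide names vertices A..G but its edges are not
# recoverable, so this edge set and colouring are assumptions.
EDGES = [("A", "B"), ("A", "C"), ("B", "C"), ("C", "D"), ("B", "D"),
         ("D", "E"), ("E", "F"), ("F", "G"), ("G", "A"), ("D", "F")]
COLORING = {"A": 0, "B": 1, "C": 2, "D": 0, "E": 1, "F": 2, "G": 1}


def commit(color):
    """Return (commitment, opening) for one vertex colour."""
    nonce = secrets.token_bytes(16)  # hides the colour until opened
    digest = hashlib.sha256(nonce + bytes([color])).hexdigest()
    return digest, (nonce, color)


def open_ok(commitment, opening):
    """Verifier side: does the opening match the earlier commitment?"""
    nonce, color = opening
    if color not in (0, 1, 2):
        return False
    return hashlib.sha256(nonce + bytes([color])).hexdigest() == commitment


def prover_commit(coloring, rng):
    """Relabel the colours with a fresh permutation, then commit per vertex."""
    perm = [0, 1, 2]
    rng.shuffle(perm)
    pairs = {v: commit(perm[c]) for v, c in coloring.items()}
    coms = {v: p[0] for v, p in pairs.items()}
    opens = {v: p[1] for v, p in pairs.items()}
    return coms, opens


def verifier_check(coms, edge, open_u, open_v):
    """Accept iff both openings are valid and the two colours differ."""
    u, v = edge
    return (open_ok(coms[u], open_u) and open_ok(coms[v], open_v)
            and open_u[1] != open_v[1])


def run_protocol(coloring, rounds, seed=0):
    """Repeat commit / challenge / open; seeded RNG only for reproducibility."""
    rng = random.Random(seed)
    for _ in range(rounds):
        coms, opens = prover_commit(coloring, rng)
        u, v = rng.choice(EDGES)  # verifier's challenge, e.g. {A, C}
        if not verifier_check(coms, (u, v), opens[u], opens[v]):
            return False
    return True
```

Because the colours are re-permuted before every round, the two opened values are just a random pair of distinct colours, which is what a simulator can produce without knowing the colouring.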
Quantum proofs
L ∈ QMA [diagram: prover P, verifier V, output 0/1]
for x ∈ L, ∃P: V accepts whp
for x ∉ L, ∀P: V rejects whp
L ∈ QIP = PSPACE [diagram: P and V exchanging messages, V outputs 0/1]
for x ∈ L, ∃P: V accepts
for x ∉ L, ∀P: V rejects whp
7 / 19
Quantum Zero-knowledge
[Diagram: verifier Ṽ interacting with P obtains ρ; simulator S, using Ṽ, produces σ]
Quantum computational zero-knowledge
ρ and σ cannot be efficiently distinguished:
∀ quantum poly-time A: $|\Pr[A(\rho) = 1] - \Pr[A(\sigma) = 1]| \le \mathrm{negl}(n)$
8 / 19
Zero-knowledge for quantum proofs
Assuming qOWF: QMA ⊆ QZK since PSPACE = CZK ⊆ QZK
◮ Need to go through QMA ⊆ PP
◮ Desired: Efficient prover with QMA witness
BJSW’16: QMA ⊆ QZK with efficient prover
◮ Multiple rounds of communication
◮ Somewhat complicated
BG19: explore Locally Simulatable codes from GSY19
Applications in Cryptography
⋆ “commit-and-open” Proof of Knowledge QZK proof for QMA
⋆ “commit-and-open” Proof of Knowledge QSZK argument for QMA
⋆ QNISZK for QMA in the secret parameters setup
Applications in Complexity theory
⋆ QMA-hardness of Consistency of local density matrices problem under Karp reductions (open for 15 years!)
⋆ Locally Simulatable proofs
9 / 19
Consistency of local density matrices problem
Input: Reduced density matrices $\rho_1, \ldots, \rho_m$ on k qubits
Output:
yes: $\exists \psi$ such that $\forall i$: $\| \mathrm{Tr}_{S_i}(\psi) - \rho_i \| \le \varepsilon$
no: $\forall \psi, \exists i$: $\| \mathrm{Tr}_{S_i}(\psi) - \rho_i \| \ge \frac{1}{\mathrm{poly}(n)}$
Liu’06: containment in QMA, and partial result on QMA-hardness
BG’19: QMA-hardness
10 / 19
Very simple ZK proof for QMA
[Diagram: V and P with $\rho_1, \ldots, \rho_m$; P holds $\psi^{\otimes \ell}$]
P: $X^a Z^b \psi^{\otimes \ell} Z^b X^a$, with keys $a_1, b_1$; $a_2, b_2$; ...; $a_{n-1}, b_{n-1}$; $a_n, b_n$
P: $a_1, b_1$ → 564651, $a_2, b_2$ → 984565, ..., $a_n, b_n$ → 894102
V: i
P: 984565, 894102 (keys to open otp of copies of $\rho_i$), giving $a_2, b_2$ and $a_n, b_n$
Completeness ✓ Soundness ✓ ZK ✓
11 / 19
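Simulatable codes - Steane code
$|0\rangle \to \frac{1}{2\sqrt{2}} \big( |0000000\rangle + |1010101\rangle + |0110011\rangle + |1100110\rangle + |0001111\rangle + |1011010\rangle + |0111100\rangle + |1101001\rangle \big)$
$|1\rangle \to \frac{1}{2\sqrt{2}} \big( |1111111\rangle + |0101010\rangle + |1001100\rangle + |0011001\rangle + |1110000\rangle + |0100101\rangle + |1000011\rangle + |0010110\rangle \big)$
[Figure: Enc(|ψ⟩)]
For every $|\psi\rangle$ and $i, j \in [7]$, $\mathrm{Tr}_{\{i,j\}}(\mathrm{Enc}(|\psi\rangle)) = \frac{I}{4}$
The reduced density matrix on 2 qubits can be efficiently computed (independently of the logical state)
Not true anymore for i, j, k ∈ [7]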
12 / 19
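A numerical check of the two claims on this slide, added here and not part of the talk: every 2-qubit marginal of Enc(|ψ⟩) equals I/4 whatever the logical state, while some 3-qubit marginals reveal it. The codewords are the ones listed above; the function names and the 0-indexed qubit labels are choices made for this example.

```python
from itertools import combinations, product

# |0_L> codewords exactly as listed on the slide; |1_L> flips every bit.
ZERO = ["0000000", "1010101", "0110011", "1100110",
        "0001111", "1011010", "0111100", "1101001"]
ONE = ["".join("1" if b == "0" else "0" for b in w) for w in ZERO]


def encode(alpha, beta):
    """Amplitudes of Enc(alpha|0> + beta|1>) as {7-bit string: amplitude}."""
    scale = (8 * (abs(alpha) ** 2 + abs(beta) ** 2)) ** 0.5
    amp = {w: alpha / scale for w in ZERO}
    amp.update({w: beta / scale for w in ONE})
    return amp


def reduced(amp, keep):
    """Density matrix on qubits `keep` (0-indexed) after tracing out the rest."""
    rest = [i for i in range(7) if i not in keep]
    labels = ["".join(bits) for bits in product("01", repeat=len(keep))]
    blocks = {}  # traced-out bits -> {kept bits: amplitude}
    for word, a in amp.items():
        env = "".join(word[i] for i in rest)
        blocks.setdefault(env, {})["".join(word[i] for i in keep)] = a
    rho = {(x, y): 0j for x in labels for y in labels}
    for block in blocks.values():
        for x, ax in block.items():
            for y, ay in block.items():
                rho[(x, y)] += ax * ay.conjugate()
    return rho


def is_maximally_mixed(rho, tol=1e-12):
    dim = round(len(rho) ** 0.5)
    return all(abs(val - (1 / dim if x == y else 0)) < tol
               for (x, y), val in rho.items())


def all_pairs_maximally_mixed(alpha, beta):
    """The slide's claim: every 2-qubit marginal of Enc(|psi>) is I/4."""
    amp = encode(alpha, beta)
    return all(is_maximally_mixed(reduced(amp, pair))
               for pair in combinations(range(7), 2))


def state_dependent_triples():
    """Triples whose marginal differs between Enc(|0>) and Enc(|1>)."""
    zero, one = encode(1, 0), encode(0, 1)
    out = []
    for t in combinations(range(7), 3):
        r0, r1 = reduced(zero, t), reduced(one, t)
        if any(abs(r0[k] - r1[k]) > 1e-12 for k in r0):
            out.append(t)
    return out
```

The state-dependent triples are exactly the supports of the seven weight-3 codewords listed under |1⟩, for example qubits (1, 3, 5) from 0101010.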
Simulatable codes - concatenated Steane code
Lemma (s-locally simulatable codes)
Fix s and let $k = \log_3(s)$. We have the following properties of the k-fold concatenation of the Steane code $C_k$:
1 There is a poly(2k)-time classical algorithm that computes the s-reduced density matrix of $\mathrm{Enc}_{C_k}(\rho)$, without knowing ρ
2 There is a poly(2k)-time classical algorithm that computes the s-reduced density matrix of (partial) computation on $\mathrm{Enc}_{C_k}(\rho)$
◮ transversal Clifford gates
◮ T-gadgets
[Figure: circuit applying H to each qubit of Enc(ρ)]
13 / 19
CLDM is QMA-hard
Circuit-to-Hamiltonian construction
Given a circuit $V = U_T \cdots U_1$ and initial state $|\psi_{init}\rangle$, there is a reduction to a 5-Local Hamiltonian $H_V$ such that
◮ If V accepts with high probability, then the history state $\frac{1}{\sqrt{T+1}} \sum_{t \in [T+1]} |t\rangle \otimes U_t \cdots U_1 |\psi_{init}\rangle$ has low energy with respect to $H_V$.
◮ If V accepts with low probability, then all states have high energy with respect to $H_V$.
Goal
Tweak the verification algorithm such that we can compute the reduced density matrices of history states.
14 / 19
CLDM is QMA-hard
Encoded circuit
Instead of $V = U_T \cdots U_1$ and initial state $|\psi_{init}\rangle$, consider the circuit $V'$ that
1 Receives $\frac{1}{2^n} \sum_{a,b} \mathrm{Enc}\big(|a,b\rangle\langle a,b| \otimes X^a Z^b |\psi\rangle\langle\psi| Z^b X^a\big)$
2 Checks the encoding of the witness
3 Undoes the OTP of the witness
4 Creates Enc(|0⟩) and Enc(|T⟩)
5 Performs logical V on encoded states
6 Decodes the output
Theorem
There is a classical simulator that computes in polynomial time the reduced density matrices of the history state of the encoded verifier. Moreover there is a global state consistent with the reduced density matrices iff it is a yes-instance.
15 / 19
CLDM is QMA-hard - Overview of the proof
1 There is a polynomial-time algorithm that computes the density matrices of a snapshot of the computation at time t
◮ At every step, every qubit is encoded and if it is decoded, we know exactly its value
2 There is a polynomial-time algorithm that computes the density matrices of “intervals” of the computation
◮ Uses the snapshot simulation with some loss in the parameters
3 There is a polynomial-time algorithm that computes the density matrices of the history state
◮ Most of the clock qubits are traced out, so the remaining state is a mixture of intervals
16 / 19
Proof of Quantum Knowledge
Properties of (ZK) interactive proof system
Completeness: there is a good strategy for yes-instance
Soundness: there is no good strategy for no-instance
Proof of Knowledge for NP:
◮ If Prover passes with high enough probability, then an NP-witness is known
◮ There is an extractor K, such that if $\tilde{P}$ passes with probability ≥ κ, $K^{\tilde{P}}$ outputs a good witness with high probability
Proof of Quantum Knowledge for QMA
◮ If Prover passes with high enough probability, then a QMA-witness is known
◮ BG’19: Definition of PoQ [1] and proof that our protocol is also a PoQ
[1] Independent concurrent work by Coladangelo, Vidick and Zhang.
17 / 19
Open questions
◮ Find applications for QZK
◮ MIPns = PZK-MIPns?
◮ QNIZK protocol for QMA in the CRS model
◮ QMA-hardness of (bosonic) representability [LCV’07, WMN’10], universal functional of density function theory [SV’09]
18 / 19
Thank you for your attention!
19 / 19