
Zero-Knowledge Against Quantum Attacks John Watrous Department of - PowerPoint PPT Presentation



  1. Zero-Knowledge Against Quantum Attacks
  John Watrous, Department of Computer Science, University of Calgary
  January 16, 2006
  John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 1 / 22

  2. Zero-Knowledge Proof Systems [Goldwasser, Micali & Rackoff, 1985]
  Assume that a promise problem A = (A_yes, A_no) has been fixed. A zero-knowledge proof system for the problem A is a pair (V, P) of interacting parties: a (computationally bounded) verifier and a prover.
  Interaction: Both parties receive an input string x ∈ A_yes ∪ A_no, exchange messages with one another, and finally the verifier V produces an output string denoted (V, P)(x).
  Conditions:
  • Completeness: If x ∈ A_yes, then (V, P)(x) = 1 (accept) with high probability.
  • Soundness: If x ∈ A_no, then (V, P′)(x) = 0 (reject) with high probability for every possible cheating prover P′.
  • Zero-knowledge: If x ∈ A_yes, then no cheating verifier V′ can extract knowledge from an interaction with P.

  3. What does it mean to “extract knowledge”?
  The notion of knowledge is a complexity-theoretic notion, and is different from information; it is formalized by means of the simulator paradigm.
  Informally: a verifier V′ learns nothing (i.e., fails to extract knowledge) from P if there exists a polynomial-time simulator S that produces an output that is indistinguishable from the output V′ would produce when interacting with P, on any x ∈ A_yes.
  [Diagram: V′ interacting with P on input x produces (V′, P)(x); S running alone on input x produces S(x).]

  4. Auxiliary inputs
  The previous informal definition is not quite strict enough to capture the notion of zero-knowledge, and gives rise to a class of protocols lacking certain desirable properties.
  We need to allow the cheating verifier V′ (as well as the simulator S) to take an auxiliary input string w. The outputs of these two processes should be indistinguishable provided x ∈ A_yes.
  [Diagram: V′(w) interacting with P on input x produces (V′(w), P)(x); S on inputs x and w produces S(x, w).]

  5. Auxiliary inputs
  This auxiliary input definition captures the idea that zero-knowledge proofs should not increase knowledge, and is closed under sequential composition.
  Definition of Zero-Knowledge (classical): An interactive proof system (P, V) for a given problem A = (A_yes, A_no) is zero-knowledge if, for every polynomial-time verifier V′ there exists a polynomial-time simulator S such that, for every w and x ∈ A_yes, (V′(w), P)(x) and S(x, w) are indistinguishable*. [Goldwasser, Micali & Rackoff, 1989]
  * Different notions of indistinguishability give rise to different variants of zero-knowledge, such as statistical and computational zero-knowledge.

  6. Quantum version of the definition
  Suppose that some verifier V′ tries to use quantum information to extract knowledge from P. (Note that the prover P is still classical, so the input x and any information exchanged between V′ and P must be classical.)
  The interaction between V′ and P on input x induces some admissible mapping on the auxiliary input.
  [Diagram: V′ interacting with P on input x maps the auxiliary register state ρ to Φ_x(ρ).]

  7. Quantum version of the definition
  If P is zero-knowledge even against a verifier V′ that uses quantum information, then there should exist a simulator S that performs an admissible mapping Ψ_x on the auxiliary input that is indistinguishable from Φ_x (when x ∈ A_yes).
  [Diagram: V′ interacting with P on input x maps ρ to Φ_x(ρ); the simulator S on input x maps ρ to Ψ_x(ρ).]

  8. Problem with the quantum definition?
  These definitions are fairly straightforward, but have been considered problematic for several years. (The problem was apparently first identified by Jeroen van de Graaf in his 1997 PhD thesis.)
  The problem: No nontrivial protocols were previously shown to be zero-knowledge with respect to these definitions, even protocols already proved zero-knowledge in the classical setting.
  In order to describe the problem, it will be helpful to consider a simple and well-known zero-knowledge proof system for the Graph Isomorphism problem:
  Input: Two graphs G_0 and G_1 (given by adjacency matrices).
  Yes: G_0 and G_1 are isomorphic (G_0 ≅ G_1).
  No: G_0 and G_1 are not isomorphic (G_0 ≇ G_1).

  9. A zero-knowledge proof system for Graph Isomorphism
  The following protocol (described for honest parties) is a zero-knowledge protocol for Graph Isomorphism [Goldreich, Micali & Wigderson, 1991].
  The GMW Graph Isomorphism Protocol
  Assume the input is a pair (G_0, G_1) of n-vertex graphs. Let σ ∈ S_n be a permutation satisfying σ(G_1) = G_0 if G_0 ≅ G_1, and let σ be arbitrary otherwise.
  Prover’s step 1: Choose π ∈ S_n uniformly at random and send H = π(G_0) to the verifier.
  Verifier’s step 1: Choose a ∈ {0, 1} randomly and send a to the prover. (Implicit: challenge the prover to show H ≅ G_a.)
  Prover’s step 2: Let τ = πσ^a and send τ to the verifier.
  Verifier’s step 2: Accept if τ(G_a) = H, reject otherwise.
  Sequential repetition reduces the soundness error.

  10. Zero-knowledge property for the GMW protocol
  The completeness and soundness properties are straightforward. Let us consider the zero-knowledge property.
  Consider a classical cheating verifier V′:
  Verifier’s step 1: Perform some arbitrary polynomial-time computation on (G_0, G_1), auxiliary input w, and H to obtain a ∈ {0, 1}. Send a to P.
  Verifier’s step 2: Perform some arbitrary polynomial-time computation on (G_0, G_1), auxiliary input w, H, and τ to produce output.
  Simulator for V′:
  1. Choose b ∈ {0, 1} and τ ∈ S_n uniformly, and let H = τ(G_b).
  2. Simulate whatever V′ does given prover message H. Let a denote the resulting message back to the prover.
  3. If a ≠ b then rewind: go back to step 1 and try again.
  4. Output whatever V′ would after receiving τ.
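As an added example (not from the talk), the honest GMW protocol round of slide 9 and the classical rewinding simulator of slide 10, written out in Python. The graph encoding (frozensets of undirected edges, permutations as tuples with p[v] the new label of v), the two 4-cycle inputs, and the cheating verifier's challenge rule are constructed for illustration; `tries` just counts how many rewinds the simulator needed.

```python
import random

def apply_perm(perm, graph):
    """Relabel every edge {u, v} of graph as {perm[u], perm[v]}."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in graph)

def compose(p, q):
    """Permutation p∘q: apply q first, then p."""
    return tuple(p[q[v]] for v in range(len(p)))

def random_perm(n, rng):
    p = list(range(n)); rng.shuffle(p); return tuple(p)

def gmw_round(g0, g1, sigma, rng):
    """One round between honest prover and verifier; sigma(G1) = G0 is the prover's witness."""
    pi = random_perm(len(sigma), rng)
    h = apply_perm(pi, g0)                       # prover step 1: H = pi(G0)
    a = rng.randrange(2)                         # verifier step 1: challenge a
    tau = pi if a == 0 else compose(pi, sigma)   # prover step 2: tau = pi * sigma^a
    return apply_perm(tau, (g0, g1)[a]) == h     # verifier step 2: accept iff tau(G_a) == H

def simulate(n, g0, g1, w, v_step1, v_step2, rng):
    """Slide-10 simulator for a cheating verifier V' given as two functions; needs no witness."""
    tries = 0
    while True:
        tries += 1
        b = rng.randrange(2)
        tau = random_perm(n, rng)
        h = apply_perm(tau, (g0, g1)[b])          # step 1: H = tau(G_b) for a guessed b
        a = v_step1(g0, g1, w, h)                 # step 2: run V' on H to get its challenge
        if a == b:                                # step 3: a != b -> rewind (next iteration)
            return v_step2(g0, g1, w, h, tau), tries   # step 4: V's output after seeing tau

# Constructed cheating verifier: its challenge depends on H and on the auxiliary input w.
def cheating_step1(g0, g1, w, h):
    return (sum(min(e) for e in h) + w) % 2
def cheating_step2(g0, g1, w, h, tau):
    return (h, tau)                               # V' just outputs the transcript it saw

# Constructed instance: two 4-cycles on vertices 0..3 with SIGMA(G1) = G0.
G0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 0)])
G1 = frozenset(frozenset(e) for e in [(0, 2), (2, 1), (1, 3), (3, 0)])
SIGMA = (0, 2, 1, 3)

def demo(seed=7):
    """Return (all 20 honest rounds accepted, simulated tau opens H as G_a, rewinds used)."""
    rng = random.Random(seed)
    complete = all(gmw_round(G0, G1, SIGMA, rng) for _ in range(20))
    (h, tau), tries = simulate(4, G0, G1, 1, cheating_step1, cheating_step2, rng)
    return complete, apply_perm(tau, (G0, G1)[cheating_step1(G0, G1, 1, h)]) == h, tries
```

Because the simulator returns only when its guess b matches the verifier's challenge, every simulated transcript (H, a, τ) satisfies τ(G_a) = H exactly as a real one does, and no isomorphism σ was ever used.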

  11. Simulator for a cheating quantum verifier?
  Suppose that we have a cheating quantum verifier V′ that starts the protocol with an auxiliary quantum register W.
  Verifier’s step 1: Perform some arbitrary polynomial-time quantum computation on (G_0, G_1), auxiliary input register W, and H to obtain a ∈ {0, 1}. Send a to P. For example: let a be the outcome of some binary-valued projective measurement {Π^H_0, Π^H_1} of W that depends on H.
  Verifier’s step 2: Perform some arbitrary polynomial-time quantum computation to produce an output.
  How can we simulate such a verifier?

  12. The “no quantum rewinding” issue
  Two principles are working against us:
  • The no-cloning theorem prevents making a copy of the auxiliary input register’s state.
  • Measurements are irreversible.
  Suppose that we randomly choose b and τ, and let H = τ(G_b) as for our simulator before. If the simulator guesses incorrectly (meaning a ≠ b), then the original state of W may not be recoverable.
  “Rewinding by reversing the unitary transformation induced by [the verifier], or taking snapshots is impossible. But. . . showing that rewinding by reversing or by taking snapshots is impossible does not show that no other ways to rewind in polynomial time exist.” [van de Graaf, 1997]

  13. New results
  In the remainder of this talk I will argue that the GMW Graph Isomorphism protocol is indeed zero-knowledge against quantum verifiers:
  • For any quantum verifier V′, there exists a simulator S that induces precisely the same admissible mapping as the interaction between V′ and P (on a “yes” input to the problem).
  • The method gives a way to “rewind” the simulator, but it requires more than just reversing the verifier’s actions. (The entire simulation will be quantum, even though the prover is classical.)
  • The method generalizes to several other protocols (but I will only discuss the Graph Isomorphism example in this talk for simplicity).
