1 / 12

Non-interactive zero-knowledge with quantum random oracles

Non-interactive zero-knowledge with quantum random oracles. WORK IN PROGRESS!. Dominique Unruh University of Tartu With Andris Ambainis , Ansis Rosmanis. Estonian Theory Days. Classical Crypto. (Quick intro.). Non-interactive zero-knowledge (NIZK). Statement x (math. fact)

nigel
Télécharger la présentation

Non-interactive zero-knowledge with quantum random oracles

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Non-interactive zero-knowledgewith quantum random oracles WORK IN PROGRESS! Dominique Unruh University of Tartu With AndrisAmbainis, AnsisRosmanis Estonian Theory Days

  2. ClassicalCrypto (Quick intro.) Non-interactive ZK with Quantum Random Oracles

  3. Non-interactive zero-knowledge (NIZK) Statement x (math. fact) Witness w (proof of fact) P Uses:Proving honest behavior, signatures, … ZK proof of x Zero-knowledge Proof leaks nothingabout witness Soundness Hard to provewrong statements Non-interactive ZK with Quantum Random Oracles

  4. Towards efficient NIZK: Sigma protocols commitment challenge response Prover Verifier “Special soundness”: Two different responses allow to compute witness ⇒ For wrong statement, prover fails w.h.p. Non-interactive ZK with Quantum Random Oracles

  5. Toward efficient NIZK: Random Oracles • Model hash function as random function H • Many useful proof techniques Rewind andre-answer Learn queries H x H(x) Insert “special” answers(“programming”)

  6. NIZK with random oracles Fiat-Shamir Fischlin com • Fix com • Try different chal, respuntil H(chal,resp)=xxx000 • Proof := com,chal,resp • Need to query severalchal,resp • Implies existenceof witness chal H(com) resp Prover • NIZK consists ofcom,chal,resp • Prover can’t cheat:H is like a verifier • Security-proof:Rewinding Non-interactive ZK with Quantum Random Oracles

  7. Classical security easy. Quantum! But if adversary has aquantum computer? Non-interactive ZK with Quantum Random Oracles

  8. The “pick-one trick” (simplified) S • Given a set S • can encode it asa quantum state |Ψ〉 • s.t. for any set Z • you find one x1∈S∩Z • but not two x1,x2∈S Z x1 x2 Non-interactive ZK with Quantum Random Oracles

  9. Attacking Fischlin Fix com Try different chal, respuntil H(chal,resp)=xxx000 Proof = com,chal,resp S={chal,resp} Without knowingwitness! (Because we haveonly one S-element) Z={H(·)=xxx000} Valid fake NIZK [Fiat-Shamir attacked similarly] Non-interactive ZK with Quantum Random Oracles

  10. How does “one-pick trick” work? • Grover: Quantum algorithm for searching • Observation: • First step of Grover produces a stateencoding the search space • This state (plus modified Grover)implements “one-pick trick” • Hard part: Prove “can’t find two x1,x2∈S” Non-interactive ZK with Quantum Random Oracles

  11. No efficient quantum NIZK? • All random oracle NIZKbroken? • No: under extra conditions,Fiat-Shamir and Fischlinmight work (no proof idea) • We found a provable new construction(less efficient) Non-interactive ZK with Quantum Random Oracles

  12. I thank for yourattention This research was supported by European Social Fund’s Doctoral Studies and InternationalisationProgrammeDoRa

More Related