QIP 2017 Zero-knowledge proof systems for QMA
Fang Song Portland State University
Joint work with Anne Broadbent Zhengfeng Ji John Watrous U of Ottawa U of Technology Sydney U of Waterloo How does cryptography change in a quantum world?
§ Quantum attacks § Quantum protocols Hard problems broken Outperform classical protocols • Factoring & DL [Shor’94], • Ex. Quantum key distribution • Some lattice problems [EHKS’14,BS’16,CDPR’16] Crypto tools for quantum tasks • Ex. Encrypt quantum data Security analyses fail • Unique quantum attacks arise • Difficult to reason about quantum adversaries!
1 Today’s Topic
Zero-Knowledge proof systems [GoldwasserMicaliRacoff STOC’84]
The two bananas can be I’m convinced! transformed into each other But I still don’t know how What problems can be proven in Zero-Knowledge?
2 Today in history: ZK for NP
What problems can be proven in Zero-Knowledge?
[GoldreichMicaliWidgerson FOCS’86]
Every problem in NP has a zero-knowledge proof system* * Under suitable hardness assumptions
§ Invaluable in modern cryptography
3 Today: ZK in a quantum world What problems can be proven in Zero-Knowledge quantumly?
1. Do classical protocols remain 2. Can honest users empower Zero-Knowledge against quantum capability and quantum malicious verifiers? prove problems concerning quantum computation?
4 ZK in a quantum world: status
1. Classical ZK against quantum attacks: big challenge • Rewinding: difficult against quantum attackers [Graaf’97] Critical for showing ZK classically
• Special quantum rewinding [Watrous’06] Quantum-secure✔ • GMW protocol can be made quantum-secure ZK for NP • many other cases not applicable
2. ZK proofs for quantum problems: little known • Quantum statistical zero-knowledge well understood • We, as in GMW, consider computational zero-knowledge GMW analogue in Quantum?
5 Our main result
QMA: quantum analogue of NP (MA) |�〉
Every problem in QMA • Problems verifiable by Q-Polytime � efficient quantum alg. has a zero-knowledge ���/��� proof system* • Power: ∃ � in QMA, NOT believed in NP (ex. group non-membership) QMA NP § Nice features of our ZK protocol for QMA: • Simple structure 3-“move”: commit-challenge-respond • All communication classical except first message • *(Almost) minimal assumption: same as GMW with quantum resistance • Efficient prover: useful to build larger crypto constructions
6 Our additional contributions
New tools for quantum crypto and quantum complexity theory
§ Identifying a new complete problem for QMA Further Corollary: QMA = QMA with very limited verifier implications? • Simpler proof than some recent work [MorimaeNF’15’16]
§ A quantum encoding mechanism, supporting Other • “Somewhat homomorphic” applications? • Perfect secrecy • Authentication
7 ZK for QMA Our construction:
8 Inspiration: ZK by homomorphic encryption
ZK for Reductionist's wishful thinking: QMA reduce (ZK for QMA) to (ZK for NP) ZK for NP
§ I seem to know how to: reduce (ZK for NP) to (ZK for NP) using HOMOMORPHIC ENCRYPTION � � �(�) � �′ � � � (�) � � (� � ) � (�) ≈ � (�′) Homomorphic Secrecy 9 Inspiration: ZK by homomorphic encryption
§ Construct (ZK for NP) on (ZK for NP) using homomorphic Enc � = ���(�) • Verifier homomorphically � = ���(�) Verification evaluatesVerification ckt on � encrypted witness circuit � • Prover proves in ZK: the � = ���(� (�)) Run subroutine: result encodes “accept” (Quantum-secure) ZK for NP • Decode of � is accept
§ Challenges of adapting to QMA: Evaluate another circuit • Right tools in the quantum setting: encoding, etc? compute 1 bit of �! • Need authentication: how to prevent dishonest verifier? ! We give an elegant quantum solution
10 Build quantum tool I: a new encoding scheme * Based on quantum error correcting � & (trap) quantum auth. scheme [BGS12] § Augmented trap scheme*, simultaneously supporting i. Clifford circuits � & measure, transversally ii. Perfect* secrecy (“somewhat” homomorphic) � � Avg over � � � , � � * Need no computational assumptions
iii. Authentication • Dishonest behavior can be detected § But: verification of existing QMA-complete problems require more than �(simple, non-universal) 11 Build quantum tool II: a new QMA-complete problem
§ Local Clifford-Hamiltonian (LCH) Problem ∗ Input: Hamiltonian � , … � , each � on 5 qubits & of form � 0 〈0|� • YES: ∃ �-qubit state �, �, ∑� ≤ 2 (no violation, low eigenvalue) • NO: ∀ �-qubit state �, �, ∑� ≥ 1/� (lots violation, large eigenvalue) Theorem: LCH is QMA-Complete è QMA = QMA[Clifford verifier] = QMA[single qubit measurement] Verification circuit • Pick small random part of witness � ∈ � � = � 0 〈0|�∗ • Apply Clifford � ∈ � & measure: Clifford • non-zero string à accept � Can run Verification on encoded witness (by AugTrap) transversally 12 cute-calendar.com
ZK for QMA Reductionist's wishful thinking:✓ reduce (ZK for QMA) to (ZK for NP) ZK for NP
13 ZK proof system for LCH
∗ Witness |�〉 Input: � , … , � , � = � 0 〈0|�
AugTrap Enc Committing � w. key � 1 |�〉 �
2 Pick random � and measure � �, � on encoded witness, outcome � Check � & � consistent 3 (i.e. verifier seemed honest) Invoke quantum-secure a. ∃� consistent with commit � 5 ZK proof for NP b. decoding according to key � not violate �
§ Nice features • Simple structure 3-“move” • Efficient prover • All but first message classical • Only assuming: commitment (to classical msg) that is quantum-secure
14 Our ZK protocol for LCH works
§ Completeness: ✔ § Soundness: ✔ • Full proof non-trivial, relying on error correcting code & binding of commit § Zero-knowledge: for any malicious verifier Can be viewed as hybrid encryption of |�〉 � (|�〉) + � • Verifier’s measurement produces classical encrypted msg • “Leakage” resilient: acc/rej in step 3 may leak info. about � • � doesn’t compromise secrecy on remaining qubits Corollary: any problem in QMA has a ZK proof system
15 Timeline in retrospect: alternate approaches?
Q2PC ZK born ZK for IP [DNS] OUR RESULT [GMR] [BGG+] (quantum-secure) ZK for QMA ‘86‘86 ‘06 ‘84 ’88 ’12 ’16
ZKZK forfor NPNP Quantum-secure [GMW][GMW] [Shor’94] ZK for NP QMA IP [Watrous] NP
16 Comparison
GMW ZK for IP1 Q2PC1 Our protocol analogue1 w. Q-Security All QMA ✗ ✔ ✔ ✔
Prover ✔ ✗ ✔ ✔ efficiency Mild ✔ ✔ ✗ ✔ assumption2 Round # ✔ ✗ ✗3 ✔
Availability ✔ ✔✔4 ✗ ✔
1. plausible, but needs double-check; 2. commitment vs. dense PKE 3. depends on V’s ckt; 4. purely classical 17 Concluding Remarks
Every QMA problem has a “nice” zero-knowledge proof system
New tools for quantum crypto • QMA complete: local Clifford Hamiltonian Problem & quantum complexity theory • Augmented Trap encoding scheme § Future directions 1. ZK for QMA 3. QPIP • purely classical protocol (w. efficient prover)? • verifying a quantum • constant-round (CR) w. negl. soundness error: computer by a • CRZK for NP (Q-Security unknown) è CRZK for QMA classical computer? 2. Proof of quantum knowledge? Thank you!
18 Supplement materials
19 Augmented Trap Scheme
Input: |�〉 1. Error correcting code 0 − �|1〉 � ∈ |0〉, + , 2 2. Trap qubits
3. Random permutation �