QIP 2017 Zero-knowledge proof systems for QMA
Fang Song Portland State University
Joint work with Anne Broadbent Zhengfeng Ji John Watrous U of Ottawa U of Technology Sydney U of Waterloo How does cryptography change in a quantum world?
§ Quantum attacks § Quantum protocols Hard problems broken Outperform classical protocols • Factoring & DL [Shor’94], • Ex. Quantum key distribution • Some lattice problems [EHKS’14,BS’16,CDPR’16] Crypto tools for quantum tasks • Ex. Encrypt quantum data Security analyses fail • Unique quantum attacks arise • Difficult to reason about quantum adversaries!
1 Today’s Topic
Zero-Knowledge proof systems [GoldwasserMicaliRacoff STOC’84]
The two bananas can be I’m convinced! transformed into each other But I still don’t know how What problems can be proven in Zero-Knowledge?
2 Today in history: ZK for NP
What problems can be proven in Zero-Knowledge?
[GoldreichMicaliWidgerson FOCS’86]
Every problem in NP has a zero-knowledge proof system* * Under suitable hardness assumptions
§ Invaluable in modern cryptography
3 Today: ZK in a quantum world What problems can be proven in Zero-Knowledge quantumly?
1. Do classical protocols remain 2. Can honest users empower Zero-Knowledge against quantum capability and quantum malicious verifiers? prove problems concerning quantum computation?
4 ZK in a quantum world: status
1. Classical ZK against quantum attacks: big challenge • Rewinding: difficult against quantum attackers [Graaf’97] Critical for showing ZK classically
• Special quantum rewinding [Watrous’06] Quantum-secure✔ • GMW protocol can be made quantum-secure ZK for NP • many other cases not applicable
2. ZK proofs for quantum problems: little known • Quantum statistical zero-knowledge well understood • We, as in GMW, consider computational zero-knowledge GMW analogue in Quantum?
5 Our main result
QMA: quantum analogue of NP (MA) |�〉
Every problem in QMA • Problems verifiable by Q-Polytime � efficient quantum alg. � has a zero-knowledge ���/��� proof system* • Power: ∃ � in QMA, NOT believed in NP (ex. group non-membership) QMA NP § Nice features of our ZK protocol for QMA: • Simple structure 3-“move”: commit-challenge-respond • All communication classical except first message • *(Almost) minimal assumption: same as GMW with quantum resistance • Efficient prover: useful to build larger crypto constructions
6 Our additional contributions
New tools for quantum crypto and quantum complexity theory
§ Identifying a new complete problem for QMA Further Corollary: QMA = QMA with very limited verifier implications? • Simpler proof than some recent work [MorimaeNF’15’16]
§ A quantum encoding mechanism, supporting Other • “Somewhat homomorphic” applications? • Perfect secrecy • Authentication
7 ZK for QMA Our construction:
8 Inspiration: ZK by homomorphic encryption
ZK for Reductionist's wishful thinking: QMA reduce (ZK for QMA) to (ZK for NP) ZK for NP
§ I seem to know how to: reduce (ZK for NP) to (ZK for NP) using HOMOMORPHIC ENCRYPTION � � �(�) � �′ �� �� ��(�) �� ��(� � ) ��(�) ≈ ��(�′) Homomorphic Secrecy 9 Inspiration: ZK by homomorphic encryption
§ Construct (ZK for NP) on (ZK for NP) using homomorphic Enc � = ���(�) • Verifier homomorphically � = ���(�) Verification evaluatesVerification ckt on �� encrypted witness � circuit � • Prover proves in ZK: the �� = ���(� (�)) Run subroutine: � result encodes “accept” (Quantum-secure) ZK for NP • Decode of �� is accept
§ Challenges of adapting to QMA: Evaluate another circuit �� • Right tools in the quantum setting: encoding, etc? compute 1 bit of �! • Need authentication: how to prevent dishonest verifier? ! We give an elegant quantum solution
10 Build quantum tool I: a new encoding scheme * Based on quantum error correcting �� & (trap) quantum auth. scheme [BGS12] § Augmented trap scheme*, simultaneously supporting i. Clifford circuits � & measure, transversally ii. Perfect* secrecy (“somewhat” homomorphic) � � Avg over � �� ��,� �� �� * Need no computational assumptions
iii. Authentication • Dishonest behavior can be detected § But: verification of existing QMA-complete problems require more than �(simple, non-universal) 11 Build quantum tool II: a new QMA-complete problem
§ Local Clifford-Hamiltonian (LCH) Problem ∗ Input: Hamiltonian ��, … ��, each �� on 5 qubits & of form �� 0 〈0|�� �� • YES: ∃ �-qubit state �, �, ∑�� ≤ 2 (no violation, low eigenvalue) • NO: ∀ �-qubit state �, �, ∑�� ≥ 1/� (lots violation, large eigenvalue) Theorem: LCH is QMA-Complete è QMA = QMA[Clifford verifier] = QMA[single qubit measurement] Verification circuit • Pick small random part of witness �� ∈ � � = � 0 〈0|�∗ • Apply Clifford � ∈ � & measure: Clifford � � � • non-zero string à accept � Can run Verification on encoded witness (by AugTrap) transversally 12 cute-calendar.com
ZK for QMA Reductionist's wishful thinking:✓ reduce (ZK for QMA) to (ZK for NP) ZK for NP
13 ZK proof system for LCH
∗ Witness |�〉 Input: ��, … , ��, �� = �� 0 〈0|��
AugTrap Enc Committing � w. key � 1 |�〉 �
2 Pick random � and measure � �, ��� � on encoded witness, outcome �� Check ���& �� consistent � 3 (i.e. verifier seemed honest) Invoke quantum-secure a. ∃� consistent with commit �� 5 ZK proof for NP b. decoding � according to key �� not violate ��
§ Nice features • Simple structure 3-“move” • Efficient prover • All but first message classical • Only assuming: commitment (to classical msg) that is quantum-secure
14 Our ZK protocol for LCH works
§ Completeness: ✔ § Soundness: ✔ • Full proof non-trivial, relying on error correcting code & binding of commit § Zero-knowledge: for any malicious verifier Can be viewed as hybrid encryption of |�〉 ��(|�〉) + � • Verifier’s measurement produces classical encrypted msg • “Leakage” resilient: acc/rej in step 3 may leak info. about �� • �� doesn’t compromise secrecy on remaining qubits Corollary: any problem in QMA has a ZK proof system
15 Timeline in retrospect: alternate approaches?
Q2PC ZK born ZK for IP [DNS] OUR RESULT [GMR] [BGG+] (quantum-secure) ZK for QMA ‘86‘86 ‘06 ‘84 ’88 ’12 ’16
ZKZK forfor NPNP Quantum-secure [GMW][GMW] [Shor’94] ZK for NP QMA IP [Watrous] NP
16 Comparison
GMW ZK for IP1 Q2PC1 Our protocol analogue1 w. Q-Security All QMA ✗ ✔ ✔ ✔
Prover ✔ ✗ ✔ ✔ efficiency Mild ✔ ✔ ✗ ✔ assumption2 Round # ✔ ✗ ✗3 ✔
Availability ✔ ✔✔4 ✗ ✔
1. plausible, but needs double-check; 2. commitment vs. dense PKE 3. depends on V’s ckt; 4. purely classical 17 Concluding Remarks
Every QMA problem has a “nice” zero-knowledge proof system
New tools for quantum crypto • QMA complete: local Clifford Hamiltonian Problem & quantum complexity theory • Augmented Trap encoding scheme § Future directions 1. ZK for QMA 3. QPIP • purely classical protocol (w. efficient prover)? • verifying a quantum • constant-round (CR) w. negl. soundness error: computer by a • CRZK for NP (Q-Security unknown) è CRZK for QMA classical computer? 2. Proof of quantum knowledge? Thank you!
18 Supplement materials
19 Augmented Trap Scheme
Input: |�〉 1. Error correcting code 0 − �|1〉 �� ∈� |0〉, + , � 2 2. Trap qubits
3. Random permutation �
�� �� � � : ��, �� ∈� {0,1} 4. Quantum one-time pad
Output: ��(|�〉) Classical Key: � = (��, �, ��, ��)
20 LCH: Proof sketch and implications
§ It’s (almost) there in Kitaev’s proof: � � for an arb. QMA problem = ��� + ���� + ������ + ����� 1 � = ⋯ = 10 10 ⊗ � ⊗ � − 1 0 ⊗ � − 0 1 ⊗ �∗] ����,� ���,��� 2 � � � � � A universal gate set {Λ � , �}: L � Instead, assume � ∈ {Λ � , � ⊗ �} � ⊗ � − 1 0 ⊗ �(�) − 0 1 ⊗ � � ∗] � Ex. � � � � = �� ⊗ � ⊗ � 000 + �� ⊗ � ⊗ � 000 + �� ⊗ � ⊗ � 000 + �∗� ⊗ � ⊗ � |000〉 QMA = QMA with Clifford verifier
QMA = QMA with single qubit measurement Simper proof than [MNS’16]
21 Alternate approaches?
§ Mimicking GMW 3-Coloring protocol? Known QMA-complete J • A candidate: local-consistency problem [Liu05] problems NOT as fit … L • But, does NOT give ZK for all QMA problem • Local-consistency was proven QMA-complete only under Cook reductions QMA NP IP § Making ZK for IP [BGG+88] quantum secure? J • Plausible w. comparable assumption L • Prover not poly-time • Purely classical protocol • Round complexity large
§ Invoking secure quantum 2-party computation [DNS12]? L • Only sound against poly-time prover (i.e. argument system) • Comm. inherently quantum, round # depends on Ver circuit • Much stronger assumptions: quantum secure dense PKE
22