Arxiv:2104.04742V2 [Quant-Ph] 13 Apr 2021 Keywords: Quantum Cryptography, Remote State Preparation, Zero-Knowledge, Learning with Errors Table of Contents

Non-Destructive Zero-Knowledge Proofs on Quantum States, and Multi-Party Generation of Authorized Hidden GHZ States

Léo Colisson 1, Frédéric Grosshans 1, Elham Kasheﬁ1,2

1 Laboratoire d’Informatique de Paris 6 (LIP6), Sorbonne Université, 4 Place Jussieu, 75252 Paris CEDEX 05, France {leo.colisson, frederic.grosshans}@lip6.fr 2 School of Informatics, University of Edinburgh, 10 Crichton Street, Edinburgh EH8 9AB, UK

Abstract. Due to the special no-cloning principle, quantum states appear to be very useful in cryptography. But this very same property also has drawbacks: when receiving a quantum state, it is nearly impossible for the receiver to eﬃciently check non-trivial properties on that state without destroying it. This allows a malicious sender to send maliciously crafted states without being detected. The natural (destructive) method for testing a quantum state is the “cut-and-choose” method. However, this method has many drawbacks: the security is only linear, and the class of states and properties that can be tested is quite restricted.

In this work, we propose a diﬀerent approach, and we initiate the study of Non-Destructive Zero-Knowledge Proofs on Quantum States. Our method binds a quantum state to a classical encryption of that quantum state. That way, the receiver can obtain guarantees on the quantum state by asking to the sender to prove properties directly on the classical encryption. This method is therefore non-destructive, and it is possible to verify a very large class of properties. For instance, we can force the sender to send diﬀerent categories of states depending on whether they know a classical password or not. Moreover, we can also provide guarantees to the sender: for example, we can ensure that the receiver will never learn whether the sender knows the password or not.

We also extend this method to the multi-party setting. We show how it can prove useful to distribute a GHZ state between diﬀerent parties, in such a way that only parties knowing a secret can be part of this GHZ. Moreover, the identity of the parties that are part of the GHZ remains hidden to any malicious party. A direct application would be to allow a server to create a secret sharing of a qubit between unknown parties, authorized for example by a third party Certiﬁcation Authority.

Finally, we provide simpler “blind” versions of the protocols that could prove useful in Anonymous Transmission or Quantum Onion Routing, and we explicit a cryptographic function required in our protocols based on the Learning With Errors hardness problem.

arXiv:2104.04742v2 [quant-ph] 13 Apr 2021 Keywords: Quantum Cryptography, Remote State Preparation, Zero-Knowledge, Learning With Errors Table of Contents

1 Introduction ...... 3 1.1 Our Results ...... 3 1.2 Related works...... 4 1.3 Paper Organization ...... 5 2 Technical overview and presentation of the setup ...... 5 2.1 Initial setup ...... 5 2.2 List of the protocols proposed in this work...... 6 2.3 Quick overview of our methods ...... 8 3 Preliminaries ...... 10 3.1 Notation ...... 10 3.2 Generalized hidden GHZ state ...... 12 3.3 Classical Zero-Knowledge proofs and arguments for NP...... 12 3.4 Classical Multi-Party Computations ...... 14 3.5 Introduction to the Learning With Errors (LWE) problem ...... 15 3.6 The [MP12] Construction ...... 18 4 Cryptographic requirements ...... 21 5 The diﬀerent protocols...... 24 5.1 The protocol BLIND ...... 24 5.2 The protocol BLINDsup ...... 25 5.3 The impossible protocol BLINDcan ...... 26 sup 5.4 The protocol BLINDcan ...... 27 5.5 The protocol AUTH BLINDdist ...... 30 − can 6 Function construction ...... 38 6.1 Construction of a δ-GHZH capable family ...... 38 6.2 Generic construction to create distributable δ0-GHZcan capable primitives from δ-GHZH capable primitives ...... 44 7 Acknowledgement ...... 47 1 Introduction

Due to the special no-cloning principle, quantum states appear to be very useful in cryptography. But this very same property also has drawbacks: when receiving a quantum state, it is nearly impossible for the receiver to efficiently check non-trivial properties on that state without destroying it. This allows malicious sender to send maliciously crafted states without being detected. To illustrate this, let us imagine the following simple goal: a receiver receives a quantum state, 1 iθ π 7π and would like to make sure that this state is a +θ := √ ( 0 +e 1 ), with θ 0, ,..., , | i 2 | i | i ∈ { 4 4 } and not a complicated, maliciously prepared, entangled state. A first naive method would be, maybe, to ask to the sender to commit before on the value of θ and then, during a test run, to open the commitment and let the sender measure the state using this angle in order to test if the qubit indeed corresponds to a +θ state. The problems of this kind of methods are | i three-fold: – The test is destructive: once the measurement is done, the qubit is destroyed. This means that this qubit will not be usable later in any protocol. The usual “quantum way” of solving this problem is to use a “cut-and-choose” method: repeat this operation many times (say N), randomly select one run which will not be tested, and test (i.e. destroy) the other N 1 − ones. If all tests pass, then the remaining, non tested qubit can be used later. . . – But this cut-and-choose method has another problem: the security scales only (at most) linearly with the number of qubits. A malicious sender could be honest in N 1 runs and − send a completely malicious state for one of the runs. If the receiver decides not to test this 1 run (probability N ) and uses it in other protocols, then the sender managed to trick the receiver. – And finally, there are cases where the cut-and-choose method cannot even apply: for example when the value of the state must be kept secret, or if this value must depend on a secret information. Indeed, the angle θ that is revealed during all the test runs may contain valuable information. For example, one could imagine a desired protocol in which the sender is only allowed to send a +θ with θ = 0, π if they know the password of the local Mafia, | i { } π 3π and otherwise the sender would be expected to generate states for which θ , . We ∈ { 2 2 } can see that cut-and-choose does not help us here: revealing the value of θ during the test runs would leak to the receiver whether the sender is part of the Mafia or not. Moreover, the server has no way to enforce someone that is not part of the Mafia to generate a +θ | i with θ 0, π . ∈ { } This work: The method that we propose here solves these three issues altogether: we provide a way to obtain a quantum state, do tests on it without destroying it, in such a way that the probability of cheating is negligible (but the security is computational), and the tests are performed in such a way that we can test properties linking secret classical data (like passwords) to the produced quantum state. In this work, we also generalize this idea to multi-party quantum states, and focus on the generation of distributed GHZ states with special properties.

1.1 Our Results

In this work: 1. We initiate the study of Non-Destructive Zero-Knowledge Proofs on Quantum States. We are able to obtain these guarantees by changing the way the sender sends the quantum state. Instead of sending a quantum state directly, the sender sends classical data encrypting a target class of quantum states. Then, the receiver will use this classical encryption to produce one quantum state. Since the quantum state is now tightly bound to the classical encryption, the receiver is able to obtain guarantees on the obtained quantum state by using classical protocols directly on the classical state, such as Zero-Knowledge (ZK) or Multi-Party Computation (MPC) protocols.

3 The advantages are numerous: this verification is non-destructive, can be done over a purely classical channel, and it is now possible to check much more involved properties on the quantum state, potentially linked with secret classical information or involving multiple parties. For instance, we can force the sender to send different categories of states depending on whether or not they know a classical password or signature. While it is not the first time that LWE based methods are used in quantum cryptography to protect the sender, to the best of our knowledge, it is the first time that this kind of cryptography is used to also protect the receiver. This allows us to bypass fundamental quantum limitations, and our result suggests the existence of a “classical advantage”, i.e. a class of problems that cannot be solved via more traditional purely quantum protocols. We expect this result to have further independent interests. 2. We present a concrete usecase in the context of the generation of multi-party certified hidden GHZ states. We derive a protocol between a server and n “applicants”. At the end of the protocol, the applicants end-up sharing a GHZ state in such a way that, if the server is honest, only the applicants knowing a classical secret (password/secret key/signature/. . . ) can be part of the GHZ (they are then said to be supported). Others applicant will not be entangled in any way with the supported applicants, and therefore cannot disturb a potential future protocol. Our protocol has the following properties: – The protocol is blind, in the sense that no adversary (corrupting potentially the server and some applicants) can learn whether the honest applicants are supported or not. – As soon as the server is honest, it is also impossible for any malicious or noisy applicant to significantly change the GHZ state obtained by supported applicants. This is particularly interesting to avoid “Denial Of Service” kind of attacks in which a malicious applicant can try to force the protocol to produce a wrong state without being detected. One direct application is the following: a server can share a quantum state between parties that have been authorized, say, by some Certification Authority. The protocol can ensure that the identity of these authorized parties stay hidden, even against a malicious coalition involving the server and applicants. 3. We provide a series of simpler protocols that only provide blindness. In these protocol a classical trusted third party is in charge of choosing who is supported and who is not. These protocols could prove useful in the context of Anonymous Transmission, Quantum Onion Routing... 4. We give an instantiation of a cryptographic family required in our protocol whose security relies on the hardness of LWE (with superpolynomial modulus-to-noise ratio).

1.2 Related works Classical Zero-Knowledge proofs and interactive proofs systems have been introduced thirty years ago [GMR89, BM88], and allow a prover to prove a statement to a verifier without revealing anything beyond the fact that this statement is true. Zero-Knowledge proofs have been proposed for any language in NP [GMW91]. The security of classical Zero-Knowledge proofs were also extended to protect against malicious quantum provers [Wat09, Unr12, BS20], and much work has been done to extend these protocols to remove interactivity or deal with multiple (potentially quantum) provers, targeting larger classes like IP, QMA, MIP or MIP∗, sometimes considering “dequantized” verifiers ([IY87, BFM88, BJSW16, GSY19, CVZ20, ACGH20, BG20, BCKM20, VZ20, Shm20, MY21], see also the review [VW16]). However, in the previous studies, the goal was to prove that a classical string belongs to a given language (potentially using a quantum witness). To our knowledge, no work has been done before to show similar properties on a quantum state: we aim to initiate this study. In this paper, we use internally classical cryptography to leverage quantum cryptography. [Mah18a] introduced for the first time this notion, and this idea lead to the development of many quantum protocols based on classical cryptography [Mah18b, BCM+18, Bra18, MDCAF20]. The first classical-client Remote State Preparation (RSP) protocol was proposed in [CCKW21]. Informally, in this protocol, a purely classical client can create a state on a quantum server,

4 in such a way that only the client knows the description of that qubit. This protocol named QFactory was later improved in [CCKW19], and proven secure against an arbitrary malicious adversary. Another protocol [GV19] can also be used to obtain a verifiable classical-client RSP. While this later paper provides stronger guarantees in term of verification, it offers less control over the secret bits and it cannot be directly extended to produce multi-party GHZ states. For these reasons, we will build our approach upon the QFactory protocol. Some general impossibility results on classical RSP protocols are also given in [BCC+20, MT20]: therefore we will not consider the Constructive Cryptography framework in this paper. We emphasize that in these protocols, the client was always considered to be honest: In this work, we also exploit differently the “classical cryptographic leash”, in order to also provide guarantees against malicious clients and achieve protocols that seem to be impossible to obtain using pure quantum cryptography. We expect this “classical advantage” to be of independent interest, potentially in Quantum Anonymous Transmission [CW05], Quantum Onion-like Routing, or Quantum Multi-Party Computations. Moreover, even if we focus on GHZ states in this paper, it may be possible to combine QFactory and the Universal Blind Quantum Computing protocol [BFK09] (whose security is proven in [BCC+20]) to obtain similar results on different classes of states. In this work, we focus on the distributed generation of hidden Greenberger–Horne–Zeilinger (GHZ) state [GHZ89]. This state (and its special case, the Bell state) is quite popular, and appears to be useful in many protocols, such as in Quantum Secret Sharing [HBB99], Quantum Teleportation [BBC+93], Entanglement Distillation [BBPS96, BBP+96, BDSW96], Anonymous Transmission [CW05], Quantum Routing [PWD18, MMG19]. Our approach could be used as an initial step in order to run this kind of protocols between an unknown subset of authorized parties. We note that even if our protocols are computationally secure (no computationally bounded party, including the source, can learn to whom the GHZ will be distributed), one may still be able to obtain unconditional guarantees, for example when the source is not corrupted: each authorized supported party will indeed receive a GHZ state, and the security guarantees coming from a protocol assuming an honest or not collaborating source should follow. However, when the source is allowed to be malicious and to collaborate with the parties, extra care is required: the source/server can try to learn information about the set of supported applicants by sending garbage to some honest parties and then ask to the corrupted parties whether the protocol aborted or not.

1.3 Paper Organization

In the Section2 we give a generic overview of our result: Section 2.1 presents the role of the different parties, Section 2.2 gives the list of the different protocols we realize, and Section 2.3 gives an insight on the technical methods used in this paper. The preliminaries can be found in Section3. Then, we give in Section4 the cryptographic requirements of our protocols. In Section5, the reader will find the definition of our different protocols—including one desirable but impossible protocol—with our main protocol AUTH BLINDdist in Section 5.5. Finally, the − can Section6 explains how to construct the required cryptographic primitives: Section 6.1 shows how to obtain an δ-GHZH capable family, and Section 6.2 describes a generic way to construct a distributable δ0-GHZcan capable family.

2 Technical overview and presentation of the setup

2.1 Initial setup

In this paper we describe protocols which allow the (secret) distribution of a GHZ state between n clients. The protocols involve several parties:

5 3 – There are n (weakly ) quantum applicants ai. At the end of the protocols, a (secret) subset of these applicants—the supported4 applicants—will share a GHZ state. S – A quantum5 server, Bob. Bob is quantumly connected to all applicants, and this is the only quantum communication required in the upcoming protocols. – Cupid6 is an honest classical party (the only party that will always be considered as honest when present. In our last protocol, we will replace Cupid with MPC). Cupid will be in charge of choosing the supported applicants that will share a GHZ at the end of the protocol. We assume Cupid can communicate classically with the server, as well as with all applicants—using secure (i.e. conﬁdential7 and authenticated) channels. Note that if the supported applicants want to perform at the end some quantum protocols in order to use the previously shared GHZ state, Cupid may also be used as a proxy forwarding the messages to the good applicants in case classical communication is required between participants8.

Note also that these parties may not be always diﬀerent entities. For example, when a user wants to send a qubit to a secret recipient, this user could be both considered as an applicant and as Cupid. Similarly, the server may want to be part of the applicants. Moreover, in our ﬁnal protocol, the role of Cupid is distributed among all applicants: each applicant will be able to choose whether they want to be part of the GHZ or not, and in that setting all parties may potentially be malicious. This protocol will also be the one that exhibits the notion of Non-Destructive Zero-Knowledge on Quantum States. However, since the simpler protocols could be of independent interest, we also study them separately.

2.2 List of the protocols proposed in this work

In the following, a canonical GHZ state will be a state of the form √1 ( 0 ... 0 + 1 ... 1 ) (we 2 | i | i will drop all normalization factors later), a generalized GHZ state is a GHZ state in which we applied some local X or Z gates, and a hidden (generalized) GHZ is a permutation of a (generalized) GHZ state tensored with some 0 and 1 qubits. | i | i We propose different protocols to distribute a GHZ state, depending on the exact nature of the distributed state (canonical or generalized), whether the applicants know their own support status, and who chooses the set of applicants that can share the GHZ state (trusted party or via a “blind” authorization mechanism). All these protocols are extensions of the same initial protocol BLIND: they are composed by a run of BLIND followed by few simple local quantum sup sup operations and some classical interactions. The first protocols BLIND, BLIND and BLINDcan require the trusted party Cupid, while in the last (more advanced) protocol AUTH BLINDdist − can 3The applicants need only basics quantum skills, depending on the protocol, they may have nothing to do except receiving a state, or may need to apply a few gates. 4We also call them supported because they are part of the support of the hidden GHZ state. We may also refer to this as being the support status of an applicant. 5Bob needs to perform quite heavy quantum computations. 6Besides having a name starting with a ’C’, Cupid, the roman god of love, is famous for sending arrows at the heart of Humans to designate the beloved among the applicants. 7Since secure channels may still leak the length of the exchanged message, in this paper we assume that for a given round, all messages have the same size. 8In that case, it is also important to make sure that no adversary can detect the source and the destination of a message, otherwise it would be trivial for the adversary to obtain the set of supported applicants. This could be achieved by either asking to all non-supported applicants to also send/receive dummy encrypted messages to Cupid when a message is expected to be exchanged (it is the simplest solution but may not be the most efficient solution), by using a classical channel that is not controlled by the adversary to exchange these messages, by using a noisy cover channel in which communications can be made undetectable, or by relying on an anonymous onion-like routing protocol if the adversary controls only parts of the network and if enough unrelated messages are exchanged this way to make sure that the adversary cannot apply timing attacks/flow correlation attacks. . .

6 all parties are potentially malicious. We also show the impossibility of a desirable variant of these protocols, BLINDcan. The first protocols show how a quantum state can be obtained from a classical encryption, which allows us to “bind” a quantum state to classical data, and the last protocol AUTH BLINDdist is the one that exploits this property and exhibits non-destructive − can proofs on quantum states. More precisely: – The initial protocol BLIND (Section 5.1) will generate (during an honest run) a hidden generalized GHZ state between all applicants. Cupid will be able to choose the support of that hidden GHZ, and they will be the only person knowing the GHZ key. None of the applicants will be able to know if they are supported or not, even if they all collude with the server. – The protocol BLINDsup (Section 5.2) is like BLIND but all applicants will learn their respective support status. The support status of honest applicants is completely hidden to any malicious adversary that can corrupt the server, any other applicant, and collude with them. – The protocol BLINDcan would be like BLIND, except that the supported applicants would also share a canonical GHZ state. The security of such a protocol is impossible to guarantee, as shown in Section 5.3. sup sup – The protocol BLINDcan (Section 5.4) is like BLIND (i.e. all applicants learn their respective support status), except that the supported applicants also share a canonical GHZ state. For the security, we require at least one supported applicant to be honest when the adversary is allowed to corrupt supported applicants (the identity of this honest applicant may be unknown to the adversary), otherwise there is a trivial attack against any such protocol. In that case, we show that the support status of honest applicants is completely hidden to any malicious adversary that can corrupt and control the server and any other applicant. – While the previous protocols introduced how to bind quantum states to classical data, we can now use all the classical methods to manipulate indirectly quantum states: Zero- Knowledge [GMW91], classical Multi-Party computation [GMW87], Fully Homomorphic dist sup Encryption [Gen09], etc. The protocol AUTH BLIND (Section 5.5) is like BLINDcan − can (applicants share a canonical GHZ and each applicant know its own support status), except that each applicant can choose their own support status at the beginning of the protocol (so Cupid is not useful anymore as its role is distributed among applicants). Moreover, the server can also ask to each participant to “authorize” by proving in a zero-knowledge way that if they are supported, then they know a classical secret (it could be a password, a signature from a trusted authority, a private key linked with a public key, etc.). This operation can be seen as a non-destructive zero-knowledge proof on a (multi-party) quantum state, which, up to our knowledge, is the first protocol of this kind. sup The security guarantees are also similar to the ones of BLINDcan (a malicious server, corrupting some applicants, cannot know the support status of other applicants), except that we also prove that the server is guaranteed to share the correct hidden GHZ state, even in the presence of malicious or noisy applicants. Note that this protocol uses internally a general classical Multi-Party Computing (MPC) protocol, together with a classical Zero-Knowledge Proof of Knowledge (ZKPoK) protocol, therefore the classical communication in this protocol is not as trivial as in the previous protocols. The MPC part is used not only to ensure security, but also to detect any malicious applicant trying to alter the state obtained by honest supported applicant. The ZKPoK part is used to guarantee to the server that it is not only sharing a hidden GHZ, but that the applicants that are supported indeed know a secret. A simple application of the AUTH BLINDdist protocol would be to allow Bob to teleport a − can quantum state ψ to an unknown applicant who knows a secret password, or who has access to | i a signature provided by a Certification Authority. The applicant would be allowed to hide its identity to Bob, and Bob can be sure that only applicants knowing the password/signature could obtain the state ψ . In addition, if several applicants know the secret, then Bob is in fact secret | i sharing its qubit ψ among all applicants knowing this secret [HBB99]. Other applications are | i discussed at the end of Section 1.2.

7 Finally, we emphasize that in this work, any property of security is understood as “for any QPTadversary, the probability of attacking the protocol is negligible with respect to the security parameter λ”.

2.3 Quick overview of our methods

Cryptographic assumptions: We need to use a classical cryptographic family of functions fk k∈K, together with a function h having several properties. The exact list of requirements is { } n given in Section4, but here are the important properties. For any d0 0, 1 (intuitively that ∈ { } λ represents the support status of all applicants), we can generate using a function Gen(1 , d0) an index k and a trapdoor tk such that:

−1 – fk is 2-to-1 (i.e. for all x, f (fk(x)) = 2, we will also generalize later to approximate | k | δ-2-to-1 functions). – fk can be efficiently computed given k, but should be hard to invert without tk. Moreover, it should be hard to obtain any information on d0 given k. – Given the trapdoor tk, fk can be efficiently inverted. 0 0 0 – For any x = x such that f(x) = f(x ), the bitwise XOR h(x) h(x ) = d0. 6 ⊕ We will say that such a family is δ-GHZH capable (more details in Definition 4.1). While these properties will be enough to understand our “binding” approach, in practice we will also require other properties in order to allow each applicant to choose their own support status. More pre- (i) (i) λ cisely, we will require the existence of a local generation procedure (tk , k ) GenLoc(1 , d0[i]) (1) (n) (i) ← (i) such that k = (k , . . . , k ) (since k is enough to fix d0[i], we may write d0[i] := d0(k )). (i) Moreover tk can be used to obtain partial information about the preimages of fk: one can, for (i) example, obtain the i-th bit of h(x) given fk(x) and tk . These additional properties will be important to allow the creation of a multi-party state, and we will say that such family is a distributable δ-GHZcan capable family.

Binding quantum states and classical data: The ﬁrst key point of our method is to bind a classical message to a quantum state. Instead of receiving directly a quantum state, the receiver receives a classical encryption of that quantum state and derives from it the actual quantum state. More precisely, since in our case we are interested in the preparation of hidden GHZ states (i.e. a state which is equal, up to some local operations, to a permutation of ( 0 ... 0 + 1 ... 1 ) 0 ... 0 ), we proceed as follows: If we expect d0 to be the support of the | i | i ⊗ | i GHZ state (i.e. qubit i is part of the GHZ iﬀ d0 = 1), then the encryption of the quantum state λ will be k, were k is generated using Gen(1 , d0). Then, in order to produce the quantum state, the receiver will run the unitary corresponding to x (h(x), fk(x)) in superposition, obtaining 7→ the state:

X X 0 0 x h(x) fk(x) = ( x h(x) + x h(x ) ) y (1) x | i | i | i y | i | i | i | i | i

0 where in the right hand side, we sum over the elements y in the image of fk, and (x, x ) are the two preimages of y (reminder: the function is 2-to-1). After measuring the last register, we obtain a y, and the following quantum state (where x and x0 are the two preimages of y):

x h(x) + x0 h(x0) (2) | i | i | i | i Now, we measure the ﬁrst register in the Hadamard basis, and we obtain:

h(x) + ( 1)α h(x0) (3) | i − | i for some α 0, 1 , depending on the outcome of the measurement. This state is now a hidden ∈ { } 0 GHZ state, whose support is equal to d0 due to the property h(x) h(x ) = d0. Indeed, when ⊕

8 0 d0[i] = 0, h(x)[i] = h(x )[i], so we can factor out this qubit. In order to come back to a canonical GHZ on the other qubits, one just needs to apply an X gate on the i-th qubit for all i such that 1 = h(x)[i] = h(x0)[i], followed by a Z operation on one supported qubit if α = 1. 6 dist Usage in protocols: In order to achieve the above protocols, notably the AUTH BLINDcan (i) (i) − λ protocol, the idea is that each applicant will be asked to sample (k , t ) GenLoc(1 , d0). k ← Then, the k(i) will be sent to the server. In order to prove that they are authorized, each applicant will run with the server a classical Zero-Knowledge (ZK) protocol in order to prove to the server that they know a classical witness wi such that Auth(d0[i], wi) = 1 (the ZK (i) protocol also checks that d0[i] = d0(k )): Auth can be any deterministic function, for example it could return 1 when d0[i] = 0 or if wi corresponds to a signature given by some Certification Authority. Since this protocol is a Zero-Knowledge protocol, the server will not be able to learn much information about d0. In return, the server will have the guarantee that it will indeed produce a hidden GHZ state distributed among authorized applicants. Therefore, the server can run the quantum circuit given in the previous paragraph, and distribute each qubit to the corresponding applicant. In order to come back to a canonical GHZ, each applicant will use (i) their local trapdoor tk to compute h(x) in order to apply the corresponding X correction. Moreover, in order to compute the α needed to apply the Z correction, all parties will run a Multi-Party Computation (MPC). Since α could leak some information about the state, each supported applicant will in fact obtain from the MPC a linear secret sharing of α, i.e. a random αî such that i∈S αî = α. That way, each supported applicant will be able to locally ⊕ apply a Zαî correction, and it will be equivalent to applying a single Zα gate on the overall state.

How to construct the cryptographic assumptions: In order to implement the family can fk k∈K, we proceed in two steps: we first build a family which is δ-GHZ capable (see { } intuitive definition above, or Definition 4.1). The δ is needed because in practice the functions are only 2-to-1 with a probability 1 δ, where δ can be made negligible by relying on the − hardness of GapSVPγ with a super-polynomial ratio γ. We then provide a quite generic method to turn a δ-GHZcan capable family into a δ0-GHZcan capable distributable family. The security of our construction reduces to the hardness of the LWE assumption (more details in Section 3.5), and builds on ideas introduced in [CCKW19] and [CCKW21]. The starting point is the trapdoor construction provided by [MP12]. They provide an algorithm to M×N generate a matrix A Zq (q will be a power of two) that looks random, together with a ∈ M 9 trapdoor matrix R. If the noise e Zq is sufficiently small , the function gA(s, e) := As + e ∈ is injective. Moreover, given the trapdoor R, one can easily invert the function gA, otherwise inverting this function is hard: gA(s, e) is even indistinguishable from a random vector given A. From that, we can first see how to get a δ-2-to-1 family of functions. Note that the larger the noise e is, the larger δ is. So a perfect (but insecure) 2-to-1 family would use e = 0: therefore, to better understand this construction, it may be practical to imagine that e = 0 during a first M reading. The idea of the construction is to sample first an image vector y0 := Aus0 + e0 Zq N m ∈ (by sampling first s0 uniformly at random over Zq and e0 Zq according to a discrete Gaussian ¯m N ∈ M Ψα ), and then to define for all s Zq , c 0, 1 and errors e belonging to some set E Zq ∈ ∈ { } ⊆ (to be defined), the function fA ,y (s, e, c 0, 1 ) := Aus + e + c y0. That way, if all vectors u 0 ∈ { } × in E are small enough, the fAu,y0 has at most two preimages, one for c = 0 and one for c = 1: f(s, e, 0) = Aus + e = Au(s s0) + (e e0) + y0 = f(s s0, e e0, 1). We remark that in − − − − order to have two preimages, we want to make sure that both e E and e e0 E: we ∈ − ∈ will rely on LWE with super-polynomial modulus to noise ratio to ensure this is true for a n super-polynomially large fraction of inputs. Then, in order to obtain the bit string d0 0, 1 0 0 ∈ { } and the function h such that for any two preimages x, x , h(x) h(x ) = d0, we will update ⊕ the previous construction and now sample y0 as follows: We will first sample additional lines

9In the actual construction, we also require s to be small because we rely on the equivalent but more eﬃcient normal-form of LWE, but for simplicity we use the classic LWE problem in this overview.

9 $ n×N N Al Zq to add to the matrix Au. Then, we will sample s0 uniformly at random over Zq ← M+n ¯M+n (as before) and e0 Zq will be sampled according to the discrete Gaussian Ψα . Finally, ∈ n if we also denote by d0 the binary vector in Zq composed of elements of d0, we compute M Au q 0 y0 := s0 + e0 + 2 . We update similarly our function f by adding a parameter Al d0 d 0, 1 n: ∈ { } M Au q 0 fAu,Al,y0 (s, e, c, d) := s + e + + c y0 (4) Al 2 d ×

Then, we can remark that, because q is even:

M Au q 0 fAu,Al,y0 (s, e, 0, d) = s + e + (5) Al 2 d M Au q 0 = (s s0) + (e e0) + + y0 (6) Al − − 2 d d0 ⊕ = fA ,A ,y (s s0, e e0, 1, d d0) (7) u l 0 − − ⊕ and that therefore (skipping a small technicality) for any two preimages (s, e, 0, d) and 0 0 0 0 (s , e , 1, d ), we have d d = d0. So we just need to define h(s, e, c, d) = d to get the ⊕ XOR property. Finally, the indistinguishability property is simple to obtain: since Au is indis- Au tinguishable from a random matrix, and Al is actually a random matrix, thus A := is Al indistinguishable from a random matrix. Therefore, under the decision-LWEq,Ψ¯α assumption, As0 + e0 is indistinguishable from a random vector. Therefore, since adding a constant vector to a uniformly sampled vector does not change its distribution, one cannot distinguish As0 + e0 0M 0M from As0 + e0 + , or from any vector of the form As0 + e0 + . We provide in d0 d Section 6.1 a more in-depth analysis in order to properly handle the noise, we find an explicit set of parameters allowing f to be negl(λ)-2-to-1, and we give a method to prove that a maliciously sampled f is indeed negl(λ)-2-to-1 and has the XOR property. This is required to turn it into a distributable δ0-GHZcan capable family. Finally, one can obtain a distributable δ0-GHZcan capable family from a δ-GHZcan capable family (which has an additional property that the two preimages have the form x = (0, x¯) and 0 0 can x = (1, x¯ )). The idea is to sample one δ-GHZ capable function for each d0[i]. Then, we can (1) (n) (1) (n) define a our new function to be f (1) (n) (c, x¯ ,..., x¯ ) = f (1) (c, x¯ ) ... f (n) (c, x¯ ). k ,...,k k | | k More details can be found in Section6.

3 Preliminaries

3.1 Notation

The applicants and Cupid are designated with the gender neutral pronoun they, while the server—a machine—is designated by it. n 10 If b 0, 1 is a bit string or a vector, and i is an integer, we may use bi or b[i] to ∈ { } denote the i-th bit of b. The symbol will be used to denote string concatenation, and we | b b[1] b[2] b[n] define b := (b1 1) ... bn 1). We define also X := X X X and Zi is the ⊕ | | ⊕ ⊗ · · · ⊗ 10 n Note however that we often refer in this paper to a bit string d0 ∈ {0, 1} (we use this notation in order to keep a consistent notation with previous works), so to avoid confusion between d0 (the bit string) and d0 (the first bit of d), we will always use the bracket notation d[i] or d0[i] when the d letter is involved. Since d0 will also be interpreted as a vector in the second part of the paper, and to highlight the difference with a previous work in which d0 was a bit string, we will use a bold font for this kind of bit string.

10 operator that applies the Z gate on the i-th qubit, i.e. Zi = I I Z I I. For | ⊗ ·{z · · ⊗ } ⊗ ⊗ ⊗ · · · ⊗ i−1 any permutation σ, we denote by PERMσ the quantum unitary that performs a permutation of the qubits, such that the i-th qubit is mapped on σ(i). For any bit strings x, x0 and b of same L 0 0 0 length, we also define b, x := bixi, x x := (x1 x ) ... (xn x ). We will also use the h i i ⊕ ⊕ 1 | | ⊕ n notation x[i] to denote the i-th component of the vector x, the bold font being used to denote vectors or matrices (in upper case letters). R is the set of reals, Z the set of integers, Zq is the set of integers modulo q and [n] := 1, . . . , n . T := R/Z is the additive group of R modulo 1, whose canonical representation is { } q q T = [0, 1). For any element x Zq, if xˆ is the representant of x in [ 2 , 2 ) we will define the ∈ q q − modular rounding RoundModq(x) = 0 if xˆ [ , ) and RoundModq(x) = 1 otherwise. We ∈ − 4 4 extend this notation when x is a vector by doing it component wise. Similarly, for any element n n x Zq , x ∞ will be understood in a modular way: x ∞ := maxi xˆ[i]. For any vector x R , T∈ k k T k k ∈ x is the transpose operation, x 2 := √x x is the Euclidean norm of x. For any matrix n×m k k R R , R 2 := supx Rx 2/ x 2 is the spectral norm of R, and σmax(R) is the highest ∈ k k k k k k singular value of R. Note that σmax(R) = R 2. k k PPT stands for Probabilistic Polynomial Time, and we may refer to PPT machines or PPT algorithm when they can be run efficiently on (classical) PPT machines. Similarly, QPT stands for Quantum Polynomial Time, and we may refer to QPT machines, adversaries or algorithms. We denote by negl(λ) any function that goes asymptotically to 0 faster than any inverse polynomial in λ: we say that this function is negligible. We say that a probability is overwhelming when it is 1 negl(λ). We use the Landau notation O( ), and we say that − k · f(x) = O˜(g(x)) if there exists k such that f(x) = O(g(x) log g(x)). We use ω(√log N) to denote a function, fixed across all the paper, such that limN→∞ √log N/ω(√log N) = 0. For instance, we can take ω(√log N) = log N. For any finite set X, we denote x $ X when x X is sampled uniformly at random. The ← ∈ uniform distribution on X is also denoted by (X), and the statistical distance between the 1 PU distributions 1 and 2 is ∆( 1, 2) := 1(x) 2(x) . For any distribution , we D D D D 2 x |D − D | D write x if x is sampled according to , and y := f(x) when f is deterministic or if it is the ← D D definition of y. If an adversary interacts n times with its environment, without loss of generality A we may decompose = ( 1,..., n) and denote y1 1(x1); y2 2(x2); ... ; yn n(xn) A A A ← A ← A ← A to denote the fact that we first send x1 to , then we get answer y1 from , then we send x2 A A to and receive as answer y2. . . This notation implicitly hides the fact that can keep an A A internal memory ρi between rounds of communication, and we could also have written it using (y1, ρ1) 1(x1); (y1, ρ2) 1(x2, ρ1); ... (yn, ρn) n(xn, ρn−1) but to avoid a too heavy ← A ← A ← A notation the dependency of the i on the internal state will be kept implicit. In the hybrid A games, we will also often strike out some lines to denote differences between two games: it only removes the content of the current line, and does not change the line numbering of the other lines. We also slightly abuse notations, by using a set-like notation Xλ λ∈ to denote a “map”-like { } N structure, which maps any λ to the value Xλ. This notation will usually be clear from the context, but sometimes we may use a more explicit formula (λ, Xλ) λ∈ or (X1,...,Xn) if { } N the set is finite. We also need to define computational indistinguishability of quantum states:

Deﬁnition 3.1 (Computational indistinguishability [BS20]). Two maps of quantum random variables X := Xi λ∈ ,i∈I and Y := Yi λ∈ ,i∈I over the same set of indices { } N λ { } N λ I = λ∈ Iλ are said to be computationally indistinguishable, denoted by X c Y , if for ∪ N ≈ any non-uniform quantum polynomial-time distinguisher D := (Dλ, ρλ) λ∈ , there exists a { } N negligible function µ such that for all λ N, i Iλ, ∈ ∈

Pr [ Dλ(Xi, ρλ) = 1 ] Pr [ Dλ(Yi, ρλ) = 1 ] µ(λ) (8) | − | ≤

11 3.2 Generalized hidden GHZ state

In this paper we assume basic familiarity with quantum computing [NC00]. The GHZ (Greenberger–Horne–Zeilinger) quantum state [GHZ89] is a generalization of the Bell state on multiple qubits. This state turns out to be useful in many applications, going from Quantum Secret Sharing [HBB99] to Anonymous Transmission [CW05].

Deﬁnition 3.2 ((Canonical) GHZ state). We denote by GHZn a n qubits (canonical) GHZ | i state, i.e. a state of the form: 1 GHZn := ( 00 ... 0 + 11 ... 1 ) | i √2 | i | i

Deﬁnition 3.3( GHZG: Generalized GHZ state). A quantum state on n qubits is said to be G G a generalized GHZ state (sometimes abbreviated as GHZ ), and usually denoted GHZ α,d if | i it is a GHZ state up to an eventual π phase, and up to local X gates , i.e. if there exist a bit string d 0, 1 n and α 0, 1 such that: ∈ { } ∈ { }

G d α 1 α GHZ α,d := X Z1 GHZn = ( d + ( 1) d ) | i | i √2 | i − | i

We call (α, d) the GHZ key, since with the help of (α, d) it is possible to turn a generalized GHZ state into a canonical GHZ state using only local X and Z gates. The term “key” is used since the generalized GHZ state can be seen as a kind of one-time padded (OTP) canonical GHZ state.

G 1 Example: we have GHZ 1,001 = √ ( 001 110 ) | i 2 | i − | i Definition 3.4( GHZH: Hidden generalized GHZ state). A quantum state φ on n qubits | i is said to be a hidden (generalized) GHZ state (sometimes abbreviated as GHZH) if it is a permutation of a state composed of one generalized GHZ state and the tensor product of qubits in the computational basis, i.e. if there exist a permutation σ, a bit α 0, 1 , a bit string d, ∈ { } and two integers (l, m) N2 such that: ∈ G l m φ = PERMσ( GHZ α,d 0 1 ) | i | i ⊗ | i ⊗ | i Equivalently, it means that there exist two bit strings (d, d0) ( 0, 1 n)2 and a bit α 0, 1 such that: ∈ { } ∈ { } 1 α 0 H φ = ( d + ( 1) d ) =: GHZ α,d,d0 | i √2 | i − | i | i H For such a state GHZ α,d,d0 , we will say that a qubit i is part of the (generalized) GHZ iff | i d[i] = d0[i]. The set of all such qubits is called the support of a GHZH state: 6 H 0 supp( GHZ α,d,d0 ) := i d[i] = d [i] | i { | 6 } 0 H We will assimilate the string d0 := d d (bitwise XOR) to the support of the GHZ since H ⊕ 0 d0[i] = 1 iff i supp( GHZ α,d,d0 ). Moreover, we will call (α, d, d ) the GHZ key since it is ∈ | i possible the come back to a canonical GHZ state tensored with some 0 qubits by using (α, d, d0). | i

3.3 Classical Zero-Knowledge proofs and arguments for NP

In the last protocol presented in this paper, we need to use a classical Zero-Knowledge (ZK) protocol for NP. Intuitively, in a ZK protocol for a language NP, a prover must convince a L ∈ verifier that a word x belongs to , in such a way that the verifier should not learn anything L more about x beyond the fact that x belongs to . Because is in NP, is described by a L L L relation L, in such a way that a word x belongs to iff there exists a witness w such that R L

12 w L(x). Moreover, deciding if a witness x belongs to L(x) must be doable in polynomial ∈ R R time. We will now formalize the above security statements, taking definition from [BS20]. But first, we introduce a few notations: if (P, V) is a protocol between two parties P and V, we denote by OUT P, V (x) the output of the party V after having followed the protocol with P, Vh i x being a common input of P and V. An honest verifier outputs a single bit (1 if they accept and 0 if they reject), but a malicious verifier can output an arbitrary quantum state.

Definition 3.5 (Post-Quantum Zero-Knowledge Classical Protocol [BS20, definitions 2.1 and 2.6]). Let (P, V) be a protocol between an honest PPT prover P and an honest PPT verifier V. Then (P, V) is said to be a Post-Quantum Zero-Knowledge Classical Protocol for a language NP if the following properties are respected: L ∈ λ 1. Perfect Completeness: For any λ N, x 0, 1 , w L(x), ∈ ∈ L ∩ { } ∈ R Pr [ OUT P(w), V (x) = 1 ] = 1 (9) Vh i 2. Soundness: The protocol satisfies one of the following. – Computational Soundness: For any non-uniform QPT malicious prover P∗ = ∗ (P , ρλ) λ∈ , there exists a negligible function µ( ) such that for any security pa- { λ } N · rameter λ N and any x 0, 1 λ , ∈ ∈ { } \L ∗ Pr [ OUT P (ρλ), V (x) = 1 ] µ(λ) (10) Vh λ i ≤ A protocol with computational soundness is called an argument. – Statistical Soundness: There exists a negligible function µ( ) such that for any · unbounded prover P∗, any security parameter λ N and any x 0, 1 λ , ∈ ∈ { } \L Pr [ OUT P∗, V (x) = 1 ] µ(λ) (11) Vh i ≤ A protocol with computational soundness is called a proof. 3. Quantum Zero Knowledge: There exists a QPT simulator Sim such that for any QPT ∗ ∗ verifier V = (V , ρλ) λ∈ , { λ } N ∗ ∗ OUT ∗ P(w), V (ρλ) (x) λ,x,w c Sim(x, V , ρλ) λ,x,w (12) { Vλ h λ i } ≈ { λ } λ ∗ where x N, x 0, 1 , w L(x), and V is given to Sim by sending the circuit ∈ ∈ L ∪ { } ∈ R description of V∗.

In one protocol in which the applicants are asked to prove that they are either not supported or that they are authorized to be part of the GHZ state (for instance using some sort of password or signature coming from a known authority), we would like to ensure that the applicants indeed “know” the password/witness. Therefore, to get stronger guarantees, we will require the ZK protocol to also be a Proof of Knowledge protocol. Intuitively, we would like to check that any malicious prover P∗ that can convince a veriﬁer with a non-negligible probability has the witness w “encoded in its source code or memory”. We formalize this notion by saying that there exist a QPT circuit K, the extractor, which can recover w with non-negligible probability from a full description of P∗ and its input. This is usually enough, since being able to obtain a witness with non-negligible probability is usually enough to break the security: for example it could be used to forge a signature and break the unforgeability property as explained in [Unr12]. More precisely:

Deﬁnition 3.6 (Post-Quantum Zero-Knowledge Proof of Knowledge [Unr12]). We say that a Post-Quantum Zero-Knowledge protocol (P, V) for a relation L is a Proof of R Knowledge protocol, if it is quantum extractable with knowledge error κ = negl(λ), i.e. if there exists a constant d > 0, a polynomially-bounded function p > 0, and a QPT K such that for

13 any interactive QPT malicious prover P ∗, any polynomial l, any security parameter λ N, any ∈ state ρ, and any x 0, 1 λ, we have: ∈ { } ∗ Pr [ OUTV P (ρ), V (x) = 1 ] κ(λ) h i ≥ ∗ 1 ∗ d = Pr [ w L(x) w K(P , ρ, x)] (Pr [ OUTV P (ρ), V (x) = 1 ] κ(λ)) ⇒ ∈ R | ← ≥ p(λ) h i −

Several Post-Quantum ZK protocols have been proposed in the literature [Wat09, Unr12, BS20] and have been shown to obey properties similar to both Deﬁnitions 3.5 and 3.6. In the following, we assume the existence of a protocol obeying both these properties.

3.4 Classical Multi-Party Computations

In the last protocol presented in this paper, we also need to use a classical11 Multi-Party Computation (MPC) protocol. A MPC protocol works as follows: given n (public and deterministic) functions (f1, . . . , fn), at the end of the protocol involving n parties P1,..., Pn, we expect party Pi to get fi(x1, . . . , xn), where xj is the (secret) input of the party Pj. More- over, we expect that no party can learn anything more than what they can already learn from fi(x1, . . . , xn). For simplicity, we may define the function f1, . . . , fn as a unique function f(x1, . . . , xn) = (f1(x1, . . . , xn), . . . , fn(x1, . . . , xn)). We will now formalize the above security statements. In order to characterize the security of the MPC protocol Π, we will follow the standard real/ideal world paradigm, adapted to quantum adversaries. We will use in this paper the definition used in [ABG+20], which also describes a MPC protocol achieving this functionality. Informally, the protocol Π will be said to be secure if it is impossible to distinguish two “worlds”. On the one hand, we have a real world in which an adversary = λ λ∈ can corrupt a subset ( [n] of parties and interact in an A {A } N M arbitrary way with the other honest parties. On the other hand, we have an ideal world, in which a simulator Sim interacts with a functionality, this functionality behaving as a trivially-secure trusted third-party. If these two worlds are indistinguishable, it means that the protocol is “secure” because any secret obtained from the real world would also be obtainable from the ideal world. . . which is impossible because the ideal world is trivially secure. More precisely, we define the real and ideal world as follows, where ~x := (x1, . . . , xn) is the inputs of the parties:

Definition 3.7( REALΠ,A(λ, ~x,ρλ)). λ is given ρλ, and gives a subset ( [n] of corrupted A M (malicious) parties. Then λ receives the inputs xi of all corrupted parties Pi (i ), sends and receive all the messagesA on the behalf of these corrupted parties, and communicates∈ M in an arbitrary quantum polynomial time way with the honest parties that follow the protocol Π. At the end of the interaction, λ outputs an arbitrary state ρ, and we define as ~y the output of A the honest parties Pj, j / . Finally, we define REALΠ,A(λ, ~x,ρλ) as the random variable ∈ M corresponding to (ρ, ~y).

Definition 3.8( IDEALf,Sim(λ, ~x,ρλ)). Sim (playing the role of the adversary) receives ρλ, outputs a set ( [n] of corrupted parties, interacts with a trusted party (called the ideal functionality)M defined below, and outputs at the end a state ρ. The ideal functionality also outputs at the end a message ~y corresponding to the output of the trusted party. We then define IDEALf,Sim(λ, ~x,ρλ) as the random variable corresponding to (ρ, ~y). Now we define the ideal functionality:

– The ideal functionality receives the set ( [n] a subset of corrupted parties, and for each 0 M 0 0 party Pi, it receives an input xi: if Pi is honest (i / ), we have xi = xi, otherwise xi can be arbitrary. ∈ M 0 0 – Then, it computes (y1, . . . , yn) := f(x , . . . , x ), and sends (i, yi)i∈M to the simulator. 1 n { } 11But of course post-quantum secure.

14 – The simulator can choose to abort by sending a message to the ideal functionality. Otherwise it sends a “continue” message . If the message received⊥ by the ideal functionality > is , then it outputs to each honest party, which is formalized by outputting ~y := ⊥ ⊥ (i, ) . Otherwise, it outputs ~y := (i, yi) . { ⊥ }i/∈M { }i/∈M Deﬁnition 3.9 (Secure MPC [ABG+20]). Let f be a deterministic function with n inputs and n outputs, and Π be an n-party protocol. Protocol Π securely computes f if for every non-uniform quantum polynomial-time adversary = λ λ∈ corrupting a set of at most A {A } N n 1 players, there exists a non-uniform quantum polynomial-time ideal-world adversary Sim − such that for any combination of inputs ~x ( 0, 1 ∗)n and any non-uniform quantum advice ∈ { } ρ = ρλ λ∈ , { } N

REALΠ,A(λ, ~x,ρλ) λ∈ c IDEALf, (λ, ~x,ρλ) λ∈ (13) { } N ≈ { Sim } N

3.5 Introduction to the Learning With Errors (LWE) problem

The Learning With Errors (LWE) problem was introduced in [Reg05]. Definition 3.10 (Learning With Errors (LWE)[Reg05]). 12 Let (N,M) be two integers , q = q(N) N≥2 be a modulus and χ a distribution on R (χ may ∈ be continuous or χ Z (we will then say that χ is discrete), and will always be reduced modulo N⊆ N q). For any s Zq we define As,χ as the distribution on Zq [0, q) obtained by sampling N ∈ $ T × a Zq uniformly at random, e χ and outputting (a, a s + e mod q). ∈ ← We say that an algorithm solves the search-LWEq,χ problem (in the worst case, with over- N whelming probability) if for any s Zq , given an arbitrary number of samples from As,χ, ∈ it outputs s with overwhelming probability. We say that an algorithm solves the decision- LWEq,χ problem (on the average, with non-negligible advantage) if it can distinguish with $ N non-negligible advantage between the distribution As,χ where s Zq , and the uniform distri- N ← bution U := (Zq [0, q)) (when χ is discrete, we consider instead the uniform distribution N U × U := (Zq Zq)). U × We can also formulate this problem using matrices by grouping a fixed number M N of N $ M×N M ∈ samples: For any s Zq , we can sample A Zq and e χ a (typically small) vector ∈ ← ← where each of its component is sampled according to χ. Then let b := As + e. The search problem consists in finding s given (A, b). The decision problem consists in deciding, when receiving a couple (A, b), if b has been sampled uniformly at random (over [0, q)M if is m X continuous, or over Zq if χ is discrete) or if b has been sampled according to the procedure described above (and therefore b = As + e).

Note that having access to less samples can only make the problem harder. On the other hand, one can show that having access to polynomially many samples is enough to generate arbitrary many further samples, with only a minor degradation in the error [GPV08, ACPS09a, APS15]. Note also that the the worst-case and average-case search problems are in fact equivalent: [Reg05, Lem. 4.1] shows how it is possible to turn a distinguisher that can solve the decision- LWE problem with non-negligible advantage into a better distinguisher that can solve the decision-LWE problem with overwhelming probability. The distribution χ can be instantiated in many diﬀerent ways: for example when χ is always equal to 0, these problems are trivial, and when χ is uniform, they are impossible. In practice, χ is usually a (discrete or continuous) Gaussian:

Deﬁnition 3.11 (Continuous and discrete Gaussian). For any s R>0 and any vector 2 ∈ N kxk2 T 2 x R , we deﬁne ρs(x) := exp π = exp( πx x/s ). By applying a linear ∈ − s −

12While usually the parameters N and M are written in lowercase, we will use this notation here since n already represents the number of applicants.

15 transformation on x, we can generalize this notion: for any positive-deﬁnite matrix Σ > 0, we deﬁne:

ρ√ (x) := exp( π xT Σ−1x) (14) Σ − · 2 √ In particular, if Σ = s I, we have ρs = ρ Σ: therefore, s will be used as a shortcut for √Σ = 2 R √ R N √s I. The normalization of the expression gives n ρ (x) = √det Σ and n ρs(x) = s . R Σ R We can now deﬁne the continuous Gaussian distribution:

N √ √ s(x) := ρs(x)/s (x) := ρ (x)/√det Σ (15) D D Σ Σ Note that due to our choice of normalization, s and Σ are not exactly equal to the standard deviation and to the covariance matrix: s has standard deviation σ := s/(√2π) and the actual D covariance of √ is Σ0 := Σ/(2π). D Σ If Λ RN is a lattice (i.e. a discrete additive subgroup of RN ), we deﬁne for any c RN ⊆ ∈ the coset Λ + c = x + c x Λ and ρ√ (Λ + c) := P ρ√ (x). We can deﬁne now { | ∈ } Σ x∈Λ+c Σ the discrete Gaussian on Λ + c by simply normalizing ρ√ (x). For any x RN , if x / Λ + c, Σ ∈ ∈ √ (x) = 0 and if x Λ + c: DΛ+c, Σ ∈ ρ√ (x) √ x Σ Λ+c, Σ( ) := √ (16) D ρ Σ(Λ + c)

In the following, for α (0, 1), the discrete Gaussian on Z, ,αq = 2 , will be ∈ DZ DZ,√(αq) I particularly important to sample the noise.

The next lemma is useful to bound the length of a vector sampled according to a discrete Gaussian. Lemma 3.12 (Particular case of [Ban93, Lem. 1.5][MP12, Lem. 2.6]). For any s > 0, we have:

n −n Pr x 2 s√n x 2 (17) k k ≥ ← DZ,s ≤ The search-LWE problem is widely supposed to be hard to solve even for quantum computers and is the basic building block of many post-quantum cryptographic protocols [BGG+14, Pei16]. In particular, it is on average as hard as worst-case problems on lattices: notably it can be used to approximates the decision version of the shortest vector problem (GapSVPγ ): Lemma 3.13 (Hardness of LWE [Reg05]). Let N, q be integers and α (0, 1) be such ∈ that αq > 2√N. If there exists an algorithm that solves search-LWEq,Dαq , then there exists an efficient quantum algorithm that approximates the decision version of the shortest vector problem (GapSVPγ ) and the shortest independent vectors problem (SIVPγ ) to within γ := O˜(N/α). To have strong security guarantees, we usually want γ to be polynomial in N, but this is sometimes impossible. According to [Pei16] the best algorithm for solving these problems in polynomial time works for only slightly sub-exponential approximation factor γ = 2Θ(N log log N/ log N). They also mention the algorithm [Sch87] that provides a tradeoff between the approximation ˜ γ and the running time: an approximation of γ = 2k can be obtained in time 2Θ(N/k). This N 1 suggest that there is no efficient algorithm for γ = 2 for (0, 2 ) (the algorithm provided by 1− ∈ [Sch87] would indeed run in subexponential time 2N ). In practice, many works rely on the security of LWE when γ is super-polynomial ([BGG+14] uses for example the above assumption that γ = 2N for some (0, 1 )), and we will follow this same path here. ∈ 2 Moreover, the decision-LWEq,χ is equivalent to the search-LWEq,χ problem in many cases. It was shown in [Reg05, Lem. 2.4] when q is a (polynomial in N) prime number, but in our case, q = 2k will be a power of 2. For that reason, we use a special case of the search to decision reduction given in [MP12, Thm. 3.1]:

16 Corollary 3.14 (Reduction from search-LWE to decision-LWE, particular case of [MP12, Thm. 3.1]). Let q := 2k be a power of two, and let ω(√log N) be a function (ﬁxed across all the paper) such that √log N/ω(√log N) 0 (we also assume that for all N of interest, → ω(√log N) 1: this is always true for suﬃciently large N). Let (α, α0) (0, 1)2 be such that ≥ ∈ 0 < α 1/ω(√log N), α0 αω(√log N)2. Then, there is a PPT reduction from solving search- ≤ ≥ LWEq,Dαq (in the worst case, with overwhelming probability) to solving decision-LWEq,Dα0q (on the average, with non-negligible advantage).

Proof. The proof is a quite direct application of [MP12, Thm 3.1], in which q = 2k (the choice ω(√log N) 1 is to ensure that α0 α). The value of l is either 0 or 1, in any cases the above ≥ ≥ conditions are enough to conclude. While these problems are stated with continuous noise distribution, one can also replace them with discrete distributions. [Reg05] introduced a slightly different discrete Gaussian Ψ¯α = ,αq mod q obtained by simply rounding a continuous Gaussian to the nearest integer. bDZ e It is easy to see that LWEq,bD e is harder to solve than LWEq,D : we can always convert a Z,αq Z,αq continuous sample from ,αq mod q into a sample of ,αq mod q by a simple rounding DZ bDZ e step [Reg05, Lem. 4.3]. However, this discrete Gaussian is not a true Gaussian distribution (the sum of theses distributions may not be a discrete Gaussian), and most of the theorems we will need (notably on the bound of the singular values) are formulated using the distribution ,αq. Therefore, we need an equivalent reduction to turn continuous Gaussians into discrete DZ Gaussians: Corollary 3.15 (From continuous Gaussian to discrete Gaussian, corollary of [Pei10, Thm. 3.1]). Let λ, q N, α (0, 1). If ec is sampled according to αq and e ec + ∈ ∈ D ← , then the marginal distribution of e is within negligible statistical distance DZ−ec,ω √log λ q 2 2 2 ∆ = 1/(exp(πω(√log λ) ln(2λ)) 1) = negl(λ) of Z,s with s := (αq) + ω √log λ . − − T D N N Moreover, if there exists x Zq (for example x = a s for some s Zq and a Zq ) such that ∈ ∈ ∈ ec is distributed according to x+ αq mod q, then the statistical distance between the distribution D e mod q and x + ,s mod q is ∆ = negl(λ). Finally, if ec is uniformly sampled over [0, q), the DZ marginal distribution of e is uniform over Zq. Proof. The first part of this corollary is a direct application of [Pei10, Thm. 3.1]: We define 2 2 c1 = 0, Λ1 = Z, Σ2 = (αq) I1, Σ1 = ω(√log λ) I1 with √Σ1 = ω(√log λ) ηε(Z), where ε is ≥ a negligible function of N (the last inequality comes from [Pei10, Lem. 2.5]). When x2(= ec) is chosen according to a continuous Gaussian, the marginal distribution of e is within statistical distance 8ε = negl(λ) of √ (the constant can actually be improved in this specific case), Z, Σ D2 2 2 with Σ = Σ1 + Σ2 = (αq) I1 + ω(√log λ) I1 = s I1, which concludes the first part of the proof. To see that the equality also holds when ec x + αq mod q for some x Z, we remark 0 ← D ∈ that for any e¯ Zq and for any ec = x + ec R: ∈ ∈

p := Pr e¯ = e mod q e ec + (18) ← DZ−ec,ω √log λ

= Pr e¯ = e e ec + mod q (19) ← DZ−ec,ω √log λ e e e x e0 q = Pr ¯ = + c + −e0 ,ω log λ mod (20) ← DZ c √

0 where the last equality comes from Z ec = Z (ec mod q). But we already know that e0 − − c + −e0 ,ω log λ is statistically close to Z,s from the ﬁrst part of the corollary, which DZ c √ D concludes this part of the proof. Now, let us assume that ec is sampled uniformly at random over [0, q). Because ec can be uniquely decomposed into ec = ec,1 + ec,2 where ec,1 0, . . . , q 1 and ec,2 [0, 1), and ∈ { − } ∈

17 n because Z ec = Z ec,2 we have: − −

Pr e¯ = e mod q ec [0, q), e ec + ← ← DZ−ec,ω √log λ

1 q−1 ρ (e ec,1 ec,2) 1 Z X X ω √log λ − − = dec,2 q 0 ρ (Z ec,2) ec,1=0 e∈Z ω √log λ − e¯=e[q]

Similarly, because any integer eˆ Z can be decomposed uniquely into eˆ = e ec,1 where ∈ − ec,1 0, . . . , q 1 , and e = e¯ mod q, we can merge the two sums into a single sum over eˆ Z, ∈ { − } P ∈ replace the e ec,1 with eˆ, and use the fact that ρω(eˆ ec,2) = ρω(Z ec,2) to conclude − eˆ∈Z − − that the probability is equal to 1/q: it corresponds to a uniform sampling over Zq.

N While in the usual LWE problem, s is sampled uniformly at random over Zq , it is also possible to sample s according to a small Gaussian. Since this can be seen as a reformulation of the problem in its Hermite Normal form (HNF), this new sampling method is actually at least as secure as the initial uniform sampling, and it appears to be more eﬃcient. Moreover, the construction given in [MP12] will naturally be formulated in this form, so in this paper we will also sample s according to a small Gaussian (however, one can easily come back to the initial formulation as we will see later).

Lemma 3.16 (Normal LWE problem [ACPS09b, Lem. 2]). Let q = pk be a prime power. N There is a deterministic polynomial-time transformation T that, for arbitrary s Zq and error N N ∈ distribution χ, maps As,χ to A¯s,χ where ¯s χ , and maps U(Zq Zq) to itself. ← ×

The idea of the proof given in [ACPS09b, Lem. 2] (following [MR09], see also [Pei16, p. 23]) is to ﬁrst obtain and select enough samples (A¯ , y¯ := As¯ + ¯s), ¯s being sampled according to ¯ N×N χ, to ensure that A Zq is invertible. Then, any new sample (a, y := a, s + e) can be ∈ h i updated into (a0, b0) where a0 := (A¯ T )−1a and b0 := y + a0, y¯ = a0, ¯s + e. − h i h i

3.6 The [MP12] Construction

In order to realize the primitives described in Definitions 4.1 and 4.3, we will use the trapdoor system presented in [MP12]. This work introduced an algorithm MP.Gen that samples a matrix A and a trapdoor R. In addition, A is indistinguishable from a random matrix (without R), and gA(s, e) := As + e is injective and can be inverted given R for any (s, e) ( will be ∈ X X defined later as sets of elements having a small norm, see Lemma 3.16 to see why we bound s). Note that [MP12] uses a left-style multiplication sT AT , here we will prefer a right-style multiplication As for consistency. In this paper, we will also focus on the (more efficient) computationally-secure construction presented in [MP12] (we also require the modulus q := 2k to be a power of 2), but the same method should extend to other constructions with even q. We give in Definition 3.17 the construction we will use, and we explain after the intuition behind it. The reader not interested in the details of the construction and on the choice of parameters can safely skip the rest of the section.

Deﬁnition 3.17([MP12]). Let λ N be a security parameter, and 0 = (k, N, α, rmax) with 2 ∈ P (k, N) N , α (0, 1) and rmax R, be some parameters that can depend on λ. We deﬁne ∈ ∈ ∈ k N M s k−1T M := N(1 +k), q := 2 , g := (s, e) rmax , g := 1 2 4 ... 2 Zq Zq e X ∈ × 2 ≤ ∈

18 k Zq , and the gadget matrix G as:

 .  . g   .   .     .  Nk×N G := In g = .. Zq (21) ⊗   ∈  .   .     g . .

We deﬁne now in Fig.1 a procedure to sample a public matrix and its trapdoor (A, R) λ ← MP.GenP (1 ), and for any (s, e) g, we deﬁne y := gA(s, e) and its inversion procedure 0 ∈ X (˜s, e˜) := MP.Invert(R, A, y).

λ T MP.GenP (1 ) InvertSmallGadget (y = y . . . y ) 0 P0 0 k−1 ˆ $ N×N 1 : A ← Zq 1 : // Return s ∈ Zq such that y = gs + e Nk×2N 2 : R = R1 R2 ← D 2 : s := 0 Z,αq ˆ 3 : for i = k − 1,..., 0 do A M×N 3 : A := ∈ ˆ Zq i h q q G − R2A − R1 4 : if y − 2 s∈ / − , mod q i 4 4 4 : return (A, R) k−1−i 5 : s := s + 2 ﬁ endfor

gA(s, e) 6 : return s

T 1 : return As + e InvertGadget (y = yT ... yT ) P0 1 N

1 Return s ∈ n such that y = Gs + e MP.InvertP0 (R := R1 R2 , A, y) : // Zq 2 : for i = 1,...,N do 1 : // Return (˜s, e˜) ∈ Xg s.t. y = gA(s, e) 3 : si := InvertSmallGadget (yi) 2 : ˜s := InvertGadget ( R I y) P0 P0 2 Nk 4 : endfor 3 : e˜ := y − A˜s T ˜s 5 : s := s1 . . . sn 4 : if > rmax return ⊥ ﬁ e˜ 6 : return s 2 5 : return (˜s, e˜)

Fig. 1: Construction from [MP12]

The idea of the construction given in Definition 3.17 is to use a gadget matrix G which is easy to invert even in the presence of noise, and then to hide this matrix inside a random looking matrix A. G is easy to invert because G basically encodes all bits of the binary representation of each component of s in a different component (where a 1 is encoded by q/2+noise, and 0 is encoded by 0+noise): the inversion of G is doable by a rounding operation, starting from the least significants bits of the components of s. Then, as we will see, R can be used to invert As + e: with R we can obtain a vector of the form Gs + e0 (e0 is small if R has sufficiently small singular values), and then since G is easy to invert we can obtain s easily. We formalize now these statements.

Lemma 3.18([MP12]). If q,D is hard and if Nk = (λ), then the matrix A LWE Z,αq poly obtained via MP.Gen is indistinguishable from a uniform random matrix.

Proof. For completeness, we sketch the proof given in [MP12]. Since G is a fixed matrix, it is T T T T easy to subtract G from A and transpose the matrices: A looks random iff (Aˆ , Aˆ R2 + R1 ) looks random. But this is nearly an exact LWE instance in its normal form (R2 is indeed sampled according to a small Gaussian). The only difference is that the Aˆ samples are “reused”

19 T multiple times since Ri are matrices and not vectors. However, as shown in [PW11, Lem. 6.2], an hybrid argument can be made (by gradually replacing each column with random elements) to prove that it is still hard to distinguish it from a random matrix if q,D is hard (since LWE Z,αq we obtain Nk hybrid games, we need Nk = poly(λ)).

Remark 3.19. It is possible to easily translate the normal form into a more usual form in which N×N s is sampled uniformly at random: one can sample a random invertible matrix Ar Zq , ∈ 0 I and deﬁne A := Ar. A

ˆ ˆ N×N Nk×N 2 A M×N Lemma 3.20. Let A Zq , (R1, R2) (Z ) , A := Zq . If ∈ ∈ G R2Aˆ R1 ∈ p − q− the highest singular value σmax(R) of R is such that σmax(R) + 1 < , then gA : g 4rmax M X → Zq is injective and for all (s, e) g, MP.Invert( R1 R2 , A, As + e) = (s, e). ∈ X Moreover, if we denote by C √1 the universal constant defined in [MP12, Lem. 1.9], ≈ 2π and if we have for the parameters 0 defined in Definition 3.17: P r 2 q C αq √N(√k + √2 + 1) + 1 (22) × × ≤ 4rmax

−N p 2 q then with overwhelming probability (on N) 1 2e , we have σmax(R) + 1 < and ≥ − 4rmax therefore gA is injective.

Proof. This proof can be obtained by combining theorems from [MP12]. For completeness, we put the full proof of this lemma here. For the injectivity, we assume that there exist (s, s0) S 0 0 0 0 0 ∈ and (e, e ) E such that gA(s, e) = gA(s , e ). So A(s s ) + (e e ) = 0, and it is enough ∈ 0 0 − − now to prove that s = s to obtain e = e . We multiply (on the left) this equation by R2 INk : 0 0 0 we obtain G(s s ) R1(s s ) + R2 INk (e e ) = 0, i.e. if we deﬁne R˜ := R1 R2 INk , − − − − − s s0 e˜ := R˜ − and ˜s = s s0, we have G˜s + e˜ = 0. First, we remark that e e0 − − T T σmax(R˜ ) = R˜ 2 k k  T  R1 − T = max  R2 x x,kxk2=1 I Nk 2 s 2 RT 1 x x 2 = max −RT + 2 x,kxk2=1 2 2 k k s 2 RT 1 x = max RT + 1 x,kxk2=1 2 2 r T 2 = max R x 2 + 1 x,kxk2=1 k k q T 2 = σmax (R ) + 1

q 2 = σmax (R) + 1 (23)

q q We prove now that for all i, e˜[i] ( , ): If we denote by ui the vector such that ui[i] = 1 ∈ − 2 2 and for all j = i, ui[j] = 0, we have 6 0 0 T T s s T s s e˜[i] = u e˜ = u R˜ − = R˜ ui, − (24) | | | i | i e e0 e e0 − −

20 Using the Cauchy-Schwarz inequality we get: 0 T s s e˜[i] R˜ ui 2 − (25) | | ≤ k k e e0 − 2 T Using A 2 = σmax(R˜ ), and the deﬁnition of g (Deﬁnition 3.17), then Eq. (23) and the k k X assumption on σmax(R) we obtain:

T q e˜[i] σmax(R˜ ) (2rmax) < (26) | | ≤ × 2 Pk−1 j Now, if we write for all i [N], ˜s[i] = 2 ˜s[i]j, with for all j, ˜s[i]j 0, 1 (we also use ∈ j=0 ∈ { } the same notation for e˜), we can prove, following the same path as the InvertSmallGadget algorithm that i, j, ˜s[i]j = 0. Let i [n]. If we consider only the line l := (i 1)k + k of ∀ k−1 ∈q q −q G˜s + e˜ = 0, we obtain 2 ˜s + e˜[l] = ˜s[i]0 + e˜[i] mod q = 0. Since e˜[l] ( , ), we can’t 2 ∈ − 2 2 have ˜s[i]0 = 1, so ˜s[i]0 = 0. We can then iterate the same process for m = 1 . . . k 1 with the − line l := (i 1)k + (k m) to show that ˜s[i]m = 0, i.e. ˜s = 0, which concludes the proof of the − − injectivity of gA. Because this proof follows exactly the algorithm MP.Invert, it is easy to see using the same argument that this algorithm correctly inverts any y = As + e with (s, e) g. ∈ X We prove now the second part of the theorem. Because R is sampled according to a discrete Gaussian of parameter αq, so according to [MP12, Lem. 2.8], this distribution is 0-subgaussian, p and therefore we can apply [MP12, Lem. 2.9] with, for example, t = N/π (we divide by π just to simplify the probability, and to transform the into a <). So with probability ≤ 1 2 exp( πt2) = 1 2eN , − − − r N σmax(R) C αq (√Nk + √2N + ) < C αq √N(√k + √2 + 1) ≤ × × π × × To conclude the proof, we inject this equation inside Eq. (23) and use Eq. (44).

4 Cryptographic requirements

All the protocols are based on the existence of a (post-quantum secure) cryptographic family of H functions, which is said to be δ-GHZ capable. Intuitively, in the definition below, the string d0 is such that d0[i] = 1 iff applicant ai is part of the support of the final GHZ): Definition 4.1. Let λ N be a security parameter, and n N. We say that a family of ∈ l H ∈ functions fk : λ λ k∈Kλ with λ 0, 1 is δ-GHZ capable if there exists a family of { X → Y } n X ⊆ { } function hk : λ 0, 1 k such that the following properties are respected: { X → { } } n – efficient generation: for all d0 0, 1 a PPT machine can efficiently sample (k, tk) λ ∈ { } ← Gen(1 , d0) to generate (with overwhelming probability) an index k λ and a trapdoor ∈ K tk λ ∈ T – efficient computation: for any index k, the function fk is efficiently computable by a PPT algorithm Eval(k, x). – trapdoor: for any trapdoor tk and any y, there exists a procedure Invert that efficiently inverts fk when y has two preimages. More precisely, if y has exactly two distinct preim- −1 ages, we have Invert(tk, y) = f (y). If the number of preimages is not 2, we expect Invert(tk, y) = . ⊥ λ – quantum input superposition: there exists a QPT algorithm that, on input 1 generates a uniform superposition P x . x∈Xλ l | i ⊗l ⊗l For instance, if λ = 0, 1 , it can be trivially done by computing H 0 . 13 X { } | i – δ-2-to-1 : for all k , when sampling an input x uniformly at random in λ, the ∈ K X 0 probability that y := fk(x) has exactly two distinct preimages (denoted by xy and xy or simply x and x0) is larger than 1 δ. When δ = 0, we just say that the function is 2-to-1. − 13This kind of functions are sometimes said to be δ-2-regular.

21 n – XOR of h: for all k, there exists d0 0, 1 such that for all y, if y has exactly 2 distinct −1 ∈ { } preimages x and x0 (i.e. f (y) = x, x0 with x = x0), then: k { } 6 0 h(x) h(x ) = d0 ⊕ λ ∗ ∗ Moreover, if k was obtained from Gen(1 , d0), then d0 = d0. We will always assume that d0 is easy to obtain from tk (it is always possible to append d0 to tk). Since, ﬁxing k ﬁxes also d0, in the following we may use interchangeably d0(k), d0(tk) or simply d0. – indistinguishability: If Gen(1λ, ) is seen as en en- · cryption function, then, similarly to IND-CPA secu- IND D0A (λ) − Gen rity (see for example [Gol04]), a quantum adversary (0) (1) λ 1 :(d0 , d0 ) ← A1(1 ) cannot learn d0 from the index k, seen as an “en- 2 : c ←$ {0, 1} cryption” of d0. More formally, if we formulate it A λ (c) as an indistinguishability game IND D0 , where 3 :(k, t ) ← Gen(1 , d ) − Gen k 0 = ( 1, 2) is a QPT adversary (as explained in A A A 4 :c ˜ ← A2(k) Section 3.1, 1 gives implicitly its internal state to A 5 : return c˜ = c 2). A Then, any QPT adversary has only a negligible advantage of winning this game: A A 1 Pr IND D0 (λ) + negl(λ) (27) − Gen ≤ 2

Note that we provide in Section6 an explicit implementations of δ-GHZH capable functions. The above properties are enough to prove the security of BLIND and BLINDsup against an sup arbitrary corruption of parties, and can be used to prove the security of BLINDcan and BLINDcan when the adversary corrupts only the server and the non-supported applicants. However, if we want to prove the security of these last two protocols in a stronger attack model, namely when the adversary can also corrupt some supported applicants, we also require our function to have a stronger property. Intuitively, the PartInfo function will list the messages to send to all applicants: if it contains a for applicant i, it means that applicant i is not part of the support of the GHZ, if it is a 0 or a 1, it means that the applicant gets a GHZ canonical state—up to a local X correction if it is a 1—and, if it is a , it means that the protocol aborts “locally”. ⊥ Remark 4.2. This local abort is interesting since it triggers when y has only one preimage, and this means that the server is malicious with overwhelming probability14. Note that one may want to send this abort bit to all applicants, however it is not yet known if leaking this bit to other corrupted applicants could reduce the security of the protocol (for example, it is not clear if a malicious server could force the protocol to abort when one speciﬁc honest applicant is not part of the GHZG). To avoid that issue, we introduce this notion of local abort, that tells locally to participants if the server was behaving honestly. Note that it is important to make sure that this abort bit don’t leak to the adversary later, otherwise the security is not guaranteed anymore.

H can Deﬁnition 4.3. A δ-GHZ capable family of function fk is said to be δ-GHZ capable if this additional property is respected: { }

– indistinguishability with partial knowledge: We want to show that, by leaking some information about the “key” of the GHZG state owned by malicious applicants, we don’t reveal additional information about the support status of applicants. This translates as n follows: There exists a PPT algorithm PartInfo: λ λ 0, 1, , such that: T × Y → { ⊥} correctness: k λ, y λ, and v PartInfo(tk, y): • ∀ ∈ K ∈ Y ← ∗ y has exactly two preimages iﬀ there is no partial abort (see discussion above): f −1(y) = 2 iﬀ / v | k | ⊥ ∈ 14At least when we consider the construction based on LWE with super-polynomial noise ratio.

22 ∗ for all i, if v[i] 0, 1 then d0[i] = 1, and if v[i] = , then d0[i] = 0 (required to ∈ { } make sure is sent only to applicants not part of the GHZG and that 0/1 is sent only to supported applicants). −1 0 ∗ if fk (y) = 2, u h(x), h(x ) , such that i, if d0[i] = 1 then v[i] = u[i] (required| to| make∃ sure∈ that { all corrections} are correct).∀ security: The following game is impossible to win with non negligible advantage for • any QPT adversary = ( 1, 2, 3) (note that is intuitively the set of malicious corrupted applicants,A andA theA conditionA line2 isM added because otherwise there is a trivial uninteresting way to distinguish):

IND PARTIALA (λ) − Gen,PartInfo (0) (1) λ 1 :(M, d0 , d0 ) ← A1(1 ) (0) (1) 2 : if ∃i ∈ M, d0 [i] 6= d0 [i]: return false ﬁ 3 : c ←$ {0, 1} λ (c) 4 :(k, tk) ← Gen(1 , d0 )

5 : y ← A2(k)

6 : v ← PartInfo(tk, y)

7 :c ˜ ← A3({(i, v[i])}i∈M) 8 : return c˜ = c

For our protocol AUTH BLINDdist, we also need to make sure that this family of functions − can can be computed in a distributed manner among users:

can Deﬁnition 4.4. A δ-GHZ capable family of function fk is said to be distributable if the following procedures can be computed after gathering partial{ } results from the parties:

λ – There exists GenLoc, a “local” generation procedure such that sampling (k, tk) Gen(1 , d0) (i) (i) λ ← can be done by first sampling for all i: (k , tk ) GenLoc(1 , d0[i]) and defining k := (1) (n) (1) (n) ← (i) (k , . . . , k ) and tk := (t , . . . , t ). We will denote as λ,Loc the set of such k , and k k K we assume that = n . K Kλ,Loc – Similarly, there exists PartInfoLoc, a “local” version of PartInfo such that sampling (i) v PartInfo(tk, y) can be done by sampling for all i: v[i] PartInfoLoc(t , y). ← ← k – Finally, there exists a method PartAlphaLoc such that for any bit string b and for any y −1 0 0 0 (i) such that f (y) = x, x with x = x we have b, x x = iPartAlphaLoc(i, t , y, b). k { } 6 h ⊕ i ⊕ k Moreover, we cannot assume anymore that people running these functions will be honest. Therefore, if we want to make sure that a non-supported malicious applicant cannot alter the state obtained by supported applicants (for example by providing a function which is not δ-2-to-1), (i) (i) we also require the existence of a circuit CheckTrapdoorλ(d0[i], tk , k ) that returns true iff (i) 15 (i) (i) k λ,Loc and if k is the public key corresponding to the trapdoor t , embedding the bit ∈ K k d0[i]. This circuit can in particular be combined with a ZK protocol to prove in a zero-knowledge (i) way that k λ,Loc. ∈ K We also provide Section 6.2 a generic construction that turns a δ-GHZH capable family of functions into a δ0-GHZcan capable distributable family of functions, with δ0 = 1 (1 δ)n 1 δn. − − ≤ − In particular, if δ is a negligible function of λ as in Section 6.1 and n = O(λ), δ0 is negligible.

15 ∗ This is particularly important when Kλ,Loc ⊆ {0, 1} and when there exists no eﬃcient algorithm (i) to decide if a bit string k is indeed an element of Kλ,Loc. For example, with our construction, it is 0 easy to produce a key k that is indistinguishable from a key k ∈ K, and such that the function fk0 is injective instead of δ-2-to-1.

23 5 The diﬀerent protocols

In this section, we deﬁne the protocols BLIND (Protocol1), BLINDsup (Protocol2), the impossible sup dist BLINDcan (Section 5.3), BLINDcan(Protocol3) and ﬁnally our main protocol AUTH BLIND − can (Protocol4).

5.1 The protocol BLIND

We deﬁne now the protocols BLIND (Protocol1), which is the basic building block of all the other protocols. This protocol allows a trusted classical party, Cupid, to create a hidden GHZ state on a server. This hidden GHZ state is then distributed to all applicants (one qubit per applicant), who just need to store the received qubit.

Protocol 1: BLIND n Inputs: Cupid gets as input d0 ∈ {0, 1} , a bit string describing the final supported applicants: applicant ai will be supported iff d0[i] = 1. λ ∈ N is a public, fixed, security parameter. Assumptions: There exists a δ-GHZH capable family of functions with δ = negl(λ). Protocol: λ – Cupid: Generate (k, tk) ← Gen(1 , d0), and send k to the server. – Server: Perform the following operations (circuit in Fig.2): P – create the state |xi |h(x)i |fk(x)i by applying in superposition the unitary mapping x∈Xλ |xi |0i |0i 7→ |xi |h(x)i |fk(x)i on the uniform superposition of all inputs, – measure the third register in the computational basis, which gives a y, – measure the first register in the Hadamard basis, which gives a bit string b Then, send (y, b) to Cupid, and for all i, send the i-th qubit of the (unmeasured) second register to applicant ai. – All applicants: just receive and store the qubit sent by the server.

Uh,fk

0 H H b1 | i . . . l . . x x .

We prove the correctness of this protocol and of the BLINDsup protocol (whose state is identical):

Lemma 5.1 (Correctness of BLIND and BLINDsup). At the end of an honest run of protocol BLIND, when y has exactly two distinct preimages x, x0 (which occurs with probability 1 δ according to Deﬁnition 4.1, which is overwhelming when we use the construction deﬁned− in

24 H Section 6.1), the state shared between all applicants is a hidden generalized GHZ α,d,d0 state, with:

0 0 M 0 0 d = h(x) d = h(x ) α = bi(xi x ) = b, x x (28) ⊕ i h ⊕ i i

0 0 In particular, since by deﬁnition of fk we have d0 = h(x) h(x ) = d d , the support of the ⊕ ⊕ hidden GHZ is d0.

Proof. After the measurement of the third register, Bob gets on the first two registers the state P −1 x h(x) . But because the first register was created as a uniform superposition, y x∈f (y) | i | i has exactly two preimages x, x0 with probability 1 δ. So with probability 1 δ, the state − − obtained by an honest Bob is ( x h(x) + x0 h(x0) ). Then, after applying the Hadamard gates | i | i | i | i P hb,xi (preparing the measurement in the Hadamard basis), we obtain the state b( 1) b h(x) + 0 − | i | i ( 1)hb,x i b h(x0) . So after measuring a b, the second register contains the state: − | i | i 0 0 ( 1)hb,xi h(x) + ( 1)hb,x i h(x0) = ( 1)hb,xi( h(x) + ( 1)hb,x⊕x i h(x0) ) (29) − | i − | i − | i − | i which is, once we get rid of the global phases the state and define d := h(x), d0 := h(x0) and 0 G α = b, x x , equal to the state GHZ α,d,d0 . h ⊕ i We prove now the security of this protocol. Lemma 5.2 (Security of BLIND). At the end of a fully IND BLINDA (λ) malicious interaction during the protocol BLIND, where − Gen (0) (1) λ all applicants and the server can be fully malicious and 1 :(d0 , d0 ) ← A1(1 ) can all collude together, the set of supported applicants 2 : c ←$ {0, 1} is completely hidden. More precisely, if we define a game λ (c) 3 :(k, tk) ← Gen(1 , d ) following the spirit of IND-CPA security, no QPT adver- 0 4 :(y, b, c˜) ← A2(k) sary = ( 1, 2) can win the game IND BLIND with A A A 1 − 5 : // No more interaction probability better than 2 + negl(λ). 6 : return c˜ = c

Proof. This is a trivial reduction to the indistinguishability property of the family fk : since { } y and b are not used, we can remove them without changing the probability of winning, and we get exactly the game IND D0 introduced Deﬁnition 4.1. This game is impossible to win for 1 − probability better than + negl(λ) by assumption on the family fk , which ends the proof. 2 { }

5.2 The protocol BLINDsup

We give now the protocol BLINDsup (Protocol2). In this protocol, all the applicants will obtain a qubit part of a hidden GHZ state, and they will learn their own support status. However, they will not know the “key” of the hidden GHZ state.

Protocol 2: BLINDsup Inputs: Same as BLIND: Cupid gets d0 and λ. Assumptions: Same as BLIND (δ-GHZH capable family with δ = negl(λ)). Protocol: – Run the protocol BLIND, so that Cupid gets (b, y) and each applicant ai the i-th qubit – Cupid: For all i, send d0[i] to applicant ai, so that each applicant knows whether they are supported or not.

Now, in order to prove the security of the BLINDsup protocol, we first need to define what we mean by security. Since in this protocol Cupid reveal to all applicants their respective support status, we can’t use the previous definition of security.

25 Lemma 5.3 (Security of BLINDsup). If we allow in the protocol BLINDsup the fully malicious server Bob to corrupt an arbitrary subset of applicants, then the support status of the remaining honest applicants is completely hidden. More precisely, no QPT adversary = ( 1, 2, 3) can sup 1 A A A A win the game IND BLIND (Fig.3) with probability better than 2 + negl(λ). In the following, − (0) (1) is the set of malicious applicants corrupted by Bob, and the condition i , d0 [i] = d0 [i] isM required to avoid a trivial uninteresting distinguishing strategy. ∀ ∈ M

IND − BLINDsupA (λ) {fk} (0) (1) λ 1 :(M, d0 , d0 ) ← A1(1 ) (0) (1) 2 : if ∃i ∈ M, d0 [i] 6= d0 [i]: return false ﬁ 3 : c ←$ {0, 1} λ (c) 4 :(k, tk) ← Gen(1 , d0 )

5 :(y, b) ← A2(k) 6 : // The adversary has only access to the messages sent by Cupid to corrupted applicants: (c) 7 :c ˜ ← A3({(i, d0 [i])}i∈M) 8 : return c˜ = c

Fig. 3: Game IND BLINDsup required in Lemma 5.3 −

Proof. To prove the security of this scheme, we will assume by contradiction that there sup exists an adversary = ( 1, 2, 3) that can win the game IND BLIND with probability 1 1 A A A A 0 0 −0 pA := + , and we will construct an adversary = ( , ) that can win the game 2 poly(λ) A A1 A2 IND BLIND with a non negligible advantage (which is impossible by assumption). So we deﬁne 0 − 0 (0) (1) (0) (1) 1(λ) as follows: 1 runs in a blackbox way ( , d0 , d0 ) 1, returns (d0 , d0 ) and A (0) A M ← A keeps ( , d ) in its internal state. We then deﬁne: M 0 0 (0) (0) (k, state := ( , d )) := (y, b) 2(k);c ˜ 3( (i, d [i]) i∈M); return c˜ (30) A2 1 M 0 ← A ← A { 0 } 0 It is then easy to see that wins the game IND D0 with probability greater than pA. Indeed, (0)A (1) − (0) (1) when 1 outputs a ( , d , d ) that does not respect the condition i , d [i] = d [i], A M 0 0 ∀ ∈ M 0 0 then always lose (while 0 may win the game). Moreover, when the condition is respected, A (0) A (1) (c) 0 since (i, d0 [i]) i∈M = (i, d0 [i]) i∈M = (i, d0 [i]) i∈M, we can replace the input of 3 { (c) } { } { } sup A with (i, d [i]) i∈M: the game is now exactly equivalent to IND BLIND , so in that case { 0 } − 0 win with the exact same probability as . Therefore, 0 wins the game IND D0 with A p 1 1 A A − probability greater than A = 2 + poly(n) : contradiction.

5.3 The impossible protocol BLINDcan

One may be interested by a protocol BLINDcan, that would make sure that all supported applicants share a canonical GHZ, but that at the same time none of them know if they are part of the GHZ or not. We state here that such security guarantee is impossible, and why it is sup therefore meaningful to use BLINDcan protocols instead.

Lemma 5.4 (Impossibility of a secure BLINDcan protocol). There exists no protocol BLINDcan such that, at the end of an honest interaction, all supported applicants share a canonical GHZ, and such that none of them know their own support status. More precisely, there exists always an adversary that can win the game in Fig.4. A Proof. So for simplicity, we do here a sketch of the proof, in order to give the general ideas. So when it comes to proving the security of the protocol, we realize that at least one of the

26 Impossible Game 1

(0) (1) λ 1 :(M, d0 , d0 ) ← A1(1 ) // Avoid trivial attack: check if at least one honest applicant is in the GHZ (0) (1) 2 : if (∀i∈ / M, d0 [i] = 0) or (∀i∈ / M, d0 [i] = 0) then return false ﬁ

3 : // Run BLINDcan with adversary.c˜ ← A3() 4 : return c˜ = c

Fig. 4: Impossible Game 1 required in Lemma 5.4 supported applicants needs to be honest, otherwise it is trivial to distinguish any correct (0) (1) protocol: The attacker can always send d0 = 1 1 0 ... 0 and d0 = 0 0 0 ... 0 , and at the end of the any (correct) protocol run honestly, the attacker will get either a Bell pair on the first two qubits or two qubits not entangled. It is therefore easy to distinguish, so the condition in Game 1 is indeed required. But it is not enough. Even if we assume that one applicant is honest (let’s say the first one), it is still impossible to prove the security of the protocol. (0) (0) Indeed, let’s consider an adversary that sends d0 = 1 ... 1 and d0 = 1 ... 1 0 ... 0 (first half of the qubits is 1 second half is 0). Then, a first remark is that at the end of an honest protocol, all the qubits that are not entangled must be all equal, i.e. if c = 1, the state obtained is ( 0 ... 0 + 1 ... 1 ) 0 ... 0 or ( 0 ... 0 + 1 ... 1 ) 1 ... 1 . Indeed, if some qubits | i | i ⊗ | i | i | i ⊗ | i in the second half are different, then a measurement in the computational basis will reveal some different outcomes with high probability (while when c = 0 all measurements are equal since the state is a canonical GHZ state by the correctness property). But even in that case, it is still easy to distinguish: when we do the measurement, in the first case, we either get 1 ... 1 or 0 ... 0. In the second case, however, the first part may be different compared to the second part, 1 i.e. we can measure either a 0 ... 0 or a 1 ... 10 ... 0 with probability 2 . This last measurement is enough to distinguish, we can just ask to to measure the state in the computational basis: A if all measurements are equal, picks c˜ uniformly at random, otherwise outputs c˜ = 1. A A A will succeed with non negligible advantage.

Therefore it is not possible to hide to an adversary its support status, so the best we can get is to prove that no adversary can learn the support status of the honest applicants, which is sup the goal of the protocol BLINDcan.

sup 5.4 The protocol BLINDcan

sup We present now the protocol BLINDcan (Protocol3): at the end of the protocol, the supported applicants share a canonical GHZ state, and each applicant knows their own support status.

sup sup Lemma 5.5 (Correctness of BLINDcan). If all parties are honestly running the BLINDcan protocol, then at the end of the protocol, with probability 1 δ (so with overwhelming probability − when δ is negligible), all supported applicants share a canonical GHZ, and all applicants know whether they are supported or not.

Proof. With probability 1 δ, the y obtained by Cupid has exactly two preimages. In that case, − due to the correctness property of PartInfo given Definition 4.3 (part 1) we get i, v[i] = , ∀ 6 ⊥ so v[i] 0, 1, . Then, using Lemma 5.1, we know that the state shared by all participants ∈ { } α 0 0 after the BLIND part is h(x) + ( 1) h(x ) , with h(x) h(x ) = d0. We can combine this | i − | i ⊕ using part 2 of the correctness property given in Definition 4.3, (that states that v[i] 0, 1 ∈ { } iff d0[i] = 1): because the set of supported participants is := i d0[i] = 1 , we have for all S { | } i / : h(x)[i] = h(x0)[i]. Thus the register of each applicant i / is in a tensor product with all ∈ S ∈ S the other qubits, so we can factor them out, and consider only the state shared by applicants

27 sup Protocol 3: BLINDcan Inputs: Same as BLIND: Cupid gets d0 and λ. Assumptions: There exists a δ-GHZcan capable family of functions with δ = negl(λ). Protocol: – Run the protocol BLIND, so that Cupid gets (b, y) and each applicant ai the i-th qubit −1 0 0 – Cupid: Compute v ← PartInfo(tk, y), and if fk (y) = {x, x } with x 6= x , compute 0 α := hb, x ⊕ x i (otherwise, sample α randomly). Computes the supported set S = {i | d0[i] = 1}. n Sample uniformly at random αˆ ← {0, 1} such that α = ⊕i∈S αî. For all i, send (ˆαi, v[i]) to applicant ai. – All applicants: When receiving the message (ˆαi, v[i]): – If v[i] = , then it means that the applicant is not part of the support of the final GHZ. The end. – If v[i] = ⊥, it is a local abort. It’s likely that the server was malicious. Do not reveal this information to the server. The end. – If v[i] ∈ {0, 1}, it means that this applicant is part of the final GHZ state. Apply Zαî Xv[i] on the qubit sent by the server. i (in that case h(x0)[i] = 1 h(x)[i]): ∈ S ⊕ O O O O h(x)[i] + ( 1)α h(x0)[i] = h(x)[i] + ( 1)α 1 h(x)[i] (31) | i − | i | i − | ⊕ i i∈S i∈S i∈S i∈S After the corrections, the state becomes: L O v[i] α⊕ αî O v[i] X h(x)[i] + ( 1) i∈S X 1 h(x)[i] (32) | i − | ⊕ i i∈S i∈S L And due to the fact that α = i∈S αî, we can get rid of the phase. Moreover, we can now use 0 the part 3 of Definition 4.3 which states that there exists u h(x), h(x ) such that if d0[i] = 1, ∈ { } then v[i] = u[i]. So if i , we have u[i] = v[i] = h(x)[i], then after the correction we get the ∀ ∈ S state 0 ... 0 + 1 ... 1 , which is a canonical GHZ, and if u[i] = v[i] = h(x0)[i] = 1 h(x)[i], | i | i − then we get 1 ... 1 + 0 ... 0 , which is the same canonical GHZ state. | i | i sup Similarly, we define now the security of the BLINDcan protocol: sup sup Lemma 5.6 (Security of BLINDcan). If we allow in the protocol BLINDcan the fully malicious server to corrupt a subset of applicants in such a way that either at least one supported applicant is not corrupted or no supported applicant is corrupted16, then the support status of honest applicants is completely hidden. More precisely, no QPT adversary = ( 1, 2, 3) can win sup 1 A A A A the game IND BLINDcan (Fig.5)with probability better than 2 + negl(λ). In the following, − (0) (1)M is the set of malicious applicants corrupted by Bob, and the condition i , d0 [i] = d0 [i] is required to avoid a trivial uninteresting distinguishing strategy. ∀ ∈ M Proof. The first step in the proof is to note that, due to the condition line 3, we have either: (0) – i , d = 0, i.e. = . But since we send αî to the adversary only if i , ∀ ∈ M 0 M ∩ S ∅ ∈ M and since the line 10 does not put any restriction on the sampling αî when i / , the line 9 ∈ S and 10 can be replaced with a single line αˆ 0, 1 n. (c) ← { } – or there exists j / such that d [j] = 1, i.e. such that j . Therefore, αˆ can be ∈ M 0 ∈ S L sampled by choosing for all i = j, αî randomly, and finally by setting αˆj = α αˆj 6 ⊕ i∈S\{j} (this is statistically indistinguishable). But since αˆj is never sent to because j / , we A ∈ M can also remove lines 9 and 10 and replace them with αˆ 0, 1 n. ← { } 16 (0) Otherwise there is a trivial, fundamental, attack to any protocol which consists in setting d0 = (01), (1) d0 = (11), M = {2} and then testing if the quantum state obtained by the party 2 is a |+i or not. However, this attack is not possible anymore if the adversary is not in possession of one part of the (0) (1) GHZ (for example if we replace d0 = (00) and d0 = (10) in the above example), that is the reason why we can provide a stronger security guarantee when no supported applicant is supported.

28 IND − BLINDsupA (λ) can{fk} (0) (1) λ 1 :(M, d0 , d0 ) ← A1(1 ) (0) (1) 2 : if ∃i ∈ M, d0 [i] 6= d0 [i] then return false ﬁ (0) (0) (1) 3 : if (∃i ∈ M, d0 = 1) and ((∀i∈ / M, d0 [i] = 0) or (∀i∈ / M, d0 [i] = 0)) 4 : then return false ﬁ 5 : c ←$ {0, 1} λ (c) 6 :(k, tk) ← Gen(1 , d0 )

7 :(y, b) ← A2(k)

8 : v ← PartInfo(tk, y) 0 9 : if ⊥ ∈/ v then α := hb, x ⊕ x i else α ←$ {0, 1} ﬁ

n M 10 :α ˆ ← {αˆ | αˆ ∈ {0, 1} , αˆi = α or S = ∅} i∈S 11 : // The adversary has only access to the messages sent by Cupid to corrupted applicants:

12 :c ˜ ← A3({(i, αˆi, v[i])}i∈M) 13 : return c˜ = c

sup Fig. 5: Game IND BLINDcan required in Lemma 5.6 − This gives us a new game GAME1:

GAME1A

sup // . . . First 7 lines like IND − BLINDcan n 9 :α ˆ ← {0, 1}

10 :c ˜ ← A3({(i, αˆi, v[i])}i∈M) 11 : return c˜ = c

h supA i A Since the two games are exactly equivalent, we have Pr IND BLINDcan = Pr GAME1 . − Then, deﬁne a new game GAME2 by removing the condition line 3 and 4:

GAME2A

// . . . Remove line 3 and 4 of GAME1 (0) (0) (1) 3 : if (∃i ∈ M, d0 = 1) and ((∀i∈ / M, d0 [i] = 0) or (∀i∈ / M, d0 [i] = 0)) 4 : then return false ﬁ 5 : // . . . Rest is like GAME1

We can remark that this condition cannot help the adversary to win since entering inside this A A condition always returns “false”, therefore Pr GAME1 Pr GAME2 . But now, we remark ≤ that GAME2 is very similar to the game IND PARTIAL defined Definition 4.3, except that we − provide an additional random string αˆ to 3. But since this string is random, it is easy to A see that we can turn any adversary winning GAME3 with probability p into an adversary 0 A 0 A winning the game IND PARTIAL with the same probability p by defining ( (i, v[i]) i∈M) as − A3 { } an adversary sampling a uniformly random bit string αˆ and calling 3( (i, αî, v[i]) i∈M) (and A { } reciprocally, any adversary that can win IND PARTIAL without access to αˆ can win GAME3 − with access to αˆ by simply forgetting this value). So we get:

A A max Pr GAME3 = max Pr IND PARTIAL (33) QPT A QPT A −

29 A 1 But by assumption, for any QPT , Pr IND PARTIAL + negl(λ). So by combining all A − ≤ 2 the inequations we showed on games, we also get: h i 1 Pr IND BLINDsupA (λ) + negl(λ) (34) − can{fk} ≤ 2 which ends the proof.

dist 5.5 The protocol AUTH − BLINDcan dist sup We can now define our main protocol AUTH BLIND . Similarly to the BLINDcan protocol, − can each supported applicant is supposed to end up with a canonical GHZ state, and the support status of each applicant should be unknown to the other applicants and to the server. However, in this protocol the trusted party Cupid is not needed anymore: each applicant is supposed to choose themselves their own support status. Moreover, the server can have some guarantees on the support status of the applicants: for example, the server can ensure that if some applicants are supported, then they all know a classical secret. This secret can be any witness of a NP relation: it could be a password, a private key linked with some known public key, a signature from a third party Certification Authority, the proof of any famous theorem. . . In this protocol, we protect both the server against malicious applicants, and the honest applicants against a malicious coalition of the server and other applicants: – Protecting the server: the server wants to check if the applicants have the required credentials, in order to ensure that if an applicant is supported, then they know some secrets. Moreover, it wants to ensure that no malicious applicant can alter the GHZ state. – Protecting the applicants: as before, the applicants want to hide to other applicants and to the server their own support status. We want to emphasize that such unique functionality of Non-Destructive Zero-Knowledge Proofs on Quantum States is made possible due to the fact that we can bind quantum data to classical data: that way, the server can have guarantees about a quantum state using only a non-destructive classical Zero-Knowledge protocol. This contrasts highly with the usual destructive way of testing a property on a quantum state. dist ∗ In the AUTH BLIND protocol, n deterministic functions Authi : 0, 1 0, 1 0, 1 − can { } × { } → { } are responsible of the “authorization” of the applicants: the server will allow applicant i to be part of the protocol iff they can prove in a ZK way that they know w such that Authi(d0[i], w) = 1. In particular, we can use the Authi function to ensure that an applicant is part of the GHZ iff they know a password si by defining Authi(d0[i], s˜i)) := (d0[i] = 0 si = s˜i). We emphasize ∨ that with such a function, we also allow applicants that do no know the password to be part of the protocol, they just won’t be able to receive a qubit that is part of the final GHZ. Moreover, the output of Authi does not reveal whether the user is supported, nor that they know the password. It just reveals that if the user is supported, then they know the password. The dist protocol AUTH BLINDcan is described in Protocol4. − dist dist We study now the properties of the AUTH BLINDcan protocol. Since the protocol AUTH BLINDcan − sup − replaces via an MPC computation the Cupid party of the BLINDcan protocol, the correctness is obtained easily. We prove now that we can also get a correctness property even if applicants are malicious. This is a first fundamental property that seems to be hard to achieve with “purely quantum” protocols: indeed, one could imagine a protocol in which an honest source distributes a GHZ state to all parties, and then parties that do not want to be part of the GHZ could measure their qubit in the Hadamard basis, and transmit (maybe via a MPC protocol) the correction to apply to others parties. However, this kind of quantum protocol has the following drawback: it is hard to detect cheaters (for example that do not give the right correction to apply, or that measure in the computational basis) or protect against parties having a noisy device, since there is no way to check that the party actually measured that precise outcome. It may be possible to use a verification step on top of that to verify at the very end the state, but it

30 dist Protocol 4: AUTH BLINDcan − ∗ Inputs: Each applicant i gets λ. They also get d0[i] ∈ {0, 1} and wi ∈ {0, 1} such that Authi(d0[i], wi) = 1 (d0[i] = 1 iff applicant i wants to be supported). The authentication functions {Authi}i∈[n] are also public. Assumptions: There exists a δ-GHZcan capable distributable family of functions with δ = negl(λ). Cupid is not required anymore, and instead we require the existence of a classical (but quantum-secure) Multi-Party Computation protocol. Protocol: (i) (i) λ (i) – Each applicant ai: Run (k , tk ) ← GenLoc(1 , d0[i]), send k to the server, and continue the protocol. – Server: Run (as a verifier) a Zero-Knowledge protocol with each applicant (the prover) to check that k(i) is well prepared, and that the applicant can authenticate the quantum state. More (i) (i) precisely, each applicant i proves to the server that they know (d0[i], tk , w ) such that (i) (i) (i) CheckTrapdoorλ(d0[i], tk , k ) ∧ Authi(d0[i], w ) = 1. If the protocol fails with at least one applicant, abort after sending ⊥ to all applicants (the server can also output if needed the identity of the applicant who were malicious in case other actions should be performed with respect to them, e.g. in further runs). Otherwise, the protocol continues. – Server: Compute k := (k(1), . . . , k(n)), run the quantum circuit already described in protocol BLIND, and for all i, send the i-th qubit of the second register to applicant ai together with (y, b). (i) – For each applicant i: Compute v[i] ← PartInfoLoc(tk , y), and compute via a MPC protocol the function CombineAlpha (Fig.6). The first input is the input of the server, and the other inputs are from the applicants (the y(i) and b(i) are supposed to be equal to y and b and are just used to ensure that the server provided coherent inputs in the MPC, and r(i) ∈ {0, 1}n is a string supposed to be sampled uniformly at random). The reason we use a MPC protocol is that (i) a PartAlphaLoc(i, tk , y, b) can leak information about the bit d0[i], so this bit should not be revealed directly. Intuitively, CombineAlpha checks that the input are honestly prepared, and computes a secret share αî of α, such that ⊕i∈S αî = α. – For each applicant i: If the outcome αî of the MPC is ⊥, abort. Otherwise, similarly to the last sup v[i] (ˆαi) step of the BLINDcanprotocol: if v[i] ∈ {0, 1}, apply the correction X Z on the qubit, else discard the qubit.

aThe attack would be as follows: the malicious server Bob can run the QFactory [CCKW19] protocol (i) with k which gives him a BB84 state in the basis d0[i]: if d0[i] = 0 then it gets either |0i or |1i, but (i) if d0[i] = 1 then it gets the state |+i if αp αi = 0 and a |−i otherwise. So the trick is to measure the (i) state in the Hadamard basis: if the measurement is diﬀerent from αp then we know that d0[i] = 0, and otherwise the server will randomly guess the value of d0[i]. It is easy to see that if d0[i] is chosen uniformly at random, then the server has a non-negligible advantage in guessing d0[i].

31 (1) (1) (1) (1) (n) (1) (n) (n) CombineAlpha((k, y, b), (tk , d0[1], k , y , b ),..., (tk , d0[n], k , y , b ))

1 : // Check if the input are honestly prepared (1) (n) 2 : if k 6= (k , . . . , k ) or (i) (i) (i) (i) 3 : ∃i, y 6= y or b 6= b or ¬CheckTrapdoorλ(d0[i], tk , k ) n+1 4 : then return ⊥ fi 5 : // Compute the correction α, the set of supported applicants, sample a first version of αˆ M (i) M (l) 6 : α = PartAlphaLoc(i, tk , y, b); S = {i | d0[i] = 1}; ∀i, αî = r [i] i l

7 : if S= 6 ∅ then // If at least one person is supported, ensure ⊕i∈S αˆi = α 8 : j = max i// Pick an arbitrary j ∈ S to change i∈S M 9 :α ˆj = α ⊕ αˆi i∈S\{j}

10 : ﬁ // Return αˆi to applicant i and > to the server to indicate no problem occurred.

11 : return (>, αˆ1,..., αˆn)

Fig. 6: The function to compute in the AUTH BLINDdist protocol in a MPC way. − can has other drawbacks: it can be costly, often leads to polynomial security, and, more importantly, it seems to be hard to know who is the cheater when the verification fails. Moreover, if many parties are honest but noisy, the verification step would be likely to always fail, and it would be hard to pin point a specific cheater. On the contrary, for our protocol, we can prove the following properties:

– Blindness against malicious server and applicants: If the server is malicious, then the support status of non-corrupted applicants is hidden to the server and to others malicious applicants. – Correctness with honest server and malicious applicants: If the server is honest, then with an overwhelming probability, the protocol will either abort (this occurs with negligible probability if all parties are honest), or the applicants will share (up to unavoidable local deviation) a hidden GHZ, in such a way that applicant i is part of the GHZ iff they know wi such that Authi(1, wi) = 1. This property is true even if all applicants are malicious or have noisy devices. The assumption of having an honest server here may sound strong, however: The blindness property still holds against a malicious server. • In some protocol, we can expect the server to behave honestly, wanting to protect itself • against malicious applicants. This is the case for example when the server is also an applicant (i.e. wants to be part of the final GHZ), and plans to use this GHZ to teleport a qubit to an unknown party (or secret-share this qubit to an unknown set of parties). That way, the server may want to make sure that unsupported applicant cannot destroy the state it is wanting to send, and that no malicious applicant can “change” this state in order to steal the sent qubit. Moreover, this unique property of being able to do non-destructive proofs on quantum states could be of independent interest, for example to protect the receiver of a quantum state, including maybe in some quantum-MPC protocols. With this property, we already avoid many Denial of Service (DoS) attacks: no malicious • or noisy applicant can corrupt the final state, and therefore this solution scales nicely with the number of users. If we assume that some applicants have noisy devices, it is not a problem since the correctness only rely on the ability of the server to be honest/noiseless. In a more traditional setup, a few noisy devices would force the protocol to always abort, leading to a DoS attack.

32 In order to protect against a malicious server wanting to alter the ﬁnal state, it is • also possible to add at the end a veriﬁcation step (or a distillation step to boost the security/correctness). If the server cannot corrupt the supported applicants, then the security is trivial to show17.

dist Lemma 5.7 (Correctness of AUTH BLINDcan in the presence of malicious applicants). If the server is honest, and if we allow− an attacker to corrupt an arbitrary subset of applicants, then with overwhelming probabilities, the protocol either aborts, or the k receivedM by the server belongs to , and for all applicant i, there exists wi such that Authi(d0[i], wi) = 1. If the ZK K protocol is also a Proof of Knowledge protocol, then the applicant “knows” wi, in the sense that if the adversary can pass the test with non-negligible probability, there exists an extractor that can extract wi given the applicant’s circuit with non-negligible probability (this is a direct application of Deﬁnition 3.6)18. Moreover, if the protocol did not abort before, at the end of the protocol, with probability 1 δ negl(λ) (i.e. overwhelming if δ is negligible), the protocol will either abort, or a state will − − be obtained by applicants. In this later case, if we denote by ρA,M the joint state of the honest applicants (register A) and of the adversary (register ) obtained at the end of the protocol, M 19 then ρA,M can be written as a Completely Positive Trace Preserving (CPTP) map applied on a GHZ state shared among all parties i such that d0[i] = 1, in such a way that the CPTP map leaves untouched the qubits of the GHZ state owned by honest applicants i. In particular, if all supported parties are honest, they all share a GHZ state.

Proof. The first action of the server (which is assumed to be honest here) is to run a ZK protocol (i) to check that i, k λ,Loc and Authi(d0[i], wi) = 1. Therefore, we can use the soundness ∀ ∈ K (i) property of the ZK protocol to claim that with overwhelming probability i, k λ,Loc and ∀ ∈ K there exist wi such that Authi(d0[i], wi) = 1 (since the provers are the applicants, they are bounded so we can rely on both computational or statistical soundness). The fact that wi is actually “known” to the applicant comes directly from the fact that the ZK protocol is a Proof of Knowledge and is extractable. So with overwhelming probability, k := (k(1), . . . , k(n)) belongs n to := λ,Loc. Therefore, since the server is honest, with probability 1 δ it will measure a y K K −1 − such that fk (y) = 2, and due to the properties of the family fk, the two preimages x and 0 | | 0 a 0 x are such that h(x) h(x ) = d0. So the state sent by the server is h(x) + ( 1) h(x ) ⊕ | i − | i with a = b, x x0 . Then, the MPC protocol will be performed. If the MPC aborts, then we h ⊕ i are already in the setting of the theorem. If the MPC does not aborts, then, due to the fact that in quantum mechanics, operations performed by two non-communicating parties commute, without any loss of generality we can assume that the honest applicants will apply the correction before the deviation of the malicious party. Moreover, since the honest corrections are unitary, we can also assume without any loss of generality that the first step of the malicious party is to apply the honest correction on the state received from the server and then deviate (eventually 17Note that if the server can corrupt supported applicants in such protocols in which a verification is added, it may be able to exploit the “abort” in order to break the blindness property. For example, the server could send a garbage state to a given user to determine if this user is supported or not. This seems to be quite fundamental, and hard to avoid, but a costly tradeoff may be found by asking to all participants to run verification between GHZ shared between a smaller subset of parties, but this is out of the scope of the current paper. 18 In particular, if it is impossible to forge with non-negligible probability a wi such that Authi(d0[i], wi) = 1 (for instance because this wi is a signature coming from an unforgeable signature scheme), then it means that with overwhelming probability the applicant is indeed in possession of wi. 19Note that for simplicity, we just require the existence of this CPTP map, and therefore it can depend on any quantity, including k, d0. . . Therefore we don’t require this map to be efficiently computable since it will not be useful for us. However, a similar “efficient” version should be derivable if we make sure our ZK protocol is extractable, i.e. that the trapdoor of each k(i) can be extrated by a simulator. This is however out of the scope of this paper.

33 by starting to undo the correction). Note that we do not even ask this correction to be efficiently computable by the adversary (see Footnote 19) since we just claim that such deviation exists. Due to the definition of PartInfo, after applying the X correction, the parties i for which α d0[i] = 1 share a state 0 ... 0 + ( 1) 1 ... 1 . Now, we have two cases: | i − | i 1. If there exists at least one supported applicant which is malicious, then the proof is done: no matter what are the values of αî which will be used by the honest applicant to correct L α⊕ αî the state, we can always include in the CPTP map a first step that applies Z i∈S,i∈M / on the qubit of the malicious applicant to map the step back to a GHZ state. Again, this is possible since we just require the existence of the CPTP map. Then, any CPTP deviation can be applied on the state owned by the malicious adversary, including undoing the previous Z and X corrections. 2. If there exists no malicious supported applicant, and if the probability of having no abort and no malicious supported applicant is non-negligible20, then with overwhelming probability L we must have i∈S αî = α. Indeed, if it is not the case, then it is possible to distinguish the real world from the ideal world of the MPC computation. Therefore, after the Z correction the honest applicants having d0[i] = 1 will share a canonical GHZ, which ends the proof.

dist Lemma 5.8 (Blindness of AUTH BLINDcan in the presence of malicious applicants). If the server corrupts a set of applicants,− in such a way that at least one supported applicant is not corrupted, or that no supported applicant is corrupted, then the support status of the honest dist applicants is hidden in the AUTH BLINDcan protocol, beyond the fact that server knows whether they can pass (or not) the authorization− step. More formally, no adversary can win the game IND AUTH BLINDdist (Fig.7). − − can IND − AUTH − BLINDdistA (λ) can {fk} (0) (0) (1) (1) λ 1 :(M, d0 , {(i, wi )}i∈[n]\M), d0 , {(i, wi )}i∈[n]\M) ← A1(1 ) (0) (1) 2 : if ∃i ∈ M, d0 [i] 6= d0 [i] then return false ﬁ (0) (0) (1) 3 : if (∃i ∈ M, d0 = 1) and ((∀i∈ / M, d0 [i] = 0) or (∀i∈ / M, d0 [i] = 0)) 4 : then return false ﬁ

// Check that the adversary did not gave wrong witnesses wi: (c) (c) 5 : if ∃i ∈ [n], ∃c ∈ {0, 1}, Authi(d0 [i], wi ) 6= 1 then return false ﬁ $ (c) (c) 6 : c ← {0, 1}; d0 := d0 ; wi := wi dist 7 : Run with A2 the protocol AUTH − BLINDcan .

8 :c ˜ ← A3 9 : return c˜ = c

Fig. 7: Game IND AUTH BLINDdist deﬁned in Lemma 5.8 − − can

Proof. The above game is more formally deﬁned in Fig.8. We will prove the above theorem by using a hybrid argument. First, we can easily see that if the adversary corrupts all applicants 1 ( = [n]), then it cannot win the game with probability better than 2 . Indeed, the line2 forces M(0) (1) d0 = d0 (and both maps wi are empty), therefore the view of the adversary is exactly the same for c = 0 and c = 1. So we can deﬁne a new hybrid game GAME2 in which we return false if = [n]: M 20If on the other hand this quantity is negligible, then this second case occurs with negligible probability so it is absorbed in the negl(λ) of the theorem.

34 GAME1A(λ)

(0) (0) (1) (1) λ 1 :(M, d0 , {(i, wi )}i∈[n]\M), d0 , {(i, wi )}i∈[n]\M) ← A1(1 ) (0) (1) 2 : if ∃i ∈ M, d0 [i] 6= d0 [i] then return false ﬁ (0) (0) (1) 3 : if (∃i ∈ M, d0 = 1) and ((∀i∈ / M, d0 [i] = 0) or (∀i∈ / M, d0 [i] = 0)) 4 : then return false ﬁ

// Check that the adversary did not gave wrong witnesses wi: (c) (c) 5 : if ∃i ∈ [n], ∃c ∈ {0, 1}, Authi(d0 [i], wi ) 6= 1 then return false ﬁ $ (c) (c) 6 : c ← {0, 1}; d0 := d0 ; wi := wi (i) (i) λ 7 : ∀i∈ / M, (k , tk ) ← GenLoc(1 , d0[i]) (i) 8 : A2({k }i∈M / ) 9 : for i∈ / M do (i) (i) 10 : Prove in ZK with A2,i that CheckTrapdoorλ(d0[i], tk , k ) ∧ Authi(d0[i], wi) = 1 11 : endfor

12 : if A2 aborts then wait for c˜ from A2. return c˜ = c ﬁ

13 :(y, b) ← A3

14 : Compute in a MPC way the CombineAlpha function, where A4 controls adversaries in M. // All others operations are not sent to the adversary, and operations // applied on the quantum state do not change anything due to non-signaling.

15 :c ˜ ← A5 16 : return c˜ = c

Fig. 8

GAME2A

// Just update the line2 of GAME1 as follows: (0) (1) 2 : if M = [n] or ∃i ∈ M, d0 [i] 6= d0 [i] then return false ﬁ // Rest is like GAME1...

Then, we can turn any adversary winning GAME1 with probability p into another adversary 0 A 0 winning GAME2 with probability p. To do so, runs ﬁrst 1: if 1 returns = [n], then A A A A M 6 0 continues normally with , otherwise if = [n] then 0 removes one element of (of A A M 0 A M course, [n] is assumed to be non empty. . . ), and aborts when 2 is supposed to run, and A A output a random c˜. Therefore, we have:

h 0 i max Pr GAME1A (λ) = max Pr GAME2A (λ) (35) QPTA QPTA0

The second hybrid game that we define is the same as the game GAME2, except that we replace lines 14 to 15 with one line (c,˜ ~y) REALΠ,A0 (λ, ~x,ρ3), where ρ3 is the final internal state of ← the adversary 3, ~x contains the honest inputs of the MPC computation for the non-corrupted A adversaries and dummy inputs for the corrupted adversaries (we will ignore them anyway), and 0 is the adversary that outputs the corrupted set , that runs 4(ρ3) followed by c˜ 5(ρ4), A M A ← A where ρ4 is the final internal state of 4, and that finally returns c˜. This defines a new game A GAME3:

GAME3A

14 : Compute in a MPC way the CombineAlpha function, where A4 controls adversaries in M.

15 : c˜ ← A5 (˜c, ~y) ← REALΠ,A0 (λ, ~x,ρ3)

35 Since this is perfectly equivalent from the point of view of the adversary (due to the definition A or REAL), the probability of winning these two games are exactly the same: Pr GAME2 = A Pr GAME3 . Now, because the MPC protocol is secure, there exists a simulator Sim fitting Definition 3.9. Therefore, we can now define a new game GAME4, in which we replace the real world with the ideal world:

GAME4A

15 : (˜c, ~y) ← REALΠ,A0 (λ, ~x,ρ3) (˜c, ~y) ← IDEALCombineAlpha,Sim(λ, ~x,ρ3)

Then, we have Pr [ REALΠ,A0 (λ, ~x,ρ3)[0] = c ] Pr IDEALCombineAlpha, (λ, ~x,ρ3)[0] = c + ≤ Sim negl(λ) (otherwise we could distinguish between the real and ideal worlds), and therefore A A Pr GAME3 Pr GAME4 + negl(λ). Now, we can deﬁne CombineRandom, which is an ≤ adaptation of CombineAlpha that does not depend anymore on the secret values of the honest parties:

(1) (1) (1) (1) (1) (n) (n) (1) (n) (n) CombineRandom((k, y, b), (tk , d0[1], r , k , y , b ),..., (tk , d0[n], r , k , y , b )) 1 : // Check if the input are honestly prepared (1) (n) (i) (i) (i) (i) 2 : if k 6= (k , . . . , k ) or ∃i, y 6= y or b 6= b or ∃i ∈ M, ¬CheckTrapdoorλ(d0[i], tk , k ) n+1 3 : then return ⊥ ﬁ

M (l) 4 : ∀i, αˆi = r [i] l

5 : return (>, αˆ1,..., αˆn)

We can now deﬁne a new game GAME5 in which we substitute the CombineAlpha function with the CombineRandom function:

GAME5A

15 : (˜c, ~y) ← IDEALCombineAlphaCombineRandom,Sim(λ, ~x,ρ3)

A A Then, we have Pr GAME4 = Pr GAME5 . Indeed, by construction, the inputs of the honest parties always pass the CheckTrapdoor test, so removing this test for the honest parties cannot help the adversary to distinguish the two games. Moreover, since at least one applicant is honest, L (l) the string l r is indistinguishable from a random string. Therefore, we can use the same trick used already in the proof of Lemma 5.6: the condition line3 gives us two cases. – If all malicious applicants are not supported, then, since the output of honest applicants are never given back the adversary, we don’t need to update αˆj – Similarly, if at least one honest applicant is supported, then instead of updating αˆj, we can update the αˆj or this applicant. . . But since the output of honest applicants are never given to the adversary, we don’t even need to update it.

A A Therefore, Pr GAME4 = Pr GAME5 . In the next hybrid, we are going to remove completely the MPC computation, and the previous line that can now be merged in a single one:

GAME6A

12 : if A2 aborts then wait for c˜ from A2. return c˜ = c ﬁ

13 : (y, b) ← A3

12 : (˜c, ~y) ← IDEALCombineRandom,Sim(λ, ~x,ρ3)˜ c ← A3

The reason is that now, since the CombineRandom function does not depend on any secret (i) own by honest parties, the input of honest parties can be replaced with wrong trapdoors tk

36 (i) and d0[i]. Therefore, since the adversary knows already k , it can simulate locally the ideal world. More precisely, from an adversary winning the game GAME5A with probability p, we A can create another adversary 0 winning the game GAME6A with the same probability p: 0 will A (i) A run 1 and 2 against the challenger, keeping locally the k . If 2 aborts and sends c˜, then it A A 0 A returns c˜ directly. Otherwise runs as a blackbox 3 to obtain (y, b), and then it locally runs A A Sim to compute IDEALCombineRandom,Sim(λ, ~x,ρ3), by feeding the input of honest parties input ~x (i) with the k(i) that it got before, y(i) := y, b(i) := b, r(i) $ 0, 1 n and since the values of t ← { } k do not matter anymore, it can put any value here. Finally 0 outputs the c˜ obtained from the A simulation IDEAL. Therefore, since we do not change what is done, but who’s doing what, we get:

A h A0 i max Pr GAME5 (λ) = max Pr GAME6 (λ) (36) QPTA QPTA0 So now, the game GAME6 is exactly like GAME1 except that the lines 12–15 are replaced with a single line c˜ 3. We will now do a similar strategy to remove the ZK protocol (line9). The ← A first step is to formalize this line (we will also merge it with the next line). We define L as the (i) (i) (i) (i) (i) R relation (d0[i], t , k ) L(k ) iff CheckTrapdoor (d0[i], t , k ) Authi(d0[i], wi) = 1, k ∈ R λ k ∧ and P the honest ZK prover associated with L. If we define ρ1 as the internal state at the end ∗ (i) R of 1, and V ( k , ρ1) := (ρ2 2(ρ1); c˜ 3(ρ2)) then we can merge the line 12 of A { }i/∈M ← A ← A GAME6 with the line9 as follows:

GAME7A (i) 8 : ρ ←A2({k }i∈M / )// We just explicit the internal state after A2 9 : for i∈ / M do (i) (i) 10 : Prove in ZK with A2,i that CheckTrapdoorλ(d0[i], tk , k ) ∧ Authi(d0[i], wi) = 1 (i) (i) ρ ← OUTA2,i hP(d0[i], tk , wi), A2,i(ρ)i(k ) 11 : endfor

Since both games are exactly identical (up to the notation), we get Pr GAME6A = A Pr GAME7 . Now, due to the fact that the MPC protocol respects the property Quan- tum Zero Knowledge defined in Definition 3.5, there exist for all i / a simulator Simi fitting ∈ M Definition 3.5. To be completely formal, one should define a series of games in which we replace in the loop only one OUT at a time by the simulated version, and we can then claim that the probability of having c˜ = c in each hybrid game is negligibly close to the probability of having c˜ = c in the first game, otherwise we could distinguish between the real world and the ideal world. This gives us at the end a new game GAME8:

GAME8A (i) (i) (i) ∗ 10 : ρ ← OUTA2,i hP(d0[i], tk , wi), A2,i(ρ)i(k ) ρ ← Simi(k , V , ρ)

A A And using the above argument, Pr GAME7 Pr GAME8 + negl(λ). Now, the simulators ≤ Simi can be fully simulated by the adversary since there is no more secret information. So, exactly like we did for the MPC computation, we can move the loop into the adversary:

GAME7A (i) (i) 8 : ρ ← A2({k }i∈M / )˜ c ← A2({k }i∈M / ) 9 : for i∈ / M do (i) ∗ 10 : ρ ← Sim(k , V , ρ) 11 : endfor

12 : c˜ ← A3

37 and we get:

A h A0 i max Pr GAME8 (λ) = max Pr GAME9 (λ) (37) QPTA QPTA0 So now, GAME9 is like GAME1 except that all lines starting from line8 are replaced with a single (i) line c˜ 2( k ). We see now that the conditions line5 and line3 can only decrease the ← A { }i/∈M probability of winning the game. Therefore we can remove them (as well as wi’s which are not used anymore). This gives us this new game (after removing empty lines):

GAME10A(λ) (0) (1) λ 1 :(M, d0 , d0 ) ← A1(1 ) (0) (1) 2 : if ∃i ∈ M, d0 [i] 6= d0 [i] then return false ﬁ $ (c) 3 : c ← {0, 1}; d0 := d0 (i) (i) λ 4 : ∀i∈ / M, (k , tk ) ← GenLoc(1 , d0[i]) (i) 5 :c ˜ ← A2({k }i∈M / ) 6 : return c˜ = c

Since we only increase the probability of success, we have:

A h A0 i max Pr GAME9 (λ) max Pr GAME10 (λ) (38) QPTA ≤ QPTA0

Similarly, we can decide to give more advices to the adversary, by running GenLoc on all i [n] ∈ instead of only on the i / : ∈ M GAME11A (i) (i) λ 4 : ∀i∈ / M∀i ∈ [n], (k , tk ) ← GenLoc(1 , d0[i]) (i) 5 :c ˜ ← A2({k }i∈M/ ∈[n])

Since we give more advices to the adversary, its probability of winning the game can only increase (it can always decide to drop this additional information). Therefore

A h A0 i max Pr GAME10 (λ) max Pr GAME11 (λ) (39) QPTA ≤ QPTA0

However, since Gen is defined as the concatenation of GenLoc, then this game is actually exactly A the IND D0Gen(λ) game defined Definition 4.1, and by assumption, the probability of winning − 1 this game is smaller than 2 + negl(λ). Therefore, we also have:

A 1 max Pr GAME1 (λ) + negl(λ) (40) QPTA ≤ 2 which ends the proof.

6 Function construction

6.1 Construction of a δ-GHZH capable family

In this section, we will explain how to derive a δ-GHZH capable family. See the Section 2.3 to get an intuitive explanation of our method, which extends the construction introduced in [CCKW19] (itself based on [CCKW21]). In the following, MP.Gen and MP.Invert are the functions deﬁned in [MP12] (to, respectively, generate a couple public key/trapdoor (A, R) and to invert the function gA(s, e) := As + e). Details are in Section 3.6.

38 Definition 6.1. For the parameters 0 := (k, N, α, rmax) (like in Definition 3.17) and := N P M+n k P ( 0, n, ) with n N and Zq Zq where q := 2 and M := N(1 + k), we define P X ∈ X ⊆ × n n Fig.9 the algorithms GenP , InvertP , EvalP (to compute fk) and h. We use d0 0, 1 Zq N M (M+n)×N ∈ { } ⊆ (same for d), s0 Zq , e0 Zq , (s, e) , c 0, 1 , A Zq and R is the trapdoor obtained via the [∈MP12] algorithm.∈ ∈ X ∈ { } ∈

λ GenP (1 , d0) InvertP (tk := (R, d0, s0, e0, A), y)

λ M 1 :(Au, R) ← MP.Gen(1 ) yu ∈ Zq Au 1 : n := y; := A $ n yl ∈ Zq Al 2 : Al ← Zq 2 :(s, eu) ← MP.Invert(R, A, yu) Au 3 : A := Al 3 : if s = ⊥ then return ⊥ ﬁ

N 4 : d := RoundModq (yl − Als) 4 : s0 ← D Z,αq M+n eu 5 : e0 ← D Z,αq 5 : e := yl − Als − d M q 0 0 0 6 : y0 := As0 + e0 + 6 : s := s − s0; e := e − s0 2 d0 0 0 7 : if (s, e) ∈/ X or (s , e ) ∈/ X then 7 : k := (A, y0) 8 : return ⊥ ﬁ 8 : t := (R, d , s , e , A) k 0 0 0 0 0 0 9 : return ((s, e, 0, d), (s , e , 1, d ⊕ d0)) 9 : return (k, tk)

EvalP (k := (A, y0), x := (s, e, c, d)) =: fk(x) h(x := (s, e, c, d)) M 0 1 : return d 1 : return As + e + + c × y d 0

Fig. 9: Deﬁnition of the δ-GHZH capable family

While most of the correctness proofs, sketched in Section 2.3, follow the same line as [CCKW21] and the security proofs is similar to the one in [CCKW19], we need to slightly adapt and improve the analysis since we also want a worst-case analysis (for malicious applicants) and because we are also interested to have a negl(λ)-2-to-1 family: for that reason, we will do an analysis of the requirements of the parameters, and we give an explicit instantiation of these parameters that ensures that the construction is negl(λ)-2-to-1. To that end, we need to rely on the hardness of GapSVPγ for superpolynomial γ (note that this kind of assumptions is used to achieve similar δ-2-to-1 constructions, for example see [Bra18]). We describe now a way to check that a function is δ-2-to-1 and have the XOR property explained in Deﬁnition 4.1, which is exactly what the H.CheckTrapdoor function (required later in Theorem 6.8) must do (i.e. check that the trapdoor is well formed, and that it has the properties given in Theorem 6.2). Note that the δ given here is a kind of worst-case analysis (which is required if the key is maliciously sampled): on average, if we sample random functions we expect to have a smaller δ.

Theorem 6.2 (Conditions for fk to be δ-2-to-1). Let be like in Deﬁnition 6.1. We P deﬁne rsafe = rmax αq√N + M + n, + (ˆs0, eˆ0) := (s + ˆs0, e + eˆ0) (s, e) and − X { | ∈ X } ( + (ˆs0, eˆ0)) δ := 1 min |X ∩ X | − |X | N M+n ˆs0 (ˆs0, eˆ0) , αq√N + M + n (41) Zq Zq e ∈ × ˆ0 2 ≤

39 N M+n ˆ N×N n×n Nk×2N Let s0 Zq , e0 Zq , d0 0, 1 , A Zq , Al Zq and R = R1 R2 Zq . We deﬁne∈ as before:∈ ∈ { } ∈ ∈ ∈ Aˆ Au (M+n)×N Au := A := Zq (42) G R2Aˆ R1 Al ∈ − − M q 0 together with y0 := As0 + e0 + 2 and k := (A, y0). d0 p 2 q s0 If σmax(R) + 1 , αq√N + M + n, and 4rmax e ≤ 0 2 ≤ N M+n s (s, e) rsafe (43) Zq Zq e X ⊆ ∈ × 2 ≤ then the function fk(x) described in Deﬁnition 6.1 is δ-2-to-1, trapdoor, and for any y having 0 0 0 exactly two preimages x and x , we have x = x , h(x) h(x ) = d0. 6 ⊕ λ On the other hand, if (k, tk) is sampled according to Gen(1 , d0), if Eq. (43) is true, and if: r 2 q C αq √N(√k + √2 + 1) + 1 (44) × × ≤ 4rmax then with overwhelming probability on N, the function fk is δ-2-to-1, trapdoor, and for any y 0 0 0 having exactly two preimages x and x , we have x = x , h(x) h(x ) = d0. 6 ⊕

Proof. Let us first prove that for all c 0, 1 , the function fk( , , c, ) is injective. Let 0 0 0 ∈ { } 0 0 · 0· · c 0, 1 , and s, e, d, s , e , d be such that fk(s, e, c, d) = fk(s , e , c, d ). Then, if we consider ∈ { } only the upper part of this equation (and denote eu the upper part of the vector e), we 0 0 0 0 get Aus + eu + c y0,l = Aus + eu + c y0,l, i.e. Aus + eu = Aus + eu. But because p 2 × q × σmax(R) + 1 and due to the condition on given in Eq. (43) and the fact ≤ 4rmax X that rsafe rmax, according to Lemma 3.20 the function (s, e) Aus + e is injective. So 0 ≤ 0 → s = s and eu = eu. Now, we focus on the upper part of the above equation: we have q 0 0 q 0 0 q 0 q 0 Als+el + 2 d+c y0,l = Als +el + 2 d +c y0,l. Because s = s , we obtain el + 2 d = el + 2 d . p × q × q q Because 1 σmax(R) + 1 < 4r , we have rmax < 4 . Therefore, we get for all i, el[i] < 4 , ≤ q max 0 q 0 0 | | so RoundModq(el[i] + 2 d[i]) = RoundModq(el[i] + 2 d [i]), i.e. d[i] = d [i]. So d = d and 0 therefore we also get el = e : the function fk( , , c, ) is injective. l · · · Therefore, fk has at most two preimages, one for c = 0 and one for c = 1. We prove now that 0 0 0 0 0 0 fk(s, e, 0, d) = fk(s , e , 1, d ), iff (s , e , d ) = (s s0, e e0, d d0). One implication is trivial: 0 0 0 − − ⊕ 0 0 0 if (s , e , d ) = (s s0, e e0, d d0) then because q is even, fk(s, e, 0, d) = fk(s , e , 1, d ). We − − ⊕ prove now the second implication. By definition of fk, if we consider again the upper part of 0 0 the equation and replace y0 by its definition, we have Aus + eu = Au(s + s0) + (eu + e0,u). But the triangle inequality gives:

0 0 s + s0 s s0 + rsafe + αq√N + M + n = rmax e0 e e0 e u + 0,u 2 ≤ u 2 0,u 2 ≤

Therefore, we can use again the injectivity property given in Lemma 3.20, which gives (s, eu) = 0 0 q (s + s0, e + e0,u). We can now analyse the lower part of the equation: Als + el + 2 d = 0 0 q 0 0 q Al(s + s0) + (el + e0,l) + 2 (d + d0). Because s = s + s0 and q is even, we have el + 2 d = 0 q 0 (el + e0,l) + 2 (d d0). Using again the triangle inequality, we prove the same way that 0 q ⊕ el + e0,l 2 < 2 . As before, by rounding the previous equation using RoundModq, we obtain k 0 k 0 0 d = d d0 and el = el which concludes the proof. In particular, if x and x are the two ⊕ 0 0 preimage, we have h(x) h(x ) = d d = d0. We remark that this proof follows exactly ⊕ ⊕ the algorithm Invert, therefore the correctness of Invert follows quite directly and thus the function is trapdoor.

40 Now, we prove that the function fk is δ-2-to-1. The total number of elements in the domain of n n fk is 2 2 . Let (s, e) and d 0, 1 . Then, using the result proven above, fk(s, e, 0, d) |X |× ∈ X ∈ { } has a second preimages (s s0, e e0, 1, d d0) iff (s s0, e e0) , i.e. iff (s, e) +(s0, e0). − − ⊕ −1 − − ∈ X ∈ X n So the number of elements x such that f (fk(x)) = 2 is equal to 2 ( + (s0, e0)) 2 , | k | |X ∩ X | therefore if we define: n 2 ( + (s0, e0)) 2 ( + (s0, e0)) δk := 1 |X ∩ X | = 1 |X ∩ X | (45) − 2 2n − |X | |X | s0 this function is δk-2-to-1. But αq√N + M + n, so by definition of δ, δk δ. So fk e 0 2 ≤ ≤ is also δ-2-to-1. To prove the last part of the theorem, we use Eq. (44) and Lemma 3.20: with overwhelming p 2 q s0 probability (on N), σmax(R) + 1 < 4r . Moreover, because is sampled according to max e0 N+(M+n) 21 ,αq , we get, using Lemma 3.12, that with overwhelming probability (on N + M + n): DZ s0 αq√N + M + n. We can now end the proof using the first (already proven) part of e 0 2 ≤ the theorem. Note that we did not yet give an explicit definition of . The most natural way to define X X may be to define it following Eq. (43) as: N M+n s • := (s, e) rsafe (46) Zq Zq e X ∈ × 2 ≤ However, for our protocol to work, one needs to be able to create quantumly a uniform superposition over all elements in . A first naive method would be a rejection sampling X P method: we create a uniform superposition x over the hypercube of length 2rsafe (see x | i later how to do), add an auxiliary qubit, set (in superposition) this qubit to 1 if x 2 rsafe, k k ≤ and to 0 otherwise, and we finally measure it. If the output is 0, we discard the state and start again from scratch, otherwise we have the wanted state. Unfortunately, this method is inefficient as the probability of not rejecting is negligible when N tends to the infinity. While some more efficient methods may exist, it will be easier to focus rather on being an hypercube. X 4 Definition 6.3. For any (µ, N, M, n) N , we define the hypercube µ as: ∈ X N M+n s µ := (s, e) µ (47) Zq Zq e X ∈ × ∞ ≤

Remark 6.4. It is now easy to sample from µ: we can do a rejection sampling as explained X above, except that we proceed coordinate per coordinate (this is much more efficient than doing a rejection sampling on the final high dimensional state): if we use the binary two’s complement notation, we apply Hadamard gates on log (2µ + 1) qubits, and use an auxiliary qubit to d 2 e check if the state is projected on the superposition of elements having size 2µ + 1 (this should 2µ+1 ≤ happen with probability dlog (2µ+1)e 1/2). If the test passes, we add 0 “significants qubits” 2 2 ≥ | i until having k = log2(q) qubits, and run the quantum unitary that substracts µ modulo q. We repeat until having N + M + n successful projections (this require therefore O(N + M + n) samplings). Moreover, we can even get completely rid of the rejection sampling if we slightly 0 change the definition of µ and if we make it less symmetric by asking that there exists k N X ∈ s h 0 0 i such that for all i, [i] 2k , 2k 1 . The superposition procedure is the same except e ∈ − − that we work on k0 + 1 qubits, and we don’t need the rejection sampling. However this notation 21Note that the original lemma applies to Gaussian distributions that are not reduced modulo q, but reducing the Gaussian distribution modulo q can only decrease the length of the vector.

41 slightly complicates the computations with no clear beneﬁt (if simpliﬁes slightly the sampling 0 part, but it may decrease the value of δ since the term 2k must be a power of 2), so for simplicity we will keep our initial notation. Note also that in the following, for the sake of simplicity we won’t try to give tight bounds.

4 0 Lemma 6.5. Let (N, M, n, µ) N , = µ, α (0, 1), δ be as in Eq. (41) and µ := ∈0 X X ∈ µ αq√N + M + n . Then if µ 0: − ≥ N+M+n 2µ0 + 1 (αq + 1)(N + M + n)3/2 δ 1 (48) ≤ − 2µ + 1 ≤ µ + 1/2 s N M+n ˆ0 √ Proof. Let (s, e) µ and (ˆs0, eˆ0) Zq Zq such that αq N + M + n. Then, ∈ X ∈ × eˆ0 ≤ 2 s ˆs0 (s, e) µ + (ˆs0, eˆ0) iﬀ (s ˆs0, e eˆ0) , i.e. iﬀ − µ. If we assume that ∈ X − − ∈ X e eˆ0 ≤ − ∞ s µ0 (this will not be super tight, but it is good enough for our analysis), then e ∞ ≤ s ˆs0 s ˆs0 s ˆs0 − + + µ (49) e eˆ0 ≤ e eˆ0 ≤ e eˆ0 ≤ − ∞ ∞ ∞ ∞ 2 0 N+M+n 0 0 Therefore, µ µ ( µ + (ˆs0, eˆ0)). So µ ( µ + (ˆs0, eˆ0)) µ = (2µ + 1) , X ⊆ X ∩ X N+M+n |X ∩ X | ≥ |X | and because µ = (2µ + 1) , we get: |X | N+M+n N+M+n 2µ0 + 1 2µ0 + 1 δ 1 = 1 1 + 1 + ≤ − 2µ + 1 − − 2µ + 1 2µ0 + 1 1 1 + (N + M + n) 1 + (Bernouilli’s inequality) ≤ − − 2µ + 1 2µ0 + 1 = (N + M + n) 1 − 2µ + 1 2µ 2αq√N + M + n + 3 (N + M + n) 1 − (Remove ) ≤ − 2µ + 1 b·c αq√N + M + n + 1 = (N + M + n) µ + 1/2 (αq + 1)(N + M + n)3/2 (50) ≤ µ + 1/2

Theorem 6.6 (Conditions on parameters). Let λ N be a security parameter and let ∈ 1 (k, n) N and α (0, 1) be parameters that depend on λ, and C √ (see Lemma 3.20). We ∈ ∈ ≈ 2π deﬁne N := λ, q = 2k, M := N(1 + k), q rmax := (51) r 2 4 C αq √N(√k + √2 + 1) + 1 × ×

rsafe := rmax αq√N + M + n (52) − rsafe µ := (53) √N + M + n

:= µ (54) X X (αq + 1)(N + M + n)3/2 δm := (55) µ + 1/2

42 H Then, if µ αq√N + M + n 0, the construction given in Definition 6.1 is δm GHZ capable − ≥ − (see Definition 4.1) assuming the security of decision- q,D . Moreover, if we define: LWE Z,αq 1q p α0 := (αq)2 ω( log N)2 (56) 0 q − 0 α0 α0 := (57) ω(√log N)2 N γ := O˜ (See constants in [Reg05]) α0 and if α0q > 2√N, α0 (0, 1/ω(√log N)], then the construction is secure if GapSVP is hard. ∈ γ In particular, we are interesting in the regime in which δm is negligible (correctness) and in ε which γ = O˜(2N ) for some ε (0, 1/2) (security). ∈ Proof. For the first part of the theorem, the efficient generation and computation properties are trivial to check. The fact that the function is trapdoor and the property on the XOR is a direct consequence of Theorem 6.2. The δm-2-to-1 property comes from Theorem 6.2 and Lemma 6.5. The method to efficiently create a uniform superposition of elements in is given X in Remark 6.4. To prove the indistinguishability property on game IND D0, we assume that there exists − an adversary that can win this game with a non-negligible advantage. Because has only A M A q 0 access to A, y0 = As0 + e0 + 2 (c) , we can use to break the decision-LWE problem: d0 A M 0 0 q 0 given a challenge (A , y), we run the adversary and send to the couple (A , y + 2 (c) ). If A d0 the guess c˜ of equals c, we guess that we get the non-uniform distribution normal-As,D A Z,αq (i.e. the distribution where s is also sampled according to ,αq), otherwise we guess that we DZ get the uniform distribution U. We remark that if y is a vector chosen uniformly at random, M q 0 then the distribution of y + 2 (c) is statistically uniform. So in that case, cannot guess d0 A c with probability better than 1/2. Now, if y is sampled from normal-As,D , then must Z,αq A guess correctly the value of c with non-negligible advantage, otherwise it means that we can distinguish a matrix obtained by MP.Gen from a uniform matrix (we already know it is not possible, see Lemma 3.18). Therefore, the probability p of guessing the correct distribution is:

1 1 1 1 1 p + + negl(λ) = + negl(λ) (58) ≥ 2 × 2 2 2 2 which is absurd since we assumed the hardness of LWE. Note that we don’t exactly have an instance of decision-LWE, because it is an instance of the normal version of decision-LWE (s0 is sampled according to the same distribution as e0). However, Lemma 3.16 shows that the normal problem is harder, and keeping only K samples can also only make the problem harder. Therefore, no adversary can win IND D0 with non-negligible advantage. − For the second part, if we assume GapSVPγ to be hard, then using Lemma 3.13 we get α q > √N ω √ N that search-LWEq,Dα0q is also hard ( 0 2 , and because ( log ) 1, we also have < α α0 α < ≥ 0 0 0 1). Then, using Corollary 3.14, the problem decision-LWEq,Dα0 q is also ≤ ≤ 0 hard (using α0 1/ω(√log N) and Eq. (57)). We can now discretize the distribution using ≤ Corollary 3.15( λ = N) to obtain that decision- q,D is hard. Indeed, if we assume the LWE Z,αq existence of an adversary that can distinguish with non-negligible advantage the distribution A U from As,D for a vector s chosen uniformly at random, then has also a non-negligible Z,αq A advantage in distinguishing s,χ where χ is the marginal distribution of e in Corollary 3.15 A (otherwise we could use to distinguish χ from ,αq, which is impossible because they are A DZ statistically negligibly close). But it also means that can also be used to break LWEq,D by A α0q

43 first discretizing α q (it works because the transformation given in Corollary 3.15 also maps D 0 the uniform distribution on itself). Since we already prove the security when we assume the hardness of decision- q,D above, the proof is finished. LWE Z,αq We prove now that there exists an instantiation that fulfills the requirements of Theorem 6.6. Note that for simplicity, we only verify the properties asymptotically. Moreover, we do not attempt to give any particularly optimized construction (note that there is a tradeoff between security, correctness, and simplicity of the quantum superposition preparation circuit).

Theorem 6.7 (Existence of a negl(λ)-GHZH capable family). Let ε (0, 1 ) be a constant, ∈ 2 and λ N be a security parameter. Let n = poly(λ) N and N := λ. If we assume the hardness ∈ N ε ∈ H of the GapSVPγ problem for any γ = O˜(2 ), then there exists a negl(λ)-GHZ capable family of functions. More precisely, if we deﬁne the ﬁxed function ω(√log N) := log N, k := N ε , b c q := 2k,

1 p q p α := ω( log N) 4Nω( log N)2 + 2 (59) q and M, rmax, rsafe, µ, , δm as in Theorem 6.6, the construction given in Deﬁnition 6.1 is H X 22 δm-GHZ capable (for suﬃciently large λ), with δm = negl(λ).

Proof. We just need to check that for suﬃciently large λ the properties of Theorem 6.6 are respected. Because 1/q = negl(N), it is easy to see that for suﬃciently large λ, a (0, 1) since ∈ α = poly(N)/q. Then, using notation from Theorem 6.6, we see that: q 1 2 p 2 α0 = (αq) ω( log N) qω(√log N)2 − s 2 1 p q p p > ω( log N) 4Nω( log N)2 + 1 ω( log N)2 qω(√log N)2 − = 2√N/q

So we have α0q > 2√N. Moreover, multiplying Eq. (59) by q, we get αq = poly(N), so it means that α0 = poly(N)/q = negl(λ). Therefore, for large enough λ, α0 (0, 1/ω(√log N)]. We also N ε N∈ε have γ = O˜(N/α0) = O˜(Nq/poly(n)) = O˜(N2 /poly(n)) = O˜(2 ) which is assumed to be hard. Next, let us study µ and δm. Because αq = poly(n) and q = 1/negl(λ) is superpolynomial, that rmax is also superpolynomial, and same for rsafe, µ and µ αq√N + M + N (we only b − c substract or divide by terms that are poly(N)). Therefore, for a large enough λ (= N), we have µ αq√N + M + N 0. Finally, δm = poly(N)/(µ + 1/2). But we showed that µ is b − 1 c ≥ superpolynomial, so µ is negligible, and therefore δm is also negligible, which ends the proof.

6.2 Generic construction to create distributable δ0-GHZcan capable primitives from δ-GHZH capable primitives

We prove in this section that we can create a distributable δ0-GHZcan capable family of functions from a δ-GHZH capable family having a small assumption.

H 23 Theorem 6.8. Let δ [0, 1], and fk k∈K0 be a δ-GHZ capable family of functions, such ∈ { } 24 that fk(x) can be written as fk((c, x¯)) with c 0, 1 a bit labelling the preimage , i.e. such ∈ { } 22The function may not be well deﬁned for too small λ because the input set may be empty. For 1 6 example, with this instantiation, if we take ε = 3 , the function is well deﬁned for N ≥ 2×10 . Moreover, 6 −86 when N = 9 × 10 , we get k = 125 and δm < 2 . There is surely place for optimisation, but only existence matters here. 23 In fact we only require this function to work when d0 is a single bit. 24This is quite similar to the concept of claw-free functions used in [Mah18a].

44 that when a given y has exactly two preimages, one preimage has the form (0, x¯) and the other 0 0 0 can (1, x¯ ). Then there exists a family f k∈K0 which is a distributable δ -GHZ capable family with { k} δ0 = 1 (1 δ)n δn. In particular, if δ is negligible (and n polynomial) then δ0 is negligible. − − ≤ Moreover, if the family fk admits a circuit H.CheckTrapdoor (d0, tk, k) that returns 1 iff tk { } λ is the trapdoor of k, k and d0 = d0(tk), then there exists a function CheckTrapdoor for 0 ∈ K fk having the properties from Definition 4.4. { } 0 The family f k∈K0 can be obtained by generating n independent functions in fk (one { k} { } for each d0[i]). More precisely, we define in Fig. 10 the following construction (in which H.Gen, H.Enc, H.Invert and H.Eval are the functions coming from the family fk ). { }

λ (1) (n) GenLoc(1 , d0[i]) h((x , . . . , x ))

(i) (i) λ (i) (i) 1 n 1 :(k , tk ) ← H.Gen(1 , d0[i])return (k , tk ) 1 : return h(x )| ... |h(x )

(1) (n) (1) (n) (i) EvalP ((k , . . . , k ), (c, x¯ ,..., x¯ )) PartAlphaLoc(i, tk , y, b) (1) (1) (1) (n) (1),...,b(n) 1 : return (H.Eval(k , (c, x¯ )), 1 :(y , . . . , y ) := y;(bc, b ) := b (n) (n) 0 (i),y 2 : ..., H.Eval(k , (c, x¯ ))) 2 : {(0, x¯), (1, x¯ )} ← H.Invert(tk ) 0 (i) 3 : if x¯ = ⊥ or x¯ = ⊥ then return ⊥ fi PartInfoLoc(tk , y) (i) 0 4 : if i = 1 then return bc ⊕ hb , x¯ ⊕ x¯ i (i) 1 : if d0(tk ) = 0 then return fi (i) 5 : else return hb , x¯ ⊕ x¯0i fi 0 (i),y 2 : {(0, x¯), (1, x¯ )} ← H.Invert(tk ) 0 (i) (i) 3 : if x¯ = ⊥ or x¯ = ⊥ then return ⊥ CheckTrapdoorλ(d0[i], tk , k ) 4 : return H.h((0, x¯)) (i) (i) 1 : return H.CheckTrapdoorλ(d0[i], tk , k )

Fig. 10: Construction distributable δ0-GHZcan capable family

Proof. Most of the properties are simple to check. We just precise the δ0-2-to-1 proof and 0 0 n blindness. First, we show that the function f are δ -2-to-1 with δ = 1 (1 δ) . Let #2(f) k − − be the number of images having exactly 2 preimages by f (we will call this kind of preimages “twin”), and the number of elements in . Then by deﬁnition, for all k, 1 δ #2(fk)/ . 0 (1)|K| (n) n 0 K 0 n− ≤ 0 |X0 | Let k = (k , . . . , k ) = , we want to show that 1 δ := (1 δ) #2(fk0 )/( ). ∈ K K − − ≤ 0 |X | First, we compute #2(fk0 ). Because of the assumption of the shape (0, x¯) and (1, x¯ ) of all the couples of preimages, we can deﬁne for any k(i) the sets

(i) −1 0 A := x¯ f (i) (f (i) (x)) = (0, x¯), (1, x¯ ) (60) 0 { | k k { }} and

(i) 0 −1 0 A := x¯ f (i) (f (i) (x)) = (0, x¯), (1, x¯ ) (61) 1 { | k k { }}

(i) (i) 1 Moreover, due to this same condition, we have A0 = A1 = 2 #2(fk(i) ). Now, we compute a | | | | (1) (n) (1) (n) lower bound on the number of twin preimages of fk0 . Let (x¯ ,..., x¯ ) A0 A0 : (1)0 (i) (i) ∈ ×(i ·) · · × then for all i there exists a unique x¯ A such that f (i) ((0, x¯ )) = f (i) ((1, x¯ ). So ∈ 1 k k

(1) (n) (1) (n) fk0 (0, x¯ ,..., x¯ ) = f (1) (0, x¯ ) ... f (n) (0, x¯ ) (62) k | | k (1)0 (n)0 = f (1) (1, x¯ ) ... f (n) (1, x¯ ) (63) k | | k (1)0 (n)0 = fk0 (1, x¯ ,..., x¯ ) (64)

45 So we found at least one diﬀerent preimage, and due to the uniqueness of the above x¯(1)0 it is the only second preimage. Therefore: (1) (n) #2(fk0 ) 2 A0 A0 = × | | × · · ·n × | | (65) 0 |X | |X | 2 2

#2(f (1) ) #2(f (n) ) = k × · · · × k (66) ( )n |X | (1 δ)n (67) ≥ − Which concludes the proof. To prove the inequality, we use the Bernoulli’s inequality: since δ [0, 1] and n is a ∈ non-negative integer, we get: (1 δ)n 1 δn, so − ≥ − δ0 = 1 (1 δ)n 1 (1 δn) = δn (68) − − ≤ − − 0 0 Since the keys of f are keys of f (except that d0 is a single bit), the properties of { k} { k} CheckTrapdoor come directly from the properties of H.CheckTrapdoor. All the other correctness properties are true by construction. The security is quite intuitive: since all trapdoors are independently sampled, if one can learn A information about the d0 sampled by another party, then it can break the IND D0Gen(λ) game − A of fk. More formally, because of the properties on GenLoc, the game IND PARTIAL (λ) − Gen,PartInfo can equivalently be rewritten as follows:

GAME1 (0) (1) λ 1 :(M, d0 , d0 ) ← A1(1 ) (0) (1) 2 : if ∃i ∈ M, d0 [i] 6= d0 [i]: return false ﬁ 3 : c ←$ {0, 1} (i) (i) λ (c) 4 : ∀i, (k , tk ) ← H.Gen(1 , d0 [i]) (1) (n) 5 : y ← A2(k , . . . , k ) (i) 6 : ∀i, v[i] ← PartInfoLoc(i, tk , y)

7 :c ˜ ← A3({(i, v[i])}i∈M) 8 : return c˜ = c

(i) Then, we can deﬁne the following game in which the sampling of malicious tk , the computing of PartInfoLoc and the initial condition are removed:

GAME2 (0) (1) λ 1 :(M, d0 , d0 ) ← A1(1 ) 2 : c ←$ {0, 1} (i) (i) λ (c) 3 : ∀i ∈ M, (k , tk ) ← H.Gen(1 , d0 [i]) (i) 4 :c ˜ ← A2({k }i∈M) 5 : return c˜ = c

Then, because 2 in GAME2 can do itself the sampling and computing done in GAME1, and A because the removing the condition line2 can only increase the probability of winning the game, we have:

A h A0 i max Pr GAME1 (λ) max Pr GAME2 (λ) (69) QPTA ≤ QPTA0

λ (c) Then, we deﬁne a series a hybrid games in which we gradually replace the H.Gen(1 , d0 [i])’s with H.Gen(1λ, 0), which starting from until = . Z ∅ Z M

46 GAME3Z (i) (i) λ (c) 3 : ∀i ∈ M, (k , tk ) ← H.Gen(1 , d0 [i]) (c) (i) (i) λ ∀i ∈ M, if i ∈ Z then x := 0 else x := d0 [i] ﬁ ;(k , tk ) ← H.Gen(1 , x)

This is possible because the game IND D0 of H.Gen can be seen as a CPA secure encryption − (where Gen is the concatenation of the key generation and encryption of d0), itself equivalent to semantic security: i.e. the ciphertext does not give any advice on the clear text. Therefore we can replace the clear text with 0 for example, which gives for all j:

A h A0 i max Pr GAME3Z (λ) max Pr GAME3Z∪{j} (λ) (70) QPTA ≤ QPTA0 At the end of the hybrid series, when = , we get a ﬁnal game where no information about c Z M are given to the adversary: it is therefore impossible to win this game GAME3M with probability 1 better than 2 . Therefore we get:

A 1 max Pr IND PARTIALGen,PartInfo (λ) + negl(λ) (71) QPTA − ≤ 2 Which ends the proof. Finally, the security of the game IND PARTIAL implies the security of IND D0 since when − − = , both games are equivalent. M ∅ 7 Acknowledgement

We thank AirFrance for the unscheduled one night delay of a ﬂight which was instrumental in starting this line of research. We are also very grateful to Alex Grilo, Chris Peikert, Florian Bourse, the StackExchange user Mark and Romain Gay for very valuable discussions. This work has been supported in part by the French ANR Project ANR-18-CE39-0015 (CryptiQ), the French ANR project ANR-18-CE47-0010 (QUDATA), the EU Flagship Quantum Internet Alliance (QIA) project and the European Union as H2020 Programme under grant agreement number ERC-669891. EK acknowledges support from the EPSRC Veriﬁcation of Quantum Technology grant (EP/N003829/1), the EPSRC Hub in Quantum Computing and Simulation (EP/T001062/1), and the UK Quantum Technology Hub: NQIT grant (EP/M013243/1).

References

ABG+20. Amit Agarwal, James Bartusek, Vipul Goyal, Dakshita Khurana, and Giulio Malavolta. Post-Quantum Multi-Party Computation. arXiv preprint arXiv:2005.12904, 2020. ACGH20. Gorjan Alagic, Andrew M. Childs, Alex B. Grilo, and Shih-Han Hung. Non-interactive Classical Veriﬁcation of Quantum Computation. In Rafael Pass and Krzysztof Pietrzak, editors, Theory of Cryptography, Lecture Notes in Computer Science, pages 153–180, Cham, 2020. Springer International Publishing. ACPS09a. Benny Applebaum, David Cash, Chris Peikert, and Amit Sahai. Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, volume 5677 of Lecture Notes in Computer Science, pages 595–618. Springer, 2009. ACPS09b. Benny Applebaum, David Cash, Chris Peikert, and Amit Sahai. Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In Shai Halevi, editor, Advances in Cryptology - CRYPTO 2009, pages 595–618, Berlin, Heidelberg, 2009. Springer Berlin Heidelberg. APS15. Martin Albrecht, Rachel Player, and Sam Scott. On the concrete hardness of learning with errors. Journal of Mathematical Cryptology, 9, 10 2015. Ban93. Wojciech Banaszczyk. New bounds in some transference theorems in the geometry of numbers. Mathematische Annalen, 296(1):625–635, 1993.

47 BBC+93. Charles H Bennett, Gilles Brassard, Claude Crépeau, Richard Jozsa, Asher Peres, and William K Wootters. Teleporting an unknown quantum state via dual classical and einstein-podolsky-rosen channels. Physical Review Letters, 70(13):1895, 1993. BBP+96. Charles H Bennett, Gilles Brassard, Sandu Popescu, Benjamin Schumacher, John A Smolin, and William K Wootters. Purification of noisy entanglement and faithful teleportation via noisy channels. Physical Review Letters, 76(5):722, 1996. BBPS96. Charles H Bennett, Herbert J Bernstein, Sandu Popescu, and Benjamin Schumacher. Concentrating partial entanglement by local operations. Physical Review A, 53(4):2046, 1996. BCC+20. Christian Badertscher, Alexandru Cojocaru, Léo Colisson, Elham Kashefi, Dominik Le- ichtle, Atul Mantri, and Petros Wallden. Security limitations of classical-client delegated quantum computing. In International Conference on the Theory and Application of Cryptology and Information Security, pages 667–696. Springer, 2020. BCKM20. James Bartusek, Andrea Coladangelo, Dakshita Khurana, and Fermi Ma. On The Round Complexity of Two-Party Quantum Computation. arXiv:2011.11212 [quant-ph], December 2020. BCM+18. Zvika Brakerski, Paul Christiano, Urmila Mahadev, Umesh Vazirani, and Thomas Vidick. A cryptographic test of quantumness and certifiable randomness from a single quantum device. In 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), pages 320–331. IEEE, 2018. BDSW96. Charles H Bennett, David P DiVincenzo, John A Smolin, and William K Wootters. Mixed-state entanglement and quantum error correction. Physical Review A, 54(5):3824, 1996. BFK09. Anne Broadbent, Joseph Fitzsimons, and Elham Kashefi. Universal blind quantum computation. In Foundations of Computer Science, 2009. FOCS’09. 50th Annual IEEE Symposium on, pages 517–526. IEEE, 2009. BFM88. Manuel Blum, Paul Feldman, and Silvio Micali. Non-interactive zero-knowledge and its applications. In Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC ’88, page 103–112, New York, NY, USA, 1988. Association for Computing Machinery. BG20. A. Broadbent and A. B. Grilo. QMA-hardness of Consistency of Local Density Matrices with Applications to Quantum Zero-Knowledge. In 2020 IEEE 61st Annual Symposium on Foundations of Computer Science (FOCS), pages 196–205, November 2020. BGG+14. Dan Boneh, Craig Gentry, Sergey Gorbunov, Shai Halevi, Valeria Nikolaenko, Gil Segev, Vinod Vaikuntanathan, and Dhinakaran Vinayagamurthy. Fully key-homomorphic encryption, arithmetic circuit abe and compact garbled circuits. In Phong Q. Nguyen and Elisabeth Oswald, editors, Advances in Cryptology – EUROCRYPT 2014, pages 533–556, Berlin, Heidelberg, 2014. Springer Berlin Heidelberg. BJSW16. Anne Broadbent, Zhengfeng Ji, Fang Song, and John Watrous. Zero-knowledge proof systems for qma. In 2016 IEEE 57th Annual Symposium on Foundations of Computer Science (FOCS), pages 31–40. IEEE, 2016. BM88. László Babai and Shlomo Moran. Arthur-merlin games: A randomized proof system, and a hierarchy of complexity classes. Journal of Computer and System Sciences, 36(2):254–276, 1988. Bra18. Zvika Brakerski. Quantum fhe (almost) as secure as classical. In Annual International Cryptology Conference, pages 67–95. Springer, 2018. BS20. Nir Bitansky and Omri Shmueli. Post-quantum zero knowledge in constant rounds. In Proceedings of the 52nd Annual ACM SIGACT Symposium on Theory of Computing, pages 269–279, 2020. CCKW19. Alexandru Cojocaru, Léo Colisson, Elham Kashefi, and Petros Wallden. Qfactory: Classically-instructed remote secret qubits preparation. In Steven D. Galbraith and Shiho Moriai, editors, Advances in Cryptology – ASIACRYPT 2019, pages 615–645. Springer International Publishing, 2019. CCKW21. Alexandru Cojocaru, Léo Colisson, Elham Kashefi, and Petros Wallden. On the possibility of classical client blind quantum computing. Cryptography, 5(1):3, 2021. CVZ20. Andrea Coladangelo, Thomas Vidick, and Tina Zhang. Non-interactive zero-knowledge arguments for qma, with preprocessing. In Annual International Cryptology Conference, pages 799–828. Springer, 2020.

48 CW05. Matthias Christandl and Stephanie Wehner. Quantum anonymous transmissions. In International Conference on the Theory and Application of Cryptology and Information Security, pages 217–235. Springer, 2005. Gen09. Craig Gentry. Fully homomorphic encryption using ideal lattices. In Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, STOC ’09, pages 169–178, New York, NY, USA, May 2009. Association for Computing Machinery. GHZ89. Daniel M Greenberger, Michael A Horne, and Anton Zeilinger. Going beyond Bell’s theorem. In Bell’s theorem, quantum theory and conceptions of the universe, pages 69–72. Springer, 1989. GMR89. Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 18(1):186–208, 1989. GMW87. O. Goldreich, S. Micali, and A. Wigderson. How to play ANY mental game. In Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, STOC ’87, pages 218–229, New York, NY, USA, January 1987. Association for Computing Machinery. GMW91. Oded Goldreich, Silvio Micali, and Avi Wigderson. Proofs that yield nothing but their validity or all languages in np have zero-knowledge proof systems. J. ACM, 38(3):690–728, July 1991. Gol04. Oded Goldreich. Foundations of cryptography. II: Basic applications. 2004. GPV08. Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, STOC ’08, page 197–206, New York, NY, USA, 2008. Association for Computing Machinery. GSY19. Alex B Grilo, William Slofstra, and Henry Yuen. Perfect zero knowledge for quantum multiprover interactive proofs. In 2019 IEEE 60th Annual Symposium on Foundations of Computer Science (FOCS), pages 611–635. IEEE, 2019. GV19. Alexandru Gheorghiu and Thomas Vidick. Computationally-secure and composable remote state preparation. 2019 IEEE 60th Annual Symposium on Foundations of Computer Science (FOCS), pages 1024–1033, 2019. HBB99. Mark Hillery, Vladimír Bužek, and André Berthiaume. Quantum secret sharing. Physical Review A, 59(3):1829, 1999. IY87. Russell Impagliazzo and Moti Yung. Direct minimum-knowledge computations. Lecture Notes in Computer Science, 293:40–51, 08 1987. Mah18a. Urmila Mahadev. Classical homomorphic encryption for quantum circuits. In Mikkel Thorup, editor, 59th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2018, Paris, France, October 7-9, 2018, pages 332–338. IEEE Computer Society, 2018. Mah18b. Urmila Mahadev. Classical verification of quantum computations. In Mikkel Thorup, editor, 59th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2018, Paris, France, October 7-9, 2018, pages 259–267. IEEE Computer Society, 2018. MDCAF20. Tony Metger, Yfke Dulek, Andrea Coladangelo, and Rotem Arnon-Friedman. Device- independent quantum key distribution from computational assumptions. arXiv preprint arXiv:2010.04175, 2020. MMG19. Clément Meignant, Damian Markham, and Frédéric Grosshans. Distributing graph states over arbitrary quantum networks. Phys. Rev. A, 100:052333, Nov 2019. MP12. Daniele Micciancio and Chris Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. Lecture Notes in Computer Science, page 700–718, 2012. MR09. Daniele Micciancio and Oded Regev. Lattice-based cryptography. In Post-quantum cryptography, pages 147–191. Springer, 2009. MT20. Tomoyuki Morimae and Yuki Takeuchi. Trusted center verification model and classical channel remote state preparation. arXiv preprint arXiv:2008.05033, 2020. MY21. Tomoyuki Morimae and Takashi Yamakawa. Classically Verifiable (Dual-Mode) NIZK for QMA with Preprocessing. arXiv:2102.09149 [quant-ph], February 2021. NC00. Michael A Nielsen and Isaac Chuang. Quantum Computation and Quantum Information. Cambridge University Press, 2000. Pei10. Chris Peikert. An Efficient and Parallel Gaussian Sampler for Lattices. In David Hutchison, Takeo Kanade, Josef Kittler, Jon M. Kleinberg, Friedemann Mattern, John C. Mitchell, Moni Naor, Oscar Nierstrasz, C. Pandu Rangan, Bernhard Steffen, Madhu Sudan, Demetri Terzopoulos, Doug Tygar, Moshe Y. Vardi, Gerhard Weikum, and Tal Rabin, editors, Advances in Cryptology – CRYPTO 2010, volume 6223, pages 80–97. Springer Berlin Heidelberg, Berlin, Heidelberg, 2010.

49 Pei16. Chris Peikert. A decade of lattice cryptography. Found. Trends Theor. Comput. Sci., 10(4):283–424, March 2016. PW11. Chris Peikert and Brent Waters. Lossy trapdoor functions and their applications. SIAM Journal on Computing, 40(6):1803–1844, 2011. PWD18. A. Priker, J. Wallnöfer, and W. Dür. Modular architectures for quantum networks. New Journal of Physics, 20:053054, May 2018. Reg05. Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the thirty-seventh annual ACM symposium on Theory of computing - STOC '05. ACM Press, 2005. Sch87. C.P. Schnorr. A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci., 53(2):201–224, June 1987. Shm20. Omri Shmueli. Multi-theorem (Malicious) Designated-Veriﬁer NIZK for QMA. arXiv:2007.12923 [quant-ph], July 2020. Unr12. Dominique Unruh. Quantum proofs of knowledge. In David Pointcheval and Thomas Johansson, editors, Advances in Cryptology – EUROCRYPT 2012, pages 135–152, Berlin, Heidelberg, 2012. Springer Berlin Heidelberg. VW16. Thomas Vidick and John Watrous. Quantum proofs. Foundations and Trends in Theoretical Computer Science, 11(1-2):1–215, 2016. VZ20. Thomas Vidick and Tina Zhang. Classical zero-knowledge arguments for quantum computations. Quantum, 4:266, 2020. Wat09. John Watrous. Zero-knowledge against quantum attacks. SIAM Journal on Computing, 39(1):25–58, 2009.