 Hello. I'm going to be talking about non-interactive zero-knowledge arguments for QMA with pre-processing. I'm Tina Zhang and this was joint work with Andrea Colodangelo and Tomar Wittig. So I want to motivate a little bit the problem that we're going to try and study and to do that I have to remind everyone about interactive proof systems and what they're used for. So let's suppose that we have a graph X and let's suppose that today our purpose in life is to decide whether X is three-colourable or not three-colourable. And by three-colourable of course we mean that a graph can be coloured using only three colours such that each edge connects to vertices of different colours. So of course three-colouring is a problem that's complete for MP. So if we can decide this problem we can decide any problem in MP. So the setup we're going to use to do this is that we have a weak probabilistic polynomial time verifier and an unbounded but untrusted prover. We're going to try and design a protocol that this weak verifier can use to interact with the untrusted prover and at the end of the interaction the verifier should know whether X is three-colourable or not. So formally we want two protocols, two properties from this protocol. Soundness and zero knowledge. The first one is soundness which means that the prover even though it's unbounded can't convince the verifier with high probability that X is three-colourable if it's not. Well, this is pretty easy to achieve. There's a trivial protocol that achieves it, which is which is simply that the prover sends the colouring. So in this case the verifier would receive the colouring and check that each edge joins two vertices of different colours. But okay, we're doing cryptography and so maybe we don't trust the verifier either. So maybe this three colouring encodes some sort of state secret and we don't want the verifier to know the colouring and we only wanted to know whether X is three-colourable or not. So that brings us to the second property which is zero knowledge and zero knowledge just means that in the protocol in which the verifier makes use of this untrusted prover to decide whether X is three-colourable or not, the verifier should not learn anything except for the fact that X is three-colourable. So I'm going to quickly go through the sort of quintessential protocol for deciding NP problems in a zero knowledge way, which is the gold-dry Nikali Wictusen protocol for three-colouring. So firstly, we have to label all the vertices and all the edges of X which have done here. The vertices have numbers and the edges have letters. So the first message in the protocol comes from the prover and the first thing that the prover does is permute the colours of the three-colouring randomly. So here we had, you know, red here, white here and blue here. Here it's just a random permutation of those three colours. Then the prover sends a commitment to that colouring. We should think of a commitment as a safe. So the prover can put anything at once in the safe and then it locks the safe and it sends it to the verifier and the prover can't change its mind about what's in the safe after it has sent it to the verifier. But the verifier also can't open the safe unless the prover gives it a key. So what's in the safe? Well, I drew only one safe, but you actually should imagine that there's one safe for every vertex of the graph X. So in this case, there should be five saves. So for each vertex, the prover writes down the colour of that vertex. So for example in the first safe, the prover will put red because the first vertex is red. The second save, the prover will put blue and so on. So the prover sends this collection of safes to the verifier and that's the first step in the GMW protocol for three-colouring. Okay, and the second step is that the verifier sends a label of an edge which constitutes a challenge to the prover. So this is edge F over here. Then the prover sends back the keys to the safes for the vertices that are connected to that edge. So in this case, the third and the fourth safes because vertices three and four are connected to edge F. The verifier can then open those safes and check that the two colours that the prover put inside are different. So intuitively we can see that this protocol satisfies soundness because if X is not three-colourable, then one of the edges at least will join two vertices of the same colour. So then the verifier will look at that edge with some probability. So if we repeat the protocol many times and X is not three-colourable, then the prover will eventually get caught out. But the protocol also satisfies their knowledge chiefly because of the random permutations of colours that the prover chooses. So you might imagine that the verifier could try to deviate from the protocol by running it many times and each time trying to learn the colours attached to a different edge in hopes of reconstructing the entire colouring. However, this won't work because every time the permutation of colours that the prover chooses will be different. So the verifier will just see each time that the two colours attached to any given edge are different. So hopefully this example gives some intuition for why this protocol is their knowledge. So now I want to talk a little bit about non-interactive zero-knowledge proof systems, which are really the focus of the paper. So in the previous protocol, there was a kind of back-and-forth between the verifier and the prover. The prover had to send a commitment and then the verifier had to send a challenge and then the prover had to respond. So we might sometimes wish because for some reason communication is expensive, we might wish that the prover can just send a single message to the verifier. Now, if we saw that if we don't require zero-knowledge, then this is fine for MP problems since the prover can just send, in this case, the colouring. But that is not zero-knowledge. So the question is, can we do that in a zero-knowledge fashion? And the answer is no. It's impossible for languages outside of BPP. So for three colourings, since that's a problem that's complete for MP, it's impossible to have a protocol to decide three colouring that would only use one message from prover to verifier. So this is why people consider extended models and one popular extend model is the CRS model, which stands for Common Refit String. And it just means that in addition to the usual setup where the instance X is known to both prover and verifier and so on, there's a trusted third party which samples this string from a specified distribution and makes it publicly available. So this is not achievable in the standard model because we can't trust the verifier to generate the string and we can't trust the prover to do it either. But if we assume that this string can be obtained somehow and maybe that's not such an unreasonable assumption in the real world, then we can do it. So we can indeed have protocol where with the CRS, the prover only sends a single message to the verifier. So okay, then there's a question of what happens in the quantum setting. And the first thing we want to look at in the quantum setting is post-quantum security, which is where the verifier is now allowed to be a potentially cheating quantum device. So the prover was unbounded anyway, but if the verifier is allowed to be quantum, can we still make the protocol's error knowledge? And the answer is yes, and in particular it's known to be possible in the CRS model under LWE so learning with errors, which was proven in 2019. But okay, post-quantum security might not be the only thing that we're interested in in a world where there are quantum computers. Maybe now that there are quantum computers, we're not only interested in mp problems, but also problems in QMA, which is the quantum analog of mp in the sense that it's the class of problems that can be checked efficiently by a quantum computer with access to a quantum witness. So in this case x, which was a graph before because three coloring is complete for mp, would be replaced with some instance of a QMA complete problem, such as the local Hamiltonian problem, which I'll talk more about later. And in this in this case, in this situation, we might also want to allow the message that the prover sends to the verifier to be quantum. But we want to achieve the same thing we did in the classical setting, which is that the prover sends only a single message to the verifier. So this problem is perhaps still unsolved. We in this paper don't achieve something quite, there's a deal, but we achieve something that's almost what we want. So instead of exactly one message, we have two messages. One from verify to prover, which contains a quantum part and classical part, and one from prover to verify, which is actually entirely classical. So the thing that allows us still to claim that our protocol is non-interactive is that the first message is independent of x. So in a sense, it can be thought of like the CRS, in that it's part of an instance independent pre-processing phase, which can, if need be, be completed ages in advance of the actual protocol before the instance is even decided. So we just need the verify to send this message at some point to the prover so that it contrasts that it was sent properly, and also for the CRS to be generated at some point. Then after the pre-processing is complete, the prover only needs to send a single classical message to the verifier. Okay, so I want to go over how we achieve this. And to do that, I need to explain a bit an interactive zero-knowledge proof system for QMA, which inspires our protocol. So let me talk a little bit more about the instance here. So in the NP case, we had a graph because the coloring was complete for NP. So in this case, we have a local Hamiltonian, so a measurement operator. That's the sum of Clifford terms, these terms here, which are called CI. And the problem is to decide whether the Hamiltonian H has the smallest eigenvalue that is smaller than sum number A or greater than sum number B. So you'll promise that it's one of these two, it can't be in between. And this problem was shown to be complete for QMA by Broadbent Z Song and Watrous, these guys, in the same paper in which they propose this protocol. So I've drawn a scale here, that's because the Hamiltonian represents a measurement, it's a measurement operator. So we can make an analogy where the question is, is there an object that I can place on this scale which will make it read a small value? Now, obviously, this is a trivial question with a normal scale, but we can imagine that maybe the scale is weird, it doesn't respond in the way we think it should, and so the question is, can we make it read a low value? Now, because the Hamiltonian H is a sum of terms, a particular state, so a particular object placed on the scale in the analogy has a small eigenvalue with respect to the Hamiltonian H. If and only if it has a small eigenvalue with respect to each of the CIs that make up the sum. And each of these CIs is a Clifford and is also a measurement operator. So this gives us a convenient way to make an analogy with the classical setting. So in three colouring, the verifier in the second step of the protocol chose a random edge from the graph that was the proper instance, and that represented its challenge to the prover. So here, the verifier can choose a random term from this Hamiltonian H and measure that, and that's kind of analogous to the verifier in the previous setting choosing a random edge. So now there's a question, why don't we just measure the whole Hamiltonian and that will become answered shortly. So let me describe the first step of the BJSW protocol for QMA. So the first thing the prover does is to choose an encryption key, K. Now this encryption scheme acts on quantum states, we want to imagine. It takes quantum states as input, encrypts them, and then outputs quantum states. And so it sends, it puts K in this safe and sends commitment to K to the verifier. Sort of like how the prover committed in the beginning of the GMW protocol. And it also sends, so recall that the prover has, it's supposed to know this witness. And in this case, the witness is a state because QMA is a class of problems that can be checked by a quantum computer and efficient quantum computer using a quantum witness. So in this case, the quantum witness is a quantum state. And this quantum state allows V to check if it had access to that state that acts as indeed a yes instance. And remember that X being a yes instance in this case means that there exists some object we can place on the scale such that the scale reads a low value. So this state is just some state we can measure with respect to this Hamiltonian which will have a low eigenvalue with respect to that Hamiltonian. So the prover is going to send an encryption under this key K that it just committed to of this witness state and send that to the verifier. And intuitively why do we want to encrypt this state? Well, it's so that V when it receives this message, this quantum message, it can't learn anything about the state by looking at the encryption of the state. But this encryption has one more special property which is that it allows homomorphic applications of Clifford gates and so homomorphic measurements of Clifford operators through the encryption. And that why this is important will become clear in the next slide. Okay, so this is the first step of the interactive BJSW protocol for deciding problems in QMA and in zero knowledge fashion. So the second step is that the verifier is going to choose a challenge rather like in the second step of the GMW protocol. So the verifier chooses an index J uniformly at random and it takes the term in the sum here that corresponds to that J. So basically it chooses a random term of the Hamiltonian H and as we said before it will measure that term of the Hamiltonian and now, but it will measure that term of the Hamiltonian on the encrypted witness state that I just received from the prover and not the actual witness state because we don't want it to have access to that. So now it becomes clear why we need this encryption scheme to have the homomorphic property with respect to Clifford gates and that's because we need the verifier to be able to homomorphically measure this thing through the encryption. And okay, it does that and what happens when it does that, it gets an encryption, you know, it gets classical outcome and the classical outcome exactly represents an encryption under the key K of the outcome it would have gotten if it had measured W directly under CJ. Okay, and I will just make one remark here which is that this term CJ does not depend on K. This should be obvious because, you know, the verifier does not have access to K but it will become important later that we don't need to know the key in order to perform this homomorphic measurement. Okay, and so now, you know, in the original GMW protocol for NP what happens next is that the prover reveals it opens its commitment, it opens the safe, sends the verifier the key to the safe so that the verifier can check essentially that the prover was not cheating. Now here maybe you'd imagine that an analogy would be that the prover would open the safe, the commitment to the key that it sent at the beginning and allow the verifier to use the key K to check, to decrypt this encryption and check that Z in fact corresponds to, you know, a low reading of the scale. But this might not be a zero knowledge or at least it's hard to argue that it is zero knowledge but there is something else the prover can do and that is that it can use an NP zero knowledge proof system to prove the following statement. There exists a key consistent with the commitment that was sent in step one so, you know, the commitment to key here such that the outcome that the verifier got in this step is an encryption under K of an accepting outcome. So this is essentially saying, you know, verifier if you had the key K, you would accept at the stage and why is this an NP statement? Well, it's an NP statement because it can be efficiently checked with a witness and the witness is simply the key K. So if the verifier had the key K, it could check. Now we don't want to give the verifier the key K so we're just going to prove to it in a zero knowledge fashion using a zero knowledge proof or NP statements that in fact basically the prover's behavior has been honest. So, okay, we want to make the BGSW protocol non-interactive. The first thing we can do, the obvious thing is to replace the zero knowledge proof that the prover sends at the end of the BGSW protocol with a non-interactive zero knowledge proof. But the real obstacle to compressing the three steps of the BGSW protocol into one is that the prover's proof in step three, this one, depends on the verifier's challenge of measurement outcome from step two, depends on these, which in turn depend on the instant-dependent witness state that the prover holds. So we can't have the prover do step two, that would clearly violate soundness, but we also don't have enough messages for the verifier to do step two. So our first main idea is to get around this using quantum teleportation. So notice that instead of directly sending the verifier to the encrypted witness in step one, the step here, the prover could equally have used quantum teleportation to teleport the witness to the verifier, provided that they share APRs. So this would generate a string D, representing the one-time pad that gets applied to the teleported witness state after the teleportation. And the prover would need to send this to the verifier as well so the verifier could undo the one-time pad and carry out the rest of the protocol. So far we've just complicated the protocol without buying ourselves anything. But now notice that the prover's teleportation measurement that teleports the witness state to the verifier over here and the verifier's measurement of CJ on the teleported witness state commute. If we ignore for now the issue of the one-time pad string D that the prover has to send to the verifier. And this is because, you know, this and this are both just measurements on different halves of their shared APRs. So we could switch the order of these actions without affecting the protocol. Okay, so here's a modified protocol. Firstly, we assume that the verifier prepares APRs for the teleportation and sends the prover its halves. It turns out this is okay for their knowledge. And the verifier then chooses its challenge as before and measures that Clifford operator on its halves of the APR pairs as if they already contained the teleported witness state. Now note that CJ doesn't depend on K so it's fine the encryption key K so it's fine that K hasn't even been chosen yet. The verifier gets, you know, some measurement outcome M which it sends to the prover and then the prover creates the encrypted witness state and teleports this to the verifier. Now this results, as we said, in a one-time pad string D and if you think for a second you'll see that D XOR with M will end up being the encryption of Z the encryption of Z under K where NKZ is just the thing that the verifier would have gotten in the BGSW protocol. So for the final step the prover sends the commitment to K that in the BGSW protocol it would have sent in the first step. It sends D the one-time pad string and it also sends an NIZK proof for an NP statement. Now this NP statement is a little bit different. Now it will say something like verify if you had K then you could XOR D to the measurement outcome that you got in this step and now what is step one? M, you could XOR D to M and then decrypt the encryption remember that D XOR M is equal to NK of Z you could decrypt the encryption to get an accepting outcome, Z. So are we done now? That's not quite. There are a few holes in this construction. The verifier can't measure CJ yet in this step because this step is meant to be instance independent and CJ is part of the instance X. So I won't go into details of how we get around that but it can be done. Secondly, the verifier can't just send CJ and M to the prover before the prover has sent its witness date. Otherwise the prover would know the verifier's challenge ahead of time which is like knowing the edge to be checked ahead of time in the GMW protocol which obviously violates soundness. And thirdly, the prover gets to report D. So maybe if it was clever it could misreport it and make the measurement outcome, the verifier's measurement outcome M look like an accepting one even if it wasn't because after all D controls D XOR M. So to address these problems we add one more ingredient we use homomorphic encryption. The idea here is pretty simple though it's a little delicate to implement. So basically we have the verifier homomorphically encrypt CJ and M. So notice after we do this the prover no longer knows the verifier's challenge because it's encrypted so it can't get away with teleporting a state that's not a witness. And it also wouldn't know what D to report here to mislead the verifier and to thinking that M was accepting and it wasn't because M is now encrypted. However, if it behaves honestly it can still compute its NIZK proof at the end by homomorphically encrypting K, this K its own encryption key. Under the verifier's public key for HE the homomorphic encryption scheme and computing this whole MP proof homomorphically and then the verifier can decrypt the proof that the MP proof is valid. So I've basically just stepped through the soundness argument for our protocol. Note that our protocol is an argument, not a proof meaning that it's only sound against computationally efficient provas and that's due to the homomorphic encryption. So I'm basically out of time so I won't go through the zero-knowledge proof but if you're interested you can check out the paper there are a few subtleties to be worked out there as well. We also define in this paper jointly with Anne Broadbent and Alex Grillo who published independently the notion of a proof of quantum knowledge in analogy with the classical idea of a proof of knowledge. And we show that this protocol I've been describing is also an argument of quantum knowledge. So once again, feel free to check out the paper if you're interested and thanks for listening.