 Hi everyone, my name is Omri and welcome to this crypto talk on multi-theorem- designated Verifier NAZK for QMA. So let's start with recalling what is a NAZK or NISAC and non-interactive zero-knowledge protocol for. First, let's talk about the classical analog of QMA which is NP. We want a non-interactive pool for statements in L where L is some NP language. This is a long known result. This is impossible to do it just non-interactively for languages outside of BPP and using what's called the CRS, a common reference string. This can be done where this string is publicly accessible to everyone and is trusted by all of the parties in the system as let's say for the sake of this talk just a random classical string. Everyone trust that this is truly random. So completeness of a NISAC states that if the string is sampled correctly and everyone plays nice and runs the honest algorithms that the Verifier always accepts yes instances. Soundness says that the Verifier cannot be cheated and zero-knowledge says that the Verifier learns nothing from the interaction with the honest prover seeing the honest CRS which means formally that there is some polynomial time simulator such as for every instance of the language the CRS together with the proof are simulatable by the simulator who receives only the instance. So this talk we're going to talk about NISACs for QMA and the setting that we are aiming for is exactly the same except that the proof from the prover to the Verifier is a quantum state and the CRS is also a random classical string in this case this case classical and what we know for MP already for quite some time is that under learning with arrows assumptions a non-interactive zero-knowledge for MP exists this is the work of Connecticut and then I'm removing the circle of security assumption by Michael and Chehan and for QMA we don't have NISACs under any assumption so what do we know in what models we do know how to construct NISACs for QMA so we can relax the setup and instead of just only the CRS the trusted party can give a trap to the verifier and under this model non-interactive zero-knowledge which is called the designated verifier model they do exist for QMA so this is already known to be possible the first question that we are going to ask in this walk which is not known to be achieved is that can this data be reused that is after I'm seeing the CRS and the verifier received this secret verification key and can we give arbitrary many proofs and this is especially important in terms of the efficiency gains of NISACs over interactive protocols because in the real world the trusted setup we don't have a trusted party and the trusted setup is known to be generated by multi-party computation which is interactive so if we need to interact for every new proof and we cannot just interact once generate the setup and then carry on to have as many proofs as we like and this is exactly from practical point of view like an interactive protocol so this is our main question for this walk and the other question is improving another part of the setup look at that this trusted party need to sample a trap though for each new verifier that wants to join the system and what we would like to achieve is a setting where the trusted party runs once it generates this CRS and that's it this is the only trusted part from the system and any verifier can sample all by itself a private and secret verification keys and publish the public key this model called the malicious designated verifier model as suggested first by watch more two and weeks and from this point on the proven trust only this and this can be possibly malicious this comes up naturally in the zero knowledge of NISAC okay so this is our second question naturally we want to achieve this while also keeping having multi-theorem security the first and main question okay so let's talk a bit about prior work and these are the four parameters that we're going to be looking at so this is the work of allergies Charles a gorilla and whom this is the word of the work of brought Ben and Grillo this is called a dungeon of Vidic and Zheng as you can see all of the previous walks did not have multi-theorem security and this is how they compare in these parameters and two things to mention is that the ACGH work has a classical verifier which is very significant and the brought Ben and Grillo work is a proof system it has statistical sounds while the other walks are only arguments okay so our main result is that assuming the standard hardness for polynomial time algorithms and for LWE we have multi-theorem secure malicious this thing the verifier NISAC for QMA also if we assume sub exponential hardness of LWE and we have adaptive sounds but this is just complexity leveraging this is the more interesting part okay and subsequent work are these two works this is about to say called a dungeon of piranha and ma this is more in my name a kawa and the BCKM work actually in all meaningful parameters subsume this work two improvements they make is that they use a single QMA witness rather than polynomial many copies of the quantum witness and in order to achieve adaptive soundness they use only polynomial at W and the NY walk has a classical verifier again but it uses a very non-standard setup where you use quantum computation for the trusted set okay so let's just define what we are aiming for again this is the only trusted part and any verifier can publish a public key and save to itself the trapdoor the secret verification key any prover can approach seeing the common reference string and trusting only this and also a public verification key it can give proof non-interruptively and this is going to be reusable which means completeness stays the same computing completeness is always reusable multi-perim soundness is going to be the interesting part and after a malicious quantum polynomial time rover sees these two it can repeatedly interact with the verifier every time sending a proof and seeing the acceptance or rejection bit of the verifier and at the end it's going to send a fake proof for a known instance and the verifier is still going to reject almost always with overwhelming property multi-perim zero knowledge is going to define to be defined as empire works where we have some quantum polynomial time distinguish that sends a possibly malicious private verification a public verification key and a yes instance and a witness for that instance these two have to be legit and the prover sends a real proof and the extinguisher is going to try to distinguish this channel this prover channel from the simulator challenge the simulator is going to be some quantum polynomial time algorithm it's going to sample a crs with trapdoor and then where the distinguisher sends this it the simulator was going to have access to the public key the instance but of course not the witness and these are going to be indistinguishable this channel from the prover channel so let's carry on to the construction itself we are going to start with the sigma protocol for qma this is a three message protocol the prover sends a quantum possibly quantum message alpha the verifier responds with a classical random string beta which is usually called the challenge and the prover responds with gamma which can also be quantum we're going to use two properties of the sigma protocol first that we have negligible soundness error the probability that the prover convinces on a false instance is like overwhelmingly close to zero and we're going to use the fact that we have what's called special zero knowledge which means that a simulator having this beta the verifier sends if it knows the beta ahead of sending alpha this simulator can send alpha and gamma that are indistinguishable from the gamma from the alpha and gamma that are sent in the real protocol as long as it knows beta in advance okay so when we think of musics for np we also start from a sigma protocol for np not for qma but the techniques require alpha to be classical if you think for example on the phm transform you apply a random or correlation intractable function on alpha on the classical string alpha so we're going to use when we move to qma we're going to use the fact we already have nasics for np and try to avoid this applying a function to alpha at all and more like concretely for the for this talk we're going to start with thinking of a classical sigma protocol and we're going to like make sure that we like do things that seem quantum compatible and then at the end make sure that our technique really works also for quantum this is a classical technique that will also work for quantum protocols okay the tools that we're going to use along sigma protocols for qma is nizak for np in the crs model and we're going to use pseudo random key public key encryption this is a public key encryption where the public key is indistinguishable from a random string and we're going to use a two-masted SFP secure function evaluation which is really simply fully homomorphic encryption where you also have the guarantee of circuit privacy I assume everyone knows what is FHG fully homomorphic encryption and the circuit privacy says that if we have an encryption of x and we evaluate we make homomorphic evaluation of some circuit c and we get an encryption of c of x then this encryption hides like everything on c it just shows you c of x okay so let's start with an attempt to have single theorem security we won't have multi theorem sums okay so let's let's observe that this message because this is a random string it is completely independent of the messages the other messages the approval sends in the protocol so what we're going to try to do is this the developer is going to send an SFP encryption of its random challenge beta and public key encryption of its like entire randomness or the secret verification key which comprises the challenge and the secret key of this SFP scheme and also a Nizek for NP approve that all of this is is consistent it is consistently generated when if you take some string from here you can generate this cipher text and this cipher text okay so now how we are going to prove non-interactively given the public key and the CRS and the CRS is one party CRS for the NP Nizek that both the verifier and the prover are going to use and one is from the pseudo random public key encryption so it's going to compute alpha out in the open and then gamma homomorphically which means we know that the first message of the sigma protocol prover is going to offer two things one public one private the private one is a trap door tower and the public one is alpha and then it's going to send alpha along with this evaluated cipher text which is evaluating this cipher text that contains beta on this function this is actually the third message function in the sigma portal so it just computes the prover homomorphically to compute gamma using this trap door tower and along with these two messages it's also going to send a public encryption of the trap door like the verifier did here and prove in the Nizek that that everything is consistent because all the messages are classical for now this is going to be fine we can prove consistency by an NP Nizek and finally how the verifier is going to decide if to accept or reject and two things need to happen first the proof has to be valid the proof of the prover here if it's not valid it's going to reject immediately and if it's valid it's also going to check whether the sigma protocol verifier accepts this this is alpha beta it always knows beta the verifier alpha is out in the open and it computes gamma by decryption because here this is an SFV encryption of gamma if the prover behaves honestly so with the crypts and then this is alpha beta gamma now let's give a proof set for the zero knowledge simulation validity so let's first recall the setting this is the real protocol but in the the definition of zero knowledge this is going to be a quantum polynomial time distinguisher who is going to try and distinguish the real proof and the crs from the simulator that we just now we described so first the simulator simulates the crs it has a strapped door so we can prove four statements and also samples a tool publicly for the pk now when the distinguisher sends a query we can extract beta by the pk encryption why we can do this first we can look at the the proof the nizek the the distinguisher gives in the public verification key and because of the soundness of the nizek we know that beta is indeed under the encryption under the the public encryption there so when we decrypt using the secret key the simulator sample we do have a beta now that we have beta we can use the signal protocol special zero knowledge simulator that we know that even beta can simulate both alpha and gamma so and then and then here the simulator sends the simulated gamma under sf encryption instead of evaluating this type of x and alpha out in the open and these two are going to be just this is going to be a false proof and this is going to be just a bunch of zeros instead of the trap because the simulator is not going to have a problem so why don't we have a multi theorem soundness this is why we're not going to bother with even proving a single theorem soundness um let's see how a malicious mover can attack and discover the entire beta so record that every single protocol can be let's say a lot of single protocols can be thought of as parallel repetition of three message zero knowledge protocol so this is a bunch of alphas this is a bunch of this is a bunch of gammas um all of them in parallel repetition and each of these betas is of size logarithmic in the instant size and the verifier the sigma protocol verifier except if all of these except so all of these alphas and gammas are good and proof for the challenge beta from one to two so how can a pulver attack the verifier publishes the public verification key and we can think of the beta under the encryption as like a concatenation of these short betas and the goal is the pulver wants to decode each of them separately so let's see how it decodes the height one um it takes a yes instance and now to decode beta i it can choose an arbitrary value in the set of possible betas let's say it can go from zero to to the last string all of the possible strings here it can go one after the other and it computes this this um maliciously generated alpha star i in the following way so it uses the sigma protocol simulator that is known that given beta it can generate both alpha and gamma that satisfy this beta so we're going to do this for this beta that equals the value that it shows here and all of the other alphas in the parallel repetition um except the height one are going to be computed honestly you can do this because this is a yes instance so um this is how it's going to look this is how each of the messages of the pulver is going to look and note that all of these are going to be accepted by the verifier because all of them have a gamma that is going to be accepted for each of the betas and this is the only one that can can cause rejection by the verifier and this is one the this is why the verifier is going to accept the entire proof if and only if the value that we chose is um a beta i now we have polynomially many options for each of the beta i's because beta i's are so we can try polynomial many times and find each of the i's each of the beta i's so and this is how we decode the entire beta like one after the other one to k so what what like we can observe in this attack is that the attack relies on the fact that x is in the language that the x that the pulver shows at the beginning of the attack and for that x it could uh decode beta and if you didn't have the the like the option to choose the s instance this wouldn't have been this wouldn't work why because like from the just from the soundness of the underlying sigma protocol all of them are going to all of these alphas now this is a no instance none of these can be like computed honestly as before so all of them are prone to rejection this is just intuition but the formal statement is because of the sigma protocol soundness and all of the answers from the verifier are just going to be zero zero zero zero zero and you cannot decode anything out of this so um we're going to fix our protocol by by letting the challenge um beta depend on x now we're called we are dealing with you we are going to deal later with fewer languages and but even though the witness is quantum the instance is classical and we're going to use this the description of the instance is classical so instead of an SF encryption of beta now the verifier is going to encrypt a prf secret key and now when the pulver sends this book it's going to alpha out in the open again gamma is going to be computed under encryption but this circuit is going to change it's going to take the prf key and instead of just computing the pulver's third method function using the trapdoor and beta it's going to compute a instance dependent beta which is just going to be a pseudo random string um yeah okay so this is the the the fixed protocol we will now move to give a quick proof sketch for the multi theorem sounds so um production starts with uh simulating uh the entire crs which means the crs part for the and benizek and also for the public key for the pkes key and now we have trapdoors we have this trapdoor for the public key and we have a trapdoor for the crs so um we know that the pulver always says under pke encryption this trapdoor now and by the stanness of the empty nizek that the pulver sends we know that this tau is correct which means this is the classical trapdoor that is used to generate um this uh to to perform the the homomorphic evaluation the homomorphic evaluation that the pulver performs when it computes gamma under encryption so we know that from the soundness of this book we know that this trapdoor is the correct one and now intuitively we know that this trapdoor like successfully convinces um moves for unknown like pseudo random values of beta x so we can show that this this is the case we can switch this to the random to a fully random beta and then break the soundness of the underlying sigma protocol for qma so how is it uh look again this is a very rough sketch and we move to compute this circuit here out in the open because we can we have this we extracted this trapdoor and now we can compute it and the next thing we can do is uh not actually use the prf key but using like uh use the this um the fact that the sfp hides the the prf key and then actually compute um the prf just throw an oracle we can do that all of these moves are going to be of course indistinguishable for the pulver um in each of these moves we are going to uh in these of these hybrids we're going to use um one of the primitives but now we arrived into in a finer hybrid where the pulver convinces the verifier using this trapdoor that is always extracted the tau but this is a random this is a random string so we found a pulver that convinces for no this would be at this point in no instance and convinces the verifier with noticeable probability for a random string and this will break the soundness of the sigma protocol very roughly okay so let's move to making sure that we can use this technique for qma so what exactly are the properties that we use in this construction so one thing that we can observe is that uh this computation of the circuit uh c tau has to be a classical computation which isn't necessarily the case for quantum protocols because even in the worst case gamma can be a quantum state and for sure this cannot be a classical computation right um um this is an empty Isaac proof and it always proves that this is a valid computation and um what we're going to observe is that we're going to use a quantum a specific sigma protocol or qma complete language this is for the consistency of local density matrices and local yeah by uh this is the work of reward and this protocol is very very simple um alpha is just a quantum one-time pet encryption of the weakness tau the trapdoor on alpha is um a classical string which is the um the quantum one-time pet keys and uh gamma is just um the protocol is beta you open um some part uh some subset of the qubits of the witness and gamma is just the quantum the classical quantum one-time pet key of this specific qubit so this is uh some part of the uh classical bits of tau and then this computation is simply sending the correct um classical um keys demanded according to beta so what we have here is that this is quantum and this can be untouched this is an empty Isaac and this is a classical computation these red parts are both all classical computers this is a classical trapdoor and this is a classical momorphic evaluation so these parts can be proven consistent using an NP knees and this stays quantum and untouched so we did this isolation of alpha and um this actually works this is the final version of the protocol as an mdv knees for q ma so thank you very much for listening