 Welcome to the session on protocols. The first talk is on quantum proofs of knowledge and will be presented by Dominic on rule Please go ahead Okay So my topic is quantum proofs of knowledge and quantum proofs of knowledge are related to of course zero-knowledge proofs So let me first say a few words of motivation why it would be interesting to consider zero-knowledge Quantum zero-knowledge proofs in the first place So most of you will probably agree that considering zero-knowledge is an interesting thing. It's a central tool in crypto and Not only that many things that Appeared in crypto can be studied in a like small example on cryptography all these things like revinding concurrency All the problems pop up there first and then you get them in more complex settings like multiparty computation And then the other thing why quantum Well more precisely what we are doing here is post quantum crypto Meaning we consider classical protocols. So some zero-knowledge protocol like for graphism or something that everyone knows But we ask is it secure against adversaries with quantum computers? Why is this important? Well first thing if at some point physicists manage to build a quantum computer then we would like cryptography to be ready for it and On the other side if we build a protocol if we want to build future protocols that make use of quantum cryptography We also need the classical building blocks in that to be secure against quantum computers So let's jump into the topic and have a look at how How we deal in the classical setting with the zero-knowledge property. So how do we prove that a given protocol is zero-knowledge We have to give them only a malicious verifier Simulate the whole interaction with the prover, but we don't have access to the prover This will then imply the zero-knowledge property and this is usually done at follow So we will only consider sigma protocols where three messages from the prove at the verifier commitment He answers with a challenge and then gets a response And what the simulator does is he first or in many situations does he first guesses the challenge Then if he knows what the challenge will be He can construct the commitment so that everything will go through and then if he gets right everything works He produces a good transcript if it doesn't He just goes back tries again and repeats until he gets the challenge right and this goes through This works well if the challenge space has only polynomial size like for example going to challenges however in the quantum case this approach is much is Much more tricky. Why why doesn't this work? Well, the thing is this error here is not well defined In a quantum mechanical setting because what this precisely means is at this point You copy the state of the verifier and if you reach this point you restore the state to the copy you made But quantum states cannot be copied. That's one of the laws of quantum mechanics So we cannot do that and we need an alternative solution This solution was proposed in 2006 or 2009 in the general version by John Watrous and The basic idea is instead of making a copy and going back to that copy we Since we can't do that. We have to undo the computation that we made so far So this is basically the algorithm that Watrous suggests to Make a simulator for zero knowledge proof You take some simulator that kind of tries and may either say it worked or it doesn't so it's like one try He guesses the challenge if it works goes through otherwise says no, please try again And then you run it you measure whether it worked so it will have an output bit I'm succeeded or not. You measure that if it works You're done. If not you apply the inverse of the simulator. That's a nice thing in quantum mechanics Any operation that is so-called unitary has an inverse So you can apply the inverse computation of what the simulator just did and Hopefully you are then back in this original state There are a lot of subtleties here which imply that you need to do some additional stuff But that can all be solved and you can find it in Watrous paper What you can achieve with this technique is what I call oblivious Rewinding if the simulator says I want to rewind to the beginning that works He goes back to the beginning, but he forgets everything. He has learned because we removed rewind the whole state of the simulator No problem in typical zero knowledge simulations because he just wants to try again He doesn't need to remember that he's trying again, but this will be important later So that's what was result result solve the problem of Quantum zero knowledge Well, it covers a lot of existing Zero knowledge protocols and can show the zero knowledge property in the quantum case of these There are some exceptions, but that's not the topic of this talk But there's one big limitation if we don't want just zero knowledge proofs, but your knowledge proofs of knowledge Then what this technique does not work And this is what I will show you in this talk and I will show you in this talk how we can actually Get proofs of knowledge with a different technique So let's recapitulate very quickly what we want from a proof of knowledge Intuitively we want to prove not only that a certain Mathematic effect is true, but that we know something example application. We want to prove our age to some vendor We have a set of certificate issued from the state and we want to prove that we know a Government signature on a document that says that we are at least 18 years old We don't want to reveal this document directly because We might be ashamed of our actual age or don't want to tell everyone or something like that So This is why we need proofs of knowledge that allowed to express this fact that we know a certain thing in this case a signature and The definition of proofs of knowledge very roughly is the following We want that if the proof is successful So if the proof of success in convincing the verifier in this case We want that a certain machine the extractor can give them only the state of the proof of compute the witness or In this in this example here if the proof of succeeds we could extract from the proof of The signature of its age and this is in most situations sufficient to prove all the things We want to do when using these proofs of knowledge in bigger protocols So let's see How this property is usually proven again in the classical case? so we are given a Prover and this prover Outputs the first message called commitment gets a challenge and answers with the response But we want to know not only see these messages here, but extract the witness and A typical technique is the following We run an interaction with the prover Where the simulator just sends the messages that would usually come from the verifier and Then when we reach the end we go back We rewind to the point just after getting the commitment from the prover and then we send him another challenge and get another response and Now many such sigma protocols see three messages and knowledge protocols have the following property called special soundness This one means that if you have two different Two different two responses to different challenges as we get in this case Then from these two responses we can compute efficiently a witness. So for example in the relatively well-known graph isomorphism protocol You would get The commitment would be a graph J and you would one response would be an isomorphism to G and the other to a graph H and From this we can compute an isomorphism between G and H, which is what we were interested in in the first place So what happens if we try to do the same in the quantum case? Oops There it doesn't work again because as I said before rewinding means copying So in this case we would have to stop we have to store the state here do this interaction then go back And going back means taking the copy we made earlier and continue not possible with quantum mechanics What about The rewinding by Rutgers we have seen that there we can do rewind we can go back But as I said earlier Rutgers needs the dust oblivious rewinding. So if you rewind we forgot everything we have learned so far So if we do this here the extractor would rewind He could do the second execution with a second challenge, but you would forget the first response Because quantum mechanics you can't just store this response because by storing this response you Inhibit the going back. So you have undoing the whole computation means also undoing the learning of the response sounds paradoxical is quantum So So we need to find some way around this we need to we will try to get do the same kind of interaction however We want to do it in a way that is compatible with the laws of quantum mechanics and For this we use the same idea again as in the water's case namely that we Apply the inverse of the simulator, but we cannot use the proof of what truth We cannot use the precise construction of what truth because it doesn't apply here So let's try completely naively to take the extractor We have seen just now the rewinding one and replace the rewinding by an inverse of the simulator So this is what I call the canonical extractor and as the following steps So first we run the prover so the first step of the prover and we measure the commitment So here we run the prover and then we do a measurement that gives us the commitment first step of the prover Then we continue running the prover with input challenge one and then we measure response one here Prover was challenge one measure response one now We what we have the challenge one response one and we want now to give him challenge to risk and get response to So we need to rewind for this we just do the inverse operation of what the prover there So the prover does something on challenge one. We do the inverse This can be efficiently applied and this at least intuitively would bring us back here and Finally we now run the proven challenge true and get response to and hopefully if we are in the state that we were here This is just normal and interaction prover get the commitment give him challenge to give get response to So we might hope that this will actually give us Two responses to two different challenges Does this work Unfortunately not Because if we measure response one here Then a second particularity of quantum mechanics comes into play Namely whenever you measure Something so you have a state and you want to measure some information about this state of the system this Will in almost any all cases change the system So if you if you have something which is in a superposition between zero and one and you measure whether it is one Then you will get your answer, but afterwards it will not be in a superposition anymore We have the same problem because if we measure the response here We change the state so it will mean not this state after here so this one will not be the same as this one and then This rewinding here fails because applying the inverse of the Prover here Assumed that we had the state that we just got out of the prover so this and then this would work But this then this then this doesn't work. It's simple to construct examples where the canonical extractor fails So what can we do? Let's make a thought experiment first Let's assume the response that we get got here response one or both responses Actually are not long bit strings that they would usually be in zero knowledge, but actually just one bit messages This doesn't really make sense because you are no zero sensible protocols that have one bit responses just a thought experiment Then we have that by measuring the response We measure only a single bit and the less you measure the less you disturb So if you do the math here, which I won't then you will find out that measuring the response one Disturbs the state only in some moderate amount and then you do all the calculations and find out this amount is moderate enough That the whole extractor works with a sufficiently good to probability And Therefore extraction would work in this setting if we would have a protocol which has a one-bit response, which we don't So the idea now is not to assume that we have a one-bit response But to trade try to make sure that the length of the response is Effectively one bit so it's not truly one bit But it should be kind of in an information theoretical sense be equivalent to being a one-bit response And that can actually be achieved by adding an additional condition on the zero knowledge protocol this condition I call strict soundness and it says that For any challenge that you sent To the prover There's at most one possible answer that would convince the verifier There can be none if the prover made a mess It can be very hard to find this but we have the guarantee That there cannot be two different answers the proof of I can give this is what I call strict soundness and now This makes the response effectively one bit because it's either the one correct response or Something which makes us abort and which thing of the things that makes us abort doesn't really matter because we abort anyway So this is really as if we would measure only a one-bit response. So measuring The response that is unique if it is valid is equivalent to measuring one bit And if we do go through the math again, we will see this actually works as soon as we have the strict soundness property The canonical extractors shown here on the side will work and it will Successfully extract a witness with a certain sufficiently big probability And you may wonder what this probability is So if so this is the main result of the paper if we have special soundness Which was the property that given two responses you can extract the witness and you have strict soundness meaning There is at most one correct answer Then the probability of that the extractor extracts successfully is at least the probability that the verifier is Convinced minus one over the square root of the number of challenges to the three And if you're familiar with proofs of knowledge, you will see that this is similar to the classical case Except that there you will have the number two here and the square root will not be there but Essentially this except a bit for efficiency doesn't hurt us very much so If you have strict soundness you get as close you get quite close to what you can do in the classical case and We can now actually construct Quantum proofs of knowledge which using what this work also Zero knowledge However, there's one remaining problem. How do we get strict soundness? Well, for example, the well-known graph isomorphism proof Does not have strict soundness because there could be several different isomorphisms between the same graphs Unless the graphs have a property called rigidity So the graph isomorphism proof does not fall into this framework. We can't prove it The disc the typical discrete logarithm proof has this property However, it is rather boring in the quantum setting because in the quantum setting we can just compute the discrete logarithm anyway I don't know any natural candidate actually be that is not boring But we can make a trick to achieve strict soundness give them an existing protocol We just add a commitment in the in the first message to every response that we might give this only works if we have a polynomial number of challenges, of course And then we will not have the choice to open to a different message This addition means a property called strict binding on the commitment Which makes sure that we also don't have different possible unveil informations because otherwise this would introduce new choices for the verifier Although I think I've a few days ago had an idea how to get rid of this, but there's not in this talk If we plug things together So if we take for example proof system for a Mediterranean cycles, we take commitments that we can build from injective one-way functions Then we have the theorem that assuming injective Quantum one-way functions Quantum zero-knowledge proofs of knowledge exists for all languages in NP This is pretty nice besides one caveat, which is Still there. We currently don't have any candidates for Quantum secure injective one-way functions, so please find some but I have ideas How to get to lower these Conditions I'd be happy to talk about this offline if someone is interested So future work generalizations like Considering the computational setting. This was only in the proof settings not for arguments Things that are not sigma protocols, but have more messages. I think these are pretty simple, but I haven't done then then In the future, we will have a look also at other rewinding techniques. So for example to follow-up papers had different approaches to Solving proofs of knowledge Where they rewind not the actual extractor, but in the coin toss and I guess there are many more other Rewinding techniques out there and then of course we would like candidates for injective one-way functions There's not only needed for my work, but also virtuous prior results also assumes them and doesn't have them So with this I thank you for your attention Are there any questions Now to get if you want a quantum bit commitment scheme that has sorry, can you say again? Yeah To get strict binding for in a quantum bit commitment scheme, then it cannot be hiding And you kind of have both binding and and and hiding Well, it will not be information if it's info if it's a strict binding Then it cannot be information Theoretically hiding but it can be hiding so if you take for example the construction that you take an injective one-way function and With random input, that's your commitment and the bit you commit to is the hard-core bit of this one of this function This has strict binding because there's only one inverse and it's statistically hiding. This is why in this theorem here Quantum that came means computational zero knowledge not statistical zero knowledge. You just said it's strict binding but statistical Strict money in statistical hiding or can be strict strict binding Computation, which is a statistic you could also I guess I haven't done this weakening the strict binding property to something where that like collision Resist you can't find to But I haven't gone through that. I don't know whether it works out or not, but that's a conjecture. I have Any other questions Okay. Thank you once again