 Hi, I am Prabhanjan and I'm going to talk about quantum zero knowledge in the concurrent composition setting This is in joint work with Kaiman Chung and Rolando Laplacca Zero knowledge is a notion that we are all familiar with The traditional notion of zero is depletes that the conversation between a prover and a verifier can be simulated in other words The verify doesn't learn any additional information after talking to the prover You know in most protocols we have seen so far the assumption is that the verifier is a classical PPT algorithm However, this assumption has been challenged By the prospect of quantum computers in the last few years Some companies and many governments have intensified efforts towards building quantum computers In the next few decades, we need to brace ourselves towards the possibility that quantum computers could become a reality And towards this we need to start thinking about designing protocols that are secure even after quantum computers come into existence So we're going to look at one such Protocols which is you know, we're going to look at one such notion, which is the notion of quantum zero knowledge So this notion is an analog of zero knowledge in the quantum setting and It roughly says that the conversation between a prover and a quantum verifier Can be simulated by a quantum simulator This notion is not new. I mean people have actually looked at Quantum zero knowledge protocols But they're mostly focused on standalone quantum zero knowledge protocols in the setting we assume that there is a prover and a verifier and You know the execution between the prover and this verifier is run in isolation So in other words, you know, the prover is talking to this verifier, then it cannot talk to any other verifier During this time. So the good news is that there are some feasibility results known. So we do know how to achieve the standalone QZK However, this is not a very realistic setting So if you think about it, it's not reasonable to assume that you know, the prover only talks to one verifier at a time In the real world setting, you know, you have You could have a, you know, maybe like a server who's running He's taking the role of the prover, you know talking to many clients who are taking the role of verifiers At the same time. So more realistic setting that we can consider is concurrency So in this setting we have a prover talking to multiple verifiers at the same time and These verifiers can interleave their messages with the prover in any arbitrary fashion You know, maybe, you know, there's one verifier who starts the execution with the prover And before this verifier sends its second message, maybe another verifier starts talking to this prover And we want the notion of zero knowledge to even hold in this setting you know and the the notion of QZK in the concurrent setting will be called as a concurrent QZK And unfortunately we don't know much about the possibility or impossibility of QZK in the concurrent composition setting But if you look at the classical cryptography literature, there are many many works on you know On on the feasibility of concurrent CK So before we try to understand the feasibility of QZK in the concurrent composition setting, let's first try to formally define what concurrent QZK is So in order to do that, we need to define What is a malicious how does a malicious verifier behave? So in this case, the malicious verifier is a QPT algorithm Let me denote this by we start And we are going to work in the setting where the verifier can be non-uniform So in other words, it can take as input an auxiliary state This auxiliary state denoted here by row can be thought of as A quantum state That has a polynomial number of qubits And this verifier we start can invoke Q sessions or Q verifiers with the pruer p with the honest pruer p And the sessions are denoted by V1 through VQ Okay, so to Be a little more precise about how the interaction between the pruer and the verifier we start goes So we can think of every message computed by V star to be let's say unitary Followed by a measurement where this measurement determines the message to be sent to the pruer Right, and then we can think of every message we start sense to be of the following format So it's message one corresponding to the first session message to corresponding to the second session and so on And then we have q comma message q where q is the number of sessions And then you can do this for all the messages and you know Not all sessions need to You know Be active in any round So for example, the ith session can choose not to you know, send any message to the pruer In some round in this case it will set the message message i to be empty Which which we are going to interpret as saying that the ith verifier is not sending any message in this round and We say that a protocol satisfies concurrent q ck if there exists a simulator such that the following two distributions are indistinguishable The output of the verifier, you know after it interacts with the honest pruer Uh, you know the output of the verifier v star is going to be some state We want this state to be computationally indistinguishable Or rather like a distribution of states to be computationally indistinguishable from the Uh, the the The distribution specified by the simulator, right? So the output of the simulator Describes a distribution and we want this distribution to be indistinguishable from the output of the verifier So it's the same as as a Classical zk except that you know the algorithms here are quantum And and also the advice is as quantum There are two notions of concurrent q zk that we can consider one is bounded concurrency and another one is unbounded concurrency So in in in bounded concurrency the number of sessions q needs to be fixed apri like even before the protocol begins Uh, in the case of unbounded concurrency, you know the verifier the militia's verifier can choose how many sessions to run Um, you know at the beginning of the security experiment So it need not be specified as part of the protocol description So we can also consider another weaker notion which is parallel q zk Um, so in in the parallel setting we want all the verifiers to send the messages at the same time While this is not the most, uh Useful notion in practice Parallel zk is still useful for constructing let's say mpc protocols Okay, so let's let me, uh give a an overview of our results So we initiate a formal study of concurrent q zk Uh, we give a feasibility result of bounded concurrent q zk for, uh, all languages in np And we actually show how to get, uh, quantum proof of knowledge for np Um And finally we also show feasibility of bounded concurrent q zk for, uh q ma So q ma is a quantum analog of ma um, so, um, we say that a relation is q ma relation if You know for Every instance pooling string, let's say x we say x comma some state belongs to this relation If there's a quantum algorithm quantum polynomial time algorithm that on input this instance and the state outputs One with high probability So it's in ma the witness is classical in q ma the witness can be quantum. So that's that's the difference So i'm not going to elaborate on the quantum proof of knowledge and the bounded concurrent q zk for q ma results I encourage you to look at the paper So for the rest of the talk, i'm going to focus on the feasibility of bounded concurrent q zk for np Okay, so, um, let me zoom in on this and expand on this result statement So we show that there exists bounded concurrent q zk for np, uh, assuming The existence of post quantum one-way functions And two nice features about our protocol is that first of all, it's a it's a public coin Uh protocol and moreover, it's a proof system. That is the soundness holds against the unbounded provers So we know that, um There you know, there there was a prior work on bounded parallel q zk argument system for np from f h e for quantum computation Which is going to appear in your record this year So our work improves upon their result in terms of assumption. Also, we get the stronger stronger notion of bounded concurrent q zk Let's dive right into the techniques A natural approach that we can consider is the following So we can start with a classical bounded concurrent zk for np. So we do know how to achieve this So let's start with the construction that we know and then What we can do is, you know, try to come up with a A different proof for the same construction that proves that this construction is actually Secure against quantum verifiers and not just classical verifiers So not to do that, you know, we need to figure out a Way to port the classical simulation strategy to quantum to quantum simulation Right and we're going to focus on revinding based simulation strategies So and towards this, you know, we can ask a more general question What are the classical revinding techniques that can be ported to the quantum setting? So we can identify a quote-unquote Quantum friendly classical revinding techniques. These are the techniques that Can actually be ported to the quantum setting. These are classical techniques, but that can be adapted to the quantum setting And a rule of thumb that we can adopt For identifying this class of quantum friendly classical revinding techniques is the following So we can first ask if the classical revinding technique is oblivious. What do I mean? You know in any round the simulator can You know decide whether it wants to rewind or not And we want the property that You know at any point in time the simulators The distribution on simulators decisions should be independent of the verifier state So it should be the same no matter what auxiliary state the verifier has. So this is the first condition See the other condition is that we want Um the simulator to be no recording. What does it mean? It means that Um the simulator, you know should not learn some information Um and then rewind And then you know continue to use the information that it had gathered from a previous rewind for for future windings So this is the other sort of uh guarantee we need So if I think that these two properties are sort of artificial and you can ask whether do we Know any classical revinding that satisfies these two properties And as it is Yes, there are actually protocols that satisfy uh both these there are actually techniques that satisfy both these properties So if you look at the um the simulator of uh the popular graph isomorphism protocol You can show that that that particular simulator satisfies both these properties You know, there are other examples as well. So this is the um This is sort of like the prototypical example that you can consider Okay, so once we have identified this Quantum friendly classical rewinding the next step would be to combine this with Uh a lemma that was proposed by watrus And we can combine both of them to get quantum simulation. It's a um somehow we can uh You know Merge these two different uh techniques together to get a quantum simulator So this is sort of roughly the strategy we are going to adopt to um Come up with a feasibility result for bonnet concurrent QZK Okay, so towards this you can ask if there are quantum friendly classical concurrent rewinding techniques, right? And then we can try to combine them with watrus And the um answer is unfortunately no, I mean most of the techniques we know in the classical concurrent literature Either violate the obliviousness condition or the no recording condition Um, so which means that we need to really, you know, sort of devise a new um Quantum friendly classical rewinding technique and that's what we do in this work So we propose a technique called block rewinding technique And then we're going to use this technique to prove that the classical protocol of um pass Sing and mix strong Is bounded concurrent QZK Did they showed the existence of classical concurrent ZK? Boundary concurrent ZK, and we're going to show that the same construction Modulo some modifications in the parameters Is also secure in the quantum setting Okay So what is this block rewinding technique um at a high level what we do is we sort of divide the Entire transcript, which is the execution of the pro with all the verifiers into blocks And The simulator what it's going to do is at the end of every block It's going to do decide whether to rewind to the beginning of the block or not with with probability half And since the decision to rewind Um Is oblivious of the very fast state. So the simulator will do this no matter what the auxiliary state was So this particular Step would satisfy the obliviousness condition And when the simulator records, it's going to forget all the transcript. It has remembered so far So when it goes from step i to step j Uh, so sorry when it when it revines from step j to step i then it's going to forget all the messages from i to j And that's uh the this also satisfies the no recording condition So this was a So really vague and high-level Um idea of how the simulator would work. I mean here there are many questions. How big are the blocks? You know, will the simulation work for all schedule links, you know Can the verifier somehow interleave the messages cleverly in such a way that the simulator fails and uh Finally, what if the all the verifiers are bought in a single block? Um, will the simulator even rewind that right? So, um If the simulator doesn't choose to rewind then It would end up depending on the verifier state and thus violating the obliviousness condition So we need to also handle the case when all the verifiers are bought in a block Okay, so before Answering these questions. Let's uh look at the protocol description of bass sing and big strong So their protocol is composed into two stages in the first stage. Uh, the pruer p sends a commitment Of a bit to the verifier and the verifier sends some other bit To a back to P So in terms of what commitment we use we are going to use a statistically binding A quantum concealing commitment scheme which can be based on post quantum on my functions And in the second stage, uh pruer proves to the verifier that either it knows the witness for this instance or Uh, there are enough number of uh executions in stage one Where the verifiers bit agreed with the pruer's committed bit So we're going to use the term matchings. Uh, so we say that, um, you know, a particular execution of stage one has been matched if Uh, the verifiers bit is the same as the pruer's committed bit Like in other words, if bi prime is the same as bi and if you can we can replace this Condition as saying that the number of matchings has to be at least l over two plus q to the four, uh lander So roughly, you know, uh in expectation l over two executions will have The verifier spit to be the same as the pruer spit What we are asking is something that is slightly more than, uh, roughly half of the executions of stage one okay So we're going to use the you know, we're going to call a single execution of stage one to be a slot So let's first consider the setting when the simulator is, uh Uh, when the verifier is classical and then You know, we're we're going to see how to port the ideas developed here to the case when this verifier is uh going to Okay Okay, so we're going to divide the the transcript into b size blocks. We're going to fix, uh, b soon So what we are going to do is for the ith message of v star Um in in a block what we are going to check is if uh, this message Is a is a last message in a block. Okay So if this message is the last message in the block Then you see how many of the sessions, uh contain a slot in this block b Okay, so you're going to consider all the slots that are completely contained in this block And then you're going to pick one of these slots uniformly at random, right? Um And so there are let's say there are l verifiers Whose uh slots are contained in b then you're going to pick one of the verifiers uniformly at random Um, you know, of course a single verifier could have multiple slots Just pick one of them at random And then you're going to check if this slot has been matched in other words if bi prime is the same as bi So if that is the case then you mourn to the next block Otherwise what you're going to do is you're going to rewind Uh rewind to the beginning of the block Okay So let's first assume that Um somehow the verifiers interleaving strategy says that Uh one slot in every block contains at least one slot If this is the case then you can see that the probability that the simulator rewinds Uh is going to be roughly half Right. Um, so now we can ask what if a block doesn't contain any slot If a block doesn't contain any slot then You know, what you're going to do is the simulator is going to just You know pick a bit uniformly random This is a dummy bit and if this bit comes up as zero then it goes to the next block Otherwise it's going to rewind to the beginning of the block And why do we have this? Uh, remember we need to satisfy condition called obliviousness that says that the simulator's revinding Um, the the decision to rewind should be independent of the verifier state Right. So this you know, it could very well be the very very well be the case that the verifier has Interleaved it its messages in such a way that There does not exist any slot in a block Uh, and if the simulator does not choose to rewind then Um, then its decision is depending on the verifier state, right and that violates obliviousness So we're going to add this condition as well in the description of the simulator Okay, so now what if uh, you know the The the message that you're considering is the intermediate message in the block In this case, you know, if it is a stage one message, then you're going to behave like the honest pruer You're going to just send a commitment of a random bit if it is a stage two message Then you check if the number of matchings Uh, is at least l over two plus this additional q to the four lambda or not if it is less than that then you're going to abort Otherwise you have sufficient number of matchings now you can use these matchings to complete the wi phase So what is left is to show that the probability that the number of matchings Um, is at most l over two plus q to the four lambda is uh negligible, right? Because if this happens then the simulator is failing and we want to show that the probability of this event is low So the intuition is that for every verifier vi the number of blocks that contain at least one slot of vi is at least six Um times q to the five lambda so you can you can show this using a counting argument Similarly, you can also show that the number of blocks in which a particular verifier slot is picked is also sufficiently high Then you can use both combine both these facts to argue that with high probability using churn up on um At least three times q to the four lambda of these slots are matched Um, you know, this is by the simulator um employing the rewinding strategy On the other hand, you know, there are still l minus three q to the four lambda slots remaining and you know even You know, even if the simulator doesn't try to match them just by sheer luck Uh, half of them are going to be satisfied in expectation And again using churn off you can show that the number of slots that are satisfied with high probabilities At least l over two minus two q to the four lambda So if you add both of them up These two quantities up you're going to get um the desired bound right so you can argue that This is in fact negligible Right, so that's how we complete the simulation strategy so What is remaining is to show that uh the verifier is um We need to show the case when the verifier is q p t and the quantum Uh simulation strategy is very simple, you know The quantum simulator is just going to run the classical simulator and the verifier in superposition. So it's not going to measure anything um Except at the end of the block at the end of the block It's going to measure something and based on that it decides to rewind Uh, and how does it rewind it employs the rewinding strategy proposed by waters? So this is the rewinding that's going to be uh given to us by the waters lemma Right and we can show that a careful repeated application of waters. Uh lemma implies a successful simulation against a quantum verifier Okay, so with this, uh, let me conclude this talk We initiate a formal study of concurrent q z k We showed a feasibility of bounded concurrent q z k for np Couple of results I didn't talk about is quantum proof of knowledge for np And we also show the feasibility of bounded concurrent q z k for q ma So what is open is to show the possibility or impossibility of unbounded concurrent q z k Um, and also post quantum concurrent, uh, secure computation With this, uh, I conclude. Thanks