Hello, my name is Prabhanjan Ananth and I'm going to talk about Secure Quantum Extraction Protocols. This is joint work with Rolando L. La Placa, who is a graduate student at MIT.

So I'm going to talk about knowledge extraction, and knowledge extraction is one of the important concepts that is useful in the design of cryptographic protocols. For instance, it is very useful in secure multi-party computation. In order to prove security of a secure multi-party computation protocol, we need to come up with a simulator that can extract inputs from the adversarial parties. It also shows up in zero knowledge: if you look at the seminal FLS paradigm, the simulator works by first extracting a trapdoor from the adversarial verifier and then uses this extracted trapdoor to simulate the rest of the protocol.

So what are the extraction techniques that we have at our disposal? One extraction technique that we are all too familiar with is the rewinding technique. This technique has been quintessential to proving security of several cryptographic protocols. But it has been observed that the rewinding technique itself is not sufficient to prove security of several protocols. In order to circumvent this problem, other techniques were proposed. For instance, the seminal work of Barak proposes the non-black-box simulation technique, the work of Pass proposes the super-polynomial-time extraction technique, and so on. It's sort of fair to say that most results on secure computation and zero knowledge rely on these three extraction techniques. Of course, there are other extraction techniques proposed as well, but most of them typically rely on some version of these three techniques.

When we talk about extraction techniques, who are we extracting from? We are extracting from adversaries. So a natural question to ask is, how is an adversary modeled?
Traditionally, we modeled the adversary to be a classical probabilistic polynomial time algorithm. However, given the recent advances in quantum computing, it might be possible that many, many years into the future, a full-fledged quantum computer can come into existence. Which means that we need to be prepared from now on: we need to start designing protocols that are secure even if the adversary has access to a full-fledged quantum computer. In order to design protocols that are secure even if quantum computers come into existence, the first starting point is to model the adversary as a quantum polynomial time algorithm.

So now we can ask: if the adversary is a quantum polynomial time algorithm, do there exist post-quantum secure protocols? It turns out that, towards developing these post-quantum secure protocols, the existing extraction techniques or simulation techniques that helped us in designing classically secure protocols will fail in the post-quantum setting. For instance, traditional rewinding doesn't work as is in the quantum setting. The main reason is the no-cloning theorem in quantum mechanics, which tells us that, given any state, we cannot clone it to obtain another copy of the state. It also turns out that Barak's non-black-box technique doesn't work. Actually, there are many reasons why Barak's technique doesn't work, and one main reason is that the core part of Barak's protocol is universal arguments, and we don't know how to design universal arguments for quantum computation. At least we don't know yet how to do this. So while general rewinding-based strategies don't work in the post-quantum setting, Watrous and Unruh observed that you can actually achieve rewinding-based strategies in the post-quantum setting, but the class of rewinding strategies is highly restrictive.
So it's not possible to take any rewinding-based strategy and just port it to the quantum setting; at least we don't know of such a generic theorem. On the other hand, we don't even have any non-black-box technique known in the post-quantum setting.

So in this work, we give a clean definition that captures knowledge extraction against quantum polynomial time adversaries. We give two new quantum extraction techniques that satisfy this definition. And as an application of one of these two techniques, we show how to construct a zero knowledge protocol that is sound against classical polynomial time provers but, on the other hand, guarantees zero knowledge against quantum polynomial time verifiers. So it's a strict generalization of classical ZK.

We want this notion to satisfy three properties. The first property is called correctness of extraction. It states that the extractor should be able to extract w from a quantum sender. Here we require the extraction guarantee to only hold if the sender behaves according to the protocol. It can choose whatever randomness it wants in the protocol, but it needs to behave according to the protocol. So we say that a secure quantum extraction protocol satisfies the correctness property if the extractor can extract a witness in this setting. The second property is called indistinguishability of extraction: the malicious quantum sender should not be able to distinguish whether it is interacting with the extractor or the receiver. And the third property is called the similarity property: a malicious receiver should not be able to learn the witness from the sender. This is formalized by defining a simulator, and we say that the similarity property is satisfied if the receiver cannot distinguish whether it is interacting with the sender or with the simulator.
Here you can ask whether the receiver is a classical or a quantum adversary, and we consider two notions. One is called the classical similarity property, the other is called the quantum similarity property. So we want extraction always against quantum senders, but the receiver can be either classical or quantum; both cases are interesting.

So what are our results? The first result is the following. We show that there exists a quantum extraction protocol that is secure against quantum receivers, meaning that it satisfies the quantum similarity property, assuming the existence of quantum fully homomorphic encryption satisfying some additional natural properties. The other assumption is quantum hardness of learning with errors. So what is quantum fully homomorphic encryption? It is the natural analog of fully homomorphic encryption in the quantum setting. In this case we can encrypt a quantum state, and the server can actually perform a quantum computation homomorphically on this encrypted quantum state, and the result will be the encryption of the result of applying this quantum circuit to the original state. There are lattice-based constructions of quantum fully homomorphic encryption known. We assume quantum fully homomorphic encryption for unbounded depth computations, but if you only stick to bounded depth computations then you can actually construct it from just quantum hardness of learning with errors. This sort of extraction technique also showed up in a concurrent work by Nir Bitansky and Omri Shmueli.

Our second result is the following. We show the existence of quantum extraction protocols satisfying the classical similarity property assuming quantum hardness of learning with errors. An additional nice property of our construction is that it satisfies quantum lasting security. What does this mean? We are still in 2020. We don't have a full-fledged scalable quantum computer.
So we can consider crypto protocols that are secure against classical adversaries. The classical adversary will try to learn the witness from the sender, and it won't be able to learn the witness. But maybe 40 years from now, when quantum computers do come into existence, it is possible that this receiver might try to use the quantum computer to break the transcript of the conversation and learn the witness of the sender. So it might actually use the power of the quantum computer to violate the privacy of the sender. We want to prevent this. To prevent this scenario, Unruh proposed the following notion: the security should hold even if the classical adversary can use a quantum computer long after the protocol is finished. He called it everlasting security, but we prefer to use the name quantum lasting security.

As an application of the second result, we show how to construct constant round zero-knowledge arguments against quantum verifiers. This is still classical soundness, but we satisfy zero knowledge against quantum verifiers. So why is this useful? Suppose you have a user that is talking to a big company, and suppose the user needs to convince company X that it has the right credentials in order to access the system. Maybe the user needs to reveal some sensitive information in order to convince company X. Now the question is, is it possible for the user to convince the company without revealing its sensitive information? Of course, we can use the notion of zero knowledge to do this, but this creates a problem if this company has access to a quantum computer.
I think it might still be reasonable to assume that big corporations might have access to quantum computers long before everyday users get access to quantum computers. So in this case, the user is still a classical entity and is talking to a company who is possibly malicious and has access to a quantum computer. In this case, the question is whether zero knowledge still holds. This is why we need to use zero knowledge protocols that are secure even if the verifier is a quantum adversary. So in this case the user is classical, but the server is quantum. We show that there exists a constant round classical argument system with the post-quantum zero knowledge property assuming quantum hardness of learning with errors. In the concurrent work, Bitansky and Omri Shmueli gave a beautiful construction of the first constant round QZK for NP, which actually gets the stronger quantum soundness property, that is, it's secure even if the prover is quantum, but it is based on QFHE as against just QLWE.

There are a few related works, and these two are the most prominent works in the literature. The first is the seminal work of Watrous, who showed the first feasibility result on quantum ZK for NP. The advantage of Watrous was that it gave unconditional soundness. But on the other hand, it had a non-constant number of rounds. Unruh also demonstrated a quantum ZK proof of knowledge protocol, and in particular he showed how to extract from unbounded provers. But on the downside, again, the number of rounds was not constant.

So we will start by giving an overview of our extraction techniques. Let's start with the first one. The starting point of this quantum extraction technique is the test of quantumness protocol that was devised by Brakerski et al. How is this test of quantumness protocol useful?
Using this protocol, the receiver can convince the sender that it is indeed a quantum computer. If the sender gets convinced, then it will send the witness to the receiver; otherwise it sends nil. Of course, the indistinguishability of extraction property is not satisfied here. The reason is that the honest receiver is not going to pass the test of quantumness protocol, but the extractor is going to pass it. So this way, the sender can know whether it is talking to the extractor or the receiver.

To overcome this problem, we first of all observe that the test of quantumness protocol of Brakerski et al. is a four-round protocol. What you can do is use a two-party computation protocol (2PC) where the input to this 2PC from the receiver side is going to be the fourth message, and from the sender side it's going to be the witness. This 2PC is going to output the witness to the receiver if indeed the sender is convinced that the receiver is indeed a quantum computer. So the functionality has the first, second, and third messages hardwired inside it. It takes the fourth message from the receiver and checks if indeed the receiver passed the test of quantumness. If so, it outputs the witness to the receiver. Of course, as is, this is not sufficient, because how do we know if the receiver actually committed the correct fourth message in this 2PC protocol? In order to argue the similarity property, we have to extract this fourth message from the receiver. In order for us to do that, we are going to make the receiver commit to the fourth message using an extractable commitment scheme. This extractable commitment scheme has the property that if the committer is a classical adversary, then you can actually extract from the receiver. And we do know of such extractable commitment schemes.
Thus, using this, you can actually show that this sort of template satisfies the classical similarity property and extraction against quantum senders. So this was a whirlwind overview of the first extraction technique.

Going to the second quantum extraction technique, which is going to be the non-black-box extraction technique: the main tool we are going to use is a two-circular insecure quantum fully homomorphic encryption scheme. What is two-circular insecurity? Before that, I want to mention that we can actually remove the two-circular insecurity part using quantum fully homomorphic encryption and quantum learning with errors, just the way Bitansky, Khurana and Paneth did in STOC 2019. Okay. So what is this two-circular insecurity? It is the following. Given an encryption of the secret key sk2 under pk1, and given another encryption of sk1 under pk2, and given an encryption of x under pk1, you should be able to recover x. So given the cycle (pk1, sk2) and (pk2, sk1), if I give you an encryption of x, you should be able to recover x.

Okay. So what is the protocol? The sender is going to send an encryption of r under pk1. It is also going to send r XOR w, where w is the witness. Then it is also going to send an encryption of the secret key sk1 under a new public key pk2. Then the receiver is going to send r', and the sender will send sk2 if r' is r; otherwise it sends ⊥ (nil).

So now how do we show correctness of extraction? We are going to do non-black-box extraction, that is, the extractor has the code of the sender. So suppose the sender is a quantum polynomial time adversary; it will send this first message as before. But now what the extractor will do is copy the first message, which is the encryption of r under pk1. Then it is going to homomorphically evaluate the sender. This is the insight. Once you do that, you will end up with an encryption, under pk1, of the output of the sender on r.
When I say the output of the sender on r, I am implicitly also incorporating the state of the sender in this. But what is the output of the sender on r? If you go back, if you give r to the sender, the sender is going to give sk2, right? Thus you get the final ciphertext to be an encryption of sk2 under pk1. So now you have an encryption of r under pk1, an encryption of sk1 under pk2, and you also have an encryption of sk2 under pk1. Now that you have a cycle and an encryption of r under pk1, using the circular insecurity you can recover r. Once you recover r, you can recover the witness. Thus correctness of extraction is satisfied.

Of course, in this case, the sender can again detect whether it is talking to the receiver or the extractor. This is because the receiver is never going to send an r' that equals r, but on the other hand the extractor is always going to input r to the sender, albeit in an encrypted fashion, but still. So the sender can detect. To overcome this problem, we're going to again use secure computation, 2PC. We're going to make the receiver input r' to this 2PC, and we're going to make the sender input sk2 into this 2PC. Internally, this 2PC is going to check if r' is the same as r, and if so, it outputs sk1; otherwise it outputs ⊥. So now that you have sk1, you can recover r. And once you have r, you can recover w.

Okay. So to conclude, we propose two new extraction techniques. In our opinion, this is just a beginning; we need many more extraction techniques in the quantum setting to push the envelope of building zero-knowledge and secure computation protocols. We also show the application of our extraction technique to the post-quantum zero-knowledge setting. Thanks.