 Hello, I'm Tina Zang and I'm going to talk about Classical Proofs of Quantum Knowledge. This was joint work with Tomah Vidiak at Caltech. So this is the rough outline of the presentation, it's also the rough outline of the paper. In this paper, we're interested in defining Classical Proofs of Quantum Knowledge. So many of you might be familiar with proofs of knowledge in the purely classical setting. Here we're interested in looking at versions of proofs of knowledge, where the verifier is classical, but the witness is a quantum state and not a classical string. So after we define these objects, we're going to show some properties of the definition, which have simple proofs. Then finally, we want to show an example that instantiates the definition. So here's the canonical setup in the classical setting. There is a Prover P who wants to prove to verify V that it knows a secret key, some publicly known public encryption key, pk, such that pksk is valid. How do we formalize the notion that the tuple pksk is valid? The answer usually is that there's a public MP relation r, which takes in instance witness pairs and checks that the witness w is indeed a witness for the instance x. So we encode the public key as the instance x, and we encode the secret key as the witness. So in this case, the instance is a graph, the witness I've chosen three colorings, so the witness is a coloring of the graph. That only uses three colors, such that no edge has two endpoints of the same color. So this encoding makes sense in the context of typical classical public key encryption schemes, such as, you know, this is an example using Diffie-Hellman. It's clear why this encoding is a natural one in the case of this particular application. So this is the general setup, but what is the proof of knowledge? So it's a protocol between the prover and the verifier. Intuitively, it has a security property that the verifier accepts if and only if the prover really does know w, the witness, and we'll formalize what it means for the prover to know w in a second. So this protocol can be trivial if we're not concerned about zernology. No, the prover can just send this witness to the verifier. But if we do want to hide the secret key from the verifier, then we might have something a bit more involved here. Okay, so now let's formalize what it means to say that the prover really does know w. This is a basic setup. There's an efficient machine called the extractor, whose job it is to compute w. And the prover is modeled as a black box. So the extractor only gets to test its input output behavior. However, the extractor gets to rewind the prover if it wants, so it can replay one of the rounds with a different message, for example, and see what the prover does under the new second stances. So this is to give it more power than the real verifier. So if the protocol is zernology, you don't want the real verifier computing the witness, which is what the extractor is supposed to be doing. So if after interacting with the prover p, for a polynomial number of steps and doing polynomial additional computation, the extractor can output the witness, then we say that p knew the witness because it was able to pull, it was possible to pull the witness out of the prover efficiently. So just a couple of quick remarks. You know, classical proofs of knowledge are useful as building blocks in many other protocols, such as identification protocols, signatures, and CCA secure encryption. And they have been considered and proven secure in the post-quantum setting. So for example, see 2012 when there is paper. Our focus here is different. We want to look at proving quantum knowledge, not just post-quantum security. So I'll make some more remarks about that shortly. But basically it means that the witness will be a quantum state instead of a classical string. Okay, so now we want to look at how we want to define in a classical proofs of quantum knowledge. So the first application we might think of for something called a proof of quantum knowledge is proving knowledge for a QMA witness. So QMA is the quantum analog of NP. If NP is the class of problems that can be efficiently checked by a classical verifier given a classical string as witness, QMA is the class of problems that can be efficiently checked by a quantum verifier that's given a quantum state as witness. So how would we go about letting the proof of proof that knows a witness to some instance of a QMA complete problem? In other words, how do we translate the NP primitives to the quantum setting? So the first step of course is to replace the classical witness string with a quantum state row that's the witness that the proof wants to prove knowledge of. We also need to replace the instance of the NP complete problem. So I used three coloring my earlier pictures with an instance of a QMA complete problem. So for example, this can be a local Hamiltonian. And finally, we need to replace the NP relation which checked whether witness instance pairs were actually valid with a so-called QMA relation. So it's basically a quantum circuit that performs the same function as the classical relation R, takes in an instance and a witness has input and an outputs whether or not the X row pair is valid. So a few remarks about proving knowledge for QMA witnesses. Again, the situation is not to be confused with post-quantum proof of classical knowledge. There you want to prove knowledge of a classical string but consider potentially cheating quantum proofers and verifiers. Here we're proving knowledge of a quantum state. One remark is that there is no longer a trivial non-zero knowledge protocol to prove knowledge of a QMA witness if we restrict to classical communication which is what we're interested in doing in this paper. So of course if we allow quantum communication the proofer can just send the witness says before but with classical communication it's not easy to see how this could be done. And the last remark, for this application we basically just went and translated all of the MP primitives to their direct equivalence in the quantum setting. But we might want also to look at scenarios which are more uniquely quantum and we'll look at one of these now. So here's a second application we looked at in this paper. In this situation we have a quantum money scheme and the proofer wants to prove that it has a quantum money state. So just in case you haven't seen quantum money before, so we have an all-powerful trusted entity called the bank which mints banknotes that are quantum states. And we imagine that the bank gives a banknote state to the proofer, for example as interest on the proof of savings. Some time passes, then the proofer comes back and wants to spend that banknote. And the bank wants to verify that the banknote the proofer hands in is legitimate. So wants to know that the proofer hasn't tampered with the banknote or tried to counterfeit one to forge one. So they execute a protocol in which loosely speaking the proofer proves to the bank that it, quote marks, has the banknote which was given to it before. So often this protocol is really just one round where the proofer sends the banknote and then the bank applies some quantum measurement to it and accepts if the measurement accepts. But we'd also like to consider in this paper protocols which only involve classical communication in order to verify these banknotes. So why does the banknote have to be a quantum state? Because we want to exploit no cloning to make uncountable money. So if the banknote were a classical string the proofer could just copy the string endlessly. And unless the bank remembers every interaction that it's ever had, the proofer could cheat and spend more money than it's meant to have. But quantum states can't be easily copied. So we can design a scheme such that after being given one banknote, let's say of N qubits, P, the proofer can pass once in the verification protocol here, but it cannot produce any two N qubit states such that two copies of verification applied to the first N and the last N qubits, respectively, by the bank will both pass verification. So here's an example of such a scheme to make things concrete. It was invented by Wiesner in 1983. A banknote is an N qubit state. Each qubit of that N qubit state is drawn uniformly at random from the set zero, one plus and minus. Question, how would the bank make such a state? Well, one way would be to write down some random classical string X and then apply a hard amount gate to each qubit with half probability. To verify this banknote, the bank would need to remember the qubits to which it applied Hadamards. Then it would unapply the Hadamards that applied and measure in the standard basis and then check that the classical string that it got was X. So with this verification procedure, the maximum probability that the proofer can produce two N qubits such that the first N and last N qubits independently pass verification, this verification procedure we just described is three quarters to the N. This was shown in 2012 by, I think, what's used to tell. Okay, so that's a relatively interesting situation where we have a proofer wanting to prove in some sense that it knows or has a quantum state. And we already saw one way to generalize the classical notion of proofs of knowledge to the quantum setting. Does this situation, this quantum money situation fit into that formalism? So it turns out that for any visa money state, for example, we can write down an instance X of a Q and A complete problem such as local Hamiltonian and a Q and A relation such that Q of X and the money state equals one, if and only if the dollar state really is the money state. However, if we were to then publicly disseminate X, the instance in Q, this relation, this would break the security of the scheme. So basically X and Q would tell you the qubits to which the bank had applied Hadamards in the Visner example. And given that knowledge, it's quite easy to counterfeit a visa money state. So on the other hand, if we don't make its X and Q publicly known, it's not even clear what the prover should be proving knowledge of. You might say it's going, okay, why don't we have an oracle or something to make it well-defined without giving out the secret information? But that's not allowed in the canonical Q and A formalism. And the, in there, the instance and the relation are supposed to be publicly known. So basically in order to make our definition of a proof of knowledge broad enough to capture both quantum money and Q and A, we borrow a formalism called the agree and prove formalism. I went well on this in the interest of time, but it was invented by Badrucha, Jost and Maurer in order to capture in the classical settings situations that don't fit neatly into the MP formalism. And this framework turns out to work nicely as well for our purposes here. Okay, so we want to broaden our definition of a proof of knowledge, because crypto in the quantum setting might involve new tasks that aren't well captured by a direct translation of the MP formalism. That's the first issue surrounding translating the idea of proof of knowledge to the setting of the witness as a quantum state. There's also a subtlety surrounding defining black box access to the prover when the prover is quantum, but only outputs classical information. So if we only let the extractor look at classical transcripts, question is how will it get a quantum witness out? That seems as hard as quantum state democracy, which is hard, which in general requires an exponential number of measurements on the state. So we must allow some sort of quantum access to the prover. And we use a solution to this problem that's similar to solutions which we're considered in. In RU 2012, also Watrus 2009. And, but we use this definition in ways that were allowed in both these definitions before, but not completely explored. So I'll go over the definition so that we all have the model clear. So here's how we model the prover in this definition. We consider it to consist of a private register in which you can put any quantum state it likes and a message register, which is used for exchanging messages with the verifier. So we'll see how in a second. We assume the prover's private register is initialized to some arbitrary state and that the message register starts off initialized to zero. So how does interaction work? We assume that the prover is entirely characterized by a unitary operation, use of P, which it applies in every round. So let's say the protocol starts now and that the prover sends the first message. The first thing that happens is that the prover applies use of P and it acts on both the private and the message register. It could be entangling these, whatever. After use of P is applied, some trusted party measures the message register on the computational basis. This results in a classical string and that's the message that the prover sends the verifier. So then the verifier processes this message and puts the message that sends back to the prover and the message register, replacing the message that was there after the measurement here. And then we apply use of P again and measure again in order to get the next proof of message, et cetera. Okay, so here's how P would be available to the extractor. So P starts out, initialize the way it would be in the real protocol. The extractor can read and write arbitrary corner states of the message register but cannot access the prover's private register and that's the justification for our black box terminology. However, the extractor can command the prover to do one or two things. Apply use of P, controlled on some state which the extractor provides or apply use of P dagger, again, controlled. So this is the analog of rewinding since use of P dagger is the inverse operation of use of P and note that both these unitaries act on the private and the message register. So the extractor never gets to see the private register but it can act on it indirectly through use of P and it can also put an arbitrary state in the message register and it doesn't need to be a classical string. So the classical verify would only ever put a classical string there but the extractor can put anything. So this possibility was allowed in previous works but not really used and as far as I know this is the first time anyone actually uses this capability in a meaningful way in a proof of security. So that's what I was referring to earlier. As before we expect the extractor to output the witness state at the end of the interaction. Okay, so that's basically it for the definition of a classical proof of quantum knowledge and we've defined black box access in a meaningful way and we've expanded our setup a bit to allow for more flexible interactions between prooper and verifier in order to capture quantum money as well as Q and A. So one of the things we do in this paper is proof some simple properties of classical proofs of quantum knowledge as defined in this way. I won't dwell on this in the interest of time but I will describe them briefly. So the first one is if the classical non-destructive proof of knowledge exists for a witness state then the witness state can be cloned by an unbounded adversary. So non-destructive here just means that the witness state is not damaged by the protocol and the protocol can be run and arbitrary number of times without the prover having to produce fresh witness states. So this has consequences in the quantum money setting because a lot of quantum money protocols are information theoretically secure. Specifically it means that non-destructive and also non-interactive classical protocols for proving knowledge of quantum money states can't exist. The second property might be somewhat expected that if you can show proof of knowledge under our definition then it is also a quantum money verification procedure. So a quantum money verification procedure remember says that you can't pass twice if you only have one money state. The proof of knowledge says that if you can pass even once then it's possible to efficiently compute a witness state from you. So this lemma just formalizes the intuition that the proof of knowledge is stronger than the quantum money verification procedure with some loss in parameters. Okay, so now we come to an example. So we've settled on a definition, we've proven some properties that it has but we want to show that there are actually protocols which instantiate the definition. We also want to explore the kinds of techniques that might be useful for analyzing protocols that we want to show a proof of quantum knowledge. So we show several examples in the paper but I'm just going to go through one of them. So let's recall reasons quantum money, the money states look like this in Cupid's song. We're going to introduce some notation that will be useful. So remember earlier we said a visa state can be generated by the bank if it's like some classical string X uniformly at random then applies a Hadamard to each Cupid with half of a Billy. So this is just saying the string X chosen uniformly at random and then there's a string theta which encodes the Cupid's which had Hadamards applied to them. And if the bit, if the ith bit of theta is one then that Cupid had a Hadamard applied otherwise it did not. And X and theta completely specify the visa state in terms of classical string. So the bank can keep these strings around to verify the dollar state where it needs to do that. Okay, so now let's look at a protocol which we think might be a proof of quantum knowledge for a visa money state. So the verify issues a challenge to the prover which is a uniformly random string C. It's n bits long. And then the honest river does the following it simply measures the visa state in the basis determined by C. I mean that if the ith bit of C is zero it measures in the computational basis otherwise it measures in the Hadamard basis. And then the verify checks that whenever the ith bit of C is equal to the ith bit of theta the ith bit of the prover's response is equal to X sub i. So note that the honest prover gets deterministic measurement outcomes X sub i exactly for the ith Cupid if C sub i is equal to theta sub i. Otherwise it gets random outcomes uniformly random because C sub i is equal to theta sub i is just saying that the prover measured the ith Cupid in the so-called correct basis the basis that the bank prepared that Cupid in and otherwise it measures in a basis that's rotated so it gets a random outcome. So given that information hopefully the verifies check makes sense. Okay so how do we prove that this protocol is a proof of quantum knowledge? I'm going to describe a thought experiment here. We're going to eventually relate the thought experiment to the real protocol in a way that says something about the real protocol. So let's rename our parties first of all let's call the bank Alice and let's call the prover Bob. And recall in the real protocol Alice generates two strings theta and X uniformly at random and then she constructs the basic money state from them according to the formula we described on an earlier slide, this one. And then she sends the money state to Bob. Now here's the thought experiment. Imagine that instead of making a money state in the way we just described Alice generates N EPR pads, two M qubits. She sends half of each part of Bob. And then she measures her halves in the theta basis where theta is chosen uniformly at random as before. So theta basis just means heart of our basis of theta sub i is one and standard basis of theta sub i is zero. So hopefully it's easy to see that this measurement causes the joint EPR pads that Alice and Bob share to collapse to do copies of the money state. Dollar sub X theta. Where X is uniformly random it comes from the quantum measurement. And theta is the string that Alice chose uniformly at random. So far we've basically just described an alternative way for Alice to generate the dollar state and send it to Bob. But now remember we had this protocol where Alice sends a uniformly random challenge C to Bob and Bob measures his state in the C basis and tells Alice his measurement outcomes. So here's the important part. Note that if Bob passes in this protocol, i.e. he tells Alice the correct outcomes, he recovers a subset of the string X to this one. Which Alice in this thought experiment obtained through a measurement on her halves of the EPR pads. So it turns out that correlations like these between Alice and Bob are a test for entanglement. What do I mean by that? So there's a theorem from Natarajan and Vidic 2016 which says that if Bob and Alice exhibit correlations like they do in the thought experiment that we were just considering, then they once shared EPR pads up to local isometry. So local isometry just means that if you have some EPR pads, it means that you can apply local reversible quantum operations on Alice's halves, this is Alice or on Bob's halves, this is Bob, but nothing that's applied to the whole state globally. So on both halves simultaneously. And so for Alice, the map on her side, this is just the identity since Alice is honest and she didn't do anything to her halves of the EPR pads after she sent them to Bob. For Bob, we can officially apply the isometry given black box controlled versions of Bob's unitaries which is exactly the condition that the extraction definition gives us. This is all from the theorem. Okay, so what's the point of that? The point is that we have an argument now for extraction. So firstly we argue that the thought experiment and the real protocol are actually indistinguishable to Bob which means he must behave the same way in both. So that the two protocols are indistinguishable should be obvious if Alice measures her halves of the EPR pads temporarily before Bob measures them. Since in that case the two protocols, the imaginary one and the real one are actually equivalent and we just described a different way for Alice to generate the dollar state and send it to Bob. But even if she measures temporarily after Bob does, he still can't tell between the thought experiment and the real protocol because local operations on EPR pads commute. So we can just commute Alice's measurement past Bob's measurement and then we're good to go. The second main point, this is the theorem that we get from Latter-Arden and Wittig, is that if Bob passes in the proof of knowledge protocol in the thought experiment world, then there is a local isometry phi B on his side such that this equation holds where psi AB is the initial joint state of Alice and Bob in the thought experiment world. That's after Alice sent Bob the EPR pads but before either Alice or Bob measured them. So the intuition is that in the thought experiment world, Alice sent half EPR pads to Bob instead of a money state and then Bob might have decided to apply some map to his side of the EPR pads after receiving them. And the theorem from Latter-Arden and Wittig, 2016 just says that there is a phi B which can recover the EPR pads regardless of what Bob might have done to his side, provided that he was able to pass with high probability in the proof of knowledge protocol. So basically saying if Bob passes, we can more or less figure out exactly what his strategy was. Okay, so now here's a technical calculation which I am going to skip over but the punch line basically is this. You might have been wondering on the previous slide, okay, this one. Okay, in the ideal world, the thought experiment world, if we apply this phi B to Bob's side, we recover EPR pads. But what is the point of recovering EPR pads in the ideal world? We want to recover the money state in the real world. And this is just a computation which shows how the two are connected basically. From this computation, we can deduce that if we apply the same phi B to the initial joint state of Alice and Bob in the real protocol, then we'll recover on Bob's side the money state tensed with maybe some auxiliary state on Bob's private register. And this will be, the money state on Bob's side will be in the message register. So the extractor's strategy is simply to apply phi B to Bob's side using the black box access to Bob that it's given and then return the state in the message register and that's it. Okay, so now I'll just quickly go through two other examples which we also showed are classical proofs of quantum knowledge. So one of them is another quantum money scheme. Our proof strategy for the business states as you have seen is quite specific to the structure of that particular protocol but we are able to apply it to one more example. So the example is a modification of a different quantum money scheme which is based on the subspace states proposed by Aronson and Cristiano in 2012. And since the technique worked pretty nicely for the business scheme the main difficulty here with these different states is to massage them to make them look enough like the business scheme to be able to apply the technique. So we don't exactly do it for subspace states but we do it for what we call one time padded subspace states. The third example which we analyze is the celebrated Mahadev verification protocol for verifying quantum computations. So we show that this is an argument of quantum knowledge for Q and A relations that just means that the soundness only holds against computationally bounded proofs just like the original Mahadev protocol. So Mahadev's original analysis showed that a computationally bounded prover who passes in her protocol guarantees that a witness exists satisfying some Q and A relation. And we show that the witness can be extracted from the prover in a black box fashion. And the proof uses technical components that essentially already existed in the Mahadev protocol and we just make the claim explicit. All right, so that's all I would like to say today. Thank you. And if there are any questions please feel free to reach out or to ask me at the question session.