post-quantum proof of knowledge from qlwe
TRANSCRIPT
![Page 1: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/1.jpg)
Post-QuantumProof of Knowledge from QLWE
Prabhanjan AnanthUC Santa Barbara
Joint work with:Kai-Min Chung (Academia Sinica, Taiwan),
Rolando L. La Placa (MIT → $$$)
(to appear in CRYPTO’21)
![Page 2: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/2.jpg)
Proof of Knowledge
Any classical prover who convinces a verifier to accept xmust know a valid witness for x .
![Page 3: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/3.jpg)
Preparing for Post-Quantum Era
![Page 4: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/4.jpg)
Post-Quantum Proof of Knowledge (PQPoK) for NP[Unruh’12]
Any quantum prover who convinces a verifier to accept xmust know a valid witness for x .
![Page 5: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/5.jpg)
Difference between Classical Prover and Quantum Prover
Classical Prover: intermediate states are binary strings.
Quantum Prover: intermediate states are quantum states.
Rewinding a quantum prover is difficult!
![Page 6: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/6.jpg)
Difference between Classical Prover and Quantum Prover
Classical Prover: intermediate states are binary strings.
Quantum Prover: intermediate states are quantum states.
Rewinding a quantum prover is difficult!
![Page 7: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/7.jpg)
Informal Definition of PQPoK for L
∀ quantum prover P∗,∃ black-box extractor E ,
Correctness of Extraction:
Pr [P∗ convinces verifier to accept x ] = ε
⇒ Pr[(ρE ,w)← EP∗
(x)∧
(x ,w) ∈ R(L)]
= ε′
P∗ can be computationally unbounded.
![Page 8: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/8.jpg)
Informal Definition of PQPoK for L
∀ quantum prover P∗,∃ black-box extractor E ,
Correctness of Extraction:
Pr [P∗ convinces verifier to accept x ] = ε
⇒ Pr[(ρE ,w)← EP∗
(x)∧
(x ,w) ∈ R(L)]
= ε′
P∗ can be computationally unbounded.
![Page 9: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/9.jpg)
Informal Definition of PQPoK for L
∀ quantum prover P∗,∃ black-box extractor E ,
Correctness of Extraction:
Pr [P∗ convinces verifier to accept x ] = ε
⇒ Pr[(ρE ,w)← EP∗
(x)∧
(x ,w) ∈ R(L)]
= ε′
P∗ can be computationally unbounded.
![Page 10: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/10.jpg)
Informal Definition of PQPoK for L
∀ quantum prover P∗,∃ black-box extractor E ,
Correctness of Extraction:
Pr [P∗ convinces verifier to accept x ] = ε
⇒ Pr[(ρE ,w)← EP∗
(x)∧
(x ,w) ∈ R(L)]
= ε′
Ideally: |ε′ − ε| = negl
![Page 11: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/11.jpg)
Informal Definition of PQPoK for L
Another useful property:
Indistinguishability of Extraction:
TD(ρV , ρE) = δ
(TD = Trace distance)
ρV : output state of P∗ after interacting with V .ρE : output of EP
∗.
Ideally: δ = negl
![Page 12: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/12.jpg)
Informal Definition of PQPoK for L
Another useful property:
Indistinguishability of Extraction:
TD(ρV , ρE) = δ
(TD = Trace distance)
ρV : output state of P∗ after interacting with V .ρE : output of EP
∗.
Ideally: δ = negl
![Page 13: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/13.jpg)
Application: Secure Computation
Simulator uses the extractor to extract adversary’s inputs
![Page 14: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/14.jpg)
Application: Secure Computation
Simulator uses the extractor to extract adversary’s inputs
![Page 15: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/15.jpg)
Application: Proof of Quantum Knowledge for QMA[Coladangelo-Vidick-Zhang’20]
Prover(x , |Ψ〉) Verifier(x)
X aZ b|Ψ〉
Post-Quantum PoK of (a, b)
Extractor can extract (a, b) and then recover |Ψ〉.
We use the fact here that (a, b) is classical.
![Page 16: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/16.jpg)
Application: Proof of Quantum Knowledge for QMA[Coladangelo-Vidick-Zhang’20]
Prover(x , |Ψ〉) Verifier(x)
X aZ b|Ψ〉
Post-Quantum PoK of (a, b)
Extractor can extract (a, b) and then recover |Ψ〉.
We use the fact here that (a, b) is classical.
![Page 17: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/17.jpg)
Application: Proof of Quantum Knowledge for QMA[Coladangelo-Vidick-Zhang’20]
Prover(x , |Ψ〉) Verifier(x)
X aZ b|Ψ〉
Post-Quantum PoK of (a, b)
Extractor can extract (a, b) and then recover |Ψ〉.
We use the fact here that (a, b) is classical.
![Page 18: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/18.jpg)
First work on Post-Quantum PoK: [Unruh Eurocrypt’12]
Followups rely upon Unruh’s technique.
![Page 19: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/19.jpg)
Drawback with Unruh
Unruh’s PQPoK does not satisfyindistinguishability of extraction property.
Prover’s state after extraction6≈
Prover’s state after verifier’s interaction.
![Page 20: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/20.jpg)
Drawback with Unruh
Unruh’s PQPoK does not satisfyindistinguishability of extraction property.
Prover’s state after extraction6≈
Prover’s state after verifier’s interaction.
![Page 21: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/21.jpg)
Q: is it necessary for the extractor to disturb the prover’s state inorder to learn the witness?
At first glance, could seem inherent:
Example: Prover could start with superposition of all the witnesses.If extractor learns w then prover’s state should have collapsed to w .
![Page 22: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/22.jpg)
Q: is it necessary for the extractor to disturb the prover’s state inorder to learn the witness?
At first glance, could seem inherent:
Example: Prover could start with superposition of all the witnesses.If extractor learns w then prover’s state should have collapsed to w .
![Page 23: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/23.jpg)
Q: is it necessary for the extractor to disturb the prover’s state inorder to learn the witness?
At first glance, could seem inherent:
Example: Prover could start with superposition of all the witnesses.If extractor learns w then prover’s state should have collapsed to w .
![Page 24: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/24.jpg)
Our Work
TheoremAssuming LWE is hard against quantum polynomial-timealgorithms,
There exists PQPoK for NP.
![Page 25: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/25.jpg)
Techniques
![Page 26: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/26.jpg)
Main Idea: Extraction via Oblivious Transfer
Warmup: extraction of first bit of witness.
![Page 27: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/27.jpg)
Main Idea: Extraction via Oblivious Transfer
Warmup: extraction of first bit of witness.
![Page 28: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/28.jpg)
Extraction of first bit of witness
Prover and Verifier run OT.Prover: role of senderVerifier: role of receiver.
Prover embeds w1 (1st bit of witness) in one of the twolocations at random.
Verifier randomly guesses the location.
If the guessed location is correct, verifier gets w1, o/w gets ⊥.
![Page 29: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/29.jpg)
Extraction of first bit of witness
Prover and Verifier run OT.Prover: role of senderVerifier: role of receiver.
Prover embeds w1 (1st bit of witness) in one of the twolocations at random.
Verifier randomly guesses the location.
If the guessed location is correct, verifier gets w1, o/w gets ⊥.
![Page 30: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/30.jpg)
Extraction of first bit of witness
Prover and Verifier run OT.Prover: role of senderVerifier: role of receiver.
Prover embeds w1 (1st bit of witness) in one of the twolocations at random.
Verifier randomly guesses the location.
If the guessed location is correct, verifier gets w1, o/w gets ⊥.
![Page 31: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/31.jpg)
Extraction of first bit of witness
Prover and Verifier run OT.Prover: role of senderVerifier: role of receiver.
Prover embeds w1 (1st bit of witness) in one of the twolocations at random.
Verifier randomly guesses the location.
If the guessed location is correct, verifier gets w1, o/w gets ⊥.
![Page 32: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/32.jpg)
First Attempt
Prover(x ,w) Verifier(x)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OT phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
b$←− {0, 1}
if b = 0, (m0,m1) = (w1,⊥)
if b = 1, (m0,m1) = (⊥,w1) b′$←− {0, 1}
Sender’s input: (m0,m1) OT Receiver’s input : b′
![Page 33: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/33.jpg)
Prover(x ,w) Verifier(x)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OT phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
b$←− {0, 1}
if b = 0, (m0,m1) = (w1,⊥)
if b = 1, (m0,m1) = (⊥,w1) b′$←− {0, 1}
Sender’s input: (m0,m1) OT Receiver’s input : b′
. . . . . . . . . . . . . . . . . . . . . . . . . . Zero-Knowledge Phase . . . . . . . . . . . . . . . . . . . . . . . . . .
Prove (x ,w) ∈ L ZK
and behaved honestly in OT
![Page 34: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/34.jpg)
Requirement:Post-Quantum ZK with soundness against
unbounded quantum provers.
![Page 35: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/35.jpg)
Extraction Process
Rewinding strategy:
Run the prover P in superposition.
If recovered message is a bit, store 0 in register X. Otherwisestore 1.
Measure X.
If the outcome is 0 then declare SUCCESS, otherwise TBD.
![Page 36: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/36.jpg)
Extraction Process
Rewinding strategy:
Run the prover P in superposition.
If recovered message is a bit, store 0 in register X. Otherwisestore 1.
Measure X.
If the outcome is 0 then declare SUCCESS, otherwise TBD.
![Page 37: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/37.jpg)
Extraction Process
Rewinding strategy:
Run the prover P in superposition.
If recovered message is a bit, store 0 in register X. Otherwisestore 1.
Measure X.
If the outcome is 0 then declare SUCCESS, otherwise TBD.
![Page 38: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/38.jpg)
Extraction Process
Rewinding strategy:
Run the prover P in superposition.
If recovered message is a bit, store 0 in register X. Otherwisestore 1.
Measure X.
If the outcome is 0 then declare SUCCESS, otherwise TBD.
![Page 39: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/39.jpg)
Extraction Process
Rewinding strategy:
Run the prover P in superposition.
If recovered message is a bit, store 0 in register X. Otherwisestore 1.
Measure X.
If the outcome is 0 then declare SUCCESS,
otherwise TBD.
![Page 40: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/40.jpg)
Extraction Process
Rewinding strategy:
Run the prover P in superposition.
If recovered message is a bit, store 0 in register X. Otherwisestore 1.
Measure X.
If the outcome is 0 then declare SUCCESS, otherwise TBD.
![Page 41: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/41.jpg)
TBD step: Can we perform Watrous rewinding?
Watrous rewinding only worksIF the measurement outcome doesn’t disturb the prover’s state.
![Page 42: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/42.jpg)
TBD step: Can we perform Watrous rewinding?
Watrous rewinding only worksIF the measurement outcome doesn’t disturb the prover’s state.
![Page 43: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/43.jpg)
Input auxiliary state of P∗ is |Ψ〉 = 1√2|Ψ0〉|0〉A + 1√
2|Ψ1〉|1〉A.
If the value in register A is 0 then use (⊥,⊥) in OT.If the value in register A is 1 then use (w1,w1) in OT.
- After rewinding, prover’s state is ≈ |Ψ1〉〈Ψ1|.- In the real world, prover’s state is ≈ 1
2 |Ψ0〉〈Ψ0|+ 12 |Ψ1〉〈Ψ1|.
TD(|Ψ1〉〈Ψ1|, 1
2 |Ψ0〉〈Ψ0|+ 12 |Ψ1〉〈Ψ1|
)is not small.
![Page 44: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/44.jpg)
Input auxiliary state of P∗ is |Ψ〉 = 1√2|Ψ0〉|0〉A + 1√
2|Ψ1〉|1〉A.
If the value in register A is 0 then use (⊥,⊥) in OT.If the value in register A is 1 then use (w1,w1) in OT.
- After rewinding, prover’s state is ≈ |Ψ1〉〈Ψ1|.- In the real world, prover’s state is ≈ 1
2 |Ψ0〉〈Ψ0|+ 12 |Ψ1〉〈Ψ1|.
TD(|Ψ1〉〈Ψ1|, 1
2 |Ψ0〉〈Ψ0|+ 12 |Ψ1〉〈Ψ1|
)is not small.
![Page 45: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/45.jpg)
Input auxiliary state of P∗ is |Ψ〉 = 1√2|Ψ0〉|0〉A + 1√
2|Ψ1〉|1〉A.
If the value in register A is 0 then use (⊥,⊥) in OT.If the value in register A is 1 then use (w1,w1) in OT.
- After rewinding, prover’s state is ≈ |Ψ1〉〈Ψ1|.- In the real world, prover’s state is ≈ 1
2 |Ψ0〉〈Ψ0|+ 12 |Ψ1〉〈Ψ1|.
TD(|Ψ1〉〈Ψ1|, 1
2 |Ψ0〉〈Ψ0|+ 12 |Ψ1〉〈Ψ1|
)is not small.
![Page 46: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/46.jpg)
Input auxiliary state of P∗ is |Ψ〉 = 1√2|Ψ0〉|0〉A + 1√
2|Ψ1〉|1〉A.
If the value in register A is 0 then use (⊥,⊥) in OT.If the value in register A is 1 then use (w1,w1) in OT.
- After rewinding, prover’s state is ≈ |Ψ1〉〈Ψ1|.- In the real world, prover’s state is ≈ 1
2 |Ψ0〉〈Ψ0|+ 12 |Ψ1〉〈Ψ1|.
TD(|Ψ1〉〈Ψ1|, 1
2 |Ψ0〉〈Ψ0|+ 12 |Ψ1〉〈Ψ1|
)is not small.
![Page 47: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/47.jpg)
Input auxiliary state of P∗ is |Ψ〉 = 1√2|Ψ0〉|0〉A + 1√
2|Ψ1〉|1〉A.
If the value in register A is 0 then use (⊥,⊥) in OT.If the value in register A is 1 then use (w1,w1) in OT.
- After rewinding, prover’s state is ≈ |Ψ1〉〈Ψ1|.- In the real world, prover’s state is ≈ 1
2 |Ψ0〉〈Ψ0|+ 12 |Ψ1〉〈Ψ1|.
TD(|Ψ1〉〈Ψ1|, 1
2 |Ψ0〉〈Ψ0|+ 12 |Ψ1〉〈Ψ1|
)is not small.
![Page 48: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/48.jpg)
Extraction Process
Rewinding strategy:
Run the prover P in superposition.
If recovered message is a bit, store 0 in register X. Otherwisestore 1.
Measure X.
If the outcome is 0 then declare SUCCESS, otherwise TBD.
FIX: modify the scheme to ensure that the measurement outcomedoes not affect the state.
![Page 49: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/49.jpg)
Extraction Process
Rewinding strategy:
Run the prover P in superposition.
If recovered message is a bit, store 0 in register X. Otherwisestore 1.
Measure X.
If the outcome is 0 then declare SUCCESS, otherwise TBD.
FIX: modify the scheme to ensure that the measurement outcomedoes not affect the state.
![Page 50: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/50.jpg)
Prover(x ,w) Verifier(x)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OT phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
b$←− {0, 1}
if b = 0, (m0,m1) = (w1, 0)
if b = 1, (m0,m1) = (0,w1) b′$←− {0, 1}
Sender’s input: (m0,m1) OT Receiver’s input : b′
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reveal Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Reveal b
![Page 51: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/51.jpg)
Extraction Process
Rewinding strategy:
Run the prover P in superposition.
If b = b′, store 0 in the register X. Otherwise store 1.
Measure X.
If the outcome is 0 then declare SUCCESS, otherwise TBD.
Pr[b = b′] ≈ 12 from OT security.
Since distribution of measurement outcomes is independent of auxstate=⇒
Measurement does not disturb the state.
![Page 52: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/52.jpg)
Extraction Process
Rewinding strategy:
Run the prover P in superposition.
If b = b′, store 0 in the register X. Otherwise store 1.
Measure X.
If the outcome is 0 then declare SUCCESS, otherwise TBD.
Pr[b = b′] ≈ 12 from OT security.
Since distribution of measurement outcomes is independent of auxstate=⇒
Measurement does not disturb the state.
![Page 53: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/53.jpg)
Extraction Process
Rewinding strategy:
Run the prover P in superposition.
If b = b′, store 0 in the register X. Otherwise store 1.
Measure X.
If the outcome is 0 then declare SUCCESS, otherwise TBD.
Pr[b = b′] ≈ 12 from OT security.
Since distribution of measurement outcomes is independent of auxstate
=⇒Measurement does not disturb the state.
![Page 54: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/54.jpg)
Extraction Process
Rewinding strategy:
Run the prover P in superposition.
If b = b′, store 0 in the register X. Otherwise store 1.
Measure X.
If the outcome is 0 then declare SUCCESS, otherwise TBD.
Pr[b = b′] ≈ 12 from OT security.
Since distribution of measurement outcomes is independent of auxstate=⇒
Measurement does not disturb the state.
![Page 55: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/55.jpg)
Extractor rewinds ONLY IF the guessed location is different from b.
![Page 56: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/56.jpg)
Extraction Process
Rewinding strategy:
Run the prover P in superposition.
If b = b′, store 0 in the register X. Otherwise store 1.
Measure X.
If the outcome is 0 then declare SUCCESS, otherwise performWatrous Rewinding.
![Page 57: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/57.jpg)
Why does checking b = b′ suffice?
Case 1. Prover does not cheat:Extractor extracts the first bit of the witness.
Case 2. Prover cheats:Extractor might have extracted garbage......but the prover will get caught in the ZK phase.
![Page 58: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/58.jpg)
Why does checking b = b′ suffice?
Case 1. Prover does not cheat:Extractor extracts the first bit of the witness.
Case 2. Prover cheats:Extractor might have extracted garbage......but the prover will get caught in the ZK phase.
![Page 59: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/59.jpg)
Why does checking b = b′ suffice?
Case 1. Prover does not cheat:Extractor extracts the first bit of the witness.
Case 2. Prover cheats:Extractor might have extracted garbage...
...but the prover will get caught in the ZK phase.
![Page 60: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/60.jpg)
Why does checking b = b′ suffice?
Case 1. Prover does not cheat:Extractor extracts the first bit of the witness.
Case 2. Prover cheats:Extractor might have extracted garbage......but the prover will get caught in the ZK phase.
![Page 61: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/61.jpg)
Protocol for extraction of 1st bit of witness
Prover(x ,w) Verifier(x)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OT phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
b$←− {0, 1}
if b = 0, (m0,m1) = (w1, 0)
if b = 1, (m0,m1) = (0,w1) b′$←− {0, 1}
Sender’s input: (m0,m1) OT Receiver’s input : b′
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reveal Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Reveal b
. . . . . . . . . . . . . . . . . . . . . . . . . . Zero-Knowledge Phase . . . . . . . . . . . . . . . . . . . . . . . . . .
· · ·
![Page 62: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/62.jpg)
Extractor extracts the first bit of witness
ISSUE: Verifier can also recover the first bit of the witnesswith probability 1
2
![Page 63: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/63.jpg)
Extractor extracts the first bit of witness
ISSUE: Verifier can also recover the first bit of the witnesswith probability 1
2
![Page 64: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/64.jpg)
Error reduction
![Page 65: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/65.jpg)
Error reduction
Prover additively secret shares w1 into sh1, . . . , sh`.
Prover invokes ` instantiations of OT.
It embeds shi into the i th instantiation of OT.
![Page 66: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/66.jpg)
Error reduction
Prover additively secret shares w1 into sh1, . . . , sh`.
Prover invokes ` instantiations of OT.
It embeds shi into the i th instantiation of OT.
![Page 67: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/67.jpg)
Error reduction
Prover additively secret shares w1 into sh1, . . . , sh`.
Prover invokes ` instantiations of OT.
It embeds shi into the i th instantiation of OT.
![Page 68: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/68.jpg)
Error reduction
Prover additively secret shares w1 into sh1, . . . , sh`.
Prover invokes ` instantiations of OT.
It embeds shi into the i th instantiation of OT.
![Page 69: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/69.jpg)
Prover(x ,w = w1 · · ·w`) Verifier(x)
. . . . . . . . . Amplified OT for w1 . . . . . . . . .
∀i , shi$←− {0, 1} : ⊕`
i=1shi = w1
![Page 70: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/70.jpg)
Prover(x ,w = w1 · · ·w`) Verifier(x)
. . . . . . . . . . . . . . . . . . . . . . . . . .Amplified OT for w1 . . . . . . . . . . . . . . . . . . . . . . . . . .
∀i < `, shi$←− {0, 1} : ⊕`
i=1shi = w1
b1$←− {0, 1} b′1
$←− {0, 1}
Sender:((1− b1) · sh1, b1 · sh1) OT Receiver : b′1
Reveal b1
![Page 71: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/71.jpg)
Prover(x ,w = w1 · · ·w`) Verifier(x)
. . . . . . . . . . . . . . . . . . . . . . . . . .Amplified OT for w1 . . . . . . . . . . . . . . . . . . . . . . . . . .
∀i < `, shi$←− {0, 1} : ⊕`
i=1shi = w1
b1$←− {0, 1} b′1
$←− {0, 1}
Sender:((1− b1) · sh1, b1 · sh1) OT Receiver : b′1
Reveal b1
· · ·
b`$←− {0, 1} b′`
$←− {0, 1}
Sender:((1− b`) · sh`, b` · sh`) OT Receiver : b`
Reveal b`
![Page 72: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/72.jpg)
So far: extraction of 1 bit of witness.
Repeat this process for all the bits of the witness!
![Page 73: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/73.jpg)
So far: extraction of 1 bit of witness.
Repeat this process for all the bits of the witness!
![Page 74: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/74.jpg)
Prover(x ,w) Verifier(x)
. . . . . . . . . . . . . . . . . . . . OT phase . . . . . . . . . . . . . . . . . . . .
Amplified OT for w1
· · ·
Amplified OT for w`
. . . . . . . . . . . . . . .Zero-Knowledge Phase. . . . . . . . . . . . . . .
· · ·
![Page 75: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/75.jpg)
Instantiation of OT
OT needs to have security against unbounded senders
Security against unbounded senders⇒
security against unbounded P
Current known instantiations don’t satisfy security againstquantum poly-time receivers.
![Page 76: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/76.jpg)
Instantiation of OT
OT needs to have security against unbounded senders
Security against unbounded senders⇒
security against unbounded P
Current known instantiations don’t satisfy security againstquantum poly-time receivers.
![Page 77: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/77.jpg)
Instantiation of OT
OT needs to have security against unbounded senders
Security against unbounded senders⇒
security against unbounded P
Current known instantiations don’t satisfy security againstquantum poly-time receivers.
![Page 78: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/78.jpg)
Instantiation of OT
OT needs to have security against unbounded senders
Security against unbounded senders⇒
security against unbounded P
Current known instantiations don’t satisfy security againstquantum poly-time receivers.
![Page 79: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/79.jpg)
Construction of Post-Quantum OT
Goal: OT satisfying the following:Security against unbounded senders.Post-quantum security against receivers.
Start with OT satisfying:Security against unbounded receivers.Post-quantum security against senders.
Construction from quantum hardness of LWE: [Brakerski-Döttling’18]
![Page 80: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/80.jpg)
Construction of Post-Quantum OT
Goal: OT satisfying the following:Security against unbounded senders.Post-quantum security against receivers.
Start with OT satisfying:Security against unbounded receivers.Post-quantum security against senders.
Construction from quantum hardness of LWE: [Brakerski-Döttling’18]
![Page 81: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/81.jpg)
Construction of Post-Quantum OT
Goal: OT satisfying the following:Security against unbounded senders.Post-quantum security against receivers.
Start with OT satisfying:Security against unbounded receivers.Post-quantum security against senders.
Construction from quantum hardness of LWE: [Brakerski-Döttling’18]
![Page 82: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/82.jpg)
Start with OT satisfying:Security against unbounded receivers.Post-quantum security against senders.
Steps:OT reversal [WW’06,KKS’18,GJJM’20]
Use a post-quantum statistical ZK: to prove correctness of OT.
This protocol can be extended (painfully)to the setting of bounded concurrent quantum ZK.
![Page 83: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/83.jpg)
Start with OT satisfying:Security against unbounded receivers.Post-quantum security against senders.
Steps:OT reversal [WW’06,KKS’18,GJJM’20]
Use a post-quantum statistical ZK: to prove correctness of OT.
This protocol can be extended (painfully)to the setting of bounded concurrent quantum ZK.
![Page 84: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/84.jpg)
Start with OT satisfying:Security against unbounded receivers.Post-quantum security against senders.
Steps:OT reversal [WW’06,KKS’18,GJJM’20]
Use a post-quantum statistical ZK: to prove correctness of OT.
This protocol can be extended (painfully)to the setting of bounded concurrent quantum ZK.
![Page 85: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/85.jpg)
Summary
New construction of PQ PoK
Improves upon [Unruh’12]’s PQ PoK.
Thanks!
![Page 86: Post-Quantum Proof of Knowledge from QLWE](https://reader031.vdocument.in/reader031/viewer/2022032812/623f1b6a009c6934d83deeaa/html5/thumbnails/86.jpg)
Summary
New construction of PQ PoK
Improves upon [Unruh’12]’s PQ PoK.
Thanks!