Computationally Binding Quantum Commitments
Abstract
We present a new definition of computationally binding commitment schemes in the quantum setting, which we call “collapse-binding”. The definition applies to string commitments, composes in parallel, and works well with rewinding-based proofs. We give simple constructions of collapse-binding commitments in the random oracle model, giving evidence that they can be realized from hash functions like SHA3. We evidence the usefulness of our definition by constructing three-round statistical zero-knowledge quantum arguments of knowledge for all NP languages.
Keywords: Quantum Zero-Knowledge, Quantum Arguments, Random Oracle, Commitment Scheme, Quantum Setting
1 Introduction
We study the definition and construction of computationally binding string commitment schemes in the quantum setting. A commitment scheme is a two-party protocol consisting of two phases, the commit and the open phase. The goal of the commitment is to allow the sender to transmit information related to a message m during the commit phase in such a way that the recipient learns nothing about the message (hiding property). But at the same time, the sender cannot change his mind later about the message (binding property). Later, in the open phase, the sender reveals the message m and proves that this was indeed the message that he had in mind earlier. We will focus on non-interactive classical commitments, that is, the commit and the open phase each consist of a single classical message. However, the adversary who tries to break the binding or hiding property will be a quantum-polynomial-time algorithm. At first glance, it seems that the definition of the binding property in this setting is straightforward; we just take the classical definition but consider quantum adversaries instead of classical ones:
Definition 1
(Classical-Style Binding – Informal). No quantum-polynomial-time algorithm A can output, except with negligible probability, a commitment c (i.e., the message sent during the commit phase) as well as two openings \(u,u'\) that open c to two different messages \(m,m'\).
(Formal definition in Sect. 2). Unfortunately, this definition turns out to be inadequate in the quantum setting. Ambainis et al. [1] show the existence of a commitment scheme (relative to a special oracle) such that: The commitment is classical-style binding. Yet there exists a quantum-polynomial-time adversary A that outputs a commitment c, then expects a message m as input, and then provides valid opening information for c and m. That is, the adversary can open the commitment c to any message of his choosing, even if he learns that message only after committing. This is in clear contradiction to the intuition of the binding property. How is this possible, given that Definition 1 says that the adversary cannot produce two different openings for the same commitment? In the construction from [1], the adversary has a quantum state \(|\varPsi\rangle\) that allows him to compute one opening for a message of his choosing; however, this computation destroys the state \(|\varPsi\rangle\). Thus, the adversary cannot compute two openings simultaneously, hence the commitment is classical-style binding. But he can open the commitment to an arbitrary message once, which shows that the commitment scheme is basically useless despite being classical-style binding.
1.1 Prior Definitions
We now discuss various definitions that appeared in the literature and that circumvent the above limitation of the classical-style binding property. (We do not discuss the hiding property here, because that one does not have any comparable problems. See Definition 10 below for the definition of hiding.) In each case, we discuss some limitations of the definitions to motivate the need for a new definition for computationally binding commitments. The reader only interested in our results can safely skip this section.
Sum-Binding. The most obvious solution is to simply require that the adversary cannot open successfully to each of two messages. That is:
Definition 2
(Sum-Binding – Informal). Consider a bit commitment scheme. (I.e., one can only commit to \(m=0\) or \(m=1\).)
Given an adversary A, let \(p_b\) be the probability that the recipient accepts in the following execution: A commits, then A is given b, and then A provides opening information for message b. A commitment is sum-binding iff for any quantum-polynomial-time adversary A, \(p_0+p_1\le 1+ negligible \).
Note that even with an ideal commitment, \(p_0+p_1=1\) is possible (the adversary just picks \(b:=0\) in the commit phase with probability \(p_0\), and \(b:=1\) otherwise). So \(p_0+p_1\le 1+ negligible \) is the best we can expect if we allow for a negligible probability of an attack. The sum-binding definition has occurred implicitly and explicitly in different variants in [4, 6, 8, 13, 15]. We use the name sum-binding here to distinguish it from the other definitions of binding discussed here, since it does not have an established name.

It is specific to the bit commitment case. There is no straightforward generalization to the string commitment case (i.e., where the message m does not have to be a single bit). See [6] for a discussion of why obvious approaches fail.

It is unclear how the definition behaves when we use the commitment several times. (I.e., it is not clear how it behaves under composition.) For example, given bits \(m_1,\dots ,m_n\), what are the security guarantees if we commit to each of the \(m_i\)? (Be it in parallel, or sequentially.) Basically, we would expect that all commitments together form a binding commitment on the string \(m=m_1\dots m_n\), but this is something we cannot even express using the sum-binding definition.

It is not clear how useful sum-binding commitments are as sub-protocols in larger protocols. That is, is the sum-binding property strong enough to allow proving the security of complex protocols that use commitments? While there are constructions of sum-binding commitments in the literature (e.g., [13]), we are not aware of research where (computational) sum-binding commitments are used as sub-protocols.
Definition 3
(CDMS-Binding – Informal). Let F be a family of functions. Fix a string commitment scheme. For \(f\in F\), let \(\tilde{p}^f_y\) be the probability that the recipient accepts in the following execution: A commits. A gets y. A tries to open the commitment to some m with \(f(m)=y\).
We call the commitment scheme F-CDMS-binding iff for all adversaries A and all \(f\in F\), we have \(\sum _y \tilde{p}^f_y\le 1+ negligible \).
Now if all \(f\in F\) have a polynomial-size range, the sum \(\sum _y \tilde{p}^f_y\) will have polynomially many summands. The intuition behind this definition is that every function \(f\in F\) represents some property of the committed message m (e.g., f(m) is the parity of m). Then, if a commitment scheme is F-CDMS-binding, this intuitively means that although the adversary might be able to change his mind about the message m, he cannot change his mind about f(m). (E.g., if the parity function is in F, this means that the adversary is committed to the parity of the message m.) [6] successfully used this definition (for a specific class F) to show that using quantum communication and a commitment, we can construct an oblivious transfer protocol. (Note however that their protocol is different and more complex than the original OT protocol from [2].)

The definition is parametrized by a specific family F of functions that specifies in which way the commitment should be binding. This function family has to be chosen depending on the particular use case. This makes the definition less universal and canonical.

To the best of our knowledge, no construction of CDMS-binding commitments is known. Crépeau et al. [6] conjecture that the protocol from [7] can be extended to a CDMS-binding one for functions F with small range, but no proof or construction is given.

It is not known whether the definition is composable. If we commit to messages \(m_1,\ldots ,m_n\) individually using F-CDMS-binding commitments, does this constitute an \(F'\)-CDMS-binding commitment on \(m:=m_1\Vert \dots \Vert m_n\)? If so, for which \(F'\)?

While CDMS-binding commitments have successfully been used in a larger protocol (namely, the OT protocol from [6]), we believe that in many contexts, the definition is still not very easy to use. At least in classical cryptography, one often uses the fact that it is possible to extract the committed message by rewinding (basically, one runs the open phase, saves the opened message, and rewinds to before the open phase). It is not clear how to do that with CDMS-binding commitments. For example, it is not clear how one could use CDMS-binding commitments in the construction of sigma-protocols that are quantum arguments of knowledge (as done in Sect. 7 below using our definition of binding commitments).
Definition 4
(Perfectly-Binding – Informal). A commitment scheme is perfectly-binding if there exists no tuple \((c,m,u,m',u')\) with \(m\ne m'\) such that u is a valid opening for c with message m, and \(u'\) is a valid opening for c with message \(m'\).

A perfectly-binding commitment cannot be statistically hiding [15]. That is, the hiding property cannot hold against computationally unlimited adversaries. That means that we give up on information-theoretic security for one party just because we do not have a suitable definition for the computationally-binding property. For example, the constructions in [19] are only computational zero-knowledge (not statistical zero-knowledge) because perfectly-binding commitments are used.

Perfectly-binding commitments cannot be short. That is, the length of the commitment must be at least the length of the committed message (otherwise, by counting, two different messages would share a commitment). So by using only perfectly-binding commitments, we may lose efficiency.

UC commitments do not exist without the use of additional setup such as, e.g., a common reference string (CRS). It is possible to choose the CRS in a precomputation phase using a coin-toss protocol [12]. But that increases the round complexity of the resulting protocol (and, incidentally, loses the UC security and possibly even the concurrent composability of the resulting protocol).

In the construction of UC-secure commitment schemes, trapdoors are used that allow the simulator to extract the committed message. This implies that constructions of UC-secure commitments are usually more complex, less efficient, and use stronger computational assumptions.

At least when using a CRS, UC commitments cannot be short.
Damgård et al. [9] use so-called dual-mode commitments; these are somewhat weaker than UC commitments. Yet, they also use extraction via a trapdoor in the CRS. Hence the disadvantages of UC commitments apply to dual-mode commitments as well.
Q-Binding. Damgård et al. [11] give another definition for computationally binding string commitments. Intuitively, the definition says that an adversary who uses the commitment has negligible advantage in a “betting game” over an adversary that has to use perfect commitments. Here, a betting game is represented as an arbitrary predicate on the opened values in the commitments, and on some random input that the adversary learns only after committing. (E.g., a bet could be: the sum of all opened values equals the random value u that the adversary learns just before opening.) Somewhat more formally:
Definition 5
(Q-Binding – Informal). For an adversary A and a predicate Q, consider the following game: A outputs commitments \(C_1,\dots ,C_N\). Then A gets a random bitstring u. Then A opens a subset \(\mathbf A\) of the commitments; let \((s_i)_{i\in \mathbf A}\) be the contents. A wins if \(Q(\mathbf A,(s_i)_{i\in \mathbf A},u)=1\).
A commitment scheme is Q-binding iff for any quantum-polynomial-time A and any predicate Q, the adversary A wins with probability at most \(p_\mathsf {IDEAL}+ negl \), where \(p_\mathsf {IDEAL}\) is the maximum winning probability when using a perfectly binding commitment.
The definition overcomes some of the problems of the CDMS-binding definition. In particular, there is no need to parametrize the definition with a class F of functions, specifically chosen to fit the use case at hand. Also, the Q-binding definition composes in parallel: if a commitment scheme is Q-binding, then the commitment scheme resulting from committing to each of \(m_1,\dots ,m_n\) individually is Q-binding, too. (This should come as no surprise, since the Q-binding definition itself explicitly refers to a polynomial number of parallel copies of the commitment scheme.) The definition seems particularly well-suited for commit-and-choose constructions (i.e., where one party commits to a set of values, and the other party selects which of them should be opened), since security when opening a specific subset is built into the definition. [11] give a generic construction for unconditionally hiding Q-binding equivocal trapdoor commitments from a certain class of sigma-protocols. They show that using such commitments, sigma-protocols can be converted into statistical quantum zero-knowledge arguments in the CRS model.

The only known construction of unconditionally hiding Q-binding commitments is actually an equivocal trapdoor commitment. Trapdoor commitments usually need stronger assumptions. Note also that no protocols using non-equivocal Q-binding commitments are known (the zero-knowledge protocols in [11] need the trapdoor because they are constructed following the “no quantum rewinding paradigm”). And, due to the absence of rewinding, the zero-knowledge protocols only work in the CRS model.

The possibility for parallel composition might be limited: It follows directly from the definition that Q-binding commitments on \(m_1,\ldots ,m_n\) form a Q-binding commitment on \(m=m_1\ldots m_n\). However, it is not clear what happens if we commit to \(m_1,\dots ,m_n\) using different Q-binding commitments. (Or the same Q-binding commitment, but using different public keys.)

The definition is specialized for the commit-and-choose paradigm. It is unclear how it can be used in rewinding-based proofs. (On the other hand, in commit-and-choose situations, Q-binding commitments might be more suitable than those we propose; whether this is the case constitutes future work.)
Summarizing, Q-binding commitments seem to be well suited for commit-and-choose constructions, but for proofs involving rewinding, we need another definition.
DFRSS-Binding. Damgård et al. [10] presented a definition for the unconditional binding property, targeted mainly at the bounded quantum storage model; the following is a direct adaptation of their definition to the computational setting:
Definition 6
(DFRSS-Binding – Adapted). In a commitment, let V denote the recipient’s classical state, and Z the sender’s classical state.
A bit commitment is DFRSS-binding iff for any quantum-polynomial-time sender \(\tilde{C}\), there exists a randomized function \(B'\) such that the following holds:
Let \(\tilde{C}\) and the honest recipient execute the commit phase. Compute \(b':=B'(V,Z)\). Let \(\tilde{C}(b')\) and the honest recipient execute the open phase. Let b denote the opened bit (or \(\bot \) if the recipient does not accept). Then \(\Pr [b'\ne b]\) is negligible.
In other words, given the classical part of the state of the recipient and the sender, it is possible to extract what bit the sender will open to. (The extraction does not have to be efficiently feasible.) The definition can be extended to string commitments by letting \(B'\) range over bitstrings.
We have changed the original definition from [10] to refer to quantum-polynomial-time adversaries. (We also reformulated it for easier readability, changing a number of technical details in the process. However, the current definition is in the spirit of the original, and our discussion also applies to the original formulation.)
The definition was originally intended for protocols in the bounded quantum storage model. What happens if we use it in the standard model, i.e., with no limit on the quantum memory of the sender? In this case, it is always possible for the malicious sender to perform all his operations in superposition, and only the recipient will perform measurements. Then, in Definition 6, the register Z will be empty. Hence the definition requires that the committed bit \(b'\) can be computed from the recipient’s state V alone. This immediately implies that the scheme cannot be statistically hiding, and that the commitments cannot be shorter than the message.
Hence the DFRSS-binding definition shares the drawbacks of the perfectly-binding definition, unless we are in the bounded quantum storage model. (We stress that [10] never claimed that the definition should be used outside the bounded quantum storage model.)
1.2 Our Contribution
We give a new definition for the computational-binding property for commitment schemes, called “collapse-binding” (Sect. 2). This definition is composable (several collapse-binding commitments are also collapse-binding together), works well with quantum rewinding (see below), does not conflict with statistical hiding (as perfectly-binding commitments would), and allows for short commitments (i.e., the commitment can be shorter than the committed message, in contrast to perfectly-binding commitments and to extractable commitments in the CRS model). Basically, collapse-binding commitments seem to be in the quantum setting what computationally-binding commitments are in the classical setting.
We show that collision-resistant hash functions are not sufficient for getting collapse-binding or even just sum-binding commitments (Sect. 3), at least when using standard constructions, and relative to an oracle. We present a strengthening of collision-resistant hash functions, “collapsing hash functions”, that can serve as a drop-in replacement for collision-resistant hash functions (Sect. 4). Using collapsing hash functions, we show several standard constructions of commitments to be collapse-binding (Sect. 5).
We conjecture that standard cryptographic hash functions such as SHA3 [17] are collapsing (and thus lead to collapsebinding commitments). We give evidence for this conjecture by proving that the random oracle is a collapsing hash function.
We show that the definition of collapse-binding commitments is usable by extending the construction of quantum proofs of knowledge from [19] (Sect. 7). That construction uses perfectly-binding commitments (actually, strict-binding, which is slightly stronger) to get proofs of knowledge. We show that when replacing the perfectly-binding commitments with collapse-binding ones, we get statistical zero-knowledge quantum arguments of knowledge. In particular, this shows that collapse-binding commitments work well together with rewinding.
1.3 Our Techniques
To express this more formally, consider the circuit in Fig. 1(a). Here the adversary A outputs a commitment c (a classical message). Furthermore, he outputs three quantum registers S, U, M. S contains his state. M is supposed to contain a superposition of messages, U a superposition of corresponding opening information. Then we apply the measurement \(V_c\). This measurement measures whether U, M contain matching opening information and message. More formally, \(V_c\) measures whether U, M is a superposition of states \(|u,m\rangle\) such that u is valid opening information for message m and commitment c. Let \(ok=1\) if the measurement succeeds. Then we feed the registers S, U, M back to the second part B of the adversary. B outputs a classical bit b. As discussed before, a commitment is perfectly-binding iff for all adversaries A, the state of M after measuring \(ok=1\) is a computational basis vector.
The state of a register is a computational basis vector (or, synonymously: is in a collapsed state) iff measuring that register in the computational basis does not change that state. Consider the circuit in Fig. 1(b). Here we added a measurement \(M_{ok}\) on M after \(V_c\). \(M_{ok}\) is a complete measurement in the computational basis, but is executed only if \(ok=1\). Since \(M_{ok}\) disturbs the state of M iff that state is not a computational basis vector, we can rephrase the definition of perfectly-binding commitments:
A commitment is perfectly-binding iff, for all computationally unlimited adversaries A, B, \(\Pr [b=1]\) is equal in Fig. 1(a) and (b), where b is the output (i.e., guess) of B.
Now we are ready to weaken this characterization to get a computational binding property. Basically, we require that the same holds for quantumpolynomialtime adversaries:
Definition 7
(Collapse-Binding – Informal). A commitment is collapse-binding iff, for all quantum-polynomial-time adversaries A, B, \(\Pr [b=1]\) in Fig. 1(a) is negligibly close to \(\Pr [b=1]\) in Fig. 1(b).
In other words, with a perfectly-binding commitment, the adversary cannot produce a superposition of different messages that are contained in the commitment. But with a collapse-binding commitment, the adversary is forced to produce a state that looks like it is not a superposition of different messages. For the purpose of computational security, this will often be as good.
We quickly explain why collapse-binding commitments work well with quantum rewinding. In the case of quantum rewinding (e.g., in the analysis of proofs of knowledge [19]), one problem is that we might need to run an adversary until he opens a commitment c, then measure the opened message, and then go back to an earlier state by applying the inverse of the adversary. The problem is that measuring the opened message will disturb the state of the adversary, and thus make rewinding impossible. Except: if the opened message cannot be distinguished from being already in a collapsed state (as guaranteed by collapse-binding), then measuring the opened message does not disturb the state in a noticeable way and we can rewind. (See the discussion on arguments of knowledge below.)
Constructing Collapse-Binding Commitments. Collapse-binding commitments are useful only if they exist. Perfectly-binding commitments are easily seen to be collapse-binding, but then we cannot have statistically hiding or short commitments. In the classical setting, we get practical computationally-binding commitments from a collision-resistant hash function H. The most obvious construction is to send \(c:=H(m\Vert u)\) for uniformly random u of suitable length. We call this the “canonical commitment”. The canonical commitment is easily seen to be classical-style binding if H is collision-resistant, and it is statistically hiding if H is a random oracle. To get rid of the random-oracle requirement, we can use the somewhat more complex constructions by Halevi and Micali [14] instead. Unfortunately, both the canonical commitment and the Halevi-Micali commitments are not collapse-binding if H is merely collision-resistant. In fact, relative to a specific oracle and using a specific collision-resistant hash function, there is a total break where the adversary can unveil the commitment to any message of his choosing. To show this, we tweak the technique from [1] to construct a hash function H such that the adversary can sample an image c of H together with a quantum state \(|\varPsi\rangle\) such that: Given the state \(|\varPsi\rangle\), for any m, the adversary can find a random u with \(H(m\Vert u)=c\). But this process destroys \(|\varPsi\rangle\), so the adversary cannot find two preimages of c; the hash function is collision-resistant. But the canonical commitment, based on this H, is trivially broken. Similar constructions break the Halevi-Micali commitments.
Since collision-resistance seems too weak a property in the quantum setting (at least for our purposes), we give a strengthening of collision-resistance: collapsing hash functions:
Definition 8
(Collapsing Hash Function – Informal). An adversary is valid if he outputs a classical value c, and a register M containing a superposition of messages m with \(H(m)=c\). We call H collapsing iff no quantum-polynomial-time adversary can distinguish whether we measure M in the computational basis or not, before giving the register M back to the adversary. (This is formalized with games similar to those in Fig. 1.)
We can show that collapsing hash functions are collision-resistant, and they share a number of structural properties with collision-resistant functions. E.g., injective functions are collapsing, and the composition \(H\circ H'\) of collapsing functions is collapsing.
Due to the similarity between the definition of collapsing hash functions and collapse-binding commitments, we can show that the canonical commitment and the Halevi-Micali commitments are collapse-binding if H is collapsing.
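The following is an added example, not code from the paper. It implements the canonical commitment \(c:=H(m\Vert u)\) with SHA3-256 (commit, open, verify), and then simulates the two games of Fig. 1 on a toy scale: the adversary's registers (M, U) hold a uniform superposition over all openings of a commitment c under a small hash h, \(V_c\) is the projection onto valid openings, \(M_{ok}\) is the computational-basis measurement of M, and B tests whether the registers it gets back are still the state it prepared. The assumptions are ours: amplitudes are real, the adversary's private register S is omitted, B's test is a projection onto the prepared state, and the two toy hash functions on 2-bit inputs are constructed for the example. The quantity the simulation computes, \(\sum_m p_m^2\) where \(p_m\) is the mass of message m in register M, is 1 exactly when M holds a single message (the injective case, which the text says is collapsing) and strictly smaller otherwise, which is what makes the measurement detectable.

```python
"""Added example, not code from the paper: the canonical commitment c = H(m||u)
with SHA3-256, plus a toy state-vector simulation of the two games of Fig. 1.
Assumptions (not from the page): amplitudes are real; the adversary's private
register S is omitted; the toy hash functions act on 2-bit m and u so that the
preimage sets can be enumerated; B's test is 'project onto the state A prepared'."""
import hashlib
import os
from itertools import product
from math import sqrt
from typing import Callable, Dict, Optional, Tuple

# ---- canonical commitment with a real hash ------------------------------------
RAND_LEN = 32  # fixed-length u, so m||u cannot be re-parsed as a different m'||u'


def sha3(x: bytes) -> bytes:
    return hashlib.sha3_256(x).digest()


def commit(m: bytes, u: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Commit phase: c = H(m||u) for uniformly random u; u is the opening information."""
    if u is None:
        u = os.urandom(RAND_LEN)
    return sha3(m + u), u


def verify(c: bytes, m: bytes, u: bytes) -> bool:
    """Open phase: the recipient recomputes H(m||u) and compares it with c."""
    return len(u) == RAND_LEN and sha3(m + u) == c


# ---- toy simulation of Fig. 1 --------------------------------------------------
ToyHash = Callable[[int, int], int]   # h(m, u) on 2-bit m, u
State = Dict[Tuple[int, int], float]  # superposition over (m, u): label -> amplitude
N = 4                                  # m and u range over {0, 1, 2, 3}


def adversary_state(h: ToyHash, c: int) -> State:
    """Registers (M, U) output by A: the uniform superposition of all (m, u) with
    h(m, u) = c, i.e. every branch is a valid opening of the commitment c."""
    pre = [(m, u) for m, u in product(range(N), range(N)) if h(m, u) == c]
    if not pre:
        raise ValueError("c has no preimage under h")
    amp = 1.0 / sqrt(len(pre))
    return {label: amp for label in pre}


def measure_v_c(state: State, h: ToyHash, c: int) -> State:
    """The measurement V_c of Fig. 1: project onto branches where u opens c to m.
    Returns the renormalised post-measurement state for outcome ok = 1."""
    kept = {label: a for label, a in state.items() if h(*label) == c}
    norm = sqrt(sum(a * a for a in kept.values()))
    return {label: a / norm for label, a in kept.items()}


def message_masses(state: State) -> Dict[int, float]:
    """p_m: probability that measuring register M in the computational basis gives m."""
    p: Dict[int, float] = {}
    for (m, _), a in state.items():
        p[m] = p.get(m, 0.0) + a * a
    return p


def prob_b_outputs_1(state: State, apply_m_ok: bool) -> float:
    """B's output bit: b = 1 iff the returned registers are still the state |psi> that
    A prepared (a projective test B can run because it knows |psi>).
    Fig. 1(a), no M_ok: the registers are untouched, so Pr[b=1] = 1.
    Fig. 1(b), M_ok applied: outcome m has probability p_m and leaves the branch
    Pi_m|psi>/sqrt(p_m), whose squared overlap with |psi> is p_m; so Pr[b=1] = sum_m p_m^2."""
    if not apply_m_ok:
        return 1.0
    return sum(p * p for p in message_masses(state).values())


def collapse_advantage(h: ToyHash, c: int) -> float:
    """|Pr[b=1] in Fig. 1(a) - Pr[b=1] in Fig. 1(b)| for this (A, B) against h."""
    st = measure_v_c(adversary_state(h, c), h, c)
    return abs(prob_b_outputs_1(st, False) - prob_b_outputs_1(st, True))


# constructed toy hash functions (not from the page)
def h_injective(m: int, u: int) -> int:
    return 4 * m + u      # injective, so M holds a single message: advantage 0


def h_sum_mod4(m: int, u: int) -> int:
    return (m + u) % 4    # 4-to-1; each c has 4 preimages with 4 distinct m


if __name__ == "__main__":
    c, u = commit(b"attack at dawn")
    print("open ok:", verify(c, b"attack at dawn", u), "wrong m:", verify(c, b"attack at dusk", u))
    print("advantage, injective h:", collapse_advantage(h_injective, 5))  # 0.0
    print("advantage, 4-to-1 h:   ", collapse_advantage(h_sum_mod4, 1))   # 0.75
```

With the 4-to-1 toy hash the adversary can put four different messages into M with mass 1/4 each, so measuring M leaves B with a state that passes its test only with probability \(4\cdot(1/4)^2 = 1/4\): a distinguishing advantage of 0.75. Against the injective hash the register holds one message and the advantage is exactly 0. Nothing here says anything about how hard it is to prepare such a superposition for SHA3-256 itself; that is precisely the collapsing conjecture of the text.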
However, this leaves the question: do collapsing functions exist in the first place? We conjecture that common industrial hash functions like SHA3 [17] are actually collapsing (not only collision-resistant). In fact, we argue that the collapsing property should be a requirement for the design of future hash functions (in the sense that a hash function where the collapsing property is in doubt should not be selected for industry standards), since collision-resistance is not sufficient if we wish to achieve post-quantum secure cryptography. We support our conjecture that sufficiently unstructured functions are collapsing by proving that the random oracle is collapsing:
Random Oracles Are Collapsing. We now sketch on a high level our proof that random oracles are collapsing, or, equivalently, that a random function is collapsing with high probability. In our analysis, we assume that the adversary can query the random oracle on a superposition of different inputs; this is necessary for a realistic modeling of hash functions [3]. As a first step, we identify a new property, “half-collision resistance”:
Definition 9
(Half-Collision Resistance – Informal). A half-collision of H is a string x such that there exists an \(x'\ne x\) with \(H(x')=H(x)\). A hash function H is half-collision resistant if no adversary does the following: He outputs a half-collision with non-negligible probability. And he never outputs a non-half-collision. (The adversary may output \(\bot \) though.)
That is, half-collision resistance says that the adversary cannot find non-injective inputs to H without sometimes accidentally outputting injective inputs. We show: if H is half-collision resistant, it is collapsing.
The proof idea is: if H is not collapsing, the adversary can produce a superposition M of messages m with \(H(m)=c\) and notice whether M is being measured. The latter implies that M must be a superposition of at least two messages m with \(H(m)=c\). Hence by measuring M, the adversary gets a halfcollision. Much additional work is needed to make sure that the adversary does not accidentally measure the register M when it is not a nontrivial superposition.
(The half-collision resistance property might be useful independently of the proof that the random oracle is collapsing. When trying to construct collapsing hash functions based on other assumptions, half-collision resistance might be easier to verify since its definition consists of purely classical games.)
Next we construct a random function \(H^*:X\rightarrow Y\) with \(|Y|=\frac{2}{3}|X|\). That is, \(H^*\) is slightly compressing. The domain of \(H^*\) is partitioned into two sets \(X_1,X_2\) with \(|X_1|=2|X_2|\). \(H^*\) is injective on \(X_2\), and 2-to-1 on \(X_1\). Besides those constraints, \(H^*\) is uniformly random. We can then show that \(H^*\) is half-collision resistant. (Basically, this means that the adversary cannot identify the subset \(X_1\).) Furthermore, we can show that \(H^*\) is indistinguishable from a random function \(H:X\rightarrow Y\). Since \(H^*\) is half-collision resistant, it is collapsing. And since H is indistinguishable from \(H^*\), H is collapsing.
We now know that random functions \(H:X\rightarrow Y\) are collapsing if \(|Y|=\frac{2}{3}|X|\) (i.e., if they are slightly compressing). However, we want H to be collapsing for arbitrary X and Y, as long as Y has superpolynomial size. For \(|X|\le |Y|\), H is indistinguishable from a random injection, which in turn is collapsing. The interesting case is \(|X| > |Y|\) (namely, when H is compressing). In this case, we show (following an idea from [24]) that H can be written as \(H=f_n\circ \dots \circ f_1\) where all \(f_i\) are slightly compressing. Since all \(f_i\) are collapsing, so is H. This shows that a random function H is collapsing, in other words, that the random oracle is collapsing (if its range has superpolynomial size).
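As an added example (not code from the paper), here is a small explicit instance of the function \(H^*\) from the proof sketch together with a brute-force half-collision test in the sense of Definition 9. It fixes sizes \(|X|=3k\), \(|Y|=2k\), \(|X_1|=2k\), \(|X_2|=k\), and reads “uniformly random besides those constraints” as: the pairing within \(X_1\), the partition of X, and the assignment of images are all uniformly random, with the image of \(X_1\) and the image of \(X_2\) disjoint (so \(H^*\) is onto Y). That disjointness is our assumption; it is what makes the half-collisions of \(H^*\) exactly the set \(X_1\), i.e. an adversary that outputs a half-collision of \(H^*\) has identified an element of \(X_1\). Domain elements are the integers \(0,\dots,3k-1\) and the seed is constructed for the example.

```python
"""Added example, not code from the paper: a small instance of the function H* from
the proof sketch and a brute-force check of the half-collision notion of Definition 9.
Assumptions (not stated on the page): |X| = 3k, |Y| = 2k, |X_1| = 2k, |X_2| = k; H* is
sampled uniformly among functions that are 2-to-1 on X_1 and injective on X_2 with the
two images disjoint, so H* is onto Y and X_1 is exactly its set of half-collisions.
Domain elements are the integers 0..3k-1; the seed is constructed for the example."""
import random
from typing import Dict, FrozenSet, List, Tuple

Func = Dict[int, int]


def build_h_star(k: int, seed: int = 0) -> Tuple[Func, FrozenSet[int], FrozenSet[int]]:
    """Sample H*: X -> Y as described above; return (H*, X_1, X_2)."""
    rng = random.Random(seed)
    xs = list(range(3 * k))
    ys = list(range(2 * k))
    rng.shuffle(xs)                 # random partition of X into X_1 (size 2k), X_2 (size k)
    x1, x2 = xs[:2 * k], xs[2 * k:]
    rng.shuffle(ys)                 # random split of Y into the images of X_1 and X_2
    y1, y2 = ys[:k], ys[k:]
    h: Func = {}
    for i, x in enumerate(x1):      # consecutive pairs of the shuffled X_1 share an image
        h[x] = y1[i // 2]
    for i, x in enumerate(x2):      # X_2 is mapped bijectively onto y2
        h[x] = y2[i]
    return h, frozenset(x1), frozenset(x2)


def half_collisions(h: Func) -> FrozenSet[int]:
    """All x such that some x' != x has h(x') = h(x) (Definition 9)."""
    buckets: Dict[int, List[int]] = {}
    for x, y in h.items():
        buckets.setdefault(y, []).append(x)
    return frozenset(x for xs in buckets.values() if len(xs) > 1 for x in xs)


def is_half_collision(h: Func, x: int) -> bool:
    """The predicate an adversary in Definition 9 is scored against."""
    return x in half_collisions(h)


def has_h_star_structure(h: Func, x1: FrozenSet[int], x2: FrozenSet[int], k: int) -> bool:
    """Check the constraints: 2-to-1 on X_1, injective on X_2, disjoint images, onto Y."""
    img1 = [h[x] for x in x1]
    img2 = [h[x] for x in x2]
    two_to_one = len(set(img1)) == k and all(img1.count(y) == 2 for y in set(img1))
    injective = len(set(img2)) == len(x2) == k
    disjoint = not (set(img1) & set(img2))
    onto = set(h.values()) == set(range(2 * k))
    return two_to_one and injective and disjoint and onto


if __name__ == "__main__":
    k = 4
    h_star, x1, x2 = build_h_star(k, seed=1)
    print("structure ok:", has_h_star_structure(h_star, x1, x2, k))
    print("half-collisions == X_1:", half_collisions(h_star) == x1)
    print("H* =", dict(sorted(h_star.items())))
```

On a domain of 12 elements everything is enumerable, so `half_collisions` simply inverts the function; the point of the proof sketch is that with superpolynomial sizes and only oracle access, a quantum-polynomial-time adversary cannot do this, and the fact that here the half-collision set equals \(X_1\) exactly is what turns "cannot identify \(X_1\)" into "is half-collision resistant".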
Quantum Arguments of Knowledge. We illustrate the use of collapse-binding commitments by revisiting the construction of proofs of knowledge from Unruh [19]. Unruh showed that a sigma-protocol (i.e., a particular kind of three-round proof system) is a quantum proof of knowledge if it has two properties: special soundness (from two interactions with the same first and different second messages one can efficiently compute a witness) and strict soundness (the first and second message of a valid interaction determine the third). In the classical setting, only special soundness is needed. In the quantum setting, strict soundness is additionally required to allow for quantum rewinding: In the proof from [19], we run the malicious prover to get his response (the third message). Then we measure the response. Then we rewind the prover (by applying the inverse of the unitary transformation representing the prover). Then we run the prover again to get a second answer. Special soundness then implies that from the two responses, we get a witness. However, we need to make sure that measuring the prover’s response before rewinding does not disturb the state (too much). In [19], this follows from strict soundness: strict soundness guarantees that the response is uniquely determined, and thus measuring the response does not disturb the state. To achieve strict soundness, [19] lets the prover commit to all possible responses in the first message using perfectly-binding commitments. The drawback of this solution is that the commitments cannot be statistically hiding, so we cannot get statistical zero-knowledge proofs using the method from [19].
What happens if we replace the perfectly-binding commitments by collapse-binding commitments containing the response? In that case, the response will not necessarily be information-theoretically determined by the first two messages. However, the definition of collapse-binding commitments guarantees that measuring that response is indistinguishable from not measuring it. Thus, if we measure the response, the state might be disturbed, but it will be computationally indistinguishable from not being disturbed. This is enough for the proof technique from [19] to go through, assuming the prover is computationally limited. The resulting protocol will not be a quantum proof of knowledge, but a quantum argument of knowledge (i.e., secure only against computationally limited provers). But in contrast to [19], the proof system will be statistical zero-knowledge.
To summarize: from collapse-binding commitments (or from collapsing hash functions), we get three-round statistical zero-knowledge quantum arguments of knowledge for all languages in NP (with inverse polynomial knowledge error). To the best of our knowledge, not even three-round statistical zero-knowledge quantum arguments were known before.
1.4 Related Work
Commitments. Brassard et al. [4] presented an information-theoretically hiding and binding commitment scheme using quantum communication. However, the protocol was flawed; Mayers [15] showed that information-theoretically hiding and binding commitments are impossible. (This is no contradiction to our results, because our commitments are not information-theoretically binding.) Dumais et al. [13] and Crépeau et al. [7] constructed statistically hiding commitments from quantum one-way permutations and quantum one-way functions, respectively. Their protocols use quantum communication, and are sum-binding. Crépeau et al. [6] generalized the sum-binding definition to string commitments and constructed an OT protocol based on that definition. (However, it is not known whether the protocol composes even sequentially.) Damgård et al. [9] and Unruh [18] showed a much simpler OT protocol to be secure, assuming much stronger commitment definitions in the CRS model, but achieving stronger security notions (sequential composability/UC). Ambainis et al. [1] show that classical-style binding commitments are not necessarily even sum-binding.
Quantum Random Oracles. Random oracles were first explicitly considered in a quantum cryptographic context by Boneh et al. [3] who stressed that the adversary should have superposition access to the random oracle. Zhandry [24] showed that the random oracle is collisionresistant. In contrast, we show (based on his result) that the random oracle is collapsing (a stronger property).
Quantum Rewinding and Proof Systems. Watrous [23] showed how quantum rewinding can be used to prove the security of quantum zeroknowledge protocols. Unruh [19] showed how a different flavor of quantum rewinding can be used for proving the security of quantum proofs of knowledge; we extend their technique to quantum arguments of knowledge.
2 Definitions and Basic Properties
Preliminaries. For the necessary background in quantum computing, see, e.g., [16]. By \(|i\rangle \) with \(i\in I\) we denote the vectors of the computational basis of the Hilbert space with dimension \(|I|\). We also use the symbol \(|\cdot \rangle \) to refer to other (non-basis) vectors (e.g., \(|\varPsi \rangle \)). And \(\langle \varPsi |\) is the conjugate transpose of \(|\varPsi \rangle \). \(\|x\|\) refers to the Euclidean or \(\ell ^2\)-norm. We only consider finite dimensional Hilbert spaces. We denote \(|+\rangle :=\tfrac{1}{\sqrt{2}}|0\rangle +\tfrac{1}{\sqrt{2}}|1\rangle \) and \(|-\rangle :=\tfrac{1}{\sqrt{2}}|0\rangle -\tfrac{1}{\sqrt{2}}|1\rangle \). For a linear operator A on a Hilbert space, we denote by \(A^\dagger \) its conjugate transpose. We denote by \(I\) the identity. We call an operator P on a Hilbert space a projector iff it is an orthogonal projector, i.e., a linear map with \(P^2=P\) and \(P=P^\dagger \). By \({\text {TD}}(\rho ,\rho ')\) we denote the trace distance between \(\rho \) and \(\rho '\), and by \(F(\rho ,\rho ')\) the fidelity.
Given an algorithm A, let \(x\leftarrow A(y)\) denote the result of running A with input y and assigning the output to x. Let \(x{\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}M\) denote assigning a uniformly random element of M to x. We will use \(\eta \) to denote the security parameter, that is, a positive integer that will be passed to all algorithms and adversaries and that indicates the required security level. By \(a\Vert b\) we denote the concatenation of bitstrings a and b.
We call an algorithm quantum-polynomial-time if it is a quantum algorithm and its runtime is bounded by a polynomial in its input length with probability 1. We call an algorithm classical-polynomial-time if it performs only classical operations and its runtime is bounded by a polynomial in its input length with probability 1. We write \(1^\eta \) for a bitstring (of 1’s) of length \(\eta \). (The latter is useful for making algorithms run in polynomial-time in the length of the security parameter, e.g., \(A(1^\eta )\) will run in polynomial-time in \(\eta \).)
Commitments. A commitment scheme \(( com , verify )\) consists of a quantum-polynomial-time algorithm \( com \) and a deterministic quantum-polynomial-time algorithm \( verify \).^{4} \((c,u)\leftarrow com (1^\eta ,m)\) returns a commitment c and the opening information u for the message m and security parameter \(\eta \). c alone is supposed not to reveal anything about m (hiding). To open, we send (m, u) to the recipient, who checks whether \( verify (1^\eta ,c,m,u)=1\). Both \( com \) and \( verify \) have classical input and output. \( com \) has a well-defined message space \({\mathsf {MSP}_\eta }\) that also depends on the security parameter \(\eta \) (e.g., \({\{0,1\}^{\eta }}\)). Furthermore, for technical reasons, we assume that it is possible to find triples (c, m, u) with \( verify (1^\eta ,c,m,u)=1\) with probability 1 in quantum-polynomial-time in \(\eta \).
We first state some standard properties of commitments.
Definition 10
Perfect completeness: \(( com , verify )\) has perfect completeness iff for all \(m\in {\mathsf {MSP}_\eta }\), \(\Pr [ verify (1^\eta ,c,m,u)=1:(c,u)\leftarrow com (1^\eta ,m)]=1\).
Computational hiding: \(( com , verify )\) is computationally hiding iff for any quantum-polynomial-time A and any polynomial \(\ell \), there is a negligible \(\mu \) such that for any \(\eta \), any \(m_0,m_1\in {\mathsf {MSP}_\eta }\) with \(|m_0|,|m_1|\le \ell (\eta )\), and any \(|\varPsi \rangle \),^{5} \(\bigl |P_0-P_1\bigr |\le \mu (\eta )\) where \(P_i:=\Pr [b=1:(c,u)\leftarrow com (1^\eta ,m_i),b\leftarrow A(1^\eta ,|\varPsi \rangle ,c)]\).
Statistical hiding: Like computational hiding, except that we quantify over all A (not just quantum-polynomial-time A).
Definition 11
(Classical-Style Binding). A commitment scheme is classical-style binding iff for any quantum-polynomial-time algorithm A, the following is negligible in \(\eta \): \(\Pr [ verify (1^\eta ,c,m,u)=1\wedge verify (1^\eta ,c,m',u')=1\wedge m\ne m':(c,m,u,m',u')\leftarrow A(1^\eta )]\).
Definition 12
A commitment scheme is collapse-binding iff for any quantum-polynomial-time algorithms A, B, the difference \(\bigl |\Pr [b=1:\mathsf {Game}_1]-\Pr [b=1:\mathsf {Game}_2]\bigr |\) is negligible.
Instead of measuring using \(V_c\) whether the adversary outputs a correct opening information, we can quantify only over adversaries that always output correct opening information. This leads to the following equivalent definition of collapse-binding commitments. This definition is often easier to handle when proving that a given scheme is collapse-binding.
Definition 13
We call an adversary (A, B) valid if \(\Pr [ verify (c,m,u)=1]=1\) when running \((S,M,U,c)\leftarrow A(1^\eta )\) and measuring M, U in the computational basis to obtain m, u.
A commitment scheme is collapse-binding iff for any quantum-polynomial-time valid adversary (A, B), the difference \(\bigl |\Pr [b=1:\mathsf {Game}_1]-\Pr [b=1:\mathsf {Game}_2]\bigr |\) is negligible.
In [20], we show Definitions 12 and 13 equivalent, and that the collapse-binding property is preserved under parallel composition of commitments.
3 Commitments from Collision-Resistant Hash Functions
In the following, we will often refer to hash functions. We will always assume that a hash function depends implicitly on the security parameter (in particular, the size of the range can depend on the security parameter). We also assume that the hash function is quantum-polynomial-time computable (in \(\eta \) and the input length).^{6} Besides that, we do not assume any further properties such as collision-resistance unless explicitly mentioned.
Definition 14
Message space \({\mathsf {MSP}_\eta }:={\{0,1\}^{*}}\).
\( com _{ can }(m)\): Pick \(u{\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}{\{0,1\}^{\ell _u}}\). Compute \(c:=H(m\Vert u)\). Return (c, u).
\( verify _{ can }(c,m,u)\): Return 1 iff \(H(m\Vert u)=c\).
It is immediate to see that this scheme is classical-style binding if H is collision-resistant. However, in general it will not be hiding; for example, \(H(m\Vert u)\) could leak the first bit of m. However, it is hiding if H is a random oracle:
Lemma 15
Fix \(\ell _u\ge 0\) and assume that \(|Y|\le 2^{\ell _u/8}\). For a random oracle \(H:X\rightarrow Y\), the canonical commitment is statistically hiding.
When using a hash function in the standard model, we can use the following commitment scheme instead:
Definition 16
\( com _{ HMb }(m)\): Pick \(f\in F\) and \(u\in {\{0,1\}^{L}}\) uniformly at random, conditioned on \(f(u)=m\). Compute \(h:=H(u)\). Let \(c:=(h,f)\). Return (c, u).
\( verify _{ HMb }(c,m,u)\) with \(c=(h,f)\): Check whether \(f(u)=m\) and \(h=H(u)\). If so, return 1.
Definition 17
\( com _{ HMu }(m)\): Pick \(f\in F\) and \(u\in {\{0,1\}^{L}}\) uniformly at random, conditioned on \(f(u)=H(m)\). Compute \(h:=H(u)\). Let \(c:=(h,f)\). Return (c, u).
\( verify _{ HMu }(c,m,u)\) with \(c=(h,f)\): Check whether \(f(u)=H(m)\) and \(h=H(u)\). If so, return 1.
Theorem 18
(Security of Halevi-Micali [14]). If \(\ell \) is superlogarithmic, then the Halevi-Micali commitment and the bounded-length Halevi-Micali commitment are statistically hiding. If H is collision-resistant, then the Halevi-Micali commitment and the bounded-length Halevi-Micali commitment are classical-style binding.
Note that [14] did not prove the classical-style binding property against quantum adversaries. But the (very simple) proof of binding carries over unchanged to the quantum setting (if H is collision-resistant against quantum adversaries). The statistical hiding property holds against unlimited adversaries anyway, thus also against quantum adversaries.
The following theorem shows that collision-resistance does not seem to be enough to make the above constructions secure in the quantum setting, i.e., classical-style binding is all we get.
Theorem 19
There is an oracle \(\mathcal {O}\) relative to which there exists a collision-resistant^{7} hash function H such that the canonical commitment scheme and both Halevi-Micali commitment schemes using H admit the following attack:
There is a quantum-polynomial-time adversary \(A^{\mathcal {O}}\) that outputs a commitment c, then expects a bit b, and then outputs with overwhelming probability a pair (m, u) such that \( verify (c,m,u)=1\) and the first bit of m is b.
Clearly, a commitment with that property should not be considered secure. This shows that collision-resistance is too weak a property for constructing commitments in the quantum setting, at least when using standard constructions.
The proof [20] uses the oracles constructed in [1]. In a nutshell, those oracles give the adversary access to sets \(S_y\), such that the adversary can perform one single search in \(S_y\) for an element with a specific property, but cannot get two elements from the same \(S_y\). Using a suitably constructed hash function H, finding m, u that open c corresponds to a search in \(S_y\). Thus the adversary can use that search to break the binding property. But finding a collision in H corresponds to finding two elements from the same \(S_y\), hence H is collision-resistant.
4 Collapsing Hash Functions
As seen in the previous section, for many protocols collision-resistance is not a sufficiently strong property in the quantum setting. In the following, we propose a strengthening of the collision-resistance property that seems more useful in the quantum setting, namely “collapsing” hash functions. We believe that collapsing hash functions are a natural assumption for real-life hash functions such as SHA3 etc. This belief is supported by the fact that the random oracle is collapsing (see Sect. 6).
The definition of collapsing hash functions is similar to that of collapse-binding commitments (Definition 13).
Definition 20
We call an adversary (A, B) valid if \(\Pr [H(m)=c]=1\) when we run \((S,M,c)\leftarrow A(1^\eta )\) and measure M in the computational basis as m.
A function H is collapsing iff for any quantum-polynomial-time valid adversary (A, B), the difference \( adv :=\bigl |\Pr [b=1:\mathsf {Game}_1]-\Pr [b=1:\mathsf {Game}_2]\bigr |\) is negligible. (We call \( adv \) the advantage.)
Notice that the definition of collapsing hash functions is inherently quantum, even though the object we consider (the hash function H) is classical. We know of no classical analogue to collapsing hash functions. However, a collapsing hash function will necessarily be collision-resistant, see Lemma 22 below.
We proceed to give a number of useful properties of collapsing hash functions.
Lemma 21
An injective function H is collapsing with advantage 0.
Lemma 22
A collapsing hash function is collision-resistant.
Theorem 23
If f and g are collapsing, so is \(g\circ f\).
5 Commitments from Collapsing Hash Functions
In Sect. 3 we saw that collision-resistant hash functions are not sufficient for several standard constructions of commitment schemes. We will now show that those same constructions are secure in the quantum setting when using collapsing hash functions instead.
The following theorem allows us to extend the message space of a collapse-binding commitment by hashing the message with a collapsing hash function. Besides being useful in its own right, we need it in the analysis of the unbounded Halevi-Micali commitment.
Theorem 24
Let f be a collapsing function. Let \(( com , verify )\) be a collapse-binding commitment scheme. Let \( com _f(1^\eta ,m):= com (1^\eta ,f(m))\) and \( verify _f(1^\eta ,c,m,u)= verify (1^\eta ,c,f(m),u)\). Then \(( com _f, verify _f)\) is a collapse-binding commitment scheme.
Lemma 25
If H is collapsing, then the canonical commitment scheme \(( com _{ can }, verify _{ can })\), the bounded-length Halevi-Micali commitment \(( com _{ HMb }, verify _{ HMb })\), and the unbounded Halevi-Micali commitment \(( com _{ HMu }, verify _{ HMu })\) are collapse-binding. (For any choice of the parameters \(\ell _u,\ell ,n\).)
We give the proof idea; the full proof is given in [20]. To show that the canonical commitment \( com _{ can }\) is collapse-binding, we use the characterization of collapse-binding from Definition 13. We need to show that the adversary cannot distinguish between a measurement on register M and no measurement on register M, assuming the adversary outputs M, U containing a superposition of m, u with \( verify _{ can }(c,m,u)=1\). The condition \( verify _{ can }(c,m,u)=1\) is equivalent to \(H(m\Vert u)=c\). Hence the adversary outputs in M, U a superposition of preimages of c under H. Since H is collapsing, this implies that the adversary cannot distinguish between a measurement on M, U and no measurement on M, U. This also implies (using some additional work) that the adversary cannot distinguish between a measurement on M and no measurement on M. Hence \( com _{ can }\) is collapse-binding. The Halevi-Micali commitments are handled similarly.
6 Random Oracles Are Collapsing
In Sect. 5 we saw that collapsing hash functions imply collapse-binding commitments. In this section, we explore the existence of collapsing hash functions. Specifically, we show that the random oracle is collapsing. This implies that there are simple collapse-binding commitments in the random oracle model. Furthermore, it supports the assumption that real-life hash functions such as SHA3 etc. could be collapse-binding. Alternatively, we could also directly start with the assumption that SHA3 is collapsing; in that setting the constructions from Sect. 5 would not need the random oracle. (In fact, we advocate that a hash function that is not collapsing should not be considered a secure practical hash function, and not recommended for future use.)
For the remainder of this section, X and Y are sets, and \(H:X\rightarrow Y\) is a random oracle. Furthermore Y is finite, and \(X\subseteq {\{0,1\}^{*}}\) (finite or infinite). And \(q\ge 1\) always refers to an upper bound on the number of oracle queries performed by the adversary. The full proofs are given in [20].
We start by defining a seemingly unrelated property (half-collision resistance) that will turn out to imply the collapsing property. We will need half-collision resistance in our proof that the random oracle is collapsing. However, the concept of half-collision resistance might be of use for constructions in the standard model, too: since half-collision resistance is defined by a classical game, it might be easier to construct hash functions that are half-collision resistant.^{8}
Definition 26
A half-collision of a hash function \(f:X\rightarrow Y\) is a value x such that \(\exists x'\ne x.\ f(x)=f(x')\).
with probability 1, the output of A is a half-collision or \(\bot \), and
with probability at least \(\varepsilon \), A outputs a half-collision.
Lemma 27
If (A, B) is valid and has advantage \(\mu \) against the collapsing property of a hash function f, then there is an adversary D with advantage \(\ge \mu ^2/4\) against the half-collision resistance of f. The time-complexity of D is linear in that of (A, B). (If f is given as an oracle, D makes \(4q+4\) queries to f when (A, B) makes q queries.)
Proof Sketch: By definition, a valid adversary A will always output in register M a superposition of messages m with \(H(m)=c\) (all with the same c). So we have two cases: M contains a superposition of a single message m, or M contains a superposition of several messages that have the same image c, i.e., a superposition of half-collisions. Thus, in the second case, we can find a half-collision by measuring M. But an adversary against half-collision resistance must never output a non-half-collision (no false positives). Thus, we need a possibility to test whether M contains only a single message. (In this case, we abort.)
Note that when M contains only a single message, then the adversary B cannot distinguish between a measurement on M and no measurement on M. To exploit this, we run an execution where M is measured and an execution where M is not measured in superposition (roughly speaking), and we make it depend on a control qubit in state \(|+\rangle \) which execution is used. Then, in the case where M contains only a single message, the control qubit stays unentangled with the rest of the circuit. By measuring whether the qubit is still in state \(|+\rangle \), the half-collision resistance adversary can detect whether M contains one or several messages. (It may err and incorrectly assume that M contains only one message, but an error in that direction is permitted.) Thus we have constructed an adversary against half-collision resistance.
Lemma 28
Assume \(|X|\le |Y|\). Then H is collapsing with advantage \(O(q^3/|Y|)\).
Proof Sketch. Zhandry [24] shows that for \(|X|\le |Y|\), H can be distinguished from a random injection with probability at most \(O(q^3/|Y|)\). An injection is collapsing with advantage 0 (Lemma 21).
For the next lemma, we fix some notation first: \([N]:=\{1,\dots ,N\}\). For functions \(f:[M]\rightarrow [N]\) and \(g:[M']\rightarrow [N]\), let \(f+g:[M+M']\rightarrow [N]\) be defined via \((f+g)(x):=f(x)\) for \(x=1,\dots ,M\) and \((f+g)(x):=g(x-M)\) for \(x=M+1,\dots ,M+M'\). For functions \(f:[M]\rightarrow [N]\) and \(g:[M']\rightarrow [N']\), let \(f\oplus g:[M+M']\rightarrow [N+N']\) be defined via \((f\oplus g)(x):=f(x)\) for \(x=1,\dots ,M\) and \((f\oplus g)(x):=g(x-M)+N\) for \(x=M+1,\dots ,M+M'\).
Lemma 29
Assume that \(M\ge N\). Let \(\hat{f},\hat{g}:[N]\rightarrow [N]\) and \(\hat{h}:[M]\rightarrow [M]\) and \(\hat{\varphi }:[N+M]\rightarrow [N+M]\) be uniformly distributed permutations (all independent), and let \(H:[2N+M]\rightarrow [N+M]\) be a uniformly distributed function.
Lemma 30
Assume that \(|Y|=\bigl \lceil \frac{2}{3}|X|\bigr \rceil \). Then H is collapsing with advantage \(O(\sqrt{q^3/|X|})\).
Proof Sketch: For simplicity, we consider the case \(|Y|=2N\), \(|X|=3N\). Then, by Lemma 29 with \(M:=N\), H is indistinguishable from \(H^*:=\hat{\varphi }\circ \bigl ((\hat{f}+\hat{g})\oplus \hat{h}\bigr )\). Furthermore, for a random permutation \(\pi \), H and \(H\circ \pi \) are identically distributed, and \(H\circ \pi \) is indistinguishable from \(H^*\circ \pi \). Thus it is sufficient to show that \(H^*\circ \pi \) is collapsing. In turn, by Lemma 27, it is sufficient to show that \(H^*\circ \pi \) is half-collision resistant. To show that, observe that the half-collisions of \(H^*\) are the inputs \(1,\dots ,2N\), but not \(2N+1,\dots ,3N\). Thus the half-collisions of \(H^*\circ \pi \) are \(P:=\pi ^{-1}(\{1,\dots ,2N\})\). So, the half-collision resistance adversary has to find elements of P, without false positives, while given oracle access to \(H^*\circ \pi \). But \(H^*\circ \pi \) is indistinguishable from \(H\circ \pi \), so the adversary would also be able to find elements in P given \(H\circ \pi \). Since \(H\circ \pi \) is a random function, independent of P, the adversary cannot do that without getting false positives. Hence \(H^*\circ \pi \) is half-collision resistant and thus collapsing. Hence H is collapsing.
Theorem 31
Let Y be finite, and \(X\subseteq {\{0,1\}^{*}}\) (finite or infinite). Then \(H:X\rightarrow Y\) is collapsing with advantage \(O(\sqrt{q^3/|Y|})\).
Proof Sketch: H is indistinguishable from a composition \(f_n\circ \dots \circ f_1\) of random functions \(f_n:X_n\rightarrow Y_n\) with \(|X_{n+1}|=|Y_n|=\frac{2}{3}|X_n|\). By Lemma 30, each \(f_n\) is collapsing. Thus, by Theorem 23, \(f_n\circ \dots \circ f_1\) is collapsing and hence H is collapsing.
7 Zero-Knowledge Arguments of Knowledge
In this section, we study the security of sigma-protocols. A sigma-protocol is a specific kind of three-round proof system in which the verifier’s message consists only of random bits. Sigma-protocols play an important role in classical constructions of zero-knowledge proof systems for two reasons: For a number of simple but important languages, sigma-protocols exist. And given sigma-protocols for simple languages, there are efficient constructions for more complex languages. (There are constructions for conjunctions and disjunctions of sigma-protocols, as well as more complex threshold constructions [5].)
In the classical setting, it is relatively simple to give conditions under which sigma-protocols are zero-knowledge proofs of knowledge. In the quantum setting, however, analyzing the security of sigma-protocols turns out to be much harder. Watrous [23] presented a rewinding technique for proving the zero-knowledge property of sigma-protocols (see also Theorem 34 below). Unruh [19] showed that sigma-protocols are quantum proofs of knowledge under a specific additional condition called “strict soundness”. This condition requires that the third message (“response”) in a valid interaction is uniquely determined by the first two. However, strict soundness is a strong additional assumption. [19] showed how to achieve strict soundness by committing to the response already in the first message. However, the commitment scheme used for this needed to be perfectly-binding (actually, it needed to satisfy a somewhat stronger property, called “strict binding”). In particular, this implies that the commitment scheme cannot be information-theoretically hiding (hence the resulting protocol cannot be statistical zero-knowledge), and we cannot have short commitments (a perfectly-binding commitment will always be at least as long as the message inside).
Furthermore, Ambainis et al. [1] showed that the condition of strict soundness is necessary, at least relative to an oracle. They also showed that even if we assume that strict soundness holds, but only against computationally limited adversaries,^{9} the resulting sigma-protocol will, in general, not be a quantum argument of knowledge.^{10} Even more, it might not even be a quantum argument. That is, a computationally limited adversary can successfully prove a wrong statement.
In this section we show how we can use collapse-binding commitments as a drop-in replacement for the perfectly-binding commitments in the construction from [19]. One particular consequence is that given collapse-binding hash functions we can construct three-round statistical zero-knowledge quantum arguments of knowledge from sigma-protocols (without using a common-reference string). This assumes the sigma-protocol is statistical honest-verifier zero-knowledge and has special soundness, and that the challenge space (the set from which the verifier picks his random message) is polynomially-bounded. These properties, however, are also needed in the classical setting.
7.1 Interactive Proof Systems
An interactive proof system \((\mathsf {P},\mathsf {V})\) for some relation R consists of two interactive quantum machines \(\mathsf {P}\) and \(\mathsf {V}\) that get classical inputs \((x,w)\in R\) and x, respectively. Afterwards, \(\mathsf {V}\) outputs a bit. For formal definitions see [19]. (In general, \(\mathsf {P}\) and \(\mathsf {V}\) can exchange quantum messages, but our concrete constructions below will be classical.)
We consider two important properties of interactive proof systems: First, we want them to be arguments of knowledge. Informally, they should convince the verifier that the prover knows a witness w for the statement x (i.e., \((x,w)\in R\)). Second, we want them to be zero-knowledge. Informally, the proof should not leak anything about the witness besides its existence.
Quantum Arguments of Knowledge. The following definition of quantum arguments of knowledge follows the definition from [22], with one difference: we have formulated security against uniform malicious provers. That is, while in [22] the statement x and the auxiliary input \(|\varPsi \rangle \) are all-quantified, in our setting they are chosen by a quantum-polynomial-time algorithm \(\mathsf {Z}\). The reason we consider only uniform malicious provers here is: A non-uniform adversary can break any non-interactive commitment (with classical messages) that is not already perfectly-binding. (Namely, the auxiliary input can simply contain one commitment and two different openings.) Thus, since we consider only non-interactive commitments in this paper, we need a uniform definition of quantum arguments of knowledge. For a motivation of the remaining definitional choices, see [22].
Definition 32
Quantum Zero-Knowledge. Roughly speaking, \((\mathsf {P},\mathsf {V})\) is quantum-computationally zero-knowledge iff for any quantum-polynomial-time malicious verifier \(\mathsf {V}^*\), there exists a quantum-polynomial-time simulator \(\mathsf {S}\) such that for any \((x,w)\in R\), the output state of \(\mathsf {S}\) is quantum computationally indistinguishable from the output state of \(\mathsf {V}^*\) in an interaction with \(\mathsf {P}(1^\eta ,x,w)\).
Similarly, quantum statistical zero-knowledge is defined in the same way, except that \(\mathsf {V}^*\) is not required to be quantum-polynomial-time.
We will not use the definition of quantum zero-knowledge directly; only the imported Theorem 34 from [22] will refer to it. We therefore omit the formal definition and refer to [22].
7.2 Sigma-Protocols
We now introduce sigma-protocols (following [21] with modifications as mentioned in the footnotes). The notions are like the standard classical definitions; all that was done to adapt them to the quantum setting was to make the adversary quantum-polynomial-time.
A sigma-protocol for a relation R is a three-message proof system. It is described by its challenge space \(N_{z}\) (where \(|N_{z}|\ge 2\)), a classical-polynomial-time prover \((P_1,P_2)\) and a deterministic classical-polynomial-time verifier V. The first message from the prover is \( a \leftarrow P_1(1^\eta ,x,w)\) and is called the commitment, the uniformly random reply from the verifier is \( z {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}N_{z}\) (called challenge), and the prover answers with \( r \leftarrow P_2(1^\eta ,x,w, z )\) (the response). We assume \(P_1,P_2\) to share state. Finally \(V(1^\eta ,x, a , z , r )\) outputs whether the verifier accepts.
Definition 33
Note that the above is a standard condition expected from sigma-protocols in the classical setting. In contrast, for a sigma-protocol to be a quantum proof of knowledge, a much more restrictive condition is required, strict soundness [1, 19]. We show below how to circumvent this necessity by adding collapse-binding commitments to the sigma-protocol (at least when we only need a quantum argument of knowledge).
We also use the standard properties of honest-verifier zero-knowledge (HVZK) and statistical honest-verifier zero-knowledge (SHVZK). Since they are of secondary importance for the proofs shown in this section, we defer them to [20].
Remark 1
Any sigma-protocol \((N_{z},P_1,P_2,V)\) can be seen as an interactive proof \((\mathsf {P},\mathsf {V})\) in a natural way: \(\mathsf {P}\) sends the output \( a \) of \(P_1\) to \(\mathsf {V}\). \(\mathsf {V}\) picks \( z {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}N_{z}\) and sends it to \(\mathsf {P}\). \(\mathsf {P}\) sends the resulting output \( r \) of \(P_2\) to \(\mathsf {V}\). \(\mathsf {V}\) checks the triple \(( a , z , r )\) using V.
The following theorem is shown in [22]:
Theorem 34
(HVZK Implies Zero-Knowledge [22]). Let \(\varSigma =(N_{z},P_1,P_2,V)\) be a sigma-protocol. We consider \(\varSigma \) as an interactive proof \((\mathsf {P},\mathsf {V})\), see Remark 1.
If \(|N_{z}|\) is polynomially-bounded and \(\varSigma \) is SHVZK, then \(\varSigma \) is quantum statistical zero-knowledge. If \(|N_{z}|\) is polynomially-bounded and \(\varSigma \) is HVZK, then \(\varSigma \) is quantum computational zero-knowledge.
Due to this theorem, it will be sufficient to verify that the sigma-protocols we construct are HVZK/SHVZK. We will hence not need to use the definition of quantum zero-knowledge explicitly in the following.
7.3 Constructing Zero-Knowledge Arguments of Knowledge
In [19], the following idea was used to construct quantum proofs of knowledge: We assume a sigma-protocol with special soundness and with polynomial-size \(|N_{z}|\). We convert it into a sigma-protocol with strict soundness as follows: When the prover sends his commitment \( a \leftarrow P_1(x,w)\), he additionally sends \( com ( r _ z )\) for all \( z \in N_{z}\), where \( r _ z \) is the response to the challenge \( z \). When the prover receives the challenge \( z \), he opens \( com ( r _ z )\) instead of sending \( r _ z \). If the commitment has the “strict binding” property, the resulting sigma-protocol has strict soundness (without losing the special soundness or HVZK property).^{12} Strict binding is a strengthening of perfect binding: it means that not only the message in the commitment is information-theoretically determined, but also the opening information.
Given a sigma-protocol with strict and special soundness, we can show that it is a proof of knowledge. Basically, [19] runs the protocol twice (using the inverse of the unitary malicious prover to rewind) to get two responses \( r , r '\) for different challenges \( z \ne z '\). The difficulty here is that measuring \( r \) can disturb the state of the malicious prover, leading to a corrupt value \( r '\). The trick here is that, due to the strict soundness, the value \( r \) is essentially uniquely determined, and therefore the measurement does not introduce too much disturbance.^{13}
Unfortunately, that technique needs commitments with the strict binding property. First, it is easy to see that strict binding commitments must be longer than the messages they contain. Short strict binding commitments are not possible. Furthermore, the only known construction of strict binding commitments [19] uses quantum 1-1 one-way functions. No candidates for those are known.
We show below that the same technique of committing to the responses works with collapse-binding commitments. The crucial point in the analysis from [19] was that measuring the committed response does not change the state. The collapse-binding property guarantees something slightly weaker: when measuring the committed response, the state may change, but this cannot be noticed by a computationally limited adversary. So with collapse-binding commitments, an analogous reasoning as in [19] can be used, except that we get security only against quantum-polynomial-time adversaries. I.e., we get a quantum argument of knowledge. We will now describe this in more detail.
First, we formalize the sigmaprotocol in which we commit to the responses:
Definition 35
\(P_1'(1^\eta ,x,w)\) runs: \( a \leftarrow P_1(1^\eta ,x,w)\). For each \( z \in N_{z}\): \( r _ z \leftarrow P_2(1^\eta ,x,w, z )\)^{14} and \((c_ z ,u_ z )\leftarrow com (1^\eta , r _ z )\). Let \( a ':=( a ,(c_ z )_{ z \in N_{z}})\) and return \( a '\).
\(P_2'(1^\eta ,x,w, z )\) returns \( r ':=( r _ z ,u_ z )\).
\(V'(1^\eta ,x, a ', z , r ')\) with \( a '=( a ,(c_ z )_{ z \in N_{z}})\) and \( r '=( r ,u)\): Check whether \( verify (1^\eta ,c_ z , r ,u)=1\) and \(V(1^\eta , a , z , r )=1\). Iff so, return 1.
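As an added, runnable illustration (not code from the paper), the following Python puts the canonical commitment of Definition 14, with SHA3-256 standing in for H, underneath the response-committing transformation of Definition 35, applied to a toy Schnorr-style sigma-protocol over a tiny group. The group parameters, the challenge-space size and \(\ell _u\) are constructed assumptions, and the special-soundness extractor is included so that the two-transcript extraction Theorem 36 relies on can be checked on the toy protocol.

```python
# Added example, not from the paper: Definition 14 (canonical commitment) used
# inside Definition 35 (commit to every response) on a toy sigma-protocol.
import hashlib
import secrets

L_U = 32  # assumption: opening randomness u is 32 bytes (ell_u = 256 bits)


def H(data: bytes) -> bytes:
    """Hash H of Sect. 3; SHA3-256 stands in for a collapsing hash (assumption)."""
    return hashlib.sha3_256(data).digest()


def com_can(m: bytes):
    """com_can(m): pick u at random, c := H(m || u), return (c, u)."""
    u = secrets.token_bytes(L_U)
    return H(m + u), u


def verify_can(c: bytes, m: bytes, u: bytes) -> bool:
    """verify_can(c, m, u): 1 iff H(m || u) = c (u has fixed length, so m||u parses uniquely)."""
    return len(u) == L_U and H(m + u) == c


# Toy group, constructed for illustration only (far too small to be secure):
# G = 2 generates the subgroup of order Q = 11 in Z_P^* with P = 23.
P, Q, G = 23, 11, 2
N_Z = 8  # challenge space {0, ..., 7}: polynomially bounded, as Sect. 7 needs


class Schnorr:
    """Toy sigma-protocol (P1, P2, V) for the relation R = {(y, w): y = G^w mod P}."""

    def __init__(self, x: int, w: int):
        self.y, self.w, self.k = x, w, None

    def P1(self) -> int:
        self.k = secrets.randbelow(Q)     # state shared with P2
        return pow(G, self.k, P)          # commitment a

    def P2(self, z: int) -> int:
        return (self.k + z * self.w) % Q  # response r_z

    @staticmethod
    def V(x: int, a: int, z: int, r: int) -> bool:
        return pow(G, r, P) == (a * pow(x, z, P)) % P


def encode_r(r: int) -> bytes:
    """Fixed-width encoding of a response so it can be fed to com_can."""
    return r.to_bytes(2, "big")


class CommittedProver:
    """P1', P2' of Definition 35: every response r_z is committed before z is known."""

    def __init__(self, x: int, w: int):
        self.sigma = Schnorr(x, w)
        self.openings = {}

    def P1(self):
        a = self.sigma.P1()
        cs = []
        for z in range(N_Z):              # P2 is run once per challenge, sharing state
            r_z = self.sigma.P2(z)
            c_z, u_z = com_can(encode_r(r_z))
            self.openings[z] = (r_z, u_z)
            cs.append(c_z)
        return a, tuple(cs)               # a' = (a, (c_z)_z)

    def P2(self, z: int):
        return self.openings[z]           # r' = (r_z, u_z)


def V_prime(x: int, a_prime, z: int, r_prime) -> bool:
    """V': accept iff the opening of c_z is valid and V accepts (a, z, r)."""
    a, cs = a_prime
    r, u = r_prime
    return verify_can(cs[z], encode_r(r), u) and Schnorr.V(x, a, z, r)


def run_protocol(x: int, w: int) -> bool:
    """One honest execution of (P1', random z, P2', V')."""
    prover = CommittedProver(x, w)
    a_prime = prover.P1()
    z = secrets.randbelow(N_Z)
    return V_prime(x, a_prime, z, prover.P2(z))


def extract(z1: int, r1: int, z2: int, r2: int) -> int:
    """Special soundness: two accepting transcripts sharing a, with z1 != z2, give w."""
    return ((r1 - r2) * pow((z1 - z2) % Q, -1, Q)) % Q


if __name__ == "__main__":
    w = 5
    y = pow(G, w, P)
    print("honest run accepted:", run_protocol(y, w))
```

Opening c_z with the tuple committed for a different challenge fails V', which is the binding check the rewinding argument of Theorem 36 leans on.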
We show that the above construction is a quantum argument of knowledge:
Theorem 36
(Quantum Argument of Knowledge). If \((N_{z},P_1,P_2,V)\) is a sigma-protocol with computational special soundness for a relation R, and \(( com , verify )\) is collapse-binding, then \((N_{z},P_1',P_2',V')\) from Definition 35 is computationally quantum extractable for R with knowledge error \(1/\sqrt{|N_{z}|}\).
The proof of this theorem will rely on the following lemma from [19]. (That lemma is the core lemma of the rewinding technique from [19]).
Lemma 37
(Extraction via Quantum Rewinding [19]). Let C be a set with \(|C| = c\). Let \((P_i)_{i \in C}\) be projectors. Let \(|\Phi\rangle\) be a unit vector. Let \(V := \sum_{i \in C} \frac{1}{c} \|P_i |\Phi\rangle\|^2\) and \(E := \sum_{i,j \in C, i \ne j} \frac{1}{c^2} \|P_i P_j |\Phi\rangle\|^2\). Then, if \(V \ge \frac{1}{\sqrt{c}}\), \(E \ge V\left(V^2 - \frac{1}{c}\right)\).
Proof of Theorem 36. Recall that any sigma-protocol can be seen as an interactive proof system by Remark 1. Let \((\mathsf{P},\mathsf{V})\) denote the interactive proof system resulting from the sigma-protocol \((N_z,P_1',P_2',V')\). (In particular, the verifier \(\mathsf{V}\) sends a random \(z \in N_z\), and in the end checks whether \(verify(1^\eta,c_z,r,u) = 1\) and \(V(1^\eta,a,z,r) = 1\).)

The malicious prover \(\mathsf{P}^*\) operates on quantum registers Z, C, R, U. Here Z contains the internal state of \(\mathsf{P}^*\) (initialized by algorithm \(\mathsf{Z}\)). C is the register that will contain the first message \(a' = (a,(c_z)_z)\) sent by \(\mathsf{P}^*\). R, U contain the second message \(r' = (r,u)\) sent by \(\mathsf{P}^*\). C, R, U are initialized with \(|0\rangle\).

The unitary \(U_x\) describes the unitary operation of \(\mathsf{P}^*\) on Z, C during the first invocation of \(\mathsf{P}^*\). \(U_x\) is parametrized by the classical input x of \(\mathsf{P}^*\). The message \(a' = (a,(c_z)_z)\) is obtained by measuring C in the computational basis.

The unitary \(U_z\) describes the unitary operation of \(\mathsf{P}^*\) on Z, R, U during the second invocation of \(\mathsf{P}^*\). \(U_z\) is parametrized by the challenge \(z\) that \(\mathsf{P}^*\) receives. The message \(r' = (r,u)\) is obtained by measuring R and U in the computational basis.

\(V_z\): The projector on R, U onto the span of all \(|r,u\rangle\) with \(verify(1^\eta,c_z,r,u) = 1\). (That is, \(V_z\) measures whether measuring R, U would yield a valid opening of \(c_z\).)

\(W_z\): The projector on R onto the span of all \(|r\rangle\) with \(V(1^\eta,a,z,r) = 1\). (That is, \(W_z\) measures whether measuring R would yield a valid response r for challenge \(z\).)

\(P_z := U_z^\dagger W_z V_z U_z\). Since \(V_z\) and \(W_z\) are projectors and diagonal in the computational basis, they commute and their product is a projector. And since \(U_z\) is a unitary, \(P_z\) is a projector (acting on registers Z, R, U).

\(x \leftarrow \mathbf{M}(X)\) denotes that x is assigned the result of measuring the register X in the computational basis.

\(ok \leftarrow P(X)\) means that \(ok\) is assigned 1 iff measuring the register X with projector P succeeds. (With P being, e.g., one of \(V_z, W_z, P_z\).)

We write \(U(X)\) to mean that the unitary U is applied to the register X. (With U being, e.g., one of \(U_x, U_z\).)
In [20], we additionally show that the resulting protocol is also zero-knowledge. (This only uses the hiding property, and is hence independent of our new definitions.)
Theorem 38
(Zero-Knowledge). If \(|N_z|\) is polynomially bounded, \((N_z,P_1,P_2,V)\) is HVZK, \((com,verify)\) is computationally hiding, and \(com\) is a polynomial-time algorithm, then \((N_z,P_1',P_2',V')\) is computational zero-knowledge.
If \(|N_z|\) is polynomially bounded, \((N_z,P_1,P_2,V)\) is SHVZK, \((com,verify)\) is statistically hiding, and \(com\) is a polynomial-time algorithm, then \((N_z,P_1',P_2',V')\) is statistical zero-knowledge.
8 Open Problems

We have constructed quantum arguments of knowledge from sigma-protocols by using collapse-binding commitments. However, our construction requires the challenge space \(N_z\) of the sigma-protocol to be of polynomially bounded size. As a consequence, the resulting argument of knowledge will have a noticeable knowledge error; for a negligible knowledge error we need to use sequential repetition, resulting in a proof system with non-constant round complexity. Are there general constructions of arguments of knowledge from sigma-protocols that do not require the challenge space to be polynomially bounded?

Can we use collapse-binding commitments to construct a quantum OT protocol? For example, using the construction from [2] or a variation thereof?

How are the various definitions of computationally binding commitments related? That is, which implications and separations exist between sum-binding, CDMS-binding, collapse-binding, and UC-secure commitments?
Footnotes
1. Note that for classical adversaries, the classical-binding property gives useful guarantees: If an adversary can produce an opening for any message m using some classical algorithm, he can also produce two openings for different messages \(m,m'\) by running that algorithm twice.
2. Our exposition above was not very rigorous, but it is easy to see that this is indeed an "if and only if".
3. Actually, "strict-binding commitments", but this distinction is not relevant for this exposition.
4. To be practical, those algorithms should of course be classical. We allow quantum-polynomial-time algorithms here to state our results in greater generality.
5. \(|\Psi\rangle\) is the auxiliary input of A that represents knowledge of A acquired, e.g., in prior protocol runs. One could use a mixed state instead; this would lead to an equivalent definition.
6. When working in the random oracle model: quantum-polynomial-time computable given access to the random oracle.
7. H is collision-resistant iff for any quantum-polynomial-time A, \(\Pr[x \ne x' \wedge H(x) = H(x') : (x,x') \leftarrow A(1^\eta)]\) is negligible.
8. However, half-collision resistance is strictly stronger than collapsing, at least relative to an oracle, as we show next. Consider an oracle \(\mathcal{O}\) picked according to the following distribution: Let \(P_0,P_1 : \{0,1\}^n \rightarrow \{0,1\}^n\) be random permutations. Let \(\mathcal{O}(b \Vert x) := P_b(x)\) for \(b \in \{0,1\}, x \in \{0,1\}^n\). Then every input to \(\mathcal{O}\) is a half-collision, thus \(\mathcal{O}\) cannot be half-collision resistant. However, \(P_0\) and \(P_1\) are indistinguishable from a random function [24], hence \(\mathcal{O}\) is indistinguishable from \(\mathcal{O}'(b \Vert x) := H_b(x)\) for random functions \(H_0,H_1\). Note that \(\mathcal{O}'\) is a random function, hence \(\mathcal{O}'\) is collapsing by Theorem 31. Since \(\mathcal{O}\) and \(\mathcal{O}'\) are indistinguishable, \(\mathcal{O}\) is collapsing as well.
9. I.e., it is hard to find two different valid interactions where the first two messages are equal but the response is different.
10. Argument and argument of knowledge are the variants of proof and proof of knowledge that consider a computationally limited malicious prover.
11. [21] requires a classical \(E_\Sigma\) here. By allowing \(E_\Sigma\) to be quantum here, we weaken the notion of computational special soundness slightly, and thus strengthen our results below.
12. This part was done only implicitly in [19], in the analysis of the Hamiltonian cycle proof system.
13. There is some disturbance due to the fact that it is not determined whether \(r\) is a valid response or an invalid one.
14. We can run \(P_2\) several times using the final state of \(P_1\) because \(P_1\) is classical.
Acknowledgements
We thank Ansis Rosmanis for discussions on insecure commitments based on collision-resistant hash functions, and Serge Fehr for discussions on the DFRSS-binding definition. This research was supported by the European Social Fund's Doctoral Studies and Internationalisation Programme DoRa, by the European Regional Development Fund through the Estonian Center of Excellence in Computer Science, EXCS, by the European Social Fund through the Estonian Doctoral School in Information and Communication Technology, and by the Estonian ICT program 2011–2015 (3.2.1201.130022).
References
1. Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems (the hardness of quantum rewinding). In: FOCS 2014, pp. 474–483. IEEE (2014)
2. Bennett, C.H., Brassard, G., Crépeau, C., Skubiszewska, M.H.: Practical quantum oblivious transfer. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 351–366. Springer, Heidelberg (1992)
3. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011)
4. Brassard, G., Crépeau, C., Jozsa, R., Langlois, D.: A quantum bit commitment scheme provably unbreakable by both parties. In: FOCS 1993, pp. 362–371. IEEE (1993)
5. Cramer, R., Damgård, I.B., Schoenmakers, B.: Proof of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)
6. Crépeau, C., Dumais, P., Mayers, D., Salvail, L.: Computational collapse of quantum state with application to oblivious transfer. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 374–393. Springer, Heidelberg (2004)
7. Crépeau, C., Légaré, F., Salvail, L.: How to convert the flavor of a quantum bit commitment. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 60–77. Springer, Heidelberg (2001)
8. Crépeau, C., Salvail, L., Simard, J.R., Tapp, A.: Two provers in isolation. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 407–430. Springer, Heidelberg (2011)
9. Damgård, I., Fehr, S., Lunemann, C., Salvail, L., Schaffner, C.: Improving the security of quantum protocols via commit-and-open. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 408–427. Springer, Heidelberg (2009)
10. Damgård, I.B., Fehr, S., Renner, R.S., Salvail, L., Schaffner, C.: A tight high-order entropic quantum uncertainty relation with applications. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 360–378. Springer, Heidelberg (2007)
11. Damgård, I.B., Fehr, S., Salvail, L.: Zero-knowledge proofs and string commitments withstanding quantum attacks. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 254–272. Springer, Heidelberg (2004)
12. Damgård, I., Lunemann, C.: Quantum-secure coin-flipping and applications. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 52–69. Springer, Heidelberg (2009)
13. Dumais, P., Mayers, D., Salvail, L.: Perfectly concealing quantum bit commitment from any quantum one-way permutation. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 300–315. Springer, Heidelberg (2000)
14. Halevi, S., Micali, S.: Practical and provably-secure commitment schemes from collision-free hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 201–215. Springer, Heidelberg (1996)
15. Mayers, D.: Unconditionally secure quantum bit commitment is impossible. PRL 78(17), 3414–3417 (1997)
16. Nielsen, M., Chuang, I.: Quantum Computation and Quantum Information, 10th Anniv. edn. Cambridge University Press, Cambridge (2010)
17. NIST: SHA-3 standard: Permutation-based hash and extendable-output functions. Draft FIPS 202 (2014)
18. Unruh, D.: Universally composable quantum multi-party computation. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 486–505. Springer, Heidelberg (2010)
19. Unruh, D.: Quantum proofs of knowledge. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 135–152. Springer, Heidelberg (2012)
20. Unruh, D.: Computationally binding quantum commitments. IACR ePrint 2015/361 (2015). Full version of this paper
21. Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015)
22. Unruh, D.: Quantum proofs of knowledge. IACR ePrint 2010/212/20150211:174234 (2015). Updated full version of [19]
23. Watrous, J.: Zero-knowledge against quantum attacks. SIAM J. Comput. 39(1), 25–58 (2009)
24. Zhandry, M.: A note on the quantum collision and set equality problems. Quantum Information & Computation 15(7&8), 557–567 (2015)