Abstract
We define the notion of a proof of knowledge in the setting where the verifier is classical, but the prover is quantum, and where the witness that the prover holds is in general a quantum state. We establish simple properties of our definition, including that, if a nondestructive classical proof of quantum knowledge exists for some state, then that state can be cloned by an unbounded adversary, and that, under certain conditions on the parameters in our definition, a proof of knowledge protocol for a hard-to-clone state can be used as a (destructive) quantum money verification protocol. In addition, we provide two examples of protocols (both inspired by private-key classical verification protocols for quantum money schemes) which we can show to be proofs of quantum knowledge under our definition. In so doing, we introduce techniques for the analysis of such protocols which build on results from the literature on nonlocal games. Finally, we show that, under our definition, the verification protocol introduced by Mahadev (FOCS 2018) is a classical argument of quantum knowledge for QMA relations. In all cases, we construct an explicit quantum extractor that is able to produce a quantum witness given black-box quantum (rewinding) access to the prover, the latter of which includes the ability to coherently execute the prover’s black-box circuit controlled on a superposition of messages from the verifier.
Notes
1. These three works give inequivalent definitions, but the differences are not important for the purpose of this introduction.
2. Argument systems differ from proof systems only in that the honest prover must be efficient, and that soundness is required to hold only against efficient provers. In this case, ‘efficient’ means quantum polynomial-time.
3. In [BJM19], \(\mathcal{O}_\mathcal{F}\) has an additional function: when it is called with the argument \(\mathtt{QUERIES}\), \(\mathcal{O}_\mathcal{F}(\mathtt{QUERIES})\) returns a list of tuples representing all of the queries made to \(\mathcal{O}_\mathcal{F}\) by the prover P and the replies that were given. This functionality is available only to the extractor, not to the parties I, P and V, and it is necessary in order to permit the design of an efficient extractor for some protocols, particularly those in the random oracle model (see, for example, the discussion at the bottom of page 10 in [BJM19]). Since we do not need to use this functionality in our protocols, we omit it here.
4. In [BJM19] the agreement relation also takes two auxiliary inputs. We will not need this.
5. Note that, for completeness, we require that the input generation algorithm is chosen from a set \(\mathcal{I}\) of ‘honest’ algorithms. Here we depart from [BJM19], where input generation is always unrestricted (even when the verifier and the prover are honest). We refer the reader to the full version [VZ21] for a fuller discussion of this subject.
6. The string r represents any random choices that \(\texttt{\textit{Bank}}\) might make while generating valid bills; we make this string explicit for later convenience.
7. Many quantum money schemes are information-theoretically secure; however, it is also possible to consider computationally secure schemes by replacing ‘any’ with ‘any QPT’.
8. \(\texttt{\textit{init}}_M\) does not necessarily need to actually allocate memory for the database; since the database will only ever be accessed through the oracle \(\mathcal{O}_{\mathcal{F}_M}\), it is possible to ‘instantiate’ the database using the method described in Sect. 2.3.
9. Which identifier is returned is at the discretion of any particular instantiation of this function. Intuitively, this oracle is used to represent identifiers of bills that have been generated in the past and are thus available in an “environment” that I may have access to.
10. A is in general not efficient. It is also allowed slightly more invasive access to \(\hat{P}_2\) than a typical extractor. This is acceptable because A is not an extractor, but a cloning procedure. We refer the reader to the full version [VZ21] for a fuller discussion of this topic.
11. This definition is distinct from the definition of security of a protocol \(\mathcal{K}\) described in Definition 7. The latter is a security definition that can apply to any AaP scenario, and the present definition is a new definition tailored to quantum money that is a natural extension of the standard “no-cloning”-based definition recalled in Sect. 8. Our aim in this section, in fact, is to show that (qualitatively speaking) Definition 7 implies Definition 11.
12. Formally the oracle is implemented in the standard way, recalled in Sect. 2.3.
13. Formally, we mean that \(Z^B(c \cdot \theta)\) and \(X^B(\bar{c} \cdot \bar{\theta})\) both commute with the measurement that produces \(\beta\) when \(\mathcal{F}'_W\)’s choice of basis string is \(\theta\) and when the verifier’s choice of challenge is c, and that performing the measurement which produces \(\beta\) and computing \(\oplus_{i: c_i = \theta_i = 0} \beta_i\) (resp. \(\oplus_{i: c_i = \theta_i = 1} \beta_i\)) always gives the same outcome as measuring \(Z^B(c \cdot \theta)\) (resp. \(X^B(\bar{c} \cdot \bar{\theta})\)).
14. The reader should feel free to check that this holds given the previous paragraph.
15. What we describe here is actually a private-key version of the Aaronson-Christiano scheme, equipped with a verification procedure which is similar to a verification procedure used in [BDS16]. Aaronson and Christiano originally proposed this subspace scheme with the idea of making progress towards public-key quantum money. As such, in their original scheme, \(\mathsf{public}\) is not empty.
16. In fact Aaronson and Christiano show the stronger result that this bound holds even if the adversary is given black-box access to a pair of measurement operators that respectively implement projections on A and \(A^\perp\).
17. Formally the oracle is implemented in the standard way, recalled in Sect. 2.3.
18. We use \(H^{-1}\) and not H here because we specified in Sect. 3.5 that H maps \(\mathsf{id}\)s to \((\mathsf{public}, \mathsf{secret})\) pairs.
19. The agreement relation does not even require that \(x \in R_{Q,\alpha} \cup N_{Q,\beta}\), as in general this cannot be efficiently verified.
20. This description slightly departs from the ‘canonical’ formalism introduced in Sect. 2.2 by using different symbols for the prover’s unitaries associated with different rounds as well as different challenges. It is not hard to find an equivalent description that uses the language from Sect. 2.2. In this case, the four registers \(\mathsf{KYCM}\) would all be considered network registers, and are thus accessible to the extractor.
21. For clarity we omit explicitly writing out |x| in both registers.
References
Aaronson, S., Christiano, P.: Quantum money from hidden subspaces. In: Proceedings of the Forty-Fourth Annual ACM Symposium on Theory of Computing (2012)
Aaronson, S., Farhi, E., Gosset, D., Hassidim, A., Kelner, J., Lutomirski, A.: Quantum money. Commun. ACM 55(8), 84–92 (2012)
Badertscher, C., et al.: Security limitations of classical-client delegated quantum computing. arXiv preprint arXiv:2007.01668 (2020)
Ben-David, S., Sattath, O.: Quantum tokens for digital signatures. arXiv preprint arXiv:1609.09047 (2016)
Bellare, M., Goldreich, O.: On defining proofs of knowledge. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 390–420. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_28
Broadbent, A., Grilo, A.B.: Zero-knowledge for QMA from locally simulatable proofs. arXiv preprint arXiv:1911.07782 (2019)
Badertscher, C., Jost, D., Maurer, U.: Agree-and-prove: generalized proofs of knowledge and applications. IACR Cryptol. ePrint Arch. 2019, 662 (2019)
Chase, M., Lysyanskaya, A.: On signatures of knowledge. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 78–96. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_5
Coladangelo, A., Vidick, T., Zhang, T.: Non-interactive zero-knowledge arguments for QMA, with preprocessing. arXiv preprint arXiv:1911.07546 (2019)
Feige, U., Fiat, A., Shamir, A.: Zero-knowledge proofs of identity. J. Cryptol. 1(2), 77–94 (1988)
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
Gheorghiu, A., Vidick, T.: Computationally-secure and composable remote state preparation. In: 2019 IEEE 60th Annual Symposium on Foundations of Computer Science (FOCS), pp. 1024–1033. IEEE (2019)
Haah, J., Harrow, A.W., Ji, Z., Wu, X., Yu, N.: Sample-optimal tomography of quantum states. IEEE Trans. Inf. Theory 63(9), 5628–5641 (2017)
Kempe, J., Regev, O.: 3-local Hamiltonian is QMA-complete. Quantum Inf. Comput. 3(3), 258–264 (2003)
Kitaev, A.Y., Shen, A., Vyalyi, M.N.: Classical and Quantum Computation. Graduate Studies in Mathematics, vol. 47. American Mathematical Society (2002)
Mahadev, U.: Classical homomorphic encryption for quantum circuits. In: 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), pp. 332–338. IEEE (2018)
Mahadev, U.: Classical verification of quantum computations. In: 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), pp. 259–267, October 2018
Mahadev, U.: Classical verification of quantum computations. arXiv preprint arXiv:1804.01082 (2018)
Metger, T., Vidick, T.: Self-testing of a single quantum device under computational assumptions. arXiv preprint arXiv:2001.09161 (2020)
Molina, A., Vidick, T., Watrous, J.: Optimal counterfeiting attacks and generalizations for Wiesner’s quantum money. In: Iwama, K., Kawano, Y., Murao, M. (eds.) TQC 2012. LNCS, vol. 7582, pp. 45–64. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35656-8_4
Natarajan, A., Vidick, T.: Robust self-testing of many-qubit states. arXiv preprint arXiv:1610.03574 (2016)
Schnorr, C.P., Jakobsson, M.: Security of signed ElGamal encryption. In: International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT 2000). LNCS, vol. 1976, pp. 73–89. Springer, Heidelberg (2000)
Tompa, M., Woll, H.: Random self-reducibility and zero knowledge interactive proofs of possession of information. In: 28th Annual Symposium on Foundations of Computer Science (sfcs 1987), pp. 472–482. IEEE (1987)
Unruh, D.: Quantum proofs of knowledge. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 135–152. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_10
Vidick, T., Zhang, T.: Classical zero-knowledge arguments for quantum computations. Quantum 4, 266 (2020)
Vidick, T., Zhang, T.: Classical proofs of quantum knowledge (2021)
Watrous, J.: Zero-knowledge against quantum attacks. SIAM J. Comput. 39(1), 25–58 (2009)
Wiesner, S.: Conjugate coding. ACM SIGACT News 15(1), 78–88 (1983)
Zhandry, M.: Quantum lightning never strikes the same state twice. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 408–438. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_14
Acknowledgement
We thank Alexandru Gheorghiu for useful feedback and Or Sattath for comments. Thomas Vidick is supported by NSF CAREER Grant CCF-1553477, AFOSR YIP award number FA9550-16-1-0495, MURI Grant FA9550-18-1-0161 and the IQIM, an NSF Physics Frontiers Center (NSF Grant PHY-1125565) with support of the Gordon and Betty Moore Foundation (GBMF-12500028). This material is based upon work supported by DARPA under Agreement No. HR00112020023. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA.
© 2021 International Association for Cryptologic Research
About this paper
Cite this paper
Vidick, T., Zhang, T. (2021). Classical Proofs of Quantum Knowledge. In: Canteaut, A., Standaert, F.-X. (eds) Advances in Cryptology – EUROCRYPT 2021. EUROCRYPT 2021. Lecture Notes in Computer Science, vol 12697. Springer, Cham. https://doi.org/10.1007/978-3-030-77886-6_22
DOI: https://doi.org/10.1007/978-3-030-77886-6_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-77885-9
Online ISBN: 978-3-030-77886-6
eBook Packages: Computer Science, Computer Science (R0)