Fiat-Shamir: from practice to theory

Canetti, Ran; Chen, Yilei; Holmgren, Justin; Lombardi, Alex; Rothblum, Guy N.; Rothblum, Ron D.; Wichs, Daniel

doi:10.1145/3313276.3316380

Cited by 135 publications

(60 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To start with, we can replace the prover's proof in step 3 with a NIZK proof in the CRS model. NIZK proofs for all languages in NP have recently been shown to exist [CLW19,PS19] based on the hardness of LWE only, and we prove that the Peikert-Shiehian construction from [PS19] remains secure (i.e. quantum computationally sound and zero-knowledge) against quantum adversaries, assuming that LWE is quantum computationally intractable.…”

Section: Our Non-interactive Protocolmentioning

confidence: 92%

“…A building block in our construction of NIZK argument systems for QMA are non-interactive argument systems for NP in the CRS model (or with CRS setup). Based on the work of [CLW19,PS19] it is possible to construct such argument systems satisfying both adaptive soundness and adaptive zero-knowledge assuming only the hardness of the LWE problem. Here, we require such arguments that maintain the soundness and zero-knowledge properties in case the adversarial party may be quantum.…”

Section: Non-interactive Zero-knowledge For Npmentioning

confidence: 99%

“…Here, we require such arguments that maintain the soundness and zero-knowledge properties in case the adversarial party may be quantum. We give the definitions and sketch how quantum security follows almost immediately by adapting the same arguments from [CLW19] and using quantum-security of the LWE-based correlation intractable hash family from [PS19].…”

Section: Non-interactive Zero-knowledge For Npmentioning

confidence: 99%

“…Next we recall the non-interactive variant, protocolΠ in [CLW19, Construction 5.2]. Here crs = (pk, k) where pk is a key for the commitment scheme and k is a key for a family H of hash functions satisfying certain properties (correlation intractability and programmability, see [CLW19]). The prover then computes a as above, sets e = h k (a), and computes the third message z as above.…”

Section: Definition 217 (Adaptive Soundness)mentioning

confidence: 99%

“…The possibility for selecting k * in a way that is indistinguishable from a random key comes from the programmability of H; see[CLW19].…”

mentioning

confidence: 99%

See 4 more Smart Citations

Non-interactive Zero-Knowledge Arguments for QMA, with Preprocessing

Coladangelo

Vidick

Gilroy

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

A non-interactive zero-knowledge (NIZK) proof system for a language L ∈ NP allows a prover (who is provided with an instance x ∈ L, and a witness w for x) to compute a classical certificate π for the claim that x ∈ L such that π has the following properties: 1) π can be verified efficiently, and 2) π does not reveal any information about w, besides the fact that it exists (i.e. that x ∈ L). NIZK proof systems have recently been shown to exist for all languages in NP in the common reference string (CRS) model and under the learning with errors (LWE) assumption. We initiate the study of NIZK arguments for languages in QMA. An argument system differs from a proof system in that the honest prover must be efficient, and that it is only sound against (quantum) polynomial-time provers. Our first main result is the following: if LWE is hard for quantum computers, then any language in QMA has an NIZK argument with preprocessing. The preprocessing in our argument system consists of (i) the generation of a CRS and (ii) a single (instance-independent) quantum message from verifier to prover. Meanwhile, the instance-dependent phase of our argument system involves only a single classical message from prover to verifier. Importantly, verification in our protocol is entirely classical, and the verifier needs not have quantum memory; its only quantum actions are in the preprocessing phase. NIZK proofs of (classical) knowledge are widely used in the construction of more advanced cryptographic protocols, and we expect the quantum analogue to likewise find a broad range of applications. In this respect, the fact that our protocol has an entirely classical verification phase is particularly appealing. Our second contribution is to extend the notion of a classical proof of knowledge to the quantum setting. We introduce the notions of arguments and proofs of quantum knowledge (AoQK/PoQK), and we show that our non-interactive argument system satisfies the definition of an AoQK. In particular, we explicitly construct an extractor which can recover a quantum witness from any prover who is successful in our protocol. We also show that any language in QMA has an (interactive) proof of quantum knowledge, again by exhibiting a particular proof system for all languages in QMA and constructing an extractor for it. That our NIZK argument system is also an AoQK further broadens the contexts in which it may be applied.

show abstract

Section: Our Non-interactive Protocolmentioning

confidence: 92%

Section: Non-interactive Zero-knowledge For Npmentioning

confidence: 99%