Quantum Attacks on Classical Proof Systems: The Hardness of Quantum Rewinding

Quantum zero-knowledge proofs and quantum proofs of knowledge are inherently difficult to analyze because their security analysis uses rewinding. Certain cases of quantum rewinding are handled by the results of Watrous (SIAM J. Comput., 2009) and Unruh (Eurocrypt 2012), yet in general the problem remains elusive. We show that this is not only due to a lack of proof techniques: relative to an oracle, classically secure proofs and proofs of knowledge are insecure in the quantum setting. More specifically, sigma-protocols, the Fiat-Shamir construction, and Fischlin's proof system are quantum insecure under assumptions that are sufficient for classical security. Additionally, we show that, for similar reasons, computationally binding commitments provide almost no security guarantees in a quantum setting. To show these results, we develop the "pick-one trick", a general technique that allows an adversary to find one value satisfying a given predicate, but not two.
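The abstract turns on the gap between "can answer one challenge" and "can answer two". The following Python is an added illustration, not code from the paper: it implements the classical rewinding extractor for Schnorr's sigma-protocol (special soundness over a toy group, parameters p = 23, q = 11, g = 2 chosen only for readability) and a cheating prover that prepares for exactly one challenge. The extractor copies the prover's post-commitment state and queries it twice; against the honest prover it recovers the witness, against the one-challenge prover it learns nothing. In the quantum setting the prover's state cannot be copied, which is the rewinding problem the paper is about; the quantum pick-one adversary of the paper is not simulated here.

```python
# Added example, not code from the paper: the classical rewinding extractor for
# Schnorr's sigma-protocol, plus a cheating prover that can answer exactly one
# challenge.  Toy parameters (p = 23, q = 11, g = 2) are chosen for readability
# and give no real security; a deployment would use a large prime-order group.

P = 23   # modulus, p = 2q + 1
Q = 11   # prime order of the subgroup generated by G
G = 2    # generator of the order-11 subgroup of Z_23^*


def keygen(w):
    """Public key h = g^w mod p for the secret witness w in Z_q."""
    return pow(G, w % Q, P)


def verify(h, a, c, z):
    """Sigma-protocol verification: g^z == a * h^c (mod p)."""
    return pow(G, z % Q, P) == (a * pow(h, c % Q, P)) % P


class HonestProver:
    """Knows w.  Its state after commit() is the nonce r, which a classical
    extractor may copy and reuse (rewinding)."""

    def __init__(self, w, r):
        self.w, self.r = w % Q, r % Q

    def commit(self):
        return pow(G, self.r, P)

    def respond(self, c):
        return (self.r + c * self.w) % Q


class OneChallengeProver:
    """Cheating prover without w: guesses the challenge c_star in advance and
    sets a = g^z / h^c_star, so it answers c_star correctly and nothing else.
    A single accepting run therefore proves nothing about knowledge of w."""

    def __init__(self, h, c_star, z):
        self.c_star, self.z = c_star % Q, z % Q
        # a = g^z * (h^c_star)^{-1} mod p
        self.a = (pow(G, self.z, P) * pow(pow(h, self.c_star, P), -1, P)) % P

    def commit(self):
        return self.a

    def respond(self, c):
        return self.z  # only a valid response when c == c_star


def extract_witness(c1, z1, c2, z2):
    """Special soundness: two accepting transcripts (a, c1, z1), (a, c2, z2)
    with the same a and c1 != c2 give w = (z1 - z2) / (c1 - c2) mod q."""
    d = (c1 - c2) % Q
    if d == 0:
        raise ValueError("challenges must differ")
    return ((z1 - z2) * pow(d, -1, Q)) % Q


def rewind_and_extract(prover, h, c1, c2):
    """Classical rewinding extractor.  Returns the witness if both rewound
    runs verify, otherwise None (the extractor learned nothing)."""
    a = prover.commit()
    z1 = prover.respond(c1)      # first run
    z2 = prover.respond(c2)      # rewind: same state, second challenge
    if not (verify(h, a, c1, z1) and verify(h, a, c2, z2)):
        return None
    return extract_witness(c1, z1, c2, z2)


if __name__ == "__main__":
    w = 7
    h = keygen(w)
    honest = HonestProver(w, r=5)
    print("honest prover, extracted witness:", rewind_and_extract(honest, h, 3, 8))
    cheat = OneChallengeProver(h, c_star=3, z=4)
    print("cheating prover passes its one challenge:",
          verify(h, cheat.commit(), 3, cheat.respond(3)))
    print("cheating prover, extracted witness:", rewind_and_extract(cheat, h, 3, 8))
```

The cheating prover's transcript for its chosen challenge is indistinguishable from an honest one (with these values it is literally the same triple), so soundness can only be argued by obtaining a second response from the same commitment. That second query is exactly what rewinding provides classically and what a quantum prover's unclonable state denies in general.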

[1] Andris Ambainis et al. A new quantum lower bound method, with applications to direct product theorems and time-space tradeoffs. STOC 2006.

[2] Scott Aaronson et al. Quantum money from hidden subspaces. STOC 2012.

[3] Mark Zhandry. How to construct quantum random functions. FOCS 2012.

[4] W. Haemers et al. Association schemes. 1996.

[5] Mark Zhandry et al. Quantum-secure message authentication codes. IACR Cryptology ePrint Archive, 2013.

[6] Markulf Kohlweiss et al. On the non-malleability of the Fiat-Shamir transform. INDOCRYPT 2012.

[7] Andris Ambainis. A new quantum lower bound method, with an application to a strong direct product theorem for quantum search. Theory of Computing, 2010.

[8] W. Wootters et al. A single quantum cannot be cloned. Nature, 1982.

[9] Andris Ambainis et al. Symmetry-assisted adversaries for quantum state generation. IEEE Conference on Computational Complexity (CCC) 2011.

[10] R. Cleve et al. Quantum fingerprinting. Physical Review Letters, 2001.

[11] John Watrous. Zero-knowledge against quantum attacks. SIAM J. Comput., 2009.

[12] Mark Zhandry et al. Secure signatures and chosen ciphertext security in a quantum computing world. CRYPTO 2013.

[13] Bruce E. Sagan. The Symmetric Group: Representations, Combinatorial Algorithms, and Symmetric Functions. Wadsworth & Brooks/Cole Mathematics Series, 2001.

[14] Gilles Brassard et al. Quantum cryptanalysis of hash and claw-free functions. LATIN 1998.

[16] Silvio Micali et al. Proofs that yield nothing but their validity, or all languages in NP have zero-knowledge proof systems. J. ACM, 1991.

[17] Jeroen van de Graaf. Towards a formal definition of security for quantum protocols. PhD thesis, 1998.

[18] M. A. Nielsen and I. L. Chuang. Quantum Computation and Quantum Information. 2010.

[19] Dominique Unruh. Non-interactive zero-knowledge proofs in the quantum random oracle model. EUROCRYPT 2015.

[20] Gilles Brassard et al. Tight bounds on quantum searching. arXiv:quant-ph/9605034, 1996.

[21] Donald E. Knuth. Selected Papers on Discrete Mathematics. 2001.

[22] Daniel Berend et al. On the convergence of the empirical distribution. arXiv:1205.6711, 2012.

[23] Dominique Unruh. Revocable quantum timed-release encryption. EUROCRYPT 2014.

[24] Gilles Brassard et al. Quantum algorithm for the collision problem. 1997.

[25] Mark Zhandry et al. Random oracles in a quantum world. ASIACRYPT 2011.

[26] G. James et al. The Representation Theory of the Symmetric Group. 2009.

[27] W. Hoeffding. Probability inequalities for sums of bounded random variables. Journal of the American Statistical Association, 1963.

[28] Louis Salvail et al. Perfectly concealing quantum bit commitment from any quantum one-way permutation. EUROCRYPT 2000.

[29] Amos Fiat et al. How to prove yourself: practical solutions to identification and signature problems. CRYPTO 1986.

[30] Dominique Unruh. Quantum position verification in the random oracle model. CRYPTO 2014.

[31] Mark Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO 2012.

[32] Tommaso Gagliardoni et al. The Fiat-Shamir transformation in a quantum world. IACR Cryptology ePrint Archive, 2013.

[33] Boaz Barak. How to go beyond the black-box simulation barrier. FOCS 2001.

[34] Marc Fischlin. Communication-efficient non-interactive proofs of knowledge with online extractors. CRYPTO 2005.

[36] Peter W. Shor. Algorithms for quantum computation: discrete logarithms and factoring. FOCS 1994.

[37] Jonathan Katz and Yehuda Lindell. Introduction to Modern Cryptography. 2007.

[38] Dominique Unruh. Quantum proofs of knowledge. EUROCRYPT 2012 (IACR Cryptology ePrint Archive).

[39] Lov K. Grover. A fast quantum mechanical algorithm for database search. STOC 1996.

[40] Ivan Damgård et al. Superposition attacks on cryptographic protocols. ICITS 2013.

[41] Daniel J. Bernstein. Post-quantum cryptography. In Encyclopedia of Cryptography and Security, 2011.