Oracle Separations Between Quantum and Non-interactive Zero-Knowledge Classes

by Benjamin Morrison, et al.

We study the relationship between problems solvable by quantum algorithms in polynomial time and those for which zero-knowledge proofs exist. In prior work, Aaronson [arxiv:quant-ph/0111102] showed an oracle separation between BQP and SZK, i.e. an oracle A such that SZK^A ⊈ BQP^A. In this paper we give a simple extension of Aaronson's result to non-interactive zero-knowledge proofs with perfect security. This class, NIPZK, is the most restrictive zero-knowledge class. We show that even for this class we can construct an A with NIPZK^A ⊈ BQP^A.


1 Introduction

We investigate the relationship between quantum-computable problems and those with zero-knowledge proofs. We are motivated by the general desire of complexity theory to understand all relationships between complexity classes, as well as implications this particular relationship has for quantum-resilient cryptography. Specifically we consider the class BQP, those languages decidable by a quantum computer in polynomial time with bounded error. (See [mermin2007quantum] for a more thorough discussion.)

Zero-knowledge is really a family of complexity classes. In a zero-knowledge proof for language , the prover must convince a verifier that . The zero-knowledge property requires that the verifier cannot learn anything other than the statement being proved. (For example, cannot send a witness for .) This is formalized by requiring that a simulator without access to can produce a transcript that is indistinguishable from a transcript of a real interaction. If is required to be distributed identically to , then the resulting complexity class is perfect zero-knowledge (PZK). If it is required only to be statistically close, we get statistical zero-knowledge (SZK). If it is only required to be computationally indistinguishable, we get computational zero-knowledge (CZK). (See [goldreichbook] for a more thorough discussion.)

We can further restrict the three classes above by requiring that the protocols be non-interactive. That is, we require that the whole interaction between and consist of a single message sent from to . To make this possible, we must give the parties access to a common random string. We therefore have three non-interactive classes, analogous to those above (NICZK, NISZK, and NIPZK).

There are no unconditional results proving anything about the relationship between BQP and any of the six zero-knowledge classes discussed above. However, Aaronson [aaronson] gave an oracle separation, an oracle under which . This is evidence that there are problems with zero-knowledge proofs but no quantum algorithms, and it rules out many proof techniques for proving otherwise. In this paper we give a simple extension of this result, showing an oracle separation between BQP and NIPZK. NIPZK is the most restrictive of the zero-knowledge classes, so when we show an such that we implicitly show the same for PZK, NICZK, and NISZK.

Implications for cryptography

In recent years a variety of cryptographic protocols have been built using non-interactive zero-knowledge proofs. For example, Miller et al. use them to create a cryptocurrency that can be generated and spent anonymously [miller-kosba-katz-shi]. Haralambiev uses them to create leakage-resilient signatures, signatures that remain secure even when some of the secret key is disclosed [haralambiev]. Juels et al. show they can be used in a less desirable way, allowing crowdfunding to be used to reward hackers for disclosing the secret information of their victims [juels-kosba-shi].

The cryptographic community has also recently spent considerable effort finding protocols that will remain secure in the face of adversaries with quantum computers. If the non-interactive zero-knowledge classes were contained in BQP, it would imply that cryptographic protocols using such proofs could not be made resilient to such quantum adversaries.

2 Oracle Separation Between SZK and BQP

Aaronson [aaronson] proved the following result:

Theorem 2.1.

There exists an oracle A such that .

Our own proofs follow a similar structure and rely on some of Aaronson’s lemmas, so we begin by recalling a few key details of his proof. He begins with a lower bound for the quantum query complexity of the Collision Problem. The problem is defined as follows.

Definition 2.1 (Collision Problem).

Let be an integer and , represented in the standard way as a list of outputs. Suppose either is one-to-one (that is, each element of is output for exactly one input) or is r-to-one¹ for a fixed (that is, each element of is output for exactly r inputs or not at all). Then given the ability to query , the Collision Problem is to accept if is one-to-one and reject if is -to-one.

¹ It is sufficient for our result to restrict the problem to the case.

Aaronson then shows the following result, which we present without proof. represents the (bounded error) quantum query complexity of the problem, defined as the number of bits of the input that the algorithm must examine.

Lemma 2.2.


Kutin [kutin] proves a stronger version of the collision lower bound, , that also applies when . (This result is also a strengthening of the result of Shi [shi2002quantum], which gives the same bound but requires a larger output set for the function.) From either result, a diagonalization can be performed to produce the desired oracle separation.

3 Oracle Separation Between NIPZK and BQP

We now prove the following new result:

Theorem 3.1.

There exists an oracle such that .

It suffices to demonstrate a NIPZK algorithm for . The algorithm, inspired by the algorithm for uniformity testing given by Malka [malka], proceeds as follows. The prover divides the shared random string into two strings and , each of length . For each , it chooses uniformly a string with . It then sends the chosen to the verifier. The verifier accepts if for both .

We now prove the algorithm is NIPZK. First, we prove its completeness. If is one-to-one, then its image equals its codomain, and so the can always be selected to be valid, regardless of the . Thus the verifier will always accept any one-to-one function.

Next, we prove its soundness. If is two-to-one, then half of its codomain is not in its image. Thus, with probability , at least one of or is not in the image of . Thus, with probability , the prover cannot select that the verifier will accept. Thus the soundness error is .

Next, we prove its perfect zero-knowledge property. The simulator can simply pick two inputs and at random, then run them through to get appropriate . Since the are selected uniformly, when is one-to-one the are also uniformly distributed. Furthermore, for those , there is only one possible pair of ; thus the simulator can exactly recreate the distribution over inputs to the verifier. From there, it can simply perfectly simulate any verifier on those inputs.

Thus NIPZK, and the theorem follows as above.
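The Collision Problem (Definition 2.1) and the one-message protocol above, worked through on small constructed functions, as an added example that is not part of the paper: the prover answers each half of the common random string with a preimage, the verifier re-evaluates the function, and the simulator builds the same transcript distribution by choosing preimages first. The function names, the domain size 8 and the two sample functions are assumptions made for the example; the acceptance probability and the transcript distributions are computed exactly by enumerating every common random string.

```python
from collections import Counter
from itertools import product

# Constructed example functions f: {0,...,7} -> {0,...,7}, written as output lists.
F_ONE_TO_ONE = [3, 0, 5, 1, 7, 2, 6, 4]   # a permutation: every output hit exactly once
F_TWO_TO_ONE = [0, 0, 2, 2, 4, 4, 6, 6]   # even outputs hit twice, odd outputs never

def multiplicity(f):
    """Full-query Collision Problem check: r if every value in the image of f has
    exactly r preimages, else None. r == 1 is the accept case, r == 2 the reject case."""
    rs = set(Counter(f).values())
    return rs.pop() if len(rs) == 1 else None

def prover_message(f, crs):
    """Honest prover: for each half y_i of the CRS choose x_i with f(x_i) == y_i.
    Returns None when some y_i lies outside the image, so no valid x_i exists."""
    msg = []
    for y in crs:
        pre = [x for x in range(len(f)) if f[x] == y]
        if not pre:
            return None
        msg.append(pre[0])   # unique when f is one-to-one
    return tuple(msg)

def verifier_accepts(f, crs, msg):
    """Verifier: accept iff the message is a pair (x1, x2) with f(x_i) == y_i."""
    return msg is not None and all(f[x] == y for x, y in zip(msg, crs))

def acceptance_probability(f):
    """Exact acceptance probability over a uniform CRS (y1, y2). No prover can do
    better than the honest one: a y_i outside the image has no preimage at all."""
    crs_space = list(product(range(len(f)), repeat=2))
    hits = sum(verifier_accepts(f, crs, prover_message(f, crs)) for crs in crs_space)
    return hits / len(crs_space)

def real_transcripts(f):
    """Distribution of (crs, message) in a real execution with a uniform CRS."""
    return Counter((crs, prover_message(f, crs))
                   for crs in product(range(len(f)), repeat=2))

def simulated_transcripts(f):
    """Simulator: pick x1, x2 uniformly, set the CRS to (f(x1), f(x2)), output (x1, x2).
    Only forward evaluations of f are needed, never a preimage search."""
    return Counter((((f[x1], f[x2])), (x1, x2))
                   for x1, x2 in product(range(len(f)), repeat=2))

def perfectly_simulated(f):
    """True iff the simulated and real transcript distributions are identical."""
    return real_transcripts(f) == simulated_transcripts(f)
```

Running the checks reproduces the three properties from the proof: the one-to-one function is accepted with probability 1 and simulated exactly, while the two-to-one function is accepted with probability 1/4 (half the codomain is missing from the image, so each half of the CRS independently lands in it with probability 1/2).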

4 Conclusion

We constructed a NIPZK query algorithm for the collision problem. Using this algorithm and the quantum query lower bound on the collision problem we have demonstrated the existence of an oracle relative to which NIPZK ⊈ BQP. This result has applications to the quantum-resistance of cryptography and cryptocurrency, where algorithms occasionally rely on non-interactive zero-knowledge proof protocols. Our result suggests that the use of those proofs does not introduce vulnerabilities into those algorithms in the presence of a quantum adversary. The next step would be to extend this oracle separation into an algebraic oracle separation [aaronson-wigderson], which would rule out a wider array of proof techniques and give additional evidence that NIPZK ⊈ BQP.