Results 1  10
of
23
ZeroKnowledge Against Quantum Attacks
 STOC'06
, 2006
"... This paper proves that several interactive proof systems are zeroknowledge against general quantum attacks. This includes the wellknown GoldreichMicaliWigderson classical zeroknowledge protocols for Graph Isomorphism and Graph 3Coloring (assuming the existence of quantum computationally conceal ..."
Abstract

Cited by 34 (0 self)
 Add to MetaCart
This paper proves that several interactive proof systems are zeroknowledge against general quantum attacks. This includes the wellknown GoldreichMicaliWigderson classical zeroknowledge protocols for Graph Isomorphism and Graph 3Coloring (assuming the existence of quantum computationally concealing commitment schemes in the second case). Also included is a quantum interactive protocol for a complete problem for the complexity class of problems having “honest verifier” quantum statistical zeroknowledge proofs, which therefore establishes that honest verifier and general quantum statistical zeroknowledge are equal: QSZK = QSZK HV. Previously no nontrivial proof systems were known to be zeroknowledge against quantum attacks, except in restricted settings such as the honestverifier and common reference string models. This paper therefore establishes for the first time that true zeroknowledge is indeed possible in the presence of quantum information and computation.
On the hardness of distinguishing mixedstate quantum computations
, 2004
"... This paper considers the following problem. Two mixedstate quantum circuits Q0 and Q1 are given, and the goal is to determine which of two possibilities holds: (i) Q0 and Q1 act nearly identically on all possible quantum state inputs, or (ii) there exists some input state ρ that Q0 and Q1 transform ..."
Abstract

Cited by 11 (6 self)
 Add to MetaCart
This paper considers the following problem. Two mixedstate quantum circuits Q0 and Q1 are given, and the goal is to determine which of two possibilities holds: (i) Q0 and Q1 act nearly identically on all possible quantum state inputs, or (ii) there exists some input state ρ that Q0 and Q1 transform into almost perfectly distinguishable outputs. This may be viewed as an abstraction of the problem that asks, given two discrete quantum mechanical processes described by sequences of local interactions, are the processes effectively the same or are they different? We prove that this promise problem is complete for the class QIP of problems having quantum interactive proof systems, and is therefore PSPACEhard. This is in contrast to the fact that the analogous problem for classical (probabilistic) circuits is in AM, and for unitary quantum circuits is in QMA.
Computational indistinguishability between quantum states and its cryptographic application
 Advances in Cryptology – EUROCRYPT 2005
, 2005
"... We introduce a computational problem of distinguishing between two specific quantum states as a new cryptographic problem to design a quantum cryptographic scheme that is “secure ” against any polynomialtime quantum adversary. Our problem QSCDff is to distinguish between two types of random coset s ..."
Abstract

Cited by 7 (5 self)
 Add to MetaCart
We introduce a computational problem of distinguishing between two specific quantum states as a new cryptographic problem to design a quantum cryptographic scheme that is “secure ” against any polynomialtime quantum adversary. Our problem QSCDff is to distinguish between two types of random coset states with a hidden permutation over the symmetric group of finite degree. This naturally generalizes the commonlyused distinction problem between two probability distributions in computational cryptography. As our major contribution, we show three cryptographic properties: (i) QSCDff has the trapdoor property; (ii) the averagecase hardness of QSCDff coincides with its worstcase hardness; and (iii) QSCDff is computationally at least as hard in the worst case as the graph automorphism problem. These cryptographic properties enable us to construct a quantum publickey cryptosystem, which is likely to withstand any chosen plaintext attack of a polynomialtime quantum adversary. We further discuss a generalization of QSCDff, called QSCDcyc, and introduce a multibit encryption scheme relying on the cryptographic properties of QSCDcyc.
Quantum expanders and the quantum entropy difference problem
, 2007
"... Classical expanders and extractors have numerous applications in computer science. However, it seems these classical objects have no meaningful quantum generalization. This is because it is easy to generate entropy in quantum computation simply by tracing out registers. In this paper we define quant ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
Classical expanders and extractors have numerous applications in computer science. However, it seems these classical objects have no meaningful quantum generalization. This is because it is easy to generate entropy in quantum computation simply by tracing out registers. In this paper we define quantum expanders and extractors in a natural way. We show that this definition is exactly what is needed for showing that QED, the quantum analogue of ED (the entropy difference problem) is QSZKcomplete. We also show that quantum expanders exist and with very good parameters in the high minentropy regime. The first construction is derived from the work of Ambainis and Smith and is based on expander graphs that are based on Cayley graphs of Abelian groups. The drawback of this construction is that it uses logarithmic seed length (yet, this already suffices for showing that QED is QSZKcomplete). We also show a quantum analogue of the Lubotzky, Philips and Sarnak construction of Ramanujan expanders from Cayley graphs of PGL(2, q). Our construction is a sequence of two steps on the Cayley graph with a basis change in between steps. We believe this quantum analogue of classical Ramanujan expanders is of independent interest.
General properties of quantum zeroknowledge proofs
 In Proceedings of the Fifth IACR Theory of Cryptography Conference
, 2008
"... This paper studies the complexity classes QZK and HVQZK, the classes of problems having a quantum computational zeroknowledge proof system and an honestverifier quantum computational zeroknowledge proof system, respectively. The results proved in this paper include: • HVQZK = QZK. • Any problem i ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
This paper studies the complexity classes QZK and HVQZK, the classes of problems having a quantum computational zeroknowledge proof system and an honestverifier quantum computational zeroknowledge proof system, respectively. The results proved in this paper include: • HVQZK = QZK. • Any problem in QZK has a publiccoin quantum computational zeroknowledge proof system. • Any problem in QZK has a quantum computational zeroknowledge proof system of perfect completeness. • Any problem in QZK has a threemessage publiccoin quantum computational zeroknowledge proof system of perfect completeness with polynomially small error in soundness (hence with arbitrarily small constant error in soundness). All the results proved in this paper are unconditional, i.e., they do not rely any computational assumptions such as the existence of quantum oneway functions or permutations. For the classes QPZK, HVQPZK, and QSZK of problems having a quantum perfect zeroknowledge proof system, an honestverifier quantum perfect zeroknowledge proof system, and a quantum statistical zeroknowledge proof system, respectively, the following new properties are proved:
Interactive and Noninteractive Zero Knowledge are Equivalent in the Help Model ∗
, 2007
"... We show that interactive and noninteractive zeroknowledge are equivalent in the ‘help model ’ of BenOr and Gutfreund (J. Cryptology, 2003). In this model, the shared reference string is generated by a probabilistic polynomialtime dealer who is given access to the statement to be proven. Our resul ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
We show that interactive and noninteractive zeroknowledge are equivalent in the ‘help model ’ of BenOr and Gutfreund (J. Cryptology, 2003). In this model, the shared reference string is generated by a probabilistic polynomialtime dealer who is given access to the statement to be proven. Our results do not rely on any unproven complexity assumptions and hold for statistical zero knowledge, for computational zero knowledge restricted to AM, and for quantum zero knowledge when the help is a pure quantum state.
New limits to classical and quantum instance compression
 In IEEE Symp. on Foundations of Computer Science (FOCS), 2012. [FRR+ 10] Sebastian Faust, Tal Rabin, Leonid Reyzin, Eran Tromer, and Vinod Vaikuntanathan
"... Given an instance of a hard decision problem, a limited goal is to compress that instance into a smaller, equivalent instance of a second problem. As one example, consider the problem where, given Boolean formulas ψ 1,..., ψ t, we must determine if at least one ψ j is satisfiable. An ORcompression ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Given an instance of a hard decision problem, a limited goal is to compress that instance into a smaller, equivalent instance of a second problem. As one example, consider the problem where, given Boolean formulas ψ 1,..., ψ t, we must determine if at least one ψ j is satisfiable. An ORcompression scheme for SAT is a polynomialtime reduction R that maps (ψ 1,..., ψ t) to a string z, such that z lies in some “target ” language L ′ if and only if ∨ j [ψj ∈ SAT] holds. (Here, L ′ can be arbitrarily complex.) ANDcompression schemes are defined similarly. A compression scheme is strong if z  is polynomially bounded in n = maxj ψ j , independent of t. Strong compression for SAT seems unlikely. Work of Harnik and Naor (FOCS ’06/SICOMP ’10) and Bodlaender, Downey, Fellows, and Hermelin (ICALP ’08/JCSS ’09) showed that the infeasibility of strong ORcompression for SAT would show limits to instance compression for a large number of natural problems. Bodlaender et al. also showed that the infeasibility of strong ANDcompression for SAT would have consequences for a different list of problems. Motivated by this, Fortnow and Santhanam (STOC ’08/JCSS ’11) showed that if SAT is strongly ORcompressible,
An application of quantum finite automata to interactive proof systems
 in Proc. 9th International Conference on Implementation and Application of Automata, LNCS, Vol.3317
, 2004
"... Abstract: Quantum finite automata have been studied intensively since their introduction in late 1990s as a natural model of a quantum computer with finitedimensional quantum memory space. This paper seeks their direct application to interactive proof systems in which a mighty quantum prover commun ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Abstract: Quantum finite automata have been studied intensively since their introduction in late 1990s as a natural model of a quantum computer with finitedimensional quantum memory space. This paper seeks their direct application to interactive proof systems in which a mighty quantum prover communicates with a quantumautomaton verifier through a common communication cell. Our quantum interactive proof systems are juxtaposed to DworkStockmeyer’s classical interactive proof systems whose verifiers are twoway probabilistic automata. We demonstrate strengths and weaknesses of our systems and further study how various restrictions on the behaviors of quantumautomaton verifiers affect the power of quantum interactive proof systems.
QuantumSecure CoinFlipping and Applications
, 903
"... Abstract. In this paper, we prove a wellknown classical coinflipping protocol secure in the presence of quantum adversaries. More precisely, we show that the protocol implements a natural ideal functionality for coinflipping. The proof uses a recent result of Watrous [Wat06] that allows quantum r ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
Abstract. In this paper, we prove a wellknown classical coinflipping protocol secure in the presence of quantum adversaries. More precisely, we show that the protocol implements a natural ideal functionality for coinflipping. The proof uses a recent result of Watrous [Wat06] that allows quantum rewinding for protocols of a certain form. We then discuss two applications. First, the combination of coinflipping with any noninteractive zeroknowledge protocol leads to an easy transformation from noninteractive zeroknowledge to interactive quantum zeroknowledge. Second, we discuss how our protocol can be applied to a recently proposed method for improving the security of quantum protocols [DFL + 09], resulting in an implementation without setup assumptions.