## Limits on the Power of Quantum Statistical Zero-Knowledge (2003)

### Cached

### Download Links

Citations: | 27 - 3 self |

### BibTeX

@MISC{Watrous03limitson,

author = {John Watrous},

title = {Limits on the Power of Quantum Statistical Zero-Knowledge },

year = {2003}

}

### OpenURL

### Abstract

In this paper we propose a definition for honest verifier quantum statistical zero-knowledge interactive proof systems and study the resulting complexity class, which we denote QSZK

### Citations

1512 |
Quantum computation and quantum information
- Nielsen, Chuang
- 2000
(Show Context)
Citation Context ...arity with the quantum formalism, including the quantum circuit model and definitions of mixed quantum states, trace distance, and fidelity (all of which are discussed in detail in Nielsen and Chuang =-=[22]-=-). 2.1. (Honest verifier) quantum statistical zeroknowledge In the classical case, the zero-knowledge property concerns the distribution of possible conversations between the prover and verifier from ... |

1086 | The Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Micali, et al.
- 1985
(Show Context)
Citation Context ...power [3, 8]. In this paper we consider the potential advantages of quantum variants of zero-knowledge proof systems. Zeroknowledge proof systems were first defined by Goldwasser, Micali, and Rackoff =-=[14]-=- in 1985, are have since been studied extensively in complexity theory and cryptography. Familiarity with the basics of zero-knowledge proof systems is assumed in this paper; see, for instance, Goldre... |

941 | Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer
- Shor
- 1996
(Show Context)
Citation Context ...mples of such advantages include: polynomial-time quantum algorithms for factoring, computing discrete logarithms, and several believed-to-be intractable group-theoretic and number-theoretic problems =-=[5, 16, 17, 18, 21, 26, 30]-=-; information-theoretically secure quantum key-distribution [4, 27]; and exponentially more efficient quantum than classical communication-complexity protocols [24]. Equally important for understandin... |

651 |
Quantum cryptography: Public key distribution and coin tossing
- Bennett, Brassard
- 1984
(Show Context)
Citation Context ...puting discrete logarithms, and several believed-to-be intractable group-theoretic and number-theoretic problems [5, 16, 17, 18, 21, 26, 30]; information-theoretically secure quantum key-distribution =-=[4, 27]-=-; and exponentially more efficient quantum than classical communication-complexity protocols [24]. Equally important for understanding the power of quantum models are upper bounds and impossibility pr... |

390 | Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems
- Goldreich, Micali, et al.
- 1991
(Show Context)
Citation Context ...at SZK has natural complete promise problems [13, 25]. Several interesting problems such as Graph Isomorphism and Quadratic Residuosity are known to be contained in SZK but are not known to be in BPP =-=[11, 14]-=-. For further information on statistical zero-knowledge we refer the reader to Okamoto [23], Sahai and Vadhan [25], and Vadhan [28]. To our knowledge, no formal definitions for quantum zero-knowledge ... |

321 | Strengths and weaknesses of quantum computing
- Bennett, Bernstein, et al.
- 1997
(Show Context)
Citation Context ...mpossibility proofs, such as the containment of BQP in PP [1, 8], the impossibility of quantum bit commitment [20], and the existence of oracles relative to which quantum computers have limited power =-=[3, 8]-=-. In this paper we consider the potential advantages of quantum variants of zero-knowledge proof systems. Zeroknowledge proof systems were first defined by Goldwasser, Micali, and Rackoff [14] in 1985... |

279 | Quantum lower bounds by polynomials
- Beals, Buhrman, et al.
(Show Context)
Citation Context ...h as the containment of BQP in PP [2, 15], the impossibility of quantum bit commitment [27], and the existence of oracles and black-box problems relative to which quantum computers have limited power =-=[1, 5, 6, 7, 1-=-5]. In this paper we consider the potential advantages of quantum variants of zero-knowledge proof systems. Zero-knowledge proof systems weresrst dened by Goldwasser, Micali, and Racko [20] in 1985, a... |

160 |
Simple proof of security of the BB84 quantum key distribution protocol. Available as arXiv.org e-Print quant-ph/0003004
- Shor, Preskill
- 2000
(Show Context)
Citation Context ...puting discrete logarithms, and several believed-to-be intractable group-theoretic and number-theoretic problems [5, 16, 17, 18, 21, 26, 30]; information-theoretically secure quantum key-distribution =-=[4, 27]-=-; and exponentially more efficient quantum than classical communication-complexity protocols [24]. Equally important for understanding the power of quantum models are upper bounds and impossibility pr... |

151 | Quantum lower bounds by quantum arguments
- Ambainis
(Show Context)
Citation Context ...h as the containment of BQP in PP [2, 15], the impossibility of quantum bit commitment [27], and the existence of oracles and black-box problems relative to which quantum computers have limited power =-=[1, 5, 6, 7, 1-=-5]. In this paper we consider the potential advantages of quantum variants of zero-knowledge proof systems. Zero-knowledge proof systems weresrst dened by Goldwasser, Micali, and Racko [20] in 1985, a... |

150 | Quantum measurements and the Abelian stabilizer problem. Available as arXiv.org e-Print quant-ph/9511026
- Kitaev
- 1995
(Show Context)
Citation Context ...mples of such advantages include: polynomial-time quantum algorithms for factoring, computing discrete logarithms, and several believed-to-be intractable group-theoretic and number-theoretic problems =-=[5, 16, 17, 18, 21, 26, 30]-=-; information-theoretically secure quantum key-distribution [4, 27]; and exponentially more efficient quantum than classical communication-complexity protocols [24]. Equally important for understandin... |

143 | Unconditionally secure quantum bit commitment is impossible
- Mayers
- 1997
(Show Context)
Citation Context ...4]. Equally important for understanding the power of quantum models are upper bounds and impossibility proofs, such as the containment of BQP in PP [1, 8], the impossibility of quantum bit commitment =-=[20]-=-, and the existence of oracles relative to which quantum computers have limited power [3, 8]. In this paper we consider the potential advantages of quantum variants of zero-knowledge proof systems. Ze... |

124 | Modern Cryptography, Probabilistic Proofs and Pseudo-Randomness
- GOLDREICH
- 1999
(Show Context)
Citation Context ...1985, are have since been studied extensively in complexity theory and cryptography. Familiarity with the basics of zero-knowledge proof systems is assumed in this paper; see, for instance, Goldreich =-=[9, 10]-=- for background on zero-knowledge. Several notions of zero-knowledge have been studied, but we will only consider statistical zero-knowledge in this paper. Moreover, we will focus on honest verifier s... |

115 | Quantum circuits with mixed states
- Aharonov, Kitaev, et al.
- 1998
(Show Context)
Citation Context ...scussion of the unitary quantum circuit model, while a discussion of the more general model (including a proof that the two models are equivalent in power) can be found in Aharonov, Kitaev, and Nisan =-=[-=-3]. Although the unitary quantum circuit model has been shown to be equivalent in power to the more general quantum circuit model, we hasten to add that our denition for honest verier quantum statisti... |

113 | Measurement-only topological quantum computation
- Bonderson, Freedman, et al.
- 2008
(Show Context)
Citation Context ...ar with the study of (classical) interactive proof systems. 2.1 The quantum formalism Detailed discussions of the quantum formalism can be found in Nielsen and Chuang [31] and Kitaev, Shen and Vyalyi =-=[26]-=-. Recall that a pure quantum state of an n-qubit quantum system can be represented as a unit vector in the Hilbert space H that consists of all linear mappings from f0; 1g n to the complex numbers. Co... |

112 |
The complexity of promise problems with applications to public-key cryptography
- Even, Selman, et al.
- 1984
(Show Context)
Citation Context ..., and no requirement is made in case the input string is not in A yes [ A no . Ordinary decision problems are a special case of promise problem where A yes [ A no = . See Even, Selman, and Yacobi [6=-=]-=- for further information on promise problems. Our above definition for QSZK HV is stated in terms of decision problems, but may be rephrased in terms of promise problems in the straightforward way. We... |

110 | Quantum computability
- Adleman, DeMarrais, et al.
- 1997
(Show Context)
Citation Context ...than classical communication-complexity protocols [24]. Equally important for understanding the power of quantum models are upper bounds and impossibility proofs, such as the containment of BQP in PP =-=[1, 8]-=-, the impossibility of quantum bit commitment [20], and the existence of oracles relative to which quantum computers have limited power [3, 8]. In this paper we consider the potential advantages of qu... |

97 | On relating time and space to size and depth
- Borodin
- 1977
(Show Context)
Citation Context ...on s(n) log n, NC(2 s ) denotes the class of languages computable by space O(s)-uniform boolean circuits having size 2 O(s) and depth s O(1) [10]. The class NC(2 s ) is contained in DSPACE(s O(1) ) [9]. Thus, it will suce to prove that (;s)-QSD is contained in NC(2 n ). Let (Q 0 ; Q 1 ) be an input pair of quantum circuits specifying density matrices ( 0 ; 1 ) on k qubits, and let n be the leng... |

95 | Complexity limitations on quantum computation
- Fortnow, Rogers
- 1999
(Show Context)
Citation Context ...than classical communication-complexity protocols [24]. Equally important for understanding the power of quantum models are upper bounds and impossibility proofs, such as the containment of BQP in PP =-=[1, 8]-=-, the impossibility of quantum bit commitment [20], and the existence of oracles relative to which quantum computers have limited power [3, 8]. In this paper we consider the potential advantages of qu... |

90 |
Fast parallel matrix inversion algorithms
- Csanky
- 1976
(Show Context)
Citation Context ...p can be performed in NC; simple arithmetic operations and multiplication of matrices are well-known to be in NC, the fact that the characteristic polynomial can be computed in NC was shown by Csanky =-=[1-=-2], and polynomial root approximation was shown to be in NC by Ne [30]. 22 Proof of Corollary 20. [Sketch] By Theorem 14 it suces to show that (;s)-QSD is in PSPACE. Recall that for any function s(n) ... |

89 | The complexity of perfect zero-knowledge
- Fortnow
- 1989
(Show Context)
Citation Context ...knowledge proof system against any verifier. The class of languages having statistical zero-knowledge proof systems is denoted SZK; it is known that SZK is closed under complement [23], that SZK AM [=-=2, 7]-=-, and that SZK has natural complete promise problems [13, 25]. Several interesting problems such as Graph Isomorphism and Quadratic Residuosity are known to be contained in SZK but are not known to be... |

82 | Polynomial-time quantum algorithms for Pell’s equation and the principal ideal problem
- Hallgren
- 2002
(Show Context)
Citation Context ...mples of such advantages include: polynomial-time quantum algorithms for factoring, computing discrete logarithms, and several believed-to-be intractable group-theoretic and number-theoretic problems =-=[5, 16, 17, 18, 21, 26, 30]-=-; information-theoretically secure quantum key-distribution [4, 27]; and exponentially more efficient quantum than classical communication-complexity protocols [24]. Equally important for understandin... |

80 | Exponential separation of quantum and classical communication complexity
- Raz
- 1999
(Show Context)
Citation Context ...tic problems [5, 16, 17, 18, 21, 26, 30]; information-theoretically secure quantum key-distribution [4, 27]; and exponentially more efficient quantum than classical communication-complexity protocols =-=[24]-=-. Equally important for understanding the power of quantum models are upper bounds and impossibility proofs, such as the containment of BQP in PP [1, 8], the impossibility of quantum bit commitment [2... |

67 | Statistical zero-knowledge languages can be recognized in two rounds
- Aiello, H̊astad
- 1991
(Show Context)
Citation Context ...knowledge proof system against any verifier. The class of languages having statistical zero-knowledge proof systems is denoted SZK; it is known that SZK is closed under complement [23], that SZK AM [=-=2, 7]-=-, and that SZK has natural complete promise problems [13, 25]. Several interesting problems such as Graph Isomorphism and Quadratic Residuosity are known to be contained in SZK but are not known to be... |

62 |
Parallel computation for well-endowed rings and space-bounded probabilistic machines
- Borodin, Cook, et al.
- 1983
(Show Context)
Citation Context ...w that (;s)-QSD is in PSPACE. Recall that for any function s(n) log n, NC(2 s ) denotes the class of languages computable by space O(s)-uniform boolean circuits having size 2 O(s) and depth s O(1) [1=-=0-=-]. The class NC(2 s ) is contained in DSPACE(s O(1) ) [9]. Thus, it will suce to prove that (;s)-QSD is contained in NC(2 n ). Let (Q 0 ; Q 1 ) be an input pair of quantum circuits specifying density ... |

60 | Parallelization, amplification, and exponential time simulation of quantum interactive proof system
- Kitaev, Watrous
- 2000
(Show Context)
Citation Context ...ate Distinguishability problem, which is shown to be complete for QSZK HV in subsequent sections. We assume the reader is familiar with quantum interactive proof systems, which are discussed in Refs. =-=[19, 29]-=- and are reviewed in the complete version of the paper. We also assume familiarity with the quantum formalism, including the quantum circuit model and definitions of mixed quantum states, trace distan... |

60 | Quantum lower bound for the collision problem
- Aaronson
- 2002
(Show Context)
Citation Context ...h as the containment of BQP in PP [2, 15], the impossibility of quantum bit commitment [27], and the existence of oracles and black-box problems relative to which quantum computers have limited power =-=[1, 5, 6, 7, 1-=-5]. In this paper we consider the potential advantages of quantum variants of zero-knowledge proof systems. Zero-knowledge proof systems weresrst dened by Goldwasser, Micali, and Racko [20] in 1985, a... |

47 | Honest verifier statistical zero knowledge equals general statistical zero knowledge
- Goldreich, Sahai, et al.
- 1998
(Show Context)
Citation Context ...specified protocol (as opposed to a verifier that may intentionally deviate from the specified protocol in order to gain knowledge). In the classical case it was proved by Goldreich, Sahai and Vadhan =-=[12]-=- that any honest verifier statistical zero-knowledge proof system can be transformed into a statistical zero-knowledge proof system against any verifier. The class of languages having statistical zero... |

43 | On relationships between statistical zero-knowledge proofs
- Okamoto
(Show Context)
Citation Context ... a statistical zero-knowledge proof system against any verifier. The class of languages having statistical zero-knowledge proof systems is denoted SZK; it is known that SZK is closed under complement =-=[23-=-], that SZK AM [2, 7], and that SZK has natural complete promise problems [13, 25]. Several interesting problems such as Graph Isomorphism and Quadratic Residuosity are known to be contained in SZK b... |

38 | A complete promise problem for statistical zero-knowledge
- Sahai, Vadhan
- 1997
(Show Context)
Citation Context ...r preparing two mixed quantum states, are the states close together or far apart in the trace norm metric? This problem is a quantum generalization of the complete promise problem of Sahai and Vadhan =-=[-=-25] for (classical) statistical zeroknowledge. QSZK HV is closed under complement. QSZK HV PSPACE. (At present it is not known if arbitrary quantum interactive proof systems can be simulated in PSP... |

37 | Quantum algorithms for solvable groups
- Watrous
- 2001
(Show Context)
Citation Context |

36 | PSPACE has constant-round quantum interactive proof systems
- Watrous
- 1999
(Show Context)
Citation Context ...ate Distinguishability problem, which is shown to be complete for QSZK HV in subsequent sections. We assume the reader is familiar with quantum interactive proof systems, which are discussed in Refs. =-=[19, 29]-=- and are reviewed in the complete version of the paper. We also assume familiarity with the quantum formalism, including the quantum circuit model and definitions of mixed quantum states, trace distan... |

32 |
Degrees of concealment and bindingness in quantum bitcommitment protocols. Physical Review A, 65: article 123410
- Spekkens, Rudolph
- 2002
(Show Context)
Citation Context ...]. Next, we mention an inequality concerning thesdelity that will be useful later. Lemma 3 For any ; ; 2 D(H), we have F (; ) 2 + F (; ) 2 1 + F (; ). Proofs of this lemma appear in Refs. [29, 37]. Finally, the following theorem gives a useful relation between the trace norm and thesdelity that will be used several times. A proof may be found in Section 9.2.3 of Nielsen and Chuang [31]. Theore... |

31 | Comparing entropies in statistical zero-knowledge with applications to the structure of SZK
- Goldreich, Vadhan
- 1999
(Show Context)
Citation Context ...anguages having statistical zero-knowledge proof systems is denoted SZK; it is known that SZK is closed under complement [23], that SZK AM [2, 7], and that SZK has natural complete promise problems [=-=13, 25]-=-. Several interesting problems such as Graph Isomorphism and Quadratic Residuosity are known to be contained in SZK but are not known to be in BPP [11, 14]. For further information on statistical zero... |

31 |
Quantum Computer Algorithms
- Mosca
- 1999
(Show Context)
Citation Context |

31 |
A Study of Statistical Zero-Knowledge Proofs
- Vadhan
- 1999
(Show Context)
Citation Context ... are known to be contained in SZK but are not known to be in BPP [11, 14]. For further information on statistical zero-knowledge we refer the reader to Okamoto [23], Sahai and Vadhan [25], and Vadhan =-=[28]-=-. To our knowledge, no formal definitions for quantum zero-knowledge proof systems have previously appeared in the literature. However, the question of whether quantum information allows for an extens... |

30 | Zero-knowledge twenty years after its invention
- Goldreich
(Show Context)
Citation Context ...n studied extensively in complexity theory and cryptography. Familiarity with the basics of zero-knowledge proof systems is assumed in this paper. For a recent survey on zero-knowledge, see Goldreich =-=[16-=-]. Several notions of zero-knowledge have been studied, but we will only consider statistical zeroknowledge in this paper. Moreover, we will focus on honest verier statistical zero-knowledge, which me... |

21 |
Decomposing finite Abelian groups
- Cheung, Mosca
(Show Context)
Citation Context |

13 | A taxonomy of proof systems
- Goldreich
- 1997
(Show Context)
Citation Context ...1985, are have since been studied extensively in complexity theory and cryptography. Familiarity with the basics of zero-knowledge proof systems is assumed in this paper; see, for instance, Goldreich =-=[9, 10]-=- for background on zero-knowledge. Several notions of zero-knowledge have been studied, but we will only consider statistical zero-knowledge in this paper. Moreover, we will focus on honest verifier s... |

13 |
Specified precision polynomial root isolation is in NC
- Neff
- 1994
(Show Context)
Citation Context ...ion of matrices are well-known to be in NC, the fact that the characteristic polynomial can be computed in NC was shown by Csanky [12], and polynomial root approximation was shown to be in NC by Neff =-=[30]-=-. 22Proof of Corollary 20. [Sketch] By Theorem 14 it suffices to show that (α,β)-QSD is in PSPACE. Recall that for any function s(n) ≥ log n, NC(2 s ) denotes the class of languages computable by spa... |

12 |
The knowledge-complexity of interactive proof systems
- Goldwasser, Micali, et al.
- 1989
(Show Context)
Citation Context ...d power [3, 8]. In this paper we consider the potential advantages ofquantum variants of zero-knowledge proof systems. Zeroknowledge proof systems were first defined by Goldwasser,Micali, and Rackoff =-=[14]-=- in 1985, are have since been studied extensively in complexity theory and cryptography. Fa-miliarity with the basics of zero-knowledge proof systems is assumed in this paper; see, for instance, Goldr... |

12 | Specified precision polynomial root isolation is in - Neff - 1994 |

5 |
Parallelization, ampli and exponential time simulation of quantum interactive proof systems
- Kitaev, Watrous
- 2000
(Show Context)
Citation Context ...uantum circuits, however, and wesnd that this notion is more convenient than the usual notion of uniformity. 2.3 Quantum interactive proofs Quantum interactive proofs were dened and studied in Refs. [=-=25, 3-=-9]. As in the classical case, a quantum interactive proof system consists of two parties, a prover with unlimited computation power and a computationally bounded verier. Quantum interactive proofs die... |

5 |
Decomposing Finite Abelian Groups. Quantum Information and Computation
- Cheung, Mosca
- 2001
(Show Context)
Citation Context ...xamples of such advantages include: polynomial-time quantum algorithms for factoring,computing discrete logarithms, and several believed-to-be intractable group-theoretic and number-theoretic problems=-=[5, 16, 17, 18, 21, 26, 30]-=-; information-theoretically secure quantum key-distribution [4, 27]; and exponentially moreefficient quantum than classical communication-complexity protocols [24]. Equally important for understanding... |

4 |
de Graaf. Towards a formal definition of security for quantum protocols
- van
- 1997
(Show Context)
Citation Context ...at difficulties arise when classical definitions for zeroknowledge are translated to the quantum setting in the most straightforward ways. For a further discussion of these problems, see van de Graaf =-=[15]-=-. The goal of this paper is not to attempt to resolve these difficulties, or to propose a definition for quantum zeroknowledge that is satisfying from a cryptographic point of view. Rather, our goal i... |

4 |
Honest-veri statistical zero-knowledge equals general statistical zeroknowledge
- Goldreich, Sahai, et al.
- 1998
(Show Context)
Citation Context ...he specied protocol (as opposed to a verier that may intentionally deviate from the specied protocol in order to gain knowledge). In the classical case it was proved by Goldreich, Sahai and Vadhan [18] that any honest verier statistical zero-knowledge proof system can be transformed into a statistical zero-knowledge proof system against any verier. The class of languages having statistical zero-k... |

2 |
Efficient algorithms for some instances of the non-Abelian hidden subgroup problem
- Ivanyos, Magniez, et al.
- 2001
(Show Context)
Citation Context |

2 |
Quantum Computation ands Quantum Information (Cambridge
- Nielsen, Chuang
- 2000
(Show Context)
Citation Context ...rity with the quantum formalism, including the quantum circuit model and definitions of mixed quan-tum states, trace distance, and fidelity (all of which are discussed in detail in Nielsen and Chuang =-=[22]-=-). 2.1. (Honest verifier) quantum statistical zero-knowledge In the classical case, the zero-knowledge property con-cerns the distribution of possible conversations between the prover and verifier fro... |

2 |
Bit-commitment based coin flipping. Available as arXiv.org e-Print quant-ph/0206123
- Nayak, Shor
- 2002
(Show Context)
Citation Context ...ng [31]. Next, we mention an inequality concerning the fidelity that will be useful later. Lemma 3 For any ρ,ξ,σ ∈ D(H), we have F(ρ,σ) 2 + F(σ,ξ) 2 ≤ 1 + F(ρ,ξ). Proofs of this lemma appear in Refs. =-=[29, 37]-=-. Finally, the following theorem gives a useful relation between the trace norm and the fidelity that will be used several times. A proof may be found in Section 9.2.3 of Nielsen and Chuang [31]. Theo... |

1 |
Decomposing Abelian groups. arXiv.org e-Print quantph /0101004
- Cheung, Mosca
- 2001
(Show Context)
Citation Context ...mples of such advantages include: polynomial-time quantum algorithms for factoring, computing discrete logarithms, and various believed-to-be intractable group-theoretic and number-theoretic problems =-=[11, 22, 23, 24, 28, 35, 40]-=-; information-theoretically secure quantum key-distribution [8, 36]; and exponentially more ecient quantum than classical communication-complexity protocols [33]. Equally important for understanding t... |

1 |
de Graaf. Towards a formal de of security for quantum protocols
- van
- 1997
(Show Context)
Citation Context ... that diculties arise when classical denitions for zero-knowledge are translated to the quantum setting in the most straightforward ways. For a further discussion of these problems, see van de Graaf [=-=21-=-]. The goal of this paper is not to attempt to resolve these diculties, or to propose a denition for quantum zero-knowledge that is intended to be satisfying from a cryptographic point of view. Rather... |