Contributed Talks 1: Post-quantum (Chair: Carl Miller)
contributed
Mon, 23 Aug
, 16:00 - 16:30
- On the Compressed-Oracle Technique, and Post-Quantum Security of Proofs of Sequential WorkKai-Min Chung (Academia Sinica, Taiwan); Serge Fehr (CWI Cryptology Group and Leiden University, The Netherlands); Yu-Hsuan Huang (Academia Sinica, Taiwan); Tai-Ning Liao (National Taiwan University, Taiwan)[abstract]Abstract: We revisit the so-called compressed oracle technique, introduced by Zhandry for analyzing quantum algorithms in the quantum random oracle model (QROM). To start off with, we offer a concise exposition of the technique, which easily extends to the parallel-query QROM, where in each query-round the considered algorithm may make several queries to the QROM in parallel. This variant of the QROM allows for a more fine-grained query-complexity analysis. Our main technical contribution is a framework that simplifies the use of (the parallel-query generalization of) the compressed oracle technique for proving query complexity results. With our framework in place, whenever applicable, it is possible to prove quantum query complexity lower bounds by means of purely classical reasoning. More than that, for typical examples the crucial classical observations that give rise to the classical bounds are sufficient to conclude the corresponding quantum bounds. We demonstrate this on a few examples, recovering known results (like the optimality of parallel Grover), but also obtaining new results (like the optimality of parallel BHT collision search). Our main target is the hardness of finding a q-chain with fewer than q parallel queries, i.e., a sequence x_0, x_1..., x_q with x_i = H(x_{i-1}) for all 1 <= i <= q. The above problem of finding a hash chain is of fundamental importance in the context of proofs of sequential work. Indeed, as a concrete cryptographic application of our techniques, we prove that the "Simple Proofs of Sequential Work" proposed by Cohen and Pietrzak remains secure against quantum attacks. Such an analysis is not simply a matter of plugging in our new bound; the entire protocol needs to be analyzed in the light of a quantum attack. Thanks to our framework, this can now be done with purely classical reasoning.Presenter live session: Yu-Hsuan Huang
- Post-Quantum Succinct ArgumentsAlessandro Chiesa (UC Berkeley); Fermi Ma (Princeton and NTT Research); Nicholas Spooner (Boston University); Mark Zhandry (Princeton and NTT Research)[abstract]Abstract: We prove that Kilian's four-message succinct argument system is post-quantum secure in the standard model when instantiated with any probabilistically checkable proof and any collapsing hash function (which in turn exist based on the post-quantum hardness of Learning with Errors). At the heart of our proof is a new "measure-and-repair" quantum rewinding procedure that achieves asymptotically optimal knowledge error.Presenter live session: Nick Spooner
- On the Round Complexity of Secure Quantum ComputationJames Bartusek (UC Berkeley); Andrea Coladangelo (UC Berkeley); Dakshita Khurana (UIUC); Fermi Ma (Princeton University and NTT Research)[abstract]Abstract: We construct the first constant-round protocols for secure quantum computation in the two-party (2PQC) and multi-party (MPQC) settings with security against malicious adversaries. Our protocols are in the common random string (CRS) model. - Assuming two-message oblivious transfer (OT), we obtain (i) three-message 2PQC, and (ii) five-round MPQC with only three rounds of online (input-dependent) communication; such OT is known from quantum-hard Learning with Errors (QLWE). - Assuming sub-exponential hardness of QLWE, we obtain (i) three-round 2PQC with two online rounds and (ii) four-round MPQC with two online rounds. - When only one (out of two) parties receives output, we achieve minimal interaction (two messages) from two-message OT; classically, such protocols are known as non-interactive secure computation (NISC), and our result constitutes the first maliciously-secure quantum NISC. Additionally assuming reusable malicious designated-verifier NIZK arguments for NP (MDV-NIZKs), we give the first MDV-NIZKs for QMA that only require one copy of the witness. Finally, we perform a preliminary investigation into two-round secure quantum computation where each party must obtain output. On the negative side, we identify a broad class of simulation strategies that suffice for classical two-round secure computation that are unlikely to work in the quantum setting. Next, as a proof-of-concept, we show that two-round secure quantum computation exists with respect to a quantum oracle.Presenter live session: James Bartusek