Oblivious Transfer from Zero-Knowledge Proofs, or How to Achieve Round-Optimal Quantum Oblivious Transfer and Zero-Knowledge Proofs on Quantum States

Léo Colisson, Garazi Muguruza, Florian Speelman

TL;DR

The paper develops a framework to translate any classical Zero-Knowledge (ZK) protocol into a composable quantum oblivious transfer (OT) protocol, achieving round-optimal performance in the random oracle model with a 2-message OT and extending to string and k-out-of-n OT. Central to the construction is ZKoQS, a quantum analogue of ZK that proves properties about quantum states without revealing witnesses, formalized via quantum languages and complexity classes such as ZKstatesQIP and ZKstatesQMA. The authors introduce postponable measurements and a suite of ideal functionalities to modularize security proofs, enabling a clean simulation-based reduction from OT to ZK assumptions and non-interactive ZK (NIZK) in RO or CRS settings. They also discuss concurrent work, open problems, and potential extensions to the plain model and weaker assumptions, illustrating the broad applicability and potential impact of ZKoQS for quantum cryptography and complexity theory.

Abstract

We provide a generic construction to turn any classical Zero-Knowledge (ZK) protocol into a composable (quantum) oblivious transfer (OT) protocol, mostly lifting the round-complexity properties and security guarantees (plain-model/statistical security/unstructured functions...) of the ZK protocol to the resulting OT protocol. Such a construction is unlikely to exist classically as Cryptomania is believed to be different from Minicrypt. In particular, by instantiating our construction using Non-Interactive ZK (NIZK), we provide the first round-optimal (2-message) quantum OT protocol secure in the random oracle model, and round-optimal extensions to string and k-out-of-n OT. At the heart of our construction lies a new method that allows us to prove properties on a received quantum state without revealing additional information on it, even in a non-interactive way, without public-key primitives, and/or with statistical guarantees when using an appropriate classical ZK protocol. We can notably prove that a state has been partially measured (with arbitrary constraints on the set of measured qubits), without revealing any additional information on this set. This notion can be seen as an analog of ZK to quantum states, and we expect it to be of independent interest as it extends complexity theory to quantum languages, as illustrated by the two new complexity classes we introduce, ZKstatesQIP and ZKstatesQMA.

Paper Structure

This paper contains 31 sections, 3 theorems, 18 equations, 15 figures and 1 algorithm.

Key Result

Theorem (informal; the statement is truncated in the source)

There exists a (non-black-box

Footnote (truncated in the source): Our protocol requires the use of a hash function $h$: since we need to prove statements on preimages of $h$ in a ZK protocol, this makes our protocol non-black-box with respect to $h$, since the circuit of $h$ must be known to the verifier. Therefore, even if the assumpti

Figures (15)

  • Figure 1: Comparison with related works. "RO" stands for Random Oracle, "Plain M." stands for "plain model", "Like ZK" means that the properties (mostly) inherit from the properties of the underlying ZK protocol, and the party in the "statistical" column is the malicious party allowed to be unbounded to obtain statistical security. Note that using [WW06_ObliviousTransferSymmetric] we can get statistical security against the other party (of course we lose the statistical security against the first party [Lo97_InsecurityQuantumSecure]), at the cost of an additional message. This list only considers standard bit or string OT (notably [BKS23_SecureComputationShared] also provides a $1$-message protocol in the (strong) shared-EPR model, but for a randomized version of OT).
  • Figure 2: Real-world and ideal-world executions when Bob is malicious.
  • Figure 3: $\mathsf{World}_0$
  • Figure 4: $\mathsf{World}_1$
  • Figure 5: $\mathsf{World}_2$
  • ...and 10 more figures

Theorems & Definitions (17)

  • Theorem (informal)
  • Theorem (informal)
  • Theorem (informal)
  • Remark
  • Definition
  • Definition: Indistinguishable random variables
  • Definition: Indistinguishable quantum maps
  • Definition: Quantum stand-alone realization of a functionality [HSS11_ClassicalCryptographicProtocols]
  • Definition: Functionality for bit oblivious transfer [HSS11_ClassicalCryptographicProtocols]
  • Definition: Functionality for predicate oblivious transfer
  • ...and 7 more