-
Exponential Quantum One-Wayness and EFI Pairs
Authors:
Giulio Malavolta,
Tomoyuki Morimae,
Michael Walter,
Takashi Yamakawa
Abstract:
In classical cryptography, one-way functions are widely considered to be the minimal computational assumption. However, when taking quantum information into account, the situation is more nuanced. There are currently two major candidates for the minimal assumption: the search-type quantum generalization of one-way functions is one-way state generators (OWSGs), whereas the decisional variant is EFI pairs. A well-known open problem in quantum cryptography is to understand how these two primitives are related. A recent breakthrough result of Khurana and Tomer (STOC'24) shows that OWSGs imply EFI pairs, for the restricted case of pure states.
In this work, we make progress towards understanding the general case. To this end, we define the notion of inefficiently-verifiable one-way state generators (IV-OWSGs), where the verification algorithm is not required to be efficient, and show that these are precisely equivalent to EFI pairs, with an exponential loss in the reduction. Significantly, this equivalence holds also for mixed states. Thus our work establishes the following relations among these fundamental primitives of quantum cryptography: (mixed) OWSGs => (mixed) IV-OWSGs $\equiv_{\rm exp}$ EFI pairs, where $\equiv_{\rm exp}$ denotes equivalence up to exponential security of the primitives.
Submitted 21 April, 2024;
originally announced April 2024.
-
A Computational Tsirelson's Theorem for the Value of Compiled XOR Games
Authors:
David Cui,
Giulio Malavolta,
Arthur Mehta,
Anand Natarajan,
Connor Paddock,
Simon Schmidt,
Michael Walter,
Tina Zhang
Abstract:
Nonlocal games are a foundational tool for understanding entanglement and constructing quantum protocols in settings with multiple spatially separated quantum devices. In this work, we continue the study initiated by Kalai et al. (STOC '23) of compiled nonlocal games, played between a classical verifier and a single cryptographically limited quantum device. Our main result is that the compiler proposed by Kalai et al. is sound for any two-player XOR game. A celebrated theorem of Tsirelson shows that for XOR games, the quantum value is exactly given by a semidefinite program, and we obtain our result by showing that the SDP upper bound holds for the compiled game up to a negligible error arising from the compilation. This answers a question raised by Natarajan and Zhang (FOCS '23), who showed soundness for the specific case of the CHSH game. Using our techniques, we obtain several additional results, including (1) tight bounds on the compiled value of parallel-repeated XOR games, (2) operator self-testing statements for any compiled XOR game, and (3) a "nice" sum-of-squares certificate for any XOR game, from which operator rigidity is manifest.
Submitted 27 February, 2024;
originally announced February 2024.
-
Public-Key Encryption with Quantum Keys
Authors:
Khashayar Barooti,
Alex B. Grilo,
Loïs Huguenin-Dumittan,
Giulio Malavolta,
Or Sattath,
Quoc-Huy Vu,
Michael Walter
Abstract:
In the framework of Impagliazzo's five worlds, a distinction is often made between two worlds, one where public-key encryption exists (Cryptomania), and one in which only one-way functions exist (MiniCrypt). However, the boundaries between these worlds can change when quantum information is taken into account. Recent work has shown that quantum variants of oblivious transfer and multi-party computation, both primitives that are classically in Cryptomania, can be constructed from one-way functions, placing them in the realm of quantum MiniCrypt (the so-called MiniQCrypt). This naturally raises the following question: Is it possible to construct a quantum variant of public-key encryption, which is at the heart of Cryptomania, from one-way functions or potentially weaker assumptions?
In this work, we initiate the formal study of the notion of quantum public-key encryption (qPKE), i.e., public-key encryption where keys are allowed to be quantum states. We propose new definitions of security and several constructions of qPKE based on the existence of one-way functions (OWF), or even weaker assumptions, such as pseudorandom function-like states (PRFS) and pseudorandom function-like states with proof of destruction (PRFSPD). Finally, to give a tight characterization of this primitive, we show that computational assumptions are necessary to build quantum public-key encryption. That is, we give a self-contained proof that no quantum public-key encryption scheme can provide information-theoretic security.
Submitted 20 June, 2023; v1 submitted 13 June, 2023;
originally announced June 2023.
-
Weakening Assumptions for Publicly-Verifiable Deletion
Authors:
James Bartusek,
Dakshita Khurana,
Giulio Malavolta,
Alexander Poremba,
Michael Walter
Abstract:
We develop a simple compiler that generically adds publicly-verifiable deletion to a variety of cryptosystems. Our compiler only makes use of one-way functions (or one-way state generators, if we allow the public verification key to be quantum). Previously, similar compilers either relied on the use of indistinguishability obfuscation (Bartusek et al., ePrint:2023/265) or almost-regular one-way functions (Bartusek, Khurana and Poremba, arXiv:2303.08676).
Submitted 9 October, 2023; v1 submitted 19 April, 2023;
originally announced April 2023.
-
Robust Quantum Public-Key Encryption with Applications to Quantum Key Distribution
Authors:
Giulio Malavolta,
Michael Walter
Abstract:
Quantum key distribution (QKD) allows Alice and Bob to agree on a shared secret key, while communicating over a public (untrusted) quantum channel. Compared to classical key exchange, it has two main advantages: (i) The key is unconditionally hidden to the eyes of any attacker, and (ii) its security assumes only the existence of authenticated classical channels which, in practice, can be realized using Minicrypt assumptions, such as the existence of digital signatures. On the flip side, QKD protocols typically require multiple rounds of interactions, whereas classical key exchange can be realized with the minimal amount of two messages using public-key encryption. A long-standing open question is whether QKD requires more rounds of interaction than classical key exchange. In this work, we propose a two-message QKD protocol that satisfies everlasting security, assuming only the existence of quantum-secure one-way functions. That is, the shared key is unconditionally hidden, provided computational assumptions hold during the protocol execution. Our result follows from a new construction of quantum public-key encryption (QPKE) whose security, much like its classical counterpart, only relies on authenticated classical channels.
Submitted 2 January, 2024; v1 submitted 6 April, 2023;
originally announced April 2023.
-
A Simple Construction of Quantum Public-Key Encryption from Quantum-Secure One-Way Functions
Authors:
Khashayar Barooti,
Giulio Malavolta,
Michael Walter
Abstract:
Quantum public-key encryption [Gottesman; Kawachi et al., Eurocrypt'05] generalizes public-key encryption (PKE) by allowing the public keys to be quantum states. Prior work indicated that quantum PKE can be constructed from assumptions that are potentially weaker than those needed to realize its classical counterpart. In this work, we show that quantum PKE can be constructed from any quantum-secure one-way function. In contrast, classical PKE is believed to require more structured assumptions. Our construction is simple, uses only classical ciphertexts, and satisfies the strong notion of CCA security.
Submitted 2 March, 2023;
originally announced March 2023.
-
Succinct Classical Verification of Quantum Computation
Authors:
James Bartusek,
Yael Tauman Kalai,
Alex Lombardi,
Fermi Ma,
Giulio Malavolta,
Vinod Vaikuntanathan,
Thomas Vidick,
Lisa Yang
Abstract:
We construct a classically verifiable succinct interactive argument for quantum computation (BQP) with communication complexity and verifier runtime that are poly-logarithmic in the runtime of the BQP computation (and polynomial in the security parameter). Our protocol is secure assuming the post-quantum security of indistinguishability obfuscation (iO) and Learning with Errors (LWE). This is the first succinct argument for quantum computation in the plain model; prior work (Chia-Chung-Yamakawa, TCC '20) requires both a long common reference string and non-black-box use of a hash function modeled as a random oracle.
At a technical level, we revisit the framework for constructing classically verifiable quantum computation (Mahadev, FOCS '18). We give a self-contained, modular proof of security for Mahadev's protocol, which we believe is of independent interest. Our proof readily generalizes to a setting in which the verifier's first message (which consists of many public keys) is compressed. Next, we formalize this notion of compressed public keys; we view the object as a generalization of constrained/programmable PRFs and instantiate it based on indistinguishability obfuscation.
Finally, we compile the above protocol into a fully succinct argument using a (sufficiently composable) succinct argument of knowledge for NP. Using our framework, we achieve several additional results, including
- Succinct arguments for QMA (given multiple copies of the witness),
- Succinct non-interactive arguments for BQP (or QMA) in the quantum random oracle model, and
- Succinct batch arguments for BQP (or QMA) assuming post-quantum LWE (without iO).
Submitted 29 June, 2022;
originally announced June 2022.
-
A Note on the Post-Quantum Security of (Ring) Signatures
Authors:
Rohit Chatterjee,
Kai-Min Chung,
Xiao Liang,
Giulio Malavolta
Abstract:
This work revisits the security of classical signatures and ring signatures in a quantum world. For (ordinary) signatures, we focus on the arguably preferable security notion of blind-unforgeability recently proposed by Alagic et al. (Eurocrypt'20). We present two short signature schemes achieving this notion: one is in the quantum random oracle model, assuming quantum hardness of SIS; and the other is in the plain model, assuming quantum hardness of LWE with super-polynomial modulus. Prior to this work, the only known blind-unforgeable schemes are Lamport's one-time signature and the Winternitz one-time signature, and both of them are in the quantum random oracle model.
For ring signatures, the recent work by Chatterjee et al. (Crypto'21) proposes a definition trying to capture adversaries with quantum access to the signer. However, it is unclear if their definition, when restricted to the classical world, is as strong as the standard security notion for ring signatures. They also present a construction that only partially achieves (even) this seemingly weak definition, in the sense that the adversary can only conduct superposition attacks over the messages, but not the rings. We propose a new definition that does not suffer from the above issue. Our definition is an analog of blind-unforgeability in the ring signature setting. Moreover, assuming the quantum hardness of LWE, we construct a compiler converting any blind-unforgeable (ordinary) signature scheme into a ring signature scheme satisfying our definition.
Submitted 11 December, 2021;
originally announced December 2021.
-
Indistinguishability Obfuscation of Null Quantum Circuits and Applications
Authors:
James Bartusek,
Giulio Malavolta
Abstract:
We study the notion of indistinguishability obfuscation for null quantum circuits (quantum null-iO). We present a construction assuming:
- The quantum hardness of learning with errors (LWE).
- Post-quantum indistinguishability obfuscation for classical circuits.
- A notion of "dual-mode" classical verification of quantum computation (CVQC).
We give evidence that our notion of dual-mode CVQC exists by proposing a scheme that is secure assuming LWE in the quantum random oracle model (QROM).
Then we show how quantum null-iO enables a series of new cryptographic primitives that, prior to our work, were unknown to exist even making heuristic assumptions. Among others, we obtain the first witness encryption scheme for QMA, the first publicly verifiable non-interactive zero-knowledge (NIZK) scheme for QMA, and the first attribute-based encryption (ABE) scheme for BQP.
Submitted 10 June, 2021;
originally announced June 2021.
-
Post-Quantum Multi-Party Computation
Authors:
Amit Agarwal,
James Bartusek,
Vipul Goyal,
Dakshita Khurana,
Giulio Malavolta
Abstract:
We initiate the study of multi-party computation for classical functionalities (in the plain model) with security against malicious polynomial-time quantum adversaries. We observe that existing techniques readily give a polynomial-round protocol, but our main result is a construction of *constant-round* post-quantum multi-party computation. We assume mildly super-polynomial quantum hardness of learning with errors (LWE), and polynomial quantum hardness of an LWE-based circular security assumption. Along the way, we develop the following cryptographic primitives that may be of independent interest:
1. A spooky encryption scheme for relations computable by quantum circuits, from the quantum hardness of an LWE-based circular security assumption. This yields the first quantum multi-key fully-homomorphic encryption scheme with classical keys.
2. Constant-round zero-knowledge secure against multiple parallel quantum verifiers from spooky encryption for relations computable by quantum circuits. To enable this, we develop a new straight-line non-black-box simulation technique against *parallel* verifiers that does not clone the adversary's state. This forms the heart of our technical contribution and may also be relevant to the classical setting.
3. A constant-round post-quantum non-malleable commitment scheme, from the mildly super-polynomial quantum hardness of LWE.
Submitted 20 November, 2020; v1 submitted 22 May, 2020;
originally announced May 2020.
-
Concurrency and Privacy with Payment-Channel Networks
Authors:
Giulio Malavolta,
Pedro Moreno-Sanchez,
Aniket Kate,
Matteo Maffei,
Srivatsan Ravi
Abstract:
Permissionless blockchain protocols such as Bitcoin are inherently limited in transaction throughput and latency. Current efforts to address this key issue focus on off-chain payment channels that can be combined in a Payment-Channel Network (PCN) to enable an unlimited number of payments without requiring access to the blockchain other than to register the initial and final capacity of each channel. While this approach paves the way for low latency and high throughput of payments, its deployment in practice raises several privacy concerns as well as technical challenges related to the inherently concurrent nature of payments, such as race conditions and deadlocks, that have been understudied so far. In this work, we lay the foundations for privacy and concurrency in PCNs, presenting a formal definition in the Universal Composability framework as well as practical and provably secure solutions. In particular, we present Fulgor and Rayo. Fulgor is the first payment protocol for PCNs that provides provable privacy guarantees for PCNs and is fully compatible with the Bitcoin scripting system. However, Fulgor is a blocking protocol and therefore prone to deadlocks of concurrent payments, as in currently available PCNs. Instead, Rayo is the first protocol for PCNs that enforces non-blocking progress (i.e., at least one of the concurrent payments terminates). We show through a new impossibility result that non-blocking progress necessarily comes at the cost of weaker privacy. At the core of Fulgor and Rayo is Multi-Hop HTLC, a new smart contract, compatible with the Bitcoin scripting system, that provides conditional payments while reducing running time and communication overhead with respect to previous approaches.
Submitted 20 November, 2019;
originally announced November 2019.
-
Early-warning signals for bifurcations in random dynamical systems with bounded noise
Authors:
Christian Kuehn,
Giuseppe Malavolta,
Martin Rasmussen
Abstract:
We consider discrete-time one-dimensional random dynamical systems with bounded noise, which generate an associated set-valued dynamical system. We provide necessary and sufficient conditions for a discontinuous bifurcation of a minimal invariant set of the set-valued dynamical system in terms of the derivatives of the so-called extremal maps. We propose an algorithm for reconstructing the derivatives of the extremal maps from a time series that is generated by iterations of the original random dynamical system. We demonstrate that the derivative reconstructed for different parameters can be used as an early-warning signal to detect an upcoming bifurcation, and apply the algorithm to the bifurcation analysis of the stochastic return map of the Koper model, which is a three-dimensional multiple time scale ordinary differential equation used as a prototypical model for the formation of mixed-mode oscillation patterns. We apply our algorithm to data generated by this map to detect an upcoming transition.
Submitted 6 April, 2018; v1 submitted 1 March, 2018;
originally announced March 2018.