Post-Quantum Zero Knowledge, Revisited (or: How to Do Quantum Rewinding Undetectably)
Alex Lombardi, Fermi Ma, Nicholas Spooner

TL;DR
This paper introduces new quantum rewinding techniques enabling zero-knowledge proofs to be secure against quantum adversaries, overcoming previous limitations and proposing a novel computational model.
Contribution
It develops quantum rewinding methods for zero-knowledge simulation, proving certain protocols are post-quantum zero-knowledge, and introduces the coherent-runtime expected quantum polynomial time model.
Findings
Protocols such as the Goldreich-Micali-Wigderson protocol for graph non-isomorphism and the Feige-Shamir protocol for NP are zero-knowledge against quantum adversaries.
The Goldreich-Kahan protocol is proven to be post-quantum zero-knowledge.
The coherent-runtime expected quantum polynomial time model avoids the CCLY impossibility result.
Abstract
A major difficulty in quantum rewinding is the fact that measurement is destructive: extracting information from a quantum state irreversibly changes it. This is especially problematic in the context of zero-knowledge simulation, where preserving the adversary's state is essential. In this work, we develop new techniques for quantum rewinding in the context of extraction and zero-knowledge simulation: (1) We show how to extract information from a quantum adversary by rewinding it without disturbing its internal state. We use this technique to prove that important interactive protocols, such as the Goldreich-Micali-Wigderson protocol for graph non-isomorphism and the Feige-Shamir protocol for NP, are zero-knowledge against quantum adversaries. (2) We prove that the Goldreich-Kahan protocol for NP is post-quantum zero knowledge using a simulator that can be seen as a natural quantum…
