No Arabic abstract
Starting from the one-way group action framework of Brassard and Yung (Crypto 90), we revisit building cryptography based on group actions. Several previous candidates for one-way group actions no longer stand, due to progress both on classical algorithms (e.g., graph isomorphism) and quantum algorithms (e.g., discrete logarithm). We propose the general linear group action on tensors as a new candidate to build cryptography based on group actions. Recent works (Futorny--Grochow--Sergeichuk, Lin. Alg. Appl., 2019) suggest that the underlying algorithmic problem, the tensor isomorphism problem, is the hardest one among several isomorphism testing problems arising from areas including coding theory, computational group theory, and multivariate cryptography. We present evidence to justify the viability of this proposal from comprehensive study of the state-of-art heuristic algorithms, theoretical algorithms, and hardness results, as well as quantum algorithms. We then introduce a new notion called pseudorandom group actions to further develop group-action based cryptography. Briefly speaking, given a group $G$ acting on a set $S$, we assume that it is hard to distinguish two distributions of $(s, t)$ either uniformly chosen from $Stimes S$, or where $s$ is randomly chosen from $S$ and $t$ is the result of applying a random group action of $gin G$ on $s$. This subsumes the classical decisional Diffie-Hellman assumption when specialized to a particular group action. We carefully analyze various attack strategies that support the general linear group action on tensors as a candidate for this assumption. Finally, we establish the quantum security of several cryptographic primitives based on the one-way group action assumption and the pseudorandom group action assumption.
We prove that Kilians four-message succinct argument system is post-quantum secure in the standard model when instantiated with any probabilistically checkable proof and any collapsing hash function (which in turn exist based on the post-quantum hardness of Learning with Errors). This yields the first post-quantum succinct argument system from any falsifiable assumption. At the heart of our proof is a new quantum rewinding procedure that enables a reduction to repeatedly query a quantum adversary for accepting transcripts as many times as desired. Prior techniques were limited to a constant number of accepting transcripts.
We investigate the existence of constant-round post-quantum black-box zero-knowledge protocols for $mathbf{NP}$. As a main result, we show that there is no constant-round post-quantum black-box zero-knowledge argument for $mathbf{NP}$ unless $mathbf{NP}subseteq mathbf{BQP}$. As constant-round black-box zero-knowledge arguments for $mathbf{NP}$ exist in the classical setting, our main result points out a fundamental difference between post-quantum and classical zero-knowledge protocols. Combining previous results, we conclude that unless $mathbf{NP}subseteq mathbf{BQP}$, constant-round post-quantum zero-knowledge protocols for $mathbf{NP}$ exist if and only if we use non-black-box techniques or relax certain security requirements such as relaxing standard zero-knowledge to $epsilon$-zero-knowledge. Additionally, we also prove that three-round and public-coin constant-round post-quantum black-box $epsilon$-zero-knowledge arguments for $mathbf{NP}$ do not exist unless $mathbf{NP}subseteq mathbf{BQP}$.
In this work, we study a generalization of hidden subspace states to hidden coset states (first introduced by Aaronson and Christiano [STOC 12]). This notion was considered independently by Vidick and Zhang [Eurocrypt 21], in the context of proofs of quantum knowledge from quantum money schemes. We explore unclonable properties of coset states and several applications: - We show that assuming indistinguishability obfuscation (iO), hidden coset states possess a certain direct product hardness property, which immediately implies a tokenized signature scheme in the plain model. Previously, it was known only relative to an oracle, from a work of Ben-David and Sattath [QCrypt 17]. - Combining a tokenized signature scheme with extractable witness encryption, we give a construction of an unclonable decryption scheme in the plain model. The latter primitive was recently proposed by Georgiou and Zhandry [ePrint 20], who gave a construction relative to a classical oracle. - We conjecture that coset states satisfy a certain natural (information-theoretic) monogamy-of-entanglement property. Assuming this conjecture is true, we remove the requirement for extractable witness encryption in our unclonable decryption construction, by relying instead on compute-and-compare obfuscation for the class of unpredictable distributions. - Finally, we give a construction of a copy-protection scheme for pseudorandom functions (PRFs) in the plain model. Our scheme is secure either assuming iO, OWF, and extractable witness encryption, or assuming iO, OWF, compute-and-compare obfuscation for the class of unpredictable distributions, and the conjectured monogamy property mentioned above. This is the first example of a copy-protection scheme with provable security in the plain model for a class of functions that is not evasive.
Owing to some special characteristics and features, blockchain is a very useful technique that can securely organize diverse devices in a smart city. It finds wide applications, especially in distributed environments, where entities such as wireless sensors need to be certain of the authenticity of the server. As contemporary blockchain techniques that address post-quantum concerns have not been designed, in this study, we investigate a blockchain in the post-quantum setting and seek to discover how it can resist attacks from quantum computing. In addition, traditional proof of work (PoW)-based consensus protocols such as Bitcoin cannot supply memory mining, and the transaction capacity of each block in a blockchain is limited and needs to be expanded. Thus, a new post-quantum proof of work (post-quantum PoW) consensus algorithm for security and privacy of smart city applications is proposed. It can be used to not only protect a blockchain under a quantum computing attack compared to existing classical hash-based PoW algorithms but also to supply memory mining. Meanwhile, an identity-based post-quantum signature is embedded into a transaction process to construct lightweight transactions. Subsequently, we provide a detailed description on the execution of the post-quantum lightweight transaction in a blockchain. Overall, this work can help enrich the research on future post-quantum blockchain and support the construction or architecture of emerging blockchain-based smart cities.
We propose a general method for studying properties of quantum channels acting on an n-partite system, whose action is invariant under permutations of the subsystems. Our main result is that, in order to prove that a certain property holds for any arbitrary input, it is sufficient to consider the special case where the input is a particular de Finetti-type state, i.e., a state which consists of n identical and independent copies of an (unknown) state on a single subsystem. A similar statement holds for more general channels which are covariant with respect to the action of an arbitrary finite or locally compact group. Our technique can be applied to the analysis of information-theoretic problems. For example, in quantum cryptography, we get a simple proof for the fact that security of a discrete-variable quantum key distribution protocol against collective attacks implies security of the protocol against the most general attacks. The resulting security bounds are tighter than previously known bounds obtained by proofs relying on the exponential de Finetti theorem [Renner, Nature Physics 3,645(2007)].