**Secure Quantum Extraction Protocols**

*Prabhanjan Ananth and Rolando L. La Placa*

**Abstract: **Knowledge extraction, typically studied in the classical setting, is at the heart of several cryptographic protocols. The prospect of quantum computers forces us to revisit the concept of knowledge extraction in the presence of quantum adversaries.

We introduce the notion of secure quantum extraction protocols. A secure quantum extraction protocol for an NP relation R is a classical interactive protocol between a sender and a receiver, where the sender gets as input the instance z and witness w while the receiver only gets the instance z as input. There are two properties associated with a secure quantum extraction protocol: (a) Extractability: for any efficient quantum polynomial-time (QPT) adversarial sender, there exists a QPT extractor that can extract a witness w' such that (z,w') \in R and, (b) Zero-Knowledge: a malicious receiver, interacting with the sender, should not be able to learn any information about w.

We study and construct two flavors of secure quantum extraction protocols.

- Security against QPT malicious receivers: First we consider the setting when the malicious receiver is a QPT adversary. In this setting, we construct a secure quantum extraction protocol for NP assuming the existence of quantum fully homomorphic encryption satisfying some mild properties (already satisfied by existing constructions [Mahadev, FOCS'18, Brakerski CRYPTO'18]) and quantum hardness of learning with errors. The novelty of our construction is a new non black box technique in the quantum setting. All previous extraction techniques in the quantum setting were solely based on quantum rewinding. - Security against classical PPT malicious receivers: We also consider the setting when the malicious receiver is a classical probabilistic polynomial time (PPT) adversary. In this setting, we construct a secure quantum extraction protocol for NP solely based on the quantum hardness of learning with errors. Furthermore, our construction satisfies quantum-lasting security: a malicious receiver cannot later, long after the protocol has been executed, use a quantum computer to extract a valid witness from the transcript of the protocol.

Both the above extraction protocols are constant round protocols.

We present an application of secure quantum extraction protocols to zero-knowledge (ZK). Assuming quantum hardness of learning with errors, we present the first construction of ZK argument systems for NP in constant rounds based on the quantum hardness of learning with errors with: (a) zero-knowledge against QPT malicious verifiers and, (b) soundness against classical PPT adversaries. Moreover, our construction satisfies the stronger (quantum) auxiliary-input zero knowledge property and thus can be composed with other protocols secure against quantum adversaries.

**Category / Keywords: **foundations /

**Date: **received 17 Nov 2019, last revised 27 May 2020

**Contact author: **prabhanjan at cs ucsb edu, rlaplaca at mit edu

**Available format(s): **PDF | BibTeX Citation

**Version: **20200527:152316 (All versions of this report)

**Short URL: **ia.cr/2019/1323

[ Cryptology ePrint archive ]