**Post-Quantum Zero Knowledge, Revisited (or: How to do Quantum Rewinding Undetectably)**

*Alex Lombardi and Fermi Ma and Nicholas Spooner*

**Abstract: **A major difficulty in quantum rewinding is the fact that measurement is destructive: extracting information from a quantum state irreversibly changes it. This is especially problematic in the context of zero-knowledge simulation, where preserving the adversary's state is essential.

In this work, we develop new techniques for quantum rewinding in the context of extraction and zero-knowledge simulation:

(1) We show how to extract information from a quantum adversary by rewinding it without disturbing its internal state. We use this technique to prove that important interactive protocols, such as the Goldreich-Micali-Wigderson protocol for graph non-isomorphism and the Feige-Shamir protocol for NP, are zero-knowledge against quantum adversaries.

(2) We prove that the Goldreich-Kahan protocol for NP is post-quantum zero knowledge using a simulator that can be seen as a natural quantum extension of the classical simulator.

Our results achieve (constant-round) black-box zero-knowledge with negligible simulation error, appearing to contradict a recent impossibility result due to Chia-Chung-Liu-Yamakawa (FOCS 2021). This brings us to our final contribution:

(3) We introduce coherent-runtime expected quantum polynomial time, a computational model that (a) captures all of our zero-knowledge simulators, (b) cannot break any polynomial hardness assumptions, and (c) is not subject to the CCLY impossibility. In light of our positive results and the CCLY negative results, we propose coherent-runtime simulation to be the right quantum analogue of classical expected polynomial-time simulation.

**Category / Keywords: **foundations / quantum rewinding, zero knowledge, proofs of knowledge

**Date: **received 23 Nov 2021, last revised 23 Nov 2021

**Contact author: **alexjl at mit edu, fermima at alum mit edu, nspooner at bu edu

**Available format(s): **PDF | BibTeX Citation

**Version: **20211123:142715 (All versions of this report)

**Short URL: **ia.cr/2021/1543

[ Cryptology ePrint archive ]