Witness indistinguishability and witness hiding against quantum attacks

Abstract

The development of quantum computers has urged the cryptographic community to prepare cryptographic primitives for the eventual arrival of the post-quantum world. To this end, the authors study the witness indistinguishability (WI) and witness hiding (WH) of proof systems against quantum adversaries. They give formal definitions of quantum WI (QWI) and quantum WH (QWH), present proof systems satisfying these definitions, and specify a condition under which QWI implies QWH. Regarding the non-interactive proof systems, they prove that, even if a common reference string is used to generate polynomially many non-interactive proofs, the QWI is still preserved, while quantum zero-knowledge has no such beneficial property. To show the strength of QWI, they present two applications of them. First, they prove that the construction proposed by Feige et al. that transforms any non-interactive bounded zero-knowledge proof system to a general one is also feasible against quantum adversaries. Second, they construct a quantum-secure signature scheme in the CRS model, which is existentially unforgeable against quantum adversaries and remains secure even if a common random string is used to sign polynomially many messages.