Witness-Indistinguishability Against Quantum Adversaries 6 . 845 Quantum Complexity Theory – Project Report

Proof systems are a central concept in complexity theory and cryptography. Zero-knowledge and witnessindistinguishability are useful security properties of proof systems. Considering the increased power of quantum computation, it comes as a natural question to understand what happens to these security properties when quantum computation becomes feasible. Zero-knowledge [GMR89] is the security property of proof systems that has received the most attention. Intuitively, a proof system is zero-knowledge if the prover does not leak any information to the verifier other than the veracity of the statement to be proved. There has been a significant amount of research aimed at characterizing what happens to zero-knowledge when quantum adversaries are possible (e.g., [Wat09, Wat02, CK08, HKSZ08, Kob08]) and we will survey the main such results. A weaker security property of proof systems is witness-indistinguishability. Introduced by Feige and Shamir [FS90] in 1990, witnessindistinguishability roughly means that the verifier cannot distinguish which witness the prover used among the possible witnesses. In this report, we characterize witness-indistinguishability against quantum adversaries. To the best of our knowledge, quantum witness-indistinguishability has not been studied so far; moreover, witnessindistinguishability is worthwhile to study because: