1 Introduction

Secure multi-party computation (MPC) allows a set of parties to compute a joint function of their inputs, revealing only the output of the function while keeping their inputs private. General secure MPC, initiated in works such as [6, 14, 33, 68], has played a central role in modern theoretical cryptography. The last few years have seen tremendous research optimizing MPC in various ways, enabling a plethora of practical applications that include joint computations on distributed medical data, privacy-preserving machine learning, e-voting, distributed key management, among others. The looming threat of quantum computers naturally motivates the problem of constructing protocols with provable security against quantum adversaries.

After Watrous’ breakthrough work on zero-knowledge against quantum adversaries [64], the works of [20, 41, 51] considered variants of quantum-secure computation protocols, in the two-party setting. Very recently, Bitansky and Shmueli [10] obtained the first constant-round classical zero-knowledge arguments with security against quantum adversaries. Their techniques (and those of [1] in a concurrent work) are based on the recent non-black-box simulation technique of [8], who constructed two-message classically-secure weak zero-knowledge in the plain model. Unfortunately, it is unclear whether these protocols compose under parallel repetition. As a result, they become largely inapplicable to the constant-round multi-party setting.

There has also been substantial effort in constructing protocols for securely computing quantum circuits [23, 25, 26] (see Sect. 2.6 for further discussion). However, to the best of our knowledge, generic multi-party computation protocols with classical communication and security against quantum adversaries have only been studied in models with trusted pre-processing or setup. To make things even worse, [23] construct a maliciously-secure multi-party protocol for computing quantum ciruits, assuming the existence of a maliciously-secure post-quantum classical MPC protocol. This means that the only available implementations of such a building block require trusted pre-processing or a common reference string.

Post-Quantum MPC. In this work we initiate the study of MPC protocols that allow classical parties to securely compute general classical functionalities, and where security is guaranteed against malicious quantum adversaries. Our focus is on MPC in the plain model: Fully classical participants interact with each other with no access to trusted/pre-processed parameters or a common reference string. Multi-party protocols achieving security in these settings do not seem to have been previously analyzed in any number of rounds.

We stress that the challenges of proving post-quantum security of MPC protocols stretch far beyond the appropriate instantiations of the cryptographic building blocks (e.g. avoiding factoring- or discrete logarithm-based cryptosystems): Because quantum information behaves very differently from classical information, designing post-quantum protocols often requires new techniques to achieve provable security. As an example, a common strategy to prove classical security of MPC protocols is to define a simulator that can extract the inputs of the corrupted parties by “rewinding” them, i.e. taking a snapshot of the state of the adversary and split the protocol execution in multiple branches. However, when the adversary is a quantum machine, this technique becomes largely inapplicable since the no-cloning theorem (one of the fundamental principles of quantum mechanics) prevents us from creating two copies of an arbitrary quantum state. One of our key contributions is a new parallel no-cloning non-black-box simulation technique that extends the work of [10], to achieve security against multiple parallel quantum verifiers.

1.1 Our Results

We begin by summarizing our main result: Classical multi-party computation with security against quantum circuits in the plain model. Here, parties communicate classically via authenticated point-to-point channels as well as broadcast channels, where everyone can send messages in the same round. In each round, all parties simultaneously exchange messages. The network is assumed to be synchronous with rushing adversaries, i.e. adversaries may generate their messages for any round after observing the messages of all honest parties in that round, but before observing the messages of honest parties in the next round. The (quantum) adversary may corrupt upto all but one of the participants. In this model, we obtain the following main result.

Theorem 1 (Informal)

Assuming mildly super-polynomial quantum hardness of LWE and AFS-spooky encryption for relations computable by polynomial-size quantum circuits, there exists a constant-round classical MPC protocol (in the plain model) maliciously secure against quantum polynomial-time adversaries.

In more detail, our protocol is secure against any adversary \(\mathsf {A}= \{\mathsf {A}_\lambda ,\rho _\lambda \}_\lambda \), where each \(\mathsf {A}_\lambda \) is the (classical) description of a polynomial-size quantum circuit and \(\rho _\lambda \) is some (possibly inefficiently computable) non-uniform quantum advice. Beyond being interesting in its own right, our plain-model protocol may serve as a useful stepping stone to obtaining interesting protocols for securely computing quantum circuits in the plain model, as evidenced by the work of [23]. This protocol is constructed in Sects. 8 and 9 in the full version.

By “mildly” super-polynomial quantum hardness of LWE, we mean to assume that there exists a constant \(c \in \mathbb {N}\), such that for large enough security parameter \(\lambda \in \mathbb {N}\), no quantum polynomial time algorithm can distinguish LWE samples from uniform with advantage better than \(\mathsf {negl}(\lambda ^{\mathsf {ilog}(c,\lambda )})\), where \(\mathsf {ilog}(c,\lambda )\) denotes the c-times iterated logarithm \({\log \log \cdots _{{c}~\mathrm {times}}}(\lambda )\). We note that this is weaker than assuming the quasi-polynomial quantum hardness of LWE, i.e. the assumption that quantum polynomial-time adversaries cannot distinguish LWE samples from uniform with advantage better than \(2^{-{(\log \lambda )}^c}\) for some constant \(c > 1\).

A central technical ingredient of our work is an additive function sharing (AFS) spooky encryption scheme [21] for relations computable by quantum circuits. An AFS-spooky encryption scheme has a publicly-computable algorithm that, on input a set of ciphertexts \(\mathsf {Enc}(\mathsf {pk}_1, m_1),\dots ,\mathsf {Enc}(\mathsf {pk}_n, m_n)\) encrypted under independently sampled public keys and a (possibly quantum) circuit C, computes a new set of ciphertexts

$$ \mathsf {Enc}(\mathsf {pk}_1, y_1), \dots , \mathsf {Enc}(\mathsf {pk}_n, y_n) \textit{ s.t. }\mathop {\bigoplus }\limits _{i=1}^n y_i = C(m_1,\dots ,m_n). $$

In Sect. 4 in the full version we show how to construct AFS-spooky encryption for relations computable by quantum circuits, under an LWE-based circular security assumption. We refer the reader to Sect. 4.4 in the full version for the exact circular security assumption we need, which is similar to the one used in [52]. As a corollary, this immediately yields the first multi-key fully-homomorphic encryption [50] for quantum circuits with classical key generation and classical encryption of classical messages.

Theorem 2 (Informal)

Under an appropriate LWE-based circular security assumption, there exists an AFS-spooky encryption scheme for relations computable by polynomial-size quantum circuits with classical key generation and classical encryption of classical messages.

Along the way to proving our main theorem, we construct and rely on constant-round zero-knowledge arguments against parallel quantum verifiers, and constant-round extractable commitments against parallel quantum committers. Parallel extractable commitments and zero-knowledge are formally constructed and analyzed in Sects. 5 and 6 in the full version, respectively. We only show the construction of parallel extractable commitments in Sect. 3 in this paper. We point out that we do not obtain protocols that compose under unbounded parallel repetition. Instead we build a bounded variant (that we also refer to as multi-verifier zero-knowledge and multi-committer extractable commitments) that suffices for our applications.

Theorem 3 (Informal)

Assuming the quantum polynomial hardness of LWE and the existence of AFS-spooky encryption for relations computable by polynomial-size quantum circuits, there exists:

  • A constant-round classical argument for NP that is computational-zero-knowledge against parallel quantum polynomial-size verifiers.

  • A constant-round classical commitment that is extractable against parallel quantum polynomial-size committers.

In addition, we initiate the study of post-quantum non-malleable commitments. Specifically, we construct and rely on constant-round post-quantum non-malleable commitments based on the super-polynomial hardness assumption described above. The formal construction and analysis can be found in Sect. 7 in the full version.

Theorem 4 (Informal)

Assuming the mildly super-polynomial quantum hardness of LWE and the existence of fully-homomorphic encryption for quantum circuits, there exists a constant-round non-malleable commitment scheme secure against quantum polynomial-size adversaries.

We also obtain quantum-secure non-malleable commitments in \(O(\mathsf {ilog}(c,\lambda ))\) rounds for any constant \(c \in \mathbb {N}\) based on any quantum-secure extractable commitment. In particular, plugging in these commitments instead of our constant round non-malleable commitments gives an \(O(\mathsf {ilog}(c,\lambda ))\) round quantum-secure MPC from any quantum AFS-spooky encryption scheme.

2 Technical Overview

2.1 Background

Our starting point is any constant-round post-quantum MPC protocol maliciously secure in the programmable common reference string (CRS) model. Such a protocol can be obtained, for example, based on the semi-maliciously secure MPC protocols of [2, 53] in the CRS model. Specifically, assuming the existence of post-quantum zero-knowledge in the CRS model (that can be obtained based on the quantum hardness of LWE [60]) and the quantum hardness of LWE, these works obtain multi-party computation for classical circuits in the CRS model with the following property: There exists an ideal-world simulator that programs the CRS, interacts in a straight-line, black-box manner with any quantum adversary corrupting an arbitrary subset of the players, and outputs a view that is indistinguishable from the real view of the adversary, including the output of honest parties.

Thus, a natural approach to achieving post-quantum MPC in the plain model is to then securely implement a multi-party functionality that generates the aforementioned CRS. Specifically, we would like a set of n parties to jointly execute a coin-flipping protocol. Such a protocol outputs a uniformly random string that may then be used to implement post-quantum secure MPC according to [2, 53]. The programmability requirement on the CRS roughly translates to ensuring that for any quantum adversary, there exists a simulator that on input a random string s, can force the output of the coin-flipping protocol to be equal to s. A protocol satisfying this property is often referred to as a fully-simulatable multi-party coin-flipping protocol.

Post-Quantum Multi-Party Coin-Flipping. Existing constant-round protocols  [36, 65] for multi-party coin-flipping against classical adversaries make use of the following template. Each participant first commits to a uniformly random string using an appropriate perfectly binding commitment.Footnote 1 In a later phase, all participants reveal the values they committed to, without actually revealing the randomness used for commitment. Additionally, each participant proves (in zero-knowledge) to every other participant that they opened to the same value that they originally committed to. If all zero-knowledge arguments verify, the protocol output is computed as the sum of the openings of all participants. To highlight challenges to construct constant-round protocols, we elaborate on this template and outline a simple polynomial-round coin tossing protocol. Readers familiar with this template for multi-party coin-tossing may skip to the next page.

A Simple Protocol in Polynomially Many Rounds. In order to motivate the challenges involved in constructing a post-quantum constant-round multiparty coin tossing protocol, we first outline a simple protocol that requires polynomially many rounds, and follows from ideas in existing work. Our starting point is the polynomial-round post-quantum zero-knowledge protocol due to Watrous [64]. Ideas developed in [10] can be used almost immediately to convert this to a post-quantum extractable commitment scheme, assuming polynomial hardness of LWE (or, more generally, any post-quantum oblivious transfer). For completeness, we outline how this is done in Appendix A in the full version. Next, it is possible to use the resulting post-quantum secure extractable commitment to obtain post-quantum multiparty fully-simulatable coin flipping, that admits a straight-line simulator in the dishonest majority setting. The protocol requires rounds that grow linearly with the number of parties and polynomially with the security parameter, as described in Fig. 1.

Fig. 1.
figure 1

Multiparty coin tossing

Full size image

Recall that the simulator \(\mathsf {Sim} \) of any coin-flipping protocol will obtain a uniformly random string \(r^*\) from the ideal functionality, and must force this value as the output. The \(\mathsf {Sim} \) for the protocol in Fig. 1 samples \(r_i\) uniformly at random on behalf of each honest party \(P_i\), and commits to \(r_i\) in Step 2 following honest sender strategy. At the same time, \(\mathsf {Sim} \) runs \(\mathsf {Ext} \) to (sequentially) extract the value committed by every corrupted party in Step 2. This allows the simulator to compute \(\bigoplus _{i \in \mathbb {M}} r_i\), where \(\mathbb {M}\) denotes the set of corrupted parties. In Step 3, the simulator broadcasts values \(r'_i\) on behalf of honest parties such that \(\bigoplus _{i \in [n] \setminus \mathbb {M}} r'_i = \bigoplus _{i \in \mathbb {M}} r_i \oplus r^*\). Finally, it invokes the simulator of the ZK protocol to produce proofs on behalf of honest parties. It is easy to see that the output would indeed end up being the intended output \(r^*\).

Notice that replacing Watrous’ polynomial-round ZK protocol with the constant-round ZK of [1, 10] only decreases the rounds to linear in the number of parties. To decrease the number of rounds to constant, it is clear that one would need to find a way to execute the commitment sessions (Step 2) and ZK sessions (Step 4) in parallel. While the recent work of Bitansky and Shmueli [10] builds constant-round post-quantum zero-knowledge, their protocol and its guarantees turn out to be insufficient for the parallel setting. In this setting, a single prover would typically need to interact in parallel with \((n-1)\) different verifiers, a subset or all of which may be adversarial. It should be possible for a simulator to simultaneously simulate the view of multiple parallel verifiers. In addition, the argument should continue to satisfy soundness, even if a subset of verifiers colludes with a (cheating) prover.

Post-Quantum Parallel Zero-Knowledge. We overcome this barrier by building the first constant-round zero-knowledge argument secure against parallel quantum verifiers from quantum polynomial hardness of an LWE-based circular security assumption. This improves upon the work of [1, 10] who provided arguments with provable security only against a single quantum verifier. Very roughly, the approach in [1, 10] relies on a modification of the [8] homomorphic trapdoors paradigm. We do not assume familiarity with the details of this protocol or paradigm, and will in fact discuss a (variant of) this in the next subsection. For now, we simply point out that in this paradigm, the verifier generates an initial FHE ciphertext and public key, as well as some additional information to enable simulation. The simulator homomorphically evaluates the verifier’s (quantum) circuit over the initial FHE ciphertext and then uses the result of this evaluation to recover secrets that will enable simulation.

However, when a prover interacts with several verifiers at once, each verifier will generate its own FHE ciphertexts. In a nutshell, in the parallel setting the simulator can no longer perform individual homomorphic evaluations corresponding to each verifier, due to no-cloning. To address this issue, we develop a novel parallel no-cloning simulation strategy. This strategy relies on a novel technique that enables the simulator to peel away secret keys of this FHE scheme layer-by-layer. An overview of this technique can be found in Sect. 2.2.

Our technique also crucially relies on a strong variant of quantum fully-homomorphic encryption that allows for homomorphic operations under multiple keys at once. The encryption scheme that we use is a quantum generalization of the notion of additive function sharing (AFS) spooky encryption [21]. As a contribution of independent interest, we build the first AFS-spooky encryption (that also implies multi-key FHE) for quantum circuits from a circular variant of the LWE assumption. We give an overview of our construction in Sect. 2.3.

Post-Quantum Non-malleable Commitments. Our construction of zero-knowledge against parallel quantum verifiers gives rise to a coin-flipping protocol that is secure as long as at least one participant is honest, and all committed strings are independent of each other. However, ensuring such independence is not straightforward, even in the classical setting. In fact, upon seeing an honest party’s commitment string c, a malicious, rushing adversary may be able to produce a string \(c'\) that commits to a related message. This is known as a malleability attack, and can be prevented by relying on non-malleable commitments. In this work, we devise the first post-quantum non-malleable commitments based on slightly superpolynomial hardness of LWE. An overview of our construction can be found in Sect. 2.4.

Finally, we discuss how to combine all these primitives to build our desired coin-tossing protocol, and a few additional subtleties that come up in the process, in Sect. 2.5.

2.2 A New Parallel No-Cloning Non-Black-Box Simulation Technique

In the following we give a high-level overview of our constant-round zero-knowledge protocol secure against parallel quantum verifiers. In favor of a simpler exposition, we first describe a parallel extractable commitment protocol. A parallel extractable commitment is a commitment where a single receiver interacts in parallel with multiple committers, each committing to its own independent message. The main challenge in this setting is to simulate the view of an adversary corrupting several of these committers, while simultaneously recovering all committed messages. Once we build a parallel extractable commitment, obtaining a parallel zero-knowledge protocol becomes a simple exercise (that we discuss towards the end of this overview).

Throughout the following overview we only consider adversaries that are (i) non-aborting, i.e. they never interrupt the execution of the protocol, and (ii) explainable, i.e. their messages always lie in the support of honestly generated messages, though they can select their random coins and inputs arbitrarily. We further simplify our overview by only considering (iii) classical adversaries, while being mindful to avoid any kind of state cloning during extraction. In the end of this overview we discuss how to remove these simplifications.

Cryptographic Building Blocks. Before delving into the description of our protocol, we introduce the technical tools needed for our construction. A fully-homomorphic encryption (FHE) scheme [29] allows one to compute any function (in its circuit representation) over some encrypted message \(\mathsf {Enc}(\mathsf {pk}, m)\), without the need to decrypt it first. We say that an FHE is multi-key [50] if it supports the homomorphic evaluation of circuits even over messages encrypted under independently sampled public keys:

$$ \{\mathsf {Enc}(\mathsf {pk}_i, m_i)\}_{i\in [n]} \xrightarrow {\mathsf {Eval}((\mathsf {pk}_1, \dots , \mathsf {pk}_n),C, \cdot )} \mathsf {Enc}((\mathsf {pk}_1, \dots , \mathsf {pk}_n), C(m_1, \dots , m_n)). $$

Clearly, decrypting the resulting ciphertext should require the knowledge of all of the corresponding secret keys \((\mathsf {sk}_1, \dots , \mathsf {sk}_n)\). Other than semantic security, we require that the scheme is compact, in the sense that the size of the evaluated ciphertext is proportional to \(|C(m_1, \dots , m_n)|\) (and possibly the number of parties n) but does not otherwise depend on the size of C.

The second tool that we use is compute and compare obfuscation [35, 66]. A compute and compare program \(\mathbf {CC}[f,u,z]\) program is defined by a function f, a lock value u, and an output z. On input a string x, the program returns z if and only if \(f(x) = u\). The obfuscator \(\mathsf {Obf}\) is guaranteed to return an obfuscated program \(\widetilde{\mathbf {CC}}\) that is indistinguishable from a program that rejects any input, as long as u has sufficient entropy conditioned on f and z. Finally, we use a conditional disclosure of secret (CDS)Footnote 2 scheme. Recall that this is an interactive protocol parametrized by an NP relation \(\mathcal {R}\) where both the sender and the receiver share a statement x and in addition, the sender has a secret message m. At the end of the interaction, the receiver obtains m if and only if it knows a valid witness w such that \(\mathcal {R}(x,w)=1\).

A Strawman Solution. We now describe a naive extension of the [1, 10] approach to the parallel setting (where a receiver interacts with multiple committers), and highlight its pitfalls. We do not assume familiarity with [1, 10]. To commit to messages \((m_1, \dots , m_n)\), the committers and the receiver engage in the following protocol.

  • Each committer samples a key pair of a multi-key FHE scheme \((\mathsf {pk}_i, \mathsf {sk}_i)\), a uniform trapdoor \(\mathsf {td}_i\), and a uniform lock value \(\mathsf {lk}_i\), and sends to the receiver:

    1. 1.

      A commitment \(\mathsf {c}_i = \mathsf {Com}(\mathsf {td}_i)\).

    2. 2.

      An FHE encryption \(\mathsf {Enc}(\mathsf {pk}_i, \mathsf {td}_i)\).

    3. 3.

      An obfuscation \(\widetilde{\mathbf {CC}}_i\) of the program \(\mathbf {CC}[\mathsf {Dec}(\mathsf {sk}_i, \cdot ),\mathsf {lk}_i,(\mathsf {sk}_i, m_i)]\).

  • The receiver engages each committer in a (parallel) execution of a CDS protocol where the i’th committer sends \(\mathsf {lk}_i\) if the receiver correctly guesses a valid pre-image of \(\mathsf {c}_i\).

At a high level, the fact that the protocol hides the message \(m_i\) is ensured by the following argument. Since the receiver cannot invert \(\mathsf {c}_i\), it cannot guess \(\mathsf {td}_i\) and therefore the CDS protocol will return 0. This in turn means that the lock \(\mathsf {lk}_i\) is hidden from the receiver, and consequently that the obfuscated program is indistinguishable from a null program. This is, of course, an informal explanation, and we refer the reader to [1, 8, 10] for a formal security analysis.

We now turn to the description of the extractor. The high-level strategy is the following: Upon receiving the first message from all committers, the extractor uses the FHE encryption \(\mathsf {Enc}(\mathsf {pk}_i, \mathsf {td}_i)\) and the code of the adversary to run the CDS protocol homomorphically (on input \(\mathsf {td}_i\)) to recover an FHE encryption of \(\mathsf {lk}_i\). Then the extractor feeds it as an input to the obfuscated program \(\widetilde{\mathbf {CC}}_i\), which returns \((\mathsf {sk}_i, m_i)\).

Unfortunately this approach has a major limitation: It implicitly assumes that each corrupted party is a local algorithm. In other words, we are assuming that the adversary consists of individual subroutines (one per corrupted party), which may not necessarily be the case. As an example, if the adversary were to somehow implement a strategy where corrupted machines do not respond until all receiver messages have been delivered, then the above homomorphic evaluation would get stuck and return no output. It is also worth mentioning that what makes the problem challenging is our inability to clone the state of the adversary. If we were allowed to clone its state, then we could extract messages one by one, by running a separate thread under each FHE key.

Multi-Key Evaluation. A natural solution to circumvent the above issue is to rely on multi-key FHE evaluation. Using this additional property, the extractor can turn the ciphertexts \(\mathsf {Enc}(\mathsf {pk}_1, \mathsf {td}_1),\dots , \mathsf {Enc}(\mathsf {pk}_n, \mathsf {td}_n)\) into a single encryption

$$ \mathsf {Enc}((\mathsf {pk}_1, \dots , \mathsf {pk}_n), (\mathsf {td}_1, \dots , \mathsf {td}_n)) $$

under the hood of all public keys \((\mathsf {pk}_1, \dots , \mathsf {pk}_n)\). Given this information, the extractor can homomorphically evaluate all instances of the CDS protocol at once, using the code of the adversary, no matter how intricate. This procedure allows the extractor to obtain the encryption of each lock value \(\mathsf {Enc}((\mathsf {pk}_1, \dots , \mathsf {pk}_n), \mathsf {lk}_i)\). In the single committer setting, we could then feed this into the corresponding obfuscated program and call it a day.

However, in the parallel setting, even given multi-key FHE, it is unclear how to proceed. If the compute and compare program \(\widetilde{\mathbf {CC}}_i\) tried to decrypt such a ciphertext, it would obtain (at best) an encryption under the remaining public keys. Glossing over the fact that the structure of single-key and multi-key ciphertexts might be incompatible, it is unlikely that

$$\mathsf {Dec}(\mathsf {sk}_i, \mathsf {Enc}((\mathsf {pk}_1, \dots , \mathsf {pk}_{n}), \mathsf {lk}_i)) = \mathsf {lk}_i$$

which is what we would need to trigger the compute and compare program. The general problem here is that each compute and compare program cannot encode information about other secret keys, thus making it infeasible to decrypt multi-key ciphertexts. One approach to resolve this issue would be to ask all committers to jointly obfuscate a compute and compare program that encodes all secret keys at once. However, this seems to require a general-purpose MPC protocol, which is what we are trying to build in the first place. Therefore, we outline a different approach by imagining a special kind of multi-key fully homomorphic encryption scheme.

A spooky encryptionFootnote 3 scheme [21] is an FHE scheme that supports a special spooky evaluation algorithm, that generates no-signaling correlations among independently encrypted messages. We will restrict attention to a sub-class of no-signaling relations called additive function sharing (AFS) relations, and we will call the scheme AFS-spooky. More concretely, on input a circuit C and n independently generated ciphertexts (under independently generated public keys), the algorithm \(\mathsf {Spooky}.\mathsf {Eval}\) produces

$$ \{\mathsf {Enc}(\mathsf {pk}_i, m_i)\}_{i\in [n]} \xrightarrow {\mathsf {Spooky}.\mathsf {Eval}((\mathsf {pk}_1, \dots , \mathsf {pk}_n),C, \cdot )} \{\mathsf {Enc}(\mathsf {pk}_i, y_i)\}_{i\in [n]} \textit{ s.t. } \mathop {\bigoplus }\limits _{i=1}^n y_i = C(m_1,\dots ,m_n). $$

It is not hard to see that AFS-spooky encryption is a special case of multi-key FHE where multi-key ciphertexts have the following structure

$$ \mathsf {Enc}((\mathsf {pk}_1, \dots , \mathsf {pk}_n), m) = \{\mathsf {Enc}(\mathsf {pk}_i, y_i)\}_{i\in [n]} \textit{ s.t. } \mathop {\bigoplus }\limits _{i=1}^n y_i = m. $$

This additional structure is going to be our main leverage for constructing an efficient extractor.

The Extractor. Going back to our extractor, our next technical insight is to look for a mechanism to peel away encryption layers one by one from an AFS-spooky (multi-key) ciphertext. Our extractor will achieve this via careful homomorphic evaluation of the independently generated programs \((\widetilde{\mathbf {CC}}_1, \dots , \widetilde{\mathbf {CC}}_n)\), as described below.

  • First, homomorphically execute the code of the adversary using the AFS-spooky scheme to obtain

    $$ \mathsf {ct}_1 = \mathsf {Enc}((\mathsf {pk}_1,\dots , \mathsf {pk}_n), \mathsf {lk}_1), \dots , \mathsf {ct}_n = \mathsf {Enc}((\mathsf {pk}_1,\dots , \mathsf {pk}_n), \mathsf {lk}_n), $$

    as described above.

  • Parse \(\mathsf {ct}_n\) as a collection of individual ciphertexts

    $$ \mathsf {Enc}((\mathsf {pk}_1,\dots , \mathsf {pk}_n), \mathsf {lk}_n) = \{\mathsf {Enc}(\mathsf {pk}_i, y_i)\}_{i\in [n]} = \{\mathsf {Enc}(\mathsf {pk}_i, y_i)\}_{i\in [n-1]} ~\cup ~ \underbrace{\{\mathsf {Enc}(\mathsf {pk}_n, y_n)\}}_{\tilde{\mathsf {ct}}_n}. $$

    Note that we can interpret the first \(n-1\) elements as an AFS-spooky ciphertext encrypted under \((\mathsf {pk}_1, \dots , \mathsf {pk}_{n-1}):\)

    $$ \tilde{\mathsf {ct}} = \{\mathsf {Enc}(\mathsf {pk}_i, y_i)\}_{i\in [n-1]} = \mathsf {Enc}\left( \left( \mathsf {pk}_1, \dots , \mathsf {pk}_{n-1}\right) , \mathop {\bigoplus }\limits _{i=1}^{n-1} y_i\right) = \mathsf {Enc}\left( \left( \mathsf {pk}_1, \dots , \mathsf {pk}_{n-1}\right) , \tilde{y}\right) $$

    where \(\tilde{y} = \mathop {\bigoplus }\limits _{i=1}^{n-1} y_i\).

  • Let \(\varGamma \) be the following function

    $$ \varGamma (\zeta ): \mathsf {Spooky}.\mathsf {Eval}(\mathsf {pk}_n, \zeta \oplus \cdot , \tilde{\mathsf {ct}}_n) $$

    which homomorphically computes the XOR of \(\zeta \) with the plaintext of \(\tilde{\mathsf {ct}}_n\). Compute the following nested AFS-spooky correlation

    $$\begin{aligned} \widehat{\mathsf {ct}}&= \mathsf {Spooky}.\mathsf {Eval}((\mathsf {pk}_1, \dots , \mathsf {pk}_{n-1}), \varGamma , \tilde{\mathsf {ct}}) \nonumber \\&= \mathsf {Enc}\left( \left( \mathsf {pk}_1, \dots , \mathsf {pk}_{n-1}\right) , \mathsf {Spooky}.\mathsf {Eval}(\mathsf {pk}_n,\tilde{y} \oplus \cdot , \tilde{\mathsf {ct}}_n)\right) \end{aligned}$$
    (1)
    $$\begin{aligned}&= \mathsf {Enc}\left( \left( \mathsf {pk}_1, \dots , \mathsf {pk}_{n-1}\right) ,\mathsf {Enc}\left( \mathsf {pk}_n, \mathop {\bigoplus }\limits _{i=1}^{n} y_i\right) \right) \end{aligned}$$
    (2)
    $$\begin{aligned}&= \mathsf {Enc}\left( \left( \mathsf {pk}_1, \dots , \mathsf {pk}_{n-1}\right) ,\mathsf {Enc}\left( \mathsf {pk}_n, \mathsf {lk}_n \right) \right) \end{aligned}$$
    (3)

    by interpreting \(\tilde{\mathsf {ct}}_n\) as a single key ciphertext. Here (1) follows by substituting \(\varGamma \), and (2) follows by correctness of the AFS-spooky evaluation.

  • Run the obfuscated compute and compare program homomorphically to obtain an encryption of \(\mathsf {sk}_n\) and \(m_n\) under \((\mathsf {pk}_1, \dots , \mathsf {pk}_{n-1})\)

    $$\begin{aligned} \mathsf {Spooky}.\mathsf {Eval}\left( (\mathsf {pk}_1, \dots , \mathsf {pk}_{n-1}), \widetilde{\mathbf {CC}}_n, \widehat{\mathsf {ct}}\right)&=\mathsf {Enc}\left( \left( \mathsf {pk}_1, \dots , \mathsf {pk}_{n-1}\right) ,\widetilde{\mathbf {CC}}_n\left( \mathsf {Enc}\left( \mathsf {pk}_n, \mathsf {lk}_n \right) \right) \right) \\&= \mathsf {Enc}\left( \left( \mathsf {pk}_1, \dots , \mathsf {pk}_{n-1}\right) , (\mathsf {sk}_n, m_n) \right) . \end{aligned}$$

  • Using the encryption of \(\mathsf {sk}_n\) under \((\mathsf {pk}_1, \dots , \mathsf {pk}_{n-1})\), update the initial ciphertexts \((\mathsf {ct}_1, \dots , \mathsf {ct}_{n-1})\) by homomorphically decrypting their last component and adding the resulting string. This allows the extractor to obtain

    $$ \mathsf {Enc}((\mathsf {pk}_1, \dots , \mathsf {pk}_{n-1}), \mathsf {lk}_1), \dots , \mathsf {Enc}((\mathsf {pk}_1, \dots , \mathsf {pk}_{n-1}), \mathsf {lk}_{n-1}). $$

  • Recursively apply the procedure described above until \(\mathsf {Enc}(\mathsf {pk}_1, \mathsf {lk}_1)\) is recovered, then feed this ciphertext as an input to \(\widetilde{\mathbf {CC}}_1\) to obtain \((\mathsf {sk}_1, m_1)\) in the clear. Iteratively recover \((\mathsf {sk}_2, \dots , \mathsf {sk}_n)\) by decrypting the corresponding ciphertexts. At this point the extractor knows all secret keys and can decrypt the transcript of the interaction together with the committed messages.

To summarize, this extractor will isolate single-key ciphertexts (albeit in a nested form) by relying on AFS-spooky encryption. These ciphertexts by design will be compatible with compute and compare programs. In turn, evaluating the program under the encryption allows us to escape from the newly introduced layer. Repeating this procedure recursively eventually leads to a complete recovery of the plaintexts.

We stress that, although the extraction algorithm repeats the nesting operation n times, the additional encryption layer introduced in each iteration is immediately peeled off by executing the obfuscated compute and compare program. Thus the above procedure runs in (strict) polynomial time for any polynomial number of parties n.

Parallel Zero Knowledge. The above outline is deliberately simplified and ignores some subtle issues that arise during the analysis of the protocol. As an example, we need to ensure that the adversary is not able to maul the commitment of the trapdoor into a CDS encryption to be used in the CDS protocol. This issue also arose in [10], and we follow their approach of using non-uniformity in a reduction to the semantic security of the quantum FHE scheme. [10] also present the technical tools needed to lift the protocol to the setting of malicious and possibly aborting adversaries (as opposed to explainable), and we roughly follow their approach. However, it is worth pointing out that [10] directly construct a zero-knowledge argument, without first constructing and analyzing a stand-alone extractable commitment. Since we use a parallel extractable commitment as a building block in the our coin-flipping protocol, we analyze the above as a stand-alone commitment, which requires a few modifications to the protocol and proof techniques. More discussion about this can be found in Sect. 3.

Now, we describe how to obtain parallel zero-knowledge (i.e. zero-knowledge against multiple verifiers) from parallel extractable commitment. This is accomplished in a routine manner by enhancing a standard \(\varSigma \) protocol with a stage where each verifier commits to its \(\varSigma \) protocol challenge using a parallel extractable commitment. Using the extractor, the simulator can obtain the challenges ahead of time and can therefore simulate the rest of the transcript, without the need to perform state cloning.

It remains to argue that our extraction strategy does not break down in the presence of quantum adversaries. Observe that the only step that involves the execution of a quantum circuit is the AFS-spooky evaluation of the CDS protocol, under the hood of \((\mathsf {pk}_1, \dots , \mathsf {pk}_n)\). Assuming that we can construct AFS-spooky encryption for relations computable by quantum circuits (which we show in Sect. 2.3), the remainder of the extraction algorithm only depends on the encryptions of \((\mathsf {lk}_1, \dots , \mathsf {lk}_n)\), which are classical strings. Once the extractor recovers all the secret keys, it can decrypt the (possibly quantum) state of the adversary resulting from the homomorphic evaluation of the CDS, and resume the protocol execution, without the need to clone the adversary’s state.

2.3 Quantum AFS-Spooky Encryption

We now turn to the construction of AFS-spooky encryption for relations computable by quantum circuits. The main technical contribution of this section is a construction of multi-key fully-homomorphic encryption for quantum circuits with classical key generation and classical encryption of classical messages. Such schemes were already known in the single-key setting, due to [11, 52].

Background. At a very high level, these single-key schemes follow a paradigm introduced by Broadbent and Jeffery [13], which makes use of the quantum one-time pad (QOTP). The QOTP is a method of perfectly encrypting arbitrary quantum states with a key that consists of only classical bits. [13] suggest to encrypt a quantum state with a quantum one-time pad (QOTP), and then encrypt the classical bits that comprise the QOTP using a classical fully-homomorphic encryption scheme. One can then apply quantum gates to the encrypted quantum state, and update the classical encryption of the one-time pad appropriately. A key feature of this encryption procedure is that while an encryption of a quantum state necessarily must be a quantum state, an encryption of classical information does not necessarily have to include a quantum state. Indeed, one can simply give a classical one-time pad encryption of the data, along with a classical fully-homomorphic encryption of the pad.

However, the original schemes presented by Broadbent and Jeffery [13] and subsequent work [24] based on their paradigm left much to be desired. In particular, they required even a classical encryptor to supply quantum “gadgets” encoding their secret key. These gadgets were then used to evaluate a particular non-Clifford gate over encrypted data.Footnote 4 The main innovation in the work of [52] was to remove the need for quantum gadgets, instead showing how to evaluate an appropriate non-Clifford gate using just classical information supplied by the encryptor.

Encrypted CNOT Operation. In more detail, evaluating a non-Clifford gate on a ciphertext \((\mathsf {ct},| \phi \rangle )\), where \(\mathsf {ct}\) is an FHE encryption of a QOTP key and \(| \phi \rangle \) is a quantum state encrypted under the QOTP key, involves an operation (referred to as encrypted CNOT) that somehow must “teleport” the bits encrypted in \(\mathsf {ct}\) into the state \(| \phi \rangle \). [52] gave a method for doing this, as long as the ciphertext \(\mathsf {ct}\) is encrypted under a scheme with some particular properties. Roughly, the scheme must support a “natural” XOR homomorphic operation, it must be circuit private with respect to this homomorphism, and perhaps most stringently, there must exist some trapdoor that can be used to recover the message and the randomness used to produce any ciphertext.

 [52] observed that the dual-Regev encryption scheme [30] (with large enough modulus-to-noise ratio) does in fact satisfy these properties, as long as one generates the public key matrix \(\mathbf {A}\) along with a trapdoor. However, recall that \(\mathsf {ct}\) was supposed to be encrypted under a fully-homomorphic encryption scheme. [52] resolves this by observing that ciphertexts encrypted under the dual variant of the [31] fully-homomorphic encryption scheme actually already contain a dual-Regev ciphertext. In particular, a dual-GSW ciphertext encrypting a bit \(\mu \) is a matrix \(\mathbf {M}= \mathbf {A}\mathbf {S}+ \mathbf {E}+ \mu \mathbf {G}\), where \(\mathbf {G}\) is the gadget matrix. The final column of \(\mathbf {M}\) is \(\mathbf {A}\mathbf {s}+ \mathbf {e}+ \mu [0,\dots ,0,q/2]^\top \), which is exactly a dual-Regev ciphertext encrypting \(\mu \) under public key \(\mathbf {A}\). Note that, crucially, if the dual-GSW public key \(\mathbf {A}\) is drawn with a trapdoor, then this trapdoor also functions as a trapdoor for the dual-Regev ciphertext. Thus, an evaulator can indeed perform the encrypted CNOT operation on any ciphertext \((\mathsf {ct},| \phi \rangle )\), by first extracting a dual-Regev ciphertext \(\mathsf {ct}'\) from \(\mathsf {ct}\) and then proceeding.

Challenges in the Multi-Key Setting. Now, it is natural to ask whether this approach readily extends to the multi-key setting. Namely, does there exist a multi-key FHE scheme where any (multi-key) ciphertext contains within it a dual-Regev ciphertext with a corresponding trapdoor? Unfortunately, this appears to be much less straightforward than in the single-key setting, for the following reason. Observe that (dual) GSW homomorphic operations over ciphertexts \(\mathbf {M}_i = \mathbf {A}\mathbf {S}_i + \mathbf {E}_i + \mu _i \mathbf {G}\) always maintain the same \(\mathbf {A}\) matrix, while updating \(\mathbf {S}_i\), \(\mathbf {E}_i\), and \(\mu _i\). Thus, a trapdoor for \(\mathbf {A}\) naturally functions as a trapdoor for the dual-Regev ciphertext that consitutes the last column of \(\mathbf {M}_i\). However, LWE-based multi-key FHE schemes from the literature [12, 18, 53, 59] include a ciphertext expansion procedure, which allows an evaluator, given public keys \(\mathsf {pk}_1,\dots ,\mathsf {pk}_n\), and a ciphertext \(\mathsf {ct}\) encrypted under some \(\mathsf {pk}_i\), to convert \(\mathsf {ct}\) into a ciphertext \(\hat{\mathsf {ct}}\) encrypted under all keys \(\mathsf {pk}_1,\dots ,\mathsf {pk}_n\). Now, even if these public keys are indeed matrices \(\mathbf {A}_1,\dots ,\mathbf {A}_n\) drawn with trapdoors \(\tau _1,\dots ,\tau _n\), it is unclear how to combine \(\tau _1,\dots ,\tau _n\) to produce a trapdoor \(\hat{\tau }\) for the “expanded” ciphertext. Indeed, the expanded ciphertext generally can no longer be written as some \(\mathbf {A}\mathbf {S}+ \mathbf {E}+ \mu \mathbf {G}\), since the expansion procedure constructs a highly structured matrix that includes components from the ciphertexts \(\mathsf {ct}_1,\dots ,\mathsf {ct}_n\), as well as auxiliary encryptions of the randomness used to produce the ciphertexts (see e.g. [53]).

A Solution Based on Key-Switching. Thus, we take a different approach. Rather than attempting to tweak known ciphertext expansion procedures to also support “trapdoor expansion”, we rely on the notion of key-switching, which is a method of taking a ciphertext encrypted under one scheme and converting it into a ciphertext encrypted under another scheme. The observation, roughly, is that we do not need to explicitly maintain a trapdoor for the multi-key FHE scheme, as long as it is possible to convert a multi-key FHE ciphertext into a dual-Regev ciphertext that does explicitly have a trapdoor. In fact, we will consider a natural multi-key generalization of dual-Regev, as described below. Key switching is possible as long as the second scheme has sufficient homomorphic properties, namely, it can support homomorphic evaluation of the decryption circuit of the first scheme.

Fortunately, the dual-Regev scheme is already linearly homomorphic, and many known classical multi-key FHE schemes [12, 18, 53, 59] support nearly linear decryption, which means that decrypting a ciphertext simply consists of applying a linear function (derived from the secret key) and then rounding. Thus, as long as the evaluator has the secret key of the multi-key FHE ciphertext encrypted under a dual-Regev public key with a trapdoor, they can first key-switch the multi-key FHE ciphertext \(\mathsf {ct}\) into a dual-Regev ciphertext \(\mathsf {ct}'\), and then proceed with the encrypted CNOT operation.

It remains to show how an evaluator may have access to such a dual-Regev encryption. Since we are still in the multi-key setting, we will need a ciphertext and corresponding trapdoor expansion procedure for dual-Regev. However, we show that such a procedure is much easier to come by when the scheme only needs to support linear homomorphism (as is the case for the dual-Regev scheme) rather than full homomorphism. Each party can draw its own dual-Regev public key \(\mathbf {A}_i\) along with a trapdoor \(\tau _i\), and encrypt its multi-key FHE secret key under \(\mathbf {A}_i\) to produce a ciphertext \(\mathsf {ct}_i\). The evaluator can then treat the block-diagonal matrix \(\hat{\mathbf {A}} = \mathsf {diag}(\mathbf {A}_1,\dots ,\mathbf {A}_n)\) as an “expanded” public key.Footnote 5 Now, the message and randomness used to generate a ciphertext encrypted under \(\hat{\mathbf {A}}\) may be recovered by applying \(\tau _1\) to the first set of entries of the ciphertext, applying \(\tau _2\) to the second set of entries and so on. This observation, combined with an appropriate expansion procedure for the ciphertexts \(\mathsf {ct}_i\), allows an evaluator to convert any multi-key FHE ciphertext into a multi-key dual-Regev ciphertext with trapdoor. Given a classical multi-key FHE scheme with nearly linear decryption, this suffices to build multi-key quantum FHE with classical key generation and encryption.

Distributed Setup. We showed above how to convert any classical multi-key FHE scheme into a quantum multi-key FHE scheme, as long as the classical scheme has nearly linear decryption. However, most LWE-based classical multi-key FHE schemes operate in the common random string (CRS) model, which assumes that all parties have access to a common source of randomness, generated by a trusted party. Thinking back to our application to parallel extractable commitments, it is clear that this will not suffice, since we have no CRS a priori, and a receiver that generates a CRS maliciously may be able to break hiding of the scheme. Thus, we rely on the multi-key FHE scheme of [12], where instead of assuming a CRS, the parties participate in a distributed setup procedure. In particular, each party (and in our application, each committer) generates some public parameters \(\mathsf {pp}_i\), which are then combined publicly to produce a single set of public parameters \(\mathsf {pp}\), which can be used by anyone to generate their own public key/secret key pair.

This form of distributed setup indeed suffices to prove the hiding of our parallel commitment, so it remains to show that our approach, combined with [12], yields a quantum multi-key FHE scheme with distributed setup. First, the [12] scheme does indeed enjoy nearly linear decryption, so plugging it into our compiler described above gives a functional quantum multi-key FHE scheme. Next, we need to confirm that our compiler does not destroy the distributed setup property. This follows since each party draws its own dual-Regev public key with trapdoor without relying on any CRS, or even any public parameters.

Quantum AFS-Spooky Encryption. Finally, we show, via another application of key-switching, how to construct a quantum AFS-spooky encryption scheme (with distributed setup). Recall that we only require “spooky” interactions to hold over classical ciphertexts. That is, for any quantum circuit C with classical outputs, given ciphertexts \(\mathsf {ct}_1,\dots ,\mathsf {ct}_n\) encrypting \(| \phi _1 \rangle ,\dots ,| \phi _n \rangle \) respectively under public keys \(\mathsf {pk}_1,\dots ,\mathsf {pk}_n\), an evaluator can produce ciphertexts \(\mathsf {ct}_1',\dots ,\mathsf {ct}_n'\) where \(\mathsf {ct}_i'\) encrypts \(y_i\) under \(\mathsf {pk}_i\), and such that \(\mathop {\bigoplus }\limits _{i=1}^n y_i = C(| \phi _1 \rangle ,\dots ,| \phi _n \rangle )\).

Now, using our quantum multi-key FHE scheme, it is possible to compute a single (multi-key) ciphertext \(\hat{\mathsf {ct}}\) that encrypts \(C(| \phi _1 \rangle ,\dots ,| \phi _n \rangle )\) under all public keys \(\mathsf {pk}_1,\dots ,\mathsf {pk}_n\). Then, if each party additionally drew a key pair \((\mathsf {pk}_i', \mathsf {sk}_i')\) for a classical AFS-spooky encryption scheme, and released \(\tilde{\mathsf {ct}}_1,\dots ,\tilde{\mathsf {ct}}_n\), where \(\tilde{\mathsf {ct}}_i = \mathsf {Enc}(\mathsf {pk}_i', \mathsf {sk}_i)\) encrypts the i-th party’s quantum multi-key FHE secret key under their AFS-spooky encryption public key, then the evaluator can homomorphically evaluate the quantum multi-key FHE decryption circuit (which is classical for classical ciphertexts) with \(\hat{\mathsf {ct}}\) hardcoded, where \(\hat{\mathsf {ct}}\) is the multi-key ciphertext defined at the beginning of this paragraph. This circuit on input \(\tilde{\mathsf {ct}}_1,\dots ,\tilde{\mathsf {ct}}_n\) produces the desired output \(\mathsf {ct}_1',\dots ,\mathsf {ct}_n'\). Finally, note that the classical AFS-spooky encryption scheme must also have distributed setup, and we show (see Sect. 4.5 in the full version) that one can derive a distributed-setup AFS-spooky encryption scheme from [12] using standard techniques [21].

2.4 Post-Quantum Non-malleable Commitments

In this section, we describe how to obtain constant-round post-quantum non-malleable commitments under the assumption that there exists a natural number \(c>0\) such that quantum polynomial-time adversaries cannot distinguish LWE samples from uniform with advantage better than \({\lambda ^{-\mathsf {ilog}(c,\lambda )}}\), where \(\mathsf {ilog}(c,\lambda ) = {\log \log \cdots _{{c}~\mathrm {times}} \log }(\lambda )\) and \(\lambda \) denotes the security parameter.

We will focus on perfectly binding and computationally hiding constant-round interactive commitments. Loosely speaking, a commitment scheme is said to be non-malleable if no adversary (also called a man-in-the-middle), when participating as a receiver in an execution of an honest commitment \(\mathsf {Com}(m)\), can at the same time generate a commitment \(\mathsf {Com}(m')\), such that the message \(m'\) is related to the original message m. This is equivalent (assuming the existence of one-way functions with security against quantum adversaries) to a tag-based notion where the commit algorithm obtains as an additional input a tag in \(\{0,1\}^\lambda \), and the adversary is restricted to using a tag, or identity, that is different from the tag used to generate its input commitment. We will rely on tag-based definitions throughout this paper. We will also only focus on the synchronous setting, where the commitments proceed in rounds, and the man-in-the-middle sends its own message for a specific round before obtaining an honest party’s message for the next round.

Before describing our ideas, we briefly discuss existing work on classically-secure non-malleable commitments. Unfortunately, existing constructions of constant-round non-malleable commitments against classical adversaries from standard polynomial hardness assumptions [4, 16, 17, 36,37,38,39,40, 44, 46,47,48, 54, 56,57,58, 65] either rely on rewinding, or use Barak’s non-black-box simulation technique, both of which require the reduction to perform state cloning. As such, known techniques fail to prove quantum security of these constructions.

We now discuss our techniques for constructing post-quantum non-malleable commitments. Just like several classical approaches, we will proceed in two steps.

  • We will obtain simple “base” commitment schemes for very small tag/identity spaces from slightly superpolynomial hardness assumptions.

  • Then assuming polynomial hardness of LWE against quantum adversaries, and making use of constant-round post-quantum zero-knowledge arguments, we will convert non-malleable commitments for a small tag space into commitments for a larger tag space, while only incurring a constant round overhead.

For the base schemes, there are known classical constructions [58] that assume hardness of LWE against \(2^{\lambda ^\delta }\)-size adversaries, where \(\lambda \) denotes the security parameter and \(0<\delta <1\) is a constant. We observe that these constructions can be proven secure in the quantum setting, resulting in schemes that are suitable for tag spaces of \(O(\log \log \lambda )\) tags.

Tag Amplification. Since an MPC protocol could be executed among up to \(\mathsf {poly}(\lambda )\) parties where \(\mathsf {poly}(\cdot )\) is an arbitrary polynomial, we end up requiring non-malleable commitments suitable for tag spaces of \(\mathsf {poly}(\lambda )\). This is obtained by combining classical tools for amplifying tag spaces [22] with constant round post-quantum zero-knowledge protocols. Our tag amplification protocol, on input a scheme with tag space 2t, outputs a scheme with tag space \(2^{t}\), for any \(t \le \mathsf {poly}(\lambda )\). This follows mostly along the lines of existing classical protocols, and as such we do not discuss the protocol in detail here. Our protocol can be found in Sect. 7.3 in the full version.

Base Schemes from \(\lambda ^{-\mathsf {ilog}(c,\lambda )}\) Hardness. Returning to the question of constructing appropriate base schemes, we also improve the assumption from \(2^{\lambda ^\delta }\)-quantum hardness of LWE (that follows based on [58]) to the mildly superpolynomial hardness assumption discussed at the beginning of this subsection. Recall that we will only need to assume that there exists an (explicit) natural number \(c>0\) such that quantum polynomial time adversaries cannot distinguish LWE samples from uniform with advantage better than \(\mathsf {negl}(\lambda ^{\mathsf {ilog}(c,\lambda )})\) where \(\mathsf {ilog}(c,\lambda ) = {\log \log \cdots _{{c}~\mathrm {times}} \log }(\lambda )\). Our base scheme will only be suitable for identities in \(\mathsf {ilog}(c+1, \lambda )\), where \(c >0\) is a natural number, independent of \(\lambda \). We will then repeatedly apply the tag amplification process referred to above to boost the tag space to \(2^\lambda \), by adding only a constant number of rounds.

To build our base scheme, we take inspiration from the classically secure non-malleable commitments of Khurana and Sahai [45]. However, beyond considering quantum as opposed to classical adversaries, our protocol and analysis will have the following notable differences from [45]:

  • The work of [45] relies on sub-exponential hardness (i.e. \(2^{\lambda ^\delta }\) security), which is stronger than the type of superpolynomial hardness we assume. This is primarily because [45] were restricted to two rounds, but we can improve parameters while allowing for a larger constant number of rounds.

  • [45] build a reduction that rewinds an adversary to the beginning of the protocol, and executes the adversary several times, repeatedly sampling the adversary’s initial state. This may be undesirable in the quantum setting.Footnote 6 On the other hand, we have a simpler fully straight-line reduction that only needs to run the adversary once.

Specifically, following [45], we will establish an erasure channel between the committer and receiver that transmits the committed message to the receiver with probability \(\epsilon \). To ensure that the commitment satisfies hiding, \(\epsilon \) is chosen to be a value that is negligible in \(\lambda \). At the same time, the exact value of \(\epsilon \) is determined by the identity (\(\mathsf {tag} \)) of the committer. Recall that \(\mathsf {tag} \in [1,\mathsf {ilog}(c+1,\lambda )]\). We will set \(\epsilon = \eta ^{-\mathsf {tag}}\) where \(\eta = \lambda ^{\mathsf {ilog}(c+1,\lambda )}\) is a superpolynomial function of \(\lambda \).

Next, for simplicity, we restrict ourselves to a case where the adversary’s tag (which we denote by \(\mathsf {tag} '\)) is smaller than that of the honest party (which we denote by \(\mathsf {tag} \)). In this case, the adversary’s committed message is transmitted with probability \(\epsilon ' = \eta ^{-\mathsf {tag} '}\), whereas the honest committer’s message is transmitted with probability only \(\epsilon = \eta ^{-\mathsf {tag}}\), which is smaller than \(\epsilon '\).

We set this up so that the transcript of an execution transmits the adversary’s message with probability \(\epsilon '\) (over the randomness of the honest receiver), and on the other hand, an honestly committed message will remain hidden except with probability \(\epsilon < \epsilon '\) (over the randomness of the honest committer). This gap in the probability of extraction will help us argue non-malleability, using a proof strategy that bears resemblance to the proof technique in [9] (who relied on stronger assumptions to achieve such a gap in the non-interactive setting).

We point out one subtlety in our proof that does not appear in [9]. We must rule out a man-in-the-middle adversary that on the one hand, does not commit to a related message if its message was successfully transmitted, but on the other hand, can successfully perform a mauling attack if its message was not transmitted. To rule out such an adversary, just like [45], we will design our erasure channel so that the adversary cannot distinguish transcripts where his committed message was transmitted from those where it wasn’t.

Finally, our erasure channel can be cryptographically established in a manner similar to prior work [3, 42, 45] via an indistinguishability-based variant of two-party secure function evaluation, that can be based on quantum hardness of LWE. Specifically, we would like to ensure that the SFE error is (significantly) smaller than the transmission probabilities of our erasure channels: therefore, we will set parameters so that SFE error is \(\lambda ^{-\mathsf {ilog}(c,\lambda )}\). We refer the reader to Sect. 7 in the full version for additional details about our construction.

On Super-Constant Rounds from Polynomial Hardness. We also observe that for any \(t(\lambda ) \le \mathsf {poly}(\lambda )\), non-malleable commitments for tag space of size \(t(\lambda )\) can be obtained in \(O(t(\lambda ))\) rounds based on any extractable commitment using ideas from [15, 22], where only one party speaks in every round. These admit a straight-line reduction, and can be observed to be quantum-secure. As such, based on quantum polynomial hardness of LWE and quantum FHE, we can obtain a base protocol for \(O(\log \log \ldots _{\text {c times}} \log \lambda )\) tags requiring \(O(\log \log \ldots _{\text {c times}} \log \lambda )\) rounds, for any constant \(c \in \mathbb {N}\). Applying our tag-amplification compiler to this base protocol makes it possible to increase the tag space to \(2^\lambda \) while only adding a constant number of rounds. Therefore, this technique gives \(O(\log \log \ldots _{\text {c times}} \log \lambda )\) round non-malleable commitments for exponentially large tags from quantum polynomial hardness. It also yields constant round non-malleable commitments for a constant number of tags from polynomial hardness.

2.5 Putting Things Together

Finally, we show how to combine the primitives described above to obtain a constant-round coin-flipping protocol that supports straight-line simulation. As we saw above, in the setting of multi-verifier zero-knowledge, simultaneously simulating the view of multiple parties without rewinding can be quite challenging, so a careful protocol and proof is needed.

Recall the outline presented at the beginning of this section, where each party first commits to a uniformly random string, then broadcasts the committed message, and finally proves in ZK that the message broadcasted is equal to the previously committed message. If all proofs verify, then the common output is the XOR of all broadcasted strings. Recall also that the coin-tossing protocol should be fully-simulatable. This means that a simulator should be able to force the common output to be a particular uniformly drawn string given to it as input.

It turns out that in order to somehow force a particular output, the simulator should be able to simultaneously extract in advance all the messages that adversarial parties committed to. In particular, we require commitments where a simulator can extract from multiple committers committing in parallel. Here, we will rely on our parallel extractable commitment described above. Note that we will also need to simulate the subsequent zero-knowledge arguments given by the malicious parties in parallel, and thus we instantiate these with our parallel zero-knowledge argument described above. However, an issue remains. What if an adversary could somehow maul an honest party’s commitment to a related message and then broadcast that commitment as their own? This could bias the final outcome away from uniformly random.

Thus, we need to introduce some form of non-malleability into the protocol. Indeed, we will add another step at the beginning where each party commits to its message \(c_i\) and some randomness \(r_i\) using our post-quantum many-to-one non-malleable commitment.Footnote 7 Each party will then commit to \(c_i\) again with our extractable commitment, using randomness \(r_i\). Finally, each party proves in zero-knowledge that the previous commitments were consistent.

This protocol can be proven to be fully simulatable. Intuitively, even though the simulator changes the behavior of honest players in order to extract from the adversary’s commitments and then later force the appropriate output, the initial non-malleable commitments given by the adversary must not change in a meaningful way, due the the guarantee of non-malleability. However, additional subtleties arise in the proof of security. In particular, during the hybrids the simulator will first have to simulate the honest party zero-knowledge arguments, before changing the honest party commitments in earlier stages. However, when changing an honest party’s commitment, we need to rely on non-malleability to ensure that the malicious party commitments will not also change in a non-trivial way. Here, we use a proof technique that essentially invokes soundness of the adversary’s zero-knowledge arguments at an earlier hybrid but allows us to nevertheless rely on non-malleable commitments to enforce that the adversary behaves consistently in all future hybrids. More discussion and a formal analysis can be found in Sect. 8 in the full version.

2.6 Related Work

Classical secure multi-party computation was introduced and shown to be achievable in the two-party setting by [67] and in the multi-party setting by [33]. Since these seminal works, there has been considerable interest in reducing the round complexity of classical protocols. In the setting of malicious security against a dishonest majority, [49] gave the first constant-round protocol for two-party computation, and [43] gave the first constant-round protocol for multi-party computation. Since then, there has been a long line of work improving on the exact round complexity and assumptions necessary for classical multi-party computation (see e.g. [27, 55]).

Post-quantum Classical Protocols. The above works generally focus on security against classical polynomial-time adversaries. Another line of work, most relevant to the present work, has considered the more general goal of proving the security of classical protocols against arbitrary quantum polynomial-time adversaries.

This study was initiated by van de Graaf [63], who observed that the useful rewinding technique often used to prove zero-knowledge in the classical setting may be problematic in the quantum setting. In a breakthrough work, Watrous [64] showed that several well-known classical zero-knowledge protocols are in fact zero-knowledge against quantum verifiers, via a careful rewinding argument. However, these protocols require a polynomial number of rounds to achieve negligible security against quantum attackers. Later, Unruh [62] developed a more powerful rewinding technique that suffices to construct classical zero-knowledge proofs of knowledge secure against quantum adversaries, though still in a polynomial number of rounds. In a recent work, [10] managed to construct a constant-round post-quantum zero-knowledge protocol, under assumptions similar to those required to obtain classical fully-homomorphic encryption. In another recent work, [1] constructed a constant-round protocol that is zero-knowledge against quantum verifiers under the quantum LWE assumption, though soundness holds against only classical provers.

There has also been some work on the more general question of post-quantum secure computation. In particular, [20] used the techniques developed in [64] to build a two-party coin-flipping protocol, and [41, 51] constructed general two-party computation secure against quantum adversaries, in a polynomial number of rounds. More recently, [10] gave a constant-round two-party coin-flipping protocol, with full simulation of one party. However, prior to this work, nothing was known in the most general setting of post-quantum multi-party computation (in the plain model).

Finally, we remark that post-quantum classical protocols do exist in the literature, as long as some form of trusted setup is available. For example, the two-round protocol of [53] from LWE is in the programmable common random string model, and was shown to be semi-maliciously secure via straight-line simulation. Thus, applying the semi-malicious to malicious compiler of [2] instantiated with a NIZK from LWE [60] gives a post-quantum maliciously secure protocol in the common random string model from the quantum hardness of LWE. Another example is the maliciously secure OT-based two-round protocol of [7, 28] instantiated with maliciously-secure oblivious transfer from LWE [61].

Quantum Protocols. Yet another line of work focuses on protocols for securely computing quantum circuits. General multi-party quantum computation was shown to be achievable in the information-theoretic setting (with honest majority) in the works of [5, 19]. In the computational setting, [25] gave a two-party protocol secure against a quantum analogue of semi-honest adversaries, and [26] extended security of two-party quantum computation to the malicious setting. In a recent work [23] constructed a maliciously secure multi-party protocol for computing quantum circuits, assuming the existence of a maliciously secure post-quantum classical MPC protocol. We remark that all of the above protocols operate in a polynomial number of rounds.

3 Quantum-Secure Multi-Committer Extractable Commitment

In this section, we follow the outline presented in Sect. 2.2 to construct a commitment scheme that allows for simultaneous extraction from multiple parallel committers. The protocol is somewhat more involved than the high-level description given earlier, so we briefly highlight the differences.

First, the committer is instructed to (non-interactively) commit to its message and trapdoor at the very beginning of the protocol. We use these commitments to take advantage of non-uniformity in the reductions between hybrids in the extractability proof. In particular, hybrids that come before the step where the simulator goes “under the hood” of the FHE may still need access to the trapdoor and commitment, and this can be given to any reduction via non-uniform advice consisting of each committer’s first message and corresponding openings.

Next, the CDS described earlier is replaced with a function-hiding secure function evaluation (SFE) protocol. In order to rule out the malleability attack mentioned in Sect. 2.2, where a malicious receiver mauls the AFS-spooky encryption of the committer’s trapdoor into an SFE encryption of the trapdoor, we do the following. The first message sent by the receiver to each committer \(\mathsf {C}_i\) will actually be a commitment to some key \(k_i\) of a generic secret-key encryption scheme. After \(\mathsf {C}_i\) sends its AFS-spooky encryption ciphertext and compute and compare obfuscation, the receiver prepares and sends a secret-key encryption of an arbitrary message. Then, the receiver’s input to the SFE consists of the opening to its earlier commitment \(k_i\), and the SFE checks if the secret-key encryption sent by the receiver is actually an encryption of the committer’s trapdoor under secret key \(k_i\). If so, it returns the lock and otherwise it returns \(\bot \). This setup ensures that a malicious receiver cannot maul the AFS-spooky encryption of the committer’s trapdoor, for the following reason. If it could, then a non-uniform reduction to the semantic security of AFS-spooky encryption may obtain the receiver’s committed \(k_i\) as advice and decrypt the receiver’s secret-key encryption to obtain the trapdoor. Of course, this assumes the receiver actually acted explainably in sending a valid commitment at the beginning of the protocol, and this is ensured by the opening check performed under the SFE. We note that this mechanism is somewhat different than what was presented in [10], as they directly build a zero-knowledge argument (i.e. without first constructing a stand-alone extractable commitment) and are able to take advantage of witness indistinguishability to enforce explainable behavior.

Compliant Distinguishers. Finally, we discuss the issue of committer explainability. Recall from the high-level overview that a simulator is able to extract from a committer by homomorphically evaluating its code on an AFS-spooky encryption ciphertext generated by the committer. Thus, if the committer acts arbitrarily maliciously and does not return a well-formed ciphertext, the extraction may completely fail. Again, [10] address this issue by only analyzing their commitment within the context of a larger zero-knowledge argument protocol, and having the verifier prove to the prover using a witness indistinguishable proof that it performed the commitment explainably.

Thus, without adding zero-knowledge and performing [32]-style analysis to handle non-explainable and aborting committers, we will only obtain extractability against explainable committers. However, since we will be using this protocol inside larger protocols where participants are not assumed to be acting explainably, restricting the class of committers we consider in our definition is problematic. We instead consider arbitrary committers but restrict the class of distinguishers (who are supposed to decide whether they received the view of a committer interacting in the real protocol or the view of a committer interacting with the extractor) to those that always output 0 on input a non-explainable transcript. In other words, any advantage these distinguishers may have must be coming from their behavior on input explainable views. Even though checking whether a particular view is explainable or not is not efficient, it turns out that this definition lends itself quite nicely to composition, since one can use witness indistinguishability/zero-knowledge to construct provably compliant distinguishers between hybrids for the larger protocols.

For completeness, and because post-quantum multi-committer extractable commitments may be of independent interest, we also show in Appendix D in the full version how to add zero-knowledge within the extractable commitment protocol itself to obtain security against arbitrary committers.

3.1 Definition

Definition 1 (Quantum-Secure Multi-Committer Extractable Commitment)

A quantum-secure multi-committer extractable commitment scheme is a pair \((\mathsf {C},\mathsf {R})\) of classical PPT interactive Turing machines. In the commit phase, \(\mathsf {R}\) interacts with n copies \(\{\mathsf {C}_i\}_{i \in [n]}\) of \(\mathsf {C}\) (who do not interact with each other) on common input \(1^\lambda \) and \(1^n\), with each \(\mathsf {C}_i\) additionally taking a private input \(m_i \in \{0,1\}^*\). This produces a transcript \(\tau \), which may be parsed as a set of n transcripts \(\{\tau _i\}_{i \in [n]}\), one for each set of messages exchanged between \(\mathsf {R}\) and \(\mathsf {C}_i\). In the decommitment phase, each \(\mathsf {C}_i\) outputs \(m_i\) along with its random coins \(r_i\), and \(\mathsf {R}\) on input \((1^\lambda ,\tau _i,m_i,r_i)\) either accepts or rejects. The scheme should satisfy the following properties.

  • Perfect Correctness: For any \(\lambda ,n \in \mathbb {N}, i \in [n]\),

    $$\Pr [\mathsf {R}(1^\lambda ,\tau _i,m_i,r_i) = 1 \ | \ \{\tau _i\}_{i \in [n]} \leftarrow \langle {\mathsf {R},\mathsf {C}_1(m_1;r_1),\dots ,\mathsf {C}_n(m_n;r_n)}\rangle (1^\lambda ,1^n)] = 1.$$

  • Perfect Binding: For any \(\lambda \in \mathbb {N}\) and string \(\tau \in \{0,1\}^*\), there does not exist (mr) and \((m',r')\) with \(m \ne m'\) such that \(\mathsf {R}(1^\lambda ,\tau ,m,r) = \mathsf {R}(1^\lambda ,\tau ,m',r')=1\).

  • Quantum Computational Hiding: For any non-uniform quantum polynomial-size receiver \(\mathsf {R}^* = \{\mathsf {R}^*_\lambda ,\rho _\lambda \}_{\lambda \in \mathbb {N}}\), any polynomial \(\ell (\cdot )\), and any sequence of sets of strings \(\{m^{(0)}_{\lambda ,1},\dots ,m^{(0)}_{\lambda ,n}\}_{\lambda ,n \in \mathbb {N}}\), \(\{m^{(1)}_{\lambda ,1},\dots ,m^{(1)}_{\lambda ,n}\}_{\lambda ,n \in \mathbb {N}}\) where each \(|m^{(b)}_{\lambda ,i}| = \ell (\lambda )\),

    $$\begin{aligned}&\{\mathsf {VIEW} _{\mathsf {R}^*_\lambda }(\langle {\mathsf {R}^*_\lambda (\rho _\lambda ),\mathsf {C}_1(m^{(0)}_{\lambda ,1}),\dots ,\mathsf {C}_{n}(m^{(0)}_{\lambda ,n})}\rangle (1^\lambda ,1^n))\}_{\lambda ,n \in \mathbb {N}} \\ \approx _c&\{\mathsf {VIEW} _{\mathsf {R}^*_\lambda }(\langle {\mathsf {R}^*_\lambda (\rho _\lambda ),\mathsf {C}_1(m^{(1)}_{\lambda ,1}),\dots ,\mathsf {C}_{n}(m^{(1)}_{\lambda ,n})}\rangle (1^\lambda ,1^n))\}_{\lambda ,n \in \mathbb {N}}. \end{aligned}$$

The extractability property will require the following two definitions. First, for any adversary \(\mathsf {C}^* = \{\mathsf {C}^*_\lambda ,\rho _\lambda \}_{\lambda \in \mathbb {N}}\) representing a subset \(I \subseteq [n]\) of n committers, any honest party messages \(\{m_i\}_{i \notin I}\), and any security parameter \(\lambda \in \mathbb {N}\), define \(\mathsf {VIEW}^{\mathsf {msg}}_{\mathsf {C}^*_{\lambda }}(\langle {\mathsf {R},\mathsf {C}^*_\lambda (\rho _\lambda ),\{\mathsf {C}_i(m_i)\}_{i \notin I}}\rangle (1^\lambda ,1^n))\) to consist of the following.

  1. 1.

    The view of \(\mathsf {C}^*_\lambda \) on interaction with the honest receiver \(\mathsf {R}\) and set \(\{\mathsf {C}_i(m_i)\}_{i \notin I}\) of honest parties; this view includes a set of transcripts \(\{\tau _i\}_{i \in I}\) and a state \(\mathsf {st} \).

  2. 2.

    A set of strings \(\{m_i\}_{i \in I}\), where each \(m_i\) is defined relative to \(\tau _i\) as follows. If there exists \(m'_i,r_i\) such that \(\mathsf {R}(1^\lambda ,\tau _i,m'_i,r_i) = 1\), then \(m_i = m'_i\), otherwise, \(m_i = \bot \).

Next, we consider distinguishers \(\mathsf {D}= \{\mathsf {D}_\lambda ,\sigma _\lambda \}_{\lambda \in \mathbb {N}}\) that take as input a sample \((\{\tau _i\}_{i \in I},\mathsf {st},\{m_i\}_{i \in I})\) from the distribution just described. We say that \(\mathsf {D}\) is compliant if whenever \(\{\tau _i\}_{i \in I}\) is not an explainable transcript with respect to the set I, \(\mathsf {D}\) outputs 0 with overwhelming probability (over the randomness of \(\mathsf {D}\)).

  • Multi-Committer Extractability: There exists a quantum expected-polynomial-time extractor \(\mathsf {Ext} \) such that for any compliant non-uniform polynomial-size quantum distinguisher \(\mathsf {D}= \{\mathsf {D}_\lambda ,\sigma _\lambda \}_{\lambda \in \mathbb {N}}\), there exists a negligible function \(\mu (\cdot )\), such that for all adversaries \(\mathsf {C}^* = \{\mathsf {C}^*_\lambda ,\rho _\lambda \}_{\lambda \in \mathbb {N}}\) representing a subset of n committers, namely, \(\{\mathsf {C}_i\}_{i \in I}\) for some set \(I \subseteq [n]\), the following holds for all polynomial-size sequences of inputs \(\{\{m_{i,\lambda }\}_{i \notin I}\}_{\lambda \in \mathbb {N}}\) and \(\lambda \in \mathbb {N}\).

    $$\begin{aligned}&\big |\Pr [\mathsf {D}_\lambda (\mathsf {VIEW}^{\mathsf {msg}}_{\mathsf {C}^*_\lambda }(\langle {\mathsf {R},\mathsf {C}^*_\lambda (\rho _\lambda ),\{\mathsf {C}_i(m_{i,\lambda })\}_{i \notin I}}\rangle (1^\lambda ,1^n)),\sigma _\lambda ) = 1]\\&- \Pr [\mathsf {D}_\lambda ( \mathsf {Ext} (1^\lambda ,1^n,I,\mathsf {C}^*_\lambda ,\rho _\lambda ),\sigma _\lambda )=1]\big | \le \mu (\lambda ). \end{aligned}$$

Remark 1

Observe that the above definition of quantum computational hiding does not consider potentially malicious committers that interact in the protocol to try to gain information about commitments made by other committers. This is without loss of generality, since all communication occurs between \(\mathsf {R}\) and some \(\mathsf {C}_i\). In particular, no messages are sent between any \(\mathsf {C}_i\) and \(\mathsf {C}_j\).

3.2 Construction

Ingredients: All of the following are assumed to be quantum-secure, and the construction is presented in Protocol Fig. 2.

  • A non-interactive perfectly-binding commitment \(\mathsf {Com}\).

  • A secret-key encryption scheme \((\mathsf {Enc},\mathsf {Dec})\).Footnote 8

  • A compute-and-compare obfuscator \(\mathsf {Obf}\).

  • A quantum AFS-spooky encryption scheme with distributed setup

    (\(\mathsf {Spooky}.\mathsf {Setup}\),\(\mathsf {Spooky}.\mathsf {KeyGen}\), \(\mathsf {Spooky}.\mathsf {Enc}\), \(\mathsf {Spooky}.\mathsf {QEnc}\), \(\mathsf {Spooky}.\mathsf {Eval}\),

    \(\mathsf {Spooky}.\mathsf {Dec}\), \(\mathsf {Spooky}.\mathsf {QDec}\)).

  • A two-message function-hiding secure function evaluation scheme

    \((\mathsf {SFE.Gen}, \mathsf {SFE.Enc}, \mathsf {SFE.Eval}, \mathsf {SFE.Dec})\).

Fig. 2.
figure 2

Constant round post-quantum multi-committer extractable commitment.

Full size image

Analysis. We state the security of our scheme in the following and we refer the reader to the full version of this work for the proofs.

Lemma 1

Protocol Fig. 2 is quantum computational hiding.

Lemma 2

Protocol Fig. 2 is multi-committer extractable.