Classically Verifiable (Dual-Mode) NIZK for QMA with Preprocessing
arXiv [quant-ph], YITP-21-10

Tomoyuki Morimae (Yukawa Institute for Theoretical Physics, Kyoto University and PRESTO, JST, Japan) and Takashi Yamakawa (NTT Secure Platform Laboratories, Japan)

February 19, 2021
Abstract
We propose three constructions of classically verifiable non-interactive proofs (CV-NIP) and non-interactive zero-knowledge proofs and arguments (CV-NIZK) for QMA in various preprocessing models.

1. We construct an information theoretically sound CV-NIP for QMA in the secret parameter model, where a trusted party generates a quantum proving key and a classical verification key and gives them to the corresponding parties while keeping each secret from the other party. Alternatively, we can think of the protocol as one in a model where the verifier sends an instance-independent quantum message to the prover as preprocessing.

2. We construct a CV-NIZK for QMA in the secret parameter model. It is information theoretically sound and zero-knowledge.

3. Assuming the quantum hardness of the learning with errors problem, we construct a CV-NIZK for QMA in a model where a trusted party generates a CRS and the verifier sends an instance-independent quantum message to the prover as preprocessing. This model is the same as one considered in the recent work by Coladangelo, Vidick, and Zhang (CRYPTO '20). Our construction has the so-called dual-mode property, which means that there are two computationally indistinguishable modes of generating the CRS, and we have information theoretical soundness in one mode and the information theoretical zero-knowledge property in the other. This answers an open problem left by Coladangelo et al., which is to achieve either soundness or zero-knowledge information theoretically. To the best of our knowledge, ours is the first dual-mode NIZK for QMA in any kind of model.
Classical verification of quantum computation.
(∗ This is a major update version of [Mor20].)

Whether quantum computing is classically verifiable with information-theoretical soundness is one of the most important open problems in quantum computing and quantum cryptography [Got04, AV12, GKK19]. In terms of complexity theory, it is whether BQP is in IP^BQP, where IP^BQP is the class of languages that have an interactive proof with a quantum polynomial-time honest prover. (Note that the well-known result BQP ⊆ IP does not solve the open problem, because the honest prover is not quantum polynomial-time.) There have been many positive results for relaxed situations. They include protocols with slightly quantum verifiers [FK17, ABOEM17, HM15, FHM18] or multiple provers [RUV13, Gri19, CGJV19], and those with computational soundness (i.e., arguments [BC90]) [Mah18b, GV19].

What we study in this paper is related to the slightly-quantum-verifier approach. A well-known verification protocol in the slightly-quantum-verifier approach is the so-called Fitzsimons-Kashefi (FK) protocol [FK17]. In the FK protocol, the verifier first sends an instance-independent quantum state to the prover as preprocessing. After the instance is determined, the prover and verifier run an interactive classical protocol as an online phase. A drawback of the FK protocol is that it requires polynomially many rounds.

Another protocol in the slightly-quantum-verifier approach is the so-called post-hoc verification protocol [FHM18]. In this protocol, the prover generates a state called the history state and sends it to the verifier, which only needs to measure two randomly chosen qubits of the state. Though this protocol has the advantage that it is non-interactive, an obvious drawback is that the communication is quantum and therefore the verifier has to have quantum capability.

A non-interactive proof for BQP with a classical verifier is too much to hope for, since that would imply BQP ⊆ MA, which is believed to be unlikely [Wat00, RT19]. However, if we introduce quantum preprocessing similarly to the FK protocol, we may be able to circumvent the above implausibility. Therefore we ask the following question.

Can we construct a non-interactive proof for BQP with a quantum polynomial-time honest prover and a classical verifier with quantum preprocessing?
Non-interactive zero-knowledge.
A desirable feature of a (non-)interactive proof is the zero-knowledge property [GMR89], which ensures that the verifier learns nothing beyond the statement proven by the prover. Recently, there have been many works that constructed non-interactive zero-knowledge (NIZK) [BFM88] proofs or arguments for QMA, which is the "quantum counterpart" of NP, in various kinds of models [ACGH20, CVZ20, BG20, Shm20, BCKM20]. We note that we require the honest prover to run in quantum polynomial time receiving sufficiently many copies of a witness when we consider NIZK proofs or arguments for QMA. All known protocols except for the protocol of Broadbent and Grilo [BG20] only satisfy computational soundness. The protocol of [BG20] satisfies information theoretical soundness and zero-knowledge in the secret parameter (SP) model [Ps05], where a trusted party generates proving and verification keys and gives them to the corresponding party while keeping each secret from the other party as setup. A drawback of their protocol is that the prover sends a quantum proof to the verifier, and thus the verifier should be quantum. Then it is natural to ask the following question.

Can we construct a NIZK proof for QMA with classical verification in the SP model?
In addition, the SP model is not a very desirable model since it assumes strong trust in the setup. (The SP model is also often referred to as the preprocessing model [DMP90].) In the classical literature, there are constructions of NIZK proofs for NP in the common reference string (CRS) model [BFM88, FLS99, PS19], where the only trust in the setup is that a classical string is chosen according to a certain distribution and then published. Compared to the SP model, we need to put much less trust in the setup in the CRS model. Indeed, several … QMA in the CRS model. Though this is still open, there are several constructions of NIZKs for QMA in different models that assume less trust in the setup than in the SP model [ACGH20, CVZ20, Shm20, BCKM20]. However, all of them are arguments. Therefore, we ask the following question.

Can we construct a NIZK proof for QMA with classical verification in a model that assumes less trust in the setup than in the SP model?
We answer the above questions affirmatively.

1. We construct a (not zero-knowledge) classically verifiable non-interactive proof (CV-NIP) for QMA in the SP model, where a trusted party generates a quantum proving key and a classical verification key and gives them to the corresponding parties. We do not rely on any computational assumption for this construction. Furthermore, the proving key is the simplest quantum state, i.e., a tensor product of random computational or Hadamard basis states. Alternatively, we can think of the protocol as one in a model where the verifier sends an instance-independent quantum message to the prover as preprocessing, since soundness is not harmed even if the verifier plays the role of the trusted party. In the preprocessing, the verifier only needs to do single-qubit quantum operations (Hadamard or bit-flip gates) and send qubits one-by-one, and the online phase of the verifier is completely classical. Note that the honest prover in our construction runs in quantum polynomial time receiving a witness state. Because BQP is in QMA with a trivial witness state (such as the all-zero state), this answers our first question.

2. We extend the above construction to a classically verifiable NIZK (CV-NIZK) for QMA in the SP model, where a trusted party generates a quantum proving key and a classical verification key and gives them to the corresponding parties. We do not rely on any computational assumption for this construction either, and thus both soundness and the zero-knowledge property are satisfied information theoretically. This answers our second question. Compared with [BG20], ours has the advantage that verification is classical, at the cost of making the proving key quantum. The proving key is again a very simple state, i.e., a tensor product of randomly chosen Pauli X, Y, or Z basis states. We note that we should not let the verifier play the role of the trusted party for this construction since that would break the zero-knowledge property.

3. Assuming the quantum hardness of the learning with errors problem (the LWE assumption) [Reg09], we construct a CV-NIZK for QMA in a model where a trusted party generates a CRS and the verifier sends an instance-independent quantum message to the prover as preprocessing. We note that the CRS is reusable for generating multiple proofs, but the quantum message in the preprocessing is not reusable. In this model, we only assume a trusted party that just generates a CRS once, and thus this answers our third question. This model is the same as one considered in [CVZ20] recently, and we call it the CRS + (V → P) model. Compared to their work, our construction has the following advantages.

(a) In their protocol, both soundness and the zero-knowledge property hold only against quantum polynomial-time adversaries, and they left it open to achieve either of them information theoretically. We answer the open problem. Indeed, our construction has the so-called dual-mode property [GOS12, PS19], which means that there are two computationally indistinguishable modes of generating the CRS, and we have information theoretical soundness in one mode and the information theoretical zero-knowledge property in the other. To the best of our knowledge, ours is the first dual-mode NIZK for QMA in any kind of model.

(b) Our protocol uses the underlying cryptographic primitives (which are lossy encryption and oblivious transfer with certain security) only in a black-box manner, whereas their protocol heavily relies on non-black-box usage of the underlying primitives. Indeed, their protocol uses fully homomorphic encryption to homomorphically run the proving algorithm of a NIZK for NP, which would make the protocol extremely inefficient. On the other hand, our construction uses the underlying primitives only in a black-box manner, which results in a much more efficient construction. We note that black-box constructions have been considered desirable for both theoretical and practical reasons in the cryptography community (e.g., see the introduction of [IKLP06]).

(c) The verifier's quantum operation in our preprocessing is simpler than that in theirs: in the preprocessing of our protocol, the verifier has only to do single-qubit gate operations (Hadamard, bit-flip or phase gates), while in the preprocessing of their protocol, the verifier has to do five-qubit (entangled) Clifford operations. In their paper [CVZ20], they left the following open problem: how far could their preprocessing phase be weakened? Our construction with the weaker verifier therefore partially answers the open problem.

On the other hand, Coladangelo et al. [CVZ20] proved that their protocol is also an argument of quantum knowledge (AoQK). We leave it open to study whether ours is also a proof/argument of knowledge.

Table 1: Comparison of NIZKs for QMA.

Reference    Soundness    ZK           Verification        Model           Assumption   Misc
[ACGH20]     comp.        comp.        classical           DV              LWE + RO
[CVZ20]      comp.        comp.        quantum+classical   CRS + (V → P)   LWE          AoQK
[BG20]       stat.        stat.        quantum             SP              None
[Shm20]      comp.        comp.        quantum             MDV             LWE          reusable
[BCKM20]     comp.        comp.        quantum             MDV             LWE          reusable and single-witness
Section 4    stat.        stat.        classical           SP              None
Section 5    stat./comp.  comp./stat.  quantum+classical   CRS + (V → P)   LWE          dual-mode

In column "Soundness" (resp. "ZK"), stat. and comp. mean statistical and computational soundness (resp. zero-knowledge), respectively. In column "Verification", "quantum+classical" means that the verifier needs to send a quantum message in preprocessing but the online phase of verification is classical.

Comparison among NIZKs for QMA.
We give more comparisons among our and known constructions of NIZKs for QMA. Since we have already discussed comparisons between ours and [BG20, CVZ20], we discuss comparisons with other works. A summary of the comparisons is given in Table 1.

Alagic et al. [ACGH20] gave a construction of a NIZK for QMA in the designated-verifier (DV) model, where a trusted party generates a CRS and a verification key and gives the verification key to the verifier while keeping it secret from the prover. Their protocol has the advantage that both the trusted party and the verifier are completely classical. On the other hand, the drawbacks are that their security proof relies on the random oracle (RO) heuristic, and only achieves computational soundness and zero-knowledge, whereas our constructions achieve (at least) either statistical soundness or zero-knowledge without relying on RO (though in different models).

Shmueli [Shm20] gave a construction of a NIZK for QMA in the malicious designated-verifier (MDV) model, where a trusted party generates a CRS and the verifier sends an instance-independent classical message to the prover as preprocessing. In this model, the preprocessing is reusable, i.e., a single preprocessing can be reused to generate arbitrarily many proofs later. This is a crucial advantage of their construction compared to ours. On the other hand, in their protocol, proofs are quantum and thus the verifier should perform quantum computations in the online phase, whereas the online phase of the verifier is classical in our constructions. Also, their protocol only satisfies computational soundness and zero-knowledge, whereas we can achieve (at least) either of them statistically. Recently, Bartusek et al. [BCKM20] gave another construction of a NIZK for QMA in the MDV model that has the advantage that the honest prover only uses a single copy of a witness. (Note that all other NIZKs for QMA including ours require the honest prover to take multiple copies of a witness if we require negligible completeness and soundness errors.) However, their construction also requires a quantum verifier in the online phase and only achieves computational soundness and zero-knowledge, similarly to [Shm20].
Classically verifiable non-interactive proof for QMA in the SP model.
Our starting point is the post-hoc verification protocol [FHM18]. Their protocol is based on the fact that any instance x of a QMA language L can be reduced to the local Hamiltonian problem [VW16] with an N-qubit Hamiltonian $H_x$ of the form $H_x = \sum_{j} \dots$

2. Let $(m_j, m_{j'}) \in \{0,1\}^2$ be the measurement outcomes. The verifier accepts if $(-1)^{m_j \oplus m_{j'}} = -s_{j,j'}$ and rejects otherwise.

The probability that the verifier accepts is $1 - \mathrm{Tr}(\rho H_x)$ when the prover's quantum message is ρ, and therefore the verifier accepts with probability at least 1 − α if x ∈ L and the prover is honest, whereas it accepts with probability at most 1 − β if x ∉ L. (See [FHM18] for the proof.) The gap between completeness and soundness can be amplified by simple parallel repetition.

Our first idea is to use quantum teleportation to replace the quantum communication with classical communication. Suppose that the prover and verifier share sufficiently many Bell pairs at the beginning. Then the prover can send the history state to the verifier with classical communication by quantum teleportation. Though this removes the necessity of quantum communication, the verifier still needs to be quantum, since it has to keep halves of Bell pairs and perform a measurement after receiving a proof.

To solve the problem, we utilize our observation that the verifier's measurement and the prover's measurement commute with each other, which is our second idea. In other words, we can let the verifier perform the measurement at the beginning without losing completeness or soundness. In the above quantum-teleportation-based protocol, when the prover sends its measurement outcomes $\{(x_j, z_j)\}_{j \in [N]}$ to the verifier, the verifier's state collapses to $X^x Z^z \rho_{\mathrm{hist}} Z^z X^x$, where $\rho_{\mathrm{hist}}$ denotes the history state and $X^x Z^z$ means $\prod_{j=1}^{N} X_j^{x_j} Z_j^{z_j}$. Then the verifier applies the Pauli correction $X^x Z^z$ and then measures two qubits of it in the X or Z basis.
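The measure-first version of this protocol can be checked exactly on a toy instance. The following numpy script is an added example, not code from the paper: the trusted party's pre-measured Bell halves are replaced by the collapsed key qubits $U(W)|m\rangle$ of Lemma 2.1, the honest prover Bell-measures its state against them, and the verifier XOR-corrects the pre-measured bits with the rule of Lemma 2.2 before running the parity test of Lemma 2.5 on one term $(I + s\,W_1 W_2)/2$. It assumes N = 2 and a single term; the state, bases and sign are constructed inputs, and it also covers the Y basis used later in the SP-model NIZK.

```python
"""Exact simulation of the measure-first, classically verified post-hoc check
(added example, not the paper's code). Constructed toy instance: N = 2 qubits,
one Hamiltonian term H = (I + s * W_1 W_2) / 2 with W_j in {X, Y, Z}."""
import itertools
import numpy as np

I2 = np.eye(2, dtype=complex)
X = np.array([[0, 1], [1, 0]], dtype=complex)
Z = np.array([[1, 0], [0, -1]], dtype=complex)
Y = 1j * X @ Z
HAD = np.array([[1, 1], [1, -1]], dtype=complex) / np.sqrt(2)
PAULI = {"X": X, "Y": Y, "Z": Z}
# V(W)|m> is the W-basis eigenvector with eigenvalue (-1)^m.
V = {"Z": I2, "X": HAD, "Y": np.array([[1, 1], [1j, -1j]], dtype=complex) / np.sqrt(2)}
# U(W)|m> is the state the other half of a Bell pair collapses to (Lemma 2.1).
U = {"Z": V["Z"], "X": V["X"], "Y": V["Y"] @ X}
KET = [np.array([1, 0], dtype=complex), np.array([0, 1], dtype=complex)]


def permute_qubits(op, perm):
    """Reorder the qubits of a 2^n x 2^n operator: new qubit i is old qubit perm[i]."""
    n = len(perm)
    t = op.reshape((2,) * (2 * n))
    t = t.transpose(list(perm) + [p + n for p in perm])
    return t.reshape(2 ** n, 2 ** n)


def bell_proj(x, z):
    """Projector onto |phi_{x,z}> = (X^x Z^z (x) I)(|00> + |11>)/sqrt(2)."""
    corr = np.linalg.matrix_power(X, x) @ np.linalg.matrix_power(Z, z)
    phi = np.kron(corr, I2) @ (np.kron(KET[0], KET[0]) + np.kron(KET[1], KET[1])) / np.sqrt(2)
    return np.outer(phi, phi.conj())


def keygen(bases, bits):
    """Trusted party: it measured its Bell halves in the W_j bases with outcomes m_j,
    so the prover's halves are the product of U(W_j)|m_j> (Lemma 2.1).  The verifier
    keeps (bases, bits) as its purely classical verification key."""
    return [U[w] @ KET[m] for w, m in zip(bases, bits)]


def correct(m, x, z, w):
    """Verifier's classical Pauli correction of a pre-measured bit (Lemma 2.2)."""
    return {"Z": m ^ x, "X": m ^ z, "Y": m ^ x ^ z}[w]


def energy(rho, bases, sign):
    """Tr(rho H) for H = (I + s W_1 W_2)/2; Lemma 2.5 says Pr[accept] = 1 - this."""
    term = np.kron(PAULI[bases[0]], PAULI[bases[1]])
    return float(np.trace(rho @ (np.eye(4) + sign * term) / 2).real)


def acceptance_probability(rho, bases, bits, sign):
    """Exact Pr[verifier accepts] for an honest prover holding rho on register C:
    enumerate the prover's Bell outcomes (x_j, z_j) on pairs (C_j, A_j), which are
    its whole classical proof, then apply the verifier's XOR corrections and the
    parity test (-1)^{m'_1 xor m'_2} == -s."""
    key = keygen(bases, bits)
    sigma = np.kron(np.outer(key[0], key[0].conj()), np.outer(key[1], key[1].conj()))
    state = np.kron(rho, sigma)                               # qubit order C1, C2, A1, A2
    p_acc = 0.0
    for x1, z1, x2, z2 in itertools.product((0, 1), repeat=4):
        proj = np.kron(bell_proj(x1, z1), bell_proj(x2, z2))  # order C1, A1, C2, A2
        proj = permute_qubits(proj, [0, 2, 1, 3])             # -> C1, C2, A1, A2
        prob = float(np.trace(proj @ state).real)             # Pr[prover sends (x, z)]
        m1 = correct(bits[0], x1, z1, bases[0])
        m2 = correct(bits[1], x2, z2, bases[1])
        if (-1) ** (m1 ^ m2) == -sign:
            p_acc += prob
    return p_acc


def bell_pair_state():
    """Constructed 2-qubit 'history state': the Bell pair, which has XX = ZZ = +1."""
    v = (np.kron(KET[0], KET[0]) + np.kron(KET[1], KET[1])) / np.sqrt(2)
    return np.outer(v, v.conj())


def computational_state(b1, b2):
    """Constructed 2-qubit product state |b1 b2> as a density matrix."""
    v = np.kron(KET[b1], KET[b2])
    return np.outer(v, v.conj())


if __name__ == "__main__":
    rho = bell_pair_state()
    for bases, sign in (("XX", -1), ("ZZ", -1), ("YY", +1), ("XZ", +1)):
        for bits in itertools.product((0, 1), repeat=2):
            p = acceptance_probability(rho, bases, list(bits), sign)
            assert abs(p - (1 - energy(rho, bases, sign))) < 1e-9, (bases, bits, sign)
    print("Pr[accept] = 1 - Tr(rho H) for every key; XX, s=-1 on a Bell pair ->",
          acceptance_probability(rho, "XX", [0, 1], -1))
```

Soundness is visible in the same run: for the term $(I + XX)/2$, i.e. s = +1, the Bell pair has $\mathrm{Tr}(\rho H) = 1$ and the verifier accepts with probability 0 whatever key bits were pre-measured.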
We observe that the Pauli correction can be applied even after the verifier measures X or Z in advance, since $X_j^{x_j} Z_j^{z_j}$ before an X (resp. Z) measurement on the j-th qubit has the same effect as XOR by $z_j$ (resp. $x_j$) after the measurement. Therefore, if a trusted party generates Bell pairs and measures halves of them in either the X or Z basis with probability 1/2 … QMA language, which solves our first question affirmatively.

Classically verifiable NIZK for QMA in the SP model.

We apply a similar idea to the NIZK of [BG20] to make the verification classical. The NIZK of [BG20] is based on the fact that a QMA language can be reduced to the 5-local Hamiltonian problem with a locally simulatable history state [GSY19]. That is, an instance x corresponds to an N-qubit Hamiltonian $H_x$ of the form
$$H_x = \sum_{i=1}^{M} p_i \frac{I + s_i P_i}{2},$$
where N = poly(|x|), M = poly(|x|), $s_i \in \{+1, -1\}$, $p_i > 0$, $\sum_{i=1}^{M} p_i = 1$, and $P_i$ is a tensor product of Pauli operators (I, X, Y, Z) with at most 5 nontrivial Pauli operators (X, Y, Z). Moreover, the density matrix of the history state over any 5-qubit subsystem is classically simulatable without knowing the witness.

Based on this, they propose a NIZK for QMA in the SP model that roughly works as follows. A trusted party randomly chooses $(b^x, b^z) \xleftarrow{\$} \{0,1\}^N \times \{0,1\}^N$, and randomly picks a subset $S_V \subseteq [N]$ such that $1 \le |S_V| \le 5$. Then it gives $(b^x, b^z)$ to the prover as a proving key and gives $\{(b^x_j, b^z_j)\}_{j \in S_V}$ to the verifier as a verification key, where $b^x_j$ and $b^z_j$ denote the j-th bits of $b^x$ and $b^z$, respectively. The prover generates the history state $\rho_{\mathrm{hist}}$ and sends $\rho' = X^{b^x} Z^{b^z} \rho_{\mathrm{hist}} Z^{b^z} X^{b^x}$ to the verifier as a proof. The verifier chooses i with probability $p_i$, and lets $S_i \subseteq [N]$ be the set of indices on which $P_i$ nontrivially acts. If $S_i \neq S_V$, the verifier just accepts. Otherwise, it removes $X^{b^x} Z^{b^z}$ on the qubits corresponding to $S_i$ by using the verification key, and then measures these qubits in the bases specified by $P_i$. The rest of the verification is similar to the post-hoc protocol. Since the probability that we have $S_i = S_V$ is $\left(\sum_{j=1}^{5} \binom{N}{j}\right)^{-1} = 1/\mathrm{poly}(|x|)$, we can still achieve an inverse-polynomial gap between completeness and soundness. (See [BG20] for details.) Moreover, it satisfies the zero-knowledge property since the qubits of ρ' that do not correspond to $S_V$ are indistinguishable from a maximally mixed state from the view of the verifier by the security of the quantum one-time pad, and thus the verifier can only learn information about the density matrix of ρ' on the positions of $S_V$, which can be simulated without using the witness. In this NIZK protocol of [BG20], however, the proof is a quantum state, and therefore the verifier has to be quantum.

Our idea is to use quantum teleportation to remove the quantum communication and then perform the measurement at the beginning to make the verification key classical, similarly to the previous paragraph. A difference is that the above protocol involves Y measurements, but this can be easily dealt with by observing that $X_j^{x_j} Z_j^{z_j}$ before a Y measurement on the j-th qubit has the same effect as XOR by $x_j \oplus z_j$ after the measurement. Another difference is that the distribution of bases that appear in $P_i$ depends on the statement x, and thus we cannot sample the distribution at the setup phase, where x is not decided yet. (Note that this problem did not occur in the previous paragraph since we assumed that the weights of the XX and ZZ terms in the Hamiltonian $H_x$ were equal for any x.) To resolve this issue, we use the idea used in [ACGH20]. The trusted party just chooses random bases, and the verifier just accepts if they are inconsistent with the $P_i$ chosen by the verifier in the online phase.
Since there are only 3 possible choices of the bases and $P_i$ non-trivially acts on at most 5 qubits, the probability that the randomly chosen bases are consistent with $P_i$ is at least $3^{-5}$. (There is a subtle issue that the probability depends on the number of qubits on which $P_i$ non-trivially acts. We adjust this by an additional biased coin flip.) Therefore we can still achieve an inverse-polynomial gap between completeness and soundness. Finally, we remark that we can amplify the gap by parallel repetition, which preserves the zero-knowledge property (see Lemma 2.10). This results in a classically verifiable NIZK for QMA in the SP model.

Classically verifiable NIZK for QMA in the CRS + (V → P) model.

We want to reduce the trust in the setup, so let us first examine what happens if the verifier runs the setup as preprocessing. Unfortunately, such a construction is not zero-knowledge, since the verifier knows all bits of $(b^x, b^z)$ and thus may obtain information about qubits of $\rho_{\mathrm{hist}}$ that are outside of $S_V$, in which case we cannot rely on the local simulatability. Therefore, to ensure the zero-knowledge property, we have to make sure that the verifier only knows $\{(b^x_j, b^z_j)\}_{j \in S_V}$. Then suppose that the prover chooses $(b^x, b^z)$ whereas the other setup is still done by the verifier. Here, the problem is how to let the verifier know $\{(b^x_j, b^z_j)\}_{j \in S_V}$. A naive solution is that the verifier sends $S_V$ to the prover and then the prover returns $\{(b^x_j, b^z_j)\}_{j \in S_V}$. However, such a construction is not sound, since it is essential that the prover "commits" to a single quantum state independently of $S_V$ when reducing soundness to the local Hamiltonian problem. So what we need is a protocol between the prover and verifier where the verifier only gets $\{(b^x_j, b^z_j)\}_{j \in S_V}$ and the prover does not learn $S_V$. We observe that this is exactly the functionality of 5-out-of-N oblivious transfer [BCR87].

Though it may sound easy to solve the problem by just using a known two-round 5-out-of-N oblivious transfer, there is still some subtlety. For example, if we use an oblivious transfer that satisfies only the indistinguishability-based notion of receiver's security (e.g., [NP01, BD18]), which just says that the sender cannot know the indices chosen by the receiver, we cannot prove soundness. (The indistinguishability-based receiver's security is also often referred to as half-simulation security [CNs07].) Intuitively, this is because the indistinguishability-based receiver's security does not prevent a malicious sender from generating a malicious message such that the message derived on the receiver's side depends on the chosen indices, which does not force the prover to "commit" to a single state.

If we use a fully-simulatable [Lin08] oblivious transfer, the above problem does not arise and we can prove both soundness and zero-knowledge. However, the problem is that we are not aware of any efficient fully-simulatable 5-out-of-N oblivious transfer based on post-quantum assumptions (in the CRS model). The LWE-based construction of [PVW08] does not suffice for our purpose, since a CRS can be reused only a bounded number of times in their construction. Recently, Quach [Qua20] resolved this issue, and proposed an efficient fully-simulatable 1-out-of-2 oblivious transfer based on the LWE assumption. (Actually, his construction satisfies the stronger UC-security [Can20, PVW08].) We can extend his construction to a fully-simulatable 1-out-of-N oblivious transfer efficiently. However, we do not know how to convert this into a 5-out-of-N one efficiently without losing the full-simulatability. We note that a conversion from 1-out-of-N to 5-out-of-N oblivious transfer by a simple 5-fold parallel repetition loses the full-simulatability against malicious senders, since a malicious sender can send different, inconsistent messages in different sessions, which should be considered as an attack against the full-simulatability. One possible way to prevent such an inconsistent message attack is to let the sender prove that the messages in all sessions are consistent by using a (post-quantum) CRS-NIZK for NP [PS19]. However, such a construction is very inefficient since it uses the underlying 1-out-of-N oblivious transfer in a non-black-box manner, which we want to avoid.

We note that the parallel repetition construction preserves indistinguishability-based receiver's security and fully-simulatable sender's security for two-round protocols. Therefore, we have an efficient (black-box) construction of 5-out-of-N oblivious transfer if we relax the receiver's security to the indistinguishability-based one. As already explained, such security does not suffice for proving soundness. To resolve this issue, we add an additional mechanism to force the prover to "commit" to a single state. Specifically, instead of directly sending (x, z) by a 5-out-of-N oblivious transfer, the prover sends a commitment to (x, z) and then sends (x, z) and the corresponding randomness used in the commitment by a 5-out-of-N oblivious transfer. When the verifier receives $\{x_j, z_j\}_{j \in S_V}$ and the corresponding randomness, it checks whether they are consistent with the commitment by recomputing it, and immediately rejects if not. This additional mechanism prevents a malicious prover's inconsistent behavior, which resolves the problem in the proof of soundness.

Finally, our construction satisfies the dual-mode property if we assume appropriate dual-mode properties for the building blocks. A dual-mode oblivious transfer (in the CRS model) has two modes of generating a CRS, and it satisfies statistical (indistinguishability-based) receiver's security in one mode and statistical (full-simulation-based) sender's security in the other mode.
The construction of [Qua20] is an instantiation of a 1-out-of-2 oblivious transfer with such a dual-mode property, and this can be converted into a 5-out-of-N one as explained above. We stress again that it is important to relax the receiver's security to the indistinguishability-based one to make the conversion work. A dual-mode commitment (in the CRS model) has two modes of generating a CRS, and it is statistically binding in one mode and statistically hiding in the other mode. We can use lossy encryption [BHY09, Reg09] as an instantiation of such a dual-mode commitment. Both dual-mode 5-out-of-N oblivious transfer and lossy encryption are based on the LWE assumption (with super-polynomial modulus for the former) and are fairly efficient in the sense that they do not rely on non-black-box techniques. Putting everything together, we obtain a fairly efficient (black-box) construction of a dual-mode NIZK for QMA in the CRS + (V → P) model.

More related works on quantum NIZKs.

Kobayashi [Kob03] studied (statistically sound and zero-knowledge) NIZKs in a model where the prover and verifier share Bell pairs, and gave a complete problem in this setting. It is unlikely that the complete problem contains (even a subclass of) NP [MW18], and thus even a NIZK for all NP languages is unlikely to exist in this model. Note that if we consider the prover and verifier sharing Bell pairs in advance as in this model, the verifier's preprocessing message of our protocols (and the protocol of [CVZ20]) becomes classical. Chailloux et al. [CCKV08] showed that there exists a (statistically sound and zero-knowledge) NIZK for all languages in QSZK in the help model, where a trusted party generates a pure state depending on the statement to be proven and gives copies of the state to both prover and verifier.

Interactive zero-knowledge for QMA.

There are several works on interactive zero-knowledge proofs/arguments for QMA. The advantage of these constructions compared to non-interactive ones is that they do not require any trusted setup. Broadbent, Ji, Song, and Watrous [BJSW20] gave the first construction of a zero-knowledge proof for QMA. Broadbent and Grilo [BG20] gave an alternative, simpler construction. Bitansky and Shmueli [BS20] gave the first constant-round zero-knowledge argument for QMA with negligible soundness error. Brakerski and Yuen [BY20] gave a construction of a 3-round delayed-input zero-knowledge proof for QMA, where the prover needs to know the statement and witness only for generating its last message. By considering the first two rounds as preprocessing, we can view this construction as a NIZK in a certain kind of preprocessing model. However, their protocol has a constant soundness error, and it seems difficult to prove the zero-knowledge property for the parallel repetition version of it.

Notations.

We use λ to denote the security parameter throughout the paper. For a positive integer N, [N] means the set {1, 2, ..., N}. For a probabilistic classical or quantum algorithm A, we write $y \xleftarrow{\$} A(x)$ to mean that A runs on input x and outputs y. For a finite set S of classical strings, $x \xleftarrow{\$} S$ means that x is chosen uniformly at random from S. For a classical string x, $x_i$ denotes the i-th bit of x. For classical strings x and y, $x \| y$ denotes the concatenation of x and y. We write poly to mean an unspecified polynomial and negl to mean an unspecified negligible function. We use PPT to stand for (classical) probabilistic polynomial time and QPT to stand for quantum polynomial time. When we say that an algorithm is non-uniform QPT, it is expressed as a family of polynomial size quantum circuits with quantum advice.

Here, we briefly review basic notations and facts on quantum computation. For any quantum state ρ over registers A and B, $\mathrm{Tr}_A(\rho)$ is the partial trace of ρ over A. We use I to mean the identity operator.
(For simplicity, we use the same I for all identity operators with different dimensions, because the dimension of an identity operator is clear from the context.) We use X, Y, and Z to mean the Pauli operators, i.e.,
$$X := \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad Z := \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}, \quad Y := iXZ.$$
We use H to mean the Hadamard operator, i.e., $H := \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$. We also define the T operator by $T := \begin{pmatrix} 1 & 0 \\ 0 & e^{i\pi/4} \end{pmatrix}$. $\mathrm{CNOT} := |0\rangle\langle 0| \otimes I + |1\rangle\langle 1| \otimes X$ is the controlled-NOT operator. We define $V(Z) := I$, $V(X) := H$, and $V(Y) := \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ i & -i \end{pmatrix}$, so that for each $W \in \{X, Y, Z\}$, $V(W)|0\rangle$ and $V(W)|1\rangle$ are the eigenvectors of W with eigenvalues +1 and −1, respectively. For each $W \in \{X, Y, Z\}$, we call $\{V(W)|0\rangle, V(W)|1\rangle\}$ the W-basis.

When we consider an N-qubit system, for a Pauli operator $Q \in \{X, Y, Z\}$, $Q_j$ denotes the operator that acts on the j-th qubit as Q and trivially on all the other qubits. Similarly, $V_j(W)$ denotes the operator that acts on the j-th qubit as $V(W)$ and trivially on all the other qubits. For any $x \in \{0,1\}^N$ and $z \in \{0,1\}^N$, $X^x Z^z$ means $\prod_{j=1}^{N} X_j^{x_j} Z_j^{z_j}$.

We call the state $\frac{1}{\sqrt{2}}(|0\rangle \otimes |0\rangle + |1\rangle \otimes |1\rangle)$ the Bell pair, and we call $\{|\phi_{x,z}\rangle\}_{(x,z) \in \{0,1\}^2}$ the Bell basis, where
$$|\phi_{x,z}\rangle := (X^x Z^z \otimes I)\,\frac{|0\rangle \otimes |0\rangle + |1\rangle \otimes |1\rangle}{\sqrt{2}}.$$
Let us define $U(X) := V(X)$, $U(Y) := V(Y)X$, and $U(Z) := V(Z)$.

Lemma 2.1 (State Collapsing). If we project one qubit of a Bell pair onto $V(W)|m\rangle$ with $W \in \{X, Y, Z\}$ and $m \in \{0,1\}$, the other qubit collapses to $U(W)|m\rangle$.

Lemma 2.2 (Effect of $X^x Z^z$ before measurement). For any N-qubit state ρ, $(W_1, \ldots, W_N) \in \{X, Y, Z\}^N$, and $(x, z) \in \{0,1\}^N \times \{0,1\}^N$, the distributions of $(m'_1, \ldots, m'_N)$ sampled in the following two ways are identical.

1. For $j \in [N]$, measure the j-th qubit of ρ in the $W_j$ basis, let $m_j \in \{0,1\}$ be the outcome, and set
$$m'_j := \begin{cases} m_j \oplus x_j & (W_j = Z), \\ m_j \oplus z_j & (W_j = X), \\ m_j \oplus x_j \oplus z_j & (W_j = Y). \end{cases}$$

2. For $j \in [N]$, measure the j-th qubit of $X^x Z^z \rho Z^z X^x$ in the $W_j$ basis and let $m'_j \in \{0,1\}$ be the outcome.

The proofs of the above lemmas are straightforward.

Lemma 2.3 (Pauli Mixing). Let ρ be an arbitrary quantum state over registers A and B, and let N be the number of qubits in A. Then we have
$$\frac{1}{4^N} \sum_{x \in \{0,1\}^N,\, z \in \{0,1\}^N} (X^x Z^z \otimes I_B)\,\rho\,(Z^z X^x \otimes I_B) = \frac{1}{2^N} I_A \otimes \mathrm{Tr}_A(\rho).$$

This is well-known, and one can find a proof in, e.g., [Mah18a].

Lemma 2.4 (Quantum Teleportation). Suppose that we have N Bell pairs between registers A and B, i.e., $\frac{1}{2^{N/2}} \sum_{s \in \{0,1\}^N} |s\rangle_A \otimes |s\rangle_B$, and let ρ be an arbitrary N-qubit quantum state in register C. Suppose that we measure the j-th qubits of C and A in the Bell basis and let $(x_j, z_j)$ be the measurement outcome, for all $j \in [N]$. Let $x := x_1 \| x_2 \| \ldots \| x_N$ and $z := z_1 \| z_2 \| \ldots \| z_N$. Then $(x, z)$ is uniformly distributed over $\{0,1\}^N \times \{0,1\}^N$. Moreover, conditioned on the measurement outcome $(x, z)$, the resulting state in B is $X^x Z^z \rho Z^z X^x$.

This is also well-known, and one can find a proof in, e.g., [NC00]. The following lemma is implicit in previous works, e.g., [MNS18, FHM18].

Lemma 2.5. Let
$$H := \frac{I + s \left(\prod_{j \in S_X} X_j\right)\left(\prod_{j \in S_Y} Y_j\right)\left(\prod_{j \in S_Z} Z_j\right)}{2}$$
be an N-qubit projection operator, where $s \in \{+1, -1\}$, and $S_X$, $S_Y$, and $S_Z$ are disjoint subsets of [N]. For any N-qubit quantum state ρ, suppose that for all $j \in S_W$, where $W \in \{X, Y, Z\}$, we measure the j-th qubit of ρ in the W-basis, and let $m_j \in \{0,1\}$ be the outcome. Then we have
$$\Pr\left[(-1)^{\bigoplus_{j \in S_X \cup S_Y \cup S_Z} m_j} = -s\right] = 1 - \mathrm{Tr}(\rho H).$$

Proof of Lemma 2.5. Let us define $V := \left(\prod_{j \in S_X} V_j(X)\right)\left(\prod_{j \in S_Y} V_j(Y)\right)\left(\prod_{j \in S_Z} V_j(Z)\right)$ and $|m\rangle := \bigotimes_{j=1}^{N} |m_j\rangle$.
Then,
$$\begin{aligned}
\Pr\left[(-1)^{\bigoplus_{j\in S_X\cup S_Y\cup S_Z} m_j} = -s\right]
&= \sum_{m\in\{0,1\}^N} \langle m| V^\dagger \rho V |m\rangle\,\frac{1 - s(-1)^{\bigoplus_{j\in S_X\cup S_Y\cup S_Z} m_j}}{2} \\
&= \sum_{m\in\{0,1\}^N} \langle m| V^\dagger \rho V\,\frac{I - s\prod_{j\in S_X\cup S_Y\cup S_Z} Z_j}{2}\,|m\rangle \\
&= \mathrm{Tr}\left[V^\dagger \rho V\,\frac{I - s\prod_{j\in S_X\cup S_Y\cup S_Z} Z_j}{2}\right]
= \mathrm{Tr}\left[\rho\, V\,\frac{I - s\prod_{j\in S_X\cup S_Y\cup S_Z} Z_j}{2}\,V^\dagger\right] \\
&= \mathrm{Tr}\left[\rho\,(I - H)\right] = 1 - \mathrm{Tr}(\rho H).
\end{aligned}$$
(The second equality uses that $|m\rangle$ is an eigenvector of $\prod_j Z_j$ with eigenvalue $(-1)^{\bigoplus_j m_j}$, and the second-to-last uses $V Z_j V^\dagger = W_j$ for $j \in S_W$.) $\square$

2.2 QMA Languages and Local Hamiltonian Problem

Definition 2.6 (QMA languages). We say that a language $L \subseteq \{0,1\}^*$ is in QMA if there are a polynomial $\ell$ and a QPT algorithm $V$ such that the following is satisfied:
• For any $x \in L$, there exists an $\ell(|x|)$-qubit quantum state $w$ (called a witness) such that $\Pr[V(x, w) = 1] \geq 2/3$.
• For any $x \notin L$ and any $\ell(|x|)$-qubit quantum state $w$, we have $\Pr[V(x, w) = 1] \leq 1/3$.
For any $x \in L$, we denote by $R_L(x)$ the (possibly infinite) set of all quantum states $w$ such that $\Pr[V(x, w) = 1] \geq 2/3$.

It is known that the $\{ZZ, XX\}$-local Hamiltonian problem is QMA-complete. That is, we have the following lemma.

Lemma 2.7 (QMA-completeness of 2-local $\{ZZ, XX\}$-Hamiltonian problem [CM16]). For any QMA language $L$, there is a classical polynomial-time computable deterministic function that maps $x \in \{0,1\}^*$ to an $N$-qubit Hamiltonian $H_x$ of the form $H_x = \sum_{j}$

QMA problem can be reduced to a 5-local Hamiltonian problem with local simulatability. (See also [GSY19].) Moreover, it is easy to see that we can make the Hamiltonian $H_x$ be of the form $H_x = \sum_{i=1}^{M} p_i\,\frac{I + s_i P_i}{2}$, where $s_i \in \{+1, -1\}$, $p_i \geq 0$, $\sum_{i=1}^{M} p_i = 1$, and $P_i$ is a tensor product of Pauli operators ($I, X, Y, Z$) with at most 5 nontrivial Pauli operators ($X, Y, Z$). See Appendix A for more details. Then we have the following lemma.

Lemma 2.8 (QMA-completeness of 5-local Hamiltonian problem with local simulatability [BG20]).
For any QMA language $L$, there is a classical polynomial-time computable deterministic function that maps $x \in \{0,1\}^*$ to an $N$-qubit Hamiltonian $H_x$ of the form
$$H_x = \sum_{i=1}^{M} p_i\,\frac{I + s_i P_i}{2},$$
where $N = \mathrm{poly}(|x|)$, $M = \mathrm{poly}(|x|)$, $s_i \in \{+1, -1\}$, $p_i > 0$, $\sum_{i=1}^{M} p_i = 1$, and $P_i$ is a tensor product of Pauli operators ($I, X, Y, Z$) with at most 5 nontrivial Pauli operators ($X, Y, Z$), and satisfies the following: There are $0 < \alpha < \beta < 1$ such that $\beta - \alpha = 1/\mathrm{poly}(|x|)$ and
• if $x \in L$, then there exists an $N$-qubit state $\rho$ such that $\mathrm{Tr}(\rho H_x) \leq \alpha$, and
• if $x \notin L$, then for any $N$-qubit state $\rho$, we have $\mathrm{Tr}(\rho H_x) \geq \beta$.
Moreover, for any $x \in L$, we can convert any witness $w \in R_L(x)$ into a state $\rho_{\mathrm{hist}}$, called the history state, such that $\mathrm{Tr}(\rho_{\mathrm{hist}} H_x) \leq \alpha$ in quantum polynomial time. Moreover, there exists a classical deterministic polynomial-time algorithm $\mathrm{Sim}_{\mathrm{hist}}$ such that for any $x \in L$ and any subset $S \subseteq [N]$ with $|S| \leq 5$, $\mathrm{Sim}_{\mathrm{hist}}(x, S)$ outputs a classical description of an $|S|$-qubit density matrix $\rho_S$ such that $\|\rho_S - \mathrm{Tr}_{[N]\setminus S}\,\rho_{\mathrm{hist}}\|_{\mathrm{tr}} = \mathrm{negl}(\lambda)$, where $\mathrm{Tr}_{[N]\setminus S}\,\rho_{\mathrm{hist}}$ is the state of $\rho_{\mathrm{hist}}$ in the registers corresponding to $S$ after tracing out all other registers.

Remark 1. It might be possible to prove QMA-completeness of the 2-local $\{ZZ, XX\}$-Hamiltonian problem with local simulatability by combining the techniques of [BG20, GSY19] and [CM16]. However, this is not clear, and indeed, this is mentioned as an open problem in [BG20]. Therefore we consider the 5-local Hamiltonian problem whenever we need local simulatability.

Definition 2.9 (Classically-verifiable non-interactive (zero-knowledge) proof).
A classically-verifiable non-interactive proof (CV-NIP) for a QMA language $L$ in the secret parameter (SP) model consists of algorithms $\Pi = (\mathrm{Setup}, \mathrm{Prove}, \mathrm{Verify})$ with the following syntax:

$\mathrm{Setup}(1^\lambda)$: This is a QPT algorithm that takes the security parameter $\lambda$ as input and outputs a quantum proving key $k_P$ and a classical verification key $k_V$.

$\mathrm{Prove}(k_P, x, w^{\otimes k})$: This is a QPT algorithm that takes the proving key $k_P$, a statement $x$, and $k = \mathrm{poly}(\lambda)$ copies $w^{\otimes k}$ of a witness $w \in R_L(x)$ as input and outputs a classical proof $\pi$.

$\mathrm{Verify}(k_V, x, \pi)$: This is a PPT algorithm that takes the verification key $k_V$, a statement $x$, and a proof $\pi$ as input and outputs $\top$ indicating acceptance or $\bot$ indicating rejection.

We require $\Pi$ to satisfy the following properties for some $0 < s < c < 1$ such that $c - s > 1/\mathrm{poly}(\lambda)$. In particular, when we do not specify $c$ and $s$, they are set as $c = 1 - \mathrm{negl}(\lambda)$ and $s = \mathrm{negl}(\lambda)$.

$c$-Completeness. For all $x \in L \cap \{0,1\}^\lambda$ and $w \in R_L(x)$, we have
$$\Pr\left[\mathrm{Verify}(k_V, x, \pi) = \top : (k_P, k_V) \xleftarrow{\$} \mathrm{Setup}(1^\lambda),\ \pi \xleftarrow{\$} \mathrm{Prove}(k_P, x, w^{\otimes k})\right] \geq c.$$

(Adaptive Statistical) $s$-Soundness. For all unbounded-time adversaries $\mathcal{A}$, we have
$$\Pr\left[x \notin L \wedge \mathrm{Verify}(k_V, x, \pi) = \top : (k_P, k_V) \xleftarrow{\$} \mathrm{Setup}(1^\lambda),\ (x, \pi) \xleftarrow{\$} \mathcal{A}(k_P)\right] \leq s.$$

We say that $\Pi$ is a classically-verifiable non-interactive zero-knowledge proof (CV-NIZK) if it additionally satisfies the following property.

(Adaptive Statistical Single-Theorem) Zero-Knowledge.
There exists a PPT simulator $\mathrm{Sim}$ such that for any unbounded-time distinguisher $\mathcal{D}$, we have
$$\left|\Pr\left[\mathcal{D}^{O_P(k_P,\cdot,\cdot)}(k_V) = 1\right] - \Pr\left[\mathcal{D}^{O_S(k_V,\cdot,\cdot)}(k_V) = 1\right]\right| = \mathrm{negl}(\lambda),$$
where $(k_P, k_V) \xleftarrow{\$} \mathrm{Setup}(1^\lambda)$, $\mathcal{D}$ can make at most one query, which should be of the form $(x, w^{\otimes k})$ where $w \in R_L(x)$ and $w^{\otimes k}$ is unentangled with $\mathcal{D}$'s internal registers, $O_P(k_P, x, w^{\otimes k})$ returns $\mathrm{Prove}(k_P, x, w^{\otimes k})$, and $O_S(k_V, x, w^{\otimes k})$ returns $\mathrm{Sim}(k_V, x)$.

Remark 2. In a CV-NIP, $\mathrm{Setup}$ can be thought of as an offline quantum preprocessing that is done by the verifier before the instance is determined. This is because there is no security requirement against a malicious verifier, and thus security is not harmed even if $\mathrm{Setup}$ is run by the verifier. On the other hand, in a CV-NIZK, $\mathrm{Setup}$ should be run by a trusted third party, since a malicious verifier can break the zero-knowledge property if it can run $\mathrm{Setup}$.

It is easy to see that we can amplify the gap between the completeness and soundness thresholds by simple parallel repetition. Moreover, we can see that this does not lose the zero-knowledge property. Therefore, we have the following lemma.

Lemma 2.10 (Gap Amplification for CV-NIP and CV-NIZK). If there exists a CV-NIP (resp. CV-NIZK) for $L$ in the SP model that satisfies $c$-completeness and $s$-soundness for some $0 < s < c < 1$ such that $c - s > 1/\mathrm{poly}(\lambda)$, then there exists a CV-NIP (resp. CV-NIZK) for $L$ in the SP model with $(1 - \mathrm{negl}(\lambda))$-completeness and $\mathrm{negl}(\lambda)$-soundness.

Proof. We prove the lemma for the case of CV-NIZK, from which the case of CV-NIP immediately follows. Let $\Pi = (\mathrm{Setup}, \mathrm{Prove}, \mathrm{Verify})$ be a CV-NIZK for $L$ in the SP model that satisfies $c$-completeness, $s$-soundness, and the zero-knowledge property for some $0 < s < c < 1$ with $c - s > 1/\mathrm{poly}(\lambda)$. Let $k$ be the number of copies of a witness that $\mathrm{Prove}$ takes as input.
For any polynomial $N = \mathrm{poly}(\lambda)$, let $\Pi_N = (\mathrm{Setup}_N, \mathrm{Prove}_N, \mathrm{Verify}_N)$ be the $N$-parallel version of $\Pi$. That is, $\mathrm{Setup}_N$ and $\mathrm{Prove}_N$ run $\mathrm{Setup}$ and $\mathrm{Prove}$ $N$ times in parallel and output the tuples consisting of the outputs of each execution, respectively, where $\mathrm{Prove}_N$ takes $Nk$ copies of the witness as input. $\mathrm{Verify}_N$ takes an $N$-tuple of verification keys and proofs, runs $\mathrm{Verify}$ to verify each of them separately, and outputs $\top$ if the number of executions of $\mathrm{Verify}$ that output $\top$ is larger than $\frac{N(c+s)}{2}$. By Hoeffding's inequality, the fraction of accepting executions deviates by more than $(c-s)/2$ from its expectation (which is at least $c$ for an honest proof of $x \in L$ and at most $s$ for $x \notin L$) with probability at most $2\exp(-N(c-s)^2/2)$, so it is easy to see that we can take $N = \omega(\log\lambda)/(c-s)^2$ so that $\Pi_N$ satisfies $(1 - \mathrm{negl}(\lambda))$-completeness and $\mathrm{negl}(\lambda)$-soundness.

What is left is to prove that $\Pi_N$ satisfies the zero-knowledge property. This can be reduced to the zero-knowledge property of $\Pi$ by a standard hybrid argument. More precisely, for each $i \in \{0, 1, \ldots, N\}$, let $O_i$ be the oracle that works as follows, where $k'_P$ and $k'_V$ denote the proving and verification keys of $\Pi_N$, respectively.

$O_i(k'_P = (k_P^1, \ldots, k_P^N),\ k'_V = (k_V^1, \ldots, k_V^N),\ x,\ w^{\otimes Nk})$: It works as follows:
• For $1 \leq j \leq i$, it computes $\pi_j \xleftarrow{\$} \mathrm{Sim}(k_V^j, x)$.
• For $i < j \leq N$, it computes $\pi_j \xleftarrow{\$} \mathrm{Prove}(k_P^j, x, w^{\otimes k})$, where it uses the $(k(j-1)+1)$-th to $kj$-th copies of $w$.
• Output $\pi := (\pi_1, \ldots, \pi_N)$.

Clearly, we have $O_0(k'_P, k'_V, \cdot, \cdot) = O_P(k'_P, \cdot, \cdot)$ and $O_N(k'_P, k'_V, \cdot, \cdot) = O_S(k'_V, \cdot, \cdot)$, where $O_P(k'_P, \cdot, \cdot)$ and $O_S(k'_V, \cdot, \cdot)$ mean the corresponding oracles for $\Pi_N$. Therefore, it suffices to prove that no distinguisher can distinguish $O_i(k'_P, k'_V, \cdot, \cdot)$ and $O_{i+1}(k'_P, k'_V, \cdot, \cdot)$ for any $i \in \{0, 1, \ldots, N-1\}$. For the sake of contradiction, suppose that there exists a distinguisher $\mathcal{D}'$ that distinguishes $O_i(k'_P, k'_V, \cdot, \cdot)$ and $O_{i+1}(k'_P, k'_V, \cdot, \cdot)$ with a non-negligible advantage by making one query of the form $(x, w^{\otimes Nk})$. Then we construct a distinguisher $\mathcal{D}$ that breaks the zero-knowledge property of $\Pi$ as follows:

$\mathcal{D}^{O}(k_V)$: $\mathcal{D}$ takes $k_V$ as input and is given a single oracle access to $O$, which is either $O_P(k_P, \cdot, \cdot)$ or $O_S(k_V, \cdot, \cdot)$, where $k_P$ is the proving key corresponding to $k_V$. (Remark that $\mathcal{D}$ is not given $k_P$.) It sets $k_V^{i+1} := k_V$ (which implicitly defines $k_P^{i+1} := k_P$) and generates $(k_P^j, k_V^j) \xleftarrow{\$} \mathrm{Setup}(1^\lambda)$ for all $j \in [N] \setminus \{i+1\}$. It sets $k'_V := (k_V^1, \ldots, k_V^N)$ and runs $\mathcal{D}'^{O'}(k'_V)$, where when $\mathcal{D}'$ makes a query $(x, w^{\otimes Nk})$ to $O'$, $\mathcal{D}$ simulates the oracle $O'$ for $\mathcal{D}'$ as follows:
– For $1 \leq j \leq i$, $\mathcal{D}$ computes $\pi_j \xleftarrow{\$} \mathrm{Sim}(k_V^j, x)$.
– For $j = i+1$, $\mathcal{D}$ queries $(x, w^{\otimes k})$ to the external oracle $O$, where it uses the $(ki+1)$-th to $k(i+1)$-th copies of $w$ as part of its query, and lets $\pi_{i+1}$ be the oracle's response.
– For $i+1 < j \leq N$, it computes $\pi_j \xleftarrow{\$} \mathrm{Prove}(k_P^j, x, w^{\otimes k})$, where it uses the $(k(j-1)+1)$-th to $kj$-th copies of $w$. We note that this can be simulated by $\mathcal{D}$ since it knows $k_P^j$ for all $j \neq i+1$.
– $\mathcal{D}$ returns $\pi' := (\pi_1, \ldots, \pi_N)$ to $\mathcal{D}'$ as the response from the oracle $O'$.
Finally, when $\mathcal{D}'$ outputs $b$, $\mathcal{D}$ also outputs $b$.

We can see that the oracle $O'$ simulated by $\mathcal{D}$ works in the same way as $O_i(k'_P, k'_V, \cdot, \cdot)$ when $O$ is $O_P(k_P, \cdot, \cdot)$, and in the same way as $O_{i+1}(k'_P, k'_V, \cdot, \cdot)$ when $O$ is $O_S(k_V, \cdot, \cdot)$, where $k'_P = (k_P^1, \ldots, k_P^N)$.

(Footnote 5, on the requirement that $w^{\otimes k}$ be unentangled with the distinguisher's internal registers: Though our protocols are likely to remain secure even if they can be entangled, we assume that they are unentangled for simplicity. To the best of our knowledge, none of the existing works on interactive or non-interactive zero-knowledge for QMA [BJSW20, CVZ20, BS20, BG20, Shm20, BCKM20] considered entanglement between a witness and the distinguisher's internal registers.)
Therefore, by the assumption that $\mathcal{D}'$ distinguishes $O_i(k'_P, k'_V, \cdot, \cdot)$ and $O_{i+1}(k'_P, k'_V, \cdot, \cdot)$ with a non-negligible advantage, $\mathcal{D}$ distinguishes $O_P(k_P, \cdot, \cdot)$ and $O_S(k_V, \cdot, \cdot)$ with a non-negligible advantage. (Here $O_P(k_P, \cdot, \cdot)$ and $O_S(k_V, \cdot, \cdot)$ mean the corresponding oracles for $\Pi$, by abuse of notation.) However, this contradicts the zero-knowledge property of $\Pi$. Therefore, such $\mathcal{D}'$ does not exist, which completes the proof of Lemma 2.10. $\square$

3 CV-NIP in the SP Model

In this section, we give a construction of an information-theoretically sound CV-NIP for a QMA language $L$ in the SP model. Specifically, we prove the following theorem.

Theorem 3.1. There exists a CV-NIP for all QMA languages in the SP model (without any computational assumption).

We note that this theorem is subsumed by Theorem 4.1 proven in Section 4. Nonetheless, we give a proof of the theorem because the CV-NIP given here is simpler than the CV-NIZK given in Section 4, and thus we believe that this will enable readers to understand our main idea more easily.

Our construction of a CV-NIP for a QMA language $L$ is given in Figure 1, where $H_x$, $N$, $p_{j,j'}$, $s_{j,j'}$, $\alpha$, $\beta$, and $\rho_{\mathrm{hist}}$ are as in Lemma 2.7 for the language $L$. We remark that the proving algorithm uses only one witness, and thus we have $k = 1$ in Definition 2.9 for this protocol. Multiple copies of the witness are needed only when we do the gap amplification (Lemma 2.10). A similar remark applies to all protocols proposed in this paper.

We prove the following lemma.

Figure 1: Our CV-NIP $\Pi_{\mathrm{NIP}}$

$\mathrm{Setup}(1^\lambda)$: The setup algorithm chooses $(h, m_1, \ldots, m_N) \xleftarrow{\$} \{0,1\}^{N+1}$, and outputs a proving key $k_P := \bigotimes_{j=1}^{N}(H^h|m_j\rangle)$ and a verification key $k_V := (h, m_1, \ldots, m_N)$.

$\mathrm{Prove}(k_P, x, w)$: The proving algorithm generates the history state $\rho_{\mathrm{hist}}$ for $H_x$ from $w$ and measures the $j$-th qubits of $\rho_{\mathrm{hist}}$ and $k_P$ in the Bell basis for $j \in [N]$. Let $x := x_1\|x_2\|\ldots\|x_N$ and $z := z_1\|z_2\|\ldots\|z_N$, where $(x_j, z_j) \in \{0,1\}^2$ denotes the outcome of the $j$-th measurement. It outputs a proof $\pi := (x, z)$.

$\mathrm{Verify}(k_V, x, \pi)$: The verification algorithm parses $(h, m_1, \ldots, m_N) \leftarrow k_V$ and $(x, z) \leftarrow \pi$, chooses $(j, j') \in [N]^2$ according to the probability distribution defined by $\{p_{j,j'}\}_{j,j'}$

Figure 2: The virtual protocol 1 for $\Pi_{\mathrm{NIP}}$

$\mathrm{Setup}_{\mathrm{vir}\text{-}1}(1^\lambda)$: The setup algorithm generates $N$ Bell pairs between registers $P$ and $V$ and lets $k_P$ and $k_V$ be the quantum states in registers $P$ and $V$, respectively. Then it outputs $(k_P, k_V)$.

$\mathrm{Prove}_{\mathrm{vir}\text{-}1}(k_P, x, w)$: This is the same as $\mathrm{Prove}(k_P, x, w)$ in Figure 1.

$\mathrm{Verify}_{\mathrm{vir}\text{-}1}(k_V, x, \pi)$: The verification algorithm chooses $h \xleftarrow{\$} \{0,1\}$, measures each qubit of $k_V$ in the basis $\{H^h|0\rangle, H^h|1\rangle\}$, and lets $(m_1, \ldots, m_N) \in \{0,1\}^N$ be the measurement outcomes. The rest of this algorithm is the same as $\mathrm{Verify}(k_V, x, \pi)$ given in Figure 1.

Lemma 3.2 (Completeness and Soundness). $\Pi_{\mathrm{NIP}}$ satisfies $(1-\alpha)$-completeness and $(1-\beta)$-soundness.

Since $(1-\alpha) - (1-\beta) = \beta - \alpha \geq 1/\mathrm{poly}(\lambda)$, by combining Lemma 2.10 and Lemma 3.2, Theorem 3.1 follows. In the following, we give a proof of Lemma 3.2.

Proof of Lemma 3.2. We prove this lemma by considering virtual protocols that do not change completeness and soundness. An alternative direct proof can be found in Appendix B.1. First, we consider the virtual protocol 1 described in Figure 2.
The difference from the original protocol is that the setup algorithm generates $N$ Bell pairs and gives one half of each to the prover and the other to the verifier, and the verifier obtains $(m_1, \ldots, m_N)$ by measuring his halves in either the standard or the Hadamard basis. Because the verifier's measurement and the prover's measurement commute with each other, in the virtual protocol 1 the verifier's acceptance probability does not change even if the verifier chooses $h$ and measures $k_V$ (i.e., the $V$ register of the $N$ Bell pairs) in the corresponding basis to obtain the outcomes $(m_1, \ldots, m_N)$ before $k_P$ (i.e., the $P$ register of the $N$ Bell pairs) is given to the prover. Moreover, conditioned on the above measurement outcomes, the state in $P$ collapses to $\bigotimes_{j=1}^{N}(H^h|m_j\rangle)$ (see Lemma 2.1). Therefore, the virtual protocol 1 is exactly the same as the original protocol from the prover's view, and the verifier's acceptance probability of the virtual protocol 1 is the same as that of the original protocol $\Pi_{\mathrm{NIP}}$ for any possibly malicious prover.

Figure 3: The virtual protocol 2 for $\Pi_{\mathrm{NIP}}$

$\mathrm{Setup}_{\mathrm{vir}\text{-}2}(1^\lambda)$: This is the same as $\mathrm{Setup}_{\mathrm{vir}\text{-}1}(1^\lambda)$ in Figure 2.

$\mathrm{Prove}_{\mathrm{vir}\text{-}2}(k_P, x, w)$: This is the same as $\mathrm{Prove}(k_P, x, w)$ in Figure 1.

$\mathrm{Verify}_{\mathrm{vir}\text{-}2}(k_V, x, \pi)$: The verification algorithm parses $(x, z) \leftarrow \pi$, computes $k'_V := X^x Z^z k_V Z^z X^x$, chooses $h \xleftarrow{\$} \{0,1\}$, measures each qubit of $k'_V$ in the basis $\{H^h|0\rangle, H^h|1\rangle\}$, and lets $(m'_1, \ldots, m'_N)$ be the measurement outcomes. It chooses $(j, j') \in [N]^2$ according to the probability distribution defined by $\{p_{j,j'}\}_{j,j'}$

Next, we further modify the protocol to define the virtual protocol 2 described in Figure 3. The difference from the virtual protocol 1 is that instead of setting $m'_j := m_j \oplus (h z_j + (1-h) x_j)$, the verification algorithm applies the Pauli operator $X^x Z^z$ corresponding to $(x, z)$ on $k_V$ and then measures it to obtain $m'_j$. Since applying $X$ (resp. $Z$) before the measurement has the effect of flipping the outcome of a $Z$-basis (resp. $X$-basis) measurement, this does not change the distribution of $(m'_1, \ldots, m'_N)$ (see Lemma 2.2).
Therefore, verifier’s acceptance probability of the virtual protocol2 is the same as that of the virtual protocol 1 for any possibly malicious prover.Therefore, it suffices to prove (1 − α )-completeness and (1 − β )-soundness for the virtual pro-tocol 2. When x ∈ L and π is honestly generated, then k ′ V is the history state ρ hist , whichsatisfies Tr( ρ hist H x ) ≤ α , by the correctness of quantum teleportation (Lemma 2.4). Therefore, byLemma 2.5 and Lemma 2.7, verifier’s acceptance probability is 1 − Tr( ρ hist H x ) ≥ − α .Let A be an adaptive adversary against soundness of virtual protocol 2. That is, A is given k P and outputs ( x , π ). We say that A wins if x / ∈ L and Verify ( k V , x , π ) = ⊤ . For any x , let E x be theevent that the statement output by A is x , and k ′ V, x be the state in V right before the measurementby Verify conditioned on E x . Similarly to the analysis for the completeness, by Lemma 2.5 andLemma 2.7, we havePr[ A wins] = X x / ∈ L Pr[ E x ] (cid:0) − Tr( k ′ V, x H x ) (cid:1) ≤ X x / ∈ L Pr[ E x ] (1 − β ) ≤ − β. Impossibility of classical setup. In our protocol, the setup algorithm sends a quantum provingkey to the prover. Can it be classical? It is easy to see that such a protocol can exist only forlanguages in AM . In fact, assume that we have a CV-NIP for L in the SP model. Then, we canconstruct a 2-round interactive proof for L where the verifier runs the setup by itself and sendsthe proving key to the prover, and then the prover replies as in the original protocol. (Recallthat soundness is not harmed even if the verifier runs the setup as noted in Remark 2.) Since IP (2) = AM , the above implies L ∈ AM . Since it is believed that BQP is not contained in AM [RT19], it is highly unlikely that there is a CV-NIZK even for BQP in the SP model withclassical setup. A similar observation is also made in [Ps05]. CV-NIZK in the SP Model In this section, we extend the CV-NIP in Section 3 to construct a CV-NIZK. 
Specifically, we prove the following theorem.

Theorem 4.1. There exists a CV-NIZK for all QMA languages in the SP model (without any computational assumption).

Our construction of a CV-NIZK for a QMA language $L$ is given in Figure 4, where $H_x$, $N$, $M$, $p_i$, $s_i$, $P_i$, $\alpha$, $\beta$, and $\rho_{\mathrm{hist}}$ are as in Lemma 2.8 for the language $L$, and $V_j(W_j)$ is as defined in Section 2.1.

We note that there is a slightly simpler construction of a CV-NIZK, shown in Figure 8 in Appendix C. However, we consider the construction given in Figure 4 as our main construction, since it is more convenient to extend to the computationally secure construction given in Section 5.

We prove the following lemmas.

Lemma 4.2 (Completeness and Soundness). $\Pi_{\mathrm{NIZK}}$ satisfies $\left(1 - \frac{\alpha}{N'}\right)$-completeness and $\left(1 - \frac{\beta}{N'}\right)$-soundness, where $N' := 3^5\sum_{i=1}^{5}\binom{N}{i}$.

Lemma 4.3 (Zero-Knowledge). $\Pi_{\mathrm{NIZK}}$ satisfies the zero-knowledge property.

Since $\left(1 - \frac{\alpha}{N'}\right) - \left(1 - \frac{\beta}{N'}\right) = \frac{\beta - \alpha}{N'} \geq 1/\mathrm{poly}(\lambda)$, by combining Lemmas 2.10, 4.2 and 4.3, Theorem 4.1 follows. In the following, we give proofs of Lemmas 4.2 and 4.3.

Proof of Lemma 4.2. The proof of this lemma is similar to that of Lemma 3.2. We prove this lemma by considering virtual protocols that do not change completeness and soundness. For more details, see Appendix B.2. First, we consider the virtual protocol 1 described in Figure 5. There are two differences from the original protocol. The first is that $k_V$ includes the whole $(\hat{x}, \hat{z})$ instead of $\{\hat{x}_j, \hat{z}_j\}_{j \in S_V}$. This difference does not change the (possibly malicious) prover's view, since $k_V$ is not given to the prover. The second is that the setup algorithm generates $N$ Bell pairs and gives one half of each to the prover and the other to the verifier, and the verifier obtains $(m_1, \ldots, m_N)$ by measuring his halves in the $W_j$-basis with $W_j \in \{X, Y, Z\}$.
Because verifier’s measurement and prover’s measurementcommute with each other, in the virtual protocol 1, verifier’s acceptance probability does notchange even if the verifier chooses ( W , ..., W N ) and measures ρ V in the corresponding basis toobtain outcomes ( m , ..., m N ) before ρ P is given to the prover. Moreover, conditioned on theabove measurement outcomes, the state in P collapses to N Nj =1 ( U ( W j ) | m j i ) (See Lemma 2.1).Therefore, the virtual protocol 1 is exactly the same as the original protocol from the prover’sview, and verifier’s acceptance probability of the virtual protocol 1 is the same as that of theoriginal protocol Π NIZK for any possibly malicious prover.Next, we further modify the protocol to define the virtual protocol 2 described in Figure 6. Thedifference from the virtual protocol 1 is that instead of setting m ′ j , the verification algorithm appliesa corresponding Pauli X x ⊕ b x Z z ⊕ b z on ρ V , and then measures it to obtain m ′ j . By Lemma 2.2, thisdoes not change the distribution of ( m ′ , ..., m ′ N ). Therefore, verifier’s acceptance probability of thevirtual protocol 2 is the same as that of the virtual protocol 1 for any possibly malicious prover.Therefore, it suffices to prove (1 − αN ′ )-completeness and (1 − βN ′ )-soundness for the virtualprotocol 2. When x ∈ L and π is honestly generated, then ρ ′ V is the history state ρ hist , whichsatisfies Tr( ρ hist H x ) ≤ α , by the correctness of quantum teleportation (Lemma 2.4). For any fixed P i , the probability that P i is consistent to ( S V , { W j } j ∈ S V ) and the coin tails is N ′ . 
Therefore, by Lemma 2.5 and Lemma 2.8, the verifier's acceptance probability is $1 - \frac{1}{N'}\mathrm{Tr}(\rho_{\mathrm{hist}} H_x) \geq 1 - \frac{\alpha}{N'}$.

Figure 4: Our CV-NIZK $\Pi_{\mathrm{NIZK}}$

$\mathrm{Setup}(1^\lambda)$: The setup algorithm chooses $(W_1, \ldots, W_N) \xleftarrow{\$} \{X, Y, Z\}^N$, $(m_1, \ldots, m_N) \xleftarrow{\$} \{0,1\}^N$, $(\hat{x}, \hat{z}) \xleftarrow{\$} \{0,1\}^N \times \{0,1\}^N$, and a uniformly random subset $S_V \subseteq [N]$ such that $1 \leq |S_V| \leq 5$, and outputs a proving key $k_P := \left(\rho_P := \bigotimes_{j=1}^{N}(U(W_j)|m_j\rangle),\ \hat{x},\ \hat{z}\right)$ and a verification key $k_V := (W_1, \ldots, W_N, m_1, \ldots, m_N, S_V, \{\hat{x}_j, \hat{z}_j\}_{j \in S_V})$.

$\mathrm{Prove}(k_P, x, w)$: The proving algorithm parses $(\rho_P, \hat{x}, \hat{z}) \leftarrow k_P$, generates the history state $\rho_{\mathrm{hist}}$ for $H_x$ from $w$, and computes $\rho'_{\mathrm{hist}} := X^{\hat{x}} Z^{\hat{z}} \rho_{\mathrm{hist}} Z^{\hat{z}} X^{\hat{x}}$. It measures the $j$-th qubits of $\rho'_{\mathrm{hist}}$ and $\rho_P$ in the Bell basis for $j \in [N]$. Let $x := x_1\|x_2\|\ldots\|x_N$ and $z := z_1\|z_2\|\ldots\|z_N$, where $(x_j, z_j) \in \{0,1\}^2$ denotes the outcome of the $j$-th measurement. It outputs a proof $\pi := (x, z)$.

$\mathrm{Verify}(k_V, x, \pi)$: The verification algorithm parses $(W_1, \ldots, W_N, m_1, \ldots, m_N, S_V, \{\hat{x}_j, \hat{z}_j\}_{j \in S_V}) \leftarrow k_V$ and $(x, z) \leftarrow \pi$, and chooses $i \in [M]$ according to the probability distribution defined by $\{p_i\}_{i \in [M]}$ (i.e., chooses $i$ with probability $p_i$). Let $S_i := \{j \in [N] \mid \text{the } j\text{-th Pauli operator of } P_i \text{ is not } I\}$. We note that we have $1 \leq |S_i| \leq 5$ by the form of $H_x$ in Lemma 2.8. We say that $P_i$ is consistent with $(S_V, \{W_j\}_{j \in S_V})$ if and only if $S_i = S_V$ and the $j$-th Pauli operator of $P_i$ is $W_j$ for all $j \in S_i$. If $P_i$ is not consistent with $(S_V, \{W_j\}_{j \in S_V})$, it outputs $\top$. If $P_i$ is consistent with $(S_V, \{W_j\}_{j \in S_V})$, it flips a biased coin that comes up heads with probability $1 - 3^{|S_i| - 5}$. If heads, it outputs $\top$. If tails, it defines
$$m'_j := \begin{cases} m_j \oplus x_j \oplus \hat{x}_j & (W_j = Z), \\ m_j \oplus z_j \oplus \hat{z}_j & (W_j = X), \\ m_j \oplus x_j \oplus \hat{x}_j \oplus z_j \oplus \hat{z}_j & (W_j = Y) \end{cases}$$
for $j \in S_i$, and outputs $\top$ if $(-1)^{\bigoplus_{j \in S_i} m'_j} = -s_i$ and $\bot$ otherwise.

Figure 5: The virtual protocol 1 for $\Pi_{\mathrm{NIZK}}$

$\mathrm{Setup}_{\mathrm{vir}\text{-}1}(1^\lambda)$: The setup algorithm generates $N$ Bell pairs between registers $P$ and $V$ and lets $\rho_P$ and $\rho_V$ be the quantum states in registers $P$ and $V$, respectively. It chooses $(\hat{x}, \hat{z}) \xleftarrow{\$} \{0,1\}^N \times \{0,1\}^N$. It chooses a uniformly random subset $S_V \subseteq [N]$ such that $1 \leq |S_V| \leq 5$, and outputs a proving key $k_P := (\rho_P, \hat{x}, \hat{z})$ and a verification key $k_V := (\rho_V, S_V, \hat{x}, \hat{z})$.

$\mathrm{Prove}_{\mathrm{vir}\text{-}1}(k_P, x, w)$: This is the same as $\mathrm{Prove}(k_P, x, w)$ in Figure 4.

$\mathrm{Verify}_{\mathrm{vir}\text{-}1}(k_V, x, \pi)$: The verification algorithm chooses $(W_1, \ldots, W_N) \xleftarrow{\$} \{X, Y, Z\}^N$, measures the $j$-th qubit of $\rho_V$ in the $W_j$-basis for all $j \in [N]$, and lets $(m_1, \ldots, m_N)$ be the measurement outcomes. The rest of this algorithm is the same as $\mathrm{Verify}(k_V, x, \pi)$ given in Figure 4.

Figure 6: The virtual protocol 2 for $\Pi_{\mathrm{NIZK}}$

$\mathrm{Setup}_{\mathrm{vir}\text{-}2}(1^\lambda)$: This is the same as $\mathrm{Setup}_{\mathrm{vir}\text{-}1}(1^\lambda)$ in Figure 5.

$\mathrm{Prove}_{\mathrm{vir}\text{-}2}(k_P, x, w)$: This is the same as $\mathrm{Prove}(k_P, x, w)$ in Figure 4.

$\mathrm{Verify}_{\mathrm{vir}\text{-}2}(k_V, x, \pi)$: The verification algorithm parses $(\rho_V, S_V, \hat{x}, \hat{z}) \leftarrow k_V$ and $(x, z) \leftarrow \pi$, computes $\rho'_V := X^{x \oplus \hat{x}} Z^{z \oplus \hat{z}} \rho_V Z^{z \oplus \hat{z}} X^{x \oplus \hat{x}}$, chooses $(W_1, \ldots, W_N) \xleftarrow{\$} \{X, Y, Z\}^N$, measures the $j$-th qubit of $\rho'_V$ in the $W_j$-basis for all $j \in [N]$, and lets $(m'_1, \ldots, m'_N)$ be the measurement outcomes. It chooses $i \in [M]$ and defines $S_i \subseteq [N]$ in the same way as $\mathrm{Verify}(k_V, x, \pi)$ in Figure 4. If $P_i$ is not consistent with $(S_V, \{W_j\}_{j \in S_V})$, it outputs $\top$. If $P_i$ is consistent with $(S_V, \{W_j\}_{j \in S_V})$, it flips a biased coin that comes up heads with probability $1 - 3^{|S_i| - 5}$. If heads, it outputs $\top$.
If tails, it outputs $\top$ if $(-1)^{\bigoplus_{j \in S_i} m'_j} = -s_i$ and $\bot$ otherwise.

Let $\mathcal{A}$ be an adaptive adversary against the soundness of the virtual protocol 2. That is, $\mathcal{A}$ is given $k_P$ and outputs $(x, \pi)$. We say that $\mathcal{A}$ wins if $x \notin L$ and $\mathrm{Verify}(k_V, x, \pi) = \top$. For any $x$, let $E_x$ be the event that the statement output by $\mathcal{A}$ is $x$, and let $\rho'_{V,x}$ be the state in $V$ right before the measurement by $\mathrm{Verify}$ conditioned on $E_x$. Similarly to the analysis for completeness, by Lemma 2.5 and Lemma 2.8, we have
$$\Pr[\mathcal{A}\ \text{wins}] = \sum_{x \notin L}\Pr[E_x]\left(1 - \frac{1}{N'}\mathrm{Tr}(\rho'_{V,x} H_x)\right) \leq \sum_{x \notin L}\Pr[E_x]\left(1 - \frac{\beta}{N'}\right) \leq 1 - \frac{\beta}{N'}. \qquad \square$$

Proof of Lemma 4.3. We describe the simulator $\mathrm{Sim}$ below.

$\mathrm{Sim}(k_V, x)$: The simulator parses $(W_1, \ldots, W_N, m_1, \ldots, m_N, S_V, \{\hat{x}_j, \hat{z}_j\}_{j \in S_V}) \leftarrow k_V$ and does the following.
1. Generate the classical description of the density matrix $\rho_{S_V} := \mathrm{Sim}_{\mathrm{hist}}(x, S_V)$, where $\mathrm{Sim}_{\mathrm{hist}}$ is as in Lemma 2.8.
2. Sample $\{x_j, z_j\}_{j \in S_V}$ according to the probability distribution of the outcomes of the Bell-basis measurements of the corresponding pairs of qubits of $\left(\prod_{j \in S_V} X_j^{\hat{x}_j} Z_j^{\hat{z}_j}\right)\rho_{S_V}\left(\prod_{j \in S_V} Z_j^{\hat{z}_j} X_j^{\hat{x}_j}\right)$ and $\bigotimes_{j \in S_V}(U(W_j)|m_j\rangle)$. We emphasize that this measurement can be simulated in classical probabilistic polynomial time since $|S_V| \leq 5$.
3. Sample $(x_j, z_j) \xleftarrow{\$} \{0,1\}^2$ for all $j \in [N] \setminus S_V$.
4. Output $\pi := (x, z)$, where $x := x_1\|x_2\|\ldots\|x_N$ and $z := z_1\|z_2\|\ldots\|z_N$.

We prove that the output of this simulator is indistinguishable from a real proof. For proving this, we consider the following sequence of modified simulators. We note that these simulators may perform quantum computations, unlike the real simulator.

$\mathrm{Sim}_1(k_V, x)$: The simulator parses $(W_1, \ldots, W_N, m_1, \ldots, m_N, S_V, \{\hat{x}_j, \hat{z}_j\}_{j \in S_V}) \leftarrow k_V$ and does the following.
1.
Generate the classical description of the density matrix $\rho_{S_V} := \mathrm{Sim}_{\mathrm{hist}}(x, S_V)$, where $\mathrm{Sim}_{\mathrm{hist}}$ is as in Lemma 2.8. (This step is the same as step 1 of $\mathrm{Sim}(k_V, x)$.)
2. Generate
$$\tilde{\rho}'_{\mathrm{hist}} := \left(\prod_{j \in S_V} X_j^{\hat{x}_j} Z_j^{\hat{z}_j}\right)\rho_{S_V}\left(\prod_{j \in S_V} Z_j^{\hat{z}_j} X_j^{\hat{x}_j}\right) \otimes \frac{I_{[N]\setminus S_V}}{2^{|[N]\setminus S_V|}}.$$
3. Measure the $j$-th qubits of $\tilde{\rho}'_{\mathrm{hist}}$ and $\rho_P := \bigotimes_{j=1}^{N}(U(W_j)|m_j\rangle)$ in the Bell basis for $j \in [N]$, and let $(x_j, z_j)$ be the $j$-th measurement result.
4. Output $\pi := (x, z)$, where $x := x_1\|x_2\|\ldots\|x_N$ and $z := z_1\|z_2\|\ldots\|z_N$.

Clearly, the distributions of $\{x_j, z_j\}_{j \in S_V}$ output by $\mathrm{Sim}(k_V, x)$ and $\mathrm{Sim}_1(k_V, x)$ are the same. Moreover, the distributions of $\{x_j, z_j\}_{j \in [N] \setminus S_V}$ output by $\mathrm{Sim}(k_V, x)$ and $\mathrm{Sim}_1(k_V, x)$ are both uniformly and independently random (for $\mathrm{Sim}_1$, because a Bell-basis measurement of a maximally mixed qubit against any fixed qubit has a uniformly random outcome). Therefore, the output distributions of $\mathrm{Sim}(k_V, x)$ and $\mathrm{Sim}_1(k_V, x)$ are exactly the same.

Next, we consider the following modified simulator that takes a witness $w \in R_L(x)$ as input.

$\mathrm{Sim}_2(k_V, x, w)$: The simulator parses $(W_1, \ldots, W_N, m_1, \ldots, m_N, S_V, \{\hat{x}_j, \hat{z}_j\}_{j \in S_V}) \leftarrow k_V$ and does the following.
1. Generate the history state $\rho_{\mathrm{hist}}$ for $H_x$ from $w$.
2. Generate $(\hat{x}_j, \hat{z}_j) \xleftarrow{\$} \{0,1\}^2$ for $j \in [N] \setminus S_V$ and let $\hat{x} := \hat{x}_1\|\ldots\|\hat{x}_N$ and $\hat{z} := \hat{z}_1\|\ldots\|\hat{z}_N$.
3. Compute $\rho'_{\mathrm{hist}} := X^{\hat{x}} Z^{\hat{z}} \rho_{\mathrm{hist}} Z^{\hat{z}} X^{\hat{x}}$.
4. Measure the $j$-th qubits of $\rho'_{\mathrm{hist}}$ and $\rho_P := \bigotimes_{j=1}^{N}(U(W_j)|m_j\rangle)$ in the Bell basis for $j \in [N]$, and let $(x_j, z_j)$ be the $j$-th measurement result.
5. Output $\pi := (x, z)$, where $x := x_1\|x_2\|\ldots\|x_N$ and $z := z_1\|z_2\|\ldots\|z_N$.

By Lemma 2.3, we have
$$\rho'_{\mathrm{hist}} = \left(\prod_{j \in S_V} X_j^{\hat{x}_j} Z_j^{\hat{z}_j}\right)\mathrm{Tr}_{[N]\setminus S_V}[\rho_{\mathrm{hist}}]\left(\prod_{j \in S_V} Z_j^{\hat{z}_j} X_j^{\hat{x}_j}\right) \otimes \frac{I_{[N]\setminus S_V}}{2^{|[N]\setminus S_V|}}$$
from the view of a distinguisher that has no information on $\{\hat{x}_j, \hat{z}_j\}_{j \in [N] \setminus S_V}$. By Lemma 2.8, we have $\|\rho_{S_V} - \mathrm{Tr}_{[N]\setminus S_V}\,\rho_{\mathrm{hist}}\|_{\mathrm{tr}} = \mathrm{negl}(\lambda)$.
Therefore, we have $\|\tilde{\rho}'_{\mathrm{hist}} - \rho'_{\mathrm{hist}}\|_{\mathrm{tr}} = \mathrm{negl}(\lambda)$. This means that $\mathrm{Sim}_1(k_V, x)$ and $\mathrm{Sim}_2(k_V, x, w)$ are statistically indistinguishable from the view of a distinguisher that makes at most one query.

Finally, noting that the output distribution of $\mathrm{Sim}_2(k_V, x, w)$ is exactly the same as that of $\mathrm{Prove}(k_P, x, w)$ (the only difference is that $\mathrm{Sim}_2$ samples the pad bits outside $S_V$ itself, and these are uniformly random and hidden from the distinguisher in both cases), the proof of Lemma 4.3 is completed. $\square$

5 Dual-Mode CV-NIZK with Preprocessing

In this section, we extend the CV-NIZK given in Section 4 to reduce the amount of trust in the setup, at the cost of introducing a quantum preprocessing and relying on a computational assumption. In the construction in Section 4, we assume that the trusted setup algorithm honestly generates proving and verification keys, which are correlated with each other, and sends them to the prover and verifier, respectively, without revealing them to the other party. Here, we give a construction of a CV-NIZK with preprocessing that consists of the generation of a common reference string by a trusted party and a single instance-independent quantum message from the verifier to the prover. We call such a model the CRS + ($V \to P$) model. We note that this is the same model as the one considered in [CVZ20]. Moreover, our construction has a nice feature called the dual-mode property, which has been considered for NIZKs for NP [GS12, GOS12, PS19, HU19, LPWW20]. The dual-mode property requires that there are two computationally indistinguishable modes of generating a common reference string, one of which ensures statistical soundness (and computational zero-knowledge) while the other ensures statistical zero-knowledge (and computational soundness). To the best of our knowledge, ours is the first construction of a dual-mode NIZK for QMA in any kind of model.

We give a formal definition of a dual-mode CV-NIZK in the CRS + ($V \to P$) model.

Definition 5.1 (Dual-Mode CV-NIZK in the CRS + ($V \to P$) Model).
A dual-mode CV-NIZK for a QMA language $L$ in the CRS + ($V \to P$) model consists of algorithms $\Pi = (\mathrm{CRSGen}, \mathrm{Preprocess}, \mathrm{Prove}, \mathrm{Verify})$ with the following syntax:

$\mathrm{CRSGen}(1^\lambda, \mathsf{mode})$: This is a PPT algorithm that takes the security parameter $\lambda$ and a mode $\mathsf{mode} \in \{\mathsf{binding}, \mathsf{hiding}\}$ as input and outputs a classical common reference string $\mathsf{crs}$. We note that $\mathsf{crs}$ can be reused, and thus this algorithm needs to be run only once by a trusted third party.

$\mathrm{Preprocess}(\mathsf{crs})$: This is a QPT algorithm that takes the common reference string $\mathsf{crs}$ as input and outputs a quantum proving key $k_P$ and a classical verification key $k_V$. We note that this algorithm is supposed to be run by the verifier as preprocessing; $k_P$ is supposed to be sent to the prover, while $k_V$ is supposed to be kept secret on the verifier's side. We also note that they can be used only once and cannot be reused, unlike $\mathsf{crs}$.

$\mathrm{Prove}(\mathsf{crs}, k_P, x, w^{\otimes k})$: This is a QPT algorithm that takes the common reference string $\mathsf{crs}$, the proving key $k_P$, a statement $x$, and $k = \mathrm{poly}(\lambda)$ copies $w^{\otimes k}$ of a witness $w \in R_L(x)$ as input and outputs a classical proof $\pi$.

$\mathrm{Verify}(\mathsf{crs}, k_V, x, \pi)$: This is a PPT algorithm that takes the common reference string $\mathsf{crs}$, the verification key $k_V$, a statement $x$, and a proof $\pi$ as input and outputs $\top$ indicating acceptance or $\bot$ indicating rejection.

We require $\Pi$ to satisfy the following properties for some $0 < s < c < 1$ such that $c - s > 1/\mathrm{poly}(\lambda)$. In particular, when we do not specify $c$ and $s$, they are set as $c = 1 - \mathrm{negl}(\lambda)$ and $s = \mathrm{negl}(\lambda)$.

$c$-Completeness. For all $\mathsf{mode} \in \{\mathsf{binding}, \mathsf{hiding}\}$, $x \in L \cap \{0,1\}^\lambda$, and $w \in R_L(x)$, we have
$$\Pr\left[\mathrm{Verify}(\mathsf{crs}, k_V, x, \pi) = \top : \begin{array}{l} \mathsf{crs} \xleftarrow{\$} \mathrm{CRSGen}(1^\lambda, \mathsf{mode}) \\ (k_P, k_V) \xleftarrow{\$} \mathrm{Preprocess}(\mathsf{crs}) \\ \pi \xleftarrow{\$} \mathrm{Prove}(\mathsf{crs}, k_P, x, w^{\otimes k}) \end{array}\right] \geq c.$$
(Adaptive) Statistical s -Soundness in the Binding Mode For all unbounded-time adver-sary A , we have Pr x / ∈ L ∧ Verify ( crs , k V , x , π ) = ⊤ : crs $ ← CRSGen (1 λ , binding )( k P , k V ) $ ← Preprocess ( crs )( x , π ) $ ← A ( crs , k P ) ≤ s. (Adaptive Multi-Theorem) Statistical Zero-Knowledge in the Hiding Mode. There ex-ists a PPT simulator Sim and a QPT simulator Sim such that for any unbounded-time distin-guisher D , we have (cid:12)(cid:12)(cid:12) Pr h D O P ( crs , · , · , · ) ( crs ) = 1 : crs $ ← CRSGen (1 λ , hiding ) i − Pr h D O S ( td , · , · , · ) ( crs ) = 1 : ( crs , td ) $ ← Sim (1 λ ) i(cid:12)(cid:12)(cid:12) ≤ negl ( λ ) where D can make poly ( λ ) queries, which should be of the form ( k P , x , w ⊗ k ) where w ∈ R L ( x ) and w ⊗ k is unentangled with D ’s internal registers, O P ( crs , k P , x , w ⊗ k ) returns Prove ( crs , k P , x , w ⊗ k ) ,and O S ( td , k P , x , w ⊗ k ) returns Sim ( td , k P , x ) . Computational Mode Indistinguishability. For any non-uniform QPT distinguisher D , wehave (cid:12)(cid:12)(cid:12) Pr h D ( crs ) = 1 : crs $ ← CRSGen (1 λ , binding ) i − Pr h D ( crs ) = 1 : crs $ ← CRSGen (1 λ , hiding ) i(cid:12)(cid:12)(cid:12) ≤ negl ( λ ) . Remark 3 (On definition of zero-knowledge property) . By considering a combination of CRSGen (for a fixed mode ) and Preprocess as a setup algorithm, (dual-mode) CV-NIZK in the CRS + ( V → P ) model can be seen as a CV-NIZK in the SP model in a syntactical sense. However,it seems difficult to prove that this satisfies (even a computational variant of ) the zero-knowledgeproperty defined in Definition 2.9 due to the following reasons:1. In Definition 5.1, Sim is quantum, whereas a simulator is required to be classical in Defini-tion 2.9. We observe that this seems unavoidable in the above model: If k P is quantum, thena classical simulator cannot even take k P as input. 
On the other hand, if k P is classical, thenthat implies L ∈ AM similarly to the final paragraph of Section 3.2. A simulator in Definition 5.1 can embed a trapdoor td behind the common reference string crs whereas a simulator in Definition 2.9 just takes an honestly generated verification key k V as input. We remark that this also seems unavoidable since k V may be maliciously generatedwhen the verifier is malicious, in which case just taking k V as input would be useless for thesimulation. We remark that k P is allowed to be entangled with D ’s internal registers unlike w ⊗ k . See also footnote 5. n the other hand, the definition in Definition 5.1 allows a distinguisher (that plays the role of a ma-licious verifier) to maliciously generate k P , which is a stronger capability than that of a distinguisherin Definition 2.9. Therefore, the zero-knowledge properties in Definition 5.1 and Definition 2.9 areincomparable. We believe that the definition of the zero-knowledge property in Definition 5.1 en-sures meaningful security. It roughly means that any malicious verifier cannot learn anything beyondwhat could be computed in quantum polynomial time by itself even if it is allowed to interact withmany sessions of honest provers under maliciously generated proving keys and the reused honestlygenerated common reference string. While this does not seem very meaningful when L ∈ BQP ,we can ensure a meaningful privacy of the witness when L ∈ QMA . Finally we remark that ourdefinition is essentially the same as that in [CVZ20] (except for the dual-mode property). Remark 4 (Comparison to NIZK in the malicious designated verifier model) . A CV-NIZK for QMA in the CRS + ( V → P ) model as defined above is syntactically very similar to the NIZKfor QMA in the malicious designated verifier model as introduced in [Shm20]. 
However, a crucialdifference is that the proving key k P is a quantum state in our case and cannot be reused whereasthat is classical and can be reused for proving multiple statements in [Shm20]. On the other hand,a CV-NIZK in the CRS + ( V → P ) model has two nice features that the NIZK of [Shm20] doesnot have: one is that verification can be done classically in the online phase and the other is thedual-mode property. Though Definition 5.1 does not explicitly require anything on soundness in the hiding mode orthe zero-knowledge property in the binding mode, we can easily prove that they are satisfied in acomputational sense. Specifically, we have the following lemma. Lemma 5.2. If a dual-mode CV-NIZK Π = ( CRSGen , Preprocess , Prove , Verify ) for a QMA lan-guage L satisfies statistical s -soundness in the binding mode, statistical zero-knowledge property inthe hiding mode, and computational mode indistinguishability, then it also satisfies the followingproperties. (Exclusive-Adaptive) Computational ( s + negl ( λ )) -Soundness in the Hiding Mode Forall non-uniform QPT adversaries A , we have Pr Verify ( crs , k V , x , π ) = ⊤ : crs $ ← CRSGen (1 λ , hiding )( k P , k V ) $ ← Preprocess ( crs )( x , π ) $ ← A ( crs , k P ) ≤ s + negl ( λ ) . where A ’s output must always satisfy x / ∈ L . (Adaptive Multi-Theorem) Computational Zero-Knowledge in the Binding Mode. 
Thereexists a PPT simulator Sim and QPT simulator Sim such that for any non-uniform QPT distin-guisher D , we have (cid:12)(cid:12)(cid:12) Pr h D O P ( crs , · , · , · ) ( crs ) = 1 : crs $ ← CRSGen (1 λ , binding ) i − Pr h D O S ( td , · , · , · ) ( crs ) = 1 : ( crs , td ) $ ← Sim (1 λ ) i(cid:12)(cid:12)(cid:12) ≤ negl ( λ ) where D can make poly ( λ ) queries, which should be of the form ( k P , x , w ⊗ k ) where w ∈ R L ( x ) and w ⊗ k is unentangled with D ’s internal registers, O P ( crs , k P , x , w ⊗ k ) returns Prove ( crs , k P , x , w ⊗ k ) , and O S ( td , k P , x , w ⊗ k ) returns Sim ( td , k P , x ) . NP , which has been folklore and formally provenrecently [AB20]. Remark 5. Remark that soundness in the hiding mode is defined in the “exclusive style” where A should always output x / ∈ L . This is weaker than soundness in the “penalizing style” as inDefinition 5.1 where A is allowed to also output x ∈ L and we add x / ∈ L as part of the adversary’swinning condition. This is because the adaptive soundness in the penalizing style does not transferwell through the mode change while the adaptive soundness in the exclusive style does. This wasformally proven for NIZK for NP in the common reference string model in [AB20], and easilyextends to CV-NIZK for QMA in the CRS + ( V → P ) model. This is justified by the impossibilityof penalizing-adaptively (computational) sound and statistically zero-knowledge NIZK for NP inthe classical setting (under falsifiable assumptions) [Pas13]. We leave it open to study if a similarimpossibility holds for dual-mode CV-NIZK for QMA in the CRS + ( V → P ) model. Finally, we note that we can amplify the gap between the thresholds for completeness andsoundness by parallel repetitions similarly to CV-NIZK in the SP model as discussed in Section 2.3.As a result, we obtain the following lemma. Lemma 5.3 (Gap amplification for dual-mode CV-NIZK in the CRS + ( V → P ) model) . 
If there exists a dual-mode CV-NIZK for $L$ in the CRS + ($V \to P$) model that satisfies $c$-completeness and $s$-soundness for some $0 < s < c < 1$ such that $c - s > 1/\mathsf{poly}(\lambda)$, then there exists a dual-mode CV-NIZK for $L$ in the CRS + ($V \to P$) model (with $(1 - \mathsf{negl}(\lambda))$-completeness and $\mathsf{negl}(\lambda)$-soundness).

Since this can be proven similarly to Lemma 2.10, we omit a proof.

5.2 Building Blocks

We introduce two cryptographic building blocks for our dual-mode CV-NIZK in the CRS + ($V \to P$) model.

Lossy Encryption. The first building block is lossy encryption [BHY09]. Intuitively, a lossy encryption scheme is a public key encryption scheme with a special property that we can generate a lossy key that is computationally indistinguishable from an honestly generated public key, for which there is no corresponding decryption key.

Definition 5.4 (Lossy Encryption). A lossy encryption scheme over the message space $\mathcal{M}$ and the randomness space $\mathcal{R}$ consists of PPT algorithms $\Pi_{LE} = (\mathsf{InjGen}, \mathsf{LossyGen}, \mathsf{Enc}, \mathsf{Dec})$ with the following syntax.

$\mathsf{InjGen}(1^\lambda)$: The injective key generation algorithm takes the security parameter $\lambda$ as input and outputs an injective public key $\mathsf{pk}$ and a secret key $\mathsf{sk}$.

$\mathsf{LossyGen}(1^\lambda)$: The lossy key generation algorithm takes the security parameter $\lambda$ as input and outputs a lossy public key $\mathsf{pk}$.

$\mathsf{Enc}(\mathsf{pk}, \mu)$: The encryption algorithm takes the public key $\mathsf{pk}$ and a message $\mu \in \mathcal{M}$ as input and outputs a ciphertext $\mathsf{ct}$. This algorithm uses randomness $R \in \mathcal{R}$. We write $\mathsf{Enc}(\mathsf{pk}, \mu; R)$ to mean that we run $\mathsf{Enc}$ on input $\mathsf{pk}$ and $\mu$ with randomness $R$ when we need to make the randomness explicit.

$\mathsf{Dec}(\mathsf{sk}, \mathsf{ct})$: The decryption algorithm takes the secret key $\mathsf{sk}$ and a ciphertext $\mathsf{ct}$ as input and outputs a message $\mu$.

We require $\Pi_{LE}$ to satisfy the following properties.

Correctness on Injective Keys. For all $\mu \in \mathcal{M}$, we have
$$\Pr\left[\mathsf{Dec}(\mathsf{sk}, \mathsf{ct}) = \mu :
\begin{array}{l}
(\mathsf{pk}, \mathsf{sk}) \xleftarrow{\$} \mathsf{InjGen}(1^\lambda) \\
\mathsf{ct} \xleftarrow{\$} \mathsf{Enc}(\mathsf{pk}, \mu)
\end{array}\right] = 1.$$

Lossiness on Lossy Keys. With overwhelming probability over $\mathsf{pk} \xleftarrow{\$} \mathsf{LossyGen}(1^\lambda)$, for all $\mu_0, \mu_1 \in \mathcal{M}$ and all unbounded-time distinguishers $\mathcal{D}$, we have
$$\left| \Pr\left[\mathcal{D}(\mathsf{ct}) = 1 : \mathsf{ct} \xleftarrow{\$} \mathsf{Enc}(\mathsf{pk}, \mu_0)\right] - \Pr\left[\mathcal{D}(\mathsf{ct}) = 1 : \mathsf{ct} \xleftarrow{\$} \mathsf{Enc}(\mathsf{pk}, \mu_1)\right] \right| \le \mathsf{negl}(\lambda).$$

Computational Mode Indistinguishability. For any non-uniform QPT distinguisher $\mathcal{D}$, we have
$$\left| \Pr\left[\mathcal{D}(\mathsf{pk}) = 1 : (\mathsf{pk}, \mathsf{sk}) \xleftarrow{\$} \mathsf{InjGen}(1^\lambda)\right] - \Pr\left[\mathcal{D}(\mathsf{pk}) = 1 : \mathsf{pk} \xleftarrow{\$} \mathsf{LossyGen}(1^\lambda)\right] \right| \le \mathsf{negl}(\lambda).$$

It is well known that Regev's encryption [Reg09] is a lossy encryption scheme under the LWE assumption with a negligible correctness error. We can modify the scheme to achieve perfect correctness by a standard technique. Then we have the following lemma.

Lemma 5.5. If the LWE assumption holds, then there exists a lossy encryption scheme.

Dual-Mode Oblivious Transfer. The second building block is a $k$-out-of-$n$ dual-mode oblivious transfer. Though this is a newly introduced definition in this paper, the 1-out-of-2 case is already implicit in existing works on universally composable (UC-secure) [Can20] oblivious transfers [PVW08, Qua20].

Definition 5.6 (Dual-mode oblivious transfer). A (2-round) $k$-out-of-$n$ dual-mode oblivious transfer with a message space $\mathcal{M}$ consists of PPT algorithms $\Pi_{OT} = (\mathsf{CRSGen}, \mathsf{Receiver}, \mathsf{Sender}, \mathsf{Derive})$.

$\mathsf{CRSGen}(1^\lambda, \mathsf{mode})$: This is an algorithm supposed to be run by a trusted third party that takes the security parameter $\lambda$ and a mode $\mathsf{mode} \in \{\mathsf{binding}, \mathsf{hiding}\}$ as input and outputs a common reference string $\mathsf{crs}$.

$\mathsf{Receiver}(\mathsf{crs}, J)$: This is an algorithm supposed to be run by a receiver that takes the common reference string $\mathsf{crs}$ and an ordered set of $k$ indices $J \in [n]^k$ as input and outputs a first message $\mathsf{ot}_1$ and a receiver's state $\mathsf{st}$.

$\mathsf{Sender}(\mathsf{crs}, \mathsf{ot}_1, \mu)$: This is an algorithm supposed to be run by a sender that takes the common reference string $\mathsf{crs}$, a first message $\mathsf{ot}_1$ sent from a receiver, and a tuple of messages $\mu \in \mathcal{M}^n$ as input and outputs a second message $\mathsf{ot}_2$.

$\mathsf{Derive}(\mathsf{crs}, \mathsf{st}, \mathsf{ot}_2)$: This is an algorithm supposed to be run by a receiver that takes the common reference string $\mathsf{crs}$, a receiver's state $\mathsf{st}$, and a second message $\mathsf{ot}_2$ as input and outputs a tuple of messages $\mu' \in \mathcal{M}^k$.

We require the following properties.

Correctness. For all $\mathsf{mode} \in \{\mathsf{binding}, \mathsf{hiding}\}$, $J = (j_1, \ldots, j_k) \in [n]^k$, and $\mu = (\mu_1, \ldots, \mu_n) \in \mathcal{M}^n$, we have
$$\Pr\left[\mathsf{Derive}(\mathsf{crs}, \mathsf{st}, \mathsf{ot}_2) = (\mu_{j_1}, \ldots, \mu_{j_k}) :
\begin{array}{l}
\mathsf{crs} \xleftarrow{\$} \mathsf{CRSGen}(1^\lambda, \mathsf{mode}) \\
(\mathsf{ot}_1, \mathsf{st}) \xleftarrow{\$} \mathsf{Receiver}(\mathsf{crs}, J) \\
\mathsf{ot}_2 \xleftarrow{\$} \mathsf{Sender}(\mathsf{crs}, \mathsf{ot}_1, \mu)
\end{array}\right] \ge 1 - \mathsf{negl}(\lambda).$$

Statistical Receiver's Security in the Binding Mode. Intuitively, this security requires that the indices chosen by a receiver are hidden from a sender. Formally, we require that there is a PPT algorithm $\mathsf{Sim}_{rec}$ such that for any unbounded-time distinguisher $\mathcal{D}$ and $J \in [n]^k$, we have
$$\left| \Pr\left[\mathcal{D}(\mathsf{crs}, \mathsf{ot}_1) = 1 :
\begin{array}{l}
\mathsf{crs} \xleftarrow{\$} \mathsf{CRSGen}(1^\lambda, \mathsf{binding}) \\
(\mathsf{ot}_1, \mathsf{st}) \xleftarrow{\$} \mathsf{Receiver}(\mathsf{crs}, J)
\end{array}\right] - \Pr\left[\mathcal{D}(\mathsf{crs}, \mathsf{ot}_1) = 1 :
\begin{array}{l}
\mathsf{crs} \xleftarrow{\$} \mathsf{CRSGen}(1^\lambda, \mathsf{binding}) \\
\mathsf{ot}_1 \xleftarrow{\$} \mathsf{Sim}_{rec}(\mathsf{crs})
\end{array}\right] \right| \le \mathsf{negl}(\lambda).$$

Statistical Sender's Security in the Hiding Mode. Intuitively, this security requires that we can extract the indices of the messages which a (possibly malicious) receiver tries to learn by using a trapdoor in the hiding mode. Formally, there are PPT algorithms $\mathsf{Sim}_{CRS}$ and $\mathsf{Sim}_{sen}$ and a deterministic classical polynomial-time algorithm $\mathsf{Open}_{rec}$ such that the following two properties are satisfied.

• For any unbounded-time distinguisher $\mathcal{D}$, we have
$$\left| \Pr\left[\mathcal{D}(\mathsf{crs}) = 1 : \mathsf{crs} \xleftarrow{\$} \mathsf{CRSGen}(1^\lambda, \mathsf{hiding})\right] - \Pr\left[\mathcal{D}(\mathsf{crs}) = 1 : (\mathsf{crs}, \mathsf{td}) \xleftarrow{\$} \mathsf{Sim}_{CRS}(1^\lambda)\right] \right| \le \mathsf{negl}(\lambda).$$

• For any unbounded-time adversary $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$ (that plays the role of a malicious receiver) and $\mu = (\mu_1, \ldots, \mu_n)$, we have
$$\left| \Pr\left[\mathcal{A}_2(\mathsf{st}_{\mathcal{A}}, \mathsf{ot}_2) = 1 :
\begin{array}{l}
(\mathsf{crs}, \mathsf{td}) \xleftarrow{\$} \mathsf{Sim}_{CRS}(1^\lambda) \\
(\mathsf{ot}_1, \mathsf{st}_{\mathcal{A}}) \xleftarrow{\$} \mathcal{A}_1(\mathsf{crs}, \mathsf{td}) \\
\mathsf{ot}_2 \xleftarrow{\$} \mathsf{Sender}(\mathsf{crs}, \mathsf{ot}_1, \mu)
\end{array}\right] - \Pr\left[\mathcal{A}_2(\mathsf{st}_{\mathcal{A}}, \mathsf{ot}_2) = 1 :
\begin{array}{l}
(\mathsf{crs}, \mathsf{td}) \xleftarrow{\$} \mathsf{Sim}_{CRS}(1^\lambda) \\
(\mathsf{ot}_1, \mathsf{st}_{\mathcal{A}}) \xleftarrow{\$} \mathcal{A}_1(\mathsf{crs}, \mathsf{td}) \\
J := \mathsf{Open}_{rec}(\mathsf{td}, \mathsf{ot}_1) \\
\mathsf{ot}_2 \xleftarrow{\$} \mathsf{Sim}_{sen}(\mathsf{crs}, \mathsf{ot}_1, J, \mu_J)
\end{array}\right] \right| \le \mathsf{negl}(\lambda)$$
where the output of $\mathsf{Open}_{rec}$ always satisfies $J \in [n]^k$ and $\mu_J := (\mu_{j_1}, \ldots, \mu_{j_k})$ for $J = (j_1, \ldots, j_k)$.

Computational Mode Indistinguishability. For any non-uniform QPT distinguisher $\mathcal{D}$, we have
$$\left| \Pr\left[\mathcal{D}(\mathsf{crs}) = 1 : \mathsf{crs} \xleftarrow{\$} \mathsf{CRSGen}(1^\lambda, \mathsf{binding})\right] - \Pr\left[\mathcal{D}(\mathsf{crs}) = 1 : \mathsf{crs} \xleftarrow{\$} \mathsf{CRSGen}(1^\lambda, \mathsf{hiding})\right] \right| \le \mathsf{negl}(\lambda).$$

Remark 6 (On the security definition of dual-mode oblivious transfer). We remark that the security of a $k$-out-of-$n$ dual-mode oblivious transfer as defined in Definition 5.6 does not imply UC-security [Can20, PVW08, Qua20] or even full-simulation security in the standard stand-alone simulation-based definition [Lin08]. This is because the receiver's security in Definition 5.6 only ensures privacy of $J$ and does not prevent a malicious sender from generating $\mathsf{ot}_2$ so that he can manipulate the message derived on the receiver's side depending on $J$. Security with such a weaker receiver's security is often referred to as half-simulation security [CNs07]. We define the security in this way due to the following reasons:

1. This definition is sufficient for constructing a dual-mode CV-NIZK in the CRS + ($V \to P$) model as given in Section 5.3, by additionally relying on lossy encryption.

2. We are not aware of an efficient construction of a $k$-out-of-$n$ oblivious transfer that satisfies full-simulation security under a post-quantum assumption (even if we ignore the dual-mode property). We note that Quach [Qua20] gave a construction of a 1-out-of-2 oblivious transfer with full-simulation security based on LWE, and we can extend it to a 1-out-of-$n$ one. However, we are not aware of an efficient way to convert this into a $k$-out-of-$n$ one without losing the full-simulation security. We note that a conversion from 1-out-of-$n$ to $k$-out-of-$n$ oblivious transfer by a simple $k$-parallel repetition does not work if we require full-simulation security, since a malicious sender can send different, inconsistent messages in different sessions, which should be considered an attack against full-simulation security. One possible way to prevent such an inconsistent-message attack is to let the sender prove that the messages in all sessions are consistent by using a (post-quantum) NIZK for NP in the common reference string model [PS19]. However, such a construction is very inefficient since it uses the underlying 1-out-of-$n$ oblivious transfer in a non-black-box manner. On the other hand, half-simulation security is preserved under parallel repetition as shown in Appendix D, and thus we can achieve this much more efficiently.

Lemma 5.7. If the LWE assumption holds, then there exists a $k$-out-of-$n$ dual-mode oblivious transfer for arbitrary $0 < k < n$ that are polynomial in $\lambda$.

Proof (sketch). First, we can see that the LWE-based UC-secure OT by Quach [Qua20] can be seen as a 1-out-of-2 dual-mode oblivious transfer. This construction can be converted into a 1-out-of-$n$ dual-mode oblivious transfer by using the generic conversion for an ordinary oblivious transfer given in [BCR86], observing that the conversion preserves the dual-mode property. By $k$-parallel repetition of the 1-out-of-$n$ dual-mode oblivious transfer, we obtain a $k$-out-of-$n$ dual-mode oblivious transfer.
The full proof can be found in Appendix D.

(Footnote: His construction further satisfies UC-security, which is stronger than full-simulation security.)

(Footnote: Alternatively, it may be possible to directly construct a 1-out-of-$n$ dual-mode oblivious transfer by appropriately modifying the construction by Quach [Qua20].)

5.3 Construction

In this section, we construct a dual-mode CV-NIZK in the CRS + ($V \to P$) model. As a result, we obtain the following theorem.

Theorem 5.8. If the LWE assumption holds, then there exists a dual-mode CV-NIZK in the CRS + ($V \to P$) model.

Let $L$ be a QMA language, and $H_{\mathsf{x}}$, $N$, $M$, $p_i$, $s_i$, $P_i$, $\alpha$, $\beta$, and $\rho_{hist}$ be as in Lemma 2.7 for the language $L$. We let $N' := 3^5 \sum_{i=1}^{5} \binom{N}{i}$ similarly to Lemma 4.2. Let $\Pi_{LE} = (\mathsf{InjGen}_{LE}, \mathsf{LossyGen}_{LE}, \mathsf{Enc}_{LE}, \mathsf{Dec}_{LE})$ be a lossy encryption scheme over the message space $\mathcal{M}_{LE} = \{0,1\}^2$ and the randomness space $\mathcal{R}_{LE}$ as defined in Definition 5.4. Let $\Pi_{OT} = (\mathsf{CRSGen}_{OT}, \mathsf{Receiver}_{OT}, \mathsf{Sender}_{OT}, \mathsf{Derive}_{OT})$ be a 5-out-of-$N$ dual-mode oblivious transfer over the message space $\mathcal{M}_{OT} = \mathcal{M}_{LE} \times \mathcal{R}_{LE}$ as defined in Definition 5.6. Then our dual-mode CV-NIZK $\Pi_{DM} = (\mathsf{CRSGen}_{DM}, \mathsf{Preprocess}_{DM}, \mathsf{Prove}_{DM}, \mathsf{Verify}_{DM})$ for $L$ is described in Figure 7.

Then we prove the following lemmas.

Lemma 5.9. $\Pi_{DM}$ satisfies $\left(1 - \frac{\alpha}{N'} - \mathsf{negl}(\lambda)\right)$-completeness.

Proof. By the correctness of $\Pi_{OT}$, it is easy to see that the probability that an honestly generated proof passes the verification differs from that in $\Pi_{NIZK}$ in Figure 4 only by $\mathsf{negl}(\lambda)$. Since $\Pi_{NIZK}$ satisfies $\left(1 - \frac{\alpha}{N'}\right)$-completeness as shown in Lemma 4.2, $\Pi_{DM}$ satisfies $\left(1 - \frac{\alpha}{N'} - \mathsf{negl}(\lambda)\right)$-completeness.

Lemma 5.10. $\Pi_{DM}$ satisfies computational mode indistinguishability.

Proof. This can be reduced to the computational mode indistinguishability of $\Pi_{OT}$ and $\Pi_{LE}$ in a straightforward manner.

Lemma 5.11. $\Pi_{DM}$ satisfies statistical $\left(1 - \frac{\beta}{N'} + \mathsf{negl}(\lambda)\right)$-soundness in the binding mode.

Lemma 5.12. $\Pi_{DM}$ satisfies the statistical zero-knowledge property in the hiding mode.

By combining Lemmas 5.3, 5.5, 5.7 and 5.9 to 5.12 and
$$\left(1 - \frac{\alpha}{N'} - \mathsf{negl}(\lambda)\right) - \left(1 - \frac{\beta}{N'} + \mathsf{negl}(\lambda)\right) = \frac{\beta - \alpha}{N'} - \mathsf{negl}(\lambda) = 1/\mathsf{poly}(\lambda),$$
we obtain Theorem 5.8. In the following, we prove Lemmas 5.11 and 5.12.

Proof of Lemma 5.11 (Soundness). For any adversary $\mathcal{A}$, we consider the following sequence of games between $\mathcal{A}$ and the challenger, where we denote by $\mathsf{Win}_i$ the event that the challenger returns $\top$ in Game $i$.

Game 0: This game is the original soundness game in the binding mode. That is, it works as follows:

1. The challenger generates $\mathsf{crs}_{OT} \xleftarrow{\$} \mathsf{CRSGen}_{OT}(1^\lambda, \mathsf{binding})$ and $(\mathsf{pk}, \mathsf{sk}) \xleftarrow{\$} \mathsf{InjGen}_{LE}(1^\lambda)$, and sets $\mathsf{crs}_{DM} := (\mathsf{crs}_{OT}, \mathsf{pk})$.

2. The challenger generates $(W_1, \ldots, W_N) \xleftarrow{\$} \{X, Y, Z\}^N$, $(m_1, \ldots, m_N) \xleftarrow{\$} \{0,1\}^N$, and $\rho_P := \bigotimes_{j=1}^{N} U(W_j)|m_j\rangle$.

3. The challenger generates $S_V$ and $J = (j_1, \ldots, j_5)$ similarly to $\mathsf{Preprocess}_{DM}$.

4. The challenger generates $(\mathsf{ot}_1, \mathsf{st}) \xleftarrow{\$} \mathsf{Receiver}_{OT}(\mathsf{crs}_{OT}, J)$.

5. The challenger gives $\mathsf{crs}_{DM}$ and a proving key $k_P := (\rho_P, \mathsf{ot}_1)$ to $\mathcal{A}$, and $\mathcal{A}$ outputs $(\mathsf{x}, \pi = (x, z, \{\mathsf{ct}_j\}_{j \in [N]}, \mathsf{ot}_2))$. If $\mathsf{x} \in L$, the challenger outputs $\bot$ and immediately halts.

6. The challenger runs $\mu' \xleftarrow{\$} \mathsf{Derive}_{OT}(\mathsf{crs}_{OT}, \mathsf{st}, \mathsf{ot}_2)$ and parses $(((\hat{x}'_1, \hat{z}'_1), R'_1), \ldots, ((\hat{x}'_5, \hat{z}'_5), R'_5)) \leftarrow \mu'$. If $\mathsf{Enc}_{LE}(\mathsf{pk}, (\hat{x}'_i, \hat{z}'_i); R'_i) \ne \mathsf{ct}_{j_i}$ for some $i \in [5]$, it outputs $\bot$ and immediately halts. Otherwise, it recovers $\{\hat{x}_j, \hat{z}_j\}_{j \in S_V}$ by setting $(\hat{x}_{j_i}, \hat{z}_{j_i}) := (\hat{x}'_i, \hat{z}'_i)$ for $i \in [|S_V|]$.

7. The challenger samples $i$ and defines $S_i$ and $P_i$ similarly to $\mathsf{Verify}_{DM}$. If $P_i$ is not consistent to $(S_V, \{W_j\}_{j \in S_V})$, it outputs $\top$. If $P_i$ is consistent to $(S_V, \{W_j\}_{j \in S_V})$, it flips a biased coin that is heads with probability $1 - 3^{|S_i| - 5}$. If heads, it outputs $\top$. If tails, it defines $m'_j$ for $j \in S_i$ similarly to $\mathsf{Verify}_{DM}$ and outputs $\top$ if $(-1)^{\bigoplus_{j \in S_i} m'_j} = -s_i$ and $\bot$ otherwise.
$\mathsf{CRSGen}_{DM}(1^\lambda, \mathsf{mode})$: The CRS generation algorithm generates $\mathsf{crs}_{OT} \xleftarrow{\$} \mathsf{CRSGen}_{OT}(1^\lambda, \mathsf{mode})$.
• If $\mathsf{mode} = \mathsf{binding}$, then it generates $(\mathsf{pk}, \mathsf{sk}) \xleftarrow{\$} \mathsf{InjGen}_{LE}(1^\lambda)$.
• If $\mathsf{mode} = \mathsf{hiding}$, then it generates $\mathsf{pk} \xleftarrow{\$} \mathsf{LossyGen}_{LE}(1^\lambda)$.
Then it outputs $\mathsf{crs}_{DM} := (\mathsf{crs}_{OT}, \mathsf{pk})$.

$\mathsf{Preprocess}_{DM}(\mathsf{crs}_{DM})$: The preprocessing algorithm parses $(\mathsf{crs}_{OT}, \mathsf{pk}) \leftarrow \mathsf{crs}_{DM}$ and chooses $(W_1, \ldots, W_N) \xleftarrow{\$} \{X, Y, Z\}^N$, $(m_1, \ldots, m_N) \xleftarrow{\$} \{0,1\}^N$, and a uniformly random subset $S_V \subseteq [N]$ such that $1 \le |S_V| \le 5$. Let $J = (j_1, \ldots, j_5) \in [N]^5$ be the elements of $S_V$ in ascending order, where we append arbitrary indices when $|S_V| < 5$. It generates $(\mathsf{ot}_1, \mathsf{st}) \xleftarrow{\$} \mathsf{Receiver}_{OT}(\mathsf{crs}_{OT}, J)$ and outputs a proving key $k_P := \left(\rho_P := \bigotimes_{j=1}^{N} U(W_j)|m_j\rangle,\ \mathsf{ot}_1\right)$ and a verification key $k_V := (W_1, \ldots, W_N, m_1, \ldots, m_N, S_V, \mathsf{st})$.

$\mathsf{Prove}_{DM}(\mathsf{crs}_{DM}, k_P, \mathsf{x}, w)$: The proving algorithm parses $(\mathsf{crs}_{OT}, \mathsf{pk}) \leftarrow \mathsf{crs}_{DM}$ and $(\rho_P, \mathsf{ot}_1) \leftarrow k_P$, generates $(\hat{x}, \hat{z}) \xleftarrow{\$} \{0,1\}^N \times \{0,1\}^N$, generates the history state $\rho_{hist}$ for $H_{\mathsf{x}}$ from $w$, and computes $\rho'_{hist} := X^{\hat{x}} Z^{\hat{z}} \rho_{hist} Z^{\hat{z}} X^{\hat{x}}$. It measures the $j$-th qubits of $\rho'_{hist}$ and $\rho_P$ in the Bell basis for $j \in [N]$. Let $x := x_1 \| x_2 \| \ldots \| x_N$ and $z := z_1 \| z_2 \| \ldots \| z_N$, where $(x_j, z_j)$ denotes the outcome of the $j$-th measurement. For $j \in [N]$, it generates $\mathsf{ct}_j := \mathsf{Enc}_{LE}(\mathsf{pk}, (\hat{x}_j, \hat{z}_j); R_j)$ where $R_j \xleftarrow{\$} \mathcal{R}_{LE}$ and $\hat{x}_j$ and $\hat{z}_j$ denote the $j$-th bits of $\hat{x}$ and $\hat{z}$, respectively. It sets $\mu_j := ((\hat{x}_j, \hat{z}_j), R_j)$ for $j \in [N]$ and generates $\mathsf{ot}_2 \xleftarrow{\$} \mathsf{Sender}_{OT}(\mathsf{crs}_{OT}, \mathsf{ot}_1, (\mu_1, \ldots, \mu_N))$. It outputs a proof $\pi := (x, z, \{\mathsf{ct}_j\}_{j \in [N]}, \mathsf{ot}_2)$.

$\mathsf{Verify}_{DM}(\mathsf{crs}_{DM}, k_V, \mathsf{x}, \pi)$: The verification algorithm parses $(\mathsf{crs}_{OT}, \mathsf{pk}) \leftarrow \mathsf{crs}_{DM}$, $(W_1, \ldots, W_N, m_1, \ldots, m_N, S_V, \mathsf{st}) \leftarrow k_V$, and $(x, z, \{\mathsf{ct}_j\}_{j \in [N]}, \mathsf{ot}_2) \leftarrow \pi$. It runs $\mu' \xleftarrow{\$} \mathsf{Derive}_{OT}(\mathsf{crs}_{OT}, \mathsf{st}, \mathsf{ot}_2)$ and parses $(((\hat{x}'_1, \hat{z}'_1), R'_1), \ldots, ((\hat{x}'_5, \hat{z}'_5), R'_5)) \leftarrow \mu'$. If $\mathsf{Enc}_{LE}(\mathsf{pk}, (\hat{x}'_i, \hat{z}'_i); R'_i) \ne \mathsf{ct}_{j_i}$ for some $i \in [5]$, it outputs $\bot$. Otherwise, it recovers $\{\hat{x}_j, \hat{z}_j\}_{j \in S_V}$ by setting $(\hat{x}_{j_i}, \hat{z}_{j_i}) := (\hat{x}'_i, \hat{z}'_i)$ for $i \in [|S_V|]$. It chooses $i \in [M]$ according to the probability distribution defined by $\{p_i\}_{i \in [M]}$ (i.e., chooses $i$ with probability $p_i$). Let $S_i := \{j \in [N] \mid \text{the } j\text{-th Pauli operator of } P_i \text{ is not } I\}$. We note that we have $1 \le |S_i| \le 5$ by the 5-locality of $H_{\mathsf{x}}$. We say that $P_i$ is consistent to $(S_V, \{W_j\}_{j \in S_V})$ if and only if $S_i = S_V$ and the $j$-th Pauli operator of $P_i$ is $W_j$ for all $j \in S_i$. If $P_i$ is not consistent to $(S_V, \{W_j\}_{j \in S_V})$, it outputs $\top$. If $P_i$ is consistent to $(S_V, \{W_j\}_{j \in S_V})$, it flips a biased coin that is heads with probability $1 - 3^{|S_i| - 5}$. If heads, it outputs $\top$. If tails, it defines
$$m'_j := \begin{cases}
m_j \oplus x_j \oplus \hat{x}_j & (W_j = Z), \\
m_j \oplus z_j \oplus \hat{z}_j & (W_j = X), \\
m_j \oplus x_j \oplus \hat{x}_j \oplus z_j \oplus \hat{z}_j & (W_j = Y)
\end{cases}$$
for $j \in S_i$, and outputs $\top$ if $(-1)^{\bigoplus_{j \in S_i} m'_j} = -s_i$ and $\bot$ otherwise.

Figure 7: Our Dual-Mode CV-NIZK $\Pi_{DM}$

Our goal is to prove $\Pr[\mathsf{Win}_0] \le 1 - \frac{\beta}{N'} + \mathsf{negl}(\lambda)$.

Game 1: This game is identical to the previous game except that Step 6 is replaced with Step 6′ described as follows.

6′. The challenger computes $(\hat{x}_j, \hat{z}_j) \xleftarrow{\$} \mathsf{Dec}_{LE}(\mathsf{sk}, \mathsf{ct}_j)$ for $j \in [N]$.

If the challenger does not output $\bot$ in Step 6, then we have $\mathsf{Enc}_{LE}(\mathsf{pk}, (\hat{x}'_i, \hat{z}'_i); R'_i) = \mathsf{ct}_{j_i}$ for all $i \in [5]$. In this case, we have $\mathsf{Dec}_{LE}(\mathsf{sk}, \mathsf{ct}_{j_i}) = (\hat{x}'_i, \hat{z}'_i)$ by the correctness of $\Pi_{LE}$. Therefore, the values of $\{\hat{x}_j, \hat{z}_j\}_{j \in S_V}$ computed in Steps 6 and 6′ are identical, conditioned on the challenger not outputting $\bot$ in Step 6. Noting that Step 7 only uses the values of $(\hat{x}_j, \hat{z}_j)$ for $j \in S_V$, we have $\Pr[\mathsf{Win}_0] \le \Pr[\mathsf{Win}_1]$.
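The classical decision part of $\mathsf{Verify}_{DM}$ in Figure 7 (the consistency check of $P_i$ against $(S_V, \{W_j\})$, the biased coin, the decoding of $m'_j$ under the teleportation corrections and the prover's pad, and the parity test against $s_i$), as an added Python model that is not the paper's code. The Bell-measurement outcomes $(x, z)$, the pad bits $(\hat{x}, \hat{z})$ and the verifier's bases and outcomes $(W, m)$ are constructed inputs rather than simulated quantum measurements; the tails probability $3^{|S_i|-5}$ and the uniform choice of $S_V$ among subsets of size 1 to 5 are assumptions of this example.

```python
"""Classical part of Verify_DM (Figure 7) as a pure-Python model.

Added example, not the paper's code.  Quantum steps (history state,
Bell measurements) are NOT simulated: x, z (teleportation outcomes),
xh, zh (prover's one-time-pad bits), W and m (verifier's bases and
outcomes) are all constructed inputs.
"""
from fractions import Fraction
from math import comb
import random

K = 5  # assumed locality bound: 1 <= |S_i| <= 5, matching the 5-out-of-N OT


def pauli_support(P: str) -> frozenset:
    """S_i = { j : j-th Pauli of P_i is not I }, for P_i given as a string over I/X/Y/Z."""
    return frozenset(j for j, p in enumerate(P) if p != "I")


def is_consistent(P: str, S_V, W) -> bool:
    """P_i is consistent to (S_V, {W_j}) iff S_i = S_V and the j-th Pauli of P_i is W_j on S_i."""
    S_i = pauli_support(P)
    return S_i == frozenset(S_V) and all(P[j] == W[j] for j in S_i)


def decode_outcome(W_j, m_j, x_j, z_j, xh_j, zh_j) -> int:
    """m'_j: strip the teleportation correction (x_j, z_j) and the pad (xh_j, zh_j)
    from the W_j-basis outcome m_j.  Only Pauli components that anticommute with
    W_j flip the outcome: X-type for W_j = Z, Z-type for W_j = X, both for W_j = Y."""
    if W_j == "Z":
        return m_j ^ x_j ^ xh_j
    if W_j == "X":
        return m_j ^ z_j ^ zh_j
    if W_j == "Y":
        return m_j ^ x_j ^ xh_j ^ z_j ^ zh_j
    raise ValueError(f"unknown basis {W_j!r}")


def parity_test(P, s_i, W, m, x, z, xh, zh) -> bool:
    """Accept iff (-1)^(XOR_{j in S_i} m'_j) = -s_i, i.e. the decoded outcomes of
    P_i land on the low-energy eigenvalue of the term (I + s_i P_i)/2."""
    parity = 0
    for j in pauli_support(P):
        parity ^= decode_outcome(W[j], m[j], x[j], z[j], xh[j], zh[j])
    return (-1) ** parity == -s_i


def tails_probability(P) -> Fraction:
    """Assumption of this example: the coin is tails with probability 3^(|S_i| - 5)."""
    return Fraction(1, 3 ** (K - len(pauli_support(P))))


def consistent_and_tails_probability(N: int, P: str) -> Fraction:
    """Pr[P_i consistent and coin tails] over the verifier's choice of S_V (assumed
    uniform among subsets of [N] with 1 <= |S_V| <= 5) and W in {X,Y,Z}^N:
    Pr[S_V = S_i] * 3^(-|S_i|) * 3^(|S_i|-5), which is independent of |S_i|."""
    num_subsets = sum(comb(N, i) for i in range(1, K + 1))
    S_i = pauli_support(P)
    return Fraction(1, num_subsets) * Fraction(1, 3 ** len(S_i)) * tails_probability(P)


class FixedCoin:
    """Deterministic stand-in for the coin's randomness source (illustration only)."""
    def __init__(self, value: float):
        self.value = value

    def random(self) -> float:
        return self.value


def verify_decision(P, s_i, S_V, W, m, x, z, xh, zh, rng=random) -> bool:
    """Decision part of Verify_DM, after the OT-derived pad bits have been recovered
    and checked against the ciphertexts (that step is not modelled here).
    Returns True for ⊤ and False for ⊥."""
    if not is_consistent(P, S_V, W):
        return True                       # sampled term cannot be tested: ⊤
    if rng.random() >= float(tails_probability(P)):
        return True                       # heads: ⊤
    return parity_test(P, s_i, W, m, x, z, xh, zh)   # tails: actually test the term


# Constructed scenario: N = 6 qubits, sampled term P_i = X_1 Z_3 Y_4 (|S_i| = 3).
EXAMPLE = dict(
    P="XIZYII", s_i=+1, S_V={0, 2, 3},
    W=["X", "Z", "Z", "Y", "X", "Y"],
    m=[1, 0, 1, 0, 0, 1],        # verifier's W_j-basis outcomes
    x=[0, 1, 1, 0, 1, 0],        # Bell-measurement outcomes carried in the proof
    z=[1, 0, 0, 1, 0, 1],
    xh=[1, 0, 0, 1, 0, 0],       # pad bits recovered via the OT
    zh=[0, 1, 1, 1, 0, 1],
)


if __name__ == "__main__":
    e = EXAMPLE
    print("consistent:", is_consistent(e["P"], e["S_V"], e["W"]))
    print("parity test on tails:", verify_decision(rng=FixedCoin(0.0), **e))
    print("Pr[consistent and tails] =", consistent_and_tails_probability(6, e["P"]))
```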
Game 2: This game is identical to the previous game except that Step 4 is replaced with Step 4′ described as follows.

4′. The challenger generates $\mathsf{ot}_1 \xleftarrow{\$} \mathsf{Sim}_{rec}(\mathsf{crs}_{OT})$.

By the statistical receiver's security in the binding mode of $\Pi_{OT}$, it is clear that we have $|\Pr[\mathsf{Win}_1] - \Pr[\mathsf{Win}_2]| \le \mathsf{negl}(\lambda)$.

Game 3: This game is identical to the previous game except that Step 2 is replaced with Step 2′ described below.

2′. The challenger generates $N$ Bell pairs between registers $\mathbf{P}$ and $\mathbf{V}$ and lets $\rho_P$ and $\rho_V$ be the quantum states in registers $\mathbf{P}$ and $\mathbf{V}$, respectively. Then it chooses $(W_1, \ldots, W_N) \xleftarrow{\$} \{X, Y, Z\}^N$, measures the $j$-th qubit of $\rho_V$ in the $W_j$ basis for all $j \in [N]$, and lets $(m_1, \ldots, m_N)$ be the measurement outcomes.

By Lemma 2.1, the joint distributions of $(\rho_P, (W_1, \ldots, W_N, m_1, \ldots, m_N))$ in Game 2 and Game 3 are identical, and thus we have $\Pr[\mathsf{Win}_2] = \Pr[\mathsf{Win}_3]$.

Game 4: This game is identical to the previous game except that the measurement of $\rho_V$ in Step 2′ is omitted and the way of generating $\{m'_j\}_{j \in S_i}$ in Step 7 is modified as follows.

• The challenger computes $\rho'_V := X^{x \oplus \hat{x}} Z^{z \oplus \hat{z}} \rho_V Z^{z \oplus \hat{z}} X^{x \oplus \hat{x}}$. For all $j \in S_i$, it measures the $j$-th qubit of $\rho'_V$ in the $W_j$ basis, and lets $m'_j$ be the measurement outcome.

By Lemma 2.2, this does not change the distribution of $\{m'_j\}_{j \in S_i}$. Therefore, we have $\Pr[\mathsf{Win}_3] = \Pr[\mathsf{Win}_4]$.

Let $E_{\mathsf{x}}$ be the event that the statement output by $\mathcal{A}$ is $\mathsf{x}$, and $\rho'_{V,\mathsf{x}}$ be the state in $\mathbf{V}$ right before the measurement in the modified Step 7 conditioned on $E_{\mathsf{x}}$. For any fixed $P_i$, the probability that $P_i$ is consistent to $(S_V, \{W_j\}_{j \in S_V})$ and the coin is tails is $\frac{1}{N'}$. Therefore, by Lemma 2.5, we have
$$\Pr[\mathsf{Win}_4 \mid E_{\mathsf{x}}] = 1 - \frac{1}{N'} \mathrm{Tr}(\rho'_{V,\mathsf{x}} H_{\mathsf{x}}).$$
Then we have
$$\Pr[\mathsf{Win}_4] = \sum_{\mathsf{x} \notin L} \Pr[E_{\mathsf{x}}] \left(1 - \frac{1}{N'} \mathrm{Tr}(\rho'_{V,\mathsf{x}} H_{\mathsf{x}})\right) \le \sum_{\mathsf{x} \notin L} \Pr[E_{\mathsf{x}}] \left(1 - \frac{\beta}{N'}\right) \le 1 - \frac{\beta}{N'}$$
where the first inequality follows from Lemma 2.8.

By combining the above, we obtain $\Pr[\mathsf{Win}_0] \le 1 - \frac{\beta}{N'} + \mathsf{negl}(\lambda)$. This completes the proof of Lemma 5.11.

Proof of Lemma 5.12 (Zero-Knowledge). Let $\mathsf{Sim}_{CRS}$, $\mathsf{Sim}_{sen}$, and $\mathsf{Open}_{rec}$ be the corresponding algorithms for the statistical sender's security in the hiding mode of $\Pi_{OT}$. The simulator $\mathsf{Sim} = (\mathsf{Sim}_0, \mathsf{Sim}_1)$ for $\Pi_{DM}$ is described below.

$\mathsf{Sim}_0(1^\lambda)$: It generates $(\mathsf{crs}_{OT}, \mathsf{td}_{OT}) \xleftarrow{\$} \mathsf{Sim}_{CRS}(1^\lambda)$ and $\mathsf{pk} \xleftarrow{\$} \mathsf{LossyGen}_{LE}(1^\lambda)$ and outputs $\mathsf{crs}_{DM} := (\mathsf{crs}_{OT}, \mathsf{pk})$ and $\mathsf{td}_{DM} := (\mathsf{crs}_{OT}, \mathsf{td}_{OT}, \mathsf{pk})$.

$\mathsf{Sim}_1(\mathsf{td}_{DM}, k_P, \mathsf{x})$: The simulator parses $(\mathsf{crs}_{OT}, \mathsf{td}_{OT}, \mathsf{pk}) \leftarrow \mathsf{td}_{DM}$ and $(\rho_P, \mathsf{ot}_1) \leftarrow k_P$ and does the following.

1. Compute $J := \mathsf{Open}_{rec}(\mathsf{td}_{OT}, \mathsf{ot}_1)$. Let $S_V := \{j_1, \ldots, j_5\} \subseteq [N]$ where $J = (j_1, \ldots, j_5)$.

2. Generate $(\hat{x}, \hat{z}) \xleftarrow{\$} \{0,1\}^N \times \{0,1\}^N$, $R_j \xleftarrow{\$} \mathcal{R}_{LE}$ for $j \in [N]$, $\mathsf{ct}_j := \mathsf{Enc}_{LE}(\mathsf{pk}, (\hat{x}_j, \hat{z}_j); R_j)$ for all $j \in [N]$, and $\mathsf{ot}_2 \xleftarrow{\$} \mathsf{Sim}_{sen}(\mathsf{crs}_{OT}, \mathsf{ot}_1, J, \mu_J)$ where $\mu_J := (\mu_{j_1}, \ldots, \mu_{j_5})$ and $\mu_{j_i} := ((\hat{x}_{j_i}, \hat{z}_{j_i}), R_{j_i})$ for $i \in [5]$.

3. Generate the classical description of the density matrix $\rho_{S_V} := \mathsf{Sim}_{hist}(\mathsf{x}, S_V)$, where $\mathsf{Sim}_{hist}$ is as in Lemma 2.8.

4. Generate $\tilde{\rho}'_{hist} := \left(\prod_{j \in S_V} X_j^{\hat{x}_j} Z_j^{\hat{z}_j}\right) \rho_{S_V} \left(\prod_{j \in S_V} Z_j^{\hat{z}_j} X_j^{\hat{x}_j}\right) \otimes \frac{I_{[N] \setminus S_V}}{2^{|[N] \setminus S_V|}}$.

5. Measure the $j$-th qubits of $\tilde{\rho}'_{hist}$ and $\rho_P$ in the Bell basis for $j \in [N]$, and let $(x_j, z_j)$ be the $j$-th measurement result.

6. Output $\pi := (x, z, \{\mathsf{ct}_j\}_{j \in [N]}, \mathsf{ot}_2)$ where $x := x_1 \| x_2 \| \ldots \| x_N$ and $z := z_1 \| z_2 \| \ldots \| z_N$.

We consider the following sequence of modified versions of $\mathsf{Sim}_1$, which take $w \in R_L(\mathsf{x})$ as an additional input.
Sim (1)1 ( td DM , k P , x , w ) : This simulator works similarly to Sim except that it generates the historystate ρ hist for H x from w instead of ρ S V in Step 3, defines ρ ′ hist := X b x Z b z ρ hist Z b z X b x in Step 4,and uses ρ ′ hist instead of e ρ ′ hist in Step 5. Sim (2)1 ( td DM , k P , x , w ) : This simulator works similarly to Sim (1)1 except that in Step 2, it generates ot $ ← Sender OT ( crs OT , ot , ( µ , ..., µ N )) instead of ot $ ← Sim sen ( crs OT , ot , J, µ J ) where µ j :=(( b x j , b z j ) , R j ) for j ∈ [ N ]. We note that Sim (2)1 needs not run Step 1 since it does not use J inlater steps and thus it does not use td OT .Let O P ( crs DM , · , · , · ) and O S ( td DM , · , · , · ) be as in Definition 5.1 and O ( i ) S ( td DM , · , · , · ) be the oraclethat works similarly to O S ( td DM , · , · , · ) except that it uses Sim ( i )1 instead of Sim for i = 1 , Claim 5.13. If Π LE satisfies lossiness on lossy keys, we have (cid:12)(cid:12)(cid:12) Pr h D O S ( td DM , · , · , · ) ( crs DM ) = 1 i − Pr h D O (1) S ( td DM , · , · , · ) ( crs DM ) = 1 i(cid:12)(cid:12)(cid:12) ≤ negl ( λ ) where ( crs DM , td DM ) $ ← Sim (1 λ ) for any distinguisher D that makes poly ( λ ) queries of the form ( k P = ( ρ P , ot ) , x , w ) for some w ∈ R L ( x ) . roof of Claim 5.13. Let e O S ( td DM , · , · , · ) and e O (1) S ( td DM , · , · , · ) be oracles that work similarly to O S ( td DM , · , · , · ) and O (1) S ( td DM , · , · , · ) except that they generate ct j := Enc LE ( pk , (0 , R j ) insteadof ct j := Enc LE ( pk , ( b x j , b z j ); R j ) for j / ∈ S V , respectively. 
By lossiness on lossy keys of Π LE , D cannot distinguish e O S ( td DM , · , · , · ) and e O (1) S ( td DM , · , · , · ) from O S ( td DM , · , · , · ) and O (1) S ( td DM , · , · , · )with non-negligible advantage, respectively, noting that no information of { R j } j / ∈ S V is given to D .When D is given either of e O S ( td DM , · , · , · ) or e O (1) S ( td DM , · , · , · ), it has no information on { b x j , b z j } j / ∈ S V .Therefore, by Lemma 2.3, we have ρ ′ hist = Y j ∈ S V X b x j j Z b z j j Tr N \ S V [ ρ hist ] Y j ∈ S V Z b z j j X b x j j ⊗ I [ N ] \ S V | [ N ] \ S V | from the view of D . By Lemma 2.8, we have k ρ S V − Tr [ N ] \ S V ρ hist k tr ≤ negl ( λ ). Therefore,we have k e ρ ′ hist − ρ ′ hist k tr ≤ negl ( λ ). This means that it cannot distinguish e O S ( td DM , · , · , · ) and e O (1) S ( td DM , · , · , · ) with non-negligible advantage. By combining the above, Claim 5.13 follows. Claim 5.14. If Π OT satisfies the second item of statistical sender’s security in the hiding mode,we have (cid:12)(cid:12)(cid:12) Pr h D O (1) S ( td DM , · , · , · ) ( crs DM ) = 1 i − Pr h D O (2) S ( td DM , · , · , · ) ( crs DM ) = 1 i(cid:12)(cid:12)(cid:12) ≤ negl ( λ ) where ( crs DM , td DM ) $ ← Sim (1 λ ) for any distinguisher D that makes poly ( λ ) queries.Proof of Claim 5.14. Let Q = poly ( λ ) be the maximum number of D ’s queries. For i = 0 , ..., Q , let O (1 .i ) S ( td DM , · , · , · ) be the hybrid oracle that works similarly to O (2) S ( td DM , · , · , · ) for the first i queriesand works similarly to O (1) S ( td DM , · , · , · ) for the rest. By a standard hybrid argument, it suffices toprove (cid:12)(cid:12)(cid:12) Pr h D O (1 .i ) S ( td DM , · , · , · ) ( crs DM ) = 1 i − Pr h D O (1 . ( i +1)) S ( td DM , · , · , · ) ( crs DM ) = 1 i(cid:12)(cid:12)(cid:12) ≤ negl ( λ ) (1)where ( crs DM , td DM ) $ ← Sim (1 λ ) for all i = 0 , ..., Q − 1. 
For proving this, for any fixed ( b x, b z ) ∈{ , } N × { , } N and { R j } j ∈ [ N ] ∈ R N LE , we consider the following adversary A = ( A , A ) againstthe second item of statistical sender’s security in the hiding mode of Π OT . A ( crs OT , td OT ) : It generates pk $ ← LossyGen (1 λ ), gives crs DM := ( crs OT , pk ) to D as input and runsit until it makes ( i + 1)-th query where A simulates responses to the first i queries similarlyto O (2) S ( td DM , · , · , · ) where td DM = ( crs OT , td OT , pk ). Let ( k P , x , w ) be D ’s ( i + 1)-th query. A parses ( ρ P , ot ) ← k P and computes the history state ρ hist for H x from w . It outputs ot and st A := ( ρ P , ρ hist ). A ( st A = ( ρ P , ρ hist ) , ot ) : It generates ct j := Enc LE ( pk , ( b x j , b z j ); R j ) for all j ∈ [ N ] and ρ ′ hist := X b x Z b z ρ hist Z b z X b x , measures j -th qubits of ρ ′ hist and ρ P in the Bell basis for j ∈ [ N ], lets( x j , z j ) be the j -th measurement result, and returns π := ( x, z, { ct j } j ∈ [ N ] , ot ) to D as theresponse of the oracle to the ( i + 1)-th query where x := x k x k ... k x N and z := z k z k ... k z N . A runs the rest of the execution of D by simulating the oracle similarly to O (1) S ( td DM , · , · , · ).Finally, A outputs whatever D outputs. 32et µ := ((( b x , b z ) , R ) , ..., (( b x N , b z N ) , R N )). If ot is generated as ot $ ← Sender ( crs OT , ot , µ ),then A perfectly simulates the execution of D O (1 .i ) S ( td DM , · , · , · ) ( crs DM ) conditioned on the fixed ( b x, b z )and { R j } j ∈ [ N ] . On the other hand, if ot is generated as J := Open rec ( td OT , ot ) and ot $ ← Sim sen ( crs OT , ot , J, µ J ), then A perfectly simulates the execution of D O (1 . ( i +1)) S ( td DM , · , · , · ) ( crs DM ) con-ditioned on the fixed ( b x, b z ) and { R j } j ∈ [ N ] . Therefore, averaging over the random choice of ( b x, b z )and { R j } j ∈ [ N ] , the l.h.s. 
of Equation (1) can be upper bounded by the average of the advantage of $\mathcal{A}$ in distinguishing the two cases, which is negligible by the assumption. This completes the proof of Claim 5.14.

Claim 5.15. If $\Pi_{OT}$ satisfies the first item of statistical sender's security in the hiding mode, we have
$$\Big| \Pr\big[D^{O^{(2)}_S(td_{DM},\cdot,\cdot,\cdot)}(crs_{DM}) = 1 : (crs_{DM}, td_{DM}) \xleftarrow{\$} \mathrm{Sim}(1^\lambda)\big] - \Pr\big[D^{O_P(crs_{DM},\cdot,\cdot,\cdot)}(crs_{DM}) = 1 : crs_{DM} \xleftarrow{\$} \mathrm{CRSGen}_{DM}(1^\lambda, \mathrm{hiding})\big] \Big| \le \mathrm{negl}(\lambda).$$

Proof of Claim 5.15. For any $(crs_{DM}, td_{DM}) \xleftarrow{\$} \mathrm{Sim}(1^\lambda)$, $k_P$, $\mathtt{x}$, and $w$, we have $O^{(2)}_S(td_{DM}, k_P, \mathtt{x}, w) = O_P(crs_{DM}, k_P, \mathtt{x}, w)$, observing that $\mathrm{Sim}^{(2)}_1$ works in exactly the same way as the honest proving algorithm. Moreover, the distributions of $crs_{DM}$ generated by $\mathrm{Sim}(1^\lambda)$ and by $\mathrm{CRSGen}_{DM}(1^\lambda, \mathrm{hiding})$ are statistically indistinguishable by the first item of statistical sender's security in the hiding mode of $\Pi_{OT}$. Therefore Claim 5.15 follows.

By combining Claims 5.13 to 5.15, we complete the proof of Lemma 5.12.

References

[AB20] V. Arte and M. Bellare. Dual-Mode NIZKs: Possibility and Impossibility Results for Property Transfer. In INDOCRYPT 2020, pages 859–881, 2020.
[ABOEM17] D. Aharonov, M. Ben-Or, E. Eban, and U. Mahadev. Interactive Proofs for Quantum Computations. arXiv:1704.04487, 2017.
[ACGH20] G. Alagic, A. M. Childs, A. B. Grilo, and S.-H. Hung. Non-interactive Classical Verification of Quantum Computation. In TCC 2020, Part III, pages 153–180, 2020.
[AV12] D. Aharonov and U. Vazirani. Is Quantum Mechanics Falsifiable? A computational perspective on the foundations of Quantum Mechanics. arXiv:1206.3686, 2012.
[BC90] G. Brassard and C. Crépeau. Sorting out Zero-Knowledge. In EUROCRYPT'89, pages 181–191, 1990.
[BCKM20] J. Bartusek, A. Coladangelo, D. Khurana, and F. Ma. On The Round Complexity of Two-Party Quantum Computation. arXiv:2011.11212, 2020.
[BCR86] G. Brassard, C. Crépeau, and J.-M. Robert. Information Theoretic Reductions among Disclosure Problems. Pages 168–173, 1986.
[BCR87] G. Brassard, C. Crépeau, and J.-M. Robert. All-or-Nothing Disclosure of Secrets. In CRYPTO'86, pages 234–238, 1987.
[BD18] Z. Brakerski and N. Döttling. Two-Message Statistically Sender-Private OT from LWE. In TCC 2018, Part II, pages 370–390, 2018.
[BFM88] M. Blum, P. Feldman, and S. Micali. Non-Interactive Zero-Knowledge and Its Applications (Extended Abstract). Pages 103–112, 1988.
[BG20] A. Broadbent and A. B. Grilo. QMA-hardness of Consistency of Local Density Matrices with Applications to Quantum Zero-Knowledge. Pages 196–205, 2020.
[BHY09] M. Bellare, D. Hofheinz, and S. Yilek. Possibility and Impossibility Results for Encryption and Commitment Secure under Selective Opening. In EUROCRYPT 2009, pages 1–35, 2009.
[BJSW20] A. Broadbent, Z. Ji, F. Song, and J. Watrous. Zero-Knowledge Proof Systems for QMA. SIAM J. Comput., 49(2):245–283, 2020.
[BS20] N. Bitansky and O. Shmueli. Post-quantum zero knowledge in constant rounds. Pages 269–279, 2020.
[BY20] Z. Brakerski and H. Yuen. Quantum Garbled Circuits. arXiv:2006.01085, 2020.
[Can20] R. Canetti. Universally Composable Security. J. ACM, 67(5):28:1–28:94, 2020.
[CCKV08] A. Chailloux, D. F. Ciocan, I. Kerenidis, and S. P. Vadhan. Interactive and Non-interactive Zero Knowledge are Equivalent in the Help Model. In TCC 2008, pages 501–534, 2008.
[CGJV19] A. Coladangelo, A. B. Grilo, S. Jeffery, and T. Vidick. Verifier-on-a-Leash: New Schemes for Verifiable Delegated Quantum Computation, with Quasilinear Resources. In EUROCRYPT 2019, Part III, pages 247–277, 2019.
[CM16] T. S. Cubitt and A. Montanaro. Complexity Classification of Local Hamiltonian Problems. SIAM J. Comput., 45(2):268–316, 2016.
[CNs07] J. Camenisch, G. Neven, and a. shelat. Simulatable Adaptive Oblivious Transfer. In EUROCRYPT 2007, pages 573–590, 2007.
[CVZ20] A. Coladangelo, T. Vidick, and T. Zhang. Non-interactive Zero-Knowledge Arguments for QMA, with Preprocessing. In CRYPTO 2020, Part III, pages 799–828, 2020.
[DMP90] A. De Santis, S. Micali, and G. Persiano. Non-Interactive Zero-Knowledge with Preprocessing. In CRYPTO'88, pages 269–282, 1990.
[FHM18] J. F. Fitzsimons, M. Hajdušek, and T. Morimae. Post hoc verification with a single prover. Phys. Rev. Lett., 120:040501, 2018.
[FK17] J. F. Fitzsimons and E. Kashefi. Unconditionally verifiable blind quantum computation. Physical Review A, 96(1), 2017.
[FLS99] U. Feige, D. Lapidot, and A. Shamir. Multiple NonInteractive Zero Knowledge Proofs Under General Assumptions. SIAM J. Comput., 29(1):1–28, 1999.
[GKK19] A. Gheorghiu, T. Kapourniotis, and E. Kashefi. Verification of Quantum Computation: An Overview of Existing Approaches. Theory Comput. Syst., 63(4):715–808, 2019.
[GMR89] S. Goldwasser, S. Micali, and C. Rackoff. The Knowledge Complexity of Interactive Proof Systems. SIAM J. Comput., 18(1):186–208, 1989.
[GOS12] J. Groth, R. Ostrovsky, and A. Sahai. New Techniques for Noninteractive Zero-Knowledge. J. ACM, 59(3):11:1–11:35, 2012.
[Got04] D. Gottesman, 2004.
[Gri19] A. B. Grilo. A Simple Protocol for Verifiable Delegation of Quantum Computation in One Round. In ICALP 2019, pages 28:1–28:13, 2019.
[GS12] J. Groth and A. Sahai. Efficient Noninteractive Proof Systems for Bilinear Groups. SIAM J. Comput., 41(5):1193–1232, 2012.
[GSY19] A. B. Grilo, W. Slofstra, and H. Yuen. Perfect Zero Knowledge for Quantum Multiprover Interactive Proofs. Pages 611–635, 2019.
[GV19] A. Gheorghiu and T. Vidick. Computationally-Secure and Composable Remote State Preparation. Pages 1024–1033, 2019.
[HM15] M. Hayashi and T. Morimae. Verifiable Measurement-Only Blind Quantum Computing with Stabilizer Testing. Physical Review Letters, 115(22), 2015.
[HU19] D. Hofheinz and B. Ursu. Dual-Mode NIZKs from Obfuscation. In ASIACRYPT 2019, Part I, pages 311–341, 2019.
[IKLP06] Y. Ishai, E. Kushilevitz, Y. Lindell, and E. Petrank. Black-box constructions for secure computation. Pages 99–108, 2006.
[Kob03] H. Kobayashi. Non-interactive Quantum Perfect and Statistical Zero-Knowledge. In Algorithms and Computation, 14th International Symposium, ISAAC 2003, Kyoto, Japan, December 15–17, 2003, Proceedings, pages 178–188, 2003.
[Lin08] A. Y. Lindell. Efficient Fully-Simulatable Oblivious Transfer. In CT-RSA 2008, pages 52–70, 2008.
[LPWW20] B. Libert, A. Passelègue, H. Wee, and D. J. Wu. New Constructions of Statistical NIZKs: Dual-Mode DV-NIZKs and More. In EUROCRYPT 2020, Part III, pages 410–441, 2020.
[Mah18a] U. Mahadev. Classical Homomorphic Encryption for Quantum Circuits. Pages 332–338, 2018.
[Mah18b] U. Mahadev. Classical Verification of Quantum Computations. Pages 259–267, 2018.
[MNS18] T. Morimae, D. Nagaj, and N. Schuch. Quantum proofs can be verified using only single-qubit measurements. Phys. Rev. A, 93:022326, 2018.
[Mor20] T. Morimae. Information-theoretically-sound non-interactive classical verification of quantum computing with trusted center. arXiv:2003.10712, 2020.
[MW18] S. Menda and J. Watrous. Oracle Separations for Quantum Statistical Zero-Knowledge. arXiv:1801.08967, 2018.
[NC00] M. A. Nielsen and I. L. Chuang. Quantum Computation and Quantum Information. Cambridge University Press, 2000.
[NP01] M. Naor and B. Pinkas. Efficient oblivious transfer protocols. In Proceedings of the Twelfth Annual Symposium on Discrete Algorithms, January 7–9, 2001, Washington, DC, USA, pages 448–457, 2001.
[Pas13] R. Pass. Unprovable Security of Perfect NIZK and Non-interactive Non-malleable Commitments. In TCC 2013, pages 334–354, 2013.
[Ps05] R. Pass and a. shelat. Unconditional Characterizations of Non-interactive Zero-Knowledge. In CRYPTO 2005, pages 118–134, 2005.
[PS19] C. Peikert and S. Shiehian. Noninteractive Zero Knowledge for NP from (Plain) Learning with Errors. In CRYPTO 2019, Part I, pages 89–114, 2019.
[PVW08] C. Peikert, V. Vaikuntanathan, and B. Waters. A Framework for Efficient and Composable Oblivious Transfer. In CRYPTO 2008, pages 554–571, 2008.
[Qua20] W. Quach. UC-Secure OT from LWE, Revisited. In SCN 20, pages 192–211, 2020.
[Reg09] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 56(6):34:1–34:40, 2009.
[RT19] R. Raz and A. Tal. Oracle separation of BQP and PH. Pages 13–23, 2019.
[RUV13] B. W. Reichardt, F. Unger, and U. Vazirani. Classical Command of Quantum Systems. Nature, 496:456–460, 2013.
[Shm20] O. Shmueli. Multi-theorem (Malicious) Designated-Verifier NIZK for QMA. arXiv:2007.12923, 2020.
[VW16] T. Vidick and J. Watrous. Quantum Proofs. arXiv:1610.01664, 2016.
[Wat00] J. Watrous. Succinct quantum proofs for properties of finite groups. Pages 537–546, 2000.

A More Explanation on Lemma 2.8

Here, we explain how to obtain Lemma 2.8 based on [BG20]. Let $L$ be any QMA language, and $V = U_T \cdots U_1$ be its verification circuit, where each $U_i$ is an elementary gate taken from a universal gate set. For $\mathtt{x} \in L$, there exists a witness state $|\psi\rangle$ such that $V$ accepts with probability exponentially close to 1, whereas for $\mathtt{x} \notin L$, any state makes $V$ accept with probability exponentially small.

As is explained in [BG20], we consider the encoded version $V'$ of the verification circuit with a certain quantum error correcting code. The circuit $V'$ consists of gates from the universal gate set $\{CNOT, T, H, X, Z\}$. From the standard circuit-to-Hamiltonian construction technique, we can construct a local Hamiltonian $H_{\mathtt{x}} := \sum_i H_i$ corresponding to $V'$. If there is a witness state $|\psi\rangle$ that makes $V'$ accept with probability $1 - \mathrm{negl}(|\mathtt{x}|)$, then the history state
$$\frac{1}{\sqrt{T+1}} \sum_{t=0}^{T} |t\rangle_{\mathrm{clock}} \otimes U_t \cdots U_1 \big(\mathrm{Enc}(|\psi\rangle) \otimes |A\rangle\big),$$
where the clock register $|t\rangle_{\mathrm{clock}}$ is written in unary and $|A\rangle$ is the ancilla state, has exponentially small energy.
Due to the local simulatability, there is an efficient deterministic algorithm that outputs the classical description of a state that is close to the reduced density matrix of the history state on at most five qubits [BG20, GSY19]. If every quantum state $|\psi\rangle$ makes $V'$ reject with probability at least $\epsilon$, then the ground energy of $H_{\mathtt{x}}$ is at least $\Omega(\epsilon / \mathrm{poly}(T))$.

Let $H_{\mathtt{x}} = \sum_{i=1}^M c_i P_i$ be the local Hamiltonian, where $M = \mathrm{poly}(|\mathtt{x}|)$, $c_i$ is real, and $P_i$ is a tensor product of Pauli operators ($I, X, Y, Z$). In the standard circuit-to-Hamiltonian construction, each $P_i$ is a tensor product of at most five non-trivial Pauli operators ($X, Y, Z$). As is shown in [MNS18], this Hamiltonian can be changed to the form $\sum_{i=1}^M p_i \frac{I + s_i P_i}{2}$ with $M = \mathrm{poly}(|\mathtt{x}|)$, $s_i \in \{+1, -1\}$, $p_i > 0$, $\sum_{i=1}^M p_i = 1$, and $P_i$ a tensor product of Pauli operators ($I, X, Y, Z$) with at most five non-trivial Pauli operators ($X, Y, Z$). In fact, define the normalized Hamiltonian
$$H'_{\mathtt{x}} := \frac{1}{2}\left(I + \frac{H_{\mathtt{x}}}{\sum_{i=1}^M |c_i|}\right) = \sum_{i=1}^M \frac{|c_i|}{\sum_{i'=1}^M |c_{i'}|} \cdot \frac{I + \mathrm{sign}(c_i) P_i}{2},$$
and we have only to take $p_i := |c_i| / \sum_{i'=1}^M |c_{i'}|$ and $s_i := \mathrm{sign}(c_i)$.

B Proofs of Lemmas 3.2 and 4.2

Here, we give an alternative direct proof of Lemma 3.2, and more details for the proof of Lemma 4.2.

B.1 Alternative Proof of Lemma 3.2

We first show the soundness. Let us define $H^h := \bigotimes_{j=1}^N H^{h_j}$ and $|m\rangle := \bigotimes_{j=1}^N |m_j\rangle$. Let $\{\Lambda_{x,z,\mathtt{x}}\}_{x,z,\mathtt{x}}$ be the POVM that the adversary $\mathcal{A}$ applies to $k_P$.
Then,
$$\begin{aligned}
&\Pr\big[\mathtt{x} \notin L \wedge \mathrm{Verify}(k_V, \mathtt{x}, \pi) = \top : (k_P, k_V) \xleftarrow{\$} \mathrm{Setup}(1^\lambda),\ (\mathtt{x}, \pi) \xleftarrow{\$} \mathcal{A}(k_P)\big] \\
&= \frac{1}{2^{2N}} \sum_{h \in \{0,1\}^N} \sum_{m \in \{0,1\}^N} \sum_{x,z} \sum_{\mathtt{x} \notin L} \langle m | H^h \Lambda_{x,z,\mathtt{x}} H^h | m \rangle \sum_{j_1, j_2} p_{\mathtt{x}, j_1, j_2} \frac{1 - s_{\mathtt{x}, j_1, j_2} (-1)^{m'_{j_1} \oplus m'_{j_2}}}{2} \\
&= \frac{1}{2^{2N}} \sum_{h \in \{0,1\}^N} \sum_{m \in \{0,1\}^N} \sum_{x,z} \sum_{\mathtt{x} \notin L} \sum_{j_1, j_2} p_{\mathtt{x}, j_1, j_2} \langle m | H^h \Lambda_{x,z,\mathtt{x}} H^h \, H^h X^x Z^z H^h \frac{I - s_{\mathtt{x}, j_1, j_2} Z_{j_1} Z_{j_2}}{2} H^h Z^z X^x H^h | m \rangle \\
&= \frac{1}{2^{2N}} \sum_{h \in \{0,1\}^N} \sum_{x,z} \sum_{\mathtt{x} \notin L} \sum_{j_1, j_2} p_{\mathtt{x}, j_1, j_2} \mathrm{Tr}\Big[ H^h \Lambda_{x,z,\mathtt{x}} H^h \, H^h X^x Z^z H^h \frac{I - s_{\mathtt{x}, j_1, j_2} Z_{j_1} Z_{j_2}}{2} H^h Z^z X^x H^h \Big] \\
&= \frac{1}{2^N} \sum_{x,z} \sum_{\mathtt{x} \notin L} \mathrm{Tr}\big[ Z^z X^x \Lambda_{x,z,\mathtt{x}} X^x Z^z (I - H_{\mathtt{x}}) \big] \\
&= \mathrm{Tr}[\sigma (I - H_{\mathtt{x}})] \le \mathrm{Tr}\Big[ \frac{\sigma}{\mathrm{Tr}\,\sigma} (I - H_{\mathtt{x}}) \Big] = 1 - \mathrm{Tr}\Big[ \frac{\sigma}{\mathrm{Tr}\,\sigma} H_{\mathtt{x}} \Big] \le 1 - \beta,
\end{aligned}$$
where $\sigma := \frac{1}{2^N} \sum_{x,z} \sum_{\mathtt{x} \notin L} Z^z X^x \Lambda_{x,z,\mathtt{x}} X^x Z^z$. Here $m'$ is determined by $m$, $h$, $x$ and $z$, the factor $2^{-2N}$ is the probability of each pair $(h, m)$, the third equality uses $\sum_m \langle m | \cdot | m \rangle = \mathrm{Tr}[\cdot]$, and the fourth uses $H^h H^h = I$, the cyclicity of the trace, and the definition of $H_{\mathtt{x}}$. Note that $\sigma / \mathrm{Tr}\,\sigma$ is a quantum state for any POVM $\{\Lambda_{x,z,\mathtt{x}}\}_{x,z,\mathtt{x}}$ and that $\mathrm{Tr}\,\sigma \le 1$.

Next we show the completeness. The POVM corresponding to $\mathrm{Prove}$ is $\{\Lambda_{x,z} = 2^{-N} Z^z X^x \rho_{hist} X^x Z^z\}_{x,z}$. Note that this is a POVM, because $\Lambda_{x,z} \ge 0$ and
$$\sum_{x,z} \Lambda_{x,z} = 2^{-N} \sum_{x,z} Z^z X^x \rho_{hist} X^x Z^z = 2^{-N} \cdot 2^N I = I.$$
The reason why such $\{\Lambda_{x,z}\}_{x,z}$ is the POVM performed by the $\mathrm{Prove}$ algorithm is as follows. The $\mathrm{Prove}$ algorithm first prepares $\rho_{hist} \otimes H^h |m\rangle\langle m| H^h$, and then measures the $j$-th qubit of the history state and the $j$-th qubit of $H^h |m\rangle$ in the Bell basis for all $j = 1, 2, \ldots, N$. Then,
$$\Big( \bigotimes_{j=1}^N \langle \phi_{x_j, z_j} | \Big) \Big( \rho_{hist} \otimes H^h |m\rangle\langle m| H^h \Big) \Big( \bigotimes_{j=1}^N | \phi_{x_j, z_j} \rangle \Big) = \mathrm{Tr}\Big[ 2^{-N} Z^z X^x \rho_{hist} X^x Z^z \times H^h |m\rangle\langle m| H^h \Big].$$
Hence
$$\begin{aligned}
&\Pr\big[ \mathrm{Verify}(k_V, \mathtt{x}, \pi) = \top : (k_P, k_V) \xleftarrow{\$} \mathrm{Setup}(1^\lambda),\ \pi \xleftarrow{\$} \mathrm{Prove}(k_P, \mathtt{x}, w^{\otimes k}) \big] \\
&= \frac{1}{2^N} \sum_{x,z} \mathrm{Tr}\Big[ Z^z X^x \big( 2^{-N} Z^z X^x \rho_{hist} X^x Z^z \big) X^x Z^z (I - H_{\mathtt{x}}) \Big] = \mathrm{Tr}\big[ \rho_{hist} (I - H_{\mathtt{x}}) \big] = 1 - \mathrm{Tr}\big[ \rho_{hist} H_{\mathtt{x}} \big] \ge 1 - \alpha.
\end{aligned}$$

B.2 More details for the proof of Lemma 4.2

Here we give more details of the completeness and the soundness of the virtual protocol 2.
In the virtual protocol 2, $i \in [M]$ is chosen after $S_V$ and $(W_1, \ldots, W_N)$ are chosen, but we can assume that $i$ is chosen before $S_V$ and $(W_1, \ldots, W_N)$ are chosen, because they are independent. When $P_i$ is not consistent with $(S_V, \{W_j\}_{j \in S_V})$ or the coin comes up heads, the measurement result on $\rho'_V$ is not used. The probability that such cases happen is
$$\begin{aligned}
&\sum_{i=1}^M p_i \Big( \Pr[\text{not consistent} \mid i] + \Pr[\text{consistent} \mid i] \, (1 - 3^{|S_i| - 5}) \Big) \\
&= \sum_{i=1}^M p_i \left( \frac{3^N \sum_{j=1}^{5} \binom{N}{j} - 3^{N - |S_i|}}{3^N \sum_{j=1}^{5} \binom{N}{j}} + \frac{3^{N - |S_i|}}{3^N \sum_{j=1}^{5} \binom{N}{j}} \, (1 - 3^{|S_i| - 5}) \right) \\
&= \sum_{i=1}^M p_i \left( 1 - \frac{1}{3^5 \sum_{j=1}^{5} \binom{N}{j}} \right) = 1 - \frac{1}{3^5 \sum_{j=1}^{5} \binom{N}{j}} = 1 - \frac{1}{N'},
\end{aligned}$$
where $\Pr[\text{consistent} \mid i] = 3^{-|S_i|} / \sum_{j=1}^{5} \binom{N}{j}$ because $S_V$ must equal $S_i$ and $W_j$ must match the $j$-th Pauli operator of $P_i$ on each of the $|S_i|$ positions in $S_i$. The probability that $P_i$ is consistent and the coin comes up tails is therefore $1/N'$. In this case, the measurement result on $\rho'_V$ is used. The probability that the measurement result satisfies $(-1)^{\bigoplus_{j \in S_i} m'_j} = -s_i$ is, from Lemma 2.5,
$$\sum_{i=1}^M p_i \mathrm{Tr}\Big[ \Big( I - \frac{I + s_i P_i}{2} \Big) \rho'_V \Big] = 1 - \mathrm{Tr}(H_{\mathtt{x}} \rho'_V).$$
The total acceptance probability is therefore
$$1 - \frac{1}{N'} + \frac{1}{N'} \big[ 1 - \mathrm{Tr}(H_{\mathtt{x}} \rho'_V) \big] = 1 - \frac{\mathrm{Tr}(H_{\mathtt{x}} \rho'_V)}{N'}.$$

C Alternative Simpler Construction of CV-NIZK in the Secret Parameter Model

Here, we give an alternative construction of a CV-NIZK for QMA, which is slightly simpler than the construction given in Section 4. Our construction of a CV-NIZK for a QMA language $L$ is given in Figure 8, where $H_{\mathtt{x}}$, $N$, $M$, $p_i$, $s_i$, $P_i$, $\alpha$, $\beta$, and $\rho_{hist}$ are as in Lemma 2.7 for the language $L$. We have the following lemmas.

Lemma C.1 (Completeness and Soundness). $\Pi'_{NIZK}$ satisfies $(1 - \alpha/N')$-completeness and $(1 - \beta/N')$-soundness where $N' := 3^5 \sum_{i=1}^{5} \binom{N}{i}$.

Lemma C.2 (Zero-Knowledge). $\Pi'_{NIZK}$ satisfies the zero-knowledge property.
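The verifier of Figure 8 below is entirely classical, so its decision rule and the counting in Appendix B.2 can be checked by exhaustive enumeration. The following Python is an added example and not code from the paper: `verify` implements Verify of Figure 8 for an already-sampled term $(P_i, s_i)$ and coin outcome (including the $m'_j$ correction rule), and `prob_test_reached` computes, exactly in rationals, the probability over Setup's uniform choice of $(S_V, W)$ and Verify's biased coin that the parity test is executed, which the test compares with $1/N'$ for $N' = 3^5 \sum_{j=1}^{5}\binom{N}{j}$. The encoding of $P_i$ as a string over $\{I, X, Y, Z\}$, the verification key as a dict with fields `S_V`, `W`, `m`, the function names and the sample inputs are the example's own conventions.

```python
"""Added example (not from the paper): the classical verifier of Figure 8 (Appendix C)
and an exact check of the counting in Appendix B.2.  Paulis are strings over
{I, X, Y, Z}; a verification key is a dict with S_V, W and m (constructed here)."""
from fractions import Fraction
from itertools import combinations, product
from math import comb

PAULIS = "XYZ"


def nprime(N: int) -> int:
    """N' = 3^5 * sum_{j=1}^{5} C(N, j): the inverse of the probability that the
    parity test is reached (Lemma C.1)."""
    return 3 ** 5 * sum(comb(N, j) for j in range(1, 6))


def support(P: str) -> frozenset:
    """S_i: the positions on which the Pauli string P acts non-trivially."""
    return frozenset(j for j, w in enumerate(P) if w != "I")


def consistent(P: str, S_V, W: dict) -> bool:
    """P is consistent with (S_V, {W_j}) iff S_i = S_V and P agrees with W on S_i."""
    return support(P) == frozenset(S_V) and all(P[j] == W[j] for j in S_V)


def decode(Wj: str, m: int, x: int, z: int) -> int:
    """m'_j: correct the key outcome m_j by the Bell outcome (x_j, z_j); the outcome
    flips exactly when the teleportation Pauli anticommutes with the basis W_j."""
    if Wj == "Z":
        return m ^ x
    if Wj == "X":
        return m ^ z
    return m ^ x ^ z  # Wj == "Y"


def parity_test(P: str, s: int, kV: dict, x: list, z: list) -> bool:
    """The tails branch of Verify: accept iff (-1)^{XOR_{j in S_i} m'_j} == -s_i."""
    par = 0
    for j in support(P):
        par ^= decode(kV["W"][j], kV["m"][j], x[j], z[j])
    return (-1) ** par == -s


def verify(kV: dict, pi: tuple, P: str, s: int, tails: bool) -> bool:
    """Verify of Figure 8 for an already-sampled term (P_i, s_i) and coin outcome."""
    x, z = pi
    if not consistent(P, kV["S_V"], kV["W"]) or not tails:
        return True  # the term cannot be checked against this key: accept
    return parity_test(P, s, kV, x, z)


def prob_test_reached(N: int, P: str) -> Fraction:
    """Exact probability, over Setup's uniform (S_V, W) and Verify's biased coin, that
    the parity test is executed for a fixed term P (the 1/N' of Appendix B.2)."""
    k = len(support(P))
    assert 1 <= k <= 5, "terms of a 5-local Hamiltonian"
    subsets = [S for size in range(1, 6) for S in combinations(range(N), size)]
    pr_tails = Fraction(3 ** k, 3 ** 5)  # the coin is tails with probability 3^{|S_i|-5}
    total = Fraction(0)
    for S_V in subsets:
        for Ws in product(PAULIS, repeat=N):
            if consistent(P, S_V, dict(enumerate(Ws))):
                total += pr_tails
    return total / (len(subsets) * 3 ** N)


if __name__ == "__main__":
    kV = {"S_V": [0, 1], "W": {0: "Z", 1: "Z"}, "m": [0, 0]}  # constructed key
    print(verify(kV, ([0, 0], [0, 0]), "ZZ", -1, tails=True))
    print(prob_test_reached(4, "XZIY") == Fraction(1, nprime(4)))
```

The enumeration is over all $3^N$ basis choices and all subsets of size at most five, so it is only meant for small $N$; the point is that the result is independent of which term $P_i$ was drawn, which is what lets Appendix B.2 pull the $1/N'$ out of the sum over $i$.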
Lemmas C.1 and C.2 can be proven similarly to Lemmas 4.2 and 4.3, respectively.

$\mathrm{Setup}(1^\lambda)$: The setup algorithm chooses $(W_1, \ldots, W_N, m_1, \ldots, m_N) \xleftarrow{\$} \{X, Y, Z\}^N \times \{0,1\}^N$ and a uniformly random subset $S_V \subseteq [N]$ such that $1 \le |S_V| \le 5$, and outputs a proving key $k_P := \bigotimes_{j=1}^N (U(W_j) |m_j\rangle)$ and a verification key $k_V := (S_V, \{W_j, m_j\}_{j \in S_V})$.

$\mathrm{Prove}(k_P, \mathtt{x}, w)$: The proving algorithm generates the history state $\rho_{hist}$ for $H_{\mathtt{x}}$ from $w$ and measures the $j$-th qubits of $\rho_{hist}$ and $k_P$ in the Bell basis for $j \in [N]$. Let $x := x_1 \| x_2 \| \cdots \| x_N$ and $z := z_1 \| z_2 \| \cdots \| z_N$, where $(x_j, z_j)$ denotes the outcome of the $j$-th measurement. It outputs a proof $\pi := (x, z)$.

$\mathrm{Verify}(k_V, \mathtt{x}, \pi)$: The verification algorithm parses $(S_V, \{W_j, m_j\}_{j \in S_V}) \leftarrow k_V$ and $(x, z) \leftarrow \pi$, and chooses $i \in [M]$ according to the probability distribution defined by $\{p_i\}_{i \in [M]}$ (i.e., it chooses $i$ with probability $p_i$). Let $S_i := \{ j \in [N] \mid \text{the } j\text{-th Pauli operator of } P_i \text{ is not } I \}$. We note that $1 \le |S_i| \le 5$, since each $P_i$ has at most five non-trivial Pauli operators (Appendix A). We say that $P_i$ is consistent with $(S_V, \{W_j\}_{j \in S_V})$ if and only if $S_i = S_V$ and the $j$-th Pauli operator of $P_i$ is $W_j$ for all $j \in S_i$. If $P_i$ is not consistent with $(S_V, \{W_j\}_{j \in S_V})$, it outputs $\top$. If $P_i$ is consistent with $(S_V, \{W_j\}_{j \in S_V})$, it flips a biased coin that comes up heads with probability $1 - 3^{|S_i| - 5}$. If heads, it outputs $\top$. If tails, it defines
$$m'_j := \begin{cases} m_j \oplus x_j & (W_j = Z), \\ m_j \oplus z_j & (W_j = X), \\ m_j \oplus x_j \oplus z_j & (W_j = Y) \end{cases}$$
for $j \in S_i$, and outputs $\top$ if $(-1)^{\bigoplus_{j \in S_i} m'_j} = -s_i$ and $\bot$ otherwise.

Figure 8: Our CV-NIZK $\Pi'_{NIZK}$

D Construction of Dual-Mode k-out-of-n Oblivious Transfer

In this section, we prove Lemma 5.7. That is, we give a construction of a dual-mode $k$-out-of-$n$ oblivious transfer as defined in Definition 5.6 based on the LWE assumption.

D.1 Building Block

We introduce dual-mode encryption, which is used as a building block for our construction. We refer to [PVW08] for the intuition behind this primitive.
Definition D.1 (Dual-Mode Encryption [PVW08, Qua20]). A dual-mode encryption scheme over the message space $\mathcal{M}$ consists of PPT algorithms $\Pi_{DEnc} = (\mathrm{Setup}, \mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{FindMessy}, \mathrm{TrapKeyGen})$ with the following syntax. (This definition is based on the definition in [Qua20], which has several minor differences from that in [PVW08].)

$\mathrm{Setup}(1^\lambda, mode)$: The setup algorithm takes the security parameter $\lambda$ and a mode $mode \in \{\mathrm{messy}, \mathrm{dec}\}$ as input, and outputs a common reference string $crs$ and a trapdoor $td_{mode}$.

$\mathrm{KeyGen}(crs, \sigma)$: The key generation algorithm takes the common reference string $crs$ and a branch value $\sigma \in \{0,1\}$ as input, and outputs a public key $pk$ and a secret key $sk$.

$\mathrm{Enc}(crs, pk, b, \mu)$: The encryption algorithm takes the common reference string $crs$, a public key $pk$, a branch value $b \in \{0,1\}$, and a message $\mu \in \mathcal{M}$ as input, and outputs a ciphertext $ct$.

$\mathrm{Dec}(crs, sk, ct)$: The decryption algorithm takes the common reference string $crs$, a secret key $sk$, and a ciphertext $ct$ as input, and outputs a message $\mu \in \mathcal{M}$.

$\mathrm{FindMessy}(crs, td_{messy}, pk)$: The messy branch finding algorithm takes the common reference string $crs$, the trapdoor $td_{messy}$ of the messy mode, and a public key $pk$ as input, and outputs a branch value $b \in \{0,1\}$.

$\mathrm{TrapKeyGen}(crs, td_{dec})$: The trapdoor key generation algorithm takes the common reference string $crs$ and the trapdoor $td_{dec}$ of the decryption mode as input, and outputs a public key $pk$ and two secret keys $sk_0$ and $sk_1$ that correspond to branches $0$ and $1$, respectively.

We require $\Pi_{DEnc}$ to satisfy the following properties.

Correctness for Decryptable Branch. For all $mode \in \{\mathrm{messy}, \mathrm{dec}\}$, $\sigma \in \{0,1\}$, and $\mu \in \mathcal{M}$, we have
$$\Pr\left[ \mathrm{Dec}(crs, sk_\sigma, ct) = \mu : (crs, td_{mode}) \xleftarrow{\$} \mathrm{Setup}(1^\lambda, mode),\ (pk, sk_\sigma) \xleftarrow{\$} \mathrm{KeyGen}(crs, \sigma),\ ct \xleftarrow{\$} \mathrm{Enc}(crs, pk, \sigma, \mu) \right] \ge 1 - \mathrm{negl}(\lambda).$$

Statistical Security in the Messy Mode. With overwhelming probability over $(crs, td_{messy}) \xleftarrow{\$} \mathrm{Setup}(1^\lambda, \mathrm{messy})$, for all possibly malformed $pk$, all messages $\mu_0, \mu_1 \in \{0,1\}^\ell$, and all unbounded-time distinguishers $D$, we have
$$\left| \Pr\left[ D(ct) = 1 : b \xleftarrow{\$} \mathrm{FindMessy}(crs, td_{messy}, pk),\ ct \xleftarrow{\$} \mathrm{Enc}(crs, pk, b, \mu_0) \right] - \Pr\left[ D(ct) = 1 : b \xleftarrow{\$} \mathrm{FindMessy}(crs, td_{messy}, pk),\ ct \xleftarrow{\$} \mathrm{Enc}(crs, pk, b, \mu_1) \right] \right| \le \mathrm{negl}(\lambda).$$

Statistical Security in the Decryption Mode. With overwhelming probability over $(crs, td_{dec}) \xleftarrow{\$} \mathrm{Setup}(1^\lambda, \mathrm{dec})$, for all $\sigma \in \{0,1\}$ and all unbounded-time distinguishers $D$, we have
$$\left| \Pr\left[ D(pk, sk_\sigma) = 1 : (pk, sk_\sigma) \xleftarrow{\$} \mathrm{KeyGen}(crs, \sigma) \right] - \Pr\left[ D(pk, sk_\sigma) = 1 : (pk, sk_0, sk_1) \xleftarrow{\$} \mathrm{TrapKeyGen}(crs, td_{dec}) \right] \right| \le \mathrm{negl}(\lambda).$$

Computational Mode Indistinguishability. For any non-uniform QPT distinguisher $D$, we have
$$\left| \Pr\left[ D(crs) = 1 : (crs, td_{messy}) \xleftarrow{\$} \mathrm{Setup}(1^\lambda, \mathrm{messy}) \right] - \Pr\left[ D(crs) = 1 : (crs, td_{dec}) \xleftarrow{\$} \mathrm{Setup}(1^\lambda, \mathrm{dec}) \right] \right| \le \mathrm{negl}(\lambda).$$

Quach [Qua20] gave a construction of a dual-mode encryption scheme based on the LWE assumption.

Lemma D.2 ([Qua20]). If the LWE assumption holds, then there exists a dual-mode encryption scheme.

Remark 7. Peikert, Vaikuntanathan, and Waters [PVW08] gave a construction of a relaxed variant of dual-mode encryption based on the LWE assumption. Their construction is more efficient than that of Quach [Qua20], since they only rely on LWE with a polynomial-size modulus whereas Quach's construction relies on LWE with a super-polynomial modulus. However, their scheme does not suffice for our purpose for the following two reasons.
1. The security in the decryption mode holds only against computationally bounded adversaries.
2. The $crs$ can be reused only a bounded number of times.

D.2 1-out-of-n Oblivious Transfer

In this section, we construct a dual-mode 1-out-of-$n$ oblivious transfer based on dual-mode encryption. That is, we prove the following lemma.

Lemma D.3. If there exists a dual-mode encryption scheme, then there exists a dual-mode 1-out-of-$n$ oblivious transfer.

Let $\Pi_{DEnc} = (\mathrm{Setup}, \mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{FindMessy}, \mathrm{TrapKeyGen})$ be a dual-mode encryption scheme over the message space $\mathcal{M} = \{0,1\}^\ell$. Then our construction of a dual-mode 1-out-of-$n$ oblivious transfer $\Pi_{1\text{-}n} = (\mathrm{CRSGen}_{1\text{-}n}, \mathrm{Receiver}_{1\text{-}n}, \mathrm{Sender}_{1\text{-}n}, \mathrm{Derive}_{1\text{-}n})$ over the message space $\mathcal{M}$ is given in Figure 9. This can be seen as the protocol obtained by applying the conversion of [BCR86] to the dual-mode 1-out-of-2 oblivious transfer of [Qua20].

$\mathrm{CRSGen}_{1\text{-}n}(1^\lambda, mode)$: Let $mode' := \mathrm{dec}$ if $mode = \mathrm{binding}$ and $mode' := \mathrm{messy}$ if $mode = \mathrm{hiding}$. It generates $(crs, td_{mode'}) \xleftarrow{\$} \mathrm{Setup}(1^\lambda, mode')$ and outputs $crs$.

$\mathrm{Receiver}_{1\text{-}n}(crs, j)$: It generates $(pk_i, sk_{i, \sigma_i}) \xleftarrow{\$} \mathrm{KeyGen}(crs, \sigma_i)$ for all $i \in [n]$, where $\sigma_j := 0$ and $\sigma_i := 1$ for all $i \in [n] \setminus \{j\}$ (so branch $0$ is decryptable at the chosen index and branch $1$ everywhere else). It outputs $ot_1 := \{pk_i\}_{i \in [n]}$ and $st := (j, \{\sigma_i, sk_{i, \sigma_i}\}_{i \in [n]})$.

$\mathrm{Sender}_{1\text{-}n}(crs, ot_1, \mu)$: It parses $\{pk_i\}_{i \in [n]} \leftarrow ot_1$ and $(\mu_1, \ldots, \mu_n) \leftarrow \mu$, generates $(r_1, \ldots, r_n) \xleftarrow{\$} (\{0,1\}^\ell)^n$, and sets $\mu'_{i,0} := \mu_i \oplus r_{i-1}$ and $\mu'_{i,1} := r_i \oplus r_{i-1}$ for all $i \in [n]$, where $r_0$ is defined to be $0^\ell$. Then it generates $ct_{i,b} \xleftarrow{\$} \mathrm{Enc}(crs, pk_i, b, \mu'_{i,b})$ for all $i \in [n]$ and $b \in \{0,1\}$, and outputs $ot_2 := \{ct_{i,b}\}_{i \in [n], b \in \{0,1\}}$.

$\mathrm{Derive}_{1\text{-}n}(crs, st, ot_2)$: It parses $(j, \{\sigma_i, sk_{i, \sigma_i}\}_{i \in [n]}) \leftarrow st$ and $\{ct_{i,b}\}_{i \in [n], b \in \{0,1\}} \leftarrow ot_2$, computes $\mu'_{i, \sigma_i} \xleftarrow{\$} \mathrm{Dec}(crs, sk_{i, \sigma_i}, ct_{i, \sigma_i})$ for all $i \in [j]$, and outputs $\mu_j := \bigoplus_{i=1}^{j} \mu'_{i, \sigma_i}$.

Figure 9: Our 1-out-of-$n$ oblivious transfer $\Pi_{1\text{-}n}$

Then we prove the following lemmas.

Lemma D.4. $\Pi_{1\text{-}n}$ satisfies correctness.

Proof. This follows from the correctness of $\Pi_{DEnc}$: an honest receiver with choice $j$ decrypts $\mu'_{i,1} = r_i \oplus r_{i-1}$ for $i < j$ and $\mu'_{j,0} = \mu_j \oplus r_{j-1}$, and $\bigoplus_{i=1}^{j-1} (r_i \oplus r_{i-1}) \oplus (\mu_j \oplus r_{j-1}) = r_{j-1} \oplus \mu_j \oplus r_{j-1} = \mu_j$ since $r_0 = 0^\ell$.

Lemma D.5.
$\Pi_{1\text{-}n}$ satisfies the computational mode indistinguishability.

Proof. This can be reduced to the computational mode indistinguishability of $\Pi_{DEnc}$ in a straightforward manner.

Lemma D.6. $\Pi_{1\text{-}n}$ satisfies statistical receiver's security in the binding mode.

Proof. We construct $\mathrm{Sim}_{rec}$ as follows.

$\mathrm{Sim}_{rec}(crs)$: It generates $(pk_i, sk_{i,0}) \xleftarrow{\$} \mathrm{KeyGen}(crs, 0)$ for all $i \in [n]$, and outputs $ot_1 := \{pk_i\}_{i \in [n]}$.

By statistical security in the decryption mode of $\Pi_{DEnc}$, with overwhelming probability over $(crs, td_{dec}) \xleftarrow{\$} \mathrm{Setup}(1^\lambda, \mathrm{dec})$, the distribution of $pk$ generated as $(pk, sk_\sigma) \xleftarrow{\$} \mathrm{KeyGen}(crs, \sigma)$ for any fixed $\sigma \in \{0,1\}$ is statistically close to that generated as $(pk, sk_0, sk_1) \xleftarrow{\$} \mathrm{TrapKeyGen}(crs, td_{dec})$, which does not depend on $\sigma$. Therefore, the distributions of $\{pk_i\}_{i \in [n]}$ generated by $\mathrm{Sim}_{rec}(crs)$ and by $\mathrm{Receiver}_{1\text{-}n}(crs, j)$ are statistically close for any $j \in [n]$. Then statistical receiver's security in the binding mode of $\Pi_{1\text{-}n}$ follows by a standard hybrid argument.

Lemma D.7. $\Pi_{1\text{-}n}$ satisfies statistical sender's security in the hiding mode.

Proof. We construct $\mathrm{Sim}_{CRS}$, $\mathrm{Open}_{rec}$, and $\mathrm{Sim}_{sen}$ as follows.

$\mathrm{Sim}_{CRS}(1^\lambda)$: It generates $(crs, td_{messy}) \xleftarrow{\$} \mathrm{Setup}(1^\lambda, \mathrm{messy})$ and outputs $crs$ and $td := td_{messy}$.

$\mathrm{Open}_{rec}(td, ot_1)$: It parses $td_{messy} \leftarrow td$ and $\{pk_i\}_{i \in [n]} \leftarrow ot_1$, computes $\sigma_i \xleftarrow{\$} \mathrm{FindMessy}(crs, td_{messy}, pk_i)$ for all $i \in [n]$ (so $\sigma_i$ is the messy branch of $pk_i$), and outputs the minimal $j \in [n]$ such that $\sigma_j = 1$.

$\mathrm{Sim}_{sen}(crs, ot_1, j, \mu_j)$: It generates $\mu_i \xleftarrow{\$} \mathcal{M}$ for $i \in [n] \setminus \{j\}$, and outputs $ot_2 \xleftarrow{\$} \mathrm{Sender}_{1\text{-}n}(crs, ot_1, (\mu_1, \ldots, \mu_n))$.

The first item of statistical sender's security in the hiding mode is clear because $\mathrm{Sim}_{CRS}(1^\lambda)$ generates $crs$ in exactly the same manner as $\mathrm{CRSGen}_{1\text{-}n}(1^\lambda, \mathrm{hiding})$. In the following, we prove that the second item is also satisfied. For any unbounded-time adversary $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$ and fixed $\mu = (\mu_1, \ldots, \mu_n)$, we consider the following sequence of games between $\mathcal{A}$ and the challenger. We denote by $E_i$ the event that $\mathcal{A}$ returns $1$ in Game $i$.

Game 0: This game works as follows.
1. The challenger generates $(crs, td_{messy}) \xleftarrow{\$} \mathrm{Setup}(1^\lambda, \mathrm{messy})$ and sets $td := td_{messy}$.
2. $\mathcal{A}_1$ takes $(crs, td)$ as input and outputs $ot_1 = \{pk_i\}_{i \in [n]}$ and $st_{\mathcal{A}}$.
3. The challenger computes $j := \mathrm{Open}_{rec}(td, ot_1)$. That is, it computes $\sigma_i \xleftarrow{\$} \mathrm{FindMessy}(crs, td_{messy}, pk_i)$ for all $i \in [n]$ and lets $j$ be the minimal value such that $\sigma_j = 1$.
4. The challenger sets $\tilde{\mu}_j := \mu_j$, generates $\tilde{\mu}_i \xleftarrow{\$} \mathcal{M}$ for $i \in [n] \setminus \{j\}$ and $(r_1, \ldots, r_n) \xleftarrow{\$} (\{0,1\}^\ell)^n$, and sets $\mu'_{i,0} := \tilde{\mu}_i \oplus r_{i-1}$ and $\mu'_{i,1} := r_i \oplus r_{i-1}$ for all $i \in [n]$, where $r_0$ is defined to be $0^\ell$. Then it generates $ct_{i,b} := \mathrm{Enc}(crs, pk_i, b, \mu'_{i,b})$ for all $i \in [n]$ and $b \in \{0,1\}$ and sets $ot_2 := \{ct_{i,b}\}_{i \in [n], b \in \{0,1\}}$.
5. $\mathcal{A}_2$ takes $st_{\mathcal{A}}$ and $ot_2$ as input and outputs a bit $\beta$.

Game 1: This game is identical to the previous game except that $\mu'_{i, \sigma_i}$ is replaced with $0^\ell$ for all $i \in [n]$.

By the statistical security in the messy mode of $\Pi_{DEnc}$, it is easy to see that we have $|\Pr[E_0] - \Pr[E_1]| \le \mathrm{negl}(\lambda)$.

Game 2: This game is identical to the previous game except that $\mu'_{i,0}$ is replaced with an independently and uniformly random element of $\mathcal{M}$ for all $i > j$.

We note that this game does not use $\{\tilde{\mu}_i\}_{i \ne j}$ at all. By an easy information theoretical argument (for $i > j$ the value $\tilde{\mu}_i$ is itself uniform and independent of everything else, and for $i < j$ the value $\mu'_{i,0}$ was already replaced in Game 1), we can see that the distribution of $\{\mu'_{i,b}\}_{i \in [n], b \in \{0,1\}}$ does not change from the previous game, and thus we have $\Pr[E_1] = \Pr[E_2]$.

Game 3: This game is identical to Game 0 except that the challenger uses $\mu$ instead of $\tilde{\mu}$.

By considering similar game hops to those from Game 0 to Game 2 in the reversed order, by the statistical security in the messy mode of $\Pi_{DEnc}$, we have $|\Pr[E_2] - \Pr[E_3]| \le \mathrm{negl}(\lambda)$.

Combining the above, we have $|\Pr[E_0] - \Pr[E_3]| \le \mathrm{negl}(\lambda)$. This is exactly the second item of statistical sender's security in the hiding mode.

By combining Lemmas D.4 to D.7, we obtain Lemma D.3.

D.3 k-out-of-n Oblivious Transfer

In this section, we construct a dual-mode $k$-out-of-$n$ oblivious transfer based on a dual-mode 1-out-of-$n$ oblivious transfer by $k$ parallel repetitions. That is, we prove the following lemma.

Lemma D.8. If there exists a dual-mode 1-out-of-$n$ oblivious transfer, then there exists a dual-mode $k$-out-of-$n$ oblivious transfer.

By combining Lemmas D.2, D.3 and D.8, we obtain Lemma 5.7. What is left is to prove Lemma D.8. Let $\Pi_{1\text{-}n} = (\mathrm{CRSGen}_{1\text{-}n}, \mathrm{Receiver}_{1\text{-}n}, \mathrm{Sender}_{1\text{-}n}, \mathrm{Derive}_{1\text{-}n})$ be a dual-mode 1-out-of-$n$ oblivious transfer over the message space $\mathcal{M}$. Then our dual-mode $k$-out-of-$n$ oblivious transfer $\Pi_{k\text{-}n} = (\mathrm{CRSGen}_{k\text{-}n}, \mathrm{Receiver}_{k\text{-}n}, \mathrm{Sender}_{k\text{-}n}, \mathrm{Derive}_{k\text{-}n})$ is described in Figure 10.

$\mathrm{CRSGen}_{k\text{-}n}(1^\lambda, mode)$: It generates $crs \xleftarrow{\$} \mathrm{CRSGen}_{1\text{-}n}(1^\lambda, mode)$ and outputs $crs$.

$\mathrm{Receiver}_{k\text{-}n}(crs, J)$: It parses $(j_1, \ldots, j_k) \leftarrow J$, generates $(ot_{1,i}, st_i) \xleftarrow{\$} \mathrm{Receiver}_{1\text{-}n}(crs, j_i)$ for all $i \in [k]$, and outputs $ot_1 := \{ot_{1,i}\}_{i \in [k]}$ and $st := \{st_i\}_{i \in [k]}$.

$\mathrm{Sender}_{k\text{-}n}(crs, ot_1, \mu)$: It parses $\{ot_{1,i}\}_{i \in [k]} \leftarrow ot_1$, generates $ot_{2,i} \xleftarrow{\$} \mathrm{Sender}_{1\text{-}n}(crs, ot_{1,i}, \mu)$ for all $i \in [k]$, and outputs $ot_2 := \{ot_{2,i}\}_{i \in [k]}$.

$\mathrm{Derive}_{k\text{-}n}(crs, st, ot_2)$: It parses $\{st_i\}_{i \in [k]} \leftarrow st$ and $\{ot_{2,i}\}_{i \in [k]} \leftarrow ot_2$, computes $\mu_{j_i} \xleftarrow{\$} \mathrm{Derive}_{1\text{-}n}(crs, st_i, ot_{2,i})$ for $i \in [k]$, and outputs $(\mu_{j_1}, \ldots, \mu_{j_k})$.

Figure 10: Our $k$-out-of-$n$ oblivious transfer $\Pi_{k\text{-}n}$

Then we prove the following lemmas.

Lemma D.9. $\Pi_{k\text{-}n}$ satisfies correctness.

Proof. This can be reduced to the correctness of $\Pi_{1\text{-}n}$ in a straightforward manner.

Lemma D.10. $\Pi_{k\text{-}n}$ satisfies the computational mode indistinguishability.

Proof. This can be reduced to the computational mode indistinguishability of $\Pi_{1\text{-}n}$ in a straightforward manner.

Lemma D.11. $\Pi_{k\text{-}n}$ satisfies statistical receiver's security in the binding mode.

Proof. Let $\mathrm{Sim}_{rec, 1\text{-}n}$ be the corresponding algorithm for statistical receiver's security in the binding mode of $\Pi_{1\text{-}n}$. Then we construct $\mathrm{Sim}_{rec, k\text{-}n}$ for $\Pi_{k\text{-}n}$ as follows.

$\mathrm{Sim}_{rec, k\text{-}n}(crs)$: It computes $ot_{1,i} \xleftarrow{\$} \mathrm{Sim}_{rec, 1\text{-}n}(crs)$ for all $i \in [k]$, and outputs $ot_1 := \{ot_{1,i}\}_{i \in [k]}$.

Statistical receiver's security in the binding mode of $\Pi_{k\text{-}n}$ follows from that of $\Pi_{1\text{-}n}$ by a straightforward hybrid argument.

Lemma D.12. $\Pi_{k\text{-}n}$ satisfies statistical sender's security in the hiding mode.

Proof. Let $\mathrm{Sim}_{CRS, 1\text{-}n}$, $\mathrm{Open}_{rec, 1\text{-}n}$, and $\mathrm{Sim}_{sen, 1\text{-}n}$ be the corresponding algorithms for statistical sender's security in the hiding mode of $\Pi_{1\text{-}n}$. Then we construct $\mathrm{Sim}_{CRS, k\text{-}n}$, $\mathrm{Open}_{rec, k\text{-}n}$, and $\mathrm{Sim}_{sen, k\text{-}n}$ for $\Pi_{k\text{-}n}$ as follows.

$\mathrm{Sim}_{CRS, k\text{-}n}(1^\lambda)$: This is exactly the same as $\mathrm{Sim}_{CRS, 1\text{-}n}(1^\lambda)$.

$\mathrm{Open}_{rec, k\text{-}n}(td, ot_1)$: It parses $\{ot_{1,i}\}_{i \in [k]} \leftarrow ot_1$, computes $j_i := \mathrm{Open}_{rec, 1\text{-}n}(td, ot_{1,i})$ for all $i \in [k]$, and outputs $J = (j_1, \ldots, j_k)$.

$\mathrm{Sim}_{sen, k\text{-}n}(crs, ot_1, J, \mu_J)$: It parses $\{ot_{1,i}\}_{i \in [k]} \leftarrow ot_1$, $(j_1, \ldots, j_k) \leftarrow J$, and $(\mu_{j_1}, \ldots, \mu_{j_k}) \leftarrow \mu_J$, generates $ot_{2,i} \xleftarrow{\$} \mathrm{Sim}_{sen, 1\text{-}n}(crs, ot_{1,i}, j_i, \mu_{j_i})$ for all $i \in [k]$, and outputs $ot_2 := \{ot_{2,i}\}_{i \in [k]}$.

The first item of statistical sender's security in the hiding mode of $\Pi_{k\text{-}n}$ immediately follows from that of $\Pi_{1\text{-}n}$. In the following, we prove the second item. For any unbounded-time adversary $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$ and fixed $\mu = (\mu_1, \ldots, \mu_n)$, we consider the following sequence of games between $\mathcal{A}$ and the challenger. We denote by $E_i$ the event that $\mathcal{A}$ returns $1$ in Game $i$.

Game 0: This game works as follows.
1. The challenger generates $(crs, td) \xleftarrow{\$} \mathrm{Sim}_{CRS, k\text{-}n}(1^\lambda)$.
2. $\mathcal{A}_1$ takes $(crs, td)$ as input and outputs $ot_1 = \{ot_{1,i}\}_{i \in [k]}$ and $st_{\mathcal{A}}$.
3. The challenger computes $J := \mathrm{Open}_{rec, k\text{-}n}(td, ot_1)$. That is, it computes $j_i := \mathrm{Open}_{rec, 1\text{-}n}(td, ot_{1,i})$ for all $i \in [k]$ and lets $J := (j_1, \ldots, j_k)$.
4. The challenger generates $ot_{2,i} \xleftarrow{\$} \mathrm{Sim}_{sen, 1\text{-}n}(crs, ot_{1,i}, j_i, \mu_{j_i})$ for $i \in [k]$ and sets $ot_2 := \{ot_{2,i}\}_{i \in [k]}$.
5. $\mathcal{A}_2$ takes $st_{\mathcal{A}}$ and $ot_2$ as input and outputs a bit $\beta$.

Game 1: This game is identical to the previous game except that $ot_{2,i}$ is generated as $ot_{2,i} \xleftarrow{\$} \mathrm{Sender}_{1\text{-}n}(crs, ot_{1,i}, \mu)$ for $i \in [k]$.

By the second item of statistical sender's security in the hiding mode of $\Pi_{1\text{-}n}$, we have $|\Pr[E_0] - \Pr[E_1]| \le \mathrm{negl}(\lambda)$ by a standard hybrid argument over the $k$ instances. This is exactly the second item of statistical sender's security in the hiding mode.

By combining Lemmas D.9 to D.12, we obtain Lemma D.8.
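To see the chaining of Figure 9 and the leakage bound behind Lemma D.7 concretely, here is an added Python example; it is not code from the paper. The dual-mode encryption is replaced by an ideal 1-out-of-2 OT oracle that hands the receiver exactly one branch per index (an assumption of the example), so only the [BCR86]-style XOR chaining of $\mathrm{Sender}_{1\text{-}n}$/$\mathrm{Derive}_{1\text{-}n}$ and the $k$ parallel repetitions of Figure 10 are modelled. The receiver's decryptable branch is $0$ at its chosen index $j$ and $1$ everywhere else, the assignment under which $\mathrm{Derive}_{1\text{-}n}$ telescopes to $\mu_j$ and $\mathrm{Open}_{rec}$ (first index whose branch $1$ is messy) returns $j$; $r_n$ is sampled like the other masks so that $\mu'_{n,1}$ is defined. The second half goes beyond the honest case in the figure: `learnable` decides, by Gaussian elimination over GF(2) in the formal symbols $\mu_1, \ldots, \mu_n, r_1, \ldots, r_n$, which $\mu_k$ a receiver can recover from an arbitrary pattern of openable branches, and the test checks that this is exactly the index $\mathrm{Open}_{rec}$ extracts, which is the combinatorial content of Games 1 and 2. Function names, the byte-string message format and the sample messages are the example's own.

```python
"""Added example (not the paper's code): the XOR-chained 1-out-of-n OT of Figure 9 over
an idealised 1-out-of-2 OT, its k-out-of-n parallel repetition (Figure 10), and a GF(2)
check of which messages a receiver can learn (Lemma D.7).  The dual-mode encryption is
replaced by an ideal oracle that hands the receiver one branch per index (assumption)."""
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def sender_1n(msgs: list) -> list:
    """Sender_{1-n}: r_0 = 0^l, r_1..r_n random; table[i-1] = (mu'_{i,0}, mu'_{i,1}) with
    mu'_{i,0} = mu_i XOR r_{i-1} and mu'_{i,1} = r_i XOR r_{i-1} (1-indexed i as in Figure 9)."""
    n, ell = len(msgs), len(msgs[0])
    r = [bytes(ell)] + [secrets.token_bytes(ell) for _ in range(n)]  # r_0 .. r_n
    return [(xor(msgs[i - 1], r[i - 1]), xor(r[i], r[i - 1])) for i in range(1, n + 1)]


def receiver_branches(n: int, j: int) -> list:
    """Receiver_{1-n} with choice j: decryptable branch 0 at index j, branch 1 elsewhere."""
    return [0 if i == j else 1 for i in range(1, n + 1)]


def ideal_ot_view(table: list, branches: list) -> list:
    """Ideal 1-out-of-2 OT per index: the receiver sees only the branch it can open."""
    return [row[b] for row, b in zip(table, branches)]


def derive_1n(view: list, j: int) -> bytes:
    """Derive_{1-n}: XOR of the opened values at indices 1..j telescopes to mu_j."""
    out = bytes(len(view[0]))
    for v in view[:j]:
        out = xor(out, v)
    return out


def k_out_of_n(msgs: list, choices: list) -> list:
    """Figure 10: k independent 1-out-of-n runs on the same message vector."""
    n, result = len(msgs), []
    for j in choices:
        view = ideal_ot_view(sender_1n(msgs), receiver_branches(n, j))
        result.append(derive_1n(view, j))
    return result


# Leakage analysis over GF(2).  Symbols: mu_k -> bit k-1, r_k -> bit n+k-1, r_0 = 0.
def symbol_vector(n: int, i: int, b: int) -> int:
    """mu'_{i,b} as a GF(2) vector over the symbols, encoded as a bitmask."""
    r_prev = (1 << (n + i - 2)) if i >= 2 else 0  # r_{i-1}; absent for i = 1
    return ((1 << (i - 1)) if b == 0 else (1 << (n + i - 1))) ^ r_prev


def _reduce(v: int, basis: dict) -> int:
    """Reduce v against an echelon basis keyed by pivot (highest) bit."""
    for p in sorted(basis, reverse=True):
        if (v >> p) & 1:
            v ^= basis[p]
    return v


def learnable(n: int, opened: list) -> set:
    """Indices k such that mu_k is a GF(2) combination of the values seen by a receiver
    who can open branch opened[i-1] at each index i (Lemma D.7's leakage question)."""
    basis = {}
    for i, b in enumerate(opened, start=1):
        v = _reduce(symbol_vector(n, i, b), basis)
        if v:
            basis[v.bit_length() - 1] = v
    return {k for k in range(1, n + 1) if _reduce(1 << (k - 1), basis) == 0}


def open_rec(opened: list):
    """Open_rec: smallest index whose messy branch is 1, i.e. whose openable branch is 0."""
    return next((i for i, b in enumerate(opened, start=1) if b == 0), None)


if __name__ == "__main__":
    msgs = [b"msg-1", b"msg-2", b"msg-3", b"msg-4"]  # constructed sample input
    for j in range(1, 5):
        assert derive_1n(ideal_ot_view(sender_1n(msgs), receiver_branches(4, j)), j) == msgs[j - 1]
    print(k_out_of_n(msgs, [2, 4]), learnable(4, [1, 0, 0, 1]), open_rec([1, 0, 0, 1]))
```

The honest receiver opens branch $1$ at $1, \ldots, j-1$ and branch $0$ at $j$, so its view is $r_1, r_2 \oplus r_1, \ldots, r_{j-1} \oplus r_{j-2}, \mu_j \oplus r_{j-1}$ and everything cancels except $\mu_j$. A cheating receiver that opens branch $0$ at several indices still learns only $\mu_{j^*}$ for the first such index $j^*$: every later $\mu_i$ is masked by an $r_{i-1}$ with $i - 1 \ge j^*$, and the chain of masks is broken at $j^*$ because $\mu'_{j^*,1} = r_{j^*} \oplus r_{j^*-1}$ is the branch it cannot open. That is why $\mathrm{Open}_{rec}$ may extract the smallest index whose branch $1$ is messy.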