Oracle Separations Between Quantum and Non-interactive Zero-Knowledge Classes

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

We study the relationship between problems solvable by quantum algorithms in polynomial time and those for which zero-knowledge proofs exist. In prior work, Aaronson [arxiv:quant-ph/0111102] showed an oracle separation between BQP and SZK, i.e. an oracle $A$ such that $\mathrm{SZK}^A \not\subseteq \mathrm{BQP}^A$. In this paper we give a simple extension of Aaronson’s result to non-interactive zero-knowledge proofs with perfect security. This class, NIPZK, is the most restrictive zero-knowledge class. We show that even for this class we can construct an $A$ with $\mathrm{NIPZK}^A \not\subseteq \mathrm{BQP}^A$.


💡 Research Summary

This paper investigates the relationship between the class of problems solvable by quantum polynomial‑time algorithms (BQP) and the class of languages that admit non‑interactive perfect zero‑knowledge proofs (NIPZK). The motivation is twofold: to deepen our structural understanding of complexity classes and to assess the quantum‑resilience of cryptographic protocols that rely on non‑interactive zero‑knowledge (NIZK) proofs.

The starting point is Scott Aaronson’s seminal oracle separation showing that there exists an oracle A such that SZK⁽ᴬ⁾ is not contained in BQP⁽ᴬ⁾. Aaronson’s construction hinges on the collision problem, a promise problem in which a function X : {1,…,n}→{1,…,n} is promised to be either one‑to‑one or r‑to‑one for a fixed r≥2, and the task is to decide which case holds. Aaronson proved a quantum query lower bound Q₂(Colₙ)=Ω(n^{1/5}); later work by Kutin and by Shi strengthened this to Ω((n/r)^{1/3}) for general r. These lower bounds imply that any quantum algorithm solving the collision problem must make a number of queries polynomial in n, and hence super‑polynomial in the input length log n, which is the key ingredient for an oracle separation via diagonalization.

The authors extend this technique to the most restrictive zero‑knowledge class, NIPZK, which requires (i) perfect simulation (the simulated transcript is identically distributed to the real one) and (ii) a single message from prover to verifier, with both parties sharing a common random string. They construct an explicit NIPZK protocol for the collision problem:

  1. The shared random string is split into two independent n‑bit strings r₁ and r₂.
  2. For each i∈{1,2}, the prover selects uniformly at random an input xᵢ such that X(xᵢ)=rᵢ (if such an input exists) and sends xᵢ to the verifier.
  3. The verifier accepts iff X(xᵢ)=rᵢ for both i.

Completeness holds because when X is one‑to‑one its image equals the whole codomain, guaranteeing a pre‑image for every rᵢ. Soundness follows from the fact that a two‑to‑one function leaves exactly half of the codomain uncovered; consequently, with probability 3/4 at least one of r₁ or r₂ lies outside the image, forcing the prover to fail and giving a soundness error at most 1/4.

To establish perfect zero‑knowledge, the authors describe a simulator that simply picks two random inputs x₁, x₂, computes rᵢ=X(xᵢ), and outputs the same transcript that the honest prover would produce. When X is one‑to‑one, the distribution of (r₁,r₂) is uniform and each pair (r₁,r₂) corresponds to a unique pair (x₁,x₂), so the simulated transcript is exactly identical to the real one. Hence the protocol is in NIPZK, and consequently the collision problem lies in NIPZK.
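The three‑step protocol, its verifier and its simulator, as an added Python example that is not from the paper. It assumes a toy domain {0,…,n−1} with X given as a list, and checks completeness, the 1/4 soundness bound for a two‑to‑one X, and perfect simulation by exact enumeration of transcript distributions.

```python
import random
from fractions import Fraction
from itertools import product

# Constructed toy instances: a function {0..n-1} -> {0..n-1} written as a list.
ONE_TO_ONE = [2, 0, 3, 1]   # bijection on n = 4
TWO_TO_ONE = [0, 0, 3, 3]   # 2-to-1: the image covers exactly half of the codomain

def preimages(X, r):
    return [x for x in range(len(X)) if X[x] == r]

def prover(X, r1, r2, rng):
    # Honest prover: a uniformly random preimage of each r_i, or None if r_i has none.
    msg = []
    for r in (r1, r2):
        pre = preimages(X, r)
        msg.append(rng.choice(pre) if pre else None)
    return tuple(msg)

def verifier(X, r1, r2, msg):
    # Accept iff both x_i are present and X(x_i) = r_i.
    return all(x is not None and X[x] == r for x, r in zip(msg, (r1, r2)))

def soundness_error(X):
    # Exact acceptance probability over a uniform CRS (r1, r2): (|image| / n)^2.
    return Fraction(len(set(X)), len(X)) ** 2

def real_transcripts(X):
    # Exact distribution of (r1, r2, x1, x2) from a uniform CRS plus the honest prover.
    n, dist = len(X), {}
    for r1, r2 in product(range(n), repeat=2):
        p1, p2 = preimages(X, r1) or [None], preimages(X, r2) or [None]
        for x1, x2 in product(p1, p2):
            key = (r1, r2, x1, x2)
            dist[key] = dist.get(key, 0) + Fraction(1, n * n * len(p1) * len(p2))
    return dist

def simulated_transcripts(X):
    # Simulator: pick x1, x2 uniformly and set r_i = X(x_i); no prover is involved.
    n, dist = len(X), {}
    for x1, x2 in product(range(n), repeat=2):
        key = (X[x1], X[x2], x1, x2)
        dist[key] = dist.get(key, 0) + Fraction(1, n * n)
    return dist

def empirical_acceptance(X, trials=20000, seed=1):
    # Monte Carlo check of the exact bound from soundness_error().
    rng, n, acc = random.Random(seed), len(X), 0
    for _ in range(trials):
        r1, r2 = rng.randrange(n), rng.randrange(n)
        acc += verifier(X, r1, r2, prover(X, r1, r2, rng))
    return acc / trials
```

For the bijection the two transcript dictionaries coincide exactly; for the two‑to‑one instance they differ, because the real prover sometimes has no preimage to send while the simulator always does.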

Combining this inclusion with the quantum query lower bound yields an oracle A for which NIPZK⁽ᴬ⁾ is not a subset of BQP⁽ᴬ⁾. The construction mirrors Aaronson’s diagonalization: the oracle encodes a family of collision instances that are hard for any BQP machine but easy for the NIPZK protocol described above. Therefore the paper lifts the known SZK–BQP separation to the stricter NIPZK class, and by implication also to PZK, NICZK, and NISZK.

The authors discuss the cryptographic significance of this result. Recent protocols—such as non‑interactive zero‑knowledge based cryptocurrencies, leak‑resilient signatures, and smart‑contract constructions—depend on the assumption that NIZK proofs remain secure against quantum adversaries. If NIPZK were contained in BQP, a quantum adversary could potentially break these protocols by efficiently simulating the verifier’s view. The oracle separation demonstrates that, at least relative to some oracle, such a collapse does not occur, providing evidence that NIPZK‑based cryptographic schemes can be made quantum‑resistant.

Finally, the paper outlines a direction for future work: extending the separation from a relativized (oracle) setting to an “algebrization” barrier, as introduced by Aaronson and Wigderson. An algebrized separation would rule out a broader class of proof techniques and give stronger evidence that NIPZK is genuinely outside BQP in the unrelativized world.

In summary, the paper presents a simple yet powerful extension of Aaronson’s oracle separation, constructs a concrete NIPZK protocol for the collision problem, and leverages known quantum query lower bounds to prove that there exists an oracle A with NIPZK⁽ᴬ⁾ ⊄ BQP⁽ᴬ⁾. This result deepens our understanding of the interplay between quantum computation and zero‑knowledge proof systems and supports the feasibility of quantum‑secure non‑interactive cryptographic constructions.

