Are zero-knowledge proofs quantum-resistant?

Question

SNARKs and STARKs are not, by default, zero-knowledge proof systems @YoussefElHousni — iwriteonbananas, Nov 16 '18 at 16:59
They are, but the question was about zero-knowlege proof systems. STARKs are, by default, not zero-knowledge. @YoussefElHousni — iwriteonbananas, Nov 16 '18 at 18:12
Can you please develop your point a little bit more? According to the paper https://eprint.iacr.org/2018/046, starks are zero-knowledge. @iwriteonbananas — Youssef El Housni, Nov 16 '18 at 18:23
@YoussefElHousni "STARK" is a succinct non-interactive argument system which can be made zero-knowledge with a slight modification. The resulting argument system is called "zkSTARK". — iwriteonbananas, Nov 16 '18 at 18:27
Ok I was talking about ZK-STARKs. Precision matters. @iwriteonbananas — Youssef El Housni, Nov 16 '18 at 18:35

score 7 · Accepted Answer · edited Feb 03 '21 at 11:05

There is no generic answer to this question. Zero-knowledge proof (ZKP) systems can be post-quantum secure, but they need not be. It all depends on the cryptography on which the security of the ZKP rests.

There exist ZKPs that only use collision-resistant hash functions and hence are plausibly post-quantum secure. The most well-known examples are those using the FRI protocol: Aurora, Fractal, and zk-Starks [*].

Other notable ZKPs like Bulletproofs or Groth16 rely on cryptographic assumptions (e.g. hardness of discrete log in elliptic curve groups) for which it is known they would be vulnerable to quantum attacks, if such attacks became practical.

[*] "zk-STARK" refers both to a security definition and to a particular family of FRI-based proof systems that satisfies it. The security definition does not mention post-quantum security, so it is the latter that is meant here.

I think Hyrax is based on DL, so not quantum secure. – Shan Chen Nov 16 '18 at 22:45 — Shan Chen, Nov 16 '18 at 22:45

Are zero-knowledge proofs quantum-resistant?

1 Answers1