On monotone function closure of perfect and statistical zero-knowledge

Assume we are given a language $L$ with an honest verifier perfect zero-knowledge proof system. Assume also that the proof system is a $leq 3$ move Arthur-Merlin game. The class of such languages includes all random self-reducible language, and also any language with a perfect zero-knowledge non-interactive proof. We show that such a language satisfies a certain closure property, namely that languages constructed from $L$ by applying certain monotone functions to statements on membership in $L$ have perfect zero-knowledge proof systems. The new set of languages we can build includes $L$ itself, but also for example languages consisting of $n$ words of which at least $tleq n$ are in $L$. A similar closure property is shown to hold for the complement of $L$ and for statistical zero-knowledge. The property we need fo

Proofs of partial knowledge and simplified design of witness hiding protocols

Suppose we are given a proof of knowledge P in which a prover demonstrates that he knows a solution to a given problem instance. Suppose also that we have a secret sharing scheme S on n participants. Then under certain assumptions on P and S , we show how to transform P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to some subset of n problem instances out of a collection of subsets defined by S . For example, using a threshold scheme, the prover can show that he knows at least d out of n solutions without revealing which d instances are involved. If the instances are independently generated, we get a witness hiding protocol, even if P did not have this property. Our results can be used to efficiently implement general forms of group oriented identification and signatures. Our transformation produces a protocol with the same number of rounds as P and communication complexity n times that of P . Our results use no unproven complexity assumptions

Cryptography in the Bounded Quantum-Storage Model

We initiate the study of two-party cryptographic primitives with unconditional security, assuming that the adversary’s quantum memory is of bounded size. We show that oblivious transfer and bit commitment can be implemented in this model using protocols where honest parties need no quantum memory, whereas an adversarial player needs quantum memory of size at least n/2 in order to break the protocol, where n is the number of qubits transmitted. This is in sharp contrast to the classical bounded-memory model, where we can only tolerate adversaries with memory of size quadratic in honest players’ memory size. Our protocols are efficient and noninteractive and can be implemented using today’s technology. On the technical side, a new entropic uncertainty relation involving min-entropy is established

Proofs of partial knowledge and simplified design of witness hiding protocols

Suppose we are given a proof of knowledge P in which a prover demonstrates that he knows a solution to a given problem instance. Suppose also that we have a secret sharing scheme S on n participants. Then under certain assumptions on P and S , we show how to transform P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to some subset of n problem instances out of a collection of subsets defined by S . For example, using a threshold scheme, the prover can show that he knows at least d out of n solutions without revealing which d instances are involved. If the instances are independently generated, we get a witness hiding protocol, even if P did not have this property. Our results can be used to efficiently implement general forms of group oriented identification and signatures. Our transformation produces a protocol with the same number of rounds as P and communication complexity n times that of P . Our results use no unproven complexity assumptions

Improving the security of quantum protocols via commit-and-open

We consider two-party quantum protocols starting with a transmission of some random BB84 qubits followed by classical messages. We show a general compiler improving the security of such protocols: if the original protocol is secure against an almost honest adversary, then the compiled protocol is secure against an arbitrary computationally bounded (quantum) adversary. The compilation preserves the number of qubits sent and the number of rounds up to a constant factor. The compiler also preserves security in the bounded-quantum-storage model (BQSM), so if the original protocol was BQSM-secure, the compiled protocol can only be broken by an adversary who has large quantum memory and large computing power. This is in contrast to known BQSM-secure protocols, where security breaks down completely if the adversary has larger quantum memory than expected. We show how our technique can be applied to quantum identification and oblivious transfer protocols

Linear Secret Sharing Schemes from Error Correcting Codes and Universal Hash Functions

We present a novel method for constructing linear secret sharing schemes (LSSS) from linear error correcting codes and linear universal hash functions in a blackbox way. The main advantage of this new construction is that the privacy property of the resulting secret sharing scheme essentially becomes independent of the code we use, only depending on its rate. This allows us to fully harness the algorithmic properties of recent code constructions such as efficient encoding and decoding or efficient list-decoding. Choosing the error correcting codes and universal hash functions involved carefully, we obtain solutions to the following open problems: - A linear near-threshold secret sharing scheme with both linear time sharing and reconstruction algorithms and large secrets (i.e. secrets of size $\Omega(n)$). Thus, the computational overhead per shared bit in this scheme is *constant*. - An efficiently reconstructible robust secret sharing scheme for $n/3 \leq t 0$) with shares of optimal size $O(1 + \lambda / n)$ and secrets of size $\Omega(n + \lambda)$, where $\lambda$ is the security parameter