TY - CHAP

T1 - List-decoding of linear functions and analysis of a two-round zero-knowledge argument

AU - Dwork, Cynthia

AU - Shaltiel, Ronen

AU - Smith, Adam

AU - Trevisan, Luca

PY - 2004

Y1 - 2004

N2 - Dwork and Stockmeyer showed 2-round zero-knowledge proof systems secure against provers which are resource-bounded during the interaction [6]. The resources considered are running time and advice (the amount of precomputed information). We re-cast this construction in the language of list-decoding. This perspective leads to the following improvements: 1. We give a new, simpler analysis of the protocol's unconditional security in the advice-bounded case. Like the original, the new analysis is asymptotically tight. 2. When the prover is bounded in both time and advice, we substantially improve the analysis of [6]: we prove security under a worst-case (instead of average-case) hardness assumption. Specifically, we assume that there exists g ∈ DTIME(2 3) such that g is hard in the worst case for MAM circuits of size O(2s(1/2+γ)) for some γ > 0. Here s is the input length and MAM corresponds the class of circuits which are verifiers in a 3-message interactive proof (with constant soundness error) in which the prover sends the first message. In contrast, Dwork and Stockmeyer require a function that is average-case hard for "proof auditors," a model of computation which generalizes randomized, non-deterministic circuits. 3. Our analyses rely on new results on list-decodability of codes whose codewords are linear functions from {0,1}l to {0,1}l. For (1), we show that the set of all linear transformations is a good list-decodable code. For (2), we give a new, non-deterministic list-decoding procedure which runs in time quasi-linear in l.

AB - Dwork and Stockmeyer showed 2-round zero-knowledge proof systems secure against provers which are resource-bounded during the interaction [6]. The resources considered are running time and advice (the amount of precomputed information). We re-cast this construction in the language of list-decoding. This perspective leads to the following improvements: 1. We give a new, simpler analysis of the protocol's unconditional security in the advice-bounded case. Like the original, the new analysis is asymptotically tight. 2. When the prover is bounded in both time and advice, we substantially improve the analysis of [6]: we prove security under a worst-case (instead of average-case) hardness assumption. Specifically, we assume that there exists g ∈ DTIME(2 3) such that g is hard in the worst case for MAM circuits of size O(2s(1/2+γ)) for some γ > 0. Here s is the input length and MAM corresponds the class of circuits which are verifiers in a 3-message interactive proof (with constant soundness error) in which the prover sends the first message. In contrast, Dwork and Stockmeyer require a function that is average-case hard for "proof auditors," a model of computation which generalizes randomized, non-deterministic circuits. 3. Our analyses rely on new results on list-decodability of codes whose codewords are linear functions from {0,1}l to {0,1}l. For (1), we show that the set of all linear transformations is a good list-decodable code. For (2), we give a new, non-deterministic list-decoding procedure which runs in time quasi-linear in l.

UR - http://www.scopus.com/inward/record.url?scp=35048892067&partnerID=8YFLogxK

U2 - 10.1007/978-3-540-24638-1_6

DO - 10.1007/978-3-540-24638-1_6

M3 - Chapter

AN - SCOPUS:35048892067

SN - 3540210008

SN - 9783540210009

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 101

EP - 120

BT - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

A2 - Naor, Moni

PB - Springer Verlag

ER -