TY - CHAP
T1 - List-decoding of linear functions and analysis of a two-round zero-knowledge argument
AU - Dwork, Cynthia
AU - Shaltiel, Ronen
AU - Smith, Adam
AU - Trevisan, Luca
PY - 2004
Y1 - 2004
N2 - Dwork and Stockmeyer showed 2-round zero-knowledge proof systems secure against provers which are resource-bounded during the interaction [6]. The resources considered are running time and advice (the amount of precomputed information). We re-cast this construction in the language of list-decoding. This perspective leads to the following improvements: 1. We give a new, simpler analysis of the protocol's unconditional security in the advice-bounded case. Like the original, the new analysis is asymptotically tight. 2. When the prover is bounded in both time and advice, we substantially improve the analysis of [6]: we prove security under a worst-case (instead of average-case) hardness assumption. Specifically, we assume that there exists g ∈ DTIME(2 3) such that g is hard in the worst case for MAM circuits of size O(2s(1/2+γ)) for some γ > 0. Here s is the input length and MAM corresponds the class of circuits which are verifiers in a 3-message interactive proof (with constant soundness error) in which the prover sends the first message. In contrast, Dwork and Stockmeyer require a function that is average-case hard for "proof auditors," a model of computation which generalizes randomized, non-deterministic circuits. 3. Our analyses rely on new results on list-decodability of codes whose codewords are linear functions from {0,1}l to {0,1}l. For (1), we show that the set of all linear transformations is a good list-decodable code. For (2), we give a new, non-deterministic list-decoding procedure which runs in time quasi-linear in l.
AB - Dwork and Stockmeyer showed 2-round zero-knowledge proof systems secure against provers which are resource-bounded during the interaction [6]. The resources considered are running time and advice (the amount of precomputed information). We re-cast this construction in the language of list-decoding. This perspective leads to the following improvements: 1. We give a new, simpler analysis of the protocol's unconditional security in the advice-bounded case. Like the original, the new analysis is asymptotically tight. 2. When the prover is bounded in both time and advice, we substantially improve the analysis of [6]: we prove security under a worst-case (instead of average-case) hardness assumption. Specifically, we assume that there exists g ∈ DTIME(2 3) such that g is hard in the worst case for MAM circuits of size O(2s(1/2+γ)) for some γ > 0. Here s is the input length and MAM corresponds the class of circuits which are verifiers in a 3-message interactive proof (with constant soundness error) in which the prover sends the first message. In contrast, Dwork and Stockmeyer require a function that is average-case hard for "proof auditors," a model of computation which generalizes randomized, non-deterministic circuits. 3. Our analyses rely on new results on list-decodability of codes whose codewords are linear functions from {0,1}l to {0,1}l. For (1), we show that the set of all linear transformations is a good list-decodable code. For (2), we give a new, non-deterministic list-decoding procedure which runs in time quasi-linear in l.
UR - http://www.scopus.com/inward/record.url?scp=35048892067&partnerID=8YFLogxK
U2 - 10.1007/978-3-540-24638-1_6
DO - 10.1007/978-3-540-24638-1_6
M3 - Chapter
AN - SCOPUS:35048892067
SN - 3540210008
SN - 9783540210009
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 101
EP - 120
BT - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
A2 - Naor, Moni
PB - Springer Verlag
ER -