List-decoding of linear functions and analysis of a two-round zero-knowledge argument

Abstract

Dwork and Stockmeyer showed 2-round zero-knowledge proof systems secure against provers which are resource-bounded during the interaction [6]. The resources considered are running time and advice (the amount of precomputed information). We re-cast this construction in the language of list-decoding. This perspective leads to the following improvements: 1. We give a new, simpler analysis of the protocol's unconditional security in the advice-bounded case. Like the original, the new analysis is asymptotically tight. 2. When the prover is bounded in both time and advice, we substantially improve the analysis of [6]: we prove security under a worst-case (instead of average-case) hardness assumption. Specifically, we assume that there exists g ∈ DTIME(2 3) such that g is hard in the worst case for MAM circuits of size O(2s(1/2+γ)) for some γ > 0. Here s is the input length and MAM corresponds the class of circuits which are verifiers in a 3-message interactive proof (with constant soundness error) in which the prover sends the first message. In contrast, Dwork and Stockmeyer require a function that is average-case hard for "proof auditors," a model of computation which generalizes randomized, non-deterministic circuits. 3. Our analyses rely on new results on list-decodability of codes whose codewords are linear functions from {0,1}l to {0,1}l. For (1), we show that the set of all linear transformations is a good list-decodable code. For (2), we give a new, non-deterministic list-decoding procedure which runs in time quasi-linear in l. © Springer-Verlag 2004.