List-Decoding of Linear Functions and Analysis of a Two-Round Zero-Knowledge Argument

On the communication complexity of zero-knowledge proofs

Journal of Cryptology, 1993

The fact that there are zero-knowledge proofs for all languages in NP (see , , and [5]) has, potentially, enormous implications to cryptography. For cryptographers, the issue is no longer "which languages in NP have zero-knowledge proofs" but rather "which languages in NP have practical zero-knowledge proofs." Thus, the concrete complexity of zero-knowledge proofs for different languages must be established.

Linear zero-knowledge---a note on efficient zero-knowledge proofs and arguments

Proceedings of the twenty-ninth annual ACM symposium on Theory of computing - STOC '97, 1997

We present a zero-knowledge proof system [19] for any NP language L, which allows showing that x ∈ L with error probability less than 2^{-k} using communication corresponding to O(|x|^c) + k bit commitments, where c is a constant depending only on L. The proof can be based on any bit commitment scheme with a particular set of properties. We suggest an efficient implementation based on factoring. We also present a 4-move perfect zero-knowledge interactive argument for any NP language L. On input x ∈ L, the communication complexity is O(|x|^c) · max(k, l) bits, where l is the security parameter for the prover¹. Again, the protocol can be based on any bit commitment scheme with a particular set of properties. We suggest efficient implementations based on discrete logarithms or factoring. We present an application of our techniques to multiparty computations, allowing for example t committed oblivious transfers with error probability 2^{-k} to be done simultaneously using O(t+k) commitments. Results for general computations follow from this. As a function of the security parameters, our protocols have the smallest known asymptotic communication complexity among general proofs or arguments for NP. Moreover, the constants involved are small enough for the protocols to be practical in a realistic situation: both protocols are based on a Boolean formula Φ containing and-, or- and not-operators which verifies an NP-witness of membership in L. Let n be the number of times this formula reads an input variable. Then the communication complexity of the protocols when using our concrete commitment schemes can be more precisely stated as at most 4n + k + 1 commitments for the interactive proof and at most 5nl + 5l bits for the argument (assuming k ≤ l). Thus, if we use k = n, the number of commitments required for the proof is linear in n. Both protocols are also proofs of knowledge of an NP-witness of membership in the language involved.

* Basic Research in Computer Science, Centre of the Danish National Research Foundation.

¹ The meaning of l is that if the prover is unable to solve an instance of a hard problem of size l before the protocol is finished, he can cheat with probability at most 2^{-k}.

Lists that are smaller than their parts: A coding approach to tunable secrecy

2012 50th Annual Allerton Conference on Communication, Control, and Computing (Allerton), 2012

We present a new information-theoretic definition and associated results, based on list decoding in a source coding setting. We begin by presenting list-source codes, which naturally map a key length (entropy) to list size. We then show that such codes can be analyzed in the context of a novel information-theoretic metric, ε-symbol secrecy, that encompasses both the one-time pad and traditional rate-based asymptotic metrics, but, like most cryptographic constructs, can be applied in non-asymptotic settings. We derive fundamental bounds for ε-symbol secrecy and demonstrate how these bounds can be achieved with MDS codes when the source is uniformly distributed. We discuss applications and implementation issues of our codes.

Zero-Communication Reductions

IACR Cryptol. ePrint Arch., 2020

We introduce a new primitive in information-theoretic cryptography, namely zero-communication reductions (zcr), with different levels of security. We relate zcr to several other important primitives, and obtain new results on upper and lower bounds. In particular, we obtain new upper bounds for PSM, CDS and OT complexity of functions, which are exponential in the information complexity of the functions. These upper bounds complement the results of Beimel et al. [BIKK14] which broke the circuit-complexity barrier for “high complexity” functions; our results break the barrier of input size for “low complexity” functions. We also show that lower bounds on secure zcr can be used to establish lower bounds for OT-complexity. We recover the known (linear) lower bounds on OT-complexity [BM04] via this new route. We also formulate the lower bound problem for secure zcr in purely linear-algebraic terms, by defining the invertible rank of a matrix. We present an Invertible Rank Conjecture, pro...

A general approach to list decoding

2017

In [1] we derived one shot achievable and converse bounds with possible mismatched decoding. In this paper, we extend the results to the list decoding case.

An Efficient Noninteractive Zero-Knowledge Proof System for NP with General Assumptions

Journal of Cryptology, 1998

We consider noninteractive zero-knowledge proofs in the shared random string model proposed by Blum et al. [5]. Until recently there was a sizable polynomial gap between the most efficient noninteractive proofs for NP based on general complexity assumptions [11] versus those based on specific algebraic assumptions [7]. Recently, this gap was reduced to a polylogarithmic factor [17]; we further reduce the gap to a constant factor. Our proof system relies on the existence of one-way permutations (or trapdoor permutations for bounded provers). Our protocol is stated in the hidden bit model introduced by Feige et al. [11]. We show how to prove that an n-gate circuit is satisfiable, with error probability 1/n^{O(1)}, using only O(n lg n) random committed bits. For this error probability, this result matches to within a constant factor the number of committed bits required by the most efficient known interactive proof systems.

A Lower Bound on the List-Decodability of Insdel Codes

arXiv (Cornell University), 2022

For codes equipped with metrics such as the Hamming metric, symbol pair metric or cover metric, the Johnson bound guarantees list-decodability of such codes. That is, the Johnson bound provides a lower bound on the list-decoding radius of a code in terms of its relative minimum distance δ, list size L and the alphabet size q. For the study of list-decodability of codes with insertion and deletion errors (we call such codes insdel codes), it is natural to ask the open problem whether there is also a Johnson-type bound. The problem was first investigated by Wachter-Zeh and the result was amended by Hayashi and Yasunaga, where a lower bound on the list-decodability for insdel codes was derived. The main purpose of this paper is to move a step further towards solving the above open problem. In this work, we provide a new lower bound for the list-decodability of an insdel code. As a consequence, we show that, unlike the Johnson bound for codes under other metrics, which is tight, the bound on list-decodability of insdel codes given by Hayashi and Yasunaga is not tight. Our main idea is to show that if an insdel code with a given Levenshtein distance d is not list-decodable with list size L, then the list decoding radius is lower bounded by a bound involving L and d. In other words, if the list decoding radius is less than this lower bound, the code must be list-decodable with list size L. At the end of the paper we use such a bound to provide an insdel-list-decodability bound for various well-known codes, which has not been extensively studied before.

Proofs, codes, and polynomial-time reducibilities

1999

We show how to construct proof systems for NP languages where a deterministic polynomial-time verifier can check membership, given any N^{(2/3)+ε} bits of an N-bit witness of membership. We also provide a slightly superpolynomial time proof system where the verifier can check membership, given only N^{(1/2)+ε} bits of an N-bit witness. These pursuits are motivated by the work of Gal et al. (1997).