Public Key Cryptography – PKC 2010

Volume 6056 of the series Lecture Notes in Computer Science pp 177-192

Groth–Sahai Proofs Revisited

  • Essam GhadafiAffiliated withDept. Computer Science, University of Bristol
  • , Nigel. P. SmartAffiliated withDept. Computer Science, University of Bristol
  • , Bogdan WarinschiAffiliated withDept. Computer Science, University of Bristol


Since their introduction in 2008, the non-interactive zero-knowledge (NIZK) and non-interactive witness indistinguishable (NIWI) proofs designed by Groth and Sahai have been used in numerous applications. In this paper, we offer two contributions to the study of these proof systems. First, we identify and correct some errors, present in the oringal online manuscript, that occur in two of the three instantiations of the Groth-Sahai NIWI proofs for which the equation checked by the verifier is not valid for honest executions of the protocol. In particular, implementations of these proofs would not work correctly. We explain why, perhaps surprisingly, the NIZK proofs that are built from these NIWI proofs do not suffer from a similar problem. Secondly, we study the efficiency of existing instantiations and note that only one of the three instantiations has the potential of being practical. We therefore propose a natural extension of an existing assumption from symmetric pairings to asymmetric ones which in turn enables Groth-Sahai proofs based on new classes of efficient pairings.