Efficient Designated-Verifier Non-interactive Zero-Knowledge Proofs of Knowledge

Chaidos, Pyrros; Couteau, Geoffroy

doi:10.1007/978-3-319-78372-7_7

Pyrros Chaidos¹⁵ &
Geoffroy Couteau¹⁶

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10822))

Included in the following conference series:

Annual International Conference on the Theory and Applications of Cryptographic Techniques

3541 Accesses
18 Citations

Abstract

We propose a framework for constructing efficient designated-verifier non-interactive zero-knowledge proofs ($\mathsf {DVNIZK}$) for a wide class of algebraic languages over abelian groups, under standard assumptions. The proofs obtained via our framework are proofs of knowledge, enjoy statistical, and unbounded soundness (the soundness holds even when the prover receives arbitrary feedbacks on previous proofs). Previously, no efficient $\mathsf {DVNIZK}$ system satisfying any of those three properties was known. Our framework allows proving arbitrary relations between cryptographic primitives such as Pedersen commitments, ElGamal encryptions, or Paillier encryptions, in an efficient way. For the latter, we further exhibit the first non-interactive zero-knowledge proof system in the standard model that is more efficient than proofs obtained via the Fiat-Shamir transform, with still-meaningful security guarantees and under standard assumptions. Our framework has numerous applications, in particular for the design of efficient privacy-preserving non-interactive authentication.

G. Couteau—Part of this work was made while the second author was at École Normale Supérieure de Paris, France.

You have full access to this open access chapter, Download conference paper PDF

Public-Coin Zero-Knowledge Arguments with (almost) Minimal Time and Space Overheads

Non-interactive Zero-Knowledge in Pairing-Free Groups from Weaker Assumptions

Efficient Adaptively Secure Zero-Knowledge from Garbled Circuits

Keywords

1 Introduction

Zero-knowledge proof systems allow a prover to convince someone of the truth of a statement, without revealing anything beyond the fact that the statement is true. After their introduction in the seminal work of Goldwasser, Micali, and Rackoff [34], they have proven to be a fundamental primitive in cryptography. Among them, non-interactive zero-knowledge proofs ($\mathsf {NIZK}$ proofs), where the proof consists of a single flow from the prover to the verifier, are of particular interest, in part due to their tremendous number of applications in cryptographic primitives and protocols, and in part due to the theoretical and technical challenges that they represent.

For almost two decades after their introduction in [10], $\mathsf {NIZKs}$ coexisted in two types: inefficient $\mathsf {NIZKs}$ secure under standard assumptions (such as doubly enhanced trapdoor permutations [30]) in the common reference string model, and practically efficient $\mathsf {NIZKs}$ built from the Fiat-Shamir heuristic [31, 47], which are secure in the random oracle model [6] (hence only heuristically secure in the standard model). This state of affairs changed with the arrival of pairing-based cryptography, from which a fruitful line of work (starting with the work of Groth, Ostrovsky, and Sahai [37, 38]) introduced increasingly more efficient $\mathsf {NIZK}$ proof systems in the standard model. That line of work culminated with the framework of Groth-Sahai proofs [39], which provided an efficient framework of pairing-based $\mathsf {NIZKs}$ for a large class of useful languages. Yet, one decade later, pairing-based $\mathsf {NIZKs}$ from the Groth-Sahai framework remain the only known efficient $\mathsf {NIZK}$ proof system in the standard model. Building efficient $\mathsf {NIZKs}$ in the standard model, without pairing-based assumptions, is a major open problem, and research in this direction has proven elusive.

1.1 Designated-Verifier Non-interactive Zero-Knowledge

Parallel to the research on $\mathsf {NIZKs}$, an alternative promising line of research has focused on designated-verifier non-interactive zero-knowledge proof systems ($\mathsf {DVNIZKs}$). A $\mathsf {DVNIZK}$ retains most of the security properties of a $\mathsf {NIZK}$, but is not publicly verifiable: only the owner of some secret information (the designated verifier) can check the proof. Nevertheless, $\mathsf {DVNIZKs}$ can replace publicly verifiable $\mathsf {NIZKs}$ in a variety of applications. In addition, unlike their publicly-verifiable counterpart, it is known that efficient $\mathsf {DVNIZKs}$ secure in the standard model for rich classes of languages can be constructed without pairing-based assumptions [17, 23, 43, 49]. However, to date, research in $\mathsf {DVNIZKs}$ has attracted less attention than $\mathsf {NIZKs}$, the previously listed papers being (to our knowledge) the only existing works on this topic, and several important questions have been left open. We list the main open questions below.

Proofs Versus Arguments. A non-interactive zero-knowledge argument system is a $\mathsf {NIZK}$ in which the soundness property is only required to hold against computationally bounded adversaries. In a $\mathsf {NIZK}$ proof system, however, soundness is required to hold even against unbounded adversaries.

Currently, while several $\mathsf {DVNIZK}$ argument systems have been designed in the standard model without pairing-based assumptions, efficient $\mathsf {DVNIZK}$ proof systems without pairings remain an open question. In fact, to our knowledge, the only known constructions of (possibly inefficient) $\mathsf {DVNIZK}$ proofs rely on publicly-verifiable $\mathsf {NIZK}$ proofs.

Soundness Versus Knowledge Extraction. A non-interactive zero-knowledge proof (or argument) system is a $\mathsf {NIZK}$ of knowledge if it guarantees that, when the prover succeeds in convincing the verifier, he must know a witness for the truth of the statement. This is in constrast with the standard soundness notion, which only guarantees that the statement is true. Formally, this is ensured by requiring the existence of an efficient simulator that can extract a witness from the proof.

Non-interactive zero-knowledge proofs of knowledge are more powerful than standard $\mathsf {NIZKs}$, and the knowledge-extractability property is crucial in many applications. In particular, they are necessary for the very common task of proving relations between values committed with a perfectly hiding commitment scheme, and they are a core component in privacy-preserving authentication mechanisms [4]. Currently, all known $\mathsf {DVNIZK}$ argument systems are not arguments of knowledge. Designing efficient $\mathsf {DVNIZKs}$ of knowledge without pairing-based assumptions remains an open question.

Bounded Soundness Versus Unbounded Soundness. The classical soundness security notion for non-interactive zero-knowledge proof systems states that if the statement is not true, no malicious prover can possibly convince the verifier of the truth of the statement with non-negligible probability. While this security notion is sufficient for publicly-verifiable $\mathsf {NIZKs}$, it turns out to be insufficient when considering designated-verifier $\mathsf {NIZKs}$, and corresponds only to a passive type of security notion. Indeed, the verification of a $\mathsf {DVNIZK}$ involves a secret value, known to the verifier. The fact that a $\mathsf {DVNIZK}$ satisfies the standard soundness notion does not preclude the possibility for a malicious prover to learn this secret value, e.g. by submitting a large number of proofs and receiving feedback on whether the proof was accepted or not. Intuitively, this is the same type of issue as for encryption schemes indistinguishable against chosen-plaintext attacks, which can be broken if the adversary is given access to a decryption oracle, or for signature schemes secure against key-only or known-message attacks, which can be broken if the adversary is given access to a signing oracle. Here, an adversary could possibly break the soundness of a $\mathsf {DVNIZK}$ if it is given access to a verification oracle.

In practice, this means that as soon as a proof system with bounded soundness is used for more than a logarithmic number of proofs, the soundness property is no longer guaranteed to hold. This calls for a stronger notion of soundness, unbounded soundness, which guarantees security even against adversaries that are given arbitrary access to a verification oracle.

Designing a $\mathsf {DVNIZK}$ with unbounded soundness has proven to be highly non-trivial. In fact, apart from publicly-verifiable $\mathsf {NIZKs}$ (which can be seen as particular types of $\mathsf {DVNIZKs}$ where the secret key of the verifier is the empty string), the only known construction of $\mathsf {DVNIZK}$ claiming to satisfy unbounded soundness is the construction of [23], where the claim is supported by a proof of security in an idealized model. However, we found this claim to be flawed: there is an explicit attack against the unbounded soundness of any protocol obtained using the compiler of [23], which operates by using slightly malformed proofs to extract the verification key. In the full version of this work [16], we describe our attack, and identify the flaw in the proof of Theorem 5 in [23, Appendix A]. We have notified the authors of our finding and will update future versions of this work with their reply. To our knowledge, in all current constructions, the common reference string and the public key must be refreshed after a logarithmic number of proofs.

1.2 Our Contribution

In this work, we first introduce a framework for designated-verifier $\mathsf {NIZKs}$ on group-dependent languages, in the spirit of the Groth-Sahai framework for $\mathsf {NIZKs}$ on languages related to pairing-friendly elliptic curves. Our framework only requires that the underlying abelian group on which it is instantiated has order M, where $\mathbb {Z}_M$ is the plaintext-space of an homomorphic cryptosystem with specific properties, and allows to prove a wide variety statements formulated in terms of the operation associated to this abelian group. In particular, we do not need to rely on pairings. The $\mathsf {DVNIZKs}$ obtained with our framework are efficient, as they only require a few group elements and ciphertexts. The zero-knowledge property of our schemes reduces to the $\mathsf {IND\text {-}CPA}$ security of the underlying encryption scheme. Additionally, our $\mathsf {DVNIZKs}$ enjoy the following properties: they are (adaptively) knowledge-extractable; their knowledge-extractability holds statistically; their knowledge-extractability is unbounded. We stress that previously, no efficient construction of $\mathsf {DVNIZK}$ in the standard model satisfying any of the above properties was known. The third property, unbounded soundness, was only claimed to hold for the construction of [23], and this claim was formalized with a proof in an idealized model, but as previously mentioned, we found this claim to be flawed. We also point out that in the Groth-Sahai framework, witness extraction is limited either to statements about group elements, or to statements about exponents committed in a bit-by-bit fashion (making the proof highly inefficient). In contrast, our proof system allows to efficiently extract large exponents, without harming the efficiency of the proof. In addition to the above properties, our $\mathsf {DVNIZKs}$ satisfy some other useful properties: they are multi-theorem [30], randomizable [3], and same-string zero-knowledge [27] (i.e., the common reference string used by the prover and the simulator are the same).

Second, our framework comes with a dual variant, where the role of the encryption scheme and the abelian group are reversed, to prove statements, not about elements of the abelian group, but about the underlying homomorphic encryption scheme. This dual variant leads to $\mathsf {DVNIZKs}$ satisfying adaptive statistical unbounded soundness, but not knowledge-extractability (i.e. the dual variant does not give proofs of knowledge).

Third, we show that if one is willing to give up unbounded soundness for efficiency, our techniques can be used to construct extremely efficient $\mathsf {DVNIZKs}$ with bounded-soundness. The $\mathsf {DVNIZKs}$ that we obtain this way are more efficient than any previously known construction of non-interactive zero-knowledge proofs, even when considering $\mathsf {NIZKs}$ in the random oracle model using the Fiat-Shamir transform: the proofs we obtain are shorter than the proofs obtained via the Fiat-Shamir transform by almost a factor two. To our knowledge, this is the first example of a $\mathsf {NIZK}$ construction in the standard model which (conditionally) improves on the Fiat-Shamir paradigm.

Instantiating the Encryption Scheme. Informally, the security properties we require from the underlying scheme are the following: it must be additively homomorphic, with plaintext space $\mathbb {Z}_M$, random source $\mathbb {Z}_R$, and $\gcd (M,R) = 1$, and it must be decodable, which means that a plaintext m can be efficiently recovered from an encryption of m with random coin 0. A natural candidate for the above scheme is the Paillier encryption scheme [45] (and its variants, such as Damgård-Jurik [26]). This gives rise to efficient $\mathsf {DVNIZK}$ proofs of knowledge over abelian groups of composite order (e.g. subgroups of $\mathbb {F}_p^*$, with order a prime $p = k\cdot n + 1$ for a small k and an RSA modulus n, or composite-order elliptic curves), as well as efficient $\mathsf {DVNIZKs}$ for proving relations between Paillier ciphertexts (using the dual variant of our framework). Alternatively, the scheme can also be instantiated with the more recent Castagnos-Laguillaumie encryption scheme [15] to get $\mathsf {DVNIZKs}$ over prime-order abelian groups.

Our framework captures many useful zero-knowledge proofs of knowledge that are commonly used in cryptography. This includes $\mathsf {DVNIZK}$ proofs of knowledge of a discrete logarithm, of correctness of a Diffie-Hellman tuple, of multiplicative relationships between Pedersen commitments or ElGamal ciphertexts (or variants thereof), among many others. Our results show that, in the settings where a designated-verifier is sufficient, one can build efficient non-interactive zero-knowledge proofs of knowledge for most statements of interest, under well-known assumptions and with strong security properties, without having to rely on pairing-friendly groups.

1.3 Our Method

It is known that linear relations (i.e., membership in linear subspaces) can be non-interactively verified, using the homomorphic properties of cryptographic primitives over abelian groups. Indeed, $\mathsf {DVNIZK}$ proofs for linear languages can be constructed, e.g., from hash proof systems [33, 41]. In [39], pairings provide exactly the additional structure needed to evaluate degree-two relations, which can be easily generalized to arbitrary relations.

An alternative road was taken in [23] and subsequent works, to obtain non-interactive zero-knowledge proofs for a wide variety of relations, in the designated-verifier setting. To illustrate, let us consider a prover interacting with a verifier, with a common input $(g_1,g_2,h_1,h_2)\in \mathbb {G}^4$ in some group $\mathbb {G}$ of order p, where p is a $\lambda $-bit prime. The prover wants to show that $(h_1,h_2)$ have the same discrete logarithm in the basis $(g_1,g_2)$, i.e., there exists x such that $(h_1,h_2) = (g_1^x,g_2^x)$. The standard interactive zero-knowledge proof for this statement proceeds as follows:^{Footnote 1}

1.
The prover picks $r{\mathop {\leftarrow }\limits ^{{}_\$}}\{0,1\} ^{3\lambda }$, and sends $(a_1,a_2) \leftarrow (g_1^r,g_2^r)$.
2.
The verifier picks and sends a uniformly random challenge $e {\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_p$.
3.
The prover computes and sends $d \leftarrow e\cdot x + r$. The verifier accepts the proof if and only if $(g_1^d,g_2^d) = (h_1^ea_1, h_2^ea_2)$.

The idea of [23] is to squash this interactive protocol into a (designated-verifier) non-interactive proof, by giving the challenge to the prover in advance. As knowing the challenge before sending the first flow gives the prover the ability to cheat, the challenge is encrypted with an additively homomorphic encryption scheme. That way, the prover cannot see the challenge; yet, he can still compute an encryption of the value d homomorphically, using the encryption of e. The verifier, who is given the secret verification key, can decrypt the last flow and perform the above check. Thus, the proof is a tuple $(a_1,a_2,c_d)$, where $c_d$ is an encryption of d computed from (x, r) and an encryption $c_e$ of the challenge e.

Although natural, this intuitive approach has proven quite tough to analyze. In [23], the authors had to rely on a new complexity-leveraging-type assumption tailored to their scheme, which (informally) states that the simulator cannot break the security of the encryption scheme, even if he is powerful enough to break the problem underlying the protocol (in the above example, the discrete logarithm problem over $\mathbb {G}$). Even in the bounded setting, analyzing the soundness guarantees of the protocols obtained by this compilation technique (and its variants) is non-trivial, and it has been the subject of several subsequent works [17, 43, 49]. Additionally, in the unbounded setting, where we must give an efficient simulator that can successfully answer to the proofs submitted by any malicious prover, this compilation technique breaks down. Furthermore, for $\mathsf {DVNIZKs}$ constructed with this method, soundness holds only computationally, and security does not guarantee that the simulator can extract a witness for the statement.

Our core idea to overcome all of the above issues is to implement the same strategy in a slightly different way: rather than encrypting the challenge e as the plaintext of an homomorphic encryption scheme, we encrypt it as the random coin of an encryption scheme which is also homomorphic over the coins. To understand how this allows us to improve over all previous constructions, suppose that we have an encryption scheme $\mathsf {Enc} $ which is homomorphic over both the plaintext and the random coins, with plaintext space $\mathbb {Z}_M$ and random source $\mathbb {Z}_R$, and that M is coprime to R. Consider the previously described protocol for proving equality of two discrete logarithms. Given an encryption $\mathsf {Enc} (0;e)$ of 0, where the challenge is the random coin, a prover holding (x, r) can compute and send $\mathsf {Enc} (x;\rho )$ and $\mathsf {Enc} (r;-e\rho )$, for some random $\rho $. This allows the verifier, who knows e, to compute $\mathsf {Enc} (x\cdot e + r;0)$, from which she can extract $d = x\cdot e + r \bmod M$ (note that the verifier only needs to know e; unlike in previous work, she does not need to know the decryption key of $\mathsf {Enc} $). Observe that the extracted value depends only on e modulo M. At the same time, however, the ciphertext E(0; e) only leaks e modulo R, even to an unbounded adversary. By picking e to be sufficiently large ($e > MR$), as M is coprime to R, the verifier can ensure that this leaks no information (statistically) about $e\bmod M$. Therefore, we can use a statistical argument to show that the prover cannot cheat when the verification using d succeeds. To allow for efficient simulation of the verifier, we simply give to the simulator the secret key of the scheme, which will allow him to extract all encrypted values, and to check the validity of the equations, without knowing $e\bmod M$. As the simulator is able to extract the values encrypted with $\mathsf {Enc} $, the scheme can be proven to be (statistically) knowledge-extractable. Contrary to previous constructions, the verification key is a random coin rather than the secret key of an encryption scheme. The secret key is only used to extract information in the simulated game.

Example: DVNIZK Proof of Knowledge of a Discrete Logarithm. We illustrate our method with the classical example of proving knowledge of a discrete logarithm. For concreteness, we describe an explicit protocol using the Paillier encryption scheme; therefore, this section assumes some basic knowledge of the Paillier encryption scheme. All necessary preliminaries can be found in Sect. 2. Let $\mathbb {G}$ be a group of order $n $, where $n=p\cdot q$ is an RSA modulus (i.e., a product of two strong primes). Let g be a generator of $\mathbb {G}$, and let T be a group element. A prover P wishes to prove to a verifier V that he knows a value $t \in \mathbb {Z}_n $ such that $g^t = T$.

Let $h \leftarrow u^n \bmod n ^2$, where u denotes an arbitrary generator of $\mathbb {J}_n $, the subgroup of elements of ${\mathbb {Z}^*_n}$ with Jacobi symbol 1. The Paillier encryption of a message $m \in \mathbb {Z}_n $ with randomness $r\in \mathbb {Z}_{\varphi (n)/2}$ is $\mathsf {Enc} (m;r) = (1+n)^mh^r \bmod n ^2$. The public key of the $\mathsf {DVNIZK}$ is $E = h^e \in \mathbb {Z}^*_{n ^2}$, for a random $e \gg n \cdot \varphi (n)/2$; observe that this is exactly $\mathsf {Enc} (0;e)$. The secret key is e. The $\mathsf {DVNIZK}$ proceeds as follows:

The prover P picks $x {\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_n $ and a Paillier random coin r, and computes $X \leftarrow g^x$, $T' \leftarrow (1+n)^th^r \bmod n ^2$, and $X'\leftarrow (1+n)^xE^{-r} \bmod n ^2$. The verifier V computes $D \leftarrow T^eX \bmod n ^2$ and $D' \leftarrow (T')^eX' \bmod n ^2$. Then, she checks that $D'$ is of the form $(1+n)^d \bmod n ^2$. If so, V computes $d \bmod n $ from $D'$, and checks that $D = g^d$. V accepts iff both checks succeeded.

Let us provide an intuition of the security of this scheme. Correctness follows easily by inspection. Zero-knowledge comes from the fact that $T'$ hides t, under the $\mathsf {IND\text {-}CPA}$ security of Paillier. For statistical knowledge extractability, note E only reveals $e \bmod \varphi (n)$ to an unbounded adversary, which leaks (statistically) no information on $e \bmod n $ as $\varphi (n)$ is coprime to $n $. This ensures the value $t'$ encrypted in $T'$ must be equal to t, otherwise the verification equations would uniquely define $e\bmod n $, which is statistically unknown to the prover. The simulator knows $\varphi (n)$ (but not $e\bmod n $) and gets t by decrypting $T'$.

1.4 Applications

A natural application of non-interactive zero-knowledge proofs of knowledge is the design of privacy-preserving non-interactive authentication schemes. This includes classical authentication protocols, but also P-signatures [4] and their many applications, such as anonymous credentials [4], group signatures [20], electronic cash [19], or anonymous authentication [48]. Our framework can lead to a variety of efficient new constructions of designated-verifier variants for the above applications without pairings, whereas all previous constructions either had to rely on the random oracle model, or use pairing-based cryptography.^{Footnote 2} In many scenarios of non-interactive authentication, the designated-verifier property is not an issue.

In addition, the aforementioned applications build upon the Groth-Sahai framework for $\mathsf {NIZKs}$. However, Groth-Sahai $\mathsf {NIZKs}$ only satisfy a restricted notion of extractability, called f-extractability in [4]. As a result, constructions of privacy-preserving authentication mechanisms from Groth-Sahai $\mathsf {NIZKs}$ require a careful security analysis. Our framework leads to fully extractable zero-knowledge proofs, which could potentially simplify this. We note that our $\mathsf {DVNIZKs}$ are additionally randomizable, which has applications for delegatable anonymous credential schemes [3].

Other potential applications of our framework include round-efficient two-party computation protocols secure against malicious adversaries, electronic voting (see e.g. [17]), as well as designated-verifier variants of standard cryptographic primitives, such as verifiable encryption [13], or verifiable pseudorandom-functions [5]. Potential applications to the construction of adaptive oblivious transfers can also be envisioned: in [35], the authors mention that an adaptive oblivious transfer protocol can be designed by replacing the interactive zero-knowledge proofs of the protocol of [14] by non-interactive one. They raise two issues to this approach, namely, that Groth-Sahai proofs are only witness-indistinguishable for the required class of statements, and that they only satisfy a weak form of extractability. None of these restrictions apply to our $\mathsf {DVNIZK}$ constructions.

1.5 Related Work

Non-interactive zero-knowledge proofs were first introduced in [10]. Efficient publicly-verifiable non-interactive zero-knowledge proofs can be constructed in the random oracle model [31, 32, 47], or in the non-programmable random oracle model [42] (using a common reference string in addition). The latter construction was improved in [21]. In the standard model, the main construction of efficient publicly-verifiable $\mathsf {NIZKs}$ is the Groth-Sahai framework [39].

Designated-verifier non-interactive zero-knowledge arguments where first introduced in [46], where it was shown that the existence of semantically secure encryption implies the existence of $\mathsf {DVNIZK}$ arguments with bounded soundness; however, the construction is highly inefficient and therefore only of theoretical interest. Furthermore, even putting aside efficiency consideration, the construction is inherently limited to arguments (as opposed to proofs) with bounded soundness (as opposed to unbounded soundness).

Designated-verifier $\mathsf {NIZKs}$ for linear languages can be constructed from hash proof systems [22, 33, 41]. Such $\mathsf {NIZKs}$ are perfectly zero-knowledge and statistically adaptively sound, but are not proofs of knowledge and are restricted to very specific statements, captured by linear equations.

Efficient designated-verifier $\mathsf {NIZKs}$ for more general statements were first described in [23]. The authors describe a general compiler that converts any three-round (honest-verifier) zero-knowledge protocol satisfying some (mild) requirements into a $\mathsf {DVNIZK}$. However, the construction has several drawbacks: the soundness only holds under a very specific complexity-leveraging assumption, and only against adversaries making at most $O(\log \lambda )$ proofs (as already mentioned, the paper claims that the construction enjoy unbounded soundness as well, but this claim is flawed, see the full version [16]). In addition, the proofs obtained with this compiler are not proofs of knowledge.

In subsequent works [17, 49], variations of the compilation technique of [23] are described, where the complexity-leveraging assumption was replaced by more standard assumptions (although achieving a more restricted type of soundness) by relying on encryption schemes with additional properties. Eventually, [43] removes some of the constraints of the constructions of [17], and provides new protocols that can be compiled using the transformation. However, all the constructions obtained in these papers are only computationally sound, do not enjoy unbounded soundness, and are not proofs of knowledge; this strongly limits their scope, and in particular, prevents them from being used in the previously discussed applications.

1.6 Organization

In Sect. 2, we introduce our notation, and necessary primitives. We refer the reader to the full version of this work [16] for classical preliminaries on commitments and cryptosystems. Section 2 also describes the notion of a $\mathsf {DVNIZK}$-friendly encryption scheme, which is central to our framework. In Sect. 3, we introduce our framework for building $\mathsf {DVNIZKs}$ of knowledge over an abelian group, illustrate it with practical examples, and prove its security. In Sect. 4, we describe the dual variant of our framework for proving statements over plaintexts of a $\mathsf {DVNIZK}$-friendly encryption scheme. In the full version of this work [16], we additionally describe optimizations on the efficiency of $\mathsf {DVNIZKs}$ for relations between plaintexts of a $\mathsf {DVNIZK}$-friendly scheme, by eschewing unbounded soundness, as well as our attack on the unbounded soundness of [23].

2 Preliminaries

Throughout this paper, $\lambda $ denotes the security parameter. A probabilistic polynomial time algorithm (PPT, also denoted efficient algorithm) runs in time polynomial in the (implicit) security parameter $\lambda $. A positive function f is negligible if for any polynomial p there exists a bound $B>0$ such that, for any integer $k\ge B$, $f(k)\le 1/{\vert p(k)\vert }$. An event depending on $\lambda $ occurs with overwhelming probability when its probability is at least $1-{{\mathrm{negl}}}(\lambda )$ for a negligible function ${{\mathrm{negl}}}$. Given a finite set S, the notation $x{\mathop {\leftarrow }\limits ^{{}_\$}}S$ means a uniformly random assignment of an element of S to the variable x. We represent adversaries as interactive probabilistic Turing machines; the notation $\mathscr {A}^{\mathcal {O}}$ indicates that the machine $\mathscr {A}$ is given oracle access to $\mathcal {O}$. Adversaries will sometime output an arbitrary state $\mathsf {st}$ to capture stateful interactions.

Abelian Groups and Modules. We use additive notation for groups for convenience, and write for an abelian group of order k. When it is clear from the context, we denote 0 its neutral element (otherwise, we denote it $0_\mathbb {G}$). We denote by $\bullet $ the scalar-multiplication algorithm (i.e. for any $(x,G)\in \mathbb {Z}_k\times \mathbb {G}$, , where the sum contains x terms). Observe that we can naturally view $\mathbb {G}$ as a $\mathbb {Z}_k$-module , for the ring $(\mathbb {Z}_k,+,\cdot )$. For simplicity, we write for $(-1) \bullet G$. We use lower case to denote elements of $\mathbb {Z}_k$, upper case to denote elements of $\mathbb {G}$, and bold notations to denote vectors. We extend the notations to vectors and matrices in the natural way, and write $\varvec{x}\bullet \varvec{G}$ to denote the scalar product (where $\varvec{x},\varvec{G}$ are vectors of the same length t). For a vector $\varvec{v}$, we denote by $\varvec{v}^\intercal $ its transpose. By $\mathsf {GGen}(1^\lambda )$, we denote a probabilistic efficient algorithm that, given the security parameter $\lambda $, generates an abelian group $\mathbb {G}$ such that the best known algorithm for solving discrete logs in G takes time $2^\lambda $. In the following, we write $(\mathbb {G},k){\mathop {\leftarrow }\limits ^{{}_\$}}\mathsf {GGen}(1^\lambda )$. Additionally, we denote by $\mathsf {GGen}(1^\lambda ,k)$ a group generation algorithm that allows us to select the order k beforehand.

RSA Groups. A strong prime is a prime $p = 2p'+1$ such that $p'$ is also a prime. We call RSA modulus a product $n = pq$ of two strong primes. We denote by $\varphi $ Euler’s totient function; it holds that $\varphi (n) = (p-1)(q-1)$. We denote by $\mathbb {J}_n $ the cyclic subgroup of ${\mathbb {Z}^*_n}$ of elements with Jacobi symbol 1 (the order of this group is $\varphi (n)/2$), and by $\mathsf {QR}_n $ the cyclic subroup of squares of ${\mathbb {Z}^*_n}$ (which is also a subgroup of $\mathbb {J}_n $ and has order $\varphi (n)/4$). By $\mathsf {Gen} (1^\lambda )$, we denote a probabilistic efficient algorithm that, given the security parameter $\lambda $, generates a strong RSA modulus $n $ and secret parameters (p, q) where $n =pq$, such that the best known algorithm for factoring $n $ takes time $2^\lambda $. In the following, we write $(n,(p,q)){\mathop {\leftarrow }\limits ^{{}_\$}}\mathsf {Gen} (1^\lambda )$.

2.1 Encryption Schemes

The formal definition of an $\mathsf {IND\text {-}CPA}$-secure public-key encryption scheme is recalled in the full version [16], but in short, a public-key encryption scheme S is a triple of PPT algorithms $(S.\mathsf {KeyGen}, S.\mathsf {Enc}, S.\mathsf {Dec})$, where $S.\mathsf {KeyGen} $ generates a pair $(\mathsf {ek}, \mathsf {dk})$ with an encryption key and a decryption key, decryption (with $\mathsf {dk} $, deterministically) is the reverse operation of encryption (with $\mathsf {ek} $, randomized), and no adversary can distinguish encryptions of one of two messages of its choice ($\mathsf {IND\text {-}CPA}$ security).

In this work, we will focus on additively homomorphic encryption schemes, which are homomorphic for both the message and the random coin. More formally, we require that the message space $\mathcal {M} $ and the random source $\mathcal {R} $ are integer sets $(\mathbb {Z}_M,\mathbb {Z}_R)$ for some integers (M, R), and that there exists an efficient operation $\oplus $ such that for any $(\mathsf {ek},\mathsf {sk}){\mathop {\leftarrow }\limits ^{{}_\$}}\mathsf {KeyGen}(1^\lambda )$, any $(m_1,m_2)\in \mathbb {Z}_M^2$ and $(r_1,r_2) \in \mathbb {Z}_R^2$, denoting $(C_i)_{i\le 2}\leftarrow (S.\mathsf {Enc} _\mathsf {ek} (m_i;r_i))_{i\le 2}$, it holds that $C_1 \oplus C_2 = S.\mathsf {Enc} _\mathsf {ek} (m_1+m_2\bmod M;r_1+r_2\bmod R)$. We say an encryption scheme is strongly additive if it satisfies these requirements. Note that the existence of $\oplus $ implies (via a standard square-and-multiply method) the existence of an algorithm that, on input a ciphertext $C = S.\mathsf {Enc} _\mathsf {ek} (m;r)$ and an integer $\rho \in \mathbb {Z}$, outputs a ciphertext $C' = S.\mathsf {Enc} _\mathsf {ek} (\rho m \bmod M;\rho r\bmod R)$. We denote by $\rho \odot C$ the external multiplication of a ciphertext C by an integer $\rho $, and by $\ominus $ the operation $C \oplus (-1)\odot C'$ for two ciphertexts $(C,C')$. We will sometimes slightly abuse these notations, and write $C \oplus m$ (resp. $C \ominus m$) for a plaintext m to denote $C \oplus S.\mathsf {Enc} _\mathsf {ek} (m;0)$ (resp. $C \ominus S.\mathsf {Enc} _\mathsf {ek} (m;0)$).

A simple observation on strongly additively homomorphic encryption schemes is that $\mathsf {IND\text {-}CPA}$ security implies that R must either be equal to $0\mod M$, or unknown given $\mathsf {ek} $. Otherwise, an $\mathsf {IND\text {-}CPA}$ adversary would set $(m_0,m_1)=(0,1)$ and check if $R \odot C$ equals $S.\mathsf {Enc} _\mathsf {ek} (0;0)$ or $S.\mathsf {Enc} _\mathsf {ek} (R;0)$.

The Paillier Encryption Scheme. The Paillier encryption scheme [45] is a well-known additively homomorphic encryption scheme over $\mathbb {Z}_n $ for an RSA modulus $n $. We describe here a standard variant [25, 43], where the random coin is an exponent over $\mathbb {J}_n $ rather than a group element. Note that the exponent space of $\mathbb {J}_n $ is $\mathbb {Z}_{\varphi (n)/2}$, which is a group of unknown order; however, it suffices to draw exponents at random from $\mathbb {Z}_{n/2}$ to get a distribution statistically close from uniform over $\mathbb {Z}_{\varphi (n)/2}$.

$\mathsf {KeyGen}(1^\lambda )$: run $(n,(p,q)){\mathop {\leftarrow }\limits ^{{}_\$}}\mathsf {Gen} (1^\lambda )$, pick $g {\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {J}_n $, set $h \leftarrow g^n \bmod n ^2$, and compute $\delta \leftarrow n ^{-1} \bmod \varphi (n)$ ($n $ and $\varphi (n)$ are relatively prime). Return $\mathsf {ek} =(n,h)$ and $\mathsf {dk} =\delta $;
$\mathsf {Enc} (\mathsf {ek},m;r)$: given $m\in \mathbb {Z}_n $, for a random $r{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_{n/2}$, compute and output $c\leftarrow (1+n)^m\cdot h^r \bmod n ^2$;
$\mathsf {Dec} (\mathsf {dk},c)$: compute $x\leftarrow c^\mathsf {dk} \bmod n $ and $c_0 \leftarrow [c\cdot x^{-n} \bmod n ^2]$. Return $m\leftarrow (c_0-1)/n $.

Note that knowing $\mathsf {dk} $ is equivalent to knowing the factorization of $n $. The $\mathsf {IND\text {-}CPA}$ security of the Paillier encryption scheme reduces to the decisional composite residuosity ($\mathsf {DCR}$) assumption, which states that it is computationally infeasible to distinguish random $n $’th powers over $\mathbb {Z}^*_{n ^2}$ from random elements of $\mathbb {Z}^*_{n ^2}$.^{Footnote 3} It is also strongly additive, where the homomorphic addition of ciphertexts is the multiplication over $\mathbb {Z}^*_{n ^2}$.

The ElGamal Encryption Scheme. We recall the additive variant of the famous ElGamal cryptosystem [28], over an abelian group of order k.

$\mathsf {KeyGen}(1^\lambda )$: pick $G {\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {G}$, pick $s{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_k$, set $G \leftarrow s\bullet G$, and return $\mathsf {ek} =(G,H)$ and $\mathsf {dk} =s$;
$\mathsf {Enc} (\mathsf {ek},m;r)$: given $m\in \mathbb {Z}_k$, for a random $r{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_k$, output ;
$\mathsf {Dec} (\mathsf {dk},\varvec{C})$: parse $\varvec{C}$ as $(C_0,C_1)$, and compute . Compute the discrete logarithm m of M in base G, and return m.

The $\mathsf {IND\text {-}CPA}$ security of the ElGamal encryption scheme reduces to the decisional Diffie-Hellman ($\mathsf {DDH}$) assumption over $\mathbb {G}$, which states that it is computationally infeasible to distinguish tuples of the form $(G,H,x\bullet G,x\bullet H)$ for random x from uniformly random 4-tuples over $\mathbb {G}$. It is also strongly additive (and the homomorphic operation is the vector addition over $\mathbb {G}$). However, the decryption procedure is not efficient in general, as it requires to compute a discrete logarithm. For the decryption process to be efficient, the message m must be restricted to come from a subset of $\mathbb {Z}_k$ of polynomial size.

DVNIZK-Friendly Encryption Scheme. We say that a strongly additive encryption scheme is $\mathsf {DVNIZK}$ -friendly, when it satisfies the following additional properties:

Coprimality Property: we require that the size M of the plaintext space and the size R of the random source are coprime^{Footnote 4}, i.e., $\gcd (M,R) = 1$;
Decodable: for any $(\mathsf {ek},\mathsf {sk}){\mathop {\leftarrow }\limits ^{{}_\$}}\mathsf {KeyGen}(1^\lambda )$, the function $f_\mathsf {ek}:m\mapsto \mathsf {Enc} _\mathsf {ek} (m;0)$ must be efficiently invertible (i.e., there is a PPT algorithm, which is given $\mathsf {ek} $, computing $f_\mathsf {ek} ^{-1}$ on any value from the image of $f_\mathsf {ek} $).

One can observe that the Paillier cryptosystem is $\mathsf {DVNIZK}$-friendly ($\gcd (n,\varphi (n)) = 1$, and any message m can be efficiently recovered from $\mathsf {Enc} _\mathsf {ek} (m;0) = (1+n)^m\bmod n ^2$), while the ElGamal cryptosystem is not (it satisfies none of the above properties). Other $\mathsf {DVNIZK}$-friendly cryptosystems include variants of the Paillier cryptosystem [12, 22, 24,25,26], and the more recent Castagnos-Laguillaumie cryptosystem [15], with prime-order plaintext space. For simplicity, we will also assume that all prime factors of the size M of the plaintext space of a $\mathsf {DVNIZK}$-friendly cryptosystem are of superpolynomial size; our results can be extended to cryptosystems with a small plaintext space (or a plaintext space with small prime factors), but at a cost in efficiency. Note that by the homomorphic property, the decodability property implies that a plaintext can always be recovered from a ciphertext if the random coin is known.

2.2 Non-interactive Zero-Knowledge Proof Systems

In the definitions below, we focus on proof systems for $\mathsf {NP} $-languages that admit an efficient (polynomial-time) prover. For an $\mathsf {NP} $-language $\mathscr {L}$, we denote $R_\mathscr {L}$ its associated relation, i.e., a polynomial-time algorithm which satisfies . It is well known that non-interactive proof systems cannot exist for non-trivial languages in the plain model [44]; our constructions will be described in the common reference string model. For conciseness, the common reference string is always implictly given as input to all algorithms. We note that all of our constructions can be readily adapted to work in the registered public-key model as well, a relaxation of the common reference string model introduced by Barak et al in [2].

While languages are naturally associated to statements of membership, the constructions of this paper will mainly consider statements of knowledge. We write to denote the statement “I know a witness w such that $R(x,w) = 1$” for a word x and a polytime relation R. Similarly, we write $\mathsf {St} (x) = \exists \{w : R(x,w)=1\}$ to denote the existential statement “there exists a witness w such that $R(x,w) = 1$”.

Definition 1

(Non-Interactive Zero-Knowledge Proof System). A non-interactive zero-knowledge ($\mathsf {NIZK}$) proof system $\Pi $ between for a family of languages $\mathscr {L}= \{\mathscr {L}_{\mathsf {crs}} \}_{\mathsf {crs}} $ is a quadruple of probabilistic polynomial-time algorithms $(\Pi .\mathsf {Setup},\Pi .\mathsf {KeyGen},\Pi .\mathsf {Prove},\Pi .\mathsf {Verify})$ such that

$\Pi .\mathsf {Setup} (1^\lambda )$, outputs a common reference string ${\mathsf {crs}} $ (which specifies the language $\mathscr {L}_{\mathsf {crs}} $),
$\Pi .\mathsf {KeyGen} (1^\lambda )$, outputs a public key $\mathsf {pk} $ and a verification key $\mathsf {vk} $,
$\Pi .\mathsf {Prove} (\mathsf {pk},x,w)$, on input the public key $\mathsf {pk} $, a word $x\in \mathscr {L}_{\mathsf {crs}} $, and a witness w, outputs a proof $\pi $,
$\Pi .\mathsf {Verify} (\mathsf {pk}, \mathsf {vk}, x, \pi )$, on input the public key $\mathsf {pk} $, the verification key $\mathsf {vk} $, a word x, and a proof $\pi $, outputs $b\in \{0,1\} $,

which satisfies the completeness, zero-knowledge, and soundness properties defined below.

We assume for simplicity that once it is generated, the common reference string ${\mathsf {crs}} $ is implicitly passed as an argument to the algorithms $(\Pi .\mathsf {KeyGen},\Pi .\mathsf {Prove},\Pi .\mathsf {Verify})$. In the above definition of $\mathsf {NIZK}$ proof systems, we let the key generation algorithm generate a verification key $\mathsf {vk} $ which is used by the verifier to check the proofs. We call publicly verifiable non-interactive zero-knowledge proof system a $\mathsf {NIZK}$ proof system in which $\mathsf {vk} $ is set to the empty string (or, equivalently, in which $\mathsf {vk} $ is made part of the public key). Otherwise, we call it a designated-verifier non-interactive zero-knowledge proof system.

Definition 2

(Completeness). A $\mathsf {NIZK}$ proof system $\Pi = (\Pi .\mathsf {Setup}, \Pi .\mathsf {KeyGen},$ $\Pi .\mathsf {Prove}, \Pi .\mathsf {Verify})$ for a family of languages $\mathscr {L}= \{\mathscr {L}_{\mathsf {crs}} \}_{\mathsf {crs}} $ with relations $R_{\mathsf {crs}} $ satisfies the (perfect, statistical) completeness property if for ${\mathsf {crs}} {\mathop {\leftarrow }\limits ^{{}_\$}}\Pi .\mathsf {Setup} (1^\lambda )$, for every $x \in \mathscr {L}_{\mathsf {crs}} $ and every witness w such that $R_{\mathsf {crs}} (x,w) = 1$,

where $\mu (\lambda ) = 0$ for perfect completeness, and $\mu (\lambda ) = {{\mathrm{negl}}}(\lambda )$ for statistical completeness.

We now define the zero-knowledge property.

Definition 3

(Composable Zero-Knowledge). A $\mathsf {NIZK}$ proof system $\Pi = (\Pi .\mathsf {Setup},\Pi .\mathsf {KeyGen}, \Pi .\mathsf {Prove},\Pi .\mathsf {Verify})$ for a family of languages $\mathscr {L}= \{\mathscr {L}_{\mathsf {crs}} \}_{\mathsf {crs}} $ with relations $R_{\mathsf {crs}} $ satisfies the (perfect, statistical) composable zero-knowledge property if for any ${\mathsf {crs}} {\mathop {\leftarrow }\limits ^{{}_\$}}\Pi .\mathsf {Setup} (1^\lambda )$, there exists a probabilistic polynomial-time simulator $\mathsf {Sim} $ such that for any stateful adversary $\mathscr {A}$,

$$\begin{aligned}&\left| \Pr \left[ \begin{array}{ll} (\mathsf {pk},\mathsf {vk}) {\mathop {\leftarrow }\limits ^{{}_\$}}\Pi .\mathsf {KeyGen} (1^\lambda ), &{}\\ (x,w)\leftarrow \mathscr {A}(\mathsf {pk},\mathsf {vk}), &{}\;:\; (R_{\mathsf {crs}} (x,w)= 1) \wedge (\mathscr {A}(\pi ) = 1)\\ \pi \leftarrow \Pi .\mathsf {Prove} (\mathsf {pk},x,w) &{} \end{array}\right] -\right. \\&\left. {}\Pr \left[ \begin{array}{ll} (\mathsf {pk},\mathsf {vk}) {\mathop {\leftarrow }\limits ^{{}_\$}}\Pi .\mathsf {KeyGen} (1^\lambda ), &{}\\ (x,w)\leftarrow \mathscr {A}(\mathsf {pk},\mathsf {vk}), &{}\;:\; (R_{\mathsf {crs}} (x,w)= 1) \wedge (\mathscr {A}(\pi ) = 1)\\ \pi \leftarrow \mathsf {Sim} (\mathsf {pk},\mathsf {vk},x) &{} \end{array}\right] \right| \le \mu (\lambda ) \end{aligned}$$

where $\mu (\lambda ) = 0$ for perfect composable zero-knowledge, and $\mu (\lambda ) = {{\mathrm{negl}}}(\lambda )$ for statistical composable zero-knowledge. If the composable zero-knowledge property holds against efficient (PPT) verifiers, the proof system satisfies computational composable zero-knowledge.

The composable zero-knowledge property was first introduced in [36]. It strenghtens the standard zero-knowledge definition, in that it explicitly states that the trapdoor of the simulator is exactly the verification key $\mathsf {vk} $ of the verifier. This strong security property guarantees that the same common reference string can be used for many different proofs, as the same trapdoor is used for simulating all proofs, which enhances the proof system with composability properties. We note that [36] additionally required indistinguishability between real and simulated common reference string; in our constructions, this will be trivially satisfied, as the simulated crs will be exactly the real one. We define below the notion of (bounded) adaptive soundness, which allows the input to be adversarially picked after the public key is fixed.

Definition 4

(Bounded Adaptive Soundness). A $\mathsf {NIZK}$ proof system $\Pi = (\Pi .\mathsf {Setup}, \Pi .\mathsf {KeyGen}, \Pi .\mathsf {Prove},\Pi .\mathsf {Verify})$ for a family of languages $\mathscr {L}= \{\mathscr {L}_{\mathsf {crs}} \}_{\mathsf {crs}} $ with relations $R_{\mathsf {crs}} $ satisfies the bounded adaptive soundness property if for ${\mathsf {crs}} {\mathop {\leftarrow }\limits ^{{}_\$}}\mathsf {Setup} (1^\lambda )$, for every adversary $\mathscr {A}$,

Definition 4 is formulated with respect to arbitrary adversaries $\mathscr {A}$, which leads to a statistical notion of soundness. A natural relaxation of this requirement is to consider only efficient (PPT) adversarial provers. We denote by computational soundness this relaxed notion of soundness. Computationally sound proof systems are called argument systems.

Unbounded Soundness. Definition 4 corresponds to a bounded notion of soundness, in the sense that soundness is only guaranteed to hold when the prover tries to forge a single proof of a wrong statement, right after the setup phase. However, if the prover is allowed to interact polynomially many times with the verifier before trying to forge a proof, sending proofs and receiving feedback on whether the proof was accepted, the previous definition provides no security guarantees.

Intuitively, in this situation, the distinction between bounded and unbounded soundness is comparable to the distinction between security against chosen plaintext attacks and security against chosen ciphertext attacks for cryptosystems. We define unbounded soundness in a similar fashion, by giving the prover access to a verification oracle $\mathcal {O}_{\mathsf {vk}} [\mathsf {pk} ]$ (with ${\mathsf {crs}} $ implicitly given as parameter) which, on input $(x,\pi )$, returns $b \leftarrow \mathsf {Verify} (\mathsf {pk},\mathsf {vk},x,\pi )$.

Definition 5

(Q-bounded Adaptive Soundness). A $\mathsf {NIZK}$ proof system $\Pi = (\Pi .\mathsf {Setup}, \Pi .\mathsf {KeyGen}, \Pi .\mathsf {Prove},\Pi .\mathsf {Verify})$ for a family of languages $\mathscr {L}= \{\mathscr {L}_{\mathsf {crs}} \}_{\mathsf {crs}} $ with relations $R_{\mathsf {crs}} $ satisfies the Q-bounded adaptive soundness property if for ${\mathsf {crs}} {\mathop {\leftarrow }\limits ^{{}_\$}}\Pi .\mathsf {Setup} (1^\lambda )$, and every adversary $\mathscr {A}$ making at most Q queries to $\mathcal {O}_{\mathsf {vk}} [\mathsf {pk} ]$, it holds that

Alternatively, the above definition can be formulated with respect to polynomial-time adversarial provers, leading to computational Q-bounded adaptive soundness. Note that the answers of the oracle are bits; therefore, if a $\mathsf {NIZK}$ proof system satisfies the bounded adaptive soundness property of Definition 4, it also satisfies the above Q-bounded adaptive soundness property for any $Q = O(\log \lambda )$. Indeed, if Q is logarithmic, one can always guess in advance the answers of the verification oracle with non-negligible (inverse polynomial) probability. We say that a $\mathsf {NIZK}$ proof system which is Q-bounded adaptively sound for any $Q = \mathsf {poly} (\lambda )$ satisfies unbounded adaptive soundness.

Eventually, we define (unbounded) knowledge-extractability, a strenghtening of the soundness property which guarantees that if the prover produces an accepting proof, then the simulator can actually extract a witness for the statement. To this aim, we extend the syntax of the $\mathsf {Setup} $ algorithm to also output a trapdoor $\tau $, used by the extractor. The knowledge-extractibility guarantee is stronger than soundness, in that the proof guarantees not only that there exists a witness, but also that the prover must know that witness. A $\mathsf {NIZK}$ satisfying knowledge-extractability is called a $\mathsf {NIZK}$ proof of knowledge.

Definition 6

(Q-bounded Knowledge-Extractability). A $\mathsf {NIZK}$ proof system $\Pi = (\Pi .\mathsf {Setup}, \Pi .\mathsf {KeyGen}, \Pi .\mathsf {Prove},\Pi .\mathsf {Verify})$ for a family of languages $\mathscr {L}= \{\mathscr {L}_{\mathsf {crs}} \}_{\mathsf {crs}} $ with relations $R_{\mathsf {crs}} $ satisfies the Q-bounded knowledge-extractability property if for $({\mathsf {crs}},\tau ) {\mathop {\leftarrow }\limits ^{{}_\$}}\Pi .\mathsf {Setup} (1^\lambda )$, and every adversary $\mathscr {A}$ making at most Q queries to $\mathcal {O}_{\mathsf {vk}} [\mathsf {pk} ]$, there is an efficient extractor $\mathsf {Ext} $ such that

3 A Framework for Designated-Verifier Non-interactive Zero-Knowledge Proofs of Knowledge

In this section, we let k be an integer, be an abelian group of order k, and $(\alpha ,\beta ,\gamma )$ be three integers. We will describe a framework for proving statements of knowledge over a wide variety of algebraic relations over $\mathbb {G}$, in the spirit of the Groth-Sahai framework for $\mathsf {NIZK}$ proofs over bilinear groups. To describe the relations handled by our framework, we describe languages of algebraic relations via linear maps. While this system was previously used to describe membership statements [7,8,9], we adapt it to statements of knowledge. As previously observed in [7], this system encompasses a wider class of languages than the Groth-Sahai framework.

3.1 Statements Defined by a Linear Map over $\mathbb {G}$

Let $\varvec{G}\in \mathbb {G}^{\alpha }$ denote a vector of public parameters, and let $\varvec{C}\in \mathbb {G}^{\beta }$ denote a public word. We will consider statements $\mathsf {St} _\Gamma (\varvec{G},\varvec{C})$ defined by a linear map $\Gamma : (\mathbb {G}^\alpha ,\mathbb {G}^\beta ) \mapsto \mathbb {G}^{\gamma \times \beta }$ as follows:

(1)

That is, the prover knows a witness-vector $\varvec{x} \in \mathbb {Z}_k^\gamma $ such that the equation $\varvec{x}\bullet \Gamma (\varvec{G},\varvec{C}) = \varvec{C}$ holds. This abstraction captures a wide class of statements. Below, we describe two examples of statements that can be handled by our framework. They aim at clarifying the way the framework can be used, illustrating its power, as well as providing useful concrete instantiations. The examples focus on the most standard primitives (Pedersen commitments, ElGamal ciphertexts), but the reader will easily recognize they can be naturaly generalized to all standard variants of these primitives (e.g., variants of ElGamal secure under t-linear assumptions [11], or under assumptions from the matrix Diffie-Hellman family of assumptions [29]).

Example 1: Knowledge of Opening to a Pedersen Commitment. We consider statements of knowledge of an opening (m, r) to a Pedersen commitment C.

Public Parameters: $(G,H)\in \mathbb {G}^2$;
Word: $C \in \mathbb {G}$;
Witness: a pair $(m,r)\in \mathbb {Z}_k^2$ such that ;
Linear Map: $\Gamma _\mathsf {Ped}: (G,H,C) \mapsto (G,H)^\intercal $;
Statement: .

Example 2: Multiplicative Relationship Between ElGamal Ciphertexts. This type of statement is of particular interest, as it can be generalized to arbitrary (polynomial) relationships between plaintexts.

Public Parameters: $(G,H)\in \mathbb {G}^2$;
Word: $\varvec{C} = ((U_i,V_i)_{0\le i\le 2}) \in \mathbb {G}^6$;
Witness: a 5-tuple $\varvec{x} = (m_0,r_0,m_1,r_1,r_2)\in \mathbb {Z}_k^5$ such that $U_i = r_i\bullet G$ and for $i=0,1$, and , ;
Linear Map:
$$\Gamma _\mathsf {EM}: (G,H,\varvec{C}) \mapsto \left( \begin{matrix} 0 &{}G &{}0 &{}0 &{}0 &{}0\\ G &{}H &{}0 &{}0 &{}0 &{}0\\ 0 &{}0 &{}0 &{}G &{}U_0 &{}V_0\\ 0 &{}0 &{}G &{}H &{}0 &{}0\\ 0 &{}0 &{}0 &{}0 &{}G &{}H \end{matrix}\right) ;$$
Statement: .

Conjunction of Statements. The above framework naturally handles conjuctions. Consider two statements $(\mathsf {St} _{\Gamma _0}(\varvec{G_0},\varvec{C_0}),\mathsf {St} _{\Gamma _1}(\varvec{G_1},\varvec{C_1}))$, defined by linear maps $(\Gamma _0,\Gamma _1)$, with public parameters $(\varvec{G_1},\varvec{G_1})$, words $(\varvec{C_0},\varvec{C_1})$, and witnesses $(\varvec{x_0},\varvec{x_1})$. Let $\varvec{G} \leftarrow (\varvec{G_1},\varvec{G_1})$, $\varvec{C} \leftarrow (\varvec{C_0},\varvec{C_1})$, and $\varvec{x} \leftarrow (\varvec{x_0},\varvec{x_1})$. We construct the linear map $\Gamma $ associated to $\mathsf {St} _\Gamma (\varvec{G},\varvec{C})$ as $\Gamma \leftarrow ((\Gamma _0,0)^\intercal , (0,\Gamma _1)^\intercal )$. One can immediatly observe that $\mathsf {St} _\Gamma (\varvec{G},\varvec{C}) = \mathsf {St} _{\Gamma _0}(\varvec{G_0},\varvec{C_0}) \wedge \mathsf {St} _{\Gamma _1}(\varvec{G_1},\varvec{C_1})$. The framework handles disjunction of statements as well, as observed in [1]; we omit the details.

3.2 A Framework for $\mathsf {DVNIZK}$ Proofs of Knowledge

We now introduce our framework for constructing designated-verifier non-interactive zero-knowledge proofs of knowledge for statements defined by a linear map over $\mathbb {G}$. Let $S = (S.\mathsf {KeyGen},S.\mathsf {Enc},S.\mathsf {Dec})$ denote a $\mathsf {DVNIZK}$-friendly encryption scheme with plaintext space $\mathbb {Z}_k$. We construct a $\mathsf {DVNIZK}$ of knowledge $\Pi _\mathsf {K} = (\Pi _\mathsf {K}.\mathsf {Setup}, \Pi _\mathsf {K}.\mathsf {KeyGen},\Pi _\mathsf {K}.\mathsf {Prove}, \Pi _\mathsf {K}.\mathsf {Verify})$ for a statement $\mathsf {St} _\Gamma (\varvec{G},\varvec{C})$ over a word $\varvec{C} \in \mathbb {G}^\beta $, with public parameters $\varvec{G} \in \mathbb {G}^\alpha $, defined by a linear map $\Gamma : (\mathbb {G}^\alpha ,\mathbb {G}^\beta ) \mapsto \mathbb {G}^{\gamma \times \beta }$. Our construction proceeds as follows:

$\Pi _\mathsf {K}.\mathsf {Setup} (1^\lambda ):$ compute $(\mathsf {ek},\mathsf {dk}){\mathop {\leftarrow }\limits ^{{}_\$}}S.\mathsf {KeyGen} (1^\lambda )$. Output ${\mathsf {crs}} \leftarrow \mathsf {ek} $. Note that $\mathsf {ek} $ defines a plaintext space $\mathbb {Z}_k$ and a random source $\mathbb {Z}_R$. As the $\mathsf {IND\text {-}CPA}$ and strong additive properties of S require R to be unknown, we assume that a bound B on R is publicly available. We denote $\ell \leftarrow 2^\lambda kB$.
$\Pi _\mathsf {K}.\mathsf {KeyGen} (1^\lambda )$: pick $e\leftarrow \mathbb {Z}_{\ell }$, set $\mathsf {pk} \leftarrow S.\mathsf {Enc} _\mathsf {ek} (0;e)$ and $\mathsf {vk} \leftarrow e$.
$\Pi _\mathsf {K}.\mathsf {Prove} (\mathsf {pk},\varvec{C},\varvec{x})$: on a word $\varvec{C}\in \mathbb {Z}_k^\beta $, with witness $\varvec{x}$ for the statement $\mathsf {St} _\Gamma (\varvec{G},\varvec{C})$, pick $\varvec{x'}{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_k^\gamma $, $\varvec{r}{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_{2^\lambda B}^{\gamma }$, compute
$$\begin{aligned} \varvec{X}&\leftarrow S.\mathsf {Enc} _\mathsf {ek} (\varvec{x},\varvec{r}),&\varvec{X'} \leftarrow S.\mathsf {Enc} _\mathsf {ek} (\varvec{x'},0)\ominus (\varvec{r}\odot \mathsf {pk}),&\varvec{C'} \leftarrow \varvec{x'}\bullet \Gamma (\varvec{G},\varvec{C}), \end{aligned}$$
and output $\varvec{\pi } \leftarrow (\varvec{X},\varvec{X'},\varvec{C'})$.
$\Pi _\mathsf {K}.\mathsf {Verify} (\mathsf {pk}, \mathsf {vk}, \varvec{C},\varvec{\pi })$: parse $\varvec{\pi }$ as $(\varvec{X},\varvec{X'},\varvec{C'})$. Check that $e\odot \varvec{X}\oplus \varvec{X'}$ is decodable, and decode it to a vector $\varvec{d} \in \mathbb {Z}_k^\gamma $. Check that
If all checks succeeded, accept. Otherwise, reject.

The proof $\varvec{\pi }$ consists of $2\gamma $ ciphertexts of S, and $\beta $ elements of $\mathbb {G}$. Below, we illustrate our construction of $\mathsf {DVNIZK}$ on the examples of statements given in the previous section. For the sake of concreteness, we instantiate the $\mathsf {DVNIZK}$-friendly encryption scheme S with Paillier (hence the operation is instantiated as the multiplication modulo $n ^2$), so that the message space is $\mathbb {Z}_n $ and the randomizer space is $\mathbb {Z}_{\varphi {(n)}/2}$ for an RSA modulus $n $. In the examples, we use a bound $B = n $ and draw Paillier random coins from $\mathbb {Z}_{2^{\lambda }B}$, following our generic framework. However, observe that in the case of Paillier, we can also draw the coins from $\mathbb {Z}_{n/2}$ to get a distribution statistically close to uniform over $\mathbb {Z}_{\varphi (n)/2}$, which is more efficient.

Example 1: Knowledge of Opening to a Pedersen Commitment.

$\Pi _\mathsf {Ped}.\mathsf {Setup} (1^\lambda ):$ Compute $((n,h),\delta ) = (\mathsf {ek},\mathsf {dk}){\mathop {\leftarrow }\limits ^{{}_\$}}S.\mathsf {KeyGen} (1^\lambda )$. Output ${\mathsf {crs}} \leftarrow \mathsf {ek} $. Let $\ell \leftarrow 2^\lambda n ^2$. Let $\mathbb {G}{\mathop {\leftarrow }\limits ^{{}_\$}}\mathsf {GGen}{(1^\lambda ,n)}$, $(G,H){\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {G}^2$.
$\Pi _\mathsf {Ped}.\mathsf {KeyGen} (1^\lambda )$: pick $e{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_{\ell }$, set $\mathsf {pk} \leftarrow h^e\bmod n ^2$ and $\mathsf {vk} \leftarrow e$.
$\Pi _\mathsf {Ped}.\mathsf {Prove} (\mathsf {pk},{C},\varvec{x})$: on a word ${C}\in \mathbb {G}$, with witness $\varvec{x}=(m,r)\in \mathbb {Z}_n ^2$ for the statement $\mathsf {St} _{\Gamma _\mathsf {Ped}}(\varvec{G},\varvec{C})$, pick $\varvec{x'}{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_n ^2$, $\varvec{\rho }{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_{2^\lambda B}^{2}$, compute $\varvec{X} \leftarrow (1+n)^{\varvec{x}}h^{\varvec{\rho }}\bmod n ^2, \varvec{X'} \leftarrow (1+n)^{\varvec{x'}}\mathsf {pk} ^{-\varvec{\rho }}\bmod n ^2, \varvec{C'} \leftarrow \varvec{x'}\bullet (G,H)^\intercal $, and output $\varvec{\pi } \leftarrow (\varvec{X},\varvec{X'},\varvec{C'})$.
$\Pi _\mathsf {Ped}.\mathsf {Verify} (\mathsf {pk}, \mathsf {vk}, \varvec{C},\varvec{\pi })$: parse $\varvec{\pi }$ as $(\varvec{X},\varvec{X'},\varvec{C'})$. Check that $\varvec{X}^e\varvec{X'}$ is of the form $(1+n)^{\varvec{d}}$, and recover the vector $\varvec{d} \in \mathbb {Z}_n ^2$. Check that .

Example 2: Multiplicative Relationship Between ElGamal Ciphertexts.

$\Pi _\mathsf {EM}.\mathsf {Setup} (1^\lambda )$ as $\Pi _\mathsf {Ped}.\mathsf {Setup} (1^\lambda )$.
$\Pi _\mathsf {EM}.\mathsf {KeyGen} (1^\lambda )$ as $\Pi _\mathsf {Ped}.\mathsf {KeyGen} (1^\lambda )$.
$\Pi _\mathsf {EM}.\mathsf {Prove} (\mathsf {pk},\varvec{C},\varvec{x})$: on a word $\varvec{C}\in \mathbb {G}^6$, with witness $\varvec{x}=(m_0,r_0,m_1, r_1,r_2)\in \mathbb {Z}_n ^5$ for the statement $\mathsf {St} _{\Gamma _\mathsf {EM}}(\varvec{G},\varvec{C})$, pick $\varvec{x'}{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_n ^5$, $\varvec{\rho }{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_{2^\lambda B}^{5}$, compute $\varvec{X} \leftarrow (1+n)^{\varvec{x}}h^{\varvec{\rho }}\bmod n ^2, \varvec{X'} \leftarrow (1+n)^{\varvec{x}}\mathsf {pk} ^{-\varvec{\rho }}\bmod n ^2, \varvec{C'} \leftarrow \varvec{x'}\bullet \Gamma _\mathsf {EM} (\varvec{G},\varvec{C})$, and output $\varvec{\pi } \leftarrow (\varvec{X},\varvec{X'},\varvec{C'})$.
$\Pi _\mathsf {EM}.\mathsf {Verify} (\mathsf {pk}, \mathsf {vk}, \varvec{C},\varvec{\pi })$: parse $\varvec{\pi }$ as $(\varvec{X},\varvec{X'},\varvec{C'})$. Check that $\varvec{X}^e\varvec{X'}$ is of the form $(1+n)^{\varvec{d}}$, and recover the vector $\varvec{d} \in \mathbb {Z}_n ^5$. Check that .

3.3 Security Proof

We now prove the generic $\mathsf {DVNIZK}$ construction from Sect. 3.2 is secure.

Perfect Completeness. It follows from straighforward calculations: $e \odot \varvec{X} \oplus \varvec{X'} = S.\mathsf {Enc} _\mathsf {ek} (e\cdot \varvec{x} + \varvec{x'}; e\cdot \varvec{r} - e\cdot \varvec{r}) = S.\mathsf {Enc} _\mathsf {ek} (e\cdot \varvec{x} + \varvec{x'}; 0)$ is decodable and decodes to $\varvec{d} = e\cdot \varvec{x} + \varvec{x'} \bmod k$. Then, by the correctness of the statement ($\varvec{x}\bullet \Gamma (\varvec{G},\varvec{C}) = \varvec{C}$) and by construction of $\varvec{C'}$.

Composable Zero-Knowledge. We prove the following theorem:

Theorem 7

(Zero-Knowledge of $\Pi _\mathsf {K} \mathbf{).}$ If the encryption scheme S is $\mathsf {IND\text {-}CPA}$ secure, the $\mathsf {DVNIZK}$ scheme $\Pi _\mathsf {K} $ is composable zero-knowledge.

We describe a simulator $\mathsf {Sim} (\varvec{C},\mathsf {pk},\mathsf {vk})$ producing proofs computationally indistinguishable from those produced by an honest prover on true statements. The simulator operates as follows: let $\varvec{d} {\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_k^\gamma $, and . Sample $\varvec{x}{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_k^\gamma $, $\varvec{r}{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_{2^\lambda B}^{\gamma }$, and compute $\varvec{X} \leftarrow S.\mathsf {Enc} _\mathsf {ek} (\varvec{x},\varvec{r}), \varvec{X'} \leftarrow S.\mathsf {Enc} _\mathsf {ek} (\varvec{\varvec{d}-e\cdot \varvec{x}},\varvec{-e\cdot r})$. Output $\pi _s=(\varvec{X},\varvec{X'},\varvec{C'})$.

Let $\mathscr {A}$ be an adversary that can distinguish $\mathsf {Sim} $ from $\mathsf {Prove} $. We will build a reduction against the $\mathsf {IND\text {-}CPA}$ security of S. The reduction obtains $\varvec{C},\varvec{x}$ from $\mathscr {A}$, samples $\tilde{\varvec{x}}\leftarrow \mathbb {Z}_k^\gamma $, sends $(\varvec{x},\tilde{\varvec{x}})$ to the $\mathsf {IND\text {-}CPA}$ game and sets $\varvec{X}$ to be the challenge from the $\mathsf {IND\text {-}CPA}$ game. Now, the reduction samples $\varvec{d}\leftarrow \mathbb {Z}_k^\gamma $ and sets $\varvec{X'}:=S.\mathsf {Enc} _\mathsf {ek} (\varvec{d};0)\ominus \varvec{X}\odot e$. Finally, the reduction sets . Send $\pi ^*=(\varvec{X},\varvec{X'},\varvec{C})$ to $\mathscr {A}$.

Direct calculation shows that if the $\mathsf {IND\text {-}CPA}$ game outputs an encryption of $\tilde{\varvec{X}}$, then $\varvec{X},\varvec{X'},\varvec{C}$ are distributed as those produced by $\mathsf {Sim} $, whereas when it outputs an encryption of $\varvec{X}$ then $\pi ^*$ is distributed identical to a real proof. Thus, whatever advantage $\mathscr {A}$ has in distinguishing $\mathsf {Sim} $ from $\mathsf {Prove} $ is also achieved by the reduction against $\mathsf {IND\text {-}CPA}$. Note that for simplicity, our proof assume that the $\mathsf {IND\text {-}CPA}$ game is directly played over vectors, but standard methods allow to reduce this to the classical $\mathsf {IND\text {-}CPA}$ game with a single challenge ciphertext.

Adaptive Unbounded Knowledge-Extractability. We start by showing that $\Pi _\mathsf {K} $ satisfies statistical adaptive unbounded knowledge-extractability. More precisely, we prove the following theorem:

Theorem 8

(Soundness of $\Pi _\mathsf {K} $). There is an efficient simulator $\mathsf {Sim} $ such that for any (possibly unbounded) adversary $\mathscr {A}$ that outputs an accepting proof $\varvec{\pi }$ with probability $\varepsilon $ on an arbitrary word $\varvec{C}$ after making at most Q queries to the oracle $\mathcal {O}_{\mathsf {vk}} [\mathsf {pk} ]$, $\mathsf {Sim} $ extracts a valid witness for the statement $\mathsf {St} _\Gamma (\varvec{G},\varvec{C})$ with probability at least $\varepsilon - (Q+1)\beta /p_k$, where $p_k$ is the smallest prime factor of k.

The proof describes an efficient simulator $\mathsf {Sim} $ that correctly emulates the verifier, without knowing $\mathsf {vk} \bmod k$. The simulation is done as follows:

$\mathsf {Sim}.\mathsf {Setup} (1^\lambda ):$ compute $(\mathsf {ek},\mathsf {dk}){\mathop {\leftarrow }\limits ^{{}_\$}}S.\mathsf {KeyGen} (1^\lambda )$. Output ${\mathsf {crs}} \leftarrow \mathsf {ek} $. The encryption key $\mathsf {ek} $ defines a plaintext space $\mathbb {Z}_k$ and a random source $\mathbb {Z}_R$ with bound B. Let $\ell \leftarrow 2^\lambda kB$.
$\mathsf {Sim}.\mathsf {KeyGen} (1^\lambda )$: compute $(\mathsf {pk},\mathsf {vk}){\mathop {\leftarrow }\limits ^{{}_\$}}\Pi _\mathsf {K}.\mathsf {KeyGen} (1^\lambda )$, output $\mathsf {pk} $, store $e_R \leftarrow \mathsf {vk} \bmod R$, and erase $\mathsf {vk} $.
$\mathsf {Sim}.\mathsf {Verify} (\mathsf {pk}, \mathsf {dk}, e_R, \varvec{C},\varvec{\pi })$: parse $\varvec{\pi }$ as $(\varvec{X},\varvec{X'},\varvec{C'})$. Using the secret key $\mathsf {dk} $ of S, decrypt $\varvec{X}$ to a vector $\varvec{x}$, and $\varvec{X'}$ to a vector $\varvec{x'}$. Check that $(-e_R) \odot (\varvec{X} \ominus \varvec{x}) = \varvec{X'} \ominus \varvec{x'}$. Check that $\varvec{x}\bullet \Gamma (\varvec{G},\varvec{C}) = \varvec{C}$, and that $\varvec{x'}\bullet \Gamma (\varvec{G},\varvec{C}) = \varvec{C'}$. If all checks succeeded, accept. Otherwise, reject.

The simulator $\mathsf {Sim} $ first calls $\mathsf {Sim}.\mathsf {Setup} (1^\lambda )$ to generate the common reference string (note that our simulator generates the common reference string honestly, hence the simulation of $\mathsf {Setup} $ cannot be distinguished from an honest run of $\mathsf {Setup} $), and stores $\mathsf {dk} $. Each time the adversary $\mathscr {A}$ sends a query $(\varvec{C},\varvec{\pi })$ to the oracle $\mathcal {O}_{\mathsf {vk}} [\mathsf {pk} ]$, $\mathsf {Sim} $ simulates $\mathcal {O}_{\mathsf {vk}} [\mathsf {pk} ]$ (without knowing $\mathsf {vk} \bmod k$) by running $\mathsf {Sim}.\mathsf {Verify} (\mathsf {pk}, \mathsf {dk}, e_R, \varvec{C},\varvec{\pi })$, and accepts or rejects accordingly. When $\mathscr {A}$ outputs a final answer $(\varvec{C},\varvec{\pi })$, $\mathsf {Sim} $ computes a witness $\varvec{x}$ for $\mathsf {St} _\Gamma (\varvec{G},\varvec{C})$ by decrypting $\varvec{C}$ with $\mathsf {dk} $.

Observe that the distribution $\{(\mathsf {pk},\mathsf {vk}){\mathop {\leftarrow }\limits ^{{}_\$}}\Pi _\mathsf {K}.\mathsf {KeyGen} (1^\lambda ), e_k\leftarrow \mathsf {vk} \bmod k:(\mathsf {pk},e_k)\}$ is statistically indistinguishable from the distribution $\{(\mathsf {pk},\mathsf {vk}){\mathop {\leftarrow }\limits ^{{}_\$}}\Pi _\mathsf {K}.\mathsf {KeyGen} (1^\lambda ), e_k{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_k:(\mathsf {pk},e_k)\}$. Put otherwise, the distribution of $\mathsf {vk} \bmod k$ is statistically indistinguishable from random, even given $\mathsf {pk} $. Indeed, as S is a $\mathsf {DVNIZK}$-friendly encryption scheme, it holds by definition that $\gcd (k,R)=1$. As $\ell = 2^\lambda Bk \ge 2^\lambda Rk$, the distribution $\{e{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_\ell , e_k\leftarrow e\bmod k, e_R \leftarrow e\bmod R : (e_k,e_R)\}$ is statistically indistinguishable from the uniform distribution over $\mathbb {Z}_k\times \mathbb {Z}_R$, and the value $\mathsf {pk} $ only leaks $e_R$, even to an unbounded adversary (as $S.\mathsf {Enc} _\mathsf {ek} (0;e) = S.\mathsf {Enc} _\mathsf {ek} (0;e\bmod R)$). We now prove the following claim:

Claim

For any public parameters $\varvec{G}$ and word $\varvec{C}$, it holds that

$$\Pr _{}\left[ \begin{matrix} (\mathsf {pk},\mathsf {vk}){\mathop {\leftarrow }\limits ^{{}_\$}}\Pi _\mathsf {K}.\mathsf {KeyGen} (1^\lambda ), &{}\\ b \leftarrow \mathsf {Sim}.\mathsf {Verify} (\mathsf {pk}, \mathsf {dk},\varvec{C},\varvec{\pi }), &{}:b'=b\\ b' \leftarrow \Pi _\mathsf {K}.\mathsf {Verify} (\mathsf {pk}, \mathsf {vk}, \varvec{C},\varvec{\pi }) &{} \end{matrix}\right] \ge 1 - \beta /p_k,$$

where $p_k$ is one of the prime factors of k.

Proof

First, we show that if $b = 1$, then $b' = 1$. Indeed, let us denote $(\varvec{x},\varvec{x'})$ the plaintexts associated to $(\varvec{X},\varvec{X'})$. Let $(\varvec{r},\varvec{r'})$ be the random coins of the ciphertexts $(\varvec{X},\varvec{X'})$. Observe that, by the homomorphic properties of S, the equation $(-e_R) \odot (\varvec{X} \ominus \varvec{x}) = \varvec{X'} \ominus \varvec{x'}$ is equivalent to $S.\mathsf {Enc} _\mathsf {ek} (0;-e_R\cdot \varvec{r}) = S.\mathsf {Enc} _\mathsf {ek} (0;\varvec{r'})$, which is equivalent to $e\odot \varvec{X}\oplus \varvec{X'} = S.\mathsf {Enc} (e\cdot \varvec{x}+\varvec{x'} \bmod k; e\cdot \varvec{r}+\varvec{r'} \bmod R) = S.\mathsf {Enc} (e\cdot \varvec{x}+\varvec{x'} \bmod k; 0)$ as $e = e_R \bmod R$. Therefore, the verifier’s check that $e\odot \varvec{X}\oplus \varvec{X'}$ is decodable succeeds if and only if $\mathsf {Sim} $’s first check succeeds, and the decoded value $\varvec{d} \in \mathbb {Z}_k^\gamma $ satisfies $\varvec{d} = e\cdot \varvec{x} + \varvec{x'} \bmod k$. Moreover, if the equations $\varvec{x}\bullet \Gamma (\varvec{G},\varvec{C}) = \varvec{C}$ and $\varvec{x'}\bullet \Gamma (\varvec{G},\varvec{C}) = \varvec{C'}$ are both satisfied (i.e. $\mathsf {Sim} $’s other checks succeed), then it necessarily holds that . This concludes the proof that, conditioned on $\mathsf {Sim} $’s checks succeeding, the verifier’s checks necessarily succeed.

Now, assume for the sake of contradiction that the converse is not true: suppose that $\mathsf {Sim} $ rejected the proof, while the verifier accepted. We already showed that the equation $(-e_R) \odot (\varvec{X} \ominus \varvec{x}) = \varvec{X'} \ominus \varvec{x'}$ is equivalent to the equation $e\odot \varvec{X}\oplus \varvec{X'} = S.\mathsf {Enc} (e\cdot \varvec{x}+\varvec{x'} \bmod k; 0)$; therefore, if $e\odot \varvec{X}\oplus \varvec{X'}$ is decodable (it has random coin 0), then $\mathsf {Sim} $’s check that $(-e_R) \odot (\varvec{X} \ominus \varvec{x}) = \varvec{X'} \ominus \varvec{x'}$ succeeds. As we assumed that $\mathsf {Sim} $ rejects the proof, this means that at least one of $\mathsf {Sim} $’s last checks must fail: either $\varvec{x}\bullet \Gamma (\varvec{G},\varvec{C}) \ne \varvec{C}$, or $\varvec{x'}\bullet \Gamma (\varvec{G},\varvec{C}) \ne \varvec{C'}$. By the first check of the verifier, it holds that $e\odot \varvec{X}\oplus \varvec{X'}$ is decodable; denoting $(\varvec{x},\varvec{x'})$ the plaintexts associated to $(\varvec{X},\varvec{X'})$, it therefore decodes to $\varvec{d} = e\cdot \varvec{x} + \varvec{x'} \bmod k$. By the second check of the verifier, it holds that , which implies . This last equation rewrites to

(2)

Now, recall that by assumption, either $\varvec{x}\bullet \Gamma (\varvec{G},\varvec{C}) \ne \varvec{C}$, or $\varvec{x'}\bullet \Gamma (\varvec{G},\varvec{C}) \ne \varvec{C'}$. Observe that Eq. 2 further implies, as $e \ne 0$ (with overwhelming probability), that if and only if . Therefore, conditioned on $\mathsf {Sim} $ rejecting the proof, it necessarily holds that and . Let $(\mu _i,\nu _i)$ be two non-zero entries of the vectors at the same position $i \le \beta $; by Eq. 2, it holds that $e = \nu _i \cdot \mu _i^{-1}\bmod p$ for at least one of the prime factors p of k. However, recall that the value $e\bmod k$ is statistically hidden to the prover (and therefore, so is the value $e\bmod p$), hence the probability of this event happening can be upper-bounded by $\beta /p \le \beta /p_k$. This concludes the proof of the claim. $\square $

Now, consider an adversary $\mathscr {A}$ that outputs an accepting proof $(\varvec{C},\varvec{\pi })$ with probability at least $\varepsilon $ after a polynomial number Q of interactions with the oracle $\mathcal {O}_{\mathsf {vk}} [\mathsf {pk} ]$. By the above claim and a union bound, it necessarily holds that $\mathscr {A}$ outputs an accepting proof $(\varvec{C},\varvec{\pi })$ with probability at least $\varepsilon - Q\beta /p_k$ after interacting Q times with $\mathsf {Sim}.\mathsf {Verify} (\mathsf {pk}, \mathsf {dk}, e_R, \cdot , \cdot )$; moreover, with probability at least $1-\beta p_k$, this proof is also accepted by $\mathsf {Sim} $’s verification algorithm. Overall, $\mathsf {Sim} $ obtains a proof accepted by his verification algorithm with probability at least $\varepsilon - (Q+1)\beta /p_k$. In particular, this implies that the vector $\varvec{x}$ extracted by $\mathsf {Sim} $ from $\varvec{\pi }$ satisfies $\varvec{x}\bullet \Gamma (\varvec{G},\varvec{C}) = \varvec{C}$ with probability at least $\varepsilon - (Q+1)\beta /p_k$. Therefore, $\mathsf {Sim} $ extracts a valid witness for the knowledge statement $\mathsf {St} _\Gamma (\varvec{G},\varvec{C})$ with probability at least $\varepsilon - (Q+1)\beta /p_k$. As the size k of a $\mathsf {DVNIZK}$-friendly cryptosystem has only superpolynomially large prime-factors, it holds that $p_k$ is superpolynomially large. As $(Q+1)\beta $ is polynomial, we conclude that if $\mathscr {A}$ outputs an accepting proof with non-negligible probability, then $\mathsf {Sim} $ extracts a valid witness with non-negligible probability.

4 Dual Variant of the Framework

In the previous section, we described a framework for constructing efficient $\mathsf {DVNIZKs}$ of knowledge for relations between words defined over an abelian group , using a cryptosystem with specific properties as the underlying commitment scheme for the proof system. In this section, we show that the framework can also be used in a dual way, by considering languages of relations between the plaintexts of the underlying encryption scheme – we call this variant ‘dual variant’ of the framework, as the roles of the underlying encryption scheme (which is used as a commitment scheme for the proof) and of the abelian group (which contains the words on which the proof is made) are partially exchanged. This allows for example to handle languages of relations between Paillier ciphertexts. To instantiate the framework, it suffices to have any perfectly binding commitment scheme defined over $\mathbb {G}$. This dual variant leads to efficient $\mathsf {DVNIZK}$ proofs for relations between, e.g., Paillier ciphertexts, whose zero-knowledge property reduces to the binding property of the commitment scheme over $\mathbb {G}$ (e.g. the $\mathsf {DDH}$ assumption, or its variants), and with statistical (unbounded, adaptive) soundness.

4.1 Perfectly Binding Commitment over $\mathbb {G}$

Suppose that we are given a perfectly binding homomorphic commitment $C = (C.\mathsf {Setup}, C.\mathsf {Com}, C.\mathsf {Verify})$, where $C.\mathsf {Com}: \mathbb {Z}_k\times \mathbb {Z}_k \mapsto \mathbb {G}^*$. Assume further that $C.\mathsf {Setup} $ generates a public vector of parameters $\varvec{G}\in \mathbb {G}^*$, and that there is a linear map $\Gamma _C$ associated to this commitment such that for all $(m,r)\in \mathbb {Z}_k^2$, $C.\mathsf {Com} (m,r) = (m,r) \bullet \Gamma _C(\varvec{G})$. Note this implies the commitment scheme is homomorphic over $\mathbb {G}$. ElGamal (Sect. 2.1), can be used as a commitment scheme satisfying these properties, is hiding under the $\mathsf {DDH}$ assumption and perfectly binding. We do so by using $\mathsf {KeyGen}(1^\lambda )$ in place of $\mathsf {Setup} (1^\lambda )$ to generate group elements (G, H) (the public key of the encryption scheme), and commit (i.e encrypt) via $\Gamma _C(G,H) = ((0,G)^\intercal , (G,H)^\intercal )$. We generalize this to commitments to length-t vectors as follow: we let $\Gamma _{C,t}$ denote the extended matrix such that $C.\mathsf {Com} (\varvec{m},\varvec{r}) = (\varvec{m},\varvec{r}) \bullet \Gamma _{C,t}(\varvec{G})$, where $(\varvec{m},\varvec{r})$ are vectors of length t ($\Gamma _{C,t}$ is simply the block-diagonal matrix whose t blocks are all equal to $\Gamma _C$). Consider now the following statement, where the word is a vector $\varvec{C}$ of commitments:

One can immediatly observe that this statement (which is a proof of knowledge of openings to a vector of commitments with C) is handled by the framework of Sect. 3.

4.2 Equality of Plaintexts Between C and S

In this section, we describe a simple method to convert a $\mathsf {DVNIZK}$ on the statement into a $\mathsf {DVNIZK}$ on the statement for a length-t vector $\varvec{C}$ of commitments with a commitment scheme over $\mathbb {G}$ satisfying the requirements defined in the previous section, and a length-t vector of $\mathsf {DVNIZK}$-friendly ciphertexts $\varvec{X_m}$. Instantiating the framework of Sect. 3 for the statement $\mathsf {St} _{\Gamma _{C,t}}(\varvec{G},\varvec{C})$, we get the following $\mathsf {DVNIZK}$ $\Pi $:

$\Pi .\mathsf {Setup} (1^\lambda ):$ compute $(\mathsf {ek},\mathsf {dk}){\mathop {\leftarrow }\limits ^{{}_\$}}S.\mathsf {KeyGen} (1^\lambda )$. Output ${\mathsf {crs}} \leftarrow \mathsf {ek} $. Note that $\mathsf {ek} $ defines the plaintext space $\mathbb {Z}_k$ and the random source $\mathbb {Z}_R$ with bound B. We denote $\ell \leftarrow 2^\lambda kB$.
$\Pi .\mathsf {KeyGen} (1^\lambda )$: pick $e\leftarrow \mathbb {Z}_{\ell }$, set $\mathsf {pk} \leftarrow S.\mathsf {Enc} _\mathsf {ek} (0;e)$ and $\mathsf {vk} \leftarrow e$.
$\Pi .\mathsf {Prove} (\mathsf {pk},\varvec{C},(\varvec{m},\varvec{r}))$: on a word $\varvec{C}\in \mathbb {Z}_k^t$, with witness $(\varvec{m},\varvec{r})$ for the statement $\mathsf {St} _{\Gamma _{C,t}}(\varvec{G},\varvec{C})$ (where $\varvec{G} {\mathop {\leftarrow }\limits ^{{}_\$}}C.\mathsf {Setup} (1^\lambda )$), pick random $(\varvec{m'},\varvec{r'})$, random coins $(\varvec{\rho _m},\varvec{\rho _r})$ for S, and compute
$$\begin{aligned}&\varvec{X_m} \leftarrow S.\mathsf {Enc} _\mathsf {ek} (\varvec{m},\varvec{\rho _m}),&\varvec{X_r} \leftarrow S.\mathsf {Enc} _\mathsf {ek} (\varvec{r},\varvec{\rho _r}),\\&\varvec{X'_m} \leftarrow S.\mathsf {Enc} _\mathsf {ek} (\varvec{m'},0)\ominus (\varvec{\rho _m}\odot \mathsf {pk}),&\varvec{X'_r} \leftarrow S.\mathsf {Enc} _\mathsf {ek} (\varvec{r'},0)\ominus (\varvec{\rho _r}\odot \mathsf {pk}),\\&\varvec{C'} \leftarrow (\varvec{m'},\varvec{r'})\bullet \Gamma _{C,t}(\varvec{G},\varvec{C}), \end{aligned}$$
and output $\varvec{\pi } \leftarrow (\varvec{X_m},\varvec{X'_m}, \varvec{X_r},\varvec{X'_r},\varvec{C'})$.
$\Pi _\mathsf {K}.\mathsf {Verify} (\mathsf {pk}, \mathsf {vk}, \varvec{C},\varvec{\pi })$: parse $\varvec{\pi }$ as $(\varvec{X_m},\varvec{X'_m}, \varvec{X_r},\varvec{X'_r},\varvec{C'})$. Check that $e\odot \varvec{X_m}\oplus \varvec{X'_m}$ and $e\odot \varvec{X_r}\oplus \varvec{X'_r}$ are decodable, and decode them to vectors $(\varvec{d_m},\varvec{d_r}) \in (\mathbb {Z}_k^{t})^2$. Check that .

By the result of Sect. 3, this is an unbounded statistical adaptive knowledge-extractable $\mathsf {DVNIZK}$ of knowledge of an opening for C. Suppose now that we modify the above scheme as follow: we let $\varvec{X_m}$ be part of the word on which the proof is executed, rather than being computed as part of the proof by the algorithm $\Pi .\mathsf {Prove} $. That is, we consider words of the form $(\varvec{C},\varvec{X_m})$ with witness $(\varvec{m},\varvec{r},\varvec{\rho _m})$ such that $(\varvec{C},\varvec{X_m}) = (C.\mathsf {Com} (\varvec{m};\varvec{r}), S.\mathsf {Enc} _\mathsf {ek} (\varvec{m},\varvec{\rho _m}))$. Let $\Pi '$ denote the modified proof, in which $\varvec{X_m}$ is part of the word and $(\varvec{X'_m}, \varvec{X_r},\varvec{X'_r},\varvec{C'})$ are computed as in $\Pi $. Observe that the proof of security of our framework immediatly implies that $\Pi '$ is a secure $\mathsf {DVNIZK}$ for plaintext equality between commitments with C and encryptions with S: our statistical argument shows that a (possibly unbounded) adversary has negligible probability of outputting a word $\varvec{C}$ together with an accepting proof $\varvec{\pi } = (\varvec{X_m},\varvec{X'_m}, \varvec{X_r},\varvec{X'_r},\varvec{C'})$ where the plaintext extracted by the simulator from $\varvec{X_m}$ is not also the plaintext of $\varvec{C}$. Hence, it is trivial that the probability of outputting a word $(\varvec{C},\varvec{X_m})$ and an accepting proof $\varvec{\pi '} = (\varvec{X'_m}, \varvec{X_r},\varvec{X'_r},\varvec{C'})$ where the plaintext extracted by the simulator from $\varvec{X_m}$ is not also the plaintext of $\varvec{C}$ is also negligible. Thus, we get:

Theorem 9

The proof system $\Pi '$ is an adaptive unbounded statistically sound proof for equality between plaintexts of C and plaintexts of S, whose composable zero-knowledge property reduces to the $\mathsf {IND\text {-}CPA} $ security of S.

Note that the proof $\Pi '$ is no longer a proof of knowledge: while the simulator can extract $(\varvec{m},\varvec{r})$ from the prover, he cannot necessarily extract the random coins $\varvec{\rho _m}$ of $\varvec{X_m}$, which are now part of the witness. Therefore, for the protocol to make sense, it is important that C is perfectly binding.

4.3 A Framework for Relations Between Plaintexts of S

The observations of the above section suggest a very natural way for designing $\mathsf {DVNIZKs}$ for relations between plaintexts $\varvec{m} \in \mathbb {Z}_k^*$ of the encryption scheme S, which intuitively operates in two steps: first, we create commitments to the plaintexts $\varvec{m}$ over $\mathbb {G}$ using C and prove them consistent with the encrypted values using the method described in the previous section. Then, we are able to use the framework of Sect. 3 to demonstrate the desired relation holds between the commited values (this is a statement naturally captured by the framework). More formally, on input a vector of ciphertexts $\varvec{X_m}$ encrypting plaintexts $\varvec{m}$ with random coins $\varvec{\rho _m}$,

Pick $\varvec{r}$ and compute $\varvec{C} \leftarrow C.\mathsf {Com} (\varvec{m},\varvec{r})$.
Construct a $\mathsf {DVNIZK} $ for the statement $\mathsf {St} '(\varvec{G},\varvec{C},\varvec{X_m})$ with witness $(\varvec{m},\varvec{\rho _m},\varvec{r})$, using the method described in Sect. 4.2.
Construct a $\mathsf {DVNIZK} $ for the statement $\mathsf {St} _\Gamma (\varvec{G},\varvec{C})$ with witness $(\varvec{m},\varvec{r})$, using the framework of Sect. 3.

The correctness of this approach is immediate: the second $\mathsf {DVNIZK} $ guarantees that the appropriate relation is satisfied between the plaintexts of the commitments, while the first one guarantees that the ciphertexts indeed encrypt the committed values. This leads to a $\mathsf {DVNIZK}$ proof of relation between plaintexts of S, with unbounded adaptive statistical soundness. Regarding zero-knowledge, as the proof starts by committing to $\varvec{m}$ with C, we must in addition assume that the commitment scheme is hiding (the security analysis is straightforward).

Theorem 10

The above system is an adaptive unbounded statistically sound proof for relations of plaintexts of S, whose composable zero-knowledge reduces to the $\mathsf {IND\text {-}CPA} $ security of S and the hiding property of C.

We note that we can also obtain a variant of Theorem 10, where zero-knowledge only relies on the $\mathsf {IND\text {-}CPA}$ of S, and hiding of C implies the soundness property, using commitment schemes a la Groth-Sahai where the crs can be generated in two indistinguishable ways, one leading to a perfectly hiding scheme, and one leading to a perfectly binding scheme (such commitments are known, e.g., from the $\mathsf {DDH}$ assumption).

Example: Multiplicative Relationship Between Paillier Ciphertexts. We focus now on the useful case of multiplicative relationship between plaintexts of Paillier ciphertexts. We instantiate S with the Paillier encryption scheme over an RSA group $\mathbb {Z}_n $, with a public key $(n,h)$ ($h = g^n \bmod n ^2$ for a generator g of $\mathbb {J}_n $), and the commitment scheme C with the ElGamal encryption scheme over a group $\mathbb {G}$ of order $n $, with public key (G, H). Let $(P_0,P_1,P_2) \in (\mathbb {Z}^*_{n ^2})^3$ be three Paillier ciphertexts, and let $(m_0,m_1,m_2,\rho _0,\rho _1,\rho _2)$ be such that $m_2 = m_0m_1\bmod n $, and $P_0 = (1+n)^{m_0}h^{\rho _0} \bmod n ^2, P_1 = (1+n)^{m_1}h^{\rho _1} \bmod n ^2, P_2 = (1+n)^{m_2}h^{\rho _2} \bmod n ^2$. Let $E = h^e \bmod n ^2$ denote the public key of the verifier. The designated-verifier $\mathsf {NIZK}$ for proving that $P_2$ encrypts $m_0m_1$ proceeds as follows:

Committing over $\mathbb {G}$ : pick $(r_0,r_1,r_2)$ and send (which are commitments with ElGamal to $(m_0,m_1,m_2)$ over $\mathbb {G}$).
Proof of Plaintext Equality: pick $(m'_i,r'_i,\rho '_i)_{0\le i \le 2} {\mathop {\leftarrow }\limits ^{{}_\$}}(\mathbb {Z}_n \times \mathbb {Z}_n \times \mathbb {Z}_{n/2})^3$, and send for $i = 0$ to 2, $X_i \leftarrow (1+n)^{r_i}h^{\rho '_i}\bmod n ^2, X'_i\leftarrow (1+n)^{r'_i}E^{-\rho '_i}\bmod n ^2, P'_i \leftarrow (1+n)^{m'_i}E^{-\rho _i}\bmod n ^2$, and .
Proof of Multiplicative Relationship Between the Committed Values: apply the proof system of Example 2 from Sect. 3 to the word $(U_i,V_i)_{0\le i \le 2}$, with public parameters (G, H), and the witness $\varvec{x} = (m_0,r_0,m_1,r_1,r_2-r_0m_1)$ which satisfies , and .
Proof Verification: upon receving $(U_i,V_i,X_i,X'_i,P'_i,U'_i,V'_i)_{0\le i\le 2}$ together with the proof of multiplicative relationship between the values committed with $(U_i, V_i)_i$, the verifier with verification key $\mathsf {vk} = e$ checks that $e\odot P_i \oplus P'_i$ and $e\odot X_i \oplus X'_i$ successfully decode (respectively) to values $p_i,x_i$, and that and , for $i = 0$ to 2. The verifier additionally checks the multiplicative proof, as in Example 4 from Sect. 3. She accepts iff all checks succeed.

The proof for the multiplicative statement involves 10 Paillier ciphertexts and 3 ElGamal ciphertexts. Overall, the total proof involves 20 Paillier ciphertexts, and 9 ElGamal ciphertexts. However, this size is obtained by applying the framework naively; in this situation, it introduces a lot of redudancy. For instance, instead of computing Paillier encryptions of $(m_0,r_0,m_1,r_1)$ in the third phase, one can simply reuse the word $(P_0,P_1)$ and the ciphertexts $(X_0,X_1)$, as well as reusing $(P'_i,X'_i)_i$ for the corresponding masks $(m'_i,r'_i)_i$, saving 8 Paillier ciphertexts; similar savings can be obtained for the ElGamal ciphertexts, leading to a proof of total size 12 Paillier ciphertexts $+$ 7 ElGamal ciphertexts.

Furthermore, if we eschew unbounded soundness and accept bounds on $m_i$ we are able to produce a much shorter proof, comprising only two Paillier ciphertexts, outperforming even Fiat-Shamir. We detail this in the full version [16].

Notes

1.
More formally, this proof only satisfies zero-knowledge against honest verifiers, but this property is sufficient for the construction of [23].
2.
These applications typically require a proof-friendly signature scheme, but designated-verifier variants of such scheme can easily be constructed (without pairings) from algebraic MACs [18, 40], by committing to the secret key of the MAC and proving knowledge of the committed value with a $\mathsf {DVNIZK}$; such statements are naturally handled by our framework.
3.
In the variant we consider here, we must restrict our attention to elements of $\mathbb {Z}^*_{n ^2}$ which have Jacobi symbol 1 when reduced modulo $n $ as $g \in \mathbb {J}_n $, but this can be checked in polynomial time anyway.
4.
In view of our previous observation on $\mathsf {IND\text {-}CPA}$ security for strongly additive cryptosystems, this implies that R is secret.

References

Abdalla, M., Benhamouda, F., Pointcheval, D.: Disjunctions for hash proof systems: new constructions and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 69–100. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_3
Google Scholar
Barak, B., Canetti, R., Nielsen, J.B., Pass, R.: Universally composable protocols with relaxed set-up assumptions. In: 45th FOCS, pp. 186–195. IEEE Computer Society Press, October 2004
Google Scholar
Belenkiy, M., Camenisch, J., Chase, M., Kohlweiss, M., Lysyanskaya, A., Shacham, H.: Randomizable proofs and delegatable anonymous credentials. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 108–125. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_7
Chapter Google Scholar
Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: P-signatures and noninteractive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_20
Chapter Google Scholar
Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: Compact e-cash and simulatable VRFs revisited. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 114–131. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03298-1_9
Chapter Google Scholar
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993, pp. 62–73. ACM Press, November 1993
Google Scholar
Benhamouda, F., Blazy, O., Chevalier, C., Pointcheval, D., Vergnaud, D.: New techniques for SPHFs and efficient one-round PAKE protocols. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 449–475. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_25
Chapter Google Scholar
Benhamouda, F., Couteau, G., Pointcheval, D., Wee, H.: Implicit zero-knowledge arguments and applications to the malicious setting. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 107–129. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_6
Chapter Google Scholar
Benhamouda, F., Pointcheval, D.: Trapdoor smooth projective hash functions. Cryptology ePrint Archive, Report 2013/341 (2013). http://eprint.iacr.org/2013/341
Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: 20th ACM STOC, pp. 103–112. ACM Press, May 1988
Google Scholar
Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_3
Chapter Google Scholar
Bresson, E., Catalano, D., Pointcheval, D.: A simple public-key cryptosystem with a double trapdoor decryption mechanism and its applications. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 37–54. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_3
Chapter Google Scholar
Camenisch, J., Damgård, I.: Verifiable encryption, group encryption, and their applications to separable group signatures and signature sharing schemes. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 331–345. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_25
Chapter Google Scholar
Camenisch, J., Neven, G., Shelat, A.: Simulatable adaptive oblivious transfer. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 573–590. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_33
Chapter Google Scholar
Castagnos, G., Laguillaumie, F.: Linearly homomorphic encryption from $\sf DDH$. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 487–505. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_26
Google Scholar
Chaidos, P., Couteau, G.: Efficient designated-verifier non-interactive zero-knowledge proofs of knowledge. Cryptology ePrint Archive, Report 2017/1029 (2017). http://eprint.iacr.org/2017/1029
Chaidos, P., Groth, J.: Making sigma-protocols non-interactive without random oracles. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 650–670. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_29
Google Scholar
Chase, M., Meiklejohn, S., Zaverucha, G.: Algebraic MACs and keyed-verification anonymous credentials. In: ACM CCS 2014, pp. 1205–1216. ACM Press (2014)
Google Scholar
Chaum, D., Fiat, A., Naor, M.: Untraceable electronic cash. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 319–327. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_25
Google Scholar
Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_22
Google Scholar
Ciampi, M., Persiano, G., Siniscalchi, L., Visconti, I.: A transform for NIZK almost as efficient and general as the fiat-shamir transform without programmable random oracles. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 83–111. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_4
Chapter Google Scholar
Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_4
Chapter Google Scholar
Damgård, I., Fazio, N., Nicolosi, A.: Non-interactive zero-knowledge from homomorphic encryption. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 41–59. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_3
Chapter Google Scholar
Damgård, I., Jurik, M.: A length-flexible threshold cryptosystem with applications. In: Safavi-Naini, R., Seberry, J. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 350–364. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-45067-X_30
Chapter Google Scholar
Damgård, I., Jurik, M., Nielsen, J.B.: A generalization of paillier’s public-key system with applications to electronic voting. Int. J. Inf. Secur. 9(6), 371–385 (2010)
Article Google Scholar
Damgård, I., Jurik, M.: A generalisation, a simpli.cation and some applications of paillier’s probabilistic public-key system. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 119–136. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44586-2_9
Chapter Google Scholar
De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., Sahai, A.: Robust non-interactive zero knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 566–598. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_33
Chapter Google Scholar
ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_2
Chapter Google Scholar
Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for diffie-hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_8
Chapter Google Scholar
Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In: 31st FOCS, pp. 308–317. IEEE Computer Society Press, October 1990
Google Scholar
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Google Scholar
Fischlin, M.: Communication-efficient non-interactive proofs of knowledge with online extractors. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 152–168. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_10
Chapter Google Scholar
Gay, R., Hofheinz, D., Kiltz, E., Wee, H.: Tightly CCA-secure encryption without pairings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 1–27. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_1
Chapter Google Scholar
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
Article MathSciNet MATH Google Scholar
Green, M., Hohenberger, S.: Universally composable adaptive oblivious transfer. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 179–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_12
Chapter Google Scholar
Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_29
Chapter Google Scholar
Groth, J., Ostrovsky, R., Sahai, A.: Non-interactive zaps and new techniques for NIZK. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_6
Chapter Google Scholar
Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_21
Chapter Google Scholar
Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_24
Chapter Google Scholar
Kiltz, E., Pan, J., Wee, H.: Structure-preserving signatures from standard assumptions, revisited. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 275–295. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_14
Chapter Google Scholar
Kiltz, E., Wee, H.: Quasi-adaptive NIZK for linear subspaces revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 101–128. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_4
Google Scholar
Lindell, Y.: An efficient transform from sigma protocols to NIZK with a CRS and non-programmable random oracle. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 93–109. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46494-6_5
Google Scholar
Lipmaa, H.: Optimally sound sigma protocols under DCRA. Cryptology ePrint Archive, Report 2017/703 (2017). http://eprint.iacr.org/2017/703
Oren, Y.: On the cunning power of cheating verifiers: some observations about zero knowledge proofs (extended abstract). In: 28th FOCS, pp. 462–471. IEEE Computer Society Press, October 1987
Google Scholar
Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16
Google Scholar
Pass, R., Shelat, A., Vaikuntanathan, V.: Construction of a non-malleable encryption scheme from any semantically secure one. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 271–289. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_16
Chapter Google Scholar
Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_33
Google Scholar
Teranishi, I., Furukawa, J., Sako, K.: k-times anonymous authentication (extended abstract). In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 308–322. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_22
Chapter Google Scholar
Ventre, C., Visconti, I.: Co-sound zero-knowledge with public keys. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 287–304. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2_18
Chapter Google Scholar

Download references

Acknowledgements

We thank Jens Groth for insightful discussions and contributions to early versions of this work. The first author was supported by EU Horizon 2020 grant 653497 (project PANORAMIX). The second author was supported by ERC grant 339563 (project CryptoCloud) and ERC grant 724307 (project PREP-CRYPTO).

Author information

Authors and Affiliations

National and Kapodistrian University of Athens, Athens, Greece
Pyrros Chaidos
Karsruhe Institute of Technology, Karlsruhe, Germany
Geoffroy Couteau

Authors

Pyrros Chaidos
View author publications
You can also search for this author in PubMed Google Scholar
Geoffroy Couteau
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Pyrros Chaidos .

Editor information

Editors and Affiliations

Aarhus University, Aarhus, Denmark
Jesper Buus Nielsen
University of Leuven, Leuven, Belgium
Vincent Rijmen

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Chaidos, P., Couteau, G. (2018). Efficient Designated-Verifier Non-interactive Zero-Knowledge Proofs of Knowledge. In: Nielsen, J., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2018 . EUROCRYPT 2018. Lecture Notes in Computer Science(), vol 10822. Springer, Cham. https://doi.org/10.1007/978-3-319-78372-7_7

Download citation

DOI: https://doi.org/10.1007/978-3-319-78372-7_7
Published: 31 March 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78371-0
Online ISBN: 978-3-319-78372-7
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)