1 Introduction

In [20] a remarkably efficient non-interactive zero-knowledge (NIZK) proof system [5] was given for groups with a bilinear map, which has found many applications in the design of cryptographic protocols in the standard model. All earlier NIZK proof systems (except [19], which was not very efficient) were constructed by reduction to Circuit Satisfiability or other NP-complete problems. Underlying this system, now commonly known as Groth–Sahai NIZKs, is a homomorphic commitment scheme. Each variable in the system of algebraic equations to be proven is committed to using this scheme. Since the commitment scheme is homomorphic, group operations in the equations are translated to corresponding operations on the commitments, and new terms are constructed involving the constants in the equations and the randomness used in the commitments. It was shown that these new terms, along with the commitments to the variables, constitute a zero-knowledge proof [20].

While the Groth–Sahai system is quite efficient, it still falls short in comparison with Schnorr-based \(\Sigma \)-protocols [14] turned into NIZK proofs in the Random Oracle model [7] using the Fiat–Shamir paradigm [18]. Thus, the quest remains to obtain even more efficient NIZK proofs. In particular, in a linear system of rank t, some t of the equations already serve as commitments to t variables. Thus, the question arises whether, at the very least, fresh commitments to these variables as done in Groth–Sahai NIZKs can be avoided.

Our contributions

In this paper, we show that for languages that are linear subspaces of vector spaces of the bilinear groups, one can indeed obtain more efficient computationally sound NIZK proofs in a slightly different quasi-adaptive setting, which suffices for many cryptographic applications. In the quasi-adaptive setting, we consider a class of languages \(\{L_\rho \}\), parameterized by \(\rho \), and we allow the CRS generator to generate the CRS based on the language parameter \(\rho \). However, the CRS simulator in the zero-knowledge setting is required to be a single efficient algorithm that works for the whole parameterized class (or probability distribution) of languages, by taking the parameter as input. We will refer to this property as uniform simulation.

Many hard languages that are commonly used in cryptography are distributions on classes of parameterized languages. For example, the DDH language based on the decisional Diffie–Hellman (DDH) assumption is hard only when in the tuple \(\langle \mathbf{g}, \mathbf{f}\,, x \cdot \mathbf{g}, x \cdot \mathbf{f}\,\rangle \), even \(\mathbf{f}\,\) is chosen at random (in addition to \(x \cdot \mathbf{g}\) being chosen randomly). However, applications (or trusted parties) usually set \(\mathbf{f}\,\), once and for all, by choosing it at random, and then all parties in the application can use multiple instances of the above language with the same fixed \(\mathbf{f}\,\). Thus, we can consider \(\mathbf{f}\,\) as a parameter for a class of languages that only specify the last two components above. If NIZK proofs are required in the application for this parameterized language, then the NIZK CRS can be generated by the trusted party that chooses the language parameter \(\mathbf{f}\,\). Hence, it can base the CRS on the language parameter.

We remark that adaptive NIZK proofs [5] also allow the CRS to depend on the language, but without requiring uniform simulation. Such NIZK proofs that allow different efficient simulators for each particular language (from a parameterized class) are unlikely to be useful in applications. Thus, most NIZK proofs, including Groth–Sahai NIZKs, actually show that the same efficient simulator works for the whole class, i.e., they show uniform simulation. The Groth–Sahai system achieves uniform simulation without making any distinction between different classes of parameterized languages, i.e., it shows a single efficient CRS simulator that works for all algebraic languages without taking any language parameters as input. Thus, there is potential to gain efficiency by considering quasi-adaptive NIZK proofs, i.e., by allowing the (uniform) simulator to take language parameters as input.

Our approach to building more efficient quasi-adaptive NIZK proofs for linear subspaces is quite different from the Groth–Sahai techniques. In fact, our system does not require any commitments to the witnesses at all. If there are t free variables in defining a subspace of the n-dimensional vector space and assuming the subspace is full-ranked (i.e., has rank t), then t components of the vector already serve as commitments to the variables. As an example, consider the language L (over a cyclic bilinear group \(\mathbb {G}\) of order q, in additive notation) to be

$$\begin{aligned} L= & {} \left\{ \langle \varvec{ l }_1, \varvec{ l }_2, \varvec{ l }_3 \rangle \in \mathbb {G}^3 \quad |\quad \exists x_1, x_2 \in {\mathbb {Z}}_q : \quad \right. \\&\left. \varvec{ l }_1 = x_1 \cdot \mathbf{g}, \quad \varvec{ l }_2 = x_2 \cdot \mathbf{f}\,,\varvec{ l }_3 = (x_1+x_2) \cdot \mathbf{h}\right\} \end{aligned}$$

where \(\mathbf{g}, \,\mathbf{f}\,, \,\mathbf{h}\) are parameters defining the language. Then, \(\varvec{ l }_1\) and \(\varvec{ l }_2\) are already binding commitments to \(x_1\) and \(x_2\). Thus, we only need to show that the last component \(\varvec{ l }_3\) is consistent.

The main idea underlying our construction can be summarized as follows. Suppose the CRS can be set to be a basis for the null-space \(L^\bot _\rho \) of the language \(L_\rho \). Then, just (bilinear-) pairing a potential language candidate with \(L^\bot _\rho \) and testing for all-zero suffices to prove that the candidate is in \(L_\rho \), as the null-space of \(L^\bot _\rho \) is just \(L_\rho \). However, efficiently computing null-spaces in hard bilinear groups is itself hard. Thus, an efficient CRS simulator cannot generate \(L^\bot _\rho \), but can give a (hiding) commitment that is computationally indistinguishable from a binding commitment to \(L^\bot _\rho \). To achieve this we use a homomorphic commitment just as in the Groth–Sahai system, but we can use the simpler ElGamal encryption style commitment as opposed to the more involved Groth–Sahai commitments, and as a bonus this allows for a more efficient verifier. As we will see later in Sect. 5, a more efficient verifier is critical for obtaining short identity-based encryption schemes (IBE).

In fact, the idea of using the null-space of the language is reminiscent of Waters’ dual-system IBE construction [39], and indeed our system is inspired by that construction, although the idea of using it for NIZK proofs and, in particular, proving their soundness is novel.

For n equations in t variables, our quasi-adaptive computationally sound NIZK proofs for linear subspaces require only \(k(n-t)\) group elements, under the k-linear decisional assumption [21, 38]. Thus, under the XDH assumption for bilinear groups, our proofs require only \((n-t)\) group elements. In contrast, the Groth–Sahai system requires \((n+2t)\) group elements. Similarly, under the decisional linear assumption (DLIN), our proofs require only \(2(n-t)\) group elements, whereas the Groth–Sahai system requires \((2n+3t)\) group elements. These parameters are summarized in Table 1. While our CRS size grows proportional to \(t(n-t)\), more importantly there is a significant comparative improvement in the number of pairings required for verification. Specifically, under XDH we require at most half the number of pairings, and under DLIN we require at most 2/3 the number of pairings. The \(\Sigma \)-protocol NIZK proofs based on the Random Oracle model require n group elements, t elements of \(\mathbb {Z}_q\) and 1 hash value. Although our XDH-based proofs require fewer group elements, the \(\Sigma \)-protocol proofs do not require bilinear groups and have the advantage of being proofs of knowledge (PoK). We remark that the Groth–Sahai system is also not a PoK for witnesses that are \(\mathbb {Z}_q\) elements. A recent paper by Escala et al. [16] has also optimized proofs of linear subspaces in a language-dependent CRS setting. Their system also removes the need for commitment to witnesses but still implicitly uses Groth–Sahai proofs. In comparison, our proofs are still much shorter.

Table 1 Comparison with Groth–Sahai NIZKs for linear subspaces

Thus, for the language L above, which is just a DLIN tuple used ubiquitously for encryption, our system only requires two group elements under the DLIN assumption, whereas the Groth–Sahai system requires twelve group elements (note, \(t=2, \,n=3\) in L above). For the Diffie–Hellman analogue of this language \(\langle x \cdot \mathbf{g}, x \cdot \mathbf{f} \rangle \), our system produces a single element proof under the XDH assumption, which we demonstrate in Sect. 3 (whereas the Groth–Sahai system requires \((n+2t=)\,4\) elements for the proof with \(t=1\) and \(n=2\)).

Our NIZK proofs also satisfy some interesting new properties. Firstly, the proofs in our system are unique for each language member. This has interesting applications as we will see later in a CCA2-IBE construction. Secondly, the CRS in our system, though dependent on the language parameters, can be split into two parts. The first part is required only by the prover, and the second part is required only by the verifier, and the latter can be generated independent of the language. This is surprising since our verifier does not even take the language (parameters) as input. Only the randomization used in the verifier CRS generation is used in the prover CRS to link the two CRSes. This is in sharp contrast to Groth–Sahai NIZKs, where the verifier needs the language as input. This split-CRS property has interesting applications as we will see later.

Extension to Linear Systems with Tags

Our system does not yet extend naturally to quadratic or multi-linear equations, whereas the Groth–Sahai system does. However, we can extend our system to include tags, and allow the defining equations to be polynomially dependent on tags. For example, our system can prove the following language:

$$\begin{aligned} L' = \left\{ \begin{array}{c} \langle \varvec{ l }_1, \varvec{ l }_2, \varvec{ l }_3, \textsc {tag}\rangle \in \mathbb {G}^3 \times {\mathbb {Z}}_q \quad |\quad \exists x_1, x_2 \in {\mathbb {Z}}_q :\\ \varvec{ l }_1 = x_1 \cdot \mathbf{f}\,, \quad \varvec{ l }_2 = x_2 \cdot \mathbf{g}, \quad \varvec{ l }_3 = (x_1 + \textsc {tag}\cdot x_2) \cdot \mathbf{h}\end{array} \right\} . \end{aligned}$$

Note that this is a non-trivial extension since the \(\textsc {tag}\) is adaptively provided by the adversary after the CRS has been set.

The extension to tags is important, as we now discuss. Many applications require that the NIZK proof also be simulation sound. However, extending NIZK proofs for bilinear groups to be unbounded simulation sound requires handling quadratic equations (see [9] for a generic construction). On the other hand, many applications just require one-time simulation soundness, and as has been shown in [22], this can be achieved for linear subspaces by projective hash proofs [13]. Projective hash proofs can be defined by linear extensions, but require use of tags. Thus, our system can handle such equations. Many applications, such as signatures, can also achieve implicit unbounded simulation soundness using projective hash proofs, and such applications can utilize our system (see Sect. 5).

Applications While the cryptographic literature is replete with NIZK proofs, we will demonstrate the applicability of quasi-adaptive NIZKs, and in particular our efficient system for linear subspaces, to a few recent applications such as signature schemes [9], UC commitments [17], password-based key exchange [22, 26], and key-dependent encryption [9]. For starters, based on [17], our system yields an adaptive UC-secure commitment scheme (in the erasure model) that has only four group elements as commitment, and another four as opening (under the DLIN assumption; and \(3+2\) under the SXDH assumption), whereas the original scheme using Groth–Sahai NIZKs required \(5+16\) group elements.

We also obtain one of the shortest signature schemes under a static standard assumption, i.e., SXDH, that only requires five group elements. We also show how this signature scheme can be extended to a short fully secure (and perfectly complete) dual-system IBE scheme, and indeed a scheme with ciphertexts that are only four group elements plus a tag (under the SXDH assumption). This is the shortest IBE scheme under the SXDH assumption, and is technically even shorter than a recent and independently obtained scheme of [12] which requires five group elements as ciphertext. Table 2 depicts numerical differences between the parameter sizes of the two schemes. The SXDH-IBE scheme of [12] uses the concept of dual pairing vector spaces (due to Okamoto and Takashima [33, 34], and synthesized from Waters’ dual-system IBE). However, the dual vector space and its generalizations due to others [28] do not capture the idea of proof verification. Thus, one of our contributions can be viewed as showing that the dual system not only does zero-knowledge simulation but also extends to provide a computationally sound proof system for general linear systems.

Table 2 Comparison with the SXDH-based IBE of Chen et al. [12]

Finally, using our QA-NIZKs we show a short publicly verifiable CCA2-secure IBE scheme. Public verifiability is an informal but practically important notion which implies that one can publicly verify if the decryption will yield “invalid ciphertext.” Thus, this can allow a network gateway to act as a filter. Our scheme only requires two additional group elements over the basic IBE scheme.

Recent works Following the extended abstract [23] of this paper, QA-NIZKs for linear subspaces have been considerably optimized, leading to constant size proofs [24, 29], and have been extended to provide simulation soundness [1, 25, 27, 29]. QA-NIZKs have been applied to develop several applications, such as anonymous compact HIBEs [36], keyed-homomorphic encryption schemes [25, 29] and linear homomorphic structure preserving signatures [27, 30].

Organization of the paper We begin the rest of the paper with the definition of quasi-adaptive NIZKs in Sect. 2. In Sect. 3 we develop quasi-adaptive NIZKs for linear subspaces under the XDH assumption and then generalize to quasi-adaptive NIZKs under the k-linear assumption. In Sect. 4, we extend our system to include tags, define a notion called split-CRS QA-NIZKs and extend our system to construct split-CRS NIZKs for affine spaces. Finally, we demonstrate applications of our system in Sect. 5. We defer detailed proofs to the appendix.

Notations We will be dealing with witness relations R that are binary relations on pairs \((x, w)\), where w is commonly referred to as the witness. Each witness relation defines a language \(L = \{ x | \,\exists w:\, R(x,w) \}\). For every witness relation \(R_\rho \) we will use \(L_\rho \) to denote the language it defines. Thus, a NIZK proof for a witness relation \(R_\rho \) can also be seen as a NIZK proof for its language \(L_\rho \).

Vectors will always be row vectors and will always be denoted by an arrow over the letter, e.g., \(\vec {\text{ r }}\) for (row) vector of \(\mathbb {Z}_q\) elements, and \(\vec {\mathbf{d}}\) as (row) vector of group elements. The notations are summarized in Table 3.

Table 3 Notations

2 Quasi-Adaptive NIZK Proofs

Instead of considering NIZK proofs for a (witness-) relation R, we will consider Quasi-Adaptive NIZK proofs for a probability distribution \({\mathcal {D}}\) on a collection of (witness-) relations \({{\mathcal {R}}}= \{R_\rho \}\). The quasi-adaptiveness allows for the common reference string (CRS) to be set based on \(R_\rho \) after the latter has been chosen according to \({\mathcal {D}}\). We will however require, as we will see later, that the simulator generating the CRS (in the simulation world) is a single probabilistic polynomial time algorithm that works for the whole collection of relations \({{\mathcal {R}}}\).

To be more precise, we will consider an ensemble of distributions on witness relations, each distribution in the ensemble itself parameterized by a security parameter. Thus, we will consider an ensemble \(\{{\mathcal {D}}_\lambda \}\) of distributions on collection of relations \({{\mathcal {R}}}_\lambda \), where each \({\mathcal {D}}_\lambda \) specifies a probability distribution on \({{\mathcal {R}}}_\lambda = \{R_{\lambda , \rho }\}\). When \(\lambda \) is clear from context, we will just refer to a particular relation as \(R_\rho \), and write \({{\mathcal {R}}}_\lambda = \{R_\rho \}\).

Since in the quasi-adaptive setting the CRS could depend on the relation, we must specify what information about the relation is given to the CRS generator. Thus, we will consider an associated parameter language such that a member of this language is enough to characterize a particular relation, and this language member is provided to the CRS generator. For example, consider the class of parameterized relations \({{\mathcal {R}}}= \{R_\rho \}\), where the parameter \(\rho \) is a tuple \(\mathbf{g}, \mathbf{f}, \mathbf{h}\) of three elements from a group \(\mathbb {G}\) of order q. Suppose \(R_\rho \) (on \( \langle \varvec{ l }_1, \varvec{ l }_2, \varvec{ l }_3 \rangle , \langle x_1, x_2 \rangle \)) is defined as

$$\begin{aligned} R_{\langle \mathbf{g}, \mathbf{f}, \mathbf{h}\rangle }(\langle \varvec{ l }_1, \varvec{ l }_2, \varvec{ l }_3 \rangle , \langle x_1, x_2 \rangle ) \mathop {=}\limits ^\mathrm{def}\left( \begin{array}{c} x_1, x_2 \in \mathbb {Z}_q, \quad \varvec{ l }_1, \varvec{ l }_2, \varvec{ l }_3 \in \mathbb {G} \quad \mathbf{and}\\ \varvec{ l }_1 = x_1 \cdot \mathbf{g}, \quad \varvec{ l }_2 = x_2 \cdot \mathbf{f}, \quad \varvec{ l }_3 = (x_1+x_2) \cdot \mathbf{h} \end{array} \right) . \end{aligned}$$

For this class of relations, one could seek a quasi-adaptive NIZK where the CRS generator is just given \(\rho \) as input. Thus in this case, the associated parameter language \({{\mathcal {L}}_{\mathrm{par}}}\) will just be triples of group elements. Moreover, the distribution \({\mathcal {D}}\) can just be on the parameter language \({{\mathcal {L}}_{\mathrm{par}}}\), i.e., \({\mathcal {D}}\) just specifies a \(\rho \in {{\mathcal {L}}_{\mathrm{par}}}\). Again, \({{\mathcal {L}}_{\mathrm{par}}}\) is technically an ensemble.

Definition 1

(QA-NIZK) We call a tuple of efficient algorithms \((\mathsf{K}_0,\mathsf{K}_1,\mathsf{P},\mathsf{V})\) a QA-NIZK proof system for witness relations \({{\mathcal {R}}}_\lambda = \{R_\rho \}\) with parameters sampled from a distribution \({\mathcal {D}}\) over associated parameter language \({{\mathcal {L}}_{\mathrm{par}}}\), if there exists a probabilistic polynomial time simulator \((\mathsf{S}_1,\mathsf{S}_2)\), such that for all non-uniform PPT adversaries \({\mathcal {A}}_1, {\mathcal {A}}_2, {\mathcal {A}}_3\) we have:

  • Quasi-Adaptive Completeness:

    $$\begin{aligned}&\Pr \left[ \begin{array}{c} \lambda \leftarrow \mathsf{K}_0(1^m); \quad \rho \leftarrow {\mathcal {D}}_{\lambda }; \quad \psi \leftarrow \mathsf{K}_1(\lambda ,\rho ); \\ (x,w) \leftarrow {\mathcal {A}}_1(\lambda , \psi , \rho ); \quad \pi \leftarrow \mathsf{P}(\psi , x,w): \\ \mathsf{V}(\psi , x, \pi ) =1 {\ \mathbf{if} \ } R_\rho (x,w) \end{array} \right] = 1 \end{aligned}$$

  • Quasi-Adaptive Soundness:

    $$\begin{aligned}&\Pr \left[ \begin{array}{c} \lambda \leftarrow \mathsf{K}_0(1^m); \quad \rho \leftarrow {\mathcal {D}}_{\lambda }; \quad \psi \leftarrow \mathsf{K}_1(\lambda ,\rho ); \quad (x,\pi ) \leftarrow {\mathcal {A}}_2(\lambda , \psi , \rho ): \\ \mathsf{V}(\psi , x,\pi ) =1\, { \mathbf and }\, \lnot (\exists w: R_\rho (x,w)) \end{array} \right] \approx 0 \end{aligned}$$

  • Quasi-Adaptive Zero-Knowledge:

    $$\begin{aligned}&\Pr \left[ \lambda \leftarrow \mathsf{K}_0(1^m); \quad \rho \leftarrow {\mathcal {D}}_{\lambda }; \quad \psi \leftarrow \mathsf{K}_1(\lambda ,\rho ): \quad {\mathcal {A}}_3^{\mathsf{P}(\psi , \cdot , \cdot )}(\lambda , \psi , \rho ) = 1 \right] \approx \\&\Pr \left[ \lambda \leftarrow \mathsf{K}_0(1^m); \quad \rho \leftarrow {\mathcal {D}}_{\lambda }; \quad (\psi , \tau ) \leftarrow \mathsf{S}_1(\lambda , \rho ): \quad {\mathcal {A}}_3^{\mathsf{S}(\psi , \tau , \cdot , \cdot )}(\lambda , \psi , \rho ) = 1 \right] , \end{aligned}$$

    where \(\mathsf{S}(\psi , \tau , x,w) = \mathsf{S}_2(\psi , \tau , x)\) for \((x,w)\in R_\rho \) and both oracles (i.e., \(\mathsf{P}\) and \(\mathsf{S}\)) output failure if \((x,w)\not \in R_\rho \). We call the property Perfect Zero-Knowledge, if the above probabilities are in fact equal.

Note that \(\psi \) is the CRS in the above definitions.

3 QA-NIZK for Linear Subspaces

Setup Let \(\mathbb {G}_1, \mathbb {G}_2\) and \(\mathbb {G}_T\) be cyclic groups of prime order q with a bilinear map \(e: \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\) chosen by a group generation algorithm. Let \(\mathbf{g}_1\) and \(\mathbf{g}_2\) be generators of the group \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively. Let \(\mathbf{0}_1, \,\mathbf{0}_2\) and \(\mathbf{0}_T\) be the identity elements in the three groups \(\mathbb {G}_1, \mathbb {G}_2\) and \(\mathbb {G}_T\), respectively. We use additive notation for the group operations in all the groups.

The bilinear pairing e naturally extends to \(\mathbb {Z}_q\)-vector spaces of \(\mathbb {G}_1\) and \(\mathbb {G}_2\) of the same dimension n as follows: \(e(\vec {\mathbf{a}}, \vec {\mathbf{b}}^\top ) = \sum _{i= 1}^{n} e(\mathbf{a}_i, \mathbf{b}_i)\), where \(\vec {\mathbf{a}}, \vec {\mathbf{b}}\) are row vectors. Thus, if \(\vec {\mathbf{a}} = \vec {\text{ x }} \cdot \mathbf{g}_1\) and \(\vec {\mathbf{b}} = \vec {\text{ y }} \cdot \mathbf{g}_2\), where \(\vec {\text{ x }}\) and \(\vec {\text{ y }}\) are now vectors over \(\mathbb {Z}_q\), then \(e(\vec {\mathbf{a}}, \vec {\mathbf{b}}^\top ) = (\vec {\text{ x }} \cdot \vec {\text{ y }}^\top ) \cdot e(\mathbf{g}_1, \mathbf{g}_2)\).

Linear Subspace Languages To start off with an example, a set of equations \(\varvec{ l }_1 = x_1 \cdot \mathbf{g}, \varvec{ l }_2 = x_2 \cdot \mathbf{f}, \varvec{ l }_3 = (x_1+x_2) \cdot \mathbf{h}\) will be expressed in the form \(\vec {\varvec{ l }} = \vec {\text{ x }} \cdot {\mathbf {\mathsf{{A}}}}\) as follows:

$$\begin{aligned} \vec {\varvec{ l }} = \left[ \begin{array}{ccc} \varvec{ l }_1&\varvec{ l }_2&\varvec{ l }_3 \end{array} \right] = \left[ \begin{array}{ccc} x_1&x_2 \end{array} \right] \cdot \left[ \begin{array}{ccc} \mathbf{g} &{} \mathbf{0}_1 &{} \mathbf{h} \\ \mathbf{0}_1 &{} \mathbf{f} &{} \mathbf{h} \end{array} \right] \end{aligned}$$

where \(\vec {\text{ x }}\) is a vector of unknowns and \({\mathbf {\mathsf{{A}}}}\) is a matrix specifying the group constants \(\mathbf{g}, \mathbf{f}, \mathbf{h}\).

The scalars in this system of equations are from the field \(\mathbb {Z}_q\). In general, we consider languages that are linear subspaces of vectors of \(\mathbb {G}_1\) elements. These are just \(\mathbb {Z}_q\)-modules, and since \(\mathbb {Z}_q\) is a field, they are vector spaces. In other words, the languages we are interested in can be characterized as languages parameterized by \({\mathbf {\mathsf{{A}}}}\) as below:

$$\begin{aligned} L_{{\mathbf {\mathsf{{A}}}}} = \{ \vec {\text{ x }} \cdot {\mathbf {\mathsf{{A}}}} \in \mathbb {G}_1^n \ |\ \vec {\text{ x }} \in \mathbb {Z}_q^t \}\quad \text {, where } {\mathbf {\mathsf{{A}}}} \text { is a } t \times n \text { matrix of } \mathbb {G}_1 \text { elements.} \end{aligned}$$

Here \({\mathbf {\mathsf{{A}}}}\) is an element of the associated parameter language \({{\mathcal {L}}_{\mathrm{par}}}\), which is all \(t \times n\) matrices of \(\mathbb {G}_1\) elements. The parameter language \({{\mathcal {L}}_{\mathrm{par}}}\) also has a corresponding witness relation \({{\mathcal {R}}_{\mathrm{par}}}\), where the witness is a matrix of \(\mathbb {Z}_q\) elements: \({{\mathcal {R}}_{\mathrm{par}}}({\mathbf {\mathsf{{A}}}}, \text{ A })\) iff \({\mathbf {\mathsf{{A}}}} = \text{ A } \cdot \mathbf{g}_1\).

Robust and Efficiently Witness-Samplable Distributions Let the \(t \times n\)-dimensional matrix \({\mathbf {\mathsf{{A}}}}\) be chosen according to a distribution \({\mathcal {D}}\) on \({{\mathcal {L}}_{\mathrm{par}}}\). We will call the distribution \({\mathcal {D}}\) robust if with overwhelming probability the left-most t columns of \({\mathbf {\mathsf{{A}}}}\) are full-ranked. We will call a distribution \({\mathcal {D}}\) on \({{\mathcal {L}}_{\mathrm{par}}}\) efficiently witness samplable if there is a probabilistic polynomial time algorithm such that it outputs a pair of matrices \(({\mathbf {\mathsf{{A}}}}, \text{ A })\) that satisfy the relation \({{\mathcal {R}}_{\mathrm{par}}}\) (i.e., \({{\mathcal {R}}_{\mathrm{par}}}({\mathbf {\mathsf{{A}}}}, \text{ A })\) holds), and further the resulting distribution of the output \({\mathbf {\mathsf{{A}}}}\) is same as \({\mathcal {D}}\). For example, the uniform distribution on \({{\mathcal {L}}_{\mathrm{par}}}\) is efficiently witness samplable, by first picking \(\text{ A }\) at random, and then computing \({\mathbf {\mathsf{{A}}}}\). As an example of a robust distribution, consider a distribution \({\mathcal {D}}\) on \((2 \times 3)\)-dimensional matrices \( \left[ \begin{array}{ccc} \mathbf{g} &{} \mathbf{0}_1 &{} \mathbf{h} \\ \mathbf{0}_1 &{} \mathbf{f} &{} \mathbf{h} \end{array} \right] \) with \(\mathbf{g}, \mathbf{f}\) and \(\mathbf{h}\) chosen randomly from \(\mathbb {G}_1\). It is easy to see that the first two columns are full-ranked if \(\mathbf{g} \ne \mathbf{0}_1 \text { and } \mathbf{f} \ne \mathbf{0}_1\), which holds with probability \((1-1/q)^2\).

3.1 QA-NIZK Construction Under the XDH Assumption

We now describe a computationally sound quasi-adaptive NIZK \((\mathsf{K}_0, \mathsf{K}_1, \mathsf{P}, \mathsf{V})\) for linear subspace languages \(\{ L_{{\mathbf {\mathsf{{A}}}}} \}\) with parameters sampled from a robust and efficiently witness-samplable distribution \({\mathcal {D}}\) over the associated parameter language \({{\mathcal {L}}_{\mathrm{par}}}\).

Algorithm \(\mathsf{K}_0\): \(\mathsf{K}_0\) is the same as the group generation algorithm for which the XDH assumption holds: \(\lambda \mathop {=}\limits ^\mathrm{def}(q, \mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T, e, \mathbf{g}_1, \mathbf{g}_2) \leftarrow \mathsf{K}_0(1^m)\), with \((q, \mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T, e, \mathbf{g}_1, \mathbf{g}_2)\) as described above.

We will assume that the size \(t \times n\) of the matrix \({\mathbf {\mathsf{{A}}}}\) is either fixed or determined by the security parameter m. In general, t and n could also be part of the parameter language, and hence \(t, n\) could be given as part of the input to the CRS generator \(\mathsf{K}_1\).

Algorithm \(\mathsf{K}_1\): The algorithm \(\mathsf{K}_1\) generates the CRS as follows. Let \({\mathbf {\mathsf{{A}}}}^{t \times n}\) be the parameter supplied to \(\mathsf{K}_1\). Let \(s \mathop {=}\limits ^\mathrm{def}n - t\): This is the number of equations in excess of the unknowns. It generates a matrix \(\text{ D }^{t \times s}\) with all elements chosen randomly from \(\mathbb {Z}_q\) and a single element b chosen randomly from \(\mathbb {Z}_q\). The common reference string (CRS) \(\psi \) has two parts \({\mathbf {\mathsf{{CRS}}}}_p\) and \({\mathbf {\mathsf{{CRS}}}}_v\) which are to be used by the prover and the verifier, respectively.

$$\begin{aligned} {\mathbf {\mathsf{{CRS}}}}_p^{t \times s} := {\mathbf {\mathsf{{A}}}} \cdot \left[ \begin{array}{c} \begin{array}{c} \text{ D }^{t \times s} \\ b^{-1} \cdot \mathrm {I}^{s \times s} \end{array} \end{array} \right] \qquad \qquad {\mathbf {\mathsf{{CRS}}}}_v^{(n+s) \times s} := \left[ \begin{array}{c} b \cdot \text{ D } \\ \mathrm {I}^{s \times s} \\ -b \cdot \mathrm {I}^{s \times s} \end{array} \right] \cdot \mathbf{g}_2 \end{aligned}$$

Here, \(\mathrm {I}\) denotes the identity matrix. Note that \({\mathbf {\mathsf{{CRS}}}}_v\) is independent of the parameter.

Prover \(\mathsf{P}\): Given candidate \(\vec {\varvec{ l }} = \vec {\text{ x }} \cdot {\mathbf {\mathsf{{A}}}}\) with witness vector \(\vec {\text{ x }}\), the prover generates the following proof consisting of s elements in \(\mathbb {G}_1\):

$$\begin{aligned} \vec {\mathbf{p}} {:}{=} \vec {\text{ x }} \cdot {\mathbf {\mathsf{{CRS}}}}_p \end{aligned}$$

Verifier \(\mathsf{V}\): Given candidate \(\vec {\varvec{ l }}\), and a proof \(\vec {\mathbf{p}}\), the verifier checks the following:

The security of the above system depends on the DDH assumption in group \(\mathbb {G}_2\). Since \(\mathbb {G}_2\) is a bilinear group, this assumption is known as the XDH assumption. These assumptions are standard and are formally described in “Appendix 1.”

Remark

The proofs are unique for language members as the bottom s rows of \({\mathbf {\mathsf{{CRS}}}}_v\) are invertible.

Theorem 2

The above algorithms \((\mathsf{K}_0, \mathsf{K}_1, \mathsf{P}, \mathsf{V})\) constitute a perfectly complete, computationally sound and perfectly zero-knowledge quasi-adaptive NIZK proof system for linear subspace languages \(\{ L_{{\mathbf {\mathsf{{A}}}}} \}\) with parameters \({\mathbf {\mathsf{{A}}}}\) sampled from a robust and efficiently witness-samplable distribution \({\mathcal {D}}\) over the associated parameter language \({{\mathcal {L}}_{\mathrm{par}}}\), given the DDH assumption holds for group \(\mathbb {G}_2\), with respect to the group generation algorithm \(\mathsf{K}_0\).

Completeness and zero-knowledge are fairly straightforward as we will see below. Soundness is the most non-trivial part of proving this theorem.

Completeness: For a candidate \(\vec {\text{ x }} \cdot {\mathbf {\mathsf{{A}}}}\) (which is a language member), the left-hand side of the verification equation is:

Hence completeness follows.

Zero-Knowledge: The CRS is generated exactly as above. In addition, the simulator is given the trapdoor \( \left[ \begin{array}{c} \text{ D } \\ b^{-1} \cdot \mathrm {I}^{s \times s} \end{array} \right] \). Now, given a language candidate \(\vec {\varvec{ l }}\), the proof is simply \( \vec {\mathbf{p}} := \vec {\varvec{ l }} \cdot \left[ \begin{array}{c} \begin{array}{c} \text{ D } \\ b^{-1} \cdot \mathrm {I}^{s \times s} \end{array} \end{array} \right] . \) If \(\vec {\varvec{ l }}\) is in the language, i.e., it is \(\vec {\text{ x }} \cdot {\mathbf {\mathsf{{A}}}}\) for some \(\vec {\text{ x }}\), then the distribution of the simulated proof is identical to the real-world proof. Therefore, the simulated NIZK CRS and simulated proofs of language members are identically distributed as the real world. Hence the system is perfect zero-knowledge.

Soundness: We prove soundness by transforming the system over two games. Game \(\mathbf{G }_0\) just replicates the soundness security definition. In game \(\mathbf{G }_1\) the CRS is generated using witness \(\text{ A }\) and its null-space, and this can be done efficiently by the challenger as the distribution is efficiently witness samplable. After this transformation, we show that a verifying proof of a non-language member implies breaking DDH in group \(\mathbb {G}_2\).

\(\mathbf{Game\, G }_0\): This is just the original system, i.e., the challenger takes a security parameter m, generates \(\lambda \) using \(\mathsf{K}_0\), then generates \({\mathbf {\mathsf{{A}}}}\) according to \({\mathcal {D}}\), generates the CRS \(\psi \) using \(\mathsf{K}_1\) and passes \(\lambda , {\mathbf {\mathsf{{A}}}}\) and the CRS (i.e., \({\mathbf {\mathsf{{CRS}}}}_p, \,{\mathbf {\mathsf{{CRS}}}}_v\)) to an adversary \({{\mathcal {B}}}\). Let \({{\mathcal {B}}}\) produce candidate \(\vec {\varvec{ l }}\) and proof \(\vec {\mathbf{p}}\). We say \({{\mathcal {B}}}\) wins if the verifier \(\mathsf{V}\) accepts \(\vec {\mathbf{p}}\) while \(\vec {\varvec{ l }}\) is not in \(L_{{\mathbf {\mathsf{{A}}}}}\). Let \(W_0\) denote the event that \({{\mathcal {B}}}\) wins game \(\mathbf{G }_0\). If we can show that \(\Pr [W_0]\) is negligible (in m), then soundness follows.

\(\mathbf{Game\, G }_1\): Since \({\mathcal {D}}\) is efficiently witness samplable, say using a PPT machine \({{\mathcal {M}}}\), in this game the challenger generates \({\mathbf {\mathsf{{A}}}} = \text{ A } \cdot \mathbf{g}_1\) using \({{\mathcal {M}}}\), and hence the challenger also gets \(\text{ A }\) (the witness to \({\mathbf {\mathsf{{A}}}}\) in language \({{\mathcal {L}}_{\mathrm{par}}}\)). Next the challenger checks whether the left-most t columns of \(\text{ A }\) are full-ranked. If they are not full-ranked, the Challenger declares the Adversary as winner. We will also call this event BAD. The probability of event BAD happening is negligible by definition as the distribution \({\mathcal {D}}\) is robust. Otherwise, it computes a rank s matrix \(\left[ \begin{array}{c} \text{ W }^{t \times s} \\ \mathrm {I}^{s \times s} \end{array} \right] \) of dimension \((t+s) \times s\) whose columns form a complete basis for the null-space of \(\text{ A }\), which means \(\text{ A } \cdot \left[ \begin{array}{c} \text{ W }^{t \times s} \\ \mathrm {I}^{s \times s} \end{array} \right] = \text{0 }^{t \times s}\). Next, the NIZK CRS is computed as follows: The challenger generates matrix \(\text{ D }'^{\ t \times s}\) with elements randomly chosen from \(\mathbb {Z}_q\) and element b randomly chosen from \(\mathbb {Z}_q\) (just as in the real CRS). Now set,

$$\begin{aligned} \left[ \begin{array}{c} \text{ D } \\ b^{-1} \cdot \mathrm {I}^{s \times s} \end{array} \right] = \left[ \begin{array}{c} \text{ D }' \\ \text{0 }^{s \times s} \end{array} \right] + b^{-1} \cdot \left[ \begin{array}{c} \text{ W } \\ \mathrm {I}^{s \times s} \end{array} \right] \end{aligned}$$

Therefore the challenger produces,

$$\begin{aligned}&{\mathbf {\mathsf{{CRS}}}}_p^{t \times s} = {\mathbf {\mathsf{{A}}}} \cdot \left[ \begin{array}{c} \text{ D } \\ b^{-1} \cdot \mathrm {I}^{s \times s} \end{array} \right] = {\mathbf {\mathsf{{A}}}} \cdot \left( \left[ \begin{array}{c} \text{ D } \\ b^{-1} \cdot \mathrm {I}^{s \times s} \end{array} \right] - b^{-1} \cdot \left[ \begin{array}{c} \text{ W } \\ \mathrm {I}^{s \times s} \end{array} \right] \right) = {\mathbf {\mathsf{{A}}}} \cdot \left[ \begin{array}{c} \text{ D }' \\ \text{0 }^{s \times s} \end{array} \right] \\&{\mathbf {\mathsf{{CRS}}}}_v^{(n+s) \times s} = \left[ \begin{array}{c} b \cdot \text{ D } \\ \mathrm {I}^{s \times s} \\ -b \cdot \mathrm {I}^{s \times s} \end{array} \right] \cdot \mathbf{g}_2 = \left[ \begin{array}{c} b \cdot \left[ \begin{array}{c} \text{ D }' \\ \text{0 }^{s \times s} \end{array} \right] + \left[ \begin{array}{c} \text{ W } \\ \mathrm {I}^{s \times s} \end{array} \right] \\ - b \cdot \mathrm {I}^{s \times s} \end{array} \right] \cdot \mathbf{g}_2 \end{aligned}$$

Observe that \(\text{ D }\) has the same distribution as in game \(\mathbf{G_{0}}\) and the rest of the computations are the same. So game \(\mathbf{G_{1}}\) is statistically indistinguishable from game \(\mathbf{G_{0}}\), conditioned on BAD not happening. Let \(W_1\) denote the event that the adversary wins game \(\mathbf{G_{1}}\). Since event BAD implies event \(W_1\), it follows that \(\Pr [W_1] \ge \Pr [W_0]\). Moreover,

$$\begin{aligned} \Pr [ W_1]&= \,\Pr [W_1 \,\wedge \, \text {BAD}] \,+ \,\Pr [W_1 \,\wedge \, \lnot \text {BAD}]\\&\le \,\Pr [\text {BAD}] \,+ \,\Pr [W_1 \,\wedge \, \lnot \text {BAD}] \end{aligned}$$

Since the probability of event BAD is negligible, if we can show \(\Pr [W_1 \,\wedge \, \lnot \text {BAD}]\) to be negligible, soundness follows. We remark that the challenger in game \(\mathbf{G_{1}}\) is efficient (i.e., it can be implemented by a PPT).

Lemma 3

\(\Pr [W_1 ~|~ \lnot \text {BAD}]\) is negligible given the DDH assumption in group \(\mathbb {G}_2\).

Proof

We will condition on the event BAD not happening in Game \(\mathbf{G_{1}}\). We show that if adversary \({{\mathcal {B}}}\) can produce a “proof” \(\vec {\mathbf{p}}\) for which the pairing test holds and yet the candidate \(\vec {\varvec{ l }}\) is not in \(L_{{\mathbf {\mathsf{{A}}}}}\), then it implies an efficient adversary that can break DDH in group \(\mathbb {G}_2\). So consider a DDH game, where a challenger either provides a real DDH tuple \(\langle \mathbf{g}_2, \hat{b} \cdot \mathbf{g}_2, r \cdot \mathbf{g}_2, {\varvec{\chi }}= \hat{b}r \cdot \mathbf{g}_2 \rangle \) or a fake DDH tuple \(\langle \mathbf{g}_2, \hat{b} \cdot \mathbf{g}_2, r \cdot \mathbf{g}_2, {\varvec{\chi }}= \hat{b}r' \cdot \mathbf{g}_2 \rangle \).

The QA-NIZK challenger sets \(b \cdot \mathbf{g}_2\) to be the same as \(\hat{b} \cdot \mathbf{g}_2\) in the description of \(\mathbf{G_{1}}\). Observe that due to our transformations, \({\mathbf {\mathsf{{CRS}}}}_p\) does not use b at all and \({\mathbf {\mathsf{{CRS}}}}_v\) can be constructed from \(b \cdot \mathbf{g}_2\) alone. Let us partition the \(\mathbb {Z}_q\) matrix \(\text{ A }\) as \(\left[ \begin{array}{c | c} \text{ A }_0^{t \times t}&\text{ A }_1^{t \times s} \end{array} \right] \) and the candidate vector \(\vec {\varvec{ l }}\) as \(\left[ \begin{array}{c | c} \vec {\varvec{ l }}_0^{1 \times t}&\vec {\varvec{ l }}_1^{1 \times s} \end{array} \right] \). Note that, since \(\text{ A }_0\) has rank t, the elements of \(\vec {\varvec{ l }}_0\) are ‘free’ elements and \(\vec {\varvec{ l }}_0\) can be extended to a unique n-element vector \(\vec {\varvec{ l }}\,'\) which is a member of \(L_{{\mathbf {\mathsf{{A}}}}}\). This member vector \(\vec {\varvec{ l }}\,'\) can be computed as \(\vec {\varvec{ l }}\,'\, := \left[ \begin{array}{c | c} \vec {\varvec{ l }}_0&\ -\vec {\varvec{ l }}_0 \cdot \text{ W } \end{array} \right] \), where \(\text{ W }\) is the same matrix as in Game \(\mathbf{G_{1}}\) and can be computed as \(-\text{ A }_0^{-1} \text{ A }_1\). The proof of \(\vec {\varvec{ l }}\,'\) is computed as \(\vec {\mathbf{p}}\,' := \vec {\varvec{ l }}_0 \cdot \text{ D }'\). Since both \((\vec {\varvec{ l }}, \vec {\mathbf{p}})\) and \((\vec {\varvec{ l }}\,', \vec {\mathbf{p}}\,')\) pass the verification equation, we obtain: \(\vec {\varvec{ l }}\,'_1 - \vec {\varvec{ l }}_1 = b (\vec {\mathbf{p}}\,' - \vec {\mathbf{p}})\), where \(\vec {\varvec{ l }}\,'_1 = - \vec {\varvec{ l }}_0 \cdot \text{ W }\). Since \(\vec {\varvec{ l }}\) is not in \(L_{{\mathbf {\mathsf{{A}}}}}\), we have \(\vec {\varvec{ l }}_1 \ne \vec {\varvec{ l }}\,'_1\), so in particular there exists \(i \in [1, s]\) such that \(\varvec{ l }'_{1i} - \varvec{ l }_{1i} = b (\mathbf{p}'_i - \mathbf{p}_i) \ne \mathbf{0}_1\).
This gives us a straightforward test for the DDH challenge: \( e (\varvec{ l }'_{1i} - \varvec{ l }_{1i}, r \cdot \mathbf{g}_2 ) \mathop {=}\limits ^{?}e (\mathbf{p}'_i - \mathbf{p}_i, {\varvec{\chi }}) \). \(\square \)

This concludes our proof of soundness of the QA-NIZK.

Remark

Observe from the proof above that soundness can be based on the following computational assumption, which is implied by the (decisional) XDH assumption:

Definition 4

Consider a generation algorithm \({{\mathcal {G}}}\) taking the security parameter as input, that outputs a tuple \((q, \mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T, e, \mathbf{g}_1, \mathbf{g}_2)\), where \(\mathbb {G}_1, \mathbb {G}_2\) and \(\mathbb {G}_T\) are groups of prime order q with generators \(\mathbf{g}_1, \mathbf{g}_2\) and \(e(\mathbf{g}_1, \mathbf{g}_2)\), respectively, and which allow an efficiently computable \(\mathbb {Z}_q\)-bilinear pairing map \(e : \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\). The assumption asserts that the following problem is hard: Given \(\mathbf{f}, b \cdot \mathbf{f} \xleftarrow {\$}\mathbb {G}_2\), output \(\mathbf{h}, \mathbf{h}' \in \mathbb {G}_1\), such that \(\mathbf{h}' = b \cdot \mathbf{h} \ne \mathbf{0}_1\).

This assumption is called the Double Pairing Assumption in [2] and can also be framed as the Kernel-MDH assumption [31] for the Diffie–Hellman distribution.

Example: QA-NIZK for a DH tuple.

In this example, we instantiate our general system to provide a NIZK for a DH tuple, that is a tuple of the form \((x \cdot \mathbf{g}, x \cdot \mathbf{f})\) for an a priori fixed base \((\mathbf{g}, \mathbf{f}) \in \mathbb {G}_1^2\). We assume DDH for the group \(\mathbb {G}_2\).

As in the setup described before, we have \( {\mathbf {\mathsf{{A}}}} = \left[ \begin{array}{cc} \mathbf{g}&\mathbf{f} \end{array} \right] \). The language is: \(L = \{ [x] \cdot {\mathbf {\mathsf{{A}}}} \ |\ x \in \mathbb {Z}_q\}\).

Now proceeding with the framework, we generate \(\text{ D }\) as [d] and the element b where d and b are random elements of \(\mathbb {Z}_q\). With this setting, the NIZK CRS is:

The proof of a tuple \((\mathbf{r}, \hat{\mathbf{r}})\) with witness r is just the single element \( r \cdot (d \cdot \mathbf{g} + b^{-1} \cdot \mathbf{f}) \). In the proof of zero-knowledge, the simulator trapdoor is \((d, b)\) and the simulated proof of \((\mathbf{r}, \hat{\mathbf{r}})\) is just \( (d \cdot \mathbf{r} + b^{-1} \cdot \hat{\mathbf{r}}) \).
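As an added example (not code from the paper), the DDH-based QA-NIZK above in a toy Python model: group elements of \(\mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T\) are represented by their discrete logarithms modulo a prime q, so the pairing becomes multiplication mod q and every step of \(\mathsf{K}_1\), \(\mathsf{P}\), \(\mathsf{V}\) and the simulator can be checked algebraically for the general \(t \times n\) case, for the DH-tuple instance just described, and for the Game \(\mathbf{G_{1}}\) form of the CRS used in the soundness proof. The prime Q and all sampled exponents are constructed values; the model exposes every exponent and therefore has no hiding or soundness of its own.

```python
"""Toy model of the DDH-based QA-NIZK for linear subspaces (the k = 1 case).

Elements of G1, G2 and GT are represented by their discrete logarithms mod Q,
so the pairing is e(a.g1, c.g2) = (a*c).gT.  Every exponent is visible, so this
has no security at all; it only exercises the algebra of K1, P, V and the
simulator, plus the G_1 reformulation of the CRS from the soundness proof.
"""
import secrets

Q = (1 << 127) - 1          # prime group order (constructed toy value)

def rand_zq():
    """Uniform non-zero element of Z_Q."""
    return secrets.randbelow(Q - 1) + 1

def identity(s):
    return [[int(i == j) for j in range(s)] for i in range(s)]

def mat_mul(X, Y):
    """(r x m) times (m x c) product over Z_Q; models A.T, x.CRS_p and [l|p].CRS_v."""
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % Q
             for j in range(len(Y[0]))] for i in range(len(X))]

def keygen(A, D=None, b=None):
    """K1 for A (t x n, exponents over Z_Q).  D and b may be supplied so that the
    G_1 reformulation and the split-CRS property can be checked explicitly."""
    t, n = len(A), len(A[0])
    s = n - t                                  # equations in excess of unknowns
    D = D if D is not None else [[rand_zq() for _ in range(s)] for _ in range(t)]
    b = b if b is not None else rand_zq()
    b_inv = pow(b, -1, Q)
    # simulator trapdoor [D ; b^{-1} I], dimension n x s
    T = [row[:] for row in D] + [[b_inv * v % Q for v in row] for row in identity(s)]
    crs_p = mat_mul(A, T)                      # t x s, lives in G1
    # CRS_v = [b D ; I ; -b I] . g2, dimension (n+s) x s; it never looks at A
    crs_v = ([[b * v % Q for v in row] for row in D] + identity(s)
             + [[(-b * v) % Q for v in row] for row in identity(s)])
    return crs_p, crs_v, T

def prove(crs_p, x):
    """P: proof p = x . CRS_p (1 x s)."""
    return mat_mul([x], crs_p)[0]

def verify(crs_v, l, p):
    """V: accept iff e([l | p], CRS_v) is the identity of GT in every column."""
    return all(v == 0 for v in mat_mul([list(l) + list(p)], crs_v)[0])

def simulate(T, l):
    """S: p = l . [D ; b^{-1} I], computed from the trapdoor without a witness."""
    return mat_mul([l], T)[0]

def dh_example():
    """The page's DH-tuple instance: A = [g f], D = [d]; the proof of (r.g, r.f)
    must equal r.(d.g + b^{-1}.f) and the simulated proof d.R + b^{-1}.R_hat."""
    gamma, phi = rand_zq(), rand_zq()          # g = gamma.g1, f = phi.g1
    A = [[gamma, phi]]
    crs_p, crs_v, T = keygen(A)
    d, b_inv = T[0][0], T[1][0]
    r = rand_zq()
    member = [r * gamma % Q, r * phi % Q]
    non_member = [r * gamma % Q, (r + 1) * phi % Q]   # not of the form (x.g, x.f)
    p = prove(crs_p, [r])
    return {
        "proof_matches_formula": p[0] == r * (d * gamma + b_inv * phi) % Q,
        "member_verifies": verify(crs_v, member, p),
        "simulated_equals_real": simulate(T, member) == p,
        "non_member_rejected": not verify(crs_v, non_member, p),
        # the trapdoor "proves" anything: this is why it stays with the simulator only
        "trapdoor_proves_non_member": verify(crs_v, non_member, simulate(T, non_member)),
    }

def game1_crs_matches(gamma, phi):
    """Soundness game G_1 for the DH instance: with W = -A0^{-1}.A1 and
    D = D' + b^{-1}.W, CRS_p collapses to A.[D' ; 0] and CRS_v to
    [b.[D';0] + [W;I] ; -b.I], exactly as derived in the proof."""
    A = [[gamma, phi]]
    W = (-pow(gamma, -1, Q) * phi) % Q         # null-space vector: gamma.W + phi = 0
    d_prime, b = rand_zq(), rand_zq()
    D = [[(d_prime + pow(b, -1, Q) * W) % Q]]
    crs_p, crs_v, _ = keygen(A, D=D, b=b)
    expected_p = [[gamma * d_prime % Q]]
    expected_v = [[(b * d_prime + W) % Q], [1], [(-b) % Q]]
    return crs_p == expected_p and crs_v == expected_v
```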

3.2 QA-NIZK Construction Under the k-Linear Assumption

In this section we generalize our QA-NIZK proof system to be based on the k-linear assumption for any \(k \ge 1\). The hardness assumption is defined in Appendix 5.5. We specifically mention DLIN, which is the case \(k=2\), since it is a widely used assumption, and note that XDH is the case \(k=1\).

Let \(\mathbb {G}_1, \mathbb {G}_2\) and \(\mathbb {G}_T\) be cyclic groups of prime order q with a bilinear map \(e: \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\). Let \(\mathbf{g}_1\) and \(\mathbf{g}_2\) be randomly chosen generators of the group \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively. We assume that the k-linear problem is hard in the group \(\mathbb {G}_2\). The groups \(\mathbb {G}_1\) and \(\mathbb {G}_2\) are in fact allowed to be the same for \(k \ge 2\). In the rest of the subsection, we adopt the same symbols and conventions as in the former subsection.

NIZK CRS: Suppose the language is \(L_{{\mathbf {\mathsf{{A}}}}} = \{ \vec {\text{ x }} \cdot {\mathbf {\mathsf{{A}}}}^{t \times n} \in \mathbb {G}_1^{n} \ |\ \vec {\text{ x }} \in \mathbb {Z}_q^t \}\). Let \(s \mathop {=}\limits ^\mathrm{def}n - t\): this is the number of equations in excess of the unknowns. Generate a matrix \(\text{ D }^{t \times ks}\) with all elements chosen randomly from \(\mathbb {Z}_q\) and k elements \(b_1, \cdots , b_k\) chosen randomly from \(\mathbb {Z}_q\). Let

In other words, \(\text{ E }\) is a diagonal matrix with s copies of each of the \(b_i\)’s on the diagonal. The common reference string (CRS) has two parts \({\mathbf {\mathsf{{CRS}}}}_p\) and \({\mathbf {\mathsf{{CRS}}}}_v\) which are to be used by the prover and the verifier, respectively.

Prover: Given candidate \(\vec {\text{ x }} \cdot {\mathbf {\mathsf{{A}}}}\) with witness vector \(\vec {\text{ x }}\), the prover generates the following proof:

$$\begin{aligned} \vec {\mathbf{p}} := \vec {\text{ x }} \cdot {\mathbf {\mathsf{{CRS}}}}_p \end{aligned}$$

Verifier: Given a proof \(\vec {\mathbf{p}}\) of candidate \(\vec {\varvec{ l }}\), the verifier checks the following:

Theorem 5

The above algorithms \((\mathsf{K}_0, \mathsf{K}_1, \mathsf{P}, \mathsf{V})\) constitute a perfectly complete, computationally sound and perfectly zero-knowledge quasi-adaptive NIZK proof system for linear subspace languages \(\{ L_{{\mathbf {\mathsf{{A}}}}} \}\) with parameters \({\mathbf {\mathsf{{A}}}}\) sampled from a robust and efficiently witness-samplable distribution \({\mathcal {D}}\) over the associated parameter language \({{\mathcal {L}}_{\mathrm{par}}}\), given the DDH assumption holds for group \(\mathbb {G}_2\), with respect to the group generation algorithm \(\mathsf{K}_0\).

A detailed proof of the theorem can be found in Appendix 5.5.

4 Extensions

In this section we consider some useful extensions of the concepts and constructions of QA-NIZK systems. We show how the previous system can be extended to include tags. The tags are elements of \(\mathbb {Z}_q\), are included as part of the proof and are used as part of the defining equations of the language. We define a notion called split-CRS QA-NIZK system, where the prover and verifier use distinct parts of a CRS and we construct a split-CRS system for affine systems.

4.1 Tags

While our system works for any number of components in the tuple (except the first t) being dependent on any number of tags, to simplify the presentation we will focus on only one dependent element and only one tag. Also for simplicity, we will assume that this element is an affine function of the tag (the function being defined by parameters). We can handle arbitrary polynomial functions of the tags as well, but we will focus on affine functions here as most applications seem to need just affine functions. Then, the languages we handle can be characterized as

where \({\mathbf {\mathsf{{A}}}}^{t \times (n-1)}, \vec {\mathbf{a}}_1^{1 \times t}\) and \(\vec {\mathbf{a}}_2^{1 \times t}\) are parameters of the language.

Algorithm \(\mathsf{K}_{0}\) is just the group generation algorithm as before. A distribution is still called robust (as in Sect. 3) if with overwhelming probability the first t columns of \({\mathbf {\mathsf{{A}}}}\) are full-ranked. Write \({\mathbf {\mathsf{{A}}}}\) as \([{\mathbf {\mathsf{{A}}}}_l^{t\times t} \ |\ {\mathbf {\mathsf{{A}}}}_r^{t\times (n-1-t)} ]\), where without loss of generality, \({\mathbf {\mathsf{{A}}}}_l\) is non-singular. While the first \(n-1-t\) components in excess of the unknowns, corresponding to \({\mathbf {\mathsf{{A}}}}_r\), can be verified just as in Sect. 3, for the last component we proceed as follows.

Algorithm \(\mathsf{K}_1\): The CRS is generated as:

where \(\text{ D }_1\) and \(\text{ D }_2\) are random matrices of order \(t \times 1\) independent of the matrix \(\text{ D }\) chosen for proving the other components. The \(\mathbb {Z}_q\) element b can be re-used from the other components.

Prover \(\mathsf{P}\): Let . The prover generates the following proof for the last component, which is just 1 element in \(\mathbb {G}_1\):

$$\begin{aligned} \vec {\mathbf{p}} := \vec {\text{ x }} \cdot ( {\mathbf {\mathsf{{CRS}}}}_{p,1} + \textsc {tag}\cdot {\mathbf {\mathsf{{CRS}}}}_{p,2} ) \end{aligned}$$

Verifier \(\mathsf{V}\): Given a proof \(\vec {\mathbf{p}}\) for candidate \(\langle \vec {\varvec{ l }}\,',\ \textsc {tag}\rangle \) the verifier checks the following:

Theorem 6

The above algorithms \((\mathsf{K}_0, \mathsf{K}_1, \mathsf{P}, \mathsf{V})\) constitute a perfectly complete, computationally sound and perfectly zero-knowledge quasi-adaptive NIZK proof system for tagged subspace languages \(\{ L_{{\mathbf {\mathsf{{A}}}}, \vec {\mathbf{a}}_1, \vec {\mathbf{a}}_2} \}\) with parameters \(({\mathbf {\mathsf{{A}}}}, \vec {\mathbf{a}}_1, \vec {\mathbf{a}}_2)\) sampled from a robust and efficiently witness-samplable distribution \({\mathcal {D}}\) over the associated parameter language \({{\mathcal {L}}_{\mathrm{par}}}\), given the DDH assumption holds for group \(\mathbb {G}_2\), with respect to the group generation algorithm \(\mathsf{K}_0\).

The proof of completeness, soundness and zero-knowledge for this quasi-adaptive system is similar to the proof in Sect. 3, and a proof sketch can be found in Appendix 5.5.

4.2 Split-CRS QA-NIZK Proofs

We note that the QA-NIZK described in Sect. 3 (and its extension to tags in Sect. 4.1) has an interesting split-CRS property. In a split-CRS QA-NIZK for a distribution of relations, the CRS generator \(\mathsf{K}_1\) generates two CRSes \(\psi _{p}\) and \(\psi _{v}\), such that the prover \(\mathsf{P}\) only needs \(\psi _p\), and the verifier \(\mathsf{V}\) only needs \(\psi _v\). In addition, the CRS \(\psi _v\) is independent of the particular relation \(R_\rho \). In other words the CRS generator \(\mathsf{K}_1\) can be split into two PPTs \(\mathsf{K}_{11}\) and \(\mathsf{K}_{12}\), such that \(\mathsf{K}_{11}\) generates \(\psi _v\) using just \(\lambda \), and \(\mathsf{K}_{12}\) generates \(\psi _p\) using \(\rho \) and a state output by \(\mathsf{K}_{11}\). The key generation simulator \(\mathsf{S}_1\) is also split similarly.

In many applications, split-CRS QA-NIZKs can lead to simpler constructions (and their proofs) and possibly shorter proofs.

Definition 7

(Split-CRS QA-NIZK) We call a tuple of algorithms \((\mathsf{K}_0,\mathsf{K}_{11},\mathsf{K}_{12}, \mathsf{P},\mathsf{V})\) a split-CRS QA-NIZK proof system for an ensemble of distributions \(\{{\mathcal {D}}_\lambda \}\) on a collection of witness relations \({{\mathcal {R}}}_\lambda = \{R_\rho \}\) with associated parameter language \({{\mathcal {L}}_{\mathrm{par}}}\) if there exists a probabilistic polynomial time simulator \((\mathsf{S}_{11},\mathsf{S}_{12}, \mathsf{S}_2)\), such that for all non-uniform PPT adversaries \({\mathcal {A}}_1, {\mathcal {A}}_2, {\mathcal {A}}_3\) we have

Quasi-Adaptive Completeness.

$$\begin{aligned}&\Pr \left[ \begin{array}{c} \lambda \leftarrow \mathsf{K}_0(1^m); \quad (\psi _v,st) \leftarrow \mathsf{K}_{11}(\lambda ); \quad \rho \leftarrow {\mathcal {D}}_{\lambda }; \quad \psi _p \leftarrow \mathsf{K}_{12}(\lambda ,\rho , st); \\ (x,w) \leftarrow {\mathcal {A}}_1(\lambda , \psi _v,\psi _p, \rho ); \quad \pi \leftarrow \mathsf{P}(\psi _p, x,w): \\ \mathsf{V}(\psi _v, x, \pi ) =1 {\ \mathbf if\ } R_\rho (x,w) \end{array} \right] = 1 \end{aligned}$$

Quasi-Adaptive Soundness.

$$\begin{aligned}&\Pr \left[ \begin{array}{c} \lambda \leftarrow \mathsf{K}_0(1^m); \quad (\psi _v,st) \leftarrow \mathsf{K}_{11}(\lambda ); \quad \rho \leftarrow {\mathcal {D}}_{\lambda }; \quad \psi _p \leftarrow \mathsf{K}_{12}(\lambda ,\rho ,st); \\ (x,\pi ) \leftarrow {\mathcal {A}}_2(\lambda , \psi _v,\psi _p, \rho ): \\ \mathsf{V}(\psi _v, x,\pi ) =1\, { \mathbf and\,\, not }\, (\exists w: R_\rho (x,w)) \end{array} \right] \approx 0 \end{aligned}$$

Quasi-Adaptive Zero-Knowledge.

$$\begin{aligned}&\Pr \left[ \begin{array}{c} \lambda \leftarrow \mathsf{K}_0(1^m); \quad (\psi _v,st) \leftarrow \mathsf{K}_{11}(\lambda );\quad \rho \leftarrow {\mathcal {D}}_{\lambda }; \quad \psi _p \leftarrow \mathsf{K}_{12}(\lambda ,\rho ,st): \\ {\mathcal {A}}_3^{\mathsf{P}(\psi _p, \cdot , \cdot )}(\lambda , \psi _v,\psi _p, \rho ) = 1 \end{array} \right] \approx \\&\Pr \left[ \begin{array}{c} \lambda \leftarrow \mathsf{K}_0(1^m); \quad (\sigma _v,st) \leftarrow \mathsf{S}_{11}(\lambda ); \quad \rho \leftarrow {\mathcal {D}}_{\lambda }; \quad (\sigma _p, \tau ) \leftarrow \mathsf{S}_{12}(\lambda , \rho ,st): \\ {\mathcal {A}}_3^{\mathsf{S}(\sigma _p, \tau , \cdot , \cdot )}(\lambda , \sigma _v,\sigma _p, \rho ) = 1 \end{array} \right] , \end{aligned}$$

where \(\mathsf{S}(\sigma _p, \tau , x,w) = \mathsf{S}_2(\sigma _p, \tau , x)\) for \((x,w)\in R_\rho \) and both oracles (i.e., \(\mathsf{P}\) and \(\mathsf{S}\)) output failure if \((x,w)\not \in R_\rho \).

A split-CRS QA-NIZK is called a strong split-CRS QA-NIZK if the proof simulator \(\mathsf{S}_2\) does not use \(\sigma _p\) and the trapdoor \(\tau \) is independent of \(\rho \). In particular, in this case \(\tau \) could be generated by \(\mathsf{S}_{11}\) in the above definition. We remark that the QA-NIZK described in Sect. 3 (and its extension to tags in Sect. 4.1) are strong split-CRS QA-NIZK proof systems, as can be checked by inspecting the proofs.

Strong Split-CRS QA-NIZK for Affine Spaces.

Consider languages that are affine spaces

$$\begin{aligned} L_{{\mathbf {\mathsf{{A}}}}, \vec {\mathbf{a}}} = \{ (\vec {\text{ x }} \cdot {\mathbf {\mathsf{{A}}}} + \vec {\mathbf{a}} ) \in \mathbb {G}_1^n \ |\ \vec {\text{ x }} \in \mathbb {Z}_q^t \} \end{aligned}$$

The parameter language \({{\mathcal {L}}_{\mathrm{par}}}\) just specifies \({\mathbf {\mathsf{{A}}}}\) and \(\vec {\mathbf{a}}\). A distribution over \({{\mathcal {L}}_{\mathrm{par}}}\) is called robust if with overwhelming probability the left-most \(t \times t\) submatrix of \({\mathbf {\mathsf{{A}}}}\) is non-singular (full-ranked). If \(\vec {\mathbf{a}}\) is given as part of the verifier CRS, then a QA-NIZK for distributions over this class follows directly from the construction in Sect. 3. However, that would make the QA-NIZK non-split-CRS. We now show that the techniques of Sect. 3 can be extended to give a strong split-CRS QA-NIZK for (robust and witness samplable) distributions over affine spaces.

Algorithm \(\mathsf{K}_{0}\) is just the group generation algorithm as before. The common reference string (CRS) has two parts \(\psi _p\) and \(\psi _v\) which are to be used by the prover and the verifier, respectively. The split-CRS generators \(\mathsf{K}_{11}\) and \(\mathsf{K}_{12}\) work as follows. Let \(s \mathop {=}\limits ^\mathrm{def}n - t\): This is the number of equations in excess of the unknowns.

Algorithm \(\mathsf{K}_{11}\): The verifier CRS generator first generates a matrix \(\text{ D }^{t \times s}\) with all elements chosen randomly from \(\mathbb {Z}_q\) and a single element b chosen randomly from \(\mathbb {Z}_q\). It also generates a row vector \(\vec {\text{ d }}^{1 \times s}\) at random from \(\mathbb {Z}_q\). Next, it computes

$$\begin{aligned} {\mathbf {\mathsf{{CRS}}}}_v^{(n+s) \times s} := \left[ \begin{array}{c} b \cdot \text{ D } \\ \mathrm {I}^{s \times s} \\ -b \cdot \mathrm {I}^{s \times s} \end{array} \right] \cdot \mathbf{g}_2 \qquad \qquad \vec {\mathbf{f}}^{1\times s} := b \cdot \vec {\text{ d }} \cdot e(\mathbf{g}_1, \mathbf{g}_2) \end{aligned}$$

The verifier CRS \(\psi _v\) is the matrix \({\mathbf {\mathsf{{CRS}}}}_v\) and \(\vec {\mathbf{f}}\). The state st is \((b,\ \text{ D },\ \vec {\text{ d }})\).

Algorithm \(\mathsf{K}_{12}\): The prover CRS generator \(\mathsf{K}_{12}\) takes as inputs \(\rho = ({\mathbf {\mathsf{{A}}}},\ \vec {\mathbf{a}})\) and \(st = (b,\ \text{ D },\ \vec {\text{ d }})\) and generates

$$\begin{aligned} {\mathbf {\mathsf{{CRS}}}}_p^{(t+1) \times s} = \left[ \begin{array}{c} {\mathbf {\mathsf{{A}}}}^{t \times n} \\ \vec {\mathbf{a}}^{1 \times n} \end{array} \right] \cdot \left[ \begin{array}{c} \text{ D } \\ b^{-1} \cdot \mathrm {I}^{s \times s} \end{array} \right] - \left[ \begin{array}{c} \text{0 }^{t \times s} \\ \vec {\text{ d }}^{1 \times s} \end{array} \right] \cdot \mathbf{g}_1 \end{aligned}$$

The prover CRS \(\psi _p\) is just the matrix \({\mathbf {\mathsf{{CRS}}}}_p\).

Prover \(\mathsf{P}\): Given candidate \((\vec {\text{ x }} \cdot {\mathbf {\mathsf{{A}}}} + \vec {\mathbf{a}})\) with witness vector \(\vec {\text{ x }}\), the prover generates the following proof:

Verifier \(\mathsf{V}\): Given a proof \(\vec {\mathbf{p}}\) of candidate \(\vec {\varvec{ l }}\), the verifier checks the following:

Theorem 8

The above algorithms \((\mathsf{K}_0, \mathsf{K}_{11}, \mathsf{K}_{12}, \mathsf{P}, \mathsf{V})\) constitute a perfectly complete, computationally sound and perfectly zero-knowledge quasi-adaptive NIZK proof system for affine subspace languages \(\{ L_{{\mathbf {\mathsf{{A}}}}, \vec {\mathbf{a}}} \}\) with parameters \(({\mathbf {\mathsf{{A}}}}, \vec {\mathbf{a}})\) sampled from a robust and efficiently witness-samplable distribution \({\mathcal {D}}\) over the associated parameter language \({{\mathcal {L}}_{\mathrm{par}}}\), given the DDH assumption holds for group \(\mathbb {G}_2\), with respect to the group generation algorithm \(\mathsf{K}_0\).

The proof of Theorem 8 is similar to that of Theorem 2. We highlight the main points in the proof sketch in Appendix 5.5. The strong split-CRS QA-NIZK for affine spaces also naturally extends to include tags as described before in this section.

5 Applications

In this section we mention several important applications of quasi-adaptive NIZK proofs. Before we go into the details of these applications, we discuss the general applicability of quasi-adaptive NIZKs. Recall that in quasi-adaptive NIZKs, the CRS is set based on the language for which proofs are required. In many applications the language is set by a trusted party. The most prominent example of this is the trusted party that sets the CRS in some UC applications, many of which have UC realizations only with a CRS. Also, in many public key applications the party issuing the public key is considered trusted, as security is defined with respect to the public key issuing party (acting as challenger); an example is the IBE or HIBE trusted authority that issues secret keys to the various identities. Thus, in all these settings, if the language for which proofs are required is determined by a trusted party, then that party can also issue a QA-NIZK CRS based on that language.

5.1 Adaptive UC Commitments in the Erasure Model

Commitment schemes in the Universal Composability [8] model were first formalized and constructed in [10]. In a UC commitment scheme, the functionality defines two interactions: Commit and Open. Each one takes as inputs a session id sid and an additional commitment id cid that is used to distinguish among the different commitments that take place with the same sid.

The SXDH-based commitment scheme from [17] requires a quasi-adaptive NIZK proof for the following language:

$$\begin{aligned} L_\rho {:}{=} \left\{ \langle R, S, T, H, t \rangle \ | \ \exists r: R = r \cdot \mathbf{g}, S = r\cdot \mathbf{h}, T = r \cdot K_1, H = r \cdot (\mathbf{d}_{1} + t \cdot \mathbf{e}_{1}) \right\} \end{aligned}$$

with parameter \(\rho \) being \((\mathbf{g}, \mathbf{h}, K_1, \mathbf{d}_{1}, \mathbf{e}_{1})\). Consider this tag-based language \(L_\rho \), with tag t, with the distribution on the parameters being that they are chosen randomly and uniformly (as in Cramer–Shoup key generation). Consider a QA-NIZK \((\mathsf{K}_0, \mathsf{K}_1, \mathsf{P}, \mathsf{V})\) for the above distribution of (tag-based) linear languages.

UC CRS-Gen \((\lambda )\):

Choose \(\mathbf{g}, \mathbf{h}, K_1, \mathbf{d}_{1}, \mathbf{e}_{1}\) randomly from \(\mathbb {G}_1\) and a public key \({\mathcal {H}}\) for a collision-resistant hash function. Generate a QA-NIZK CRS \(\psi \) for language \(L_{\rho }\) with \(\rho \) being \((\mathbf{g}, \mathbf{h}, K_1, \mathbf{d}_{1}, \mathbf{e}_{1})\). Publish \(crs := (\rho , \psi , {\mathcal {H}})\).

Commit \((crs, M, sid, cid, P_i, P_j)\):

To commit to message \(M \in \mathbb {G}\) for party \(P_j\) upon receiving a command \((commit, sid, cid, P_i, P_j, M)\), party \(P_i\) proceeds as follows:

1. Generate \(r\xleftarrow {\$}\mathbb {Z}_q\). Compute a Cramer–Shoup encryption of M as follows:

$$\begin{aligned} R = r \cdot \mathbf{g}, \quad S = r \cdot \mathbf{h}, \quad T = M + r \cdot K_1 , \quad H = r \cdot (\mathbf{d}_{1} +t \cdot \mathbf{e}_{1}) \end{aligned}$$

where t is a tag generated using a collision-resistant hash function just as in Cramer–Shoup encryption. Specifically, \(t = {\mathcal {H}}(sid, cid, P_i, P_j, R, S, T)\).

2. Generate a QA-NIZK proof \(\pi \) (using \(\mathsf{P}\)) of:

$$\begin{aligned} \exists r. \left( \begin{array}{c} R = r \cdot \mathbf{g}, \quad S = r \cdot \mathbf{h}, \\ T - M = r \cdot K_1, \quad H = r \cdot (\mathbf{d}_{1}+t \cdot \mathbf{e}_{1}) \end{array} \right) \end{aligned}$$

with witness r.

3. Keep \(\pi \) and erase r.

4. Commitment is

Open \((crs, M, sid, cid, P_i, P_j)\):

Reveal M and \(\pi \), which is .

As the proof is for \((T- M)\), it can be shown that it suffices to hide M with the hash key itself (see a similar remark for the signature scheme), which leads to a commitment consisting of three elements and a proof (opening) consisting of another two elements. A similar scheme using QA-NIZKs under the DLIN assumption leads to a commitment consisting of 4 elements and an opening of another 4 elements, whereas [17] stated a scheme using Groth–Sahai NIZK proofs requiring 21 elements.

5.2 One-Time Relatively Simulation Sound NIZK for DDH and Others

In [22] it was shown that for linear subspace languages, such as the DDH or DLIN language, or the language showing that two ElGamal encryptions are of the same message [32, 37], the NIZK proof can be made one-time relatively simulation sound using a projective hash proof [13] and proving in addition that the hash proof is correct. For the DLIN language, this one-time relatively simulation sound proof (in Groth–Sahai system) required 15 group elements, whereas the quasi-adaptive proof in this paper leads to a proof size of only 5 group elements.

5.3 Signatures

We will now show a generic construction of an existentially unforgeable signature scheme (against adaptive chosen message attacks) from labeled CCA2-secure encryption schemes and split-CRS QA-NIZK proof system (as defined in Sect. 4.2) for a related language distribution. This construction is a generalization of a signature scheme from [9] which used (fully) adaptive NIZK proofs and required constructions based on groups in which the CDH assumption holds. The paradigm of using encryption and NIZK together to construct signatures is originally due to [6].

Let \({\mathcal {E}}=(\mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec})\) be a labeled CCA2-secure encryption scheme on messages. Let \(X_m\) be any subset of the message space of \({\mathcal {E}}\) such that \(1/|X_m|\) is negligible in the security parameter m. Consider the following class of (parameterized) languages \(\{L_\rho \}\):

$$\begin{aligned} L_\rho = \{(c, M) ~|~ \exists r: \, c= \mathsf{Enc}_{\mathsf{pk}}(\mathbf{u}; r; M) \} \end{aligned}$$

with parameter \(\rho = (\mathbf{u}, \mathsf{pk})\). The notation \(\mathsf{Enc}_{\mathsf{pk}}(\mathbf{u};r;M)\) means that \(\mathbf{u}\) is encrypted under public key \(\mathsf{pk}\) with randomness r and label M. Consider the following distribution \({\mathcal {D}}\) on the parameters: \(\mathbf{u}\) is chosen uniformly at random from \(X_m\) and \(\mathsf{pk}\) is generated using the probabilistic algorithm \(\mathsf{KeyGen}\) of \({\mathcal {E}}\) on \(1^m\) (the secret key is discarded). Note we have an ensemble of distributions, one for each value of the security parameter, but we will suppress these details.

Let \({{\mathcal {Q}}}= (\mathsf{K}_0, \langle \mathsf{K}_{11}, \mathsf{K}_{12}\rangle , \mathsf{P}, \mathsf{V})\) be a split-CRS QA-NIZK for distribution \({\mathcal {D}}\) on \(\{L_\rho \}\). Note that the associated parameter language \({{\mathcal {L}}_{\mathrm{par}}}\) is just the set of pairs \((\mathbf{u}, \mathsf{pk})\), and \({\mathcal {D}}\) specifies a distribution on \({{\mathcal {L}}_{\mathrm{par}}}\).

Now, consider the following signature scheme \({\mathcal {S}}\).

Key Generation: On input a security parameter m, run \(\mathsf{K}_0(1^m)\) to get \(\lambda \). Let \({\mathcal {E}}.\mathsf{pk}\) be generated using \(\mathsf{KeyGen}\) of \({\mathcal {E}}\) on \(1^m\) (the secret key \(\mathsf{sk}\) is discarded). Choose \(\mathbf{u}\) at random from \(X_m\). Let \(\rho = (\mathbf{u}, {\mathcal {E}}.\mathsf{pk})\). Generate \(\psi _v\) by running \(\mathsf{K}_{11}\) on \(\lambda \) (it also generates a state s). Generate \(\psi _p\) by running \(\mathsf{K}_{12}\) on \((\lambda , \rho )\) and state s. The public key \({\mathcal {S}}.\mathsf{pk}\) of the signature scheme is then \(\psi _v\). The secret key \({\mathcal {S}}.\mathsf{sk}\) consists of \((\mathbf{u}, {\mathcal {E}}.\mathsf{pk}, \psi _p)\).

Sign: The signature on M just consists of a pair \(\langle c, \pi \rangle \), where c is an \({\mathcal {E}}\)-encryption of \(\mathbf{u}\) with label M (using public key \({\mathcal {E}}.\mathsf{pk}\) and randomness r), and \(\pi \) is the QA-NIZK proof generated using prover \(\mathsf{P}\) of \({{\mathcal {Q}}}\) on input \((\psi _p, (c, M), r)\). Recall r is the witness to the language member \((c, M)\) of \(L_\rho \) (and \(\rho = (\mathbf{u}, {\mathcal {E}}.\mathsf{pk})\)).

Verify: Given the public key \({\mathcal {S}}.\mathsf{pk}\,(=\psi _v)\), and a signature \(\langle c, \pi \rangle \) on message M, the verifier uses the verifier \(\mathsf{V}\) of \({{\mathcal {Q}}}\) and outputs \(\mathsf{V}(\psi _v, (c, M), \pi )\).

Theorem 9

If \({\mathcal {E}}\) is a labeled CCA2-encryption scheme and \({{\mathcal {Q}}}\) is a strong split-CRS quasi-adaptive NIZK system for distribution \({\mathcal {D}}\) on class of languages \(\{L_\rho \}\) described above, then the signature scheme described above is existentially unforgeable under adaptive chosen message attacks.

Proof

Recall the security game for a signature scheme. Once the signature scheme’s public key is given to the signature scheme adversary \({{\mathcal {B}}}\), it adaptively obtains several signatures \(\langle c_i, \pi _i \rangle \) on messages \(M_i\) of its choosing. Let T denote the set of all such messages \(M_i\). To win the game, \({{\mathcal {B}}}\) must obtain a \(\langle M^{*}, c^{*}, \pi ^{*} \rangle \) (\(M^{*}\not \in T\)) which passes the public signature verification, which in this case just means that the claimed proof \(\pi ^*\) of \((c^*, M^*)\) being in \(L_\rho \) (where \(\rho = (\mathbf{u}, {\mathcal {E}}.\mathsf{pk})\)) passes the QA-NIZK verifier \(\mathsf{V}\) using the CRS \(\psi _v\). Let W be the event that \({{\mathcal {B}}}\) wins. By soundness of the QA-NIZK, it follows that \(\Pr [W]\) is at most the probability that \((c^*, M^*)\) is in \(L_\rho \) plus a negligible amount.

To show that \(\Pr [W]\) is negligible consider the following experiments:

\(\mathbf{Expt }_{1}\)::

The challenger generates the signature scheme public key \({\mathcal {S}}. \mathsf{pk}\,( = \psi _v)\) just as in the signature scheme described above, and passes it to \({{\mathcal {B}}}\). Apart from retaining the secret key \({\mathcal {S}}. \mathsf{sk}= \,(\mathbf{u}, {\mathcal {E}}.\mathsf{pk}, \psi _p)\), the challenger also retains the secret key \({\mathcal {E}}.\mathsf{sk}\) generated by \(\mathsf{KeyGen}\) of \({\mathcal {E}}\). It then adaptively answers multiple requests for signatures on \(M_i\) by encrypting \(\mathbf{u}\) with labels \(M_i\) (using \({\mathcal {E}}\)’s encryptor \(\mathsf{Enc}\) with key \({\mathcal {E}}.\mathsf{pk}\)) and generating proofs \(\pi _i\) using \(\psi _p\) and QA-NIZK Prover \(\mathsf{P}\). The view of \({{\mathcal {B}}}\) is identical so far to that in the signature scheme security game. When the adversary \({{\mathcal {B}}}\) replies with a triple \(\langle M^{*}, c^{*}, \pi ^{*} \rangle \), the challenger decrypts \(c^{*}\) with label \(M^{*}\) using secret key \({\mathcal {E}}.\mathsf{sk}\) to get \(\mathbf{u}^*\). If \(\mathbf{u}^* = \mathbf{u}\) the challenger outputs WIN, otherwise it outputs LOSE. Let \(W_1\) be the event that the challenger outputs WIN. By correctness of the encryption scheme \({\mathcal {E}}\), the event \(W_1\) happens whenever \(c^{*}\) is an encryption of \(\mathbf{u}\) with label \(M^{*}\) under \({\mathcal {E}}.\mathsf{pk}\), i.e. whenever \((c^{*}, M^{*})\) is in \(L_\rho \) (where \(\rho = (\mathbf{u}, {\mathcal {E}}.\mathsf{pk})\)). Thus, \(\Pr [W]\) is at most \(\Pr [W_1]\) plus a negligible amount.

\(\mathbf{Expt }_{2}\)::

This is the same as \(\mathbf{Expt }_{1}\) except that the Challenger generates the QA-NIZK CRSes (and trapdoor) \(\sigma _v\) using \(\mathsf{S}_{11}\) and \(\sigma _p, \tau \) using \(\mathsf{S}_{12}\). Further, it generates all the proofs using \(\mathsf{S}_2(\sigma _p, \tau , \cdot )\). Since the QA-NIZK is a strong split-CRS QA-NIZK, the simulator does not use \(\sigma _p\) and further \(\tau \) is independent of \(\mathbf{u}\). Let \(W_2\) be the event that the challenger outputs WIN. By QA-NIZK zero-knowledge, \(|\Pr [W_2] - \Pr [W_1]|\) is negligible.

\(\mathbf{Expt }_{3}\)::

This is same as \(\mathbf{Expt }_{2}\) except that the challenger now encrypts 1 instead of \(\mathbf{u}\). Let \(W_3\) be the event that challenger outputs WIN. By CCA-2 security of the encryption scheme \({\mathcal {E}}\), it follows that \(|\Pr [W_3] - \Pr [W_2]|\) is negligible. Technically, this requires a sequence of hybrid experiments, with each subsequent experiment replacing \(\mathbf{u}\) by 1 in the next signature request of \({{\mathcal {B}}}\).

Now, note that in \(\mathbf{Expt }_{3}\), \(\Pr [W_3]\) is at most \(1/|X_m|\) as the view of the adversary \({{\mathcal {B}}}\) is independent of \(\mathbf{u}\). Thus, by the hypothesis about \(X_m\), \(\Pr [W_3]\) is negligible. It follows that \(\Pr [W]\) is negligible as well.

A couple of remarks are in order here. If we did not have a split-CRS QA-NIZK, but a QA-NIZK where the verifier also needed a CRS that depended on \(\rho \), then in \(\mathbf{Expt }_{3}\) above the view of the Adversary \({{\mathcal {B}}}\) would depend on \(\mathbf{u}\). In such a case, one can still get a signature scheme (as in [9]), but one has to encrypt a hard-to-compute challenge such as \(x \cdot \mathbf{u}\) (given \(\mathbf{u}, \,\mathbf{g}\) and \(x \cdot \mathbf{g}\)). The size of the QA-NIZK proof, and hence of the signature, does not increase: although the number of equations to prove goes up by one, so does the number of variables (note the additional variable x), and the proof size depends only on their difference. \(\square \)

It is worth remarking here that the reason one can use a quasi-adaptive NIZK here is because the language \(L_\rho \) for which (multiple) NIZK proof(s) is required is set (or chosen) by the (signature scheme) key generator, and hence the key generator can generate the CRS for the NIZK after it sets the language. The proof of the above theorem can be understood in terms of simulation soundness. Suppose the above split-CRS QA-NIZK was also unbounded simulation sound. Then, one can replace the CCA2 encryption scheme with just a CPA-encryption scheme, and still get a secure signature scheme. A proof sketch of this is as follows: An Adversary \({{\mathcal {B}}}\) is only given \(\psi _v\) (which is independent of parameters, including \(\mathbf{u}\)). Further, the simulator for the QA-NIZK can replace all proofs by simulated proofs (that do not use witness r used for encryption). Next, one can employ CPA-security to replace encryptions of \(\mathbf{u}\) by encryptions of 1. By unbounded simulation soundness of the QA-NIZK it follows that if \({{\mathcal {B}}}\) produces a verifying signature then it must have produced an encryption of \(\mathbf{u}\). However, the view of \({{\mathcal {B}}}\) is independent of \(\mathbf{u}\), and hence its probability of forging a signature is negligible.

However, the best known technique for obtaining efficient unbounded simulation soundness itself requires CCA2 encryption (see [9]), and in addition NIZK proofs for quadratic equations. On the other hand, if we instantiate the above theorem with the Cramer–Shoup encryption scheme, we get remarkably short signatures (in fact the shortest signatures under any static and standard assumption). The Cramer–Shoup encryption scheme PK consists of \(\mathbf{g}, \mathbf{f}\,, \mathbf{k}, \mathbf{d}_{}, \mathbf{e}_{}\) chosen randomly from \(\mathbb {G}_1\), along with a target collision-resistant hash function \({\mathcal {H}}\) (with a public random key). The set X from which \(\mathbf{u}\) is chosen is just the whole group \(\mathbb {G}_1\). Then an encryption of \(\mathbf{u}\) is obtained by picking r at random, and obtaining the tuple

$$\begin{aligned} \langle R = r \cdot \mathbf{g}, \,S = r \cdot \mathbf{f}\,,\, T = \mathbf{u}+ r \cdot \mathbf{k}, \, H = r \cdot (\mathbf{d}_{} + \textsc {tag}\cdot \mathbf{e}_{}) \rangle \end{aligned}$$

where \(\textsc {tag}= {\mathcal {H}}(R, S, T, M)\). It can be shown that it suffices to hide \(\mathbf{u}\) with the hash proof H (although one has to go into the internals of the hash proof-based CCA2 encryption; see Appendix in [22]). Thus, we just need a (split-CRS) QA-NIZK for the tag-based affine system (it is affine because of the additive constant \(\mathbf{u}\)). There is one variable r, and three equations (four if we consider the original CCA-2 encryption). Thus, we just need \((3-1)\cdot 1 \,(= 2)\) proof elements, leading to a total signature size of 5 elements (i.e., \(R, S, \mathbf{u}+ H\), and the two proof elements) under the SXDH assumption.

5.4 Dual-System Fully Secure IBE

It is well known that identity-based encryption (IBE) implies signature schemes (due to Naor), but the question arises whether the above signature scheme using Cramer–Shoup CCA2-encryption and the related QA-NIZK can be converted into an IBE scheme. To achieve this, we take a hint from Naor’s IBE to Signature Scheme conversion, and let the signatures (on identities) be private keys of the various identities. The verification of the QA-NIZK from Sect. 3 works by checking (or more precisely, for the affine language). However, there are two issues: (1) \({\mathbf {\mathsf{{CRS}}}}_v\) needs to be randomized, (2) there are two equations to be verified (which correspond to the alternate decryption of Cramer–Shoup encryption, providing implicit simulation soundness). Both these problems are resolved by first scaling \({\mathbf {\mathsf{{CRS}}}}_v\) by a random value s, and then taking a linear combination of the two equations using a public random tag. The right-hand side \(s\cdot \vec {\mathbf{f}}\) can then serve as secret one-time pad for encryption. Rather than being a provable generic construction, this is more of a hint to get to a really short IBE. We give a construction of an IBE scheme under the SXDH assumption where the ciphertext has only four group (\(\mathbb {G}_1\)) elements plus a \(\mathbb {Z}_q\)-tag, which is the shortest IBE known under standard static assumptions.

We first consider the QA-NIZK for the affine language (incorporating tags)

$$\begin{aligned} \langle R = r \cdot \mathbf{g}_2, \,S = r \cdot \mathbf{f}\,,\, T = \mathbf{u}+ r \cdot (\mathbf{d}_{} + {{ i}} \cdot \mathbf{e}_{}) \rangle \end{aligned}$$

where i is an identity, and can be viewed as a tag. More precisely, the affine-system is given by

$$\begin{aligned} L_{\rho } = \{ r \cdot (\left[ \begin{array}{ccc} \mathbf{g}_2&\mathbf{f}\,&0 \end{array} \right] + \left[ \begin{array}{ccc} 0&0&\mathbf{d}_{} \end{array} \right] + {{ i}} \cdot \left[ \begin{array}{ccc}0&0&\mathbf{e}_{} \end{array}\right] ) + \left[ \begin{array}{ccc}0&0&\mathbf{u}\end{array}\right] \ |\ r \in \mathbb {Z}_q\} \end{aligned}$$

where \(\rho \) consists of the matrices \(\left[ \begin{array}{cc}\mathbf{g}_2&\mathbf{f}\,\end{array}\right] \) and \(\left[ \begin{array}{ccc}0&0&\mathbf{u}\end{array}\right] \) (affine shift), and group elements \(\mathbf{d}_{}\) and \(\mathbf{e}_{}\) (for defining the tag-based last component). Note that T corresponds to the language component that depends on a tag. So, let us focus on the components \(\langle R, S\rangle \) first. In the notation of Sect. 3, this is a language with rank one, and two dimensions, i.e., \(n=2, \,t=1\) and \(s= (n-t) =1\). Let \(\mathbf{f}\,= c \cdot \mathbf{g}_2\) for some \(c \in \mathbb {Z}_q\). Then the matrix \(\text{ A }\) is \(\left[ \begin{array}{cc}1&c \end{array}\right] \). Further its null-space is generated by \(\left[ \begin{array}{cc}-c&1 \end{array}\right] \).

For the IBE scheme, instead of generating the CRS as in Sect. 3 for the above language, we will generate the CRS as in game \(\mathbf{G_{1}}\) in the proof of soundness of QA-NIZK, as this will be more in line with the original construction of Waters, and hence possibly easier to relate. Thus, the two CRS-es are generated by choosing a matrix \(\text{ D }'\) of dimension \(t \times s\), which in this case is just one element. This single element in \(\text{ D }'\) will be called \(\Delta _3\) in the IBE scheme below. The \({\mathbf {\mathsf{{CRS}}}}_p\) (prover CRS) is then specified by \(\text{ A }\cdot \mathbf{g}_2\) and \(\Delta _3 \cdot \mathbf{g}_2\). Recall, the prover CRS is to be used in KeyGen in IBE.

The verifier CRS, i.e., \({\mathbf {\mathsf{{CRS}}}}_v\), is specified by \(\mathbf{g}_1, \,b \cdot \mathbf{g}_1\) and \((b \cdot \Delta _3 -c)\cdot \mathbf{g}_1\). Similarly, the CRSes for the tag-based element T, and the affine shift \(\mathbf{u}\) can be obtained from Sects. 4.1 and 4.2 resp. The element T will require single element matrices \(\text{ D }'_1\) and \(\text{ D }'_2\) (for \(\mathbf{d}_{}\) and \(\mathbf{e}_{}\) resp.), which will be called \(\Delta _1\) and \(\Delta _2\), respectively (see Appendix 5.5). Similarly, using Sect. 4.2, we derive the CRS element required for the affine shift, which will be \(e(\mathbf{g}_1, (b\cdot \Delta _4 -u) \cdot \mathbf{g}_2)\) (see the vector \(\vec {\mathbf{f}}\) in Appendix 4.2, and note we want the representation corresponding to the simulation of game \(\mathbf{G_{1}}\) in the soundness proof). That completes the description of how we intend to setup the CRSes in the IBE using the QA-NIZK for the above language.

Now, the verifier CRS needs to be randomized to represent IBE ciphertexts, and hence each ciphertext is a scaling of the verifier CRS by a \(\mathbb {Z}_q\) scalar s (as in game \(\mathbf{G }_2\) of the soundness proof in Sect. 3). Also, there is one variable r, and two equations in excess of the variables, and hence the verification requires testing two pairing product equations—which is a problem as mentioned in Sect. 5. The two pairing product equation tests can be converted into one by taking a linear combination with a random public tag, and this gives us the final form of the ciphertext. The (fully secure) IBE scheme so obtained is described below, along with a proof of security. For a security definition of fully secure IBE we refer the reader to [39].

For ease of reading, we switch to multiplicative group notation in the following.

Setup: The authority uses a group generation algorithm for which the SXDH assumption holds to generate a bilinear group (\(\mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T\)) with \(\mathbf{g}_1\) and \(\mathbf{g}_2\) as generators of \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively. Assume that \(\mathbb {G}_1\) and \(\mathbb {G}_2\) are of order q, and let e be a bilinear pairing on \(\mathbb {G}_1 \times \mathbb {G}_2\). It picks \(\Delta _1, \,\Delta _2, \,\Delta _3, \,\Delta _4, \,b, \,c, \,d, \,e, \,u\) from \(\mathbb {Z}_q\), and publishes the following public key:

$$\begin{aligned}{} \mathbf{PK} := \left( \begin{array}{c} \mathbf{g}_1, \quad \mathbf{g}_1^b, \quad \mathbf{f}\,= \mathbf{g}_2^c, \\ \mathbf{v}_1 = \mathbf{g}_1^{-\Delta _1 \cdot b + d}, \\ \mathbf{v}_2 = \mathbf{g}_1^{-\Delta _2 \cdot b + e}, \\ \mathbf{v}_3 = \mathbf{g}_1^{-\Delta _3 \cdot b + c}, \\ \mathbf{k} = e(\mathbf{g}_1, \mathbf{g}_2)^{-\Delta _4 \cdot b + u} \end{array} \right) \end{aligned}$$

The authority retains the following master secret key:

$$\begin{aligned} \mathbf{MSK} := \left( \mathbf{g}_2,\ \mathbf{f}\,,\ \Delta _1,\ \Delta _2,\ \Delta _3,\ \Delta _4,\ d,\ e,\ u \right) \end{aligned}$$

Encrypt(PK, \({{ i}}, \,M\)): The encryption algorithm chooses s and \(\textsc {tag}\) at random from \(\mathbb {Z}_q\). It then computes the ciphertext as:

$$\begin{aligned} C := \left( C_0 = M \cdot \mathbf{k}^s,\quad C_1 = \mathbf{g}_1^s,\quad C_2 = \mathbf{g}_1^{bs},\quad C_3 = \mathbf{v}_1^s \cdot \mathbf{v}_2^{{{ i}} \cdot s} \cdot \mathbf{v}_3 ^{\textsc {tag}\cdot s},\quad \textsc {tag}\right) \end{aligned}$$

KeyGen(MSK, \({{ i}}\)): The authority chooses r at random from \(\mathbb {Z}_q\) and creates the following secret key \(K_{{{ i}}}\) for identity i:

$$\begin{aligned} K_{{{ i}}} := \left( R = \mathbf{g}_2^r,\quad S = \mathbf{g}_2^{r \cdot c},\quad T = \mathbf{g}_2^{u + r \cdot (d + {{ i}}\cdot e)},\quad W_1 = \mathbf{g}_2^{-\Delta _4 - r \cdot (\Delta _1 + {{ i}} \cdot \Delta _2)},\quad W_2 = \mathbf{g}_2 ^{- r \cdot \Delta _3} \right) \end{aligned}$$

Decrypt(\(K_{{{ i}}}, \,C\)): Let C be parsed as \((C_0, C_1, C_2, C_3, \textsc {tag})\). Obtain

$$\begin{aligned} \kappa = \frac{e( C_1, S^{\textsc {tag}} \cdot T) \cdot e( C_2, W_1 \cdot W_2 ^{\textsc {tag}})}{e( C_3,R)} \end{aligned}$$

and output \(C_0/ \kappa \).
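The decryption equation can be checked directly in the exponent; this verification is added here and is not part of the paper's text. Writing every element of \(\mathbb {G}_T\) as a power of \(e(\mathbf{g}_1, \mathbf{g}_2)\), the three pairings in \(\kappa \) have exponents

$$\begin{aligned} e(C_1, S^{\textsc {tag}} \cdot T)&: \quad s\,\bigl (u + r(d + {{ i}}\cdot e) + r c \cdot \textsc {tag}\bigr ), \\ e(C_2, W_1 \cdot W_2^{\textsc {tag}})&: \quad -b s\,\bigl (\Delta _4 + r(\Delta _1 + {{ i}}\cdot \Delta _2) + r \Delta _3 \cdot \textsc {tag}\bigr ), \\ e(C_3, R)&: \quad r s\,\bigl ((-\Delta _1 b + d) + {{ i}}(-\Delta _2 b + e) + \textsc {tag}(-\Delta _3 b + c)\bigr ). \end{aligned}$$

Every term containing r occurs identically in the sum of the first two exponents and in the third, so these terms cancel in the quotient, leaving \(\kappa = e(\mathbf{g}_1, \mathbf{g}_2)^{s(u - \Delta _4 b)} = \mathbf{k}^s\) and hence \(C_0/\kappa = M\). Running the same computation with a key for an identity \({{ i}}' \ne {{ i}}\) leaves the extra factor \(e(\mathbf{g}_1, \mathbf{g}_2)^{rs({{ i}}' - {{ i}})(e - \Delta _2 b)}\), which is non-trivial unless \(e = \Delta _2 b\), so such a key does not decrypt.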

Theorem 10

Under the SXDH Assumption, the above scheme is a fully secure IBE scheme.

Proof

We will just show that \(\mathbf{k}^s\) (as used in blinding the plaintext M) is distributed randomly in the view of an adaptive Adversary, who after obtaining the public key, adaptively obtains secret keys for multiple identities \({ i}_1, { i}_2, \dots , { i}_n\), and a ciphertext for identity \({ i}\) (where all the identities are chosen adaptively by the Adversary, and \({ i}\) is different from the secret key identities). The ciphertext can be obtained by the Adversary at any stage.

We will consider a sequence of games, and show that the Adversary’s view is either statistically or computationally indistinguishable between any two consecutive games. Game \(G_0\) is same as the actual adaptive security IBE game above.

Game \(G_1\): In this game the challenger behaves exactly like the authority while publishing the PK, and while generating the secret keys. However, it picks another random value \(s'\) from \(\mathbb {Z}_q\), and outputs the following as ciphertext (for identity i):

$$\begin{aligned}&C_0 = M \cdot \mathbf{k}^s \cdot e(\mathbf{g}_1, \mathbf{g}_2) ^{u \cdot s'}, \nonumber \\&C_1 = \mathbf{g}_1^{s+s'}, C_2 = \mathbf{g}_1^{b \cdot s}, \nonumber \\&C_3 = \mathbf{v}_1^s \cdot \mathbf{v}_2^{{{ i}} \cdot s} \cdot \mathbf{v}_3 ^{\textsc {tag}\cdot s} \cdot \mathbf{g}_1^{(d + {{ i}}\cdot e + \textsc {tag}\cdot c) s'} \end{aligned}$$
(1)

The tag \(\textsc {tag}\) is chosen randomly as in game \(G_0\). This simulation of the ciphertext is called a semi-functional ciphertext in [39]. Intuitively, from the point of view of QA-NIZK proofs, the semi-functional ciphertext provides simulation soundness as the null-space of the language is reflected as a factor (linear combination in additive notation) “shifted” by \(s'\).

The view of the Adversary in games \(G_0\) and \(G_1\) is computationally indistinguishable by employing the DDH assumption in group \(\mathbb {G}_1\) on the tuples \(\langle \mathbf{g}_1, \mathbf{g}_1^b, \mathbf{g}_1^{bs}, \mathbf{g}_1^{s} \rangle \), and \(\langle \mathbf{g}_1, \mathbf{g}_1^b, \mathbf{g}_1^{bs}, \mathbf{g}_1^{s + s'} \rangle \). The former tuple is used in game \(G_0\) and the latter in game \(G_1\). Note that the order of the last two components in the DDH tuples is switched from usual formulation of DDH; however, it is easy to see that this formulation is equivalent to the usual DDH.

Game \(G_2\): In this game the challenger chooses \(\Delta _1', \,\Delta _2', \,\Delta _3', \,\Delta _4'\) at random and sets \(\Delta _1= (\Delta _1' + d) /b, \,\Delta _2= (\Delta _2' + e) /b, \,\Delta _3= (\Delta _3' + c) /b, \,\Delta _4= (\Delta _4' + u) /b\). Thus, the PK is now output as

\(\mathbf{g}_1, \,\mathbf{g}_1^b, \,\mathbf{v}_1 = \mathbf{g}_1^{-\Delta _1'}, \,\mathbf{v}_2 = \mathbf{g}_1^{-\Delta _2'}, \,\mathbf{v}_3 = \mathbf{g}_1^{-\Delta _3' }\), and \(\mathbf{k} = e(\mathbf{g}_1, \mathbf{g}_2)^{-\Delta _4'}\).

Further, the secret keys are output as

$$\begin{aligned}&R = \mathbf{g}_2^r, S = \mathbf{g}_2^{r \cdot c}, T = \mathbf{g}_2^{u + r \cdot (d + {{ i}}\cdot e)}, \nonumber \\&W_1 = \mathbf{g}_2^{[-\Delta _4' - r \cdot (\Delta _1' + {{ i}} \cdot \Delta _2')]/b} \cdot T^{-1/b}, \nonumber \\&W_2 = \mathbf{g}_2 ^{- r \cdot (\Delta _3' + c) /b}. \end{aligned}$$
(2)

The view of the Adversary in games \(G_2\) and \(G_1\) is statistically identical.

Game \(G_3\): This game is actually a sequence of several hybrid games, with the j-th hybrid game \(G_{3,j}\) changing the simulation of the j-th secret key generation. Game \(G_{3,0}\) is just the same as game \(G_2\).

In game \(G_{3,j}\) the challenger modifies the output of the j-th secret key as follows (assume that the identity requested by the Adversary is \({{ i}}_j\)): It chooses \(r_j, \,r_j'\) and \(r_j''\) at random and sets

$$\begin{aligned}&R = \mathbf{g}_2^{r_j},S = \mathbf{g}_2^{r_j \cdot c + r_j'},\\&T = \mathbf{g}_2^{r_j''}, \\&W_1 = \mathbf{g}_2^{[-\Delta _4' - r_j \cdot (\Delta _1' + {{ i}}_j \cdot \Delta _2')]/b} \cdot T^{-1/b}, \\&W_2 = \mathbf{g}_2 ^{(- r_j' - r_j \cdot (\Delta _3' + c)) /b} . \end{aligned}$$

Note that u has completely vanished from the j-th (and earlier) secret key simulation. This simulation of the secret key is called semi-functional key.

Lemma 11

The view of the Adversary in game \(G_{3,j}\) is computationally indistinguishable from the view of the Adversary in game \(G_{3, j-1}\).

Proof

Let \(H_0\) be the same as game \(G_{3, j-1}\). In game \(H_1\), the challenger chooses \(d = d_1 + c \cdot d_2\) and \(e = e_1 + c \cdot e_2\), and the tag \(\textsc {tag}\) in the ciphertext as \(-(d_2 + {{ i}} \cdot e_2)\), where \(d_1, d_2, e_1\) and \(e_2\) are random and independent values from \(\mathbb {Z}_q\). It is easy to see that \(d, \,e\) and \(\textsc {tag}\) are random and independent, and hence the view of the Adversary in games \(H_0\) and \(H_1\) is statistically identical. Note that with this value of \(\textsc {tag}\), \(C_3\) (in the ciphertext) can be generated by the challenger as

$$\begin{aligned} C_3&= \mathbf{v}_1^s \cdot \mathbf{v}_2^{{{ i}} \cdot s} \cdot \mathbf{v}_3 ^{\textsc {tag}\cdot s} \cdot \mathbf{g}_1^{(d_1 + {{ i}}\cdot e_1 + (d_2+ {{ i}}\cdot e_2) \cdot c + \textsc {tag}\cdot c) s'} \\&= \mathbf{v}_1^s \cdot \mathbf{v}_2^{{{ i}} \cdot s} \cdot \mathbf{v}_3 ^{\textsc {tag}\cdot s} \cdot \mathbf{g}_1^{(d_1 + {{ i}}\cdot e_1) s'} \end{aligned}$$

As a consequence c is not used at all in the simulation of the ciphertext (whose elements are all in group \(\mathbb {G}_1\)). The simulation of PK (without using c) is unchanged from game \(G_2\).

In game \(H_2\), the challenger generates the j-th secret key by choosing \(r_j\) and \(r_j'\) uniformly and independently and setting

$$\begin{aligned}&R = \mathbf{g}_2^{r_j}, S = \mathbf{g}_2^{r_j \cdot c + r_j'},\\&T = \mathbf{g}_2^{u + r_j \cdot (d_1 + c \cdot d_2 + {{ i}}_j\cdot (e_1 + c \cdot e_2)) + r_j' \cdot (d_2 + {{ i}}_je_2)}, \\&W_1 = \mathbf{g}_2^{[-\Delta _4' - r_j \cdot (\Delta _1' + {{ i}}_j \cdot \Delta _2')]/b} \cdot T^{-1/b}, \\&W_2 = \mathbf{g}_2 ^{(- r_j \cdot (\Delta _3' + c) - r_j' )/b} . \end{aligned}$$

Recall that in game \(H_1\), the secret key is being generated as in Eq. (2), with \(d = d_1 + cd_2\) and \(e= e_1 + c e_2\). The view of the Adversary in games \(H_2\) and \(H_1\) is computationally indistinguishable, and this is shown by employing the DDH assumption on the two tuples \(\langle \mathbf{g}_2, \mathbf{g}_2^{c}, \mathbf{g}_2^{r_j}, \mathbf{g}_2^{cr_j} \rangle \) and \(\langle \mathbf{g}_2, \mathbf{g}_2^{c}, \mathbf{g}_2^{r_j}, \mathbf{g}_2^{cr_j + r_j'} \rangle \), where the first tuple is employed in simulating game \(H_1\) and the second tuple is used in simulating game \(H_2\).

In game \(H_3\), the challenger generates the j-th secret key as

$$\begin{aligned}&R = \mathbf{g}_2^{r_j}, S = \mathbf{g}_2^{r_j \cdot c + r_j'},\\&T = \mathbf{g}_2^{u + r_j \cdot (d_1 + c \cdot d_2 + {{ i}}_j\cdot (e_1 + c \cdot e_2)) + r_j' \cdot r_j''}, \\&W_1 = \mathbf{g}_2^{[-\Delta _4' - r_j \cdot (\Delta _1' + {{ i}}_j \cdot \Delta _2')]/b} \cdot T^{-1/b}, \\&W_2 = \mathbf{g}_2 ^{(- r_j \cdot (\Delta _3' + c) - r_j' )/b} . \end{aligned}$$

where \(r_j, \,r_j'\) and \(r_j''\) are chosen randomly and independently (and independently from all other variables). Note that d and e are also chosen independently and randomly (back as in game \(H_0\)). Moreover, \(\textsc {tag}\) is also chosen at random, and \(C_3\) output just as in game \(H_0\), i.e., \( \mathbf{v}_1^s \cdot \mathbf{v}_2^{{{ i}} \cdot s} \cdot \mathbf{v}_3 ^{\textsc {tag}\cdot s} \cdot \mathbf{g}_1^{(d + {{ i}}\cdot e + \textsc {tag}\cdot c) s'} \).

The view of the Adversary in game \(H_3\) and \(H_2\) is statistically identical by noting that \(d = d_1 + c \cdot d_2\), and \(e = e_1 + c \cdot e_2, \,\textsc {tag}= -(d_2 + {{ i}} \cdot e_2)\) and \(r_j'' = d_2 + {{ i}}_j e_2\) are all random and independent (since \({{ i}} \ne {{ i}}_j\)). This can be seen by noting that the four by four matrix of coefficients of \(d, e, \textsc {tag}, r_j''\) in their linear representation in terms of \(d_1, d_2, e_1 , e_2\) is non-singular.

In game \(H_4\), the challenger generates \(d, \,e\) and \(\textsc {tag}\) at random (instead of \(d_1 + c d_2\), etc.), and also chooses \(r_j'''\) at random (and independent of \(r_j, r_j'\) and other variables) and outputs the j-th secret key as

$$\begin{aligned}&R = \mathbf{g}_2^{r_j}, S = \mathbf{g}_2^{r_j \cdot c + r_j'},\\&T = \mathbf{g}_2^{r_j'''}, \\&W_1 = \mathbf{g}_2^{[-\Delta _4' - r_j \cdot (\Delta _1' + {{ i}}_j \cdot \Delta _2')]/b} \cdot T^{-1/b}, \\&W_2 = \mathbf{g}_2 ^{(- r_j \cdot (\Delta _3' + c) - r_j' )/b} . \end{aligned}$$

Game \(H_4\) is statistically identical to game \(H_3\): in game \(H_3\) the exponent of T is \(u + r_j' \cdot r_j'' + r_j \cdot (d + {{ i}}_j\cdot e)\), and since \(r_j''\) is uniform and appears nowhere else in the Adversary’s view, this exponent is uniform and independent of everything else whenever \(r_j' \ne 0\) (which fails with probability only 1/q). Hence it is distributed the same as the fresh random \(r_j'''\) of game \(H_4\). Now note that game \(H_4\) is identical to game \(G_{3,j}\) as described above the statement of Lemma 11.
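The statistical step from \(H_2\) to \(H_3\) rests on the claim that the four-by-four coefficient matrix above is non-singular. As an added check that is not from the paper, the following Python computes that determinant over \(\mathbb {Z}_q\) with a generic row-reduction routine and confirms it equals \(i_j - i\), so the change of variables is a bijection exactly when \(i \ne i_j\). The modulus \(2^{61}-1\) (standing in for the group order) and the function names are assumptions of the example.

```python
"""Added example (not the paper's code): the change of variables between games H_2 and H_3.

With d = d1 + c*d2, e = e1 + c*e2, tag = -(d2 + i*e2) and r_j'' = d2 + i_j*e2, the map
(d1, d2, e1, e2) -> (d, e, tag, r_j'') is linear over Z_q.  The four outputs are uniform and
independent exactly when that linear map is a bijection, i.e. when its matrix is non-singular.
"""

q = 2**61 - 1  # a prime standing in for the SXDH group order (assumption of this example)


def det_mod_q(m):
    """Determinant of a square matrix over Z_q by Gaussian elimination; 0 if singular."""
    m = [[x % q for x in row] for row in m]
    n, det = len(m), 1
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col]), None)
        if piv is None:                      # no pivot: column is dependent, matrix singular
            return 0
        if piv != col:                       # row swap flips the sign of the determinant
            m[col], m[piv] = m[piv], m[col]
            det = -det
        det = det * m[col][col] % q
        inv = pow(m[col][col], -1, q)
        for r in range(col + 1, n):          # clear the column below the pivot
            f = m[r][col] * inv % q
            if f:
                m[r] = [(a - f * b) % q for a, b in zip(m[r], m[col])]
    return det % q


def lemma11_matrix(c, i, i_j):
    """Rows: coefficients of (d1, d2, e1, e2) in d, e, tag and r_j'' (in that order)."""
    return [[1, c, 0, 0],        # d     = d1 + c*d2
            [0, 0, 1, c],        # e     = e1 + c*e2
            [0, -1, 0, -i],      # tag   = -(d2 + i*e2)     (i = challenge identity)
            [0, 1, 0, i_j]]      # r_j'' = d2 + i_j*e2      (i_j = j-th key identity)


def change_of_variables_is_bijective(c, i, i_j):
    """True iff (d, e, tag, r_j'') are jointly uniform and independent, i.e. det != 0."""
    return det_mod_q(lemma11_matrix(c, i, i_j)) != 0
```

Expanding along the first column shows the determinant is \(i_j - i\) regardless of c, which is why the lemma needs only \(i \ne i_j\) and places no condition on c; the routine also reports a singular matrix for \(i = i_j\), the case the identity-based security game excludes.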

We now continue with the proof of the theorem. Game \(G_4\) is just the game \(G_{3, n}\) (where n is the number of secret key requests). Note that in game \(G_4\) the only place that u is used is in the ciphertext component \(C_0\), which is simulated by the challenger as \( C_0 = M \cdot \mathbf{k}^s \cdot e(\mathbf{g}_1, \mathbf{g}_2) ^{u s'}\) (see Eq. 1). Since u is uniform and appears nowhere else in game \(G_4\), the factor \(e(\mathbf{g}_1, \mathbf{g}_2) ^{u s'}\) is uniform whenever \(s' \ne 0\) (which fails with probability only 1/q); hence \(C_0\) is completely random and independent of M in the view of the Adversary in game \(G_4\). That completes the proof.

We also claim that the ciphertext is anonymity preserving. This is because in game \(G_4\) the component \(C_3\) is randomized by d and e (through the factor \(\mathbf{g}_1^{(d + {{ i}}\cdot e + \textsc {tag}\cdot c) s'}\) with \(s' \ne 0\)), and d and e appear nowhere else in that game, neither in the public key of game \(G_2\) nor in the semi-functional keys; hence the ciphertext is independent of the identity \({{ i}}\). \(\square \)

5.5 Publicly Verifiable CCA2 Fully Secure IBE

We can also extend our IBE scheme above to be publicly verifiable CCA2-secure [4, 35]. Public verifiability is an informal but practical notion: most CCA2-secure schemes specify a decryptor that has a test of well-formedness of the ciphertext, and on passing the test a CPA-secure scheme style decryption suffices. However, if this test can be performed publicly, i.e., without access to the secret key, then we call the scheme publicly verifiable. While there is a well-known reduction from hierarchical IBE to make an IBE scheme CCA2-secure [11], that reduction does not make the scheme publicly verifiable CCA2 in a useful manner. In the IBE setting, public verifiability also requires that it be verifiable whether the ciphertext is valid for the claimed identity. This can have interesting applications where the network can act as a filter. We show that our scheme above can be extended to be a publicly verifiable CCA2-fully secure IBE with only two additional group elements in the ciphertext (and two additional group elements in the keys). The IBE scheme above has four group elements (and a tag), where one group element serves as one-time pad for encrypting the plaintext. The remaining three group elements form a linear subspace with one variable as witness and three integer tags corresponding to: (a) the identity, (b) the tag needed in the IBE scheme and (c) a 1-1 (or universal one-way) hash of some of the elements. We show that if these three group elements can be QA-NIZK proven to be consistent, and given the unique proof property of our QA-NIZKs, then the above IBE scheme can be made CCA2-secure: the dual system already provides implicit simulation soundness, as explained for the signature scheme above, so this QA-NIZK need not itself be simulation sound. Since there are three components, and one variable (see the appendix for details), the QA-NIZK requires only two group elements under SXDH.

The definition of CCA2-secure encryption [4] naturally extends to the identity-based encryption setting [11]. We stress that we prove fully adaptive security, i.e., the Adversary can choose the identity for which it invokes the encryption oracle adaptively. Our scheme also enjoys the informal public verifiability property mentioned above. While one may want to define it as a notion akin to plaintext-awareness, getting an implementation satisfying such a strong extractability property would be rather inefficient and/or require strong hardness assumptions. Hence, we focus on obtaining only the weaker but practically useful public verifiability property.

As in the last subsection, for ease of reading we switch to multiplicative group notation in the following.

Setup: The authority uses a group generation algorithm for which the SXDH assumption holds to generate a bilinear group (\(\mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T\)) with \(\mathbf{g}_1\) and \(\mathbf{g}_2\) as generators of \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively. Assume that \(\mathbb {G}_1\) and \(\mathbb {G}_2\) are of order q, and let e be a bilinear pairing on \(\mathbb {G}_1 \times \mathbb {G}_2\). It picks \(\Delta _1, \,\Delta _2, \,\Delta _3, \,\Delta _4, \,b, \,c, \,d, \,e, \,z\) randomly from \(\mathbb {Z}_q\), and computes:

$$\begin{aligned} \mathbf{v}_1 = \mathbf{g}_1^{-\Delta _1 \cdot b + d},\quad \mathbf{v}_2 = \mathbf{g}_1^{-\Delta _2 \cdot b + e},\quad \mathbf{v}_3 = \mathbf{g}_1^{-\Delta _3 \cdot b + c},\quad \mathbf{v}_4 = \mathbf{g}_1^{-\Delta _4 \cdot b + z} \end{aligned}$$

Consider the language:

$$\begin{aligned} L = \{ \langle C_1, C_2, C_3, i, \textsc {tag}, h \rangle \ | \ \exists s \,:\, C_1 = \mathbf{g}_1^s,\quad C_2 = \mathbf{g}_1^{bs},\quad C_3 = \mathbf{v}_1^s \cdot \mathbf{v}_2^{{{ i}} \cdot s} \cdot \mathbf{v}_3 ^{\textsc {tag}\cdot s} \cdot \mathbf{v}_4^{ h \cdot s}\} \end{aligned}$$

It generates a QA-NIZK CRS \(\psi _L\) for the language L (which uses tags \(i,\ \textsc {tag}\) and h). It also fixes a 1-1, or Universal One-Way Hash function (UOWHF) \({\mathcal {H}}\). Finally, it picks \(\Delta _5\) and u randomly from \(\mathbb {Z}_q\) and publishes the following public key:

$$\begin{aligned} \mathbf{PK} := \left( \begin{array}{c} \mathbf{g}_1,\quad \mathbf{g}_1^b,\quad \mathbf{f}\,= \mathbf{g}_2^c, \\ \mathbf{v}_1,\quad \mathbf{v}_2,\quad \mathbf{v}_3,\quad \mathbf{v}_4, \\ \mathbf{k} = e(\mathbf{g}_1, \mathbf{g}_2)^{-\Delta _5 \cdot b + u},\quad \psi _L,\quad {\mathcal {H}}\end{array} \right) \end{aligned}$$

The authority retains the following master secret key:

$$\begin{aligned} \mathbf{MSK} := \left( \mathbf{g}_2,\quad \mathbf{f}\,,\quad \Delta _1,\quad \Delta _2,\quad \Delta _3,\quad \Delta _4,\quad \Delta _5,\quad d,\quad e,\quad u,\quad z \right) \end{aligned}$$

Encrypt(PK, \({{ i}}, \,M\)): The encryption algorithm chooses s and \(\textsc {tag}\) at random from \(\mathbb {Z}_q\). It then computes:

$$\begin{aligned} \begin{array}{c} C_0 = M \cdot \mathbf{k}^s,\quad C_1 = \mathbf{g}_1^s,\quad C_2 = \mathbf{g}_1^{b\cdot s}, \\ h = {\mathcal {H}}(C_0, C_1, C_2, \textsc {tag}, {{ i}} ), \\ C_3 = \mathbf{v}_1^s \cdot \mathbf{v}_2^{{{ i}} \cdot s} \cdot \mathbf{v}_3 ^{\textsc {tag}\cdot s} \cdot \mathbf{v}_4^{ h \cdot s}. \end{array} \end{aligned}$$

The ciphertext is then \(C = \langle C_0, C_1, C_2, C_3,\textsc {tag}, \mathbf{p}_1, \mathbf{p}_2 \rangle \), where \(\langle \mathbf{p}_1, \mathbf{p}_2 \rangle \) is a QA-NIZK proof that \(\langle C_1, C_2, C_3, i, \textsc {tag}, h \rangle \in L\) (the element \(C_0\) is bound to the proof only through the hash h).

KeyGen(MSK, \({{ i}}\)): The authority chooses r at random from \(\mathbb {Z}_q\) and creates the following secret key for identity i:

$$\begin{aligned} K_{{{ i}}}:= \left( \begin{array}{c} R = \mathbf{g}_2^r,\quad S_1 = \mathbf{g}_2^{ r \cdot c},\quad S_2 = \mathbf{g}_2^{r \cdot z},\quad T = \mathbf{g}_2^{u + r \cdot (d + {{ i}}\cdot e)}, \\ W_1 = \mathbf{g}_2^{-\Delta _5 - r \cdot (\Delta _1 + {{ i}} \cdot \Delta _2)},\quad W_2 = \mathbf{g}_2 ^{- r \cdot \Delta _3},\quad W_3 = \mathbf{g}_2^{- r\cdot \Delta _4} \end{array} \right) \end{aligned}$$

Decrypt(\(K_{{{ i}}}, \,C\)): Let C be parsed as \(\langle C_0, C_1, C_2, C_3,\) \(\textsc {tag},\) \(\mathbf{p}_1, \mathbf{p}_2 \rangle \). Let \(h = {\mathcal {H}}(C_0, C_1, C_2, \textsc {tag}, {{ i}} )\). First (publicly) check that \((\mathbf{p}_1, \mathbf{p}_2)\) verifies as a QA-NIZK proof of \(\langle C_1, C_2, C_3, i, \textsc {tag}, h \rangle \in L\). If the QA-NIZK does not verify, output \(\bot \). This public verifiability of the consistency test is what is informally called publicly verifiable CCA2 security.

If the public verification succeeds, then obtain

$$\begin{aligned} \kappa = \frac{e(C_1, S_1^{\textsc {tag}} \cdot S_2^{h} \cdot T ) \cdot e( C_2, W_1 \cdot W_2 ^{\textsc {tag}} \cdot W_3 ^{h})}{e(C_3, R)} \end{aligned}$$

and output \(C_0/ \kappa \).

Theorem 12

Under the SXDH Assumption, the above scheme is a CCA2 fully secure IBE scheme.

Proof

We will just show that \(\mathbf{k}^s\) (as used in blinding the plaintext M) is distributed randomly in the view of an adaptive Adversary, who after obtaining the public key, adaptively obtains secret keys for multiple identities \({ i}_1, { i}_2, \dots , { i}_n\), and a challenge ciphertext for identity \({ i}\) (where all the identities are chosen adaptively by the Adversary, and \({ i}\) is different from the secret key identities). Moreover, the Adversary is allowed to make decryption queries for identity \({ i}\) as long as the ciphertext in the query is different from the challenge ciphertext. The challenge ciphertext can be obtained by the Adversary at any stage.

We will consider a sequence of games, and show that the Adversary’s view is either statistically or computationally indistinguishable between any two consecutive games. Game \(G_0\) is the same as the actual adaptive-security CCA2-IBE game above.

Game \(G_1\): In this game the challenger behaves exactly like the authority while publishing the PK, and while generating the secret keys, as well as generating the ciphertext (for identity i). It also behaves the same for serving decryption requests, except that if the QA-NIZK verification fails then the challenger wins.

The probability of the Adversary winning in game \(G_1\) is no less than the probability of the Adversary winning in game \(G_0\), since the Adversary can itself check whether a proof is going to verify, and hence simply not make such a query. Moreover, in game \(G_0\) the Adversary gets no additional information from the challenger when the verification (and hence decryption) fails. Thus, in game \(G_0\) the view of an Adversary that does not make such calls is identical to the view of an Adversary that makes such a call.

Game \(G_2\): Recall that in the real world (and game \(G_1\)), the challenger wins (outright) if the Adversary supplies a ciphertext for decryption which is identical to the ciphertext output by the challenger, and if the identity is also the same. In game \(G_2\) the challenger wins if the hash h computed (using \({\mathcal {H}}\) as above) on the Adversary-supplied ciphertext is the same as the hash computed on the ciphertext output by the challenger, and the identity is the same. The probability of the Adversary winning in game \(G_2\) is no less than the probability of the Adversary winning in game \(G_1\), since if the hash is the same, the identity is the same, and the QA-NIZK verifies, then \(C_3\) is also identical in the two ciphertexts. This further implies that the proofs are identical, as the proof is uniquely determined once the language components are set (Footnote 11).

Game \(G_3\): Recall that the decryption requests for identity \({ j}\) are served by obtaining

$$\begin{aligned} \kappa = \frac{e(C_1, S_1^{\textsc {tag}} \cdot S_2^{h} \cdot T) \cdot e(C_2, W_1 \cdot W_2 ^{\textsc {tag}} \cdot W_3 ^{h})}{e( C_3, R)} \end{aligned}$$

where

$$\begin{aligned}&R = \mathbf{g}_2^r, S_1 = \mathbf{g}_2^{r \cdot c}, S_2 = \mathbf{g}_2^{r \cdot z}, T = \mathbf{g}_2^{u + r \cdot (d + {{ i}}\cdot e)} , \; W_1 = \mathbf{g}_2^{-\Delta _5 - r \cdot (\Delta _1 + {{ i}} \cdot \Delta _2)}, W_2 = \mathbf{g}_2 ^{- r \cdot \Delta _3} ,\\&W_3 = \mathbf{g}_2^{- r\cdot \Delta _4} \end{aligned}$$

is fixed for identity \({ j}\) once r is chosen at random. In game \(G_3\), however, each decryption request is served with a freshly chosen random r. This is identical to the real-world game, since the decryption oracle first verifies the QA-NIZK, which guarantees that \(C_1, C_2, C_3\) are of the correct form; the decryption equation then yields a value of \(\kappa \) that is independent of r, so a fresh r can be chosen for each decryption request. Thus, the view of the Adversary in games \(G_2\) and \(G_3\) is identical.
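The decryption equation recalled above, and the claim in game \(G_3\) that \(\kappa \) does not depend on the key randomness r, can both be checked with exponent arithmetic alone. The following Python block is an added example, not code from the paper: every group element is represented by its discrete logarithm modulo a stand-in prime q, so a pairing becomes a product of exponents. The public-key exponents (\(\mathbf{v}_1 = \mathbf{g}_1^{d - b\Delta _1}\), and so on for \(\mathbf{v}_2,\dots ,\mathbf{v}_4,\mathbf{k}\)) are not stated in this section; they are assumed here from the substitution made in game \(G_5\). The hash \({\mathcal {H}}\) is modelled by SHA-256 reduced mod q, and the QA-NIZK proof \((\mathbf{p}_1,\mathbf{p}_2)\) is omitted because it does not enter \(\kappa \).

```python
"""Exponent-level model of the CCA2-IBE decryption equation (added example).

Every group element is represented by its discrete logarithm modulo q:
g_1^x -> x, g_2^y -> y and e(g_1^x, g_2^y) -> x*y.  This lets us check the
algebra of Decrypt (kappa = k^s, independent of r) without a pairing library.
The QA-NIZK proof (p_1, p_2) is not modelled: it does not enter kappa.
"""
import hashlib
import secrets

Q = (1 << 127) - 1          # stand-in for the prime group order q (constructed)


def rand():
    """Uniform non-zero element of Z_q."""
    return 1 + secrets.randbelow(Q - 1)


def H(*parts):
    """Model of the hash function H: SHA-256 of the inputs, reduced mod q."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def setup():
    """Master secret key and the exponents of the public key.

    ASSUMPTION: the public-key exponents are those implied by the substitution
    in game G_5 (v_1 = g_1^{-Delta_1'} with Delta_1' = b*Delta_1 - d, likewise
    for v_2..v_4 and k); the PK generation itself is not shown in this section.
    """
    msk = {k: rand() for k in ("b", "c", "d", "e", "u", "z",
                               "D1", "D2", "D3", "D4", "D5")}
    b = msk["b"]
    pk = {
        "g1b": b,                                  # log of g_1^b
        "v1": (msk["d"] - b * msk["D1"]) % Q,
        "v2": (msk["e"] - b * msk["D2"]) % Q,
        "v3": (msk["c"] - b * msk["D3"]) % Q,
        "v4": (msk["z"] - b * msk["D4"]) % Q,
        "k":  (msk["u"] - b * msk["D5"]) % Q,      # log_{e(g1,g2)} of k
    }
    return msk, pk


def keygen(msk, i, r=None):
    """KeyGen(MSK, i): exponents (base g_2) of R, S_1, S_2, T, W_1, W_2, W_3."""
    r = rand() if r is None else r
    return {
        "R":  r,
        "S1": r * msk["c"] % Q,
        "S2": r * msk["z"] % Q,
        "T":  (msk["u"] + r * (msk["d"] + i * msk["e"])) % Q,
        "W1": (-msk["D5"] - r * (msk["D1"] + i * msk["D2"])) % Q,
        "W2": (-r * msk["D3"]) % Q,
        "W3": (-r * msk["D4"]) % Q,
    }


def encrypt(pk, i, m, s=None, tag=None):
    """Encrypt(PK, i, M) with M = e(g1,g2)^m; returns exponents of C_0..C_3 and tag."""
    s = rand() if s is None else s
    tag = rand() if tag is None else tag
    c0 = (m + s * pk["k"]) % Q                 # C_0 = M * k^s   (base e(g1,g2))
    c1 = s                                     # C_1 = g_1^s
    c2 = pk["g1b"] * s % Q                     # C_2 = g_1^{b s}
    h = H(c0, c1, c2, tag, i)
    c3 = s * (pk["v1"] + i * pk["v2"] + tag * pk["v3"] + h * pk["v4"]) % Q
    return {"C0": c0, "C1": c1, "C2": c2, "C3": c3, "tag": tag}


def kappa(key, ct, i):
    """The pairing quotient of Decrypt, as a logarithm base e(g1,g2)."""
    h = H(ct["C0"], ct["C1"], ct["C2"], ct["tag"], i)
    num1 = ct["C1"] * (ct["tag"] * key["S1"] + h * key["S2"] + key["T"])
    num2 = ct["C2"] * (key["W1"] + ct["tag"] * key["W2"] + h * key["W3"])
    den = ct["C3"] * key["R"]
    return (num1 + num2 - den) % Q


def decrypt(key, ct, i):
    """Decrypt(K_i, C): C_0 / kappa, which equals m when the key identity matches."""
    return (ct["C0"] - kappa(key, ct, i)) % Q
```

Running `decrypt` with two keys for the same identity (hence different r) returns the same plaintext exponent, and `kappa` equals \(s\) times the exponent of \(\mathbf{k}\) regardless of r: every term carrying r cancels between the numerator pairings and \(e(C_3, R)\), which is the cancellation that game \(G_3\) relies on.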

Game \(G_4\): In this game the challenger behaves exactly like in game \(G_3\), except that it picks another random value \(s'\) from \(\mathbb {Z}_q\), and outputs the following as ciphertext (for identity i):

$$\begin{aligned}&C_0 = M \cdot \mathbf{k}^s \cdot e(\mathbf{g}_1, \mathbf{g}_2) ^{u \cdot s'}, \nonumber \\&C_1 = \mathbf{g}_1^{s+s'}, C_2 = \mathbf{g}_1^{b \cdot s}, \nonumber \\&C_3 = \mathbf{v}_1^s \cdot \mathbf{v}_2^{{{ i}} \cdot s} \cdot \mathbf{v}_3 ^{\textsc {tag}\cdot s} \cdot \mathbf{v}_4^{h \cdot s} \cdot \mathbf{g}_1^{(d + {{ i}}\cdot e + \textsc {tag}\cdot c + h \cdot z) s'} \end{aligned}$$
(3)

The tag \(\textsc {tag}\) is chosen randomly as in game \(G_0\) (and \(G_1\)).

The view of the Adversary in games \(G_3\) and \(G_4\) is computationally indistinguishable by employing the DDH assumption in group \(\mathbb {G}_1\) on the tuples \(\langle \mathbf{g}_1, \mathbf{g}_1^b, \mathbf{g}_1^{bs}, \mathbf{g}_1^{s} \rangle \), and \(\langle \mathbf{g}_1, \mathbf{g}_1^b, \mathbf{g}_1^{bs}, \mathbf{g}_1^{s + s'} \rangle \). The former tuple is used in game \(G_3\) and the latter in game \(G_4\).

Game \(G_5\): In this game the challenger chooses \(\Delta _1', \,\Delta _2', \,\Delta _3', \,\Delta _4',\Delta _5'\) at random and sets \(\Delta _1= (\Delta _1' + d) /b, \,\Delta _2= (\Delta _2' + e) /b, \,\Delta _3= (\Delta _3' + c) /b, \,\Delta _4= (\Delta _4' + z) /b, \,\Delta _5= (\Delta _5' + u) /b\). Thus, the PK is now output as

\(\mathbf{g}_1, \,\mathbf{g}_1^b, \,\mathbf{v}_1 = \mathbf{g}_1^{-\Delta _1'}, \,\mathbf{v}_2 = \mathbf{g}_1^{-\Delta _2'}, \,\mathbf{v}_3 = \mathbf{g}_1^{-\Delta _3' }, \,\mathbf{v}_4 = \mathbf{g}_1^{-\Delta _4' }\), and \(\mathbf{k} = e(\mathbf{g}_1, \mathbf{g}_2)^{-\Delta _5'}\).

Further, the secret keys are output as

$$\begin{aligned}&R = \mathbf{g}_2^r, S_1 = \mathbf{g}_2^{r \cdot c}, S_2 = \mathbf{g}_2 ^{ r \cdot z}, T = \mathbf{g}_2^{u + r \cdot (d + {{ i}}\cdot e)}, \nonumber \\&W_1 = \mathbf{g}_2^{[-\Delta _5' -u - r \cdot (\Delta _1' + d + {{ i}} \cdot (\Delta _2' + e))]/b}, \nonumber \\&W_2 = \mathbf{g}_2 ^{- r \cdot (\Delta _3' + c) /b}, W_3 = \mathbf{g}_2 ^{- r \cdot (\Delta _4' + z) /b}. \end{aligned}$$
(4)

The computation of \(\kappa \) in decryption requests is similarly changed.

The view of the Adversary in games \(G_5\) and \(G_4\) is statistically identical.

Game \(G_6\): This game is actually a sequence of several hybrid games, with the j-th hybrid game \(G_{6,j}\) changing the simulation of the j-th secret key generation. Game \(G_{6,0}\) is just the same as game \(G_5\).

In game \(G_{6,j}\) the challenger modifies the output of the j-th secret key as follows (assume that the identity requested by the Adversary is \({{ i}}_j\)): It chooses \(r_j, \,r_j'\) and \(r_j''\) at random and sets

$$\begin{aligned}&R = \mathbf{g}_2^{r_j}, S_1 = \mathbf{g}_2^{r_j \cdot c}\mathbf{g}_2^{r_j'}, S_2 = \mathbf{g}_2^{r_j \cdot z}\\&T = \mathbf{g}_2^{r_j'' + r_j \cdot (d + {{ i}}_j\cdot e)}, \\&W_1 = \mathbf{g}_2^{[-\Delta _5' -r_j'' - r_j \cdot (\Delta _1' + d + {{ i}}_j \cdot (\Delta _2' + e))]/b}, \\&W_2 = \mathbf{g}_2 ^{(- r_j' - r_j \cdot (\Delta _3' + c)) /b} , W_3 = \mathbf{g}_2 ^{(- r_j \cdot (\Delta _4' + z)) /b}. \end{aligned}$$

Note that u has completely vanished from the j-th (and earlier) secret key simulation.

Lemma 13

The view of the Adversary in game \(G_{6,j}\) is computationally indistinguishable from the view of the Adversary in game \(G_{6, j-1}\).

The proof of this lemma is identical to the proof of the corresponding lemma (Lemma 11) in the plain IBE proof.

Game \(G_7\): This game is again a sequence of several hybrid games, with the j-th hybrid game \(G_{7,j}\) changing the simulation of the j-th decryption request. Game \(G_{7,0}\) is just the game \(G_{6, n}\) (where n is the number of secret key requests).

In game \(G_{7,j}\) the challenger chooses \(r_j, \,r'_j, \,r''_j\) at random and uses the following in the computation of \(\kappa \) (w.l.o.g. (Footnote 12) let the identity for the decryption request be the same as i. Let \(\textsc {tag}_j\) be the tag supplied and \(h_j\) be the hash computed on the given ciphertext):

$$\begin{aligned}&R = \mathbf{g}_2^{r_j}, \\&S_1^{\textsc {tag}_j}\cdot T \cdot S_2 ^{h_j} = \mathbf{g}_2 ^{ r_j \cdot (\textsc {tag}_j \cdot c + h_j\cdot z + d + {{ i}} \cdot e) + r_j' + r''_j}, \end{aligned}$$

and

$$\begin{aligned} W_1 \cdot W_2^{\textsc {tag}_j} \cdot W_3 ^{h_j} =&\mathbf{g}_2^{[-\Delta _5' - r_j'' - r_j \cdot (\Delta _1' + d+ {{ i}} \cdot (\Delta _2' + e)) ]/b} \cdot \\&\, \mathbf{g}_2 ^{(- r_j \cdot \textsc {tag}_j \cdot (\Delta _3' + c) - \textsc {tag}_j \cdot r_j' )/b} \cdot \\&\, \mathbf{g}_2 ^{(- r_j \cdot h_j \cdot (\Delta _4' + z) )/b} \end{aligned}$$

Lemma 14

The view of the Adversary in game \(G_{7,j}\) is computationally indistinguishable from the view of the Adversary in game \(G_{7, j-1}\).

Proof

Let \(H_0\) be the same as game \(G_{7, j-1}\). In game \(H_1\), the challenger chooses \(z = z_1 + c \cdot z_2, \,d = d_1 + c \cdot d_2\), and the tag \(\textsc {tag}\) in the ciphertext as \(-(d_2 +h \cdot z_2)\), where \(c, z_1, z_2, d_1\) and \(d_2\) are random and independent values from \(\mathbb {Z}_q\). It is easy to see that \(c, \,z, \,d\), and \(\textsc {tag}\) are random and independent, and hence the view of the Adversary in games \(H_0\) and \(H_1\) is statistically identical. Note that with this value of \(\textsc {tag}\), \(C_3\) (in the ciphertext) can be generated by the challenger as

$$\begin{aligned} C_3&= \mathbf{v}_1^s \cdot \mathbf{v}_2^{{{ i}} \cdot s} \cdot \mathbf{v}_3 ^{\textsc {tag}\cdot s} \cdot \mathbf{v}_4^{ h \cdot s} \cdot \mathbf{g}_1^{(d_1 + {{ i}}\cdot e + h \cdot z_1+ (d_2+ h \cdot z_2) \cdot c + \textsc {tag}\cdot c) s'} \\&= \mathbf{v}_1^s \cdot \mathbf{v}_2^{{{ i}} \cdot s} \cdot \mathbf{v}_3 ^{\textsc {tag}\cdot s} \cdot \mathbf{v}_4^{ h \cdot s} \cdot \mathbf{g}_1^{(d_1 + {{ i}}\cdot e + h \cdot z_1) s'} \\ \end{aligned}$$

As a consequence, c is not used at all in the simulation of the ciphertext (none of whose elements lie in group \(\mathbb {G}_2\)). The simulation of PK (without using c) is unchanged from game \(G_5\).

In game \(H_2\), the challenger generates the components in j-th decryption request by choosing \(r_j\) and \(r_j'\) uniformly and independently and setting

$$\begin{aligned}&R = \mathbf{g}_2^{r_j}, \;\; S_1^{\textsc {tag}_j}\cdot T \cdot S_2 ^{h_j} = \mathbf{g}_2 ^{ u + r_j \cdot ((\textsc {tag}_j + h_j \cdot z_2)\cdot c + h_j \cdot z_1 + d_1 + c\cdot d_2 + {{ i}} \cdot e) + r_j'(d_2 + \textsc {tag}_j + h_j\cdot z_2)}, \end{aligned}$$

and

$$\begin{aligned} W_1 \cdot W_2^{\textsc {tag}_j} \cdot W_3 ^{h_j}&= \mathbf{g}_2^{[-\Delta _5' - u - r_j \cdot (\Delta _1' + d_1 + d_2 \cdot c + {{ i}} \cdot (\Delta _2' + e))]/b} \\&\quad \cdot \, \mathbf{g}_2 ^{(- r_j \cdot \textsc {tag}_j \cdot (\Delta _3' + c) )/b} \\&\quad \cdot \, \mathbf{g}_2 ^{(- r_j \cdot h_j \cdot (\Delta _4' + z) )/b} \cdot \, \mathbf{g}_2^{ - r_j' (d_2 + \textsc {tag}_j + h_j \cdot z_2)/b} \end{aligned}$$

Recall that in game \(H_1\), the secret key is being generated as in Equation (4), with \(d = d_1 + c\cdot d_2\). The view of the Adversary in games \(H_2\) and \(H_1\) is computationally indistinguishable, and this is shown by employing the DDH assumption on the two tuples \(\langle \mathbf{g}_2, \mathbf{g}_2^{c}, \mathbf{g}_2^{r_j}, \mathbf{g}_2^{cr_j} \rangle \) and \(\langle \mathbf{g}_2, \mathbf{g}_2^{c}, \mathbf{g}_2^{r_j}, \mathbf{g}_2^{cr_j + r_j'} \rangle \), where the first tuple is employed in simulating game \(H_1\) and the second tuple is used in simulating game \(H_2\).

In game \(H_3\), the challenger generates the components in the j-th decryption as

$$\begin{aligned} R = \mathbf{g}_2^{r_j}, \;\; S_1^{\textsc {tag}_j}\cdot T \cdot S_2 ^{h_j} = \mathbf{g}_2 ^{ u + r_j \cdot (\textsc {tag}_j\cdot c + h_j \cdot z + d + {{ i}} \cdot e) + r_j'\cdot r_j''}, \end{aligned}$$

and

$$\begin{aligned} W_1 \cdot W_2^{\textsc {tag}_j} \cdot W_3 ^{h_j}&= \mathbf{g}_2^{[-\Delta _5' - u - r_j \cdot (\Delta _1' + d + {{ i}} \cdot (\Delta _2' + e))]/b} \\&\quad \cdot \, \mathbf{g}_2 ^{(- r_j \cdot \textsc {tag}_j \cdot (\Delta _3' + c) )/b} \\&\quad \cdot \, \mathbf{g}_2 ^{(- r_j \cdot h_j \cdot (\Delta _4' + z) )/b} \cdot \, \mathbf{g}_2^{-r_j' \cdot r_j''/b} \end{aligned}$$

where \(r_j, \,r_j'\) and \(r_j''\) are chosen randomly and independently (and independently from all other variables). Note that d and z are also chosen independently and randomly (back as in game \(H_0\)). Moreover, \(\textsc {tag}\) is also chosen at random, and \(C_3\) output just as in game \(H_0\).

The view of the Adversary in game \(H_3\) and \(H_2\) is statistically identical by noting that \(d = d_1 + c \cdot d_2, \,z = z_1 + c\cdot z_2, \,\textsc {tag}= -(d_2 + h \cdot z_2)\) and \(r_j'' = d_2 + \textsc {tag}_j + h_j \cdot z_2\) are all random and independent (since \(h_j \ne h\)). This can be seen by noting that the four by four matrix of coefficients of \(d, z, \textsc {tag}, r_j''\) in their linear representation in terms of \(d_1, d_2, z_1, z_2\) is non-singular.
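The non-singularity claim just made can be checked directly. The following Python block is an added example, not code from the paper: it builds the \(4 \times 4\) coefficient matrix of \(d, z, \textsc {tag}, r_j''\) over the randomness \(d_1, d_2, z_1, z_2\), computes its determinant modulo a stand-in prime q, and also implements the inverse change of variables, which exists exactly when \(h_j \ne h\). The value of \(\textsc {tag}_j\) and all sample inputs are constructed.

```python
"""Change-of-variables check for games H_2 -> H_3 (added example).

Over Z_q the challenger sets
    d      = d_1 + c*d_2
    z      = z_1 + c*z_2
    tag    = -(d_2 + h*z_2)
    r_j''  = d_2 + tag_j + h_j*z_2
The four values are uniform and independent iff the linear part of this map
(the 4x4 coefficient matrix in d_1, d_2, z_1, z_2) is non-singular.  The
determinant works out to h_j - h, so independence needs exactly h_j != h.
"""

Q = (1 << 127) - 1   # stand-in for the prime group order q (constructed)


def coefficient_matrix(c, h, h_j):
    """Rows: d, z, tag, r_j''; columns: d_1, d_2, z_1, z_2 (entries mod q)."""
    return [
        [1, c % Q, 0, 0],
        [0, 0, 1, c % Q],
        [0, (-1) % Q, 0, (-h) % Q],
        [0, 1, 0, h_j % Q],
    ]


def det_mod_q(matrix):
    """Determinant over Z_q by Gaussian elimination (a row swap flips the sign)."""
    m = [row[:] for row in matrix]
    n = len(m)
    det = 1
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] % Q), None)
        if pivot is None:
            return 0                      # a zero column: singular
        if pivot != col:
            m[col], m[pivot] = m[pivot], m[col]
            det = -det
        det = det * m[col][col] % Q
        inv = pow(m[col][col], Q - 2, Q)  # modular inverse of the pivot
        for r in range(col + 1, n):
            f = m[r][col] * inv % Q
            if f:
                m[r] = [(a - f * b) % Q for a, b in zip(m[r], m[col])]
    return det % Q


def is_nonsingular(c, h, h_j):
    """True iff (d, z, tag, r_j'') is a bijective image of (d_1, d_2, z_1, z_2)."""
    return det_mod_q(coefficient_matrix(c, h, h_j)) != 0


def forward(c, h, h_j, tag_j, d1, d2, z1, z2):
    """The challenger's substitution from game H_1 / H_2."""
    d = (d1 + c * d2) % Q
    z = (z1 + c * z2) % Q
    tag = (-(d2 + h * z2)) % Q
    r2 = (d2 + tag_j + h_j * z2) % Q
    return d, z, tag, r2


def backward(c, h, h_j, tag_j, d, z, tag, r2):
    """Inverse substitution; divides by h_j - h, so it requires h_j != h."""
    inv_diff = pow((h_j - h) % Q, Q - 2, Q)
    z2 = (r2 - tag_j + tag) * inv_diff % Q   # r_j'' - tag_j + tag = (h_j - h) z_2
    d2 = (-tag - h * z2) % Q
    d1 = (d - c * d2) % Q
    z1 = (z - c * z2) % Q
    return d1, d2, z1, z2
```

Because `forward` and `backward` are mutually inverse whenever \(h_j \ne h\), a uniform choice of \((d_1, d_2, z_1, z_2)\) yields a uniform and independent \((d, z, \textsc {tag}, r_j'')\), which is the statistical identity of games \(H_2\) and \(H_3\); when \(h_j = h\) the determinant is zero and the argument breaks down, which is why game \(G_2\) ruled out that case.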

In game \(H_4\), the challenger generates \(d, \,z\) and \(\textsc {tag}\) at random (instead of \(d_1 + c \cdot d_2\), etc.), and also chooses \(r_j'''\) at random (and independent of \(r_j, r_j'\) and other variables) and uses the following in decryption

$$\begin{aligned} R = \mathbf{g}_2^{r_j}, \;\; S_1^{\textsc {tag}_j}\cdot T \cdot S_2 ^{h_j} = \mathbf{g}_2 ^{ r_j''' + r_j \cdot (\textsc {tag}_j\cdot c + h_j \cdot z + d + {{ i}} \cdot e) }, \end{aligned}$$

and

$$\begin{aligned}&W_1 \cdot W_2^{\textsc {tag}_j} \cdot W_3 ^{h_j} = \mathbf{g}_2^{[-\Delta _5' - r_j''' - r_j \cdot (\Delta _1' + d + {{ i}} \cdot (\Delta _2' + e))]/b}\\&\qquad \cdot \, \mathbf{g}_2 ^{(- r_j \cdot \textsc {tag}_j \cdot (\Delta _3' + c) )/b}\\&\qquad \cdot \, \mathbf{g}_2 ^{(- r_j \cdot h_j \cdot (\Delta _4' + z) )/b} \end{aligned}$$

Game \(H_4\) is statistically identical to game \(H_3\), as the exponent term \(u + r_j' \cdot r_j''\) in game \(H_3\) is random and independent of \(r_j'\), and hence is distributed the same as a random \(r_j'''\) as in game \(H_4\). Now note that game \(H_4\) is identical to the game \(G_{7,j}\) as described above the Lemma 14 statement. \(\square \)

Game \(G_8\) is just the game \(G_{7,n}\), where n is the number of decryption queries. Note that in game \(G_8\) the only place that u is used is in the ciphertext component \(C_0\), which is simulated by the challenger as \( C_0 = M \cdot \mathbf{k}^s \cdot e(\mathbf{g}_1, \mathbf{g}_2) ^{u s'}\) (see equation (3)). Hence, \(C_0\) is completely random and independent of M in the view of the Adversary in game \(G_8\) (note that u is nonzero with high probability). That completes the proof. \(\square \)