Abstract
In a non-interactive zero-knowledge (NIZK) proof, a prover can non-interactively convince a verifier of a statement without revealing any additional information. A useful relaxation of NIZK is a designated verifier NIZK (DV-NIZK) proof, where proofs are verifiable only by a designated party in possession of a verification key. A crucial security requirement of DV-NIZKs is unbounded-soundness, which guarantees soundness even if the verification key is reused for multiple statements. Most known DV-NIZKs (except standard NIZKs) for \(\mathbf{NP} \) do not have unbounded-soundness. Existing DV-NIZKs for \(\mathbf{NP} \) satisfying unbounded-soundness are based on assumptions which are already known to imply standard NIZKs. In particular, it is an open problem to construct (DV-)NIZKs from weak pairing-free group assumptions such as decisional Diffie–Hellman (DH). Furthermore, all constructions of (DV-)NIZKs from DH-type assumptions (regardless of whether they are over pairing-free or pairing groups) require the proof size to have a multiplicative overhead \(C \cdot \mathsf {poly}(\kappa )\), where C is the size of the circuit that computes the \(\mathbf{NP} \) relation. In this work, we make progress on constructing DV-NIZKs from DH-type assumptions that are not known to imply standard NIZKs. Our results are summarized as follows:

DV-NIZKs for \(\mathbf{NP} \) from the computational DH assumption over pairing-free groups. This is the first construction of such NIZKs on pairing-free groups and resolves the open problem posed by Kim and Wu (CRYPTO’18).

DV-NIZKs for \(\mathbf{NP} \) with proof size \(C+\mathsf {poly}(\kappa )\) from the computational DH assumption over specific pairing-free groups. This is the first DV-NIZK that achieves a compact proof from a standard DH-type assumption. Moreover, if we further assume the \(\mathbf{NP} \) relation to be computable in \(\mathbf{NC} ^1\) and assume hardness of a (non-static) falsifiable DH-type assumption over specific pairing-free groups, the proof size can be made as small as \(w + \mathsf {poly}(\kappa )\).
Notes
NIZK arguments are a relaxed notion of NIZK proofs where soundness only holds against computationally bounded adversaries. Throughout the introduction, we simply refer to them as NIZKs.
The pairing-free group should be a subgroup of \(\mathbb {Z}_p^*\) for a prime p. In this paper, “specific groups” refers to such groups.
We say that \((g,g^x,g^y,g^z)\in \mathbb {G}^4\) is a DDH-tuple if \(z=xy \mod p\) where p is the order of \(\mathbb {G}\).
Though a cheating prover can arbitrarily choose \(\tau \in \mathbb {Z}_p\), we can negligibly bound its success probability by the union bound if the success probability of a cheating prover of the underlying HBM-NIZK is bounded by \(p^{-1}\cdot \mathsf {negl}(\kappa )\).
In fact, Kim and Wu [64] showed a generic conversion from a homomorphic signature to a designated prover NIZK (DP-NIZK). However, it is easy to see that if one uses their generic conversion on homomorphic MACs instead of homomorphic signatures, it would result in a PP-NIZK instead of a DP-NIZK.
Though the original construction by Catalano and Fiore [16] is based on a PRF, we present an information-theoretically secure variant of it in a simplified setting where the arity of an arithmetic circuit is bounded.
Though there are many circuits that compute the same relation, we assume a corresponding circuit that computes the relation is implicitly fixed whenever we consider a relation.
Precisely speaking, the \((D-1)\)-CDHI assumption was defined for a group generator. We describe our construction as if it was defined for a fixed group \(\mathbb {G}\) for notational simplicity.
References
[1] H. Abusalah, Generic Instantiations of the Hidden Bits Model for Non-interactive Zero-Knowledge Proofs for NP. Master’s thesis, RWTH Aachen University (2013)
[2] E. Boyle, G. Couteau, N. Gilboa, Y. Ishai, Compressing vector OLE, in D. Lie, M. Mannan, M. Backes, X.F. Wang, editors, ACM CCS 2018 (ACM Press, 2018), pp. 896–912
[3] P.W. Beame, S.A. Cook, H.J. Hoover, Log depth circuits for division and related problems. SIAM J. Comput. 15(4), 994–1003 (1986)
[4] M. Blum, P. Feldman, S. Micali, Non-interactive zero-knowledge and its applications (extended abstract), in 20th ACM STOC (ACM Press, 1988), pp. 103–112
[5] E. Boyle, N. Gilboa, Y. Ishai, Breaking the circuit size barrier for secure computation under DDH, in M. Robshaw, J. Katz, editors, CRYPTO 2016, Part I. LNCS, vol. 9814 (Springer, Heidelberg, 2016), pp. 509–539
[6] Z. Brakerski, V. Koppula, T. Mour, NIZK from LPN and trapdoor hash via correlation intractability for approximable relations, in D. Micciancio, T. Ristenpart, editors, CRYPTO 2020, Part III. LNCS, vol. 12172 (Springer, Heidelberg, 2020), pp. 738–767
[7] M. Bellare, D. Micciancio, B. Warinschi, Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions, in E. Biham, editor, EUROCRYPT 2003. LNCS, vol. 2656 (Springer, Heidelberg, 2003), pp. 614–629
[8] N. Bitansky, O. Paneth, ZAPs and non-interactive witness indistinguishability from indistinguishability obfuscation, in Y. Dodis, J.B. Nielsen, editors, TCC 2015, Part II. LNCS, vol. 9015 (Springer, Heidelberg, 2015), pp. 401–427
[9] N. Bitansky, O. Paneth, D. Wichs, Perfect structure on the edge of chaos—trapdoor permutations from indistinguishability obfuscation, in E. Kushilevitz, T. Malkin, editors, TCC 2016-A, Part I. LNCS, vol. 9562 (Springer, Heidelberg, 2016), pp. 474–502
[10] M. Bellare, M. Yung, Certifying permutations: non-interactive zero-knowledge based on any trapdoor permutation. J. Cryptol. 9(3), 149–166 (1996)
[11] P. Chaidos, G. Couteau, Efficient designated-verifier non-interactive zero-knowledge proofs of knowledge, in J.B. Nielsen, V. Rijmen, editors, EUROCRYPT 2018, Part III. LNCS, vol. 10822 (Springer, Heidelberg, 2018), pp. 193–221
[12] R. Canetti, Y. Chen, J. Holmgren, A. Lombardi, G.N. Rothblum, R.D. Rothblum, D. Wichs, Fiat–Shamir: from practice to theory, in M. Charikar, E. Cohen, editors, 51st ACM STOC (ACM Press, 2019), pp. 1082–1090
[13] R. Canetti, Y. Chen, L. Reyzin, R.D. Rothblum, Fiat–Shamir and correlation intractability from strong KDM-secure encryption, in J.B. Nielsen, V. Rijmen, editors, EUROCRYPT 2018, Part I. LNCS, vol. 10820 (Springer, Heidelberg, 2018), pp. 91–122
[14] R. Cramer, I. Damgård, Secret-key zero-knowledge and non-interactive verifiable exponentiation, in M. Naor, editor, TCC 2004. LNCS, vol. 2951 (Springer, Heidelberg, 2004), pp. 223–237
[15] M. Chase, Y. Dodis, Y. Ishai, D. Kraschewski, T. Liu, R. Ostrovsky, V. Vaikuntanathan, Reusable non-interactive secure computation, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part III. LNCS, vol. 11694 (Springer, Heidelberg, 2019), pp. 462–488
[16] D. Catalano, D. Fiore, Practical homomorphic message authenticators for arithmetic circuits. J. Cryptol. 31(1), 23–59 (2018)
[17] R. Canetti, U. Feige, O. Goldreich, M. Naor, Adaptively secure multi-party computation, in 28th ACM STOC (ACM Press, 1996), pp. 639–648
[18] D. Chaum, A. Fiat, M. Naor, Untraceable electronic cash, in S. Goldwasser, editor, CRYPTO’88. LNCS, vol. 403 (Springer, Heidelberg, 1990), pp. 319–327
[19] P. Chaidos, J. Groth, Making sigma-protocols non-interactive without random oracles, in J. Katz, editor, PKC 2015. LNCS, vol. 9020 (Springer, Heidelberg, 2015), pp. 650–670
[20] G. Couteau, D. Hofheinz, Designated-verifier pseudorandom generators, and their applications, in Y. Ishai, V. Rijmen, editors, EUROCRYPT 2019, Part II. LNCS, vol. 11477 (Springer, Heidelberg, 2019), pp. 562–592
[21] D. Chaum, Security without identification: transaction systems to make big brother obsolete. Commun. ACM 28(10), 1030–1044 (1985)
[22] R. Canetti, S. Halevi, J. Katz, A forward-secure public-key encryption scheme, in E. Biham, editor, EUROCRYPT 2003. LNCS, vol. 2656 (Springer, Heidelberg, 2003), pp. 255–271
[23] R. Canetti, S. Halevi, J. Katz, A forward-secure public-key encryption scheme. J. Cryptol. 20(3), 265–294 (2007)
[24] D. Cash, E. Kiltz, V. Shoup, The twin Diffie–Hellman problem and applications. J. Cryptol. 22(4), 470–504 (2009)
[25] G. Couteau, S. Katsumata, B. Ursu, Non-interactive zero-knowledge in pairing-free groups from weaker assumptions, in A. Canteaut, Y. Ishai, editors, EUROCRYPT 2020, Part III. LNCS, vol. 12107 (Springer, Heidelberg, 2020), pp. 442–471
[26] R. Canetti, A. Lichtenberg, Certifying trapdoor permutations, revisited, in A. Beimel, S. Dziembowski, editors, TCC 2018, Part I. LNCS, vol. 11239 (Springer, Heidelberg, 2018), pp. 476–506
[27] R. Cramer, V. Shoup, Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption, in L.R. Knudsen, editor, EUROCRYPT 2002. LNCS, vol. 2332 (Springer, Heidelberg, 2002), pp. 45–64
[28] R. Cramer, V. Shoup, Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)
[29] R. Cohen, A. Shelat, D. Wichs, Adaptively secure MPC with sublinear communication complexity, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part II. LNCS, vol. 11693 (Springer, Heidelberg, 2019), pp. 30–60
[30] D. Chaum, E. van Heyst, Group signatures, in D.W. Davies, editor, EUROCRYPT’91. LNCS, vol. 547 (Springer, Heidelberg, 1991), pp. 257–265
[31] I. Damgård, On the randomness of Legendre and Jacobi sequences, in S. Goldwasser, editor, CRYPTO’88. LNCS, vol. 403 (Springer, Heidelberg, 1990), pp. 163–172
[32] I. Damgård, Non-interactive circuit based proofs and non-interactive perfect zero-knowledge with preprocessing, in R.A. Rueppel, editor, EUROCRYPT’92. LNCS, vol. 658 (Springer, Heidelberg, 1993), pp. 341–355
[33] D. Dolev, C. Dwork, M. Naor, Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)
[34] I. Damgård, N. Fazio, A. Nicolosi, Non-interactive zero-knowledge from homomorphic encryption, in S. Halevi, T. Rabin, editors, TCC 2006. LNCS, vol. 3876 (Springer, Heidelberg, 2006), pp. 41–59
[35] A. De Santis, S. Micali, G. Persiano, Non-interactive zero-knowledge with preprocessing, in S. Goldwasser, editor, CRYPTO’88. LNCS, vol. 403 (Springer, Heidelberg, 1990), pp. 269–282
[36] C. Dwork, M. Naor, Zaps and their applications. SIAM J. Comput. 36(6), 1513–1543 (2007)
[37] U. Feige, D. Lapidot, A. Shamir, Multiple non-interactive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)
[38] A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in A.M. Odlyzko, editor, CRYPTO’86. LNCS, vol. 263 (Springer, Heidelberg, 1987), pp. 186–194
[39] C. Gentry, A Fully Homomorphic Encryption Scheme. Ph.D. thesis, Stanford University (2009)
[40] C. Gentry, J. Groth, Y. Ishai, C. Peikert, A. Sahai, A.D. Smith, Using fully homomorphic hybrid encryption to minimize non-interactive zero-knowledge proofs. J. Cryptol. 28(4), 820–843 (2015)
[41] R. Gennaro, C. Gentry, B. Parno, M. Raykova, Quadratic span programs and succinct NIZKs without PCPs, in T. Johansson, P.Q. Nguyen, editors, EUROCRYPT 2013. LNCS, vol. 7881 (Springer, Heidelberg, 2013), pp. 626–645
[42] O. Goldreich, L.A. Levin, A hard-core predicate for all one-way functions, in 21st ACM STOC (ACM Press, 1989), pp. 25–32
[43] S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
[44] O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or A completeness theorem for protocols with honest majority, in A. Aho, editor, 19th ACM STOC (ACM Press, 1987), pp. 218–229
[45] O. Goldreich, Y. Oren, Definitions and properties of zero-knowledge proof systems. J. Cryptol. 7(1), 1–32 (1994)
[46] O. Goldreich, Foundations of Cryptography: Volume 2, Basic Applications (Cambridge University Press, 2004)
[47] J. Groth, R. Ostrovsky, A. Sahai, New techniques for noninteractive zero-knowledge. J. ACM 59(3), 11:1–11:35 (2012)
[48] J. Groth, Short non-interactive zero-knowledge proofs, in M. Abe, editor, ASIACRYPT 2010. LNCS, vol. 6477 (Springer, Heidelberg, 2010), pp. 341–358
[49] J. Groth, Short pairing-based non-interactive zero-knowledge arguments, in M. Abe, editor, ASIACRYPT 2010. LNCS, vol. 6477 (Springer, Heidelberg, 2010), pp. 321–340
[50] J. Groth, A. Sahai, Efficient noninteractive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012)
[51] S. Gorbunov, V. Vaikuntanathan, H. Wee, Functional encryption with bounded collusions via multi-party computation, in R. Safavi-Naini, R. Canetti, editors, CRYPTO 2012. LNCS, vol. 7417 (Springer, Heidelberg, 2012), pp. 162–179
[52] C. Gentry, D. Wichs, Separating succinct non-interactive arguments from all falsifiable assumptions, in L. Fortnow, S.P. Vadhan, editors, 43rd ACM STOC (ACM Press, 2011), pp. 99–108
[53] J. Holmgren, A. Lombardi, Cryptographic hashing from strong one-way functions (or: one-way product functions and their applications), in M. Thorup, editor, 59th FOCS (IEEE Computer Society Press, 2018), pp. 850–858
[54] Y. Ishai, E. Kushilevitz, R. Ostrovsky, A. Sahai, Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121–1152 (2009)
[55] A. Jain, Z. Jin, Non-interactive zero knowledge from sub-exponential DDH, in A. Canteaut, F.X. Standaert, editors, EUROCRYPT 2021, Part I. LNCS, vol. 12696 (Springer, 2021), pp. 3–32
[56] S. Katsumata, On the untapped potential of encoding predicates by arithmetic circuits and their applications, in T. Takagi, T. Peyrin, editors, ASIACRYPT 2017, Part III. LNCS, vol. 10626 (Springer, Heidelberg, 2017), pp. 95–125
[57] J. Kilian, On the complexity of bounded-interaction and noninteractive zero-knowledge proofs, in 35th FOCS (IEEE Computer Society Press, 1994), pp. 466–477
[58] J. Kilian, S. Micali, R. Ostrovsky, Minimum resource zero-knowledge proofs (extended abstract), in G. Brassard, editor, CRYPTO’89. LNCS, vol. 435 (Springer, Heidelberg, 1990), pp. 545–546
[59] S. Katsumata, R. Nishimaki, S. Yamada, T. Yamakawa, Designated verifier/prover and preprocessing NIZKs from Diffie–Hellman assumptions, in Y. Ishai, V. Rijmen, editors, EUROCRYPT 2019, Part II. LNCS, vol. 11477 (Springer, Heidelberg, 2019), pp. 622–651
[60] S. Katsumata, R. Nishimaki, S. Yamada, T. Yamakawa, Exploring constructions of compact NIZKs from various assumptions, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part III. LNCS, vol. 11694 (Springer, Heidelberg, 2019), pp. 639–669
[61] S. Katsumata, R. Nishimaki, S. Yamada, T. Yamakawa, Compact NIZKs from standard assumptions on bilinear maps, in A. Canteaut, Y. Ishai, editors, EUROCRYPT 2020, Part III. LNCS, vol. 12107 (Springer, Heidelberg, 2020), pp. 379–409
[62] J. Kilian, E. Petrank, An efficient noninteractive zero-knowledge proof system for NP with general assumptions. J. Cryptol. 11(1), 1–27 (1998)
[63] Y.T. Kalai, G.N. Rothblum, R.D. Rothblum, From obfuscation to the security of Fiat–Shamir for proofs, in J. Katz, H. Shacham, editors, CRYPTO 2017, Part II. LNCS, vol. 10402 (Springer, Heidelberg, 2017), pp. 224–251
[64] S. Kim, D.J. Wu, Multi-theorem preprocessing NIZKs from lattices, in H. Shacham, A. Boldyreva, editors, CRYPTO 2018, Part II. LNCS, vol. 10992 (Springer, Heidelberg, 2018), pp. 733–765
[65] S. Kim, D.J. Wu, Multi-theorem preprocessing NIZKs from lattices. Cryptology ePrint Archive, Report 2018/272, https://eprint.iacr.org/2018/272.pdf, version 20180606:204702. Preliminary version appeared in CRYPTO 2018
[66] H. Lipmaa, Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments, in R. Cramer, editor, TCC 2012. LNCS, vol. 7194 (Springer, Heidelberg, 2012), pp. 169–189
[67] H. Lipmaa, Optimally sound sigma protocols under DCRA, in A. Kiayias, editor, FC 2017. LNCS, vol. 10322 (Springer, Heidelberg, 2017), pp. 182–203
[68] B. Libert, A. Passelègue, H. Wee, D.J. Wu, New constructions of statistical NIZKs: dual-mode DV-NIZKs and more, in A. Canteaut, Y. Ishai, editors, EUROCRYPT 2020, Part III. LNCS, vol. 12107 (Springer, Heidelberg, 2020), pp. 410–441
[69] A. Lombardi, W. Quach, R.D. Rothblum, D. Wichs, D.J. Wu, New constructions of reusable designated-verifier NIZKs, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part III. LNCS, vol. 11694 (Springer, Heidelberg, 2019), pp. 670–700
[70] D. Lapidot, A. Shamir, Publicly verifiable non-interactive zero-knowledge proofs, in A.J. Menezes, S.A. Vanstone, editors, CRYPTO’90. LNCS, vol. 537 (Springer, Heidelberg, 1991), pp. 353–365
[71] S. Mitsunari, R. Sakai, M. Kasahara, A new traitor tracing. IEICE Trans. E85-A(2), 481–484 (2002)
[72] M. Naor, On cryptographic assumptions and challenges (invited talk), in D. Boneh, editor, CRYPTO 2003. LNCS, vol. 2729 (Springer, Heidelberg, 2003), pp. 96–109
[73] M. Naor, O. Reingold, Number-theoretic constructions of efficient pseudo-random functions. J. ACM 51(2), 231–262 (2004)
[74] D. Naccache, J. Stern, A new public key cryptosystem based on higher residues, in L. Gong, M.K. Reiter, editors, ACM CCS 98 (ACM Press, 1998), pp. 59–66
[75] M. Naor, M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks, in 22nd ACM STOC (ACM Press, 1990), pp. 427–437
[76] D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)
[77] C. Peikert, S. Shiehian, Noninteractive zero knowledge for NP from (plain) learning with errors, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part I. LNCS, vol. 11692 (Springer, Heidelberg, 2019), pp. 89–114
[78] R. Pass, A. Shelat, V. Vaikuntanathan, Construction of a non-malleable encryption scheme from any semantically secure one, in C. Dwork, editor, CRYPTO 2006. LNCS, vol. 4117 (Springer, Heidelberg, 2006), pp. 271–289
[79] W. Quach, R.D. Rothblum, D. Wichs, Reusable designated-verifier NIZKs for all NP from CDH, in Y. Ishai, V. Rijmen, editors, EUROCRYPT 2019, Part II. LNCS, vol. 11477 (Springer, Heidelberg, 2019), pp. 593–621
[80] O. Regev, On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34:1–34:40 (2009)
[81] R.D. Rothblum, A. Sealfon, K. Sotiraki, Towards non-interactive zero-knowledge for NP from LWE, in D. Lin, K. Sako, editors, PKC 2019, Part II. LNCS, vol. 11443 (Springer, Heidelberg, 2019), pp. 472–503
[82] R.L. Rivest, A. Shamir, Y. Tauman, How to leak a secret, in C. Boyd, editor, ASIACRYPT 2001. LNCS, vol. 2248 (Springer, Heidelberg, 2001), pp. 552–565
[83] A. Sahai, Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security, in 40th FOCS (IEEE Computer Society Press, 1999), pp. 543–553
[84] A. Sahai, H. Seyalioglu, Worry-free encryption: functional encryption with public keys, in E. Al-Shaer, A.D. Keromytis, V. Shmatikov, editors, ACM CCS 2010 (ACM Press, 2010), pp. 463–472
[85] A. Sahai, B. Waters, How to use indistinguishability obfuscation: deniable encryption, and more, in D.B. Shmoys, editor, 46th ACM STOC (ACM Press, 2014), pp. 475–484
[86] I. Teranishi, J. Furukawa, K. Sako, k-Times anonymous authentication (extended abstract), in P.J. Lee, editor, ASIACRYPT 2004. LNCS, vol. 3329 (Springer, Heidelberg, 2004), pp. 308–322
[87] C. Ventre, I. Visconti, Co-sound zero-knowledge with public keys, in B. Preneel, editor, AFRICACRYPT 09. LNCS, vol. 5580 (Springer, Heidelberg, 2009), pp. 287–304
Acknowledgements
We would like to thank Geoffroy Couteau for helpful comments on related works and anonymous reviewers of Eurocrypt 2019 for their valuable comments. The first author was partially supported by JST CREST Grant Number JPMJCR1302 and JSPS KAKENHI Grant Number 17J05603. The third author was supported by JST CREST Grant No. JPMJCR1688 and JSPS KAKENHI Grant Number 16K16068.
Communicated by Jonathan Katz
A preliminary version of this work appeared in the proceedings of the 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques [59] and in the proceedings of the 39th Annual International Cryptology Conference [60]. This is the revised and merged full version of them.
Appendices
Transformation from DV-NIWI into Multi-theorem DV-NIZK
In this section, we prove Theorem 2.13. That is, we show that we can convert a DV-NIWI into a (multi-theorem) DV-NIZK, additionally assuming pseudorandom generators.
First, we recall the definition of pseudorandom generators.
Definition A.1
(Pseudorandom Generators) Let \(n = n(\kappa )\) and \(m = m(\kappa )\) be positive-integer-valued functions such that \(m > n\). A function \(\mathsf {PRG}: \{ 0,1 \} ^n \rightarrow \{ 0,1 \} ^{m}\) is called a pseudorandom generator (PRG) if \(\mathsf {PRG}\) is polynomial-time computable and for every efficient algorithm \({\mathcal {A}}\) we have the following:
Then, we give a proof of Theorem 2.13 in the following.
Proof of Theorem 2.13
We construct a DV-NIZK proof \(\Pi _{\mathsf {zk}} \mathrel {\mathop :}=(\mathsf {Setup},\mathsf {Prove},\mathsf {Verify})\) for \({\mathcal {L}}\) based on a PRG \(\mathsf {PRG}(\cdot ): \{0,1\}^{n} \rightarrow \{0,1\}^{2n}\) and a DV-NIWI proof \(\Pi _{\mathsf {wi}} \mathrel {\mathop :}=(\mathsf {WI}.\mathsf {Setup},\mathsf {WI}.\mathsf {Prove},\mathsf {WI}.\mathsf {Verify})\) for a language
where \({\mathcal {R}}\) is the corresponding relation to \({\mathcal {L}}\). The construction of \(\Pi _{\mathsf {zk}}\) is described below.

\(\mathsf {Setup}(1^\kappa )\): This algorithm samples \((\mathsf {wi}.\mathsf {crs},\mathsf {wi}.k_\mathsf{V}) \leftarrow \mathsf {WI}.\mathsf {Setup}(1^\kappa )\) and \(\sigma \overset{\mathsf {\scriptscriptstyle \$}}{\leftarrow } \{0,1\}^{2n}\). It sets \(\mathsf {crs}\mathrel {\mathop :}=(\mathsf {wi}.\mathsf {crs},\sigma )\) and \(k_\mathsf{V}\mathrel {\mathop :}=\mathsf {wi}.k_\mathsf{V}\) and outputs \((\mathsf {crs},k_\mathsf{V})\).

\(\mathsf {Prove}(\mathsf {crs}, x, w) \rightarrow \pi \): This algorithm generates \(\mathsf {wi}.\pi \leftarrow \mathsf {WI}.\mathsf {Prove}(\mathsf {wi}.\mathsf {crs},(x,\sigma ),w)\) and outputs a proof \(\pi \mathrel {\mathop :}=\mathsf {wi}.\pi \).

\(\mathsf {Verify}(\mathsf {crs}, k_\mathsf{V}, x, \pi ) \rightarrow \top \text { or }\bot \): This algorithm parses \(\mathsf {crs}= (\mathsf {wi}.\mathsf {crs},\sigma )\), \(k_\mathsf{V}= \mathsf {wi}.k_\mathsf{V}\), and \( \pi = \mathsf {wi}.\pi \) and outputs \(\mathsf {WI}.\mathsf {Verify}(\mathsf {wi}.\mathsf {crs}, \mathsf {wi}. k_\mathsf{V},(x,\sigma ),\mathsf {wi}.\pi )\).
Lemma A.2
\(\Pi _\mathsf {zk}\) satisfies completeness.
Proof
The completeness clearly follows from the completeness of \(\Pi _\mathsf {wi}\). \(\square \)
Lemma A.3
\(\Pi _\mathsf {zk}\) satisfies soundness.
Proof
By a simple counting argument, \(\sigma \overset{\mathsf {\scriptscriptstyle \$}}{\leftarrow } \{0,1\}^{2n}\) is in the range of \( \mathsf {PRG}\) with probability at most \(2^{-n}\), since the seed length is n and hence at most \(2^n\) of the \(2^{2n}\) strings have a preimage. Therefore, except with negligible probability, there does not exist \(\mathsf {seed}\in \{0,1\}^n\) such that \(\mathsf {PRG}(\mathsf {seed}) = \sigma \). That is, except with negligible probability, \((x,\sigma ) \notin {\mathcal {L}}^{\vee }\) whenever \(x \notin {\mathcal {L}}\). By the soundness of \(\Pi _{\mathsf {wi}}\), the soundness of \(\Pi _{\mathsf {zk}}\) follows. \(\square \)
Lemma A.4
\(\Pi _\mathsf {zk}\) satisfies (adaptive multi-theorem) zero-knowledge.
Proof
We construct a simulator \(\mathsf {zk}.{\mathcal {S}}= (\mathsf {zk}.{\mathcal {S}}_1,\mathsf {zk}.{\mathcal {S}}_2)\) as follows.

\(\mathsf {zk}.{\mathcal {S}}_1 (1^\kappa )\): It works as follows.

1. Runs \((\mathsf {wi}.\mathsf {crs},\mathsf {wi}.k_\mathsf{V}) \leftarrow \mathsf {WI}.\mathsf {Setup}(1^\kappa )\).
2. Samples \(\mathsf {seed} \overset{\mathsf {\scriptscriptstyle \$}}{\leftarrow } \{0,1\}^{n}\) and computes \(\sigma \mathrel {\mathop :}=\mathsf {PRG}(\mathsf {seed})\).
3. Outputs \(\mathsf {crs}\mathrel {\mathop :}=(\mathsf {wi}.\mathsf {crs},\sigma )\), \(k_\mathsf{V}\mathrel {\mathop :}=\mathsf {wi}.k_\mathsf{V}\), and \(\tau _\mathsf{V}\mathrel {\mathop :}=\mathsf {seed}\).

\(\mathsf {zk}.{\mathcal {S}}_2 (\mathsf {crs},{\widetilde{k}}_\mathsf{V},\tau _\mathsf{V},x_i)\): It works as follows.

1. Runs \(\mathsf {wi}.\pi _\mathsf {seed}\leftarrow \mathsf {WI}.\mathsf {Prove}(\mathsf {wi}.\mathsf {crs},(x_i,\sigma ),\mathsf {seed})\). That is, \(\mathsf {zk}.{\mathcal {S}}_2\) uses \(\mathsf {seed}\) as a witness for \({\mathcal {L}}^{\vee }\). This is a valid witness since \(\mathsf {PRG}(\mathsf {seed})=\sigma \) by the definition of \(\mathsf {zk}.{\mathcal {S}}_1\) above.
2. Outputs \(\pi _i \mathrel {\mathop :}=\mathsf {wi}.\pi _\mathsf {seed}\).
In the following, we prove that the simulated proofs are indistinguishable from real ones. Suppose that \({\mathcal {A}}\) distinguishes simulated and real proofs. Then, we construct a distinguisher \({\mathcal {B}}\) that breaks the witness indistinguishability of \(\Pi _\mathsf {wi}\) as follows.

\({\mathcal {B}}(1^\kappa ,\mathsf {wi}.\mathsf {crs},\mathsf {wi}.k_\mathsf{V})\): It works as follows.

1. Samples \(\mathsf {seed} \overset{\mathsf {\scriptscriptstyle \$}}{\leftarrow } \{0,1\}^{n}\), sets \(\sigma \mathrel {\mathop :}=\mathsf {PRG}(\mathsf {seed})\), \(\mathsf {crs}\mathrel {\mathop :}=(\mathsf {wi}.\mathsf {crs}, \sigma )\) and \(k_\mathsf{V}\mathrel {\mathop :}=\mathsf {wi}.k_\mathsf{V}\), and runs \({\mathcal {A}}\) on input \((\mathsf {crs},k_\mathsf{V})\).
2. When \({\mathcal {A}}\) queries \((x_i,w_i) \in {\mathcal {R}}\) to its oracle, \({\mathcal {B}}\) queries \(((x_i,\sigma ),w_i, \mathsf {seed})\) to its own oracle to get \(\mathsf {wi}.\pi _i\) and returns \(\mathsf {wi}.\pi _i\) to \({\mathcal {A}}\) as the oracle's response.
3. Finally, outputs whatever \({\mathcal {A}}\) outputs.

This completes the description of \({\mathcal {B}}\). First, we remark that \(\mathsf {wi}.\pi _i\ne \bot \) in each query since both \(w_i\) and \(\mathsf {seed}\) are valid witnesses for \((x_i,\sigma )\in {\mathcal {L}}^{\vee }\). Then, it is easy to see that \({\mathcal {B}}\) perfectly simulates the experiment where \({\mathcal {A}}\) gets real proofs if the coin chosen in the witness indistinguishability experiment in which \({\mathcal {B}}\) is involved is equal to 0, and \({\mathcal {B}}\) perfectly simulates the experiment where \({\mathcal {A}}\) gets simulated proofs otherwise. Therefore, if \({\mathcal {A}}\) distinguishes real and simulated proofs, then \({\mathcal {B}}\) breaks the witness indistinguishability of \(\Pi _\mathsf {wi}\). This completes the proof of Lemma A.4. \(\square \)
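To make the OR-trick of the construction above concrete, the following small Python model is added here (it is not code from the paper): a toy length-doubling PRG with n = 8, the relation for \({\mathcal {L}}^{\vee }\) on instances \((x,\sigma )\), the honest \(\mathsf {Setup}\) versus the simulator \(\mathsf {zk}.{\mathcal {S}}_1\), and the counting bound behind Lemma A.3. The base relation \({\mathcal {R}}\) (x is the SHA-256 hash of w), the SHA-256-based toy PRG and the tiny parameter n are constructed assumptions; the DV-NIWI prover itself is not modelled, only the two kinds of witness it would be handed.

```python
import hashlib
import secrets

N = 8              # toy seed length n in bits (a real PRG uses n = poly(kappa))
OUT_BITS = 2 * N   # the PRG is length-doubling: {0,1}^n -> {0,1}^{2n}


def toy_prg(seed: int) -> int:
    """Constructed toy PRG: expand an n-bit seed to 2n bits with SHA-256.
    It only stands in for the paper's PRG; its pseudorandomness is assumed."""
    if not 0 <= seed < (1 << N):
        raise ValueError("seed must be an n-bit integer")
    digest = hashlib.sha256(b"toy-prg:" + seed.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << OUT_BITS) - 1)


def prg_range() -> set:
    """All outputs PRG(seed) for seed in {0,1}^n (enumerable only because n is tiny)."""
    return {toy_prg(s) for s in range(1 << N)}


def fraction_of_sigma_with_preimage() -> float:
    """Probability that a uniform sigma in {0,1}^{2n} lies in the PRG range.
    Counting argument of Lemma A.3: at most 2^n of the 2^{2n} strings have a
    preimage, so the fraction is at most 2^-n."""
    return len(prg_range()) / (1 << OUT_BITS)


def honest_setup() -> int:
    """Setup: sigma uniform in {0,1}^{2n}. With probability at least 1 - 2^-n
    it has no PRG preimage, so a cheating prover has no trapdoor witness."""
    return secrets.randbelow(1 << OUT_BITS)


def simulator_setup() -> tuple:
    """zk.S_1: sigma := PRG(seed); the seed is kept as the trapdoor tau_V."""
    seed = secrets.randbelow(1 << N)
    return toy_prg(seed), seed


def instance_for(w: bytes) -> bytes:
    """Constructed base relation R: (x, w) in R iff x = SHA-256(w)."""
    return hashlib.sha256(w).digest()


def base_relation(x: bytes, w: bytes) -> bool:
    return instance_for(w) == x


def or_relation(x: bytes, sigma: int, witness: tuple) -> bool:
    """Relation for L^OR on instance (x, sigma): the witness is either
    ('w', w) with (x, w) in R, or ('seed', seed) with PRG(seed) = sigma.
    Prove hands the DV-NIWI prover the first kind, zk.S_2 the second."""
    kind, value = witness
    if kind == "w":
        return base_relation(x, value)
    if kind == "seed":
        return 0 <= value < (1 << N) and toy_prg(value) == sigma
    return False


def sigma_has_preimage(sigma: int) -> bool:
    """Whether any trapdoor witness for sigma exists at all."""
    return sigma in prg_range()
```

Both witness kinds satisfy `or_relation` under the simulator's \(\sigma \), which is exactly the remark in the proof of Lemma A.4 that the NIWI oracle never returns \(\bot \); under the honest \(\sigma \) only the real witness does, except with probability at most \(2^{-n}\).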
Proof of Lemma 3.25
Here, we give a proof of Lemma 3.25.
Proof of Lemma 3.25
Our construction runs \(\ell '\)-parallel repetitions of the base proof system by reusing the same s for all instances. For each instance, the relaxed zero-knowledge property ensures witness indistinguishability, noting that s is randomly chosen by the proving algorithm. The witness indistinguishability of the whole proof system then follows from a straightforward hybrid argument by observing that, given a witness, one can publicly generate a proof for each instance of the underlying base proof system. We provide the formal proof below.
First, we remark that we can assume that an adversary against the witness indistinguishability makes only one query without loss of generality as remarked in Remark 2.12.
We define hybrid games \(\mathsf {Game}_j\) for \(j=0,1,...,\ell '\) for an adversary \({\mathcal {A}}\).

\(\mathsf {Game}_j\): This game is described as follows:

1. The challenger generates \((\mathsf {crs}_i,k_\mathsf{V}^{(i)}) \leftarrow \mathsf {bP}.\mathsf {Setup}(1^\kappa )\) for \(i\in [\ell ^{\prime }]\), and sets \(\mathsf {crs}\mathrel {\mathop :}=\mathsf {crs}_1\Vert \cdots \Vert \mathsf {crs}_{\ell ^{\prime }}\) and \(k_\mathsf{V}\mathrel {\mathop :}=k_\mathsf{V}^{(1)}\Vert \cdots \Vert k_\mathsf{V}^{(\ell ^{\prime })}\).
2. \({\mathcal {A}}\) is given \((\mathsf {crs},k_\mathsf{V})\) and outputs \((x,w_0,w_1)\).
3. The challenger chooses \(s \overset{\mathsf {\scriptscriptstyle \$}}{\leftarrow } \{0,1\}^{\ell _{\mathsf {hrs}}}\), generates \(\pi _i^{(1)} \leftarrow \mathsf {bP}.\mathsf {Prove}(\mathsf {crs}_i,x,w_1,s)\) for \(i \le j\) and \(\pi _i^{(0)} \leftarrow \mathsf {bP}.\mathsf {Prove}(\mathsf {crs}_i,x,w_0,s)\) for \(i > j\), and sets \(\pi \mathrel {\mathop :}=(\pi _1^{(1)},\ldots ,\pi _j^{(1)},\pi _{j+1}^{(0)},\ldots ,\pi _{\ell ^{\prime }}^{(0)})\).
4. \({\mathcal {A}}\) is given \(\pi \). The game outputs what \({\mathcal {A}}\) outputs.

What we need to prove is \(|\Pr [\mathsf {Game}_0=1]-\Pr [\mathsf {Game}_{\ell '}=1]|\le \mathsf {negl}(\kappa )\). For proving this, we prove \(|\Pr [\mathsf {Game}_{j-1}=1]-\Pr [\mathsf {Game}_{j}=1]|\le \mathsf {negl}(\kappa )\) for \(j=1,...,\ell '\), which immediately implies the above and completes the proof. To do so, we define auxiliary hybrid games \(\widetilde{\mathsf {Game}}_{j}\) as follows.

\(\widetilde{\mathsf {Game}}_j\): This game is described as follows:

1. The challenger generates \((\mathsf {crs}_i,k_\mathsf{V}^{(i)}) \leftarrow \mathsf {bP}.\mathsf {Setup}(1^\kappa )\) for \(i \in [\ell ^{\prime }] {\setminus } \{j+1\}\) and \((\mathsf {crs}_{j+1},k_\mathsf{V}^{(j+1)},\tau _\mathsf{V}^{(j+1)})\leftarrow \mathsf {bP}.{\mathcal {S}}_1(1^{\kappa })\), and sets \(\mathsf {crs}\mathrel {\mathop :}=\mathsf {crs}_1\Vert \cdots \Vert \mathsf {crs}_{\ell ^{\prime }}\) and \(k_\mathsf{V}\mathrel {\mathop :}=k_\mathsf{V}^{(1)}\Vert \cdots \Vert k_\mathsf{V}^{(\ell ^{\prime })}\).
2. \({\mathcal {A}}\) is given \((\mathsf {crs},k_\mathsf{V})\) and outputs \((x,w_0,w_1)\).
3. The challenger generates \((\pi _{j+1},s)\leftarrow \mathsf {bP}.{\mathcal {S}}_2(\tau _\mathsf{V}^{(j+1)},x)\), \(\pi _i \leftarrow \mathsf {bP}.\mathsf {Prove}(\mathsf {crs}_i,x,w_1,s)\) for \(i < j+1\), and \(\pi _i \leftarrow \mathsf {bP}.\mathsf {Prove}(\mathsf {crs}_i,x,w_0,s)\) for \(i > j+1\), and sets \(\pi \mathrel {\mathop :}=(\pi _1^{(1)},\ldots ,\pi _{j}^{(1)}, \pi _{j+1}, \pi _{j+2}^{(0)},\ldots ,\pi _{\ell ^{\prime }}^{(0)})\).
4. \({\mathcal {A}}\) is given \(\pi \). The game outputs what \({\mathcal {A}}\) outputs.
Then, we prove the following claims.
Claim B.1
If \(\mathsf {bP}\) satisfies the relaxed ZK defined in Definition 3.6, then we have \(|\Pr [\mathsf {Game}_{j-1}=1]-\Pr [\widetilde{\mathsf {Game}}_{j-1}=1]|\le \mathsf {negl}(\kappa )\).
Proof
We construct a distinguisher \({\mathcal {B}}\) for the relaxed zero-knowledge described in Definition 3.6 of the base proof system \(\mathsf {bP}\) by using a distinguisher \({\mathcal {D}}\) of \(\mathsf {Game}_{j-1}\) and \(\widetilde{\mathsf {Game}}_{j-1}\).

\({\mathcal {B}}(1^\kappa ,\mathsf {crs}^*,k_\mathsf{V}^*)\): This algorithm does the following:

1. Generates \((\mathsf {crs}_i,k_\mathsf{V}^{(i)}) \leftarrow \mathsf {bP}.\mathsf {Setup}(1^\kappa )\) for \(i \in [\ell ^{\prime }] {\setminus } \{j\}\) and sets \(\mathsf {crs}\mathrel {\mathop :}= \mathsf {crs}_1\Vert \cdots \Vert \mathsf {crs}_{j-1}\Vert \mathsf {crs}^* \Vert \mathsf {crs}_{j+1}\Vert \cdots \Vert \mathsf {crs}_{\ell ^{\prime }}\) and \(k_\mathsf{V}\mathrel {\mathop :}=k_\mathsf{V}^{(1)} \Vert \cdots \Vert k_\mathsf{V}^{(j-1)} \Vert k_\mathsf{V}^* \Vert k_\mathsf{V}^{(j+1)} \Vert \cdots \Vert k_\mathsf{V}^{(\ell ^{\prime })}\).

2. Sends \((\mathsf {crs},k_\mathsf{V})\) to \({\mathcal {A}}\), and \({\mathcal {A}}\) outputs \((x,w_0,w_1)\).

3. Sends \((x,w_{0})\) to the challenger of the relaxed zero-knowledge experiment in Definition 3.6, receives \((\pi ^* ,s)\) of \(\mathsf {bP}\), and does the following:

   • For \(i < j\), \({\mathcal {B}}\) generates \(\pi _i^{(1)} \leftarrow \mathsf {bP}.\mathsf {Prove}(\mathsf {crs}_i,x,w_1,s)\).

   • For \(i > j\), \({\mathcal {B}}\) generates \(\pi _i^{(0)} \leftarrow \mathsf {bP}.\mathsf {Prove}(\mathsf {crs}_i,x,w_0,s)\).

   • For \(i=j\), \({\mathcal {B}}\) sets \(\pi _j \mathrel {\mathop :}=\pi ^*\).

4. Sends \(\pi \mathrel {\mathop :}=(\pi _1^{(1)},\ldots ,\pi _{j-1}^{(1)},\pi ^*,\pi _{j+1}^{(0)},\ldots ,\pi _{\ell ^{\prime }}^{(0)},s)\) to \({\mathcal {A}}\).

5. Outputs as \({\mathcal {A}}\) outputs.

If \((\mathsf {crs}^*,k_\mathsf{V}^*)\) and \((\pi ^*, s)\) are outputs of \(\mathsf {bP}.\mathsf {Setup}(1^\kappa )\) and \(\mathsf {bP}.\mathsf {Prove}(\mathsf {crs},x,w_{0},s)\), then \({\mathcal {B}}\) perfectly simulates \(\mathsf {Game}_{j-1}\). If \((\mathsf {crs}^*,k_\mathsf{V}^*)\) and \((\pi ^* ,s)\) are outputs of \(\mathsf {bP}.{\mathcal {S}}_1 (1^\kappa )\) and \(\mathsf {bP}.{\mathcal {S}}_2 (\mathsf {crs},k_\mathsf{V},\tau _\mathsf{V},x)\), then \({\mathcal {B}}\) perfectly simulates \(\widetilde{\mathsf {Game}}_{j-1}\). Therefore, if \({\mathcal {A}}\) distinguishes these two hybrid games, then \({\mathcal {B}}\) breaks the zero-knowledge in Lemma 3.17. This completes the proof of Claim B.1. \(\square \)
Claim B.2
If \(\mathsf {bP}\) satisfies the relaxed ZK defined in Definition 3.6, then we have \(|\Pr [\widetilde{\mathsf {Game}}_{j-1}=1]-\Pr [\mathsf {Game}_{j}=1]|\le \mathsf {negl}(\kappa )\).
Proof
We can prove this similarly to Claim B.1. \(\square \)
By combining Claims B.1 and B.2, we have \(|\Pr [\mathsf {Game}_{j-1}=1]-\Pr [\mathsf {Game}_{j}=1]|\le \mathsf {negl}(\kappa )\) and thus we have \(|\Pr [\mathsf {Game}_0=1]-\Pr [\mathsf {Game}_{\ell '}=1]|\le \mathsf {negl}(\kappa )\) by a hybrid argument. This completes the proof of Lemma 3.25. \(\square \)
DVNIZK for Leveled Relations with Sublinear Proof Size
Here, we give variants of our compact DVNIZK whose proof size is sublinear in the size of the circuit that computes the \(\mathbf{NP} \) relation being proven. This construction only works for \(\mathbf{NP} \) languages with “leveled” relations, i.e., relations that can be expressed by a leveled circuit: a circuit whose gates are divided into L levels such that all incoming wires to a gate of level \(i+1\) come from gates of level i. For this case, the proof size of the scheme becomes \(|w|+|C|/\log \kappa +\mathsf {poly}(\kappa )\).
Leveled Circuits and Relations. First, we define leveled circuits and their “special” levels following [5]. We say that a circuit is a leveled circuit of depth D if its gates are partitioned into \(D+1\) levels, all input gates are of level 0, all output gates are of level \(D+1\), and all incoming wires to a gate of level \(i+1\) come from gates of level i for each \(i\in [D]\). The width at level i is defined to be the number of gates of level i. For a leveled circuit C of depth D, we define a set \({\mathcal {S}}_C\subset \{0,...,D+1\}\) of “special” levels in the following manner. For each \(j\in \{0,...,\lfloor D /\log \kappa \rfloor -1\}\), \({\mathcal {S}}_C\) contains one level i in the interval \([j \log \kappa +1,...,(j+1)\log \kappa ]\) such that the width at level i is the minimum among the widths of the levels in this interval. (If there exist multiple levels whose width is minimal, we choose the smallest such level.) We say that i is a special level if \(i\in {\mathcal {S}}_C\). Let \(\mathsf {pre}(i)\) denote the preceding special level of i, i.e., the maximal \(i'<i\) such that \(i'\in {\mathcal {S}}_C\) (if no such \(i'\) exists, we define \(\mathsf {pre}(i)\mathrel {\mathop :}=0\)), and let \(L_C\) denote the largest special level of C, i.e., the largest i such that \(i\in {\mathcal {S}}_C\). It is easy to see that the total number of gates at special levels is at most \(|C|/\log \kappa \), since \({\mathcal {S}}_C\) contains, from each interval of \(\log \kappa \) consecutive levels, the level of smallest width. For any gate g of a special level \(i\in {\mathcal {S}}_C\), we can compute the output value of g as a function of the output values of the gates of level \(\mathsf {pre}(i)\). We denote this function by \(\mathsf {EvalfromPre}_g\). Since each special level is at most \(2\log \kappa \) levels above its preceding special level, \(\mathsf {EvalfromPre}_g\) can be expressed as a circuit of depth at most \(2\log \kappa \).
Similarly, we define a function \(\mathsf {EvalfromPre}_\mathsf {out}\) that computes the output value of C given the output values of the gates of level \(L_C\) as input. As before, \(\mathsf {EvalfromPre}_\mathsf {out}\) can be expressed as a circuit of depth at most \(2\log \kappa \).
An \(\mathbf{NP} \) relation \({\mathcal {R}}\subseteq \{0,1\}^*\times \{0,1\}^* \) is said to be a leveled relation if there exists a family \(\{C_{n,m}:\{0,1\}^{n}\times \{0,1\}^{m}\rightarrow \{0,1\}\}\) of leveled circuits such that for \(x\in \{0,1\}^n\) and \(w\in \{0,1\}^m\), we have \(C_{n,m}(x,w)=1\) if and only if \((x,w)\in {\mathcal {R}}\). In the following, we fix n and m, and omit the subscripts n and m from C for notational simplicity. For \(x\in \{0,1\}^{n}\), we let \(\mathsf {SGates}[C(x,\cdot )]\) be the set of all gates of \(C(x,\cdot )\) whose level is a special level. For a gate g of \(C(x,\cdot )\), we let \(s_g\) be the output value of the gate g when \(C(x,\cdot )\) is evaluated on input w. We call \(w'\mathrel {\mathop :}=(w,\{s_g\}_{g\in \mathsf {SGates}[C(x,\cdot )]})\) an expanded witness of w w.r.t. x and C. It is easy to see that we have \(|w'|\le |w|+|C|/\log \kappa \) since \(|\mathsf {SGates}[C(x,\cdot )]|\) is at most \(|C|/\log \kappa \). Then, we define an expanded circuit \(\mathsf {ExpCir}_{C(x,\cdot )}\) for the expanded witness as follows.

\(\mathsf {ExpCir}_{C(x,\cdot )}(w')\): It parses \((w,\{s_g\}_{g\in \mathsf {SGates}[C(x,\cdot )]})\leftarrow w'\). For all \(i\in {\mathcal {S}}_C\), we denote the output values of the gates of level i (in a canonical order) by \(S_i\), and we let \(S_0\mathrel {\mathop :}=w\). For all gates g of a special level \(i\in {\mathcal {S}}_C\), it verifies whether \(s_g=\mathsf {EvalfromPre}_g(S_{\mathsf {pre}(i)})\) holds and returns 0 if this does not hold. If all checks pass, it outputs \(\mathsf {EvalfromPre}_{\mathsf {out}}(S_{L_{C(x,\cdot )}})\).
It is easy to see that for any \(x\in \{0,1\}^n\), there exists an expanded witness \(w'\) such that \(\mathsf {ExpCir}_{C(x, \cdot )}(w')=1\) if and only if there exists a witness \(w\in \{ 0,1 \} ^m\) such that \(C(x,w)=1\). We can implement \(\mathsf {ExpCir}_{C(x, \cdot )}\) by a circuit of depth at most \(2\log \kappa + \log (|C|/\log \kappa +1)\). This can be seen by observing that \(\mathsf {ExpCir}_{C(x, \cdot )}\) first computes \(\mathsf {EvalfromPre}_g\) for at most \(|C|/\log \kappa \) different g and \(\mathsf {EvalfromPre}_{\mathsf {out}}\), each of which can be computed by a circuit of depth at most \(2\log \kappa \), followed by taking the AND of all of them. Since the final AND has fan-in at most \(|C|/\log \kappa +1\), it can be implemented by a circuit of depth \(\log (|C|/\log \kappa +1)\) and fan-in 2. In particular, if \(|C|=\mathsf {poly}(\kappa )\), then there exists a constant c such that \(\mathsf {ExpCir}_{C(x, \cdot )}\) can be computed by a circuit of depth at most \(c \log \kappa \).
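As an added illustration that is not part of the paper, the following Python computes the special levels \({\mathcal {S}}_C\) and \(\mathsf {pre}(i)\), builds an expanded witness, and runs \(\mathsf {ExpCir}_{C(x,\cdot )}\) (including the rejection of a tampered \(s_g\)) on a small constructed leveled circuit with \(x\) hard-wired and \(\kappa =16\), so \(\log \kappa =4\). The circuit, its gate encoding and all function names are assumptions made here for illustration.

```python
# Two-input gate table; NOT ignores its second input. Gate inputs are indices into the
# previous level, so every wire into level i+1 comes from level i (a leveled circuit).
OPS = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b,
       "XOR": lambda a, b: a ^ b, "NOT": lambda a, b: 1 - a}

# Constructed example C(x, .) with x already hard-wired: levels 1..9 (D = 8), level 0 is
# the 4-bit witness w, and level 9 = D+1 holds the single output gate.
LEVELS = [
    [("XOR", 0, 1), ("AND", 2, 3), ("OR", 0, 3)],                 # level 1, width 3
    [("OR", 0, 1), ("XOR", 1, 2)],                                 # level 2, width 2
    [("AND", 0, 1), ("OR", 0, 1), ("XOR", 0, 1)],                  # level 3, width 3
    [("OR", 0, 2), ("AND", 1, 2), ("XOR", 0, 1)],                  # level 4, width 3
    [("XOR", 0, 1), ("OR", 1, 2)],                                 # level 5, width 2
    [("AND", 0, 1), ("OR", 0, 1), ("NOT", 1, 1), ("XOR", 0, 1)],   # level 6, width 4
    [("OR", 0, 3)],                                                # level 7, width 1
    [("OR", 0, 0), ("NOT", 0, 0)],                                 # level 8, width 2
    [("AND", 0, 0)],                                               # level 9, output
]
LOG_K = 4  # log kappa for kappa = 16: each interval of candidate levels has length 4

def eval_levels(levels, s_in):
    """Evaluate consecutive levels from wire values s_in; return the last level's values."""
    s = list(s_in)
    for lvl in levels:
        s = [OPS[op](s[a], s[b]) for op, a, b in lvl]
    return s

def special_levels(levels, w_len, log_k):
    """S_C: from each interval [j*log_k+1, (j+1)*log_k] take the minimum-width level (smallest on ties)."""
    widths = [w_len] + [len(lvl) for lvl in levels]   # width at levels 0..D+1
    depth = len(levels) - 1                            # D: the output gates sit at level D+1
    return [min(range(j * log_k + 1, (j + 1) * log_k + 1), key=lambda i: (widths[i], i))
            for j in range(depth // log_k)]

def expand_witness(levels, sc, w):
    """Expanded witness w' = (w, {S_i}_{i in S_C}) from an honest evaluation of C(x, w)."""
    return (list(w), {i: eval_levels(levels[:i], w) for i in sc})

def exp_cir(levels, sc, w_exp):
    """ExpCir: check each claimed S_i against EvalfromPre applied to S_{pre(i)}, then return
    EvalfromPre_out(S_{L_C}); any mismatch yields 0."""
    w, claimed = w_exp
    pre = 0                                            # pre(i) starts at level 0, i.e. w itself
    for i in sc:
        s_pre = w if pre == 0 else claimed[pre]
        if eval_levels(levels[pre:i], s_pre) != claimed[i]:
            return 0
        pre = i
    s_last = w if pre == 0 else claimed[pre]           # S_{L_C} (or w when S_C is empty)
    return eval_levels(levels[pre:], s_last)[0]
```

For this circuit the special levels are 2 and 7, so the expanded witness carries 3 extra bits against 21 gates, within the \(|C|/\log \kappa \) bound.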
Preparation. For our construction of a DVNIZK with sublinear proof size, we prove the following variant of Lemma 4.6.
Lemma C.1
Let C be a leveled circuit that computes a relation \({\mathcal {R}}\) on \(\{0,1\}^{n}\times \{0,1\}^{m}\), i.e., for \((x,w)\in \{0,1\}^{n}\times \{0,1\}^{m}\), we have \(C(x,w)=1\) if and only if \((x,w)\in {\mathcal {R}}\), and let p be an integer larger than \(|C|\). Then, there exists a deterministic algorithm \(\mathsf {Exp}'_{C,x}\) and an arithmetic circuit \({\tilde{C}}'\) on \(\mathbb {Z}_p\) with degree at most \(\kappa ^4\) such that we have

• \(|\mathsf {Exp}'_{C,x}(w)|=|w|+|C|/\log \kappa \) for all \(w\in \{0,1\}^{m}\).

• If \(C(x,w)=1\), then we have \({\tilde{C}}'(x,\mathsf {Exp}'_{C,x}(w))=1 \mod p\).

• For any \(x\in \{0,1\}^{n}\), if there does not exist \(w\in \{0,1\}^{m}\) such that \(C(x,w)=1\), then there does not exist \(w'\) such that \({\tilde{C}}'(x,w')=1 \mod p\).
Proof
We let \(\mathsf {Exp}'_{C,x}(w)\) be the expanded witness defined in the previous paragraph. As already shown, we have \(|\mathsf {Exp}'_{C,x}(w)|=|w|+|C|/\log \kappa \). By definition, if we let \(\mathsf {Exp}'_{C,x}(w)=(w, \{s_g\}_{g\in \mathsf {SGates}})\), then C(x, w) can be computed as
where \(i_g\) denotes g’s level. By using a trick similar to the one used in the proof of Lemma 4.6, the condition that \(C(x,w)=1\) is equivalent to the condition that
Therefore, if we define
then it satisfies the conditions required in the lemma. Since the degrees of \(\mathsf {EvalfromPre}_g\) and \(\mathsf {EvalfromPre}_\mathsf {out}\) are at most \(\kappa ^2\), as they are implemented by circuits of depth at most \(2 \log \kappa \), the degree of \({\tilde{C}}'(x,\cdot )\) is at most \(\kappa ^4\) as required. \(\square \)
DVNIZK with Sublinear Proof Size. We then instantiate the construction of DVNIZK given in Sect. 4.2, replacing \(\mathsf {Exp}_{C,x}\) and \({\tilde{C}}\) with \(\mathsf {Exp}'_{C,x}\) and \({\tilde{C}}'\), respectively. Security can be proven similarly. The size of \(\mathsf {ct}_{\mathsf {SKE}}=\mathsf {SKE}.\mathsf {Enc}(\mathsf {pp}_{\mathsf {SKE}}, K,\mathsf {Exp}'_{C,x}(w))\) is \(|w|+|C|/\log \kappa +\mathsf {poly}(\kappa )\). Moreover, we note that we still have \(D=\mathsf {poly}(\kappa )\): the degree of \(f_{x,\mathsf {pp}_{\mathsf {SKE}},\mathsf {ct}}(\cdot )\mathrel {\mathop :}={\tilde{C}}'(x,\mathsf {SKE}.\mathsf {Dec}(\mathsf {pp}_{\mathsf {SKE}},\cdot , \mathsf {ct}))\) is \(\mathsf {poly}(\kappa )\), because the degree of \({\tilde{C}}'\) is at most \(\kappa ^4\) as shown above. Therefore, the sizes of all other components of a proof remain \(\mathsf {poly}(\kappa )\). In summary, the total proof size is \(|w|+|C|/\log \kappa +\mathsf {poly}(\kappa )\). This completes the proof of Corollary 4.24.
Katsumata, S., Nishimaki, R., Yamada, S. et al. Compact Designated Verifier NIZKs from the CDH Assumption Without Pairings. J Cryptol 34, 42 (2021). https://doi.org/10.1007/s00145-021-09408-w