
Compact NIZKs from Standard Assumptions on Bilinear Maps

Research Article, published in the Journal of Cryptology

Abstract

A non-interactive zero-knowledge (NIZK) protocol enables a prover to convince a verifier of the truth of a statement without leaking any other information by sending a single message. The main focus of this work is on exploring short pairing-based NIZKs for all \({{\textbf {NP}}}\) languages based on standard assumptions. In this regime, the seminal work of Groth, Ostrovsky, and Sahai (J.ACM’12) (GOS-NIZK) is still considered to be the state-of-the-art. Although fairly efficient, one drawback of GOS-NIZK is that the proof size is multiplicative in the size of the circuit computing the \({{\textbf {NP}}}\) relation. That is, the proof size grows by \(O(|C|\kappa )\), where C is the circuit for the \({{\textbf {NP}}}\) relation and \(\kappa \) is the security parameter. By now, there have been numerous follow-up works focusing on shortening the proof size of pairing-based NIZKs; however, thus far, all of them come at the cost of relying either on a non-standard knowledge-type assumption or on a non-static q-type assumption. Specifically, improving the proof size of the original GOS-NIZK under the same standard assumption has remained an open problem. Our main result is a construction of a pairing-based NIZK for all of \({{\textbf {NP}}}\) whose proof size is additive in |C|, that is, the proof size only grows by \(|C| +\textsf{poly}(\kappa )\), based on the computational Diffie-Hellman assumption over specific pairing-free groups and the decisional linear (DLIN) assumption. As by-products of our main result, we also obtain the following two results: (1) We construct a perfectly zero-knowledge NIZK (NIPZK) for \({{\textbf {NP}}}\) relations computable in \({{\textbf {NC}}}^1\) with proof size \(|w| \cdot \textsf{poly}(\kappa )\), where |w| is the witness length, based on the DLIN assumption. This is the first pairing-based NIPZK for a non-trivial class of \({{\textbf {NP}}}\) languages whose proof size is independent of |C| based on a standard assumption. (2) We construct a universally composable (UC) NIZK for \({{\textbf {NP}}}\) relations computable in \({{\textbf {NC}}}^1\) in the erasure-free adaptive setting whose proof size is \(|w| \cdot \textsf{poly}(\kappa )\) from the DLIN assumption. This is an improvement over the recent result of Katsumata, Nishimaki, Yamada, and Yamakawa (CRYPTO’19), which gave a similar result based on a non-static q-type assumption. The main building block for all of our NIZKs is a constrained signature scheme with decomposable online-offline efficiency. This is a property which we newly introduce in this paper and construct from the DLIN assumption. We believe this construction is of independent interest.



Notes

  1. In the introduction, we do not distinguish between proofs and arguments for simplicity.

  2. The journal version by Katsumata et al. [56] is a merged paper of two conference papers [53, 54]. However, the journal version presents only the contents about “designated-verifier” NIZKs. It includes neither results of NIZKs in the CRS model nor designated-prover NIZKs.

  3. More precisely, we can base it on the weaker MDDH assumption, which includes the DLIN and symmetric external Diffie-Hellman (SXDH) assumptions as a special case.

  4. In this paper, the specific pairing-free group means a subgroup of \({\mathbb {Z}}_p^*\) for a prime p. See Remark 5.6 for details.

  5. Note that \(\textsf{CS}.\sigma \) should be kept secret since it reveals partial information of K.

  6. Actually, the definition of online-offline decomposability is slightly different from the one in the main body, but the latter implies the former.

  7. In delegation, a client with low computational power delegates a heavy computation to a potentially malicious server. The client can verify that the server’s output is correct. The verification process should be more efficient than directly computing an output. See [44, 57] for more details.

  8. In fact, the SKE scheme achieves a ciphertext length that equals the message length. However, any SKE scheme with a fixed-polynomial additive ciphertext overhead and secret key length suffices for our work.

  9. We say it is a non-interactive zero-knowledge proof when the soundness property holds for even unbounded adversaries. In this paper, we will only be interested in computationally bounded adversaries.

  10. However, we use constant functions for \(h_0\) and \(h_L\) in the constructions.

  11. More accurately, \( {\mathcal {O}}_{{\textsf{E}}} \) takes as input \([M]_2 \in G_2\) in addition to i in [61]. But we can ignore the additional input \([M]_2\) without loss of generality.

  12. Notice that the distribution of \(\{ \mu _j \}_{j\ne j^*}\) in \(\widehat{{\textsf{H}}}_{\ell ,0}(u_0,u_1)\) is the same as that in \(\widehat{{\textsf{H}}}_{\ell ,1}(u_0,u_1)\).

  13. We need security against non-uniform adversaries in the proof of soundness in our NIZK with perfect zero-knowledge.

  14. Strictly speaking, \({\mathcal {Z}}\) is restricted to be balanced, which roughly means that \({\mathcal {Z}}\) should not give too many inputs to the adversary compared to the inputs given to the other parties. See [14] for more details.

  15. We could consider more general message and circuit classes; however, we use this simplistic version to match the CS definition we provided.

  16. Actually, the GS proof is a dual-mode NIZK, and satisfies perfect extractability or perfect zero-knowledge depending on the mode. Here, we focus on the binding mode where the perfect extractability is satisfied.

References

  1. H. Abusalah, Generic instantiations of the hidden bits model for non-interactive zero-knowledge proofs for NP. Master’s thesis, RWTH-Aachen University (2013)

  2. N. Attrapadung, J. Herranz, F. Laguillaumie, B. Libert, E. de Panafieu, C. Ràfols, Attribute-based encryption schemes with constant-size ciphertexts. Theor. Comput. Sci. 422, 15–38 (2012)

  3. B. Applebaum, Y. Ishai, E. Kushilevitz, Cryptography in \(\text{NC}^0\). SIAM J. Comput. 36(4), 845–888 (2006)

  4. N. Attrapadung, B. Libert, E. de Panafieu, Expressive key-policy attribute-based encryption with constant-size ciphertexts, in D. Catalano, N. Fazio, R. Gennaro, A. Nicolosi, editors, PKC 2011. LNCS, vol. 6571 (Springer, Heidelberg, 2011), pp. 90–108

  5. P.W. Beame, S.A. Cook, H.J. Hoover, Log depth circuits for division and related problems. SIAM J. Comput. 15(4), 994–1003 (1986)

  6. D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing, in J. Kilian, editor, CRYPTO 2001. LNCS, vol. 2139 (Springer, Heidelberg, 2001), pp. 213–229

  7. D. Boneh, D.M. Freeman, Homomorphic signatures for polynomial functions, in K.G. Paterson, editor, EUROCRYPT 2011. LNCS, vol. 6632 (Springer, Heidelberg, 2011), pp. 149–168

  8. M. Blum, P. Feldman, S. Micali, Non-interactive zero-knowledge and its applications (extended abstract), in 20th ACM STOC (ACM Press, 1988), pp. 103–112

  9. E. Boyle, N. Gilboa, Y. Ishai, Breaking the circuit size barrier for secure computation under DDH, in M. Robshaw, J. Katz, editors, CRYPTO 2016, Part I. LNCS, vol. 9814 (Springer, Heidelberg, 2016), pp. 509–539

  10. Z. Brakerski, V. Koppula, T. Mour, NIZK from LPN and trapdoor hash via correlation intractability for approximable relations, in D. Micciancio, T. Ristenpart, editors, CRYPTO 2020, Part III. LNCS, vol. 12172 (Springer, Heidelberg, 2020), pp. 738–767

  11. N. Bitansky, O. Paneth, ZAPs and non-interactive witness indistinguishability from indistinguishability obfuscation, in Y. Dodis, J.B. Nielsen, editors, TCC 2015, Part II. LNCS, vol. 9015 (Springer, Heidelberg, 2015), pp. 401–427

  12. N. Bitansky, O. Paneth, D. Wichs, Perfect structure on the edge of chaos - trapdoor permutations from indistinguishability obfuscation, in E. Kushilevitz, T. Malkin, editors, TCC 2016-A, Part I. LNCS, vol. 9562 (Springer, Heidelberg, 2016), pp. 474–502

  13. M. Bellare, M. Yung, Certifying permutations: noninteractive zero-knowledge based on any trapdoor permutation. J. Cryptol. 9(3), 149–166 (1996)

  14. R. Canetti, Universally composable security: a new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067 (2000). https://eprint.iacr.org/2000/067

  15. R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, in 42nd FOCS (IEEE Computer Society Press, 2001), pp. 136–145

  16. R. Canetti, Y. Chen, J. Holmgren, A. Lombardi, G.N. Rothblum, R.D. Rothblum, D. Wichs, Fiat-Shamir: from practice to theory, in M. Charikar, E. Cohen, editors, 51st ACM STOC (ACM Press, 2019), pp. 1082–1090

  17. R. Canetti, Y. Chen, L. Reyzin, R.D. Rothblum, Fiat-Shamir and correlation intractability from strong KDM-secure encryption, in J.B. Nielsen, V. Rijmen, editors, EUROCRYPT 2018, Part I. LNCS, vol. 10820 (Springer, Heidelberg, 2018), pp. 91–122

  18. S.A. Cook, H.J. Hoover, A depth-universal circuit. SIAM J. Comput. 14(4), 833–839 (1985)

  19. R. Canetti, S. Halevi, J. Katz, A forward-secure public-key encryption scheme. J. Cryptol. 20(3), 265–294 (2007)

  20. G. Couteau, S. Katsumata, B. Ursu, Non-interactive zero-knowledge in pairing-free groups from weaker assumptions, in A. Canteaut, Y. Ishai, editors, EUROCRYPT 2020, Part III. LNCS, vol. 12107 (Springer, Heidelberg, 2020), pp. 442–471

  21. R. Canetti, A. Lichtenberg, Certifying trapdoor permutations, revisited, in A. Beimel, S. Dziembowski, editors, TCC 2018, Part I. LNCS, vol. 11239 (Springer, Heidelberg, 2018), pp. 476–506

  22. R. Cohen, A. Shelat, D. Wichs, Adaptively secure MPC with sublinear communication complexity, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part II. LNCS, vol. 11693 (Springer, Heidelberg, 2019), pp. 30–60

  23. G. Danezis, C. Fournet, J. Groth, M. Kohlweiss, Square span programs with applications to succinct NIZK arguments, in P. Sarkar, T. Iwata, editors, ASIACRYPT 2014, Part I. LNCS, vol. 8873 (Springer, Heidelberg, 2014), pp. 532–550

  24. N. Döttling, S. Garg, Y. Ishai, G. Malavolta, T. Mour, R. Ostrovsky, Trapdoor hash functions and their applications, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part III. LNCS, vol. 11694 (Springer, Heidelberg, 2019), pp. 3–32

  25. A. Escala, G. Herold, E. Kiltz, C. Ràfols, J. Villar, An algebraic framework for Diffie–Hellman assumptions, in R. Canetti, J.A. Garay, editors, CRYPTO 2013, Part II. LNCS, vol. 8043 (Springer, Heidelberg, 2013), pp. 129–147

  26. G. Fuchsbauer, Z. Jafargholi, K. Pietrzak, A quasipolynomial reduction for generalized selective decryption on trees, in R. Gennaro, M.J.B. Robshaw, editors, CRYPTO 2015, Part I. LNCS, vol. 9215 (Springer, Heidelberg, 2015), pp. 601–620

  27. G. Fuchsbauer, M. Konstantinov, K. Pietrzak, V. Rao, Adaptive security of constrained PRFs, in P. Sarkar, T. Iwata, editors, ASIACRYPT 2014, Part II. LNCS, vol. 8874 (Springer, Heidelberg, 2014), pp. 82–101

  28. U. Feige, D. Lapidot, A. Shamir, Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)

  29. C. Gentry, A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University (2009)

  30. S. Garg, C. Gentry, S. Halevi, A. Sahai, B. Waters, Attribute-based encryption for circuits from multilinear maps, in R. Canetti, J.A. Garay, editors, CRYPTO 2013, Part II. LNCS, vol. 8043 (Springer, Heidelberg, 2013), pp. 479–499

  31. S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, B. Waters, Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM J. Comput. 45(3), 882–929 (2016)

  32. C. Gentry, J. Groth, Y. Ishai, C. Peikert, A. Sahai, A.D. Smith, Using fully homomorphic hybrid encryption to minimize non-interative zero-knowledge proofs. J. Cryptol. 28(4), 820–843 (2015)

  33. R. Gennaro, C. Gentry, B. Parno, M. Raykova, Quadratic span programs and succinct NIZKs without PCPs, in T. Johansson, P.Q. Nguyen, editors, EUROCRYPT 2013. LNCS, vol. 7881 (Springer, Heidelberg, 2013), pp. 626–645

  34. S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)

  35. O. Goldreich, Y. Oren, Definitions and properties of zero-knowledge proof systems. J. Cryptol. 7(1), 1–32 (1994)

  36. O. Goldreich, Foundations of Cryptography: Volume 2, Basic Applications (Cambridge University Press, 2004)

  37. J. Groth, R. Ostrovsky, A. Sahai, New techniques for noninteractive zero-knowledge. J. ACM 59(3), 11:1–11:35 (2012)

  38. J. Groth, Short non-interactive zero-knowledge proofs, in M. Abe, editor, ASIACRYPT 2010. LNCS, vol. 6477 (Springer, Heidelberg, 2010), pp. 341–358

  39. J. Groth, Short pairing-based non-interactive zero-knowledge arguments, in M. Abe, editor, ASIACRYPT 2010. LNCS, vol. 6477 (Springer, Heidelberg, 2010), pp. 321–340

  40. J. Groth, On the size of pairing-based non-interactive arguments, in M. Fischlin, J.-S. Coron, editors, EUROCRYPT 2016, Part II. LNCS, vol. 9666 (Springer, Heidelberg, 2016), pp. 305–326

  41. J. Groth, A. Sahai, Efficient noninteractive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012)

  42. S. Gorbunov, V. Vaikuntanathan, D. Wichs, Leveled fully homomorphic signatures from standard lattices, in R.A. Servedio, R. Rubinfeld, editors, 47th ACM STOC (ACM Press, 2015), pp. 469–477

  43. C. Gentry, D. Wichs, Separating succinct non-interactive arguments from all falsifiable assumptions, in L. Fortnow, S.P. Vadhan, editors, 43rd ACM STOC (ACM Press, 2011), pp. 99–108

  44. A. González, A. Zacharakis, Fully-succinct publicly verifiable delegation from constant-size assumptions, in K. Nissim, B. Waters, editors, TCC 2021, Part I. LNCS, vol. 13042 (Springer, Heidelberg, 2021), pp. 529–557

  45. B. Hemenway, Z. Jafargholi, R. Ostrovsky, A. Scafuro, D. Wichs, Adaptively secure garbled circuits from one-way functions, in M. Robshaw, J. Katz, editors, CRYPTO 2016, Part III. LNCS, vol. 9816 (Springer, Heidelberg, 2016), pp. 149–178

  46. S. Hohenberger, B. Waters, Attribute-based encryption with fast decryption, in K. Kurosawa, G. Hanaoka, editors, PKC 2013. LNCS, vol. 7778 (Springer, Heidelberg, 2013), pp. 162–179

  47. Y. Ishai, E. Kushilevitz, Perfect constant-round secure computation via perfect randomizing polynomials, in P. Widmayer, F.T. Ruiz, R.M. Bueno, M. Hennessy, S. Eidenbenz, R. Conejo, editors, ICALP 2002. LNCS, vol. 2380 (Springer, Heidelberg, 2002), pp. 244–256

  48. A. Jain, Z. Jin, Non-interactive zero knowledge from sub-exponential DDH, in A. Canteaut, F.-X. Standaert, editors, EUROCRYPT 2021, Part I. LNCS, vol. 12696 (Springer, Heidelberg, 2021), pp. 3–32

  49. Z. Jafargholi, C. Kamath, K. Klein, I. Komargodski, K. Pietrzak, D. Wichs, Be adaptive, avoid overcommitting, in J. Katz, H. Shacham, editors, CRYPTO 2017, Part I. LNCS, vol. 10401 (Springer, Heidelberg, 2017), pp. 133–163

  50. C.S. Jutla, A. Roy, Switching lemma for bilinear tests and constant-size NIZK proofs for linear subspaces, in J.A. Garay, R. Gennaro, editors, CRYPTO 2014, Part II. LNCS, vol. 8617 (Springer, Heidelberg, 2014), pp. 295–312

  51. C.S. Jutla, A. Roy, Shorter quasi-adaptive NIZK proofs for linear subspaces. J. Cryptol. 30(4), 1116–1156 (2017)

  52. Z. Jafargholi, D. Wichs, Adaptive security of Yao’s garbled circuits, in M. Hirt, A.D. Smith, editors, TCC 2016-B, Part I. LNCS, vol. 9985 (Springer, Heidelberg, 2016), pp. 433–458

  53. S. Katsumata, R. Nishimaki, S. Yamada, T. Yamakawa, Designated verifier/prover and preprocessing NIZKs from Diffie-Hellman assumptions, in Y. Ishai, V. Rijmen, editors, EUROCRYPT 2019, Part II. LNCS, vol. 11477 (Springer, Heidelberg, 2019), pp. 622–651

  54. S. Katsumata, R. Nishimaki, S. Yamada, T. Yamakawa, Exploring constructions of compact NIZKs from various assumptions, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part III. LNCS, vol. 11694 (Springer, Heidelberg, 2019), pp. 639–669

  55. S. Katsumata, R. Nishimaki, S. Yamada, T. Yamakawa, Compact NIZKs from standard assumptions on bilinear maps, in A. Canteaut, Y. Ishai, editors, EUROCRYPT 2020, Part III. LNCS, vol. 12107 (Springer, Heidelberg, 2020), pp. 379–409

  56. S. Katsumata, R. Nishimaki, S. Yamada, T. Yamakawa, Compact designated verifier NIZKs from the CDH assumption without pairings. J. Cryptol. 34(4), 42 (2021)

  57. Y.T. Kalai, O. Paneth, L. Yang, How to delegate computations publicly, in M. Charikar, E. Cohen, editors, 51st ACM STOC (ACM Press, 2019), pp. 1115–1124

  58. Y.T. Kalai, G.N. Rothblum, R.D. Rothblum, From obfuscation to the security of Fiat-Shamir for proofs, in J. Katz, H. Shacham, editors, CRYPTO 2017, Part II. LNCS, vol. 10402 (Springer, Heidelberg, 2017), pp. 224–251

  59. E. Kiltz, H. Wee, Quasi-adaptive NIZK for linear subspaces revisited, in E. Oswald, M. Fischlin, editors, EUROCRYPT 2015, Part II. LNCS, vol. 9057 (Springer, Heidelberg, 2015), pp. 101–128

  60. S. Kim, D.J. Wu, Multi-theorem preprocessing NIZKs from lattices, in H. Shacham, A. Boldyreva, editors, CRYPTO 2018, Part II. LNCS, vol. 10992 (Springer, Heidelberg, 2018), pp. 733–765

  61. L. Kowalczyk, H. Wee, Compact adaptively secure ABE for \(\text{NC}^1\) from \(k\)-Lin. J. Cryptol. 33(3), 954–1002 (2020)

  62. H. Lipmaa, Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments, in R. Cramer, editor, TCC 2012. LNCS, vol. 7194 (Springer, Heidelberg, 2012), pp. 169–189

  63. H.K. Maji, M. Prabhakaran, M. Rosulek, Attribute-based signatures, in A. Kiayias, editor, CT-RSA 2011. LNCS, vol. 6558 (Springer, Heidelberg, 2011), pp. 376–392

  64. M. Naor, On cryptographic assumptions and challenges (invited talk), in D. Boneh, editor, CRYPTO 2003. LNCS, vol. 2729 (Springer, Heidelberg, 2003), pp. 96–109

  65. D. Naccache, J. Stern, A new public key cryptosystem based on higher residues, in L. Gong, M.K. Reiter, editors, ACM CCS 98 (ACM Press, 1998), pp. 59–66

  66. T. Okamoto, K. Takashima, Efficient attribute-based signatures for non-monotone predicates in the standard model, in D. Catalano, N. Fazio, R. Gennaro, A. Nicolosi, editors, PKC 2011. LNCS, vol. 6571 (Springer, Heidelberg, 2011), pp. 35–52

  67. R. Pass, Unprovable security of perfect NIZK and non-interactive non-malleable commitments, in A. Sahai, editor, TCC 2013. LNCS, vol. 7785 (Springer, Heidelberg, 2013), pp. 334–354

  68. C. Peikert, S. Shiehian, Noninteractive zero knowledge for NP from (plain) learning with errors, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part I. LNCS, vol. 11692 (Springer, Heidelberg, 2019), pp. 89–114

  69. A. Sahai, B. Waters, How to use indistinguishability obfuscation: deniable encryption, and more, in D.B. Shmoys, editor, 46th ACM STOC (ACM Press, 2014), pp. 475–484

  70. R. Tsabary, An equivalence between attribute-based signatures and homomorphic signatures, and new constructions for both, in Y. Kalai, L. Reyzin, editors, TCC 2017, Part II. LNCS, vol. 10678 (Springer, Heidelberg, 2017), pp. 489–518

  71. L.G. Valiant, Universal circuits (preliminary report), in 8th ACM STOC (ACM Press, 1976), pp. 196–203

  72. V. Vinod, A. Narayanan, K. Srinathan, C. Pandu Rangan, K. Kim, On the power of computational secret sharing, in T. Johansson, S. Maitra, editors, INDOCRYPT 2003. LNCS, vol. 2904 (Springer, Heidelberg, 2003), pp. 162–176

  73. B. Waters, Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions, in S. Halevi, editor, CRYPTO 2009. LNCS, vol. 5677 (Springer, Heidelberg, 2009), pp. 619–636


Acknowledgements

We thank anonymous reviewers of Eurocrypt 2020 for their helpful comments. The first and the third authors were supported by JST CREST Grant Number JPMJCR19F6. The third author was supported by JSPS KAKENHI Grant Number 16K16068.

Corresponding author

Correspondence to Ryo Nishimaki.

Additional information

Communicated by Daniele Micciancio.

A preliminary version of this work appeared in the proceedings of Eurocrypt 2020 [55]. This paper is the revised full version of it.

Appendices

Homomorphic Signature from CS

Here, we give a construction of a homomorphic signature (HomSig) scheme from CS. To do so, we apply the CS-to-HomSig conversion proposed by Tsabary [70]. Our version of the conversion is slightly different from hers in that we sign circuits rather than messages (or data). We discuss this difference in Remark A.4. We note that from a theoretical standpoint, the two formalizations are equivalent (up to some small differences), since one can always view circuits and messages interchangeably using universal circuits [18, 71].

1.1 Definition

In the following, we only define single-data HomSig for simplicity. The definition for the multi-data version can be found in [42, 53].

Syntax. Let \(\{ \{ 0,1 \} ^{\ell (\kappa )} \}_{\kappa \in {\mathbb {N}}}\) be a family of message spaces. Let \(\{ {\mathcal {C}}_{\kappa } \}_{\kappa \in {\mathbb {N}}}\) be a family of circuits, where \({\mathcal {C}}_\kappa \) is a set of polynomial-sized circuits with domain \( \{ 0,1 \} ^{\ell (\kappa )}\) and range \( \{ 0,1 \} \) (see Note 15). Below, we omit the subscripts for simplicity.

Definition A.1

(Homomorphic Signatures) A homomorphic signature (HomSig) scheme \(\Pi _\textsf{HS}\) with message space \( \{ 0,1 \} ^\ell \) for the circuit class \({\mathcal {C}}\) is defined by the following five algorithms:

  • \(\mathsf {HS.KeyGen}(1^\kappa , 1^\ell ) \rightarrow (\textsf{pk}, \textsf{sk})\): The key generation algorithm takes as input the security parameter \(1^\kappa \) and the message length \(1^\ell \) and outputs a public verification key \(\textsf{pk}\) and a signing key \(\textsf{sk}\).

  • \(\mathsf {HS.Sign}(\textsf{sk}, C) \rightarrow \varvec{\sigma }\): The signing algorithm takes as input a signing key \(\textsf{sk}\) and a circuit \(C\in {\mathcal {C}}\), and outputs a signature \(\varvec{\sigma }\).

  • \(\mathsf {HS.Eval}(\textsf{pk}, C, {\textbf{x}}, \varvec{\sigma }) \rightarrow \sigma \): The signature-evaluation algorithm takes as input a verification key \(\textsf{pk}\), a circuit \(C: \{ 0,1 \} ^{\ell } \rightarrow \{ 0,1 \} \) in \({\mathcal {C}}\), messages \({\textbf{x}}\in \{ 0,1 \} ^\ell \), and a signature \(\varvec{\sigma }\) and outputs an evaluated signature \(\sigma \).

  • \(\mathsf {HS.Verify}(\textsf{pk}, {\textbf{x}}, z, \sigma ) \rightarrow \top \text { or } \bot \): The verification algorithm splits into a pair of algorithms \((\mathsf {HS.VerifyOffL}, \mathsf {HS.VerifyOnL})\):

    • \(\mathsf {HS.VerifyOffL}( \textsf{pk}, {\textbf{x}}) \rightarrow \textsf{pk}_{\textbf{x}}: \) The offline verification algorithm takes as input a verification key \(\textsf{pk}\), messages \({\textbf{x}}\in \{ 0,1 \} ^\ell \), and outputs an evaluated verification key \(\textsf{pk}_{\textbf{x}}\).

    • \(\mathsf {HS.VerifyOnL}( \textsf{pk}', z, \sigma ) \rightarrow \top \text { or } \bot : \) The online verification algorithm takes as input an (evaluated) verification key \(\textsf{pk}'\), a message \(z \in \{ 0,1 \} \), and an evaluated signature \(\sigma \), and outputs \(\top \) if the signature is valid and \(\bot \) otherwise.

Correctness We define correctness for evaluated messages.

Definition A.2

(Correctness) We say a homomorphic signature scheme \(\Pi _\textsf{HS}\) is correct, if for all \(\kappa \in {\mathbb {N}}\), \(\ell \in \textsf{poly}(\kappa )\), messages \({\textbf{x}}= (x_1, \cdots , x_\ell ) \in \{ 0,1 \} ^\ell \), circuits \(C\in {\mathcal {C}}\), and \((\textsf{pk}, \textsf{sk}) \in \mathsf {HS.KeyGen}(1^\kappa , 1^\ell )\) we have

$$\begin{aligned}&\Pr [ \mathsf {HS.Sign}(\textsf{sk}, C) \rightarrow \varvec{\sigma };~ \mathsf {HS.Eval}( \textsf{pk}, C, {\textbf{x}}, \varvec{\sigma })\\&\quad \rightarrow \sigma :~ \mathsf {HS.Verify}(\textsf{pk}, {\textbf{x}}, C({\textbf{x}}), \sigma ) = \top ] = 1, \end{aligned}$$

where the probability is taken over the randomness used by all of the algorithms.

Unforgeability We now define unforgeability for a HomSig scheme. The security notion is defined formally by the following game between a challenger and an adversary \({\mathcal {A}}\).

  • Setup: At the beginning of the game, the adversary \({\mathcal {A}}\) is given \(1^\kappa \) as input and sends \(1^\ell \) to the challenger. Then the challenger generates a signing-verification key pair \((\textsf{pk}, \textsf{sk}) \overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \mathsf {HS.KeyGen}(1^\kappa , 1^\ell )\) and gives \(\textsf{pk}\) to \({\mathcal {A}}\).

  • Signing Query: The adversary \({\mathcal {A}}\) submits a circuit \(C\in {\mathcal {C}}\) to be signed. The challenger responds by creating a signature \(\varvec{\sigma }\overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \mathsf {HS.Sign}(\textsf{sk}, C)\) and sends \(\varvec{\sigma }\) to \({\mathcal {A}}\). Here, \({\mathcal {A}}\) can query a circuit only once.

  • Forgery: Then the adversary \({\mathcal {A}}\) outputs messages \({\textbf{x}}^\star \), a message \(z^\star \in \{ 0,1 \} \), and a signature \(\sigma ^\star \) as the forgery. We say that \({\mathcal {A}}\) wins the game if:

    1. \({\textbf{x}}^\star \in \{ 0,1 \} ^\ell \); and

    2. \(C({\textbf{x}}^\star ) \ne z^\star \); and

    3. \(\mathsf {HS.Verify}(\textsf{pk}, {\textbf{x}}^\star , z^\star , \sigma ^\star ) = \top \).

The advantage of an adversary winning the above game is defined by \(\Pr [{\mathcal {A}}\text { wins}]\), where the probability is taken over the randomness used by the challenger and the adversary.

Definition A.3

(Unforgeability) A homomorphic signature scheme \(\Pi _\textsf{HS}\) is said to satisfy unforgeability if for any PPT adversary \({\mathcal {A}}\) the advantage \(\Pr [{\mathcal {A}}\text { wins}]\) of the above game is negligible.

Compactness and Offline/Online Efficiency. We say a HomSig scheme \(\Pi _\textsf{HS}\) is compact if there exists a universal polynomial \(\textsf{poly}(\cdot )\) such that the evaluated signature \(\sigma \) (output by \(\mathsf {HS.Eval}\)) satisfies \(\left| \sigma \right| \le \textsf{poly}(\kappa )\). Moreover, we say \(\Pi _\textsf{HS}\) is online-offline efficient if there exists a universal polynomial \(\textsf{poly}(\cdot )\) such that the running time of \(\mathsf {HS.VerifyOnL}\) is \(\textsf{poly}(\kappa )\). Here, we allow the running time of the offline phase, i.e., running \(\mathsf {HS.VerifyOffL}\), to depend on the size of the messages \(\left| {\textbf{x}} \right| \). In particular, once the messages \({\textbf{x}}\) are fixed and we have preprocessed the evaluated verification key \(\textsf{pk}_{\textbf{x}}\overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \mathsf {HS.VerifyOffL}(\textsf{pk}, {\textbf{x}})\), we can verify an evaluated signature with respect to the messages \({\textbf{x}}\) and any circuit \(C\) in time independent of \(\left| C \right| \) or \(\left| {\textbf{x}} \right| \).

Remark A.4

(Comparison with HS signing on messages) It is common in the literature to define the signing algorithm \(\mathsf {HS.Sign}\) with respect to messages \({\textbf{x}}\) rather than a circuit \(C\), e.g., [7, 42]. In many natural applications, e.g., when a client wants to outsource the computation of many algorithms on a fixed dataset, it may be more convenient to work with our formalization of HS. However, in either case, we note that the two formalizations are equivalent from a theoretical point of view in that both definitions are interchangeable using universal circuits. Namely, given messages \({\textbf{x}}\), we can view them as a universal circuit \(U(\cdot , {\textbf{x}})\) which takes as input a circuit \(C\) (represented, say, as a bit string) and outputs \(C({\textbf{x}})\). Since Cook and Hoover [18] showed that \(U(\cdot , {\textbf{x}})\) need only be a constant factor deeper than \(C\), this conversion can be made without incurring any strong restrictions on the circuit class supported by the underlying HS. A shortcoming of this approach is that the signature size for the message \({\textbf{x}}\) depends on the description size of \(C\), since the input length of the universal circuit \(U(\cdot , {\textbf{x}})\) must be taken as large as the description size of \(C\). On the other hand, compactness of an evaluated signature is preserved.

1.2 Construction of Homomorphic Signatures from CS

We construct a HomSig scheme with message space \( \{ 0,1 \} ^\ell \) for circuit class \({\mathcal {C}}=\{C: \{ 0,1 \} ^{\ell } \rightarrow \{ 0,1 \} \}\) from a CS scheme. Concretely, let \(\Pi _{\textsf{CS}}= (\mathsf {CS.Setup}, \mathsf {CS.KeyGen}, \mathsf {CS.Sign}, \mathsf {CS.Vrfy})\) be a CS scheme with message space \( \{ 0,1 \} ^{\ell + 1}\) for a circuit class \(\tilde{{\mathcal {C}}}\) defined as

$$\begin{aligned} {\tilde{{\mathcal {C}}}}&= \{ {\tilde{C}}: \{ 0,1 \} ^{\ell + 1} \rightarrow \{ 0,1 \} \mid \text {for all } C\in {\mathcal {C}}, ({\textbf{x}}, z) \in \{ 0,1 \} ^\ell \times \{ 0,1 \} , \\&\quad \text {we have } {\tilde{C}}({\textbf{x}}, z) = \big ( C({\textbf{x}}) {\mathop {=}\limits ^{\mathrm {?}}}z \big ) \}. \end{aligned}$$

More specifically, \(\tilde{{\mathcal {C}}}\) is a set of circuits with input length \(\ell + 1\) such that a circuit \({\tilde{C}}\in \tilde{{\mathcal {C}}}\) on input \(({\textbf{x}}, z) \in \{ 0,1 \} ^\ell \times \{ 0,1 \} \) outputs 1 if and only if the associated circuit \(C\in {\mathcal {C}}\) outputs z on input \({\textbf{x}}\). Since \((z' {\mathop {=}\limits ^{\mathrm {?}}}z)\) can be expressed by a constant-sized circuit, every circuit in \(\tilde{{\mathcal {C}}}\) has depth and size bounded by \(d + O(1)\) and \(s + O(1)\), respectively, where d and s denote the maximal depth and size of the circuits in \({\mathcal {C}}\), respectively. In particular, if \({\mathcal {C}}\) is in \({{\textbf {NC}}}^1\), then so is \(\tilde{{\mathcal {C}}}\). Further, assume the CS scheme has decomposable online-offline efficiency (see Definition 4.2), and in particular, we have algorithms \((\mathsf {CS.Aggrgt}, \mathsf {CS.VrfyOnL})\).

Our construction of offline-online efficient HomSig with message space \( \{ 0,1 \} ^\ell \) for circuit class \({\mathcal {C}}\) is provided as follows:

  • \(\mathsf {HS.KeyGen}(1^\kappa , 1^\ell )\): On input the security parameter \(1^\kappa \) and the message length \(1^\ell \), generate \((\textsf{msk}, \textsf{vk}) \overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \mathsf {CS.Setup}(1^\kappa , 1^\ell )\), and output \(\textsf{pk}:=\textsf{vk}\) and \(\textsf{sk}:=\textsf{msk}\).

  • \(\mathsf {HS.Sign}(\textsf{sk}, C)\): On input \(\textsf{sk}= \textsf{msk}\) and \(C\in {\mathcal {C}}\), compute the associated circuit \({\tilde{C}}\in \tilde{{\mathcal {C}}}\) defined above. I.e., \({\tilde{C}}({\textbf{x}}', z') = \big ( C({\textbf{x}}') {\mathop {=}\limits ^{\mathrm {?}}}z' \big )\) for all \(({\textbf{x}}', z') \in \{ 0,1 \} ^\ell \times \{ 0,1 \} \). Then compute \(\textsf{sk}_{{\tilde{C}}} \overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \mathsf {CS.KeyGen}(\textsf{msk}, {\tilde{C}})\), and output \(\varvec{\sigma }= \textsf{sk}_{{\tilde{C}}}\).

  • \(\mathsf {HS.Eval}(\textsf{pk}, C, {\textbf{x}}, \varvec{\sigma })\): On input \(C\in {\mathcal {C}}\), \({\textbf{x}}\in \{ 0,1 \} ^\ell \), and \(\varvec{\sigma }= \textsf{sk}_{{\tilde{C}}}\), compute \(z = C({\textbf{x}})\). Then compute \(\sigma _{\textsf{CS}} \overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \mathsf {CS.Sign}(\textsf{sk}_{{\tilde{C}}}, {\textbf{x}}\Vert z)\), and output \(\sigma = \sigma _{\textsf{CS}}\). Here \(\cdot \Vert \cdot \) denotes concatenation of bit strings.

  • \(\mathsf {HS.Verify}(\textsf{pk}, {\textbf{x}}, z, \varvec{\sigma })\): Run the following algorithms in order:

    • \(\mathsf {HS.VerifyOffL}( \textsf{pk}, {\textbf{x}}):\) Parse \(\textsf{pk}= \textsf{vk}\rightarrow (\textsf{vk}_0, \{ \textsf{vk}_{i, b} \}_{i \in [n + 1], b \in \{ 0,1 \} } )\) and compute \(\textsf{vk}_{\textbf{x}}= \mathsf {CS.Aggrgt}( \{ \textsf{vk}_{i, {\textbf{x}}_i} \}_{i \in [n]} )\) where \({\textbf{x}}_i\) denotes the i-th bit of \({\textbf{x}}\). Finally, output \(\textsf{pk}_{\textbf{x}}= (\textsf{vk}_0, \textsf{vk}_{\textbf{x}}, \{ \textsf{vk}_{n + 1, b} \}_{b \in \{ 0,1 \} } )\).

    • \(\mathsf {HS.VerifyOnL}( \textsf{pk}', z, \sigma ): \) Parse \(\textsf{pk}' \rightarrow (\textsf{vk}_0, \textsf{vk}_{\textbf{x}}, \{ \textsf{vk}_{n + 1, b} \}_{b \in \{ 0,1 \} } )\) and \(\sigma \rightarrow \sigma _{\textsf{CS}}\) and compute \(\textsf{vk}_{{\textbf{x}}\Vert z} = \mathsf {CS.Aggrgt}(\textsf{vk}_{\textbf{x}}, \textsf{vk}_{n + 1, z})\). Then output whatever is returned by running \(\mathsf {CS.VrfyOnL}( \textsf{vk}_0, \textsf{vk}_{{\textbf{x}}\Vert z}, \sigma _{\textsf{CS}})\).

Security and correctness of the scheme directly follow from the result by Tsabary [70]. However, since we adopt a slightly different syntax from hers, we give the proofs for the sake of completeness.

Correctness.

Theorem A.5

(Correctness) If \(\Pi _{\textsf{CS}}\) satisfies correctness, then \(\Pi _\textsf{HS}\) satisfies correctness.

Proof

It can be checked by inspection. Fix a message \({\textbf{x}}\in \{ 0,1 \} ^\ell \) and a circuit \(C\in {\mathcal {C}}\), and let \(z = C({\textbf{x}})\). Then, by correctness of \(\Pi _{\textsf{CS}}\), we have \(\mathsf {CS.Vrfy}( \textsf{vk}, {\textbf{x}}\Vert z, \sigma _{\textsf{CS}} ) = \top \) where \(\sigma _{\textsf{CS}} \overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \mathsf {CS.Sign}(\textsf{sk}_{{\tilde{C}}}, {\textbf{x}}\Vert z)\), since \({\tilde{C}}({\textbf{x}}\Vert z) = 1\) by definition of \({\tilde{C}}\). Therefore, due to the decomposable online-offline efficiency property of \(\Pi _{\textsf{CS}}\) (see Definition 4.2), \(\mathsf {HS.Verify}\) outputs \(\top \) as well. \(\square \)

Security.

Theorem A.6

(Unforgeability) If \(\Pi _{\textsf{CS}}\) satisfies (adaptive one-key) unforgeability, then \(\Pi _\textsf{HS}\) satisfies unforgeability.

Proof

We prove by contradiction. Suppose that there exists a PPT adversary \({\mathcal {A}}\) that breaks unforgeability of \(\Pi _\textsf{HS}\) with non-negligible probability \(\epsilon \). We then construct a PPT adversary \({\mathcal {B}}\) that breaks the (adaptive one-key) security of \(\Pi _{\textsf{CS}}\) with probability \(\epsilon \) as follows.

  • \({\mathcal {B}}(\textsf{vk})\): It sets \(\textsf{pk}:= \textsf{vk}\) and gives the verification key \(\textsf{pk}\) to \({\mathcal {A}}\). When \({\mathcal {A}}\) submits a circuit \(C\in {\mathcal {C}}\), \({\mathcal {B}}\) first computes the associated circuit \({\tilde{C}}\in \tilde{{\mathcal {C}}}\) defined as \({\tilde{C}}({\textbf{x}}', z') = \big ( C({\textbf{x}}') {\mathop {=}\limits ^{\mathrm {?}}}z' \big )\) for all \(({\textbf{x}}', z') \in \{ 0,1 \} ^\ell \times \{ 0,1 \} \). \({\mathcal {B}}\) then makes a key generation query for \({\tilde{C}}\) to its own \(\Pi _{\textsf{CS}}\) challenger to obtain \(\textsf{sk}_{{\tilde{C}}}\), and gives \(\textsf{sk}_{{\tilde{C}}}\) to \({\mathcal {A}}\). When \({\mathcal {A}}\) outputs a forgery \(({\textbf{x}}^\star , z^\star , \sigma ^\star )\), \({\mathcal {B}}\) outputs \(({\textbf{x}}^\star \Vert z^\star , \sigma ^\star )\) as its forgery.

It is clear that \({\mathcal {B}}\) perfectly simulates the view of the unforgeability game of \(\Pi _\textsf{HS}\) to \({\mathcal {A}}\). We claim that whenever \({\mathcal {A}}\) wins the unforgeability game of \(\Pi _\textsf{HS}\), \({\mathcal {B}}\) wins the unforgeability game of \(\Pi _{\textsf{CS}}\). By the winning condition, \({\mathcal {A}}\)’s forgery satisfies \(({\textbf{x}}^\star , z^\star ) \in \{ 0,1 \} ^\ell \times \{ 0,1 \} \), \(C({\textbf{x}}^\star ) \ne z^\star \), and \(\mathsf {HS.Verify}( \textsf{pk}, {\textbf{x}}^\star , z^\star , \sigma ^\star ) = \top \). In particular, this implies \({\tilde{C}}( {\textbf{x}}^\star , z^\star ) = 0\) and \(\mathsf {CS.Vrfy}(\textsf{vk}, {\textbf{x}}^\star \Vert z^\star , \sigma ^\star ) = \top \). Therefore, \({\mathcal {B}}\) wins the unforgeability game of \(\Pi _{\textsf{CS}}\) with advantage \(\epsilon \), which is non-negligible as desired. \(\square \)

Remark A.7

(Instantiations) If we instantiate the scheme based on the decomposable online-offline efficient CS scheme in Sect. 4, we obtain a compact offline-online efficient HomSig scheme based on the DLIN assumption where “compact” means that the evaluated signature size does not depend on the size of the circuit on which the pre-evaluation signature is generated.

Remark A.8

(Extension to multi-data scheme) By using the generic transformation from a single-data scheme to a multi-data scheme by Gorbunov et al. [42], we obtain a multi-data HomSig scheme based on CS. As in [54], the resulting scheme does not satisfy amortized verification efficiency, the property that a verifier needs to perform a computation depending on the size of the circuit only once and can then reuse it for verifying signatures generated by multiple signers w.r.t. multiple data sets.

Efficient Instantiation based on Groth-Sahai Proof

Here, we give an efficient instantiation of the scheme given in Sect. 5.1 based on the Groth-Sahai proof under the SXDH assumption.

Groth-Sahai Proof. First, we briefly recall the Groth-Sahai proof; we refer to [41] for the full description. We note that we focus on the instantiation based on the SXDH assumption here.

Roughly speaking, the Groth-Sahai proof is an efficient NIZK for a specific class of languages associated with a pairing group. Specifically, it enables one to prove that values committed under an associated extractable commitment scheme satisfy certain algebraic relations. We denote the setup algorithm of the associated commitment scheme by \(\textsf{GS}.\textsf{Setup}\) and the committing algorithm in \(G_b\) by \(\textsf{GS}.\textsf{Commit}_{G_b}\) for \(b=1,2\). The setup algorithm \(\textsf{GS}.\textsf{Setup}\) takes a description of a pairing group and outputs a common reference string \(\textsf{crs}_{\textsf{GS}}\). The committing algorithm \(\textsf{GS}.\textsf{Commit}_{G_b}\) in \(G_b\) takes the common reference string \(\textsf{crs}_{\textsf{GS}} \) and an element of \(G_b\) or \({\mathbb {Z}}_p\) as input, and returns a commitment that consists of 2 elements of \(G_b\). For \(X=(X_1,\ldots ,X_m) \in G_b^m\) (resp. \(x=(x_1,\ldots ,x_m)\in {\mathbb {Z}}_p^m)\), we write \(\textsf{GS}.\textsf{Commit}_{G_b}(\textsf{crs}_{\textsf{GS}}, X)\) (resp. \(\textsf{GS}.\textsf{Commit}_{G_b}(\textsf{crs}_{\textsf{GS}}, x)\)) to mean \((\textsf{GS}.\textsf{Commit}_{G_b}(\textsf{crs}_{\textsf{GS}}, X_1),\ldots ,\textsf{GS}.\textsf{Commit}_{G_b}(\textsf{crs}_{\textsf{GS}}, X_m))\) (resp. \((\textsf{GS}.\textsf{Commit}_{G_b} (\textsf{crs}_{\textsf{GS}}, x_1), \ldots ,\textsf{GS}.\textsf{Commit}_{G_b}(\textsf{crs}_{\textsf{GS}}, x_m))\)) for notational simplicity.

Suppose that \((X_1,\ldots ,X_m)\in G_1^m\) and \((x_1,\ldots ,x_{m'})\in {\mathbb {Z}}_p^{m'}\) are committed under \(\textsf{GS}.\textsf{Commit}_{G_1}\), and \((Y_1,\ldots ,Y_n)\in G_2^n\) and \((y_1,\ldots ,y_{n'})\in {\mathbb {Z}}_p^{n'}\) are committed under \(\textsf{GS}.\textsf{Commit}_{G_2}\). Then the GS proof enables one to prove equations of the following forms.

\({{{{\textbf {Pairing product equation with target }}}1\in G_{T}:}}\)

$$\begin{aligned} \prod _{i=1}^{n}e(A_i,Y_i)\cdot \prod _{i=1}^{m}e(X_i,B_i)\cdot \prod _{i=1}^{m}\prod _{j=1}^{n}e(X_i,Y_j)^{\gamma _{ij}}=1, \end{aligned}$$

for constants \(A_i\in G_1, B_i\in G_2, \gamma _{ij}\in {\mathbb {Z}}_p\).

\({{{{\textbf {Multi-scalar multiplication equation in }}}G_1:}}\)

$$\begin{aligned} \prod _{i=1}^{n'}A_i^{y_i}\cdot \prod _{i=1}^{m}X_i^{b_i}\cdot \prod _{i=1}^{m}\prod _{j=1}^{n'}X_i^{\gamma _{ij}y_{j}}=T_1 \end{aligned}$$

for constants \(A_i,T_1\in G_1\), \(b_i,\gamma _{ij}\in {\mathbb {Z}}_p\).

\({{{{\textbf {Multi-scalar multiplication equation in }}}G_2:}}\)

$$\begin{aligned} \prod _{i=1}^{n}Y_i^{a_i}\cdot \prod _{i=1}^{m'}B_i^{x_i}\cdot \prod _{i=1}^{m'}\prod _{j=1}^{n}Y_j^{\gamma _{ij}x_{i}}=T_2 \end{aligned}$$

for constants \(B_i,T_2\in G_2\), \(a_i,\gamma _{ij}\in {\mathbb {Z}}_p\).

\({{{{\textbf {Quadratic equation in }}}{\mathbb {Z}}_p:}}\)

$$\begin{aligned} \sum _{i=1}^{n'}a_iy_i+\sum _{i=1}^{m'}x_ib_i+\sum _{i=1}^{m'} \sum _{j=1}^{n'}\gamma _{ij}x_iy_j=t \mod p \end{aligned}$$

for constants \(a_i,b_i,\gamma _{ij},t\in {\mathbb {Z}}_p\).

We summarize the number of group elements that are needed to prove these equations in Table 3.

Table 3 Summary of sizes of GS proofs

Our NIZK. Let \({\mathcal {L}}\) be an \({{\textbf {NP}}}\) language defined by a relation \({\mathcal {R}}\subseteq \{0,1\}^*\times \{0,1\}^* \). Let \(n(\kappa )\) and \(m(\kappa )\) be any fixed polynomials. Let C be an \({{\textbf {NC}}}^1\) circuit that computes the relation \({\mathcal {R}}\) on \(\{0,1\}^{n}\times \{0,1\}^{m}\), i.e., for \((x,w)\in \{0,1\}^{n}\times \{0,1\}^{m}\), we have \(C(x,w)=1\) if and only if \((x,w)\in {\mathcal {R}}\). Let \(\Pi _\textsf{SKE}= (\textsf{SKE}.\textsf{Setup}, \textsf{SKE}.\textsf{KeyGen},\textsf{SKE}.\textsf{Enc},\textsf{SKE}.\textsf{Dec})\) be an SKE scheme with message space \( \{ 0,1 \} ^{m}\), key space \( \{ 0,1 \} ^{\ell }\) and ciphertext space \( \{ 0,1 \} ^{|\textsf{ct}|}\). We require that it is one-time secure, its decryption circuit can be computed in \({{\textbf {NC}}}^1\), it has no ciphertext overhead (i.e., \(|\textsf{ct}|=m\)), and \(\ell \) does not depend on m. We define a circuit \(f_{\textsf{pp}_{\textsf{SKE}}}: \{0,1\}^{n'}\rightarrow \{0,1\}\) that computes

$$\begin{aligned} f_{\textsf{pp}_{\textsf{SKE}}}( K, x,\textsf{ct}) = C(x, \textsf{SKE}.\textsf{Dec}(\textsf{pp}_{\textsf{SKE}}, K, \textsf{ct}) ) \end{aligned}$$

for \(\textsf{pp}_{\textsf{SKE}}\in \textsf{SKE}.\textsf{Setup}(1^\kappa )\) where \(n':=\ell +n+|\textsf{ct}|\). Since we assume that both C and \(\textsf{SKE}.\textsf{Dec}\) can be computed in \({{\textbf {NC}}}^1\), \(f_{\textsf{pp}_{\textsf{SKE}}}\) can be computed in \({{\textbf {NC}}}^1\). Let \(\textsf{share}\) be as defined in Definition 3.1 and \(\textsf{EncInp}\) and \(\textsf{EncCir}\) be as defined in Lemma 2.9.

Our scheme is described as follows.

  • \(\textsf{Setup}(1^\kappa )\):

    1. Generate \(\textsf{pp}_{\textsf{SKE}}\overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \textsf{SKE}.\textsf{Setup}(1^\kappa )\).

    2. Run \({\mathbb {G}}= (p, G_1, G_2, G_T, e) \overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \textsf{GGen}(1^\kappa )\) and generate \(\textsf{crs}_{\textsf{GS}} \overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \textsf{GS}.\textsf{Setup}({\mathbb {G}})\).

    3. Sample \({\textbf{a}}\overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } {\mathbb {Z}}_p^{2}\), \({\textbf{w}}_{i} \overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } {\mathbb {Z}}_p^{2}\) for \(i\in [2n']\) and \({\textbf{v}}\overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } {\mathbb {Z}}_p^{2}\) and set

      $$\begin{aligned} \textsf{vk}= ( [{\textbf{a}}^\top ]_1, [{\textbf{a}}^\top {\textbf{w}}_1]_1,\ldots , [{\textbf{a}}^\top {\textbf{w}}_{2n'}]_1, e( [{\textbf{a}}^\top ]_1, [{\textbf{v}}]_2 ) ). \end{aligned}$$

    4. Compute \(\textsf{EncCir}(f_{\textsf{pp}_{\textsf{SKE}}}) \rightarrow f'\), sample \((\{ {\textbf{v}}_j \}_{j\in [ {\hat{m}} ]}, \rho ) \overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \textsf{share}(f', {\textbf{v}})\) and \(r_j \overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } {\mathbb {Z}}_p\) for \(j\in [{\hat{m}} ]\), and compute

      $$\begin{aligned} \textsf{sk}_f = \left( \Bigl \{ \textsf{sk}_{ j } :=[r_j]_2, \quad \textsf{sk}_{ \rho (j), j }:=[{\textbf{v}}_j + {\textbf{w}}_{\rho (j)}r_j]_2, \quad \{ ~ \textsf{sk}_{i,j} :=[{\textbf{w}}_{i} r_j]_2 ~ \}_{ i\in [2n'] \backslash \{\rho (j) \}} \Bigr \}_{j\in [{\hat{m}}]} \right) \end{aligned}$$

      where \({\textbf{w}}_{0} = {\textbf{0}}\) and \({\hat{m}}\) is the number of shares generated by \(\textsf{share}(f',{\textbf{v}})\).

    5. Output \(\textsf{crs}= (\textsf{pp}_{\textsf{SKE}}, {\mathbb {G}}, \textsf{crs}_{\textsf{GS}}, \textsf{vk}, \textsf{sk}_f )\).

  • \(\textsf{Prove}(\textsf{crs},x,w)\):

    1. Abort if \({\mathcal {R}}(x,w)=0\). Otherwise, do the following.

    2. Parse \(\textsf{crs}\rightarrow (\textsf{pp}_{\textsf{SKE}}, {\mathbb {G}}, \textsf{crs}_{\textsf{GS}}, \textsf{vk}, \textsf{sk}_f)\).

    3. Generate \(K\overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \textsf{SKE}.\textsf{KeyGen}(\textsf{pp}_{\textsf{SKE}})\) and \(\textsf{ct}\overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \textsf{SKE}.\textsf{Enc}(\textsf{pp}_{\textsf{SKE}}, K,w)\).

    4. Set \(z :=\textsf{EncInp}(K\Vert x\Vert \textsf{ct}) \), compute \(\omega _j\) such that \({\textbf{v}}= \sum _{j: \rho (j)=0\vee z_{\rho (j)}=1 } \omega _j {\textbf{v}}_j\), and compute

      $$\begin{aligned} \sigma _{\textsf{CS}} = \left( {\sigma _{\textsf{CS}}}_1 = \prod _{j:\rho (j)=0 \vee z_{\rho (j)}=1 } \left( \prod _{i: z_i = 1 } \textsf{sk}_{i,j} \right) ^{\omega _j } , \quad {\sigma _{\textsf{CS}}}_2= \prod _{j: \rho (j)=0 \vee z_{\rho (j)}=1 } \textsf{sk}_{j}^{\omega _j } \right) \in G_2^3. \end{aligned}$$

    5. Compute \(Y :=\prod _{i\in [n+|\textsf{ct}| ] } [{\textbf{a}}^\top {\textbf{w}}_{2\ell + 2i-y_i}]_1\) where \(y :=( x,\textsf{ct})\in \{ 0,1 \} ^{n+|\textsf{ct}|} \).

    6. Compute \(\textsf{com}_{K}\overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \textsf{GS}.\textsf{Commit}_{G_1}(\textsf{crs}_{\textsf{GS}},\{K_i\}_{i\in [\ell ]})\) and \(\textsf{com}_{{\widetilde{K}}_i}\overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \textsf{GS}.\textsf{Commit}_{G_2} (\textsf{crs}_{\textsf{GS}},\{{\widetilde{K}}_i\}_{i\in [\ell ]})\) where \({\widetilde{K}} :=K\).

    7. Compute \(\textsf{com}_{Z}\overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \textsf{GS}.\textsf{Commit}_{G_1}(\textsf{crs}_{\textsf{GS}},Z)\) where \(Z:=\prod _{i\in [\ell ]}[{\textbf{a}}^\top {\textbf{w}}_{2i-K_i}]_1\cdot Y \in G_1\).

    8. Compute \(\textsf{com}_{V}\overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \textsf{GS}.\textsf{Commit}_{G_2}(\textsf{crs}_{\textsf{GS}},V)\) where \(V :=[{\textbf{v}}]_2 \in G_2^{2}\).

    9. Compute \(\textsf{com}_{\sigma _{\textsf{CS}}}\overset{\hspace{0.1em}\mathsf {\scriptscriptstyle \$}}{\leftarrow } \textsf{GS}.\textsf{Commit}_{G_2}(\textsf{crs}_{\textsf{GS}},\sigma _{\textsf{CS}})\).

    10. Generate a proof \(\pi _{K}\) that proves

      $$\begin{aligned} K_i-{\widetilde{K}}_i&=0 \mod p,\\ K_i\cdot {\widetilde{K}}_i-K_i&=0 \mod p \end{aligned}$$

      for all \(i\in [\ell ]\). (In particular, this ensures \(K_i,{\widetilde{K}}_i\in \{0,1\}\) for \(i\in [\ell ]\).)

    11. Generate a proof \(\pi _{Z}\) that proves

      $$\begin{aligned} Z=\prod _{i\in [\ell ]}([{\textbf{a}}^\top {\textbf{w}}_{2i-1}]_1^{{\widetilde{K}}_i}\cdot [{\textbf{a}}^\top {\textbf{w}}_{2i}]_1^{1-{\widetilde{K}}_i})\cdot Y. \end{aligned}$$

      Note that this is equivalent to

      $$\begin{aligned} Z= \prod _{i\in [\ell ]}[{\textbf{a}}^\top {\textbf{w}}_{2i-{\widetilde{K}}_i}]_1\cdot Y \end{aligned}$$

      for \({\widetilde{K}}_i\in \{0,1\}\).

    12. Generate a proof \(\pi _{V}\) that proves

      $$\begin{aligned} V= [{\textbf{v}}]_2. \end{aligned}$$

    13. Generate a proof \(\pi _{\sigma _{\textsf{CS}}}\) that proves

      $$\begin{aligned} e( [{\textbf{a}}^\top ]_1 , {\sigma _{\textsf{CS}}}_1) \cdot e(Z, {\sigma _{\textsf{CS}}}_2 )^{-1} \cdot e([{\textbf{a}}^\top ]_1,V)^{-1}=1. \end{aligned}$$

    14. Output \(\pi :=(\textsf{ct}, \textsf{com}_{K}, \textsf{com}_{{\widetilde{K}}},\textsf{com}_{Z}, \textsf{com}_{V}, \textsf{com}_{\sigma _{\textsf{CS}}}, \pi _{K}, \pi _{Z},\pi _{V}, \pi _{\sigma _{\textsf{CS}}})\).

  • \(\textsf{Verify}(\textsf{crs},x,\pi )\):

    1. Parse \(\pi \rightarrow (\textsf{ct}, \textsf{com}_{K}, \textsf{com}_{{\widetilde{K}}},\textsf{com}_{Z}, \textsf{com}_{V}, \textsf{com}_{\sigma _{\textsf{CS}}}, \pi _{K}, \pi _{Z},\pi _{V}, \pi _{\sigma _{\textsf{CS}}})\). If it is not in this form, reject it. Otherwise, do the following.

    2. Parse \(\textsf{crs}\rightarrow (\textsf{pp}_{\textsf{SKE}}, {\mathbb {G}}, \textsf{crs}_{\textsf{GS}}, \textsf{vk}, \textsf{sk}_f )\).

    3. Compute \( Y :=\prod _{i\in [n+|\textsf{ct}| ] } [{\textbf{a}}^\top {\textbf{w}}_{2\ell + 2i-y_i}]_1 \) where \(y :=( x,\textsf{ct})\in \{ 0,1 \} ^{n+|\textsf{ct}|} \).

    4. Output \(\top \) if all proofs \((\pi _{K}, \pi _{Z},\pi _{V}, \pi _{\sigma _{\textsf{CS}}})\) are valid w.r.t. the commitments \((\textsf{com}_{K}, \textsf{com}_{{\widetilde{K}}},\textsf{com}_{Z}, \textsf{com}_{V}, \textsf{com}_{\sigma _{\textsf{CS}}})\), and otherwise \(\bot \).

Efficiency. We summarize the size of each component of the proof in Table 4. The total proof size is \(|w|+(6\ell +14)|G_1|+(6\ell +25)|G_2|\). Recall that \(\ell \) is the length of the secret key of \(\textsf{SKE}\), and thus we can take \(\ell \) to be a fixed polynomial in the security parameter. In particular, under reasonable assumptions, we can take \(\ell = O(\kappa )\).

Table 4 Summary of sizes of GS commitments and GS proofs in our scheme

Security. Since the above scheme is an instantiation of the scheme in Sect. 5.1, the security follows from Theorems 5.1 and 5.2. Specifically, we have the following theorems.

Theorem B.1

(Soundness) The above NIZK scheme \(\Pi _\textsf{NIZK}\) is computationally (adaptive) sound if the SXDH assumption holds.

Theorem B.2

(Zero-Knowledge) The above NIZK scheme \(\Pi _\textsf{NIZK}\) is computationally zero-knowledge if the SXDH assumption holds and \(\Pi _\textsf{SKE}\) is one-time secure.


Cite this article

Katsumata, S., Nishimaki, R., Yamada, S. et al. Compact NIZKs from Standard Assumptions on Bilinear Maps. J Cryptol 37, 23 (2024). https://doi.org/10.1007/s00145-024-09503-8
