Dual-System Simulation-Soundness with Applications to UC-PAKE and More
Abstract
We introduce a novel concept of dual-system simulation-sound non-interactive zero-knowledge (NIZK) proofs. A dual-system NIZK proof system can be seen as a two-tier proof system. As opposed to the usual notion of zero-knowledge proofs, dual-system defines an intermediate partial-simulation world, where the proof simulator may have access to additional auxiliary information about the word, for example a membership bit, and simulation of proofs is only guaranteed if the membership bit is correct. Further, dual-system NIZK proofs allow a quasi-adaptive setting where the CRS can be generated based on language parameters. This allows for the further possibility that the partial-world CRS simulator may have access to additional trapdoors related to the language parameters. We show that for important hard languages like the Diffie-Hellman language, such dual-system proof systems can be given which allow unbounded partial simulation soundness, and which further allow transition between the partial-simulation world and the single-theorem full-simulation world even when proofs are sought on non-members. The construction is surprisingly simple, involving only two additional group elements for general linear-subspace languages in asymmetric bilinear pairing groups.
As a direct application we give a short keyed-homomorphic CCA-secure encryption scheme. The ciphertext in this scheme consists of only six group elements (under the SXDH assumption) and the security reduction is tight. An earlier scheme of Libert et al. based on their efficient unbounded simulation-sound QA-NIZK proofs only provided a loose security reduction, and further had ciphertexts almost twice as long as ours.
We also show a single-round universally-composable password-authenticated key-exchange (UC-PAKE) protocol which is secure under adaptive corruption in the erasure model. The single message flow only requires four group elements under the SXDH assumption.
This is the shortest known UC-PAKE even without considering adaptive corruption. The latest published scheme which considered adaptive corruption, by Abdalla et al. [ABB+13], required a non-constant number of group elements (more than 10 times the bit-size of the password).
Keywords
NIZK · Bilinear pairings · UC-PAKE · Keyed-homomorphic encryption · SXDH
1 Introduction
Since the introduction of simulation-sound non-interactive zero-knowledge proofs (NIZK) in [Sah99] (based on the concept of non-malleability [DDN91]), simulation-soundness has become an essential cryptographic tool. While the idea of zero-knowledge simulation [GMR89] brought rigor to the concept of semantic security, simulation-soundness of some form is usually implicit in most cryptographic applications. While the original construction of [Sah99] was rather inefficient, the advent of pairing-based cryptography, and in particular Groth-Sahai NIZK proofs [GS08], has led to much more efficient simulation-sound NIZK constructions. Pairing-based cryptography has also led to efficient constructions of powerful primitives where simulation-soundness is not very explicit.
It has been shown that different forms of simulation-soundness suffice for many applications. Indeed, the original application (CCA2-secure encryption) considered in [Sah99] only required what is known as single-theorem simulation-soundness (also known as one-time simulation-soundness). However, many other cryptographic constructions are known only using unbounded simulation-sound NIZK proofs. In this paper, we introduce the concept of dual-system simulation-sound NIZK proofs, which lie somewhere in between one-time and unbounded simulation-sound NIZK proofs. The aim is to show that this weaker concept suffices for constructions where unbounded simulation-soundness has been used until now. We also show that in many applications this new concept of dual-system simulation soundness is implicit, in the sense that although we cannot get a generic construction from a NIZK proof, we can use the underlying ideas of the dual-system simulation-sound NIZK proofs.
Indeed, our novel definition is inspired by the dual-system identity-based encryption (IBE) scheme of Waters [Wat09], where such a concept was implicit, and led to the first IBE scheme which was fully-secure under static and standard assumptions. So without further ado, we jump straight into the main idea of the new concept. In dual-system simulation-sound NIZK proof systems we will consider three worlds: the real world, the partial-simulation world, and the one-time full-simulation world. The real world consists of a common-reference string (CRS), an efficient prover \({\mathsf{P}}\), and an efficient verifier \({\mathsf{V}}\). The concept of completeness and soundness of \({\mathsf{P}}\) and \({\mathsf{V}}\) with respect to a witness-relation R is well-understood. The full-simulation world is also standard, and it includes two simulators: a CRS simulator and a proof simulator. The proof simulator is a zero-knowledge simulator in the sense that it can simulate proofs even without access to the witness. In order to achieve this, the CRS simulator generates the CRS in a potentially different way and produces a trapdoor for the proof simulator. The partial-simulation world we consider also has a CRS simulator and a proof simulator, but this proof simulator is allowed partial access to the witness (or some other auxiliary information) about the member on which the proof is sought.
At this point, we also bring in the possibility of the CRS being generated as a function of the language or witness-relation under consideration. The recent quasi-adaptive NIZK (QA-NIZK) proofs of [JR13] allow this possibility for distributions of witness-relations. The CRS in the real and the full-simulation worlds is generated based on a language parameter generated according to some distribution. Now we consider the possibility that in the partial-simulation world, the CRS simulator actually generates the language parameter itself. In other words, the CRS simulator has access to the “witness” of the language parameter. For example, the CRS simulator may know the discrete logs of the language parameters. This leads to the possibility that in the partial-simulation world the proof simulator may have access to additional trapdoors which make simulation and/or simulation soundness easier to achieve.
In this paper, we will only define and consider dual-system simulation-sound QA-NIZK proofs (called DSS-QA-NIZK), where the only auxiliary information that the partial proof simulator gets is a single bit which is called the membership bit. The membership bit indicates whether the word on which the proof is sought is in the language or not. We show that we can achieve unbounded partial-simulation soundness for important languages like the Diffie-Hellman language by relatively simple constructions. The constructions also allow one-time full-ZK simulation, and hence form a DSS-QA-NIZK for the Diffie-Hellman language. We actually give a general construction for arbitrary languages which allow smooth and universal\(_2\) projective hash proofs [CS02] and have QA-NIZKs for the language augmented with such a hash proof. We show that for linear subspace languages (over bilinear groups), like the Diffie-Hellman and decisional-linear (DLIN) languages, the requirements for the general construction are easy to obtain. Thus, for all such languages, under the standard and static SXDH assumption in bilinear pairing groups, we get a DSS-QA-NIZK proof of only two group elements.
Comparison with existing NIZK schemes for linear subspaces, with table adapted from [KW15]. The language of interest is a t-dimensional subspace of an n-dimensional ambient space. m is the bit-size of the tag. AS is adaptive-soundness, OTSS is one-time simulation-soundness, USS is unbounded simulation-soundness, and DSS is dual-system simulation-soundness.

| Scheme | Soundness | Assumption | Proof | CRS | #pairings |
|---|---|---|---|---|---|
| [GS08] | AS | DLIN | \(2n+3t\) | 6 | \(3n(t+3)\) |
| [LPJY14] | AS | DLIN | 3 | \(2n+3t+3\) | \(2n+4\) |
| [JR13] | AS | k-Linear | \(k(n-t)\) | \(2kt(n-t)+k+1\) | \(k(n-t)(t+2)\) |
| [JR14a] | AS | k-Linear | k | \(kn+kt+k^2\) | \(kn+k^2\) |
| [ABP15] | AS | k-Linear | k | \(kn+kt+k\) | \(kn+k\) |
| [KW15] | AS | k-Linear | k | \(kn+kt+k-1\) | \(kn+k-1\) |
| [ABP15] | OTSS | k-Linear | k | \(2m(kn+(k+1)t)+k\) | \(mkn+k\) |
| [KW15] | OTSS | k-Linear | k | \(2m(kn+(k+1)t)+k-1\) | \(mkn+k-1\) |
| This paper | DSS | k-Linear | \(k+1\) | \(k(n+1)+kt+k^2\) | \(k(n+1)+k^2\) |
| [CCS09] | USS | DLIN | \(2n+6t+52\) | 18 | \(O(tn)\) |
| [LPJY14] | USS | DLIN | 20 | \(2n+3t+3m+10\) | \(2n+30\) |
| [KW15] | USS | k-Linear | \(2k+2\) | \(kn+4(k+t+1)k+2k\) | \(k(n+k+1)+k\) |
Applications. We now give the main idea as to why such a construction is useful. The security of most applications is shown by reduction to a hard language. However, a particular application may have a more complex language for which the NIZK proofs are required, and the security proof may require soundness of the NIZK system while proofs of many elements (real or fake) of such a complex language are being simulated. The idea is that multiple simulations of such elements can be performed in a partial-simulation manner (i.e. it is always possible to supply the correct membership-bit), and full simulation is only required of one member at a time, on which the hardness assumption can then be invoked.
Keyed-Homomorphic CCA-secure Encryption. As a first application we consider the keyed-homomorphic CCA-secure encryption scheme notion of [EHO+13]. In such an encryption scheme, a further functionality called Eval is available which, using a key, can homomorphically combine valid ciphertexts. The scheme should provide IND-CCA2 security when this Eval key is unavailable to the adversary, and should continue to enjoy IND-CCA1 security when the Eval key is exposed to the adversary. Emura et al. also gave constructions for such a scheme, albeit schemes which are not publicly verifiable, and further satisfying a weaker notion than CCA1-security when the Eval key is revealed. Recently, Libert et al. gave a publicly-verifiable construction which is more efficient and also CCA1-secure when the Eval key is revealed. Their construction is based on a new and improved unbounded simulation-sound QA-NIZK for linear subspace languages. We show in this paper that a DSS-QA-NIZK for the Diffie-Hellman language suffices, and leads to a much improved construction. While the construction in [LPJY14], under the SXDH assumption, requires nine group elements in one group, and two more in the other plus a one-time signature key pair, our construction only requires six group elements in any one of the bilinear groups. Further, while the earlier reduction was loose (i.e. loses a factor quadratic in the number of Eval calls), our reduction is tight.
UC Password-Authenticated Key Exchange (UC-PAKE). The UC-PAKE ideal functionality was introduced in [CHK+05], where a three-round construction was also given. In [KV11] a single-round construction for UC-PAKE was given using Groth-Sahai NIZK proofs along with the unbounded simulation-soundness construction of [CCS09] (also see [JR12]). Later [BBC+13] gave a UC-PAKE construction based on novel trapdoor smooth projective hash functions, but secure only under static corruption; each message consisted of six group elements in one group, and another five elements in the other group (under the SXDH assumption).
In this paper, we give a single-round construction based on dual-system simulation-soundness which is UC-secure under adaptive corruption (in the erasure model), and which has only a total of four group elements in each message. The key is generated in the target group. The construction is not a black-box application of the DSS-QA-NIZK for the Diffie-Hellman language, but uses its underlying idea as well as the various component algorithms of the DSS-QA-NIZK. The main idea of the construction is given in more detail in Sect. 6.2.
Comparison with existing UC-PAKE schemes. m is the password size in bits and \(\lambda \) is the security parameter. AC stands for Adaptive Corruption. For one-round schemes, message size is per flow.

| Scheme | AC | One-round | Assumption | Message size |
|---|---|---|---|---|
| [ACP09] | yes | no | DDH | \(O(m \lambda )\) |
| [KV11] | no | yes | DLIN | \(> 65 \times \mathbb {G}\) |
| [JR12] | no | yes | SXDH | \(> 30\) total group elements |
| [BBC+13] | no | yes | SXDH | \(6 \times \mathbb {G}_1 + 5 \times \mathbb {G}_2\) |
| [ABB+13] | yes | yes | SXDH | \(10m \times \mathbb {G}_1 + m \times \mathbb {G}_2\) |
| This paper | yes | yes | SXDH | \(3 \times \mathbb {G}_1 + 1 \times \mathbb {G}_2\) |
Identity-Based Encryption (IBE). In the full version of this paper [JR14b], we show that the recent efficient dual-system IBE [JR13] (inspired by the original dual-system IBE of Waters [Wat09]) can also be obtained using the ideas of DSS-QA-NIZK. While the construction is not black-box and utilizes additional “smoothness” and “single-pairing-product test” properties of the verifier, it, along with the other two applications, clearly demonstrates the power and utility of the new notion, which we expect will find many more applications.
2 Preliminaries: Quasi-Adaptive NIZK Proofs
A witness relation is a binary relation on pairs of inputs, the first called a word and the second called a witness. Note that each witness relation R defines a corresponding language L which is the set of all x for which there exists a witness w such that R(x, w) holds.
We will consider Quasi-Adaptive NIZK proofs [JR13] for a probability distribution \(\mathcal{D}\) on a collection of (witness) relations \(\mathcal{{R}}= \{R_\rho \}\) (with corresponding languages \(L_\rho \)). Recall that in a quasi-adaptive NIZK, the CRS can be set after the language parameter has been chosen according to \(\mathcal{D}\). Please refer to [JR13] for detailed definitions.
Definition 1
Quasi-Adaptive Completeness: (equation given as an image in the original)
Quasi-Adaptive Soundness: (equation given as an image in the original)
Quasi-Adaptive Zero-Knowledge: (two equations given as images in the original), where \({\mathsf{sim^*}}(\textsc {crs}, {\mathsf{trap}}, x,w, {{ l}}) = {\mathsf{sim}}(\textsc {crs}, {\mathsf{trap}}, x, {{ l}})\) for \((x,w)\in R_\rho \) and both oracles (i.e. \({\mathsf{prover}}\) and \({\mathsf{sim^*}}\)) output failure if \((x,w)\not \in R_\rho \).
The QA-NIZK is called a statistical zero-knowledge QA-NIZK if the view of adversary \(\mathcal{A}_3\) above in the two experiments is statistically indistinguishable.
3 Dual-System Simulation-Soundness
To define dual-system simulation soundness of QA-NIZK proofs, we will consider three worlds: the real world, the partial-simulation world, and the one-time (or single theorem) full-simulation world. While the real world and the full-simulation world should be familiar from earlier definitions of NIZK proof systems, the partial-simulation world leads to interesting possibilities. To start with, in the partial-simulation world, one would like the proof simulator to have access to a partial or complete witness of the word^{1}. Finally, in the quasi-adaptive setting, the language parameters may actually be generated by the CRS simulator and hence the simulator may have access to, say, the discrete logs of the language parameters, which can serve as further trapdoors.
Rather than considering these general settings, we focus on a simple partial-simulation setting, where (a) the CRS simulator can generate the language parameters itself and (b) the proof simulator, when invoked with a word x, is given an additional bit \(\beta \), which we call the membership bit, that represents the information whether x is indeed a member or not.
The partial-simulation world is required to be unbounded simulation-sound, and hopefully this should be easier to prove than usual unbounded simulation-soundness (given that its simulators have additional information). We also allow the partial-simulation world to be sound with respect to a private verifier (this concept has been considered earlier in [JR12]), and this further leads to the possibility of easier and/or simpler constructions. A surprising property achievable under such a definition is that one can go back and forth between the partial-simulation world and the one-time full-simulation world even when simulating fake tuples.
Definition 2
Real World consisting of:
– A pair of CRS generators \(({\mathsf{K}}_0, {\mathsf{K}}_1)\), where \({\mathsf{K}}_0\) takes a unary string and produces an ensemble parameter \(\lambda \). (The ensemble parameter \(\lambda \) is used to sample a witness-relation parameter \(\rho \) using \(\mathcal{D}_\lambda \) in the security definition.) PPT algorithm \({\mathsf{K}}_1\) uses \(\rho \) (and \(\lambda \)) to produce the real-world CRS \(\psi \).
– A prover \({\mathsf{P}}\) that takes as input a CRS, a language member and its witness, a label, and produces a proof.
– A verifier \({\mathsf{V}}\) that takes as input a CRS, a word, a label, and a proof, and outputs a single bit.
Partial-Simulation World consisting of:
– A semi-functional CRS simulator \({\mathsf{sfK}}_1\) that takes ensemble parameter \(\lambda \) as input and produces a witness relation parameter \(\rho \), a semi-functional CRS \(\sigma \), as well as two trapdoors \(\tau \) and \(\eta \). The first trapdoor is used by the proof simulator, and the second by the private verifier.
– A semi-functional simulator \({\mathsf{sfSim}}\) that takes a CRS, a trapdoor \(\tau \), a word, a membership-bit \(\beta \), and a label, to produce a proof.
– A private verifier \({\mathsf{pV}}\) that takes a CRS, a trapdoor \(\eta \), a word, a label, and a proof and outputs a single bit.
One-time Full Simulation World consisting of:
– A one-time full-simulation CRS generator \({\mathsf{otfK}}_1\), that takes as input the ensemble parameter \(\lambda \) and the witness relation parameter \(\rho \) to produce a CRS and three trapdoors \(\tau \), \(\tau _1\) and \(\eta \).
– A one-time full simulator \({\mathsf{otfSim}}\) that takes as input a CRS, a trapdoor \(\tau _1\), a word, a label, and produces a proof^{2}.
– A semi-functional verifier \({\mathsf{sfV}}\) that takes as input a CRS, a trapdoor \(\eta \), a word, a label, a proof and outputs a bit. The adversaries also have access to the semi-functional simulator.
Definition 3
(Composable) Partial-ZK:
$$\begin{aligned}&\Pr [ \rho \leftarrow \mathcal{D}_\lambda ; \sigma \,\leftarrow \, {\mathsf{K}}_1(\lambda ,\rho ): {\mathcal{A}}_0(\sigma , \rho ) = 1] \approx \\&\Pr [ (\rho , \sigma , \tau , \eta ) \leftarrow {\mathsf{sfK}}_1(\lambda ): {\mathcal{A}}_0(\sigma , \rho ) = 1], \end{aligned}$$
and
$$\begin{aligned} \Pr [(\rho , \sigma , \tau , \eta ) \leftarrow {\mathsf{sfK}}_1(\lambda ): \, {\mathcal{A}}_1^{\;{\mathsf{P}}(\sigma , \cdot ,\cdot , \cdot ), \;{\mathsf{sfSim}}(\sigma , \tau , \cdot , \cdot , \cdot ), \;{\mathsf{V}}(\sigma , \cdot , \cdot , \cdot )}(\sigma , \rho ) = 1] \,\approx \\ \Pr [(\rho , \sigma , \tau , \eta ) \leftarrow {\mathsf{sfK}}_1(\lambda ): \, {\mathcal{A}}_1^{\;{\mathsf{sfSim^*}}(\sigma ,\tau , \cdot , \cdot , \cdot ), \;{\mathsf{sfSim}}(\sigma , \tau , \cdot , \cdot , \cdot ), \;{\mathsf{pV}}(\sigma , \eta , \cdot , \cdot , \cdot )}(\sigma , \rho ) = 1], \end{aligned}$$
where \({\mathsf{sfSim^*}}(\sigma , \tau , x, w, {{ l}})\) is defined to be \({\mathsf{sfSim}}(\sigma , \tau , x, \beta =1, {{ l}})\) (i.e. the witness is dropped, and membership-bit \(\beta =1\)), and the experiment aborts if either a call to the first oracle (i.e. \({\mathsf{P}}\) and \({\mathsf{sfSim^*}}\)) is with \((x,w, {{ l}})\) s.t. \(\lnot R_\rho (x,w)\), or a call to the second oracle is with an \((x, \beta , {{ l}})\) s.t. \(x \not \in L_\rho \) or \(\beta =0\).
Unbounded Partial-Simulation Soundness:
$$\begin{aligned} \Pr&\left[ \begin{array}{c} (\rho , \sigma , \tau , \eta ) \leftarrow {\mathsf{sfK}}_1(\lambda ); \, (x,{{ l}}, \pi )\leftarrow {\mathcal{A}}_2^{\;{\mathsf{sfSim}}(\sigma , \tau , \cdot , \cdot , \cdot ), \; {\mathsf{pV}}(\sigma , \eta , \cdot , \cdot , \cdot )}(\sigma , \rho ):\,\\ ((x \not \in L_\rho ) \,\vee \, {\mathsf{V}}(\sigma , x, {{ l}}, \pi )=0) \,\wedge \, {\mathsf{pV}}(\sigma ,\eta ,x, {{ l}}, \pi )=1 \end{array} \right] \approx 0. \end{aligned}$$
One-time Full-ZK:
$$\begin{aligned} \Pr&\left[ \begin{array}{c} (\rho , \sigma , \tau , \eta ) \leftarrow {\mathsf{sfK}}_1(\lambda ); (x^*,{{ l}}^*, \beta ^*,s) \leftarrow \, {\mathcal{A}}_3^{\;{\mathsf{sfSim}}(\sigma , \tau , \cdot , \cdot , \cdot ), \;{\mathsf{pV}}(\sigma , \eta , \cdot , \cdot , \cdot )}(\sigma , \rho ); \\ \pi ^* \leftarrow {\mathsf{sfSim}}(\sigma , \tau , x^*,\beta ^*, {{ l}}^*): {\mathcal{A}}_4^{\;{\mathsf{sfSim}}(\sigma , \tau , \cdot , \cdot , \cdot ), \;{\mathsf{pV}}(\sigma , \eta , \cdot , \cdot , \cdot )}(\pi ^*,s) = 1 \end{array} \right] \\ \approx \Pr&\left[ \begin{array}{c} \rho \leftarrow \mathcal{D}_\lambda ;\, (\sigma , \tau , \tau _1, \eta ) \leftarrow {\mathsf{otfK}}_1(\lambda ,\rho ); \\ (x^*, {{ l}}^*, \beta ^*, s) \leftarrow {\mathcal{A}}_3^{\;{\mathsf{sfSim}}(\sigma , \tau , \cdot , \cdot , \cdot ), \;{\mathsf{sfV}}(\sigma , \eta , \cdot , \cdot , \cdot )}(\sigma , \rho );\;\; \\ \pi ^* \leftarrow {\mathsf{otfSim}}(\sigma ,\tau _1, x^*, {{ l}}^*): {\mathcal{A}}_4^{\;{\mathsf{sfSim}}(\sigma , \tau , \cdot , \cdot , \cdot ), \;{\mathsf{sfV}}(\sigma , \eta , \cdot , \cdot , \cdot )}(\pi ^*,s) = 1 \end{array} \right] \!, \end{aligned}$$
where the experiment aborts if either in the call to the first oracle, or in the \((x^*, \beta ^*)\) produced by \({\mathcal{A}}_3\), the membership-bit provided is not correct for \(L_\rho \), or if \(\langle x^*, {{ l}}^*, \pi ^* \rangle \) is queried to \({\mathsf{sfV}}/{\mathsf{pV}}\). Here s is a state variable.
Remark 1. In the partial-simulation soundness definition, there is no restriction that \(x, {{ l}}, \pi \) be different from those obtained from a call to the first oracle \({\mathsf{sfSim}}\).
Remark 2. Note that in the partial-ZK definition, the calls to the prover are restricted to ones satisfying the relation. However, the calls to the simulator \({\mathsf{sfSim}}\) in the one-time full-ZK definition are only restricted to having the correct membership bit \(\beta \).
Remark 3. It can be shown that \({\mathsf{sfSim}}\)-generated proofs on words (whether members or not) are accepted by the real-world verifier \({\mathsf{V}}\) (with semi-functional CRS). Of course, the private verifier \({\mathsf{pV}}\) will still reject proofs generated by \({\mathsf{sfSim}}\) on non-language words. This justifies the name “semi-functional simulator”. See [JR14b] for a precise claim and proof.
It can also be shown that the semi-functional verifier \({\mathsf{sfV}}\) is still complete, i.e. it accepts language members and proofs generated on them by \({\mathsf{P}}(\sigma , \cdot , \cdot , \cdot )\) (with \(\sigma \) generated by \({\mathsf{otfK}}_1\)). As opposed to \({\mathsf{P}}\) and \({\mathsf{pV}}\), it may no longer be sound. This justifies the name “semi-functional verifier”, a la Waters’ dual-system IBE construction. However, if the one-time full-ZK property holds statistically, it can be shown that the semi-functional verifier is sound in the one-time full-simulation world. See [JR14b] for a precise statement.
Remark 4. The composable partial-ZK and unbounded partial-simulation soundness imply that the system is true-simulation-sound (cf. true-simulation extractable [Har11]) w.r.t. the semi-functional simulator, as stated below.
Lemma 1
(true-simulation-soundness) For a DSS-QA-NIZK, for all PPT \({\mathcal{A}}\),
\( \Pr \left[ \begin{array}{c} (\rho , \sigma , \tau , \eta ) \leftarrow {\mathsf{sfK}}_1(\lambda );\, (x, {{ l}}, \pi ) \leftarrow {\mathcal{A}}^{{\mathsf{sfSim}}(\sigma , \tau , \cdot , \cdot , \cdot )}\;(\sigma , \rho ): \\ \, (x \not \in L_\rho ) \,\wedge \, {\mathsf{V}}(\sigma , x, {{ l}}, \pi )=1\end{array}\right] \,\approx 0,\) where the experiment aborts if \({\mathcal{A}}\) calls the oracle with some \((y, \beta , {{ l}})\) s.t. \(y \not \in L_\rho \) or \(\beta =0\).
4 DSS-QA-NIZK for Linear Subspaces
In this section we show that languages that are linear subspaces of vector spaces of hard bilinear groups have very short dual-system simulation-sound QA-NIZKs. In fact, under the Symmetric-eXternal Diffie-Hellman (SXDH) assumption, such proofs only require two group elements, regardless of the subspace. It was shown in [JR14a] that such subspaces have a QA-NIZK proof of just one group element (under the SXDH assumption). Our construction essentially shows that with one additional group element, one can make the QA-NIZK dual-system simulation-sound. We will actually show a more general construction which is more widely applicable, and does not even refer to bilinear groups or linear subspaces. Informally speaking, the requirement for such a general construction for parameterized languages is that each language has a 2-universal projective hash proof system and the augmented language with this hash proof attached has a QA-NIZK proof system with statistical zero-knowledge. A few other properties of the QA-NIZK are required for this construction, and we show that such properties already hold for the construction of [JR14a]. Since for linear subspaces, 2-universal projective hash proofs are rather easy to obtain, the general construction along with the QA-NIZK of [JR14a] allows us to obtain a short DSS-QA-NIZK for linear subspaces. Apart from abstracting the main ideas involved in the DSS-QA-NIZK construction for linear subspaces, the general construction’s wider applicability also allows us to extend our results to linear subspaces with tags.
We start this section by briefly reviewing projective hash proofs [CS02], and their extensions to distributions of languages, as they are extensively used in the rest of the section.
The above notions can also incorporate labels. In an extended PHPS, the hash functions take an additional input called the label, and the public evaluation algorithm also takes this label as input. All the above notions are now required to hold for each possible value of the label. The extended PHPS is defined to be \(\epsilon \)-universal\(_2\) if for all \(s\in S\), \(x, x^* \in X\), all labels \({{ l}}\) and \({{ l}}^*\), and \(\pi , \pi ^* \in \Pi \) with \(x \not \in L\) and \((x, {{ l}}) \ne (x^*, {{ l}}^*)\), the following holds: \( \Pr [H_k(x, {{ l}}) = \pi \mid H_k(x^*, {{ l}}^*) = \pi ^* \, \wedge \, \alpha (k) = s] \, \le \, \epsilon . \)
Since we are interested in distributions of languages, we extend the above definition to distributions of languages. So consider a parametrized class of languages \(\{L_\rho \}_{\rho \in \mathsf{Lpar}}\) with the parameters coming from an associated parameter language \(\mathsf{Lpar}\). Assume that all the languages in this collection are subsets of X. Let H as above be a collection of hash functions from X to \(\Pi \). We say that the hash family is a projective hash family if for all \(L_\rho \), the action of \(H_k\) on \(L_\rho \) is determined by \(\alpha (k)\). Similarly, the hash family is \(\epsilon \)-universal\(_2\) (\(\epsilon \)-smooth) for \(\{L_\rho \}_{\rho \in \mathsf{Lpar}}\) if for all languages \(L_\rho \) the \(\epsilon \)-universal\(_2\) (resp. \(\epsilon \)-smooth) property holds.
Intuition for the Construction. The main idea of the construction is to first attach (as a proof component) a universal\(_2\) and smooth projective hash proof T. The DSS-QA-NIZK is then just \((T, \pi )\), where \(\pi \) is a QA-NIZK proof of the original language augmented with hash proof T. So, why should this work? First note that the smooth projective hash function is a designated-verifier NIZK, and hence this component T is used in private verification. Secondly, since it is universal\(_2\), its soundness will hold even when the adversary gets to see the projection key \(\alpha (k)\) plus one possibly fake hash proof (i.e. \(H_k(x)\), where x is not in the language).
We will assume in our general construction that the parameterized language is such that the simulator can sample the language parameters along with auxiliary information that allows it to easily verify a language member. For example, this auxiliary information can be the discrete logs of the language parameters. The idea of obtaining partial-ZK and unbounded partial-simulation soundness is then pretty simple. The proof simulation of T is easy to accomplish given the hash keys and, crucially, the correct membership-bit. In fact, if the membership-bit is false, T can just be set randomly (by smoothness). The simulation of the \(\pi \) part of the proof is done using the QA-NIZK simulation trapdoor. The private verification is done as a conjunction of three separate checks: (a) using the auxiliary information, (b) using the hash proof and (c) using the real-world verifier.
Now, in the one-time full simulation, the auxiliary information is not available, but the semi-functional verifier can still use the hash keys. Further, we can afford one bad use of the keys (in the full simulation of one proof). Since the oracle calls to the semi-functional simulator \({\mathsf{sfSim}}\) are restricted to having the correct membership-bit, they do not yield any additional information about the hash keys.
We will also assume that the distribution \(\mathcal{D}\) on \(\mathsf{Lpar}\) is efficiently witness samplable, which is defined by requiring that there are two efficient (probabilistic) algorithms \(E_1,E_2\) such that \(E_1\) can sample \(\rho \) from \(\mathcal{D}\) along with auxiliary information \(\psi \) (which can be thought of as a witness of \(\rho \) in the language \(\mathsf{Lpar}\)), and \(E_2\) can decide w.h.p. if a word x is in \(L_\rho \) given \(\rho \) and \(\psi \), where the probability is defined over the choice of \(\rho \) according to \(\mathcal{D}\) and the internal coins of \(E_2\).
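To make the ingredients of the intuition above concrete (the labeled projective hash proof T with its public and private evaluation, the witness-sampling algorithms \(E_1,E_2\), the membership-bit-driven simulation of T, and checks (a) and (b) of the private verifier), the following Python block works them through for the Diffie-Hellman language. It is an added illustration, not code from the paper: it uses an order-q subgroup of \(\mathbb{Z}_p^*\) for a toy safe prime (constructed here) rather than a pairing group, takes the standard Cramer-Shoup-style 2-universal hash with a SHA-256 tag t of (x, label) as the extended PHPS (an assumption about the instantiation), and the helper sample_non_member is hypothetical. The QA-NIZK component \(\pi \) is not modelled.

```python
"""Toy smooth, 2-universal labeled projective hash for the Diffie-Hellman
language, plus E_1/E_2 witness sampling and membership-bit simulation of T.
Added example (not the paper's code); group and parameters are constructed."""
import hashlib
import secrets

P = 1019            # toy safe prime p = 2q + 1 (constructed, far too small for real use)
Q = (P - 1) // 2    # q = 509: prime order of the quadratic-residue subgroup
G1 = 4              # a square mod p, hence a generator of the order-q subgroup


def sample_language_params():
    """E_1: sample rho = (g1, g2) together with psi = log_{g1}(g2)."""
    a = secrets.randbelow(Q - 1) + 1
    return (G1, pow(G1, a, P)), a


def is_member(rho, psi, x):
    """E_2: decide x = (x1, x2) in L_rho = {(g1^r, g2^r)} using the discrete log psi."""
    x1, x2 = x
    return pow(x1, psi, P) == x2


def sample_member(rho):
    """Honest word (g1^r, g2^r) with witness r."""
    g1, g2 = rho
    r = secrets.randbelow(Q)
    return (pow(g1, r, P), pow(g2, r, P)), r


def sample_non_member(rho, psi):
    """Hypothetical helper: a random pair outside L_rho (for demonstration only)."""
    g1, g2 = rho
    while True:
        x = (pow(g1, secrets.randbelow(Q), P), pow(g2, secrets.randbelow(Q), P))
        if not is_member(rho, psi, x):
            return x


def keygen():
    """Hash key k = (k1, k2, k3, k4), uniform in Z_q^4."""
    return tuple(secrets.randbelow(Q) for _ in range(4))


def projection(rho, k):
    """alpha(k) = (g1^k1 g2^k2, g1^k3 g2^k4): fixes H_k on L_rho but not outside it."""
    g1, g2 = rho
    k1, k2, k3, k4 = k
    return (pow(g1, k1, P) * pow(g2, k2, P) % P,
            pow(g1, k3, P) * pow(g2, k4, P) % P)


def tag(x, label):
    """t = Hash(x, label) in Z_q; a different (x, label) yields an independent key combination."""
    data = f"{x[0]}|{x[1]}|{label}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def private_hash(k, x, label):
    """H_k(x, l) = x1^(k1 + t k3) * x2^(k2 + t k4), evaluated with the secret key."""
    k1, k2, k3, k4 = k
    t = tag(x, label)
    x1, x2 = x
    return pow(x1, (k1 + t * k3) % Q, P) * pow(x2, (k2 + t * k4) % Q, P) % P


def public_hash(s, x, label, w):
    """Hhat(s, <x, l>, w) = (s1 * s2^t)^w: the prover's T, needing only alpha(k) and witness w."""
    s1, s2 = s
    t = tag(x, label)
    return pow(s1 * pow(s2, t, P) % P, w, P)


def sim_hash_component(k, x, beta, label):
    """sfSim's T: the real hash when beta == 1; a uniform element of Pi (E_3) when beta == 0,
    which is distributed correctly for non-members by smoothness."""
    if beta == 1:
        return private_hash(k, x, label)
    return pow(G1, secrets.randbelow(Q), P)


def private_verify(rho, psi, k, x, label, T):
    """Checks (a) and (b) of pV: membership via psi, then T against the secret-key hash."""
    return is_member(rho, psi, x) and T == private_hash(k, x, label)


if __name__ == "__main__":
    rho, psi = sample_language_params()
    k = keygen()
    s = projection(rho, k)
    x, w = sample_member(rho)
    print("member, public == private:", public_hash(s, x, "lbl", w) == private_hash(k, x, "lbl"))
    y = sample_non_member(rho, psi)
    print("non-member rejected by pV:", not private_verify(rho, psi, k, y, "lbl", private_hash(k, y, "lbl")))
```

Public and private evaluation agree exactly on members, so T is a designated-verifier proof of membership; on a non-member, check (a) rejects outright, and even if the verifier did not hold psi, the hash value is independent of alpha(k) by smoothness, which is what lets the simulator set T at random when the membership bit is 0.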
Finally, we need a few additional properties of QA-NIZK proofs (Sect. 2) that we now define. We will later show that the single group element QA-NIZK construction for linear subspaces of [JR14a] already satisfies these properties.
Definition 4
 The QANIZK (Sect. 2) is said to have composable zeroknowledge [GS08] if the CRS are indistinguishable in the real and simulation worlds, and the simulation is indistinguishable even if the adversary is given the trapdoor. More precisely, for all PPT adversary \({\mathcal{A}}_1, {\mathcal{A}}_2\),where \({\mathcal{A}}_2\) is restricted to calling the oracle only on \((x, w, {{ l}})\) with \((x,w) \in R_\rho \).$$\begin{aligned}&\Pr [ \textsc {crs}\leftarrow {\mathsf{crsgen}}(\lambda ,\rho ): {\mathcal{A}}_{1}(\textsc {crs}, \rho ) = 1] \,\approx \, \\&\Pr [ (\textsc {crs}, {\mathsf{trap}}) \leftarrow {\mathsf{crssim}}(\lambda , \rho ): \mathcal{A}_{1}(\textsc {crs}, \rho ) = 1 ], \\&\mathbf{and}\\&\Pr [(\textsc {crs}, {\mathsf{trap}}) \leftarrow {\mathsf{crssim}}(\lambda , \rho ): \mathcal{A}_{2}^{{\mathsf{prover}}(\textsc {crs}, \cdot , \cdot , \cdot )}(\textsc {crs}, \rho , {\mathsf{trap}}) = 1] \approx \\&\Pr [(\textsc {crs}, {\mathsf{trap}}) \leftarrow {\mathsf{crssim}}(\lambda , \rho ): \mathcal{A}_{2}^{{\mathsf{sim^*}}(\textsc {crs}, {\mathsf{trap}}, \cdot , \cdot , \cdot )}(\textsc {crs}, \rho , {\mathsf{trap}}) = 1 ], \end{aligned}$$
 The QANIZK is called truesimulationsound [Har11] if the verifier is sound even when an adaptive adversary has access to simulated proofs on language members. More precisely, for all PPT \({\mathcal{A}}\),where the experiment aborts if the oracle is called with some \(y \not \in L_\rho \).$$ \Pr \left[ \begin{array}{c} (\textsc {crs}, {\mathsf{trap}}) \leftarrow {\mathsf{crssim}}(\lambda , \rho ) \\ (x,{{ l}}, \pi ) \leftarrow {\mathcal{A}}^{{\mathsf{sim}}(\textsc {crs}, {\mathsf{trap}}, \cdot , \cdot )}(\textsc {crs}, \rho ) \end{array} : x \not \in L_\rho \, \wedge \, {\mathsf{ver}}(\textsc {crs}, x,{{ l}}, \pi ) =1 \right] \approx 0, $$
 The simulator is said to generate unique acceptable proofs if for all x, all labels \({{ l}}\), and all proofs \(\pi ^*\),$$ \Pr \left[ \begin{array}{c} (\textsc {crs}, {\mathsf{trap}}) \leftarrow {\mathsf{crssim}}(\lambda , \rho ) \\ \pi \leftarrow {\mathsf{sim}}(\textsc {crs}, {\mathsf{trap}}, x, {{ l}}) \end{array} : (\pi ^* \ne \pi ) \wedge {\mathsf{ver}}(\textsc {crs}, x, {{ l}}, \pi ^*) =1 \right] \approx 0. $$
1. An \(\epsilon \)-smooth and \(\epsilon \)-universal\(_2\) (labeled) projective hash proof system for the collection \(\{L_\rho \}_{\rho \in \mathsf{Lpar}}\), and
2. A composable zero-knowledge, true-simulation-sound QA-NIZK Q = (pargen, crsgen, prover, ver, crssim, sim) for the augmented parameterized language \({L^{*}_{\rho , s}}\) with probability distribution \(\mathcal{D}'\), such that the simulator generates unique acceptable proofs, and
3. Efficient algorithms \((E_1,E_2)\) such that \(\mathcal{D}\) is efficiently witness-samplable using \((E_1,E_2)\), and
4. An efficient algorithm \(E_3\) to sample uniformly from \(\Pi \).
Real World consisting of:
– The algorithm \({\mathsf{K}}_0\) takes a unary string \(1^m\) as input and generates parameters \(\lambda \) using \({\mathsf{pargen}}\) of Q on \(1^m\). The CRS generation algorithm \({\mathsf{K}}_1\) uses \({\mathsf{crsgen}}\) of Q and produces the CRS as follows: it takes \(\lambda \) and the language parameter \(\rho \), and first samples k uniformly from \(K_\lambda \) (recalling that the hash function families are ensembles, one for each \(\lambda \)). It then outputs the CRS to be the pair \(({\mathsf{crsgen}}(\lambda , \langle \rho , \alpha (k) \rangle ), \alpha (k))\).
– The prover \({\mathsf{P}}\) takes a CRS \((\sigma , s)\), input x, witness w, and label \({{ l}}\) and outputs the proof \((T,\,W)\), where T is computed using the public evaluation algorithm \(\hat{H}\) as \(\hat{H}(s,\langle x, {{ l}}\rangle , w)\) and \(W = {\mathsf{prover}}(\sigma , \langle x, T, {{ l}}\rangle , w)\).
– The verifier \({\mathsf{V}}\) on input CRS \(=(\sigma ', s)\), x, \({{ l}}\), and proof (T, W) returns the value \({\mathsf{ver}}(\sigma ', \langle x, T, {{ l}}\rangle , W)\) (using \({\mathsf{ver}}\) of Q).
Partial-Simulation World consisting of:
– The semi-functional CRS simulator \({\mathsf{sfK}}_1\) takes \(\lambda \) as input and samples \((\rho , \psi )\) using \(E_1\), and also samples k uniformly from \(K_\lambda \). It then uses \({\mathsf{crssim}}\) of Q and the key projection algorithm \(\alpha \) to generate the CRS \(\sigma \) as follows: let \((\sigma ', {\mathsf{trap}}) = {\mathsf{crssim}}(\lambda , \langle \rho , \alpha (k) \rangle )\). The CRS \(\sigma \) is then the pair \((\sigma ', \alpha (k))\). \({\mathsf{sfK}}_1\) also outputs \(k, {\mathsf{trap}}\) as proof simulator trapdoors \(\tau \), and \(\rho , \psi , k\) as private verifier trapdoors \(\eta \).
– The semi-functional simulator \({\mathsf{sfSim}}\) uses trapdoors \(k, {\mathsf{trap}}\) to produce a (partially-simulated) proof for a word x, a label \({{ l}}\) and a binary bit \(\beta \) using \({\mathsf{sim}}\) of Q as follows: if \(\beta =1\), output
$$ T = H_k(x, {{ l}}), \, W = {\mathsf{sim}}(\sigma , {\mathsf{trap}}, \langle x, T, {{ l}}\rangle ), $$
else sample \(\pi '\) at random from \(\Pi \) (using \(E_3\)) and output
$$ T = \pi ' \;,\; W = {\mathsf{sim}}(\sigma , {\mathsf{trap}}, \langle x, T , {{ l}}\rangle ). $$
This proof is partially simulated as it uses the bit \(\beta \).
– The private verifier \({\mathsf{pV}}\) uses trapdoors \((\rho , \psi , k)\) to check a word x, label \({{ l}}\) and a proof T, W as follows: it outputs 1 iff (a) \(E_2\) using \(\rho \) and \(\psi \) confirms that x is in \(L_\rho \), and (b) \(H_k(x, {{ l}})\) = T, and (c) the verifier of Q accepts, i.e. \({\mathsf{ver}}(\sigma , \langle x, T, {{ l}}\rangle , W) =1\).
One-time Full Simulation World consisting of:
– The one-time full-simulation CRS generator \({\mathsf{otfK}}_1\) takes as input \(\lambda \) and language parameter \(\rho \), and using \({\mathsf{crssim}}\) of Q outputs \(\sigma \) as follows: first it samples k uniformly from \(K_\lambda \). Let \((\sigma ' , {\mathsf{trap}}) = {\mathsf{crssim}}(\lambda , \langle \rho , \alpha (k) \rangle )\). Then \(\sigma = (\sigma ', \alpha (k))\). \({\mathsf{otfK}}_1\) also outputs \( k, {\mathsf{trap}}\) as proof simulator trapdoors \(\tau \) and \(\tau _1\), and outputs k as private verifier trapdoor \(\eta \).
– The one-time full simulator \({\mathsf{otfSim}}\) takes as input the trapdoors \(k, {\mathsf{trap}}\), a word x and a label \({{ l}}\) and produces a proof as follows:
$$ T = H_k(x,{{ l}}), \;\; W = {\mathsf{sim}}(\sigma , {\mathsf{trap}}, \langle x, T, {{ l}}\rangle ). $$
– The semi-functional verifier \({\mathsf{sfV}}\) uses trapdoor k to verify a word x, a label \({{ l}}\) and a proof T, W as follows: output 1 iff (a) \(H_k(x, {{ l}})\) = T, and (b) \({\mathsf{ver}}(\sigma , \langle x, T, {{ l}}\rangle , W) =1\).
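As an added illustration of condition 1 and of the T component handled by \({\mathsf{P}}\), \({\mathsf{sfSim}}\) and \({\mathsf{pV}}\) above (example code written for this page, not from the paper or [JR14b]): a Cramer-Shoup style labeled projective hash for the Diffie-Hellman language over a toy prime-order subgroup, showing that the public evaluation \(\hat{H}\) agrees with \(H_k\) on members (projective), and that two keys with the same \(\alpha (k)\) disagree on a non-member, which is the smoothness the Lemma 2 argument relies on. The prime p = 2027, the SHA-256 hash-to-\(\mathbb{Z}_q\) used for \(\iota \), and all key and scalar values are constructed assumptions.

```python
import hashlib
import secrets

# Toy safe prime p = 2q + 1 (constructed for this example; far too small for real use).
# g = 4 is a square mod p, so it generates the subgroup of prime order q.
P = 2027
Q = 1013
G = 4


def exp(base, e):
    """Exponentiation in the order-q subgroup; exponents live in Z_q."""
    return pow(base, e % Q, P)


def dh_params(a):
    """Language parameters rho = (g, g^a); members are (g^w, (g^a)^w)."""
    return (G, exp(G, a))


def iota(x, label):
    """Hash of (word, label) to Z_q (assumed; gives the labeled universal_2 variant)."""
    data = f"{x[0]}|{x[1]}|{label}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    """Private hash key k = (k1, k2, k3, k4) drawn uniformly from Z_q^4."""
    return tuple(secrets.randbelow(Q) for _ in range(4))


def alpha(rho, k):
    """Projection alpha(k) = (g^k1 (g^a)^k2, g^k3 (g^a)^k4): all the CRS reveals about k."""
    g, ga = rho
    k1, k2, k3, k4 = k
    return (exp(g, k1) * exp(ga, k2) % P, exp(g, k3) * exp(ga, k4) % P)


def hash_private(k, x, label):
    """H_k(x, l) = x1^(k1 + iota*k3) * x2^(k2 + iota*k4), needs the private key."""
    k1, k2, k3, k4 = k
    i = iota(x, label)
    return exp(x[0], k1 + i * k3) * exp(x[1], k2 + i * k4) % P


def hash_public(s, x, label, w):
    """Public evaluation H^(s, <x, l>, w) = s1^w * s2^(iota*w): projection key + witness only."""
    s1, s2 = s
    i = iota(x, label)
    return exp(s1, w) * exp(s2, i * w) % P


def sf_sim_T(k, x, label, beta):
    """T component of sfSim: H_k(x, l) if beta = 1, else a uniform element of Pi (E_3)."""
    if beta == 1:
        return hash_private(k, x, label)
    return exp(G, secrets.randbelow(Q))


def same_projection_key(k, a, t):
    """Another key k' with alpha(k') = alpha(k): shift (k1, k2) along the direction (a, -1)."""
    k1, k2, k3, k4 = k
    return ((k1 + a * t) % Q, (k2 - t) % Q, k3, k4)


def projective_check(a, k, w, label):
    """For a member x = (g^w, (g^a)^w) the prover's public hash equals H_k(x, l)."""
    rho = dh_params(a)
    x = (exp(rho[0], w), exp(rho[1], w))
    return hash_public(alpha(rho, k), x, label, w) == hash_private(k, x, label)


def smoothness_witness(a, k, t, r, r2, label):
    """On a non-member x = (g^r, (g^a)^r2) with r2 != r, two keys sharing alpha(k)
    give different T: the private hash is not determined by the CRS."""
    rho = dh_params(a)
    k_alt = same_projection_key(k, a, t)
    x = (exp(rho[0], r), exp(rho[1], r2))
    return (alpha(rho, k) == alpha(rho, k_alt),
            hash_private(k, x, label) != hash_private(k_alt, x, label))


if __name__ == "__main__":
    key = keygen()
    print("projective:", projective_check(7, key, 21, "sid-1"))
    print("same alpha, different T on non-member:", smoothness_witness(7, key, 3, 11, 12, "sid-1"))
```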
Theorem 1
For a parameterized class of languages \(\{L_\rho \}_{\rho \in \mathsf{Lpar}}\) with probability distribution \(\mathcal{D}\), if the above four conditions hold for projective hash family H, QA-NIZK Q, and efficient algorithms \(E_1,E_2, E_3\), then the above dual-system non-interactive proof system \({\Sigma }\) is a DSS-QA-NIZK for \(\{L_\rho \}_{\rho \in \mathsf{Lpar}}\) with probability distribution \(\mathcal{D}\).
Remark. In [JR14b] we instantiate the general construction for linear subspaces of vector spaces of hard bilinear groups. As a corollary, it follows that under the SXDH assumption the Diffie-Hellman (DH) language has a DSS-QA-NIZK with only two group elements.
Due to space limitations, we focus only on the proof of the one-time zero-knowledge (otzk) property, as it is the most non-trivial. Indeed, this property is a significant generalization of the usual dual-system technique employed in IBE constructions: although in otzk only one proof needs to be fully simulated (i.e. without its membership bit being available), all the private verifier calls in the partial-simulation world need to be simulated in the otzk world without the quasi-adaptive trapdoors (i.e. the trapdoor obtained by witness-sampling the language parameters). Recall that in the IBE construction the ciphertext is the counterpart of our verifier, and the IBE private keys are the QA-NIZK proofs. Thus, in IBE only a single ciphertext needs to be simulated while the different private keys are being “fixed” one by one by otzk simulation.
The detailed proofs of all the other properties are given in [JR14b]; their main ideas were already sketched earlier in this section.
Lemma 2
In the context of Theorem 1, let the maximum probability that the simulator of Q does not generate unique acceptable proofs be \(\delta \). Let H be an \(\epsilon \)-smooth and \(\epsilon \)-universal\(_2\) (labeled) projective hash proof system for the collection \(\{L_\rho \}_{\rho \in \mathsf{Lpar}}\). Let M be the number of calls to the second oracle (verifier) by \(\mathcal{A}_3\) and \(\mathcal{A}_4\) combined in the two experiments of the one-time full-ZK property of DSS-QA-NIZK \({\Sigma }\). Then the maximum statistical distance (over all PPT adversaries \(\mathcal{A}_3\) and \(\mathcal{A}_4\)) between the views of the adversaries \(({\mathcal{A}_3},{\mathcal{A}_4})\) in these two experiments, denoted \({{dist}}^{{{otzk}}}({\Sigma })\), is at most \((\epsilon + \delta ) \cdot (1 + M)\).
Proof
We will show that the one-time full-ZK property holds statistically. We define a sequence of experiments and show that the view of the PPT adversary is statistically indistinguishable in every two consecutive experiments. The first experiment \(\mathbf H _{0}\) is identical to the partial-simulation world. First, note that \(\rho \) is identically generated using \(\mathcal{D}\) in both worlds. Next, note that the CRS \(\sigma \) and trapdoors \(\tau \) generated by \({\mathsf{sfK}}_1\) are identically distributed to the CRS \(\sigma \) and both the trapdoors \(\tau \) and \(\tau _1\) generated by \({\mathsf{otfK}}_1\).
The next experiment \(\mathbf H _{1}\) is identical to \(\mathbf H _{0}\) except that on the \({\mathcal{A}}_3\)-supplied input \((x^*,{{ l}}^*, \beta ^*)\) the proof \(\pi ^*\) generated by \({\mathsf{sfSim}}\) is replaced by the proof generated by \({\mathsf{otfSim}}\). If \(\beta ^*\) provided by \({\mathcal{A}}_3\) is not the valid membership bit for \(x^*\), then both experiments abort. So, assume that \(\beta ^*\) is the correct membership bit. In case \(\beta ^*=1\), both \({\mathsf{sfSim}}\) and \({\mathsf{otfSim}}\) behave identically. When \(\beta ^*=0\), the random \(T^*\) produced by \({\mathsf{sfSim}}\) is identically distributed to the \(T^*\) generated by \(H_k(x^*,{{ l}}^*)\), since H is assumed to be smooth.
The next experiment \(\mathbf H _{2}\) is identical to \(\mathbf H _{1}\) except that the second oracle is served by \({\mathsf{sfV}}\) instead of \({\mathsf{pV}}\). In order to show that the view of the adversary is indistinguishable in experiments \(\mathbf H _{2}\) and \(\mathbf H _{1}\), we define several hybrid experiments \(\mathbf H _{1,i}\) (for \(0 \le i \le N\), where N is the total number of calls to the second oracle by \({\mathcal{A}}_3\) and \({\mathcal{A}}_4\) combined). Experiment \(\mathbf H _{1,0}\) is identical to \(\mathbf H _{1}\), and the intermediate experiments are defined inductively, by modifying the response of one additional second-oracle call at a time, starting with the last (N-th) second-oracle call and ending with the changed response of the first second-oracle call. The last hybrid experiment \(\mathbf H _{1,N}\) is then the same as \(\mathbf H _{2}\). Experiment \(\mathbf H _{1,i+1}\) differs from \(\mathbf H _{1,i}\) only in the response to the \((N-i)\)-th second-oracle call. In the latter experiment, this call is still served as in \(\mathbf H _{1}\) (i.e. using \({\mathsf{pV}}\)); in the former experiment \(\mathbf H _{1,i+1}\), the \((N-i)\)-th call is responded to as defined in \(\mathbf H _{2}\) above (i.e. using \({\mathsf{sfV}}\)).
To show that the view of the adversary is statistically indistinguishable in \(\mathbf H _{1,i}\) and \(\mathbf H _{1,i+1}\), first note that the view of the adversary (\({\mathcal{A}}_3\) and \({\mathcal{A}}_4\) combined) up to its \((N-i)\)-th call is identical in both experiments. Moreover, as we show next, the dependence on k of this partial view (i.e. up to the \((N-i)\)-th call) is limited to \(\alpha (k)\) and at most one evaluation of \(H_k\) (by \({\mathsf{otfSim}}\)) on an input that is not in \(L_\rho \). To start with, the CRS generated by \({\mathsf{sfK}}_1\) depends only on \(\alpha (k)\). Next, the first oracle \({\mathsf{sfSim}}\) produces T using \(H_k\) on its input only if the membership bit \(\beta \) is 1 and correct, and since H is projective this hash value is then completely determined by \(\alpha (k)\). Finally, all calls to the second oracle up to the \((N-i)\)-th call are still served using \({\mathsf{pV}}\), and again by the projective property of H, conjunct (b) in \({\mathsf{pV}}\) can be computed using only \(\alpha (k)\): for non-members of \(L_\rho \), conjunct (a) is already false, and hence (b) is redundant.
Now, the difference in the \((N-i)\)-th call is that conjunct (a) of \({\mathsf{pV}}\) is missing in \({\mathsf{sfV}}\). Let \(x, {{ l}}, T, W\) be the input supplied by the PPT adversary to this call. If \(H_k(x, {{ l}})\) is not equal to the supplied T, then both \({\mathsf{pV}}\) and \({\mathsf{sfV}}\) return 0. So, suppose \(H_k(x, {{ l}})\) is equal to T, and yet x is not in \(L_\rho \), i.e. conjunct (a) of \({\mathsf{pV}}\) is false. First, if this input \(x, {{ l}}, T, W\) is the same as \((x^*, {{ l}}^*, T^*, W^*)\) associated with the one-time call to \({\mathsf{otfSim}}\), then the experiment aborts. Thus, we can assume that this is a different input. If \((x, {{ l}}) \) is the same as \( (x^*, {{ l}}^*)\), then \((T, W) \ne (T^*,W^*)\). Now, by construction (i.e. by definition of \({\mathsf{otfSim}}\)) \(T^* = H_k(x^*, {{ l}}^*)\), and hence either \(T \ne H_k(x, {{ l}})\), which is not possible by hypothesis, or \((x, {{ l}}, T) = (x^*, {{ l}}^*, T^*)\) and \(W \ne W^*\). But \(W^*\) is the proof generated by the simulator of Q, and since the simulator of Q generates unique acceptable proofs (by assumption), the verifier ver of Q rejects \((x, {{ l}}, T, W)\), and thus both \({\mathsf{pV}}\) and \({\mathsf{sfV}}\) return 0.
On the other hand, if \((x, {{ l}}) \ne (x^*, {{ l}}^*)\), then by the \(\epsilon \)-universal\(_2\) property of H the probability of T being the same as \(H_k(x, {{ l}})\) is at most \(\epsilon \). Thus, except with this probability, both \({\mathsf{pV}}\) and \({\mathsf{sfV}}\) return 0. That completes the induction step, and thus the view of the adversary in experiments \(\mathbf H _{1}\) and \(\mathbf H _{2}\) is statistically indistinguishable.
The next experiment \(\mathbf H _{3}\) is identical to \(\mathbf H _{2}\) except that the CRS is generated using \({\mathsf{otfK}}_1\). The only difference is that the (verifier) trapdoor does not include \(\rho , \psi \). But since the second oracle is served by \({\mathsf{sfV}}\), which does not need \(\rho , \psi \), the experiment \(\mathbf H _{3}\) is well-defined and statistically indistinguishable from \(\mathbf H _{2}\). Further, \(\mathbf H _{3}\) is identical to the one-time simulation world, and that completes the proof.
The statistical distance between the views of the adversaries \(({\mathcal{A}}_3,{\mathcal{A}}_4)\) in \(\mathbf H _{0}\) and \(\mathbf H _{3}\) is at most \((\epsilon + \delta ) \cdot (1 + M)\). \(\square \)
5 Keyed-Homomorphic CCA Encryption
Keyed-Homomorphic Encryption is a primitive, first developed in [EHO+13], which allows homomorphic operations with a restricted evaluation key, while preserving different flavors of semantic security depending on whether access to the evaluation key is provided or not. For an adversary not having access to the evaluation key, the homomorphic operation should not be available, and this is ensured by requiring CCA security. However, if an adversary comes into possession of the evaluation key, CCA security can no longer be preserved, and thus weaker forms of security, such as CCA1, are required. In [LPJY14], the authors gave improved constructions for multiplicative homomorphism with better security guarantees.
A KH-PKE scheme consists of algorithms (KeyGen, Enc, Dec, Eval), where the first three are familiar from public-key encryption, and KeyGen generates a public key pk, a decryption key \(sk_d\) and an Eval key \(sk_h\). Algorithm Eval takes two ciphertexts and returns a ciphertext or \(\bot \). Detailed definitions can be found in [JR14b]. The scheme is said to be correct if (i) for Enc we have \(Dec(sk_d, Enc(pk, M)) = M\), where \(sk_d\) is the secret decryption key, and (ii) for Eval we have \(Dec(sk_d, Eval(sk_h, C_1, C_2)) = Dec(sk_d, C_1) \odot Dec(sk_d, C_2)\), where \(\odot \) is a binary operation on plaintexts, and if any operand of \(\odot \) is \(\bot \) then the result is \(\bot \). The KH-PKE scheme is defined to be KH-CCA secure by the usual public-key CCA experiment with the following twists: the challenger maintains a set D of ciphertexts dependent on the challenge ciphertext (via Eval), and decryption queries are not allowed on ciphertexts in D. Further, an adversary \({\mathcal{A}}\) can adaptively ask for \(sk_h\), which we call the reveal event. After the reveal event, the Eval oracle is not available. Similarly, decryption is not available after \({\mathcal{A}}\) has both requested \(sk_h\) and obtained the challenge ciphertext, in any order. Again, detailed definitions can be found in [JR14b].
Construction. We present a construction of a KH-CCA secure KH-PKE encryption scheme with multiplicative homomorphism which utilizes our general DSS-QA-NIZK construction for the Diffie-Hellman (DH) language. In fact, if we assume that the adversary never invokes RevHK, we can prove security generically assuming any DSS-QA-NIZK (with statistical one-time full-ZK) for the DH language. When the adversary invokes RevHK, the partial-simulation trapdoor is revealed to the adversary, and hence the one-time full-ZK property of DSS-QA-NIZK may not hold. Thus we need a stronger notion of DSS-QA-NIZK that incorporates the reveal event and includes the additional requirement that the semi-functional verifier remains sound as before. Using this stronger notion, we can prove generic security of the KH-PKE scheme even with RevHK, and we further show that our general construction of Sect. 4 continues to satisfy this stronger property.
We start with the observation that the standard ElGamal encryption scheme \((\mathbf{{g}}^x, m \cdot \mathbf{{f}}^x)\) is multiplicatively homomorphic, but is not CCA secure for exactly the same reason. The main idea of our construction is as follows. The ciphertexts include an ElGamal encryption of the message M, say \(\mathbf{{g}}^r, M\cdot \mathbf{{g}}^{kr}\) for a public key \(\mathbf{{g}}^k\). The public key also contains an element \(\mathbf{{g}}^a\), and the ciphertext also includes \(\mathbf{{g}}^{ar}\) (we refer to this triple in the ciphertext as an augmented ElGamal encryption). It is well-known [JR12] that if a one-time simulation-sound NIZK proof of \(\mathbf{{g}}^r\) and \(\mathbf{{g}}^{ar}\) being of the correct form is also included in the ciphertext, then it becomes a publicly-verifiable CCA2-secure encryption scheme. In our keyed-homomorphic construction, we include a DSS-QA-NIZK for \(\mathbf{{g}}^r\) and \(\mathbf{{g}}^{ar}\) being of the correct form (i.e. being a DH tuple). Although the DSS-QA-NIZK itself is not homomorphic, we can take advantage of the corresponding semi-functional simulator \({\mathsf{sfSim}}\) and simulate the proof of a multiplicatively generated (augmented) ElGamal encryption when computing a homomorphic evaluation.

KeyGen: Generate \(\mathbf{{g}}, a, k\) randomly. Use \({\mathsf{sfK}}_1\) of \({\Sigma }\) to get CRS \(\sigma \) and trapdoors \(\tau \) and \(\eta \), and language parameters \(\rho = (\mathbf{{g}}, \mathbf{{g}}^{a})\). Set \(pk = (\mathbf{{g}}, \mathbf{{g}}^a, \mathbf{{g}}^k, \sigma )\), \(sk_h = \tau \), \(sk_d = k\).

Enc: Given plaintext m, generate \(w \leftarrow \mathbb {Z}_q\) and compute (using \({\mathsf{P}}\) of \({\Sigma }\)) \(c := (\mathbf{{g}}^w, \mathbf{{g}}^{aw}, \gamma , {\mathsf{P}}(\sigma , (\mathbf{{g}}^w, \mathbf{{g}}^{aw}), w, {{ l}}= \gamma )), \text{ where } \gamma := m \cdot \mathbf{{g}}^{kw}.\)

Dec: Given ciphertext \(c = (\rho , \hat{\rho }, \gamma , \pi )\), first check if \({\mathsf{V}}(\sigma , \pi , (\rho , \hat{\rho }), \gamma )\) of \({\Sigma }\) holds, then compute \(m:= \gamma /\rho ^k\).

Eval (Multiplicative): Given ciphertexts \(c_1 = (\rho _1, \hat{\rho }_1, \gamma _1, \pi _1)\) and \(c_2 = (\rho _2, \hat{\rho }_2, \gamma _2, \pi _2)\), first check if \({\mathsf{V}}(\sigma , \pi _i, (\rho _i, \hat{\rho }_i), \gamma _i)\) of \({\Sigma }\) holds for all \(i \in \{1,2\}\). Then compute \(\rho = \rho _1 \rho _2\rho _3\), \(\hat{\rho }= \hat{\rho }_1 \hat{\rho }_2\hat{\rho }_3\), \(\gamma = \gamma _1 \gamma _2\gamma _3\), where \(\langle \rho _3, \hat{\rho }_3, \gamma _3 \rangle \) is a fresh random tuple obtained by picking r at random and setting the tuple to be \(\langle \mathbf{{g}}^r, (\mathbf{{g}}^{a})^r, (\mathbf{{g}}^k)^r \rangle \). Then compute \(\pi := {\mathsf{sfSim}}(\sigma , \tau , (\rho , \hat{\rho }), \beta = 1, {{ l}}= \gamma )\) using \({\mathsf{sfSim}}\) of \({\Sigma }\). Output ciphertext \(c := (\rho , \hat{\rho }, \gamma , \pi )\).
Theorem 2
\(\mathbf {(Security\,of\,Construction).}\) The above algorithms \(\mathcal{P}\) = (KeyGen, Enc, Dec, Eval) constitute a KH-CCA secure Keyed-Homomorphic Public Key Encryption scheme with multiplicative homomorphism, if \({\Sigma }\) is a DSS-QA-NIZK for the parameterized Diffie-Hellman language (with language parameters distributed randomly) and RevHK is not available.
The main idea of the proof of the above theorem is similar to proofs of CCA2-secure public key encryption schemes using alternate decryption. In other words, the ciphertext can be decrypted as \(m:= \gamma /\rho ^k\), or as \(m:= \gamma /(\rho ^{k_0}\hat{\rho }^{k_1})\), where \(k = k_0 + a k_1\). But this requires that the ciphertext has a correct \(\hat{\rho }\) component, i.e. \(\hat{\rho }= \rho ^a\). The ciphertexts include a NIZK for this purpose, but the NIZK needs to be simulation-sound. An additional complication arises because of dependent ciphertexts. To handle this, we first build an intermediate experiment where all dependent ciphertexts are generated using fresh random ElGamal tuples. Indistinguishability of such an intermediate experiment from the KH-CCA experiment is shown inductively, by carefully employing one-time full-ZK and partial-simulation unbounded simulation soundness. The theorem is proved in detail in [JR14b]. The adversary’s advantage in the KH-CCA security game is at most \((8L+1) \cdot {\textsc {ADV}_\textsc {DDH}} + O(L/q)\), where L is the total number of calls to Eval.
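An added example (written for this page, not the paper's code) of the augmented ElGamal core of the KeyGen/Enc/Dec/Eval algorithms above and of the alternate decryption used in the proof of Theorem 2: both decryptions agree exactly when \(\hat{\rho }= \rho ^a\), which is the relation the ciphertext's DSS-QA-NIZK certifies, so a ciphertext with a bad \(\hat{\rho }\) (one the verifier would reject) decrypts differently under the two keys. The proof component \(\pi \), the CRS \(\sigma \) and the Eval trapdoor \(\tau \) are not modelled; the toy prime p = 2027 and all scalars are constructed values.

```python
import secrets

# Toy safe prime p = 2q + 1 and generator g of the order-q subgroup (constructed
# for this example; far too small for real use).
P = 2027
Q = 1013
G = 4


def exp(base, e):
    """Exponentiation in the order-q subgroup of Z_p^*."""
    return pow(base, e % Q, P)


def inv(x):
    return pow(x, -1, P)


def keygen(a=None, k0=None, k1=None):
    """pk = (g, g^a, g^k) and sk_d = k.  As in the proof, k is written k = k0 + a*k1,
    so the challenger's 'proof view' (k0, k1, a) is returned as well.  The DSS-QA-NIZK
    CRS sigma and the Eval key sk_h = tau are not modelled."""
    a = secrets.randbelow(Q) if a is None else a
    k0 = secrets.randbelow(Q) if k0 is None else k0
    k1 = secrets.randbelow(Q) if k1 is None else k1
    k = (k0 + a * k1) % Q
    pk = (G, exp(G, a), exp(G, k))
    return pk, k, {"k0": k0, "k1": k1, "a": a}


def enc(pk, m, w=None):
    """Augmented ElGamal part of Enc: (rho, rho_hat, gamma) = (g^w, (g^a)^w, m*(g^k)^w).
    The proof pi = P(sigma, (g^w, g^{aw}), w, l = gamma) is omitted here."""
    g, ga, gk = pk
    w = secrets.randbelow(Q) if w is None else w
    return (exp(g, w), exp(ga, w), m * exp(gk, w) % P)


def dec(k, c):
    """Dec: m = gamma / rho^k (the verifier check on pi is omitted)."""
    rho, _, gamma = c
    return gamma * inv(exp(rho, k)) % P


def dec_alt(view, c):
    """Alternate decryption from the proof: m = gamma / (rho^k0 * rho_hat^k1)."""
    rho, rho_hat, gamma = c
    return gamma * inv(exp(rho, view["k0"]) * exp(rho_hat, view["k1"]) % P) % P


def well_formed(view, c):
    """rho_hat == rho^a: the DH relation the ciphertext's DSS-QA-NIZK certifies."""
    rho, rho_hat, _ = c
    return rho_hat == exp(rho, view["a"])


def eval_mul(pk, c1, c2, r=None):
    """Eval: componentwise product of c1, c2 and a fresh tuple (g^r, (g^a)^r, (g^k)^r).
    In the scheme the output proof is then produced by sfSim with beta = 1; here only
    the three group elements are returned."""
    g, ga, gk = pk
    r = secrets.randbelow(Q) if r is None else r
    fresh = (exp(g, r), exp(ga, r), exp(gk, r))
    return tuple(c1[i] * c2[i] * fresh[i] % P for i in range(3))


def decryptions_agree(view, k, c):
    """True iff Dec and the alternate decryption give the same plaintext; this holds
    for well-formed ciphertexts and fails for a forged rho_hat."""
    return dec(k, c) == dec_alt(view, c)


if __name__ == "__main__":
    pk, k, view = keygen()
    c1, c2 = enc(pk, exp(G, 3)), enc(pk, exp(G, 5))
    prod = eval_mul(pk, c1, c2)
    print("Dec(Eval(c1, c2)) == m1*m2:", dec(k, prod) == exp(G, 8))
    print("alternate decryption agrees:", decryptions_agree(view, k, prod))
```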
The more general theorem (with RevHK) is stated and proved in [JR14b]. Under the SXDH assumption, the above construction leads to ciphertexts of size only five group elements. Further, using an augmented Diffie-Hellman language (augmented with a smooth hash proof of a DH tuple) and its DSS-QA-NIZK, we also extend our result to obtain CCA1 security even when the key is revealed (see [JR14b]). The resulting scheme has KH-PKE ciphertexts of size six group elements.
6 Single-Round UC Password-Based Key Exchange
6.1 UC-PAKE Definition
Just as in the normal key-exchange functionality, if both participating parties are uncorrupted, then they receive the same uniformly distributed session key and the adversary learns nothing of the key except that it was generated. However, if one of the parties is corrupted, then the adversary determines the session key. The adversary is also given this power if it succeeds in guessing the parties’ shared password. Participants also detect when the adversary makes an unsuccessful attempt. If the adversary makes a wrong password guess in a given session, then the session is marked \({\mathsf {interrupted}}\) and the parties are provided random and independent session keys. If however the adversary makes a successful guess, then the session is marked \(\mathsf {compromised}\), and the adversary is allowed to set the session key. If a session remains marked \(\mathsf {fresh}\), meaning that it is neither interrupted nor compromised, the uncorrupted parties conclude with both receiving the same, uniformly distributed session key. The formal description of the UC-PAKE functionality \({{\mathcal{F}}_{\textsc {pake}}}\) is given in Fig. 2.
6.2 Main Idea of the UC Protocol Using DSS-QA-NIZK
For the sake of exposition, let us call one party in the session the server and the other the client. (There is no such distinction in the actual protocol; in fact each party runs two parallel protocols, one as a client and another as a server, and outputs the product of the two keys generated.) The common reference string (CRS) defines a Diffie-Hellman language, i.e. \(\rho = \mathbf{{g}}_1, \mathbf{{g}}_1^{a}\). The client picks a fresh Diffie-Hellman tuple by picking a witness r and computing \(\langle \mathbf{{x}}_1 = \mathbf{{g}}_1^r, \mathbf{{x}}_2= \mathbf{{g}}_1^{a\cdot r} \rangle \). It also computes a DSS-QA-NIZK proof on this tuple, which consists of a hash proof T and a QA-NIZK proof W of the augmented Diffie-Hellman tuple. Note that the QA-NIZK proof W is just a single group element [JR14a] (see [JR14b] for details). It next modifies the Diffie-Hellman tuple using the password pwd it possesses. Essentially, it multiplies \(\mathbf{{x}}_2\) by pwd to get a modified group element which we will denote by S; in fact \((\mathbf{{x}}_1, S)\) is an ElGamal encryption of pwd. It next sends this ElGamal encryption \(\mathbf{{x}}_1, S\) and the T component of the proof to the server. It retains W for later use. At this point it can erase the witness r.
As mentioned earlier, each pair of parties actually runs two versions of the above protocol, wherein each party plays the part of the client in one version and the part of the server in the other. Each party then outputs the product of the LHS of (1) computation (in the server version) and the RHS of (1) computation (in the client version) as the session key. We will refer to these two factors in the session-key computation as the server factor and the client factor, respectively. This is the final UC-PAKE protocol described in Fig. 3 (with the parties’ identities, session identifiers and \(\mathbf{{b}}^s\) from its server version used as the label). The quantity \(\mathbf{{x}}_1\) is called R in the protocol, as subscripts will be used for other purposes.
Theorem 3
Assuming the existence of SXDH-hard groups, the protocol given in Fig. 3 securely realizes the \({\widehat{\mathcal{F}}_{\textsc {pake}}}\) functionality in the \(\mathcal{F}_ {\textsc {crs}}\) hybrid model, in the presence of adaptive corruption adversaries.
The theorem is proved in [JR14b]. We provide the intuition below.
6.3 Main Idea of the UC Simulator
The UC simulator \(\mathcal{S}\) works as follows. It generates the CRS for \({\widehat{\mathcal{F}}_{\textsc {pake}}}\) using the semi-functional CRS generator \({\mathsf{sfK}}_1\) for the Diffie-Hellman language. The next main difference is in the simulation of the outgoing message of the real-world parties: \(\mathcal{S}\) uses a dummy message \(\mu \) instead of the real password, to which it does not have access. Further, it postpones the computation of W until session-key generation time. Finally, another difference is in the processing of the incoming message, where \(\mathcal{S}\) decrypts the incoming message \(R_2', S_2', T_2'\) to compute a \(\text{ pwd }'\), which it uses to call the ideal functionality’s test function. It next generates a \(\text{ sk }\) similar to how it is generated in the real world (recall the computation of the server factor and the client factor by the LHS and RHS of (1)), except that it uses Eq. (2) corresponding to the private verifier. It sends \(\text{ sk }\) to the ideal functionality to be output to the party concerned.
Note that \(\mathcal{S}\), simulating the server factor computation, can compute the LHS of Eq. (2), except that \(\mathcal{S}\) does not have direct access to pwd and hence cannot get \(\mathbf{{x}}_2\) from the modified \(\hat{S}\) that it receives. However, it can do the following: use the \(\textsc {TestPwd}\) functionality of the ideal functionality \({\widehat{\mathcal{F}}_{\textsc {pake}}}\) with a pwd\('\) computed as \(\hat{S}/\mathbf{{x}}_1^{a}\). If this pwd\('\) does not match the pwd recorded in \({\widehat{\mathcal{F}}_{\textsc {pake}}}\) for this session and party, then \({\widehat{\mathcal{F}}_{\textsc {pake}}}\) outputs a fresh random session key anyway, which then turns out to be a correct simulation (note that this case is the same as \(\mathbf{{x}}_2 \,( = S/pwd) \,\ne \mathbf{{x}}_1^{a}\), which would also have resulted in the same computation on the LHS). If the pwd\('\) matches the pwd, the simulator is notified of the same, and hence it can now do the following: if \(T = \mathbf{{x}}_1^{d + \iota e}\) then set \(\xi = \mathbf{{1}}_T\), else set \(\xi = e(\mathbf{{g}}_1, \mathbf{{g}}_2)^{s'}\). Next, it calls \({\widehat{\mathcal{F}}_{\textsc {pake}}}\)’s \(\textsc {NewKey}\) with session key \(e(\mathbf{{x}}_1, (\mathbf{{v}}_1\mathbf{{v}}_2^\iota ) )^s \cdot e(\mathbf{{x}}_1^{a}, \mathbf{{c}})^s \cdot e(T, \mathbf{{g}}_2)^s \cdot \xi \) (multiplied by an RHS computation of (2) in the simulation of the client factor, which we discuss later).
The UC simulator \(\mathcal{S}\) must also simulate \(\mathbf{{g}}_1^{r}, \mathrm {pwd} \cdot (\mathbf{{g}}_1^{a})^r\) and the T component of the DSS-QA-NIZK, as that is the message sent out to the adversary by the real party (the “client” part of the protocol). However, \(\mathcal{S}\) does not have access to pwd. It can just generate a fake tuple \(\mathbf{{g}}_1^{r}, \mu \cdot (\mathbf{{g}}_1^{a})^r \cdot \mathbf{{g}}_1^{r'}\) (for some constant or randomly chosen group element \(\mu \), and some random and independent \(r' \in \mathbb {Z}_q\)). Now, the semi-functional (proof) simulator \({\mathsf{sfSim}}\) of the DSS-QA-NIZK of [JR14b] has the interesting property that when the tuple \(\langle \mathbf{{x}}_1, \mathbf{{x}}_2\rangle \) does not belong to the language (language membership bit zero), the T component of the simulated proof can just be generated randomly.
The simulator also needs W to compute the client factor, and we had postponed it until the session-key computation phase. As mentioned above, if the password pwd\('\) “decrypted” from the incoming message is not correct, then the key is set to be random anyway, and hence a proper W is not even required. However, if the pwd\('\) is correct, the simulator is notified of the same, and hence it can compute the W component of the proof by passing \(\mathbf{{x}}_2 = \mu \cdot (\mathbf{{g}}_1^{a})^r \cdot \mathbf{{g}}_1^{r'}/\mathrm {pwd}'\) along with \(\mathbf{{x}}_1 \,(= \mathbf{{g}}_1^{r})\) to \({\mathsf{sfSim}}\).
Of course, fixing the above fake tuples employs the one-time full-simulation property of the DSS-QA-NIZK (and the DDH assumption).
6.4 Main Idea of the Proof of UC Realization
The proof that the simulator \(\mathcal{S}\) described above simulates the adversary in the real-world protocol follows essentially from the properties of the DSS-QA-NIZK, although not generically, since the real-world protocol and the simulator use the verifiers \({\mathsf{V}}\) and \({\mathsf{pV}}\) (respectively) in a split fashion. However, as described above, the proof is very similar, and we give a broad outline here. The proof describes various experiments between a challenger \(\mathcal C\) and the adversary, which we will just assume to be the environment \(\mathcal Z\) (as the adversary \({\mathcal{A}}\) can be assumed to be just a dummy following \(\mathcal Z\)’s commands). In the first experiment the challenger \(\mathcal C\) is just the combination of the code of the simulator \(\mathcal{S}\) above and \({\widehat{\mathcal{F}}_{\textsc {pake}}}\). In particular, after the environment issues a \(\textsc {NewSession}\) request with a password pwd, the challenger gets that password. So, while in the first experiment the challenger (copying \(\mathcal{S}\)) does not use pwd directly, from the next experiment onwards it can use pwd. Thus, the main goal of the ensuing experiments is to replace the fake tuples \(\mathbf{{g}}_1^{r}, \mu \cdot (\mathbf{{g}}_1^{a})^r \cdot \mathbf{{g}}_1^{r'}\) by real tuples (as in the real world) \(\mathbf{{g}}_1^{r}, \mathrm {pwd} \cdot (\mathbf{{g}}_1^{a})^r\), since the challenger has access to pwd. This is accomplished by a hybrid argument, modifying one instance at a time using the DDH assumption in group \(\mathbb {G}_1\) and the one-time full-ZK property (using the \({\mathsf{otfSim}}\) proof simulator for that instance). A variant of the one-time full-ZK semi-functional verifier \({\mathsf{sfV}}\) (just like the variants for \({\mathsf{pV}}\) and \({\mathsf{V}}\) described above) is easily obtained.
Note that in each experiment, whenever the simulator invokes partial proof simulation it can provide the correct membership bit (with high probability) as in each experiment it knows exactly which tuples are real and which are fake.
Once all the instances are corrected, i.e. R, S are generated as \(\mathbf{{g}}_1^{r}, \mathrm {pwd} \cdot (\mathbf{{g}}_1^{a})^r\), the challenger can switch to the real world because the tuples \(R, S/\mathrm {pwd}\) are now Diffie-Hellman tuples. This implies that the session keys are generated using the \({\mathsf{V}}\) variant described above, which is exactly as in the real world.
6.5 Adaptive Corruption
The UC protocol described above is also UC-secure against adaptive corruption of parties by the adversary in the erasure model. In the real world, when the adversary corrupts a party (with a \(\textsc {Corrupt}\) command), it gets the internal state of the party. Clearly, if the party has already been invoked with a \(\textsc {NewSession}\) command, then at a minimum the password pwd is leaked, and hence the ideal functionality \({{\mathcal{F}}_{\textsc {pake}}}\) leaks the password to the adversary in the ideal world. In the protocol described above, the adversary also gets W and s, as this is the only state maintained by each party between sending \(R,S, T, \hat{\rho }\) and the final issuance of the session key. Simulation of s is easy for the simulator \(\mathcal{S}\), since \(\mathcal{S}\) generates s exactly as in the real world. For generating W, whose computation \(\mathcal{S}\) had postponed until it received an incoming message from the adversary, it can now use the pwd which it gets from \({\widehat{\mathcal{F}}_{\textsc {pake}}}\) by issuing a \(\textsc {Corrupt}\) call to \({\widehat{\mathcal{F}}_{\textsc {pake}}}\). More precisely, it issues the \(\textsc {Corrupt}\) call, gets pwd, and then calls the semi-functional simulator with \(\mathbf{{x}}_2 = \mu \cdot (\mathbf{{g}}_1^{a})^r \cdot \mathbf{{g}}_1^{r'}/\mathrm {pwd}\) along with \(\mathbf{{x}}_1 \,(= \mathbf{{g}}_1^{r})\) to get W. Note that this computation of W is identical to the postponed computation of W in the computation of the client factor of \(\text{ sk }_1\) (which is really used in the output to the environment when pwd\('\) = pwd).
Footnotes
1. In case the proof simulator is being invoked on a non-language word, it is not immediately clear what this witness can be, unless we also define a language and a distribution for a super-language which includes the language under consideration as a subset.
2. We remark here that the One-time Full Simulation World also uses a semi-functional simulator, as can be seen in Fig. 1. It has the same black-box properties as in the Partial-Simulation World, but could potentially have a different internal construction. In this paper it turns out that the same construction suffices for both worlds, so for the sake of simplicity we forgo making this explicit in the definition.