1. Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces
Charanjit Jutla, IBM Watson
and
Arnab Roy, Fujitsu Labs of America

2. El-Gamal Encryption
a ∗ g , x ∗ g , x · a ∗ g ≈ a ∗ g , x ∗ g , x ′ · a ∗ g (DDH)
a ∗ g , x ∗ g , x · a ∗ g ≈ a ∗ g , x ∗ g , (c ∗ f + x · a ∗ g)
c ∗ g , f c ∗ g , f
(El-Gamal Encryption of c ∗ f)
a, x, c :: a = a ∗ g ,  = x ∗ g ,  = c ∗ g ,  = c ∗ f + x · a ∗ g
x, c ::  = x ∗ g ,  = c ∗ g ,  = c ∗ f + x ∗ a
 x, c :: (, , ) =   a 

3. Novel Quasi-Adaptive NIZK

4. El-Gamal Encryption
Public Parameters: g, a, f  D and CRS  CRS-gen(g, a, f )
Honest Party:
Choose x, c at random, generate , ,  and proof π  Adv
(Need to hide x, c from Adv.)
Replace π with simulated proof π‘
So, x and c no more needed in proof gen.
a ∗ g , x ∗ g , (c ∗ f + x · a ∗ g) ≈ a ∗ g , x ∗ g , x · a ∗ g
c ∗ g , f c ∗ g , f
CRS-gen better be a polynomial time Turing Machine.
4. c ∗ f not needed in simulation to Adv.

5. Proving Hard Linear Subspaces

6. Our Comp. Sound Proof System – DH example

7. Comparison with Groth-Sahai
n : the number of equations
t : the number of witnesses
Groth-Sahai
Ours
XDH
Proof Size
n + 2t
n - t
CRS Size 4
2t·(n-t)+2
#Pairings
2n·(t+2)
(n-t)·(t+2)
DLIN
2n + 3t
2n - 2t 9
4t·(n-t)+3
3n· (t+3)
2(n-t)·(t+2)

8. Conceptual Comparison
n : the number of equations
t : the number of witnesses
Conceptual Comparison
Groth Sahai
Ours
CRS independent of language constants
CRS dependent on the language constants
Each witness is taken to a higher dimensional space:
2 for XDH, 3 for DLIN
No special treatment of witnesses.
The first t elements of the candidate are themselves treated as witnesses.
Each of the n equations is checked by pairing with the commitments
Along 2 dims for XDH, 3 for DLIN
Only the remaining n-t ‘dependent’ elements are checked by pairing
Along 1 dim for XDH, 2 for DLIN
With hiding CRS: Perfect ZK, Comp Sound
With binding CRS: Comp ZK, Perfect Sound
There is no analogous hiding/binding CRS concept.
Perfect ZK, Comp Sound
Since the properties are based on the indistinguishability of the two types of CRSes, the system is fundamentally based on a decision problem.

9. Properties Comparison
Groth-Sahai
Ours
Extends to Quadratic Equations
Extends to Quadratic but only using Groth-Sahai commitments.
Linear Pairing Product Equations
Better Linear Pairing Product Equations of special kind. 2/3 improvement.
Quadratic Pairing Product Equations
No additional Advantage
Randomized Proofs
Unique Proofs
Verifier needs language description/parameters
Split CRS -- verifier CRS does not depend on the language. Verifier does not even need language.

10. Dual-System IBE with a hint from QA-NIZKs
A fully-secure (perfectly complete, anonymous) IBE follows under SXDH.
Only 4 group elements.
(shortest under static standard assumptions)
Recently and independently CLLWW-12 : group elements and larger MPK.
Dual-system IBE (Waters 08) has built-in QA-NIZK and obtains effective simulation soundness using smooth hash-proofs.

11. Thanks!

12. Quasi-Adaptive NIZK Definition
(K0, K1, P, V) is a QA-NIZK for a distribution D on collection of relations Rρ if there exists a PPT simulator (S1, S2) such that for all PPT adversaries A1, A2, A3:
(Completeness)
Pr[ λ←K0(1m); ρ ← D; ψ ← K1(λ; ρ ); (x;w) ← A1(λ; ψ ; ρ );
π ← P(ψ; x;w) : V(ψ; x; π ) = 1 if Rρ(x;w)] = 1
(Computational-Soundness)
Pr[λ←K0(1m); ρ ← D; ψ ← K1(λ; ρ ); (x; π) ← A2(λ; ψ ; ρ ) :
V(ψ; x; π) = 1 and not (∃w : Rρ(x;w))] ≈ 0
QA ZK
Pr[λ←K0(1m); ρ ← D; ψ ← K1(λ; ρ ): A3 P(ψ ; .;.) (λ; ψ ; ρ ) = 1] ≈
Pr[λ←K0(1m); ρ ← D; (ψ, τ) ← S1(λ; ρ ) :A3 S2(ψ ; τ; .; *) (λ; ψ ; ρ ) = 1]

13. Novel Quasi-Adaptive NIZK
Can the CRS depend on defining matrix, i.e. g, f, a ?
Yes, g, f, a are defined by a trusted party, who can also set CRS for NIZK depending on g, f, a
Problem: g, f, a are not constant, but are chosen according to some distribution.
The hardness of DDH (hence encryption security) depends on this choice.

14. Novel Quasi-Adaptive NIZK
Can the CRS depend on defining matrix or g, f, a ?
Yes, g, f, a are defined by a trusted party, who can also set CRS for NIZK depending on g, f, a
Problem: g, f, a are not constant, but are chosen according to some distribution.
The hardness of DDH (hence encryption security) depends on this choice.
CRS can depend on defining matrix, but CRS-gen must be a single efficient machine for the distribution of defining matrix.
Most applications can use this notion.

15. Detour: Groth-Sahai NIZKs

16. Proving Hard Linear Subspaces

17. QA-NIZK for Hard Linear Subspaces
Prover CRS
Verifier CRS

18. Zero Knowledge Simulation

19. Soundness

20. Soundness (contd.)

21. Extensions

22. Signatures from QA-NIZK and CCA2 Encryption