1 Introduction

In this paper, we consider the problem of achieving (almost) tight security in short simulation-sound non-interactive zero-knowledge proofs and chosen-ciphertext-secure encryption. While tight security results are known in both cases [35, 38], they incur quite long proofs and ciphertexts. A natural question is to develop tools and techniques to make them short and, in the process, develop deeper understanding of this highly constrained setting. As an answer in this direction, we describe space-efficient methods and constructions with almost tight security. For the specific problem of proving that a vector of group elements belongs to a linear subspace, our main result is the first constant-size NIZK arguments whose simulation-soundness tightly relates to a standard assumption.

Tight and Almost Tight Security. Any public-key system must rely on some hardness assumption. To provide concrete guarantees, the security proof should preferably give a tight reduction from a well-established assumption. Namely, a successful adversary should imply a probabilistic polynomial time (PPT) algorithm breaking the assumption with nearly the same advantage. Tightness matters because the loss in the reduction may necessitate the use of a larger (at times prohibitively larger) security parameter to counteract the loss. The importance of tightness was first advocated by Bellare and Rogaway [10] in the context of digital signatures 18 years ago. Since then, it has received continuous attention with a flurry of positive and negative results in the random oracle model [2, 11, 24–26, 44, 46, 57] and in the standard model [6, 14, 39, 40, 57].

A highly challenging problem has been to obtain tight security under standard assumptions in the standard model. For many primitives, satisfactory solutions have remained elusive until very recently. Bellare, Boldyreva and Micali [7] raised the problem of constructing a chosen-ciphertext-secure public-key cryptosystem based on a standard assumption and whose exact security does not degrade with the number of users or the number of challenge ciphertexts. The first answer to this question was only given more than a decade later by Hofheinz and Jager [38] and it was more a feasibility result than a practical solution. In the context of identity-based encryption (IBE), Chen and Wee [23] designed the first “almost tightly” secure system —meaning that the degradation factor only depends on the security parameter \(\lambda \), and not on the number q of adversarial queries— based on a simple assumption in the standard model, which resolved an 8-year-old open problem [58].

NIZK Proofs and Simulation-Soundness. Non-interactive zero-knowledge proofs [15] are crucial tools used in the design of countless cryptographic protocols. In the standard model, truly efficient constructions remained lacking until the last decade, when Groth and Sahai [36] gave nearly practical non-interactive witness indistinguishable (NIWI) and zero-knowledge (NIZK) proof systems for a wide class of languages in groups endowed with a bilinear map. While quite powerful, their methods remain significantly more costly than the non-interactive proof heuristics enabled by the Fiat-Shamir paradigm [30] in the idealized random oracle model [9]. Recently, Jutla and Roy [42] showed that important efficiency improvements are possible for quasi-adaptive NIZK (QA-NIZK) proofs, i.e., where the common reference string (CRS) may depend on the specific language for which proofs are being generated but a single CRS simulator works for the entire class of languages. For the specific task of proving that a vector of n group elements belongs to a linear subspace of rank t, Jutla and Roy [42] gave computationally sound QA-NIZK proofs of length \(\varTheta (n-t)\), whereas the Groth-Sahai (GS) techniques entail \(\varTheta (n+t)\) group elements per proof. They subsequently refined their techniques, reducing the proof’s length to a constant [43], regardless of the number of equations or the number of variables. Libert et al. [49] independently obtained similar improvements using different techniques. Other constructions were recently given by Abdalla et al. [1] and Kiltz and Wee [47], who gave a general methodology for building short QA-NIZK arguments.

The design of non-malleable protocols, primarily IND-CCA2-secure encryption schemes, at times appeals to NIZK proofs endowed with a property named simulation-soundness by Sahai [56]: informally, an adversary should remain unable to prove a false statement by itself, even with the help of an oracle generating simulated proofs for (possibly false) adversarially-chosen statements. Groth [35] and Camenisch et al. [19] extended the Groth-Sahai techniques so as to obtain simulation-sound NIZK proofs. Their techniques incur a substantial overhead due to the use of quadratic pairing product equations, OR proofs or IND-CCA2-secure encryption schemes. It was shown [41, 45, 51] that one-time simulation-soundness —where the adversary obtains only one simulated proof— is much cheaper to achieve than unbounded simulation-soundness (USS). When it comes to proving membership of linear subspaces, Libert, Peters, Joye and Yung [49] gave very efficient unbounded simulation-sound quasi-adaptive NIZK proofs which do not require quadratic pairing product equations or IND-CCA2-secure encryption. As in the improved solution of Kiltz and Wee [47], their USS QA-NIZK arguments have constant size, regardless of the dimensions of the considered subspace. Unfortunately, the simulation-soundness of their proof system does not tightly reduce to the underlying assumption. The multiplicative gap between the reduction’s probability of success and the adversary’s advantage depends on the number q of simulated proofs observed by the adversary. As a consequence, the results of [47, 49] do not imply tight chosen-ciphertext security [38] in a scenario —first envisioned by Bellare, Boldyreva and Micali [7]— where the adversary obtains polynomially many challenge ciphertexts. As of now, USS proof systems based on OR proofs [35, 38] are the only ones to enable tight multi-challenge security and it is unclear how to render them as efficient as [49] for linear equations.

Tightness and Chosen-Ciphertext Security. Bellare, Boldyreva and Micali [7] showed that, if a public-key cryptosystem is secure in the sense of the one-user, one-challenge security definition [55], it remains secure in a more realistic multi-user setting where the adversary obtains polynomially many challenge ciphertexts. Their reduction involves a loss of exact security which is proportional to the number of users and the number of challenge ciphertexts. They also showed that, in the Cramer-Shoup encryption scheme [28], the degradation factor only depends on the number of challenges per user. Hofheinz and Jager [38] used a tightly secure simulation-sound proof system to build the first encryption system whose IND-CCA2 security tightly reduces to a standard assumption in the multi-user, multi-challenge setting. Due to very large ciphertexts, their scheme was mostly a feasibility result and the same holds for the improved constructions of Abe et al. [5]. Until recently, the only known CCA2-secure encryption schemes with tight security in the multi-challenge, multi-user setting either relied on non-standard q-type assumptions [37] —where the number of input elements depends on the number of adversarial queries— or incurred long ciphertexts [5, 38] comprised of hundreds of group elements (or both). One of the reasons is that solutions based on standard assumptions [5, 38, 50] build on simulation-sound proof systems relying on OR proofs. Libert et al. [50] gave an almost tightly IND-CCA2-secure system in the multi-challenge setting where, despite their use of OR proofs, ciphertexts only require 69 group elements under the Decision Linear assumption. Unfortunately, their result falls short of implying constant-size simulation-sound QA-NIZK proofs of linear subspace membership since each vector coordinate would require its own proof elements. In particular, the technique of [50] would result in long proofs made of \(O(\lambda )\) group elements in the setting of key-dependent message CCA2 security, where O(1) group elements per proof suffice [43, Section 6] if we accept a loose reduction.

Very recently, Hofheinz et al. [40] put forth an almost tightly secure IBE scheme in the multi-challenge, multi-instance scenario. While their result implies an almost tightly CCA2 secure public-key encryption scheme via the Canetti-Halevi-Katz paradigm [21], it relies on composite order groups. In [40], it was left as an open problem to apply the same technique under standard assumptions in the (notoriously much more efficient) prime order setting.

Our Contributions. As a core technical innovation, this paper presents short QA-NIZK proofs of linear subspace membership (motivated by those in [43, 49]) where the unbounded simulation-soundness property can be almost tightly —in the terminology of Chen and Wee [23]— related to the standard Decision Linear (DLIN) assumption [16]. As in [23], the loss of concrete security only depends on the security parameter, and not on the number of simulated proofs obtained by the adversary, which solves a problem left open in [49]. Our construction only lengthens the QA-NIZK proofs of Libert et al. [49] by a factor of 2 and thus retains the constant proof length of [49], independently of the dimensions of the subspace. In particular, it does not rely on an IND-CCA2-secure encryption scheme —which, in this context, would require a tightly secure CCA2 cryptosystem to begin with— and it does not even require quadratic equations.

Building on our QA-NIZK proofs and the Naor-Yung paradigm [54], we obtain a new public-key encryption scheme which is proved IND-CCA2-secure in the multi-challenge, multi-user setting under the Decision Linear assumption via an almost tight reduction. While the reduction is slightly looser than those of [5, 38], our security bound does not depend on the number of users or the number of challenges, so that our scheme is as secure in the multi-challenge, multi-user scenario as in the single-challenge, single-user setting. Like [5, 38], our construction features publicly recognizable well-formed ciphertexts, which makes it suitable for non-interactive threshold decryption. Moreover, our ciphertexts are much shorter than those of [5, 38] as they only consist of 48 group elements under the DLIN assumption, whereas the most efficient construction based on the same assumption [50] entails 69 group elements per ciphertext.

Our constant-size proofs offer more dramatic savings when it comes to encrypting long messages without affecting the compatibility with zero-knowledge proofs. We can encrypt N group elements at once while retaining short proofs, which only takes \(2N+46\) group elements per ciphertext. The asymptotic expansion ratio of 2 —which is inherent to the Naor-Yung technique— is thus optimal. To our knowledge, all prior results on tight CCA2 security would incur \(\varTheta (N)\) elements per proof and thus a higher expansion rate in this situation. In turn, our encryption schemes imply tightly secure non-interactive universally composable (UC) commitments [20, 27] with adaptive security in the erasure model. In particular, using the same design principle as previous UC commitments [31, 42, 52] based on CCA2-secure cryptosystems, our scheme for long messages allows committing to N group elements at once with a two-fold expansion rate.

Using our QA-NIZK proof system, we also construct an almost tightly secure encryption scheme with key-dependent message chosen-ciphertext security (KDM-CCA2) [12, 18] —in the sense of [19]— with shorter ciphertexts. Analogously to the Jutla-Roy construction [43, Section 6], our system offers substantial savings w.r.t. [19] as it allows for constant-size proofs even though, due to the use of the Boneh et al. approach [18] to KDM security, the dimension of underlying vectors of group elements depends on the security parameter. Like the Jutla-Roy construction [43], our KDM-CCA2 system only lengthens the ciphertexts of its underlying KDM-CPA counterpart by a constant number of group elements. Unlike [43], however, the KDM-CCA2 security of our scheme is almost tightly related to the DLIN assumption. So far, the most efficient tightly KDM-CCA2 system was implied by the results of Hofheinz-Jager [38] and Abe et al. [5], which incur rather long proofs. Our QA-NIZK proofs yield ciphertexts that are about \(75\,\%\) shorter, as we show in the full version of the paper.

Our Techniques. Our QA-NIZK arguments (as the construction in [49]) build on linearly homomorphic structure-preserving signatures (LHSPS) [48]. In [49], each proof of subspace membership is a Groth-Sahai NIWI proof of knowledge of a homomorphic signature on the vector \(\varvec{v}\) whose membership is being proved. The security analysis relies on the fact that, with some probability, all simulated proofs take place on a perfectly NIWI Groth-Sahai CRS while the adversary’s fake proof pertains to a perfectly binding CRS. Here, in order to do this without applying Waters’ partitioning method [58] to the CRS space as in [53], we let the prover generate a Groth-Sahai CRS \(\mathbf {F}=(\varvec{f_1},\varvec{f_2},\varvec{F})\) of its choice (a similar technique was used by Escala and Groth [29] in a different context), for vectors of group elements \(\varvec{f_1},\varvec{f_2},\varvec{F} \in \mathbb {G}^3\), and first prove that this CRS is perfectly binding (i.e., \(\varvec{F} \) lives in \(\mathsf {span}\langle \varvec{f_1},\varvec{f_2} \rangle \)). This seemingly additional “freedom” that we give the prover ends up allowing a stronger simulator (tight simulation-soundness).

Simulation-soundness is, in fact, obtained by having the prover demonstrate that either: (i) The prover’s CRS \(\mathbf {F}\) is perfectly binding; or (ii) The prover knows a signature which only the NIZK simulator would be able to compute using some simulation trapdoor. One key idea is that, since the latter OR proof involves a relatively short statement (namely, the membership of a two-dimensional subspace) which the adversary has no control on, it can be generated using a constant number of group elements and using only linear pairing product equations.

In order to efficiently prove the above OR statement, we leverage the algebraic properties of a variant of the Chen-Wee signature scheme [23], recently proposed by Libert et al. [50], which was proved almost tightly secure under the DLIN assumption. In short, the real prover computes a pseudo-signature \(\sigma \) (without knowing the signing key) on the verification key of a one-time signature and uses the real witnesses to prove that \(\mathbf {F}\) is a perfectly binding CRS. In contrast, the simulator computes a real signature \(\sigma \) using the private key instead of the real witnesses. In order to make sure that simulated proofs will be indistinguishable from real proofs, we apply a technique —implicitly used in [50]— consisting of hiding the linear subspace from which a partially committed vector of group elements defined by the signature \(\sigma \) is chosen: while a pseudo-signature fits within a proper subspace of a linear space specified by the public key, real signatures live in the full linear space. A difference between our approach and the one of [50] is our non-modular and more involved use of the signature scheme, yet the technique we point at above may be useful elsewhere. Our QA-NIZK CRS actually contains the description of a linear subspace which mixes the public key components of the signature and vectors used to build the prover’s Groth-Sahai CRS \(\mathbf {F}\). In order to implement the OR proof, our idea is to make sure that the only way to prove a non-perfectly-binding CRS \(\mathbf {F}\) is to compute the committed \(\sigma \) as a real signature for a legally modified public key. By “legally modified key,” we mean that some of its underlying private components may be scaled by an adversarially-chosen factor \(x \in \mathbb {Z}_p\) as long as the adversary also outputs \(g^x\). While we rely on an unusual security property of the signature which allows the adversary to tamper with the public key, this property can be proved under the standard DLIN assumption in the scheme of [50]. This unusual property is a crucial technique allowing us to prove the OR statement about the ephemeral CRS \(\mathbf {F}\) without using quadratic equations.

In turn, the simulation-soundness relies on the fact that, unless some security property of the signature of [50] is broken, the adversary still has to generate its fake proof on a perfectly binding CRS. If this condition is satisfied, we can employ the arguments as in [49] to show that the reduction is able to extract a non-trivial homomorphic signature, thus breaking the DLIN assumption.

Full Version. The full version of this paper is available as Cryptology ePrint Archive, Report 2015/242 at URL http://eprint.iacr.org/2015/242.

2 Background and Definitions

2.1 Hardness Assumptions

We consider groups \((\mathbb {G},\mathbb {G}_T)\) of prime-order p endowed with a bilinear map \(e:\mathbb {G}\times {\mathbb {G}} \rightarrow \mathbb {G}_T\). In this setting, we rely on the standard Decision Linear assumption.

Definition 1

[16] The Decision Linear Problem (DLIN) in \(\mathbb {G}\) is to distinguish the distributions \((g^{a},g^b,g^{ac},g^{bd},g^{c+d})\) and \((g^{a},g^b,g^{ac},g^{bd},g^{z})\), with \(a,b,c,d \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p\), \(z\mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p \). The DLIN assumption asserts the intractability of DLIN for any PPT distinguisher.

We also use the following problem, which is at least as hard as DLIN [22].

Definition 2

The Simultaneous Double Pairing problem (SDP) in \((\mathbb {G}, \mathbb {G}_T)\) is, given group elements \(( {g_z}, {g_r}, {h_{z}}, {h_{u}}) \in {\mathbb {G}}^4 \), to find a non-trivial triple \((z,r,u) \in \mathbb {G}^3 \backslash \{(1_{\mathbb {G}},1_{\mathbb {G}},1_{\mathbb {G}})\}\) such that \(e( z, {g_z}) \cdot e(r,{g_{r}})=1_{\mathbb {G}_T}\) and \(e(z,{h_z} ) \cdot e(u, {h_{u}})=1_{\mathbb {G}_T}\).

2.2 Quasi-Adaptive NIZK Proofs and Simulation-Soundness

Quasi-Adaptive NIZK (QA-NIZK) proofs are NIZK proofs where the CRS is allowed to depend on the specific language for which proofs have to be generated. The CRS is divided into a fixed part \(\Gamma \), produced by an algorithm \(\mathsf {K}_0\), and a language-dependent part \(\psi \). However, there should be a single simulator for the entire class of languages.

Let \(\lambda \) be a security parameter. For public parameters \(\Gamma \leftarrow \mathsf {K}_0 (\lambda )\), let \(\mathcal {D}_{\Gamma }\) be a probability distribution over a collection of relations \(\mathcal {R}=\{R_{\rho }\}\) parametrized by a string \({\rho }\) with an associated language \( \mathcal {L}_{\rho }=\{x \mid \exists w : R_{{\rho }}(x,w)=1\}.\)

We consider proof systems where the prover and the verifier both take a label \(\mathsf {lbl}\) as additional input. For example, this label can be the message-carrying part of an ElGamal-like encryption. Formally, a tuple of algorithms \((\mathsf {K}_0,\mathsf {K}_1,\mathsf {P},\mathsf {V})\) is a QA-NIZK proof system for \(\mathcal {R}\) if there exists a PPT simulator \(({\mathsf {S}}_1,{\mathsf {S}}_2)\) such that, for any PPT adversaries \(\mathcal {A}_1,\mathcal {A}_2\) and \(\mathcal {A}_3\), we have the following properties:

  • Quasi-Adaptive Completeness:

    $$\begin{aligned}&\Pr [\Gamma \leftarrow \mathsf {K}_0(\lambda ); ~\rho \leftarrow \mathcal {D}_{\Gamma };~\psi \leftarrow \mathsf {K}_1(\Gamma ,\rho );\\&\qquad \qquad \qquad (x,w,\mathsf {lbl}) \leftarrow \mathcal {A}_1(\Gamma ,\psi ,\rho );~\pi \leftarrow \mathsf {P}(\psi ,x,w,\mathsf {lbl}):\\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \mathsf {V}(\psi ,x,\pi ,\mathsf {lbl})=1 ~\text { if } R_{\rho }(x,w)=1]=1. \end{aligned}$$
  • Quasi-Adaptive Soundness:

    $$\begin{aligned}&\Pr [\Gamma \leftarrow \mathsf {K}_0(\lambda ); ~\rho \leftarrow \mathcal {D}_{\Gamma };~\psi \leftarrow \mathsf {K}_1(\Gamma ,\rho ); ~(x,\pi ,\mathsf {lbl}) \leftarrow \mathcal {A}_2(\Gamma ,\psi ,\rho ):\\&\qquad \quad \qquad \qquad \ \ \mathsf {V}(\psi ,x,\pi ,\mathsf {lbl})=1 ~\wedge ~ \lnot (\exists w : R_{\rho }(x,w)=1)] \in \mathsf {negl}(\lambda ). \end{aligned}$$
  • Quasi-Adaptive Zero-Knowledge:

    $$\begin{aligned}&\Pr [\Gamma \leftarrow \mathsf {K}_0(\lambda ); ~\rho \leftarrow \mathcal {D}_{\Gamma };~\psi \leftarrow \mathsf {K}_1(\Gamma ,\rho )~:~ \mathcal {A}_3^{\mathsf {P}(\psi ,.,.)}(\Gamma ,\psi ,\rho ) =1] \\&\qquad \qquad \quad \approx \Pr [\Gamma \leftarrow \mathsf {K}_0(\lambda ); ~\rho \leftarrow \mathcal {D}_{\Gamma };~(\psi ,\tau _{sim}) \leftarrow {\mathsf {S}}_1(\Gamma ,\rho )~:\\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \quad \mathcal {A}_3^{{\mathsf {S}}(\psi ,\tau _{sim},.,.,.)}(\Gamma ,\psi ,\rho ) =1], \end{aligned}$$

    where

    • \(\mathsf {P}(\psi ,.,.,.)\) emulates the actual prover. It takes as input \((x,w)\) and \(\mathsf {lbl}\) and outputs a proof \(\pi \) if \((x,w) \in R_{\rho }\). Otherwise, it outputs \(\perp \).

    • \({\mathsf {S}}(\psi ,\tau _{sim},.,.,.)\) is an oracle that takes as input \((x,w)\) and \(\mathsf {lbl}\). It outputs a simulated proof \({\mathsf {S}}_2(\psi ,\tau _{sim},x,\mathsf {lbl})\) if \((x,w) \in R_{\rho }\) and \(\perp \) if \((x,w) \not \in R_{\rho }\).

We assume that the CRS \(\psi \) contains an encoding of \(\rho \), which is thus available to \(\mathsf {V}\). The definition of Quasi-Adaptive Zero-Knowledge requires a single simulator for the entire family of relations \(\mathcal {R}\).

The property called simulation-soundness [56] requires that the adversary remain unable to prove false statements even after having seen simulated proofs for potentially false statements. We consider the strongest form, called unbounded simulation-soundness (USS) as opposed to one-time simulation-soundness, where the adversary is allowed to see polynomially many simulated proofs.

In order to use QA-NIZK proofs in a modular manner without degrading the exact security of our constructions, we will require simulation-soundness to hold even if the adversary \(\mathcal {A}_4\) has a trapdoor \(\tau _m\) that allows deciding membership in the language \(\mathcal {L}_\rho \). We thus assume that the algorithm \(\mathcal {D}_\Gamma \) outputs a language parameter \(\rho \) and a trapdoor \(\tau _{m}\) that allows recognizing elements of \(\mathcal {L}_{\rho }\). This trapdoor \(\tau _m\) is revealed to \(\mathcal {A}_4\) and should not help prove false statements.

Enhanced Unbounded Simulation-Soundness: For any PPT adversary \(\mathcal {A}_4\),

  • $$\begin{aligned}&\Pr [\Gamma \leftarrow \mathsf {K}_0(\lambda ); ~(\rho ,\tau _m) \leftarrow \mathcal {D}_{\Gamma };~(\psi ,\tau _{sim}) \leftarrow {\mathsf {S}}_1(\Gamma ,\rho );\\&\quad \qquad \qquad \qquad (x,\pi ,\mathsf {lbl}) \leftarrow \mathcal {A}_4^{{\mathsf {S}}_2(\psi ,\tau _{sim},.,.)}(\Gamma ,\psi ,\rho ,\tau _m):\\&\mathsf {V}(\psi ,x,\pi ,\mathsf {lbl})=1 ~\wedge ~ \lnot (\exists w : R_{\rho }(x,w)=1) ~\wedge ~(x,\pi ,\mathsf {lbl}) \not \in Q] \in \mathsf {negl}(\lambda ) , \end{aligned}$$

    where the adversary is allowed unbounded access to an oracle \({\mathsf {S}}_2(\psi ,\tau _{sim},.,.)\) that takes as input statement-label pairs \((x,\mathsf {lbl})\) (where x may be outside \(\mathcal {L}_{\rho }\)) and outputs simulated proofs \(\pi \leftarrow {\mathsf {S}}_2(\psi ,\tau _{sim},x,\mathsf {lbl})\) before updating the set \(Q = Q \cup \{(x,\pi ,\mathsf {lbl})\}\), which is initially empty.

The standard notion of soundness can be enhanced in a similar way, by handing the membership testing trapdoor \(\tau _m\) to \(\mathcal {A}_2\). In the weaker notion of one-time simulation-soundness, only one query to the \({\mathsf {S}}_2\) oracle is allowed.

In order to achieve tight security in the multi-user setting, we also consider a notion of unbounded simulation-soundness in the multi-CRS setting. Namely, the adversary is given a set of \(\mu \) reference strings \(\{\psi _\kappa \}_{\kappa =1}^\mu \) for language parameters \(\{\rho _\kappa \}_{\kappa =1}^\mu \) and should remain unable to break the soundness of one of these after having seen multiple simulated proofs for each CRS \(\psi _\kappa \). A standard argument shows that (enhanced) unbounded simulation-soundness in the multi-CRS setting is implied by the same notion in the single-CRS setting. However, the reduction is far from being tight as it loses a factor \(\mu \). In our construction, the random self-reducibility of the underlying hard problems fortunately allows avoiding this security loss in a simple and natural way.

Enhanced Unbounded Simulation-Soundness in the multi-CRS setting: For any PPT adversary \(\mathcal {A}_4\), we have

  • $$\begin{aligned}&\Pr [\Gamma \leftarrow \mathsf {K}_0(\lambda ); ~\{\rho _\kappa ,\tau _{m,\kappa } \}_{\kappa =1}^\mu \leftarrow \mathcal {D}_{\Gamma }; (\{\psi _\kappa ,\tau _{sim,\kappa }\}_{\kappa =1}^\mu ) \leftarrow {\mathsf {S}}_1(\Gamma ,\{\rho _\kappa \}_{\kappa =1}^\mu ); \\&\qquad (\kappa ^\star ,x,\pi ,\mathsf {lbl}) \leftarrow \mathcal {A}_4^{{\mathsf {S}}_2 (\{\psi _\kappa \}_{\kappa =1}^\mu ,\{\tau _{sim,\kappa }\}_{\kappa =1}^\mu ,. ,.,. )} (\Gamma ,\{\psi _\kappa ,\rho _\kappa ,\tau _{m,\kappa } \}_{\kappa =1}^\mu ) : \\&\mathsf {V}(\psi _{\kappa ^\star },x,\pi ,\mathsf {lbl})=1 ~\wedge ~ \lnot (\exists w : R_{\rho _{\kappa ^\star }}(x,w)=1) ~\wedge ~(\kappa ^\star ,x,\pi ,\mathsf {lbl}) \not \in Q] \in \mathsf {negl}(\lambda ). \end{aligned}$$

    Here, \(\mathcal {A}_4\) has access to an oracle \({\mathsf {S}}_2(\{\psi _\kappa \}_{\kappa =1}^\mu ,\{\tau _{sim,\kappa }\}_{\kappa =1}^\mu ,.,.,.)\) that takes as input tuples \((j,x,\mathsf {lbl})\) (where x may be outside \(\mathcal {L}_{\rho _j}\)) and outputs simulated proofs \(\pi \leftarrow {\mathsf {S}}_2(\{\psi _\kappa \}_{\kappa =1}^\mu ,\{\tau _{sim,\kappa }\}_{\kappa =1}^\mu ,j,x,\mathsf {lbl})\) for \(\mathcal {L}_{\rho _j}\) before updating the set \(Q = Q \cup \{(j,x,\pi ,\mathsf {lbl})\}\), which is initially empty.

The standard notion of soundness extends to the multi-CRS setting in a similar way and it can be enhanced by giving \(\{\psi _\kappa \}_{\kappa =1}^\mu \) and the membership trapdoors \(\{\tau _{m,\kappa }\}_{\kappa =1}^\mu \) to the adversary. The definition of quasi-adaptive zero-knowledge readily extends as well, by having \({\mathsf {S}}_1\) output \(\{\psi _\kappa ,\tau _{sim,\kappa }\}_{\kappa =1}^\mu \) while the oracle \({\mathsf {S}}\) and the simulator \({\mathsf {S}}_2\) both take an additional index \(j \in \{1,\cdots ,\mu \}\) as input.

2.3 Linearly Homomorphic Structure-Preserving Signatures

Structure-preserving signatures [3, 4] are signature schemes where messages and public keys consist of elements in the group \(\mathbb {G}\) of a bilinear configuration \((\mathbb {G},\mathbb {G}_T)\).

Libert et al. [48] considered structure-preserving signatures with linear homomorphic properties (see the full version of the paper for formal definitions). This section reviews the one-time linearly homomorphic structure-preserving signature (LHSPS) of [48].

  • \({\mathbf {\mathsf{{Keygen}}}}\mathsf {(\lambda ,n)}\): given a security parameter \(\lambda \) and the subspace dimension \(n \in \mathbb {N}\), choose a bilinear group \((\mathbb {G},\mathbb {G}_T)\) of prime order \(p >2^{\lambda }\). Then, choose \({g_z},{g_r},{h_z},{h_u} \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}{\mathbb {G}}\). For \(i=1\) to n, choose \(\chi _i,\gamma _i,\delta _i \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p\) and compute \({g_i}={g_z}^{\chi _i} {g_r}^{\gamma _i}\), \({h_i}={h_z}^{\chi _i} {h_u}^{\delta _i}\). The private key is \(\mathsf {sk}= \{ (\chi _i, \gamma _i,\delta _i ) \}_{i=1}^n \) and the public key is \( \mathsf {pk}=\big ( {g_z},~{g_r},~{h_z},~ {h_u},\{ ({g_i},{h_i} ) \}_{i=1}^n \big ) \in {\mathbb {G}}^{2n+4}\).

  • \({\mathbf {\mathsf{{Sign}}}}(\mathsf {sk}, (M_1,\cdots ,M_n))\): to sign a vector \((M_1,\ldots ,M_n) \in \mathbb {G}^n\) using \(\mathsf {sk}= \{ (\chi _i, \gamma _i,\delta _i ) \}_{i=1}^n \), output \(\sigma =(z,r,u ) =\big ( \prod _{i=1}^n M_i^{-\chi _i} , \prod _{i=1}^n M_i^{-\gamma _i} ,\prod _{i=1}^n M_i^{-\delta _i} \big )\).

  • \({\mathbf {\mathsf{{SignDerive}}}}(\mathsf {pk}, \{(\omega _i, \sigma ^{(i)})\}_{i=1}^\ell )\): given \(\mathsf {pk}\) as well as \(\ell \) tuples \((\omega _i,\sigma ^{(i)}) \), parse \(\sigma ^{(i)}\) as \(\sigma ^{(i)}=\big ( z_i,r_i,u_i \big ) \) for \(i=1\) to \(\ell \). Return the triple \(\sigma =(z,r,u ) \in \mathbb {G}^3\), where \(z = \prod _{i=1}^\ell z_{i}^{\omega _i}\), \(r=\prod _{i=1}^{\ell } r_i^{\omega _i}\), \(u=\prod _{i=1}^{\ell } u_i^{\omega _i} \).

  • \({\mathbf {\mathsf{{Verify}}}}(\mathsf {pk},\sigma , (M_1,\ldots ,M_n))\): given \(\sigma =(z,r,u ) \in \mathbb {G}^3\) and \((M_1,\ldots ,M_n)\), return 1 if and only if \((M_1,\ldots ,M_n)\ne (1_{\mathbb {G}},\ldots ,1_{\mathbb {G}})\) and \((z,r,u)\) satisfy

    $$\begin{aligned} 1_{\mathbb {G}_T} = e({g_z},z) \cdot e({g_r},r) \cdot \prod _{i=1}^n e(g_i,M_i) = e({h_z},z) \cdot e({h_u},u) \cdot \prod _{i=1}^n e(h_i,M_i). \end{aligned}$$
    (1)

Our simulation-sound proof system will rely on the fact that the above scheme provides tight security under the DLIN assumption, as implicitly shown in [48].
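To make the algebra of the one-time LHSPS above concrete, here is an added example (not code from the paper) that implements Keygen, Sign, SignDerive and Verify in a discrete-log model of a symmetric bilinear group: every element \(g^x\) is stored as its exponent x mod p, so the pairing \(e(g^a,g^b)=e(g,g)^{ab}\) becomes a product in \(\mathbb {Z}_p\) and \(1_{\mathbb {G}}\) becomes 0. The 61-bit prime, the dimension n = 3 and the two signed vectors are constructed for illustration; this checks that equation (1) holds for fresh and derived signatures and fails for a tampered vector, and is not a secure implementation.

```python
# Added example: one-time LHSPS of [48] in an exponent ("discrete-log") model.
# Group elements are exponents mod P; the pairing is multiplication mod P.
# P is a toy modulus chosen for this example, not a real security parameter.
import secrets

P = 2**61 - 1  # constructed choice of group order for the toy model


def rand_zp():
    """Uniform non-zero element of Z_p (no element maps to 1_G by accident)."""
    return secrets.randbelow(P - 1) + 1


def keygen(n):
    """Keygen(lambda, n): pk = (g_z, g_r, h_z, h_u, {(g_i, h_i)}), sk = {(chi_i, gamma_i, delta_i)}."""
    gz, gr, hz, hu = (rand_zp() for _ in range(4))
    sk = [(rand_zp(), rand_zp(), rand_zp()) for _ in range(n)]
    # g_i = g_z^chi_i * g_r^gamma_i and h_i = h_z^chi_i * h_u^delta_i, as exponents
    g = [(gz * chi + gr * gam) % P for chi, gam, _ in sk]
    h = [(hz * chi + hu * dlt) % P for chi, _, dlt in sk]
    return {"gz": gz, "gr": gr, "hz": hz, "hu": hu, "g": g, "h": h}, sk


def sign(sk, msg):
    """Sign(sk, (M_1..M_n)): sigma = (prod M_i^-chi_i, prod M_i^-gamma_i, prod M_i^-delta_i)."""
    z = -sum(m * chi for m, (chi, _, _) in zip(msg, sk)) % P
    r = -sum(m * gam for m, (_, gam, _) in zip(msg, sk)) % P
    u = -sum(m * dlt for m, (_, _, dlt) in zip(msg, sk)) % P
    return (z, r, u)


def sign_derive(pk, pairs):
    """SignDerive(pk, {(omega_i, sigma_i)}): coordinate-wise product of sigma_i^omega_i."""
    z = sum(w * s[0] for w, s in pairs) % P
    r = sum(w * s[1] for w, s in pairs) % P
    u = sum(w * s[2] for w, s in pairs) % P
    return (z, r, u)


def verify(pk, sig, msg):
    """Verify(pk, sigma, M): the two pairing products of equation (1) must equal
    1_{G_T} (exponent 0) and M must not be the all-ones vector (all exponents 0)."""
    if all(m % P == 0 for m in msg):
        return False
    z, r, u = sig
    lhs = (pk["gz"] * z + pk["gr"] * r + sum(gi * m for gi, m in zip(pk["g"], msg))) % P
    rhs = (pk["hz"] * z + pk["hu"] * u + sum(hi * m for hi, m in zip(pk["h"], msg))) % P
    return lhs == 0 and rhs == 0


def combine(msgs, weights):
    """Message-side homomorphism: prod_j (M^(j))^omega_j, coordinate by coordinate."""
    n = len(msgs[0])
    return [sum(w * m[i] for w, m in zip(weights, msgs)) % P for i in range(n)]


def demo(n=3, ell=2):
    """Signs ell random vectors, derives a signature on a random combination of them,
    and reports which verification checks pass (all four should be True)."""
    pk, sk = keygen(n)
    msgs = [[rand_zp() for _ in range(n)] for _ in range(ell)]
    sigs = [sign(sk, m) for m in msgs]
    weights = [rand_zp() for _ in range(ell)]
    derived = sign_derive(pk, list(zip(weights, sigs)))
    combined = combine(msgs, weights)
    tampered = combined[:]
    tampered[0] = (tampered[0] + 1) % P  # one coordinate multiplied by g
    return {
        "fresh_ok": all(verify(pk, s, m) for s, m in zip(sigs, msgs)),
        "derived_ok": verify(pk, derived, combined),
        "tampered_rejected": not verify(pk, derived, tampered),
        "identity_rejected": not verify(pk, sign(sk, [0] * n), [0] * n),
    }


if __name__ == "__main__":
    print(demo())
```

Because the model exposes the discrete logs, one can also see why the scheme is only one-time: with enough signed vectors spanning \(\mathbb {G}^n\), the simulator of the paper can derive a signature on any vector, which is exactly what the reduction in Section 3 exploits against a forger.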

3 Constant-Size QA-NIZK Proofs of Linear Subspace Membership with Tight Simulation-Soundness

At a high level, our proof system can be seen as a variant of the construction of Libert et al. [49] with several modifications that allow us to tightly relate the simulation-soundness property to the DLIN assumption. The construction also uses the tightly secure signature scheme of [50].

3.1 Intuition

Like [49], we combine linearly homomorphic signatures and Groth-Sahai proofs for pairing product equations. Each QA-NIZK proof consists of a Groth-Sahai NIWI proof of knowledge of a homomorphic signature on the candidate vector \(\varvec{v}\). By making sure that all simulated proofs take place on a perfectly WI CRS, the simulator is guaranteed to leak little information about its simulation trapdoor, which is the private key of the homomorphic signature. At the same time, if the adversary’s proof involves a perfectly binding CRS, the reduction can extract a homomorphic signature that it would have been unable to compute and solve a DLIN instance. To implement this approach, the system of [49] uses Waters’ partitioning technique [58] in the fashion of [53], which inevitably [39] affects the concrete security by a factor proportional to the number q of queries.

Our first main modification is that we let the prover compute the Groth-Sahai NIWI proof on a CRS \(\mathbf {F}\) of his own and append a proof \(\pi _{{F}}\) that the chosen CRS is perfectly binding, which amounts to proving the membership of a two-dimensional linear subspace \(\mathsf {span} \langle \varvec{f_1},\varvec{f_2}\rangle \). At first, it appears that \(\pi _{{F}}\) has to be simulation-sound itself since, in all simulated proofs, the reduction must trick the adversary into believing that the ephemeral CRS \(\mathbf {F}\) is perfectly sound. Fortunately, the reduction only needs to do this for vectors of its choice —rather than adversarially chosen vectors— and this scenario can be accommodated by appropriately mixing the subspace of Groth-Sahai vectors \(\varvec{f_1},\varvec{f_2} \in \mathbb {G}^3\) with the one in the public key of the signature scheme of [50].

The NIWI proof of knowledge is thus generated for a Groth-Sahai CRS \(\mathbf {F}=(\varvec{f_1},\varvec{f_2},\varvec{F})\) where \(\varvec{f_1}\) and \(\varvec{f_2}\) are part of the global CRS but \(\varvec{F} \in \mathbb {G}^3\) is chosen by the prover and included in the proof. To prove that \(\mathbf {F}\) is a perfectly sound CRS, honest provers derive a homomorphic signature \((Z,R,U)\) from the first \(4L+2\) rows of a matrix \(\mathbf {M} \in \mathbb {G}^{(4L+5) \times (4L+6)}\) defined by the public key of the signature scheme and fixed vectors \(\varvec{f_1},\varvec{f_2},\varvec{f_0} \in \mathbb {G}^3\). The first two rows allow deriving a signature on the honestly generated \(\varvec{F}=\varvec{f}_1^{\mu _1}\cdot \varvec{f}_2^{\mu _2}\) from publicly available homomorphic signatures on \(\varvec{f}_1\) and \(\varvec{f}_2\). The next 4L rows are used to demonstrate the validity of a pseudo-signature \((\sigma _1,\sigma _2,\sigma _3)=(H(\varvec{V},\mathsf {VK})^r \cdot H(\varvec{W},\mathsf {VK})^s,f^r,h^s)\) on the verification key \(\mathsf {VK}\) of a one-time signature. This allows the prover to derive a homomorphic signature \((Z,R,U)\) that authenticates a specific vector \(\varvec{\sigma } \in \mathbb {G}^{(4L+6)}\) determined by \(\varvec{F}\) and the pseudo-signature \((\sigma _1,\sigma _2,\sigma _3)\).

The proof of simulation-soundness uses a strategy where, with high probability, all simulated proofs will take place on a perfectly NIWI CRS \(\mathbf {F}=(\varvec{f_1},\varvec{f_2},\varvec{F})\) —where \(\varvec{F} \in \mathbb {G}^3\) is linearly independent of \((\varvec{f_1},\varvec{f_2})\)— whereas the adversary’s fake proof \(\pi ^\star \) will contain a vector \(\varvec{F}^\star \in \mathbb {G}^3\) such that \(\mathbf {F}=(\varvec{f_1},\varvec{f_2},\varvec{F}^\star )\) is an extractable CRS (namely, \(\varvec{F}^\star \in \mathsf {span}\langle \varvec{f_1},\varvec{f_2} \rangle \)). In order to satisfy the above conditions, the key idea is to have each QA-NIZK proof demonstrate that either: (i) the vector \(\varvec{F}\) contained in \(\pi \) satisfies \(\varvec{F} \in \mathsf {span} \langle \varvec{f_1},\varvec{f_2} \rangle \); or (ii) \((\sigma _1,\sigma _2,\sigma _3)\) is a real signature rather than a pseudo-signature. Since \(\varvec{F} \in \mathbb {G}^3\) is chosen by the simulator, we can prove this compound statement without resorting to quadratic equations, by appropriately mixing linear subspaces. In more detail, using a perfectly NIWI CRS in all simulated proofs requires the reduction to introduce a dependency on the fixed \(\varvec{f_0} \in \mathbb {G}^3\) in the vector \(\varvec{F}\) which is included in the proof \(\pi \). In turn, in order to obtain a valid homomorphic signature on the vector \(\varvec{\sigma } \in \mathbb {G}^{(4L+6)}\) determined by \(\varvec{F}\) and \((\sigma _1,\sigma _2,\sigma _3)\), this forces the simulator to use the last row of the matrix \(\mathbf {M}\), which contains the vector \(\varvec{f_0} \in \mathbb {G}^3\) and the public key components \(\Omega _1,\Omega _2\) of the signature scheme in [50]. To satisfy the verification algorithm, the vector \(\varvec{\sigma }\) must contain \(1_\mathbb {G}\) in the coordinates where \(\Omega _1,\Omega _2\) are located in the last row of \(\mathbf {M}\). In order to retain these \(1_\mathbb {G}\)’s at these places, the simulator must use two other rows of \(\mathbf {M}\) to cancel out the introduction of \(\Omega _1,\Omega _2\) in \(\varvec{\sigma }\). Applying such a “correction” implies the capability of replacing the pseudo-signature \((\sigma _1,\sigma _2,\sigma _3,Z,R,U)\) by a pair \((\sigma ,X=g^x)\), where \(\sigma =(\sigma _1,\sigma _2,\sigma _3,Z,R,U)\) is a real signature for a possibly modified key.

In order to obtain a perfectly NIZK proof system, we need to unconditionally hide the actual subspace where \(\varvec{\sigma }\in \mathbb {G}^{(4L+6)}\) lives as well as the fact that \((\sigma _1,\sigma _2,\sigma _3)\) is a real signature in simulated proofs. To this end, we refrain from letting \((\sigma _1,Z,R,U)\) appear in the clear and replace them by perfectly hiding commitments \(\varvec{C}_{\sigma _1},\varvec{C}_Z,\varvec{C}_R,\varvec{C}_U\) to the same values and a NIWI proof that \((Z,R,U)\) is a valid homomorphic signature on the partially committed vector \(\varvec{\sigma }\). Using our technique, we only need to prove linear pairing product equations.

In their construction of a nearly tightly CCA2-secure cryptosystem, Libert et al. [50] used a somewhat similar approach based on pseudo-signatures, which consists of hiding the subspace in which a partially committed vector is chosen. However, besides falling short of providing constant-size QA-NIZK proofs of subspace membership, the approach of [50] requires quadratic equations. In contrast, while we also rely on pseudo-signatures, our technique for compactly hiding the underlying linear span completely avoids quadratic equations. It further yields constant-size simulation-sound QA-NIZK arguments fitting within 42 group elements, regardless of the dimensions of the subspace.

3.2 Construction

For simplicity, the description below assumes symmetric pairings \( e: \mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) but instantiations in asymmetric pairings \(e : \mathbb {G}\times \hat{\mathbb {G}} \rightarrow \mathbb {G}_T\), with \(\mathbb {G}\ne \hat{\mathbb {G}}\), are possible, as explained in the full version of the paper.

As in [42], we assume that the language parameter \(\varvec{\rho } \) is a matrix in \(\mathbb {G}^{t \times n}\), for some integers \(t,n \in \mathsf {poly}(\lambda )\) such that \(t<n\), with an underlying witness relation \(R_{\mathrm {par}}\) such that, for any \(\mathbf {A} \in \mathbb {Z}_p^{t \times n}\) and \(\varvec{\rho } \in \mathbb {G}^{t \times n}\), \(R_{\mathrm {par}}(\mathbf {A},\varvec{\rho })=1\) if and only if \(\varvec{\rho }=g^{\mathbf {A}}\). We consider distributions \(\mathcal {D}_{\Gamma } \subset \mathbb {G}^{t \times n}\) that are efficiently witness-samplable: namely, there is a PPT algorithm which outputs a pair \((\varvec{\rho },\mathbf {A})\) such that \(R_{\mathrm {par}}(\mathbf {A},\varvec{\rho })=1\) and describing a relation \(R_{\varvec{\rho }}\) with its associated language \(\mathcal {L}_{\rho }\) according to \(\mathcal {D}_{\Gamma }\). For example, the sampling algorithm could pick a random matrix \(\mathbf {A} \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p^{t \times n}\) and define \(\varvec{\rho }=g^{ \mathbf {A} }\).

  • \(\varvec{\mathsf {K}}_0(\lambda )\): choose symmetric bilinear groups \((\mathbb {G}, \mathbb {G}_T)\) of prime order \(p>2^\lambda \) with \( f, g,h \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}{\mathbb {G}}\). Choose a strongly unforgeable one-time signature \(\Sigma =(\mathcal {G},\mathcal {S},\mathcal {V})\) with verification keys consisting of L-bit strings, for a suitable \(L \in \mathsf {poly}(\lambda )\). Then, output \(\Gamma =(\mathbb {G},\mathbb {G}_T,f,g, h, \Sigma )\).

The dimensions \((t,n)\) of the matrix \(\mathbf {A} \in \mathbb {Z}_p^{t \times n}\) such that \(\varvec{\rho }=g^{\mathbf {A}}\) can be part of the language, so that \((t,n)\) can be given as input to algorithm \(\mathsf {K}_1\).

  • \(\varvec{\mathsf {K}}_1(\Gamma ,\varvec{\rho })\): parse \(\Gamma \) as \((\mathbb {G}, \mathbb {G}_T,f,g,h,\Sigma )\) and \(\varvec{\rho }\) as \(\varvec{\rho }=\big ( G_{i,j} \big )_{1\le i \le t,~1\le j \le n} \in \mathbb {G}^{t \times n}\).

    1. Generate key pairs \(\{(\mathsf {sk}_b,\mathsf {pk}_b)\}_{b=0}^1\) for the one-time homomorphic signature of Sect. 2.3 in order to sign vectors of \(\mathbb {G}^n\) and \(\mathbb {G}^{4L+6}\), respectively. Namely, choose \(g_z,g_r,h_z,h_u \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {G}\), \(G_z,G_r,H_z,H_u \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {G}\). Then, for \(i=1\) to n, pick \(\chi _{i},\gamma _i,\delta _i \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p\) and compute \({g_i}={g_z}^{\chi _i} {g_r}^{\gamma _i}\) and \({h_i}={h_z}^{\chi _i} {h_u}^{\delta _i}\). Let \(\mathsf {sk}_{0}= \{ \chi _i, \gamma _i,\delta _i \}_{i=1}^n \) be the private key and let \( \mathsf {pk}_{0} = \bigl ( {g_z},{g_r},{h_z}, {h_u}, \{{g_i},{h_i}\}_{i=1}^n \bigr ) \) be the public key. The second LHSPS key pair \((\mathsf {sk}_1,\mathsf {pk}_1)\) is generated analogously as \(\mathsf {sk}_{1}= \{ \varphi _i, \phi _i,\vartheta _i \}_{i=1}^{4L+6} \) and

      $$ \mathsf {pk}_{1} = \Bigl ( {G_z},~{G_r},~{H_z},~ {H_u},~ \{G_i = G_z^{\varphi _i} G_r^{\phi _i},~H_i=H_z^{\varphi _i} H_u^{\vartheta _i} \}_{i=1}^{4L+6} \Bigr ). $$
    2. Choose \(y_1,y_2,\xi _1,\xi _2,\xi _3 \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p\) and compute \(f_1=g^{y_1}\), \(f_2=g^{y_2}\). Define vectors \(\varvec{f_1}=(f_1,1_\mathbb {G},g)\), \(\varvec{f_2}=(1_\mathbb {G},f_2,g)\) and \(\varvec{f_3}=\varvec{f_1}^{\xi _1} \cdot \varvec{f_2}^{\xi _2} \cdot \iota (g)^{\xi _3}\), where \(\iota (g)=(1_\mathbb {G},1_\mathbb {G},g)\). Define the Groth-Sahai CRS \(\mathbf {f}=(\varvec{f_1},\varvec{f_2},\varvec{f_3})\). Then, define yet another vector \(\varvec{f_0}=\varvec{f_1}^{\nu _1} \cdot \varvec{f_2}^{\nu _2}\), with \(\nu _1,\nu _2 \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p\).

    3. For \(\ell =1\) to L, choose \({V}_{\ell ,0},{V}_{\ell ,1},{W}_{\ell ,0},{W}_{\ell ,1} \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}{\mathbb {G}}\) and define row vectors \(\varvec{{V}} = ({V}_{1,0},{V}_{1,1},\cdots ,{V}_{L,0},{V}_{L,1})\), \(\varvec{{W}} =({W}_{1,0},{W}_{1,1},\cdots ,{W}_{L,0},{W}_{L,1}) \).

    4. Choose random exponents \(\omega _1,\omega _2 \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p\) and group elements \(u_1,u_2 \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {G}\), and compute \({\Omega }_1={u}_1^{\omega _1} \in {\mathbb {G}}\), \({\Omega }_2={u}_2^{\omega _2} \in {\mathbb {G}}\).

    5. Define the matrix \(\mathbf {{M}} = \big ({M}_{i,j} \big )_{i,j} \in {\mathbb {G}}^{(4L+5) \times (4L+6)}\) as

      (2)

      with \(\mathbf {Id}_{{f},2L}={f}^{\mathbf {I}_{2L}} \in {\mathbb {G}}^{2L \times 2L}\), \(\mathbf {Id}_{{h},2L}={h}^{\mathbf {I}_{2L}} \in {\mathbb {G}}^{2L \times 2L}\), and where \(\mathbf {I}_{2L} \in \mathbb {Z}_p^{2L \times 2L}\) stands for the identity matrix. Note that the last row allows linking \(\varvec{f_0}\) and \(\Omega _1,\Omega _2\).

    6. Use \(\mathsf {sk}_{0}\) to generate one-time homomorphic signatures \(\{(z_i,r_i,u_i)\}_{i=1}^t\) on the vectors \((G_{i1},\ldots ,G_{in})\in \mathbb {G}^n\) that form the rows of \(\varvec{\rho } \in \mathbb {G}^{t \times n}\). These are given by \((z_i,r_i,u_i)=\big (\prod _{j=1}^n G_{i,j}^{-\chi _j},\prod _{j=1}^n G_{i,j}^{-\gamma _j},\prod _{j=1}^n G_{i,j}^{-\delta _j} \big )\) for each \(i \in \{1,\ldots ,t\}\). Likewise, use \(\mathsf {sk}_1\) to sign the rows \(\mathbf {M}_j=(M_{j,1},\ldots , M_{j,4L+6}) \) of the matrix (2) and obtain signatures

      $$ (Z_j,R_j,U_j) = \big (\prod _{k=1}^{4L+6} M_{j,k}^{-\varphi _k},~\prod _{k=1}^{4L+6} M_{j,k}^{-\phi _{k}},~\prod _{k=1}^{4L+6} M_{j,k}^{-\vartheta _k} \big ) $$

      for each \(j \in \{1,\ldots ,4L+5\}\).

    7. The CRS \(\psi =(\mathbf {CRS}_1,\mathbf {CRS}_2)\) consists of two parts which are defined as

      $$\begin{aligned} \mathbf {CRS}_1&= \Bigl ( \varvec{\rho },~\mathbf {f},~\varvec{f_0},~u_1,~u_2,~\Omega _1,~\Omega _2,~\varvec{V},~\varvec{W},~\mathsf {pk}_{0},~\mathsf {pk}_{1},\\[-4pt]&\qquad \qquad \qquad \qquad \{(z_i,r_i,u_i)\}_{i=1}^t,~\{(Z_j,R_j,U_j)\}_{j=1}^{4L+5} \Bigr ), \\ \mathbf {CRS}_2&= \Bigl (\mathbf {f},~\varvec{f_0}, ~ \mathsf {pk}_{0}, ~\mathsf {pk}_1 ,~\Omega _1,~\Omega _2, ~\varvec{V},~\varvec{W} \Bigr ), \end{aligned}$$

      while the simulation trapdoor is \(\tau _{sim} =\big ( \omega _1,\omega _2, \{ \chi _i, \gamma _i,\delta _i \}_{i=1}^n \big ) \).

  • \(\varvec{\mathsf {P}}(\Gamma ,\psi ,\varvec{v},x,\mathsf {lbl})\): given \(\varvec{v} \in \mathbb {G}^n\) and a witness \(\varvec{x}=(x_1,\ldots ,x_t) \in \mathbb {Z}_p^t\) such that \(\varvec{v}=g^{\varvec{x} \cdot \mathbf {A}}\), generate a one-time signature key pair \((\mathsf {VK},\mathsf {SK}) \leftarrow \mathcal {G}(\lambda )\).

    1. Using \(\{(z_j,r_j,u_j)\}_{j=1}^t\), derive a one-time linearly homomorphic signature \((z,r,u)\) on the vector \(\varvec{v} \) with respect to \(\mathsf {pk}_0\). Namely, compute \( z = \prod _{i=1}^t z_i^{x_i}\), \( r = \prod _{i=1}^t r_i^{x_i}\) and \( u = \prod _{i=1}^t u_i^{x_i}\).

    2. Choose a vector \(\varvec{F}=(F_1,F_2,F_3)=\varvec{f}_1^{\mu _1} \cdot \varvec{f}_2^{\mu _2}\), for random \(\mu _1,\mu _2 \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p\).

    3. Pick \(r,s \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p\) and compute a pseudo-signature on \(\mathsf {VK}=\mathsf {VK}[1] \ldots \mathsf {VK}[L]\), which is obtained as \((\sigma _1,\sigma _2,\sigma _3)=( {H}(\varvec{{V}},\mathsf {VK})^r \cdot {H}(\varvec{{W}},\mathsf {VK})^s,f^r, h^s )\), where \({H}(\varvec{{V}},\mathsf {VK})= \prod _{\ell =1}^L {V}_{\ell ,\mathsf {VK}[\ell ]}\) and \({H}(\varvec{{W}},\mathsf {VK})= \prod _{\ell =1}^L {W}_{\ell ,\mathsf {VK}[\ell ]}\).

    4. Derive a one-time linearly homomorphic signature \((Z,R,U) \in \mathbb {G}^3\) for \(\mathsf {pk}_1\) on the vector

      $$\begin{aligned} \varvec{\sigma }=({\sigma }_1,&{\sigma }_2^{1-\mathsf {VK}[1]},\sigma _2^{\mathsf {VK}[1]}, \cdots ,\sigma _2^{1-\mathsf {VK}[L]} ,\sigma _2^{\mathsf {VK}[L]}, \sigma _3^{1-\mathsf {VK}[1]}, \nonumber \\&\,\,\,\sigma _3^{\mathsf {VK}[1]},\cdots ,\sigma _3^{1-\mathsf {VK}[L]} ,\sigma _3^{\mathsf {VK}[L]}, 1_\mathbb {G},1_\mathbb {G}, F_1,F_2,F_3 ) \in \mathbb {G}^{4L+6} \end{aligned}$$
      (3)

      which belongs to the subspace spanned by the first \(4L+2\) rows of the matrix \(\mathbf {M} \in \mathbb {G}^{(4L+5) \times (4L+6)}\). Hence, the coefficients \(r,s,\mu _1,\mu _2 \in \mathbb {Z}_p\) allow deriving a homomorphic signature \((Z,R,U)\) on \(\varvec{\sigma }\) in (3). Note that the \((4L+2)\)-th and the \((4L+3)\)-th coordinates of \(\varvec{\sigma }\) must both equal \(1_\mathbb {G}\).

    5. Using the CRS \(\mathbf {f}=(\varvec{f_1},\varvec{f_2},\varvec{f_3})\), generate Groth-Sahai commitments \(\varvec{C}_{\sigma _1},\varvec{C}_Z,\varvec{C}_R,\varvec{C}_U \in \mathbb {G}^3\). Then, compute NIWI proofs \(\varvec{{\pi }}_{\sigma , 1}, \varvec{{\pi }}_{\sigma , 2} \in {\mathbb {G}}^3\) that committed variables \((\sigma _1,Z,R,U)\) satisfy

      $$\begin{aligned} \begin{aligned} e(Z,{G_z}) \cdot e(R,{G_r}) \cdot e(\sigma _1,{G}_1) = t_G,\\ e(Z,{H_z}) \cdot e(U,{H_u}) \cdot e(\sigma _1,{H_1}) = t_H, \end{aligned} \end{aligned}$$
      (4)

      where

      $$ t_G =e(\sigma _2,\textstyle \prod \limits _{i=1}^L {G}_{2i+{\mathsf {VK}[i]}})^{-1} \cdot e(\sigma _3,\prod \limits _{i=1}^L {G}_{2L+2i+{\mathsf {VK}[i]}})^{-1} \cdot \prod \limits _{i=1}^3 e(F_i,{G}_{4L+3+i})^{-1} $$

      and

      $$\begin{aligned} t_H&= e(\sigma _2,\textstyle \prod \limits _{i=1}^L {H}_{2i+{\mathsf {VK}[i]}})^{-1} \cdot e(\sigma _3,\prod \limits _{i=1}^L {H}_{2L+2i+{\mathsf {VK}[i]}})^{-1}\\[-6pt]&\quad \cdot {} \textstyle \prod \limits _{i=1}^3 e(F_i,{H}_{4L+3+i})^{-1}. \end{aligned}$$

    6. Using the vector \(\varvec{F}=(F_1,F_2,F_3)\) of Step 2, define a new Groth-Sahai CRS \(\mathbf {F}=(\varvec{f}_{1},\varvec{f}_{2},\varvec{F})\) and use it to compute commitments

      $$\begin{aligned} \varvec{C}_z = \iota (z) \cdot \varvec{f}_{1}^{\theta _{z,1}} \cdot \varvec{f}_{2}^{\theta _{z,2}} \cdot \varvec{F}^{\theta _{z,3}} , \quad \varvec{C}_r = \iota (r) \cdot \varvec{f}_{1}^{\theta _{r,1}} \cdot \varvec{f}_{2}^{\theta _{r,2}} \cdot \varvec{F}^{\theta _{r,3}},\\ \varvec{C}_u = \iota (u) \cdot \varvec{f}_{1}^{\theta _{u,1}} \cdot \varvec{f}_{2}^{\theta _{u,2}} \cdot \varvec{F}^{\theta _{u,3}} \end{aligned}$$

      to the components of \((z,r,u)\) along with NIWI proofs \((\varvec{\pi }_1,\varvec{\pi }_2) \in \mathbb {G}^6\) that \(\varvec{v}\) and \((z,r,u)\) satisfy (1). Let \((\varvec{C}_z,\varvec{C}_r,\varvec{C}_u,\varvec{\pi }_1,\varvec{\pi }_2)\in \mathbb {G}^{15}\) be the resulting commitments and proofs.

    7. Set \(\sigma =\mathcal {S}(\mathsf {SK}, (\varvec{v},\varvec{F},\varvec{C}_{\sigma _1},\sigma _2,\sigma _3, \varvec{C}_Z,\varvec{C}_R,\varvec{C}_U, \varvec{C}_z,\varvec{C}_r,\varvec{C}_u, \varvec{{\pi }}_{\sigma , 1}, \varvec{{\pi }}_{\sigma , 2},\varvec{\pi }_1,\varvec{\pi }_2,\mathsf {lbl}))\) and output

      $$\begin{aligned} \begin{aligned} \pi =&\big (\mathsf {VK}, \varvec{F},\varvec{C}_{\sigma _1},\sigma _2,\sigma _3,\varvec{C}_Z,\varvec{C}_R, \varvec{C}_U, \varvec{C}_z,\varvec{C}_r,\varvec{C}_u, \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \varvec{{\pi }}_{\sigma , 1}, \varvec{{\pi }}_{\sigma , 2} ,\varvec{\pi }_1,\varvec{\pi }_2 ,\sigma \big ). \end{aligned} \end{aligned}$$
      (5)
  • \(\varvec{\mathsf {V}}(\Gamma ,\psi ,\varvec{v},\pi ,\mathsf {lbl})\): parse \(\pi \) as in (5) and \(\varvec{v}\) as \((v_1,\ldots ,v_n) \in \mathbb {G}^n\). Return 1 if the conditions hereunder all hold. Otherwise, return 0.

    (i) \(\mathcal {V}(\mathsf {VK}, (\varvec{v},\varvec{F},\varvec{C}_{\sigma _1},\sigma _2,\sigma _3, \varvec{C}_Z,\varvec{C}_R,\varvec{C}_U, \varvec{C}_z,\varvec{C}_r,\varvec{C}_u, \varvec{{\pi }}_{\sigma , 1}, \varvec{{\pi }}_{\sigma , 2} ,\varvec{\pi }_1,\varvec{\pi }_2,\mathsf {lbl}),\sigma )=1\);

    (ii) \(\varvec{{\pi }}_{\sigma , 1}, \varvec{{\pi }}_{\sigma , 2}\) are valid proofs that the variables \((\sigma _1,Z,R,U)\), which are contained in commitments \(\varvec{C}_{\sigma _1},\varvec{C}_Z,\varvec{C}_R,\varvec{C}_U \), satisfy equations (4).

    (iii) The tuple \((\varvec{C}_z,\varvec{C}_r,\varvec{C}_u,\varvec{\pi }_1,\varvec{\pi }_2) \) forms a valid NIWI proof for the Groth-Sahai CRS \(\mathbf {F}=(\varvec{f}_{1},\varvec{f}_{2},\varvec{F})\). Namely, \(\varvec{\pi }_1=(\pi _{1,1},\pi _{1,2},\pi _{1,3})\) and \(\varvec{\pi }_2=(\pi _{2,1},\pi _{2,2},\pi _{2,3})\) satisfy

      $$\begin{aligned} \begin{aligned} \prod _{i=1}^n E\big (g_i,\iota (v_i) \big )^{-1}&= E \big (g_z,\varvec{C}_z \big ) \cdot E \big (g_r,\varvec{C}_r \big ) \cdot E(\pi _{1,1},\varvec{{f}}_1) \cdot E(\pi _{1,2},\varvec{{f}}_2) \cdot E(\pi _{1,3},\varvec{F}), \\ \prod _{i=1}^n E\big (h_i,\iota (v_i) \big )^{-1}&= E \big (h_z,\varvec{C}_z \big ) \cdot E \big (h_u,\varvec{C}_u \big ) \cdot E(\pi _{2,1}, \varvec{{f}}_1) \cdot E(\pi _{2,2},\varvec{{f}}_2) \cdot E(\pi _{2,3},\varvec{F}). \end{aligned} \end{aligned}$$
      (6)

The proof only requires 38 elements of \(\mathbb {G}\) and a pair \((\mathsf {VK},\sigma )\). In instantiations using the one-time signature of [38], its total size amounts to 42 group elements, which only lengthens the QA-NIZK proofs of [49] by a factor of 2.
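The following added example (not the paper's code) checks the algebra of the LHSPS steps above, namely the row signatures of \(\mathsf {K}_1\) step 6, the homomorphic derivation of \((z,r,u)\) in \(\mathsf {P}\) step 1, and the pairing-product equations on which (6) is built. It assumes a symmetric pairing group modelled by representing every element of \(\mathbb {G}\) by its discrete logarithm modulo a constructed prime, which makes the pairing computable but removes all hardness, so it verifies the derivation rather than implementing the scheme.

```python
"""Toy model of the one-time linearly homomorphic structure-preserving
signature (LHSPS) of Sect. 2.3 as used in K_1 (step 6) and P (step 1).

Added example, not the paper's code.  To run without a pairing library,
every element of G is represented by its discrete logarithm modulo the
group order p: group multiplication is addition mod p, g^a is the
integer a, X^a is a*log(X), and e(g^a, g^b) = g_T^{ab} becomes a*b mod p.
The scheme's arithmetic is unchanged; only the hardness of discrete
logarithms is lost, so this is a correctness check, not a secure library.
"""
import secrets

P = (1 << 127) - 1  # constructed prime group order p (2^127 - 1)


def pairing(a, b):
    """e(g^a, g^b) = g_T^{a*b}, returned as an exponent of G_T."""
    return (a * b) % P


def keygen(n):
    """LHSPS key pair for vectors of G^n (K_1, step 1).

    sk_0 = {(chi_i, gamma_i, delta_i)}, pk_0 = (g_z, g_r, h_z, h_u, {g_i, h_i})
    with g_i = g_z^{chi_i} g_r^{gamma_i} and h_i = h_z^{chi_i} h_u^{delta_i}.
    """
    gz, gr, hz, hu = (secrets.randbelow(P - 1) + 1 for _ in range(4))
    sk = [tuple(secrets.randbelow(P) for _ in range(3)) for _ in range(n)]
    pk = {
        "gz": gz, "gr": gr, "hz": hz, "hu": hu,
        "g": [(gz * chi + gr * gam) % P for chi, gam, _ in sk],
        "h": [(hz * chi + hu * dlt) % P for chi, _, dlt in sk],
    }
    return sk, pk


def sign(sk, v):
    """Sign v in G^n with sk (K_1, step 6):
    (z, r, u) = (prod v_j^{-chi_j}, prod v_j^{-gamma_j}, prod v_j^{-delta_j})."""
    z = -sum(vj * chi for vj, (chi, _, _) in zip(v, sk)) % P
    r = -sum(vj * gam for vj, (_, gam, _) in zip(v, sk)) % P
    u = -sum(vj * dlt for vj, (_, _, dlt) in zip(v, sk)) % P
    return z, r, u


def verify(pk, v, sig):
    """Pairing-product equations (1) of the paper, as checked by V:
    e(g_z,z) e(g_r,r) prod_i e(g_i,v_i) = 1_{G_T} and
    e(h_z,z) e(h_u,u) prod_i e(h_i,v_i) = 1_{G_T}."""
    z, r, u = sig
    eq_g = (pairing(pk["gz"], z) + pairing(pk["gr"], r)
            + sum(pairing(gi, vi) for gi, vi in zip(pk["g"], v))) % P
    eq_h = (pairing(pk["hz"], z) + pairing(pk["hu"], u)
            + sum(pairing(hi, vi) for hi, vi in zip(pk["h"], v))) % P
    return eq_g == 0 and eq_h == 0


def derive(row_sigs, x):
    """Homomorphic derivation (P, step 1) for v = g^{x.A} from the signatures
    {(z_i, r_i, u_i)} on the rows of rho: z = prod z_i^{x_i}, and likewise r, u."""
    z = sum(xi * zi for xi, (zi, _, _) in zip(x, row_sigs)) % P
    r = sum(xi * ri for xi, (_, ri, _) in zip(x, row_sigs)) % P
    u = sum(xi * ui for xi, (_, _, ui) in zip(x, row_sigs)) % P
    return z, r, u


def row_space_vector(A, x):
    """v = g^{x.A}: the candidate vector with witness x (A holds log_g of rho's rows)."""
    n = len(A[0])
    return [sum(xi * A[i][j] for i, xi in enumerate(x)) % P for j in range(n)]


def demo(t=2, n=4):
    """Constructed run: t random rows of the language parameter, a witness x,
    and a vector outside the row space.  Returns
    (derived_ok, same_as_direct, outside_rejected)."""
    sk, pk = keygen(n)
    A = [[secrets.randbelow(P) for _ in range(n)] for _ in range(t)]  # log_g(rho)
    row_sigs = [sign(sk, row) for row in A]        # the {(z_i, r_i, u_i)} of CRS_1
    x = [secrets.randbelow(P) for _ in range(t)]
    v = row_space_vector(A, x)
    sig = derive(row_sigs, x)
    derived_ok = verify(pk, v, sig)
    same_as_direct = sig == sign(sk, v)            # derivation equals signing with sk_0
    # A vector outside the row space (t < n): shift one coordinate of v.
    v_star = list(v)
    v_star[0] = (v_star[0] + 1) % P
    outside_rejected = not verify(pk, v_star, sig)
    return derived_ok, same_as_direct, outside_rejected


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```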

4 Security

To avoid unnecessarily overloading notations, we will prove our results in the single CRS setting. At the main steps, we will explain how the proof can be adapted to the multi-CRS setting without affecting the tightness of reductions.

Theorem 1

The above proof system is perfectly quasi-adaptive zero-knowledge.

Proof

(sketch). We describe the QA-NIZK simulator here but we refer to the full paper for a detailed proof that the simulation is perfect. This simulator \(({\mathsf {S}}_{1}\), \({\mathsf {S}}_{2})\) is defined by having \({\mathsf {S}}_{1}\) generate the CRS \(\psi \) as in the real \(\mathsf {K}_0\) algorithm but retain the simulation trapdoor \(\tau _{sim} =\big ( \omega _1,\omega _2, \{ \chi _i, \gamma _i,\delta _i \}_{i=1}^n \big ) \) for later use. As for \({\mathsf {S}}_2\), it generates a simulated proof for \(\varvec{v}=(v_1,\ldots ,v_n) \in \mathbb {G}^n\) by using \(\{(\chi _i,\gamma _i,\delta _i)\}_{i=1}^n\) to compute \((z,r,u)=\big ( \prod _{j=1}^n v_j^{-\chi _j}, \prod _{j=1}^n v_j^{-\gamma _j}, \prod _{j=1}^n v_j^{-\delta _j})\) at step 1 of the simulation instead of using the witness \(\varvec{x} \in \mathbb {Z}_p^t\) as in the real proving algorithm \(\mathsf {P}\). At step 2, it defines \((F_1,F_2,F_3)=\varvec{f}_0 \cdot \varvec{f}_1^{\mu _1} \cdot \varvec{f}_2^{\mu _2}\) with \(\mu _1,\mu _2 \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p\). At step 3, it picks \(r,s \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p\) to compute \( (\sigma _1,\sigma _2,\sigma _3)= \big ( g^{\omega _1 + \omega _2} \cdot H(\varvec{V},\mathsf {VK})^r \cdot H(\varvec{W},\mathsf {VK})^s, ~ f^r, ~h^s \big ) \) before using the coefficients \(\mu _1,\mu _2,r,s,\omega _1,\omega _2,1 \in \mathbb {Z}_p\) to derive a homomorphic signature (ZRU) from \(\{(Z_j,R_j,U_j)\}_{j=1}^{4L+5}\) at step 4. Steps 5 to 7 are conducted as in the real \(\mathsf {P}\). In the full paper, we prove that the simulation is perfect in that the simulated CRS \(\psi \) is distributed as a real CRS and, for all \(\varvec{v} \in \mathbb {G}^n\) such that \(\varvec{v}=g^{\varvec{x} \cdot \mathbf {A}}\) for some \(\varvec{x} \in \mathbb {Z}_p^t\), simulated proofs are distributed as real proofs.\(\square \)

We now prove that the system remains computationally sound and simulation-sound, even when the adversary is given the matrix \(\mathbf {A}=\log _g(\varvec{\rho }) \in \mathbb {Z}_p^{t \times n}\), which allows recognizing elements of \(\mathcal {L}_{\rho }\). Although the enhanced soundness property is implied by that of enhanced simulation-soundness, we prove it separately (see the full paper for the proof) in Theorem 2 since the reduction is optimal.

Theorem 2

The system provides quasi-adaptive soundness under the DLIN assumption. Any enhanced soundness adversary \(\mathcal {A}\) with running time \(t_\mathcal {A}\) implies a DLIN distinguisher \(\mathcal {B}\) with running time \(t_{\mathcal {B}} \le t_\mathcal {A}+ q \cdot \mathsf {poly}(\lambda ,L, t,n)\) and such that \(\mathbf {Adv}^{\mathrm {e}\text {-}\mathrm {sound}}_\mathcal {A}(\lambda ) \le 2 \cdot \mathbf {Adv}_{\mathcal {B}}^{\mathrm {DLIN}}(\lambda ) + 2 /p \).

Theorem 3

The above system provides quasi-adaptive unbounded simulation-soundness if: (i) \(\Sigma \) is a strongly unforgeable one-time signature; (ii) The DLIN assumption holds. For any enhanced unbounded simulation-soundness adversary \(\mathcal {A}\), there exist a one-time signature forger \(\mathcal {B}'\) in the multi-key setting and a DLIN distinguisher \(\mathcal {B}\) with running times \(t_{\mathcal {B}},t_{\mathcal {B}'} \le t_\mathcal {A}+ q \cdot \mathsf {poly}(\lambda ,L, t,n)\) such that

$$\begin{aligned} \mathbf {Adv}^{\mathrm {e}\text {-}\mathrm {uss}}_\mathcal {A}(\lambda ) \le \mathbf {Adv}^{q\text {-}\mathrm {suf}\text {-}\mathrm {ots}}_{\mathcal {B}'}(\lambda ) + 3 \cdot (L + 2) \cdot \mathbf {Adv}_{\mathcal {B}}^{\mathrm {DLIN}}(\lambda ) + 4 /p , \end{aligned}$$
(7)

where L is the verification key length of \(\Sigma \) and q is the number of simulations.

Proof

To prove the result, we consider a sequence of games. In \(\mathsf {Game}_i\), we denote by \(S_i\) the event that the challenger outputs 1.

  • \(\mathsf {Game}_1\): This game is the actual attack. Namely, the adversary \(\mathcal {A}\) receives as input the description of the language \(\mathcal {L}_{\rho }\) and has access to a simulated CRS \(\psi \) and the simulated prover \({\mathsf {S}}_2(\psi ,\tau _{sim},.,.)\) which is described in the proof of Theorem 1. At each invocation, \({\mathsf {S}}_2(\psi ,\tau _{sim},.,.)\) inputs a vector-label pair \((\varvec{v},\mathsf {lbl})\) and outputs a simulated proof \(\pi \) that \(\varvec{v} \in \mathcal {L}_{\rho }\). In order to generate the matrix \(\varvec{\rho } \in \mathbb {G}^{t \times n}\) with the appropriate distribution \(D_{\Gamma }\), the challenger chooses a matrix \(\mathbf {A} \in \mathbb {Z}_p^{t \times n}\) with the suitable distribution (which is possible since \(D_{\Gamma }\) is efficiently witness-samplable) and computes \(\varvec{\rho } = g^{\mathbf {A}} \). Also, the challenger \(\mathcal {B}\) computes a basis \(\mathbf {W} \in \mathbb {Z}_p^{n \times (n-t)}\) of the nullspace of \(\mathbf {A}\). The adversary receives as input the simulated CRS \(\psi \) and the matrix \(\mathbf {A} \in \mathbb {Z}_p^{t \times n}\), which serves as a membership testing trapdoor \(\tau _m\), and queries the simulator \({\mathsf {S}}_2(\psi , \tau _{sim},.,.)\) on a polynomial number of occasions. When the adversary \(\mathcal {A}\) halts, it outputs an element \(\varvec{v}^\star \), a proof \(\pi ^\star \) and a label \(\mathsf {lbl}^\star \). The adversary is declared successful and the challenger outputs 1 if and only if \((\pi ^\star ,\mathsf {lbl}^\star )\) is a verifying proof but \(\varvec{v}^\star \not \in \mathcal {L}_{\varvec{\rho }}\) (i.e., \(\varvec{v}^\star \) is linearly independent of the rows of \(\varvec{\rho } \in \mathbb {G}^{t \times n}\)) and \((\pi ^\star ,\mathsf {lbl}^\star )\) was not trivially obtained from the simulator. 
We call \(S_1\) the latter event, which is easily recognizable by the challenger \(\mathcal {B}\) since the latter knows a basis \(\mathbf {W} \in \mathbb {Z}_p^{n \times (n-t)}\) of the right kernel of \(\mathbf {A}\). Indeed, \(\mathbf {W}\) allows testing if \(\varvec{v}=(v_1,\ldots ,v_n) \in \mathbb {G}^n\) satisfies \( \prod _{j=1}^n v_j^{w_{ji}}=1_{\mathbb {G}}\) for each column \(\varvec{w}_i^\top =(w_{1i},\ldots ,w_{ni})^\top \) of \(\mathbf {W}\). By definition, the adversary’s advantage is \(\mathbf {Adv}(\mathcal {A}):= \Pr [S_1]\).

  • \(\mathsf {Game}_{2}\): We modify the generation of the CRS \(\psi =(\mathbf {CRS}_1,\mathbf {CRS}_2)\). Instead of choosing \(\varvec{f}_3 \in _R \mathbb {G}^3\) as a uniformly random vector, \(\mathsf {S}_1\) sets \(\varvec{f}_3=\varvec{f}_1^{\xi _1} \cdot \varvec{f}_2^{\xi _2}\), for random \(\xi _1,\xi _2 \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p\). Hence, \( \varvec{f}_1,\varvec{f}_2\) and \(\varvec{f}_3 \) now underlie a subspace of dimension 2 and \(\mathbf {f}=(\varvec{f}_1,\varvec{f}_2,\varvec{f}_3)\) thus becomes a perfectly binding CRS. Under the DLIN assumption, this modification should have no noticeable impact on \(\mathcal {A}\)’s probability of success. We have \(|\Pr [S_2]-\Pr [S_1]| \le \mathbf {Adv}^{\mathrm {DLIN}}(\mathcal {B})\).

  • \(\mathsf {Game}_{3}\): We modify again the generation of \(\psi \). Now, instead of choosing \(\varvec{f_0} \) in \(\mathsf {span} \langle \varvec{f_1},\varvec{f_2} \rangle \), \(\mathsf {S}_1\) sets \(\varvec{f_0}=\varvec{f}_1^{\nu _1} \cdot \varvec{f}_2^{\nu _2} \cdot \iota (g)\), for random \(\nu _1,\nu _2 \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p^*\). The vector \(\varvec{f}_0\) is now linearly independent of \((\varvec{f_1},\varvec{f_2})\). Under the DLIN assumption, this modification will remain unnoticed to the adversary. In particular, \(\mathcal {A}\)’s winning probability should only change by a negligible amount. A two-step reduction from DLIN shows that \(|\Pr [S_3]-\Pr [S_2]| \le 2 \cdot \mathbf {Adv}^{\mathrm {DLIN}}(\mathcal {B})\).

  • \(\mathsf {Game}_{4}\): This game is like \(\mathsf {Game}_3\) but \(\mathcal {B}\) halts and outputs a random bit if \(\mathcal {A}\) outputs a proof \(\pi ^\star \) containing a one-time verification key \(\mathsf {VK}^\star \) that is recycled from an output of the \({\mathsf {S}}_2(\psi ,\tau _{sim},.,.)\) oracle. \(\mathsf {Game}_4\) and \(\mathsf {Game}_3\) proceed identically until the latter event occurs. This event further contradicts the strong unforgeability of \(\Sigma \). If \(\Sigma \) has tight multi-key security (in the sense of [38]), the probability of this event can be bounded independently of the number q of queries to \({\mathsf {S}}_2(\psi ,\tau _{sim},.,.)\). We have \(|\Pr [S_4]-\Pr [S_3]| \le \mathbf {Adv}^{q\text {-}\mathrm {suf}\text {-}\mathrm {ots}}_{\mathcal {B}}(\lambda )\).

  • \(\mathsf {Game}_5\): This game is identical to \(\mathsf {Game}_{4}\) but we raise a failure event \(E_5\). When \(\mathcal {A}\) outputs its fake proof \(\pi ^\star =\big (\mathsf {VK}^\star , \varvec{F}^\star ,\varvec{C}_{\sigma _1}^\star , \sigma _2^\star ,\sigma _3^\star ,\varvec{C}_Z^\star ,\varvec{C}_R^\star ,\varvec{C}_U^\star , \varvec{C}_z^\star ,\varvec{C}_r^\star ,\varvec{C}_u^\star ,\varvec{{\pi }}_{\sigma , 1}^\star , \varvec{{\pi }}_{\sigma , 2}^\star ,\varvec{\pi }_1^\star ,\varvec{\pi }_2^\star ,\sigma ^\star \big )\), \(\mathcal {B}\) parses the vector \(\varvec{F}^\star \) as \((F_1^\star ,F_2^\star ,F_3^\star ) \in \mathbb {G}^3\) and uses the extraction trapdoor \((y_1,y_2)=(\log _g(f_1),\log _g(f_2))\) of the Groth-Sahai CRS \(\mathbf {f}=(\varvec{f_1},\varvec{f_2},\varvec{f_3})\) to test if \(F_3^\star \ne {F_1^\star }^{1/y_1} \cdot {F_2^\star }^{1/y_2}\), meaning that \(\mathbf {F}^\star =(\varvec{f_1},\varvec{f_2},\varvec{F}^\star )\) is not a perfectly binding Groth-Sahai CRS. We denote by \(E_5\) the latter event, which causes \(\mathcal {B}\) to abort and output a random bit if it occurs. Clearly, \(\mathsf {Game}_5\) is identical to \(\mathsf {Game}_4\) unless \(E_5\) occurs, so that \(|\Pr [S_5] - \Pr [S_4] | \le \Pr [E_5]\). Lemma 1 demonstrates that event \(E_5\) occurs with negligible probability if the DLIN assumption holds. More precisely, the probability \(\Pr [E_5]\) is at most \(\Pr [E_5] \le (2 \cdot L +1) \cdot \mathbf {Adv}_{\mathcal {B}}^{\mathrm {DLIN}}(\lambda ) + 2 /p,\) where \(\mathcal {B}\) is a DLIN distinguisher whose computational complexity only exceeds that of \(\mathcal {A}\) by the cost of a polynomial number of exponentiations in \(\mathbb {G}\) and a constant number of pairing evaluations.

In \(\mathsf {Game}_{5}\), we have \(\Pr [S_5] = \Pr [S_5 \wedge E_5] + \Pr [S_5 \wedge \lnot E_5] = \frac{1}{2} \cdot \Pr [E_5] + \Pr [S_5 \wedge \lnot E_5]\), so that \( \Pr [S_5] \le ( L +1) \cdot \mathbf {Adv}_{\mathcal {B}}^{\mathrm {DLIN}}(\lambda ) + \frac{1}{p} + \Pr [S_5 \wedge \lnot E_5]\).

In \(\mathsf {Game}_5\), we show that event \(S_5 \wedge \lnot E_5\) implies an algorithm \(\mathcal {B}\) solving a given SDP instance \(({g_z},{g_r},{h_z},{h_u})\), which also contradicts the DLIN assumption.

Assuming that event \(S_5 \wedge \lnot E_5\) indeed occurs, we know that the adversary \(\mathcal {A}\) manages to output a correct proof \(\pi ^\star =\big (\mathsf {VK}^\star , \varvec{F}^\star ,\varvec{C}_{\sigma _1}^\star ,\sigma _2^\star ,\sigma _3^\star , \varvec{C}_Z^\star ,\varvec{C}_R^\star ,\varvec{C}_U^\star , \varvec{C}_z^\star ,\varvec{C}_r^\star ,\varvec{C}_u^\star , \varvec{{\pi }}_{\sigma , 1}^\star , \varvec{{\pi }}_{\sigma , 2}^\star ,\varvec{\pi }_1^\star ,\varvec{\pi }_2^\star ,\sigma ^\star \big )\) for a vector \(\varvec{v}^\star =(v_1^\star ,\ldots ,v_n^\star )\) outside the row space of \(\varvec{\rho }=g^{\mathbf {A}}\) and such that \(\varvec{F}^\star =(F_1^\star ,F_2^\star ,F_3^\star )\) is a BBS encryption of \(1_\mathbb {G}\) (namely, \(F_3^\star = {F_1^\star }^{1/y_1} \cdot {F_2^\star }^{1/y_2}\)). This means that, although the simulated proofs produced by \({\mathsf {S}}_2(\psi ,\tau _{sim},.,.)\) were all generated for a perfectly NIWI Groth-Sahai CRS \(\mathbf {F}=(\varvec{f}_1,\varvec{f}_2,\varvec{F})\), the last part \((\varvec{C}_z^\star ,\varvec{C}_r^\star ,\varvec{C}_u^\star , \varvec{\pi }_1^\star ,\varvec{\pi }_2^\star ) \) of \(\mathcal {A}\)’s proof \(\pi ^\star \) takes place on a perfectly binding CRS \(\mathbf {F}^\star =(\varvec{f}_1,\varvec{f}_2,\varvec{F}^\star )\). Moreover, although \(\mathcal {B}\) does not know \(\mu _1^\star ,\mu _2^\star \in \mathbb {Z}_p\) such that \(\varvec{F}^\star =\varvec{f_1}^{\mu _1^\star } \cdot \varvec{f_2}^{\mu _2^\star }\), \(\mathcal {B}\) can still use the extraction trapdoor \((y_1,y_2)=(\log _g(f_1),\log _g(f_2))\) to recover \((z^\star ,r^\star ,u^\star )\) from \((\varvec{C}_z^\star ,\varvec{C}_r^\star ,\varvec{C}_u^\star )\) by performing BBS decryptions. Indeed, \(\varvec{C}_z^\star =\iota (z^\star ) \cdot \varvec{f_1}^{\theta _{z,1}} \cdot \varvec{f_2}^{\theta _{z,2}} \cdot \varvec{F^\star }^{\theta _{z,3}}\) is of the form \(\varvec{C}_z^\star = \iota (z^\star ) \cdot \varvec{f_1}^{{\theta _{z,1}}+ \mu _1^\star \cdot {\theta _{z,3}}} \cdot \varvec{f_2}^{{\theta _{z,2}}+\mu _2^\star \cdot {\theta _{z,3}}}\), which decrypts to \(z^\star \).

The perfect soundness of the Groth-Sahai CRS \(\mathbf {F}^\star =(\varvec{f}_1,\varvec{f}_2,\varvec{F}^\star )\) ensures that the extracted group elements \((z^\star ,r^\star ,u^\star )\) satisfy the pairing product equations

$$\begin{aligned} e(g_z,z^\star ) \cdot e(g_r,r^\star ) \cdot \prod _{i=1}^n e(g_i,v_i^\star ) = e(h_z,z^\star ) \cdot e(h_u,u^\star ) \cdot \prod _{i=1}^n e(h_i,v_i^\star ) =1_{\mathbb {G}_T}. \end{aligned}$$
(8)

In addition, \(\mathcal {B}\) computes \((z^\dagger ,r^\dagger ,u^\dagger )=\big ( \prod _{i=1}^n {v_i^\star }^{-\chi _i} , \prod _{i=1}^n {v_i^\star }^{-\gamma _i} , \prod _{i=1}^n {v_i^\star }^{-\delta _i} \big )\), which also satisfies the equations (8). Since \((z^\dagger ,r^\dagger ,u^\dagger )\) and \((z^\star ,r^\star ,u^\star )\) both satisfy (8), the triple \((z^\ddagger , r^{\ddagger },u^{\ddagger }) = \bigl ( \frac{z^{\star }}{z^\dagger }, \frac{r^{\star }}{r^\dagger }, \frac{u^{\star }}{u^\dagger } \bigr )\) necessarily satisfies the equalities \(e(g_z,z^\ddagger ) \cdot e(g_r,r^\ddagger )=e(h_z,z^\ddagger ) \cdot e(h_u,u^\ddagger )=1_{\mathbb {G}_T}\). We argue that \(z^\ddagger \ne 1_{\mathbb {G}}\) with probability \(1-1/p\), so that \((z^\ddagger , r^{\ddagger },u^{\ddagger })\) breaks the SDP assumption.

To see this, we remark that, if event \(S_5 \wedge \lnot E_5\) actually happens, \(\mathcal {B}\) never reveals any information about \((\chi _1,\ldots ,\chi _n)\) when it emulates \({\mathsf {S}}_2(\psi ,\tau _{sim},.,.)\). Indeed, in simulated proofs, the only components that depend on \((\chi _1,\ldots ,\chi _n)\) are \((\varvec{C}_z,\varvec{C}_r,\varvec{C}_u, \varvec{\pi }_1,\varvec{\pi }_2) \), which are generated for a perfectly NIWI Groth-Sahai CRS \((\varvec{f_1},\varvec{f_2},\varvec{F})\). Consequently, the same arguments as in [48, Theorem 1] show that \(z^\dagger \ne z^\star \) with probability \(1-1/p\). In the CRS, \(\{(g_i,h_i)\}_{i=1}^n\) and \(\{(z_i,r_i,u_i)\}_{i=1}^t\) provide \(\mathcal {A}\) with a linear system of \(2n+t<3n\) equations in 3n unknowns \(\{(\chi _i,\gamma _i,\delta _i)\}_{i=1}^n\), which leaves \(z^\dagger \) completely undetermined in \(\mathcal {A}\)’s view if \(\varvec{v}^\star \) is linearly independent of the rows of \(\varvec{\rho }=\big (G_{i,j} \big )_{i,j}\). We thus find \( \Pr [S_{5} \wedge \lnot E_5] \le \mathbf {Adv}^{\mathrm {SDP}}_{\mathcal {B}}(\lambda ) + {1} / {p} , \) which yields the bound (7) since \( \mathbf {Adv}^{\mathrm {SDP}}_{\mathcal {B}}(\lambda ) \le \frac{1}{2} \cdot \mathbf {Adv}^{\mathrm {DLIN}}_{\mathcal {B}}(\lambda ) \) if we translate the SDP solver \(\mathcal {B}\) into a DLIN distinguisher.\(\square \)

The result easily extends to the multi-CRS setting via the following changes. In the transitions from \(\mathsf {Game}_1\) to \(\mathsf {Game}_2\) and \(\mathsf {Game}_2\) to \(\mathsf {Game}_3\), we can simultaneously modify all CRSes \(\{\psi ^{(\kappa )}\}_{\kappa =1}^\mu \) by using the random self-reducibility of DLIN to build \(\mu \) instances of the DLIN assumption from a given instance. In \(\mathsf {Game}_5\), the probability \(\Pr [E_5]\) can be bounded by implicitly relying on the multi-user security (in the sense of [33]) of the signature scheme of [50], which remains almost tight in the multi-key setting. In the proof of the following lemma, we will explain at each step how the proof can be adapted to the multi-CRS setting. Finally, the probability of event \(S_5 \wedge \lnot E_5\) in \(\mathsf {Game}_5\) can be proved by applying the same arguments as in the proof (see [50, Appendix G]) that the signature of [50] provides tight security in the multi-user setting.

Lemma 1

In \(\mathsf {Game}_5\), there is a DLIN distinguisher \(\mathcal {B}\) such that \(\Pr [E_5] \le (2 \cdot L +1) \cdot \mathbf {Adv}_{\mathcal {B}}^{\mathrm {DLIN}}(\lambda ) + 2 /p.\) Moreover, \(\mathcal {B}\)’s complexity only exceeds that of \(\mathcal {A}\) by a polynomial number of exponentiations and a constant number of pairing computations. (The proof is given in the full version.)

5 Applications to Tightly Secure Primitives

As an application of our QA-NIZK proof system, we present a new encryption scheme whose IND-CCA2 security in the multi-challenge-multi-user setting (almost) tightly relates to the DLIN assumption. We show that the resulting construction allows improving the expansion rate of non-interactive universally composable commitments based on IND-CCA2-secure public-key encryption.

5.1 CCA2-Secure (Threshold) Encryption with Shorter Ciphertexts

Like [38, 50], our scheme builds on the Naor-Yung paradigm [54] and the encryption scheme of Boneh, Boyen and Shacham (BBS) [16].

The encryption phase computes \((C_0,C_1,C_2) = (M \cdot g^{\theta _1 + \theta _2}, X_1^{\theta _1} , Y_1^{\theta _2})\) and \((D_0,D_1,D_2) = (M \cdot g^{\theta _3 + \theta _4},X_2^{\theta _3} , Y_2^{\theta _4})\), where \((X_1,Y_1,X_2,Y_2)\) are part of the public key, and generates a QA-NIZK proof \(\pi \) that the vector

$$\begin{aligned} \varvec{v}&= \big (C_1/D_1,C_2/D_2,C_0/D_0,C_1 \cdot C_2,D_1^{-1} \cdot D_2^{-1} \big ) \in \mathbb {G}^5 \\&= \big ( X_1^{\theta _1} \cdot X_2^{-\theta _3},~Y_1^{\theta _2} \cdot Y_2^{-\theta _4}, ~g^{(\theta _1+\theta _2)-(\theta _3+\theta _4)},~X_1^{\theta _1} \cdot Y_1^{ \theta _2}, X_2^{-\theta _3} \cdot Y_2^{ -\theta _4} \big ) \end{aligned}$$

is in the subspace spanned by \(\varvec{X}_1 = (X_1,1,g,X_1,1) \), \(\varvec{Y}_1 = (1,Y_1,g,Y_1,1)\), \(\varvec{X}_2=(X_2,1,g,1,X_2)\) and \(\varvec{Y}_2 = (1,Y_2,g,1,Y_2)\). As in [50], our reduction is not quite as tight as in [5, 38] since a factor \(\varTheta (\lambda )\) is lost. On the other hand, our scheme becomes nearly practical as the ciphertext overhead now decreases to 48 group elements. In comparison, the solution of Libert et al. [50] incurs 69 group elements per ciphertext. Our technique thus improves upon [50] by \(30\,\%\) and also outperforms the most efficient perfectly tight solution [5], which entails over 300 group elements per ciphertext.

The CRS of the proof system is included in the user’s public key rather than in the common public parameters since, in the QA-NIZK setting, it depends on the considered language which is defined by certain public key components.

  • \({\mathbf {\mathsf{{Par}}}}\text {-}\mathsf {Gen}(\lambda )\): Run the \(\mathsf {K}_0\) algorithm of Sect. 3 in order to obtain common public parameters \(\Gamma =\big ((\mathbb {G},\mathbb {G}_T),f,g,h, \Sigma \big )\).

  • \({\mathbf {\mathsf{{Keygen}}}}(\Gamma )\): Parse \(\Gamma \) as \(\big ((\mathbb {G},\mathbb {G}_T),f,g,h ,\Sigma \big )\) and conduct the following steps.

    1.

      Choose random exponents \(x_1,x_2,y_1,y_2 \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p\) and define \(X_1=g^{x_1}\), \(X_2=g^{x_2}\), \(Y_1=g^{y_1}\), \(Y_2=g^{y_2}\). Then, define the independent vectors \(\varvec{X}_1 = (X_1,1,g,X_1,1) \), \(\varvec{Y}_1 = (1,Y_1,g,Y_1,1) \), \(\varvec{X}_2=(X_2,1,g,1,X_2)\) and \(\varvec{Y}_2 = (1,Y_2,g,1,Y_2) \).

    2.

      Run algorithm \(\mathsf {K}_1(\Gamma ,\varvec{\rho })\) of Sect. 3 to generate the language-dependent part of the CRS for the proof system, where the rows of the matrix \(\varvec{\rho } \in \mathbb {G}^{4 \times 5}\) consist of \(\varvec{X}_1\), \(\varvec{Y}_1\), \(\varvec{X}_2\) and \(\varvec{Y}_2\). Let \(\psi =(\mathbf {CRS}_1,\mathbf {CRS}_2)\) be the obtained CRS, where

      $$ \begin{aligned} \mathbf {CRS}_1&= \Bigl ( \varvec{\rho }, \mathbf {f}, \varvec{f_0}, \{u_i\}_{i=1}^2, \{\Omega _i\}_{i=1}^2, \varvec{V}, \varvec{W}, \\&\qquad \qquad \{\mathsf {pk}_i\}_{i=1}^2, \{(z_i,r_i,u_i)\}_{i=1}^4, \{(Z_j,R_j,U_j)\}_{j=1}^{4L+5} \Bigr ), \\ \mathbf {CRS}_2&= \Bigl ( \mathbf {f},~\varvec{f_0}, ~ \{\mathsf {pk}_i\}_{i=1}^2 , ~\{\Omega _i\}_{i=1}^2, ~\varvec{V},~\varvec{W} \Bigr ). \end{aligned} $$
    3.

      Define the private key as the pair \(SK=(x_1,y_1 ) \in \mathbb {Z}_p^2\). The public key is

      $$ PK=\big ( g, ~\varvec{X}_1,~\varvec{Y}_1,~\varvec{X}_2,~\varvec{Y}_2,~\psi =( \mathbf {CRS}_1,\mathbf {CRS}_2) \big ). $$
  • \({\mathbf {\mathsf{{Encrypt}}}}(M,PK)\): To encrypt \(M \in \mathbb {G}\), conduct the following steps.

    1.

      Pick random exponents \(\theta _1,\theta _2,\theta _3,\theta _4 \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p\) and compute

      $$\begin{aligned} (C_0,C_1,C_2)&= (M \cdot g^{\theta _1 + \theta _2}, X_1^{\theta _1} , Y_1^{\theta _2}) \\ ( D_0,D_1,D_2)&= (M \cdot g^{\theta _3 + \theta _4},X_2^{\theta _3} , Y_2^{\theta _4}). \end{aligned}$$
    2.

      Define \(\mathsf {lbl}=(C_0,C_1,C_2,D_0,D_1,D_2)\). Using the witness \(\varvec{x}=(\theta _1,\theta _2,-\theta _3,-\theta _4) \in \mathbb {Z}_p^4\) and the label \(\mathsf {lbl}\), run Steps 1–7 of Algorithm \(\mathsf {P}\) in Sect. 3 to generate a proof \(\pi \) that the vector

      $$\begin{aligned} \varvec{v}&= \big (C_1/D_1,C_2/D_2,C_0/D_0,C_1 \cdot C_2,D_1^{-1} \cdot D_2^{-1} \big ) \in \mathbb {G}^5 \\&= \big ( X_1^{\theta _1} \cdot X_2^{-\theta _3},~Y_1^{\theta _2} \cdot Y_2^{-\theta _4}, ~g^{(\theta _1+\theta _2)-(\theta _3+\theta _4)},~X_1^{\theta _1} \cdot Y_1^{ \theta _2}, X_2^{-\theta _3} \cdot Y_2^{ -\theta _4} \big ) \end{aligned}$$

      belongs to \(\mathsf {span}\langle \varvec{X}_1,\varvec{Y}_1,\varvec{X}_2,\varvec{Y}_2 \rangle \). The QA-NIZK proof is

      $$ \pi =\big (\mathsf {VK}, \varvec{F},\varvec{C}_{\sigma _1},\sigma _2,\sigma _3,\varvec{C}_Z,\varvec{C}_R,\varvec{C}_U, \varvec{C}_z,\varvec{C}_r,\varvec{C}_u,\varvec{{\pi }}_{\sigma , 1}, \varvec{{\pi }}_{\sigma , 2} ,\varvec{\pi }_1,\varvec{\pi }_2 ,\sigma \big ). $$
    3.

      Output the ciphertext \(C=(C_0,C_1,C_2,D_0,D_1,D_2,\pi )\).

  • \({\mathbf {\mathsf{{Decrypt}}}}(SK,C)\): given \(C=(C_0,C_1,C_2,D_0,D_1,D_2,\pi )\), do the following.

    1.

      Run the verification algorithm \(\mathsf {V}\) of Sect. 3 on input of \(\mathsf {lbl}=(C_0,C_1,C_2,D_0,D_1,D_2)\), the vector \(\varvec{v}=\big (C_1/D_1,C_2/D_2,C_0/D_0,C_1 \cdot C_2,D_1^{-1} \cdot D_2^{-1} \big ) \) and \(\pi \). Return \(\perp \) if \(\pi \) is not a valid proof for the label \(\mathsf {lbl}\) that \(\varvec{v}\) is in \(\mathrm {span} \langle \varvec{X}_1,\varvec{Y}_1,\varvec{X}_2,\varvec{Y}_2 \rangle \).

    2.

      Using \(SK =(x_1,y_1) \in \mathbb {Z}_p^2\), compute and return \(M=C_0 \cdot C_1^{-1/x_1} \cdot C_2^{-1/y_1}\).
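As an added example (not code from the paper), the following realises Keygen, Step 1 of Encrypt, the vector \(\varvec{v}\) and Step 2 of Decrypt in a toy prime-order group, replacing the QA-NIZK proof by the prover-side check that \(\varvec{v}\) is the combination of the four rows with the witness \((\theta _1,\theta _2,-\theta _3,-\theta _4)\). The group parameters and all function names are the example's own choices.

```python
import random

# Toy group: quadratic residues of Z_Q^*, with Q = 2P + 1 a safe prime, so the subgroup has
# prime order P. Illustration sizes only; the scheme itself lives in a pairing-friendly group.
Q, P, G = 2039, 1019, 4

def gexp(base, e):
    """Exponentiation in the toy group; negative exponents are reduced modulo the order P."""
    return pow(base, e % P, Q)

def gmul(*xs):
    out = 1
    for x in xs:
        out = out * x % Q
    return out

def keygen(rng):
    """Keygen: SK = (x1, y1); PK carries X1, Y1, X2, Y2 and the four rows of rho in G^{4x5}."""
    x1, x2, y1, y2 = (rng.randrange(1, P) for _ in range(4))
    X1, X2, Y1, Y2 = (gexp(G, e) for e in (x1, x2, y1, y2))
    rows = [(X1, 1, G, X1, 1), (1, Y1, G, Y1, 1), (X2, 1, G, 1, X2), (1, Y2, G, 1, Y2)]
    return (x1, y1), (X1, Y1, X2, Y2, rows)

def encrypt(pk, M, rng):
    """Encrypt, Step 1: two BBS-style encryptions of M, under (X1, Y1) and under (X2, Y2)."""
    X1, Y1, X2, Y2, _ = pk
    t1, t2, t3, t4 = (rng.randrange(P) for _ in range(4))
    C = (gmul(M, gexp(G, t1 + t2)), gexp(X1, t1), gexp(Y1, t2))
    D = (gmul(M, gexp(G, t3 + t4)), gexp(X2, t3), gexp(Y2, t4))
    witness = (t1, t2, -t3, -t4)   # the vector x handed to algorithm P in Step 2
    return C, D, witness

def consistency_vector(C, D):
    """v = (C1/D1, C2/D2, C0/D0, C1*C2, D1^-1 * D2^-1), the word the QA-NIZK proof speaks about."""
    C0, C1, C2 = C
    D0, D1, D2 = D
    return (gmul(C1, gexp(D1, -1)), gmul(C2, gexp(D2, -1)), gmul(C0, gexp(D0, -1)),
            gmul(C1, C2), gexp(gmul(D1, D2), -1))

def in_span(rows, v, witness):
    """Prover-side check that v equals prod_j rows[j]^witness[j] coordinate by coordinate."""
    return all(gmul(*(gexp(row[k], w) for row, w in zip(rows, witness))) == v[k]
               for k in range(len(v)))

def decrypt(sk, C):
    """Decrypt, Step 2: M = C0 * C1^(-1/x1) * C2^(-1/y1); Step 1 (proof check) is not modelled."""
    x1, y1 = sk
    C0, C1, C2 = C
    return gmul(C0, gexp(C1, -pow(x1, -1, P)), gexp(C2, -pow(y1, -1, P)))

def demo(seed=1):
    """Honest run: the witness explains v and the C side decrypts to the message."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    M = gexp(G, rng.randrange(P))           # constructed message, an element of the subgroup
    C, D, witness = encrypt(pk, M, rng)
    return {"in_span": in_span(pk[4], consistency_vector(C, D), witness),
            "decrypts": decrypt(sk, C) == M}
```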

Using our proof system of Sect. 3 and the one-time signature of [38], the ciphertext size amounts to that of 48 group elements, instead of 69 in [50].

While our construction is described in terms of symmetric pairings in order to lighten notation as much as possible, it readily extends to asymmetric pairings.

Theorem 4

The scheme is \((1,q_e)\)-IND-CCA secure provided: (i) \(\Sigma \) is a strongly unforgeable one-time signature; (ii) the DLIN assumption holds in \(\mathbb {G}\). For any adversary \(\mathcal {A}\), there exist a one-time signature forger \(\mathcal {B}'\) and a DLIN distinguisher \(\mathcal {B}\) with running times \(t_{\mathcal {B}},t_{\mathcal {B}'} \le t_\mathcal {A}+ q_e \cdot \mathsf {poly}(\lambda ,L )\) such that

$$ \mathbf {Adv}^{ (1,q_e)\text {-}\mathrm {cca}}_\mathcal {A}(\lambda ) \le \mathbf {Adv}^{q_e\text {-}\mathrm {suf}\text {-}\mathrm {ots}}_{\mathcal {B}'}(\lambda ) + ( 3L+ 10) \cdot \mathbf {Adv}^{\mathrm {DLIN}}_{\mathcal {B}}(\lambda ) + {8}/{p} , $$

where L is the length of one-time verification keys and \(q_e\) is the number of encryption queries. (The proof is given in the full version of the paper.)

The result of Theorem 4 carries over to a scenario involving \(\mu >1\) public keys modulo an additional negligible term \(\mu /p\) in the bound which is inherited from [38, Theorem 6]. This is achieved by relying on the enhanced USS property of the QA-NIZK proof system in the multi-CRS setting.

Similarly to previous IND-CCA2-secure encryption schemes based on the Naor-Yung paradigm (e.g., [32]), the public verifiability of ciphertexts makes our scheme amenable to non-interactive threshold decryption in a static corruption model.

By instantiating the construction of Camenisch et al. [19] with our QA-NIZK proofs, we similarly obtain more efficient KDM-CCA2-secure systems with tight security, as explained in the full version of the paper.

5.2 Encrypting Long Messages

In some applications, it is useful to encrypt long messages while preserving the possibility of efficiently proving statements about encrypted values using Groth-Sahai proofs. In this case, the amortized efficiency of our system can be significantly improved. Suppose that we want to encrypt messages \((M_1,\cdots ,M_N) \in \mathbb {G}^N\). The technique of Bellare et al. [8] allows doing so while making optimal use of encryption exponents. In more detail, the public key consists of group elements \(\big (f,h,\{(X_{i,1},Y_{i,1},X_{i,2},Y_{i,2})\}_{i=1}^N \big )\), with \((X_{i,1},Y_{i,1},X_{i,2},Y_{i,2}) =(f^{x_{i,1}},h^{y_{i,1}},f^{x_{i,2}},h^{y_{i,2}})\), and the secret key is \(\{(x_{i,1},y_{i,1})\}_{i=1}^N\). The vector is encrypted by choosing \(\theta _1,\theta _2,\theta _3,\theta _4 \mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\mathbb {Z}_p\) and computing

$$\begin{aligned} C_0&= f^{\theta _1},&C_0'&=h^{\theta _2},&\bigl \{ C_i&=M_i \cdot X_{i,1}^{\theta _1} \cdot Y_{i,1}^{\theta _2} \bigr \}_{i=1}^N,\\ D_0&= f^{\theta _3},&D_0'&=h^{\theta _4},&\bigl \{ D_i&=M_i \cdot X_{i,2}^{\theta _3} \cdot Y_{i,2}^{\theta _4} \bigr \}_{i=1}^N, \end{aligned}$$

while appending a simulation-sound QA-NIZK argument that the vector

$$\begin{aligned}&\big (C_1/D_1,\cdots ,C_N/D_N, \overbrace{C_0,\cdots , C_0}^{N \text { times }}, \\&\qquad \qquad \overbrace{D_0^{-1},\cdots ,D_0^{-1}}^{N \text { times }}, \overbrace{C_0',\cdots ,C_0'}^{N \text { times }}, \overbrace{{D_0' }^{-1},\ldots ,{D_0' }^{-1}}^{N \text { times }} \big ) \in \mathbb {G}^{5N} \end{aligned}$$

lives in the 4N-dimensional linear subspace \(\mathsf {span} \langle \varvec{X}_{i,1},\varvec{X}_{i,2},\varvec{Y}_{i,1},\varvec{Y}_{i,2} \rangle _{i=1}^N \), with

$$\begin{aligned} \varvec{X}_{i,1}&= (\varvec{1}^{i-1},X_{i,1},\varvec{1}^{N-i},\varvec{1}^{i-1}, {f},\varvec{1}^{N-i},\varvec{1}^{3N}) ,\\ \varvec{X}_{i,2}&= (\varvec{1}^{i-1},X_{i,2},\varvec{1}^{N-i},\varvec{1}^N,\varvec{1}^{i-1}, {f},\varvec{1}^{N-i},\varvec{1}^{2N}) ,\\ \varvec{Y}_{i,1}&= (\varvec{1}^{i-1},Y_{i,1},\varvec{1}^{N-i},\varvec{1}^{2N},\varvec{1}^{i-1}, {h},\varvec{1}^{N-i},\varvec{1}^{N}) ,\\ \varvec{Y}_{i,2}&= (\varvec{1}^{i-1},Y_{i,2},\varvec{1}^{N-i},\varvec{1}^{3N},\varvec{1}^{i-1}, {h},\varvec{1}^{N-i}) , \end{aligned}$$

where, for each \(i \in \mathbb {N}\), \(\varvec{1}^i\) stands for the i-dimensional vector \((1_\mathbb {G},\cdots ,1_\mathbb {G}) \in \mathbb {G}^i\). The entire ciphertext fits within \(2N+46\) group elements, of which only 42 elements are consumed by the QA-NIZK proof.
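An added example (not code from the paper) realising the long-message layout above in a toy prime-order group: it builds the 4N rows with the \(\varvec{1}^{i-1}\), \(\varvec{1}^{N-i}\) and \(\varvec{1}^{kN}\) padding, forms the 5N-coordinate vector, decides membership (coordinates \(N+1,\ldots ,5N\) pin every coefficient, so the encryption coins are the only candidate witness), rejects an inconsistent Naor-Yung pair, and counts the \(2N+4\) ciphertext elements outside the proof. The modulus, the generators F and H standing for f and h, and the function names are the example's own choices; the QA-NIZK argument is not implemented.

```python
import random

# Toy group: quadratic residues of Z_Q^*, Q = 2P + 1 a safe prime, so the subgroup has prime order P.
Q, P, F, H = 2039, 1019, 4, 9   # illustration sizes only; F, H play the roles of f, h

def gexp(base, e):
    return pow(base, e % P, Q)

def gmul(*xs):
    out = 1
    for x in xs:
        out = out * x % Q
    return out

def unit_row(N, i, head, tail, block):
    """A 5N-vector of 1's with `head` in slot i of the first N-block and `tail` in slot i of the
    N-block numbered `block` (0-based); this encodes the 1^{i-1}, 1^{N-i}, 1^{kN} padding."""
    row = [1] * (5 * N)
    row[i - 1] = head
    row[block * N + i - 1] = tail
    return tuple(row)

def keygen(N, rng):
    """SK = {(x_{i,1}, y_{i,1})}; PK = the X's and Y's plus the 4N rows, per i: X_{i,1}, X_{i,2}, Y_{i,1}, Y_{i,2}."""
    x1, x2, y1, y2 = ([rng.randrange(1, P) for _ in range(N)] for _ in range(4))
    X1, X2 = [gexp(F, x) for x in x1], [gexp(F, x) for x in x2]
    Y1, Y2 = [gexp(H, y) for y in y1], [gexp(H, y) for y in y2]
    rows = []
    for i in range(1, N + 1):
        rows += [unit_row(N, i, X1[i - 1], F, 1), unit_row(N, i, X2[i - 1], F, 2),
                 unit_row(N, i, Y1[i - 1], H, 3), unit_row(N, i, Y2[i - 1], H, 4)]
    return list(zip(x1, y1)), (X1, Y1, X2, Y2, rows)

def encrypt(pk, msgs, rng):
    """Ciphertext (C0, C0', {C_i}, D0, D0', {D_i}) and the per-i coefficients of the four rows."""
    X1, Y1, X2, Y2, _ = pk
    t1, t2, t3, t4 = (rng.randrange(P) for _ in range(4))
    C = [gmul(M, gexp(X, t1), gexp(Y, t2)) for M, X, Y in zip(msgs, X1, Y1)]
    D = [gmul(M, gexp(X, t3), gexp(Y, t4)) for M, X, Y in zip(msgs, X2, Y2)]
    return (gexp(F, t1), gexp(H, t2), C, gexp(F, t3), gexp(H, t4), D), (t1, -t3, t2, -t4)

def statement(ct):
    """The 5N-coordinate vector (C_i/D_i | C0 x N | D0^-1 x N | C0' x N | D0'^-1 x N)."""
    C0, C0p, C, D0, D0p, D = ct
    N = len(C)
    return (tuple(gmul(c, gexp(d, -1)) for c, d in zip(C, D)) + (C0,) * N
            + (gexp(D0, -1),) * N + (C0p,) * N + (gexp(D0p, -1),) * N)

def in_span(rows, v, coins):
    """Membership decision: coordinates N+1..5N pin every coefficient to a discrete log of
    C0, D0^-1, C0' or D0'^-1, so the candidate built from the coins is the only possible witness."""
    coeffs = list(coins) * (len(v) // 5)
    return all(gmul(*(gexp(r[k], w) for r, w in zip(rows, coeffs))) == v[k]
               for k in range(len(v)))

def demo(N=3, seed=1):
    rng = random.Random(seed)
    sk, pk = keygen(N, rng)
    msgs = [gexp(F, rng.randrange(P)) for _ in range(N)]          # constructed messages
    ct, coins = encrypt(pk, msgs, rng)
    # Inconsistent Naor-Yung pair: C side of ct, D side of a ciphertext of different messages.
    ct2, coins2 = encrypt(pk, [gmul(M, F) for M in msgs], rng)    # differs in every slot
    mixed, mixed_coins = ct[:3] + ct2[3:], (coins[0], coins2[1], coins[2], coins2[3])
    return {"honest_in_span": in_span(pk[4], statement(ct), coins),
            "mixed_in_span": in_span(pk[4], statement(mixed), mixed_coins),
            "decrypts": [gmul(c, gexp(ct[0], -x), gexp(ct[1], -y))
                         for c, (x, y) in zip(ct[2], sk)] == msgs,
            "elements_before_proof": 4 + 2 * N}   # 2N+46 in the text, minus the 42-element proof
```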

The tight IND-CCA2 security can be proved in the same way as in Theorem 4. In particular, we rely on the tight IND-CPA security in the multi-challenge setting of a variant of the BBS encryption scheme where messages M are encrypted as \((f^{\theta _1},h^{\theta _2}, M \cdot X^{\theta _1} \cdot Y^{\theta _2})\).

In Sect. 5.3, we explain how the compatibility of this construction with zero-knowledge proofs comes in handy to build non-interactive and adaptively secure universally composable commitments based on CCA2-secure encryption.

5.3 Application to UC Commitments

Universally composable commitments [20, 27] are commitment schemes that provably remain secure when composed with arbitrary other protocols. They are known [20] to require some setup assumption like a common reference string. In some constructions, the CRS can only be used in a single commitment. Back in 2001, Canetti and Fischlin [20] gave re-usable bit commitments based on chosen-ciphertext-secure public-key encryption. In [52], Lindell described a simple and practical re-usable construction which allows committing to strings rather than individual bits. In short, each commitment consists of an IND-CCA2-secure encryption. In order to open a commitment later on, the sender generates an interactive zero-knowledge proof that the ciphertext encrypts the underlying plaintext. In its basic variant, Lindell’s commitment only provides security against static adversaries that have to choose whom to corrupt upfront. Subsequently, Fischlin et al. [31] showed that Lindell’s commitment can be made adaptively secure in the erasure model by the simple expedient of opening commitments via a NIZK proof (rather than an interactive one) which the sender generates at commitment time before erasing his encryption coins. Jutla and Roy [42] gave an optimization of the latter approach where the use of QA-NIZK proofs allows reducing the size of commitments and openings.

Using our CCA2-secure encryption scheme for long messages, we can build a tightly secure non-interactive universally composable commitment [20, 27] that allows committing to long messages with expansion rate 2. In constructions of UC commitments from IND-CCA2-secure encryption (e.g., [20, 31, 42]), a multi-challenge definition of IND-CCA2 security is usually considered in proofs of UC security. In the erasure model, the non-interactive and adaptively secure variants of Lindell’s commitment [31, 42] can be optimized using the techniques of [43, 49] to achieve a two-fold expansion rate. However, these solutions are not known to provide tight security. At the cost of a CRS of size \(\varTheta (N)\), the labeled version of our encryption scheme for long messages (where the label L of the ciphertext is simply included in \(\mathsf {lbl}\)) allows eliminating this limitation. As in [42], the sender can encrypt the message \((M_1,\ldots ,M_N)\) he wants to commit to and open the commitment via a QA-NIZK proof that

$$ \big (C_1/M_1,\cdots ,C_N/M_N, \overbrace{C_0,\cdots , C_0}^{N \text { times }},\overbrace{1,\cdots ,1}^{N \text { times }}, \overbrace{C_0',\cdots ,C_0'}^{N \text { times }}, \overbrace{1,\ldots ,1}^{N \text { times }} \big ) \in \mathbb {G}^{5N} $$

is in \(\mathsf {span} \langle \varvec{X}_{i,1},\varvec{X}_{i,2},\varvec{Y}_{i,1},\varvec{Y}_{i,2} \rangle _{i=1}^N \). For long messages, this construction thus achieves a two-fold expansion rate. While not as efficient as the recent rate-1 commitments of Garay et al. [34], it retains adaptive security assuming reliable erasures while [34] is only known to be secure against static adversaries.