
1 Introduction

Non-Interactive Zero-Knowledge (NIZK) proof and argument systems have been studied for about 30 years [BFM88, FLS90, Gol01]. The concept of proving a statement in just one round without leaking any information has been intriguing for theoreticians and extremely useful as a building block for designers of cryptographic protocols. The initial constructions for NIZK worked in the common reference string (CRS) model and, because of various limitations (e.g., the need for NP reductions, the non-reusability of the CRS, the expensive computations), their impact was mainly in the theoretical foundations of cryptography.

Proofs vs Arguments. The gap between NIZK proof (NIZKP) systems and NIZK argument (NIZKA) systems lies in their soundness requirement. Soundness aims to prevent an adversarial prover from convincing the verifier of the veracity of a false statement. The powerful concept of a NIZK proof requires the soundness guarantee to be unconditional; therefore the adversarial prover can be unbounded. The notion of a NIZK argument instead has a significantly weaker soundness guarantee, since it applies only to PPT (non-uniform polynomial-time) adversarial provers.

The difference seems subtle but may be fundamental in real-world applications. Consider an e-voting system that uses cryptographic proofs to ensure that the election result claimed by the authorities is authentic. If the system uses NIZK proofs, then there is a guarantee that the authorities cannot subvert the result of the election whatever computing power they have. If NIZK arguments are instead employed, then the guarantee is only conditional (it holds only if the authorities do not have enough computational power).

The Bridge Between Theory and Practice: the Fiat-Shamir (FS) Transform. The traditional power of the simulator in a NIZK proof/argument system consists in programming the common reference string (CRS). A popular alternative to the CRS model is the Random Oracle (RO) model [BR93]. The RO model assumes the availability of a perfect random function to all parties. One of the most successful applications of the RO model in cryptography is the FS transform, which allows one to obtain very efficient NIZK arguments [FS87]. The simulator of such a NIZK argument programs the RO (i.e., the simulator replaces, at least in part, the RO in answering the RO queries of the adversary).

In concrete implementations of this transform, prover and verifier replace the RO by some “secure” hash function.

Even if the RO methodology was already shown to be controversial in [CGH98] and further negative results were published subsequently [DNRS99, Bar01, GK03, BLV03, DRV12, GOSV14, KRR16], NIZK arguments via the FS transform are widely used in concrete cryptographic protocols (e.g., in e-voting). We remark that one could also consider a hybrid notion where the adversarial prover can be unbounded except that it can query the random oracle only a polynomial number of times. We stress that in this paper we consider a truly unbounded adversarial prover, and as such, a NIZK proof system does not impose any limitation on the number of RO queries. This difference can be crucial in applications.

1.1 Problem Statement

The FS transform induces a significant soundness loss. Indeed it receives as input a constant-round public-coin honest-verifier zero-knowledge (HVZK) proof system and outputs a NIZK argument system. This is a step back compared to the known NIZK proofs in the CRS model [BFM88, FLS90, GOS06b, GS08].

Of course if one is interested in a NIZK proof system in the RO model there is a trivial approach: just evaluate the RO on input the instance x to get a random string that can be used to compute a NIZK proof in the common reference string model (e.g., [FLS90]). However the trivial approach is very unsatisfying for the following two reasons: (1) it requires expensive computations (sometimes including an \(\mathsf{NP}\) reduction) that make the NIZK proof completely impractical, and (2) it requires some complexity assumptions (e.g., trapdoor permutations in [FLS90]) therefore incurring a significant security loss in the zero-knowledge guarantee.

These limitations of the FS-transform and of the above trivial approach motivate the main question of this work.

Open question: is there an alternative transform that outputs an efficient NIZK proof system (i.e., soundness is guaranteed also against unbounded adversarial provers) in the RO model for practical languages without introducing any additional unproven hypothesis?

1.2 The FS Transform Internals

Formal definitions of NIZK proofs and arguments of knowledge in the RO model through the FS transform have been investigated in several papers [FKMV12, BPW12, BFW15] and are discussed in Appendix A.3. For simplicity here we will now discuss the specific case of a 3-round public-coin HVZK proof system \(\mathsf {3HVZK}=(\mathcal {P},\mathcal {V})\) where the decision of the verifier is deterministic. However our discussion can be generalized to any constant-round public-coin HVZK argument system.

P sends a first message a to V, also called the commitment. Then V sends back a random challenge c. Finally P outputs the final message z, the answer to c. The triple (a, c, z) is called the transcript of an execution of \(\mathsf {3HVZK}\) for an instance x, and V deterministically decides whether to accept the transcript.

The FS transform constructs \(\mathsf {NIZK}=(\mathsf {NIZK}.\mathsf {Prove},\mathsf {NIZK}.\mathsf{Verify})\) as follows. \(\mathsf {NIZK}.\mathsf {Prove}\) computes a precisely as P, but then the challenge c of V is replaced by the output of the RO on input the statement x and a, i.e., \(c=H(x,a)\). Finally \(\mathsf {NIZK}.\mathsf {Prove}\) computes z precisely as P would compute it.

\(\mathsf {NIZK}\) is only computationally sound (i.e., it is an argument system) in the random oracle model. Indeed one can easily see that computing with non-negligible probability an accepting transcript for a false statement when the adversarial prover runs in polynomial time, implies that the challenge is the output of one out of a polynomially bounded number of evaluations of the RO, and this can be translated to proving with non-negligible probability a false statement to V. Soundness cannot be claimed when instead the adversarial prover is unbounded and can therefore make an unbounded number of queries to the RO.

If \(\mathsf {3HVZK}\) is also HVZK (see Appendix A.1), then the resulting \(\mathsf {NIZK}\) argument system is additionally a computational ZK argument system. Indeed the ZK simulator can program the RO queries and is therefore able to produce, using the HVZK simulator, a simulated proof that is computationally indistinguishable from a real proof.

If \(\mathsf {3HVZK}\) satisfies special soundness (i.e., there is a deterministic efficient extractor that, from 2 different accepting transcripts for the same statement with the same first message, outputs a witness), then the resulting \(\mathsf {NIZK}\) argument system additionally enjoys witness extraction, but only with respect to PPT adversarial provers. Known variations [Pas03, Fis05, FKMV12] of the FS transform produce NIZK argument systems that suffer from the same limitation of witness extraction with respect to PPT provers. We also stress that, to our knowledge, all previous variants of the FS transform (e.g., the ones of Pass [Pas03] and Fischlin [Fis05]) only achieve computational soundness (i.e., there is no security guarantee against an unbounded adversarial prover, which as such can have unlimited access to the random oracle). In this paper we call NIZK proof of knowledge (NIZKPoK) a NIZK proof system (i.e., with unconditional soundness) that enjoys the above extraction property (i.e., limited to PPT adversarial provers).

1.3 The Soundness Degradation of the FS Transform

Suppose that the underlying interactive protocol has the following properties. The space of prover commitments has cardinality \(\ge 2^{b(\lambda )}\), the verifier’s challenges have length \(k(\lambda )\), the soundness error is \(2^{-k(\lambda )}\), with \(k(\lambda )\in \omega (\log (\lambda )),b(\lambda )\ge \lambda +k(\lambda )\) where \(\lambda \) is the security parameter. Suppose further that the prover computes the answer z deterministically based on (a, c) and that for each \(x\notin L\) and each commitment a, there exists at least one challenge c such that (a, c, z) is an accepted transcript (a natural \(\varSigma \)-protocol satisfying the above requirements will be shown soon).

Fix an \(x\notin L\) and consider the following unbounded prover \(\mathsf {NIZK}.\mathsf {Prove}^\star \) that aims to compute an accepting proof for x. \(\mathsf {NIZK}.\mathsf {Prove}^\star \) searches over all pairs of challenges and commitments \((a_c,c)\) such that the above property holds (i.e., \((a_c,c,z)\) is an accepting tuple, where z is the deterministic answer of the prover to \((a_c,c)\)) and the RO maps \((x,a_c)\) into c; if \(\mathsf {NIZK}.\mathsf {Prove}^\star \) can find a pair \((a_c,c)\) that satisfies these conditions, it outputs \((a_c,c,z)\) as its proof, otherwise it outputs some error \(\bot \).

For each challenge and commitment pair \((a_c,c)\) the probability that the RO maps \((x,a_c)\) into c such that \((a_c,c,z)\) is an accepted transcript is \(\ge 2^{-k(\lambda )}\) (by hypothesis on the soundness error). Thus, since there are \(2^{b(\lambda )}\ge 2^{\lambda + k(\lambda )}\) commitments, \(\mathsf {NIZK}.\mathsf {Prove}^\star \) fails in proving the false statement x with probability \(<(1-\frac{1}{2^{k(\lambda )}})^{2^{\lambda +k(\lambda )}}\). Therefore, \(\mathsf {NIZK}.\mathsf {Prove}^\star \) succeeds with probability \(\ge 1-(1-\frac{1}{2^{k(\lambda )}})^{2^{k(\lambda )}\cdot 2^{\lambda }}\approx 1-(\frac{1}{e})^{2^{\lambda }}\).

This example shows that an unbounded prover can break the soundness of the FS transform applied to some particular proof system satisfying the above requirements. This is not an artificial counter-example as such requirements are satisfied by very natural proof systems like the ones of [CP93, CDS94].

Example. Consider for instance the protocol of Chaum and Pedersen [CP93] for proving that a tuple (g, h, u, v) of 4 group elements, in a group of prime order q, is a Diffie-Hellman (DH, in short) tuple.

The prover chooses a random \(r\in \mathbb {Z}_q\), where q is the order of the group, and sends the commitment \(a=g^r, b=h^r\). The verifier sends a random challenge \(c\in \mathbb {Z}_q\). The prover sends back deterministically \(z=r+cw \mod q\) and the verifier accepts iff \(g^z=au^c\) and \(h^z=bv^c\).

Let \(k(\lambda )=\lambda \) with security parameter \(\lambda \) equal to the length of the group elements. Then, the challenges have length \(k(\lambda )\), the commitments have length \(2\cdot k(\lambda )\) and \(k(\lambda )\) is also the soundness parameter. By using the simulator (of the special HVZK property), it is easy to see that for each false statement \(x\notin L\) and for each challenge c, there exists (a, z) such that (a, c, z) is an accepted transcript for x. Thus, the Chaum-Pedersen protocol satisfies the above requirements and its soundness can be broken in time \({\approx }2^{k(\lambda )}\).

Ineffectiveness of Parallel Repetition. A natural approach to adjust the FS transform in order to circumvent the above attack would be to execute p instances of the protocol in parallel and compute each challenge \(c_i\), for \(i=1,\ldots ,p\), as \(\mathcal{R}\mathcal{O}(x||a_i||i)\). Unfortunately, this strategy does not improve the situation. In fact, while the number of possible challenges increases (each challenge now consists of \(k\cdot p\) bits), the number of possible commitments also increases. A simple analysis shows that an attack similar to the previous one can be applied to such a variant of the FS transform as well. Observe also that the previous attack can be viewed as the special case \(p(\lambda )=1\).

In fact, consider a false statement x and an unbounded prover \(\mathsf {NIZK}.\mathsf {Prove}^\star \) as before that aims at computing an accepting proof for x. By the previous analysis of the protocol without repetitions (which can be seen as the special case \(p(\lambda )=1\)) and since the \(p(\lambda )\) executions are independent, \(\mathsf {NIZK}.\mathsf {Prove}^\star \) succeeds with probability \(\left( 1-(\frac{1}{e})^{2^{\lambda }}\right) ^{p(\lambda )}\), which is overwhelming in \(\lambda \).

It is fundamental for the previous analysis to hold that the space of commitments is much bigger than the challenge space, as it is indeed the case in general for natural \(\varSigma \)-protocols for languages where deciding membership is non-trivial. In fact, if for instance the space of the challenges and commitments were of the same cardinality, the lower-bound on the winning probability of the previous prover would be only \(\left( 1-\frac{1}{e}\right) ^{p(\lambda )}\) that is a negligible function. As we will see next, our transform still uses parallel repetitions but in a more careful way achieving NIZK proof systems for several natural and practical languages.
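As an added illustration for the Chaum-Pedersen example and the parallel-repetition discussion above (example code written for this page, not taken from the paper), the following Python script implements the Chaum-Pedersen protocol over a constructed toy group (safe prime p = 2039 with subgroup order q = 1019, generators 4 and 9) with SHA-256 standing in for the RO. It contains the honest FS prover and verifier, the special-HVZK simulator that yields an accepting transcript for any tuple, the unbounded prover of Sect. 1.3 (an exhaustive search that only terminates because the group is tiny), and the lower bound on its success probability with p parallel repetitions. All names and parameters are this example's own assumptions.

```python
# Added example, not the paper's code: Chaum-Pedersen over a toy group, its
# Fiat-Shamir (FS) version, the HVZK simulator, and the soundness-loss bound.
import hashlib
import math
import secrets

# Constructed toy parameters: P = 2*Q + 1 is a safe prime; G and H generate
# the order-Q subgroup of Z_P^*. Real deployments use a ~256-bit Q.
P, Q = 2039, 1019
G, H = 4, 9


def fs_challenge(x, a, b):
    """FS challenge c = RO(x, a) with the RO instantiated by SHA-256, reduced mod Q."""
    data = ",".join(map(str, (*x, a, b))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x, w):
    """Honest FS prover for x = (g, h, u, v) with witness w: u = g^w and v = h^w."""
    g, h, _u, _v = x
    r = secrets.randbelow(Q)
    a, b = pow(g, r, P), pow(h, r, P)      # commitment (a, b) = (g^r, h^r)
    c = fs_challenge(x, a, b)               # challenge replaced by the RO
    z = (r + c * w) % Q                     # deterministic answer
    return a, b, z


def verify(x, proof):
    """Verifier: recompute c from the RO and check g^z = a*u^c and h^z = b*v^c."""
    g, h, u, v = x
    a, b, z = proof
    c = fs_challenge(x, a, b)
    return (pow(g, z, P) == a * pow(u, c, P) % P
            and pow(h, z, P) == b * pow(v, c, P) % P)


def simulate(x, c, z):
    """Special-HVZK simulator: for ANY tuple x (DH or not) and any (c, z), it
    returns a commitment (a, b) such that ((a, b), c, z) is an accepting
    interactive transcript. This is the property the unbounded prover exploits."""
    g, h, u, v = x
    a = pow(g, z, P) * pow(u, -c, P) % P
    b = pow(h, z, P) * pow(v, -c, P) % P
    return a, b


def unbounded_prover(x):
    """The paper's NIZK.Prove*: enumerate simulated commitments until the RO
    happens to map (x, a, b) to the very challenge the commitment was built
    for. Each trial succeeds with probability 1/Q and there are Q^2 trials, so
    on the toy group this finishes after about Q hash evaluations on average."""
    for c in range(Q):
        for z in range(Q):
            a, b = simulate(x, c, z)
            if fs_challenge(x, a, b) == c:
                return a, b, z
    return None


def fs_success_lower_bound(k, b, p=1):
    """Lower bound 1 - (1 - 2^-k)^(2^b) on the unbounded prover's success for
    k-bit challenges and 2^b commitments, raised to the p-th power for p
    independent parallel repetitions (Sect. 1.3). Computed in log space."""
    log_fail = 2.0 ** b * math.log1p(-(2.0 ** -k))
    return (1.0 - math.exp(log_fail)) ** p
```

The two calls to `fs_success_lower_bound` worth comparing are `(k=20, b=40)`, which is the paper's setting b = λ + k and returns a value indistinguishable from 1, and `(k=20, b=20, p=64)`, the case where commitment and challenge spaces have the same size and the bound collapses to (1 − 1/e)^p, which is exactly why the paper's own transform shrinks the commitment space rather than repeating the protocol.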

2 Our Results

In the main result of this work we give a positive answer to the above open question: we show a transform that gives NIZK proof systems for practical languages.

We first (see Appendix A.3) provide formal definitions for NIZK proof/argument systems in the RO model following the lines of Faust et al. [FKMV12] and Bernhard et al. [BFW15] but taking into account unbounded adversarial provers, therefore considering statistical soundness. Then we propose a new transform from a specific class of 3-round public-coin HVZK proof systems for a given class of relations (see below) to NIZK proof systems in the RO model for the same class of relations.

The protocols and relations we support are a strengthening of the ones introduced by Maurer [Mau15]. Precisely, Maurer shows that most of the known practical sigma protocols can be viewed as a special case of a sigma protocol for a group homomorphic one-way function (OWF). Sigma protocols are a special case of 3-round public-coin HVZK proof systems (see Appendix A.1). Similarly, our transform can be applied to sigma protocols for proving that an element y is in the range of a group homomorphic OWF, but we also require additional properties of the function f. Namely, we require the following properties (this is only a sketch; the complete set of properties will be presented in Definition 11).

1. f is a trapdoor OWF with range \(\subseteq \{0,1\}^{m(\lambda )}\) for some polynomial \(m(\cdot )\). The witness for the relation includes the trapdoor, i.e., the prover needs the trapdoor to compute the proof. The trapdoor also allows to efficiently decide whether a string \(y\in \{0,1\}^{m(\lambda )}\) is in the range of f or not.

2. The language of all strings \(y\notin \mathsf{Range}(f),y\in \{0,1\}^{m(\lambda )}\) is in co-NP and using the trapdoor for f it is possible to compute a witness for the fact that \(y\notin \mathsf{Range}(f)\). That is, there are: (a) an algorithm \(\mathsf {Prove}_f\) that on input a string y and a trapdoor \(\mathsf{trap}\) for f computes a proof \(\pi \); (b) an algorithm \(\mathsf{Verify}\) that on input y and a proof \(\pi \) accepts if and only if \(y\notin \mathsf{Range}(f)\); (c) a PPT simulator \(\mathsf{Sim}_f\) that, with input the security parameter, outputs a pair \((a,\pi )\) that is distributed identically to \((a',\pi ')\) where \(a'\) is selected at random in the space of strings \(y\in \{0,1\}^{m(\lambda )},y\notin \mathsf{Range}(f)\) and \(\pi '\leftarrow \mathsf {Prove}_f(y,\mathsf{trap})\).

3. A random element in \(\{0,1\}^{m(\lambda )}\) falls outside the range of f with probability \(\le \frac{1}{q}\) (up to a negligible factor) for some constant \(q>1\); this probability affects the length of the proof.

We call such a function a special one-way group homomorphic function (SOWGHF). To exemplify the requirements, consider the squaring function modulo a Blum integer N that acts on the group \(\mathbb {Z}_N^{\star }\); sigma protocols for such an f allow one to prove whether a number is a quadratic residue modulo N. The first condition requires the existence of a trapdoor, which in this case is the factorization of N, and the range of the function is \(\mathbb {Z}_N\).

The second condition requires the existence of an efficient way for proving that a number is not a quadratic residue mod N. As N is a Blum integer, \(-1\) is a quadratic non-residue and thus \(-y\) is a quadratic residue mod N if and only if y is a quadratic non-residue mod N. Thus, there exists a witness for proving that a number y is not a quadratic residue. The simulator can simply pick a random number \(r\leftarrow \mathbb {Z}_N\) and output \((-r^2 \mod N, r)\).

The third condition is also satisfied since a random number in \(\mathbb {Z}_N^{\star }\) is a quadratic-residue modulo N with probability \(\frac{1}{4}\) and only a negligible fraction of the integers in \(\mathbb {Z}_N\) are not in \(\mathbb {Z}_N^{\star }\).

The second and third conditions are trivially satisfied when f is a permutation, e.g., for the RSA permutation. In that case, it makes no sense to prove with our NIZKP that a string is in the range of the function because for permutations the soundness is trivially satisfied. Moreover, the knowledge extraction property is also guaranteed by the FS transform at a lower cost. Nevertheless, one might consider statements like \(\exists x_1,x_2,x_3\) such that \(((y_1=f_1(x_1) \wedge y_2=f_2(x_2)) \vee y_3=f_3(x_3)),\) where one or more of the functions \(f_1,f_2,f_3\) are permutations and at least one is not a permutation and all the functions satisfy our requirements. Following Cramer et al. [CDS94], our transform can be likewise extended to support such compound statements.

One might be worried that the first condition is very restrictive in that we do not just require f to be a trapdoor OWF but in addition feed the trapdoor as input to the prover. However, notice that for many practical statements this is the case, e.g., for a proof of correct decryption of a Goldwasser-Micali ciphertext [GM84] we can assume that the prover is endowed with the factorization of N.

We refer the reader to Appendix A.2 for more details on what we call special one-way group homomorphic functions and special protocols. In Appendix B we show several examples of SOWGHFs that exemplify the usefulness and practicality of our notion. Combined with our transform, this gives efficient NIZK proof systems with statistical soundness for disparate relations of wide applicability.

Our transform preserves the properties of the FS transform (up to some efficiency loss) but, unlike the FS transform, maintains the unconditional soundness of the starting protocol. Regarding knowledge extraction, if the starting protocol satisfies special soundness then \(\mathsf {NIZK}\) will have the same extractability guarantee (see Appendix E) as the FS transform (i.e., extraction is possible against a PPT adversarial prover). Our transform does not add any computational assumption, and thus our NIZK proof will be secure in the RO model without any unproven hypothesis.

Therefore our work gives the first NIZK proof systems for a variety of useful languages in the RO model. See Theorems 10 and 12.

As noted and proved by Yung and Zhao [YZ06] (see also Ciampi et al. [CPSV16]), if the original 3-round public-coin HVZK proof system is witness indistinguishable (WI), then the FS-transformed argument is still WI, and the security proof for WI is RO-free. Since the same holds for our transform we get an efficient non-interactive WI proof system (also called non-interactive zap in previous work) [GOS06a, GS08, DN00] in the non-programmable RO model. The result is formally stated in Corollary G. In Sect. 5 we present applications of this result to hardware-assisted cryptography. In particular we achieve an unconditional NIWI proof system in an ideal-PUF model.

As shown earlier, if the starting interactive proof system has challenges of length \(\lambda \) (with \(\lambda \) security parameter) and space of commitments of cardinality \(2^{\lambda }\) then the soundness guarantee of the FS transform is completely violated by adversaries running in \(\varTheta (2^{\lambda })\) steps. Instead, the soundness of our transform is preserved with respect to adversaries running in \(O(2^{\lambda })\) steps, when the instantiation of the random oracle is resilient to adversaries running in time \(O(2^{\lambda })\) (e.g., idealized hash functions, PUFs). We formally state it in Conjecture 1.

3 Overview of Our Transform

We next describe our transform. Given an \(x\notin L\), we denote by “space of bad commitments” \(S_x\) for x of a 3-round public-coin proof system the set of all commitments a such that there exist e, z for which \(\mathcal {V}(x,a,e,z)\) accepts. With a slight abuse of notation, we say that the space of bad commitments S of \(\mathsf {3HVZK}\) has cardinality \(\le N\) if for all \(x\notin L\), the cardinality of \(S_x\) is \(\le ~N\).

Let \(\mathsf {3HVZK}\) be a 3-round public-coin HVZK proof system \(\mathsf {3HVZK}=(\mathcal {P},\mathcal {V})\) with space of bad commitments of cardinality \(\le 2^{b(\lambda )}\), challenges of length \(k(\lambda )\) and soundness error bounded by \(s(\lambda )\). In Lemma 9 we prove that the FS transform applied to such a \(\mathsf {3HVZK}\) results in a NIZK proof system with statistical soundness that degrades “nicely” in relation to \(s(\lambda )\) when the space of bad commitments \(2^{b(\lambda )}\) is not too “big” (see the Lemma and also Theorem 10 for a more precise statement).

As a consequence, the problem of transforming sigma protocols into NIZK proofs with statistical soundness can be reduced to the problem of transforming 3-round public-coin HVZK proof systems into ones having an arbitrarily small ratio between soundness error and space of bad commitments. So, we first present a transform from interactive protocols (that do not use the RO) to interactive protocols in the RO model with a smaller commitment space. Then, applying the FS transform to the latter protocol results in a NIZK with statistical soundness.

Trapdoor One-Way Group Homomorphism and Special Protocols. Before presenting our transform, we define the class of relations supported by our protocols. As in Maurer [Mau15], the relations we consider are associated with a homomorphic OWF that in our case satisfies some additional requirements. We first recall the abstraction of Maurer [Mau15] and then we proceed to state the additional properties we require.

Consider two groups \((G,\cdot )\), \((H,*)\) and a one-way homomorphic function from G to H, that is, a OWF with the property that \(f(x_1\cdot x_2)=f(x_1)*f(x_2)\). By abstracting several known protocols in the literature, Maurer presents a sigma protocol for proving that an element \(y\in H\) is in the range of f. In Maurer’s protocol, the prover knows x and the verifier knows \(y=f(x)\). The prover selects a random element k in G and sends \(a=f(k)\) to the verifier. The verifier sends back a number c selected at random in a challenge space that is a set of integers. The prover sends \(z=k\cdot x^c\) to the verifier, which accepts the transcript if and only if \(f(z)=a*y^c\).

If a protocol is so defined and if in addition the function f satisfies the three conditions given in Sect. 2 we say that the protocol is special. We now show how to transform a special protocol (\(\mathsf {spec}\)-\(\mathsf {prot}\)  henceforth) into one with shorter commitment space.

Reducing the Space of Commitments in Special Protocols. We construct a 3-round public-coin HVZK protocol \(\mathsf {3HVZK}=(\mathsf {3HVZK}.\mathsf {Prove},\mathsf {3HVZK}.\mathsf{Verify})\) for proving that \(y\in \mathsf{Range}(f)\) from a \(\mathsf {spec}\)-\(\mathsf {prot}\) \(\mathsf {SpecP}=(\mathsf {SpecP}.\mathsf {Prove},\mathsf {SpecP}.\mathsf{Verify})\) for the same relation. We denote by \(\mathsf {Prove}\) and \(\mathsf{Verify}\) the efficient algorithms to prove and verify that a string \(y\notin \mathsf{Range}(f)\), as guaranteed by a \(\mathsf {spec}\)-\(\mathsf {prot}\) for f. We recall that in a \(\mathsf {spec}\)-\(\mathsf {prot}\) (see Definition 13) the prover \(\mathsf {SpecP}.\mathsf {Prove}\) computes a commitment as f(r) where r is a string drawn at random in the domain of f.

The idea behind the transform is to make the space of the commitments arbitrarily smaller than the space of the challenges. Specifically, we repeat the protocol a sufficient number of times p to increase the space of the challenges, but at the same time we have to avoid that the space of the commitments increases at the same rate. To that aim, we force the space of the commitments to be small by computing each commitment via the RO as \(a_i=RO(y||i), i\in [p]\). In this way the space of the commitments is limited by \(2^{|y|}\cdot p\) and thus, e.g., doubling p just doubles the space of the commitments while quadrupling the space of the challenges.

Under one of the assumptions on any \(\mathsf {spec}\)-\(\mathsf {prot}\) we can assume that with noticeable probability \(a_i=f(r_i)\) for some \(r_i\). If this is the case the prover, by means of the trapdoor, can invert \(a_i\) and get \(r_i\). As mentioned above, the value \(r_i\) is meant to be the randomness used by \(\mathsf {SpecP}.\mathsf {Prove}\) to compute a commitment. Thus, using \(r_i\), \(\mathsf {3HVZK}.\mathsf {Prove}\) can complete the protocol (i.e., compute the final answer to send to the verifier). Note that, by hypothesis, the trapdoor can also be employed to check whether \(a_i\in \mathsf{Range}(f)\). On the other hand, if this is not the case, the prover can still use the trapdoor to show the verifier that \(a_i\notin \mathsf{Range}(f)\). As in FS, the verifier also has to check that each commitment \(a_i\) received from the prover equals \(\mathcal{R}\mathcal{O}(y,i)\).
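The following Python script is an added example (written for this page, not the paper's own code) that serves two passages at once: the three SOWGHF conditions of Sect. 2, instantiated with squaring modulo a Blum integer, and the commitment-space-reducing transform just described, with the FS step applied on top. It assumes a constructed toy modulus N = 47 · 59 (both primes 3 mod 4, the trapdoor being that factorization), SHA-256 as the RO, the 1-bit challenges of the basic quadratic-residuosity protocol, and a fixed number of repetitions. The paper's Construction 2 is not reproduced on this page, so the prover/verifier below follow the overview only; the split of the non-residuosity proof into a root witness for Jacobi-symbol +1 elements and a publicly checkable case for non-units and Jacobi-symbol −1 elements is this example's design choice, since the text above describes the root witness only.

```python
# Added example, not the paper's code: squaring mod a Blum integer as a
# SOWGHF (conditions 1-3 of Sect. 2) and a sketch of the Sect. 3 transform
# whose commitments are all derived from the RO, with Fiat-Shamir on top.
import hashlib
import math
import secrets

P_FACTOR, Q_FACTOR = 47, 59     # constructed Blum integer: both primes are 3 mod 4
N = P_FACTOR * Q_FACTOR         # 2773; the trapdoor is the pair (P_FACTOR, Q_FACTOR)
REPS = 128                      # p(lambda): number of repetitions (toy value)


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; computable by anyone, no trapdoor."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def f(x):
    """The homomorphism f(x) = x^2 mod N on Z_N^*: f(x1*x2) = f(x1)*f(x2)."""
    return x * x % N


def trapdoor_in_range(y):
    """Condition 1: with the factorization, decide whether y is a QR mod N."""
    return math.gcd(y, N) == 1 and all(
        pow(y, (r - 1) // 2, r) == 1 for r in (P_FACTOR, Q_FACTOR))


def trapdoor_invert(y):
    """Condition 1: one square root of a QR y (primes are 3 mod 4), via CRT."""
    rp = pow(y, (P_FACTOR + 1) // 4, P_FACTOR)
    rq = pow(y, (Q_FACTOR + 1) // 4, Q_FACTOR)
    t = (rq - rp) * pow(P_FACTOR, -1, Q_FACTOR) % Q_FACTOR
    return (rp + P_FACTOR * t) % N


def prove_not_in_range(y):
    """Condition 2(a). -1 is a non-residue mod a Blum integer, so a root of -y
    certifies that y is a non-residue. Non-units and elements with Jacobi
    symbol -1 are visibly outside the range (case split added by this example)."""
    if trapdoor_in_range(y):
        return None
    if math.gcd(y, N) != 1 or jacobi(y, N) == -1:
        return ("public", None)
    return ("root", trapdoor_invert((-y) % N))


def verify_not_in_range(y, proof):
    """Condition 2(b): trapdoor-free check that y is outside the range of f."""
    kind, r = proof
    if kind == "public":
        return math.gcd(y, N) != 1 or jacobi(y, N) == -1
    return math.gcd(y, N) == 1 and f(r) == (-y) % N


def simulate_not_in_range():
    """Condition 2(c): a (y, proof) pair sampled without the trapdoor."""
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return (-f(r)) % N, ("root", r)


def ro(label, *parts):
    """Random oracle instantiated with SHA-256 (domain-separated by label)."""
    data = "|".join([label, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def commitment(y, i):
    """Sect. 3: a_i = RO(y || i), so the prover cannot choose its commitments."""
    return ro("commit", y, i) % N


def challenge_bit(y, i, a):
    """FS challenge for repetition i; the basic QR protocol has 1-bit challenges."""
    return ro("chal", y, i, a) & 1


def answer_repetition(y, a, c, x=None):
    """One repetition: open a = f(r) with z = r * x^c, or show a is out of range.
    Without x, a trapdoor holder can still answer when a * y^c is a QR; for a
    y outside the range and c = 1 this never happens, so None is returned."""
    if not trapdoor_in_range(a):
        return ("out", prove_not_in_range(a))
    if x is not None:
        return ("open", trapdoor_invert(a) * pow(x, c, N) % N)
    target = a * pow(y, c, N) % N
    return ("open", trapdoor_invert(target)) if trapdoor_in_range(target) else None


def verify_repetition(y, a, c, elem):
    """Check f(z) = a * y^c for an opening, or the non-range proof otherwise."""
    kind, val = elem
    if kind == "open":
        return f(val) == a * pow(y, c, N) % N
    return kind == "out" and verify_not_in_range(a, val)


def nizk_prove(y, x=None):
    """Full proof; with x=None this is the best a trapdoor-only prover can do."""
    proof = []
    for i in range(REPS):
        a = commitment(y, i)
        elem = answer_repetition(y, a, challenge_bit(y, i, a), x)
        if elem is None:
            return None
        proof.append(elem)
    return proof


def nizk_verify(y, proof):
    """Verifier recomputes every a_i and c_i from the RO; no trapdoor needed."""
    if proof is None or len(proof) != REPS:
        return False
    for i, elem in enumerate(proof):
        a = commitment(y, i)
        if not verify_repetition(y, a, challenge_bit(y, i, a), elem):
            return False
    return True
```

Two things are worth trying on the toy parameters: `nizk_prove(f(123))` without the witness still verifies, which is why the first SOWGHF condition puts the trapdoor into the witness; and `nizk_prove(N - 1)` for the non-residue −1 returns `None`, because in every repetition where the RO commitment is a residue and the challenge bit is 1, the required answer would be a square root of a non-residue. Each repetition is thus "free" for a cheating prover with probability about 3/4 + 1/4 · 1/2 = 7/8, the per-repetition factor that appears in the parameter inequality of Sect. 4.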

Overall Transform. We define our transform as the result of applying the above transform to a \(\mathsf {spec}\)-\(\mathsf {prot}\) \(\mathsf {SpecP}\) to obtain a protocol \(\mathsf {3HVZK}\), and then applying the FS transform to \(\mathsf {3HVZK}\) to obtain a NIZK argument. It can be seen that our transform guarantees completeness if \(\mathsf {SpecP}\) is perfectly complete, computational ZK (see Appendix A.3) if \(\mathsf {SpecP}\) is HVZK, and computational witness extraction (see Appendix E) if \(\mathsf {SpecP}\) satisfies special soundness, exactly as is the case for the FS transform. More details will be given in Sect. 7.

The most important property of this new transform is that starting from a 3-round public-coin proof system that matches our requirements (i.e., what we call a \(\mathsf {spec}\)-\(\mathsf {prot}\)), our transform gives in output a non-interactive proof system, assuming a suitable choice of the parameters as we will specify later.

The parameter \(p(\cdot )\) in our transform depends on the cardinality of the challenge space \(k(\cdot )\) and on the probability \(q(\cdot )\) that a random element in the space of the commitments falls in the range of f. A more precise statement will be given in Sect. 7.

Connection to FLS. The reader may have noticed a connection to the work of Feige, Lapidot and Shamir (FLS) [FLS90]. A CRS-based NIZK like FLS can be easily converted to a NIZK in the RO model by setting the CRS to be the string \(\mathcal{R}\mathcal{O}(1^{\lambda })\). In that case, the CRS in the FLS NIZK can be seen as the first message in our protocol and then, by using a trapdoor, the prover in FLS is able to open the bits to the verifier in a selected way.

As we want to avoid expensive \(\mathsf{NP}\)-reductions, in our case the trapdoor depends on the language. Moreover we have to handle the case when f is not a permutation.

4 Comparison

Here we compare in more detail the NIZK proofs obtained through our transform with the other NIZK arguments and proofs discussed before.

In Table 1 we present a comparison of the NIZK proof resulting from our transform with other NIZK proofs and arguments known in the literature (see Sect. 6). The NIZK proof and argument systems in the comparison are very different in that they admit different and disparate relations or can prove general statements through expensive \(\mathsf{NP}\)-reductions. Nevertheless, it makes sense to compare them in terms of the properties achieved. We omit the comparison with the transform of Mittelbach and Venturi, which can be instantiated only for specific classes of interactive protocols and uses strong computational assumptions.

The third row in the table refers to a NIZK in the RO model constructed from a CRS-based NIZK in the trivial way, by replacing the CRS with the string \(\mathcal{R}\mathcal{O}(1^\lambda )\) and programming the RO in the obvious way. The ZK type is omitted but is implicitly assumed to be (multi-theorem adaptive) computational in the programmable RO model for works in which the corresponding CRS entry is set to No, and (multi-theorem adaptive) computational in the CRS model otherwise.

Efficiency: the Case of Quadratic Residuosity. It is difficult to compare different NIZK proofs and arguments systems for practical statements when they can handle different classes of relations. However, it makes sense to compare FS-transformed NIZK argument to the NIZK proof systems resulting from our transform when both are for the same relation. As an example, we can compare a FS-transformed NIZK argument system for proving that an integer is a quadratic residue to a NIZK proof system resulting from our transformation for the same relation.

The basic sigma protocol for proving quadratic residuosity has soundness error \(\frac{1}{2}\). To bring the soundness error down to, say, \(2^{-\lambda }\), it is necessary to repeat the protocol \(\lambda \) times, and in turn applying the FS transform to the latter protocol results in just a NIZK argument with computational soundness. Let us now compare the improvement offered by our transform.

As will be shown in our transform \(\mathsf{Trans}_{\mathsf {main}}\) of Construction 2, to get soundness error \(2^{-\lambda }\) our transform will compute a NIZKP consisting of \(p(\lambda )\) repetitions of a 3-round protocol with essentially the same communication efficiency as the basic sigma protocol for quadratic residuosity, where \(p(\lambda )\) has to satisfy the following inequality (cf. Eq. (1) in Construction 2):

$$2^{2\cdot \lambda +\log (p(\lambda ))}\cdot \left( \frac{1}{q}+\left( 1-\frac{1}{q}\right) \cdot \frac{1}{k(\lambda )}\right) ^{p(\lambda )}\le 2^{-\lambda }.$$

As \(\frac{1}{q}\approx \frac{3}{4}\), the above equation can be simplified to \(3\cdot \lambda +\log (p(\lambda ))\le c\cdot p(\lambda )\) where \(c\buildrel \triangle \over =3-\log _2(7)\approx 0.2\).

Then it can be seen that \(p(\lambda )\approx 16\cdot \lambda \) satisfies the equation. Therefore, our transform allows to upgrade from computational to statistical soundness at a cost of a moderate factor of inefficiency.
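The following Python snippet is an added example (not from the paper) that instantiates the inequality above for quadratic residuosity, with \(\frac{1}{q}=\frac{3}{4}\) and a challenge space of size 2 as stated in the text, and searches for the smallest \(p(\lambda )\) that satisfies it. It works entirely in \(\log _2\) arithmetic so that no huge powers of two are materialized; the default arguments are the example's own assumptions, and other choices of \(\frac{1}{q}\) and k can be passed in to re-run the computation for another SOWGHF.

```python
# Added example, not the paper's code: choosing the repetition count p(lambda)
# from the inequality 2^(2*lam + log p) * bound^p <= 2^-lam of Sect. 4.
import math


def per_repetition_cheating_bound(inv_q, k):
    """1/q + (1 - 1/q)/k: a repetition costs a cheating prover nothing when the
    RO-derived commitment falls outside the range of f (probability 1/q), and
    otherwise it must guess the challenge among k possibilities."""
    return inv_q + (1.0 - inv_q) / k


def repetition_constant(inv_q=0.75, k=2):
    """The constant c = -log2(bound); for quadratic residuosity this is
    3 - log2(7), roughly 0.19, as stated in the text."""
    return -math.log2(per_repetition_cheating_bound(inv_q, k))


def satisfies(lam, p, inv_q=0.75, k=2):
    """True iff 2^(2*lam + log2 p) * bound^p <= 2^-lam, checked in log2 form:
    2*lam + log2(p) - c*p <= -lam."""
    lhs = 2 * lam + math.log2(p) - repetition_constant(inv_q, k) * p
    return lhs <= -lam


def min_repetitions(lam, inv_q=0.75, k=2):
    """Smallest p satisfying the inequality: double until it holds, then bisect.
    Bisection is valid because the left-hand side is decreasing in p once
    p exceeds 1/(c ln 2), which is well below the doubling interval."""
    hi = 1
    while not satisfies(lam, hi, inv_q, k):
        hi *= 2
    lo = hi // 2
    while lo + 1 < hi:
        mid = (lo + hi) // 2
        if satisfies(lam, mid, inv_q, k):
            hi = mid
        else:
            lo = mid
    return hi
```

For \(\lambda =128\) the search returns a value within a few repetitions of \(16\cdot \lambda =2048\), matching the paper's estimate \(p(\lambda )\approx 16\cdot \lambda \); the \(\log (p(\lambda ))\) term is what keeps \(16\cdot \lambda \) itself from being exact for small \(\lambda \).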

5 Applications

Efficient NIWI Proofs in the NPRO Model. Yung and Zhao [YZ06] (see also Ciampi et al. [CPSV16]) observed that if the original 3-round public-coin HVZK proof system is witness indistinguishable (WI), then the FS-transformed argument is still WI, and the security proof for WI is RO-free. Since the same holds for our transform, we get an efficient non-interactive witness indistinguishable (NIWI) proof system (also called non-interactive zap in previous work) [GOS06a, GS08, DN00] in the non-programmable RO model. Next we show an application of this primitive.

Unconditional NIWI Proofs in the Ideal-PUF Model. In the last decade, there has been a renewed interest in hardware-assisted cryptographic protocols and physically uncloneable functions (PUFs, in short) [PRTG02, GCvD02, TSS+05, Kat07, HL08, GKR08, DORS08, AMS+09, GIS+10, BFSK11, OSVW13, RvD13]. We note that our unconditional NIWI proof system in the NPRO can be turned into an unconditional NIWI proof system in the ideal-PUF model, in which the PUF acts like a RO.

More specifically, we consider the availability of an ideal-PUF. Note that this is different from assuming a RO. In the RO model, all parties need to have access to the same function. In the ideal-PUF model we envision, we just assume that a hardware token acting as an ideal-PUF can be attached to a proof and sent from one party to another (specifically, from the prover to the verifier). We observe that our unconditional NIWI proof system in the NPRO can be turned into an unconditional NIWI proof system in the ideal-PUF model.

Table 1. Stat denotes statistical and Comp computational. PV denotes public verifiability: a YES refers to standard NIZKP/NIZKA and a NO to designated-verifier ones. CR denotes computational extractability with rewinding extractors and CS denotes computational extractability with straight-line extractors. The ZK type is omitted but is implicitly assumed to be (multi-theorem adaptive) computational in the programmable RO model for works in which the corresponding CRS entry is set to No, and (multi-theorem adaptive) computational in the CRS model otherwise. \(^\star \): When it refers to the transforms, a No means that the transform does not add any computational assumption (beyond assuming the RO model) to the ones of the underlying starting protocol (which could even be unconditional). \(^{\star \star }\): Note that the definition of online extractability of Fischlin implicitly assumes that the adversary is possibly computationally unbounded but limited to a polynomial number of RO queries. Thus, according to our terminology, it is still an argument with computational extractability.

6 Related Work

CRS-based NIZK proof and argument systems have been intensively studied in the last 30 years in a sequence of works [BFM88, FLS90, RS92, BY96, Pas03, BCNP04, Ps05, GOS06b, AF07, GS08, Pas13, BFS16]. One of the initial motivations for CRS-based NIZK proofs was CCA security [NY90, CS98, Sah99, CS03, Lin06]. In this setting, the CRS is computed by the receiver, while the NIZK proofs are computed by the sender of ciphertexts. Thus, for CCA security the CRS model does not pose any issue. However, in e-voting the authority cannot compute the CRS, because it must compute the proofs that show the correctness of the tally and thus cannot be the same party that computes the CRS; the CRS therefore has to be set up by a trusted party.

An alternative to the CRS model is the RO model, which does not solve the issues of the CRS model but often leads to the design of more efficient protocols. The RO methodology was introduced in the groundbreaking work of Bellare and Rogaway [BR93]. Canetti et al. [CGH98] show that the RO methodology is unsound in general, and several works [DNRS99, Bar01, GK03, BLV03, BDSG+13, GOSV14, KRR16] study the security of the FS methodology. The first rigorous analysis of the FS transform (applied to the case of signature schemes) appeared in Pointcheval and Stern [PS00]. Since the introduction of the FS transform [FS87], many works have investigated alternative transformations achieving further properties or mitigating some issues of FS.

Pass [Pas03] and Fischlin [Fis05] introduce new transformations with straight-line extractors to address some problems that arise when using the NIZK argument systems resulting from the FS transform in larger protocols [SG02]. The NIZK systems resulting from Pass's and Fischlin's transforms share the same limitation of FS of being arguments, i.e., sound only against computationally bounded adversaries. Furthermore, as in our case, Fischlin's transform also results in a completeness error.

(Note that the definition of online extractability of Fischlin implicitly assumes that the list of RO queries given to the extractor has polynomial size and thus only withstands adversaries that are possibly computationally unbounded but limited to a polynomial number of RO queries; according to our terminology, this limitation leads to an argument system with computational extractability.)

Damgård et al. [DFN06] propose a new transformation for the standard model, but it results in NIZK argument systems that are only designated-verifier, rest on computational assumptions and have soundness limited to a logarithmic number of theorems. Designated-verifier NIZK proofs are sufficient for some applications (e.g., non-malleable encryption [PsV06]) but not for others like e-voting, in which public verifiability is a desired property. The limitation on the soundness of the transformation of Damgård et al. has been improved in the works of Ventre and Visconti [VV09] and Chaidos and Groth [CG15].

Lindell [Lin15] (see also the improvement of Ciampi et al. [CPSV16]) puts forward a new transformation that requires both a non-programmable RO and a CRS and has computational complexity only slightly higher than FS. The transformations of Lindell and Ciampi et al. are based on computational assumptions whereas ours does not require any unproven hypothesis.

Mittelbach and Venturi [MV16] investigate alternative classes of interactive protocols where the FS transform does have standard-model instantiations but their result yields NIZK argument systems and is based on strong assumptions like indistinguishability obfuscation [GGH+13], and as such is far from being practical. Moreover the result of Mittelbach and Venturi seems to apply only to the weak FS transform in which the statement is not hashed along with the commitment. The weak FS transform is known to be insecure in some applications [BPW12]. In this work, we only consider the strong FS transform.

The work of Mittelbach and Venturi has been improved by Kalai et al. [KRR16], who, building on [BLV03, DRV12], have shown how to transform any public-coin interactive proof system into a two-round argument system using strong computational assumptions. The latter work does not yield non-interactive argument systems.

Sigma protocols, on which efficient NIZK arguments (and our NIZK proofs) in the RO model are based, have been intensively studied [CP93, CDS94, FKI06, BR08, ABB+10, Mau15, GMO16]. Sigma protocols incorporate properties both of interactive proof systems and of proofs of knowledge [GMR89, BG93]. Faust et al. [FKMV12] and Bernhard et al. [BFW15] provide a careful study of the definitions and security properties of the NIZK argument systems resulting from the FS transform, but they do not investigate the possibility of achieving statistically sound proofs. Both works, as well as ours, make use of the general forking lemma of Bellare and Neven [BN06] that extends the forking lemma of Pointcheval and Stern [PS00]. We note that in our NIWI the RO can be replaced by an ideal PUF. In the last decade, many works have studied constructions and applications of hardware-assisted cryptographic protocols and PUFs [PRTG02, GCvD02, Kat07, HL08, GKR08, DORS08, AMS+09, BFSK11, OSVW13, RvD13].

Roadmap. In Appendix A we provide the necessary background and formal definitions of all the primitives and concepts used in this work, including our new framework of special one-way group homomorphic functions. Additional definitions regarding extractability will be given in Appendix E. In Sect. 7 we present our main transform, in Appendix D we analyze its soundness and in Appendices E-G zero-knowledge, extractability and additional properties. In Appendix B we present several instantiations of special one-way group homomorphic functions.

7 Our Transform

7.1 Step I: From \(\mathsf {spec}\)-\(\mathsf {prot}\) to 3-Round Public-Coin HVZK in the ROM

For the sake of exposition, we define our main transform as consisting of two transforms. The first one transforms a \(\mathsf {spec}\)-\(\mathsf {prot}\) into a 3-round public-coin HVZK protocol in the RO model.

Specifically, \(\mathsf{Trans}(c(\cdot ), k(\cdot ), q, m(\cdot ), p(\cdot ), f)\) converts a \(\mathsf {spec}\)-\(\mathsf {prot}\) \(\mathsf {SpecP}=(\mathsf {SpecP}.\mathsf {Prove},\mathsf {SpecP}.\mathsf{Verify})\) with challenges of length \(k(\cdot )\) and commitments of length \(c(\cdot )\) for a \((m(\cdot ),q)\)-SOWGHF f into a 3-round public-coin HVZK proof system \(\mathsf {3HVZK}[c(\cdot ),k(\cdot ),q,m(\cdot ), p(\cdot ),f]=(\mathsf {3HVZK}[c(\cdot ), k(\cdot ),q,m(\cdot ), p(\cdot ),f].\mathsf {Prove}, \mathsf {3HVZK}[c(\cdot ), k(\cdot ),q, m(\cdot ), p(\cdot ), f].\mathsf{Verify})\) with commitments of length \(c(\lambda )\cdot p(\lambda )\), a space of bad commitments of cardinality \(2^{\lambda +\log (p(\lambda ))}\), and challenges of length \(k(\lambda )\cdot p(\lambda )\). Moreover, \(\mathsf {3HVZK}\) is associated with a polynomial \(\mathop {\mathsf {poly}}\nolimits _{\mathsf {inp}}(\cdot )\).

The algorithms of \(\mathsf {3HVZK}[c(\cdot ),k(\cdot ), q,m(\cdot ),p(\cdot ),f]\) when run on an input x with \(|x|\buildrel \triangle \over =\lambda \) need oracle access to a function \(\mathcal{R}\mathcal{O}\) with domain \(\{0,1\}^{\mathop {\mathsf {poly}}\nolimits _{\mathsf {inp}}(\lambda )}\) and co-domain \(\{0,1\}^{c(\lambda )}\), and guarantee soundness bounded by \(p(\lambda )\). We next define our transform \(\mathsf{Trans}[c(\cdot ),k(\cdot ),q,m(\cdot ), p(\cdot ),f]\).

Construction 1

Let \(\mathsf {SpecP}=(\mathsf {SpecP}.\mathsf {Prove},\mathsf {SpecP}.\mathsf{Verify})\) be a \(\mathsf {spec}\)-\(\mathsf {prot}\) with challenges of length \(k(\cdot )\) and commitments of length \(c(\cdot )\) for a \((m(\cdot ),q)\)-SOWGHF f. Note that according to our formulation, \(\mathsf {SpecP}\) is induced by f, \(k(\cdot )\), \(m(\cdot )\) and q. Our transform \(\mathsf{Trans}(c(\cdot ),k(\cdot ),q,m(\cdot ),p(\cdot ),f)\) is a polynomial-time algorithm that takes as input the description of f (and thus implicitly \(\mathsf {SpecP}\)), the description of functions \(c(\cdot ),k(\cdot )\), \(q,m(\cdot )\) and \(p(\cdot )\) and outputs a pair \((\mathop {\mathsf {poly}}\nolimits _{\mathsf {inp}}(\cdot ), \mathsf {3HVZK}[c(\cdot ),k(\cdot ),q, m(\cdot ), p(\cdot ),f])\) that consists of the description of a polynomial and the description of a proof system computed as follows.

Compute \(\mathop {\mathsf {poly}}\nolimits _{\mathsf {inp}}(\cdot )=\lambda +\log (p(\cdot ))\), and set \(\mathsf {3HVZK}[c(\cdot ),k(\cdot ),q,m(\cdot ),p(\cdot ),f]=(\mathsf {3HVZK}[c(\cdot ),k(\cdot ),q,m(\cdot ),p(\cdot ),f].\mathsf {Prove}, \mathsf {3HVZK}[c(\cdot ),k(\cdot ),q,m(\cdot ),p(\cdot ),f].\mathsf{Verify})\) according to the description of the following two algorithms that are algorithms with oracle access to a function \(\mathcal{R}\mathcal{O}\) with domain \(\{0,1\}^{\mathop {\mathsf {poly}}\nolimits _{\mathsf {inp}}(\lambda )}\) and co-domain \(\{0,1\}^{c(\lambda )}\).

In the following we denote by \(\mathsf {SpecP}.\mathsf {Prove}(y,(x,\mathsf{trap}),f^{-1}(a_i),e_i)\) the output of \(\mathsf {SpecP}.\mathsf {Prove}\) when executed with theorem y, witness \((x,\mathsf{trap})\), first message computed with randomness \(f^{-1}(a_i)\) (where the inverse is computed with trapdoor \(\mathsf{trap}\)) and after having received challenge \(e_i\) from the verifier. Note that the prover of a \(\mathsf {spec}\)-\(\mathsf {prot}\) computes its first message as f(r), where r is the chosen randomness; thus the first message corresponds to \(f(f^{-1}(a_i))=a_i\).

\(\mathsf {3HVZK}.\mathsf {Prove}\), with inputs x, y and the trapdoor \(\mathsf{trap}\), and \(\mathsf {3HVZK}.\mathsf{Verify}\), with input y, perform the following three rounds of communication.

(Figure a: the three rounds of \(\mathsf {3HVZK}\).)

7.2 Step II: Composing with the FS Transform

\(\mathsf{Trans}(c(\cdot ),k(\cdot ),q,m(\cdot ), p(\cdot ),f)\) converts a \(\mathsf {spec}\)-\(\mathsf {prot}\) \(\mathsf {SpecP}=(\mathsf {SpecP}.\mathsf {Prove},\mathsf {SpecP}.\mathsf{Verify})\) with space of bad commitments of cardinality \(\le 2^{b(\cdot )}\), commitments of length \(c(\cdot )\), challenges of length \(k(\cdot )\) into a proof system in the RO model \(\mathsf {3HVZK}[c(\cdot ),k(\cdot ),q,m(\cdot ),p(\cdot ),f]= (\mathsf {3HVZK}[c(\cdot ), k(\cdot ), q,m(\cdot ), p(\cdot ),f].\mathsf {Prove}, \mathsf {3HVZK}[c(\cdot ),k(\cdot ), q,m(\cdot ),p(\cdot ),f].\mathsf{Verify})\) with commitments of length \(c(\lambda )\cdot p(\lambda )\), space of bad commitments of cardinality \(2^{\lambda +\log (p(\lambda ))}\) and challenges of length \(k(\lambda )\cdot p(\lambda )\). The protocol is associated with a polynomial \(\mathop {\mathsf {poly}}\nolimits _{\mathsf {inp}}(\cdot )\) that dictates the domain of the RO.

By appropriately setting the parameter \(p(\cdot )\) and applying the FS transform to \(\mathsf {3HVZK}\) we can obtain a NIZK proof system with negligible soundness error (precisely, \(p(\cdot )\) and the soundness error will be related). We now show our main transform that uses the previous one and the FS transform to achieve our goal.

Construction 2

Let \(\mathsf {SpecP}=(\mathsf {SpecP}.\mathsf {Prove},\mathsf {SpecP}.\mathsf{Verify})\) be a \(\mathsf {spec}\)-\(\mathsf {prot}\) with challenges of length \(k(\cdot )\) and commitments of length \(c(\cdot )\) for a \((m(\cdot ),q)\)-SOWGHF f. Note that according to our formulation, \(\mathsf {SpecP}\) is induced by f, \(k(\cdot )\), \(m(\cdot )\) and q. Our main transform \(\mathsf{Trans}_{\mathsf {main}}(c(\cdot ),k(\cdot ),q,m(\cdot ),\delta (\cdot ),f)\) is a polynomial-time algorithm that takes as input the description of f (and thus implicitly \(\mathsf {SpecP}\)), the description of functions \(c(\cdot ),k(\cdot )\), \(q,m(\cdot )\) and a negligible function \(\delta (\cdot )\) and outputs a pair \((\mathop {\mathsf {poly}}\nolimits _{\mathsf {inp}}(\cdot ), \mathop {\mathsf {poly}}\nolimits _{\mathsf {out}}(\cdot ), \mathsf {NIZK}[c(\cdot ),k(\cdot ),q, m(\cdot ), \delta (\cdot ),f])\) that consists of the description of two polynomials \((\mathop {\mathsf {poly}}\nolimits _{\mathsf {inp}}(\cdot ),\mathop {\mathsf {poly}}\nolimits _{\mathsf {out}}(\cdot ))\) and the description of a NIZKPoK proof system computed as follows.

Firstly, compute a polynomial \(p(\cdot )\) satisfying the equation

$$\begin{aligned} 2^{2\cdot \lambda +\log (p(\lambda ))}\cdot \left( \frac{1}{q}+(1-\frac{1}{q})\cdot \frac{1}{k(\lambda )}\right) ^{p(\lambda )}\le \delta (\lambda ). \end{aligned}$$
(1)

We will show in Theorem 10 that it is always possible to find such a polynomial.
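The search for the smallest \(p(\lambda )\) satisfying Eq. (1), applied to the quadratic-residuosity estimate of Sect. 4 (\(1/q\approx 3/4\), target \(\delta (\lambda )=2^{-\lambda }\)), as an added Python example that is not part of the paper; it assumes \(k(\lambda )=2\), the value under which the paper's simplification to \(3\cdot \lambda +\log (p(\lambda ))\le c\cdot p(\lambda )\) with \(c=3-\log _2(7)\) holds, and the functions below are hypothetical names.

```python
import math


def rho_of(q_inv: float, k: int) -> float:
    """Per-repetition cheating probability rho = 1/q + (1 - 1/q)/k(lambda) in Eq. (1)."""
    return q_inv + (1.0 - q_inv) / k


def log2_lhs(lam: int, p: int, rho: float) -> float:
    """log2 of the left-hand side of Eq. (1): 2^(2*lam + log2 p) * rho^p.

    Working in the log domain avoids overflow once p reaches the thousands."""
    return 2 * lam + math.log2(p) + p * math.log2(rho)


def satisfies_eq1(lam: int, p: int, rho: float, log2_delta: float) -> bool:
    """True iff p repetitions push the bound of Eq. (1) below delta = 2^log2_delta."""
    return log2_lhs(lam, p, rho) <= log2_delta


def min_repetitions(lam: int, rho: float, log2_delta: float, p_max: int = 10**6) -> int:
    """Smallest p satisfying Eq. (1).

    For rho < 1 the log-domain LHS grows only until p ~ 1/(ln 2 * (-log2 rho))
    (about 5 for rho = 7/8) and then decreases linearly in p, so the first p
    meeting the bound is the minimum and every larger p also meets it."""
    for p in range(1, p_max + 1):
        if satisfies_eq1(lam, p, rho, log2_delta):
            return p
    raise ValueError("no p <= p_max satisfies Eq. (1)")


# Simplified form from Sect. 4: 3*lam + log2 p <= c*p with c = 3 - log2 7 ~ 0.19.
C_SIMPLIFIED = 3 - math.log2(7)


def satisfies_simplified(lam: int, p: int) -> bool:
    """The paper's simplified inequality; equivalent to Eq. (1) when rho = 7/8."""
    return 3 * lam + math.log2(p) <= C_SIMPLIFIED * p


def qr_estimate(lam: int) -> int:
    """Quadratic-residuosity instance: 1/q ~ 3/4 and (assumed) k(lam) = 2,
    i.e. rho = 7/8, with soundness target delta = 2^-lam."""
    return min_repetitions(lam, rho_of(0.75, 2), -lam)


if __name__ == "__main__":
    for lam in (80, 128, 256):
        p = qr_estimate(lam)
        print(f"lambda={lam}: p={p} repetitions (p/lambda = {p / lam:.2f})")
```

The ratio p/λ settles close to 16 only for large λ; for λ = 128 the log(p(λ)) term still pushes the minimum slightly above 16λ.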

Then, apply the transform \(\mathsf{Trans}(c(\cdot ),k(\cdot ),q,m(\cdot ), p(\cdot ),f)\) of Construction 1 to obtain a 3-round public-coin HVZK proof system in the RO model \(\mathsf {3HVZK}[c(\cdot ),k(\cdot ),q,m(\cdot ), p(\cdot ),f]\) and a polynomial \(\mathop {\mathsf {poly}}\nolimits _{\mathsf {inp}}'(\cdot )\). Set \(\mathop {\mathsf {poly}}\nolimits _{\mathsf {inp}}(\cdot )\) (resp. \(\mathop {\mathsf {poly}}\nolimits _{\mathsf {out}}(\cdot )\)) to the maximum between \(\mathop {\mathsf {poly}}\nolimits _{\mathsf {inp}}'(\cdot )\) and the length of the commitments of \(\mathsf {3HVZK}\) (resp. the maximum between the length of the commitments and the length of the challenges of \(\mathsf {3HVZK}\)).

(In the following we assume that, e.g., if \(\mathsf {3HVZK}\) was expecting an RO with domain \(\{0,1\}^{m(\lambda )}\) and we execute it with an RO with domain \(\{0,1\}^{n(\lambda )},\) for \(n(\lambda )>m(\lambda )\), the protocol \(\mathsf {3HVZK}\) is slightly modified to use the truncation of the output of the RO; similarly for the co-domain. Thus, the previous setting serves to guarantee that the RO has a domain and co-domain large enough to be used both for the transform \(\mathsf{Trans}\) (which uses domain \(\{0,1\}^{\lambda +\log (p(\lambda ))}\) and co-domain \(\{0,1\}^{c(\lambda )}\)) and for the FS transform, which uses domain \(\{0,1\}^{\lambda +c(\lambda )\cdot p(\lambda )}\) and co-domain \(\{0,1\}^{c(\lambda )\times p(\lambda )}\).)

Then it applies the FS transform to \(\mathsf {3HVZK}\) to get a NIZKPoK proof system \(\mathsf {NIZK}=(\mathsf {NIZK}.\mathsf {Prove},\mathsf {NIZK}.\mathsf{Verify})\) that uses an RO with domain (resp. co-domain) strings of length \(\mathop {\mathsf {poly}}\nolimits _{\mathsf {inp}}(\cdot )\) (resp. \(\mathop {\mathsf {poly}}\nolimits _{\mathsf {out}}(\cdot )\)).

Note that our main transform \(\mathsf{Trans}_{\mathsf {main}}\) can be viewed as the composition of \(\mathsf{Trans}\) with the FS transform.

Remark 1

By defining \(\mathsf{Trans}_{\mathsf {main}}\) to be the composition of the two transforms (i.e., \(\mathsf{Trans}\) and the FS transform), for simplicity we skipped a detail. Namely, the proof system \(\mathsf {3HVZK}\) on which we apply the FS transform is a protocol for the RO model and thus care has to be taken in avoiding that the added RO queries are in the set of possible RO queries of the original protocol. This issue can be sorted out by letting the RO in the original protocol and in the FS-transformed protocol to query the RO on different prefixes, e.g., 0 and 1; that is, each query x of \(\mathsf {3HVZK}\) (resp. each new query added by the FS transform) will invoke the RO on input (0||x) (resp. (1||x)).

Next, we define the instantiation of a NIZKPoK resulting from our transform with a concrete hash function.

Construction 3

[H-instantiation of our transform]. Let \(\mathsf {SpecP}=(\mathsf {SpecP}.\mathsf {Prove},\mathsf {SpecP}.\mathsf{Verify})\) be a \(\mathsf {spec}\)-\(\mathsf {prot}\) with challenges of length \(k(\cdot )\) and commitments of length \(c(\cdot )\) for a \((m(\cdot ),q)\)-SOWGHF f. Note that according to our formulation, \(\mathsf {SpecP}\) is induced by f, \(k(\cdot )\), \(m(\cdot )\) and q.

Let \((\mathop {\mathsf {poly}}\nolimits _{\mathsf {inp}}(\cdot ),\mathop {\mathsf {poly}}\nolimits _{\mathsf {out}}(\cdot ),\mathsf {NIZK}[\mathsf {3HVZK},c(\cdot ), k(\cdot ), q, m(\cdot ), \delta (\cdot )])= \mathsf{Trans}(\mathsf {3HVZK},c(\cdot ), k(\cdot ),q,m(\cdot ),\delta (\cdot ))\) be the NIZKPoK system resulting from the transform of Construction 1. Let \(H(\cdot )\) be any function with domain \(\{0,1\}^\star \) and co-domain \(\{0,1\}^m\) for some integer \(m>0\).

We denote by \(\mathsf{Trans}_{\mathsf {main}}^{H(\cdot ),m}(\mathsf {3HVZK},c(\cdot ),k(\cdot ),q,m(\cdot ),\delta (\cdot ))\) the NIZKPoK system resulting from the transform of Construction 1 changed as follows. (In the following we assume for simplicity that \(\mathop {\mathsf {poly}}\nolimits _{\mathsf {out}}(\lambda )\) divides m. It is straightforward to remove the constraint.) When the prover (resp. verifier) needs to access the oracle \(\mathcal{R}\mathcal{O}(\cdot )\) on an input \(y\in \{0,1\}^{\mathop {\mathsf {poly}}\nolimits _{\mathsf {inp}}(\lambda )}\), the function \(H(\cdot )\) is invoked as \(H(1^{1}||0||y),\ldots ,H(1^{\mathop {\mathsf {poly}}\nolimits _{\mathsf {out}}(\lambda )/m}||0||y)\) to get respective outputs \(e_1,\ldots ,e_{\mathop {\mathsf {poly}}\nolimits _{\mathsf {out}}(\lambda )/m}\), and the concatenation of the \(e_i\)'s is returned to the prover (resp. verifier) as the oracle's answer.

With a slight abuse of notation, we call the output of \(\mathsf{Trans}^{H(\cdot ),m}\) the instantiation of the proof system with function \(H(\cdot )\).
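The oracle expansion of Construction 3 together with the prefix separation of Remark 1, as an added Python example that is not the paper's code; it assumes SHA-256 as the concrete \(H(\cdot )\) with \(m=256\), bit strings represented as text of '0'/'1' characters, that m divides \(\mathop {\mathsf {poly}}\nolimits _{\mathsf {out}}(\lambda )\) (the number of H calls is \(\mathop {\mathsf {poly}}\nolimits _{\mathsf {out}}(\lambda )/m\)), and the function names below are hypothetical.

```python
import hashlib


def sha256_bits(s: str) -> str:
    """Constructed H: SHA-256 over the '0'/'1' text of a bit string, as 256 bits."""
    digest = hashlib.sha256(s.encode("ascii")).digest()
    return format(int.from_bytes(digest, "big"), "0256b")


def instantiate_ro(H, m: int, out_bits: int, inp_bits: int):
    """Build the oracle of Construction 3 from H: {0,1}* -> {0,1}^m.

    A query y in {0,1}^inp_bits is answered by the concatenation
    H(1^1||0||y) || H(1^2||0||y) || ... || H(1^(out_bits/m)||0||y).
    The unary counter followed by a 0 makes each input unambiguous, so the
    out_bits/m chunks are outputs of H on pairwise distinct strings."""
    if out_bits % m:
        raise ValueError("m must divide out_bits (assumed divisibility)")
    n_calls = out_bits // m

    def ro(y: str) -> str:
        if len(y) != inp_bits or set(y) - {"0", "1"}:
            raise ValueError("query outside {0,1}^poly_inp")
        return "".join(H("1" * i + "0" + y) for i in range(1, n_calls + 1))

    return ro


def split_oracles(ro):
    """Remark 1: the oracle used inside 3HVZK and the one added by the FS
    transform query the shared RO under the distinct prefixes 0 and 1, so the
    two query sets can never overlap (each inner query is one bit shorter)."""
    trans_ro = lambda x: ro("0" + x)  # noqa: E731  queries of 3HVZK
    fs_ro = lambda x: ro("1" + x)     # noqa: E731  queries added by FS
    return trans_ro, fs_ro


if __name__ == "__main__":
    # Constructed parameters: 9-bit shared domain, 768-bit answers from 256-bit H.
    ro = instantiate_ro(sha256_bits, 256, 768, 9)
    trans_ro, fs_ro = split_oracles(ro)
    x = "10101010"
    print("3HVZK oracle:", trans_ro(x)[:32], "...")
    print("FS oracle:   ", fs_ro(x)[:32], "...")
```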