1 Introduction

1.1 Motivation

Zero-knowledge proof systems, introduced by Goldwasser, Micali, and Rackoff [25], allow a prover to convince a verifier of the validity of an \(\textsf{NP}\) statement without revealing anything beyond that. Its round-optimal variant, non-interactive zero-knowledge proof (NIZK), allows a prover to convince the verifier by sending a single message. Due to this property, NIZK is a central topic in both practical and theoretical cryptography, and it has been used as an important building block for countless cryptographic primitives and protocols.

NIZKs for all \(\textsf{NP}\) were first proposed in [7, 19] based on the quadratic residuosity assumption and the existence of trapdoor permutations. While these results demonstrate the feasibility of NIZKs for \(\textsf{NP}\) under standard assumptions, they are not very efficient.

For better efficiency, Groth, Ostrovsky, and Sahai [29] proposed a framework of efficient pairing-based constructions (GOS-NIZK). It provides constructions with prime-order and composite-order pairings, whose security is based on the Decisional Linear (\(\textsf{DLIN}\)) assumption and the subgroup decision assumption respectively. Their constructions have tight security and compact common reference strings (CRS), namely, a CRS contains a constant number of group elements. Moreover, they achieve either perfect soundness and computational zero-knowledge, or computational soundness and perfect zero-knowledge, depending on the CRS; this is referred to as the dual-mode property. Perfect soundness and perfect zero-knowledge provide “everlasting security” and are interesting for certain applications. For instance, a NIZK with perfect soundness always rejects an invalid proof, and it can protect messages that are valuable only for a limited time and can be published or deleted later. The dual mode with perfect zero-knowledge protects secrets indefinitely, and an adversary would have to break soundness at the time an honest proof is generated rather than later; a system can therefore reject users who exceed the time window for generating their proofs.

To further improve the efficiency of GOS-NIZK, a sequence of works has been proposed. These works either restrict to algebraic languages (e.g., [15, 30, 33, 34, 39]) or base their security on non-falsifiable assumptions (e.g., [17, 23, 26, 28, 40]). In this paper, we are interested in constructions based on standard assumptions in pairing groups. By “standard assumptions”, we refer to static and falsifiable assumptions, such as the (Matrix) Diffie-Hellman assumption [18]. The reason for using standard assumptions is that they are well studied and provide more reliable security guarantees. Recently, a notable work by Katsumata et al. [37, 38] (\(\text {KNYY}\)) shortened the proof size of pairing-based NIZKs for all \(\textsf{NP}\) based on standard assumptions. Their proof size is additive, i.e., \(s+\textsf{poly}(\lambda )\) rather than \(s\cdot \textsf{poly}(\lambda )\) as in GOS-NIZK, where \(s\) is the number of gates. However, its security is based on a particular computational Diffie-Hellman assumption, \(\textsf{CDH}^*\), which is the \(\textsf{CDH}\) assumption in a subgroup of \(\mathbb {Z}_p^*\) (where the prime p is the group order) (Footnote 1). As noted by the authors themselves, it is unclear how to instantiate their construction under the standard \(\textsf{CDH}\) assumption in a pairing group. Also, their construction suffers from non-compact CRSs and a significant security loss, and lacks both perfect zero-knowledge and perfect soundness.

Summing up the above discussion, we ask the following question:

Is it possible to improve the efficiency of GOS-NIZK without any trade-off?

Table 1. Comparison of pairing-based NIZKs for all \(\textsf{NP}\) under standard assumptions. GOS12 is the original GOS-NIZK, which uses symmetric pairings, and \(\text {GOS12}^*\) is its variant with asymmetric pairings (see Appendix A). \(t\) and \(s\) are the numbers of wires and gates in the statement circuit respectively. In column “Sound.” (respectively, “ZK”), comp. and perf. mean computational and perfect soundness (respectively, zero-knowledge). In columns “Prov. Cost” and “Ver. Cost” we count the numbers of exponentiations and pairings for proving and verification respectively (since they dominate the overall cost of proving and verification). “Assump.” means the underlying assumption.

Non-interactive batch arguments. Another line of research focuses on non-interactive batch arguments (BARG), which are sound proof systems amortizing the cost of verification across multiple statements. Specifically, a BARG allows a prover to generate a proof of the validity of multiple statements where the proof size scales sublinearly with the number of statements.

Until now, most works have been devoted to constructions in idealized models [2, 11, 12, 28, 42, 46] or under non-standard assumptions [3,4,5,6, 8, 16, 23, 27, 36, 41, 44]. Recently, Choudhuri et al. [13, 14] proposed a construction under both the quadratic residuosity and the subexponentially hard Diffie-Hellman assumptions, and a construction under the learning with errors assumption. Subsequently, a breakthrough work by Waters and Wu [48] proposed the first BARG (WW-BARG) for all \(\textsf{NP}\) over prime-order bilinear maps under the matrix Diffie-Hellman (\(\textsf{MDDH}\)) assumption [18]. They also gave a composite-order group version under the subgroup decision assumption. The proof sizes of both constructions are independent of the number of statements. As applications of WW-BARG, they proposed the first succinct non-interactive argument (SNARG) for \(\textsf{P}\) with sublinear-sized CRS and the first aggregate signature from standard assumptions over bilinear maps. A recent work by Kalai et al. [35] shows a bootstrapping technique that generically converts BARGs into ones whose CRSs grow polylogarithmically with the number of statements. As a trade-off, the proof sizes grow polylogarithmically as well.

Due to the versatility of BARGs over bilinear maps, it is natural to ask the same question as for GOS-NIZK about the state-of-the-art BARG by Waters and Wu, i.e., whether we can improve its efficiency without any trade-off. Such an improvement immediately yields more efficient BARGs with short CRSs via the bootstrapping technique of Kalai et al. [35].

1.2 Our Contributions

Improvement on GOS-NIZK without Trade-Off. In this work, we improve the efficiency of GOS-NIZK with asymmetric Type-3 pairings by proposing a new and simple framework for constructing efficient NIZKs for \(\textsf{NP}\). We consider Type-3 pairings since they are the most efficient among all types of pairings [20]. Moreover, cryptanalysis [31, 32] of symmetric pairing groups over small-characteristic curves motivates cryptographic schemes in Type-3 pairings (for instance, [1, 10]).

We note that the original GOS-NIZK was proposed with symmetric pairings under the decisional linear (\(\textsf{DLIN}\)) assumption. For a fair comparison with our scheme, we give its variant in the asymmetric pairing setting explicitly in Appendix A. In the rest of this section, GOS-NIZK refers to the Type-3 variant unless stated otherwise.

By instantiating our scheme under the \(\textsf{SXDH}\) assumption, our NIZK proofs consist of \(2t+8s\) group elements in \(\mathbb {G}_1\) and \(10s\) elements in \(\mathbb {G}_2\), where \(t\) and \(s\) respectively denote the numbers of wires and gates of the statement circuit (the statement being represented by fan-in-2, unbounded fan-out \(\textsf{NAND}\) gates). We denote this as \((2t+8s,10s)\). Notice that for each gate with multiple fan-out, we increment the wire count \(t\) by only 1 for its output wires, since all output wires of the gate carry the same value and serve as input wires of several other gates. For proving and verification, we use \(2t+30s\) exponentiations and \(24s\) pairings respectively. We note that any circuit can be converted to one with only NAND gates (Footnote 2). For GOS-NIZK, the proof size, proving cost, and verification cost are \((6t+4s,6t+6s)\), \(18t+16s\) exponentiations, and \(12(t+s)\) pairings respectively, which are strictly larger than ours. This is because \(t\) is larger (often much larger) than \(s\), since each gate has at least one output wire. Indeed, \(t-s\) is the number of input wires (those not output by any gate), and it cannot be very small: otherwise the witness would be very short and an adversary could guess it with large probability. As an instance, for a statement circuit consisting only of fan-in-2, fan-out-1 gates, we have \(t=2s\) (without counting the final output wire), since each time a gate is added from the bottom to the top of the circuit, \(s\) and \(t\) increase by 1 and 2 respectively. In this case, our scheme uses \((12s,10s)\) group elements in a proof, \(34s\) exponentiations for proving, and \(24s\) pairings for verification, which is much more efficient than GOS-NIZK with \((16s, 18s)\) elements in a proof, \(52s\) exponentiations for proving, and \(36s\) pairings for verification.

In Table 1, we compare the security properties, CRS size, proof size, proving and verification costs, and underlying assumptions of our NIZK and the ones by GOS. For generality, we present the schemes and proofs in the technical part under the \(\textsf{MDDH}\) assumption [18], which is an algebraic generalization of the \(\textsf{DLIN}\) and \(\textsf{SXDH}\) assumptions. The security of all instantiations is tight. For the experimental results on cost and proof size, which are consistent with our comparison in Table 1, we refer the reader to Sect. 5.

Table 2. Comparison of pairing-based BARGs for all \(\textsf{NP}\). WW22 is WW-BARG in the asymmetric pairing setting, and \(\text {WW22}^*\) is its symmetric pairing version. m denotes the number of statement instances. \(t\) and \(s\) denote the numbers of wires and gates in the relation circuit respectively. We assume that all provers take as input m statements. All the instantiations are somewhere arguments of knowledge. In columns “Prov. Cost” and “Ver. Cost” we count the numbers of multiplications and pairings for proving and verification respectively (since they dominate the overall cost of proving and verification). “Assump.” means the underlying assumption.

Given that our construction improves the proof size and the proving and verification costs of the state-of-the-art construction without any trade-off, we recommend that any application of GOS-NIZK use our construction as a drop-in replacement. Shorter proofs are always better, particularly in distributed settings, where proofs may need to be stored permanently and can significantly affect bandwidth usage; hence even a constant-factor saving in communication cost matters. This is exemplified by ZKB++ [9], which reduces the proof size of ZKBoo [24] in the random oracle model by a factor of 2. Also, as with GOS-NIZK, via the generic construction in [29] our NIZK can be converted into a (more efficient) non-interactive zap, which is witness-indistinguishable and uses no CRS. As far as we know, this is the most efficient non-interactive zap based on standard assumptions to date. It provides perfect subversion-resistance and is important for distributed systems where a trusted CRS is not desirable. Moreover, it can be converted into a leakage-resilient NIZK via the generic construction by Garg, Jain, and Sahai [21], which in turn implies a (more efficient) fully leakage-resilient signature.

Extension to BARG. We further extend our framework to improve the efficiency of WW-BARG without making compromises. As for our NIZK, we present our BARG under the \(\textsf{MDDH}\) assumption. Under the \(\textsf{SXDH}\) assumption, we obtain a BARG in which each proof consists of \((6s+2t,6s+2t)\) elements, which is shorter than the \((4s+4t,4s+4t)\) elements of WW-BARG (recall that \(t\) exceeds \(s\)). Transplanting our BARG into composite-order bilinear groups yields a BARG with proof size \(2s+t\), while the composite-order construction by Waters and Wu has proof size \(2t+s\). Moreover, our proving and verification costs are lower than those of WW-BARG in both prime-order and composite-order groups.

In Table 2, we give comparison of our constructions and the ones by Waters and Wu. All the instantiations in the table satisfy the (tight) security of somewhere extractability argument of knowledge (see Definition 7), which in turn implies non-adaptive soundness, namely, soundness for statements independent of the CRS. For the experimental results on the cost and proof size, which are consistent with our comparison in Table 2, we refer the reader to Sect. 5.

Similar to our NIZK construction, we recommend using our BARG construction as a drop-in replacement for WW-BARG in any of its applications. For instance, it provides the most efficient SNARG for \(\textsf{P}\) with optimal succinctness on CRS and proof sizes, through conversions by Waters-Wu and Kalai et al. [35].

1.3 Technical Overview

Let \(\textsf{C}(\textsf{x},\cdot )\) be a statement circuit represented by \(\textsf{NAND}\) gates, where \(\textsf{x}\) is the statement hardwired in \(\textsf{C}\). We briefly recall that in GOS-NIZK, to prove the existence of a witness \(\textsf{w}\) such that \(\textsf{C}(\textsf{x},\textsf{w})=1\), the prover first extends the witness to contain the bits of all wires of \(\textsf{C}(\textsf{x},\cdot )\). Then it hides all bits in \(\textsf{w}\) with an additively homomorphic commitment and makes the commitment to the final output wire a fixed one corresponding to 1, so that anyone can check it. For each gate \(G_\ell =({d_1},{d_2},{d_3})\), \(((\textsf{w}_{d_1},\textsf{w}_{d_2}),\textsf{w}_{d_3})\) is a valid input/output tuple if and only if

$$\begin{aligned} \textsf{w}_{d_1}+\textsf{w}_{d_2}+2\textsf{w}_{d_3}-2\in \{0,1\}. \end{aligned}$$
(1)

Here by \(G_\ell =({d_1},{d_2},{d_3})\) we mean that the left and right input wires of the gate \(G_\ell \) are indexed as \({d_1}\) and \({d_2}\) respectively, while the output wire of \(G_\ell \) is indexed as \({d_3}\). The prover can use an OR-proof system to prove that the plaintexts of all the commitments satisfy such a relation. Additionally, the prover has to prove the validity of each wire, namely, each commitment commits to a bit (rather than some other value).

Our approach of NIZK for all \(\textsf{NP}\). In our construction, we also commit to the value of each wire and prove that the committed values are valid for each gate. Different to the GOS-NIZK, we adopt the following consistency relation to improve the efficiency:

$$\begin{aligned} (-1+\textsf{w}_{d_1}+\textsf{w}_{d_3}=0\wedge -1+\textsf{w}_{d_2}=0)\ \vee \ (-1+\textsf{w}_{d_3}=0\wedge \textsf{w}_{d_2}=0). \end{aligned}$$
(2)

One can check that when the wire values are bits (i.e., computations are over GF(2)), Relation (2) holds if and only if \(((\textsf{w}_{d_1},\textsf{w}_{d_2}),\textsf{w}_{d_3})\) is a valid input/output tuple of a \(\textsf{NAND}\) gate. Proving only this relation on the committed values for each gate can be done with a simple OR-proof, and this indeed yields a shorter proof in total compared with GOS-NIZK. However, over a large field, satisfying this relation alone may seem meaningless. Specifically, when \(\textsf{w}_{d_2}=1\), \(\textsf{w}_{d_1}\) and \(\textsf{w}_{d_3}\) might be large values whose sum “happens to be” 1, and when \(\textsf{w}_{d_2}=0\) the situation seems worse: there is no restriction on \(\textsf{w}_{d_1}\) at all. Hence, without proving that the wires are binary, a valid proof for such a relation does not necessarily imply the validity of the statement. A natural approach is to additionally generate proofs of wire validity, i.e., \(\textsf{w}_{d_1},\textsf{w}_{d_3}\in \{0,1\}\). However, this results in longer proofs than GOS-NIZK. To overcome this, we develop a new method for proving soundness without an additional wire-validity check.

A new witness-extraction strategy. To maintain both security and efficiency, we propose a new witness-extraction strategy for proving soundness, which does not require additional wire validity checks when adopting Relation (2). Specifically, this strategy helps us extract a witness from any valid proof only proving that committed values satisfy Relation (2) for each gate. The strategy uses two phases.

In the first phase, given a valid proof, we use a trapdoor to decrypt all commitments. The decryption result for the final output wire must be 1, and those for other wires could be any value (not necessarily in \(\{0,1\}\)). The soundness of the underlying OR-proof system only guarantees that all the decryption results satisfy Relation (2) for each gate.

In the next phase, we pick useful values out of the decryption results, proceeding from the final output wire towards the input wires. Let \(((\textsf{w}_{d_1},\textsf{w}_{d_2}),\textsf{w}_{d_3})\) be the decryption results for the final gate \(G_t\). We must have \(\textsf{w}_{d_3}=1\), and \(\textsf{w}_{d_2}\in \{0,1\}\) according to Relation (2). If \(\textsf{w}_{d_2}=1\), then \(\textsf{w}_{d_1}=0\) must hold, and we set \(((\textsf{w}_{d_1}, \textsf{w}_{d_2}),\textsf{w}_{d_3})\) as the input/output values for \(G_t\). The problem is that when \(\textsf{w}_{d_2}=0\), \(\textsf{w}_{d_1}\) could be any large value. Our trick is not to assign any number to this wire and to leave it blank for now. The point is that no matter which value in \(\{0,1\}\) is assigned to the left input wire, as long as \(\textsf{w}_{d_2}=0\) and \(\textsf{w}_{d_3}=1\), \(((\textsf{w}_{d_1},\textsf{w}_{d_2}),\textsf{w}_{d_3})\) is a valid tuple for \(G_t\). Next, for each gate whose output wire has already been assigned a value in \(\{0,1\}\), we assign values to its input wire(s) in the same way. Doing this recursively from the bottom to the top of the circuit, we eventually obtain values for some of the input wires of the whole statement circuit. Notice that these values lead the circuit to output 1 regardless of the values of the remaining (blank) input wires. Setting the remaining input wires to, say, 0, we obtain a valid witness.

For better understanding, we give an example of the witness-extraction procedure for the statement circuit in Fig. 1. In the decryption result of a valid proof, the final output must be 1, and the right inputs of all gates must be in \(\{0,1\}\) according to Relation (2). Without loss of generality, we assume that the right inputs of \((G_1,G_2,G_4,G_5)\) are (0, 1, 1, 0) respectively. We do not care about the right input of \(G_3\), since it does not affect the final output, as we will see. We then extract the witness from the bottom to the top. For \(G_5\), we leave its left input blank. Then for \(G_4\), its left input must be 1 according to Relation (2). Next, by the same rule, we leave the left input of \(G_1\) blank and set the left input of \(G_2\) to 0. By now we have found a path (marked as red wires in Fig. 1) that leads the whole circuit to output 1. By setting the remaining input wires, those assigned \(\bot \), to 0, we immediately obtain a valid witness, namely 000001. One can check that it leads the circuit to output 1. For the full details, we refer the reader to Sect. 3.

Fig. 1. An instance of the witness-extraction procedure. Without loss of generality, all the gates \(\{G_i\}_{i\in [5]}\) in the statement circuit are NAND gates. The procedure runs from the bottom to the top. By setting the (blue) input wires assigned \(\bot \) to 0, we extract a valid witness 000001 that leads the circuit to output 1. (Color figure online)

Extension to batch argument for all \(\textsf{NP}\). We now explain how to combine our witness-extraction strategy with the WW-BARG proposed by Waters and Wu in [48] to achieve a BARG with shorter proofs.

To prove the existence of witnesses \((\textsf{w}_i)_{i\in [m]}\) such that \(\textsf{C}(\textsf{x}_i,\textsf{w}_i)=1\) for m statements \(\textsf{x}_i\), WW-BARG first extends each \((\textsf{x}_i,\textsf{w}_i)\) to \((\textsf{w}_{i,j})_{j\in [t]}\) containing bits of all wires in the circuit \(\textsf{C}\). Then it commits to \((\textsf{w}_{i,j})_{i\in [m]}\) with an additively homomorphic (de-randomized) vector commitment for each wire. Next it generates succinct proofs of wire validity and gate consistency, i.e., for all \(i\in [m]\), it proves that \(\textsf{w}_{i,j}\in \{0,1\}\) for each \(j\in [t]\) and \(1-\textsf{w}_{i,{d_1}}\textsf{w}_{i,{d_2}}=\textsf{w}_{i,{d_3}}\) for each gate \(G_\ell =({d_1},{d_2},{d_3})\). The final proof size is independent of m.

Alternatively, if we can prove gate consistency with respect to Relation (2) as in the case of NIZK, then we can adopt our aforementioned witness-extraction strategy to avoid generating proofs of wire validity and achieve soundness with shorter proofs. However, we do not have an explicit “batch OR-proof” for doing this. To overcome this, we observe that WW-BARG essentially provides us with a way to prove \(\textsf{w}_{i,1}\textsf{w}_{i,2}=0\) for all \(i\in [m]\) given two commitments to \((\textsf{w}_{i,1})_{i\in [m]}\) and \((\textsf{w}_{i,2})_{i\in [m]}\) respectively. Then for each gate \(G_\ell =({d_1},{d_2},{d_3})\), we let the prover homomorphically evaluate commitments to \((1-\textsf{w}_{i,{d_1}}-\textsf{w}_{i,{d_3}})_{i\in [m]}\), \((1-\textsf{w}_{i,{d_3}})_{i\in [m]}\), and \((1-\textsf{w}_{i,{d_2}})_{i\in [m]}\) respectively, and extend WW-BARG to adopt the following relation for consistency checks:

$$\begin{aligned} (1-\textsf{w}_{i,{d_1}}-\textsf{w}_{i,{d_3}})\textsf{w}_{i,{d_2}}=0\ \wedge \ (1-\textsf{w}_{i,{d_3}})(1-\textsf{w}_{i,{d_2}})=0. \end{aligned}$$
(3)

One can check that Relation (3) implies

$$(1-\textsf{w}_{i,{d_3}}=0 \wedge \textsf{w}_{i,{d_2}}=0) \vee (1-\textsf{w}_{i,{d_1}}-\textsf{w}_{i,{d_3}}=0 \wedge 1-\textsf{w}_{i,{d_2}}=0),$$

which is equivalent to Relation (2), or

$$\textsf{w}_{i,{d_1}}=0 \wedge 1-\textsf{w}_{i,{d_3}}=0.$$

Then for any valid proof, we can extract the extended witness from the bottom to the top of the circuit in a similar way to the witness-extraction strategy for our NIZK. The main difference is that there is a new case, \(\textsf{w}_{i,{d_1}}=0 \wedge 1-\textsf{w}_{i,{d_3}}=0\), captured by Relation (3) but not by Relation (2). When this happens, we leave \(\textsf{w}_{i,{d_2}}\) blank and continue to extract values for the gate outputting \(\textsf{w}_{i,{d_1}}\). We refer the reader to Sect. 4 for the detailed construction and security analysis, which constitutes the bulk of our technical contribution.
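The two-phase extraction of Sect. 1.3, for both the NIZK case (Relation (2), the walk illustrated by Fig. 1) and the BARG case (Relation (3) with its extra case), as an added worked example. This is our own illustration, not code from the paper: the five-gate NAND circuit, the toy modulus \(p=101\) (a real instantiation uses a \(\lambda\)-bit prime), and the two "decrypted" wire assignments are constructed for the example, and the circuit is not the one in Fig. 1. `DEC_NIZK` shows the large-field caveat from above: every gate satisfies Relation (2) and the output wire is 1, yet several wires carry non-bits (57 + 45 = 1 mod 101), and the extractor still recovers a witness that makes the circuit output 1 because it only ever copies the values the relation forces to be bits. `DEC_BARG` uses the extra case of Relation (3) and is rejected by the Relation (2) extractor.

```python
"""Witness extraction from decrypted wire values that satisfy only the per-gate
consistency relation, Relation (2) for the NIZK or Relation (3) for the BARG,
with no proof that any wire holds a bit.  Added illustration, not code from
the paper: circuit, toy modulus and "decrypted" values are constructed here."""

P = 101  # constructed toy modulus standing in for the prime group order p

# NAND circuit on input wires 0..5; a gate is (left, right, output), gates are
# in topological order and the last gate drives the final output wire (10).
GATES = [(0, 1, 6), (2, 3, 7), (4, 5, 8), (6, 7, 9), (9, 8, 10)]
N_IN = 6


def rel1(w1, w2, w3, p=P):
    """GOS Relation (1): w1 + w2 + 2*w3 - 2 in {0, 1}, reduced mod p."""
    return (w1 + w2 + 2 * w3 - 2) % p in (0, 1)


def rel2(w1, w2, w3, p=P):
    """Relation (2): (w1 + w3 = 1 and w2 = 1) or (w3 = 1 and w2 = 0) over Z_p."""
    return ((w1 + w3 - 1) % p == 0 and (w2 - 1) % p == 0) or \
           ((w3 - 1) % p == 0 and w2 % p == 0)


def rel3(w1, w2, w3, p=P):
    """Relation (3): (1-w1-w3)*w2 = 0 and (1-w3)*(1-w2) = 0 over Z_p."""
    return ((1 - w1 - w3) * w2) % p == 0 and ((1 - w3) * (1 - w2)) % p == 0


def agree_on_bits():
    """On bit triples all three relations coincide with w3 = NAND(w1, w2)."""
    return all(rel1(a, b, c) == rel2(a, b, c) == rel3(a, b, c) == (c == 1 - a * b)
               for a in (0, 1) for b in (0, 1) for c in (0, 1))


def violations(gates, dec, relation, p=P):
    """Gates whose decrypted (left, right, output) values break `relation`."""
    return [g for g in gates if not relation(dec[g[0]], dec[g[1]], dec[g[2]], p)]


def eval_nand(gates, n_in, witness):
    """Evaluate the circuit on a bit witness; returns the final output bit."""
    vals = {j: witness[j] for j in range(n_in)}
    for d1, d2, d3 in gates:
        vals[d3] = 1 - vals[d1] * vals[d2]
    return vals[gates[-1][2]]


def extract_witness(gates, n_in, dec, relation, p=P):
    """Phase 1: the output decrypts to 1 and every gate satisfies `relation`.
    Phase 2: walk from the final gate towards the inputs, assigning only the
    bits the relation forces; unconstrained wires stay blank and become 0."""
    out = gates[-1][2]
    if dec[out] % p != 1:
        raise ValueError("final output wire must decrypt to 1")
    bad = violations(gates, dec, relation, p)
    if bad:
        raise ValueError(f"consistency relation violated at gates {bad}")
    assigned = {out: 1}
    for d1, d2, d3 in reversed(gates):
        if d3 not in assigned:          # output left blank: nothing to recover
            continue
        w1, w2 = dec[d1] % p, dec[d2] % p
        if assigned[d3] == 0:
            forced = {d1: 1, d2: 1}     # output 0 forces inputs (1, 1)
        elif w2 in (0, 1):
            forced = {d2: w2}           # output 1, binary right input: keep it
            if w2 == 1:
                forced[d1] = 0          # ... and w1 = 1 - w3 = 0 is forced
            # w2 == 0: the left input is unconstrained, leave it blank
        else:
            forced = {d1: 0}            # extra case of Relation (3): w1 = 0
        for wire, bit in forced.items():
            if dec[wire] % p != bit:    # impossible once the relation holds
                raise ValueError(f"wire {wire} decrypts to {dec[wire]}, not {bit}")
            assigned[wire] = bit
    return [assigned.get(j, 0) for j in range(n_in)], assigned


# Constructed decryptions of a cheating prover's commitments.  DEC_NIZK meets
# Relation (2) at every gate with output 1, yet wires 0, 2, 6, 9 hold non-bits
# (e.g. 57 + 45 = 102 = 1 mod 101 on gate (0, 1, 6)).
DEC_NIZK = {0: 57, 1: 1, 2: 99, 3: 0, 4: 1, 5: 1,
            6: 45, 7: 1, 8: 0, 9: 57, 10: 1}
# DEC_BARG (one instance i) uses the extra case of Relation (3): on gate
# (9, 8, 10) the left input is 0 and the right input is the non-bit 77.
DEC_BARG = {0: 0, 1: 88, 2: 0, 3: 1, 4: 25, 5: 1,
            6: 1, 7: 1, 8: 77, 9: 0, 10: 1}

if __name__ == "__main__":
    for name, dec, rel in (("NIZK/Rel.(2)", DEC_NIZK, rel2), ("BARG/Rel.(3)", DEC_BARG, rel3)):
        w, _ = extract_witness(GATES, N_IN, dec, rel)
        print(name, "witness", w, "-> C outputs", eval_nand(GATES, N_IN, w))
    print("DEC_BARG breaks Relation (2) at", violations(GATES, DEC_BARG, rel2))
```

The extractor never reads a decrypted value it has not first confirmed to be forced to a bit by the relation, which is exactly why the non-binary values on blank wires are harmless; the consistency check inside the loop documents that invariant and would only fire if the phase-1 relation check were skipped.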

2 Preliminaries

Notations. We use to denote the process of sampling an element x from the set \(\mathcal {S}\) uniformly at random. All our algorithms are probabilistic polynomial time unless stated otherwise. If \(\mathcal {A}\) is a probabilistic algorithm, then we write to denote the random variable output by \(\mathcal {A}\) on input b. By \(\textsf{negl}(\cdot )\) we mean an unspecified negligible function.

2.1 Pairing Groups and Matrix Diffie-Hellman Assumptions

Let \(\textsf{GGen}\) be a probabilistic polynomial time (PPT) algorithm that on input \(1^\lambda \) returns a description \(\mathcal {G}:=(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,p,{P}_1,{P}_2,e)\) of asymmetric pairing groups where \(\mathbb {G}_1\), \(\mathbb {G}_2\), \(\mathbb {G}_T\) are cyclic groups of order p for a \(\lambda \)-bit prime p, \({P}_1\) and \({P}_2\) are generators of \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively, and \(e: \mathbb {G}_1 \times \mathbb {G}_2\rightarrow \mathbb {G}_T\) is an efficiently computable (non-degenerate) bilinear map. Define \({P}_T:=e({P}_1, {P}_2)\), which is a generator of \(\mathbb {G}_T\). Unless stated otherwise, we consider Type-3 pairings, where \(\mathbb {G}_1 \ne \mathbb {G}_2 \) and there is no efficient homomorphism between them.

We use implicit representation of group elements as in [18]. For \(s \in \{1,2,T\}\) and \(a \in \mathbb {Z}_p\) define \([a]_s = a {P}_s\in \mathbb {G}_s\) as the implicit representation of a in \(\mathbb {G}_s\). Similarly, for a matrix \(\mathbf {{A}} = (a_{ij}) \in \mathbb {Z}_p^{n\times m}\) we define \([\mathbf {{A}}]_s\) as the implicit representation of \(\mathbf {{A}}\) in \(\mathbb {G}_s\). \(\textsf{Span}(\mathbf {{A}}):=\{\mathbf {{A}}\textbf{r}|\textbf{r}\in \mathbb {Z}_p^m\}\subset \mathbb {Z}_p^{n}\) denotes the linear span of \(\mathbf {{A}}\), and similarly \(\textsf{Span}([\mathbf {{A}}]_s):=\{[\mathbf {{A}}\textbf{r}]_s |\textbf{r}\in \mathbb {Z}_p^m\}\subset \mathbb {G}_s^{n}\). Note that it is efficient to compute \([\mathbf {{AB}}]_s\) given \(([\mathbf {{A}}]_s,\mathbf {{B}})\) or \((\mathbf {{A}},[\mathbf {{B}}]_s)\) with matching dimensions. We define \([\mathbf {{A}}]_1 \circ [\mathbf {{B}}]_2:= e([\mathbf {{A}}]_1,[\mathbf {{B}}]_2) = [\mathbf {{A}} \mathbf {{B}}]_T\), which can be efficiently computed given \([\mathbf {{A}}]_1\) and \([\mathbf {{B}}]_2\).

Next we recall the definition of the Matrix Decisional Diffie-Hellman (\(\textsf{MDDH}\)) [18] and related assumptions [43].

Definition 1

(Matrix distribution). Let \(k,\ell \in \mathbb {N}\) with \(\ell >k\). We call \(\mathcal {D}_{\ell ,k}\) a matrix distribution if it outputs matrices in \(\mathbb {Z}_p^{\ell \times k}\) of full rank k in polynomial time. By \(\mathcal {D}_k\) we denote \(\mathcal {D}_{k+1,k}\).

For a matrix , we define the set of kernel matrices of \(\mathbf {{A}}\) as

$$\begin{aligned} \textsf{ker}(\mathbf {{A}}):= \{ \mathbf {{A}}^\bot \in \mathbb {Z}_p^{\ell \times (\ell -k) } \mid (\mathbf {{A}}^\bot )^\top \cdot \mathbf {{A}} = \textbf{0} \in \mathbb {Z}_p^{(\ell -k ) \times k} \text { and }\mathbf {{A}}^\bot \text { has rank } (\ell -k) \}. \end{aligned}$$

Given a matrix \(\mathbf {{A}}\) over \(\mathbb {Z}_p^{\ell \times k}\), it is efficient to sample an \(\mathbf {{A}}^\bot \) from \(\textsf{ker}(\mathbf {{A}})\).

The \(\mathcal {D}_{\ell ,k}\)-Matrix Diffie-Hellman problem is to distinguish the two distributions \(([\mathbf {{A}}], [\mathbf {{A}} \textbf{w}])\) and \(([\mathbf {{A}} ],[\textbf{u}])\) where , and .

Definition 2

(\(\mathcal {D}_{\ell ,k}\)-matrix decisional Diffie-Hellman assumption [18]). Let \(\mathcal {D}_{\ell ,k}\) be a matrix distribution and \(s \in \{1,2,T\}\). We say that the \(\mathcal {D}_{\ell ,k}\)-Matrix Decisional Diffie-Hellman (\(\mathcal {D}_{\ell ,k}\text{- }\textsf{MDDH}\)) assumption holds relative to \(\textsf{GGen}\) in group \(\mathbb {G}_s\) if for all PPT adversaries \(\mathcal {A}\), it holds that


where , and .
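The two facts used above, that a kernel matrix \(\mathbf{A}^\bot\) of a given \(\mathbf{A}\in\mathbb{Z}_p^{\ell\times k}\) is efficiently computable, and that the \(\mathcal{D}_{\ell,k}\)-MDDH problem is to tell \([\mathbf{A}\mathbf{w}]\) from a uniform \([\mathbf{u}]\), as an added worked example in the clear (not code from the paper). It computes \(\mathbf{A}^\bot\) by Gaussian elimination over \(\mathbb{Z}_p\), checks \((\mathbf{A}^\bot)^\top\mathbf{A}=\mathbf{0}\) and \(\mathrm{rank}(\mathbf{A}^\bot)=\ell-k\), and uses \(\mathbf{A}^\bot\) to decide membership in \(\textsf{Span}(\mathbf{A})\). The modulus \(p=101\) and the \(3\times 2\) sample matrix are constructed toy values (a real instantiation uses a \(\lambda\)-bit prime and a matrix drawn from \(\mathcal{D}_k\)); the function names are ours.

```python
"""Kernel matrices A^perp over Z_p and the span structure behind MDDH.
Added example, not code from the paper; prime and matrices are toy values."""
import random

P = 101  # constructed toy modulus; a real instantiation uses a lambda-bit prime


def rref_mod_p(M, p):
    """Reduced row echelon form of M over Z_p. Returns (rows, pivot columns)."""
    R = [[x % p for x in row] for row in M]
    nrows, ncols, pivots = len(R), len(R[0]), []
    for c in range(ncols):
        r = len(pivots)
        if r == nrows:
            break
        piv = next((i for i in range(r, nrows) if R[i][c]), None)
        if piv is None:
            continue
        R[r], R[piv] = R[piv], R[r]
        inv = pow(R[r][c], -1, p)
        R[r] = [(x * inv) % p for x in R[r]]
        for i in range(nrows):
            if i != r and R[i][c]:
                f = R[i][c]
                R[i] = [(a - f * b) % p for a, b in zip(R[i], R[r])]
        pivots.append(c)
    return R, pivots


def rank_mod_p(M, p):
    return len(rref_mod_p(M, p)[1])


def nullspace_mod_p(M, p):
    """Basis vectors v with M v = 0 over Z_p, one per free column of M."""
    R, pivots = rref_mod_p(M, p)
    basis = []
    for f in range(len(M[0])):
        if f in pivots:
            continue
        v = [0] * len(M[0])
        v[f] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-R[i][f]) % p
        basis.append(v)
    return basis


def transpose(M):
    return [list(col) for col in zip(*M)]


def matmul_mod_p(X, Y, p):
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*Y)] for row in X]


def kernel_matrix(A, p):
    """A^perp in Z_p^{l x (l-k)}: its columns span {v : v^T A = 0}, i.e. the
    nullspace of A^T.  This is the efficient sampling of ker(A) from Def. 1."""
    return transpose(nullspace_mod_p(transpose(A), p))


def in_span(A_perp, u, p):
    """u in Span(A) iff (A^perp)^T u = 0: A^perp acts as a span-membership trapdoor."""
    col = [[x] for x in u]
    return all(row == [0] for row in matmul_mod_p(transpose(A_perp), col, p))


def mddh_vector(A, p, real, rng):
    """Real MDDH instance A w (real=True) or a uniform u in Z_p^l (real=False)."""
    l, k = len(A), len(A[0])
    if real:
        w = [[rng.randrange(p)] for _ in range(k)]
        return [row[0] for row in matmul_mod_p(A, w, p)]
    return [rng.randrange(p) for _ in range(l)]


# A D_2-style sample A in Z_p^{3x2} (l = 3, k = 2), constructed for the example
A_SAMPLE = [[7, 0], [0, 13], [1, 1]]

if __name__ == "__main__":
    A_perp = kernel_matrix(A_SAMPLE, P)
    print("A^perp =", A_perp)
    print("(A^perp)^T A =", matmul_mod_p(transpose(A_perp), A_SAMPLE, P))
    print("rank(A^perp) =", rank_mod_p(A_perp, P), "; l - k =", len(A_SAMPLE) - len(A_SAMPLE[0]))
    rng = random.Random(2024)
    for real in (True, False):
        u = mddh_vector(A_SAMPLE, P, real, rng)
        print("real" if real else "random", u, "in Span(A):", in_span(A_perp, u, P))
```

In the pairing setting the same membership test is available to whoever holds \(\mathbf{A}^\bot\) in the clear, by pairing \([\mathbf{u}]_1\) against \([\mathbf{A}^\bot]_2\) (or the symmetric variant), which is why \(\mathbf{A}^\bot\) serves as the trapdoor in these constructions; deciding membership from \([\mathbf{A}]_s,[\mathbf{u}]_s\) alone is exactly the \(\mathcal{D}_{\ell,k}\)-MDDH problem.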

2.2 Non-Interactive Zero-Knowledge Proof

Let \(\lambda \in \mathbb {N}\) be the security parameter determining a public parameter \(\textsf{par}\). We define NIZK as follows.

Definition 3

(Non-interactive zero-knowledge proof [30]). A non-interactive zero-knowledge proof (NIZK) for a family of languages \(\{\mathcal {L}_\textsf{par}\}\) consists of three PPT algorithms \(\textsf{NIZK}=({\textsf{NGen}}, {\textsf{NProve}}, {\textsf{NVer}})\) such that:

  • \(\textsf{NGen}(1^\lambda ,\textsf{par})\) returns a common reference string \(\textsf{crs}\).

  • \({\textsf{NProve}}(\textsf{crs},\textsf{C},\textsf{x}, \textsf{w})\) returns a proof \(\pi \).

  • \({\textsf{NVer}}(\textsf{crs},\textsf{C},\textsf{x},\pi )\) returns 1 (accept) or 0 (reject). Here, \({\textsf{NVer}}\) is deterministic.

Completeness is satisfied if for all \((\textsf{C},\textsf{x})\in \mathcal {L}_\textsf{par}\) and all \(\textsf{w}\) such that \(\textsf{C}(\textsf{x},\textsf{w})=1\), all \(\textsf{crs}\in {\textsf{NGen}}(1^\lambda ,\textsf{par})\), and all \(\pi \in {\textsf{NProve}}(\textsf{crs},\textsf{C},\textsf{x},\textsf{w})\), we have \({\textsf{NVer}}(\textsf{crs},\textsf{C},\textsf{x},\pi )=1\).

Definition 4

(Composable zero-knowledge). A NIZK \(\textsf{NIZK}=(\textsf{NGen},\textsf{NProve},\textsf{NVer})\) is said to satisfy composable zero-knowledge if there exists a simulator consisting of two PPT algorithms \((\textsf{NTGen},\textsf{NSim})\) such that

  • \({\textsf{NTGen}}(1^\lambda ,\textsf{par})\) returns \(\textsf{crs}\) and a trapdoor \(\textsf{td}\),

  • \({\textsf{NSim}}(\textsf{crs},\textsf{td},\textsf{C},\textsf{x})\) returns a proof \(\pi \),

and for any PPT adversary \(\mathcal {A}\), we have


and for all \((\textsf{x},\textsf{w})\) such that \(\textsf{C}(\textsf{x},\textsf{w})=1\), the following distributions are identical.


where .

Definition 5

(Perfect soundness). A NIZK \(\textsf{NIZK}= ( \textsf{NGen},\) \(\textsf{NProve},\) \(\textsf{NVer})\) is said to satisfy perfect soundness if for all \((\textsf{C},\textsf{x})\notin \mathcal {L}_\textsf{par}\), all \(\textsf{crs}\in \textsf{NGen}(1^\lambda ,\textsf{par})\), and all \(\pi \), we have \(\textsf{NVer}(\textsf{crs},\textsf{C},\textsf{x},\pi )=0\).

Witness-extractor. One can easily see that for any statement, if there exists a (possibly inefficient) witness-extractor that can extract a valid witness from any valid proof passing the verification, then perfect soundness is satisfied.

Dual mode. A NIZK defined as above satisfies computational zero-knowledge and perfect soundness. By generating CRSs with \(\textsf{NTGen}\) instead of \(\textsf{NGen}\), we immediately achieve its dual mode with perfect zero-knowledge but computational soundness.

2.3 Batch Argument

Let \(\lambda \in \mathbb {N}\) be the security parameter determining a public parameter \(\textsf{par}\). We define batch argument as follows.

Definition 6

(Batch argument). A batch argument (BARG) for a family of languages \(\{\mathcal {L}_\textsf{par}\}\) consists of three PPT algorithms \(\textsf{BARG}=(\textsf{BGen},\textsf{BProve},\textsf{BVer})\) such that

  • \(\textsf{BGen}(1^\lambda ,\textsf{par},1^m)\) returns a common reference string \(\textsf{crs}\).

  • \(\textsf{BProve}(\textsf{crs},\textsf{C},(\textsf{x}_i)_{i\in [m]},(\textsf{w}_i)_{i\in [m]})\) returns a proof \(\pi \).

  • \(\textsf{BVer}(\textsf{crs},\textsf{C},(\textsf{x}_i)_{i\in [m]},\pi )\) returns 1 (accept) or 0 (reject). Here, \(\textsf{BVer}\) is deterministic.

Completeness is satisfied if for all \(\lambda ,m\in \mathbb {N}\), all \((\textsf{C},(\textsf{x}_i)_{i\in [m]})\in \mathcal {L}_\textsf{par}\), all \((\textsf{w}_i)_{i\in [m]}\) such that \(\textsf{C}(\textsf{x}_i,\textsf{w}_i)=1\) for all \({i\in [m]}\), all \(\textsf{crs}\in \textsf{BGen}(1^\lambda ,\textsf{par},1^m)\), and all \(\pi \in \textsf{BProve}(\textsf{crs},\textsf{C},(\textsf{x}_i)_{i\in [m]},(\textsf{w}_i)_{i\in [m]})\), we have \( \textsf{BVer}(\textsf{crs},\textsf{C},(\textsf{x}_i)_{i\in [m]},\pi )=1 \).

Definition 7

(Somewhere argument of knowledge). A BARG \(\textsf{BARG}=(\textsf{BGen},\textsf{BProve},\textsf{BVer})\) for \(\{\mathcal {L}_\textsf{par}\}\) is said to be a somewhere argument of knowledge if there exist two PPT algorithms \((\textsf{BTGen},\textsf{BExt})\) such that

  • \(\textsf{BTGen}(1^\lambda ,\textsf{par},1^m,{i^*})\) returns a common reference string \(\textsf{crs}\) and a trapdoor \(\textsf{td}\),

  • \(\textsf{BExt}(\textsf{td},\textsf{C},(\textsf{x}_i)_{i\in [m]},\pi )\) returns a witness \(\textsf{w}^*\). Here, \(\textsf{BExt}\) is deterministic,

and \((\textsf{BTGen},\textsf{BExt})\) satisfy the following two properties.

CRS indistinguishability: for all \(\lambda ,m\in \mathbb {N}\), all \({i^*}\in [m]\), and all PPT adversaries \(\mathcal {A}\), we have


Somewhere extractability in trapdoor mode: for all polynomials \(m=m(\lambda )\), all \({i^*}\in [m]\), and all adversaries \(\mathcal {A}\), we have

figure o

As noted in [48], somewhere extractability implies non-adaptive soundness, i.e., soundness for statements independent of the CRS (see [48] for the formal definition), by a standard hybrid argument.Footnote 3

Definition 8

(Succinctness). A batch argument \(\textsf{BARG}=(\textsf{BGen},\textsf{BProve},\textsf{BVer})\) for \(\{\mathcal {L}_\textsf{par}\}\) is said to satisfy succinctness if there exists a fixed polynomial \(\textsf{poly}(\cdot ,\cdot ,\cdot )\) such that for all \(\lambda ,m\in \mathbb {N}\), all \(\textsf{crs}\in \textsf{BGen}(1^\lambda ,\textsf{par},1^m)\), and all \((\textsf{C}:\{0,1\}^n\times \{0,1\}^h\rightarrow \{0,1\},(\textsf{x}_i)_{i\in [m]})\in \mathcal {L}_\textsf{par}\), the following properties hold:

Succinct proofs: all \(\pi \in \textsf{BProve}(\textsf{crs},\textsf{C},(\textsf{x}_i)_{i\in [m]},(\textsf{w}_i)_{i\in [m]})\) where \(\textsf{C}(\textsf{x}_i,\textsf{w}_i)=1\) for all \({i\in [m]}\) satisfies \(|\pi |\le \textsf{poly}(\lambda ,\log m,s)\).

Succinct CRS: all \(\textsf{crs}\in \textsf{BGen}(1^\lambda ,\textsf{par},1^m)\) satisfies \(|\textsf{crs}|\le \textsf{poly}(\lambda ,m,n)+\textsf{poly}(\lambda ,\log m,s)\).

Succinct verification: \(\textsf{BVer}\) runs in time \(\textsf{poly}(\lambda ,m,n)+\textsf{poly}(\lambda ,\log m,s)\).

Above by \(s\) we denote the number of gates in \(\textsf{C}\).

3 Simple NIZK from OR-Proof

In this section, we recall an efficient instantiation of OR-proof and give a new framework for converting an OR-proof into an efficient NIZK for circuit satisfiability in \(\textsf{NP}\).

3.1 NIZK for OR-Language

We now recall the OR-proof system based on the \(\textsf{MDDH}\) assumptions presented in [39, 45] and implicitly given in [29]. As far as we know, this is the most efficient OR-proof in the standard model to date.

For the language

$$\begin{aligned} \textsf{L}^\textsf{or}_{[\mathbf {{A}}]_1}=\{ (\textsf{C}_{[\mathbf {{A}}]_1},([\textbf{x}_0]_1,[\textbf{x}_1]_1))|\exists \textbf{w} \in \mathbb {Z}_p^{t}:\textsf{C}_{[\mathbf {{A}}]_1}([\textbf{x}_0,\textbf{x}_1]_1,\textbf{w})=1\}, \end{aligned}$$

where \([\mathbf {{A}}]_1\in \mathbb {G}_1^{n\times t}\) is public and \(\textsf{C}_{[\mathbf {{A}}]_1}\) is a Boolean circuit on input \(([\textbf{x}_0,\textbf{x}_1]_1,\textbf{w})\) outputting 1 iff \([\textbf{x}_0]_1= [\mathbf {{A}}]_1 \textbf{w} \vee [\textbf{x}_1]_1=[\mathbf {{A}}]_1 \textbf{w}\), the OR-proof system \(\textsf{ORNIZK}\), with each public parameter containing \(\mathcal {G}\), is defined as in Fig. 2.

Fig. 2.
figure 2

Construction of \(\textsf{ORNIZK}= ({\textsf{NGen}}_{\textsf{or}}, \textsf{NProve}_{\textsf{or}}, \textsf{NVer}_{\textsf{or}})\) with the simulator \(({\textsf{NTGen}}_{\textsf{or}},\textsf{NSim}_{\textsf{or}})\).

Lemma 1

If the \(\mathcal {D}_k\)-\(\textsf{MDDH}\) assumption holds in the group \(\mathbb {G}_2\), then the proof system \(\textsf{ORNIZK}={( {\textsf{NGen}}_{\textsf{or}},{\textsf{NTGen}}_{\textsf{or}},\textsf{NProve}_{\textsf{or}},}\) \({\textsf{NVer}_{\textsf{or}}, \textsf{NSim}_{\textsf{or}})}\) is a NIZK with perfect completeness, perfect soundness, and composable zero-knowledge. For any adversary \(\mathcal {A}\) against the composable zero-knowledge of \(\textsf{ORNIZK}\), there exists a tight reduction algorithm breaking the \(\textsf{MDDH}\) assumption by using \(\mathcal {A}\) in a black-box way with security loss O(1).

We refer the reader to [39, 45] for the detailed proof.

3.2 Our NIZK for \(\textsf{NP}\)

Before giving our NIZK for \(\textsf{NP}\), we first introduce the notion of circuit satisfiability.

Definition 9

(Circuit satisfiability). Let \(\lambda \) be the security parameter. The circuit satisfiability language is defined as

$$ \mathcal {L}_\lambda ^\textsf{CSAT}=\{(\textsf{C},\textsf{x})|\exists \textsf{w}\in \{0,1\}^h: \textsf{C}(\textsf{x},\textsf{w})=1\}, $$

where \(\textsf{C}:\{0,1\}^n\times \{0,1\}^h\rightarrow \{0,1\}\) is any Boolean circuit with polynomial size in \(\lambda \) and \(\textsf{x}\in \{0,1\}^{n}\) is the instance. Without loss of generality, we assume that \(\textsf{C}\) consists only of fan-in-2 \(\textsf{NAND}\) gates.

Let \(\lambda \) be the security parameter and \(\textsf{par}=\mathcal {G}\) be the public parameter, where . Let \(\textsf{ORNIZK}=({\textsf{NGen}}_{\textsf{or}},\textsf{NProve}_{\textsf{or}},\textsf{NVer}_{\textsf{or}})\) be an OR-proof with the simulator \(({\textsf{NTGen}}_{\textsf{or}},\textsf{NSim}_{\textsf{or}})\), where each public parameter is comprised of \(\mathcal {G}\). Let \(\textsf{L}^\textsf{or}_{[\mathbf {{M}}']_1}\) be the following language it supports.

$$\begin{aligned} \textsf{L}^\textsf{or}_{[\mathbf {{M}}']_1}&=\{ (\textsf{C}_{[\mathbf {{M}}']_1},([\textbf{x}_0]_1,[\textbf{x}_1]_1))| \exists \textbf{w} \in \mathbb {Z}_p^{2k}:\textsf{C}_{[\mathbf {{M}}']_1}(([\textbf{x}_0]_1,[\textbf{x}_1]_1),\textbf{w})=1\},\end{aligned}$$

where \(\textsf{C}_{[\mathbf {{M}}']_1}:\mathbb {G}_1^{2k+2}\times \mathbb {G}_1^{2k+2}\times \mathbb {Z}_p^{2k}\rightarrow \{0,1\}\) is a Boolean circuit on input \(((\textbf{x}_0,\textbf{x}_1),\textbf{w})\) outputting 1 iff \([\textbf{x}_0]_1= [\mathbf {{M}}']_1 \textbf{w} \vee [\textbf{x}_1]_1=[\mathbf {{M}}']_1\textbf{w}\) for \(\mathbf {{M}}'=\begin{pmatrix}\mathbf {{M}} &{} \mathbf {{0}}\\ \mathbf {{0}}&{} \mathbf {{M}}\end{pmatrix}\) and \(\mathbf {{M}}\in \mathcal {D}_k\). We give our NIZK for \(\mathcal {L}_\lambda ^\textsf{CSAT}\) in Fig. 3. Roughly, we first extend the witness to all wires, commit to all the values, and use the OR-proof to prove that committed values satisfy Relation (2) (see Sect. 1.3) for each gate.Footnote 4

Fig. 3.
figure 3

Definition of \(\textsf{NIZK}=(\textsf{NGen},\textsf{NProve},\textsf{NVer})\). By \(G_\ell =({d_1},{d_2},{d_3})\) we mean that the left and right input wires of the gate \(G_\ell \) are indexed as \({d_1}\) and \({d_2}\) respectively, while the output wire of \(G_\ell \) is indexed as \({d_3}\). Notice that for each gate with fan-out larger than one, we only increment the count of wires \(t\) by 1 for its output wires and generate only one commitment for them, since all output wires of the gate carry the same value and serve as input wires for multiple other gates. The same convention applies to all other proof systems given later.

Theorem 1

(Completeness). If \(\textsf{ORNIZK}\) is complete, then \(\textsf{NIZK}\) is complete.

Proof

Let \(\textsf{w}_{d_1}\) and \(\textsf{w}_{d_2}\) be the input bits of a NAND gate, and \(\textsf{w}_{d_3}\) be the true output. We must have

$$(-1+\textsf{w}_{d_1}+\textsf{w}_{d_3}=0\wedge -1+\textsf{w}_{d_2}=0) \ \text {or}\ (-1+\textsf{w}_{d_3}=0\wedge \textsf{w}_{d_2}=0).$$

Let \(\textsf{cm}_{d_1}=[\mathbf {{M}}\textbf{r}_{d_1}+\textbf{z}\textsf{w}_{d_1}]_1\) and \(\textsf{cm}_{d_2}=[\mathbf {{M}}\textbf{r}_{d_2}+\textbf{z}\textsf{w}_{d_2}]_1\) be the input commitments and \(\textsf{cm}_{d_3}=[\mathbf {{M}}\textbf{r}_{d_3}+\textbf{z}\textsf{w}_{d_3}]_1\) be the output commitment. We have

$$\begin{aligned} \textsf{x}_{\ell ,1}&=\begin{pmatrix}-[\textbf{z}]_1+\textsf{cm}_{d_1}+\textsf{cm}_{d_3}\\ -[\textbf{z}]_1+\textsf{cm}_{d_2}\end{pmatrix} =[\mathbf {{M}}']_1\begin{pmatrix}\textbf{r}_{d_1}+\textbf{r}_{d_3}\\ \textbf{r}_{d_2}\end{pmatrix} +\begin{pmatrix} [\textbf{z}]_1(-1+\textsf{w}_{d_1}+\textsf{w}_{d_3})\\ [\textbf{z}]_1 (-1+\textsf{w}_{d_2})\end{pmatrix}\\ &=[\mathbf {{M}}']_1\begin{pmatrix}\textbf{r}_{d_1}+\textbf{r}_{d_3}\\ \textbf{r}_{d_2}\end{pmatrix} \end{aligned}$$
$$\begin{aligned} \text {or}{\textbf{x}}_{\ell ,2}=\begin{pmatrix}-[\textbf{z}]_1+\textsf{cm}_{d_3}\\ \textsf{cm}_{d_2}\end{pmatrix} &=[\mathbf {{M}}']_1\begin{pmatrix}\textbf{r}_{d_3}\\ \textbf{r}_{d_2}\end{pmatrix}+\begin{pmatrix}[\textbf{z}]_1(-1+\textsf{w}_{d_3})\\ [\textbf{z}]_1\textsf{w}_{d_2}\end{pmatrix} =[\mathbf {{M}}']_1\begin{pmatrix}\textbf{r}_{d_3}\\ \textbf{r}_{d_2}\end{pmatrix}. \end{aligned}$$

Therefore, we have \(\textsf{x}_{\ell ,1}\in \textsf{Span}([\mathbf {{M}}']_1)\) if \(\textsf{w}_{d_2}=1\) and \(\textsf{x}_{\ell ,2}\in \textsf{Span}([\mathbf {{M}}']_1)\) otherwise. Then the completeness of \(\textsf{NIZK}\) follows from the completeness of \(\textsf{ORNIZK}\), completing the proof of Theorem 1.    \(\square \)

Theorem 2

(Composable zero-knowledge). Under the \(\mathcal {D}_k \text{- }\textsf{MDDH}\) assumption, if \(\textsf{ORNIZK}\) satisfies composable zero-knowledge, then \(\textsf{NIZK}\) satisfies composable zero-knowledge.

Fig. 4.
figure 4

Definition of the simulator \((\textsf{NTGen},\textsf{NSim})\).

Proof

We define the simulator \((\textsf{NTGen},\textsf{NSim})\) as in Fig. 4.

First we note that the distribution of \(\textbf{z}\) sampled by \(\textsf{NGen}(1^\lambda ,\textsf{par})\), namely uniformly outside \(\textsf{Span}(\mathbf {{M}})\), is \(1/p\)-statistically close to the uniform distribution over \(\mathbb {Z}_p^{k+1}\). Then the indistinguishability of CRSs generated by \(\textsf{NGen}(1^\lambda ,\textsf{par})\) and \(\textsf{NTGen}(1^\lambda ,\textsf{par})\) follows immediately from the \(\mathcal {D}_k\text{- }\textsf{MDDH}\) assumption and the composable zero-knowledge of \(\textsf{ORNIZK}\) (which says that \(\textsf{crs}_{\textsf{or}}\) generated by \({\textsf{NGen}}_{\textsf{or}}\) and \({\textsf{NTGen}}_{\textsf{or}}\) are computationally close).

Next we define a modified prover \(\textsf{NProve}'\), which is exactly the same as \(\textsf{NProve}\) except that for each NAND gate, \(\pi _\ell \) is generated as

figure s

The following distributions are identical due to the composable zero-knowledge of \(\textsf{ORNIZK}\).

figure t

for and any \((\textsf{x},\textsf{w})\) such that \(\textsf{C}(\textsf{x},\textsf{w})=1\).

Moreover, since the distribution of \(\textsf{cm}_i=[\mathbf {{M}}\textbf{r}_i]_1\) is identical to that of \(\textsf{cm}_i=[\mathbf {{M}}\textbf{r}_i+\textbf{z} \textsf{w}_i]_1\) for when \(\textbf{z}\in \textsf{Span}(\mathbf {{M}})\), the distributions of

figure w

where and \(\textsf{C}(\textsf{x},\textsf{w})=1\), are identical as well, completing the proof of Theorem 2.    \(\square \)

Theorem 3

(Soundness). If \(\textsf{ORNIZK}\) is perfectly sound, then \(\textsf{NIZK}\) is perfectly sound.

Fig. 5.
figure 5

Definition of \(\textsf{Ext}_\textsf{NIZK}\). \(\textsf{F}_\textsf{NIZK}\) is the recursion algorithm defined as in Fig. 6.

Fig. 6.
figure 6

Definition of \(\textsf{F}_\textsf{NIZK}\). \(\textsf{Parent}_l\) (respectively, \(\textsf{Parent}_r\)) denotes the gate whose output is the left (respectively, right) input to \(G_\ell \).

Proof

To prove perfect soundness, we just have to show that we can extract a valid witness from any proof passing the verification. Let \(\textbf{k}\) be the vector in the kernel of \(\mathbf {{M}}\) such that \(\textbf{k}^\top \textbf{z}=1\), which must exist when \(\textbf{z}\notin \textsf{Span}(\mathbf {{M}})\). We define an extractor as in Fig. 5. For any valid statement/proof pair \((\textsf{x},\varPi )\), we argue that the extractor must be able to extract a valid witness \(\textsf{w}\) for \(\textsf{x}\) as below.

Due to the perfect soundness of \(\textsf{ORNIZK}\), for each NAND gate with input commitments \((\textsf{cm}_{d_1},\textsf{cm}_{d_2})\) and an output commitment \(\textsf{cm}_{d_3}\) in a valid proof, we have

$$\textsf{x}_{\ell ,1}=\begin{pmatrix}-[\textbf{z}]_1+\textsf{cm}_{d_1}+\textsf{cm}_{d_3}\\ -[\textbf{z}]_1+\textsf{cm}_{d_2}\end{pmatrix}\in \textsf{Span}([\mathbf {{M}}']_1)$$
$$ \text {or} {\textbf{x}}_{\ell ,2}=\begin{pmatrix}-[\textbf{z}]_1+\textsf{cm}_{d_3}\\ \textsf{cm}_{d_2}\end{pmatrix}\in \textsf{Span}([\mathbf {{M}}']_1).$$

Then we have

$$\begin{aligned} \textbf{k}^\top (-[\textbf{z}]_1+\textsf{cm}_{d_1}+\textsf{cm}_{d_3})=-[1]_1+\textbf{k}^\top \textsf{cm}_{d_1}+\textbf{k}^\top \textsf{cm}_{d_3}=[0]_1\\ \wedge \textbf{k}^\top (-[\textbf{z}]_1+\textsf{cm}_{d_2})=-[1]_1+\textbf{k}^\top \textsf{cm}_{d_2}=[0]_1 \end{aligned} $$
$$\begin{aligned} \text {or}\,\, \textbf{k}^\top (-[\textbf{z}]_1+\textsf{cm}_{d_3})=-[1]_1+\textbf{k}^\top \textsf{cm}_{d_3}=[0]_1 \wedge \textbf{k}^\top \textsf{cm}_{d_2}=[0]_1. \end{aligned} $$

Moreover, we must have \(\textbf{k}^\top \textsf{cm}_t=\textbf{k}^\top [\textbf{z}]_1=[1]_1\) for the output wire. As a result, for a valid proof, \(\textsf{F}_\textsf{NIZK}\) (see Fig. 6) will never abort during the execution of \(\textsf{Ext}_\textsf{NIZK}\), and running \(\textsf{F}_\textsf{NIZK}\) recursively will result in bits for input wires leading the statement circuit to output 1. Notice that after running \(\textsf{F}_\textsf{NIZK}(\textbf{k},\textsf{C},G_t,\varPi )\), there might be some input wires assigned \(\bot \). However, these wires do not affect the final output and we can just assign 0 to them.

As a result, we can extract the bits for all wires consisting of valid input/output pairs for all \(\textsf{NAND}\) gates and leading the statement circuit to output 1. Therefore, for all proofs passing the verification, there must exist a valid witness for the statement \(\textsf{x}\), i.e., \(\textsf{x}\in \mathcal {L}_\lambda ^\textsf{CSAT}\), completing the proof of Theorem 3.Footnote 5    \(\square \)
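As an added worked example (not code from the paper), the following Python script carries out the arithmetic behind Theorem 1 and Theorem 3 over \(\mathbb {Z}_p\) for \(k=1\): every group element \([\textbf{v}]_1\) is written as its discrete logarithm \(\textbf{v}\), so the commitments \(\textsf{cm}_d=[\mathbf {{M}}\textbf{r}_d+\textbf{z}\textsf{w}_d]_1\), the two OR-statements \(\textsf{x}_{\ell ,1},\textsf{x}_{\ell ,2}\) of each NAND gate, and the opening \(\textbf{k}^\top \textsf{cm}_d\) used by \(\textsf{Ext}_\textsf{NIZK}\) and \(\textsf{F}_\textsf{NIZK}\) (Figs. 5 and 6) become plain linear algebra. Two things are assumptions of this example rather than statements of the paper: \(\textsf{ORNIZK}\) is replaced by an ideal, perfectly sound test of membership in \(\textsf{Span}(\mathbf {{M}}')\) (so the script exercises the soundness argument, not the OR-proof itself), and the statement wires and the output wire are committed with randomness \(\textbf{r}=\textbf{0}\) so that the verifier can recompute them. The circuit, CRS and instances are constructed for the demonstration.

```python
# Added example (not from the paper): Sect. 3.2's commitments, gate relations and extractor over Z_p
# with k = 1, writing each group element [v]_1 as its discrete log v. ORNIZK is replaced by an ideal
# Span(M') membership test; statement/output wires use randomness r = 0 (both assumptions of this example).
import random

P = 2**61 - 1  # constructed prime standing in for the group order p

def in_span(M, v):
    """v in Span(M) for the 2x1 matrix M (stored as a 2-vector): det[M | v] = 0 mod p."""
    return (M[0] * v[1] - M[1] * v[0]) % P == 0

def sample_crs():
    """Binding CRS: z sampled outside Span(M) (the hiding CRS would instead use z = M u)."""
    M = [random.randrange(1, P), random.randrange(1, P)]
    z = [random.randrange(P), random.randrange(P)]
    while in_span(M, z):
        z = [random.randrange(P), random.randrange(P)]
    return M, z

def commit(M, z, w, r):
    """cm = M r + z w, the commitment of Fig. 3 in additive notation."""
    return [(M[0] * r + z[0] * w) % P, (M[1] * r + z[1] * w) % P]

def kernel_vector(M, z):
    """k with k^T M = 0 and k^T z = 1; exists iff z is outside Span(M) (proof of Theorem 3)."""
    k = [M[1], (-M[0]) % P]  # k^T M = M1*M0 - M0*M1 = 0
    s = (k[0] * z[0] + k[1] * z[1]) % P
    assert s != 0, "z lies in Span(M): hiding CRS, no extractor exists"
    inv = pow(s, P - 2, P)
    return [k[0] * inv % P, k[1] * inv % P]

def vadd(a, b, sign=1):
    return [(a[0] + sign * b[0]) % P, (a[1] + sign * b[1]) % P]

def nand_branch(w1, w2, w3):
    """Side of Relation (2) a NAND gate satisfies: 1 -> x_{l,1} in Span(M'), 2 -> x_{l,2}, 0 -> neither."""
    if w2 == 1 and (w1 + w3) % P == 1:
        return 1
    return 2 if (w2 == 0 and w3 == 1) else 0

def evaluate(gates, x, w):
    """Extend (x, w) to all wires of a NAND-only circuit; gate (d1, d2, d3) writes wire d3."""
    vals = list(x) + list(w)
    for d1, d2, d3 in gates:
        vals.append(1 - (vals[d1] & vals[d2]))
    return vals

def prove(M, z, gates, vals, n_in):
    """Commit to every wire and record which OR-branch each gate uses (proof of Theorem 1)."""
    t = len(vals)
    cms = [commit(M, z, vals[d], 0 if (d < n_in or d == t - 1) else random.randrange(P)) for d in range(t)]
    return cms, [nand_branch(vals[d1], vals[d2], vals[d3]) for d1, d2, d3 in gates]

def verify(M, z, gates, n_in, x, cms):
    """NVer with an ideal OR-verifier: x_{l,1} or x_{l,2} must lie in Span(M'), M' = diag(M, M)."""
    if any(cms[d] != commit(M, z, x[d], 0) for d in range(n_in)) or cms[-1] != z:
        return False
    for d1, d2, d3 in gates:
        x1 = (vadd(vadd(cms[d1], cms[d3]), z, -1), vadd(cms[d2], z, -1))
        x2 = (vadd(cms[d3], z, -1), cms[d2])
        if not (all(in_span(M, h) for h in x1) or all(in_span(M, h) for h in x2)):
            return False
    return True

def extract(M, z, gates, n_in, h, cms):
    """Ext_NIZK / F_NIZK (Figs. 5-6): open all commitments with k, then walk back from the output wire."""
    k = kernel_vector(M, z)
    opened = [(k[0] * cm[0] + k[1] * cm[1]) % P for cm in cms]
    parents = {d3: (d1, d2) for d1, d2, d3 in gates}  # Parent_l / Parent_r of each gate output
    visited = set()
    def walk(d):  # wire d is known to carry a bit
        if d in visited:
            return
        visited.add(d)
        if d not in parents:
            return
        d1, d2 = parents[d]
        w3, w2 = opened[d], opened[d2]
        if w2 == 1 and (opened[d1] + w3) % P == 1:  # branch x_{l,1}: left input equals 1 - w3
            walk(d2); walk(d1)
        elif w2 == 0 and w3 == 1:  # branch x_{l,2}: left input unconstrained, stays bottom
            walk(d2)
        else:
            raise AssertionError("gate relation violated: ORNIZK would have rejected this proof")
    assert opened[-1] == 1, "output wire does not open to 1"
    walk(len(cms) - 1)
    return [opened[d] if d in visited else 0 for d in range(n_in, n_in + h)]  # bottom wires -> 0

GATES = [(0, 2, 4), (1, 3, 5), (4, 5, 6)]  # constructed circuit: C(x, w) = (x0 AND w0) OR (x1 AND w1)
N_IN, H = 2, 2

def demo():
    random.seed(7)
    M, z = sample_crs()
    x, w = [1, 0], [1, 0]
    cms, branches = prove(M, z, GATES, evaluate(GATES, x, w), N_IN)
    accepted = verify(M, z, GATES, N_IN, x, cms)
    w_ext = extract(M, z, GATES, N_IN, H, cms)
    bad = evaluate(GATES, [0, 0], [1, 1])  # x = (0, 0) is unsatisfiable: force the output wire to 1 anyway
    bad[-1] = 1
    cms_bad, _ = prove(M, z, GATES, bad, N_IN)
    return accepted, branches, w_ext, evaluate(GATES, x, w_ext)[-1], verify(M, z, GATES, N_IN, [0, 0], cms_bad)
```

`demo()` shows the three ingredients of the proofs above in one run: the branch list records, per gate, which of \(\textsf{x}_{\ell ,1}\) (when \(\textsf{w}_{d_2}=1\)) and \(\textsf{x}_{\ell ,2}\) (when \(\textsf{w}_{d_2}=0\)) the honest prover proves; `extract` recovers a witness for the accepted proof even though it never sees \((\textsf{w}_i)\), leaving the unconstrained left input of a branch-2 gate at \(\bot \) (reported as 0) exactly as \(\textsf{F}_\textsf{NIZK}\) does; and the forged proof for the unsatisfiable statement is rejected at the gate whose OR-statement leaves \(\textsf{Span}(\mathbf {{M}}')\).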

Remark on the representation of circuits. We represent the circuits by \(\textsf{NAND}\) gates only for conceptual simplicity. In practice, this conversion is unnecessary. For any original circuit represented as \(\textsf{AND}\), \(\textsf{OR}\), \(\textsf{NOT}\) gates, the \(\textsf{NOT}\) gates are free, and by slightly changing Relation 2 on Page 6, we can directly adopt the OR-proof for AND and OR gates. Concretely, for AND gates, we prove \( (\textsf{w}_{d_1}-\textsf{w}_{d_3}=0\wedge -1+\textsf{w}_{d_2}=0)\ \vee \ (\textsf{w}_{d_3}=0\wedge \textsf{w}_{d_2}=0), \) and for OR gates, we prove \( (\textsf{w}_{d_1}-\textsf{w}_{d_3}=0\wedge \textsf{w}_{d_2}=0)\ \vee \ (\textsf{w}_{d_3}=1\wedge \textsf{w}_{d_2}=1). \) Then our new technique saves overhead for \(\textsf{AND}\) and \(\textsf{OR}\) gates with our witness-extraction strategy in the same way as for \(\textsf{NAND}\)-gates. The same argument can also be made for our BARG given later.

Instantiation of our NIZK. By instantiating the OR-proof system as in Sect. 3.1 under the \(\textsf{SXDH}\) assumption, each proof of our NIZK consists of \((2t+8s)\) elements in \(\mathbb {G}_1\) and \(10s\) elements in \(\mathbb {G}_2\), where \(t\) and \(s\) are the number of wires and gates in the statement circuit respectively. Compared to the GOS-NIZK given in Appendix A, which requires \((6t+4s)\) elements in \(\mathbb {G}_1\) and \((6t+6s)\) elements in \(\mathbb {G}_2\) for each proof, our proof size is strictly smaller since \(t\) must be larger than \(s\) in any circuit. Moreover, the numbers of exponentiations and pairing products required in our proving and verification procedures are only \(2t+30s\) and \(24s\) respectively, while those in the GOS-NIZK are \(18t+16s\) and \(12(s+t)\). Notice that when adopting the OR-proof in our construction, the statement \(\mathbf {{M}}'\) determining the language has half of the entries being \([0]_1\). We do not count exponentiations of these entries and pairing products between these entries and other elements in verification, since the computing results can always be fixed as \([0]_1\) or \([0]_T\).

More instantiations. By instantiating the underlying OR-proof system based on the Extended-Kernel Matrix Diffie-Hellman assumption, which holds unconditionally in the generic group model and is implied by the discrete logarithm assumption in the algebraic group model, as in Fig. 6 of [15], we can further reduce the size of the OR-proof used by our construction by 5 elements in \(\mathbb {G}_2\) compared to our \(\textsf{SXDH}\)-based instantiation (see Table 1). While this also works for the GOS-NIZK in Appendix A, its OR-proof size can only be reduced by 3 elements in \(\mathbb {G}_2\).

Extension to non-interactive zaps. In [29], Groth, Ostrovsky, and Sahai gave a generic conversion from any NIZK with verifiable correlated key generation into a non-interactive zap, i.e., a non-interactive witness-indistinguishable proof system in the plain model. To date, this is the only known non-interactive zap for \(\textsf{NP}\) based on standard assumptions. Here, verifiable correlated key generation refers to the ability to efficiently generate two correlated common reference strings (CRSs) along with one trapdoor. One CRS is binding, meaning it provides perfect soundness, while the other CRS is hiding, meaning it offers perfect zero-knowledge and corresponds to the trapdoor. It is crucial that a PPT adversary cannot distinguish which CRS is hiding when given both of them. Additionally, it is required that a verification algorithm exist such that honestly sampled CRS pairs always pass verification, and for any CRS pair that passes verification, one of them must be binding. We refer the reader to [29] for a detailed description of the conversion method, while we argue that our NIZK proof system satisfies the requirements for verifiable correlated key generation as outlined above. Consequently, it can be converted into a non-interactive zap, thereby improving the construction in [29] without any trade-offs. As far as we know, this results in the most efficient non-interactive zap based on standard assumptions.

To show that our NIZK has verifiable correlated key generation, we first recall that in both our NIZK and the GOS-NIZK, each CRS essentially consists of a CRS from the underlying NIZK and a key for a homomorphic commitment. Since both parts have the same distribution, we can combine them into a single tuple \((\textsf{par},[\mathbf {{M}}]_1,[\textbf{z}_\textsf{bind}]_1)\), where , , and , without compromising security. In the hiding mode, we replace \(\textbf{z}_\textsf{bind}\) with \(\textbf{z}_\textsf{hide}=\mathbf {{M}}\textbf{u}\) where . We can further change the distribution of \(\textbf{z}_\textsf{bind}\) to that of \(\textbf{z}_\textsf{hide}+\textbf{f}\), where \(\textbf{f}\) is some fixed vector outside \(\textsf{Span}(\mathbf {{M}})\). The changed \(\textbf{z}_\textsf{bind}\) remains binding, since \(\mathbf {{M}}\textbf{u}+\textbf{f}\notin \textsf{Span}(\mathbf {{M}})\) whenever \(\textbf{f}\notin \textsf{Span}(\mathbf {{M}})\), and composable zero-knowledge still holds due to the \(\textsf{MDDH}\) assumption. Then we can set the correlated CRSs as \((\textsf{par},[\mathbf {{M}},\textbf{z}_\textsf{bind}]_1)\) and \((\textsf{par},[\mathbf {{M}},\textbf{z}_\textsf{hide}=\textbf{z}_\textsf{bind}-\textbf{f}]_1)\) and set \(\textbf{u}\) as the trapdoor. Due to the \(\textsf{MDDH}\) assumption, no PPT adversary can tell which one is hiding. The verification algorithm, given the two CRSs, checks the validity of \(\textsf{par}\) and \([\mathbf {{M}}]_1\) and whether \([\textbf{z}_\textsf{bind}]_1-[\textbf{z}_\textsf{hide}]_1=[\textbf{f}]_1\) holds. For any two CRSs \((\textsf{par},[\mathbf {{M}},\textbf{z}_0]_1)\) and \((\textsf{par},[\mathbf {{M}},\textbf{z}_1]_1)\) passing the verification, we have \(\textbf{z}_0-\textbf{z}_1=\textbf{f}\notin \textsf{Span}(\mathbf {{M}})\), so either \([\textbf{z}_0]_1\notin \textsf{Span}([\mathbf {{M}}]_1)\) or \([\textbf{z}_1]_1\notin \textsf{Span}([\mathbf {{M}}]_1)\), i.e., one of them must be binding. Therefore, our NIZK proof system, as well as the GOS-NIZK in the asymmetric pairing setting, has verifiable correlated key generation.

4 Batch Argument for NP

In this section, we extend our framework for NIZK to give an efficient construction of BARG for batch circuit satisfiability in \(\textsf{NP}\).

Definition 10

(Batch circuit satisfiability). Let \(\lambda \) be the security parameter. The batch circuit satisfiability language for an integer \(m\in \mathbb {N}\) is defined as follows.

$$\begin{aligned} \mathcal {L}_\lambda ^\textsf{BatchCSAT}=&\{(\textsf{C},(\textsf{x}_i)_{i\in [m]})| \forall i\in [m]: \exists \textsf{w}_i\in \{0,1\}^h: \textsf{C}(\textsf{x}_i,\textsf{w}_i)=1\}, \end{aligned}$$

where \(\textsf{C}:\{0,1\}^n\times \{0,1\}^h\rightarrow \{0,1\}\) is any Boolean circuit with polynomial size in \(\lambda \) and \(\textsf{x}_1,\cdots ,\textsf{x}_m\in \{0,1\}^{n}\) are the statements. Without loss of generality, we assume that \(\textsf{C}\) consists only of fan-in-2 \(\textsf{NAND}\) gates.

Let \(\textsf{par}=\mathcal {G}\) be the public parameter, where . We give our BARG for \(\mathcal {L}_\lambda ^\textsf{BatchCSAT}\) in Fig. 7.

Fig. 7.
figure 7

Definition of \(\textsf{BARG}=(\textsf{BGen},\textsf{BProve},\textsf{BVer})\).

Theorem 4

(Completeness). \(\textsf{BARG}\) is complete.

Proof

Validity of statement. Since the first \(n\) wires correspond to the statement, for honestly generated \( ([\textbf{u}_d]_1=\sum \limits _{i\in [m]}\textsf{w}_{i,d}[\textbf{a}_i]_1)_{d\in [t]}\) and \(([\textbf{u}_d^*]_1=\sum \limits _{i\in [m]}\textsf{x}_{i,d}[\textbf{a}_i]_1)_{d\in [n]}\), we must have \(\textsf{x}_{i,d}=\textsf{w}_{i,d}\) for all \(i\in [m]\) and \(d\in [n]\). Hence, we have \([\textbf{u}_d]_1=[\textbf{u}_d^*]_1\) for all \(d\in [n]\). Similarly, we have \([\hat{\textbf{u}}_d]_2=[\hat{\textbf{u}}_d^*]_2\) for all \(d\in [n]\). Moreover, when the witnesses are valid, we must have \(\textsf{w}_{i,t}=1\) for all \(i\in [m]\) for the output wire. Hence, we have \([\textbf{u}_t]_1=[\sum \limits _{{i\in [m]}}\textbf{a}_i]_1=[\textbf{a}]_1\) and \([\hat{\textbf{u}}_t]_2=[\sum \limits _{{i\in [m]}}\hat{\textbf{a}}_i]_2=[\hat{\textbf{a}}]_2\).

Validity of gate computation. For witnesses \((\textsf{w}_{i})_{i\in [m]}\), for each gate \(G_\ell =({d_1},{d_2},{d_3})\), we have \((-1+\textsf{w}_{i,{d_1}}+\textsf{w}_{i,{d_3}}=0\wedge -1+\textsf{w}_{i,{d_2}}=0)\) or \((-1+\textsf{w}_{i,{d_3}}=0\wedge \textsf{w}_{i,{d_2}}=0)\) for all \(i\in [m]\), which in turn implies

$$(-1+\textsf{w}_{i,{d_1}}+\textsf{w}_{i,{d_3}})\textsf{w}_{i,{d_2}}=0\ \text {and} \ (-1+\textsf{w}_{i,{d_3}})(-1+\textsf{w}_{i,{d_2}})=0.$$

Moreover, for the CRS, we have

$$\mathbf {{B}}_{i,j}\hat{\mathbf {{M}}}^\top +\mathbf {{M}}\hat{\mathbf {{B}}}_{i,j}^\top =\mathbf {{M}}(\alpha _i\hat{\mathbf {\alpha }}_j^\top +\mathbf {{R}}_{i,j})\hat{\mathbf {{M}}}^\top -\mathbf {{M}}\mathbf {{R}}_{i,j}\hat{\mathbf {{M}}}^\top =\mathbf {{M}}\alpha _i\hat{\mathbf {\alpha }}_j^\top \hat{\mathbf {{M}}}^\top =\textbf{a}_i\hat{\textbf{a}}_j^\top .$$

Then for \(((\textbf{u}_d,\hat{\textbf{u}}_d)_{d\in [t]},([\mathbf {{V}}_{\ell ,i},\mathbf {{W}}_{\ell }]_1,[\hat{\mathbf {{V}}}_{\ell ,i},\hat{\mathbf {{W}}}_{\ell }]_2)_{\ell \in [s],i\in [2]})\) in a valid proof, we have

$$\begin{aligned} &(\textbf{a}-\textbf{u}_{d_1}-\textbf{u}_{d_3})\hat{\textbf{u}}_{d_2}^\top =\sum \limits _{{i\in [m]}}(1-\textsf{w}_{i,{d_1}}-\textsf{w}_{i,{d_3}})\textbf{a}_i\sum \limits _{{i\in [m]}}\textsf{w}_{i,{d_2}}\hat{\textbf{a}}_i^\top \\ =&\Big (\underbrace{\sum \limits _{{i\in [m]}}(1-\textsf{w}_{i,{d_1}}-\textsf{w}_{i,{d_3}})\textsf{w}_{i,{d_2}}\textbf{a}_i\hat{\textbf{a}}_i^\top }_{=0} +\sum \limits _{i\ne j}(1-\textsf{w}_{i,{d_1}}-\textsf{w}_{i,{d_3}})\textsf{w}_{j,{d_2}}\textbf{a}_i\hat{\textbf{a}}_j^\top \Big )\\ =&\sum \limits _{i\ne j}(1-\textsf{w}_{i,{d_1}}-\textsf{w}_{i,{d_3}})\textsf{w}_{j,{d_2}}\underbrace{(\mathbf {{B}}_{i,j}\hat{\mathbf {{M}}}^\top +\mathbf {{M}}\hat{\mathbf {{B}}}_{i,j}^\top )}_{=\textbf{a}_i\hat{\textbf{a}}_j^\top } =\mathbf {{M}}\hat{\mathbf {{V}}}_{\ell ,1}^\top +\mathbf {{V}}_{\ell ,1}\hat{\mathbf {{M}}}^\top , \end{aligned}$$
$$\begin{aligned} &\textbf{u}_{d_2}\hat{\textbf{a}}^\top -(\textbf{u}_{d_1}+\textbf{u}_{d_3})\hat{\textbf{u}}_{d_2}^\top \\ =&\sum \limits _{{i\in [m]}}\textsf{w}_{i,{d_2}}\textbf{a}_i\sum \limits _{{i\in [m]}}\hat{\textbf{a}}_i^\top -\sum \limits _{{i\in [m]}}(\textsf{w}_{i,{d_1}}+\textsf{w}_{i,{d_3}})\textbf{a}_i\sum \limits _{{i\in [m]}}\textsf{w}_{i,{d_2}}\hat{\textbf{a}}_i^\top \\ =&\Big (\underbrace{\sum \limits _{{i\in [m]}}(1-\textsf{w}_{i,{d_1}}-\textsf{w}_{i,{d_3}})\textsf{w}_{i,{d_2}}\textbf{a}_i\hat{\textbf{a}}_i^\top }_{=0} +\sum \limits _{i\ne j}\big (\textsf{w}_{i,{d_2}}-(\textsf{w}_{i,{d_1}}+\textsf{w}_{i,{d_3}})\textsf{w}_{j,{d_2}}\big )\textbf{a}_i\hat{\textbf{a}}_j^\top \Big )\\ =&\sum \limits _{i\ne j}\big (\textsf{w}_{i,{d_2}}-(\textsf{w}_{i,{d_1}}+\textsf{w}_{i,{d_3}})\textsf{w}_{j,{d_2}}\big )\underbrace{(\mathbf {{B}}_{i,j}\hat{\mathbf {{M}}}^\top +\mathbf {{M}}\hat{\mathbf {{B}}}_{i,j}^\top )}_{=\textbf{a}_i\hat{\textbf{a}}_j^\top } =\mathbf {{M}}\hat{\mathbf {{V}}}_{\ell ,2}^\top +\mathbf {{V}}_{\ell ,2}\hat{\mathbf {{M}}}^\top , \end{aligned}$$
$$\begin{aligned} &(\textbf{a}-\textbf{u}_{d_3})(\hat{\textbf{a}}^\top -\hat{\textbf{u}}_{d_2}^\top )\\ =&\sum \limits _{{i\in [m]}}(1-\textsf{w}_{i,{d_3}})\textbf{a}_i\sum \limits _{{i\in [m]}}(1-\textsf{w}_{i,{d_2}})\hat{\textbf{a}}_i^\top \\ =&\Big (\underbrace{\sum \limits _{{i\in [m]}}(1-\textsf{w}_{i,{d_3}})(1-\textsf{w}_{i,{d_2}})\textbf{a}_i\hat{\textbf{a}}_i^\top }_{=0}+\sum \limits _{i\ne j}(1-\textsf{w}_{i,{d_3}})(1-\textsf{w}_{j,{d_2}})\textbf{a}_i\hat{\textbf{a}}_j^\top \Big )\\ =&\sum \limits _{i\ne j}(1-\textsf{w}_{i,{d_3}})(1-\textsf{w}_{j,{d_2}})\underbrace{(\mathbf {{B}}_{i,j}\hat{\mathbf {{M}}}^\top +\mathbf {{M}}\hat{\mathbf {{B}}}_{i,j}^\top )}_{=\textbf{a}_i\hat{\textbf{a}}_j^\top }=\mathbf {{M}}\hat{\mathbf {{W}}}_{\ell }^\top +\mathbf {{W}}_{\ell }\hat{\mathbf {{M}}}^\top . \end{aligned}$$

This completes the proof of completeness.    \(\square \)

Theorem 5

(Succinctness). \(\textsf{BARG}\) is succinct.

Proof

For our BARG in Fig. 7, we check the succinctness as follows.

Proof size. Each proof \(\pi \) consists of \(t(k+1)+3s(k+1)k\) group elements in each of \(\mathbb {G}_1\) and \(\mathbb {G}_2\), where each group element can be represented in \(\textsf{poly}(\lambda )\) bits and k is constant. Since \(t=\textsf{poly}(s)\), we have \(|\pi |=\textsf{poly}(\lambda ,s)\).

CRS size. Each CRS \(\textsf{crs}\) consists of the group description and \((k+1)k+(m+1)(k+1)+m(m-1)/2\cdot (k+1)k=O(k^2 m^2)\) elements in each of \(\mathbb {G}_1\) and \(\mathbb {G}_2\). Thus we have \(|\textsf{crs}|=m^2\cdot \textsf{poly}(\lambda )\).

Verification key. Each verification key \(\textsf{vk}\) output by \(\textsf{GenVK}\) consists of \(n(k+1)\) elements in each of \(\mathbb {G}_1\) and \(\mathbb {G}_2\). Thus we have \(|\textsf{vk}|=n\cdot \textsf{poly}(\lambda )\).

Verification key generation time. \(\textsf{GenVK}\) performs \(2mn(k+1)\) group operations, which requires \(\textsf{poly}(\lambda ,m,n)\) time.

Online verification time. \(\textsf{OnlineVer}\) consists of 3 steps in total, where the running time of each step is bounded by \(nk\cdot \textsf{poly}(\lambda )\), \(k\cdot \textsf{poly}(\lambda )\), and \(s k^3\cdot \textsf{poly}(\lambda )\) respectively. Since \(n=\textsf{poly}(s)\), the total running time is bounded by \(\textsf{poly}(\lambda ,s)\).

Putting all the above together, Theorem 5 immediately follows.    \(\square \)

Theorem 6

(Somewhere argument of knowledge). Under the \(\mathcal {D}_k\text{- }\textsf{MDDH}\) assumption, \(\textsf{BARG}\) is a somewhere argument of knowledge.

Proof

We define the trapdoor setup and extraction algorithms as in Fig. 8.

CRS indistinguishability. We prove the CRS indistinguishability by defining a sequence of intermediate games.

Let \(\mathcal {A}\) be any PPT adversary against the CRS indistinguishability of \(\textsf{BARG}\) for some index \({i^*}\in [m]\). It receives a CRS \(\textsf{crs}\) generated by the challenger \(\mathcal{C}\mathcal{H}\) in each game as defined in Fig. 10.

Game \(\textsf{G}_0\) and \(\textsf{G}_1\). Game \(\textsf{G}_0\) is the game where \(\mathcal{C}\mathcal{H}\), on receiving the index \({i^*}\) from the adversary, returns \(\textsf{crs}\) generated as to \(\mathcal {A}\). Game \(\textsf{G}_1\) is exactly the same as \(\textsf{G}_0\) except that \(\mathbf {{B}}_{i,j}\) and \(\hat{\mathbf {{B}}}_{i,j}\) are generated in a different way.

Lemma 2

\(\Pr [\textsf{G}_0^\mathcal {A}\Rightarrow 1] =\Pr [\textsf{G}^\mathcal {A}_1 \Rightarrow 1]\).

Proof

For \(j\ne {i^*}\), the distributions of \(\mathbf {{B}}_{i,j}\) in Games \(\textsf{G}_0\) and \(\textsf{G}_1\) are identical, since

$$\mathbf {{M}}(\alpha _i\hat{\mathbf {\alpha }}_j^\top +\mathbf {{R}}_{i,j})=(\mathbf {{M}}\alpha _i)\hat{\mathbf {\alpha }}_j^\top +\mathbf {{M}}\mathbf {{R}}_{i,j}=\textbf{a}_i\hat{\mathbf {\alpha }}_j^\top +\mathbf {{M}}\mathbf {{R}}_{i,j}.$$

For \(j={i^*}\), in \(\textsf{G}_0\), we have \(\mathbf {{B}}_{i,j}=\mathbf {{M}}(\alpha _i\hat{\mathbf {\alpha }}_j^\top +\mathbf {{R}}_{i,j})\) and

$$\begin{aligned} \hat{\mathbf {{B}}}_{i,j}=-\hat{\mathbf {{M}}}\mathbf {{R}}_{i,j}^\top &=\hat{\mathbf {{M}}}(\alpha _i\hat{\mathbf {\alpha }}_j^\top )^\top -\hat{\mathbf {{M}}}(\mathbf {{R}}_{i,j}+\alpha _i\hat{\mathbf {\alpha }}_j^\top )^\top =\hat{\textbf{a}}_j\alpha _i^\top -\hat{\mathbf {{M}}}(\mathbf {{R}}_{i,j}+\alpha _i\hat{\mathbf {\alpha }}_j^\top )^\top . \end{aligned}$$

Since \(\mathbf {{R}}_{i,j}+\alpha _i\hat{\mathbf {\alpha }}_j^\top \) is uniformly distributed, the distribution of \((\mathbf {{B}}_{i,j},\hat{\mathbf {{B}}}_{i,j})\) is identical to that in \(\textsf{G}_1\), completing this part of the proof.    \(\square \)

Fig. 8.
figure 8

Definition of \((\textsf{BTGen},\textsf{Ext}_\textsf{BARG})\). \(\textsf{F}_\textsf{BARG}\) is the recursion algorithm defined as in Fig. 9.

Fig. 9.
figure 9

Definition of \(\textsf{F}_\textsf{BARG}\). \(\textsf{Parent}_l\) (respectively, \(\textsf{Parent}_r\)) denotes the gate whose output is the left (respectively, right) input to \(G_\ell \).

Fig. 10.
figure 10

Challenger \(\mathcal{C}\mathcal{H}\) in the intermediate games.

Game \(\textsf{G}_2\). \(\textsf{G}_2\) is the same as \(\textsf{G}_1\) except that \(\textbf{a}_{i^*}\) is randomly sampled outside the span of \(\mathbf {{M}}\).

Lemma 3

There exists an adversary \(\mathcal {B}_1\) breaking the \(\mathcal {D}_k\)-\(\textsf{MDDH}\) assumption in \(\mathbb {G}_1\) with probability at least \(|\Pr [\textsf{G}_2^\mathcal {A}\Rightarrow 1] -\Pr [\textsf{G}_1^\mathcal {A}\Rightarrow 1]|-1/p\).

Proof

We build \(\mathcal {B}_1\) as follows.

\(\mathcal {B}_1\) runs in exactly the same way as the challenger of \(\textsf{G}_1\) except that instead of generating \([\textbf{a}_{i^*}]_1\) by itself, it takes as input \([\textbf{a}_{i^*}]_1\) generated as or \(\textbf{a}_{i^*}=\mathbf {{M}}\alpha _{i^*}\) where from its own challenger. When \(\mathcal {A}\) outputs \(\beta \in \{0,1\}\), \(\mathcal {B}_1\) outputs \(\beta \) as well.

If \({\textbf{a}_{i^*}}\) is generated as \(\textbf{a}_{i^*}=\mathbf {{M}}\alpha _{i^*}\) where , the view of \(\mathcal {A}\) is the same as its view in \(\textsf{G}_1\). Otherwise, the view of \(\mathcal {A}\) is \(1/p\)-statistically close to its view in \(\textsf{G}_2\). Hence, the probability that \(\mathcal {B}_1\) breaks the \(\mathcal {D}_k\)-\(\textsf{MDDH}\) assumption is at least \(| \Pr [\textsf{G}^\mathcal {A}_2\Rightarrow 1] - \Pr [\textsf{G}^\mathcal {A}_1 \Rightarrow 1]|-1/p\), completing this part of the proof.    \(\square \)

Game \(\textsf{G}_3\). \(\textsf{G}_3\) is the game \(\mathcal{C}\mathcal{H}\) returns \(\textsf{crs}\) generated by \(\textsf{BTGen}(1^\lambda ,\textsf{par},1^m,{i^*})\). It is exactly the same as \(\textsf{G}_2\) except that \(\hat{\textbf{a}}_{i^*}\) is randomly sampled outside the span of \(\hat{\mathbf {{M}}}\).

Lemma 4

There exists an adversary \(\mathcal {B}_2\) breaking the \(\mathcal {D}_k\)-\(\textsf{MDDH}\) assumption in \(\mathbb {G}_2\) with probability at least \(|\Pr [\textsf{G}_3^\mathcal {A}\Rightarrow 1] -\Pr [\textsf{G}_2^\mathcal {A}\Rightarrow 1]|-1/p\).

Proof

We build \(\mathcal {B}_2\) as follows.

\(\mathcal {B}_2\) runs in exactly the same way as the challenger of \(\textsf{G}_2\) except that instead of generating \([\hat{\textbf{a}}_{i^*}]_2\) by itself, it takes as input \([\hat{\textbf{a}}_{i^*}]_2\) generated as or \(\hat{\textbf{a}}_{i^*}=\hat{\mathbf {{M}}}\hat{\mathbf {\alpha }}_{i^*}\) where from its own challenger. When \(\mathcal {A}\) outputs \(\beta \in \{0,1\}\), \(\mathcal {B}_2\) outputs \(\beta \) as well.

If \({\hat{\textbf{a}}_{i^*}}\) is generated as \(\hat{\textbf{a}}_{i^*}=\hat{\mathbf {{M}}}\hat{\mathbf {\alpha }}_{i^*}\) where , the view of \(\mathcal {A}\) is the same as its view in \(\textsf{G}_2\). Otherwise, the view of \(\mathcal {A}\) is 1/p-statistically close to its view in \(\textsf{G}_3\). Hence, the probability that \(\mathcal {B}_2\) breaks the \(\mathcal {D}_k\)-\(\textsf{MDDH}\) assumption is at least \(| \Pr [\textsf{G}^\mathcal {A}_3\Rightarrow 1] - \Pr [\textsf{G}^\mathcal {A}_2 \Rightarrow 1]|-1/p\), completing this part of the proof.    \(\square \)

Putting all the above together, the CRS indistinguishability of \(\textsf{BARG}\) immediately follows.

Somewhere extractability in the trapdoor mode. We now argue that for any valid statement/proof pair \(((\textsf{x}_i)_{i\in [m]},\varPi )\), the extractor must be able to extract a valid witness \(\textsf{w}_{i^*}\) for \(\textsf{x}_{i^*}\).

For each NAND gate \(G_\ell \) with commitments \((\textbf{u}_{d_i},\hat{\textbf{u}}_{d_i})_{i\in [3]}\) and proof \((([\mathbf {{V}}_{\ell ,i}]_1,[\hat{\mathbf {{V}}}_{\ell ,i}]_2)_{i\in [2]},[\mathbf {{W}}_{\ell },\hat{\mathbf {{W}}}_{\ell }]_1)\), we have

$$[\textbf{a}-\textbf{u}_{d_1}-\textbf{u}_{d_3}]_1 \circ [\hat{\textbf{u}}_{d_2}^\top ]_2=[\mathbf {{M}}]_1 \circ [\hat{\mathbf {{V}}}_{\ell ,1}^\top ]_2+[\mathbf {{V}}_{\ell ,1}]_1 \circ [\hat{\mathbf {{M}}}^\top ]_2,$$
$$[\textbf{u}_{d_2}]_1 \circ [\hat{\textbf{a}}^\top ]_2-[\textbf{u}_{d_1}+\textbf{u}_{d_3}]_1 \circ [\hat{\textbf{u}}_{d_2}^\top ]_2=[\mathbf {{M}}]_1 \circ [\hat{\mathbf {{V}}}_{\ell ,2}^\top ]_2+[\mathbf {{V}}_{\ell ,2}]_1 \circ [\hat{\mathbf {{M}}}^\top ]_2,$$
$$[\textbf{a}-\textbf{u}_{d_3}]_1 \circ [\hat{\textbf{a}}^\top -\hat{\textbf{u}}_{d_2}^\top ]_2=[\mathbf {{M}}]_1 \circ [\hat{\mathbf {{W}}}_{\ell ,1}^\top ]_2+[\mathbf {{W}}_{\ell ,1}]_1 \circ [\hat{\mathbf {{M}}}^\top ]_2.$$

Recall that \(\tau \) is the trapdoor in Fig. 8, and let \(\hat{\tau }\) be the vector in the kernel of \(\hat{\mathbf {{M}}}\) such that \(\hat{\tau }^\top \hat{\textbf{a}}_{i^*}=1\), which must exist when \(\hat{\textbf{a}}_{i^*}\notin \textsf{Span}(\hat{\mathbf {{M}}})\). Since \(\tau ^\top \textbf{a}=\hat{\tau }^\top \hat{\textbf{a}}=1\) and \(\tau ^\top \mathbf {{M}}=\hat{\tau }^\top \hat{\mathbf {{M}}}\), the above equations imply

$$\begin{aligned}{}[1-\tau ^\top \textbf{u}_{d_1}-\tau ^\top \textbf{u}_{d_3}]_1 \circ [\hat{\textbf{u}}_{d_2}^\top \hat{\tau }]_2=[0]_T \end{aligned}$$
(4)
$$\begin{aligned}{}[\tau ^\top \textbf{u}_{d_2}]_1 \circ [1]_2-[\tau ^\top \textbf{u}_{d_1}+\tau ^\top \textbf{u}_{d_3}]_1 \circ [\hat{\textbf{u}}_{d_2}^\top \hat{\tau }]_2=[0]_T, \end{aligned}$$
(5)
$$\begin{aligned}{}[1-\tau ^\top \textbf{u}_{d_3}]_1 \circ [1-\hat{\textbf{u}}_{d_2}^\top \hat{\tau }]_2=[0]_T. \end{aligned}$$
(6)

Taking the quotient of Eqs. (4) and (5) yields \( [\tau ^\top \textbf{u}_{d_2}]_T=[\hat{\textbf{u}}_{d_2}^\top \hat{\tau }]_T \). Then, combining Eqs. (4) and (6) yields \( 1-\tau ^\top \textbf{u}_{d_1}-\tau ^\top \textbf{u}_{d_3}=0 \wedge 1-\tau ^\top \textbf{u}_{d_2}=0 \) or \( 1-\tau ^\top \textbf{u}_{d_3}=0 \wedge \tau ^\top \textbf{u}_{d_2}=0 \) or \( 1-\tau ^\top \textbf{u}_{d_1}-\tau ^\top \textbf{u}_{d_3}=0 \wedge 1-\tau ^\top \textbf{u}_{d_3}=0\), i.e., \(1-\tau ^\top \textbf{u}_{d_3}=0 \wedge \tau ^\top \textbf{u}_{d_1}=0. \) Each of these three cases is a valid input/output assignment of a \(\textsf{NAND}\) gate. Moreover, we must have \(\tau ^\top \textbf{u}_{d_t}=\tau ^\top [\textbf{a}]_1=[1]_1\) for the output wire. As a result, for a valid proof, \(\textsf{F}_\textsf{BARG}\) (see Fig. 9) never aborts during the execution of \(\textsf{Ext}_\textsf{BARG}\), and running \(\textsf{F}_\textsf{BARG}\) recursively yields bits for the input wires that lead the statement circuit to output 1. Notice that after running \(\textsf{F}_\textsf{BARG}(\textsf{td},\textsf{C},G_t,\varPi )\), some input wires might be assigned \(\bot \). However, these wires do not affect the final output and can be assigned 0.

As a result, we can extract bits for all wires that form valid input/output pairs for all \(\textsf{NAND}\) gates and lead the statement circuit to output 1, completing the proof of perfect soundness.

Putting all the above together, Theorem 6 immediately follows.   \(\square \)
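The extraction argument above can be followed concretely on a toy instance. The following is an added example, not code from the paper: it works over a prime field with \(k=1\) (as under \(\textsf{SXDH}\)) and models only what the soundness proof actually uses, namely that a wire bit \(b\) is committed as \(\textbf{u}=\mathbf {{M}}\alpha +b\,\textbf{a}\) (and \(\hat{\textbf{u}}\) likewise in the second group), that the trapdoor \(\tau \) satisfies \(\tau ^\top \mathbf {{M}}=0\) and \(\tau ^\top \textbf{a}=1\) so that \(\tau ^\top \textbf{u}=b\), and that a valid gate proof forces the scalar identities (4)–(6). The pairing equations and the \((\mathbf {{V}},\hat{\mathbf {{V}}},\mathbf {{W}})\) components are not modelled; the functions `bt_gen`, `commit`, `prove`, `extract` and the circuit encoding (a list of `(d1, d2, d3)` NAND gates whose last gate produces the output wire) are this example's own constructions. The prime `P` is a constructed toy modulus, not the BLS12-381 group order.

```python
"""Scalar model of the trapdoor-mode extractor F_BARG (added example, not the
paper's code).  k = 1, commitments are 2-vectors u = M*alpha + b*a over Z_P."""
import random

P = 2**61 - 1  # constructed toy prime, not the BLS12-381 group order


def _dot(x, y):
    return (x[0] * y[0] + x[1] * y[1]) % P


def bt_gen(rng):
    """Trapdoor-mode parameters for one group: M (2x1, stored as a column),
    a outside span(M), and tau with tau^T M = 0 and tau^T a = 1."""
    M = (rng.randrange(1, P), rng.randrange(1, P))
    tau = (M[1], (-M[0]) % P)            # tau^T M = M1*M0 - M0*M1 = 0
    while True:
        a = (rng.randrange(P), rng.randrange(P))
        t = _dot(tau, a)
        if t:                            # t != 0  <=>  a not in span(M)
            break
    s = pow(t, P - 2, P)                 # rescale tau so that tau^T a = 1
    return M, a, (tau[0] * s % P, tau[1] * s % P)


def keygen(seed):
    """CRS (M, a) per group and trapdoor (tau, tau_hat); fixed seed for replay."""
    rng = random.Random(seed)
    M, a, tau = bt_gen(rng)
    M_hat, a_hat, tau_hat = bt_gen(rng)
    return ((M, a), (M_hat, a_hat)), (tau, tau_hat), rng


def commit(M, a, bit, rng):
    """u = M*alpha + bit*a with fresh randomness alpha."""
    alpha = rng.randrange(P)
    return ((M[0] * alpha + bit * a[0]) % P, (M[1] * alpha + bit * a[1]) % P)


def eval_circuit(circuit, x):
    """circuit = (n_in, gates); gate (d1, d2, d3) sets wire d3 = NAND(d1, d2)."""
    n_in, gates = circuit
    w = dict(enumerate(x))
    for d1, d2, d3 in gates:
        w[d3] = 1 - (w[d1] & w[d2])
    return w[gates[-1][2]]


def prove(circuit, x, crs, rng):
    """Honest prover: commit every wire value in both groups."""
    (M, a), (M_hat, a_hat) = crs
    n_in, gates = circuit
    w = dict(enumerate(x))
    for d1, d2, d3 in gates:
        w[d3] = 1 - (w[d1] & w[d2])
    return {i: (commit(M, a, b, rng), commit(M_hat, a_hat, b, rng)) for i, b in w.items()}


def gate_relations_hold(b1, b2, b3, b2_hat):
    """Scalar form of Eqs. (4), (5), (6); a valid gate proof forces all three to vanish."""
    e4 = (1 - b1 - b3) * b2_hat % P
    e5 = (b2 - (b1 + b3) * b2_hat) % P
    e6 = (1 - b3) * (1 - b2_hat) % P
    return e4 == 0 and e5 == 0 and e6 == 0


def extract(td, circuit, proof):
    """Model of F_BARG: start at the output gate, open wires with the trapdoors,
    check (4)-(6) at each visited gate and recurse into the inputs that matter.
    Returns the input bits (unvisited inputs, i.e. bottom, set to 0) or None on abort."""
    tau, tau_hat = td
    n_in, gates = circuit
    producer = {g[2]: g for g in gates}
    bits = {}

    def visit(wire):
        b = _dot(tau, proof[wire][0])
        bits[wire] = b
        if wire not in producer:          # input wire: nothing more to check
            return True
        d1, d2, _ = producer[wire]
        b1 = _dot(tau, proof[d1][0])
        b2 = _dot(tau, proof[d2][0])
        b2_hat = _dot(tau_hat, proof[d2][1])
        if not gate_relations_hold(b1, b2, b, b2_hat):
            return False                  # no valid (V, W) could exist: abort
        if b == 1 and b2 == 0:            # NAND(?, 0) = 1: wire d1 is a don't-care
            return visit(d2)
        return visit(d1) and visit(d2)

    out = gates[-1][2]
    if _dot(tau, proof[out][0]) != 1 or not visit(out):
        return None
    return [bits.get(i, 0) for i in range(n_in)]


def demo():
    """AND(x0, x1) as two NAND gates: honest proof extracts; a proof whose output
    wire is re-committed to 1 on a false statement makes the extractor abort."""
    crs, td, rng = keygen(7)
    (M, a), (M_hat, a_hat) = crs
    circuit = (2, [(0, 1, 2), (2, 2, 3)])
    honest = extract(td, circuit, prove(circuit, [1, 1], crs, rng))
    forged = prove(circuit, [1, 0], crs, rng)                   # statement is false
    forged[3] = (commit(M, a, 1, rng), commit(M_hat, a_hat, 1, rng))
    return honest, extract(td, circuit, forged)                # ([1, 1], None)
```

The don't-care branch in `extract` is the \(\bot \) case of the text: when a gate outputs 1 because its second input is 0, the first input is never opened and, if it is an input wire, is later filled with 0, which cannot change the circuit output. The forged proof in `demo` fails Eq. (4) at the output gate, which is the toy counterpart of the statement that no \((\mathbf {{V}},\mathbf {{W}})\) satisfying the pairing equations exists for an inconsistent gate.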

Proof size and proving and online verification cost. By instantiating our construction under the \(\textsf{SXDH}\) assumption, each proof of our BARG consists of \((2t+6s)\) elements in both \(\mathbb {G}_1\) and \(\mathbb {G}_2\), where \(t\) and \(s\) are the numbers of wires and gates in the statement circuit respectively. The proof size is strictly smaller than that of WW-BARG, which requires \((4t+4s)\) elements in both \(\mathbb {G}_1\) and \(\mathbb {G}_2\). Moreover, the proving and online verification procedures in our construction require only \(4mt+6m(m-1)s\) multiplications and \(40s\) pairing products respectively. In contrast, those in WW-BARG require \(4m^2 t+4m(m-1)s\) multiplications and \(24t+32s\) pairing products (after merging items with multiplication in \(\mathbb {G}_1\) and \(\mathbb {G}_2\)).

Construction in the symmetric pairing. Transplanting our construction to the setting of symmetric composite-order pairing groups yields a BARG under the subgroup decision assumption. Compared to the WW-BARG, we reduce the proof size by \((2t+s)-(t+2s)=t-s\) group elements in \(\mathbb {G}\). Also, the number of multiplications and pairing products required in the proving and online verification procedures are reduced by \(m(m-1) t-(m(m-1)/2)s\) and \((2t+3s)-4s=2t-s\) respectively. We refer the reader to the full paper for the construction and security proof.

Bootstrapping to reduce CRS size. Similar to WW-BARG, by using the bootstrapping technique in [48], we can reduce the CRS size of our BARG to \(m^c\cdot \textsf{poly}(\lambda ,s)\) for any \(c>0\). As a trade-off, the proof size becomes dependent on \(\log (m)\). A recent work by Kalai et al. [35] shows a general construction to convert BARGs into ones having both CRSs and proofs of size \(\textsf{poly}(\lambda ,\log m,s)\). Instantiating the underlying BARG with ours immediately yields an efficient construction with both succinct CRSs and succinct proofs.

5 Experimental Performance

In this section, we experimentally evaluate the proving cost, verification cost, and proof size of our NIZK and BARG for \(\textsf{NP}\) and compare them with GOS-NIZK and WW-BARG respectively. We focus on \(\textsf{SXDH}\)-based implementations in asymmetric Type-3 pairings, since these are the most efficient amongst all types of pairings, as mentioned in the introduction. We implemented GOS-NIZK and WW-BARG ourselves, since no open-source implementations are available.

We implement the NIZK and BARG schemes in C++ on the pairing-friendly curve BLS12-381 in the mcl library [47]. Parameters of all schemes are set to achieve a 128-bit security level. All experiments are carried out on a MacBook Pro with an Intel i5-7360U CPU (2.30 GHz) and 16 GB of memory, where a single exponentiation and a single pairing take about 0.08 ms and 0.8 ms respectively.

In Tables 3 and 4, we present experimental results regarding the proving and verification costs and the proof sizes of our NIZK and GOS-NIZK. The comparisons are carried out for both schemes under different ratios between the number of gates and wires, namely 2.00, 1.50, and 1.06. We also evaluated their performance across statement circuit sizes ranging from \(2^8\) to \(2^{12}\). Our prover is \(1.52\times \), \(1.32\times \), and \(1.11\times \) faster than GOS-NIZK when the ratios are 2.00, 1.50, and 1.06 respectively. For the same ratios, our verifier is \(1.44\times \), \(1.21\times \), and \(1.02\times \) faster. Additionally, our proof sizes are \(1.62\times \), \(1.38\times \), and \(1.16\times \) smaller. One can see that our scheme outperforms GOS-NIZK in every aspect, and the significance of our improvement increases as the ratio becomes larger. Additionally, we note that the ratio tends to 2 (i.e., its upper bound) when most gates do not share common input wires, and tends to be close to 1 (i.e., its lower bound) when most gates share common input wires, which may happen when most gates have multiple fan-out and the witness size is very small. A similar argument can be made for our BARG.

Table 3. Comparison of the proving and verification cost (in seconds) between GOS-NIZK and our NIZK.
Table 4. Comparison of the proof size (in MB) between GOS-NIZK and our NIZK.
Table 5. Comparison of the proving and verification costs (in seconds) between WW-BARG and our BARG. “stats.” means statement instances.
Table 6. Comparison of the proof size (in MB) between WW-BARG and our BARG. “stats.” means statement instances.

In Tables 5 and 6, we present experimental results regarding the proving and verification costs and the proof sizes of our BARG and WW-BARG when proving 50 and 100 statements. The comparisons are carried out for both schemes under different ratios between the number of gates and wires, namely 2.00, 1.50, and 1.06. We also evaluated their performance across statement circuit sizes ranging from \(2^8\) to \(2^{12}\). For proving 100 statement instances, our prover is \(2.27\times \), \(1.63\times \), and \(1.35\times \) faster than WW-BARG when the ratios are 2.00, 1.50, and 1.06 respectively. For the same ratios, the verifier is \(2.70\times \), \(2.35\times \), and \(1.92\times \) faster. For proving 50 statement instances with respect to these ratios, our prover is \(2.13\times \), \(1.51\times \), and \(1.28\times \) faster, and our verifier is \(2.63\times \), \(2.27\times \), and \(1.94\times \) faster. Additionally, our proof sizes are \(1.20\times \), \(1.11\times \), and \(1.02\times \) smaller, regardless of the number of statement instances. As a result, our scheme outperforms WW-BARG in every aspect.