Multi-theorem Preprocessing NIZKs from Lattices
Journal of Cryptology (IF 2.3), Pub Date: 2019-04-26, DOI: 10.1007/s00145-019-09324-0
Sam Kim , David J. Wu

Non-interactive zero-knowledge (NIZK) proofs are fundamental to modern cryptography. Numerous NIZK constructions are known in both the random oracle and the common reference string (CRS) models. In the CRS model, there exist constructions from several classes of cryptographic assumptions such as trapdoor permutations, pairings, and indistinguishability obfuscation. However, at the time of the initial publication of this work, we did not have constructions of NIZKs from standard lattice assumptions. In this work, we take an initial step toward constructing multi-theorem NIZKs for general $\mathsf{NP}$ languages from standard lattice assumptions by considering a relaxation to the preprocessing model and a new model we call the designated-prover model. In the preprocessing model, a setup algorithm generates secret proving and verification keys for the prover and the verifier, respectively. In the designated-prover model, the proving key is secret, but the verification key is public. In both settings, the proving key is used to construct proofs and the verification key is used to check proofs. Finally, in the multi-theorem setting, both the proving and verification keys should be reusable for an unbounded number of theorems without compromising soundness or zero-knowledge. Previous constructions of NIZKs in the preprocessing model that rely on weaker assumptions like one-way functions or oblivious transfer are only secure in a single-theorem setting. Thus, constructing multi-theorem NIZKs in these relaxed models does not seem to be inherently easier than constructing them in the CRS model. In this work, we first construct a multi-theorem preprocessing NIZK argument from context-hiding homomorphic signatures. In fact, the construction is a designated-prover NIZK. We also show that using homomorphic commitments, we can get statistically sound proofs in the preprocessing and designated-prover models. Together with lattice-based instantiations of homomorphic signatures and commitments, we obtain the first multi-theorem NIZKs in the preprocessing and designated-prover models from standard lattice assumptions. Finally, we show how to generalize our construction to obtain a universally composable NIZK (UC-NIZK) in the preprocessing model from standard lattice assumptions. Our UC-NIZK relies on a simple preprocessing protocol based on a new primitive we call blind homomorphic signatures.

Updated: 2019-04-26