In a non-interactive zero-knowledge (NIZK) proof, a prover can non-interactively convince a verifier of a statement without revealing any additional information. A useful relaxation of NIZK is a designated verifier NIZK (DV-NIZK) proof, where proofs are verifiable only by a designated party in possession of a verification key. A crucial security requirement of DV-NIZKs is unbounded-soundness, which guarantees soundness even if the verification key is reused for multiple statements. Most known DV-NIZKs (except standard NIZKs) for \(\mathbf{NP} \) do not have unbounded-soundness. Existing DV-NIZKs for \(\mathbf{NP} \) satisfying unbounded-soundness are based on assumptions which are already known to imply standard NIZKs. In particular, it is an open problem to construct (DV-)NIZKs from weak paring-free group assumptions such as decisional Diffie–Hellman (DH). As a further matter, all constructions of (DV-)NIZKs from DH type assumptions (regardless of whether it is over a paring-free or paring group) require the proof size to have a multiplicative-overhead \(|C| \cdot \mathsf {poly}(\kappa )\), where |C| is the size of the circuit that computes the \(\mathbf{NP} \) relation. In this work, we make progress of constructing DV-NIZKs from DH-type assumptions that are not known to imply standard NIZKs. Our results are summarized as follows:

• DV-NIZKs for \(\mathbf{NP} \) from the computational DH assumption over pairing-free groups. This is the first construction of such NIZKs on pairing-free groups and resolves the open problem posed by Kim and Wu (CRYPTO’18).

• DV-NIZKs for \(\mathbf{NP} \) with proof size \(|C|+\mathsf {poly}(\kappa )\) from the computational DH assumption over specific pairing-free groups. This is the first DV-NIZK that achieves a compact proof from a standard DH type assumption. Moreover, if we further assume the \(\mathbf{NP} \) relation to be computable in \(\mathbf{NC} ^1\) and assume hardness of a (non-static) falsifiable DH type assumption over specific pairing-free groups, the proof size can be made as small as \(|w| + \mathsf {poly}(\kappa )\).

在非交互式零知识 (NIZK) 证明中，证明者可以在不透露任何其他信息的情况下以非交互式方式说服验证者的陈述。NIZK 的一个有用的放松是指定验证者 NIZK (DV-NIZK) 证明，其中证明只能由拥有验证密钥的指定方进行验证。DV-NIZK 的一个关键安全要求是无界健全性，即使验证密钥被重复用于多个语句，它也能保证健全性。大多数已知的用于\(\mathbf{NP} \) 的DV-NIZK（标准 NIZK 除外）都没有无限健全性。\(\mathbf{NP} \) 的现有 DV-NIZK满足无界健全性基于已知暗示标准 NIZK 的假设。特别是，从弱无配对组假设（例如决策性 Diffie-Hellman (DH)）构建 (DV-)NIZK 是一个悬而未决的问题。此外，来自 DH 类型假设的 (DV-)NIZK 的所有构造（无论它是在无配对还是配对组上）都需要证明大小具有乘法开销\(|C| \cdot \ mathsf {poly}(\kappa )\)，其中 | C | 是计算\(\mathbf{NP} \)关系的电路的大小。在这项工作中，我们从不知道暗示标准 NIZK 的 DH 类型假设构建 DV-NIZK 取得了进展。我们的结果总结如下：

• \(\mathbf{NP} \) 的DV-NIZKs来自无配对组的计算 DH 假设。这是在无配对组上首次构建此类 NIZK，并解决了 Kim 和 Wu (CRYPTO'18) 提出的开放问题。

• \(\mathbf{NP} \) 的DV-NIZK ，证明大小\(|C|+\mathsf {poly}(\kappa )\)来自特定无配对组的计算 DH 假设。这是第一个从标准 DH 类型假设获得紧凑证明的 DV-NIZK。此外，如果我们进一步假设\(\mathbf{NP} \)关系在\(\mathbf{NC} ^1\) 中是可计算的，并假设在特定配对上的（非静态）可证伪 DH 类型假设的硬度 -自由组，证明大小可以小到\(|w| + \mathsf {poly}(\kappa )\)。