Compact Designated Verifier NIZKs from the CDH Assumption Without Pairings

Abstract

In a non-interactive zero-knowledge (NIZK) proof, a prover can non-interactively convince a verifier of a statement without revealing any additional information. A useful relaxation of NIZK is a designated verifier NIZK (DV-NIZK) proof, where proofs are verifiable only by a designated party in possession of a verification key. A crucial security requirement of DV-NIZKs is unbounded-soundness, which guarantees soundness even if the verification key is reused for multiple statements. Most known DV-NIZKs (except standard NIZKs) for \(\mathbf{NP} \) do not have unbounded-soundness. Existing DV-NIZKs for \(\mathbf{NP} \) satisfying unbounded-soundness are based on assumptions which are already known to imply standard NIZKs. In particular, it is an open problem to construct (DV-)NIZKs from weak paring-free group assumptions such as decisional Diffie–Hellman (DH). As a further matter, all constructions of (DV-)NIZKs from DH type assumptions (regardless of whether it is over a paring-free or paring group) require the proof size to have a multiplicative-overhead \(|C| \cdot \mathsf {poly}(\kappa )\), where |C| is the size of the circuit that computes the \(\mathbf{NP} \) relation. In this work, we make progress of constructing DV-NIZKs from DH-type assumptions that are not known to imply standard NIZKs. Our results are summarized as follows:

• DV-NIZKs for \(\mathbf{NP} \) from the computational DH assumption over pairing-free groups. This is the first construction of such NIZKs on pairing-free groups and resolves the open problem posed by Kim and Wu (CRYPTO’18).

• DV-NIZKs for \(\mathbf{NP} \) with proof size \(|C|+\mathsf {poly}(\kappa )\) from the computational DH assumption over specific pairing-free groups. This is the first DV-NIZK that achieves a compact proof from a standard DH type assumption. Moreover, if we further assume the \(\mathbf{NP} \) relation to be computable in \(\mathbf{NC} ^1\) and assume hardness of a (non-static) falsifiable DH type assumption over specific pairing-free groups, the proof size can be made as small as \(|w| + \mathsf {poly}(\kappa )\).

Appendices

Transformation from DV-NIWI into Multi-theorem DV-NIZK

In this section, we prove Theorem 2.13. That is, we show that we can convert DV-NIWI into (multi-theorem) DV-NIZK additionally assuming pseudorandom generators.

First, we recall the definition of pseudorandom generators.

Definition A.1

(Pseudorandom Generators) Let \(n = n(\kappa )\) and \(m = m(\kappa )\) be positive integer valued functions such that \(m > n\). A function \(\mathsf {PRG}: \{ 0,1 \} ^n \rightarrow \{ 0,1 \} ^{m}\) is called a pseudorandom generator (PRG) if \(\mathsf {PRG}\) is polynomial time computable and for every efficient algorithm \({\mathcal {A}}\) we have the following:

$$\begin{aligned} \left| \Pr \left[ 1 \leftarrow {\mathcal {A}}(1^\kappa , \mathsf {PRG}(x)) : x \overset{\mathsf {\scriptscriptstyle \$}}{\leftarrow } \{ 0,1 \} ^n \right] - \Pr \left[ 1 \leftarrow {\mathcal {A}}(1^\kappa , y) : y \overset{\mathsf {\scriptscriptstyle \$}}{\leftarrow } \{ 0,1 \} ^m \right] \right| \le \mathsf {negl}(\kappa ). \end{aligned}$$

Then, we give a proof of Theorem 2.13 in the following.

Proof of Theorem 2.13

We construct DV-NIZK proof \(\Pi _{\mathsf {zk}} \mathrel {\mathop :}=(\mathsf {Setup},\mathsf {Prove},\mathsf {Verify})\) for \({\mathcal {L}}\) based on a PRG \(\mathsf {PRG}(\cdot ): \{0,1\}^{n} \rightarrow \{0,1\}^{2n}\) and DV-NIWI proof \(\Pi _{\mathsf {wi}} \mathrel {\mathop :}=(\mathsf {WI}.\mathsf {Setup},\mathsf {WI}.\mathsf {Prove},\mathsf {WI}.\mathsf {Verify})\) for a language

$$\begin{aligned} {\mathcal {L}}^{\vee } \mathrel {\mathop :}=\{(x,\sigma ): \exists w\text {~s.t.~}(x,w)\in {\mathcal {R}}\vee \exists \mathsf {seed}\in \{0,1\}^{n}\text {~s.t.~}\mathsf {PRG}(\mathsf {seed})=\sigma \} \end{aligned}$$

where \({\mathcal {R}}\) is the corresponding relation to \({\mathcal {L}}\). The construction of \(\Pi _{\mathsf {zk}}\) is described below.

• \(\mathsf {Setup}(1^\kappa )\): This algorithm samples \((\mathsf {wi}.\mathsf {crs},\mathsf {wi}.k_\mathsf{V}) \leftarrow \mathsf {WI}.\mathsf {Setup}(1^\kappa )\) and \(\sigma \overset{\mathsf {\scriptscriptstyle \$}}{\leftarrow } \{0,1\}^{2n}\). It sets \(\mathsf {crs}\mathrel {\mathop :}=(\mathsf {wi}.\mathsf {crs},\sigma )\) and \(k_\mathsf{V}\mathrel {\mathop :}=\mathsf {wi}.k_\mathsf{V}\) and outputs \((\mathsf {crs},k_\mathsf{V})\).

• \(\mathsf {Prove}(\mathsf {crs}, x, w) \rightarrow \pi \): This algorithm generates \(\mathsf {wi}.\pi \leftarrow \mathsf {WI}.\mathsf {Prove}(\mathsf {wi}.\mathsf {crs},(x,\sigma ),w)\) and outputs a proof \(\pi \mathrel {\mathop :}=\mathsf {wi}.\pi \).

• \(\mathsf {Verify}(\mathsf {crs}, k_\mathsf{V}, x, \pi ) \rightarrow \top \text { or }\bot \): This algorithm parses \(\mathsf {crs}= (\mathsf {wi}.\mathsf {crs},\sigma )\), \(k_\mathsf{V}= \mathsf {wi}.k_\mathsf{V}\), and \( \pi = \mathsf {wi}.\pi \) and outputs \(\mathsf {WI}.\mathsf {Verify}(\mathsf {wi}.\mathsf {crs}, \mathsf {wi}. k_\mathsf{V},(x,\sigma ),\mathsf {wi}.\pi )\).

Lemma A.2

\(\Pi _\mathsf {zk}\) satisfies completeness.

Proof

The completeness clearly follows from the completeness of \(\Pi _\mathsf {wi}\). \(\square \)

Lemma A.3

\(\Pi _\mathsf {zk}\) satisfies soundness.

Proof

By simple counting argument, \(\sigma \overset{\mathsf {\scriptscriptstyle \$}}{\leftarrow } \{0,1\}^{2n}\) is not in the range of \( \mathsf {PRG}\) except probability \(2^{-n}\) since the seed length is n. Therefore, except negligible probability, there does not exist \(\mathsf {seed}\in \{0,1\}^n\) such that \(\mathsf {PRG}(\mathsf {seed}) = \sigma \). That is, except negligible probability, \((x,w) \notin {\mathcal {L}}^{\vee }\) since \(x \notin {\mathcal {L}}\). By the soundness of \(\Pi _{\mathsf {wi}}\), the soundness of \(\Pi _{\mathsf {zk}}\) follows. \(\square \)

Lemma A.4

\(\Pi _\mathsf {zk}\) satisfies (adaptive multi-theorem) zero-knowledge.

Proof

We construct a simulator \(\mathsf {zk}.{\mathcal {S}}= (\mathsf {zk}.{\mathcal {S}}_1,\mathsf {zk}.{\mathcal {S}}_2)\) as follows.

• \(\mathsf {zk}.{\mathcal {S}}_1 (1^\kappa )\): It works as follows.

  1. 1.

     Runs \((\mathsf {wi}.\mathsf {crs},\mathsf {wi}.k_\mathsf{V}) \leftarrow \mathsf {WI}.\mathsf {Setup}(1^\kappa )\)

  2. 2.

     Samples \(\mathsf {seed} \overset{\mathsf {\scriptscriptstyle \$}}{\leftarrow } \{0,1\}^{n}\) and computes \(\sigma \mathrel {\mathop :}=\mathsf {PRG}(\mathsf {seed})\).

  3. 3.

     Outputs \(\mathsf {crs}\mathrel {\mathop :}=(\mathsf {wi}.\mathsf {crs},\sigma )\), \(k_\mathsf{V}\mathrel {\mathop :}=\mathsf {wi}.k_\mathsf{V}\), and \(\tau _\mathsf{V}\mathrel {\mathop :}=\mathsf {seed}\).

• \(\mathsf {zk}.{\mathcal {S}}_2 (\mathsf {crs},{\widetilde{k}}_\mathsf{V},\tau _\mathsf{V},x_i)\): It works as follows.

  1. 1.

     Runs \(\mathsf {wi}.\pi _\mathsf {seed}\leftarrow \mathsf {WI}.\mathsf {Prove}(\mathsf {wi}.\mathsf {crs},(x_i,\sigma ),\mathsf {seed})\). That is, \(\mathsf {zk}.{\mathcal {S}}_2\) uses \(\mathsf {seed}\) as a witness for \({\mathcal {L}}^{\vee }\). This is a valid witness since \(\mathsf {PRG}(\mathsf {seed})=\sigma \) by the definition of \(\mathsf {zk}.{\mathcal {S}}_1\) above.

  2. 2.

     Outputs \(\pi _i \mathrel {\mathop :}=\mathsf {wi}.\pi _\mathsf {seed}\).

In the following, we prove that the simulated proofs are indistinguishable from real ones. Suppose that \({\mathcal {A}}\) distinguishes simulated and real proofs. Then, we construct a distinguisher \({\mathcal {B}}\) that breaks the witness indistinguishability of \(\Pi _\mathsf {wi}\) as follows.

• \({\mathcal {B}}(1^\kappa ,\mathsf {wi}.\mathsf {crs},\mathsf {wi}.k_\mathsf{V})\): It works as follows.

  1. 1.

     Samples \(\mathsf {seed} \overset{\mathsf {\scriptscriptstyle \$}}{\leftarrow } \{0,1\}^{n}\), sets \(\sigma \mathrel {\mathop :}=\mathsf {PRG}(\mathsf {seed})\), \(\mathsf {crs}\mathrel {\mathop :}=(\mathsf {wi}.\mathsf {crs}, \sigma )\) and \(k_\mathsf{V}\mathrel {\mathop :}=\mathsf {wi}.k_\mathsf{V}\), and runs \({\mathcal {A}}\) on input \((\mathsf {crs},k_\mathsf{V})\).

  2. 2.

     When \({\mathcal {A}}\) queries \((x_i,w_i) \in {\mathcal {R}}\) to its oracle, \({\mathcal {B}}\) queries \(((x_i,\sigma ),w_i, \mathsf {seed})\) to its own oracle to get \(\mathsf {wi}.\pi _i\) and returns \(\mathsf {wi}.\pi _i\) to \({\mathcal {A}}\) as a response by the oracle.

  3. 3.

     Finally, outputs whatever \({\mathcal {A}}\) outputs.

This completes the description of \({\mathcal {B}}\). First, we remark that \(\mathsf {wi}.\pi _i\ne \bot \) in each query since both \(w_i\) and \(\mathsf {seed}\) are valid witness for \((x_i,\sigma )\in {\mathcal {L}}^{\vee }\). Then, it is easy to see that \({\mathcal {B}}\) perfectly simulates the experiment where \({\mathcal {A}}\) gets real proofs if the coin chosen in the witness indistinguishability experiment \({\mathcal {B}}\) is involved is equal to 0, and \({\mathcal {B}}\) perfectly simulates the experiment where \({\mathcal {A}}\) gets simulated proofs otherwise. Therefore, if \({\mathcal {A}}\) distinguishes real and simulated proofs, then \({\mathcal {B}}\) breaks the witness indistinguishability of \(\Pi _\mathsf {wi}\). This completes the proof of Lemma A.4. \(\square \)

Proof of Lemma 3.25

Here, we give a proof of Lemma 3.25

Proof of Lemma 3.25

Our construction runs \(\ell '\)-parallel repetition of the base proof system by reusing the same s for all instances. For each instance, the relaxed zero-knowledge property ensures the witness indistinguishability noting that s is randomly chosen by the proving algorithm. The witness indistinguishability of the whole proof system then follows from a straightforward hybrid argument by observing that one can generate a proof for each instance of the underlying base proof system publicly given a witness. We provide the formal proof below.

First, we remark that we can assume that an adversary against the witness indistinguishability makes only one query without loss of generality as remarked in Remark 2.12.

We define hybrid games \(\mathsf {Game}_j\) for \(j=0,1,...,\ell '\) for an adversary \({\mathcal {A}}\).

• \(\mathsf {Game}_j\): This game is described as follows:

  1. 1.

     The challenger generates \((\mathsf {crs}_j,k_\mathsf{V}^{(j)}) \leftarrow \mathsf {bP}.\mathsf {Setup}(1^\kappa )\) for \(j\in [\ell ^{\prime }]\), and sets \(\mathsf {crs}\mathrel {\mathop :}=\mathsf {crs}_1\Vert \cdots \Vert \mathsf {crs}_{\ell ^{\prime }}\) and \(k_\mathsf{V}\mathrel {\mathop :}=k_\mathsf{V}^{(1)}\Vert \cdots \Vert k_\mathsf{V}^{(\ell ^{\prime })}\).

  2. 2.

     \({\mathcal {A}}\) is given \((\mathsf {crs},k_\mathsf{V})\) and outputs \((x,w_0,w_1)\).

  3. 3.

     The challenger chooses \(s \overset{\mathsf {\scriptscriptstyle \$}}{\leftarrow } \{0,1\}^{\ell _{\mathsf {hrs}}}\), generates \(\pi _i^{(1)} \leftarrow \mathsf {bP}.\mathsf {Prove}(\mathsf {crs}_i,x,w_1,s)\) for \(i \le j\) and \(\pi _i^{(0)} \leftarrow \mathsf {bP}.\mathsf {Prove}(\mathsf {crs}_i,x,w_0,s)\) for \(i > j\), and sets \(\pi \mathrel {\mathop :}=(\pi _1^{(1)},\ldots ,\pi _j^{(1)},\pi _{j+1}^{(0)},\ldots ,\pi _{\ell ^{\prime }}^{(0)})\).

  4. 4.

     \({\mathcal {A}}\) is given \(\pi \). The game outputs as \({\mathcal {A}}\) outputs.

What we need to prove is \(|\Pr [\mathsf {Game}_0=1]-\Pr [\mathsf {Game}_{\ell '}=1]|\le \mathsf {negl}(\kappa )\). For proving this, we prove \(|\Pr [\mathsf {Game}_{j-1}=1]-\Pr [\mathsf {Game}_{j}=1]|\le \mathsf {negl}(\kappa )\) for \(j=1,...,\ell '\), which immediately implies the above and completes the proof. To do so, we define auxiliary hybrid games \(\widetilde{\mathsf {Game}}_{j}\) as follows.

• \(\widetilde{\mathsf {Game}}_j\): This game is described as follows:

  1. 1.

     The challenger generates \((\mathsf {crs}_i,k_\mathsf{V}^{(i)}) \leftarrow \mathsf {bP}.\mathsf {Setup}(1^\kappa )\) for \(i \in [\ell ^{\prime }] {\setminus } \{j+1\}\) and \((\mathsf {crs}_j,k_\mathsf{V}^{(j+1)},\tau _\mathsf{V}^{(j+1)})\leftarrow \mathsf {bP}.{\mathcal {S}}_1(1^{\kappa })\) and sets \(\mathsf {crs}\mathrel {\mathop :}=\mathsf {crs}_1\Vert \cdots \Vert \mathsf {crs}_{\ell ^{\prime }}\) and \(k_\mathsf{V}\mathrel {\mathop :}=k_\mathsf{V}^{(1)}\Vert \cdots \Vert k_\mathsf{V}^{(\ell ^{\prime })}\).

  2. 2.

     \({\mathcal {A}}\) is given \((\mathsf {crs},k_\mathsf{V})\) and outputs \((x,w_0,w_1)\).

  3. 3.

     The challenger generates \((\pi _{j+1},s)\leftarrow \mathsf {bP}.{\mathcal {S}}_2(\tau _\mathsf{V}^{(j+1)},x)\), \(\pi _i \leftarrow \mathsf {bP}.\mathsf {Prove}(\mathsf {crs}_i,x,w_1,s)\) for \(i < j+1\), and \(\pi _i \leftarrow \mathsf {bP}.\mathsf {Prove}(\mathsf {crs}_i,x,w_0,s)\) for \(i > j+1\) and sets \(\pi \mathrel {\mathop :}=(\pi _1^{(1)},\ldots ,\pi _{j}^{(1)}, \pi _{j+1}, \pi _{j+2}^{(0)},\ldots ,\pi _{\ell ^{\prime }}^{(0)})\).

  4. 4.

     \({\mathcal {A}}\) is given \(\pi \). The game outputs as \({\mathcal {A}}\) outputs.

Then, we prove the following claims.

Claim B.1

If \(\mathsf {bP}\) satisfies the relaxed ZK defined in Definition 3.6, then we have \(|\Pr [\mathsf {Game}_{j-1}=1]-\Pr [\widetilde{\mathsf {Game}}_{j-1}=1]|\le \mathsf {negl}(\kappa )\).

Proof

We construct a distinguisher \({\mathcal {B}}\) for the relaxed zero-knowledge described in Definition 3.6 of the base proof system \(\mathsf {bP}\) by using a distinguisher \({\mathcal {D}}\) of \(\mathsf {Game}_{j-1}\) and \(\widetilde{\mathsf {Game}}_{j-1}\).

• \({\mathcal {B}}(1^\kappa ,\mathsf {crs}^*,k_\mathsf{V}^*)\): This algorithm does the following:

  1. 1.

     Generates \((\mathsf {crs}_i,k_\mathsf{V}^{(i)}) \leftarrow \mathsf {bP}.\mathsf {Setup}(1^\kappa )\) for \(i \in [\ell ^{\prime }] {\setminus } \{j\}\) and sets \(\mathsf {crs}\mathrel {\mathop :}= \mathsf {crs}_1\Vert \cdots \Vert \mathsf {crs}_{j-1}\Vert \mathsf {crs}^* \Vert \mathsf {crs}_{j+1}\Vert \cdots \Vert \mathsf {crs}_{\ell ^{\prime }}\) and \(k_\mathsf{V}\mathrel {\mathop :}=k_\mathsf{V}^{(1)} \Vert \cdots \Vert k_\mathsf{V}^{(j-1)} \Vert k_\mathsf{V}^* \Vert k_\mathsf{V}^{(j+1)} \Vert \cdots \Vert k_\mathsf{V}^{(\ell ^{\prime })}\).

  2. 2.

     Sends \((\mathsf {crs},k_\mathsf{V})\) to \({\mathcal {A}}\) and \({\mathcal {A}}\) outputs \((x,w_0,w_1)\).

  3. 3.

     Sends \((x,w_{0})\) to the challenger of the experiment of relaxed zero-knowledge in Definition 3.6, and receives \((\pi ^* ,s)\) of \(\mathsf {bP}\) and does the following.

     • \(\bullet \) For \(i < j\), \({\mathcal {B}}\) generates \(\pi _i^{(1)} \leftarrow \mathsf {bP}.\mathsf {Prove}(\mathsf {crs}_i,x,w_1,s)\).

     • \(\bullet \) For \(i > j\), \({\mathcal {B}}\) generates \(\pi _i^{(0)} \leftarrow \mathsf {bP}.\mathsf {Prove}(\mathsf {crs}_i,x,w_0,s)\).

     • \(\bullet \) For \(i=j\), \({\mathcal {B}}\) sets \(\pi _j \mathrel {\mathop :}=\pi ^*\).

  4. 4.

     Sends \(\pi \mathrel {\mathop :}=(\pi _1^{(1)},\ldots ,\pi _{j-1}^{(1)},\pi ^*,\pi _{j+1}^{(0)},\ldots ,\pi _{\ell ^{\prime }}^{(0)},s)\) to \({\mathcal {A}}\).

  5. 5.

     Outputs as \({\mathcal {A}}\) outputs.

If \((\mathsf {crs}^*,k_\mathsf{V}^*)\) and \((\pi ^*, s)\) are outputs of \(\mathsf {bP}.\mathsf {Setup}(1^\kappa )\) and \(\mathsf {bP}.\mathsf {Prove}(\mathsf {crs},x,w_{0},s)\), then \({\mathcal {B}}\) perfectly simulates \(\mathsf {Game}_{j-1}\). If \((\mathsf {crs}^*,k_\mathsf{V}^*)\) and \((\pi ^* ,s)\) are outputs of \(\mathsf {bP}.{\mathcal {S}}_1 (1^\kappa )\) and \(\mathsf {bP}.{\mathcal {S}}_2 (\mathsf {crs},k_\mathsf{V},\tau _\mathsf{V},x)\), then \({\mathcal {B}}\) perfectly simulates \(\widetilde{\mathsf {Game}}_{j-1}\). Therefore, if \({\mathcal {A}}\) distinguishes these two hybrid games, then \({\mathcal {B}}\) can break the zero-knowledge in Lemma 3.17. This complete the proof of Claim B.1. \(\square \)

Claim B.2

If \(\mathsf {bP}\) satisfies the relaxed ZK defined in Definition 3.6, then we have \(|\Pr [\widetilde{\mathsf {Game}}_{j-1}=1]-\Pr [\mathsf {Game}_{j}=1]|\le \mathsf {negl}(\kappa )\).

Proof

We can prove this similarly to Claim B.1. \(\square \)

By combining Claims B.1 and B.2, we have \(|\Pr [\mathsf {Game}_{j-1}=1]-\Pr [\mathsf {Game}_{j}=1]|\le \mathsf {negl}(\kappa )\) and thus we have \(|\Pr [\mathsf {Game}_0=1]-\Pr [\mathsf {Game}_{\ell '}=1]|\le \mathsf {negl}(\kappa )\) by a hybrid argument. This completes the proof of Lemma 3.25. \(\square \)

DV-NIZK for Leveled Relations with Sublinear Proof Size

Here, we give variants of our compact DV-NIZK whose proof size is sublinear in the size of the circuit that computes the \(\mathbf{NP} \) relation to prove. This construction only works for \(\mathbf{NP} \) languages with “leveled” relation, which is a relation that can be expressed by a leveled circuit, i.e., a circuit whose gates are divided into L levels, and all incoming wires to a gate of level \(i+1\) come from gates of level i. For this case, the proof size of the scheme becomes \(|w|+|C|/\log \kappa +\mathsf {poly}(\kappa )\).

Leveled Circuits and Relations. First, we define leveled circuits and its “special” levels following [5]. We say that a circuit is a leveled circuit of depth D if its gates are partitioned into \(D+1\) levels, all input gates are of level 0, all output gates are of level \(D+1\), and all incoming wires to a gate of level \(i+1\) come from gates of level i for each \(i\in [D]\). The width at level i is defined to be the number of gates of level i. For a leveled circuit C of depth D, we define a set \({\mathcal {S}}_C\subset \{0,...,D+1\}\) of “special” levels in the following manner. For each \(j\in \{0,...,\lfloor D /\log \kappa \rfloor -1\}\), \({\mathcal {S}}_C\) contains one level i in the interval \([j \log \kappa +1,...,(j+1)\log \kappa ]\) such that the width at level i is the minimum among the width at levels in this interval. (If there exist multiple levels whose width are minimum, we choose the smallest level.) We say that i is a special level if \(i\in {\mathcal {S}}_C\). Let \(\mathsf {pre}(i)\) denote the precedent special level of i, i.e., the maximal \(i'<i\) such that \(i'\in {\mathcal {S}}_C\) (if such \(i'\) does not exist, then we define \(\mathsf {pre}(i)\mathrel {\mathop :}=0\)) and \(L_C\) denote the largest special level of C, i.e., the largest i such that \(i\in {\mathcal {S}}_C\) . It is easy to see that the number of gates of a special level is at most \(|C|/\log \kappa \) since \({\mathcal {S}}_C\) contains levels whose width are the smallest in the corresponding interval of length \(\log \kappa \). For any gate g of a special level \(i\in {\mathcal {S}}_C\), we can compute the output value of g as a function of output values of gates of level \(\mathsf {pre}(i)\). We denote this function by \(\mathsf {EvalfromPre}_g\). Since each special level is at most \(2\log \kappa \) far apart from its precedent special level, \(\mathsf {EvalfromPre}_g\) can be expressed as a circuit of depth at most \(2\log \kappa \). Similarly, we define a function \(\mathsf {EvalfromPre}_\mathsf {out}\) to be a function that computes the output value of C given output values gates of level \(L_C\) as input. Similarly, \(\mathsf {EvalfromPre}_\mathsf {out}\) can be expressed as a circuit of depth at most \(2\log \kappa \).

An \(\mathbf{NP} \) relation \({\mathcal {R}}\subseteq \{0,1\}^*\times \{0,1\}^* \) is said to be a leveled relation if there exists a family \(\{C_{n,m}:\{0,1\}^{n}\times \{0,1\}^{m}\rightarrow \{0,1\}\}\) of leveled circuits such that for \(x\in \{0,1\}^n\) and \(w\in \{0,1\}^m\), we have \(C_{n,m}(x,w)=1\) if and only if \((x,w)\in {\mathcal {R}}\). In the following, we fix n and m, and omit the subscripts n and m from C for notational simplicity. For \(x\in \{0,1\}^{n}\), we let \(\mathsf {SGates}[C(x,\cdot )]\) be the set of all gates of \(C(x,\cdot )\) whose level is a special level. For a gate g of \(C(x,\cdot )\), we let \(s_g\) be the output value of the gate g when \(C(x,\cdot )\) is evaluated on input w. We call \(w'\mathrel {\mathop :}=(w,\{s_g\}_{g\in \mathsf {SGates}[C(x,\cdot )]})\) an expanded witness of w w.r.t. x and C. It is easy to see that we have \(|w'|\le |w|+|C|/\log \kappa \) since \(|\mathsf {SGates}[C(x,\cdot )]|\) is at most \(|C|/\log \kappa \). Then, we define an expanded circuit \(\mathsf {ExpCir}_{C(x,\cdot )}\) for the expanded witness as follows.

• \(\mathsf {ExpCir}_{C(x,\cdot )}(w')\): It parses \((w,\{s_g\}_{g\in \mathsf {SGates}[C(x,\cdot )]})\leftarrow w'\). For all \(i\in {\mathcal {S}}_C\), we denote the output values of gates of level i (in a canonical order) by \(S_i\) and we let \(S_0\mathrel {\mathop :}=w\). For all gates g of a special level \(i\in {\mathcal {S}}_C\), it verifies if \(s_g=\mathsf {EvalfromPre}_g(S_{\mathsf {pre}(i)})\) holds and returns 0 if this does not hold. If all check pass, it outputs \(\mathsf {EvalfromPre}_{\mathsf {out}}(S_{L_{C(x,\cdot )}})\).

It is easy to see that for any \(x\in \{0,1\}^n\), there exists an expanded witness \(w'\) such that \(\mathsf {ExpCir}_{C(x, \cdot )}(w')=1\) if and only if there exists a witness \(w\in \{ 0,1 \} ^m\) such that \(C(x,w)=1\). We can implement \(\mathsf {ExpCir}_{C(x, \cdot )}\) by a circuit of depth at most \(2\log \kappa + \log (|C|/\log \kappa +1)\). This can be seen by observing that \(\mathsf {ExpCir}_{C(x, \cdot )}\) first computes \(\mathsf {EvalfromPre}_g\) for at most \(|C|/\log \kappa \) different g and \(\mathsf {EvalfromPre}_{\mathsf {out}}\), each of which can be computed by a circuit of depth at most \(2\log \kappa \), followed by taking the AND of them. Since the last AND is fan-in at most \(|C|/\log \kappa +1\), this can be implemented by a circuit of depth \(\log (|C|/\log \kappa +1)\) and fan-in 2. Particularly, if \(|C|=\mathsf {poly}(\kappa )\), then there exists a constant c such that \(\mathsf {ExpCir}_{C(x, \cdot )}\) can be computed by a circuit of depth at most \(c \log \kappa \).

Preparation. For our construction of a DV-NIZK with sublinear proof size, we prove the following variant of Lemma 4.6.

Lemma C.1

Let C be a leveled circuit that computes a relation \({\mathcal {R}}\) on \(\{0,1\}^{n}\times \{0,1\}^{m}\), i.e., for \((x,w)\in \{0,1\}^{n}\times \{0,1\}^{m}\), we have \(C(x,w)=1\) if and only if \((x,w)\in {\mathcal {R}}\), and p be an integer larger than |C|. Then, there exists a deterministic algorithm \(\mathsf {Exp}'_{C,x}\) and an arithmetic circuit \({\tilde{C}}'\) on \(\mathbb {Z}_p\) with degree at most \(\kappa ^4\) such that we have

• \(|\mathsf {Exp}'_{C,x}(w)|=|w|+|C|/\log \kappa \) for all \(w\in \{0,1\}^{m}\).

• If \(C(x,w)=1\), then we have \({\tilde{C}}'(x,\mathsf {Exp}'_{C,x}(w))=1 \mod p\).

• For any \(x\in \{0,1\}^{n}\), if there does not exist \(w\in \{0,1\}^{m}\) such that \(C(x,w)=1\), then there does not exist \(w'\) such that \({\tilde{C}}'(x,w')=1 \mod p\)

Proof

We let \(\mathsf {Exp}'_{C,x}(w)\) be the expanded witness defined in the previous paragraph. As already shown, we have \(|\mathsf {Exp}'_{C,x}(w)|=|w|+|C|/\log \kappa \). By the definition, if we let \(\mathsf {Exp}'_{C,x}(w)=(w, \{s_g\}_{g\in \mathsf {SGates}})\), then C(x, w) can be computed as

$$\begin{aligned} \prod _{g\in \mathsf {SGates}} (1-(s_g-\mathsf {EvalfromPre}_g(S_{\mathsf {pre}(i_g)}))^2)\cdot (1-(1- \mathsf {EvalfromPre}_\mathsf {out}(S_{L_{C(x,\cdot )}}))^2) \end{aligned}$$

where \(i_g\) denotes g’s level. By using a similar trick to the one used in the proof of Lemma 4.6, the condition that \(C(x,w)=1\) is equivalent to the condition that

$$\begin{aligned} \sum _{g\in \mathsf {SGates}} (s_g- \mathsf {EvalfromPre}_g(S_{\mathsf {pre}(i_g)}))^2+(1- \mathsf {EvalfromPre}_\mathsf {out}(S_{L_{C(x, \cdot )}}))^2 = 0 \mod p. \end{aligned}$$

Therefore, if we define

$$\begin{aligned}&{\tilde{C}}'(x,w'=(w, \{s_g\}_{g\in \mathsf {SGates}}))\mathrel {\mathop :}=1+ \sum _{g\in \mathsf {SGates}} (s_g- \mathsf {EvalfromPre}_g(S_{\mathsf {pre}(i_g)}))^2 \\&\quad +(1- \mathsf {EvalfromPre}_\mathsf {out}(S_{L_{C(x, \cdot )}}))^2, \end{aligned}$$

then it satisfies the condition required in the lemma. Since the degrees of \(\mathsf {EvalfromPre}_g\) \(\mathsf {EvalfromPre}_\mathsf {out}\) are at most \(\kappa ^2\) as they are implemented by a circuit of depth at most \(2 \log \kappa \), the degree of \({\tilde{C}}'(x,\cdot )\) is at most \(\kappa ^4\) as required. \(\square \)

DV-NIZK with Sublinear Proof Size. Then, we instantiate the construction of DV-NIZK given in Sect. 4.2 with replacing \(\mathsf {Exp}_{C,x}\) and \({\tilde{C}}\) with \(\mathsf {Exp}'_{C,x}\) and \({\tilde{C}}'\), respectively. Security can be proven similarly. The size of \(\mathsf {ct}_{\mathsf {SKE}}=\mathsf {SKE}.\mathsf {Enc}(\mathsf {pp}_{\mathsf {SKE}}, K,\mathsf {Exp}'_{C,x}(w))\) is \(|w|+|C|/\log \kappa +\mathsf {poly}(\kappa )\). Moreover, we note that we still have \(D=\mathsf {poly}(\kappa )\) since the degree of \(f_{x,\mathsf {pp}_{\mathsf {SKE}},\mathsf {ct}}(\cdot )\mathrel {\mathop :}={\tilde{C}}'(x,\mathsf {SKE}.\mathsf {Dec}(\mathsf {pp}_{\mathsf {SKE}},\cdot , \mathsf {ct}))\) is \(\mathsf {poly}(\kappa )\) since the degree of \({\tilde{C}}'\) is at most \(\kappa ^4\) as shown above. Therefore, the sizes of all other components of a proof still remain \(\mathsf {poly}(\kappa )\). In summary, the total proof size is \(|w|+|C|/\log \kappa +\mathsf {poly}(\kappa )\). This completes the proof of Corollary 4.24.