QA-NIZK arguments in asymmetric groups: new tools and new constructions

Abstract

A sequence of recent works have constructed constant-size quasi-adaptive (QA) NIZK arguments of membership in linear subspaces of ^Gm, where ^G is a group equipped with a bilinear map e : G x H --> T. Although applicable to any bilinear group, these techniques are less useful in the asymmetric case. For example, Jutla and Roy (Crypto 2014) show how to do QA aggregation of Groth-Sahai proofs, but the types of equations which can be aggregated are more restricted in the asymmetric setting. Furthermore, there are natural statements which cannot be expressed as membership in linear subspaces, for example the satisfiability of quadratic equations. In this paper we develop specific techniques for asymmetric groups. We introduce a new computational assumption, under which we can recover all the aggregation results of Groth-Sahai proofs known in the symmetric setting. We adapt the arguments of membership in linear spaces of ^Gm to linear subspaces of ^Gm x Hn. In particular, we give a constantsize argument that two sets of Groth-Sahai commitments, defined over different groups ^G; H, open to the same scalars in Zq, a useful tool to prove satisfiability of quadratic equations in Zq. We then use one of the arguments for subspaces in ^Gm x Hn and develop new techniques to give constant-size QA-NIZK proofs that a commitment opens to a bit-string. To the best of our knowledge, these are the first constant-size proofs for quadratic equations in Zq under standard and falsifiable assumptions. As a result, we obtain improved threshold Groth-Sahai proofs for pairing product equations, ring signatures, proofs of membership in a list, and various types of signature schemes.