Paper 2013/670

Switching Lemma for Bilinear Tests and Constant-size NIZK Proofs for Linear Subspaces

Charanjit Jutla and Arnab Roy

Abstract

We state a switching lemma for tests on adversarial inputs involving bilinear pairings in hard groups, where the tester can effectively switch the randomness used in the test from being given to the adversary at the outset to being chosen after the adversary commits its input. The switching lemma can be based on any $k$-linear hardness assumptions on one of the groups. In particular, this enables convenient information theoretic arguments in the construction of sequence of games proving security of cryptographic schemes, mimicking proofs and constructions in the random oracle model. As an immediate application, we show that the quasi-adaptive NIZK proofs of Jutla and Roy [AsiaCrypt 2013] for linear subspaces can be further shortened to \emph{constant}-size proofs, independent of the number of witnesses and equations. In particular, under the XDH assumption, a length $$ vector of group elements can be proven to belong to a subspace of rank $$ with a quasi-adaptive NIZK proof consisting of just a single group element. Similar quasi-adaptive aggregation of proofs is also shown for Groth-Sahai NIZK proofs of linear multi-scalar multiplication equations, as well as linear pairing-product equations (equations without any quadratic terms).

Note: Fixed typo in definition of Strong QA-NIZK.