**Stretching Groth-Sahai: NIZK Proofs of Partial Satisfiability**

*Carla Rāfols*

**Abstract: **Groth, Ostrovsky and Sahai constructed a non-interactive Zap for NP-languages by observing that
the common reference string of their proof system for circuit satisfiability admits what they call correlated key generation.
The latter means that it is possible to create from scratch two common reference strings in such a way that it can be publicly verified that at least one of them guarantees perfect soundness while
it is computationally infeasible to tell which one. Their technique also implies that it is possible to have NIWI Groth-Sahai proofs for certain types of equations over bilinear groups in the plain model. We extend the result of Groth, Ostrovsky and Sahai in several directions. Given as input some predicate $P$ computable by some monotone span program over a finite field, we show how to generate a set of common reference strings in such a way that it can be publicly verified that the subset of them which guarantees perfect soundness is accepted by the span program. We give several different flavors of the technique suitable for different applications scenarios and different equation types. We use this to stretch the expressivity of Groth-Sahai proofs and construct NIZK proofs of partial satisfiability of sets of equations in a bilinear group and more efficient Groth-Sahai NIWI proofs without common reference string for a larger class of equation types. Finally, we apply our results to significantly reduce the size of the signatures of the ring signature scheme of Chandran, Groth and Sahai or to have a more efficient proof in the standard model that a commitment opens to an element of a public list.

**Category / Keywords: **cryptographic protocols / Zero-knowledge, Groth-Sahai proofs, distributed cryptography, simulation soundness.

**Original Publication**** (with minor differences): **IACR-TCC-2015

**Date: **received 21 Jan 2015

**Contact author: **carla rafols at rub de

**Available format(s): **PDF | BibTeX Citation

**Version: **20150122:171052 (All versions of this report)

**Short URL: **ia.cr/2015/050

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]