WO2008127428A2 - Efficient non-interactive proof systems for bilinear groups - Google Patents


Info

Publication number
WO2008127428A2
WO2008127428A2 (PCT/US2007/085018)
Authority
WO
WIPO (PCT)
Prior art keywords
group
proof
ciphertext
message
witness
Prior art date
Application number
PCT/US2007/085018
Other languages
French (fr)
Other versions
WO2008127428A3 (en)
Inventor
Jens Groth
Amit Sahai
Original Assignee
The Regents Of The University Of California
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/008 involving homomorphic encryption
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/083 involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L 9/0833 involving conference or group key
    • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L 9/0841 involving Diffie-Hellman or related key agreement protocols
    • H04L 9/0844 with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 9/3066 involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L 9/3073 involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3218 using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H04L 9/3247 involving digital signatures
    • H04L 9/3257 using blind signatures
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/08 Randomization, e.g. dummy operations or using noise
    • H04L 2209/16 Obfuscation or hiding, e.g. involving white box
    • H04L 2209/42 Anonymization, e.g. involving pseudonyms

Definitions

  • the technical field generally relates to cryptographic systems and specifically relates to non-interactive zero-knowledge proofs.
  • Non-interactive zero-knowledge (NIZK) proofs allow a prover to create a proof of membership of an NP language. The proof can be used to convince another that a statement in question belongs to the language, but the zero-knowledge property ensures that the proof will reveal nothing but the truth (or falsity) of the statement.
  • NIZK proofs are fundamental cryptographic primitives used in many constructions, including CCA2-secure cryptosystems, digital signatures, and various cryptographic protocols. Blum, Feldman, and Micali, in Non-interactive zero-knowledge and its applications in the proceedings of STOC '88, pp.
  • commitment schemes are homomorphic and equipped with a bilinear map.
  • the variables in the equations to be proved are replaced with commitments to those variables. Since the commitment schemes are hiding, the equations will no longer be valid.
  • An additional term is introduced by substituting the commitments. Because the additional term is a value which makes the equation true, giving it away preserves witness indistinguishability. If there are many terms, that means that these terms are not unique, and we can randomize these terms so that the equation is still true, but so that we effectively reduce to the case of there being a single term being given away with a unique value.
  • the proof system is used for fair key exchange.
  • the proof system is used in a mix-net.
  • the proof system is used for verifiable encryption.
  • Figure 1 shows a first computer and a second computer provided to a computer network for exchanging encrypted data.
  • Figure 2 is a flow diagram of key generation in a system for verifiable encryption.
  • Figure 3 is a flow diagram of encryption in the system of Figure 2.
  • Figure 4 is a flow diagram of generation of a verification proof of membership in the system of Figure 2.
  • Figure 5 is a flow diagram of decryption in the system of Figure 2.
  • Figure 6 shows a mix-net system wherein a plurality of senders and a plurality of mix-net servers are provided to a network.
  • Figure 7 is a flow diagram of key generation in the system of Figure 6.
  • Figure 8 is a flow diagram of encryption in the system of Figure 6.
  • Figure 9 is a flow diagram of re-randomization in the system of Figure 6.
  • Figure 10 is a flow diagram of an NIZK proof of membership in the system of Figure 6.
  • Figure 11 is a flow diagram showing decryption in the system of Figure 6.
  • G_1, G_2, G_T are descriptions of cyclic groups of order n.
  • Example Embodiment 1 Subgroup decision.
  • the present disclosure includes a general description of the proof techniques as well as three example embodiments that illustrate the use of these techniques.
  • the first example embodiment is based on the composite order groups introduced by Boneh, Goh and Nissim [BGN05].
  • n = pq.
  • G = G_p × G_q, where G_p, G_q are the subgroups of order p and q respectively.
  • Boneh, Goh and Nissim introduce the subgroup decision assumption, which says that it is hard to distinguish a random element from
  • Table 1 Equations over groups with bilinear map.
  • Example Embodiment 2 The symmetric external Diffie-Hellman (SXDH) problem.
  • SXDH: the symmetric external Diffie-Hellman assumption.
  • XDH: external Diffie-Hellman; DDH: decisional Diffie-Hellman.
  • the Symmetric XDH assumption is that the DDH problem is hard in both G_1 and G_2.
  • Example Embodiment 3 The decisional linear assumption (DLIN) problem.
  • the example embodiments illustrate some of the variety of ways bilinear groups can be constructed.
  • We can choose prime order groups or composite order groups, we can have G_1 = G_2 or G_1 ≠ G_2, and we can make various cryptographic assumptions. These three security assumptions have been used in the cryptographic literature to build useful protocols.
  • the techniques presented here yield very efficient witness-indistinguishable proofs.
  • the cost in proof size of each extra equation is constant and independent of the number of variables in the equation.
  • the size of the proofs can be computed by adding the cost, measured in group elements from G_1 or G_2, of each variable and each equation listed in Table 2.
  • See Section 6 for more detailed tables.
  • Table 2 Number of group elements each variable or equation adds to the size of a NIWI proof.
  • Let R be an efficiently computable ternary relation.
  • gk: the setup.
  • x: the statement.
  • w: the witness.
  • L: the language of statements x for which there exists a witness w with (gk, x, w) ∈ R.
  • Without gk this is of course the standard definition of an NP-language. We will, however, be more interested in the case where gk describes a bilinear group.
  • a non-interactive proof system for a relation R with setup includes four probabilistic polynomial time algorithms: a setup algorithm Q, a CRS generation algorithm K, a prover P and a verifier V.
  • the setup algorithm outputs a setup (gk, sk).
  • gk will be a description of a bilinear group.
  • the setup algorithm may output some related information sk, for instance the factorization of the group order.
  • a cleaner case, however, is when sk is just the empty string, meaning the protocol is built on top of the group without knowledge of any trapdoors.
  • the CRS generation algorithm takes (gk, sk) as input and produces a common reference string σ.
  • the prover takes as input (gk, σ, x, w) and produces a proof π.
  • the verifier takes as input (gk, σ, x, π) and outputs 1 if the proof is acceptable and 0 if rejecting the proof.
  • we call (K, P, V) a non-interactive proof system for R with setup Q if it has the completeness and soundness properties described below.
  • Composable zero-knowledge is a strengthening of the usual notion of non- interactive zero-knowledge.
  • a cyclic group G of order n can in a natural way be viewed as a Z_n-module.
  • the equations in Table 1 can be viewed as equations over Z_n-modules with a bilinear map.
  • let R be a finite commutative ring
  • let A_1, A_2, A_T be finite R-modules with a bilinear map f : A_1 × A_2 → A_T
  • A_1 = G_1
  • A_2 = Z_n
  • the Commitment scheme has two types of commitment keys, hiding keys and binding keys.
  • the main assumption that we will be making throughout this disclosure is that the distribution of hiding keys and the distribution of binding keys are computationally indistinguishable.
  • witness-indistinguishability of the present NIWI proofs and later the zero-knowledge property of the present ZK proofs use this property.
  • a hiding key contains (B, ι, p, u_1, ..., u_n) such that
  • the commitment c is therefore perfectly hiding when the randomness is chosen at random from R.
  • a binding key contains (B, ι, p, u_1, ..., u_n) such that ∀i : p(u_i) = 0 and p ∘ ι is non-trivial.
  • the commitment therefore contains the non-trivial information p(c) = p(ι(x)) about x.
  • if p ∘ ι is the identity map on A
  • the commitment is perfectly binding.
  • the map p is not efficiently computable. However, one can imagine scenarios where a secret key will make p efficiently computable and p ∘ ι is the identity map. In this case the commitment scheme is a cryptosystem with p being the decryption operation.
  • Example Embodiment 1 Subgroup decision.
  • Example embodiment 2 SXDH.
  • Example Embodiment 3 DLIN.
  • the DLIN assumption implies that the two types of commitment keys are computationally indistinguishable.
  • In the witness-indistinguishability setting we have hiding commitment keys, so ι_1(A_1) ⊆ ⟨u_1, ..., u_{m'}⟩ and ι_2(A_2) ⊆ ⟨v_1, ..., v_{n'}⟩. We also require that H_1, ..., H_η generate the R-module of matrices H such that u • Hv = 0. As we will see in the next section, these matrices play a role as randomizers in the witness-indistinguishability proof.
  • the (only) computational assumption this disclosure is based on is that the two settings can be set up in a computationally indistinguishable way.
  • the example embodiments show that there are many ways to get such computationally indistinguishable soundness and witness-indistinguishability setups.
  • Example Embodiment 1 Subgroup Decision.
  • the common reference string specifies (n, G, G_T, e, P, U), which is sufficient to describe the entire setup given in this section.
  • the only solution to e(U, HU) = 1 is therefore the trivial H = 0, so we do not need to include any H_i in the common reference string.
  • Example Embodiment 2 SXDH.
  • the common reference string specifies (p, G_1, G_2, G_T, e, P_1, P_2, u_1, u_2, v_1, v_2), where (u_1, u_2) is a commitment key for the group G_1 and (v_1, v_2) is a commitment key for G_2 as described in Section 3.1.
  • B_1 = G_1^2, B_2 = G_2^2, B_T = G_T^4.
  • the map F is defined as follows:
  • p_T ∘ ι_T is the identity map.
  • the symmetric map F is defined by F(x, y) :=
  • the map p_T corresponds to first BBS-decrypting down the columns using the decryption key and then BBS-decrypting along the rows.
  • p_T ∘ ι_T is the identity map.
  • Verification Return 1 if and only if
  • the input includes gk, σ, a list of quadratic equations {(a_i, b_i, Γ_i, t_i)}_{i=1}^{N} and a satisfying witness x, y.
  • ψ := S^T ι_1(a) + S^T Γ^T ι_1(x) + T u.
  • Verification: the input is gk, σ, {(a_i, b_i, Γ_i, t_i)}_{i=1}^{N} and the proof (c, d, {(π_i, ψ_i)}_{i=1}^{N}). For each equation check
  • the size of the common reference string is m' elements in B_1 and n' elements in B_2 in addition to the description of the modules and the maps.
  • the size of the proof is m + N n' elements in B_1 and n + N m' elements in B_2.
  • m' and n' will be small, giving us a proof size that is O(m + n + N) elements in B_1 and B_2.
  • the proof size may thus be smaller than the description of the statement, which can be of size up to N n elements in A_1, N m elements in A_2, N m n elements in R and N elements in A_T.
  • the common reference string will specify commitment schemes to respectively scalars and group elements.
  • the use of the same commitment in the equations is necessary to ensure a consistent choice of x throughout the proof.
  • Example Embodiment 1 Subgroup decision.
  • c_i := X_i + r_i U and d_i := y_i P + s_i U for randomly chosen r_i, s_i.
  • Define L_co to be the set of quadratic equations over Z_n that are unsatisfiable in the order-p subgroups of Z_n, G and G_T.
  • the size of the proof is m + n + N group elements in G, where m is the number of variables in x, n is the number of variables in y and N is the number of equations.
  • Example Embodiment 2 SXDH.
  • π := R^T ι_2(b) + R^T Γ ι_2(y) + R^T Γ S v − T^T v
  • ψ := S^T ι_1(a) + S^T Γ^T ι_1(x) + T u
  • the protocol is a NIWI proof with perfect completeness, perfect soundness and composable witness-indistinguishability for satisfiability of a set of equations over a bilinear group where the SXDH problem is hard.
  • each element in a module includes two group elements from G_1 and G_2 respectively. Table 4 lists the cost of the different types of equations.
  • Table 4 Cost of each variable and equation measured in elements from G 1 and G 2 .
  • Example Embodiment 3 DLIN.
  • Theorem 9: The protocol is a NIWI proof with perfect completeness, perfect soundness and composable witness-indistinguishability for satisfiability of a set of equations over a bilinear group where the DLIN problem is hard.
  • Table 5 Cost of each variable and equation measured in elements from G.
  • Verification: the input is gk, σ, {(a_i, b_i, Γ_i, t_i)}_{i=1}^{N} and the proof (c, d, {(π_i, ψ_i)}_{i=1}^{N}).
  • Simulation string: (σ, τ) := (B_1, B_2, B_T, F, ι_1, p_1, ι_2, p_2, ι_T, p_T, u, v) ← S_1(gk, sk).
  • the input includes gk, σ, a list of quadratic equations {(a_i, b_i, Γ_i, t_i)}_{i=1}^{N} and a satisfying witness x, y.
  • Rewrite the equations as a·y + x·b + f(δ, −t) + x·Γy = 0, where δ is an extra variable that the honest prover sets to 1.
  • each party encrypts the key under the public key of a trusted party. Now both parties exchange their keys. If either party aborts, the other party can call on the trusted party to get his key; however, if both parties act honestly there will be no need to call upon the trusted party. This way, we reduce the burden on the trusted party, which is only invoked in case of protocol breaches.
  • Verifiable encryption can be used to solve this problem.
  • NIZK proofs: given witness-indistinguishable proofs, it is straightforward to construct NIZK proofs. We can therefore use an NIZK proof to prove that we have encrypted a proper key. This NIZK proof suffices for our purpose, since it guarantees the correctness of the encryption, yet reveals nothing else. The present techniques make these NIZK proofs efficient enough to be practical when we set up the cryptosystem in groups with bilinear maps. We therefore get a satisfactory solution to the fair key exchange problem.
  • the NIZK proof system is used to provide verifiable encryption.
  • Figure 1 shows a first computer 101, a second computer 102 provided to a computer network 103 for exchanging encrypted data, and, optionally, a third party computer 105.
  • One of ordinary skill in the art will recognize that one or more of the computers 101 , 102, and 105 can be combined to provide the functionality shown in Figure 1.
  • a message is encrypted in the computer 101 and sent to the second computer 102 where it can be decrypted and displayed, or the second computer 102 can use techniques as described herein to use an NIZK proof of membership for one or more aspects of the encrypted message without decrypting (or even being able to decrypt) the message.
  • a third computer (not shown) is provided as a third party that uses a proof of membership algorithm to verify one or more aspects of the encrypted message without decrypting the message.
  • This allows two parties to exchange information while using a third party to verify one or more aspects of the message without revealing the contents of the message to the third party.
  • the NIZK proof allows two parties to communicate through a third party (e.g., an escrow party) who verifies aspects of the message and/or escrows the messages.
  • FIG. 2 is a flow diagram of key generation in a system for verifiable encryption.
  • Figure 3 is a flow diagram of encryption in the system of Figure 2.
  • Figure 4 is a flow diagram of generation of a verification proof of membership in the system of Figure 2.
  • Figure 5 is a flow diagram of decryption in the system of Figure 2.
  • Verifiable encryption includes key generation, encryption, and verification.
  • the public key is pk = (gk, σ, A, B).
  • Verifying ciphertext and proof: write out the equations as described above and verify the NIWI proof π.
  • FIG. 6 shows a mix-net system wherein a plurality of senders 601 and a plurality of mix-net servers 602 are provided to a network 604.
  • a mix-net takes a set of messages from one or more senders 601 as input and publishes them in random order (e.g., to one or more receivers 603).
  • the message can be decrypted and displayed.
  • the sender of each message is thus hidden among all the other senders, so it provides some degree of anonymity.
  • Mix-nets are for instance used in internet-voting protocols, anonymous broadcast protocols, etc.
  • the goal for the parties is to publish a message without revealing the sender.
  • One place where this is useful is in internet-voting protocols, where voters anonymously publish their votes.
  • a standard way of constructing mix-nets is to use a homomorphic cryptosystem, since such ciphertexts can be rerandomized.
  • the senders encrypt their intended message and send them to the mix-net.
  • the mix-servers one by one take the encrypted messages, permute them and rerandomize them. After they have all rerandomized and permuted the ciphertexts, they use threshold decryption to get the messages out. Provided just one server is honest, the ciphertexts get permuted completely and thus lose their link to the sender. This is what gives us anonymity. It is of course important that the decryption keys are shared between the servers, such that no single server can decrypt the incoming or intermediate ciphertexts.
  • the first mix-server M_1 permutes and re-randomizes the ciphertexts. It also provides an NIZK proof for having permuted and re-randomized correctly (otherwise it would be able to replace some ciphertexts and thus alter the messages).
  • the second mix-server M_2 permutes and re-randomizes the output from M_1. It also provides an NIZK proof for having done this correctly.
  • the mix-servers continue like this until all of them have permuted and re-randomized the ciphertexts. If at least one of the mix-servers is honest the messages have now been permuted and re-randomized so it is impossible to trace them back to the senders. The mix-servers now cooperate to decrypt.
  • Each mix-server permutes and re-randomizes all the ciphertexts that the previous mix-server outputs. It must prove that this has been done correctly. This can be done by creating a permutation network of log N layers. In each layer, we have N/2 pairs of ciphertexts, which can either pass on to the next layer after re-randomization or be swapped and re-randomized. (Any permutation of N elements can be built from N log N swaps/not swaps.)
  • the key operation is therefore an NIZK proof of having swapped or not swapped two ciphertexts.
  • Figure 7 is a flow diagram of key generation in the system of Figure 6.
  • Figure 8 is a flow diagram of encryption in the system of Figure 6.
  • Figure 9 is a flow diagram of re-randomization in the system of Figure 6.
  • Figure 10 is a flow diagram of an NIZK proof of membership in the system of Figure 6.
  • 8.5 Encryption with swap/non-swap NIZK proofs based on SXDH embodiment
  • Encryption with swap/non-swap NIZK proofs includes key generation, encryption, etc.
  • NIZK swap proof: given input ciphertexts (U_1, V_1) and (U_2, V_2) and output ciphertexts (U_1', V_1'), (U_2', V_2') we want to make an NIZK proof for them being swapped or not swapped.
  • Verifying swap proof: verify the NIWI proof (π, ψ) for the equations above.
  • blind signatures: there is a signing server and a set of users. The users should be able to obtain signatures on messages of their choice from the signing server. At the same time, the signing server should not learn which message it is signing. Blind signatures have applications in e-cash and anonymous credentials.
  • the server will have a verification key for a signature scheme as well as a public key for a commitment scheme.
  • the other type of public key will give a perfectly hiding commitment.
  • the blind signature protocol now works as follows. The user commits to his message and sends it to the signing server. The signing server signs this commitment. The user can now take his message and create a WI proof of having a commitment to the message together with a signature on that commitment. Since the commitment is perfectly hiding and the WI proof perfectly witness-indistinguishable, there is no way to link the message and the original input to the server.
  • BBS04 Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In proceedings of CRYPTO '04, LNCS series, volume 3152, pages 41-55, 2004.
  • R: a finite commutative ring (R, +, ·, 0, 1).
  • f, F: bilinear maps f : A_1 × A_2 → A_T and F : B_1 × B_2 → B_T; for vectors, x · y := Σ_{i=1}^{n} f(x_i, y_i).
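The commitment scheme (hiding versus binding keys, the projection p acting as decryption, and equivocation on a hiding key) and the NIWI prover and verifier for an equation a·y + x·b + x·Γy = t (the π, ψ and verification lines above) are worked through below in a toy instantiation. This is an added example and not the patent's own code: it assumes G_1 = G_2 = G_T = (Z_p, +) with "pairing" f(X, Y) = XY mod p, modules B = Z_p^2 and B_T = Z_p^4 with F the outer product, commitment keys shaped as in the SXDH embodiment (u_2 = t·u_1, optionally shifted by (O, P)), and a small modulus P with no cryptographic hardness at all. The names keygen, commit, project, open_to, prove and verify are the example's own.

```python
"""Toy instantiation of the commitment-and-proof algebra (added example, not patent code).

Base groups G_1 = G_2 = G_T = (Z_p, +) with generator 1 and "pairing" f(X, Y) = X*Y mod p,
so a pairing-product equation reads a.y + x.b + x.Gamma.y = t in additive notation.
Modules B_1 = B_2 = Z_p^2, B_T = Z_p^(2x2) stored as a flat 4-list, F = outer product.
Discrete logs are trivial here, so nothing is hard: only the algebra is demonstrated."""
import secrets

P = 1_000_003  # assumed toy prime modulus, not a secure parameter

def rnd(): return secrets.randbelow(P)
def vadd(a, b): return [(s + t) % P for s, t in zip(a, b)]
def vneg(a): return [(-s) % P for s in a]
def iota(x): return [0, x % P]          # iota_1 = iota_2 : G -> B,  X |-> (O, X)
def iota_T(z): return [0, 0, 0, z % P]  # iota_T : G_T -> B_T; F(iota(X), iota(Y)) = iota_T(XY)
def F(x, y): return [(x[i] * y[j]) % P for i in (0, 1) for j in (0, 1)]  # B_1 x B_2 -> B_T
def transpose(M): return [list(col) for col in zip(*M)]

def dot(X, Y):  # X . Y = sum_i F(X_i, Y_i) for two vectors of module elements
    acc = [0, 0, 0, 0]
    for xi, yi in zip(X, Y):
        acc = vadd(acc, F(xi, yi))
    return acc

def lincomb(M, U):  # (M U)_i = sum_j M[i][j] * U[j]: scalar matrix times module vector
    return [[sum(M[i][j] * U[j][k] for j in range(len(U))) % P for k in (0, 1)]
            for i in range(len(M))]

def matmul(A, B):  # scalar matrix product (used for Gamma * S)
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % P for j in range(len(B[0]))]
            for i in range(len(A))]

def vsum(*vecs):  # entrywise sum of several module vectors
    out = vecs[0]
    for v in vecs[1:]:
        out = [vadd(s, t) for s, t in zip(out, v)]
    return out

def keygen(binding):
    """u = (u_1, u_2), v = (v_1, v_2).  Binding: u_2 = t*u_1, so p(u_1) = p(u_2) = 0.
    Hiding: u_2 = t*u_1 - (O, P), so u_1, u_2 span all of B and iota(G) lies in that span."""
    alpha, beta, t1, t2 = rnd(), rnd(), rnd(), rnd()
    u1, v1 = [1, alpha], [1, beta]
    u2, v2 = [t1 * s % P for s in u1], [t2 * s % P for s in v1]
    if not binding:
        u2, v2 = vadd(u2, [0, P - 1]), vadd(v2, [0, P - 1])
    return {"u": [u1, u2], "v": [v1, v2], "alpha": alpha, "beta": beta}

def project(c, alpha):
    """p : B -> G, (c_1, c_2) |-> c_2 - alpha*c_1.  On a binding key p(u_i) = 0 and
    p(iota(x)) = x, so p extracts the committed value: the 'decryption' of the text."""
    return (c[1] - alpha * c[0]) % P

def commit_one(x, r, U):  # iota(x) + sum_j r_j u_j
    return vadd(iota(x), lincomb([r], U)[0])

def commit(xs, U):
    R = [[rnd() for _ in U] for _ in xs]
    return [commit_one(x, R[i], U) for i, x in enumerate(xs)], R

def open_to(c, x_new, U):
    """Hiding key only: solve iota(x_new) + r_1 u_1 + r_2 u_2 = c for (r_1, r_2) by Cramer's
    rule; the determinant of [u_1 u_2] is non-zero exactly when the key is hiding."""
    (a, c1), (b, d) = U
    rhs = vadd(c, vneg(iota(x_new)))
    inv = pow((a * d - b * c1) % P, P - 2, P)
    return [(rhs[0] * d - b * rhs[1]) * inv % P, (a * rhs[1] - c1 * rhs[0]) * inv % P]

def equation_value(a, b, Gamma, xs, ys):  # a.y + x.b + x.Gamma.y in G_T = Z_p
    s = sum(ai * yi for ai, yi in zip(a, ys)) + sum(xi * bi for xi, bi in zip(xs, b))
    s += sum(xs[i] * Gamma[i][j] * ys[j] for i in range(len(xs)) for j in range(len(ys)))
    return s % P

def prove(key, a, b, Gamma, xs, ys):
    """Commit to the witness and output (c, d, pi, psi) with
       pi  = R^T iota(b) + R^T Gamma iota(y) + R^T Gamma S v - T^T v
       psi = S^T iota(a) + S^T Gamma^T iota(x) + T u."""
    U, V = key["u"], key["v"]
    C, R = commit(xs, U)
    D, S = commit(ys, V)
    T = [[rnd(), rnd()], [rnd(), rnd()]]  # randomiser that hides which witness was used
    RT, ST = transpose(R), transpose(S)
    ix, iy = [iota(x) for x in xs], [iota(y) for y in ys]
    pi = vsum(lincomb(RT, [iota(bi) for bi in b]),
              lincomb(RT, lincomb(Gamma, iy)),
              lincomb(RT, lincomb(matmul(Gamma, S), V)),
              [vneg(w) for w in lincomb(transpose(T), V)])
    psi = vsum(lincomb(ST, [iota(ai) for ai in a]),
               lincomb(ST, lincomb(transpose(Gamma), ix)),
               lincomb(T, U))
    return C, D, pi, psi

def verify(key, a, b, Gamma, t, C, D, pi, psi):
    """Accept iff iota(a).d + c.iota(b) + c.Gamma d == iota_T(t) + u.pi + psi.v."""
    lhs = vadd(vadd(dot([iota(ai) for ai in a], D), dot(C, [iota(bi) for bi in b])),
               dot(C, lincomb(Gamma, D)))
    rhs = vadd(vadd(iota_T(t), dot(key["u"], pi)), dot(psi, key["v"]))
    return lhs == rhs
```

With a binding key, project recovers x and y from the commitments, which is the extraction that gives soundness; with a hiding key the same commitment can be opened to any value via open_to, and a proof still verifies, which is the setting in which witness-indistinguishability is argued. The verification identity holds for both key types because it is purely algebraic; only the indistinguishability of the two key distributions is a computational assumption, and in this toy modulus it does not hold.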
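The mix-net round described above (senders encrypt under a shared key, each server re-randomizes and swaps or does not swap pairs of ciphertexts, the servers then decrypt jointly) as an added example that is not the patent's own code. It assumes ElGamal in the order-Q subgroup of Z_P* with toy parameters Q = 509, P = 2Q + 1 = 1019 and generator G = 4 (far too small to be secure), additive n-of-n sharing of the decryption key among the servers, and one swap/no-swap layer per server; the NIZK swap proof itself, which the text builds from the SXDH embodiment, is omitted. All function names are the example's own.

```python
"""Toy mix-net round from re-randomisable ElGamal (added example, not patent code).

Senders encrypt, each server re-randomises and swaps (or does not swap) pairs of
ciphertexts, and the servers decrypt jointly with an n-of-n shared key.
The swap/no-swap NIZK proof of the text is not built here."""
import secrets

Q = 509        # assumed toy parameters: P = 2Q + 1 is a safe prime and G = 4 generates
P = 2 * Q + 1  # the order-Q subgroup of Z_P*; nothing here is a secure size
G = 4

def encode(k):  # messages must lie in the subgroup; encode the integer k as G^k
    return pow(G, k, P)

def keygen_shared(n_servers):
    """Each server holds an additive share of sk; pk = G^sk with sk = sum of shares mod Q,
    so no single server can decrypt incoming or intermediate ciphertexts."""
    shares = [secrets.randbelow(Q) for _ in range(n_servers)]
    return pow(G, sum(shares) % Q, P), shares

def encrypt(pk, m, r=None):
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G, r, P), m * pow(pk, r, P) % P)

def rerandomize(pk, ct, s=None):
    """(G^r, m pk^r) -> (G^(r+s), m pk^(r+s)): a fresh encryption of the same m."""
    s = secrets.randbelow(Q) if s is None else s
    return (ct[0] * pow(G, s, P) % P, ct[1] * pow(pk, s, P) % P)

def swap_layer(pk, cts, bits):
    """One layer of the permutation network: pair (2i, 2i+1) is re-randomised and
    swapped iff bits[i] == 1.  An observer sees only fresh ciphertexts either way."""
    out = []
    for i in range(0, len(cts), 2):
        a, b = rerandomize(pk, cts[i]), rerandomize(pk, cts[i + 1])
        out += [b, a] if bits[i // 2] else [a, b]
    return out

def partial_decrypt(share, ct):
    return pow(ct[0], share, P)

def combine(ct, partials):
    """m = ct[1] / prod_j ct[0]^share_j = ct[1] / ct[0]^sk."""
    denom = 1
    for d in partials:
        denom = denom * d % P
    return ct[1] * pow(denom, P - 2, P) % P

def mix_and_decrypt(pk, shares, cts, layer_bits):
    """Each server applies one swap layer with its own secret bits; afterwards every
    server contributes a partial decryption of every output ciphertext."""
    for bits in layer_bits:
        cts = swap_layer(pk, cts, bits)
    return [combine(ct, [partial_decrypt(sh, ct) for sh in shares]) for ct in cts]
```

The check that rerandomize(encrypt(m, r), s) equals encrypt(m, r + s) is what makes the swap bit unobservable: both output ciphertexts are distributed as fresh encryptions regardless of the bit, so only the server's NIZK proof (not shown) ties the outputs to the inputs. A full mix would compose such layers along fixed wirings to realise an arbitrary permutation.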


Abstract

An apparatus and method for constructing efficient non-interactive zero-knowledge proofs and non-interactive witness-indistinguishable proofs that work directly for groups with a bilinear map is described. Groups with bilinear maps have enjoyed tremendous success in the field of cryptography in recent years and have been used to construct a plethora of protocols. This disclosure provides non-interactive witness-indistinguishable proofs and non-interactive zero-knowledge proofs that can be used in connection with these protocols.

Description

EFFICIENT NON-INTERACTIVE PROOF SYSTEMS FOR BILINEAR GROUPS
Reference to Related Applications
[0001] The present application claims priority from U.S. Provisional Application No. 60/859,875, filed November 17, 2006, titled "METHOD AND APPARATUS FOR EFFICIENT VERIFICATION OF ENCRYPTED DATA," the entire contents of which is hereby incorporated by reference.
Government Interest Statement
[0002] This invention was made with Government support of Grant No. CNS0456717 awarded by the NSF. The Government has certain rights in this invention.
Background
Field of the Invention
[0003] The technical field generally relates to cryptographic systems and specifically relates to non-interactive zero-knowledge proofs.
Description of the Related Art
[0004] Non-interactive zero-knowledge (NIZK) proofs allow a prover to create a proof of membership of an NP language. The proof can be used to convince another that a statement in question belongs to the language, but the zero-knowledge property ensures that the proof will reveal nothing but the truth (or falsity) of the statement. NIZK proofs are fundamental cryptographic primitives used in many constructions, including CCA2-secure cryptosystems, digital signatures, and various cryptographic protocols. Blum, Feldman, and Micali, in Non-interactive zero-knowledge and its applications in the proceedings of STOC '88, pp. 103-112, 1988, introduced the notion of NIZK in the common random string model and showed how to construct computational NIZK proof systems for proving a single statement about any NP language. The first computational NIZK proof system for multiple theorems was constructed by Blum, De Santis, Micali, and Persiano in Noninteractive zero-knowledge in SIAM Journal on Computing, 20(6), pp. 1084-1118, 1991. Both papers based their NIZK systems on certain number-theoretic assumptions (specifically, the hardness of deciding quadratic residues modulo a composite number). Feige, Lapidot, and Shamir in Multiple non-interactive zero knowledge proofs under general assumptions in SIAM Journal on Computing, 29(1), pp. 1-28, 1999, showed how to construct computational NIZK proofs based on a trapdoor permutation. Much research has been devoted to the construction of efficient NIZK proofs, but until now the only known method to do so has been the hidden random bits method, wherein the prover has a string of random bits which are secret to the verifier. By revealing a subset of these bits, and keeping the rest secret, the prover can convince the verifier of the truth of the statement in question.
[0005] Unfortunately, these prior NIZK proofs are all very inefficient. While they have led to interesting theoretical results, such as the construction of public-key encryption secure against chosen-ciphertext attack, they have therefore had no impact in practice.
[0006] It is worthwhile to identify the roots of the inefficiency in the above mentioned NIZK proofs. One drawback is that they were designed with a general NP-complete language in mind, e.g. Circuit Satisfiability. In practice, we want to prove statements such as "the ciphertext c encrypts a signature on the message m" or "the three commitments ca, cb, cc contain messages a, b, c such that c = ab". An NP-reduction of even very simple statements like these requires large circuits containing thousands of gates, and the corresponding NIZK proofs become very large.
Summary
[0007] These and other problems are solved by a system for efficient non-interactive proofs for bilinear groups. In one embodiment, the commitment schemes are homomorphic and equipped with a bilinear map. The variables in the equations to be proved are replaced with commitments to those variables. Since the commitment schemes are hiding, the equations will no longer hold as stated. However, we can extract the additional terms introduced by the randomness of the commitments. If substituting the commitments introduces a single additional term, that term is the unique value which makes the equation true, so giving it away preserves witness indistinguishability. If there are many such terms, they are not unique; we can then randomize them so that the equation still holds, effectively reducing to the case of a single term with a unique value being given away.
[0008] In one embodiment, the proof system is used for fair key exchange.
[0009] In one embodiment, the proof system is used in a mix-net.
[0010] In one embodiment, the proof system is used for verifiable encryption.
Brief Description of the Figures
[0011] Figure 1 shows a first computer and a second computer provided to a computer network for exchanging encrypted data.
[0012] Figure 2 is a flow diagram of key generation in a system for verifiable encryption.
[0013] Figure 3 is a flow diagram of encryption in the system of Figure 2.
[0014] Figure 4 is a flow diagram of generation of a verification proof of membership in the system of Figure 2.
[0015] Figure 5 is a flow diagram of decryption in the system of Figure 2.
[0016] Figure 6 shows a mix-net system wherein a plurality of senders and a plurality of mix-net servers are provided to a network.
[0017] Figure 7 is a flow diagram of key generation in the system of Figure 6.
[0018] Figure 8 is a flow diagram of encryption in the system of Figure 6.
[0019] Figure 9 is a flow diagram of re-randomization in the system of Figure 6.
[0020] Figure 10 is a flow diagram of an NIZK proof of membership in the system of Figure 6.
[0021] Figure 11 is a flow diagram showing decryption in the system of Figure 6.
Description
1 Introduction
[0022] In the following disclosure, for notational convenience we follow the tradition of mathematics and use additive notation for G1 and G2. (Note: In the cryptographic literature it is more common to use multiplicative notation for these groups, since the discrete logarithm problem is believed to be hard in them, which is also important to us. In the present setting, however, it is more convenient to write the binary operations in G1 and G2 additively and to reserve multiplicative notation for the target group of the bilinear map.) We have a probabilistic polynomial time algorithm G that takes a security parameter as input and outputs (n, G1, G2, GT, e, P1, P2) where
• G1, G2, GT are descriptions of cyclic groups of order n.
• The elements P1, P2 generate G1 and G2 respectively.
• e : G1 × G2 → GT is a non-degenerate bilinear map: e(P1, P2) generates GT and e is linear in each of its two arguments.
• We can efficiently compute group operations, compute the bilinear map and decide membership.
[0022] In this disclosure, we develop a general set of highly efficient techniques for proving statements involving bilinear groups. First, we formulate the constructions in terms of modules over commutative rings with an associated bilinear map. This framework captures bilinear groups of cryptographic significance, for both supersingular and ordinary elliptic curves and for groups of both prime and composite order. Second, we consider the mathematical operations that can take place in the context of a bilinear group: addition in G1 and G2, scalar point multiplication, addition or multiplication of scalars, and use of the bilinear map. We also allow both group elements and exponents to be "unknowns" in the statements to be proven.
[0023] With the level of generality herein, it would be easy, for example, to write down a short statement, using the operations above, that encodes "c is an encryption of the value committed to in d under the product of the two keys committed to in a and b", where the encryptions and commitments referred to are existing cryptographic constructions based on bilinear groups. Logical operations like AND and OR are also easy to encode into the framework herein using standard techniques in arithmetization.
[0024] The proof systems we build are non-interactive. This allows them to be used in contexts where interaction is undesirable or impossible. We first build highly efficient witness-indistinguishable proof systems, which are of independent interest. We then show how to transform these into zero-knowledge proof systems. We also provide a detailed examination of the efficiency of the constructions herein in various settings (depending on what type of bilinear group is used).
[0025] The security of constructions arising from the framework herein can be based on any of a variety of computational assumptions about bilinear groups (three of which we discuss in detail here). Thus, the techniques herein do not rely on any one assumption in particular.
[0026] Note that while we want to avoid an expensive NP-reduction, it is still desirable to have a general way to express statements that arise in practice instead of having to construct non-interactive proofs on an ad hoc basis. A useful observation in this context is that many public-key cryptography protocols are based on finite abelian groups. If we can capture statements that express relations between group elements, then we can express statements that come up in practice such as "the commitments ca, cb, cc contain messages so that c = ab" or "the plaintext of c is a signature on m", as long as those commitment, encryption, and signature schemes work over the same finite group. In this disclosure, we will therefore construct NIWI and NIZK proofs for group-dependent languages.
[0027] The next issue to address is where to find suitable group-dependent languages. We will look at statements related to groups with a bilinear map, which have become widely used in the design of cryptographic protocols. Not only have bilinear groups been used to give new constructions of such cryptographic staples as public-key encryption, digital signatures, and key agreement (see [DBS04] and the references therein), but bilinear groups have enabled the first constructions achieving goals that had never been attained before. The most notable of these is the Identity-Based Encryption scheme of Boneh and Franklin [BF03] (see also [Wat05]), and there are many others, such as Attribute-Based Encryption [SW05, GPSW06], Searchable Public-Key Encryption [BCOP04, BSW06, BW06], and One-time Double-Homomorphic Encryption [BGN05]. For an incomplete list of papers (currently over 200) on the application of bilinear groups in cryptography, see [Bar06].
[0028] We consider equations over variables from G1, G2 and Zn as shown in Table 1. We construct efficient witness-indistinguishable proofs for the simultaneous satisfiability of a set of such equations. The witness-indistinguishable proofs have perfect completeness, and there are two computationally indistinguishable types of common reference strings giving respectively perfect soundness and perfect witness indistinguishability. We refer to Section 1.2 for precise definitions.
[0029] We also consider the question of non-interactive zero-knowledge. We show that we can give zero-knowledge proofs for multi-scalar multiplication in G1 or G2 and for quadratic equations in Zn. We can also give zero-knowledge proofs for pairing product equations with tT = 1. When tT ≠ 1 we can still give zero-knowledge proofs for P1, Q1, ..., Pn, Qn such that
[0030] Example Embodiment 1: Subgroup decision. The present disclosure includes a general description of the proof techniques as well as three example embodiments that illustrate the use of these techniques. The first example embodiment is based on the composite order groups introduced by Boneh, Goh and Nissim [BGN05]. Here we generate a composite order bilinear group (n, G, GT, e, P) where n = pq. We can write G = Gp × Gq, where Gp, Gq are the subgroups of order p and q respectively. Boneh, Goh and Nissim introduce the subgroup decision assumption, which says that it is hard to distinguish a random element from G from a random element from Gq. In this disclosure, we will demonstrate that, assuming the hardness of the subgroup decision problem, there exists a witness-indistinguishable proof for satisfiability of a set of equations from Table 1 in the subgroup Gp and the order-p subgroup of GT.

Table 1: Equations over groups with bilinear map. (The table is an image in the source and is not reproduced here. Its four equation types, pairing product equations, multi-scalar multiplication in G1, multi-scalar multiplication in G2 and quadratic equations in Zn, are restated in vector form in Section 2.)
[0031] Example Embodiment 2: The symmetric external Diffie-Hellman (SXDH) problem. Let (p, G1, G2, GT, e, P1, P2) be a prime order bilinear group. The external Diffie-Hellman (XDH) assumption is that the decisional Diffie-Hellman (DDH) problem is hard in one of the groups G1 or G2 [Sco02, BBS04, BGdMM05, GR04, Ver04]. The symmetric XDH assumption is that the DDH problem is hard in both G1 and G2. We will construct a witness-indistinguishable proof for satisfiability of a set of equations of the form given in Table 1 under the SXDH assumption.
[0032] Example Embodiment 3: The decisional linear assumption (DLIN) problem. The DLIN assumption for a prime order bilinear group (p, G, GT, e, P), introduced by Boneh, Boyen and Shacham [BBS04], states that given (αP, βP, rαP, sβP, tP) for random α, β, r, s ∈ Zp it is hard to tell whether t = r + s or t is random. Assuming the hardness of the DLIN problem, we show a witness-indistinguishable proof for satisfiability of the equations from Table 1.
[0033] The example embodiments illustrate some of the variety of ways bilinear groups can be constructed. We can choose prime order groups or composite order groups, we can have G1 = G2 or G1 ≠ G2, and we can make various cryptographic assumptions. These three security assumptions have been used in the cryptographic literature to build useful protocols.
[0034] For these three example embodiments, the techniques presented here yield very efficient witness-indistinguishable proofs. In particular, the cost in proof size of each extra equation is constant and independent of the number of variables in the equation. The size of a proof can be computed by adding the cost, measured in group elements from G1 or G2, of each variable and each equation listed in Table 2. We refer to Section 6 for more detailed tables.
Table 2: Number of group elements each variable or equation adds to the size of a NIWI proof. (The table is an image in the source and is not reproduced here.)
Early work on NIZK proofs demonstrated that NP languages have non-interactive proofs but did not yield efficient ones. One cause of these proofs being inefficient in practice was the need for an expensive NP-reduction to e.g. Circuit Satisfiability. Another cause of inefficiency was the reliance on the so-called hidden bits model, which is inefficient even for small circuits. The systems and methods disclosed herein are significantly more general, and vastly more efficient.
[0035] We achieve generality, at least in part, by viewing the groups G1, G2, GT as modules over the ring Zn. The ring Zn itself can also be viewed as a Zn-module. We therefore look at the more general question of satisfiability of quadratic equations over Zn-modules A1, A2, AT with a bilinear map, see Section 2 for details. Since many bilinear groups with various cryptographic assumptions and various mathematical properties can be viewed as modules, we are not bound to any particular bilinear group or any particular assumption.
[0036] Given modules A1, A2, AT with a bilinear map, we construct new modules B1, B2, BT, also equipped with a bilinear map, and we map the elements in A1, A2, AT into B1, B2, BT. These will typically be larger modules, which gives us space to hide the elements of A1, A2, AT. More precisely, we devise commitment schemes that map variables from A1, A2, AT to the modules B1, B2, BT. The commitment schemes are homomorphic with respect to the module operations but also with respect to the bilinear map.
[0037] It is instructive to begin with an intuition-based explanation before the more detailed treatment in Section 6 and related sections. Because the commitment schemes herein are homomorphic and we equip them with a bilinear map, we can take the equation we are trying to prove and replace the variables in the equation with commitments to those variables. Since the commitment schemes are hiding, the equation will no longer hold as stated. Intuitively, however, we can extract the additional terms introduced by the randomness of the commitments: if we give away these terms in the proof, then this is a convincing proof of the equation's validity (again, because of the homomorphic properties). But giving away these terms might destroy witness indistinguishability. However, if there is only one "additional term" introduced by substituting the commitments, then, because it would be the unique value which makes the equation true, giving it away preserves witness indistinguishability. If there are many terms, then these terms are not unique, and we can randomize them so that the equation still holds but we effectively reduce to the case of a single term with a unique value being given away.
1.1 Applications
[0038] In one embodiment, we construct ring signatures of sub-linear size using the NIWI proofs in the first example embodiment, which is based on the subgroup decision problem. Groth and Lu [GL07] have used the NIWI and NIZK proofs from example embodiment 3 to construct a NIZK proof for the correctness of a shuffle. Groth [Gro07] has used the NIWI and NIZK proofs from example embodiment 3 to construct a fully anonymous group signature scheme. By attaching NIZK proofs to a semantically secure public-key encryption scheme we get an efficient non-interactive verifiable cryptosystem. This can be used for optimistic fair exchange, where two parties use a trusted but lazy third party to guarantee fairness.
1.2 Non-interactive Witness-Indistinguishable Proofs
[0039] Let R be an efficiently computable ternary relation. For triplets (gk, x, w) ∈ R we call gk the setup, x the statement and w the witness. Given some gk we let L be the language consisting of statements x for which there exists a witness w with (gk, x, w) ∈ R. For a relation that ignores gk this is of course the standard definition of an NP-language. We will, however, be more interested in the case where gk describes a bilinear group.
[0040] A non-interactive proof system for a relation R with setup consists of four probabilistic polynomial time algorithms: a setup algorithm G, a CRS generation algorithm K, a prover P and a verifier V. The setup algorithm outputs a setup (gk, sk). In the present disclosure, gk will be a description of a bilinear group. The setup algorithm may output some related information sk, for instance the factorization of the group order. A cleaner case, however, is when sk is just the empty string, meaning the protocol is built on top of the group without knowledge of any trapdoors. The CRS generation algorithm takes (gk, sk) as input and produces a common reference string σ. The prover takes as input (gk, σ, x, w) and produces a proof π. The verifier takes as input (gk, σ, x, π) and outputs 1 if the proof is acceptable and 0 if it rejects the proof. We call (G, K, P, V) a non-interactive proof system for R with setup G if it has the completeness and soundness properties described below.
[0041] With respect to perfect completeness, for adversaries A we have
(Probability expression is an image in the source and is not reproduced here.)
[0042] With respect to perfect soundness, for adversaries A we have
(Probability expression is an image in the source and is not reproduced here.)
[0043] In the standard definition of soundness given above, the adversary is successful if it creates a valid proof for x ∉ L. We will generalize this notion to what we call co-soundness, where the adversary is successful if it creates a valid proof for x ∈ Lco for some language Lco, which may depend on gk and σ. Standard soundness is the special case of co-soundness with Lco being the complement of L.
[0044] With respect to perfect Lco-soundness, for adversaries A we have
(Probability expression is an image in the source and is not reproduced here.)
[0045] In this disclosure, we will use a strong definition of witness indistinguishability. We introduce a reference string simulator S that generates a simulated CRS. We require that the adversary cannot distinguish a real CRS from a simulated CRS. We also require that on a simulated CRS it is perfectly indistinguishable which witness the prover used.
[0046] In other words, for non-uniform polynomial time adversaries A we have
(Probability expression is an image in the source and is not reproduced here.)
and
(Probability expression is an image in the source and is not reproduced here.)
where we require
(Condition is an image in the source and is not reproduced here.)
[0047] Composable zero-knowledge is a strengthening of the usual notion of non-interactive zero-knowledge. First, we require that an adversary cannot distinguish a real CRS from a simulated CRS. Second, we require that the adversary, even when it gets access to the secret simulation key τ, cannot distinguish real proofs on a simulated CRS from simulated proofs.
[0048] In other words, there exists a polynomial time simulator (S1, S2) so that for non-uniform polynomial time adversaries A we have
(Probability expression is an image in the source and is not reproduced here.)
and
(Probability expression is an image in the source and is not reproduced here.)
where we require that A outputs (gk, x, w) ∈ R.
2 Modules with Bilinear Maps
[0049] Let (R, +, ·, 0, 1) be a finite commutative ring. Recall that an R-module A is an abelian group (A, +, 0) on which the ring acts such that
(Module axioms are an image in the source and are not reproduced here.)
[0050] A cyclic group G of order n can in a natural way be viewed as a Zn-module. We will observe that the equations in Table 1 can be viewed as equations over Zn-modules with a bilinear map. To generalize completely, let R be a finite commutative ring and let A1, A2, AT be finite R-modules with a bilinear map f : A1 × A2 → AT. We will consider quadratic equations over variables x_1, ..., x_m ∈ A1, y_1, ..., y_n ∈ A2 of the form

$$\sum_{j=1}^{n} f(a_j, y_j) + \sum_{i=1}^{m} f(x_i, b_i) + \sum_{i=1}^{m}\sum_{j=1}^{n} \gamma_{ij}\, f(x_i, y_j) = t .$$

[0051] In order to simplify notation, let us for x_1, ..., x_n ∈ A1, y_1, ..., y_n ∈ A2 define

$$x \cdot y = \sum_{i=1}^{n} f(x_i, y_i) .$$

The equations can now be written as

$$a \cdot y + x \cdot b + x \cdot \Gamma y = t .$$

We note for future use that due to the bilinear properties of f, we have for any matrix Γ ∈ Mat_{m×n}(R) and for any x_1, ..., x_m, y_1, ..., y_n that x · Γy = Γ^⊤x · y.
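The identity just noted, carried through with the document's own symbols (an added derivation, not part of the original disclosure); it is what lets the quadratic term of an equation be moved from the y-side to the x-side at will:

```latex
\begin{aligned}
x \cdot \Gamma y
 &= \sum_{i=1}^{m} f\Bigl(x_i,\ \sum_{j=1}^{n} \gamma_{ij}\, y_j\Bigr)
   && \text{definition of } x \cdot y \text{ with } (\Gamma y)_i = \textstyle\sum_j \gamma_{ij}\, y_j \\
 &= \sum_{i=1}^{m}\sum_{j=1}^{n} \gamma_{ij}\, f(x_i, y_j)
   && \text{linearity of } f \text{ in its second argument} \\
 &= \sum_{j=1}^{n} f\Bigl(\sum_{i=1}^{m} \gamma_{ij}\, x_i,\ y_j\Bigr)
   && \text{linearity of } f \text{ in its first argument; } (\Gamma^{\top} x)_j = \textstyle\sum_i \gamma_{ij}\, x_i \\
 &= \Gamma^{\top} x \cdot y .
\end{aligned}
```

The same two applications of bilinearity, with F in place of f, are what make the matrices H_i of Section 4 usable as randomizers: anything of the form u • Hv = 0 can be added to a proof without changing the equation it proves.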
[0052] Now return to the equations in Table 1 and see how they can be recast as quadratic equations over Zn-modules with a bilinear map.
• Pairing product equations: Define R = Zn, A1 = G1, A2 = G2, AT = GT, f(x, y) = e(x, y), and we can rewrite the pairing product equation as (A · y)(x · B)(x · Γy) = tT. (We use multiplicative notation here because GT is usually written multiplicatively in the literature. When we work with the abstract modules, however, we use additive notation.)
• Multi-scalar multiplication in G1: Define R = Zn, A1 = G1, A2 = Zn, AT = G1, f(X, y) = yX, and we can rewrite the multi-scalar multiplication equation as A · y + X · b + X · Γy = T1.
• Multi-scalar multiplication in G2: Define R = Zn, A1 = Zn, A2 = G2, AT = G2, f(x, Y) = xY, and we can rewrite the multi-scalar multiplication equation as a · Y + x · B + x · ΓY = T2.
• Quadratic equation in Zn: Define R = Zn, A1 = Zn, A2 = Zn, AT = Zn, f(x, y) = xy mod n, and we can rewrite the quadratic equation in Zn as a · y + x · b + x · Γy = t.
We now focus on the more general problem of constructing non-interactive composable witness-indistinguishable proofs for satisfiability of quadratic equations over R-modules A1, A2, AT (using additive notation for all modules) with a bilinear map f.
3 Commitment from Modules
[0053] In the present NIWI proofs we will commit to the variables x_1, ..., x_m ∈ A1, y_1, ..., y_n ∈ A2. We do this by mapping them into other R-modules B1, B2 and making the commitments in those modules.
[0054] Let us for now just consider how to commit to elements from one R-module A. The public key for the commitment scheme will describe another R-module B and R-linear maps ι : A → B and p : B → A. It will also contain elements u_1, ..., u_n ∈ B. To commit to x ∈ A we pick r_1, ..., r_n ← R at random and compute the commitment

$$c := \iota(x) + \sum_{i=1}^{n} r_i\, u_i .$$

In one embodiment, the commitment scheme has two types of commitment keys, hiding keys and binding keys. The main assumption that we will be making throughout this disclosure is that the distribution of hiding keys and the distribution of binding keys are computationally indistinguishable. Witness-indistinguishability of the present NIWI proofs, and later the zero-knowledge property of the present ZK proofs, use this property.
• Hiding key: A hiding key contains (B, ι, p, u_1, ..., u_n) such that ι(A) ⊆ ⟨u_1, ..., u_n⟩. The commitment c is therefore perfectly hiding when r_1, ..., r_n are chosen at random from R, since c is then a uniformly random element of ⟨u_1, ..., u_n⟩ whatever x is.
• Binding key: A binding key contains (B, ι, p, u_1, ..., u_n) such that ∀i : p(u_i) = 0 and p ∘ ι is non-trivial. The commitment therefore contains the non-trivial information p(c) = p(ι(x)) about x. In particular, if p ∘ ι is the identity map on A, then the commitment is perfectly binding. (The map p is not efficiently computable. However, one can imagine scenarios where a secret key makes p efficiently computable and p ∘ ι is the identity map. In this case the commitment scheme is a cryptosystem with p being the decryption operation.)
[0055] Since we will often be committing to many elements at a time let us define some convenient notation. Given elements x_1, ..., x_m ∈ A we write c := ι(x) + Ru, with R = (r_ij) ∈ Mat_{m×n}(R), for the commitments c_1, ..., c_m computed as c_i := ι(x_i) + ∑_{j=1}^{n} r_ij u_j.
3.1 Example Embodiments
[0056] The treatment of commitments using the language of modules generalizes several previous works dealing with commitments over bilinear groups.
Example Embodiment 1: Subgroup decision.
[0057] In this setting, we have a composite order group G of order n := pq. The group can in a natural way be viewed as a Zn-module: using the notation above we define A = G and B = G. The commitment key will contain an element U. We can choose it so that U generates G or so that U has order q. The subgroup decision assumption tells us that the two types of commitment keys are computationally indistinguishable.
[0058] Let ι : G → G be the identity map. Define λ ∈ Zn so that λ = 1 mod p and λ = 0 mod q. The map p : G → G is p(X) := λX; in other words, p maps elements onto the order-p subgroup of G. If U generates G, then C := ι(X) + rU is perfectly hiding. On the other hand, if U has order q, then λC = λX defines X uniquely in Gp.
[0059] We can also commit to exponents. The modules are A' = Zn and B = G. Let ι' : Zn → G be given by ι'(x) = xP and p' : G → Zn be given by p'(xP) = λx. When U generates G, the commitment scheme C := xP + rU is perfectly hiding. On the other hand, if U has order q, then the commitment determines p'(C) = λx ∈ Zn.
Example embodiment 2: SXDH.
[0060] Consider a cyclic group A := G of prime order p. By entry-wise addition we get an abelian group B := G², which is a module over Zp. The commitment key will contain an element u1 = (P, Q), where Q = αP for a randomly chosen α ∈ Zp*. It will also contain an element u2 = (U, V) which can be chosen in one of two ways: u2 := t u1 or u2 := t u1 − (0, P) for a randomly chosen t ∈ Zp*. The former gives a perfectly binding commitment key, whereas the latter gives a perfectly hiding commitment key. The DDH assumption tells us that the two types of commitment keys are computationally indistinguishable.
[0061] Let us now describe how to commit to an element X ∈ G. We define ι(X) := (0, X). Using randomness r1, r2 ∈ Zp we get a commitment of the form c := ι(X) + r1 u1 + r2 u2. If u2 = t u1 we have c = ((r1 + t r2)P, (r1 + t r2)Q + X), which is an ElGamal encryption of X. We define p : (c1, c2) ↦ c2 − α c1 and see that the commitment is perfectly binding, since p ∘ ι is the identity map on G and p(u1) = p(u2) = 0. If u1 and u2 are linearly independent, then u1, u2 is a basis for B = G² and therefore ι(G) ⊆ ⟨u1, u2⟩. When u1 and u2 are linearly independent we therefore have a perfectly hiding commitment.
[0062] To commit to an exponent x ∈ A' := Zp, we use the following approach. We define u := u2 + (0, P), ι'(x) := xu and p'(c1 P, c2 P) := c2 − α c1. To commit to x using randomness r ∈ Zp we compute c := ι'(x) + r u1. On a hiding key we have u = t u1, so u ∈ ⟨u1⟩, which implies ι'(Zp) ⊆ ⟨u1⟩. A hiding key therefore gives us a perfectly hiding commitment scheme. On a binding key we have c = ((r + xt)P, (r + xt)Q + xP), which is an ElGamal encryption of xP. We have that p' ∘ ι' is the identity map and p'(u1) = 0, so the commitment scheme is perfectly binding.
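As an added worked example (not code from the disclosure) of the commitment scheme just described, the following Python models Example Embodiment 2 over a toy group: G is taken to be the integers mod an assumed prime Q under addition with P = 1, so the module B = G², the maps ι and p and the key elements u1, u2 are exactly as above, while the trapdoor α is of course readable from u1 (the example illustrates the module algebra, not the DDH hardness assumption; a real instantiation uses elliptic-curve groups). The equivocation routine makes the perfect-hiding claim concrete by computing, for a hiding key, the randomness that opens a given commitment to any other value. All function and variable names are this example's own.

```python
"""Toy instantiation of the Section 3 commitment scheme in the SXDH setting
(Example Embodiment 2).  Added example, not code from the disclosure.

The prime-order cyclic group G is modelled additively as the integers mod Q with
generator P = 1, so a group element X is an integer and "xP" is x mod Q.  This
keeps the module algebra exact (B = G^2, iota, p, u1, u2) but is NOT secure: with
P = 1 the trapdoor alpha can be read off u1, so DDH is trivial here.
"""
import secrets

Q = 1_000_003  # assumed toy prime group order (constructed for this example)


def vec_add(a, b):
    """Entry-wise addition in B = G^2 (the module operation)."""
    return tuple((x + y) % Q for x, y in zip(a, b))


def vec_scale(k, a):
    """Scalar action of the ring Z_Q on B."""
    return tuple((k * x) % Q for x in a)


def keygen(hiding: bool) -> dict:
    """Commitment key (u1, u2) in B = G^2 together with the trapdoor.
    u1 = (P, alpha P); binding key: u2 = t u1; hiding key: u2 = t u1 - (0, P)."""
    alpha = 1 + secrets.randbelow(Q - 1)
    t = 1 + secrets.randbelow(Q - 1)
    u1 = (1, alpha)
    u2 = vec_scale(t, u1)
    if hiding:
        u2 = vec_add(u2, (0, Q - 1))  # subtract (0, P)
    return {"u1": u1, "u2": u2, "alpha": alpha, "t": t, "hiding": hiding}


def iota(X: int) -> tuple:
    """iota(X) := (0, X), the embedding of G into B."""
    return (0, X % Q)


def commit(key: dict, X: int, r1: int, r2: int) -> tuple:
    """c := iota(X) + r1 u1 + r2 u2.  On a binding key this equals the ElGamal
    ciphertext ((r1 + t r2) P, (r1 + t r2) alpha P + X)."""
    return vec_add(iota(X), vec_add(vec_scale(r1, key["u1"]), vec_scale(r2, key["u2"])))


def p_map(alpha: int, c: tuple) -> int:
    """p(c1, c2) := c2 - alpha c1, i.e. ElGamal decryption with the trapdoor."""
    return (c[1] - alpha * c[0]) % Q


def is_binding_key(key: dict) -> bool:
    """On a binding key p kills both key elements, hence p(c) = p(iota(X)) = X."""
    return p_map(key["alpha"], key["u1"]) == 0 and p_map(key["alpha"], key["u2"]) == 0


def equivocate(key: dict, X: int, r1: int, r2: int, X_new: int) -> tuple:
    """Perfect hiding made explicit: on a hiding key u1, u2 span B, so
    commit(X; r1, r2) also opens to X_new.  Solve a u1 + b u2 = iota(X_new - X)
    with u2 = t u1 - (0, P): the second coordinate gives -b = X_new - X, the
    first gives a = -b t; the new randomness is (r1 - a, r2 - b)."""
    if not key["hiding"]:
        raise ValueError("equivocation requires a hiding key")
    b = (X - X_new) % Q
    a = (-b * key["t"]) % Q
    return ((r1 - a) % Q, (r2 - b) % Q)
```

On a binding key p recovers X and annihilates u1 and u2; on a hiding key p(u2) = −P ≠ 0 and every commitment opens to every value, which is exactly why witness indistinguishability can be perfect on a hiding key while soundness holds on a binding one.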
Example Embodiment 3: DLIN.
[0063] In a DLIN group let U := αP, V := βP be given for random α, β ∈ Zp*. The DLIN assumption states that it is hard to tell whether three elements rU, sV, tP have the property that t = r + s. We will use the Zp-modules A = G and B = G³ formed by entry-wise addition. The commitment key will contain three elements u1, u2, u3 ∈ B. We use u1 := (U, 0, P), u2 := (0, V, P), and u3 can be chosen as either u3 := r u1 + s u2 or u3 := r u1 + s u2 − (0, 0, P), which give respectively a binding key and a hiding key. The DLIN assumption implies that the two types of commitment keys are computationally indistinguishable.
[0064] We will now describe how to commit to X ∈ G. The map ι is defined by ι(X) := (0, 0, X). A commitment is formed by choosing r1, r2, r3 ∈ Zp and computing c := ι(X) + ∑_{i=1}^{3} r_i u_i. On a hiding key u1, u2, u3 are linearly independent, so they form a basis for B = G³ and therefore ι(G) ⊆ ⟨u1, u2, u3⟩, so the commitment scheme is perfectly hiding. On a binding key we have c = ((r1 + r r3)U, (r2 + s r3)V, (r1 + r2 + (r + s) r3)P + X), which is a BBS encryption [BBS04] of X. Defining the decryption function p(c1, c2, c3) := c3 − (1/α) c1 − (1/β) c2 we see that p(u1) = p(u2) = p(u3) = 0 and p ∘ ι is the identity map, so the commitment is perfectly binding. (This commitment scheme coincides with the scheme of [Wat06]. We note that the different, and less efficient, commitment scheme of [Gro06] can be similarly described in the language of modules as well.)
[0065] To commit to a message x ∈ A' := Zp we first define u := u3 + (0, 0, P) and ι'(x) := xu. We commit to x using randomness r1, r2 by setting c := xu + r1 u1 + r2 u2. On a hiding key we have u = r u1 + s u2, so ι'(Zp) ⊆ ⟨u1, u2⟩ and the commitment scheme is perfectly hiding. On a binding key the commitment is c = ((r1 + rx)U, (r2 + sx)V, (r1 + r2 + x(r + s))P + xP). This corresponds to a BBS encryption of xP. We define p'(c1, c2, c3) := log_P(c3 − (1/α) c1 − (1/β) c2). We have p'(u1) = p'(u2) = 0 and p' ∘ ι' is the identity on Zp, so the commitment scheme is perfectly binding.
4 Setup
[0066] In the present NIWI proofs the common reference string contains commitment keys to commit to elements in respectively A1 and A2. These commitment keys specify B1, ι1, p1, u_1, ..., u_{m'} and B2, ι2, p2, v_1, ..., v_{n'}. In addition, the common reference string will also specify a third R-module BT together with R-linear maps ιT : AT → BT and pT : BT → AT. There will be a bilinear map F : B1 × B2 → BT as well. We require that the maps commute. We refer to Table 3 for an overview of the modules and the maps.

Table 3: Modules and maps between them.
  A1 × A2 → AT   (bilinear map f)
  ι1 ↓ ↑ p1   ι2 ↓ ↑ p2   ιT ↓ ↑ pT
  B1 × B2 → BT   (bilinear map F)
  ∀x ∈ A1 ∀y ∈ A2 : F(ι1(x), ι2(y)) = ιT(f(x, y))
  ∀x ∈ B1 ∀y ∈ B2 : f(p1(x), p2(y)) = pT(F(x, y))

For notational convenience, let us define for x ∈ B1^n, y ∈ B2^n that

$$x \bullet y := \sum_{i=1}^{n} F(x_i, y_i) .$$

The final part of the common reference string is a set of matrices H_1, ..., H_η ∈ Mat_{m'×n'}(R) that satisfy u • H_i v = 0.
[0067] Two types of settings are of primary interest, soundness settings and witness-indistinguishability settings.
• Soundness setting: In the soundness setting, we require that the commitment keys are binding, so we have p1(u) = 0 and p2(v) = 0 and the maps p1 ∘ ι1 and p2 ∘ ι2 are non-trivial.
• Witness-indistinguishability setting: In the witness-indistinguishability setting we have hiding commitment keys, so ι1(A1) ⊆ ⟨u_1, ..., u_{m'}⟩ and ι2(A2) ⊆ ⟨v_1, ..., v_{n'}⟩. We also require that H_1, ..., H_η generate the R-module of matrices H with u • Hv = 0. As we will see in the next section, these matrices play a role as randomizers in the witness-indistinguishability proof.
The (only) computational assumption this disclosure is based on is that the two settings can be set up in a computationally indistinguishable way. The example embodiments show that there are many ways to get such computationally indistinguishable soundness and witness-indistinguishability setups.
4.1 Example Embodiments
Example Embodiment 1: Subgroup Decision.
[0068] The common reference string specifies (n, G, GT, e, P, U), which is sufficient to describe the entire setup given in this section. We use B = B1 = B2 = G and BT = GT and the bilinear map F(x, y) := e(x, y). In the witness-indistinguishability setup we use a hiding key U that generates G, and consequently e(U, U) generates GT. The only solution to e(U, HU) = 1 is therefore the trivial H = 0, so we do not need to include any H_i in the common reference string.
[0069] There are three scenarios to look at: pairing product equations, multi-scalar multiplication and quadratic equations in Zn. In the pairing product equation scenario, we have A1 = A2 = G and AT = GT and a bilinear map f := e. We define the map ιT : AT → BT to be the identity map, whereas pT(z) := z^λ. Observe that since λ = 1 mod p and λ = 0 mod q we have λ² = λ mod n, so we have the commutative property f(p1(X), p2(Y)) = e(λX, λY) = e(X, Y)^{λ²} = e(X, Y)^λ = pT(e(X, Y)); the other commutative property is trivial.
[0070] In the multi-scalar multiplication scenario, we have A1 = Zn, A2 = G, AT = G. The bilinear map f is the scalar multiplication function f(x, Y) := xY. We define ι'T(Z) := e(P, Z) and p'T(e(P, Z)) := λZ. This gives us the required commutative properties
e(ι'(x), ι(Y)) = e(xP, Y) = e(P, xY) = ι'T(xY) and p'T(e(xP, Y)) = λxY = (λx)(λY) = f(p'(xP), p(Y)).
[0071] In the quadratic equation in Zn scenario, we have A1 = A2 = AT = Zn. The bilinear map f is the multiplication function f(x, y) := xy mod n. We define ι''T(z) := e(P, P)^z and p''T(e(P, P)^z) := λz. We have the commutative properties e(ι'(x), ι'(y)) = e(xP, yP) = e(P, P)^{xy} = ι''T(xy) and p''T(e(xP, yP)) = λxy = (λx)(λy) = f(p'(xP), p'(yP)).
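An added worked check (not the disclosure's code) of Example Embodiment 1 end to end, covering both the commitments of Section 3.1 and the maps ιT, pT just defined. The composite-order group is modelled as Z_n with n = pq under addition and P = 1, and the bilinear map as e(x, y) = xy mod n into an additively written GT, so the page's z^λ becomes λz. The CRT computation of λ, the projection p(X) = λX onto Gp, the binding-versus-hiding behaviour of the key element U, and the three commutativity checks are carried out literally; the primes and all names are this example's own, and the subgroup decision problem is trivial in this toy group, so the block exercises the algebra only.

```python
"""Toy walk-through of Example Embodiment 1 (subgroup decision): the commitments
of Section 3.1 and the setup maps of Section 4.  Added example, not the
disclosure's code.  G of composite order n = pq is modelled additively as Z_n with
generator P = 1, the bilinear map as e(x, y) = x*y mod n into GT = Z_n written
additively (so z^lambda becomes lambda*z).  NOT secure: in Z_n the order of U is
trivially computable, so the subgroup decision assumption does not hold here.
"""
import secrets

P_ORD, Q_ORD = 1009, 1013          # assumed toy primes p, q (constructed)
N = P_ORD * Q_ORD                  # group order n = pq


def crt_lambda(p: int, q: int) -> int:
    """lambda with lambda = 1 mod p and lambda = 0 mod q; then lambda^2 = lambda mod pq."""
    return (q * pow(q, -1, p)) % (p * q)


LAM = crt_lambda(P_ORD, Q_ORD)


def e(x: int, y: int) -> int:
    """Toy bilinear map G x G -> GT, with GT written additively."""
    return (x * y) % N


def keygen(hiding: bool) -> int:
    """Commitment key U: a generator of G (hiding) or an element of order q (binding)."""
    if hiding:
        k = 1 + secrets.randbelow(N - 1)
        while k % P_ORD == 0 or k % Q_ORD == 0:   # a generator of Z_n is a unit mod n
            k = 1 + secrets.randbelow(N - 1)
        return k
    return (P_ORD * (1 + secrets.randbelow(Q_ORD - 1))) % N   # order exactly q


def commit(U: int, X: int, r: int) -> int:
    """C := iota(X) + r U with iota the identity on G."""
    return (X + r * U) % N


def commit_exp(U: int, x: int, r: int) -> int:
    """Exponent commitment C := xP + r U (here P = 1)."""
    return (x + r * U) % N


def p_map(C: int) -> int:
    """p(C) := lambda C, the projection onto the order-p subgroup Gp."""
    return (LAM * C) % N


def opens_uniquely_in_Gp(U: int, X: int, r: int) -> bool:
    """On a binding key lambda U = 0, so p(C) = lambda X regardless of r;
    on a hiding key (U a generator) lambda U != 0 and the randomness survives."""
    return p_map(commit(U, X, r)) == p_map(X)


def check_setup_maps(X: int, Y: int, x: int) -> bool:
    """The commutative properties of Table 3 for this embodiment:
    pairing product: e(p(X), p(Y)) = pT(e(X, Y)) with pT(z) = lambda z;
    multi-scalar:    e(iota'(x), iota(Y)) = iotaT'(x Y) with iotaT'(Z) = e(P, Z),
                     pT'(e(xP, Y)) = lambda x Y = f(p'(xP), p(Y)) = (lambda x)(lambda Y)."""
    pairing_ok = e(p_map(X), p_map(Y)) == (LAM * e(X, Y)) % N
    iota_ok = e(x, Y) == e(1, (x * Y) % N)
    p_ok = (LAM * e(x, Y)) % N == ((LAM * x) * (LAM * Y)) % N
    return pairing_ok and iota_ok and p_ok
```

The check that p_map(X) equals p_map(X + p) while differing from p_map(X + 1) is the concrete meaning of "λC = λX defines X uniquely in Gp": the projection forgets exactly the Gq component, which is the component the binding key U lives in.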
Example Embodiment 2: SXDH.
[0072] The common reference string specifies (p. Gi- G2. Gτ- e. V\. P2. U1- H2-. i"i: ^), where (U1 , U2) is a commitment key for the group Gi and (v\ , v^) is a commitment key for Gj as described in Section 3.1. We have B\ = G\. B2 = G\ and define B7 ■= Gτ with respectively cntiy-wise addition and entry-wise multiplication. The map F is defined as follows:
[0073] In the pairing product equation scenario, we have A\ — G\, A2 = G2, Aτ — GT and f(x, y) := e(x, y). The commitment keys are Uι, u2 and D1 , V2 for committing to respectively elements in G5 and G2. In the witness-indistinguishability scenario, the commitment keys arc hiding, which means they are chosen so U1 and u2 are linearly independent and V1 and V2 are linearly independent. The four elements F(uι, υι), F(Ui1 V2)-. F(U2- vι), F(U2, v2) are linearly independent in this scenario. This implies that u * Hv only has the trivial solution where H is the 2 x 2 matrix with 0-entries. As for the maps iτ, PT we define
$$\iota_T(z) := \begin{pmatrix} 1 & 1 \\ 1 & z \end{pmatrix}, \qquad p_T\!\left(\begin{pmatrix} z_{11} & z_{12} \\ z_{21} & z_{22} \end{pmatrix}\right) := z_{22}\, z_{12}^{-\alpha_1} \left( z_{21}\, z_{11}^{-\alpha_1} \right)^{-\alpha_2}.$$
The map $p_T$ corresponds to first ElGamal decrypting down the columns using $\alpha_1$, where $u_1 = (P_1, \alpha_1 P_1)$, and then ElGamal decrypting the resulting row using $\alpha_2$, where $v_1 = (P_2, \alpha_2 P_2)$. We note that $\iota_T \circ p_T$ is the identity map. One can check that the maps satisfy the commutative properties in Table 3.
[0074] We will now look at the case of multi-scalar multiplication in $G_2$. The case of multi-scalar multiplication in $G_1$ is treated similarly. We have $A_1 = \mathbb{Z}_p$, $A_2 = G_2$, $A_T = G_2$ and the bilinear map is $f(x, Y) = xY$. We will use $\iota', u_1$ for commitments to scalars in $\mathbb{Z}_p$ and $\iota_2, v_1, v_2$ for commitments to elements in $G_2$. We define $\iota'_T(Z) := \iota_T(e(P_1, Z))$. Let $e^{-1}(e(P_1, Z)) := Z$ and define $p'_T(z) := e^{-1}(p_T(z))$. We note that $\iota'_T \circ p'_T$ is the identity map on $G_2$. We see that in the witness-indistinguishability setting, where $v_1, v_2$ are linearly independent, the equation $u_1 \cdot H v = 0$ only has the trivial solution, where $H$ is the $1 \times 2$ matrix containing 0-entries.
[0075] Finally, we have the case of quadratic equations in $\mathbb{Z}_p$. We have $A_1 = A_2 = A_T = \mathbb{Z}_p$ and the bilinear map $f(x, y) = xy \bmod p$. We use $\iota', u_1$ for commitments in $G_1$ and $\iota'', v_1$ for commitments in $G_2$. We define $\iota'_T(z) := \iota_T(e(P_1, P_2)^z)$ and $p'_T(z) := \log_P(p_T(z))$. The maps satisfy the commutative properties from Table 3 and we have that $\iota'_T \circ p'_T$ is the identity map on $\mathbb{Z}_p$. Since $F(u_1, v_1)$ has no non-trivial solution we do not need to specify a set of generators $H_1, \dots, H_\eta$.
Example Embodiment 3: DLIN.
[0076] The common reference string specifies $(p, G, G_T, e, P, u_1, u_2, u_3)$, where $(u_1, u_2, u_3)$ is a commitment key for the group $G$, and $(u_1, u_2)$ is used for committing to exponents. We have $B = G^3$.
We will use the module $B_T = G_T^9$, defining the addition of two elements to correspond to entry-wise multiplication of the 9 group elements. We will use two different bilinear maps $F$, $\tilde F$. The map $F$ is defined as follows:
$$F : G^3 \times G^3 \to G_T^9, \qquad F\!\left(\begin{pmatrix} x_1 \\ x_2 \\ x_3 \end{pmatrix}, \begin{pmatrix} y_1 \\ y_2 \\ y_3 \end{pmatrix}\right) := \begin{pmatrix} e(x_1, y_1) & e(x_1, y_2) & e(x_1, y_3) \\ e(x_2, y_1) & e(x_2, y_2) & e(x_2, y_3) \\ e(x_3, y_1) & e(x_3, y_2) & e(x_3, y_3) \end{pmatrix}.$$
[0077] The symmetric map $\tilde F$ is defined by $\tilde F(x, y) := \tfrac{1}{2} F(x, y) + \tfrac{1}{2} F(y, x)$.
[0078] In the pairing product equation scenario, we have $A_1 = G$, $A_2 = G$, $A_T = G_T$ and $f(x, y) := e(x, y)$. The commitment key is $u_1, u_2, u_3$. In the witness-indistinguishability scenario, the commitment key is hiding, which means that it is chosen so $u_1, u_2, u_3$ are linearly independent and hence span $B = G^3$. Some computation shows that the nine elements $F(u_i, u_j)$ are linearly independent in the witness-indistinguishability setting. This implies that $u \cdot H u = 0$ only has the trivial solution, where $H$ is the $3 \times 3$ matrix with 0-entries.
[0079] On the other hand, the map $\tilde F$ has non-trivial solutions to $u \cdot H u = 0$, corresponding to the identities $\tilde F(u_i, u_j) = \tilde F(u_j, u_i)$. Some computation shows that the matrices
$$H_1 = \begin{pmatrix} 0 & 1 & 0 \\ -1 & 0 & 0 \\ 0 & 0 & 0 \end{pmatrix}, \quad H_2 = \begin{pmatrix} 0 & 0 & 1 \\ 0 & 0 & 0 \\ -1 & 0 & 0 \end{pmatrix}, \quad H_3 = \begin{pmatrix} 0 & 0 & 0 \\ 0 & 0 & 1 \\ 0 & -1 & 0 \end{pmatrix}$$
form a basis for the matrices $H$ so $u \cdot H u = 0$.
[0080] As for the maps $\iota_T, p_T$ we define
1 1 1 iτ{z) := I 1 1 1 1 1 2
Z\\ 712 =13 \
-31 -32 -33 / The map pr corresponds to first BBS decrypting down the columns using the decryption key a. β and then after that BBS decrypting along the row. We note that ι.τ opγ is the identity map. One can check that the maps satisfy the commutative properties with both F and F in Table 3.
[0081] We will now look at the case of multi-scalar multiplication in $G$. We have $A_1 = \mathbb{Z}_p$, $A_2 = G$, $A_T = G$ and the bilinear map is $f(x, Y) = xY$. We will use $\iota', u_1, u_2$ for commitments to scalars in $\mathbb{Z}_p$ and $\iota, u_1, u_2, u_3$ for commitments to elements in $G$. We define $\iota'_T(Z) := \iota_T(e(P, Z))$. Let $e^{-1}(e(P, Z)) := Z$ and define $p'_T(z) := e^{-1}(p_T(z))$. We note that $\iota'_T \circ p'_T$ is the identity map on $G$. We see that $(u_1, u_2) \cdot H u = 0$ only has the trivial solution, where $H$ is the $2 \times 3$ matrix containing 0-entries. We also have
Figure imgf000022_0001
generates the matrices $H$ so $(u_1, u_2) \cdot H u = 0$.
[0082] Finally, we have the case of quadratic equations in $\mathbb{Z}_p$. We have $A_1 = A_2 = A_T = \mathbb{Z}_p$ and the bilinear map $f(x, y) := xy \bmod p$. We use $u_1, u_2$ for commitments to the exponents. We define $\iota''_T(z) := \iota_T(e(P, P)^z)$ and $p''_T(z) := \log_P(p_T(z))$. The maps satisfy the commutative properties from Table 3 and we have that $\iota''_T \circ p''_T$ is the identity map on $\mathbb{Z}_p$. Again we have for $F$ only trivial matrices $H$, whereas for $\tilde F$ we have the non-trivial basis
Figure imgf000022_0002
5 Proving that Committed Values Satisfy a Quadratic Equation
[0083] Recall that a quadratic equation looks like the following:
$$a \cdot y + x \cdot b + x \cdot \Gamma y = t,$$
with constants $a \in A_1^n$, $b \in A_2^m$, $\Gamma \in \mathrm{Mat}_{m \times n}(R)$, $t \in A_T$. The prover's task is to convince the verifier that the commitments contain $x \in A_1^m$, $y \in A_2^n$ that satisfy the quadratic equation.
[0084] We will first consider the case of a single quadratic equation of the above form. The first step in the present NIWI proof is to commit to the variables $x, y$. The commitments are of the form
Figure imgf000023_0001
(Note that for various other embodiments, we will use these same commitments.)
[0085] Before giving the proof let us give some intuition. In the previous sections, we have set up the commitments so that the commitments themselves also "behave" like the values being committed to: they also belong to modules (the B modules) equipped with a bilinear map (the map F, also implicitly used in the • operation). Given that we have done this, a natural idea is to take the quadratic equation we are trying to prove, and "plug in" the commitments in place of the variables; let us evaluate:
Figure imgf000023_0002
After some computations, where we expand the commitments, make use of the bilinearity of $\cdot$, and rearrange terms (the details can be found in the proof of Theorem 1 below), we get
Figure imgf000023_0003
By the commutativity properties of the maps, the first group of three terms is equal to $\iota_T(t)$ if the equation is true. Looking at the remaining terms, note that the verifier knows $u$ and $v$. Using the fact that bilinearity implies that for any $x, y$ we have $x \cdot \Gamma y = \Gamma^T x \cdot y$, we can sort the remaining terms so that they match either $u$ or $v$ to get (again see the proof of Theorem 1 for details)
Figure imgf000023_0004
Now, for the sake of explanation only, and not limitation, let us make some simplifying assumptions: assume that we are working in a symmetric case where $A_1 = A_2$ and $B_1 = B_2$, and therefore $u = v$, so the above equation can be simplified further to get:
Figure imgf000023_0005
Assume further that $\iota_1 \circ p_1$, $\iota_2 \circ p_2$ and $\iota_T \circ p_T$ are the identity maps on $A_1$, $A_2$ and $A_T$.
[0086] Now, suppose the prover gives to the verifier as his proof $\pi = R^T \iota_2(b) + R^T \Gamma \iota_2(y) + S^T \iota_1(a) + S^T \Gamma^T \iota_1(x)$. The verifier would then check that the following verification equation holds:
Figure imgf000024_0001
[0087] It is easy to see that this proof would be convincing in the soundness setting, because we have that $p_1(v) = 0$. Then the verifier would know (but not be able to compute) that by applying the maps $p_1, p_2, p_T$ we get
Figure imgf000024_0002
This gives us soundness, since $x := p_1(c)$ and $y := p_2(d)$ satisfy the equation.
[0088] The remaining problem is to get witness-indistinguishability. Recall that in the witness-indistinguishability setting, the commitments are perfectly hiding. Therefore, in the verification equation, nothing except for $\pi$ has any information about $x$ and $y$, except for the information that can be inferred from the quadratic equation itself. So, consider two cases:
1. Suppose that $\pi$ is the unique value so that the verification equation is valid. In this case, we trivially have witness indistinguishability, since this means that all witnesses would lead to the same value for $\pi$.
2. The simple case above might seem too good to be true, but see what it means if it isn't true. If two values $\pi$ and $\pi'$ both satisfy the verification equation, then just subtracting the equations shows that $u \cdot (\pi - \pi') = 0$. On the other hand, recall that in the witness-indistinguishability setting, the $u$ vectors generate the entire space where $\pi$ or $\pi'$ exist, and furthermore we know that the matrices $H_1, \dots, H_\eta$ generate the $H$ such that $u \cdot H u = 0$. Therefore, choose $r_1, \dots, r_\eta$ at random and consider the distribution $\pi'' = \pi + \sum_{i=1}^{\eta} r_i H_i u$. We thus obtain the same distribution on $\pi''$ regardless of what $\pi$ we started from, and such that $\pi''$ always satisfies the verification equation.
[0089] Thus, for the symmetric case we obtain a witness indistinguishable proof system. For the general non-symmetric case, instead of having just $\pi$ for the $u$ part of the equation, we would also have $\psi$ for the $v$ part. In this case, we would also have to make sure that this split does not reveal any information about the witness. What we will do is to randomize the proofs such that they get a uniform distribution on $\pi, \psi$ that satisfy the verification equation. If we pick $T \leftarrow \mathrm{Mat}_{n' \times m'}(R)$ at random we have that $\psi + Tu$ completely randomizes $\psi$. The part we add in $\psi$ can be "subtracted" from $\pi$ by observing that
$$\iota_T(t) + u \cdot \pi + \psi \cdot v = \iota_T(t) + u \cdot (\pi - T^T v) + (\psi + Tu) \cdot v.$$
This leads to a unique distribution of proofs for the general non-symmetric case as well.
[0090] Having now explained the intuition behind the following proof system, we proceed to a formal description and proof of security properties.
Proof: Pick $T \leftarrow \mathrm{Mat}_{n' \times m'}(R)$ and $r_1, \dots, r_\eta \leftarrow R$ at random. Compute
$$\pi := R^T \iota_2(b) + R^T \Gamma \iota_2(y) + R^T \Gamma S v - T^T v + \sum_{i=1}^{\eta} r_i H_i v, \qquad \psi := S^T \iota_1(a) + S^T \Gamma^T \iota_1(x) + T u,$$
and return the proof $(\pi, \psi)$. Verification: Return 1 if and only if
$$\iota_1(a) \cdot d + c \cdot \iota_2(b) + c \cdot \Gamma d = \iota_T(t) + u \cdot \pi + \psi \cdot v.$$
[0091] Perfect completeness of the NIWI proof will follow from the following theorem, no matter whether we are in the soundness setting or the witness-indistinguishability setting.
Theorem 1
[0092] Given $x, y, R, S$ satisfying
$$c = \iota_1(x) + Ru, \qquad d = \iota_2(y) + Sv, \qquad a \cdot y + x \cdot b + x \cdot \Gamma y = t,$$
we have for all choices of $T, r_1, \dots, r_\eta$ that the proofs $\pi, \psi$ constructed as above will be accepted.
[0093] Proof. The commutative property of the linear and bilinear maps gives us $\iota_1(a) \cdot \iota_2(y) + \iota_1(x) \cdot \iota_2(b) + \iota_1(x) \cdot \Gamma \iota_2(y) = \iota_T(t)$. For any choice of $T, r_1, \dots, r_\eta$ we have
$$\begin{aligned}
\iota_1(a) \cdot d + c \cdot \iota_2(b) + c \cdot \Gamma d
&= \iota_1(a) \cdot (\iota_2(y) + Sv) + (\iota_1(x) + Ru) \cdot \iota_2(b) + (\iota_1(x) + Ru) \cdot \Gamma(\iota_2(y) + Sv) \\
&= \iota_1(a) \cdot \iota_2(y) + \iota_1(x) \cdot \iota_2(b) + \iota_1(x) \cdot \Gamma \iota_2(y) \\
&\quad + Ru \cdot \iota_2(b) + Ru \cdot \Gamma \iota_2(y) + Ru \cdot \Gamma S v + \iota_1(a) \cdot Sv + \iota_1(x) \cdot \Gamma S v \\
&= \iota_T(t) + u \cdot \bigl(R^T \iota_2(b) + R^T \Gamma \iota_2(y) + R^T \Gamma S v\bigr) + \bigl(S^T \iota_1(a) + S^T \Gamma^T \iota_1(x)\bigr) \cdot v \\
&= \iota_T(t) + u \cdot \bigl(R^T \iota_2(b) + R^T \Gamma \iota_2(y) + R^T \Gamma S v\bigr) + \sum_{i=1}^{\eta} r_i\, u \cdot H_i v - u \cdot T^T v \\
&\quad + Tu \cdot v + \bigl(S^T \iota_1(a) + S^T \Gamma^T \iota_1(x)\bigr) \cdot v = \iota_T(t) + u \cdot \pi + \psi \cdot v.
\end{aligned}$$
□
Theorem 2
[0094] In the soundness setting, where we have $p_1(u) = 0$ and $p_2(v) = 0$, a valid proof implies
$$p_1(\iota_1(a)) \cdot p_2(d) + p_1(c) \cdot p_2(\iota_2(b)) + p_1(c) \cdot \Gamma p_2(d) = p_T(\iota_T(t)).$$
[0095] Proof. An acceptable proof $\pi, \psi$ satisfies $\iota_1(a) \cdot d + c \cdot \iota_2(b) + c \cdot \Gamma d = \iota_T(t) + u \cdot \pi + \psi \cdot v$. The commutative property of the linear and bilinear maps gives us
$$p_1(\iota_1(a)) \cdot p_2(d) + p_1(c) \cdot p_2(\iota_2(b)) + p_1(c) \cdot \Gamma p_2(d) = p_T(\iota_T(t)) + p_1(u) \cdot p_2(\pi) + p_1(\psi) \cdot p_2(v) = p_T(\iota_T(t)).$$
□
[0096] Observe as a particularly interesting case that when $\iota_1 \circ p_1$, $\iota_2 \circ p_2$, $\iota_T \circ p_T$ are the identity maps on $A_1$, $A_2$ and $A_T$ respectively, then this means $x := p_1(c)$ and $y := p_2(d)$ give us a satisfying solution to the equation $a \cdot y + x \cdot b + x \cdot \Gamma y = t$. In this case, the theorem says that the proof is perfectly sound in the soundness setting. It is still possible, though, that interesting co-soundness properties emerge also in the case where these maps are not the identity maps on $A_1$, $A_2$ and $A_T$.
Theorem 3
[0097] In the witness-indistinguishable setting where $\iota_1(A_1) \subseteq \langle u_1, \dots, u_{m'} \rangle$, $\iota_2(A_2) \subseteq \langle v_1, \dots, v_{n'} \rangle$ and $H_1, \dots, H_\eta$ generate the matrices $H$ so $u \cdot H v = 0$, the satisfying witnesses $x, y, R, S$ yield proofs $\pi \in \langle v_1, \dots, v_{n'} \rangle^{m'}$ and $\psi \in \langle u_1, \dots, u_{m'} \rangle^{n'}$ that are uniformly distributed conditioned on the verification equation
$$\iota_1(a) \cdot d + c \cdot \iota_2(b) + c \cdot \Gamma d = \iota_T(t) + u \cdot \pi + \psi \cdot v.$$
[0098] Proof. Since $\iota_1(A_1) \subseteq \langle u_1, \dots, u_{m'} \rangle$ and $\iota_2(A_2) \subseteq \langle v_1, \dots, v_{n'} \rangle$ there exist $A, B, X, Y$ so $\iota_1(a) = Au$, $\iota_1(x) = Xu$ and $\iota_2(b) = Bv$, $\iota_2(y) = Yv$. We have $c = (X + R)u$ and $d = (Y + S)v$. The proof is $\pi, \psi$ given by
$$\begin{aligned}
\psi &= S^T \iota_1(a) + S^T \Gamma^T \iota_1(x) + Tu = (S^T A + S^T \Gamma^T X + T) u, \\
\pi &= R^T \iota_2(b) + R^T \Gamma \iota_2(y) + R^T \Gamma S v - T^T v + \sum_{i=1}^{\eta} r_i H_i v = \Bigl(R^T B + R^T \Gamma Y + R^T \Gamma S - T^T + \sum_{i=1}^{\eta} r_i H_i\Bigr) v.
\end{aligned}$$
We choose $T$ at random, so we can think of $\psi$ as being a uniformly random variable given by $\psi = \Psi u$ for a randomly chosen matrix $\Psi$. We can think of $\pi$ as being written $\pi = \Pi v$, where $\Pi$ is a random variable that depends on $\Psi$.
[0099] By perfect completeness the satisfying witnesses yield proofs where $\iota_1(a) \cdot d + c \cdot \iota_2(b) + c \cdot \Gamma d - \iota_T(t) - \psi \cdot v = u \cdot \pi = u \cdot \Pi v$. Conditioned on the random variable $\Psi$ we therefore have that any two possible solutions $\Pi_1, \Pi_2$ satisfy $u \cdot (\Pi_1 - \Pi_2) v = 0$. Since $H_1, \dots, H_\eta$ generate the matrices $H$ so $u \cdot H v = 0$, we can write this as $\Pi_1 = \Pi_2 + \sum_{i=1}^{\eta} r_i H_i$. In constructing $\pi$ we form it as $(R^T B + R^T \Gamma Y + R^T \Gamma S - T^T) v + (\sum_{i=1}^{\eta} r_i H_i) v$ for randomly chosen $r_1, \dots, r_\eta$. We therefore get a uniform distribution over the $\pi$ that satisfy the equation conditioned on $\psi$. Since $\psi$ is uniformly chosen, we conclude that for any witness we get a uniform distribution over $\psi, \pi$ conditioned on them constituting an acceptable proof. □
5.1 Linear Equations
[0100] As a special case, we will consider the proof system when $a = 0$ and $\Gamma = 0$. In this case the equation is simply
$$x \cdot b = t.$$
The scheme can be simplified in this case by choosing $T = 0$ in the proof, which gives $\psi := 0$ and $\pi := R^T \iota_2(b) + \sum_{i=1}^{\eta} r_i H_i v$. Theorem 1 still applies with $T = 0$. Theorem 2 gives us $p_1(c) \cdot p_2(\iota_2(b)) = p_T(\iota_T(t))$, which will give us soundness. Finally, we have the following theorem.
Theorem 4
[0101] In the witness-indistinguishable setting where $\iota_1(A_1) \subseteq \langle u_1, \dots, u_{m'} \rangle$, $\iota_2(A_2) \subseteq \langle v_1, \dots, v_{n'} \rangle$ and $H_1, \dots, H_\eta$ generate the matrices $H$ so $u \cdot H v = 0$, the satisfying witnesses $x, y, R, S$ yield the uniform distribution of the proof $\pi \in \langle v_1, \dots, v_{n'} \rangle^{m'}$ conditioned on the verification equation $c \cdot \iota_2(b) = \iota_T(t) + u \cdot \pi$ being satisfied.
[0102] Proof. As in the proof of Theorem 3 we can write $\pi = \Pi v$. Any witness gives a proof that satisfies $c \cdot \iota_2(b) - \iota_T(t) = u \cdot \pi = u \cdot \Pi v$.
Since $H_1, \dots, H_\eta$ generate the matrices $H$ so $u \cdot H v = 0$, we have that $\Pi$ has a uniform distribution over the matrices $\Pi$ satisfying the verification equation. □
5.2 The Symmetric Case
[0103] An interesting special case is when $B := B_1 = B_2$, $n' \le m'$ with $u_1 = v_1, \dots, u_{n'} = v_{n'}$ and for all $x, y \in B$ we have $F(x, y) = F(y, x)$. We call this the symmetric case. In the symmetric case, we can simplify the scheme by just padding $\psi$ with zeroes at the end to extend its length to $m'$, call this vector $\psi'$, and revealing the proof $\phi = \pi + \psi'$. In the verification, we check that
$$\iota_1(a) \cdot d + c \cdot \iota_2(b) + c \cdot \Gamma d = \iota_T(t) + u \cdot \phi.$$
Theorem 1 and Theorem 3 still hold in this setting. With respect to soundness we have the following theorem.
Theorem 5
[0104] In the soundness setting, where we have $p_1(u) = 0$, a valid proof implies
$$p_1(\iota_1(a)) \cdot p_2(d) + p_1(c) \cdot p_2(\iota_2(b)) + p_1(c) \cdot \Gamma p_2(d) = p_T(\iota_T(t)).$$
[0105] Proof. An acceptable proof $\phi$ satisfies $\iota_1(a) \cdot d + c \cdot \iota_2(b) + c \cdot \Gamma d = \iota_T(t) + u \cdot \phi$. The commutative property of the linear and bilinear maps gives us
$$p_1(\iota_1(a)) \cdot p_2(d) + p_1(c) \cdot p_2(\iota_2(b)) + p_1(c) \cdot \Gamma p_2(d) = p_T(\iota_T(t)) + p_1(u) \cdot p_2(\phi) = p_T(\iota_T(t)).$$
□
[0106] We can simplify the computation of the proof in the symmetric case. We have
Figure imgf000029_0003
and extend $\psi$ to $\psi'$ by padding it with $m' - n'$ 0's. Another way to accomplish this padding is by padding $T$ with $m' - n'$ 0-rows, $S$ with $m' - n'$ 0-columns and $H_i$ with $m' - n'$ 0-columns. We then have
Figure imgf000029_0001
Since the map is symmetric we have $u \cdot (T' - (T')^T) u = 0$, so if we have a set $H'_1, \dots, H'_{\eta'}$ that generates the matrices $H'$ so $u \cdot H' u = 0$, then we can rewrite the proof as
Figure imgf000029_0004
6 NIWI Proof for Satisfiability of a Set of Quadratic Equations
[0107] We will now give the full composable NIWI proof for satisfiability of a set of quadratic equations in a module with a bilinear map. The proof will have $L_{co}$-soundness, where
Figure imgf000029_0002
Observe that $L_{co}$-soundness and soundness are the same notions in the common case where $\iota_1 \circ p_1$, $\iota_2 \circ p_2$ and $\iota_T \circ p_T$ are the identity maps on respectively $A_1$, $A_2$ and $A_T$.
[0108] The cryptographic assumption we make is that the common reference string is created by one of two algorithms $K$ or $S$ and that their outputs are computationally indistinguishable. The first algorithm outputs a common reference string that specifies a soundness setting, whereas the second algorithm outputs a common reference string that specifies a witness-indistinguishability setting.
[0109] Setup: $(gk, sk) := ((R, A_1, A_2, A_T, f), sk) \leftarrow \mathcal{G}(1^k)$.
[0110] Soundness string: $\sigma := (B_1, B_2, B_T, F, \iota_1, p_1, \iota_2, p_2, \iota_T, p_T, u, v) \leftarrow K(gk, sk)$.
[0111] Witness-indistinguishability string: $\sigma := (B_1, B_2, B_T, F, \iota_1, p_1, \iota_2, p_2, \iota_T, p_T, u, v) \leftarrow S(gk, sk)$.
[0112] Proof: The input includes $gk$, $\sigma$, a list of quadratic equations $\{(a_i, b_i, \Gamma_i, t_i)\}_{i=1}^{N}$ and a satisfying witness $x, y$.
• Pick at random $R \leftarrow \mathrm{Mat}_{m \times m'}(R)$ and $S \leftarrow \mathrm{Mat}_{n \times n'}(R)$ and commit to the variables as $c := \iota_1(x) + Ru$ and $d := \iota_2(y) + Sv$.
• For each equation $(a_i, b_i, \Gamma_i, t_i)$ make a proof as described in Section 5. In other words, pick $T_i \leftarrow \mathrm{Mat}_{n' \times m'}(R)$ and $r_{i1}, \dots, r_{i\eta} \leftarrow R$ and compute
$$\pi_i := R^T \iota_2(b_i) + R^T \Gamma_i \iota_2(y) + R^T \Gamma_i S v - T_i^T v + \sum_{j=1}^{\eta} r_{ij} H_j v, \qquad \psi_i := S^T \iota_1(a_i) + S^T \Gamma_i^T \iota_1(x) + T_i u.$$
• Output the proof $(c, d, \{(\pi_i, \psi_i)\}_{i=1}^{N})$.
[0113] Verification: The input is $gk$, $\sigma$, $\{(a_i, b_i, \Gamma_i, t_i)\}_{i=1}^{N}$ and the proof $(c, d, \{(\pi_i, \psi_i)\}_{i=1}^{N})$. For each equation check
$$\iota_1(a_i) \cdot d + c \cdot \iota_2(b_i) + c \cdot \Gamma_i d = \iota_T(t_i) + u \cdot \pi_i + \psi_i \cdot v.$$
Output 1 if all the checks pass, else output 0.
Theorem 6
[0114] The protocol given above is a NIWI proof for satisfiability of a set of quadratic equations with perfect completeness, perfect $L_{co}$-soundness and composable witness-indistinguishability.
[0115] Proof. Perfect completeness follows from Theorem 1.
[0116] Consider a proof $(c, d, \{(\pi_i, \psi_i)\})$ on a soundness string. Define $x := p_1(c)$, $y := p_2(d)$. It follows from Theorem 2 that for each equation we have
This means we have perfect $L_{co}$-soundness.
[0117] In the present disclosure, a computational assumption is that soundness strings and witness-indistinguishability strings are computationally indistinguishable (or at least computationally similar). Consider now a witness-indistinguishability string $\sigma$. The commitments are perfectly hiding, so they do not reveal the witness $x, y$ that the prover uses in the commitments $c, d$. Theorem 3 says that in each equation, each of two possible witnesses yields the same distribution on the proof for that equation. A straightforward hybrid argument then shows that we have perfect witness-indistinguishability. □
[0118] Proof of knowledge. We observe that if $K$ outputs an additional secret piece of information $\xi$ that makes it possible to efficiently compute $p_1$ and $p_2$, then it is straightforward to compute the witness $x = p_1(c)$ and $y = p_2(d)$, so the proof is a perfect proof of knowledge.
[0119] Proof size. The size of the common reference string is $m'$ elements in $B_1$ and $n'$ elements in $B_2$ in addition to the description of the modules and the maps. The size of the proof is $m + Nn'$ elements in $B_1$ and $n + Nm'$ elements in $B_2$.
[0120] Typically, $m'$ and $n'$ will be small, giving us a proof size that is $O(m + n + N)$ elements in $B_1$ and $B_2$. The proof size may thus be smaller than the description of the statement, which can be of size up to $Nn$ elements in $A_1$, $Nm$ elements in $A_2$, $Nnm$ elements in $R$ and $N$ elements in $A_T$.
6.1 NIWI Proofs for Bilinear Groups
[0121] We will now outline the strategy for making NIWI proofs for satisfiability of a set of quadratic equations over bilinear groups. As we described in Section 2, there are four different types of equations, corresponding to the following four combinations of $\mathbb{Z}_n$-modules:
• Pairing product equations: $A_1 = G_1$, $A_2 = G_2$, $A_T = G_T$, $f(X, Y) = e(X, Y)$.
• Multi-scalar multiplication in $G_1$: $A_1 = G_1$, $A_2 = \mathbb{Z}_n$, $A_T = G_1$, $f(X, y) = yX$.
• Multi-scalar multiplication in $G_2$: $A_1 = \mathbb{Z}_n$, $A_2 = G_2$, $A_T = G_2$, $f(x, Y) = xY$.
• Quadratic equations in $\mathbb{Z}_n$: $A_1 = \mathbb{Z}_n$, $A_2 = \mathbb{Z}_n$, $A_T = \mathbb{Z}_n$, $f(x, y) = xy \bmod n$.
[0122] The common reference string will specify commitment schemes to respectively scalars and group elements. We first commit to the variables and then make the NIWI proofs that correspond to the types of equations that we are looking at. It is important that we use the same commitment schemes and commitments across equations, i.e., for instance we only commit to a scalar $x$ once and we use the same commitment in the proof whether the equation $x$ is involved in is a multi-scalar multiplication in $G_2$ or a quadratic equation in $\mathbb{Z}_n$. The use of the same commitment in the equations is necessary to ensure a consistent choice of $x$ throughout the proof. As a consequence of this we use the same module $B'_1$ to commit to $x$ in both multi-scalar multiplication in $G_2$ and quadratic equations in $\mathbb{Z}_n$. We therefore end up with at most four different modules $B_1, B'_1, B_2, B'_2$ to commit to respectively the $X, x, Y, y$ variables.
Example Embodiment 1: Subgroup decision.
[0123] Setup: $(gk, sk) := ((n, G, G_T, e, P), (p, q)) \leftarrow \mathcal{G}(1^k)$, where $n = pq$.
[0124] Soundness string: On input $(gk, sk)$ return $\sigma := U$ where $U := rpP$ for random $r \in \mathbb{Z}_n$.
[0125] Witness-indistinguishability string: On input $(gk, sk)$ return $\sigma := U$ where $U := rP$ for random $r \in \mathbb{Z}_n^*$.
[0126] Proof: On input $(n, G, G_T, e, P, U)$, a set of equations and a witness $x, Y$ do:
1. Commit to each exponent $x_1, \dots, x_m$ and each element $Y_1, \dots, Y_n$ as respectively $c_i := x_i P + r_i U$ and $d_i := Y_i + s_i U$ for randomly chosen $r, s$.
2. For each pairing product equation $(A \cdot Y)(Y \cdot \Gamma Y) = t_T$ make a proof as described in Section 5.2. Writing it out and doing the calculations, we get
Figure imgf000032_0001
3. For each multi-scalar multiplication equation $a \cdot Y + x \cdot B + x \cdot \Gamma Y = T$ the proof is
Figure imgf000032_0002
4. For each quadratic equation $x \cdot b + x \cdot \Gamma x = t$ in $\mathbb{Z}_n$ we have
Figure imgf000032_0003
[0127] Verification: On input $(n, G, G_T, e, P, U)$, a set of equations and a proof $c, d, \{\phi_i\}_{i=1}^{N}$ do:
1. For each pairing product equation $(A \cdot Y)(Y \cdot \Gamma Y) = t_T$ check that $\prod_{i=1}^{n} e(A_i, d_i) \cdot \prod_{i=1}^{n} \prod_{j=1}^{n} e(d_i, d_j)^{\gamma_{ij}} = t_T \cdot e(U, \phi)$.
2. For each multi-scalar multiplication $a \cdot Y + x \cdot B + x \cdot \Gamma Y = T$ check that $\prod_{i=1}^{n} e(a_i P, d_i) \cdot \prod_{i=1}^{m} e(c_i, B_i) \cdot \prod_{i=1}^{m} \prod_{j=1}^{n} e(c_i, d_j)^{\gamma_{ij}} = e(P, T) \cdot e(U, \phi)$.
3. For each quadratic equation $x \cdot b + x \cdot \Gamma x = t$ in $\mathbb{Z}_n$ check that $\prod_{i=1}^{m} e(c_i, b_i P)$
[0128] Define $L_{co}$ to be the set of quadratic equations over $\mathbb{Z}_n$ that are unsatisfiable in the order-$p$ subgroups of $\mathbb{Z}_n$, $G$ and $G_T$.
Theorem 7
[0129] The NIWI proof given above has perfect completeness, perfect $L_{co}$-soundness and composable witness-indistinguishability.
[0130] Proof. Perfect completeness follows from Theorem 1. Perfect $L_{co}$-soundness follows from Theorem 2 since the $\iota \circ p$ maps go to the order-$p$ subgroups of $\mathbb{Z}_n$, $G$ and $G_T$. The subgroup decision problem gives us that we cannot distinguish whether $U$ has order $q$ or order $n$, so the two types of common reference strings are computationally indistinguishable. On a witness-indistinguishability string, the commitments are perfectly hiding and we get perfect witness-indistinguishability from Theorem 3. □
[0131] The size of the proof is $m + n + N$ group elements in $G$, where $m$ is the number of variables in $x$, $n$ is the number of variables in $Y$ and $N$ is the number of equations.
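As an added example (not code from the patent), the following Python models Example Embodiment 1 for one quadratic equation $x \cdot b + x \cdot \Gamma x = t$ in $\mathbb{Z}_n$, i.e. the symmetric case of Section 5.2 with the single key element $U$: the commitments $c_i := x_i P + r_i U$, the one-element proof $\phi$, the pairing check (written by the same pattern as checks 1 and 2 above, since the page's own line for check 3 is cut off), the projection $p(c) = \lambda c$ that a soundness string enables, and the trapdoor opening that a witness-indistinguishability string enables. Group elements are represented by their discrete logarithms, so $e(aP, bP)$ is modelled as $ab \bmod n$; this reproduces the algebra exactly but is not a secure instantiation, and all function names and the sample values are constructed here.

```python
"""Toy model of Example Embodiment 1 (subgroup decision, n = pq) for a quadratic
equation x.b + x.Gamma x = t over Z_n, in the symmetric case of Section 5.2.

Added example, not the patent's code. The bilinear group is modelled by discrete
logarithms: an element aP of G is stored as a mod n, and the pairing
e(aP, bP) = e(P,P)^{ab} is stored as its exponent ab mod n. This reproduces the
algebra of commit / prove / verify exactly, but has no cryptographic hardness:
the subgroup decision assumption only makes sense in a real pairing group.
"""
import random

P_PRIME, Q_PRIME = 101, 103        # constructed toy primes; n = pq
N = P_PRIME * Q_PRIME
# lambda = 1 mod p, 0 mod q: the projection p(.) of Section 4 (lambda^2 = lambda mod n)
LAM = (Q_PRIME * pow(Q_PRIME, -1, P_PRIME)) % N


def pairing(a, b):
    """e(aP, bP) = e(P,P)^{ab}, stored additively in the exponent."""
    return (a * b) % N


def crs(soundness, rng):
    """Soundness string: U := r p P (order q).  WI string: U := r P, r in Z_n^*.
    Returns (U, trapdoor); the trapdoor r is only used by equivocate()."""
    if soundness:
        return (rng.randrange(1, N) * P_PRIME) % N, None
    while True:
        r = rng.randrange(1, N)
        if r % P_PRIME and r % Q_PRIME:            # r invertible mod n
            return r, r


def commit(U, x, rng):
    """Step 1 of the Proof: c_i := x_i P + r_i U for random r_i."""
    r = [rng.randrange(N) for _ in x]
    return [(xi + ri * U) % N for xi, ri in zip(x, r)], r


def prove(U, b, gamma, x, r):
    """Step 4: the single group element phi collecting every term that involves
    the commitment randomness r, so that the U-component of the verification
    equation is exactly e(U, phi)."""
    m = len(x)
    phi = sum(r[i] * b[i] for i in range(m))               # r^T b
    for i in range(m):
        for j in range(m):
            phi += r[i] * gamma[i][j] * x[j]                # r^T Gamma x
            phi += x[i] * gamma[i][j] * r[j]                # x^T Gamma r
            phi += U * r[i] * gamma[i][j] * r[j]            # (r^T Gamma r) U
    return phi % N


def verify(U, b, gamma, t, c, phi):
    """Verification check 3, written by the same pattern as checks 1 and 2:
    prod_i e(c_i, b_i P) * prod_{ij} e(c_i, c_j)^{gamma_ij} = e(P,P)^t * e(U, phi)."""
    m = len(c)
    lhs = sum(pairing(c[i], b[i]) for i in range(m))
    lhs += sum(gamma[i][j] * pairing(c[i], c[j]) for i in range(m) for j in range(m))
    return lhs % N == (t + pairing(U, phi)) % N


def project(c):
    """Soundness setting: p(c_i) = lambda c_i. Since lambda U = 0 when U has
    order q, this equals lambda x_i, i.e. x_i inside the order-p subgroup."""
    return [(LAM * ci) % N for ci in c]


def equivocate(trapdoor, c, x_new):
    """WI setting: with U = rP and r invertible, every c_i opens to any x_i',
    which is why the commitments are perfectly hiding there."""
    r_inv = pow(trapdoor, -1, N)
    return [((ci - xi) * r_inv) % N for ci, xi in zip(c, x_new)]


def quad(b, gamma, x):
    """Evaluate x.b + x.Gamma x mod n."""
    m = len(x)
    return (sum(x[i] * b[i] for i in range(m))
            + sum(x[i] * gamma[i][j] * x[j] for i in range(m) for j in range(m))) % N


def demo(soundness, seed=7):
    """Commit, prove and verify one constructed equation on the chosen string."""
    rng = random.Random(seed)
    U, trapdoor = crs(soundness, rng)
    x = [5, 12, 9]                                          # constructed witness
    b = [3, 4, 11]
    gamma = [[1, 2, 0], [0, 5, 1], [7, 0, 3]]
    t = quad(b, gamma, x)
    c, r = commit(U, x, rng)
    phi = prove(U, b, gamma, x, r)
    return {"U": U, "trapdoor": trapdoor, "c": c, "x": x, "b": b, "gamma": gamma,
            "verified": verify(U, b, gamma, t, c, phi),
            "wrong_t": verify(U, b, gamma, (t + 1) % N, c, phi)}


if __name__ == "__main__":
    for setting in (True, False):
        print("soundness" if setting else "WI", demo(setting)["verified"])
```

On a soundness string `project` recovers $\lambda x$ and the equation holds modulo $p$, matching the $L_{co}$-soundness of Theorem 7; on a witness-indistinguishability string `equivocate` shows that the same commitments open to any other witness.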
Example Embodiment 2: SXDH.
[0132] Setup: $gk := (p, G_1, G_2, G_T, e, P_1, P_2) \leftarrow \mathcal{G}(1^k)$.
[0133] Soundness string: On input $gk$ return $\sigma := (u_1, u_2, v_1, v_2)$ from the soundness setup described in Section 4. This gives us $u_2 = t_1 u_1$ and $v_2 = t_2 v_1$ for random $t_1, t_2 \leftarrow \mathbb{Z}_p$, so the elements are linearly dependent.
[0134] Witness-indistinguishability string: On input $gk$ return $\sigma := (u_1, u_2, v_1, v_2)$ from the witness-indistinguishability setup described in Section 4. This gives us $u_2 = t_1 u_1 - (O, P_1)$ and $v_2 = t_2 v_1 - (O, P_2)$ for random $t_1, t_2 \leftarrow \mathbb{Z}_p$.
[0135] Proof: On input $gk$, $\sigma$, a set of equations and a witness $X, Y, x, y$ do:
1. Commit to group elements $X$ as $c := \iota_1(X) + Ru$ for $R \leftarrow \mathrm{Mat}_{m \times 2}(\mathbb{Z}_p)$ and group elements $Y$ as $d := \iota_2(Y) + Sv$ for $S \leftarrow \mathrm{Mat}_{n \times 2}(\mathbb{Z}_p)$. Commit to exponents $x$ as $c' := \iota'_1(x) + r u_1$ and exponents $y$ as $d' := \iota'_2(y) + s v_1$ for $r \leftarrow \mathbb{Z}_p^{m'}$, $s \leftarrow \mathbb{Z}_p^{n'}$.
2. For each pairing product equation $(A \cdot Y)(X \cdot B)(X \cdot \Gamma Y) = t_T$ make a proof as described in Section 5. Writing it out we have for $T \leftarrow \mathrm{Mat}_{2 \times 2}(\mathbb{Z}_p)$ the following proof:
$$\pi := R^T \iota_2(B) + R^T \Gamma \iota_2(Y) + (R^T \Gamma S - T^T) v, \qquad \psi := S^T \iota_1(A) + S^T \Gamma^T \iota_1(X) + T u.$$
For each linear equation $A \cdot Y = t_T$ we use $\psi := S^T \iota_1(A)$. For each linear equation $X \cdot B = t_T$ we use $\pi := R^T \iota_2(B)$.
3. For each multi-scalar multiplication equation $A \cdot y + X \cdot b + X \cdot \Gamma y = T_1$ in $G_1$ the proof is, for random $T \leftarrow \mathrm{Mat}_{1 \times 2}(\mathbb{Z}_p)$,
$$\pi := R^T \iota'_2(b) + R^T \Gamma \iota'_2(y) + (R^T \Gamma s - T^T) v_1, \qquad \psi := s^T \iota_1(A) + s^T \Gamma^T \iota_1(X) + T u.$$
For each linear equation $A \cdot y = T_1$ the proof is $\psi := s^T \iota_1(A)$. For each linear equation $X \cdot b = T_1$ the proof is $\pi := R^T \iota'_2(b)$.
4. For each multi-scalar multiplication equation $a \cdot Y + x \cdot B + x \cdot \Gamma Y = T_2$ in $G_2$ the proof is, for random $T \leftarrow \mathrm{Mat}_{2 \times 1}(\mathbb{Z}_p)$,
$$\pi := r^T \iota_2(B) + r^T \Gamma \iota_2(Y) + (r^T \Gamma S - T^T) v, \qquad \psi := S^T \iota'_1(a) + S^T \Gamma^T \iota'_1(x) + T u_1.$$
For each linear equation $a \cdot Y = T_2$ the proof is $\psi := S^T \iota'_1(a)$. For each linear equation $x \cdot B = T_2$ the proof is $\pi := r^T \iota_2(B)$.
5. For each quadratic equation $a \cdot y + x \cdot b + x \cdot \Gamma y = t$ in $\mathbb{Z}_p$ the proof is, for random $T \leftarrow \mathbb{Z}_p$,
$$\pi := r^T \iota'_2(b) + r^T \Gamma \iota'_2(y) + (r^T \Gamma s - T) v_1, \qquad \psi := s^T \iota'_1(a) + s^T \Gamma^T \iota'_1(x) + T u_1.$$
For each linear equation $a \cdot y = t$ we use $\psi := s^T \iota'_1(a)$. For each linear equation $x \cdot b = t$ we use $\pi := r^T \iota'_2(b)$.
[0136] Verification: On input $(gk, \sigma)$, a set of equations and a proof $c, d, c', d', \{(\pi_i, \psi_i)\}_{i=1}^{N}$ do:
1. For each pairing product equation $(A \cdot Y)(X \cdot B)(X \cdot \Gamma Y) = t_T$ check that
$$\iota_1(A) \cdot d + c \cdot \iota_2(B) + c \cdot \Gamma d = \iota_T(t_T) + u \cdot \pi + \psi \cdot v.$$
2. For each multi-scalar multiplication $A \cdot y + X \cdot b + X \cdot \Gamma y = T_1$ in $G_1$ check that
$$\iota_1(A) \cdot d' + c \cdot \iota'_2(b) + c \cdot \Gamma d' = \iota_T(T_1) + u \cdot \pi + F(\psi, v_1).$$
3. For each multi-scalar multiplication $a \cdot Y + x \cdot B + x \cdot \Gamma Y = T_2$ in $G_2$ check that
$$\iota'_1(a) \cdot d + c' \cdot \iota_2(B) + c' \cdot \Gamma d = \iota_T(T_2) + F(u_1, \pi) + \psi \cdot v.$$
4. For each quadratic equation $a \cdot y + x \cdot b + x \cdot \Gamma y = t$ in $\mathbb{Z}_p$ check that
$$\iota'_1(a) \cdot d' + c' \cdot \iota'_2(b) + c' \cdot \Gamma d' = \iota'_T(t) + F(u_1, \pi) + F(\psi, v_1).$$
Theorem 8
[0137] The protocol is a NIWI proof with perfect completeness, perfect soundness and composable witness-indistinguishability for satisfiability of a set of equations over a bilinear group where the SXDH problem is hard.
[0138] Perfect completeness follows from Theorem 1. Perfect soundness follows from Theorem 2 since the $\iota \circ p$ maps are identity maps on $\mathbb{Z}_p$, $G_1$, $G_2$ and $G_T$. The SXDH assumption gives us that the two types of common reference strings are computationally indistinguishable. On a witness-indistinguishability string, the commitments are perfectly hiding and we get perfect witness-indistinguishability from Theorem 3. □
[0139] The modules we work in are $B_1 = G_1^2$ and $B_2 = G_2^2$, so each element in a module includes two group elements from respectively $G_1$ and $G_2$. Table 4 lists the cost of the different types of equations.
Figure imgf000036_0001
Table 4: Cost of each variable and equation measured in elements from G1 and G2.
Example Embodiment 3: DLIN.
[0140] Setup: $gk := (p, G, G_T, e, P) \leftarrow \mathcal{G}(1^k)$.
[0141] Soundness string: On input $gk$ return $\sigma := (u_1, u_2, u_3)$ from the soundness setup described in Section 4. This gives us $u_3 = t_1 u_1 + t_2 u_2$ for random $t_1, t_2 \leftarrow \mathbb{Z}_p$, so the elements are linearly dependent.
[0142] Witness-indistinguishability string: On input $gk$ return $\sigma := (u_1, u_2, u_3)$ from the witness-indistinguishability setup described in Section 4. This gives us $u_1 = (\alpha P, O, P)$, $u_2 = (O, \beta P, P)$, $u_3 = (O, O, -P) + t_1 u_1 + t_2 u_2$ for random $\alpha, \beta \leftarrow \mathbb{Z}_p^*$ and $t_1, t_2 \leftarrow \mathbb{Z}_p$. Define for notational convenience $v := (u_1, u_2)$.
[0143] Proof: On input $gk$, $\sigma$, a set of equations and a witness $x, Y$ do:
1. Commit to exponents $x$ as $c := \iota'(x) + Rv$ for $R \leftarrow \mathrm{Mat}_{m \times 2}(\mathbb{Z}_p)$. Commit to group elements $Y$ as $d := \iota(Y) + Su$ for $S \leftarrow \mathrm{Mat}_{n \times 3}(\mathbb{Z}_p)$.
2. For each pairing product equation $(A \cdot Y)(Y \cdot \Gamma Y) = t_T$ make a proof as described in Section 5 using the symmetric map $\tilde F$:
$$\phi := R^T \iota(B) + R^T \Gamma \iota(Y) + S^T \iota(A) + S^T \Gamma^T \iota(X) + R^T \Gamma S u + \sum_{i=1}^{3} r_i H_i u.$$
[0144] For each linear equation $Y \cdot B = t_T$ we use the asymmetric map $F$ to get the proof $\phi := S^T \iota(B)$.
We remark that the reason we use the asymmetric $F$ is that there are no non-trivial matrices $H$ so $u \cdot H u = 0$, which simplifies the proof. Observe that $\phi = \iota(S^T B) = S^T \iota(B)$ and, vice versa, $p(\phi) = S^T B$ is easily computable in this special setting, since $\iota(B_i) = (O, O, B_i)$. We can therefore just reveal the proof $\phi' := p(\phi) = S^T B$, which is three group elements.
3. For each multi-scalar multiplication equation $a \cdot Y + x \cdot B + x \cdot \Gamma Y = T$ we use the symmetric map $\tilde F$. The proof is, for random $r_2 \leftarrow \mathbb{Z}_p$,
Figure imgf000037_0003
For each linear equation $Y \cdot b = T$ we use the asymmetric map $F$ to get the proof
Figure imgf000037_0001
It suffices to reveal the value $\phi' = S^T b$. Since $\phi$ determines $\phi'$ uniquely, this does not compromise the perfect witness-indistinguishability we have on witness-indistinguishability strings. The verifier can compute $\phi = \iota'(\phi')$. The proof now includes 3 elements in $\mathbb{Z}_p$.
For each linear equation $x \cdot B = T$ we use $F$ again to get the proof
Figure imgf000037_0002
We can use $\phi' = R^T B$ as the proof, since it allows the verifier to compute $\phi = \iota(\phi')$. The proof therefore includes 2 group elements.
4. For each quadratic equation $x \cdot b + x \cdot \Gamma x = t$ in $\mathbb{Z}_p$ we use the symmetric map $\tilde F$. There is one matrix $H_1$ that generates the $H$ so $v \cdot H v = 0$. The proof is, for random $r_1 \leftarrow \mathbb{Z}_p$,
Figure imgf000037_0004
For each linear equation $x \cdot b = t$ we use the asymmetric map $F$ to get the proof $\phi := R^T \iota'(b)$. It suffices to reveal just $R^T b$, from which the verifier can compute $\phi = \iota'(R^T b)$.
[0145] Verification: On input $(gk, \sigma)$, a set of equations and a proof $c, d, \{\phi_i\}_{i=1}^{N}$ do:
1. For each pairing product equation $(A \cdot Y)(Y \cdot \Gamma Y) = t_T$ check that $\iota(A) \cdot d + d \cdot \Gamma d = \iota_T(t_T) + u \cdot \phi$.
For each linear equation $Y \cdot B = t_T$ check $d \cdot \iota(B) = \iota_T(t_T) + u \cdot \phi$.
2. For each multi-scalar multiplication $a \cdot Y + x \cdot B + x \cdot \Gamma Y = T$ check that $\iota'(a) \cdot d + c \cdot \iota(B) + c \cdot \Gamma d = \iota_T(T) + u \cdot \phi$.
For each linear equation $Y \cdot b = T$ check $d \cdot \iota'(b) = \iota_T(T) + u \cdot \iota'(\phi')$.
For each linear equation $x \cdot B = T$ check $c \cdot \iota(B) = \iota_T(T) + v \cdot \iota(\phi')$.
3. For each quadratic equation $x \cdot b + x \cdot \Gamma x = t$ in $\mathbb{Z}_p$ check that $c \cdot \iota'(b) + c \cdot \Gamma c = \iota'_T(t) + v \cdot \phi$.
For each linear equation $x \cdot b = t$ check
Theorem 9
[0146] The protocol is a NIWI proof with perfect completeness, perfect soundness and composable witness-indistinguishability for satisfiability of a set of equations over a bilinear group where the DLIN problem is hard.
[0147] Perfect completeness follows from Theorem 1. Perfect soundness follows from Theorem 2 since the $\iota \circ p$ maps are identity maps on $\mathbb{Z}_p$, $G$ and $G_T$. The DLIN assumption gives us that the two types of common reference strings are computationally indistinguishable. On a witness-indistinguishability string, the commitments are perfectly hiding and we get perfect witness-indistinguishability from Theorem 5. □
[0148] The module we work in is $B = G^3$, so each element in the module includes three group elements from $G$. In some of the linear equations, we can compute $p(\phi)$ efficiently and we have $\iota(p(\phi)) = \phi$, which gives us a shorter proof. Table 5 lists the cost of the different types of equations.
Figure imgf000039_0001
Table 5: Cost of each variable and equation measured in elements from G.
7 Zero-Knowledge
[0149] We will show that in many cases it is possible to make zero-knowledge proofs for satisfiability of quadratic equations. One strategy is to use the NIWI proofs directly; however, such proofs may not be zero-knowledge, because the zero-knowledge simulator may not be able to compute any witness for satisfiability of the equations. We can often, however, modify the set of quadratic equations into an equivalent set of quadratic equations for which a witness can be found.
[0150] We consider first the case where $A_1 = \mathcal{R}$, $A_2 = A_T$, $f(x, y) = xy$ and where $S$ outputs an extra piece of information $\tau$ that makes it possible to trapdoor open the commitments in $B_1$. More precisely, $\tau$ permits the computation of $s \in \mathcal{R}^{m'}$ such that $\iota_1(1) = \iota_1(0) + \sum_{i=1}^{m'} s_i u_i$. We remark that this is a common case; in bilinear groups both multi-scalar multiplication equations in $G_1$, $G_2$ and quadratic equations in $\mathbb{Z}_n$ have this structure.
[0151] Define $\tilde{c} := \iota_1(1)$ to be a commitment to $\phi = 1$. Let us rewrite the equations in the statement as
$$a_i \cdot y + f(-\phi, t_i) + x \cdot b_i + x \cdot \Gamma_i y = 0.$$
We have introduced a new variable $\phi$, and if we choose all variables in these modified equations to be $0$ then we have a satisfying witness. In the simulation we give the simulator trapdoor information that permits it to open $\tilde{c}$ to $0$, and we can then use the NIWI proof from Section 6.
[0152] Setup: $(gk, sk) := ((\mathcal{R}, A_1, A_2, A_T, f), sk) \leftarrow \mathcal{G}(1^k)$.
[0153] Soundness string: $\sigma := (B_1, B_2, B_T, F, \iota_1, p_1, \iota_2, p_2, \iota_T, p_T, u, v) \leftarrow K(gk, sk)$.
[0154] Proof: This protocol is exactly the same as in the NIWI proof. The input consists of $gk$, $\sigma$, a list of quadratic equations $\{(a_i, b_i, \Gamma_i, t_i)\}_{i=1}^N$ and a satisfying witness $x, y$.
Pick at random $R \leftarrow \mathrm{Mat}_{m \times m'}(\mathcal{R})$ and $S \leftarrow \mathrm{Mat}_{n \times n'}(\mathcal{R})$ and commit to the variables as $c := \iota_1(x) + Ru$ and $d := \iota_2(y) + Sv$.
For each equation $(a_i, b_i, \Gamma_i, t_i)$ make a proof as described in Section 5. In other words, pick $T_i \leftarrow \mathrm{Mat}_{n' \times m'}(\mathcal{R})$ and $r_{i1}, \ldots, r_{i\eta} \leftarrow \mathcal{R}$ and compute
$$\pi_i := R^{\top}\iota_2(b_i) + R^{\top}\Gamma_i\,\iota_2(y) + R^{\top}\Gamma_i S v - T_i^{\top} v + \sum_{j=1}^{\eta} r_{ij} H_j v,$$
$$\psi_i := S^{\top}\iota_1(a_i) + S^{\top}\Gamma_i^{\top}\iota_1(x) + T_i u.$$
Output the proof $(c, d, \{(\pi_i, \psi_i)\}_{i=1}^N)$.
[0155] Verification: The input is $gk$, $\sigma$, $\{(a_i, b_i, \Gamma_i, t_i)\}_{i=1}^N$ and the proof $(c, d, \{(\pi_i, \psi_i)\}_{i=1}^N)$.
For each equation check
$$\iota_1(a_i) \cdot d + c \cdot \iota_2(b_i) + c \cdot \Gamma_i d = \iota_T(t_i) + u \cdot \pi_i + \psi_i \cdot v.$$
Output 1 if all the checks pass, else output 0.
[0156] Simulation string: $(\sigma, \tau) := ((B_1, B_2, B_T, F, \iota_1, p_1, \iota_2, p_2, \iota_T, p_T, u, v), \tau) \leftarrow S_1(gk, sk)$, where $\iota_1(1) = \iota_1(0) + \sum_{i=1}^{m'} s_i u_i$.
[0157] Simulated proof: The input consists of $gk$, $\sigma$, the trapdoor $\tau$ and a list of quadratic equations $\{(a_i, b_i, \Gamma_i, t_i)\}_{i=1}^N$; no satisfying witness is needed. Rewrite the equations as $a_i \cdot y + x \cdot b_i + f(\phi, -t_i) + x \cdot \Gamma_i y = 0$. Define $x := 0$, $y := 0$ and $\phi := 0$ to get a witness that satisfies the modified equations.
Pick at random $R \leftarrow \mathrm{Mat}_{m \times m'}(\mathcal{R})$ and $S \leftarrow \mathrm{Mat}_{n \times n'}(\mathcal{R})$ and commit to the variables as $c := \iota_1(0) + Ru$ and $d := \iota_2(0) + Sv$. We have $\tilde{c} := \iota_1(1) = \iota_1(0) + \sum_{i=1}^{m'} s_i u_i$, i.e., $\tilde{c}$ is a commitment to $\phi = 0$ with randomness $s$ known to the simulator.
For each modified equation $(a_i, b_i, -t_i, \Gamma_i, 0)$ make a proof as described in Section 5. Return the simulated proof $(c, d, \{(\pi_i, \psi_i)\}_{i=1}^N)$.
Theorem 10
[0158] The protocol described above is a composable NIZK proof for satisfiability of quadratic equations (of the form considered in this section) with perfect completeness, perfect $L_{co}$-soundness and composable zero-knowledge.
[0159] Proof. Perfect completeness on a soundness string follows from the perfect completeness of the NIWI proof. The simulator knows an opening of $\tilde{c} := \iota_1(1)$ to $\tilde{c} = \iota_1(0) + \sum_{i=1}^{m'} s_i u_i$. It therefore knows a witness $0, 0, \phi = 0$ for satisfiability of the modified equations. It therefore outputs a proof $(c, d, \{(\pi_i, \psi_i)\}_{i=1}^N)$ such that for each $i$ we have
$$\iota_1(a_i) \cdot d + c \cdot \iota_2(b_i) + F(\tilde{c}, \iota_2(-t_i)) + c \cdot \Gamma_i d = \iota_T(0) + u \cdot \pi_i + \psi_i \cdot v.$$
The commutative properties of the maps give us $F(\iota_1(1), \iota_2(t_i)) = \iota_T(f(1, t_i)) = \iota_T(t_i)$, so the proof satisfies the equation the verifier checks. Perfect completeness on a simulation string now follows from the perfect completeness of the NIWI proof as well.
[0160] Perfect $L_{co}$-soundness follows from the perfect $L_{co}$-soundness of the NIWI proof.
[0161] We will now show that on a simulation string we have perfect zero-knowledge. The commitments $c$, $d$ and $\tilde{c} = \iota_1(1)$ are perfectly hiding and therefore have the same distribution whether we use the witness $x, y, \phi = 1$ or $0, 0, \phi = 0$. Theorem 3 now tells us that the proofs $\pi_i, \psi_i$ made with either type of opening of $c, d, \tilde{c}$ are uniformly distributed over the possible choices of $\{(\pi_i, \psi_i)\}_{i=1}^N$ that satisfy the equations $\iota_1(a_i) \cdot d + c \cdot \iota_2(b_i) + F(\tilde{c}, \iota_2(-t_i)) + c \cdot \Gamma_i d = \iota_T(0) + u \cdot \pi_i + \psi_i \cdot v$. We therefore have perfect zero-knowledge on a simulation string. $\square$
7.1 NIZK Proofs for Bilinear Groups
[0162] Let us return to the four types of quadratic equations given in Table 1. If we set up the common reference string such that we can trapdoor open respectively $\iota'_1(1)$ and $\iota'_2(1)$ to $0$, then multi-scalar multiplication equations and quadratic equations in $\mathbb{Z}_n$ are of the form for which we can give zero-knowledge proofs (at no additional cost).
[0163] In the case of pairing product equations we do not know how to get zero-knowledge in general, since even with the trapdoors we may not be able to compute a satisfiability witness. We do observe, though, that in the special case where $t_T = 1$ the choice $\mathcal{X} = \mathcal{O}$, $\mathcal{Y} = \mathcal{O}$ is a satisfying witness. Since we also use $\mathcal{X} = \mathcal{O}$, $\mathcal{Y} = \mathcal{O}$ in the other zero-knowledge proofs, the simulator can use this witness and give a NIWI proof. In the special case where $t_T = 1$ we can therefore make NIZK proofs for satisfiability of the set of pairing product equations.
[0164] Next, let us look at the case where we have a pairing product equation with $t_T = \prod_{i=1}^{n} e(\mathcal{P}_i, \mathcal{Q}_i)$ for some known $\mathcal{P}_i, \mathcal{Q}_i$. In this case we can add the linear equations $\mathcal{Z}_i = \mathcal{P}_i$ to the set of multi-scalar multiplication equations in $G_1$. We already know that such equations have zero-knowledge proofs. We can now rewrite the pairing product equation as $(\mathcal{A} \cdot \mathcal{Y})(\mathcal{X} \cdot \mathcal{B})(\mathcal{Z} \cdot \mathcal{Q})^{-1}(\mathcal{X} \cdot \Gamma \mathcal{Y}) = 1$, where the factor $(\mathcal{Z} \cdot \mathcal{Q})^{-1}$ cancels the target $\prod_i e(\mathcal{P}_i, \mathcal{Q}_i)$ once $\mathcal{Z}_i = \mathcal{P}_i$. This is a pairing product equation of the type for which we can make a zero-knowledge proof. We can therefore also make zero-knowledge proofs for a set of quadratic equations over a bilinear group if the pairing product equations have $t_T$ of the form
$t_T = \prod_{i=1}^{n} e(\mathcal{P}_i, \mathcal{Q}_i)$ for some known $\mathcal{P}_i, \mathcal{Q}_i$.
[0165] The case of pairing product equations points to a couple of differences between witness-indistinguishable proofs and zero-knowledge proofs using the techniques herein. NIWI proofs can handle any target $t_T$, whereas zero-knowledge proofs can only handle special types of target $t_T$. Furthermore, if $t_T \neq 1$ the size of the NIWI proof for this equation is constant, whereas the NIZK proof for the same equation may be larger.
8 Application Embodiments
8.1 Fair Key Exchange
[0166] Suppose two parties want to exchange a pair of keys. However, neither party wants to give away his key without having assurance that the other party will give him a key in return. In the standalone setting there is no fair protocol that implements this objective, since either party may abort the protocol after learning his output. If we introduce a trusted party the problem is of course easily solved: the parties hand their keys to the trusted party, which then gives each party the desired key.
[0167] In one embodiment, each party encrypts his key under the public key of a trusted party and sends the ciphertext to the other party. Now both parties exchange their keys. If either party aborts, the other party can call on the trusted party to get his key; if both parties act honestly there is no need to call upon the trusted party. This way we reduce the burden on the trusted party, which is only invoked in case of protocol breaches.
[0168] Verifiable encryption can be used to solve this problem. In addition to encrypting the key, we also make a proof that we have encrypted a proper key. Of course this proof should not reveal the nature of the key we are encrypting.
[0169] Given witness-indistinguishable proofs, it is straightforward to construct NIZK proofs. We can therefore use an NIZK proof to prove that we have encrypted a proper key. This NIZK proof suffices for our purpose, since it guarantees the correctness of the encryption yet reveals nothing else. The present techniques make these NIZK proofs efficient enough to be practical when we set up the cryptosystem in groups with bilinear maps. We therefore get a satisfactory solution to the fair key exchange problem.
8.2 Verifiable Encryption
In one embodiment, the NIZK proof system is used to provide verifiable encryption. Figure 1 shows a first computer 101 and a second computer 102 connected to a computer network 103 for exchanging encrypted data, and, optionally, a third party computer 105. One of ordinary skill in the art will recognize that one or more of the computers 101, 102 and 105 can be combined to provide the functionality shown in Figure 1. A message is encrypted in the computer 101 and sent to the second computer 102, where it can be decrypted and displayed, or the second computer 102 can use the techniques described herein to use an NIZK proof of membership for one or more aspects of the encrypted message without decrypting (or even being able to decrypt) the message. In one embodiment, a third computer (not shown) is provided as a third party that uses a proof of membership algorithm to verify one or more aspects of the encrypted message without decrypting the message. This allows two parties to exchange information while using a third party to verify one or more aspects of the message without revealing the contents of the message to the third party. Thus the NIZK proof allows two parties to communicate through a third party (e.g., an escrow party) who verifies aspects of the message and/or escrows the messages. This permits encryption of a message $\mathcal{X}$ and construction of an NIZK proof that $\mathcal{X}$ satisfies a certain equation. For the purpose of this example we choose the equation $e(\mathcal{X}, \mathcal{Q} + m\mathcal{P}) = e(\mathcal{P}, \mathcal{P})$. This equation has practical value: such an $\mathcal{X}$ is a Boneh-Boyen signature on $m$ (with public verification key $\mathcal{Q}$), so we obtain a verifiable encryption of a signature on $m$. Those skilled in the art can extend the verifiable encryption scheme to encrypt multiple messages and prove that they simultaneously satisfy multiple equations. Figure 2 is a flow diagram of key generation in a system for verifiable encryption. Figure 3 is a flow diagram of encryption in the system of Figure 2.
Figure 4 is a flow diagram of generation of a verification proof of membership in the system of Figure 2. Figure 5 is a flow diagram of decryption in the system of Figure 2.
8.3 Verifiable encryption based on the DLIN embodiment
[0170] Verifiable encryption includes key generation, encryption, verification and decryption.
• Key generation: Generate a bilinear group $gk = (p, G, G_T, e, \mathcal{P}) \leftarrow \mathcal{G}(1^k)$. Pick a soundness reference string for the NIWI proof $\sigma = (u_1, u_2, u_3) \in G^{3 \times 3}$. Pick at random $a, b \leftarrow \mathbb{Z}_p^*$ and set $\mathcal{A} = a\mathcal{P}$ and $\mathcal{B} = b\mathcal{P}$.
The public key is $pk = (gk, \sigma, \mathcal{A}, \mathcal{B})$. The secret decryption key is $sk = (a, b)$.
• Encryption: To encrypt a message $\mathcal{X}$ pick at random $r, s \leftarrow \mathbb{Z}_p$ and let the ciphertext be $c = (\mathcal{U}, \mathcal{V}, \mathcal{W}) = (r\mathcal{A}, s\mathcal{B}, \mathcal{X} + (r + s)\mathcal{P})$.
• Verification proof: To prove that the ciphertext $c = (\mathcal{U}, \mathcal{V}, \mathcal{W})$ contains $\mathcal{X}$ satisfying $e(\mathcal{X}, \mathcal{Q} + m\mathcal{P}) = e(\mathcal{P}, \mathcal{P})$ we need to prove
$$\exists\, r, s, \mathcal{X}:\ \mathcal{U} = r\mathcal{A} \ \wedge\ \mathcal{V} = s\mathcal{B} \ \wedge\ \mathcal{W} = \mathcal{X} + (r + s)\mathcal{P} \ \wedge\ e(\mathcal{X}, \mathcal{Q} + m\mathcal{P}) = e(\mathcal{P}, \mathcal{P}).$$
Since we need an NIZK proof, we start by rewriting the equations as described in Section 7:
[The rewritten equations are an image in the source and are not reproduced here.]
Observe that $\phi = 1$ and $r, s, \mathcal{X}$ chosen as in the encryption phase give a satisfying witness for the statement (provided we have indeed encrypted a Boneh-Boyen signature $\mathcal{X}$).
[0171] As in Section 7, by choosing a simulation reference string we can trapdoor open the commitment to $\phi$ to both $0$ and $1$. This means the simulator can choose $\phi = 0$ together with $r = 0$, $s = 0$ and $\mathcal{X} = \mathcal{O}$ (and the auxiliary variables introduced by the rewriting equal to $\mathcal{O}$), so that all equations are satisfied. This in turn means we can make a ZK simulation of the proof without knowing how the ciphertext $c$ was generated.
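The rewriting of Section 7 applied to the four equations of the verification proof, as an added worked example (the page's own rewritten equations are in an image that is not reproduced; this reconstruction follows the rule $\ldots + f(-\phi, t) = 0$ of Section 7 and the auxiliary variable of Section 7.1, and the name $\mathcal{Z}$ for that auxiliary variable is introduced here):
$$\phi(\phi - 1) = 0,\qquad r\mathcal{A} - \phi\,\mathcal{U} = \mathcal{O},\qquad s\mathcal{B} - \phi\,\mathcal{V} = \mathcal{O},\qquad \mathcal{X} + (r + s)\mathcal{P} - \phi\,\mathcal{W} = \mathcal{O},$$
$$\mathcal{Z} - \phi\,\mathcal{P} = \mathcal{O},\qquad e(\mathcal{X}, \mathcal{Q} + m\mathcal{P})\, e(\mathcal{Z}, \mathcal{P})^{-1} = 1.$$
With $\phi = 1$, $\mathcal{Z} = \mathcal{P}$ and $r, s, \mathcal{X}$ as used in encryption, the first five equations are the encryption equations and the last is exactly $e(\mathcal{X}, \mathcal{Q} + m\mathcal{P}) = e(\mathcal{P}, \mathcal{P})$, so the honest prover has a witness precisely when $c$ encrypts a Boneh-Boyen signature on $m$. With $\phi = 0$ the constants $\mathcal{U}, \mathcal{V}, \mathcal{W}, \mathcal{P}$ drop out, and $r = s = 0$, $\mathcal{X} = \mathcal{Z} = \mathcal{O}$ satisfies every equation regardless of $c$; that is the witness the simulator commits to on a simulation string.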
[0172] We now give an NIWI proof $\pi$ as described in Section 6 for all the equations above being simultaneously satisfiable.
• Verifying ciphertext and proof: Write out the equations as described above and verify the NIWI proof $\pi$.
• Decryption: To decrypt $c = (\mathcal{U}, \mathcal{V}, \mathcal{W})$ using the secret decryption key $(a, b)$ compute $\mathcal{X} = \mathcal{W} - a^{-1}\mathcal{U} - b^{-1}\mathcal{V}$.
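The linear encryption scheme of this embodiment exercised end to end, as an added example that is not code from the patent: key generation, encryption, decryption, the homomorphic combination of ciphertexts and the re-randomization that the mix-net of Section 8.4 relies on. It assumes a toy prime-order subgroup of $\mathbb{Z}_p^*$ in place of the pairing group $G$ (multiplicative notation instead of the patent's additive notation, and a 10-bit safe prime that is far too small for real use); the Boneh-Boyen check and the NIWI proof need a pairing and are not implemented here.

```python
"""Linear (DLIN-style) encryption from Section 8.3, in multiplicative notation.

Added example, not the patent's code.  Assumption: the order-q subgroup of
Z_p^* for the toy safe prime p = 2q + 1 stands in for the pairing group G, so
the patent's  rA, sB, X + (r+s)P  become  A^r, B^s, X * P^(r+s)  here.
Requires Python 3.8+ for pow(x, -1, m).
"""
import secrets

P = 1019                 # toy safe prime (p = 2q + 1); use a real group in practice
Q = (P - 1) // 2         # 509, the prime order of the subgroup
GEN = 4                  # 2^2 is a quadratic residue, so it generates the order-q subgroup


def encode(m):
    """Map a small integer into the subgroup so it can serve as a plaintext X."""
    return pow(GEN, m % Q, P)


def keygen(a=None, b=None):
    """sk = (a, b) in Z_q^*, pk = (A, B) = (P^a, P^b)."""
    a = secrets.randbelow(Q - 1) + 1 if a is None else a
    b = secrets.randbelow(Q - 1) + 1 if b is None else b
    return (pow(GEN, a, P), pow(GEN, b, P)), (a, b)


def encrypt(pk, x, r=None, s=None):
    """c = (U, V, W) = (A^r, B^s, X * P^(r+s)) with fresh r, s in Z_q."""
    A, B = pk
    r = secrets.randbelow(Q) if r is None else r
    s = secrets.randbelow(Q) if s is None else s
    return (pow(A, r, P), pow(B, s, P), x * pow(GEN, r + s, P) % P)


def decrypt(sk, c):
    """X = W / (U^(1/a) * V^(1/b)); the exponents 1/a and 1/b are taken mod q."""
    a, b = sk
    U, V, W = c
    mask = pow(U, pow(a, -1, Q), P) * pow(V, pow(b, -1, Q), P) % P
    return W * pow(mask, -1, P) % P


def combine(c1, c2):
    """Homomorphism: Enc(X1) * Enc(X2) (componentwise) encrypts X1 * X2."""
    return tuple(x * y % P for x, y in zip(c1, c2))


def rerandomize(pk, c, r2=None, s2=None):
    """Multiply by an encryption of the identity: same plaintext, fresh randomness."""
    return combine(c, encrypt(pk, 1, r2, s2))


def demo():
    """Round trip plus re-randomization; True when everything is consistent."""
    pk, sk = keygen()
    x = encode(123)
    c = encrypt(pk, x)
    c2 = rerandomize(pk, c, 5, 9)      # nonzero randomness, so c2 differs from c
    return decrypt(sk, c) == x and decrypt(sk, c2) == x and c2 != c
```

Decryption divides out the masks with the inverse exponents $a^{-1}, b^{-1}$ taken modulo the subgroup order, which is the multiplicative counterpart of the patent's $\mathcal{W} - a^{-1}\mathcal{U} - b^{-1}\mathcal{V}$; the `combine` function is the homomorphic property that lets a mix-server re-randomize without the decryption key.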
8.4 Mix-nets
[0173] Figure 6 shows a mix-net system wherein a plurality of senders 601 and a plurality of mix-net servers 602 are provided to a network 604. A mix-net takes a set of messages from one or more senders 601 as input and publishes them in random order (e.g., to one or more receivers 603). At the receivers 603 the messages can be decrypted and displayed. The sender of each message is thus hidden among all the other senders, so the mix-net provides some degree of anonymity. Mix-nets are for instance used in internet voting protocols, anonymous broadcast protocols, etc. The goal for the parties is to publish a message without revealing the sender. One place where this is useful is in internet voting protocols, where voters anonymously publish their votes.
[0174] A standard way of constructing mix-nets is to use a homomorphic cryptosystem, since such ciphertexts can be re-randomized. The senders encrypt their intended messages and send them to the mix-net. The mix-servers one by one take the encrypted messages, permute them and re-randomize them. After all of them have re-randomized and permuted the ciphertexts, the servers use threshold decryption to recover the messages. Provided just one server is honest, the ciphertexts get permuted completely and thus lose their link to the sender. This is what gives us anonymity. It is of course important that the decryption key is shared between the servers, such that no single server can decrypt the incoming or intermediate ciphertexts.
[0175] The construction described so far works well as long as the servers are honest but curious. However, it is easy to imagine a setting where a server might wish to replace messages with other messages, for instance votes for a particular candidate. To guard against this, it has been suggested to provide a proof of correctness of the shuffle, i.e., of the permutation and re-randomization of the ciphertexts. Such a proof guarantees that no messages are replaced. However, it is of course important that this proof keeps the permutation secret.
[0176] Research in this area has resulted in a number of interactive proofs for correctness of a shuffle that hide the permutation. To minimize server interaction it is desirable to reduce the round complexity, and several 3-move schemes have been suggested.
[0177] Some use a permutation network based approach for proving the correctness of a shuffle. The idea is to write the permutation as $n \log n$ potential transpositions. For each transposition we may choose to transpose the ciphertexts or choose not to transpose them, thus giving us the potential of selecting any of the $n!$ possible permutations. By publishing the intermediate ciphertexts in this network and by making a proof for each potential transposition that we have transposed them or not, it is straightforward to build an interactive zero-knowledge proof for the correctness of the shuffle.
[0178] The witness-indistinguishable proofs in the present disclosure give us the first non-interactive shuffle proof. We first describe our setup. We need a homomorphic cryptosystem, for instance the one based on the DLIN problem, i.e., we encrypt $m \in G$ as $(f^r, h^s, g^{r+s} m)$. This cryptosystem is semantically secure and homomorphic, and it is easy to set up a threshold decryption structure for it. The mix-servers will in addition also publish $(u, v, w)$. We now encrypt as $(f^r u^t, h^s v^t, g^{r+s} w^t m)$. If $u = f^x$, $v = h^y$, $w = g^{x+y}$ this is fine; we just get a slightly more complicated way of encrypting $m$. However, if we set it up with $u = f^x$, $v = h^y$, $w = g^z$ for $z \neq x + y$, then we have a perfectly hiding commitment scheme instead.
[0179] We can now make Abe's shuffle proof non-interactive as follows. We compute all the intermediate ciphertexts in the network. For each potential transposition we now make a WI proof that either we transposed the ciphertexts or we kept them in place, i.e., in either case we did not introduce new messages into the shuffle. In the perfectly binding case, i.e., when $u = f^x$, $v = h^y$, $w = g^{x+y}$, we can set up the proof with perfect soundness. This means we have a non-interactive proof that the shuffle is correct. On the other hand, we may compare with using $u = f^x$, $v = h^y$, $w = g^z$ with $z \neq x + y$, in which case we have perfectly hiding commitments. In this case there are many possible witnesses, and we can set up our proofs so they are perfectly witness-indistinguishable. We can therefore argue that the permutation is computationally hidden, because the cryptosystem setup that we use in the mix-net is computationally indistinguishable from the perfectly hiding setup, where we do not reveal the permutation.
[0180] The mix-net is run by a set of mix-servers $M_1, \ldots, M_k$. Each sender encrypts his message (for privacy) and sends it to the mix-net. We will now describe what the mix-servers do with the ciphertexts. The first mix-server $M_1$ permutes and re-randomizes the ciphertexts. It also provides an NIZK proof of having permuted and re-randomized correctly (otherwise it would be able to replace some ciphertexts and thus alter the messages). The second mix-server $M_2$ permutes and re-randomizes the output from $M_1$. It also provides an NIZK proof of having done this correctly. The mix-servers continue like this until all of them have permuted and re-randomized the ciphertexts. If at least one of the mix-servers is honest, the messages have now been permuted and re-randomized so that it is impossible to trace them back to the senders. The mix-servers now cooperate to decrypt.
[0181] A mix-net showing permutations of the messages in rows $1, \ldots, N$. (The messages are encrypted, so outsiders do not actually see these permutations.)
Input:  1 2 3 4 5 6
M1 out: 6 3 4 2 1 5
M2 out: 2 4 5 1 6 3
[0182] Each mix-server permutes and re-randomizes all the ciphertexts that the previous mix-server outputs. It must prove that this has been done correctly. This can be done by creating a permutation network of $\log N$ layers. In each layer we have $N/2$ pairs of ciphertexts, which can either pass on to the next layer after re-randomization or be swapped and re-randomized. (Any permutation of $N$ elements can be built from $N \log N$ swaps/non-swaps.)
A permutation of $N$ elements built from swaps/non-swaps of pairs of messages, e.g.:
Layer 1: 1 2 3 4 5 6
Layer 2: 2 1 4 3 5 6   swapping/non-swapping neighbours
Layer 3: 3 6 4 2 5 1   swapping/non-swapping 3 spaces apart
Layer 4: 6 3 4 2 1 5   swapping/non-swapping neighbours
The key operation is therefore an NIZK proof of having swapped or not swapped two ciphertexts.
[0183] Figure 7 is a flow diagram of key generation in the system of Figure 6. Figure 8 is a flow diagram of encryption in the system of Figure 6. Figure 9 is a flow diagram of re-randomization in the system of Figure 6. Figure 10 is a flow diagram of an NIZK proof of membership in the system of Figure 6.
8.5 Encryption with swap/non-swap NIZK proofs based on SXDH embodiment
[0184] Encryption with swap/non-swap NIZK proofs includes key generation, encryption, re-randomization, the swap proof, its verification and decryption.
Key generation: Generate a bilinear group $gk = (p, G_1, G_2, G_T, e, \mathcal{P}_1, \mathcal{P}_2) \leftarrow \mathcal{G}(1^k)$. Generate a soundness reference string $\sigma$ as described in Section 6. Generate an encryption key by selecting at random $a \leftarrow \mathbb{Z}_p$ and setting $\mathcal{A} = a\mathcal{P}_1$. The public key is $(gk, \sigma, \mathcal{A})$ and the secret decryption key is $a$.
Encryption: To encrypt a message $\mathcal{X} \in G_1$ pick at random $r \leftarrow \mathbb{Z}_p$ and let the ciphertext be $(\mathcal{U}, \mathcal{V}) = (r\mathcal{P}_1, \mathcal{X} + r\mathcal{A})$.
Re-randomization: To re-randomize a ciphertext $(\mathcal{U}, \mathcal{V})$ pick at random $s \leftarrow \mathbb{Z}_p$ and set
$$(\mathcal{U}', \mathcal{V}') = (\mathcal{U} + s\mathcal{P}_1, \mathcal{V} + s\mathcal{A}).$$
NIZK swap proof: Given input ciphertexts $(\mathcal{U}_1, \mathcal{V}_1)$, $(\mathcal{U}_2, \mathcal{V}_2)$ and output ciphertexts $(\mathcal{U}_1', \mathcal{V}_1')$, $(\mathcal{U}_2', \mathcal{V}_2')$ we want to make an NIZK proof that they have either been swapped or not swapped:
$$\exists\, r, s:\ \big(\mathcal{U}_1' = \mathcal{U}_1 + r\mathcal{P}_1 \ \wedge\ \mathcal{V}_1' = \mathcal{V}_1 + r\mathcal{A} \ \wedge\ \mathcal{U}_2' = \mathcal{U}_2 + s\mathcal{P}_1 \ \wedge\ \mathcal{V}_2' = \mathcal{V}_2 + s\mathcal{A}\big)$$
$$\text{OR}\ \big(\mathcal{U}_1' = \mathcal{U}_2 + s\mathcal{P}_1 \ \wedge\ \mathcal{V}_1' = \mathcal{V}_2 + s\mathcal{A} \ \wedge\ \mathcal{U}_2' = \mathcal{U}_1 + r\mathcal{P}_1 \ \wedge\ \mathcal{V}_2' = \mathcal{V}_1 + r\mathcal{A}\big).$$
As in Section 7 we do this by rewriting the equations as
$$\exists\, \phi, r, s:\ \phi(\phi - 1) = 0$$
$$\phi(\mathcal{U}_1' - \mathcal{U}_1 - r\mathcal{P}_1) = \mathcal{O} \ \wedge\ \phi(\mathcal{V}_1' - \mathcal{V}_1 - r\mathcal{A}) = \mathcal{O} \ \wedge\ \phi(\mathcal{U}_2' - \mathcal{U}_2 - s\mathcal{P}_1) = \mathcal{O} \ \wedge\ \phi(\mathcal{V}_2' - \mathcal{V}_2 - s\mathcal{A}) = \mathcal{O}$$
and
$$(1 - \phi)(\mathcal{U}_1' - \mathcal{U}_2 - s\mathcal{P}_1) = \mathcal{O} \ \wedge\ (1 - \phi)(\mathcal{V}_1' - \mathcal{V}_2 - s\mathcal{A}) = \mathcal{O} \ \wedge\ (1 - \phi)(\mathcal{U}_2' - \mathcal{U}_1 - r\mathcal{P}_1) = \mathcal{O} \ \wedge\ (1 - \phi)(\mathcal{V}_2' - \mathcal{V}_1 - r\mathcal{A}) = \mathcal{O}.$$
Here $\phi = 1$ selects the non-swapped branch and $\phi = 0$ the swapped branch. We then give an NIWI proof $(\pi, \psi)$ as in Section 6 for these equations being simultaneously satisfiable.
Verifying swap proof: Verify the NIWI proof $(\pi, \psi)$ for the equations above. Decryption: To decrypt $(\mathcal{U}, \mathcal{V})$ compute $\mathcal{X} = \mathcal{V} - a\mathcal{U}$.
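The swap/non-swap gate of this section and the layered permutation network of Section 8.4, as an added example that is not code from the patent. It uses the ElGamal-style encryption above over a toy prime-order subgroup of $\mathbb{Z}_p^*$ standing in for $G_1$ (multiplicative notation, a 10-bit safe prime far too small for real use), and it replaces the NIWI proof with a plain check of the OR relation against the prover's witness $(\phi, r, s)$; that relation is what the NIZK proof establishes without revealing $\phi$, $r$ or $s$. The layer structure (pairs at distance 1, 3, 1 for $N = 6$) follows the example in the text, and the names `gate`, `gate_relation`, `shuffle_layer` and `mix_server` are this example's own.

```python
"""Swap/non-swap gates over re-randomizable ElGamal ciphertexts (Section 8.5),
composed into the permutation network of Section 8.4.

Added example, not the patent's code.  Assumption: the order-q subgroup of
Z_p^* for the toy safe prime p = 2q + 1 stands in for G_1, so the patent's
(rP_1, X + rA) becomes (g^r, X * A^r).  `gate_relation` evaluates, with the
witness in the clear, the statement a real mix-server would prove with the
NIWI proof instead of publishing (phi, r, s).  Requires Python 3.8+.
"""
import secrets

P, Q, GEN = 1019, 509, 4          # toy group: p = 2q + 1, GEN has order q


def keygen(a=None):
    a = secrets.randbelow(Q - 1) + 1 if a is None else a
    return pow(GEN, a, P), a                       # pk = A = g^a, sk = a


def encrypt(A, x, r=None):
    r = secrets.randbelow(Q) if r is None else r
    return (pow(GEN, r, P), x * pow(A, r, P) % P)  # (U, V) = (g^r, X * A^r)


def decrypt(a, ct):
    U, V = ct
    return V * pow(pow(U, a, P), -1, P) % P        # X = V / U^a


def rerandomize(A, ct, s):
    U, V = ct
    return (U * pow(GEN, s, P) % P, V * pow(A, s, P) % P)


def gate(A, c1, c2, swap, r=None, s=None):
    """One swap/non-swap gate: returns the two output ciphertexts and the
    witness (phi, r, s) the NIZK proof would be built from (phi = 1: not swapped)."""
    r = secrets.randbelow(Q) if r is None else r
    s = secrets.randbelow(Q) if s is None else s
    phi = 0 if swap else 1
    if phi == 1:
        out = (rerandomize(A, c1, r), rerandomize(A, c2, s))
    else:
        out = (rerandomize(A, c2, s), rerandomize(A, c1, r))
    return out, (phi, r, s)


def gate_relation(A, c1, c2, o1, o2, witness):
    """The OR statement of Section 8.5 with phi(phi - 1) = 0 enforced:
    phi = 1 checks the non-swapped branch, phi = 0 the swapped branch."""
    phi, r, s = witness
    if phi not in (0, 1):
        return False
    if phi == 1:
        return o1 == rerandomize(A, c1, r) and o2 == rerandomize(A, c2, s)
    return o1 == rerandomize(A, c2, s) and o2 == rerandomize(A, c1, r)


def shuffle_layer(A, cts, distance, swaps):
    """Apply gates to the pairs (i, i + distance) inside blocks of 2 * distance,
    as in the text's layers (distance 1, 3, 1 for N = 6).  Returns the new
    ciphertext list and the per-gate (pair, witness) records."""
    out, records, n = list(cts), [], len(cts)
    pairs = [(i, i + distance) for b in range(0, n, 2 * distance)
             for i in range(b, b + distance) if i + distance < n]
    for (i, j), swap in zip(pairs, swaps):
        (out[i], out[j]), w = gate(A, cts[i], cts[j], swap)
        records.append(((i, j), w))
    return out, records


def verify_layer(A, cts_in, cts_out, records):
    """What a verifier checks per layer; here via the witnesses, in the real
    scheme via one NIZK swap proof per gate."""
    return all(gate_relation(A, cts_in[i], cts_in[j], cts_out[i], cts_out[j], w)
               for (i, j), w in records)


def mix_server(A, cts, layers):
    """layers = [(distance, swap bits), ...]; returns the outputs and a
    transcript of (inputs, outputs, records) per layer."""
    transcript, cur = [], cts
    for distance, swaps in layers:
        nxt, recs = shuffle_layer(A, cur, distance, swaps)
        transcript.append((cur, nxt, recs))
        cur = nxt
    return cur, transcript


def verify_transcript(A, transcript):
    return all(verify_layer(A, i, o, r) for i, o, r in transcript)
```

A server that replaces a message in some gate's output cannot produce a witness for either branch of the relation, while every output of an honest gate is a re-randomization of one of its two inputs; chaining the per-layer checks is what guarantees the final list decrypts to a permutation of the senders' messages without revealing which permutation.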
8.6 Blind Signatures
[0185] In blind signatures there is a signing server and a set of users. The users should be able to obtain signatures on messages of their choice from the signing server. At the same time, the signing server should not learn which message it is signing. Blind signatures have applications in e-cash and anonymous credentials.
[0186] It is straightforward to construct a blind signature scheme using the present witness-indistinguishable techniques. The server will have a verification key for a signature scheme as well as a public key for a commitment scheme. There will be two types of keys for the commitment scheme, one being such that a secret decryption key can be used to extract messages. The other type of public key will give a perfectly hiding commitment. The blind signature protocol now works as follows. The user commits to his message and sends the commitment to the signing server. The signing server signs this commitment. The user can now take his message and create a WI proof of knowing a commitment to the message together with a signature on that commitment. Since the commitment is perfectly hiding and the WI proof is perfectly witness-indistinguishable, there is no way to link the message to the original input to the server.
8.7 Ring Signatures
[0187] In ring signatures we have a number of public verification keys for various users. We want to make a signature such that we know one of the users has signed, yet we do not want to reveal which user signed the message. This could for instance be useful in whistleblower cases, enabling employees of a company to identify themselves as being from the particular company and testify to malpractice, yet remain anonymous. The central idea in this protocol is that the signer makes a witness-indistinguishable proof of knowledge that he knows a signature on the message under one of the keys, yet does not reveal which of the verification keys the signature corresponds to.
[0188] The above disclosure shows the construction of efficient non-interactive cryptographic proofs for use in bilinear groups. These proofs can be instantiated with many different types of bilinear groups, and the security of the proofs can be based on many different types of intractability assumptions, of which we have given various example embodiments and applications. One of ordinary skill in the art will recognize that other embodiments will be apparent from the disclosure. For example, the embodiments shown are based on modules over bilinear groups. One of ordinary skill in the art will recognize that these techniques do not require the modules to be cyclic, as is the case for bilinear groups. Other types of modules with a bilinear map exist which are not constructed from bilinear groups.
[0189] While the present disclosure has been described in connection with various embodiments, it is understood that similar aspects may be used or modifications and additions may be made to the described aspects of the disclosed embodiments for performing the same function of the present disclosure without deviating therefrom. Therefore, the present disclosure should not be limited to any single aspect, but rather construed in breadth and scope in accordance with the appended claims.
A Quick Reference to Notation
Bilinear groups.
$G_1, G_2, G_T$: cyclic groups with bilinear map $e: G_1 \times G_2 \to G_T$. $\mathcal{P}_1, \mathcal{P}_2$: generators of respectively $G_1$ and $G_2$. Group order: prime order $p$ or composite order $n$.
Modules with bilinear map.
$\mathcal{R}$: finite commutative ring $(\mathcal{R}, +, \cdot, 0, 1)$. $A_1, A_2, A_T, B_1, B_2, B_T$: $\mathcal{R}$-modules. $f, F$: bilinear maps $f: A_1 \times A_2 \to A_T$ and $F: B_1 \times B_2 \to B_T$. $x \cdot y := \sum_{i=1}^{n} f(x_i, y_i)$.
Properties that follow from bilinearity: $x \cdot My = M^{\top}x \cdot y$, and the same identity for $F$ on $B_1 \times B_2$.
Commutative diagram of maps in setup.
$A_1 \times A_2 \xrightarrow{\ f\ } A_T$, with $\iota_1, p_1$ between $A_1$ and $B_1$, $\iota_2, p_2$ between $A_2$ and $B_2$, and $\iota_T, p_T$ between $A_T$ and $B_T$;
$B_1 \times B_2 \xrightarrow{\ F\ } B_T$.
Commutative properties: $F(\iota_1(x), \iota_2(y)) = \iota_T(f(x, y))$, $f(p_1(x), p_2(y)) = p_T(F(x, y))$.
Equations.
(Secret) variables: $x \in A_1^m$, $y \in A_2^n$. (Public) constants: $a \in A_1^n$, $b \in A_2^m$, $\Gamma \in \mathrm{Mat}_{m \times n}(\mathcal{R})$, $t \in A_T$. Equations: $a \cdot y + x \cdot b + x \cdot \Gamma y = t$.
Commitments.
Commitment keys: [image in the source, not reproduced]
Commitments: [image in the source, not reproduced]
NIWI proofs.
Additional setup information: [image in the source, not reproduced]
Randomness in proofs: [image in the source, not reproduced]
Proofs: [image in the source, not reproduced]
Verification: [image in the source, not reproduced]

Claims

WHAT IS CLAIMED IS:
1. A method for verification of encrypted data, comprising: encrypting data using an encryption algorithm related to groups with a bilinear map to produce encrypted data; and using a witness-independent algorithm to verify said data.
2. The method of Claim 1, further comprising sending said encrypted data as part of a key exchange.
3. The method of Claim 1, further comprising sending said encrypted data as part of a non-interactive shuffle.
4. An apparatus for verification of encrypted data, comprising: a computer memory provided to a computer processor; and a program loaded into said computer memory, said program configured to verify encrypted data using a witness-independent algorithm and according to selected groups with a bilinear map, wherein said witness-independent algorithm uses commitments of variables from said bilinear map to verify said encrypted data.
5. A method for generating a proof of membership, the method comprising: receiving a common reference string comprising a group order, a description of a first group having the group order, a description of a second group having the group order, a description of a bilinear map from the first group to the second group, a first generator of the first group, and a second generator of a proper nontrivial subgroup of the first group; receiving a message from a first computing entity; identifying a ciphertext encrypting the message; determining a proof value comprising a triple of values from the first group, said triple of values generated using a unit from the group of integers modulo the group order, the first generator, the second generator, the message, and the secret integer value; and communicating the proof value to a second computing entity.
6. The method as recited in Claim 5, wherein identifying a ciphertext comprises receiving the ciphertext from the first computing entity.
7. The method as recited in Claim 5, wherein identifying a ciphertext comprises computing the ciphertext using at least the first generator, the message, the second generator, and a secret integer value.
8. A proof system comprising: a common reference string computed from a group order, a description of a first group having the group order, a description of a second group having the group order, a description of a bilinear map from the first group to the second group, a first generator of the first group, wherein said common reference string is computed from commitments of variables mapped by said bilinear map; a message, said message having been generated by a first computing entity; a ciphertext representing an encryption of the message, said ciphertext having been generated using elements of the common reference string and a secret integer value; a proof value comprising a plurality of values from the first group, said plurality of values generated using a unit from the group of integers modulo the group order, the first generator, the second generator, the message, and the secret integer value; and a communications module for communicating the proof value to a second computing entity.
9. The system of claim 8 wherein the plurality is a triple.
10. The system of Claim 8, further comprising: a verifier configured to receive the common reference key, the ciphertext, and the proof value and to verify that relationships hold when the bilinear map is applied to selected elements of the common reference key, the ciphertext, and the proof value.
11. A method of verifying a proof, the method comprising: receiving a common reference key comprising a group order, a description of a first group having the group order, a description of a second group having the group order, a description of a bilinear map from the first group to the second group, a first generator of the first group, and a second generator of a proper subgroup of the first group; receiving a ciphertext encrypting a message; receiving a proof value, said proof value comprising a triple of values from the first group; using the bilinear map, the first generator, the second generator, the ciphertext, and the proof value to determine whether the ciphertext encrypts a value from a set of values; and generating a signal representative of the determination.
12. A method for generating a proof, the method comprising: receiving a common reference string computed at least in part from a description of a first group, said first group comprising a DLIN group, a description of a second group having the group order, a description of a bilinear map from the first group to the second group, a plurality of generators of the first group, and a first plurality of values from the first group, wherein the first plurality of values from the first group have a relationship to the plurality of generators; receiving a message from a first computing entity; identifying a ciphertext encrypting the message and comprising a second plurality of values from the first group, the values of the second plurality of values from the first group determined at least in part by a relationship of the plurality of generators; determining a proof value comprising a matrix of values from the first group, said matrix of values computed at least in part from commitments to variables in said relationship and from a satisfying witness to said relationship; and communicating the proof value to a second computing entity.
13. The method as recited in Claim 12, wherein identifying a ciphertext comprises receiving the ciphertext from the first computing entity.
14. The method as recited in Claim 12, wherein identifying a ciphertext comprises computing the ciphertext.
15. A system for generating a proof, the system comprising: a common reference string comprising a prime group order p, a description of a first group as an SXDH group, a description of a second group, a description of a bilinear map from the first group to the second group, a plurality of generators of the first group, and a first plurality of values from the first group; a message received from a first computing entity; a ciphertext encrypting the message and satisfying at least one first equation; a proof value computed from proof equations, wherein coefficients for said proof equations are computed at least in part from commitments to said first equation; and a communications module for communicating the proof value to a second computing entity.
PCT/US2007/085018 2006-11-17 2007-11-16 Efficient non-interactive proof systems for bilinear groups WO2008127428A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US85987506P 2006-11-17 2006-11-17
US60/859,875 2006-11-17

Publications (2)

Publication Number Publication Date
WO2008127428A2 true WO2008127428A2 (en) 2008-10-23
WO2008127428A3 WO2008127428A3 (en) 2008-12-24

Family

ID=39864548

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2007/085018 WO2008127428A2 (en) 2006-11-17 2007-11-16 Efficient non-interactive proof systems for bilinear groups

Country Status (1)

Country Link
WO (1) WO2008127428A2 (en)


Also Published As

Publication number Publication date
WO2008127428A3 (en) 2008-12-24


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07873621

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07873621

Country of ref document: EP

Kind code of ref document: A2