On QA-NIZK in the BPK Model

Behzad Abdolmaleki, Helger Lipmaa, Janno Siim, Michał Zajac

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Recently, Bellare et al. defined subversion-resistance (security in the case the CRS creator may be malicious) for NIZK. In particular, a Sub-ZK NIZK is zero-knowledge, even in the case of subverted CRS. We study Sub-ZK QA-NIZKs, where the CRS can depend on the language parameter. First, we observe that subversion zero-knowledge (Sub-ZK) in the CRS model corresponds to no-auxiliary-string non-black-box NIZK in the Bare Public Key model, and hence, the use of non-black-box techniques is needed to obtain Sub-ZK. Second, we give a precise definition of Sub-ZK QA-NIZKs that are (knowledge-)sound if the language parameter but not the CRS is subverted and zero-knowledge even if both are subverted. Third, we prove that the most efficient known QA-NIZK for linear subspaces by Kiltz and Wee is Sub-ZK under a new knowledge assumption that by itself is secure in (a weaker version of) the algebraic group model. Depending on the parameter setting, it is (knowledge-)sound under different non-falsifiable assumptions, some of which do not belong to the family of knowledge assumptions.
Original languageEnglish
Title of host publicationPublic-Key Cryptography -- PKC 2020
EditorsAggelos Kiayias, Markulf Kohlweiss, Petros Wallden, Vassilis Zikas
Place of PublicationCham
PublisherSpringer International Publishing
Number of pages31
ISBN (Electronic)978-3-030-45374-9
ISBN (Print)978-3-030-45373-2
Publication statusPublished - 29 Apr 2020
EventIACR International Conference on Practice and Theory of Public-Key Cryptography 2020 - Online
Duration: 1 Jun 20204 Jun 2020

Publication series

NameLecture Notes in Computer Science
PublisherSpringer, Cham
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


ConferenceIACR International Conference on Practice and Theory of Public-Key Cryptography 2020
Abbreviated titlePKC 2020
Internet address


Dive into the research topics of 'On QA-NIZK in the BPK Model'. Together they form a unique fingerprint.

Cite this