We show completeness, soundness, and zero-knowledge separately.
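Completeness. Take any statement $x$ and witness $w$ where $\mathcal{R}(x, w) = 1$. Let $(k_P, k_V) \leftarrow \mathsf{Setup}(1^\lambda)$, where $k_P = (k_{\mathsf{SE}}, \vec{\mathsf{pk}}_{\mathsf{HS}}, \mathsf{vk}_{\mathsf{HS}}, \vec{\sigma}_k)$. Take $(\mathsf{ct}, \sigma^*_{x,\mathsf{ct}}) \leftarrow \mathsf{Prove}(k_P, x, w)$. By correctness of $\Pi_{\mathsf{SE}}$,

$$C_{x,\mathsf{ct}}(k_{\mathsf{SE}}) = \mathcal{R}(x, \mathsf{SE.Decrypt}(k_{\mathsf{SE}}, \mathsf{ct})) = \mathcal{R}(x, w) = 1.$$

Completeness of $\Pi_{\mathsf{NIZK}}$ then follows from evaluation correctness (Definition 3.3) and hiding correctness (Definition 3.4) of $\Pi_{\mathsf{HS}}$.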
Soundness. At a high level, soundness follows from (selective) unforgeability of $\Pi_{\mathsf{HS}}$ (Definition 3.5, Remark 3.6). An adversary that succeeds in breaking soundness must produce a statement $x \notin \mathcal{L}$, a ciphertext $\mathsf{ct}$ and a signature $\sigma^*_{x,\mathsf{ct}}$ on the message 1 with respect to the function $C_{x,\mathsf{ct}}$. Since $x \notin \mathcal{L}$, there does not exist any witness $w \in \{0,1\}^m$ where $\mathcal{R}(x, w) = 1$, which means that there are no inputs to $C_{x,\mathsf{ct}}$ where the output is 1. More formally, suppose there is an adversary $\mathcal{A}$ that breaks soundness of $\Pi_{\mathsf{NIZK}}$ with advantage $\varepsilon$. We use $\mathcal{A}$ to construct an adversary $\mathcal{B}$ that breaks selective unforgeability of $\Pi_{\mathsf{HS}}$. Algorithm $\mathcal{B}$ works as follows:
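1. At the beginning of the selective unforgeability game, algorithm $\mathcal{B}$ generates a secret key $k_{\mathsf{SE}} \leftarrow \mathsf{SE.KeyGen}(1^\lambda)$, and sends $k_{\mathsf{SE}}$ to the challenger. The challenger replies with the public parameters $\vec{\mathsf{pk}}_{\mathsf{HS}}$, the verification key $\mathsf{vk}_{\mathsf{HS}}$ and a signature $\vec{\sigma}_k$.
2. Algorithm $\mathcal{B}$ sets $k_P = (k_{\mathsf{SE}}, \vec{\mathsf{pk}}_{\mathsf{HS}}, \mathsf{vk}_{\mathsf{HS}}, \vec{\sigma}_k)$ and gives $k_P$ to $\mathcal{A}$.
3. Whenever $\mathcal{A}$ makes an oracle query to the verification oracle, algorithm $\mathcal{B}$ answers according to the specification in Construction 4.3. Note that the verification algorithm only depends on $\vec{\mathsf{pk}}_{\mathsf{HS}}$ and $\mathsf{vk}_{\mathsf{HS}}$, both of which are known to $\mathcal{B}$ (and in fact $\mathcal{A}$). Notably, the secret signing key $\mathsf{sk}_{\mathsf{HS}}$ is not needed to run $\mathsf{Verify}$.
4. At the end of the game, when $\mathcal{A}$ outputs a statement $x$ and a proof $\pi = (\mathsf{ct}, \sigma^*_{x,\mathsf{ct}})$, algorithm $\mathcal{B}$ gives the circuit $C_{x,\mathsf{ct}}$, the message 1, and the signature $\sigma^*_{x,\mathsf{ct}}$ to the challenger.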
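By construction, algorithm $\mathcal{B}$ perfectly simulates the prover key for $\mathcal{A}$. Thus, with probability $\varepsilon$, algorithm $\mathcal{A}$ outputs $x \notin \mathcal{L}$ such that $\sigma^*_{x,\mathsf{ct}}$ is a valid signature on the message 1 with respect to the function $C_{x,\mathsf{ct}}$. By definition, $C_{x,\mathsf{ct}}(k_{\mathsf{SE}}) = 0$, so $\sigma^*_{x,\mathsf{ct}}$ is a valid forgery. Soundness follows.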
Zero-Knowledge. At a high level, zero-knowledge follows by CPA-security of the encryption scheme and weak context-hiding of the homomorphic signature scheme. Since $\Pi_{\mathsf{HS}}$ is weak context-hiding (Definition 3.8), there exists an efficient simulator $\mathcal{S}_{\mathsf{ch}}$ that can simulate the signatures output
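• On input the security parameter $\lambda$ and the verification state $k_V = (\vec{\mathsf{pk}}_{\mathsf{HS}}, \mathsf{vk}_{\mathsf{HS}}, \mathsf{sk}_{\mathsf{HS}})$ where $\vec{\mathsf{pk}}_{\mathsf{HS}} = (\mathsf{pk}_1, \ldots, \mathsf{pk}_\rho)$, algorithm $\mathcal{S}_1$ samples a secret key $k_{\mathsf{SE}} \leftarrow \mathsf{SE.KeyGen}(1^\lambda)$. Next, it computes $\vec{\sigma}_k^{\mathsf{pk}} \leftarrow \mathsf{SignPK}(\vec{\mathsf{pk}}_{\mathsf{HS}}, \mathsf{sk}_{\mathsf{HS}})$, and outputs the state $\tau_V = (k_{\mathsf{SE}}, \vec{\sigma}_k^{\mathsf{pk}})$.
• On input the verification state $k_V = (\vec{\mathsf{pk}}_{\mathsf{HS}}, \mathsf{vk}_{\mathsf{HS}}, \mathsf{sk}_{\mathsf{HS}})$, the simulation state $\tau_V = (k_{\mathsf{SE}}, \vec{\sigma}_k^{\mathsf{pk}})$, and a statement $x \in \{0,1\}^n$, the simulator algorithm $\mathcal{S}_2$ begins by constructing a ciphertext $\mathsf{ct} \leftarrow \mathsf{SE.Encrypt}(k_{\mathsf{SE}}, 0^m)$. Then, it computes $\mathsf{pk}_{x,\mathsf{ct}} \leftarrow \mathsf{PrmsEval}(C_{x,\mathsf{ct}}, \vec{\mathsf{pk}}_{\mathsf{HS}})$, $\sigma^{\mathsf{pk}}_{x,\mathsf{ct}} \leftarrow \mathsf{SigEvalPK}(C_{x,\mathsf{ct}}, \vec{\mathsf{pk}}_{\mathsf{HS}}, \vec{\sigma}_k^{\mathsf{pk}})$, and finally, it simulates the signature by computing $\sigma^{\mathsf{m}}_{x,\mathsf{ct}} \leftarrow \mathcal{S}_{\mathsf{ch}}(\mathsf{pk}_{x,\mathsf{ct}}, \mathsf{vk}_{\mathsf{HS}}, \mathsf{sk}_{\mathsf{HS}}, 1, \sigma^{\mathsf{pk}}_{x,\mathsf{ct}})$, and outputs the simulated proof $\pi = (\mathsf{ct}, \sigma^*_{x,\mathsf{ct}})$, where $\sigma^*_{x,\mathsf{ct}} = (\sigma^{\mathsf{pk}}_{x,\mathsf{ct}}, \sigma^{\mathsf{m}}_{x,\mathsf{ct}})$.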
To complete the proof, we use a hybrid argument:
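• $\mathsf{hyb}_0$: This is the experiment where the adversary has access to $\mathcal{O}_0$, where $\mathcal{O}_0(k_P, x, w) := \mathsf{Prove}(k_P, x, w)$.
• $\mathsf{hyb}_1$: Same as $\mathsf{hyb}_0$, except the $\mathsf{Prove}(k_P, x, w)$ queries are handled as follows:
  1. The challenger first computes $\mathsf{ct} \leftarrow \mathsf{SE.Encrypt}(k_{\mathsf{SE}}, w)$.
  2. Next, it computes the public key $\mathsf{pk}_{x,\mathsf{ct}} \leftarrow \mathsf{PrmsEval}(C_{x,\mathsf{ct}}, \vec{\mathsf{pk}}_{\mathsf{HS}})$, a public signature component $\sigma^{\mathsf{pk}}_{x,\mathsf{ct}} \leftarrow \mathsf{SigEvalPK}(C_{x,\mathsf{ct}}, \vec{\mathsf{pk}}_{\mathsf{HS}}, \vec{\sigma}_k^{\mathsf{pk}})$, and a simulated signature $\sigma^{\mathsf{m}}_{x,\mathsf{ct}} \leftarrow \mathcal{S}_{\mathsf{ch}}(\mathsf{pk}_{x,\mathsf{ct}}, \mathsf{vk}_{\mathsf{HS}}, \mathsf{sk}_{\mathsf{HS}}, 1, \sigma^{\mathsf{pk}}_{x,\mathsf{ct}})$. Here $\vec{\sigma}_k = (\vec{\sigma}_k^{\mathsf{pk}}, \vec{\sigma}_k^{\mathsf{m}})$ is the signature on $k_{\mathsf{SE}}$ the challenger generated from $\mathsf{Setup}$ (and is part of the proving key $k_P$).
  3. Finally, the challenger responds with $\pi = (\mathsf{ct}, \sigma^*_{x,\mathsf{ct}})$, where $\sigma^*_{x,\mathsf{ct}} = (\sigma^{\mathsf{pk}}_{x,\mathsf{ct}}, \sigma^{\mathsf{m}}_{x,\mathsf{ct}})$.
• $\mathsf{hyb}_2$: Same as $\mathsf{hyb}_1$, except the challenger replaces the encryption of $w$ with an encryption of $0^m$ when answering the $\mathsf{Prove}(k_P, x, w)$ queries.
• $\mathsf{hyb}_3$: This is the experiment where the adversary has access to $\mathcal{O}_1$, where $\mathcal{O}_1(k_V, \tau_V, x, w) := \mathcal{S}_2(k_V, \tau_V, x)$.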
We now briefly argue that each pair of hybrids is computationally indistinguishable:
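• Hybrids $\mathsf{hyb}_0$ and $\mathsf{hyb}_1$ are computationally indistinguishable by weak context-hiding security of $\Pi_{\mathsf{HS}}$. Specifically, if $\mathcal{A}$ is able to distinguish $\mathsf{hyb}_0$ and $\mathsf{hyb}_1$, then we can construct an adversary $\mathcal{B}$ that breaks context-hiding as follows:
  1. At the beginning of the game, algorithm $\mathcal{B}$ receives a signing and a verification key $(\mathsf{vk}_{\mathsf{HS}}, \mathsf{sk}_{\mathsf{HS}})$ from the challenger. It then samples parameters $\vec{\mathsf{pk}}_{\mathsf{HS}} \leftarrow \mathsf{PrmsGen}(1^\lambda, 1^\rho)$, a symmetric key $k_{\mathsf{SE}} \leftarrow \mathsf{SE.KeyGen}(1^\lambda)$ and a signature $\vec{\sigma}_k \leftarrow \mathsf{Sign}(\vec{\mathsf{pk}}_{\mathsf{HS}}, \mathsf{sk}_{\mathsf{HS}}, k_{\mathsf{SE}})$. Algorithm $\mathcal{B}$ constructs the verification key $k_V = (\vec{\mathsf{pk}}_{\mathsf{HS}}, \mathsf{vk}_{\mathsf{HS}}, \mathsf{sk}_{\mathsf{HS}})$ and sends it to $\mathcal{A}$.
  2. When $\mathcal{A}$ makes an oracle query on a pair $(x, w)$ where $\mathcal{R}(x, w) = 1$, algorithm $\mathcal{B}$ simulates the response by first computing $\mathsf{ct} \leftarrow \mathsf{SE.Encrypt}(k_{\mathsf{SE}}, w)$. Next, it computes $\sigma_{x,\mathsf{ct}} \leftarrow \mathsf{SigEval}(C_{x,\mathsf{ct}}, \vec{\mathsf{pk}}_{\mathsf{HS}}, k_{\mathsf{SE}}, \vec{\sigma}_k)$ and parses the result as $\sigma_{x,\mathsf{ct}} = (\sigma^{\mathsf{pk}}_{x,\mathsf{ct}}, \sigma^{0}_{x,\mathsf{ct}})$. It also computes $\mathsf{pk}_{x,\mathsf{ct}} \leftarrow \mathsf{PrmsEval}(C_{x,\mathsf{ct}}, \vec{\mathsf{pk}}_{\mathsf{HS}})$, and sends the public key $\mathsf{pk}_{x,\mathsf{ct}}$, the message 1, and the signature $(\sigma^{\mathsf{pk}}_{x,\mathsf{ct}}, \sigma^{0}_{x,\mathsf{ct}})$ to the context-hiding challenger. The challenger replies with a refreshed signature $\sigma^*_{x,\mathsf{ct}}$. Algorithm $\mathcal{B}$ responds to the query with $(\mathsf{ct}, \sigma^*_{x,\mathsf{ct}})$.
  3. At the end of the experiment, $\mathcal{B}$ outputs whatever $\mathcal{A}$ outputs.
  By construction, if the signatures returned by the context-hiding challenger are generated using the $\mathsf{Hide}$ algorithm, then $\mathcal{B}$ perfectly simulates $\mathsf{hyb}_0$, while if the signatures are generated using the simulator, then $\mathcal{B}$ perfectly simulates $\mathsf{hyb}_1$. Indistinguishability of the two hybrids thus follows by context-hiding.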
• Hybrids $\mathsf{hyb}_1$ and $\mathsf{hyb}_2$ are computationally indistinguishable by CPA-security of $\Pi_{\mathsf{SE}}$. Specifically, the challenger's logic in $\mathsf{hyb}_1$ and $\mathsf{hyb}_2$ does not depend on $k_{\mathsf{SE}}$, so we can simulate the two hybrid experiments given access to an encryption oracle. Note that the signature component $\vec{\sigma}_k^{\mathsf{pk}}$ needed to respond to queries in $\mathsf{hyb}_1$ and $\mathsf{hyb}_2$ is only the public component of the signature (and can be generated without knowledge of the actual secret key $k_{\mathsf{SE}}$).
• Hybrids $\mathsf{hyb}_2$ and $\mathsf{hyb}_3$ are identical experiments. Namely, the behavior of the challenger in $\mathsf{hyb}_2$ precisely coincides with the behavior in the experiment where the adversary is given access to the oracle $\mathcal{O}_1(k_V, \tau_V, x, w) := \mathcal{S}_2(k_V, \tau_V, x)$.
Since each pair of hybrid experiments is computationally indistinguishable, we conclude that $\Pi_{\mathsf{NIZK}}$ provides zero-knowledge.
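
The circuit $C_{x,\mathsf{ct}}$ that the completeness and soundness arguments turn on, and the $0^m$ ciphertext used in $\mathsf{hyb}_2$ and by $\mathcal{S}_2$, as an added toy example that is not code from the paper. The relation (square roots modulo 251), the one-byte HMAC-based cipher and all function names are assumptions chosen so the ciphertext space can be enumerated; the homomorphic signature layer $\Pi_{\mathsf{HS}}$ is not modelled.

```python
import hashlib
import hmac
import os

P = 251  # toy modulus (assumption): R(x, w) = 1 iff w*w = x (mod P), w is 8 bits


def R(x, w):
    return int((w * w) % P == x)


def _pad(k, nonce):
    # One keystream byte per nonce; toy stand-in for a CPA-secure SE scheme.
    return hmac.new(k, bytes([nonce]), hashlib.sha256).digest()[0]


def se_encrypt(k, w, nonce=None):
    nonce = os.urandom(1)[0] if nonce is None else nonce
    return nonce, w ^ _pad(k, nonce)


def se_decrypt(k, ct):
    nonce, body = ct
    return body ^ _pad(k, nonce)


def circuit(x, ct):
    """C_{x,ct}: k -> R(x, SE.Decrypt(k, ct)), the function the proof's signature is tied to."""
    return lambda k: R(x, se_decrypt(k, ct))


def accepting_ciphertexts(x, k):
    """Count every ct in the (tiny) ciphertext space with C_{x,ct}(k) = 1."""
    return sum(circuit(x, (n, b))(k) for n in range(256) for b in range(256))


if __name__ == "__main__":
    k_se = os.urandom(16)
    x_in, w = 49, 7   # 7*7 = 49, so x_in is in L
    x_out = 250       # -1 is a non-residue mod 251 (251 = 3 mod 4), so x_out is not in L
    print("completeness:", circuit(x_in, se_encrypt(k_se, w))(k_se))       # 1
    print("ct with C=1, x in L:    ", accepting_ciphertexts(x_in, k_se))    # 512
    print("ct with C=1, x not in L:", accepting_ciphertexts(x_out, k_se))   # 0
    # hyb2 and S_2 encrypt 0^m, so C_{x,ct}(k_SE) = R(x, 0) = 0 here; the simulated
    # signature on message 1 comes from S_ch, which is given sk_HS.
    print("simulated ct:", circuit(x_in, se_encrypt(k_se, 0))(k_se))        # 0
```

For the statement outside the language no ciphertext at all makes the circuit output 1 on the signed key, which is why any accepting proof for it is a forgery in the reduction.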