Switching Lemma for Bilinear Tests and Constant-Size NIZK Proofs for Linear Subspaces

We state a switching lemma for tests on adversarial responses involving bilinear pairings in hard groups, where the tester can effectively switch the randomness used in the test from being given to the adversary at the outset to being chosen after the adversary commits its response. The switching lemma can be based on any k-linear hardness assumptions on one of the groups. In particular, this enables convenient information theoretic arguments in the construction of sequence of games proving security of cryptographic schemes, mimicking proofs and constructions in the random oracle model. As an immediate application, we show that the computationally-sound quasi-adaptive NIZK proofs for linear subspaces that were recently introduced [JR13] can be further shortened to constant-size proofs, independent of the number of witnesses and equations. In particular, under the XDH assumption, a length n vector of group elements can be proven to belong to a subspace of rank t with a quasi-adaptive NIZK proof consisting of just a single group element. Similar quasi-adaptive aggregation of proofs is also shown for Groth-Sahai NIZK proofs of linear multi-scalar multiplication equations, as well as linear pairing-product equations (equations without any quadratic terms).