{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,20]],"date-time":"2025-10-20T10:30:48Z","timestamp":1760956248430,"version":"3.41.2"},"reference-count":73,"publisher":"International Association for Cryptologic Research","license":[{"start":{"date-parts":[[2024,7,8]],"date-time":"2024-07-08T00:00:00Z","timestamp":1720396800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100000266","name":"Engineering and Physical Sciences Research Council","doi-asserted-by":"publisher","award":["EP\/V034065\/1"],"award-info":[{"award-number":["EP\/V034065\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001659","name":"Deutsche Forschungsgemeinschaft","doi-asserted-by":"publisher","award":["SFB 1119 \u2013 236615297"],"award-info":[{"award-number":["SFB 1119 \u2013 236615297"]}],"id":[{"id":"10.13039\/501100001659","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,9,2]]},"abstract":"<jats:p>The generic-group model (GGM) and the algebraic-group model (AGM) have been exceptionally successful in proving the security of many classical and modern cryptosystems. These models, however, come with standard-model uninstantiability results, raising the question of whether the schemes analyzed under them can be based on firmer standard-model footing.<\/jats:p>\n          <jats:p>We formulate the uber-knowledge (UK) assumption, a standard-model assumption that naturally extends the uber-assumption family to knowledge-type problems. We justify the soundness of UK in both the bilinear GGM and the bilinear AGM. Along the way we extend these models to account for hashing into groups, an adversarial capability that is available in many concrete groups\u2014In contrast to standard assumptions, hashing may affect the validity of knowledge assumptions. These results, in turn, enable a modular approach to security in the GGM and the AGM.<\/jats:p>\n          <jats:p>As example applications, we use the UK assumption to prove knowledge soundness of Groth's zero-knowledge SNARK (EUROCRYPT 2016) and of KZG polynomial commitments (ASIACRYPT 2010) in the standard model, where for the former we reuse the existing proof in the AGM without hashing. <\/jats:p>","DOI":"10.62056\/anr-zoja5","type":"journal-article","created":{"date-parts":[[2024,10,7]],"date-time":"2024-10-07T15:13:33Z","timestamp":1728314013000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":5,"title":["The Uber-Knowledge Assumption: A Bridge to the AGM"],"prefix":"10.62056","author":[{"ORCID":"https:\/\/orcid.org\/0009-0003-1469-5405","authenticated-orcid":false,"given":"Balthazar","family":"Bauer","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/03mkjjy25","id-type":"ROR","asserted-by":"publisher"}],"name":"Universit\u00e9 de Versailles Saint-Quentin-en-Yvelines","place":["France"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2746-3585","authenticated-orcid":false,"given":"Pooya","family":"Farshim","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/04abwvq32","id-type":"ROR","asserted-by":"publisher"}],"name":"IOG","place":["Switzerland"]},{"id":[{"id":"https:\/\/ror.org\/01v29qb04","id-type":"ROR","asserted-by":"publisher"}],"name":"Durham University","place":["United Kingdom"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-6095-9402","authenticated-orcid":false,"given":"Patrick","family":"Harasser","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/05n911h24","id-type":"ROR","asserted-by":"publisher"}],"name":"Technical University of Darmstadt","place":["Germany"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8660-9663","authenticated-orcid":false,"given":"Markulf","family":"Kohlweiss","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/01nrxwf90","id-type":"ROR","asserted-by":"publisher"}],"name":"University of Edinburgh","place":["United Kingdom"]},{"id":[{"id":"https:\/\/ror.org\/04abwvq32","id-type":"ROR","asserted-by":"publisher"}],"name":"IOG","place":["United Kingdom"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"48349","published-online":{"date-parts":[[2024,10,7]]},"reference":[{"key":"ref1:C:FiaSha86","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"186","DOI":"10.1007\/3-540-47721-7_12","article-title":"How to Prove Yourself: Practical Solutions to\n  Identification and Signature Problems","volume":"263","author":"Amos Fiat","year":"1987"},{"key":"ref2:CCS:BelRog93","doi-asserted-by":"publisher","first-page":"62","DOI":"10.1145\/168588.168596","article-title":"Random Oracles are Practical: A Paradigm for Designing\n  Efficient Protocols","author":"Mihir Bellare","year":"1993"},{"key":"ref3:EC:BDPV08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"181","DOI":"10.1007\/978-3-540-78967-3_11","article-title":"On the Indifferentiability of the Sponge Construction","volume":"4965","author":"Guido Bertoni","year":"2008"},{"key":"ref4:C:BlaRogShr02","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"320","DOI":"10.1007\/3-540-45708-9_21","article-title":"Black-Box Analysis of the Block-Cipher-Based Hash-Function\n  Constructions from PGV","volume":"2442","author":"John Black","year":"2002"},{"key":"ref5:C:CDMP05","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"430","DOI":"10.1007\/11535218_26","article-title":"Merkle-Damg\u00e5rd Revisited: How to Construct a Hash\n  Function","volume":"3621","author":"Jean-S\u00e9bastien Coron","year":"2005"},{"key":"ref6:STOC:HolKunTes11","doi-asserted-by":"publisher","first-page":"89","DOI":"10.1145\/1993636.1993650","article-title":"The equivalence of the random oracle model and the ideal\n  cipher model, revisited","author":"Thomas Holenstein","year":"2011"},{"key":"ref7:Nechaev94","doi-asserted-by":"publisher","first-page":"165","DOI":"10.1007\/BF02113297","article-title":"Complexity of a Determinate Algorithm for the Discrete\n  Logarithm","volume":"55","author":"Vassiliy Ilyich Nechaev","year":"1994","journal-title":"Mathematical Notes"},{"key":"ref8:EC:Shoup97","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"256","DOI":"10.1007\/3-540-69053-0_18","article-title":"Lower Bounds for Discrete Logarithms and Related Problems","volume":"1233","author":"Victor Shoup","year":"1997"},{"key":"ref9:C:Zhandry22b","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"66","DOI":"10.1007\/978-3-031-15982-4_3","article-title":"To Label, or Not To Label (in Generic Groups)","volume":"13509","author":"Mark Zhandry","year":"2022"},{"key":"ref10:IMA:Maurer05","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/11586821_1","article-title":"Abstract Models of Computation in Cryptography (Invited\n  Paper)","volume":"3796","author":"Ueli M. Maurer","year":"2005"},{"key":"ref11:EC:BonBoy04a","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"56","DOI":"10.1007\/978-3-540-24676-3_4","article-title":"Short Signatures Without Random Oracles","volume":"3027","author":"Dan Boneh","year":"2004"},{"key":"ref12:EC:GroSho22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"365","DOI":"10.1007\/978-3-031-06944-4_13","article-title":"On the Security of ECDSA with Additive Key Derivation and\n  Presignatures","volume":"13275","author":"Jens Groth","year":"2022"},{"key":"ref13:C:AGHO11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"649","DOI":"10.1007\/978-3-642-22792-9_37","article-title":"Optimal Structure-Preserving Signatures in Asymmetric\n  Bilinear Groups","volume":"6841","author":"Masayuki Abe","year":"2011"},{"key":"ref14:EC:Groth16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"305","DOI":"10.1007\/978-3-662-49896-5_11","article-title":"On the Size of Pairing-Based Non-interactive Arguments","volume":"9666","author":"Jens Groth","year":"2016"},{"key":"ref15:C:FucKilLos18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1007\/978-3-319-96881-0_2","article-title":"The Algebraic Group Model and its Applications","volume":"10992","author":"Georg Fuchsbauer","year":"2018"},{"key":"ref16:EC:BonVen98","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"59","DOI":"10.1007\/BFb0054117","article-title":"Breaking RSA May Not Be Equivalent to Factoring","volume":"1403","author":"Dan Boneh","year":"1998"},{"key":"ref17:CCS:MBKM19","doi-asserted-by":"publisher","first-page":"2111","DOI":"10.1145\/3319535.3339817","article-title":"Sonic: Zero-Knowledge SNARKs from Linear-Size Universal\n  and Updatable Structured Reference Strings","author":"Mary Maller","year":"2019"},{"key":"ref18:C:GhoTes21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"64","DOI":"10.1007\/978-3-030-84252-9_3","article-title":"Tight State-Restoration Soundness in the Algebraic Group\n  Model","volume":"12827","author":"Ashrujit Ghoshal","year":"2021"},{"key":"ref19:PKC:KasLosXu22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"468","DOI":"10.1007\/978-3-030-97131-1_16","article-title":"On Pairing-Free Blind Signature Schemes in the Algebraic\n  Group Model","volume":"13178","author":"Julia Kastner","year":"2022"},{"key":"ref20:EC:FucPloSeu20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1007\/978-3-030-45724-2_3","article-title":"Blind Schnorr Signatures and Signed ElGamal Encryption\n  in the Algebraic Group Model","volume":"12106","author":"Georg Fuchsbauer","year":"2020"},{"key":"ref21:C:RafZap21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"774","DOI":"10.1007\/978-3-030-84242-0_27","article-title":"An Algebraic Framework for Universal and Updatable\n  SNARKs","volume":"12825","author":"Carla R\u00e0fols","year":"2021"},{"key":"ref22:C:BauFucLos20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"121","DOI":"10.1007\/978-3-030-56880-1_5","article-title":"A Classification of Computational Assumptions in the\n  Algebraic Group Model","volume":"12171","author":"Balthazar Bauer","year":"2020"},{"key":"ref23:TCC:RotSeg20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"366","DOI":"10.1007\/978-3-030-64381-2_13","article-title":"Algebraic Distinguishers: From Discrete Logarithms to\n  Decisional Uber Assumptions","volume":"12552","author":"Lior Rotem","year":"2020"},{"key":"ref24:STOC:CanGolHal98","doi-asserted-by":"publisher","first-page":"209","DOI":"10.1145\/276698.276741","article-title":"The Random Oracle Methodology, Revisited (Preliminary\n  Version)","author":"Ran Canetti","year":"1998"},{"key":"ref25:FSE:Black06","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"328","DOI":"10.1007\/11799313_21","article-title":"The Ideal-Cipher Model, Revisited: An Uninstantiable\n  Blockcipher-Based Hash Function","volume":"4047","author":"John Black","year":"2006"},{"key":"ref26:AC:Dent02","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"100","DOI":"10.1007\/3-540-36178-2_6","article-title":"Adapting the Weaknesses of the Random Oracle Model to the\n  Generic Group Model","volume":"2501","author":"Alexander W. Dent","year":"2002"},{"key":"ref27:JC:KobMen07","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/s00145-005-0432-z","article-title":"Another Look at \u201cProvable Security\u201d","volume":"20","author":"Neal Koblitz","year":"2007","journal-title":"Journal of Cryptology"},{"key":"ref28:C:BelHoaKee14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"169","DOI":"10.1007\/978-3-662-44371-2_10","article-title":"Cryptography from Compression Functions: The UCE Bridge to\n  the ROM","volume":"8616","author":"Mihir Bellare","year":"2014"},{"key":"ref29:EC:BonBoyGoh05","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"440","DOI":"10.1007\/11426639_26","article-title":"Hierarchical Identity Based Encryption with Constant Size\n  Ciphertext","volume":"3494","author":"Dan Boneh","year":"2005"},{"key":"ref30:C:EHKRV13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"129","DOI":"10.1007\/978-3-642-40084-1_8","article-title":"An Algebraic Framework for Diffie-Hellman Assumptions","volume":"8043","author":"Alex Escala","year":"2013"},{"key":"ref31:TCC:BFHO22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"212","DOI":"10.1007\/978-3-031-22368-6_8","article-title":"Beyond Uber: Instantiating Generic Groups via PGGs","volume":"13749","author":"Balthazar Bauer","year":"2022"},{"key":"ref32:C:Naor03","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"96","DOI":"10.1007\/978-3-540-45146-4_6","article-title":"On Cryptographic Assumptions and Challenges (Invited Talk)","volume":"2729","author":"Moni Naor","year":"2003"},{"key":"ref33:TCC:GolKal16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"505","DOI":"10.1007\/978-3-662-49096-9_21","article-title":"Cryptographic Assumptions: A Position Paper","volume":"9562","author":"Shafi Goldwasser","year":"2016"},{"key":"ref34:AC:Groth10a","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"321","DOI":"10.1007\/978-3-642-17373-8_19","article-title":"Short Pairing-Based Non-interactive Zero-Knowledge\n  Arguments","volume":"6477","author":"Jens Groth","year":"2010"},{"key":"ref35:SP:PHGR13","doi-asserted-by":"publisher","first-page":"238","DOI":"10.1109\/SP.2013.47","article-title":"Pinocchio: Nearly Practical Verifiable Computation","author":"Bryan Parno","year":"2013"},{"key":"ref36:C:GroMal17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"581","DOI":"10.1007\/978-3-319-63715-0_20","article-title":"Snarky Signatures: Minimal Signatures of Knowledge from\n  Simulation-Extractable SNARKs","volume":"10402","author":"Jens Groth","year":"2017"},{"key":"ref37:EC:CHMMVW20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"738","DOI":"10.1007\/978-3-030-45721-1_26","article-title":"Marlin: Preprocessing zkSNARKs with Universal and\n  Updatable SRS","volume":"12105","author":"Alessandro Chiesa","year":"2020"},{"volume-title":"PLONK: Permutations over Lagrange-bases for Oecumenical\n  Noninteractive arguments of Knowledge","year":"2019","author":"Ariel Gabizon","key":"ref38:EPRINT:GabWilCio19"},{"volume-title":"On the Existence of 3-Round Zero-Knowledge Proofs","year":"2002","author":"Matthew Lepinski","key":"ref39:Lepinski02"},{"key":"ref40:C:BelPal04","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"273","DOI":"10.1007\/978-3-540-28628-8_17","article-title":"The Knowledge-of-Exponent Assumptions and 3-Round\n  Zero-Knowledge Protocols","volume":"3152","author":"Mihir Bellare","year":"2004"},{"key":"ref41:EC:Dent06","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"289","DOI":"10.1007\/11761679_18","article-title":"The Cramer-Shoup Encryption Scheme Is Plaintext Aware in\n  the Standard Model","volume":"4004","author":"Alexander W. Dent","year":"2006"},{"key":"ref42:ITCS:BCCT12","doi-asserted-by":"publisher","first-page":"326","DOI":"10.1145\/2090236.2090263","article-title":"From extractable collision resistance to succinct\n  non-interactive arguments of knowledge, and back again","author":"Nir Bitansky","year":"2012"},{"key":"ref43:JC:BCCGLR17","doi-asserted-by":"publisher","first-page":"989","DOI":"10.1007\/s00145-016-9241-9","article-title":"The Hunting of the SNARK","volume":"30","author":"Nir Bitansky","year":"2017","journal-title":"Journal of Cryptology"},{"key":"ref44:CCS:KiaLiuTse16","doi-asserted-by":"publisher","first-page":"1317","DOI":"10.1145\/2976749.2978352","article-title":"Practical Non-Malleable Codes from $\\ell$-more Extractable\n  Hash Functions","author":"Aggelos Kiayias","year":"2016"},{"key":"ref45:C:HadTan98","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"408","DOI":"10.1007\/BFb0055744","article-title":"On the Existence of 3-Round Zero-Knowledge Protocols","volume":"1462","author":"Satoshi Hada","year":"1998"},{"key":"ref46:JC:BirDen14","doi-asserted-by":"publisher","first-page":"139","DOI":"10.1007\/s00145-012-9141-6","article-title":"Security Models and Proof Strategies for Plaintext-Aware\n  Encryption","volume":"27","author":"James Birkett","year":"2014","journal-title":"Journal of Cryptology"},{"key":"ref47:AC:CFFQR21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-030-92078-4_1","article-title":"Lunar: A Toolbox for More Efficient Universal and\n  Updatable zkSNARKs and Commit-and-Prove Extensions","volume":"13092","author":"Matteo Campanelli","year":"2021"},{"key":"ref48:EC:BunFisSze20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"677","DOI":"10.1007\/978-3-030-45721-1_24","article-title":"Transparent SNARKs from DARK Compilers","volume":"12105","author":"Benedikt B\u00fcnz","year":"2020"},{"key":"ref49:Berlekamp67","doi-asserted-by":"publisher","first-page":"1853","DOI":"10.1002\/j.1538-7305.1967.tb03174.x","article-title":"Factoring polynomials over finite fields","volume":"46","author":"Elwyn R. Berlekamp","year":"1967","journal-title":"The Bell System Technical Journal"},{"key":"ref50:JIS:CheCheSma07","doi-asserted-by":"publisher","first-page":"213","DOI":"10.1007\/s10207-006-0011-9","article-title":"Identity-based key agreement protocols from pairings","volume":"6","author":"Liqun Chen","year":"2007","journal-title":"International Journal of Information Security"},{"key":"ref51:AC:ZhaZhoKat22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"310","DOI":"10.1007\/978-3-031-22972-5_11","article-title":"An Analysis of the Algebraic Group Model","volume":"13794","author":"Cong Zhang","year":"2022"},{"key":"ref52:PKC:Lipmaa22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"553","DOI":"10.1007\/978-3-030-97121-2_20","article-title":"A Unified Framework for Non-universal SNARKs","volume":"13177","author":"Helger Lipmaa","year":"2022"},{"key":"ref53:TCC:LipParSii23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"363","DOI":"10.1007\/978-3-031-48624-1_14","article-title":"Algebraic Group Model with Oblivious Sampling","volume":"14372","author":"Helger Lipmaa","year":"2023"},{"key":"ref54:AC:RLBDS08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"489","DOI":"10.1007\/978-3-540-89255-7_30","article-title":"Sufficient Conditions for Intractability over Black-Box\n  Groups: Generic Lower Bounds for Generalized DL and DH Problems","volume":"5350","author":"Andy Rupp","year":"2008"},{"key":"ref55:EC:BelRog06","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"409","DOI":"10.1007\/11761679_25","article-title":"The Security of Triple Encryption and a Framework for\n  Code-Based Game-Playing Proofs","volume":"4004","author":"Mihir Bellare","year":"2006"},{"key":"ref56:C:CraSho98","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"13","DOI":"10.1007\/BFb0055717","article-title":"A Practical Public Key Cryptosystem Provably Secure Against\n  Adaptive Chosen Ciphertext Attack","volume":"1462","author":"Ronald Cramer","year":"1998"},{"key":"ref57:JC:Joux04","doi-asserted-by":"publisher","first-page":"263","DOI":"10.1007\/s00145-004-0312-y","article-title":"A One Round Protocol for Tripartite Diffie\u2013Hellman","volume":"17","author":"Antoine Joux","year":"2004","journal-title":"Journal of Cryptology"},{"volume-title":"Pairings for Cryptographers","year":"2006","author":"Stephen D. Galbraith","key":"ref58:EPRINT:GalPatSma06"},{"volume-title":"New Paradigms in Signature Schemes","year":"2005","author":"Hovav Shacham","key":"ref59:phd:Shacham05"},{"key":"ref60:Schwartz80","doi-asserted-by":"publisher","first-page":"701","DOI":"10.1145\/322217.322225","article-title":"Fast probabilistic algorithms for verification of polynomial\n  identities","volume":"27","author":"Jack T. Schwartz","year":"1980","journal-title":"Journal of the ACM"},{"key":"ref61:Zippel79","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"216","DOI":"10.1007\/3-540-09519-5_73","article-title":"Probabilistic algorithms for sparse polynomials","volume":"72","author":"Richard Zippel","year":"1979"},{"key":"ref62:DeMLip78","doi-asserted-by":"publisher","first-page":"193","DOI":"10.1016\/0020-0190(78)90067-4","article-title":"A probabilistic remark on algebraic program testing","volume":"7","author":"Richard A. Demillo","year":"1978","journal-title":"Information Processing Letters"},{"volume-title":"The Exact Security of ECDSA","year":"2001","author":"Daniel R. L. Brown","key":"ref63:Brown01"},{"key":"ref64:AC:BelFucSca16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"777","DOI":"10.1007\/978-3-662-53890-6_26","article-title":"NIZKs with an Untrusted CRS: Security in the Face of\n  Parameter Subversion","volume":"10032","author":"Mihir Bellare","year":"2016"},{"key":"ref65:AC:ZhaZha23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"390","DOI":"10.1007\/978-981-99-8736-8_13","article-title":"The Relationship Between Idealized Models Under\n  Computationally Bounded Adversaries","volume":"14443","author":"Cong Zhang","year":"2023"},{"key":"ref66:AC:PaiVer05","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/11593447_1","article-title":"Discrete-Log-Based Signatures May Not Be Equivalent to\n  Discrete Log","volume":"3788","author":"Pascal Paillier","year":"2005"},{"key":"ref67:EC:FleGoyJai18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-319-78372-7_1","article-title":"On the Existence of Three Round Zero-Knowledge Proofs","volume":"10822","author":"Nils Fleischhacker","year":"2018"},{"key":"ref68:C:Damgaard91","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"445","DOI":"10.1007\/3-540-46766-1_36","article-title":"Towards Practical Public Key Systems Secure Against Chosen\n  Ciphertext Attacks","volume":"576","author":"Ivan Damg\u00e5rd","year":"1992"},{"volume-title":"The Hardness of the DHK Problem in the Generic Group\n  Model","year":"2006","author":"Alexander W. Dent","key":"ref69:EPRINT:Dent06a"},{"key":"ref70:AC:BelPal04","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"48","DOI":"10.1007\/978-3-540-30539-2_4","article-title":"Towards Plaintext-Aware Public-Key Encryption without Random\n  Oracles","volume":"3329","author":"Mihir Bellare","year":"2004"},{"volume-title":"On the Existence of 3-Round Zero-Knowledge Protocols","year":"1999","author":"Satoshi Hada","key":"ref71:EPRINT:HadTan99a"},{"key":"ref72:AC:KatZavGol10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"177","DOI":"10.1007\/978-3-642-17373-8_11","article-title":"Constant-Size Commitments to Polynomials and Their\n  Applications","volume":"6477","author":"Aniket Kate","year":"2010"},{"key":"ref73:TCC:FFKRZ23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"455","DOI":"10.1007\/978-3-031-48621-0_16","article-title":"From Polynomial IOP and Commitments to Non-malleable\n  zkSNARKs","volume":"14371","author":"Antonio Faonio","year":"2023"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2024,12,10]],"date-time":"2024-12-10T21:28:32Z","timestamp":1733866112000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/3\/31"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,10,7]]},"references-count":73,"URL":"https:\/\/doi.org\/10.62056\/anr-zoja5","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"subject":[],"published":{"date-parts":[[2024,10,7]]},"assertion":[{"value":"2024-07-08","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-09-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-3-91"}}