On the Impossibility of NIZKs for Disjunctive Languages From Commit-and-Prove NIZKs

This paper considers the problem of expanding a language class that can be proven by a non-interactive zero-knowledge proof system (NIZK) in a black-box manner in the common reference string model. Namely, given NIZKs for two languages, L-0 and L-1, can we construct an NIZK for L-0 boolean OR L-1 in a black-box manner? NIZKs for disjunctive languages have a large number of applications, such as electronic voting. Therefore, such a black-box construction may enable the efficient constructions of such applications. However, Abe et al. (PKC 2020) showed that this is impossible if the two given NIZKs are simulation-sound. In this paper, we prove that it is also impossible if the two given NIZKs are constructed by the commit-andprove methodology that is typically used in many cryptographic protocols, including NIZKs. This result suggests that if we want to augment the capability of NIZKs in terms of the languages they can prove, we should rely on certain properties or structures of the underlying NIZKs, such as algebraic structures.