Yehuda Lindell, "An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle," TCC 2015: Theory of Cryptography, pp.
 Ciampi M., Persiano G., Siniscalchi L., Visconti I, "A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles," Theory of Cryptography.
The Groth-Sahai proofs  are the only practical NIZK. To obtain efficient KDM-CCA secure PKE, we have to employ an efficient PKE scheme with KDM-CPA security and the Groth-Sahai proofs if we follow the CCS approach .
However, the only efficient KDM[[F.sup.d.sub.poly]]-CPA secure PKE  is incompatible with the Groth-Sahai NIZK proofs ; thus the CCS approach must adopt a general inefficient NIZK.
In addition, since there are two constructions are presented in , the more efficient construction based on Waters signature is used to measure the signature size, and the underlying Groth-Sahai NIZK
system is instantiated under DLIN Assumption.
(b) The NIZK
argument system constructed by Groth et al.
Once a string "FALSE- 1" is output, TPA can issue a NIZK
proof [[pi].sub.2] to show the incorrectness of the data storage.
In the subset protocol of , Sang utilized a nonmalleable NonInteractive Zero-Knowledge (NIZK
) argument, which is based on the Boneh-Goh-Nissim (BGN) cryptosystem to protect it against malicious attacks.