
PriBank: Confidential Blockchain Scaling Using Short Commit-and-Proof NIZK Argument

Conference paper in: Topics in Cryptology – CT-RSA 2022 (CT-RSA 2022)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13161)

Abstract

Decentralized financial applications demand fast, cheap, and privacy-preserving cryptocurrency systems to facilitate high transaction volumes and provide privacy for users. Off-chain Layer-2 scaling solutions such as Plasma, ZK-Rollup and NOCUST are appealing innovations devised to enable the scalability and extensibility of account-based blockchains that support smart contracts. The essential idea is simple yet powerful: move expensive computations off-chain and commit the abbreviated transaction data on-chain. Nevertheless, these solutions do not provide privacy for the users’ balances and off-chain transaction data. In this paper, we propose PriBank, a novel privacy-preserving cryptocurrency system that enables private balances and transaction values on top of these Layer-2 scaling solutions. To construct the PriBank system, we propose a Commit-and-Prove short NIZK argument for quadratic arithmetic programs. The Commit-and-Prove short NIZK argument is built on top of an existing zero-knowledge proof scheme, Bulletproof. It allows a prover to commit to an arbitrary set of witnesses by Pedersen commitments before proving, which may be of independent interest. We construct security models and definitions for Layer-2 privacy-preserving scaling solutions and analyse the security of our scheme under this security model. We also implement and evaluate the system, and present a comparative analysis with the existing solutions.


References

  1. Pribank in Go

  2. libsnark: a C++ library for zkSNARK proofs

  3. Agrawal, S., Ganesh, C., Mohassel, P.: Non-interactive zero-knowledge proofs for composite statements. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 643–673. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_22

  4. Back, A., et al.: Enabling blockchain innovations with pegged sidechains, vol. 72 (2014). http://www.opensciencereview.com/papers/123/enablingblockchain-innovations-with-pegged-sidechains

  5. Benarroch, D., Campanelli, M., Fiore, D., Kolonelos, D.: Zero-knowledge proofs for set membership: efficient, succinct, modular. IACR Cryptol. ePrint Arch. 2019, 1255 (2019)

  6. Bonneau, J., Narayanan, A., Miller, A., Clark, J., Kroll, J.A., Felten, E.W.: Mixcoin: anonymity for bitcoin with accountable mixes. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 486–504. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_31

  7. Bowe, S., Chiesa, A., Green, M., Miers, I., Mishra, P., Wu, H.: Zexe: enabling decentralized private computation. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 947–964 (2020). https://doi.org/10.1109/SP40000.2020.00050

  8. Bünz, B., Agrawal, S., Zamani, M., Boneh, D.: Zether: towards privacy in a smart contract world. In: Bonneau, J., Heninger, N. (eds.) FC 2020. LNCS, vol. 12059, pp. 423–443. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51280-4_23

  9. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 315–334. IEEE (2018)

  10. Campanelli, M., Fiore, D., Querol, A.: LegoSNARK: modular design and composition of succinct zero-knowledge proofs. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 2075–2092 (2019)

  11. Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: Proceedings of the Thirty-fourth Annual ACM Symposium on Theory of Computing, pp. 494–503 (2002)

  12. Cecchetti, E., Zhang, F., Ji, Y., Kosba, A., Juels, A., Shi, E.: Solidus: confidential distributed ledger transactions via PVORM. In: Proceedings of 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 701–717 (2017)

  13. Danezis, G., Meiklejohn, S.: Centrally banked cryptocurrencies. arXiv preprint arXiv:1505.06895 (2015)

  14. Decker, C., Wattenhofer, R.: A fast and scalable payment network with bitcoin duplex micropayment channels. In: Pelc, A., Schwarzmann, A.A. (eds.) SSS 2015. LNCS, vol. 9212, pp. 3–18. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21741-3_1

  15. Diamond, B.E.: Many-out-of-many proofs and applications to anonymous zether. In: 2021 IEEE Symposium on Security and Privacy (SP), pp. 1800–1817. IEEE Computer Society, Los Alamitos, May 2021. https://doi.org/10.1109/SP40001.2021.00026

  16. Dziembowski, S., Fabiański, G., Faust, S., Riahi, S.: Lower bounds for off-chain protocols: exploring the limits of plasma. In: 12th Innovations in Theoretical Computer Science Conference (ITCS 2021) (2021)

  17. Fauzi, P., Meiklejohn, S., Mercer, R., Orlandi, C.: Quisquis: a new design for anonymous cryptocurrencies. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 649–678. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_23

  18. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37

  19. Gluchowski, A.: Zk rollup: scaling with zero-knowledge proofs. Matter Labs (2019)

  20. Kerber, T., Kiayias, A., Kohlweiss, M.: Kachina-foundations of private smart contracts. In: 2021 IEEE 34th Computer Security Foundations Symposium (CSF), pp. 1–16. IEEE (2021)

  21. Khalil, R., Zamyatin, A., Felley, G., Moreno-Sanchez, P., Gervais, A.: Commit-chains: secure, scalable off-chain payments. Cryptology ePrint Archive, Report 2018/642 (2018)

  22. Kilian, J.: Uses of Randomness in Algorithms and Protocols. Massachusetts Institute of Technology (1990)

  23. Kosba, A., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: the blockchain model of cryptography and privacy-preserving smart contracts. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 839–858 (2016). https://doi.org/10.1109/SP.2016.55

  24. Maxwell, G.: CoinJoin: bitcoin privacy for the real world. In: Post on Bitcoin Forum (2013)

  25. Miller, A., Bentov, I., Kumaresan, R., McCorry, P.: Sprites: payment channels that go faster than lightning. CoRR arXiv:1702.05812 306 (2017)

  26. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2009). http://bitcoin.org/bitcoin.pdf

  27. Narula, N., Vasquez, W., Virza, M.: zkLedger: privacy-preserving auditing for distributed ledgers. In: 15th USENIX Symposium on Networked Systems Design and Implementation (NSDI 18), pp. 65–80 (2018)

  28. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9

  29. Poon, J., Buterin, V.: Plasma: scalable autonomous smart contracts. White paper (2017)

  30. Sasson, E.B., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE (2014)

  31. Steffen, S., Bichsel, B., Gersbach, M., Melchior, N., Tsankov, P., Vechev, M.: zkay: specifying and enforcing data privacy in smart contracts. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1759–1776 (2019)

  32. The Monero Project: Monero (2014). https://web.getmonero.org

  33. Wood, G.: Ethereum: a secure decentralised generalised transaction ledger. Yellow Paper (2014)

  34. Zyskind, G., Nathan, O., et al.: Decentralizing privacy: using blockchain to protect personal data. In: 2015 IEEE Security and Privacy Workshops, pp. 180–184. IEEE (2015)

Author information

Correspondence to Shuang Wu.

Appendices

A Commit-Prove Zero-Knowledge Proof Construction

Circuit: The arithmetic circuit C of the zero-knowledge proof is in Fig. 11.

[Fig. 11. Circuit (figure not reproduced in this extract)]

B Proof of Protocol 3.1

Proof

Soundness. By rewinding the prover, the extractor \(\mathcal {X}\) obtains two valid transcripts with the same commitments,

\((d_1,d_2,c_0,c_1,x,\theta _a,\theta _b,\theta _1,\theta _2,\theta _{ab})\) and \((d_1,d_2,c_0,c_1,x',\theta _a',\theta _b',\theta _1',\theta _2',\theta _{ab}')\). From the verification equations we get

$$\begin{aligned} c_a^x g^{\theta _a}h^{\theta _1}=d_1 \qquad c_a^{x'}g^{\theta _a'}h^{\theta _1'}=d_1 \end{aligned}$$

By the binding property of the Pedersen commitment, this implies \(a=\frac{\theta _a'-\theta _a}{x-x'}\). By the same technique, \(\mathcal {X}\) can compute \(b=\frac{\theta _b'-\theta _b}{x-x'}\) as well as \(\alpha ,\beta \).

Next, assume c is a commitment to z; we will prove \(z=ab\). Assume \(c_0=g^uh^{r_{c_0}}, c_1=g^vh^{r_{c_1}}\) and observe that \(g^{\theta _a\theta _b}h^{\theta _{ab}}c_0^x=c^{x^2}c_1\). This implies

$$\begin{aligned} g^{abx^2-(a\beta +b\alpha )x+\alpha \beta +ux}h^{\theta _{ab}+xr_{c_0}}=g^{zx^2+v}h^{r_{c}x^2+r_{c_1}} \end{aligned}$$

Since \(a,b,\alpha ,\beta ,u,v\) are all predefined values, either \(\mathcal {X}\) can extract a non-trivial relation between g and h, or \(u=\alpha b+\beta a\) and the extractor can extract \(z=ab=\frac{\theta _a\theta _b-\theta '_a\theta '_b+(\alpha b+\beta a)(x-x')}{x^2-{x'}^2}\).

Perfect special honest-verifier zero-knowledge. The simulator randomly chooses \(\theta _1,\theta _2,\theta _a,\theta _b,\theta _{ab},u,r\leftarrow \mathbb {Z}_p\) and a random challenge \(x\leftarrow \mathbb {Z}_p\), and computes \(d_1=c_a^xg^{\theta _a}h^{\theta _1}\), \(d_2=c_b^xg^{\theta _b}h^{\theta _2}, c_0=g^uh^r,c_1=g^{\theta _a\theta _b}h^{\theta _{ab}}c_0^x/c^{x^2}\). Thus the simulator produces a valid transcript \((d_1,d_2,c_0,c_1,x,\theta _a,\theta _b,\theta _1,\theta _2,\theta _{ab})\) with the same probability distribution as a real proof.    \(\square \)
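The verification equations that the soundness and simulation arguments above rely on can be exercised directly. The following Python toy is an added illustration, not code from the paper or from its Go implementation. It instantiates the Protocol 3.1 transcript \((d_1,d_2,c_0,c_1,x,\theta _a,\theta _b,\theta _1,\theta _2,\theta _{ab})\) over a constructed small Schnorr group with three parts: an honest prover whose blinding values \(\alpha ,\beta \) and openings \(u=a\beta +b\alpha \), \(v=\alpha \beta \) of \(c_0,c_1\) are chosen so that the three verification equations hold (this prover is reconstructed from the equations above, not copied from the paper's protocol description, and is an assumption of the example); the simulator exactly as described in the zero-knowledge argument; and the extractor that recovers a, b and \(z=ab\) from two transcripts sharing the first message, using the formulas of the soundness argument. The group parameters, the generators, the requirement \(x'\ne \pm x\) for the extractor's division, and all function names are assumptions of the example.

```python
import secrets
from dataclasses import dataclass

# Constructed toy Schnorr group: P = 2Q + 1 with Q prime, so the quadratic
# residues mod P form a subgroup of prime order Q.  Far too small for real use;
# it only makes the algebra of Appendix B executable.  Scalars live in Z_Q
# (the paper writes Z_p for the scalar field).
P, Q = 2879, 1439
G, H = 4, 9  # 2^2 and 3^2 are residues, hence of order Q.  Real systems derive h
             # so that nobody knows log_g h; here the choice is purely illustrative.


def is_prime(n):
    """Trial division; adequate for the toy parameters above."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


assert is_prime(P) and is_prime(Q) and P == 2 * Q + 1


def commit(m, r):
    """Pedersen commitment g^m h^r in the subgroup of order Q."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P


def rand_scalar():
    return 1 + secrets.randbelow(Q - 1)  # non-zero element of Z_Q


def inv_q(x):
    return pow(x % Q, -1, Q)


@dataclass
class Witness:
    a: int
    r_a: int
    b: int
    r_b: int
    r_c: int  # blinding of c, which should open to a*b


@dataclass
class Statement:
    c_a: int
    c_b: int
    c: int


def prover_commit(w):
    """First message (d1, d2, c0, c1) plus the prover's private state."""
    alpha, beta, rho1, rho2, r_c0, r_c1 = (rand_scalar() for _ in range(6))
    d1 = commit(alpha, rho1)
    d2 = commit(beta, rho2)
    c0 = commit(w.a * beta + w.b * alpha, r_c0)  # u = a*beta + b*alpha, cancels the x term
    c1 = commit(alpha * beta, r_c1)              # v = alpha*beta, the constant term
    return (d1, d2, c0, c1), (alpha, beta, rho1, rho2, r_c0, r_c1)


def prover_respond(w, state, x):
    """Response to challenge x; the transcript then satisfies the verifier's equations."""
    alpha, beta, rho1, rho2, r_c0, r_c1 = state
    return ((alpha - w.a * x) % Q, (beta - w.b * x) % Q,
            (rho1 - w.r_a * x) % Q, (rho2 - w.r_b * x) % Q,
            (w.r_c * x * x + r_c1 - x * r_c0) % Q)


def verify(st, first, x, resp):
    """The three verification equations from Appendix B."""
    d1, d2, c0, c1 = first
    ta, tb, t1, t2, tab = resp
    return (pow(st.c_a, x, P) * commit(ta, t1) % P == d1
            and pow(st.c_b, x, P) * commit(tb, t2) % P == d2
            and commit(ta * tb, tab) * pow(c0, x, P) % P == pow(st.c, x * x, P) * c1 % P)


def simulate(st, x):
    """Honest-verifier simulator: samples the responses first, then solves for the first message."""
    ta, tb, t1, t2, tab, u, r = (rand_scalar() for _ in range(7))
    d1 = pow(st.c_a, x, P) * commit(ta, t1) % P
    d2 = pow(st.c_b, x, P) * commit(tb, t2) % P
    c0 = commit(u, r)
    c1 = commit(ta * tb, tab) * pow(c0, x, P) * pow(pow(st.c, x * x, P), -1, P) % P
    return (d1, d2, c0, c1), (ta, tb, t1, t2, tab)


def extract(x, resp, x2, resp2):
    """Extractor from two transcripts with the same first message; needs x2 not in {x, -x}."""
    ta, tb = resp[0], resp[1]
    ta2, tb2 = resp2[0], resp2[1]
    dx = inv_q(x - x2)
    a = (ta2 - ta) * dx % Q
    b = (tb2 - tb) * dx % Q
    alpha, beta = (ta + a * x) % Q, (tb + b * x) % Q   # recover the blinds
    u = (a * beta + b * alpha) % Q
    z = (ta * tb - ta2 * tb2 + u * (x - x2)) * inv_q(x * x - x2 * x2) % Q
    return a, b, z


def demo(a, b):
    """Honest run, a tampered statement, the simulator, and extraction by rewinding."""
    w = Witness(a, rand_scalar(), b, rand_scalar(), rand_scalar())
    st = Statement(commit(w.a, w.r_a), commit(w.b, w.r_b), commit(w.a * w.b, w.r_c))
    first, state = prover_commit(w)
    x = rand_scalar()
    resp = prover_respond(w, state, x)
    bad = Statement(st.c_a, st.c_b, commit(w.a * w.b + 1, w.r_c))  # c opens to ab+1
    x2 = rand_scalar()
    while x2 in (x, Q - x):  # rewind with a fresh challenge, x2^2 != x^2 mod Q
        x2 = rand_scalar()
    resp2 = prover_respond(w, state, x2)
    sim_first, sim_resp = simulate(st, x)
    return {"honest_ok": verify(st, first, x, resp),
            "tampered_ok": verify(bad, first, x, resp),
            "rewound_ok": verify(st, first, x2, resp2),
            "simulated_ok": verify(st, sim_first, x, sim_resp),
            "extracted": extract(x, resp, x2, resp2)}
```

`demo(7, 11)` returns an honest transcript that verifies, a tampered statement (c opening to ab+1) that is rejected, a simulated transcript that verifies without any witness, and `(7, 11, 77)` from the extractor; the last two together are the executable content of the soundness and zero-knowledge paragraphs above.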

C Proof of Protocol 3.2

Proof

Soundness. For an accepting transcript \((c_0,\varOmega ,d_1,d_2,x,\theta _1,\theta _2)\), assume that

$$\begin{aligned} c_0=h^{\gamma },\varOmega =\tau ^{u}h^{-v}, d_1=h^\alpha , d_2=\tau ^\delta h^\beta \end{aligned}$$

since \(d_1=c_0^xh^{\theta _1}\), \( d_2=\varOmega ^x\tau ^{\theta _1}h^{\theta _2}\) we have

$$\begin{aligned} h^{x\gamma +\theta _1}=h^\alpha , \quad \tau ^{ux+\theta _1}h^{\theta _2-vx}=\tau ^\delta h^\beta \end{aligned}$$

If \(u\ne \gamma \), then either \(\theta _1=\frac{\delta \gamma -u\alpha }{\gamma -u}\) and \(x=\frac{\alpha -\delta }{\gamma -u}\), or the cheating prover is able to compute the Pedersen commitment key \(\log _gh\). Since \(\alpha ,\delta ,\gamma \) are pre-defined values, \(\Pr [x=\frac{\alpha -\delta }{u-\gamma }]=\frac{1}{p}\).

Since the verification checks \(c=\prod \limits _{i=1}^{n}c_i^{b_i}/\varOmega \), assuming \(c=g^wh^t\) this implies

$$\begin{aligned} g^w h^t=g^{\sum \limits _{i=1}^n a_i b_i}h^v \end{aligned}$$

Hence, either \(w=\sum \limits _{i=1}^n a_i b_i\) or the prover is able to compute the discrete logarithm.

Perfect special honest-verifier zero-knowledge. The simulator randomly chooses \(\gamma ,\theta _1,\theta _2\leftarrow \mathbb {Z}_p\) and computes \(c_0=h^{\gamma }, \varOmega =\prod \limits _{i=1}^nc_i^{b_i}/c\). Then the simulator chooses a challenge randomly \(x\leftarrow \mathbb {Z}_p\) and computes \(d_1=c_0^xh^{\theta _1}, d_2=\varOmega ^x\tau ^{\theta _1}h^{\theta _2}\). The transcript \(trs=(c_0,d_1,d_2,x,\theta _1,\theta _2)\) is a valid transcript with the same probability distribution as a real proof.    \(\square \)

D Proof of Protocol 3.3

Proof

We follow the proof of [9] for the soundness, and give our proof for the zero-knowledge property.

Soundness. We first construct an extractor \(\mathcal {X}_1\) for the protocol \(\mathsf {Prove}\), then an extractor \(\mathcal {X}_2\) for Protocol 3.3. For \(\mathcal {X}_1\), we use an inductive argument showing that in each step we either extract a witness or a discrete log relation. If \(n=|g|=1\), rewind \(\mathcal {P}\) to get two transcripts with the same randomness used by \(\mathcal {P}\) but different challenges from \(\mathcal {V}\). Assume the witness of \(\mathcal {P}\) is \((a_1,c,r)\) and \(d=g_1^{t_1}u^{t_2}h^{t_3}\); the transcripts are

$$\begin{aligned}&tr:=(d,x,\theta _1,\theta _2)\\&tr':=(d,x',\theta _1',\theta _2') \end{aligned}$$

then we get \(g_1^{a_1x+\theta _1}u^{cx+b_1\theta _1}h^{\theta _2+xr}=g_1^{a_1x'+\theta _1'}u^{cx'+b_1\theta '_1}h^{\theta '_2+x'r}=d\).

Since \(a_1,c,d\) are predefined values, either the extractor can compute

$$\begin{aligned} \log _{g_1}u+\log _{g_1}h=\frac{\theta _1-\theta '_1}{b_1\theta '_1+\theta '_2-b_1\theta _1-\theta _2} \end{aligned}$$

or \(a_1=\frac{\theta _1-\theta '_1}{x'-x}\) and \(c=a_1b_1\).

Next, consider the k-th recursive step on input (\(\boldsymbol{g},u,h,c,\boldsymbol{b}\)), and assume that the \((k+1)\)-th recursive step has input (\(\boldsymbol{g}',u,h,c',\boldsymbol{b}'\)) and that the witness extracted from that step is \(r',\boldsymbol{a}',\langle \boldsymbol{a}',\boldsymbol{b}'\rangle \). We show that, given the witness of the \((k+1)\)-th recursive step, an extractor can efficiently compute either a witness of the k-th recursive step or a non-trivial discrete logarithm relation between the generators.

On the k-th recursive step, the extractor runs the prover to get L and R. Then, by rewinding the prover four times and giving it four different challenges \(x_1, x_2, x_3, x_4\), the extractor obtains four vectors \(\boldsymbol{a}'_i \in \mathbb {Z}_p^{n'}\) such that

$$\begin{aligned} c\cdot L^{x^2_i}\cdot R^{x_i^{-2}}=\left( \boldsymbol{g}_{[:n']}^{x_i^{-1}}\circ \boldsymbol{g}_{[n':]}^{x_i^2}\right) ^{\boldsymbol{a}_i'}h^{r'_i}u^{\langle \boldsymbol{a}_i',\boldsymbol{b}_i'\rangle } \quad \text { for } i=1,...,4 \end{aligned}$$
(1)

compute \(v_1,v_2,v_3 \in \mathbb {Z}_p\) such that

$$\begin{aligned} \sum \limits _{i=1}^3v_ix^2_i=1, \qquad \sum \limits _{i=1}^3v_i=0, \qquad \sum \limits _{i=1}^3v_ix_i^{-2}=0 \end{aligned}$$
(2)

Then taking a linear combination of the first three equations with \(v_1,v_2,v_3\) as the coefficients,

$$\begin{aligned} c^{v_i}\cdot L^{x_i^2v_i}\cdot R^{x_i^{-2}v_i}=(\boldsymbol{g}_{[:n']}^{x_i^{-1}}\boldsymbol{g}_{[n':]}^{x_i})^{\boldsymbol{a}_i' v_i}h^{v_i r'_i}u^{\langle \boldsymbol{a}_i',\boldsymbol{b}'_i\rangle v_i} \text { for } i=1,2,3 \end{aligned}$$

we can compute

$$\begin{aligned}&\,\,\, L=\boldsymbol{g}^{\boldsymbol{a}_{L}}h^{r_L}u^{s_L} \text { , where } \\&r_L=\sum \limits _{i=1}^3v_ir'_i,\quad {\boldsymbol{a}_L}_{[:n']}=\sum \limits _{i=1}^3x_i^{-1}\boldsymbol{a}'_iv_i,\quad {\boldsymbol{a}_L}_{[n':]}=\sum \limits _{i=1}^3x_i\boldsymbol{a}'_iv_i,\quad s_L=\sum \limits _{i=1}^3\langle \boldsymbol{a}'_i,\boldsymbol{b}'_i\rangle v_i \end{aligned}$$

Repeating this process with different combinations (computing \(v_1,v_2,v_3\) of Eq. 2 with different summations), we can also compute R and c such that

$$\begin{aligned}&R=\boldsymbol{g}^{\boldsymbol{a}_{R}}h^{r_R}u^{s_R}\\&c=\boldsymbol{g}^{\boldsymbol{a}_c}h^{r_c}u^{s_c} \end{aligned}$$

Now, we can rewrite Eq. 1, for each \(x\in \{x_1,x_2,x_3,x_4\}\) as

$$\begin{aligned} \boldsymbol{g}^{\boldsymbol{a}_L x^{2}+\boldsymbol{a}_{c}+\boldsymbol{a}_{R} x^{-2}}h^{x^2r_L+r_c+x^{-2}r_R}u^{x^2s_L+s_c+x^{-2}s_R}=\boldsymbol{g}_{[:n']}^{\boldsymbol{a}'\cdot x^{-1}}\boldsymbol{g}_{[n':]}^{\boldsymbol{a'}\cdot x}h^{r'}u^{\langle \boldsymbol{a}',\boldsymbol{b}'\rangle } \end{aligned}$$

This implies that

$$\begin{aligned}&\boldsymbol{a}'\cdot x^{-1} ={x^{2}{\boldsymbol{a}_{L}}_{[:n']}+{\boldsymbol{a}_{c}}_{[:n']}}+x^{-2}{\boldsymbol{a}_{R}}_{[:n']}\\&\boldsymbol{a}'\cdot x={x^{2}{\boldsymbol{a}_{L}}_{[n':]}+{\boldsymbol{a}_{c}}_{[n':]}}+x^{-2}{\boldsymbol{a}_{R}}_{[n':]}\\&\langle \boldsymbol{a}',\boldsymbol{b}'\rangle =x^2s_L+s_c+x^{-2}s_R \end{aligned}$$

Either the extractor can obtain a non-trivial discrete logarithm relation between the generators (\(\boldsymbol{g},h,u\)) if these equations do not hold, or we can deduce that for each challenge \(x\in \{x_1,x_2,x_3,x_4\}\)

$$\begin{aligned} x^3{\boldsymbol{a}_{L}}_{[:n']}+x({\boldsymbol{a}_c}_{[:n']}-{\boldsymbol{a}_{L}}_{[n':]})+x^{-1}({\boldsymbol{a}_{R}}_{[:n']}-{\boldsymbol{a}_c}_{[n':]})-x^{-3}{\boldsymbol{a}_{R}}_{[n':]}=0 \end{aligned}$$

The only way the above equation holds for all challenges is if

$$\begin{aligned} {\boldsymbol{a}_{L}}_{[:n']}={\boldsymbol{a}_{R}}_{[n':]}=0,\quad {\boldsymbol{a}_c}_{[:n']}={\boldsymbol{a}_{L}}_{[n':]},\quad {\boldsymbol{a}_{R}}_{[:n']}={\boldsymbol{a}_c}_{[n':]} \end{aligned}$$

Thus \(\boldsymbol{a}'=x{\boldsymbol{a}_{c}}_{[:n']}+x^{-1}{\boldsymbol{a}_c}_{[n':]}\). Using these values we can see that:

$$\begin{aligned} x^2s_L+s_c+x^{-2}s_R&=\langle \boldsymbol{a}',\boldsymbol{b}'\rangle \\ {}&=\langle {\boldsymbol{a}_{c}}_{[:n']},{\boldsymbol{b}}_{[n':]}\rangle \cdot x^2+\langle {\boldsymbol{a}_{c}},{\boldsymbol{b}}\rangle +\langle {\boldsymbol{a}_{c}}_{[n':]},{\boldsymbol{b}}_{[:n']}\rangle \cdot x^{-2} \end{aligned}$$

Since the relation holds for all \(x\in \{x_1,x_2,x_3,x_4\}\), it must be that

$$\begin{aligned} \langle {\boldsymbol{a}_{c}},{\boldsymbol{b}}\rangle =s_c \end{aligned}$$

The extractor, thus, either extracts a discrete logarithm relation between the generators, or the witness \(\boldsymbol{a}_c\).

We now show that at the beginning of Protocol 3.3, on input \((c_{\boldsymbol{a}},c_{\boldsymbol{ab}},\boldsymbol{g},\boldsymbol{b})\), the extractor \(\mathcal {X}_2\) runs \(\mathcal {P}\) with challenge x and uses \(\mathcal {X}_1\) to obtain a witness \(\boldsymbol{a},r\) such that \(c_{\boldsymbol{a}}c_{\boldsymbol{ab}}^x=\boldsymbol{g}^{\boldsymbol{a}}g^{x\langle \boldsymbol{a},\boldsymbol{b}\rangle }h^{r}\). Rewinding \(\mathcal {P}\) with a different challenge \(x'\), \(\mathcal {X}_1\) extracts a new witness \(\boldsymbol{a}',r'\) such that \(c_{\boldsymbol{a}}c_{\boldsymbol{ab}}^{x'}=\boldsymbol{g}^{\boldsymbol{a}'}g^{x\langle \boldsymbol{a}',\boldsymbol{b}\rangle }h^{r'}\). Then we get

$$\begin{aligned} g^{s(x-x')}h^{r_{ab}(x-x')}=\boldsymbol{g}^{\boldsymbol{a-a'}}g^{x\langle \boldsymbol{a},\boldsymbol{b}\rangle -x'\langle \boldsymbol{a}',\boldsymbol{b}\rangle }h^{r-r'} \end{aligned}$$

Unless \(\boldsymbol{a}=\boldsymbol{a}'\), we get a non-trivial discrete log relation between \(\boldsymbol{g}\), h and g. Otherwise we get \(s=\langle \boldsymbol{a},\boldsymbol{b}\rangle , r_{ab}=\frac{r-r'}{x-x'}, r_a=r-\frac{x(r-r')}{x-x'}.\)    \(\square \)

Perfect Zero-Knowledge. The simulator chooses a random vector \(\boldsymbol{a}\in \mathbb {Z}_p^n\) as the witness, and we show that it can generate a valid transcript for this vector.

For each recursive step, when the verifier asks for L and R, the simulator chooses random \(r_1,r_2\in \mathbb {Z}_p^* \) and computes

$$\begin{aligned} L=\boldsymbol{g}_{[n':]}^{\boldsymbol{a}_{[:n']}}\cdot u^{\langle \boldsymbol{a}_{[:n']},\boldsymbol{b}_{[n':]}\rangle }\cdot h^{r_1}\in \mathbb {G}\\ R=\boldsymbol{g}_{[:n']}^{\boldsymbol{a}_{[n':]}}\cdot u^{\langle \boldsymbol{a}_{[n':]},\boldsymbol{b}_{[:n']}\rangle }\cdot h^{r_2}\in \mathbb {G} \end{aligned}$$

Assume that at the last recursive step the input commitment is \(c'\) and the challenge is x. The simulator randomly chooses \(\theta _1,\theta _2\in \mathbb {Z}_p^*\) and computes \(d=c'^x g_1^{\theta _1}u^{b_1\theta _1}h^{\theta _2}\).

The transcript \(trs=(c,L_1,R_1,x_1,L_2,R_2,x_2,...,d,x,\theta _1,\theta _2)\) is a valid transcript with the same probability distribution as a real proof.

E Proof of Protocol 3.4

Proof

Soundness. A valid transcript of Protocol 3.4 consists of 8 sub-transcripts: three transcripts of Protocol 3.1 on the statements

$$\begin{aligned} (\{c_1\}_{i=1}^k,\{h_i\}_{i=1}^k,g,h,c_u,\{u_i(x_1)\}_{i=1}^k);\\ (\{c_1\}_{i=1}^k,\{h_i\}_{i=1}^k,g,h,c_v,\{v_i(x_1)\}_{i=1}^k);\\ (\{c_1\}_{i=1}^k,\{h_i\}_{i=1}^k,g,h,c_w,\{w_i(x_1)\}_{i=1}^k) \end{aligned}$$

respectively; four transcripts of Protocol 3.2 on statements \((\boldsymbol{g},\boldsymbol{b}:=\{u_{k+1}(x_1),...,u_{l}(x_1)\},c_{l},c_{\boldsymbol{u}})\), \((\boldsymbol{g},\boldsymbol{b}:=\{v_{k+1}(x_1),...,v_{l}(x_1)\},c_{l},c_{\boldsymbol{v}})\), \((\boldsymbol{g},\boldsymbol{b}:=\{w_{k+1}(x_1),...,u_{l}(x_1)\},c_{l},c_{\boldsymbol{w}})\) and \((\boldsymbol{g},\boldsymbol{b}:=\{xz(x_1),...,x^{n-2}z(x_1)\},c_{h},c_{hz})\) respectively; one transcript of Protocol 3.3 on statement \((c_a,c_b,c_c)\).

The soundness of protocol 3.1 implies

$$\begin{aligned} c_u=g^{\sum \limits _{i=1}^{k} a_iu_i(x_1)}h^{t_u}, \quad c_v=g^{\sum \limits _{i=1}^{k} a_iv_i(x_1)}h^{t_v},\quad c_w=g^{\sum \limits _{i=1}^{k} a_iu_i(x_1)}h^{t_w} \end{aligned}$$

The soundness of protocol 3.3 implies

$$\begin{aligned} c_{\boldsymbol{u}}&=g^{\sum \limits _{i=k+1}^la_iu_i(x_1)}h^{s_u}, \quad c_{\boldsymbol{v}}=g^{\sum \limits _{i=k+1}^la_iv_i(x_1)}h^{s_v},\\ c_{\boldsymbol{w}}&=g^{\sum \limits _{i=k+1}^la_iw_i(x_1)}h^{s_w}, \quad c_{hz}=g^{h(x_1)z(x_1)}h^{s_h} \end{aligned}$$

The knowledge extractor described in the proof of Protocol 3.1 can extract \(a,r_a\) and \(b,r_b\) such that

$$\begin{aligned} c_a&=c_u\cdot c_{\boldsymbol{u}}\cdot g^{\sum \limits _{i=l+1}^na_iu_i(x_1)}=g^ah^{r_a}\\ c_b&=c_v\cdot c_{\boldsymbol{v}}\cdot g^{\sum \limits _{i=l+1}^na_iv_i(x_1)}=g^bh^{r_b}\\ c_c&=c_w\cdot c_{\boldsymbol{w}}\cdot g^{\sum \limits _{i=l+1}^na_iw_i(x_1)}\cdot c_{hz}=g^{ab}h^{r_c} \end{aligned}$$

which means

$$\begin{aligned} \sum \limits _{i=1}^na_iu_i(x_1) \cdot \sum \limits _{i=1}^na_iv_i(x_1)=\sum \limits _{i=1}^na_iw_i(x_1)+h(x_1)z(x_1) \end{aligned}$$

Apart from the challenge \(x_1\), all the variables in the above equation are predefined, therefore either the prover can compute the non-trivial discrete logarithm relation between the generators or \(\sum \limits _{i=1}^na_iu_i(X) \cdot \sum \limits _{i=1}^na_iv_i(X)=\sum \limits _{i=1}^na_iw_i(X)+h(X)z(X).\)

Perfect special honest-verifier zero-knowledge. The zero-knowledge property follows from the zero-knowledge properties of the sub-protocols. The simulator can use the sub-protocols’ simulators to produce a valid transcript without knowing the witnesses.    \(\square \)

F Definitions for Commit-and-Prove Zero-Knowledge Proof

Definition 7

(Perfect Completeness). The triple \((\mathcal {G},\mathcal {V},\mathcal {P})\) has perfect completeness if for all non-uniform PPT adversaries \(\mathcal {A}\)

$$\begin{aligned} \Pr \left[ \begin{array}{l} (\sigma ,c,r,x,u,w)\notin \mathcal {R}_{\lambda }^{\mathsf {Com}}\\ \text {or} \ \langle \mathcal {P}(\sigma ,c,r,x,u,w),\mathcal {V}(\sigma ,c,x)\rangle =1 \end{array} \ \Big \vert \begin{array}{l} \sigma \leftarrow \mathcal {G}(1^\lambda ) \\ (c,r,x,u,w)\leftarrow \mathcal {A}(\sigma ) \end{array}\right] =1 \end{aligned}$$

Definition 8

(Computational Soundness). \((\mathcal {G},\mathcal {V},\mathcal {P})\) has computational soundness if it is not possible to prove a false statement for which no witness exists, i.e. for all non-uniform polynomial time interactive adversaries \(\mathcal {A}_1,\mathcal {A}_2\), the function \(\mathsf {negl}(\lambda )\) below is negligible.

$$\begin{aligned} \Pr \left[ \begin{array}{l} \mathcal {A}_1(tr)=1 \ (\textit{i.e. tr is accepting}) \ \wedge \\ (\sigma ,c,r,x,u,w)\notin \mathcal {R}_{\lambda }^{\mathsf {Com}} \end{array} \ \Big \vert \begin{array}{l} \sigma \leftarrow \mathcal {G}(1^\lambda ) \\ (c,x,s)\leftarrow \mathcal {A}_2(\sigma ) \end{array}\right] \le \mathsf {negl}(\lambda ) \end{aligned}$$

Definition 9

(Computational Knowledge Soundness). \((\mathcal {G},\mathcal {V},\mathcal {P})\) has computational knowledge soundness if for all deterministic polynomial time \(\mathcal {P}^*\) there exists a polynomial time knowledge extractor \(\mathcal {E}\) such that for all non-uniform polynomial time interactive adversaries \(\mathcal {A}_1,\mathcal {A}_2\), the function \(\mathsf {negl}(\lambda )\) is negligible,

where the oracle is given by \(\mathcal {O}=\langle \mathcal {P}^*(\sigma ,c,x,s),\mathcal {V}(\sigma ,c,x)\rangle \).

The oracle \(\mathcal {O}\) permits rewinding to a specific point and resuming with fresh randomness for the verifier from this point onwards. Informally, if there is an adversary that can produce an argument that satisfies the verifier with some probability, then there exists an emulator that can extract the witness. The value s is the internal state of \(\mathcal {P}^*\), including its randomness. The emulator is permitted to rewind the interaction between the prover and verifier to any move and then resume with fresh randomness for the verifier.

Definition 10

(Perfect Special Honest-Verifier Zero-Knowledge). A triple \((\mathcal {G},\mathcal {P},\mathcal {V})\) is a perfect special honest-verifier zero-knowledge argument of knowledge for \(\mathcal {R}_\lambda ^{\mathsf {Com}}\) if there exists a probabilistic polynomial time simulator \(\mathcal {S}\) such that for all pairs of interactive adversaries \(\mathcal {A}_1,\mathcal {A}_2\)

where \(\rho \) is the randomness used by the verifier.

Definition 11

(Commit-and-Prove Zero-knowledge Argument of Knowledge). The triple \((\mathcal {S},\mathcal {P},\mathcal {V})\) is a commit-and-prove zero-knowledge argument of knowledge for a family of relations \(\mathcal {R}^{\mathsf {Com}}\) if it satisfies the perfect completeness, perfect special honest-verifier zero-knowledge and computational soundness or computational knowledge soundness.

G Notations

 


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Gjøsteen, K., Raikwar, M., Wu, S. (2022). PriBank: Confidential Blockchain Scaling Using Short Commit-and-Proof NIZK Argument. In: Galbraith, S.D. (eds) Topics in Cryptology – CT-RSA 2022. CT-RSA 2022. Lecture Notes in Computer Science(), vol 13161. Springer, Cham. https://doi.org/10.1007/978-3-030-95312-6_24

  • DOI: https://doi.org/10.1007/978-3-030-95312-6_24

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-95311-9

  • Online ISBN: 978-3-030-95312-6

  • eBook Packages: Computer Science (R0)