Table 2 Constant-round concurrent non-malleable zero-knowledge argument

Common input: x∈L and identity id∈{0,1}ⁿ.

Auxiliary input to P: w∈R_L(x).

Stage 1: P and V runs a generation protocol as (Barak 2001)

P←V: \(h \xleftarrow {R} \mathcal {H}_{n}\)

P→V: c₁=Com(0ⁿ,ρ₁)

P←V: \(r \xleftarrow {R} \{0,1\}\text {} ^{4n}\)

Stage 2: P runs a WIUA using its auxiliary input w

P⇔V: P sends c₂ to V and gives a WIUA argument of the statement x∈L or (h,c₁,c₂,r)∈Λ₁, where c₂=Com(0ⁿ,ρ₂).

Stage 3: P runs a WIUA again upon receiving the public parameter PP

P←V: V invokes the PC.Setupalgorithm to generate (PP,K) and sends PP to P.

P⇔V: P sends c₃ to V and gives a WIUA argument of the statement x∈L or (h,PP,c₂,c₃,r)∈Λ₂, where c₃=Com(0ⁿ,ρ₃).

Stage 4: Vdelegates P to generate the CRS

P⇔V: V sends the algorithm\( \hat {\mathcal {P}}_{\textsf {{CRSGen}}} \) to P and gives a ZK argument of the statement \((\textsf {PP},c_{3},\hat {\mathcal {P}}_{\textsf {{CRSGen}}}) \in \Lambda \)₃, where \( \hat {\mathcal {P}}_{\textsf {{CRSGen}}} =i\mathcal {O}(\mathcal {P}^{c_{3},\textsf {{PP}},\textsf {{K}},\rho _{\textsf {{CRSGen}}}},\rho _{i\mathcal {O}}) \).

Stage 5: P runs a WISSP using its auxiliary input w

P⇔V: P sends (c₄,c₅) to V and gives a WISSP argument of the statement that (x,w)∈R_L(x) or \( (\textsf {PP},\hat {\mathcal {P}}_{\textsf {{CRSGen}}},c_{5}) \in \Lambda _{4} \), where \(c_{4}=\textsf {CCACom}_{\textsf {id}}^{1:1}(w,\rho _{4})\) and c₅=Com((PP,κ),ρ₅).