Table 3 Constant-Round Resettable NMZK Argument(rNMZK)

The prover P and the verifier V on common input 1ⁿ, x and id, and private input w for P:

1. V sends m₀=(Com(r₁),⋯,Com(r_ℓ)) to P, where ℓ=O(1) is the number of rounds of the CNMZK protocol.

2. P chooses a random seed s for a pseudorandom function f_s:{0,1}^∗→{0,1}^l(n) where l(n) is the upper bound of the size of random bits that P needs in each round of the protocol CNMZK in Table 2

3. P and V run protocol CNMZK with the following modifications:

– For each message m_i that V sends in the i-th round of CNMZK, V and P run (P_rsZK,V_rsZK) so that V proves to P that m_i is computed using random bits r_i that committed in m₀ in the first round.

– For each message mi′ that P sends in the i-th round of CNMZK, P applies f_s to the transcript so far and uses the output as random bits to compute mi′.