The prover P and the verifier V on common input 1^{n}, x and id, and private input w for P: |
1. V sends m_{0}=(Com(r_{1}),⋯,Com(r_{ℓ})) to P, where ℓ=O(1) is the number of rounds of the CNMZK protocol. |
2. P chooses a random seed s for a pseudorandom function f_{s}:{0,1}^{∗}→{0,1}^{l(n)} where l(n) is the upper bound of the size of random bits that P needs in each round of the protocol CNMZK in Table 2 |
3. P and V run protocol CNMZK with the following modifications: |
– For each message m_{i} that V sends in the i-th round of CNMZK, V and P run (P_{rsZK},V_{rsZK}) so that V proves to P that m_{i} is computed using random bits r_{i} that committed in m_{0} in the first round. |
– For each message mi′ that P sends in the i-th round of CNMZK, P applies f_{s} to the transcript so far and uses the output as random bits to compute mi′. |