Skip to main content

Table 3 Constant-Round Resettable NMZK Argument(rNMZK)

From: Concurrent non-malleable zero-knowledge and simultaneous resettable non-malleable zero-knowledge in constant rounds

The prover P and the verifier V on common input 1n, x and id, and private input w for P:

1. V sends m0=(Com(r1),,Com(r)) to P, where =O(1) is the number of rounds of the CNMZK protocol.

2. P chooses a random seed s for a pseudorandom function fs:{0,1}→{0,1}l(n) where l(n) is the upper bound of the size of random bits that P needs in each round of the protocol CNMZK in Table 2

3. P and V run protocol CNMZK with the following modifications:

– For each message mi that V sends in the i-th round of CNMZK, V and P run (PrsZK,VrsZK) so that V proves to P that mi is computed using random bits ri that committed in m0 in the first round.

– For each message mi′ that P sends in the i-th round of CNMZK, P applies fs to the transcript so far and uses the output as random bits to compute mi′.