The prover P and the verifier V on common input 1n, x and id, and private input w for P: |
1. V sends m0=(Com(r1),⋯,Com(rℓ)) to P, where ℓ=O(1) is the number of rounds of the CNMZK protocol. |
2. P chooses a random seed s for a pseudorandom function fs:{0,1}∗→{0,1}l(n) where l(n) is the upper bound of the size of random bits that P needs in each round of the protocol CNMZK in Table 2 |
3. P and V run protocol CNMZK with the following modifications: |
– For each message mi that V sends in the i-th round of CNMZK, V and P run (PrsZK,VrsZK) so that V proves to P that mi is computed using random bits ri that committed in m0 in the first round. |
– For each message mi′ that P sends in the i-th round of CNMZK, P applies fs to the transcript so far and uses the output as random bits to compute mi′. |