A. Non-Interactive Zero-Knowledge Proof System

A non-interactive zero-knowledge proof system (NIZK) [1] is a cryptographic protocol between two parties, a prover and a verifier. Given a statement for an NP language, the prover, who is the only one possessing a witness, proves the validity of the statement without leaking anything other than the validity of the statement. Recently, efficient construction methods for NIZKs have been proposed, such as GS-NIZK [2] and QA-NIZK [3], and NIZKs are used to build cryptographic applications.

A typical methodology that is employed in NIZKs is the commit-and-prove medhodology [4]–​[6]. Roughly speaking, this technique guarantees that, given a proof and a commitment, the proof is carried out with respect to the opening of the commitment. NIZKs that employ the commit-and-prove methodology (CP-NIZKs) are seen in the literature [2], [7]–​[10]. The commit-and-prove methodology itself is of interest. For instance, as noted in [11], the commit-and-prove technique is standard when one wants to prove that the witnesses to two distinct statements are the same [10], [12]–​[15].

One of the most notable applications of CP-NIZKs is Zcash [16], which uses zk-SNARK by [17] to guarantee the anonymity of users. In fact, the zk-SNARK does not explicitly employ a commit-and-prove methodology. However, as mentioned in [18], a prover in Zcash proves knowledge about a committed value, and thus we can regard Zcash as an application of a CP-NIZK.

B. Black-Box Language Extension

A language ${\mathcal L}_{0} \diamond {\mathcal L} _{1}$ such that $\diamond \in \{\wedge, \vee \}$ is referred to as an extended language. NIZKs for extended languages are important from the perspective of both theory and practice. The well-known Naor-Yung construction [19] uses an NIZK for a conjunctive language to construct a chosen ciphertext attack secure public key encryption scheme. In electronic voting protocols such as Helios, an NIZK for a disjunctive language is employed to guarantee the validity of votes. Therefore, a black-box construction of NIZKs for extended languages may help in obtaining efficient constructions for these applications.

Abe et al. [20] showed the (im)possibility of extending a language class that can be proven by NIZKs in a black-box manner. They showed that, given simulation-sound NIZKs (SS-NIZKs) [21] for a language ${\mathcal L}_{0}$ , it is impossible to construct a (standard) NIZK for ${\mathcal L}_{0} \vee {\mathcal L} _{1}$ , where ${\mathcal L}_{1}$ is some NP language. Note that, given NIZKs for ${\mathcal L}_{0}$ and ${\mathcal L}_{1}$ , we can trivially construct a standard NIZK for ${\mathcal L}_{0} \land {\mathcal L} _{1}$ by executing the given NIZKs in parallel. Furthermore, Yamashita et al. [22] showed a negative result on a more involved language. That is, they showed that, given an NIZK that proves the validity of the ciphertext of a chosen plaintext attack secure public key encryption scheme (CPA-PKE), it is impossible to construct an NIZK that proves the equality of the plaintexts behind two distinct ciphertexts (i.e., the NIZK employed in the Naor-Yung construction [19]) in a black-box manner.

While somewhat folklore, we can construct an NIZK that proves witness equality if the underlying NIZKs are CP-NIZKs. Suppose that we are given CP-NIZKs for distinct languages ${\mathcal L}_{0}$ and ${\mathcal L}_{1}$ that share the same commitment scheme. Then, we can construct an NIZK for the language ${\mathcal L}= \{x_{0}, x_{1} \, | \, \exists w_{0}, w_{1} \, \textrm {such that} \, (x_{0}, w_{0}) \in R_{\mathcal L_{0}} \land (x_{1}, w_{1}) \in R_{\mathcal L_{1}} \land w_{0}=w_{1}\}$ by executing the NIZKs on the same commitment. In other words, the commit-and-prove methodology trivially breaks the barrier presented in [22]. However, it is not clear if a commit-and-prove technique overcomes the negative result for disjunctive languages by [20]. Hence, the following question is still open:

Is it possible to construct an NIZK for a disjunctive language based on CP-NIZKs in a black-box manner?

C. Our Contribution

We investigate the above problem and answer negatively. That is, there is no fully black-box construction of an NIZK for a disjunctive language based on CP-NIZKs. In this paper, we first formalize CP-NIZKs and introduce an oracle that implements a CP-NIZK for a certain language. Then, we demonstrate a polynomial-time adversary that attacks the soundness of an NIZK for a disjunctive language.

Specifically, let ${O}$ be a certain oracle and ${Z}$ be an oracle that implements a CP-NIZK for an oracle-relativized language, denoted by ${\mathcal L}^{O}$ . Assume that there exists a black-box construction $\textsf {M}^{O, {Z}}$ of a proof system for ${\mathcal L}^{O} \vee {\mathcal L} '$ that is complete and zero-knowledge, where ${\mathcal L}'$ is some language. Then, we can construct an adversary that breaks the soundness of ${\mathsf {M}}$ in the standard soundness game. This result suggests that if we want to augment the capability of NIZKs in terms of the languages they prove, we should rely on certain algebraic structures.

D. Technical Overview

We follow the “swapping technique” that is introduced in [20] in the construction of our adversary. The idea behind the technique is the following: Let ${O}$ be an oracle implemented by a uniformly chosen random injection and ${\mathcal L}^{O} = \{x \, | \, \exists \, w \, \textrm {such that} \, x = {O}(w)\}$ be a language. Let $x = {O}(w)$ for some $w$ and $x' \notin {\mathcal L} ^{O}$ , where $|x| = |x'|$ . Suppose that we are considering a game between a challenger and an adversary, and the adversary internally simulates some oracle algorithm. When the algorithm makes a query to ${O}$ on $w$ , the adversary actually relays the query to the oracle. Even if the adversary returns $x'$ as the answer to the algorithm (i.e., the adversary sets $x':= {O}(w)$ ), the algorithm cannot detect this swap, as ${O}$ is implemented by a random injection. In other words, there must be another “correct” oracle ${O}'$ that maps $w$ to $x'$ in the oracle distribution. Thus, the simulated algorithm runs correctly and outputs its result based on the swapped value.

Our adversary works as follows: Let ${\mathsf {M}}$ be a black-box construction of a proof system for a disjunctive language that is complete and zero-knowledge. Given a common reference string in a soundness game, the adversary runs the prover algorithm of ${\mathsf {M}}$ on a false statement. The adversary cheats the prover by following the above swapping technique, and finally the prover outputs a (forged) proof. This proof should pass the verification by ${\mathsf {M}}$ since it is generated by the prover. Actually, the oracle ${O}$ and the construction of the adversary are more involved. See Section IV for more details.

E. Related Work

Utilizing NIZK oracles in a black-box framework was initiated by Brakerski et al. [23]. They introduced an oracle that implements an NIZK for an NP-complete language and showed that, despite the existence of the NIZK oracle, there is no fully black-box construction of a key agreement protocol based on a one-way function, which is a well-known result by Impagliazzo and Rudich [24]. Follow-up work in [23] treats sophisticated primitives, such as functional encryption [25] and garbled circuits [26].

As mentioned earlier, many CP-NIZKs have been proposed [2], [7]–​[10]. Namely, in [10], a commit-and-prove methodology plays an essential role in obtaining a modular composition of zk-SNARKs.

A $\Sigma$ -protocol for a disjunctive language has already been proposed [27]. Therefore, we can obtain an NIZK for a disjunctive language in the random oracle model if we apply the Fiat-Shamir transformation [28] to the $\Sigma$ -protocol. However, this does not affect the meaning of this work as we consider NIZKs in the common reference string (CRS) model.

F. Paper Organization

In Section II, we introduce basic notation. Namely, we formalize CP-NIZKs by following the definition in [7]. In Section III, we introduce an oracle that implements a CP-NIZK for a certain language and show that the oracle indeed constitutes a CP-NIZK. Section IV provides our main result on the black-box construction of an NIZK for a disjunctive language based on a CP-NIZK. Finally, Section V concludes this paper and presents several remaining tasks.

A. Basic Notation

We denote by $n \in {\mathbb {N}}$ a security parameter throughout this paper. A polynomial function and a negligible function are denoted by poly and negl, respectively. For a finite set $X$ , the notation $x \leftarrow X$ represents a sampling of an instance $x \in X$ with a uniform distribution over $X$ . Similarly, for an algorithm $A$ , the computation that $A$ takes $x$ as input and outputs $y$ is denoted by $y \leftarrow A(x)$ . A probabilistic polynomial-time Turing machine is denoted by PPT. A Turing machine ${\mathsf {M}}$ that has access to an oracle ${O}$ is called an oracle Turing machine, denoted by $\textsf {M}^{O}$ . For an NP language ${\mathcal L}$ , the NP relation is denoted by $R_{\mathcal L}$ , and we let ${\mathcal L}_{n}:= {\mathcal L}\cap \{0, 1\}^{n}$ and $R_{n}:= \{ (x, w) \, | \, (x, w) \in R_{\mathcal L} \wedge x \in {\mathcal L} _{n}\}$ . For a function $f$ , we denote the inverse function by $f^{-1}$ . When $y$ has no preimage, we write $f^{-1}(y) = \bot$ . For a function $f: \{0, 1\}^{n_{1}} \rightarrow \{0, 1\}^{n_{2}}$ , where $n_{1} < n_{2}$ , we say $y \in \{0, 1\}^{n_{2}}$ is legitimate with respect to $f$ if $y$ has a preimage $x$ s.t. $f(x) = y$ . We say that a query to an oracle is successful if it has a result other than $\bot$ .

The notation $y \leftarrow {O} (x)$ represents that a query to an oracle ${O}$ on $x$ results in $y$ . We use oracles and algorithms that implement several functionalities. We denote by $\textsf {M}(\textsf {func}, x)$ an algorithm or an oracle ${\mathsf {M}}$ that works as a functionality ${\mathsf {func}}$ on input $x$ . If the input is not important in the context, we write $\textsf {M}.\textsf {func}$ to denote the functionality ${\mathsf {func}}$ implemented by ${\mathsf {M}}$ . We regard an oracle ${O}$ as a set of entries $(\textsf {func}, x; y)$ where ${\mathsf {func}}$ is a function implemented by ${O}$ , $x$ is an input of ${\mathsf {func}}$ and $y$ is an output s.t. $y \leftarrow {O} (\textsf {func}, x)$ . We denote by ${O}(\textsf {func}, x, y)$ such an entry.

We use bracket notation $[\cdot]$ to represent a variable that matches any value; for instance, $y \leftarrow {O} ([x])$ is a query that results in $y$ , and we refer to the input value as $x$ thereafter. When the matched value is not important in the context, we write $y \leftarrow {O} (*)$ .

A partial oracle $S$ of an oracle ${O}$ is a set that is defined on only some subset of inputs of ${O}$ , and $S$ is consistent with ${O}$ if there exists another set $S'$ s.t. $S \cup S' = {O}$ . We sometimes denote an oracle $S$ by $S = S_{1} || S_{2} || \cdots$ , where $S_{i}$ are partial oracles and $S$ works as follows: Given a query on $x$ , it first searches for a matching entry $S_{1}(x, [y])$ and returns $y$ if such a query exists, otherwise it searches $S_{2}$ and so on.

In this paper, we focus on an NIZK, which is formally defined as follows:

We formally define a commit-and-prove NIZK. We partially follow the definition in [7], but there are some differences. We will explain the differences after the definition.

There are three differences between our definition and the definition in [7]. In [7], every algorithm of a CP-NIZK takes a tag as an input to identify the type of value that is given, such as a group element or a field element, while we do not require such a tag. Second, they divide a witness into pieces while we treat only a single witness, because it is sufficient for our purpose. Finally, in the composable zero-knowledge game of [7], the adversary outputs a statement and indices that correspond to the witnesses and commitments it chooses, while ours outputs a statement, a single witness and a single commitment.

We consider the impossibility of a black-box construction of a primitive, and define a black-box construction of a primitive below.

This work focuses on a black-box construction of an NIZK for disjunctive languages. We formally define an extended language, which includes disjunctive languages.

If a statement $(x, x^{*})$ for an extended language ${\mathcal L}\diamond \hat {\mathcal L}$ satisfies $x \in {\mathcal L}$ and $x^{*} \in \hat {\mathcal L}$ , we say such a statement is an (yes, yes)-instance, and we define other such statements in the obvious way.

In this work we treat a CP-NIZK for a hard language, which is defined as follows, since it is convenient for our purpose.

Definition 8 (Oracle${O}$ ):

Let $H_{\mathsf {smpl}}: \{0, 1\}^{n+1} \rightarrow \{0, 1\}^{2n}$ be a random injection. An oracle ${O}$ provides the three functionalities $\mathsf {SmplYes}$ , $\mathsf {SmplNo}$ and ${\mathsf {Promise}}$ as follows:

• ${O}. \mathsf {SmplYes}$ : $x \leftarrow {O} (\mathsf {SmplYes}, w)$

  Given $w \in \{0, 1\}^{n}$ , compute $x \leftarrow H_{\mathsf {smpl}}(1 || w)$ and output $x$ .

• ${O}. \mathsf {SmplNo}$ : $x \leftarrow {O} (\mathsf {SmplNo}, w)$

  Given $w \in \{0, 1\}^{n}$ , compute $x \leftarrow H_{\mathsf {smpl}}(0 || w)$ and output $x$ .

• ${O}.\mathsf {Promise}$ : $b \leftarrow {O} (\mathsf {Promise}, x)$

  Given $x \in \{0, 1\}^{2n}$ , output 0 if $\bot \leftarrow H_{\mathsf {smpl}}(x)$ , otherwise 1.

For ${O}\in \mathcal {O}_{n}$ , let $\textsf {L}^{O} = (\textsf {L}^{O}. \mathsf {SmplYes}, \textsf {L}^{O}. \mathsf {SmplNo},\,\,\textsf {L}^{O}.\textsf {Promise})$ be an oracle machine that works as follows:

• Given $(\mathsf {SmplYes}, w)$ , output $x \leftarrow {O} (\mathsf {SmplYes}, w)$ .

• Given $(\mathsf {SmplNo}, w)$ , output $x \leftarrow {O} (\mathsf {SmplNo}, w)$ .

• Given $({\mathsf {Promise}}, x)$ , output $b \leftarrow {O} ({\mathsf {Promise}}, x)$ .

Lemma 1[20]:

The algorithm ${\mathsf {L}}^{O}$ constitutes a hard language $({\mathcal L}^{O}_{n}, {\mathcal C}^{O}_{n})$ where

View Source\begin{align*} {\mathcal L}^{O}_{n}=&\{x \, | \, \exists w \, \textrm {such that} \, x = H_{\mathsf {smpl}}(1||w) \},\\ {\mathcal C}^{O}_{n}=&\{x \, | \, \exists w \, \textrm {such that} \, x = H_{\mathsf {smpl}}(0||w) \}.\end{align*}

Definition 9:

Let ${O}\in \mathcal {O}_{n}$ be an oracle of the kind that is defined in Definition 8, and let ${\mathcal L}^{O}_{n}$ be the language defined in Lemma 1. An NIZK oracle ${Z}= ({Z}. \mathsf {Crs},\,\, {Z}. \mathsf {Com},\,\, {Z}. \mathsf {Prv},\,\, {Z}. \mathsf {Vrf},\,\, {Z}. \mathsf {PrvSim})$ for ${\mathcal L}^{O}_{n}$ is equipped with random injections $H_{\mathsf {crs}}: \{0, 1\}^{n} \rightarrow \{0, 1\}^{2n}$ , $H_{\mathsf {com}}: \{0, 1\}^{4n} \rightarrow \{0, 1\}^{5n}$ and $H_{\mathsf {prf}}: \{0, 1\}^{9n} \rightarrow \{0, 1\}^{10n}$ that implement the functionalities below.¹

• ${Z}. \mathsf {Crs}$ : $ck \leftarrow {Z} (\mathsf {Crs}, \tau)$

  Given a trapdoor $\tau \in \{0, 1\}^{n}$ , output a CRS $ck \leftarrow H_{\mathsf {crs}}(\tau)$ .

• ${Z}. \mathsf {Com}$ : $c \leftarrow {Z} (\mathsf {Com}, ck, w, r)$

  Given a CRS $ck \in \{0, 1\}^{2n}$ , a witness $w \in \{0, 1\}^{n}$ and a randomness $r \in \{0, 1\}^{n}$ , output a commitment $c \leftarrow H_{\mathsf {com}}(ck || w || r)$ if there exists a trapdoor $\tau$ such that $H^{-1}_{\mathsf {crs}}(ck) = \tau$ , otherwise output $\bot$ .

• ${Z}. \mathsf {Prv}$ : $\pi \leftarrow {Z}(\mathsf {Prv}, ck, x, w, r)$

  Given a CRS $ck \in \{0, 1\}^{2n}$ , a statement $x \in \{0, 1\}^{2n}$ , a witness $w \in \{0, 1\}^{n}$ and a randomness $r \in \{0, 1\}^{n}$ , if $(x, w) \in R_{\mathcal L^{O}_{n}}$ and there exists a trapdoor $\tau$ such that $H^{-1}_{\mathsf {crs}}(ck) = \tau$ , then compute $c = H_{\mathsf {com}}(ck, w, r)$ and output a proof $\pi \leftarrow H_{\mathsf {prf}}(ck || x || c)$ , otherwise output $\bot$ .

• ${Z}. \mathsf {Vrf}$ :$b \leftarrow {Z} (\mathsf {Vrf}, ck, x, c, \pi)$

  Given a CRS $ck \in \{0, 1\}^{2n}$ , a statement $x \in \{0, 1\}^{2n}$ , a commitment $c \in \{0, 1\}^{5n}$ and a proof $\pi \in \{0, 1\}^{10n}$ , output 1 if $\pi = H_{\mathsf {prf}}(ck || x || c)$ . Otherwise output 0.

• ${Z}. \mathsf {PrvSim}$ : $\pi \leftarrow {Z}(\mathsf {PrvSim}, ck, x, c, \tau)$

  Given a CRS $ck \in \{0, 1\}^{2n}$ , a statement $x \in \{0, 1\}^{2n}$ , a commitment $c \in \{0, 1\}^{5n}$ and a trapdoor $\tau \in \{0, 1\}^{n}$ , if $ck = H_{\mathsf {crs}}(\tau)$ then output a proof $\pi \leftarrow H_{\mathsf {prf}}(ck || x || c)$ , otherwise output $\bot$ .

Lemma 2:

${\mathsf {M}}$ is a CP-NIZK for ${\mathcal L}^{O}_{n}$ .

Remark 1:

Let ${Z}, {Z}' \in \mathcal {ZK}_{n}$ be oracles that constitute CP-NIZKs for some languages ${\mathcal L}$ and ${\mathcal L}'$ respectively. If ${Z}. \mathsf {Com}$ and ${Z}'. \mathsf {Com}$ are implemented by the same random injection, then we can construct an NIZK that proves witness equality (i.e., an NIZK for $(x, w) \in R_{\mathcal L} \land (x', w') \in R_{\mathcal L'} \land w=w'$ ).

Theorem 1:

Given a hard language ${\mathcal L}$ and a CP-NIZK for ${\mathcal L}$ , there is no fully black-box construction of a (standard) NIZK for ${\mathcal L}\vee \hat {\mathcal L}$ where $\hat {\mathcal L}$ is a hard language.

A. Soundness Game and the Adversary

• Step 1:

  The challenger chooses $\tilde {\tau }$ uniformly, computes a CRS $\tilde {\sigma } \leftarrow {\mathsf {M}}. \mathsf {Crs}(\tilde {\tau })$ and sends it to the adversary. Let $Q_{\mathsf {leg}}$ be a list of CRSs and their trapdoors such that $ck \leftarrow {O} (\mathsf {Crs}, \tau)$ appears during this step.

• Step 2:

  Given the CRS $\tilde {\sigma }$ , the adversary ${\mathcal{ A}}$ repeats the following $q^{c}$ times where $c$ is some constant: Sample $(x_{i}, w_{i}) \in R_{\mathcal L^{O}_{n}}$ and $(\hat {x}_{i}, \hat {w}_{i}) \in R_{\hat {\mathcal C}}$ uniformly, and obtain $\pi _{i} \leftarrow {\mathsf {M}}(\mathsf {Prv}, \tilde {\sigma }, x_{i}, \hat {x}_{i}, w_{i}, \hat {w}_{i})$ and $b = {\mathsf {M}}(\mathsf {Vrf}, \tilde {\sigma }, x_{i}, \hat {x}_{i}, \pi)$ .

  Let $Q_{\mathsf {triv}}$ be a set of $(ck, \tau)$ pairs such that a query $ck = {Z}(\mathsf {Crs}, \tau)$ or ${Z}(\mathsf {PrvSim}, ck, *, *, \tau, *) = \pi \neq \bot$ appears during this step. Roughly speaking, $Q_{\mathsf {triv}}$ is a set of pairs of a trapdoor and a CRS such that the adversary generates them in this phase or the pair is encoded in $\tilde {\sigma }$

• Step 3:

  ${\mathcal{ A}}$ chooses $w \in \{0, 1\}^{n}$ and $\hat {x} \in \hat {\mathcal C}$ uniformly and obtains $x = {O}(\mathsf {SmplNo}, w)$ and $x^{*} = {O}(\mathsf {SmplYes}, w)$ . The adversary defines new partial oracles ${O}'$ and ${Z}'$ based on the query answer pairs that she has learned. That is, the adversary applies the swapping technique to $x$ and $x^{*}$ in ${O}$ and ${Z}$ , respectively.

  • Partial Oracle ${O}'$

    A new oracle ${O}'$ is obtained by swapping $x$ and $x^{*}$ in ${O}$ . That is, ${O}'$ consists of entries ${O}'(\mathsf {SmplYes}, w; x)$ and ${O}(\mathsf {SmplNo}, w; x^{*})$ .

  • Partial Oracle ${Z}'$

    The new oracle ${Z}'$ contains the entries ${Z}'(\mathsf {Prv}, *, x, w, *; \bot)$ .

    Let $\tilde {x} = (x^{*}, \hat {x})$ and $\tilde {w} = (w, \bot)$ . The adversary evokes ${\mathsf {M}}^{O'', {Z}''}(\mathsf {Prv}, \tilde {\sigma }, \tilde {x}, \tilde {w})$ where ${O}''$ and ${Z}''$ are algorithms defined as follows:

  • Algorithm ${O}''$ : Algorithm ${O}''$ works as follows:

    • If ${O}''$ is given a query registered in ${O}'$ , then it returns the registered answer.

    • Otherwise, it forwards the query to ${O}$ and returns the answer.

  • Algorithm ${Z}''$ : Let $Q_{\mathsf {intl}}$ be an initially empty set. Algorithm ${Z}''$ works as follows (recall that the bracket notation $[x]$ means a value that matches any value, and we denote the value by $x$ thereafter):

    • For any query registered in ${Z}'$ , return the registered answer.

    • ${Z}''. \mathsf {Crs}$ : For any query of the form $(\mathsf {Crs}, [\tau])$ , return $ck = {Z}(\mathsf {Crs}, \tau)$ and record $(ck, \tau)$ in $Q_{\mathsf {intl}}$ .

    • ${Z}''. \mathsf {Prv}$ : For any query of the form $(\mathsf {Prv}, [ck], x^{*}, w, [r])$ with a legitimate CRS $ck$ , obtain $c = {Z}(\mathsf {Com}, ck, w, r)$ and do the following:

      • If there exists an entry $(ck, [\tau]) \in Q_{\mathsf {triv}} \cup Q_{\mathsf {intl}}$ , then return $\pi = {Z}(\mathsf {PrvSim}, ck, x^{*}, c, \tau)$ and record $(\mathsf {Prv}, ck, x^{*}, w, r; \pi)$ to ${Z}'$ .

      • If there is no entry such that $(ck, [\tau]) \in Q_{\mathsf {triv}} \cup Q_{\mathsf {intl}}$ , then choose $\pi \in \{0, 1\}^{10n}$ uniformly, return $\pi$ and record $(\mathsf {Prv}, ck, x^{*}, w, r; \pi)$ and $(\mathsf {Vrf}, ck, x^{*}, c, \pi; 1)$ to ${Z}'$ .

    • For every other query, forward it to ${Z}$ and return the answer.

    If ${\mathsf {M}}. \mathsf {Prv}$ outputs a proof $\tilde {\pi }$ , send $\tilde {x}$ and $\tilde {\pi }$ to the challenger.

• Step 4:

  Given $\tilde {x}$ and $\tilde {\pi }$ , the challenger outputs ${\mathsf {M}}(\mathsf {Vrf}, \tilde {\sigma }, \tilde {x}, \tilde {\pi })$ . If ${\mathsf {M}}(\mathsf {Vrf}, \tilde {\sigma }, \tilde {x}, \tilde {\pi }) = 1$ , then the adversary wins.

B. Evaluation

We first introduce the following lemma, which is useful for the analysis of the adversary.

We show that the challenger accepts the proof with noticeable probability by a hybrid argument. We start with the soundness game, and ultimately reach a situation where the challenger accepts the proof trivially. The first game, Game 0, is the soundness game itself. In the next four games, from ${\mathsf {Game}}$ 1 to ${\mathsf {Game}}$ 4, we exclude certain bad events that happen only by accident. Note that in these games, we sometimes let the soundness game abort (or halt) if these bad events happen. This means that the challenger outputs 0 and the adversary loses the soundness game. Then, we modify the game step by step, finally reaching a situation where the challenger trivially accepts the proof unless a completeness error occurs. Let $P$ be the probability that the challenger accepts the proof in the soundness game and $P_{i}$ be the same probability in Game $i$ .

• Game 0:

  This is the soundness game; thus, $P_{0} = P$ .

• Game 1:

  This game excludes the case where a legitimate value suddenly appears without its prior generation by ${O}$ or ${Z}$ . That is, we halt the game if one of the following events occurs:

  • A successful query that includes a legitimate CRS $ck$ is made but there is no entry $(ck, [\tau])$ in $Q_{\mathsf {leg}} \cup Q_{\mathsf {triv}} \cup Q_{\mathsf {intl}}$ .

  • A successful query that includes

    • $x \in {\mathcal L} ^{O}_{n}$ or $x \in {\mathcal C} ^{O}_{n}$

    • a legitimate commitment $c$

    • a legitimate proof $\pi$

    is made without their prior generation by the given oracles.

  Regarding the first case, the probability that a CRS without prior generation by ${Z}. \mathsf {Crs}$ is legitimate is bounded by $1/2^{n}$ , as $H_{\mathsf {crs}}$ is a random injection such that $H_{\mathsf {crs}}: \{0, 1\}^{n} \rightarrow \{0, 1\}^{2n}$ . Therefore, the probability that this query occurs can be evaluated if we take the union bound for the number of queries that are made during the soundness game. Recall that ${\mathsf {M}}$ makes at most $q$ queries in its execution. Thus, the number of queries made in Steps 1, 3 and 4 are at most $q$ respectively, since in these steps, only a single subroutine of ${\mathsf {M}}$ is executed once (we ignore the instance sampling queries by ${\mathcal{ A}}$ in Step 3 because they are obviously irrelevant to the query we are concerned with). In Step 2, $\mathsf {M}. \mathsf {Prv}$ and $\mathsf {M}. \mathsf {Vrf}$ are executed $q^{c}$ times. Thus, at most $2q \cdot q^{c}$ queries are made in this step (the instance sampling queries are ignored here as well). Since at most $3q + 2q^{c+1}$ queries are made in the game, the probability that the first case deviates is at most $(3q + 2q^{c+1})/2^{n}$ . The other cases can be evaluated in the same manner by considering the domains of $H_{\mathsf {smpl}}: \{0, 1\}^{n+1} \rightarrow \{0, 1\}^{2n}$ , $H_{\mathsf {com}}: \{0, 1\}^{4n} \rightarrow \{0, 1\}^{5n}$ and $H_{\mathsf {prf}}: \{0, 1\}^{9n} \rightarrow \{0, 1\}^{10n}$ . Thus, we have

  $$\begin{equation*}|P_{1} - P_{0}| \leq 5(3q + 2q^{c+1}) /2^{n}.\end{equation*}$$ View Source\begin{equation*}|P_{1} - P_{0}| \leq 5(3q + 2q^{c+1}) /2^{n}.\end{equation*}

• Game 2:

  We halt the game if a query including $w$ is made in Step 1 or 2. As $w$ is uniformly chosen by ${\mathcal{ A}}$ and $\mathsf {M}. \mathsf {Crs}$ makes at most $q$ queries in Step 1, the probability that a query on $w$ is made in Step 1 is at most $q/2^{n}$ . Recall that the adversary chooses $q^{c}$ witnesses and runs ${\mathsf {M}}. \mathsf {Prv}$ and ${\mathsf {M}}. \mathsf {Vrf}~q^{c}$ times in Step 2. As ${\mathsf {M}}$ makes at most $q$ queries, there are at most $q^{c} + 2q \cdot q^{c}$ chances to make a query on $w$ in Step 2. Thus, we have

  $$\begin{equation*}|P_{2} - P_{1}| \leq (q + q^{c} + 2q^{c+1})/2^{n},\end{equation*}$$ View Source\begin{equation*}|P_{2} - P_{1}| \leq (q + q^{c} + 2q^{c+1})/2^{n},\end{equation*} which is negligible.

• Game 3:

  We halt the game if the challenger observes $b = 0$ in Step 2. This excludes the case in which the challenger learns nothing in this step. Note that the challenger observes $b=0$ only when a completeness error occurs, as the challenger chooses values honestly in this step. As this step is executed $q^{c}$ times, we have

  $$\begin{equation*} |P_{3} - P_{2}| \leq q^{c} \cdot \rho _{\textsf {co}}.\end{equation*}$$ View Source\begin{equation*} |P_{3} - P_{2}| \leq q^{c} \cdot \rho _{\textsf {co}}.\end{equation*}

• Game 4:

  We abort the game if a randomly assigned proof $\pi$ by ${Z}''$ in Step 3 appears as a result of a query to ${Z}. \mathsf {Prv}$ or ${Z}. \mathsf {PrvSim}$ by the end of Step 3. Similar to ${\mathsf {Game}}$ 1, there are at most $2q + 2q^{c+1}$ queries that may occur in this event (note that here we do not consider the case where this event occurs in Step 4). As ${Z}. \mathsf {Prv}$ and ${Z}. \mathsf {PrvSim}$ are implemented by the random injection $H_{\mathsf {prf}}$ , the probability that such a $\pi$ is returned by ${Z}. \mathsf {Prv}$ or ${Z}. \mathsf {PrvSim}$ is at most $(2q + 2q^{c+1})/2^{n}$ . Furthermore, as there are at most $q$ randomly assigned proofs, we have

  $$\begin{equation*} |P_{4} - P_{3}| \leq q(2q + 2q^{c+1})/2^{n}\end{equation*}$$ View Source\begin{equation*} |P_{4} - P_{3}| \leq q(2q + 2q^{c+1})/2^{n}\end{equation*}

• Game 5:

  This game excludes the case where the adversary fails to learn all the trivial CRSs embedded in $\tilde {\sigma }$ in Step 2 and its trapdoor appears suddenly in Step 3. That is, the game halts if ${\mathsf {M}}. \mathsf {Prv}$ in Step 3 makes a query $(\mathsf {PrvSim}, [ck], x, [c], [\tau])$ that results in a proof $\pi \neq \bot$ while $(ck, \tau) \notin Q_{\mathsf {triv}} \cup Q_{\mathsf {intl}}$ .

  As such, the query results in a value other than $\bot$ , it implies that $\tau$ is the trapdoor of $ck$ . Furthermore, we exclude the case where a legitimate $ck$ appears without its generation by ${Z}$ in ${\mathsf {Game}}$ 1. Therefore, this is a case where a pair $(ck, \tau) \in Q_{\textsf {leg}}$ does not appear in Step 2 but appears in Step 3. For each such pair, the probability that it does not appear in Step 2 but appears in Step 3 for the first time is bounded by $1/(eq^{c})$ due to Lemma 3. As $\tilde {\sigma }$ contains at most $q$ such pairs, we have

  $$\begin{equation*} |P_{5} - P_{4}| \leq 1/(eq^{c-1}).\end{equation*}$$ View Source\begin{equation*} |P_{5} - P_{4}| \leq 1/(eq^{c-1}).\end{equation*}

• Game 6:

  Replace ${O}$ and ${Z}$ in Steps 1 and 2 with ${O}''$ and ${Z}''$ , which contain the partial oracles ${O}'$ and ${Z}'$ defined at the end of Step 3, respectively. Observe that the randomness chosen by the adversary is independent of the oracles and the randomness chosen by the challenger. Hence, modifying the game so that ${\mathcal{ A}}$ chooses its randomness at the beginning of the soundness game does not affect the distribution of the soundness game. The view changes only if a query that includes $x$ , $x^{*}$ or $w$ is made in Step 1 or Step 2, and we have already excluded such cases. Thus, we have $P_{6} = P_{5}$ .

• Game 7:

  Replace ${O}$ and ${Z}$ in Step 4 with ${O}''$ and ${Z}''$ , respectively. The view of the game changes if ${\mathsf {M}}. \mathsf {Vrf}$ makes one of the following queries in Step 4:

  • A query $(\mathsf {PrvSim}, [ck], x, [c], [\tau])$ that results in $\pi \neq \bot$ while $(ck, \tau) \notin Q_{\mathsf {triv}} \cup Q_{\mathsf {intl}}$ and there already exists an entry $(\mathsf {Prv}, ck, x, w, r; \pi ' \neq \bot)$ in ${Z}'$ such that $c = {O}(\mathsf {Com}, ck, w, r)$ and $\pi \neq \pi '$ .

  • A query that is registered in ${O}'$ or ${Z}'$ .

Let us elaborate the first query. The proof $\pi '$ is randomly assigned by the adversary in Step 3 to $(ck, \tau) \notin Q_{\mathsf {triv}} \cup Q_{\mathsf {intl}}$ , but the entry $(\mathsf {Prv}, ck, x, w, r; \pi ')$ is in ${Z}'$ . Recall that we have already excluded the case where a legitimate CRS suddenly appears without prior generation by ${O}. \mathsf {Crs}$ in ${\mathsf {Game}}$ 1. Hence, if ${\mathsf {M}}. \mathsf {Vrf}$ makes such a query, it means that the adversary failed to learn a pair of a CRS and its trapdoor in Step 2 and such a pair appears in Step 4. Applying the same discussion as in ${\mathsf {Game}}$ 5, we obtain that such a query is made with probability at most $1/(eq^{c-1})$ .

Observe that the second query is classified into two cases:

• A query that contains $w$ , i.e., $(\mathsf {SmplYes}, w)$ , $(\mathsf {SmplNo}, w)$ and $(\mathsf {Prv}, [ck], x, w, [r])$

• A query to ${Z}. \mathsf {Vrf}$ that verifies a randomly assigned proof by ${Z}''$ in Step 3.

We define two events regarding these queries and show that they are made with small probability. Let ${\mathsf {AskW}}$ be an event in which ${\mathsf {M}}. \mathsf {Vrf}$ makes a query on $w$ in Step 4, and let ${\mathsf {VerRand}}$ be an event in which ${\mathsf {M}}. \mathsf {Vrf}$ in Step 4 makes a query to ${Z}. \mathsf {Vrf}$ that includes a randomly assigned proof generated by ${Z}''$ . By ${\mathsf {AskW}}^{i}$ (resp., ${\mathsf {VerRand}}^{i}$ ), we denote an event in which ${\mathsf {AskW}}$ (resp., ${\mathsf {VerRand}}$ ) occurs in game $i$ . We claim the following two statements:

Claim 2:

$\mathrm {Pr}[\textsf {VerPi}^{7}] \leq 1/(eq^{c-1}) + q/2^{n} + 2\rho _{\textsf {zk}} + \rho _{\textsf {ind}} + \hat {\rho }_{\textsf {ind}}$ .

The proofs of these claims appear after the proof of Theorem 1. Therefore, we obtain

$$\begin{align*} |P_{7} - P_{6}|\leq&1/(eq^{c-1}) + \mathrm {Pr}[\textsf {AskW}] + \mathtt {Pr}[\textsf {VerPi}] \\\leq&1/(eq^{c-1}) + 2q/2^{n} + 3\rho _{\textsf {zk}} + \rho _{\textsf {ind}} + \hat {\rho }_{\textsf {ind}}.\end{align*}$$ View Source\begin{align*} |P_{7} - P_{6}|\leq&1/(eq^{c-1}) + \mathrm {Pr}[\textsf {AskW}] + \mathtt {Pr}[\textsf {VerPi}] \\\leq&1/(eq^{c-1}) + 2q/2^{n} + 3\rho _{\textsf {zk}} + \rho _{\textsf {ind}} + \hat {\rho }_{\textsf {ind}}.\end{align*}

• Game 8:

  Let $\textsf {R}_{\mathsf {o}}$ and $\textsf {R}_{\mathsf {zk}}$ be uniformly chosen partial oracles such that ${O}' || \textsf {R}_{\mathsf {o}} \in \mathcal {O}_{n}$ and ${Z}' || \textsf {R}_{\mathsf {zk}} \in \mathcal {Z}_{n}$ . Replace ${O}''$ and ${Z}''$ with ${O}' || \textsf {R}_{\mathsf {o}}$ and ${Z}' || \textsf {R}_{\mathsf {zk}}$ respectively. Such oracles must exist since both ${O}$ and ${Z}$ are implemented by random injections.

Recall that in ${\mathsf {Game}}$ 7, oracles ${O}'' = {O}' || {O}$ and ${Z}'' = {Z}' || {Z}$ are given. Furthermore, we have already excluded the case where $\textsf {M}. \mathsf {Vrf}$ in Step 4 makes queries that are inconsistent with ${O}'$ and ${Z}'$ in ${\mathsf {Game}}$ 7. Therefore, replacing ${O}$ and ${Z}$ with $\textsf {R}_{\textsf {o}}$ and $\textsf {R}_{\textsf {zk}}$ does not change the view in Step 4. Thus, we have $P_{8} = P_{7}$ .

Observe that now a proof generated by $\textsf {M}. \mathsf {Prv}$ is a correct proof on $(x, \hat {x})$ . Therefore, $\textsf {M}. \mathsf {Vrf}$ should accept such a proof unless a completeness error occurs. Hence,

$$\begin{equation*} P_{8} \geq 1 - \rho _{\textsf {co}}.\end{equation*}$$ View Source\begin{equation*} P_{8} \geq 1 - \rho _{\textsf {co}}.\end{equation*}

Summarizing the above evaluations, we have

$$\begin{align*}& P \geq 1 - (17q + 2q^{2} + q^{c} + 12q^{c+1} + 2q^{c+2})/2^{n} \\& \qquad \qquad \,\,\,\, { -\, 2/(eq^{c-1}) - (1 + q^{c})\rho _{\textsf {co}} - 3\rho _{\textsf {zk}} - \rho _{\textsf {ind}} - \hat {\rho }_{\textsf {ind}},}\end{align*}$$ View Source\begin{align*}& P \geq 1 - (17q + 2q^{2} + q^{c} + 12q^{c+1} + 2q^{c+2})/2^{n} \\& \qquad \qquad \,\,\,\, { -\, 2/(eq^{c-1}) - (1 + q^{c})\rho _{\textsf {co}} - 3\rho _{\textsf {zk}} - \rho _{\textsf {ind}} - \hat {\rho }_{\textsf {ind}},}\end{align*} which concludes Theorem 1.

Claim 3:

$\mathrm {Pr}[{\mathsf {AskW}}^{7.2}] - \mathrm {Pr}[{\mathsf {AskW}}^{7.3}] \leq \rho _{\mathsf {zk}}$ .

Proof ofClaim 3:

We construct a stateful PPT adversary $\mathcal {B} = (\mathcal {B}_{0}, \mathcal {B}_{1})$ that attacks the zero-knowledgeness of ${\mathsf {M}}$ , assuming that $\mathrm {Pr}[{\mathsf {AskW}}^{7.2}] - \mathrm {Pr}[{\mathsf {AskW}}^{7.3}] > \rho _{\mathsf {zk}}$ . Such an adversary contradicts the assumption that ${\mathsf {M}}$ is zero-knowledge, thus justifying the claim. The adversary works in the (standard) zero-knowledge game with a challenger as follows:

• $\mathcal {B}_{0}$ :

  Given a CRS $\tilde {\sigma }$ , sample $w \leftarrow \{0, 1\}^{n}$ and $\hat {x} \in \hat {\mathcal {C}}$ and obtain $x^{*} = {O}(\mathsf {SmplYes}, w)$ . Set $\tilde {x} = (x^{*}, \hat {x})$ and $\tilde {w} = (w, \bot)$ and output $(\tilde {x}, \tilde {w})$ . Note that $(\tilde {x}, \tilde {w})$ is chosen in the same way as for the challenger of ${\mathsf {Game}}$ 7.2 and ${\mathsf {Game}}$ 7.3.

• $\mathcal {B}_{1}$ :

  Given a proof $\tilde {\pi }$ , run $\textsf {M}(\mathsf {Vrf}, \tilde {\sigma }, \tilde {x}, \tilde {\pi })$ . If $\mathcal {B}_{1}$ observes a query that includes $w$ during the execution of $\textsf {M}. \mathsf {Vrf}$ (i.e., ${\mathsf {AskW}}$ occurs), output $b' = 1$ , otherwise $b' = 0$ .

We denote by $b = 1$ (resp., $b = 0$ ) the situation where the challenger works with $\textsf {M}. \mathsf {Crs}$ and $\textsf {M}. \mathsf {Prv}$ (resp., $\textsf {M}. \mathsf {CrsSim}$ and $\textsf {M}. \mathsf {PrvSim}$ ). Observe that the distribution of $(\tilde {\sigma }, \tilde {x}, \tilde {\pi })$ in $\mathcal {B}_{1}$ is the same as that given to $\textsf {M}. \mathsf {Vrf}$ in Step 4 in ${\mathsf {Game}}$ 7.2 (resp., ${\mathsf {Game}}$ 7.3) if $b=1$ (resp., $b=0$ ). Thus, we obtain that

$$\begin{align*} \mathrm {Pr}[b'=1 | b=1]=&\mathrm {Pr}[\textsf {AskW}^{7.2}],\\ \mathrm {Pr}[b'=1 | b=0]=&\mathrm {Pr}[\textsf {AskW}^{7.3}].\end{align*}$$ View Source\begin{align*} \mathrm {Pr}[b'=1 | b=1]=&\mathrm {Pr}[\textsf {AskW}^{7.2}],\\ \mathrm {Pr}[b'=1 | b=0]=&\mathrm {Pr}[\textsf {AskW}^{7.3}].\end{align*} Considering the definition of $\mathtt {AdvZK}_{\mathcal {B}, \textsf {M}, {\mathcal L}^{O} \vee \hat {\mathcal L}}$ , we obtain the following formula: $$\begin{align*} \mathtt {AdvZK}_{\mathcal {B}, \textsf {M}, {\mathcal L}^{O}\vee \hat {\mathcal L}}=&\mathrm {Pr}[b' = 1| b = 1] - \mathrm {Pr}[b' = 1| b = 0]\\=&\mathrm {Pr}[\textsf {AskW}^{7.2}] - \mathrm {Pr}[\textsf {AskW}^{7.3}] > \rho _{\mathsf {zk}}\end{align*}$$ View Source\begin{align*} \mathtt {AdvZK}_{\mathcal {B}, \textsf {M}, {\mathcal L}^{O}\vee \hat {\mathcal L}}=&\mathrm {Pr}[b' = 1| b = 1] - \mathrm {Pr}[b' = 1| b = 0]\\=&\mathrm {Pr}[\textsf {AskW}^{7.2}] - \mathrm {Pr}[\textsf {AskW}^{7.3}] > \rho _{\mathsf {zk}}\end{align*} which contradicts the assumption that ${\mathsf {M}}$ is zero-knowledge. Thus, we obtain $\mathrm {Pr}[{\mathsf {AskW}}^{7.2}] - \mathrm {Pr}[{\mathsf {AskW}}^{7.3}] \leq \rho _{\mathsf {zk}}$ .

Now we show that $\mathrm {Pr}[\textsf {AskW}^{7.3}] \leq q/2^{n}$ . As a proof generated by ${\mathsf {M}}. \mathsf {PrvSim}$ is independent of $w$ , the verifier makes a query on $w$ only by chance. As ${\mathsf {M}}. \mathsf {Vrf}$ makes at most $q$ queries, $\mathrm {Pr}[\textsf {AskW}^{7.3}] \leq q/2^{n}$ . Summarizing the above, we have

View Source\begin{align*} \mathrm {Pr}[\textsf {AskW}^{7.0}]=&\mathrm {Pr}[\textsf {AskW}^{7.1}] = \mathrm {Pr}[\textsf {AskW}^{7.2}] \\\leq&\rho _{\mathsf {zk}} + \mathrm {Pr}[\textsf {AskW}^{7.3}] \leq \rho _{\mathsf {zk}} + q/2^{n}.\end{align*}

We introduce an alternative event ${\mathsf {VerCrs}}$ and show that $\mathrm {Pr}[\textsf {AskW}] \leq \mathrm {Pr}[\textsf {VerCrs}] + 1/(eq^{c-1})$ . Observe that a proof is randomly assigned only when a query that contains a CRS $ck$ such that $(ck, [\tau]) \notin Q_{\mathsf {triv}} \cup Q_{\mathsf {intl}}$ is made in Step 3. Hence, whenever ${\mathsf {VerPi}}$ occurs, such a CRS is queried by $\textsf {M}. \mathsf {Vrf}$ . As we have already excluded the case where a legitimate CRS suddenly appears without its prior generation by given oracle in ${\mathsf {Game}}$ 1, the appearance of such a CRS in Step 4 is due to one of the following:

• $ck$ is trivial but the adversary failed to learn $(ck, \tau)$ in Step 2

• $ck$ is nontrivial.

• Game $7.1'$ (The Same as Game 7.1):

  Replace ${O}''$ and ${Z}''$ with ${O}' || \textsf {R}_{\mathsf {o}}$ and ${Z}' || \textsf {R}_{\mathsf {zk}}$ respectively. Similar to ${\mathsf {Game}}$ 7.1, we have $\mathrm {Pr}[\textsf {VerCrs}^{7.1}] = \mathrm {Pr}[\textsf {VerCrs}^{7.0}]$ .

• Game $7.2'$ (The Same as Game 7.2):

  Replace ${O}' || \textsf {R}_{\mathsf {o}}$ and ${Z}' || \textsf {R}_{\mathsf {zk}}$ with ${O}\leftarrow \mathcal {O}_{n}$ and ${Z}\leftarrow \mathcal {Z}_{n}$ . Furthermore, let the adversary run $\textsf {M}^{O, {Z}}. \mathsf {Prv}$ on a correct instance, i.e., on $(x^{*}, \hat {x})$ . Since the same discussion as in ${\mathsf {Game}}$ 7.2 can be applied, we have $\mathrm {Pr}[\textsf {VerCrs}^{7.2}] = \mathrm {Pr}[\textsf {VerCrs}^{7.1}]$ .

• Game $7.3'$ (The Same as Game 7.3):

  Replace ${\mathsf {M}}. \mathsf {Crs}$ in Step 1 and ${\mathsf {M}}. \mathsf {Prv}$ in Step 3 with ${\mathsf {M}}. \mathsf {CrsSim}$ and ${\mathsf {M}}. \mathsf {PrvSim}$ respectively. Furthermore, let the challenger pass the trapdoor generated by ${\mathsf {M}}. \mathsf {CrsSim}$ to the adversary. We claim the following:

Claim 4:

$\mathrm {Pr}[\textsf {VerCrs}^{7.2'}] - \mathrm {Pr}[\textsf {VerCrs}^{7.3'}] \leq \rho _{\textsf {zk}}$ .

Proof ofClaim 4:

We first construct a zero-knowledge adversary $\mathcal {B}' = (\mathcal {B}'_{0}, \mathcal {B}'_{1})$ as follows:

• $\mathcal {B}'_{0}$ :

  Given a CRS $\tilde {\sigma }$ , execute Step 2 in the soundness game. Then, choose $w \in \{0, 1\}^{n}$ and $\hat {x} \in \hat {\mathcal {C}}$ uniformly and obtain $x^{*} = {O}(\mathsf {SmplYes}, w)$ . Set $\tilde {x} = (x^{*}, \hat {x})$ and $\tilde {w} = (w, \bot)$ and output $(\tilde {x}, \tilde {w})$ .

• $\mathcal {B}'_{1}$ :

  Given a proof $\tilde {\pi }$ , run $\textsf {M}(\mathsf {Vrf}, \tilde {\sigma }, \tilde {x}, \tilde {\pi })$ . Output $b'=1$ if $\mathcal {B}'_{1}$ observes ${\mathsf {VerCrs}}$ , otherwise output $b' = 0$ .

Similar to ${\mathsf {Game}}$ 7.3, we denote by $b = 1$ (resp., $b = 0$ ) the situation where the challenger runs $\textsf {M}. \mathsf {Crs}$ and $\textsf {M}. \mathsf {Prv}$ (resp., $\textsf {M}. \mathsf {CrsSim}$ and $\textsf {M}. \mathsf {PrvSim}$ ). Then, we obtain $$\begin{align*} \mathrm {Pr}[b'=1 | b=1]=&\mathrm {Pr}[\textsf {VerCrs}^{7.2'}],\\ \mathrm {Pr}[b'=1 | b=0]=&\mathrm {Pr}[\textsf {VerCrs}^{7.3'}].\end{align*}$$ View Source\begin{align*} \mathrm {Pr}[b'=1 | b=1]=&\mathrm {Pr}[\textsf {VerCrs}^{7.2'}],\\ \mathrm {Pr}[b'=1 | b=0]=&\mathrm {Pr}[\textsf {VerCrs}^{7.3'}].\end{align*} Considering the definition of $\mathtt {AdvZK}_{\mathcal {B}', \textsf {M}, {\mathcal L}^{O} \vee \hat {\mathcal L}}$ , we obtain the following formula: $$\begin{align*} \mathtt {AdvZK}_{\mathcal {B}', \textsf {M}, {\mathcal L}^{O}\vee \hat {\mathcal L}}=&\mathrm {Pr}[b' = 1| b = 1] - \mathrm {Pr}[b' = 1| b = 0]\\=&\mathrm {Pr}[\textsf {VerCrs}^{7.2'}] - \mathrm {Pr}[\textsf {VerCrs}^{7.3'}].\end{align*}$$ View Source\begin{align*} \mathtt {AdvZK}_{\mathcal {B}', \textsf {M}, {\mathcal L}^{O}\vee \hat {\mathcal L}}=&\mathrm {Pr}[b' = 1| b = 1] - \mathrm {Pr}[b' = 1| b = 0]\\=&\mathrm {Pr}[\textsf {VerCrs}^{7.2'}] - \mathrm {Pr}[\textsf {VerCrs}^{7.3'}].\end{align*} Therefore, it contradicts the zero-knowledgeness of ${\mathsf {M}}$ if $\mathrm {Pr}[\textsf {VerCrs}^{7.2'}] - \mathrm {Pr}[\textsf {VerCrs}^{7.3'}] > \rho _{ \textsf {zk}}$ , which justifies Claim 4.

• Game $7.4'$ :

  Modify the adversary so that it chooses $(\hat {x}, \hat {w}) \in R_{\hat {\mathcal L}}$ instead of $\hat {x} \in \hat {\mathcal C}$ in Step 2 (i.e., ${\mathcal{ A}}$ samples an (yes, yes)-instance). Note that since ${\mathcal{ A}}$ runs $\textsf {M}. \mathsf {PrvSim}$ , $\hat {w}$ is not given to $\textsf {M}. \mathsf {PrvSim}$ .

  Recall that $\hat {\mathcal L}$ is a hard language, along with $\hat {\mathcal C}$ . Thus, if $|\mathrm {Pr}[\textsf {VerCrs}^{7.4'}] - \mathrm {Pr}[\textsf {VerCrs}^{7.3'}]| > \hat {\rho }_{\textsf {ind}}$ , it contradicts the instance indistinguishability of $\hat {\mathcal L}$ , yielding $|\mathrm {Pr}[\textsf {VerCrs}^{7.4'}] - \mathrm {Pr}[\textsf {VerCrs}^{7.3'}]| \leq \hat {\rho }_{\textsf {ind}}$ .

• Game $7.5'$ :

  Modify the adversary so that it chooses $(x^{*}, w) \in R_{\mathcal C}$ instead of $(x^{*}, w) \in R_{\mathcal L}$ (i.e., ${\mathcal{ A}}$ samples a (no, yes)-instance). Similar to ${\mathsf {Game}} ~7.4'$ , we obtain $|\mathrm {Pr}[\textsf {VerCrs}^{7.5'}] - \mathrm {Pr}[\textsf {VerCrs}^{7.4'}]| \leq \rho _{\textsf {ind}}$ .

• Game $7.6'$ :

  Replace $\textsf {M}. \mathsf {CrsSim}$ and $\textsf {M}. \mathsf {PrvSim}$ with $\textsf {M}. \mathsf {Crs}$ and $\textsf {M}. \mathsf {Prv}$ , respectively. Note that as ${\mathcal{ A}}$ samples a (no, yes)-instance, the adversary runs $\textsf {M}. \mathsf {Prv}$ on $\tilde {x} = (x^{*}, \hat {x})$ and $\tilde {w} = (\bot, \hat {w})$ . Since the same discussion as in ${\mathsf {Game}} ~7.3'$ can be applied, we have $\mathrm {Pr}[\textsf {VerCrs}^{7.5'}] - \mathrm {Pr}[\textsf {VerCrs}^{7.6'}] \leq \rho _{\textsf {zk}}$ .

As $\textsf {M}. \mathsf {Prv}$ runs on a (no, yes)-instance, there is little chance that $\textsf {VerCrs}$ will occur. That is, the probability of a query $(\mathsf {Prv}, [ck], x^{*}, w, [r])$ having a legitimate CRS $ck \in Q_{\textsf {nt}}$ is bounded by $q/2^{n}$ , as ${O}. \mathsf {SmplNo}$ is implemented by a random injection and $\mathsf {M}. \mathsf {Prv}$ is not given $w$ . Therefore, $\mathrm {Pr}[\textsf {VerCrs}^{7.6'}] \leq q/2^{n}$ .

To sum up the above, we have

View Source\begin{align*} \mathrm {Pr}[\textsf {VerCrs}^{7.0'}]=&\mathrm {Pr}[\textsf {VerCrs}^{7.1'}] = \mathrm {Pr}[\textsf {VerCrs}^{7.2'}] \\\leq&\mathrm {Pr}[\textsf {VerCrs}^{7.3'}] + \rho _{\textsf {zk}} \leq \mathrm {Pr}[\textsf {VerCrs}^{7.4'}] \\&+\, \rho _{\textsf {zk}} + \hat {\rho }_{\textsf {ind}}\\\leq&\mathrm {Pr}[\textsf {VerCrs}^{7.5'}] + \rho _{\textsf {zk}} + \rho _{\textsf {ind}} + \hat {\rho }_{\textsf {ind}} \\\leq&\mathrm {Pr}[\textsf {VerCrs}^{7.6'}] + 2\rho _{\textsf {zk}} + \rho _{\textsf {ind}} + \hat {\rho }_{\textsf {ind}} \\\leq&q/2^{n} + 2\rho _{\textsf {zk}} + \rho _{\textsf {ind}} + \hat {\rho }_{\textsf {ind}}.\end{align*}

$$\begin{equation*} \mathrm {Pr}[\textsf {VerPi}^{7}] \leq 1/(eq^{c-1}) + q/2^{n} + 2\rho _{\textsf {zk}} + \rho _{\textsf {ind}} + \hat {\rho }_{\textsf {ind}}.\end{equation*}$$ View Source\begin{equation*} \mathrm {Pr}[\textsf {VerPi}^{7}] \leq 1/(eq^{c-1}) + q/2^{n} + 2\rho _{\textsf {zk}} + \rho _{\textsf {ind}} + \hat {\rho }_{\textsf {ind}}.\end{equation*}