Abstract
We consider the problem of proving in zero knowledge that an element of a public set satisfies a given property without disclosing the element, i.e., for some u, “\(u \in S\) and P(u) holds”. This problem arises in many applications (anonymous cryptocurrencies, credentials or whitelists) where, for privacy or anonymity reasons, it is crucial to hide certain data while ensuring properties of such data. We design new modular and efficient constructions for this problem through new commit-and-prove zero-knowledge systems for set membership, i.e. schemes proving \(u \in S\) for a value u that is in a public commitment \(c_u\). We also extend our results to support non-membership proofs, i.e. proving \(u \notin S\). Being commit-and-prove, our solutions can act as plug-and-play modules in statements of the form “\(u \in S\) and P(u) holds” by combining our set (non-)membership systems with any other commit-and-prove scheme for P(u). Also, they work with Pedersen commitments over prime order groups which makes them compatible with popular systems such as Bulletproofs or Groth16. We implemented our schemes as a software library, and tested experimentally their performance. Compared to previous work that achieves similar properties—the clever techniques combining zkSNARKs and Merkle Trees in Zcash—our solutions offer more flexibility, shorter public parameters and \(3.7 \times \)–\(30\times \) faster proving time for a set of size \(2^{64}\).
1 Introduction
The problem of proving set membership—that a given element x belongs to some set S—arises in many applications, including governmental whitelists to prevent terrorism or money laundering, voting and anonymous credentials, among others. More recently, this problem also appears at the heart of currency transfer and identity systems over blockchains. In this setting, parties can first publicly commit to sets of data (through the blockchain itself) and then, by proving set membership, can claim ownership of assets or existence of identity attributes, while ensuring privacy.
A naive approach to check if an element is in a set is to go through all its entries. The complexity of this approach, however, is unacceptable in many scenarios. This is especially true for blockchains, where most of the parties (the verifiers) should run quickly.
How to efficiently verify set membership then? Cryptographic accumulators [6] provide a nice solution to this problem. They allow a set of elements to be compressed into a short value (the accumulator) and to generate membership proofs that are short and fast to verify. As a security guarantee they require that it be computationally infeasible to generate a false membership proof.
As of today, we can divide constructions for accumulators into three main categories: Merkle Trees [55]; RSA-based [2, 11, 16, 50]; pairing-based [17, 32, 57, 78]. Approaches based on Merkle Trees^{Footnote 1} allow for short (i.e., O(1)) public parameters and accumulator values, whereas the witness for membership proofs is of size \(\log (n)\), where n is the size of the set. In RSA-based constructions (which can actually be generalized to any group of unknown order [48], including class groups) both the accumulator and the witness are each a single element in a relatively large hidden-order group \(\mathbb {G}\),^{Footnote 2} and thus of constant size. Schemes that use pairings in elliptic curves such as [17, 57] offer small accumulators and small witnesses (which can each be a single element of a prime order bilinear group, e.g., 256 bits) but require large parameters (approximately O(n)) and a trusted setup.
In anonymous cryptocurrencies, e.g. Zerocash [5] (but also in other applications such as Anonymous Credentials [22] and whitelists), we also require privacy. That is, parties in the system would not want to disclose which element in the set is being used to prove membership. Phrased differently, one desires to prove that \(u \in S\) without revealing u, or: the proof should be zero-knowledge [45] for u. As an example, in Zerocash users want to prove that a coin exists (i.e. belongs to the set of previously sent coins) without revealing which coin it is that they are spending.
In practice it is common that this privacy requirement goes beyond proving membership. In fact, these applications often require proving further properties about the accumulated elements, e.g., that for some element u in the set, property P(u) holds. And this without leaking any more information about u other than what is entailed by P. In other words, we desire zero-knowledge for the statement \(R^*(S, u) :=``u \in S \text { and } P(u)"\).
One way to solve the problem, as done in Zerocash, is to directly apply general-purpose zero-knowledge proofs for \(R^*\), e.g., [46, 61]. This approach, however, tends to be expensive and ad-hoc. One of the questions we aim to tackle is that of providing a more efficient proof system for set membership relations that can also be modular.
Specifically, as observed in [18], the design of practical proof systems can benefit from a more modular vision. A modular framework such as the one in [18] not only allows for separation of concerns, but also increases reusability and compatibility in a plug-and-play fashion: the same proof system is designed once and can be reused for the same sub-problem regardless of the context^{Footnote 3}; it can be replaced with a component for the same sub-problem at any time. Also, as [18] shows, this can have a positive impact on efficiency since designing a special-purpose proof system for a specific relation can lead to significant optimizations. Finally, this compositional approach can also be leveraged to build general-purpose proof systems.
In this work we focus on applying this modular vision to designing succinct zero-knowledge proofs for set membership. Following the abstract framework in [18] we investigate how to apply commit-and-prove techniques [20] to our setting. Our approach uses commitments for composability as follows. Consider an efficient zero-knowledge proof system \(\Pi \) for property P(u). Let us also assume it is commit-and-prove, i.e. the verifier can test P(u) by simply holding a commitment \(c(u)\) to u. Such a \(\Pi \) could be for example a commit-and-prove NIZK such as Bulletproofs [13] or a commit-and-prove zkSNARK such as LegoGroth16 from [18], both of which are able to operate on Pedersen commitments \(c(\cdot )\) over elliptic curves. In order to obtain a proof gadget for set membership, all one needs to design is a commit-and-prove scheme for the relation “\(u \in S\)” where both u and S are committed: u through \(c(u)\) and S through some other commitment for sets, such as an accumulator.
Our main contribution is to propose a formalization of this approach and new constructions of succinct zero-knowledge commit-and-prove systems for set membership. In addition, as we detail later, we also extend our results to capture proofs of non-membership, i.e., to show that \(u \notin S\). For our constructions we focus on designing schemes where \(c(u)\) is a Pedersen commitment in a prime order group \(\mathbb {G}_{q}\). We focus on linking through Pedersen commitments as these can be (re)used in some of the best state-of-the-art zero-knowledge proof systems for general-purpose relations, which offer for example the shortest proofs and verification time (see, e.g., [46] and its efficient commit-and-prove variant [18]), or transparent setup and logarithmic-size proofs [13].
Before describing our results in more detail, we review existing solutions and approaches to realize commit-and-prove zkSNARKs for set membership.
1.1 Existing approaches for proving set membership for Pedersen commitments
The accumulator of Nguyen [57], by the simple fact of having a succinct pairing-based verification equation, can be combined with standard zero-knowledge proof techniques (e.g., Sigma protocols or the celebrated Groth–Sahai proofs [47]) to achieve a succinct system with reasonable proving and verification time. The main drawbacks of using [57], however, are the large public parameters (i.e. as many prime-order group elements as there are elements in the set) and the high cost of updating the accumulator when elements are added to or removed from the set (essentially requiring the accumulator to be recomputed from scratch).
By using general-purpose zkSNARKs one can obtain a solution with constant-size proofs based on Merkle Trees: prove that there exists a valid path which connects a given leaf to the root; this requires proving correctness of about \(\log n\) hash function computations (e.g., SHA-256). This solution yields a constant-size proof and requires \(\log n\)-size public parameters if one uses preprocessing zkSNARKs such as [46, 61]. On the other hand, often when proving a relation such as \(R^*(S, u) :=``u \in S \text { and } P(u)''\) the bulk of the work stems from the set membership proof. This is the case in Zcash or Filecoin^{Footnote 4} where the predicate \(P(\cdot )\) is sufficiently small.
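To make concrete what the Merkle-tree approach asks the zkSNARK to prove, here is an added example (not code from the paper, from Zcash or from Filecoin) of a SHA-256 Merkle tree with membership paths. The witness is the list of \(\log_2 n\) sibling hashes, and verification recomputes exactly \(\log_2 n\) hashes; that verification loop is the circuit the SNARK would have to express. Sent in the clear, the path and index reveal which leaf is used, which is why the zero-knowledge layer is needed. The leaf/node prefixes are an assumed domain-separation convention, not a specification.

```python
"""Added example: SHA-256 Merkle tree with log2(n)-size membership witnesses."""
import hashlib
from typing import List

LEAF_PREFIX, NODE_PREFIX = b"\x00", b"\x01"  # assumed convention, see below


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_leaf(value: bytes) -> bytes:
    # Leaves and internal nodes are hashed with different prefixes so that an
    # internal node can never be passed off as a leaf (the classic
    # second-preimage weakness of unprefixed Merkle trees).
    return sha256(LEAF_PREFIX + value)


def hash_node(left: bytes, right: bytes) -> bytes:
    return sha256(NODE_PREFIX + left + right)


def build_tree(values: List[bytes]) -> List[List[bytes]]:
    """All levels bottom-up: levels[0] are leaf hashes, levels[-1] == [root].
    The leaf count is padded to a power of two with the hash of an empty leaf."""
    level = [hash_leaf(v) for v in values]
    while len(level) & (len(level) - 1):  # not yet a power of two
        level.append(hash_leaf(b""))
    levels = [level]
    while len(level) > 1:
        level = [hash_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(levels: List[List[bytes]]) -> bytes:
    return levels[-1][0]


def membership_path(levels: List[List[bytes]], index: int) -> List[bytes]:
    """Witness for leaf `index`: one sibling hash per level, log2(n) entries in total.
    In the zkSNARK approach this path (and the index) is the prover's private witness."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])  # sibling of the current node
        index //= 2
    return path


def verify_membership(root: bytes, value: bytes, index: int, path: List[bytes]) -> bool:
    """Recompute the root from the leaf. Each iteration is one SHA-256 compression;
    this loop, with `value`, `index` and `path` as private inputs, is the relation
    a Merkle-tree-based zkSNARK proves."""
    node = hash_leaf(value)
    for sibling in path:
        node = hash_node(sibling, node) if index & 1 else hash_node(node, sibling)
        index >>= 1
    return node == root


def demo() -> dict:
    # constructed sample set: six "coins"; the tree is padded to eight leaves
    coins = [b"coin-%d" % i for i in range(6)]
    levels = build_tree(coins)
    root = merkle_root(levels)
    path = membership_path(levels, 5)
    return {
        "depth": len(path),
        "member": verify_membership(root, b"coin-5", 5, path),
        "wrong_value": verify_membership(root, b"coin-4", 5, path),
        "wrong_index": verify_membership(root, b"coin-5", 4, path),
    }
```

The two negative checks in `demo` show that the path binds both the leaf value and its position: reusing a valid path with a different leaf or a different index fails verification.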
Finally, another solution that admits constant-size public parameters and proofs is the protocol of [16]. Specifically, Camenisch and Lysyanskaya showed how to prove in zero-knowledge that an element \(u\) committed in a Pedersen commitment over a prime order group \(\mathbb {G}_{q}\) is a member of an RSA accumulator. In principle this solution would fit the criteria of the gadget we are looking for. Nonetheless, its concrete instantiations show a few limitations in terms of efficiency and flexibility. The main problem is that, for its security to hold, both the prime order group (the commitment space) and the primes (the message space) need to be quite large, for example^{Footnote 5} \(q > 2^{519}\). Having such a large prime order group may be undesirable in practice for efficiency reasons, since \(\mathbb {G}_{q}\) is also the group in which the other proof systems that must interact with, and be linked to, the Pedersen commitment are instantiated.
1.2 Our contributions
We investigate the problem of designing commit-and-prove zero-knowledge systems for set membership and non-membership that can be used in a modular way and efficiently composed with other zero-knowledge proof systems for potentially arbitrary relations. Our main results are the following.
First, building upon the view of recent works on composable proofs [1, 18], we define a formal framework for commit-and-prove zkSNARKs (CP-SNARKs) for set (non-)membership. The main application of this framework is a compiler that, given a CP-SNARK \(\textsf {CP}_{\textsf{mem}}\) for set membership and any other CP-SNARK \(\textsf {CP}_{R}\) for a relation R, yields a CP-SNARK \(\textsf {CP}\) for the composed relation “\(u\in S \wedge \exists \omega : R(u, \omega )\)”. As a further technical contribution, our framework extends the one in [18] in order to work with commitments from multiple schemes (including set commitments, e.g., accumulators).
Second, we propose new efficient constructions of CP-SNARKs for set membership and non-membership, in which elements of the accumulated set can be committed with a Pedersen commitment in a prime order group \(\mathbb {G}_{q}\)—a setting that, as argued before, is of practical relevance due to the widespread use of these commitments and of proof systems that operate on them. In more detail, we propose: four schemes (two for set membership and two for non-membership) that enjoy constant-size public parameters and are based on RSA accumulators for committing to sets, and a scheme over pairings that has public parameters linear in the size of the set, but where the set can remain hidden.
Finally, we implement our solutions in a software library and experimentally evaluate their performance.
Like the recent works [1, 18], our work can be seen as showing yet another setting—set membership—where the efficiency of SNARKs can benefit from a modular design.
1.3 RSA-based constructions
Our first scheme, a CP-SNARK for set membership based on RSA accumulators, supports a large domain for the set of accumulated elements, represented by binary strings of a given length \(\eta \). Our second scheme, also based on RSA accumulators, supports elements that are prime numbers of exactly \(\mu \) bits (for a given \(\mu \)). Neither scheme requires an a-priori bound on the cardinality of the set. Both schemes improve the proof-of-knowledge protocol by Camenisch and Lysyanskaya [16]: (i) we can work with a prime order group \(\mathbb {G}_{q}\) of “standard” size, e.g., 256 bits, whereas [16] needs a much larger \(\mathbb {G}_{q}\) (see above). We note that the size of \(\mathbb {G}_{q}\) affects not only the efficiency of the set membership protocol but also the efficiency of any other protocol that needs to interact with commitments to alleged set members; (ii) we can support flexible choices for the size of set elements. For instance, in the second scheme, we could work with primes of about 50 or 80 bits,^{Footnote 6} which in practice captures virtually unbounded sets and can make the accumulator operations 4–\(5\times \) faster compared to using \(\approx 256\)-bit primes as in [16].
Our main technical contribution here is a new way to link a proof of membership for RSA accumulators to a Pedersen commitment in a prime order group, together with a careful analysis showing this can be secure under parameters that do not require a larger prime order group (as in [16]). See Sect. 4 for further details.
1.4 Pairing-based construction
Our pairing-based scheme for set membership supports set elements in \(\mathbb {Z}_q\), where \(q\) is the order of the bilinear groups, while the sets are arbitrary subsets of \(\mathbb {Z}_q\) of cardinality less than a fixed a-priori bound n. This scheme has the disadvantage of having public parameters linear in n, but has other advantages in comparison to previous schemes with a similar limitation (and also in comparison to the RSA-based schemes above). First, the commitment to the set can be hiding and untrusted for the verifier, i.e., the set can be kept hidden and the verifier does not need to check the opening of the commitment to the set; this makes it composable with proof systems that could for example prove global properties on the set, i.e., that P(S) holds. Second, the scheme works entirely in bilinear groups, i.e., there is no need to operate over RSA groups. The main technical contribution here is a technique to turn the EDRAX vector commitment [23] into an accumulator admitting efficient zero-knowledge membership proofs.
1.5 Extensions to set non-membership
We propose extensions of both our CP-SNARK framework and our RSA constructions to deal with proving set non-membership, namely proving in zero-knowledge that \(u \notin S\) with respect to a commitment \(c(u)\) and a committed set S. Our two RSA-based schemes for non-membership have the same features as the analogous membership schemes mentioned above: the first scheme supports sets whose elements are strings of length \(\eta \), the second one supports elements that are prime numbers of \(\mu \) bits, and both work with elements committed using Pedersen in a prime order group and sets committed with RSA accumulators. A byproduct of sharing the same parameters is that we can easily compose the set-membership and non-membership schemes, via our framework, in order to prove statements like \(u \in S_1 \wedge u \notin S_2\). Our technical contribution in the design of these schemes is a zero-knowledge protocol for non-membership witnesses of RSA accumulators that is linked to Pedersen commitments in prime order groups.
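The RSA-accumulator relations that both the membership schemes of Sect. 1.3 and the non-membership schemes above turn into zero-knowledge protocols are shown below as an added example; this is not the paper's Rust library, and it proves nothing in zero knowledge: the element, the witness and the set are all in the clear. It shows the plain accumulator \(A = g^{\prod e_i}\) over \(\textsf{QR}_N\), the membership witness \(w = g^{\prod_{j \neq i} e_j}\) checked by \(w^{e} = A\), and the non-membership witness \((a, d = g^b)\) from Bézout coefficients \(aP + be = 1\), checked by \(A^a d^e = g\). The mapping of arbitrary strings to primes (`hash_to_prime`) is one standard encoding and is an assumption here, not the paper's construction; the 64-bit modulus generated in `gen_strong_rsa_modulus` is a toy, and a deployment needs a modulus of at least 2048 bits whose factorization nobody retains.

```python
"""Added example: RSA accumulator with membership and non-membership witnesses."""
import hashlib
import math
import random
from typing import Iterable, List, Tuple


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n in small:
        return True
    if any(n % p == 0 for p in small):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_strong_rsa_modulus(bits: int, rng: random.Random) -> Tuple[int, int, int]:
    """Toy GenSRSAmod: N = p*q with p = 2p'+1 and q = 2q'+1 safe primes."""
    half = bits // 2

    def safe_prime() -> int:
        while True:
            pp = rng.getrandbits(half - 1) | (1 << (half - 2)) | 1
            if is_prime(pp) and is_prime(2 * pp + 1):
                return 2 * pp + 1

    p = safe_prime()
    q = safe_prime()
    while q == p:
        q = safe_prime()
    return p * q, p, q


def hash_to_prime(element: bytes, mu: int = 64) -> int:
    """Assumed encoding: deterministic mu-bit prime derived from SHA-256(element || ctr)."""
    ctr = 0
    while True:
        h = hashlib.sha256(element + ctr.to_bytes(4, "big")).digest()
        cand = (int.from_bytes(h, "big") >> (256 - mu)) | (1 << (mu - 1)) | 1
        if is_prime(cand):
            return cand
        ctr += 1


def accumulate(g: int, N: int, primes: Iterable[int]) -> int:
    return pow(g, math.prod(primes), N)


def membership_witness(g: int, N: int, primes: List[int], e: int) -> int:
    if e not in primes:
        raise ValueError("not a member")
    return pow(g, math.prod(p for p in primes if p != e), N)


def verify_membership(N: int, acc: int, e: int, w: int) -> bool:
    return pow(w, e, N) == acc


def _ext_gcd(x: int, y: int) -> Tuple[int, int]:
    """Return (a, b) with a*x + b*y = gcd(x, y)."""
    a0, a1, b0, b1 = 1, 0, 0, 1
    while y:
        qt, x, y = x // y, y, x % y
        a0, a1 = a1, a0 - qt * a1
        b0, b1 = b1, b0 - qt * b1
    return a0, b0


def nonmembership_witness(g: int, N: int, primes: List[int], e: int) -> Tuple[int, int]:
    """Bezout coefficients a*P + b*e = 1 exist iff gcd(P, e) = 1, i.e. iff the prime e
    is not in the set. The witness is (a, d = g^b); pow() handles negative exponents
    via modular inverses (Python >= 3.8)."""
    P = math.prod(primes)
    if math.gcd(P, e) != 1:
        raise ValueError("element is a member; no non-membership witness exists")
    a, b = _ext_gcd(P, e)
    return a, pow(g, b, N)


def verify_nonmembership(g: int, N: int, acc: int, e: int, a: int, d: int) -> bool:
    # acc^a * d^e = g^(aP) * g^(be) = g^(aP + be) = g^1
    return pow(acc, a, N) * pow(d, e, N) % N == g


def demo() -> dict:
    rng = random.Random(2024)  # fixed seed: the toy run is reproducible
    N, _p, _q = gen_strong_rsa_modulus(64, rng)
    x = rng.randrange(2, N)
    while math.gcd(x, N) != 1:
        x = rng.randrange(2, N)
    g = x * x % N  # a square, hence an element of QR_N
    members = [b"alice", b"bob", b"carol"]  # constructed sample set
    primes = [hash_to_prime(m) for m in members]
    acc = accumulate(g, N, primes)
    e_bob, e_eve = hash_to_prime(b"bob"), hash_to_prime(b"eve")
    w = membership_witness(g, N, primes, e_bob)
    a, d = nonmembership_witness(g, N, primes, e_eve)
    return {
        "N": N, "g": g, "primes": primes, "e_bob": e_bob,
        "member_ok": verify_membership(N, acc, e_bob, w),
        "forged_member": verify_membership(N, acc, e_eve, w),
        "nonmember_ok": verify_nonmembership(g, N, acc, e_eve, a, d),
        "nonmember_for_member_fails": verify_nonmembership(g, N, acc, e_bob, a, d),
    }
```

Note that both witnesses are constant-size elements of \(\mathbb{Z}_N^*\) (plus the integer \(a\) for non-membership) regardless of \(|S|\), which is the property the paper's zero-knowledge linking to a Pedersen commitment preserves.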
1.6 Implementation and experiments
We have implemented our RSA-based^{Footnote 7} schemes for membership and non-membership as a Rust library which is publicly available [28]. Our library is implemented in a modular fashion to work with any elliptic curve from libzexe [67] and Ristretto from curve25519-dalek [54]. This choice enables everyone to easily and efficiently combine our CP-SNARKs in a modular way with other CP-SNARKs implemented over these elliptic curves, such as Bulletproofs [13] and LegoGroth16 [18].
We evaluated our RSA-based constructions and compared them against highly optimized solutions based on Merkle Trees.^{Footnote 8} Our schemes achieve significantly better performance in proving time while slightly compromising on proof size and verification time. Our implementation is fast, yet we have not heavily optimized it and thus expect the results can be further improved.
Our solutions supporting sets of arbitrary elements achieve a proving time that is up to^{Footnote 9} \(3.7\times \) faster for set membership (309 ms vs. 1.14 s) and up to \(7\times \) faster for set non-membership (325 ms vs. 2.28 s).^{Footnote 10}
Our solutions where elements of the set are large prime numbers (i.e., of 252-bit size) offer even better results: our proving time is \(4.5\times \)–\(23.5\times \) faster for membership and \(6.8\times \)–\(36\times \) faster for non-membership (depending on the depth of the Merkle tree used in the comparison). We also show an optimization that, at the price of achieving computational (instead of statistical) zero-knowledge, is twice as fast (see Sect. 7.4). This scenario can for example capture the case of sets made of hiding commitments that are prime numbers. In Sect. 8 we discuss how this can be relevant for a slight variant of the Zerocash protocol where commitments can be made prime numbers.
More details on the implementation and the benchmarks are available in Sect. 7.
1.7 Transparent instantiations
We generalize our building blocks for RSA groups to any hidden-order group (Appendix 4). By instantiating the latter with class groups and by using a transparent CP-NIZK such as Bulletproofs, we obtain variants of our RSA-based schemes with transparent setup. Class groups are more expensive than traditional RSA groups; in this setting we still obtain performance (proving time 12 s; \(|\Pi| = 6.4\) kB) outperforming other transparent solutions for large Merkle trees, roughly \(2^{64}\) leaves (see [79, Fig. 5], which summarizes the performance of transparent SNARKs used to prove Merkle tree computations using SHA-256 as hash). These potential gains come at the price of a relatively longer verification (compared to other solutions): 6.4 s.
1.8 Other related work
Ozdemir et al. [58] recently proposed a solution to scale operations on RSA accumulators inside a SNARK. In particular, their approach scales when these operations are batched (i.e., when proving membership of many elements at the same time); for example, they surpass a \(2^{20}\)-large Merkle tree when proving batches of at least 600 elements. This approach is attractive in settings where we can delegate a large quantity of these checks to an untrusted server, as there is a high constant proving cost. In contrast, our approach can achieve faster proving time than Merkle trees already for a single membership check. It is an interesting open problem to adapt our techniques for modular set (non-)membership to the case of batched membership while keeping the tested elements hidden.
1.9 Organization
We give basic definitions in Sect. 2. In Sect. 3 we formalize commit-and-prove zkSNARKs for set (non-)membership. We describe our main constructions based on RSA accumulators for set membership and non-membership respectively in Sects. 4 and 5. We describe our construction for set membership based on bilinear pairings in Sect. 6. Finally, in Sects. 7 and 8 we discuss our implementation, experiments and applications.
1.10 Recent developments
Here we mention recent developments in the area of zero-knowledge proofs for set (non-)membership, following the conference version of this paper published in 2021 [8].
A closely related work is that of Campanelli et al. [19], who present zero-knowledge protocols for RSA accumulators with which one can prove membership for any number of Pedersen-committed elements (a so-called ‘batch proof’). That is, the proofs of [19] are independent both of the size of the set and of the number of elements for which membership is proven.
In the bilinear group setting, Srinivasan et al. [70], among other improvements on the functionalities and security properties of the pairing-based accumulator itself, provide zero-knowledge (batch) proofs for membership and non-membership over the Nguyen accumulator [57].
Another relevant, rapidly developing, line of work has to do with succinct zero-knowledge lookup arguments. That is, given a committed vector of n elements, one proves that m committed elements are all values of the vector at some hidden positions, while keeping the elements secret. The proofs are succinct in both n and m. This line of work was initiated by the seminal work of Zapico et al. [74], followed by a number of works improving the prover’s complexity [35, 42, 62, 75]. All these constructions work over bilinear groups.
Finally, Lipmaa and Parisella [53] (building on [24, 26]) construct succinct set (non-)membership NIZKs from falsifiable assumptions. That is, the objective of their work is constructing efficient NIZKs for set (non-)membership that can be proven secure in the standard model assuming only falsifiable assumptions.
1.11 Publication note
This article is the long version of the homonymous paper that appeared in the proceedings of Financial Cryptography and Data Security 2021 [8]. This version additionally contains:

Sect. 1.10 on recent developments (works subsequent to [8]) in the area.

The full definitional framework of CP-SNARKs for set (non-)membership (Sect. 3).

The pairing-based construction of Sect. 6.

Full security proofs of the RSA-based constructions (Sects. 4, 5).

An experimental evaluation of our RSA-based protocols (Sect. 7).

A (slightly) different variant of our non-membership protocol (Appendix 2).

A discussion on how to extend our RSA-based protocols to work with any hidden-order group (Appendix 4).
2 Preliminaries
2.1 Notation
We denote the security parameter with \(\lambda \in \mathbb {N}\) and its unary representation with \(1^\lambda \). Throughout the paper we assume that all the algorithms of the cryptographic schemes take as input \(1^\lambda \), which is thus omitted from the list of inputs. If D is a distribution, we denote by \(x \leftarrow D\) the process of sampling x according to D. An ensemble \(\mathcal {X} = \{X_{\lambda }\}_{\lambda \in \mathbb {N}}\) is a family of probability distributions over a family of domains \(\mathcal {D}=\{D_{\lambda }\}_{\lambda \in \mathbb {N}}\), and we say that two ensembles \(\mathcal {D} = \{D_{\lambda }\}_{\lambda \in \mathbb {N}}\) and \(\mathcal {D}' = \{D'_{\lambda }\}_{\lambda \in \mathbb {N}}\) are statistically indistinguishable (denoted by \(\mathcal {D} \approx _s\mathcal {D'}\)) if their statistical distance is negligible, i.e., \(\frac{1}{2}\sum _x \left| D_{\lambda }(x) - D_{\lambda }'(x) \right| < \textsf{negl}(\lambda )\). If \(\mathcal {A}= \{ \mathcal {A}_{\lambda } \}\) is a (possibly non-uniform) family of circuits and \(\mathcal {D} = \{D_{\lambda }\}_{\lambda \in \mathbb {N}}\) is an ensemble, then we denote by \(\mathcal {A}(\mathcal {D})\) the ensemble of the outputs of \(\mathcal {A}_{\lambda }(x)\) when \(x \leftarrow D_{\lambda }\). We say two ensembles \(\mathcal {D} = \{D_{\lambda }\}_{\lambda \in \mathbb {N}}\) and \(\mathcal {D}' = \{D'_{\lambda }\}_{\lambda \in \mathbb {N}}\) are computationally indistinguishable (denoted by \(\mathcal {D} \approx _c\mathcal {D'}\)) if for every non-uniform polynomial time distinguisher \(\mathcal {A}\) we have \(\mathcal {A}(\mathcal {D}) \approx _s\mathcal {A}(\mathcal {D'})\).
We use [n] to denote the set of integers \(\{1, \dots , n\}\), and [0, n] for \(\{0, 1, \dots , n\}\). We denote by \((u_j)_{j \in [\ell ]}\) the tuple of elements \((u_1, \ldots , u_{\ell })\).
We denote by \(\textsf{Primes}:=\{e\in \mathbb {N}: e\text { is prime}\}\) the set of all positive integers \(e>1\) that have no non-trivial factors (i.e., no factors other than 1 and \(e\)). Given two positive integers \(A, B\) with \(A<B\), we denote by \(\textsf{Primes}(A,B)\) the subset of \(\textsf{Primes}\) lying in the open interval (A, B), i.e., \(\textsf{Primes}(A,B) :=\{e\in \mathbb {Z}: e\text { is prime} \; \wedge \; A<e<B\}\). By the well-known prime number theorem \(\left| \textsf{Primes}(1,B) \right| = O\big (\frac{B}{\log B}\big )\), and hence \(\left| \textsf{Primes}(A,B) \right| = O\big (\frac{B}{\log B}\big ) - O\big (\frac{A}{\log A}\big )\).
2.2 RSA groups
We say that \(N=pq\) is an RSA modulus if p, q are distinct primes, \(p \neq q\). We further say that N is a strong RSA modulus if there are primes \(p',q'\) such that \(p=2p'+1\) and \(q = 2q'+1\) (i.e., p and q are safe primes). For an RSA modulus N we call \(\mathbb {Z}_N^*\) an RSA group. With \(\phi :\mathbb {N} \rightarrow \mathbb {N}\) we denote Euler's totient function, \(\phi (N) :=|\mathbb {Z}_N^*|\). In particular, for an RSA modulus, \(\phi (N) = (p-1)(q-1)\). An RSA group generator \(N {\leftarrow }{\$}\,\textsf{GenSRSAmod}(1^{\lambda })\) is a probabilistic algorithm that outputs a strong RSA modulus N of bit-length \(\ell (\lambda )\) for an appropriate polynomial \(\ell (\cdot )\).
For any N we denote by \(\textsf{QR}_N :=\{Y: \exists X \in \mathbb {Z}_N^*\text { such that } Y=X^2 \pmod {N}\}\) the set of all quadratic residues modulo N. \(\textsf{QR}_N\) is a subgroup (and thus closed under multiplication) of \(\mathbb {Z}_N^*\). Since \(\mathbb {Z}_N^* \cong \mathbb {Z}_p^* \times \mathbb {Z}_q^*\) and the squaring map has a kernel of size 4 (the four square roots of 1 modulo N), its order is \(|\textsf{QR}_N| = |\mathbb {Z}_N^*|/4\). In particular, for a strong RSA modulus \(|\textsf{QR}_N| = \frac{4p'q'}{4} = p'q'\): the order of \(\textsf{QR}_N\) is the product of two large primes and is unknown to anyone who does not know the factorization of N, which is what makes it a hidden-order group.
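The group-theoretic facts above can be checked by enumeration on a strong RSA modulus small enough to brute-force. The following is an added example, not from the paper: for \(N = p q\) with safe primes \(p = 2p'+1\) and \(q = 2q'+1\) it counts the units and the squares, confirming \(\phi(N) = 4p'q'\) and \(|\textsf{QR}_N| = p'q'\), checks closure under multiplication, and finds a square whose order is exactly \(p'q'\). The default toy modulus \(23 \cdot 47\) is a constructed sample, and the trial-division primality test is only meant for these sizes.

```python
"""Added example: enumerate Z_N^* and QR_N for a toy strong RSA modulus."""
import math


def is_safe_prime(p: int) -> bool:
    """p = 2p'+1 with both p and p' prime (trial division; toy sizes only)."""
    def prime(n: int) -> bool:
        return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))
    return p % 2 == 1 and prime(p) and prime((p - 1) // 2)


def enumerate_qr(N: int) -> set:
    """QR_N by brute force: the squares of all units modulo N."""
    return {x * x % N for x in range(1, N) if math.gcd(x, N) == 1}


def group_facts(p: int = 23, q: int = 47) -> dict:
    if not (is_safe_prime(p) and is_safe_prime(q) and p != q):
        raise ValueError("p and q must be distinct safe primes")
    N = p * q
    pp, qq = (p - 1) // 2, (q - 1) // 2
    units = sum(1 for x in range(1, N) if math.gcd(x, N) == 1)  # phi(N) by counting
    qr = enumerate_qr(N)
    # closure: the product of two residues is again a residue
    closed = all(a * b % N in qr for a in qr for b in qr)
    # a generic square has order exactly p'q'; the only other possibilities are
    # the proper divisors 1, p', q' (elements of Z_N^* with a trivial component)
    g = None
    for x in range(2, N):
        cand = x * x % N
        if math.gcd(cand, N) == 1 and pow(cand, pp, N) != 1 and pow(cand, qq, N) != 1:
            g = cand
            break
    return {
        "N": N,
        "phi": units,
        "phi_formula": 4 * pp * qq,
        "qr_order": len(qr),
        "qr_formula": pp * qq,
        "closed": closed,
        "generator": g,
        "generator_order_ok": g is not None and pow(g, pp * qq, N) == 1,
    }
```

Computing `pp * qq` here is only possible because the factors are known; for a real modulus the accumulator's security rests on nobody, including the prover, knowing \(|\textsf{QR}_N|\), which is why setup must discard p and q.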
2.2.1 Computational assumptions in RSA groups
The most fundamental assumption for RSA groups is the factoring assumption which states that given an RSA modulus \(N \leftarrow \textsf{GenSRSAmod}(1^{\lambda })\) it is hard to compute its factors p and q. We further recall the Discrete Logarithm and strong RSA [2] assumptions:
Definition 2.1
(DLOG assumption for RSA groups) We say that the Discrete Logarithm (DLOG) assumption holds for \(\textsf{GenSRSAmod}\) if for any PPT adversary \(\mathcal {A}\):
Definition 2.2
(StrongRSA assumption [2]) We say that the strong RSA assumption holds for \(\textsf{GenSRSAmod}\) if for any PPT adversary \(\mathcal {A}\):
2.3 Non-interactive zero-knowledge (NIZK)
We recall the definition of zero-knowledge non-interactive arguments of knowledge (NIZKs, for short).
Definition 2.3
(NIZK) A NIZK for \(\{\mathcal {R}_{\lambda }\}_{\lambda \in \mathbb {N}}\) is a tuple of three algorithms \(\Pi = (\textsf{KeyGen}, \textsf{Prove}, \textsf{VerProof})\) that work as follows and satisfy the notions of completeness, knowledge soundness and (composable) zero-knowledge defined below.

\(\textsf{KeyGen}(R) \rightarrow (\textsf{ek}, \textsf{vk})\) takes the security parameter \(\lambda \) and a relation \(R\in \mathcal {R}_{\lambda }\), and outputs a common reference string consisting of an evaluation and a verification key.

\(\textsf{Prove}(\textsf{ek}, x, w) \rightarrow \pi \) takes an evaluation key for a relation \(R\), a statement \(x\), and a witness \(w\) such that \(R(x, w)\) holds, and returns a proof \(\pi \).

\(\textsf{VerProof}(\textsf{vk}, x, \pi ) \rightarrow b\) takes a verification key, a statement \(x\), and either accepts (\(b=1\)) or rejects (\(b=0\)) the proof \(\pi \).
Completeness For any \(\lambda \in \mathbb {N}\), \(R\in \mathcal {R}_{\lambda }\) and \((x, w)\) such that \(R(x, w)\), it holds \(\Pr [(\textsf{ek}, \textsf{vk}) \leftarrow \textsf{KeyGen}(R), \pi \leftarrow \textsf{Prove}(\textsf{ek}, x, w): \textsf{VerProof}(\textsf{vk}, x, \pi )=1 ]=1\).
Knowledge soundness Let \(\mathcal{R}\mathcal{G}\) be a relation generator such that \(\mathcal{R}\mathcal{G}_{\lambda } \subseteq \mathcal {R}_{\lambda }\). \(\Pi \) has computational knowledge soundness for \(\mathcal{R}\mathcal{G}\) and auxiliary input distribution \(\mathcal {Z}\), denoted \(\textsf{KSND}(\mathcal{R}\mathcal{G}, \mathcal {Z})\) for brevity, if for every (nonuniform) efficient adversary \(\mathcal {A}\) there exists a (nonuniform) efficient extractor \(\mathcal {E}\) such that \(\Pr [{\textsf{Game}}^{\textsf{KSND}}_{\mathcal{R}\mathcal{G},\mathcal {Z},\mathcal {A},\mathcal {E}} = 1] = \textsf{negl}\). We say that \(\Pi \) is knowledge sound if there exists benign \(\mathcal{R}\mathcal{G}\) and \(\mathcal {Z}\) such that \(\Pi \) is \(\textsf{KSND}(\mathcal{R}\mathcal{G}, \mathcal {Z})\).
Composable zero-knowledge A scheme \(\Pi \) satisfies composable zero-knowledge for a relation generator \(\mathcal{R}\mathcal{G}\) if there exists a simulator \(\mathcal {S}= (\mathcal {\mathcal {S}_{\textsf{kg}}}, \mathcal {\mathcal {S}_{\textsf{prv}}})\) such that both following conditions hold.
Keys indistinguishability For all adversaries \(\mathcal {A}\)
Proof indistinguishability For all adversaries \(\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)\)
Definition 2.4
(zkSNARKs) A NIZK \(\Pi \) is called a zero-knowledge succinct non-interactive argument of knowledge (zkSNARK) if \(\Pi \) is a NIZK as per Definition 2.3 enjoying an additional property, succinctness, i.e., if the running time of \(\textsf{VerProof}\) is \(\textsf{poly}(\lambda + |x| + \log |w|)\) and the proof size is \(\textsf{poly}(\lambda + \log |w|)\).
Remark 2.1
(On knowledge-soundness) In the NIZK definition above we use a non-black-box notion of extractability. Although this is virtually necessary in the case of zkSNARKs [44], NIZKs can also satisfy stronger (black-box) notions of knowledge-soundness.
2.4 Type-based commitments
We recall the notion of Type-Based Commitment schemes introduced by Escala and Groth [36]. In brief, a Type-Based Commitment scheme is a normal commitment scheme with the difference that it allows one to commit to values from different domains. More specifically, the \(\textsf{Commit}\) algorithm (and therefore the \(\textsf{VerCommit}\) algorithm as well) depends on the domain of the input, while the commitment key remains the same. For example, as in the original motivation of [36], the committer can use the same scheme and key to commit to elements that may belong to two different groups \(\mathbb {G}_1,\mathbb {G}_2\) or a field \(\mathbb {Z}_p\). In our work we use type-based commitments. The main benefit of this formalization is that it can unify many commitment algorithms into one scheme. In our case this is useful to formalize the notion of commit-and-prove NIZKs that work with commitments from different groups and schemes.
More formally, a Type-Based Commitment is a tuple of algorithms \(\textsf{Com}= (\textsf{Setup}, \textsf{Commit}, \textsf{VerCommit})\) that works as a standard commitment scheme with the difference that the \(\textsf{Commit}\) and \(\textsf{VerCommit}\) algorithms take an extra input \(\textsf{t}\) that represents the type of \(u\). All the possible types are included in the type space \(\mathcal {T}\).^{Footnote 11}
Definition 2.5
A type-based commitment scheme for a set of types \(\mathcal {T}\) is a tuple of algorithms \(\textsf{Com}= (\textsf{Setup}, \textsf{Commit}, \textsf{VerCommit})\) that work as follows:

\(\textsf{Setup}(1^\lambda ) \rightarrow \textsf{ck}\) takes the security parameter and outputs a commitment key \(\textsf{ck}\). This key includes \(\forall \textsf{t}\in \mathcal {T}\) descriptions of the input space \(\mathcal {D}_\textsf{t}\), commitment space \(\mathcal {C}_\textsf{t}\) and opening space \(\mathcal {O}_\textsf{t}\).

\(\textsf{Commit}(\textsf{ck}, \textsf{t}, u) \rightarrow (c, o)\) takes the commitment key \(\textsf{ck}\), the type \(\textsf{t}\) of the input and a value \(u\in \mathcal {D}_\textsf{t}\), and outputs a commitment \(c\) and an opening \(o\).

\(\textsf{VerCommit}(\textsf{ck}, \textsf{t}, c, u, o) \rightarrow b\) takes the commitment key \(\textsf{ck}\), a type \(\textsf{t}\), a commitment \(c\), a value \(u\) and an opening \(o\), and accepts (\(b=1\)) or rejects (\(b=0\)).
Furthermore, the security properties depend on the type, in the sense that binding and hiding should hold with respect to a certain type.
Definition 2.6
Let \(\mathcal {T}\) be a set of types, and \(\textsf{Com}\) be a type-based commitment scheme for \(\mathcal {T}\). Correctness, \(\textsf{t}\)-Type Binding and \(\textsf{t}\)-Type Hiding are defined as follows:
Correctness For all \(\lambda \in \mathbb {N}\) and any input \((\textsf{t}, u) \in (\mathcal {T}, \mathcal {D}_\textsf{t})\) we have:
\(\textsf{t}\)-Type binding Given \(\textsf{t}\in \mathcal {T}\), for every polynomial-time adversary \(\mathcal {A}\):
In case \(\textsf{Com}\) is \(\textsf{t}\)-type binding for all \( \textsf{t}\in \mathcal {T}\) we say that it is Binding.
\(\textsf{t}\)-Type hiding Given a \(\textsf{t}\in \mathcal {T}\), for \(\textsf{ck}\leftarrow \textsf{Setup}(1^\lambda )\) and every pair of values \(u, u' \in \mathcal {D}_\textsf{t}\), the following two distributions are statistically close: \(\textsf{Commit}(\textsf{ck}, \textsf{t}, u) \approx \textsf{Commit}(\textsf{ck},\textsf{t}, u')\).
In case \(\textsf{Com}\) is \(\textsf{t}\)-Type Hiding for all \(\textsf{t}\in \mathcal {T}\) we say it is Hiding.
Composing type-based commitments For simplicity we now define an operator that allows one to compose type-based commitment schemes in a natural way.
Definition 2.7
Let \(\textsf{C}\) and \(\textsf{C}'\) be two commitment schemes respectively for (disjoint) sets of types \(\mathcal {T}\) and \(\mathcal {T}'\). Then we denote by \(\textsf{C}\bullet \textsf{C}'\) the commitment scheme \(\bar{\textsf{C}}\) for \(\mathcal {T}\cup \mathcal {T}'\) such that:

\(\bar{\textsf{C}}.\textsf{Setup}(\textsf{secpar}, \textsf{secpar}') \rightarrow \overline{\textsf{ck}}:\) compute \(\textsf{ck}\leftarrow \textsf{C}.\textsf{Setup}(\textsf{secpar}) \text { and } \textsf{ck}' \leftarrow \textsf{C}'.\textsf{Setup}(\textsf{secpar}'); \overline{\textsf{ck}} :=(\textsf{ck}, \textsf{ck}')\).

\(\bar{\textsf{C}}.\textsf{Commit}(\overline{\textsf{ck}} :=(\textsf{ck}, \textsf{ck}'), \textsf{t}, u):\) If \(\textsf{t}\in \mathcal {T}\) then output \(\textsf{C}.\textsf{Commit}(\textsf{ck}, \textsf{t}, u)\); otherwise return \(\textsf{C}'.\textsf{Commit}(\textsf{ck}', \textsf{t}, u)\).

\(\bar{\textsf{C}}.\textsf{VerCommit}(\overline{\textsf{ck}} :=(\textsf{ck}, \textsf{ck}'), \textsf{t}, c, u, o):\) If \(\textsf{t}\in \mathcal {T}\) then return \(\textsf{C}.\textsf{VerCommit}(\textsf{ck}, \textsf{t}, c, u, o)\); otherwise return \(\textsf{C}'.\textsf{VerCommit}(\textsf{ck}', \textsf{t}, c, u, o)\).
The following property of \(\bullet \) follows immediately from its definition.
Lemma 2.1
Let \(\textsf{C}\) and \(\textsf{C}'\) be two commitment schemes with disjoint sets of types. For all types \(\textsf{t}\), if \(\textsf{C}\) or \(\textsf{C}'\) is \(\textsf{t}\)-hiding (resp. \(\textsf{t}\)-binding) then \(\textsf{C}\bullet \textsf{C}'\) is \(\textsf{t}\)-hiding (resp. \(\textsf{t}\)-binding).
Remark 2.2
We observe that a standard (non-type-based) commitment scheme with input space \(\mathcal {D}\) directly induces a type-based commitment scheme with the same input space and a single type, which we denote by \(\mathbb {T}[\mathcal {D}]\).
2.5 Commit-and-prove NIZKs
We give the definition of commit-and-prove NIZKs (CP-NIZKs). We start from the definition given in [7, 18] and extend it to type-based commitments. The main benefit of this extension is that we can formalize CP-NIZKs working with commitments over different domains. In a nutshell, a CP-NIZK is a NIZK that can prove knowledge of \((x, w)\) such that \(R(x, w)\) holds with respect to a witness \(w=( u, \omega )\) such that \(u\) opens a commitment \(c_u\). As done in [18], we explicitly consider the input domain \(\mathcal {D}_{u}\) at a more fine-grained level, splitting it over \(\ell \) subdomains. We call them commitment slots, as each of the \(\mathcal {D}_i\)s intuitively corresponds to a committed element.^{Footnote 12} The description of the splitting is assumed to be part of \(R\)’s description.
In the remainder of this work we use the following shorthand definition. If \(\textsf{C}\) is a type-based commitment scheme over a set of types \(\mathcal {T}\), we say that a relation \(R\) over \((\mathcal {D}_1 \times \cdots \times \mathcal {D}_{\ell })\) is \(\mathcal {T}\)-compatible if for all \(j\in [\ell ]\) it holds that \(\mathbb {T}[\mathcal {D}_j] \in \mathcal {T}\). We say a relation family \(\mathcal {R}\) is \(\mathcal {T}\)-compatible if every \(R\) in \(\mathcal {R}\) is \(\mathcal {T}\)-compatible; a relation generator \(\mathcal{R}\mathcal{G}\) is \(\mathcal {T}\)-compatible if \(\textsf{Range}(\mathcal{R}\mathcal{G})\) is \(\mathcal {T}\)-compatible.
Definition 2.8
(CP-NIZKs [18]) Let \(\{\mathcal {R}_{\lambda }\}_{\lambda \in \mathbb {N}}\) be a family of relations \(R\) over \(\mathcal {D}_{x} \times \mathcal {D}_{u} \times \mathcal {D}_{\omega }\) such that \(\mathcal {D}_{u}\) splits over \(\ell \) arbitrary domains \((\mathcal {D}_1 \times \cdots \times \mathcal {D}_{\ell })\) for some arity parameter \(\ell \ge 1\). Let \(\textsf{C}= (\textsf{Setup}, \textsf{Commit}, \textsf{VerCommit})\) be a commitment scheme (as per Definition 2.5) over a set of types \(\mathcal {T}\) such that \(\{\mathcal {R}_{\lambda }\}_{\lambda \in \mathbb {N}}\) is \(\mathcal {T}\)-compatible.
A commit-and-prove NIZK for \(\textsf{C}\) and \(\{\mathcal {R}_{\lambda }\}_{\lambda \in \mathbb {N}}\) is a NIZK for a family of relations \(\{\mathcal {R}^{\textsf{C}}_{\lambda }\}_{\lambda \in \mathbb {N}}\) such that:

every \(\smash {\varvec{\mathsf R}\in \mathcal {R}^{\textsf{C}}}\) is represented by a pair \((\textsf{ck}, R)\) where \(\textsf{ck}\in \) \(\smash {\textsf{C}.\textsf{Setup}(1^\lambda )}\) and \(R\in \mathcal {R}_{\lambda }\);

\(\varvec{\mathsf R}\) is over pairs \((\varvec{\mathsf x}, \varvec{\mathsf w})\) where the statement is \(\varvec{\mathsf x}:=(x, (c_j)_{j \in [\ell ]}) \in \mathcal {D}_{x} \times \mathcal {C}^{\ell }\), the witness is \(\varvec{\mathsf w}:=((u_j)_{j \in [\ell ]}, (o_j)_{j \in [\ell ]}, \omega ) \in \) \( \mathcal {D}_1 \times \cdots \times \mathcal {D}_{\ell }\times \mathcal {O}^{\ell } \times \mathcal {D}_{\omega }\), and the relation \(\varvec{\mathsf R}\) holds iff
$$\begin{aligned} \bigwedge \nolimits _{j \in [\ell ]} \ \textsf{VerCommit}(\textsf{ck}, \mathbb {T}[\mathcal {D}_j], c_j, u_j, o_j)=1 \wedge R(x, (u_j)_{j \in [\ell ]}, \omega )=1. \end{aligned}$$
We denote knowledge soundness of a CP-NIZK for commitment scheme \(\textsf{C}\) and relation and auxiliary input generators \(\mathcal{R}\mathcal{G}\) and \(\mathcal {Z}\) as \(\textsf{CP}\text{ }\textsf{KSND}(\textsf{C}, \mathcal{R}\mathcal{G}, \mathcal {Z})\).
We denote a CP-NIZK as a tuple of algorithms \(\textsf {CP}= (\textsf{KeyGen}, \textsf{Prove}, \textsf{VerProof})\). For ease of exposition, in our constructions we adopt the following explicit syntax for \(\textsf {CP}\)’s algorithms.

\(\textsf{KeyGen}(\textsf{ck},R) \rightarrow \textsf{crs}:=(\textsf{ek}, \textsf{vk})\)

\(\textsf{Prove}(\textsf{ek}, x, (c_j)_{j \in [\ell ]}, (u_j)_{j \in [\ell ]}, (o_j)_{j \in [\ell ]}, \omega ) \rightarrow \pi \)

\(\textsf{VerProof}(\textsf{vk}, x, (c_j)_{j \in [\ell ]}, \pi ) \rightarrow b \in \{0, 1\}\)
2.6 Commit-and-prove NIZKs with partial opening
We now define a variant of commit-and-prove NIZKs with a weaker notion of knowledge soundness. In particular, we consider the case where part of the committed input is not assumed to be extractable (or hidden),^{Footnote 13} i.e., such input is assumed to be opened by the adversary. This models scenarios where we do not require this element to be an input of the verification algorithm (the verifier can directly use a digest of it).
The motivation to define and use this notion is twofold. First, in some constructions commitments to sets are compressing but not knowledge-extractable. Second, in many applications this definition is sufficient since the set is public (e.g., the set contains the valid coins).
The definition below is limited to a setting where the adversary opens only one input in this fashion.^{Footnote 14} We will assume, as a convention, that in a scheme with partial opening this special input is always the first committed input of the relation, i.e. the one denoted by \(u_1\) and corresponding to \(\mathcal {D}_1\). We note that the commitment to \(u_1\) does not require hiding for zero-knowledge to hold.
Definition 2.9
(CP-NIZK with partial opening) A commit-and-prove NIZK with partial opening for \(\textsf{C}\) and \(\{\mathcal {R}_{\lambda }\}_{\lambda \in \mathbb {N}}\) is a NIZK for a family of relations \(\{\mathcal {R}^{\textsf{C}}_{\lambda }\}_{\lambda \in \mathbb {N}}\) (defined as in Definition 2.8) such that the property of knowledge soundness is replaced by knowledge soundness with partial opening, defined below.
Knowledge soundness with partial opening Let \(\mathcal{R}\mathcal{G}\) be a relation generator such that \(\mathcal{R}\mathcal{G}_{\lambda } \subseteq \mathcal {R}_{\lambda }\). \(\Pi \) has knowledge soundness with partial opening for \(\textsf{C}\), \(\mathcal{R}\mathcal{G}\) and auxiliary input distribution \(\mathcal {Z}\), denoted \(\textsf{CP}\text{ }\textsf{poKSND}(\textsf{C}, \mathcal{R}\mathcal{G}, \mathcal {Z})\) for brevity, if for every (non-uniform) efficient adversary \(\mathcal {A}\) there exists a (non-uniform) efficient extractor \(\mathcal {E}\) such that \(\Pr [{\textsf{Game}}^{\textsf{CP}\text{ }\textsf{poKSND}}_{\textsf{C},\mathcal{R}\mathcal{G},\mathcal {Z},\mathcal {A},\mathcal {E}} = 1] = \textsf{negl}\). We say that \(\Pi \) is knowledge sound for \(\textsf{C}\) if there exist benign \(\mathcal{R}\mathcal{G}\) and \(\mathcal {Z}\) such that \(\Pi \) is \(\textsf{CP}\text{ }\textsf{poKSND}(\textsf{C}, \mathcal{R}\mathcal{G}, \mathcal {Z})\).^{Footnote 15}
Remark 2.3
(On weaker ZK in the context of partial opening) The notion of zero-knowledge for CP-NIZKs with partial opening that is implied by our definition above requires that the simulator does not have access to the opening of the first input (as is the case in zero-knowledge for CP-NIZKs in general). Since this first commitment is opened, in principle one could also consider and define a weaker notion of zero-knowledge where the simulator has access to the first opened input. We leave it as an open problem to investigate whether it can be of any interest.
Remark 2.4
(Full extractability) If a CP-NIZK has an empty input \(u_1\) opened by the adversary in the game above, then we say that it is fully extractable. This roughly corresponds to the notion of knowledge soundness in Definition 2.3.
2.6.1 Composition properties of commit-and-prove schemes
In [18], Campanelli et al. show a compiler for composing commit-and-prove schemes that work for the same commitment scheme in order to obtain \(\textsf {CP}\) systems for conjunctions of relations. In this section we generalize their results to the case of typed relations and type-based commitments. This generalization in particular can model the composition of CP-NIZKs that work with different commitments, as is the case in our constructions for set membership, in which one has a commitment to a set and a commitment to an element.
We begin by introducing the following compact notation for an augmented relation generator.
Definition 2.10
(Augmented relation generator) Let \(\mathcal{R}\mathcal{G}\) be a relation generator and \(\mathcal {F}(1^\lambda )\) an algorithm taking as input a security parameter. Then we denote by \(\mathcal{R}\mathcal{G}[\mathcal {F}]\) the relation generator returning \((R, (\textsf{aux}_{R}, \textsf{out}_{\mathcal {F}}))\) where \(\textsf{out}_{\mathcal {F}} \leftarrow \mathcal {F}(1^\lambda )\) and \((R, \textsf{aux}_{R}) \leftarrow \mathcal{R}\mathcal{G}(1^{\lambda })\).
The next lemma states that we can (with certain restrictions) trivially extend a CP-NIZK for commitment scheme \(\textsf{C}\) to an extended commitment scheme \(\textsf{C}\bullet \textsf{C}'\).
Lemma 2.2
(Extending to commitment composition) Let \(\textsf{C}, \textsf{C}'\) be commitment schemes defined over disjoint type sets \(\mathcal {T}\) and \(\mathcal {T}'\). If \(\textsf {CP}\) is \(\textsf{CP}\text{ }\textsf{poKSND}(\textsf{C}, \mathcal{R}\mathcal{G}[\textsf{C}.\textsf{Setup}], \mathcal {Z})\) for some relation and auxiliary input generators \(\mathcal{R}\mathcal{G}, \mathcal {Z}\), then \(\textsf {CP}\) is \(\textsf{CP}\text{ }\textsf{poKSND}(\textsf{C}\bullet \textsf{C}', \mathcal{R}\mathcal{G}[\textsf{C}.\textsf{Setup}], \mathcal {Z})\) provided that \(\mathcal{R}\mathcal{G}\) is \(\mathcal {T}\)-compatible.
We now define relation generators and auxiliary input generators for our composition constructions.
The following lemma shows how we can compose CP-NIZKs even when one of them is fully extractable but the other is not. We are interested in the conjunction \(R^{\wedge }_{asym}\) of relations of type \(R_1(x_1, (u_0, u_1, u_3), \omega _1)\) and \(R_2(x_2, (u_2, u_3), \omega _2)\) where
Lemma 2.3
(Composing conjunctions (with asymmetric extractability)) Let \(\textsf{C}\) be a computationally binding commitment scheme. If \(\textsf {CP}_1\) is \(\textsf{CP}\text{ }\textsf{poKSND}(\textsf{C}, \overline{\mathcal{R}\mathcal{G}}_1, \overline{\mathcal {Z}}_1)\) and \(\textsf {CP}_2\) is \(\textsf{KSND}(\textsf{C}, \overline{\mathcal{R}\mathcal{G}}_2, \overline{\mathcal {Z}}_2)\) (where \(\overline{\mathcal{R}\mathcal{G}}_{b}, \overline{\mathcal {Z}}_{b}\) are defined in terms of \(\mathcal{R}\mathcal{G}_{b}, \mathcal {Z}_{b}\) in Fig. 1 for \(b \in \{1,2\}\)), then the scheme \(\textsf {CP}^{\wedge }_{asym}\) in Fig. 2 is \(\textsf{CP}\text{ }\textsf{poKSND}(\textsf{C}, \mathcal{R}\mathcal{G}^{*}, \mathcal {Z}^{*})\) where \(\mathcal{R}\mathcal{G}^{*}, \mathcal {Z}^{*}\) are as defined in Fig. 1.
The following lemma is a symmetric variant of Lemma 2.3, i.e. the CP-NIZKs we are composing are both secure over the same commitment scheme and both support partial opening, that is, they both handle relations with an adversarially opened input \(u_0\). This time we are interested in the conjunction \(R^{\wedge }_{sym}\) of relations of type \(R_1(x_1, (u_0, u_1, u_3), \omega _1)\) and \(R_2(x_2, (u_0, u_2, u_3), \omega _2)\) where
Lemma 2.4
(Composing conjunctions (symmetric case)) Let \(\textsf{C}\) be a (type-based) computationally binding commitment scheme. If \(\textsf {CP}_{b}\) is \(\textsf{CP}\text{ }\textsf{poKSND}(\textsf{C}, \overline{\mathcal{R}\mathcal{G}}_{b}, \overline{\mathcal {Z}}_{b})\) (where \(\overline{\mathcal{R}\mathcal{G}}_{b}, \overline{\mathcal {Z}}_{b}\) are defined in terms of \(\mathcal{R}\mathcal{G}_{b}, \mathcal {Z}_{b}\) in Fig. 1) for \(b \in \{1,2\}\), then the scheme \(\textsf {CP}^{\wedge }_{sym}\) in Fig. 3 is \(\textsf{CP}\text{ }\textsf{poKSND}(\textsf{C},\mathcal{R}\mathcal{G}^{*}, \mathcal {Z}^{*})\) where \(\mathcal{R}\mathcal{G}^{*}, \mathcal {Z}^{*}\) are as defined in Fig. 1.
3 CP-SNARKs for set membership (and non-membership)
In this section we discuss a specialization of CP-SNARKs for the specific NP relation that models membership (resp. non-membership) of an element in a set, formally defined below.
3.1 Set membership relations
Let \(\mathcal {D}_{\textsf{elm}}\) be some domain for set elements, and let \(\mathcal {D}_{\textsf{set}} \subseteq 2^{\mathcal {D}_{\textsf{elm}}}\) be a set of possible sets over \(\mathcal {D}_{\textsf{elm}}\). We define the set membership relation \(R_{\textsf{mem}}: \mathcal {D}_{\textsf{elm}} \times \mathcal {D}_{\textsf{set}}\) as
This is the fundamental relation that we deal with in the rest of this work.
The non-membership relation \(R_{\textsf{nmem}}: \mathcal {D}_{\textsf{elm}} \times \mathcal {D}_{\textsf{set}}\) can be defined analogously as
3.2 CP-SNARKs for set membership
Intuitively, a commit-and-prove SNARK for set membership allows one to commit to a set \(U\) and to an element \(u\), and then to prove in zero-knowledge that \(R_{\textsf{mem}}(U,u) = 1\). More formally, let \(R_{\textsf{mem}}: \mathcal {D}_{\textsf{elm}} \times \mathcal {D}_{\textsf{set}}\) be a set membership relation as defined above, where \(\mathbb {T}[\mathcal {D}_{\textsf{elm}}] = \textsf{t}_{\textsf{elm}}\) and \(\mathbb {T}[\mathcal {D}_{\textsf{set}}] = \textsf{t}_{\textsf{set}}\), and let \(\textsf{Com}_{\mathsf {S\cup elm}}\) be a type-based commitment scheme for \(\mathcal {T}\) such that \(\textsf{t}_{\textsf{set}}, \textsf{t}_{\textsf{elm}} \in \mathcal {T}\). Basically, \(\textsf{Com}_{\mathsf {S\cup elm}}\) allows one to commit either to an element of \(\mathcal {D}_\textsf{elm}\) or to a set of values of \(\mathcal {D}_\textsf{elm}\). Then a CP-SNARK for set membership is a CP-SNARK for the family of relations \(\{\mathcal {R}^{\textsf{mem}}_\lambda \}\) and the type-based commitment scheme \(\textsf{Com}_{\mathsf {S\cup elm}}\). It follows from Definition 2.8 that this is a zkSNARK for the relation:
\(\varvec{\mathsf R}=(ck,R_{\textsf{mem}})\) over \((\varvec{x},\varvec{w})=((x,c),(u,o,\omega )) :=\left( \, (\, \varnothing \, ,\, (c_U,c_u)\, )\, ,\, (\, (U,u)\, ,\, (o_U,o_u)\, ,\, \varnothing \, ) \, \right) \),
such that \(\varvec{\mathsf R}\) holds iff:
A commit-and-prove version of \(R_{\textsf{nmem}}\) can be defined as a natural variant of the relation above.
Notice that for the relation \(R_{\textsf{mem}}\) it is relevant for the proof system to be succinct, so that proofs are at most polylogarithmic (or constant) in the size of the set (which is part of the witness). This is why for set membership we are mostly interested in designing CP-SNARKs.
3.3 Proving arbitrary relations involving set (non-)membership
As discussed in the introduction, a primary motivation for proving set membership in zero-knowledge is to prove additional properties about an alleged set member. In order to make our CP-SNARK for set membership a reusable gadget, we describe a generic and simple method for composing CP-SNARKs for set membership (with partial opening) with other CP-SNARKs (with full extractability) for arbitrary relations. More formally, let \(R_{\textsf{mem}}\) be the set membership relation over pairs \((U, u) \in \mathbb {X}\times \mathcal {D}_{u}\) and let \(R\) be an arbitrary relation over pairs \((u, \omega )\); then we define the relation \(R^*\) as:
The next corollary (a direct consequence of Lemmas 2.2 and 2.3) states that we can straightforwardly compose a CP-SNARK for set membership with a CP-SNARK for an arbitrary relation on elements of the set.
Corollary 3.1
(Extending relations with set membership) Let \(\textsf{C}_{\textsf{S}}, \textsf{C}_{u}\) be two computationally binding commitment schemes defined over disjoint type sets \(\mathcal {T}_{\textsf{S}}\) and \(\mathcal {T}_u\). Let \(\textsf {CP}_{\textsf{mem}}, \textsf {CP}_u\) be two CP-SNARKs and \(R_{\textsf{mem}}, \mathcal{R}\mathcal{G}_u\) (resp. \(\mathcal {Z}_{\textsf{mem}}, \mathcal {Z}_u\)) be two relation (resp. auxiliary input) generators. If \(\textsf {CP}_{\textsf{mem}}\) is \(\textsf{CP}\text{ }\textsf{poKSND}(\textsf{C}_{\textsf{S}}\bullet \textsf{C}_{u}, R_{\textsf{mem}}, \mathcal {Z}_{\textsf{mem}})\) and \(\textsf {CP}_u\) is \(\textsf{KSND}(\textsf{C}_{u}, \mathcal{R}\mathcal{G}_u, \mathcal {Z}_u)\) then there exists a \(\textsf {CP}^*\) that is \(\textsf{CP}\text{ }\textsf{poKSND}(\textsf{C}_{\textsf{S}}\bullet \textsf{C}_{u}, \mathcal{R}\mathcal{G}^{*}, \mathcal {Z}^{*})\) where \(\mathcal{R}\mathcal{G}^{*}, \mathcal {Z}^{*}\) are as defined in Fig. 1.
In a similar fashion, we can combine an arbitrary relation \(R\) with the relation for non-membership, obtaining the relation \(\bar{R}^*\) defined as:
The next corollary states that we can straightforwardly compose a CP-SNARK for set non-membership with a CP-SNARK for an arbitrary relation on elements in the universe of the set.
Corollary 3.2
(Extending relations with set non-membership) Let \(\textsf{C}_{\textsf{S}}, \textsf{C}_{u}\) be two computationally binding commitment schemes defined over disjoint type sets \(\mathcal {T}_{\textsf{S}}\) and \(\mathcal {T}_u\). Let \(\textsf {CP}_{\textsf{nmem}}, \textsf {CP}_u\) be two CP-SNARKs and \(R_{\textsf{nmem}}, \mathcal{R}\mathcal{G}_u\) (resp. \(\mathcal {Z}_{\textsf{nmem}}, \mathcal {Z}_u\)) be two relation (resp. auxiliary input) generators. If \(\textsf {CP}_{\textsf{nmem}}\) is \(\textsf{CP}\text{ }\textsf{poKSND}(\textsf{C}_{\textsf{S}}\bullet \textsf{C}_{u}, R_{\textsf{nmem}}, \mathcal {Z}_{\textsf{nmem}})\) and \(\textsf {CP}_u\) is \(\textsf{KSND}(\textsf{C}_{u}, \mathcal{R}\mathcal{G}_u, \mathcal {Z}_u)\) then there exists a \(\textsf {CP}^*\) that is \(\textsf{CP}\text{ }\textsf{poKSND}(\textsf{C}_{\textsf{S}}\bullet \textsf{C}_{u}, \mathcal{R}\mathcal{G}^{*}, \mathcal {Z}^{*})\) where \(\mathcal{R}\mathcal{G}^{*}, \mathcal {Z}^{*}\) are as defined in Fig. 1.
3.3.1 CP-SNARKs for set membership from accumulators with proofs of knowledge
As discussed in the introduction, CP-SNARKs for set membership are simply a different lens through which we can approach accumulators that have a protocol for proving in zero-knowledge that a committed value is in the accumulator (i.e., in the set succinctly represented by the accumulator). To strengthen this intuition, in Appendix 2 we formally show that a CP-SNARK for set membership can be constructed from an accumulator scheme that has a zero-knowledge proof for committed values. This allows us to capture existing schemes such as [16, 57].
4 A CP-SNARK for set membership with short parameters
In this section we describe CP-SNARKs for set membership in which the elements of the sets can be committed using a Pedersen commitment scheme defined in a prime order group, and the sets are committed using an RSA accumulator. The advantage of having elements committed with Pedersen in a prime order group is that our CP-SNARKs can be composed with any other CP-SNARK for Pedersen commitments and relations \(R\) that take set elements as inputs. The advantage of committing to sets using RSA accumulators is instead that the public parameters (i.e., the CRS) of the CP-SNARKs presented in this section are short, virtually independent of the size of the sets. Since RSA accumulators are not extractable commitments, the CP-SNARKs presented here are secure in a model where the commitment to the set is assumed to be checked at least once, namely they are knowledge-sound with partial opening of the set commitment.
In a bit more detail, we propose two CP-SNARKs. Our first scheme, called \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\), works for set elements that are arbitrary strings of length \(\eta \), i.e., \(\mathcal {D}_{\textsf{elm}} = \{0, 1\}^{\eta }\), and for sets that are any subset of \(\mathcal {D}_{\textsf{elm}}\), i.e., \(\mathcal {D}_{\textsf{set}} = 2^{\mathcal {D}_{\textsf{elm}}}\). Our second scheme, \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\), instead works for set elements that are prime numbers of exactly \(\mu \) bits, and for sets that are any subset of such prime numbers. This second scheme is a simplified variant of the first one that requires more structure on the set elements (they must be prime numbers) but in exchange offers better efficiency. It is therefore preferable in those applications that can work with prime representatives.
4.1 A high-level overview of our constructions
We provide the main idea behind our scheme, and to this end we use the simpler scheme \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\), in which set elements are prime numbers in \(\left( 2^{\mu-1},2^{\mu } \right) \). The commitment to the set \(P= \{e_1, \ldots , e_{n}\}\) is an RSA accumulator [2, 6] defined as \(\textsf{Acc}= G^{\prod _{e_i \in P} e_i}\) for a random quadratic residue \(G \in \textsf{QR}_N\). The commitment to a set element \(e\) is instead a Pedersen commitment \(c_{e} = g^{e} h^{r_{q}}\) in a group \(\mathbb {G}_{q}\) of prime order \(q\), where \(q\) is of \(\nu \) bits and \(\mu < \nu \). For public commitments \(\textsf{Acc}\) and \(c_{e}\), our scheme allows one to prove in zero-knowledge knowledge of the \(e\) committed in \(c_{e}\) such that \(e\in P\) and \(\textsf{Acc}= G^{\prod _{e_i \in P} e_i}\). A public-coin protocol for this problem was proposed by Camenisch and Lysyanskaya [16]. Their protocol, however, requires various restrictions. For instance, the accumulator must work with primes of at least \(2\lambda \) bits, which slows down accumulation, and the prime order group must have more than \(4 \lambda \) bits (e.g., 512 bits), which is undesirable for efficiency reasons, especially if this prime order group is also used to instantiate further proof systems that create other proofs about the committed element. In our scheme the goal is instead to keep the prime order group of “normal” size (say, \(2\lambda \) bits), so that it can be, for example, a prime order group in which we can efficiently instantiate another CP-SNARK to be composed with our \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\). We also allow flexible choices of the prime size, which can be tuned to the application so that applications working with moderately large sets gain in efficiency. In order to achieve these goals, our idea for creating a membership proof is to compute the following:

An accumulator membership witness \(W = G^{\prod _{e_i \in P{\setminus } \{e\}} e_i}\), and an integer commitment to \(e\) in the RSA group, \(C_{e} = G^{e} H^{r}\), where \(H \in \textsf{QR}_N\).

A ZK proof of knowledge \(\textsf {CP}_{\textsf{Root}}\) of a committed root for \(\textsf{Acc}\), i.e. a proof of knowledge of \(e\) and \(W\) such that \(W^{e} = \textsf{Acc}\) and \(C_{e} = G^{e} H^{r}\). Intuitively, this gives that \(C_{e}\) commits to an integer that is accumulated in \(\textsf{Acc}\) (at this point, however, the integer may be a trivial root, i.e., 1).

A ZK proof \(\textsf {CP}_{\textsf{modEq}}\) that \(C_{e}\) and \(c_{e}\) commit to the same value modulo \(q\).

A ZK proof \(\textsf {CP}_{\textsf{Range}}\) that \(c_{e}\) commits to an integer in the range \(\left( 2^{\mu-1},2^{\mu } \right) \).
From the combination of the above proofs we would like to conclude that the integer committed in \(c_{e}\) is in \(P\). Without further restrictions, however, this may not be the case; in particular, since we do not have a strict bound on the value committed in \(C_{e}\), it may be that the integer committed in \(c_{e}\) is another \(e_{q}\) such that \(e=e_{q}\pmod q\) but \(e\ne e_{q}\) over the integers. In fact, the proof \(\textsf {CP}_{\textsf{Root}}\) does not guarantee that \(C_{e}\) commits to a single prime number \(e\), but only that \(e\) divides \(\prod _{e_i \in P} e_i\); namely, \(e\) might be a product of a few primes in \(P\) or the corresponding negative value, while its residue modulo \(q\) may be some value that is not in the set—what we call a “collision”. We solve this problem by taking into consideration that \(e_{q}\) is guaranteed by \(\textsf {CP}_{\textsf{Range}}\) to be in \(\left( 2^{\mu-1},2^{\mu } \right) \) and by enhancing \(\textsf {CP}_{\textsf{Root}}\) to also prove a bound on \(e\): roughly speaking, \(e < 2^{2\lambda _{s}+ \mu }\) for a statistical security parameter \(\lambda _{s}\). Using this information we develop a careful analysis that bounds the probability that such collisions can happen for a malicious \(e\) (see Sect. 4.3 for more intuition).
In the following section we formally describe the type-based commitment scheme supported by our CP-SNARK, and a collection of building blocks. Then we present the \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\) and \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\) CP-SNARKs in Sects. 4.3 and 4.4 respectively, and finally we give instantiations for some of our building blocks in Sect. 4.5.
Remark 4.1
Although we specifically describe our protocols for RSA groups, they generalize to work over any hidden-order group with slight modifications. See Appendix 4 for details.
4.2 Preliminaries and building blocks
4.2.1 Notation
Given a set \(U= \{u_1,\dots ,u_n\} \subset \mathbb {Z}\) of cardinality n we denote compactly with \(\textsf{prod}_{U} :=\prod _{i=1}^{n} u_i\) the product of all its elements. We use capital letters for elements in an RSA group \(\mathbb {Z}_N^*\), e.g., \(G,H \in \mathbb {Z}_N^*\). Conversely, we use small letters for elements in a prime order group \(\mathbb {G}_q\), e.g., \(g,h \in \mathbb {G}_q\). Following this notation, we denote a commitment in a prime order group as \(c \in \mathbb {G}_q\), while a commitment in an RSA group as \(C \in \mathbb {Z}_N^*\).
4.2.2 Commitment schemes
Our first CP-SNARK, called \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\), is for a family of relations \(R_{\textsf{mem}}: \mathcal {D}_{\textsf{elm}} \times \mathcal {D}_{\textsf{set}}\) such that \(\mathcal {D}_{\textsf{elm}} = \{0, 1\}^{\eta }\), \(\mathcal {D}_{\textsf{set}} = 2^{\mathcal {D}_{\textsf{elm}}}\), and for a type-based commitment scheme that is the canonical composition \(\textsf{SetCom}_{\textsf{RSA}}\bullet \textsf{PedCom}\) of the two commitment schemes given in Fig. 4. \(\textsf{PedCom}\) is essentially a classical Pedersen commitment scheme in a group \(\mathbb {G}_{q}\) of prime order \(q\) such that \(q\in (2^{\nu-1},2^{\nu })\) and \(\eta < \nu \). \(\textsf{PedCom}\) is used to commit to set elements and its type is \(\textsf{t}_{q}\). \(\textsf{SetCom}_{\textsf{RSA}}\) is a (non-hiding) commitment scheme for sets of \(\eta \)-bit strings, built as an RSA accumulator [2, 6] of a set of \(\mu \)-bit primes, each derived from an \(\eta \)-bit string by a deterministic hash function \(\textsf{H}_{\textsf{prime}}: \{0, 1\}^{\eta } \rightarrow \textsf{Primes}\left( 2^{\mu-1},2^{\mu } \right) \). \(\textsf{SetCom}_{\textsf{RSA}}\) is computationally binding under the factoring assumption^{Footnote 16} and the collision resistance of \(\textsf{H}_{\textsf{prime}}\). Its type for sets is \(\textsf{t}_{U}\).
4.2.3 Hashing to primes
The problem of mapping arbitrary values to primes in a collision-resistant manner has been studied in the past, see e.g., [14, 29, 43], and in [40] a method to generate random primes is presented. Although the main idea of our scheme would work with any instantiation of \(\textsf{H}_{\textsf{prime}}\), in order to significantly improve efficiency our construction considers a specific class of \(\textsf{H}_{\textsf{prime}}\) functions that work as follows. Let \(\textsf{H}: \{0, 1\}^{\eta } \times \{0, 1\}^{\iota } \rightarrow \{0, 1\}^{\mu-1}\) be a collision-resistant function, and define \(\textsf{H}_{\textsf{prime}}(u)\) as the function that, starting with \(j=0\), looks for the first \(j \in [0,2^{\iota }-1]\) such that the integer represented by the binary string \(1 \| \textsf{H}(u,j)\) is prime. If it reaches \(j = 2^{\iota }-1\) without finding a prime, it outputs \(\perp \).^{Footnote 17} We consider two main candidates for such a function \(\textsf{H}\) (and thus \(\textsf{H}_{\textsf{prime}}\)):

Pseudorandom function Namely \(\textsf{H}(u,j) :=\textsf{F}_{\kappa }(u,j)\) where \(\textsf{F}_{\kappa }:\{0, 1\}^{\eta + \iota } \rightarrow \{0, 1\}^{\mu-1}\) is a PRF with public seed \(\kappa \) and \(\iota = \lceil \log (\mu \lambda) \rceil \). Due to the density of primes, the corresponding \(\textsf{H}_{\textsf{prime}}\) runs in expected time \(O(\mu )\) and \(\perp \) is returned with probability \(\le \exp(-\lambda ) =\textsf{negl}(\lambda )\).^{Footnote 18} Under the random oracle heuristic, \(\textsf{F}\) can be instantiated with a hash function like SHA-256.

Deterministic map \(\textsf{H}(u,j) :=f(u) + j\) with \(u>2^{\eta 1}\) and \(j \in (f(u), f(u+1))\), where \(f(u) :=2(u+ 2) \log _2(u+1)^{2}\). The corresponding function \(\textsf{H}_{\textsf{prime}}(u)\) is essentially the function that maps to the next prime after \(f(u)\). This function is collisionfree (indeed it requires to take \(\mu > \eta \)) and generates primes that can be smaller (in expectation) than the function above. Cramer’s conjecture implies that the interval \((f(u), f(u+1))\) contains a prime when \(u\) is sufficiently large.
4.2.4 CPNIZK for \(\textsf{H}\) computation and \(\textsf{PedCom}\)
We use a CPNIZK \(\textsf {CP}_{\textsf{HashEq}}\) for the relation \(R_\textsf{HashEq}: \{0, 1\}^{\mu } \times \{0, 1\}^{\eta } \times \{0, 1\}^{\iota }\) defined as
and for the commitment scheme \(\textsf{PedCom}\). Essentially, with this scheme one can prove that two commitments \(c_{e}\) and \(c_{u}\) in \(\mathbb {G}_{q}\) are such that \(c_{e}=g^{e} h^{r_{q}}\), \(c_{u}=g^{u}h^{r_u}\) and there exists j such that \(e=(1 \| \textsf{H}(u, j))\). As it shall become clear in our security proof, we do not have to prove all the iterations of \(\textsf{H}\) until finding j such that \((1 \| \textsf{H}(u, j)) = \textsf{H}_{\textsf{prime}}(u)\) is prime, which saves significantly on the complexity of this CP-NIZK.
4.2.5 Integer commitments
We use a scheme for committing to arbitrarily large integer values in RSA groups introduced by Fujisaki and Okamoto [41] and later improved in [31]. We briefly recall the commitment scheme. Let \(\mathbb {Z}_N^*\) be an RSA group. The commitment key consists of two randomly chosen generators \(G,H \in \mathbb {Z}_N^*\); to commit to any \(x \in \mathbb {Z}\) one chooses randomly an \(r {\leftarrow }{\$}\,[1,N/2]\) and computes \(C \leftarrow G^x H^r\); the verifier checks whether or not \(C = \pm G^x H^r\). This commitment scheme is statistically hiding, as long as G and H lie in the subgroup of \(\mathbb {Z}_N^*\). This can be achieved by setting \(G \leftarrow F^2, H \leftarrow J^2 \in \textsf{QR}(N)\), where F, J are randomly sampled from \(\mathbb {Z}_N^*\). Moreover, it is computationally binding under the assumption that factoring is hard in \(\mathbb {Z}_N^*\). Furthermore, a proof of knowledge of an opening was presented in [31]; its knowledge soundness was based on the strong RSA assumption, and was later found to be reducible to the plain RSA assumption in [25]. We denote this commitment scheme as \(\textsf{IntCom}\).
4.2.6 Strong-RSA accumulators
As observed earlier, our commitment scheme for sets is an RSA accumulator \(\textsf{Acc}\) computed on the set of primes \(P\) derived from \(U\) through the map to primes, i.e., \(P:=\{\textsf{H}_{\textsf{prime}}(s) \mid s \in U\}\). In our construction we use the accumulator's feature for computing succinct membership witnesses, which we recall works as follows. Given \(\textsf{Acc}= G^{\prod _{e_i \in P}e_i} :=G^{\textsf{prod}_P}\), the membership witness for \(e_{k}\) is \(W_k = G^{\prod _{e_i \in P{\setminus } \{e_k\}}e_i}\), which can be verified by checking whether \(W_k^{e_k} = \textsf{Acc}\).
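As an added example covering both the integer commitment of Sect. 4.2.5 and the accumulator just described (example code, not the authors' implementation), the Python program below builds the commitment key \((G,H)\) with \(G = F^2, H = J^2\), commits to integers (negative ones included) with the \(\pm\) verification rule, and then accumulates a set of primes, derives the witness \(W_k\), and runs the verifier's check \(W_k^{e_k} = \textsf{Acc}\). The modulus is a product of two small constructed primes so the example runs instantly; it is not a secure RSA modulus, and the sample primes and seeds are constructed for the example.

```python
import math
import random

# Toy RSA modulus from two constructed primes, chosen so the example runs instantly.
# It is NOT secure: a real setup needs a large modulus whose factorization is discarded.
P_TOY, Q_TOY = 1_000_003, 1_000_033
N = P_TOY * Q_TOY


def keygen(seed=7):
    """Commitment key (G, H) with G = F^2, H = J^2 for random F, J in Z_N^*, so both
    lie in QR(N) as the text requires. The seed is only for reproducibility (assumed)."""
    rng = random.Random(seed)

    def sample_unit():
        while True:
            x = rng.randrange(2, N - 1)
            if math.gcd(x, N) == 1:
                return x

    return pow(sample_unit(), 2, N), pow(sample_unit(), 2, N)


G, H = keygen()


def int_commit(x, r=None, seed=11):
    """IntCom: C = G^x H^r mod N with r drawn from [1, N/2]. Any integer x is allowed;
    a negative x uses the modular inverse of G (Python's pow with a negative exponent)."""
    if r is None:
        r = random.Random(seed).randint(1, N // 2)
    return pow(G, x, N) * pow(H, r, N) % N, r


def int_verify(C, x, r):
    """Opening check: accept C = +G^x H^r or C = -G^x H^r (the verifier's +/- test)."""
    v = pow(G, x, N) * pow(H, r, N) % N
    return C == v or C == (N - v) % N


def accumulate(primes):
    """Acc = G^{prod_P} mod N over the set P of primes (in the scheme, P = {H_prime(s)})."""
    return pow(G, math.prod(primes), N)


def membership_witness(primes, e_k):
    """W_k = G^{product of P without e_k}: an e_k-th root of Acc, computable by whoever knows P."""
    if e_k not in primes:
        raise ValueError("e_k is not in the accumulated set")
    return pow(G, math.prod(p for p in primes if p != e_k), N)


def verify_membership(acc, W, e):
    """Verifier side: W is a valid witness for e iff W^e = Acc (mod N)."""
    return pow(W, e, N) == acc


# Constructed sample primes standing in for P (two 32-bit primes and a Mersenne prime).
SAMPLE_PRIMES = [4294967291, 4294967279, 2147483647]

if __name__ == "__main__":
    acc = accumulate(SAMPLE_PRIMES)
    W = membership_witness(SAMPLE_PRIMES, 4294967279)
    print("member check:", verify_membership(acc, W, 4294967279))
    print("wrong prime: ", verify_membership(acc, W, 65537))
```

The witness computation needs the whole set (it exponentiates by the product of the other primes), while verification needs only \(\textsf{Acc}\), \(W_k\) and \(e_k\); this asymmetry is what makes the witness succinct regardless of \(|P|\).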
4.2.7 Argument of knowledge of a root
We make use of a zero-knowledge non-interactive argument of knowledge of a root of a public RSA group element \(\textsf{Acc}\in \textsf{QR}_N\). This NIZK argument is called \(\textsf {CP}_\textsf{Root}\). More precisely, it takes in an integer commitment to an integer \(e\in \mathbb {Z}\) and then proves knowledge of an \(e\)-th root of \(\textsf{Acc}\), i.e., of \(W=\textsf{Acc}^{\frac{1}{e}}\). More formally, \(\textsf {CP}_\textsf{Root}\) is a NIZK for the relation \(R_\textsf{Root}: (\mathbb {Z}_N^*\times \textsf{QR}_N \times \mathbb {N}) \times (\mathbb {Z}\times \mathbb {Z}\times \mathbb {Z}_N^*)\) defined as
\(R_\textsf{Root}\left( (C_e, \textsf{Acc}, \mu ),(e, r, W) \right) = 1\) iff,
where \(\lambda _{z}\) and \(\lambda _{s}\) are the statistical zero-knowledge and soundness security parameters, respectively, of the protocol \(\textsf {CP}_\textsf{Root}\). \(\textsf {CP}_\textsf{Root}\) is obtained by applying the Fiat–Shamir transform to a public-coin protocol that we propose based on ideas from the protocol of Camenisch and Lysyanskaya for proving knowledge of an accumulated value [16]. In [16], the protocol ensures that the committed integer \(e\) is in a specific range, different from 1 and positive. In our \(\textsf {CP}_\textsf{Root}\) protocol we instead remove these constraints and isolate the portion of the protocol that only proves knowledge of a root. We present the \(\textsf {CP}_\textsf{Root}\) protocol in Sect. 4.5; its interactive public-coin version is knowledge sound under the RSA assumption and statistically zero-knowledge. Finally, we notice that the relation \(R_{\textsf{Root}}\) is defined for statements where \(\textsf{Acc}\in \textsf{QR}_N\), which may not be efficiently checkable given only N if \(\textsf{Acc}\) is adversarially chosen. Nevertheless \(\textsf {CP}_\textsf{Root}\) can be used in larger cryptographic constructions that guarantee \(\textsf{Acc}\in \textsf{QR}_N\) through some extra information, as is the case in our scheme.
4.2.8 Proof of equality of commitments in \(\mathbb {Z}_N^*\) and \(\mathbb {G}_{q}\)
Our last building block, called \(\textsf {CP}_\textsf{modEq}\), proves in zero-knowledge that two commitments, a Pedersen commitment in a prime order group and an integer commitment in an RSA group, open to the same value modulo the prime order \(q= \textsf{ord}(\mathbb {G})\). This is a conjunction of a classic Pedersen \(\varSigma \)-protocol and a proof of knowledge of opening of an integer commitment [31], i.e. for the relation
We present \(\textsf {CP}_\textsf{modEq}\) in Sect. 4.5.
4.3 Our CP-SNARK \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\)
We are now ready to present our CP-SNARK \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\) for set membership. The scheme is fully described in Fig. 5 and makes use of the building blocks presented in the previous section.
The \(\textsf{KeyGen}\) algorithm takes as input the commitment key of \(\textsf{Com}_{1}\) and a description of \(R_{\textsf{mem}}\) and does the following: it samples a random generator \(H {\leftarrow }{\$}\,\textsf{QR}_N\) so that (G, H) define a key for the integer commitment, and generates a CRS \(\textsf{crs}_{\textsf{HashEq}}\) of the \(\textsf {CP}_\textsf{HashEq}\) CP-NIZK.
For generating a proof, the ideas are similar to the ones informally described at the beginning of Sect. 4 for the case when set elements are prime numbers. In order to support sets \(U\) of arbitrary strings the main differences are the following: (i) we use \(\textsf{H}_{\textsf{prime}}\) in order to derive a set of primes \(P\) from \(U\); (ii) given a commitment \(c_{u}\) to an element \(u\in \{0, 1\}^{\eta }\), we commit to \(e= \textsf{H}_{\textsf{prime}}(u)\) in \(c_{e}\); (iii) we use the previously mentioned ideas to prove that \(c_{e}\) commits to an element in \(P\) (that is correctly accumulated), except that we replace the range proof \(\pi _{\textsf{Range}}\) with a proof \(\pi _\textsf{HashEq}\) that \(c_{u}\) and \(c_{e}\) commit to \(u\) and \(e\) respectively, such that \(\exists j: e= (1 \| \textsf{H}(u,j))\).
Remark 4.2
(On the support of larger \(\eta \)) In order to commit to a set element \(u\in \{0, 1\}^{\eta }\) with the \(\textsf{PedCom}\) scheme we require \(\eta < \nu \). This condition is actually used for ease of presentation. It is straightforward to extend our construction to the case \(\eta \ge \nu \), in which case every \(u\) should be split in blocks of less than \(\nu \) bits that can be committed using the vector Pedersen commitment (Fig. 4).
The correctness of \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\) can be checked by inspection: essentially, it follows from the correctness of all the building blocks and the condition that \(\eta , \mu < \nu \). For succinctness, we observe that the commitments \(C_{U}, c_{u}\) and all three proofs have size that does not depend on the cardinality of the set \(U\), which is the only portion of the witness whose size is not a priori fixed.
4.3.1 Proof of security
Recall that the goal is to prove in ZK that \(c_{u}\) is a commitment to an element \(u\in \{0, 1\}^{\eta }\) that is in a set \(U\) committed in \(C_{U}\). Intuitively, we obtain the security of our scheme from the conjunction of proofs for the relations \(R_\textsf{Root}, R_\textsf{modEq}\) and \(R_\textsf{HashEq}\): (i) \(\pi _{\textsf{HashEq}}\) gives us that \(c_{e}\) commits to \(e_{q}= (1 \| \textsf{H}(u,j))\) for some j and for the \(u\) committed in \(c_{u}\). (ii) \(\pi _{\textsf{modEq}}\) gives us that \(C_{e}\) commits to an integer \(e\) such that \(e\bmod q= e_{q}\) is committed in \(c_{e}\). (iii) \(\pi _{\textsf{Root}}\) gives us that the integer \(e\) committed in \(C_{e}\) divides \(\textsf{prod}_{P}\), where \(C_{U} = G^{\textsf{prod}_{P}}\) with \(P= \{ \textsf{H}_{\textsf{prime}}(u_i): u_{i} \in U\}\).
By combining these three facts we would like to conclude that \(e_{q}\in P\), which, together with \(\pi _{\textsf{HashEq}}\), should also guarantee \(u\in U\). A first problem to analyze, however, is that for \(e\) we do not have the guarantee of a strict bound in \(\left( 2^{\mu - 1},2^{\mu } \right) \); so it may in principle occur that \(e=e_{q}\pmod q\) but \(e\ne e_{q}\) over the integers. Indeed, the relation \(R_{\textsf{Root}}\) does not guarantee us that \(e\) is a single prime number, but only that \(e\) divides the product of primes accumulated in \(C_{U}\). Even assuming the hardness of Strong RSA, \(e\) may still be the product of a few primes in \(P\), or even a negative integer. We expose a simple attack that could arise from this: an adversary can find a product of primes from the set \(P\), call it \(e\), such that \(e=e_{q}\pmod q\) but \(e\ne e_{q}\) over the integers. Since \(e\) is a legitimate product of members of \(P\), the adversary can efficiently compute the \(e\)-th root of \(C_{U}\) and provide a valid \(\pi _\textsf{Root}\) proof. This is what we informally call a “collision”. Another simple attack would be that an adversary takes a single prime \(e\) and then commits to its opposite \(e_{q}\leftarrow -e\bmod q\) in the prime order group. Again, since \(e\in P\) the adversary can efficiently compute the \(e\)-th root of \(C_{U}\), \(W^{e}= C_{U}\), and then the corresponding \((-e)\)-th root of \(C_{U}\), \(\left( W^{-1} \right) ^{-e} = C_{U}\). This is a second type of attack achieving what we called a “collision”. With a careful analysis we show that, with appropriate parameters, the probability that such collisions occur is either 0 or negligible.
One key observation is that \(R_\textsf{Root}\) does guarantee a lower and an upper bound, \(-2^{\lambda _{z}+ \lambda _{s}+ \mu + 2}\) and \(2^{\lambda _{z}+ \lambda _{s}+ \mu + 2}\) respectively, for the \(e\) committed in \(C_{e}\). From these bounds (and from \(e\mid \textsf{prod}_{P}\)) we get that an adversarial \(e\) can be the product of at most \(d = 1 + \lfloor \frac{\lambda _{z}+ \lambda _{s}+ 2}{\mu }\rfloor \) primes in \(P\) (or the negative of such a product). Then, if \(2^{d\mu } \le 2^{\nu - 2} < q\), i.e. \(d \mu + 2 \le \nu \), we get that \(e< 2^{d\mu } < q\). In case \(e>0\), since \(q\) is prime, \(e= e_{q}\bmod q\wedge e< q\) implies that \(e= e_{q}\) over \(\mathbb {Z}\), namely no collision can occur at all. In the other case \(e<0\) we have \(e> -2^{d \mu }\), and \(e= e_{q}\pmod q\) implies \(e= -q+e_{q}< -2^{\nu - 1}+2^{\mu } < -2^{\nu - 1}+2^{\nu - 2}=-2^{\nu - 2}\). Therefore, \(-2^{d \mu }<-2^{\nu - 2}\), which is a contradiction since we assumed \(d \mu +2 \le \nu \). So this type of collision cannot happen.
If on the other hand we are in a parameter setting where \(d \mu > \nu - 2\), we give a concrete bound on the probability that such collisions occur. More precisely, for this case we need to assume that the integers returned by \(\textsf{H}\) are random, i.e., \(\textsf{H}\) is a random oracle, and we also use the implicit fact that \(R_\textsf{HashEq}\) guarantees that \(e_{q}\in \left( 2^{\mu - 1},2^{\mu } \right) \). Then we give a concrete bound on the probability that the product of d out of \(\textsf{poly}(\lambda )\) random primes lies in the specific range \(\left( 2^{\mu - 1},2^{\mu } \right) \), which turns out to be negligible when d is constant and \(2^{\mu - \nu }\) is negligible.
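To make the two parameter regimes concrete, here is an added Python example (not from the paper or its library) that computes \(d\) from the \(\textsf{CP}_\textsf{Root}\) bound, tests the condition \(d\mu + 2 \le \nu\), and, for toy parameters only, enumerates the signed products of up to \(d\) primes that reduce modulo \(q\) into \(\left(2^{\mu-1}, 2^{\mu}\right)\), i.e. the collisions just described. The toy primes and group orders are constructed for the example; the exhaustive search is a sanity check that is only feasible at such sizes.

```python
import math
from itertools import combinations


def max_primes_in_e(lambda_z, lambda_s, mu):
    """d = 1 + floor((lambda_z + lambda_s + 2) / mu): the largest number of mu-bit primes
    whose product still respects the |e| < 2^(lambda_z + lambda_s + mu + 2) bound of CP_Root."""
    return 1 + (lambda_z + lambda_s + 2) // mu


def collision_free_regime(lambda_z, lambda_s, mu, nu):
    """True iff d*mu + 2 <= nu: the setting of Theorem 4.1, where e < q forces e = e_q over Z
    and a negative e is contradictory, so no collision can occur."""
    d = max_primes_in_e(lambda_z, lambda_s, mu)
    return d * mu + 2 <= nu


def find_collisions(primes, q, mu, d):
    """Exhaustively list signed products e of up to d distinct primes (a positive product must
    have at least 2 factors to differ from a single prime) such that e mod q lands in
    (2^(mu-1), 2^mu): exactly the 'collision' integers discussed in the text.
    Returns (e, e mod q) pairs; feasible only for toy parameter sizes."""
    lo, hi = 1 << (mu - 1), 1 << mu
    hits = []
    for j in range(1, d + 1):
        for combo in combinations(primes, j):
            prod = math.prod(combo)
            for e in ((-prod,) if j == 1 else (prod, -prod)):
                if lo < e % q < hi:
                    hits.append((e, e % q))
    return hits


# Constructed toy instance: five 8-bit primes (mu = 8) and d = 2.
TOY_PRIMES = [131, 137, 139, 149, 151]
Q_LARGE = 524287    # 2^19 - 1, so nu = 19 and d*mu + 2 = 18 <= 19 (Theorem 4.1 regime)
Q_SMALL = 509       # nu = 9, so d*mu + 2 = 18 > 9 (collisions only ruled out probabilistically)

if __name__ == "__main__":
    print("d for (lambda_z, lambda_s, mu) = (80, 80, 32):", max_primes_in_e(80, 80, 32))
    print("collisions with nu = 19:", find_collisions(TOY_PRIMES, Q_LARGE, 8, 2))
    print("collisions with nu = 9: ", find_collisions(TOY_PRIMES, Q_SMALL, 8, 2)[:3])
```

With \(q = 2^{19}-1\) every product of two 8-bit primes is below \(q\) and every negated value reduces to something far above \(2^{8}\), so the list is empty, matching the argument above; with \(q = 509\) the product \(131 \cdot 137\) already reduces to 132, an integer inside \((2^{7}, 2^{8})\).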
Since the requirements of security are slightly different according to the setting of parameters mentioned above, we state two separate theorems, one for each case.
Theorem 4.1
Let \(\textsf{PedCom}\), \(\textsf{SetCom}_{\textsf{RSA}}\) and \(\textsf{IntCom}\) be computationally binding commitments, \(\textsf {CP}_\textsf{Root}\), \(\textsf {CP}_\textsf{modEq}\) and \(\textsf {CP}_\textsf{HashEq}\) be knowledge-sound NIZK arguments, and assume that the Strong RSA assumption holds and that \(\textsf{H}\) is collision resistant. If \(d \mu + 2 \le \nu \), then \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\) is knowledge-sound with partial opening of the set commitments \(C_{U}\).
Theorem 4.2
Let \(\textsf{PedCom}\), \(\textsf{SetCom}_{\textsf{RSA}}\) and \(\textsf{IntCom}\) be computationally binding commitments, \(\textsf {CP}_\textsf{Root}\), \(\textsf {CP}_\textsf{modEq}\) and \(\textsf {CP}_\textsf{HashEq}\) be knowledge-sound NIZK arguments, and assume that the Strong RSA assumption holds and that \(\textsf{H}\) is collision resistant. If \(d \mu + 2 > \nu \), \(d = O(1)\) is a small constant, \(2^{\mu - \nu } \in \textsf{negl}(\lambda )\) and \(\textsf{H}\) is modeled as a random oracle, then \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\) is knowledge-sound with partial opening of the set commitments \(C_{U}\).
Remark 4.3
It is worth noting that Theorem 4.2, where we assume \(\textsf{H}\) to be a random oracle, requires a random oracle assumption stronger than usual; this has to do with the fact that, while we assume \(\textsf{H}\) to be a random oracle, we also assume that \(\textsf {CP}_\textsf{modEq}\) can create proofs about correct computations of \(\textsf{H}\). Similar assumptions have been considered in previous works, see, e.g., [71, Remark 2].
Finally, we state the theorem about the zero-knowledge of \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\).
Theorem 4.3
Let \(\textsf{PedCom}\), \(\textsf{SetCom}_{\textsf{RSA}}\) and \(\textsf{IntCom}\) be statistically hiding commitments, and \(\textsf {CP}_\textsf{Root}\), \(\textsf {CP}_\textsf{modEq}\) and \(\textsf {CP}_\textsf{HashEq}\) be zero-knowledge arguments. Then \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\) is zero-knowledge.
Proof
(Sketch) The proof is rather straightforward, so we only provide a sketch. We define the simulator \(\mathcal {S}\) that takes as input \((\textsf{crs},C_{U},c_{u})\) and does the following:

Parses \(\textsf{crs}:=(N,G,H, \textsf{H}_{\textsf{prime}}, \mathbb {G}_q,g,h, \textsf{crs}_{\textsf{HashEq}})\), from which it computes the corresponding \(\textsf{crs}_{\textsf{Root}} :=(N,G,H)\) and \(\textsf{crs}_{\textsf{modEq}} :=(N,G,H,\mathbb {G}_q,g,h) \).

Samples at random \(C_{e}^* {\leftarrow }{\$}\,\mathbb {Z}_N^*\) and \(c_{e}^* {\leftarrow }{\$}\,\mathbb {G}_q\).

Invokes \(\mathcal {S}_{\textsf{Root}}(\textsf{crs}_{\textsf{Root}},C_e^*,C_{U})\), \(\mathcal {S}_{\textsf{modEq}}(\textsf{crs}_\textsf{modEq},C_{e}^*,c_{e}^*)\) and \(\mathcal {S}_{\textsf{HashEq}}(\textsf{crs}_{\textsf{HashEq}},c_{e}^*,c_{u})\), the corresponding simulators of \(\textsf {CP}_{\textsf{Root}}\), \(\textsf {CP}_{\textsf{modEq}}\) and \(\textsf {CP}_{\textsf{HashEq}}\) respectively. They output the simulated proofs \(\pi _{\textsf{Root}}^*\), \(\pi _{\textsf{modEq}}^*\) and \(\pi _{\textsf{HashEq}}^*\) respectively.

\(\mathcal {S}\) outputs \((C_{e}^*,c_{e}^*,\pi _{\textsf{Root}}^*,\pi _{\textsf{modEq}}^*,\pi _{\textsf{HashEq}}^*)\).
Let \(\pi :=(C_e,c_{e}, \pi _{\textsf{Root}},\pi _{\textsf{modEq}},\pi _{\textsf{HashEq}}) \leftarrow \textsf{Prove}(\textsf{crs}, (C_{U}, c_{u}), (U, u),(\varnothing , r_{u}))\) be the output of a real proof. Since \(\textsf{IntCom}\) and \(\textsf{PedCom}\) are statistically hiding, \(C_{e}^*\) and \(c_{e}^*\) are indistinguishable from \(C_e\) and \(c_{e}\) resp. Finally, since \(\textsf {CP}_{\textsf{Root}}\), \(\textsf {CP}_{\textsf{modEq}}\) and \(\textsf {CP}_{\textsf{HashEq}}\) are zero-knowledge arguments, \(\pi _{\textsf{Root}}^*\), \(\pi _{\textsf{modEq}}^*\) and \(\pi _{\textsf{HashEq}}^*\) are indistinguishable from \(\pi _{\textsf{Root}}\), \(\pi _{\textsf{modEq}}\) and \(\pi _{\textsf{HashEq}}\) resp. \(\square \)
4.3.2 Notation
We introduce some notation that eases the exposition of our proofs. Let \(U= \{u_1,\dots ,u_n\} \subset \mathbb {Z}\) be a set of cardinality n. We denote by \(\textsf{prod}\) a product of (an arbitrary number of) elements of \(U\), \(\textsf{prod}= \prod _{i \in I}u_i\), for some \(I \subseteq [n]\). Furthermore, \(\Pi _U= \{\textsf{prod}_1,\dots , \textsf{prod}_{2^n-1}\}\) is the set of all possible products and, more specifically, \(\Pi _{U,d} \subseteq \Pi _U\) denotes the set of possible products of exactly d elements of \(U\), \(|I|=d\), while for the degenerate case \(d > n\) we define \(\Pi _{U,d}= \emptyset \). We note that \(|\Pi _{U,d}| = \left( {\begin{array}{c}n\\ d\end{array}}\right) \) (except for the degenerate case, where \(|\Pi _{U,d}| =0\)). For convenience, in the special case of \(\textsf{prod}\in \Pi _{U,|U|}\), i.e. the (unique) product of all elements of \(U\), we will simply write \(\textsf{prod}_U\). Finally, for \(J \subseteq [n]\) we let \(\Pi _{U,J} = \cup _{j \in J}\Pi _{U,j}\); for example \(\Pi _{U,[1,\dots ,d]} = \cup _{j=1}^d\Pi _{U,j}\) is the set of all possible products of up to d elements of \(U\). For all of the above we also denote with “−” the corresponding set of opposite elements, e.g. \(-\Pi _U= \{-\textsf{prod}_1,\dots , -\textsf{prod}_{2^n-1}\}\).
Proof of Theorem 4.1
Let \(\mathcal {P}^*\) be a malicious prover, i.e. a PPT adversary against Knowledge Soundness with Partial Opening (see the definition in Sect. 2.6), that on input \((\textsf{ck}, R_{\textsf{mem}}, \textsf{crs}, \textsf{aux}_{R}, \textsf{aux}_{Z})\) outputs \(\left( C_{U}, c_{u}, U, \pi \right) \) such that the verifier \(\mathcal {V}\) accepts, i.e. \( \textsf{VerProof}(\textsf{crs}, (C_{U}, c_{u}), \pi )= 1\) and \(\textsf{VerCommit}(\textsf{ck}, \textsf{t}_{U}, C_{U}, U, \varnothing )=1\), with non-negligible probability \(\epsilon \). We will construct a PPT extractor \(\mathcal {E}\) that on the same input outputs a partial witness \((u,r_{q})\) such that \(R_{\textsf{mem}}(U,u)=1 \wedge \textsf{VerCommit}(\textsf{ck}, \textsf{t}_{q}, c_{u}, u, r_{q})=1\).
For this we rely on the Knowledge Soundness of the \(\textsf {CP}_\textsf{Root}, \textsf {CP}_\textsf{modEq}\) and \(\textsf {CP}_\textsf{HashEq}\) protocols. \(\mathcal {E}\) parses \(\pi :=(C_e,c_{e}, \pi _{\textsf{Root}},\pi _{\textsf{modEq}},\pi _{\textsf{HashEq}})\) and \(\textsf{crs}:=(N,G,H, \textsf{H}_{\textsf{prime}}, \mathbb {G}_q,g,h, \textsf{crs}_{\textsf{HashEq}})\), from which it computes the corresponding \(\textsf{crs}_{\textsf{Root}} :=(N,G,H)\) and \(\textsf{crs}_{\textsf{modEq}} :=(N,G,H,\mathbb {G}_q,g,h) \). Then it constructs an adversary \(\mathcal {A}_{\textsf{Root}}\) against the Knowledge Soundness of \(\textsf {CP}_\textsf{Root}\) that outputs \((C_e, C_{U}, \mu ,\pi _{\textsf{Root}})\). Clearly, since \(\mathcal {V}\) accepts \(\pi \) it also accepts \(\pi _{\textsf{Root}}\), i.e., \(\textsf {CP}_{\textsf{Root}}.\textsf{VerProof}(\textsf{crs}_{\textsf{Root}},(C_{e}, C_{U}, \mu ), \pi _{\textsf{Root}})=1\). From the Knowledge Soundness of \(\textsf {CP}_{\textsf{Root}}\) we know that there is an extractor \(\mathcal {E}_{\textsf{Root}}\) that outputs \((e,r,W)\) such that \(C_{e}=\pm G^{e}H^r \pmod N \wedge W^{e}= C_{U} \pmod N \wedge |e| < 2^{\lambda _{z}+ \lambda _{s}+\mu + 2}\). Similarly, \(\mathcal {E}\) constructs adversaries \(\mathcal {A}_{\textsf{modEq}}\) and \(\mathcal {A}_{\textsf{HashEq}}\) against the protocols \(\textsf {CP}_{\textsf{modEq}}\) and \(\textsf {CP}_{\textsf{HashEq}}\) respectively, and likewise there are extractors \(\mathcal {E}_{\textsf{modEq}}\) and \(\mathcal {E}_{\textsf{HashEq}}\) that output \((e',e_{q},r',r_{q})\) such that \(e' = e_{q}\pmod q\wedge C_{e}=\pm G^{e'}H^{r'} \pmod N \wedge c_{e} = g^{e_{q}\bmod q}h^{r_{q}\bmod q} \) and \((e_{q}',u,r_{q}', r_{u},j)\) such that \(c_{e}=g^{e_{q}'}h^{r_{q}'} \wedge e_{q}' = (1 \| \textsf{H}(u, j))\) respectively.
From the binding property of the integer commitment scheme we get that \(e=e'\) and \(r = r'\) (over the integers), except with negligible probability. Similarly, from the binding property of the Pedersen commitment scheme we get that \(e_{q}=e_{q}' \pmod q\) and \(r_{q}= r_{q}' \pmod q\), except with negligible probability. So, putting everything together, the extracted values are \((e,r,W,e_{q},r_{q},u,r_{u},j)\) such that:
and additionally
From \(\textsf{VerCommit}(\textsf{ck}, \textsf{t}_{U}, C_{U}, U, \varnothing )=1\) we infer that \(C_{U} = G^{\textsf{prod}_{P}}\), where \(P:=\{ \textsf{H}_{\textsf{prime}}(u) \mid u\in U\} \). From the strong RSA assumption, since \(W^{e}= C_{U} = G^{\textsf{prod}_{P}} \pmod N\), we get \(e\in \Pi _{P}\) or \(e\in -\Pi _{P}\), except with negligible probability (see Appendix 2).
Since all the elements of \(P\) are outputs of \(\textsf{H}_{\textsf{prime}}\), they have exactly bit-length \(\mu \), that is \(2^{\mu - 1}< e_i < 2^{\mu }\) for each \(e_i \in P\). This means that \(e\) is a (\(\pm \)) product of \(\mu \)-sized primes. Let \(e\) be a product of \(\ell \) primes, meaning that \(2^{\ell (\mu - 1)}< |e| < 2^{\ell \mu }\), and \(d :=\lfloor \frac{ \lambda _{z}+ \lambda _{s}+\mu + 2}{\mu } \rfloor \). From \(|e| < 2^{\lambda _{z}+ \lambda _{s}+\mu + 2}\) we get that \(2^{\ell \mu }< 2^{\lambda _{z}+ \lambda _{s}+\mu + 2} \Rightarrow \ell < d\), which means that \( e\in \Pi _{P,[1,\dots ,d]}\) or \( e\in -\Pi _{P,[1,\dots ,d]}\) (i.e. \(e\) is a (\(\pm \)) product of at most d primes).
First we show that \(e\in \Pi _{P}\), i.e., that \(e\) cannot be negative. Let \(e\in -\Pi _{P,[1,\dots ,d]}\). We use the fact that \(e= e_{q}\pmod q\), so \(e\le -q+e_{q}< -2^{\nu - 1}+2^{\mu } < -2^{\nu - 1}+2^{\nu - 2}=-2^{\nu - 2} \). Since \(-2^{d \mu }<e\) this leads to \(-2^{d \mu } < -2^{\nu - 2}\), which contradicts the assumption \(d \mu +2 \le \nu \) (we used the fact that \(e_{q}= (1 \| \textsf{H}(u, j))\) to conclude that \(2^{\mu - 1}< e_{q}< 2^{\mu }\), which comes from the definition of \(\textsf{H}\)). So \(e> 0\), i.e., \( e\in \Pi _{P,[1,\dots ,d]}\).
Recall that \(e< 2^{d \mu }\). The assumption \(d \mu + 2 \le \nu \) then gives \(e< 2^{d \mu }< 2^{\nu - 2}<q\), i.e., \(e< q\). Since \(e= e_{q}\pmod q\) and \(e< q\), this means that \(e= e_{q}\) over the integers. Again we use the fact that \(e_{q}= (1 \| \textsf{H}(u, j))\) to conclude that \(2^{\mu - 1}< e_{q}< 2^{\mu }\), which comes from the definition of \(\textsf{H}\); combined with \(e= e_{q}\) we get that \(2^{\mu - 1}< e< 2^{\mu }\). The last fact means that \(e\in \Pi _{P,\{1\}}\) (i.e. \(e\) is exactly one prime from \(P\)), since otherwise it would exceed \(2^{\mu }\); so \(e\in P\).
Finally, \(e= e_{q}= (1 \| \textsf{H}(u, j)) = \textsf{H}_{\textsf{prime}}(u) \in P= \{\textsf{H}_{\textsf{prime}}(u_1),\dots ,\textsf{H}_{\textsf{prime}}(u_n)\}\), where \(U:=\{u_1,\dots ,u_n\}\). This means that there is an i such that \(\textsf{H}_{\textsf{prime}}(u) = \textsf{H}_{\textsf{prime}}(u_i)\). From the collision resistance of \(\textsf{H}_{\textsf{prime}}\) we infer that \(u= u_i\). So we conclude that \(u\in U\), i.e. \(R_{\textsf{mem}}(U,u) = 1\), and as shown above \(\textsf{VerCommit}(\textsf{ck},\textsf{t}_{q},c_{u},u,r_{u})=1\). \(\square \)
4.3.3 Collision finding analysis
For the second theorem we cannot count on the condition \(d \mu + 2 \le \nu \) that ensures that the extracted integer \(e\) lies inside \([0,q-1]\). As explained above, we can only rely on the randomness of each prime to avoid the described “collisions”. First, we formally define what a “collision” is through a probabilistic experiment, \(\textsf{CollisionFinding}\), and then we compute a concrete bound for the probability that this event happens, i.e. the experiment outputs 1. Finally, we state a theorem that shows this probability is asymptotically negligible under the assumption that \(2^{\mu - \nu }\) is a negligible value (and d is a constant).
Lemma 4.1
Let \(\mathbb {G}_{q}\) be a prime order group of order \(q\in \left( 2^{\nu - 1}, 2^{\nu } \right) \) and \(\mu \) such that \(\mu < \nu \). Then \(Pr[\textsf{CollisionFinding}(\mu ,d,\mathbb {G}_{q},n)=1] \le 2 \cdot \sum _{j=2}^d \frac{\left( {\begin{array}{c}n\\ j\end{array}}\right) 2^{(j+1)\mu - j \nu } (2^j-1)}{\frac{2^{j\mu - j}}{(\mu - 1)^j} - \left( {\begin{array}{c}n\\ j\end{array}}\right) }\).
Proof
First we will prove it for positive products, that is we bound the probability
\(Pr[\textsf{CollisionFinding}(\mu ,d,\mathbb {G}_{q},n)=1 \mid \textsf{prod}\in \Pi _{P,[2,d]}]\). Let \(\textsf{prod}= q_1 \cdots q_j\) be a product of exactly j primes for some \(2 \le j \le d\). Since \(q_i \in \left( 2^{\mu - 1},2^{\mu } \right) \) we get \(\textsf{prod}=q_1 \cdots q_j \in \left( 2^{j\mu - j},2^{j \mu } \right) \). Also \(\mathbb {Z}_q^*\) is cyclic, so we know that at most
integers in \(\left( 2^{j\mu j},2^{j \mu } \right) \) are equal to c modulo \(q\), for any \(c \in \{0,1,...,q1\}\).
We are interested in the interval \(\left( 2^{\mu - 1},2^{\mu } \right) \) modulo \(q\). From the previous we get that at most \(2^{j\mu - j \nu +1} \cdot (2^j-1) \cdot \left| \left( 2^{\mu - 1}, 2^{\mu } \right) \right| = 2^{j\mu - j \nu +1} \cdot (2^j-1) \cdot 2^{\mu - 1}= 2^{(j+1)\mu - j \nu } (2^j-1)\) integers in the range \(\left( 2^{j\mu - j},2^{j \mu } \right) \) are “winning” integers for the adversary, meaning that after reduction modulo \(q\) they are mapped to the winning interval \(\left( 2^{\mu - 1},2^{\mu } \right) \).
From the distribution of primes we know that the number of primes in \(\left( 2^{\mu - 1},2^{\mu } \right) \) is approximately \(\frac{2^{\mu - 1}}{\mu - 1}\). So there are (approximately) \( \left( \frac{2^{\mu - 1}}{\mu - 1} \right) ^j =\frac{2^{j\mu - j}}{(\mu - 1)^j}\) different products of j primes from \(\textsf{Primes}\left( 2^{\mu - 1},2^{\mu } \right) \) in \(\left( 2^{j\mu - j},2^{j \mu } \right) \).
This leads us to the combinatorial experiment of choosing among \(B=\frac{2^{j \mu - j}}{(\mu - 1)^j}\) “balls”, with \(T=2^{(j+1)\mu - j \nu } (2^j-1)\) “targets” and \(X = \left( {\begin{array}{c}n\\ j\end{array}}\right) \) “tries” without replacement, where “balls” are all possible products, “targets” are the ones that go to \(\left( 2^{\mu - 1},2^{\mu } \right) \) modulo \(q\) (the winning ones) and tries are the number of products (for a fixed j) that the adversary can try. The “without replacement” comes from the fact that all products are different. The final winning probability is:
By applying the union bound for all j’s we get:
By using the same arguments for negative products we would conclude that
Therefore
\(\square \)
Theorem 4.4
Let \(\mathbb {G}_q\) be a prime order group of order \(q\in \left( 2^{\nu - 1}, 2^{\nu } \right) \), \(\mu \) such that \(2^{\mu - \nu } \in \textsf{negl}(\lambda )\), d constant and \(n = \textsf{poly}(\lambda )\). Then \(Pr[\textsf{CollisionFinding}(\mu ,d,\mathbb {G}_q,n)=1] \in \textsf{negl}(\lambda )\).
Proof
Now \(n = \textsf{poly}(\lambda )\), so the set \(P\) is polynomially bounded. By Lemma 4.1 it is straightforward that \(Pr[\textsf{CollisionFinding}(\mu ,d,\mathbb {G}_q,n)=1] \le \sum _{j=2}^d \frac{\left( {\begin{array}{c}n\\ j\end{array}}\right) 2^{(j+1)\mu - j \nu } (2^j-1)}{\frac{2^{j\mu - j}}{(\mu - 1)^j} - \left( {\begin{array}{c}n\\ j\end{array}}\right) }\). Since d is constant, for any \(j \in [2,d]\) we have \(\left( {\begin{array}{c}n\\ j\end{array}}\right) = O(n^j)\) and we get:
\(O(n^j) (2^j-1)(\mu - 1)^j = \textsf{poly}(\lambda )\) and \(\frac{O(n^j)(\mu - 1)^j}{2^{(j+1)\mu - j \nu }} = \textsf{negl}(\lambda )\). Also \(\frac{2^{j\mu - j}}{2^{(j+1)\mu - j \nu }} = 2^{\nu - \mu }\), therefore for each j we get a probability bounded by \(\frac{\textsf{poly}(\lambda )2^{\mu - \nu }}{1 - \textsf{negl}(\lambda )2^{\mu - \nu }} = \textsf{negl}(\lambda )\) by assumption.
Finally, \(Pr[\textsf{CollisionFinding}(\mu ,d,\mathbb {G}_q,n)=1] \le (d-1) \cdot \textsf{negl}(\lambda ) = \textsf{negl}(\lambda )\). \(\square \)
Remark 4.4
For the sake of generality, in \(\textsf{CollisionFinding}\) we do not specify how the random primes are generated. In practice in our scheme they are outputs of the hash function \(\textsf{H}_{\textsf{prime}}\) that we model as a random oracle.
Now we are ready to give the proof of Theorem 4.2:
Proof of Theorem 4.2
The proof is almost the same as the one of Theorem 4.1 except for the next-to-last paragraph, i.e. the justification of \(e\in \Pi _{P,\{1\}} \). Since \(d \mu + 2 > \nu \) we cannot use the same arguments to conclude it. However, we still have \(e\in \left( \Pi _{P,[1,\dots , d]} \cup -\Pi _{P,[1,\dots , d]} \right) \).
Let \(e\in \left( \Pi _{P,[1,\dots , d]} \cup -\Pi _{P,[1,\dots , d]} \right) \); it is straightforward to reduce this case to the collision finding problem. Assume that the adversary \(\mathcal {P}^*\) made \(q_{\textsf{H}}\) random oracle queries to \(\textsf{H}\) and let \(Q_{\textsf{H}}\) be the set of answers she received. Further assume that exactly \(q_{\textsf{H}_{\textsf{prime}}}\) of them are primes and let \(Q_{\textsf{H}_{\textsf{prime}}}\) be the set of them. We note that \(P\subseteq Q_{\textsf{H}_{\textsf{prime}}}\), unless a collision happened in \(\textsf{H}\).
Now let \(Q_{\textsf{H}_{\textsf{prime}}}\) be the set of primes of the \(\textsf{CollisionFinding}(\mu ,d,\mathbb {G}_q,|Q_{\textsf{H}_{\textsf{prime}}}|)\) experiment. It satisfies all three conditions, since each \(e_i \in Q_{\textsf{H}_{\textsf{prime}}}\) is an output of \(\textsf{H}_{\textsf{prime}}\): therefore \(e_i\) is prime, \(2^{\mu - 1}< e_i < 2^{\mu }\), and since \(\textsf{H}\) is modeled as a random oracle the outputs of \(\textsf{H}_{\textsf{prime}}\) are uniformly distributed in \(\textsf{Primes}\left( 2^{\mu - 1},2^{\mu } \right) \). Then for the extracted \(e\), we know that \(e= e_{q}\pmod q\in \left( 2^{\mu - 1},2^{\mu } \right) \) and from the assumption \(e\in \left( \Pi _{P,[1,\dots , d]} \cup -\Pi _{P,[1,\dots , d]} \right) \), which (as noted above) means that \(e\in \left( \Pi _{Q_{\textsf{H}_{\textsf{prime}}},[2,\dots ,d]} \cup -\Pi _{Q_{\textsf{H}_{\textsf{prime}}},[2,\dots ,d]} \right) \). So \(\textsf{CollisionFinding}(\mu ,d,\mathbb {G}_{q},|Q_{\textsf{H}_{\textsf{prime}}}|) = 1\). Since the adversary is PPT, \(|Q_{\textsf{H}_{\textsf{prime}}}| = \textsf{poly}(\lambda )\). Also, \(d = O(1)\) and \(2^{\mu - \nu } \in \textsf{negl}(\lambda )\) (from the assumptions of the theorem), so the previous happens with negligible probability according to Theorem 4.4. So we conclude that, except with negligible probability, \(e\in \Pi _{P,\{1\}} \). \(\square \)
4.4 Our CP-SNARK for set membership for sets of primes
In this section we show a CP-SNARK for set membership \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\) that supports set elements that are prime numbers of exactly \(\mu \) bits, i.e., \(\mathcal {D}_{\textsf{elm}} = \textsf{Primes}(2^{\mu - 1}, 2^{\mu })\), and \(\mathcal {D}_{\textsf{set}} = 2^{\mathcal {D}_\textsf{elm}}\). \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\) works for a type-based commitment scheme \(\textsf{Com}_{2}\) that is the canonical composition \(\textsf{SetCom}_{\mathsf {RSA'}}\bullet \textsf{PedCom}\) where \(\textsf{SetCom}_{\mathsf {RSA'}}\) is in Fig. 6 (it is essentially a simplification of \(\textsf{SetCom}_{\textsf{RSA}}\) since elements are already primes).
The scheme \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\) is described in Fig. 7. Its building blocks are the same as the ones for \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\) except that, instead of a CP-NIZK for proving correctness of a map-to-prime computation, we use a CP-NIZK for range proofs. Namely, we let \(\textsf {CP}_\textsf{Range}\) be a NIZK for the following relation on \(\textsf{PedCom}\) commitments \(c\) and two given integers \(A<B\):
The idea behind the security of the scheme is similar to the one of the \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\) scheme. The main difference is that here we rely on the range proof \(\pi _{\textsf{Range}}\) in order to “connect” the Pedersen commitment \(c_{e}\) to the accumulator. In particular, in order to argue the absence of possible collisions, here we assume that \(d \mu + 2 \le \nu \) holds, namely we argue security only for this setting of parameters. It is worth noting that in applications where \(\textsf {D}_{\textsf{elm}}\) is a randomly chosen subset of \(\textsf{Primes}\left( 2^{\mu - 1},2^{\mu } \right) \), we could argue security even when \(d \mu + 2 > \nu \), in a way similar to Theorem 4.2. We omit the analysis of this case from the paper.
Theorem 4.5
Let \(\textsf{PedCom}\), \(\textsf{SetCom}_{\mathsf {RSA'}}\) and \(\textsf{IntCom}\) be computationally binding commitments, \(\textsf {CP}_\textsf{Root}\), \(\textsf {CP}_\textsf{modEq}\) and \(\textsf {CP}_\textsf{Range}\) be knowledge-sound NIZK arguments, and assume that the Strong RSA assumption holds. If \(d \mu + 2 \le \nu \), then \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\) is knowledge-sound with partial opening of the set commitments \(c_{P}\). Furthermore, if \(\textsf{PedCom}\), \(\textsf{SetCom}_{\mathsf {RSA'}}\) and \(\textsf{IntCom}\) are statistically hiding commitments, and \(\textsf {CP}_\textsf{Root}\), \(\textsf {CP}_\textsf{modEq}\) and \(\textsf {CP}_\textsf{Range}\) are zero-knowledge, then \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\) is zero-knowledge.
Proof of Theorem 4.5
Knowledge soundness with partial opening of \(C_{P}\): the proof is similar to the one of Theorem 4.1 except for some minor parts.
Let \(\mathcal {P}^*\) be a malicious prover, i.e., a PPT adversary against Knowledge Soundness with Partial Opening (see the definition in Sect. 2.6), that on input \((\textsf{ck}, R_{\textsf{mem}}, \textsf{crs}, \textsf{aux}_{R}, \textsf{aux}_{Z})\) outputs \(\left( C_{P}, c_{e}, P, \pi \right) \) such that the verifier \(\mathcal {V}\) accepts, i.e. \( \textsf{VerProof}(\textsf{crs}, (C_{P}, c_{e}), \pi )= 1\) and \(\textsf{VerCommit}(\textsf{ck}, \textsf{t}_{U}, C_{P}, P, \varnothing )=1\), with non-negligible probability \(\epsilon \). We will construct a PPT extractor \(\mathcal {E}\) that on the same input outputs a partial witness \((e,r)\) such that \(R_{\textsf{mem}}(P,e)=1 \wedge \textsf{VerCommit}(\textsf{ck}, \textsf{t}_{q}, c_{e}, e, r)=1\).
For this we rely on the Knowledge Soundness of the \(\textsf {CP}_\textsf{Root}, \textsf {CP}_\textsf{modEq}\) and \(\textsf {CP}_\textsf{Range}\) protocols. \(\mathcal {E}\) parses \(\pi :=(C_e, \pi _{\textsf{Root}},\pi _{\textsf{modEq}},\pi _{\textsf{Range}})\) and \(\textsf{crs}:=(N,G,H, \textsf{H}_{\textsf{prime}}, \mathbb {G}_q,g,h, \textsf{crs}_{\textsf{Range}})\), from which it computes the corresponding \(\textsf{crs}_{\textsf{Root}} :=(N,G,H)\) and \(\textsf{crs}_{\textsf{modEq}} :=(N,G,H,\mathbb {G}_q,g,h) \). Then it constructs an adversary \(\mathcal {A}_{\textsf{Root}}\) against the Knowledge Soundness of \(\textsf {CP}_\textsf{Root}\) that outputs \((C_e, C_{P}, \mu ,\pi _{\textsf{Root}})\). Since \(\mathcal {V}\) accepts \(\pi \), it also accepts \(\pi _{\textsf{Root}}\), i.e., \(\textsf {CP}_{\textsf{Root}}.\textsf{VerProof}(\textsf{crs}_{\textsf{Root}},(C_{e},C_{P},\mu ),\pi _{\textsf{Root}})=1\). From the Knowledge Soundness of \(\textsf {CP}_{\textsf{Root}}\) we know that there is an extractor \(\mathcal {E}_{\textsf{Root}}\) that outputs \((e,r,W)\) such that \(C_{e}=\pm G^{e}H^r \pmod N \wedge W^{e}= C_{P} \pmod N \wedge e< 2^{\lambda _{z}+ \lambda _{s}+\mu + 2}\). Similarly, \(\mathcal {E}\) constructs adversaries \(\mathcal {A}_{\textsf{modEq}}\) and \(\mathcal {A}_{\textsf{Range}}\) against the protocols \(\textsf {CP}_{\textsf{modEq}}\) and \(\textsf {CP}_{\textsf{Range}}\) respectively, and there are extractors \(\mathcal {E}_{\textsf{modEq}}\) and \(\mathcal {E}_{\textsf{Range}}\) that output \((e',e_{q},r',r_{q})\) such that \(e' = e_{q}\pmod q\wedge C_{e'}=\pm G^{e'}H^{r'} \pmod N \wedge c_{e_{q}} = g^{e_{q}\mod q}h^{r_{q}\mod q} \) and \((e_{q}',r_{q}')\) such that \(c_{e}=g^{e_{q}'}h^{r_{q}'} \wedge 2^{\mu -1}< e_{q}' < 2^{\mu }\), respectively.
From the binding property of the integer commitment scheme we get that \(e=e'\) and \(r = r'\) (over the integers), except with negligible probability. Similarly, from the binding property of the Pedersen commitment scheme we get that \(e_{q}=e_{q}' \pmod q\) and \(r_{q}= r_{q}' \pmod q\), except with negligible probability. So, putting everything together, the extracted values are \((e,r,W,e_{q},r_{q})\) such that:
and additionally
From \(\textsf{VerCommit}(\textsf{ck}, \textsf{t}_{U}, C_{P}, P, \varnothing )=1\) we infer that \(C_{P} = G^{\textsf{prod}_{P}}\), where for each \(e_i \in P\) it holds that \(e_i \in \textsf{Primes}\left( 2^{\mu -1},2^{\mu } \right) \). From the strong RSA assumption, since \(W^{e}= C_{P} = G^{\textsf{prod}_{P}} \pmod N\), we get \(e\in \Pi _{P}\), except with negligible probability (see Appendix 2).
The rest of the analysis that justifies \(e\in P\) is identical to the one of the proof of Theorem 4.1. So \(e\in P\) and as shown above \(\textsf{VerCommit}(\textsf{ck},\textsf{t}_{q},c_{e},e_{q},r_{q})=1\).
Zero knowledge. For the zero-knowledge property we rely on techniques similar to those of the proof of Theorem 4.3, except for the use of \(\mathcal {S}_{\textsf{HashEq}}\): here we use instead the simulator of the \(\textsf {CP}_\textsf{Range}\) protocol, \(\mathcal {S}_{\textsf{Range}}\). \(\square \)
4.5 Proposed instantiations of protocols for \(R_{\textsf{Root}}\) and \(R_{\textsf{modEq}}\)
4.5.1 Protocol \(\textsf {CP}_\textsf{Root}\)
We first give a protocol \(\textsf {CP}_\mathsf {Root'}\) for a simpler version of the \(\textsf{Root}\) relation in which the upper bound on e is removed; we call this relation \(R_{\mathsf {Root'}}\).
Below is an interactive ZK protocol for \(R_\mathsf {Root'}\):

1. Prover computes a W such that \(W^e=Acc\) and \(C_W=WH^{r_2},C_r=G^{r_2}H^{r_3}\) and sends to the verifier:
\(\underline{\mathcal {P} \rightarrow \mathcal {V}}: C_W,C_r\)

2. Prover and Verifier perform a protocol for the relation:
\(R((C_e,C_r,C_W,Acc),(e,r,r_2,r_3,\beta ,\delta ))=1 \) iff
$$\begin{aligned} C_e = G^eH^r \wedge C_r=G^{r_2}H^{r_3} \wedge Acc=C_W^e \left( \frac{1}{H} \right) ^\beta \wedge 1= C_r^e \left( \frac{1}{H} \right) ^\delta \left( \frac{1}{G} \right) ^\beta \end{aligned}$$
Let \(\lambda _{s}\) be the size of the challenge space, \(\lambda _{z}\) be the statistical security parameter and \(\mu \) the size of e.

Prover samples:
$$\begin{aligned} \begin{aligned}&r_e {\leftarrow }{\$}\,\left( -2^{\lambda _{z}+ \lambda _{s}+ \mu },2^{\lambda _{z}+ \lambda _{s}+ \mu } \right) \\&r_r,r_{r_2},r_{r_3} {\leftarrow }{\$}\,\left( -\left\lfloor N/4\right\rfloor 2^{\lambda _{z}+\lambda _{s}},\left\lfloor N/4\right\rfloor 2^{\lambda _{z}+\lambda _{s}} \right) \\&r_\beta ,r_\delta {\leftarrow }{\$}\,\left( -\left\lfloor N/4\right\rfloor 2^{\lambda _{z}+ \lambda _{s}+ \mu },\left\lfloor N/4\right\rfloor 2^{\lambda _{z}+ \lambda _{s}+ \mu } \right) \end{aligned} \end{aligned}$$
and computes:
$$\begin{aligned} \alpha _1 = G^{r_e}H^{r_r}, \quad \alpha _2 = G^{r_{r_2}}H^{r_{r_3}},\quad \alpha _3 = C_W^{r_e} \left( \frac{1}{H} \right) ^{r_\beta } , \quad \alpha _4 = C_{r}^{r_e}\left( \frac{1}{H}\right) ^{r_\delta } \left( \frac{1}{G} \right) ^{r_{\beta }} \end{aligned}$$
\(\underline{\mathcal {P} \rightarrow \mathcal {V}}: (\alpha _1,\alpha _2,\alpha _3,\alpha _4)\)

Verifier samples the challenge \(c \leftarrow \{0,1\}^{\lambda _{s}}\)
\(\underline{\mathcal {V} \rightarrow \mathcal {P}}: c\)

Prover computes the response:
$$\begin{aligned} \begin{aligned}&s_e = r_e - c e\\&s_r = r_r - c r, \quad s_{r_2} = r_{r_2} - c r_2, \quad s_{r_3} = r_{r_3} - c r_3\\&s_\beta = r_\beta - c e r_2, \quad s_\delta =r_\delta - c e r_3 \end{aligned} \end{aligned}$$
\(\underline{\mathcal {P} \rightarrow \mathcal {V}}: (s_e,s_r,s_{r_2},s_{r_3},s_\beta ,s_\delta )\)

Verifier checks if:
$$\begin{aligned}{} & {} \alpha _1 {\mathop {=}\limits ^{?}} C_e^c G^{s_e} H^{s_r}, \quad \alpha _2 {\mathop {=}\limits ^{?}} C_r^c G^{s_{r_2}}H^{s_{r_3}},\quad \alpha _3 {\mathop {=}\limits ^{?}} Acc^c C_W^{s_e}\left( \frac{1}{H} \right) ^{s_\beta }, \\ {}{} & {} \quad \alpha _4 {\mathop {=}\limits ^{?}} C_{r}^{s_e}\left( \frac{1}{H}\right) ^{s_\delta } \left( \frac{1}{G} \right) ^{s_{\beta }} \end{aligned}$$
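As an added illustration (not code from the paper or from its software library), the following Python program runs the interactive exchange above end to end: the honest prover's steps 1 and 2, the verifier's four checks, and the extra range check on \(s_e\) that turns \(\textsf {CP}_\mathsf {Root'}\) into \(\textsf {CP}_\textsf{Root}\). Everything it uses is constructed and insecure: the modulus \(N = 1019 \cdot 1187\) (a product of two safe primes), \(G = 4\) and \(H = 9\) as elements of \(\textsf{QR}_N\), the toy parameters \(\lambda _{s} = \lambda _{z} = \mu = 8\), and the assumption that \(r_2, r_3\) are drawn from \([0, \lfloor N/4 \rfloor )\), which the text above does not fix. The second run in `demo` shows that a prover who does not hold an e-th root of \(\textsf{Acc}\) fails the third check.

```python
import random

# Constructed toy parameters, NOT secure: N = p*q for safe primes p = 2*509+1
# and q = 2*593+1, so QR_N has order 509*593. G = 2^2 and H = 3^2 lie in QR_N.
N = 1019 * 1187
G, H = 4, 9
LAMBDA_S, LAMBDA_Z, MU = 8, 8, 8   # challenge bits, statistical ZK bits, bits of e


def sym(bound):
    """Uniform integer in the open interval (-bound, bound), as in the paper's ranges."""
    return random.randrange(-bound + 1, bound)


def commit_int(e, r):
    """Integer commitment C_e = G^e H^r mod N."""
    return pow(G, e, N) * pow(H, r, N) % N


def accumulate(primes):
    """RSA accumulator Acc = G^{prod} mod N over a set of primes; returns (Acc, prod)."""
    prod = 1
    for p in primes:
        prod *= p
    return pow(G, prod, N), prod


def prove_root(e, r, W, Acc, challenge=None):
    """Honest prover for R_Root' on statement (C_e, Acc) with witness (e, r, W), W^e = Acc."""
    # Step 1: hide W and commit to the masking exponent r_2 (ranges for r_2, r_3 assumed).
    r2, r3 = random.randrange(N // 4), random.randrange(N // 4)
    C_W = W * pow(H, r2, N) % N
    C_r = pow(G, r2, N) * pow(H, r3, N) % N
    beta, delta = e * r2, e * r3          # Acc = C_W^e H^{-beta}, 1 = C_r^e H^{-delta} G^{-beta}
    # Step 2: Sigma protocol; masks sampled from the ranges given in the text.
    B_e = 2 ** (LAMBDA_Z + LAMBDA_S + MU)
    B_r = (N // 4) * 2 ** (LAMBDA_Z + LAMBDA_S)
    B_bd = (N // 4) * 2 ** (LAMBDA_Z + LAMBDA_S + MU)
    r_e, r_r, r_r2, r_r3 = sym(B_e), sym(B_r), sym(B_r), sym(B_r)
    r_beta, r_delta = sym(B_bd), sym(B_bd)
    # pow(x, -k, N) is the inverse power (1/x)^k modulo N.
    a1 = pow(G, r_e, N) * pow(H, r_r, N) % N
    a2 = pow(G, r_r2, N) * pow(H, r_r3, N) % N
    a3 = pow(C_W, r_e, N) * pow(H, -r_beta, N) % N
    a4 = pow(C_r, r_e, N) * pow(H, -r_delta, N) * pow(G, -r_beta, N) % N
    c = random.randrange(2 ** LAMBDA_S) if challenge is None else challenge
    s = {"e": r_e - c * e, "r": r_r - c * r, "r2": r_r2 - c * r2, "r3": r_r3 - c * r3,
         "beta": r_beta - c * beta, "delta": r_delta - c * delta}
    return {"C_W": C_W, "C_r": C_r, "alpha": (a1, a2, a3, a4), "c": c, "s": s}


def verify_root(C_e, Acc, t):
    """Verifier checks of the protocol plus the CP_Root range check on s_e."""
    C_W, C_r, c, s = t["C_W"], t["C_r"], t["c"], t["s"]
    a1, a2, a3, a4 = t["alpha"]
    ok1 = a1 == pow(C_e, c, N) * pow(G, s["e"], N) * pow(H, s["r"], N) % N
    ok2 = a2 == pow(C_r, c, N) * pow(G, s["r2"], N) * pow(H, s["r3"], N) % N
    ok3 = a3 == pow(Acc, c, N) * pow(C_W, s["e"], N) * pow(H, -s["beta"], N) % N
    ok4 = a4 == pow(C_r, s["e"], N) * pow(H, -s["delta"], N) * pow(G, -s["beta"], N) % N
    ok5 = abs(s["e"]) <= 2 ** (LAMBDA_Z + LAMBDA_S + MU + 1)   # bound on e (CP_Root)
    return ok1 and ok2 and ok3 and ok4 and ok5


def demo():
    """Returns (honest prover accepted, prover without an e-th root accepted)."""
    primes = [131, 137, 139, 149]               # constructed set of 8-bit primes
    Acc, prod = accumulate(primes)
    e, r = 137, random.randrange(N // 4)
    C_e = commit_int(e, r)
    W = pow(G, prod // e, N)                    # membership witness, W^e = Acc
    honest = verify_root(C_e, Acc, prove_root(e, r, W, Acc))
    # A non-zero challenge: c = 0 is the 2^{-lambda_s} soundness-error event in
    # which any Sigma protocol accepts, so it is excluded from the negative run.
    c = random.randrange(1, 2 ** LAMBDA_S)
    cheat = verify_root(C_e, Acc, prove_root(e, r, W * G % N, Acc, challenge=c))
    return honest, cheat
```

The factors \((1/H)^{\cdot}\) and \((1/G)^{\cdot}\) of the protocol become negative exponents in three-argument `pow`, which returns the inverse power whenever the base is invertible modulo N; all bases here are products of powers of G, H and W, so they are.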

Theorem 4.6
Let \(\mathbb {Z}_N^*\) be an RSA group where the strong-RSA assumption holds; then the above protocol is a correct, knowledge-sound and honest-verifier zero-knowledge protocol for \(R_{\mathsf {Root'}}\) (Fig. 8).
The proof of the above is similar to the one of [16], where a more specific protocol was introduced that implicitly included a protocol for \(R_{\mathsf {Root'}}\). Before proceeding to the proof we recall some properties of RSA groups, starting with two standard arguments. The first is that obtaining a multiple of \(\phi (N)\) is equivalent to factoring N. This directly allows us to argue that for any \(G \in \mathbb {Z}_N^*\), if one is able to find an \(x \in \mathbb {Z}\) such that \(G^x = 1 \pmod {N}\), then under the factoring assumption \(x= 0\), as otherwise x is a multiple of \(\phi (N)\). Secondly, finding any non-trivial solution of the equation \(\mu ^2=1 \pmod N\) in \(\mathbb {Z}_N^*\) (non-trivial means \(\mu \ne \pm 1\)) is equivalent to factoring N.
Remark 4.5
In 2017 Couteau et al. proved that in fact knowledge soundness for the protocol of opening an integer commitment can be reduced to the (plain) RSA problem [25]. This could be inherited by our protocol too. However, the relation itself assumes the hardness of strong RSA, otherwise finding a root would be computable in polynomial time. Additionally, in the reduction to (plain) RSA the extractor’s probability of success is cubic in the adversary’s probability of success, while in the reduction to strong RSA it is linear.
Proposition 4.1
Let \(\mathbb {Z}_N^*\) be an RSA group with a modulus N and \(\textsf{QR}_N\) the corresponding group of quadratic residues modulo N.

1. Let \(G,H {\leftarrow }{\$}\,\textsf{QR}_N\) be two random generators of \(\textsf{QR}_N\) and let a PPT adversary \(\mathcal {A}\) output \(\alpha , \beta \in \mathbb {Z}_N^*\) such that \(G^\alpha H^\beta =1\); then, under the assumption that the DLOG problem is hard in \(\textsf{QR}_N\), it holds that \(\alpha =\beta =0\).

2. Let \(A,B \in \mathbb {Z}_N^*\) and let a PPT adversary \(\mathcal {A}\) output \(x,y \in \mathbb {Z}_N^*\)

 such that \(A^y = B^x\) and \(y \mid x\); then, under the assumption that factoring N is hard, it holds that \(A = \pm B^{\frac{x}{y}}\).
Proof

1. Since \(G,H \in \textsf{QR}_N\) there is an \(x \in \mathbb {Z}_N^*\) such that \(G = H^x \pmod N\), which leads to \(H^{x \alpha + \beta } = 1\). As discussed above, under the assumption that factoring N is hard, \(x \alpha + \beta = 0\). If \(\alpha \ne 0\) then \(x \leftarrow -\frac{\beta }{\alpha }\) is a discrete logarithm of H, so assuming that DLOG is hard, \(\alpha = 0\). Similarly, there is a \(y \in \mathbb {Z}_N^*\) such that \(G^y = H \pmod N\), and with the same argument we conclude that \(\beta = 0\).

2. We discern two cases: \(y = \rho \) is odd, or \(y = 2^v \rho \) is even (for an odd \(\rho \)). In case y is odd, it is coprime with \(\phi (N) = p'q'\) (otherwise if \(y = p'\) or \(y = q'\) we would be able to factor N), so \(y^{-1} \pmod {\phi (N)}\) exists and \(A = B^{\frac{x}{y}}\). If \(y=2^v \rho \) then \(\left( A^{-1}B^{\frac{x}{y}} \right) ^{y} = 1 \Rightarrow \left( A^{-1}B^{\frac{x}{y}} \right) ^{2^v\rho }=1 \Rightarrow \left( A^{-1}B^{\frac{x}{y}} \right) ^{2^v}=1\). From the second fact that we discussed above, under the factoring assumption \(\left( A^{-1}B^{\frac{x}{y}} \right) ^{2^{v-1}} = \pm 1\). However, for \(v >1\) the left part of the equation is a quadratic residue, so it cannot be \(-1\); therefore \(\left( A^{-1}B^{\frac{x}{y}} \right) ^{2^{v-1}} = 1\). Using the same facts repeatedly we eventually conclude that \(\left( A^{-1}B^{\frac{x}{y}} \right) ^{2} = 1\), hence \( A^{-1}B^{\frac{x}{y}} = \pm 1 \Rightarrow A = \pm B^{\frac{x}{y}}\).
\(\square \)
Proof of Theorem 4.6
Correctness is straightforward. Honest-verifier zero knowledge can be shown with the standard arguments used for \(\varSigma \)-protocols and the fact that the commitments \(C_e,C_W,C_r\) are statistically hiding. That is, the simulator \(\mathcal {S}\) on input \((C_e,\textsf{Acc})\) samples \(C_W^* {\leftarrow }{\$}\,\mathbb {Z}_N^*\) and \(C_r^* {\leftarrow }{\$}\,\mathbb {Z}_N^*\). Then it samples
Finally it samples \(c^* {\leftarrow }{\$}\,\{0,1\}^{\lambda _{s}}\). Then it sets \(\alpha _1^* \leftarrow C_e^{c^*} G^{s_e^*} H^{s_r^*}\), \(\alpha _2^* \leftarrow (C_r^*)^{c^*} G^{s_{r_2}^*}H^{s_{r_3}^*}\), \(\alpha _3^* \leftarrow \textsf{Acc}^{c^*} (C_W^*)^{s_e^*}\left( \frac{1}{H} \right) ^{s_\beta ^*}\) and \(\alpha _4^* \leftarrow (C_{r}^*)^{s_e^*}\left( \frac{1}{H}\right) ^{s_\delta ^*} \left( \frac{1}{G} \right) ^{s_{\beta }^*}\). \(\mathcal {S}\) outputs \(\pi ^* \leftarrow (C_W^*,C_r^*,\alpha _1^*,\alpha _2^*,\alpha _3^*, \alpha _4^*,c^*,s_e^*,s_r^*,s_{r_2}^*,s_{r_3}^*,s_\beta ^*,s_\delta ^*)\). The distribution of \(\pi ^*\) is identical to that of a real proof \(\pi \).
For knowledge soundness, let \(\mathcal {A}\) be a knowledge-soundness adversary that is able to convince the verifier \(\mathcal {V}\) with probability at least \(\epsilon \). We will construct an extractor \(\mathcal {E}\) that extracts the witness \((e,r,r_2,r_3,\beta ,\delta )\). Using rewinding, \(\mathcal {E}\) gets two accepting transcripts
on two different challenges c and \(c'\). \(\mathcal {E}\) aborts if it cannot get two such transcripts (\(\textsf {abort}1\)).
We denote \(\varDelta c :=c'-c, \varDelta s_e :=s_e - s_e', \varDelta s_r :=s_r - s_r', \varDelta s_{r_2} :=s_{r_2} - s_{r_2}', \varDelta s_{r_3} :=s_{r_3} - s_{r_3}', \varDelta s_{\beta } :=s_{\beta } - s_{\beta }', \varDelta s_{\delta } :=s_{\delta } - s_{\delta }'\); then
Define the (possibly rational) numbers \(\hat{e} :=\frac{\varDelta s_e}{\varDelta c}, \hat{r} :=\frac{\varDelta s_r}{\varDelta c}, \hat{r_2} :=\frac{\varDelta s_{r_2}}{\varDelta c}, \hat{r_3} :=\frac{\varDelta s_{r_3}}{\varDelta c}\). In case \(\varDelta c\) does not divide \(\varDelta s_e\) and \(\varDelta s_r\), \(\mathcal {E}\) aborts (\(\textsf {abort}\, 2a\)). Similarly, in case \(\varDelta c\) does not divide \(\varDelta s_{r_2}\) and \(\varDelta s_{r_3}\), \(\mathcal {E}\) aborts (\(\textsf {abort}\, 2b\)). Therefore, since the above aborts did not happen, according to the second point of Proposition 4.1, \(C_e = \pm G^{\hat{e}}H^{\hat{r}}\) and \(C_{r} = \pm G^{\hat{r_2}}H^{\hat{r_3}}\).
Now if we replace \(C_r\) in the fourth equation we get \(1 = (\pm 1)^{\varDelta s_e} G^{\hat{r_2} \varDelta s_e} H^{\hat{r_3} \varDelta s_e} \left( \frac{1}{H} \right) ^{\varDelta s_\delta } \left( \frac{1}{G} \right) ^{\varDelta s_\beta }\), or \((\pm 1)^{\varDelta s_e} G^{\hat{r_2} \varDelta s_e - \varDelta s_\beta } H^{\hat{r_3} \varDelta s_e - \varDelta s_\delta } = 1\). However, \((\pm 1)^{\varDelta s_e} = 1\): otherwise, if \((\pm 1)^{\varDelta s_e}=-1\), then \(G^{\hat{r_2} \varDelta s_e - \varDelta s_\beta } H^{\hat{r_3} \varDelta s_e - \varDelta s_\delta }\), which is a quadratic residue (since G, H are both in \(\textsf{QR}_N\) and \(\textsf{QR}_N\) is closed under multiplication), would be equal to \(-1\), which is a non-quadratic residue, a contradiction. Hence \(G^{\hat{r_2} \varDelta s_e - \varDelta s_\beta } H^{\hat{r_3} \varDelta s_e - \varDelta s_\delta } = 1\). According to the first point of Proposition 4.1, under the factoring assumption \(\hat{r_2} \varDelta s_e - \varDelta s_\beta = \hat{r_3} \varDelta s_e - \varDelta s_\delta = 0\), so \(\hat{r_2} \varDelta s_e = \varDelta s_\beta \).
Finally we replace \(\varDelta s_\beta \) in the third equation and we get \(Acc^{\varDelta c} = C_W^{\varDelta s_e}\left( \frac{1}{H} \right) ^{\hat{r_2} \varDelta s_e} \Rightarrow Acc^{\varDelta c} = \left( \frac{C_W}{H^{\hat{r_2}}} \right) ^{\varDelta s_e}\). As stated above \(\varDelta c\) divides \(\varDelta s_e\), so according to the second point of Proposition 4.1, \(\textsf{Acc}= \pm \left( \frac{C_W}{H^{\hat{r_2}}} \right) ^{\frac{\varDelta s_e}{\varDelta c}} = \pm \left( \frac{C_W}{H^{\hat{r_2}}} \right) ^{\hat{e}}\). We discern three cases:

\(\underline{\textsf{Acc}= + \left( \frac{C_W}{H^{\hat{r_2}}} \right) ^{\frac{\varDelta s_e}{\varDelta c}}}\): Then \(\mathcal {E}\) sets \(\tilde{W} \leftarrow \frac{C_W}{H^{\hat{r_2}}}\), \(\tilde{e} \leftarrow \hat{e} :=\frac{\varDelta s_e}{\varDelta c}\) and \(\tilde{r} \leftarrow \hat{r} :=\frac{\varDelta s_r}{\varDelta c}\) as above. It is clear that \(\textsf{Acc}= \tilde{W}^{\tilde{e}}\) and, as stated above, \(C_e = G^{\tilde{e}}H^{\tilde{r}}\).

\(\underline{\textsf{Acc}= - \left( \frac{C_W}{H^{\hat{r_2}}} \right) ^{\frac{\varDelta s_e}{\varDelta c}} \text { and } \frac{\varDelta s_e}{\varDelta c} \text { odd}}\): Then \(\mathcal {E}\) sets \(\tilde{W} \leftarrow -\frac{C_W}{H^{\hat{r_2}}}\), \(\tilde{e} \leftarrow \hat{e} :=\frac{\varDelta s_e}{\varDelta c}\) and \(\tilde{r} \leftarrow \hat{r} :=\frac{\varDelta s_r}{\varDelta c}\) as above. Since \(\tilde{e}\) is odd, \(\textsf{Acc}= \tilde{W}^{\tilde{e}}\), and, as stated above, \(C_e = G^{\tilde{e}}H^{\tilde{r}}\).

\(\underline{\textsf{Acc}= - \left( \frac{C_W}{H^{\hat{r_2}}} \right) ^{\frac{\varDelta s_e}{\varDelta c}} \text { and } \frac{\varDelta s_e}{\varDelta c} \text { even}}\): this means that Acc is a non-quadratic residue, which is a contradiction since in the \(R_{\mathsf {Root'}}\) relation we assume that \(\textsf{Acc}\in \textsf{QR}_N\).

Finally \(\mathcal {E}\) outputs \((\tilde{e},\tilde{r}, \tilde{W})\).
Now we show that the probability that the extractor terminates outputting a valid witness is \(O(\epsilon )\). If the extractor does not abort then it clearly outputs a valid witness (under the factoring assumption). For the first abort, with a standard argument it can be shown that the extractor is able to extract two accepting transcripts with probability \(O(\epsilon )\) (for the probabilistic analysis we refer to [31]). Thus \(Pr[\textsf {abort}1] = 1 - O(\epsilon )\). The second type of aborts (\(\textsf {abort}\, 2a\) and \(\textsf {abort}\, 2b\)) happen with negligible probability under the strong RSA assumption; for the details see Lemma 4.2 below, which was proven in [31]. Putting these together, the probability of success of \(\mathcal {E}\) is at least \(O(\epsilon ) - \textsf{negl}(\lambda _{s})\). \(\square \)
Lemma 4.2
([31]) Given that \(\textsf {abort}\, 2a\) occurs, a PPT adversary \(\mathcal {B}\) can solve the strong RSA problem with probability at least \(\frac{1}{2}-2^{-\lambda _{s}}\).
From the above we get \(Pr[\mathcal {B} \text { solves } sRSA] \ge \left( \frac{1}{2}-2^{-\lambda _{s}} \right) Pr[\textsf {abort}\, 2a]\), so we conclude that \( Pr[\textsf {abort}\, 2a] \le \frac{1}{\frac{1}{2} - 2^{-\lambda _{s}}} Pr[\mathcal {B} \text { solves } sRSA] = \textsf{negl}(\lambda _{s})\). The same lemma holds for \(\textsf {abort}\, 2b\).
Notice in the above protocol that
so if we impose an additional verification check on the size of an honest \(s_e\), i.e., \(s_e \in \left[ -2^{\lambda _{z}+ \lambda _{s}+ \mu +1}, 2^{\lambda _{z}+ \lambda _{s}+ \mu +1} \right] \), we get that \( |\hat{e}| \le 2^{\lambda _{z}+ \lambda _{s}+ \mu +2}\). The verifier performs the extra range check \(s_e {\mathop {\in }\limits ^{?}} \left[ -2^{\lambda _{z}+ \lambda _{s}+ \mu +1}, 2^{\lambda _{z}+ \lambda _{s}+ \mu +1} \right] \), and the resulting protocol is \(\textsf {CP}_\textsf{Root}\), which, besides proving knowledge of an e-th root, also provides a bound on the size of e:
4.5.2 Protocol \(\textsf {CP}_\textsf{modEq}\)
Below we describe the publiccoin ZK protocol for \(R_\textsf{modEq}\). In Fig. 9 we summarize the corresponding NIZK obtained after applying the Fiat–Shamir transform to it.

1. Prover samples:
$$\begin{aligned} \begin{aligned}&r_e \leftarrow \left( -2^{\lambda _{z}+ \lambda _{s}+ \mu },2^{\lambda _{z}+ \lambda _{s}+ \mu } \right) \\&r_r\leftarrow \left( -\left\lfloor N/4\right\rfloor 2^{\lambda _{z}+ \lambda _{s}},\left\lfloor N/4\right\rfloor 2^{\lambda _{z}+ \lambda _{s}} \right) \\&r_{r_{q}} \leftarrow \mathbb {Z}_{q}, \end{aligned} \end{aligned}$$
and computes:
$$\begin{aligned} \alpha _1 = G^{r_e}H^{r_r}, \quad \alpha _2 = g^{r_e \pmod q}h^{r_{r_{q}}}. \end{aligned}$$
\(\underline{\mathcal {P} \rightarrow \mathcal {V}}: (\alpha _1,\alpha _2)\).

2. Verifier samples the challenge \(c \leftarrow \{0,1\}^{\lambda _{s}}\).
\(\underline{\mathcal {V} \rightarrow \mathcal {P}}: c\).

3. Prover computes the response:
$$\begin{aligned} \begin{aligned}&s_e = r_e - c e\\&s_r = r_r - c r\\&s_{r_{q}} = r_{r_{q}} - c r_{q}\pmod q. \end{aligned} \end{aligned}$$
\(\underline{\mathcal {P} \rightarrow \mathcal {V}}: (s_e,s_r,s_{r_{q}})\).

4. Verifier checks if:
$$\begin{aligned} \alpha _1 {\mathop {=}\limits ^{?}} \pm C_{e}^{c} G^{s_e} H^{s_{r}} \pmod N, \quad \alpha _2 {\mathop {=}\limits ^{?}} c_{e_{q}}^{c} g^{s_e \pmod q} h^{s_{r_{q}}}. \end{aligned}$$
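An added Python example (not from the paper or its library) of the \(\textsf {CP}_\textsf{modEq}\) exchange above, linking an integer commitment \(C_e = G^eH^r\) over \(\mathbb {Z}_N^*\) to a Pedersen commitment \(c_{e_q} = g^{e_q}h^{r_q}\) in a group of prime order q. All parameters are constructed and insecure: \(N = 1019 \cdot 1187\), \(G = 4\), \(H = 9\), \(q = 1009\) realised as the order-q subgroup of \(\mathbb {Z}_P^*\) for \(P = 10q+1\), and \(\lambda _{s} = \lambda _{z} = \mu = 8\). The second run in `demo` commits to \(e+1\) on the Pedersen side and is rejected.

```python
import random

# Constructed toy parameters, NOT secure. Integer-commitment side: N = 1019*1187
# (two safe primes), G = 2^2 and H = 3^2 in QR_N. Prime-order side: q = 1009,
# realised as the order-q subgroup of Z_P^* with P = 10*q + 1 = 10091 (prime).
N = 1019 * 1187
G, H = 4, 9
q = 1009
P = 10 * q + 1
g, h = pow(2, 10, P), pow(3, 10, P)   # cofactor clearing gives order exactly q
assert g != 1 and h != 1 and pow(g, q, P) == 1 and pow(h, q, P) == 1
LAMBDA_S, LAMBDA_Z, MU = 8, 8, 8


def sym(bound):
    """Uniform integer in the open interval (-bound, bound)."""
    return random.randrange(-bound + 1, bound)


def commit_int(e, r):
    """Integer commitment G^e H^r mod N (e, r integers, possibly negative)."""
    return pow(G, e, N) * pow(H, r, N) % N


def commit_ped(x, r):
    """Pedersen commitment g^{x mod q} h^{r mod q} in the order-q group."""
    return pow(g, x % q, P) * pow(h, r % q, P) % P


def prove_modeq(e, r, r_q, challenge=None):
    """Honest prover for R_modEq: C_e = G^e H^r opens to e and c_{e_q} opens to e mod q."""
    r_e = sym(2 ** (LAMBDA_Z + LAMBDA_S + MU))
    r_r = sym((N // 4) * 2 ** (LAMBDA_Z + LAMBDA_S))
    r_rq = random.randrange(q)
    a1 = commit_int(r_e, r_r)
    a2 = commit_ped(r_e, r_rq)                # the exponent r_e is reduced mod q
    c = random.randrange(2 ** LAMBDA_S) if challenge is None else challenge
    s_e = r_e - c * e                         # over the integers
    s_r = r_r - c * r
    s_rq = (r_rq - c * r_q) % q               # in Z_q
    return {"alpha": (a1, a2), "c": c, "s": (s_e, s_r, s_rq)}


def verify_modeq(C_e, c_eq, t):
    """The two verifier checks; the first one allows the +/- sign of the text."""
    (a1, a2), c, (s_e, s_r, s_rq) = t["alpha"], t["c"], t["s"]
    rhs1 = pow(C_e, c, N) * commit_int(s_e, s_r) % N
    ok1 = a1 == rhs1 or a1 == N - rhs1
    ok2 = a2 == pow(c_eq, c, P) * commit_ped(s_e, s_rq) % P
    return ok1 and ok2


def demo():
    """Returns (honest prover accepted, mismatched Pedersen opening accepted)."""
    e = 211                                   # an 8-bit prime; e < q, so e mod q = e
    r, r_q = random.randrange(N // 4), random.randrange(q)
    C_e = commit_int(e, r)
    honest = verify_modeq(C_e, commit_ped(e, r_q), prove_modeq(e, r, r_q))
    # Pedersen commitment to e+1 instead of e mod q: rejected for every challenge c != 0
    # (c = 0 is the 2^{-lambda_s} soundness-error event, excluded from the negative run).
    c = random.randrange(1, 2 ** LAMBDA_S)
    bad = verify_modeq(C_e, commit_ped(e + 1, r_q), prove_modeq(e, r, r_q, challenge=c))
    return honest, bad
```

The response \(s_e\) is never reduced: it is an integer sent in the clear, and the verifier reduces it modulo q only inside the Pedersen exponent, which is exactly what ties the two commitments to the same value modulo q.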
Theorem 4.7
Let \(\mathbb {Z}_N^*\) be an RSA group where the strong-RSA assumption holds and \(\mathbb {G}\) be a prime order group where the DLOG assumption holds; then the above protocol is a correct, knowledge-sound and honest-verifier zero-knowledge protocol for \(R_{\textsf{modEq}}\).
The proof is quite simple and is omitted.
4.6 Instantiations
We discuss the possible instantiations of our schemes \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\) and \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\) that can be obtained by looking at applications’ constraints and security parameters constraints.
Parameters for \(d\mu + 2 \le \nu \) and \(\mu \le \nu - 2\). First we analyze possible parameters that satisfy the conditions \(d\mu + 2 \le \nu \wedge \mu \le \nu - 2\) that are used in Theorems 4.1 and 4.2; we recall \(d = 1 + \lfloor \frac{\lambda _{z}+ \lambda _{s}+ 2}{\mu }\rfloor \), where \(\lambda _{z}\) and \(\lambda _{s}\) are the statistical security parameters for zero-knowledge and soundness, respectively, of \(\textsf {CP}_{\textsf{Root}}\).
If the prime order group \(\mathbb {G}_{q}\) is instantiated with (pairing-friendly) elliptic curves, then the bit-size \(\nu \) of its order must be at least \(2\lambda \). Recall also that for correctness we need \(\mu < \nu \).
Considering these constraints, one way to satisfy \(d\mu + 2 \le \nu \) is to choose \(\mu \) such that \(\nu -1> \mu > \lambda _{z}+ \lambda _{s}+ 2\). More specifically, a choice that maximizes security is \(\nu = 2\lambda \), \(\mu = 2\lambda -2\) and \(\lambda _{z}=\lambda -3, \lambda _{s}= \lambda - 2\). For the case of the \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\) scheme, this choice yields an instantiation with nearly \(\lambda \) bits of security and where the function \(\textsf{H}\) does not necessarily need to be a random oracle (yet it must be collision resistant).
Because of the constraint \(\mu > \lambda _{z}+ \lambda _{s}+ 2\), the choice above implies the use of large primes. This would anyway be the case if one instantiates the scheme with a collision-resistant hash function \(\textsf{H}\) (e.g., SHA-256 or SHA-3), e.g., because set elements are quite arbitrary. If, on the other hand, one could support more specific set elements, one could use instead a deterministic map-to-primes or even use our scheme \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\) in which set elements themselves are primes. In this case one may wonder if it is possible to choose values of \(\mu \) smaller than \(2\lambda \); for example \(\mu \approx 30, 60, 80\). The answer is positive, although the characterization of such \(\mu \)’s requires an involved analysis.
Let us fix \(\nu = 2\lambda \), and say that the statistical security parameters \(\lambda _{z}, \lambda _{s}\) are such that \(\lambda _{z}+ \lambda _{s}+ 2 = 2\lambda - 2 - c\) for some constant c (for example \(c=4\) if \(\lambda _{z}= \lambda _{s}= \lambda - 4\)). We are essentially looking for \(\mu \) such that
From the fact \(x \mod y = x - y \lfloor \frac{x}{y}\rfloor \), we can reduce the above inequality into
that can admit solutions for \(c \ge 2\).
For instance, if \(\lambda = 128\) and \(c = 4\), then we get several options for \(\mu \), e.g., \(\mu = 32, 42, 63, 84, 126, 127\).
Parameters for \(d\mu + 2 > \nu \). This case concerns only \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\) and Theorem 4.2 in particular. In this case, if one aims at maximizing security, say to get a scheme with \(\lambda \) bits of security, then one would have to set \(\mu \approx 2\lambda \) for collision resistance, and consequently select the prime order group so that \(\nu \ge 3\lambda \). This choice however is costly in terms of performance, since the efficiency of all protocols that work in the prime order group degrades.
5 A CP-SNARK for set non-membership with short parameters
Here we describe two CP-SNARKs for set non-membership that work in a setting identical to the one of Sect. 4. Namely, the set is committed using an RSA accumulator, and the element (that one wants to prove not to belong to the set) is committed using a Pedersen commitment scheme. As in the previous section, we propose two protocols for non-membership, called \(\textsf{NonMem}\textsf {CP}_{\textsf{RSA}}\) and \(\textsf{NonMem}\textsf {CP}_{\textsf{RSAPrm}}\), in complete analogy to \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\) and \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\). In the former, the elements of the set are arbitrary bitstrings of length \(\eta \), \(\mathcal {D}_{\textsf{elm}} = \{0, 1\}^{\eta }\), while in the latter the elements are primes of length \(\mu \). The schemes are fully described in Figs. 10 and 11.
5.1 A high-level overview of the constructions
The main idea of \(\textsf{NonMem}\textsf {CP}_{\textsf{RSA}}\) is similar to the one of the corresponding membership protocol, \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\). It uses in the same modular way the \(\textsf{modEq}\) and \(\textsf{HashEq}\) protocols. The only difference lies in the third protocol: instead of using \(\textsf{Root}\) it uses a new protocol \(\textsf{Coprime}\). In a similar manner, \(\textsf{NonMem}\textsf {CP}_{\textsf{RSAPrm}}\) uses \(\textsf{modEq}\), \(\textsf{Range}\) and \(\textsf{Coprime}\).
Let us explain the need for the \(\textsf{Coprime}\) protocol and what it does. First, recall how a non-membership proof is computed in RSA Accumulators [50]. Let \(P\) be a set of primes to be accumulated and \(\textsf{prod}\) the corresponding product. For any prime element \(e \notin P\) it holds that \(\gcd (e,\textsf{prod}) = 1\), while for any member \(e \in P\) it is \(\gcd (e,\textsf{prod}) = e \ne 1\). Thus, proving that \(\gcd (e,\textsf{prod})=1\) would exhibit non-membership of e in \(P\). Recall, also, that using the extended Euclidean algorithm one can efficiently compute coefficients (a, b) such that \(a \cdot e + b \cdot \textsf{prod}= \gcd (e,\textsf{prod})\). A non-membership proof for an element e w.r.t. an accumulator \(\textsf{Acc}= G^{\textsf{prod}}\) consists of a pair \((D=G^a, b)\), where a, b are such that \(a \cdot e + b \cdot \textsf{prod}= 1\). The verification is \(D^e \textsf{Acc}^b = G\), which ensures that e and \(\textsf{prod}\) are coprime, i.e. \(\gcd (e,\textsf{prod}) = 1\). Therefore, the goal of the \(\textsf{Coprime}\) protocol is to prove knowledge of an element \(e\) committed in an integer commitment \(C_{e}\) that satisfies this relation. A more formal definition of \(\textsf{Coprime}\) is given below and an instantiation of this protocol is in Sect. 5.4.
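The non-membership witness described above, computed with the extended Euclidean algorithm and checked with \(D^e \textsf{Acc}^b = G\), as an added Python example (not code from the paper or its library). It assumes a constructed, insecure modulus \(N = 1019 \cdot 1187\) (two safe primes) with \(G = 4 \in \textsf{QR}_N\) and a constructed set of four 8-bit primes; for contrast it also derives the membership witness \(W = G^{\textsf{prod}/e}\) and shows that a member has no non-membership witness because \(\gcd (e, \textsf{prod}) = e\).

```python
# Constructed toy RSA modulus, NOT secure: N = 1019*1187 (two safe primes), G = 2^2 in QR_N.
N = 1019 * 1187
G = 4


def egcd(a, b):
    """Extended Euclid: returns (gcd, x, y) with a*x + b*y = gcd."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        qt, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - qt * x1
        y0, y1 = y1, y0 - qt * y1
    return a, x0, y0


def accumulate(primes):
    """Acc = G^{prod} mod N over a set of primes; returns (Acc, prod)."""
    prod = 1
    for p in primes:
        prod *= p
    return pow(G, prod, N), prod


def membership_witness(prod, e):
    """W = G^{prod/e} with W^e = Acc, or None if e does not divide prod."""
    return pow(G, prod // e, N) if prod % e == 0 else None


def nonmembership_witness(prod, e):
    """(D, b) = (G^a, b) with a*e + b*prod = 1, or None if gcd(e, prod) != 1 (e is a member)."""
    d, a, b = egcd(e, prod)
    if d != 1:
        return None
    # In general one of a, b is negative; pow(G, a, N) with a < 0 is the inverse power.
    return pow(G, a, N), b


def verify_nonmembership(Acc, e, D, b):
    """Check D^e * Acc^b == G mod N, i.e. that the exponent a*e + b*prod equals 1."""
    return pow(D, e, N) * pow(Acc, b, N) % N == G


def demo():
    """Returns (non-member verifies, member has no witness, member witness ok, wrong element rejected)."""
    primes = [131, 137, 139, 149]                # constructed set of 8-bit primes
    Acc, prod = accumulate(primes)
    e_out, e_in = 151, 137
    D, b = nonmembership_witness(prod, e_out)
    nonmem_ok = verify_nonmembership(Acc, e_out, D, b)
    member_has_no_witness = nonmembership_witness(prod, e_in) is None
    W = membership_witness(prod, e_in)
    mem_ok = pow(W, e_in, N) == Acc
    # The same (D, b) must not verify for a different element (here 157).
    wrong = verify_nonmembership(Acc, 157, D, b)
    return nonmem_ok, member_has_no_witness, mem_ok, wrong
```

The verifier never learns a or prod: it only exponentiates with the public b and e, which is why the Coprime protocol below has to prove knowledge of b (and of the committed e) rather than just send \(\textsf{Acc}^b\) in the clear.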
5.2 Argument of knowledge for a coprime element
We make use of a non-interactive argument of knowledge of a non-membership witness of an element such that the verification equation explained above holds. More formally, \(\textsf {CP}_\textsf{Coprime}\) is a NIZK for the relation \(R_\textsf{Coprime}: (\mathbb {Z}_N^*\times \textsf{QR}_N) \times (\mathbb {Z}\times \mathbb {Z}\times \textsf{QR}_N \times \mathbb {Z})\) defined as
\(R_\textsf{Coprime}\left( (C_e, \textsf{Acc}),(e, r, D, b) \right) = 1\) iff
We propose an instantiation of a protocol for the above relation in Sect. 5.4.
5.3 Our constructions of \(\textsf{NonMem}\textsf {CP}_{\textsf{RSA}}\) and \(\textsf{NonMem}\textsf {CP}_{\textsf{RSAPrm}}\)
In Figs. 10 and 11 we give a full description of the schemes.
The security of these schemes follows very closely that of the corresponding membership schemes given in Sect. 4. Below we give the theorems that state their security. The proofs are omitted since they are almost identical to the corresponding proofs for the membership schemes.
Theorem 5.1
Let \(\textsf{PedCom}\), \(\textsf{SetCom}_{\textsf{RSA}}\) and \(\textsf{IntCom}\) be computationally binding commitments, \(\textsf {CP}_\textsf{Coprime}\), \(\textsf {CP}_\textsf{modEq}\) and \(\textsf {CP}_\textsf{HashEq}\) be knowledge-sound NIZK arguments, and assume that the Strong RSA assumption holds and that \(\textsf{H}\) is collision resistant.
If \(d \mu + 2 \le \nu \), \(\lambda _{s}+ 1 < \mu \) and \(\lambda _{s}< \log (N)/2\), then \(\textsf{NonMem}\textsf {CP}_{\textsf{RSA}}\) is knowledge-sound with partial opening of the set commitments \(C_{U}\).
Theorem 5.2
Let \(\textsf{PedCom}\), \(\textsf{SetCom}_{\textsf{RSA}}\) and \(\textsf{IntCom}\) be computationally binding commitments, \(\textsf {CP}_\textsf{Coprime}\), \(\textsf {CP}_\textsf{modEq}\) and \(\textsf {CP}_\textsf{HashEq}\) be knowledge-sound NIZK arguments, and assume that the Strong RSA assumption holds and that \(\textsf{H}\) is collision resistant.
If \(d \mu + 2 > \nu \), \(\lambda _{s}+ 1 < \mu \), \(\lambda _{s}< \log (N)/2\), \(d = O(1)\) is a small constant, \(2^{\mu - \nu } \in \textsf{negl}(\lambda )\) and \(\textsf{H}\) is modeled as a random oracle, then \(\textsf{NonMem}\textsf {CP}_{\textsf{RSA}}\) is knowledge-sound with partial opening of the set commitments \(C_{U}\).
Theorem 5.3
Let \(\textsf{PedCom}\), \(\textsf{SetCom}_{\mathsf {RSA'}}\) and \(\textsf{IntCom}\) be computationally binding commitments, \(\textsf {CP}_\textsf{Coprime}\), \(\textsf {CP}_\textsf{modEq}\) and \(\textsf {CP}_\textsf{Range}\) be knowledge-sound NIZK arguments, and assume that the Strong RSA assumption holds. If \(d \mu + 2 \le \nu \), \(\lambda _{s}+ 1 < \mu \) and \(\lambda _{s}< \log (N)/2\), then \(\textsf{NonMem}\textsf {CP}_{\textsf{RSAPrm}}\) is knowledge-sound with partial opening of the set commitments \(c_{P}\). Furthermore, if \(\textsf{PedCom}\), \(\textsf{SetCom}_{\mathsf {RSA'}}\) and \(\textsf{IntCom}\) are statistically hiding commitments, and \(\textsf {CP}_\textsf{Coprime}\), \(\textsf {CP}_\textsf{modEq}\) and \(\textsf {CP}_\textsf{Range}\) are zero-knowledge, then \(\textsf{NonMem}\textsf {CP}_{\textsf{RSAPrm}}\) is zero-knowledge.
5.4 Proposed instantiations of protocol for \(R_{\textsf{Coprime}}\)
Below we propose an interactive ZK protocol for \(R_\textsf{Coprime}\). As the relation indicates, we need to prove knowledge of (D, b) such that \(D^e\textsf{Acc}^b=G\), for a committed e. Proving opening of \(C_e\) to e is straightforward, so the main challenge is to prove the non-membership equation. For this the prover should send D and \(\textsf{Acc}^b\) to the verifier so that she can check that \(D^e\textsf{Acc}^b=G\) herself. Of course, there are two caveats. The first one is that D and \(\textsf{Acc}^b\) cannot be sent in the clear as we require zero-knowledge; we solve this by sending them in a hiding manner, i.e., \(C_a = D H^{r_a}\) and \(C_B = \textsf{Acc}^b H^{\rho _{B}}\) for random values \(r_a,\rho _B\). Consequently, the verification now should work with the hiding elements. Secondly, the verifier should be ensured that \(\textsf{Acc}^b\) is indeed an exponentiation of \(\textsf{Acc}\) with a value b known to the prover, otherwise soundness can be broken. More specifically we require extraction of \(b,\rho _B\) such that \(C_B = \textsf{Acc}^b H^{\rho _B}\). This is done using the partial opening of \(\textsf{Acc}\) to the set represented by \(\textsf{prod}\), i.e., the protocol assumes that \(\textsf{Acc}= G^{\textsf{prod}}\) is common knowledge.
Below we present our protocol in full detail.

1.
Prover computes \(C_a=D H^{r_a}, C_{r_a}=G^{r_a} H^{r'_a}, C_B=Acc^{b}H^{\rho _B}, C_{\rho _{B}} = G^{\rho _{B}} H^{\rho '_{B}}\) and sends to the verifier:
\(\underline{\mathcal {P} \rightarrow \mathcal {V}}:C_a, C_{r_a}, C_B, C_{\rho _B}\).

2.
Prover and Verifier perform a protocol for the relation: \(R((\textsf{Acc}, C_e, C_a, C_{r_a}, C_B, C_{\rho _B}), (e,b,r, r_a, r'_a, \rho _{B}, \rho '_B, \beta ,\delta ))=1 \) iff
$$\begin{aligned} C_e = G^eH^r \wedge C_r=G^{r_2}H^{r_3} \wedge Acc=C_W^e \left( \frac{1}{H} \right) ^\beta \wedge 1= C_r^e \left( \frac{1}{H} \right) ^\delta \left( \frac{1}{G} \right) ^\beta . \end{aligned}$$Let \(\lambda _{s}\) be the size of the challenge space, \(\lambda _{z}\) be the statistical security parameter and \(\mu \) the size of e.

Prover samples:
$$\begin{aligned} \begin{aligned}&r_b, r_e {\leftarrow }{\$}\,\left( -2^{\lambda _{z}+ \lambda _{s}+ \mu },2^{\lambda _{z}+ \lambda _{s}+ \mu } \right) \\&r_{\rho _B}, r_r, r_{r_a},r_{r'_a}, r_{\rho _{B}'} {\leftarrow }{\$}\,\left( -\left\lfloor N/4\right\rfloor 2^{\lambda _{z}+\lambda _{s}},\left\lfloor N/4\right\rfloor 2^{\lambda _{z}+\lambda _{s}} \right) \\&r_\beta ,r_\delta {\leftarrow }{\$}\,\left( -\left\lfloor N/4\right\rfloor 2^{\lambda _{z}+ \lambda _{s}+ \mu },\left\lfloor N/4\right\rfloor 2^{\lambda _{z}+ \lambda _{s}+ \mu } \right) , \end{aligned} \end{aligned}$$and computes:
$$\begin{aligned}{} & {} \alpha _2 = \textsf{Acc}^{r_b}H^{r_{\rho _B}}, \quad \alpha _3 = G^{r_e}H^{r_r}, \quad \alpha _4 = G^{r_{r_a}}H^{r_{r_a'}},\\{} & {} \alpha _5 = C_a^{r_e} H^{r_\beta }, \quad \alpha _6 = C_{r_a}^{r_e} G^{r_{\beta }} H^{r_\delta }, \quad \alpha _7 = G^{r_{\rho _B}}H^{r_{\rho _B'}}. \end{aligned}$$\(\underline{\mathcal {P} \rightarrow \mathcal {V}}:(\alpha _2,\alpha _3,\alpha _4, \alpha _5, \alpha _6, \alpha _7)\)

Verifier samples the challenge \(c \leftarrow \{0,1\}^{\lambda _{s}}\) and sends it: \(\underline{\mathcal {V} \rightarrow \mathcal {P}}: c\).

Prover computes the response:
$$\begin{aligned} \begin{aligned}&s_b = r_b - c b, \quad s_e = r_e - c e\\&s_{\rho _B} = r_{\rho _B} - c \rho _B, \quad s_r = r_r - c r, \quad s_{r_a} = r_{r_a} - c r_a, \quad s_{r'_a} = r_{r'_a} - c r_a', \quad s_{\rho _{B}'} = r_{\rho _B'} - c \rho _B'\\&s_\beta = r_\beta + c (e r_a + \rho _{B}), \quad s_\delta =r_\delta + c ( e r_a' +\rho '_{B}). \end{aligned} \end{aligned}$$\(\underline{\mathcal {P} \rightarrow \mathcal {V}}: (s_b, s_e, s_{\rho _B}, s_r, s_{r_a}, s_{r'_a}, s_{\rho _{B}'}, s_\beta , s_\delta )\)

Verifier checks if:
$$\begin{aligned}{} & {} \alpha _2 {\mathop {=}\limits ^{?}} C_B^c \textsf{Acc}^{s_b}H^{s_{\rho _B}}, \quad \alpha _3 {\mathop {=}\limits ^{?}} C_e^c G^{s_e} H^{s_r}, \quad \alpha _4 {\mathop {=}\limits ^{?}} C_{r_a}^c G^{s_{r_a}}H^{s_{r_a'}}, \quad \\{} & {} \alpha _5 {\mathop {=}\limits ^{?}} C_a^{s_e} H^{s_\beta } G^{c} C_{B}^{-c}, \quad \alpha _6 {\mathop {=}\limits ^{?}} C_{r_a}^{s_e} H^{s_\delta } G^{s_{\beta }} C_{\rho _B}^{-c}, \quad \alpha _7 {\mathop {=}\limits ^{?}} C_{\rho _B}^c G^{s_{\rho _B}}H^{s_{\rho _B'}},\\{} & {} s_e {\mathop {\in }\limits ^{?}} \left[ -2^{\lambda _{z}+ \lambda _{s}+ \mu +1}, 2^{\lambda _{z}+ \lambda _{s}+ \mu +1} \right] . \end{aligned}$$
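As an added illustration (not code from the paper or from its library), the following Python script runs the protocol above end to end over a toy RSA group: it builds the accumulator \(\textsf{Acc}= G^{\textsf{prod}}\), derives the non-membership witness (D, b) from the Bézout coefficients of e and \(\textsf{prod}\), and then executes the prover's commitment, challenge and response steps against the verifier's group equations and the range check on \(s_e\). The parameter sizes, the modulus and the set of primes are constructed toy values, and set elements are taken to be primes directly rather than hashed with \(\textsf{H}_{\textsf{prime}}\).

```python
"""Added example (not the paper's code): an honest run of the Sigma-protocol for R_Coprime
of Sect. 5.4 over a toy RSA group. Parameters, modulus and set are constructed and insecure."""
import secrets
from math import gcd, prod

LAMBDA_S, LAMBDA_Z, MU = 8, 16, 12     # challenge bits, statistical-ZK bits, bit bound on e (LAMBDA_S + 1 < MU)
N = 1019 * 1187                        # toy safe primes 2*509+1 and 2*593+1 (constructed)
SET_PRIMES = [1009, 1013, 1021, 1031]  # constructed set, already mapped to primes of at most MU bits


def egcd(a, b):
    """Extended Euclid: (g, x, y) with x*a + y*b = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1, y0, y1 = x1, x0 - q * x1, y1, y0 - q * y1
    return a, x0, y0


def mul(*xs):
    """Product modulo N."""
    out = 1
    for x in xs:
        out = out * x % N
    return out


def sym_rand(bound):
    """Uniform integer in the open interval (-bound, bound), as in the prover's sampling."""
    return secrets.randbelow(2 * bound - 1) - (bound - 1)


def rand_qr():
    """Random quadratic residue different from 1 (square of a random unit mod N)."""
    while True:
        x = secrets.randbelow(N)
        if gcd(x, N) == 1 and pow(x, 2, N) != 1:
            return pow(x, 2, N)


def commit(G, H, v, rnd):
    """G^v H^rnd mod N; Python's pow accepts negative exponents for units mod N."""
    return mul(pow(G, v, N), pow(H, rnd, N))


def nonmember_witness(G, set_primes, e):
    """(D, b) with D^e Acc^b = G for Acc = G^prod; exists iff gcd(e, prod) == 1."""
    g, a, b = egcd(e, prod(set_primes))          # a*e + b*prod = 1 when e is not in the set
    if g != 1:
        raise ValueError("e divides prod: e is a member, no non-membership witness")
    return pow(G, a, N), b                       # D^e Acc^b = G^(a e + b prod) = G


def has_nonmember_witness(G, set_primes, e):
    try:
        return nonmember_witness(G, set_primes, e) is not None
    except ValueError:
        return False


def prover_first(G, H, Acc, e, r, D, b):
    """Step 1 (hiding C_a, C_ra, C_B, C_rhoB) and the first Sigma message alpha_2..alpha_7."""
    r_a, r_a2, rho_B, rho_B2 = (secrets.randbelow(N // 4) for _ in range(4))
    C_a, C_ra = mul(D, pow(H, r_a, N)), commit(G, H, r_a, r_a2)
    C_B, C_rhoB = mul(pow(Acc, b, N), pow(H, rho_B, N)), commit(G, H, rho_B, rho_B2)
    big, mid = 1 << (LAMBDA_Z + LAMBDA_S + MU), (N // 4) << (LAMBDA_Z + LAMBDA_S)
    r_b, r_e = sym_rand(big), sym_rand(big)
    r_rhoB, r_r, r_ra, r_ra2, r_rhoB2 = (sym_rand(mid) for _ in range(5))
    r_beta, r_delta = sym_rand(mid << MU), sym_rand(mid << MU)
    alphas = (mul(pow(Acc, r_b, N), pow(H, r_rhoB, N)),                        # alpha_2
              commit(G, H, r_e, r_r),                                           # alpha_3
              commit(G, H, r_ra, r_ra2),                                        # alpha_4
              mul(pow(C_a, r_e, N), pow(H, r_beta, N)),                         # alpha_5
              mul(pow(C_ra, r_e, N), pow(G, r_beta, N), pow(H, r_delta, N)),    # alpha_6
              commit(G, H, r_rhoB, r_rhoB2))                                    # alpha_7
    state = dict(e=e, r=r, b=b, r_a=r_a, r_a2=r_a2, rho_B=rho_B, rho_B2=rho_B2, r_b=r_b, r_e=r_e,
                 r_rhoB=r_rhoB, r_r=r_r, r_ra=r_ra, r_ra2=r_ra2, r_rhoB2=r_rhoB2, r_beta=r_beta, r_delta=r_delta)
    return (C_a, C_ra, C_B, C_rhoB), alphas, state


def prover_respond(s, c):
    """s_x = r_x - c*x for the committed values; s_beta and s_delta absorb the cross terms."""
    return (s["r_b"] - c * s["b"], s["r_e"] - c * s["e"], s["r_rhoB"] - c * s["rho_B"],
            s["r_r"] - c * s["r"], s["r_ra"] - c * s["r_a"], s["r_ra2"] - c * s["r_a2"],
            s["r_rhoB2"] - c * s["rho_B2"],
            s["r_beta"] + c * (s["e"] * s["r_a"] + s["rho_B"]),
            s["r_delta"] + c * (s["e"] * s["r_a2"] + s["rho_B2"]))


def verify(G, H, Acc, C_e, comms, alphas, c, resp):
    """The verifier's six group equations plus the range check on s_e."""
    C_a, C_ra, C_B, C_rhoB = comms
    a2, a3, a4, a5, a6, a7 = alphas
    s_b, s_e, s_rhoB, s_r, s_ra, s_ra2, s_rhoB2, s_beta, s_delta = resp
    bound = 1 << (LAMBDA_Z + LAMBDA_S + MU + 1)
    return (a2 == mul(pow(C_B, c, N), pow(Acc, s_b, N), pow(H, s_rhoB, N))
            and a3 == mul(pow(C_e, c, N), pow(G, s_e, N), pow(H, s_r, N))
            and a4 == mul(pow(C_ra, c, N), pow(G, s_ra, N), pow(H, s_ra2, N))
            and a5 == mul(pow(C_a, s_e, N), pow(H, s_beta, N), pow(G, c, N), pow(C_B, -c, N))
            and a6 == mul(pow(C_ra, s_e, N), pow(H, s_delta, N), pow(G, s_beta, N), pow(C_rhoB, -c, N))
            and a7 == mul(pow(C_rhoB, c, N), pow(G, s_rhoB, N), pow(H, s_rhoB2, N))
            and -bound <= s_e <= bound)


def run_protocol(set_primes, e, tamper=False):
    """One honest interactive run; returns the verifier's decision (tamper=True perturbs s_e)."""
    G, H = rand_qr(), rand_qr()
    Acc = pow(G, prod(set_primes), N)            # partial opening: both sides know Acc = G^prod
    D, b = nonmember_witness(G, set_primes, e)
    r = secrets.randbelow(N // 4)
    C_e = commit(G, H, e, r)                     # the statement's commitment to e
    comms, alphas, st = prover_first(G, H, Acc, e, r, D, b)
    c = secrets.randbelow(1 << LAMBDA_S)         # verifier's challenge
    resp = list(prover_respond(st, c))
    if tamper:
        resp[1] += 1
    return verify(G, H, Acc, C_e, comms, alphas, c, resp)
```

Running `run_protocol(SET_PRIMES, 1033)` accepts, while a transcript whose \(s_e\) is perturbed is rejected by the \(\alpha _3\) equation, and a member such as 1013 has no witness at all because \(\gcd (e, \textsf{prod}) = e \ne 1\). The inverse powers \(C_B^{-c}\) and \(C_{\rho _B}^{-c}\) in the fourth and fifth checks are what make the honest \(\alpha _5\) and \(\alpha _6\) verify once the responses are substituted.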

5.4.1 Correctness
Here we show the correctness of the protocol (Fig. 12).
5.4.2 Security
Security of our scheme holds with the partial opening of \(\textsf{Acc}\), i.e., when it is ensured outside the protocol that \(\textsf{Acc}\) is a valid commitment of the set. The proof is similar to the one of Theorem 4.6. The main technical difference is in the extraction of the opening of \(C_B\), because \(\textsf{Acc}\) is not a random generator sampled at the setup phase. However, from partial opening we know that it is \(\textsf{Acc}= G^{\textsf{prod}}\) for a random generator G. This will allow us to state an alternative to Lemma 4.2 to justify the extraction of the opening of \(C_B\).
Theorem 5.4
Let \(\mathbb {Z}_N^*\) be an RSA group where the strong RSA assumption holds. Then the above protocol is an honest-verifier zero-knowledge protocol and, if \(\lambda _{s}+ 1 < \mu \) and \(\lambda _{s}< \log (N)/2\), it is knowledge-sound with partial opening of \(\textsf{Acc}\) for \(R_{\textsf{Coprime}}\).
Proof
Zero-knowledge can be proven with standard techniques, similar to the ones in the proof of Theorem 4.6, and is therefore omitted.
For knowledge soundness, let \(\mathcal {A}\) be a knowledge-soundness adversary that convinces the verifier \(\mathcal {V}\) with probability at least \(\epsilon \). We will construct an extractor \(\mathcal {E}\) that extracts the witness \((e,r,r_2,r_3,\beta ,\delta )\). Using rewinding, \(\mathcal {E}\) gets two accepting transcripts
on two different challenges c and \(c'\). \(\mathcal {E}\) aborts if it cannot get two such transcripts (\(\textsf {abort}1\)).
We denote \(\varDelta c :=c'-c\), \(\varDelta s_b :=s_b - s_b'\), \(\varDelta s_e :=s_e - s_e'\), \(\varDelta s_{\rho _B} :=s_{\rho _B} - s_{\rho _B}'\), \(\varDelta s_r :=s_r - s_r'\), \(\varDelta s_{r_a} :=s_{r_a} - s_{r_a}'\), \(\varDelta s_{r_a'} :=s_{r_a'} - s_{r_a'}'\), \(\varDelta s_{\rho _B'} :=s_{\rho _B'} - s_{\rho _B'}'\), \(\varDelta s_\beta :=s_\beta - s_\beta '\), \(\varDelta s_\delta :=s_\delta - s_\delta '\) and
define the (possibly rational) numbers \(\hat{b} :=\frac{\varDelta s_b}{\varDelta c}\), \(\hat{e} :=\frac{\varDelta s_e}{\varDelta c}\), \(\hat{r} :=\frac{\varDelta s_r}{\varDelta c}\), \(\hat{r_a} :=\frac{\varDelta s_{r_a}}{\varDelta c}\), \(\hat{r_a'} :=\frac{\varDelta s_{r_a'}}{\varDelta c}\), \(\hat{\rho _B} :=\frac{\varDelta s_{\rho _B}}{\varDelta c}\), \(\hat{\rho _B'} :=\frac{\varDelta s_{\rho _B'}}{\varDelta c}\).
\(\mathcal {E}\) aborts in case \(\varDelta c\) does not divide \(\varDelta s_e\) and \(\varDelta s_r\) (\(\textsf {abort}\, 2a\)), \(\varDelta s_{r_a}\) and \(\varDelta s_{r_a'}\) (\(\textsf {abort}\, 2b\)), or \(\varDelta s_{\rho _B}\) and \(\varDelta s_{\rho _B'}\) (\(\textsf {abort}\, 2c\)). Finally, \(\mathcal {E}\) aborts if \(\varDelta c\) does not divide \(\varDelta s_b\) and \(\varDelta s_{\rho _B}\) (\(\textsf {abort}\, 2d\)). If none of these aborts happens, we can infer the equivalent equalities on the right of Eqs. 2, 3, 6 and 1.
Replacing Eqs. 3 and 6 in Eq. 5 we get \(1 = \left( \pm G^{\hat{r_a}}H^{\hat{r'_a}} \right) ^{\varDelta s _e} H^{\varDelta s_\delta } G^{\varDelta s_\beta } \left( \pm G^{\hat{\rho _B}}H^{\hat{\rho '_B}} \right) ^{\varDelta c}\), i.e., \(1 = (\pm 1)^{\varDelta s_e} (\pm 1)^{\varDelta c} G^{\hat{r_a} \varDelta s_e + \hat{\rho _B} \varDelta c + \varDelta s_\beta } H^{\hat{r_a'} \varDelta s_e + \hat{\rho _B'} \varDelta c + \varDelta s_\delta }\). Since G, H and 1 are quadratic residues, \((\pm 1)^{\varDelta s_e} (\pm 1)^{\varDelta c} = 1\), hence \(1 = G^{\hat{r_a} \varDelta s_e + \hat{\rho _B} \varDelta c + \varDelta s_\beta } H^{\hat{r_a'} \varDelta s_e + \hat{\rho _B'} \varDelta c + \varDelta s_\delta }\). Then under the DLOG assumption \(\hat{r_a} \varDelta s_e + \hat{\rho _B} \varDelta c + \varDelta s_\beta = 0 = \hat{r_a'} \varDelta s_e + \hat{\rho _B'} \varDelta c + \varDelta s_\delta \), which gives us that
Finally, replacing Eqs. 1 and 7 in Eq. 4 we get \(1 = C_a^{\varDelta s_e} H^{-\hat{r_a} \varDelta s_e - \hat{\rho _B} \varDelta c} G^{-\varDelta c} \left( \pm \textsf{Acc}^{\hat{b}}H^{\hat{\rho _B}} \right) ^{\varDelta c}\), i.e., \(1 = (\pm 1)^{\varDelta c} C_a^{\varDelta s_e} \textsf{Acc}^{\hat{b} \varDelta c} G^{-\varDelta c} H^{-\hat{r_a} \varDelta s_e}\), i.e., \(\left( \pm \textsf{Acc}^{\hat{b}}G^{-1} \right) ^{\varDelta c} = \left( C_a^{-1} H^{\hat{r_a}} \right) ^{\varDelta s_e}\). As noted above, \(\varDelta c\) divides \(\varDelta s_e\), so \(\pm \textsf{Acc}^{\hat{b}}G^{-1} = \pm \left( C_a^{-1} H^{\hat{r_a}} \right) ^{\hat{e}} \Rightarrow \textsf{Acc}^{\hat{b}}G^{-1} = \pm \left( C_a^{-1} H^{\hat{r_a}} \right) ^{\hat{e}} \Rightarrow \left( \frac{C_a}{H^{\hat{r_a}}} \right) ^{\hat{e}}\textsf{Acc}^{\hat{b}} = \pm G\). We discern two cases:

\(\underline{\left( \frac{C_a}{H^{\hat{r_a}}} \right) ^{\hat{e}}\textsf{Acc}^{\hat{b}} = + G}\): Then \(\mathcal {E}\) sets \(\tilde{D} \leftarrow \frac{C_a}{H^{\hat{r_a}}}\), \(\tilde{e} \leftarrow \hat{e} :=\frac{\varDelta s_e}{\varDelta c}\), \(\tilde{r} \leftarrow \hat{r} :=\frac{\varDelta s_r}{\varDelta c}\) and \(\tilde{b} \leftarrow \hat{b} :=\frac{\varDelta s_b}{\varDelta c}\).

\(\underline{\left( \frac{C_a}{H^{\hat{r_a}}} \right) ^{\hat{e}}\textsf{Acc}^{\hat{b}} = -G}\): Then \(\hat{e}\) must be odd, since if \(\hat{e} = 2 \rho \) then \(-G = \left( \frac{C_a}{H^{\hat{r_a}}} \right) ^{2\rho }\textsf{Acc}^{\hat{b}}\) would be a quadratic residue, which \(-G\) is not. So \(\mathcal {E}\) sets \(\tilde{D} \leftarrow -\frac{C_a}{H^{\hat{r_a}}}\), \(\tilde{e} \leftarrow \hat{e} :=\frac{\varDelta s_e}{\varDelta c}\), \(\tilde{r} \leftarrow \hat{r} :=\frac{\varDelta s_r}{\varDelta c}\) and \(\tilde{b} \leftarrow \hat{b} :=\frac{\varDelta s_b}{\varDelta c}\). It is clear that \(\tilde{D}^{\tilde{e}} \textsf{Acc}^{\tilde{b}} = G\).
Finally, \(\mathcal {E}\) outputs \((\tilde{e},\tilde{r}, \tilde{D}, \tilde{b})\).
Now we show that the probability that the extractor terminates outputting a valid witness is \(O(\epsilon )\). If the extractor does not abort then it clearly outputs a valid witness (under the factoring assumption). For the first abort, a standard argument shows that the extractor is able to extract two accepting transcripts with probability \(O(\epsilon )\) (for the probabilistic analysis we refer to [31]). Thus \(Pr[\textsf {abort}1] = 1 - O(\epsilon )\). The aborts \(\textsf {abort}\, 2a\), \(\textsf {abort}\, 2b\) and \(\textsf {abort}\, 2c\) happen with negligible probability (\( \le \frac{2}{1- 2^{-\lambda _{s}+1}} Pr[\mathcal {B} \text { solves } sRSA]\) each, for any PPT adversary \(\mathcal {B}\)) under the strong RSA assumption, according to Lemma 4.2. For \(\textsf {abort}\, 2d\) we cannot directly use the same lemma, as \(\textsf{Acc}\) is not a random generator that is part of the \(\textsf{crs}\). However, with a similar argument and using partial extractability we show below that the probability of this abort is the same. Putting them together, the probability of success of \(\mathcal {E}\) is at least \(O(\epsilon ) - \frac{8}{1- 2^{-\lambda _{s}+1}} Pr[\mathcal {B} \text { solves } sRSA] = O(\epsilon ) - \textsf{negl}(\lambda _{s})\).
For Eq. 1, we get from partial opening that \(\textsf{Acc}= G^{\textsf{prod}_{P}}\), where \(P:=\{ \textsf{H}_{\textsf{prime}}(u) \mid u\in U\}\), so
We use an argument similar to [31] to prove that \(\varDelta c\) divides \(\varDelta s_b\) and \(\varDelta s_{\rho _B}\) under the strong RSA assumption, given that \(\lambda _{s}+ 1 < \mu \). Then
Lemma 5.1
Let \(\lambda _{s}+ 1 < \mu \) and \(\lambda _{s}< \log (N)/2\) then \(\varDelta c\) divides \(\varDelta s_b\) and \(\varDelta s_{\rho _B}\) under the strong RSA assumption.
Proof
An adversary against the strong RSA assumption receives \(H \in \textsf{QR}_N\) and does the following: it sets \(G = H^\tau \) for \(\tau {\leftarrow }{\$}\,[0,2^{\lambda _{s}} N^2]\) and sends (G, H) to the adversary \(\mathcal {A}\), which outputs a proof \(\pi _{\textsf{Coprime}}\). Then we rewind to get another successful proof \(\pi _{\textsf{Coprime}}'\) and use the extractor as above to get \(C_B^{\varDelta c} = G^{\prod _{u\in U} \textsf{H}_{\textsf{prime}}(u) \cdot \varDelta s_b} H^{\varDelta s_{\rho _B}}\) or
We can exclude the case that \(\varDelta c\) divides \(\prod _{u\in U} \textsf{H}_{\textsf{prime}}(u)\), since \(\varDelta c\) is smaller than the domain of the hash function \(\textsf{H}_{\textsf{prime}}\), i.e. \(\varDelta c < \textsf{H}_{\textsf{prime}}(u)\) for each \(u\in U\), which follows from \(\lambda _{s}+ 1 < \mu \). Assume that \(\varDelta c \not \mid \varDelta s_b \vee \varDelta c \not \mid \varDelta s_{\rho _B}\). We discern two cases:

\(\varDelta c\) doesn’t divide \(\tau \prod _{u\in U} \textsf{H}_{\textsf{prime}}(u) \cdot \varDelta s_b + \varDelta s_{\rho _B}\): then \(\gcd (\varDelta c, \tau \prod _{u\in U} \textsf{H}_{\textsf{prime}}(u) \cdot \varDelta s_b + \varDelta s_{\rho _B} ) {=} g\) and there are \(\chi , \psi \) such that \(\chi \cdot \varDelta c {+} \psi \cdot \left( \tau \prod _{u\in U} \textsf{H}_{\textsf{prime}}(u) \cdot \varDelta s_b + \varDelta s_{\rho _B} \right) = g\). Thus
$$\begin{aligned} H^g = H^{\chi \cdot \varDelta c + \psi \cdot \left( \tau \prod _{u\in U} \textsf{H}_{\textsf{prime}}(u) \cdot \varDelta s_b + \varDelta s_{\rho _B} \right) } = H^{\chi \varDelta c} \cdot C_B^{\psi \varDelta c} = \left( H^{\chi } \cdot C_B^{\psi }\right) ^{\varDelta c}. \end{aligned}$$Since g divides \(\varDelta c\) we get \(H = \pm \left( H^{\chi } \cdot C_B^{\psi }\right) ^{\frac{\varDelta c}{g}}\). However, H is a quadratic residue (and so is \(C_B\)), meaning that \(H = \left( H^{\chi } \cdot C_B^{\psi }\right) ^{\frac{\varDelta c}{g}}\); thus \((H^{\chi } \cdot C_B^{\psi },\frac{\varDelta c}{g})\) is a solution to the strong RSA problem.

\(\varDelta c\) divides \(\tau \prod _{u\in U} \textsf{H}_{\textsf{prime}}(u) \cdot \varDelta s_b + \varDelta s_{\rho _B}\): let \(q^\ell \) be the maximal q-power that divides \(\varDelta c\) (i.e. \(q^\ell \) is a factor of \(\varDelta c\)) and does not divide at least one of \(\varDelta s_b\) and \(\varDelta s_{\rho _B}\), where q is prime. Such a \(q^\ell \) must exist, otherwise \(\varDelta c\) would divide both \(\varDelta s_b\) and \(\varDelta s_{\rho _B}\), contrary to our assumption. Notice that if \(q^\ell \) divided \(\varDelta s_b\) then it would also divide \(\varDelta s_{\rho _B}\), as \(q^\ell \) divides \(\tau \prod _{u\in U} \textsf{H}_{\textsf{prime}}(u) \cdot \varDelta s_b + \varDelta s_{\rho _B}\) (from the assumption), so \(q^\ell \not \mid \varDelta s_b\).
$$\begin{aligned} q^\ell \mid \left( \tau \prod _{u\in U} \textsf{H}_{\textsf{prime}}(u) \cdot \varDelta s_b + \varDelta s_{\rho _B} \right) \Rightarrow \tau \prod _{u\in U} \textsf{H}_{\textsf{prime}}(u) \cdot \varDelta s_b + \varDelta s_{\rho _B} = 0 \pmod {q^\ell }. \end{aligned}$$We can write \(\tau :=\tau _1 + \tau _2 \, \textsf{ord}(H)\). Notice that \(\tau _2\) is information theoretically hidden to the adversary and thus is uniformly random in \([0,2^{\lambda _{s}} N^2/\textsf{ord}(H)] \supset [0,2^{\lambda _{s}} N]\) in its view.
$$\begin{aligned}{} & {} \Rightarrow \tau _1 \prod _{u\in U} \textsf{H}_{\textsf{prime}}(u) \cdot \varDelta s_b + \tau _2 \textsf{ord}(H) \prod _{u\in U} \textsf{H}_{\textsf{prime}}(u) \cdot \varDelta s_b + \varDelta s_{\rho _B} = 0 \pmod {q^\ell }\\{} & {} \Rightarrow \tau _2 \cdot \varDelta s_b = \left( -\tau _1 \prod _{u\in U} \textsf{H}_{\textsf{prime}}(u) \cdot \varDelta s_b - \varDelta s_{\rho _B}\right) \\ {}{} & {} \quad \cdot \left( \prod _{u\in U} \textsf{H}_{\textsf{prime}}(u) \right) ^{-1} \cdot \left( \textsf{ord}(H) \right) ^{-1} \pmod {q^\ell }. \end{aligned}$$To see that \(\prod _{u\in U} \textsf{H}_{\textsf{prime}}(u)\) has an inverse modulo \(q^\ell \), note that \(\varDelta c < \textsf{H}_{\textsf{prime}}(u)\) implies \(q^{\ell } < \textsf{H}_{\textsf{prime}}(u)\), so \(\gcd (\prod _{u\in U} \textsf{H}_{\textsf{prime}}(u), q^\ell ) = 1\). For the inverse of \(\textsf{ord}(H)\) note that \(H \in \textsf{QR}_N\), so \(\textsf{ord}(H) \in \{q_1,q_2,q_1q_2\}\), where \(N = (2q_1+1)(2q_2+1)\) is the RSA modulus. Then from \(\lambda _{s}< \log (N)/2\) we get \(\varDelta c < q_1,q_2\) and thus \(\gcd (\textsf{ord}(H), q^\ell ) = 1\).
As noted above, \(\tau _2\) is uniformly random in a superset of \([0,2^{\lambda _{s}} N]\). But \(q^\ell< \varDelta c < N\), so \(2^{\lambda _{s}} N\) is at least \(2^{\lambda _{s}}\) times larger than \(q^\ell \). Thus \(\tau _2\) is statistically close to uniform in \(\{0, 1, \dots , q^\ell -1\}\) (with \(2^{-\lambda _{s}}\) error): \(Pr_{\tau _2} [\tau _2 = C \pmod {q^\ell }] \approx \frac{1}{q^\ell }\). Furthermore, for any \(\varDelta s_b\), \(Pr_{\tau _2} [\tau _2 \cdot \varDelta s_b = C \pmod {q^\ell }] \approx \frac{1}{q^\ell } \cdot \gcd (q^\ell ,\varDelta s_b) \le \frac{1}{q^\ell } \cdot q^{\ell -1}\) (since \(q^\ell \) does not divide \(\varDelta s_b\)). This is because, for variable \(\tau _2\), the equation \(\tau _2 \varDelta s_b = C \pmod {q^\ell }\) has \(\gcd (q^\ell , \varDelta s_b )\) solutions.
In conclusion, the probability that the above equation holds is at most \(\frac{1}{q} + 2^{-\lambda _{s}} \le \frac{1}{2} + 2^{-\lambda _{s}}\).
To summarize, we showed that the probability of falling into the second case is at most \(\frac{1}{2} + 2^{-\lambda _{s}}\). So the probability of falling into the first case, and thus of solving the strong RSA problem, is at least \(\frac{1}{2} - 2^{-\lambda _{s}}\). \(\square \)
By an argument identical to the one of Sect. 4.5, we can also bound the range of the extracted \(\tilde{e}\): \(s_e \in \left[ -2^{\lambda _{z}+ \lambda _{s}+ \mu +1}, 2^{\lambda _{z}+ \lambda _{s}+ \mu +1} \right] \) implies \(-2^{\lambda _{z}+ \lambda _{s}+ \mu +2} \le \hat{e} \le 2^{\lambda _{z}+ \lambda _{s}+ \mu +2}\). \(\square \)
6 A CP-SNARK for set membership in bilinear groups
In this section we propose another CP-SNARK, called \(\textsf{Mem}\textsf {CP}_{\textsf{VC}}\), for the set membership relation, which works in bilinear groups. Unlike the schemes of Sect. 4, the CP-SNARK given in this section does not have short parameters; specifically, its CRS is linear in the size of the sets to be committed. On the other hand, it enjoys other features that are not satisfied by our previous schemes (nor by other schemes in the literature): first, it works solely in bilinear groups, without having to deal with RSA groups; second, it allows one to commit to the set in a hiding manner and, for the sake of soundness, the set does not need to be opened by the adversary. This is possible thanks to the fact that the set is committed in a way that (under a knowledge assumption) guarantees that the prover knows the set.
More in detail, \(\textsf{Mem}\textsf {CP}_{\textsf{VC}}\) is a CP-SNARK for set membership where set elements are elements of the large field \(\mathbb {F}= \mathbb {Z}_q\), where \(q\) is the order of the bilinear groups, so \(\mathcal {D}_{\textsf{elm}} = \mathbb {F}\). In terms of sets, it supports all the subsets of \(2^{\mathcal {D}_{\textsf{elm}}}\) of cardinality bounded by n, \(\mathcal {D}_{\textsf{set}} = \{U\in 2^{\mathcal {D}_{\textsf{elm}}}: \#U\le n\} \), which we denote by \(\mathcal {S}_n\), where the \(\#\) symbol denotes the cardinality of a set. So \(U\) has elements in \(\mathbb {F}\) and is a subset of \(\mathcal {S}_n\).
6.1 Preliminaries and building blocks
6.1.1 Bilinear groups
A bilinear group generator \(\mathcal{B}\mathcal{G}(1^\lambda )\) outputs \((q, \mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T, e)\), where \(\mathbb {G}_1\), \(\mathbb {G}_2\), \(\mathbb {G}_T\) are additive groups of prime order q, and \(e: \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\) is an efficiently computable, non-degenerate, bilinear map. For ease of exposition we present our results with Type-1 groups, where we assume that \(\mathbb {G}_1 = \mathbb {G}_2\). Our results are under the \((\ell + 1)d\)-Strong Diffie-Hellman and the \((d, \ell )\)-Extended Power Knowledge of Exponent assumptions, for which we refer the reader to [77].
6.1.2 A polynomial-Pedersen type-based commitment scheme
First we present \(\textsf{PolyCom}\), a type-based commitment scheme that was introduced in [18] and extracted from the verifiable polynomial delegation scheme of [77]. The scheme has two types: one for \(\ell \)-variate polynomials \(f:\mathbb {F}^\ell \rightarrow \mathbb {F}\) over \(\mathbb {F}\) of variable degree at most d, and one which is a standard Pedersen commitment for field elements. Let \(\mathcal {W}_{\ell ,d}\) be the set of all multisets of \(\{1, \dots , \ell \}\) in which the multiplicity of each element is at most d. The scheme is described in Fig. 13.
Theorem 6.1
Under the \((\ell + 1)d\)-Strong Diffie-Hellman and the \((d, \ell )\)-Extended Power Knowledge of Exponent assumptions, \(\textsf{PolyCom}\) is an extractable trapdoor commitment scheme.
For the proof we refer to [18, 77].
6.1.3 Input-hiding CP-SNARK for polynomial evaluation
The main building block of our main protocol is a CP-SNARK \(\textsf {CP}_{\textsf{PolyEval}}\) for the type-based commitment \(\textsf{PolyCom}\). Loosely speaking, the idea is to commit to the input \(\varvec{t}\) and the output y of a polynomial (with Pedersen commitments), further commit to the polynomial f itself (with a polynomial commitment), and then prove that the opening of the committed polynomial evaluated on the opening of the committed input gives the committed output. The relation of the protocol is \(R_{\textsf{PolyEval}}((t_k)_{k \in [\ell ]},f,y)=1 \) iff \(f(t_1,\dots ,t_\ell )=y\):
\(\varvec{\mathsf R}=(\textsf{ck},R_{\textsf{PolyEval}})\) where \(\varvec{\mathsf R}\) is over
We will present a CP-SNARK for this relation, \(\textsf {CP}_\textsf{PolyEval}\), in Sect. 6.3. \(\textsf {CP}_\textsf{PolyEval}\) is based on a similar protocol for polynomial evaluation given in [18], which was in turn based on the verifiable polynomial delegation scheme of zk-vSQL [77]. In those protocols, however, the input \(\textbf{t}\) is public, whereas in ours we can keep it private and committed.
6.1.4 Range proof CP-NIZK
We make use of \(\textsf {CP}_\textsf{Range}\), a CP-NIZK for the following relation on \(\textsf{PedCom}\) commitments \(c\) and two given integers \(A<B\):
\(\textsf {CP}_{\textsf{Range}}\) can have various instantiations such as Bulletproofs [13].
6.1.5 Multilinear extensions of vectors
Let \(\mathbb {F}\) be a field and \(n=2^\ell \). The multilinear extension of a vector \(\varvec{a}=(a_0,\dots ,a_{n-1})\) in \(\mathbb {F}\) is the polynomial \(f_{\varvec{a}}:\mathbb {F}^\ell \rightarrow \mathbb {F}\) in the variables \(x_1,\dots ,x_\ell \) defined as
where \(i_\ell i_{\ell -1} \dots i_{2} i_{1}\) is the bit representation of i and \( \textsf{select}_{i_k}(x_k)= {\left\{ \begin{array}{ll} x_k, &{} \text {if } i_k=1\\ 1-x_k, &{} \text {if } i_k=0. \end{array}\right. }\)
A property of the multilinear extension of \(\varvec{a}\) is that \(f_{\varvec{a}}(i_1,\dots ,i_\ell )=a_i\) for each \(i \in [n]\).
6.1.6 The type-based commitment scheme of \(\textsf{Mem}\textsf {CP}_{\textsf{VC}}\)
We define the type-based commitment \(\textsf{C}_{EdraxPed}\) for our CP-SNARK \(\textsf{Mem}\textsf {CP}_{\textsf{VC}}\). Recall that we need a commitment that allows one to commit to both elements and sets. We build this on a hiding variant of the EDRAX vector commitment [23], which in turn relies on a polynomial commitment. Therefore, we use a special case of \(\textsf{PolyCom}\) for polynomials of maximum variable degree \(d = 1\). Let \(\ell :=\lceil \log (n) \rceil \) and let \(2^{[\ell ]}\) be the powerset of \([\ell ]=\{1,...,\ell \}\); then \(\mathcal {W}_{\ell ,1} = 2^{[\ell ]}\). Furthermore, for any \(n' \le n\) let \(L:\mathcal {S}_{n'} \rightarrow \mathbb {F}^{n'}\) be a function that maps a set of cardinality \(n'\) to its corresponding vector according to an ordering. The description of the scheme can be found in Fig. 14. Essentially, the idea is to take the set, fix some ordering so that we can encode it with a vector, and then commit to that vector using the vector commitment of [23], which in turn commits to a vector by committing to its multilinear extension polynomial.
6.2 CP-SNARK for set membership using the EDRAX vector commitment
Here we present a CP-SNARK for set membership that uses a vector commitment, an EDRAX [23] variant, to commit to a set. The idea is to transform a set into a vector (using, for example, lexicographic order) and then commit to the vector with a vector commitment. Set membership is then proven with a zero-knowledge proof of opening of the corresponding position of the vector. However, to preserve zero-knowledge we additionally need to hide the position of the element. For this we construct a zero-knowledge proof of knowledge of an opening of a position that does not reveal the position. Finally, since the position is hidden, we additionally need to ensure that the prover is not cheating by providing a proof for a position that exceeds the length of the vector. For this we also need a range proof for the position, i.e. that \(i < n\).
In this section the domain of the elements is a field, \(\mathcal {D}_{\textsf{elm}} :=\mathbb {F}\), and the domain of the set is all the subsets of \(2^{\mathcal {D}_{\textsf{elm}}}\) of cardinality bounded by n, \(\mathcal {D}_{\textsf{set}} = \{U\in 2^{\mathcal {D}_{\textsf{elm}}}: \#U\le n\} \), which we denote by \(\mathcal {S}_n\) (the \(\#\) symbol denotes the cardinality of a set). So \(U\) has elements in \(\mathbb {F}\) and is a subset of \(\mathcal {S}_n\).
The type-based commitment of our scheme is \(\textsf{C}_{EdraxPed}\) (Fig. 14), presented in the previous section, and the relation is
\(\varvec{\mathsf R}=(\textsf{ck},R_{\textsf{VCmem}})\) where \(\varvec{\mathsf R}\) is over
\( R_{\textsf{VCmem}}(\#U,\left( y,(i_k)_{k \in [\ell ]},U\right) )= 1\) iff \(y =L(U)[i] \wedge i < \#U\wedge i=\sum _{k=1}^{\ell } i_k 2^{k-1}\).
Note that in the above the prover should normally give exactly \(\ell = \lceil \log (\#U) \rceil \) commitments. In case \(\ell <\lceil \log (\#U) \rceil \) the position is not fully hidden, since it is implicit that \(i < 2^{\ell -1}\), so the verifier gets partial information about the position.
For this we compose a CP-SNARK \(\textsf {CP}_{\textsf{PolyEval}}\) and a CP-NIZK \(\textsf {CP}_{\textsf{Range}}\) for the relations \(R_{\textsf{PolyEval}}((i_k)_{k \in [\ell ]},f,y)=1\) iff \(f(i_1,\dots ,i_\ell )=y\) and \(R_{\textsf{Range}}(T,(i_k)_{k \in [\ell ]}) = 1\) iff \(i<T\), respectively, with the commitment scheme \(\textsf{C}_{EdraxPed}\). So \(\textsf {CP}_{\textsf{VCmem}}\) is a conjunction of the two, where the common commitments are \((c_{i_k})_{k \in [\ell ]}\) (Fig. 15).
Theorem 6.2
Let \(\textsf {CP}_{\textsf{PolyEval}}\) and \(\textsf {CP}_{\textsf{Range}}\) be zero-knowledge CP-SNARKs for the relations \(R_{\textsf{PolyEval}}\) and \(R_{\textsf{Range}}\), respectively, under the commitment scheme \(\textsf{PolyCom}\). Then the above scheme is a zero-knowledge CP-SNARK for the relation \(R_{\textsf{VCmem}}\) and the commitment scheme \(\textsf{C}_{EdraxPed}\). Further, it is a CP-SNARK for \(R_{\textsf{mem}}\) under the same commitment scheme.
Proof
Zero-knowledge follows directly from the zero-knowledge of \(\textsf {CP}_{\textsf{PolyEval}}\) and \(\textsf {CP}_{\textsf{Range}}\).
For knowledge soundness, let an adversary \(\mathcal {A}(\varvec{\mathsf R},\textsf{crs}, \textsf{aux}_{R}, \textsf{aux}_{Z})\) output \((x, c) :=\big (\#U, (c_y,(c_{i_k})_{k \in [\ell ]}, c_{U}) \big )\) and \(\pi \) such that \(\textsf{VerProof}(\textsf{vk},\#U,(c_y,(c_{i_k})_{k \in [\ell ]}, c_{U}),\pi ) = 1\). We will construct an extractor \(\mathcal {E}\) that on input \((\varvec{\mathsf R},\textsf{crs}, \textsf{aux}_{R}, \textsf{aux}_{Z})\) outputs a valid witness \(w :=\big ((y,(i_k)_{k \in [\ell ]},U),(r_y,(r_{i_k})_{k \in [\ell ]}, r_{U}),\varnothing \big )\).
\(\mathcal {E}\) uses the extractors \(\mathcal {E}_{\textsf{PolyEval}}\) and \(\mathcal {E}_{\textsf{Range}}\) of \(\textsf {CP}_{\textsf{PolyEval}}\) and \(\textsf {CP}_{\textsf{Range}}\). \(\mathcal {E}_{\textsf{PolyEval}}\) outputs \((y,(i_k)_{k \in [\ell ]},f)\), \((r_y,(r_{i_k})_{k \in [\ell ]},r_f)\) such that \(f(i_1,\dots ,i_{\ell }) = y \wedge \textsf{PolyCom}.\textsf{VerCommit}(\textsf{ck}, \textsf{t}_{\mathbb {F}[\varvec{s}]}, c_{U}, f, r_f)=1 \wedge \textsf{PolyCom}.\textsf{VerCommit}(\textsf{ck}, \textsf{t}_{q}, c_y, y, r_y)=1 \bigwedge _{k=1}^{\ell } \textsf{PolyCom}.\textsf{VerCommit}(\textsf{ck}, \textsf{t}_{q}, c_{i_k}, i_k, r_{i_k}) = 1\). Further, from the Extended Power Knowledge of Exponent assumption we know that f is an \(\ell \)-variate polynomial of maximum variable degree 1. Therefore it corresponds to the multilinear extension of a unique vector \(\vec {U}\), which is efficiently computable. The extractor computes the vector \(\vec {U}\) from f and the corresponding set \(U\). It is clear that, since f is the multilinear extension of \(U\) and \(\textsf{PolyCom}.\textsf{VerCommit}(\textsf{ck}, \textsf{t}_{\mathbb {F}[\varvec{s}]}, c_{U}, f, r_f)=1\), we have \(\textsf{C}_{EdraxPed}.\textsf{VerCommit}(\textsf{ck}, \textsf{t}_{U}, c_{U}, U, r_f) = 1\). That \(\textsf{C}_{EdraxPed}.\textsf{VerCommit}(\textsf{ck}, \textsf{t}_{q}, c_y, y, r_y)=1 \bigwedge _{k=1}^{\ell } \textsf{C}_{EdraxPed}.\textsf{VerCommit}(\textsf{ck}, \textsf{t}_{q}, c_{i_k}, i_k, r_{i_k}) = 1\) is straightforward from the definition of the \(\textsf{C}_{EdraxPed}\) commitment scheme for the field-element type.
\(\mathcal {E}\) uses the extractor \(\mathcal {E}_{\textsf{PolyCom}}\) of the commitment scheme \(\textsf{PolyCom}\), which outputs for each \(k = 1,\dots , \ell \) values \(i_k, r_{i_k}\) such that \(c_{i_k,1} = g^{i_k}h^{r_{i_k}} \wedge e(c_{i_k,1},g^\beta ) = e(c_{i_k,2},g)\), i.e., \(\textsf{C}_{EdraxPed}.\textsf{VerCommit}(\textsf{ck},\textsf{t}_{q}, c_{i_k},r_{i_k})=1\). \(\mathcal {E}_{\textsf{Range}}\) outputs \((i,r_i)\) such that \(i < \#U\wedge \textsf{PolyCom}.\textsf{VerCommit}(\textsf{ck}, \textsf{t}_{q}, c_i, i, r_i)=1\), which means that \(c_{i,1} = g^{i}h^{r_i}\). Since the proof \(\pi \) verifies, \(c_{i,1} = \prod _{k=1}^{\ell }(c_{i_k,1})^{2^{k-1}}\), i.e., \(g^{i}h^{r_i} = g^{\sum _{k=1}^{\ell } i_k 2^{k-1}}h^{\sum _{k=1}^{\ell } r_{i_k} 2^{k-1}}\). From the binding property of the Pedersen commitment we get that \(i = \sum _{k=1}^{\ell } i_k 2^{k-1}\) and \(r_i = \sum _{k=1}^{\ell } r_{i_k} 2^{k-1}\).
Putting everything together, the extractor outputs \(\left( (y,(i_k)_{k \in [\ell ]},U),(r_y,(r_{i_k})_{k \in [\ell ]},r_{f}),\varnothing \right) \) such that \(\textsf{C}_{EdraxPed}.\textsf{VerCommit}(\textsf{ck},\textsf{t}_{q}, c_{y},r_{y})=1 \bigwedge _{k=1}^{\ell } \textsf{C}_{EdraxPed}.\textsf{VerCommit}(\textsf{ck},\textsf{t}_{q}, c_{i_k},r_{i_k})=1 \wedge \textsf{C}_{EdraxPed}.\textsf{VerCommit}(\textsf{ck}, \textsf{t}_{U}, c_f, U, r_f) = 1\) and further \(y =L(U)[i] \wedge i < \#U\wedge i=\sum _{k=1}^{\ell } i_k 2^{k-1}\). It is straightforward that \(y =L(U)[i] \wedge i < \#U\) means that \(y \in U\), which gives \(R_{\textsf{mem}}(y,U) =1\). \(\square \)
6.3 Input-hiding CP-SNARKs for polynomial evaluation
Here we present an instantiation of a zero-knowledge CP-SNARK for the relation \(R_\textsf{PolyEval}\) presented in Sect. 6.1.
To give an intuition of the protocol, we recall that zk-vSQL uses Lemma 6.1, restated below, to prove the correct evaluation of the polynomial.
Lemma 6.1
([59]) Let \(f:\mathbb {F}^\ell \rightarrow \mathbb {F}\) be a polynomial of variable degree d. For all \(\varvec{t} :=(t_1, \dots , t_\ell ) \in \mathbb {F}^\ell \) there exist efficiently computable polynomials \(q_1, \dots , q_\ell \) such that \(f(\varvec{z}) - f(\varvec{t}) = \sum _{i=1}^{\ell }(z_i - t_i)q_i(\varvec{z})\).
With this one can verify, in time linear in the number of variables, that \(f(\varvec{t}) = y\) by checking whether \(g^{f(\varvec{t})}g^{-y} = \prod _{i=1}^{\ell } e(g^{s_i},w_i)\), given the values \(g^{f(\varvec{s})},\{g^{s_i}\}_{i=1}^{\ell }, \{w_i = g^{q_i(\varvec{s})}\}_{i=1}^{\ell }\). We are interested in the committed values of \(f\), \(y = f(\varvec{t})\) and \(\varvec{t}\), namely \(c_f, c_y, c_t\) respectively, that hide them. For this we will instead use the equation below for verification:
The equation indicates how to construct the protocol, which we present in Fig. 16.
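An added worked example (not the paper's code) that ties together the multilinear extension of Sect. 6.1.5, the set-to-vector encoding L(U) of Sect. 6.2 and the quotient decomposition of Lemma 6.1 over a toy prime field: it builds \(f_{L(U)}\) from a constructed set, checks that \(f(i_1,\dots ,i_\ell ) = L(U)[i]\) for every position, and computes the polynomials \(q_1,\dots ,q_\ell \) of Lemma 6.1 for a multilinear \(f\) by peeling off one variable at a time, then verifies the identity \(f(\varvec{z}) - f(\varvec{t}) = \sum _k (z_k - t_k) q_k(\varvec{z})\) at an arbitrary point. The field size, the ascending ordering used for L and the zero padding are this example's own choices.

```python
"""Added example (not the paper's code): multilinear extensions (Sect. 6.1.5), the set-to-vector
encoding L(U) (Sect. 6.2) and the quotients of Lemma 6.1 (Sect. 6.3) over a toy prime field."""

P = 2**61 - 1   # constructed toy prime field; the paper works over the pairing-group order q


def select(bit, x):
    """select_{bit}(x) from Sect. 6.1.5: x if bit == 1, else 1 - x."""
    return x % P if bit else (1 - x) % P


def bits(i, ell):
    """(i_1, ..., i_ell) with i = sum_k i_k 2^(k-1), the encoding used in Sect. 6.2."""
    return tuple((i >> k) & 1 for k in range(ell))


def set_to_vector(U, ell):
    """L(U): ascending order, zero-padded to n = 2^ell (ordering and padding are this example's choice)."""
    vec = sorted(U)
    if len(vec) > 1 << ell:
        raise ValueError("set larger than the vector length n = 2^ell")
    return vec + [0] * ((1 << ell) - len(vec))


def mle_eval_direct(vec, ell, x):
    """f_a(x) = sum_i a_i prod_k select_{i_k}(x_k), evaluated straight from the definition."""
    total = 0
    for i, a in enumerate(vec):
        term = a % P
        for k, bit in enumerate(bits(i, ell)):
            term = term * select(bit, x[k]) % P
        total = (total + term) % P
    return total


def mle(vec, ell):
    """The same polynomial expanded into monomials: {frozenset of variable indices: coefficient}."""
    coeffs = {}
    for i, a in enumerate(vec):
        terms = {frozenset(): a % P}
        for k, bit in enumerate(bits(i, ell)):
            new = {}
            for mono, c in terms.items():
                if bit:                                        # multiply by x_k
                    new[mono | {k}] = (new.get(mono | {k}, 0) + c) % P
                else:                                          # multiply by (1 - x_k)
                    new[mono] = (new.get(mono, 0) + c) % P
                    new[mono | {k}] = (new.get(mono | {k}, 0) - c) % P
            terms = new
        for mono, c in terms.items():
            coeffs[mono] = (coeffs.get(mono, 0) + c) % P
    return {m: c for m, c in coeffs.items() if c}


def evaluate(poly, point):
    """Evaluate a monomial-dict polynomial at a point (tuple indexed by variable)."""
    total = 0
    for mono, c in poly.items():
        term = c
        for k in mono:
            term = term * point[k] % P
        total = (total + term) % P
    return total


def quotients(poly, t, ell):
    """Lemma 6.1 for a multilinear f: q_1..q_ell with f(z) - f(t) = sum_k (z_k - t_k) q_k(z).
    Peel off one variable at a time: the current remainder g is z_k*A + B with A, B free of z_k,
    so g - g|_{z_k=t_k} = (z_k - t_k)*A; take q_k = A and continue with g|_{z_k=t_k}.
    After the last variable the remainder is the constant f(t)."""
    qs, g = [], dict(poly)
    for k in range(ell):
        A, B = {}, {}
        for mono, c in g.items():
            (A if k in mono else B)[mono - {k}] = c
        qs.append(A)
        g = dict(B)
        for mono, c in A.items():                             # g|_{z_k = t_k} = t_k*A + B
            g[mono] = (g.get(mono, 0) + t[k] * c) % P
    return qs, g.get(frozenset(), 0)


def check_lemma(U, ell, t, z):
    """True iff Lemma 6.1's decomposition holds at z for f = f_{L(U)} and the remainder equals f(t)."""
    f = mle(set_to_vector(U, ell), ell)
    qs, ft = quotients(f, t, ell)
    lhs = (evaluate(f, z) - evaluate(f, t)) % P
    rhs = sum((z[k] - t[k]) * evaluate(qs[k], z) for k in range(ell)) % P
    return lhs == rhs and ft == evaluate(f, t)
```

For the set {3, 7, 11} with \(\ell = 2\) the vector is [3, 7, 11, 0] and \(f = 3 + 4x_1 + 8x_2 - 15x_1x_2\); evaluating at the bits of each position returns the corresponding entry, and `quotients` yields \(q_1 = 4 - 15 z_2\) and \(q_2 = 8 - 15 t_1\), which is exactly what a prover would commit to as \(w_k = g^{q_k(\varvec{s})}\) in the protocol. Note that the padding value 0 is indistinguishable from a genuine element 0, which is why the scheme separately range-proves \(i < \#U\).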
Theorem 6.3
Under the \((\ell +1)d\)-Strong Diffie-Hellman and the \((d,\ell )\)-Extended Power Knowledge of Exponent assumptions, \(\textsf {CP}_{\textsf{PolyEval}}\) is a knowledge-extractable CP-SNARK for the relation \(R_{\textsf{PolyEval}}\) and the commitment scheme \(\textsf{PolyCom}\).
Proof
Below is a proof sketch, which is quite similar to the one of \(\textsf {CP}_{\textsf{poly}}\) in [18].
Knowledge soundness. The proof follows directly from the evaluation extractability of vSQL (see [77]), with the difference that here \(t_k\), for each \(k \in [\ell ]\), should also be extracted. Its extraction, however, is straightforward from the extractability of the commitment scheme.
Zero-knowledge. Consider the following proof simulator algorithm
\(\mathcal {S}_{\textsf{prv}}(\textsf{td}, c_{f}, (c_{t_k})_{k \in [\ell ]}, c_{y})\):

Use \(\textsf{td}\) to get \(\alpha \) and \(s_{\ell +1}\).

For \(k=1\) to \(\ell \), sample \(\xi _{k} {\leftarrow }{\$}\,\mathbb {Z}_{q}\) and sets \(w_k \leftarrow g^{\xi _k}\).

Compute \(w_{\ell +1}\) such that \(e\left( , _{f,1} \cdot , _{y,1}^{1},g \right) =\prod _{k=1}^{\ell } e \left( g^{s_k}{, _{t_{k},1}}^{1},w_k \right) \cdot e \left( g^{s_{\ell +1}},w_{\ell +1} \right) \) holds. That is: \(w_{\ell +1} \leftarrow \left( , _f \cdot c_y^{1} \cdot \prod _{k=1}^{\ell } \left( g^{s_k}, _{t_k,1} \right) ^{\xi _k} \right) ^{s_{\ell +1}^{1}}\).

Use \(\alpha \) to compute \(w_k'=w_k^a\) for all \(k \in [\ell +1]\).

Return \(\{w_1,...,w_\ell ,w_{\ell + 1},w_1', \dots ,w_\ell ',w_{\ell + 1}'\}\)
It is straightforward to check that proofs created by \(\mathcal {\mathcal {S}_{\textsf{prv}}}\) are identically distributed to the ones returned by \(\textsf {CP}_{\textsf{PolyEval}}.\textsf{Prove}\). \((w_k)_{k \in [\ell ]}\)’s are uniformely distributed in both cases. For \(w_{\ell +1}\) there is a function W such that \(w_{\ell +1} = W(, _{f,1},, _{y,1},\textsf{vk},(, _{t_k,1})_{k \in [\ell ]},(w_k)_{k \in [\ell ]})\) in both cases. Since the inputs are either identical or identically distributed, the outputs \(w_{\ell + 1}\) are also identically distributed in the case of of \(\mathcal {\mathcal {S}_{\textsf{prv}}}\) and \(\textsf {CP}_{\textsf{PolyEval}}.\textsf{Prove}\). \(\square \)
7 Experimental evaluation
We implemented all our RSA-based CP-SNARKs for set membership and non-membership as a Rust library, cpsnarks-set [28]. Our library is implemented in a modular fashion such that any elliptic curve from libzexe [67] and Ristretto from curve25519-dalek [54] can be used. In particular, this means that our CP-SNARKs can be easily (and efficiently) used in combination with other CP-SNARKs implemented over these elliptic curves, such as Bulletproofs [13] and LegoGroth16^{Footnote 19} [18].
In this section, we provide details on the implementation, present experimental results that validate the concrete efficiency of our solutions, and compare with existing approaches.
7.1 Implementation of cpsnarks-set
Our cpsnarks-set library includes implementations of the schemes \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\), \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\), \(\textsf{NonMem}\textsf {CP}_{\textsf{RSA}}\), and \(\textsf{NonMem}\textsf {CP}_{\textsf{RSAPrm}}\). In all the schemes, the RSA accumulator implementation is a modification of accumulator [15], and the internal protocols are implemented as interactive and made non-interactive using Merlin [33]. For \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\) and \(\textsf{NonMem}\textsf {CP}_{\textsf{RSA}}\)—where we recall set elements can be binary strings and the protocol encodes them into primes—we used our implementation of LegoGroth16 [66] on top of \(\textit{libzexe}\) to provide efficient instantiations of \(\textsf {CP}_{\textsf{HashEq}}\). For \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\) and \(\textsf{NonMem}\textsf {CP}_{\textsf{RSAPrm}}\)—where set elements are already primes and one needs to verify a claim about ranges—we implemented two instantiations of \(\textsf {CP}_{\textsf{Range}}\): one based on LegoGroth16 and one based on Bulletproofs.
Each of the protocols \(\textsf{Root}, \textsf{Coprime}, \textsf{modEq}, \textsf{HashEq}\) and the different instantiations of \(\textsf{Range}\) are implemented individually and are further composed into the higher-level membership and non-membership protocols. The higher-level protocols are modular: they can use any hash-to-prime proof—or range proof in the prime-elements case—as long as it implements the appropriate interface.
We benchmark the implementation on a desktop machine with a 3.8 GHz 6-core Intel Core i7 processor and 32 GB of RAM. The benchmark code is available at [27, 28].
7.2 CP-SNARKs for set membership
For the problem of set membership, we tested the following instantiations of our solutions using the RSA-2048 [65] modulus:
1. \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\) with LegoGroth16 for \(\textsf {CP}_{\textsf{HashEq}}\) and a Blake2s-based hash-to-prime mapping to 252-bit primes (\(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}^\textsf{LG}\));
2. \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\) with LegoGroth16 on the BLS12-381 curve for \(\textsf {CP}_{\textsf{Range}}\) (\(\textsf{MemCP}_{\textsf{RSAPrm}}^{\textsf{LG}}\)), with (a) 252-bit primes and (b) 63-bit primes;
3. \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\) with Bulletproofs on the Ristretto curve for \(\textsf {CP}_{\textsf{Range}}\) (\(\textsf{MemCP}_{\textsf{RSAPrm}}^{\textsf{BP}}\)), with (a) 250-bit primes and (b) 62-bit primes.
The results of our experiments are summarized in Fig. 1.
7.2.1 Comparison with the Merkle-tree approach
We compare our solutions against one based on proving a valid opening of a Merkle Tree in a SNARK. Specifically, we ran experiments for Merkle trees with maximum capacities of \(\{2^{8}, 2^{16}, 2^{32}, 2^{64}\}\) elements, using the Groth16 SNARK [46] over the BLS12-381 curve, with the following hash functions:
1. Pedersen Hash over the Jubjub curve, a curve defined over the scalar field of the BLS12-381 \(\mathbb {G}_1\) group;^{Footnote 20}
2. SHA-256.
The Merkle tree benchmark code is based on the production Zcash code from [76]. The results of the experiments are in Fig. 2. We recall that proofs in this solution are 192 bytes.
As one can see from the results, our solutions are highly attractive in terms of proving time and CRS size. For instance, compared to an optimized solution based on a Pedersen-Hash-based Merkle tree containing up to \(2^{32}\) elements, our \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\) scheme for arbitrary elements enjoys sub-second proof generation on a commodity laptop: it is more than twice as fast and requires a shorter CRS. The price to pay in our solution is a larger proof size (4.4 kilobytes vs. 192 bytes) and a higher verification time (31 ms vs. 2.8 ms). Nevertheless, these values stay within practical reach. When comparing to less optimized solutions based on Merkle trees (e.g., using SHA-256, which is common in the absence of specialized elliptic curves), we achieve up to \(32\times \) faster proving time and a \(48\times \) shorter CRS.
In addition to the aforementioned gains in prover efficiency, our solutions can benefit from the use of RSA accumulators to succinctly represent sets in comparison to using Merkle trees. In particular, the algebraic properties of RSA accumulators yield simple and efficient methods to add (resp. delete) elements to (resp. from) the set.
For instance, we can insert an element in an RSA accumulator in O(1) time and space, and with the same complexity we can update each existing membership and non-membership witness. This means that, once a witness has been updated, our zero-knowledge proofs can also be recomputed in O(1) time and space. Deleting an element can likewise be done in constant time and space by a party who holds a valid membership witness for it.
Insertion and deletion in ordinary Merkle Trees may require O(n) time, by rebuilding the tree from scratch from the whole set (thus also requiring O(n) storage). A more efficient method for insertion requires clients to store a “frontier” of \(\varTheta (\log n)\) internal hashes, which lowers the time complexity to \(O(\log n)\). One can also lower deletion times to \(O(\log n)\) by using other techniques, e.g., [63], but at the expense of keeping O(n) storage. Updating a Sparse Merkle Tree requires O(n) time and space. Inserting and deleting elements in Interval Merkle trees requires keeping the elements contiguous and sorted, which brings the time/storage complexity to O(n) for both insertion and deletion, since substantial portions of the tree may need to be rebuilt from scratch.
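As an added illustration of the constant-time updates discussed above (example code, not the paper's cpsnarks-set library), the following Python code builds a toy RSA accumulator, inserts a prime with a single exponentiation, and updates an existing membership witness and a Bezout-based non-membership witness without touching the rest of the set; it also shows deletion by a witness holder. The tiny modulus, generator and element primes are constructed assumptions with no security value.

```python
"""Toy RSA accumulator with O(1) insertion, deletion and witness updates.

Added example, not the paper's cpsnarks-set code.  The modulus is a
constructed toy whose factorisation is known, so this demonstrates only the
algebra behind the updates, not a secure instantiation.  Needs Python >= 3.8
for pow(x, -1, N).
"""

# Constructed toy modulus; a real deployment uses e.g. RSA-2048 with unknown factorisation.
_P_TOY, _Q_TOY = 104729, 1299709
N = _P_TOY * _Q_TOY
G = pow(3, 2, N)  # constructed generator, chosen as a quadratic residue


def gexp(base, e):
    """base^e mod N for any integer e (negative exponents via the inverse)."""
    if e < 0:
        return pow(pow(base, -1, N), -e, N)
    return pow(base, e, N)


def egcd(a, b):
    """Extended Euclid: (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def accumulate(elements):
    """Acc = G^{prod(elements)}; returns (Acc, prod).  Elements are distinct primes."""
    prod = 1
    for x in elements:
        prod *= x
    return pow(G, prod, N), prod


def mem_witness(elements, x):
    """Membership witness for x: G raised to the product of the *other* elements."""
    prod = 1
    for e in elements:
        if e != x:
            prod *= e
    return pow(G, prod, N)


def verify_mem(acc, x, w):
    return pow(w, x, N) == acc


def nonmem_witness(prod, x):
    """Non-membership witness (a, B) with Acc^a * B^x = G, from a*prod + b*x = 1.

    a is normalised into [0, x), which makes the witness unique for (prod, x).
    """
    g, a, b = egcd(prod, x)
    if g != 1:
        raise ValueError("x is in the set (or shares a factor with it)")
    k = a // x  # moving k*x from a into b keeps a*prod + b*x == 1
    return a - k * x, gexp(G, b + k * prod)


def verify_nonmem(acc, x, a, B):
    return (gexp(acc, a) * pow(B, x, N)) % N == G


def insert(acc, prod, y):
    """Adding prime y costs one exponentiation, independent of the set size."""
    return pow(acc, y, N), prod * y


def update_mem_witness(w, y):
    """Witness of an existing element after y was inserted: w^y, since (w^y)^x = Acc^y."""
    return pow(w, y, N)


def delete_with_witness(w_x):
    """A holder of x's membership witness removes x: w_x^x = Acc, so w_x is the new Acc."""
    return w_x


def update_nonmem_witness(acc_old, x, a, B, y):
    """Refresh the non-membership witness of x after prime y was inserted.

    From a*P + b*x = 1 and c*y + d*x = 1 (Bezout for the new element):
        (a*c)*(P*y) + (a*P*d + b)*x = 1,
    so a' = a*c and B' = G^{a*P*d + b} = Acc_old^{a*d} * B, all in O(1) group ops.
    """
    g, c, d = egcd(y, x)
    if g != 1:
        raise ValueError("x equals the inserted element")
    acc_new = pow(acc_old, y, N)
    a_new = a * c
    B_new = (gexp(acc_old, a * d) * B) % N
    k = a_new // x  # re-normalise a' into [0, x); compensate with Acc_new^k
    return a_new - k * x, (B_new * gexp(acc_new, k)) % N
```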
7.3 CP-SNARKs for set non-membership
For set non-membership, we tested the following instantiations of our solutions using the RSA-2048 [65] modulus:
1. \(\textsf{NonMem}\textsf {CP}_{\textsf{RSA}}\) with LegoGroth16 for \(\textsf {CP}_{\textsf{HashEq}}\) and a Blake2s-based hash-to-prime mapping yielding primes of 252 bits;
2. \(\textsf{NonMem}\textsf {CP}_{\textsf{RSAPrm}}\) with LegoGroth16 on the BLS12-381 curve for \(\textsf {CP}_{\textsf{Range}}\), and 252-bit primes;
3. \(\textsf{NonMem}\textsf {CP}_{\textsf{RSAPrm}}\) with Bulletproofs on the Ristretto curve for \(\textsf {CP}_{\textsf{Range}}\), and 250-bit primes.
The results of our experiments are summarized in Fig. 3.
7.3.1 Comparison to other approaches for non-membership
Non-membership proofs are usually a more computationally intensive task in SNARKs. There are two common approaches to deal with this problem using Merkle trees: sparse Merkle trees and interval Merkle trees. We did not test these solutions experimentally. However, as we detail below, creating a zero-knowledge proof for either of these solutions would not be more efficient than proving one Merkle tree path. Therefore, our solutions for non-membership achieve at least the same improvement as in the previous section.
Sparse Merkle trees for a set S are built through an ordinary Merkle Tree T on the universe \(\mathbb {U}\) of elements (we assume there is some conventional way to index the elements). For each element x not in the set S we store a dummy element in T at the index of x. For each element in S we store that particular element at the corresponding index. In order to prove that \(x \not \in S\) we provide an opening path of the Merkle tree whose leaf is a dummy value at the right index. Although there are efficient techniques to build or update a sparse Merkle Tree [4, 30], the main drawback of this technique is the opening size, which is \(\varTheta (\log |\mathbb {U}|)\) instead of \(\varTheta (\log |S|)\). If we perform the opening inside a SNARK, we have to pay a higher proving time. For example, consider using SHA-256 to index the elements of a set whose elements have roughly 32-bit representations. This would require a tree of size \(2^{256}\), which typically implies at least a \(256/32 = 8\times \) slowdown.
Interval Merkle trees work by sorting the leaves on each insertion and storing a pair of adjacent elements in each leaf, representing an interval that contains no element of the set. The depth of an Interval Merkle Tree is the same as in an ordinary Merkle Tree. Nonetheless it has the following performance overheads: (i) an opening requires two opening paths instead of only one (typically doubling the proving time); (ii) insertion requires sorting all leaves, which may be computationally demanding if the set is large.
Unlike either of the approaches above, in our constructions the size of the set does not impact proving time. Moreover, both insertions and non-membership witness updates are efficient to compute.
7.4 Improving running times: from statistical ZK to computational ZK
The schemes described in this section use statistically hiding commitments to achieve statistical zero-knowledge. We can improve our running times by switching to computationally hiding commitments, and thus to computational zero-knowledge. This optimization has concrete benefits as it can cut running times by approximately half. Specifically, it reduces by 50%:
1. the verification time in the constructions \(\textsf{Mem}\textsf {CP}_{\textsf{RSA}}\), \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\), \(\textsf{NonMem}\textsf {CP}_{\textsf{RSA}}\) and \(\textsf{NonMem}\textsf {CP}_{\textsf{RSAPrm}}\);
2. the proving time in the constructions \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\) and \(\textsf{NonMem}\textsf {CP}_{\textsf{RSAPrm}}\).
The results of our experiments for membership and nonmembership are summarized in Figs. 4 and 5 respectively.
Here are more details about the optimization. Our protocols, as originally described, use the integer commitment of Damgård and Fujisaki [31] described in Sect. 4.2. In this scheme the value is hidden by uniformly sampling an integer r from a large set, whose size should be at least around the order of the group; for RSA groups, for example, this amounts to sampling \(r {\leftarrow }{\$}\,[1,N/2]\). Performing exponentiations with such a large integer—on average N/4 in the RSA case—is expensive.
To overcome this problem, we propose a computationally hiding variant of the above integer commitment in which r is picked from a smaller set: we sample \(r {\leftarrow }{\$}\,[1,2^{2\lambda }]\). The scheme is hiding under the assumption that \(\{G^{r_1}:r_1 {\leftarrow }{\$}\,[1,N/2]\}\) and \(\{G^{r_2}:r_2 {\leftarrow }{\$}\,[1,2^{2\lambda }]\}\) are computationally indistinguishable.^{Footnote 21} This assumption can be justified in the generic group model: similar assumptions concerning non-uniform distributions over \([1,\textsf{ord}(\mathbb {G})]\) have been proven secure in the GGM by Bartusek et al. [3]. This approach makes exponentiations by r faster on average since \(N>2^{2\lambda }\).
8 Applications
In this section, we discuss applications of our solutions for proving set (non)membership in a succinct and modular way.
As one can note, in our solutions the set of committed elements is public and not hidden from the verifier. Nevertheless, our solutions can still capture applications in which the “actual” data in the set is kept private. This is, for example, the case of anonymous cryptocurrencies like Zerocash. In this scenario, the public set of elements to be accumulated, U, is derived by creating a commitment to the underlying data, X, e.g., \(u = COMM(x)\). To support this setting, we can use our solutions for arbitrary elements (thus supporting virtually any commitment scheme). Interestingly, though, we can also use our (more efficient) solution for sets of primes if the commitments are prime numbers. This can be done by using, for example, the hash-to-prime method described in Sect. 4.2, or another method for Pedersen commitments that we explain below in the context of Zerocash.
We now discuss concrete applications for which our constructions are suitable, both for set membership and set non-membership. In particular, these are applications in which: (1) the prover time must be small; (2) the size of the state (i.e., the accumulator value and commitments) must be small (potentially constant); (3) the verifier time should be small; and (4) the time to update the accumulator—adding or deleting an element—should be fast. As we discuss below, our RSA-based constructions are suitable candidates for settings with these constraints.
8.1 Zerocash
Zerocash [5] is a UTXO-type (Unspent Transaction Output) cryptocurrency protocol which extends Bitcoin with privacy-preserving (shielded) transactions. When performing a shielded transaction, users need to prove they are spending an output note from a token they had previously received. Users concerned with privacy should not reveal which note they are spending; otherwise their new transaction could be linked to the original note that contained the note commitment. This would reveal information both to the public and to the sender of the initial transaction, and hence partially reveal the transaction graph. In order to keep transactions unlinkable, the protocol uses zk-SNARKs to prove a set membership relation, namely that a note commitment is in a publicly known set of “usable” note commitments.
Zcash is a full-fledged digital currency using Zerocash as the underlying protocol. In its current deployment, Sapling [49], it employs Pedersen commitments of the notes and makes a zero-knowledge set membership proof of these commitments using a Pedersen-Hash-based Merkle tree approach. This is the part of the protocol that can be replaced by one of our RSA-based solutions in order to obtain a speedup in proving time. In particular, we could slightly modify the note commitments in order to enable the use of our scheme \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\) for sets of prime numbers, which gives the best efficiency. We can proceed as follows. Let us recall that the note commitments are represented by their x coordinates in the underlying elliptic curve group. We can then modify them so that the sender chooses a blinding factor such that the commitment representation of a note is a prime number, and we can add a consensus rule that enforces this check. With this change, we can achieve a solution that is significantly more efficient than the one currently used in Zcash. Currently Zcash uses a Merkle Tree whose depth is 32. In this setting, we would be able to reduce the proving time of set membership from 1.12 s to 54.51 ms, trading it for larger proof sizes. We note that in this application, the set-membership proof about \(u \in S\) is accompanied by another predicate P(u). In the proof statement of the Zcash protocol, proving that P(u) is satisfied takes considerably less time than the membership proof, which is why our solution would improve the overall proving time considerably, even though the proof has more components. Another interesting remark is that our solution significantly reduces the size of the circuit; hence the need for a succinct proof system is reduced, and one may even consider instantiations with other proof systems, such as Bulletproofs, that would offer transparency at the price of larger proofs and verification time.
8.2 Asset governance
In the context of blockchain-based asset transfer protocols, a governance system must be established to determine who can create new assets. In many cases these assets must be publicly traceable (i.e., their total supply must be public), yet in others, where the assets can be issued privately, validators still need to verify that the assets were issued by an authorized issuer. Specifically, there may be a public set of rules X (where a \(\textsf{rule} = (pk, [a,b])\)) defining which entities (public keys) are allowed to issue which assets (defined by a range of asset types), forming an “issuance whitelist”. When one of those issuers wants to issue a new asset, they need to prove (in zero knowledge) that their public key belongs to the issuance whitelist, which entails set membership, as well as prove that the asset type they issued is within the allowed range of asset types (as defined in the original rule). In this case, the accumulated set of rules is public to all, and this public information may also include a mapping between rules and prime numbers. Our RSA-based scheme for sets of primes (Sect. 4.4) suits this scenario.
8.3 Anonymous broadcast
In a peer-to-peer setting, anonymous broadcast allows users in a group to broadcast a message without revealing their identity. They can only broadcast once on each topic. One approach described in [64] works by asking users to put down a deposit which they will lose if they try to broadcast multiple messages on the same topic. In this approach users joining a group deposit their collateral in a smart contract. Whoever has the private key used by the client for the deposit can claim the sum. The approach in [64] makes sure that the key is leaked if one broadcasts more than one message. To enforce this leakage, at broadcast time users are required to (i) derive an encryption key K that depends on their private key and the topic, and (ii) compute an encryption of the private key under the newly derived K. Then the users publish both the ciphertext and a secret share of the encryption key K, and prove (in zero-knowledge) that their public key is part of the group and that (i) and (ii) were performed correctly. Which specific share needs to be revealed depends on the broadcast message, thus making it likely that two different shares will be leaked for two different messages.
This way, broadcasting multiple messages on the same topic reveals the user’s private key, allowing other users to remove them from the group by calling a function in the smart contract and receive part of the deposit.
A particularly interesting use case for anonymous broadcast is one in which the group is comprised of validators participating in a consensus algorithm, who would like to broadcast messages without exposing their node’s identity and thus prevent targeted DoS attacks. This setting requires proofs to be computed extremely fast, while verification performance requirements are less strict. Our \(\textsf{Mem}\textsf {CP}_{\textsf{RSAPrm}}\) can satisfy these performance requirements at the cost of a modest increase in proof size.
8.4 Financial identities
In the financial world, regulations establish that financial organizations must know who their customers are [38]. This is called a KYC check and helps reduce the risk of fraud. Some common KYC practices undermine user privacy, as they involve collecting a lot of personal information. Zero-knowledge proofs allow for an alternative approach. In modern systems, one can expect that individuals or companies will be able to prove that they belong to a set of accepted or legitimate identities. A privacy-preserving KYC check would then be reduced to generating a set-membership proof in zero-knowledge. Often some further information is required, e.g., the credit score of the individual. In such cases our CP-SNARK for set membership can be combined, in a modular fashion, with one proving an additional predicate \(P(\textsf{id})\) on the identity.
Regarding applications of non-membership proofs, we expand on the well-known concept of “blacklists”, where identities (or credentials) must be shown not to belong to a certain set of identities (or credentials). As an example, in the context of financial identities, anti-money laundering (AML) regulations [68] require customers not to be in a list of fraudulent identities. Here one can use our non-membership construction to generate a proof that the customer does not belong to the set of money launderers (or those thought to be). Because, as in the set-membership case, a user may have to prove additional information about their identity, here we can also benefit from a modular framework. Furthermore, modularity allows us to cheaply prove both membership and non-membership (at the same time) for the same identity \(\textsf{id}\) together with some additional information \(P(\textsf{id})\): holding the commitment \(c_{\textsf{id}}\), one can produce the following tuple of proofs: (1) a membership proof (\(\textsf{id} \in S\)); (2) a non-membership proof (\(\textsf{id} \not \in S'\)); (3) a CP-SNARK proof that includes the statement to be proven on that identity (\(P(\textsf{id})\)).
We note that in some cases a central authority that controls the white and black lists is trusted to ensure the integrity of the lists. Identities can then be added to or removed from the lists over time, for which our RSA-based construction is ideal given the comparatively low cost of updating the dynamic accumulator.
8.5 Zerocoin vulnerability
Another specific application of our RSA-based constructions is that of solving the security vulnerability in the implementation of the Zerocoin protocol [56] used in the Zcoin cryptocurrency [73]. The vulnerability in a nutshell: when proving equality of values committed under the RSA commitment and the prime-order group commitment, the equality may not hold over the integers, and hence one could easily produce collisions in the prime-order group. Our work provides different ways to solve this problem by generating a proof of equality over the integers.
Notes
The group \(\mathbb {G}\) is typically \(\mathbb {Z}^*_N\) where N is an RSA modulus. The size of an element in this group for a standard 128-bit security parameter is 3072 bits.
For instance, one can plug a proof system for the matrix product \(C = A\cdot B\) into any larger context of computation involving matrix multiplication. This holds regardless of whether, say, we then hash C, or whether A, B are in turn the output of a different computation.
More specifically: the elements of a set need to be prime numbers in a range (A, B) such that \({q} / 2> A^{2} - 1 > B \cdot 2^{2{\lambda }_{st} + 2}\). If aiming at a 128-bit security level, one can meet this constraint by choosing for example \(A = 2^{259}\), \(B=2^{260}\) and \(q > 2^{519}\).
When a prime representation is suitable for the application, distinct primes can be generated without a hash function (e.g., by using sequential primes).
For the implementation we focused on schemes where the public parameters do not depend on the set size; hence, we did not implement the pairingbased solutions.
For our experiments we consider Merkle Trees using Pedersen Hash over the JubJub curve [49].
We stress that the proving time for our construction does not vary when the set grows. On the other hand, this time does vary for solutions based on Merkle trees.
These ratios refer to a comparison against Interval Merkle Trees which require opening two paths to prove nonmembership. When compared against Sparse Merkle Trees, our solutions show similar improvement ratios.
Normally \(\mathcal {T}\) is finite and includes a small number of types, e.g., \(\mathcal {T}=\{\mathbb {G}_1,\mathbb {G}_2,\mathbb {Z}_p\}\).
Each of the “open” elements in the \(\mathcal {D}_i\)s (together with any auxiliary opening information) should also be thought of as the witness to the relation as we require them to be extractable. On the other hand, the commitments themselves are part of the public input.
This is reminiscent of the soundness notions considered in [39].
We can easily generalize the notion for an adversary opening an arbitrary subset of the committed inputs.
We point out that, although in the game below we make the commitment opening explicit in the relation, this is essentially the same notion of knowledge soundness as in CP-NIZKs (i.e., Definition 2.3), where the only tweak is that the adversary explicitly gives the first input in the commitment slot. We make commitments explicit in the hope that the definition is clearer. This is, however, in contrast to the definition of CP-NIZKs, where the commitment opening is completely abstracted away inside the relation.
Here is why: finding two different sets of primes \(P,P', P\ne P'\) such that \(G^{\textsf{prod}_{P}} = \textsf{Acc}= G^{\textsf{prod}_{P'}}\) implies finding an integer \(\alpha = \textsf{prod}_{P} - \textsf{prod}_{P'} \ne 0\) such that \(G^\alpha =1\). This is known to lead to an efficient algorithm for factoring N.
For specific instantiations of \(\textsf{H}\), \(\iota \) can be set so that \(\perp \) is returned with negligible probability.
We assume for simplicity that the function never outputs \(\perp \), though it can happen with negligible probability.
We implemented this scheme in Rust on top of libzexe as part of this work [66].
This is the Bowe-Hopwood variant of a Pedersen hash, as described in [49].
Due to generic lower bounds on the DLOG problem [69], \([1,2^\lambda ]\) would not be enough.
References
Agrawal S., Ganesh C., Mohassel P.: Non-interactive zero-knowledge proofs for composite statements. In: Shacham H., Boldyreva A. (eds.) CRYPTO 2018, Part III, volume 10993 of LNCS, pp. 643–673. Springer, Heidelberg (2018)
Bari N., Pfitzmann B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy W. (ed.) EUROCRYPT’97, volume 1233 of LNCS, pp. 480–494. Springer, Heidelberg (1997)
Bartusek J., Ma F., Zhandry M.: The distinction between fixed and random generators in group-based assumptions. In: Shacham H., Boldyreva A. (eds.) CRYPTO 2019, Part II, LNCS, pp. 801–830. Springer, Heidelberg (2019)
Ben L., Emilia K.: Revocation transparency. Google Research, September, p. 33 (2012)
Ben-Sasson E., Chiesa A., Garman C., Green M., Miers I., Tromer E., Virza M.: Zerocash: decentralized anonymous payments from Bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE Computer Society Press (2014)
Benaloh J.C., de Mare M.: One-way accumulators: a decentralized alternative to digital signatures (extended abstract). In: Helleseth T. (ed.) EUROCRYPT’93, volume 765 of LNCS, pp. 274–285. Springer, Heidelberg (1994)
Benarroch D., Campanelli M., Fiore D.: Community standards proposal for commit-and-prove zero-knowledge proof systems (2019). https://www.binarywhales.com/assets/misc/zkproofcpstandards.pdf
Benarroch D., Campanelli M., Fiore D., Gurkan K., Kolonelos D.: Zero-knowledge proofs for set membership: efficient, succinct, modular. In: International Conference on Financial Cryptography and Data Security, pp. 393–414. Springer (2021)
Benoît L., San L., Khoa N., Huaxiong W.: Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors. In: Marc F., Jean-Sébastien C. (eds.) EUROCRYPT 2016, Part II, volume 9666 of LNCS, pp. 1–31. Springer, Heidelberg (2016)
Boneh D., Bünz B., Fisch B.: A survey of two verifiable delay functions. Cryptology ePrint Archive, Report 2018/712 (2018). https://eprint.iacr.org/2018/712
Boneh D., Bünz B., Fisch B.: Batching techniques for accumulators with applications to IOPs and stateless blockchains. IACR Cryptol. ePrint Arch. 2018, 1188 (2018)
Buchmann J., Hamdy S.: A survey on IQ cryptography (2001). http://tubiblio.ulb.tudarmstadt.de/100933/
Bünz B., Bootle J., Boneh D., Poelstra A., Wuille P., Maxwell G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy, pp. 315–334. IEEE Computer Society Press (2018)
Cachin C., Micali S., Stadler M.: Computationally private information retrieval with polylogarithmic communication. In: Stern J. (ed.) EUROCRYPT’99, vol. 1592, pp. 402–414. LNCS. Springer, Heidelberg (1999).
Cambrian Tech: Cryptographic accumulators in rust (2019). https://github.com/cambrian/accumulator
Camenisch J., Lysyanskaya A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung M. (ed.) CRYPTO 2002, vol. 2442, pp. 61–76. LNCS. Springer, Heidelberg (2002).
Camenisch J., Kohlweiss M., Soriente C.: An accumulator based on bilinear maps and efficient revocation for anonymous credentials. In: Jarecki S., Tsudik G. (eds.) PKC 2009, vol. 5443, pp. 481–500. LNCS. Springer, Heidelberg (2009).
Campanelli M., Fiore D., Querol A.: LegoSNARK: modular design and composition of succinct zero-knowledge proofs. To appear at ACM CCS 2019. IACR Cryptology ePrint Archive, 2019 (2019)
Campanelli M., Fiore D., Han S., Kim J., Kolonelos D., Oh H.: Succinct zero-knowledge batch proofs for set accumulators. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 455–469 (2022)
Canetti R., Lindell Y., Ostrovsky R., Sahai A.: Universally composable two-party and multi-party secure computation. In: 34th ACM STOC, pp. 494–503. ACM Press (2002)
Catalano D., Fiore D.: Vector commitments and their applications. In: Kurosawa K., Hanaoka G. (eds.) PKC 2013, volume 7778 of LNCS, pp. 55–72. Springer, Heidelberg (2013).
Chaum D.: Security without identification: transaction systems to make big brother obsolete. Commun. ACM 28(10), 1030–1044 (1985).
Chepurnoy A., Papamanthou C., Yupeng Z.: A cryptocurrency with stateless transaction validation, Edrax (2018)
Couteau G., Hartmann D.: Shorter non-interactive zero-knowledge arguments and ZAPs for algebraic languages. In: Advances in Cryptology–CRYPTO 2020: 40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17–21, 2020, Proceedings, Part III, pp. 768–798. Springer (2020)
Couteau G., Peters T., Pointcheval D.: Removing the strong RSA assumption from arguments over the integers. In: Coron J.-S., Nielsen J.B. (eds.) EUROCRYPT 2017, Part II, volume 10211 of LNCS, pp. 321–350. Springer, Heidelberg (2017)
Couteau G., Lipmaa H., Parisella R., Ødegaard A.T.: Efficient NIZKs for algebraic sets. In: Advances in Cryptology–ASIACRYPT 2021: 27th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 6–10, 2021, Proceedings, Part III, pp. 128–158. Springer (2021)
cpsnarkslibrustzcash. https://github.com/kobigurk/cpsnarkslibrustzcash
Cpsnarksset. https://github.com/kobigurk/cpsnarksset
Cramer R., Shoup V.: Signature schemes based on the strong RSA assumption. In: Motiwalla J., Tsudik G. (eds) ACM CCS 99, pp. 46–51. ACM Press (1999)
Dahlberg R., Pulls T., Peeters R.: Efficient sparse merkle trees: Caching strategies and secure (non)membership proofs. Cryptology ePrint Archive, Report 2016/683 (2016). https://eprint.iacr.org/2016/683
Damgård I., Fujisaki E.: A statisticallyhiding integer commitment scheme based on groups with hidden order. In: Yuliang Zheng (ed.) ASIACRYPT 2002, vol. 2501, pp. 125–142. LNCS. Springer, Heidelberg (2002).
Damgård I., Triandopoulos N.: Supporting nonmembership proofs with bilinearmap accumulators. Cryptology ePrint Archive, Report 2008/538 (2008). http://eprint.iacr.org/2008/538
de Valence, H.: Merlin: composable proof transcripts for publiccoin arguments of knowledge (2019). https://github.com/dalekcryptography/merlin
Dobson S., Galbraith Steven D.: Trustless groups of unknown order with hyperelliptic curves. Cryptology ePrint Archive, Report 2020/196 (2020). https://eprint.iacr.org/2020/196
Eagen L., Fiore D., Gabizon A.: cq: Cached quotients for fast lookups. Cryptology ePrint Archive (2022)
Escala A., Groth J.: Finetuning GrothSahai proofs. In: Krawczyk H. (ed.) PKC 2014, vol. 8383, pp. 630–649. LNCS. Springer, Heidelberg (2014).
Fazio N., Nicolosi A.: Cryptographic accumulators: definitions, constructions and applications. Paper written for course at New York University. www.cs.nyu.edu/nicolosi/papers/accumulators.pdf (2002)
FINRA: https://www.finra.org/rulesguidance/rulebooks/finrarules/2090#therule
Fiore D., Fournet C., Ghosh E., Kohlweiss M., Ohrimenko O., Parno B.: Hash first, argue later: adaptive verifiable computations on outsourced data. In: Weippl E.R., Katzenbeisser S., Kruegel C., Myers A.C., Halevi S.(eds) ACM CCS 2016, pp. 1304–1316. ACM Press (2016)
Fouque P.A., Tibouchi M.: Close to uniform prime number generation with fewer random bits. In: Esparza J., Fraigniaud P., Husfeldt T., Koutsoupias E. (eds.) ICALP 2014, pp. 991–1002. Part I, volume 8572 of LNCS. Springer, Heidelberg (2014)
Fujisaki E., Okamoto T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski B.S. (ed.) CRYPTO’97, volume 1294 of LNCS, pp. 16–30. Springer, Heidelberg (1997).
Gabizon A., Khovratovich D.: Flookup: Fractional decompositionbased lookups in quasilinear time independent of table size. Cryptology ePrint Archive (2022)
Gennaro R., Halevi S., Rabin T.: Secure hashandsign signatures without the random oracle. In: Stern J. (ed.) EUROCRYPT’99, vol. 1592, pp. 123–139. LNCS. Springer, Heidelberg (1999).
Gentry C., Wichs D.: Separating succinct noninteractive arguments from all falsifiable assumptions. In: Fortnow L., Vadhan S.P. (eds) 43rd ACM STOC, pp. 99–108. ACM Press (2011)
Goldwasser S., Micali S., Rackoff C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989).
Groth J.: On the size of pairingbased noninteractive arguments. In: Fischlin M., Coron J.S. (eds.) EUROCRYPT 2016, pp. 305–326. Part II, volume 9666 of LNCS. Springer, Heidelberg (2016)
Groth J., Sahai A.: Efficient noninteractive proof systems for bilinear groups. In: Smart N.P. (ed.) EUROCRYPT 2008, vol. 4965, pp. 415–432. LNCS. Springer, Heidelberg (2008).
Helger L.: Secure accumulators from euclidean rings without trusted setup. In: Feng B., Pierangela S., Jianying Z. (eds.) ACNS 12, vol. 7341, pp. 224–240. LNCS. Springer, Heidelberg (2012).
Hopwood D., Bowe S., Hornby T., Wilcox N.: Zcash protocol specification. Tech. rep. 2016–1.10. Zerocoin Electric Coin Company, Tech. Rep., (2016). https://github.com/zcash/zips/blob/master/protocol/sapling.pdf
Jiangtao L., Ninghui L., Rui X.: Universal accumulators with efficient nonmembership proofs. In: Jonathan K., Moti Y. (eds.) ACNS 07, vol. 4521, pp. 253–269. LNCS. Springer, Heidelberg (2007).
Lee J.: The security of groups of unknown order based on jacobians of hyperelliptic curves. Cryptology ePrint Archive, Report 2020/289 (2020). https://eprint.iacr.org/2020/289
Libert B., Yung M.: Concise mercurial vector commitments and independent zeroknowledge sets with short proofs. In: Micciancio D. (ed.) TCC 2010, vol. 5978, pp. 499–517. LNCS. Springer, Heidelberg (2010).
Lipmaa H., Parisella R.: Set (non) membership nizks from determinantal accumulators. Cryptology ePrint Archive (2022)
Lovecruft I.A., de Valence H.: curve25519dalek: a purerust implementation of group operations on ristretto and curve25519. https://github.com/dalekcryptography/curve25519dalek
Merkle R.C.: A digital signature based on a conventional encryption function. In: Pomerance C. (ed.) CRYPTO’87, vol. 293, pp. 369–378. LNCS. Springer, Heidelberg (1988).
Miers I., Garman C., Green M., Rubin Aviel D: Zerocoin: anonymous distributed Ecash from Bitcoin. In: 2013 IEEE Symposium on Security and Privacy, pp. 397–411. IEEE Computer Society Press (2013)
Nguyen L.: Accumulators from bilinear pairings and applications. In: Menezes A. (ed.) CTRSA 2005, vol. 3376, pp. 275–292. LNCS. Springer, Heidelberg (2005).
Ozdemir A., Wahby Riad S., Whitehat B., Boneh D.: Scaling verifiable computation using efficient set accumulators. Cryptology ePrint Archive, Report 2019/1494 (2019). https://eprint.iacr.org/2019/1494
Papamanthou C., Shi E., Tamassia R.: Signatures of correct computation. In: Sahai A. (ed.) TCC 2013, vol. 7785, pp. 222–242. LNCS. Springer, Heidelberg (2013).
Papamanthou C., Shi E., Tamassia R., Yi K.: Streaming authenticated data structures. In: Johansson T., Nguyen P.Q. (eds.) EUROCRYPT 2013, vol. 7881, pp. 353–370. LNCS. Springer, Heidelberg (2013).
Parno B., Howell J., Gentry C., Raykova M.: Pinocchio: nearly practical verifiable computation. In: 2013 IEEE Symposium on Security and Privacy, pp. 238–252. IEEE Computer Society Press (2013)
Posen J., Kattis Assimakis A: Caulk+: tableindependent lookup arguments. Cryptology ePrint Archive (2022)
Ray J.: Patricia tree (2019). https://github.com/ethereum/wiki/wiki/PatriciaTree
rln Semaphore: rate limiting nullifier for spam prevention in anonymous p2p setting, February (2019). https://ethresear.ch/t/semaphorerlnratelimitingnullifierforspampreventioninanonymousp2psetting/5009
Rsa2048. https://en.wikipedia.org/wiki/RSA_numbers#RSA2048
Rust implementation of LegoGroth16. https://github.com/kobigurk/legogro16
SCIPR Lab: Zexe (zero knowledge execution). https://github.com/sciprlab/zexe
Securities U.S. and Exchange Commission: Antimoney laundering (aml) source tool for brokerdealers (2018). https://www.sec.gov/about/offices/ocie/amlsourcetool.htm
Shoup V.: Lower bounds for discrete logarithms and related problems. In: Fumy W. (ed.) EUROCRYPT’97, vol. 1233, pp. 256–266. LNCS. Springer, Heidelberg (1997).
Srinivasan S., Karantaidou I., Baldimtsi F., Papamanthou C.: Batching, aggregation, and zeroknowledge proofs in bilinear accumulators. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 2719–2733 (2022)
Valiant P.: Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In: Canetti R. (ed.) TCC 2008, vol. 4948, pp. 1–18. LNCS. Springer, Heidelberg (2008).
Wesolowski B.: Efficient verifiable delay functions. Cryptology ePrint Archive, Report 2018/623 (2018). https://eprint.iacr.org/2018/623
Yap R.: Cryptographic description of zerocoin attack (2019). https://zcoin.io/cryptographicdescriptionofzerocoinattack/
Zapico A., Buterin V., Khovratovich D., Maller M., Nitulescu A., Simkin M.: Caulk: lookup arguments in sublinear time. In:Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 3121–3134 (2022)
Zapico A., Gabizon A., Khovratovich D., Maller M., Carla R.: Nearly optimal lookup arguments. Cryptology ePrint Archive, Baloo (2022).
Zcash: Zcash rust crates. https://github.com/zcash/librustzcash
Zhang Y., Genkin D., Katz J., Papadopoulos D., Papamanthou C.: A zeroknowledge version of vSQL. Cryptology ePrint Archive, Report 2017/1146 (2017). https://eprint.iacr.org/2017/1146
Zhang Y., Katz J., Papamanthou C.: An expressive (zeroknowledge) set accumulator. In: 2017 IEEE European Symposium on Security and Privacy (EuroS P), pp. 158–173 (2017)
Zhang J., Xie T., Zhang Y., Song D.: Transparent polynomial delegation and its applications to zero knowledge proof. In: IEEE Symposium on Security and Privacy (2020)
Acknowledgements
Research leading to these results has been partially supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation program under project PICOCRYPT (Grant Agreement No. 101001283), by research grants from Protocol Labs, and from Nomadic Labs and the Tezos Foundation, by the Spanish Government under Projects SCUM (RTI2018102043BI00), CRYPTOEPIC (ERC2018092822, EUR2019103816), PRODIGY (TED2021132464BI00), and RED2018102321T, and by the Madrid Regional Government under Project BLOQUES (S2018/TCS4339). The last five projects are co-funded by European Union EIE and NextGenerationEU/PRTR funds. Most of this work was done while the first author was at QEDIT. Most of this work was done while the second author was at IMDEA Software Institute, and part of it while he was at Aarhus University.
Ethics declarations
Conflict of interest
The authors have no conflicts of interest to declare that are relevant to the content of this article, besides the funding already stated and their affiliations.
This is one of several papers published in Designs, Codes and Cryptography comprising the “Special Issue: Mathematics of Zero Knowledge”.
Appendices
A Accumulator definitions
Below is the definition of accumulators, following the definition of [37]. We insist on public-key accumulators, meaning that after the key generation phase no party has access to the secret key.
Definition A.1
(Accumulators) A static (non-universal) accumulator with domain \(\mathbb {X}\) is a tuple of four algorithms \(\textsf{Acc}= (\textsf{Gen},\textsf{Eval},\textsf{Witness},\textsf{VerWit})\):

\(\textsf{Gen}(1^{\lambda },t) \rightarrow (\textsf{sk},\textsf{ek},\textsf{vk})\) is a (probabilistic) algorithm that takes the security parameter \(\lambda \) and a parameter t for the upper bound of the number of elements to be accumulated. If \(t=\infty \) there is no upper bound. Returns a secret key \(\textsf{sk}\), an evaluation key \(\textsf{ek}\) and a verification key \(\textsf{vk}\).

\(\textsf{Eval}(\textsf{ek},{\mathcal {X}}) \rightarrow (acc_\mathcal {X},\textsf{aux})\) takes the evaluation key and a set \(\mathcal {X}\) and in case \(\mathcal {X}\subseteq \mathbb {X}\) outputs the accumulated value \(acc_{\mathcal {X}}\) and some auxiliary information \(\textsf{aux}\). If \(\mathcal {X}\nsubseteq \mathbb {X}\) outputs \(\perp \).

\(\textsf{Witness}(\textsf{ek},x,\textsf{aux}) \rightarrow wit_{x}\) takes the evaluation key \(\textsf{ek}\), the value x and the auxiliary information \(\textsf{aux}\) and outputs either a witness \(wit_{x}\) of \(x \in \mathcal {X}\) or \(\perp \) if \(x \notin \mathcal {X}\).

\(\textsf{VerWit}(\textsf{vk},acc_{\mathcal {X}},x,w) \rightarrow b\) takes the verification key \(\textsf{vk}\), the accumulation value \(acc_\mathcal {X}\), a value x and a witness w and outputs 1 if w is a witness of \(x \in \mathcal {X}\) and 0 otherwise.
Further, we give the definition of Dynamic Accumulators, a notion that was introduced by Camenisch and Lysyanskaya [16]. Dynamic Accumulators are Accumulators that additionally provide the ability to update the accumulated value and the witnesses when the set is updated, either on addition of a new element or on deletion.
Definition A.2
(Dynamic accumulators) A Dynamic Accumulator \(\textsf{Acc}\) with domain \(\mathbb {X}\) is a static Accumulator that additionally provides three algorithms \((\textsf{Add},\textsf{Delete},\textsf{WitUpdate})\).

\(\textsf{Add}(\textsf{ek},acc_\mathcal {X},y,\textsf{aux}) \rightarrow (acc_{\mathcal {X}'},\textsf{aux}')\) takes the evaluation key \(\textsf{ek}\), the accumulated value \(acc_\mathcal {X}\), the value y to be added to the set and the auxiliary information \(\textsf{aux}\). If \(y \notin \mathcal {X}\wedge y \in \mathbb {X}\) it outputs the new accumulation value \(acc_{\mathcal {X}'}\) for \(\mathcal {X}' = \mathcal {X}\cup \{y\}\) and new auxiliary information \(\textsf{aux}'\). In case \(y \in \mathcal {X}\) or \(y \notin \mathbb {X}\) it outputs \(\perp \).

\(\textsf{Delete}(\textsf{ek},acc_\mathcal {X},y,\textsf{aux}) \rightarrow (acc_{\mathcal {X}'},\textsf{aux}')\) takes the evaluation key \(\textsf{ek}\), the accumulated value \(acc_\mathcal {X}\), the value y to be deleted from the set and the auxiliary information \(\textsf{aux}\). If \(y \in \mathcal {X}\wedge y \in \mathbb {X}\) it outputs the new accumulation value \(acc_{\mathcal {X}'}\) for \(\mathcal {X}' = \mathcal {X}\setminus \{y\}\) and new auxiliary information \(\textsf{aux}'\). In case \(y \notin \mathcal {X}\) or \(y \notin \mathbb {X}\) it outputs \(\perp \).

\(\textsf{WitUpdate}(\textsf{ek},wit_x,y,\textsf{aux}) \rightarrow wit_x'\) takes the evaluation key \(\textsf{ek}\), a witness \(wit_x\) to be updated, the value y that was either added or deleted from \(\mathcal {X}\) and the auxiliary information. In case \(x \in \mathcal {X}'\) outputs the updated witness \(wit_{x}'\), otherwise outputs \(\perp \).
Normally, we demand that the update algorithms \(\textsf{Add}\) and \(\textsf{Delete}\) are more efficient than recomputing the accumulation value from scratch with \(\textsf{Eval}\). However, in the publicly updatable setting this is not always possible, while it may be possible when the updating party holds the secret key. Still, in this work we treat public-key accumulators.
Security
Correctness. For every \(t=\textsf{poly}(\lambda )\) and \(|\mathcal {X}| \le t\):
Soundness
A cryptographic accumulator is sound if for all \(t=\textsf{poly}(\lambda )\) and for all PPT adversaries \({\mathcal {A}}\) there is a negligible function \(\textsf{negl}(\cdot )\) such that:
A.1 Dynamic strong RSA accumulators
We formally define the Dynamic Strong RSA Accumulator [2, 6, 16] described in Sect. 4.2. Its domain is \(\mathbb {X}= \textsf{Primes}\).

\(\textsf{Gen}(1^{\lambda },\infty ) \rightarrow (\textsf{sk},\textsf{ek},\textsf{vk})\) samples an RSA modulus \((N,(q_1,q_2)) \leftarrow \textsf{GenSRSAmod}(1^{\lambda })\) and a generator \(F {\leftarrow }{\$}\,\mathbb {Z}_N^*\) and computes a quadratic residue \(G \leftarrow F^2 \pmod N\). It returns \((\textsf{sk},\textsf{ek},\textsf{vk}) \leftarrow ((q_1,q_2),(N,G),(N,G))\).

\(\textsf{Eval}(\textsf{ek},\mathcal {X}) \rightarrow (acc_\mathcal {X},\textsf{aux})\) parses \(\textsf{ek}:=(N,G)\). If \(\mathcal {X}\nsubseteq \textsf{Primes}\) it returns \(\perp \); otherwise it computes \(\textsf{prod}_\mathcal {X}:=\prod _{x_i \in \mathcal {X}}x_i\) and returns \((acc_\mathcal {X},\textsf{aux}) \leftarrow (G^{\textsf{prod}_\mathcal {X}} \mod N, \mathcal {X})\).

\(\textsf{Witness}(\textsf{ek},x,\textsf{aux}) \rightarrow wit_{x}\) parses \(\textsf{ek}:=(N,G)\), \(\mathcal {X}:=\textsf{aux}\), computes \(\textsf{prod}_{\mathcal {X}{\setminus } \{x\}} :=\prod _{x_i \in \mathcal {X}{\setminus } \{x\}}x_i\) and returns \(wit_x \leftarrow G^{\textsf{prod}_{\mathcal {X}\setminus \{x\}}} \mod N\).

\(\textsf{VerWit}(\textsf{vk},acc_{\mathcal {X}},x,w) \rightarrow b\) parses \(\textsf{vk}:=(N,G)\) and returns \(b \leftarrow (w^x = acc_\mathcal {X}\pmod N)\).
A.1.1 Security of the strong RSA accumulator and batch-verification
Collision freeness of the above accumulator follows directly from the strong RSA assumption. More interesting is that the same scheme allows many memberships to be verified at the same time, which is called batch-verification. That is, given \(\{x_1,\dots ,x_m\} \subseteq \textsf{Primes}\) one can compute a batch-witness \(W = G^{\textsf{prod}_{\mathcal {X}{\setminus } \{x_1, \dots , x_m\}}}\), and the verification becomes \(b \leftarrow (W^{x_1 \dots x_m} = acc_\mathcal {X})\). Again the security of batch-verification follows from the strong RSA assumption, and it allows us to argue that for any W, x, if \(W^{x} = acc_{\mathcal {X}} :=G^{\textsf{prod}_\mathcal {X}}\) then \(x \in \Pi _\mathcal {X}\), meaning that x is a product of primes of the set \(\mathcal {X}\).
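The accumulator of Sect. A.1 with its batch-verification, as an added worked example (not the paper's or the cpsnarks-set library's code). It uses a constructed toy modulus N = 2039 · 2063 so that every value is readable, and it goes one step beyond the page by adding the Add and witness-update operations of Definition A.2 in the form they take for this scheme (acc^y and wit^y), which the page does not spell out.

```python
# Added example (not the paper's code): the static strong-RSA accumulator of
# Appendix A.1 with batch-verification, plus the Add/WitUpdate step of the
# dynamic definition (Def. A.2) specialised to this scheme.  N is a constructed
# toy modulus so the arithmetic is readable; real use needs a 2048-bit N.
import secrets
from math import prod

P, Q = 2039, 2063          # constructed toy primes; sk = (P, Q) is never used again
N = P * Q

def is_prime(n):
    """Trial division; enough for the toy domain X = Primes used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def gen():
    """Gen(1^lambda, inf): G = F^2 mod N is a quadratic residue; ek = vk = (N, G)."""
    F = secrets.randbelow(N - 2) + 2
    return (N, pow(F, 2, N))

def acc_eval(ek, X):
    """Eval: (acc_X, aux) = (G^{prod_X} mod N, X); None stands for bottom if X has a non-prime."""
    N, G = ek
    if not all(is_prime(x) for x in X):
        return None
    return pow(G, prod(X), N), set(X)

def witness(ek, x, aux):
    """Witness: wit_x = G^{prod of X without x} mod N, or None (bottom) if x is not in X."""
    N, G = ek
    if x not in aux:
        return None
    return pow(G, prod(aux - {x}), N)

def ver_wit(vk, acc, x, w):
    """VerWit: accept iff w^x = acc_X (mod N)."""
    N, _ = vk
    return pow(w, x, N) == acc

def batch_witness(ek, xs, aux):
    """Batch-witness W = G^{prod of X without x_1..x_m}: one witness for all of xs."""
    N, G = ek
    if not set(xs) <= aux:
        return None
    return pow(G, prod(aux - set(xs)), N)

def batch_ver_wit(vk, acc, xs, W):
    """Batch-verification: accept iff W^{x_1 ... x_m} = acc_X (mod N)."""
    N, _ = vk
    return pow(W, prod(xs), N) == acc

def add(ek, acc, y, aux):
    """Add from Def. A.2 for this scheme (standard for RSA accumulators, not stated
    on the page): acc_{X u {y}} = acc_X^y, so no recomputation from scratch is needed."""
    N, _ = ek
    if y in aux or not is_prime(y):
        return None
    return pow(acc, y, N), aux | {y}

def wit_update_add(ek, wit_x, y):
    """WitUpdate after adding y: wit_x' = wit_x^y, since prod_{X' \\ {x}} gained the factor y."""
    N, _ = ek
    return pow(wit_x, y, N)
```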
B Generic CP-SNARK for set membership from accumulators with proof of knowledge
We show here that any accumulator scheme \(\textsf{Acc}\), together with a zero-knowledge proof of knowledge that a value committed under a commitment scheme \(\textsf{Com}\) is accumulated, generically yields a CP-SNARK for set membership. Let \(\textsf {CP}_\textsf{AccWit}\) be a zero-knowledge proof for the relation \(R_{\textsf{AccWit}}((Acc, c_u),(wit,u,o)) =1\) iff \(\textsf{VerCommit}(\textsf{ck}, c_{u},u,o)=1 \wedge \textsf{VerWit}(\textsf{vk},Acc,u,wit) = 1\). Consider a typed commitment scheme with one type for sets that can be accumulated by \(\textsf{Acc}\) and one for elements of the domain of \(\textsf{Com}\), i.e. the canonical composition \(\textsf{Com}_\textsf{Acc}\bullet \textsf{Com}\), where \(\textsf{Com}_\textsf{Acc}\) is described in Fig. 17.
Finally, the generic CP-SNARK is given in Fig. 18.
Theorem B.1
Let \(\textsf{Com}\) be a computationally binding commitment scheme, \(\textsf{Acc}\) a sound accumulator scheme and \(\textsf {CP}_{\textsf{AccWit}}\) a knowledge-sound proof. Then \(\textsf{MemCP}_{\textsf{Acc}}\) is knowledge-sound with partial opening of the set commitment \(c_{U}\) for the \(R_{\textsf{mem}}\) relation and the \(\textsf{Com}_{\textsf{Acc}}\) commitment scheme. Furthermore, if \(\textsf{Com}\) is statistically hiding and \(\textsf {CP}_{\textsf{AccWit}}\) is zero-knowledge, then \(\textsf{MemCP}_{\textsf{Acc}}\) is zero-knowledge.
C Vector commitments
A vector commitment (VC) [21, 52] is a primitive that allows one to commit to a vector \(\varvec{v}\) of length n in such a way that one can later open the commitment at any position \(i \in [n]\). In terms of security, a VC should be position binding in the sense that it is not possible to open a commitment to two different values at the same position. Also, what makes VC an interesting primitive is conciseness, which requires the commitment and the openings to be of fixed size, independent of the vector’s length. Furthermore, a vector commitment can also support updates, meaning that updates of the underlying vector allow efficient updates of the commitment and of the opening proofs. We note that in this case position binding should also hold with respect to updates.
C.1 Definition
We follow the definition of a Vector Commitment Scheme and its security with respect to updates as defined in [23].
Definition C.1
A Vector Commitment Scheme is a tuple of PPT algorithms \(\Pi =(\textsf{KeyGen},\) \(\textsf{Com},\) \(\textsf{Prove},\) \(\textsf{Ver},\) \(\textsf{UpdateCom}, \textsf{UpdateProof})\):

\(\textsf{KeyGen}(1^{\lambda },n) \rightarrow (\textsf{prk},\textsf{vrk},\textsf{upk}_0,\dots ,\textsf{upk}_{n-1}):\) given the security parameter \(\lambda \) and the size n of the committed vector it outputs a prover key \(\textsf{prk}\), a verifier key \(\textsf{vrk}\) and update keys \(\textsf{upk}_0, \dots ,\textsf{upk}_{n-1}\).

\(\textsf{Com}(\textsf{prk},a_{0},\dots ,a_{n-1}) \rightarrow \textsf{dig}_{\varvec{a}}:\) given the prover key \(\textsf{prk}\) and a vector \(\varvec{a} = (a_0,\dots , a_{n-1} )\), it outputs a digest \(\textsf{dig}_{\varvec{a}}\) of the vector \(\varvec{a}\).

\(\textsf{Prove}(\textsf{prk},i,\varvec{a}) \rightarrow (a_i,\pi _i):\) given the prover key \(\textsf{prk}\), a vector \(\varvec{a} = (a_0,\dots , a_{n-1} )\) and an index i, it outputs the element \(a_i\) in the i-th position of the vector and a proof \(\pi _i\).

\(\textsf{Ver}(\textsf{vrk},\textsf{dig},i, a,\pi ) \rightarrow b:\) given the verifier key \(\textsf{vrk}\), a digest \(\textsf{dig}\), an index i, a value a and a proof \(\pi \), it outputs 1 iff \(\pi \) is a valid proof that a is in the i-th position of the vector committed in \(\textsf{dig}\).

\(\textsf{UpdateCom}(\textsf{dig},i,\delta ,\textsf{upk}_i) \rightarrow \textsf{dig}':\) given a digest \(\textsf{dig}\), an index i, an update \(\delta \) and the update key of the i-th position, it outputs an updated digest \(\textsf{dig}'\) of the same vector but with value \(a+\delta \) (instead of a) in the i-th position.

\(\textsf{UpdateProof}(\pi ,i,\delta ,\textsf{upk}_i) \rightarrow \pi ':\) given a proof \(\pi \), an index i, an update \(\delta \) and the update key of the i-th position, it outputs an updated proof that \(a+\delta \) (instead of a) is in the i-th position of the vector.
Soundness
A Vector Commitment Scheme \(\Pi \) is sound if for all PPT adversaries \(\mathcal {A}\) the below probability is \(\textsf{negl}(\lambda )\)
C.2 EDRAX: a vector commitment from multilinear extensions
Multilinear extension of vectors
Let \(\mathbb {F}\) be a field and \(n=2^\ell \). The multilinear extension of a vector \(\varvec{a}=(a_0,\dots ,a_{n-1})\) over \(\mathbb {F}\) is a polynomial \(f_{\varvec{a}}:\mathbb {F}^\ell \rightarrow \mathbb {F}\) in the variables \(x_1,\dots ,x_\ell \)
where \(i_\ell i_{\ell -1} \dots i_{2} i_{1}\) is the bit representation of i and \( \textsf{select}_{i_k}(x_k)= {\left\{ \begin{array}{ll} x_k, &{} \text {if } i_k=1\\ 1-x_k, &{} \text {if } i_k=0. \end{array}\right. }\)
A property of the multilinear extension of \(\varvec{a}\) is that \(f_{\varvec{a}}(i_1,\dots ,i_\ell )=a_i\) for each \(i \in [n]\).
Vector commitment scheme
We describe the EDRAX Vector Commitment:
Definition C.2
Let \(\textsf{bp}=(q,g,\mathbb {G}_1,\mathbb {G}_T,e) \leftarrow \mathcal{R}\mathcal{G}(1^\lambda )\) be a bilinear group produced by a group generator. Let \(n=2^\ell \) be the length of the vector and \(2^{[\ell ]}\) the powerset of \([\ell ]=\{1,\dots ,\ell \}\).

\(\textsf{KeyGen}(1^{\lambda },n) \rightarrow (\textsf{prk},\textsf{vrk},\textsf{upk}_0,\dots ,\textsf{upk}_{n-1}):\) samples random \(s_1,\dots , s_\ell {\leftarrow }{\$}\,\mathbb {F}\) and computes \(\textsf{prk}\leftarrow \left\{ g^{\prod _{i \in S}s_i}: S \in 2^{[\ell ]} \right\} \) and \(\textsf{vrk}\leftarrow \left\{ g^{s_1},\dots ,g^{s_\ell } \right\} \). For each \(i=0,\dots ,n-1\) it computes the update key \( \textsf{upk}_i \leftarrow \left\{ g^{\prod _{k=1}^{t} \textsf{select}_{i_k}(s_k)}: t=1,\dots ,\ell \right\} :=\{\textsf{upk}_{i,t}: t= 1,\dots , \ell \}\).

\(\textsf{Com}(\textsf{prk},a_{0},\dots ,a_{n-1}) \rightarrow \textsf{dig}_{\varvec{a}}:\) let \(\varvec{a} :=(a_{0},\dots ,a_{n-1})\). It computes \(\textsf{dig}_{\varvec{a}} \leftarrow g^{f_{\varvec{a}}(s_1,\dots ,s_\ell )} \), where \(f_{\varvec{a}}\) is the multilinear extension of the vector \(\varvec{a}\) as described above.

\(\textsf{Prove}(\textsf{prk},i,\varvec{a}) \rightarrow (a_i,\pi _i):\) let \(\varvec{x}=(x_1,\dots ,x_\ell )\) be a vector of \(\ell \) variables. Compute \(q_1,\dots ,q_\ell \) such that \(f_{\varvec{a}}(\varvec{x}) - f_{\varvec{a}}(i_1,\dots ,i_\ell )=\sum _{k=1}^{\ell }(x_k-i_k)q_k(\varvec{x})\) and set \(\pi _i \leftarrow \left\{ g^{q_1(\varvec{s})},\dots ,g^{q_\ell (\varvec{s})} \right\} \) (where each \(g^{q_{k}(\varvec{s})}\) is evaluated using \(\textsf{prk}:=\left\{ g^{\prod _{i \in S}s_i}: S \in 2^{[\ell ]} \right\} \), without knowledge of \(\varvec{s}\)).

\(\textsf{Ver}(\textsf{vrk},\textsf{dig},i, a,\pi ) \rightarrow b:\) parse \(\pi :=(w_1,\dots ,w_\ell )\) and output 1 iff \( e(\textsf{dig}/g^a,g)=\prod _{k=1}^{\ell }e(g^{s_k-i_k},w_k)\).

\(\textsf{UpdateCom}(\textsf{dig},i,\delta ,\textsf{upk}_i) \rightarrow \textsf{dig}':\) computes \( \textsf{dig}' \leftarrow \textsf{dig} \cdot \left[ g^{\prod _{k=1}^\ell \textsf{select}_{i_k}(s_k)} \right] ^\delta = \textsf{dig} \cdot \left[ \textsf{upk}_{i,\ell } \right] ^\delta = g^{(a_i+\delta )\cdot \prod _{k=1}^{\ell }\textsf{select}_{i_k}(s_k) + \sum _{j=0,j \ne i}^{n-1}a_j \cdot \prod _{k=1}^{\ell }\textsf{select}_{j_k}(s_k)} \).

\(\textsf{UpdateProof}(\pi ,i,\delta ,\textsf{upk}_i) \rightarrow \pi ':\) parses \(\pi :=(w_1,\dots ,w_\ell )\) and computes \( w_k'\leftarrow w_k \cdot g^{\varDelta _k(\varvec{s})}\) for each \(k = 1,\dots ,\ell \), where the \(\varDelta _{k}(\varvec{x})\) are the delta polynomials computed by the \(\textsf{DELTAPOLYNOMIALS}\) algorithm (for more details about the algorithm and its correctness we refer to [23]).
The above scheme is proven in [23] to satisfy the Soundness property under the q-Strong Bilinear Diffie-Hellman assumption.
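The multilinear extension of Sect. C.2 and the quotient decomposition that \(\textsf{Prove}\) relies on, as an added example (not the paper's or EDRAX's code). It works over a constructed toy prime field instead of the pairing group's scalar field, represents a multilinear polynomial as a map from subsets \(S \subseteq [\ell]\) to coefficients, and computes \(q_1,\dots,q_\ell\) by peeling off one variable at a time: writing the remainder as \(x_k A + B\) with A, B free of \(x_k\) gives \((x_k - i_k)A + (i_k A + B)\), so \(q_k = A\).

```python
# Added example (not the paper's or EDRAX's code): the multilinear extension f_a
# of Sect. C.2 and the quotients q_1..q_ell with
#     f_a(x) - f_a(i_1..i_ell) = sum_k (x_k - i_k) q_k(x)
# that Prove needs.  A multilinear polynomial is a dict {frozenset(S): coeff}
# meaning sum_S coeff * prod_{k in S} x_k.  PRIME is a constructed toy field.
PRIME = 2**61 - 1

def bits(i, ell):
    """(i_1, ..., i_ell) with i_1 the least significant bit, as in the text."""
    return [(i >> (k - 1)) & 1 for k in range(1, ell + 1)]

def poly_mul(f, g):
    """Product of two multilinear polynomials in disjoint variable sets."""
    out = {}
    for S, cf in f.items():
        for T, cg in g.items():
            out[S | T] = (out.get(S | T, 0) + cf * cg) % PRIME
    return out

def select(bit, k):
    """select_{i_k}(x_k): x_k if the bit is 1, 1 - x_k if it is 0."""
    if bit == 1:
        return {frozenset([k]): 1}
    return {frozenset(): 1, frozenset([k]): PRIME - 1}

def mle(a):
    """Multilinear extension f_a = sum_i a_i * prod_k select_{i_k}(x_k), n = 2^ell."""
    ell = len(a).bit_length() - 1
    assert 1 << ell == len(a), "vector length must be a power of two"
    f = {}
    for i, a_i in enumerate(a):
        term = {frozenset(): a_i % PRIME}
        for k, bit in enumerate(bits(i, ell), start=1):
            term = poly_mul(term, select(bit, k))
        for S, c in term.items():
            f[S] = (f.get(S, 0) + c) % PRIME
    return f

def evaluate(f, x):
    """Evaluate f at x = (x_1, ..., x_ell); x is 0-indexed in Python."""
    total = 0
    for S, c in f.items():
        term = c
        for k in S:
            term = term * x[k - 1] % PRIME
        total = (total + term) % PRIME
    return total

def quotients(f, i, ell):
    """Return (f(i_1..i_ell), [q_1, ..., q_ell]) with f(x) - f(i) = sum_k (x_k - i_k) q_k(x).
    At step k the remainder is x_k*A + B with A, B free of x_k, which equals
    (x_k - i_k)*A + (i_k*A + B); so q_k = A and the new remainder is i_k*A + B."""
    rem, qs = dict(f), []
    for k, i_k in enumerate(bits(i, ell), start=1):
        A = {S - {k}: c for S, c in rem.items() if k in S}
        B = {S: c for S, c in rem.items() if k not in S}
        for S, c in A.items():
            B[S] = (B.get(S, 0) + i_k * c) % PRIME
        rem, qs = B, qs + [A]
    assert set(rem) <= {frozenset()}, "remainder must be a constant"
    return rem.get(frozenset(), 0), qs

def check_decomposition(a, i, x):
    """Prove's identity, evaluated at an arbitrary point x (what Ver checks in the exponent)."""
    ell = len(a).bit_length() - 1
    f = mle(a)
    f_i, qs = quotients(f, i, ell)
    rhs = sum((x[k] - i_k) * evaluate(qs[k], x) for k, i_k in enumerate(bits(i, ell))) % PRIME
    return f_i == a[i] % PRIME and (evaluate(f, x) - f_i) % PRIME == rhs
```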
D Another instantiation of protocol for \(R_{\textsf{Coprime}}\)
Below we propose another interactive ZK protocol for \(R_\textsf{Coprime}\). The difference from the one above is that it does not have the limitations \(\lambda _{s}+ 1 < \mu \) and \(\lambda _{s}< \log (N)/2\). Also, a partial opening of \(\textsf{Acc}\) is not needed. This comes at the cost of 2 more group elements in the proof size, 4 more exponentiations for the prover and 2 more for the verifier.

1.
Prover computes \(C_a=D H^{r_a}, C_{r_a}=G^{r_a} H^{r'_a}, C_b=G^b H^{\rho _b}, C_B=Acc^{b}H^{\rho _B}, C_{\rho _{B}} = G^{\rho _{B}} H^{\rho '_{B}}\) and sends to the verifier:
\(\underline{\mathcal {P} \rightarrow \mathcal {V}}:C_a, C_b, C_{r_a}, C_B, C_{\rho _B}\).

2.
Prover and Verifier perform a protocol for the relation: \(R((\textsf{Acc}, C_e, C_a, C_{r_a}, C_b, C_B, C_{\rho _B}),(e,r, r_a, r'_a, b, \rho _b, \rho _{B}, \rho '_B, D, B, \beta ,\delta ))=1 \) iff
$$\begin{aligned}{} & {} C_b = G^b H^{\rho _b} \, \wedge \, C_B = Acc^b H^{\rho _B} \, \wedge \, C_e = G^eH^r \, \wedge \, C_{r_a} = G^{r_a} H^{r'_a}\\{} & {} \quad \, \wedge \, C_{\rho _B} = G^{\rho _B} H^{\rho '_B} \, \wedge \, C_a^e C_{B} = G H^{\beta } \, \wedge \, C_{r_a}^e C_{\rho _B} = G^\beta H^\delta . \end{aligned}$$Let \(\lambda _{s}\) be the size of the challenge space, \(\lambda _{z}\) the statistical security parameter and \(\mu \) the size of e.

Prover samples:
$$\begin{aligned} \begin{aligned}&r_b, r_e {\leftarrow }{\$}\,\left( -2^{\lambda _{z}+ \lambda _{s}+ \mu },2^{\lambda _{z}+ \lambda _{s}+ \mu } \right) \\&r_{\rho _b}, r_{\rho _B}, r_r, r_{r_a},r_{r'_a}, r_{\rho _{B}'} {\leftarrow }{\$}\,\left( -\left\lfloor N/4\right\rfloor 2^{\lambda _{z}+\lambda _{s}},\left\lfloor N/4\right\rfloor 2^{\lambda _{z}+\lambda _{s}} \right) \\&r_\beta ,r_\delta {\leftarrow }{\$}\,\left( -\left\lfloor N/4\right\rfloor 2^{\lambda _{z}+ \lambda _{s}+ \mu },\left\lfloor N/4\right\rfloor 2^{\lambda _{z}+ \lambda _{s}+ \mu } \right) , \end{aligned} \end{aligned}$$and computes:
$$\begin{aligned}{} & {} \alpha _1 = G^{r_b}H^{r_{\rho _b}}, \quad \alpha _2 = \textsf{Acc}^{r_b}H^{r_{\rho _B}}, \quad \alpha _3 = G^{r_e}H^{r_r}, \quad \alpha _4 = G^{r_{r_a}}H^{r_{r_a'}}, \\{} & {} \alpha _5 = C_a^{r_e} H^{r_\beta }, \quad \alpha _6 = C_{r_a}^{r_e} G^{r_{\beta }} H^{r_\delta }, \quad \alpha _7 = G^{r_{\rho _B}}H^{r_{\rho _B'}}. \end{aligned}$$\(\underline{\mathcal {P} \rightarrow \mathcal {V}}:(\alpha _1,\alpha _2,\alpha _3,\alpha _4, \alpha _5, \alpha _6, \alpha _7)\)

Verifier samples the challenge \(c \leftarrow \{0,1\}^{\lambda _{s}}\). \(\underline{\mathcal {V} \rightarrow \mathcal {P}}: c\)

Prover computes the response:
$$\begin{aligned} \begin{aligned}&s_b = r_b - cb, \quad s_e = r_e - c e\\&s_{\rho _b} = r_{\rho _b} - c \rho _b, \quad s_{\rho _B} = r_{\rho _B} - c \rho _B, \quad s_r = r_r - c r, \quad s_{r_a} = r_{r_a} - c r_a, \quad s_{r'_a} = r_{r'_a} - c r_a', \\&s_{\rho _{B}'} = r_{\rho _B'} - c \rho _B'\\&s_\beta = r_\beta + c (e r_a + \rho _{B}), \quad s_\delta =r_\delta + c ( e r_a' +\rho '_{B}). \end{aligned} \end{aligned}$$\(\underline{\mathcal {P} \rightarrow \mathcal {V}}: (s_b, s_e, s_{\rho _b}, s_{\rho _B}, s_r, s_{r_a}, s_{r'_a}, s_{\rho _{B}'}, s_\beta , s_\delta )\).

Verifier checks if:
$$\begin{aligned}{} & {} \alpha _1 {\mathop {=}\limits ^{?}} C_b^c G^{s_b}H^{s_{\rho _b}}, \quad \alpha _2 {\mathop {=}\limits ^{?}} C_B^c \textsf{Acc}^{s_b}H^{s_{\rho _B}}, \quad \alpha _3 {\mathop {=}\limits ^{?}} C_e^c G^{s_e} H^{s_r}, \quad \alpha _4 {\mathop {=}\limits ^{?}} C_{r_a}^c G^{s_{r_a}}H^{s_{r_a'}}, \quad \\{} & {} \alpha _5 {\mathop {=}\limits ^{?}} C_a^{s_e} H^{s_\beta } G^{c} C_{B}^{-c}, \quad \alpha _6 {\mathop {=}\limits ^{?}} C_{r_a}^{s_e} H^{s_\delta } G^{s_{\beta }} C_{\rho _B}^{-c}, \quad \alpha _7 {\mathop {=}\limits ^{?}} C_{\rho _B}^c G^{s_{\rho _B}}H^{s_{\rho _B'}},\\{} & {} s_e {\mathop {\in }\limits ^{?}} \left[ -2^{\lambda _{z}+ \lambda _{s}+ \mu +1}, 2^{\lambda _{z}+ \lambda _{s}+ \mu +1} \right] . \end{aligned}$$

Correctness
Here we show the correctness of the protocol (Fig. 19).
Security
Theorem D.1
Let \(\mathbb {Z}_N^*\) be an RSA group where the strong RSA assumption holds. Then the above protocol is an honest-verifier zero-knowledge and knowledge-sound protocol for \(R_{\textsf{Coprime}}\).
Proof
Zero-knowledge can be proven with standard techniques, similar to the ones in the proof of Theorem 4.6, and is therefore omitted.
For knowledge soundness, let \(\mathcal {A}\) be an adversary against knowledge soundness that is able to convince the verifier \(\mathcal {V}\) with probability at least \(\epsilon \). We construct an extractor \(\mathcal {E}\) that extracts the witness \((e,r,r_2,r_3,\beta ,\delta )\). Using rewinding, \(\mathcal {E}\) gets two accepting transcripts
on two different challenges c and \(c'\). \(\mathcal {E}\) aborts if it cannot get two such transcripts (\(\textsf {abort}1\)).
We denote \(\varDelta c :=c'-c, \varDelta s_b :=s_b - s_b', \varDelta s_e :=s_e - s_e', \varDelta s_{\rho _b} :=s_{\rho _b} - s_{\rho _b}', \varDelta s_{\rho _B} :=s_{\rho _B} - s_{\rho _B}', \varDelta s_r :=s_r - s_r', \varDelta s_{r_a} :=s_{r_a} - s_{r_a}', \varDelta s_{r_a'} :=s_{r_a'} - s_{r_a'}', \varDelta s_{\rho _B'} :=s_{\rho _B'} - s_{\rho _B'}', \varDelta s_\beta :=s_\beta - s_\beta ', \varDelta s_\delta :=s_\delta - s_\delta '\) and then
define the (possibly rational) numbers \(\hat{b} :=\frac{\varDelta s_b}{\varDelta c}\), \(\hat{\rho _b} :=\frac{\varDelta s_{\rho _b}}{\varDelta c}\), \(\hat{e} :=\frac{\varDelta s_e}{\varDelta c}\), \(\hat{r} :=\frac{\varDelta s_r}{\varDelta c}\), \(\hat{r_a} :=\frac{\varDelta s_{r_a}}{\varDelta c}\), \(\hat{r_a'} :=\frac{\varDelta s_{r_a'}}{\varDelta c}\), \(\hat{\rho _B} :=\frac{\varDelta s_{\rho _B}}{\varDelta c}\), \(\hat{\rho _B'} :=\frac{\varDelta s_{\rho _B'}}{\varDelta c}\).
\(\mathcal {E}\) aborts in case \(\varDelta c\) does not divide \(\varDelta s_b\) and \(\varDelta s_{\rho _b}\) (\(\textsf {abort}\, 2a\)), \(\varDelta s_e\) and \(\varDelta s_r\) (\(\textsf {abort}\, 2b\)), \(\varDelta s_{r_a}\) and \(\varDelta s_{r_a'}\) (\(\textsf {abort}\, 2c\)), \(\varDelta s_{\rho _B}\) and \(\varDelta s_{\rho _B'}\) (\(\textsf {abort}\, 2d\)). And finally, \(\mathcal {E}\) aborts if \(\varDelta c\) does not divide \(\varDelta s_{\rho _B}\) (\(\textsf {abort}\, 2e\)). Therefore, if none of these aborts happened we can infer the equivalent equalities on the right of Eqs. 9, 10, 11, 12 and 15.
If we replace Eqs. 12 and 15 in Eq. 14 we get \(1 = \left( \pm G^{\hat{r_a}}H^{\hat{r'_a}} \right) ^{\varDelta s _e} H^{\varDelta s_\delta } G^{\varDelta s_\beta } \left( \pm G^{\hat{\rho _B}}H^{\hat{\rho '_B}} \right) ^{\varDelta c}\), or \(1 = (\pm 1)^{\varDelta s_e} (\pm 1)^{\varDelta c} G^{\hat{r_a} \varDelta s_e + \hat{\rho _B} \varDelta c + \varDelta s_\beta } H^{\hat{r_a'} \varDelta s_e + \hat{\rho _B'} \varDelta c + \varDelta s_\delta }\). Since G, H and 1 are quadratic residues, \((\pm 1)^{\varDelta s_e} (\pm 1)^{\varDelta c} = 1\), hence \(1 = G^{\hat{r_a} \varDelta s_e + \hat{\rho _B} \varDelta c + \varDelta s_\beta } H^{\hat{r_a'} \varDelta s_e + \hat{\rho _B'} \varDelta c + \varDelta s_\delta }\). Then under the DLOG assumption \(\hat{r_a} \varDelta s_e + \hat{\rho _B} \varDelta c + \varDelta s_\beta = 0 = \hat{r_a'} \varDelta s_e + \hat{\rho _B'} \varDelta c + \varDelta s_\delta \), which gives us that
Finally, replacing Eqs. 10 and 16 in Eq. 13 we get \(1 = C_a^{\varDelta s_e} H^{-\hat{r_a} \varDelta s_e - \hat{\rho _B} \varDelta c} G^{-\varDelta c} \left( \pm \textsf{Acc}^{\hat{b}}H^{\hat{\rho _B}} \right) ^{\varDelta c}\), or \(1 = (\pm 1)^{\varDelta c} C_a^{\varDelta s_e} \textsf{Acc}^{\hat{b} \varDelta c} G^{-\varDelta c} H^{-\hat{r_a} \varDelta s_e}\), or \(\left( \pm \textsf{Acc}^{\hat{b}}G^{-1} \right) ^{\varDelta c} = \left( C_a^{-1} H^{\hat{r_a}} \right) ^{\varDelta s_e}\). But as noted above \(\varDelta c\) divides \(\varDelta s_e\), so \(\pm \textsf{Acc}^{\hat{b}}G^{-1} = \pm \left( C_a^{-1} H^{\hat{r_a}} \right) ^{\hat{e}} \Rightarrow \textsf{Acc}^{\hat{b}}G^{-1} = \pm \left( C_a^{-1} H^{\hat{r_a}} \right) ^{\hat{e}} \Rightarrow \left( \frac{C_a}{H^{\hat{r_a}}} \right) ^{\hat{e}}\textsf{Acc}^{\hat{b}} = \pm G\). We discern two cases:

\(\underline{\left( \frac{C_a}{H^{\hat{r_a}}} \right) ^{\hat{e}}\textsf{Acc}^{\hat{b}} = + G}\): Then \(\mathcal {E}\) sets \(\tilde{D} \leftarrow \frac{C_a}{H^{\hat{r_a}}}\), \(\tilde{e} \leftarrow \hat{e} :=\frac{\varDelta s_e}{\varDelta c}\), \(\tilde{r} \leftarrow \hat{r} :=\frac{\varDelta s_r}{\varDelta c}\) and \(\tilde{b} \leftarrow \hat{b} :=\frac{\varDelta s_b}{\varDelta c}\).

\(\underline{\left( \frac{C_a}{H^{\hat{r_a}}} \right) ^{\hat{e}}\textsf{Acc}^{\hat{b}} = -G}\): Then \(\hat{e}\) must be odd: otherwise, if \(\hat{e} = 2 \rho \), then \(G = -\left( \frac{C_a}{H^{\hat{r_a}}} \right) ^{2\rho }\textsf{Acc}^{\hat{b}}\) would be a non-quadratic residue, contradicting \(G \in \textsf{QR}_N\). So \(\mathcal {E}\) sets \(\tilde{D} \leftarrow -\frac{C_a}{H^{\hat{r_a}}}\), \(\tilde{e} \leftarrow \hat{e} :=\frac{\varDelta s_e}{\varDelta c}\), \(\tilde{r} \leftarrow \hat{r} :=\frac{\varDelta s_r}{\varDelta c}\) and \(\tilde{b} \leftarrow \hat{b} :=\frac{\varDelta s_b}{\varDelta c}\). Since \(\hat{e}\) is odd, \(\tilde{D}^{\tilde{e}} = -\left( \frac{C_a}{H^{\hat{r_a}}} \right) ^{\hat{e}}\), and thus \(\tilde{D}^{\tilde{e}} \textsf{Acc}^{\tilde{b}} = G\).
Finally the \(\mathcal {E}\) outputs \((\tilde{e},\tilde{r}, \tilde{D}, \tilde{b})\).
Now we show that the probability that the extractor terminates outputting a valid witness is \(O(\epsilon )\). If the extractor does not abort then it clearly outputs a valid witness (under the factoring assumption). For the first abort, with a standard argument it can be shown that the extractor is able to extract two accepting transcripts with probability \(O(\epsilon )\) (for the probabilistic analysis we refer to [31]). Thus \(Pr[\textsf {abort}\, 1] = 1 - O(\epsilon )\). The aborts \(\textsf {abort}\, 2a\), \(\textsf {abort}\, 2b\), \(\textsf {abort}\, 2c\) and \(\textsf {abort}\, 2d\) happen with negligible probability (\( \le \frac{2}{1 - 2^{-\lambda _{s}+1}} Pr[\mathcal {B} \text { solves } sRSA]\) each, for any PPT adversary \(\mathcal {B}\)) under the strong RSA assumption according to Lemma 4.2. For \(\textsf {abort}\, 2e\) we show in the lemma below that in case it happens an adversary can solve the strong RSA problem. Putting them together, the probability of success of \(\mathcal {E}\) is at least \(O(\epsilon ) - \left( \frac{8}{1 - 2^{-\lambda _{s}+1}} +1 \right) Pr[\mathcal {B} \text { solves } sRSA] = O(\epsilon ) - \textsf{negl}(\lambda _{s})\).
Lemma D.1
If \(\varDelta c\) divides \(\varDelta s_b\) then it also divides \(\varDelta s_{\rho _B}\) under the strong RSA assumption.
Proof
An adversary against the strong RSA assumption receives \(H \in \textsf{QR}_N\) and does the following: set \(G = H^\tau \) for \(\tau \leftarrow _{\$} [0,2^{\lambda _{s}} N^2]\) and send (G, H) to the adversary \(\mathcal {A}\), which outputs a proof \(\pi _{\textsf{Coprime2}}\). Then we rewind to get another successful proof \(\pi _{\textsf{Coprime2}}'\) and we use the extractor as above to get \(C_B^{\varDelta c} = \textsf{Acc}^{\varDelta s_b}H^{\varDelta s_{\rho _B}}\).
Assume that \(\varDelta c \not \mid \varDelta s_{\rho _B}\). Since \(\varDelta c\) divides \(\varDelta s_b\), there is a k such that \(k \cdot \varDelta c = \varDelta s_b\). Then \(C_B^{\varDelta c} = \textsf{Acc}^{k \cdot \varDelta c}H^{\varDelta s_{\rho _B}} \Rightarrow \left( C_B \textsf{Acc}^{-k} \right) ^{\varDelta c} = H^{\varDelta s_{\rho _B}}\). By assumption \(\varDelta c\) doesn’t divide \(\varDelta s_{\rho _B}\), so \(\gcd (\varDelta c, \varDelta s_{\rho _B} ) = g\) for some \(g \ne \varDelta c, \varDelta s_{\rho _B}\). Hence, there are \(\chi , \psi \) such that \(\chi \cdot \varDelta c + \psi \cdot \varDelta s_{\rho _B} = g\). Thus, \(H^g = H^{\chi \cdot \varDelta c + \psi \cdot \varDelta s_{\rho _B}} = H^{\chi \varDelta c} \left( C_B \textsf{Acc}^{-k} \right) ^{\psi \varDelta c} = \left( H^{\chi } C_B^{\psi } \textsf{Acc}^{-\psi k} \right) ^{\varDelta c}\), so \(H = \pm \left( H^{\chi } C_B^{\psi } \textsf{Acc}^{-\psi k} \right) ^{\frac{\varDelta c}{g}}\). Now since H and \(\textsf{Acc}\) are quadratic residues (and so is \(C_B\)) we get that \(H = \left( H^{\chi } C_B^{\psi } \textsf{Acc}^{-\psi k} \right) ^{\frac{\varDelta c}{g}}\), and thus \(\left( H^{\chi } C_B^{\psi } \textsf{Acc}^{-\psi k}, \frac{\varDelta c}{g} \right) \) is a solution to the strong RSA problem. \(\square \)
By a simple argument identical to the one of Sect. 4.5, we can also conclude about the range of the extracted \(\tilde{e}\): \(s_e {\mathop {\in }\limits ^{?}} \left[ -2^{\lambda _{z}+ \lambda _{s}+ \mu +1}, 2^{\lambda _{z}+ \lambda _{s}+ \mu +1} \right] \) implies \(-2^{\lambda _{z}+ \lambda _{s}+ \mu +2} \le \hat{e} \le 2^{\lambda _{z}+ \lambda _{s}+ \mu +2}\). \(\square \)
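The two mechanics of the extractor above, the divisibility test on the quotients \(\varDelta s / \varDelta c\) and the Bézout-style reduction of Lemma D.1, can be exercised on a toy instance. The following Python script is an added illustration and is not code from the paper or its library. It assumes a constructed safe-prime RSA modulus far too small to be secure, a generic Schnorr-style argument of knowledge of an opening of an integer commitment \(C = G^x H^r\) as a stand-in for the paper's protocols (simpler than \(\textsf{Coprime}\), but with the same quotient extraction and the same \(\pm\) in the opening check that Appendix E later removes), and function names of my own choosing. The relation \(X^{\varDelta c} = H^{\varDelta s}\) with \(\varDelta c \nmid \varDelta s\) that is fed to the reduction is constructed with knowledge of a root of H, which is exactly what a real adversary would have to come up with.

```python
import random

# Constructed toy RSA group: two small safe primes (23 = 2*11+1, 47 = 2*23+1).
# Real parameters are thousands of bits; these only make the arithmetic visible.
P, Q = 23, 47
N = P * Q                                   # 1081; |QR_N| = 11*23 = 253 stays hidden in a real run


def qr(x):
    """Map x into the subgroup of quadratic residues QR_N."""
    return pow(x, 2, N)


G, H = qr(5), qr(7)   # constructed bases (assumed: no known discrete-log relation between them)


def egcd(a, b):
    """Extended Euclid for a, b >= 0: returns (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def commit(x, r):
    """Integer commitment C = G^x H^r mod N (same shape as the paper's IntCom)."""
    return pow(G, x, N) * pow(H, r, N) % N


def prove_twice(x, r, c1, c2, rng):
    """Honest Schnorr-style prover answering two distinct challenges on the same
    first message A, which is what a rewinding extractor collects."""
    kx, kr = rng.randrange(1, 1 << 20), rng.randrange(1, 1 << 20)   # toy-sized masks
    A = pow(G, kx, N) * pow(H, kr, N) % N
    return (A, c1, kx + c1 * x, kr + c1 * r), (A, c2, kx + c2 * x, kr + c2 * r)


def verify(C, transcript):
    """Sigma-protocol check: G^{s_x} H^{s_r} == A * C^c (mod N)."""
    A, c, sx, sr = transcript
    return pow(G, sx, N) * pow(H, sr, N) % N == A * pow(C, c, N) % N


def extract(t1, t2):
    """Candidate opening (Delta s_x / Delta c, Delta s_r / Delta c) from two
    accepting transcripts. Returns None when Delta c does not divide both
    differences, the situation the proof above calls an 'abort 2' event."""
    (A1, c1, sx1, sr1), (A2, c2, sx2, sr2) = t1, t2
    assert A1 == A2 and c1 != c2
    dc, dsx, dsr = c1 - c2, sx1 - sx2, sr1 - sr2
    if dsx % dc != 0 or dsr % dc != 0:
        return None
    return dsx // dc, dsr // dc


def opens(C, x, r):
    """Opening check with the +- of the RSA-group IntCom; Appendix E drops the
    sign when the group satisfies the low order assumption."""
    V = commit(x, r)
    return V == C or V == (-C) % N


def strong_rsa_from_nondivisible(Hb, X, dc, ds):
    """Reduction in the style of Lemma D.1. Input: X^dc == Hb^ds (mod N) with
    dc not dividing ds. Output: (Z, e) with e > 1 and Z^e == Hb (mod N)."""
    if dc < 0:                          # invert both sides so that dc > 0
        dc, ds = -dc, -ds
    g, chi, psi = egcd(dc, abs(ds))
    psi = psi if ds >= 0 else -psi      # now chi*dc + psi*ds == g
    assert g != dc                      # g == dc would mean dc | ds
    # Hb^g = Hb^{chi*dc} * X^{psi*dc} = (Hb^chi * X^psi)^dc, so Z^dc = Hb^g with g | dc.
    Z = pow(Hb, chi, N) * pow(X, psi, N) % N   # negative exponents use modular inverses
    # g is coprime to |QR_N| for these toy values, so the g-th root in QR_N is
    # unique and Z^(dc/g) = Hb; the paper reaches the same equality via the +- step.
    return Z, dc // g


def demo(seed=1):
    """Honest extraction, then the reduction on a constructed non-divisible relation."""
    rng = random.Random(seed)
    x, r = 12345, 6789
    C = commit(x, r)
    t1, t2 = prove_twice(x, r, 17, 5, rng)
    assert verify(C, t1) and verify(C, t2)
    x_hat, r_hat = extract(t1, t2)
    # Relation X^6 = Hb^4 with 6 not dividing 4, built from a known 6-th root Y of Hb
    # (constructed cheating data; finding such a Y is exactly the strong-RSA problem).
    Y = qr(3)
    Hb, X = pow(Y, 6, N), pow(Y, 4, N)
    Z, e = strong_rsa_from_nondivisible(Hb, X, 6, 4)
    return {"x_hat": x_hat, "r_hat": r_hat, "opens": opens(C, x_hat, r_hat),
            "relation": pow(X, 6, N) == pow(Hb, 4, N),
            "root_exp": e, "root_ok": pow(Z, e, N) == Hb}


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the recovered opening (which passes the \(\pm\) check), and for the non-divisible relation the pair \((Z, \varDelta c / g)\) with \(Z^{\varDelta c/g} = H\), i.e. a root of H of exponent 3 obtained from \(\varDelta c = 6\) and \(\varDelta s = 4\). Whichever Bézout coefficients `egcd` returns, Z is the same group element, because both choices satisfy \(\chi \varDelta c + \psi \varDelta s = g\) and Z only depends on that combination. Negative exponents in `pow` need Python 3.8 or later.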
E Instantiation over hidden order groups
In Sects. 4 and 5 we construct zero-knowledge protocols for set membership/non-membership, where the sets are committed using an RSA accumulator. The integer commitment scheme \(\textsf{IntCom}\), the RSA accumulator-based commitments to sets \(\textsf{SetCom}_{\textsf{RSA}}\), \(\textsf{SetCom}_{\mathsf {RSA'}}\), the proof of equality \(\textsf{modEq}\), the argument of knowledge of a root \(\textsf{Root}\) and the argument of knowledge of a coprime element \(\textsf{Coprime}\) all work over RSA groups.
Although in our work above we specify the group to be an RSA group, we note that our protocols can also work over any Hidden Order Group, for example Class Groups [12] or the recently proposed groups from Hyperelliptic Curves [34, 51].
Here we describe the (slight) modifications, in the protocols and the assumptions under which they would be secure, that are necessary to switch to (general) Hidden Order Groups.
Let \(\textsf{Ggen}(1^{\lambda })\) be a probabilistic algorithm that generates such a group \(\mathbb {G}\) with order in a specific range \([\textsf{ord}_{min},\textsf{ord}_{max}]\) such that \(\frac{1}{\textsf{ord}_{min}},\frac{1}{\textsf{ord}_{max}},\frac{1}{\textsf{ord}_{max}-\textsf{ord}_{min}} \in \textsf{negl}(\lambda )\).
The additional assumption that we need to make is that it is hard to find any group element in \(\mathbb {G}\) of low (poly-size) order. This is the Low Order Assumption [10], which is formally defined below:
Definition E.1
(Low order assumption [10]) We say that the low order assumption holds for \(\textsf{Ggen}\) if for any PPT adversary \(\mathcal {A}\):
We note that specifically for RSA groups, for the Low Order assumption to hold, we have to work in the quotient group \(\mathbb {Z}_N^*/\{1,-1\}\) [72], since otherwise \(-1\) would trivially break the assumption. So \(\mathbb {Z}_N^*/\{1,-1\}\) would be an instantiation of a Hidden Order Group where the Low Order assumption holds.
In terms of constructions, one difference regards the upper bound on the order of \(\mathbb {G}\) that is used in the protocols. More precisely, throughout the main core of our work we use N as an upper bound for the order of the group \(\mathbb {Z}_N^*\) and N/2 as an upper bound for the order of the quadratic residues subgroup \(\textsf{QR}_N\). Similarly, in a Hidden Order Group \(\mathbb {G}\) generated by \(\textsf{Ggen}\), although the order of the group is unknown, a range \([\textsf{ord}_{min}, \textsf{ord}_{max}]\) in which the order lies is known. So the maximum order \(\textsf{ord}_{max}\) can be used, instead of N, as an upper bound. In many cases these values are used either to securely sample a random value or to bound the size of a value needed for a security proof. For example, a random value that is sampled from \(\left( -\left\lfloor N/4\right\rfloor 2^{\lambda _{z}+\lambda _{s}},\left\lfloor N/4\right\rfloor 2^{\lambda _{z}+\lambda _{s}} \right) \) in the RSA group instantiation will be sampled from \(\left( -\frac{\textsf{ord}_{max}}{2} 2^{\lambda _{z}+\lambda _{s}},\frac{\textsf{ord}_{max}}{2} 2^{\lambda _{z}+\lambda _{s}} \right) \) in the case of hidden order groups.
Here we give the other specific changes that need to be made to instantiate our protocols in general hidden order groups. For \(\textsf{IntCom}\), the verification equation becomes \(C = G^x H^r\) (without the ±). Then the argument of knowledge of an opening of such a commitment would be secure under the strong RSA and low order assumptions. The set commitments \(\textsf{SetCom}_{\textsf{RSA}}\), \(\textsf{SetCom}_{\mathsf {RSA'}}\) remain the same and are binding under the strong RSA assumption for \(\textsf{Ggen}\) (and collision resistance of \(\textsf{H}_{\textsf{prime}}\) for the case of \(\textsf{SetCom}_{\textsf{RSA}}\)). For \(\textsf{modEq}\), the same difference as for the AoK of an opening of an \(\textsf{IntCom}\) commitment is inherited. For \(\textsf{Root}\) and \(\textsf{Coprime}\), Proposition 4.1 needs to be slightly modified: \(A = B^{\frac{x}{y}}\) can be stated without the ±, and can be proven under the low order assumption instead. Finally, in the proof of security of protocol \(\textsf{Coprime}\), in Lemma 5.1 the assumption \(\lambda _{s}< \log (N)/2\) is not needed as long as the low order assumption holds (an adversary that can find \(H,\varDelta c\) such that \(\gcd (\textsf{ord}(H), q^\ell ) = 1\) can be used to break the low order assumption).
1.1 Transparent instantiation and efficiency
The above instantiation combined with a transparent proof system (for instance Bulletproofs) gives transparent CP-NIZKs for set (non-)membership analogous to the ones described for RSA groups in Sect. 4, i.e. proof systems with a uniformly random CRS. We ran some preliminary experiments for this instantiation over class groups of 2048-bit discriminant and using Bulletproofs. The results showed a proving time of 3.3 s, a verification time of 2.3 s and a proof size of 5.3 kB, for arbitrary accumulated elements (i.e. not necessarily primes). Furthermore, if we make use of the optimization described in Sect. 7.4, the efficiency improves to 1.66 s, 1.33 s and 4 kB (prover/verifier and proof size resp.).
Unfortunately, very recent cryptanalytic results on class groups [34] showed that a discriminant of 2048 bits yields only about 60 bits of security, while for 128 bits of security one needs to choose a 6600-bit discriminant for the class group. We estimate that over class groups of a 6000-bit discriminant our aforementioned protocol, together with the optimization of Sect. 7.4, will give a proving time of \( \sim 12\) s, a verification time of \(\sim 6.4\) s and a proof size of 6.4 kB. Finally, our estimates for the respective protocol for prime elements (with the computational ZK optimization) are: \( \sim 7\) s/\( \sim 6.2\) s/6 kB (proving time/verification time/proof size resp.).
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
Benarroch, D., Campanelli, M., Fiore, D. et al. Zero-knowledge proofs for set membership: efficient, succinct, modular. Des. Codes Cryptogr. 91, 3457–3525 (2023). https://doi.org/10.1007/s10623-023-01245-1