Zero-knowledge proofs for set membership: efficient, succinct, modular

We consider the problem of proving in zero knowledge that an element of a public set satisfies a given property without disclosing the element, i.e., for some u, “u∈S\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$u \in S$$\end{document} and P(u) holds”. This problem arises in many applications (anonymous cryptocurrencies, credentials or whitelists) where, for privacy or anonymity reasons, it is crucial to hide certain data while ensuring properties of such data. We design new modular and efficient constructions for this problem through new commit-and-prove zero-knowledge systems for set membership, i.e. schemes proving u∈S\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$u \in S$$\end{document} for a value u that is in a public commitment cu\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$c_u$$\end{document}. We also extend our results to support non-membership proofs, i.e. proving u∉S\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$u \notin S$$\end{document}. Being commit-and-prove, our solutions can act as plug-and-play modules in statements of the form “u∈S\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$u \in S$$\end{document} and P(u) holds” by combining our set (non-)membership systems with any other commit-and-prove scheme for P(u). Also, they work with Pedersen commitments over prime order groups which makes them compatible with popular systems such as Bulletproofs or Groth16. We implemented our schemes as a software library, and tested experimentally their performance. Compared to previous work that achieves similar properties—the clever techniques combining zkSNARKs and Merkle Trees in Zcash—our solutions offer more flexibility, shorter public parameters and 3.7×\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$3.7 \times $$\end{document}–30×\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$30\times $$\end{document} faster proving time for a set of size 264\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$2^{64}$$\end{document}.


Introduction
The problem of proving set membership-that a given element x belongs to some set S-arises in many applications, including governmental white-lists to prevent terrorism or money-laundering, voting and anonymous credentials, among others.More recently, this problem also appears at the heart of currency transfer and identity systems over blockchains.In this setting, parties can first publicly commit to sets of data (through the blockchain itself) and then, by proving set membership, can claim ownership of assets or existence of identity attributes.
A naive approach to verifying that an element is in a set is that of going through all its entries.The complexity of this direct approach, however, is unacceptable in many scenarios.This is especially true for blockchains, where most of the parties (the verifiers) should run quickly.
How to efficiently verify set membership then?Cryptographic accumulators [Bd94] provide a nice solution to this problem.They allow a set of elements to be compressed into a short value (the accumulator) and to generate membership proofs that are short and fast to verify.As a security guarantee they require it should be computationally infeasible to generate a false membership proof.
As of today, we can divide constructions for accumulators into three main categories: Merkle Trees [Mer88]; RSA-based [BP97, CL02, LLX07, BBF18]; pairing-based [Ngu05,DT08,CKS09,ZKP17].Approaches based on Merkle Trees 1 allow for short (i.e., O(1)) public parameters and accumulator values, whereas the witness for membership proofs is of size log(n), where n is the size of the set.In RSA-based constructions both the accumulator and the witness are each a single element in a relatively large hidden-order group G2 , and thus of constant-size.Schemes that use pairings in elliptic curves such as [Ngu05,CKS09] offer small accumulators and small witnesses (which can each be a single element of a prime order bilinear group, e.g., 256 bits) but require large parameters (approximately O(n)) and a trusted setup.
In anonymous cryptocurrencies, e.g.Zerocash [BCG + 14] (but also in other applications such as anonymous Credentials [Cha85] and whitelists), we also require privacy.That is, parties in the system would not want to disclose which element in the set is being used to prove membership.Phrased differently, one desires to prove that u ∈ S without revealing u, or: the proof should be zero-knowledge [GMR89] for u.As an example, in Zerocash users want to prove that a coin is unspent (i.e.belongs to the set of all unspent coins) without revealing which coin it is that they are spending.
It is common in practice that this privacy requirement goes beyond proving membership.In fact, these applications often require proving further properties about the accumulated elements, e.g., that for some element u in the set, property P (u) holds.And this without leaking any more information about u other than what is entailed by P .In other words, we desire zero-knowledge for the statement R * (S, u) := "u ∈ S and P (u)".
One way to solve the problem, as done in Zerocash, is to directly apply general-purpose zeroknowledge proofs for R * , e.g., [PHGR13,Gro16].This approach, however, tends to be expensive and ad-hoc.One of the questions we aim to tackle is that of providing a more efficient proof systems for set membership relations, that can also be modular.
Specifically, as observed in [CFQ19] the design of practical proof systems can benefit from a more modular vision.A modular framework such as the one in [CFQ19] not only allows for separation of concerns, but also increases reusability and compatibility in a plug-and-play fashion: the same proof system is designed once and can be reused for the same sub-problem regardless of the context 3 ; it can be replaced with a component for the same sub-problem at any time.Also, as [CFQ19] shows, this can have a positive impact on efficiency since designing a special-purpose proof system for a specific relation can lead to significant optimizations.Finally, this compositional approach can also be leveraged to build general-purpose proofs.
In this work we focus on applying this modular vision to designing succinct zero-knowledge proofs for set membership.Following the abstract framework in [CFQ19] we investigate how to apply commit-and-prove techniques [CLOS02] to our setting.Our approach uses commitments for composability as follows.Consider an efficient zero-knowledge proof system Π for property P (u).Let us also assume it is commit-and-prove, i.e. the verifier can test P (u) by simply holding a commitment c(u) to u.Such Π could be for example a commit-and-prove NIZK such as Bulletproofs [BBB + 18] or a commit-and-prove zkSNARK such as LegoGroth from [CFQ19] that are able to operate on Pedersen commitments c(•) over elliptic curves.In order to obtain a proof gadget for set membership, all one needs to design is a commit-and-prove scheme for the relations "u ∈ S" where both u and S are committed: u through c(u) and S through some other commitment for sets, such as an accumulator.
Our main contribution is to propose a formalization of this approach and new constructions of succinct zero-knowledge commit-and-prove systems for set membership.In particular, for our constructions we focus on designing schemes where c(u) is a Pedersen commitment in a prime order group G q .We focus on linking with Pedersen commitments as these can be (re)used in some of the best state-of-the-art zero-knowledge proof systems for general-purpose relations that offer for example the shortest proofs and verification time (see, e.g., [Gro16] and its efficient commit-andprove variant [CFQ19]), or transparent setup and logarithmic-size proofs [BBB + 18].
Before describing our results in more detail, we review existing solutions and approaches to realize commit-and-prove zkSNARKs for set membership.
Existing Approaches for Proving Set Membership for Pedersen Commitments.The accumulator of Nguyen [Ngu05], by the simple fact of having a succinct pairing-based verification equation, can be combined with standard zero-knowledge proof techniques (e.g., Sigma protocols or the celebrated Groth-Sahai proofs [GS08]) to achieve a succinct system with reasonable proving and verification time.The main drawbacks of using [Ngu05], however, are the large public parameters (i.e.requiring as many prime group elements as the elements in the set) and a high cost for updating the accumulator to the set, in order to add or remove elements (essentially requiring to recompute the accumulator from scratch).
By using general-purpose zkSNARKs one can obtain a solution with constant-size proofs based on Merkle Trees: prove that there exists a valid path which connects a given leaf to the root; this requires proving correctness of about log n hash function computations (e.g., SHA256).This solution yields a constant-size proof and requires log n-size public parameters if one uses preprocessing zkSNARKs such as [PHGR13,Gro16].On the other hand, often when proving a relation such as R * (S, u) := "u ∈ S and P (u)" the bulk of the work stems from the set membership proof.This is the case in ZCash or Filecoin 4 where the predicate P (•) is sufficiently small.
Finally, another solution that admits constant-size public parameters and proofs is the protocol of [CL02].Specifically, Camenisch and Lysyanskaya showed how to prove in zero-knowledge that an element u committed in a Pedersen commitment over a prime order group G q is a member of an RSA accumulator.In principle this solution would fit the criteria of the gadget we are looking for.Nonetheless, its concrete instantiations show a few limitations in terms of efficiency and flexibility.The main problem is that, for its security to hold, we need a prime order group (the commitment space) and the primes (the message space) to be quite large, for example 5 q > 2 519 .But having such a large prime order group may be undesirable in practice for efficiency reasons.In fact the group G q is the one that used to instantiate more proof systems that need to interact and be linked with the Pedersen commitment.

Our Contributions
We investigate the problem of designing commit-and-prove zero-knowledge systems for set membership that can be used in a modular way and efficiently composed with other zero-knowledge proof systems for potentially arbitrary relations.Our main results are the following.
Building upon the view of recent works on composable proofs [AGM18, CFQ19], we define a formal framework for commit-and-prove zkSNARKs for set membership.The main application of this framework is a compiler that, given a CP-SNARK CP mem for set membership and any other CP-SNARK CP R for a relation R, yields a CP-SNARK CP for the composed relation "u ∈ S ∧ ∃ω : R(u, ω)".As a further technical contribution, our framework extends the one in [CFQ19] in order to work with commitments from multiple schemes (including set commitments, e.g.: accumulators).
We propose new efficient construction of commit-and-prove zkSNARKs for set membership, in which elements of the accumulated set can be committed with a Pedersen commitment in a prime order group G q -a setting that, as argued before, is of practical relevance due to the widespread use of these commitments and of proof systems that operate on them.More in detail, we propose two schemes that enjoy constant-size public parameters that are based on RSA accumulators for committing to sets, and a third scheme over pairings that has public parameters linear in the size of the set, but where the set can remain hidden.
RSA-based constructions.Our first scheme, a CP-SNARK for set membership based on RSA accumulators, supports a large domain for the set of accumulated elements, represented by binary strings of a given length η.Our second scheme, also based on RSA accumulators, supports elements that are prime numbers of exactly µ bits (for a given µ).Neither scheme requires an a-priori bound on the cardinality of the set.Both schemes improve the proof-of-knowledge protocol by Camenisch and Lysyanskaya [CL02]: (i) we can work with a prime order group G q of "standard" size, e.g., 256 bits, whereas [CL02] needs a much larger G q (see above).We note that the size of G q affects not only the efficiency of the set membership protocol but also the efficiency of any other protocol that needs to interact with commitments to alleged set members; (ii) we can support flexible choices for the size of set elements.For instance, in the second scheme, we could work with primes of about 50 or 80 bits, which in practice captures virtually unbounded sets and can make the accumulator operations 4-5× faster compared to using ≈ 256-bits primes as in [CL02].
High-Level Idea of the Construction.Our main technique involves a new way to link a proof of membership for RSA accumulators to a Pedersen commitment in a prime order group, together with a careful analysis showing this can be secure under parameters not requiring a larger prime order group.This construction essentially allows us to prove an arbitrary relation using a SNARK, while optimizing in a modular way the proof of set membership.See Section 3 for further details.
Preliminary Efficiency Estimation.The work reported in this submission is still in progress; in particular we are currently implementing our schemes with the goal of making them publicly available and also to have full fledged system that can be used for "apples-to-apples" comparisons.In what follows, we give an initial estimate of the efficiency gains of our protocol as compared to the Merkle tree based solution for proving set membership using zkSNARK.
From a local benchmark, we conclude that for accumulated primes of size 256-bits, a single RSA exponentiation takes about 3.5 milliseconds.Given that our proof of set membership involves three different proofs (RSA root, commitment equality and knowledge of opening), we estimate as a maximum bound that there are 15 RSA exponentiations involved in generating the three proofs.This entails a total of about 350 milliseconds to generate the (non-SNARK) proofs.Since our construction requires either a range-proof or a proof of hash computation, we can add about 0.7 seconds to compute the SNARK proof (note that using Bulletproofs for the range-proof would make the membership proof considerably faster), for a SHA256 hash.Thus we conclude that to prove membership for a single accumulated value, we would take about 1.05s using SHA256.Note that this estimate considers that the RSA witnesses for the accumulated values have been pre-generated.
In terms of the Merkle tree proof, we use the state-of-the-art computation based on Pedersen hashes, as optimized by the Zcash team in the Sapling protocol6 .The pedersen hash has been optimized to cost 1.68 constraints per hashed bit, where the input is a concatenation of two 256-bit group elements, getting to about 869 constraints in total.Adding some extra constraints needed for each Merkle Tree layer, the total number of constraints gets 1380.For a Merkle Tree of about 2 60 elements (i.e.depth 60), we would have about 82800 constraints.From a local benchmark done on the Bellman library (that uses the [Gro16] SNARK), we have that computing a proof of about 100, 000 constraints takes 3 seconds.This yields a final cost of 2.48 seconds to compute the whole merkle tree for set membership.On the other hand if we combine our protocol with the same SNARK for the BLAKE2 hash (in the same curve) we get a proving time of about 0.96s, since our protocol requires only one hash computation in the SNARK.
In light of this analysis, we conclude that the larger the set of elements to be accumulated, the greater the performance difference is between the two methods.This is because the merkle tree proof is directly dependent on the number of leaves.In the case of the RSA accumulator construction, the proof running time is independent of the accumulated set.It is clear that using a SNARK generates a more succinct proof.However our solution can save in proving time.Also, note that in contrast to the Zcash solution our estimations do not consider any optimizations and we expect to improve the gain.
Pairing-based construction.Our third scheme supports set elements in Z q , where q is the order of bilinear groups, while the sets are arbitrary subsets of Z q of cardinality less than a fixed a-priori bound n.This scheme has the disadvantage of having public parameters linear in n, but has other advantages in comparison to previous schemes with a similar limitation (and also in comparison to the RSA-based schemes above).First, the commitment to the set can be hiding and untrusted for the verifier, i.e., the set can be kept hidden and it is not needed to check the opening of the commitment to the set; this makes it composable with proof systems that could for example prove global properties on the set, i.e., that P (S) holds.Second, the scheme entirely works in bilinear groups, i.e., no need of operating over expensive RSA groups7 .The main technical contribution is a technique to turn the EDRAX vector commitment [CPZ18] into an accumulator admitting efficient zero-knowledge membership proofs.

Pairing-Based Construction
Table 1: Summary of constructions in this work.Above, N is the cardinality of the set.

Applications
We now discuss some of the applications for which our constructions are suitable.
The following two application scenarios concern sets that are publics (both to the verifier of the proof and to anyone with access to the accumulator): 1. Any application which does not require to keep the underlying data to be private.This is to say that the underlying data being accumulated, X, is indeed the set of arbitrary length binary strings, U ; X = U .For example, in the context of blockchain-based asset transfers, there may be a set of rules, X (where a rule = (pk, [a, b])), defining which entities (public keys) are allowed to issue which assets (defined by a range of asset types), forming an "issuance whitelist".When one of those issuers wants to issue a new asset, they need to prove that their public key belongs to the issuance whitelist, which entails set membership, as well as prove that the asset type they issued is within the allowed range of asset types (as defined in the original rule).In this case, the accumulated set of rules is public to all, and this public information may also include a mapping between rules and prime numbers.Our second RSA-based scheme for sets of primes (Section 4.3) suits this scenario in particular.2. Any application which does require to keep the underlying data private, such as in anonymous cryptocurrencies like Zerocash.In this scenario, the public set of elements to be accumulated, U , can derive from creating a commitment to the underlying data, X, e.g., u = COM M (x).Specifically, for the Zerocash protocol, the data that defines the amount and ownership of the unspent coin must be kept private to all the network, and hence must be hidden by using a commitment.
Another specific application of our RSA-based constructions is that of solving the security vulnerability of the implementation of the Zerocoin protocols [MGGR13] used in the Zcoin cryptocurrency [Yap19].The vulnerability in a nutshell: when proving equality of values committed under the RSA commitment and the prime-order group commitment, the equality may not hold over the integers, and hence one could easily produce collisions in the prime order group.Our work can provide different ways to solve this problem by providing a proof of equality over the integers, while at the same time improves the proof size at least 6×.We leave it as future work to figure out the most efficient solution.

Organization
We give basic definitions in Section 2. We formalize commit-and-prove zkSNARKs for set membership in Section 3 and describe our main construction based on RSA accumulators in Section 4. In section 5 out pairing-based construction.

Preliminaries
Notation.We denote the security parameter with λ ∈ N and its unary representation with 1 λ .Throughout the paper we assume that all the algorithms of the cryptographic schemes take as input 1 λ , which is thus omitted from the list of inputs.If D is a distribution, we denote by x ← D the process of sampling x according to D. An ensemble X = {X λ } λ∈N is a family of probability distributions over a family of domains D = {D λ } λ∈N , and we say that two ensembles D = {D λ } λ∈N and D = {D λ } λ∈N are statistically indistinguishable (denoted by is a (possibly non-uniform) family of circuits and D = {D λ } λ∈N is an ensemble, then we denote by A(D) the ensemble of the outputs of A λ (x) when x ← D λ .We say two ensembles D = {D λ } λ∈N and D = {D λ } λ∈N are computationally indistinguishable (denoted by D ≈ c D ) if for every non-uniform polynomial time distinguisher A we have A(D) ≈ s A(D ).
We denote Primes := {e ∈ N : e is prime} the set of all positive integers e > 1 such that they do not have non-trivial (i.e.different than e and 1) factors.More specifically, given two positive integers A, B > 0 such that A < B, we denote with Primes(A, B) the subset of Primes of numbers lying in the interval (A, B), i.e., Primes(A, B) := {e ∈ Z : e is prime ∧ A < e < B}.According to the well known prime number theorem |Primes(1,

RSA Groups
We say that N = pq is an RSA modulus for some primes p, q, such that |p| = |q|.We further say that N is a strong RSA modulus if there are primes p , q such that p = 2p + 1, q = 2q + 1.We call Z * N for an RSA modulus an RSA group.With φ : N → N we denote the Euler's totient function, φ(N ) := |Z * N |.In particular for RSA modulus φ(N ) = (p − 1)(q − 1).An RSA Group generator N ←$ GenSRSAmod(1 λ ) is a probabilistic algorithm that outputs a strong RSA modulus N of bit-length (λ) for an appropriate polynomial (•).
For any N we denote by QR N := {Y : ∃X ∈ Z * N such that Y = X 2 (mod N )}, the set of all the quadratic residues modulo N .QR N is a subgroup (and thus closed under multiplication) of Z * N with order |QR N | = |Z * N |/2.In particular for a strong RSA modulus |QR N | = 4p q 2 = 2p q .
Computational Assumptions in RSA Groups.The most fundamental assumption for RSA groups is the factoring assumption which states that given an RSA modulus N ← GenSRSAmod(1 λ ) it is hard to compute its factors p and q.We further recall the Discrete Logarithm, RSA and strong RSA [BP97] assumptions: Definition 2.1 (DLOG Assumption for RSA groups).We say that the Discrete Logarithm (DLOG) assumption holds for GenSRSAmod if for any PPT adversary A: Definition 2.2 (D N -RSA assumption).We say that the RSA assumption holds with respect to GenSRSAmod and a family of distributions {D N over Z * N } N ∈N if for any PPT adversary A: Definition 2.3 (Strong-RSA Assumption [BP97]).We say that the strong RSA assumption holds for GenSRSAmod if for any PPT adversary A: We recall the definition of zero-knowledge non-interactive arguments of knowledge (NIZKs, for short).
Definition 2.4 (NIZK).A NIZK for {R λ } λ∈N is a tuple of three algorithms Π = (KeyGen, Prove, VerProof) that work as follows and satisfy the notions of completeness, knowledge soundness and (composable) zero-knowledge defined below.
-KeyGen(R) → (ek, vk) takes the security parameter λ and a relation R ∈ R λ , and outputs a common reference string consisting of an evaluation and a verification key.-Prove(ek, x, w) → π takes an evaluation key for a relation R, a statement x, and a witness w such that R(x, w) holds, and returns a proof π. -VerProof(vk, x, π) → b takes a verification key, a statement x, and either accepts (b = 1) or rejects (b = 0) the proof π.

Type-Based Commitments
We recall the notion of Type-Based Commitment schemes introduced by Escala and Groth [EG14].
In brief, a Type-Based Commitment scheme is a normal commitment scheme with the difference that it allows one to commit to values from different domains.More specifically, the Commit algorithm (therefore the VerCommit algorithm also) depends on the domain of the input, while the commitment key remains the same.For example, as in the original motivation of [EG14], the committer can use the same scheme and key to commit to elements that may belong to two different groups G 1 , G 2 or a field Z p .In our work we use type-based commitments.The main benefit of this formalization is that it can unify many commitment algorithms into one scheme.In our case this is useful to formalize the notion of commit-and-prove NIZKs that work with commitments from different groups and schemes.More formally, a Type-Based Commitment is a tuple of algorithms Com = (Setup, Commit, VerCommit) that works as a Commitment scheme defined above with the difference that Commit and VerCommit algorithms take an extra input t that represent the type of u.All the possible types are included in the type space T9 .Definition 2.6.A type-based commitment scheme for a set of types T is a tuple of algorithms Com = (Setup, Commit, VerCommit) that work as follows: -Setup(1 λ ) → ck takes the security parameter and outputs a commitment key ck.This key includes ∀t ∈ T descriptions of the input space D t , commitment space C t and opening space O t .-Commit(ck, t, u) → (c, o) takes the commitment key ck, the type t of the input and a value u ∈ D t , and outputs a commitment c and an opening o. -VerCommit(ck, t, c, u, o) → b takes as a type t, a commitment c, a value u and an opening o, and accepts (b = 1) or rejects (b = 0).
Furthermore, the security properties depend on the type, in the sense that binding and hiding should hold with respect to a certain type.Definition 2.7.Let T be a set of types, and Com be a type-based commitment scheme for T .Correctness, t-Type Binding and t-Type Hiding are defined as follows: Correctness.For all λ ∈ N and any input (t, u) ∈ (T , D t ) we have: t-Type Binding.Given t ∈ T , for every polynomial-time adversary A: In case Com is t-Type Bidning for all t ∈ T we will say that it is Binding.Remark 2.2.We observe that a standard non type-based commitment scheme with input space D induces directly a type-based commitment scheme with the same input space and T[D] as a type.

Commit-And-Prove NIZKs
We give the definition of commit-and-prove NIZKs (CP-NIZKs).We start from the definition given in [CFQ19, BCF19] and we extend it to type-based commitments.The main benefit of such extension is that we can formalize CP-NIZKs working with commitments over different domains.In a nutshell, a CP-NIZK is a NIZK that can prove knowledge of (x, w) such that R(x, w) holds with respect to a witness w = (u, ω) such that u opens a commitment c u .As done in [CFQ19], we explicitly considers the input domain D u at a more fine grained-level splitting it over subdomains.We call them commitment slots as each of the D i -s intuitively corresponds to a committed element 10 .The description of the splitting is assumed part of R's description.
In the remainder of this work we use the following shortcut definition.If C is a type-based commitment scheme over set of types T , we say that a relation R over Definition 2.9 (CP-NIZKs [CFQ19]).Let {R λ } λ∈N be a family of relations R over D x × D u × D ω such that D u splits over arbitrary domains (D 1 × • • • × D ) for some arity parameter ≥ 1.Let C = (Setup, Commit, VerCommit) be a commitment scheme (as per Definition 2.6) over set of types T such that {R λ } λ∈N is T -compatible.A commit and prove NIZK for C and {R λ } λ∈N is a NIZK for a family of relations {R C λ } λ∈N such that: We denote knowledge soundness of a CP-NIZK for commitment scheme C and relation and auxiliary input generators RG and Z as CP-KSND(C, RG, Z).
We denote a CP-NIZK as a tuple of algorithms CP = (KeyGen, Prove, VerProof).For ease of exposition, in our constructions we adopt the following explicit syntax for CP's algorithms.

Commit-and-Prove NIZKs with Partial Opening
We now define a variant of commit-and-prove NIZKs with a weaker notion of knowledge-soundness.In particular we consider the case where part of the committed input is not assumed to be extractable (or hidden) 11 , i.e., such input is assumed to be opened by the adversary.This models scenarios where we do not require this element to be input of the verification algorithm (the verifier can directly use a digest to it).
The motivation to define and use this notion is twofold.First, in some constructions commitments on sets are compressing but not knowledge-extractable.Second, in many applications this definition is sufficient since the set is public (e.g., the set contain the valid coins).
The definition below is limited to a setting where the adversary opens only one input in this fashion 12 .We will assume, as a convention, that in a scheme with partial opening this special input is always the first committed input of the relation, i.e. the one denoted by u 1 and corresponding to D 1 .We note that the commitment to u 1 does not require hiding for zero-knowledge to hold.Definition 2.10 (CP-NIZK with Partial Opening).A commit and prove NIZK with partial opening for C and {R λ } λ∈N is a NIZK for a family of relations {R C λ } λ∈N (defined as in Definition 2.9)such that the property of knowledge soundness is replaced by knowledge soundness with partial opening below.
Knowledge Soundness with Partial Opening.Let RG be a relation generator such that RG λ ⊆ R λ .Π has knowledge soundness with partial opening for C, RG and auxiliary input distribution Z, denoted CP-poKSND(C, RG, Z) for brevity, if for every (non-uniform) efficient adversary A there exists a (non-uniform) efficient extractor E such that Pr[Game CP-poKSND C,RG,Z,A,E = 1] = negl.We say that Π is knowledge sound for C if there exists benign RG and Z such that Π is CP-poKSND(C, RG, Z) 13 .
Remark 2.3 (On Weaker ZK in the Context of Partial Opening).The notion of zero-knowledge for CP-NIZKs with partial opening that is implied by our definition above implies that the simulator does not have access to the opening of the first input (as it is the case in zero-knowledge for CP-NIZKs in general).Since this first commitment is opened, in principle one could also consider and define a weaker notion of zero-knowledge where the simulator has access to the first opened input.We leave it as an open problem to investigate if it can be of any interest.
Remark 2.4 (Full Extractability).If a CP-NIZK has an empty input u 1 opened by the adversary in the game above, then we say that it is fully extractable.This roughly corresponds to the notion of knowledge soundness in Definition 2.4.
Composition Properties of Commit-and-Prove Schemes In [CFQ19] Campanelli et al. show a compiler for composing commit-and-prove schemes that work for the same commitment scheme in order to obtain CP systems for conjunction of relations.In this section we generalize their results to the case of typed relations and type-based commitments.This generalization in particular can model the composition of CP-NIZKs that work with different commitments, as is the case in our constructions for set membership in which one has a commitment to a set and a commitment to an element.We begin by introducing the following compact notation for an augmented relation generator.
Definition 2.11 (Augmented Relation Generator).Let RG be a relation generator and F(1 λ ) an algorithm taking in input a security parameter.Then we denote by RG[F] the relation generator returning (R, (aux R , out F )) where out F ← F(1 λ ) and (R, aux R ) ← RG(1 λ ).
The next lemma states that we can (with certain restrictions) trivially extend a CP-NIZK for commitment scheme C to an extended commitment scheme C • C .
We now define relation generators and auxiliary input generators for our composition constructions. (aux Parse auxR as (R 3−b , (aux

Fig. 1: Relation and Auxiliary Input Generators for AND Composition Construction
The following lemma shows how we can compose CP-NIZKs even when one of them is fully extractable but the other us not.We are interested in the conjunction R ∧ asym of relations of type Lemma 2.3 (Composing Conjunctions (with asymmetric extractability).Let C be a computationally binding commitment scheme.

CP-SNARKs for Set Membership
In this section we discuss a specialization of CP-SNARKs for the specific NP relation that models membership of an element in a set, formally defined below.
Set Membership Relations.Let D elm be some domain for set elements, and let D set ⊆ 2 D elm be a set of possible sets over D u .We define the set membership relation R mem : This is the fundamental relation that we deal with in the rest of this work.CP-SNARKs for set membership.Intuitively, a commit-and-prove SNARK for set membership allows one to commit to a set U and to an element u, and then to prove in zero-knowledge that R mem (U, u) = 1.More formally, let R mem : D elm × D set be a set membership relation as defined above where T[D elm ] = t elm and T[D set ] = t set , and let Com mem be a type-based commitment scheme for T such that t set , t elm ∈ T .Basically, Com mem allows one to either commit an element of D elm or to a set of values of D elm .Then a CP-SNARK for set membership is a CP-SNARK for the family of relations {R mem λ } and a type-based commitment scheme Com mem .It is deduced from definition 2.9 that this is a zkSNARK for the relation: and R holds iff: Notice that for the relation R mem it is relevant for the proof system to be succinct so that proofs can be at most polylogarithmic (or constant) in the the size of the set (that is part of the witness).This is why for set membership we are mostly interested in designing CP-SNARKs.
Proving Arbitrary Relations Involving Set Membership.As discussed in the introduction, a primary motivation of proving set membership in zero-knowledge is to prove additional properties about an alleged set member.In order to make our CP-SNARK for set membership a reusable gadget, we discuss a generic and simple method for composing CP-SNARKs for set membership (with partial opening) with other CP-SNARKs (with full extractability) for arbitrary relations.More formally, let R mem be the set membership relation over pairs (U, u) ∈ X × D u as R be an arbitrary relation over pairs (u, ω), then we define as R * the relation: The next corollary (direct consequence of Lemmas 2.2, 2.3) states we can straightforwardly compose a CP-SNARK for set membership with a CP-SNARK for an arbitrary relation on elements of the set.
Corollary 3.1 (Extending Relations with Set membership).Let C mem , C u be two computationally binding commitment schemes defined over disjoint type sets T mem and T u .Let CP mem , CP u be two CP-SNARKs and R mem , RG u (resp.Z mem , Z u ) be two relation (resp.auxiliary input) generators.
where RG * , Z * are as defined in Figure 1.CP-SNARKs for set membership from Accumulators with Proofs of Knowledge.As discussed in the introduction, the notion of CP-SNARKs for set membership can be seen as another way to interpret accumulators that have a protocol for proving in zero-knowledge that a committed value is in the accumulator (i.e., it is in the set succinctly represented by the accumulator).To strengthen this intuition in Appendix B we formally show that a CP-SNARK for set membership can be constructed from an accumulator scheme that has a zero-knowledge proof for committed values.This allows us to capture existing schemes such as [CL02] and [Ngu05].
In the next two sections we show new constructions of CP-SNARK for set membership that improve over previous work.

A CP-SNARK for Set Membership with Short Parameters
In this section we describe CP-SNARKs for set membership in which the elements of the sets can be committed using a Pedersen commitment scheme defined in a prime order group, and the sets are committed using an RSA accumulator.The advantage of having elements committed with Pedersen in a prime order group is that our CP-SNARKs can be composed with any other CP-SNARK for Pedersen commitments and relations R that take set elements as inputs.The advantage of committing to sets using RSA accumulators is instead that the public parameters (i.e., the CRS) of the CP-SNARKs presented in this section are short, virtually independent of the size of the sets.Since RSA accumulators are not extractable commitments, the CP-SNARKs presented here are secure in a model where the commitment to the set is assumed to be checked at least once, namely they are knowledge-soundness with partial opening of the set commitment.
A bit more in detail, we propose two CP-SNARKs.Our first scheme, called MemCP RSA , works for set elements that are arbitrary strings of length η, i.e., D elm = {0, 1} η , and for sets that are any subset of D elm , i.e., D set = 2 D elm .Our second scheme, MemCP RSAPrm , instead works for set elements that are prime numbers of exactly µ bits, and for sets that are any subset of such prime numbers.This second scheme is a simplified variant of the first one that requires more structure on the set elements (they must be prime numbers) but in exchange of that offers better efficiency.So it is preferable in those applications that can work with prime representatives.
An High-Level Overview of Our Constructions.We provide the main idea behind our scheme, and to this end we use the simpler scheme MemCP RSAPrm in which set elements are prime numbers in 2 µ−1 , 2 µ .The commitment to the set P = {e 1 , . . ., e n } is an RSA accumulator [Bd94,BP97] that is defined as Acc = G e i ∈P e i for a random quadratic residue G ∈ QR N .The commitment to a set element e is instead a Pedersen commitment c e = g e h rq in a group G q of prime order q, where q is of ν bits and µ < ν.For public commitments Acc and c e , our scheme allows to prove in zero-knowledge the knowledge of e committed in c e such that e ∈ P and Acc = G e i ∈P e i .A public coin protocol for this problem was proposed by Camenisch and Lysyanskaya [CL02].Their protocol however requires various restrictions.For instance, the accumulator must work with at least 2λ-bit long primes, which slows down accumulation time, and the prime order group must be more than 4λ-bits (e.g., of 512 bits), which is undesirable for efficiency reasons, especially if this prime order group is used to instantiate more proof systems to create other proofs about the committed element.In our scheme the goal is instead to keep the prime order group of "normal" size (say, 2λ bits), so that it can be for example a prime order group in which we can efficiently instantiate another CP-SNARK that could be composed with our MemCP RSAPrm .And we can also allow flexible choices of the primes size that can be tuned to the application so that applications that work with moderately large sets can benefit in efficiency.In order to achieve these goals, our idea to create a membership proof is to compute the following: -An accumulator membership witness W = G e i ∈P \{e} e i , and an integer commitment to e in the RSA group, C e = G e H r .-A ZK proof of knowledge CP Root of a committed root for Acc, i.e. a proof of knowledge of e and W such that W e = Acc and C e = G e H r .Intuitively, this gives that C e commits to an integer that is accumulated in Acc (at this point, however, the integer may be a trivial root, i.e., 1).-A ZK proof CP modEq that C e and c e commit to the same value modulo q.
-A ZK proof CP Range that c e commits to an integer in the range 2 µ−1 , 2 µ .
From the combination of the above proofs we would like to conclude that the integer committed in c e is in P .Without further restrictions, however, this may not be the case; in particular, since for the value committed in C e we do not have a strict bound it may be that the integer committed in c e is another e q such e = e q (mod q) but e = e q over the integers.In fact, the proof CP Root does not guarantee us that C e commits to a single prime number e, but only that e divides e i ∈P e i , namely e might be a product of a few primes in P or the corresponding negative value, while its residue modulo q may be some value that is not in the set-what we call a "collision".We solve this problem by taking in consideration that e q is guaranteed by π Range to be in 2 µ−1 , 2 µ and by enhancing π Root to also prove a bound on e: roughly speaking |e| < 2 2λs+µ for a statistical security parameter λ s .Using this information we develop a careful analysis that bounds the probability that such collisions can happen for a malicious e (see Section 4.2 for more intuition).
In the following section we formally describe the type-based commitment scheme supported by our CP-SNARK, and a collection of building blocks.Then we present the MemCP RSA and MemCP RSAPrm CP-SNARKs in Sections 4.2 and 4.3 respectively, and finally we give instantiations for some of our building blocks in Section 4.4.

Preliminaries and Building Blocks
Notation.Given a set U = {u 1 , . . ., u n } ⊂ Z of cardinality n we denote compactly with prod U := n i=1 u i the product of all its elements.We use capital letters for elements in an RSA group Z * N , e.g., G, H ∈ Z * N .Conversely, we use small letters for elements in a prime order group G q , e.g., g, h ∈ G q .Following this notation, we denote a commitment in a prime order group as c ∈ G q , while a commitment in an RSA group as C ∈ Z * N .Commitment Schemes.Our first CP-SNARK, called MemCP RSA , is for a family of relations R mem : D elm × D set such that D elm = {0, 1} η , D set = 2 D elm , and for a type-based commitment scheme that is the canonical composition SetCom RSA • PedCom of the two commitment schemes given in Fig. 4. PedCom is essentially a classical Pedersen commitment scheme in a group G q of prime order q such that q ∈ (2 ν−1 , 2 ν ) and η < ν.PedCom is used to commit to set elements and its type is t q .SetCom RSA is a (non-hiding) commitment scheme for sets of η-bit strings, that is built as an RSA accumulator [Bd94,BP97] to a set of µ-bit primes, each derived from an η-bit string by a deterministic function H prime : {0, 1} η → Primes 2 µ−1 , 2 µ .SetCom RSA is computationally binding under the factoring assumption14 and the collision resistance of H prime .Its type for sets is t U .
VerCommit(ck, tq, c, u, r) : Output 1 if c = g u h r ; output 0 otherwise.Hashing to primes.The problem of mapping arbitrary values to primes in a collision-resistant manner has been studied in the past, see e.g., [GHR99, CMS99, CS99], and in [FT14] a method to generate random primes is presented.Although the main idea of our scheme would work with any instantiation of H prime , for the goal of significantly improving efficiency, our construction considers a specific class of H prime functions that work as follows.Let H : {0, 1} η × {0, 1} ι → {0, 1} µ−1 be a collision-resistant function, and define H prime (u) as the function that starting with j = 0, looks for the first j ∈ [0, 2 ι − 1] such that the integer represented by the binary string 1|H(u, j) is prime.
In case it reaches j = 2 ι − 1 it failed to find a prime and outputs ⊥15 .We consider two main candidates of such function H (and thus H prime ): -Pseudorandom function.Namely H(u, j) := F κ (u, j) where F κ : {0, 1} η+ι is a PRF with public seed κ and ι = log µλ .Due to the density of primes, the corresponding H prime runs in the expected running time O(µ) and ⊥ is returned with probability ≤ exp(−λ) = negl(λ). 16Under the random oracle heuristic, F can be instantiated with a hash function like SHA256.-Deterministic map.H(u, j) := f (u) + j with u > 2 η−1 and j ∈ (f (u), f (u + 1)), where f (u) := 2(u + 2) log 2 (u + 1) 2 .The corresponding function H prime (u) is essentially the function that maps to the next prime after f (u).This function is collision-free (indeed it requires to take µ > η) and generates primes that can be smaller (in expectation) than the function above.Cramer's conjecture implies that the interval (f (u), f (u+ 1)) contains a prime when u is sufficiently large.
CP-NIZK for H computation and PedCom.We use a CP-NIZK CP HashEq for the relation and for the commitment scheme PedCom.Essentially, with this scheme one can prove that two commitments c e and c u in G q are such that c e = g e h rq , c u = g u h ru and there exists j such that e = (1|H(u, j)).As it shall become clear in our security proof, we do not have to prove all the iterations of H until finding j such that (1|H(u, j)) = H prime (u) is prime, which saves significantly on the complexity of this CP-NIZK.
Integer Commitments.We use a scheme for committing to arbitrarily large integer values in RSA groups introduced by Fujisaki and Okamoto [FO97] and later improved in [DF02].We briefly recall the commitment scheme.Let Z * N be an RSA group.The commitment key consists of two randomly chosen generators G, H ∈ Z * N ; to commit to any x ∈ Z one chooses randomly an r ←$ [1, N/2] and computes C ← G x H r ; the verifier checks whether or not C = ±G x H r .This commitment scheme is statistically hiding and computationally binding under the assumption that factoring is hard in Z * N .Furthermore, a proof of knowledge of an opening was presented in [DF02], its knowledge soundness was based on the strong RSA assumption, and later found to be reducible to the plain RSA assumption in [CPP17].We denote this commitment scheme as IntCom.
Strong-RSA Accumulators.As observed earlier, our commitment scheme for sets is an RSA accumulator Acc computed on the set of primes P derived from U through the map to primes, i.e., P := {H prime (s)|s ∈ U }.In our construction we use the accumulator's feature for computing succinct membership witnesses, which we recall works as follows.Given Acc = G e i ∈P e i := G prod P , the membership witness for e k is W k = G e i ∈P \{e k } e i , which can be verified by checking if W e k k = Acc.Argument of Knowledge of a Root.We make use of a zero-knowledge non-interactive argument of knowledge of a root of a public RSA group element Acc ∈ QR N .This NIZK argument is called CP Root .More precisely, it takes in an integer commitment to a e ∈ Z and then proves knowledge of an e-th root of Acc, i.e., of W = Acc 1 e .More formally, CP Root is a NIZK for the relation where λ z and λ s are the statistical zero-knowledge and soundness security parameters respectively of the protocol CP Root .CP Root is obtained by applying the Fiat-Shamir transform to a publiccoin protocol that we propose based on ideas from the protocol of Camenisch and Lysysanskaya for proving knowledge of an accumulated value [CL02].In [CL02], the protocol ensures that the committed integer e is in a specific range, different from 1 and positive.In our CP Root protocol we instead removed these constraints and isolated the portion of the protocol that only proves knowledge of a root.We present the CP Root protocol in Section 4.4; its interactive public coin version is knowledge sound under the RSA assumption and statistical zero-knowledfe.Finally, we notice that the relation R Root is defined for statements where Acc ∈ QR N , which may not be efficiently checkable given only N if Acc is adversarially chosen.Nevertheless CP Root can be used in larger cryptographic constructions that guarantee Acc ∈ QR N through some extra information, as is the case in our scheme.

Proof of Equality of Commitments in Z *
N and G q .Our last building block, called CP modEq , proves in zero-knowledge that two commitments, a Pedersen commitment in a prime order group and an integer commitment in an RSA group, open to the same value modulo the prime order q = ord(G).This is a conjunction of a classic Pedersen Σ-protocol and a proof of knowledge of opening of an integer commitment [DF02], i.e. for the relation R modEq ((C e , c e ), (e, e q , r, r q )) = 1 iff e = e q mod q ∧ C e = ±G e H r mod N ∧ c e = g eq mod q h rq mod q We present CP modEq in Section 4.4.

Our CP-SNARK MemCP RSA
We are now ready to present our CP-SNARK MemCP RSA for set membership.The scheme is fully described in Figure 5 and makes use of the building blocks presented in the previous section.The KeyGen algorithm takes as input the commitment key of Com 1 and a description of R mem and does the following: it samples a random generator H ←$ QR N so that (G, H) define a key for the integer commitment, and generate a CRS crs HashEq of the CP HashEq CP-NIZK.
For generating a proof, the ideas are similar to the ones informally described at the beginning of Section 4 for the case when set elements are prime numbers.In order to support sets U of arbitrary strings the main differences are the following: (i) we use H prime in order to derive a set of primes P from U , (ii) given a commitment c u to an element u ∈ {0, 1} η , we commit to e = H prime (u) in c e ; (iii) we use the previously mentioned ideas to prove that c e commits to an element in P (that is correctly accumulated), except that we replace the range proof π Range with a proof π HashEq that c u and c e commits to u and e respectively, such that ∃j : e = (1|H(u, j)).
Remark 4.1 (On the support of larger η.).In order to commit to a set element u ∈ {0, 1} η with the PedCom scheme we require η < ν.This condition is actually used for ease of presentation.It is straightforward to extend our construction to the case η ≥ ν, in which case every u should be split in blocks of less than ν bits that can be committed using the vector Pedersen commitment.
The correctness of MemCP RSA can be checked by inspection: essentially, it follows from the correctness of all the building blocks and the condition that η, µ < ν.For succinctness, we observe that the commitments C U , c u and all the three proofs have size that does not depend on the cardinality of the set U , which is the only portion of the witness whose size is not a-priori fixed.

Proof of Security.
Recall that the goal is to prove in ZK that c u is a commitment to an element u ∈ {0, 1} η that is in a set U committed in C U .Intuitively, we obtain the security of our scheme from the conjunction of proofs for relations R Root , R modEq and R HashEq : (i) π HashEq gives us that c e commits to e q = (1|H(u, j)) for some j and for u committed in c u .(ii) π modEq gives that C e commits to an integer e such that e mod q = e q is committed in c e .(iii) π Root gives us that the integer e committed in C e divides prod P , where C U = G prod P with P = {H prime (u i ) : By combining these three facts we would like to conclude that e q ∈ P that, together with π HashEq , should also guarantee u ∈ U .A first problem to analyze, however, is that for e we do not have guarantees of a strict bound in 2 µ−1 , 2 µ ; so it may in principle occur that e = e q (mod q) but e = e q over the integers.Indeed, the relation R Root does not guarantee us that e is a single prime number, but only that e divides the product of primes accumulated in C U .Assuming the hardness of Strong RSA we may still have that e is the product of a few primes in P or even is a negative integer.We expose a simple attack that could arise from this: an adversary can find a product of primes from the set P , let it call e, such that e = e q (mod q) but e = e q over the integers.Since e is a legitimate product of members of P , the adversary can efficiently compute the e-th root of C U and provide a valid π Root proof.This is what we informally call a "collision".Another simple attack would be that an adversary takes a single prime e and then commits to its opposite e q ← −e mod q in the prime order group.Again, since e ∈ P the adversary can efficiently compute the e-th root of C U , W e = C U , and then the corresponding −e-th root of C U , W −1 −e = C U .This is a second type of attack to achieve what we called "collision".With a careful analysis we show that with appropriate parameters the probability that such collisions occur can be either 0 or negligible.
One key observation is that R Root does guarantee a lower and an upper bound, −2 λz+λs+µ+2 and 2 λz+λs+µ+2 respectively, for e committed in C e .From these bounds (and that e | prod P ) we get that an adversarial e can be the product of at most d = 1 + λz+λs+2 µ primes in P (or their corresponding negative product).Then, if 2 dµ ≤ 2 ν−2 < q, or dµ + 2 ≤ ν, we get that e < 2 dµ < q.
If on the other hand we are in a parameters setting where dµ > ν − 2, we give a concrete bound on the probability that such collisions occur.More precisely, for this case we need to assume that the integers returned by H are random, i.e., H is a random oracle, and we also use the implicit fact that R HashEq guarantees that e q ∈ 2 µ−1 , 2 µ .Then we give a concrete bound on the probability that the product of d out of poly(λ) random integers lies in a specific range 2 µ−1 , 2 µ , which turns out to be negligible when d is constant and 2 µ−ν is negligible.
Since the requirements of security are slightly different according to the setting of parameters mentioned above, we state two separate theorems, one for each case.
Theorem 4.1.Let PedCom, SetCom RSA and IntCom be computationally binding commitments, CP Root , CP modEq and CP HashEq be knowledge-sound NIZK arguments, and assume that the Strong RSA assumption hold, and that H is collision resistant.If dµ+2 ≤ ν, then MemCP RSA is knowledgesound with partial opening of the set commitments C U .Theorem 4.2.Let PedCom, SetCom RSA and IntCom be computationally binding commitments, CP Root , CP modEq and CP HashEq be knowledge-sound NIZK arguments, and assume that the Strong RSA assumption hold, and that H is collision resistant.If dµ + 2 > ν, d = O(1) is a small constant, 2 µ−ν ∈ negl(λ) and H is modeled as a random oracle, then MemCP RSA is knowledge-sound with partial opening of the set commitments C U .Remark 4.2.It is worth noting that Theorem 4.2 where we assume H to be a random oracle requires a random oracle assumption stronger than usual; this has to do with the fact that while we assume H to be a random oracle we also assume that CP modEq can create proof about correct computations of H. Similar assumptions have been considered in previous works, see, e.g, [Val08,Remark 2].
Finally, we state the theorem about the zero-knowledge of MemCP RSA .
Proof [sketch] The proof is rather straightforward, so we only provide a sketch.We define the simulator S that takes as input (crs, C U , c u ) and does the following: -Parses crs := (N, G, H, H prime , G q , g, h, crs HashEq ), from which it computes the corresponding crs Root := (N, G, H) and crs modEq := (N, G, H, G q , g, h Notation.We introduce some notation that eases our proofs exposition.Let U = {u 1 , . . ., u n } ⊂ Z be a set of cardinality n.We denote as prod a product of (an arbitrary number of) elements of U , prod = i∈I u i , for some ).For convenience, in the special case of prod ∈ Π U,|U | , i.e. the (unique) product of all elements of U , we will simply write prod U .Finally, for a J ⊆ [n] we let Π U,J = ∪ j∈J Π U,j ; for example Π U,[1,...,d] = ∪ d j=1 Π U,j is the set of all possible products of up to d elements of U .For all of the above we also denote with "−" the corresponding set of the opposite element, e.g.−Π U = {−prod 1 , . . ., −prod 2 n −1 } Proof [of Theorem 4.1] Let a malicious prover P * , a PPT adversary of Knowledge Soundness with Partial Opening (see the definition in section 2.5) that on input (ck, R mem , crs, aux R , aux Z ) outputs (C U , c u , U, π) such that the verifier V accepts, i.e.VerProof(crs, C U , c u ), π) = 1 and VerCommit(ck, t U , C U , U, ∅) = 1 with non-negligible probability .We will construct a PPT extractor E that on the same input outputs a partial witness (u, r q ) such that R mem (U, u) = 1∧VerCommit(ck, t q , c u , u, r q ) = 1.
For this we rely on the Knowledge Soundness of CP Root , CP modEq and CP HashEq protocols.E parses π := (C e , c e , π Root , π modEq , π HashEq ) and crs := (N, G, H, H prime , G q , g, h, crs HashEq ), from which it computes the corresponding crs Root := (N, G, H) and crs modEq := (N, G, H, G q , g, h).Then constructs an adversary A Root for CP Root Knowledge Soundness that outputs (C e , C U , µ, π Root ).It is obvious that since V accepts π then it also accepts π Root , i.e., CP Root .VerProof(crs Root , (C e , C U , µ), π Root ) = 1.From Knowledge Soundness of CP Root we know that there is an extractor E Root that outputs (e, r, W ) such that C e = ±G e H r (mod N ) ∧ W e = C U (mod N ) ∧ |e| < 2 λz+λs+µ+2 .Similarly, E constructs adversaries A modEq and A HashEq of protocols CP modEq and CP HashEq respectively.And similarly there are extractors E modEq and E HashEq that output (e , e q , r , r q ) such that e = e q (mod q) ∧ C e = ±G e H r (mod N ) ∧ c eq = g eq mod q h rq mod q and (e q , u, r q , r u , j) such that c e = g e q h r q ∧ e q = (1|H(u, j)) respectively.
From the Binding property of the integer commitment scheme we get that e = e and r = r (over the integers), unless with a negligible probability.Similarly, from the Binding property of the Pedersen commitment scheme we get that e q = e q (mod q) and r q = r q (mod q), unless with a negligible probability.So if we put everything together the extracted values are (e, r, W, e q , r q , u, r u , j) such that: and additionally C e = ±G e H r ∧ c e = g eq mod q h rq mod q ∧ VerCommit(ck, t q , c u , u, r u ) = 1 From VerCommit(ck, t U , C U , U, ∅) = 1 we infer that C U = G prod P , where P := {H prime (u) | u ∈ U }. From the strong RSA assumption since W e = C U = G prod P (mod N ) we get e ∈ Π P or e ∈ −Π P , unless with a negligible probability (see appendix A.1).
Recall that e < 2 dµ .From the assumption dµ + 2 ≤ ν which means that e < 2 dµ < 2 ν−2 < q ⇒ e < q.Since e = e q (mod q) and e < q this means that e = e q over the integers.Again we are using the fact that e q = (1|H(u, j)) to conclude that 2 µ−1 < e q < 2 µ , which comes from the definition of H, and combined with e = e q we get that 2 µ−1 < e < 2 µ .The last fact means that e ∈ Π P,{1} (i.e. e is exactly one prime from P ) otherwise it would exceed 2 µ , so e ∈ P .
Collision Finding Analysis For the second theorem we cannot count on the formula dµ + 2 ≤ ν that ensures that the extracted integer e lies inside [0, q − 1].As explained above, we can only rely on the randomness of each prime to avoid the described "collisions".First, we formally define what a "collision" is through a probabilistic experiment, CollisionFinding, and then we compute a concrete bound for the probability that this event happens, i.e. the experiment outputs 1.Finally, we state a theorem that shows this probability is asymptotically negligible under the assumption that 2 µ−ν is a negligible value (and d is a constant).
From the distribution of primes we know that the number of primes in 2 µ−1 , 2 µ is ap- This leads us to the combinatorial experiment of choice of B = 2 jµ−j (µ−1) j "balls", with T = 2 (j+1)µ−j−ν (2 j − 1) "targets" and X = n j "tries" without replacement, where "balls" are all possible products, "targets" are the ones that go to 2 µ−1 , 2 µ modulo q (the winning ones) and tries are the number of products (for a constant j) that the adversary can try.The "without replacement" comes from the fact that all products are different.The final winning probability is: By applying the union bound for all j's we get: By using the same arguments for negative products we would conclude that Proof Now n = poly(λ) so the set P is polynomially bounded.Due to lemma 4.1 it is straight- . Since d is constant, for any j ∈ [2, d] n j = O(n j ) and we get: Remark 4.3.For the sake of generality, in CollisionFinding we do not specify how the random primes are generated.In practice in our scheme they are outputs of the hash function H prime that we model as a random oracle.Now we are ready to give the proof of theorem 4.2: Proof [of theorem 4.2] The proof is almost the same as the one of Theorem 4.1 except for the next-to-last paragraph, i.e. the justification of e ∈ Π P,{1} .Since dµ + 2 > ν we cannot use the same arguments to conclude to it.However, still e ∈ Π P,[1,...,d] ∪ −Π P,[1,...,d] .
Let e ∈ Π P,[1,...,d] ∪ −Π P,[1,...,d] , it is straightforward to reduce this case to the the collision finding problem.Assume that the adversary P * made q H random oracle queries to H and let Q H be the set of answers she received.Further assume that exactly q H prime of the them are primes and let Q H prime be the set of them.We note that P ⊆ Q H prime , unless a collision happened in H. Now let Q H prime be the set of the CollisionFinding(µ, d, G q , |Q H prime |) experiment.It satisfies all three conditions since each e i ∈ Q H prime is an output of H prime .Therefore e i is prime, 2 µ−1 < e i < 2 µ and since H is modeled as a random oracle the outputs of H prime are uniformly distributed in Primes 2 µ−1 , 2 µ .Then for the extracted e, we know that e = e q (mod q) ∈ 2 µ−1 , 2 µ and from the assumption e ∈ Π P,[1,...,d] ∪ −Π P,[1,...,d] , which (as noted above) means that e ∈ 1) and 2 µ−ν ∈ negl(λ) (from the assumptions of the theorem) so the previous happens with a negligible probability according to theorem 4.4.So we conclude that, unless with a negligible probability, e ∈ Π P,{1} .

Our CP-SNARK for Set Membership for Primes Sets
In this section we show a CP-SNARK for set membership MemCP RSAPrm that supports set elements that are prime numbers of exactly µ bits, i.e., D elm = Primes(2 µ−1 , 2 µ ), and D set = 2 D elm .MemCP RSAPrm works for a type-based commitment scheme Com 2 that is the canonical composition SetCom RSA • PedCom where SetCom RSA is in Fig. 6 (it is essentially a simplification of SetCom RSA since elements are already primes).
The scheme MemCP RSAPrm is described in figure 7. Its building blocks are the same as the ones for MemCP RSA except that instead of a CP-NIZK for proving correctness of a map-to-prime computation, we use a CP-NIZK for range proofs.Namely, we let CP Range be a NIZK for the following relation on PedCom commitments c and two given integers A < B: R Range ((c e , A, B), (e, r q )) = 1 iff c = g e h rq ∧ A < e q < B The idea behind the security of the scheme is similar to the one of the MemCP RSA scheme.The main difference is that here we rely on the range proof π Range in order to "connect" the Pedersen commitment c e to the accumulator.In particular, in order to argue the absence of possible collisions here we assume that dµ + 2 ≤ ν holds, namely we argue security only for this setting of parameters.It is worth noting that in applications where D elm is randomly chosen subset of Primes 2 µ−1 , 2 µ , KeyGen(ck, R ∈ ) : parse ck := ((N, G), (Gq, g, h)) as the commitment keys of SetCom RSA and PedCom respectively.Sample α ←$ [N/2] and compute H ← G α mod N ∈ QR N .Generate crs Range ←$ CP Range .KeyGen((Gq, g, h), R Range ), a crs for CP Range .
VerProof(crs, (CP , ce), π) : Return 1 iff Fig. 7: MemCP RSAPrm CP-SNARK for set membership we could argue security even when dµ + 2 > ν, in a way similar to Theorem 4.2.We omit the analysis of this case from the paper.
Theorem 4.5.Let PedCom, SetCom RSA and IntCom be computationally binding commitments, CP Root , CP modEq and CP Range be knowledge-sound NIZK arguments, and assume that the Strong RSA assumption hold.If dµ+2 ≤ ν, then MemCP RSAPrm is knowledge-sound with partial opening of the set commitments c P .Furthermore, if PedCom, SetCom RSA and IntCom are statistically hiding commitments, and CP Root , CP modEq and CP Range be zero-knowledge, then MemCP RSAPrm is zeroknowledge.
Proof [of Theorem 4.5] Knowledge Soundness with Partial Opening of C P : the proof is similar to the one of theorem 4.1 except for some minor parts.Let a malicious prover P * , a PPT adversary of Knowledge Soundness with Partial Opening (see the definition in section 2.5) that on input (ck, R mem , crs, aux R , aux Z ) outputs (C P , c e , P, π) such that the verifier V accepts, i.e.VerProof(crs, C P , c e ), π) = 1 and VerCommit(ck, t U , C P , P, ∅) = 1 with non-negligible probability .We will construct a PPT extractor E that on the same input outputs a partial witness (e, r) such that R mem (P, e) = 1 ∧ VerCommit(ck, t q , c e , e, r) = 1.For this we rely on the Knowledge Soundness of CP Root , CP modEq and CP Range protocols.E parses π := (C e , π Root , π modEq , π Range ) and crs := (N, G, H, H prime , G q , g, h, crs Range ), from which it computes the corresponding crs Root := (N, G, H) and crs modEq := (N, G, H, G q , g, h).Then constructs an adversary A Root for CP Root Knowledge Soundness that outputs (C e , C P , µ, π Root ).It is obvious that since V accepts π then it also accepts π Root , i.e., CP Root .VerProof(crs Root , (C e , C P , µ), π Root ) = 1.From Knowledge Soundness of CP Root we know that there is an extractor E Root that outputs (e, r, W ) such that C e = ±G e H r (mod N )∧W e = C P (mod N )∧e < 2 λz+λs+µ+2 .Similarly, E constructs adversaries A modEq and A Range of protocols CP modEq and CP Range respectively.And similarly there are extractors E modEq and E Range that output (e , e q , r , r q ) such that e = e q (mod q) ∧ C e = ±G e H r (mod N ) ∧ c eq = g eq mod q h rq mod q and (e q , r q ) such that c e = g e q h r q ∧ 2 µ−1 < e q < 2 µ respectively.
From the Binding property of the integer commitment scheme we get that e = e and r = r (over the integers), unless with a negligible probability.Similarly, from the Binding property of the Pedersen commitment scheme we get that e q = e q (mod q) and r q = r q (mod q), unless with a negligible probability.So if we put everything together the extracted values are (e, r, W, e q , r q ) such that: W e = C P (mod N ) ∧ e < 2 λz+λs+µ+2 ∧ e = e q (mod q) ∧ 2 µ−1 < e q < 2 µ and additionally C e = ±G e H r ∧ c e = g eq mod q h rq mod q From VerCommit(ck, t U , C P , P, ∅) = 1 we infer that C P = G prod P , where for each e i ∈ P it holds that e ∈ Primes 2 µ−1 , 2 µ .From the strong RSA assumption since W e = C P = G prod P (mod N ) we get e ∈ Π P , unless with a negligible probability (see appendix A.1).
The rest of the analysis that justifies e ∈ P is identical to the one of the proof of theorem 4.1.So e ∈ P and as shown above VerCommit(ck, t q , c e , e q , r q ) = 1.
Zero Knowledge: For the Zero Knowledge Property we rely on similar techniques with the ones of the proof of theorem 4.3 except for the use of S HashEq .Here we use instead the simulator of the CP Range protocol, S Range .
Below is an interactive ZK protocol for R Root : 1. Prover computes a W such that W e = Acc and C W = W H r 2 , C r = G r 2 H r 3 and sends to the verifier: P → V : C W , C r 2. Prover and Verifier perform a protocol for the relation: R((C e , C r , C W , Acc), (e, r, r 2 , r 3 , β, δ)) = 1 iff Let λ s be the size of the challenge space, λ z be the statistical security parameter and µ the size of e.
The proof of the above is similar to the one of [CL02] where the more specific protocol was introduced, but implicitly was including a protocol for R Root , with a modification in the assumption that is derived from the later work of Couteau et.al. [CPP17].Before proceeding to the proof we recall some properties related to RSA groups.First we expose two standard arguments.The first is that obtaining a multiple of φ(N ) is equivalent to factoring N .This directly allows us to argue that for any G ∈ Z * N , if one is able to find an x ∈ Z such that G x = 1 (mod N ) then under the factoring assumption x = 0, otherwise x is a multiple of φ(N ).Secondly, finding any non-trivial solution of the equation µ 2 = 1 (mod N ) in Z * N (non-trivial means µ = ±1) is equivalent to factoring N .N such that G = H x (mod N ) which leads to H xα+β = 1.As we discussed above under the assumption that factoring of N is hard, xα + β = 0.If α = 0 then x ← − β α is a discrete logarithm of H, so assuming that DLOG is hard α = 0. Similarly, there is an y ∈ Z * N such that G y = H (mod N ) and with a similar argument we can conclude that β = 0. 2. We discern two cases, y = ρ is odd or y = 2 v ρ is even (for an odd ρ).In case y is odd then it is co-prime with φ(N ) = p q (otherwise if y = p or y = q we would be able to factor N ), so y −1 (mod N ) exists and x y From the second fact that we discussed above under the factoring assumption Finally it samples c * ←$ {0, 1} λs .Then it sets . The distribution of π * is identical to the one of a real proof π.
For the knowledge soundness, let an adversary of the knowledge soundness A that is able to convince the verifier V with a probability at least .We will construct an extractor E that extracts the witness (e, r, r 2 , r 3 , β, δ).Using rewinding E gets two accepted transcripts (C W , C r , α 1 , α 2 , α 3 , α 4 , c, s e , s r , s r 2 , s r 3 , s β , s δ ) and (C W , C r , α 1 , α 2 , α 3 , α 4 , c , s e , s r , s r 2 , s r 3 , s β , s δ ) on two different challenges c and c .We denote ∆c := c − c, ∆s e := s e − s e , ∆s r := s r − s r , ∆s r 2 := s r 2 − s r 2 , ∆s r 3 := s r 3 − s r 3 , ∆s β := s β − s β , ∆s δ := s δ − s δ then We discern three cases: -Acc = − C W H r2 ∆se ∆c and ∆se ∆c even: this means that Acc is a non-quadratic residue, which is a contradiction since in the R Root relation we assume that Acc ∈ QR N .
Because of the constraint µ > λ z + λ s + 2, we the choice above implies the use of large primes.This would be anyway the case if one instantiates the scheme with a collision-resistant hash function H (e.g., SHA256 or SHA3), e.g., because set elements are quite arbitrary.If on the other hand, one could support more specific set elements, one could use instead a deterministic map-to-primes or even use our scheme MemCP RSAPrm in which set elements themselves are primes.In this case one may wonder if it is possible to choose values of µ smaller than 2λ; for example µ ≈ 30, 60, 80.The answer is positive although the characterization of such µ's require an involved analysis.
Let us fix ν = 2λ, and say that the statistical security parameters λ z , λ s are such that λ z + λ s + 2 = 2λ − 2 − c for some constant c (for example c = 4 if λ z = λ s = λ − 4).We are essentially looking for µ such that Parameters for dµ + 2 > ν.This case concerns only MemCP RSA and Theorem 4.2 in particular.In this case, if one aims at maximizing security, say to get a scheme with λ-bits of security, then would have to set µ ≈ 2λ for collision resistance, and consequently select the prime order group so that ν ≥ 3λ.This choice however is costly in terms of performance since the efficiency of all protocols that work in the prime order group degrades.Nevertheless, in our full paper we will analyze intermediate cases in which we can adjust the parameters in order to get some concrete security bounds that are still reasonable.

A CP-SNARK for Set Membership in Bilinear Groups
In this section we propose another CP-SNARK, called MemCP VC , for the set membership relation that works in bilinear groups.Unlike the schemes of Section 4, the CP-SNARK given in this section does not have short parameters; specifically it has a CRS linear in the size of the sets to be committed.On the other hand, it enjoys other features that are not satisfied by our previous schemes (nor by other schemes in the literature): first, it works solely in Bilinear Groups without having to deal with RSA groups; second, it allows to commit the set in an hiding manner and, for the sake of soundness, does not need to be opened by the adversary.This is possible thanks to the fact that the set is committed in a way that (under a knowledge assumption) guarantees that the prover knows the set.More in detail, MemCP VC is a CP-SNARK for set membership where set elements are elements from the large field F = Z q where q is the order of bilinear groups.So D elm = F.In terms of set it supports all the subsets of 2 D elm of cardinality bounded by n, D set = {U ∈ 2 D elm : #U ≤ n}, which we denote by S n , # symbol denotes the cardinality of a set.So U has elements in F and is a subset of S n .

Preliminaries and Building Blocks
Bilinear Groups.A bilinear group generator BG(1 λ ) outputs (q, G 1 , G 2 , G T , e), where G 1 , G 2 , G T are additive groups of prime order q, and e : G 1 × G 2 → G T is an efficiently computable, non-degenerate, bilinear map.For ease of exposition we present our results with Type-1 groups where we assume that G 1 = G 2 .Our results are under the ( + 1)d-Strong Diffie Hellman and the (d, )-Extended Power Knowledge of Exponent assumptions, for which we refer the reader to [ZGK + 17].
A Polynomial-Pedersen Type-Based Commitment Scheme.First we present PolyCom, a type-based commitment scheme which was introduced in [CFQ19] extracted from the verifiable polynomial delegation scheme of [ZGK + 17].The scheme has two types: one for -variate polynomials f : F → F over F of variable degree at most d, and one which is a standard Pedersen commitment for field elements.Let W ,d be the set of all multisets of {1, . . ., } where the cardinality of each element is at most d.The scheme is described in figure 10.For the proof we refer to [CFQ19, ZGK + 17].

Input-Hiding CP-SNARK for Polynomial Evaluation
The main building block of our main protocol is a CP-SNARK CP PolyEval for the type-based commitment PolyCom.Loosely speaking the idea is to commit to the input t and the output y of a polynomial (with a Pedersen commitment), further commit to the polynomial f itself (with a polynomial commitment) and then prove that the We will present a CP-SNARK for this relation, CP PolyEval , in section 5.3.CP PolyEval is based on a similar protocol for polynomial evaluation given in [CFQ19] which was in turn based on the verifiable polynomial delegation scheme of zk-vSQL [ZGK + 17].In those protocols, however, the input t is public whereas in ours we can keep it private and committed.
Range Proof CP-NIZK.We make use of CP Range , a CP-NIZK for the following relation on PedCom commitments c and two given integers A < B: R Range ((c e , A, B), (e, r q )) = 1 iff c = g e h rq ∧ A < e q < B CP Range can have various instantiations such as Bulletproofs [BBB + 18].
Multilinear Extensions of vectors.Let F be a field and n = 2 .The multilinear extension of a vector a = (a 0 , . . ., a n−1 ) in F is a polynomial f a : F → F with variables x 1 , . . ., x defined as where i i −1 . . .i 2 i 1 is the bit representation of i and select i k (x k ) = x k , if i k = 1 1 − x k , if i k = 0 A property of Multilinear extension of a is that f a (i 1 , . . ., i ) = a i for each i ∈ [n].
The type-based commitment scheme of MemCP VC .We define the type-based commitment C EdraxP ed for our CP-SNARK MemCP VC .We recall we need a commitment that allows one to commit to both elements and sets.We build this based on an hiding variant of EDRAX Vector Commitment [CPZ18], which in turn relies on a polynomial commitment.Therefore, we use a special case of PolyCom for polynomials of maximum variable degree d = 1.Let := log(n) and 2 [ ] be the powerset of [ ] = {1, ..., } then W ,1 = 2 [ ] .Furthermore, for any n ≤ n let L : S n → F n be a function that maps a set of cardinality n to its corresponding vector according to an ordering.The description of the scheme can be found in figure 11.Essentially the idea is to take the set, fix some ordering so that we can encode it with a vector, and then commit to such vector using the vector commitment of [CPZ18], which in turn commits to a vector by committing to its multilinear extension polynomial.

CP-SNARK for Set membership using EDRAX Vector Commitment
Here we present a CP-SNARK for set membership that uses a Vector Commitment -an EDRAX [CPZ18] variant -to commit to a set.The idea is to transform a set to a vector (using for example lexicographical order) and then commit to the vector with a vector commitment.Then the set membership is proven with a zero knowledge proof of opening of the corresponding position of the vector.However to preserve zero knowledge we additionally need to hide the position of the element.For this we construct a zero knowledge proof of knowledge of an opening of a position that does not give out the position.Finally, since the position is hidden we additionally need to ensure that the prover is not cheating by providing a proof for a position that exceeds the length of the vector.For this we, also, need a proof of range for the position, i.e. that i < n.
In this section the domain of the elements is a field, D elm := F, and the domain of the set is all the subsets of 2 D elm of cardinality bounded by n, D set = {U ∈ 2 D elm : #U ≤ n}, which we denote by S n (the # symbol denotes the cardinality of a set).So U has elements in F and is a subset of S n .
The type-based commitment of our scheme is C EdraxP ed (fig.11) that is presented in the previous section, and the relation is R = (ck, R VCmem ) where R is over Note that in the above the prover should normally give exactly = log(#U ) commitments.In case < log(#U ) the position is not fully hiding since it is implicit that i < 2 −1 so the verifier gets a partial information about the position.
1. E Range outputs (i, r i ) such that i < #U ∧PolyCom.VerCommit(ck, t q , c i , i, r i ) = 1 which means that c i,1 = g i h r i .Since the proof π is verified then c i,1 = k=1 (c i k ,1 ) 2 k−1 or g i h r i = g k=1 i k 2 k−1 h k=1 r i k 2 k−1 .From the binding property of the Pedersen commitment we get that i = k=1 i k 2 k−1 and r i = k=1 r i k 2 k−1 .

Input-hiding CP-SNARKs for Polynomial Evaluation
Here, we present an instantiation of a a zero knowledge CP-SNARK for the relation R PolyEval presented in section 5.1.
To give an intuition of the protocol we recall that zk-vSQL uses lemma 5.1 to prove the correct evaluation of the polynomial, that we recall below.
With this one can verify in time linear in the number of variables that f (t) = y by checking iff g f (t) g −y = i=1 e(g s i , w i ), given the values g f (s) , {g s i } i=1 , {w i = g q i (s) } i=1 We are interested in the committed values of f, y = f (t) and t, c f , c y , c t respectively, that hide them.For this we will use instead the below equation for verification: The equation indicates us how to construct the protocol which we present in figure 13.Proof Below is a proof sketch, which however is quite similar to the one of CP poly in [CFQ19].
Lemma 2.2 (Extending to Commitment Composition).Let C, C be commitment schemes defined over disjoint type sets T and T .If CP is CP-poKSND(C, RG[C.Setup], Z) for some relation and auxiliary input generators RG, Z.

Fig. 5 :
Fig. 5: MemCP RSA CP-SNARK for set membership is the set of all possible products and more specifically Π U,d ⊆ Π U denotes the set of possible products of exactly d elements of U , |I| = d, while for the degenerate case of d > n we define Π U,d = ∅.We note that |Π U,d | = n d (except for the degenerate case where |Π U,d | = 0

Proposition 4. 1 .
Let Z * N be an RSA group with a modulus N and QR N the corresponding group of quadratic residues modulo N .1.Let G, H ←$ QR N two random generators of QR N and a PPT adversary A outputting α, β ∈ Z * N such that G α H β = 1 then under the assumption that DLOG problem is hard in QR N it holds that α = β = 0. 2. Let A, B ∈ Z * N and a PPT adversary A outputting x, y ∈ Z * N such that A y = B x and y | x then under the assumption that factoring of N is hard it holds that A = ±B x y Proof 1.Since G, H ∈ QR N there is an x ∈ Z * However for v > 1 the left part of the equation is a quadratic residue so it cannot be −1, therefore A −1 B of theorem 4.6] Correctness is straightforward.Honest-verifier zero knowledge can be shown with standard arguments used in Σ-protocols and the fact that the commitments to C e , C W , C r are statistically hiding.That is the simulator S on input (C e , Acc) samples C * W ←$ Z * N and C * r ←$ Z * N .Then samples s * e ←$ −2 λz+λs+µ − 2 λz+µ , 2 λz+λs+µ + 2 λz+µ , s * r , s * r 2 , s * r 3 ←$ − N/4 2 λz+λs − N/4 2 λs , N/4 2 λz+λs + N/4 2 λs , s * β , s * δ ←$ − N/4 2 λz+λs+µ − N/4 2 λs+µ , N/4 2 λz+λs+µ + N/4 2 λs+µ .
Define the (possibly rational) numbers ê := ∆se ∆c , r := ∆sr ∆c , r2 := ∆sr 2 ∆c , r3 := ∆sr 3 ∆c .According to[CPP17], under the assumption that RSA problem is hard in Z * N , (ê, r) is a valid opening of C e and ( r2 , r3 ) a valid opening of C r (yet ê, r, r2 , r3 are integers meaning that ∆c divides ∆s e , ∆s r , ∆s r 2 and ∆s r 3 ).Therefore, C e = ±G êH r and C r = ±G r2 H r3 .Now if we replace C r in the fourth equation we get 1 = (±1) ∆se G r2 ∆se H r3 ∆se 1H ∆s δ 1 G ∆s βor (±1) ∆se G r2 ∆se−∆s β H r3 ∆se−∆s δ = 1.However, (±1) ∆se = 1 otherwise if (±1) ∆se = −1 then −G r2 ∆se−∆s β H r3 ∆se−∆s δ would be a non-quadratic residue (since G, H are both in QR N and QR N is closed under multiplication) equal to 1 which is a quadratic residue and this would be a contradiction, hence G r2 ∆se−∆s β H r3 ∆se−∆s δ = 1.According to the first point of proposition 4.1, under the factoring assumption r2 ∆s e − ∆s β = r3 ∆s e − ∆s δ = 0, so r2 ∆s e = ∆s β .Finally we replace ∆s β in the third equation and we getAcc ∆c = C ∆se W 1 H r2 ∆se ⇒ Acc ∆c = Cw H r2∆se .As stated above ∆c divides ∆s e so according to the second fact of proposition 4.1 ∆se ∆c : Then E sets W ← C W H r2 and ẽ ← ê := ∆se ∆c r ← r := ∆sr ∆c as above.It is clear that Acc = W ẽ and as stated above C e = G ẽH r. -Acc = − C W H r2 ∆se ∆c and ∆se ∆c odd: Then E sets W ← − C W H r2 and ẽ ← ê := ∆se ∆c r ← r := ∆sr ∆c as above.It is clear that Acc = W ẽ and as stated above C e = G ẽH r.

Theorem 5. 1 .
Under the ( +1)d-Strong Diffie Hellman and the (d, )-Extended Power Knowledge of Exponent assumptions PolyCom is an extractable trapdoor commitment scheme.

Theorem 5. 3 .
Under the ( + 1)d-Strong Diffie Hellmann and the (d, )-Extended Power Knowledge of Exponent assumptions, CP PolyEval is a Knowledge Extractable CP-SNARK for the relation R PolyEval and the commitment scheme PolyCom.