From Polynomial IOP and Commitments to

Non-malleable zkSNARKs

Antonio Faonio1 , Dario Fiore2 , Markulf Kohlweiss3 ,

Luigi Russo1 , and Michal Zajac5
1
EURECOM, {faonio,russol}@eurecom.fr
2
IMDEA Software Institute, [email protected]
3
University of Edinburgh and Input Output, [email protected]
4
Nethermind, [email protected]

Abstract. We study sufficient conditions for compiling simulation-extractable

zkSNARKs from information-theoretic interactive oracle proofs (IOP)
using a simulation-extractable commit-and-prove system for its oracles.
Specifically, we define simulation extractability for opening and evalua-
tion proofs of polynomial commitment schemes, which we then employ
to prove the security of zkSNARKS obtained from polynomial IOP prove
systems, such as Plonk and Marlin. To instantiate our methodology we
additionally prove that KZG commitments satisfy our simulation ex-
tractability requirement, despite being naturally malleable. To this end,
we design a relaxed notion of simulation extractability that matches how
KZG commitments are used and optimized in real-world prove systems.
Only the proof that KZG satisfies this relaxed simulation extractability
property relies on the algebraic group model (AGM) and random oracle
(RO). We thus isolate the use of (and thus the reliance on) these strong
heuristics.

1 Introduction
Non-interactive succinct zero-knowledge arguments of knowledge (zkSNARKs)
[43], are the new Swiss army knife of blockchain scalability and privacy. They
effectively deliver the twin dream of probabilistically checkable proofs (PCP) [3]
and zero-knowledge proofs (ZKP) [32] while also being non-interactive, short,
and efficiently verifiable. These features make zkSNARK of high practical and
theoretical relevance. They are an active area of research that has seen rapid
progress in multiple aspects, such as efficiency [7,31,33,34], security and versa-
tility of their setups [6,35], and proof composition [13,15].
Simulation-extractable zkSNARKs. The basic security notion of zkSNARKs
is knowledge-soundness which, informally speaking, guarantees that, in isola-
tion, a prover producing a valid proof must know the corresponding witness.
In contrast, there exist real-world deployments and cryptographic applications
of zkSNARKs that require a stronger property called simulation extractability
(SE, for brevity) [36,46]. Intuitively, this notion considers attackers that can see
proofs for some statements and may use this information in order to produce
a proof for some other statement without knowing the witness. Interestingly,
simulation extractability implies that proofs are non-malleable [22], a relevant
property in practical applications. Most zkSNARKs in the literature are only
proven to be knowledge-sound. In some cases, this is due to the fact that their
proofs may indeed be malleable, e.g., as in [34] (see also [4]). In other cases,
the lack of SE security proof is because it is a challenging task that may require
more investigation.
From polynomial commitments to SNARKs. The design of modern zk-
SNARKs follows the common cryptographic approach of starting with protocols
that achieve information-theoretic security in idealized models and then compil-
ing them into efficient protocols by employing a smaller computationally-secure
primitive. In the world of SNARKs, the corresponding concepts are (polyno-
mial) interactive oracle proofs F -IOP [16,17,20,26,47] and (polynomial) func-
tional commitments F -COM [12,38,39]. An F -IOP employs two (idealized) ora-
cles that share their state: The prover calls the first oracle to commit to functions
f ∈ F and the verifier calls the second to query the committed functions. Con-
cretely, the F -IOP to SNARK compiler uses F -COM to replace oracles with
commitments, opening proofs, and query proofs. As this only removes reliance
on idealized function oracles but not interaction, the compiler additionally em-
ploys the usual Fiat-Shamir transformation for public-coin protocols to obtain
the final zkSNARK. The benefits of this compilation paradigm are modularity
and separation of concerns: once the compiler is proven, a line of research can
address the problem of improving F -IOPs while another research line can tackle
the problem of realizing F -COM schemes (e.g., with better efficiency, from differ-
ent assumptions, etc.): this approach has been successfully adopted to construct
several recent zkSNARKs. All this recent work, though, only shows that schemes
obtained via this paradigm are knowledge-sound.

1.1 Our work

We study the simulation extractability of a broad class of zkSNARKs built

through this compilation approach. In particular, our primary goal includes
showing that existing zkSNARKs (and thus existing compilers) provide sim-
ulation extractability. This goal has a twofold motivation. On the theoretical
side, we are interested in understanding sufficient conditions on F -COM to com-
pile an F -IOP into a simulation-extractable zkSNARK. On the practical side,
by capturing existing compilers we can show that existing schemes that are un-
der deployment, e.g., Plonk [26], have already this strong security property. For
this reason, in our work we focus on the popular case of the compiler where the
F -IOP is a polynomial IOP (i.e., the oracle functions F are low-degree poly-
nomials), and F -COM is a polynomial commitment. Furthermore, in terms of
instantiations we are interested to cover the celebrated polynomial commitment
scheme of Kate, Zaverucha and Goldberg [38] (KZG, shortly) and on a polyno-
mial IOP framework that is flexible enough to include recent constructions, e.g.,
[17,20,26,41,45].

2
 The main contributions of our work are: (i) to introduce a relaxed notion
of simulation extractability for polynomial commitments; (ii) to prove that the
KZG scheme satisfies our relaxed SE notion in the algebraic group model (AGM)
and random oracle model (ROM); and (iii) to prove that our notion is sufficient to
compile a polynomial IOP into a (full-fledged) simulation extractable zkSNARK,
using the usual compilation approach. By combining these three results we ob-
tain a simulation-extractability proof for Plonk [26] and a slight variation of
Marlin [20].
Below, we elaborate more on our results and the challenges that we had to
overcome along the way.

1.2 Our techniques

Background. For our work, we chose the class of Polynomial (Holographic)
IOPs (PIOP) as defined by [17] as a generalization of [16].5 The oracle of the
prover commits to low-degree polynomials over a finite field while the queries
of the verifier check polynomial equations over these polynomials. These poly-
nomial equations can depend on additional field elements sent by the prover
and/or the verifier during the execution of the protocol. Slightly more in detail,
the verifier can query an oracle polynomial p(X) (or multiple polynomials si-
multaneously) by specifying polynomials G and v to test equations of the form
G(X, p(v(X))) ≡ 0. Therefore, to be compiled, PIOPs need a commit-and-prove
SNARK (CP-SNARK) for proving the validity of such equations concerning
the committed polynomials. Notably, one can easily build this CP-SNARK from
one for polynomial evaluations (e.g., KZG) by testing the equations on a random
point chosen by the random oracle.
Simulation extractability challenges. Intuitively, the use of SE-secure CP-
SNARK in the above compiler should result in a simulation-extractable zk-
SNARK: The zero-knowledge simulator samples random commitments (relying
either on hiding property of commitments, or the randomness in the commit-
ted functions p). It then simulates evaluations of p that satisfy the verification
equation of the PIOP. The reduction to PIOP soundness extracts all committed
functions from their opening proofs and the final function evaluations from the
evaluation proofs. However, this approach presents two major challenges:
– The PIOP could be arbitrary. In particular, internally it could sequentially
compose two PIOP sub-protocols that prove statements over different sets
of polynomials. For example, consider a PIOP obtained by the sequential
composition of two PIOP protocols for two independent statements. Very
likely, the set of queries to the polynomials made by the two sub-protocols
are independent and (unless the PIOP specifies it explicitly) the evaluation
queries of the first sub-protocol may be chosen based on the verifier’s random
challenges sent before the second sub-protocol even starts. The simulation
5
The choice is mainly motivated by generality as PIOPs can flexibly capture under
the same hat all the most recent protocols based on the notions of [16], AHP [20],
and ILDP [26].

3
 extractability of the zkSNARK compiled from this protocol might be affected
because one could strip off the second set of evaluation proofs and replace
them with those for another statement6 .
– Secondly, one needs to prove that existing, efficient, and practically deploy-
able instantiations of polynomial commitments are simulation-extractable.

Our solutions. To solve the first challenge, we define a zkSNARK compiler

that bundles all verification queries together instead of translating verification
queries on-the-fly into calls to the commit-and-prove system. Motivated by our
goal to show that existing zkSNARKs are simulation extractable, we define two
(rather minimal) constraints on the PIOP: The first one is that at least one of the
polynomial equations involves all the oracle polynomials and that the polynomial
v chosen by the verifier (see above) is not constant.7 Fortunately, this constraint
is natural and easy to meet in practice: Plonk naturally meets our constraint
meanwhile all the other proof systems based on Aurora’s univariate sumcheck
[8] can be easily (and at negligible cost) adapted by instantiating the proof
of polynomial degree through an evaluation query on all the polynomials. The
second constraint regards the distribution of the polynomial commitments after
compilation: we require that the joint view of a transcript of the polynomial
oracle protocol execution and the commitments to the oracle polynomials can
be simulated. Notice, this property is obvious when we compile using hiding
commitment schemes, and it is not hard to show when the hiding property is
obtained through randomization of the oracle polynomials at the protocol level
(for example see the proof of zero-knowledge for Plonk in [27]).
For the second challenge, unfortunately, the issue is that the most obvi-
ous candidate, the efficient and widely deployed KZG polynomial commitment
scheme [38], is not simulation-extractable. Using bracket notation, KZG commit-
ments are of the form [p(s)]1 for a trapdoor secret s encoded in the parameters
([si ]1 )i∈[0..d] , [1, s]2 , while evaluation proofs for an input x and output y are of
the form [ p(s)−y
s−x ]1 . KZG is malleable, and thus not simulation-extractable in the
usual sense: e.g., given a commitment to f anyone can compute [f (s) + ∆]1 and
open it using the same proof to (x, y + ∆).
Our starting point is the observation that KZG retains a form of simula-
tion extractability for evaluations at points that are randomly chosen after the
commitment. Fortunately, this is the situation we encounter in the Fiat-Shamir
part of the PIOP-to-SNARK compiler. The commitment forms part of the first
commit-and-prove part of the statement which is hashed to determine the x of
the second part of the statement. Thus, the evaluation point depends on the
commitment and can be considered random in the RO model.
6
In particular, the adversary could have a simulated proof π̃ = (π, π ′ ) for (x, x′ ) and
then could choose x′′ for which it knows a valid witness, and finally forge for (x, x′′ )
using (π, π ′′ ), where π ′′ is honestly generated. As the simulated proof π is reused,
extraction fails. Notice, this attack works even when the Fiat-Shamir challenges for
π ′′ are derived by hashing a transcript that contains π.
7
This can be for example be implemented via a common random point chosen at the
end of the protocol, on which all oracles are evaluated.

4
 To formalize this important relaxation, we introduce a Φ-flexible simulation
extractability (Φ-SE) notion. In the standard simulation-extractability exper-
iment, the adversary can ask the simulator to generate proofs for statements
of its choice and, eventually, must produce a new valid proof without knowing
the witness. In Φ-SE, we consider a relaxation of the SE game in which all the
simulation queries of the adversary must satisfy a predicate specified in Φ, and
similarly, Φ can constrain the winning condition of the adversary. For this reason,
we refer to Φ as the policy. One can see that Φ-SE is a generalization of existing
SE notions such as true-simulation-extractability (where the adversary can only
see simulated proofs on true statements) [21], or weak simulation extractability
(where the adversary only wins if it provides a proof for a new statement, and
contrary to (strong) SE loses if it provides a new proof for a statement previ-
ously asked to the simulation oracle). Once having defined this framework, we
analyze which policies Φ are strong enough to achieve simulation extractabil-
ity in the compiled zkSNARK, while at the same time being weak enough for
instantiation by KZG under plausible assumptions (in the AGM [25] and RO).
Specifically, we isolate the (simulation) extractability properties needed for the
compiler and verify it for KZG in the AGM. This is the only part of our results
where we need the AGM. Given the broad applications of KZG in the field of
practical zkSNARKs and beyond, the characterization of its (non-)malleability
is interesting in its own right. In fact, our policy highlights some malleability
attacks that we discovered and that we needed to handle. Finally, for our Φ we
prove that KZG is Φ-SE in the AGM and ROM. This proof turned out to be
highly non-trivial and is one of the main technical contributions of our work.

Related work. It is hard to be exhaustive, or even representative, in discussing

related work on SNARKs. For the sake of our paper, we focus on related work
on simulation extractability notions. Groth and Maller [36] give a simulation-
extractable zkSNARK that consists of only 3 group elements. Their construction
is neither universal nor updatable. The recent work of Ganesh, Orlandi, Pan-
choli, Takahashi and Tschudi [29] shows that Bulletproofs [14] are non-malleable
in AGM. Their work extends the framework introduced by Faust, Kohlweiss,
Marson and Venturi in [23] to Fiat-Shamir applied to multi-round interactive
arguments. On a similar path, the work of Ganesh, Khoshakhlagh, Kohlweiss,
Nitulescu and Zajac [27] shows non-malleability for Plonk, Sonic and Marlin.
Both [27,29] show that interactive arguments can be simulation-extractable af-
ter Fiat-Shamir transform. In contrast, our work takes a step further in the
compilation pipeline showing the simulation extractability of SNARKs derived
from interactive oracle protocols. In particular, [27,29] rely on properties such as
trapdoor-less zero-knowledge, i.e. the zero-knowledge where the simulator does
not rely on the SRS’s trapdoor but on the programmability of the random oracle,
and on the unique-response property, which states that at some point of the pro-
tocol, the prover becomes a deterministic algorithm. Reliance on these two prop-
erties imposes additional effort to show that schemes are simulation-extractable.
Namely, both of these properties were coined only for the purpose of showing
simulation extractability, hence are usually not analyzed in papers that introduce

5
new protocols. Furthermore, [27] relies on rewinding-based soundness, which is
a non-standard notion of soundness, and rewinding which make the simulator-
extractability extractor success dependent on the probability of the adversary
returning an acceptable proof; and [29] relies on the AGM.Contrary to these re-
sults, our paper’s result does not directly rely on the AGM, does not require the
protocol to be trapdoor-less zero knowledge or have the unique-response property
and uses more standard notion of soundness, i.e. the state restoration soundness.
The work of Abdolmaleki, Ramacher and Slamanig [2] shows a generic com-
piler to simulation extractable SNARKs which requires key-homomorphic signa-
tures. Their compiler produces universally-composable SNARKs (UC-SNARKs),
which they prove through black-box straight-line extractor. To obtain a black-
box straight-line extractor, they append to the SNARK proof an encryption of
the witness, thus achieving a relaxed succinctness w.r.t. the size of the circuit
describing the relation. The recent work of Ganesh, Kondi, Orlandi, Pancholi
and Takahashi [28] shows how to regain full succinctness in UC-SNARKs in the
ROM through Fischlin’s transform [24].

Open problems. Our framework is general enough to handle compilation from

polynomial commitment schemes different than KZG. Our contribution identifies
a set of properties that a polynomial commitment scheme needs to have so that
the resulting SNARK is simulation extractable. We believe that FRI polynomial
commitment scheme [10] readily possesses the necessary properties, which would
imply the simulation extractability of STARKs [6].
Another advantage of our formalization of PIOP over previous proposals such
as [16] is that it naturally supports optimization tricks in the literature [17]. As
an intermediate step of our compiler, we define a CP-SNARK for polynomial
evaluations based on KZG. While we capture the important use case of batched
evaluations on a common point, for the sake of simplicity, we leave further ex-
tensions and optimizations for future work. In particular, we do not capture the
case of proving evaluations on arbitrary linear combinations of committed poly-
nomials. We believe this extension could be handled at PIOP level by extending
the notion to virtual oracle polynomials obtained through linear combinations of
other oracles (and thus using the homomorphic property of KZG). We leave as
open problem to extend our result to even more flexible polynomial IOP models.
One could think that restricting the forgery on a fresh randomly-sampled
evaluation point x would be a natural condition to prove simulation extractabil-
ity of KZG. This restriction, however, is not sufficient to prove strong simulation
extractability for the compiler. This is why we enlarge the class of forgeries for
the PCOM: we prove that these additional forgeries are unfeasible for KZG, and
the compiled SNARK is simulation extractable in the strong sense, as desired.
Recent works extend the polynomial evaluation proofs of KZG to multiple
evaluation points [48,49]. Our simulation-extractability strategy for KZG can be
applied partially to these schemes; however, our technique uses a clever argument
to separate the realm of commitments from the realm of proofs (in KZG proofs
and commitments are both of the form [p(s)]1 for some polynomial p) based
on their degree as polynomials. Unfortunately, the same technique does not

6
work when the degree of the polynomial in the proof depends on the number of
evaluation points in the proved statement.
Organization of the paper. We define the framework of policy-based simulation-
extractability in Section 3, we proceed with the analysis of the simulation-
extractability of KZG in Section 4 and we give our generic compiler for strong
simulation-extractable Universal SNARKs from (simulation-extractable) poly-
nomial commitment and PIOP in Section 5. The thesis of the theorem on KZG
polynomial commitment and the hypothesis for the theorem of the Universal
SNARKs compiler do not quite match. Indeed, they could be even considered
as two independent and (almost) self-contained results. We show how to fill the
gaps and connect the two results in Section 6.

2 Preliminaries

A function f is negligible in λ (we write f ∈ negl(λ)) if it approaches zero faster

than the reciprocal of any polynomial: i.e., for every c ∈ N there is an integer
λc such that f (λ) ≤ λ−c for all λ ≥ λc . The expression [n] denotes the set
{1, 2, . . . , n} for an integer n ≥ 1. Calligraphic letters denote sets, while set sizes
are written as |X |. Lists are represented as ordered tuples, e.g. L := (Li )i∈[n] is
a shortcut for the list of n elements (L1 , . . . , Ln ). To get a specific value from a
list, we also use the “dot” notation; e.g., we use L.b to access the second element
of the list L = (a, b, c). The difference between lists and vectors is that elements
of vectors are of the same type.
An asymmetric bilinear group G is a tuple (q, G1 , G2 , GT , e, P1 , P2 ), where
G1 , G2 and GT are groups of prime order q, the elements P1 , P2 are genera-
tors of G1 , G2 respectively, e : G1 × G2 → GT is an efficiently-computable non-
degenerate bilinear map, and there is no efficiently computable isomorphism be-
tween G1 and G2 . Let GroupGen be some probabilistic polynomial-time (PPT)
algorithm which on input 1λ , where λ is the security parameter, returns a de-
scription of a bilinear group G. Elements in Gi , i ∈ {1, 2, T } are denoted in
implicit notation as [a]i := aPi , where PT := e(P1 , P2 ). Every element in Gi
can be written as [a]i for some a ∈ Zq , but note that, given [a]i , is in general
hard to compute (discrete logarithm problem). Given a, b ∈ Zq we distinguish
between [ab]i , namely the group element whose discrete logarithm base Pi is
ab, and [a]i · b, namely the execution of the multiplication of [a]i and b, and
[a]1 · [b]2 = [a · b]T , namely the execution of a pairing between [a]1 and [b]2 . We
do not use the implicit notation for variables, e.g. c = [a]1 indicates that c is a
variable name for the group element whose logarithm is a.

Definition 1 (Algebraic algorithm, [25]). An algorithm A is called alge-

braic if for all group elements z that A outputs (either as returned by A or by
calling one of its oracles), it additionally provides the representation of z rela-
tive to all previously received group elements. That is, if elems is the list of group
elements that A has received so far, then A must also provide a vector r such
that z = ⟨r, elems⟩.

7
Definition 2 (Commitment scheme). A commitment scheme with mes-
sage space M (and group parameters GroupGen) is a tuple of algorithms CS =
(KGen, Com, VerCom) that works as follows:

KGen(ppG ) → ck takes as input group parameters ppG ←$ GroupGen(1λ ) and

outputs a commitment key ck.
Com(ck, m) → (c, o) takes the commitment key ck, and a message m ∈ M, and
outputs a commitment c and an opening o.
VerCom(ck, c, m, o) → b takes as input the commitment key ck, a commitment
c, a message m ∈ M and an opening o, and it accepts (b = 1) or rejects
(b = 0).

A commitment scheme CS satisfies correctness, binding and hiding properties.

Definition 3 (Polynomial Commitment). A polynomial commitment scheme

PC is a commitment scheme (Definition 2) in which the message space M is
F≤d [X], the set of low degree polynomials over a finite field F with degree bound
d ∈ N. The key generation algorithm might take as additional input the degree
d.

Finally, we state these assumptions on distributions.

Definition 4 (Witness Sampleability, [37]). A distribution D is witness

sampleable if there exists a PPT algorithm D̃ such
 that for any ppG we have
that the random variables A ←$ D(ppG ) and à 1 , where à ←$ D̃(ppG ), are
equivalently distributed.

Definition 5 (Dℓ,k -Aff-MDH assumption). Given a matrix distribution

Dℓ,k , the Affine Diffie-Hellman Problem is given A ∈ Gℓ×k1 , with A ←$ Dℓ,k ,
find a nonzero vector x ∈ Zℓq and a vector y ∈ Zkq such that x⊤ A 1 = [y]1 .

The Aff-MDH Assumption could be seen as an extension of the Kernel-MDH As-

sumption introduced by Morillo, Ràfols, Villar [44] since the Ker-MDH assumes
y = 0; Our assumption is incomparable because we also require the adversary
to give x ∈ Zℓq “in the exponent”.

Definition 6 ((d, d′ )-Power Polynomial in the Exponent). The (d, d′ )-

PEA Assumption holds for a bilinear group generator GroupGen i if for every
 d
 h d′
PPT adversary A that receives as input ( 1, . . . , s 1 , 1, . . . , s ) and outputs
2
a polynomial p(X) of degree at most max{d, d′ }, and a value y, the probability
that p(s) = y is negligible. When d = d′ we use the shortcut d-PEA.

Definition 7 (d-Power Discrete Logarithm [40]). Given a degree bound

d ∈ N, the d-Power Discrete Logarithm (d-DL) assumption holds for a bilinear
group   GroupGen
generator  if for every PPT adversary A that receives as input
( 1, . . . , sd 1 , 1, . . . , sd 2 ), and outputs the value s′ , the probability that s = s′


is negligible. We also use DL as a shortcut for 1-DL.

8
Lemma 1 (d-DL ⇒ d-PEA). We can make a reduction to the assumption
that computes s. The reduction invokes the adversary, gets p(X) − y of degree
d, and computes s by factoring the polynomial p(s) − y. As p(s) − y = 0 we are
guaranteed that s is a root.
Lemma 2 (DL ⇒ Uℓ,k -Aff-MDH). When considering the uniform random
distribution Uℓ,k , we can make a reduction to the assumption that computes
s. The reduction samples at the exponent a uniformly random matrix A =
(ai,j )i,j ∈ Zℓ×k
q and invokes the adversary on input [(ai,j )i,j ]1 . Finally, let pi (s)
be the i-the row of x⊤ A. The reduction computes s by factoring one of the k
polynomials pi (s) − yi .

3 Policy-based Simulation-Extractable NIZKs

We start by defining the basic syntax and properties for a Non-Interactive Zero-
Knowledge Argument of Knowledge. Following Groth et al. [35], we define a PT
relation R verifying triple (pp, x, w). We say that w is a witness to the instance
x being in the relation defined by the pp when (pp, x, w) ∈ R (equivalently, we
sometimes write R(pp, x, w) = 1). For example, the parameters pp could be the
description of a bilinear group or additionally contain a commitment key for a
commitment scheme or a common reference string. A NIZK for a relations R (and
group parameters GroupGen) is a tuple of algorithms Π = (KGen, Prove, Verify)
that work as described below.
– KGen(ppG ) → srs is a probabilistic algorithm that takes as input the group
parameters ppG ←$ GroupGen(1λ ) and it outputs an srs := (ek, vk, pp) where
ek is the evaluation key, vk is the verification key, and pp are the parameters
for the relation R.
– Prove(ek, x, w) → π takes an evaluation key ek, a statement x, and a witness
w such that R(pp, x, w) holds, and returns a proof π.
– Verify(vk, x, π) → b takes a verification key, a statement x, and either accepts
(b = 1) or rejects (b = 0) the proof π.
Basic notions for a NIZK are completeness, (knowledge) soundness and zero-
knowledge.
zkSNARKs. We consider the notion of zero-knowledge succinct argument of
knowledge (zkSNARKs) which are NIZKs that are knowledge sound and succinct
as defined below.
Definition 8 (Succinctness). A NIZK Π is said succinct if the running time
of Verify is poly(λ + |x| + log |w|) and the proof size is poly(λ + log |w|).

CP-SNARKs. Commit-and-Prove SNARKs (CP-SNARKs) are zkSNARKs whose

relations verify predicates over commitments (see Campanelli, Fiore and Querol
[18]). We consider the following syntax. Briefly speaking, we refer to a CP-
SNARK for a relation R and a commitment scheme CS as a tuple of algorithms
CP = (KGen, Prove, Verify) where:

9
 – KGen(ck) → srs is a probabilistic (or deterministic) algorithm that takes as
input a commitment key ck for CS and it outputs srs := (ek, vk, pp), where
ek is the evaluation key, vk is the verification key, and pp are the parameters
for the relation R (which include the commitment key ck).
Moreover, if we consider the key generation algorithm KGen′ that upon group
parameters ppG first runs ck ←$ CS.KGen(ppG ), runs srs ←$ CP.KGen(ck) and
outputs srs; then the tuple (KGen′ , Prove, Verify) defines a SNARK.
Zero-Knowledge in the SRS (and RO) model. The zero-knowledge simu-
lator S of a NIZK is a stateful PPT algorithm that can operate in three modes.
(srs, stS ) ← S(0, ppG ) takes care of generating the parameters and the simulation
trapdoor (if necessary), (π, stS ) ← S(1, stS , x) simulates the proof for a state-
ment x, (a, stS ) ← S(2, stS , s) takes care of answering random oracle queries.
The state stS is shared and updated after each operation.
Similarly to [23,29], we define the following wrappers.
Definition 9 (Wrappers for NIZK Simulator). The following algorithms
are stateful and share their state st = (stS , coms, Qsim , QRO , Qaux ) where stS is
initially set to be the empty string, and Qsim , QRO and Qaux are initially set to
be the empty sets.
– S1 (x, aux) denotes an oracle that returns the first output of S(1, stS , x, aux)8 .
– S1′ (x, w) denotes an oracle that first checks (pp, x, w) ∈ R where pp is part
of srs and then runs (and returns the output of) S1 (x).
– S1F (x, w) denotes an oracle parameterized by a function F that first checks
(pp, x, w) ∈ R and then runs (and returns the output of) S1 (x, F (x, w)). As
explained below, this is useful to model leaky-zero-knowledge.
– S2 (s, aux) denotes an oracle that first checks if the query s is already present
in QRO and in case answers accordingly, otherwise it returns the first output
a of S(2, stS , s). Additionally, the oracle updates the set QRO by adding the
tuple (s, aux, a) to the set.
Almost all the oracles in our definitions can take auxiliary information as ad-
ditional input. We use this auxiliary information in a rather liberal form. For
example, in the definition above, the auxiliary information for S1 refers to the
(optional) leakage required by the simulator to work in some cases (see more in
Definition 11), while the auxiliary information for S2 can contain, for example,
the algebraic representations of the group elements in s (when we restrict to
algebraic adversaries) or other information the security experiments might need.
Definition 10 (Zero-Knowledge). A NIZK Π is (perfect) zero-knowledge if
there exists a PPT simulator S such that for all adversaries A:
ppG ← GroupGen(1λ ) ppG ← GroupGen(1λ )
   

Pr srs ← KGen(ppG )  ≈ Pr (srs, stS ) ← S(0, ppG ) 

   
′
AProve(ek,·,·) (srs) = 1 AS1 (·,·) (srs) = 1
8
More often, simulators need only the first three inputs, see Definition 10; abusing
notation, we assume that such simulators simply ignore the auxiliary input aux.

10
Zero-knowledge is a security property that is only guaranteed for valid statements
in the language, hence the above definition uses S1′ as a proof simulation oracle.
We also introduce a weaker notion of zero-knowledge. A NIZK Π is F -leaky
zero-knowledge if its proofs may leak some information, namely a proof leaks
F (x, w), where (x, w) ∈ R. We formalize this by giving the zero-knowledge sim-
ulator the value F (x, w), which should be interpreted as a hint for the simulation
of proofs. This notion could be seen as an extension of the bounded leaky zero-
knowledge property defined in [17] and tailored for CP-SNARKs. Our notion is
a special case of the leakage-resilient zero-knowledge framework of Garg, Jain
and Sahai [30] where the leakage of the simulator is known ahead of time.

Definition 11 (Leaky Zero-Knowledge). A NIZK Π is F -leaky zero-knowledge

if there exists a PPT simulator S such that for all adversaries A:

ppG ← GroupGen(1λ ) ppG ← GroupGen(1λ )

   

Pr srs ← KGen(ppG )  ≈ Pr (srs, stS ) ← S(0, ppG ) 

   

AS1 (·,·) (srs) = 1

F
AProve(ek,·,·) (srs) = 1

3.1 Policy-Based Simulation Extractability

An extraction policy defines the constraints under which the extractor must ex-
tract the witness. For example, we could consider the policy that checks that
the forged instance and proof were not queried/output by the zero-knowledge
simulator (thus modeling the classical simulation extractability notion), or we
could consider a policy that only checks that the forged instance was not queried
to the zero-knowledge simulator, thus obtaining a weaker flavor of classical sim-
ulation extractability. Clearly, the more permissive the policy the stronger the
security provided.
In our work, we also consider policies that constrain the behavior of the zero-
knowledge simulator. For example, we could consider the policy that checks that
the queried instances belong to the relation, thus obtaining a notion similar to
true-simulation extractability (see Dodis et al. [21]). Looking ahead, contrary to
the true-simulation extractability notion in [21], our policy-based version of the
true-simulation extractability rather than disallowing certain queries, punishes
the adversary at extraction time. It is not hard to see that the two definitional
flavors, namely disallowing illegal queries versus punishing an adversary that
made an illegal query are equivalent in the context of simulation extractability,
because the adversary’s goal is computational9 .
Extraction policies. We define an extraction policy as a tuple Φ = (Φ0 , Φ1 )
of PPT algorithms. This is used to define Φ-simulation extractability as fol-
lows. The security experiment starts by running the extraction policy algorithm
Φ0 , which generates public information ppΦ . The public information may con-
tain, for example, random values that define the constraints later checked by
9
Observe that for decisional tasks disallowing and punishing flavors can result in
different security notions, see Bellare, Hofheinz and Kiltz [5].

11
Φ1 . Therefore, we feed ppΦ to the adversary. In the case of commit-and-prove
proof systems, the public information may contain commitments for which the
adversary does not know openings (but on which it can still query simulated
proofs).
After receiving a forgery from the adversary, the security experiment runs
the extraction policy Φ1 . The policy Φ1 is as a predicate and takes as input:

1. The public parameter ppΦ .

2. The forged instance and proof (x, π).
3. The view of the experiment, denoted view. Such a view contains the public
parameters, the set of simulated instances and proofs Qsim , and the set QRO
of queries and answers to the random oracle. Even if the given NIZK is not
in the random oracle (namely neither the prover nor the verifier algorithms
make random oracle queries) it still makes sense to assume the existence
of the set QRO . This is useful to model security for NIZK protocols that
eventually are used as sub-protocols in ROM-based protocols (as Universal
zkSNARKs based on Polynomial Commitments, see 5).
4. Auxiliary information auxΦ which might come along with the forged instance.
We use auxΦ to provide the adversary an interface with the policy10 .

Definition 12 (Simulation extractability). Let Π be a NIZK for a relation

R with a simulator S whose wrappers are S1 , S2 , as defined in Definition 9.
Consider the experiment in Fig. 1. Π is Φ-simulation-extractable (or simply Φ-
SE) if for every PPT adversary A there exists an efficient extractor E such that
the following advantage is negligible in the security parameter:
h i
AdvΦ-se
Π,A,S,E (λ) := Pr Exp Φ-se
Π,A,S,E (λ) = 1

Below, we give a definition that explicitly considers the sub-class of PPT al-
gebraic adversaries. To fit algebraic adversaries into our definitional framework
we let the algebraic adversaries return the representation vectors (1) for any
query to the oracles S1 and S2 into the auxiliary information aux provided to
the oracles and (2) for the forgery into the auxiliary information auxE .

Definition 13 (Simulation extractability in the AGM). Let Π be a NIZK

for a relation R with a simulator S whose wrappers are S1 , S2 , as defined in
Definition 9. Consider the experiment in Fig. 1. Π is Φ-simulation-extractable
(or simply Φ-SE) if there exists an efficient extractor E such that for every PPT
algebraic adversary A the advantage AdvΦ-seΠ,A,S,E (λ) (as defined in Definition 12)
is negligible in the security parameter.

10
For example, looking ahead, in the policy in Section 6.2 the adversary that forges
a “loose” proof of opening for a commitment, additionally provides a certificate
(different than the proof itself) that the commitment is indeed extractable. In this
case, we require the extractor only to work for those commitments that come along
with valid certificates.

12
 ExpΦ-se
A,S,E (λ) S1 (x, aux) :
ppG ←$ GroupGen(1 ) λ π, stS ← S(1, stS , x, aux)
(srs, stS ) ← S0 (ppG ) Qsim ← Qsim ∪ {(x, aux, π)}
ppΦ ←$ Φ0 (ppG ) return π
S1 ,S2
(x, π, auxE , auxΦ ) ← A (srs, ppΦ )
S2 (s, aux) :
w ← E(srs, x, π, auxE )
if ̸ ∃aux, a : (s, aux, a) ∈ QRO :
view ← (srs, ppΦ , Qsim , QRO , Qaux )
S2
a, stS ← S(2, stS , s, aux)
if Φ1 ((x, π), view, auxΦ ) ∧ Verify (srs, x, π)
QRO ← QRO ∪ {(s, aux, a)}
∧ (pp, x, w) ∈
/ R then return 1
return a
else return 0

Fig. 1. The Φ-simulation extractability experiments in ROM. The extraction policy Φ takes as input
the public view of the adversary view (namely, all the inputs received and all the queries and answers to
its oracles). The set Qsim is the set of queries and answers to the simulation oracle. The set QRO is the
set of queries and answers to the random oracle. The set Qaux is the set of all the auxiliary information
sent by the adversary (depending on the policy, this set might be empty or not). The wrappers S1 and
S2 deal respectively with the simulation queries and the random oracle queries of A in the experiment.

4 Simulation extractability of KZG in AGM

We recap the polynomial commitment scheme of Kate, Zaverucha and Goldberg

[38] (KZG, shortly), highlighting in blue the parts related to hiding. KZG is a
Polynomial Commitment scheme (see Definition 3) defined over bilinear groups
G = (G1 , G2 , GT , e) as follows:

KGen(1λ , d) on input the security λ

 j  parameter 1 j, and a maximum degree bound
d ∈ N, outputs ck := (( s 1 )j∈[0,d] , ( αs 1 )j∈[0,d] , [1, s]2 ), for a random
secret s, α ←$ Fq .
Com(ck, f (X), r(X)) on input ck, a polynomial f (X), and a masking polynomial
r(X), outputs a commitment c := [f (s) + αr(s)]1 .
VerCom(ck, c, f (X)) outputs 1 if c = [f (s) + αr(s)]1 .

The above scheme is (standard) binding under the d-DL assumption (see Groth
[33]), in fact, given two polynomials f and f ′ that evaluate to the same value on
the secret point s, we can find s among the roots of the (non-zero) polynomial
f − f ′.

4.1 CP-SNARK for polynomial evaluation in AGM

We consider a CP-SNARK CPevl for the relation Revl ((x, y), f ) := f (x) = y,
where f is committed as [f (s)+αr(s)]1 . The scheme constructed in this section
requires one G1 element to commit to f (X), one G1 and one Fq element for
the evaluation proof, and checking this proof of evaluation requires two pairings.
This is taken from [17] but adapted to AGM only.

13
    
KGenevl : parse ck as (( sj 1 )j∈[0,d] , ( αsj 1 )j∈[0,d] , [1, s]2 ) and define ek := ck
and vk := [1, s]2 , and return srs := (ek, vk).
Proveevl (ek, x = (c, x, y), w = (f , r)): compute the polynomial π(X) such that
π(X)(X−x) ≡ f (X)−y, and the polynomial π ′ (X) such that π ′ (X)(X−x) ≡
r(X) − r(x) and y ′ := r(x), and output π := ( [π(s)+απ ′ (s)]1 , y ′ ) .
Verifyevl (vk, x = (c, x, y), (π, y ′ )): output 1 iff e(c−[y]1 − [αy ′ ]1 , [1]2 ) = e(π, [s − x]2 ).

The above CP-SNARK is knowledge extractable in the AGM [20]. The original
work of [38] proves a weaker notion of security, called evaluation binding, which
states that an adversary cannot find two distinct instances (with relative valid
proofs) of the form x = (c, x, y) and x′ = (c, x, y ′ ). The CP-SNARK supports
a bounded (by deg(r)) number of evaluation proofs for a given commitment.
One may argue that giving more than deg(f ) evaluations of a polynomial f
on distinct points should reveal the polynomial and, thus, the zero-knowledge
property would not be needed. However, there are applications in which we
could give more than deg(f ) evaluation proofs concerning f without necessarily
revealing the evaluation values: e.g., this is achieved when we only show the
evaluations of linear combinations of multiple committed polynomials to known
constants. Since the technique of [38] would leak information on the random
masking polynomials and would therefore be usable only a limited number of
times, one may use the “full-fledged” CP-SNARK of Lunar [17] for proving an
unbounded number of evaluations of committed polynomials in zero-knowledge,
at the cost of two additional pairings at verification time.
The scheme that we describe above is zero-knowledge for non-hiding commit-
ments and leaky zero-knowledge (Definition 11) for hiding commitments. For the
latters, given a commitment c = [f (s) + αr(s)]1 , a proof for x = (c, x, y) leaks
y ′ = r(x). Thus, we prove that CPevl achieves F -leaky zero-knowledge where
F (x = (c, x, y), w = (f, r)) := r(x).
We define the simulator S = (S0 , S1 ), where S0 outputs the trapdoor infor-
mation s, α together with the srs, and S1 simulates proofs for x = (c, x, y) and
leakage y ′ outputting π = ((c − [y]1 − [αy ′ ]1 )(s − x)−1 , y ′ ).

Remark 1. Consider an attacker that receives a single simulated commitment c

and queries the ZK-simulator twice on the same evaluation point xj with two
different evaluation values y1 and y2 . These two queries form a linear system
without solutions because we have only one variable but two linearly independent
equations. These simulation queries lead to the two malleability attacks on KZG
that we describe below. For sake of simplicity, we show the attacks in the non-
hiding setting.
(Arbitrary Evaluation Point.) Let w1 , w2 and c be such that π1 = [w1 ]1 , π2 =
[w2 ]1 and c∗ = [c]1 we observe that:

(w1 − w2 )(s − xj ) = y2 − y1 . (1)

For an arbitrary point x∗ ̸= xj , the adversary sets c∗ ← (π2 − π1 ), π ∗ ←

π1 −π2 ∗ y1 −y2 ∗ ∗ ∗ ∗
x∗ −xj and y ← x∗ −xj . The tuple (c , x , y , π ) is a valid forgery. Let

14
 [w∗ ]1 = π ∗ and [c∗ ]1 = c∗ ,

w1 − w2 w2 − w1 ∗ w1 − w2
w∗ (s − x∗ ) = ∗
(s − x∗ ) = ∗ (x − xj ) + ∗ (s − xj )
x − xj x − xj x − xj
y1 − y2
= w2 − w1 − ∗ = c∗ − y ∗ .
x − xj

The second equation comes directly from the definition of the elements in-
volved, and the third equation follows because of Eq. (1).
(Same Evaluation Point.) For x∗ = xj , instead, by the homomorphic prop-
erty of KZG we have ((α + β)c∗ , xj , αy1 + βy2 ) is a valid forgery; we can
forge a proof for c∗ by setting, for example, α = 2 and β = −1.

The attacks described in Remark 1 can be mounted because of the relation

between two simulation queries obtained and it can be generalized under the no-
tion of attacks that violate the “Algebraic Consistency”, as we explain hereafter.
Since here and in the next sections we focus on CP-SNARKs in which, given a
proof π for a statement x, and a view view, it is possible to derive a linear system
of polynomial equations {pi (xj ) = yi,j }i,j , we introduce the following definition
to make the policies easier to describe.

Definition 14 (Algebraic Consistency). A view view (that might contain

a set of simulated instances and proofs for CP) satisfies the algebraic consistency
for a CP-SNARK CP if it is possible to derive (in a way that depends on CP) a
linear system of polynomial equations that admits a solution.

The extraction policy. We define Φs-adpt evl = {ΦD }D as the family (indexed by
a sampler D) of semi-adaptive extraction policies for KZG commitment scheme.
Indeed, as we show below, the evaluation points xj for the instances for which
the adversary can see simulated proofs are selectively chosen independently of
the commitment key, while the evaluation values y can be adaptively chosen
by the adversary. Each policy ΦD is a tuple of the form (ΦD 0 , Φ1 ), as defined in
Section 3.1, where ΦD 0 outputs the parameters ppΦ while Φ1 outputs a virdict
bit. In particular, ΦD
0 on input group parameters pp G outputs ppΦ := (coms, Qx ),
where coms is a vector of commitments sampled from D, and Qx is a set of Qx
evaluation points.
For sake of clarity, we define the policy Φ1 as the logical conjunction of a
“simulator” policy Φsim and an “extractor” policy Φext , i.e. Φ1 = Φsim ∧ Φext , the
first defines rules under which we can classify a simulation query legal, while
the second defines rules under which the extractor must be able to extract a
meaningful witness. We highlight the parts needed only for the hiding setting.

Definition 15. Let Φsim be the policy that returns 1 if and only if:

1. Points check: let (xi , auxi , πi )i be all the entries of Qsim . Recall that an
instance x can be parsed as (c, x, y). Check that ∀i : xi .x ∈ Qx .

15
2. Commitment Check: For any i ∈ [Qsim ], parse auxi as the leakage value yi′
and the representation vectors for xi .c and πi ; in particular, let ri = f i ∥vi ∥ci
be the algebraic representation of the commitment xi .c. For any i check that
⟨f i ∥vi , ek⟩ + ⟨ci , coms⟩ = xi .c (namely, that the commitment in the instance
xi is computed as a linear combination of the simulated commitments and
the elements of G1 of the SRS);
3. Algebraic Consistency: The simulation queries satisfy the algebraic con-
sistency for CPevl . Namely, let Ij = {i : xi .x = xj } and let Rj = (ci )i∈Ij .
Check that for all j: (i) the system of linear equations Rj z = yj has at least a
solution, where z are the variables and yj = (xi .y − ⟨f i , (1, xj , . . . , xdj )⟩)i∈Ij ,
and (ii) the system of linear equations Rj z′ = y′j has at least a solution,
where z′ are the variables and y′j = (yi′ − ⟨vi , (1, xj , . . . , xdj )⟩)i∈Ij .
For the sake of concreteness, we explicitly define the algebraic consistency check
in the previous definition. Notice the matrix Rj defines linear constraints that
must hold for each of the polynomials for which the adversary asks evaluations.
In the case of hiding commitments, some of the constraints are obtained by
parsing adequately the inputs of the adversary to the simulation oracle.
Next, we define the policy Φext as the logical disjunction of two policies.
First, we define some notation, let gc : G1 × {0, 1}∗ → {0, 1} be a function
that on inputs a group element c and a string s, that can be parsed as a list of
group elements ci followed by a second string s̃, outputs 1 iff ∃i : c = ci .
Definition 16. Let Φext , Φrnd der
ext and Φext be predicates that parse the forgery in-
∗ ∗ ∗ ∗
stance x = (c , x , y ).
– Φrnd
ext returns 1 if and only if there exist a query (s, aux, a) to the random ora-
cle and aux contains a non-constant polynomial h(X) such that the following
conditions are satisfied:
1. Hashing check: (s, aux, a) ∈ QRO , note that QRO is contained in view,
2. Decoding check: gc (c∗ , s) = 1.
3. Polynomial check: gh (h, aux) = 1, where gh : F[X] × {0, 1}∗ → {0, 1}
is a function that on input a polynomial h(X) and a string aux outputs
1 iff h(X) is encoded in aux.
4. Computation check: h(a) = x∗ .
∗ ∗ ′ ′ ∗ ∗
– Φder
ext returns 1 iff ∃(x, ·, π) ∈ Qsim s.t. x := (c , x , y ) and (y , π) ̸= (y , π ).
– Φext returns logical disjunction of Φrnd
ext and Φder
ext .
In the following theorem, we focus on the non-hiding version of KZG, we
show in Section 4.2 how to handle the hiding setting.
Theorem 1. For any witness sampleable distribution D that is D-Aff-MDH-
secure (see Definition 5), any bilinear-group generator GroupGen that samples
the generator of the group G1 uniformly at random, ∀ΦD ∈ Φs-adpt
evl , the non-
hiding KZG CPevl is ΦD -simulation-extractable in the AGM. In particular, there
exists E such that for any algebraic adversary A:
D -se
AdvΦ
CPevl ,A,S,E (λ) ≤ O(ϵ(Qx +d+1)-DL (λ)) + O(ϵAff-MDH (λ)) + poly(λ)ϵh

16
where d is the maximum degree supported by CPevl , ϵ(Qx +d+1)-DL (λ) is the max-
imum advantage for any algebraic PT adversary against the (Qx + d + 1)-strong
Discrete-Log Assumption, ϵAff-MDH (λ) is the maximum advantage for any al-
gebraic PT adversary against the D-Aff-MDH Assumption, h is the polynomial
that satisfies the Polynomial check of ΦD , and ϵh = deg(h)
q .
Before giving the proof of Theorem 1, we recall that when D is the dis-
tribution Uℓ that outputs ℓ uniformly random group elements of G1 we could
reduce the Dℓ -Aff-MDH Assumption to the Discrete Log (see Lemma 2). Hence
we can state the following corollary, whose proof follows from the fact that
ϵDL ≤ ϵd-DL , ∀d ≥ 1.

Corollary 1. For any algebraic adversary A, for any ℓ ∈ N, and for any dis-
tribution Uℓ that outputs ℓ uniformly random group elements:
ΦU -se
,A,S,E (λ) ≤ O(ℓϵ(Qx +d+1)-DL (λ)) + poly(λ)ϵh .
ℓ
AdvCPevl

Proof intuition of Theorem 1. The proof of this theorem is rather technical.

We provide here an overview to help the reader get the rationale behind our
strategy. The first steps of the proof show an alternative way to simulate proofs:
we give a semi-adaptive zero-knowledge simulator for KZG. This step allows one
to move from a simulator whose trapdoor is a “secret exponent” s to a simulator
whose trapdoor is a ‘tower’ of G1 -elements si 1 . The simulated SRS seen by the
 
adversary includes only high-degree polynomials of the form p(s)si 1 , while the
 i
simulator keeps the low-degree monomials s 1 for simulation. Here, p is a poly-
nomial that vanishes in all the points to be asked in the simulation queries (this
is reminiscent of the reduction technique for Boneh-Boyen signatures [11]). Since
we program the SRS based on the queries our simulator is only semi-adaptive.
This first change essentially simplifies the objects involved in our analysis, from
rational polynomials (with the formal variable being the trapdoor) to standard
polynomials.
Next, we need to show that the adversary cannot mix the simulated com-
mitments and the forgery material. In particular, we need to show that the
forged proof is not derived as a linear combination involving simulated com-
mitments. To show this, we use the fact that the degree of the proof must be
smaller than the degrees of simulated commitments, otherwise we could break
the d-DL assumption in the AGM. This intuitively comes from the fact that
the verification equation lifts the degree of the polynomial in the forged proof
(as it is multiplied by (X − x∗ )). Similarly, we need to show that the forged
instance cannot use a linear combination that involves the simulated commit-
ments. For this, we use the Aff-MDH assumption to handle multiple evaluation
proofs on different simulated commitments on the same evaluation point. In
particular, we reduce the view of many simulated proofs over many  commit-

ments and many evaluation points to a view that only contains p(s)si 1 and
(non-rational) polynomials [p(s)/(s − xj )]1 . At this point, the attacker could
still perform the attack if it could decide the evaluation point x∗ arbitrarily:

17
(i) the adversary asks a simulation proof π for x = (c, x, y), and (ii) produces
the forgery x∗ = (c + απ, x − α, y, π), for any α ∈ Zq . It is easy to check that
the forgery satisfies the verification equation. Though, for this attack to work
the attacker needs to set the commitment in the forged instance as a function
of x∗ = x − α. The last part of our analysis shows that, indeed, the algebraic
representation of the commitment in the forgery cannot depend on x∗ and that
this attack cannot be mounted when x∗ is chosen after the commitment with
sufficient randomness.
Proof (of Theorem 1). We stress that A is algebraic (cf. Definition 1), there-
fore for each group element output it additionally attaches a representation r
of such a group element with respect to all the elements seen during the ex-
periment (included elements in coms). In particular, we assume that for each
query (x, aux) to the oracle S1 we can parse the value aux as (r, aux′ ) and r
is a valid representation for x.c. Similarly, for the queries (s, aux) to S2 , aux
includes a valid representation for all the group elements gi encoded in s, i.e.
such that gc (gi , s) = 1. Together with its forgery, the algebraic adversary en-
codes a polynomial h(X) in auxϕ , and stores in auxE two representation vectors
rc∗ and rπ∗ for the two group elements c∗ and π ∗ . We can parse the vectors
rτ := f τ ∥cτ ∥oτ for τ ∈ {c∗ , π ∗ } where f τ is the vector of coefficients associated
to group elements ek, cτ is the vector of coefficients associated to group elements
coms = ([ci ]1 )i∈[Qc ] , and oτ is the vector of coefficients associated to the group
elements of the simulated proofs proofs. Namely, we have:
c∗ = ⟨f c∗ , ek⟩ + ⟨cc∗ , coms⟩ + ⟨oc∗ , proofs⟩ (2)
∗
π = ⟨f π∗ , ek⟩ + ⟨cπ∗ , coms⟩ + ⟨oπ∗ , proofs⟩ (3)
We can assume w.l.g. that all the simulation queries and the forgery of the adver-
sary A agree with the policy ΦD , as otherwise the adversary would automatically
lose the experiment. We assume that f i,j = 0, ∀i, j, i.e., the adversary asks sim-
ulation queries on commitments that are a linear combination of coms only:
this is also w.l.g. as we briefly show below. Given a commitement ci,j = xi,j .c,
whose representation is ri,j = f i,j ∥ci,j , the adversary could compute a proof
πi,j for the point xj and the evaluation value y as follows: (i) let y ′ = fi,j (xj ),
A computes an “honest” proof π ′ for c′ = (Com(ek, fi,j (X)), xj , y ′ ), (ii) asks
the simulation oracle to provide a proof π̃ for the instance (c − c′ , xj , y − y ′ )
with representation 0∥ci,j and (iii) recombines the proof πi,j = π ′ + π̃. We de-
fine our extractor to be the canonical extractor that returns the polynomial
f (X) ← ⟨f c∗ , (1, X, . . . , X d )⟩.
We start by proving that for any algebraic adversary A whose forgery satisfies
the predicate Φderext , there exists an algebraic adversary B whose forgery satisfies
the predicate Φrnd ′ s-adpt
ext . Let {ΦD }D be the family of policies defined exactly as Φevl
rnd
with the difference that the extracion policy Φext is equal to Φext (i.e., there is
no logical disjunction with Φder ext ).
Lemma 3. For any algebraic adversary A there exists an algebraic adversary
B such that:
D -se Φ′D -se
AdvΦ CPevl ,A,S,E (λ) = AdvCPevl ,B,S,E (λ)

18
Proof. First, we notice that once we fix a commitment c, a point x, and a value y,
there is a unique proof π that can satisfy the KZG verification equation. Thus,
the predicate Φder ext can be simplified as requiring that an adversary outputs a
∗
valid proof π ∗ and a value y ∗ such that ∃(([c]1 , x∗ , y ′ ), ·, π) ∈ Qsim and y ∗ ̸= y ′ .
The reduction B internally runs A forwarding all the simulation queries,
up to the forgery (x∗ , π ∗ ), where x∗ = (c∗ , x∗ , y ∗ ). If the simulation queries
and/or the forgery of the adversary A do not agree with the policy ΦD , i.e.
A automatically loses its game, B aborts. Otherwise, it must be true that the
forgery of A either (i) satisfies the extraction predicate Φrnd ext or (ii) satisfies the
extraction predicate Φder ext . Both cases can be efficiently checked by B. In case (i)
B would simply forward the forgery of A retaining the same advantage of A.
Otherwise, before submitting the forgery, B retrieves from Qsim the statement
x := (c∗ , x∗ , y ′ ), where y ′ ̸= y ∗ , and the corresponding proof π output by S1 .
Then B produces the forgery:
π − π∗ y − y∗
ĉ ← π ∗ − π, x̂ ← h(a), π̂ ← , ŷ ←
x̂ − x∗ x̂ − x∗
which satisfies the verification equation (cf. Remark 1), and the extraction pred-
icate Φrnd
ext when (ĉ, h, a) ∈ QRO . ⊔
⊓
Thanks to Lemma 3 we can assume that the forgery of A satisfies the extraction
ΦD -se
predicate Φrnd
ext . We let H0 be the ExpA,S,E (λ) experiment, and we denote by ϵi
the advantage of A to win Hi , i.e. ϵi := Pr[Hi = 1].
Hybrid H1 . Recall that D is witness sampleable, thus according to Definition 4
there exists a PPT algorithm D̃ associated with the sampler D. The hybrid
experiment H1 is identical to the previous one, but the group elements in coms
are “sampled at exponent”, i.e. we use D̃ to generate the field elements γ, and
we let coms ← [γ]1 ; we also add γ to stS . By the witness sampleability of D, H0
and H1 are perfectly indistinguishable, thus ϵ1 = ϵ0 .
Hybrid H2 . In this hybrid, we change the way we generate the SRS srs and the
way in which S1 simulates the proofs.

Let
 (G 1 , G 2 , G
 T , e), [1] 1 , [1]2 ←$ GroupGen(1λ ), sample s ←$ F and com-
D+d
pute s, . . . , s 1
, [1, s]2 , where D ← Qx + 1. Let xr ←$ F, and let p(X) be
the vanishing polynomial in Qx ∪ {xr }, namely:
Y
p(X) := (X − xr ) (X − x).
x∈Qx
−1
Let also pj (X) := p(X)(X − xj ) , for j ∈ [Qx ]. In H2 we have that:
– ppG := ((G1 , G2 , GT , e), [p(s)]
 1 , [1]2 ), 
– srs := (ek,
 vk), where ek
 ← p(s), p(s)s, . . . , p(s)sd 1 and vk ← [1, s]2 ,
– stS := 1, s, . . . , sD+d 1 , [1, s]2 , γ.
Upon a query of the form (x = (c, xj , yk ), aux = (rc , aux′ )) to S1 , the latter
outputs the proof π ← [(⟨rc , γ⟩ − yk ) · pj (s)]1 , and updates Qsim accordingly.
We now show that H1 ≡ H2 , i.e., the view offered to the adversary A is
identically distributed in the two experiments.

19
Lemma 4. ϵ2 = ϵ1 .
Proof. Notice that in H2 we sample from GroupGen the description of the group,
and then we set the generator of G1 to [p(s)]1 which, thanks to the random root
xr , is distributed uniformly at random even given the value s. It is not hard to
verify that the simulated proofs generated by the hybrid H2 pass the verification
equations, in fact, we are assuming that queried commitment c are of the form
⟨rc , coms⟩. Additionally, since the proofs are uniquely determined given the SRS
and the statements, the simulated proofs created in H2 are distributed as the
simulated proofs generated by the simulator S1 in H1 . Thus the advantage of A
is the same in the two experiments. ⊔
⊓
Given an algebraic adversary A we can define a new adversary, Ac , that we
call the core adversary. Whenever the adversary A outputs a group element g it
provides a representation vector rg := f g ∥cg ∥og for g such that:
g = ⟨f g , ek⟩ + ⟨cg , coms⟩ + ⟨og , proofs⟩.
The adversary Ac runs internally A and forwards all the queries and answers
from A to its simulation oracle. However, the way of simulating RO queries must
ensure to not alter the result of the extractor policy, i.e. the “hash-check” for x∗ .
This is why we cannot simply forward the queries of A to the random oracle.
Therefore, we keep track of the queries made by A in the list QRO,A and the list
of queries made by the core adversary in QRO . More in detail, when A queries
the RO with (s, aux), the adversary Ac makes a “core” RO query (sc , auxc ) such
that:
1. Let s be parsed as (gi )i∈[k] (the group elements in s whose representations
rgi := f gi ∥cgi ∥ogi are in aux) and a string s̃. Notice, since the adversary is
algebraic we can un-ambiguously parse s as such.
2. For each i, Ac computes the group elements gi′ = gi − ⟨f gi , ek⟩. Ac encodes
into the string s′ the group elements (gi , gi′ )i∈[k] .
3. Ac queries the RO with (sc , auxc ), where sc := s′ ∥s̃, and auxc contains the
representations of all the group elements in s′ and the same function h
encoded in aux. Finally, it forwards the output to A, i.e. it adds (s, aux, a)
to QRO,A , and adds (s, sc ) to (the initially empty) Qs .
Eventually, the adversary A outputs as forgery a string s and the tuple (c′ , x′ , y ′ , π ′ ),
together with representation vectors rc′ and rπ′ . Let f (X) := ⟨f c′ , (1, X, . . . , X d )⟩,
y := f (x′ ), and q(X) be such that q(X)(X − x′ ) = f (X) − y. Let f q be the vector
of the coefficients of q(X), namely q(X) := ⟨f q , (1, X, . . . , X d )⟩. The core adver-
sary Ac returns for its forgery the string sc such that (s, sc ) ∈ Qs , and the tuple
(c∗ , x′ , y ∗ , π ∗ ), where y ∗ ← y ′ − f (x′ ) and:
c∗ ← c′ − [f (s)p(s)]1 , π ∗ ← π ′ − [q(s)p(s)]1
| {z } | {z }
Com(ck,f (X)) Com(ck,q(X))

inserting into auxΦ the (correct) algebraic representations (0∥cc′ ∥oc′ ) for c∗ and
((f π′ − f q )∥cπ′ ∥oπ′ ) for π ∗ .

20
Hybrid H3 . This hybrid is exactly the same of H2 but instead of running the
experiment with the adversary A we run it with the core adversary Ac .
Lemma 5. ϵ3 = ϵ2 .
Proof. First, by construction, it is easy to verify that Ac is algebraic. Thus we
need to show that the forgery of A is valid if and only if the forgery of Ac is
valid. By construction, we have:

c∗ := c′ − [f (s)p(s)]1 , π ∗ := π ′ − [q(s)p(s)]1 , y ∗ := y ′ − f (x∗ ).

By the verification equation of the forgery of Ac we have:

e(c∗ − [y ∗ ]1 , [1]2 ) − e(π ∗ , [s − x∗ ]2 ) =

e(c′ − [f (s)p(s)]1 − [y ′ − f (x′ )]1 , [1]2 ) − e(π ′ − [q(s)p(s)]1 , [s − x∗ ]2 ) =
e(c′ − [y ′ ]1 , [1]2 ) − e(π ′ , [s − x′ ]2 ) − [f (s)p(s) − f (x′ ) − q(s)p(s)(s − x∗ )]T =
e(c′ − [y ′ ]1 , [1]2 ) − e(π ′ , [s − x′ ]2 ),

where the last equation holds since q(X)(X − x′ ) = (f (X) − f (x′ )) and x∗ = x′ .
Finally, notice that a forgery is valid for A if it provides a string s that
satisfies the “hash check” of Φext . We have that there exist s, aux, a, and h(X)
such that: (i) gc (c∗ , s) = 1, (ii) gh (h, aux) = 1, (iii) (s, aux, a) ∈ QRO,A , and (iv)
x∗ = h(a) for the forgery of A.
The way Ac simulates the RO queries ensures that for the query s of A to the
RO, the core adversary sent the “core” RO query sc that encodes both c′ and c∗ ,
thus we have that (i) gc (c∗ , sc ) = 1, (ii) gh (h, auxc ) = 1, (iii) (sc , auxc , a) ∈ QRO ,
and (iiv) x∗ = h(a) for the forgery of Ac .
Notice that if we run the canonical extractor on the outputs of the core
adversary Ac , the extractor sets the extracted witness to be the zero polynomial.
Hybrid H4 . The hybrid H4 additionally checks that f π∗ ̸= 0 ∨ cπ∗ ̸= 0, and if
the condition holds the adversary Ac loses the game.
Lemma 6. ϵ3 ≤ ϵ4 + ϵ(Qx +d+1)-DL
Proof. Recall that from the definition of the experiment, upon a query (x, aux)
from Ac to the simulation oracle of the form x = (c, xj , yk ) and aux = r where
c = ⟨r, coms⟩, the adversary receives the proof [πr,j,k (s)]1 where:

πr,j,k (X) := (⟨r, (γi )i ⟩ − yk )pj (X).

Consider the following polynomials:

X X
c∗ (X) := cc∗ ,i · γi p(X) + oc∗ ,r,j,k · πr,j,k (X)
i∈[Qc ] r,j,k
X X X
∗
π (X) := cπ∗ ,i · γi p(X) + oπ∗ ,r,j,k · πr,j,k (X) + fπ∗ ,i X i−1 p(X)
i∈[Qc ] r,j,k i∈[d+1]

v(X) := c (X) − y p(X) − (X − x∗ )π ∗ (X)

∗ ∗

21
By the guarantees of the AGM, we have c∗ = [c∗ (s)]1 and π ∗ = [π ∗ (s)]1 , more-
over, if the verification equation is satisfied by the forgery of Ac , then v(s) = 0.
Next, we show that when the forgery of the adversary is valid the probability
of f π∗ ̸= 0 or cπ∗ ̸= 0 is bounded by ϵ(Qx +d+1)-DL .
First, notice that if the verification equation for Ac holds then polynomial
v(X) must be equivalent to the zero polynomial with overwhelming probability.
In fact, v(s) = 0 when the verification equation holds; if v(X) is not the zero
polynomial then, by Lemma 1, we can reduce Ac to an adversary to the (Qx +
d + 1)-DL assumption. Thus:

c∗ (X) − y ∗ p(X) − (X − x∗ )π ∗ (X) = v(X) = 0. (4)

By the guarantees of the AGM, the polynomial π ∗ (X) is a linear combination

of elements that depend on X i−1 p(X) for i ∈ [d + 1] and pj (X) for j ∈ [Qx ].
However, when the verification equation holds, the degree of π ∗ (X) must be
strictly less than the degree of p(X), because, by Eq. (4), v(X) would contain a
non-zero coefficient of degree Qx +d+1 which in particular implies that v(X) ̸≡ 0.
Then it must be the case that the forged proof π ∗ (s) is a linear combination of
the simulated proofs only, thus both f π∗ and cπ∗ are null. ⊔
⊓

The representation of c∗ and π ∗ computed by the adversary (possibly) depends

on the elements πr,j,k (i.e. the proof for the linear combination r of the elements
of coms with evaluation point xj and evaluation value yk ) of proofs. However, it is
much more convenient to give a representation that depends on the polynomials
pj (X). This motivates the definition of our next hybrid.
Hybrid H5 . The hybrid H5 finds coefficients o′′τ , for τ ∈ {c∗ , π ∗ } such that:

⟨oτ , proofs⟩ = ⟨o′′τ , ([pj (s)]1 )j ⟩. (5)

Moreover, if oc∗ ̸= 0 but o′′c∗ = 0 the adversary loses the game.

Lemma 7. ϵ4 ≤ ϵ5 + ϵAff-MDH

Proof. We begin by showing that the hybrid can compute such alternative rep-
resentations efficiently. We proceed in steps.
Let us parse the simulated proofs proofs := (πj,ℓ )j,ℓ such that πj,ℓ is the ℓ-
th simulated proof obtained by S1 on a query involving the j-th point xj , i.e.,
((xj , ĉj,ℓ , yj,ℓ ), auxj,ℓ ). Also, let cj,ℓ be the algebraic representation for the group
element ĉj,ℓ in auxj,ℓ . For every j ∈ [Qx ], we define Rj as the Qc × Qc matrix
whose ℓ-th column is cj,ℓ .
By construction of S1 in this hybrid we have that for every j ∈ [Qx ] it holds

πj,ℓ := (c⊤
 
j,ℓ · γ − yj,ℓ ) pj (s) 1
h i
and thus π j := (R⊤j γ − yj )pj (s) with yj := (yj,ℓ )ℓ .
1
Without loss of generality, we assume that for each xj the adversary makes
the maximum number of simulation queries (i.e., ℓ ∈ [Qc ]); therefore Rj is a

22
full rank matrix (this follows from the fact that the simulation queries of the
adversary satisfy the policy Φsim , and in particular the algebraic consistency of
the policy, see Item 3).
Given any vector oτ with τ ∈ {c∗ , π ∗ }, its m-th entry oτ,m corresponds to
the m-th simulated proof in proofs. Therefore, similarly to above, we denote by
oτ,j,ℓ the entry corresponding to proof πj,ℓ and we define oτ,j := (oτ,j,ℓ )ℓ .
Then, for every j ∈ [Qx ] we define

o′τ,j ← Rj · oτ,j (6)

π ′j ← (R⊤
j )
−1
· πj (7)

from which we derive that for any j:

X X
⟨o′τ,j , π ′j ⟩ = ⟨Rj · oτ,j , (R⊤
j )
−1
· πj ⟩
j j
X
⊤ ⊤ −1
= o⊤
τ,j R j (R j ) · πj
j
X
= ⟨oτ,j , π j ⟩
j

which is equal to ⟨oτ , proofs⟩, up to a permutation of the indices j.

For all j ∈ [Qx ] let zj := (R⊤j )
−1
· yj , and note that

π ′j = [(γ − zj )pj (s)]1 ,

′
namely πj,i is a valid proof for the instance (ci , xj , zj,i ) w.r.t. the simulated SRS.
The hybrid H5 computes o′′τ,j ← ⟨o′τ,j , (γ − zj )⟩, and o′′τ ← (o′′τ,j )j∈[Qx ] . By
construction:
X X
⟨o′τ,j , π ′j ⟩ = o′′τ,j · [pj (s)]1 .
j∈[Qx ] j∈[Qx ]

which proves the first part of the lemma, i.e., computing o′′τ,j satisfying Eq. (5).
In what follows, we prove that if the event that H5 outputs 0 but H4 would
output 1, namely that all the conditions of H4 hold but oc∗ ̸= 0 ∧ o′′c∗ = 0, then
we can break the Aff-MDH assumption.
First, notice that for any j oc∗ ,j ̸= 0 implies that o′c∗ ,j ̸= 0, because the linear
transformation applied to compute o′c∗ ,j is full rank. Second, take an index j ∗
such that oc∗ ,j ∗ ̸= 0 and set A ← o′c∗ ,j ∗ and ζ ← ⟨zj ∗ , o′c∗ ,j ∗ ⟩.
By the above definition of the values o′′c∗ ,j ∗ and our assumption that the “bad
event” of this hybrid is o′′c∗ = 0, we have that:
⟨A, [γ]1 ⟩ = [⟨o′c∗ ,j ∗ , (γ − zj ∗ )⟩]1 + [⟨o′c∗ ,j ∗ , zj ∗ ⟩]1 = [ζ]1 .
| {z } | {z }
o′′
c∗ ,j ∗
=0 ζ

The reduction B to the D-Aff-MDH Assumption takes as input a distribution [γ]1

and runs the experiment as in H4 (it perfectly emulates H4 , and in particular

23
the simulation oracle, because it knows the trapdoor s “at the exponent”). Then
B computes the coefficients (Ai )i∈[Qc ] and the value ζ as described above, which
is a valid D-Aff-MDH solution. ⊔
⊓

Hybrid H6 . The hybrid H6 additionally checks that rc∗ ̸= 0, and if the condi-
tion holds the adversary Ac loses the game.
Lemma 8. ϵ5 ≤ ϵ6 + ϵAff-MDH + 2ϵ(Qx +1+d)-DL + poly(λ) deg(h)
q

Proof. We bound the probability that the adversary loses in H6 but not in H5 ,
namely, the probability that r∗c ̸= 0 but the conditions of H5 hold, we show a
reduction B to the Aff-MDH when this event happens.
First of all, we can assume that the core adversary outputs coefficients f c∗ =
f π∗ = cπ∗ = 0, i.e. the adversary only makes use of previous commitments
ci ∈ coms and simulated proofs πr,j,k ∈ proofs to represent c∗ , and only uses the
simulated proofs to represent the proof π ∗ .
The reduction B takes as input a distribution [γ]1 and runs the experiment
as in H5 . B aborts if the forgery (c∗ , x∗ , y ∗ , π ∗ ) returned by the adversary is
not valid (i.e. either the extraction predicate or the verification equation is not
satisfied) or rc∗ = 0. Otherwise, we have that:
e(c∗ − [p(s)y ∗ ]1 , [1]2 ) = e(π ∗ , [s − x∗ ]2 ) and rc∗ ̸= 0
where rc∗ ̸= 0 if oc∗ ̸= 0 ∨ cc∗ ̸= 0.
We can then rewrite the commitment and the proof of forgery of the core
adversary as a function of the coefficients o′′c∗ and o′′π∗ (as computed in the H5 ):
X X X
c∗ := cc∗ ,i [γi p(s)]1 + o′′c∗ ,j [pj (s)]1 , π ∗ := o′′w∗ ,j [pj (s)]1
i∈[Qc ] j∈[Qx ] j∈[Qx ]

Since the verification equation is satisfied, and plugging in the AGM represen-
tations we have:
X X X
cc∗ ,i γi p(s) + o′′c∗ ,j pj (s) − p(s)y ∗ = o′′π∗ ,j pj (s)(s − x∗ ) (8)
i∈[Qc ] j∈[Qx ] j∈[Qx ]

For all j ∈ [Qx ], we define δj := xj − x∗ . We can rewrite the r.h.s. of Eq. (8) as:
X X
o′′π∗ ,j pj (s)(s − x∗ ) = o′′π∗ ,j pj (s)((s − xj ) + δj ))
j∈[Qx ] j∈[Qx ]
X
= o′′π∗ ,j (p(s) + pj (s)δj )
j∈[Qx ]

In Eq. (8), we group all the terms that depend on p(s) on the left side, and we
move all the terms that depend on pj (s) on the right side, thus obtaining:
 X X  X  
cc∗ ,i γi − o′′w∗ ,j − y ∗ p(s) = o′′w∗ ,j δj − o′′c∗ ,j pj (s) (9)
i∈[Qc ] j∈[Qx ] j∈[Qx ] | {z }
| {z } Bj
A

24
 P
Let f (X) := Ap(X) − j∈[Qx ] Bj pj (X). Notice that because of Eq. (9) we
have f (s) = 0, thus we can assume f (X) ≡ 0, as otherwise we can reduce, by
Lemma
P 1, to the (Qx + d + 1)-DL assumption. It must be the case that both
j∈[Qx ] Bj pj (s) = 0 and A = 0 because the degree of p(X) and of pj (X) for
any j are different. Moreover, the polynomials
P pj (X) are linearly independent,
namely the only linear combination j aj pj (X) = 0 is the trivial one where the
coefficients aj = 011 , thus Bj = 0 for all j. We have that o′′w∗ ,j δj − o′′c∗ ,j = 0, ∀j.
o′′
c∗ ,j
Thus we can rewrite the coefficients o′′π∗ ,j = δj , ∀j. Since A must be 0:
X X o′′
cc∗ ,i γi − c∗ ,j
δj − y ∗ = 0. (10)
i∈[Qc ] j∈[Qx ]

B can plug the definition of the coefficients o′′c∗ ,j in Eq. (10) and derive:
X o′ ∗
c ,i,j (γi −zji )
X
0= cc∗ ,i γi − δj − y∗
i∈[Qc ] i,j
X o′ ∗ X o′ ∗
c ,i,j zji
X X
= cc∗ ,i γi − γi c ,i,j
δj + δj − y∗
i∈[Qc ] i j i,j
X o′ ∗ X o′ ∗
c ,i,j zji
X
= (cc∗ ,i − c ,i,j
δj )γi + δj − y∗ .
i∈[Qc ] j i,j

Above, the second equation follows from the distributive property of the sum,
while in the last step we have grouped the terms depending on γi . In particular,
the last equation shows that B can make a forgery in the Aff-MDH game since it
P o′ ∗ zji P o′ ∗
knows z := y ∗ − i,j c ,i,j
δj and coefficients Ai := cc∗ ,i − j c δj,i,j such that:
X
Ai [γi ]1 = [z]1 .
i∈[Qc ]

For this to be a valid solution in the Aff-MDH game, we need the existence of
at least an index i such that Ai ̸= 0. We show that this occurs with all but
negligible probability, i.e., Pr[∃i ∈ [Qc ] : Ai ̸= 0] ≥ 1 − negl(λ).
To this end, consider an arbitrary µ ∈ [Qc ], then we have Pr[∀i ∈ [Qc ] : Ai =
0] ≤ Pr[Aµ = 0]. Thus, for any µ, we have:

Pr[∃i ∈ [Qc ] : Ai ̸= 0] = 1 − Pr[∀i ∈ [Qc ] : Ai = 0] ≥ 1 − Pr[Aµ = 0].

Below, we argue that Pr[Aµ = 0] is negligible based on the randomness of x∗

which is chosen by the random oracle after defining Aµ , and we make use of the
assumption that rc∗ ̸= 0.
11
P
To see this, ∀xj ∈ Qx we have that a ′ p ′ (xj ) = aj pj (xj ) since pj (xj ) ̸= 0 and
j′ j j
pj ′ (xj ) = 0 for j ̸= j ′ , and aj pj (xj ) = 0 iff aj = 0

25
 P o′c∗ j,µ
We claim that the value Aµ = cc∗, µ − j (x∗,−xj ) can be fixed before the
random oracle query x∗ is made. To this end, we start by showing that that
o′c∗ ,j does not depend on x∗ . Let B(j) ⊆ [Qc ] be the subset of indices of the
simulation queries that involve xj and that occurred before the random oracle
query that returned x∗ . We observe that for every η ∈ B(j) it must be oc∗ ,j,η = 0
since the simulated proof πj,η is not in the view of the adversary. Therefore:
X X
o′c∗ ,j,i = Rj,η,i · oc∗ ,j,η = Rj,η,i · oc∗ ,j,η
η∈[Qc ] η∈B(j)

and observe that all the rows of Rj belonging to B(j) can all be defined before
x∗ is sampled. Hence, we have that Aµ depends on the values cc∗ , x∗ , {xj }j , and
oc∗ ,j which can all be defined before the random oracle query x∗ is made.
Now, we bound Pr[Aµ = 0]. Recall that, since the extractor policy Φext holds
true, we have that x∗ = h(a) and (s, aux, a) ∈ QRO where = gc (c∗ , s) = 1 and
the function h is the polynomial encoded in auxϕ : the adversary may want to
encode up to n ∈ poly(λ) different polynomials hi into auxϕ to maximize its
advantage, and the extractor policy does not impose any restriction on this.
Moreover, by the AGM, since Ac sends a query s (where c∗ is encoded in s)
to the random oracle it also defines coefficients for c∗ before the value a, and
therefore x∗ = h(a), is defined. Also, it is not hard to see that the representation
vector of c∗ defined by Ac when querying the random oracle must be the same
representation vector used for the forgery. As otherwise we would break the
(Qx + d + 1)-DL assumption. Thus the coefficients cc∗ and o′c∗ ,j are defined by
the adversary before seeing the random value x∗ .
Notice that, once the coefficients cc∗ and o′c∗ ,j are fixed, the coefficient Aµ
can be seen as function of x∗ ∈ Zq , i.e. Aµ = Aµ (x∗ ), where:
X o′∗
c ,j,µ
Aµ (X) := cc∗ ,µ + X−xj
j
Q P ′ Q
cc∗ ,µ j (X − xj ) + j (oc∗ ,j,µ j ′ ̸=j (xj − X))
′
= Q .
j X − xj
Q
Notice that Aµ (X)( j (X −xj )) vanishes in at most Qx points in F\Qx and van-
ishes in the set of points Qx . Let R be the set of the roots of such a polynomial,
since ∀i ∈ [n], hi is defined before x∗ is computed, and by union bound:

Pr[∃i : hi (RO(s)) = r] ≤ nQx maxi deg(hi)

X
Pr[∃i : hi (RO(s)) ∈ R] ≤ q
r∈R

for each string s that encodes c∗ , To conclude, we notice that A can submit
at most QRO queries to the RO with strings encoding c∗ , say s1 , . . . sQRO . Thus
the probability that there exist i ∈ [n], j ∈ [QRO ] such that hi (RO(sj )) ∈ R is
bounded by nQRO Qx maxi deg(h
q
i)
. ⊔
⊓

Hybrid H7 . The hybrid H7 additionally checks that y ∗ ̸= 0, and if the condition

holds the adversary Ac loses the game.

26
Lemma 9. ϵ6 ≤ ϵ7 + ϵ(Qx +1+d)-DL + poly(λ) deg(h)
q

Proof. We reduce to the evaluation binding of KZG polynomial commitment

for polynomials of maximum degree Qx + 1 + d, which, in turn, can be reduced
to (Qx + 1 + d)-strong Discrete Log assumption. Let B be the reduction that
upon input ppG , ck = 1, s, . . . , sQx +d+1 1 , [1, s]2 simulates experiment H4 for


the adversary Ac . Eventually, Ac outputs its forgery (c∗ , x∗ , y ∗ , π ∗ ), and B aborts

if y ∗ = 0. The reduction sets f˜(X) ∗ ˜ ∗
 :=−y ∗p(X), sets y := f (x ), and computes
π to be a valid KZG-proof for ( f˜(s) 1 , x , y). The forgery against evaluation
biding of the reduction is set to be (y, π) and (0, π ∗ ) for the commitment f˜(s) 1
 

on the point x∗ .
We need to show that (1) ( f˜(s) 1 , x∗ , 0, π ∗ ) passes the verification equation
 

of KZG commitment where the commitment key is set to ck and that (2) y ̸= 0.
For the first item notice that, by the definition of core adversary, we have that
rc∗ = 0 thus c∗ = 0. Therefore, by the verification equation:
e([0]1 − y ∗ [p(s)]1 , [1]2 ) = e( f˜(s) 1 − 0 [1]1 , [1]2 ) = e(π ∗ , [s]2 − x∗ [1]2 ).
 

For the second item, notice that f˜(x∗ ) = 0 if and only if x∗ is a root of p(X), i.e.
x∗ ∈ Qx or x∗ = xr . Thus, similarly to the previous lemma, by the assumption
on the polynomials hi and by union bound:
Pr[∃i : hi (RO(s)) ∈ Qx ∪ {xr }] ≤ nQRO (Qx + 1) maxi deg(h
q
i)
.
⊔
⊓
Finally, we have that the probability that the adversary wins in H7 is null,
namely ϵ7 = 0. Indeed, the canonical extractor E outputs the 0 polynomial,
moreover because of the condition introduced in H6 , we have c∗ = [0]1 , and
because of the condition introduced in H7 we have y ∗ = 0, thus the witness
extracted is valid for the instance x∗ = (c∗ = [0]1 , x∗ , y ∗ = 0). ⊔
⊓

CP-SNARK for evaluation of multiple polynomials in AGM. We give

in Appendix A a scheme CPm-evl which follows from [26,42] and that allows one
to prove that for all i the polynomial fi committed in ci evaluates to yi on the
s-adpt
point x. We also show how to extend the policy Φsim to the batched setting.

4.2 Simulation extractability of Hiding KZG

We extend the result of Theorem 1 to the case in which the CPevl based on KZG
uses hiding commitments. In particular, we show a reduction to the simulation
extractability of non-hiding KZG for uniform distributions Uℓ of the commit-
ments.
Theorem 2. Let Uℓ be the distribution that outputs ℓ uniformly random group
elements in G1 . ∀ℓ ∈ N, the hiding KZG CPevl (see Section 4) is ΦUℓ -simulation-
extractable in the AGM. In particular, there exists E such that for any algebraic
adversary A:
AdvΦ-se
CPevl ,A,S,E,Uℓ (λ) ≤ O(ℓϵq-DL (λ)) + poly(λ)ϵh (λ).

27
where d is the maximum degree supported by CPevl , ϵ(Qx +d+1)-DL (λ) is the max-
imum advantage for any algebraic PT adversary against the (Qx + d + 1)-strong
Discrete-Log Assumption, ϵAff-MDH (λ) is the maximum advantage for any al-
gebraic PT adversary against the D-Aff-MDH Assumption, h is the polynomial
that satisfies the Polynomial check of ΦD , and ϵh = deg(h)
q .
Proof. We reduce an adversary A for the simulation extractability of Πevl with
hiding commitments to an adversary B for the simulation extractability with
non-hiding commitments and a uniform distribution that generates twice as
many commitments. B receives as input  the description
 of a bilinear group ppG
and an SRS srs := (ek, vk) where ek = 1, s, . . . , sd 1 and vk = [1, s]2 ; B samples
α ←$ Zq and computes ekα ← α, αs, . . . , αsd 1 and forwards to A the SRS srs′ :=
 

((ek, ekα ), vk). Finally, B parses the list of commitments coms as two lists of equal
size (coms1 , coms2 ) and gives A the commitements coms′ = coms1 + αcoms2 .
Every time A comes up with some group element c, attaches a representation
vector rc that we can parse as f c ∥vc ∥cc ∥oc where f c (resp. vc ) is the vector
of coefficients associated to group elements ek (resp. ekα ), cc is the vector of
coefficients associated to group elements coms′ , and oc is the vector of coefficients
associated to the group elements of the simulated proofs proofs′ . The strategy
of B is to forward the simulation queries of A whose representation vectors are
given w.r.t. srs′ , attaching the representation vectors w.r.t. srs.
On input a simulation query of the form x = (c, xj , y) and leakage y ′ , with
rc = f c ∥vc ∥cc as representation vector for c, B invokes the simulation oracle
S1 first on input x1 = (⟨f c + αvc , ek⟩ + ⟨cc ∥0, coms⟩, xj , y) and then on x2 =
(⟨0∥cc , coms⟩, xj , y ′ ), obtaining the two proofs π1 and π2 . Finally returns to A
the proof π := π1 + απ2 which satisfies the verification equation:

e(c − [y]1 − [αy ′ ]1 , [1]2 ) = e(π, [s − xj ]2 )

and adds π to proofs′ . When A makes the forgery (c∗ , x∗ , y ∗ , y ′∗ , π ∗ ), with as-
sociated representation vectors r′τ = f τ ∥vτ ∥cτ ∥oτ , for τ ∈ {c∗ , π}, B forwards
the forgery (c, x∗ , y ∗ + αy ′∗ , π ∗ ). B needs to attach representation vectors for the
group elements c∗ , π ∗ w.r.t. srs, coms and proofs; to do that, B applies the fol-
lowing transformation and computes rτ = f τ + αvτ ∥cτ ∥αcτ ∥(oτ,i ∥αoτ,i )i . This
choice, indeed, is such that:

⟨r′τ , (ek∥ekα ∥coms′ ∥proofs′ )⟩ = ⟨rτ , (ek∥coms∥proofs)⟩

If the forgery of A is valid, so is the forgery of B and, unless with negligible

probability, the canonical extractor E extracts the valid witness f (X) + αv(X).

5 Simulation-Extractable Universal zkSNARKs

We extend the notion of relations to indexed relations [20]. We define a PT
indexed relation R verifying tuple (pp, i, x, w). We say that w is a witness to the
instance x being in the relation defined by the pp and index i when (pp, i, x, w) ∈
R (equivalently, we sometimes write R(pp, i, x, w) = 1).

28
Definition 17 (Universal NIZKs). A universal NIZK for an indexed relation
R is a tuple of algorithms Π = (KGen, Derive, Prove, Verify) where
– Derive is a deterministic algorithm that takes as input an srs (which includes
relation parameters pp) produced by KGen, an index i, and outputs specialized
SRS srsi = (eki , vki ).
– Consider the relation R′ such that R′ (pp, (i, x), w) ⇐⇒ R(pp, i, x, w), the
tuple of algorithms (KGen, Prove, Verify′ ) is a NIZK for the relation R′ and
Verify′ is the algorithm that upon input srs, instance (i, x) and a proof π,
first runs Derive on srs and index i, then runs Verify(vki , x, π).
Moreover, we say Π is a universal SNARK if the length of vki is poly(λ, log |i|),
the proof size is poly(λ, log |w|).

5.1 Polynomial Holographic Interactive Oracle Proofs

Definition 18 (Polynomial Holographic IOP). Let F be a family of finite
fields and let R be an indexed relation. A (public-coin non-adaptive) Polyno-
mial Holographic IOP over F for R is a tuple PIOP = (r, n, m, D, ne , RE, P, V)
where r, n, m, D, ne : {0, 1}∗ → N are polynomial-time computable functions, and
RE, P, V are three algorithms for the encoder, prover and verifier respectively,
that work as follows.
Offline phase: The encoder RE(F, i) is executed on input a field F ∈ F and a
relation description i, and it returns n(0) polynomials {p0,j }j∈[n(0)] encoding
the relation i.
Online phase: The prover P(F, i, x, w) and the verifier V RE(F,i) (F, x) are exe-
cuted for r(|i|) rounds; the prover has a tuple (F, i, x, w) ∈ R and the verifier
has an instance x and oracle access to the polynomials encoding i.
In the i-th round, P sends m(i) messages {πi,j ∈ F}j∈[m(i)] , and n(i) oracle
polynomials {pi,j ∈ F[X]}j∈[n(i)] of degree at most D := D(|i|), while V
replies (except for the last round) with a uniformly random message ρi ∈ F.
Decision phase: After the r := r(|i|)-th round, let ne := ne (|i|), the ver-
ifier V(F, x, ρ), on input the description of the field F, the input x and
all the random messages of the verifier ρ := (ρ1 , . . . , ρr−1 ), outputs tuples
(k) (k)
(G(k) , v1 , . . . , vn )k∈[ne ] which define the following algebraic checks. Let
Pr Pr(|i|)
n := k=0 n(k), let m := k=1 m(k), and denote by (p1 , ..., pn ) all the ora-
cle polynomials (including the n(0) ones from the encoder) and by (π1 , ..., πm )
all the messages sent by the prover. For any k ∈ [ne ] we have G(k) ∈
(k) (k) (k)
F[X, X1 , ..., Xn , Y1 , ..., Ym ] and vj ∈ F[X] Then a tuple (G(k) , v1 , ..., vn )
is satisfied if and only if F (k) (X) ≡ 0 where
(k)
F (k) (X) := G(k) (X, {pi (vi (X))}i∈[n] , {πi }i∈[m] )
The verifier accepts if and only if all the checks are satisfied.
A list L = {(i1 , y1 ), . . . } is (b, C)-bounded where b ∈ Nn and C is a PT algo-
rithm if ∀i ∈ [n] : |{(i, y) : (i, y) ∈ L}| ≤ bi and ∀(i, y) ∈ L : C(i, y) = 1.

29
Definition 19 (b-bounded Zero-Knowledge). A PIOP PIOP is b-Zero-
Knowledge if there exists a checker C such that Pr[C(i, x) = 0] ≤ negl(λ)(|F|)
over random x such that for every index i, and (pp, i, x, w) ∈ R, and every
(b, C)-bounded list L, the following random
variables are
within ϵ statistical dis-
tance: view P(F, i, x, w), V RE(F,i) (F, x) , (pi (y))(i,y)∈L ≈ϵ S(F, i, x, L). where
p1 , . . . , pn are the polynomials returned by the prover P and S is a PPT sim-
ulator. Moreover, PIOP is special honest-verifier b-bounded zero-knowledge if
S first samples uniformly at random the verifier’s messages ρ1 , . . . , ρr−1 and
then computes the full transcript. Namely, S can take as additional input the
verifier’s messages. PIOP is independent leakage if S can be divided in two al-
gorithms (S0 , S1 ) where S0 outputs the simulated transcript, and S1 the leakage.
Namely S(F, i, x, L; r) = S0 (F, i, x; r), S1 (F, i, x, L; r).

Remark 2. Our notion of PIOP is slightly different from that of [17]: first, we
consider a verifier that checks polynomial equations between the oracle polyno-
mials but we do not explicitly check the degree of the polynomials; second, we
let the prover send the first message. This is mainly for simplicity in the pre-
sentation of the compiler since, given a PIOP according to the definition of [17],
we can define a PIOP in our model: P sends an extra (initial) message which is
ignored, and for each poly pi where we check degree di the PIOP additionally
sends p′i (X) = p(X)·X D−di
P i where D is the maximum degree, and V additionally
checks the equation ρ · (X D−di pi (X) − p′i (X)) ≡ 0, for a randomizer ρ.

Definition 20. A PIOP PIOP is (almost) instance-independent verifier queries

if there exists an alternative deterministic PT algorithm Ṽ such for any i and
(j) (j)
x we have (ṽ1 , . . . , ṽn )j∈[ne ] ← Ṽ(F, i) where for any j ∈ [n] and k ∈ [ne ] we
(k)
have ṽj ∈ F[X, Xi , . . . , Xr−1 ]. Moreover, for any field elements ρ1 , . . . , ρr−1 let
(k) (j) (j)
(G , v1 , . . . , vn̄ )j∈[ne ] ← V(F, i, x, ρ1 , . . . , ρr−1 ) we have for any i ∈ [r(|i|) −
1], j ∈ [ni−1 , ni ], k ∈ [ne ]:
(k) (k)
ṽj (X, ρi , . . . , ρr−1 ) = vj (X).

State restoration. We introduce state restoration attacks on PIOPs, extending

the notion of state-restoration for IOPs introduced in [9]. Informally, a state-
restoring prover receives in each round a verifier message ρi as well as a complete
verifier state cvs, and then sends to the verifier m(i) messages πi,j and n(i) oracle
polynomials pi,j , and a previously-seen complete verifier state which sets the
verifier to that state; this forms a state restoration attack on the verifier. The
interaction between a state-restoring prover P̃ and the verifier V is mediated
through the experiment described below. The experiment considers a straight-
line extractor E run after the interaction of the state-restoring prover and verifier.
We consider the experiment Expsr P̃,PIOP,E (F):

1. The challenger initializes the list SeenStates to be empty.

2. Repeat the following until the challenger halts:

30
 (a) P̃ either (1) chooses a complete verifier state cvs in the list SeenStates
or (2) sends a new fresh tuple (i, x, {π1,j }j , {p1,j }j ) to the challenger.
(b) If (1) the challenger sets the verifier to cvs:
i. if cvs = (i, x, {π1,j }j , {p1,j }j ∥ρ1 ∥ . . . ∥{πi,j }j , {pi,j }j ) and i < r(x):
P̃ outputs {πi−1,j }j , {pi−1,j }j ; V samples ρi and sends it to P̃;
the game appends cvs′ := (cvs∥{πi−1,j }j ∥{pi−1,j }j ∥ρi ) to the list
SeenStates;
ii. if cvs = (i, x, {π1 , j}j , {p1 , j}j ∥ρ1 ∥ . . . ∥ρr−1 ): P̃ outputs {πr,j }j , {pr,j }j ;
the challenger runs RE(F, i) and V performs the decision phase of the
PIOP. The challenger sets cvs to be the final cvs, sets the decision
bit d as the output of the verifier V and halts.
(c) If (2) the verifier samples ρ1 and sends it to P̃; the game appends cvs′ =
(i, x, {π1,j }j , {p1,j }j ∥ρ1 ) to the list SeenStates.
def
3. The game computes the extraction bit b = (i, x, E(i, x, p1 , . . . , pn )) ∈ R
where the instance x and the polynomials p1 , . . . , pn are the ones generated
by RE and the ones included in the final cvs. The game returns (d ∧ ¬b)
(namely, the malicious prover convinces the verifier but the extractor fails).

Definition 21 (State-restoration (straight-line) proof of knowledge).

A PIOP PIOP is state-restoration (straight-line) proof of knowledge if there
exists an extractor E such that for any P̃ and any F:
h i
Pr Expsr
P̃,PIOP,E (F) = 1 ≤ negl(|F|)

We consider PIOPs with the following structural condition.

Definition 22. A PIOP PIOP is compiler-safe if for any i, x and ρ := ρ1 , . . . , ρr−1
(j) (j)
and any tuple (G(k) , v1 , . . . , vn̄ )j∈[ne ] ← V(F, i, x, ρ) there exists an index k
(k)
such that for all j the polynomials vj are of degree at least one.
This is the formalization of the technical condition mentioned in the introduction
that allows us to “bundle together” all the oracles and solve the first challenge.
We notice that some PIOPs have this technical condition (an example is [26])
while other PIOPs that internally run different sub-protocols might not have this
property. However, at PIOP level we can always obtain this property by adding
an extra degree of randomness to the polynomials (obtaining b + 1-bounded
zero-knowledge) and adding an extra trivial equation over the polynomials with
the vj set to be the identity function.
Commitments Simulator. We abstract how our compiler handles the simula-
tion of the commitments for the oracles sent during a PIOP protocol’s execution.

Definition 23 (Commitment Simulator for PIOP). Let PIOP be a PIOP

with b-Zero-Knowledge simulator S and checker C and consider a two-stage
PPT algorithm where SCom (0, ck) outputs a vector coms of commitments, and
SCom (1, i, x) outputs a matrix Mi,x of linearly independent rows. SCom is a com-
mitments simulator for a CP (defined over the same commitment scheme) and

31
PIOP, if for every (b, C)-bounded list L, F, i and x the following distributions
are computationally indistinguishable:



ck, view P(F, i, x, w) , V , (pj (x))(j,x)∈L , (Com(ck, pi ))i∈[n] ≈c
(ck, S(F, i, x, L), (Mi,x · coms∥ck))

Moreover, we have that the view (L, S(F, i, x, L), x, Mi,x ) satisfies the algebraic
consistency for the CP-SNARK CP (as in Definition 14).

The definition is in two stages so to fit our result of Theorem 1. For KZG the
first part handles the generation of instance-independent commitments according
to a Dk -Aff-MDH Assumption, while, the second part acts over the formerly
sampled commitments adapting them to the instance at hand. If the commitment
scheme is hiding then the task of defining the commitment simulator SCom for
an arbitrary PIOP is trivial (the distribution of SCom (0, ck) is uniformly over the
commitment space), thus this property is interesting for the case of non-hiding
commitments. Similarly, this notion can be applied to commitment schemes that
are not homomorphic, in that case, we must require Mi,x to be the identity.

5.2 The Compilation-Ready CP-SNARK

Consider the relation Rpoly
that upon relation parameters ck and an instance
msg, c, (Ḡ(k) , v(k) )k∈[ne ] where msg is an arbitrary string and with c = (cj )j∈[n]
and witness p, o outputs 1 if and only if:
(k)
∀k ∈ [ne ] : Ḡ(k) (X, p1 (v1 (X)), . . . , pn (vn(k) (X))) ≡ 0 ∀j : VerCom(ck, cj , pj , oj ) = 1

Notice that a simulation-extractable CP-SNARK for the relation Rpoly forms sig-

nature of knowledge [19] for the message msg and an instance c, (Ḡ(k) , v(k) )k∈[ne ] .
Consider the relation for multi-instance opening of commitments defined below:

Ropn (ck, c, (p, o)) := (∀j ∈ [|c|] : VerCom(ck, cj , pj , oj )) .

The second ingredient for our compiler is a CP-SNARK that can simultaneously
prove the polynomial evaluation relation and the knowledge of the openings. We
consider the join of the two relations Rpoly and Ropn :
def
R̂ = {ck, (poly, x), w : Rpoly (ck, x, w)}∪{ck, (opn, c), w : Ropn (ck, c, w)} (11)

Notice that if we have a CP-SNARK for Rpoly and a CP-SNARK for Ropn we
can easily define a single proof system that proves the relation R̂. In fact, the
relation R̂ could be seen as a join of the two relations plus some syntactic sugar.
The reason to use a single CP-SNARK for R̂ (instead of one for each relation)
is rather technical and it has to do with the security guarantees when we compose
protocols in the AGM [1]. In fact, we need a CP-SNARK for Rpoly that is
simulation extractable in the AGM even in presence of the simulated proofs for
a CP-SNARK for the Ropn . In particular, the simulated proofs for the latter

32
CP-SNARK could contain group elements in G1 that might interfere with the
security proved for the former CP-SNARK (and vice versa). In other words,
even if the first CP-SNARK is simulation extractable (in the AGM), it could
potentially be insecure when we use it in combination with the second CP-
SNARK (if we are using the same group to instantiate the proof of opening).
We consider a set of policies Φ̂ where Φ̂ = (Φ̂0 , Φ̂1 ) ∈ Φ̂ such that Φ0 (ppG )
outputs parameters ppΦ that contain an arbitrary set of vectors of polynomials
(i) (i)
Qv = {v(i) = (v1 , . . . , vn )}i∈poly(λ) and a list of commitments sampled coms =
(c(i) )i∈[q] from a sampler D where the D-Aff-MDH assumption holds, while Φ̂1
is such that:
– Semi-adaptive w.r.t. poly-queries. Given the set of simulation queries
Qsim , define the projections of the set to the poly-simulation queries and
opn-simulation queries. Let the i-th poly-query to the simulation oracle be
(x, aux, π) ∈ Qsim , parse x as (msg, c, (G(k) , v(k) )k∈[ne ] ). (1) ∀k : v(k) ∈
Qv and (2) parse aux two matrices C, F the tuple (c, C, F) satisfies the
commitment check, namely c = C · c(i) + F · ck. (3) the view defined by set of
all poly-queries satisfies the algebraic consistency for CP (cf. Definition 14).
– Extractor policy for opn-forgery. If the forgery of the adversary (x∗ , π ∗ )
is of the form x∗ := (opn, c∗ ), parse auxΦ as (yet another) forgery x̃ :=
(poly, msg, c, (G(k) , v(k) )i∈[ne ] ), π̃ and check that:
1. All the commitments c∗ are in the vector of commitments c,
2. The proof π̃ is valid according to the extractor policy for poly-forgeries
below.
– Extractor policy for poly-forgery. If the forgery of the adversary (x∗ , π ∗ )
is of the form x∗ := (poly, x′ ), then check that x∗ was never queried to the
simulation oracle and there exists a k ∈ [ne ] such that for all j the polynomial
(k)
vj has degree at least 1 (and degree poly(λ)).
Intuitively, the extractor policy for opn-forgery means that a proof of opening for
a commitment c can be extracted (given some auxiliary information) only when
the adversary can exhibit a proof of evaluation that involves such a commitment.
In Section 6.1 we describe a simple and unoptimized CP-SNARK for Rpoly for
KZG, in Section 6.2 we show how to extend it to R̂. The security analysis is given
in the AGM. The CP-SNARK uses classical random-point evaluation for the
polynomial equations and a vacuous proof of opening that can be extracted given
the algebraic representation. The extraction of the latter is successful, namely the
representation depends only on the element in the commitment key, only if the
adversary exhibits a proof of polynomial equation. Both the proof of polynomial
equation and of opening are extracted through the algebraic representations.
Thus, unless the binding property is broken, when the proof of evaluation holds
the proof of opening can be extracted correctly.

5.3 The Universal zkSNARK

Let ΦSE be the standard (strong) simulation extractability policy. Namely, the
policy checks that the forgery of the adversary is a tuple (xΠ , πΠ ) ∈
/ Qsim .

33
 Π.Derive(srs, i) :
p0 ← RE(F, i);
for j ∈ [n(|i|, 0)] do c0,j ← Com(ck, p0,j ; 0) // Determistic commitments
return (eki , vki ) where eki ← p0 , vki ← (c0,i )i∈[n(|i|,0)]
Π.Prove(srs, eki , x, w) :
for i ∈ [r(|i|)] do :


pi , π i ← P(F, i, x, w, ρ1 , . . . , ρi−1 ) // Get polynomials and messages from PIOP prover

for j ∈ [n(i)] do (ci,j , oi,j ) ← Com(ck, pi,j )

xo,i ← (opn, ci ), ci := (ci,j )j , oi := (oi,j )j , πopn,i ← CP.Prove(ck, xo,i , (pi , oi )), π̄i := (ci , πopn,i , π i )
ρi ← RO(vki , x, π̄1 , . . . , π̄i ) // Fiat-Shamir transform

(G(k) , v (k) )k∈[ne ] ← V(F, x, ρ1 , . . . , ρr−1 )

for k ∈ [ne ] do : Ḡ(k) (X, X1 , . . . , Xn ) ← G(k) (X, X1 , . . . , Xn , π)
(k) (k)
trns ← (vki , x, π̄1 , . . . , π̄r ), xpoly ← (poly, trns, c, (Ḡ , v1 , . . . , vn(k) )k∈[ne ] ), πpoly ← CP.Prove(srs, xpoly , (p, o))
return (c, π, (πopn,i )i∈[r] , πpoly )
Π.Verify(vki , x, πΠ ) :
compute (π̄1 , . . . , π̄r )
for i ∈ [r(|i|) − 1] do : ρi ← RO(vki , x, π̄1 , . . . , π̄i−1 ) // Fiat-Shamir transform

(G(k) , v (k) )k∈[ne ] ← V(F, x, ρ1 , . . . , ρr−1 )

for k ∈ [ne ] do : Ḡ(k) (X, X1 , . . . , Xn ) ← G(k) (X, X1 , . . . , Xn , π)
(k) (k)
trns ← (vki , x, π̄1 , . . . , π̄r ), xpoly ← (poly, trns, c, (Ḡ , v1 , . . . , vn(k) )k∈[ne ] )
^
return CP.Verify(ck, xopn,i , πopn,i ) ∧ CP.Verify(srs, xpoly , πpoly )
i∈[r]

Fig. 2. The Compiler to Universal zkSNARKs.

Theorem 3. Let CP be a compilation-ready CP-SNARK, namely a Φ̂-simulation-

extractable CP-SNARK for the joint relation R̂ (cf. Eq. (11)). Let PIOP be a
PIOP for an indexed relation R that is state-restoration straight-line extractable
(cf. Definition 21), and bounded special honest-verifier zero-knowledge, where
the technical condition of Definition 22 holds and equipped with a commitment
simulator for CP (cf. Definition 23). Let Π be the zkSNARK compiled from PIOP
using the compiler from Fig. 2. Then Π is ΦSE -simulation-extractable.
The proof relies mostly on the simulation extractability of compiler-ready
scheme CP. By inspection of the policy set Φ̂, we notice that a technical condition
similar to Definition 22 is already required to prove the simulation extractability
of the compilation-ready scheme. In fact, without the technical condition, the
mix-and-match malleability attack mentioned in the introduction would already
apply for two disjoint sets of equations for CP over disjoint sets of committed
polynomials. Given an adversary A for Π, we can derive a malicious prover
P̃ for the state-restoration game of the PIOP. The idea is to translate all the
RO queries of A to messages of the malicious prover. The prover additionally
needs to send polynomial oracles, we extract them using the extractor for the
proof of opening. Notice this extractor is quite weak, we have an assurance that
its extractions are valid only if the adversary A later can provide a proof of

34
polynomial evaluation. Luckily for us, the adversary must provide the latter
proof if it wants to win its security game. Notice, this avoids rewinding, since
the extraction can be performed at the same moment when the adversary sends
the proof of opening (through a RO call).
The bounded special honest-verifier zero-knowledge property, together with
the property of the commitment simulator for the PIOP (see Definition 23),
guarantee that the simulated proofs in our reduction to the security of CP match
the simulation policy of the latter.

Proof. We prove the theorem assuming the commitments are not hiding. The
adaption to hiding commitments is straightforward. We start showing the zero-
knowledge simulator for Π. The simulator is in Fig. 3. For the description of the
simulator, we assume we can couple the leakage function Fpoly , which defines the
Fpoly -leaky zero-knowledge of the CP-SNARK, with a function F̃poly that upon
input the instance outputs the set Lx of evaluation points necessary to compute
a simulated proof. The zero-knowledge guarantees of the simulator come from
the zero-knowledge property of the PIOP, the zero-knowledge property of the
CP and the simulator commitment property of SCom (see Definition 23). Notice
that S1 might abort if (vki , x, π̄1 , . . . , π̄i ) for some i was already queried to the
random oracle. However, by simply assuming that the first message of P has
ω(log |F|) min-entropy then the event that the simulator aborts happens with
negligible probability.
We define the extractor for Π for a given adversary AΠ . We make some
simplifying assumptions on the behavior of AΠ : (1) the adversary always queries
first the RO on a string that can be parsed as (i, x) before querying the simulation
oracle on the same string, (2) the auxiliary string auxE output by AΠ can be
parsed as a list of strings (si , auxi , sti )i and a string aux′E where for any i we have
(si , auxi , sti ) string is identical to the auxiliary input output at the i-th query
of the adversary and (3) for any i the auxiliary input of the i-th random oracle
query of the adversary contains the full internal state of the adversary. These
assumptions are w.l.g. In fact, given an adversary AΠ that does not respect these
rules we can always define another adversary that runs internally AΠ , collects
all the necessary information to comply with (2) and (3), and moreover follows
the rule (1).
Let Bi be a reduction to the simulation extractability of CP that runs AΠ
(simulating the oracles for AΠ using its own oracles and the code defined in
Fig. 3) and sets its output to be the i-th random oracle query of AΠ . For any
i ∈ [q] let Ei be the extractor associated to Bi (thanks to the Φ̂-simulation ex-
tractability of CP we can associate to Bi an extractor, in Lemma 11 we describe
Bi with more details and we show that it complies with the Φ̂ policy). Similarly,
let Epoly be the extractor for the adversary Bpoly that runs AΠ (simulating the
oracles of AΠ using its own oracles and the code defined in Fig. 3) until comple-
tion, and isolates the instance xpoly := (poly, trns, c, (G(k) , v(k) )k∈[ne ] ) and the
proof πpoly in the forgery of AΠ , and outputs all the auxiliary outputs that AΠ
does.
We first set some notation:

35
 S(0, ppG ) : S(1, stS , srs, (i, x)) :
srs, stCP ←$ CP.S(0, ppG ) (j) (j)
stS ← (stCP , µ, (coms ,ρ )j )
µ←0 // S1 queries counter (µ)
coms ← coms
for j ∈ [q] do : (µ)
(j)
π 1 , . . . , π r ←$ PIOP.S0 (F, i, x, ρ ; r)
coms ←$ SCom (0, ck) (k) (k) (µ)
(j) (j) (j) r−1
(G ,v )k∈[ne ] ← V(F, x, ρ )
ρ = (ρ1 , . . . , ρr−1 ) ←$ F ; (k) (k)
for k ∈ [ne ] do : Ḡ (X) ← G (X, π)
(j) (j)
stS ← (stCP , µ, (coms ,ρ )j ) Mi,x ← SCom (1, ck, i, x)
return srs, stS c = Mi,x · coms∥ck
parse c = vki , c1 , . . . , cr
for i ∈ [r] do :
S(2, stS , s, aux) : πopn,i , stCP ← CP.S1 (stCP , (opn, ci ))
if (s, aux, a) ∈ QRO : π̄i = (ci , πopn,i , π i )
return a, stS trns ← (vki , x, π̄1 , . . . , π̄r )
a ←$ F (k) (k)
xpoly ← (poly, trns, c, (G ,v )k∈[ne ] )
QRO ← QRO ∪ (s, aux, a)
leak ← PIOP.S1 (F, i, x, F̃poly (xpoly ); r)
return a, stS
πpoly , stCP ← CP.S1 (stCP , xpoly , leak)
for i ∈ [r − 1] do :
if ((vki , x, π̄1 , . . . , π̄i ),·,·) ∈ QRO : abort
QRO ← QRO ∪ ((x, π̄1 , . . . , π̄i ), ·, ρi )
(j) (j)
stS ← (stCP , µ + 1, (coms ,ρ )j )
π ← (π̄1 , . . . , π̄r , πpoly )
return π, stS

Fig. 3. The simulator S for Π.

– Let Pi be the indexes of the polynomials sent at the i-th round by the PIOP.
– Given a proof π for Π we define the RO-queries set of π be the set of string
{(vki , x), . . . , (vki , x, π̄1 , . . . , π̄r )}.
– We say that a proof π shares a simulated commitment c of proof π ′ simulated
by S if in stS one can find m1 ̸= 0 and m2 such that c = m1 ∥m2 · coms∥ck.

The extractor EΠ (xΠ , πΠ , auxE ):

1. Parse auxE as the concatenation of a list (si , auxi , sti )i and aux′E ,
where (si , auxi , sti ) is the output of AΠ at the i-th query to the ROM
and aux′E the remaining auxiliary information given by the adversary
(namely, the auxiliary information associated with its last output).
2. From πΠ derive the messages π̄1 , . . . , π̄r and find the indexes qi such
that sqi = (vki , x, π̄1 , . . . , π̄i ).
3. If πΠ shares a simulated commitment with one of the simulated
proofs then return ⊥.
4. For i ∈ [r] run wi,opn ← Eqi (srs, ci , πopn,i , auxi ) where π̄i contains
both the instance and the proof of opening and wi,opn = (p′j )j∈Pi .
5. Run (pj )j∈[n] ← Epoly (srs, xpoly , πpoly , aux′ ).
6. If ∃i : p′i ̸= pi then return ⊥.

36
 7. If ∃i ∈ [n] and j ∈ Pi : VerCom(ck, cj , p′j ) ̸= 1 then return ⊥.
(k) (k)
8. If ∃k : G(k) (X, p1 (v1 (X)), . . . , pn (vn (X)), π1 , . . . , πr ) ̸≡ 0 then re-
turn ⊥.
9. Return EPIOP (i, xΠ , (pj )j∈[n] ).

To analyze the success of the extractor we define a series of hybrid games. We

start from the first hybrid that is the Expsr
APIOP ,PIOP (F) experiment for PIOP (see
Definition 21) for an adversary APIOP that we define next.
APIOP :
1. Run simulator srs, stS ← S(0, ppG ) and set QRO , Qsim empty sets.
2. Run AΠ (srs) and answer all the simulation query of AΠ with S1 .
3. Upon i-th query (si , auxi ) from AΠ to S2 :
(a) if si is in the RO-queries set of a simulated proof in Qsim then
run S2 on input si .
(b) Else parse si as a (partial) transcript trns = (vki , x, π̄1 , . . . , π̄r′ )
for r′ ∈ [r]; parse π̄j = (cj , πopn,j , π j ), compute w ← Ei (srs, cr′ , πopn,r′ , auxi ),
parse w as some polynomials, find in SeenStates the state cvs =
(i, x, π 1 , {p1,i }i ∥ρ1 ∥ . . . ∥π r′ −1 , {pr′ −1,i }i ∥ρr′ −1 ), set the verifier
state to cvs, and send the message (w, π r′ ) to the PIOP verifier.
Receive the challenge ρr′ , and program the random oracle adding
(si , auxi , ρr′ ) to QRO .
4. Eventually the adversary outputs a (valid) forgery (xΠ , πΠ ). From πΠ
derive the PIOP transcript trns := (i, x, π̄1 , ρ1 , . . . , π̄r ), and act as
if A has queried S1 with (trns, ·): i.e., let i be the index of RO query
of the partial transcript (i, x, π̄1 , ρ1 , . . . , π̄r−1 ); as described in the
previous step, find the cvs in SeenStates associated with si , set the
verifier state to cvs, extract the (last) witness w and send (w, π r ) to
the verifier. cvs and the last messages (w, π r ) define a full transcript:
this would trigger the verifier to perform the decision phase of the
PIOP and set the decision bit d of the game.
Let H0 be the Expsr
APIOP ,PIOP (F). By the (state-restoration) knowledge extractabil-
ity of PIOP:
Pr[H0 ] ∈ negl(|F|).
Consider H1 that additionally extracts (pj )j∈[n] ← Epoly (srs, xpoly , πpoly , aux′ )
(k) (k)
and returns 1 if ∃k : G(k) (X, p1 (v1 (X)), . . . , pn (vn (X)), π1 , . . . , πr ) ̸≡ 0 or
∃j : VerCom(ck, cj , pj ) = 0.

Lemma 10. Pr[H1 ] ≤ Pr[H0 ] + ϵCP

Proof. We reduce to Φ̂-simulation extractability of CP. We define with more

details the adversary Bpoly that runs AΠ , and we define a policy Φ̂0 that samples
parameters for Bpoly .

Policy Φ̂0 (ppG )

1. Run S(0, ppG )

37
 2. Parse stS = (stCP , 0, (coms(j) )j , (ρ(j) )j ).
(k)
3. Let (ṽj )j,k be the polynomials defined by the instance-independent
verifier queries of PIOP (see Definition 20).
(k)
4. Set Qv = {ṽj (X, ρi ) : i ∈ [q], j ∈ [n], k ∈ [ne ]}
Next, we define the reduction Bpoly .
Reduction Bpoly (srs, ppΦ̂ )
1. Run AΠ (srs).
2. Upon query ((i, x), aux) to the simulation oracle, run the same strat-
egy of S1 defined in Fig. 3 where the calls to CP.S1 are forwarded to
the simulation oracle of Bpoly .
3. Given the forgery ((i, xΠ ), πΠ ) output by AΠ , define the instance
xpoly = (poly, trns, c, (G(k) , v(k) )k∈[ne ] ) and the proof πpoly .
4. Return the forgery (xpoly , πpoly ) and set the auxiliary input auxE as
the adversary AΠ does.
By inspection, if the forgery of AΠ passes the verification then forgery of Bpoly
passes the verification too. Moreover, by the (strong) simulation extractability
game of AΠ we have that ((i, xΠ ), πΠ ) is not in the set of simulation proofs
Qsim,Π of AΠ , thus the pair (xpoly , πpoly ) is not in the simulation proofs Qsim,poly
of Bpoly . In particular, there are three cases:
1. If A never queried (i, xΠ ) to its simulation oracle, i.e. xΠ is a “fresh” instance
for Π, then Bpoly never queried the simulator with xpoly (notice that xpoly
contains xΠ in the message trns).
2. Otherwise, A queried (i, xΠ ) to its simulation oracle:
(a) For any simulated proof πΠ′ for (i, xΠ ) the transcript of πΠ is different
from the simulated one. This implies that xpoly ̸= x′poly (for the same
reason of above).
(b) There exists a simulated proof πΠ′ for (i, xΠ ) such that the transcripts
of the forgery and of the simulated proof are equal. Since the forgery of
′
AΠ is not in Qsim,Π then the proofs πpoly ̸= πpoly .
By the property of the PIOP we have that there exists an index k such that for
(k)
all j we have vj is not constant polynomial, thus the forgery of Bpoly meets the
extractor policy.
Finally, by the definition of the simulator S in Fig. 3, the query to the sim-
ulation oracle of Bpoly respects the simulator policy of Φ̂1 .In fact, the simulator
policy of Φ̂ matches the constraint in Definition 23. Thus the reduction Bpoly
follows the policy Φ̂. On the other hand, the distinguish event implies that the
extractor fails, thus this would break the Φ̂-simulation extractability of CP. ⊔ ⊓

Let H2 additionally return 1 if ∃i, j : j ∈ Pi ∧ VerCom(ck, cj , p′j ) ̸= 1, where

qi is the index of the random oracle query such that (sqi , auxqi , ρi ) ∈ QRO , and
wqi = (p′j )j∈Pi are the polynomials extracted by Eqi .

Lemma 11. Pr[H2 ] ≤ Pr[H1 ] + r · ϵCP

38
Proof. We prove through a series of r hybrids. Let H1,0 be the same as H1 ;
moreover, let H1,i be the same as H1,i−1 but that additionally returns 1 if
∃j ∈ Pi : VerCom(ck, cj , p′j ) ̸= 1, where qi is the index of the random oracle
query such that (sqi , auxqi , ρi ) ∈ QRO , and wqi = (p′j )j∈Pi are the polynomials
extracted by Eqi . Clearly, H1,r ≡ H2 (where r is the number of rounds of the
PIOP).
We reduce again to Φ̂-simulation extractability of CP. We define the adversary
B that runs AΠ . The adversary B corresponds to the reduction Bqi mentioned
before. Additionally, we need to define a policy Φ̂0 that samples the parameters
for B, we set the policy identical to the one used in Lemma 10.

Reduction B(srs, ppΦ̂ )

1. Run AΠ (srs).
2. Upon query ((i, x), aux) to simulation oracle, run the same strategy
of S1 defined in Fig. 3 with the only difference that instead of calling
CP.S1 it makes a query to its simulator.
3. Parse the qi -th query (sqi , auxqi ) to the RO of AΠ as a partial tran-
script where π̄i := (ci , πopn,i , π i ).
4. Continue running the adversary, parse the forgery output by AΠ as
(π̄1′ , . . . , π̄r′ , πpoly ). Set the instance x̃ := (poly, trns, c, (G(k) , v(k) )k∈[ne ] )
as the verifier would do.
5. Return the forgery ((opn, ci ), πopn,i ) with auxiliary information auxE ←
auxqi and auxΦ ← (x̃, πpoly ).

By inspection, if the forgery of AΠ pass the verification (both for poly-instance

in the final proof and for the opn-instance in the qi -th query) then B’s forgery
passes the verification too. Moreover, by the (strong) simulation extractability
game of AΠ we have that ((i, xΠ ), πΠ ) is not in the set of simulations Qsim of
AΠ , thus the pair (x̃, πpoly ) is not in the simulations of B (cf. Lemma 10). By
(k)
the property of the PIOP, there exists an index k such that for all j we have vj
is not constant polynomial, thus the forgery of B meets the extractor policy.
Finally, by the definition of the simulator S in Fig. 3, the query to the
simulation oracle of B respects the simulator policy of Φ̂1 . In fact, the simulator
policy of Φ̂ matches with the constraint in Definition 23. Notice we are running
the experiment for B with the same extractor of Bqi . However, the first three
outputs of A and B are distributed equivalently (B additionally outputs auxΦ ),
thus the same extractor Eqi works either for Bqi or for B. ⊔
⊓

Let H3 additionally return 1 if ∃i : p′i ̸= pi where (p′j )j∈Pi are the polynomials
extracted by Eqi and (pj )j∈[n] are the polynomials extracted by Epoly .

Lemma 12. Pr[H3 ] ≤ Pr[H2 ] + ϵCP .

Proof. The distinguishing event implies that we can define an adversary B that
runs the Φ̂-simulation extractability experiment for CP and finds a commitment c
and two different polynomials p, p′ such that VerCom(ck, c, p) = VerCom(ck, c, p′ ) =

39
112 .Let D be the maximum degree allowed by the commitment key, let x ∈ F
such that p(x) ̸= p′ (x) and consider the following (false) statement for Rpoly
(and in turn of R̂):
– For j ∈ [D + 1] set G(j) (X, X1 , Xj ) = (X1 − p(j)) − (X − j)Xj . Namely, the
polynomial associated with formal variable X1 evaluates on p(j) at point j,
and Xj is the witness.
– Set G(D+2) (X, X1 , XD+2 ) = (X1 − p′ (x)) − (X − x)XD+2 . Namely, the poly-
nomial associated to formal variable X1 evaluates on p′ (x) at point x, and
XD+2 is its witness.
We can create a valid proof for such a statement using the prover of CP: the
first d + 1 equations are proved using p and the polynomials pj (X) = (p(X) −
p(j))/(X − j), while to prove the last equation we use the witness p′ . Here, we
use the hypothesis that CP uses internally a CP-SNARK for Rm-evl . The proof
is for a statement that is not in the language, thus we break the simulation
extractability of CP.
Let H4 additionally return 1 if the forged proof shares a simulated commitment
with a simulated proof in Qsim .
Lemma 13. Pr[H4 ] ≤ Pr[H3 ] + negl(λ)
Proof. We need to bound the probability that AΠ returns a forgery that shares
a simulated commitment with a proof in Qsim .
Let B be the same reduction described in Lemma 10: as shown before, if AΠ
satisfies the simulation-extractability policy then the reduction B satisfies the
policy Φ̂. We notice that the extractor of B extracts a witness for all the com-
mitments in c in the forgery. Let assume that the forgery shares a commitment
with the i-th simulated proof for some i ∈ [q] and coms ← Mi,x · (coms(i) ∥ck) (in
case the commitments are not homomorphic we assume that Mi,x is the identity
matrix). Since coms ← Mi,x · (coms(i) ∥ck) there exists a row m of the matrix
Mi,x such that cj = m · coms(i) . Moreover, we have a valid opening for cj so
VerCom(ck, cj , p). Notice that a commitment function defines a one-way func-
tion; moreover, the simulated commitment is sampled from a distribution that
is computationally indistinguishable from a distribution that samples random
commitments. Thus, such an extractor would break the one-way property of the
commitment function. ⊔
⊓
SE -se
Lemma 14. Pr[H4 ] = AdvΦ
AΠ ,S,EΠ (λ)

Proof. We now show that the probability that H4 outputs 1 is equal to the
probability that the adversary AΠ wins the ΦSE -se experiment against EΠ . First,
notice that the srs is generated by S(0, ppG ) in both experiments. Upon (valid)
forgery ((i, xΠ ), πΠ ), we notice that:
12
Intuitively, this breaks the binding property of the commitment scheme, however,
the binding property does not assume that the adversary can see simulated proofs
thus we cannot reduce to it. Here, instead, we show how forge a proof for an instance
that is not in the language.

40
 – πΠ cannot share a simulated commitment with one of the simulated proofs
(see Item 3) because of the check introduced in Lemma 13. Thus all the
RO queries of AΠ that constitute πΠ (namely the queries q1 , . . . , qr ) where
forwarded to the challenger in Item 3b (in particular, any of the query was
already answerd by the programming of the RO by the simulator S1 ). This
implies that the complete transcript sent by APIOP is in the list SeenStates.
On the other hand, the extractor EΠ does not abort at Item 3.
– ∀j ∈ [n], the polynomial pj extracted by Eqi is equal to p′j extracted from
Epoly and VerCom(ck, cj , pj ) = 1; this is ensured by the checks introduced
in Lemma 11 and Lemma 12. This implies that the extractor EPIOP in the
ExpsrAPIOP ,PIOP in H3 is fed with the same polynomials extracted by EΠ .
– Finally, the polynomial check on xpoly must be satisfied by the extracted
polynomials pj because of the check introduced in Lemma 10. Thus, if the
proof πPIOP is valid, the decision bit in the state-restoration game is 1.

6 The Glue
In this section, we bridge together the results from Sections 4 and 5. In Sec-
tion 5 we defined the notion of compilation-ready CP-SNARK as the (simulation-
extractable) CP-SNARK for the joint relationship R̂ (see Eq. (11) in Section 5.2)
that proves both knowledge of the opening and polynomial equations. In the
next sections, we first give a (simulation extractable) CP-SNARK for polyno-
mial equations in the AGM based on our result in Section 4 and then we show
a CP-SNARK for R̂ leveraging the extractability of the AGM.

6.1 CP-SNARK for polynomial equations in the AGM

We present a simple and un-optimized simulation-extractable CP-SNARK for
the relation of polynomial equations in the random oracle model (and AGM). We
recall the CP-SNARK should be a signature of knowledge [19] for an arbitrary
message msg and an instance of the
following relation Rpoly that upon parameters
ck, instance (c, (Ḡ(k) , v(k) )k∈[ne ] ) , and witness (p, o) outputs 1 if and only if:
(k)
∀k ∈ [ne ] : Ḡ(k) (X, p1 (v1 (X)), . . . , pn (vn(k) (X))) ≡ 0

To make the scheme a signature of knowledge we extend the relation by adding

to the instance the message msg, and requiring simulation extractability with
respect to the extended instance. Our scheme is based on the CP-SNARK for
Rm-evl for Hiding KZG from Section 4. We describe the CP-SNARK CPpoly :
(k) (k)
– Prove(ck, x = (msg, c, (Ḡ(k) , v1 , . . . , vn )k∈[ne ] ), w = (p, o)) :
1. Compute x∗ ← RO(x).
(k) (k)
2. Compute for any j, k the value xj ← vj (x∗ ).
(k)
3. Let X := {x∗1 , . . . , x∗m } be the set of the points xj for all k and j
(k)
computed at the previous step, and let Pi := {j : vj (x∗ ) = x∗i }.

41
 4. For i ∈ [m], compute πm-evl,i ← Pm-evl (ck, xm-evl , (pj , oj )j∈Pi ) for the
instance xm-evl = (x∗i , (cj , pj (x
∗i ))j∈Pi ).
5. Output πm-evl,i , (pj (x∗i ))j∈Pi i∈[m] .
(k) (k)
– Verify(ck, c, x = (msg, Ḡ(k) , v1 , . . . , vn )k∈[ne ] , π)
1. Compute x∗ ← RO(x).
(k) (k)
2. Compute for any j, k the value xj ← vj (x∗ ).
(k)
3. Let X := {x∗1 , . . . , x∗m } be the set of the points xj computed at the
(k)
previous step, and let Pi := {j : vj (x∗ ) = x∗i }.

(k)
4. Parse π as πm-evl,i , (yi,j )j∈Pi i∈[m] . For any j, k let ȳj be the (claimed)
(k)
evaluation of the polynomial committed in cj on point vj (x∗ ) ∈ X , this
(k)
value is equivalent to yi,j for the index i such that vj (x∗ ) = x∗i .
5. Output 1 iff
(a) ∀i ∈ [m] : Vm-evl (ck, xm-evl,i , πm-evl,i ) = 1, where xm-evl,i = (x∗i , (cj , yi,j )j∈Pi )
(k) (k)
(b) ∀k ∈ [ne ] : Ḡ(k) (x∗ , ȳ1 , . . . , ȳn ) = 0.
Consider the family of policies Φpoly , such that for any (Φ0 , Φ1 ) ∈ Φpoly we have
Φ0 (ppG ) outputs parameters ppΦ that contain an arbitrary set Qv = {v(i) =
(i) (i)
(v1 , . . . , vn )}i∈poly(λ) and a list of commitments sampled from a sampler D
where the D-Aff-MDH assumption holds. On the other hand, Φ1 returns 1 iff:
– Semi-adaptive simulation queries. Let Qsim be the set of simulation
queries made by the adversary and parse coms as a list of vectors of com-
mitments (c(i) )i∈[Qsim ] where c(i) ∈ Gn1 . Let the i-th query to the simulation
oracle be (x, aux, π) ∈ Qsim , we can parse x as (msg, c, (G(k) , v(k) )k∈[ne ] )
where (1) ∀k : v(k) ∈ Qv and (2) we can find in aux two matrices C, F such
that c = C · c(i) + F · ck. Moreover (3) the algebraic consistency for CPpoly
holds13 .
– Forgery. The forgery (x, π) ∈ / Qsim , i.e. π is “fresh” and not produced by
the simulation oracle on input x. Moreover, there exists a k ∈ [ne ] such that
(k)
for all j the polynomial vj has a degree at least 1 (and degree polynomial
in the security parameter).
Let CPm-evl be Fm-evl -leaky zero-knowledge, consider the following leakage func-
tion:
Function Fpoly (x, w):
(k)
1. Parse w as (p, o), leak {(j, pj (xj ))}j,k
2. For any i ∈ [m] compute xm-evl,i from x and the leaked points (as in
the scheme above), leak points Fm-evl (xm-evl,i , (pj , oj )i∈Pi ).
13
Specifically, as in the protocol specification, if we derive from x the m different
instances (xm-evl,i )i∈[m] and let Ci (resp Fi ) be the sub-matrix of C (resp. F) in
which the set of row indices is Pi . Then the following consistency opening check
must hold: ∀i the system of linear equations Ci · z = yi has at least a solution,
where z are the variables and yi = xi .y + Fi · (1, x∗i , . . . , x∗i d )⊤ .

42
Theorem 4. If the CP-SNARK CPm-evl is Fm-evl -leaky zero-knowledge then the
CP-SNARK CPpoly is Fpoly -leaky zero-knowledge.
Let ϵm-evl be the maximum winning probability of a PT adversary against the
Φm-evl -simulation extractability. Let E be the canonical extractor in the AGM,
let S be the leaky-ZK simulators for CPpoly . For every Φpoly ∈ Φpoly , for every
adversary A that makes at most Qsim simulation queries,
Φ -se poly(d,λ)
AdvCPpoly
poly ,S,E,A
(λ) ≤ (Qsim + 1)ϵm-evl + ϵAff-MDH + |F| .

Proof. We first prove leaky zero-knowledge and then simulation extractability.

Leaky zero-knowledge. We rely on the leaky zero knowledge simulator S ′ =
(S0′ , S1′ , S2′ ) of the scheme CPm-evl . In particular, we define the simulator S =
(S0 , S1 , S2 ), where S0 (resp. S2 ) is simply a wrapper of S0′ (resp. S2′ ). S1 upon in-
put the statement xpoly and the leakage (j, ỹi,j )i∈[m],j∈Pi , y1′ , . . . , ym
′
← Fpoly (xpoly , wpoly )
derives, for any i, the statement xm-evl,i from xpoly and (j, ỹi,j )i∈[m] , then it runs
S1′ on the derived statement and leakage yi′ . The indistinguishability of the sim-
ulated view from the real view can be proved with an hybrid argument where
at each step we use the leaky zero-knowledge of CPm-evl .
Simulation Extractability. We consider the canonical extractor given by the
AGM guarantees, namely the extractor that parses and outputs the polynomials
in the instance as derived by the coefficients in the algebraic representations.
We define an hybrid experiment H1 that is equivalent to the Φpoly -simulation
extractability experiment but additionally the hybrid experiment outputs 0 if the
instance in the forgery (x∗poly , πpoly
∗
) of the adversary is in the set of simulation
queries and the canonical extractor fails to extract a valid witness.
Φ -se
Lemma 15. AdvCPpoly
poly ,S,E,A
(λ) ≤ Pr[H1 ] + ϵm-evl + ϵAff-MDH

Proof. The distinguishing event between the original experiment and H1 is that
A returns a valid “fresh” proof for a statement for which has seen a simulated
proof which the extractor cannot extract.
We reduce to Φm-evl -simulation extractability showing an adversary that pro-
duces a fresh proof for a statement xm-evl for which has seen a simulated proof.
Consider the policy Φm-evl = (Φ̄0 , Φ̄1 ) ∈ Φm-evl where Φ̄0 (ppG ) does the fol-
lowing:
1. Runs the policy Φ0 (ppG ) and obtains the set of vectors Qv .
2. Samples random x̃1 , . . . , x̃q from F and computes Qx := {vj (x̃i ) : v ∈ Qv }i,j .
3. Runs for i ∈ [Qsim ] the sampler c(i) ←$ D(ppG ), where Qsim is the maximum
number of simulation queries made by A, and defines coms := (c(i) )i .
4. Outputs (Qx , coms).
We can assume w.l.g. that A queries the random oracle on x before querying
the simulation oracle on such an instance.
Consider the adversary B for the Φm-evl -simulation-extractability game that:
1. Run the adversary A on parameters ck and ppΦ := (Qv , coms)

43
 2. Parse coms as (c(i) )i∈[Qsim ] and keep a list Q′RO (initially empty) of the random
oracle call of A.
3. At the i-th random-oracle query on input (s, aux), store (s, aux, x̃i ) in Q′RO ,
and forward x̃i to the adversary A.
4. Upon simulation query with a tuple (xpoly , auxpoly ) from A:
– Find in auxpoly the leakage-input for the simulator (yi,j )i∈[m],j∈Pi , (yi′ )i∈[m] .
– Following the specification of the prover, query the simulation oracle with
instances xm-evl,i = ((cj )j∈Pi , x∗i , (yi,j )i,j∈Pi ), using yi′ as the leakage for
the i-th instance. Parse them as a proof for poly.
5. Upon forgery (x∗poly , aux∗E , π ∗ = (πm-evl,i
∗
, (yi,j )j )i ):
(a) Abort if A never queried S2 with x∗poly . .
(b) Let π̃poly := (π̃m-evl,i , (ỹi,j )j )i be the first simulated proof for x∗poly and
let i∗ be the index such that either (yi∗ ,j ) ̸= (ỹi∗ ,j ) or π̃m-evl,i ̸= πm-evl,i ,
return the forgery (x∗m-evl,i∗ , aux∗E , πm-evl,i
∗
∗ ).

We need to show that if Φpoly holds for A then the policy Φm-evl holds for B.
Notice that, by condition (1) of the semi-adaptive simulation queries property of
Φpoly and the definition of Φ0 the reduction B calls its own simulator on points
in Qx , moreover (2) and (3) (of the semi-adaptive simulation queries property
of Φpoly ) easily imply respectively the Commitment Check and the Algebraic
Consistency of Φm-evl (cf. Definition 24).
By inspection the forgery, if the reduction B does not abort and there exists
only one π̃poly associated with the forged instance then B matches the predicate
Φder
ext of the Φm-evl policy (cf. Definition 25). We show that, because of condition
(2) and the algebraic consistency check of the semi-adaptive simulation queries
property of Φpoly , that there exists indeed only one simulated proof π̃poly for each
queried instance. In fact, from an adversary that asks twice the same instance to
the simulator, let say at query i and i′ , we can derive that C(i) · c(i) + F(i) · ck =
′ ′ ′
C(i ) · c(i ) + F(i ) · ck. If the matrices C(i) or C(i ) are non-zero then we can break
′

the D-Aff-MDDH assumption. On the other hand, if both matrices are the zero
matrix, we have that the commitments are fully defined given the ck and thus
by the algebraic consistency check the leakage for the simulated proofs must be
the same (and thus the proofs are the same). ⊔
⊓

The next hybrid experiment H2 is equivalent to H1 but additionally it outputs

0 if the instance in the forgery (x∗poly , πpoly
∗
) of the adversary is valid and the
canonical extractor fails to extract valid witnesses for the m-evl-instances derived
by x∗poly .
ϵm-evl
Lemma 16. Pr[H1 ] ≤ Pr[H2 ] + Qsim

Proof. We reduce again to Φm-evl -simulation-extractability We consider the same

Φ̄0 (ppG ) as in the previous lemma.
Consider the adversary B that:

1. Sample an index q ∗ ←$ [Qsim ].

2. Run the adversary A on parameters ck and ppΦ := (Qv , coms)

44
 3. Parse coms as (c(i) )i∈[Qsim ] and keep a list Q′RO (initially empty) of the random
oracle call of A.
4. At the i-th random-oracle query on input (s, aux):
– if i ̸= q ∗ then store (s, aux, x̃i ) in Q′RO , and forward x̃i to A
(k∗ )
– else parse s as (msg, c, (G(k) , v(k) )k ), find k ∗ such that ∀j : deg(vj ) ≥
(k∗ )
1, set aux′ := (aux, (vj )j∈[n] ), and send the query (s, aux′ ) to S2 , and
forward a to the adversary A
5. Upon simulation query with a tuple (xpoly , auxpoly ) from A (as in the previ-
ous lemma):
– find in Q′RO the tuple (xpoly , ·, x̃)
– find in auxpoly the leakage-input for the simulator (yi,j )i∈[m],j∈Pi , (yi′ )i∈[m]
– following the specification of the prover, query the simulation oracle with
instances xm-evl,i = ((cj )j∈Pi , x∗i , (yi,j )i,j∈Pi ), using yi′ as the leakage for
the i-th instance
6. Upon forgery (x∗poly , aux∗E , π ∗ = (πm-evl,i
∗
, (yi,j )j )i )
(a) abort if xpoly was not queried at the q ∗ -th random oracle query by A
∗

(b) abort if ∀j ∈ [n] cj can be extracted as pj (X) and ∀i : pj (x∗i ) = yi,j ,

(c) Let j ∗ , i be such that pj ∗ (x∗i ) the previous check does not hold. Return
the forgery (x∗m-evl,i∗ , aux∗E , πm-evl,i
∗
∗ ).

Let Abort be the event that B aborts. We notice that B could abort if one of
two distinct events happens. The first event Abort1 in Item 6a, and the second
event Abort2 is the condition in Item 6b. Notice that the distinguishing event
between the two hybrids implies that Abort2 does not happen. Moreover, notice
that when the reduction does not abort, it returns a valid proof that either
the canonical extractor cannot extract or such that the extracted polynomial
pj (x∗i ) ̸= yi∗ ,j ∗ ; thus, if the policy Φm-evl is valid the reduction wins the Φm-evl -
simulation extractability experiment. Namely,
 
Pr Φ̄1 ∧ ¬Abort|b = 0 ≤ ϵm-evl
The event Abort1 only depends on the uniformly random index q ∗ which is
independent of the view of the adversary A, i.e., Pr[¬Abort1 ] = Q1sim . Notice that
A wins the Φpoly -simulation extractability experiment when ¬Abort2 happens
and Φ1 holds. Thus, we only need to show that, conditioned on ¬Abort, when
the policy Φ1 holds w.r.t. the view of A then the policy Φ̄1 holds w.r.t. the
view of B. By construction of Qx and the answers to the random oracle queries
to A, if the simulation query of A has v(k) ∈ Qv then the evaluation points
derived are in Qx . Moreover, it is not hard to see that the consistency check of
the two policies match: in particular, the conditions on matrix Ci (resp Fi ) are
equivalent to the consistent opening check described in Item 3 of the extraction
policy (the adversary is considered valid if its queries form a solvable linear
system of equations defined by the coefficients of the linear combinations of
commitments and the evaluation values). As for the forgery, in case of ¬Abort1 ,
the entry (x∗poly , aux′ , a∗ ) is indeed in the list of random oracle checked by the
m-evl-policy: in fact, it is the only query. And, by construction, aux′ contains the
(k∗ )
polynomial vj ∗ . Putting things together we have the statement of the lemma.
⊔
⊓

45
The next hybrid experiment H3 is equivalent to H2 but additionally it outputs
0 if the instance in the forgery (x∗poly , πpoly
∗
) of the adversary is valid and the
canonical extractor fails to extract valid witness, namely:

∃k : Ḡ(k) (X, p1 (vn(k) (X)), . . . , pn (vn(k) (X))) ̸≡ 0

poly(d,λ)
Lemma 17. Pr[H3 ] ≤ |F| .

Proof. First notice that by the changes introduced in the previous hybrid the
canonical extractor must extract valid polynomials and pj (x∗i ) = yi,j for any i
and j ∈ Pi . Also x∗ is sampled after all the polynomials extracted by the canoni-
(k) (k)
cal extractor are defined. Let d the degree of Ḡ(k) (X, p1 (vn (X)), . . . , pn (vn (X))),
such value is polynomial in the security parameter and the maximum degree for
the commitments. If the verification passes we have:

Ḡ(k) (x∗ , p1 (vn(k) (x∗ ), . . . , pn (vn(k) (x∗ ))) = 0

d
which, by Swartz-Zippel lemma happens with probability F. ⊔
⊓

6.2 The Compilation-Ready CP-SNARK in the AGM

We define a CP-SNARK CP for R̂ that uses the CP-SNARK CPpoly from Sec-
tion 6.1. We set the CP = (KGen, Prove, Verify) where KGen is the same as
in CPpoly and Prove upon poly-instances runs CPpoly .Prove, while upon opn-
instances simply outputs an empty string. (The verifier algorithm is the obvious
one.)
We recall the policy set Φ defined in Section 5.2. For every (Φ0 , Φ1 ) ∈ Φpoly ,
(Φ0 , Φ̂1 ) ∈ Φ where Φ̂1 satisfies the 3 properties:

– Semi-adaptive w.r.t. poly-queries. Given the set of simulation queries

Qsim , define the projections of the set to the poly-simulation queries and
opn-simulation queries. Let the i-th poly-query to the simulation oracle be
(x, aux, π) ∈ Qsim , parse x as (msg, c, (G(k) , v(k) )k∈[ne ] ). (1) ∀k : v(k) ∈
Qv and (2) parse aux two matrices C, F the tuple (c, C, F) satisfies the
commitment check, namely c = C · c(i) + F · ck. (3) the view defined by set of
all poly-queries satisfies the algebraic consistency for CP (cf. Definition 14).
– Extractor policy for opn-forgery. If the forgery of the adversary (x∗ , π ∗ )
is of the form x∗ := (opn, c∗ ), parse auxΦ as (yet another) forgery x̃ :=
(poly, msg, c, (G(k) , v(k) )i∈[ne ] ), π̃ and check that:
1. All the commitments c∗ are in the vector of commitments c,
2. The proof π̃ is valid according to the extractor policy for poly-forgeries
below.
– Extractor policy for poly-forgery. If the forgery of the adversary (x∗ , π ∗ )
is of the form x∗ := (poly, x′ ), then check that x∗ was never queried to the
simulation oracle and there exists a k ∈ [ne ] such that for all j the polynomial
(k)
vj has degree at least 1 (and degree poly(λ)).

46
Theorem 5. The CP-SNARK CP for R̂ is Φ̂-simulation extractable.

Proof. The proof is mostly syntactical as we need to match the interface of an

adversary of CP with the interface of an adversary of CPpoly .
We reduce to the Φpoly -simulation extractability of CPpoly . In particular,
given an adversary A for CP consider the reduction that runs A and forwards
all its poly-simulation queries, moreover, the reduction answers all the opn-
simulation queries by trivially outputting the empty string. If A outputs as a
forgery a opn-instance then the reduction outputs as a forgery the instance and
valid proof in auxΦ .
We assume that the representations of the commitments in the opn-forgery
and the representations of the same commitments in the auxiliary output auxΦ
are the same. Notice, if we have two distinct representations for the same com-
mitment then we break the binding of KZG. Thus the canonical extractor would
output the same opening both when extracting the opn-forgery (using the rep-
resentations in auxE ) and when extracting from auxΦ .

References
1. M. Abdalla, M. Barbosa, J. Katz, J. Loss, and J. Xu. Algebraic adversaries in
the universal composability framework. In M. Tibouchi and H. Wang, editors,
ASIACRYPT 2021, Part III, volume 13092 of LNCS, pages 311–341. Springer,
Heidelberg, Dec. 2021.
2. B. Abdolmaleki, S. Ramacher, and D. Slamanig. Lift-and-shift: Obtaining simu-
lation extractable subversion and updatable SNARKs generically. In J. Ligatti,
X. Ou, J. Katz, and G. Vigna, editors, ACM CCS 2020, pages 1987–2005. ACM
Press, Nov. 2020.
3. S. Arora and S. Safra. Probabilistic checking of proofs; A new characterization of
NP. In 33rd FOCS, pages 2–13. IEEE Computer Society Press, Oct. 1992.
4. K. Baghery, M. Kohlweiss, J. Siim, and M. Volkhov. Another look at extraction and
randomization of groth’s zk-snark. In N. Borisov and C. Dı́az, editors, Financial
Cryptography and Data Security - 25th International Conference, FC 2021, Virtual
Event, March 1-5, 2021, Revised Selected Papers, Part I, volume 12674 of Lecture
Notes in Computer Science, pages 457–475. Springer, 2021.
5. M. Bellare, D. Hofheinz, and E. Kiltz. Subtleties in the definition of IND-CCA:
When and how should challenge decryption be disallowed? Journal of Cryptology,
28(1):29–48, Jan. 2015.
6. E. Ben-Sasson, I. Bentov, Y. Horesh, and M. Riabzev. Scalable zero knowledge
with no trusted setup. In A. Boldyreva and D. Micciancio, editors, CRYPTO 2019,
Part III, volume 11694 of LNCS, pages 701–732. Springer, Heidelberg, Aug. 2019.
7. E. Ben-Sasson, A. Chiesa, D. Genkin, E. Tromer, and M. Virza. SNARKs for C:
Verifying program executions succinctly and in zero knowledge. In R. Canetti and
J. A. Garay, editors, CRYPTO 2013, Part II, volume 8043 of LNCS, pages 90–108.
Springer, Heidelberg, Aug. 2013.
8. E. Ben-Sasson, A. Chiesa, M. Riabzev, N. Spooner, M. Virza, and N. P. Ward.
Aurora: Transparent succinct arguments for R1CS. In Y. Ishai and V. Rijmen, ed-
itors, EUROCRYPT 2019, Part I, volume 11476 of LNCS, pages 103–128. Springer,
Heidelberg, May 2019.

47
 9. E. Ben-Sasson, A. Chiesa, and N. Spooner. Interactive oracle proofs. In M. Hirt
and A. D. Smith, editors, TCC 2016-B, Part II, volume 9986 of LNCS, pages
31–60. Springer, Heidelberg, Oct. / Nov. 2016.
10. E. Ben-Sasson, L. Goldberg, S. Kopparty, and S. Saraf. DEEP-FRI: Sampling
outside the box improves soundness. In T. Vidick, editor, ITCS 2020, volume 151,
pages 5:1–5:32. LIPIcs, Jan. 2020.
11. D. Boneh and X. Boyen. Short signatures without random oracles. In C. Cachin
and J. Camenisch, editors, EUROCRYPT 2004, volume 3027 of LNCS, pages 56–
73. Springer, Heidelberg, May 2004.
12. D. Boneh, J. Drake, B. Fisch, and A. Gabizon. Efficient polynomial commitment
schemes for multiple points and polynomials. Cryptology ePrint Archive, Report
2020/081, 2020. https://eprint.iacr.org/2020/081.
13. D. Boneh, J. Drake, B. Fisch, and A. Gabizon. Halo infinite: Proof-carrying data
from additive polynomial commitments. In T. Malkin and C. Peikert, editors,
CRYPTO 2021, Part I, volume 12825 of LNCS, pages 649–680, Virtual Event,
Aug. 2021. Springer, Heidelberg.
14. B. Bünz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, and G. Maxwell. Bulletproofs:
Short proofs for confidential transactions and more. In 2018 IEEE Symposium on
Security and Privacy, pages 315–334. IEEE Computer Society Press, May 2018.
15. B. Bünz, A. Chiesa, P. Mishra, and N. Spooner. Recursive proof composition from
accumulation schemes. In R. Pass and K. Pietrzak, editors, TCC 2020, Part II,
volume 12551 of LNCS, pages 1–18. Springer, Heidelberg, Nov. 2020.
16. B. Bünz, B. Fisch, and A. Szepieniec. Transparent SNARKs from DARK compilers.
In A. Canteaut and Y. Ishai, editors, EUROCRYPT 2020, Part I, volume 12105
of LNCS, pages 677–706. Springer, Heidelberg, May 2020.
17. M. Campanelli, A. Faonio, D. Fiore, A. Querol, and H. Rodrı́guez. Lunar: A tool-
box for more efficient universal and updatable zkSNARKs and commit-and-prove
extensions. In M. Tibouchi and H. Wang, editors, ASIACRYPT 2021, Part III,
volume 13092 of LNCS, pages 3–33. Springer, Heidelberg, Dec. 2021.
18. M. Campanelli, D. Fiore, and A. Querol. LegoSNARK: Modular design and com-
position of succinct zero-knowledge proofs. In L. Cavallaro, J. Kinder, X. Wang,
and J. Katz, editors, ACM CCS 2019, pages 2075–2092. ACM Press, Nov. 2019.
19. M. Chase and A. Lysyanskaya. On signatures of knowledge. In C. Dwork, editor,
CRYPTO 2006, volume 4117 of LNCS, pages 78–96. Springer, Heidelberg, Aug.
2006.
20. A. Chiesa, Y. Hu, M. Maller, P. Mishra, N. Vesely, and N. P. Ward. Marlin:
Preprocessing zkSNARKs with universal and updatable SRS. In A. Canteaut and
Y. Ishai, editors, EUROCRYPT 2020, Part I, volume 12105 of LNCS, pages 738–
768. Springer, Heidelberg, May 2020.
21. Y. Dodis, K. Haralambiev, A. López-Alt, and D. Wichs. Efficient public-key cryp-
tography in the presence of key leakage. In M. Abe, editor, ASIACRYPT 2010,
volume 6477 of LNCS, pages 613–631. Springer, Heidelberg, Dec. 2010.
22. D. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography (extended ab-
stract). In 23rd ACM STOC, pages 542–552. ACM Press, May 1991.
23. S. Faust, M. Kohlweiss, G. A. Marson, and D. Venturi. On the non-malleability
of the Fiat-Shamir transform. In S. D. Galbraith and M. Nandi, editors, IN-
DOCRYPT 2012, volume 7668 of LNCS, pages 60–79. Springer, Heidelberg, Dec.
2012.
24. M. Fischlin. Communication-efficient non-interactive proofs of knowledge with
online extractors. In V. Shoup, editor, CRYPTO 2005, volume 3621 of LNCS,
pages 152–168. Springer, Heidelberg, Aug. 2005.

48
25. G. Fuchsbauer, E. Kiltz, and J. Loss. The algebraic group model and its applica-
tions. In H. Shacham and A. Boldyreva, editors, CRYPTO 2018, Part II, volume
10992 of LNCS, pages 33–62. Springer, Heidelberg, Aug. 2018.
26. A. Gabizon, Z. J. Williamson, and O. Ciobotaru. PLONK: Permutations over
lagrange-bases for oecumenical noninteractive arguments of knowledge. Cryptology
ePrint Archive, Report 2019/953, 2019. https://eprint.iacr.org/2019/953.
27. C. Ganesh, H. Khoshakhlagh, M. Kohlweiss, A. Nitulescu, and M. Zajac. What
makes fiat-shamir zksnarks (updatable SRS) simulation extractable? In C. Galdi
and S. Jarecki, editors, Security and Cryptography for Networks, SCN 2022, volume
13409 of Lecture Notes in Computer Science, pages 735–760. Springer, 2022.
28. C. Ganesh, Y. Kondi, C. Orlandi, M. Pancholi, A. Takahashi, and D. Tschudi.
Witness-succinct universally-composable snarks. Cryptology ePrint Archive, Paper
2022/1618, 2022. https://eprint.iacr.org/2022/1618.
29. C. Ganesh, C. Orlandi, M. Pancholi, A. Takahashi, and D. Tschudi. Fiat-shamir
bulletproofs are non-malleable (in the algebraic group model). In O. Dunkelman
and S. Dziembowski, editors, EUROCRYPT 2022, Part II, volume 13276 of LNCS,
pages 397–426. Springer, Heidelberg, May / June 2022.
30. S. Garg, A. Jain, and A. Sahai. Leakage-resilient zero knowledge. In P. Rogaway,
editor, CRYPTO 2011, volume 6841 of LNCS, pages 297–315. Springer, Heidelberg,
Aug. 2011.
31. R. Gennaro, C. Gentry, B. Parno, and M. Raykova. Quadratic span programs
and succinct NIZKs without PCPs. In T. Johansson and P. Q. Nguyen, editors,
EUROCRYPT 2013, volume 7881 of LNCS, pages 626–645. Springer, Heidelberg,
May 2013.
32. S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive
proof-systems (extended abstract). In 17th ACM STOC, pages 291–304. ACM
Press, May 1985.
33. J. Groth. Short pairing-based non-interactive zero-knowledge arguments. In
M. Abe, editor, ASIACRYPT 2010, volume 6477 of LNCS, pages 321–340.
Springer, Heidelberg, Dec. 2010.
34. J. Groth. On the size of pairing-based non-interactive arguments. In M. Fischlin
and J.-S. Coron, editors, EUROCRYPT 2016, Part II, volume 9666 of LNCS, pages
305–326. Springer, Heidelberg, May 2016.
35. J. Groth, M. Kohlweiss, M. Maller, S. Meiklejohn, and I. Miers. Updatable and uni-
versal common reference strings with applications to zk-SNARKs. In H. Shacham
and A. Boldyreva, editors, CRYPTO 2018, Part III, volume 10993 of LNCS, pages
698–728. Springer, Heidelberg, Aug. 2018.
36. J. Groth and M. Maller. Snarky signatures: Minimal signatures of knowledge
from simulation-extractable SNARKs. In J. Katz and H. Shacham, editors,
CRYPTO 2017, Part II, volume 10402 of LNCS, pages 581–612. Springer, Hei-
delberg, Aug. 2017.
37. C. S. Jutla and A. Roy. Shorter quasi-adaptive NIZK proofs for linear subspaces.
In K. Sako and P. Sarkar, editors, ASIACRYPT 2013, Part I, volume 8269 of
LNCS, pages 1–20. Springer, Heidelberg, Dec. 2013.
38. A. Kate, G. M. Zaverucha, and I. Goldberg. Constant-size commitments to poly-
nomials and their applications. In M. Abe, editor, ASIACRYPT 2010, volume
6477 of LNCS, pages 177–194. Springer, Heidelberg, Dec. 2010.
39. J. Lee. Dory: Efficient, transparent arguments for generalised inner products and
polynomial commitments. In K. Nissim and B. Waters, editors, TCC 2021, Part II,
volume 13043 of LNCS, pages 1–34. Springer, Heidelberg, Nov. 2021.

49
40. H. Lipmaa. Progression-free sets and sublinear pairing-based non-interactive zero-
knowledge arguments. In R. Cramer, editor, TCC 2012, volume 7194 of LNCS,
pages 169–189. Springer, Heidelberg, Mar. 2012.
41. M. Maller, S. Bowe, M. Kohlweiss, and S. Meiklejohn. Sonic: Zero-knowledge
SNARKs from linear-size universal and updatable structured reference strings. In
L. Cavallaro, J. Kinder, X. Wang, and J. Katz, editors, ACM CCS 2019, pages
2111–2128. ACM Press, Nov. 2019.
42. M. Maller, S. Bowe, M. Kohlweiss, and S. Meiklejohn. Sonic: Zero-knowledge
SNARKs from linear-size universal and updateable structured reference strings.
Cryptology ePrint Archive, Report 2019/099, 2019. https://eprint.iacr.org/
2019/099.
43. S. Micali. CS proofs (extended abstracts). In 35th FOCS, pages 436–453. IEEE
Computer Society Press, Nov. 1994.
44. P. Morillo, C. Ràfols, and J. L. Villar. The kernel matrix Diffie-Hellman assump-
tion. In J. H. Cheon and T. Takagi, editors, ASIACRYPT 2016, Part I, volume
10031 of LNCS, pages 729–758. Springer, Heidelberg, Dec. 2016.
45. C. Ràfols and A. Zapico. An algebraic framework for universal and updatable
SNARKs. In T. Malkin and C. Peikert, editors, CRYPTO 2021, Part I, volume
12825 of LNCS, pages 774–804, Virtual Event, Aug. 2021. Springer, Heidelberg.
46. A. Sahai. Non-malleable non-interactive zero knowledge and adaptive chosen-
ciphertext security. In 40th FOCS, pages 543–553. IEEE Computer Society Press,
Oct. 1999.
47. A. Szepieniec. Polynomial IOPs for linear algebra relations. Cryptology ePrint
Archive, Report 2020/1022, 2020. https://eprint.iacr.org/2020/1022.
48. A. Tomescu, I. Abraham, V. Buterin, J. Drake, D. Feist, and D. Khovratovich.
Aggregatable subvector commitments for stateless cryptocurrencies. In C. Galdi
and V. Kolesnikov, editors, SCN 20, volume 12238 of LNCS, pages 45–64. Springer,
Heidelberg, Sept. 2020.
49. A. Zapico, V. Buterin, D. Khovratovich, M. Maller, A. Nitulescu, and M. Simkin.
Caulk: Lookup arguments in sublinear time. In H. Yin, A. Stavrou, C. Cremers,
and E. Shi, editors, ACM CCS 2022, pages 3121–3134. ACM Press, Nov. 2022.

50
A CP-SNARK for evaluation of multiple polynomials in
AGM
Here we generalize the scheme described in Section 4.1 to the batched setting,
highlighting the parts of the construction that are not needed if hiding is not
desired. In particular, this scheme CPm-evl allows one to prove that for all i
the polynomial fi committed in ci evaluates to yi on the point x. This batched
version, which is given in the ROM, follows from [26,42] and relies on the linearity
of the polynomials and the homomorphic properties of KZG. Our contribution
is to prove its policy-based simulation extractability.
   
KGenm-evl : parse ck as (( sj 1 )j∈[0,d] , ( αsj 1 )j∈[0,d] , [1, s]2 ) and define ek := ck
and vk := [1, s]2 , and return srs := (ek, vk).
Provem-evl (ek, x = (x, (ci , yi )i ), w = (fi , ri )i ): for all i compute the polynomials
πi (X) such that πi (X)(X − x) ≡ fi (X) − yi , the polynomials πi′ (X) such
that πi′ (X)(X − x) ≡ ri (X) − r(x), ρ ← RO(batch∥x), and output
X X 
ρi−1 [πi (s)+απ ′ (s)]1 , ρi−1 ri (x)
i i

Verifym-evl (vk, x = (x, (ci , yi )i ), (π, y ′ )): compute ρ ← RO(batch∥x) and output
1 iff
" #
X X
e( i−1
ρ ci − ρ yi − [αy ′ ]1 , [1]2 ) = e(π, [s − x1 ]2 ).
i−1

i i 1

Similarly to CPevl, we can prove that CPm-evl achieves F -leaky P zero-knowledge

(see Definition 11) where F (x = (x, (ci , yi )i ), w = (fi , ri )i ) = i ρi−1 ri (x) and
ρ = RO(batch∥x).
We define the simulator S = (S0 , S1 , S2 ), where S0 outputs the trapdoor
information s, α together with the srs, S2 simulates the random oracle on any
input via lazy sampling, and S1 simulates proofs for x = (x, (ci , yi )i ) and
P leakage
y ′ byPoutputting π = ((c − [y]1 − [αy ′ ]1 )(s − x)−1 , y ′ ), where c ← iρ
i−1
ci ,
i−1
y ← i ρ yi for ρ ← S2 (batch∥x).
s-adpt
The extraction policy. The extraction policy Φm-evl is naturally extended
from the single point case of CPevl. The evaluation points xj for the instances
for which the adversary can see simulated proofs are selectively chosen indepen-
dently of the commitment key, while the evaluation values (yi )i can be arbi-
trarily chosen by the adversary. Each policy ΦD in the family is a tuple of the
form (ΦD D
0 , Φ1 ). Each policy ΦD is a tuple of the form (Φ0 , Φ1 ), as defined in Sec-
D
tion 3.1, where Φ0 outputs the parameters ppΦ while Φ1 outputs a virdict bit.
In particular, ΦD 0 on input group parameters ppG outputs ppΦ := (coms, Qx ),
where coms is a vector of commitments sampled from D, and Qx is a set of Qx
evaluation points.
For sake of clarity, we define the policy Φ1 as the logical conjunction of a
“simulator” policy Φsim and an “extractor” policy Φext , i.e. Φ1 = Φsim ∧ Φext , the

51
first defines rules under which we can classify a simulation query legal, while
the second defines rules under which the extractor must be able to extract a
meaningful witness. We highlight the parts needed only for the hiding setting.
Definition 24. Let Φsim be the policy that returns 1 if and only if:
1. Points check: let (xi , auxi , πi )i be all the entries of Qsim . Recall that an
instance x can be parsed as (x, (c, y)), check that ∀i : xi .x ∈ Qx .
2. Commitment Check: For any i ∈ [Qsim ], parse auxi as the leakage value
yi′ and the representation vectors for xi .c and πi ; in particular, let Mi =
Fi ∥Vi ∥Ci be the algebraic
representation of the commitments xi .c. For any
i check that Fi ∥Vi · ek + Ci · coms = xi .c (namely, that the commitments
in the instance xi are computed as a linear combination of the simulated
commitments and the elements of G1 of the SRS)
3. Algebraic Consistency: The simulation queries satisfy the algebraic con-
sistency for CPm-evl . Namely, let IJ = {i : xi .x = xj } and let Rj =
(Ci )i∈IJ . Check that for all j: (i) the system of linear equations Rj · z = yj
has at least a solution, where z are the variables and yj = (xi .y + Fi ·
(1, xj , . . . , xdj )⊤ )i∈IJ , and (ii) the system of linear equations Rj · z′ = y′j has
at least a solution, where z′ are the variables and y′j = (yi′ + (1, ρi , . . . , ρm i )·
d ⊤
Vi · (1, xj , . . . , xj ) )i∈IJ , and ρi = RO(batch∥xi ).
Next, we define the policy Φext as the logical disjunction of two policies. We recall
and extend the notation introduced in Section 4.1: let gc : G∗1 × {0, 1}∗ → {0, 1}
be a function that on inputs a list of group elements ci and a string s, that can
be parsed as a list of group elements ĉi followed by a second string s̃, outputs 1
iff ∀i, ∃j : ci = ĉj .
Definition 25. Let Φext , Φrnd der
ext and Φext be predicates that parse the forgery in-
∗ ∗ ∗ ∗
stance x = (x , c , y ).
– Φrnd
ext returns 1 if and only if there exists a query (s, aux, a) to the random ora-
cle and aux contains a non-constant polynomial h(X) such that the following
conditions are satisfied:
1. Hashing check: (s, aux, a) ∈ QRO
2. Decoding check: gc (c∗ , s) = 1.
3. Polynomial check: gh (h, aux) = 1, where gh : F[X] × {0, 1}∗ → {0, 1}
is a function that on input a polynomial h(X) and a string aux outputs
1 iff h(X) is encoded in aux.
4. Computation check: h(a) = x∗ .
∗ ∗ ′ ′ ∗ ∗
– Φder
ext returns 1 iff ∃(x, ·, π) ∈ Qsim s.t. x := (x , c , y ) and (y , π) ̸= (y , π ).
rnd der
– Φext returns logical disjunction of Φext and Φext .
Theorem 6. For any witness sampleable distribution D that is D-Aff-MDH-
secure (see Definition 5), any bilinear-group generator GroupGen that samples
the generator of the group G1 uniformly at random, ∀ΦD ∈ Φs-adpt
m-evl , the scheme
CPm-evl is ΦD -simulation-extractable in the AGM. In particular, there exists E
such that for any algebraic adversary A:
D -se
AdvΦ
CPm-evl,A,S,E (λ) ≤ O(ϵ(Qx +d+1)-DL (λ)) + O(ϵAff-MDH (λ)) + poly(λ)ϵh

52
where d is the maximum degree supported by CPm-evl, ϵ(Qx +d+1)-DL (λ) is the
maximum advantage for any algebraic PT adversary against the (Qx + d + 1)-
strong Discrete-Log Assumption, ϵAff-MDH (λ) is the maximum advantage for any
algebraic PT adversary against the D-Aff-MDH Assumption, h is the polynomial
that satisfies the Polynomial check of ΦD , and ϵh = deg(h)
q .

Proof (of Theorem 6). The goal of the proof is to show that for any algebraic
D -se
A there exists an extractor E such that Pr[ExpΦ Πm-evl ,A,S,E (λ) = 1] is negligible.
Since A is algebraic (cf. Definition 1), for each group element g that it pro-
duces, it additionally attaches a representation vector rg := f g ∥cg ∥og such that:

g = ⟨f g , ek⟩ + ⟨cg , coms⟩ + ⟨og , proofs⟩.

where ek are all the group elements of the SRS, coms = ([ci ]1 )i∈[Qc ] are the
simulated commitments, and proofs are the simulated proofs.
The algebraic assumption applies to each query (x = (x, (ci , yi )i ), aux) to the
oracle S1 , in which case we can parse aux as ((rci )i , aux′ ) such that rci is the
representation of ci , as well as to each query (s, aux) to S2 , in which case aux
includes a valid representation for all the group elements gi encoded in s, i.e.,
such that gc (gi , s) = 1.
∗
Furthermore, when returning its forgery x∗ = (x∗ , (c∗i , yi )i ), [π]1 , the alge-
braic adversary encodes a polynomial h(X) in auxϕ , and stores in auxE the
representation vectors {rc∗i }i and rπ∗ for the group elements (c∗i )i and π ∗ .
We can assume w.l.o.g. that all the simulation queries and the forgery of
the adversary A agree with the policy ΦD , as otherwise the adversary would
automatically lose the experiment. In particular, we assume that the forgery
satisfies the extraction predicate Φrnd
ext : we show in Lemma 27 why this is without
loss of generality. For every query (x = (x, (ci , yi )i ), aux) to the oracle S1 , recall
that this means that oci = 0 for all i.
We define the extractor E to be the canonical extractor that, given auxE ,
returns the polynomials (fi (X))i where:

fi (X) = ⟨f c∗i , (1, X, . . . , X d )⟩

ΦD -se
We let H0 (A) be the ExpΠ m-evl ,A,S,E
(λ) experiment (executed with adversary
A).
Hybrid H1 . This is a modification of H0 in which the adversary is allowed to
only do queries to S1 of the form (x = (x, c, y), aux) (i.e., for single evaluations)
and such that f c = 0. This means that an adversary not meeting this requirement
loses, i.e., the hybrid returns 0. As we show in the following lemma, we can
perfectly simulate adversaries in H0 using an adversary in A1 . Such a change is
useful as it allows us to later consider “simpler” adversaries.

Lemma 18. For any A0 there exists A1 such that Pr[H1 (A1 )] = Pr[H0 (A0 )].

Proof. We build A1 runs A0 providing its own inputs and forwarding all the ran-
dom oracle queries, except for S1 queries that are handled as follows. Whenever

53
A0 makes a simulation query (x = (x, (ci , yi )i ), aux), A1 proceeds as described
below.

– For every i, parse rci := f ci ∥cci ∥oci and define fi (X) := ⟨f ci , (1, X, . . . , X d ).
– Compute yi′ ← fi (x), πi′ (X) ← (fi (X) − yi′ )/(X − x) and πi′ ← [πi′ (s)]1 ,
which is essentially a “honest” evaluation proof w.r.t. a commitment to the
polynomial fi (X), input x and output yi′ .
– For every i, ask the query (x, ci − [fi (s)]1 , yi − yi′ ) to its simulation oracle.
Notice that the queried commitments satisfy the condition f = 0. Let π̃i be
the obtained proofs.
– “Merge” these proofs by computing πi ← πi′ + π̃i . One can verify that πi is
a valid evaluation proof for (x, ci , yi ).
– Aggregate all the proofs by computing π ← i ρi−1 πi , where ρ ← S2 (x).
P

Hybrid H2 . Recall that D is witness sampleable, thus according to Definition 4

there exists a PPT algorithm D̃ associated with the sampler D. The hybrid ex-
periment H2 is identical to the previous one, but the group elements in coms
are “sampled at the exponent”, i.e., we use D̃ to first generate the field ele-
ments γ, we compute coms ← [γ]1 , and we also add γ to stS . By the witness
sampleability of D, H1 and H2 are perfectly indistinguishable, i.e., for any A
Pr[H2 (A)] = Pr[H1 (A)].
Hybrid H3 . In this hybrid, we change the way we generate the SRS srs with S0
and the way in which S1 simulates
proofs.
Let
 (G 1 , G 2 , G
 T , e), [1] 1 , [1]2 ←$ GroupGen(1λ ), sample s ←$ F and com-
D+d
pute s, . . . , s 1
, [1, s]2 , where D ← Qx + 1. Let xr ←$ F, and let p(X) be
the vanishing polynomial in Qx ∪ {xr }, namely:
Y
p(X) := (X − xr ) (X − x).
x∈Qx

Let also pj (X) := p(X)(X − xj )−1 , for j ∈ [Qx ]. In this game S0 computes:

– ppG := ((G1 , G2 , GT , e), [p(s)]

 1 , [1]2 ), 
– srs := (ek, vk), where ek ← p(s), p(s)s, . . . , p(s)sd 1 and vk ← [1, s]2 ,
– coms :=  [p(s)γ]1 , 
– stS := 1, s, . . . , sD+d 1 , [1, s]2 , γ.

Upon a query of the form (x = (x, c, y), aux = (rc , aux′ )) to S1 such that x =
xj ∈ Qx , we proceed as follows.

– Parse rc := f c ∥cc ∥oc (recall, oc = 0 by simulation policy and f c = 0 by the

change introduced earlier).
– Compute π ← [(⟨cc , γ⟩ − y) · pj (s)]1 , which is a valid simulated proof w.r.t.
commitment [⟨cc , γ⟩p(s)]1 , input x and output y.

We now show that the view offered to the adversary A in the two experiments
is statistically close.

54
 Qx +1+d
Lemma 19. For any A Pr[H3 (A)] ≤ Pr[H2 (A)] + q .

Proof. Let us first look at the distribution of the input provided to A. Notice
that in H3 we sample from GroupGen the description of the group, and then
we set the generator of G1 to be [p(s)]1 which, thanks to the random root xr ,
is distributed uniformly at random even given the value s. This however holds
except with the negligible probability Qx +1+d
p that s is one of the roots of p(X).
Second, it is not hard to verify that the simulated proofs generated in the
hybrid H3 pass the verification equations. Since the proofs are unique, given
the SRS and the statements, the simulated proofs created in H3 are distributed
identically to the simulated proofs generated by the simulator S1 in H2 . ⊔
⊓

Hybrid H4 and core adversaries. This is a modification of H3 in which

we provide the adversary with a slightly different random oracle interface and in
which the adversary loses if in its forgery there is a commitment c∗i and associated
representation vector such that f c∗i ̸= 0. The random oracle is changed only in
the sense that each input queried to the random oracle in H4 may contain more
elements than the same query in H3 . We call an adversary that satisfies this
additional requirement of H4 , i.e., f c∗i = 0 for all i, a core adversary.
To continue the proof, we show how to perfectly simulate any adversary A
playing in H3 using a core adversary Ac that runs in hybrid H4 .

Lemma 20. For any A there exists Ac such that Pr[H4 (Ac )] = Pr[H3 (A)].

Proof. We define Ac as follows. Whenever the adversary A outputs a group

element g it provides a representation vector rg := f g ∥cg ∥og for g such that:

g = ⟨f g , ek⟩ + ⟨cg , coms⟩ + ⟨og , proofs⟩.

The adversary Ac runs internally A and forwards all the queries and answers
from A to its simulation oracle. However, the way of simulating RO queries must
ensure to not alter the result of the extractor policy, i.e. the “hash-check” for x∗ .
For this reason, we cannot simply forward the queries of A to the random oracle.
Therefore, we keep track of the queries made by A in the list QRO,A and the list
of queries made by the core adversary in QRO . More in detail, when A queries
the RO with (s, aux), the adversary Ac makes a “core” RO query (sc , auxc ) such
that:

1. Let s be parsed as (gi )i∈[k] (the group elements in s whose representations

rgi := f gi ∥cgi ∥ogi are in aux) and a string s̃. Notice, since the adversary is
algebraic we can un-ambiguously parse s as such.
2. For each i, Ac computes the group elements gi′ = gi − ⟨f gi , ek⟩. Ac encodes
into the string s′ the group elements (gi , gi′ )i∈[k] .
3. Ac queries its RO with (sc , auxc ), where sc := s′ ∥s̃, and auxc contains the
representations of all the group elements in s′ and the same function h
encoded in aux. Finally, it forwards the output to A, i.e. it adds (s, aux, a)
to QRO,A , and adds (s, sc ) to (the initially empty) Qs .

55
Eventually, the adversary A outputs as forgery a string s and the tuple (x′ , (c′i , yi′ )i , π ′ ),
together with representation vectors (rc′i )i and rπ′ . For every i, let fi (X) :=
⟨f c′i , (1, X, . . . , X d )⟩, yi := fi (x′ ), and qi (X) be such that qi (X)(X − x′ ) =
fi (X) − yi . Let f qi be the vector of the coefficients of qi (X), namely qi (X) :=
⟨f qi , (1, X, . . . , X d )⟩. The core adversary Ac returns for its forgery the string sc
such that (s, sc ) ∈ Qs , and the tuple (x∗ , (c∗i , yi∗ )i , π ∗ ), where:

c∗i ← c′i − Com(ck, fi (X)) = c′i − [fi (s)p(s)]1

x∗ ← x′
yi∗ ← yi′ − yi = yi′ − fi (x′ )
" #
X X
∗ ′ i−1 ′ i−1
π ←π − ρ Com(ck, qi (X)) = π − p(s) ρ qi (s)
i i 1

where ρ is the value obtained by A as the result of the random oracle query on
batch∥(x′ , (ci , yi′ )i ). Ac inserts into P
auxΦ the (correct) algebraic representations
(0∥cc′i ∥oc′i ) for each c∗i and ((f π′ − i ρi−1 f qi )∥cπ′ ∥oπ′ ) for π ∗ .
First, by construction, it is easy to verify that Ac is algebraic if so is A. Thus
we need to show that the forgery of A is valid if and only if the forgery of Ac is
valid too. By construction, we have:
" #
X
∗ ′ ∗ ′
ci := ci − [fi (s)p(s)]1 , π := π − p(s) ρ qi (s) , yi′ := yi∗ − fi (x∗ ).
i−1

i 1

By the verification equation of the forgery of Ac we have:

" #
X X
i−1 ∗
e( ρ ci − ρ yi , [1]2 ) − e(π ∗ , [s − x∗ ]2 ) =
i−1 ∗

i i 1
" # " #
X X X
e( ρi−1 c′ i − ρ i−1
fi (s)p(s) − [yi′ ′
− fi (x )]1 , [1]2 ) − e(π −′
ρ i−1
qi (s)p(s) , [s − x∗ ]2 ) =
i i 1 1 i
" #
X X X
e( ρi−1 c′ i − ρi−1 yi′ , [1]2 ) − e(π ′ , [s − x′ ]2 ) − [p(s) ρi−1 (fi (s) − fi (x′ ) − qi (s)(s − x∗ ))]T =
#1
i i i
"
X X
e( ρi−1 c′ i − ρi−1 yi′ , [1]2 ) − e(π ′ , [s − x′ ]2 )
i i 1

where the last equation holds because for every i we have qi (X)(X − x′ ) =
(fi (X) − fi (x′ )) and x∗ = x′ by definition.
Finally, notice that a forgery is valid for A if it provides a string s that
satisfies the “hash check” of Φext . We have that there exist s, aux, a, and h(X)
such that: (i) gc ((c∗i )i , s) = 1, (ii) gh (h, aux) = 1, (iii) (s, aux, a) ∈ QRO,A , and
(iv) x∗ = h(a) for the forgery of A.
The way Ac simulates the RO queries ensures that for the query s of A to the
RO, the core adversary sent the “core” RO query sc that encodes both vectors

56
(c′i )i and (c∗i )i , thus we have that (i) gc ((c∗i )i , sc ) = 1, (ii) gh (h, auxc ) = 1, (iii)
(sc , auxc , a) ∈ QRO , and (iiv) x∗ = h(a) for the forgery of Ac . ⊔
⊓
Notice that if we run the canonical extractor on the outputs of a core adver-
sary Ac in H4 , the extractor sets the extracted witness to be the zero polyno-
mials.
Hybrid H5 . The hybrid H5 additionally checks that f π∗ ̸= 0 ∨ cπ∗ ̸= 0, and if
the condition holds the adversary Ac loses the game.
Lemma 21. For any Ac it holds Pr[H5 (Ac )] ≤ Pr[H4 (Ac )] + ϵ(Qx +d+1)-DL
Proof. Recall that from the definition of the experiment, upon the ℓ-th query
(x, aux) from Ac to the simulation oracle S1 of the form x = (xj , c, y) and
aux = rc = (0∥cc ∥0) such that c = ⟨cc , coms⟩, the adversary receives the proof
[πx (s)]1 where:
πℓ (X) := (⟨cc , γ⟩ − y)pj (X).
Given the forgery, consider the following polynomials:
|Qsim |
X
c∗i (X) := ⟨cc∗i , γ⟩p(X) + oc∗i ,ℓ · πℓ (X)
ℓ=1
|Qsim |
X
∗ d
π (X) := ⟨f π∗ , (1, X, . . . , X )⟩p(X) + ⟨cπ∗ , γ⟩p(X) + oπ∗ ,ℓ · πℓ (X)
ℓ=1
X
v(X) := ρi−1 (c∗i (X) − yi∗ p(X)) − (X − x∗ )π ∗ (X)
i

By the guarantees of the AGM, we have c∗i = [c∗i (s)]1 and π ∗ = [π ∗ (s)]1 , more-
over, if the verification equation is satisfied by the forgery of Ac , then v(s) = 0.
Next, we show that when the forgery of the adversary is valid the probability
of f π∗ ̸= 0 or cπ∗ ̸= 0 is bounded by ϵ(Qx +d+1)-DL .
First, notice that if the verification equation for Ac holds then polynomial
v(X) must be equivalent to the zero polynomial with overwhelming probability.
In fact, if v(X) ̸≡ 0 and v(s) = 0 then, by Lemma 1, we can reduce Ac to an
adversary against the (Qx + d + 1)-DL assumption. To conclude the proof we
show that, whenever f π∗ ̸= 0 or cπ∗ ̸= 0, we have v(X) ̸≡ 0.
Assume by contradiction that:
X
ρi−1 (c∗i (X) − yi∗ p(X)) − (X − x∗ )π ∗ (X) = v(X) = 0. (12)
i

For this equation to hold, it must be thePcase that the degree of (X − x∗ )π ∗ (X)
is less than or equal to the degree of i ρi−1 (c∗i (X) − yi∗ p(X)). However, by
the definition of π ∗ (X) above, this cannot occur if f π∗ ̸= 0 or cπ∗ ̸= 0 as in
suchP a case the degree of (X − x∗ )π ∗ (X) would be > Qx + 1 while the degree
of i ρ (ci (X) − yi∗ p(X)) is ≤ Qx + 1. Therefore we can conclude that the
i−1 ∗

forged proof π ∗ (s) is a linear combination of the simulated proofs only, i.e., both
f π∗ and cπ∗ are null. ⊔
⊓

57
 The representation of the commitments (c∗i )i and the proof π ∗ computed by
the adversary in the forgery (possibly) depends on the simulated proofs proofs
returned by S1 . This dependence is characterized by the vector of coefficients oτ
for τ ∈ {c∗i }i ∪ {π ∗ }. However, to proceed with the proof it is more convenient
to obtain an equivalent representation that depends on the polynomials pj (X).
This motivates the definition of our next hybrid.

Hybrid H6 . The hybrid H6 finds coefficients o′′τ , for τ ∈ {c∗i }i ∪ {π ∗ } such that:

⟨oτ , proofs⟩ = ⟨o′′τ , ([pj (s)]1 )j ⟩. (13)

Moreover, if there is an index k such that oc∗k ̸= 0 but o′′c∗ = 0 the adversary
k
loses the game.

Lemma 22. For any PPT Ac we have Pr[H6 (Ac )] ≤ Pr[H5 (Ac )] + ϵAff-MDH

Proof. We begin by showing that the hybrid can compute such alternative rep-
resentations efficiently. We proceed in steps.
Let us parse the simulated proofs proofs := (πj,ℓ )j,ℓ such that πj,ℓ is the ℓ-
th simulated proof obtained by S1 on a query involving the j-th point xj , i.e.,
((xj , ĉj,ℓ , yj,ℓ ), auxj,ℓ ). Also, let cj,ℓ be the algebraic representation for the group
element ĉj,ℓ in auxj,ℓ . For every j ∈ [Qx ], we define Γj as the Qc × Qc matrix
whose ℓ-th column is cj,ℓ .
By construction of S1 in this hybrid we have that for every j ∈ [Qx ] it holds

πj,ℓ := (c⊤
 
j,ℓ · γ − yj,ℓ ) pj (s) 1

h i
and thus π j := (Γ⊤
j γ − y j )p j (s) with yj := (yj,ℓ )ℓ .
1
Without loss of generality, we assume that for each xj the adversary makes
the maximum number of simulation queries (i.e., ℓ ∈ [Qc ]); therefore Γj is a
full rank matrix (this follows from the fact that the simulation queries of the
adversary satisfy the policy Φsim , and in particular the consistent opening checks
of the policy, see Item 3).
Given any vector oτ with τ ∈ {c∗i }i ∪ {π ∗ }, its entry m-th entry oτ,m cor-
responds to the m-th simulated proof in proofs. Therefore, similarly to above,
we denote by oτ,j,ℓ the entry corresponding to proof πj,ℓ and we define oτ,j :=
(oτ,j,ℓ )ℓ .
Then, for every j ∈ [Qx ] we define

o′τ,j ← Γj · oτ,j (14)

π ′j ← (Γ⊤
j )
−1
· πj (15)

58
from which we derive that for any j:
X X
⟨o′τ,j , π ′j ⟩ = ⟨Γj · oτ,j , (Γ⊤
j )
−1
· πj ⟩
j j
X
⊤ ⊤ −1
= o⊤
τ,j Γj (Γj ) · πj
j
X
= ⟨oτ,j , π j ⟩.
j

Note that the value above is equal to ⟨oτ , proofs⟩, up to a permutation of the
indices j.
For all j ∈ [Qx ] let zj := (Γ⊤
j )
−1
· yj , and note that
π ′j = [(γ − zj )pj (s)]1
′
namely πj,i is a valid proof for the instance (ci , xj , zj,i ) w.r.t. the simulated SRS.
The hybrid computes o′′τ,j ← ⟨o′τ,j , (γ − zj )⟩ and sets o′′τ := (o′′τ,j )j∈[Qx ] . By
construction, it holds:
X X
⟨o′τ,j , π ′j ⟩ = o′′τ,j · [pj (s)]1 .
j∈[Qx ] j∈[Qx ]

which proves the first part of the lemma, i.e., computing o′′τ,j satisfying Eq. (13).
In what follows, we prove that if the event that H6 outputs 0 but H5 would
output 1, namely that all the conditions of H5 hold but there is an index k such
that oc∗k ̸= 0 ∧ o′′c∗ = 0, then we can break the Aff-MDH assumption.
k
First, notice that for any j and k oc∗k ,j ̸= 0 implies that o′c∗ ,j ̸= 0, because
k
the linear transformation applied to compute o′c∗ ,j is full rank.
k
Second, take an index j ∗ such that oc∗k ,j ∗ ̸= 0 and set A ← o′c∗ ,j ∗ and
k
ζ ← ⟨zj ∗ , o′c∗ ,j ∗ ⟩.
k
By the above definition of the values o′′c∗ ,j ∗ and our assumption that the “bad
event” of this hybrid is o′′c∗ , = 0, we have that:
k
 
 
⟨A, [γ]1 ⟩ = ⟨o′c∗ ,j ∗ , (γ − zj ∗ )⟩ + ⟨o′c∗ ,j ∗ , zj ∗ ⟩ = [ζ]1 .
 
| k {z } | k
{z }
o′′
c∗ ,j ∗
=0 ζ
k 1

The reduction B to the D-Aff-MDH Assumption takes as input a distribution [γ]1

and runs the experiment as in H5 (it perfectly emulates H5 , and in particular
the simulation oracle, because it knows the trapdoor s “at the exponent”). Then
B computes the coefficients (Ai )i∈[Qc ] and the value ζ as described above, which
is a valid D-Aff-MDH solution. ⊔
⊓

Hybrid H7 . This hybrid proceeds as the previous one except that we abort in
the case the representation vectors of the commitments in the forgery are differ-
ent from the representations provided for the same commitments when querying

59
the batching random oracle. More precisely, let x∗ be the statement returned by
the adversary at the end of its execution and along with the representation vec-
tors {rc∗i }i of the commitments (c∗i )i . Look for the tuple (batch∥x∗ , aux, a) ∈ QRO
(this tuple must exist w.l.o.g. since otherwise we can always define another ad-
versary that makes this query at the very last) and let r̃c∗i be the representation
vectors of the commitments in aux. If there exists an index i such that rc∗i ̸= r̃c∗i
the adversary loses the game.
Lemma 23. For any PPT Ac , Pr[H7 (Ac )] ≤ Pr[H6 (Ac )] + ϵ(Qx +d+1)-DL (λ) +
ϵAff-MDH .
Proof. Let c∗ be a commitment of the forgery with two different representations
rc∗ ̸= r̃c∗ . By definition of core adversary we have that f c∗ = f̃ c∗ = 0. Thus we
have

⟨(cc∗ − c̃c∗ ), γp(s)⟩ + ⟨(oc∗ − õc∗ ), (pj (s))j ⟩ = ⟨∆c , γp(s)⟩ + ⟨∆0 , (pj (s))j ⟩ = 0

Similarly to previous cases, under the (Qx + d + 1)-DL assumption we can write
the equation above symbolically as

⟨∆c , γ⟩p(X) + ⟨∆0 , (pj (X))j ⟩ = 0

which, by looking at the degree of p(X) and pj (X) and the linear independence
of the latter, implies that ⟨∆c , γ⟩ = 0 and ∆o = 0. However, the event that
⟨∆c , γ⟩ = 0 for a nonzero ∆c can be reduced to the Aff-MDH assumption.

Hybrid H8 . The hybrid H8 additionally checks if there exists an index k ∈ [m]

such that rc∗k ̸= 0, and if the condition holds the adversary Ac loses the game.
Lemma 24. For any PPT Ac ,

Pr[H8 (Ac )] ≤ Pr[H7 (Ac )] + ϵAff-MDH + 2ϵ(Qx +1+d)-DL + poly(λ) deg(h)

q .

Proof. We bound the probability that the adversary loses in H8 but not in H7 ,
namely, the probability that ∃k : rc∗k ̸= 0 but the conditions of H7 hold. The
main idea is to do a reduction B to the Aff-MDH when this event happens.
First of all, notice that by the changes introduced earlier we can assume that
the core adversary outputs commitments (c∗ℓ )ℓ and proof π whose representations
are such that f c∗ℓ = f π∗ = cπ∗ = 0, i.e. the adversary only makes use of previous
commitments in coms and simulated proofs in proofs to represent each c∗ℓ , and
only uses the simulated proofs to represent the proof π ∗ .
The reduction B takes as input a distribution [γ]1 and runs the experiment
as in H7 . B aborts if the forgery x∗ = (x∗ , (c∗ℓ , yℓ∗ )ℓ∈[m] ), π ∗ returned by the
adversary is not valid (i.e. either the extraction predicate or the verification
equation is not satisfied) or if rc∗ℓ = 0 for all ℓ. Otherwise, we have that:
" #
X X
ℓ−1 ∗
e( ρ cℓ − ρ yℓ , [1]2 ) = e(π ∗ , [s − x∗ ]2 ) and ∃k : rc∗k ̸= 0
ℓ−1 ∗

ℓ i 1

60
where rc∗k ̸= 0 if oc∗k ̸= 0 ∨ cc∗k ̸= 0.
We can rewrite each commitment and the proof in the forgery as functions
of the coefficients o′′c∗ and o′′π∗ (as computed in the previous hybrid):
ℓ

h i
c∗ℓ := ⟨cc∗ℓ , γp(s)⟩ + ⟨o′′c∗ , (pj (s))j ⟩
ℓ 1
∗
π := [⟨o′′π∗ , (pj (s))j ⟩]1

Since the verification equation is satisfied, and plugging in the AGM represen-
tations we have:
X X X
⟨ ρℓ−1 · cc∗ℓ , γp(s)⟩ + ⟨ ρℓ−1 · o′′c∗ , (pj (s))j ⟩ − p(s) ρℓ−1 · yℓ∗
ℓ
ℓ ℓ ℓ
= ⟨o′′π∗ , (pj (s))j ⟩(s − x∗ ) (16)

For all j ∈ [Qx ], let δj := xj − x∗ ̸= 0. We can rewrite the r.h.s. of Eq. (16) as:

⟨o′′π∗ , (pj (s)(s − x∗ ))j ⟩ = ⟨o′′π∗ , (pj (s)((s − xj ) + δj ))j ⟩

= ⟨o′′π∗ , (p(s) + pj (s)δj ))j ⟩

In Eq. (16), we group all the terms that depend on p(s) on the left side, and we
move all the terms that depend on pj (s) on the right side, thus obtaining:
X
H · p(s) = Lj · pj (s) (17)
j∈[Qx ]

where
X X X
H := ⟨ ρℓ−1 · cc∗ℓ , γ⟩ − o′′π∗ ,j − ρℓ−1 · yℓ∗
ℓ j ℓ
X
Lj := o′′π∗ ,j δj − ρℓ−1 o′′c∗ ,j .
ℓ
ℓ
P
Let v(X) := Hp(X) − j∈[Qx ] Lj pj (X). Notice that because of Eq. (17) we
have v(s) = 0, thus we can assume v(X) ≡ 0, as otherwise we can reduce, by
Lemma
P 1, to the (Qx + d + 1)-DL assumption. It must be the case that both
j∈[Qx ] Lj pj (X) = 0 and H = 0 because the degrees of p(X) and pj (X), for
all j, are different. Moreover, the polynomials
P pj (X) are linearly independent,
namely the only linear combination j aj pj (X) = 0 is the trivial one where the
coefficients aj = 014 , thus Lj = 0 for all j. From this, we have that:

ρℓ−1 o′′c∗ ,j
P
− ℓ
∀j : o′′π∗ ,j = ℓ
.
δj
14
P
To see this, ∀xj ∈ Qx we have that a ′ p ′ (xj ) = aj pj (xj ) since pj (xj ) ̸= 0 and
j′ j j
pj ′ (xj ) = 0 for j ̸= j ′ , and aj pj (xj ) = 0 iff aj = 0

61
Since H must be 0, we have that:
P
X X X ρℓ−1 o′′
c∗ ,j
X
ℓ−1
ρℓ−1 · yℓ∗ = 0.
ℓ
ρ cc∗ℓ ,i γi − δj
ℓ
− (18)
ℓ i∈[Qc ] j∈[Qx ] ℓ

B can derive from Eq. (18) that:

P
X X X ρℓ−1 o′′
c∗ ,j
X
ℓ−1
ρℓ−1 yℓ∗
ℓ
0= ρ cc∗ℓ ,i γi − δj
ℓ
−
i∈[Qc ] ℓ j∈[Qx ] ℓ
X X X ρℓ−1 o′c∗ ,j,i (γi −zj,i ) X
= ρℓ−1 cc∗ℓ ,i γi − ℓ
δj − ρℓ−1 yℓ∗
i∈[Qc ] ℓ i,j,ℓ ℓ
 
 
X  X ℓ−1 ∗ X o′c∗ ,j,i  X ρℓ−1 o′c∗ ,i,j zj,i
= ρ (ccℓ ,i − ℓ
) γ + ℓ
− ρℓ−1 yℓ∗

 δj  i δj
i∈[Qc ]  ℓ
 
j  i,j,ℓ
| {z } | {z }
Ai,ℓ −z
| {z }
Ai

Above, the second equation comes directly from the definition of the coefficients
o′′τ,j , and in the last step we have grouped the terms depending on γi . In partic-
ular, the last equation shows that B can make a forgery in the Aff-MDH game
since it knows z and all the coefficients Ai such that:
X
Ai [γi ]1 = [z]1 .
i∈[Qc ]

For this to be a valid solution in the Aff-MDH game we need the existence of
at least an index i such that Ai ̸= 0. We show that this occurs with all but
negligible probability, i.e., there is a negligible value ν such that Pr[∃i ∈ [Qc ] :
Ai ̸= 0] ≥ 1 − ν.
To this end, consider an arbitrary µ ∈ [Qc ], then we have Pr[∀i ∈ [Qc ] : Ai =
0] ≤ Pr[Aµ = 0]. Thus, for any µ, we have

Pr[∃i ∈ [Qc ] : Ai ̸= 0] = 1 − Pr[∀i ∈ [Qc ] : Ai = 0] ≥ 1 − Pr[Aµ = 0].

Next, let k be the index such that rc∗k ̸= 0. We have

Pr[Aµ = 0] ≤ Pr[Aµ = 0|Aµ,k ̸= 0] + Pr[Aµ,k = 0]

Below, we argue that Pr[Aµ = 0|Aµ,k ̸= 0] is negligible based on the random-

ness of ρ, which can be shown to be chosen by the random oracle after all the
coefficients Aµ,ℓ are defined, and that Pr[Aµ,k = 0] is negligible based on the
randomness of x∗ , which also in this case is chosen by the random oracle after
defining Aµ,k . Furthermore, for the latter, we make use of the assumption that
rc∗k ̸= 0.

62
 P o′c∗ ,j,µ
For every ℓ, we claim that the values Aµ,ℓ = cc∗ℓ ,µ − j (x∗ℓ−xj ) can be fixed
before the random oracle query batch∥x∗ is made. To this end, we start by
showing that that o′c∗ ,j does not depend on x∗ . Let B(j) ⊆ [Qc ] be the subset
ℓ
of indices of the simulation queries that involve xj and that occurred before
the random oracle query that returned x∗ . We observe that for every η ∈ B(j)
it must be oc∗ℓ ,j,η = 0 since the simulated proof πj,η is not in the view of the
adversary. Therefore, we have
X X
o′c∗ ,j,i = Γj,η,i · oc∗ℓ ,j,η = Γj,η,i · oc∗ℓ ,j,η
ℓ
η∈[Qc ] η∈B(j)

and observe that all the rows of Γj belonging to B(j) can all be defined before
x∗ is sampled.
Hence, we have that each Aµ,ℓ depends on the values cc∗ℓ , x∗ , {xj }j , and oc∗ℓ ,j
which can all be defined before the random oracle query batch∥x∗ is made.
Pmassuming the existence of at least a nonzero Aµ,k ̸= 0 we have
Therefore,
that Aµ = ℓ=1 ρℓ−1 Aµ,ℓ = 0 is at most m/q over the random choice of ρ.
Next, we bound Pr[Aµ,k = 0].
Recall that, since the extractor policy Φext holds true, we have that x∗ = h(a)
and (s, aux, a) ∈ QRO where = gc (c∗k , s) = 1 and the function h is the polynomial
encoded in auxϕ . Moreover, by the AGM, since Ac sends a query s (where c∗k is
encoded in s) to the random oracle it also defines coefficients for c∗ k before the
value a, and therefore x∗ = h(a), is defined. Also, it is not hard to see that the
representation vector of c∗k defined by Ac when querying the random oracle must
be the same representation vector used for the forgery. As otherwise we would
break the (Qx + d + 1)-DL assumption. Thus the coefficients cc∗k and o′c∗ ,j are
k
defined by the adversary before seeing the random value x∗ .
Notice that, once the coefficients cc∗k and o′c∗ ,j are fixed, the coefficient Aµ,k
k
can be seen as function of x∗ ∈ Zq , i.e. Aµ,k = Aµ,k (x∗ ), where
X o′c∗ ,j,µ
Aµ,k (X) := cc∗k ,µ + X−xj
k

j
Q P ′ Q
cc∗k ,µ j (X − xj ) + j (oc∗ j ′ ̸=j (xj − X))
′
k
,j,µ
= Q .
j X − xj
Q
Notice that Aµ,k (X)( j (X − xj )) vanishes in at most Qx points in F \ Qx
and vanishes in the set of points Qx . Let R be the set of the roots of such a
polynomial, since h is defined before x∗ is computed, and by union bound:
X
Pr[h(RO(s)) ∈ R] ≤ Pr[h(RO(s)) = r] ≤ Qx deg(h)
q
r∈R

for each string s that encodes c∗k ,

To conclude, we notice that A can submit at
most QRO queries to the RO with strings encoding c∗ , say s1 , . . . sQRO . Thus the
probability that there exists i ∈ [QRO ] such that h(RO(si )) ∈ R is bounded by
QRO Qx deg(h)
q . ⊔
⊓

63
Hybrid H9 . This hybrid proceeds as the previous one except that the adversary
loses if the forgery triggers the following event:
X
ρℓ−1 yℓ∗ = 0 and ∃k : yk∗ ̸= 0
ℓ∈[m]

Lemma 25. For any PPT Ac we have Pr[H9 (Ac )] ≤ Pr[H8 (Ac )] + m/q.
The proof follows by observing that, since all the outputs (yℓ∗ )ℓ are fixed in the
input of the query (batch∥x∗ ) that returns ρ, we can apply the Schwartz-Zippel
lemma.
Hybrid H10 . The hybrid H10 additionally checks if there exists k such that
yk∗ ̸= 0, and if the condition holds the adversary Ac loses the game.
Lemma 26. For any PPT Ac we have Pr[H10 (Ac )] ≤ Pr[H9 (Ac )]+ϵ(Qx +1+d)-DL +
poly(λ) deg(d)
q

Proof. We reduce to the evaluation binding of KZG polynomial commitment for

polynomials of maximum degree Qx + 1 + d, which, in turn, can be reduced to
(Qx + 1 + d)-strong Discrete Log assumption. Let B be the reduction that upon
input ppG , ck = 1, s, . . . , sQx +d+2 1 , [1, s]2 simulates experiment H9 for the ad-


versary Ac . Eventually, Ac outputs its forgeryP (x∗ , (c∗ℓ , yℓ∗ )ℓ , π ∗ ), and B aborts if
yℓ = 0 for all ℓ. Else, the reduction sets y ← ℓ∈[m] ρℓ−1 yℓ∗ , f˜(X) := −y ∗ p(X),
∗ ∗

y := f˜(x∗ ), and computes π to be a valid KZG-proof for ( f˜(s) 1 , x∗ , y). The

 

forgery against evaluation biding of the reduction is set to be (y, π) and (0, π ∗ )
˜ ∗

for the commitment f (s) 1 on the point x .
We need to show that (1) ( f˜(s) 1 , x∗ , 0, π ∗ ) passes the verification equation
 

of KZG commitment where the commitment key is set to ck and that (2) y ̸= 0.
For the first item notice that, by the definition of core adversary, we have that
rc∗k = 0 thus c∗ = [0]1 . Therefore, by the verification equation:

e([0]1 − y ∗ [p(s)]1 , [1]2 ) = e( f˜(s) 1 − 0 [1]1 , [1]2 ) = e(π ∗ , [s]2 − x∗ [1]2 ).

 

For the second item, first notice that by the change in the previous hybrid we
have that y ∗ ̸= 0. Second, notice that f˜(x∗ ) = 0 if and only if x∗ is a root of
p(X), i.e. x∗ ∈ Qx or x∗ = xr . Thus, similarly to the previous lemma, by the
assumption on h and by union bound:

Pr[h(RO(s)) ∈ Qx ∪ {xr }] ≤ QRO (Qx + 1) deg(d)

q .

⊔
⊓
Finally, we have that the probability that the adversary wins in H10 is null.
Indeed, the canonical extractor E outputs the 0 polynomial, moreover because
of the condition introduced in H8 , we have c∗ = [0]1 , and because of the condition
introduced in H1 0 we have y ∗ = 0, thus the witness extracted is valid for the
instance x∗ = (x∗ , ([0]1 , 0)). ⊔
⊓

64
 Finally, we prove that for any algebraic adversary A whose forgery satisfies
the predicate Φder
ext , there exists an algebraic adversary B whose forgery satisfies
the predicate Φrnd
ext .

Lemma 27. For any algebraic adversary A there exists an algebraic adversary
B such that:
D -se Φ′D -se
AdvΦ CPm-evl ,A,S,E (λ) = AdvCPm-evl ,B,S,E (λ)

Proof. The reduction B internally runs A forwarding all the queries, up to the
forgery (x∗ , π ∗ ), where x∗ = (x∗ , (c∗i , yi∗ )i ). If the simulation queries and/or the
forgery of the adversary A do not agree with the policy ΦD , i.e. A automatically
loses its game, B aborts. Otherwise, it must be true that the forgery of A either
(i) satisfies the extraction predicate Φrnd ext or (ii) satisfies the extraction predicate
Φder
ext . Both cases can be efficiently checked by B. In case (i) B would simply
forward the forgery of A retaining the same advantage of A. Otherwise, before
submitting the forgery, B retrieves from Qsim the statement x = (x∗ , (c∗i , yi )i ),
where there exists an index i such that yi ̸= yi∗ . Let πi be a proof for the “single-
eval” statement xi = (x, (ci , yi )): these additional simulation queries submitted
to S1 do not alter the consistency check, because they are consistent with the
∗
simulation for the statement x. Also, let ρ ← RO(batch∥ P i−1 x ) be the coefficient
∗
used for batch-verify the proof π , and let π := i ρ πi . We can define:

ĉ ← π ∗ − π
x̂ ← h(a)
ρ (yi − yi∗ )
P i−1
ŷ ← i
x̂ − x
π − π∗
π̂ ←
x̂ − x
where (ĉ, h, a) ∈ QRO . We need to prove that x̂ := (x̂, ĉ, ŷ) and π̂ satisfy the
(single-eval) verification equation:

ĉ − [ŷ]1 = π̂([s − x]2 )

We notice that the probability that ∃i : yi ̸= yi∗ but ŷ1 := i ρi−1 (yi − yi∗ ) = 0
P
is only negligible; this is because ρ is chosen uniformly at random and after
the values yi∗ and the values yi are determined by the simulation queries made
up to the forgery. Then, the correctness of P thei−1
above forgery follows from Re-
mark 1, where for the same commitment i ρ ci we have two valid openings
( i ρi−1 yi , π) and ( i ρi−1 yi∗ , π ∗ ) on the point x∗ .
P P

65