Multilinear Schwartz-Zippel mod N

and Lattice-Based Succinct Arguments

Benedikt Bünz∗, Ben Fisch†
Stanford University, Yale University

June 14, 2023

Abstract
$ λ µ
We show that for x ← [0, 2 ) and any integer N the probability that f (x) ≡ 0 mod N for
any non-zero multilinear polynomial f ∈ Z[X1 , . . . , Xµ ], co-prime to N is inversely proportional
to N . As a corollary we show that if log2 N ≥ log2 (2µ)λ + 8µ2 then the probability is bounded
by µ+1
2λ
. We also give tighter numerically derived bounds, showing that if log2 N ≥ 418, and
µ ≤ 20 the probability is bounded by 2µλ + 2−120 .
We then apply this Multilinear Composite Schwartz-Zippel Lemma (LCSZ) to resolve an
open problem in the literature on succinct arguments: that the Bulletproofs protocol for linear
relations over classical Pedersen commitments in prime-order groups remains knowledge sound
when generalized to commitment schemes that are binding only over short integer vectors. In
particular, this means that the Bulletproofs protocol can be instantiated with plausibly post-
quantum commitments from lattice hardness assumptions (SIS/R-SIS/M-SIS). It can also be
instantiated with commitments based on groups of unknown order (GUOs), in which case the
verification time becomes logarithmic instead of linear time.1
Prior work on lattice-based Bulletproofs (Crypto 2020) and its extensions required modi-
fying the protocol to sample challenges from special sets of polynomial size. This results in
a non-negligible knowledge error, necessitating parallel repetition to amplify soundness, which
not only impacts efficiency but also poses issues for the Fiat-Shamir transform. Our analy-
sis shows knowledge soundness for the original Bulletproofs protocol with the exponential-size
integer challenge set [0, 2λ ] and thus achieves a negligible soundness error without repetition,
circumventing a previous impossibility result (Crypto 2021). Our analysis also closes a critical
gap in the original security proof of DARK, a GUO-based polynomial commitment scheme (Eu-
rocrypt 2020). Along the way to achieving our result we also define Almost Special Soundness
(AMSS), a generalization of Special-Soundness. Our main result is divided into two parts: (1)
that the Bulletproofs protocol over generalized commitments is AMSS, and (2) that AMSS im-
plies knowledge soundness. This framework serves to simplify the application of our analytical
techniques to protocols beyond Bulletproofs in the future.

1 Introduction
The famous DeMillo-Lipton-Schwartz–Zippel (DLSZ) lemma [DL77; Zip79; Sch80] states that
for any field F, non-empty finite subset S ⊆ F, and non-zero µ-variate polynomial f over
F of total degree d, the number of zeros of f contained in S µ is bounded by d · |S|µ−1 (or
d
equivalently, the probability that f (x) = 0 for x sampled uniformly from S µ is bounded by |S| ).
For µ = 1 this simply follows from the Fundamental Theorem of Algebra, but for multivariate
polynomials, the number of zeros over the whole field could be unbounded. The computational
significance of this lemma is that sampling an element from S only takes n · log2 (|S|) random
bits but the probability of randomly sampling a zero of f from S µ is inversely proportional to
|S|, which is exponential in the number of random bits. One of its original motivations was an
efficient randomized algorithm for polynomial identity testing, but it has since found widespread
application in computer science [KI04].
The classical lemma applies more broadly to integral domains, but not to more general
commutative rings such as the ring ZN . As a simple counterexample, over the ring of integers
modulo N = 2p the polynomial f (X) = pX mod N vanishes on half of the points in [0, N ).
This counterexample exploits the fact that f is of the form f (X) = u · g(X) where u is a
zero-divisor. There are also simple counterexamples for f co-prime to N : setting N = 2λ the
polynomial f (X) = X λ mod N vanishes on half of the points in [0, N ). However, there are no
such counterexamples when f is both multilinear and co-prime to N . In fact, we will show in
this work the probability a random vector from S µ = [0, m)µ is a zero of a µ-linear polynomial
(multilinear with µ variables) co-prime to N is negligible in the minimum of log m and log N .
As we will show in our main result, this special case of f and N still has a surprisingly powerful
∗
[email protected]
†
[email protected]
1
This paper supersedes an earlier pre-print on the LCSZ [BF22] and also incorporates content published in the
updated EPRINT of DARK [BFS19].

1
 application to cryptography that resolves multiple recent open questions in the area of succinct
arguments.
The DLSZ lemma has previously been extended to commutative rings by restricting the set
S to special subsets in which the difference of any two elements is not a zero divisor [BCPS15].
For example, in the case of ZN this would require the difference of any two elements in S to be
co-prime to N . All examples of such sets have O(log N ) size. Our present work explores the
setting where S is the contiguous interval [0, m) and thus does not have this restriction.
As a warmup, it is easy to see that any univariate linear polynomial f (X) = c · X + b
co-prime to N has at most one root modulo N . If there were two such roots x1 ̸≡ x2 mod N
then c(x1 − x2 ) ≡ 0 mod N implies c is a zero divisor (i.e., gcd(c, N ) ̸= 1). Furthermore,
c · x1 ≡ −b mod N implies −b = c · x1 + q · N for some q ∈ Z, and thus, gcd(c, N ) also divides b.
This would contradict the co-primality of f and N . So for x uniformly distributed in S = [0, m)
1
the probability of f (x) ≡ 0 mod N in this case is indeed at most |S| . Unfortunately, this does not
generalize nicely to polynomials of arbitrary degree as illustrated by the counterexample above.
On the other hand, we are able to generalize the lemma in a meaningful way to multivariate
linear polynomials (i.e, at most degree 1 in each variable). We bound the probability of sampling
µ
a zero from S µ = [0, m)µ of a µ-linear polynomial co-prime to N by ϵ + |S| , where ϵ is tightly
bounded by a product of regularized beta functions.
We also formulate an inverse lemma showing that for all sufficiently large N , ϵ is negligibly
small. In particular, for log N ≥ 8µ2 + (1 + log µ)λ, ϵ is at most 2−λ , showing that the prob-
ability decays exponentially. Our technique for deriving this threshold lower bound t(λ, µ) on
N for a target λ formulates t(λ, µ) as the objective function of a knapsack problem. We derive
an analytical solution by deriving bounds on the regularized beta function. We also apply a
knapsack approximation algorithm to find tighter values of t(λ, µ) for specific values of µ and λ.

1.1 Bulletproofs for short pre-images

Using the multi-linear composite Schwartz-Zippel lemma (LCSZ), we can prove that a gener-
alization of the Bulletproofs Polynomial Commitment [BCCGP16; BBBPWM18; WTsTW18]
is secure even with large challenge sets. The generalization allows for commitments to “short”
(i.e., bounded norm) integer vectors. This includes groups of unknown order, such as the RSA
group or class groups, as well as lattice-based commitments (i.e. Ajtai commitments based
on the Integer SIS or Ring-SIS assumptions). The instantiation using commitments based on
groups of unknown order is essentially a variation of DARK [BFS20], and our analysis closes a
vital gap in the security proof that was first discovered by [BHRRS21].2 Unlike the fix proposed
by [BHRRS21], our analysis covers the original DARK protocol and enables the use of a large
challenge space instead of relying on binary challenges. Our analysis is also the first to show that
lattice-based Bulletproofs [BLNS20] (i.e., Bulletproofs instantiated with Ajtai commitmenets)
with a challenge space of exponential size (e.g., [0, 2λ )) has a negligible knowledge error (with-
out parallel repetition). All previous attempts [BLNS20; ACK21b; AL21] had analyzed small,
1
specially constructed challenge sets, which result in a knowledge error o( poly(λ) ), and thus these
protocols used parallel repetition to amplify soundness. In fact, [AL21] give an impossibility
result, showing that the approach of specially constructing such sets is limited and unlikely to
result in a negligible soundness error. Furthermore, parallel-repetition is not always compatible
with the Fiat-Shamir transform [AFK21; Wik21].
Both DARK, as well as the previous analysis of lattice-based Bulletproofs, consider the
special-soundness of the protocol. Informally, special-soundness requires that an extractor can
extract an opening to a vector commitment from any tree of accepting transcripts with distinct
challenges at any branch. By the forking lemma, which shows how to generate such trees,
special-soundness implies knowledge soundness. The special-soundness requirement includes
trees where the differences of challenges are arbitrary, and thus it is difficult to tightly bound
the size of the extracted opening. Bulletproofs over commitments binding only to short vectors
fails to satisfy special-soundness with large challenges. However, using the LCSZ, we are able
to show that Bulletproofs satisfies a more general property we call almost-special soundness
(AMSS), which we show also implies knowledge soundness.

Almost Special Soundness We introduce Almost special soundness (AMSS) as a gener-

alization of Special-Soundness. AMSS protocols are multi-round protocols where every round is
associated with a commitment that is binding over openings to messages in a set W. This does
not have to be an explicit message sent to the verifier but roughly represents the prover’s state
at a round of the protocol. At a very high level, protocols are AMSS if there exists an algorithm
that extracts from any forking transcript tree an opening to these commitments, and if the
opening is not inside a subset W ′ ⊂ W then re-running (or completing) the protocol starting
from this extracted state on fresh challenges would fail (with overwhelmingly high probability)
to result in a transcript accepted by the verifier. One additional key requirement, stated infor-
mally here, is that re-running the protocol on the same challenges would either result in the
same transcript or a break of the commitment scheme. We leverage these combined proper-
ties to show that AMSS protocols are knowledge-sound. We then show that Bulletproofs with
commitments to short pre-images are almost-special sound, which relies on the inverse LCSZ.
2
The same analysis we provide in this paper also applies to DARK in its original form, which is now included in
an updated appendix of the original DARK paper.

2
 As a brief overview, we relax the commitment scheme to allow for rational openings of a
commitment C to a rational f /N such that com(f ) = N · C. The Bulletproofs verifier accepts
the protocol transcript if the final message is a “small” integer. This suggests that if the prover
were to run the honest protocol starting with f /N as its private state, then its success would
imply f (r) ≡ 0 mod N where f is a multilinear polynomial with the coefficients defined by f
and r are the verifier challenges. We can use the inverse LCSZ to show that if N is too “large”
and r is sampled randomly then this probability is negligible. Making this analysis formal is
non-trivial, and we present a summary of the ideas in the technical overview below.
Along the way to showing that AMSS implies knowledge soundness we also introduce a
variant of the standard forking lemma, which we call the path predicate forking lemma. This
lemma shows the existence of a PPT algorithm to generate a transcript tree satisfying additional
properties for AMSS protocols that enable the efficient extraction of a witness.

Fiat-Shamir transform The Fiat-Shamir transform is a method for transforming an in-

teractive protocol with a public coin verifier into a non-interactive publicly verifiable protocol
by replacing the verifier public-coin challenges with hashes of the prover’s messages. Recent
work [ACK21a; Wik21] has shown that the Fiat-Shamir transform is secure for multi-round
special-sound protocols. However, the security proof does not translate immediately to almost
special-sound (AMSS) protocols. We prove security of the Fiat-Shamir transform for AMSS
protocols with computationally unique commitments, where it is infeasible to open two distinct
commitments to the same message. The deterministic variants of DARK and Ajtai commitments
have this property.

1.2 Related work

Lattice-based Bulletproofs Most practical lattice-based succinct proof systems have
p fo-
cused on single-round protocols. These protocols [LNS21; ALS20; ENS20; NS22] have o( (m))
communication complexity.Bulletproofs [BCCGP16; BBBPWM18] is a multiround argument
of knowledge for the opening of discrete-logarithm-based vector commitments. Using a fold-
ing technique, one can prove knowledge of a vector of size m using only 2 log2 (m) λ-bit sized
messages. Bootle et al. [BLNS20] ported the protocol to the lattice setting using Ring-SIS
commitments. They rely on a small challenge set (the challenges are monomials with binary
coefficients), such that the differences of any two challenges divide 2 in the ring. This allows
them to extract an opening to the lattice-based vector commitment from a tree of transcripts.
However, the small challenge space as well as the blow-up in the opening size, increase the
total opening size to O(λ2 log2 (m)), instead of O(λ log(m)) for normal Bulletproofs. [ACK21b]
generalize the techniques of [BLNS20] for more general challenge sets, i.e. special sets where
differences in challenges are invertible. This also enables a generalization from Ring-SIS to other
modules. [AL21] further generalizes the challenge set Q to so-called subtractive sets. These are
sets such that for any t-sized subset T and c ∈ T , c′ ∈T \{c} (c − c′ ) divides a ring-element s.
They construct a (2, 3) sized set of size O(m) for a 2m extension of the integers. This means that
the challenge set is only linear in the bits of the message space as opposed to being exponential,
necessitating parallel repetition to amplify soundness. Beyond increasing the communication
this also poses difficulties for the security of the Fiat-Shamir transform [AFK21; Wik21]. More-
over, [AL21] show that the subtractive sets they construct are nearly optimal, implying the
limits of this approach. [AL21] state that “unless fundamentally new techniques are discovered”
the small challenge sets and thus, the resulting Ω( n1 ) knowledge error, “represents a barrier to
practically efficient lattice-based succinct arguments in the Bulletproof framework”.
Our work overcomes this barrier, showing that lattice-based Bulletproofs can be instantiated
with an exponential-sized challenge set and a negligible knowledge error. The analysis is based
on our variant of the DLSZ lemma for multilinear polynomials mod composite N (i.e., our LCSZ
lemma). It also demonstrates compatibility with the Fiat-Shamir transform. Specifically, we use
the integer set [0, 2λ ) as in the original Bulletproofs protocol. To achieve the same soundness
level prior variants of lattice-Bulletproofs [BLNS20; ACK21b; AL21] required O(λ/ log(m))
parallel repetitions where m is the degree of the cyclotomic polynomial of the ring used for M-
SIS commitments. On the other hand, we require a larger modulus for the M-SIS commitment.
With vectors of length n over Zp the modulus q in our case is O(λ log n + log p) bits, whereas
when using a smaller challenge set of size m the modulus q can be O(log m log n + log p). Our
performance benefit is thus optimized when log p ≈ λ log n. Unfortunately, this means that for
p ≪ nλ there isn’t yet a clear performance benefit over prior work based on subtractive sets. An
interesting direction for future work is to look at ways to pack the coefficients of vectors over
a smaller modulus p′ ≪ p into vectors over the larger modulus and still make use of the linear
form opening. Another direction is to use an exponential-size challenge set of smaller norm
elements (i.e., over the polynomial ring rather than integers), but this would require further
generalizations of the LCSZ lemma.

DARK and Groups of Unknown Order The DARK Polynomial Commitment [BFS20]
is a polynomial commitment with succinct verification using groups of unknown order. If instan-
tiated with class groups (see [BH01]) the protocol does not require a trusted setup. The scheme
is particularly interesting because of the short proof sizes. Unfortunately, the original scheme
had a gap in the security proof that was first discovered by [BHRRS21]. [BHRRS21] provide
a fix by using binary challenges but this blows up the proof size. [AGLMS22] provide another

3
fix which allows for large challenges but requires significantly larger parameters, resulting in a
proof system that has a setup and prover runtime that are quadratic in the length of the prover’s
witness.

2 Technical overview
The regular DLSZ is relatively simple to prove. Consider the special case of a multilinear
polynomial over a field. As a base case, a univariate linear polynomial has at most one root over
the field. For the induction step, express f (X1 , ..., Xµ+1 ) = g(X1 , ..., Xµ ) + Xµ+1 h(X1 , ..., Xµ )
for random variables X1 , . . . , Xµ+1 . The probability that h(x1 , ..., xn ) = 0 over random xi
sampled from S is at most µ/|S| by the inductive hypothesis, and if h(x1 , ..., xµ ) = w ̸= 0 and
g(x1 , . . . , xµ ) = u, then u + Xµ+1 w has at most one root (base case). By the union bound,
the overall probability is at most µ/|S| + 1/|S| = (µ + 1)/|S|. This simple proof does not
work for multilinear polynomials modulo a composite integer. The base case is the same for
f coprime to N, which has at most one root. However, in the induction step, it isn’t enough
that h(x1 , ..., xµ ) ̸= 0 as it still may be a zero divisor, in which case the polynomial u + Xµ+1 w
is not necessarily coprime to N and the base case no longer applies. The number of roots
depends on gcd(u + Xµ+1 w, N ) and our new analysis takes into account its distribution. For
each prime divisor pi of N , the highest power of pi that divides u + Xµ+1 w follows a geometric
distribution. Using a modified inductive argument, we are able Pnto show that the probability
f (x1 , . . . , xµ ) ≡ 0 mod pr is bounded by the probability that i=1 Zi ≥ r for i.i.d. geometric
variables with success parameter 1 − p1 . This probability is equal to a I p1 (r, µ) where I is the
regularized beta function. Furthermore, by CRT this probability is independent for each prime
factor of N , and thus, the overall probability can be bounded by a product of regularized beta
functions.

Inverse lemma While our main theorem gives a tight bound on the probability for particular
values of N, µ, and m, cryptographic applications require finding concrete parameters such that
the probability is exponentially small in a security parameter λ. Concretely, we want to find a
value N ∗ such that for all N ≥ N ∗ the probability that f (X1 , . . . , Xµ ) ≡ 0 mod N is bounded
by 2−λ . To do this, we first derive simple and useful bounds for the regularized beta function:
 r
• I p1 (r, µ) ≤ np for p ≥ 2µ
rn
• I p1 (r, µ) ≤ pr for r ≥ 2µ
• log(I1/p (r − 1, µ)) − log(I1/p (r, µ)) is non-increasing in r for any p > µ and for r = 1 in p.
We then formulate finding N ∗ as an optimization problem. N ∗ is the maximum value of
N such that the probability of f (x) ≡ 0 mod N is greater than 2−λ . For any N let S(N )
denote the set of pairs (p, r) where p is a prime divisor of N with multiplicity r. Taking
the logarithm of both the objective and the constraint P yields a knapsack-like constraint max-
imization problem where the objective is log(N ∗ ) = (pi ,ri )∈S(N ∗ ) ri · log(pi ) and the con-
P
straint is (pi ,ri )∈S(N ∗ ) − log(I p (r, µ)) ≤ λ. Using the bounds on I p1 and several transforma-
1
i i
tions of the problem we show that any optimal solution to this problem must be bounded by
t = 8µ2 + log2 (2µ)λ, which in turn implies that N ∗ ≤ 2t .

Tighter computational solution We further show that a simple greedy knapsack algo-
rithm computes an upper bound to the knapsack problem. The algorithm uses the fact that
log(p)
log(I1/p (r−1,µ))−log(I1/p (r,µ)) the so-called marginal density of each item is non increasing over
certain regions. Adding the densest items to the knapsack computes an upper bound to the
objective. We run the algorithm on a large number of values for µ and λ and report the result.

2.1 Bulletproofs for Short Pre-Images and Almost Special Soundness

In the Bulletproofs Inner Product Argument a prover convinces a verifier that it knows the
opening f ∈ Fnp to a homomorphic commitment C = com(f ) ∈ G where G is a prime-order group.
At a very high level, it does this by iteratively computing f⃗′ = fL +x·fR ∈ Fn/2 , where fL , fR are
the left and right half of f respectively and x ∈ F is a verifier generated challenge, and sending
a commitment to the new f ′ to the verifier. After log2 (n) rounds, the prover sends a single field
element as the final message. This naturally generalizes to homomorphic commitments that
map vectors in Zn to a group G, where G is either prime or unknown. We consider schemes that
may only be binding to short vectors in Zn , or more generally binding under what we call short
rational openings that open C to h = f /N by showing N · C = com(f ), where the numerator
and denominator of h have bounded norms in reduced form. The Bulletproofs protocol operates
in exactly the same way over integer vectors but using these more general instantiations of the
commitment scheme. Additionally, the verifier checks that the final message is a “small” integer.
In the soundness analysis, we leverage the fact that the final integer is small in order to bound the
numerator/denominators of the prover’s witness. This is where we invoke the new LCSZ lemma
for multilinear polynomials. Intuitively, if the prover’s private state at the start of protocol is a
rational vector f /N , i.e. com(f ) = N · C, then running protocol will result in a final integer y
that is the evaluation of a multi-linear polynomial f with coefficients f⃗ at the log2 (n) challenges

4
x ∈ Zlog2 (n) : y = f N
(x)
. Note, that since y is an integer, we can deduce that f (x) ≡ 0 mod N .
We LCSZ to show that if N is too ’large’, then this probability is small.
For commitments binding over Zp , Bulletproofs satisfies special-soundness: there exists an
efficient extractor that can extract a witness (i.e., an opening to the input commitment) from
any forking tree of transcripts. Special-soundness implies knowledge-soundness by the classic
forking lemma, which shows how to generate a transcript tree in polynomial time. Unfortunately,
Bulletproofs with commitments that are only binding over bounded norm openings fails to satisfy
special-soundness because the opening extracted from a forking tree of transcripts may have a
very large norm. On the other hand, it turns out that we can leverage the intuition above in
order to bound the size of extracted openings. Along the way, we introduce a new notion called
almost-special soundness.

Almost Special Soundness A k-ary transcript tree for a µ-round public-coin interactive
proof labels each node of a k-ary µ-depth tree with a prover message and each edge with a
verifier public-coin challenge so that the labels along any root-to-leaf path in the tree form a
valid transcript between the prover and verifier that would cause the verifier to accept. An
interactive proof for a relation R is k (µ) -special-sound if there exists an extractor that can
efficiently extract a witness w from any k-ary tree of protocol transcripts for input x so that
(x, w) ∈ R. Bulletproofs for standard Pedersen vector commitments has this property for 3-
ary trees, but not for vector commitments with bounded-norm openings because the extractor
may obtain an opening that has a too large norm. On the other hand, if a prover running the
protocol honestly were to start in its head with an opening of the commitment that has a too
large norm there is a negligible probability over the random challenges that it would result in a
valid transcript. The probability analysis relies on LCSZ.
This observation suggests the following strawman extraction analysis: show that one of
the valid transcripts in the tree corresponds to running the honest prover on the extracted
opening/witness, and conclude that if the extracted opening had large norm then it would have
a negligible probability of resulting in a valid transcript. A fallacy in this argument is that the
extracted witness is computed from the transcripts, and is thus dependent on the challenges
appearing in the transcripts, whereas running the prover on a large norm witness only results
in an invalid transcript with high probability over challenges sampled independently from the
witness. To address this we could attempt the following: generate a 4-ary tree T via rejection
sampling from polynomially many random simulations, extract an opening w∗ from its 3-ary
left subtree TL , show that some transcript tr in T \ TL is the result of running the prover on w∗ .
The extracted witness is now independent of the challenges appearing in tr and was well-defined
during the generation of T , after TL was created and before tr was added. Given that T was
generated via polynomially many random simulations we can argue this event had a negligible
probability of occurring.
The remaining challenge, however, is to show that some transcript tr in T \ TL is consistent
with running the honest prover on the extracted witness w∗ . It turns out that for protocols
like Bulletproofs this is only true when the extracted witness is already a valid opening of the
input commitment within the space over which the scheme is binding, which seems to bring us
back to square one. For example, the transcript for a single round Bulletproofs protocol over
an input commitment C to a vector in Z2 and commitment basis g = (gL , gR ) ∈ G2 consists
of (C, CL , CR , r, f ′ ) ∈ G3 × Z such that f ′ · (gR + rgL ) = CR + r2 CL + rC. Given an opening
f = (fL , fR ) such that com(f ) = ⟨f , g⟩ = C and ⟨(0, fL ), g⟩ = CL and ⟨(fR , 0), g⟩ = CR then
“re-running” the protocol on the openings with challenge r gives f ∗ = fL + r · fR such that
f ∗ · (gR + rgL ) = CR + r2 CL + rC = C ∗ . If f ∗ is sufficiently small then this implies f ∗ = f ′ ,
otherwise it is a break of the commitment scheme as it provides conflicting openings to C ∗ .
However, f ∗ is only guaranteed to be small if the extracted opening f has low norm.
To get around this issue, we can increase the parameters of the commitment scheme so that
it is binding over slightly larger openings, and we will argue level by level that the extracted
openings remain small (using the independent path and the fact that re-generation of transcripts
either returns the same commitments/messages or a break of the commitment scheme). In other
words, while we want to show that every extracted value remains below some norm bound A,
each extraction step produces a value that might be as large as some bound B > A, but for
which the scheme is still binding, and thus re-running the protocol on this value will conflict
with some path in the transcript tree with overwhelmingly high probability if too much larger
than A. This allows us to bound the norm growth at each level by some sufficiently small value
C ∈ (A, B). Crucially, while the growth from A to B is at least quadratic in A, the growth from
A to C will be constant.
We generalize this to the notion of Almost Special Sound (AMSS) protocols and replace the
bounds A and B with arbitrary predicates ϕa and ϕb . We prove that all protocols with this
structure are knowledge sound, just like special-sound protocols, where the knowledge error is
dependent on the probability that a random completion of a transcript starting from a message
that fails predicate ϕa results in a valid transcript. Intuitively, this captures the fact that once
the adversary has a private state that fails the desired extraction predicate, it will fail with
overwhelming probability over fresh challenges to complete the proof transcript successfully.
Our proof that AMSS implies knowledge-soundness relies on a lemma that we call the path
predicate forking lemma (Lemma 9). The usual forking lemma shows how to generate forking
transcript tree, which in special-sound protocols can be passed directly to the extractor. In our
case, we need to generate transcript tree that satisfies additional predicates on each node. In

5
the standard forking lemma [BCCGP16], the predicate would simply be that challenges on each
child of a node in the transcript tree are distinct from previous challenges. Our new lemma
considers more general predicates, which may depend on partial transcripts that have already
been generated in the course of the transcript generation algorithm. The analysis is similar and
uses a union bound over all polynomial steps of the transcript tree generation process.

Fiat-Shamir transform The analysis showing that AMSS protocols are knowledge-sound
critically relies on the fact that in the transcript tree generation process for an interactive pro-
tocol, the challenges on any given branch are sampled uniformly and independently. This is
used to show that the transcript tree generated satisfies a certain property with overwhelming
probability. The Fiat-Shamir transform converts an interactive public-coin protocol into a non-
interactive protocol by replacing the verifier’s messages with a transcript hash. The problem
with applying the Fiat-Shamir transform to an AMSS protocol is that the adversary can now
grind the challenges in each round when generating a transcript, breaking uniformity and in-
dependence of challenges. Using a union bound, we could still bound the probability that the
transcript tree does not have the desired property, but this would result in a factor Qµ loss
where Q is the number of queries an adversary performs, and µ is the number of rounds in the
protocol. However, we can instead focus on protocols where grinding challenges is impossible for
the adversary. To do this, we introduce the notion of computationally unique commitments. In a
computationally unique commitment scheme, it is infeasible to open two distinct commitments
to the same message. We prove that this property is held by a large class of deterministic homo-
morphic commitment schemes, which include those from groups of unknown order and lattice
assumptions. We prove security of the Fiat-Shamir transform for AMSS protocols in the random
oracle model with computationally unique commitments. This analysis is in Appendix D.

3 Main theorem statement (LCSZ)

Qℓ
Theorem 1 (Multilinear Composite Schwartz-Zippel (LCSZ)). Let N = i=1 pri i for distinct
primes p1 , ..., pℓ . Let f be any µ-linear integer polynomial co-prime to N . For any integer m > 1
and x sampled uniformly from [0, m)µ :
ℓ
µ Y
Px←[0,m)µ [f (x) ≡ 0 mod N ] ≤ + I 1 (ri , µ),
m i=1 pi

P∞ µ+r−1

 1 j
where I p1 (r, µ) = (1 − p1 )µ j=r r p is the regularized beta function.
Remark 1. The regularized beta function characterizes
Pµ the tail distribution of the sum of
independent geometric random variables. If Y = i=1 i where each Zi is an independent
Z
geometric random variable with parameter ϵ then P [Y ≥ r] = I1−ϵ (r, µ). Y is a negative
binomial variable with parameters ϵ, µ.
Remark 2. A close reading of the proof reveals Qℓ that if m = N , then the theorem statement
simplifies to Px←[0,N )µ [f (x) ≡ 0 mod N ] ≤ i=1 I p1 (ri , µ). This is because x is uniform mod
i
N and thus uniform mod any N ∗ |N .
Qµ
Remark 3. The theorem is nearly tight for all N . Setting f (x) = i=1 xi and m = N gives
Qℓ
Px←[0,m)µ [f (x) ≡ 0 mod N ] = Px←[0,N )µ [f (x) ≡ 0 mod N ] = i=1 I p1 (ri , µ).
i

−µ/pi µ
Remark 4. 1−e ≤ I (1, µ) =
1
pi
1−(1− p1i )µ ≤ pi . Hence, for square-free N the probability
µ µℓ
in Theorem 1 is upper bounded by + N,
but for ℓ > 1 this is a loose upper bound unless
m
µ ≪ pi for all pi |N . For ℓ = 1 (i.e., prime N ), Theorem 1 coincides with the Schwartz-Zippel
lemma.
  ri
Remark 5. I p1 (ri , 1) = p1i . Hence, for µ = 1, the bound in Theorem 1 is N1 + m1
.
i

We defer the proof of Theorem 1 to Appendix A.1.

4 Inverse LCSZ
Theorem 1 (LCSZ) bounds the probability Px←[0,m)µ [f (x ≡ 0 mod N ] for given values of µ, N,
µ µ
and m, which has the form m + δN,µ . In the case that N is prime, δN,µ = N , which agrees
with the standard Schwartz-Zippel lemma applied to µ-linear polynomials. The term δN,µ for
composite N , which is dependent on both µ and the factorization of N , has a complicated closed
form expression in terms of a product of regularized beta functions.
This section analyzes the inverse: for a given µ, λ ∈ N what size threshold t(λ, µ) ∈ N is
sufficient such that δN,µ ≤ 2−λ for all N ≥ t(λ, µ)? In other words:
Y
t(λ, µ) := sup{N ∈ N : I p1 (r, µ) ≥ 2−λ }. (t(λ, µ) def)
(p,r)∈S(N )
1 1
Q
For µ = 1, since I1/p (r, 1) = pr and (p,r)∈S(N ) I p1 (r, µ) = N, it is easy to see that t(λ, µ) =
λ
2 . For µ ≥ 2, the value of t(λ, µ) (or even an upper bound) is not nearly as easy to derive. For

6
 the rest of this section we will focus on this µ ≥ 2 case. We will analytically derive an upper
bound to t(λ, µ), showing that log t(λ, µ) ∈ O(µ2+ϵ + λϵ ) for any ϵ ≥ logµ (2).
Theorem 2 (Inverse LCSZ). For all µ ≥ 2, ϵ ≥ logµ (2), and all N such that

1
log N ≥ 4µ2+ϵ + (1 + ) · λ.
ϵ
we have that for any µ-linear polynomial f that is coprime with N
µ
Px←[0,m)µ [f (x) ≡ 0 mod N ] ≤ 2−λ + .
m
By setting ϵ = logµ (2) we get:
Corollary 1. For all N such that

log N ≥ 8µ2 + log2 (2µ) · λ.

we have that for any n-linear polynomial f that is coprime with N

µ
Px←[0,m)µ [f (x) ≡ 0 mod N ] ≤ 2−λ + .
m
We defer the proof of Theorem 2 to Appendix A.3

4.1 Computational Inverse LCSZ

Theorem 2 provides an analytical upper bound on t(λ, µ) for any µ, λ ∈ N. However, the
analytical bound does not appear to be tight for µ ≥ 2 (for µ = 1 it is tight). This next section
provides an algorithm to derive an upper bound on t(λ, µ) for any specific values of λ, µ. The
algorithm gives tighter bounds than Theorem 2 for a table of tested values (Table 1). This is
useful in practice, e.g. for deriving concrete cryptographic security parameters in cryptographic
protocols that rely on LCSZ.

Algorithm 1 Greedy algorithm that returns an upper bound to Eq. (Constrained Max 2)
Input µ ∈ N, λ ∈ N
1. Initialize a max heap H that stores tuples (p, r, d) ∈ P × Z × R and sorts them by the third
value.
2. Initialize w ← 0 and v ← 0.
3. Push (density(2, 1), 2, 1) onto the heap and set pmax = 2.
4. While w < λ
5. (a) Pop (p, r, d) from H.
(b) Push (p, r + 1, (density(p, r + 1)) onto H
(c) Set v ← v + val(p, r)
(d) Set w ← w + weight(p, r)
(e) If p = pmax then set pmax ← next prime(p) and push (density(pmax, 1), pmax, 1) onto H
6. Output v

Theorem 3 (Computational bound). Let k be the output of algorithm Algorithm 1 on input

λ, µ. Then for all m ∈ N, all N ≥ 2k and all µ-linear polynomials f , coprime with N , log2 N ≥
t(λ, µ) and
µ
Px←[0,m)µ [f (x) ≡ 0 mod N ] ≤ 2−λ + .
m
The proof of the Theorem is in Appendix A.4.

4.2 Computational Results

Using Algorithm 1 we computed analytical bounds for all µ ∈ (1, 50) for different values of λ.
The precise bound for µ = 20 and λ = 120 is:
2v ≥ 236 · 320 · 511 · 78 · 115 · 135 · 174 · 193 · 233 · 292 · 312 · 372 · 412 · 432 · 472 · 532 · 59 · 61 · 67
· 71 · 73 · 79 · 83 · 89 · 97 · 101 · 103 · 107 · 109 · 113 · 127 · 131 · 137 · 139 · 149 · 151 · 157 · 163

Other results are presented in their logarithmic form in Table 1. The results are
significantly tighter than the analytical Theorem 2. For n = 20 and λ = 120 the
analytical theorem gives a value for log2 (N ) of 3839 vs the computational which is 416.
We also provide the open-source Python implementation of the algorithm3 .
3
https://github.com/bbuenz/Composite-Schwartz-Zippel

7
 µ λ = 40 λ = 120 λ = 240 µ λ = 40 λ = 120 λ = 240
1 40 120 240 25 241 472 758
10 133 289 500 26 248 481 772
20 207 416 679 27 256 492 792
21 216 429 695 28 264 506 806
22 222 437 718 29 275 516 820
23 228 448 732 30 278 527 831
24 233 464 749 50 419 736 1105

Table 1: Computationally determined values of t(λ, µ) such that for all N ≥ t(λ, µ),
µ
Px←[0,m)µ [f (x) ≡ 0 mod N ] ≤ 2−λ + m for different µ and different λ

5 Almost-Special-Soundness
We first define deterministic (non-hiding) commitment scheme over a message space
M and opening space W ⊇ M. When M = W it is identical to collision-resistant
hash functions. More generally, the commitment function is a collision-resistant hash
function H : M → {0, 1}λ , but the algorithm that verifies an opening of C to m is not
restricted to checking H(m) = C (e.g., this may not be possible when m ̸∈ M).
These schemes do not provide a way to commit to x ∈ W \ M, but is nonetheless
useful to define in the context of arguments of knowledge. Suppose a party commits
to a message m ∈ M as C = H(m) and is asked to prove knowledge of an opening
of C using an argument system for which the knowledge extractor is only guaranteed
to extract an opening to a message in the superset W. There are applications where
it doesn’t matter whether the prover knows an actual input m ∈ M to H such that
H(m) = C as long as it is committed in a binding way to some message in W that
it knows. In fact, commitment schemes where M = Zn and W ⊆ Qn together with
arguments of knowledge that extract openings to W suffice to construct linear-map
vector commitments over prime fields Fp , with polynomial commitment schemes as a
special case. These have very powerful applications including the construction of generic
succinct non-interactive argument (SNARK) systems for all of N P .
Definition 1 (Deterministic Commitment Scheme). A deterministic commitment scheme
Γ is a tuple Γ = (Setup, G, Commit, Open) where:
• Setup(1λ ) → pp is a PPT algorithm that generates public parameters pp, which
define a finite set of indices I, a message space M, and an opening space W ⊇ M;
• G(pp, ι) → pp∗ is a PPT algorithm that generates parameters for the index ι ∈ I;
• Commit(pp∗ , m) → C is a polynomial time computable function that takes a secret
message m and returns a public commitment C.
• Open(pp∗ , C, w, σ) → b ∈ {0, 1} is a PPT algorithm that verifies the opening of
commitment C to the message w ∈ W provided with an opening hint σ ∈ {0, 1}∗ .
A commitment scheme Γ is binding if for all PPT adversaries A:
pp ← Setup(1λ )
 
 (ι, C, m0 , m1 ) ← A(pp) 
pp∗ ← G(pp, ι)
 
b0 = b1 ̸= 0 ∧ x0 ̸= x1 :
Pr   ≤ negl(λ)
b0 ← Open(pp∗ , C, x0 , r0 )

 
b1 ← Open(pp∗ , C, x1 , r1 )

Remark on I: The standard definition of commitment schemes does not have an

indexing set I, or equivalently has |I| = 1. The more general definition we presented is
important for our applications, and it is important for the scheme to be binding even
for an adversarially sampled index. As a simple example, Setup might determine a
prime-order group G in which the discrete logarithm is hard and I ⊂ G is the set of
p − 1 generators. The commitment function at index g ∈ I computes x 7→ g x for x ∈ Fp .
Definition 2 (Almost-Special-Soundness). Let χ denote any set of size 2λ . Let Γ =
(Setup, G, Commit, Open) denote a deterministic commitment scheme with message space
M, opening space W, and indexing set I. A µ-round public-coin interactive proof Π
for a relation Rpp , where the relation is possibly dependent on pp ← Setup(1λ ), with
challenge space χ is (k (µ) , δ(·), Γ, ϕ)-almost-special-sound if it satisfies the following
conditions with respect to some pair of predicates ϕ = (ϕa , ϕb ) where ϕa , ϕb : [µ] × M →
{0, 1}, and a negligible function δ : N → R:

8
 1. The setup for the interactive proof Π includes generation of the public parameters
for the commitment scheme pp ← Setup(1λ ), which determine sets I, M, and W
among other parameters (including possibly the relation Rpp ). For each index
ι ∈ I let ppι = G(pp, ι).
2. There is a localized transcript tree labeling4 F that assigns to each node ν of
a valid transcript tree for Π a commitment label C (ν) for the scheme Γ at an
index ιν ∈ I.5 Additionally, any leaf node ν of the transcript tree is labelled
with C (ν) for some index ιν ∈ I together with an opening (mν , oν ) such that
Open(ppιν , C (ν) , mν , oν ) = 1 and ϕa (µ, mµ ) = 1.
3. There is a poly(λ) time algorithm Extract(ν, C (ν) , openSubtree) → (m, o) where
C (ν) is a commitment label assigned by F to node ν at level ℓν , and openSubtree
contains a list of openings for the commitment labels that F assigns to all internal
nodes (excluding the root) of a k-ary subtree of a transcript tree rooted at a node
ν. The corresponding commitment labels and indices in I for each internal node of
the subtree is also an implicit input. If the challenge labels on the k children of any
node in the subtree are distinct, and the openings for all internal (non-root) nodes
of the subtree are valid with respect to their corresponding indices in I and satisfy
predicate ϕa (i.e., for any j > ℓν and node u on the jth level of the transcript tree
that is a member of this subtree with label C u as a commitment with respect to
index ιu , its opening (mu , ou ) in openSubtree satisfies Open(ppιu , C (u) , mu , ou ) and
ϕa (j, mu ) = 1) then the algorithm returns an opening (m, o) for the commitment
label C (ν) with respect to its corresponding index ιν , such that ϕb (ℓν , m) = 1 and
Open(ppιν , C (ν) , mν , oν ) or it returns a break of the commitment C (u) of any label
of the subtree. That is, break = (ν, m′ , o′ , mν , oν , C (ν) ), such that both (m′ , o′ ) and
(m, o) are valid openings of C (ν) to distinct messages in W.
4. Extract(x, openTree) → w takes as inputs openings for the commitments assigned
by F to all nodes in an entire transcript tree satisfying predicate ϕa (same condition
as above for subtrees) and returns a witness w for the public input x such that
R(x, w) = 1 or it returns a break of a commitment label for node ν, i.e. break =
(ν, m′ , o′ , mν , oν , C (ν) ), such that both (m′ , o′ ) and (m, o) are valid openings of C (ν)
to distinct messages in W.
5. Extend(i, m, α1 , .., αµ−i ) is a deterministic poly(λ)-time algorithm that is given an
index i ∈ [µ−1], a message m in the opening space of the commitment scheme com,
µ − i challenges from X , and outputs µ − i messages m′1 , ..., m′µ−i in the opening
space of the commitment scheme.
For any i ∈ [µ − 1] and m where ϕa (i, m) = 0, the probability over αi , ..., αµ
sampled uniformly i.i.d. from X that the last message m′µ−i in the list returned
by Extend(i, m) satisfies ϕa (µ, m′µ−i ) = 1 is bounded by δ(λ).
6. Break(i, m, α1 , ..., αµ , ι0 , ..., ιµ , C0 , ..., Cµ , (mi , oi ), ..., (mµ , oµ )) first runs the algo-
rithm Extend(i, m, αi , .., αµ ), which returns messages m′1 , ..., m′µ−i . If ϕb (i, mi ) = 0
or ∀j m′j = mi+j−1 then it outputs ⊥. Otherwise, for some j ≥ i, it outputs an
attempted opening (m′ , o′ ) of Cj for index ιj where m′ ̸= mj .
For any i ∈ [µ − 1], given a valid (accepting) transcript with commitments C =
(C0 , ..., Cµ ) for the commitment scheme indices ⃗ι = (ι0 , ..., ιµ ), round challenges
⃗ = (α1 , ..., αµ ), and openings open = ((mi , oi ), ..., (mµ , oµ )) to the last µ − i + 1
α
commitments, where ϕb (i, mi ) = 1 and ϕa (j, mj ) = 1 for all j ∈ [i + 1, µ], either
Extend(i, mi , αi+1 , ..., αµ ) returns mi+1 , ..., mµ or Break(i, mi , α ⃗ ,⃗ι, C, open) returns
the output break = (m′ , o′ , mj , oj , Cj ), where (m′ , o′ ) is an opening of some Cj to
a conflicting message m′ ̸= mj ∈ W such that Open(ppιj , Cj , m′ , o′ ) = 1, which
breaks the binding of the commitment scheme over W.
Short-hand notation: An interactive proof is (k (µ) , δ)-almost-special-sound if it
is (k (µ) , δ, com, ϕ)-almost-special-sound for some commitment scheme com and some
predicate pair ϕ. We may omit δ and simply write k (µ) -almost-special-soundness if this
holds for some negligible function δ : N → R.
4
Recall that a localized transcript tree labeling is a function F that given the transcript tree L as input, and thus its
assignments of message/challenge labels to each tree node, induces a post-order tree labeling F (L) : [1, N ] → {0, 1}∗ ,
which computes a new label on each node ν that is a function of its predecessor labels L(pred(ν)). As a special case
F may be the identity function, i.e. the induced labeling is the same as L.
5
Crucially, the definition does not require the ith position of all transcripts to use the same commitment index.
The commitment index µi used in a particular transcript for the ith commitment C (i) might be a function of the
transcript prefix preceding C (i) .

9
Remark 6. Any special sound protocol satisfies almost-special-soundness as 3) essen-
tially captures the special soundness definition. More precisely a k (µ) -special sound
satisfies k (µ) -almost-special-soundness by setting the commitment scheme to be trivial
(i.e., identity function) and the ith round commitment C (i) to the prover’s ith round
message and setting the predicates ϕa = 1, ϕb = 0 to be trivial as well (i.e., always return
1 and 0 respectively). The algorithm Extend can output an arbitrary set of messages
because the condition on the algorithm is vacuously true as ϕa (i, m) ̸= 0 for any (i, m).
The algorithm Extract(ν, C (ν) , ∗) is trivial because C (ν) is the message itself. The algo-
rithm Break is also trivial as ϕb is always 0. The algorithm Extract(x, openTree) → w
exists by the definition of k (µ) -special soundness.

Theorem 4 (AMSS implies Knowledge Soundness). If a µ-round interactive proof for

a relation R with λ-bit challenges, µ ∈ O(log(λ + |x|)), and verifier decision algorithm
runtime tV ∈ poly(|pp|, |x|, λ) on input x ∈ LR and parameters pp ← Γ.Setup(1λ ) is
(k (µ) , δ, Γ, ϕ)-almost-special-sound then for δ ′ (λ) = 2λ(k + 1)µ (µ + tV ) · max(δ(λ), k ·
2−λ ) + 2−λ it is δ ′ -knowledge sound for the modified relation:

R′ (pp) = {(x, w) : R(x, w) = 1 ∨ w ∈ Lbreak (pp)}

where

Lbreak (pp) = {(C, σ1 , σ2 , ι) : ι ∈ I ∧ σ1 ̸= σ2 ∧ Open(ppι , C, σ1 ) = Open(ppι , C, σ2 ) = 1}

Remark 7. δ ′ (λ) is a negligible function if δ(λ) is negligible, assuming k ∈ O(1),

µ ∈ O(log(λ + |x|)), tV ∈ poly(|x|, λ), and |x| ∈ poly(λ).

The proof of Theorem 4 is in Appendix C. By Lemma 11, this theorem has the
following corollary:

Corollary 2. An interactive proof with λ-bit challenges that is k (µ) -almost-special-

sound for a relation R and has at most µ ∈ O(log(λ + |x|)) rounds on any instance
x ∈ LR has witness-extended emulation for R.

6 Argument of knowledge of “short” rational opening

For any deterministic homomorphic commitment to vectors in Znp , where the commit-
ment function is a homomorphism com : Znp → G, there is a generic succinct argument
of knowledge of a commitment opening (i.e., a homomorphism preimage) with O(log n)
communication complexity [BDFG21; AC20; BCS21]. This same protocol can also
be used to argue knowledge of any linear form of the committed vector. This is also
known as a linear-map vector commitment (LMVC) [LM19; CNRZZ22], and captures
polynomial commitments as a special case.
We generalize this result to work with deterministic homomorphic integer vector
commitments that are only binding over short vectors in Zn , which includes vector
commitment schemes based on lattices and groups of unknown order. Furthermore,
the protocol can still be used to argue knowledge of any linear form h : Zn → G of
the committed vector, where G is a prime order group. The protocol is essentially the
same as the succinct homomorphism preimage protocol [BDFG21; AC20], but where
the verifier additionally checks a bound on the prover’s final message. This can also be
viewed as a special case of the sumcheck argument with a bound check, as described
in [BCS21], but we provide a much tighter soundness analysis.
A bit more precisely, the protocol is not an argument of knowledge of a short integer
vector pre-image per se, but rather a short rational opening of the commitment C =
com(x), which is some x′ ∈ Zn and z ∈ Z such that com(x′ ) = z · C and x′ /z ∈ M ⊆ Qn
where M = {x/z ∈ Qn : z ∈ Z, gcd(x, z) = 1, ||x|| ≤ βn , |z| ≤ βd } is a subset of rational
vectors with bounded norm denominators and numerators in reduced form. We call this
an opening of the commitment C to the rational vector x′ /z ∈ M. If the commitment
scheme is binding over such rational openings to vectors in M and [0, p)n ⊆ M, then
it also functions as a binding commitment scheme for vectors in Znp where an opening
to m ∈ M is also an opening to m mod p ∈ Znp and the protocol is thus an argument
of knowledge of an opening to a unique vector in Znp . Finally, for any linear form
h : Znp → G the modified commitment com∗ (x) = (com(x), h(x)) preserves binding over
M and running the same protocol for com∗ becomes an argument of knowledge for an
opening of the commitment (C, y) to a unique x∗ ∈ Znp such that h(x∗ ) = y.

10
 Remark on zero-knowledge Deterministic commitment schemes are non-hiding
and our construction is focussed on producing a succinct argument of knowledge with-
out concern for zero-knowledge. To obtain a zero-knowledge argument, the succinct
argument can be composed with (i.e., applied as the pivot to) a sigma protocol for
pre-images of ϕ. See [ACK21b] for further details.

Definition 3 (Z-linear commitment scheme). Let Γ = (Setup, G, Commit, Open) be

a deterministic commitment scheme such that for any pp = (I, M, W) ← Setup(1λ )
where M ⊆ W ⊆ Zn and ι ∈ I the commitment function Commit(ppι , ·) : M → G is
the restriction h|M of a group homomorphism h : Zn → G. We say that Γ is a Z-linear
deterministic commitment scheme.

Definition 4 (Rational openings). Let Γ = (Setup, G, Commit, Open) be Z-linear deter-

ministic commitment scheme where commitments are contained within a finite group G.
Let W ∗ ⊆ Qn and let Setup∗ (1λ ) denote a new setup algorithm that runs Setup(1λ ) but
replaces W with W ∗ . Let Open∗ (pp, C, x/z, (z, x, σ)) denote a new opening verification
algorithm which on inputs z ∈ Z, x ∈ Zn such that x/z ∈ W ∗ and C ∈ G returns
1 if and only if z ̸= 0 mod |G|, and Open(pp, z · C, x, σ) = 1.6 We call the opening
hint (z, x, σ) a rational opening of C to x/z ∈ W ∗ . We say Γ is binding over rational
openings to W ∗ ⊆ Qn if Γ∗ = (Setup∗ , G, Commit, Open∗ ) satisfies the usual definition
of commitment binding (See Definition 1).

Lemma 1 (trivial). If (Setup, G, Commit, Open) is a Z-linear deterministic commitment

scheme binding over W ⊆ Qn where Commit(ppι , ·) : Zn → Gcom and h : Zn → G is any
homomorphism, then the modified scheme (Setup, G, Commit, Open∗ ) where:
• Setup(1λ ) → pp and G(ι, pp) → ppι
• Commit∗ (ppι , x ∈ Zn ) → (Commit(ppι , x), h(x)) ∈ Gcom × G
• Open∗ (ppι , (C, y) ∈ Gcom × G, x ∈ Zn , s) → Open(ppι , x, s, C)
is also a Z-linear deterministic commitment scheme binding over W.

Proof. Any break of the modified scheme includes a break of the original scheme, i.e.
tuples (x, ι, s, (C, y)) and (x′ , ι, s′ , (C, y)) such that x ̸= x′ ∈ W and Open(ppι , C, x, s) =
1 and Open(ppι , C, x′ , s′ ) = 1.

Commitment schemes binding over bounded rationals Let β = βn · βd for some

βn , βd > 0. Let W(βn , βd ) := {x/z ∈ Qn : z ∈ Z, ||x|| ≤ βn , |z| ≤ βd }. The following
lemmas establish several families of integer vector commitment schemes that are binding
over W(βn , βd ).

Lemma 2. Let Γ = (Setup, G, Commit, Open) denote any Z-linear deterministic com-
mitment scheme where for any ι ∈ I and ppι = G(pp, ι) the algorithm Open(ppι , C, x)
receives no hint and simply checks C = Commit(ppι , x) = ⟨x, gppι ⟩ where gppι ∈ Gn is
a basis for the homomorphism. Let A(pp) denote a polynomial time algorithm that on
input pp ← Setup(1λ ) returns ι ∈ I, (z, x), (z ′ , x′ ) ∈ Z × Zn and Y ∈ G such that with
probability non-negligible in λ:
(a) z ′ x ̸= zx′
x x′
(b) z , z′ ∈ W(βn , βd )
(c) z · Y = Commit(ppι , x) and z ′ · Y = Commit(ppι , x′ )
x′
(d) z, z ′ ̸= 0 mod |G| and either x
z ̸= 0 mod |G| or z′ ̸= 0 mod |G|
If |G| is prime then A breaks the binding of Γ over Wβ = {x ∈ Zn : ||x|| ≤ β}.
Otherwise, A either breaks the binding over Wβ or outputs an element u in the span of
gppι and an integer multiple of its order.

Proof. Let com := Commit(ppι , ·) for shorthand notation. Condition (c) implies com(z ′ ·
x) = com(z · x′ ). Condition (b) implies xz = xz11 for ||x1 || ≤ βn and |z1 | ≤ βd where
′
gcd(x1 , z1 ) = 1, and likewise xz ′ = xz22 for ||x2 || ≤ βn and |z2 | ≤ βd where gcd(x2 , z2 ) = 1.
Let ∆1 = z/z1 ∈ Z and ∆2 = z/z2 ∈ Z and let ∆ = ∆1 · ∆2 . These relations imply
that ∆ · com(z2 · x1 ) = ∆ · com(z1 · x2 ) where, by condition (b), ||z1 · x2 || ≤ β and
6
In a group of unknown order it may be difficult to check that z ̸= 0 mod |G|. If g is a generator (e.g., the
generator of a subgroup of unknown order) then it suffices to check z · g = 0. In any case, GUOs are typically used
for commitments under the hardness assumption that it is difficult to compute any multiple of the order of G, in
which case checking z ̸= 0 mod |G| can be dropped from verification.

11
 ||z2 · x1 || ≤ β. Finally, ∆ ̸= 0 mod |G| by condition (d) and z2 · x1 ̸= z1 · x2 by condition
(a). Let x∗ = z2 · x1 − z1 · x2 and u = com(x∗ ). We have established that x∗ ̸= 0 and
∆·u = 0 and ∆ ̸= 0 mod |G|. If |G| is prime, then this implies com(z2 ·x1 ) = com(z1 ·x2 ),
which breaks the binding of Πcm over Wβ . If |G| is not prime, then either u = 0, which
breaks binding over Wβ , or otherwise ∆ must be a multiple of the order of u, which is
in the span of gppι .

Corollary 3 (Homomorphic prime-order commitments). Let Γ = (Setup, G, Commit, Open)

denote any Z-linear deterministic commitment scheme where the commitments are con-
tained within a group G of prime-order, for C ̸= 0 the algorithm Open(ppι , C, x) checks
Commit(ppι , x) = C, and the element 0 ∈ G is the unique valid commitment to 0 ∈ Zn .
If Γ is binding over Wβ = {x ∈ Zn : ||x|| ≤ β} then Γ is also binding over rational
openings to W(βn , βd ).

Proof. Suppose there exists a polynomial time algorithm A(pp) that on input pp ←
Setup(1λ ) returns ι ∈ I and C ∈ G and conflicting valid openings (z, x), (z ′ , x′ ) ∈ Z×Zn
of C to x/z ̸= x′ /z ′ ∈ W(βn , βd ) with probability non-negligible in λ. By validity of
the openings z, z ′ ̸= 0 mod |G|. If x = 0 mod |G| then z · C = Commit(ppι , x) = 0,
which implies C = 0 because z ̸= 0 mod |G| and G has prime order. If C = 0 then
only x = x′ = 0 would be accepted as valid openings of z · C and z ′ · C respectively,
contradicting x/z ̸= x′ /z ′ . This shows that x ̸= 0 mod |G| and the same argument
shows that x′ ̸= 0 mod |G|. Therefore, by Lemma 2, A(pp) breaks the binding of Π
over Wβ = {x ∈ Zn : ||x|| ≤ β}, a contradiction.

Homomorphic prime-order examples. Examples of commitments to integer vec-

tors that satisfy the conditions in Corollary 3 trivially include Pedersen commitments
but also Ajtai commitments based on Integer-SIS/Ring-SIS/Module-SIS. Let q be a
prime, let n, κ ∈ N denote security parameters, Let Φn (x) be the n-th cyclotomic poly-
nomial7 (i.e., its roots are the primitive n-th roots of unity). Let R = Z[x]/Φn and
Rq = Zq [x]/Φn , and let m = m(n) and B = B(n) be functions.
$
• Integer-SIS. The problem SISn,q,m,B is: given A ← Zqn×m , find z ∈ Zm such that
A · z = 0n mod q and 0 < ∥z∥ ≤ B.
$
• Ring-SIS. The problem R-SISn,q,m,B is: given a ← Rm
q , find z ∈ R
m such that

a · z = 0 mod q and 0 < ∥z∥ ≤ B.

$
• Module-SIS. For some κ > 0, the problem M-SISκ,n,q,m,B is: given A ← Rκ×m
q ,
find z ∈ Rm such that A · z = 0κ mod q and 0 < ∥z∥ ≤ B.
Note that SIS and R-SIS are both special cases of M-SIS, with appropriate setting
of the parameters. For example, Ring-SIS is the same as Module-SIS when κ = 1. All
three problems are related to certain worst case lattice problems, and are believed to be
hard for appropriate settings of the parameters n, q, m, B, and κ. In particular, these
problems are believed to be post-quantum secure when the following conditions holds:
• Integer-SIS [MP13; GPV08] n sufficiently large and m, log(q) ≤ poly(n) and
√
q ≥ B n · ω(log n).
√
• Module-SIS [LS15, Th. 3.6]: nκ sufficiently large and q > B·(nκ)1/2 ω( log nκ),
and both m and log q are less than poly(nκ).

Corollary 4 (Homomorphic GUO commitments). Let Γ = (Setup, G, Commit, Open)

denote any Z-linear deterministic commitment scheme where for any pp, ι, and ppι =
G(pp, ι) the function Commit(ppι ) : Zn → G is a homomorphism with basis gppι . Sup-
pose that the subgroup order assumption for G holds8 with respect to the distribution
over subgroups ⟨gppι ⟩ ⊆ G induced by sampling pp ← Setup(1λ ) and any adversarially
sampled ι ∈ I. If Γ is binding over Wβ = {x ∈ Zn : ||x|| ≤ β} then Γ is also binding
over rational openings to W(βn , βd ).
7
When n is a power of two we have that Φn (x) = xn + 1.
8
If the generators gppι are uniformly distributed for any ι and G is cyclic (or more generally a random element
in the span of gppι is statistically close to uniform over G) then this is equivalent to the assumption that it is hard
to compute a multiple of the order of a random element, which is implied by the difficulty of taking square roots of
random elements (the RSA assumption) for G. In certain groups where it is difficult to compute any integer that
shares a common factor with |G| then the assumption holds regardless of how gppι is sampled. One such group is
the multiplicative subgroup H = {x4 : x ∈ Z× N } for N = p · q, where p and q are unknown safe primes and thus
|H| = (p − 1)(q − 1)/4 = p′ · q ′ for unknown primes p′ , q ′ .

12
Corollary 5 (DARK commitments). The integer vector commitment scheme known
as DARK [BFS20] uses a group of unknown G and for x ∈ Zn computes the
Pnorder i−1
homomorphism x 7→ g f x (q) , where fx (q) = i=1 xi q , given setup parameters q ∈ N
√
and g ∈ G sampled uniformly at random. Setting q = ⌈2 nβ⌉, DARK is binding over
rational openings to W(βn , βd ) based on the order assumption in G.

Proof. For x ∈ Zn let fx denote the univariate polynomial with coefficient vector x. By
Fact 1, fx (q) ̸= fx′ (q) for all x ̸= x′ of L∞ norm at most q/2 which is guaranteed if the
√
L2 norm is at most q/(2 n). By the order assumption (Assumption 1) no polynomial-
$
time adversary can compute integers x ̸= y such that g x = g y for g ← G. DARK
√
is therefore binding over Wβ = {x ∈ Zn : ||x|| ≤ β} for q ≥ 2 nβ by the order
assumption, and as a corollary to Lemma 2 it is also binding over W(βn , βd ) under the
order assumption.

Definition 5. We define a integer matrix norm family F as an infinite collection

F = {Nm,n } of matrix norms Nm,n : Zm×n → R. We say that the F is α(m, n, k)-
submultiplicative if for all m, n, k ∈ N, M ∈ Zm×n , and X ∈ Zn×k :

Nm,k (M · X) ≤ α(m, n, k) · Nm,n (M ) · Nn,k (X)

Lemma 3. Let (Setup, G, Commit, Open) be any Z-linear deterministic commitment

scheme that is binding over Wβ = {x ∈ Zn : ||x|| ≤ β}, where the norm || · || be-
longs to an α-submultiplicative norm family. Let U : Zm → Zn denote any injective
linear map, i.e. U ∈ Zm×n is a full row rank matrix. Then the modified scheme
(Setup, G, Commit∗ , Open∗ ) over Zm where:
• Commit∗ (pp, x ∈ Zm ) → Commit(pp, x · U )
• Open∗ (pp, C, x ∈ Zm , s) → Open(pp, C, x · U, s)
β
is binding over W ∗ = {x ∈ Zm : ||x|| ≤ α·||U || }.

Proof. Suppose (C, x ∈ Zm , s) and (C, x′ ∈ Zm , s′ ) are both accepted by Open∗ for
distinct x, x′ ∈ W ∗ , then both (C, x · U, s) and (x′ · U, s′ , C) are accepted by Open.
Since U is injective, x · U ̸= x′ · U . Furthermore, since the norm is α-submultiplicative,
||x · U || ≤ α · ||x|| · ||U || ≤ β. Similarly, ||x′ · U || ≤ β. This contradicts the binding of
(Setup, G, Commit, Open).

Lemma 4. Let (Setup, G, Commit, Open) be any Z-linear deterministic commitment

scheme that is binding over rational openings to W(βn , βd ), where the norm || · || be-
longs to an α-submultiplicative norm family. Let U : Zm → Zn denote any injective
linear map, i.e. U ∈ Zm×n is a full row rank matrix. Then the modified scheme
(Setup, G, Commit∗ , Open∗ ) over Zm where:
• Commit∗ (pp, x ∈ Zm ) → Commit(pp, x · U )
• Open∗ (pp, C, x ∈ Zm , s) → Open(pp, C, x · U, s)
βn
is binding over W( α||U || , βd ).

βn
Proof. Let βn∗ = α||U m ′ m ′
|| . Suppose (C, x ∈ Z , z ∈ Z, s) and (C, x ∈ Z , z ∈ Z, s ) are
′

both accepted by Open∗ for distinct x/z, x′ /z ∈ W(βn∗ , βd ), then both (C, x · U, z, s)
and (x′ · U, z ′ , s′ , C) are accepted by Open. Let x/z = x1 /z1 in reduced form so that
||x1 || ≤ βn∗ and |z1 | ≤ βd . Similarly, let x′ /z ′ = x′1 /z1′ in reduced form so that ||x′1 || ≤ βn∗
and |z1′ | ≤ βd . Since the norm is α-submultiplicative, ||x1 · U || ≤ α · ||x1 || · ||U || ≤ βn .
Similarly, ||x′1 · U || ≤ βn . This shows that x · U/z ∈ W(βn , βd ) and x′ · U/z ′ ∈ W(βn , βd ).
Furthermore, since z ′ x ̸= zx′ and U is injective, z ′ x · U ̸= zx′ · U . This contradicts the
binding of (Setup, G, Commit, Open).

6.1 Interactive protocol for short rational openings

The public input of the protocol is a homomorphism com : Zn → G, a target value
C ∈ G, and a bound β ∈ R. The honest prover has a witness x of L2 norm at most
β such that com(x) = C. The prover’s√claim is that it√knows some witness (z, x) such
that com(x) = z · C and ||x|| ≤ 2λ log n ξ · β and |z|√≤ ξ/2λ log n for√a soundness slack
parameter ξ. In other words, setting βn = 2λ log n ξ · β and βd = ξ/2λ log n so that
βn · βd = ξ · β, the knowledge extractor for this protocol opens a valid rational opening
for C as long as the commitment scheme is binding over W(βn , βd ) := {x/z ∈ Qn : z ∈
Z, ||x||2 ≤ βn , |z| ≤ βd }. We prove that it suffices to set ξ = 2(16+2µ)λ+6CSZµ,λ +2µ+6 ,

13
 where CSZlog n,λ ∈ O(log2 n + λ log log n) is derived from the Multilinear Composite
2
Schwartz Zippel (Theorem 2). Hence ξ ∈ 2O(λ log n+log n) .
Let g = (g1 , ..., gn ) denote a basis of com such that com(x) = ⟨x, g⟩. The in-
teractive protocol is essentially the succinct argument for homomorphism preimages
from [BDFG21; AC20], but where the verifier additionally checks a bound on the
prover’s final message. This is also a special case of a sumcheck argument with a
bound check, as described in [BCS21]. The prover’s final message is an integer x∗ ∈ Z
and the verifier immediately rejects the proof unless |x|∗ ≤ β · 2λ log n . We include the
full protocol in the figure below for completeness.

Figure 1: A succinct interactive protocol for short rational openings. The honest prover’s input
must have norm at most β. For simplicity n is a power of 2.

PSRO (n, x ∈ Zn , C ∈ G, g ∈ Gn ) VSRO (n, C ∈ G, g ∈ Gn )

If n = 1 send x ?
−−−−−−−−−−−−→ x · g = C ∧ |x| ≤ β · 2λ log n
If yes accept, else reject
Else n′ ← ⌈ n2 ⌉
x = (xL , xR ); g = (gL , gR )
CL ← ⟨xL , gR ⟩, CR ← ⟨xR , gL ⟩
CL , CR
−−−−−−−−−−−−→
r r ← [0, 2λ−1 )
←−−−−−−−−−−−−
x′ ← xL + rxR
C ′ ← ⟨x′ , gR + rgL ⟩
C ′ ← CL + r2 CR + rC
g′ ← gR + rgL
recurse
PSRO (n′ , x′ , C ′ , g′ ) ←−−−−−−−−−−−−−−−→ VSRO (n′ , C ′ , g′ )

An important observation, as first noted in [BBBPWM18] and leveraged in Halo [BGH19],

is that the verifier does not use its input g unless n = 1. Thus, the verifier does not
i
need to compute g ∈ G2 at each round of recursion. Instead, it only needsPn to compute
′ ′
the final g ∈ G at the final round, which can be computed as g = i=1 ui gi where
ui is the ith coefficient of the polynomial u(X) = log 2j−1 ) where r is the
Q n
j=1 (rj + X j
verifier’s challenge at the jth round.

Application: polynomial commitment scheme Given any prime p of size |p| ≥ β

and any deterministic homomorphic commitment scheme (Setup, com, Vf) that is bind-
ing over D = {x ∈ Zn : ||x|| ≤ ξ · β}, where com : Zn → Gcom is a homomorphism
and ξ is the slack parameter of the homomorphism-preimage (HPI) protocol,P we can
commit to the coefficient vector x ∈ [0, p) of a degree-n polynomial fx (Z) = i xi Z i
n

as C = com(x) and open evaluations of the committed polynomial at any point z ∈ Zp

to t = fx (z) by running √ the HPI protocol for the homomorphism x 7→ (com(x), fx (z)).
√ λ log
Setting β1 = 2 λ log n ξ · β and β2 = ξ/2 n , this protocol proves knowledge of a pair
∗ ∗
(a, x ) such that com(x ) = a · C and fx∗ (z) = a · t mod p where ||x|| ≤ β1 and |a| ≤ β2 .
This is a valid rational opening of CPto x∗ /a, and by Lemma 2 |a| · ||x∗ || ≤ ξβ. to open
the polynomial evaluation fx (z) = i xi z i mod p at a point z ∈ Zp . The protocol has
logarithmic communication complexity but requires a linear verifier in order to compute
the final g ′ value.

Special case: DARK rational openings with log verifier In the special case that
G is a group of unknown
Pn orderi−1 and com(x) = g fx (q) for q ∈ N and g a random element
in G, where fx (q) = i=1 xi q , the verifier complexity can be made logarithmic by
√
adding a proof-of-exponentiation (PoE)[Wes19] step. By Corollary 5, for q = ⌈ n2ξβ⌉
this commitment scheme is binding over vectors in {x ∈ Zn : ||x||2 ≤ ξβ} and for any
βn , βd > 0 such that βn · βd = ξβ, is binding under rational openings to W(βn , βd ) :=
{x/z ∈ Qn : z ∈ Z, ||x||2 ≤ βn , |z| ≤ βd }.
When using this as a linear-map vector commitment scheme over Fp , where the
√
honest prover may commit to any x ∈ [0, p)n which has L2 norm at most β = n · p,

14
 we would set q = ⌈n2ξp⌉. The resulting interactive argument in this case is a slight
variation of the DARK evaluation protocol.
The verifier complexity is made logarithmic usingQa PoE as follows. Recall that the
verifier only needs to compute the final round g ′ = giui where ui are P the coefficients
Qlog n 2j−1 i) ′ i
of u(X) = j=1 (rj + X (q (
). In this case, gi = g , and thus g = g i ui q ) = g u(q) .
The Wesolowski PoE[Wes19] enables a Prover to convince a Verifier that Y = X a ∈ G
for X, Y ∈ G and a ∈ Z. In the protocol, the verifier sends a random 2λ-bit prime
a
ℓ, and the prover computes Q ← g (⌊ ℓ ⌋) and sends it to the verifier. The verifier then
computes r ← a mod ℓ and checks that Y = X r + Qℓ . The protocol is secure under
the adaptive root assumption in G. Note that the verifier just has to compute a mod ℓ
and do two O(λ)-bit scalar multiplications. The prover runs the PoE protocol on input
(g, g ′ , u(q)) in order to show that g ′ was constructed correctly. Note that the verifier
can evaluate u(q) mod ℓ in O(log(n)) field multiplications in Fℓ . To do this the prover
j
computes q (2 ) mod ℓ for j ∈ [0, log2 (n) − 1] using log2 (n) multiplications. And then
evaluates u(q) mod ℓ = log 2j−1 ) mod ℓ using another log (n) multiplications.
Q n
j=1 (rj + X 2
Alternatively, one can use Pietrzak’s proof of exponentiation[Pie19]. The protocol only
2i
works for powers of 2. The prover would send the gi ← g q for all i ∈ [0, log2 (n)).
The verifier can efficiently compute g u(q) given the gi values. The proof size would
be O(log2 (n)), but importantly, it can be instantiated without anypassumptions in all
groups[HHKKP22]. Using preprocessing of q, it also has prover O( (n)), independent
of |q|.

6.2 Almost special soundness analysis

Theorem 5 (Bulletproofs for short openings is AMSS). Let n = 2µ for µ ≥ 1. Let
CSZµ,λ = 8µ2 + log2 (2µ)λ.9 . Let Γ = (Setup, G, Commit, Open) denote any Z-linear
deterministic commitment scheme satisfying the following conditions:
√ √
• For βn = 2λµ ξ · β and βd = ξ/2λµ where log ξ = (14 + 2µ)λ + 6CSZµ,λ + 2(µ + 4)
it is binding to W(βn , βd ) := {x/z ∈ Qn : z ∈ Z, ||x||2 ≤ βn , |z| ≤ βd } under
rational openings.
• Open(ppι , C, x) receives no hint, i.e. checks Commit(ppι , x) = C.
• The group G defined for any pp ← Setup(1λ ) either has prime-order, or is a GUO
(i.e., the order assumption (Assumption 1) holds in G).
Let Π denote the interactive protocol which runs the protocol in Figure 1 for pa-
rameters β and g ∈ Gn defined by pp ← Setup(1λ ), an index ι ∈ I, ppι = G(pp, ι), and
Commit(ppι , x) = ⟨x, g⟩ for x ∈ Zn . There exists a predicate pair ϕ = (ϕa , ϕb ) and com-
mitment scheme Γ∗ such that Π is an (4(µ) , 3µ2λ
, Γ∗ , ϕ)-almost-special-sound interactive
argument for the relation:

SROβ,ppι = {(C, w = (z, x)) : ⟨x, g⟩ = z · C and x/z ∈ W(βn , βd )}

2
Remark 8. Note that ξ ∈ 2O(λ log n+log n) . CSZµ,λ is derived from the Multilinear
Composite Schwartz Zippel Theorem (Theorem 2). We can also substitute any value
for CSZµ,λ using the table of concrete bounds in Theorem 3 for fixed 120-bit security in
place of the analytical bound from Theorem 2).

Proof. The commitment scheme Γ∗ = (Setup∗ , G ∗ , Commit∗ , Open∗ ) is defined as follows:

• Setup∗ (1λ ) first runs pp ← Setup(1λ ), which determinesSG and I among other
parameters. The new indexing set is defined as I ∗ = I ∪ µi=1 I × χi .
• G ∗ (pp, ι ∈ I, r ∈ χi ) for i ∈ [0, µ] first computes ppι = G(pp, ι) to determine
the basis g ∈ Gn such that Commit(ppι , x) = ⟨x, g⟩ for all x ∈ Zn , and then
µ−i
computes g(i) = Ui · g
where Ui ∈ Z2 ×n is defined recursively as: U0 = I2µ and
Ui = ri · I2µ−i I2µ−i · Ui−1 for i ≥ 1. The notation Ik for k ∈ N denotes the
(i) µ (0)
k × k identity matrix. Let βn = βn · 2−(iλ+ 2 ) for i ≥ 1 and βn = βn .
µ−i (i)
The output ppι,r determines the message space Mi = {x ∈ Z2 : ||x|| ≤ βn }
(i) µ−i (i)
and opening space Wi (βn , βd ) = {x/z ∈ Q2 : z ∈ Z, ||x||2 ≤ βn , |z| ≤ βd } and
µ−i
includes g(i) ∈ G2 .
µ−i (i)
• Commit∗ (ppι,r , x ∈ Z2 ) returns C = ⟨x, g(i) ⟩, as well as CL = ⟨xL , gR ⟩ and
(i)
⟨xR , gL ⟩ for i ∈ [1, µ]. Here xL , gL denote the left half of x and g respectively
and xR , gR the right. For i = 0, it just returns C = ⟨x, g⟩.
9
The CSZµ,λ value can be replaced with values from the table in Theorem 3

15
 µ−i (i)
• Open∗ (ppι,r , (C, CL , CR ), x ∈ Z2 , z ∈ Z) returns 1 iff x/z ∈ Wi (βn , βd ), and
(i) (i)
⟨x, g(i) ⟩ = z · C, ⟨xL , gR ⟩ = z · CL , ⟨xR , gL ⟩ = z · CR , and z ̸= 0 mod |G| for
i ∈ [1, µ − 1]. For i = 0, the CL and CR checks are omitted. (If G is a GUO, z ̸= 0
(µ)
suffices). For i = µ it returns 1 iff |x| ≤ βn and x · g(µ) = C.
The setup of the proof system determines the bound β ∈ R, pp ← Setup(1λ ), and
an index ι and ppι = G(pp, ι) so that the protocol in Figure 1 is run on shared inputs
β, C ∈ G, and g ∈ Gn to the prover/verifier, where Commit(ppι , x) = ⟨x, g⟩ for x ∈ Zn .
The parameters β, ppι thus determine the relation SROβ,ppι . This setup can also be
viewed as running Setup∗ (1λ ) as an extension of Setup(1λ ), which determines the same
parameters. The public input C to the relation SROβ,ppι is thus a commitment for Γ∗ at
index ι ∈ I. By construction, the ith round prover message of the protocol for i ∈ [1, µ]
is a commitment for Γ∗ at index (ι, ri ) ∈ I × χi where ri = (r1 , ..., ri ) are the first i
round challenges in the protocol
transcript.
Let Ei = ri · I2µ−i I2µ−i so that Ui = Ei · Ui−1 for all i ≥ 1. Right-multiplication
by U0 is injective. For i ≥ 1, right-multiplication by Ei is an injective map from
µ−i µ−i+1
Z2 → Z2 . Thus, by induction, right-multiplication by Ui is an injective map
µ−i µ
from Z2 → Z2 . The number of non-zero entries in U1 is exactly 2µ , and for each
i > 1 the number of non-zero entries in Ui is no greater than the number of non-zero
entries in Ui−1 . The entries of Ui are subset products of {r1 , ..., ri } and thus each have
µ
absolute value at most 2iλ . Therefore, we can bound the Frobenius norm ||Ui || ≤ 2iλ+ 2 .
(i) µ
Let βn = βn · 2−(iλ+ 2 ) . Since the Frobenius norm is 1-submultiplicative, by Lemma 4,
the commitment scheme Γ∗ at index (ι, ri ) is binding over rational openings of CL , CR
(i)
to Wi (βn /, βd ).
(i) (i)
For each round of the protocol, let ri denote the ith round challenge and (CL , CR )
denote the ith round prover messages for i ∈ [0, µ − 1]. Let xµ ∈ Z denote the prover’s
µth round message. We define C0 = C (the input) and “virtual” messages Ci+1 =
(i) 2 C (i) + r (i) for each i ∈ [0, µ − 1]. In transcript trees we will denote
CL + ri+1 R i+1 C
by C (ν) the virtual commitment corresponding to a node index ν ∈ [0, N ] (i.e., the
virtual commitment defined by the partial transcript ending at node ν). These virtual
commitments will be included in the localized transcript tree labeling F .

Transcript tree labeling F In any transcript the ith round prover message is a triple
of commitments in G3 . Given a transcript tree defined by L : [1, N ] → χ × G3 , the
(ν) (ν)
function F (L)(ν) = (C (ν) , CR , CL ) assigns a Γ∗ commitment label to node ν ∈ [1, N ],
computed as follows. The root of a transcript tree, which is at index N in a post-order
labelling and level 0, is assigned the commitment label F (L)(N ) = C (N ) = C, where C
is the input commitment to the protocol. Each internal node of a transcript tree with
(ω) (ω) (ω) (ω)
index ν is assigned (C (ν) = CL + rν2 CR + rν Cω , CL , CR ). F is localized because
C (ν) is computed from the partial transcript that L assigns to the predecessor nodes of
ν.
Finally, we show that C (ν) is a correct Γ∗ commitment for the index ιν . Define
gN = g = G ∗ (pp, ι) for the root, and gν = G ∗ (pp, ι, r(ν) ) for a node on level i ≥ 1
(ν) (ν)
whose transcript prefix has the challenge sequence r(ν) = (r1 , ..., ri ). Note that on
µ−i
the ith level gν ∈ G2 . In a correct transcript tree, for any node ν at the ℓν th
µ−ℓν (ν)
level, C (ν) = ⟨x′ , gν ⟩ for some x′ ∈ Z2 . Additionally, CL = ⟨(0, x′L ), gν ) and
(ν)
CR = ⟨(x′R , 0), gν ⟩ where x′L and x′R are the left and right half of x′ , respectively.

The predicates ϕa and ϕb We define the numerator bounds B0 ≥ · · · ≥ Bµ such

that log Bµ = µλ + log β (corresponding to the numerator verification bound on the
prover’s final round message) and log Bi = CSZµ−i,λ + (2µ − i)λ + µ2 + log β for i ≥ 1.
We define denominator bounds D0 ≥ · · · ≥ Dµ such that Dµ = 1 (corresponding to the
denominator verification bound on the prover’s final round message, i.e. that it is an
integer) and log Di = CSZµ−i,λ for i ≥ 1.
µ−i
For any i ∈ [0, µ] and m = x/z ∈ Q2 we define:
• ϕa (i, m) = 1 iff m ∈ Wi (Bi , Di )
(i)
• ϕb (i, m) = 1 iff m ∈ Wi (βn /22λ+1 , βd )
(i)
Note that log βn = (2µ − i)λ + log β + 2(λ + 1 + CSZµ,λ ) + 12 ≥ log Bi and βd ≥ Di for
(i)
all i ∈ [0, µ], thus Wi (Bi , Di ) ⊆ Wi (βn , βd ). This shows that ith round commitments
(i.e., commitment labels assigned by F to nodes on the ith level) are binding under

16
 (i)
rational openings to Wi (Bi , Di ) as a subset of Wi (βn , βd ) and also that ϕa (i, m) = 1
implies ϕb (i, m) = 1.
The following facts will be needed later on in the proof:
√
• βd = ξ/2µλ ≥ 23λ · D03 for 21 log ξ ≥ (µ + 3)λ + 3CSZµ,λ
(i) µ √
• βn /22λ+1 = 2(µ−i−2)λ− 2 −1 ξ · β ≥ 26λ+2 Bi+1 Di+1 2 for 12 log ξ ≥ (µ + 8)λ +
3CSZµ,λ + µ + 3
Both conditions are satisfied by the theorem hypothesis.

(ν) (ν)
The Extract algorithm The Extract(i, ν, (C (ν) , CR , CL ), openSubtree) algorithm
(ν) (ν)
operates as follows to extract an opening of (C (ν) , CR , CL ) for a node ν on the
ith tree level. The input openSubtree contains openings (xuj , tuj ) for all three chil-
dren nodes u1 , u2 , and u3 of node ν. Let Cj = F (L)(uj ) and let rj denote the chal-
lenge labels that L assigns to uj where r1 ̸= r2 ̸= r3 ̸= r4 ̸= 0. By construction,
(ν) (ν)
Cj = CL + rj2 CR + rj C (ν) for j ∈ {1, 2, 3, 4}. Define R ∈ Z3×3 to be the ma-
trix with rows (rj , rj2 , 1) for j ∈ {1, 2, 3}, T the diagonal matrix with diagonal entries


tu1 , tu2 , tu3 ̸= 0 (also non-zero mod prime |G|) , and let Ej = rj · I2µ−i−1 I2µ−i−1 . We
can summarize the relations as:

  
C (ν) C (u1 )
  (u1 )     
C ⟨xu1 , gu1 ⟩ xu1 · E1
 (ν) 
R · CR  = C (u2 )  T · C (u2 )  = ⟨xu2 , gu2 ⟩ = xu2 · E2  · gν
(ν) C (u3 ) C (u3 ) ⟨xu3 , gu3 ⟩ xu3 · E3
CL
 
C (ν)
 (u1 )   
C xu1 · E1
 (ν) 
T · R · CR  = T · C (u2 )  = xu2 · E2  · gν = X · gν .
(ν) C (u3 ) xu3 · E3
CL
Let P = adj(T·R) ∈ Z3×3 , the adjugate matrix so that P·T·R = det(T)·det(R)·I3 .
Let tν = det(T) · det(R) = tu1 · tu2 · tu3 · det(R). Since R is Vandermonde it has a
non-zero integer determinant, which is also non-zero mod prime |G|. Therefore tν ̸= 0,
and also tν ̸= 0 mod |G| in the case that |G| is prime.
Finally:    
C (ν) C (ν)
 (ν)   (ν) 
P · T · R · CR  = tν · CR  = P · X · gν .
(ν) (ν)
CL CL
Letting P1 denote the first row of P we obtain tν ·Cν = ⟨P1 , X·gν ⟩. The extractor sets
(ν)
x(ν) := ⟨P1 , X⟩, which now satisfies ⟨x(ν) , gν ⟩ = tν · Cν . Similarly, it sets xR = ⟨P2 , X⟩
(ν) (ν) (ν) (ν) (ν)
and xL = ⟨P3 , X⟩, which satisfy ⟨xR , gν ⟩ = tν · CR and ⟨xL , gν ⟩ = tν · CL .
If all entries of T have absolute value bounded by Di+1 then |tν | ≤ 23λ Di+1 3 . We

will next bound the norm of xν assuming that all xui have norm bounded by Bi+1 , first
note that all entries
2
√ of the adjugate matrix √ are determinants of 2 × 2 submatrices, thus
||adj(T)|| ≤ Di+1 3 and ||adj(R)|| ≤ 23λ 3. Since P = adj(T · R) = adj(R) · adj(T),
and since the Frobenius norm is 1-submultiplicative, ||P|| ≤ 3 · 23λ Di+1 2 . For each j,

||xuj ·Ej ||2 = (rj2 +1)·||xuj ||2 , thus ||X||2 = 3j=1 ||xuj ·Ej ||2 ≤ 3·(22λ +1)·Bi+1
2 . Finally,
P
√
for any j ∈ {1, 2, 3}, ||⟨Pj , X⟩|| ≤ ||P·X|| ≤ 23λ Di+1 2 · 3(2λ +1)B
i+1 ≤ 2
4λ+1 B 2
i+1 Di+1 .
(ν) (ν) (i)
As shown above, this implies x(ν) /tν , xR /tν , xL /tν ∈ Wi (βn , βd ).
Note that for all i ∈ {1, 2, 3, 4} we have that:
(ν) (ν)
tui · ⟨(ri , ri2 , 1), (C (ν) , CR , CL )⟩ = ⟨(ri xui , xui ), gν ⟩

Multiplying both sides by tν we get:

(ν) (ν)
tui tν · ⟨(ri , ri2 , 1), (C (ν) , CR , CL )⟩ = tν ⟨(ri xui , xui ), gν ⟩
(ν) (ν)
We can now replace (C (ν) , CR , CL ) with the extracted openings:
(ν) (ν)
tui · ⟨ri x(ν) + ri2 xR + xL , gν ⟩ = tν ⟨(ri xui , xui ), gν ⟩
Let xν = (a, b), xνL = (aL , bL ) and xνR = (aR , bR ) denote the subdivision of each vector
into two equal length halves. Two cases ensue. Either
• tui · (ri · a + ri2 aR + aL ) = tν ri xui and tui · (ri · b + ri2 bR + bL ) = tν xui ; or

17
 (ν) (ν)
• they are distinct openings of the commitment C (ui ) = ⟨(ri , ri2 , 1), (C (ν) , CR , CL )⟩
(ν) (ν)
(ri xui ,xui ) ri x(ν) +ri2 xR +xL
to the rationals h1 = tν and h2 = tui .
Given that ||x(ν) ||, ||xνL || and ||x(ν) || are all bounded by B ′ = 24λ+1 Bi+1 Di+1
2 we
(ν) (ν)
have that ||(ri x(ν) + ri2 xR + xL || is bounded by 3 · 22λ B ′ ≤ 26λ+3 Bi+1 Di+1
2 and
(i)
thus h1 , h2 ∈ Wi (βn , βd ). Additionally, ||(xui , xui )|| ≤ 2λ+1 · Bi+1 ≤ B ′ and thus
(i)
h1 , h2 ∈ Wi (βn , βd ). In this case, the algorithm returns these openings as a break of
the commitment scheme Γ∗ .
Otherwise:

ri · a + ri2 aR + ri aL = ri2 · b + ri3 bR + ri bL ∀i ∈ {1, 2, 3, 4}

Since the 4 × 4 Vandermonde matrix with rows (1, ri , ri2 , ri3 ) has a trivial kernel, this
equation implies:
a = bL b = aR
bR = 0 aL = 0
(ν) (ν)
Therefore, (x(ν) , tν ) is a valid opening to the commitment (C (ν) , CR , CL ).
At the root, Extract(C, openTree) runs Extract(0, N, C, openTree) to either obtain
a witness (x, t) such that ⟨x, g⟩ = t · C where x/t ∈ W(βn , βd ) or a break of the
commitment scheme Γ∗ .
µ−i
The Extend algorithm For h ∈ Q2 and µ − i challenges in χ, the algorithm
Extend(i, h, ri+1 , ..., rµ ) sets hi := h and runs the following iterative algorithm: for
j = i to µ − 1 set hj+1 := hj,L + rj+1 · hj,R where hj,L and hj,R are the left/right
coefficient split of hj . It returns hi , ..., hµ .

Note that if hi is the honest prover’s committed state in the ith round of the protocol
Π and ri+1 , ..., rµ are the last µ − i round challenges then the value hµ ∈ Z returned by
Extend(i, hi , ri+1 , ..., rµ ) returns is also the honest prover’s last message to the verifier.

(1) (1) (µ) (µ)

The Break algorithm Given virtual commitments (C (1) , CL , CR ), ..., (C (µ) , CL , CR ),
openings for the last µ − i commitments, and round challenges r1 , ..., rµ , the algo-
rithm first runs Extend(i, h, ri , .., rµ ), which returns rational vectors h′i+1 , ..., h′µ . If
∀j≥i h′j = xj /zj then it outputs ⊥. Otherwise, let j ∈ [i, µ) be the first index where
h′j+1 ̸= xj+1 /zj+1 and output (xj,L +rj+1 ·xj,R , zj ), where xj,L and xj,R are the left/right
halves of xj , as the attempted opening for C (j+1) .
Subclaim 1 (Application of New Schwartz-Zippel Lemma). For any i ∈ [µ] and h ∈
µ−i
Q2 , if ϕa (i, h) = 0 then the probability over uniform i.i.d. ri+1 , ..., rµ that hµ returned
by Extend(i, h, ri+1 , ..., rµ ) satisfies ϕa (µ, hµ ) = 1 is at most 3(µ−i)
2λ
.
µ−i
Let x/N = h for gcd(x, N ) = 1 denote the reduced form of h ∈ Q2 . If ϕa (i, h) = 0
then either z > Di or ||x|| > Bi while ϕa (µ, hµ ) = 1 implies hµ ∈ Z and |hµ | ≤ Bµ . Let
µ′ = µ − i. Observe that hµ = z1 · f (rµ , ..., ri+1 ) where f is a µ′ -linear polynomial with
coefficient vector x.

Case 1 N > Di :
If |N | > Di then since log Di = CSZµ−i , the probability that hµ ∈ Z is:
µ−i+1
P(ri+1 ,...,rµ )←[0,2λ )µ−i [f (rµ , ..., ri+1 ) ≡ 0 mod N ] ≤ .
2λ
by the Multilinear Composite Schwartz-Zippel Lemma (Theorem 2).

Case 2 N ≤ Di ∧ ||x|| > Bi :

In this case, if |hµ | ≤ Bµ then |f (rµ , ..., ri+1 )| ≤ N ·Bµ ≤ 2CSZµ−i,λ ·Bµ . Furthermore,
the fact that ||x|| > Bi and log Bi = CSZµ−i,λ + (µ − i)λ + µ2 + log Bµ imply:
µ µ
log(CSZµ−i,λ · Bµ ) ≤ log Bi − (µ − i)λ − < log ||x|| − (µ − i)λ − .
2 2
Since ||x|| ≤ 2µ/2 · ||f ||∞ , the Evaluation Bound Lemma (Lemma 7) implies:

P[hµ ≤ Bµ ] ≤ P[|f (rµ , ..., ri+1 )| ≤ Di · Bµ ] ≤ P[|f (rµ , ..., ri+1 )|

1 3(µ − i)
≤ (µ−i)λ · ||f ||∞ ] ≤
2 2λ .

18
 Together these imply that if ϕa (i, x/N ) = 0 then the probability over the random
challenges that the final element hµ of the list returned by Extend satisfies ϕa (µ, hµ ) = 1
is negligible.

Subclaim 2. For any i ∈ [µ − 1], given a valid transcript together with the “virtual”
commitments (C (0) , ..., C (µ) ), round challenges (r1 , ..., rµ ), and openings (oi , ..., oµ ) of
the µ − i + 1 last Γ∗ -commitment triples Ci , ..., Cµ where for j ∈ [i, µ]:
(j) (j)
• Cj = (C (j) , CL , CR )
• oj contains an opening of C (j) to a rational vector hj , such that ϕb (j, hj ) = 1
• ϕa (j, hj ) = 1 if j ≥ i + 1
then either Extend(i, hi , ri+1 , ..., rµ ) returns hi+1 , ..., hµ or Break(i, hi , (oi , ..., oµ )) re-
turns for some j ≥ i a valid opening of C (j) to h′j ̸= hj .

Proof. Let (h′i+1 , ..., h′µ ) denote the output of Extend(i, hi , ri+1 , ..., rµ ) and suppose it is
not equal to (hi+1 , ..., hµ ). Let j ∈ [i, µ) denote the first index for which hj+1 ̸= h′j+1 .
This means that hj = h′j and thus h′j+1 = hj,L + rj+1 · hj,R where hj,L and hj,R
are the left/right halves of hj . Let g(j) = G ∗ (pp, ι, r(j) ) denote the commitment basis
(j) (j) (j) (j)
determined by r1 , ..., rj , let g(j) = (gL , gR ), and let g(j+1) = rj+1 · gL + gR .
Let hj = xj /zj so that ⟨xj , gj ⟩ = zj · C (j) by validity of the opening of Cj . Let
xj = (xj,L , xj,R ) so that x′j+1 = xj,L + rj+1 xj,R and h′j+1 = x′j+1 /zj . Validity of the
(j) (j) (j) (j)
opening of Cj additionally implies zj · CL = ⟨xj,L , gR ⟩ and zj · CR = ⟨xj,R , gL ⟩.
(j) (j+1)
Furthermore, ϕb (j, hj ) = 1 implies ||x′j+1 || ≤ 2λ+1 ||xj || ≤ βn /2λ = βn and thus
(i)
h′j+1 ∈ W(βn , βd ).
In a correct transcript:
(j) 2 (j)
⟨xj,L , gR ⟩ + rj+1 ⟨xj,L , gR ⟩ + rj+1 ⟨xj , g(j) ⟩ = zj · C (j+1)

(j) (j)
Thus ⟨xj,L + rj+1 · xj,R , gR + rj+1 gL ⟩ = ⟨x′j+1 , g(j+1) ⟩ = zj · C (j+1) . This shows
that h′j+1 ̸= hj+1 is a conflicting valid opening to C (j+1) .

References
[AC20] Thomas Attema and Ronald Cramer. “Compressed Σ-Protocol The-
ory and Practical Application to Plug & Play Secure Algorithmics”. In:
CRYPTO 2020, Part III. Ed. by Daniele Micciancio and Thomas Ris-
tenpart. Vol. 12172. LNCS. Springer, Heidelberg, Aug. 2020, pp. 513–
543. doi: 10.1007/978-3-030-56877-1_18.
[ACK21a] Thomas Attema, Ronald Cramer, and Lisa Kohl. A Compressed Σ-
Protocol Theory for Lattices. Cryptology ePrint Archive, Report 2021/307.
https://eprint.iacr.org/2021/307. 2021.
[ACK21b] Thomas Attema, Ronald Cramer, and Lisa Kohl. “A Compressed Σ-
Protocol Theory for Lattices”. In: CRYPTO 2021, Part II. Ed. by Tal
Malkin and Chris Peikert. Vol. 12826. LNCS. Virtual Event: Springer,
Heidelberg, Aug. 2021, pp. 549–579. doi: 10.1007/978-3-030-84245-
1_19.
[AFK21] Thomas Attema, Serge Fehr, and Michael Klooß. Fiat-Shamir Trans-
formation of Multi-Round Interactive Proofs. Cryptology ePrint Archive,
Report 2021/1377. https://eprint.iacr.org/2021/1377. 2021.
[AGLMS22] Arasu Arun, Chaya Ganesh, Satya Lokam, Tushar Mopuri, and Sri-
ram Sridhar. Dew: Transparent Constant-sized zkSNARKs. Cryptology
ePrint Archive, Report 2022/419. https://eprint.iacr.org/2022/
419. 2022.
[AL21] Martin R. Albrecht and Russell W. F. Lai. “Subtractive Sets over Cy-
clotomic Rings - Limits of Schnorr-Like Arguments over Lattices”.
In: CRYPTO 2021, Part II. Ed. by Tal Malkin and Chris Peikert.
Vol. 12826. LNCS. Virtual Event: Springer, Heidelberg, Aug. 2021,
pp. 519–548. doi: 10.1007/978-3-030-84245-1_18.

19
[ALS20] Thomas Attema, Vadim Lyubashevsky, and Gregor Seiler. “Practical
Product Proofs for Lattice Commitments”. In: CRYPTO 2020, Part II.
Ed. by Daniele Micciancio and Thomas Ristenpart. Vol. 12171. LNCS.
Springer, Heidelberg, Aug. 2020, pp. 470–499. doi: 10.1007/978-3-
030-56880-1_17.
[BBBPWM18] Benedikt Bünz, Jonathan Bootle, Dan Boneh, Andrew Poelstra, Pieter
Wuille, and Greg Maxwell. “Bulletproofs: Short Proofs for Confidential
Transactions and More”. In: 2018 IEEE Symposium on Security and
Privacy. IEEE Computer Society Press, May 2018, pp. 315–334. doi:
10.1109/SP.2018.00020.
[BCCGP16] Jonathan Bootle, Andrea Cerulli, Pyrros Chaidos, Jens Groth, and
Christophe Petit. “Efficient Zero-Knowledge Arguments for Arithmetic
Circuits in the Discrete Log Setting”. In: EUROCRYPT 2016, Part II.
Ed. by Marc Fischlin and Jean-Sébastien Coron. Vol. 9666. LNCS.
Springer, Heidelberg, May 2016, pp. 327–357. doi: 10.1007/978-3-
662-49896-5_12.
[BCPS15] Anurag Bishnoi, Pete L. Clark, Aditya Potukuchi, and John R. Schmitt.
On zeros of a polynomial in a finite grid. 2015. doi: 10.48550/ARXIV.
1508.06020. url: https://arxiv.org/abs/1508.06020.
[BCS21] Jonathan Bootle, Alessandro Chiesa, and Katerina Sotiraki. “Sum-
check Arguments and Their Applications”. In: CRYPTO 2021, Part I.
Ed. by Tal Malkin and Chris Peikert. Vol. 12825. LNCS. Virtual Event:
Springer, Heidelberg, Aug. 2021, pp. 742–773. doi: 10.1007/978-3-
030-84242-0_26.
[BDFG21] Dan Boneh, Justin Drake, Ben Fisch, and Ariel Gabizon. “Halo Infi-
nite: Proof-Carrying Data from Additive Polynomial Commitments”.
In: CRYPTO 2021, Part I. Ed. by Tal Malkin and Chris Peikert.
Vol. 12825. LNCS. Virtual Event: Springer, Heidelberg, Aug. 2021,
pp. 649–680. doi: 10.1007/978-3-030-84242-0_23.
[BF22] Benedikt Bünz and Ben Fisch. Schwartz-Zippel for multilinear poly-
nomials mod N. Cryptology ePrint Archive, Report 2022/458. https:
//eprint.iacr.org/2022/458. 2022.
[BFS19] Benedikt Bünz, Ben Fisch, and Alan Szepieniec. Transparent SNARKs
from DARK Compilers. Cryptology ePrint Archive, Report 2019/1229.
https://eprint.iacr.org/2019/1229. 2019.
[BFS20] Benedikt Bünz, Ben Fisch, and Alan Szepieniec. “Transparent SNARKs
from DARK Compilers”. In: EUROCRYPT 2020, Part I. Ed. by Anne
Canteaut and Yuval Ishai. Vol. 12105. LNCS. Springer, Heidelberg,
May 2020, pp. 677–706. doi: 10.1007/978-3-030-45721-1_24.
[BG93] Mihir Bellare and Oded Goldreich. “On Defining Proofs of Knowledge”.
In: CRYPTO’92. Ed. by Ernest F. Brickell. Vol. 740. LNCS. Springer,
Heidelberg, Aug. 1993, pp. 390–420. doi: 10 . 1007 / 3 - 540 - 48071 -
4_28.
[BGH19] Sean Bowe, Jack Grigg, and Daira Hopwood. Halo: Recursive Proof
Composition without a Trusted Setup. Cryptology ePrint Archive, Re-
port 2019/1021. https://eprint.iacr.org/2019/1021. 2019.
[BH01] Johannes Buchmann and Safuat Hamdy. “A survey on IQ cryptogra-
phy”. In: Public-Key Cryptography and Computational Number Theory.
2001, pp. 1–15.
[BHRRS21] Alexander R. Block, Justin Holmgren, Alon Rosen, Ron D. Rothblum,
and Pratik Soni. “Time- and Space-Efficient Arguments from Groups of
Unknown Order”. In: CRYPTO 2021, Part IV. Ed. by Tal Malkin and
Chris Peikert. Vol. 12828. LNCS. Virtual Event: Springer, Heidelberg,
Aug. 2021, pp. 123–152. doi: 10.1007/978-3-030-84259-8_5.
[BLNS20] Jonathan Bootle, Vadim Lyubashevsky, Ngoc Khanh Nguyen, and Gre-
gor Seiler. “A Non-PCP Approach to Succinct Quantum-Safe Zero-
Knowledge”. In: CRYPTO 2020, Part II. Ed. by Daniele Micciancio
and Thomas Ristenpart. Vol. 12171. LNCS. Springer, Heidelberg, Aug.
2020, pp. 441–469. doi: 10.1007/978-3-030-56880-1_16.

20
[CNRZZ22] Matteo Campanelli, Anca Nitulescu, Carla Ràfols, Alexandros Zacharakis,
and Arantxa Zapico. Linear-map Vector Commitments and their Prac-
tical Applications. Cryptology ePrint Archive, Report 2022/705. https:
//eprint.iacr.org/2022/705. 2022.
[CPP17] Geoffroy Couteau, Thomas Peters, and David Pointcheval. “Removing
the Strong RSA Assumption from Arguments over the Integers”. In:
EUROCRYPT 2017, Part II. Ed. by Jean-Sébastien Coron and Jes-
per Buus Nielsen. Vol. 10211. LNCS. Springer, Heidelberg, Apr. 2017,
pp. 321–350. doi: 10.1007/978-3-319-56614-6_11.
[DF02] Ivan Damgård and Eiichiro Fujisaki. “A Statistically-Hiding Integer
Commitment Scheme Based on Groups with Hidden Order”. In: ASI-
ACRYPT 2002. Ed. by Yuliang Zheng. Vol. 2501. LNCS. Springer,
Heidelberg, Dec. 2002, pp. 125–142. doi: 10.1007/3-540-36178-2_8.
[DL77] Richard A DeMillo and Richard J Lipton. A Probabilistic Remark on
Algebraic Program Testing. Tech. rep. GEORGIA INST OF TECH AT-
LANTA SCHOOL OF INFORMATION and COMPUTER SCIENCE,
1977.
[ENS20] Muhammed F. Esgin, Ngoc Khanh Nguyen, and Gregor Seiler. “Prac-
tical Exact Proofs from Lattices: New Techniques to Exploit Fully-
Splitting Rings”. In: ASIACRYPT 2020, Part II. Ed. by Shiho Moriai
and Huaxiong Wang. Vol. 12492. LNCS. Springer, Heidelberg, Dec.
2020, pp. 259–288. doi: 10.1007/978-3-030-64834-3_9.
[GI08] Jens Groth and Yuval Ishai. “Sub-linear Zero-Knowledge Argument
for Correctness of a Shuffle”. In: EUROCRYPT 2008. Ed. by Nigel P.
Smart. Vol. 4965. LNCS. Springer, Heidelberg, Apr. 2008, pp. 379–396.
doi: 10.1007/978-3-540-78967-3_22.
[GPV08] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. “Trapdoors
for hard lattices and new cryptographic constructions”. In: 40th ACM
STOC. Ed. by Richard E. Ladner and Cynthia Dwork. ACM Press,
May 2008, pp. 197–206. doi: 10.1145/1374376.1374407.
[HHKKP22] Charlotte Hoffmann, Pavel Hubácek, Chethan Kamath, Karen Klein,
and Krzysztof Pietrzak. “Practical Statistically-Sound Proofs of Expo-
nentiation in Any Group”. In: CRYPTO 2022, Part II. Ed. by Yevgeniy
Dodis and Thomas Shrimpton. Vol. 13508. LNCS. Springer, Heidel-
berg, Aug. 2022, pp. 370–399. doi: 10.1007/978-3-031-15979-4_13.
[Kar15] Dmitrii Karp. Normalized incomplete beta function: log-concavity in
parameters and other properties. 2015. doi: 10.48550/ARXIV.1509.
05120. url: https://arxiv.org/abs/1509.05120.
[KI04] Valentine Kabanets and Russell Impagliazzo. “Derandomizing Polyno-
mial Identity Tests Means Proving Circuit Lower Bounds”. In: Comput.
Complex. 13.1-2 (2004), pp. 1–46. doi: 10.1007/s00037-004-0182-6.
url: https://doi.org/10.1007/s00037-004-0182-6.
[Lin01] Yehuda Lindell. “Parallel Coin-Tossing and Constant-Round Secure
Two-Party Computation”. In: CRYPTO 2001. Ed. by Joe Kilian. Vol. 2139.
LNCS. Springer, Heidelberg, Aug. 2001, pp. 171–189. doi: 10.1007/3-
540-44647-8_10.
[LM19] Russell W. F. Lai and Giulio Malavolta. “Subvector Commitments with
Application to Succinct Arguments”. In: CRYPTO 2019, Part I. Ed.
by Alexandra Boldyreva and Daniele Micciancio. Vol. 11692. LNCS.
Springer, Heidelberg, Aug. 2019, pp. 530–560. doi: 10.1007/978-3-
030-26948-7_19.
[LNS21] Vadim Lyubashevsky, Ngoc Khanh Nguyen, and Gregor Seiler. “Shorter
Lattice-Based Zero-Knowledge Proofs via One-Time Commitments”.
In: PKC 2021, Part I. Ed. by Juan Garay. Vol. 12710. LNCS. Springer,
Heidelberg, May 2021, pp. 215–241. doi: 10.1007/978-3-030-75245-
3_9.
[LS15] Adeline Langlois and Damien Stehlé. “Worst-case to average-case re-
ductions for module lattices”. In: Des. Codes Cryptogr. 75.3 (2015),
pp. 565–599.

21
[MP13] Daniele Micciancio and Chris Peikert. “Hardness of SIS and LWE with
Small Parameters”. In: CRYPTO 2013, Part I. Ed. by Ran Canetti
and Juan A. Garay. Vol. 8042. LNCS. Springer, Heidelberg, Aug. 2013,
pp. 21–39. doi: 10.1007/978-3-642-40041-4_2.
[NS22] Ngoc Khanh Nguyen and Gregor Seiler. “Practical Sublinear Proofs
for R1CS from Lattices”. In: CRYPTO 2022, Part II. Ed. by Yevgeniy
Dodis and Thomas Shrimpton. Vol. 13508. LNCS. Springer, Heidel-
berg, Aug. 2022, pp. 133–162. doi: 10.1007/978-3-031-15979-4_5.
[Pie19] Krzysztof Pietrzak. “Proofs of Catalytic Space”. In: ITCS 2019. Ed. by
Avrim Blum. Vol. 124. LIPIcs, Jan. 2019, 59:1–59:25. doi: 10.4230/
LIPIcs.ITCS.2019.59.
[RS62] J Barkley Rosser and Lowell Schoenfeld. “Approximate formulas for
some functions of prime numbers”. In: Illinois Journal of Mathematics
6.1 (1962), pp. 64–94.
[RSA78] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. “A Method
for Obtaining Digital Signatures and Public-Key Cryptosystems”. In:
Communications of the Association for Computing Machinery 21.2
(1978), pp. 120–126.
[Sch80] Jacob T Schwartz. “Fast probabilistic algorithms for verification of
polynomial identities”. In: Journal of the ACM (JACM) 27.4 (1980),
pp. 701–717.
[Wes19] Benjamin Wesolowski. “Efficient Verifiable Delay Functions”. In: EU-
ROCRYPT 2019, Part III. Ed. by Yuval Ishai and Vincent Rijmen.
Vol. 11478. LNCS. Springer, Heidelberg, May 2019, pp. 379–407. doi:
10.1007/978-3-030-17659-4_13.
[Wik21] Douglas Wikström. Special Soundness in the Random Oracle Model.
Cryptology ePrint Archive, Report 2021/1265. https : / / eprint .
iacr.org/2021/1265. 2021.
[WTsTW18] Riad S. Wahby, Ioanna Tzialla, abhi shelat, Justin Thaler, and Michael
Walfish. “Doubly-Efficient zkSNARKs Without Trusted Setup”. In:
2018 IEEE Symposium on Security and Privacy. IEEE Computer So-
ciety Press, May 2018, pp. 926–943. doi: 10.1109/SP.2018.00060.
[Zip79] Richard Zippel. “Probabilistic algorithms for sparse polynomials”. In:
International symposium on symbolic and algebraic manipulation. Springer.
1979, pp. 216–226.

A Proofs for the Multilinear Composite Schwartz Zippel

Lemma
A.1 Proof of main LCSZ theorem (Theorem 1)
Theorem 1 (Multilinear Composite Schwartz-Zippel (LCSZ)). Let N = ℓi=1 pri i for
Q
distinct primes p1 , ..., pℓ . Let f be any µ-linear integer polynomial co-prime to N . For
any integer m > 1 and x sampled uniformly from [0, m)µ :
ℓ
µ Y
Px←[0,m)µ [f (x) ≡ 0 mod N ] ≤ + I 1 (ri , µ),
m pi
i=1

P∞ µ+r−1

 1 j
where I 1 (r, µ) = (1 − p1 )µ j=r r p is the regularized beta function.
p

Proof. We begin by introducing some notations.

• For a polynomial f ∈ Z[X1 , ..., Xµ ] let f⃗ denote the coefficients of f and let cont(f )
denote the greatest integer divisor of f , i.e. the content.
• β⃗ = (β1 , ..., βµ ) ∈ [0, m)µ is a random variable distributed uniformly over [0, m)µ .
For any i ≥ 1, let β⃗i = (β1 , ..., βi ), let f0 = f , and let fi (β⃗i ) := f (β1 , . . . , βi , Xi+1 , . . . , Xµ ).
• Given the random variable β⃗ distributed uniformly over [0, m)µ , define for each
j ∈ [1, ℓ] and i ∈ [1, µ] the random variable Yj,i (as a function of β)⃗ representing
⃗
the multiplicity of pj in cont(fi (βi ))). Naturally, we set Yj,0 = 0 for all j because
∀j f0 ̸= 0 mod pj . (Note: Yj,i are not independent). For any i ∈ [µ] the event

22
 that ∀j Yj,i ≥ rj is equivalent to the event that fi (β⃗i ) = 0 mod N and the event
that ∀j Yj,i = ri is equivalent to cont(fi (β⃗i )) = N . The event ∀j Yj,µ ≥ rj is thus
⃗ = 0 mod N .
equivalent to f (β)
• Let {Zj,i } for i ∈ [µ] and j ∈ [ℓ] be a set of independent random variables, where
Zj,i is geometric with parameter 1 − p1j .

From the CCDF (complementary CDF) Pµ of geometric random variables we have that
1 k
P [Zj,i ≥ k] = ( pj ) . Setting Zj := i=1 Zj,i , from the CCDF of the negative bino-
mial distribution (i.e., tail distribution of the sum of independent geometric random
variables) it follows that ∀j P [Zj ≥ r] = I 1 (r, µ).
pj
Next, we establish an important subclaim:

Claim 1. For any i ≥ 2 and ⃗k, ⃗k ′ ∈ Nℓ where ∀j kj ≥ 0:

1
P [∀j Yj,i ≥ kj + kj′ |∀j Yj,i−1 = kj′ ] ≤ + P [∀j Zj,i ≥ kj ].
m
1
Furthermore, for all i ≥ 1, P [∀j Yj,i ≥ Yj,i−1 + kj ] ≤ m + P [∀j Zj,i ≥ kj ].

Proof. Since the order of the variables does not matter, w.l.o.g. assume that ∀j∈[1,ℓ′ ] kj ≥
Q′ k Q′ k′
1 and ∀j>ℓ′ kj = 0. Let N ∗ = ℓj=1 pj j and N ′ = ℓj=1 pj j . For any i ≥ 2 and any
x ∈ [0, m)i−1 , in the event that β⃗i−1 = x and ∀j Yj,i−1 = k ′ , then by definition fi−1 (x) ≡
j
0 mod N ′ and ∀j fi−1 (x)/N ′ ̸≡ 0 mod pj . In case i = 1, we have that ∀j Yj,0 = 0, N ′ = 1,
and ∀j f0 = f ̸= 0 mod pj . Thus, for all i ≥ 1, conditioned on the events that β⃗i−1 = x
and ∀j Yj,i−1 = kj′ , there exist multilinear µ − i variate polynomials hi , gi such that
fi−1 (x)/N ′ = hi (Xi+1 , . . . , Xµ ) + Xi · gi (Xi+1 , . . . , Xµ ) where for all j at least one of hi
or gi is nonzero modulo pj .
Furthermore, for any i ≥ 1, conditioned on the events ∀j Yj,i−1 = kj′ and β⃗i−1 = x,
the event that ∀j Yj,i ≥ kj + kj′ is equivalent to the event that hi + βi gi ≡ 0 mod N ∗ .
For each index t ∈ [1, 2µ−i ] let hi [t] and gi [t] denote the tth coefficients of hi and
gi respectively (i.e., the coefficients on the tth monomial in a canonical ordering of the
2µ−i monomials over the µ − i variables Xi+1 , ..., Xµ ). Given that for every j ∈ [ℓ′ ] the
polynomial hi + Xi · gi is non-zero modulo pj , for each j ∈ [ℓ′ ] there exists at least one
index tj for which the univariate linear polynomial hi [tj ] + Xi gi [tj ] is non-zero modulo
pj . We now have that:

P [∀j Yj,i ≥ kj + kj′ |β⃗i−1 = x ∧ ∀j Yj,i−1 = kj′ ] (1)

k
= P [∀j hi + βi · gi ≡ 0 mod pj j ] (2)
k
≤ P [∀j hi [tj ] + βi · gi [tj ] ≡ 0 mod pj j ]. (3)

For each tj there is at most one solution to the equation hi [tj ]+Xi ·gi [tj ] ≡ 0 mod pj .
Consequently, by CRT, there is at most one integer solution x∗ ∈ [0, N ∗ ) to the system
of equations ∀j hi [tj ] + Xi · gi [tj ] ≡ 0 mod pj 10 . If x∗ was uniform mod N ∗ then the
probability would be N1∗ . However, we must also consider the case that x∗ is not uniform
mod N ∗ .
k
Let E denote the event that the system of equations ∀j hi [tj ] + βi · gi [tj ] ≡ 0 mod pj j
from equation (3) is satisfied. There is at most one integer equivalence class modulo N ∗
satisfying this system of equations and the random variable βi is uniformly distributed
over [0, m). Let U denote the event that βi ∈ [0, m − m mod N ∗ ) and let Ū denote
the event that βi ∈ [m − m mod N ∗ , m). Conditioned on U , βi is uniformly distributed
modulo N ∗ , and thus P [E|U ] ≤ 1/N ∗ . Conditioned on Ū , βi is uniformly distributed
over the set [m − m mod N ∗ , m). As this set is a contiguous interval of less than
N ∗ integers it contains at most one solution to the systems of equations, and thus,
N∗
P [E|Ū ] ≤ 1/(m mod N ∗ ). The probability of Ū is exactly m mod m . Therefore:

P [E] = P [E|U ] · P [U ] + P [E|Ū ] · P [Ū ] (4)

1 m mod N ∗ 1 m mod N ∗
≤ ∗ · (1 − )+ · (5)
N m m mod N ∗ m
1 1
≤ ∗+ . (6)
N m
10
This is where the proof falls apart for higher degree polynomials. For example if the polynomial is quadratic in
each variable then there could be up to 2ℓ solutions where ℓ is the number of prime factors.

23
 We also have that:
ℓ ′ ℓ ′
1 kj

Y Y 1
P [∀j∈[ℓ] Zj,i ≥ kj ] = P [Zj,i ≥ kj ] = = ∗.
pj N
j=1 j=1

Thus, putting it all together, for any i ≥ 1 and any x ∈ [0, m)i−1 :
1 1 1
P [∀j Yj,i ≥ kj + kj′ |β⃗i−1 = x ∧ ∀j Yj,i−1 = kj′ ] ≤ + ∗ = + P [∀j Zj,i ≥ kj ].
m N m
Since the probability bound is independent of x, this implies:
1
P [∀j Yj,i ≥ kj + kj′ |∀j Yj,i−1 = kj′ ] ≤ + P [∀j Zj,i ≥ kj ].
m
Consequently, for any i ≥ 2 and ⃗k ∈ Nℓ where ∀j kj > 0:

1
P [∀j Yj,i ≥ Yj,i−1 + kj ] ≤ max P [∀j Yj,i ≥ kj + kj′ |∀j Yj,i−1 = kj′ ] ≤ + P [∀j Zj,i ≥ kj ].
k⃗′ m
Similarly, for i = 1 and ⃗k ∈ Nℓ where ∀j kj > 0:
1
P [∀j Yj,i ≥ kj ] ≤ + P [∀j Zj,i ≥ kj ].
m

We now prove the full theorem by induction over i ∈ [1, µ]. Specifically, we will prove
the following inductive hypothesis for i ∈ [1, µ]:
ℓ i
i Y X
P [fi (β⃗i ) = 0 mod N ] = P [∀j Yj,i ≥ rj ] ≤ + P[ Zj,k ≥ rj ].
m
j=1 k=1
Setting i = µ this is equivalent to the theorem statement.
Base Case: The base case follows directly from the subclaim for the case i = 1.
ℓ
1 1 Y
P [∀j Yj,1 ≥ rj ] ≤ + P [∀j Zj,1 ≥ rj ] = + P [Zj,1 ≥ rj ].
m m
j=1
Induction Step: Assume the inductive hypothesis holds for some 1 ≤ i < µ, i.e.:
ℓ i
i Y X
P [∀j Yj,i ≥ rj ] ≤ + P[ Zj,k ≥ rj ].
m
j=1 k=1
We will show this implies the hypothesis holds for i + 1:
X
P [∀j Yj,i+1 ≥ rj ] = P [∀j Yj,i+1 − Yj,i ≥ rj − kj |∀j Yj,i = kj ] · P [∀j Yj,i = kj ]
⃗
k∈Nℓ
X 1
≤ (P [∀j Zj,i+1 ≥ rj − kj ] + ) · P [∀j Yj,i = kj ] (by subclaim)
m
⃗
k
1 X
= + P [∀j Zj,i+1 ≥ rj − kj ] · P [∀j Yj,i = kj ]
m
⃗
k
1 X
= + P [∀j Zj,i+1 ≥ ∆j ] · P [∀j Yj,i = rj − ∆j ] (change of variables)
m
⃗
∆∈Zℓ :∀ ∆ ≤r
j j j

1 X X
= + P [∀j Zj,i+1 = ∆j + kj ] · P [∀j Yj,i = rj − ∆j ]
m
⃗
∆∈Zℓ :∀ ∆ ≤r ⃗
j j j k∈N
ℓ

1 X X
= + P [∀j Zj,i+1 = ∆′j ] · P [∀j Yj,i = rj − (∆′j − kj )] (c.o.v.)
m
⃗ ′ ∈Nℓ
∆ ⃗
k∈Nℓ
1 X
= + P [∀j Zj,i+1 = ∆′j ] · P [∀j Yj,i ≥ rj − ∆′j ]
m
⃗ ′ ∈Nℓ
∆
i
1 X X i
≤ + P [∀j Zj,i+1 = ∆′j ] · (P [∀j Zj,i′ ≥ rj − ∆′j ] + ) (inductive hyp.)
m ′
m
⃗′
∆ i =1
i
i+1 X X
= + P [∀j Zj,i+1 = ∆′j ] · P [∀j Zj,k ≥ rj − ∆′j ]
m
⃗′
∆ k=1

i
i+1 X
= + P [∀j Zj,k ≥ rj − Zj,i+1 ] (independence of variables)
m
k=1
ℓ i+1
i+1 Y X
= + P[ Zj,k ≥ kj ]. (independence of variables)
m j=1 k=1

24
A.2 Bounds on the regularized beta function
We provide useful bounds of the regularized beta function that are necessary for the
proofs of Theorems 2 and 3.
The regularized incomplete beta function is defined for k, µ ∈ N as:
∞  
X µ+j−1 j
µ
Iϵ (k, µ) = (1 − ϵ) ϵ .
j
j=k

Special values are Iϵ (k, 1) = ϵk , which matches the tail distribution of a geometric
variable with parameter 1 − ϵ, and Iϵ (1, µ) = 1 − (1 − ϵ)µ , which is the probability that
at least one of µ geometric variables of parameter 1 − ϵ is positive.

Lemma 5. Iϵ (k, µ) ≤ (ϵµ)k for all µ, k ∈ N and ϵ ∈ (0, 1) where ϵµ ≤ 1/2.

Proof. For k = 0 the statement holds because Iϵ (0, µ) = 1. For µ = 1 we have Iϵ (k, 1) =
ϵk . It remains to prove the inequality for µ ≥ 2 and k ≥ 1. WePwill use the

following or-
∞ a+j j 1
dinary generating function identity for binomial coefficients: j=0 a x = (1−x)a+1 .
This allows us to write Iϵ (k, µ) as:
 
∞   k−1  
X µ+j−1 j X µ + j − 1 j
Iϵ (k, µ) = (1 − ϵ)µ ·  ϵ − ϵ
j j
j=0 j=0

k−1   k−1  
µ 1 X µ+j−1 j µ
X µ+j−1 j
= (1 − ϵ) · ( − ϵ ) = 1 − (1 − ϵ) ϵ
(1 − ϵ)µ j j
j=0 j=0

Pk−1
Using the geometric series identity (ϵµ)k = 1 − (1 − ϵµ) · j=0 (ϵµ)
j, we obtain:
k−1  
k
X
µ µ+j−1 j
(ϵµ) − Iϵ (k, µ) = (1 − ϵ) · ϵ − (1 − ϵµ)(ϵµ)j
j
j=0

k−1  
X
µ µ+j−1
= ((1 − ϵ) · − (1 − ϵµ)µj )ϵj .
j
j=0

Let Φϵ,µ (k) = (ϵµ)k − Iϵ (k, µ) so that the goal is to show Φϵ,µ (k) ≥ 0 for k, µ ∈ N
where µ ≥ 2 and ϵµ ≤ 1/2. Observe that:

Φϵ,µ (1) = ϵµ − 1 + (1 − ϵ)µ = (1 − ϵ)µ − (1 − ϵµ) ≥ 0.

lim Φϵ,µ (k) = 0.

k→∞

Thus, it suffices to show that Φϵ,µ (k) is non-increasing on the interval k ∈ [2, ∞)
when ϵµ ≤ 1/2 as this implies that Φϵ,µ (k) ≥ 0 for all k ≥ 1, µ ≥ 2, and ϵµ ≤ 1/2.
Moreover, we can easily show this by showing that for all µ, j ≥ 2 and ϵµ ≤ 1/2:
 
µ µ+j−1
(1 − ϵ) · ≤ (1 − ϵµ) · µj .
j
(µ+j−1
j )
Letting R(µ, j) = µj
, observe that:
µ+j−1 j−1

Qj−1
j i=0 (µ + i) µ+i
Y
R(µ, j) = = = .
µj j! µj µ · (i + 1)
i=0

Since µ + i ≤ µ · (i + 1) for all µ ≥ 2 and i ≥ 0, it follows that R(µ, j) ≤ R(µ, 2) =

1
2 · (1 + µ1 ) for j ≥ 2. Furthermore, for ϵ ∈ (0, 1/µ):

d (1 − ϵ)µ (µ − 1)ϵµ(1 − ϵ)µ−1

= ≥ 0.
dϵ 1 − ϵµ (1 − ϵµ)2
1
Thus, for ϵ ∈ (0, 2µ ] and µ ≥ 2:
1 µ
(1 − ϵ)µ (1 − 2µ ) (1 + µ1 ) 1
−1/2
· R(µ, j) ≤ · R(µ, 2) ≤ √ ≤ eµ ≤ 1.
(1 − ϵµ) 1/2 e
This completes the proof.

25
Lemma 6. Iϵ (k, µ) ≤ ϵk · k µ for k ≥ 2µ and ϵ ≤ 1/2.

This is tighter than Bound 1 for larger k, i.e. when k µ < µk .

Proof. Similar to the analysis in Bound 1, define Ψϵ,µ (k) = ϵk k µ − Iϵ (k, µ) so that:
k−1  
k µ
X
µ µ+j−1 j
Ψϵ,µ (k) = ϵ k − 1 + (1 − ϵ) ϵ .
j
j=0

Bound 2 holds iff Ψϵ,µ (k) ≥ 0 for all k ≥ 2µ and ϵ ≤ 1/2. For µ = 1 we have
Iϵ (k, 1) = ϵk so

Ψϵ,1 (k) = ϵk · k − ϵk ≥ 0.
Furthermore, limk→∞ Ψϵ,µ (k) = 0. Thus, it suffices to show that Ψϵ,µ is non-
increasing on the interval [2µ, ∞) for µ ≥ 2 and ϵ ≤ 1/2.
Observe that:
 
k+1 µ k µ µ µ+k−1
Ψϵ,µ (k + 1) − Ψϵ,µ (k) = ϵ (k + 1) − ϵ k + (1 − ϵ) ϵk
k
  
k µ µ µ µ+k−1
= ϵ ϵ(k + 1) − k + (1 − ϵ) .
k
Defining:
µ+k−1


µ 1
∆ϵ (k, µ) := (1 − ϵ) k
+ ϵ(1 + )µ .
kµ k
Ψϵ,µ (k) is non-increasing on k ∈ [2µ, ∞] iff ∆ϵ (k, µ) ≤ 1 for all k ≥ 2µ. We will
√
prove this for µ ≥ 2 and ϵ ≤ 1/2. Using the inequality (1 + k1 )µ ≤ e for k ≥ 2µ:
3n−1


2µ √
∆ϵ (2µ, µ) ≤ (1 − ϵ)µ µ
+ ϵ e.
(2µ)
The right hand side is decreasing as µ → ∞ and thus for µ ≥ 2 and ϵ ≤ 1/2:
5


√ 5 √
∆ϵ (2µ, µ) ≤ (1 − ϵ)2 · 42 + ϵ e = (1 − ϵ)2 · + ϵ e < 1.
4 16
d
To see why this is less than 1 for ϵ ≤ 1/2, note that dϵ (1−ϵ)2 ·c1 +ϵ·c2 = 2c1 ϵ+c2 −2c1
√
is positive when ϵ ≥ 0 and c2 ≥ 2c1 , and e > 8 . Thus, on the interval ϵ ∈ [0, 12 ],
5
5 √ √
(1 − ϵ)2 16 + ϵ e ≤ 14 · 16
5
+ 12 e = 0.902...
Finally, since ∆ϵ (k, µ) is decreasing as k → ∞:

∀k≥2µ,µ≥2,ϵ≤1/2 ∆ϵ (k, µ) ≤ ∆ϵ (2µ, µ) < 1.

Corollary 6. For any prime p and any positive integer µ

 rµ
Xµ  pr if r ≥ 2µ

P[ Xi ≥ r] = I 1 (r, µ) ≤ ( µp )r if p ≥ 2µ ,
p 
i=1
1 otherwise


where Xi are independent geometric variables with parameter ( p1 ) and P [Xi ≥ r] =

 r
1
p .

A.3 Proof of Inverse LCSZ (Theorem 2)

Theorem 2 (Inverse LCSZ). For all µ ≥ 2, ϵ ≥ logµ (2), and all N such that

1
log N ≥ 4µ2+ϵ + (1 + ) · λ.
ϵ
we have that for any µ-linear polynomial f that is coprime with N
µ
Px←[0,m)µ [f (x) ≡ 0 mod N ] ≤ 2−λ + .
m

26
 Q ri
By Theorem 1 (CSZ) we have that for N = i pi :
Y µ
Px←[0,m)µ [f (x) ≡ 0 mod N ] ≤ I 1 (ri , µ) + .
pi m
i

For µ = 1 and log2 (N ) ≥ λ, Theorem 1 shows that Px←[0,m) [f (x) ≡ 0 mod N ] ≤

2−λ +m 1
. This is derived by substituting I1/p (r, 1) = p1r , which gives Px←[0,m) [f (x) ≡
0 mod N ] ≤ N1 + m 1
. The case µ ≥ 2 is more complicated. This is the focus of the rest
of the proof..
For a given N ∈ N, let S(N ) denote Q the set of pairs (p, r) where p is a prime divisor
of N and r is its multiplicity, i.e. N = (p,r)∈S pr . Q
It follows from Theorem 1 (CSZ) that if N ≥ t(λ, µ) = supN ∈N { (p,r)∈S(N ) I 1 (r, µ) ≥
p
2−λ } then
µ
Px←[0,m)µ [f (x) ≡ 0 mod N ] ≤ 2−λ +
.
m
Assuming t(λ, µ) < ∞, we obtain the following constrained maximization problem:

log2 t(λ, µ) := max log2 N

N ∈N
X (Constrained Max 1)
subject to − log2 I 1 (r, µ) ≤ λ.
p
(p,r)∈S(N )

In order to derive an upper bound on log2 t(λ, µ), we construct a sequence of modified
maximization problems, each of which is an upper bound to the prior. The last in this
sequence is a knapsack problem for which we analytically derive an upper bound.
Definition 6. Let val(p, r) := r log2 p and let weightµ (p, r) = − log2 I 1 (r, µ). Addition-
p
ally, for all ϵ ≥ logµ (2), let:

1+ϵ
r · (log2 (p) − log2 (µ)) if p ≥ µ

weightµ,ϵ (p, r) := r · log2 (p) − µ · log2 (r) if p < µ1+ϵ ∧ r > 2(1 + ϵ) µlnlnpµ .

0 otherwise


Claim 2. For any prime p and r ∈ N, if ϵ ≥ logµ (2) then weightµ (p, r) ≤ weightµ,ϵ (p, r).

Proof. If ϵ ≥ logµ (2) then µ1+ϵ ≥ 2µ and the claim follows from Corollary 6 (to Lemma 5
and Lemma 6).

Claim 3. For any prime p, weightµ,ϵ (p, r) is non-decreasing over r ≥ 1 and increasing
for r > 2(1 + ϵ) µlog
log µ
p .

Proof. We first show that the function weightµ,ϵ (p, r) is non-decreasing in r in each
of the three cases, which comprise three subdivisions of the plane Primes × N, which
we denote SA , SB , and SC respectively. SA contains all (p, r) where p ≥ µ1+ϵ , in
d
which case dr weightµ,ϵ (p, r) = log2 (p) − log2 (µ) > 0. SB contains all (p, r) where
µ ln µ d µ
r > 2(1 + ϵ) ln p and p < µ1+ϵ , in which case dr weightµ,ϵ (p, r) = log2 (p) − r ln 2 , and
µ 1
log2 (p)− r ln 2 ≥ log2 p− 2 ln 2 > 0. The weight function is constant at 0 for all remaining
pairs, which comprise set SC .
It remains to show that weightµ,ϵ (p, r) increases in r across the boundary between
SB and SC , for which it suffices to show that the weight is positive for all (p, r) ∈
SB . Suppose, towards contradiction, that r log2 p ≤ µ log2 r and r > 2(1 + ϵ) µlog log2 µ
.
2p
r µ r µ
This would imply that both log r ≤ log p and 2(1+ϵ) log µ > log p , which implies that
2 2 2
log2 r > 2(1 + ϵ) log µ. Since logr r is monotonic increasing in r, this in turn implies that
2
r µ2 r
>
log2 r ≥ µ for all µ ≥ 1. Finally, the implication that
4 log2 µ log2 r > µ contradicts the
assumption that r log2 p ≤ µ log2 r.

The first modified maximization problem is:

X
max val(p, r)
N ∈N
(p,r)∈S(N )
X (Constrained Max 2)
subject to weightµ,ϵ (p, r) ≤ λ.
(p,r)∈S(N )

27
Claim 4. Eq. (Constrained Max 2) is an upper bound to Eq. (Constrained Max 1) for
any µ and ϵ ≥ logµ (2):
P
Proof. For any N ∈ N, by definition (p,r)∈S(N ) val(p, r) = log2 N . Thus the only
difference between the two maximization problems are the constraints. Furthermore, if
ϵ ≥ logµ (2) then, by Claim 2, Eq. (Constrained Max 2) is simply a relaxation of the
constraints in Eq. (Constrained Max 1).

Let Primes denote the infinite set of prime numbers.

Definition 7 (Marginal Value/Weight). Using val(p, r) and weight(p, r) as defined in

Definition 6, r ≥ 1 and p ∈ Primes, let ∆val(p, r) := val(p, r) − val(p, r − 1) = log2 p and
∆val(p, 0) := val(p, 0) = 0. Similarly, for r ≥ 1 let ∆weightµ,ϵ (p, r) := weightµ,ϵ (p, r) −
weightµ,ϵ (p, r − 1) and ∆weightµ,ϵ (p, 0) := weightµ,ϵ (p, 0) = 1.

By Claim 3, ∆weightµ,ϵ (p, r) is non-negative for all prime p and r ∈ N, and posi-
tive for r > 2(1 + ϵ) µlog
log µ
p . The following knapsack problem gives an upper bound to
Eq. (Constrained Max 2) :

X
max ∆val(p, r)
S⊆Primes×N
(p,r)∈S
X (Knapsack Problem)
subject to ∆weightµ,ϵ (p, r) ≤ λ.
(p,r)∈S

Claim 5. Eq. (Knapsack Problem) is an upper bound to Eq. (Constrained Max 2).

Proof. Le S ∗ denote argmax of Eq. (Knapsack Problem) with v ∗ = (p,r)∈S ∗ ∆val(p, r)

P
and suppose (towards contradiction) that there exists N ∈ N such that
X
weightµ,ϵ (p, r) ≤ λ
(p,r)∈S(N )

and X
val(p, r) > v ∗ .
(p,r)∈S(N )

Consider the set S ′ , which includes S(N ) and adds for each (p, r) ∈ S(N ) the pairs
(p, j) for each j ≤ r, i.e:

[ r
[
S′ = {(p, j)}.
(p,r)∈S(N ) j=0

Observe that:

X X r
X X
∆val(p, r) = ∆val(p, j) = val(p, r) > v ∗ .
(p,r)∈S ′ (p,r)∈S(N ) j=0 (p,r)∈S(N )

and
X X r
X X
∆weightµ,ϵ (p, r) = ∆weightµ,ϵ (p, j) = weightµ,ϵ (p, r) ≤ λ.
(p,r)∈S ′ (p,r)∈S(N ) j=0 (p,r)∈S(N )

This is a contradiction to the assumption that v ∗ is the solution to Eq. (Knapsack

Problem).

Finally, we prove a series of claims that will enable us to derive an upper bound on
Eq. (Knapsack Problem). First, we define:
∆val(p,r)
Definition 8 (Density). densityµ,ϵ (p, r) = ∆weightµ,ϵ (p,r) where ∆val(p, r) and ∆weight(p, r)
are defined in Definition 7.

Claim 6. For all S ⊆ Primes × N:

X X
∆val(p, r) ≤ ∆weight(p, r) · max {densityµ,ϵ (p, r)}.
(p,r)∈S
(p,r)∈S (p,r)∈S

28
Proof.
X
∆weight(p, r) · max {densityµ,ϵ (p, r)}
(p,r)∈S
(p,r)∈S
X
≥ weightµ (p, r) · densityµ,ϵ (p, r)
(p,r)∈S
X
= val(p, r).
(p,r)∈S

1
Claim 7. If µ ≥ 2, ϵ ≥ logµ (2), r ≥ 1, and p ≥ µ1+ϵ then densityµ,ϵ (p, r) ≤ 1 + ϵ

Proof. If ϵ ≥ logµ (2) and p ≥ µ1+ϵ then p ≥ 2µ, and thus:

∆val(p, r) log p
densityµ,ϵ (p, r) = = .
∆weightµ,ϵ (p, r) log2 (p) − log2 (µ)
Furthermore, p ≥ µ1+ϵ implies that:
1 ϵ
log2 (p) − log2 (µ) ≥ log2 (p) − log2 (p) = log2 (p) · .
1+ϵ 1+ϵ
log2 (p)
Thus densityµ,ϵ (p, r) ≤ ϵ
log2 (p)· 1+ϵ = 1 + 1ϵ .

Claim 8. If µ ≥ 2, ϵ ≥ logµ (2), r > 2(1 + ϵ) · µ·ln µ

ln p , and p < µ
1+ϵ then density (p, r) ≤
µ,ϵ
1 + 1ϵ

Proof. Since p < µ1+ϵ , the conditions on r imply r > 2(1 + ϵ) µlnlnpµ > 2µ and thus:

∆val(p, r) ln p 1
densityµ,ϵ (p, r) = = = µ r .
∆weightµ,ϵ (p, r) ln p + µ ln r−1
r
1− ln p ln r−1
densityµ,ϵ (p, r) is non-negative because ∆val(p, r) is non-negative and ∆weight(p, r)
is positive over r > 2(1 + ϵ) µlog log µ
p . Thus, for p and r satisfying these conditions,
µ r
it must be the case that 0 ≤ ln p ln r−1 < 1. Furthermore, this term is decreas-
ing (approaching zero) as r increases, which shows that for r and p subject to these
conditions densityµ,ϵ (p, r) is also decreasing in r. Combining this with the fact that
r 1 1
ln r−1 = ln(1 + r−1 ) ≤ r−1 :

µ ln µ 1 1 1
densityµ,ϵ (p, r) ≤ densityµ,ϵ (p, 2(1+ϵ) +1) ≤ µ ln p
= 1 ≤ 1+ .
ln p 1− 1− 2(1+ϵ) ln µ
ϵ
ln p 2(1+ϵ)µ ln µ

Claim 9. For α ∈ R let Primes(α) denote the set of prime numbers strictly less than
α. For µ ∈ N and ϵ ∈ (0, 1) define:

µ ln µ
Bµ,ϵ := {(p, r) : p ∈ Primes(µ1+ϵ ), r ≤ 2(1 + ϵ) }.
ln p
Then : X
∆val(p, r) ≤ 4µ2+ϵ .
(p,r)∈Bµ,ϵ

Proof. Let π(X) denote the prime counting function. We use the fact that π(x) ≤
x
1.3 · ln(x) for all x > 1 [RS62].

⌊2(1+ϵ) µlnlnpµ ⌋
X X X X
∆val(p, r) = log p = 2(1 + ϵ)µ log2 µ
(p,r)∈Bµ,ϵ p∈Primes(µ1+ϵ ) r=0 Primes(µ1+ϵ )

µ1+ϵ 2 · (1 + ϵ)µ ln(µ)

≤ 1.3 · 1+ϵ
· ≤ 4µ2+ϵ .
ln(µ ) ln(2)

29
 Putting together these claims, we obtain the bound:

Claim 10. For all µ ≥ 2, ϵ ≥ logµ (2) and S ⊆ Primes × N:

X X 1
∆val(p, r) ≤ 4n2+ϵ + ∆weightµ,ϵ (p, r) · (1 + ).
ϵ
(p,r)∈S (p,r)∈S

Proof. Partition S into disjoint sets S1 and S2 such that S2 contains all the pairs
(p, r) ∈ S for which either p ≥ µ1+ϵ or r > 2(1 + ϵ) µlnlnpµ , and S1 contains the remaining
pairs. S1 ⊆ Bµ,ϵ from Claim 9 and thus (p,r)∈S1 ∆val(p, r) ≤ 4µ2+ϵ . Furthermore, by
P

Claim 7, if (p, r) ∈ S2 then densityµ,ϵ (p, r) ≤ 1 + 1ϵ and by Claim 6:

X X 1
∆val(p, r) ≤ ∆weightµ,ϵ (p, r) · (1 + ).
ϵ
(p,r)∈S2 (p,r)∈S2

Putting everything together:

X X X
∆val(p, r) = ∆val(p, r) + ∆val(p, r)
(p,r)∈S (p,r)∈S1 (p,r)∈S2
X 1
≤ 4n2+ϵ + ∆weightµ,ϵ (p, r) · (1 + ).
ϵ
(p,r)∈S

Finally, we can conclude

P from Claim 10 that for any S ∈ Primes × N, µ ≥ 2,
and ϵ ≥ logµ (2), if (p,r)∈S ∆weightµ,ϵ (p, r) ≤ λ, i.e., if S satisfies the constraints
of Eq. (Knapsack Problem) then:
X 1
∆weightµ,ϵ (p, r) ≤ 4n2+ϵ + λ · (1 + ).
ϵ
(p,r)∈S

The right hand side of the equation is therefore an upper bound for the solution to
Eq. (Knapsack Problem), and consequently (by Claim 4 and Claim 5), an upper bound
for the solution t(λ, µ) to Eq. (Constrained Max 1) when µ ≥ 2. In conclusion, for any
N ∈ N, µ ≥ 2, and ϵ ≥ logµ (2), if log2 N ≥ 4n2+ϵ + λ · (1 + 1ϵ ) then log2 N ≥ t(λ, µ)
and:
µ
Px←[0,m)µ [f (x) ≡ 0 mod N ] ≤ 2−λ +
m

A.4 Proof of Computational Inverse LCSZ (Theorem 3)

Theorem 3 (Computational bound). Let k be the output of algorithm Algorithm 1
on input λ, µ. Then for all m ∈ N, all N ≥ 2k and all µ-linear polynomials f , coprime
with N , log2 N ≥ t(λ, µ) and
µ
Px←[0,m)µ [f (x) ≡ 0 mod N ] ≤ 2−λ + .
m
As shown in the prior section, t(λ, µ) is upper bounded by a solution to a knapsack
problem, Eq. (Knapsack Problem), over the infinite set of items Primes × N. There is a
simple well-known greedy algorithm that returns an upper bound to the optimal value
for the knapsack problem over a finite set of items. This algorithm greedily adds items
to the knapsack in order of decreasing density until the knapsack overflows the weight
bound, and returns the total value of the added items at this point. Over an infinite set
of items, it is not generally possible to sort by decreasing density. However, by leveraging
monotonicity properties of the density function in our case, we are able to adapt the
greedy approximation algorithm to work for Eq. (Knapsack Problem). In particular,
we are able to enumerate over pairs in Primes × N in an order of non-increasing density.

Claim 11. Let A and B be any pair of discrete strictly ordered sets which contain
minimum elements a0 ∈ A and b0 ∈ B. Let a+ denote the next element of A after a
and likewise b+ the next element of B after b. If f : A × B → R+ is monotonically non-
increasing over pairs (a, b0 ) as a ∈ A increases, and for any fixed a, monotonically non-
increasing over pairs (a, b) as b ∈ B increases, then the following algorithm enumerates
the pairs (a, b) ∈ A × B in order of decreasing f (a, b). The algorithm initializes the set
C = {(a0 , b0 )} and also a variable maxA to keep track of the highest order element in

30
A seen so far. At each iteration, it removes a pair (a, b) ∈ C of lowest f (a, b) value and
appends (a, b) to the output enumeration list. Before proceeding to the next iteration,
it adds (a, b+) to C, and if a = maxA then it also adds (a+, b0 ) to C and updates
maxA := a+.

Proof. Suppose, towards contradiction, that the algorithm appends (a, b) to the output
list, and there exists at least one pair (a′ , b′ ) not yet in the list at this iteration such
that f (a′ , b′ ) > f (a, b). If b′ ̸= b0 and (a′ , b0 ) appeared in the output list already, then
each (a′ , b∗ ) for b∗ ∈ [b0 , b′ ] would also have been added to C and removed before (a, b)
because f (a′ , b∗ ) ≥ f (a′ , b′ ) > f (a, b). This would be a contradiction, so it remains
to consider the case that b′ = b0 , i..e. that (a′ , b0 ) did not appear in the list and
f (a′ , b0 ) > f (a, b).
First, this implies that a′ > a. Otherwise, If a′ ≤ a, then (a′ , b0 ) would have
been added to C before (a, b) and thus removed before (a, b). Second, b ̸= b0 and
f (a, b) < f (a, b0 ), as otherwise this would imply that f (a′ , b0 ) > f (a, b) ≥ f (a, b0 ),
contradicting the monotonicity property. Thus (a, b0 ) must already appear in the output
list because it is added to C before (a, b) and removed before (a, b). Furthermore, for
all a∗ ∈ [a, a′ ], f (a∗ , b0 ) ≥ f (a′ , b0 ) > f (a, b), thus each such pair (a∗ , b0 ) would have
been added and removed before (a, b). This is a contradiction.

We use the enumeration algorithm of Claim 11 to implement the greedy algorithm

that obtains an upper bound to a generic knapsack problem over the infinite set of items
Primes × N:

X
max val(p, r)
S⊆Primes×N
(p,r)∈S
X (Generic Knapsack Problem)
subject to weight(p, r) ≤ λ.
(p,r)∈S

val(p,r)
for any val, weight : Primes × N → R+ where density(p, r) = weight(p,r) is monotonic
non-increasing over r for any fixed p, and also over p for fixed r = 1. This is presented
below as Algorithm 1.
Moreover, we will show that the density function defined in terms of val(p, r) = log p,
weight(p, 1) = − log I1/p (1, µ), and weight(p, r) = log I1/p (r −1, )−log I1/p (r, µ) for r > 1
satisfies this monotonicity property. The density function in Eq. (Knapsack Problem)
also has this monotonicity property, but we are able to obtain a tighter bound on
Eq. (Constrained Max 1) by defining regularized beta function directly instead of the
simpler form upper bounds on the regularized beta function that were more useful for
deriving the analytical result in Theorem 2.
val(p,r)
Claim 12. Eq. (Generic Knapsack Problem) with density(p, r) = weight(p,r) , val(p, r) =
log p, and weight(p, r) = log I1/p (r − 1, µ) − log I1/p (r, µ) is an upper bound to Eq. (Con-
strained Max 1).

Proof. The analysis is the same as in Claim 5, replacing ∆weightµ,ϵ with the weights
defined here.
val(p,r)
Claim 13. For p ∈ P, r ∈ N and µ ≥ 2 ∈ N let density(p, r) = weight(p,r) where
val(p, r) = log p, and weight(p, r) = log I1/p (r − 1, µ) − log I1/p (r, µ) for r ≥ 1. Then
density(p, r) is decreasing in r and density(p, 1) is non-increasing in p.

Proof. Part 1: density(p, r) is decreasing in r

log p
density(p, r) = weight(p,r) is decreasing in r iff weight(p, r) is increasing in r.

I1/p (r − 1, µ)
weight(p, r) = − log I1/p (r, µ) + log I1/p (r − 1, µ) = log .
I1/p (r, µ)
I1/p (r−1,µ)
is decreasing in r if I1/p (r,µ) is decreasing in r. This is the case if for all r

I1/p (r, µ) I1/p (r − 1, µ)

− > 0.
I1/p (r + 1, µ) I1/p (r, µ)

Which is equivalent to showing that

I1/p (r, µ) · I1/p (r, µ) − I1/p (r − 1, µ) · I1/p (r − 1, µ) > 0. (7)

31
The regularized beta function Ix (a, b) is log convave for all b > 1 as shown in [Kar15].
This implies that for b > 1 and all α, β > 0 Ix (a + α, b) · Ix (a + β, b) − Ix (a, b) · Ix (a +
α + β, b) > 0. Setting a = r − 1, b = µ, α = 1, β = 1 this shows that Eq. (7) holds and
weight is incresing in r, and density is decreasing in r for all µ > 1.
Part 2: density(p, 1) is non-increasing in p.

log p ln p
density(p, 1) = = .
weight(p, 1) − ln(1 − (1 − p−1 )µ )
d
The derivative dp density(p, 1) is non-negative iff:

ln p · µ(1 − p−1 )µ−1 · p−2

−p−1 · ln(1 − (1 − p−1 )µ ) − ≥ 0.
1 − (1 − p−1 )µ
Equivalently:

ln p · µ(1 − p−1 )µ−1 p−1

− ln(1 − (1 − p−1 )µ ) − ≥ 0.
1 − (1 − p−1 )µ
Set x = 1 − p1 , which increases over the range (1/2, 1) as p increases in the range
[2, ∞). The requisite inequality for x ∈ (1/2, 1) becomes:

ln(1 − x) · µ · xµ−1 (1 − x)
− ln(1 − xµ ) + ≥ 0.
1 − xµ
which, rearranging terms, holds true iff for x ∈ (1/2, 1):

ln(1 − xµ )(1 − xµ )
≤ µ.
ln(1 − x)(1 − x)xµ−1
In fact we can show this inequality holds true over all x ∈ (0, 1). Using the inequal-
ities ln(1 − xµ ) ≤ −xµ and − ln(1 − x) ≥ x we obtain:

ln(1 − xµ )(1 − xµ ) xµ (1 − xµ ) 1 − xµ
≤ = ≤ µ.
ln(1 − x)(1 − x)xµ−1 x(1 − x)xµ−1 1−x

Proof of Theorem 3

Proof. Algorithm 1 is a greedy enumeration algorithm over pairs (p, r) following the
enumeration strategy in Claim 11. By Claim 13, density satisfies the monotonicity
conditions required for Claim 11 and thus the enumeration algorithm enumerates pairs
in order of non-increasing density. Thus, the algorithm outputs an upper bound to
val(p,r)
(Generic Knapsack Problem) with density density(p, r) = weight(p,r) , val(p, r) = log p,
and weight(p, r) = log I1/p (r − 1, µ) − log I1/p (r, µ). By Claim 12 this is an upper
bound to Eq. (Constrained Max 1) which in turn by Theorem 1 gives a bound on
log2 t(λ, µ).

B Definitions and Notations

B.1 Integer Polynomials
If f is a multivariate polynomial, then ||f ||∞ denotes the maximum over the absolute
values of all coefficients of f .

Lemma 7 (Evaluation Bound). For any µ-linear integer polynomial f and m ≥ 2:

1 3µ
Px←[0,m)µ [|f (x)| ≤ · ||f ||∞ ] ≤
mµ m
(j)
Proof. Let f (0) := f . Given a vector x = (x1 , .., xµ ), for each j ∈ [1, µ] define fx to
(j)
be the µ − j-variate partial evaluation fx := f (x1 , ..., xj , Xj+1 , ..., Xµ ). Then we can
rewrite the lemma statement as:
(µ) 1 3µ
Px←[0,m)µ [||fx ||∞ ≤ · ||f (0) ||∞ ] ≤
mµ m
(j)
We will bound the probability for random x that there exists any j for which ||fx || <
1 (j−1)
m · ||fx ||. If no such j exists, then ||f (µ) || ≥ m1µ · ||f (0) ||.

32
 (j)
For any j, we can write fx = g(Xj+1 , ..., Xµ ) + xj · h(Xj+1 , ..., Xµ ) where g, h are
(j−1)
µ − j variate multilinear integer polynomials and ||fx || = max(||g||, ||h||) because
(j−1)
the coefficients of g and h are a partition of the coefficients of fx . Suppose now that
(j) 1 (j−1) 1
||fx || < m · ||fx ||, i.e. that ||g + xj · h|| < m · max(||g||, ||h||) and consider two cases:

Case 1: ||h|| = max(||g||, ||h||). For any integer ∆ ̸= 0, using the triangle inequality:
1 1
||g + (xj + ∆)h|| = ||g + xj h + ∆h|| ≥ ||∆h|| − ||g + xj h|| > (1 − ) · ||h|| ≥ · ||h||
m m
1 1
The last part of the inequality holds because 1 − m ≥ m for any m ≥ 2.

Case2: ||g|| = max(||g||, ||h||). Using the triangle inequality,

1
||g|| > ||g + xj · h|| ≥ ||g|| − ||xj · h||
m
1
This implies, for m ≥ 2, that ||h|| > m · ||g|| because:
1 m−1 1
||xj · h|| > (1 − ) · ||g|| =⇒ ||h|| > · ||g|| ≥ ||g||
m xj · m m
The last step uses that xj ∈ [1, m). For xj = 0, ||g + xj h|| = ||g||. Finally, for any
integer ∆, by the triangle inequality:

|∆| 1 |∆| − 1
||g + (xj + ∆) · h|| ≥ ||∆h|| − ||g + xj · h|| > · ||g|| − · ||g|| = · ||g||
m m m
1
When |∆| ≥ 2 this implies that ||g + (xj + ∆) · h|| > m · ||g||.
In both cases, we conclude that for any choice of (x1 , ..., xj−1 ) for the first j − 1
components of the random x, which define g and h, there are at most three choices of
(j) 1 (j−1)
xj such that the event ||fx || < m · ||fx || holds true (i.e., if true for xj , then it is
also true for at most xj + 1 and xj − 1). Thus this event occurs with probability at
3
most m . Finally, by a union bound over j, the probability this event occurs for some
index j is at most 3µm.

−q d+2
Fact 1. Let q ∈ Z be any positive integer. For any integer E ∈ Z such that |E| ≤ q2(q−1)
there exists a unique degree d integer polynomial f ∈ Z[X] with ||f ||∞ ≤ q/2 such that
f (q) = E.

Lemma 8 (Rational Encoding of multi-linear polynomials). Let q ∈ Z be any positive

i−1
integer. Let ⃗q = [q 2 ]µi=1 ∈ Zµ . Consider any βd , βn ∈ N such that βd · βn ≤ 2q .
Let Z = {z ∈ Z : |z| ≤ βd }, let F = {f ∈ Z[X1 , . . . , Xµ ] : ||f ||∞ ≤ βn } be a µ-
linear polynomial, and let H = {f /z ∈ Q[X1 , . . . Xµ ] : f ∈ F ∧ z ∈ Z}. Then for any
h1 , h2 ∈ H, if h1 (⃗q) = h2 (⃗q) then h1 = h2 .

Proof. Let h1 = fz11 and h2 = fz22 . If h1 (⃗q) = h2 (⃗q) then z1 f2 (⃗q) = z2 f1 (⃗q). Since
||z2 · f1 ||∞ ≤ βd · βn ≤ 2q and likewise ||z1 · f2 ||∞ ≤ 2q . Note that there exist a unique
univariate degree 2µ − 1 polynomial fˆ1 that has the same coefficients as f1 such that
for all q f1 (⃗q) = fˆ1 (q). Let f2 be the univariate degree 2µ − 1 polynomial with the same
coefficients as fˆ2 . It then follows from Fact 1 that if z1 f2 (⃗q) = z1 fˆ2 (q) = z2 fˆ1 (q) =
z2 f1 (⃗q) then z1 f2 = z2 f1 , or equivalently, h1 = h2 .

B.2 Groups of Unknown Order

A group of unknown order is a group where the order is computationally hard to com-
pute. It is defined by an algorithm GGen that on input security parameter, samples
a group G, along with size bounds on the group that depend on the security param-
eter (we omit the size bounds for simplicity). We define three assumptions in these
groups. The Order assumption which is the most basic, minimal assumption, saying
that it is hard to compute the order of random group elements. The stronger sub-group
order assumption states that it is hard to compute any information about the order
of a sampled subgroup, e.g., a subgroup generated by a commitment key. And finally,
the famous RSA assumption which states that it is hard to compute roots of random
elements in the group and implies the order assumption.

33
 Assumption 1 (Order Assumption). The order assumption holds for a group sampling
algorithm GGen if for any probabilistic polynomial time adversary A:
 
G ← GGen(1λ )
$
Pr a · G = 0 : G ←  ≤ negl(λ) .
 
G
a ∈ Z ← A(G, G)

Assumption 2 (Subgroup Order Assumption). The subgroup order assumption is a

generalization of the order assumption. It says that it is difficult to compute a multiple
of the order of any element in a subgroup sampled according to some distribution. It
holds for a group sampling algorithm GGen and subgroup sampling11 algorithm SGGen
if for any probabilistic polynomial time adversary A:

G ← GGen(1λ )
 

Pr gcd(a, |H|) ̸= 1 : H ← SGGen(G)  ≤ negl(λ) .

a ∈ Z ← A(G, H)

Assumption 3 (RSA assumption, [RSA78; CPP17]). The RSA assumption holds for
GGen if for any probabilistic polynomial time adversary A:
 
G, N ← GGen(1λ )
$ $
Pr  ℓ · U = G : G ←  ≤ negl(λ) .
 
G, ℓ ← [N ]
U ∈ G ← A(G, G)

The RSA Assumption implies Assumption 1[BFS19].

B.3 IP Transcript Trees

Let (P, V ) be a µ-round public coin interactive protocol. A µ-round public-coin protocol
(P, V ) consists of µ-rounds of messages between the prover and verifier, where in each
round the prover sends a message to the verifier and the verifier responds with x ← X
sampled uniformly from the challenge space X . At the end of the protocol, the verifier
outputs either accept or reject. By convention, the protocol starts with the prover’s
first message and ends with the prover’s last message. A transcript thus contains µ + 1
prover messages and µ challenges. We will denote transcripts by a µ × 2 matrix A such
that A(0, 0) is the protocol input x, A(0, 1) is the prover’s first message, and for all
i ≥ 1, A(i, 0) is the verifier’s ith round challenge and A(i, 1) is the prover’s ith round
response. We restrict our attention to protocols in which the verifier’s decision is a
deterministic function DV of the transcript, but is also without loss of generality. An
accepting transcript is an array A such that DV (A) = accept.
A k-ary transcript tree for (P, V ) is a labeling of a µ-depth k-ary tree such that
the labels on every root-to-leaf path forms an accepting (P, V ) transcript. It will be
convenient to order the nodes of the tree according to a depth-first reverse topological
sort (aka post-order tree traversal). This is a topological sorting of the tree with directed
edges flowing from leaves to root which places left subtrees before right subtrees. This
µ+1
ordering associates each node with an index in [1, N ] where N = size(µ, k) = k k−1−1 .
A post-order labeling of the tree is a function L : [1, N ] → {0, 1}∗ . We may refer to the
level of a node in the tree. The root of a tree is always at level 0 and the leaves of a
depth µ tree are at level µ. The height of node at level ℓ within a µ-depth tree is µ − ℓ.
For each v ∈ [1, N ] let Sv ⊆ [1, N ] denote the indices of all nodes in the subtree rooted
at node v. For each v ∈ [1, N ] let v ∗ denote the largest index v ∗ < v such that the
node at index v ∗ does not belong to the subtree Sv . Note that for nodes on the leftmost
path of the tree v ∗ does not exist so we denote it by ⊥. For any subset S ⊆ [1, N ] et
pred(S) denote a superset of S which include the indices of all predecessors of nodes
S. Finally, for each v ∈ [1, N ] let Lv : [1, v] → {0, 1}∗ denote the restriction of L to
the subset pred([1, v]). More generally, for any S ⊆ [1, N ] let LS : S → {0, 1}∗ denote
the restriction of the labeling L to the subset of node indices S. LSv thus denotes the
labeling of the subtree Sv . Note that Lv is not the same as LSv .
A transcript tree is thus a special post-order labeling of the tree L : [1, N ] → X × M
where X is the verifier’s challenge set and M is the space of prover messages. We
can think of the first component (i.e., the verifier challenge) as a label on the node’s
incoming edge and the second component (i.e., prover’s response) as a label on the
node itself. The root has no incoming edge, but the root label’s first component is the
11
The subgroup sampling algorithm takes G as input, which is interpreted as a succinct description of G, such as
a list of generators, not necessarily the list of all elements in G.

34
Level 0 L(13):
x, A(0, 1)
v∗ = ⊥

)0 L (1
L(4 2)0

L(8)0
Level 1 L1 (4): L1 (8): L1 (12):
A(1, 1) A(1, 1) A(1, 1)
v∗ = ⊥ v∗ = 4 v∗ = 8

L(
L(10)0
L(

L(
L(2)0

L(6)0
0
0

0
1)

5)

9)

11
3) 0

7) 0

L(
L(

L(

)0
Level 2 L1 (1): L1 (2): L1 (3): L1 (5): L1 (6): L1 (7): L1 (9): L1 (10): L1 (11):
A(2, 1) A(2, 1) A(2, 1) A(2, 1) A(2, 1) A(2, 1) A(2, 1) A(2, 1) A(2, 1)
v ∗ = ⊥ v ∗ = 1 v ∗ = 2 v ∗ = 4 v ∗ = 5 v ∗ = 6 v ∗ = 8 v ∗ = 9 v ∗ = 10

Figure 2: IP transcript tree for µ = k = 3. Nodes and edges are labeled using post-order labeling.
We also indicate v ∗ for every node.

protocol input. For any root-to-leaf path of nodes with indices {v0 , ..., vµ } the labeling L
defines the matrix A such that L(vi ) = (A(i, 0), A(i, 1)) and A is an accepting transcript.
Given a label L(v) for v < N (non-roots) we will use the notation L(v)0 to denote the
first component of the label containing the verifier’s challenge and L(v)1 the second
component containing the prover’s response. We define a k-ary forking transcript tree
to be a k-ary transcript tree in which the challenge labels on all edges sharing a common
parent are distinct.
Finally, we define a transcript tree labeling as a function of transcript trees that
returns a derived labeling of the tree, i.e. a function f : (X × M)N → C N that given the
labeling L corresponding to a k-ary transcript tree induces the labeling f (L) : [1, N ] →
C. For any ν ∈ [1, N ] let pred(ν) denote the indices of the path starting at the root and
ending at node ν so that Lpred(ν) denotes the labels assigned to the nodes along this
path by L, i.e. in a transcript tree this is the prefix of all transcripts that pass through
ν. A localized transcript tree labeling further restricts f so that the label cν ∈ C that
f (L) assigned to node ν is a function of Lpred(ν) .

B.4 Path Predicate Forking Lemma

The standard forking lemma for µ-round public coin interactive protocols characterizes
the efficiency of generating a k-ary µ-depth transcript tree for which the challenges
labeling the children within the tree fork, i.e. are distinct. More precisely, the forking
lemma says that given any adversarial prover A that may deviate from the honest
protocol but causes the verifier to accept with probability ϵ, there is a tree generation
algorithm that has only black-box access to A, runs in time t ∈ O( λϵ ·k µ ·(µ+tV )), where
tV is the running time of the verifier’s decision algorithm, and succeeds with probability
1 − t · negl(λ) in producing a transcript tree with the forking property.
Our path predicate forking lemma generalizes the property of the transcript tree that
can be generated by considering arbitrary predicates on partial labelings of the tree.
In the standard forking lemma, the predicate would simply be that new challenges are
distinct from previous challenges. The lemma considers more general predicates for each
node v ∈ [1, N ], which may depend on Lv . Recall that for each v ∈ [1, N ], the node v ∗ is
the largest index v ∗ < v such that the node at this index is not contained in the subtree
Sv rooted at v and pred([1, v ∗ ]) is the superset of [1, v ∗ ] that includes the indices of all
predecessors of nodes [1, v ∗ ], which by definition also do not intersect with Sv . Our
∗
lemma considers predicates at level ℓv of the form πv : (X × M)pred([1,v ]) × X µ−ℓv →
{0, 1}, i.e. each predicate πv takes as input a labeling function Lv∗ and a vector of
challenges x ∈ X µ−ℓv .
The vector of challenges will represent the leftmost path down the tree starting from
v, which by definition is independent of the partial labeling Lv∗ . We denote the indices
of the leftmost path from v to the leaves as lpathv and the challenge labels along this
path assigned by L as L(lpathv )0 . For example in Figure 2 the predicate π8 for node

35
 8 would take as input the labels on the subtree spanned by node 4, the root label,
and the challenge L(5)0 . The lemma says that if πv (Lv∗ , x) = 1 with overwhelming
probability 1 − negl(λ) for any post-order labeling L : [1, N ] → X × M of the k-
ary µ-depth tree, any node v in the tree, and x sampled randomly, then the transcript
generation algorithm produces a transcript tree represented by some post-order labeling
L for which πv (Lv∗ , L(lpathv )0 ) = 1 for all v in the tree. In fact, the lemma is even
more general as it has a weaker requirement that πv (Lv , x) = 1 with overwhelming
probability conditioned on πu (Lu , L(lpathu )0 ) = 1 for all u ≤ v ∗ . The standard forking
lemma is a special case where πv checks that the challenge label on v is distinct from
the challenge labels on any of its left siblings. The challenge label L(v)0 on v is the first
component of L(lpathv )0 . Assuming v is not a first child, the labels on the left sibling(s)
of v as well as its parent are included in Lv∗ .

Proof Overview We will begin with a high level overview of the proof. The algorithm
is exactly the same as the recursive tree generation algorithm for the standard forking
lemma. The difference is only in the analysis. The standard forking lemma considers
predicates πv (Lv∗ , x) that are functions only of the challenges assigned by Lv∗ to left
sibling nodes of v and a single (fresh) x ∈ X rather than a vector, and are independently
true with overwhelming probability.
Just as in the standard forking lemma, the analysis is a simple union bound. First,
the tree generation algorithm is transformed to a Monte Carlo algorithm that runs for
t ∈ poly(λ) steps and succeeds with overwhelming probability. The standard forking
lemma is based on the observation that a t-step algorithm makes at most t samples from
X and thus the predicates hold true for all sampled challenges with probability at least
1−t·negl(λ). In our case, the analysis is very similar. Let L denote the labeling returned
by the Monte Carlo tree generation algorithm. We begin with the observation that this
tree generation algorithm constructs the labeling in depth-first post-order. In particular,
when the transcript tree generation algorithm visits a node v at heigh hv it has already
derived a partial labeling Lv∗ . It samples a random vector x ∈ X hv and attempts to
derive a valid transcript for lpathv using this challenge vector x. If it succeeds then it sets
L(lpathv )0 = x, otherwise the entire vector x is discarded and it tries again starting from
v. Suppose there exists some v such that πv (Lv∗ , L(lpathv )0 ) = 0 and let v be the lowest
index node with this property. This would imply that there occurred an event where the
algorithm had already constructed Lv∗ satisfying πu (Lu∗ , L(lpathu )0 ) = 1 for all u ≤ v ∗
and then sampled x ← X hv , setting L(lpathv )0 = x, such that πv (Lv∗ , x) = 0. However,
by hypothesis this event occurs with probability negl(λ) over random x. Since the
algorithm runs for only t ∈ poly(λ) steps, an event of this kind occurs with probability
at most t · negl(λ).
Thus, we obtain a Monte Carlo algorithm that returns a transcript tree where all
the predicates are satisfied with overwhelming probability.
Lemma 9 (Path Predicate Forking Lemma). Let (P, V ) be a µ-round public-coin pro-
tocol with prover message space M and verifier challenge space X . For each node
v ∈ [1, N ] of a µ-depth k-ary balanced tree on N = size(µ, k) nodes, let hv denote the
height of v. Let {πv : v ∈ [1, N ]} denote a set of predicates, where πv (Lv∗ , x) is a
function of the partial labeling Lv∗ and challenge vector x ∈ X hv , with the property
that for any post-order labeling function L : [1, N ] → X × M and any v ∈ [1, N ]:

P rx←X hv [πv (Lv∗ , x) = 1 | ∀u≤v∗ πu (Lu∗ , L(lpathu )0 ) = 1] ≥ 1 − δ

Let tV denote the worst-case running time of the verifier’s decision algorithm DV .
There is an algorithm TreeA (z) that, given a security parameter λ ∈ N and oracle access
to an adversarial prover A that causes V to accept with probability ϵ on public input
µ
z, runs in time at most t = 2λ · kϵ · (µ + tV ) and with probability at least 1 − t · δ − 2−λ
outputs a k-ary transcript tree with post-order labeling L : [1, N ] → X × M such that
πv (Lv∗ , L(lpathv )0 ) = 1 for all v ∈ [1, N ].

Proof. We will first describe a Las Vegas tree-finding algorithm that runs in expected
polynomial time as we can then transform it to a Monte Carlo algorithm with a finite
runtime and overwhelming success probability.

Tree finding algorithm The tree-finding algorithm Tree(k, z) begins by sampling a

random tape σ for the adversary. Let A(σ) denote the deterministic 12 adversary with
12
Any probabilistic adversarial algorithm can be represented by a deterministic algorithm that takes as input a
random tape.

36
 fixed random tape σ. For all i ∈ [0, µ] define Ti (σ, k, z, x1 , ..., xi ) as follows:

Algorithm Ti (σ, k, z, x1 , ..., xi ):

• If i = µ: Simulate the protocol with A(σ) as the prover and fixing the verifier’s
challenges µ ordered challenges to the values x1 , ..., xµ . If the verifier outputs 1
during this simulation then return the protocol transcript tr, and otherwise return
fail.
• Else if 0 ≤ i < µ: Sample xi+1 ← X and run Ti (σ, k, y, x1 , ..., xi+1 ). This either
returns fail or a transcript tree denoted tree. If it returns fail, then output fail.
Otherwise, save the pair (xi+1 , tree). If i < µ − 1 then tree is a tree of accepting
transcripts that share a common prefix for the first i+1 rounds, which includes the
challenges x1 , ..., xi+1 . If i+1 = µ then tree is a single accepting transcript. Repeat
this process as many times as needed, each time sampling a fresh x′i+1 , running
Ti (σ, y, x1 , ..., x′i+1 ), ignoring the runs that fail, saving the succesful challenge/tree
pairs until k pairs have been recorded. Together the transcripts in all k recorded
trees form one larger tree of accepting transcripts that share a commmon prefix
trpre for the first i rounds of messages with fixed challenges x1 , ..., xi .
Tree(k, z) repeatedly samples σ and runs T0 (σ, k, z) until it outputs a tree of accepting
transcripts.
We now analyze the expected runtime of Tree(k, z) and success probability of re-
turning an k-ary tree of accepting transcripts given that A succeeds with probability ϵ.
T0 (σ, k, z) returns fail iff the first iteration of each subroutine Ti returns fail for i = 1
to µ. The probability this happens is equal to the probability that Tµ (σ, y, x1 , ..., xµ )
outputs fail for a uniformly distributed challenge tuple (x1 , ..., xµ ). This is equal to the
failure probability of A(σ), i.e. 1 − ϵ. Thus, Tree(k, z) calls T0 in expectation 1/ϵ times.
Letting t0 be a random variable for the runtime of T0 (σ, z) over random σ, the expected
runtime of Tree(k, z) is t0 /ϵ.
It remains to analyze the expected runtime E[t0 ] of T0 (σ, z). Each call to Ti (σ, k, z, x1 , ..., xi )
for i ∈ [1, µ] that occurs in the execution trace of T0 (σ, k, z) is on i.i.d. uniformly dis-
tributed challenges x1 , ..., xi . Let ti be a random variable denoting the runtime of
Ti (σ, k, z, x1 , ..., xi ) over a uniformly distributed challenge prefix xi = (x1 , ..., xi ) and
uniformly distributed σ. We omit the time to sample a random challenge from the
runtime analysis as this will only affect the runtime up to a constant factor. Since
Tµ (σ, k, z, xµ ) makes µ calls to the oracle A and one call to the verifier’s decision al-
gorithm DV its runtime is at most µ + tV , where tV is the worst case running time of
DV .
For i < µ, Ti (σ, k, y, xi ) outputs fail iff the first call to each Tj subroutine for j ∈
[i + 1, µ] returns fail, in which case the runtime is tA . The probability Ti (σ, k, z, xi )
outputs fail for random σ and xi is again equal to the failure probability of A(σ), i.e.
1 − ϵ. If it does not output fail, then in expectation it runs an additional (k − 1)/ϵ
iterations of Ti+1 (σ, k, z, xi , xi+1 ) sampling a fresh xi+1 for each iteration. Thus, the
expected runtime E(ti ) is:

E[(1 − ϵ) · tA + (k − 1) · ti+1 ] ≤ E[ti+1 · k]

This recurrence relation shows:

E[t0 ] ≤ E[tµ · k µ ]
kµ
Thus, we have shown that the expected runtime of Tree(k, z) is E[t] ≤ ϵ · (µ + tV ).
By standard techniques13 ,
the Las Vegas algorithm Tree(k, z) may be transformed
to a Monte Carlo algorithm that runs for 2λ · E[t]) steps and succeeds except with
probability 1 − 2−λ .

Transcript tree property analysis The transcript tree labels returned by Tree(k, z)
are computed in depth-first post-order by the Monte Carlo tree generation algorithm.
Let L denote this post-order labeling. Consider any node v that is labeled with chal-
lenge L(v)0 = x in the tree. Let i denote the level of v within the tree and let
x = (x1 , .., xi−1 , x, xi+1 , ..., xµ ) denote the vector of challenge labels assigned to the
path starting from the root to v and following the left-most path down the tree from v.
During the execution of Tree(k, z) the following event occurred: immediately after x was
13
Run λ independent instances in parallel for 2 · E[t] steps. By Markov, each instance terminates (i.e., succeeds)
with probability at least 1/2. The probability none succeed is at most 2−λ

37
 sampled as a candidate label for v, the challenges xi+1 , ..., xµ were sampled uniformly
and independently such that A(σ, k, z, x) succeeded (i.e., produced a valid transcript).
If this event had not occurred (i.e., A(σ, k, z, x) failed) then x would have been discarded
and the process would have been repeated.
In other words, when the transcript tree generation algorithm visits a node v it has
already derived a partial labeling Lv∗ for the nodes at indices pred([1, v ∗ ]), which are
not in any subtree rooted at v. It samples a random vector x ∈ X hv and attempts
to derive a valid transcript for lpathv using this challenge vector x. If it succeeds,
then it sets L(lpathv )0 = x, otherwise the entire vector x is discarded, and it tries
again starting from v. Suppose there exists some v such that πv (Lv∗ , L(lpathv )0 ) = 0
and let v be the lowest index node with this property. This would imply that there
occurred an event where the algorithm had already partially constructed L such that
πu (Lu∗ , L(lpathu )0 ) = 1 for all u ≤ v ∗ and then subsequently sampled x ← X hv , setting
L(lpathv )0 = x, such that πv (Lv∗ , x) = 0. However, by hypothesis this event occurs
with probability δ over random x. The algorithm runs for at most t = 2λ µ
ϵ k · (µ + tV )
steps in total, hence by a union bound the probability that an event of this kind occurs
at all is at most t · δ.
Thus, we obtain a Monte Carlo extraction algorithm that returns a transcript tree
where all the predicates are satisfied with overwhelming probability (for appropriate
setting of the parameters). More precisely, for any security parameter λ ∈ N and
for t = 2λ µ
ϵ · k · (µ + tV ) the extraction algorithm runs in time at most t and (by
a union bound) succeeds in returning a transcript tree labeling L where, for all v,
πv (Lv∗ , L(lpathv )0 ) = 1 with probability at least 1 − t · δ − 2−λ .

B.5 Knowledge Soundness

An NP relation R is a subset of strings x, w ∈ {0, 1}∗ such that there is a decision
algorithm to decide (x, w) ∈ R that runs in time polynomial in |x| and |w|. The
language of R, denoted LR , is the set {x ∈ {0, 1}∗ : ∃w ∈ {0, 1}∗ s.t. (x, w) ∈ R}. The
string w is called the witness and x the instance. An interactive proof of knowledge
for an NP relation R is a special kind of two-party interactive protocol between a prover
denoted P and a verifier denoted V, where P has a private input w and both parties
have a common public input x such that (x, w) ∈ R. Informally, the protocol is complete
if P(x, w) always causes V(x) to output 1 for any (x, w) ∈ R. The protocol is knowledge
sound if there exists an extraction algorithm E called the extractor such that for every
x and adversarial prover A that causes V(x) to output 1 with non-negligible probability,
E outputs w such that (x, w) ∈ R with overwhelming probability given access14 to A.

Definition 9 (Interactive Proof of Knowledge). An interactive protocol Π = (P, V)

between a prover P and verifier V is a proof of knowledge for a relation R with knowledge
error δ : N → [0, 1] if the following properties hold, where on common input x and prover
witness w the output of the verifier is denoted by the random variable ⟨P(x, w), V(x)⟩:
• Perfect Completeness: for all (x, w) ∈ R

Pr [ ⟨P(x, w), V(x)⟩ = 1] = 1

• δ-Knowledge Soundness: There exists a polynomial poly(·) and a probabilistic ora-

cle machine E called the extractor such that given oracle access to any adversarial
interactive prover algorithm A and any input x ∈ LR the following holds: if

P [⟨A(x), V(x)⟩ = 1] = ϵ(x)

poly(|x|)
then E A (x) with oracle access to A runs in time ϵ(x) and outputs w such that
δ(|x|)
(x, w) ∈ R with probability at least 1 − ϵ(x) .

An interactive proof is “knowledge sound”, or simply a “proof of knowledge”, if has

negligible knowledge error δ.

Remark 9. Definition 9 places no restriction on the runtime of the adversary, however,

it does not guarantee extraction from an adversary that succeeds with sufficiently small
ϵ(x) such that ϵ(x) ≤ δ(|x|). For R in NP, this definition of knowledge soundness
implies the alternative formulation of Bellare and Goldreich [BG93], which says that
14
The extractor can run A for any specified number of steps, inspect the internal state of A, and even rewind A
to a previous state.

38
 the protocol has knowledge error δ(|x|) if there exists an extractor that succeeds in
poly(|x|)
expected time ϵ(x)−δ(|x|) . An extractor which succeeds with probability p = 1 − δ(|x|)
ϵ(x) in
t = poly(|x|)
ϵ(x) steps can run repeatedly (for t steps per iteration) on fresh randomness until
it obtains a witness for the relation, which it can verify efficiently. It will succeed in an
poly(|x|)
expected pt = ϵ(x)−δ(|x|) steps. Finally, this has been shown to imply another equivalent
formulation which requires the extractor to run in O(poly(|x|)) steps and succeed with
probability ϵ(x)−δ(|x|)
q(|x|) for some polynomial q. It is easy to see this implies the former
q·poly(|x|)
because such an extractor can be repeated, succeeding in expected time ϵ(x)−δ(|x|) .

Interactive arguments Knowledge soundness holds against unbounded provers. The

DARK protocol does not satisfy knowledge soundness because it relies on the computa-
tional binding property of cryptographic commitments. Interactive proofs that are only
secure against computationally bounded adversaries are called interactive arguments.
Adapting Definition 9 for arguments is more subtle than simply restricting the runtime
of the adversary. The issue comes from the fact that the knowledge soundness defini-
tion quantifies the success of the extractor over all inputs x. For example, there could
exist an input x that encodes the factorization of an RSA modulus which allows the
adversarial prover to break the binding property of commitments that are based on the
difficulty of factoring. For this input, the adversarial prover could succeed while the
extractor would fail. This particular problem is fixed by requiring the adversary to gen-
erate the input x. If the trapdoor is exponentially hard to compute the polynomial time
adversary will not be able to embed the trapdoor in x with non-negligible probability.
(See Damgård and Fujisaki [DF02] for a broader discussion of these issues).

Witness-extended emulation A property called witness-extended emulation [Lin01]

strengthens the knowledge-soundness definition so that the extractor outputs not only
a witness but also a simulated transcript of the messages between the prover and ver-
ifier. This property is helpful for composability. In particular, if the interactive proof
is used as a subprotocol within a larger protocol, it may be necessary in the security
analysis to construct a simulator that needs to both obtain the adversary’s witness as
well as simulate its view in the subprotocol. Fortunately, Lindell [Lin01] proved that
every knowledge sound protocol also satisfies witness-extended emulation. Groth and
Ishai [GI08] further adapt the definition of witness-extended emulation for interactive
arguments with setup (i.e., SRS model). This is the definition we will use in the present
work.
Before presenting the definition we will introduce some useful notations. In the SRS
model, there is an additional setup algorithm Setup that generates public parameters pp
that are common inputs to the prover P and verifier V. The setup, which may or may not
require a trusted party to sample trapdoor secrets, typically generates these parameters
based on a security parameter λ necessary for computational security. Without loss of
generality, the length of pp ← Setup(λ) is at least λ bits. The relation R being proved
may also depend on the setup parameters, denote Rpp . For any prover algorithm P ∗
interacting with a verifier algorithm V, which may deviate arbitrarily from the honest
prover algorithm P, let Record(P ∗ , pp, x, st) denote the message transcript between P ∗
and V on shared inputs x and pp and initial prover state st. For tr ← Record(P ∗ , pp, x, st)
let Vcheck (tr) denote the verifier’s decision algorithm to accept or reject the transcript.
∗
Furthermore, let E Record(P ,pp,x,st) denote a machine E with a transcript oracle for this
interaction that can be rewound to any round and run again on fresh verifier randomness.
Definition 10 (Witness-extended emulation [GI08; Lin01]). An interactive proof in
the SRS model Π = (Setup, P, V) satisfies witness-extended emulation for relation R if
for every deterministic polynomial time P ∗ there exists an expected polynomial time
emulator E such that for any non-uniform15 adversary A and distinguisher D that runs
in time poly(λ) the following condition holds:

pp ← Setup(1λ )
 

Pr D(tr) = 1 : (x, st) ← A(pp)  ≈λ

tr ← Record(P ∗ , pp, x, st)

pp ← Setup(1λ )
 
D(tr) = 1 and
Pr  : (x, st) ← A(pp) 
Vcheck (tr) = 1 ⇒ (x, w) ∈ Rpp ∗
(tr, w) ← E Record(P ,pp,x,st) (pp, x)
where X ≈λ Y denotes that |X − Y | ≤ negl(λ).
15
A non-uniform adversary may run a different algorithm for each input length.

39
Lemma 10 (Lindell [Lin01]). Any proof of knowledge for relation R also satisfies
witness-extended emulation for R.
Lemma 11. Let R denote any NP relation. Given a commitment scheme com =
(Setup, Commit, Open), for any pp ← Setup(λ) let R′ (pp) denote the relation:
 
 (x, w) : R(x, w) = 1 
R′ (pp) = ∨
[w = (C, σ1 , σ2 ) ∧ σ1 ̸= σ2 ∧ Open(pp, C, σ1 ) = Open(pp, C, σ2 ) = 1]
 

Let Π(pp) denote the interactive protocol between P and V parameterized by the setup
parameter pp. If for all pp ← Setup(λ) the protocol Π(pp) is a proof of knowledge
(Definition 9) for R′ (pp) then the tuple (Setup, P, V) as an interactive proof with setup
satisfies witness-extended emulation (Definition 10) for R.

Proof. By Lemma 10 a knowledge sound interactive proof for R′ (pp) also satisfies
witness-extended emulation for R′ (pp). It remains to show that this implies witness-
extended emulation for R. It suffices to show that:
 
pp ← Setup(λ)
D(tr) = 1 and
Pr  : (x, st) ← A(pp)  ≈λ
Vcheck (tr) = 1 ⇒ (x, w) ∈ R ∗
(tr, w) ← E Record(P ,pp,x,st) (pp, x)
 
pp ← Setup(λ)
D(tr) = 1 and
Pr  : (x, st) ← A(pp)
Vcheck (tr) ⇒ (x, w) ∈ R′ (pp)

∗
(tr, w) ← E Record(P ,pp,x,st) (pp, x)
The difference between these two probabilities is bounded by the probability, over
the distribution on the right side of the equation, that (x, w) ∈ R′ (pp) but (x, w) ̸∈ R.
This event implies that w encodes a break to the commitment scheme with parameters
pp. Since A, P ∗ , Setup and E all run in time poly(λ) this occurs with probability
at most negl(λ) over randomly sampled pp ← Setup(λ) by the computational binding
property of the commitment scheme. More precisely, supposing that the difference
between these two probabilities is ϵ(λ), then we can use A, P ∗ , and E to construct an
algorithm A′ which on input pp ← Setup(λ) simulates (x, st) ← A(pp) and (tr, w) ←
∗
E Record(P ,pp,x,st) (pp, x) returning w such that:
 
w = (C, σ1 , σ2 )
 ∧ 
 pp ← Setup(λ) 
Pr  σ1 ̸= σ2 : ′
 = ϵ(λ)
 w ← A (pp) 
 ∧ 
Vf pp (C, σ1 ) = Vf pp (C, σ2 ) = 1

If ϵ(λ) is non-negligible this contradicts the binding property of the commitment

scheme.

Zero knowledge We recall the definition of honest verifier zero-knowledge (HVZK)

for interactive proofs. HVZK only considers simulating the view of a verifier that
follows the protocol honestly. The Fiat-Shamir transform compiles public-coin proofs
that have HVZK into non-interactive proofs that have statistical zero-knowledge (for
malicious verifiers).
Definition 11 (HVZK for interactive arguments). Let View⟨P(x,w),V(x)⟩ denote the view
of the verifier in an interactive protocol on common input x and prover witness input
w. The interactive protocol has δ-statistical honest verifier zero-knowledge if there
exists a probabilistic polynomial time algorithm S such that for every (x, w) ∈ R, the
distribution S(x) is δ-close to View⟨P(x,w),V(x)⟩ (as distributions over the randomness of
P and V).

C Proof of Almost Special Soundness Theorems

Theorem 4 (AMSS implies Knowledge Soundness). If a µ-round interactive proof for
a relation R with λ-bit challenges, µ ∈ O(log(λ + |x|)), and verifier decision algorithm
runtime tV ∈ poly(|pp|, |x|, λ) on input x ∈ LR and parameters pp ← Γ.Setup(1λ ) is
(k (µ) , δ, Γ, ϕ)-almost-special-sound then for δ ′ (λ) = 2λ(k + 1)µ (µ + tV ) · max(δ(λ), k ·
2−λ ) + 2−λ it is δ ′ -knowledge sound for the modified relation:

R′ (pp) = {(x, w) : R(x, w) = 1 ∨ w ∈ Lbreak (pp)}

40
 where

Lbreak (pp) = {(C, σ1 , σ2 , ι) : ι ∈ I ∧ σ1 ̸= σ2 ∧ Open(ppι , C, σ1 ) = Open(ppι , C, σ2 ) = 1}

Proof. Suppose we have a protocol that is (k (µ) , δ)-almost-special-sound with challenge

space X of size 2λ for some negligible function δ : N → R. We will make use of
algorithms Extract, Extend, and Break and their properties that are guaranteed to exist
by the definition of almost-special-soundness (Definition 2).
For any node ν of a (k + 1)-ary transcript tree let Sν∗ denote the left k-ary subtree
rooted at ν defined by a breadth first search from ν that visits only the first k children
of each node reached (i.e., prunes the rightmost branch from each node of the complete
(k + 1)-ary subtree Sν ).
In Definition 12, we define an algorithm TreeExtract(ℓν , ν, LSν , F (L)Sν ) that operates
on a labeled subtree of a (k + 1)-ary transcript tree that has depth µ, where ℓν is the
level of ν, L defines a (k + 1)-ary transcript tree and F (L) is a localized transcript
tree labeling, while LSν and F (L)Sν are their respective restrictions to the subtree Sν
rooted at ν.16 This algorithm uses the algorithm Extract as a subroutine. There are
three potential outcomes of running TreeExtract(k, ℓν , ν, LSν , F (L)Sν ):
1. If any of the internal calls to Extract return break, i.e. a break of a commitment
scheme, the algorithm immediately outputs that break as a valid witness.
2. It returns openSubtree, which contains valid openings of all the commitment labels
F (L) assigned to nodes in Sν valid for their corresponding commitment scheme
indices, including the label Cν on node ν with respect to index ιν . In this case we
say it “succeeds”.
3. It returns ⊥.
The TreeExtract algorithm is not guaranteed to succeed. In particular, the internal
calls to Extract are only guaranteed to either succeed or break the commitment scheme
when the openings of subtrees satisfy predicate ϕa and the challenge labels are distinct
within the pruned subtrees Sν∗ . Definition 12 also defines TreeExtract∗ (k, ℓν , ν, LSν∗ ), F (L)Sν∗ ),
an algorithm that only extracts openings of the commitments in F (L)Sν∗ and returns an
opening of Cν as a commitment for index ιν . This runs similarly to TreeExtract, but it
is only a function of nodes present in the left k-ary subtree Sν∗ . While it is possible that
TreeExtract fails and TreeExtract∗ succeeds, they will always output the same opening
of Cν in the event that both succeed.
µ+1
Let size(k, µ) = k k−1−1 , which is the number of nodes is a k-ary depth µ tree.
Given any µ-round protocol that satisfies (k (µ) , δ)-almost-special-soundness, setting
N = size(k + 1, µ) we will define a collection of predicates {πν : ν ∈ [1, N ]} for the
nodes of a k-ary transcript tree with post-order labeling L, such that each πν is a func-
tion of the partial labeling Lν ∗ and a µ − ℓν -length challenge vector r ∈ X µ−ℓν , where ℓν
is the level of node ν in the tree. Recall that ν ∗ < ν is the node of highest index smaller
than ν that is not a member of the subtree of ν, and Lν ∗ are the labels L assigned to
pred([1, ν ∗ ]), the superset of [1, ν ∗ ] that includes all its predecessors. Let ω denote the
parent node of ν. Note that if ν is not a first child then ω ∈ pred([1, ν ∗ ]). Similarly, if ν ′
is a left-sibling of ν then ν ′ ∈ [1, ν ∗ ]. So the labels on both ν ′ and ω would be included
in Lν ∗ . Finally, for any localized transcript tree labeling F , the induced labeling F (L)Sω∗
is a function of Lν ∗ . This is because the labels that F (L) assigns to Sω∗ are computed
from the labels that L assigns to Sω∗ and its predecessors pred(Sω∗ ) ⊆ pred([1, ν ∗ ]).
The predicate πν (Lν ∗ , r) is defined as follows:
• If ν has no left-sibling, then πν always returns 1.
• If ν has 0 < i < k left-siblings (i.e., it is neither the first nor last child) then
πν (Lν ∗ , r) = 1 iff the challenge label L(ν)0 assigned to ν is distinct from the
challenge labels assigned to its i left-siblings.
• If ν has no right-sibling (i.e., is rightmost child) then let (mω , oω ) denote the output
returned by TreeExtract∗ (k, ℓω , Cω , LSω∗ , F (L)Sω∗ ) if successful in returning a valid
opening of the commitment Cω with respect to its index ιω . We say it “fails”
otherwise, including potentially returning a break of the commitment scheme. Let
m′ denote the last message in the output list of Extend(ℓω , mω , r) and finally:
16
In addition to commitment/challenge labels, we assume information about the commitment scheme indices used
by F (L) for each node in Sν are also implicit inputs.

41
 


1 if TreeExtract∗ (k, ℓω , ω, LSω∗ , F (L)Sω∗ ) fails

1 if ϕa (ℓω , mω ) = 1
πν (Lν ∗ , r) =


1 if ϕa (ℓω , mω ) = 0 ∧ ϕa (µ, m′ ) = 0

0 otherwise

As remarked above, while TreeExtract operates on the entire (k +1)-ary subtree of labels
rooted at ω, the algorithm TreeExtract∗ takes as input only the labelings of the left k-ary
subtree Sω∗ , i.e. LSω∗ ⊆ Lν ∗ , and F (L)Sω∗ , which can all be derived from Lν ∗ . By the
definition of (k (µ) , δ)-almost-special-soundness (Definition 2, pt. 5), for any ν ∈ [0, N )
that has no right-sibling and any Lν ∗ :
Pr←X µ−ℓν [πv (Lν ∗ , r) = 1] ≥ 1 − δ(λ)
If ν has 0 < i < k left-siblings then by a union bound:
i
Pr←X µ−ℓν [πv (Lν ∗ , r) = 1] ≥ 1 −
2λ
For any ν ∈ [0, N ] let lpath(ν)0 denote the challenge labels L(·)0 along the leftmost
branch from ν to a leaf starting with the label L(ν)0 on ν. By Lemma 9 (Path Predicate
Forking Lemma) there is an algorithm TreeA (z) that, given a security parameter λ ∈ N,
an input x ∈ LR , and oracle access to an adversarial prover A that µ
causes V to accept
on input x with probability ϵ, runs in time at most t = 2λ · (k+1) ϵ · (µ + tV ), where tV is
the worst-case running time of verifier’s decision algorithm, and returns with probability
at least 1 − t · max(δ(λ), 2kλ ) − 2−λ a (k + 1)-ary transcript tree with post-order labeling
L : [1, N ] → X × M such that πv (Lv∗ , lpath(v)0 ) = 1 for all v ∈ [1, N ].
In particular, L defines a (k + 1)-ary transcript tree with the properties:
1. The challenge labels on the first k children of any node are distinct, i.e., if ω has
children ν1 , ..., νk+1 ordered from left-to-right, then for any i, j ∈ [1, k] if i ̸= j then
L0 (νi ) ̸= L0 (νj ).
2. If ν is the (k + 1)th child of ω and running TreeExtract(k, ℓω , ω, LSω∗ , F (L)Sω∗ )
at level ℓω returns an opening of the commitment label Cω = F (L)(ω) to mω
with respect to index ιω such that ϕa (ℓω , mω ) ̸= 1, then the final output of
Extend(ℓω , mω , lpath(ν)0 ) is a message m′ such that ϕa (µ, m′ ) ̸= 1.
By Lemma 12 there is a deterministic extraction algorithm that takes any L with
the above properties and computes a witness w such that (x, w) ∈ R′ .
In conclusion, for any adversarial prover that succeeds on input x with probability
µ
ϵ(x), there is a probabilistic extractor that runs in time at most t = 2λ (k+1)
ϵ(x) (µ + tV )
and with probability at least 1−t·max(δ(λ), 2kλ )−2−λ returns a witness for R′ . Since t ∈
poly(|x|,λ)
ϵ(x) assuming µ ∈ O(log(λ + |x|)) and tV ∈ poly(|x|, λ), this satisfies the definition
of δ -knowledge soundness with δ ′ (λ) = 2λ(k
′ + 1)µ (µ + tV ) · max(δ(λ), k · 2−λ ) + 2−λ ,
which is a negligible function of λ as long as δ(λ) is negligible.

Definition 12 (Tree Extractor). We define an algorithm TreeExtract(k, ℓ, ν, Cν , LSν , F (L)Sν )

where ℓν is the level of ν in a (k+1)-ary transcript tree with depth µ, L is a labeling that
defines a valid transcript tree and F (L) is a localized induced labeling, Cν = F (L)(ν) is
the commitment label on ν for commitment index ιν , and and LSν and F (L)Sν are their
restrictions to the (k +1)-ary subtree Sν rooted at ν. LSν also contains the commitment
indices in I for each node of the subtree Sν . If TreeExtract(k, ℓν , ν, LSν , F (L)Sν ) fails
it returns ⊥. Otherwise, it succeeds and returns openSubtree, which contains open-
ings of all the commitment labels F (L) assigned to nodes in Sν with respect to their
corresponding commitment indices in I, and also an opening (m, o) for the root. The
algorithms runs as follows:
• For all leaf nodes u, if the opening of (mu , ou ) of Cu = F (L)(u) with respect to
index ιu does not satisfy ϕa (µ, mu ) = 1 then abort and output ⊥, otherwise output
(mu , ou ) and continue.
• For each node ω ∈ Sν on the second to last level with commitment label Cω =
F (L)(ω) with respect to index ιω , set openLeaves to include the first k leaves of
ω along with their openings and commitment indices. If the challenge labels on
these k leaves given by L are not all distinct then abort and return ⊥. Otherwise
run Extract(µ − 1, ω, Cω , openLeaves) to get an opening (mω , oω ) of Cω with respect
to ιω . If ϕ(µ − 1, mω ) ̸= 1 then abort and return ⊥.

42
 • Continue iteratively: once openings for all commitment labels of all subtrees rooted
at the ith level have been computed, for each node ω on level i − 1 with label
Cω = F (L)(ω) with respect to ιω , if its first k children do not have distinct challenge
labels in L abort and return ⊥, otherwise run Extract(i, ω, Cω , openSubtree∗ω ) on the
commitment label openings openSubtree∗ω of the left k-ary subtree Sω∗ (excluding
node ω), which were computed in prior iterations, to get (mω , oω ). If ϕa (i, mω ) ̸= 1
abort and return ⊥.
Finally, TreeExtract∗ (k, ℓν , ν, Cν , LSν∗ ) denotes the algorithm that only extracts open-
ings of the commitments in LSν∗ and returns an opening of Cν . This runs exactly like
TreeExtract except that it only iterates over nodes that are present in the left k-ary
subtree Sν∗ .

The TreeExtract algorithm is not guaranteed to succeed. In particular, the internal

calls to Extract are only guaranteed to succeed when the openings of subtrees satisfy
predicate ϕa and the challenge labels are distinct within the pruned subtrees Sν∗ . If
any internal step fails then TreeExtract outputs ⊥. While it is possible that TreeExtract
fails and TreeExtract∗ succeeds, it is easy to see that they output the same opening
of the commitment label Cν on node ν assuming both succeed. Furthermore, while
TreeExtract operates on a labeling of a (k + 1)-ary transcript tree, the internal calls to
Extract run on labelings of k-ary transcript trees because it is defined for a protocol
that is (k (µ) , δ)-almost-special-sound. The reason we always pass the labeling/opening
of the left k-ary subtree (as opposed to an arbitrary k-ary subtree) to Extract is to ensure
that the opening of Cν included in the output of TreeExtract(k, ℓν , ν, LSν , F (L)Sν ) is a
function of only the labels on the left k-ary subtree Sν∗ and its predecessors, and in
particular is computed independently from any of the labels assigned to the (rightmost)
subtree rooted at the (k + 1)th (rightmost) child of ν. This fact is used in the proof of
Theorem 4.

Definition 13 (Predicate Special Soundness). Let ρ denote any binary predicate that
takes as input any k-ary µ-depth transcript tree. A µ-round public coin interactive
proof for a relation R with λ-bit challenges is (k (µ) , ρ)-special sound if there exists a
deterministic extraction algorithm E that takes as input an instance x ∈ LR , any k-ary
forking transcript tree rooted at x with labeling L such that ρ(L) = 1, and returns a
witness w such that (x, w) ∈ R in time poly(λ, k µ ).

Setting ρ = 1, i.e. the trivial predicate that is always true, recovers the standard
definition of k (µ) -special soundness. Recall that we defined a forking transcript tree
(Section B.3) as a transcript tree in which the challenge labels on edges that share the
same parent node are distinct.17

Lemma 12. Let Π(pp) denote a (k (µ) , δ, Γ, ϕ)-almost-special-sound protocol for a re-
lation R and any δ ∈ [0, 1], parametrized by pp ← Γ.Setup(1λ ). Define the binary
predicate ρ as a function of a (k + 1)-ary µ-depth forking transcript tree given by label-
ing L, which uses the algorithm TreeExtract from Definition 12, the algorithm Extend
and localized transcript tree labelling F from Definition 2 and returns 1 iff the following
condition holds:
For any node ω with (k + 1)th child ν, if TreeExtract(k, ℓω , ω, LSω∗ , F (L)Sω∗ )
returns an opening (mω , oω ) of the label Cω = F (L)(ω) on node ω (at level
ℓω ) with respect to commitment index ιω ∈ I such that ϕa (ℓω , mω ) ̸= 1,
then the final output of Extend(ℓω , mω , lpath(ν)0 ) is a message m′ such that
ϕa (µ, m′ ) ̸= 1.
Π(pp) is ((k + 1)(µ) , ρ)-special sound for the relation R′ (pp) defined in Theorem 4.

Remark 10. The value of δ does not affect ((k + 1)µ , ρ)-special soundness. The value
of δ affects the runtime of the extraction algorithm that is able to generate a transcript
tree satisfying the predicate ρ (in Theorem 4).

Proof. We will argue that, assuming the (k + 1)-ary forking transcript tree has property
ρ, for any ω ∈ [1, N ], either TreeExtract(k, ℓω , ω, LSω , F (L)Sω ):
1. returns a break of the commitment scheme
17
We could have defined predicate special soundness in an even more general way such that the forking property of
the tree is not required, yet can be encapsulated in the predicate. However, this would not be useful for our present
work and less convenient for notational purposes.

43
 2. returns a subtree openSubtree of openings of the commitment labels in F (L)Sω
satisfying ϕa (i.e., each opening of a label Cω to mω for a node ω on level ℓω
satisfies ϕa (ℓω , mω ) = 1)
3. or it returns openSubtree and there is an efficient algorithm that uses openSubtree
and L to break the commitment scheme.

Step 1: Suppose that ω is a node of highest level ℓω for which TreeExtract fails . In
other words, for any node of higher level than ℓω , the output of TreeExtract is a subtree
opening that satisfies ϕa . This means that all the openings of internal (non-root) nodes
of the subtree labeling F (L)Sω computed while running TreeExtract on ω satisfy ϕa .
Furthermore, L has the property that all challenge labels on the first k siblings are
distinct.

Step 2: By the definition of almost-special-soundness and the hypothesis in Step 1,

the algorithm TreeExtract(k, ℓω , ω, LSω , F (L)Sω ) either returns a break of the commit-
ment scheme or succeeds in returning openSubtree consisting of the openings of F (L)Sω
such that the openings of all internal (non-root) nodes satisfy ϕa , and the opening
(mω , oω ) of the subtree root ω satisfies ϕb (ℓω , mω ) = 1. The opening (mω , oω ) is also
identical to the output of TreeExtract∗ (k, ℓω , ω, LSω∗ , F (L)Sω∗ ).

Step 3: Suppose that TreeExtract(k, ℓω , ω, LSω , F (L)Sω ) does not return a break of
the commitment scheme (i.e., returns a subtree opening as described in Step 2). Let
ν denote the rightmost child of ω. By hypothesis, if ϕa (ℓω , mω ) = 0 then the final
output of Extend(ℓω , mω , lpath(ν)) is a message m′ such that ϕa (µ, m′ ) = 0. How-
ever, this implies that m′ must be distinct from the label F (L) assigns to the leaf
node of the rightmost branch extending from ν. Let v1 , ..., vµ denote the nodes along
the root-to-leaf path passing through node ω and ending with its leftmost branch so
that lpath(ν) = (F (L)(vℓν ), ..., F (L)(vµ )). For each i ∈ [1, µ] let Ĉi = L(vi )1 and
Ĉ = (Ĉ1 , ..., Ĉµ ) with corresponding commitment indices ⃗ι = (ι1 , ..., ιµ ). Finally, since
ϕb (ℓω , mω ) = 1 and openSubtree contains openings (mℓν , oℓν ), ...(mµ , oµ ) of the commit-
ments Ĉℓν , ...Ĉµ with respect to their corresponding indices ⃗ι that all satisfy predicate
ϕa (i, mi ) = 1, if m′ ̸= mµ then by the definition of almost-special-soundness this implies
that Break(ℓω , mω , lpath(ν),⃗ι, Ĉ, (mℓν , oℓν ), ...(mµ , oµ )) outputs a conflicting opening of
some commitment label in Ĉ.
Let C = F (L)(N ) denote the transcript tree root commitment label. The extractor
uses TreeExtract to either obtain a break of the commitment scheme or openTree, which
includes an opening for C. If every opening in openTree satisfies predicate ϕa then it
runs Extract(x, openTree) to obtain witness w satisfying R(x, w) = 1. Otherwise, it uses
the Break algorithm (as described in the previous step) to output an index ι ∈ I and
conflicting openings of a commitment with respect to ι, which is a witness for R′ (pp).

D Fiat-Shamir Transform of Almost-Special-Sound Pro-

tocols
Recently, [Wik21; AFK21] showed that for µ-round special sound protocols the non-
interactive Fiat-Shamir transform of these protocols only suffers a security loss that
is linear in the number of queries the adversary makes to the random oracle. These
proofs do not directly apply to almost-special-sound protocols. In particular, in a non-
interactive protocol, we cannot guarantee that the challenges on lpath(ν) are mutu-
ally independent. With the FS transform each challenge is a deterministic function
of the partial transcript of prover messages preceding the challenge. If the adversary
has some degree of freedom in choosing each prover message without altering prior
round messages, then it may be able to sample each challenge conditional on previous
challenges, called grinding. In the case of analyzing DARK, we were able to bound
the probability that f (x1 , . . . , xµ ) ≡ 0 mod N for independently sampled x1 , . . . , xµ .
If the adversary can grind challenges then it can for each challenge xi ensure that
1
f (x1 , . . . , xi , Xi+1 , . . . , Xµ ) ≡ 0 mod Ni where Ni is a factor of N of size roughly N µ .
The proof of Theorem 5 relies on the fact that P(αi+1 ,...,αµ )←[0,2λ )µ−i [g(αi+1 , ..., αµ ) ≡
0 mod N ] = δ is negligible for sufficiently large N . Analyzing a grinding adversary of the
non-interactive protocol that makes at most T queries to the random oracle corresponds

44
 to analyzing the probability that for any set of T values
PS={αi,j }i∈[µ],j∈[T ] )←[0,2λ )µ·T ∃(j1 , . . . , jµ ) s.t. [g(α1,j1 , ..., αµ,jµ ) ≡ 0 mod N ]
which by a union bound is less than T µ · δ.
However, what conditions might be sufficient to prevent an adversary from grinding
challenges? If for every partial transcript, there is a unique next prover message that
leads to an accepting transcript then the adversary would not have the opportunity to
grind. In fact, it suffices for this to be computationally hard. We will show that this
is the case for any protocol satisfying the definition of almost-special soundness with
respect to a computationally unique commitment scheme, which we define. This implies
that the messages in each round are commitments from a scheme where it is computa-
tionally difficult to come up with two distinct commitments to the same message (note
this implies the scheme cannot be hiding). The DARK protocol has precisely this prop-
erty. Finally, we prove that the Fiat-Shamir transform of these almost-special-sound
protocols is secure.
Definition 14 (Random Oracle). In our version of the random oracle model, all random
oracle algorithms have black-box access to a shared random function H : M≤u → X
where M≤u consists of all vectors (m1 , ..., mi ) ∈ Mi for each i ≤ u. H assigns to
u+1 −1
each of the |M||M|−1 unique elements of M≤u an output independently and uniformly
distributed in X . Random oracles may be assigned indices from a set I, where for any
distinct i, j ∈ I the oracles Hi and Hj are independently distributed random functions.
For any k < u and fixed m = (m1 , ..., mk ) we will use the notation Hm : M≤u−k → X
where Hm (m′1 , ..., m′i ) = H(m, m′1 , ..., m′i ) for any i ≤ u − k. This is equivalent to a
random oracle family indexed by Mk .
A Q-query random oracle algorithm is an algorithm that makes at most Q queries
to the random oracle.
Definition 15 (Non-interactive Proof of Knowledge in RO). An non-interactive proto-
col Π = (P, V) between a prover P and verifier V in the random oracle model (i.e., with
shared oracle access to the random function H) is a proof of knowledge for a relation
R with knowledge error δ : N2 → [0, 1] if the following properties hold:
• Perfect Completeness: for all (x, w) ∈ R
P V H (x, π) = 1 : π ← P H (x, w) = 1
 

• δ-Knowledge Soundness: There exists a polynomial poly(·) and a probabilistic or-

acle machine E called the extractor such that given oracle access to any Q-query
random oracle algorithm A and any input x ∈ LR the following holds18 : if
P V H (x, π) = 1 : π ← AH (x) = ϵ(x)
 

poly(|x|)
then E A (x) outputs w such that (x, w) ∈ R in an expected ϵ(x)−δ(|x|,Q) number of
A
steps. In the course of running with black-box access to A, E (x) implements the
random oracle for A, i.e. it intercepts all queries that A makes to H and simulates
the response.
Π is called “knowledge sound” or a “proof of knowledge” for R if for all Q polynomial
in |x| the knowledge error δ(|x|, Q) is a negligible function of |x|.
Definition 16 (Non-interactive argument of knowledge in SRS/RO). A non-interactive
proof system Π = (Setup, P H , V H ) with setup procedure pp ← Setup(λ) in the random
oracle model, where P H and V H are given shared access to both the random oracle
H and the parameters pp (where |pp| ≥ λ), is an argument of knowledge for relation
R with knowledge error err : N2 → [0, 1] if there exists a polynomial time extractor E
such that for any non-uniform polynomial time adversary A and deterministic Q-query
polynomial time prover P ∗ the following holds:19
 
pp ← Setup(λ)  
pp ← Setup(λ)
 (x, w) ∈ R and (x, st) ← A(pp)  ≥ P  V H (pp, x, π) = 1 : (x, st) ← A(pp) −err(λ, Q)

 V H (pp, x, π) = 1 :
P
π ← P ∗ (st)
π ← P ∗ (st)

∗
w ← E P (st) (pp, x)
18
The algorithm A may explicitly hardcode a witness or may not have one, so no witness is given to A as input.
19
This definition says that there is overwhelming intersection between the event where the adversary generates
an input x and corresponding proof π that convinces the verifier, and the event where the extractor succeeds in
obtaining a witness from the input x generated by the adversary. This not only ensures that extraction succeeds with
close to the same probability of the adversary’s success over randomly sampled parameters, but also excludes the
pathological case that both the adversary and extractor succeed with noticeable probability on disjoint sets of inputs.
This definition is also equivalent to fixing the transcript distinguisher in the definition of witness-extended emulation
(Definition 10) to be the verifier decision algorithm. In WEE the transcript distinguisher could be arbitrary, which
is a stronger property important for simulation analysis.

45
Definition 17 (FS Transform). For any µ-round public-coin interactive proof Π the
FS transform ΠH F S of Π with respect to the random oracle H is a non-interactive proof
in the random oracle model which on public input x simulates the interactive protocol
Π by replacing each ith round public-coin challenge, for i ∈ [1, µ], with H(x, m1 , ..., mi ),
where m1 , ..., mi denote the first i prover messages.

Lemma 13 (FS for special-sound multiround protocols [AFK21; Wik21]). For any µ-
round interactive proof Π = (P, V) for relation R and its FS transform ΠF S = (P H , V H )
with random oracle H, there exists a random oracle algorithm Tree which given black-
box access to any Q-query deterministic prover algorithm P ∗ , input x ∈ LR , and k ∈ N
makes at most Q + µ queries to H and returns a k-ary forking transcript tree for
Π in expected time k µ + Q · (k µ − 1) and succeeds with probability ϵ(x)−(Q+1)·κ
(1−κ) where
κ = 1−(1− k−1 2λ
)µ and ϵ(x) is the probability (over H) that P ∗ outputs a non-interactive
proof for x that V H accepts. Moreover, the transcript tree satisfies additional properties:
• Every root-to-leaf labelled path (i.e., transcript included in the tree) matches the
′
output of P ∗H (x) with a partially fresh random oracle H′ , and thus has the format
of a valid ΠF S proof with respect to H′ .
• For any node ν, the labels LSν on the subtree Sν are generated by a (Q + µ)-query
random oracle algorithm independently from all labels Lν ∗ , i.e. labels computed
on lower indexed nodes that do not belong to Sν . In particular, if ν is the kth
child of ω then LSν is independent of the labels on the (k − 1)-ary left subtree of
ω.

Lemma 13 immediately implies that the FS transform of any k (µ) -special sound
protocol for R is knowledge sound in the RO model. However, we need to work a
bit harder to apply this lemma to almost-special-sound protocols. We will only be
able to show computational knowledge soundness for protocols that are almost-special-
sound with respect to a computationally-unique commitment scheme. The DARK proof
system has this property.

Definition 18 (RO relation hardness). Let RH (pp) denote a family of relations parametrized
by a random oracle H and setup pp ← Setup(λ) with security parameter λ where
|pp| ≥ λ. RH (pp) is (Q, ϵ(λ))-hard in the RO model if for any pair of polynomial time
random oracle algorithms A1 , A2 where A1 makes at most Q queries to a random oracle
H′ (possibly distinct from H) and A2 makes at most Q queries to random oracle H:
 
pp ← Setup(λ)
′
P (x, w) ∈ RH (pp) : x ← AH 1 (pp)
 ≤ ϵ(λ)
H
w ← A2 (pp, x)

Definition 19 (Computationally Unique Commitments). A deterministic commitment

scheme Γ = (Setup, G.Commit, Open) is computationally-unique if for any polynomial-
time adversary A

pp ← Setup(1λ )
 

 (C0 , C1 , x, r0 , r1 , ι) ← A(pp) 

Pr b0 = b1 = 1 ∧ C0 ̸= C1 : ppι = G(pp, ι)
  ≤ negl(λ)

 b0 ← Open(ppι , C0 , x, r0 ) 
b1 ← Open(ppι , C1 , x, r1 )

Lemma 14. Any deterministic homomorphic commitment scheme Γ that is binding

under rational openings to W ⊆ Qn is computationally unique if the commitment
group G is either prime or is a group of unknown order in which the subgroup order
assumption holds for all of G.

Proof. Suppose C ′ ̸= C ∈ G and x/z ∈ W and com(x) = z · C and com(x · ∆) = z · ∆ · C.

This implies that z∆ · (C ′ − C) = 0. In a prime-order group this is impossible because
C ′ − C ̸= 0. In a group of unknown order, z∆ is a multiple of the order of C ′ − C,
which violates the subgroup order assumption for G.

Lemma 15. For any µ, Q = poly(λ), and computationally-unique commitment scheme

Γ = (Setup, G, Commit, Open), predicate ρ : M2 ×X µ → {0, 1}, and ext : M×X ≤µ → M
where ∀i, m ∈ M:

Pα1 ,...,αµ [ρi (m, mµ , α1 , ..., αµ ) = 1 : ext(m, α1 , ..., αµ ) = mµ ] ≤ δ

46
the relation
 
 tr = (C1 , ..., Cµ ) 
 



 ∀ i∈[µ] i = H(C, C1 , ..., Ci−1 )
α 






 M = ((m1 , o1 ), ..., (mµ , oµ )) 



Open(pp, C, m, o) = 1
 
RH
ext (pp, µ, ρ) = (x = (C, m, o), w = (tr, M )) :

 ppi = G(pp, α1 , ..., αi ) 

∀ Open(ppi , Ci , mi , oi ) = 1

 


 i∈[µ] 

∀
 
i∈[µ] ext(m, α1 , ..., αi ) = mi

 


 

ρ(m, mµ , α1 , ..., αµ ) = 1
is (Q, δ + negl(λ))-hard in the RO model.
′
Proof. Consider any pair of polynomial time random oracle algorithms x ← AH 1 (pp)
and w ← AH 2 (pp, x) that for setup parameter λ make at most Q = poly(λ) queries to
′
their respective oracles H and H. For fixed x let TH (x) = (T1 , ..., Tµ ) denote a random
variable representing the output tr included in w conditioned on the event that w satis-
fies at least all validity criteria other than possibly the last, i.e. ρ(m, mµ , α1 , ..., αµ ) = 1.
Note that TH (x) is also dependent on the randomness of the oracle H. Presuming this
event occurs with probability at least ϵ(x), we can repeat AH 2 (pp, x) on fresh internal
randomness (not changing H) in expectation 1/ϵ(x) times until it outputs w satisfying
this event with a particular assignment tr = (C1 , ..., Cµ ) to the random variable TH (x).
Suppose that for any i ∈ [µ] we then reprogrammed H to an oracle H∗ by sampling
new answers to any subset of the queries {qj = (C, C1 , ..., Cj )}i≤j<µ but keeping all
other queries consistent with H. For i = µ we do not change the oracle and H∗ = H.
Define the random variable TH∗ (x) in the same way for the new oracle H∗ . Suppose
∗
further that repeating the same experiment with AH 2 (pp, x) were to return with prob-
ability greater than δ ′ (x) a vector tr′ = (C1′ , ..., Cµ′ ) ̸= tr where the first distinct index
between tr′ and tr is some k ≤ i. For i = µ we just repeat the same experiment with
H. For all i ∈ [µ] let αi = H(C, C1 , ..., Ci−1 ), let mi = ext(m, α1 , ..., αi ), let αi′ =
H∗ (C, C1′ , ..., Ci−1
′ ), and let m′ = ext(m, α′ , ..., α′ ). Since the oracle answers to queries
i 1 i
C and {qj = (C, C1 , ..., Cℓ )}1≤ℓ<k have not changed and (C1 , ..., Ck−1 ) = (C1′ , ..., Ck−1 ′ )
′ ′ ′ ′
it follows that (α1 , ..., αk ) = (α1 , ..., αk ) and (m1 , ..., mk ) = (m1 , ..., mk ). The result
of these two experiments would thus include openings of the distinct commitments
Ck ̸= Ck′ to the same message mk = m′k . By computational uniqueness of the commit-
′
ment scheme, for pp ← Setup(λ) and x ← AH ′
1 (pp) either δ (x) or ϵ(x) is negligible in
λ, as we have shown that it is possible to construct and adversary using A1 and A2
that on input pp breaks the uniqueness of the commitment scheme (Definition 19) in
1
expected time ( ϵ(x) + δ′1(x) ) · poly(λ).
′
We draw two conclusions from this. For pp ← Setup(λ) and x ← AH 1 (pp), if
H
A2 (pp, x) succeeds in returning w satisfying the aforementioned event (i.e., all criteria
except the last predicate) with non-negligible probability then there is a unique vector
(C1 , ..., Cµ ) such that:
(a) P[TH (x) = (C1 , ..., Cµ )] ≥ 1 − negl(λ)
(b) While this unique vector of high support may depend on H, for all i ∈ [µ] the first
i components (C1 , ..., Ci ) are independent of the answers to the values H(q) for
q ∈ {(C, C1 , ..., Cj )}i≤j<µ .
If (a) were false then running the experiment above for case i = µ would succeed with
non-negligible probability δ ′ in returning a distinct assignment to TH (x), which contra-
dicts the computational uniqueness of the commitment scheme as shown above. If (b)
were false, then for some i < µ the experiment would succeed with non-negligible prob-
ability δ ′ in returning a distinct assignment to TH (x) where the first index of distinction
is k ≤ i, again contradicting the computational uniqueness of the commitment scheme
as shown above.
Finally, (b) implies that (α1 , ..., αµ ) where αi = H(C, C1 , ..., Ci ) is uniformly dis-
tributed and hence P[ρ(m, mµ , α1 , ..., αµ ) = 1] ≤ δ as stated in the hypothesis. Thus,
conditioned on the event that w satisfies at least all validity criteria except the predi-
cate, then its first component is tr = (C1 , ..., Cµ ) with probability 1 − negl(λ), in which
case it fails the last criteria (i.e., the predicate) with probability 1 − δ. In conclusion,
by a union bound it satisfies all criteria with probability at most δ + negl(λ).

Theorem 6 (Fiat Shamir for AMSS protocols with unique commitments). If Π is a

(k (µ) , δ, com, ϕ)-almost-special-sound protocol for a relation R and a computationally-
unique commitment scheme com (Definition 19) whose setup runs pp ← com.Setup(λ)

47
then its FS transform ΠF S is an argument of knowledge for R in the RO model (Defi-
nition 16) with knowledge error:

(Q + 1)κ
err(λ, Q) = + 2λ(k µ + Q · (k µ − 1)) · δ + negl(λ)
1−κ
k µ
where κ = 1 − (1 − 2λ
) .

Proof. Let V H denote the resulting verifier for ΠF S . We will construct an extractor
E which is given black-box access to any deterministic Q-query prover algorithm P ∗ ,
where Q is assumed to be polynomial in λ. E has the power to intercept and respond
to the queries P ∗ makes to the random oracle, simulating (i.e., reprogramming) the
oracle responses. On input x and parameters pp, E first tests that P ∗ outputs a proof
π such that V H (pp, x, π) = 1 and otherwise aborts. If this first step succeeds, then
E continues by running the tree generation algorithm from Lemma 13 to generate a
(k + 1)-ary forking transcript tree. Given black-box access to a deterministic Q-query
prover algorithm, this tree generation algorithm runs in expected polynomial time k µ +
Q · (k µ − 1) succeeding with probability ϵ(x)−(Q+1)·κ
(1−κ) where κ = 1 − (1 − 2kλ )µ and ϵ(x)
is the probability over the randomness of H that P ∗ outputs a non-interactive proof
that V H accepts. E will repeat λ iterations of running this tree generation algorithm
for 2(k µ + Q · (k µ − 1)) steps each time, and returns the first trial that succeeds. By
Markov, this results in a new tree generation algorithm that runs in strict polynomial
time 2λ(k µ + Q · (k µ − 1)) with negligible loss 2−λ in its probability of success.
For any (k + 1)-ary transcript tree, there is a polynomial time procedure (Defini-
tion 12) which as shown in Lemma 12 either:
(a) Extracts a witness w such that (x, w) ∈ R
(b) Extracts a break to the binding of the commitment scheme, i.e. an element of
Lbreak (pp) defined in Theorem 4.
(c) Extracts an opening (mω , oω ) for the commitment label on some node ω at some
level i with rightmost child ν at level i + 1 such that ϕb (i, mω ) = 1, ϕa (i, mω ) = 0,
openings of all commitment labels on the leftmost path lpath(ν) extending down
from ν to messages equal to Extend(i, m, αi , ..., αµ ) = (mi , ..., mµ ) where (αi , ..., αµ )
are the verifier challenges along this path such that ∀j≥i ϕa (j, mj ) = 1.
The third extraction event was ruled out (with overwhelming probability) from any
transcript tree generated via the Path Predicate Forking Lemma, see Theorem 4 and
Lemma 9. In particular, the transcript tree generated there was shown to satisfy a pred-
icate (with overwhelming probability) that eliminates the possibility that ϕa (i, mω ) = 0
yet ϕa (µ, mµ ) = 1. The analysis leveraged the way that transcripts are sampled by that
tree generation algorithm. However, we will need to use a slightly different analysis this
time.
First, we define the relation for all i ∈ [µ], commitment scheme parameters pp, and
random oracle H∗ :
 
 tr = (x, C1 , ..., Cµ−i ) 
∗
 



 ∀j∈[µ−i] αj = H (C, C1 , ..., Cj−1 )




M = ((m1 , o1 ), ..., (mµ−i , oµ−i ))
∗
 
RHext (pp, µ−i) = (x = (C, m, o), w = (tr, M )) :

 ∀ j∈[µ−i] com.Open(pp, Cj , mj , oj ) = 1 

Extend(i, m, α1 , ..., αµ−i ) = (m1 , ..., mµ−i )

 


 

 
ϕb (i, m) = 1, ϕa (i, m) = 0, ϕa (µ, mµ−i ) = 1

We note that by Lemma 13, in case (c) occurs, there is a (Q + µ)-query polyno-
mial time algorithm A1 that generates (C, m, o) and transcript prefix y, and an in-
∗
dependent (Q + µ)-query adversary AH
2 which generates the witness (tr, M ) such that
H∗
((C, m, o), (tr, M )) ∈ Rexty (pp, µ − i) for some i. A1 represents the algorithm that ran
the partial tree generation that created all labels on the left k-ary subtree of ω and also
the prefix y labeling the trunk (i.e., from root to ω) of subtree Sν , and then also ran
the tree extraction algorithm (Definition 12) on this left k-ary subtree of ω. Note that
conditioned on event (c), ω is the first node and index i for which this tree extraction
succeeds in producing an opening (mω , oω ) such that ϕb (i, mω ) = 1 but ϕa (i, mω ) = 0.
By Lemma 13 the root-to-leaf path that includes the prefix y and lpath(ν) matches
∗
the output of some AH ∗
∗ (x) with partially fresh random oracle H , and there is also
a subtree generation algorithm that is a (Q + µ)-query algorithm which generated the
∗
labels on subtree Sν . AH 2 represents the combination of these two algorithms and also
the subtree extractor that opens the commitments on these labels. Conditioned on (c),

48
the openings of the commitment labels within this subtree all satisfy predicate ϕa and
the opened messages of the commitment labels lpath(ν)0 along the leftmost path from
ν match the output of Extend(i, m, lpath(v)1 ) where lpath(ν)1 are the challenge labels
along this path.
Let ρi denote the predicate such that ρi (m, m′ , α1 , ..., αµ−i ) = 1 iff ϕb (i, m) = 1,
ϕa (i, m) = 0, and ϕa (µ, m′ ) = 1. By the definition of (k (µ) , δ, com, ϕ)-almost-special-
soundness, for uniform random β1 , ..., βµ−i :

Pβ1 ,....,βµ−i [ρ(m, mµ−i , β1 , ..., βµ−i ) = 1 : Extend(i, m, β1 , ..., βµ−i ) = (m1 , ..., mµ−i )] ≤ δ
∗
Thus, since Q + µ is polynomial in λ, by Lemma 15 the relation RH ext (pp, µ − i) is
(Q + µ, δ + negl(λ))-hard in the RO model for Q = poly(λ). This shows that for any
particular index in the transcript tree, the event of type (c) occurs with probability at
most δ + negl(λ) when running the extractor with polynomial time provers making a
polynomial number of queries to the RO. This experiment may effectively occur times
over the course of the tree generation algorithm, but we can loosely union bound the
probability that event (c) ever occurs by the runtime of the tree generation algorithm.
Similarly, we can eliminate event (b) as occurring with negl(λ) by the computational
binding property of the commitment scheme, which does not require an additional union
bound.
Finally, letting ϵ(x, st) denote the probability over the parameters and random oracle
that the verifier accepts the proof π output by P ∗ (st) for public input x, we conclude
that:

   
pp ← Setup(λ) pp ← Setup(λ)
 (x, w) ∈ R and (x, st) ← A(pp)   = P  (x, w) ∈ R : (x, st) ←∗A(pp) 
 
P V H (pp, x, π) = 1 : π ← P (st)∗   π ← P (st) 
P ∗ (st) P ∗ (st)
w←E (pp, x) w←E (pp, x)
X  ϵ(x, st) − (Q + 1)κ 
≥ − 2λ(k µ + Q · (k µ − 1)) · δ − negl(λ) · P [A(pp) = (x, st) : pp ← Setup(λ)]
x,st
1 − κ
 
pp ← Setup(λ)
(Q + 1)κ
≥ P  V H (pp, x, π) = 1 : (x, st) ← A(pp)  − − 2λ(k µ + Q · (k µ − 1)) · δ − negl(λ)
∗ 1−κ
π ← P (st)
∗
The first equality holds because E P (st) (pp, x) aborts in its first step if the determin-
istic P ∗ (st) outputs π such that V H (pp, x, π) ̸= 1.

49