Protocol Description

Preliminaries

We take $\lambda$ as our security parameter, and unless explicitly noted all algorithms and adversaries are probabilistic (interactive) Turing machines that run in polynomial time in this security parameter. We use $\text{negl}(\lambda )$ to denote a function that is negligible in $\lambda$.

Cryptographic Groups

We let $\mathbb{G}$ denote a cyclic group of prime order $p$. The identity of a group is written as $\mathcal{O}$. We refer to the scalars of elements in $\mathbb{G}$ as elements in a scalar field $\mathbb{F}$ of size $p$. Group elements are written in capital letters while scalars are written in lowercase or Greek letters. Vectors of scalars or group elements are written in boldface, i.e. $\mathbf{a}\in {\mathbb{F}}^n$ and $\mathbf{G}\in {\mathbb{G}}^n$. Group operations are written additively and the multiplication of a group element $G$ by a scalar $a$ is written $[a]G$.

We will often use the notation $⟨\mathbf{a},\mathbf{b}⟩$ to describe the inner product of two like-length vectors of scalars $\mathbf{a},\mathbf{b}\in {\mathbb{F}}^n$. We also use this notation to represent the linear combination of group elements such as $⟨\mathbf{a},\mathbf{G}⟩$ with $\mathbf{a}\in {\mathbb{F}}^n,\mathbf{G}\in {\mathbb{G}}^n$, computed in practice by a multiscalar multiplication.

We use $0^n$ to describe a vector of length $n$ that contains only zeroes in $\mathbb{F}$.

Discrete Log Relation Problem. The advantage metric $${\mathsf{Adv}}_{\mathbb{G},n}^{\mathsf{dl}-\mathsf{rel}}(\mathcal{A},\lambda )=\text{Pr}\left[{\mathsf{G}}_{\mathbb{G},n}^{\mathsf{dl}-\mathsf{rel}}(\mathcal{A},\lambda )\right]$$ is defined with respect the following game. $$\begin{array}{ll}& \underline{\mathbf{Game}{\mathsf{G}}_{\mathbb{G},n}^{\mathsf{dl}-\mathsf{rel}}(\mathcal{A},\lambda ):}\\ & \mathbf{G}\leftarrow {\mathbb{G}}_{\lambda }^n\\ & \mathbf{a}\leftarrow \mathcal{A}(\mathbf{G})\\ & \text{Return}\left(⟨\mathbf{a},\mathbf{G}⟩=\mathcal{O}\wedge \mathbf{a}\ne 0^n\right)\end{array}$$

Given an $n$-length vector $\mathbf{G}\in {\mathbb{G}}^n$ of group elements, the discrete log relation problem asks for $\mathbf{g}\in {\mathbb{F}}^n$ such that $\mathbf{g}\ne 0^n$ and yet $⟨\mathbf{g},\mathbf{G}⟩=\mathcal{O}$, which we refer to as a non-trivial discrete log relation. The hardness of this problem is tightly implied by the hardness of the discrete log problem in the group as shown in Lemma 3 of [JT20]. Formally, we use the game ${\mathsf{G}}_{\mathbb{G},n}^{\mathsf{dl}-\mathsf{rel}}$ defined above to capture this problem.

Interactive Proofs

Interactive proofs are a triple of algorithms $\text{IP}=(\text{Setup},\mathcal{P},\mathcal{V})$. The algorithm $\text{Setup}(1^{\lambda })$ produces as its output some public parameters commonly refered to by $\mathsf{pp}$. The prover $\mathcal{P}$ and verifier $\mathcal{V}$ are interactive machines (with access to $\mathsf{pp}$) and we denote by $⟨\mathcal{P}(x),\mathcal{V}(y)⟩$ an algorithm that executes a two-party protocol between them on inputs $x,y$. The output of this protocol, a transcript of their interaction, contains all of the messages sent between $\mathcal{P}$ and $\mathcal{V}$. At the end of the protocol, the verifier outputs a decision bit.

Zero knowledge Arguments of Knowledge

Proofs of knowledge are interactive proofs where the prover aims to convince the verifier that they know a witness $w$ such that $(x,w)\in \mathcal{R}$ for a statement $x$ and polynomial-time decidable relation $\mathcal{R}$. We will work with arguments of knowledge which assume computationally-bounded provers.

We will analyze arguments of knowledge through the lens of four security notions.

• Completeness: If the prover possesses a valid witness, can they always convince the verifier? It is useful to understand this property as it can have implications for the other security notions.
• Soundness: Can a cheating prover falsely convince the verifier of the correctness of a statement that is not actually correct? We refer to the probability that a cheating prover can falsely convince the verifier as the soundness error.
• Knowledge soundness: When the verifier is convinced the statement is correct, does the prover actually possess ("know") a valid witness? We refer to the probability that a cheating prover falsely convinces the verifier of this knowledge as the knowledge error.
• Zero knowledge: Does the prover learn anything besides that which can be inferred from the correctness of the statement and the prover's knowledge of a valid witness?

First, we will visit the simple definition of completeness.

Perfect Completeness. An interactive argument $(\text{Setup},\mathcal{P},\mathcal{V})$ has perfect completeness if for all polynomial-time decidable relations $\mathcal{R}$ and for all non-uniform polynomial-time adversaries $\mathcal{A}$ $$Pr\left[(x,w)\notin \mathcal{R}\vee ⟨\mathcal{P}(\mathsf{pp},x,w),\mathcal{V}(\mathsf{pp},x)⟩\text{accepts}|\begin{array}{ll}& \mathsf{pp}\leftarrow \text{Setup}(1^{\lambda })\\ & (x,w)\leftarrow \mathcal{A}(\mathsf{pp})\end{array}\right]=1$$

Soundness

Complicating our analysis is that although our protocol is described as an interactive argument, it is realized in practice as a non-interactive argument through the use of the Fiat-Shamir transformation.

Public coin. We say that an interactive argument is public coin when all of the messages sent by the verifier are each sampled with fresh randomness.

Fiat-Shamir transformation. In this transformation an interactive, public coin argument can be made non-interactive in the random oracle model by replacing the verifier algorithm with a cryptographically strong hash function that produces sufficiently random looking output.

This transformation means that in the concrete protocol a cheating prover can easily "rewind" the verifier by forking the transcript and sending new messages to the verifier. Studying the concrete security of our construction after applying this transformation is important. Fortunately, we are able to follow a framework of analysis by Ghoshal and Tessaro ([GT20]) that has been applied to constructions similar to ours.

We will study our protocol through the notion of state-restoration soundness. In this model the (cheating) prover is allowed to rewind the verifier to any previous state it was in. The prover wins if they are able to produce an accepting transcript.

State-Restoration Soundness. Let $\text{IP}$ be an interactive argument with $r>=r(\lambda )$ verifier challenges and let the $i$th challenge be sampled from ${\mathsf{Ch}}_i$. The advantage metric $${\mathsf{Adv}}_{\text{IP}}^{\text{SRS}}(\mathcal{P},\lambda )=\text{Pr}\left[{\text{SRS}}_{\mathcal{P}}^{\text{IP}}(\lambda )\right]$$ of a state restoration prover $\mathcal{P}$ is defined with respect to the following game. $$\begin{array}{ll}\begin{array}{ll}& \underline{\mathbf{Game}{\text{SRS}}_{\text{IP}}^{\mathcal{P}}(\lambda ):}\\ & \text{win}\leftarrow \mathtt{false};\\ & \text{tr}\leftarrow ϵ\\ & \mathsf{pp}\leftarrow \text{IP}.\text{Setup}(1^{\lambda })\\ & (x,{\text{st}}_{\mathcal{P}})\leftarrow {\mathcal{P}}_{\lambda }(\mathsf{pp})\\ & \text{Run}{\mathcal{P}}_{\lambda }^{{\mathcal{O}}_{\text{SRS}}}({\text{st}}_{\mathcal{P}})\\ & \text{Return win}\end{array}& \begin{array}{ll}& \underline{\mathbf{Oracle}{\mathcal{O}}_{\text{SRS}}(\tau =(a_1,c_1,...,a_{i-1},c_{i-1}),a_i):}\\ & \text{If}\tau \in \text{tr}\text{then}\\ & \text{If}i\le r\text{then}\\ & c_i\leftarrow {\mathsf{Ch}}_i;\text{tr}\leftarrow \text{tr}||(\tau ,a_i,c_i);\text{Return}{c}_i\\ & \text{Else if}i=r+1\text{then}\\ & d\leftarrow \text{IP}.\mathcal{V}(\mathsf{pp},x,(\tau ,a_i));\text{tr}\leftarrow (\tau ,a_i)\\ & \text{If}d=1\text{then win}\leftarrow \mathtt{true}\\ & \text{Return}d\\ & \text{Return}\perp \end{array}\end{array}$$

As shown in [GT20] (Theorem 1) state restoration soundness is tightly related to soundness after applying the Fiat-Shamir transformation.

Knowledge Soundness

We will show that our protocol satisfies a strengthened notion of knowledge soundness known as witness extended emulation. Informally, this notion states that for any successful prover algorithm there exists an efficient emulator that can extract a witness from it by rewinding it and supplying it with fresh randomness.

However, we must slightly adjust our definition of witness extended emulation to account for the fact that our provers are state restoration provers and can rewind the verifier. Further, to avoid the need for rewinding the state restoration prover during witness extraction we study our protocol in the algebraic group model.

Algebraic Group Model (AGM). An adversary ${\mathcal{P}}_{\text{alg}}$ is said to be algebraic if whenever it outputs a group element $X$ it also outputs a representation $\mathbf{x}\in {\mathbb{F}}^n$ such that $⟨\mathbf{x},\mathbf{G}⟩=X$ where $\mathbf{G}\in {\mathbb{G}}^n$ is the vector of group elements that ${\mathcal{P}}_{\text{alg}}$ has seen so far. Notationally, we write $\left[X\right]$ to describe a group element $X$ enhanced with this representation. We also write $[X{]}_i^{\mathbf{G}}$ to identify the component of the representation of $X$ that corresponds with ${\mathbf{G}}_i$. In other words, $$X=\sum _{i=0}^{n-1}\left[[X{]}_i^{\mathbf{G}}\right]{\mathbf{G}}_i$$

The algebraic group model allows us to perform so-called "online" extraction for some protocols: the extractor can obtain the witness from the representations themselves for a single (accepting) transcript.

State Restoration Witness Extended Emulation Let $\text{IP}$ be an interactive argument for relation $\mathcal{R}$ with $r=r(\lambda )$ challenges. We define for all non-uniform algebraic provers ${\mathcal{P}}_{\text{alg}}$, extractors $\mathcal{E}$, and computationally unbounded distinguishers $\mathcal{D}$ the advantage metric $${\mathsf{Adv}}_{\text{IP},\mathcal{R}}^{\text{sr-wee}}({\mathcal{P}}_{\text{alg}},\mathcal{D},\mathcal{E},\lambda )=\text{Pr}\left[{\text{WEE-real}}_{\text{IP},\mathcal{R}}^{\mathcal{P},\mathcal{D}}(\lambda )\right]-\text{Pr}\left[{\text{WEE-ideal}}_{\text{IP},\mathcal{R}}^{\mathcal{E},\mathcal{P},\mathcal{D}}(\lambda )\right]$$ is defined with the respect to the following games. $$\begin{array}{ll}\begin{array}{ll}& \underline{\mathbf{Game}{\text{WEE-real}}_{\text{IP},\mathcal{R}}^{{\mathcal{P}}_{\text{alg}},\mathcal{D}}(\lambda ):}\\ & \text{tr}\leftarrow ϵ\\ & \mathsf{pp}\leftarrow \text{IP}.\text{Setup}(1^{\lambda })\\ & (x,{\mathsf{st}}_{\mathcal{P}})\leftarrow {\mathcal{P}}_{\text{alg}}(\mathsf{pp})\\ & \text{Run}{{\mathcal{P}}_{\text{alg}}}^{{\mathcal{O}}_{\text{real}}}({\mathsf{st}}_{\mathcal{P}})\\ & b\leftarrow \mathcal{D}(\text{tr})\\ & \text{Return}b=1\\ & \underline{\mathbf{Game}{\text{WEE-ideal}}_{\text{IP},\mathcal{R}}^{\mathcal{E},{\mathcal{P}}_{\text{alg}},\mathcal{D}}(\lambda ):}\\ & \text{tr}\leftarrow ϵ\\ & \mathsf{pp}\leftarrow \text{IP}.\text{Setup}(1^{\lambda })\\ & (x,{\mathsf{st}}_{\mathcal{P}})\leftarrow {\mathcal{P}}_{\text{alg}}(\mathsf{pp})\\ & {\mathsf{st}}_{\mathcal{E}}\leftarrow (1^{\lambda },\mathsf{pp},x)\\ & \text{Run}{{\mathcal{P}}_{\text{alg}}}^{{\mathcal{O}}_{\text{ideal}}}({\mathsf{st}}_{\mathcal{P}})\\ & w\leftarrow \mathcal{E}({\mathsf{st}}_{\mathcal{E}},\perp )\\ & b\leftarrow \mathcal{D}(\text{tr})\\ & \text{Return}(b=1)\\ & \wedge (\text{Acc}(\text{tr})⟹(x,w)\in \mathcal{R})\end{array}& \begin{array}{ll}& \underline{\mathbf{Oracle}{\mathcal{O}}_{\text{real}}(\tau =(a_1,c_1,...,a_{i-1},c_{i-1}),a_i):}\\ & \text{If}\tau \in \text{tr}\text{then}\\ & \text{If}i\le r\text{then}\\ & c_i\leftarrow {\mathsf{Ch}}_i;\text{tr}\leftarrow \text{tr}||(\tau ,a_i,c_i);\text{Return}{c}_i\\ & \text{Else if}i=r+1\text{then}\\ & d\leftarrow \text{IP}.\mathcal{V}(\mathsf{pp},x,(\tau ,a_i));\text{tr}\leftarrow (\tau ,a_i)\\ & \text{If}d=1\text{then win}\leftarrow \mathtt{true}\\ & \text{Return}d\\ & \text{Return}\perp \\ & \\ & \\ & \underline{\mathbf{Oracle}{\mathcal{O}}_{\text{ideal}}(\tau ,a):}\\ & \text{If}\tau \in \text{tr}\text{then}\\ & (r,{\mathsf{st}}_{\mathcal{E}})\leftarrow \mathcal{E}({\mathsf{st}}_{\mathcal{E}},\left[(\tau ,a)\right])\\ & \text{tr}\leftarrow \text{tr}||(\tau ,a,r)\\ & \text{Return}r\\ & \text{Return}\perp \end{array}\end{array}$$

Zero Knowledge

We say that an argument of knowledge is zero knowledge if the verifier also does not learn anything from their interaction besides that which can be learned from the existence of a valid $w$. More formally,

Perfect Special Honest-Verifier Zero Knowledge. A public coin interactive argument $(\text{Setup},\mathcal{P},\mathcal{V})$ has perfect special honest-verifier zero knowledge (PSHVZK) if for all polynomial-time decidable relations $\mathcal{R}$ and for all $(x,w)\in \mathcal{R}$ and for all non-uniform polynomial-time adversaries ${\mathcal{A}}_1,{\mathcal{A}}_2$ there exists a probabilistic polynomial-time simulator $\mathcal{S}$ such that $$\begin{array}{rl}& Pr\left[{\mathcal{A}}_1(\sigma ,x,\text{tr})=1|\begin{array}{ll}& \mathsf{pp}\leftarrow \text{Setup}(1^{\lambda });\\ & (x,w,\rho )\leftarrow {\mathcal{A}}_2(\mathsf{pp});\\ & tr\leftarrow ⟨\mathcal{P}(\mathsf{pp},x,w),\mathcal{V}(\mathsf{pp},x,\rho )⟩\end{array}\right]\\ & \\ =& Pr\left[{\mathcal{A}}_1(\sigma ,x,\text{tr})=1|\begin{array}{ll}& \mathsf{pp}\leftarrow \text{Setup}(1^{\lambda });\\ & (x,w,\rho )\leftarrow {\mathcal{A}}_2(\mathsf{pp});\\ & tr\leftarrow \mathcal{S}(\mathsf{pp},x,\rho )\end{array}\right]\end{array}$$ where $\rho$ is the internal randomness of the verifier.

In this (common) definition of zero-knowledge the verifier is expected to act "honestly" and send challenges that correspond only with their internal randomness; they cannot adaptively respond to the prover based on the prover's messages. We use a strengthened form of this definition that forces the simulator to output a transcript with the same (adversarially provided) challenges that the verifier algorithm sends to the prover.

Protocol

Let $\omega \in \mathbb{F}$ be a $n=2^k$ primitive root of unity forming the domain $D=({\omega }^0,{\omega }^1,...,{\omega }^{n-1})$ with $t(X)=X^n-1$ the vanishing polynomial over this domain. Let $k,n_g,n_a$ be positive integers. We present an interactive argument $\text{Halo}=(\text{Setup},\mathcal{P},\mathcal{V})$ for the relation $$\mathcal{R}=\left\{\begin{array}{ll}& \left(\begin{array}{l}\left(g(X,C_0,C_1,...,C_{n_a-1})\right);\\ \left(a_0(X),a_1(X,C_0),...,a_{n_a-1}(X,C_0,C_1,...,C_{n_a-1})\right)\end{array}\right):\\ & \\ & g({\omega }^i,C_0,C_1,...,C_{n_a-1})=0\forall i\in [0,2^k)\end{array}\right\}$$ where $a_0,a_1,...,a_{n_a-1}$ are (multivariate) polynomials with degree $n-1$ in $X$ and $g$ has degree $n_g(n-1)$ in $X$.

$\text{Setup}(\lambda )$ returns $\mathsf{pp}=(\mathbb{G},\mathbb{F},\mathbf{G}\in {\mathbb{G}}^n,U,W\in \mathbb{G})$.

For all $i\in [0,n_a)$:

• Let ${\mathbf{p}}_{\mathbf{i}}$ be the exhaustive set of integers $j$ (modulo $n$) such that $a_i({\omega }^{j}X,\cdots )$ appears as a term in $g(X,\cdots )$.
• Let $\mathbf{q}$ be a list of distinct sets of integers containing ${\mathbf{p}}_{\mathbf{i}}$ and the set ${\mathbf{q}}_0=\{0\}$.
• Let $\sigma (i)={\mathbf{q}}_j$ when ${\mathbf{q}}_j={\mathbf{p}}_{\mathbf{i}}$.

Let $n_q$ denote the size of $\mathbf{q}$, and let $n_e$ denote the size of every ${\mathbf{p}}_{\mathbf{i}}$ without loss of generality.

In the following protocol, we take it for granted that each polynomial $a_i(X,\cdots )$ is defined such that $n_e+1$ blinding factors are freshly sampled by the prover and are each present as an evaluation of $a_i(X,\cdots )$ over the domain $D$.

1. $\mathcal{P}$ and $\mathcal{V}$ proceed in the following $n_a$ rounds of interaction, where in round $j$ (starting at $0$)

• $\mathcal{P}$ sets $a_j^{\prime }(X)=a_j(X,c_0,c_1,...,c_{j-1})$
• $\mathcal{P}$ sends a hiding commitment $A_j=⟨{\mathbf{a}}^{\prime },\mathbf{G}⟩+[\cdot ]W$ where ${\mathbf{a}}^{\prime }$ are the coefficients of the univariate polynomial $a_j^{\prime }(X)$ and $\cdot$ is some random, independently sampled blinding factor elided for exposition.
• $\mathcal{V}$ responds with a challenge $c_j$.

2. $\mathcal{P}$ and $\mathcal{V}$ set $g^{\prime }(X)=g(X,c_0,c_1,...,c_{n_a-1})$.
3. $\mathcal{P}$ sends a commitment $R=⟨\mathbf{r},\mathbf{G}⟩+[\cdot ]W$ where $\mathbf{r}\in {\mathbb{F}}^n$ are the coefficients of a randomly sampled univariate polynomial $r(X)$ of degree $n-1$.
4. $\mathcal{P}$ computes univariate polynomial $h(X)=\frac{g^{\prime }(X)}{t(X)}$ of degree $n_g(n-1)-n$.
5. $\mathcal{P}$ computes at most $n-1$ degree polynomials $h_0(X),h_1(X),...,h_{n_g-2}(X)$ such that $h(X)=\sum _{i=0}^{n_g-2}{X}^{ni}{h}_i(X)$.
6. $\mathcal{P}$ sends commitments $H_i=⟨{\mathbf{h}}_{\mathbf{i}},\mathbf{G}⟩+[\cdot ]W$ for all $i$ where ${\mathbf{h}}_{\mathbf{i}}$ denotes the vector of coefficients for $h_i(X)$.
7. $\mathcal{V}$ responds with challenge $x$ and computes $H^{\prime }=\sum _{i=0}^{n_g-2}[x^{ni}]H_i$.
8. $\mathcal{P}$ sets $h^{\prime }(X)=\sum _{i=0}^{n_g-2}{x}^{ni}{h}_i(X)$.
9. $\mathcal{P}$ sends $r=r(x)$ and for all $i\in [0,n_a)$ sends ${\mathbf{a}}_{\mathbf{i}}$ such that $({\mathbf{a}}_{\mathbf{i}}{)}_j=a_i^{\prime }({\omega }^{({\mathbf{p}}_{\mathbf{i}}{)}_j}x)$ for all $j\in [0,n_e]$.
10. For all $i\in [0,n_a)$ $\mathcal{P}$ and $\mathcal{V}$ set $s_i(X)$ to be the lowest degree univariate polynomial defined such that $s_i({\omega }^{({\mathbf{p}}_{\mathbf{i}}{)}_j}x)=({\mathbf{a}}_{\mathbf{i}}{)}_j$ for all $j\in [0,n_e)$.
11. $\mathcal{V}$ responds with challenges $x_1,x_2$ and initializes $Q_0,Q_1,...,Q_{n_q-1}=\mathcal{O}$.

• Starting at $i=0$ and ending at $n_a-1$ $\mathcal{V}$ sets $Q_{\sigma (i)}:=[x_1]Q_{\sigma (i)}+A_i$.
• $\mathcal{V}$ finally sets $Q_0:=[x_1^2]Q_i+[x_1]H^{\prime }+R$.

12. $\mathcal{P}$ initializes $q_0(X),q_1(X),...,q_{n_q-1}(X)=0$.

• Starting at $i=0$ and ending at $n_a-1$ $\mathcal{P}$ sets $q_{\sigma (i)}:=x_1{q}_{\sigma (i)}+a^{\prime }(X)$.
• $\mathcal{P}$ finally sets $q_0(X):=x_1^2{q}_0(X)+x_1{h}^{\prime }(X)+r(X)$.

13. $\mathcal{P}$ and $\mathcal{V}$ initialize $r_0(X),r_1(X),...,r_{n_q-1}(X)=0$.

• Starting at $i=0$ and ending at $n_a-1$ $\mathcal{P}$ and $\mathcal{V}$ set $r_{\sigma (i)}(X):=x_1{r}_{\sigma (i)}(X)+s_i(X)$.
• Finally $\mathcal{P}$ and $\mathcal{V}$ set $r_0:=x_1^2{r}_0+x_{1}h+r$ and where $h$ is computed by $\mathcal{V}$ as $\frac{g^{\prime }(x)}{t(x)}$ using the values $r,\mathbf{a}$ provided by $\mathcal{P}$.

14. $\mathcal{P}$ sends $Q^{\prime }=⟨{\mathbf{q}}^{\prime },\mathbf{G}⟩+[\cdot ]W$ where ${\mathbf{q}}^{\prime }$ defines the coefficients of the polynomial $$q^{\prime }(X)=\sum _{i=0}^{n_q-1}{x}_2^i\left(\frac{q_i(X)-r_i(X)}{\prod _{j=0}^{n_e-1}\left(X-{\omega }^{{\left({\mathbf{q}}_{\mathbf{i}}\right)}_j}x\right)}\right)$$
15. $\mathcal{V}$ responds with challenge $x_3$.
16. $\mathcal{P}$ sends $\mathbf{u}\in {\mathbb{F}}^{n_q}$ such that ${\mathbf{u}}_i=q_i(x_3)$ for all $i\in [0,n_q)$.
17. $\mathcal{V}$ responds with challenge $x_4$.
18. $\mathcal{P}$ and $\mathcal{V}$ set $P=Q^{\prime }+x_4\sum _{i=0}^{n_q-1}[x_4^i]Q_i$ and $v=$ $$\sum _{i=0}^{n_q-1}\left(x_2^i\left(\frac{{\mathbf{u}}_i-r_i(x_3)}{\prod _{j=0}^{n_e-1}\left(x_3-{\omega }^{{\left({\mathbf{q}}_{\mathbf{i}}\right)}_j}x\right)}\right)\right)+x_4\sum _{i=0}^{n_q-1}{x}_4{\mathbf{u}}_i$$
19. $\mathcal{P}$ sets $p(X)=q^{\prime }(X)+[x_4]\sum _{i=0}^{n_q-1}{x}_4^i{q}_i(X)$.
20. $\mathcal{P}$ samples a random polynomial $s(X)$ of degree $n-1$ with a root at $x_3$ and sends a commitment $S=⟨\mathbf{s},\mathbf{G}⟩+[\cdot ]W$ where $\mathbf{s}$ defines the coefficients of $s(X)$.
21. $\mathcal{V}$ responds with challenges $\xi ,z$.
22. $\mathcal{P}$ and $\mathcal{V}$ set $P^{\prime }=P-[v]{\mathbf{G}}_0+[\xi ]S$.
23. $\mathcal{P}$ sets $p^{\prime }(X)=p(X)-v+\xi s(X)$.
24. Initialize ${\mathbf{p}}^{\prime }$ as the coefficients of $p^{\prime }(X)$ and ${\mathbf{G}}^{\prime }=\mathbf{G}$ and $\mathbf{b}=(x_3^0,x_3^1,...,x_3^{n-1})$. $\mathcal{P}$ and $\mathcal{V}$ will interact in the following $k$ rounds, where in the $j$th round starting in round $j=0$ and ending in round $j=k-1$:

• $\mathcal{P}$ sends $L_j=⟨{{\mathbf{p}}^{\prime }}_{\text{hi}},{{\mathbf{G}}^{\prime }}_{\text{lo}}⟩+[z⟨{{\mathbf{p}}^{\prime }}_{\text{hi}},{\mathbf{b}}_{\text{lo}}⟩]U+[\cdot ]W$ and $R_j=⟨{{\mathbf{p}}^{\prime }}_{\text{lo}},{{\mathbf{G}}^{\prime }}_{\text{hi}}⟩+[z⟨{{\mathbf{p}}^{\prime }}_{\text{lo}},{\mathbf{b}}_{\text{hi}}⟩]U+[\cdot ]W$.
• $\mathcal{V}$ responds with challenge $u_j$.
• $\mathcal{P}$ and $\mathcal{V}$ set ${\mathbf{G}}^{\prime }:={{\mathbf{G}}^{\prime }}_{\text{lo}}+u_j{{\mathbf{G}}^{\prime }}_{\text{hi}}$ and $\mathbf{b}={\mathbf{b}}_{\text{lo}}+u_j{\mathbf{b}}_{\text{hi}}$.
• $\mathcal{P}$ sets ${\mathbf{p}}^{\prime }:={{\mathbf{p}}^{\prime }}_{\text{lo}}+u_j^{-1}{{\mathbf{p}}^{\prime }}_{\text{hi}}$.

25. $\mathcal{P}$ sends $c={{\mathbf{p}}^{\prime }}_0$ and synthetic blinding factor $f$.
26. $\mathcal{V}$ accepts only if ${\sum }_{j=0}^{k-1}[u_j^{-1}]L_j+P^{\prime }+{\sum }_{j=0}^{k-1}[u_j]R_j=[c]{{\mathbf{G}}^{\prime }}_0+[c{\mathbf{b}}_{0}z]U+[f]W$.