4-1- PFR Verify
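$Verify(\mathbb{F}, \mathbb{H}, \mathbb{K}, com_{PFR}, \pi_{PFR})$: This function outputs 1 if the following equations are satisfied.
1) $h(\gamma^{p_i}) = a_i$ for $i \in \{1, 2, \dots, v\}$, where $\pi_{PFR}^{1} = h(x)$.
2) $M(\beta_2) - q_2(\beta_2) Z_{\mathbb{K}}(\beta_2) = 0$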
4-2- AHP Verify
$Verify(\mathbb{F}, \mathbb{H}, \mathbb{K}, Com_{AHP}, \Pi_{AHP}, X, Y)$: This function outputs 1 if
1- The following four equations hold for a random value $\beta_3 \in \mathbb{F}$ chosen by the Verifier.
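$$h_3(\beta_3)\, v_{\mathbb{K}}(\beta_3) = a(\beta_3) - b(\beta_3)\left(\beta_3\, g_3(\beta_3) + \frac{\sigma_3}{|\mathbb{K}|}\right) \qquad (1)$$
$$r(\alpha, \beta_2)\, \sigma_3 = h_2(\beta_2)\, v_{\mathbb{H}}(\beta_2) + \beta_2\, g_2(\beta_2) + \frac{\sigma_2}{|\mathbb{H}|} \qquad (2)$$
$$s(\beta_1) + r(\alpha, \beta_1)\left(\sum_{M \in \{A,B,C\}} \eta_M\, \hat{z}_M(\beta_1)\right) - \sigma_2\, \hat{z}(\beta_1) = h_1(\beta_1)\, v_{\mathbb{H}}(\beta_1) + \beta_1\, g_1(\beta_1) + \frac{\sigma_1}{|\mathbb{H}|} \qquad (3)$$
$$\hat{z}_A(\beta_1)\, \hat{z}_B(\beta_1) - \hat{z}_C(\beta_1) = h_0(\beta_1)\, v_{\mathbb{H}}(\beta_1) \qquad (4)$$
where
$$a(x) = \sum_{M \in \{A,B,C\}} \eta_M\, v_{\mathbb{H}}(\beta_2)\, v_{\mathbb{H}}(\beta_1)\, \widehat{val}_{M'}(x) \prod_{N \in \{A,B,C\} \setminus \{M\}} \left(\beta_2 - \widehat{row}_{N'}(x)\right)\left(\beta_1 - \widehat{col}_{N'}(x)\right)$$
and
$$b(x) = \prod_{M \in \{A,B,C\}} \left(\beta_2 - \widehat{row}_{M'}(x)\right)\left(\beta_1 - \widehat{col}_{M'}(x)\right).$$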
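2- The result output by the following steps is 1.
2-1- The Verifier chooses random values $\eta_{\hat{w}}$, $\eta_{\hat{z}_A}$, $\eta_{\hat{z}_B}$, $\eta_{\hat{z}_C}$, $\eta_{\hat{z}}$, $\eta_{h_0}$, $\eta_s$, $\eta_{g_1}$, $\eta_{h_1}$, $\eta_{g_2}$, $\eta_{h_2}$, $\eta_{g_3}$ and $\eta_{h_3}$ from $\mathbb{F}$. The Verifier can choose them as follows:
$\eta_{\hat{w}} = hash(s(10))$, $\eta_{\hat{z}_A} = hash(s(11))$, $\eta_{\hat{z}_B} = hash(s(12))$, $\eta_{\hat{z}_C} = hash(s(13))$, $\eta_{h_0} = hash(s(14))$, $\eta_s = hash(s(15))$, $\eta_{g_1} = hash(s(16))$, $\eta_{h_1} = hash(s(17))$, $\eta_{g_2} = hash(s(18))$, $\eta_{h_2} = hash(s(19))$, $\eta_{g_3} = hash(s(20))$, $\eta_{h_3} = hash(s(21))$.
2-2- The Verifier derives the commitment to $p(x)$, $Com_p$, using the homomorphism of the polynomial commitment scheme.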
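For example, if the KZG polynomial commitment scheme is used, then
$$Com_p = \eta_{\hat{w}} Com_{AHP_X}^{2} + \eta_{\hat{z}_A} Com_{AHP_X}^{3} + \eta_{\hat{z}_B} Com_{AHP_X}^{4} + \eta_{\hat{z}_C} Com_{AHP_X}^{5} + \eta_{h_0} Com_{AHP_X}^{6} + \eta_s Com_{AHP_X}^{7} + \eta_{g_1} Com_{AHP_X}^{8} + \eta_{h_1} Com_{AHP_X}^{9} + \eta_{g_2} Com_{AHP_X}^{10} + \eta_{h_2} Com_{AHP_X}^{11} + \eta_{g_3} Com_{AHP_X}^{12} + \eta_{h_3} Com_{AHP_X}^{13}$$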
2-3- The Verifier chooses a random $x' \in \mathbb{F}$ and queries $p(x')$. The Verifier can also select it as $x' = hash(s(22))$.
2-4- The Verifier computes $result = PC.Check(vk, Com_p, x', y' = \pi_{AHP}^{16}, \pi_{AHP}^{17})$.
For example, if the KZG polynomial commitment scheme is used, then the following equation is checked:
$$e(Com_p - g\,y',\ g) = e(\pi_{AHP}^{17},\ vk - g\,x')$$
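Steps 2-1 to 2-4 as an added example (not part of the original specification or the project's code): a toy KZG over the additive group $\mathbb{Z}_Q$ in which the pairing is replaced by multiplication mod $Q$, so the batching and the check equation can be run without a curve library. The modulus, trapdoor, sample polynomials, SHA-256 as `hash`, and the helper names are all assumptions; both sides are handed $s(x)$ only to reproduce the page's $hash(s(\cdot))$ challenge derivation, and the construction has no security.

```python
import hashlib

Q = 2**61 - 1          # toy prime field (constructed); real KZG uses a pairing-friendly curve
G, TAU = 1, 987654321  # additive generator and trapdoor; TAU is visible only in this toy
VK = G * TAU % Q       # verifier key g*tau

def ev(f, x):
    """Evaluate f (coefficients low to high) at x by Horner's rule."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % Q
    return acc

def commit(f):
    return G * ev(f, TAU) % Q            # KZG commitment g*f(tau)

def pairing(a, b):
    return a * b % Q                     # bilinear stand-in for e(.,.), no security

def fs(s_poly, i):
    """Challenge hash(s(i)); SHA-256 reduced mod Q is an assumption."""
    d = hashlib.sha256(str(ev(s_poly, i)).encode()).digest()
    return int.from_bytes(d, "big") % Q

def prove(polys, s_poly):
    """Prover: open p = sum eta_i * f_i at x', return (y', witness commitment)."""
    etas = [fs(s_poly, 10 + i) for i in range(len(polys))]
    n = max(len(f) for f in polys)
    p = [sum(e * f[k] for e, f in zip(etas, polys) if k < len(f)) % Q for k in range(n)]
    x = fs(s_poly, 22)
    quot, carry = [], 0
    for c in reversed(p):                # synthetic division of p by (X - x')
        carry = (carry * x + c) % Q
        quot.append(carry)
    y = quot.pop()                       # remainder equals p(x')
    return y, commit(quot[::-1])

def verify(coms, s_poly, y, proof):
    etas = [fs(s_poly, 10 + i) for i in range(len(coms))]        # step 2-1
    com_p = sum(e * c for e, c in zip(etas, coms)) % Q           # step 2-2
    x = fs(s_poly, 22)                                           # step 2-3
    lhs = pairing((com_p - G * y) % Q, G)                        # step 2-4
    return lhs == pairing(proof, (VK - G * x) % Q)

POLYS = [[3, 1, 4], [1, 5, 9, 2], [6, 5]]   # constructed sample polynomials
S_POLY = [2, 7, 1, 8]                       # constructed stand-in for s(x)
COMS = [commit(f) for f in POLYS]
Y, PROOF = prove(POLYS, S_POLY)
```

The check passes only when $y'$ is the true evaluation of the combined polynomial; changing $y'$, the witness, or any single commitment shifts one side of the equation and the Verifier outputs 0.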
4-4- Example 2