Cryptobazaar: Private Sealed-bid Auctions at Scale

Andrija Novakovic Alireza Kavousi Kobi Gurkan

Geometry Research University College London Geometry Research
[email protected] [email protected] [email protected]
Philipp Jovanovic
University College London
[email protected]

Abstract vent disclosure of their bid preferences [36] which is partic-

This work introduces Cryptobazaar, a novel scalable, private, ularly crucial to ensure fairness in iterative auctions, as any
and decentralized sealed-bid auction protocol. In particular, leakage may allow bidders to adapt their strategies in sub-
our protocol protects the privacy of losing bidders by pre- sequent runs [1, 22, 31]; (2) verifiability to ensure that third
serving the confidentiality of their bids while ensuring public parties (auditors) can verify the outcome and penalize misbe-
verifiability of the outcome and relying only on a single un- having participants [31]; (3) trust minimization to mitigate the
trusted auctioneer for coordination. At its core, Cryptobazaar influence that a potentially malicious auctioneer could have
combines an efficient distributed protocol to compute the on the auction’s outcome [50]; and (4) scalability to ensure
logical-OR for a list of unary-encoded bids with various novel that the auction protocol can meet the requirements of the
zero-knowledge succinct arguments of knowledge that may application (in terms of the number of bidders or price ranges)
be of independent interest. We further present variants of our in which it is used and not be a performance bottleneck (in
protocol that can be used for efficient first-, second-, and more terms of computational and communication overheads) [36].
generally (p + 1)st-price as well as sequential first-price auc- There have been many attempts to design sealed-bid auc-
tions. Finally, the performance evaluation of our Cryptobazaar tion systems with the above properties but they usually fall
implementation shows that it is highly practical. For example, short in one way or another: In the commonly used commit-
a single run of an auction with 128 bidders and a price range reveal approach, bidders first commit to their bids and open
of 1024 values terminates in less than 0.5 sec and requires them later after all bids have been submitted [51]. This ap-
each bidder to send and receive only about 32 KB of data. proach has incentive misalignments though given that bids
may be selectively revealed and it is usually difficult to protect
1 Introduction the privacy of losing bidders. There have been recent attempts
to address the incentive problem through time-based cryp-
An auction is a sales process in which potential buyers aim to tography [27, 48, 56] but none have managed to address the
acquire goods or services by placing competitive bids. Auc- privacy issue as well so far. Other approaches rely on heavy
tions thus facilitate transactions by enforcing a specific set cryptographic machinery such as generic secure multi-party
of rules regarding the resource allocation of a group of bid- computation (MPC) [8] or fully homomorphic encryption
ders. An auctioneer usually coordinates an auction process (FHE) [32] to address the privacy challenges which, however,
and may also be a seller of goods or services. There are vari- severely impacts scalability making these protocols not prac-
ous different types of auctions with the four main ones being tically useful or restricting them to small scale settings. In a
first-price sealed-bid, second-price sealed-bid (Vickrey), as- recent attempt, Addax [57] achieves both privacy and scala-
cending open-bid (English), and descending open-bid (Dutch). bility but only under a weakened threat model that requires
Throughout history auctions have been used for countless dif- non-colluding assumption among (two or more) auctioneers.
ferent purposes. They also play a crucial role in many digital In this work, we propose Cryptobazaar, a novel private
systems such as for selling and buying of advertisements [54], auction protocol which improves over the state-of-the-art by
for allocating block space and determining the transaction or- addressing the previously identified challenges. In particular,
der to mitigate maximal extractable value (MEV) in cryptocur- Cryptobazaar provides (1) privacy for (losing) bidders/bids
rencies [22, 46], or for renting out hardware to run large-scale by only revealing the the winning bid and the sale price; (2)
computations or to store data [36], and more. verifiability to ensure that all protocol steps can be publicly
A digital auction system should provide various essential verified by anyone (e.g., auditors) to flag any misbehavior;
properties, including: (1) privacy for (losing) bidders to pre- (3) trust minimization to support auction execution in peer-to-

1
peer mode while also allowing a single untrusted auctioneer The remainder of the paper is organized as follows: Sec-
as coordinator for additional efficiency; (4) scalability to sup- tion 2 provides the required background, Section 3 introduces
port a large number of bidders and price ranges while having Cryptobazaar and the protocol details, Section 4 discusses
low overheads in terms of computation and bandwidth con- the zero-knowledge proof techniques that we developed, Sec-
sumption for bidders and auctioneer; and (5) versatility to tion 5 provides various extensions of Cryptobazaar, Section 6
support first-, second-, and more general (p + 1)-price auc- presents the evaluation results for our implementation, and
tions (i.e., uniform auction) as well as an iterative mode with Section 7 gives an overview on related work.
only a slight adjustment of the main protocol.
Technical overview. In Cryptobazaar we encode bids as
unary vectors enabling us to determine the results of an 2 Background
auction run in a privacy-preserving yet scalable way via a
distributed Boolean-OR over all bids using the anonymous
veto protocol [30]. To ensure the well-formedness of the 2.1 Notation
submitted values while maintaining privacy, we design and $
use various new efficient zero-knowledge proofs. These We write x ← S to denote uniform sampling of element x
include, for example, arguments for proving correctness of from finite set S and [n] for the set of integers {1, . . . , n}.
unary encodings which could be also useful for other appli- We denote by G a cyclic group of prime order p and by F
cations like voting. We further show how to link Pederson a finite (scalar) field. We write group operations additively.
commitments to univariate sumcheck and how to replace We indicate group elements by uppercase letters G ∈ G, and
an inner-product argument with a univariate sumcheck to scalars by lowercase letters a ∈ F. Given a scalar a ∈ F and
improve prover efficiency. These newly developed techniques group element G ∈ G, we denote scalar multiplication by
on inner-product arguments [9, 13], log-derivatives [29], a · G ∈ G. We express vectors of elements in boldface, e.g.,
and univariate sumcheck [6] may be of independent interest. a = (a1 , . . . , an ) ∈ Fn . We denote the inner product of two
We break possible ties via public randomness [34] and vectors a , b ∈ Fn as ⟨aa, b ⟩ = ∑ni=1 ai bi and the entry-wise
efficient zero-knowledge set membership proofs preserving multiplication of two vectors as a ◦ b = (a1 · b1 , . . . , an · bn ).
the privacy of the winner. Moreover, we show how to To denote the scalar multiplication of scalar a ∈ F with every
extend the base version of Cryptobazaar to second- and element of a vector of group elements G ∈ Gn , we write a ·
more generally (p + 1)st-price auctions efficiently without G = (a · G1 , . . . , a · Gn ). Given 1 ≤ l ≤ n and vector a ∈ Fn ,
re-running the protocol which is a common practice for a we denote the slice of the first l elements of a by a [:l] =
private Vickery auction [39]. Finally, we propose a variant to (a1 , . . . , al ) ∈ Fl and the slice of the last n − l elements of a
run secure iterative auctions using setup re-randomization by a [l:] = (al+1 , . . . , an ) ∈ Fn−l . A non-empty subset H ⊆ F
techniques, making Cryptobazaar particularly appealing for is said to be a multiplicative subgroup of field F if H is closed
practical use cases. As a concrete application, Cryptobazaar under multiplication and inverses. Given a non-empty subset
could be an alternative for the auction protocol used in the H ⊆ F we denote by zH (X) = ∏w∈H (X − w) the vanishing
Ethereum block building process [22] demanding the auction polynomial of H. Capitalized bold font A ∈ Fn×m denotes
to terminate in a fraction of its 12-second block time window. a matrix, with n rows and m columns. Blinding factors are
denoted by Greek letters. We denote the security parameter
In summary, we make the following contributions: by λ ∈ N and implicitly assume for a given n that n = poly(λ).
• We propose Cryptobazaar, a scalable private sealed-bid auc-
tion protocol that supports first- and second-price auctions
and relies only on a untrusted auctioneer for coordination.
2.2 Bilinear Groups
• We co-design various novel (public coin) zero-knowledge
succinct arguments of knowledge to ensure the well- Let G1 and G2 be two cyclic groups of prime order p with
formedness of the different protocol steps. generators G and H, respectively. Let e : G1 × G2 → GT be a
• We present two extensions to Cryptobazaar showing how bilinear map with the following properties.
to support (p + 1)-price auctions and iterative auctions effi-
ciently without having to re-run the full protocol. • Bilinearity. For all U ∈ G1 and V ∈ G2 and a, b ∈ F, we
have e(aU, bV ) = e(U,V )ab .
• We demonstrate the practicality of our system by evaluating
an open-source implementation of Cryptobazaar in Rust. • Non-degeneracy. It holds that e(G, H) ̸= 1.
Concretely, a run of the auction with 128 bidders and a price We call (G1 , G2 , GT , p, G, H, e) a bilinear group if e is effi-
range of 1024 values terminates in less than 0.5 seconds ciently computable. For ease of notation, we define [x]1 =
and requires each bidder to communicate only about 32 KB xG ∈ G1 , and [x]2 = xH ∈ G2 . We sometimes also write [1]1
of data. and [1]2 for the generators G of G1 and H of G2 , respectively.

2
2.3 Commitment Schemes In our protocols we use the popular KZG PCS [33]:
A commitment scheme allows a sender to commit to a secret • SP ← KZG.Setup(1λ , d): Outputs a bilinear pairing group
value and open it later in a verifiable way such that a receiver (G1 , G2 , GT , p, G, H, e), and system parameters SP =
can check whether the revealed value is consistent with the [τi ]1 = (G, τG, . . . , τd G) for trapdoor τ ∈ F which is gen-
committed one. A commitment scheme has two main secu- erated by a (distributed) trusted authority.
rity properties, namely (1) binding, meaning that the com- • C ← KZG.Commit(SP, φ(·)): Outputs the commitment
mitment cannot be opened to two different values, and (2) C = [φ(τ)]1 = ∑di=0 φi [τi ]1 .
hiding, meaning that the commitment should not reveal any • (π, φ(w)) ← KZG.Open(SP, φ(·), w): Computes the quo-
information about the committed secret value. The Peder- tient polynomial q(X) = (φ(X) − φ(w)) · (X − w)−1 and
sen commitment scheme [42] is an example of a widely-used outputs evaluation φ(w) and proof π = [q(τ)]1 .
commitment scheme that is perfectly hiding and computa-
• 1/0 ← KZG.Verify(SP,C, w, φ(w), π): Outputs 1 if
tionally binding in which a sender can commit to a secret
e(π, [τ − w]2 ) = e(C − [φ(w)]1 , [1]2 ) holds and 0 otherwise.
value x ∈ F using generators G, H ∈ G and randomness r ∈ F
via C = xG + rH ∈ G. Vector commitments [14] are an ex- The basic version of KZG is not hiding since it is determin-
tension allowing a sender to commit to a set of values and istic. However, in some situations having hiding is desirable.
open them individually later on with two popular examples This means that no PPT adversary should learn anything about
being Merkle trees and Pedersen vector commitments. Finally, an unqueried evaluation point w′ given information of up to d
a polynomial commitment scheme (PCS) [33] is a variant of a evaluations. By masking commitment and proof with random-
vector commitment scheme that enables the sender to commit izers, one can turn KZG into blinded KZG [55] and achieve
to a polynomial such that the receiver can confirm claimed hiding. KZG requires a setup phase to compute system param-
evaluations of the committed polynomial later. In more detail: eters SP that include a trapdoor τ. To ensure that no individual
party knows τ, which would enable them to undermine the
Definition 1 (Polynomial Commitment Scheme (PCS)). A
security of KZG, one can use a distributed protocol to com-
polynomial commitment scheme PCS is defined by the fol-
pute SP ensuring security as long as there is a single honest
lowing algorithms:
contribution [40]. Alternatively, one could use a PCS that
• SP ← PCS.Setup(1λ , d): Takes as input a security parame- does not require a trusted setup at the cost of a performance
ter λ and an integer d, and outputs system parameters SP trade-off [5].
to commit to a polynomial of degree ≤ d.
• C ← PCS.Commit(SP, φ(·)): Takes as input the system
parameters SP and a polynomial φ(·), and outputs a com-
mitment C to φ(·). 2.4 Anonymous Veto
• (π, φ(w)) ← PCS.Open(SP, φ(·), w): Takes as input the
system parameters SP, the polynomial φ(·), and a point In Cryptobazaar we use the anonymous veto (AV) proto-
w, and outputs the polynomial evaluation φ(w) and an eval- col [30] as one of the main building blocks. AV is an efficient
uation proof π. two-round protocol for computing the logical-OR function
• 1/0 ← PCS.Verify(SP,C, w, φ(w), π): Takes as input the over a set of input bits without revealing any information
system parameter SP, the commitment C, a point w, the about the individual ones. AV is run over a cyclic group G
evaluation φ(w), and the proof π, and verifies that φ(w) is of prime order p with a generator G in which the Decision
indeed the evaluation of polynomial φ at value w in com- Diffie-Hellman (DDH) problem is hard. The AV protocol
mitment C using proof π. works as follows:
A PCS furthermore satisfies the following security properties:
• Each party i samples a random value xi ∈ F, and broad-
• Correctness. Given C ← PCS.Commit(SP, φ(·)) casts xi G. After seeing messages from all other parties, i
and (π, φ(w)) ← PCS.Open(SP, φ(·), w), then computes Yi = ∑i−1 n
j=1 x j G − ∑ j=i+1 x j G.
PCS.Verify(SP,C, w, φ(w), π) = 1 with probability 1.
• After obtaining Yi , each party i computes a value Ri as either
• Polynomial Binding. An adversary should not be able to Ri = riYi if they veto or Ri = xiYi if they do not veto where
produce two different polynomials φ(·) and φ′ (·) such that $
PCS.Commit(SP, φ(·)) = PCS.Commit(SP, φ′ (·)), except ri ← F, and sends Ri to all of the other participants.
with negligible probability. The output of the AV protocol is obtained by having each party
• Evaluation Binding. An adversary should not be compute R = ∑ni=1 Ri . If no one vetoes then R = 0, otherwise
able to produce values {C, (w, φ(w), π), (w, φ′ (w), π′ )} if at least one party vetoes then R ̸= 0. This follows from
with PCS.Verify(SP,C, w, φ(w), π) = 1, the definition of Yi that implies ∑i xiYi = 0 (see Proposition
PCS.Verify(SP,C, w, φ′ (w), π′ ) = 1, and φ(w) ̸= φ′ (w), 1, [30]). To illustrate this equality more intuitively, let X be
except with negligible probability. the vector of elements obtained after the first AV round, i.e.,

3
X i = xi G, then we define matrix M as Note that all our arguments throughout the paper will be pub-
  lic coin and thus can be made non-interactive. We prove
0 −1 −1 · · · −1 the security of our arguments in the Algebraic Group Model
1 0 −1 · · · −1
  (AGM) [25]. There are different ways to build zkSNARKs
.. .. .. 
concretely. We follow the approach in PLONK [26] by taking

M= 1 1 . . .
. 
. . . polynomial interactive oracle proofs (IOP) [7], combining it
 .. .. .. 0

−1 with a polynomial commitment scheme to obtain succinct in-
1 1 ··· 1 0 teractive arguments, and applying the Fiat-Shamir transform
to make it non-interactive. Below we recall the basics for
Now it holds ⟨X, M · X T ⟩ = 0. The AV protocol preserves the some of the techniques that we use in our zkSNARKs.
privacy of a participating party as long as not all the other
parties collude. The security of this scheme stems from the
inability of an attacker to distinguish between riYi and xiYi 2.5.1 Inner-product Arguments (IPA)
under the DDH assumption. Later we show how the structure An inner-product argument [9] is an efficient argument system
of M can be used to efficiently delegate the computation of Yi for the following relation:
for i ∈ [n] to a single untrusted party.
P = ⟨aa, G ⟩ + ⟨bb, H ⟩,
G, H ∈ Gn , P ∈ G, c ∈ F p ; a , b ∈ Fnp ) :
R = {(G
2.5 Zero-knowledge Argument of Knowledge c = ⟨aa, b ⟩}

In Cryptobazaar we deploy zero-knowledge succinct non- An IPA convinces the verifier that the prover knows the
interactive arguments of knowledge (zkSNARKs) [41] to en- openings of two Pedersen vector commitments satisfying a
force honest behavior of the parties and ensure public verifia- given inner product relation. Bunz et al. [12] proposed an
bility. These are defined as follows: improved IPA where the inner-product value c is hidden as
part of the vector commitment P and with logarithmic proof
Definition 2 (Argument System). A (non-interactive) argu- size in the vector dimension n. IPA can be generalized to
ment system for an efficiently decidable binary relation R capture other types of inner products, including ones that
for an NP language LR is a tuple of probabilistic polynomial work with bilinear pairings [13].
algorithms AS = (Setup, Prove, Verify, Simulate) such that:
• (crs, td) ← AS.Setup(1λ , R ): The setup algorithm takes as
2.5.2 Univariate Sumcheck Protocol
input a security parameter λ and a relation R and outputs a
common reference string crs and a trapdoor td. The univariate sumcheck protocol [6] relates the sum of any
• π ← AS.Prove(crs, u, w): The prover algorithm takes as (low-degree) polynomial over a multiplicative subgroup H of
input the crs, a statement u and a witness w and outputs an field F to the polynomial’s evaluation at a single point. The
argument π. following lemma offers a polynomial IOP that we use for
• 0/1 ← AS.Verify(crs, u, π): The verifier algorithm takes as constructing some of our arguments.
input the crs, a statement u, and an argument π and outputs
Lemma 1 (Univariate Sumcheck for Subgroups). Given a
1 (accept) if the proof was accepted and 0 otherwise.
multiplicative subgroup H of field F, a polynomial f (X) sums
• π ← AS.Simulate(crs, td, u): The simulator takes as input to σ over H if and only if f (X) can be written as Xg(X) +
the crs, a simulation trapdoor td, and a statement u and h(X)zH (X) + σ/|H|.
outputs an argument π.
Interactive argument systems exploit the following basic
For an argument system to be a zkSNARK, we require
property of polynomials, which is commonly known as the
certain security properties to protect the prover from witness
Schwartz-Zippel lemma [58].
leakage and the verifier from a forged proof. Informally, an
argument system should have completeness, where an honest Lemma 2 (Schwartz-Zippel). Let F be any field, and let
prover always convinces the verifier about a true statement. It g : Fm → F be a nonzero polynomial of total degree at most d.
also requires knowledge soundness demanding the prover to Then, on any finite set S ⊆ F and for any x ← Sm , Pr[g(xx) =
indeed know the witness whenever it generates a valid proof. d
0] ≤ |S| .
Lastly, an argument system should be zero-knowledge and
does not leak any information besides the truth of the state- An implication of the Schwartz-Zippel lemma is that for
ment. We provide the formal definitions in Appendix A.1. any two distinct (univariate) polynomials φ1 and φ2 of to-
An argument system is public coin if all the messages sent tal degree at most d over F, they agree (i.e., φ1 (x) = φ2 (x))
form the verifier have uniform distribution and are indepen- mostly at d/|F| fraction of inputs. So, one could verify that a
dent from the ones received from the prover. This then allows polynomial relation holds with overwhelming probability by
to make the protocol non-interactive using Fiat-Shamir [21]. evaluating it at a random point.

4
2.5.3 Logarithmic Derivatives 3.2 Design Goals
As in basic calculus, the logarithmic derivative of a polyno- We aim to achieve the following goals in designing Crypto-
mial φ(X) over a field F is defined as φ′ (X) · φ(X)−1 . Fur- bazaar:
ther, the logarithmic derivative of a product function φ(X) = • Privacy: The protocol only discloses the (second) highest
∏ni=1 (X + zi ), where zi ∈ F, is equal to the sum of its recip- bid and protects the privacy of (losing) bidders.
rocals, i.e., φ′ (X) · φ(X)−1 = ∑ni=1 (X + zi )−1 . Further if two • Verifiability: If any participant misbehaves during the pro-
normalized polynomials have the same logarithmic derivative, tocol execution, verification fails and the cheating party is
they are equal, as stated by the following lemma [29]. detected with overwhelming probability. All protocol steps
are publicly verifiable and auditors could verify the protocol
Lemma 3. Let a , b ∈ Fnp with p > n. Then, ∏ni=1 (X + ai ) = run using the data posted on a public log.
∏ni=1 (X + bi ) if and only if ∑ni=1 (X + ai )−1 = ∑ni=1 (X + bi )−1 . • Trust minimization: The protocol runs in a decentraliza-
tion fashion where bidders do not necessarily know each
Further, Haboeck [29] shows that it is possible to ob- other and there is no trust on the auctioneer as a coordinator.
tain the unique fractional decomposition of the logarithmic
• Scalability: The protocol supports a large number of bid-
derivative of a product function φ(X) = ∏ni=1 (X + zi ) via
ders and price ranges while having low overheads in terms
φ′ (X) · φ(X)−1 = ∑z∈F m(z) · (X + z)−1 where m(z) ∈ [n] is
of computation and bandwidth consumption for bidders and
the multiplicity of the value z in z1 , . . . , zn .
auctioneer.

3 Cryptobazaar 3.3 Protocol Description

In this section we present Cryptobazaar, our private scalable Figure 1 presents an overview of Cryptobazaar which consists
sealed-bid auction protocol. In Section 3.1 we discuss system of the two phases preprocessing and bidding. Below we focus
and threat models, in Section 3.2 we present the design goals, on the core protocol and present the necessary validity proofs
and in Section 3.3 we discuss the protocol details. only abstractly. We defer the discussion of the proofs’ techni-
cal details to Section 4. Note that these proofs are computed
asynchronously and sent to the public log to be verified later.
3.1 System and Threat Models Preprocessing phase. Each bidder initially samples two vec-
tors x , r ∈ Fn , and computes X = x · G ∈ Gn . Suppose all the
In Cryptobazaar we assume that there are m bidders, an un-
input values (i.e., bids) are integers in the range [0, n]. Each
trusted auctioneer, and one or more auditors with access to
bidder encodes their bid as a unary vector b = (b1 , . . . , bn ),
an append-only public log (e.g., a public ledger) and a price
where b j = 1 if and only if j ≤ b. For example, for n = 5 the
range of n values. Each bidder communicates with the auc-
bid b = 3 is represented as 11100. Observe that the values in
tioneer through a public authenticated channel. We do not
X are randomly sampled and thus are independent from the
assume any point-to-point channel (and thus interaction) be-
bids. Furthermore, each bidder computes the polynomial com-
tween bidders as they might have no priori information about
mitments x, r, b, constructs three validity proofs πx , πr , πb ,
the number of protocol participants or their identities. Our
and appends (x, r, b, X , πx , πr , πb ) to the public log.
communication pattern resembles a star topology with the auc-
The auctioneer then carries out n runs of the AV protocol
tioneer being the coordinator. Note that Cryptobazaar can also
(first round) in parallel on the values received from the bidders
work in a peer-to-peer setting without an auctioneer but we
and computes the vectors Y i for i ∈ [m] as the row-vectors of
prefer the auctioneer-based mode henceforth due to its lower
a m × n matrix Y = M · X, where M is the AV matrix (Section
bandwidth consumption and since they are usually present in
2.4), and X contains row-vectors X . Finally, the auctioneer
practice [57].
appends the row-vectors Y i to the public log and optionally
We model bidders and auctioneer as covert adversaries [2]
sends Y i to bidder i for all i.
who may arbitrarily deviate from the correct execution of the
protocol as long as they are not detected. If they are caught, Bidding phase. After a bidder received its individual vector
they might be subject to penalties (e.g., financial or reputa- Y i , they compute Z i = (xxi +bbi ◦rr i )◦Y
Y i . The values of random
tional). The auditor gets involved at the end of the auction r
vector i are enabled depending on the values of the unary vec-
to validate the outcome using the information posted on the tor bi . So, for each j ∈ [n] we have either Z i j = (xxi j + r i j )Y
Y ij
public log. However, no information should be leaked beyond b Z x Y b
if i j = 1 or i j = i j i j if i j = 0. Each bidder furthermore
what can already be inferred from the auction including the computes a validity proof πZi showing the well-formedness
(second) highest bid. We assume that authentication between of the vector Z i , i.e., its consistency with their committed vec-
bidders and auctioneer and the penalizing of misbehaving tors xi , ri , bi and vector Y i . Then, the auctioneer completes
parties is handled out of band. the AV protocols and determines the outcome by computing

5
 Preprocessing phase second-price auction, we need to run the protocol again after
Each bidder i ∈ [m] executes the following steps:
excluding the current winner to compute the second-highest
price as the sale price. In Section 5, we propose a variant
1. Sample random non-zero vectors x i , r i ∈ Fn . that supports second-price and more generally (p + 1)st-price
2. Create polynomial commitments xi of x i and ri of r i . auction [35] without having to re-run the protocol.
3. Compute vector X i such that X i = x i · G.
Theorem 1. The Cryptobazaar protocol (Figure 1) achieves
4. Create a proof πxi showing that xi and X i both encode
completeness, privacy, soundness, and public verifiability.
the same vector x i .
5. Create a proof πri showing that r j ̸= 0 for each j ∈ [n]. We provide the proof to Theorem 1 in Appendix B.1.
6. Decide on bid bi and compute its unary encoding b i .
Reducing computational overheads. The original AV proto-
7. Compute a (blinded) polynomial commitment bi of b i . col has linear O(n) communication cost (assuming broadcast)
8. Create a proof πbi that b i is a valid unary encoding. and quadratic O(n2 ) computational cost for each participant.
9. Append (xi , ri , bi , X i , πxi , πri , πbi ) to the public log. However, it is possible to reduce the computational overhead
to determine the values Y i to O(n) group operations from the
Once all bidders are done, the auctioneer executes the follow-
naive computation M · X requiring O(n2 ) group operations.
ing steps:
We observe that by utilizing the relationship between con-
10. Load row-vectors X i to compute m × n matrix Y = M · X secutive rows of M, we have Y i+1 = Y i + X i + X i+1 . Note
where M is the matrix as specified in Section 2.4. that Y 0 can be computed by a single multiscalar multiplica-
11. Append row-vector Y i to the public log for each i ∈ [m]. tion (MSM) [19] of size n between the first row of M and
X . In total, this leads to O(n) group operations. To verify the
Bidding phase computation, anyone with access to the transcript can simply
Each bidder i ∈ [m] executes the following steps: run the same computation in O(n) group operations and com-
1. Load row-vector Y i and compute vector Z i such that pare the outputs. Verifying that vectors X ,Y Y and R are valid
Z i = (xxi + b i ◦ r i ) ◦Y
Y i. requires more elaboration which we provide in Section 4.
2. Create a proof πZi showing that Z i is of the above form.
3. Append (bi , Z i , πbi , πZi ) to the public log. 4 Validity Proofs
Once all bidders are done, the auctioneer executes the follow-
ing steps: In this section we present the technical details of the validity
proofs used in Cryptobazaar. In Section 4.1 we discuss the
4. Compute vector R such that R j = ∑m Z i ) j for j ∈ [n].
i=1 (Z
preprocessing phase proofs πxi (Step 4), πri (Step 5), and πbi
5. Append R to the public log. (Step 8) and in Section 4.2 we discuss the bidding phase
The highest bid is defined by the highest index w with R w ̸= 0. proofs πZi (Step 2) and πw (Step 6).
6. The candidate winner constructs a proof πw to demon-
strate their eligibility.
4.1 Preprocessing Phase

Figure 1: The Cryptobazaar protocol Proof πxi [Step 4]. The goal of this validity proof is to link a
KZG polynomial commitment with a vector of elliptic curve
points X to show that they both encode the same vector x .
R = ∑m Z i ). The index w of the highest non-zero value in More precisely, we need to develop an argument of knowledge
i=1 (Z
R indicates the highest bid. for the following relation Rpv :
To find the winner in a first-price auction, we simply deter-    
(SP, G); f (X) = x̃x
mine the highest bid and the corresponding bidder wins. After
 
the winning price has been announced, a candidate winner
Rpv =  (x, X );  x = [ f (τ)]1
(xx); X i = xi G, ∀i
 
can claim their win by providing a proof πw showing that they
have indeed bid one at position/index w. Given that the AV Here x̃x is the low degree extension (LDE) of x . We provide
computes a logical-OR across all bids and thus only distin- the corresponding argument Πpv in Figure 2 which proves
guishes whether there is at least one bid for a certain value or that X and polynomial commitment x encode the same vector
not, there might actually be multiple bids at the same price. x.
In this case, the auctioneer can use public randomness [34] to
choose among the set of candidate winners. Lemma 4. The protocol Πpv for relation Rpv , see Figure 2,
For a first-price auction, we are done at this point. For a satisfies completeness, soundness, and zero-knowledge.

6
 Round 1 Verifier: Send random challenge γ ∈ F. Round 1 Prover:
Round 1 Prover: 1. Sample random degree-1 blinding polynomial b(X).
f (X)− f (γ)
1. Compute q(X) = X−γ . 2. Compute s(X) such that s(wi ) = r(wi )−1 , ∀wi ∈ H.
2. Send q = [q(τ)]1 . 3. Blind s(X) by setting ŝ(X) = s(X) + b(X)zH (X).
Round 2 Verifier: 4. Sample a random blinding polynomial m(X) to blind
1. Compute [y]1 ← ∑ni=1 Li (γ)Xi . r(X) by setting r̂(X) = r(X) + m(X)zH (X).
2. Assert e(x − [y]1 + γq, [1]2 ) = e(q, [τ]2 ). 5. Compute q(X) such that r̂(X)ŝ(X) − 1 = q(X)zH (X).
6. Send s = [ŝ(τ)]1 , q = [q(τ)]1 .
Round 1 Verifier: Sample and send random γ ∈ F.
Figure 2: Interactive zero-knowledge argument of knowledge
Round 2 Prover: Send openings rγ = r̂(γ), sγ = ŝ(γ).
protocol Πpv for relation Rpv . Round 2 Verifier: Sample and send random α ∈ F.
Round 3 Prover:
1. Set φ(X) = r(X) + αŝ(X) + α2 q(X).
We provide the proof for Lemma 4 in Appendix B.2.
2. Compute (·, t) = KZG.Open(SP, φ(X), γ).

Proof πri [Step 5]. The goal of this proof is to show that 3. Send t.
r i ̸= 0 for the following two reasons. First, these random Round 3 Verifier:
values are enabled according to the values of unary bid vector 1. Compute qγ = (rγ · sγ − 1) · zH (γ)−1 .
b i and vice-versa. That is, setting r i = 0 essentially prevents
2. Set y = rγ + αsγ + α2 qγ and c = r + αs + α2 q.
verifying if the bidder used the same bid that they committed
earlier. Second, we later show how the candidate winner can 3. Assert 1 = KZG.Verify(SP, c, γ, y, t).
use these random values to construct a proof of eligibility.
Before we proceed with describing the relation, it is helpful Figure 3: Interactive zero-knowledge argument of knowledge
to state a simple but crucial technique. protocol Πnz for relation Rnz .

Blinding. Constructing succinct arguments often requires

Rnz showing that r(wi ) ̸= 0 for each wi ∈ H.
the prover P to open some committed polynomial f (X) at    
some random point γ (which is due to the Schwartz-Zippel (SP, H);
r = [r(τ) + m(τ)zH (τ)]1 ,
 
Lemma 2 that facilitates efficient equality check of polyno- Rnz =  (r);
r(wi ) ̸= 0 ∀wi ∈ H

(r(X), m(X));
 
mials). To show that the relation R ( f1 (X), f2 (X), . . . , fn (X))
holds over subgroup H of field F, one could instead show that We provide the corresponding argument Πnz in Figure 3.
R ( f1 (h), f2 (h), . . . , fn (h)) = 0, ∀h ∈ H. This is equivalent to Lemma 5. The protocol Πnz for relation Rnz , see Figure 3,
demonstrating the knowledge of some quotient polynomial satisfies completeness, soundness, and zero-knowledge.
q(X) such that R ( f1 (X), f2 (X), . . . , fn (X)) = q(X)zH (X),
where zH (X) is a vanishing polynomial of H [33]. Since send- We provide the proof for Lemma 5 in Appendix B.3.
ing plain evaluations may leak information, one can blind the Proof πbi [Step 8]. The goal of this proof is to show that b i
(witness) polynomial to achieve zero-knowledge. To do so, we is a valid unary encoding of bidder i’s bid bi . To construct
follow the approach used in Marlin [15] where the prover P this proof we use logarithmic derivatives, see Section 2.5.3,
samples a random polynomial r(X) of degree (at least) equal and translate the problem to an equality of sum of recipro-
to the number of openings they have to provide during the pro- cals. To do this, we first re-formulate the problem to make it
tocol and send fˆ(X) = f (X) + r(X)zH (X). So, fˆ(X) does not more amenable to logarithmic derivatives, show its equiva-
leak information on f (X) up to a certain number of openings, lency with the problem of unary encoding and then present
i.e., zero-knowledge is provided up to a query bound [15]. the proof system for this re-formulated problem. Given a pos-
Further, the use of vanishing polynomial makes the evalua- itive integer n, the unary representation for a value b ∈ [0, n]
tions of fˆ(X) be equal to those of f (X) over H and thus it includes an array of |b| ‘ones’ and |n − b| ‘zeroes‘. To prove
does not affect the relation R ( f1 (X), f2 (X), . . . , fn (X)). that a vector b of length n is a valid unary encoding of b,
Now assume that the number of positions n is a power consider the following lemma:
of 2, let H be a multiplicative subgroup of size n, and let
zH (X) be a vanishing polynomial of H. Let r(X) be a low Lemma 6. There are 1 ≤ i < n and 0 ≤ j < n such that
degree extension of r , then P samples a random masking i + j = n and b is a vector of i ‘ones’ concatenated with j
polynomial m(X) and commits to the blinded variant of r(X), ‘zeros’ if and only if b starts with ‘1’ and vector ∆ defined
i.e., r̂(X) = r(X) + m(X)zH (X). Then we develop a zero- as below consists of all ‘zeros’ except a single ‘one’, i.e.,
knowledge argument of knowledge for the following relation ∆i = bi − bi+1 if i < n and ∆i = bi if i = n.

7
We provide the proof for Lemma 6 in Appendix B.4. Round 1 Prover:
To prove the correct form of ∆, we use logarithmic deriva-
tives [29]. Due to the unique fractional decomposition of 1. Compute f (X) such that f (wi ) = u(wi )−u(wi+1 ), ∀wi ∈
logarithmic derivatives, see Section 2.5.3, we need to prove H \ wn−1 .
1 n−1 1
that ∑ni=1 X+∆ i
= X+0 + X+1 . Logarithmic derivatives allow 2. Sample blinding polynomials m(X), b(x) to blind u(X)
us to check that, given the vectors t , f , and m , each value by setting û(X) = u(X) + m(X)zH (X) and f (X) by set-
fi appears exactly mi times in t which can be expressed via ting fˆ(X) = f (X) + b(X)zH (X).
m
∑ni=1 X+1 fi = ∑ni=1 X+ti i . To prove this, we turn the fractional 3. Compute (·, u1 ) = KZG.Open(SP, û(X), 1).
expression into a polynomial one via low degree extensions 1 4. Compute Q f (X) such that fˆ(X) − (u(X) − u(wX)) =
of the functions t|K , f|H , m|K over multiplicative subgroups Q f (X)zH (X).
H and K of size n. The prover can show that the equality
5. Send f = [ fˆ(τ)]1 , u1 , qf = [Q f (τ)]1 .
holds at a random challenge γ as per Lemma 2, i.e., that
m(wi ) Round 1 Verifier: Sample and send random γ.
∑ni=1 γ+ f1(wi ) = ∑ni=1 γ+t(wi ) . With that in mind, the relation
Round 2 Prover:
Runary for which we need to develop an argument of knowl- 1
edge is as follows: 1. Compute B(X) such that B(wi ) = γ+ f (wi )
, ∀wi ∈ H.
    2. Sample random r(X) and compute blinded B̂(X) =
(SP, H);
 u = [u(τ) + m(τ)zH (τ)]1 B(X) + r(X)zH (X).
 
Runary =  (u);
u(X) is LDE of b

(u(X), m(X));
 3. Compute QB that B̂(X)( f (X) + γ) − 1 = QB (X)zH (X).
4. Sample random S(X) and set s = ∑h∈H S(h).
We present the corresponding argument Πunary in Figure 4.
5. Send b = [B̂(τ)]1 , qb = [QB (τ)]1 , s = [S(τ)]1 , s.
Lemma 7. The protocol Πunary for relation Runary , see Fig- Round 2 Verifier: Sample and send random α.
ure 4, satisfies completeness, soundness, and zero-knowledge. Round 3 Prover:
1
We provide the proof for Lemma 7 in Appendix B.5. 1. Set v = γ + n−1
γ+1 .

2. Compute R(X) and Q(X) such that S(X) + αB̂(X) =

s+α·v
4.2 Bidding Phase n + XR(X) + Q(X)zH (X).
3. Send r = [R(τ)]1 , q = [Q(τ)]1 .
Proof πZi [Step 2]. The goal of this proof is to enable a bidder Round 3 Verifier: Sample and send random β.
to show that Z = (xx + b ◦ r ) ◦ Y . More generally, given the Round 4 Prover: Send openings uβ = u(β), uw,β = u(wβ),
message received after the preprocessing phase Y , the bidder fβ = fˆ(β), Q f ,β = Q f (β), Bβ = B̂(β), sβ = S(β), QB,β =
has to prove that their message sent in the bidding phase is of QB (β), Rβ = R(β), and Qβ = Q(β).
the form Z = aY , where a = x + b ◦ r . We prove this by using Round 4 Verifier: Sample and send random v.
an inner product argument (IPA) showing that ⟨⟨rr ◦ a ⟩,Y Y⟩ = Round 5 Prover:
⟨rr , Z ⟩, where r = (r, r2 , . . . , rn ) for a (separation) challenge 1. Compute A(X) = (u(X) + v f (X) + v2 Q f (X) + v3 B̂(X) +
r. 2 This way, the verifier computes C = ∑ r j Z j and the prover v4 S(X) + v5 QB (X) + v6 R(X) + v7 Q(X)) · (X + β)−1 .
is left to show it is indeed equivalent to a generalized IPA [13]
2. Compute Aw (X) = u(X) · (X − wβ)−1 .
between a and Y . Thus, we need to develop an argument of
knowledge for the following relation: 3. Send a = [A(τ)]1 and aw = [Aw (τ)]1 .
    Round 5 Verifier:
 (SP, G, H, H); a(X) is LDE of a ,  1. Assert that 1 = KZG.Verify(SP, u, 1, 1, u1 ) and fβ −
Rsum =  (a,YY , Z );  a = [a(τ)]1 , (uβ − uw,β ) = Q f ,β zH (β)
(aa) a(w j )Y
Yj =Zj
 
1
2. Set v = γ + n−1
γ+1 .
We provide the corresponding argument Πsum in Figure 5. 3. Assert that S(β) + αBβ = s+α·v
n + βRβ + Qβ zH (β).
Lemma 8. The protocol Πsum for relation Rsum , see Figure 5, 4. Set C = u + vf + v2 qf + v3 b + v4 s + v5 qb + v6 r + v7 q
satisfies completeness, soundness, and zero-knowledge. and y = uβ + v fβ + v2 Q f ,β + v3 Bβ + v4 sβ + v5 QB,β +
1 Let φ : {0, 1}v → F be any function mapping a v-dimensional Boolean v6 Rβ + v7 Qβ .
1
hypercube to F. A v-variate polynomial φ2 over F is said to be an extension 5. Assert that 1 = KZG.Verify(SP,C, β, y, a) and 1 =
of φ1 if φ2 agrees with φ1 for all x ∈ {0, 1}v . We can think of a (low-degree) KZG.Verify(SP, u, wβ, uw,β , aw ).
extension φ2 of φ1 as an error-corrected encoding, amplifying the distance
between the original polynomials according to Schwartz-Zippel lemma. We
refer the reader to [47] for more details. Figure 4: Interactive zero-knowledge argument of knowledge
2 A random linear combination of terms is needed to guarantee that the
protocol Πunary for relation Runary .
equivalency holds for all j ∈ [n] and no terms cancel out.

8
 Verifier: Send a random c. ing the IPA protocol [12, 13], at each round the prover folds
Prover and Verifier: in half the vectors a , G and X and both P and V derive up-
1. Compute c = (1, c, c2 , . . . , cn−1 ) and C = ⟨c, Y⟩. dated commitments F ′ ,C′ . In the last round, P sends a fully
folded a′ , and V computes the fully folded values G′ , X ′ . The
2. Set C′ = C and n′ = n.
verifier then checks if a′ G′ = F ′ and a′ X ′ = C′ . It turns out
3. Rescale the basis X by computing Xc = c ◦ X . that computing a′ from a is a multi-scalar multiplication of
Prover: Set a′ = a and X′ = Xc and initialize r = 0. size n where the scalar factors are the coefficients of the
l=log n i
Until n′ = 1 do: polynomial f (X) = ∏i=0 (1 + αl−i X 2 ), and αi are the ran-
1. Set n′ = n′
L = ⟨a′lo , X′hi ⟩, and R = ⟨a′hi , X′lo ⟩. dom challenges picked by the verifier [11, 13]4 . So, we have
2,
a′ = ⟨aa, f ⟩ where f are the coefficients of polynomial f (X).
2. Sample random rl and rr .
Further, let f˜(X) denote a polynomial such that its evaluations
3. Send L + rl H and R + rr H. are equal to f . Therefore, instead of running the IPA for F the
Verifier: prover needs to show that ∑ni=0 a(X) f˜(X) = a′ using an in-
4. Sample and send a random challenge α. stance of univariate sumcheck. This way, the prover no longer
needs to compute the folding for G which is genuinely ex-
5. Compute C′ = α−1 L +C′ + αR.
pensive, overall improving run time. Note that we instantiate
Prover: the polynomial commitment scheme with KZG to show that
6. Compute C′ = α−1 L +C′ + αR. ∑h∈H a(h) f˜(h) = a′ , where H is a multiplicative subgroup of
7. Set a′ = ⟨a′lo , a′hi α ⟩ and X ′ = ⟨X′lo , X′hi
α−1
⟩.
F of order n.
So far, we have not considered zero-knowledge. To make
8. Compute r = r + α1 r l + αrr . IPA zero-knowledge, the prover first forms the perfectly
n′
When = 1: blinded commitment Cb = C + rH and then samples random
Prover and Verifier: scalars rl , rr to compute the left and right blinded commit-
l=log n i
ments Li,b = Li + rl H, Ri,b = Ri + rr H. One subtlety we need
1. Compute f (X) = ∏i=0 (1 + αl−i X 2 ).
2. Interpolate f˜(X) from f (X).
to get around is to avoid sending a′ in plain at the last round
while allowing the verifier to check that a′ X ′ = C′ holds. We
Verifier: tackle this by having the prover show knowledge of opening
1. Compute X ′ = ⟨Xc , f⟩, where vector f denotes coeffi- of a Pedersen commitment that is defined by the folded basis
cients of f (X). X ′ and blinder H. Thus, we should develop an argument Rpse
2. Invoke Rpse ((pp, srs, X ′ , H); (qa , f˜(X),C′ ); (a(X), a′ , r)). to link an instance of the Pedersen commitment with a uni-
variate sumcheck showing that given a Pedersen commitment
P = xG + rH, we have ∑ni=0 a(X) f˜(X) = x without leaking
Figure 5: Interactive zero-knowledge argument of knowledge any information about x.
protocol Πsum for relation Rsum . Remark 1. The auditor is not computationally restricted
thus we assume they can interpolate f˜(X) from f (X). How-
We provide the proof for Lemma 8 in Appendix B.6. ever, this part can be verifiably delegated. Let W denote
a set of n-th roots of unity, then the prover can show that
Removal of one inner product. As part of the argument sys- ∑wi ∈W f˜(wi )p(wi ) = f (α) for a random α such that p(wi ) =
tem for the above relation, we introduce a technique that could αi . Note that evaluating f (X) at α takes O(log n) field oper-
be of independent interest. We observe that when running an ations, and validity of p(X) can be proved by showing that
IPA between vectors of a and Y with the verifier having access p(w0 ) = 1 and that p(wX) = αp(X) when X ∈ W \ wn−1 .
to the polynomial commitment qa of a , one can replace an Remark 2. We develop Rpse as a generic independent rela-
instance of IPA with an instance of univariate sumcheck [6]. tion where both a(X), b(X) are witnesses. However, in the
As we describe next, it reduces the computation cost of the last round of our inner product protocol we use the public
prover and the proof size. We first build an intuition on why polynomial f˜(X), thus we slightly abuse notation and we put
this works followed by our full argument protocol for Rsum . f˜(X) directly in the instance instead of committing to it.
Assume that a prover P wants to convince a verifier V
that C = ⟨aa, X ⟩, where a ∈ Fn and X ∈ Gn1 is a set of random Linking Pedersen commitment to univariate sumcheck.
generators. Let F = ⟨aa, G ⟩ be a commitment to the vector a We now develop a zero knowledge argument of knowledge
for proving the equality of Pedersen commitment [42] and
using some basis G ∈ Gn1 . Then, P and V should run two
univariate sumcheck [6] that may be of independent in-
IPAs in parallel3 , one for F and the other for C. The former terest. Given a Pedersen Commitment P = xG + rH, the
is needed to convince V that P is indeed using a . Follow-
4 In the non-interactive variant the challenges are computed by applying a
3 Running IPAs in parallel matters security-wise, as we need to use the hash function modeled in random oracle on the messaged received from the
same set of challenges for both [23]. prover in each round of IPA for C = ⟨aa, X ⟩ which is running in parallel.

9
prover P aims to prove the knowledge of a , b ∈ Fn such that Round 1 Prover:
∑ni=0 a i b i = x, without leaking any information about x. We 1. Sample random p, s and compute Q = pG + sH.
define the relation Rpse as follows:
  2. Compute b0 = np and sample random b1 , b2 , b3 , b4 , b5 , b6 ,



(SP, G, H, H);
 a = [a(τ)]1 
 then compute B(X) = b0 + b1 X + b2 X 2 + b3 X 3 + b4 X 4 +
b = [b(τ)]1
 
Rpse =  (a, b, P);  (b5 + b6 X)zH (X), observe that ∑h∈H B(h) = p.
P = xG + rH
(a(X), b(X), x, r); 3. Send Q, B = [B(τ)]1 .

 

∑h∈H a(h)b(h) = x
 
Round 1 Verifier: Send random challenge c
We present a zero-knowledge argument realizing the relation Round 2 Prover:
Rpse in Figure 6. At a high level, the prover P computes and 1. Compute z1 = cx + p and z2 = cr + s.
commits to a(X) and b(X), low degree extensions of a and
2. Compute R(X), q(X) such that B(X) + ca(X)b(X) =
b over H. Then the prover P and the verifier V engage in a z1
|H|
+ XR(X) + q(X)zH (X).
(public coin) interactive argument for proving knowledge of
x and that ∑h∈H a(h)b(h) = x. This is done by invoking both 3. Compute D(X) = R(X) · X N−1−(n−2) where N is the
(zero-knowledge) arguments for proving the opening of Peder- length of the SP proving key.
sen commitment and univariate sumcheck. Note that proving 4. Send z1 , z2 , R = [R(τ)]1 , q = [q(τ)]1 , D = [D(τ)]1 .
the knowledge of opening of Pedersen Commitment is done
Round 2 Verifier: Sample and send a random opening chal-
by providing two Schnorr proofs of knowledge of discrete lenge γ ∈ F∗ \ {H, 0}.
logarithm. However, P should take additional care when sam- Round 3 Prover: Send openings aγ = a(γ), bγ = b(γ), Bγ =
pling blinders for the univariate sumcheck instance. The key B(γ), Rγ = R(γ).
insight is that in the first round P samples a blinder B(X) for Round 3 Verifier: Send random separation challenge v.
zero-knowledge univariate sumcheck such that its sum over H Round 4 Prover:
is equal to the randomness/blinder used in the first instance of 1. Compute W (X) = (a(X) + vb(X) + v2 B(X) + v3 R(X) +
the underlying Schnorr proof, denoted by p. Then in the sec- v4 q(X)) · (X − γ)−1 .
ond round after receiving challenge c from V , P shows that
2. Send W = [W (τ)]1 .
∑h∈H B(h) + ca(h)b(h) = cx + p. As mentioned earlier, we
make use of this argument as a sub-argument of the protocol Round 4 Verifier:
realizing the relation Rpse . So, we slightly modify the relation 1. Check that cP + Q = z1 G + z2 H.
and assume that P already committed to a(X), b(X). This, 2. Compute qγ = (Bγ + caγ bγ − zn1 − γRγ ) · zH (γ)−1 .
however, leads to the following issue. At the last round of the
3. Compute C = a + vb + v2 B + v3 R + v4 q.
zero-knowledge univariate sumcheck, P has to send openings
of a(X), b(X) at a random challenge, potentially introducing a 4. Compute y = aγ + vbγ + v2 Bγ + v3 Rγ + v4 qγ .
leakage affecting zero-knowledge. One way to deal with this 5. Assert 1 = KZG.Verify(SP,C, γ, y, W).
is to assume that witness polynomials a(X), b(X) are already 6. Set degree bound d = N − 1 − (n − 2), where N is the
properly blinded and thus openings do not produce any leak- length of the SP proving key.
age. By looking closely at the argument for Rpse , we notice
7. Assert e(R, [xd ]2 ) = e(D, [1]2 ).
that in our case a(x) is properly blinded and b(x) is a public
polynomial, guaranteeing zero-knowledge. So, we state the
relation assuming the openings of a(X), b(X) do not affect Figure 6: Interactive zero-knowledge argument of knowledge
zero-knowledge. However, we later describe how to adapt protocol Πpse for relation Rpse .
the argument to make it generalized and cover the situations
where the witness polynomials are committed without blin-
ders. The argument is agnostic to the polynomial commitment
another zero-knowledge argument to enable the candidate
scheme but we instantiate it with KZG. winner to show their eligibility while preserving their privacy.
Lemma 9. The protocol Πpse for relation Rpse presented Before describing the relation, recall that the followings hold:
(1) X = x G, (2) b is a vector with valid unary encoding, (3)
in Figure 6 satisfies completeness, soundness, and zero- a = x + b ◦ r , and (4) Z = aY . We observe that the candi-
knowledge. date bidder can demonstrate their eligibility if they manage to
We provide the proof for Lemma 9 in Appendix B.8. prove that the discrete logs of X w and Z w are different, ensur-
ing that b w = 1. So, it is enough to prove knowledge of x, and
Proof πw [Step 6]. After determining the highest bid w, the r such that X w = xG, (x + r)Y Y w = Z w , and r ̸= 0. To preserve
winner can simply open their bid vector at the corresponding privacy, we follow the standard approach in the literature [45]
position showing that b w = 1. We can further preserve the to have auctioneer/auditor compute a public vector commit-
privacy of candidate winners, particularly in case there is a ment C (e.g., using a Merkle Tree) of all triples (X X w , Z w ,Y
Y w)
tie and only one of them should be picked. We now develop and then each candidate winner proves knowledge of satisfy-

10
ing x and r for some pair in the vector. Further, each candidate 5.2 Sequential First-price Auctions
winner has to compute a nullifier [45] nul to ensure that they
cannot submit multiple proofs. The corresponding relation An inherent limitation of the AV protocol is that the winner
Rwin is as follows: can examine the protocol transcript and check if they were
  the only winner. In particular, they can try inputting x in the

 r ̸= 0, 
 second round and see if the output is still random, implying
xG = X,
 
another party has vetoed. Consequently, the winner of a Cryp-

   
C, nul;

Rwin = (x + r)Y = Z, tobazaar auction can learn the second-highest price of a given
x, r, X,Y, Z, π
nul = H (x, r),

 

run. A similar issue has been also observed in other proto-

 

Verify(C; (X,Y, Z); π) = 1
 
cols like Addax [57]. Although this might not be problematic
Observe that it is enough to prove knowledge of some x, in a Vickery auction or when the participating bidders fre-
and r and not the ones committed in the first place. This fol- quently change, it might result in a strategic advantage to the
lows from the fact that the bidder already proved connection current winner when choosing their bids for future runs of it-
between vectors x and r with X and Y . Should the bidder erative/sequential first-price auctions, e.g., when several items
provide any other satisfying x′ and r′ , it would break the dis- are sold one after the other to the same group of buyers [22].
crete logarithm assumption. If there is a tie we can utilize For example, the winner who learns the second-highest price
public randomness [34] to break the tie and choose among might choose their bid in the next run slightly above the pre-
the submitted proofs fairly. We highlight that preserving the vious second-highest price to minimize the amount they have
privacy of the winner is important in applications where the to pay while maximizing their winning chances.
winner could be subject to attacks like briberies [4]. Before we describe how to address this issue below, ob-
serve that there is a conflict of interest between the seller and
the winner. Thus our solution aims to take advantage of such
5 Extensions collusion disincentivization between the seller and a bidder
preventing them from winning at a lower price. So, we as-
5.1 Efficient Second-price Auctions sume the auctioneer has common interest with the seller (e.g.,
Our main protocol, see Figure 1, can support both first- and auctioneer is the seller).
second-price auctions. However, in the latter case, we need Preprocessing. This step is as before, except that the auc-
to re-run the protocol without the winner to detect the second tioneer also acts as a bidder and submits their own bid. In
highest price, as with other private auctions [57]. We now particular, for their own bid they choose the maximum price,
show how to modify the Cryptobazaar protocol to support i.e., b0 = n. Moreover, there is no need for the bidders to
second-price and generally (p + 1)st-price auctions more effi- decide and commit to their bid in this phase, allowing them
ciently without having to re-run the protocol. In this variant, to adaptively decide on their bids in the bidding phase. This
the set of bidders who propose the top p bids will win and further allows running the pre-processing in an offline phase
purchase the (identical) goods at the (p + 1)st price. as common in the MPC literature [20].
Preprocessing. This phase is mostly as before, with the only Finding the highest bid. This step is as before. However,
exception being that each bidder uses a Boolean encoding since the auctioneer bid the maximum price b0 = n the leakage
for their bid b such that b = (0, . . . , b j , . . . , 0), where b j = 1 of the second-highest price to the winner is prevented. The
if and only if j = b. To construct validity proof πbi , we can auctioneer then computes Y 0 with b0 = 0 locally to find the
use similar techniques based on log derivatives as before. highest position w such that R w ̸= 0 and announces this value.
Finding the highest bid. This step is as before, and the high- Finding the winner. This step is as before, except that we
est bid is defined by the highest position w such that R w ̸= 0. might need to add a fraud proof. That is, if the auctioneer
announces a bid w′ that is lower than the actual highest bid w,
Finding the winner. This step is as before, except that we now
the honest winner could present a fraud proof showing that
have a possible set of winners bidding at positions [w, w − p +
b w = 1 to slash the cheating auctioneer.
1], with the sale price being the highest position w′ such that
Another option to relax the assumption on the auctioneer
Rw′ ̸= 0 and w′ < w − p + 1.
is to have multiple auctioneers and assume that at least one of
We remark that the efficiency gained in this variant comes
them is honest in line with the anytrust threat model [49].
with some privacy leakage. That is, one can learn all the bids
submitted in the auction protocol by examining the protocol Re-using the preprocessing phase. To reduce the overheads
transcript, but without linking the bids to the corresponding for bidders in the iterative variant of Cryptobazaar, it is useful
bidders. This variant still offers a decent amount of privacy to explore whether bidders could re-use the values they com-
(i.e., unlinkability of bidders and their bids [18]) and could be puted in the preprocessing phase for future runs of the auction
of interest depending on the applications, e.g., when moving (besides the option of pre-computing k sets of these values in
from single-item to multi-item NFT auctions [38]. advance as soon as they know that they will participate in k

11
auctions). With that in mind, note that re-using the random πxi , πri , and πbi for relations Rpv , Rnz , and Runary , respectively.
matrix Y for multiple runs of the auction is not secure, as one All proofs require O(1) elliptic curve points and field elements
can learn information about the bids by comparing the proto- except the proof for Rpv . Thus, the amount of data each bidder
col transcripts. Interestingly, we can efficiently re-randomize has to send is m + O(1) elliptic curve elements and O(1)
the matrix Y by re-randomizing only a single row-vector X i in field elements. For example, given a price range of n = 1024
the matrix X. Given this, we can essentially make the protocol the overall amount of data an individual bidder has to send
non-interactive. However, we need to be careful regarding the is about 32 KB assuming a single elliptic curve point is 32
possible collusion between the party who re-randomizes the bytes. The bidding phase of a bidder i is dominated by the
matrix Y and the bidders. We can either sample a small subset computation of the validity proof πZi for the relation Rsum . We
of bidders for re-randomization or make a threshold/anytrust provide the computational overheads to compute the above
security assumption on the auctioneer’s side. In case some proofs for price ranges n ∈ {128, 1024, 8192} in Table 1a.
bidders wish to leave the auction, one could also on-board Note that the computation of the validity proofs is not on the
new bidders to the protocol and use their contributions for critical path for certain deployment scenarios given our threat
re-randomization without the need for bidders who remain to model, like running an auction via optimistic roll-ups [44].
re-do their preprocessing. Moreover, observe that if we allow
the winner to open its bid vector at the winning index w to Auctioneer overheads. The preprocessing phase of the auc-
announce its eligibility (instead of using a zero-knowledge tioneer is dominated by the computation of the vectors Y i
set membership proof), the winner is incentivized to re-do its requiring 1 MSM and m − 1 elliptic curve additions per AV
preprocessing phase to protect its privacy for future runs of and thus n MSMs of size m and n · (m − 1) elliptic curve ad-
the auction. ditions in total. We provide the running times to compute
vectors Y i for the number of bidders m ∈ {32, 128, 256} and
Protection against non-responsive winner. One might won- price ranges n ∈ {128, 1024, 8192} in Table 1b. Each vector
der what if a candidate winner does not show up to claim their Y i contains n elliptic curve points for i ∈ [m] and assuming
win, given that there is no way to determine the winner if they an elliptic curve point is 32 bytes, the auctioneer thus sends
do not come forward voluntarily due to the privacy guarantees m vectors of size 32n bytes. For example, for n = 1024 and
of the AV protocol. We argue that this is not problematic since m = 128 this amounts to 32 KB per bidder or 4.2 MB in total.
the winner has no incentive to remain silent. Furthermore, one After the bidding phase, the auctioneer needs to add n el-
can slightly tweak the protocol requiring the winner to claim liptic curve points per AV. It starts from the highest price
their win within a certain time window and if they do not, and runs until it finds the first non-zero point. In the worst
declare the second-highest bidder as winner and give them case where all bidders bid the minimal price, it runs m · n el-
the chance to claim the win. This continues until some bidder liptic curve additions. We report the (worst case) running
presents a valid proof for the currently eligible slot. times for computing vector R for the number of bidders
m ∈ {32, 128, 256} and price ranges n ∈ {128, 1024, 8192}
in Table 1c. In practice the expected running time to compute
6 Evaluation R should be much lower since the auctioneer stops as soon as
the first non-zero entry is found.
We implemented Cryptobazaar in Rust using the cryptog-
raphy framework arkworks [59]5 . The implementation is Remark. It would be helpful to see how the numbers we
generic and supports any pairing-friendly curve. We run our choose for evaluation reflect the real-world deployments. A
benchmarks on an Apple MacBook Pro with an M1 Max chip promising application is the use of (sealed-bid) auctions in
with 10 cores and 64 GB memory. For the benchmarks we Ethereum via proposer-builder separation architecture [24].
instantiated our implementation with the BN254 curve and In the current realization [22], builders take part in an auction
we focus on the main computational overheads for individual to bid for their prepared block and the one with the highest bid
bidders and the auctioneer. We notice that the most demand- is chosen to be proposed by the proposer. According to the
ing computation for both bidder and auctioneer is running recent work of [53], the block preparation is almost dominated
multiscalar multiplications (MSM) which are implemented by 25 builders/bidders ( [53], Table 5). Moreover, the authors
in the arkworks module VariableBaseMSM. The arkworks managed to collect 191 builder public keys ( [53], Table 2),
code is not particularly optimized and switching to hardware- which means the number of bidders is likely lower given
specialized libraries such RapidSnark [43] or gnark [10] that each could hold several public keys (e.g., Titan builder
may further improve performance obviously. has disclosed 12 public keys in their official document). So,
our experiments with 32, 128, and 256 bidders reflects what
Bidder overheads. The preprocessing phase of an individual
currently deployed large-scale systems like Ethereum require.
bidder i is dominated by the computation of the validity proofs
Furthermore, bids range usually from cents to tens of dollars
5Weprovide our implementation at https://github.com/akinovak/ and a realistic deployment would likely be 1000 ≤ n ≤ 10000
cryptobazaar-impl . depending on the application [57].

12
 Table 1: Cryptobazaar microbenchmarks (in ms) for number of bidders m and price ranges n.

(a) Individual bidder overheads to com- (b) Auctioneer overheads to compute (c) Auctioneer overheads to compute re-
pute validity proofs. AV matrix Y. sults vector R .

n 128 1024 8192 m/n 128 1024 8192 m/n 128 1024 8192
πxi 13.59 101.51 807.21 32 1.84 14.19 112.12 32 0.30 6.36 50.48
πri 2.38 10.25 58.38 128 4.29 38.87 286.60 128 1.95 26.83 145.06
πbi 2.53 10.68 62.03 256 7.75 59.00 552.24 256 4.01 32.90 265.14
πZi 27.28 141.38 953.36

Table 2: A high-level comparison among state-of-the-art sealed-bid auction protocols. A black (white) circle states that the
protocol does (does not) provide a given property and a half circle states that the protocol provides the property under certain
circumstances / with some restrictions. Privacy refers to the confidentiality of bids during and after protocol execution. Scalability
refers to having low computation and communication costs. Trust minimization states whether the protocol makes any trust
assumptions or not. Versatility captures the ability to (securely) support different protocol variants without major modifications.

Protocols Privacy Scalability Trust minimization Versatility

Riggs [48] # #
G #
Cicada [27] # #
G #
SEAL [3] # #
Addax [57] # G
#
Cryptobazaar

7 Related Work Second, bidders use a modified AV to compute the logical-

OR of their input bits starting from the most significant bid
Riggs [48] realizes decentralized sealed-bid auctions using where the bidders dynamically change their input to the AV
time-based cryptography. The protocol has bidders commit according to some decision rule in case the output of last the
to their bids which are then either self-opened by bidders AV equals 1, limiting the usability of the system. An issue of
or force-opened through (sequential) computation. Although this approach is that bidders learn during protocol execution
the idea of using time-based cryptography for sealed-bid auc- that they lost and thus need to be incentivized to finish the
tion was already explored in the literature [17, 52], this work protocol run. Moreover, SEAL uses traditional Sigma pro-
addresses the practical details of the deployment setting in- tocols instead of more efficient succinct validity arguments.
cluding running auctions in parallel while locking up enough Addax [57] is a private online ad exchange that has a sealed-
collateral without privacy leakage. Cicada [27] is another re- bid auction protocol at its core. The protocol adopts an affine
cent auction protocol that differs from Riggs by proposing aggregatable encoding (AFE) introduced in Prio [16] allowing
a non-interactive protocol via homomorphic time lock puz- an auction to be conducted over secret-shared bids. Crypto-
zles [37] that pack many puzzles (i.e., bids) into a single one. bazaar shares some common properties with Addax including
None of the aforementioned protocols offer privacy for bids using price range, unary encoding of bids, and performing
after the protocol execution though. In Cicada, there is an on- bitwise OR on inputs. However, the crucial advantage of our
chain coordinator (as auctioneer) and off-chain solver. The design is its more relaxed threat model of only requiring a
solver needs to present the outcome to the auctioneer (with single untrusted auctioneer as coordinator while Addax needs
proofs) to let the auctioneer announce the winner. One can at least two non-colluding auctioneers due to their adoption
use Cryptobazaar in a similar fashion by having an on-chain of Prio-based techniques. Although a side-by-side compari-
auctioneer (i.e., smart contract) and off-chain coordinator to son between Cryptobazaar and Addax is difficult due to the
help with the computation. different settings (e.g., evaluations on Apple M1 vs AWS,
Two recent private auction protocols are SEAL [3], and threat models, etc.), we provide some numbers for intuition:
Addax [57]. The SEAL protocol is auctioneer-free and the Addax (Cryptobazaar) incurs a computational overhead of
bidders themselves jointly compute the highest bid by inter- 1802 ms (1880 ms) per bidder per auction run and terminates
acting with each other, leading to a communication bottleneck. in 440 ms (431 ms) for 96 (128) bidders and a price range
Similar to ours, they also make use of anonymous veto [30] of 10000 (8192). This shows that the performance of Crypto-
as their underlying primitive but in a quite different way. First, bazaar and Addax is in the same ballpark while Cryptobazaar
they modify the original AV protocol where each bidder needs provides a better threat model and more versatility in terms
to commit to two random values for each run of the protocol. of deployment.

13
Acknowledgements [9] Jonathan Bootle, Andrea Cerulli, Pyrros Chaidos, Jens
Groth, and Christophe Petit. Efficient zero-knowledge
We thank Guillermo Angeris for constructive discussions on arguments for arithmetic circuits in the discrete log set-
auction theory. This work is supported by a grant from the ting. In Advances in Cryptology–EUROCRYPT 2016:
Ecosystem Support Program of the Ethereum Foundation. 35th Annual International Conference on the Theory
and Applications of Cryptographic Techniques, Vienna,
Austria, May 8-12, 2016, Proceedings, Part II 35, pages
References
327–357. Springer, 2016.
[1] Ramiro Alvarez and Mehrdad Nojoumian. Comprehen-
[10] Gautam Botrel, Thomas Piellard, Youssef El
sive survey on privacy-preserving protocols for sealed-
Housni, Arya Tabaie, Gus Gutoski, and Ivo Kub-
bid auctions. Computers & Security, 88:101502, 2020.
jas. Consensys/gnark-crypto: v0.11.2, January
[2] Yonatan Aumann and Yehuda Lindell. Security against 2023.
covert adversaries: Efficient protocols for realistic ad-
[11] Sean Bowe, Jack Grigg, and Daira Hopwood. Recursive
versaries. Journal of Cryptology, 23(2):281–343, 2010.
proof composition without a trusted setup. Cryptology
[3] Samiran Bag, Feng Hao, Siamak F Shahandashti, and ePrint Archive, 2019.
Indranil Ghosh Ray. Seal: Sealed-bid auction without
auctioneers. IEEE Transactions on Information Foren- [12] Benedikt Bünz, Jonathan Bootle, Dan Boneh, Andrew
sics and Security, 15:2042–2052, 2019. Poelstra, Pieter Wuille, and Greg Maxwell. Bulletproofs:
Short proofs for confidential transactions and more. In
[4] Jeb Bearer, Benedikt Bünz, Philippe Camacho, Binyi 2018 IEEE symposium on security and privacy (SP),
Chen, Ellie Davidson, Ben Fisch, Brendon Fish, Gus pages 315–334. IEEE, 2018.
Gutoski, Fernando Krell, Chengyu Lin, et al. The
espresso sequencing network: Hotshot consensus, [13] Benedikt Bünz, Mary Maller, Pratyush Mishra, Nirvan
tiramisu data-availability, and builder-exchange. Cryp- Tyagi, and Psi Vesely. Proofs for inner pairing prod-
tology ePrint Archive, 2024. ucts and applications. In Advances in Cryptology–
ASIACRYPT 2021: 27th International Conference on the
[5] Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, and Theory and Application of Cryptology and Information
Michael Riabzev. Fast reed-solomon interactive ora- Security, Singapore, December 6–10, 2021, Proceedings,
cle proofs of proximity. In 45th international collo- Part III 27, pages 65–97. Springer, 2021.
quium on automata, languages, and programming (icalp
2018). Schloss Dagstuhl-Leibniz-Zentrum fuer Infor- [14] Dario Catalano and Dario Fiore. Vector commitments
matik, 2018. and their applications. In Public-Key Cryptography–
PKC 2013: 16th International Conference on Practice
[6] Eli Ben-Sasson, Alessandro Chiesa, Michael Riabzev, and Theory in Public-Key Cryptography, Nara, Japan,
Nicholas Spooner, Madars Virza, and Nicholas P Ward. February 26–March 1, 2013. Proceedings 16, pages 55–
Aurora: Transparent succinct arguments for r1cs. In 72. Springer, 2013.
Advances in Cryptology–EUROCRYPT 2019: 38th An-
nual International Conference on the Theory and Appli- [15] Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush
cations of Cryptographic Techniques, Darmstadt, Ger- Mishra, Noah Vesely, and Nicholas Ward. Marlin: Pre-
many, May 19–23, 2019, Proceedings, Part I 38, pages processing zksnarks with universal and updatable srs.
103–128. Springer, 2019. In Advances in Cryptology–EUROCRYPT 2020: 39th
Annual International Conference on the Theory and Ap-
[7] Eli Ben-Sasson, Alessandro Chiesa, and Nicholas plications of Cryptographic Techniques, Zagreb, Croa-
Spooner. Interactive oracle proofs. In Theory of Cryp- tia, May 10–14, 2020, Proceedings, Part I 39, pages
tography: 14th International Conference, TCC 2016-B, 738–768. Springer, 2020.
Beijing, China, October 31-November 3, 2016, Proceed-
ings, Part II 14, pages 31–60. Springer, 2016. [16] Henry Corrigan-Gibbs and Dan Boneh. Prio: Private, ro-
bust, and scalable computation of aggregate statistics. In
[8] Erik-Oliver Blass and Florian Kerschbaum. Strain: A 14th USENIX symposium on networked systems design
secure auction for blockchains. In Computer Security: and implementation (NSDI 17), pages 259–282, 2017.
23rd European Symposium on Research in Computer Se-
curity, ESORICS 2018, Barcelona, Spain, September 3-7, [17] Dominic Deuber, Nico Döttling, Bernardo Magri, Giulio
2018, Proceedings, Part I 23, pages 87–110. Springer, Malavolta, and Sri Aravinda Krishnan Thyagarajan.
2018. Minting mechanism for proof of stake blockchains. In

14
 Applied Cryptography and Network Security: 18th Inter- [30] Feng Hao and Piotr Zieliński. A 2-round anonymous
national Conference, ACNS 2020, Rome, Italy, October veto protocol. In International Workshop on Security
19–22, 2020, Proceedings, Part I 18, pages 315–334. Protocols, pages 202–211. Springer, 2006.
Springer, 2020.
[31] J Horwitz and K Hagey. Google’s secret ‘project
[18] Jannik Dreier, Pascal Lafourcade, and Yassine Lakhnech. bernanke’revealed in texas antitrust case. Wall Street
Formal verification of e-auction protocols. In Interna- Journal, 2021.
tional Conference on Principles of Security and Trust,
pages 247–266. Springer, 2013. [32] Jong-Hyuk Im, Taek-Young Youn, and Mun-Kyu Lee.
Privacy-preserving blind auction protocol using fully
[19] Youssef El Housni and Gautam Botrel. Edmsm: multi- homomorphic encryption. Advanced Science Letters,
scalar-multiplication for snarks and faster montgomery 22, 2016.
multiplication. Cryptology ePrint Archive, 2022.
[33] Aniket Kate, Gregory M Zaverucha, and Ian Goldberg.
[20] Daniel Escudero, Vipul Goyal, Antigoni Polychroni- Constant-size commitments to polynomials and their
adou, and Yifan Song. Turbopack: honest majority mpc applications. In Advances in Cryptology-ASIACRYPT
with constant online communication. In Proceedings of 2010: 16th International Conference on the Theory and
the 2022 ACM SIGSAC Conference on Computer and Application of Cryptology and Information Security, Sin-
Communications Security, pages 951–964, 2022. gapore, December 5-9, 2010. Proceedings 16, pages
177–194. Springer, 2010.
[21] Amos Fiat and Adi Shamir. How to prove yourself: Prac-
tical solutions to identification and signature problems. [34] Alireza Kavousi, Zhipeng Wang, and Philipp Jovanovic.
In Conference on the theory and application of crypto- Sok: Public randomness. In 2024 IEEE 9th European
graphic techniques, pages 186–194. Springer, 1986. Symposium on Security and Privacy (EuroS&P), pages
216–234. IEEE, 2024.
[22] Flashbots. Introduction to mev-boost. https:
//docs.flashbots.net/flashbots-mev-boost/ [35] Hiroaki Kikuchi. (m+ 1) st-price auction protocol. IE-
introduction, 2024. ICE TRANSACTIONS on Fundamentals of Electronics,
Communications and Computer Sciences, 85(3):676–
[23] Ethereum Foundation. Curdleproofs: A shuffle ar-
683, 2002.
gument protocol. https://github.com/asn-d6/
curdleproofs/tree/main, 2022. [36] Michal Król, Alberto Sonnino, Argyrios Tasiopoulos,
Ioannis Psaras, and Etienne Rivière. Pastrami: privacy-
[24] Ethereum Foundation. Proposer builder separation (pbs)
preserving, auditable, scalable & trustworthy auctions
- ethereum roadmap. https://ethereum.org/en/
for multiple items. In Proceedings of the 21st Interna-
roadmap/pbs/, 2024.
tional Middleware Conference, pages 296–310, 2020.
[25] Georg Fuchsbauer, Eike Kiltz, and Julian Loss. The al-
[37] Giulio Malavolta and Sri Aravinda Krishnan Thyagara-
gebraic group model and its applications. In Advances in
jan. Homomorphic time-lock puzzles and applications.
Cryptology–CRYPTO 2018: 38th Annual International
In Annual International Cryptology Conference, pages
Cryptology Conference, Santa Barbara, CA, USA, Au-
620–649. Springer, 2019.
gust 19–23, 2018, Proceedings, Part II 38, pages 33–62.
Springer, 2018. [38] Jason Milionis, Dean Hirsch, Andy Arditi, and Pranav
Garimidi. A framework for single-item nft auction mech-
[26] Ariel Gabizon, Zachary J Williamson, and Oana Ciob-
anism design. In Proceedings of the 2022 ACM CCS
otaru. Plonk: Permutations over lagrange-bases for
Workshop on Decentralized Finance and Security, pages
oecumenical noninteractive arguments of knowledge.
31–38, 2022.
Cryptology ePrint Archive, 2019.
[27] Noemi Glaeser, István András Seres, Michael Zhu, and [39] Jose A Montenegro, Michael J Fischer, Javier Lopez,
Joseph Bonneau. Cicada: A framework for private non- and Rene Peralta. Secure sealed-bid online auctions
interactive on-chain auctions and voting. Cryptology using discreet cryptographic proofs. Mathematical and
ePrint Archive, 2023. Computer Modelling, 57(11-12):2583–2595, 2013.

[28] Oded Goldreich. Foundations of cryptography: volume [40] Valeria Nikolaenko, Sam Ragsdale, Joseph Bonneau,
2, basic applications. Cambridge university press, 2009. and Dan Boneh. Powers-of-tau to the people: Decen-
tralizing setup ceremonies. In International Conference
[29] Ulrich Haböck. Multivariate lookups based on logarith- on Applied Cryptography and Network Security, pages
mic derivatives. Cryptology ePrint Archive, 2022. 105–134. Springer, 2024.

15
[41] Anca Nitulescu. zk-snarks: A gentle introduction. Ecole [54] Shuai Yuan, Jun Wang, Bowei Chen, Peter Mason, and
Normale Superieure, 2020. Sam Seljan. An empirical study of reserve price optimi-
sation in real-time bidding. In Proceedings of the 20th
[42] Torben Pryds Pedersen. Non-interactive and ACM SIGKDD international conference on Knowledge
information-theoretic secure verifiable secret sharing. discovery and data mining, pages 1897–1906, 2014.
In Annual international cryptology conference, pages
129–140. Springer, 1991. [55] Arantxa Zapico, Vitalik Buterin, Dmitry Khovratovich,
Mary Maller, Anca Nitulescu, and Mark Simkin. Caulk:
[43] RapidSnark. https://github.com/iden3/ Lookup arguments in sublinear time. In Proceedings of
rapidsnark, 2021. the 2022 ACM SIGSAC Conference on Computer and
Communications Security, pages 3121–3134, 2022.
[44] Ethereum Research. Nft auc-
tion. https://ethresear.ch/t/ [56] Haoqian Zhang, Michelle Yeo, Vero Estrada-Galinanes,
off-chain-l2-nft-auction-protocol-idea/ and Bryan Ford. Zeroauction: Zero-deposit sealed-
12930, 2024. bid auction via delayed execution. Cryptology ePrint
Archive, 2024.
[45] Eli Ben Sasson, Alessandro Chiesa, Christina Garman,
Matthew Green, Ian Miers, Eran Tromer, and Madars [57] Ke Zhong, Yiping Ma, Yifeng Mao, and Sebastian Angel.
Virza. Zerocash: Decentralized anonymous payments Addax: A fast, private, and accountable ad exchange in-
from bitcoin. In 2014 IEEE symposium on security and frastructure. In 20th USENIX Symposium on Networked
privacy, pages 459–474. IEEE, 2014. Systems Design and Implementation (NSDI’23), pages
[46] Jan Christoph Schlegel. Transaction ordering auctions. 825–848, 2023.
arXiv preprint arXiv:2312.02055, 2023.
[58] Richard Zippel. Probabilistic algorithms for sparse poly-
[47] Justin Thaler et al. Proofs, arguments, and zero- nomials. In International symposium on symbolic and
knowledge. Foundations and Trends® in Privacy and algebraic manipulation, pages 216–226. Springer, 1979.
Security, 4(2–4):117–660, 2022.
[59] zkSNARK ecosystem. arkworks contributors. https:
[48] Nirvan Tyagi, Arasu Arun, Cody Freitag, Riad Wahby, //arkworks.rs, 2024.
Joseph Bonneau, and David Mazières. Riggs: Decen-
tralized sealed-bid auctions. In Proceedings of the 2023
A Definitions
ACM SIGSAC Conference on Computer and Communi-
cations Security, pages 1227–1241, 2023.
A.1 Zero Knowledge Argument of Knowledge
[49] David Isaac Wolinsky, Henry Corrigan-Gibbs, Bryan
A proof system enables a prover P to convince a verifier
Ford, and Aaron Johnson. Scalable anonymous group
V about some statement u such that ∃w : (u; w) ∈ R , where
communication in the anytrust model. In European
w is the corresponding witness and R is a polynomial-time
Workshop on System Security (EuroSec), volume 4,
decidable relation. A proof of knowledge system further con-
2012.
vinces the verifier that not only the witness exists, but also
[50] Fei Wu, Thomas Thiery, Stefanos Leonardos, and the prover knows it. When a proof system only demonstrates
Carmine Ventre. Strategic bidding wars in on-chain some statement holds and does not leak any information about
auctions. arXiv preprint arXiv:2312.14510, 2023. the witness, it is zero-knowledge. A proof system is an ar-
gument when it holds for a computationally bounded prover
[51] Pengcheng Xia, Haoyu Wang, Zhou Yu, Xinyu Liu, under certain computationally hard assumption.
Xiapu Luo, and Guoai Xu. Ethereum name ser-
vice: the good, the bad, and the ugly. arXiv preprint Definition 3 (zkSNARK). A (non-interactive) argument sys-
arXiv:2104.05185, 2021. tem AS = (Setup, Prove, Verify, Simulate) for R is a zk-
SNARK if it satisfies the following properties:
[52] Jie Xiong and Qi Wang. Anonymous auction proto- • Completeness. Given a true statement u for relation R , a
col based on time-released encryption atop consortium honest prover P with a valid witness w should convince
blockchain. arXiv preprint arXiv:1903.03285, 2019. the verifier V . More formally, for all λ ∈ N and for all
(u, w) ∈ R :
[53] Sen Yang, Kartik Nayak, and Fan Zhang. Decentral- " #
ization of ethereum’s builder market. arXiv preprint (crs, td) ← AS.Setup(1λ , R )
Pr AS.Verify(crs, u, π) = 1 =1
arXiv:2405.01329, 2024. π ← AS.Prove(crs, u, w)

16
• Knowledge Soundness. There is an extractor that can com- Definition 5 (Completeness). A sealed-bid auction ΠAuction
pute a witness whenever the adversary produces a valid satisfies completeness if the algorithm Eval outputs the high-
argument. The extractor gets full access to the adversary’s est bid bw assuming all parties follow the protocol and any
state, including any random coins. Formally, we require setup phase is performed correctly. More formally, for all
that for all PPT adversaries A there exists a PPT extractor λ ∈ N and for all b1 , . . . , bm ∈ χ
EA such that  
" # (SP) ← Auction.Setup(1λ )
AS.Verify(crs, u, π) = 1 (crs, td) ← AS.Setup(1λ , R ) 
(ci , πi ) ← Auction.Seal(SP, i, b) ∀i ∈ [m]

Pr ≤ negl

y = bw
Pr  =1
∧(u, w) ∈ /R ((u, π); w) ← A ||EA (crs) (y, π) ← Auction.Eval(SP, {ci , πi }i∈[m] )
 
Auction.Verify(SP, y, πw ) = 1
• Succinctness. A non-interactive argument where the veri-
fier runs in polynomial time λ + |u| and the proof and the Definition 6 (Soundness). Let bw denote the highest (honest)
common reference string sizes are polynomial λ, is a fully bid and assume the adversary A corrupts the auctioneer and
succinct SNARK. k ≤ m − 2 bidders. A sealed-bid auction ΠAuction satisfies
• Statistical Zero-knowledge. An argument is zero- soundness if there is a negligible function negl such that for
all PPT adversaries A and for all λ ∈ N
knowledge if it does not leak any information besides the
truth of the statement. Formally, if for all λ ∈ N, for all 
(SP) ← Auction.Setup(1λ )


(u, w) ∈ R and for all PPT adversaries A , the following Auction.Verify(SP, y, πw ) = 1


(b j , c j , π j ) ← A (SP) ∀ j ∈ [k]

Pr   ≤ negl
two distributions are statistically close: 
 ∧ y ̸= bw (c, π) ← Auction.Seal(SP, ·, b) 
(y, πw ) ← Auction.Eval(SP, {ci , πi }i∈[m] )
D0 = {π0 ← AS.Prove(crs, u, w) : (crs, td) ← AS.Setup(1λ , R )}
D1 = {π1 ← AS.Simulate(crs, td, u) : (crs, td) ← AS.Setup(1λ , R )} Definition 7 (Privacy). The sealed-bid auction ΠAuction satis-
fies privacy if for all PPT adversaries A corrupting the auc-
An argument of knowledge is public coin if all the mes- tioneer and k ≤ m − 2 bidders and for all λ ∈ N, there exists a
sages sent form the verifier have uniform distribution and are PPT simulator S and a negligible function negl such that
independent from the ones received from the prover. This
then allows to make the protocol non-interactive using Fiat- " #
Shamir [21]. (SP) ← Auction.Setup(1λ )
Pr A (SP, b, c, π) = 1 −
(c, π) ← Auction.Seal(SP, ·, b) ∀i ∈
/ [k]

B Proofs "
(SP) ← Auction.Setup(1λ )
#
Pr A (SP, b, c, π) = 1 ≤ negl
(b, c, π) ← S (SP, ·) ∀i ∈
/ [k]
B.1 Proof for Theorem 1
Proof. Completeness follows directly from that of the under-
An auction protocol takes as input m submissions
lying AV protocol. Note that the value Z = (x + b ◦ r) ◦Y sent
b1 , . . . , bm in a domain χ and outputs the highest bid bw =
by each bidder in the bidding phase, see Figure 1, is essen-
max{b1 , . . . , bm } as the winning one. Inspired by [27], we
tially the same as that of sent in the original AV, where here
now provide a formal definition for a (verifiable and private)
the randomness r comes to play depending on the bid value.
sealed-bid auction ΠAuction .
Soundness follows from the underlying argument of knowl-
Definition 4 (Selead-bid auction). A sealed bid auction edge protocols. We now go over the possible situations that
ΠAuction = (Setup, Seal, Eval, Verify) is defined with the fol- may lead to an incorrect outcome and argue that all are cap-
lowing algorithms: tured by the soundness of the arguments systems. The sce-
narios are: (1) the auctioneer is honest and some bidders are
• (SP) ← Auction.Setup(1λ ): The algorithm takes as input
malicious, (2) the auctioneer is malicious and all bidders are
a security parameter λ, and outputs system parameters SP.
honest, (3) the auctioneer is malicious and colludes with some
• (ci , πi ) ← Auction.Seal(SP, i, b): The algorithm takes as bidders. A malicious bidder may (A1) provide inconsistent
input the system parameters SP and submission b of user values for the first round of AV conflicting with their com-
i ∈ [m], and outputs a sealed bid ci and a proof of well- mitments, (A2) provide invalid unary encoding, (A3) provide
formedness πi . inconsistent values for the second round of AV conflicting
• (y, π) ← Auction.Eval(SP, {ci , πi }i∈[m] ): The algorithm to their initial commitments, (A4) wrongly claim they are
takes as input the system parameters SP, the sealed bid the candidate winner. All of the aforementioned items will
ci together with their corresponding proof πi for i ∈ [m], lead to the failure of the verification of Rpv , Runary , Rsum , and
and outputs the final result y and a validity proof π. Rwin with overwhelming probability. A malicious auctioneer
• (1/0) ← Auction.Verify(SP, y, πw ): The algorithm verifies may (B1) send incorrect value after the first round of AV, (B2)
if the output y is indeed the correct result of the auction bw . output a wrong bid as the winner. Both of the aforementioned

17
items will be detected publicly. A malicious auctioneer which Input: h bids b1 , . . . , bh from honest bidders
is colluding with some malicious bidders could do a combi- Output: (b∗ , sp), where
nation of the cases mentioned above that lead to failure in • Compute b∗ = max(b1 , . . . , bh ).
verification and are detected publicly. • Find w, such that bw = b∗
Privacy: Before we describe our formal privacy analysis we • Compute sp = max(b1 , . . . , bw−1 , bw+1 , . . . , bh ).
intuitively argue about the privacy of the underlying AV pro- F outputs (b∗ , sp) at the end.
tocol. When xi is sampled randomly by bidder i, the adversary
controlling all but one bidder (i.e., without full collusion) can-
not break the privacy of the bidder i (Theorem 4, [30]) and the Figure 7: Ideal Functionality F for Cryptobazaar
confidentiality of its input. This is because the value Yi has
a uniform distribution (Lemma 3, [30]) and under the DDH
assumption one cannot distinguish between xiYi and a random
group element riYi . It is straightforward to extend this to a
vector of values x i , r i , and Y i as in our case.
Hybrid2 The same as Hybrid1 , except that the matrix Y is
We now proceed to prove Cryptobazaar’s privacy using
computed with respect to the simulated row-vectors X̃ X i for
real/ideal simulation paradigm [28]. We start by defining
an ideal functionality F that acts as a trusted third party, re- i ∈ [h] and the ones from adversary X ′j for j ∈ [k]. This hybrid
ceiving the protocol’s input and giving its output. A protocol is computationally indistinguishable from Hybrid1 due to the
is said to be secure if what the adversary can learn from the privacy guarantee of AV under the DDH assumption. That is,
interaction with protocol (and output) could also be learned having one honest row-vector X included in the matrix Y, its
from the interaction with the ideal functionality. This is for- row-vectors Y i have uniform distributions (Lemma 3, [30]).
mally shown by constructing a simulator S that can generate
a simulated view (i.e., protocol transcript) for the adversary Hybrid3 The same as Hybrid2 , except that the simulator S
which is indistinguishable from the actual protocol transcript computes the vectors Z̃ Z i on behalf of honest bidders using
without having access to the honest parties’ inputs. its chosen bids. It also computes the validity proofs π̃Zi
Let b1 , . . . , bh denote the set of honest bids and without for i ∈ [h]. The indistinguishability of this hybrid from the
loss of generality assume the adversary A corrupts the previous one stems from the security guarantee of the AV
auctioneer and k ≤ m − 2 bidders, with h + k = m. Further, protocol under the DDH assumption and the zero-knowledge
let out = (b∗ , sp) denote the set of outputs, including the property of the π̃Zi .
highest (honest) bid, and second highest (honest) bid. The
description of ideal functionality F and simulator S are
Hybrid4 The same as Hybrid3 , except that the output vector is
given in Figure 7 and Figure 8, respectively. We define a
sequence of hybrid distributions starting from the actual computed as R = ∑hi=1 (Z̃ Z ′j ), where the highest
Z i ) + ∑kj=1 (Z
∗
position w should equal b . Otherwise, the simulator aborts.
protocol transcript/distribution and ending with the simulated
transcript/distributions. We argue that each two consecutive Observe that due to the unary encoding and the way AV
hybrids are computationally indistinguishable, implying works, a valid unary proof for the highest bid π̃b∗ should be
the indistinguishably of the real and ideal distributions. enough to ensure the privacy of honest bidders and failure to
Note that we exploit the zero-knowledge property of the do so by A does not affect the security of the view. Therefore,
underlying validity arguments, the privacy guarantees of this view is indistinguishable from the previous one.
the underlying AV protocol, and the hiding property of
the underlying polynomial commitment to simulate the views. Hybrid5 The same as Hybrid4 , except that the simulator
computes an eligibility proof π̃w on behalf of the candidate
Hybrid0 This is the actual view of the Cryptobazaar protocol. honest winner. This view is computationally indistinguishable
form the previous one due to the zero-knowledge property of
Hybrid1 The same as Hybrid0 , except that the simulator S the π̃w .
does the following on behalf of each honest bidder i ∈ [h].
X , π̃x , π̃r , π̃b ) to the public
It computes and appends (x̃, q̃, b̃, X̃
Hybrid6 This is the view of A ′ simulated by S in Cryptobazaar.
log. This view is indistinguishable from the last one due to
Further, the simulator sets b∗ = 0 and sends the corresponding
the uniform random distribution of x̃x, r̃r , the zero-knowledge
Z to the adversary. The adversary can now learn the second
Z̃
property of the underlying proofs for π̃x , π̃r , π̃b , and the
highest price sp by determining the highest non-zero position
hiding property of the polynomial commitment b̃. Note that
at R = ∑hi=1 (Z̃ Z ′j ). So, the adversary learns nothing
Z i ) + ∑kj=1 (Z
the original KZG commitment is deterministic in the sense ∗
beyond the output (b , sp) at the end of the protocol.
that the same polynomials have the same commitment. So,
for the indistinguishably to hold we need to use blinded KZG.

18
 S ({xx′j , r ′j } j∈[k] , {b′j } j∈[k] , out) script that is identically distributed to the transcript obtained
from interaction with the honest prover that has a valid
1. Receive the output out = (b∗ , sp) from F . witness. Given γ, we have [y]1 ← ∑ni=0 Li (γ)Xi that looks
2. Sample random non-zero vectors x̃xi , r̃r i ∈ Fn for i ∈ [h]. random given DDH assumption. Simulator then computes
It also computes their corresponding commitments x̃i , r̃i q = (f − [y]1 )(τ − γ) which is randomly distributed over γ. It
and validity proofs π̃xi , π̃ri . is easy to check that q satisfies verifier’s pairing check and
3. Sample random bid bi for i ∈ [h] such that one of them therefore S pv is able to produce a valid transcript which is
is equal to b∗ and others are smaller. Also, set one of the indistinguishable from the one in the actual protocol.
bids to sp such that others (excluding b∗ ) are smaller or
equal.
4. Compute the polynomial commitment to unary encoding
of the bids bi for i ∈ [h]. It also computes their corre- B.3 Proof for Lemma 5
sponding validity proofs π̃bi .
5. Knowing the description of AV, compute Y = M · X in-
cluding row-vector Xi′ for i ∈ [k] received from an adver-
sary A . Proof. We proceed to show this argument is knowledge sound
6. Compute vector Z i = (xxi + b i ◦ r i ) ◦Y
Y i on behalf of hon- by building an efficient extractor E that extracts the witness.
est bidders together with validity proofs π̃Zi for i ∈ [h]. Afterwards, we prove zero-knowledge by building up a simu-
lator.
7. Receive the values Z ′j for j ∈ [k] from A . If Z ′ is not of
valid form, it aborts. Knowledge soundness. As adversary A is algebraic, when-
ever it sends a commitment to some polynomial it also sends
8. Compute the vector R = ∑hi=1 (Z Z ′j ). Note that
Z i )+ ∑kj=1 (Z
the actual polynomial. Further, if the verifier V does not ac-
A can also compute the same vector at this point.
cept then A clearly does not win the game, thus further assume
9. The highest bid is highest position w such that R w ̸= 0. that V accepts. Then, since A is algebraic, it sends ŝ(X) and
Check if Rw = b∗ ; otherwise, it aborts. q(X) together with s and q. E then reconstructs r(X) from
10. Set b∗ = 0 and compute its corresponding vector Z = ŝ(X), q(X), and (publicly-known) zH (X) in polynomial time.
(xx + b ∗ ◦ r ) ◦Y
Y. Zero knowledge. We construct Snz that, given instance r,
11. Compute the vector R = ∑hi=1 (Z Z ′j ).
Z i ) + ∑kj=1 (Z trapdoor τ and verifier randomness, produces a transcript that
12. The second highest bid is highest position w such that is equally distributed as the transcript obtained from the inter-
R w ̸= 0. Check if Rw = sp; otherwise, it aborts. action with the honest prover that has a witness. Note that Snz
samples all values s, q, rγ , sγ , qγ uniformly at random. In the
real execution r(X) and s(X) are blinded with m(X) and b(X),
Figure 8: Simulator for Cryptobazaar respectively, thus commitments and evaluations also look ran-
dom. The simulator then computes c = r + αs + α2 q and
y = rγ + αŝγ + α2 qγ as in the real protocol execution. Finally,
B.2 Proof for Lemma 4 by knowing trapdoor τ it computes t = (c − [y]1 )(τ − γ).

Proof. Completeness is immediately followed by writing

out the verification equation as e(G, H) f (τ)− f (γ)+γq(γ) = B.4 Proof for Lemma 6
e(G, H)τq(τ) . So, this is just the equation q(X) = f (X)−X−γ
f (γ)

evaluated at a challenge point γ. Next, we proceed to show

that this argument is knowledge sound by building an efficient
extractor E that extracts the witness and then show how to Proof. If b is a valid unary encoding, then it is straightforward
build a simulator. to see that ∆ has the defined structure. In particular, it consists
Soundness. Suppose that malicious P commits to f (X), X of all zeros except a one at index i. From the other side,
such that there exists i for which Xi ̸= f (wi ). Denote suppose that ∆ has defined structure and that b starts with one.
f (γ) = y. Then, except with negligible probability we have Let set index i such that ∆i = 1 and i ̸= n. From this we have
∑ni=0 Li (γ)Xi = [y′ ]1 ̸= [y]1 . Finally, from soundness of the bi − bi+1 = 1. Given that all the other values of ∆ are zero we
KZG commitment the malicious P has only negligible proba- can derive that b j = bi+1 for j ∈ [i + 1, n] and that b j = bi for
bility in constructing an accepting opening proof that f (γ) = j ∈ [1, i]. Since b1 = 1, thus b j = 1 for j ∈ [1, i] and from this
y′ ̸= y. b j = 0 for j ∈ [i + 1, n], the claim is proved. In case that i = l,
Zero knowledge. We construct Spv such that given instance with the same reasoning we can conclude that ∆n = bn = 1
x, X, toxic waste τ, and verifier’s challenge produces a tran- and thus for j ∈ [1, n − 1] we have b j = bn = 1.

19
B.5 Proof for Lemma 7 zero-knowledge argument of knowledge. The complete
protocol is presented in Figure 9.

Proof. We show that this argument is knowledge sound by

building an efficient extractor E that extracts the witness and
B.8 Proof for Lemma 9
then proceed to build a simulator.
Knowledge soundness. If V does not accept then A clearly
does not win the game, thus further assume that V accepts. By
the knowledge soundness of the log derivative argument we
Proof. Completeness is straightforward. We argue that our
know that if verifier accepts then evaluations of f (X) indeed
protocol is knowledge sound in the Algebraic Group Model
consists of one ‘1’ and all zeroes except with negligible prob-
by building an efficient extractor E that extracts the witness.
ability. Then from knowledge soundness of KZG we argue
Knowledge soundness is defined by a game involving an al-
that u(1) = 1 except with negligible probability. Finally as A
gebraic adversary A and an efficient extractor E . Given the
is algebraic, whenever it sends a commitment to some poly-
SP, adversary A produces the instances a, b, P and produces
nomial it also sends the actual polynomial. Therefore, A send
an interactive argument for the verifier. Then, the goal of
polynomial f (X). Then, E computes u(w) from f (1) and
the extractor is to interact with A and at the end to output
u(1) and then it iteratively computes all u(wi ) from f (wi−1 )
the witness x, r, a(X), b(X). We say that A wins the game
and u(wi−1 ).
if V accepts and one of the following relations is false:
Zero knowledge. We construct Sunary such that given in-
a = [a(τ)]1 , b = [b(τ)]1 , xG + rH = P, ∑h∈H a(h)b(h) = x.
stance u, toxic waste τ and verifier’ challenge, produces a
The protocol has knowledge soundness if there is efficient
transcript that is identically distributed to the transcript ob-
E and that A cannot win the game except with negligible
tained from interaction with honest prover that has a witness.
probability. If V does not accept then A clearly does not
Note that polynomials u(X), f (X), B(X) are properly masked
win the game, thus further assume that V accepts. As A is
such that their commitments and openings have random distri-
algebraic, whenever it sends a commitment to some polyno-
butions. Snz can then simply sample random elliptic curve and
mial it also sends the actual polynomial. Therefore, during
field elements and with knowledge of τ it can simulate correct
the protocol execution A sends s1 , s2 , B, R, q, D, Qs together
opening proofs. Further, by the definition of zero-knowledge
with s1 (X), s2 (X), B(X), R(X), q(X), D(X), Qs (X). First, by
univariate sumcheck R(X), Q(X) at round 3 are also random.
the knowledge soundness of the proof of opening of Ped-
ersen commitment there exists extractor EPedersen such that
except with a negligible probability it extracts x, p, r, s, where
B.6 Proof for Lemma 8 z1 = cx+ p and z2 = cr +s. Further, the passing of all the KZG
checks implies that by the knowledge soundness of KZG and
Schwartz-Zippel all polynomial identities hold except with
Proof. Given that our protocol is closely similar to the gener- negligible probability. Since zero knowledge sumcheck re-
alized IPA introduced in Bunz et al. [13], we just give a high lation also passes we conclude that ∑h∈H B(h) + c(a(h) +
level intuition and refer the reader to [13] for more details. s1 (h))(b(h) + s2 (h)) = z1 , except with negligible probability.
Completeness is straightforward. Given that we use the same From the check that ZH (X) divides both s1 (X) and s2 (X) we
form of blinding the zero knowledge can be proven with the know that they do not affect the sum since ZH (h) = 0, ∀h ∈ H,
identical method of [13]. Soundness can be proven as follows. thus ∑h∈H si (h) = 0. Therefore, ∑h∈H B(h) + ca(h)b(h) = z1 .
The extractor first runs the extractor of Rpse to extract a′ , r. Now suppose that ∑h∈H a(h) · b(h) = x′ ̸= x and suppose that
Then in the similar fashion, the extractor builds a tree of tran- P commits to B(X) such that ∑h∈H B(h) = p′ ̸= p. Then, we
′ −p
scripts by rewinding and recursively extracts vectors ai ∈ F 2i
n
have that cx + p = cx′ + p′ which is true only if c = px−x ′ ,
1
for i ∈ (log n, log n − 1, . . . , 0). that happens with probability |F| . Thus we have shown that
if V accepts then ∑h∈H a(h)b(h) = x holds with overwhelm-
B.7 Rpse with Blinders ing probability. The last ambiguity we have to deal with is
extracting a(X), b(X). Even though A is algebraic it does not
We show how to deal with the aforementioned leakage send a(X), b(X) since commitments a, b are already in the
when a(X), b(X) are not properly blinded. Our solution to instance. However, E has the access to s1 (X), s2 (X) and from
handle this is by committing to two blinding polynomials asγ , bsγ it can compute aγ and bγ . Thus rewinding A n times
s1 (X), s2 (X) and proving that this polynomials are multiples and obtaining different opening challenges γi enable E to
of ZH (X), thus ∑h∈H si (h) = 0, and they do not affect the fully interpolate a(X), b(X). From witness extended emula-
sumcheck. Then, we prove the argument is knowledge tion [47] here we know that this E is still efficient and that it
sound and we provide a simulator to prove it is indeed a fails only with negligible probability.

20
 Round 1 Prover: Spse ((G, H), P, a, b, τ, c, γ, v)
1. Sample random p, s and compute Q = pG + sH. 1. Sample random z1 , z2 and compute Q = z1 G + z2 H − cX.
2. Compute b0 = np and sample random b1 , b2 , b3 , b4 , b5 , b6 , 2. Sample random a1 , a2 , a3 and send Q, B = [a1 ]1 , a2 =
then compute B(X) = b0 + b1 X + b2 X 2 + b3 X 3 + b4 X 4 + [a2 ]1 , a3 = [a3 ]1 .
(b5 + b6 X)zH (X), observe that ∑h∈H B(h) = p.
3. Sample random a4 , a5 , a6 and send z1 , z2 , R = [a4 ]1 , q =
3. Sample random r0 , r1 , r2 , r3 and compute s1 (X) = (r0 + [a5 ]1 , D = τN−1−(n−2) [a4 ]1 , and Qs = [a6 ]1 .
r1 X) · ZH (X) and s2 (X) = (r2 + r3 X + r4 X 2 ) · ZH (X).
4. Sample random Bγ , asγ , bsγ , Rγ , s1,β , ss,β and send them
4. Send Q, B = [B(τ)]1 , s1 = [s1 (τ)]1 , s2 = [s2 (τ)]1 . together with qγ , qS,β such that
Round 1 Verifier: Send random challenges c and α.
z1
Round 2 Prover: Bγ + caγ bγ = + γRγ + qγ ZH (γ)
n
1. Compute z1 = cx + p and z2 = cr + s.
and
2. Compute R(X), q(X) such that B(X) + c(a(X) + QS,β zH (β) = s1,β + αs2,β .
z1
s1 (X))(b(X) + s2 (X)) = |H| + XR(X) + q(X)zH (X).
5. Compute
3. Compute D(X) = R(X) · X N−1−(n−2) where N is the
length of SP proving key. (a) q1 = (τ − γ)−1 · (qa + qs1 − [asγ ]1 )
4. Compute Qs (X) such that s1 (X) + αs2 (X) = (b) q2 = (τ − γ)−1 · (qb + qs2 − [bsγ ]1 )
Qs (X)ZH (X).
(c) q3 = (τ − γ)−1 · (qB − [Bγ ]1 )
5. Send z1 , z2 , R = [R(τ)]1 , q = [q(τ)]1 , D = [D(τ)]1 , Qs =
[Qs (τ)]1 . (d) q4 = (τ − γ)−1 · (qR − [Rγ ]1 )

Round 2 Verifier: Sample and send a random opening chal- (e) q5 = (τ − γ)−1 · (qq − [qγ ]1 )
lenges γ ∈ F∗ \ H, β.
(f) q6 = (τ − β)−1 · (qs1 − [s1,β ]1 )
Round 3 Prover: Send openings asγ = a(γ) + s1 (γ), bsγ =
b(γ) + s2 (γ), Bγ = B(γ), Rγ = R(γ), s1,β = s1 (β), s2,β = s2 (β). (g) q7 = (τ − β)−1 · (qs2 − [s2,β ]1 )
Round 3 Verifier: Send random separation challenge v.
Round 4 Prover: (h) q8 = (τ − β)−1 · (qS − [QS,β ]1 ) .

1. Set W (X) = (a(X) + s1 (X) + v(b(X) + s2 (X)) + 6. Compute and send qW = q1 + vq2 + v2 q3 + v3 q4 + v4 q5
v2 B(X) + v3 R(X) + v4 q(X)) · (X − γ)−1 . and qT = q6 + vq7 + v2 q8 .
2. Set T (X) = (s1 (X) + vs2 (X) + v2 Qs (X)) · (X − β)−1
3. Send W = [W (τ)]1 , T = [T (τ)]1 . Figure 10: Simulator for Rpse
Round 4 Verifier:
1. Check that cP + Q = z1 G + z2 H.
lenge, produces a transcript that is identically distributed to
2. Compute QS,β = (s1,β + αs2,β ) · zH (β)−1 .
the transcript obtained from interaction with honest prover
3. Assert 1 ← KZG.Verify(s1 +vs2 +v2 Qs , β, s1,β +vs2,β + that has a witness. In Figure 10, we outline the steps of the
v2 QS,β , qT ). simulator and then argue that simulator produces an accept-
4. Compute qγ = (Bγ + caγ bγ − zn1 − γRγ ) · zH (γ)−1 .
ing transcript and that all messages are correctly distributed.
It can be seen that all KZG checks are passing and that by
5. Set C = a + s1 + v(B + s2 ) + v2 B + v3 R + v4 q. definition cX + Q = z1 G + z2 H, therefore V accepts. We now
6. Compute y = asγ + vbsγ + v2 Bγ + v3 Rγ + v4 qγ . argue about the indistinguishability of the real and simulated
7. Assert 1 = KZG.Verify(SP,C, γ, y, W). transcripts.
8. Set degree bound d = N − 1 − (n − 2), where N is the
length of SP proving key.
1. z1 , z2 are uniformly sampled, thus Q matches the actual
distribution.
9. Assert e(R, [xd ]2 ) = e(D, [1]2 ).
2. s1 , s2 are blinded with r0 , r2 for prover and a2 , a3 for
simulator respectively.
Figure 9: Interactive zero-knowledge argument of knowledge
protocol Πpse with blinders for relation Rpse . 3. B is blinded with b1 for prover and a1 for simulator.

4. R is blinded with b2 for prover and a4 for simulator.

To prove zero knowledge property, we construct Spse such
that given instance P, a, b, toxic waste τ and verifier’s chal- 5. q is blinded with b5 for prover and a5 for simulator.

21
 6. Qs is blinded with r4 for prover and a6 for simulator.
7. Bγ is blinded with b3 for prover and uniformly sampled
for simulator.
8. Rγ is blinded with b4 for prover and uniformly sampled
for simulator.
9. qγ is blinded with b6 for prover and uniformly sampled
for simulator.
10. s1,β , s2,β are blinded with r1 , r3 for prover and uniformly
sampled for simulator.

11. asγ is uniformly distributed since it has random contri-

bution from both a(X) and s1 (X) for prover and it is
uniformly sampled for simulator.
12. bsγ is uniformly distributed since it has random contri-
bution from both b(X) and s2 (X) for prover and it is
uniformly sampled for simulator.
13. W, T uniquely satisfy the KZG openings.

22