Shorter ZK-SNARKs from square span programs over ideal lattices

Lin, Xi; Cao, Heyang; Liu, Feng-Hao; Wang, Zhedong; Wang, Mingsheng

doi:10.1186/s42400-024-00215-x

Research
Open access
Published: 19 March 2024

Shorter ZK-SNARKs from square span programs over ideal lattices

Xi Lin^1,2,
Heyang Cao ORCID: orcid.org/0009-0006-0180-0319^1,2,
Feng-Hao Liu³,
Zhedong Wang⁴ &
…
Mingsheng Wang^1,2

Cybersecurity volume 7, Article number: 33 (2024) Cite this article

439 Accesses
Metrics details

Abstract

Zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs) are cryptographic protocols that offer efficient and privacy-preserving means of verifying NP language relations and have drawn considerable attention for their appealing applications, e.g., verifiable computation and anonymous payment protocol. Compared with the pre-quantum case, the practicability of this primitive in the post-quantum setting is still unsatisfactory, especially for the space complexity. To tackle this issue, this work seeks to enhance the efficiency and compactness of lattice-based zk-SNARKs, including proof length and common reference string (CRS) length. In this paper, we develop the framework of square span program-based SNARKs and design new zk-SNARKs over cyclotomic rings. Compared with previous works, our construction is without parallel repetition and achieves shorter proof and CRS lengths than previous lattice-based zk-SNARK schemes. Particularly, the proof length of our scheme is around $23.3\%$ smaller than the recent shortest lattice-based zk-SNARKs by Ishai et al. (in: Proceedings of the 2021 ACM SIGSAC conference on computer and communications security, pp 212–234, 2021), and the CRS length is $3.6\times$ smaller. Our constructions follow the framework of Gennaro et al. (in: Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pp 556–573, 2018), and adapt it to the ring setting by slightly modifying the knowledge assumptions. We develop concretely small constructions by using module-switching and key-switching procedures in a novel way.

Introduction

Zero-knowledge (ZK) proofs are cryptographic protocols that enable a prover to persuasively demonstrate the validity of a specific statement to a verifier while keeping the witness secret. The concept was initially introduced by Goldwasser et al. (1989), and there have been active researches in both theory and practice since then.

In numerous scenarios, it is essential for the prover to genuinely possess knowledge of a valid witness, thereby establishing an argument of knowledge. To enhance efficiency, specific characteristics like non-interactive and succinctness are highly desirable. These proofs entail a single round of message exchange from the prover’s side, enabling the verifier to validate the correctness in a considerably shorter time compared to the prover’s computational effort. These attributes give rise to a class of cryptographic constructions, commonly known as succinct non-interactive arguments of knowledge (ZK)-SNARKs. It finds wide-ranging applications, including verifiable computations (Ben-Sasson et al. 2013, 2014; Parno et al. 2016) and anonymous payment protocols (Sasson et al. 2014). Despite these compelling features, some negative results are associated with these constructions. Gentry and Wichs (2011) demonstrated that no secure succinct non-interactive arguments (SNARGs) existed in the standard model. Consequently, all existing SNARGs are constructed in the Random Oracle Model or rely on non-falsifiable assumptions (Naor 2003). Additionally, the most efficient SNARKs are designed verifiers, wherein only those who possess the verification keys are authorized to validate the proofs, in contrast to the public verifiers that permit anyone to verify a proof.

The concept of SNARK has been extensively investigated in the literature (Bitansky et al. 2011, 2012, 2017; Goldwasser et al. 2011), and subsequent works mainly focus on enhancing the efficiency for practical use. The early schemes (Gennaro et al. 2013; Danezis et al. 2014) in this area were almost based on group or bilinear pairing. Nowadays, driven by the advances in quantum computation and quantum computers, post-quantum security progressively attracts more attention. Many lattice-based SNARKs have emerged in recent years.

However, the lattice-based constructions have a significant inefficiency compared to the group or pairing-based ones. Intuitively, the optimal scheme belongs to preprocessing SNARK and was proposed by Groth (2016), whose proof length is 128B. The state-of-the-art post-quantum SNARK was proposed by Ishai et al. (2021), whose proof size is 16.4KB, which is 131.2x larger. Furthermore, as almost all efficient SNARKs necessitate a trusted setup, the length of the common reference string (CRS) also merits attention. Therefore, how to promote the efficiency of lattice-based SNARKs is an important and meaningful research problem.

These motivate our main question:

Can we improve the efficiency of lattice-based SNARKs, especially in the proof length and CRS length?

Related works

The constructions of SNARKs exhibit diverse design routes. Two paradigmatic routes are presented: one research line adopts a combination of polynomial interactive oracle proof (polynomial IOP) and the polynomial commitment; another research line is built on the circuit directly. The former approach presents a notable advantage in terms of applicability, such as transparent setup and public verifier, albeit at the expense of efficiency. On the contrary, the latter approach imposes certain limitations, requiring a trusted setup and designed verifier, but achieves higher efficiency.

The same applies to lattice-based SNARKs. Recent advancements in lattice-based SNARKs can be divided into two categories. For the first research line, the researcher tried to obtain SNARKs with attractive properties or functionalities. The most critical components are various commitments, i.e., vector commitments (Peikert et al. 2021; Albrecht et al. 2022), and functional commitments (Wee and Wu 2023; Fisch et al. 2023). Albrecht et al. (2022) proposed the first lattice-based SNARK construction from vector commitment, in which the verifier is public and has logarithmic complexity, and the construction is recursively composable. Cini et al. (2023) proposed the first lattice-based recursive folding protocol with a polylogarithmic-time verifier for linear relations and the first lattice-based succinct argument with a linear-time prover for NP problem in the preprocessing model.

Before we review the lattice-based constructions following the second approach, we first retrospect the group-based ones. This route originated from Groth (2010), which constructed a non-interactive argument of zero-knowledge (NIZK) based on the circuit satisfiability problem. Then, the researchers found it is possible to convert the circuit satisfiability problem into more algebraic formulations to construct efficient SNARKs. Many works introduced different characterizations of the NP complexity class: quadratic span programs (QSPs) (Gennaro et al. 2013), square span programs (SSPs) (Danezis et al. 2014), and rank-1 constraint systems (R1CS) (Ben-Sasson et al. 2013) Then many efficient constructions of SNARKs based on specific structures came. Detailedly, Gennaro et al. (2013) proposed constructions based on QSPs, whose proof consists of 7 group elements and the CRS size is linear in the circuit size. In the next year, Danezis et al. (2014) introduced SSPs and built SNARKs based on SSPs (a simpler form than QSPs), whose proof consists of 4 group elements. Meanwhile, a concurrent research line (Bitansky et al. 2013; Boneh et al. 2017) studied a more abstract cryptographic primitive: linear probabilistically checkable proof (LPCP). They established constructions of LPCP for NP problems and then built SNARG (SNARK) based on LPCP. The nature of the above designs can be unified in that preprocessing implies holography as claimed in Chiesa and Yogev (2020), but the revealing information of probabilistically checkable proof differs.

In terms of efficiency, the optimal scheme belongs to preprocessing and designated-verifier SNARKs and was proposed by Groth (2016), whose proof only consists of 3 group elements. Its proof length is 128B for the circuit of size $2^{20}$, which significantly outperforms other schemes. This is also the most widely used SNARK scheme in practice, i.e., ZCash (Sasson et al. 2014),Filecoin (Labs Labs 2018), and Coda (Bonneau et al. 2020).

In the domain of lattice-based SNARKs, Boneh et al. (2017) introduced the first quasi-optimal SNARGs based on lattice, employing linear multi-prover interactive proofs. Closely followed by this work, Gennaro et al. (2018) put forward the first lattice-based SNARK scheme, which was built on SSPs. Nitulescu (2019) introduced the first lattice-based zk-SNARG for arithmetic circuits leveraging square arithmetic programs (SAPs), whose proof consists of 2 LWE ciphertexts. Naganuma et al. (2020) proposed faster zk-SNARK constructions for arithmetic circuits using quadratic arithmetic programs (QAPs), whose proof consists of 3 LWE ciphertexts. Then, Ishai et al. (2021) followed the framework of Bitansky et al. (2013) and Boneh et al. (2017) and proposed a new LPCP-based SNARK, which is the state-of-the-art parameters for lattice-based SNARKs. The most recent lattice-based SNARKs from Chung et al. (2023), proposed a new noise flooding technique and achieved smaller proof length in the amortized sense.

Our results

This research endeavors to tackle the aforementioned issue by devising novel, efficient SSP-based zk-SNARKs. Notably, we have succeeded in reducing proof and CRS lengths by circumventing parallel repetition, while retaining a high level of soundness. To provide a more comprehensive understanding of our work, we present a comparative analysis with prior research in Table 1. (It is essential to highlight that the estimation methodology employed in Ishai et al. (2021) is suboptimal, necessitating the adjustment of their parameters using the same “ADPS16” method to enable a more precise and reliable comparison. The CRS length is empty since they did not provide it.)

Table 1 Comparison of lattice-based SNARKs

Full size table

Technical overview

Next, we present a summary of our technical contributions below.

Get Rid of Parallel Repetition by Ring Structure. Parallel repetition is a standard technique to amplify (knowledge) soundness error. In the field ($\mathbb{Z}_p$ or even $\mathbb{Z}_{p^2}$), if we do not use parallel repetition and guess a random element over the field with probability lower than $2^{-128}$, it requires the modulus p satisfies that $p>2^{128}$(or $p^2>2^{128}$), which is too large. Therefore, previous works chose smaller p (such as 32-bits or 19-bits) and use parallel repetition for a desired security level.

To deal with this issue, we adopt a strategy of transforming the field structure into a ring structure. To illustrate, if we consider a ring with the modulus p and dimension n, the desired target can be accomplished by ensuring that $p^{n}>2^{128}$. Albeit combining with other limitations in our construction, the final requirement turns out to be $2d/p^{\frac{n}{2}}<2^{-128}$. However, solely employing the ring structure may not suffice in reducing the parameter size and may potentially incur additional issues. As such, supplementary techniques must be employed to tackle these issues, which will be expounded upon below.

Reductions from Boolean Circuits over Ring. Both SSP-based schemes and LPCP-based schemes use polynomial interpolation to express circuits into SSP/LPCP instances. Prior works (to our knowledge) consider polynomial interpolation over fields, and extending it to the rings inheres challenges, particularly with regards to invertibility in R. Towards this, we leverage a useful result (Katsumata and Yamada 2016), which stated that the ring elements with a “small” norm are invertible. More concretely, in the polynomial interpolation, the denominators of the interpolation coefficients take the form of $x_i-x_j$ for distinct i, j. In order to ensure that $x_i-x_j$ has an inverse over $R_p$, we restrict the domain of $x_i$ and $x_j$ to $R_{[0,1]}$, where the coefficients of polynomials are either 0 or 1. As a result, we can instantiate polynomial interpolation over the ring of our choice.

Optimizations via Ciphertext Operations. As noted above, the SSP-based scheme presented in Gennaro et al. (2018) has a large proof length, primarily due to its inclusion of five ciphertexts in the proof. In contrast, the LPCP-based scheme proposed by Ishai et al. (2021) utilizes different encrypted queries as the CRS, which are multiplied by the same coefficients during proof generation. This allows for the utilization of the packing method described in Peikert et al. (2008) to reduce the proof length by sharing randomness. Unfortunately, the SSP-based scheme involves different coefficients (e.g.,$\textbf{h},\textbf{v}$), which precludes the direct application of the aforementioned method. However, in the ring setting, we can leverage the ring structure to pack the 5 ciphertexts into a single ciphertext. This approach reduces the number of ciphertexts for constructing the proof.

The utilization of a packing technique leads to a decrease in the number of ciphertexts, although it comes at the expense of augmenting the ring dimension. This implies that the size of the proof has not undergone any reduction. To address this, we employ the key-switching technique to attain a shorter proof. As a consequence, a slight modification of the knowledge assumption becomes necessary. Further deliberations are provided in section "Assumptions".

Preliminaries

Basic notations and probability results

Let $\lambda$, $\kappa$ represent the computational, and statistical security parameters respectively. The negligible function $\textsf{negl} (\lambda )$ is strictly bounded by $1/\lambda ^c$ for large $\lambda$, constant $c>0$. On the contrary, the overwhelming probability represents the value to be $1-\textsf{negl} (\lambda )$.

In our notation, a bold lowercase letter (e.g., $\textbf{x}$) signifies a column vector, while a bold uppercase letter (e.g., $\textbf{A}$) represents a matrix.

$\mathbb{Z}$ represents the set of integers, and $\mathbb{Z}_{q}$ indicates the ring of integers modulo q. R is a polynomial ring, and $R_{q}$ indicates the ring elements in R modulo q. Then we adopt the unified notation $[a]_{q}$ to represent $a\bmod q$ encompassing both integer and ring elements, without distinction. In the case where the modulus q is not a power of 2, we employ $\log q$ to substitute $\lceil \log _2 q\rceil$ for simplicity.

We use $u\xleftarrow {\$} U$ to indicate that sample a random element u from the set U. For two distributions A, B, let $A\overset{s}{\approx }\ B$, $A\overset{c}{\approx }\ B$ represent statistically close, computationally indistinguishable respectively.

Gaussian Distribution. The n-dimension Gaussian function with parameter $\sigma >0$ is defined as $\rho _\sigma (\textbf{x})=\exp (-\pi \Vert \textbf{x}\Vert _2^2/\sigma ^2)$. Based on this, the discrete Gaussian distribution over $\mathbb{Z}^n$ is defined as $D_{\mathbb{Z}^n,\sigma }=\rho _\sigma (\textbf{x})/\rho _\sigma (\mathbb{Z}^n)$, where $\rho _\sigma (\mathbb{Z}^n)=\sum _{\textbf{x}\in \mathbb{Z}^n}\rho _\sigma (\textbf{x})$.

Lemma 1

(Banaszczyk (1995), Lemma 2.4) For any $s,t>0$ and a integer vector $\textbf{a}\in \mathbb{Z}^n$, we have $\Pr [|\langle \textbf{a}, D_{\mathbb{Z}^n,s} \rangle |\ge ts\Vert \textbf{a}\Vert _2]\le 2\exp (-\pi t^2/s^2).$

Schwartz-Zippel Lemma. Schwartz-Zippel lemma is commonly employed in the analysis of soundness error.

Lemma 2

$\mathbb{F}$ is a finite field and K is a subset of $\mathbb{F}$ (e.g., $K \subset \mathbb{F}$) with size |K|. Assume that the non-zero polynomial $f(Y_1,\ldots ,Y_n)$ has total degree D. If $t_1,\ldots ,t_n$ are chosen from K randomly, then we have

$$\begin{aligned} \Pr \left[ f(t_1,\ldots ,t_n)=0 \right] \le \frac{D}{|K|}. \end{aligned}$$

Cyclotomic rings

In this paper, we work on the power of 2 polynomial rings. Let n be a power of 2, and the 2n-th cyclotomic polynomial is defined as $\Phi _{2n}(x) = x^{n}+1$. Then we define 2n-th cyclotomic ring as $R \cong \mathbb{Z}[x]/(x^n+1)$ and the 16n-th cyclotomic ring as $\mathcal{R}\cong \mathbb{Z}[x]/(x^{8n}+1)$. In this paper, we view ring elements via coefficient embedding. Namely, for any $s\in R$ we view $s=s_{0}+s_{1}x+\cdots +s_{n-1}x^{n-1}$ for $s_i \in \mathbb{Z}$. The ring addition and multiplication are with respect to modulo $x^{n}+1$. Under the coefficient embedding, the $\ell _{\infty }$ and $\ell _{2}$ norms for s are defined as: $\Vert s\Vert _{\infty }=\max _{i}\Vert s_{i}\Vert ,\Vert s\Vert _{2}=\sqrt{\Vert s_{0}\Vert ^{2}+\cdots +\Vert s_{n-1}\Vert ^{2}}$. Similarly, it is extended to the vector. For $\textbf{a} = (a_{1},..., a_{t})\in R^{t}$, we define $\Vert \textbf{a}\Vert _{\infty }=\max _{i}\Vert a_{i}\Vert _{\infty },\Vert \textbf{a}\Vert _{2}=\sqrt{\Vert a_{1}\Vert ^{2}_{2}+\cdots +\Vert a_{t}\Vert ^{2}_{2}}$.

To discuss our choice of moduli, we first recall a special result from Katsumata and Yamada (2016).

Lemma 3

(Katsumata and Yamada (2016), Lemma 3) The prime p satisfies $p\bmod 8=3$ and n is a power of 2. Then $x^n+1$ splits as $x^n+1=g_1g_2\bmod p$ with two irreducible polynomials in $\mathbb{Z}_p[x]$ $g_1=x^{n/2}+vx^{n/4}-1$ and $g_2=x^{n/2}-vx^{n/4}-1$, where $v^2=-2\bmod p$. Then, all $a\in R_p$ with $\Vert a\Vert _2<\sqrt{p}$ are invertible.

MLWE problems and encoding schemes based on MLWE

Module-Learning with Error (MLWE). Module Learning with Error (Module-LWE) is a fusion of Ring-LWE and plain-LWE, which was proposed and studied in Brakerski et al. (2014); Langlois and Stehlé (2015). For the power of 2 cyclotomic rings, the ring R, and $R^\vee$ only differ by a scale of n. Thus, we opt to work solely on R. More formally, the decision MLWE distribution and problem from Langlois and Stehlé (2015) are defined as follows:

Definition 4

(Module-LWE Distribution) Let $\psi$ over $R_{q}$ be the error distribution. Given a secret vector $\textbf{s}\in R_{q}^k$, an instance in the $\textsf{MLWE}$ distribution $A_{\textbf{s},\psi }$ over $R_{q}^k\times R_{q}$ is ($\textbf{a}, b$), where $\textbf{a}$ is chosen from $R_{q}^k$ uniformly at random, e is from $\psi$, and $b=\langle \textbf{a}, \textbf{s}\rangle +e\bmod q$.

Definition 5

(Module-LWE, Decision Problem) The average-case decision $\textsf{MLWE}_{R_{q},k,\psi }$ problem is to distinguish instances from $A_{\textbf{s},\psi }$ or from uniform distributions over $R_{q}^k\times R_{q}$.

The decision $\textsf{MLWE}_{R_{q},k,\psi }$ problem is infeasible if for all $\textsc{ppt}$ adversarys B given any polynomial number of samples, the probability that B solves $\textsf{MLWE}_{R_{q},k,\psi }$ is negligibly close to 1/2.

The Encoding Scheme. The encoding scheme used in the SNARK schemes can be symmetric and asymmetric. For convenience, we instantiate it as a symmetric $\textsf{MLWE}$ scheme. Furthermore, the simple linear combination is not sufficient for zero-knowledge of SNARK, thus we re-randomize the linear evaluation procedure as that in Ishai et al. (2021).

Construction 6

(MLWE Encoding Scheme) For any positive integers n, k, Q, an encoding scheme $\textsf{MLWE}$ with dimension n, rank k and modulus Q consists three $\textsc{ppt}$ algorithms ($\textrm{K},\textsf{E},\textsf{D}$) and a randomized linear evaluation algorithm $\textsf{Eval}$. These algorithms are defined below:

$\textrm{K}(1^{\lambda },k)$: Sample $A^*\leftarrow R_Q^{k\times k}$, $\mathbf{s'},\textbf{e}^* \leftarrow \Phi _\sigma ^{k}$. Define $F=(A^*,b^*)=(A^*,(A^*)^{T}\mathbf{s'}+p\textbf{e}^*)$, $\textbf{s}=(-\mathbf{s'},1)$. Output $(\textbf{s},F)$.
$\textsf{E}_{\textbf{s}}(m)$: Sample $\textbf{a}\leftarrow R_{Q}^{k}$, and $e\leftarrow \Phi _\sigma$. Compute and output $\textbf{c}=(\textbf{a}, \langle \mathbf{s'},\textbf{a}\rangle +pe+m)$.
$\textsf{Eval} (\{\mathbf{c_i}=(\mathbf{a_i},b_i),\alpha _i\}_{i\in [d]},F)$: Sample independent $\textbf{r},\mathbf{e'}\leftarrow \Phi _\sigma ^{k}$. Compute and ouput $\textbf{c}=(\sum _{i=1}^d \alpha _i\mathbf{a_i}+A^*\textbf{r}+p\mathbf{e'},\sum _{i=1}^d \alpha _ib_i+\textbf{r}^T\textbf{b}^*)$.
$\textsf{D}_{\textbf{s}}(\textbf{c})$: Compute and output $m'=[[\langle \textbf{c},\textbf{s} \rangle ]_{Q} ]_{p}$.

The encoding scheme satisfies completeness and IND-CPA security. For clarity, we defer the properties of the encoding scheme in Appendix A.

Zero-knowledge succinct non-interactive argument of knowledge (zk-SNARK)

In this subsection, we present the formal definitions of zk-SNARKs and their properties.

Definition 7

(zk-SNARK) For a relation ${\mathcal{L}}$, a zero-knowledge succinct non-interactive argument of knowledge protocol $\Pi$ comprises three $\textsc{ppt}$ algorithms $(\Pi .\textsf{Setup}, \Pi .\textsf{Prove}, \Pi .\textsf{Verify})$.

1.
$(\textsf{crs},\textsf{vrs},\textsf{td})\leftarrow \Pi .\textsf{Setup}(1^{\lambda },u)$: Given the security parameters and a statement u, the setup algorithm generates three components: a common reference string denoted as $\textsf{crs}$, verification secret information represented by $\textsf{vrs}$, and the trapdoor denoted as $\textsf{td}$.
2.
$\pi \leftarrow \Pi .\textsf{Prove}(\textsf{crs},u,\omega )$: On receiving u, $\omega$, and $\textsf{crs}$, the prove algorithm produces a proof $\pi$.
3.
$0/1\leftarrow \Pi .\textsf{Verify}(\textsf{crs},\textsf{vrs},\pi )$: Taking $\textsf{crs}$, $\textsf{vrs}$ and $\pi$ as inputs, the verify algorithm yields a bool symbol 1 or 0 to indicate the acceptance or rejection of the proof.

A zk-SNARK scheme exhibits four fundamental properties, namely completeness, zero-knowledge, argument of knowledge, and succinctness.

Definition 8

(Completeness) For a statement u included in the relation, the setup algorithm outputs $(\textsf{crs},\textsf{vrs},\textsf{td})\leftarrow \Pi .\textsf{Setup}(1^{\lambda },u)$, and the prove algorithm outputs a proof $\pi \leftarrow \Pi .\textsf{Prove}(\textsf{crs},u,\omega )$. If $\Pr \left[ \Pi .\textsf{Verify}(\textsf{crs},\textsf{vrs},\pi )=1 \right] =1-\textsf{negl} (\lambda )$, then $\Pi$ is complete.

Definition 9

(Zero-knowledge) For any $(u,\omega )\in {\mathcal{L}}$, a $\textsc{ppt}$ simulator $\mathcal{S}$ exists such that $\{\Pi .\textsf{Prove}(u,\omega ,\textsf{crs})\}\approx \{\mathcal{S}(u,\textsf{td})\}$, where $(\textsf{crs},\textsf{vrs},\textsf{td})\leftarrow \Pi .\textsf{Setup} (1^{\lambda },u)$ and $\approx$ can denote perfect, statistically, and computationally indistinguishable. Then this argument system $\Pi$ is zero-knowledge.

Definition 10

(Argument of Knowledge) For any statement u, and if a $\textsc{ppt}$ adversary can produce a proof $\pi ^*$ passing the verification, then a probabilistic polynomial-time extractor $\textsf{Ext}$ exists and extracts a witness $\omega$ satisfying $(u,\omega )\in {\mathcal{L}}$ with polynomial probability. Equivalently, we have $\Pr [ (\pi ^*;\omega ) \leftarrow (\mathcal{A} ||\textsf{Ext})(\textsf{crs},u)\wedge \Pi .\textsf{Vefify}(\textsf{crs},\textsf{vrs},\pi ^*)=1 ]$=$\textsf{poly}(\lambda )$, where $(\textsf{crs},\textsf{vrs},\textsf{td})\leftarrow \Pi .\textsf{Setup}(1^{\lambda },u)$. Then the non-interactive argument system $\Pi$ satisfies the argument of knowledge.

Definition 11

(Succinctness) If the argument length of an argument system is sublinear in the security parameter and the circuit size is included in the relation, we say that it is succinct.

Optimization techniques

In this subsection, we present several optimized techniques used in our schemes, including noise smudging, modulus-switching, key-switching, packing, and unpacking.

Noise Smudging. Noise smudging from Gentry (2009) is commonly used to obfuscate additive-homomorphic evaluated ciphertexts or fresh ciphertexts.

Lemma 12

(Noise Smudging, Gentry (2009)) Let $B_1,B_2$ be positive integers, and k be the statistical security parameter. For an arbitrary integer $m\in [-B_1,B_1]$, we pick n uniformly at random from the interval $[-B_2,B_2]$. Then if $B_1/B_2=\textsf{negl} (k)$, $\{m+n\} \overset{s}{\approx }\ \{n\}$.

Modulus-switching. The modulus-switching technique from Brakerski et al. (2014) can transform a large modulus to a comparatively small modulus without knowing the secret key.

Definition 13

(Modulus-switching) For any integers k, $Q>Q'>p$, and any vector $\textbf{x}\in R^k$, $\mathbf{x'}\leftarrow \textsf{ModSwit}(\textbf{x},Q,Q',p)$ is defined as the closest $R^k$-vector to $\frac{Q'}{Q}\textbf{x}$ satisfying $\mathbf{x'}=\textbf{x}\bmod p$.

Lemma 14

(Correctness of modulus switching) $Q,Q',p$ are positive integers satisfying $Q>Q'>p$ and $Q=Q'=1\bmod {p}$. R is a ring with degree n and $\kappa$ is the statistical parameter. For any $\textbf{c}\in R^{k+1}$, let $\textbf{c}'\leftarrow \textsf{ModSwit}(\textbf{c},Q,Q',p)$. Then for any $\textbf{s}=(-\mathbf{s'},1)$ with $\mathbf{s'} \leftarrow \Phi _\sigma ^{k}$ satisfying $\Vert [\langle \textbf{c}, \textbf{s} \rangle ]_Q\Vert _{\infty } <\frac{Q}{2}-\frac{Q}{Q'}\frac{p}{2}(n+\sigma \sqrt{nk\kappa })$, the probability of $[[\langle \textbf{c}, \textbf{s} \rangle ]_{Q}]_{p}= [[\langle \textbf{c}', \textbf{s} \rangle ]_{Q'}]_{p},\text{ and } \Vert [\langle \textbf{c}', \textbf{s} \rangle ]_{Q'}\Vert _{\infty }< \frac{Q'}{Q}\Vert [\langle \textbf{c}, \textbf{s} \rangle ]_{Q} \Vert _{\infty } +\frac{p}{2}(n+\sigma \sqrt{nk\kappa })$ is at least $1-2n\exp (-\pi \kappa /\sigma ^2)$.

Key-switching. The key-switching technique from Brakerski et al. (2014) facilitates the transformation of an encryption under secret key $\mathbf{s_1}$ to another encryption of the same or related message utilizing a distinct secret key $\mathbf{s_2}$ with the help of key-switching keys.

Definition 15

(Key-switching) For any vector $\textbf{x}\in R_Q^k$, we can decompose $\textbf{x}$ as $\sum _{j=0}^{\log Q-1}\mathbf{y_j}2^j$, where $\mathbf{y_j}\in R_{2}^k$ and define $\textsf{BD}(\textbf{x})$=$(\mathbf{y_0},\dots ,\mathbf{y_{\log Q-1}})$. $\textsf{PV}(\textbf{x})$ is defined as $(\textbf{x}, 2\textbf{x}, \dots , 2^{\log Q-1}\textbf{x})$. The key-switching algorithm is presented as follows:

$\textsf{SwitKeyGen}(\mathbf{s_1},\mathbf{s_2})$: Sample $\mathbf{A'}\leftarrow R_Q^{k_1\log Q\times (k_2-1)}$, $\mathbf{e'}\leftarrow \Phi _{\sigma '}^{k_1\log Q}$. Let $\mathbf{s'}\in R^{k_2-1}$ be the residual vector of $\mathbf{s_2}$ except for the last row. Compute $\mathbf{a'}=-\mathbf{A'}\mathbf{s'}+p\mathbf{e'}$. Output $\textsf{switkey}=(\mathbf{A'},\mathbf{ a'})+(\textbf{0},\textsf{PV}(\mathbf{s_1}))\in R_Q^{k_1\log Q\times k_2}$.
$\textsf{KeySwit}(\textsf{switkey},\textbf{c})$: Output $\textsf{switkey}^{T}\cdot \textsf{BD}(\textbf{c})$.

Lemma 16

(Correctness of key-switching) For any $\mathbf{s_1}\in R_Q^{k_1},\mathbf{s_2}\in R_Q^{k_2}$ with the last coordinate being 1, $\textsf{switkey}\leftarrow \textsf{SwitKeyGen}(\mathbf{s_1},\mathbf{s_2})$ and $\mathbf{c_2}\leftarrow \textsf{KeySwit}(\textsf{switkey},\mathbf{c_1})$. Then we have $\langle \mathbf{c_2},\mathbf{s_2}\rangle =p\langle \textsf{BD}(\mathbf{c_1}),\mathbf{e'}\rangle +\langle \mathbf{c_1},\mathbf{s_1}\rangle \bmod Q.$

Packing and Unpacking Algorithms. The packing algorithm operates on the message defined over the ring $\mathcal{R}$ by treating it as several message slots over R. Conversely, the unpacking technique is responsible for successively converting the ciphertext’s other slots into the lowest order and extracting the lowest order slot homomorphically. The extraction process is essentially a homomorphic computation of the trace function, which is further addressed by carrying out homomorphic automorphism evaluations. This idea is derived from Halevi and Shoup (2014, 2020).

Plaintext encoding: Given $\mathbf{c_1},\dots ,\mathbf{c_{\xi }}\in R^{k+1}$, then $\textsf{Pack}(\mathbf{c_1},\dots ,\mathbf{c_{\xi }})=\mathbf{c_1}+\mathbf{c_2}x^n+\dots +\mathbf{c_{\xi -1}}x^{n(\xi -1)}$, where n is the dimension of R.
Homomorphic plaintext decoding: Given a key-switching subalgorithm $\textsf{KeySwit}$, the ciphertext $\textbf{c}\in \mathcal{R}^{k+1}$ and trace homomorphic evaluation keys $\{\textbf{B}_i\}_{i\in \mathbb{Z}_{2\xi '}^*}$, then compute $\mathbf{c_1}=\sum _{i\in \mathbb{Z}_{2\xi '}^*}\textsf{KeySwit}(\textbf{B}_i,\tau _i(\textbf{c}))$, $\mathbf{c_2}=\sum _{i\in \mathbb{Z}_{2\xi '}^*}\textsf{KeySwit}(\textbf{B}_i,\tau _i(\textbf{c}\cdot x^{-n}))$,$\ldots$, $\mathbf{c_{\xi '}}=\sum _{i\in \mathbb{Z}_{2\xi '}^*}\textsf{KeySwit}(\textbf{B}_i,\tau _i(\textbf{c}\cdot x^{-(\xi '-1)n}))$ to obtain individual ciphertexts.

At the end of this section, we present a summary of some essential notations in Table 2.

Table 2 Overview of parameters and notations

Full size table

Square span programs over cyclotomic rings

Square span programs ($\textsf{SSP}$s) were originally introduced by Danezis et al. (2014) as a novel and distinct characterization of the class NP. While all prior works (to our knowledge) considered $\textsf{SSP}$s over fields, this work generalizes the notion/construction to the setting of rings (particularly the cyclotomic rings). In this way, the underlying mathematical structure of the $\textsf{SSP}$s can match the one of Ring-LWE (Lyubashevsky et al. 2010), yielding much more efficient SNARK constructions (than the plain-LWE-based instantiations).

Definition 17

(Square Span Programs over Rings) A square span program P over the ring R is represented as a polynomial tuple $( l_0(x),\ldots ,l_m(x), a(x) )$ in R[x], where the degree of each $l_i(x)$ is no more than the degree of a(x). The size of P is m, and the degree d equals the degree of a(x). A vector $\textbf{s} = (s_1,\ldots ,s_\ell )\in R^\ell (\ell <m)$ is accepted by P if and only if there exists another vector $\mathbf{s'}= (s_{\ell +1},\ldots ,s_{m})\in R^{m-\ell }$ satisfying a(x) divides $(l_0(x)+\sum _{i=1}^m s_il_i(x))^2-1$.

Moreover, if exactly the vectors $\textbf{s}\in \{0,1\}^\ell \subset R^\ell$ satisfying $g(\textbf{s})= 1$ are accepted, P is said to verify a boolean function g.

The polynomial $((l_0(x)+\sum _{i=1}^m s_il_i(x))^2-1)/a(x)$ is a integer polynomial since a(x) is monic. Below we are going to show that $\textsf{SSP}$s over rings (some particular cyclotomic rings) can be used to express general NP verifications. We first describe the following corollary about the linearization of logic gates in a boolean circuit in the ring setting, similar to Theorem 2 in Danezis et al. (2014).

Corollary 18

R is a cyclotomic ring. Assume that $\textrm{C}$ is a circuit having m wires and n fan-in 2 gates. For any prime $p \ge 11$, we can compute a matrix–vector pair $(\textbf{M},\textbf{v}) \in \mathbb{Z}_p^{m\times d} \times \mathbb{Z}_p^d$ (with $d = m+n$) from $\textrm{C}$. Then to show that C is satisfiable over R, equivalently, find a vector $\textbf{s} \in R_p^m$ such that $\textbf{s} \textbf{M} + \textbf{v} \in \{0,2\}^d$. Moreover, $\textbf{s} \textbf{M} + \textbf{v} \in \{0,2\}^d$, results in $\textbf{s} \in \{0,1\}^m$.

Based on this corollary, we can express a boolean circuit C as a ring matrix–vector pair $(\textbf{M}, \textbf{v})$. Subsequently, we delineate the method for constructing an SSP (over ring R) of C from such a pair.

Construction 19

(Square Span Programs over Ring) R is a cyclotomic ring, and the prime p is larger than 11. Let $R_{[0,\pm 1]}$ denote the subset of R with coefficients within the range of $[0,\pm 1]$. We assume that for every distinct elements x, y from $R_{[0 \pm 1]}$, the difference $x-y$ is invertible modulo pR.

Taking a circuit $\textrm{C}$ with m wires and n fan-in 2 gates as an input, denote $d = m+n$. Subsequently, we can construct a SSP instance as follows:

Let $(\textbf{M},\textbf{v}) \in \mathbb{Z}_p^{m\times d} \times \mathbb{Z}_p^{d}$ be the matrix–vector pair as Corollary 18.
Select distinct $r_1,\ldots ,r_d$ in $R_{[0,\pm 1]}$, arbitrarily.
Interpolate polynomials $l_0(x), \dots , l_m(x)$ of degree at most $d-1$ such that

(1) $l_0(r_i) = v_i - 1 \pmod {pR}$ for $i\in [d]$; (2) $l_i(r_j)=\textbf{M}_{ij}\pmod {pR}$ for $i\in [m], j\in [d]$.
Set $a(x)=\prod _{i=1}^d (x-r_i)$ and output ($a(x),l_0(x),\ldots ,l_m(x)$).

We notice that the third step of the above construction is well-defined—any degree $d-1$ polynomial over $R_p [x]$ (say, f(x)) can be uniquely determined given any d values in $R_p$ (say, $y_1,\dots , y_d$) evaluated at $r_1, \dots , r_d$. This is because the j-th Lagrange basis polynomial $\ell _j(x)=\prod _{i=1,i\ne j}^d (x-r_i)(r_j-r_i)^{-1}$ is uniquely defined, as every $(r_j-r_i)^{-1}$ (the multiplicative inverse over modulo pR) uniquely exists.

Theorem 20

The prime p satisfies $p\equiv 3\bmod 8$, and R is a cyclotomic ring with degree (a power of 2) n. Let $p>4n$, and $3^n > d$. Then Construction 19 is a square span program over the ring $R_p$.

Proof

Initially, we prove that all the steps involved in Construction 19 are well-defined under the conditions in the theorem statement. Subsequently, we proceed to demonstrate that the output of this construction is an SSP over $R_p$.

In order to substantiate the well-definedness of the steps, we need to show the following claims: (1) in Step 2, there are indeed d distinct elements in $R_{[0,\pm 1]}$, and (2) in Step 3, the multiplicative inverse (in $R_p$) of every $(r_i - r_j)$ exists.

Claim (1) is easy to see, as there are $3^d$ distinct elements in $R_{[0,\pm 1]}$ and $3^n >d$ from the theorem statement. Claim (2) follows from Lemma 21.

Lemma 21

(Katsumata and Yamada 2016) The prime p satisfies $p\equiv 3\bmod 8$, and R is a cyclotomic ring with degree (a power of 2) n. Let $p>4n$. For any distinct element x and y in $R_{[0,\pm 1]}$, the difference $x-y$ is invertible in $R_p$.

This concludes the first part of our goal. Below we show that the construction outputs an SSP over $R_p$.

Given the circuit $\textrm{C}$ mentioned above, we can construct a matrix–vector pair $(\textbf{M},\textbf{v}) \in \mathbb{Z}_p^{m\times d} \times \mathbb{Z}_p^{d}$ as Corollary 18. Proving the circuit $\textrm{C}$ is satisfiable equals that finding a vector $\textbf{s} \in R_p^m$ such that $\textbf{s} \textbf{M} + \textbf{v} \in \{0,2\}^d$. Moreover, $\textbf{s} \textbf{M} + \textbf{v} \in \{0,2\}^d$ equals $\textbf{s} \textbf{M} + \textbf{v}-\textbf{1} \in \{-1,1\}^d$, further implying $(\textbf{s} \textbf{M} + \textbf{v}-\textbf{1})\circ (\textbf{s} \textbf{M} + \textbf{v}-\textbf{1})= \textbf{1}$, where $\circ$ denotes entry-wise product and $\textbf{1}$ is the all-1 vector.

Next, as the construction sets $l_i (r_j) = \textbf{M}_{ij}$ for $i>0$ and $l_0(r_j) = \textbf{v}_j$, the following holds.

$$\begin{aligned} \textbf{s} \textbf{M} + \textbf{v}-\textbf{1}&= (s_1,\ldots ,s_m)\cdot \begin{pmatrix} l_1(r_1) &{}\cdots &{} l_1(r_d) \\ \vdots &{}\ddots &{}\vdots \\ l_m(r_1) &{} \cdots &{} l_{m}(r_d) \end{pmatrix}+(l_0(r_1),\ldots ,l_0(r_d)) \\&= \left( \sum _{i=1}^m s_il_i(r_1)+l_0(r_1),\ldots ,\sum _{i=1}^m s_il_i(r_d)+l_0(r_d) \right) . \end{aligned}$$

Thus we obtain the following expression: $(\textbf{s} \textbf{M} + \textbf{v}-\textbf{1})\circ (\textbf{s} \textbf{M} + \textbf{v}-\textbf{1})- \textbf{1}= \left( \left( \sum _{i=1}^m s_il_i(r_1)+l_0(r_1) \right) ^2-1,\ldots , \left( \sum _{i=1}^m s_il_i(r_d)+l_0(r_d) \right) ^2-1 \right)$.

Given any $\textbf{s} \in R_p^m$ such that $(\textbf{s} \textbf{M} + \textbf{v}-\textbf{1})\circ (\textbf{s} \textbf{M} + \textbf{v}-\textbf{1}) - \textbf{1} = \textbf{0}$, the equivalent condition is that for every $j\in [d]$, we have $\left( \sum _{i=1}^m s_il_i(r_j)+l_0(r_j) \right) ^2-1 = 0$, meaning that $\{r_j\}_{j\in [d]}$ are the roots of the polynomial $(\sum _{i=1}^m s_il_i(x)+l_0(x))^2 -1$. Thus, $a(x)=\prod _{i=1}^d (x-r_i)$ divides $(\sum _{i=1}^m s_il_i(x)+l_0(x))^2-1$.

To conclude, we notice that if C is satisfiable, a vector $\textbf{s}$ exists such that $(\textbf{s} \textbf{M} + \textbf{v}-\textbf{1})\circ (\textbf{s} \textbf{M} + \textbf{v}-\textbf{1}) - \textbf{1} = \textbf{0}$. The above argument further implies that a(x) divides the polynomial $(\sum _{i=1}^m s_il_i(x)+l_0(x))^2-1$. Conversely, if a vector $\textbf{s}$ exists to make a(x) divides the polynomial, then $\{r_j\}_{j\in [d]}$ must be the roots of the polynomial, implying $(\textbf{s} \textbf{M} + \textbf{v}-\textbf{1})\circ (\textbf{s} \textbf{M} + \textbf{v}-\textbf{1})- \textbf{1} = \textbf{0}$. This again proves that C is satisfiable.

Putting things together shows that Construction 19 is a square span program over the ring $R_p$. $\hfill\square$

Assumptions

The security of previous SNARK schemes relied on two long-standing assumptions: power knowledge of exponent (PKE) assumptions and power Diffie-Hellman (PDH) assumptions.

The PKE assumption, introduced by Gennaro et al. (2013), is a kind of knowledge assumption, which extends the knowledge of exponent assumption (KEA). The original PKE assumption used a discrete logarithm-hard group-based encoding scheme. Later, Gennaro et al. (2018) changed the encoding scheme to $\textsf{LWE}$-based schemes.

The PDH assumption was proposed by Boneh et al. (2005) and Groth (2010), whose hardness is built on discrete logarithm problems due to the encoding scheme. After altering the encoding scheme directly, Gennaro et al. (2018) obtained new instantiations, whose hardness relies on the $\textsf{LWE}$ problem.

To build our SNARK schemes, it is necessary to broaden the PDH and PKE assumptions in the ring setting. These two assumptions are formally defined in Subsection 4.1. Moreover, we observe a specific scenario in which these assumptions are developed with some useful auxiliary information. The auxiliary information enables us to do ciphertext operations to promote efficiency without harming the hardness of assumptions, which is explained in Subsection 4.2.

Assumptions in the ring setting

The q-PKE assumption and q-PDH assumption in the ring setting follow the nature of those in Gennaro et al. (2013, 2018), except the encoding scheme is instantiated as Module-$\textsf{LWE}$. The slight modification originates from the structure difference, i.e., group, integer rings, and polynomial rings.

Definition 22

(q-PKE Assumption Over Ring) R is a cyclotomic ring with degree n and prime modulus p. ($\textrm{K},\textsf{E},\textsf{D},\textsf{Eval}$) is an encoding scheme. The q-PKE assumption over R states that for any $\textsc{ppt}$ adversary $\mathcal{A}$ and some auxiliary information $\textsf{aux} \in \{0,1\}^{\textsf{poly}(\lambda )}$, which is independent of $\alpha$, there exists a $\textsc{ppt}$ extractor $\textsf{Ext}$ such that

$$\begin{aligned} \Pr \left[ \begin{array}{ll}\textsf{sk} \leftarrow \textrm{K}(1), s,\alpha \leftarrow R_p,\\ \mu =(\textsf{E}_{\textsf{sk}}(1),\textsf{E}_{\textsf{sk}}(s),\dots ,\textsf{E}_{\textsf{sk}}(s^q),\textsf{E}_{\textsf{sk}}(\alpha ),\textsf{E}_{\textsf{sk}}(\alpha s),\dots ,\textsf{E}_{\textsf{sk}}(\alpha s^{q})), \\ (c,{\hat{c}};a_0,\dots ,a_q) \leftarrow (\mathcal{A} ||\textsf{Ext})(pk,\mu ,\textsf{aux}):\\ \textsf{D}_{\textsf{sk}}({\hat{c}})=\alpha \textsf{D}_{\textsf{sk}}(c) \wedge \textsf{D}_{\textsf{sk}}(c)=\sum _{i=0}^q a_is^i \end{array} \right] \ge 1-\textsf{negl} (\lambda ). \end{aligned}$$

For the q-PDH assumption in the ring setting, we observe that its form depends on the structure of the ring. Namely, in our choice of ring, $R_p$ is isomorphic to a product of two subfields with norm $p^{n/2}$. A non-zero element $a\in R_p$ means there exists at least one subfield such that a is invertible in the subfield.

Definition 23

(q-PDH Assumption Over Ring) The prime p satisfies $p\equiv 3\bmod 8$, and R is a cyclotomic ring with degree (a power of 2) n. ($\textrm{K},\textsf{E},\textsf{D},\textsf{Eval}$) is an encoding scheme. The q-PDH assumption over R is that for any $\textsc{ppt}$ adversary $\mathcal{A}$,

$$\begin{aligned} \Pr \left[ \begin{array}{ll}\textsf{sk} \leftarrow \textrm{K}(1),s\leftarrow R_p, \\ {\hat{c}}\leftarrow \mathcal{A} (\textsf{E}_{\textsf{sk}}(1),\textsf{E}_{\textsf{sk}}(s),\dots ,\textsf{E}_{\textsf{sk}}(s^q),\textsf{E}_{\textsf{sk}}(s^{q+2}),\dots ,\textsf{E}_{\textsf{sk}}(s^{2q})):\\ \textsf{D}_{\textsf{sk}}({\hat{c}})\bmod {\mathfrak{p}} _1\equiv s^{q+1} \text{ or } \textsf{D}_{\textsf{sk}}({\hat{c}})\bmod {\mathfrak{p}} _2\equiv s^{q+1} \end{array} \right] \le \textsf{negl} (\lambda ). \end{aligned}$$

Assumptions with special auxiliary information

In comparison to the PDH/PKE assumption stated above, we consider a special case where appending some useful auxiliary information. The auxiliary information needs to satisfy the basic principle: admit linear operations only.

Following this idea, we turn a new perspective on the key-switching procedure. As we all know, an integral key-switching algorithm includes two steps: key-switching key generation and the product of bit-decomposed ciphertext and key-switching key. Apparently, the whole key-switching algorithm is non-linear. Nevertheless, with access to the key-switching key, the product can be construed as a linear combination comprising the key-switching key and the decomposition of the ciphertext. Also, no adaptive key-switching keys can be incorporated into the auxiliary information, as the ciphertexts can be evaluated homomorphically by means of modulus-switching and key-switching, as demonstrated in Brakerski et al. (2014).

An important observation is that we can separate the linear and non-linear parts of the key-switching procedure. The separation is putting some predetermined key-switching keys into the auxiliary information. This means that if the adversary wants to utilize the key-switching keys, the remaining part he can do is linear. Then it does not violate the knowledge assumption (PKE assumption).

Next, we give a formal description of the strengthening q-PKE assumption, which embeds proper key-switching keys into the q-PKE assumption:

Definition 24

(The Strengthening q-PKE Assumption) ($\textrm{K},\textsf{E},\textsf{D},\textsf{Eval}$) is an encoding scheme and $\textsf{KeySwitch}=(\textsf{SwitKeyGen},\textsf{KeySwit})$ is a key-switching algorithm. The strengthening q-PKE assumption states that for any automorphism or identity mapping f, any $\textsc{ppt}$ adversary $\mathcal{A}$, any auxiliary information $\textsf{aux}$ and key switching keys $\textsf{switkey}$, which are independent of $\alpha$, there exists a $\textsc{ppt}$ extractor, denoted as $\textsf{Ext}$, such that

$$\begin{aligned} \Pr \left[ \begin{array}{ll}(\textsf{sk},\textbf{F}),(\textsf{sk} ',\mathbf{F'})\leftarrow \textrm{K}(1), s,\alpha \leftarrow R_p,\textsf{switkey}\leftarrow \textsf{SwitKeyGen}(\textsf{sk},f(\textsf{sk} ')), \\ \mu =(\textsf{E}_{\textsf{sk}}(1),\textsf{E}_{\textsf{sk}}(s),\dots ,\textsf{E}_{\textsf{sk}}(s^q),\textsf{E}_{\textsf{sk}}(\alpha ),\textsf{E}_{\textsf{sk}}(\alpha s),\dots ,\textsf{E}_{\textsf{sk}}(\alpha s^{q})), \\ (c,{\hat{c}};a_0,\dots ,a_q) \leftarrow (\mathcal{A} ||\textsf{Ext})(\mu ,\textsf{aux},\textsf{switkey},f):\\ \textsf{D}_{\textsf{sk}}({\hat{c}})=\alpha \textsf{D}_{\textsf{sk}}(c) \wedge \textsf{D}_{\textsf{sk}}(c)=\sum _{i=0}^q a_is^i \text{ or } \textsf{D}_{\textsf{sk} '}({\hat{c}})=\alpha \textsf{D}_{\textsf{sk} '}(c) \wedge \textsf{D}_{\textsf{sk} '}(c)=\sum _{i=0}^q a_is^i \end{array} \right] \ge 1-\textsf{negl} (\lambda ). \end{aligned}$$

Lemma 25

If the encoding scheme ($\textrm{K},\textsf{E},\textsf{D}$) satisfies the strengthening q-PKE assumption, then it satisfies the q-PKE assumption over ring.

Proof

The proof is direct. If there is a $\textsc{ppt}$ adversary can break the q-PKE assumption over ring, then it outputs a valid pair $(\mathbf{c_1},\mathbf{c_2})$ such that $\textsf{D}_{\textsf{sk}}(\mathbf{c_2})=\alpha \textsf{D}_{\textsf{sk}}(\mathbf{c_1})$ with polynomial probability. This pair is also a valid pair for the strengthening q-PKE assumption. $\hfill\square$

Similarly, we give the formal definition of the strengthening q-PDH assumption.

Definition 26

(The Strengthening q-PDH Assumption) ($\textrm{K},\textsf{E},\textsf{D},\textsf{Eval}$) is an encoding scheme and $\textsf{KeySwitch}=(\textsf{SwitKeyGen},\textsf{KeySwit})$ is a key-switching algorithm. The strengthening q-PDH assumption states that for any automorphism or identity mapping f, any $\textsc{ppt}$ adversary $\mathcal{A}$, any auxiliary information $\textsf{aux}$ and key switching keys $\textsf{switkey}$,

$$\begin{aligned} \Pr \left[ \begin{array}{ll}(\textsf{sk},\textbf{F}),(\textsf{sk} ',\mathbf{F'})\leftarrow \textrm{K}(1),s\leftarrow R_p,\textsf{switkey}\leftarrow \textsf{SwitKeyGen}(\textsf{sk},\textsf{sk} '), \\ {\hat{c}}\leftarrow \mathcal{A} (\textsf{E}_{\textsf{sk}}(1),\textsf{E}_{\textsf{sk}}(s),\dots ,\textsf{E}_{\textsf{sk}}(s^q),\textsf{E}_{\textsf{sk}}(s^{q+2}),\dots ,\textsf{E}_{\textsf{sk}}(s^{2q}),\textsf{aux},\textsf{switkey},f):\\ \textsf{D}_{\textsf{sk}}({\hat{c}})\bmod {\mathfrak{p}} _i\equiv s^{q+1} \text{ for }i=1 \text{ or } 2 \text{ or } \textsf{D}_{\textsf{sk} '}({\hat{c}})\bmod {\mathfrak{p}} _i\equiv s^{q+1} \text{ for }i=1 \text{ or } 2 \end{array} \right] \le \textsf{negl} (\lambda ). \end{aligned}$$

Lemma 27

If the encoding scheme ($\textrm{K},\textsf{E},\textsf{D}$) satisfies the strengthening q-PDH assumption, then it satisfies the q-PDH assumption over ring.

Proof

The proof is similar. If there is a $\textsc{ppt}$ adversary can break the q-PDH assumption over ring, then it outputs an encoding ${\hat{c}}$ such that $\textsf{D}_{\textsf{sk}}({\hat{c}})\bmod {\mathfrak{p}} _1\equiv s^{q+1} \text{ or } \textsf{D}_{\textsf{sk}}({\hat{c}})\bmod {\mathfrak{p}} _2\equiv s^{q+1}$ with polynomial probability. This encoding is also a valid encoding for the strengthening q-PDH assumption. $\hfill\square$

The Lemmas 25 and 27 show that our new assumptions are stronger than previous ones, which is why it’s so named. Next, we give the feasibility of our new assumptions.

Feasibility of New Assumptions. Our modified PKE assumption, which enhances PKE assumption, is rooted in prior knowledge assumptions but refined by the specific ring structure. Furthermore, a set of predetermined key-switching keys is appended to the auxiliary information. The feasibility of this strategy is premised on the key-switching procedure, which can be separated into a non-linear component (Key Generation) and a linear component. Since the key-switching keys are fixed, the adversary is limited to linear evaluations, which does not violate the PKE assumption.

The q-PDH assumption is also amenable to combination with key-switching keys, without compromising the security of the message $\textsf{sk}$ since the encoding scheme is $\textsf{IND}$-$\textsf{CPA}$ secure. Consequently, including extra key-switching keys does not impact the difficulty of the q-PDH assumption.

Parameters. The PKE assumption still holds over a small field (or a ring with a small ideal norm). This is due to the spareness of a valid pair of $\textsf{MLWE}$ encodings, which requires a relation of $\alpha$ between two messages.

Yet, the PDH assumption does not maintain its hardness when considered over a polynomial-sized field $\mathbb{F}$. The direct consequence is that we can accurately deduce the value of s with a probability of $1/\textsf{poly}(\lambda )$ and subsequently compute $\textsf{E}_{\textsf{sk}}(s^{q+1})$. Moreover, Ishai et al. (2021) proposed a more efficient attack. The adversary can select random and independent $x_1,\ldots ,x_{2q}\in F$, and compute $f(x)=\prod _{i=1}^{2q}(x-x_i)$, where all $x_i$ are roots of f(x). Then if s collides with any $x_i$, the adversary can compute $\textsf{E}_{\textsf{sk}}(s^{q+1})$ since the coefficient of $x^{q+1}$ in f(x) is not zero with non-negligible probability. Consequently, we require $2q/|\mathbb{F}|<2^{-\lambda }$ to reach $\lambda$-bits security level.

Zero-knowledge succinct non-interactive argument of knowledge schemes

In this section, we present two constructions of zk-SNARKs—one basic construction and then an optimized variant. The basic construction generalizes the framework of $\textsf{SSP}$-based SNARK (Gennaro et al. 2018) to the ring setting and then applies the technique of modulus switching to reduce the proof length. From the basic scheme, we then design the optimized construction, based on the strengthening assumptions (Definitions 24 and 26) and additional techniques including key-switching and packing, to optimize the parameters.

Below we first present the basic scheme.

The basic scheme

Construction 28

(Basic zk-SANRK) For any NP relation ${\mathcal{L}}=\{(u,\omega ):C(u,\omega )=1\}$ related to a boolean circuit C, the protocol $\Pi _1$ is composed of three $\textsc{ppt}$ algorithms $(\Pi _1.\textsf{Setup}, \Pi _1.\textsf{Prove}, \Pi _1.\textsf{Verify})$, and uses an encoding scheme $({\textsf{K}},\textsf{E},\textsf{D},\textsf{Eval})$ (e.g., the Construction 6) and a $\textsf{SSP}$ generation algorithm (e.g., the Construction 19) as building blocks. It works as follows:

$\Pi _1.\textsf{Setup}(\lambda )\rightarrow (\textsf{crs},\textsf{vrs},\textsf{td})$:
1. 1.
  Run $(\textbf{s},\textbf{F}){\mathop {\leftarrow }\limits ^{\$}} {\textsf{K}}\left( 1,k\right)$ and sample $\beta ,r,\alpha {\mathop {\leftarrow }\limits ^{\$}} R_p$. Set $\textsf{vrs}=\textsf{td}= (\textbf{s},\alpha ,\beta ,r)$.
2. 2.
  Run $ssp=(a(x), v_0(x),\ldots ,v_m(x))\leftarrow \textsf{SSP}(\textrm{C})$, and compute $\rho =(\textsf{E}_{\textbf{s}}(1),$ $\ldots ,\textsf{E}_{\textbf{s}}(r^d),\textsf{E}_{\textbf{s}}(\alpha ),\ldots ,\textsf{E}_{\textbf{s}}(\alpha r^d),\textsf{E}_{\textbf{s}}(\beta a(r)),\{\textsf{E}_{\textbf{s}}(\beta v_{i}(r))\}_{i=\ell _{u}+1}^{m})$. Set $\textsf{crs}$ $=(ssp,\rho ,\textbf{F})$.
3. 3.
  Return $(\textsf{crs},\textsf{vrs},\textsf{td})$.
$\Pi _1.\textsf{Prove}(\textsf{crs},u,\omega )\rightarrow \pi$:
1. 1.
  Parse $u=(u_1,\ldots ,u_{\ell _{u}})\in \{0,1\}^{\ell _{u}}$, $\omega =(\omega _{\ell _{u}+1},\ldots ,\omega _m)$, and sample $\gamma {\mathop {\leftarrow }\limits ^{\$}} R_p$. Then compute $v(x)=v_0(x)+\sum _{i=1}^{\ell _u} u_iv_i(x)+\sum _{i=\ell _u+1}^{m} \omega _iv_i(x)+\gamma a(x)$, $v^*(x)=\sum _{i=\ell _u+1}^{m} \omega _iv_i(x)+\gamma a(x)$ and $h(x)=(v^2(x)-1)/a(x)$.
2. 2.
  Run $\textsf{Eval}$ to compute
  - $\bullet$ $H=\textsf{Eval} (\{\textsf{E}_{\textbf{s}}(r^i),h_i\}_{i=0}^d,\textbf{F})$=$\textsf{E}_{\textbf{s}}(h(r))$,
  - $\bullet$ ${\hat{H}}=\textsf{Eval} (\{\textsf{E}_{\textbf{s}}(\alpha r^i),h_i\}_{i=0}^d,\textbf{F})$=$\textsf{E}_{\textbf{s}}(\alpha h(r))$,
  - $\bullet$ ${\hat{V}}= \textsf{Eval} (\{\textsf{E}_{\textbf{s}}(\alpha r^i),v_i\}_{i=0}^d,\textbf{F})$=$\textsf{E}_{\textbf{s}}(\alpha v(r))$,
  - $\bullet$ $\hat{V^*}= \textsf{Eval} (\{\textsf{E}_{\textbf{s}}(\beta v_i(r)),\omega _i\} _{i=\ell _u+1}^m ||\{\textsf{E}_{\textbf{s}}(\beta a(r)),\gamma \},\textbf{F})$=$\textsf{E}_{\textbf{s}}(\beta v^*(r))$,
  - $\bullet$ $V^*=\textsf{Eval} (\{\textsf{E}_{\textbf{s}}(r^i),v^*_i\}_{i=0}^d,\textbf{F})=\textsf{E}_{\textbf{s}}(v^*(r))$.
3. 3.
  Sample $\{e_{sm,i}\}_{i\in \{1,\ldots ,5\}}{\mathop {\leftarrow }\limits ^{\$}} [-B_{sm},B_{sm}]$, and compute $(H', {\hat{H}}', {\hat{V}}', \hat{V^*}',$ ${V^*}')$=$(H, {\hat{H}}, {\hat{V}}, \hat{V^*}, V^*)$ +$(pe_{sm,1},pe_{sm,2},pe_{sm,3},pe_{sm,4},pe_{sm,5})$.
4. 4.
  Run $\textsf{ModSwit}$ to compute
  - $\bullet$ $H''\leftarrow \textsf{ModSwit}(H',Q,Q',p)$,
  - $\bullet$ ${\hat{H}}''\leftarrow \textsf{ModSwit}({\hat{H}}',Q,Q',p)$,
  - $\bullet$ ${\hat{V}}''\leftarrow \textsf{ModSwit}({\hat{V}}',Q,Q',p)$,
  - $\bullet$ $\hat{V^*}''\leftarrow \textsf{ModSwit}(\hat{V^*}',Q,Q',p)$,
  - $\bullet$ ${V^*}''\leftarrow \textsf{ModSwit}({V^*}',Q,Q',p)$.
5. 5.
  Return $\pi =(H'', {\hat{H}}'', {\hat{V}}'', \hat{V^*}'', {V^*}'')\in R_{Q'}^{(k+1)\times 5}$.
$\Pi _1.\textsf{Vefify}(\textsf{vrs},u,{\tilde{\pi }})\rightarrow 0/1$:
1. 1.
  Parse $u=(u_1,\ldots ,u_{\ell _{u}})\in \{0,1\}^{\ell _{u}}$, ${\tilde{\pi }}=({\tilde{H}}, \tilde{{\hat{H}}}, \tilde{{\hat{V}}}, \tilde{\hat{V^*}}, \tilde{V^*})$ and compute $v_r^*=\textsf{D}_{\textbf{s}}(\tilde{V^*})$, $b^*_r=\textsf{D}_{\textbf{s}}(\tilde{\hat{V^*}})$, $h_r=\textsf{D}_{\textbf{s}}({\tilde{H}})$, $\hat{h_r}=\textsf{D}_{\textbf{s}}(\tilde{{\hat{H}}})$, $\hat{v_r}=\textsf{D}_{\textbf{s}}(\tilde{{\hat{V}}})$, $a_r=a(r)$ and $v_r=v_0(r)+\sum _{i=1}^{\ell _u} u_iv_i(r)+v^*_r$.
2. 2.
  Check if the following equations hold:
  - $\bullet$ $\alpha h_r=\hat{h_r}$,
  - $\bullet$ $\alpha v_r=\hat{v_r}$,
  - $\bullet$ $v_r^2-1=h_r\cdot a_r$,
  - $\bullet$ $b^*_r=\beta v_r^*$.
  If all of the equations are satisfied, then proceed to the subsequent step; otherwise, terminate the process and output “0”.

Theorem 29

The prime p satisifies $p\equiv 3\bmod 8$ and the cyclotomic ring R is ${\mathbb{Z}}[\zeta _{2n}]\cong {\mathbb{Z}}[X]/(X^n+1)$ with degree n. Assume the hardness of $\textsf{MLWE}$ assumption, strengthening q-PDH assumption and strengthening q-PKE assumption, as well as $\textsf{IND}$-$\textsf{CPA}$ security of the encoding scheme. Then for any modulus $Q>2^{\kappa +4}\sigma np^2\left( d+pn\right) \left( p\sqrt{2dn\kappa }+2\sigma n \kappa k\right)$, $Q=1\bmod p$, and the switched modulus $Q'>4np^2\left( \sigma \sqrt{nk\kappa }+n\right)$, $Q'=1\bmod p$, the Construction 28 is a zero-knowledge succinct non-interactive adaptive argument of knowledge (zk-SNARK) for any square span program relation $(u,\omega )\in {\mathcal{L}}$.

The proof shares some similarities with the proof of our later optimized proof. For brevity, we defer the proof in Appendix B.

The optimized scheme

The optimized scheme further improves the efficiency of the basic construction using more algebraic techniques—at a high level, we can pack multiple Module-LWE encodings in a lower dimension ring to one Module-LWE encoding in a higher dimension ring, via packing technique. As encodings from a higher dimension ring have a better rate, i.e., output/input length ratio, then the key-switching technique can further compress the length of the proof (by a factor of 8x from our concrete instantiations). However, as the key-switching procedure requires an additional key-switching key, our proof of security would rely on a stronger assumption (Assumptions 26, 24). Below we present the description of the optimized scheme.

Construction 30

(Optimized zk-SNARK) For any NP relation ${\mathcal{L}}=\{(u,\omega ):C(u,\omega )=1\}$ related to a boolean circuit C, the optimized protocol $\Pi _2$ is composed of three $\textsc{ppt}$ algorithms $(\Pi _2.\textsf{Setup}, \Pi _2.\textsf{Prove}, \Pi _2.\textsf{Verify})$, and uses an encoding scheme $(\textrm{K},\textsf{E},\textsf{D},\textsf{Eval})$ (e.g., the Construction 6), a $\textsf{SSP}$ generation algorithm (e.g., the Construction 19) and a key switching algorithm $(\textsf{SwitKeyGen},\textsf{KeySwit})$ as building blocks. It is defined as follows:

$\Pi _2.\textsf{Setup}(\lambda )\rightarrow (\textsf{crs},\textsf{vrs},\textsf{td})$:
1. 1.
  $\boxed { {\textrm{Run}}\, (\mathbf{s_1},\textbf{F})\leftarrow \textrm{K}(1,k), (\mathbf{s_2},\textbf{F}_2),(\mathbf{s_3},\textbf{F}_3)\leftarrow \textrm{K}(1,k')\, {\mathrm{independently.}}}$
  
  Sample $\alpha ,\beta ,r{\mathop {\leftarrow }\limits ^{\$}} R_p$. Set $\textsf{vrs}=\textsf{td}= (\mathbf{s_1},\mathbf{s_2},\alpha ,\beta ,r)$.
2. 2.
  Run $ssp=(a(x),v_0(x),\ldots ,v_m(x))\leftarrow \textsf{SSP}(\textrm{C})$. $\boxed { {\textrm{Run}}\, \textbf{B}\leftarrow \textsf{SwitKeyGen}\, (\mathbf{s_1},\mathbf{s_2}),}$
  
  $\boxed {\mathbf{B'}\leftarrow \textsf{SwitKeyGen}(\mathbf{s_1},\mathbf{s_3}),}$$\boxed { \textbf{B}_i\leftarrow \textsf{SwitKeyGen}(\tau _i(\mathbf{s_2}),\mathbf{s_3}),\,}$
  
  $\boxed { \text{for} \, i\in \mathbb{Z}_{16}^*, {\text{where}}\, \tau _i \,{\text{are}}\, {\text{pre-determined}}}$$\boxed {\text{automorphisms} \, \text{over} \, \mathcal{R}.}$ Then run $\textsf{E}$ to obtain $\rho =(\textsf{E}_{\mathbf{s_1}}(1),\textsf{E}_{\mathbf{s_1}}(r),\ldots ,\textsf{E}_{\mathbf{s_1}}(r^d),\textsf{E}_{\mathbf{s_1}}(\alpha ),\textsf{E}_{\mathbf{s_1}}(\alpha r),\ldots ,\textsf{E}_{\mathbf{s_1}}(\alpha r^d),$
  
  $\textsf{E}_{\mathbf{s_1}}(\beta a(r)),\{\textsf{E}_{\mathbf{s_1}}(\beta v_{i}(r))\}_{i=\ell _{u}+1}^{m})$. $\boxed { {\textrm{Set}}\, \textsf{crs}=(ssp,\rho ,\textbf{F},\textbf{B}, \mathbf{B'},\{\textbf{B}_i\}_{i\in \mathbb{Z}_{16}^*}).}$
3. 3.
  Return $(\textsf{crs},\textsf{vrs},\textsf{td})$.
$\Pi _2.\textsf{Prove}(\textsf{crs},u,\omega )\rightarrow \pi '$:
1. 1.
  Parse $u=(u_1,\ldots ,u_{\ell _{u}})\in \{0,1\}^{\ell _{u}}$, $\omega =(\omega _{\ell _{u}+1},\ldots ,\omega _m)$, and sample $\gamma {\mathop {\leftarrow }\limits ^{\$}} R_p$. Then compute $v(x)=v_0(x)+\sum _{i=1}^{\ell _u} u_iv_i(x)+\sum _{i=\ell _u+1}^{m} \omega _iv_i(x)+\gamma a(x)$, $v^*(x)=\sum _{i=\ell _u+1}^{m} \omega _iv_i(x)+\gamma a(x)$ and $h(x)=(v^2(x)-1)/a(x)$.
2. 2.
  Run $\textsf{Eval}$ to compute
  - $\bullet$ $H=\textsf{Eval} (\{\textsf{E}_{\textbf{s}}(r^i),h_i\}_{i=0}^d,\textbf{F})$=$\textsf{E}_{\textbf{s}}(h(r))$,
  - $\bullet$ ${\hat{H}}=\textsf{Eval} (\{\textsf{E}_{\textbf{s}}(\alpha r^i),h_i\}_{i=0}^d,\textbf{F})$=$\textsf{E}_{\textbf{s}}(\alpha h(r))$,
  - $\bullet$ ${\hat{V}}= \textsf{Eval} (\{\textsf{E}_{\textbf{s}}(\alpha r^i),v_i\}_{i=0}^d,\textbf{F})$=$\textsf{E}_{\textbf{s}}(\alpha v(r))$,
  - $\bullet$ $\hat{V^*}= \textsf{Eval} (\{\textsf{E}_{\textbf{s}}(\beta v_i(r)),\omega _i\} _{i=\ell _u+1}^m ||\{\textsf{E}_{\textbf{s}}(\beta a(r)),\gamma \},\textbf{F})$=$\textsf{E}_{\textbf{s}}(\beta v^*(r))$,
  - $V^*=\textsf{Eval} (\{\textsf{E}_{\textbf{s}}(r^i),v^*_i\}_{i=0}^d,\textbf{F})=\textsf{E}_{\textbf{s}}(v^*(r))$.
3. 3.
  Sample $\{e_{sm,i}\}_{i\in \{1,\ldots ,5\}}{\mathop {\leftarrow }\limits ^{\$}} [-B_{sm},B_{sm}]$, and compute $(H', {\hat{H}}', {\hat{V}}', \hat{V^*}',$ ${V^*}')$=$(H, {\hat{H}}, {\hat{V}}, \hat{V^*}, V^*)$ +$(pe_{sm,1},pe_{sm,2},pe_{sm,3},pe_{sm,4},pe_{sm,5})$.
4. 4.
  Run $\textsf{ModSwit}$ to compute
  - $\bullet$ $H''\leftarrow \textsf{ModSwit}(H',Q,Q',p)$,
  - $\bullet$ ${\hat{H}}''\leftarrow \textsf{ModSwit}({\hat{H}}',Q,Q',p)$,
  - $\bullet$ ${\hat{V}}''\leftarrow \textsf{ModSwit}({\hat{V}}',Q,Q',p)$,
  - $\bullet$ $\hat{V^*}''\leftarrow \textsf{ModSwit}(\hat{V^*}',Q,Q',p)$,
  - $\bullet$ ${V^*}''\leftarrow \textsf{ModSwit}({V^*}',Q,Q',p)$.
5. 5.
  $\boxed { {\textrm{Let}}\, \pi =Pack(\hat{V^*}'',H'', {\hat{H}}'',{V^*}'', {\hat{V}}'')\in \mathcal{R}_{Q'}^{k+1}.}$
6. 6.
  $\boxed { {\textrm{Run}}\, \textsf{KeySwit}{\textrm{to compute and return}}\, \pi '=\textsf{KeySwit}(B,\pi ).}$
$\Pi _2.\textsf{Vefify}(\textsf{vrs},u,{\tilde{\pi }})\rightarrow 0/1$:
1. 1.
  Parse $u=(u_1,\ldots ,u_{\ell _{u}})\in \{0,1\}^{\ell _{u}}$ and ${\tilde{\pi }}=({\tilde{H}}, \tilde{{\hat{H}}}, \tilde{{\hat{V}}}, \tilde{\hat{V^*}}, \tilde{V^*})$.
2. 2.
  $\boxed { {\textrm{Compute}}\, m'=\textsf{D}_{\mathbf{s_2}}({\tilde{\pi }})\in \mathcal{R}, {\textrm{and parse}}\, m' {\textrm{as}}\, (b^*_r,h_r,\hat{h_r},v^*_r,\hat{v_r},0,0,0).}$
  
  Then compute $a_r=a(r)$ and $v_r=v_0(r)+\sum _{i=1}^{\ell _u} u_iv_i(r)+v^*_r$.
3. 3.
  Check if the following equations hold:
  - $\bullet$ $\alpha h_r=\hat{h_r}$,
  - $\bullet$ $\alpha v_r=\hat{v_r}$,
  - $\bullet$ $v_r^2-1=h_r\cdot a_r$,
  - $\bullet$ $\beta v^*_r=b^*_r$.
  If all of the equations are satisfied, then proceed to the subsequent step; otherwise, terminate the process and output “0”.

To show the above Construction 30 is a zk-SNARK, we first prove three separated properties, including completeness, the argument of knowledge, and honest-verifier zero-knowledge respectively, which corresponds to Theorem 31, 32, and 33. Then we put them together and further prove the succinctness property to show the Construction 30 is a zk-SNARK.

Completeness

Theorem 31

The prime p satisfies $p\equiv 3\bmod 8$, and R, $\mathcal{R}$ are cyclotomic rings with degree n, 8n. For any modulus Q satisfying $Q=1\bmod p$, $Q>2^{\kappa +3}\cdot 9 \sigma np^2\left( d+pn\right) \left( p\sqrt{2dn\kappa }+2\sigma n \kappa k\right)$, and switched modulus $Q'$ satisfying $Q'$=$1\bmod p$, $Q'>$ $2np^2\left[ 9(\sigma \sqrt{nk\kappa }+n)+18\sigma '\sqrt{(k+1)8n\kappa \log {Q'}}+16\sigma ''\sqrt{(k'+1)8n\kappa \log {Q'}} \right]$, the Construction 30 satisfies completeness with probability at least $(1-8n\exp (-\pi \kappa /\sigma ^2))\cdot (1-16n\exp (-\pi \kappa /\sigma '^2))$.

Proof

We demonstrate that the infinite norm of the ultimate noise in $\pi '$ remains below half of the switched modulus when the prover is in accordance with the protocol. Our analysis will elucidate the evolution of noise throughout each step.

In the setup stage, $\{\textsf{E}_{\mathbf{s_1}}(\beta v_{i}(r))\}_{i=\ell _{u}+1}^{m}$ and $\textsf{E}_{\mathbf{s_1}}(\beta a(r))$ are computed by additive homomorphic evaluations and we have $B_{\textsf{crs}}=\sigma p^2\sqrt{2dn\kappa }+2p\sigma ^2n\kappa k$ with probability $1-6n\exp (-\pi \kappa /\sigma ^2)$. In the proving stage, we first compute 5 evaluations, and the largest noise growth lies in $\hat{V^*}$, which is $B_{\hat{V^*}}=B_{\textsf{crs}}(m-\ell _u+pn)=(\sigma p^2\sqrt{2dn\kappa }+2p\sigma ^2n\kappa k)(m-\ell _u+pn)$ with probability $1-6n\exp (-\pi \kappa /\sigma ^2)$. Noise smudging makes the error bound increase to $(2^{\kappa }+1)B_{\hat{V^*}}$. Then the infinity norm is less than $(2^{\kappa }+1)(\sigma p^2\sqrt{2dn\kappa }+2p\sigma ^2n\kappa k)(m-\ell _u+pn)$ with probability $1-6n\exp (-\pi \kappa /\sigma ^2)$. After modulus-switching, the bound $B_{\hat{V^*}'}$ is less than $\gamma Q'+\frac{p}{2}(\sigma \sqrt{\kappa nk}+n)$ with probability $1-2n\exp (-\pi \kappa /\sigma ^2)$ together with $(2^{\kappa }+1)(\sigma p^2\sqrt{2dn\kappa }+2p\sigma ^2n\kappa k)(m-\ell _u+pn)+2dnp^2(m-\ell _u+pn) <\gamma Q$. The packing procedure does not introduce extra noise. Applying key-switching introduces additional noise, $p\langle \textsf{BD}(\pi ),\mathbf{e'}\rangle$, and it’s infinity norm is no more than $p\sigma '\sqrt{(k+1)8n\kappa \log {Q'}}$ with probability $1-16n\exp (-\pi \kappa /\sigma '^2)$. Since the noise in key-switching key $\mathbf{e'}$ is independent of noise in $\textsf{crs}$, thus the whole error’s infinity norm in the proof is no more than $e_{\pi '}=\gamma Q'+\frac{p}{2}(\sigma \sqrt{\kappa nk}+n)+p\sigma '\sqrt{(k+1)8n\kappa \log {Q'}}$ with probability $(1-8n\exp (-\pi \kappa /\sigma ^2))\cdot (1-16n\exp (-\pi \kappa /\sigma '^2))$.

Therefore, the proof can be decrypted correctly as long as $\gamma Q'+\frac{p}{2}(\sigma \sqrt{\kappa nk}+n)+p\sigma '\sqrt{(k+1)8n\kappa \log {Q'}}<\frac{Q'}{2}$. $\hfill\square$

Computational Honest-verifier Zero-knowledge

Theorem 32

Assume the hardness of $\textsf{MLWE}$ assumption, strengthening q-PDH assumption and strengthening q-PKE assumption. Suppose that the encoding scheme is $\textsf{IND}$-$\textsf{CPA}$ secure. Then for any $Q,Q'$ are defined as Theorem 31, the Construction 30 satisfies computational honest-verifier zero knowledge.

Proof

To establish computational honest-verifier zero-knowledge property, we can construct a $\textsc{ppt}$ simulator $\textsf{Sim}=(\mathcal{S}_1,\mathcal{S}_2)$ such that the distribution of its output is computationally indistinguishable from the distribution of an honest execution. We divide the whole protocol into three stages. The first stage is the setup phase, the second stage is the first three steps of the prover, and the third stage is the remaining three steps of the prover.

The construction of $\textsf{Sim}$ is presented in Fig. 1. From the construction, it differs from the real case in two aspects: one is that a(r) is always invertible in the simulate case; another is that the simulator encodes messages directly by trapdoor instead of applying additive homomorphic evaluation on $\textsf{crs}$.

In the first stage, the statistical distance of $\mathcal{S}_1$ and the real setup algorithm is at most $2/p^{\frac{n}{2}}$ as the probability that a random chosen $a(r)\bmod {\mathfrak{p}}_i$ equals 0 is $\frac{2\cdot p^{n/2}-1}{p^n}\approx 2/p^{\frac{n}{2}}$. This means that the output distribution of $\mathcal{S}_1(u)$ is statistically close to the output distribution produced by the real setup algorithm.

In the second stage, the simulator and real prover take the output of the first stage as inputs and generate $(H'', {\hat{H}}'', {\hat{V}}'', \hat{V^*}'', {V^*}'')$. In the real protocol, the prover uses re-randomized evaluation (Construction 6) and each encoding consists of two parts e.g., ($\textbf{a},b$). From the Construction 6, we have $\textbf{a}$ as a pseudo-random ring vector over $\mathcal{R}^{k'}$, assuming the hardness of the $\textsf{MLWE}$ assumption. After noise smudging, the distribution of b is statistically indistinguishable from the noise distribution by Lemma 12.

In the simulation case, the prover encodes directly using the $\textsf{MLWE}$ encoding scheme. Each encoding consists of two parts e.g., ($\mathbf{a'},b'$). In the $\textsf{MLWE}$ encoding scheme, $\mathbf{a'}$ is truly random. Thus we have the distribution of $\textbf{a}$ and the distribution of $\mathbf{a'}$ are computationally indistinguishable. After noise smudging, the distribution of $b'$ is statistically indistinguishable from the noise distribution by Lemma 12. Then the distribution of b and $b'$ are the same.

Up to now, we have proven that two executions are computationally indistinguishable after the first two stages. In the third stage, the simulator and the real prover perform the same modulus switching, pack algorithm, and key-switching, which implies the two distributions are indistinguishable.

Putting things together, we have that the Construction 30 satisfies computational honest-verifier zero-knowledge. $\hfill\square$

Computational Argument of Knowledge

Theorem 33

Assume the hardness of $\textsf{MLWE}$ assumption, strengthening q-PDH assumption, and strengthening q-PKE assumption. Suppose that the encoding scheme is $\textsf{IND}$-$\textsf{CPA}$ secure. Then for any $Q,Q'$ defined as Theorem 31, the Construction 30 satisfies computational argument of knowledge with knowledge error $2(q-m+\ell _u)/p^{\frac{n}{2}}$.

Proof

We show this via a reduction—assuming the existence of a $\textsc{ppt}$ adversary produces a valid proof $\pi '$, we can break the hardness of strengthening q-PDH assumption. More concretely, assuming the existence of a $\textsc{ppt}$ adversary, denoted as $\mathcal{A} ^{\pi '}$, who can forge a proof for a false statement that passes the verification, it follows that, at least one of the subsequent two events will ensue.

$E_1$: $v^2(r)-1= a(r)h(r)$ and $v^2(x)-1\ne a(x)h(x)$.
$E_2$: $v^*(x)$ can not be represented as a linear combination of a(x), $v_{\ell _u+1}(x)$, $\ldots$,$v_m(x)$, but the message encoded in the $\hat{V^*}''$ equals $\beta v^*(r)$.

We can demonstrate that the occurrence of either event $E_1$ or $E_2$ results in breaking the strengthening of q-PDH assumption. The construction of the adversary $\mathcal{A} ^{PDH }$ closely resembles that presented in Gennaro et al. (2018). Nevertheless, contrary to the proof presented in Gennaro et al. (2018), our construction is built over the ring. Accordingly, we emphasize the approach to deal with the inverse of a ring element.

A valid proof encompasses a single encoding belonging to $\mathcal{R}_{Q'}^{k'+1}$. By executing the unpack algorithm, we obtain 5 encodings. The d-PKE assumption enables the existence of a $\textsc{ppt}$ extractor $\textsf{Ext} ^{PKE }$ to extract h(x) from $(H'', {\hat{H}}'')$, and v(x) from $(V'',{\hat{V}}'')$, where $V''$ is computed as by homomorphic evaluation and ${V^*}''$. Set $z(x)=v^2(x)-1-a(x)h(x)$. The event $E_1$ implies that z(x) is not zero polynomial and $z(s)=0$. We assume the highest degree of non-zero coefficient is $k (k\le 2d)$ and parse z(x) as $\sum _{i=0}^k z_ix^i$. Since $z_k\ne 0$, there exists at least one ideal such that $z_k\bmod {\mathfrak{p}}_i\ne 0$ (here $z_k$ is treated as a ring element). We suppose that $z_k\bmod {\mathfrak{p}}_1\ne 0$, and then $z_k$ has its inverse $z_k^{-1}$ in $R_p/{\mathfrak{p}}_1$ without loss of generality.

Next, we show how to compute $\textsf{E}_{\mathbf{s_1}}(r^{q+1})$. We have $z(r)\bmod {\mathfrak{p}}_1=0$ since $z(r)=0\bmod p$. Let ${\tilde{z}}(x)=((x^{k}- z_k^{-1} \cdot z(x))~mod ~ {p})~mod ~{\mathfrak{p}}_1$ with degree at most $k-1$. Clearly, $r^k-{\tilde{z}}(r)$ equals zero over $R/{\mathfrak{p}}_1$, so does $r^{q+1}-r^{q+1-k}{\tilde{z}}(r)$. This means that if we can derive $\textsf{E}_{\mathbf{s_1}}(r^{q+1-k}{\tilde{z}}(r))$, we also obtain $\textsf{E}_{\mathbf{s_1}}(r^{q+1})$. As the degree of $x^{q+1-k}{\tilde{z}}(x)$ is at most q, we compute $\textsf{E}_{\mathbf{s_1}}(r^{q+1-k}{\tilde{z}}(r))$ by homomorphic evaluation $\textsf{Eval} (\{\textsf{E}_{\mathbf{s_1}}(r^{q+1-k+i}),{\tilde{z}}_i\}_{i=0}^{k-1},\textbf{F})$. Furthermore, we require $q\ge 2d-1$ to make sure $q+1-k$ to be positive for k is less than 2d. This breaks the hardness of strengthening of q-PDH assumption for $q\ge 2d-1$.

Similarly, if the event $E_2$ happens, we can also construct an adversary for q-PDH assumption. Specifically, we first generate the $\textsf{crs}$ as the event $E_1$ happens except the way of computing $\{\textsf{E}_{\mathbf{s_1}}(\beta v_{i}(r))\}_{i=\ell _{u}+1}^{m}$ and $\textsf{E}_{\mathbf{s_1}}(\beta a(r))$. Similar to the idea of Gennaro et al. (2018), we interpret $\beta$ as f(r), where $f(x)\in {\mathcal{F}}$, and ${\mathcal{F}}$ is defined as the function class: $\{f(x):\text{the coefficient of } x^{q+1} \text{ in } f(x)v_{i}(x) \text{ and } f(x)a(x) \text{ are} \text{ zero, } \forall i\in [\ell _u+1,m] \}.$ In this condition, we generate $\textsf{crs}$ without knowing $\textsf{E}_{\mathbf{s_1}}(r^{q+1})$. Meanwhile, the $m-\ell _u+1$ constraints in ${\mathcal{F}}$ make the degree freedom of f(x) drop to $q-(m-\ell _u)$. We sample $f(x)\xleftarrow {\$} {\mathcal{F}}$. Then $\textsf{E}_{\mathbf{s_1}}(\beta v_{i}(r)))=\textsf{E}_{\mathbf{s_1}}(f(r)v_i(r))=\textsf{Eval} (\{\textsf{E}_{\mathbf{s_1}}(r^j),c_{ij}\}_{j=0,j\ne q+1}^{2q},\textbf{F})$ for $i\in [\ell _u+1,m]$ and $\textsf{E}_{\mathbf{s_1}}(\beta a(r))=\textsf{E}_{\mathbf{s_1}}(f(r)a(r))=\textsf{Eval} (\{\textsf{E}_{\mathbf{s_1}}(r^j),c'_{j}\}_{j=0,j\ne q+1}^{2q},\textbf{F})$, assuming that $f(x)v_{i}(x)=\sum _{j=0}^{2q} c_{ij}x^j$ and $f(x)a(x)=\sum _{j=0}^{2q} c'_jx^j$. Similar to the case of event $E_1$, we get the proof $\pi '$. By running unpacking algorithm on $\pi '$, we obtain the separated ciphertexts $(\hat{V^*}'',H'', {\hat{H}}'',{V^*}'', {\hat{V}}'')$. Next, we prove the coefficient of $x^{q+1}$ in $f(x)v^*(x)$ is invertible (which is treated as a ring element) with overwhelming probability. More specifically, let $f(x)=\sum _{i=0}^q f_ix^i$, $v^*(x)=\sum _{i=0}^d v^*_ix^i$, then $f(x)v^*(x)=\sum _{i=0}^{2d}c_ix^i$ for $q=d$. The coefficient of $x^{q+1}$ in $f(x)v^*(x)$ is $c_{q+1}=\sum _{i=1}^{q}f_iv^*_{q+1-i}$. We consider the case that $c_{q+1}$ is not invertible, which means that $\sum _{i=1}^{q}f_iv^*_{q+1-i}=0\pmod {{\mathfrak{p}}_i}$ for any $i\in \{1,2\}$. The probability of the case where $c_{q+1}$ is not invertible is at most $2(q-m+\ell _u)/p^{n/2}$ by Schwartz-Zippel lemma. Since the Schwartz-Zippel lemma holds in the field, all elements here are considered as elements in $R/{\mathfrak{p}}_i$. Therefore, the coefficient of $x^{q+1}$ is invertible in $R_p$ with probability $1-2(q-m+\ell _u)/p^{n/2}$. Recall that $V^*=\textsf{E}_{\mathbf{s_3}}(\beta v^*(r))=\textsf{E}_{\mathbf{s_3}}(f(r)v^*(r))=\textsf{E}_{\mathbf{s_3}}(\sum _{i=0}^{2q}c_ir^i)$. Then we can obtain $\textsf{E}_{\mathbf{s_2}}(r^{q+1})$ by ${V^*}''$ subtracts other terms (via homomorphic evaluation and key switching) and multiples $c_{q+1}^{-1}$. Concretely, we can compute $\textsf{E}_{\mathbf{s_3}}(r^{q+1}\bmod {\mathfrak{p}} _1)=c_{q+1}^{-1}({V^*}''-\mathbf{c'})$, where $\mathbf{c'}$ is $\textsf{Eval} (\{\textsf{E}_{\mathbf{s_1}}(r^i),c_i\}_{i=0,i\ne q+1}^{2q},\textbf{F}))$ after modulus-switching and key-switching. That breaks the strengthening of q-PDH assumption for $q=d$.

So far, we have established the computational soundness of the proposed Construction 30 with soundness error $2(q-m+\ell _u)/p^{\frac{n}{2}}$. Furthermore, the construction also satisfies the argument of knowledge property, i.e., the existence of a $\textsc{ppt}$ extractor to recover the witness when the adversary outputs convincing proof. As the event $E_2$ happens with negligible probability, the recovered $v^*(x)$ is a linear combination of $\{ a(x), v_{\ell _u+1}(x),\ldots ,v_m(x)\}$. Then there are $m-\ell _u+1$ unknowns and $d+1$ constraints. The witness $\omega =(\omega _{\ell _u+1},\ldots ,\omega _m)$ can be recovered easily by Gaussian elimination since $d=m+n>m-\ell _u$. $\hfill\square$

Corollary 34

Assume the hardness of $\textsf{MLWE}$ assumption, strengthening q-PDH assumption, and strengthening q-PKE assumption. Assume the encoding scheme is $\textsf{IND}$-$\textsf{CPA}$ secure. Then for any $R,\mathcal{R},p, Q, Q'$ are defined as Theorem 31, the Construction 30 is a zk-SNARK for any NP relation $(u,\omega )\in {\mathcal{L}}$.

Proof

To show the Construction 30 is a zk-SNARK, we show four properties, including completeness, the argument of knowledge, honest-verifier zero-knowledge, and succinctness, are satisfied.

Firstly, the succinctness property is evident since the proof consists of a single MLWE encoding, which implies a constant-sized proof and achieves succinctness. From the Theorem 31, we have the Construction 30 satisfies completeness. From the Theorem 32, we have the Construction 30 satisfies computational honest-verifier zero-knowledge. From the Theorem 33, we have the Construction 30 satisfies the computational argument of knowledge.

Put all the pieces together, we prove that the Construction 30 is a zk-SNARK. $\hfill\square$

Concrete parameters

In this section, we exhibit explicit and quantifiable parameters for our basic and optimized schemes.

Parameter selection

Firstly, we summarize the preceding restrictions on parameters and then propose several parameter sets.

Message Modulus p: The choice of p is jointly influenced by the PDH assumption and SSP instance generation. We have opted for a specific scenario where pR is divided into two ideals, and in this case, the prime p satisfies $p\equiv 3\bmod 8$. To guarantee the robustness of the d-PDH assumption over the subfield $R/{\mathfrak{p}}$ (where ${\mathfrak{p}}$ is an ideal of pR) and ensure the accuracy of SSP instance generation over ring $R_p$, we impose the following requirements: $\log p> 2(\lambda +\log {2d})/n$ and $p>4n$. After several attempts, we have determined that $n=64, p=283$, as well as $n=32,p=643$ (for $d=2^{20}$), or alternatively $n=32,p=547$ (for $d=2^{16}$).
Dimension n of R: The ring dimension n is set to be a power of 2 and it can be small, such as 64, as long as we set a larger rank k to maintain sufficient nk in the $\textsf{MLWE}$ estimation. Analyze with p, and we set $n=64$ or $n=32$.
Standard deviation $\sigma$ and $\sigma '$: In this paper, we set all standard deviations $\sigma =\sigma '=64$ without other annotations.
Modulus Q, $Q'$: The modulus Q and $Q'$ are positive integers that satisfy completeness of construction as Theorem 31.
Rank $k,k'$: The quantities k and $k'$ are measured by the LWE security estimator (Albrecht et al. 2015) for a desired security level given predetermined values $n,\alpha ,\sigma ,\sigma '$. In terms of classical security, we adopt “ADPS16” (Alkim et al. 2016) method, which yields the least security level relative to other approaches with equivalent parameters. In the case of quantum security, two methodologies, namely “LasMosPol14” (Laarhoven et al. 2015) and “qsieve”, yield identical results.
Circuit size d: We take circuit size ranging from $2^{10}$ to $2^{20}$, which is sufficient in the majority of applications.

Following the aforementioned parameter suggestions, we present detailed parameters for partial circuits ($d=2^{16}$ and $d=2^{20}$ as before) in Table 3.

Table 3 Parameter setting for $\lambda \approx 128$, $\kappa =40$

Full size table

Proof and CRS length

The proof of the basic scheme consists of 5 encodings in $R_{Q'}$ and that in the optimized scheme is 1 encoding in $\mathcal{R}_{Q'}$. Then the proof size of the basic scheme and optimized scheme are $5n(k+1)\log Q'$ bits, and $n'(k'+1)\log Q'$ bits respectively. For the basic scheme, CRS consists of $2(d+1)+m-\ell _u+3$ encodings in $R_{Q}^{k+1}$, which are less than $3(d+1)(k+1)n\log Q$ bits. Furthermore, we can utilize a seed and a pseudorandom generator to substitute true randomness in the encodings, then the length of CRS shrinks to $3(d+1)n\log Q$ bits. Since the optimized scheme utilizes the key-switching technique, the CRS length in the optimized scheme increases by key-switching keys. To be specific, the optimized scheme employs 2 key-switchings from $\mathcal{R}_{Q'}^{k+1}$ to $\mathcal{R}_{Q'}^{k'+1}$ and 8 key-switchings from $\mathcal{R}_{Q'}^{k'+1}$ to $\mathcal{R}_{Q'}^{k'+1}$, which are $8n(k'+1)(2(k+1)+8(k'+1))\log ^2 {Q'}$ bits.

Plug the estimated values into the formulae, we obtain the concrete proof and CRS lengths in Table 4 and depict the tendency for circuit size ranging from $2^{10}$ to $2^{20}$ in Figs. 2 and 3.

Table 4 Proof and CRS lengths of schemes for $\lambda \approx 128,\kappa =40$

Full size table

Comparison Between the Basic and the Optimized Schemes. As shown in Figs. 2 and 3, our results indicate a slight increase in the proof length alongside a nearly linear increase in the CRS length. (It is important to note that our horizontal axis is logarithmic in scale with respect to circuit size, which is why the growth follows an exponential pattern.) This is due to the slight effect of circuit size on switched modulus, which translates to a small impact on proof length. Conversely, the increase in circuit size has a significant impact on the CRS length, which displays an almost linear correlation.

Our optimized scheme offers a marked improvement over the basic scheme, with the proof length being roughly 5x shorter. This attributes to its single encoding, as opposed to the basic scheme’s five encodings. As for the CRS length, the difference between the two schemes is minimal, primarily arising from the size of key-switching keys, which constitutes only $1\%$ of the total CRS size at $d=2^{20}$.

Conclusion

In this paper, we develop the framework of square span program-based SNARKs and design new zk-SNARKs over cyclotomic rings. To fit in the ring setting, we first extend square span programs over rings and then propose two new assumptions. Based on these fundamental components, we construct SANRKs by applying module-switching and key-switching procedures in a novel way.

Our scheme avoids parallel repetition leveraging the ring structure. Thus, we obtain concretely small constructions for SNARKs with the designated verifier in the preprocessing model, which has a proof of length 14.06KB and a CRS of length 133.99MB for the circuit of size $2^{16}$. For larger circuits, i.e., the size of $2^{20}$, the proof length and CRS length of our scheme are 14.34KB and 1.48GB respectively. These are $23.3\%$ smaller and the CRS length is 3.6x smaller compared to those in Ishai et al. (2021).

Availability of data and materials

Not applicable.

References

Albrecht MR, Player R, Scott S (2015) On the concrete hardness of learning with errors. J Math Cryptol 9(3):169–203
Article MathSciNet Google Scholar
Albrecht MR, Cini V, Lai RW, Malavolta G, Thyagarajan SA (2022) Lattice-based snarks: publicly verifiable, preprocessing, and recursively composable. In: Annual international cryptology conference. Springer, pp 102–132
Alkim E, Ducas L, Pöppelmann T, Schwabe P (2016) Post-quantum key exchange: a new hope. In: 25th USENIX security symposium (USENIX Security 16), pp 327–343
Banaszczyk W (1995) Inequalities for convex bodies and polar reciprocal lattices in r n. Discrete Comput Geom 13:217–231
Article MathSciNet Google Scholar
Ben-Sasson E, Chiesa A, Genkin D, Tromer E, Virza M (2013) Snarks for c: verifying program executions succinctly and in zero knowledge. In: Advances in cryptology—CRYPTO 2013: 33rd annual cryptology conference, Santa Barbara, CA, USA, August 18–22 2013. Proceedings, Part II. Springer, pp 90–108
Ben-Sasson E, Chiesa A, Tromer E, Virza M (2014) Succinct {Non-Interactive} zero knowledge for a von Neumann architecture. In: 23rd USENIX security symposium (USENIX Security 14), pp 781–796
Bitansky N, Canetti R, Chiesa A, Tromer E (2011) From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. Cryptology ePrint Archive
Bitansky N, Canetti R, Chiesa A, Tromer E (2012) From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In: Proceedings of the 3rd innovations in theoretical computer science conference, pp.326–349
Bitansky N, Chiesa A, Ishai Y, Paneth O, Ostrovsky R (2013) Succinct non-interactive arguments via linear interactive proofs. In: Theory of cryptography: 10th theory of cryptography conference, TCC 2013, Tokyo, Japan, March 3–6 2013. Proceedings. Springer, pp 315–333
Bitansky N, Canetti R, Chiesa A, Goldwasser S, Lin H, Rubinstein A, Tromer E (2017) The hunting of the snark. J Cryptol 30(4):989–1066
Article MathSciNet Google Scholar
Boneh D, Boyen X, Goh EJ (2005) Hierarchical identity based encryption with constant size ciphertext. In: Annual international conference on the theory and applications of cryptographic techniques. Springer, pp 440–456
Boneh D, Ishai Y, Sahai A, Wu DJ (2017) Lattice-based snargs and their application to more efficient obfuscation. In: annual international conference on the theory and applications of cryptographic techniques. Springer, pp 247–277
Bonneau J, Meckler I, Rao V, Shapiro E (2020) Coda: decentralized cryptocurrency at scale. Cryptology ePrint Archive
Brakerski Z, Gentry C, Vaikuntanathan V (2014) (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans Comput Theory (TOCT) 6(3):1–36
Article MathSciNet Google Scholar
Chiesa A, Yogev E (2020) Barriers for succinct arguments in the random oracle model. In: Theory of cryptography: 18th international conference, TCC 2020, Durham, NC, USA, November 16–19, 2020, Proceedings, Part II 18. Springer, pp 47–76
Chung H, Kim D, Kim JH, Kim J (2023) Amortized efficient zk-snark from linear-only rlwe encodings. J Commun Netw
Cini V, Lai RW, Malavolta G (2023) Lattice-based succinct arguments from vanishing polynomials. In: Annual international cryptology conference. Springer, pp 72–105
Danezis G, Fournet C, Groth J, Kohlweiss M (2014) Square span programs with applications to succinct nizk arguments. In: International conference on the theory and application of cryptology and information security. Springer, pp 532–550
Fisch B, Liu Z, Vesely P (2023) Orbweaver: succinct linear functional commitments from lattices. In: Annual international cryptology conference. Springer, pp 106–131
Gennaro R, Gentry C, Parno B, Raykova M (2013) Quadratic span programs and succinct nizks without pcps. In: Advances in Cryptology—EUROCRYPT 2013: 32nd annual international conference on the theory and applications of cryptographic techniques, Athens, Greece, May 26–30 2013. Proceedings 32. Springer, pp 626–645
Gennaro R, Minelli M, Nitulescu A, Orrù M (2018) Lattice-based zk-snarks from square span programs. In: Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pp 556–573
Gentry C (2009) Fully homomorphic encryption using ideal lattices. In: Proceedings of the forty-first annual ACM symposium on theory of computing, pp 169–178
Gentry C, Wichs D (2011) Separating succinct non-interactive arguments from all falsifiable assumptions. In: Proceedings of the forty-third annual ACM symposium on theory of computing, pp 99–108
Goldwasser S, Micali S, Rackoff C (1989) The knowledge complexityof interactive proof systems. SIAM J Comput 18(1):186–208
Article MathSciNet Google Scholar
Goldwasser S, Lin H, Rubinstein A (2011) Delegation of computation without rejection problem from designated verifier cs-proofs. Cryptology ePrint Archive
Groth J (2010) Short pairing-based non-interactive zero-knowledge arguments. In: Advances in cryptology-ASIACRYPT 2010: 16th international conference on the theory and application of cryptology and information security, Singapore, December 5–9 2010. Proceedings 16. Springer, pp 321–340
Groth J (2016) On the size of pairing-based non-interactive arguments. In: Advances in Cryptology–EUROCRYPT 2016: 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part II 35, pp. 305–326. Springer
Halevi S, Shoup V (2014) Algorithms in Helib. In: Advances in cryptology—CRYPTO 2014: 34th annual cryptology conference, Santa Barbara, CA, USA, August 17–21, 2014, Proceedings, Part I 34. Springer, pp 554–571
Halevi S, Shoup V (2020) Design and implementation of helib: a homomorphic encryption library. Cryptology ePrint Archive
Ishai Y, Su H, Wu DJ (2021) Shorter and faster post-quantum designated-verifier zksnarks from lattices. In: Proceedings of the 2021 ACM SIGSAC conference on computer and communications security, pp 212–234
Katsumata S, Yamada S (2016) Partitioning via non-linear polynomial functions: more compact ibes from ideal lattices and bilinear maps. In: Advances in cryptology—ASIACRYPT 2016: 22nd international conference on the theory and application of cryptology and information security, Hanoi, Vietnam, December 4–8 2016, Proceedings, Part II 22. Springer, pp 682–712
Laarhoven T, Mosca M, Van De Pol J (2015) Finding shortest lattice vectors faster using quantum search. Des Codes Crypt 77:375–400
Article MathSciNet Google Scholar
Labs P (2018) Filecoin. https://filecoin.io/filecoin.pdf
Langlois A, Stehlé D (2015) Worst-case to average-case reductions for module lattices. Des Codes Crypt 75(3):565–599
Article MathSciNet Google Scholar
Lyubashevsky V, Peikert C, Regev O (2010) On ideal lattices and learning with errors over rings. In: Advances in cryptology—EUROCRYPT 2010: 29th annual international conference on the theory and applications of cryptographic techniques, French Riviera, May 30–June 3, 2010. Proceedings 29. Springer, pp 1–23
Naganuma K, Yoshino M, Inoue A, Matsuoka Y, Okazaki M, Kunihiro N (2020) Post-quantum zk-snark for arithmetic circuits using qaps. In: 2020 15th Asia joint conference on information security (AsiaJCIS). IEEE, pp 32–39
Naor M (2003) On cryptographic assumptions and challenges. In: Annual international cryptology conference. Springer, pp 96–109
Nitulescu A (2019) Lattice-based zero-knowledge snargs for arithmetic circuits. In: Progress in cryptology—LATINCRYPT 2019: 6th international conference on cryptology and information security in Latin America, Santiago de Chile, Chile, October 2–4, 2019, Proceedings 6. Springer, pp 217–236
Parno B, Howell J, Gentry C, Raykova M (2016) Pinocchio: nearly practical verifiable computation. Commun ACM 59(2):103–112
Article Google Scholar
Peikert C, Vaikuntanathan V, Waters B (2008) A framework for efficient and composable oblivious transfer. In: Annual international cryptology conference. Springer, pp 554–571
Peikert C, Pepin Z, Sharp C (2021) Vector and functional commitments from lattices. In: Theory of cryptography: 19th international conference, TCC 2021, Raleigh, NC, USA, November 8–11 2021, Proceedings, Part III 19. Springer, pp 480–511
Sasson EB, Chiesa A, Garman C, Green M, Miers I, Tromer E, Virza M (2014) Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE symposium on security and privacy. IEEE, pp 459–474
Wee H, Wu DJ (2023) Succinct vector, polynomial, and functional commitments from lattices. In: Annual international conference on the theory and applications of cryptographic techniques. Springer, pp 385–416

Download references

Acknowledgements

Not applicable.

Funding

This work is supported by the National Key R&D Program of China under Grant 2020YFA0712303. Zhedong Wang is supported by National Natural Science Foundation of China (Grant No.62202305) and Shanghai Pujiang Program under Grant 22PJ1407700.

Author information

Authors and Affiliations

Key Laboratory of Cyberspace Security Defense, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Xi Lin, Heyang Cao & Mingsheng Wang
School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
Xi Lin, Heyang Cao & Mingsheng Wang
School of Electrical Engineering & Computer Science, Washington State University, Pullman, WA, USA
Feng-Hao Liu
School of Cyber Science and Engineering, Shanghai Jiaotong University, Shanghai, China
Zhedong Wang

Authors

Xi Lin
View author publications
You can also search for this author in PubMed Google Scholar
Heyang Cao
View author publications
You can also search for this author in PubMed Google Scholar
Feng-Hao Liu
View author publications
You can also search for this author in PubMed Google Scholar
Zhedong Wang
View author publications
You can also search for this author in PubMed Google Scholar
Mingsheng Wang
View author publications
You can also search for this author in PubMed Google Scholar

Contributions

All the authors have equal contributions to this paper.

Corresponding author

Correspondence to Heyang Cao.

Ethics declarations

Competing interests

The authors declare that they have no competing interests.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendices

Appendix A: Propertites of encoding scheme

Lemma A.1

(Correctness) The encoding scheme ($\textrm{K}$,$\textsf{E}$,$\textsf{D}$,$\textsf{Eval}$) is defined in the Construction 6. Then for any d independent encodings $\textsf{E}_{\textsf{sk}}(m_1),\dots ,\textsf{E}_{\textsf{sk}}(m_d)$ and any $\alpha _i\in R_p$, the infinity norm of error in $\textsf{Eval} (\textsf{E}_{\textsf{sk}}(m_i),\alpha _i,F)$ is no more than $\sigma p^2\sqrt{dn\kappa }+2p\sigma ^2n\kappa k$ with probability $1-6n\exp (-\pi \kappa /\sigma ^2)$.

Proof

As the decoding algorithm depicts, we have $\sum _{i=1}^d \alpha _ib_i+\textbf{r}^T\textbf{b}^*-\langle \sum _{i=1}^d \alpha _i\mathbf{a_i}+A^*\textbf{r}+p\mathbf{e'},\mathbf{s'}\rangle = \sum _{i=1}^d \alpha _i \cdot pe_i+\textbf{r}^T\cdot p\textbf{e}^*-p\langle \mathbf{e'},\mathbf{s'}\rangle$. Assume that $e_i$ is the error in $\textsf{E}_{\textsf{sk}}(m_i)$ and $e_{ik}$ is the k-th bit representation of $e_i$ for $i\in [d],k\in [n]$. $a_{ik}$ is defined in similar manner. Since the $e_{ik}$ are independent, every entry of noise in $\sum _{i=1}^d \alpha _ie_i$ is a linear combination of $e_{ik}$. Take the constant term as an example, it equals $\sum _{i=1}^{d}\sum _{k=0}^{n-1}\alpha _{ik}pe_{i,n-k}$, which is bounded by $p\sigma \sqrt{\kappa }\Vert \mathbf{\alpha }\Vert _2\le p\sigma \sqrt{\kappa }\sqrt{dn}p=\sigma p^2\sqrt{dn\kappa }$ with probability at least $1-2\exp (-\pi \kappa /\sigma ^2)$ by Lemma 1. An element sampled from $\Phi _\sigma$ is bounded by $\sigma \sqrt{\kappa }$ with probability at least $1-2\exp (-\pi \kappa /\sigma ^2)$, and two independent elements multiplied is no more than $\sigma ^2\kappa$ with probability $1-4\exp (-\pi \kappa /\sigma ^2)$, thus the infinity norm of $\textbf{r}^T\textbf{e}^*$ is no more than $\sigma ^2\kappa k$ with probability $1-4n\exp (-\pi \kappa /\sigma ^2)$. The bound of $\langle \mathbf{e'},\mathbf{s'}\rangle$ is estimated as well. According to the union bound, the infinity norm of $\textsf{Eval} (\textsf{E}_{\textsf{sk}}(m_i),a_i)$ is no more than $\sigma p(p\sqrt{dn\kappa }+2\sigma n\kappa k)$ with probability at least $1-6n\exp (-\pi \kappa /\sigma ^2)$. $\hfill\square$

Lemma A.2

(Security) Let $n,k, Q,\sigma$ be as defined in Construction 6. Then the Construction 6 is CPA-security under the hardness of $\textsf{MLWE}$ assumption.

Appendix B: Proofs of the basic scheme

Proof

To prove the Construction 28 is a zk-SNARK, we need to prove its four properties: completeness, computational soundness, argument of knowledge, and succinctness. Firstly, the succinctness property is satisfied as the proof is constant, i.e., 5 encodings. Next, we show the remaining three properties.

Completeness. If all infinite norms of the accumulated noise in the encodings contained in the proof $\pi$ are smaller than half of the switched modulus, the descriptions can be performed by the verifier correctly. Then the completeness property is satisfied. Next, we analyze the noise generated in each step.

In the setup stage, $\{\textsf{E}_{\textbf{s}}(\beta v_{i}(r))\}_{i=\ell _{u}+1}^{m}$ and $\textsf{E}_{\textbf{s}}(\beta a(r))$ are computed by additive homomorphic evaluations and we have $B_{\textsf{crs}}=\sigma p^2\sqrt{2dn\kappa }+2p\sigma ^2n\kappa k$ with probability $1-6n\exp (-\pi \kappa /\sigma ^2)$. In the proving stage, we first compute 5 evaluations, and the largest noise growth lies in $\hat{V^*}$, which is $B_{\hat{V^*}}=B_{\textsf{crs}}(m-\ell _u+pn)=(\sigma p^2\sqrt{2dn\kappa }+2p\sigma ^2n\kappa k)(m-\ell _u+pn)$ with probability $1-6n\exp (-\pi \kappa /\sigma ^2)$. Noise smudging makes the error bound increase to $(2^{\kappa }+1)B_{\hat{V^*}}$. Then the infinity norm is less than $(2^{\kappa }+1)(\sigma p^2\sqrt{2dn\kappa }+2p\sigma ^2n\kappa k)(m-\ell _u+pn)$ with probability $1-6n\exp (-\pi \kappa /\sigma ^2)$. After modulus-switching, the bound $B_{\hat{V^*}'}$ is less than $\gamma Q'+\frac{p}{2}(\sigma \sqrt{\kappa nk}+n)$ with probability $1-2n\exp (-\pi \kappa /\sigma ^2)$ together with $(2^{\kappa }+1)(\sigma p^2\sqrt{2dn\kappa }+2p\sigma ^2n\kappa k)(m-\ell _u+pn)+2dnp^2(m-\ell _u+pn) <\gamma Q$.

Let $\sigma =\alpha Q$, and the parameter $\alpha$ represents the error rate. In addition, we take $\gamma =1/8np$. By approximate scaling, we have $Q>2^{\kappa +4}\sigma np^2\left( d+pn\right) \left( p\sqrt{2dn\kappa }+2\sigma n \kappa k\right)$, and $Q'>4np^2\left( \sigma \sqrt{nk\kappa }+n\right)$.

Computational Honest-Verifier Zero-knowledge. The analysis can be regarded as a simplified version of the proof of Theorem 32. To avoid repetitions, we stress the difference instead of repeating the whole process.

In the first stage, the setup algorithm just consists of encodings of $1,r,\ldots ,r^{d},\alpha , \ldots , \alpha r^d, \beta a(r),\beta v_m(r),\ldots ,\beta v_{\ell _u+1}(r)$. The simulator for this stage removes other keys as well and checks a(r) whether is invertible, implying statistically indistinguishability with statistical difference $2/p^{n/2}$. In the second stage, the proof is exactly the same, and two distributions are computationally indistinguishable. In the third stage, the prover only considers the modulus-switching process. Then two distributions are computationally indistinguishable.

Computational Argument of Knowledge The proof is also included in the proof for Theorem 33. The key difference is without the unpacking algorithm and all secret keys are $\textbf{s}$. The details are omitted. $\hfill\square$

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions

About this article

Cite this article

Lin, X., Cao, H., Liu, FH. et al. Shorter ZK-SNARKs from square span programs over ideal lattices. Cybersecurity 7, 33 (2024). https://doi.org/10.1186/s42400-024-00215-x

Download citation

Received: 30 July 2023
Accepted: 29 January 2024
Published: 19 March 2024
DOI: https://doi.org/10.1186/s42400-024-00215-x