 Research
 Open access
Shorter ZKSNARKs from square span programs over ideal lattices
Cybersecurity volume 7, Article number: 33 (2024)
Abstract
Zero-knowledge succinct non-interactive arguments of knowledge (zkSNARKs) are cryptographic protocols that offer efficient and privacy-preserving means of verifying NP language relations and have drawn considerable attention for their appealing applications, e.g., verifiable computation and anonymous payment protocols. Compared with the pre-quantum case, the practicability of this primitive in the post-quantum setting is still unsatisfactory, especially for the space complexity. To tackle this issue, this work seeks to enhance the efficiency and compactness of lattice-based zkSNARKs, including proof length and common reference string (CRS) length. In this paper, we develop the framework of square span program-based SNARKs and design new zkSNARKs over cyclotomic rings. Compared with previous works, our construction is without parallel repetition and achieves shorter proof and CRS lengths than previous lattice-based zkSNARK schemes. Particularly, the proof length of our scheme is around \(23.3\%\) smaller than the recent shortest lattice-based zkSNARKs by Ishai et al. (in: Proceedings of the 2021 ACM SIGSAC conference on computer and communications security, pp 212–234, 2021), and the CRS length is \(3.6\times\) smaller. Our constructions follow the framework of Gennaro et al. (in: Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pp 556–573, 2018), and adapt it to the ring setting by slightly modifying the knowledge assumptions. We develop concretely small constructions by using modulus-switching and key-switching procedures in a novel way.
Introduction
Zero-knowledge (ZK) proofs are cryptographic protocols that enable a prover to persuasively demonstrate the validity of a specific statement to a verifier while keeping the witness secret. The concept was initially introduced by Goldwasser et al. (1989), and there has been active research in both theory and practice since then.
In numerous scenarios, it is essential for the prover to genuinely possess a valid witness, which yields an argument of knowledge. For efficiency, two further properties are highly desirable: non-interactivity and succinctness. Such proofs consist of a single message sent by the prover, and the verifier validates it in considerably less time than the prover's computational effort. Together these attributes give rise to a class of cryptographic constructions commonly known as (zero-knowledge) succinct non-interactive arguments of knowledge, (zk)SNARKs. They find wide-ranging applications, including verifiable computation (Ben-Sasson et al. 2013, 2014; Parno et al. 2016) and anonymous payment protocols (Sasson et al. 2014). Despite these compelling features, some negative results are associated with these constructions. Gentry and Wichs (2011) demonstrated that no secure succinct non-interactive arguments (SNARGs) exist in the standard model. Consequently, all existing SNARGs are constructed in the random oracle model or rely on non-falsifiable assumptions (Naor 2003). Additionally, the most efficient SNARKs are designated-verifier, wherein only those who possess the verification key are able to validate proofs, in contrast to publicly verifiable ones, which permit anyone to verify a proof.
The concept of SNARKs has been extensively investigated in the literature (Bitansky et al. 2011, 2012, 2017; Goldwasser et al. 2011), and subsequent works mainly focus on enhancing efficiency for practical use. The early schemes (Gennaro et al. 2013; Danezis et al. 2014) in this area were almost all based on groups or bilinear pairings. Nowadays, driven by the advances in quantum computation and quantum computers, post-quantum security progressively attracts more attention, and many lattice-based SNARKs have emerged in recent years.
However, the lattice-based constructions are significantly less efficient than the group- or pairing-based ones. Intuitively, the optimal scheme is a preprocessing SNARK proposed by Groth (2016), whose proof length is 128 B. The state-of-the-art post-quantum SNARK was proposed by Ishai et al. (2021), whose proof size is 16.4 KB, which is 131.2× larger. Furthermore, as almost all efficient SNARKs necessitate a trusted setup, the length of the common reference string (CRS) also merits attention. Therefore, how to improve the efficiency of lattice-based SNARKs is an important and meaningful research problem.
These motivate our main question:
Can we improve the efficiency of lattice-based SNARKs, especially in the proof length and CRS length?
Related works
The constructions of SNARKs exhibit diverse design routes. Two paradigmatic routes are presented: one research line adopts a combination of a polynomial interactive oracle proof (polynomial IOP) and a polynomial commitment; another research line is built directly on the circuit. The former approach has a notable advantage in applicability, such as a transparent setup and public verifiability, albeit at the expense of efficiency. On the contrary, the latter approach imposes certain limitations, requiring a trusted setup and a designated verifier, but achieves higher efficiency.
The same applies to lattice-based SNARKs. Recent advancements in lattice-based SNARKs can be divided into two categories. In the first research line, researchers tried to obtain SNARKs with attractive properties or functionalities. The most critical components are various commitments, i.e., vector commitments (Peikert et al. 2021; Albrecht et al. 2022) and functional commitments (Wee and Wu 2023; Fisch et al. 2023). Albrecht et al. (2022) proposed the first lattice-based SNARK construction from vector commitments, in which the verifier is public and has logarithmic complexity, and the construction is recursively composable. Cini et al. (2023) proposed the first lattice-based recursive folding protocol with a polylogarithmic-time verifier for linear relations and the first lattice-based succinct argument with a linear-time prover for NP in the preprocessing model.
Before we review the lattice-based constructions following the second approach, we first recall the group-based ones. This route originated from Groth (2010), which constructed a non-interactive zero-knowledge argument (NIZK) based on the circuit satisfiability problem. Then researchers found it possible to convert the circuit satisfiability problem into more algebraic formulations in order to construct efficient SNARKs. Many works introduced different characterizations of the complexity class NP: quadratic span programs (QSPs) (Gennaro et al. 2013), square span programs (SSPs) (Danezis et al. 2014), and rank-1 constraint systems (R1CS) (Ben-Sasson et al. 2013). Many efficient constructions of SNARKs based on these specific structures followed. In detail, Gennaro et al. (2013) proposed constructions based on QSPs, whose proof consists of 7 group elements and whose CRS size is linear in the circuit size. In the next year, Danezis et al. (2014) introduced SSPs and built SNARKs based on SSPs (a simpler form than QSPs), whose proof consists of 4 group elements. Meanwhile, a concurrent research line (Bitansky et al. 2013; Boneh et al. 2017) studied a more abstract cryptographic primitive, the linear probabilistically checkable proof (LPCP). They established constructions of LPCPs for NP and then built SNARGs (SNARKs) from LPCPs. The nature of the above designs can be unified in that preprocessing implies holography, as claimed in Chiesa and Yogev (2020), but the information revealed by the probabilistically checkable proof differs.
In terms of efficiency, the optimal scheme belongs to the preprocessing and designated-verifier SNARKs and was proposed by Groth (2016), whose proof consists of only 3 group elements. Its proof length is 128 B for a circuit of size \(2^{20}\), which significantly outperforms other schemes. This is also the most widely used SNARK scheme in practice, e.g., in ZCash (Sasson et al. 2014), Filecoin (Labs Labs 2018), and Coda (Bonneau et al. 2020).
In the domain of lattice-based SNARKs, Boneh et al. (2017) introduced the first quasi-optimal lattice-based SNARGs, employing linear multi-prover interactive proofs. Closely following this work, Gennaro et al. (2018) put forward the first lattice-based SNARK scheme, which was built on SSPs. Nitulescu (2019) introduced the first lattice-based zkSNARG for arithmetic circuits leveraging square arithmetic programs (SAPs), whose proof consists of 2 LWE ciphertexts. Naganuma et al. (2020) proposed faster zkSNARK constructions for arithmetic circuits using quadratic arithmetic programs (QAPs), whose proof consists of 3 LWE ciphertexts. Then, Ishai et al. (2021) followed the framework of Bitansky et al. (2013) and Boneh et al. (2017) and proposed a new LPCP-based SNARK, which has the state-of-the-art parameters among lattice-based SNARKs. The most recent lattice-based SNARK, from Chung et al. (2023), proposed a new noise flooding technique and achieved a smaller proof length in the amortized sense.
Our results
This research endeavors to tackle the aforementioned issue by devising novel, efficient SSP-based zkSNARKs. Notably, we have succeeded in reducing proof and CRS lengths by circumventing parallel repetition, while retaining a high level of soundness. To provide a more comprehensive understanding of our work, we present a comparative analysis with prior research in Table 1. (It is essential to highlight that the security estimation methodology employed in Ishai et al. (2021) is suboptimal, so we re-estimate their parameters using the same "ADPS16" method to enable a more precise and reliable comparison. Their CRS length is left empty since they did not provide it.)
Technical overview
Next, we present a summary of our technical contributions below.
Get Rid of Parallel Repetition by Ring Structure. Parallel repetition is a standard technique to amplify (knowledge) soundness, i.e., to reduce the soundness error. Over a field (\(\mathbb{Z}_p\) or even \(\mathbb{Z}_{p^2}\)), if we do not use parallel repetition and want the probability of guessing a random field element to be lower than \(2^{-128}\), the modulus p must satisfy \(p>2^{128}\) (or \(p^2>2^{128}\)), which is too large. Therefore, previous works chose a smaller p (such as 32 bits or 19 bits) and used parallel repetition to reach the desired security level.
To deal with this issue, we adopt the strategy of replacing the field structure by a ring structure. To illustrate, if we consider a ring with modulus p and dimension n, the desired target can be accomplished by ensuring that \(p^{n}>2^{128}\). Combined with other constraints of our construction, the final requirement turns out to be \(2d/p^{n/2}<2^{-128}\). However, solely employing the ring structure may not suffice to reduce the parameter size and may potentially incur additional issues. As such, supplementary techniques must be employed to tackle these issues, which are expounded upon below.
Reductions from Boolean Circuits over Rings. Both SSP-based and LPCP-based schemes use polynomial interpolation to express circuits as SSP/LPCP instances. Prior works (to our knowledge) consider polynomial interpolation over fields, and extending it to rings poses challenges, particularly with regard to invertibility in R. Towards this, we leverage a useful result (Katsumata and Yamada 2016) stating that ring elements with a "small" norm are invertible. More concretely, in polynomial interpolation the denominators of the interpolation coefficients take the form \(x_i-x_j\) for distinct i, j. In order to ensure that \(x_i-x_j\) has an inverse over \(R_p\), we restrict the domain of \(x_i\) and \(x_j\) to \(R_{[0,1]}\), where the coefficients of the polynomials are either 0 or 1. As a result, we can instantiate polynomial interpolation over the ring of our choice.
Optimizations via Ciphertext Operations. As noted above, the SSP-based scheme presented in Gennaro et al. (2018) has a large proof length, primarily because its proof includes five ciphertexts. In contrast, the LPCP-based scheme proposed by Ishai et al. (2021) uses different encrypted queries as the CRS, which are multiplied by the same coefficients during proof generation. This allows the packing method described in Peikert et al. (2008) to reduce the proof length by sharing randomness. Unfortunately, the SSP-based scheme involves different coefficients (e.g., \(\textbf{h},\textbf{v}\)), which precludes the direct application of that method. However, in the ring setting, we can leverage the ring structure to pack the 5 ciphertexts into a single ciphertext. This approach reduces the number of ciphertexts constituting the proof.
The packing technique decreases the number of ciphertexts, although it comes at the expense of increasing the ring dimension. This implies that the size of the proof has not actually been reduced. To address this, we employ the key-switching technique to attain a shorter proof. As a consequence, a slight modification of the knowledge assumption becomes necessary. Further deliberations are provided in section "Assumptions".
Preliminaries
Basic notations and probability results
Let \(\lambda\), \(\kappa\) represent the computational and statistical security parameters, respectively. A negligible function \(\textsf{negl} (\lambda )\) is bounded by \(1/\lambda ^c\) for all sufficiently large \(\lambda\) and every constant \(c>0\). Conversely, overwhelming probability means probability \(1-\textsf{negl} (\lambda )\).
In our notation, a bold lowercase letter (e.g., \(\textbf{x}\)) signifies a column vector, while a bold uppercase letter (e.g., \(\textbf{A}\)) represents a matrix.
\(\mathbb{Z}\) represents the set of integers, and \(\mathbb{Z}_{q}\) indicates the ring of integers modulo q. R is a polynomial ring, and \(R_{q}\) indicates the ring elements in R modulo q. Then we adopt the unified notation \([a]_{q}\) to represent \(a\bmod q\) encompassing both integer and ring elements, without distinction. In the case where the modulus q is not a power of 2, we employ \(\log q\) to substitute \(\lceil \log _2 q\rceil\) for simplicity.
We use \(u\xleftarrow {\$} U\) to indicate that a random element u is sampled from the set U. For two distributions A, B, let \(A\overset{s}{\approx }\ B\) and \(A\overset{c}{\approx }\ B\) denote statistically close and computationally indistinguishable, respectively.
Gaussian Distribution. The n-dimensional Gaussian function with parameter \(\sigma >0\) is defined as \(\rho _\sigma (\textbf{x})=\exp (-\pi \Vert \textbf{x}\Vert _2^2/\sigma ^2)\). Based on this, the discrete Gaussian distribution over \(\mathbb{Z}^n\) is defined as \(D_{\mathbb{Z}^n,\sigma }(\textbf{x})=\rho _\sigma (\textbf{x})/\rho _\sigma (\mathbb{Z}^n)\), where \(\rho _\sigma (\mathbb{Z}^n)=\sum _{\textbf{x}\in \mathbb{Z}^n}\rho _\sigma (\textbf{x})\).
Lemma 1
(Banaszczyk (1995), Lemma 2.4) For any \(s,t>0\) and an integer vector \(\textbf{a}\in \mathbb{Z}^n\), we have \(\Pr [\langle \textbf{a}, D_{\mathbb{Z}^n,s} \rangle \ge ts\Vert \textbf{a}\Vert _2]\le 2\exp (-\pi t^2/s^2).\)
Schwartz–Zippel Lemma. The Schwartz–Zippel lemma is commonly employed in the analysis of the soundness error.
Lemma 2
Let \(\mathbb{F}\) be a finite field and K a subset of \(\mathbb{F}\) (i.e., \(K \subset \mathbb{F}\)) of size |K|. Assume that the nonzero polynomial \(f(Y_1,\ldots ,Y_n)\) has total degree D. If \(t_1,\ldots ,t_n\) are chosen uniformly at random from K, then we have
Cyclotomic rings
In this paper, we work over power-of-2 polynomial rings. Let n be a power of 2; the 2n-th cyclotomic polynomial is \(\Phi _{2n}(x) = x^{n}+1\). We define the 2n-th cyclotomic ring as \(R \cong \mathbb{Z}[x]/(x^n+1)\) and the 16n-th cyclotomic ring as \(\mathcal{R}\cong \mathbb{Z}[x]/(x^{8n}+1)\). In this paper, we view ring elements via the coefficient embedding. Namely, for any \(s\in R\) we write \(s=s_{0}+s_{1}x+\cdots +s_{n-1}x^{n-1}\) with \(s_i \in \mathbb{Z}\). Ring addition and multiplication are performed modulo \(x^{n}+1\). Under the coefficient embedding, the \(\ell _{\infty }\) and \(\ell _{2}\) norms of s are defined as \(\Vert s\Vert _{\infty }=\max _{i}\Vert s_{i}\Vert ,\Vert s\Vert _{2}=\sqrt{\Vert s_{0}\Vert ^{2}+\cdots +\Vert s_{n-1}\Vert ^{2}}\). This extends to vectors in the natural way: for \(\textbf{a} = (a_{1},..., a_{t})\in R^{t}\), we define \(\Vert \textbf{a}\Vert _{\infty }=\max _{i}\Vert a_{i}\Vert _{\infty },\Vert \textbf{a}\Vert _{2}=\sqrt{\Vert a_{1}\Vert ^{2}_{2}+\cdots +\Vert a_{t}\Vert ^{2}_{2}}\).
To discuss our choice of moduli, we first recall a special result from Katsumata and Yamada (2016).
Lemma 3
(Katsumata and Yamada (2016), Lemma 3) Let the prime p satisfy \(p\bmod 8=3\) and let n be a power of 2. Then \(x^n+1\) splits as \(x^n+1=g_1g_2\bmod p\) with two irreducible polynomials in \(\mathbb{Z}_p[x]\), \(g_1=x^{n/2}+vx^{n/4}-1\) and \(g_2=x^{n/2}-vx^{n/4}-1\), where \(v^2=-2\bmod p\). Moreover, all \(a\in R_p\) with \(\Vert a\Vert _2<\sqrt{p}\) are invertible.
MLWE problems and encoding schemes based on MLWE
Module Learning with Errors (MLWE). Module-LWE is a fusion of Ring-LWE and plain LWE, which was proposed and studied in Brakerski et al. (2014) and Langlois and Stehlé (2015). For power-of-2 cyclotomic rings, the ring R and its dual \(R^\vee\) only differ by a scaling factor of n. Thus, we opt to work solely on R. More formally, the decision MLWE distribution and problem from Langlois and Stehlé (2015) are defined as follows:
Definition 4
(Module-LWE Distribution) Let \(\psi\) over \(R_{q}\) be the error distribution. Given a secret vector \(\textbf{s}\in R_{q}^k\), an instance of the \(\textsf{MLWE}\) distribution \(A_{\textbf{s},\psi }\) over \(R_{q}^k\times R_{q}\) is (\(\textbf{a}, b\)), where \(\textbf{a}\) is chosen from \(R_{q}^k\) uniformly at random, e is drawn from \(\psi\), and \(b=\langle \textbf{a}, \textbf{s}\rangle +e\bmod q\).
Definition 5
(Module-LWE, Decision Problem) The average-case decision \(\textsf{MLWE}_{R_{q},k,\psi }\) problem is to distinguish instances from \(A_{\textbf{s},\psi }\) from uniformly random elements of \(R_{q}^k\times R_{q}\).
The decision \(\textsf{MLWE}_{R_{q},k,\psi }\) problem is infeasible if, for all \(\textsc{ppt}\) adversaries B given any polynomial number of samples, the probability that B solves \(\textsf{MLWE}_{R_{q},k,\psi }\) is negligibly close to 1/2.
The Encoding Scheme. The encoding scheme used in SNARK schemes can be symmetric or asymmetric. For convenience, we instantiate it as a symmetric \(\textsf{MLWE}\) scheme. Furthermore, a simple linear combination is not sufficient for the zero-knowledge of the SNARK, thus we re-randomize the linear evaluation procedure as in Ishai et al. (2021).
Construction 6
(MLWE Encoding Scheme) For any positive integers n, k, Q, an encoding scheme \(\textsf{MLWE}\) with dimension n, rank k and modulus Q consists of three \(\textsc{ppt}\) algorithms (\(\textrm{K},\textsf{E},\textsf{D}\)) and a randomized linear evaluation algorithm \(\textsf{Eval}\). These algorithms are defined below:

\(\textrm{K}(1^{\lambda },k)\): Sample \(A^*\leftarrow R_Q^{k\times k}\), \(\mathbf{s'},\textbf{e}^* \leftarrow \Phi _\sigma ^{k}\). Define \(F=(A^*,b^*)=(A^*,(A^*)^{T}\mathbf{s'}+p\textbf{e}^*)\), \(\textbf{s}=(-\mathbf{s'},1)\). Output \((\textbf{s},F)\).

\(\textsf{E}_{\textbf{s}}(m)\): Sample \(\textbf{a}\leftarrow R_{Q}^{k}\), and \(e\leftarrow \Phi _\sigma\). Compute and output \(\textbf{c}=(\textbf{a}, \langle \mathbf{s'},\textbf{a}\rangle +pe+m)\).

\(\textsf{Eval} (\{\mathbf{c_i}=(\mathbf{a_i},b_i),\alpha _i\}_{i\in [d]},F)\): Sample independent \(\textbf{r},\mathbf{e'}\leftarrow \Phi _\sigma ^{k}\). Compute and output \(\textbf{c}=(\sum _{i=1}^d \alpha _i\mathbf{a_i}+A^*\textbf{r}+p\mathbf{e'},\sum _{i=1}^d \alpha _ib_i+\textbf{r}^T\textbf{b}^*)\).

\(\textsf{D}_{\textbf{s}}(\textbf{c})\): Compute and output \(m'=[[\langle \textbf{c},\textbf{s} \rangle ]_{Q} ]_{p}\).
The encoding scheme satisfies completeness and IND-CPA security. For clarity, we defer the properties of the encoding scheme to Appendix A.
Zero-knowledge succinct non-interactive argument of knowledge (zkSNARK)
In this subsection, we present the formal definitions of zkSNARKs and their properties.
Definition 7
(zkSNARK) For a relation \({\mathcal{L}}\), a zero-knowledge succinct non-interactive argument of knowledge protocol \(\Pi\) comprises three \(\textsc{ppt}\) algorithms \((\Pi .\textsf{Setup}, \Pi .\textsf{Prove}, \Pi .\textsf{Verify})\).

1. \((\textsf{crs},\textsf{vrs},\textsf{td})\leftarrow \Pi .\textsf{Setup}(1^{\lambda },u)\): Given the security parameter and a statement u, the setup algorithm generates three components: a common reference string denoted as \(\textsf{crs}\), verification secret information represented by \(\textsf{vrs}\), and the trapdoor denoted as \(\textsf{td}\).
2. \(\pi \leftarrow \Pi .\textsf{Prove}(\textsf{crs},u,\omega )\): On receiving u, \(\omega\), and \(\textsf{crs}\), the prove algorithm produces a proof \(\pi\).
3. \(0/1\leftarrow \Pi .\textsf{Verify}(\textsf{crs},\textsf{vrs},\pi )\): Taking \(\textsf{crs}\), \(\textsf{vrs}\) and \(\pi\) as inputs, the verify algorithm yields a bit 1 or 0 to indicate acceptance or rejection of the proof.
A zkSNARK scheme exhibits four fundamental properties, namely completeness, zero-knowledge, argument of knowledge, and succinctness.
Definition 8
(Completeness) For a statement u included in the relation, the setup algorithm outputs \((\textsf{crs},\textsf{vrs},\textsf{td})\leftarrow \Pi .\textsf{Setup}(1^{\lambda },u)\), and the prove algorithm outputs a proof \(\pi \leftarrow \Pi .\textsf{Prove}(\textsf{crs},u,\omega )\). If \(\Pr \left[ \Pi .\textsf{Verify}(\textsf{crs},\textsf{vrs},\pi )=1 \right] =1-\textsf{negl} (\lambda )\), then \(\Pi\) is complete.
Definition 9
(Zero-knowledge) For any \((u,\omega )\in {\mathcal{L}}\), a \(\textsc{ppt}\) simulator \(\mathcal{S}\) exists such that \(\{\Pi .\textsf{Prove}(u,\omega ,\textsf{crs})\}\approx \{\mathcal{S}(u,\textsf{td})\}\), where \((\textsf{crs},\textsf{vrs},\textsf{td})\leftarrow \Pi .\textsf{Setup} (1^{\lambda },u)\) and \(\approx\) may denote perfect, statistical, or computational indistinguishability. Then the argument system \(\Pi\) is zero-knowledge.
Definition 10
(Argument of Knowledge) For any statement u, if a \(\textsc{ppt}\) adversary can produce a proof \(\pi ^*\) passing the verification, then a probabilistic polynomial-time extractor \(\textsf{Ext}\) exists that extracts a witness \(\omega\) satisfying \((u,\omega )\in {\mathcal{L}}\) with polynomial probability. Equivalently, we have \(\Pr [ (\pi ^*;\omega ) \leftarrow (\mathcal{A} \textsf{Ext})(\textsf{crs},u)\wedge \Pi .\textsf{Verify}(\textsf{crs},\textsf{vrs},\pi ^*)=1 ]=\textsf{poly}(\lambda )\), where \((\textsf{crs},\textsf{vrs},\textsf{td})\leftarrow \Pi .\textsf{Setup}(1^{\lambda },u)\). Then the non-interactive argument system \(\Pi\) is an argument of knowledge.
Definition 11
(Succinctness) If the argument length of an argument system is sublinear in the security parameter and in the size of the circuit included in the relation, we say that it is succinct.
Optimization techniques
In this subsection, we present several optimization techniques used in our schemes, including noise smudging, modulus-switching, key-switching, packing, and unpacking.
Noise Smudging. Noise smudging from Gentry (2009) is commonly used to hide the noise of additively homomorphically evaluated ciphertexts or fresh ciphertexts.
Lemma 12
(Noise Smudging, Gentry (2009)) Let \(B_1,B_2\) be positive integers, and k be the statistical security parameter. For an arbitrary integer \(m\in [-B_1,B_1]\), we pick n uniformly at random from the interval \([-B_2,B_2]\). Then if \(B_1/B_2=\textsf{negl} (k)\), \(\{m+n\} \overset{s}{\approx }\ \{n\}\).
Modulus-switching. The modulus-switching technique from Brakerski et al. (2014) can transform a ciphertext under a large modulus into one under a comparatively small modulus without knowing the secret key.
Definition 13
(Modulus-switching) For any integers k, \(Q>Q'>p\), and any vector \(\textbf{x}\in R^k\), \(\mathbf{x'}\leftarrow \textsf{ModSwit}(\textbf{x},Q,Q',p)\) is defined as the \(R^k\)-vector closest to \(\frac{Q'}{Q}\textbf{x}\) satisfying \(\mathbf{x'}=\textbf{x}\bmod p\).
Lemma 14
(Correctness of modulus switching) Let \(Q,Q',p\) be positive integers satisfying \(Q>Q'>p\) and \(Q=Q'=1\bmod {p}\). R is a ring with degree n and \(\kappa\) is the statistical parameter. For any \(\textbf{c}\in R^{k+1}\), let \(\textbf{c}'\leftarrow \textsf{ModSwit}(\textbf{c},Q,Q',p)\). Then for any \(\textbf{s}=(-\mathbf{s'},1)\) with \(\mathbf{s'} \leftarrow \Phi _\sigma ^{k}\) satisfying \(\Vert [\langle \textbf{c}, \textbf{s} \rangle ]_Q\Vert _{\infty } <\frac{Q}{2}-\frac{Q}{Q'}\frac{p}{2}(n+\sigma \sqrt{nk\kappa })\), the probability that \([[\langle \textbf{c}, \textbf{s} \rangle ]_{Q}]_{p}= [[\langle \textbf{c}', \textbf{s} \rangle ]_{Q'}]_{p}\) and \(\Vert [\langle \textbf{c}', \textbf{s} \rangle ]_{Q'}\Vert _{\infty }< \frac{Q'}{Q}\Vert [\langle \textbf{c}, \textbf{s} \rangle ]_{Q} \Vert _{\infty } +\frac{p}{2}(n+\sigma \sqrt{nk\kappa })\) is at least \(1-2n\exp (-\pi \kappa /\sigma ^2)\).
Key-switching. The key-switching technique from Brakerski et al. (2014) transforms an encryption under secret key \(\mathbf{s_1}\) into an encryption of the same (or a related) message under a distinct secret key \(\mathbf{s_2}\), with the help of key-switching keys.
Definition 15
(Key-switching) For any vector \(\textbf{x}\in R_Q^k\), we can decompose \(\textbf{x}\) as \(\sum _{j=0}^{\log Q-1}\mathbf{y_j}2^j\), where \(\mathbf{y_j}\in R_{2}^k\), and define \(\textsf{BD}(\textbf{x})=(\mathbf{y_0},\dots ,\mathbf{y_{\log Q-1}})\). \(\textsf{PV}(\textbf{x})\) is defined as \((\textbf{x}, 2\textbf{x}, \dots , 2^{\log Q-1}\textbf{x})\). The key-switching algorithm is presented as follows:

\(\textsf{SwitKeyGen}(\mathbf{s_1},\mathbf{s_2})\): Sample \(\mathbf{A'}\leftarrow R_Q^{k_1\log Q\times (k_2-1)}\), \(\mathbf{e'}\leftarrow \Phi _{\sigma '}^{k_1\log Q}\). Let \(-\mathbf{s'}\in R^{k_2-1}\) be the residual vector of \(\mathbf{s_2}\) without its last coordinate, i.e., \(\mathbf{s_2}=(-\mathbf{s'},1)\) as in Construction 6. Compute \(\mathbf{a'}=\mathbf{A'}\mathbf{s'}+p\mathbf{e'}\). Output \(\textsf{switkey}=(\mathbf{A'},\mathbf{ a'})+(\textbf{0},\textsf{PV}(\mathbf{s_1}))\in R_Q^{k_1\log Q\times k_2}\).

\(\textsf{KeySwit}(\textsf{switkey},\textbf{c})\): Output \(\textsf{switkey}^{T}\cdot \textsf{BD}(\textbf{c})\).
Lemma 16
(Correctness of key-switching) For any \(\mathbf{s_1}\in R_Q^{k_1},\mathbf{s_2}\in R_Q^{k_2}\) with the last coordinate being 1, let \(\textsf{switkey}\leftarrow \textsf{SwitKeyGen}(\mathbf{s_1},\mathbf{s_2})\) and \(\mathbf{c_2}\leftarrow \textsf{KeySwit}(\textsf{switkey},\mathbf{c_1})\). Then we have \(\langle \mathbf{c_2},\mathbf{s_2}\rangle =p\langle \textsf{BD}(\mathbf{c_1}),\mathbf{e'}\rangle +\langle \mathbf{c_1},\mathbf{s_1}\rangle \bmod Q.\)
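As an added example (not the paper's code), the following Python implements the K, E and D algorithms of Construction 6 together with ModSwit (Definition 13) and SwitKeyGen/KeySwit (Definition 15) on toy parameters, and checks that a message still decodes after switching the modulus from Q to Q' and after switching the key from \(\mathbf{s_1}\) to a fresh \(\mathbf{s_2}\), as Lemmas 14 and 16 state. Assumptions: n = 8, k = 2, p = 17, \(Q=p\cdot 2^{40}+1\) and \(Q'=p\cdot 2^{24}+1\) (far too small for security), a bounded uniform error in place of \(\Phi_\sigma\), the secret written as \(\textbf{s}=(-\mathbf{s'},1)\) so that \(\langle \textbf{c},\textbf{s}\rangle =pe+m\), and the re-randomised Eval omitted.

```python
import random

# Toy parameters, assumptions for this example only (tiny and insecure; the paper's
# parameters are far larger). R_q = Z_q[x]/(x^n + 1), plaintext modulus p, MLWE rank k.
n, k, p, B = 8, 2, 17, 2
Q = p * 2**40 + 1            # Q  = 1 mod p, as Lemma 14 requires
Q2 = p * 2**24 + 1           # Q' = 1 mod p, the target modulus of ModSwit
L = Q.bit_length()           # log Q: number of digits used by BD and PV

def rmul(a, b, q):
    """Negacyclic product of coefficient vectors modulo x^n + 1 and q."""
    out = [0] * n
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            if i + j < n:
                out[i + j] = (out[i + j] + x * y) % q
            else:
                out[i + j - n] = (out[i + j - n] - x * y) % q
    return out

def radd(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]

def vdot(u, v, q):
    """Inner product of two vectors of ring elements."""
    acc = [0] * n
    for a, b in zip(u, v):
        acc = radd(acc, rmul(a, b, q), q)
    return acc

def centered(a, q):                 # [a]_q with every coefficient in (-q/2, q/2]
    return [((x + q // 2) % q) - q // 2 for x in a]

def small():                        # stand-in for Phi_sigma: coefficients uniform in [-B, B]
    return [random.randint(-B, B) for _ in range(n)]

def uniform(q):
    return [random.randrange(q) for _ in range(n)]

def keygen(q=Q):
    """K: secret s = (-s', 1) and F = (A*, b*) with b* = (A*)^T s' + p e* (used by Eval)."""
    A = [[uniform(q) for _ in range(k)] for _ in range(k)]
    s1, e = [small() for _ in range(k)], [small() for _ in range(k)]
    b = [radd(vdot([A[r][c] for r in range(k)], s1, q), [p * x for x in e[c]], q)
         for c in range(k)]
    return [[-x for x in v] for v in s1] + [[1] + [0] * (n - 1)], (A, b)

def encode(s, m, q=Q):
    """E_s(m) = (a, <s', a> + p e + m), where s' = -s[:k]."""
    a = [uniform(q) for _ in range(k)]
    b = vdot([[-x for x in v] for v in s[:k]], a, q)
    return a + [radd(b, [p * x + y for x, y in zip(small(), m)], q)]

def decode(s, c, q=Q):
    """D_s(c) = [[<c, s>]_q]_p."""
    return [x % p for x in centered(vdot(c, s, q), q)]

def modswit(c, q_from, q_to):
    """ModSwit (Definition 13): nearest vector to (Q'/Q) c that is congruent to c mod p."""
    out = []
    for v in c:
        w = []
        for x in centered(v, q_from):
            y = (2 * x * q_to + q_from) // (2 * q_from)     # round((Q'/Q) x)
            y += ((x - y + p // 2) % p) - p // 2             # shift by at most p/2 so y = x mod p
            w.append(y % q_to)
        out.append(w)
    return out

def bit_decompose(c):
    """BD(c): digits y_0..y_{L-1} in R_2 with c = sum_j 2^j y_j, flattened with index j*len(c)+l."""
    return [[(x >> j) & 1 for x in v] for j in range(L) for v in c]

def switkeygen(s1, s2, q=Q):
    """SwitKeyGen(s_1, s_2): rows (A'_i, -A'_i t + p e'_i + PV(s_1)_i), t = s_2 without its last 1."""
    t, key = s2[:-1], []
    for pv_row in [[(x << j) % q for x in v] for j in range(L) for v in s1]:   # PV(s_1)
        A_row = [uniform(q) for _ in t]
        a = [p * e - x for x, e in zip(vdot(A_row, t, q), small())]
        key.append(A_row + [radd(a, pv_row, q)])
    return key

def keyswit(key, c, q=Q):
    """KeySwit(switkey, c) = switkey^T BD(c): an encoding of the same m under s_2 (Lemma 16)."""
    out = [[0] * n for _ in key[0]]
    for digit, row in zip(bit_decompose(c), key):
        for j, entry in enumerate(row):
            out[j] = radd(out[j], rmul(digit, entry, q), q)
    return out

def demo(seed=1):
    """Decode m (i) directly, (ii) after ModSwit to Q', (iii) after KeySwit to a fresh key s_2."""
    random.seed(seed)
    (s, _), (s2, _) = keygen(), keygen()
    m = [random.randrange(p) for _ in range(n)]
    c = encode(s, m)
    return (decode(s, c) == m,
            decode(s, modswit(c, Q, Q2), Q2) == m,
            decode(s2, keyswit(switkeygen(s, s2), c)) == m)
```

The noise bounds are trivially met at this size; with the paper's parameters the conditions of Lemma 14 and the term \(p\langle \textsf{BD}(\mathbf{c_1}),\mathbf{e'}\rangle\) of Lemma 16 are what constrain \(Q'\) and \(\sigma'\).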
Packing and Unpacking Algorithms. The packing algorithm operates on a message defined over the ring \(\mathcal{R}\) by treating it as several message slots over R. Conversely, the unpacking technique successively shifts the ciphertext's other slots into the lowest-order slot and extracts that slot homomorphically. The extraction is essentially a homomorphic computation of the trace function, which is carried out by homomorphic automorphism evaluations. This idea is derived from Halevi and Shoup (2014, 2020).

Plaintext encoding: Given \(\mathbf{c_1},\dots ,\mathbf{c_{\xi }}\in R^{k+1}\), then \(\textsf{Pack}(\mathbf{c_1},\dots ,\mathbf{c_{\xi }})=\mathbf{c_1}+\mathbf{c_2}x^n+\dots +\mathbf{c_{\xi }}x^{n(\xi -1)}\), where n is the dimension of R.

Homomorphic plaintext decoding: Given a key-switching sub-algorithm \(\textsf{KeySwit}\), the ciphertext \(\textbf{c}\in \mathcal{R}^{k+1}\) and trace homomorphic evaluation keys \(\{\textbf{B}_i\}_{i\in \mathbb{Z}_{2\xi '}^*}\), compute \(\mathbf{c_1}=\sum _{i\in \mathbb{Z}_{2\xi '}^*}\textsf{KeySwit}(\textbf{B}_i,\tau _i(\textbf{c}))\), \(\mathbf{c_2}=\sum _{i\in \mathbb{Z}_{2\xi '}^*}\textsf{KeySwit}(\textbf{B}_i,\tau _i(\textbf{c}\cdot x^{n}))\), \(\ldots\), \(\mathbf{c_{\xi '}}=\sum _{i\in \mathbb{Z}_{2\xi '}^*}\textsf{KeySwit}(\textbf{B}_i,\tau _i(\textbf{c}\cdot x^{(\xi '-1)n}))\) to obtain the individual ciphertexts.
At the end of this section, we present a summary of some essential notations in Table 2.
Square span programs over cyclotomic rings
Square span programs (\(\textsf{SSP}\)s) were originally introduced by Danezis et al. (2014) as a novel and distinct characterization of the class NP. While all prior works (to our knowledge) considered \(\textsf{SSP}\)s over fields, this work generalizes the notion and construction to the setting of rings (particularly cyclotomic rings). In this way, the underlying mathematical structure of the \(\textsf{SSP}\)s matches that of Ring-LWE (Lyubashevsky et al. 2010), yielding much more efficient SNARK constructions than the plain LWE-based instantiations.
Definition 17
(Square Span Programs over Rings) A square span program P over the ring R is represented as a polynomial tuple \(( l_0(x),\ldots ,l_m(x), a(x) )\) in R[x], where the degree of each \(l_i(x)\) is no more than the degree of a(x). The size of P is m, and the degree d equals the degree of a(x). A vector \(\textbf{s} = (s_1,\ldots ,s_\ell )\in R^\ell\) (\(\ell <m\)) is accepted by P if and only if there exists another vector \(\mathbf{s'}= (s_{\ell +1},\ldots ,s_{m})\in R^{m-\ell }\) such that a(x) divides \((l_0(x)+\sum _{i=1}^m s_il_i(x))^2-1\).
Moreover, if exactly the vectors \(\textbf{s}\in \{0,1\}^\ell \subset R^\ell\) satisfying \(g(\textbf{s})= 1\) are accepted, P is said to verify a boolean function g.
The polynomial \(((l_0(x)+\sum _{i=1}^m s_il_i(x))^2-1)/a(x)\) is an integer polynomial since a(x) is monic. Below we show that \(\textsf{SSP}\)s over rings (some particular cyclotomic rings) can be used to express general NP verifications. We first state the following corollary about the linearization of the logic gates of a boolean circuit in the ring setting, similar to Theorem 2 in Danezis et al. (2014).
Corollary 18
Let R be a cyclotomic ring and let \(\textrm{C}\) be a circuit with m wires and n fan-in-2 gates. For any prime \(p \ge 11\), we can compute from \(\textrm{C}\) a matrix–vector pair \((\textbf{M},\textbf{v}) \in \mathbb{Z}_p^{m\times d} \times \mathbb{Z}_p^d\) (with \(d = m+n\)) such that C is satisfiable over R if and only if there is a vector \(\textbf{s} \in R_p^m\) with \(\textbf{s} \textbf{M} + \textbf{v} \in \{0,2\}^d\). Moreover, \(\textbf{s} \textbf{M} + \textbf{v} \in \{0,2\}^d\) implies \(\textbf{s} \in \{0,1\}^m\).
Based on this corollary, we can express a boolean circuit C as a ring matrix–vector pair \((\textbf{M}, \textbf{v})\). Subsequently, we delineate the method for constructing an SSP (over ring R) of C from such a pair.
Construction 19
(Square Span Programs over Ring) Let R be a cyclotomic ring and let the prime p be larger than 11. Let \(R_{[0,\pm 1]}\) denote the subset of R whose elements have all coefficients in \(\{0,\pm 1\}\). We assume that for any two distinct elements x, y of \(R_{[0,\pm 1]}\), the difference \(x-y\) is invertible modulo pR.
Taking a circuit \(\textrm{C}\) with m wires and n fan-in-2 gates as input, denote \(d = m+n\). We construct an SSP instance as follows:

Let \((\textbf{M},\textbf{v}) \in \mathbb{Z}_p^{m\times d} \times \mathbb{Z}_p^{d}\) be the matrix–vector pair as Corollary 18.

Select distinct \(r_1,\ldots ,r_d\) in \(R_{[0,\pm 1]}\), arbitrarily.

Interpolate polynomials \(l_0(x), \dots , l_m(x)\) of degree at most \(d-1\) such that
(1) \(l_0(r_i) = v_i - 1 \pmod {pR}\) for \(i\in [d]\); (2) \(l_i(r_j)=\textbf{M}_{ij}\pmod {pR}\) for \(i\in [m], j\in [d]\).

Set \(a(x)=\prod _{i=1}^d (xr_i)\) and output (\(a(x),l_0(x),\ldots ,l_m(x)\)).
We notice that the third step of the above construction is well-defined: any polynomial f(x) of degree at most \(d-1\) over \(R_p [x]\) is uniquely determined by any d values \(y_1,\dots , y_d\) in \(R_p\) prescribed at \(r_1, \dots , r_d\). This is because the j-th Lagrange basis polynomial \(\ell _j(x)=\prod _{i=1,i\ne j}^d (x-r_i)(r_j-r_i)^{-1}\) is uniquely defined, as every \((r_j-r_i)^{-1}\) (the multiplicative inverse modulo pR) exists and is unique.
Theorem 20
The prime p satisfies \(p\equiv 3\bmod 8\), and R is a cyclotomic ring with degree (a power of 2) n. Let \(p>4n\), and \(3^n > d\). Then Construction 19 is a square span program over the ring \(R_p\).
Proof
First, we prove that all the steps of Construction 19 are well-defined under the conditions of the theorem statement. Then we show that the output of this construction is an SSP over \(R_p\).
To establish the well-definedness of the steps, we need to show the following claims: (1) in Step 2, there are indeed d distinct elements in \(R_{[0,\pm 1]}\), and (2) in Step 3, the multiplicative inverse (in \(R_p\)) of every \((r_i - r_j)\) exists.
Claim (1) is easy to see, as there are \(3^n\) distinct elements in \(R_{[0,\pm 1]}\) and \(3^n >d\) by the theorem statement. Claim (2) follows from Lemma 21.
Lemma 21
(Katsumata and Yamada 2016) The prime p satisfies \(p\equiv 3\bmod 8\), and R is a cyclotomic ring with degree (a power of 2) n. Let \(p>4n\). For any distinct elements x and y in \(R_{[0,\pm 1]}\), the difference \(x-y\) is invertible in \(R_p\).
This concludes the first part of our goal. Below we show that the construction outputs an SSP over \(R_p\).
Given the circuit \(\textrm{C}\) mentioned above, we can construct a matrix–vector pair \((\textbf{M},\textbf{v}) \in \mathbb{Z}_p^{m\times d} \times \mathbb{Z}_p^{d}\) as in Corollary 18. Proving that the circuit \(\textrm{C}\) is satisfiable amounts to finding a vector \(\textbf{s} \in R_p^m\) such that \(\textbf{s} \textbf{M} + \textbf{v} \in \{0,2\}^d\). Moreover, \(\textbf{s} \textbf{M} + \textbf{v} \in \{0,2\}^d\) is equivalent to \(\textbf{s} \textbf{M} + \textbf{v}-\textbf{1} \in \{-1,1\}^d\), which further implies \((\textbf{s} \textbf{M} + \textbf{v}-\textbf{1})\circ (\textbf{s} \textbf{M} + \textbf{v}-\textbf{1})= \textbf{1}\), where \(\circ\) denotes the entrywise product and \(\textbf{1}\) is the all-one vector.
Next, as the construction sets \(l_i (r_j) = \textbf{M}_{ij}\) for \(i>0\) and \(l_0(r_j) = \textbf{v}_j-1\), the following holds.
Thus we obtain the following expression: \((\textbf{s} \textbf{M} + \textbf{v}-\textbf{1})\circ (\textbf{s} \textbf{M} + \textbf{v}-\textbf{1}) -\textbf{1}= \left( \left( \sum _{i=1}^m s_il_i(r_1)+l_0(r_1) \right) ^2-1,\ldots , \left( \sum _{i=1}^m s_il_i(r_d)+l_0(r_d) \right) ^2-1 \right)\).
Given any \(\textbf{s} \in R_p^m\) such that \((\textbf{s} \textbf{M} + \textbf{v}-\textbf{1})\circ (\textbf{s} \textbf{M} + \textbf{v}-\textbf{1}) - \textbf{1} = \textbf{0}\), the equivalent condition is that for every \(j\in [d]\), we have \(\left( \sum _{i=1}^m s_il_i(r_j)+l_0(r_j) \right) ^2-1 = 0\), meaning that \(\{r_j\}_{j\in [d]}\) are roots of the polynomial \((\sum _{i=1}^m s_il_i(x)+l_0(x))^2 -1\). Thus, \(a(x)=\prod _{i=1}^d (x-r_i)\) divides \((\sum _{i=1}^m s_il_i(x)+l_0(x))^2-1\).
To conclude, we notice that if C is satisfiable, a vector \(\textbf{s}\) exists such that \((\textbf{s} \textbf{M} + \textbf{v}-\textbf{1})\circ (\textbf{s} \textbf{M} + \textbf{v}-\textbf{1}) - \textbf{1} = \textbf{0}\). The above argument further implies that a(x) divides the polynomial \((\sum _{i=1}^m s_il_i(x)+l_0(x))^2-1\). Conversely, if a vector \(\textbf{s}\) exists such that a(x) divides the polynomial, then \(\{r_j\}_{j\in [d]}\) must be roots of the polynomial, implying \((\textbf{s} \textbf{M} + \textbf{v}-\textbf{1})\circ (\textbf{s} \textbf{M} + \textbf{v}-\textbf{1}) -\textbf{1} = \textbf{0}\). This again proves that C is satisfiable.
Putting things together shows that Construction 19 is a square span program over the ring \(R_p\). \(\hfill\square\)
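As an added illustration of Construction 19 and of the divisibility test used in the proof of Theorem 20 (example code written for this page, not the paper's own implementation), the following Python script builds an SSP over the toy ring \(R_p=\mathbb{Z}_{19}[X]/(X^4+1)\) (so \(p\equiv 3\bmod 8\) and \(p>4n\)) for a constructed one-NAND-gate circuit, checks Lemma 21 exhaustively in that ring, and verifies that \(a(x)\) divides \((l_0(x)+\sum_i s_il_i(x))^2-1\) exactly for the satisfying assignments. The matrix–vector pair and the NAND encoding are assumptions in the shape of Corollary 18, and the inverse routine relies on the product-of-two-subfields structure of \(R_p\) mentioned in the Assumptions section.

```python
# Added example (not from the paper): Construction 19 in a toy ring R_p = Z_p[X]/(X^n+1)
# with n = 4, p = 19 (p = 3 mod 8, p > 4n), applied to a constructed one-NAND-gate circuit.
import itertools

P, N = 19, 4

# --- arithmetic in R_p; an element is a list of N coefficients mod P -----------------
def r_const(c): return [c % P] + [0] * (N - 1)
def r_add(a, b): return [(x + y) % P for x, y in zip(a, b)]
def r_sub(a, b): return [(x - y) % P for x, y in zip(a, b)]

def r_mul(a, b):
    out = [0] * N                         # negacyclic convolution: X^N = -1
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            k, sign = (i + j, 1) if i + j < N else (i + j - N, -1)
            out[k] = (out[k] + sign * x * y) % P
    return out

def r_inv(a):
    # For p = 3 mod 8 and n >= 4 the paper notes R_p = F_{p^{n/2}} x F_{p^{n/2}}, so a unit
    # satisfies a^(p^{n/2}-1) = 1 and a^(p^{n/2}-2) is its inverse; non-units fail the check.
    e, res, base = P ** (N // 2) - 2, r_const(1), a
    while e:
        if e & 1: res = r_mul(res, base)
        base, e = r_mul(base, base), e >> 1
    if r_mul(res, a) != r_const(1):
        raise ZeroDivisionError("not a unit of R_p")
    return res

ZERO, ONE = r_const(0), r_const(1)

# --- polynomials in R_p[x]; a polynomial is a list of ring elements, index = degree ---
def p_add(f, g):
    f, g = f + [ZERO] * (len(g) - len(f)), g + [ZERO] * (len(f) - len(g))
    return [r_add(x, y) for x, y in zip(f, g)]

def p_mul(f, g):
    out = [ZERO] * (len(f) + len(g) - 1)
    for i, x in enumerate(f):
        for j, y in enumerate(g):
            out[i + j] = r_add(out[i + j], r_mul(x, y))
    return out

def p_scale(f, c): return [r_mul(c, x) for x in f]

def p_rem(f, a):
    # remainder of f modulo a(x); a(x) is monic, so no coefficient inverse is needed
    f = list(f)
    while len(f) >= len(a):
        lead, shift = f[-1], len(f) - len(a)
        for i, c in enumerate(a):
            f[shift + i] = r_sub(f[shift + i], r_mul(lead, c))
        f.pop()
    return f

def interpolate(points, values):
    # Lagrange interpolation over R_p (step 3 of Construction 19); each basis polynomial
    # needs (r_j - r_i)^{-1}, which exists by Lemma 21
    result = []
    for j, rj in enumerate(points):
        basis = [ONE]
        for i, ri in enumerate(points):
            if i != j:
                basis = p_scale(p_mul(basis, [r_sub(ZERO, ri), ONE]), r_inv(r_sub(rj, ri)))
        result = p_add(result, p_scale(basis, values[j]))
    return result

def lemma21_holds():
    # exhaustive check of Lemma 21 in the toy ring: any two distinct elements of
    # R_{[0,+-1]} (3^N of them) have an invertible difference
    small = [list(c) for c in itertools.product((0, 1, P - 1), repeat=N)]
    try:
        for x, y in itertools.combinations(small, 2):
            r_inv(r_sub(x, y))
    except ZeroDivisionError:
        return False
    return True

# --- Construction 19 -----------------------------------------------------------------
def build_ssp(M, v, points):
    a = [ONE]
    for r in points:
        a = p_mul(a, [r_sub(ZERO, r), ONE])                       # a(x) = prod (x - r_i)
    l0 = interpolate(points, [r_const(vj - 1) for vj in v])       # l_0(r_j) = v_j - 1
    ls = [interpolate(points, [r_const(mij) for mij in row]) for row in M]  # l_i(r_j) = M_ij
    return a, l0, ls

def ssp_accepts(ssp, s):
    # SSP acceptance: a(x) divides (l_0(x) + sum_i s_i l_i(x))^2 - 1
    a, l0, ls = ssp
    v = l0
    for si, li in zip(s, ls):
        v = p_add(v, p_scale(li, r_const(si)))
    f = p_add(p_mul(v, v), [r_sub(ZERO, ONE)])
    return all(c == ZERO for c in p_rem(f, a))

# Constructed (M, v) in the shape of Corollary 18 for m = 3 wires, n = 1 NAND gate, d = 4:
# wire columns check 2*s_i in {0,2}; the gate column checks 2*s1 + 2*s2 + 4*s3 - 4 in {0,2}
# (assumed NAND encoding after Danezis et al. (2014); the page does not spell it out).
M_NAND = [[2, 0, 0, 2], [0, 2, 0, 2], [0, 0, 2, 4]]
V_NAND = [0, 0, 0, -4]
POINTS = [r_const(0), r_const(1), [0, 1, 0, 0], r_const(-1)]   # distinct, all in R_{[0,+-1]}

def accepted_assignments():
    # the SSP must accept exactly the assignments with s3 = NAND(s1, s2)
    ssp = build_ssp(M_NAND, V_NAND, POINTS)
    return {s for s in itertools.product((0, 1), repeat=3) if ssp_accepts(ssp, s)}
```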
Assumptions
The security of previous SNARK schemes relied on two long-standing assumptions: power knowledge of exponent (PKE) assumptions and power Diffie-Hellman (PDH) assumptions.
The PKE assumption, introduced by Gennaro et al. (2013), is a knowledge assumption that extends the knowledge of exponent assumption (KEA). The original PKE assumption used a discrete-logarithm-hard group-based encoding scheme. Later, Gennaro et al. (2018) changed the encoding scheme to \(\textsf{LWE}\)-based schemes.
The PDH assumption was proposed by Boneh et al. (2005) and Groth (2010); its hardness was built on discrete logarithm problems due to the encoding scheme. By directly altering the encoding scheme, Gennaro et al. (2018) obtained new instantiations whose hardness relies on the \(\textsf{LWE}\) problem.
To build our SNARK schemes, it is necessary to extend the PDH and PKE assumptions to the ring setting. These two assumptions are formally defined in Subsection 4.1. Moreover, we observe a specific scenario in which these assumptions are formulated with some useful auxiliary information. The auxiliary information enables ciphertext operations that improve efficiency without harming the hardness of the assumptions, which is explained in Subsection 4.2.
Assumptions in the ring setting
The q-PKE and q-PDH assumptions in the ring setting follow the nature of those in Gennaro et al. (2013, 2018), except that the encoding scheme is instantiated with Module-\(\textsf{LWE}\). The slight modification stems from the structural difference among groups, integer rings, and polynomial rings.
Definition 22
(q-PKE Assumption Over Ring) R is a cyclotomic ring with degree n and prime modulus p. (\(\textrm{K},\textsf{E},\textsf{D},\textsf{Eval}\)) is an encoding scheme. The q-PKE assumption over R states that for any \(\textsc{ppt}\) adversary \(\mathcal{A}\) and any auxiliary information \(\textsf{aux} \in \{0,1\}^{\textsf{poly}(\lambda )}\) that is independent of \(\alpha\), there exists a \(\textsc{ppt}\) extractor \(\textsf{Ext}\) such that
For the q-PDH assumption in the ring setting, we observe that its form depends on the structure of the ring. Namely, for our choice of ring, \(R_p\) is isomorphic to a product of two subfields of norm \(p^{n/2}\). A nonzero element \(a\in R_p\) is therefore invertible in at least one of the two subfields.
Definition 23
(q-PDH Assumption Over Ring) The prime p satisfies \(p\equiv 3\bmod 8\), and R is a cyclotomic ring with degree (a power of 2) n. (\(\textrm{K},\textsf{E},\textsf{D},\textsf{Eval}\)) is an encoding scheme. The q-PDH assumption over R states that for any \(\textsc{ppt}\) adversary \(\mathcal{A}\),
Assumptions with special auxiliary information
In comparison to the PDH/PKE assumptions stated above, we consider a special case in which some useful auxiliary information is appended. The auxiliary information must satisfy one basic principle: it admits linear operations only.
Following this idea, we take a new perspective on the key-switching procedure. Recall that a complete key-switching algorithm consists of two steps: key-switching key generation, and the product of the bit-decomposed ciphertext with the key-switching key. Taken as a whole, the key-switching algorithm is clearly nonlinear. Nevertheless, once the key-switching key is available, the product is just a linear combination of the key-switching key with the decomposition of the ciphertext. Note also that adaptively chosen key-switching keys cannot be incorporated into the auxiliary information, since with them ciphertexts could be evaluated homomorphically by means of modulus-switching and key-switching, as demonstrated in Brakerski et al. (2014).
An important observation is that we can separate the linear and nonlinear parts of the key-switching procedure. The separation consists in putting some predetermined key-switching keys into the auxiliary information. This means that if the adversary wants to make use of the key-switching keys, the remaining operations available to it are linear, and so the knowledge assumption (PKE assumption) is not violated.
Next, we give a formal description of the strengthening q-PKE assumption, which embeds suitable key-switching keys into the q-PKE assumption:
Definition 24
(The Strengthening q-PKE Assumption) (\(\textrm{K},\textsf{E},\textsf{D},\textsf{Eval}\)) is an encoding scheme and \(\textsf{KeySwitch}=(\textsf{SwitKeyGen},\textsf{KeySwit})\) is a key-switching algorithm. The strengthening q-PKE assumption states that for any automorphism or identity mapping f, any \(\textsc{ppt}\) adversary \(\mathcal{A}\), any auxiliary information \(\textsf{aux}\) and key-switching keys \(\textsf{switkey}\), which are independent of \(\alpha\), there exists a \(\textsc{ppt}\) extractor, denoted as \(\textsf{Ext}\), such that
Lemma 25
If the encoding scheme (\(\textrm{K},\textsf{E},\textsf{D}\)) satisfies the strengthening q-PKE assumption, then it satisfies the q-PKE assumption over rings.
Proof
The proof is direct. If a \(\textsc{ppt}\) adversary can break the q-PKE assumption over rings, then it outputs a valid pair \((\mathbf{c_1},\mathbf{c_2})\) such that \(\textsf{D}_{\textsf{sk}}(\mathbf{c_2})=\alpha \textsf{D}_{\textsf{sk}}(\mathbf{c_1})\) with polynomial probability. This pair is also a valid pair for the strengthening q-PKE assumption. \(\hfill\square\)
Similarly, we give the formal definition of the strengthening q-PDH assumption.
Definition 26
(The Strengthening q-PDH Assumption) (\(\textrm{K},\textsf{E},\textsf{D},\textsf{Eval}\)) is an encoding scheme and \(\textsf{KeySwitch}=(\textsf{SwitKeyGen},\textsf{KeySwit})\) is a key-switching algorithm. The strengthening q-PDH assumption states that for any automorphism or identity mapping f, any \(\textsc{ppt}\) adversary \(\mathcal{A}\), any auxiliary information \(\textsf{aux}\) and key-switching keys \(\textsf{switkey}\),
Lemma 27
If the encoding scheme (\(\textrm{K},\textsf{E},\textsf{D}\)) satisfies the strengthening q-PDH assumption, then it satisfies the q-PDH assumption over rings.
Proof
The proof is similar. If a \(\textsc{ppt}\) adversary can break the q-PDH assumption over rings, then it outputs an encoding \({\hat{c}}\) such that \(\textsf{D}_{\textsf{sk}}({\hat{c}})\bmod {\mathfrak{p}} _1\equiv s^{q+1} \text{ or } \textsf{D}_{\textsf{sk}}({\hat{c}})\bmod {\mathfrak{p}} _2\equiv s^{q+1}\) with polynomial probability. This encoding is also a valid encoding for the strengthening q-PDH assumption. \(\hfill\square\)
Lemmas 25 and 27 show that our new assumptions are stronger than the previous ones, hence the name. Next, we discuss the feasibility of our new assumptions.
Feasibility of New Assumptions. Our modified PKE assumption, which enhances the PKE assumption, is rooted in prior knowledge assumptions but refined by the specific ring structure. Furthermore, a set of predetermined key-switching keys is appended to the auxiliary information. The feasibility of this strategy rests on the fact that the key-switching procedure can be separated into a nonlinear component (key generation) and a linear component. Since the key-switching keys are fixed, the adversary is limited to linear evaluations, which does not violate the PKE assumption.
The q-PDH assumption is also amenable to combination with key-switching keys without compromising the secrecy of \(\textsf{sk}\), since the encoding scheme is \(\textsf{IND}\)-\(\textsf{CPA}\) secure. Consequently, including extra key-switching keys does not affect the hardness of the q-PDH assumption.
Parameters. The PKE assumption still holds over a small field (or a ring with a small ideal norm). This is due to the sparseness of valid pairs of \(\textsf{MLWE}\) encodings, which requires a relation by \(\alpha\) between the two messages.
Yet, the PDH assumption does not maintain its hardness over a polynomial-sized field \(\mathbb{F}\). The direct consequence is that one can accurately deduce the value of s with probability \(1/\textsf{poly}(\lambda )\) and subsequently compute \(\textsf{E}_{\textsf{sk}}(s^{q+1})\). Moreover, Ishai et al. (2021) described a more efficient attack: the adversary selects random and independent \(x_1,\ldots ,x_{2q}\in \mathbb{F}\) and computes \(f(x)=\prod _{i=1}^{2q}(x-x_i)\), whose roots are the \(x_i\). If s collides with any \(x_i\), the adversary can compute \(\textsf{E}_{\textsf{sk}}(s^{q+1})\), since the coefficient of \(x^{q+1}\) in f(x) is nonzero with non-negligible probability. Consequently, we require \(2q/|\mathbb{F}|<2^{-\lambda }\) to reach a \(\lambda\)-bit security level.
Zero-knowledge succinct non-interactive argument of knowledge schemes
In this section, we present two constructions of zkSNARKs: a basic construction and then an optimized variant. The basic construction generalizes the framework of \(\textsf{SSP}\)-based SNARKs (Gennaro et al. 2018) to the ring setting and then applies the technique of modulus switching to reduce the proof length. From the basic scheme, we then design the optimized construction, based on the strengthening assumptions (Definitions 24 and 26) and additional techniques including key-switching and packing, to optimize the parameters.
Below we first present the basic scheme.
The basic scheme
Construction 28
(Basic zkSNARK) For any NP relation \({\mathcal{L}}=\{(u,\omega ):C(u,\omega )=1\}\) related to a boolean circuit C, the protocol \(\Pi _1\) is composed of three \(\textsc{ppt}\) algorithms \((\Pi _1.\textsf{Setup}, \Pi _1.\textsf{Prove}, \Pi _1.\textsf{Verify})\), and uses an encoding scheme \(({\textsf{K}},\textsf{E},\textsf{D},\textsf{Eval})\) (e.g., Construction 6) and an \(\textsf{SSP}\) generation algorithm (e.g., Construction 19) as building blocks. It works as follows:

\(\Pi _1.\textsf{Setup}(\lambda )\rightarrow (\textsf{crs},\textsf{vrs},\textsf{td})\):
1. Run \((\textbf{s},\textbf{F}){\mathop {\leftarrow }\limits ^{\$}} {\textsf{K}}\left( 1,k\right)\) and sample \(\beta ,r,\alpha {\mathop {\leftarrow }\limits ^{\$}} R_p\). Set \(\textsf{vrs}=\textsf{td}= (\textbf{s},\alpha ,\beta ,r)\).
2. Run \(ssp=(a(x), v_0(x),\ldots ,v_m(x))\leftarrow \textsf{SSP}(\textrm{C})\), and compute \(\rho =(\textsf{E}_{\textbf{s}}(1),\ldots ,\textsf{E}_{\textbf{s}}(r^d),\textsf{E}_{\textbf{s}}(\alpha ),\ldots ,\textsf{E}_{\textbf{s}}(\alpha r^d),\textsf{E}_{\textbf{s}}(\beta a(r)),\{\textsf{E}_{\textbf{s}}(\beta v_{i}(r))\}_{i=\ell _{u}+1}^{m})\). Set \(\textsf{crs}=(ssp,\rho ,\textbf{F})\).
3. Return \((\textsf{crs},\textsf{vrs},\textsf{td})\).

\(\Pi _1.\textsf{Prove}(\textsf{crs},u,\omega )\rightarrow \pi\):
1. Parse \(u=(u_1,\ldots ,u_{\ell _{u}})\in \{0,1\}^{\ell _{u}}\), \(\omega =(\omega _{\ell _{u}+1},\ldots ,\omega _m)\), and sample \(\gamma {\mathop {\leftarrow }\limits ^{\$}} R_p\). Then compute \(v(x)=v_0(x)+\sum _{i=1}^{\ell _u} u_iv_i(x)+\sum _{i=\ell _u+1}^{m} \omega _iv_i(x)+\gamma a(x)\), \(v^*(x)=\sum _{i=\ell _u+1}^{m} \omega _iv_i(x)+\gamma a(x)\) and \(h(x)=(v^2(x)-1)/a(x)\).
2. Run \(\textsf{Eval}\) to compute
\(\bullet\) \(H=\textsf{Eval} (\{\textsf{E}_{\textbf{s}}(r^i),h_i\}_{i=0}^d,\textbf{F})=\textsf{E}_{\textbf{s}}(h(r))\),
\(\bullet\) \({\hat{H}}=\textsf{Eval} (\{\textsf{E}_{\textbf{s}}(\alpha r^i),h_i\}_{i=0}^d,\textbf{F})=\textsf{E}_{\textbf{s}}(\alpha h(r))\),
\(\bullet\) \({\hat{V}}= \textsf{Eval} (\{\textsf{E}_{\textbf{s}}(\alpha r^i),v_i\}_{i=0}^d,\textbf{F})=\textsf{E}_{\textbf{s}}(\alpha v(r))\),
\(\bullet\) \(\hat{V^*}= \textsf{Eval} (\{\textsf{E}_{\textbf{s}}(\beta v_i(r)),\omega _i\} _{i=\ell _u+1}^m \cup \{\textsf{E}_{\textbf{s}}(\beta a(r)),\gamma \},\textbf{F})=\textsf{E}_{\textbf{s}}(\beta v^*(r))\),
\(\bullet\) \(V^*=\textsf{Eval} (\{\textsf{E}_{\textbf{s}}(r^i),v^*_i\}_{i=0}^d,\textbf{F})=\textsf{E}_{\textbf{s}}(v^*(r))\).
3. Sample \(\{e_{sm,i}\}_{i\in \{1,\ldots ,5\}}{\mathop {\leftarrow }\limits ^{\$}} [-B_{sm},B_{sm}]\), and compute \((H', {\hat{H}}', {\hat{V}}', \hat{V^*}', {V^*}')=(H, {\hat{H}}, {\hat{V}}, \hat{V^*}, V^*)+(pe_{sm,1},pe_{sm,2},pe_{sm,3},pe_{sm,4},pe_{sm,5})\).
4. Run \(\textsf{ModSwit}\) to compute
\(\bullet\) \(H''\leftarrow \textsf{ModSwit}(H',Q,Q',p)\),
\(\bullet\) \({\hat{H}}''\leftarrow \textsf{ModSwit}({\hat{H}}',Q,Q',p)\),
\(\bullet\) \({\hat{V}}''\leftarrow \textsf{ModSwit}({\hat{V}}',Q,Q',p)\),
\(\bullet\) \(\hat{V^*}''\leftarrow \textsf{ModSwit}(\hat{V^*}',Q,Q',p)\),
\(\bullet\) \({V^*}''\leftarrow \textsf{ModSwit}({V^*}',Q,Q',p)\).
5. Return \(\pi =(H'', {\hat{H}}'', {\hat{V}}'', \hat{V^*}'', {V^*}'')\in R_{Q'}^{(k+1)\times 5}\).

\(\Pi _1.\textsf{Verify}(\textsf{vrs},u,{\tilde{\pi }})\rightarrow 0/1\):
1. Parse \(u=(u_1,\ldots ,u_{\ell _{u}})\in \{0,1\}^{\ell _{u}}\), \({\tilde{\pi }}=({\tilde{H}}, \tilde{{\hat{H}}}, \tilde{{\hat{V}}}, \tilde{\hat{V^*}}, \tilde{V^*})\) and compute \(v_r^*=\textsf{D}_{\textbf{s}}(\tilde{V^*})\), \(b^*_r=\textsf{D}_{\textbf{s}}(\tilde{\hat{V^*}})\), \(h_r=\textsf{D}_{\textbf{s}}({\tilde{H}})\), \(\hat{h_r}=\textsf{D}_{\textbf{s}}(\tilde{{\hat{H}}})\), \(\hat{v_r}=\textsf{D}_{\textbf{s}}(\tilde{{\hat{V}}})\), \(a_r=a(r)\) and \(v_r=v_0(r)+\sum _{i=1}^{\ell _u} u_iv_i(r)+v^*_r\).
2. Check if the following equations hold:
\(\bullet\) \(\alpha h_r=\hat{h_r}\),
\(\bullet\) \(\alpha v_r=\hat{v_r}\),
\(\bullet\) \(v_r^2-1=h_r\cdot a_r\),
\(\bullet\) \(b^*_r=\beta v_r^*\).
If all of the equations are satisfied, then proceed to the subsequent step; otherwise, terminate the process and output “0”.
Theorem 29
The prime p satisfies \(p\equiv 3\bmod 8\) and the cyclotomic ring R is \({\mathbb{Z}}[\zeta _{2n}]\cong {\mathbb{Z}}[X]/(X^n+1)\) with degree n. Assume the hardness of the \(\textsf{MLWE}\) assumption, the strengthening q-PDH assumption and the strengthening q-PKE assumption, as well as \(\textsf{IND}\)-\(\textsf{CPA}\) security of the encoding scheme. Then for any modulus \(Q>2^{\kappa +4}\sigma np^2\left( d+pn\right) \left( p\sqrt{2dn\kappa }+2\sigma n \kappa k\right)\), \(Q=1\bmod p\), and switched modulus \(Q'>4np^2\left( \sigma \sqrt{nk\kappa }+n\right)\), \(Q'=1\bmod p\), Construction 28 is a zero-knowledge succinct non-interactive adaptive argument of knowledge (zkSNARK) for any square span program relation \((u,\omega )\in {\mathcal{L}}\).
The proof is similar to that of the optimized scheme below; for brevity, we defer it to Appendix B.
The optimized scheme
The optimized scheme further improves the efficiency of the basic construction using more algebraic techniques. At a high level, we can pack multiple Module-LWE encodings over a lower-dimension ring into one Module-LWE encoding over a higher-dimension ring via a packing technique. Since encodings over a higher-dimension ring have a better rate (output/input length ratio), the key-switching technique can further compress the length of the proof (by a factor of 8x in our concrete instantiations). However, as the key-switching procedure requires an additional key-switching key, our security proof relies on stronger assumptions (Definitions 24 and 26). Below we present the description of the optimized scheme.
Construction 30
(Optimized zkSNARK) For any NP relation \({\mathcal{L}}=\{(u,\omega ):C(u,\omega )=1\}\) related to a boolean circuit C, the optimized protocol \(\Pi _2\) is composed of three \(\textsc{ppt}\) algorithms \((\Pi _2.\textsf{Setup}, \Pi _2.\textsf{Prove}, \Pi _2.\textsf{Verify})\), and uses an encoding scheme \((\textrm{K},\textsf{E},\textsf{D},\textsf{Eval})\) (e.g., Construction 6), an \(\textsf{SSP}\) generation algorithm (e.g., Construction 19) and a key-switching algorithm \((\textsf{SwitKeyGen},\textsf{KeySwit})\) as building blocks. It is defined as follows:

\(\Pi _2.\textsf{Setup}(\lambda )\rightarrow (\textsf{crs},\textsf{vrs},\textsf{td})\):
1. \(\boxed { {\textrm{Run}}\, (\mathbf{s_1},\textbf{F})\leftarrow \textrm{K}(1,k), (\mathbf{s_2},\textbf{F}_2),(\mathbf{s_3},\textbf{F}_3)\leftarrow \textrm{K}(1,k')\, {\mathrm{independently.}}}\) Sample \(\alpha ,\beta ,r{\mathop {\leftarrow }\limits ^{\$}} R_p\). Set \(\textsf{vrs}=\textsf{td}= (\mathbf{s_1},\mathbf{s_2},\alpha ,\beta ,r)\).
2. Run \(ssp=(a(x),v_0(x),\ldots ,v_m(x))\leftarrow \textsf{SSP}(\textrm{C})\). \(\boxed { {\textrm{Run}}\, \textbf{B}\leftarrow \textsf{SwitKeyGen}\, (\mathbf{s_1},\mathbf{s_2}),}\) \(\boxed {\mathbf{B'}\leftarrow \textsf{SwitKeyGen}(\mathbf{s_1},\mathbf{s_3}),}\) \(\boxed { \textbf{B}_i\leftarrow \textsf{SwitKeyGen}(\tau _i(\mathbf{s_2}),\mathbf{s_3}),\,}\) \(\boxed { \text{for} \, i\in \mathbb{Z}_{16}^*, {\text{where}}\, \tau _i \,{\text{are}}\, {\text{predetermined}}}\) \(\boxed {\text{automorphisms} \, \text{over} \, \mathcal{R}.}\) Then run \(\textsf{E}\) to obtain \(\rho =(\textsf{E}_{\mathbf{s_1}}(1),\textsf{E}_{\mathbf{s_1}}(r),\ldots ,\textsf{E}_{\mathbf{s_1}}(r^d),\textsf{E}_{\mathbf{s_1}}(\alpha ),\textsf{E}_{\mathbf{s_1}}(\alpha r),\ldots ,\textsf{E}_{\mathbf{s_1}}(\alpha r^d),\textsf{E}_{\mathbf{s_1}}(\beta a(r)),\{\textsf{E}_{\mathbf{s_1}}(\beta v_{i}(r))\}_{i=\ell _{u}+1}^{m})\). \(\boxed { {\textrm{Set}}\, \textsf{crs}=(ssp,\rho ,\textbf{F},\textbf{B}, \mathbf{B'},\{\textbf{B}_i\}_{i\in \mathbb{Z}_{16}^*}).}\)
3. Return \((\textsf{crs},\textsf{vrs},\textsf{td})\).

\(\Pi _2.\textsf{Prove}(\textsf{crs},u,\omega )\rightarrow \pi '\):
1. Parse \(u=(u_1,\ldots ,u_{\ell _{u}})\in \{0,1\}^{\ell _{u}}\), \(\omega =(\omega _{\ell _{u}+1},\ldots ,\omega _m)\), and sample \(\gamma {\mathop {\leftarrow }\limits ^{\$}} R_p\). Then compute \(v(x)=v_0(x)+\sum _{i=1}^{\ell _u} u_iv_i(x)+\sum _{i=\ell _u+1}^{m} \omega _iv_i(x)+\gamma a(x)\), \(v^*(x)=\sum _{i=\ell _u+1}^{m} \omega _iv_i(x)+\gamma a(x)\) and \(h(x)=(v^2(x)-1)/a(x)\).
2. Run \(\textsf{Eval}\) to compute
\(\bullet\) \(H=\textsf{Eval} (\{\textsf{E}_{\textbf{s}}(r^i),h_i\}_{i=0}^d,\textbf{F})=\textsf{E}_{\textbf{s}}(h(r))\),
\(\bullet\) \({\hat{H}}=\textsf{Eval} (\{\textsf{E}_{\textbf{s}}(\alpha r^i),h_i\}_{i=0}^d,\textbf{F})=\textsf{E}_{\textbf{s}}(\alpha h(r))\),
\(\bullet\) \({\hat{V}}= \textsf{Eval} (\{\textsf{E}_{\textbf{s}}(\alpha r^i),v_i\}_{i=0}^d,\textbf{F})=\textsf{E}_{\textbf{s}}(\alpha v(r))\),
\(\bullet\) \(\hat{V^*}= \textsf{Eval} (\{\textsf{E}_{\textbf{s}}(\beta v_i(r)),\omega _i\} _{i=\ell _u+1}^m \cup \{\textsf{E}_{\textbf{s}}(\beta a(r)),\gamma \},\textbf{F})=\textsf{E}_{\textbf{s}}(\beta v^*(r))\),
\(\bullet\) \(V^*=\textsf{Eval} (\{\textsf{E}_{\textbf{s}}(r^i),v^*_i\}_{i=0}^d,\textbf{F})=\textsf{E}_{\textbf{s}}(v^*(r))\).
3. Sample \(\{e_{sm,i}\}_{i\in \{1,\ldots ,5\}}{\mathop {\leftarrow }\limits ^{\$}} [-B_{sm},B_{sm}]\), and compute \((H', {\hat{H}}', {\hat{V}}', \hat{V^*}', {V^*}')=(H, {\hat{H}}, {\hat{V}}, \hat{V^*}, V^*)+(pe_{sm,1},pe_{sm,2},pe_{sm,3},pe_{sm,4},pe_{sm,5})\).
4. Run \(\textsf{ModSwit}\) to compute
\(\bullet\) \(H''\leftarrow \textsf{ModSwit}(H',Q,Q',p)\),
\(\bullet\) \({\hat{H}}''\leftarrow \textsf{ModSwit}({\hat{H}}',Q,Q',p)\),
\(\bullet\) \({\hat{V}}''\leftarrow \textsf{ModSwit}({\hat{V}}',Q,Q',p)\),
\(\bullet\) \(\hat{V^*}''\leftarrow \textsf{ModSwit}(\hat{V^*}',Q,Q',p)\),
\(\bullet\) \({V^*}''\leftarrow \textsf{ModSwit}({V^*}',Q,Q',p)\).
5. \(\boxed { {\textrm{Let}}\, \pi =Pack(\hat{V^*}'',H'', {\hat{H}}'',{V^*}'', {\hat{V}}'')\in \mathcal{R}_{Q'}^{k+1}.}\)
6. \(\boxed { {\textrm{Run}}\, \textsf{KeySwit}\, {\textrm{to compute and return}}\, \pi '=\textsf{KeySwit}(B,\pi ).}\)

\(\Pi _2.\textsf{Verify}(\textsf{vrs},u,{\tilde{\pi }})\rightarrow 0/1\):
1. Parse \(u=(u_1,\ldots ,u_{\ell _{u}})\in \{0,1\}^{\ell _{u}}\) and \({\tilde{\pi }}=({\tilde{H}}, \tilde{{\hat{H}}}, \tilde{{\hat{V}}}, \tilde{\hat{V^*}}, \tilde{V^*})\).
2. \(\boxed { {\textrm{Compute}}\, m'=\textsf{D}_{\mathbf{s_2}}({\tilde{\pi }})\in \mathcal{R}, {\textrm{and parse}}\, m' {\textrm{as}}\, (b^*_r,h_r,\hat{h_r},v^*_r,\hat{v_r},0,0,0).}\) Then compute \(a_r=a(r)\) and \(v_r=v_0(r)+\sum _{i=1}^{\ell _u} u_iv_i(r)+v^*_r\).
3. Check if the following equations hold:
\(\bullet\) \(\alpha h_r=\hat{h_r}\),
\(\bullet\) \(\alpha v_r=\hat{v_r}\),
\(\bullet\) \(v_r^2-1=h_r\cdot a_r\),
\(\bullet\) \(\beta v^*_r=b^*_r\).
If all of the equations are satisfied, then proceed to the subsequent step; otherwise, terminate the process and output “0”.
To show that Construction 30 is a zkSNARK, we first prove three separate properties, namely completeness, computational honest-verifier zero-knowledge, and computational argument of knowledge, corresponding to Theorems 31, 32 and 33 respectively. Then we put them together and further prove the succinctness property to show that Construction 30 is a zkSNARK.
Completeness
Theorem 31
The prime p satisfies \(p\equiv 3\bmod 8\), and R, \(\mathcal{R}\) are cyclotomic rings with degrees n, 8n. For any modulus Q satisfying \(Q=1\bmod p\), \(Q>2^{\kappa +3}\cdot 9 \sigma np^2\left( d+pn\right) \left( p\sqrt{2dn\kappa }+2\sigma n \kappa k\right)\), and switched modulus \(Q'\) satisfying \(Q'=1\bmod p\), \(Q'> 2np^2\left[ 9(\sigma \sqrt{nk\kappa }+n)+18\sigma '\sqrt{(k+1)8n\kappa \log {Q'}}+16\sigma ''\sqrt{(k'+1)8n\kappa \log {Q'}} \right]\), Construction 30 satisfies completeness with probability at least \((1-8n\exp (-\pi \kappa /\sigma ^2))\cdot (1-16n\exp (-\pi \kappa /\sigma '^2))\).
Proof
We show that the infinity norm of the final noise in \(\pi '\) remains below half of the switched modulus when the prover follows the protocol. Our analysis tracks the evolution of the noise through each step.
In the setup stage, \(\{\textsf{E}_{\mathbf{s_1}}(\beta v_{i}(r))\}_{i=\ell _{u}+1}^{m}\) and \(\textsf{E}_{\mathbf{s_1}}(\beta a(r))\) are computed by additive homomorphic evaluations, and we have \(B_{\textsf{crs}}=\sigma p^2\sqrt{2dn\kappa }+2p\sigma ^2n\kappa k\) with probability \(1-6n\exp (-\pi \kappa /\sigma ^2)\). In the proving stage, we first compute 5 evaluations; the largest noise growth occurs in \(\hat{V^*}\), namely \(B_{\hat{V^*}}=B_{\textsf{crs}}(m-\ell _u+pn)=(\sigma p^2\sqrt{2dn\kappa }+2p\sigma ^2n\kappa k)(m-\ell _u+pn)\) with probability \(1-6n\exp (-\pi \kappa /\sigma ^2)\). Noise smudging increases the error bound to \((2^{\kappa }+1)B_{\hat{V^*}}\), so the infinity norm is less than \((2^{\kappa }+1)(\sigma p^2\sqrt{2dn\kappa }+2p\sigma ^2n\kappa k)(m-\ell _u+pn)\) with probability \(1-6n\exp (-\pi \kappa /\sigma ^2)\). After modulus-switching, the bound \(B_{\hat{V^*}'}\) is less than \(\gamma Q'+\frac{p}{2}(\sigma \sqrt{\kappa nk}+n)\) with probability \(1-2n\exp (-\pi \kappa /\sigma ^2)\), provided that \((2^{\kappa }+1)(\sigma p^2\sqrt{2dn\kappa }+2p\sigma ^2n\kappa k)(m-\ell _u+pn)+2dnp^2(m-\ell _u+pn) <\gamma Q\). The packing procedure does not introduce extra noise. Applying key-switching introduces the additional noise \(p\langle \textsf{BD}(\pi ),\mathbf{e'}\rangle\), whose infinity norm is no more than \(p\sigma '\sqrt{(k+1)8n\kappa \log {Q'}}\) with probability \(1-16n\exp (-\pi \kappa /\sigma '^2)\). Since the noise \(\mathbf{e'}\) in the key-switching key is independent of the noise in \(\textsf{crs}\), the infinity norm of the whole error in the proof is no more than \(e_{\pi '}=\gamma Q'+\frac{p}{2}(\sigma \sqrt{\kappa nk}+n)+p\sigma '\sqrt{(k+1)8n\kappa \log {Q'}}\) with probability \((1-8n\exp (-\pi \kappa /\sigma ^2))\cdot (1-16n\exp (-\pi \kappa /\sigma '^2))\).
Therefore, the proof can be decrypted correctly as long as \(\gamma Q'+\frac{p}{2}(\sigma \sqrt{\kappa nk}+n)+p\sigma '\sqrt{(k+1)8n\kappa \log {Q'}}<\frac{Q'}{2}\). \(\hfill\square\)
Computational Honest-verifier Zero-knowledge
Theorem 32
Assume the hardness of the \(\textsf{MLWE}\) assumption, the strengthening q-PDH assumption and the strengthening q-PKE assumption. Suppose that the encoding scheme is \(\textsf{IND}\)-\(\textsf{CPA}\) secure. Then for \(Q,Q'\) as defined in Theorem 31, Construction 30 satisfies computational honest-verifier zero-knowledge.
Proof
To establish the computational honest-verifier zero-knowledge property, we construct a \(\textsc{ppt}\) simulator \(\textsf{Sim}=(\mathcal{S}_1,\mathcal{S}_2)\) whose output distribution is computationally indistinguishable from the distribution of an honest execution. We divide the whole protocol into three stages: the setup phase, the first three steps of the prover, and the remaining three steps of the prover.
The construction of \(\textsf{Sim}\) is presented in Fig. 1. It differs from the real case in two aspects: first, a(r) is always invertible in the simulated case; second, the simulator encodes messages directly using the trapdoor instead of applying additive homomorphic evaluation to \(\textsf{crs}\).
In the first stage, the statistical distance between \(\mathcal{S}_1\) and the real setup algorithm is at most \(2/p^{\frac{n}{2}}\), as the probability that a randomly chosen \(a(r)\bmod {\mathfrak{p}}_i\) equals 0 is \(\frac{2\cdot p^{n/2}-1}{p^n}\approx 2/p^{\frac{n}{2}}\). This means that the output distribution of \(\mathcal{S}_1(u)\) is statistically close to the output distribution of the real setup algorithm.
In the second stage, the simulator and the real prover take the output of the first stage as input and generate \((H'', {\hat{H}}'', {\hat{V}}'', \hat{V^*}'', {V^*}'')\). In the real protocol, the prover uses re-randomized evaluation (Construction 6), and each encoding consists of two parts, (\(\textbf{a},b\)). From Construction 6, \(\textbf{a}\) is a pseudorandom ring vector over \(\mathcal{R}^{k'}\), assuming the hardness of the \(\textsf{MLWE}\) assumption. After noise smudging, the distribution of b is statistically indistinguishable from the noise distribution by Lemma 12.
In the simulated case, the prover encodes directly using the \(\textsf{MLWE}\) encoding scheme. Each encoding again consists of two parts, (\(\mathbf{a'},b'\)). In the \(\textsf{MLWE}\) encoding scheme, \(\mathbf{a'}\) is truly random. Thus the distribution of \(\textbf{a}\) and the distribution of \(\mathbf{a'}\) are computationally indistinguishable. After noise smudging, the distribution of \(b'\) is statistically indistinguishable from the noise distribution by Lemma 12. Hence the distributions of b and \(b'\) are the same.
Up to now, we have shown that the two executions are computationally indistinguishable after the first two stages. In the third stage, the simulator and the real prover perform the same modulus switching, packing algorithm, and key-switching, which implies that the two distributions remain indistinguishable.
Putting things together, Construction 30 satisfies computational honest-verifier zero-knowledge. \(\hfill\square\)
Computational Argument of Knowledge
Theorem 33
Assume the hardness of the \(\textsf{MLWE}\) assumption, the strengthening q-PDH assumption, and the strengthening q-PKE assumption. Suppose that the encoding scheme is \(\textsf{IND}\)-\(\textsf{CPA}\) secure. Then for \(Q,Q'\) as defined in Theorem 31, Construction 30 satisfies computational argument of knowledge with knowledge error \(2(qm+\ell _u)/p^{\frac{n}{2}}\).
Proof
We show this via a reduction: assuming the existence of a \(\textsc{ppt}\) adversary that produces a valid proof \(\pi '\), we break the hardness of the strengthening q-PDH assumption. More concretely, assuming the existence of a \(\textsc{ppt}\) adversary, denoted as \(\mathcal{A} ^{\pi '}\), who can forge a proof for a false statement that passes the verification, at least one of the following two events occurs.

\(E_1\): \(v^2(r)1= a(r)h(r)\) and \(v^2(x)1\ne a(x)h(x)\).

\(E_2\): \(v^*(x)\) can not be represented as a linear combination of a(x), \(v_{\ell _u+1}(x)\), \(\ldots\),\(v_m(x)\), but the message encoded in the \(\hat{V^*}''\) equals \(\beta v^*(r)\).
We can demonstrate that the occurrence of either event \(E_1\) or \(E_2\) results in breaking the strengthening of qPDH assumption. The construction of the adversary \(\mathcal{A} ^{PDH }\) closely resembles that presented in Gennaro et al. (2018). Nevertheless, contrary to the proof presented in Gennaro et al. (2018), our construction is built over the ring. Accordingly, we emphasize the approach to deal with the inverse of a ring element.
A valid proof consists of a single encoding in \(\mathcal{R}_{Q'}^{k'+1}\). By executing the unpack algorithm, we obtain 5 encodings. The dPKE assumption guarantees a \(\textsc{ppt}\) extractor \(\textsf{Ext} ^{PKE }\) that extracts \(h(x)\) from \((H'', {\hat{H}}'')\) and \(v(x)\) from \((V'',{\hat{V}}'')\), where \(V''\) is computed by homomorphic evaluation together with \({V^*}''\). Set \(z(x)=v^2(x)-1-a(x)h(x)\). The event \(E_1\) implies that \(z(x)\) is not the zero polynomial and \(z(r)=0\). We assume the highest degree with a nonzero coefficient is \(k\) (\(k\le 2d\)) and parse \(z(x)\) as \(\sum _{i=0}^k z_ix^i\). Since \(z_k\ne 0\), there exists at least one ideal such that \(z_k\bmod {\mathfrak{p}}_i\ne 0\) (here \(z_k\) is treated as a ring element). Without loss of generality, we suppose that \(z_k\bmod {\mathfrak{p}}_1\ne 0\), and then \(z_k\) has an inverse \(z_k^{-1}\) in \(R_p/{\mathfrak{p}}_1\).
Next, we show how to compute \(\textsf{E}_{\mathbf{s_1}}(r^{q+1})\). We have \(z(r)\bmod {\mathfrak{p}}_1=0\) since \(z(r)=0\bmod p\). Let \({\tilde{z}}(x)=((x^{k} - z_k^{-1} \cdot z(x))\bmod p)\bmod {\mathfrak{p}}_1\), which has degree at most \(k-1\). Clearly, \(r^k-{\tilde{z}}(r)\) equals zero over \(R/{\mathfrak{p}}_1\), and so does \(r^{q+1}-r^{q+1-k}{\tilde{z}}(r)\). This means that if we can derive \(\textsf{E}_{\mathbf{s_1}}(r^{q+1-k}{\tilde{z}}(r))\), we also obtain \(\textsf{E}_{\mathbf{s_1}}(r^{q+1})\). As the degree of \(x^{q+1-k}{\tilde{z}}(x)\) is at most \(q\), we compute \(\textsf{E}_{\mathbf{s_1}}(r^{q+1-k}{\tilde{z}}(r))\) by the homomorphic evaluation \(\textsf{Eval} (\{\textsf{E}_{\mathbf{s_1}}(r^{q+1-k+i}),{\tilde{z}}_i\}_{i=0}^{k-1},\textbf{F})\). Furthermore, we require \(q\ge 2d-1\) to make sure that \(q+1-k\) is non-negative, since \(k\) is at most \(2d\). This breaks the hardness of the strengthening qPDH assumption for \(q\ge 2d-1\).
Similarly, if the event \(E_2\) happens, we can also construct an adversary for the qPDH assumption. Specifically, we first generate the \(\textsf{crs}\) as in the case of event \(E_1\), except for the way of computing \(\{\textsf{E}_{\mathbf{s_1}}(\beta v_{i}(r))\}_{i=\ell _{u}+1}^{m}\) and \(\textsf{E}_{\mathbf{s_1}}(\beta a(r))\). Following the idea of Gennaro et al. (2018), we interpret \(\beta\) as \(f(r)\), where \(f(x)\in {\mathcal{F}}\) and \({\mathcal{F}}\) is the function class \(\{f(x):\text{the coefficients of } x^{q+1} \text{ in } f(x)v_{i}(x) \text{ and } f(x)a(x) \text{ are zero, } \forall i\in [\ell _u+1,m] \}\). Under this condition, we can generate the \(\textsf{crs}\) without knowing \(\textsf{E}_{\mathbf{s_1}}(r^{q+1})\). Meanwhile, the \(m-\ell _u+1\) constraints in \({\mathcal{F}}\) reduce the degrees of freedom of \(f(x)\) to \(q-(m-\ell _u)\). We sample \(f(x)\xleftarrow {\$} {\mathcal{F}}\). Then \(\textsf{E}_{\mathbf{s_1}}(\beta v_{i}(r))=\textsf{E}_{\mathbf{s_1}}(f(r)v_i(r))=\textsf{Eval} (\{\textsf{E}_{\mathbf{s_1}}(r^j),c_{ij}\}_{j=0,j\ne q+1}^{2q},\textbf{F})\) for \(i\in [\ell _u+1,m]\) and \(\textsf{E}_{\mathbf{s_1}}(\beta a(r))=\textsf{E}_{\mathbf{s_1}}(f(r)a(r))=\textsf{Eval} (\{\textsf{E}_{\mathbf{s_1}}(r^j),c'_{j}\}_{j=0,j\ne q+1}^{2q},\textbf{F})\), where \(f(x)v_{i}(x)=\sum _{j=0}^{2q} c_{ij}x^j\) and \(f(x)a(x)=\sum _{j=0}^{2q} c'_jx^j\). As in the case of event \(E_1\), we obtain the proof \(\pi '\). By running the unpacking algorithm on \(\pi '\), we obtain the separated ciphertexts \((\hat{V^*}'',H'', {\hat{H}}'',{V^*}'', {\hat{V}}'')\). Next, we prove that the coefficient of \(x^{q+1}\) in \(f(x)v^*(x)\) (treated as a ring element) is invertible with overwhelming probability. More specifically, let \(f(x)=\sum _{i=0}^q f_ix^i\) and \(v^*(x)=\sum _{i=0}^d v^*_ix^i\); then \(f(x)v^*(x)=\sum _{i=0}^{2d}c_ix^i\) for \(q=d\). The coefficient of \(x^{q+1}\) in \(f(x)v^*(x)\) is \(c_{q+1}=\sum _{i=1}^{q}f_iv^*_{q+1-i}\).
We consider the case that \(c_{q+1}\) is not invertible, which means that \(\sum _{i=1}^{q}f_iv^*_{q+1-i}=0\pmod {{\mathfrak{p}}_j}\) for at least one \(j\in \{1,2\}\). The probability that \(c_{q+1}\) is not invertible is at most \(2(q-m+\ell _u)/p^{n/2}\) by the Schwartz-Zippel lemma. Since the Schwartz-Zippel lemma holds over a field, all elements here are considered as elements of \(R/{\mathfrak{p}}_j\). Therefore, the coefficient of \(x^{q+1}\) is invertible in \(R_p\) with probability \(1-2(q-m+\ell _u)/p^{n/2}\). Recall that \(V^*=\textsf{E}_{\mathbf{s_3}}(\beta v^*(r))=\textsf{E}_{\mathbf{s_3}}(f(r)v^*(r))=\textsf{E}_{\mathbf{s_3}}(\sum _{i=0}^{2q}c_ir^i)\). Then we can obtain \(\textsf{E}_{\mathbf{s_2}}(r^{q+1})\) by subtracting the other terms from \({V^*}''\) (via homomorphic evaluation and key switching) and multiplying by \(c_{q+1}^{-1}\). Concretely, we can compute \(\textsf{E}_{\mathbf{s_3}}(r^{q+1}\bmod {\mathfrak{p}} _1)=c_{q+1}^{-1}({V^*}''-\mathbf{c'})\), where \(\mathbf{c'}\) is \(\textsf{Eval} (\{\textsf{E}_{\mathbf{s_1}}(r^i),c_i\}_{i=0,i\ne q+1}^{2q},\textbf{F})\) after modulus-switching and key-switching. This breaks the strengthening qPDH assumption for \(q=d\).
So far, we have established the computational soundness of Construction 30 with soundness error \(2(q-m+\ell _u)/p^{\frac{n}{2}}\). Furthermore, the construction also satisfies the argument of knowledge property, i.e., there exists a \(\textsc{ppt}\) extractor that recovers the witness whenever the adversary outputs a convincing proof. As the event \(E_2\) happens with negligible probability, the recovered \(v^*(x)\) is a linear combination of \(\{ a(x), v_{\ell _u+1}(x),\ldots ,v_m(x)\}\). Then there are \(m-\ell _u+1\) unknowns and \(d+1\) constraints. The witness \(\omega =(\omega _{\ell _u+1},\ldots ,\omega _m)\) can be recovered by Gaussian elimination since \(d=m+n>m-\ell _u\). \(\hfill\square\)
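As an added worked example (not the paper's own code), the following Python carries out the algebra of the \(E_1\) and \(E_2\) cases of the proof above over a prime field, assumed here as a stand-in for \(R/{\mathfrak{p}}_1\): it builds \({\tilde{z}}(x)\) from a polynomial vanishing at \(r\), checks membership in the class \({\mathcal{F}}\) used to generate the \(\textsf{crs}\), and recovers \(r^{q+1}\) from \(f(r)v^*(r)\) via \(c_{q+1}^{-1}\). The encodings \(\textsf{E}_{\mathbf{s_1}}(r^j)\) are replaced by the plain values \(r^j\), and all polynomials and points are constructed toy values.

```python
# Added example (not the paper's code): the polynomial algebra behind the two
# bad events E_1 and E_2 in the qPDH reduction, worked over a prime field F_p.
# Assumption: F_p stands in for the field R/p_1 of the paper (which has p^{n/2}
# elements), and the encodings E_{s_1}(r^j) are replaced by the plain values
# r^j, which is all that is needed to check the identities the reduction uses.
# All concrete polynomials and points used here are constructed toy values.

P = 283  # the paper's message modulus for n = 64, reused here as a plain prime


def poly_eval(coeffs, x, p=P):
    """Evaluate sum_i coeffs[i] * x^i over F_p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def poly_mul(a, b, p=P):
    """Coefficient list of a(x) * b(x) over F_p."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out


def trim(coeffs):
    """Drop leading zero coefficients so len(coeffs) - 1 is the true degree."""
    while len(coeffs) > 1 and coeffs[-1] == 0:
        coeffs = coeffs[:-1]
    return coeffs


def power_from_vanishing_poly(z, r, q, p=P):
    """Event E_1: z is a non-zero polynomial of degree k with z(r) = 0.
    Returns the Eval input {(j, z~_i)} with every exponent j <= q such that
    sum z~_i * r^j = r^{q+1}; applied to the encodings E(r^j), j <= q, this is
    how the reduction obtains E(r^{q+1}) and breaks q-PDH."""
    z = trim([c % p for c in z])
    k = len(z) - 1
    assert z[k] != 0 and poly_eval(z, r, p) == 0, "z must vanish at r"
    # the paper requires q >= 2d - 1 so that q + 1 - k >= 0 for every k <= 2d
    assert q + 1 - k >= 0, "q too small for deg z"
    inv = pow(z[k], -1, p)
    # z~(x) = x^k - z_k^{-1} z(x): the x^k terms cancel, so deg z~ <= k - 1
    z_tilde = [(-inv * c) % p for c in z[:k]]
    # r^k = z~(r), hence r^{q+1} = r^{q+1-k} z~(r) = sum_i z~_i r^{q+1-k+i}
    return [(q + 1 - k + i, c) for i, c in enumerate(z_tilde) if c]


def combine_powers(terms, r, p=P):
    """Plain-field stand-in for Eval over encodings of r^j."""
    return sum(c * pow(r, j, p) for j, c in terms) % p


def in_class_F(f, polys, q, p=P):
    """Membership test for the class F used to build the crs: the coefficient
    of x^{q+1} in f(x) g(x) must vanish for every g in polys (the v_i and a)."""
    for g in polys:
        prod = poly_mul(f, g, p)
        if len(prod) > q + 1 and prod[q + 1] != 0:
            return False
    return True


def power_from_product(f, v_star, r, q, p=P):
    """Event E_2: c(x) = f(x) v*(x) has an invertible coefficient c_{q+1} and
    V*'' encodes f(r) v*(r), so r^{q+1} = c_{q+1}^{-1} (f(r)v*(r) - sum_{i != q+1} c_i r^i).
    Returns None when c_{q+1} = 0 (the case bounded by Schwartz-Zippel)."""
    c = poly_mul(f, v_star, p)
    c = c + [0] * max(0, 2 * q + 1 - len(c))
    if c[q + 1] == 0:
        return None
    fv_at_r = (poly_eval(f, r, p) * poly_eval(v_star, r, p)) % p  # message of V*''
    rest = sum(ci * pow(r, i, p) for i, ci in enumerate(c) if i != q + 1) % p
    return (pow(c[q + 1], -1, p) * (fv_at_r - rest)) % p
```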
Corollary 34
Assume the hardness of the \(\textsf{MLWE}\) assumption, the strengthening qPDH assumption, and the strengthening qPKE assumption. Assume the encoding scheme is \(\textsf{IND}\)-\(\textsf{CPA}\) secure. Then for any \(R,\mathcal{R},p, Q, Q'\) defined as in Theorem 31, Construction 30 is a zkSNARK for any NP relation \((u,\omega )\in {\mathcal{L}}\).
Proof
To show that Construction 30 is a zkSNARK, we show that four properties are satisfied: completeness, argument of knowledge, honest-verifier zero-knowledge, and succinctness.
Firstly, the succinctness property is evident since the proof consists of a single MLWE encoding, which implies a constant-sized proof. From Theorem 31, Construction 30 satisfies completeness. From Theorem 32, Construction 30 satisfies computational honest-verifier zero-knowledge. From Theorem 33, Construction 30 satisfies the computational argument of knowledge.
Putting all the pieces together, we conclude that Construction 30 is a zkSNARK. \(\hfill\square\)
Concrete parameters
In this section, we exhibit explicit and quantifiable parameters for our basic and optimized schemes.
Parameter selection
Firstly, we summarize the preceding restrictions on parameters and then propose several parameter sets.

Message Modulus p: The choice of p is jointly influenced by the PDH assumption and SSP instance generation. We have opted for a specific scenario where pR is divided into two ideals, and in this case, the prime p satisfies \(p\equiv 3\bmod 8\). To guarantee the robustness of the dPDH assumption over the subfield \(R/{\mathfrak{p}}\) (where \({\mathfrak{p}}\) is an ideal of pR) and ensure the accuracy of SSP instance generation over ring \(R_p\), we impose the following requirements: \(\log p> 2(\lambda +\log {2d})/n\) and \(p>4n\). After several attempts, we have determined that \(n=64, p=283\), as well as \(n=32,p=643\) (for \(d=2^{20}\)), or alternatively \(n=32,p=547\) (for \(d=2^{16}\)).

Dimension n of R: The ring dimension n is set to a power of 2 and can be small, such as 64, as long as we choose a larger rank k to keep nk large enough for the \(\textsf{MLWE}\) estimation. Combined with the analysis of p, we set \(n=64\) or \(n=32\).

Standard deviations \(\sigma\) and \(\sigma '\): In this paper, we set all standard deviations \(\sigma =\sigma '=64\) unless otherwise stated.

Modulus Q, \(Q'\): The moduli Q and \(Q'\) are positive integers that satisfy the completeness condition of Theorem 31.

Rank \(k,k'\): The quantities k and \(k'\) are measured by the LWE security estimator (Albrecht et al. 2015) for a desired security level given predetermined values \(n,\alpha ,\sigma ,\sigma '\). In terms of classical security, we adopt “ADPS16” (Alkim et al. 2016) method, which yields the least security level relative to other approaches with equivalent parameters. In the case of quantum security, two methodologies, namely “LasMosPol14” (Laarhoven et al. 2015) and “qsieve”, yield identical results.

Circuit size d: We take circuit size ranging from \(2^{10}\) to \(2^{20}\), which is sufficient in the majority of applications.
Following the aforementioned parameter suggestions, we present detailed parameters for partial circuits (\(d=2^{16}\) and \(d=2^{20}\) as before) in Table 3.
Proof and CRS length
The proof of the basic scheme consists of 5 encodings in \(R_{Q'}\), and that of the optimized scheme is 1 encoding in \(\mathcal{R}_{Q'}\). Then the proof sizes of the basic scheme and the optimized scheme are \(5n(k+1)\log Q'\) bits and \(n'(k'+1)\log Q'\) bits respectively. For the basic scheme, the CRS consists of \(2(d+1)+m-\ell _u+3\) encodings in \(R_{Q}^{k+1}\), which is less than \(3(d+1)(k+1)n\log Q\) bits. Furthermore, we can use a seed and a pseudorandom generator to replace the true randomness in the encodings; then the CRS length shrinks to \(3(d+1)n\log Q\) bits. Since the optimized scheme uses the key-switching technique, its CRS grows by the key-switching keys. To be specific, the optimized scheme employs 2 key-switchings from \(\mathcal{R}_{Q'}^{k+1}\) to \(\mathcal{R}_{Q'}^{k'+1}\) and 8 key-switchings from \(\mathcal{R}_{Q'}^{k'+1}\) to \(\mathcal{R}_{Q'}^{k'+1}\), which amount to \(8n(k'+1)(2(k+1)+8(k'+1))\log ^2 {Q'}\) bits.
Plugging the estimated values into the formulae, we obtain the concrete proof and CRS lengths in Table 4 and depict the trend for circuit sizes ranging from \(2^{10}\) to \(2^{20}\) in Figs. 2 and 3.
Comparison Between the Basic and the Optimized Schemes. As shown in Figs. 2 and 3, our results indicate a slight increase in the proof length alongside a nearly linear increase in the CRS length. (It is important to note that our horizontal axis is logarithmic in scale with respect to circuit size, which is why the growth follows an exponential pattern.) This is due to the slight effect of circuit size on switched modulus, which translates to a small impact on proof length. Conversely, the increase in circuit size has a significant impact on the CRS length, which displays an almost linear correlation.
Our optimized scheme offers a marked improvement over the basic scheme, with the proof length being roughly 5x shorter. This is attributable to its single encoding, as opposed to the basic scheme's five encodings. As for the CRS length, the difference between the two schemes is minimal, arising primarily from the size of the key-switching keys, which constitute only \(1\%\) of the total CRS size at \(d=2^{20}\).
Conclusion
In this paper, we develop the framework of square span program-based SNARKs and design new zkSNARKs over cyclotomic rings. To fit the ring setting, we first extend square span programs over rings and then propose two new assumptions. Based on these fundamental components, we construct SNARKs by applying modulus-switching and key-switching procedures in a novel way.
Our scheme avoids parallel repetition by leveraging the ring structure. Thus, we obtain concretely small constructions of designated-verifier SNARKs in the preprocessing model, with a proof of length 14.06KB and a CRS of length 133.99MB for a circuit of size \(2^{16}\). For larger circuits, i.e., size \(2^{20}\), the proof length and CRS length of our scheme are 14.34KB and 1.48GB respectively. The proof length is \(23.3\%\) smaller and the CRS length is 3.6x smaller compared to those in Ishai et al. (2021).
Availability of data and materials
Not applicable.
References
Albrecht MR, Player R, Scott S (2015) On the concrete hardness of learning with errors. J Math Cryptol 9(3):169–203
Albrecht MR, Cini V, Lai RW, Malavolta G, Thyagarajan SA (2022) Lattice-based snarks: publicly verifiable, preprocessing, and recursively composable. In: Annual international cryptology conference. Springer, pp 102–132
Alkim E, Ducas L, Pöppelmann T, Schwabe P (2016) Post-quantum key exchange: a new hope. In: 25th USENIX security symposium (USENIX Security 16), pp 327–343
Banaszczyk W (1995) Inequalities for convex bodies and polar reciprocal lattices in R^n. Discrete Comput Geom 13:217–231
Ben-Sasson E, Chiesa A, Genkin D, Tromer E, Virza M (2013) SNARKs for C: verifying program executions succinctly and in zero knowledge. In: Advances in cryptology—CRYPTO 2013: 33rd annual cryptology conference, Santa Barbara, CA, USA, August 18–22 2013. Proceedings, Part II. Springer, pp 90–108
Ben-Sasson E, Chiesa A, Tromer E, Virza M (2014) Succinct non-interactive zero knowledge for a von Neumann architecture. In: 23rd USENIX security symposium (USENIX Security 14), pp 781–796
Bitansky N, Canetti R, Chiesa A, Tromer E (2011) From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. Cryptology ePrint Archive
Bitansky N, Canetti R, Chiesa A, Tromer E (2012) From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In: Proceedings of the 3rd innovations in theoretical computer science conference, pp 326–349
Bitansky N, Chiesa A, Ishai Y, Paneth O, Ostrovsky R (2013) Succinct non-interactive arguments via linear interactive proofs. In: Theory of cryptography: 10th theory of cryptography conference, TCC 2013, Tokyo, Japan, March 3–6 2013. Proceedings. Springer, pp 315–333
Bitansky N, Canetti R, Chiesa A, Goldwasser S, Lin H, Rubinstein A, Tromer E (2017) The hunting of the snark. J Cryptol 30(4):989–1066
Boneh D, Boyen X, Goh EJ (2005) Hierarchical identity based encryption with constant size ciphertext. In: Annual international conference on the theory and applications of cryptographic techniques. Springer, pp 440–456
Boneh D, Ishai Y, Sahai A, Wu DJ (2017) Lattice-based snargs and their application to more efficient obfuscation. In: Annual international conference on the theory and applications of cryptographic techniques. Springer, pp 247–277
Bonneau J, Meckler I, Rao V, Shapiro E (2020) Coda: decentralized cryptocurrency at scale. Cryptology ePrint Archive
Brakerski Z, Gentry C, Vaikuntanathan V (2014) (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans Comput Theory (TOCT) 6(3):1–36
Chiesa A, Yogev E (2020) Barriers for succinct arguments in the random oracle model. In: Theory of cryptography: 18th international conference, TCC 2020, Durham, NC, USA, November 16–19, 2020, Proceedings, Part II 18. Springer, pp 47–76
Chung H, Kim D, Kim JH, Kim J (2023) Amortized efficient zkSNARK from linear-only RLWE encodings. J Commun Netw
Cini V, Lai RW, Malavolta G (2023) Lattice-based succinct arguments from vanishing polynomials. In: Annual international cryptology conference. Springer, pp 72–105
Danezis G, Fournet C, Groth J, Kohlweiss M (2014) Square span programs with applications to succinct nizk arguments. In: International conference on the theory and application of cryptology and information security. Springer, pp 532–550
Fisch B, Liu Z, Vesely P (2023) Orbweaver: succinct linear functional commitments from lattices. In: Annual international cryptology conference. Springer, pp 106–131
Gennaro R, Gentry C, Parno B, Raykova M (2013) Quadratic span programs and succinct nizks without pcps. In: Advances in Cryptology—EUROCRYPT 2013: 32nd annual international conference on the theory and applications of cryptographic techniques, Athens, Greece, May 26–30 2013. Proceedings 32. Springer, pp 626–645
Gennaro R, Minelli M, Nitulescu A, Orrù M (2018) Lattice-based zkSNARKs from square span programs. In: Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pp 556–573
Gentry C (2009) Fully homomorphic encryption using ideal lattices. In: Proceedings of the forty-first annual ACM symposium on theory of computing, pp 169–178
Gentry C, Wichs D (2011) Separating succinct non-interactive arguments from all falsifiable assumptions. In: Proceedings of the forty-third annual ACM symposium on theory of computing, pp 99–108
Goldwasser S, Micali S, Rackoff C (1989) The knowledge complexity of interactive proof systems. SIAM J Comput 18(1):186–208
Goldwasser S, Lin H, Rubinstein A (2011) Delegation of computation without rejection problem from designated verifier CS-proofs. Cryptology ePrint Archive
Groth J (2010) Short pairing-based non-interactive zero-knowledge arguments. In: Advances in cryptology—ASIACRYPT 2010: 16th international conference on the theory and application of cryptology and information security, Singapore, December 5–9 2010. Proceedings 16. Springer, pp 321–340
Groth J (2016) On the size of pairing-based non-interactive arguments. In: Advances in cryptology—EUROCRYPT 2016: 35th annual international conference on the theory and applications of cryptographic techniques, Vienna, Austria, May 8–12, 2016, Proceedings, Part II 35. Springer, pp 305–326
Halevi S, Shoup V (2014) Algorithms in Helib. In: Advances in cryptology—CRYPTO 2014: 34th annual cryptology conference, Santa Barbara, CA, USA, August 17–21, 2014, Proceedings, Part I 34. Springer, pp 554–571
Halevi S, Shoup V (2020) Design and implementation of helib: a homomorphic encryption library. Cryptology ePrint Archive
Ishai Y, Su H, Wu DJ (2021) Shorter and faster post-quantum designated-verifier zkSNARKs from lattices. In: Proceedings of the 2021 ACM SIGSAC conference on computer and communications security, pp 212–234
Katsumata S, Yamada S (2016) Partitioning via nonlinear polynomial functions: more compact ibes from ideal lattices and bilinear maps. In: Advances in cryptology—ASIACRYPT 2016: 22nd international conference on the theory and application of cryptology and information security, Hanoi, Vietnam, December 4–8 2016, Proceedings, Part II 22. Springer, pp 682–712
Laarhoven T, Mosca M, Van De Pol J (2015) Finding shortest lattice vectors faster using quantum search. Des Codes Crypt 77:375–400
Labs P (2018) Filecoin. https://filecoin.io/filecoin.pdf
Langlois A, Stehlé D (2015) Worst-case to average-case reductions for module lattices. Des Codes Crypt 75(3):565–599
Lyubashevsky V, Peikert C, Regev O (2010) On ideal lattices and learning with errors over rings. In: Advances in cryptology—EUROCRYPT 2010: 29th annual international conference on the theory and applications of cryptographic techniques, French Riviera, May 30–June 3, 2010. Proceedings 29. Springer, pp 1–23
Naganuma K, Yoshino M, Inoue A, Matsuoka Y, Okazaki M, Kunihiro N (2020) Post-quantum zkSNARK for arithmetic circuits using QAPs. In: 2020 15th Asia joint conference on information security (AsiaJCIS). IEEE, pp 32–39
Naor M (2003) On cryptographic assumptions and challenges. In: Annual international cryptology conference. Springer, pp 96–109
Nitulescu A (2019) Lattice-based zero-knowledge snargs for arithmetic circuits. In: Progress in cryptology—LATINCRYPT 2019: 6th international conference on cryptology and information security in Latin America, Santiago de Chile, Chile, October 2–4, 2019, Proceedings 6. Springer, pp 217–236
Parno B, Howell J, Gentry C, Raykova M (2016) Pinocchio: nearly practical verifiable computation. Commun ACM 59(2):103–112
Peikert C, Vaikuntanathan V, Waters B (2008) A framework for efficient and composable oblivious transfer. In: Annual international cryptology conference. Springer, pp 554–571
Peikert C, Pepin Z, Sharp C (2021) Vector and functional commitments from lattices. In: Theory of cryptography: 19th international conference, TCC 2021, Raleigh, NC, USA, November 8–11 2021, Proceedings, Part III 19. Springer, pp 480–511
Sasson EB, Chiesa A, Garman C, Green M, Miers I, Tromer E, Virza M (2014) Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE symposium on security and privacy. IEEE, pp 459–474
Wee H, Wu DJ (2023) Succinct vector, polynomial, and functional commitments from lattices. In: Annual international conference on the theory and applications of cryptographic techniques. Springer, pp 385–416
Acknowledgements
Not applicable.
Funding
This work is supported by the National Key R&D Program of China under Grant 2020YFA0712303. Zhedong Wang is supported by National Natural Science Foundation of China (Grant No.62202305) and Shanghai Pujiang Program under Grant 22PJ1407700.
Author information
Contributions
All the authors have equal contributions to this paper.
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendices
Appendix A: Properties of encoding scheme
Lemma A.1
(Correctness) Let the encoding scheme (\(\textrm{K}\),\(\textsf{E}\),\(\textsf{D}\),\(\textsf{Eval}\)) be defined as in Construction 6. Then for any d independent encodings \(\textsf{E}_{\textsf{sk}}(m_1),\dots ,\textsf{E}_{\textsf{sk}}(m_d)\) and any \(\alpha _i\in R_p\), the infinity norm of the error in \(\textsf{Eval} (\textsf{E}_{\textsf{sk}}(m_i),\alpha _i,F)\) is no more than \(\sigma p^2\sqrt{dn\kappa }+2p\sigma ^2n\kappa k\) with probability \(1-6n\exp (-\pi \kappa /\sigma ^2)\).
Proof
As the decoding algorithm depicts, we have \(\sum _{i=1}^d \alpha _ib_i+\textbf{r}^T\textbf{b}^*-\langle \sum _{i=1}^d \alpha _i\mathbf{a_i}+A^*\textbf{r}+p\mathbf{e'},\mathbf{s'}\rangle = \sum _{i=1}^d \alpha _i \cdot pe_i+\textbf{r}^T\cdot p\textbf{e}^*-p\langle \mathbf{e'},\mathbf{s'}\rangle\). Assume that \(e_i\) is the error in \(\textsf{E}_{\textsf{sk}}(m_i)\) and \(e_{ik}\) is the \(k\)-th coefficient in the representation of \(e_i\) for \(i\in [d],k\in [n]\); \(a_{ik}\) is defined in a similar manner. Since the \(e_{ik}\) are independent, every coefficient of the noise in \(\sum _{i=1}^d \alpha _ie_i\) is a linear combination of the \(e_{ik}\). Take the constant term as an example: it equals \(\sum _{i=1}^{d}\sum _{k=0}^{n-1}\alpha _{ik}pe_{i,n-k}\), which is bounded by \(p\sigma \sqrt{\kappa }\Vert \mathbf{\alpha }\Vert _2\le p\sigma \sqrt{\kappa }\sqrt{dn}p=\sigma p^2\sqrt{dn\kappa }\) with probability at least \(1-2\exp (-\pi \kappa /\sigma ^2)\) by Lemma 1. An element sampled from \(\Phi _\sigma\) is bounded by \(\sigma \sqrt{\kappa }\) with probability at least \(1-2\exp (-\pi \kappa /\sigma ^2)\), and the product of two independent such elements is no more than \(\sigma ^2\kappa\) with probability \(1-4\exp (-\pi \kappa /\sigma ^2)\); thus the infinity norm of \(\textbf{r}^T\textbf{e}^*\) is no more than \(\sigma ^2\kappa k\) with probability \(1-4n\exp (-\pi \kappa /\sigma ^2)\). The bound on \(\langle \mathbf{e'},\mathbf{s'}\rangle\) is estimated in the same way. By the union bound, the infinity norm of the error in \(\textsf{Eval} (\textsf{E}_{\textsf{sk}}(m_i),\alpha _i)\) is no more than \(\sigma p(p\sqrt{dn\kappa }+2\sigma n\kappa k)\) with probability at least \(1-6n\exp (-\pi \kappa /\sigma ^2)\). \(\hfill\square\)
Lemma A.2
(Security) Let \(n,k, Q,\sigma\) be as defined in Construction 6. Then Construction 6 is CPA-secure under the hardness of the \(\textsf{MLWE}\) assumption.
Appendix B: Proofs of the basic scheme
Proof
To prove that Construction 28 is a zkSNARK, we need to prove its four properties: completeness, computational soundness, argument of knowledge, and succinctness. Firstly, the succinctness property is satisfied as the proof has constant size, i.e., 5 encodings. Next, we show the remaining three properties.
Completeness. If the infinity norms of the accumulated noise in all encodings contained in the proof \(\pi\) are smaller than half of the switched modulus, the decodings can be performed correctly by the verifier. Then the completeness property is satisfied. Next, we analyze the noise generated in each step.
In the setup stage, \(\{\textsf{E}_{\textbf{s}}(\beta v_{i}(r))\}_{i=\ell _{u}+1}^{m}\) and \(\textsf{E}_{\textbf{s}}(\beta a(r))\) are computed by additive homomorphic evaluations, and we have \(B_{\textsf{crs}}=\sigma p^2\sqrt{2dn\kappa }+2p\sigma ^2n\kappa k\) with probability \(1-6n\exp (-\pi \kappa /\sigma ^2)\). In the proving stage, we first compute 5 evaluations, and the largest noise growth lies in \(\hat{V^*}\), which is \(B_{\hat{V^*}}=B_{\textsf{crs}}(m-\ell _u+pn)=(\sigma p^2\sqrt{2dn\kappa }+2p\sigma ^2n\kappa k)(m-\ell _u+pn)\) with probability \(1-6n\exp (-\pi \kappa /\sigma ^2)\). Noise smudging increases the error bound to \((2^{\kappa }+1)B_{\hat{V^*}}\). Then the infinity norm is less than \((2^{\kappa }+1)(\sigma p^2\sqrt{2dn\kappa }+2p\sigma ^2n\kappa k)(m-\ell _u+pn)\) with probability \(1-6n\exp (-\pi \kappa /\sigma ^2)\). After modulus-switching, the bound \(B_{\hat{V^*}'}\) is less than \(\gamma Q'+\frac{p}{2}(\sigma \sqrt{\kappa nk}+n)\) with probability \(1-2n\exp (-\pi \kappa /\sigma ^2)\), provided that \((2^{\kappa }+1)(\sigma p^2\sqrt{2dn\kappa }+2p\sigma ^2n\kappa k)(m-\ell _u+pn)+2dnp^2(m-\ell _u+pn) <\gamma Q\).
Let \(\sigma =\alpha Q\), and the parameter \(\alpha\) represents the error rate. In addition, we take \(\gamma =1/8np\). By approximate scaling, we have \(Q>2^{\kappa +4}\sigma np^2\left( d+pn\right) \left( p\sqrt{2dn\kappa }+2\sigma n \kappa k\right)\), and \(Q'>4np^2\left( \sigma \sqrt{nk\kappa }+n\right)\).
Computational Honest-Verifier Zero-knowledge. The analysis can be regarded as a simplified version of the proof of Theorem 32. To avoid repetition, we stress the differences instead of repeating the whole process.
In the first stage, the setup algorithm consists only of the encodings of \(1,r,\ldots ,r^{d},\alpha , \ldots , \alpha r^d, \beta a(r),\beta v_m(r),\ldots ,\beta v_{\ell _u+1}(r)\). The simulator for this stage removes the other keys as well and checks whether \(a(r)\) is invertible, which implies statistical indistinguishability with statistical distance \(2/p^{n/2}\). In the second stage, the proof is exactly the same, and the two distributions are computationally indistinguishable. In the third stage, the prover only performs the modulus-switching process. Then the two distributions are computationally indistinguishable.
Computational Argument of Knowledge. The proof is also contained in the proof of Theorem 33. The key differences are that there is no unpacking algorithm and that all secret keys are \(\textbf{s}\). The details are omitted. \(\hfill\square\)
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Lin, X., Cao, H., Liu, F.-H. et al. Shorter ZKSNARKs from square span programs over ideal lattices. Cybersecurity 7, 33 (2024). https://doi.org/10.1186/s42400-024-00215-x