Shorter ZK-SNARKs from square span programs over ideal lattices

Zero‑knowledge succinct non‑interactive arguments of knowledge (zk‑SNARKs) are cryptographic protocols that offer efficient and privacy‑preserving means of verifying NP language relations and have drawn considerable attention for their appealing applications, e.g., verifiable computation and anonymous payment protocols. Compared with the pre‑quantum case, the practicability of this primitive in the post‑quantum setting is still unsatisfactory, especially in terms of space complexity. To tackle this issue, this work seeks to enhance the efficiency and compactness of lattice‑based zk‑SNARKs, including proof length and common reference string (CRS) length. In this paper, we develop the framework of square span program‑based SNARKs and design new zk‑SNARKs over cyclotomic rings. Compared with previous works, our construction does not use parallel repetition and achieves shorter proof and CRS lengths than previous lattice‑based zk‑SNARK schemes. In particular, the proof length of our scheme is around 23.3% smaller than that of the recent shortest lattice‑based zk‑SNARKs by Ishai et al. (in: Proceedings of the 2021 ACM SIGSAC conference on computer and communications security, pp 212–234, 2021), and the CRS length is 3.6× smaller. Our constructions follow the framework of Gennaro et al. (in: Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pp 556–573, 2018), and adapt it to the ring setting by slightly modifying the knowledge assumptions. We develop concretely small constructions by using module‑switching and key‑switching procedures in a novel way.


Introduction
Zero-knowledge (ZK) proofs are cryptographic protocols that enable a prover to persuasively demonstrate the validity of a specific statement to a verifier while keeping the witness secret. The concept was initially introduced by Goldwasser et al. (1989), and there has been active research in both theory and practice since then.
In numerous scenarios, it is essential for the prover to genuinely possess a valid witness, which gives an argument of knowledge. To enhance efficiency, further characteristics such as non-interactivity and succinctness are highly desirable: the proof is a single message from the prover, and the verifier can validate it in considerably less time than the prover's computational effort. These attributes give rise to a class of cryptographic constructions commonly known as (zero-knowledge) succinct non-interactive arguments of knowledge, (zk-)SNARKs. They find wide-ranging applications, including verifiable computation (Ben-Sasson et al. 2013, 2014; Parno et al. 2016) and anonymous payment protocols (Sasson et al. 2014). Despite these compelling features, some negative results are associated with these constructions. Gentry and Wichs (2011) demonstrated that no secure succinct non-interactive arguments (SNARGs) exist in the standard model. Consequently, all existing SNARGs are constructed in the Random Oracle Model or rely on non-falsifiable assumptions (Naor 2003). Additionally, the most efficient SNARKs are designated-verifier, meaning that only those who possess the verification key are able to validate proofs, in contrast to publicly verifiable schemes that permit anyone to verify a proof.
The concept of SNARKs has been extensively investigated in the literature (Bitansky et al. 2011, 2012, 2017; Goldwasser et al. 2011), and subsequent works mainly focus on enhancing efficiency for practical use. The early schemes in this area (Gennaro et al. 2013; Danezis et al. 2014) were almost all based on groups or bilinear pairings. Nowadays, driven by advances in quantum computation and quantum computers, post-quantum security attracts progressively more attention, and many lattice-based SNARKs have emerged in recent years.
However, lattice-based constructions are significantly less efficient than group- or pairing-based ones. Concretely, the most efficient scheme is the preprocessing SNARK proposed by Groth (2016), whose proof length is 128 B. The state-of-the-art post-quantum SNARK was proposed by Ishai et al. (2021), whose proof size is 16.4 KB, i.e., 131.2× larger. Furthermore, as almost all efficient SNARKs require a trusted setup, the length of the common reference string (CRS) also merits attention. Therefore, how to improve the efficiency of lattice-based SNARKs is an important and meaningful research problem.
These motivate our main question: Can we improve the efficiency of lattice-based SNARKs, especially in the proof length and CRS length?

Related works
The constructions of SNARKs follow diverse design routes. Two paradigmatic routes can be distinguished: one research line adopts a combination of polynomial interactive oracle proofs (polynomial IOPs) and polynomial commitments; another research line is built on the circuit directly. The former approach has a notable advantage in applicability, such as a transparent setup and public verifiability, albeit at the expense of efficiency. On the contrary, the latter approach imposes certain limitations, requiring a trusted setup and a designated verifier, but achieves higher efficiency.
The same applies to lattice-based SNARKs. Recent advancements in lattice-based SNARKs can be divided into two categories. In the first research line, researchers tried to obtain SNARKs with attractive properties or functionalities. The most critical components are various commitments, i.e., vector commitments (Peikert et al. 2021; Albrecht et al. 2022) and functional commitments (Wee and Wu 2023; Fisch et al. 2023). Albrecht et al. (2022) proposed the first lattice-based SNARK construction from vector commitments, in which the verifier is public and has logarithmic complexity, and the construction is recursively composable. Cini et al. (2023) proposed the first lattice-based recursive folding protocol with a polylogarithmic-time verifier for linear relations, and the first lattice-based succinct argument with a linear-time prover for NP in the preprocessing model.
Before we review the lattice-based constructions following the second approach, we first look back at the group-based ones. This route originated with Groth (2010), who constructed a non-interactive zero-knowledge argument (NIZK) based on the circuit satisfiability problem. Then researchers found it possible to convert the circuit satisfiability problem into more algebraic formulations in order to construct efficient SNARKs. Many works introduced different characterizations of the complexity class NP: quadratic span programs (QSPs) (Gennaro et al. 2013), square span programs (SSPs) (Danezis et al. 2014), and rank-1 constraint systems (R1CS) (Ben-Sasson et al. 2013). Many efficient constructions of SNARKs based on these specific structures followed. In detail, Gennaro et al. (2013) proposed constructions based on QSPs, whose proof consists of 7 group elements and whose CRS size is linear in the circuit size. In the next year, Danezis et al. (2014) introduced SSPs and built SNARKs based on SSPs (a simpler form than QSPs), whose proof consists of 4 group elements. Meanwhile, a concurrent research line (Bitansky et al. 2013; Boneh et al. 2017) studied a more abstract cryptographic primitive, the linear probabilistically checkable proof (LPCP): they established constructions of LPCPs for NP and then built SNARGs (SNARKs) based on LPCPs. The nature of the above designs can be unified in that preprocessing implies holography, as claimed in Chiesa and Yogev (2020), but the information revealed by the probabilistically checkable proof differs.
In terms of efficiency, the optimal scheme belongs to the preprocessing, designated-verifier SNARKs and was proposed by Groth (2016); its proof consists of only 3 group elements. Its proof length is 128 B for a circuit of size $2^{20}$, which significantly outperforms other schemes. This is also the most widely used SNARK scheme in practice, e.g., in ZCash (Sasson et al. 2014), Filecoin (Labs 2018), and Coda (Bonneau et al. 2020).
In the domain of lattice-based SNARKs, Boneh et al. (2017) introduced the first quasi-optimal lattice-based SNARGs, employing linear multi-prover interactive proofs. Closely following this work, Gennaro et al. (2018) put forward the first lattice-based SNARK scheme, built on SSPs. Nitulescu (2019) introduced the first lattice-based zk-SNARG for arithmetic circuits leveraging square arithmetic programs (SAPs), whose proof consists of 2 LWE ciphertexts. Naganuma et al. (2020) proposed faster zk-SNARK constructions for arithmetic circuits using quadratic arithmetic programs (QAPs), whose proof consists of 3 LWE ciphertexts. Then, Ishai et al. (2021) followed the framework of Bitansky et al. (2013) and Boneh et al. (2017) and proposed a new LPCP-based SNARK, which has the state-of-the-art parameters for lattice-based SNARKs. The most recent lattice-based SNARK, from Chung et al. (2023), proposed a new noise-flooding technique and achieved a smaller proof length in the amortized sense.

Our results
This research endeavors to tackle the aforementioned issue by devising novel, efficient SSP-based zk-SNARKs. Notably, we have succeeded in reducing the proof and CRS lengths by circumventing parallel repetition, while retaining a high level of soundness. To provide a more comprehensive understanding of our work, we present a comparative analysis with prior research in Table 1. (It is essential to highlight that the estimation methodology employed in Ishai et al. (2021) is suboptimal, necessitating the adjustment of their parameters using the same "ADPS16" method to enable a more precise and reliable comparison. The CRS length is left empty since they did not provide it.)

Technical overview
Next, we present a summary of our technical contributions below.
Get Rid of Parallel Repetition by Ring Structure. Parallel repetition is a standard technique for amplifying (knowledge) soundness, i.e., for reducing the soundness error. Over a field ($\mathbb{Z}_p$ or even $\mathbb{Z}_{p^2}$), if we do not use parallel repetition and want the probability of guessing a random field element to be below $2^{-128}$, the modulus $p$ must satisfy $p > 2^{128}$ (or $p^2 > 2^{128}$), which is too large. Therefore, previous works chose a smaller $p$ (such as 32 bits or 19 bits) and used parallel repetition to reach the desired security level.
To deal with this issue, we adopt the strategy of moving from a field structure to a ring structure. To illustrate, if we consider a ring with modulus $p$ and dimension $n$, the desired target can be accomplished by ensuring that $p^n > 2^{128}$. Once combined with the other limitations of our construction, the final requirement turns out to be $2d/p^{n/2} < 2^{-128}$. However, employing the ring structure alone may not suffice to reduce the parameter size and may potentially incur additional issues. Supplementary techniques must therefore be employed to tackle these issues, which we expound upon below.
Reductions from Boolean Circuits over Rings. Both SSP-based schemes and LPCP-based schemes use polynomial interpolation to express circuits as SSP/LPCP instances. Prior works (to our knowledge) consider polynomial interpolation over fields, and extending it to rings presents challenges, particularly with regard to invertibility in $R$. Towards this, we leverage a useful result of Katsumata and Yamada (2016), which states that ring elements with a "small" norm are invertible. More concretely, in polynomial interpolation the denominators of the interpolation coefficients take the form $x_i - x_j$ for distinct $i, j$. In order to ensure that $x_i - x_j$ has an inverse over $R_p$, we restrict the domain of $x_i$ and $x_j$ to $R_{[0,1]}$, the set of ring elements whose coefficients are either 0 or 1. As a result, we can instantiate polynomial interpolation over the ring of our choice.
Optimizations via Ciphertext Operations. As noted above, the SSP-based scheme of Gennaro et al. (2018) has a large proof length, primarily because the proof contains five ciphertexts. In contrast, the LPCP-based scheme of Ishai et al. (2021) uses different encrypted queries as the CRS, which are multiplied by the same coefficients during proof generation. This allows the packing method of Peikert et al. (2008) to be used to reduce the proof length by sharing randomness. Unfortunately, the SSP-based scheme involves different coefficients (e.g., $h$, $v$), which precludes the direct application of that method. However, in the ring setting we can leverage the ring structure to pack the 5 ciphertexts into a single ciphertext, reducing the number of ciphertexts needed for the proof. The packing technique decreases the number of ciphertexts, but at the expense of increasing the ring dimension, so by itself it does not reduce the proof size at all. To address this, we employ the key-switching technique to attain a shorter proof. As a consequence, a slight modification of the knowledge assumption becomes necessary; further discussion is provided in section "Assumptions".

Basic notations and probability results
Let , κ represent the computational and statistical security parameters respectively. The negligible function negl( ) is strictly bounded by 1/ c for large , for a constant c > 0. Conversely, overwhelming probability denotes a value of 1 − negl( ).
In our notation, a bold lowercase letter (e.g., $\mathbf{x}$) signifies a column vector, while a bold uppercase letter (e.g., $\mathbf{A}$) represents a matrix.
$\mathbb{Z}$ represents the set of integers, and $\mathbb{Z}_q$ the ring of integers modulo $q$. $R$ is a polynomial ring, and $R_q$ the ring of elements of $R$ modulo $q$. We adopt the unified notation $[a]_q$ for $a \bmod q$, covering both integer and ring elements without distinction. When the modulus $q$ is not a power of 2, we write $\log q$ for $\lceil \log_2 q \rceil$ for simplicity.
We use u
Gaussian Distribution. The $n$-dimensional Gaussian function with parameter $\sigma > 0$ is defined as $\rho_\sigma(\mathbf{x}) = \exp(-\pi \|\mathbf{x}\|_2^2 / \sigma^2)$. Based on this, the discrete Gaussian distribution over $\mathbb{Z}^n$ is defined as
Lemma 1 (Banaszczyk (1995), Lemma 2.4) For any $s, t > 0$ and any integer vector $\mathbf{a} \in \mathbb{Z}^n$, we have
Schwartz-Zippel Lemma. The Schwartz-Zippel lemma is commonly employed in the analysis of the soundness error.
Lemma 2 Let $F$ be a finite field and $K \subseteq F$ a subset of size $|K|$. Assume that the non-zero polynomial $f(Y_1, \ldots, Y_n)$ has total degree $D$. If $t_1, \ldots, t_n$ are chosen from $K$ at random, then we have

Cyclotomic rings
In this paper, we work over power-of-2 cyclotomic polynomial rings. Let $n$ be a power of 2; the $2n$-th cyclotomic polynomial is defined as $\Phi_{2n}(x) = x^n + 1$. We then define the $2n$-th cyclotomic ring as $R \cong \mathbb{Z}[x]/(x^n + 1)$ and the $16n$-th cyclotomic ring as $R \cong \mathbb{Z}[x]/(x^{8n} + 1)$. In this paper, we view ring elements via the coefficient embedding. Namely, for any $s \in R$ we view $s = s_0 + s_1 x + \cdots + s_{n-1} x^{n-1}$ with $s_i \in \mathbb{Z}$. Ring addition and multiplication are taken modulo $x^n + 1$. Under the coefficient embedding, the $\ell_\infty$ and $\ell_2$ norms of $s$ are defined as:
To discuss our choice of moduli, we first recall a special result from Katsumata and Yamada (2016).
Lemma 3 (Katsumata and Yamada (2016), Lemma 3) Let the prime $p$ satisfy $p \bmod 8 = 3$ and let $n$ be a power of 2. Then $x^n + 1$ splits as $x^n + 1 = g_1 g_2 \bmod p$ with two irreducible polynomials in $\mathbb{Z}_p[x]$, $g_1 = x^{n/2} + v x^{n/4} - 1$ and

Definition 4 (Module-LWE Distribution) Let $\psi$ over $R_q$ be the error distribution. Given a secret vector $\mathbf{s} \in R_q^k$, an instance of the MLWE distribution $A_{\mathbf{s},\psi}$ over $R_q^k \times R_q$ is $(\mathbf{a}, b)$, where $\mathbf{a}$ is chosen from $R_q^k$ uniformly at random, $e$ is drawn from $\psi$, and $b = \langle \mathbf{a}, \mathbf{s} \rangle + e \bmod q$.
Definition 5 (Module-LWE, Decision Problem) The average-case decision $\mathrm{MLWE}_{R_q,k,\psi}$ problem is to distinguish instances drawn from $A_{\mathbf{s},\psi}$ from instances drawn from the uniform distribution over $R_q^k \times R_q$.
The decision $\mathrm{MLWE}_{R_q,k,\psi}$ problem is infeasible if, for every ppt adversary $\mathcal{B}$ given any polynomial number of samples, the probability that $\mathcal{B}$ solves $\mathrm{MLWE}_{R_q,k,\psi}$ is negligibly close to 1/2.
The Encoding Scheme. The encoding scheme used in SNARK schemes can be symmetric or asymmetric. For convenience, we instantiate it as a symmetric MLWE scheme. Furthermore, a simple linear combination is not sufficient for the zero-knowledge of the SNARK, so we re-randomize the linear evaluation procedure as in Ishai et al. (2021).
Construction 6 (MLWE Encoding Scheme) For any positive integers $n, k, Q$, an encoding scheme MLWE with dimension $n$, rank $k$ and modulus $Q$ consists of three ppt algorithms $(K, E, D)$ and a randomized linear evaluation algorithm $\mathsf{Eval}$. These algorithms are defined below:
The encoding scheme satisfies completeness and IND-CPA security. For clarity, we defer the properties of the encoding scheme to Appendix A.

Zero-knowledge succinct non-interactive argument of knowledge (zk-SNARK)
In this subsection, we present the formal definitions of zk-SNARKs and their properties.
1. $(\mathrm{crs}, \mathrm{vrs}, \mathrm{td}) \leftarrow \Pi.\mathsf{Setup}(1 , u)$: Given the security parameters and a statement $u$, the setup algorithm generates three components: a common reference string $\mathrm{crs}$, verification secret information $\mathrm{vrs}$, and a trapdoor $\mathrm{td}$.
2. $\pi \leftarrow \Pi.\mathsf{Prove}(\mathrm{crs}, u, \omega)$: On receiving $u$, $\omega$ and $\mathrm{crs}$, the prove algorithm produces a proof $\pi$.
A zk-SNARK scheme exhibits four fundamental properties, namely completeness, zero-knowledge, argument of knowledge, and succinctness.
Definition 10 (Argument of Knowledge) For any statement $u$, if a ppt adversary can produce a proof $\pi^*$ that passes verification, then there exists a probabilistic polynomial-time extractor $\mathsf{Ext}$ that extracts a witness $\omega$ satisfying $(u, \omega) \in L$ with polynomial probability.
Definition 11 (Succinctness) If the argument length of an argument system is sublinear in the security parameter and the circuit size is included in the relation, we say that it is succinct.

Optimization techniques
In this subsection, we present several optimized techniques used in our schemes, including noise smudging, modulus-switching, key-switching, packing, and unpacking.
Noise Smudging. Noise smudging, from Gentry (2009), is commonly used to obfuscate additively homomorphically evaluated ciphertexts or fresh ciphertexts.
Lemma 12 (Noise Smudging, Gentry (2009)) Let $B_1, B_2$ be positive integers, and $k$ be the statistical security parameter. For an arbitrary integer $m \in$
Modulus-switching. The modulus-switching technique from Brakerski et al. (2014) can transform a large modulus into a comparatively small modulus without knowledge of the secret key.

Definition 13 (Modulus-switching) For any integers $k$, $Q > Q' > p$, and any vector
Key-switching. The key-switching technique from Brakerski et al. (2014) transforms an encryption under secret key $\mathbf{s}_1$ into another encryption of the same or a related message under a distinct secret key $\mathbf{s}_2$, with the help of key-switching keys.
Packing and Unpacking Algorithms. The packing algorithm operates on a message defined over the ring $R$ by treating it as several message slots over $R$. Conversely, the unpacking technique successively moves the ciphertext's other slots into the lowest-order slot and extracts the lowest-order slot homomorphically. The extraction process is essentially a homomorphic computation of the trace function, which is carried out by homomorphic automorphism evaluations. This idea is derived from Halevi and Shoup (2014, 2020).
where $n$ is the dimension of $R$.
• Homomorphic plaintext decoding: Given a key-switching subalgorithm $\mathsf{KeySwit}$, the ciphertext $\mathbf{c} \in R^{k+1}$ and trace homomorphic evaluation keys
At the end of this section, we present a summary of some essential notations in Table 2.

Square span programs over cyclotomic rings
Square span programs (SSPs) were originally introduced by Danezis et al. (2014) as a novel and distinct characterization of the class NP. While all prior works (to our knowledge) considered SSPs over fields, this work generalizes the notion/construction to the setting of rings (particularly cyclotomic rings). In this way, the underlying mathematical structure of SSPs can match that of Ring-LWE (Lyubashevsky et al. 2010), yielding much more efficient SNARK constructions (than plain-LWE-based instantiations).
Definition 17 (Square Span Programs over Rings) A square span program $P$ over the ring $R$ is represented as a polynomial tuple $(l_0(x), \ldots$
where the degree of each $l_i(x)$ is no more than the degree of $a(x)$. The size of $P$ is $m$, and the degree $d$ equals the degree of $a(x)$. A vector $\mathbf{s} = (s_1, \ldots, s_\ell) \in R^\ell$ ($\ell < m$) is accepted by $P$ if and only if there exists another vector
Moreover, if exactly the vectors $\mathbf{s} \in \{0,1\}^\ell \subset R^\ell$ satisfying $g(\mathbf{s}) = 1$ are accepted, $P$ is said to verify a boolean function $g$.
The polynomial $\big((l_0(x) + \sum_{i=1}^m s_i l_i(x))^2 - 1\big)/a(x)$ is an integer polynomial since $a(x)$ is monic. Below we show that SSPs over rings (some particular cyclotomic rings) can be used to express general NP verifications. We first describe the following corollary about the linearization of logic gates in a boolean circuit in the ring setting, similar to Theorem 2 in Danezis et al. (2014).
Corollary 18 Let $R$ be a cyclotomic ring. Assume that $C$ is a circuit having $m$ wires and $n$ fan-in 2 gates. For any prime $p \geq 11$, we can compute a matrix-vector pair
Based on this corollary, we can express a boolean circuit $C$ as a ring matrix-vector pair $(\mathbf{M}, \mathbf{v})$. Subsequently, we delineate the method for constructing an SSP (over the ring $R$) of $C$ from such a pair.
Construction 19 (Square Span Programs over Rings) Let $R$ be a cyclotomic ring, and let the prime $p$ be larger than 11. Let $R_{[0,\pm 1]}$ denote the subset of $R$ whose elements have all coefficients in $\{0, \pm 1\}$. We assume that for any two distinct elements $x, y \in R_{[0,\pm 1]}$, the difference $x - y$ is invertible modulo $pR$.
Taking a circuit $C$ with $m$ wires and $n$ fan-in 2 gates as input, denote $d = m + n$. Subsequently, we can construct an SSP instance as follows. Let $(\mathbf{M}, \mathbf{v}) \in \mathbb{Z}_p^{m \times d} \times \mathbb{Z}_p^d$ be the matrix-vector pair as in Corollary 18.
We note that the third step of the above construction is well-defined: any polynomial of degree $d - 1$ over $R_p[x]$ (say, $f(x)$) is uniquely determined by any $d$ values in $R_p$ (say, $y_1, \ldots, y_d$) taken at $r_1, \ldots, r_d$. This is because the $j$-th Lagrange basis polynomial is uniquely defined, as every $(r_j - r_i)^{-1}$ (the multiplicative inverse modulo $pR$) uniquely exists.

Theorem 20
Let the prime $p$ satisfy $p \equiv 3 \bmod 8$, and let $R$ be a cyclotomic ring of degree $n$ (a power of 2). Let $p > 4n$ and $3^n > d$. Then Construction 19 is a square span program over the ring $R_p$.
Proof Initially, we prove that all the steps of Construction 19 are well-defined under the conditions of the theorem statement. Subsequently, we demonstrate that the output of this construction is an SSP over $R_p$. To substantiate the well-definedness of the steps, we need to show the following claims: (1) in Step 2, there are indeed $d$ distinct elements in $R_{[0,\pm 1]}$, and (2) in Step 3, the multiplicative inverse (in $R_p$) of every $(r_i - r_j)$ exists.
Claim (1) is easy to see, as there are $3^n$ distinct elements in $R_{[0,\pm 1]}$ and $3^n > d$ by the theorem statement. Claim (2) follows from Lemma 21.
Lemma 21 (Katsumata and Yamada 2016) Let the prime $p$ satisfy $p \equiv 3 \bmod 8$, and let $R$ be a cyclotomic ring of degree $n$ (a power of 2). Let $p > 4n$. For any distinct elements $x$ and $y$ in $R$
This concludes the first part of our goal. Below we show that the construction outputs an SSP over $R_p$.
Given the circuit $C$ mentioned above, we can construct a matrix-vector pair $(\mathbf{M}, \mathbf{v}) \in \mathbb{Z}_p^{m \times d} \times \mathbb{Z}_p^d$ as in Corollary 18. Proving that the circuit $C$ is satisfiable is equivalent to finding a vector $\mathbf{s} \in R_p^m$ such that $\mathbf{s}\mathbf{M}$, where $\bullet$ denotes the entry-wise product and $\mathbf{1}$ is the all-1 vector.
Next, as the construction sets $l_i(r_j) = M_{ij}$ for $i > 0$ and $l_0(r_j) = v_j$, the following holds.
Thus we obtain the following expression:
are the roots of the polynomial
The above argument further implies that $a(x)$ divides the polynomial $\big(\sum_{i=1}^m s_i l_i(x) + l_0(x)\big)^2 - 1$. Conversely, if a vector $\mathbf{s}$ exists that makes $a(x)$ divide the polynomial, then $\{r_j\}_{j \in [d]}$ must be roots of the polynomial, implying $(\mathbf{s}\mathbf{M} + \mathbf{v} - \mathbf{1}) \bullet (\mathbf{s}\mathbf{M} + \mathbf{v} - \mathbf{1}) - \mathbf{1} = \mathbf{0}$. This again proves that $C$ is satisfiable.
Putting things together shows that Construction 19 is a square span program over the ring R p .
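As an added worked example (not code from the paper), the following Python script instantiates Construction 19 and the two claims of the Theorem 20 proof at toy size, $n = 4$ and $p = 19$ (so $p \equiv 3 \bmod 8$ and $p > 4n$): it checks Lemma 21 exhaustively over $R_{[0,\pm 1]}$, builds $l_0$, $l_i$ and $a$ by Lagrange interpolation over $R_p$ with the denominators $r_j - r_i$ inverted by the extended Euclidean algorithm in $\mathbb{Z}_p[x]$, and runs the divisibility test of Definition 17. The matrix-vector pair is constructed by hand rather than derived from a circuit via Corollary 18, whose statement is not reproduced here.

```python
"""Added example (not the paper's code): Construction 19 at toy size.  R_p = Z_p[x]/(x^N + 1);
Lemma 21 is checked exhaustively, l_0, l_i, a are interpolated over R_p, and the divisibility
test of Definition 17 is run on a hand-made matrix-vector pair (not derived from a circuit)."""
from itertools import product, zip_longest

N = 4    # ring degree n, a power of two
P = 19   # prime with P = 3 (mod 8) and P > 4N, as Theorem 20 / Lemma 21 require

# --- R_p elements as coefficient lists of length N, lowest degree first ---
def r_const(c): return [c % P] + [0] * (N - 1)
def r_add(a, b): return [(x + y) % P for x, y in zip(a, b)]
def r_sub(a, b): return [(x - y) % P for x, y in zip(a, b)]
def r_mul(a, b):
    out = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            k = i + j                      # x^N = -1: degrees >= N fold back with a sign flip
            if k < N: out[k] = (out[k] + x * y) % P
            else:     out[k - N] = (out[k - N] - x * y) % P
    return out
ZERO, ONE = r_const(0), r_const(1)

# --- helpers in Z_p[x] (variable-length lists), used only by the extended Euclid ---
def _trim(v):
    v = v[:]
    while len(v) > 1 and v[-1] == 0: v.pop()
    return v
def _zp_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b): out[i + j] = (out[i + j] + x * y) % P
    return _trim(out)
def _zp_sub(a, b): return _trim([(x - y) % P for x, y in zip_longest(a, b, fillvalue=0)])
def _zp_divmod(num, den):
    num, den = _trim(num), _trim(den)
    if len(num) < len(den): return [0], num
    q, inv = [0] * (len(num) - len(den) + 1), pow(den[-1], -1, P)
    for i in range(len(q) - 1, -1, -1):
        q[i] = num[i + len(den) - 1] * inv % P
        for j, c in enumerate(den): num[i + j] = (num[i + j] - q[i] * c) % P
    return q, _trim(num)

def r_inv(a):
    """Inverse of a in R_p by the extended Euclid on (x^N + 1, a); None if a is not a unit."""
    r0, r1, t0, t1 = [1] + [0] * (N - 1) + [1], _trim(a), [0], [1]
    while r1 != [0]:                       # invariant: t_i * a = r_i  (mod x^N + 1)
        q, r = _zp_divmod(r0, r1)
        r0, r1, t0, t1 = r1, r, t1, _zp_sub(t0, _zp_mul(q, t1))
    if len(r0) != 1: return None           # gcd of positive degree: a is a zero divisor
    c = pow(r0[0], -1, P)                  # scale the Bezout coefficient so t0 * a = 1
    return ([x * c % P for x in t0] + [0] * N)[:N]   # deg t0 < N, so no wrap-around needed

def lemma21_holds():                       # every difference of distinct elements of R_{[0,+-1]} is a unit
    elems = [list(e) for e in product((0, 1, P - 1), repeat=N)]
    return all(r_inv(r_sub(a, b)) is not None for a in elems for b in elems if a != b)

# --- polynomials in R_p[y] as lists of ring elements, lowest degree first ---
def p_add(f, g): return [r_add(x, y) for x, y in zip_longest(f, g, fillvalue=ZERO)]
def p_scale(f, c): return [r_mul(c, x) for x in f]
def p_mul(f, g):
    out = [ZERO] * (len(f) + len(g) - 1)
    for i, x in enumerate(f):
        for j, y in enumerate(g): out[i + j] = r_add(out[i + j], r_mul(x, y))
    return out
def p_mod(f, a):
    """Remainder of f modulo the monic a; a | f iff every remainder coefficient is ZERO."""
    f = f[:]
    while len(f) >= len(a):
        lead, off = f[-1], len(f) - len(a)
        for j, c in enumerate(a): f[off + j] = r_sub(f[off + j], r_mul(lead, c))
        f.pop()
    return f

def lagrange(points, values):
    """l(y) in R_p[y] with l(r_j) = values[j]; each denominator r_j - r_i is inverted in R_p."""
    total = [ZERO]
    for j, rj in enumerate(points):
        basis = [ONE]
        for i, ri in enumerate(points):
            if i == j: continue
            inv = r_inv(r_sub(rj, ri))
            assert inv is not None, "r_j - r_i is not a unit: the points violate Lemma 21"
            basis = p_mul(basis, [r_mul(r_sub(ZERO, ri), inv), inv])   # (y - r_i)/(r_j - r_i)
        total = p_add(total, p_scale(basis, values[j]))
    return total

def build_ssp(M, v, points):
    """Construction 19: l_i(r_j) = M[i][j] for i >= 1, l_0(r_j) = v[j], a(y) = prod_j (y - r_j)."""
    l0 = lagrange(points, [r_const(c) for c in v])
    ls = [lagrange(points, [r_const(c) for c in row]) for row in M]
    a = [ONE]
    for r in points: a = p_mul(a, [r_sub(ZERO, r), ONE])
    return l0, ls, a

def ssp_accepts(l0, ls, a, s):
    """Definition 17: s is accepted iff a(y) divides (l_0(y) + sum_i s_i l_i(y))^2 - 1."""
    f = l0
    for si, li in zip(s, ls): f = p_add(f, p_scale(li, r_const(si)))
    return all(c == ZERO for c in p_mod(p_add(p_mul(f, f), [r_sub(ZERO, ONE)]), a))

# Constructed toy instance: d = 3 points 0, 1, x in R_{[0,+-1]} and m = 2 variables; a vector
# is accepted iff every entry of v + sM squares to 1, which here holds only for s = (1, 1).
POINTS = [r_const(0), r_const(1), [0, 1, 0, 0]]
M_EX, V_EX = [[1, 0, 2], [0, 1, 0]], [0, 0, -1]
```

The divisibility test is exactly where the invertibility of $r_j - r_i$ matters: once $(y - r_1)$ has been divided out, the remaining factor vanishes at $r_2$ only because $r_2 - r_1$ is a unit, so over a ring without Lemma 21 the "if and only if" in Definition 17 would fail.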

Assumptions
The security of previous SNARK schemes relied on two long-standing assumptions: power knowledge of exponent (PKE) assumptions and power Diffie-Hellman (PDH) assumptions.
The PKE assumption, introduced by Gennaro et al. (2013), is a knowledge assumption that extends the knowledge of exponent assumption (KEA). The original PKE assumption used a discrete-logarithm-hard group-based encoding scheme; later, Gennaro et al. (2018) changed the encoding scheme to an LWE-based one.
The PDH assumption was proposed by Boneh et al. (2005) and Groth (2010); its hardness rests on discrete logarithm problems through the encoding scheme. By directly altering the encoding scheme, Gennaro et al. (2018) obtained new instantiations whose hardness relies on the LWE problem.
To build our SNARK schemes, it is necessary to broaden the PDH and PKE assumptions in the ring setting.These two assumptions are formally defined in Subsection 4.1.Moreover, we observe a specific scenario in which these assumptions are developed with some useful auxiliary information.The auxiliary information enables us to do ciphertext operations to promote efficiency without harming the hardness of assumptions, which is explained in Subsection 4.2.

Assumptions in the ring setting
The $q$-PKE and $q$-PDH assumptions in the ring setting follow the nature of those in Gennaro et al. (2013, 2018), except that the encoding scheme is instantiated with Module-LWE. The slight modification originates from the difference in structure, i.e., groups, integer rings, and polynomial rings.
Definition 22 (q-PKE Assumption Over Ring) $R$ is a cyclotomic ring with degree $n$ and prime modulus $p$, and $(K, E, D, \mathsf{Eval})$ is an encoding scheme. The $q$-PKE assumption over $R$ states that for any ppt adversary $\mathcal{A}$ and any auxiliary information $\mathsf{aux} \in \{0,1\}^{\mathrm{poly}( )}$ that is independent of $\alpha$, there exists a ppt extractor $\mathsf{Ext}$ such that
$1), E_{sk}(s), \ldots, E_{sk}(s^q), E_{sk}(\alpha), E_{sk}(\alpha s), \ldots, E_{sk}(\alpha s^q))$, $(c, \hat{c}; a_0, \ldots, a_q) \leftarrow (\mathcal{A} \| \mathsf{Ext})(pk, \mu, \mathsf{aux})$:
For the $q$-PDH assumption in the ring setting, we observe that its form depends on the structure of the ring. Namely, for our choice of ring, $R_p$ is isomorphic to a product of two subfields of size $p^{n/2}$. A non-zero element $a \in R_p$ is therefore invertible in at least one of the two subfields.
Definition 23 (q-PDH Assumption Over Ring) Let the prime $p$ satisfy $p \equiv 3 \bmod 8$, and let $R$ be a cyclotomic ring of degree $n$ (a power of 2). $(K, E, D, \mathsf{Eval})$ is an encoding scheme. The $q$-PDH assumption over $R$ states that for any ppt adversary $\mathcal{A}$,

Assumptions with special auxiliary information
In comparison to the PDH/PKE assumptions stated above, we consider a special case in which some useful auxiliary information is appended. The auxiliary information needs to satisfy one basic principle: it admits linear operations only.
Following this idea, we take a new perspective on the key-switching procedure. Recall that a complete key-switching algorithm includes two steps: key-switching key generation, and the product of the bit-decomposed ciphertext with the key-switching key. Apparently, the whole key-switching algorithm is non-linear. Nevertheless, given access to the key-switching key, the product can be construed as a linear combination of the key-switching key and the decomposition of the ciphertext. Also, no adaptive key-switching keys can be incorporated into the auxiliary information, as the ciphertexts could then be evaluated homomorphically by means of modulus-switching and key-switching, as demonstrated in Brakerski et al. (2014).
An important observation is that we can separate the linear and non-linear parts of the key-switching procedure. The separation consists in putting some predetermined key-switching keys into the auxiliary information. This means that if the adversary wants to use the key-switching keys, what remains for it to do is linear, which does not violate the knowledge assumption (PKE assumption).
Next, we give a formal description of the strengthening $q$-PKE assumption, which embeds proper key-switching keys into the $q$-PKE assumption.
Definition 24 (The Strengthening q-PKE Assumption) $(K, E, D, \mathsf{Eval})$ is an encoding scheme and $\mathsf{KeySwitch} = (\mathsf{SwitKeyGen}, \mathsf{KeySwit})$ is a key-switching algorithm. The strengthening $q$-PKE assumption states that for any automorphism or identity mapping $f$, any ppt adversary $\mathcal{A}$, and any auxiliary information $\mathsf{aux}$ and key-switching keys $\mathsf{switkey}$ that are independent of $\alpha$, there exists a ppt extractor $\mathsf{Ext}$ such that
$1), E_{sk}(s), \ldots, E_{sk}(s^q), E_{sk}(\alpha), E_{sk}(\alpha s), \ldots, E_{sk}(\alpha s^q))$, $(c, \hat{c}; a_0, \ldots, a_q) \leftarrow (\mathcal{A} \| \mathsf{Ext})(\mu, \mathsf{aux}, \mathsf{switkey}, f)$:
Lemma 25 If the encoding scheme $(K, E, D)$ satisfies the strengthening $q$-PKE assumption, then it satisfies the $q$-PKE assumption over rings.

Proof
The proof is direct. If there is a ppt adversary that can break the $q$-PKE assumption over rings, then it outputs a valid pair $(c_1, c_2)$ such that $D_{sk}(c_2) = \alpha D_{sk}(c_1)$ with polynomial probability. This pair is also a valid pair for the strengthening $q$-PKE assumption.
Similarly, we give the formal definition of the strengthening q-PDH assumption.
Definition 26 (The Strengthening q-PDH Assumption) $(K, E, D, \mathsf{Eval})$ is an encoding scheme and $\mathsf{KeySwitch} = (\mathsf{SwitKeyGen}, \mathsf{KeySwit})$ is a key-switching algorithm. The strengthening $q$-PDH assumption states that for any automorphism or identity mapping $f$, any ppt adversary $\mathcal{A}$, any auxiliary information $\mathsf{aux}$ and key-switching keys $\mathsf{switkey}$,
Lemma 27 If the encoding scheme $(K, E, D)$ satisfies the strengthening $q$-PDH assumption, then it satisfies the $q$-PDH assumption over rings.

Proof
The proof is similar. If there is a ppt adversary that can break the $q$-PDH assumption over rings, then it outputs an encoding $\hat{c}$ such that $D_{sk}(\hat{c}) \bmod p_1 \equiv s^{q+1}$ or $D_{sk}(\hat{c}) \bmod p_2 \equiv s^{q+1}$ with polynomial probability. This encoding is also a valid encoding for the strengthening $q$-PDH assumption.
Lemmas 25 and 27 show that our new assumptions are stronger than the previous ones, which is why they are so named. Next, we discuss the feasibility of our new assumptions.
Feasibility of New Assumptions. Our modified PKE assumption, which strengthens the PKE assumption, is rooted in prior knowledge assumptions but refined by the specific ring structure. Furthermore, a set of predetermined key-switching keys is appended to the auxiliary information. The feasibility of this strategy rests on the fact that the key-switching procedure can be separated into a non-linear component (key generation) and a linear component. Since the key-switching keys are fixed, the adversary is limited to linear evaluations, which does not violate the PKE assumption.
The $q$-PDH assumption is also amenable to combination with key-switching keys without compromising the secrecy of the message $sk$, since the encoding scheme is IND-CPA secure. Consequently, including extra key-switching keys does not impact the difficulty of the $q$-PDH assumption.
Parameters. The PKE assumption still holds over a small field (or a ring with a small ideal norm). This is due to the sparseness of valid pairs of MLWE encodings, which require a relation by $\alpha$ between the two messages.
Yet, the PDH assumption does not maintain its hardness over a polynomial-sized field $F$. The direct consequence is that one can guess the value of $s$ correctly with probability 1/poly( ) and subsequently compute $E_{sk}(s^{q+1})$. Moreover, Ishai et al. (2021) proposed a more efficient attack. The adversary selects random and independent $x_1, \ldots, x_{2q} \in F$ and computes $f(x) = \prod_{i=1}^{2q} (x - x_i)$, so that all $x_i$ are roots of $f(x)$. Then, if $s$ collides with any $x_i$, the adversary can compute $E_{sk}(s^{q+1})$, since the coefficient of $x^{q+1}$ in $f(x)$ is non-zero with non-negligible probability. Consequently, we require 2q/|F| < 2 − to reach -bits security level.
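To make the parameter requirement concrete, here is an added Python example (not from the paper) that runs the root-collision argument above over a toy prime field and compares its empirical success rate with $2q/|F|$. It assumes the standard $q$-PDH interface, which this page does not spell out: the adversary receives $s^i$ for $0 \le i \le 2q$ except $i = q + 1$ and may only take linear combinations of them; the script operates on the powers themselves in place of their linearly homomorphic encodings.

```python
"""Added example (not the paper's code): the root-collision argument of the "Parameters"
paragraph over a toy prime field Z_p standing in for F.  Assumed q-PDH interface (standard,
not stated on this page): the challenger hands out s^i for 0 <= i <= 2q except i = q + 1, and
the adversary may only form Z_p-linear combinations of them, as a linearly homomorphic
encoding permits; working on the powers themselves models those encodings."""
import random

def poly_from_roots(roots, p):
    """Coefficients c_0..c_{2q} (lowest degree first) of f(x) = prod_i (x - x_i) over Z_p."""
    f = [1]
    for r in roots:
        g = [0] * (len(f) + 1)
        for k, c in enumerate(f):
            g[k + 1] = (g[k + 1] + c) % p      # c x^k * x
            g[k] = (g[k] - c * r) % p          # c x^k * (-r)
        f = g
    return f

def collision_attack(p, q, s, roots):
    """Returns s^(q+1) mod p when f(s) = 0 and c_{q+1} != 0 (the two events the paragraph
    names), using only the permitted powers; otherwise None."""
    f = poly_from_roots(roots, p)
    if s not in roots or f[q + 1] == 0:
        return None
    # f(s) = 0  =>  s^(q+1) = -c_{q+1}^{-1} * sum_{i != q+1} c_i s^i, a linear combination
    # of the powers the challenger provided, so the same steps apply to their encodings.
    acc = sum(f[i] * pow(s, i, p) for i in range(2 * q + 1) if i != q + 1) % p
    return (-acc * pow(f[q + 1], -1, p)) % p

def success_rate(p, q, trials, seed=0):
    """Empirical success probability over random s and 2q random roots; compare with bound()."""
    rng, wins = random.Random(seed), 0
    for _ in range(trials):
        s = rng.randrange(p)
        out = collision_attack(p, q, s, [rng.randrange(p) for _ in range(2 * q)])
        if out is not None:
            assert out == pow(s, q + 1, p)     # whenever the attack fires, its answer is right
            wins += 1
    return wins / trials

def bound(p, q):
    """The paper's parameter requirement: 2q/|F| must stay below 2^-lambda for lambda bits."""
    return 2 * q / p
```

With $|F| = 101$ and $q = 2$ the empirical rate sits close to $2q/|F| \approx 0.04$, which is why the field (or here, each subfield of $R_p$, of size $p^{n/2}$) must be exponentially large for a fixed $q$.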

Zero-knowledge succinct non-interactive argument of knowledge schemes
In this section, we present two constructions of zk-SNARKs: a basic construction and then an optimized variant. The basic construction generalizes the SSP-based SNARK framework (Gennaro et al. 2018) to the ring setting and applies modulus switching to reduce the proof length. From the basic scheme we then design the optimized construction, based on the strengthening assumptions (Definitions 24 and 26) and additional techniques including key switching and packing, to optimize the parameters.
Below we first present the basic scheme.
$\ldots, pe_{sm,2}, pe_{sm,3}, pe_{sm,4}, pe_{sm,5})$.
4. Run ModSwit to compute
2. Check if the following equations hold:
If all of the equations are satisfied, proceed to the subsequent step; otherwise, terminate and output "0".

Theorem 29
Let the prime $p$ satisfy $p \equiv 3 \pmod 8$. Assume the hardness of the MLWE assumption, the strengthening $q$-PDH assumption and the strengthening $q$-PKE assumption, as well as IND-CPA security of the encoding scheme. Then Construction 28 is a zero-knowledge succinct non-interactive adaptive argument of knowledge (zk-SNARK) for any square span program relation $(u, \omega) \in L$.
The proof shares some similarities with the proof of the later optimized scheme. For brevity, we defer it to Appendix B.

The optimized scheme
The optimized scheme further improves the efficiency of the basic construction using more algebraic techniques. At a high level, we pack multiple Module-LWE encodings over a lower-dimension ring into one Module-LWE encoding over a higher-dimension ring via the packing technique. As encodings over a higher-dimension ring have a better rate, i.e., output/input length ratio, the key-switching technique can then further compress the proof (by a factor of 8x in our concrete instantiations). However, as the key-switching procedure requires an additional key-switching key, the security proof relies on the stronger assumptions (Definitions 24 and 26). Below we present the optimized scheme.
To show that Construction 30 is a zk-SNARK, we first prove three separate properties, namely completeness, honest-verifier zero-knowledge and argument of knowledge, corresponding to Theorems 31, 32 and 33 respectively. We then put them together and prove succinctness to conclude that Construction 30 is a zk-SNARK.
Proof We show that the infinity norm of the final noise in $\pi'$ remains below half of the switched modulus when the prover follows the protocol. The analysis tracks the growth of the noise through each step.

Computational Argument of Knowledge
Theorem 33 Assume the hardness of the MLWE assumption, the strengthening $q$-PDH assumption and the strengthening $q$-PKE assumption, and suppose that the encoding scheme is IND-CPA secure. Then for any $Q, Q'$ defined as in Theorem 31, Construction 30 satisfies computational argument of knowledge with knowledge error $2(q - m + \ell_u)/p^{n/2}$.
Proof We show this via a reduction: assuming a ppt adversary produces a valid proof $\pi'$, we break the strengthening $q$-PDH assumption. More concretely, if there exists a ppt adversary $\mathcal A_{\pi'}$ that forges a proof for a false statement which passes verification, then at least one of the following two events occurs.
We show that either event $E_1$ or event $E_2$ leads to breaking the strengthening $q$-PDH assumption. The construction of the adversary $\mathcal A_{\mathrm{PDH}}$ closely resembles that in Gennaro et al. (2018). However, contrary to that proof, our construction is built over the ring, so we emphasize how to handle the inverse of a ring element.
A valid proof consists of a single packed encoding. By executing the unpack algorithm, we obtain 5 encodings. The $d$-PKE assumption gives a ppt extractor $\mathrm{Ext}_{\mathrm{PKE}}$ that extracts $h(x)$ from $(H'', \hat H'')$ and $v(x)$ from $(V'', \hat V'')$, where $V''$ is computed by homomorphic evaluation, and $V^{*\prime\prime}$. Set $z(x) = v^2(x) - 1 - a(x)h(x)$. Event $E_1$ implies that $z(x)$ is not the zero polynomial and $z(r) = 0$. Let $k$ ($k \le 2d$) be the highest degree with a non-zero coefficient and parse $z(x) = \sum_{i=0}^{k} z_i x^i$. Since $z_k \neq 0$, there exists at least one ideal such that $z_k \bmod \mathfrak p_i \neq 0$ (here $z_k$ is treated as a ring element). Without loss of generality, suppose $z_k \bmod \mathfrak p_1 \neq 0$; then $z_k$ has an inverse $z_k^{-1}$ in $R_p/\mathfrak p_1$.
Next, we show how to compute $E_{s_1}(r^{q+1})$. We have $z(r) \bmod \mathfrak p_1 = 0$ since $z(r) = 0 \bmod p$. Let $\bar z(x) = \big(x^k - (z_k^{-1} z(x) \bmod p)\big) \bmod \mathfrak p_1$, a polynomial of degree at most $k-1$ with coefficients $\bar z_0, \dots, \bar z_{k-1}$. Clearly $r^k - \bar z(r)$ equals zero over $R/\mathfrak p_1$, and so does $r^{q+1} - r^{q+1-k} \bar z(r)$. This means that if we can derive $E_{s_1}(r^{q+1-k} \bar z(r))$, we also obtain $E_{s_1}(r^{q+1})$. As the degree of $x^{q+1-k} \bar z(x)$ is at most $q$, we compute $E_{s_1}(r^{q+1-k} \bar z(r))$ by the homomorphic evaluation $\mathrm{Eval}(\{E_{s_1}(r^{q+1-k+i}), \bar z_i\}_{i=0}^{k-1}, F)$. Furthermore, we require $q \ge 2d - 1$ to make sure that $q + 1 - k$ is non-negative, as $k \le 2d$. This breaks the hardness of the strengthening $q$-PDH assumption for $q \ge 2d - 1$.
Similarly, if event $E_2$ happens, we can also construct an adversary against the $q$-PDH assumption. Specifically, we generate the crs as in event $E_1$ except for the way of computing $\{E_{s_1}(\beta v_i(r))\}_{i=\ell_u+1}^{m}$ and $E_{s_1}(\beta a(r))$. Following the idea of Gennaro et al. (2018), we interpret $\beta$ as $f(r)$, where $f(x) \in \mathcal F$ and $\mathcal F$ is defined as the function class:
In this case we can generate the crs without knowing $E_{s_1}(r^{q+1})$. Meanwhile, the $m - \ell_u + 1$ constraints in $\mathcal F$ reduce the degrees of freedom of $f$ accordingly, and the encodings are computed as $\mathrm{Eval}(\{E_{s_1}(r^j), c_{ij}\}_{j=0,\, j \neq q+1}^{2q}, F)$, assuming that $f(x) v_i(x) = \sum_{j=0}^{2q} c_{ij} x^j$ and $f(x) a(x) = \sum_{j=0}^{2q} c'_j x^j$. As in the case of event $E_1$, we obtain the proof $\pi'$. By running the unpacking algorithm on $\pi'$, we obtain the separate ciphertexts $(\hat V'', H'', \hat H'', V^{*\prime\prime}, V'')$. Next, we prove that the coefficient of $x^{q+1}$ in $f(x) v^*(x)$ is invertible (as a ring element) with overwhelming probability. More specifically, let $f$
We consider the case that $c_{q+1}$ is not invertible, which means that $\sum_{i=1}^{q} f_i v^*_{q+1-i} \equiv 0 \pmod{\mathfrak p_j}$ for some $j \in \{1, 2\}$. By the Schwartz-Zippel lemma, the probability of this case is at most $2(q - m + \ell_u)/p^{n/2}$; since the lemma holds over a field, all elements here are considered as elements of $R/\mathfrak p_j$. Therefore, the coefficient of $x^{q+1}$ is invertible in $R_p$ with probability at least $1 - 2(q - m + \ell_u)/p^{n/2}$. Recall that
Then we can obtain $E_{s_2}(r^{q+1})$ from $V^{*\prime\prime}$ by subtracting the other terms (via homomorphic evaluation and key switching) and multiplying by $c_{q+1}^{-1}$. Concretely, we compute $E_{s_3}(r^{q+1} \bmod p)$ after modulus switching and key switching. That breaks the strengthening $q$-PDH assumption for $q = d$. So far, we have established the computational soundness of Construction 30 with soundness error $2(q - m + \ell_u)/p^{n/2}$. Furthermore, the construction also satisfies the argument-of-knowledge property, i.e., there is a ppt extractor that recovers the witness whenever the adversary outputs a convincing proof. As event $E_2$ happens with negligible probability, the recovered $v^*(x)$ is a linear combination of $\{a(x), v_{\ell_u+1}(x), \dots, v_m(x)\}$. Then there are $m - \ell_u + 1$ unknowns and $d + 1$ constraints, and the witness $\omega = (\omega_{\ell_u+1}, \dots, \omega_m)$ is recovered by Gaussian elimination since $d = m + n > m - \ell_u$. $\square$
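The algebraic core shared by the attack of Ishai et al. (2021) described under Parameters, the event-$E_1$ reduction and the event-$E_2$ step above is the same: a polynomial whose value at the secret $r$ is known (zero for the attack and for $E_1$, the decoded $\beta v^*(r)$ for $E_2$) and whose coefficient at $x^{q+1}$ is invertible lets one solve for $r^{q+1}$ from the other powers $r^j$, $j \neq q+1$, which the $q$-PDH challenge supplies. The following Python block is an added example, not the paper's code: it simulates this step in plaintext over a prime field $\mathbb F_p$ standing in for $R/\mathfrak p_i$, models the $q$-PDH challenge as the plaintext powers of $r$ rather than MLWE encodings, and uses constructed values for $p$, $q$, $r$ and the polynomials. In the real reductions the same linear combination is applied with Eval on encodings.

```python
"""Plaintext simulation of the 'solve for r^{q+1}' step used by the small-field
attack on q-PDH and by the E_1 / E_2 reductions. Added example, not the paper's
code. F_p replaces R/p_i; the q-PDH challenge is modelled as plaintext powers."""


def poly_mul(a, b, p):
    """Product of two coefficient lists (index = degree) modulo p."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out


def poly_from_roots(roots, p):
    """prod_i (x - x_i) over F_p, as used by the Ishai et al. attack."""
    f = [1]
    for x_i in roots:
        f = poly_mul(f, [(-x_i) % p, 1], p)
    return f


def poly_eval(f, x, p):
    acc = 0
    for c in reversed(f):          # Horner's rule
        acc = (acc * x + c) % p
    return acc


def pdh_challenge(r, q, p):
    """Simulated q-PDH instance: r^j for 0 <= j <= 2q, j != q+1 (plaintext stand-in
    for the encodings E(r^j) the real challenge provides)."""
    return {j: pow(r, j, p) for j in range(2 * q + 1) if j != q + 1}


def solve_for_monomial(f, value, target, powers, p):
    """Given f(r) = value, f[target] invertible and r^j for every j != target with
    f[j] != 0, return r^target = (value - sum_{j != target} f[j] r^j) / f[target]."""
    c_t = f[target] % p
    if c_t == 0:
        raise ValueError("coefficient at x^target is zero; cannot solve")
    rest = sum(cj * powers[j] for j, cj in enumerate(f) if j != target and cj) % p
    return ((value - rest) * pow(c_t, p - 2, p)) % p   # p prime: c^-1 = c^(p-2)


def small_field_attack(r, q, p, guesses):
    """Attack of Ishai et al.: f = prod (x - x_i) over 2q guesses x_i. It succeeds
    when r is among the guesses (so f(r) = 0) and the x^{q+1} coefficient is
    non-zero; returns r^{q+1} or None."""
    f = poly_from_roots(guesses, p)
    if poly_eval(f, r, p) != 0 or f[q + 1] % p == 0:
        return None
    return solve_for_monomial(f, 0, q + 1, pdh_challenge(r, q, p), p)


def e1_reduction(z, r, q, p):
    """Event E_1: z(r) = 0 with invertible leading coefficient z_k and k <= q+1
    (the paper takes q >= 2d-1 so that k <= 2d <= q+1). Multiplying by x^{q+1-k}
    moves z_k to the x^{q+1} position; the other powers r^{q+1-k}, ..., r^q are
    all in the challenge."""
    k = len(z) - 1
    if z[k] % p == 0 or k > q + 1:
        raise ValueError("need z_k invertible and deg z <= q+1")
    shifted = [0] * (q + 1 - k) + [zi % p for zi in z]
    return solve_for_monomial(shifted, 0, q + 1, pdh_challenge(r, q, p), p)


def e2_reduction(f, vstar, beta_vstar_at_r, r, q, p):
    """Event E_2: the forged V* decodes to beta * v*(r) with beta = f(r). With
    f(x) v*(x) = sum_j c_j x^j, deg <= 2q and c_{q+1} invertible, subtract the
    known terms and multiply by c_{q+1}^{-1}."""
    fv = poly_mul(f, vstar, p)
    if len(fv) > 2 * q + 1:
        raise ValueError("deg f + deg v* must be at most 2q")
    fv = fv + [0] * max(0, q + 2 - len(fv))
    if fv[q + 1] % p == 0:
        return None
    return solve_for_monomial(fv, beta_vstar_at_r, q + 1, pdh_challenge(r, q, p), p)


if __name__ == "__main__":
    # Constructed toy instance: F_101, q = 5, secret r = 37.
    p, q, r = 101, 5, 37
    print(e1_reduction(poly_from_roots([37, 5, 9], p), r, q, p) == pow(r, q + 1, p))
    # guesses whose product is (x - 37)(x^4 - 1)x^5, so the x^6 coefficient is -1
    print(small_field_attack(r, q, p, [37, 1, 100, 10, 91, 0, 0, 0, 0, 0]) == pow(r, 6, p))
```

The success probability of the guessing step is the $2q/|F|$ bound stated in the text; the attack fails both when $r$ is not a root and, with probability about $1/|F|$, when the $x^{q+1}$ coefficient of $f$ happens to vanish, which is why the bound carries the factor $2q$ and not the full degree.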
Corollary 34 Assume the hardness of the MLWE assumption, the strengthening $q$-PDH assumption and the strengthening $q$-PKE assumption, and assume that the encoding scheme is IND-CPA secure. Then for any $R, R', p, Q, Q'$ defined as in Theorem 31, Construction 30 is a zk-SNARK for any NP relation $(u, \omega) \in L$.
Proof To show that Construction 30 is a zk-SNARK, we show that four properties are satisfied: completeness, argument of knowledge, honest-verifier zero-knowledge and succinctness. Succinctness is immediate, since the proof consists of a single MLWE encoding and is therefore constant-sized. By Theorem 31, Construction 30 satisfies completeness; by Theorem 32, computational honest-verifier zero-knowledge; and by Theorem 33, the computational argument of knowledge.
Putting all the pieces together, Construction 30 is a zk-SNARK. $\square$

Concrete parameters
In this section, we exhibit explicit and quantifiable parameters for our basic and optimized schemes.

Parameter selection
First, we summarize the preceding restrictions on the parameters and then propose several parameter sets.
• Message modulus $p$: The choice of $p$ is jointly influenced by the PDH assumption and by SSP instance generation. We opt for the scenario where $pR$ splits into two ideals, which holds when the prime $p$ satisfies $p \equiv 3 \pmod 8$. To guarantee the hardness of the $d$-PDH assumption over the residue field $R/\mathfrak p$ (where $\mathfrak p$ is a prime ideal dividing $pR$, of size $p^{n/2}$) and to ensure correct SSP instance generation over the ring $R_p$, we impose the following requirements: $\log p > 2(\lambda + \log 2d)/n$ and $p > 4n$. After several attempts, we settled on $n = 64$, $p = 283$, as well as $n = 32$, $p = 643$ (for $d = 2^{20}$) or alternatively $n = 32$, $p = 547$ (for $d = 2^{16}$).
• Dimension $n$ of $R$: The ring dimension $n$ is a power of 2 and can be small, such as 64, as long as we set a larger rank $k$ to keep $nk$ sufficient in the MLWE estimation. Analysed together with $p$, we set $n = 64$ or $n = 32$.
• Standard deviations $\sigma$ and $\sigma'$: Unless stated otherwise, we set all standard deviations $\sigma = \sigma' = 64$.
• Moduli $Q, Q'$: $Q$ and $Q'$ are positive integers satisfying the completeness condition of Theorem 31.
• Rank $k, k'$: The quantities $k$ and $k'$ are determined with the LWE security estimator (Albrecht et al. 2015) for the desired security level, given predetermined values of $n, \alpha, \sigma, \sigma'$. For classical security we adopt the "ADPS16" method (Alkim et al. 2016), which yields the lowest security estimate among the considered approaches for equivalent parameters. For quantum security, the two methodologies "LaaMosPol14" (Laarhoven et al. 2015) and "qsieve" yield identical results.
• Circuit size $d$: We take circuit sizes ranging from $2^{10}$ to $2^{20}$, which suffices for the majority of applications.
Following the above parameter suggestions, we present detailed parameters for two circuit sizes ($d = 2^{16}$ and $d = 2^{20}$, as before) in Table 3.

Proof and CRS length
The proof of the basic scheme consists of 5 encodings in $R_{Q'}$, and that of the optimized scheme of 1 encoding in $R_{Q'}$ over the higher-dimension ring of dimension $n'$. Hence the proof sizes of the basic and optimized schemes are $5n(k+1) \log Q'$ bits and $n'(k'+1) \log Q'$ bits respectively. For the basic scheme, the CRS consists of $2(d+1) + m - \ell_u + 3$ encodings in $R_Q^{k+1}$, which amount to less than $3(d+1)(k+1) n \log Q$ bits. Furthermore, we can use a seed and a pseudorandom generator to replace the true randomness in the encodings, so that the CRS length shrinks to $3(d+1) n \log Q$ bits. Since the optimized scheme uses the key-switching technique, its CRS grows by the key-switching keys. Specifically, the optimized scheme employs 2 key-switchings from $Q'$, which amount to $8n(k'+1)\big(2(k+1) + 8(k'+1)\big) \log^2 Q'$ bits.
Plugging the estimated values into these formulae, we obtain the concrete proof and CRS lengths in Table 4 and depict the trend for circuit sizes ranging from $2^{10}$ to $2^{20}$ in Figs. 2 and 3.
Comparison between the basic and the optimized schemes. As shown in Figs. 2 and 3, the proof length increases only slightly with the circuit size, while the CRS length increases almost linearly. (Note that the horizontal axis is logarithmic in the circuit size, which is why the growth appears exponential.) The circuit size has only a slight effect on the switched modulus, which translates into a small impact on the proof length; conversely, it has a significant and almost linear effect on the CRS length.
Our optimized scheme offers a marked improvement over the basic scheme, with the proof length roughly 5x shorter. This is due to its single encoding, as opposed to the five encodings of the basic scheme. As for the CRS length, the difference between the two schemes is minimal; it arises from the key-switching keys, which constitute only 1% of the total CRS size at $d = 2^{20}$.
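The constraints on the message modulus $p$ listed under Parameter selection and the length formulas above can be checked mechanically. The following Python block is an added example, not the paper's code: choose_message_modulus reproduces the paper's choices of $p$ from $n$, $d$ and the security level $\lambda = 128$ (the residue field $R/\mathfrak p_i$ has $p^{n/2}$ elements, so the attack bound $2q/|F| < 2^{-\lambda}$ with $q = d$ is the stated $\log p > 2(\lambda + \log 2d)/n$), and proof_and_crs_bits evaluates the length formulas with bit widths rounded up. The values of $Q$, $Q'$, $k$, $k'$, $m$, $\ell_u$ and the higher-dimension ring in the usage call are hypothetical placeholders, not the paper's Table 3 parameters.

```python
"""Parameter checks for the SSP-based lattice zk-SNARK parameters discussed above.
Added example, not the paper's code. Q, Q', k, k', m, ell_u and the packed ring
used below are hypothetical placeholders."""
import math


def is_prime(x):
    if x < 2:
        return False
    if x % 2 == 0:
        return x == 2
    i = 3
    while i * i <= x:
        if x % i == 0:
            return False
        i += 2
    return True


def pdh_attack_advantage_log2(p, n, q):
    """log2 of the 2q/|F| bound on the small-field attack, where |F| = p^(n/2) is
    the size of the residue field R/p_i when pR splits into two ideals."""
    return math.log2(2 * q) - (n / 2) * math.log2(p)


def choose_message_modulus(n, d, lam=128):
    """Smallest prime p with p = 3 (mod 8) (so pR splits into two ideals), p > 4n
    and log2 p > 2(lam + log2(2d))/n, i.e. 2d/|F| < 2^-lam with q = d."""
    lower = max(4 * n, 2 ** (2 * (lam + math.log2(2 * d)) / n))
    p = int(math.floor(lower)) + 1          # strict inequalities
    while not (p % 8 == 3 and is_prime(p)
               and pdh_attack_advantage_log2(p, n, d) < -lam):
        p += 1
    return p


def proof_and_crs_bits(n, k, Q, Qp, d, m, ell_u, n_hi=None, k_hi=None, prg_seed=True):
    """Proof and CRS lengths in bits from the formulas in the text.
    Basic scheme: 5 encodings in R_{Q'}; CRS of 2(d+1)+m-ell_u+3 encodings in
    R_Q^{k+1}, one ring element each when the randomness comes from a PRG seed.
    Optimized scheme: 1 encoding in the packed ring (n_hi, k_hi) plus two
    key-switching keys of 8n(k'+1)(2(k+1)+8(k'+1)) log^2 Q' bits in the CRS."""
    lq, lqp = math.ceil(math.log2(Q)), math.ceil(math.log2(Qp))
    out = {"proof_basic": 5 * n * (k + 1) * lqp}
    n_enc = 2 * (d + 1) + m - ell_u + 3
    out["crs_basic"] = n_enc * (1 if prg_seed else k + 1) * n * lq
    if n_hi is not None:
        out["proof_opt"] = n_hi * (k_hi + 1) * lqp
        ks = 8 * n * (k_hi + 1) * (2 * (k + 1) + 8 * (k_hi + 1)) * lqp ** 2
        out["crs_opt"] = out["crs_basic"] + ks
    return out


if __name__ == "__main__":
    # The paper's message moduli for lambda = 128 are reproduced from the constraints.
    for n, d in [(64, 2 ** 20), (32, 2 ** 20), (32, 2 ** 16)]:
        print(n, d, choose_message_modulus(n, d))        # 283, 643, 547
    # Hypothetical sizes: CRS grows linearly in d, proof length does not depend on d.
    for d in (2 ** 16, 2 ** 20):
        sizes = proof_and_crs_bits(64, 10, 2 ** 60, 2 ** 40, d, d // 2, 10,
                                   n_hi=512, k_hi=2)
        print(d, {key: val // 8 for key, val in sizes.items()}, "bytes")
```

The loop in choose_message_modulus rejects any candidate whose residue field is too small for the attack bound even after the $\log p$ constraint is met, which matters for $n = 32$ where the bound is tight.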

Conclusion
In this paper, we develop the framework of square span program-based SNARKs and design new zk-SNARKs over cyclotomic rings. To fit the ring setting, we first extend square span programs to rings and then propose two new assumptions. Based on these components, we construct SNARKs by applying modulus-switching and key-switching procedures in a novel way.
Our scheme avoids parallel repetition by leveraging the ring structure. Thus, we obtain concretely small constructions for designated-verifier SNARKs in the preprocessing model, with a proof length of 14.06 KB and a CRS length of 133.99 MB for circuits of size $2^{16}$. For larger circuits of size $2^{20}$, the proof length and CRS length of our scheme are 14.34 KB and 1.48 GB respectively. The proof length is 23.3% smaller and the CRS length 3.6x smaller than those in Ishai et al. (2021).

Table 4 Proof and CRS lengths of the schemes for $\lambda \approx 128$, $\kappa = 40$. For the CRS length we count only the encodings; other parts, including the seed for the PRF, are neglected.
Figure caption: Proof length varying with circuit size.