
Rinocchio: SNARKs for Ring Arithmetic

  • Research Article
  • Journal of Cryptology

Abstract

Succinct non-interactive arguments of knowledge (SNARKs) enable non-interactive efficient verification of NP computations and admit short proofs. However, all current SNARK constructions assume that the statements to be proven can be efficiently represented as either Boolean or arithmetic circuits over finite fields. For most constructions, the choice of the prime field \({\mathbb {F}}_{p}\) is limited by the existence of groups of matching order for which secure bilinear maps exist. In this work, we overcome such restrictions and enable verifying computations over rings. We construct the first designated-verifier SNARK for statements which are represented as circuits over a broader kind of commutative rings. Our contribution is threefold:

  1. We first introduce Quadratic Ring Programs (QRPs) as a characterization of NP where the arithmetic is over a ring.

  2. Second, inspired by the framework in Gennaro et al. (in: Johansson and Nguyen (eds) EUROCRYPT 2013, volume 7881 of LNCS, pp 626–645. Springer, Heidelberg, 2013), we design SNARKs over rings in a modular way. We generalize pre-existing assumptions employed in field-restricted SNARKs to encoding schemes over rings. As our encoding notion is generic in the choice of the ring, it is amenable to different settings.

  3. Finally, we propose two applications for our SNARKs.

    • Our first application is verifiable computation over encrypted data, specifically for evaluations of Ring-LWE-based homomorphic encryption schemes.

    • In the second one, we use Rinocchio to naturally prove statements about circuits over, e.g., \({\mathbb {Z}}_{2^{64}}\), which closely matches real-life computer architectures such as standard CPUs.


Notes

  1. Such ideals are also denoted co-maximal by some authors.

  2. In order to see this, consider a proof that consists purely of encodings of zero. The checks in the verification equations would pass if s happened to coincide with a value in the QRP used to describe a multiplication gate with no connections to input or output wires. This applies to, e.g., [42].

  3. The final output ciphertext obtained by the verifier, after several of these modular reductions, has to be re-interpreted as an element of the adequate ring \(\mathcal {R}_{q_j}\), considering only the first j elements of the vector (which are followed by zeroes).

References

  1. M. Abspoel, R. Cramer, I. Damgård, D. Escudero, C. Yuan, Efficient information-theoretic secure multiparty computation over \({\mathbb{Z}}/p^k{\mathbb{Z}}\) via Galois rings. In D. Hofheinz and A. Rosen, editors, TCC 2019, Part I, volume 11891 of LNCS, pages 471–501. Springer, Heidelberg (2019)

  2. S. Agrawal, C. Ganesh, P. Mohassel, Non-interactive zero-knowledge proofs for composite statements. In H. Shacham and A. Boldyreva, editors, CRYPTO 2018, Part III, volume 10993 of LNCS, pages 643–673. Springer, Heidelberg (2018)


  3. E. Ben-Sasson, A. Chiesa, D. Genkin, E. Tromer, M. Virza, SNARKs for C: Verifying program executions succinctly and in zero knowledge. In R. Canetti and J.A. Garay, editors, CRYPTO 2013, Part II, volume 8043 of LNCS, pages 90–108. Springer, Heidelberg (2013)

  4. E. Ben-Sasson, A. Chiesa, E. Tromer, M. Virza, Succinct non-interactive zero knowledge for a von Neumann architecture. In K. Fu and J. Jung, editors, USENIX Security 2014, pages 781–796. USENIX Association (2014)

  5. F. Benhamouda, J. Herranz, M. Joye, B. Libert, Efficient cryptosystems from \(2^k\)-th power residue symbols. J. Cryptol., 30(2), 519–549 (2017)


  6. A. Bishnoi, P.L. Clark, A. Potukuchi, J.R. Schmitt, On zeros of a polynomial in a finite grid. Combin. Probab. Comput., 27(3), 310–333 (2018)

  7. N. Bitansky, A. Chiesa, Y. Ishai, R. Ostrovsky, O. Paneth, Succinct non-interactive arguments via linear interactive proofs. In A. Sahai, editor, TCC 2013, volume 7785 of LNCS, pages 315–333. Springer, Heidelberg (2013)

  8. A. Bois, I. Cascudo, D. Fiore, D. Kim, Flexible and efficient verifiable computation on encrypted data. In J. Garay, editor, PKC 2021, Part II, volume 12711 of LNCS, pages 528–558. Springer, Heidelberg (2021)

  9. D. Boneh, Y. Ishai, A. Sahai, D.J. Wu, Lattice-based SNARGs and their application to more efficient obfuscation. In J.-S. Coron and J.B. Nielsen, editors, EUROCRYPT 2017, Part III, volume 10212 of LNCS, pages 247–277. Springer, Heidelberg (2017)

  10. D. Boneh, Y. Ishai, A. Sahai, D.J. Wu, Quasi-optimal SNARGs via linear multi-prover interactive proofs. In J.B. Nielsen and V. Rijmen, editors, EUROCRYPT 2018, Part III, volume 10822 of LNCS, pages 222–255. Springer, Heidelberg (2018)

  11. J. Bootle, A. Cerulli, J. Groth, S.K. Jakobsen, M. Maller, Arya: Nearly linear-time zero-knowledge proofs for correct program execution. In T. Peyrin and S. Galbraith, editors, ASIACRYPT 2018, Part I, volume 11272 of LNCS, pages 595–626. Springer, Heidelberg (2018)

  12. Z. Brakerski, Fully homomorphic encryption without modulus switching from classical GapSVP. In R. Safavi-Naini and R. Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, pages 868–886. Springer, Heidelberg (2012)

  13. Z. Brakerski, C. Gentry, V. Vaikuntanathan, (Leveled) fully homomorphic encryption without bootstrapping. In S. Goldwasser, editor, ITCS 2012, pages 309–325. ACM (2012)

  14. Z. Brakerski, V. Vaikuntanathan, Fully homomorphic encryption from ring-LWE and security for key dependent messages. In P. Rogaway, editor, CRYPTO 2011, volume 6841 of LNCS, pages 505–524. Springer, Heidelberg (2011)

  15. B. Braun, A.J. Feldman, Z. Ren, S. Setty, A.J. Blumberg, M. Walfish, Verifying computations with state. In Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles, pages 341–357 (2013)

  16. M. Campanelli, D. Fiore, A. Querol, LegoSNARK: Modular design and composition of succinct zero-knowledge proofs. In L. Cavallaro, J. Kinder, X. Wang, and J. Katz, editors, ACM CCS 2019, pages 2075–2092. ACM Press (2019)

  17. D.G. Cantor, E. Kaltofen, On fast multiplication of polynomials over arbitrary algebras. Acta Inf., 28(7), 693–701 (1991)

  18. D. Catalano, M. Di Raimondo, D. Fiore, I. Giacomelli, Monza: Fast maliciously secure two party computation on \({\mathbb{Z}}_{2^k}\). Cryptology ePrint Archive, Report 2019/211 (2019) https://eprint.iacr.org/2019/211.

  19. S. Chen, J.H. Cheon, D. Kim, D. Park, Verifiable computing for approximate computation. Cryptology ePrint Archive, Report 2019/762 (2019) https://eprint.iacr.org/2019/762.

  20. A. Chiesa, Y. Hu, M. Maller, P. Mishra, P. Vesely, N.P. Ward, Marlin: Preprocessing zkSNARKs with universal and updatable SRS. In A. Canteaut and Y. Ishai, editors, EUROCRYPT 2020, Part I, volume 12105 of LNCS, pages 738–768. Springer, Heidelberg (2020)

  21. I. Chillotti, N. Gama, M. Georgieva, M. Izabachène, TFHE: Fast fully homomorphic encryption over the torus. J. Cryptol., 33(1), 34–91 (2020)

  22. K.-M. Chung, Y. Kalai, S.P. Vadhan, Improved delegation of computation using fully homomorphic encryption. In T. Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, pages 483–501. Springer, Heidelberg (2010)

  23. A. Costache, K. Laine, R. Player, Evaluating the effectiveness of heuristic worst-case noise analysis in FHE. In L. Chen, N. Li, K. Liang, and S.A. Schneider, editors, ESORICS 2020, Part II, volume 12309 of LNCS, pages 546–565. Springer, Heidelberg (2020)

  24. C. Costello, C. Fournet, J. Howell, M. Kohlweiss, B. Kreuter, M. Naehrig, B. Parno, S. Zahur, Geppetto: Versatile verifiable computation. In 2015 IEEE Symposium on Security and Privacy, pages 253–270. IEEE (2015)

  25. A.P.K. Dalskov, E. Lee, E. Soria-Vazquez, Circuit amortization friendly encodings and their application to statistically secure multiparty computation. In S. Moriai and H. Wang, editors, ASIACRYPT 2020, Part III, volume 12493 of LNCS, pages 213–243. Springer, Heidelberg (2020)

  26. J. Fan, F. Vercauteren, Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive, Report 2012/144 (2012)

  27. D. Fiore, R. Gennaro, V. Pastro, Efficiently verifiable computation on encrypted data. In G.-J. Ahn, M. Yung, and N. Li, editors, ACM CCS 2014, pages 844–855. ACM Press (2014)

  28. D. Fiore, A. Nitulescu, D. Pointcheval, Boosting verifiable computation on encrypted data. In A. Kiayias, M. Kohlweiss, P. Wallden, and V. Zikas, editors, PKC 2020, Part II, volume 12111 of LNCS, pages 124–154. Springer, Heidelberg (2020)

  29. A. Gabizon, Z.J. Williamson, plookup: A simplified polynomial protocol for lookup tables. Cryptology ePrint Archive, Report 2020/315 (2020) https://ia.cr/2020/315

  30. R. Gennaro, C. Gentry, B. Parno, Non-interactive verifiable computing: Outsourcing computation to untrusted workers. In T. Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, pages 465–482. Springer, Heidelberg (2010)

  31. R. Gennaro, C. Gentry, B. Parno, M. Raykova, Quadratic span programs and succinct NIZKs without PCPs. In T. Johansson and P.Q. Nguyen, editors, EUROCRYPT 2013, volume 7881 of LNCS, pages 626–645. Springer, Heidelberg (2013)

  32. R. Gennaro, M. Minelli, A. Nitulescu, M. Orrù, Lattice-based zk-SNARKs from square span programs. In D. Lie, M. Mannan, M. Backes, and X. Wang, editors, ACM CCS 2018, pages 556–573. ACM Press (2018)

  33. S. Goldwasser, Y.T. Kalai, G.N. Rothblum, Delegating computation: interactive proofs for muggles. In R.E. Ladner and C. Dwork, editors, 40th ACM STOC, pages 113–122. ACM Press (2008)

  34. J. Groth, Short pairing-based non-interactive zero-knowledge arguments. In M. Abe, editor, ASIACRYPT 2010, volume 6477 of LNCS, pages 321–340. Springer, Heidelberg (2010)

  35. J. Groth, On the size of pairing-based non-interactive arguments. In M. Fischlin and J.-S. Coron, editors, EUROCRYPT 2016, Part II, volume 9666 of LNCS, pages 305–326. Springer, Heidelberg (2016)

  36. Y. Ishai, H. Su, D.J. Wu, Shorter and faster post-quantum designated-verifier zkSNARKs from lattices. In G. Vigna and E. Shi, editors, ACM CCS 2021, pages 212–234. ACM Press (2021)

  37. A.E. Kosba, D. Papadopoulos, C. Papamanthou, M.F. Sayed, E. Shi, N. Triandopoulos, TRUESET: Faster verifiable set computations. In K. Fu and J. Jung, editors, USENIX Security 2014, pages 765–780. USENIX Association (2014)

  38. A.E. Kosba, C. Papamanthou, E. Shi, xJsnark: A framework for efficient verifiable computation. In 2018 IEEE Symposium on Security and Privacy, pages 944–961. IEEE Computer Society Press (2018)

  39. H. Lipmaa, Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In R. Cramer, editor, TCC 2012, volume 7194 of LNCS, pages 169–189. Springer, Heidelberg (2012)

  40. H. Lipmaa, Succinct non-interactive zero knowledge arguments from span programs and linear error-correcting codes. In K. Sako and P. Sarkar, editors, ASIACRYPT 2013, Part I, volume 8269 of LNCS, pages 41–60. Springer, Heidelberg (2013)

  41. M. Maller, S. Bowe, M. Kohlweiss, S. Meiklejohn, Sonic: Zero-knowledge SNARKs from linear-size universal and updatable structured reference strings. In L. Cavallaro, J. Kinder, X. Wang, and J. Katz, editors, ACM CCS 2019, pages 2111–2128. ACM Press (2019)

  42. B. Parno, J. Howell, C. Gentry, M. Raykova, Pinocchio: Nearly practical verifiable computation. In 2013 IEEE Symposium on Security and Privacy, pages 238–252. IEEE Computer Society Press (2013)

  43. C. Peikert, Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In M. Mitzenmacher, editor, 41st ACM STOC, pages 333–342. ACM Press (2009)

  44. O. Regev, On lattices, learning with errors, random linear codes, and cryptography. In H.N. Gabow and R. Fagin, editors, 37th ACM STOC, pages 84–93. ACM Press (2005)

  45. Z.-X. Wan, Lectures on finite fields and Galois rings. World Scientific Publishing Company (2003)

Author information

Corresponding author

Correspondence to Eduardo Soria-Vazquez.

Additional information

Communicated by David Pointcheval and Nigel Smart.


Work partially done while at Department of Computer Science, Aarhus University, Aarhus, Denmark. This paper was reviewed by Yuan Chen and Michal Zajac.

Appendices

QRP: Abstraction, Composition and Circuit Representation

We begin by recalling the definition of a QRP, after which we follow with all the results about QRP composition and circuit representation.

Definition 10

(Quadratic Ring Programs (QRP)) A Quadratic Ring Program (QRP) Q over a finite commutative ring R consists of three sets of polynomials, \(\mathcal {V}=\{v_k(x): k \in [0,m]\}, \mathcal {W}=\{w_k(x): k \in [0,m]\}, \mathcal {Y}=\{y_k(x): k \in [0,m]\}\) and a target polynomial t(x), all in R[x]. Let C be an arithmetic circuit over R with n inputs and \(n'\) outputs. We say that Q is a QRP that computes C if the following holds:

\(a_1, \dots , a_n, a_{m-n'+1}, \dots , a_m \in R^{n+n'}\) is a valid assignment to the input/output variables of C if and only if there exist \(a_{n+1}, \dots , a_{m-n'} \in R^{m-n-n'}\) such that:

t(x) divides \(V(x) \cdot W(x) - Y(x),\)

where \(V(x) = \big ( v_0(x) +\sum _{k=1}^{m} a_k \cdot v_k(x) \big )\), \(W(x) = \big ( w_0(x) +\sum _{k=1}^{m} a_k \cdot w_k(x) \big )\) and \(Y(x) = \big ( y_0(x) +\sum _{k=1}^{m} a_k \cdot y_k(x) \big )\).

We define the size and degree of Q to be m and \(\deg (t(x))\), respectively. Given polynomials \(V(x), W(x), Y(x) \in R[x]\) defined as above and corresponding to a valid assignment of the input/output wires, we will call them a QRP solution.

Theorem 6

Let C be a circuit over the ring R containing only one multiplication gate. If C has \(m-1\) inputs and a single output, there is a QRP of size m and degree 1 that computes C.

Proof

Let \(t(x) = x-r\), \(r \in A\), where A is the exceptional set. Define \(\rho _1(X_1, \dots , X_{m-1}) = c_0 + \sum _{i=1}^{m-1} c_i \cdot X_i\) (resp. \(\rho _2(X_1, \dots , X_{m-1}) = d_0 + \sum _{i=1}^{m-1} d_i \cdot X_i\)) to be the linear polynomial corresponding to the left (resp. right) input wire of the only multiplication gate in C. For \(k \in \{0, \ldots , m-1\}\), let \(v_k(x) = c_k\), \(w_k(x) = d_k\), and \(y_k(x) = 0\). Set \(v_m(x) = w_m(x) = 0\) and \(y_m(x)=1\). Then, we have that:

$$\begin{aligned}&\big ( v_0(x) +\sum _{k=1}^{m} a_k \cdot v_k(x) \big ) \cdot \big ( w_0(x) +\sum _{k=1}^{m} a_k \cdot w_k(x) \big ) - \big ( y_0(x) +\sum _{k=1}^{m} a_k \cdot y_k(x) \big )\\&\quad = \rho _1(a_1, \dots , a_{m-1}) \cdot \rho _2(a_1, \dots , a_{m-1}) - a_m = p(x) \end{aligned}$$

We prove that this is a QRP for C. First assume that \(a_1, \ldots , a_m \in R^m\) is a valid assignment to the input/output of C. Then \(p(x) = 0\), which is trivially divisible by t(x). Conversely, assume that the degree-zero polynomial p(x) is divisible by the degree-one t(x). As r is a root of t(x), it must also be a root of p(x); since p(x) is a constant, this implies \(p(x) = 0\), i.e., \(a_m = \rho _1(a_1, \dots , a_{m-1}) \cdot \rho _2(a_1, \dots , a_{m-1})\). \(\square \)

1.1 QRP as an Abstraction

Here, we highlight the generality of our notion of QRP and our construction by outlining how our notion recovers the QPP-based construction of [37] for polynomial circuits.

In [37], Kosba et al. generalized the notion of Quadratic Arithmetic Programs over a field \(\mathbb {F}\) to that of Quadratic Polynomial Programs (QPPs), which compute circuits whose wires carry values in the ring \(\mathbb {F}[Z]\) of polynomials over the base field \(\mathbb {F}\). These polynomial circuits, where the addition and multiplication operations are over \(\mathbb {F}[Z]\), are introduced with the goal of representing (multi-)sets S of elements over \(\mathbb {F}\). Our definition of QRPs and SNARK construction, being more general than those of [37], also covers their work and allows us to see it as an instantiation of Rinocchio for \(R= \mathbb {F}[Z]\).

In [37], we have that \(A = \mathbb {F}\subset R\), i.e., the degree-zero polynomials, and \(A^* = \mathbb {F}^*\). The polynomials \(v_k, w_k, y_k \in R[X] = \mathbb {F}[Z][X]\) can be made univariate in X by imposing that the coefficients of public linear combinations in the arithmetic circuit over R are all field elements, rather than elements of \(R = \mathbb {F}[Z]\), which is also the approach taken in [37]. The secure encoding \(E: R \rightarrow S\) consists of, given \(c_k(z) \in R\), producing \(\tilde{E}(c_k(t)) = g^{c_k(t)}\) for some fixed, secret \(t \in \mathbb {F}\), where \(\tilde{E}: \mathbb {F}\rightarrow S\) is the same encoding used for QAPs over finite fields, e.g., in Pinocchio.

To cast the construction of [37] in our framework, consider the following encoding \(\textsf{E}: \mathbb {F}\rightarrow S \) to encode the QRP polynomials in the CRS: \(\textsf{E}(s) = \{ \tilde{\textsf{E}}(t^i \cdot s) \}_{i=1}^{n}\), where n is determined by the degree of the polynomials on the wires of the computation circuit. When \(\tilde{\textsf{E}}\) is exponentiation in a bilinear group, the encoding \(\textsf{E}\) satisfies additive homomorphism and the resulting SNARK achieves public verifiability. The central idea is that even though one has to encode “wire values,” which in this case are polynomials and therefore ring elements, the polynomials can be mapped to an evaluation instead, resulting in a field element which is subsequently encoded during the computation of the proof by the prover. The encoding \(\textsf{E}\) is designed to allow the prover to compute this encoding where the evaluation point is the secret t. At a high level, the encoding and the CRS crafted this way mean that the secret point of evaluation of the wire polynomials is t, the secret point of evaluation for the QRP polynomials is s, and the prover can compute the correct encodings of the SNARK proof given the encodings in the CRS.

We sketch how the SNARK construction via QPP is a special case of our construction via QRP below.

QPP as an instantiation of QRP. The following definition is recovered by Definition 7, where \(R= \mathbb {F}_p[Z], A = \mathbb {F}_p \subset R\), i.e., the degree-zero polynomials, and \(A^* = \mathbb {F}_p^*\). The bivariate polynomial p(x, z) accounts for the wire values themselves being polynomials.

Definition A1

(Quadratic Polynomial Program (QPP) [37]) A QPP Q consists of three sets of polynomials, \(\mathcal {V}=\{v_k(x)\}, \mathcal {W}=\{w_k(x)\}, \mathcal {Y}=\{y_k(x)\}\) and a target polynomial t(x). Let C be a polynomial circuit. We say that Q computes C if the following holds:

\(a_1(z), \dots , a_n(z), a_{m-n'+1}(z), \dots , a_m(z)\) is a valid assignment to the input/output variables of C if and only if there exist polynomials \(a_{n+1}(z), \dots , a_{m-n'}(z) \) such that t(x) divides p(x, z), where

$$\begin{aligned} p(x,z) = \big ( \sum _{k=1}^{m} a_k(z) \cdot v_k(x) \big ) \cdot \big ( \sum _{k=1}^{m} a_k(z) \cdot w_k(x) \big ) - \big ( \sum _{k=1}^{m} a_k(z) \cdot y_k(x) \big ) \end{aligned}$$

The degree of Q is said to be \(\deg (t(x))\).

1.2 Composing QRPs

Our definition of QRPs and the construction of QRP above allow for their composition exactly as in the field case [31]. In the following, we use the symbol \(\circ \) both for circuit and QRP composition. Note that the composition theorem below holds for the particular QRP construction of Theorem 6, and we make no claims about other constructions that satisfy the QRP definition. In particular, we are careful to pick all the roots of the target polynomials to belong to the same exceptional set A.

For \(i \in \{1,2\}\), let \(Q_i\) be a QRP computing an arithmetic circuit \(f_i\). Let \(\mathcal {I}_i\) be the set of indices representing all wires in \(f_i\) and allow \(\mathcal {I}_1 \cap \mathcal {I}_2\) to “stitch” up to \(\ell \) output wires of \(\mathcal {I}_1\) to the inputs of \(\mathcal {I}_2\). Denote the stitched circuit by \(C = C_2 \circ C_1\). Express \(Q_i\) as \(\mathcal {V}^{(i)}=\{v^{(i)}_k(x): k \in \mathcal {I}_i\}, \mathcal {W}^{(i)}=\{w^{(i)}_k(x): k \in \mathcal {I}_i\}, \mathcal {Y}^{(i)}=\{y^{(i)}_k(x): k \in \mathcal {I}_i\}\) and target polynomial \(t^{(i)}(x)\). Then, let \(Q = Q_2 \circ Q_1\) consist of \(\mathcal {V}=\{v_k(x): k \in \mathcal {I}_1 \cup \mathcal {I}_2\}, \mathcal {W}=\{w_k(x): k \in \mathcal {I}_1 \cup \mathcal {I}_2\}, \mathcal {Y}=\{y_k(x): k \in \mathcal {I}_1 \cup \mathcal {I}_2\}\) and a target polynomial t(x), which are constructed as follows.

First, define \(t(x) = t^{(1)}(x) \cdot t^{(2)}(x)\). Second, for all indices \(\tilde{k} \in \mathcal {I}_2 \setminus \mathcal {I}_1\), extend the definition of the wire polynomials in \(Q_1\) as \(v^{(1)}_{\tilde{k}}(x) =w^{(1)}_{\tilde{k}}(x) =y^{(1)}_{\tilde{k}}(x) = 0\). Proceed analogously for \(Q_2\) and \(\hat{k} \in \mathcal {I}_1 {\setminus } \mathcal {I}_2\). For all \(k \in \mathcal {I}_1 \cup \mathcal {I}_2\) and \(i \in \{1,2\}\), we can now set \(v_k(x) \equiv v_k^{(i)}(x) \mod t^{(i)}(x)\), \(w_k(x) \equiv w_k^{(i)}(x) \mod t^{(i)}(x)\) and \(y_k(x) \equiv y_k^{(i)}(x) \mod t^{(i)}(x)\). Such modular equivalences can be satisfied as long as the target polynomials have no common roots, as we show in the following lemma.

Lemma 9

Let \(t^{(1)}(x)\), \(t^{(2)}(x) \in R[x]\) be two polynomials which have roots only on the same exceptional set \(A \subset R\) and such that they have no common roots. Let \(I_1 = (t^{(1)}(x))\), \(I_2 = (t^{(2)}(x))\) and \(I = I_1 \cdot I_2\). Then, \(R[x]/I \xrightarrow {\sim } R[x]/I_1 \times R[x]/I_2\).

Proof

For \(i \in \{1,2\}\), let \(t^{(i)}(x) = \prod _{j_i=1}^{d_i} (x-r^{(i)}_{j_i})\). Define ideals \(I_{i,j_i} = (x - r^{(i)}_{j_i})\), where \(1 \le j_i \le d_i\). Define \(S = \{I_{i,j_i}: 1 \le i \le 2, 1 \le j_i \le d_i\}\). All the ideals in S are pairwise co-prime. To see that, take any \(K, \tilde{K} \in S\) and re-denote for simplicity \(K = (x-k), \tilde{K}= (x-\tilde{k})\). As \(k -x \in K\), we have that \(k - \tilde{k} = k - x + x - \tilde{k} \in K + \tilde{K}\). Hence, as \(k, \tilde{k}\) are two different elements from the same exceptional set \(A \subset R\), we have that \(k - \tilde{k}\) is a unit and so \(K + \tilde{K} = R[x]\).

Given the above, we can apply the CRT (Theorem 2) three times and conclude that

$$\begin{aligned} R[x]/I_1 \times R[x]/I_2 \xrightarrow {\sim } \left( \prod _{j_1=1}^{d_1} R[x]/I_{1,j_1}\right) \times \left( \prod _{j_2=1}^{d_2} R[x]/I_{2,j_2}\right) \xrightarrow {\sim } R[x]/I. \end{aligned}$$

\(\square \)

We prove that the above construction for \(Q = Q_2 \circ Q_1\) indeed computes \(C = C_2 \circ C_1\).

Theorem 7

Let \(C_1\) and \(C_2\) be two arithmetic circuits computed by QRPs \(Q_1\) and \(Q_2\). Assume the target polynomials of both QRPs have roots only on the same exceptional set \(A \subset R\), but no common roots. Allow also some of the input variables of \(C_2\) to include some \(\ell \) output variables from \(C_1\), but let no other kind of overlapping between the arithmetic circuits be possible. Denote by \(C = C_2 \circ C_1\) the circuit obtained by stitching \(C_1\) and \(C_2\) together at those \(\ell \) wires.

There exists a QRP Q with size \(|Q| = |Q_1|+ |Q_2| - \ell \) and \(\deg (Q) = \deg (Q_1) + \deg (Q_2)\) that computes C. Q’s target polynomial is the product of the target polynomials for \(Q_1\) and \(Q_2\).

Proof

Let \(\mathcal {I}_{i/o}, \mathcal {I}_{1,i/o}, \mathcal {I}_{2,i/o}\) be the indices of the input/output wires of \(C, C_1\) and \(C_2\), respectively. Suppose \({\varvec{a}}_{i/o} = \{a_k : k \in \mathcal {I}_{i/o}\}\) is a valid input/output assignment for C. By definition, such an input/output assignment can be extended to a valid assignment to all wires of C, and hence in particular we can extend \({\varvec{a}}_{i/o}\) to a valid assignment \(\tilde{{\varvec{a}}} = \{a_k : k \in \mathcal {I}_{1, i/o} \cup \mathcal {I}_{2,i/o}\}\). Since \(Q_1\) is a QRP, there exist coefficients \({\varvec{b}}= \{b_k: k \in \mathcal {I}_1\}\) which are consistent with the valid assignment to \(\mathcal {I}_{1, i/o}\) and such that the polynomial

$$\begin{aligned} p^{(1)}(x) =&\ \big ( v^{(1)}_0(x) +\sum _{k \in \mathcal {I}_1} b_k \cdot v^{(1)}_k(x) \big ) \cdot \big ( w^{(1)}_0(x) +\sum _{k \in \mathcal {I}_1} b_k \cdot w^{(1)}_k(x) \big )\\&\ - \big ( y^{(1)}_0(x) +\sum _{k \in \mathcal {I}_1} b_k \cdot y^{(1)}_k(x) \big ) \end{aligned}$$

is a multiple of \(t^{(1)}(x)\). The same reasoning can be applied to \(Q_2\), for a polynomial \(p^{(2)}(x)\) defined from coefficients \({\varvec{c}}= \{c_k: k \in \mathcal {I}_2\}\) which must exist by the fact that \(Q_2\) is a QRP. By construction, \({\varvec{b}}\) and \({\varvec{c}}\) must be consistent for the indices in \(\mathcal {I}_1 \cap \mathcal {I}_2\), as those are contained in both \(\mathcal {I}_{1,i/o}\) and \(\mathcal {I}_{2,i/o}\), which were fixed by the extended assignment \(\tilde{{\varvec{a}}}\). Therefore, we can define \({\varvec{a}}= \{a_k : k \in \mathcal {I}_{1}\cup \mathcal {I}_2\}\) as \(a_k = b_k\) for all \(k \in \mathcal {I}_1\) and \(a_k = c_k\) for all \(k \in \mathcal {I}_2\). Let

$$\begin{aligned} p(x) =&\ \big (v_0(x) +\sum _{k \in \mathcal {I}_1 \cup \mathcal {I}_2} a_k \cdot v_k(x) \big ) \cdot \big ( w_0(x) +\sum _{k \in \mathcal {I}_1 \cup \mathcal {I}_2} a_k \cdot w_k(x) \big ) \\&\ - \big ( y_0(x) +\sum _{k \in \mathcal {I}_1 \cup \mathcal {I}_2} a_k \cdot y_k(x) \big ) \end{aligned}$$

where \(v_k(x), w_k(x)\) and \(y_k(x)\) are defined from \(v^{(i)}_k(x), w^{(i)}_k(x)\) and \(y^{(i)}_k(x)\), \(i \in \{1,2\}\), as described above (note that the hypotheses of Lemma 9 are satisfied). We show that t(x) divides p(x). Since \(v_k(x) \equiv v_k^{(1)}(x) \mod t^{(1)}(x)\), \(w_k(x) \equiv w_k^{(1)}(x) \mod t^{(1)}(x)\) and \(y_k(x) \equiv y_k^{(1)}(x) \mod t^{(1)}(x)\) for all k, and since \(v_{\tilde{k}}(x) =w_{\tilde{k}}(x) =y_{\tilde{k}}(x) \equiv 0 \mod t^{(1)}(x)\) for all \(\tilde{k} \in \mathcal {I}_2 {\setminus } \mathcal {I}_1\), we have \(p(x) \equiv p^{(1)}(x) \equiv 0 \mod t^{(1)}(x)\), i.e., \(t^{(1)}(x)\) divides p(x). Applying analogous reasoning, we can deduce that \(t^{(2)}(x)\) divides p(x) and, thus, \(t(x)= t^{(1)}(x) \cdot t^{(2)}(x)\) divides p(x).

Conversely, let p(x) be defined from the polynomial sets \(\mathcal {V}, \mathcal {W}\) and \(\mathcal {Y}\) as above and such that t(x) divides p(x). We show that any set of coefficients \({\varvec{a}}\) enabling such divisibility contains a valid assignment \({\varvec{a}}_{i/o} = \{a_k : k \in \mathcal {I}_{i/o}\}\) to the input/output wires of C. As \(p(x) \equiv 0 \mod t(x)\), by Lemma 9, \(p(x) \equiv 0 \mod t^{(i)}(x)\) for \(i \in \{1,2\}\). Since \(Q_1\) and \(Q_2\) are QRPs, it follows that \({\varvec{a}}\) must then contain a valid assignment to the input/output wires of \(C_1\) and \(C_2\). As \(\mathcal {I}_{i/o} \subseteq \mathcal {I}_{1,i/o} \cup \mathcal {I}_{2,i/o}\), we have found a valid assignment \({\varvec{a}}_{i/o}\) to the input/output wires of C. \(\square \)

Finally, we conclude by showing how to build a QRP for any arithmetic circuit by using the previous results from this section.

Theorem 8

Let C be an arithmetic circuit with n inputs in (a subring of) R and \(s < |A|\) multiplication gates, each with fan-in 2. If each output wire of C is the output of a multiplication gate, there is a QRP with size \(n+s\) and degree s that computes C.

Proof

We obtain this result by combining Theorem 6 and Theorem 7, one multiplication gate at a time. As long as \(s < |A|\), we can ensure that the target polynomials of the QRPs for each multiplication gate do not have common roots, so that Theorem 7 can be invoked. \(\square \)

There is only one small task remaining. Let C be a circuit with \(\tilde{n} \ge 1\) output wires which are not the output of multiplication gates. Our last result does not teach us how to deal with C, but we can build a modified circuit \(\tilde{C}\) for which the hypothesis of Theorem 8 is satisfied. As in [31], \(\tilde{C}\) has one additional “dummy” input wire, which is required to be always assigned the multiplicative identity 1. Furthermore, \(\tilde{C}\) has \(\tilde{n}\) additional multiplication gates: for each of them, the left gate-input wire is the “dummy” circuit-input wire and the right gate-input wire is one of the circuit-output wires which did not satisfy the hypothesis of Theorem 8. It follows that the QRP of size \(n+s+\tilde{n}+1\) and degree \(s + \tilde{n}\) that computes \(\tilde{C}\) also computes the original C.

Fig. 4 Arithmetic circuit and equivalent QRP. The polynomials \(\mathcal {V}= \{v_k(x): k \in [6]\}, \mathcal {W}=\{w_k(x): k \in [6]\}, \mathcal {Y}=\{y_k(x): k \in [6]\}\) and the target polynomial \(t(x) = (x-r_5)(x-r_6)\) are defined in terms of their evaluations at two random points belonging to the same exceptional set (\(r_5, r_6 \in A\)), one for each multiplicative gate.

Given a circuit C, we can construct a QRP for C using the composition theorem above. We can also construct a QRP directly for the given circuit without relying on composition. Let C be a circuit whose gates have fan-in two and fan-out one. To build a QRP, we will make use of an exceptional set A as follows. In order to define the target polynomial, we pick an element \(r_g \in A\) for each multiplication gate \(g \in C\) and define \(t(x) = \prod _{g \in C} (x-r_g)\). We define the polynomials \(v_k(x), w_k(x)\) and \(y_k(x)\) by interpolating over those same points, in the same way one proceeds in the QAP case [42]. As an example of this procedure, see Fig. 4.

1.3 Some Useful QRPs

While the QRP construction described in Sect. 3 would allow us to easily describe arithmetic circuits over, e.g., \(\mathbb {Z}_{2^k}\) or the rings \(\mathcal {R}_q\) used for homomorphic encryption, in practical scenarios one is also interested in performing bit-wise operations such as comparisons, for which we provide a bit decomposition gate.

Bit Decomposition Gate

We show how to build a QRP which, given an input \(a \in R\), gives as output wires holding values \(a_i \in \{0,1\}\) which correspond to the “binary representation” of a. Our following description is specialized for \(R= GR(2^k,d)\), but it can be easily adapted to other rings such as those employed in Sect. 7.1.

We provide two different versions of this gate. For the first one, nothing is known about a, whereas in the second case, better efficiency is achieved by assuming that \(a \in \mathbb {Z}_{2^k}\). When interested in computation over \(\mathbb {Z}_{2^k}\) only, the former version of the gate, where potentially \(a \notin \mathbb {Z}_{2^k}\), is necessary only if the prover is providing some inputs to the QRP in a zero-knowledge way. Nevertheless, once the inputs from the prover have been asserted to be elements of \(\mathbb {Z}_{2^k}\), one can use the more efficient \(\mathbb {Z}_{2^k}\)-splitter gate during the rest of the circuit. The prover's inputs can be tested to be from \(\mathbb {Z}_{2^k}\) either by inspection when those are provided in the clear, or, when they are provided in ZK, by, e.g., applying the general R-splitter gate to them and outputting to the verifier all the wires that should always equal zero in a “binary representation” of an element in \(\mathbb {Z}_{2^k} \subset R\). Let \(A \subset R\) be the exceptional set.

  1. \(\mathbb {Z}_{2^k}\)-splitter gate: This mini-QRP has one input wire, holding \(a \in \mathbb {Z}_{2^k}\), and k output wires holding \(a_1, \ldots , a_k \in \{0,1\}\) such that \(a = \sum _{i=1}^{k} 2^{i-1} a_i\). Label the wires holding \(a_1, \ldots , a_k\) as \(1, \ldots , k\) and the wire holding a as \(k+1\). Let \(t(x) = (x-r) \prod _{i=1}^{k} (x - r_i)\), where \(r, r_1, \ldots , r_k \in A\) are pairwise different. In an approach similar to Pinocchio [42], we set:

    $$\begin{aligned}&v_0(r) = 0, v_i(r) = 2^{i-1}, \text { for } 1 \le i \le k, v_{k+1}(r) = 0, \\&w_0(r) = 1, w_i(r) = 0, \text { for } 1 \le i \le k, w_{k+1}(r) = 0, \\&y_0(r) = 0, y_i(r) = 0, \text { for } 1 \le i \le k, y_{k+1}(r) = 1 \end{aligned}$$

    For \(1 \le j \le k\):

    $$\begin{aligned}&v_j(r_j)=1, v_i(r_j)=0 \text { for all } i \ne j, \\&w_0(r_j)=1, w_j(r_j)=-1, w_i(r_j) = 0 \text { for all } i \ne 0, j,\\&y_i(r_j)=0 \text { for all } i \end{aligned}$$

    If \(\left( v_0(x)+\sum a_k v_k(x) \right) \cdot \left( w_0(x)+\sum a_k w_k(x)\right) - \left( y_0(x)+\sum a_k y_k(x)\right) \) is divisible by t(x), then it must be 0 at r, and therefore, by the first set of equations, this gives \(a = \sum _{i=1}^{k} 2^{i-1} a_i\). The second set of equations guarantees that each \(r_j\) is a root, which implies \(a_j (1-a_j) = 0\). Since all the zero divisors of R belong to the maximal ideal (2), it follows that if \(a_j\) is a zero divisor then \(a_j \pm 1\) is not, and hence the only solutions of the previous equation are \(a_j \in \{0,1\}\). Together, these give the guarantee that all \(a_i\) are bits and are the binary decomposition of a.

  2.

    R-splitter gate: This works essentially as the previous version of the splitter gate repeated \(\delta \) times in parallel, once for every component of R seen as a free module of rank \(\delta \) over \(\mathbb {Z}_{2^k}\).
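The \(\mathbb {Z}_{2^k}\)-splitter gate above, carried through as an added worked example (this is illustrative code, not the paper's or Rinocchio's implementation). It instantiates \(R = GR(2^k,d)\) with the constructed choice \(k=4\), \(d=3\) and \(f(Y)=Y^3+Y+1\), takes the elements with \(\{0,1\}\) coefficients as the exceptional set A (their differences are units because they reduce to distinct elements of \(\mathbb {F}_{2^d}\)), interpolates the \(v_i, w_i, y_i\) from the two sets of equations, and checks divisibility of \(V(x)W(x)-Y(x)\) by \(t(x)\) for an honest assignment, a wrong decomposition, and a non-bit \(a_1\). Inverses of units are computed by Hensel lifting from \(\mathbb {F}_{2^d}\); all function names are this example's own.

```python
"""Z_{2^k}-splitter mini-QRP over the Galois ring GR(2^K, D) (added example, not the paper's code).

Wire 0 is the constant 1, wires 1..k hold the claimed bits a_1..a_k, wire k+1 holds a.
Divisibility of V(x)W(x) - Y(x) by t(x) enforces a = sum 2^{i-1} a_i at the point r
and a_j (1 - a_j) = 0 at each r_j.
"""
from itertools import product

K, D = 4, 3              # constructed parameters: GR(2^4, 3) = Z_16[Y]/(f(Y))
MOD = 1 << K
F = [1, 1, 0, 1]         # f(Y) = 1 + Y + Y^3, irreducible mod 2 (low degree first)

def gr(*coeffs):
    """Ring element from up to D integer coefficients (low degree first)."""
    c = list(coeffs) + [0] * (D - len(coeffs))
    return tuple(x % MOD for x in c)

ZERO, ONE = gr(), gr(1)

def gr_add(a, b): return tuple((x + y) % MOD for x, y in zip(a, b))
def gr_sub(a, b): return tuple((x - y) % MOD for x, y in zip(a, b))

def gr_mul(a, b):
    prod = [0] * (2 * D - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] += x * y
    for deg in range(2 * D - 2, D - 1, -1):      # reduce Y^deg via Y^D = -sum F[t] Y^t
        coef, prod[deg] = prod[deg], 0
        for t in range(D):
            prod[deg - D + t] -= coef * F[t]
    return tuple(x % MOD for x in prod[:D])

def gr_inv(a):
    """Inverse of a unit: find the inverse mod 2 in F_{2^D}, then Hensel-lift to 2^K."""
    a2 = tuple(x % 2 for x in a)
    assert any(a2), "not a unit: reduces to 0 in F_{2^D}"
    x = next(c for c in product((0, 1), repeat=D)
             if tuple(v % 2 for v in gr_mul(a2, c)) == ONE)
    for _ in range(K):                           # x <- x(2 - a x) doubles the precision
        x = gr_mul(x, gr_sub(gr(2), gr_mul(a, x)))
    return x

# polynomials over the ring: lists of coefficients, low degree first
def p_add(p, q):
    n = max(len(p), len(q))
    p, q = p + [ZERO] * (n - len(p)), q + [ZERO] * (n - len(q))
    return [gr_add(x, y) for x, y in zip(p, q)]

def p_scale(p, c): return [gr_mul(c, x) for x in p]

def p_mul(p, q):
    out = [ZERO] * (len(p) + len(q) - 1)
    for i, x in enumerate(p):
        for j, y in enumerate(q):
            out[i + j] = gr_add(out[i + j], gr_mul(x, y))
    return out

def p_mod(p, t):
    """Remainder of p modulo the monic t (monic, so no ring division is needed)."""
    r = list(p)
    while len(r) >= len(t):
        lead, shift = r[-1], len(r) - len(t)
        for i, c in enumerate(t):
            r[shift + i] = gr_sub(r[shift + i], gr_mul(lead, c))
        r.pop()
    return r

def lagrange_basis(points):
    """L_j with L_j(p_j) = 1 and L_j(p_i) = 0; needs every p_j - p_i to be a unit."""
    basis = []
    for j, pj in enumerate(points):
        num, den = [ONE], ONE
        for i, pi in enumerate(points):
            if i != j:
                num = p_mul(num, [gr_sub(ZERO, pi), ONE])   # (x - p_i)
                den = gr_mul(den, gr_sub(pj, pi))
        basis.append(p_scale(num, gr_inv(den)))
    return basis

def splitter_qrp(k):
    """Return t(x) and the per-wire polynomial lists V, W, Y of the Z_{2^k}-splitter gate."""
    A = [gr(*c) for c in product((0, 1), repeat=D)]     # exceptional set of size 2^D
    assert k + 1 <= len(A), "need k+1 exceptional points"
    points = A[:k + 1]                                  # r = points[0], r_j = points[j]
    L = lagrange_basis(points)
    def interp(vals):                                   # polynomial with given values at points
        poly = [ZERO]
        for val, Lj in zip(vals, L):
            poly = p_add(poly, p_scale(Lj, val))
        return poly
    V, W, Y = [], [], []
    for i in range(k + 2):
        v, w, y = ([ZERO] * (k + 1) for _ in range(3))
        if 1 <= i <= k: v[0] = gr(1 << (i - 1))        # at r: (sum 2^{i-1} a_i) * 1 - a = 0
        if i == 0: w[0] = ONE
        if i == k + 1: y[0] = ONE
        for j in range(1, k + 1):                      # at r_j: a_j * (1 - a_j) - 0 = 0
            if i == j: v[j], w[j] = ONE, gr(-1)
            if i == 0: w[j] = ONE
        V.append(interp(v)); W.append(interp(w)); Y.append(interp(y))
    t = [ONE]
    for pt in points:
        t = p_mul(t, [gr_sub(ZERO, pt), ONE])
    return t, V, W, Y

def splitter_accepts(k, a, bits):
    """True iff the assignment (bits a_1..a_k, input a) passes the divisibility check."""
    t, V, W, Y = splitter_qrp(k)
    wires = [ONE] + [gr(b) for b in bits] + [gr(a)]
    def combine(P):
        poly = [ZERO]
        for c, p in zip(wires, P):
            poly = p_add(poly, p_scale(p, c))
        return poly
    p = p_add(p_mul(combine(V), combine(W)), p_scale(combine(Y), gr(-1)))
    return all(c == ZERO for c in p_mod(p, t))
```

With k = 4, `splitter_accepts(4, 11, [1, 1, 0, 1])` holds, while `[1, 0, 0, 1]` fails at r (it sums to 9) and `[3, 0, 0, 1]` sums to 11 but fails at \(r_1\) because \(3 \cdot (1-3) = 10 \ne 0\) in \(\mathbb {Z}_{16}\), which is exactly the zero-divisor argument of the text. The R-splitter gate is the same construction applied coordinate-wise to each of the \(\delta\) components of a.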

SNARKs for Computation over Encrypted Data (Cont’d)

1.1 Further Details on Torus Encoding

\(\underline{\textit{Multiplying encoded elements with elements from}\, R:}\) We next show explicitly how our TFHE-based encoding is R-linear homomorphic. \({R} = \mathbb {Z}_{m}[Y]/(f(Y))\) is a free module over \(\mathbb {Z}_{m}\) of rank d, i.e., we can find a basis for R. Let \(\xi \) be a root of f(Y); then \(\{1, \xi , \ldots , \xi ^{d-1}\}\) is one such basis. The map \(\phi : R \rightarrow (\mathbb {Z}_{m})^d\), which sends \(b = b_0 + \cdots + b_{d-1} \xi ^{d-1}\) to \(\phi (b) = (b_0, \ldots , b_{d-1})\), is an isomorphism of \(\mathbb {Z}_{m}\)-modules. We will make extensive use of this isomorphism going forward.

Table 1 Parameters for BGV and FV with a plaintext space \(\mathcal {R}_p\) where \(p = 2^{8}\)
Table 2 Parameters for BGV and FV with a plaintext space \(\mathcal {R}_p\) where \(p = 2^{32}\)

The encoding we use is the following:

$$\begin{aligned} \textsf{E}_{\textsf{pk}}: R&\rightarrow (\mathbb {T})^d\\ a&\mapsto \textsf{E}_{\textsf{pk}}(a) = (\textsf{TFHE}(a_0),\ldots , \textsf{TFHE}(a_{d-1})) \end{aligned}$$

For our QRPs, we wish to compute values of the form \(E(a \cdot b)\), where \(a, b \in R\), given E(a) and b. The problem is that \(E(a) \in (\mathbb {T})^d\), and the torus does not allow us to simply and directly compute \(b \cdot E(a)\) as in previous occasions. Rather, we have to look at the R-module endomorphism \(\cdot _{b}\) which is induced by multiplication of any element of R with b, and use this to manipulate the d individual values \(\textsf{TFHE}(a_0),\ldots , \textsf{TFHE}(a_{d-1}) \in \mathbb {T}\).

In a more explicit and step-by-step fashion, \(\cdot _{b}\) is an R-module endomorphism and hence a \(\mathbb {Z}_{m}\)-module homomorphism \(\cdot _{b}: (\mathbb {Z}_{m})^d \rightarrow (\mathbb {Z}_{m})^d\). We can therefore represent this operation as follows:

$$\begin{aligned} \cdot _{b}: (\mathbb {Z}_{m})^d&\rightarrow (\mathbb {Z}_{m})^d\\ a&\mapsto M_b \cdot a \end{aligned}$$

where \(M_b \in \mathcal {M}_{d \times d}(\mathbb {Z}_{m})\). As a side note, \(M_b\) can be easily defined from the polynomial f(Y) used to construct \(R \simeq (\mathbb {Z}_{m})^d\): its i-th column is \(\phi (\xi ^{i} \cdot b)\). Our goal can now be re-stated as computing \(E(\cdot _b(a))\), given E(a) and \(b \in R\). We are almost done, as \(\textsf{TFHE}(x) + \textsf{TFHE}(y) = \textsf{TFHE}(x+y)\) and \(\mathbb {T}\) allows for external multiplication with elements in \(\mathbb {Z}\). In full formalism, let \(N_b \in \mathcal {M}_{d \times d}(\mathbb {Z})\) be such that \(N_b \equiv M_b \mod m\). We only need to compute:

$$\begin{aligned} N_b \cdot E(a) = E(N_b \cdot a) = E(M_b \cdot a) = E(\cdot _b(a)) = E(a \cdot b) \end{aligned}$$
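The computation \(N_b \cdot E(a) = E(a \cdot b)\) above, as an added example (illustrative code, not the paper's or any TFHE library's implementation). It uses the constructed choice \(R = \mathbb {Z}_{256}[Y]/(Y^4+1)\) (so \(m = 2^8\), as in Table 1, and \(d = 4\)), builds \(M_b\) column by column from f(Y), and stands in for \(\textsf{TFHE}(\cdot )\) with a minimal symmetric torus-LWE encoding on the fixed-point torus \(\mathbb {Z}/2^{32}\) with a toy dimension and noise range (constructed, not secure parameters). The point it shows is that only additions of encodings and external multiplication by integers are needed, so the encoded product decodes to \(a \cdot b\) computed in R.

```python
"""R-linear homomorphism of the coefficient-wise torus encoding (added example, not the paper's code)."""
import random

M_MOD = 256            # plaintext modulus m = 2^8 (as in Table 1)
D = 4                  # rank of R = Z_m[Y]/(f(Y)) as a Z_m-module
F = [1, 0, 0, 0, 1]    # f(Y) = 1 + Y^4 (low degree first), i.e. R = Z_256[Y]/(Y^4 + 1)
TORUS = 1 << 32        # fixed-point torus T represented as Z / 2^32
N_LWE = 16             # toy LWE dimension (constructed; not a secure parameter)
NOISE = 4              # toy noise bound (constructed)

def ring_mul(a, b):
    """Product in R of two elements given as length-D coefficient lists."""
    prod = [0] * (2 * D - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] += x * y
    for deg in range(2 * D - 2, D - 1, -1):     # reduce Y^deg using Y^D = -sum F[t] Y^t
        coef, prod[deg] = prod[deg], 0
        for t in range(D):
            prod[deg - D + t] -= coef * F[t]
    return [c % M_MOD for c in prod[:D]]

def matrix_of_mul_by(b):
    """M_b over Z_m: column i is phi(xi^i * b), so that M_b . phi(a) = phi(a * b)."""
    cols = [ring_mul([int(j == i) for j in range(D)], b) for i in range(D)]
    return [[cols[col][row] for col in range(D)] for row in range(D)]

def mat_vec_mod(M, v):
    return [sum(M[i][j] * v[j] for j in range(D)) % M_MOD for i in range(D)]

# ---- constructed stand-in for TFHE: symmetric torus-LWE, message x encoded as x / m ----
def keygen():
    return [random.randrange(2) for _ in range(N_LWE)]

def tlwe_enc(s, x):
    a = [random.randrange(TORUS) for _ in range(N_LWE)]
    e = random.randrange(-NOISE, NOISE + 1)
    b = (sum(ai * si for ai, si in zip(a, s)) + x * (TORUS // M_MOD) + e) % TORUS
    return a, b

def tlwe_dec(s, ct):
    a, b = ct
    phase = (b - sum(ai * si for ai, si in zip(a, s))) % TORUS
    return round(phase * M_MOD / TORUS) % M_MOD

def tlwe_lincomb(coeffs, cts):
    """sum_j coeffs[j] * cts[j]: torus addition plus external multiplication by integers."""
    a = [sum(c * ct[0][i] for c, ct in zip(coeffs, cts)) % TORUS for i in range(N_LWE)]
    b = sum(c * ct[1] for c, ct in zip(coeffs, cts)) % TORUS
    return a, b

def encode(s, a):                 # E_pk(a) = (TFHE(a_0), ..., TFHE(a_{d-1})), coefficient-wise
    return [tlwe_enc(s, ai) for ai in a]

def decode(s, cts):
    return [tlwe_dec(s, ct) for ct in cts]

def mul_encoded(cts, b):
    """E(a * b) from E(a) and a plaintext b in R: apply an integer lift N_b of M_b row by row."""
    M = matrix_of_mul_by(b)
    # any integer lift works; the centred representatives keep the noise growth smallest
    N = [[x if x < M_MOD // 2 else x - M_MOD for x in row] for row in M]
    return [tlwe_lincomb(N[i], cts) for i in range(D)]

def demo(seed=1):
    """Encode a, multiply by b under the encoding, decode; return (decoded, a*b in R)."""
    random.seed(seed)
    s = keygen()
    a, b = [3, 250, 17, 0], [5, 1, 0, 200]          # constructed sample elements of R
    got = decode(s, mul_encoded(encode(s, a), b))
    return got, ring_mul(a, b)
```

Because each entry of \(N_b\) multiplies a noisy encoding, the noise of the result grows by up to \(d \cdot \max |N_b| \) times the input noise; this is why the lift matters in practice and why the real parameters in Tables 1 to 3 leave the corresponding headroom.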

1.2 Parameters for BGV and FV

Here, we provide some outputs of the Maple script (https://github.com/rachelplayer/CLP19-code/blob/master/Comparison/comparison.mpl) behind the work of Costache, Laine and Player [23]. These provide a more detailed view of the parameters for the BGV and FV schemes than the one provided in [23], which is necessary to understand both the soundness of our scheme and the efficiency impact compared with [28] (see Sect. 7.4) (Tables 1, 2 and 3).

Table 3 Parameters for BGV and FV with a plaintext space \(\mathcal {R}_p\) where \(p = 2^{64}\)



Cite this article

Ganesh, C., Nitulescu, A. & Soria-Vazquez, E. Rinocchio: SNARKs for Ring Arithmetic. J Cryptol 36, 41 (2023). https://doi.org/10.1007/s00145-023-09481-3
