![](https://i.imgur.com/WeIvTiX.png =150x) **#4 Home Edition**
# Proposal: Rinocchio: SNARKs for Ring Arithmetic
**Moderator:** Daniel Benarroch
**Presenters:** Anca Nitulescu
**Authors:**
* Chaya Ganesh
* Anca Nitulescu
* Eduardo Soria-Vazquez
To be presented on 2021-04-19.
Resources:
* [Latest PDF version](https://docs.zkproof.org/pages/standards/accepted-workshop4/proposal-rinocchio.pdf)
* [Miro whiteboard frame](https://miro.com/app/board/o9J_lJQRFxQ=/?moveToWidget=3074457357481295789&cot=14)
* [Additional related links](https://hackmd.io/@workshop4/links)
* [Related conversation]()
----
## Real-time notes
_Note Taker:_ Sean Coughlin
_SNARKs Background:_
Properties: Succinct, non-interactive, knowledge soundness
Public vs. Designated verifier
Will discuss pre-processing non-updatable SNARKs; will allow for more complexity than Groth16
(ECRH = Extractable Crash-Resistant Hash function)
Encodings must be secure under knowledge assumtions
Considering arithmatical and Boolean circuit satisfiability, abstractly a circuit over a field vs a circuit over a ring
Transforming a circuit over a ring to a circuit over a field: bit decomposition costs, ...
C?...
Pinocchio is over a field, with Rinocchio over a ring
Applications:
* Verifiable computation on encrypted data
* Anonymous credentials using RSA signatures
_Framework:_
Proving NP statements: circuit satisfiability is finding a set of polynomials that solve ...
Polynomial problem: reduce statement of all polynomials into proving at a secret point using CRS, polynomial will encode proof
The encoding properties are linearly homomorphic, quadratic root detection, image verifcation
QAP: find solution of quadratic arithmatic problem using secret point, so can convince verifier that prover know the witnesses
Schwartz-Zippel Lemma over fields
Encodings over fields: DLog problem allows for field
General encoding: encoding needs to be linearly homomorphic
Quadratic Root detection (with pairings): public verifier can be public, while designated verifier needs a secret key
Assumptions on DL encodings for fields: d-PKE vs d-PDH
_Construction of SNARKs for ring arithmatic:_
Polynomial EQ with coefficients in rings: isomorphism for QRP soundness equivalent to ideals being co-prime
Exceptional sets: have uniqueness but have no algebraic structure
Schwartz-Zippel Lemma over fields: ...
Assumptions on DL encodings for rings: d-PKE vs d-PDH
Ring-augmented PDH assumptions on rings: PDH: s in field extension, PDH: s in exceptional set extension (subset of ring)
Encoding instance for ring Z_{2^k}: need sample from d-1 (degree of Galois extension)
Encoding instance for ring R_q = Z_q[h]...
This is designated-verifier (except for special cases where we have pairings).
_Conclusions:_
QAP and SNARKs over fields: many implemenations, not standardized
Rinocchio: SNARKs for ring arithmatic,
Open questions:
## Questions:
- Quadratic Ring Programs (QRP) as an abstraction capturing circuit satisfiability/R1CS over commutative rings. QRPs recover previous abstractions such as QAPs (by instantiating the ring with a field) and QPPs (as in the Trueset paper). They furthermore allow to build SNARKs for ring arithmetic as we show in our work.
- Security assumptions when generalizing over rings. Linear-only extractable vs q-PDH & q-PKE.
- Generally speaking: Interfacing QRPs and SNARKs over rings with existing interfaces in the standards.
- Daira: can we have pairings over rings? Anca: we can have composite ground for pairings
- Mary: are there any problems in ring that are not secure in field? Anca: can have QAP solutions that are not solutions to ring
- Daira: Can we have more information on the encryption? Anca & Eduardo: security depends on the size exceptional set, which is proportional to the QAP.
- Carla: What about interactive settings (to remove designated verifier)? Eduardo: can use Fiat-Shamir, etc. Daniel: Use FS to go NI? Carla: Latices have issues with NI due to encoding. Eduardo & Jonathan B.: Latices, Bulletproofs can do the same with rings with suitable encoding, interactive proofs possible but more complex with rings & there may be no need for exceptional sets.
- Daira: Have there been concrete comparisons? Anca: Don't have complete practical implementation. The overhead will be in the encoding scheme, parallel implementation, etc. Too early to estimate.
- Daniel: How efficient can these be for ring-enherent operations? (Sieve program could be more efficient.) Daria: The costs are in the reductions, not the multiplications. In R1CS, 1 gate per bit; two times the size of modulus. In PLONK/Plookup can use lookup table to reduce multiples at once. (More efficient in rows than R1CS gates, but not equivalent.) Estimate approximately a factor of 100 times the cost. Eduardo: RSA costs... Anca: Lookup tables can be efficient. Daira: Lookup tables can improve due to parallalism, so 2^2 and 2^20 have similar costs.
- Daniel: How close are the assumptions to ring RLE assumptions? Eduardo: There's different ways to instantiate the encodings, which are basically linearly homomorphic encryption schemes (take that statement with a pinch of salt). We have one encoding based on RLWE.
- Daniel: How close are we to standardizing/documentating? Daira: We're not close yet. Mary: Can standardize ring arithmatic in circuit. Daniel: Document SNARKs over rings, example that compares ring SNARK vs field SNARK? Daira: Implementors need to know if standard exists or if customization needed. Eduardo: Paper shows that if we have the exceptional set then we can build the SNARK. We could prove that ... ideals will not be co-prime.
- Pratyush: QAPs are restricted to setup-based SNARKs. Research has more opportunitied to move away from these. Jonathan: Polynomial QAPs defined over ... require exceptional set.
- Mary & Daira: Do we need to know the order of the group, considering groups of unknown order, hidden order, composite groups? Anca & Eduardo: Paper does not cover that. Chaya: Possible that can be covered, but would likely require exceptional sets. Carla: In RSA, order is unknown but structure is known, so it's possible to have an exceptional set. Anca: If we have an exceptional set at definition then we can do this. Daira: Does exceptional set leak information about the group? Anca: Unknown, but this should be researched. Jonathan: If a non-exceptional set is provided and an exception is found then the group information can be discovered. (You can solve the hard problem.)
- Daniel: Are these discussions mature enough to create working group, or instead a stand-alone section in the standard document ready to be worked on? Vote is to create working group. Anca will create Telegram group and prepare for discussion, in 1 week.