Abstract
A zero-knowledge proof is a cryptographic primitive that enables a prover to convince a verifier of the validity of a mathematical statement (an NP statement) without revealing any secret inputs to the verifier. A special case, called zero-knowledge Succinct Non-interactive ARgument of Knowledge (zkSNARK), is designed in particular for arithmetic circuit proof systems, which have important applications in blockchain privacy. The major computations in this type of zkSNARK proof with post-quantum security are polynomial evaluations and Lagrange interpolations over finite fields. In the field of coding and sequences research, it is understood that a sequence over a finite field has two representations: a univariate polynomial and a multivariate polynomial. This is exactly what is done in those zero-knowledge proof systems to transform the proof of an R1CS relation into the evaluation of univariate or multivariate polynomials at some random points in the finite field. In this paper, we present a comparative analysis of how to convert a rank-1 constraint satisfiability (R1CS) system (more general than a circuit system) into a polynomial equality, and we analyze the concrete complexities of provers, proof sizes and verifiers. We use two concrete zkSNARK schemes, Polaris (univariate polynomial encodings) and Spartan (multivariate polynomial encodings), as examples to illustrate our analysis. Secondly, we propose to select interpolating sets as subfields instead of affine spaces of a large field for Lagrange interpolation. This new method substantially improves the performance of R1CS encodings. We note that post-quantum secure zkSNARKs yield post-quantum digital signatures whose security depends only on symmetric-key schemes. Some open problems are proposed at the end of the paper.
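The univariate R1CS-to-polynomial-equality transformation described above, as an added example that is not part of the paper or of Polaris/Spartan: a toy R1CS instance over the constructed prime field F_97 is encoded by Lagrange interpolation over a constructed interpolating set H = {1, 2, 3}, the prover checks that the vanishing polynomial Z_H divides a(X)b(X) − c(X), and the verifier spot-checks the resulting identity at a point r (here fixed to 42 for reproducibility; a real verifier samples r at random). The field size, the R1CS instance (x^3 + x + 5 = 35) and the choice of H are assumptions for illustration; the paper's proposal of subfields as interpolating sets is not reproduced here.

```python
# Added example (not from the paper): toy R1CS over a small prime field, encoded as
# univariate polynomials via Lagrange interpolation over H; constraints hold iff Z_H | a*b - c.
P = 97  # constructed toy prime; real systems use large (extension) fields
def inv(x): return pow(x, P - 2, P)  # field inverse via Fermat
def poly_add(f, g):  # coefficient lists, lowest degree first
    n = max(len(f), len(g)); f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return [(u + v) % P for u, v in zip(f, g)]
def poly_mul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, u in enumerate(f):
        for j, v in enumerate(g):
            out[i + j] = (out[i + j] + u * v) % P
    return out
def poly_eval(f, x): return sum(c * pow(x, i, P) for i, c in enumerate(f)) % P
def lagrange(xs, ys):
    """Unique polynomial of degree < len(xs) with f(xs[i]) == ys[i]."""
    total = [0]
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        term = [yi]
        for j, xj in enumerate(xs):
            if j != i:  # multiply by the basis factor (X - xj) / (xi - xj)
                term = poly_mul(term, [(-xj * inv(xi - xj)) % P, inv(xi - xj)])
        total = poly_add(total, term)
    return total
def poly_divmod(f, g):
    """Long division f = q*g + r; g must be monic (Z_H always is)."""
    f, q = f[:], [0] * max(1, len(f) - len(g) + 1)
    for i in range(len(f) - len(g), -1, -1):
        q[i] = f[i + len(g) - 1]
        for j, gj in enumerate(g):
            f[i + j] = (f[i + j] - q[i] * gj) % P
    return q, f[:len(g) - 1]

# Constructed R1CS for x^3 + x + 5 = 35 with witness z = (1, x, out, v1, v2):
#   x * x = v1,   v1 * x = v2,   (v2 + x + 5) * 1 = out
A = [[0, 1, 0, 0, 0], [0, 0, 0, 1, 0], [5, 1, 0, 0, 1]]
B = [[0, 1, 0, 0, 0], [0, 1, 0, 0, 0], [1, 0, 0, 0, 0]]
C = [[0, 0, 0, 1, 0], [0, 0, 0, 0, 1], [0, 0, 1, 0, 0]]
H = [1, 2, 3]  # constructed interpolating set, one point per constraint
def dot(row, z): return sum(r * v for r, v in zip(row, z)) % P
def encode_r1cs(z):  # a(h_i) = <A_i,z>, b(h_i) = <B_i,z>, c(h_i) = <C_i,z>, Z_H = prod(X - h)
    a, b, c = (lagrange(H, [dot(row, z) for row in M]) for M in (A, B, C))
    z_h = [1]
    for h in H: z_h = poly_mul(z_h, [(-h) % P, 1])
    return a, b, c, z_h
def r1cs_holds(z, r=42):  # prover: Z_H | a*b - c with quotient q; verifier: check at r
    a, b, c, z_h = encode_r1cs(z)
    lhs = poly_add(poly_mul(a, b), [(-v) % P for v in c])
    q, rem = poly_divmod(lhs, z_h)
    return all(v == 0 for v in rem) and poly_eval(lhs, r) == poly_eval(q, r) * poly_eval(z_h, r) % P
```

A satisfying witness such as z = (1, 3, 35, 9, 27) yields a zero remainder, while any witness that breaks one constraint leaves a(h_i)b(h_i) − c(h_i) ≠ 0 at that constraint's point and therefore a nonzero remainder.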
Publisher
Springer Science and Business Media LLC