3

I'm currently writing my bachelor thesis about zero-knowledge proofs. Right now I'm working on introducing SNARKs, and in my approach I'm following this course that's available on YouTube. In the course they first define what arithmetic circuits are, and the SNARK introduction begins with "A SNARK is applied to an arithmetic circuit C...". For my thesis I would like to give a motivation for why I use arithmetic circuits as a computation model at that point. Also, I'm wondering if SNARKs are defined for other computation models.

Niko Wolf

1 Answer

2

SNARKs were designed with pairing-based methods in mind where a secret $s$ is hidden as the discrete logarithm of a point $P$ with respect to a generator $G$, thus one computes $P=sG$ to hide the secret. The additive nature of the logarithm makes it easy to then compute a hidden version of the sum of two secrets by adding points: $P_1+P_2=s_1G+s_2G=(s_1+s_2)G$ or, more generally, a hidden version of a known linear combination of secrets $\sum a_iP_i=(\sum a_is_i)G$. In particular then, it is easy to confirm that one hidden value is equal to a known linear combination of other hidden values, simply by comparing group elements.

Using the pairing function it is also possible to check whether a hidden value is equal to the product or quotient of two other hidden values using the expressions $$e(aG,bG)=e(G,abG)$$ and $$e\left(aG,\frac baG\right)=e(G,bG).$$

Using these checking mechanisms alongside hidden intermediate computation points, it is possible to confirm that a given hidden value is the evaluation of a known arithmetic expression (modulo $\ell$, the group order) of other hidden values.

As the checks can be confirmed directly with the operation of the pairing-based primitive, this makes mod $\ell$ arithmetic circuits an especially straightforward computation to verify and motivates constructing proofs out of such circuits. Computations without a simple/natural mod $\ell$ expression (e.g. evaluation of a Boolean circuit) are less easy to validate and have to be painstakingly constructed from arithmetic circuits.

Daniel S
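The two checks described in the answer above, as an added example that is not part of the original answer: a verifier confirms that a hidden value is the evaluation of the arithmetic circuit $y=(x_1+2x_2)\cdot x_3 \bmod \ell$ using one linear-combination check and one pairing check on a hidden intermediate point. The circuit, the constants and the names `hide`, `check_linear`, `check_product`, `prove` and `verify` are assumptions made for illustration, and the group is a toy model in which a point $sG$ is stored as $s \bmod \ell$, so it shows the algebra of the checks but hides nothing.

```python
# Toy bilinear group (constructed values). A point sG is stored as s mod ELL,
# so discrete logs are trivial: this models the checks, not the hiding.
ELL = 101                            # prime group order
MOD = 607                            # prime with ELL dividing MOD - 1
GT = pow(3, (MOD - 1) // ELL, MOD)   # generator of the order-ELL target group
G = 1                                # generator "point"

def hide(s):
    """Return the point sG for a secret s."""
    return s * G % ELL

def e(p, q):
    """Bilinear map with e(aG, bG) = GT^(ab)."""
    return pow(GT, p * q % ELL, MOD)

def check_linear(out, coeffs, points):
    """Is `out` the known linear combination sum(a_i * P_i)? Group ops only."""
    return out == sum(a * p for a, p in zip(coeffs, points)) % ELL

def check_product(a_pt, b_pt, c_pt):
    """Is c = a*b mod ELL? Uses e(aG, bG) == e(G, cG)."""
    return e(a_pt, b_pt) == e(G, c_pt)

def prove(x1, x2, x3):
    """Prover: hide the inputs, the intermediate t and the output y."""
    t = (x1 + 2 * x2) % ELL          # addition gate
    y = t * x3 % ELL                 # multiplication gate
    return {"X1": hide(x1), "X2": hide(x2), "X3": hide(x3),
            "T": hide(t), "Y": hide(y)}

def verify(pr):
    """Verifier: one check per gate, performed on hidden values only."""
    return (check_linear(pr["T"], [1, 2], [pr["X1"], pr["X2"]])
            and check_product(pr["T"], pr["X3"], pr["Y"]))

if __name__ == "__main__":
    proof = prove(7, 20, 9)          # t = 47, y = 423 mod 101 = 19
    print(verify(proof))             # honest proof is accepted
    print(verify(dict(proof, Y=hide(20))))   # wrong output is rejected
```
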