SNARK-friendly Symmetric Encryption

Problem Statement

We want an encryption scheme that would work well in arithmetic circuits (for SNARKS). So both the key and the input to the encryption should be $m∈\mathbb{F}^n$ vectors (with $\mathbb{F}$ being the field).

Solution

Keygen: generate key $x∈\mathbb{F}$ uniformly at random

Encrypt:

Input: message $m∈\mathbb{F}^n$ , key $x∈\mathbb{F}$
Sample a nonce $k∈\mathbb{F}$ uniformly at random. Compute $a=hash(k,x)∈\mathbb{F}$
Compute $ri=hash(a,i)$ for $i=1,2,…,n$ and let $r∈\mathbb{F}^n$ be the resulting vector
Compute $e=m+r$ (note $e∈\mathbb{F}^n$ )
Output $(k,e)$

Decrypt:

Input: ciphertext $(k,e)$ , key $x∈\mathbb{F}$ ,
Compute $r∈\mathbb{F}^n$ based on $k,x$ as above
compute $m=e−r$
Output $m$

Total cost for encryption and decryption is: $≈n⋅G_{hash}$ where $G_{hash}$ is the number of gates one hashing costs.

PreviousDeterministic Secret Management NextSNARK-friendly Asymmetric Encryption

Last updated 6 days ago

Was this helpful?

SNARK-friendly Symmetric Encryption

Problem Statement

Solution

Keygen: generate key $x∈\mathbb{F}$ uniformly at random

Encrypt:

Input: message $m∈\mathbb{F}^n$ , key $x∈\mathbb{F}$
Sample a nonce $k∈\mathbb{F}$ uniformly at random. Compute $a=hash(k,x)∈\mathbb{F}$
Compute $ri=hash(a,i)$ for $i=1,2,…,n$ and let $r∈\mathbb{F}^n$ be the resulting vector
Compute $e=m+r$ (note $e∈\mathbb{F}^n$ )
Output $(k,e)$

Decrypt:

Input: ciphertext $(k,e)$ , key $x∈\mathbb{F}$ ,
Compute $r∈\mathbb{F}^n$ based on $k,x$ as above
compute $m=e−r$
Output $m$

Total cost for encryption and decryption is: $≈n⋅G_{hash}$ where $G_{hash}$ is the number of gates one hashing costs.

PreviousDeterministic Secret Management NextSNARK-friendly Asymmetric Encryption

Last updated 6 days ago

Was this helpful?