Succinct Non-Interactive Arguments via Linear Interactive Proofs

Succinct non-interactive arguments (SNARGs) enable verifying NP statements with lower complexity than required for classical NP verification. Traditionally, the focus has been on minimizing the length of such arguments; nowadays, researchers have focused also on minimizing verification time, by drawing motivation from the problem of delegating computation. A common relaxation is a preprocessing SNARG, which allows the verifier to conduct an expensive offline phase that is independent of the statement to be proven later. Recent constructions of preprocessing SNARGs have achieved attractive features: they are publicly-verifiable, proofs consist of only O(1) encrypted (or encoded) field elements, and verification is via arithmetic circuits of size linear in the NP statement. Additionally, these constructions seem to have “escaped the hegemony” of probabilistically-checkable proofs (PCPs) as a basic building block of succinct arguments. We present a general methodology for the construction of preprocessing SNARG\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\text{ SNARG } $$\end{document}s, as well as resulting new efficiency features. Our contribution is threefold: (1) We introduce and study a natural extension of the interactive proof model that considers algebraically-bounded provers; this new setting is analogous to the common study of algebraically-bounded “adversaries” in other fields, such as pseudorandomness and randomness extraction. More concretely, in this work we focus on linear (or affine) provers, and provide several constructions of (succinct two-message) linear interactive proofs (LIPs) for NP. Our constructions are based on general transformations applied to both linear PCPs (LPCPs) and traditional “unstructured” PCPs.(2) We give conceptually simple cryptographic transformations from LIPs to preprocessing SNARGs, whose security can be based on different forms of linear targeted malleability (implied by previous knowledge assumptions). Our transformations convert arbitrary (two-message) LIPs into designated-verifier SNARGs, and LIPs with degree-bounded verifiers into publicly-verifiable SNARGs. We also extend our methodology to obtain zero-knowledge LIPs and SNARGs. Our techniques yield SNARGs of knowledge and thus can benefit from known recursive composition and bootstrapping techniques.(3) Following this methodology, we exhibit several constructions achieving new efficiency features, such as “single-ciphertext preprocessing SNARGs.” We also offer a new perspective on existing constructions of preprocessing SNARGs, revealing a direct connection of these to LPCPs and LIPs. We introduce and study a natural extension of the interactive proof model that considers algebraically-bounded provers; this new setting is analogous to the common study of algebraically-bounded “adversaries” in other fields, such as pseudorandomness and randomness extraction. More concretely, in this work we focus on linear (or affine) provers, and provide several constructions of (succinct two-message) linear interactive proofs (LIPs) for NP. Our constructions are based on general transformations applied to both linear PCPs (LPCPs) and traditional “unstructured” PCPs. We give conceptually simple cryptographic transformations from LIPs to preprocessing SNARGs, whose security can be based on different forms of linear targeted malleability (implied by previous knowledge assumptions). Our transformations convert arbitrary (two-message) LIPs into designated-verifier SNARGs, and LIPs with degree-bounded verifiers into publicly-verifiable SNARGs. We also extend our methodology to obtain zero-knowledge LIPs and SNARGs. Our techniques yield SNARGs of knowledge and thus can benefit from known recursive composition and bootstrapping techniques. Following this methodology, we exhibit several constructions achieving new efficiency features, such as “single-ciphertext preprocessing SNARGs.” We also offer a new perspective on existing constructions of preprocessing SNARGs, revealing a direct connection of these to LPCPs and LIPs.


Introduction
Interactive proofs [62] are central to modern cryptography and complexity theory. One extensively studied aspect of interactive proofs is their expressibility, culminating with the result IP = PSPACE [96]. Another aspect, which is the focus of this work, is that proofs for NP statements can potentially be much shorter than an NP witness and be verified much faster than the time required for checking the NP witness.

Background
Succinct interactive arguments. In interactive proofs for NP with statistical soundness, significant savings in communication (let alone verification time) are unlikely [21,58,67,102]. If we settle for proof systems with computational soundness, known as argument systems [9], then significant savings can be made. Using collision-resistant hashes (CRHs) and probabilistically-checkable proofs (PCPs) [16], Kilian [74] showed a four-message interactive argument for NP where, to prove membership of an instance x in a given NP language L with NP machine M L , communication and verification time are bounded by poly(λ + |M L | + |x| + log t), and the prover's running time is poly(λ + |M L | + |x| + t). Here, t is the classical NP verification time of M L for the instance x, λ is a security parameter, and poly is a universal polynomial (independent of λ, M L , x, and t). We call such argument systems succinct. also to concrete improvements to different features of SNARKs (e.g., communication complexity, verifier complexity, prover complexity, and so on). Thus, we ask: Is there a general methodology for constructing preprocessing SNARKs from probabilistic proof systems? Which improvements can it lead to?

Our Results
We present a general methodology for constructing preprocessing SNARKs from suitable kinds of probabilistic proof systems. Using different instantiations of this methodology, we obtain conceptually simple variants of previous SNARKs, as well as SNARKs with new efficiency features.
Our methodology starts with a linear PCP, 1 a more structured variant of a classical PCP in which the verifier can make a small number of inner-product queries to a single proof vector. We transform such a linear PCP into a stronger kind of probabilistic proof system called a linear interactive proof, and then to a SNARK via a cryptographic compiler that respects the efficiency features of the linear PCP.
In more detail, our contribution is threefold: • We introduce a new, information-theoretic probabilistic proof system that extends the standard interactive proof model by considering algebraically-bounded provers. Concretely, we focus on linear interactive proofs (LIPs), where both honest and malicious provers are restricted to computing linear (or affine) functions of messages they receive over some finite field or ring. We construct succinct two-message LIPs for NP by applying a simple and general transformation to any linear PCP. We also present an alternative construction of LIPs from classical PCPs. • We give cryptographic transformations from (succinct, two-message) LIPs to preprocessing SNARKs, using different forms of linear targeted malleability [34], which can be instantiated based on existing knowledge assumptions. More concretely, we assume a "linear-only" encryption scheme that only supports linear homomorphism. Our transformation is very intuitive: to force a prover to "act linearly" on the verifier's message, as in the LIP soundness guarantee, the preprocessed common reference string simply includes an encryption of each field or ring element in the verifier's LIP message with such a linear-only encryption. This enables the honest SNARK prover to faithfully compute an encryption of its correct LIP message, which the verifier can decrypt. For the case of designated-verifier SNARKs, this simple idea suffices. To obtain public verification, we require the LIP verification to be "simple" (say, testing whether a quadratic function of the answers is 0) and replace the linear-only encryption by a linear-only encoding that supports "simple" zero-tests (say, via pairing). • Following this methodology, we obtain several constructions that either simplify previous ones or exhibit new asymptotic efficiency features. The latter include "single-ciphertext preprocessing SNARKs" and improved succinctness-soundness tradeoffs in the designated-verifier setting. We also offer a new perspective on existing constructions of preprocessing SNARKs: namely, although existing constructions do not explicitly invoke PCPs, they can be reinterpreted as using linear PCPs. • We also extend our methodology to obtain zero-knowledge LIPs and SNARKs.
We now discuss our results further, starting in Sect. 1.3.1 with the information-theoretic constructions of LIPs, followed in Sect. 1.3.2 by the cryptographic transformations to preprocessing SNARKs, and concluding in Sect. 1.3.3 with the new features we are able to obtain.

Linear Interactive Proofs
The LIP model modifies the traditional interactive proofs model in a way analogous to the way the common study of algebraically-bounded "adversaries" modifies other settings, such as pseudorandomness [35,86] and randomness extraction [48,63]. In the LIP model, both honest and malicious provers are restricted to apply linear (or affine) functions over a finite field F to messages they receive from the verifier. (The notion can be naturally generalized to apply over rings.) The choice of these linear functions can depend on auxiliary input to the prover (e.g., a witness), but not on the verifier's messages (Fig. 1).
With the goal of non-interactive succinct verification in mind, we restrict our attention to (input-oblivious) two-message LIPs for boolean circuit satisfiability problems with the following template. To verify the relation R C = {(x, w) : C(x, w) = 1} where C is a boolean circuit, the LIP verifier V LIP sends to the LIP prover P LIP a message q that is a vector of field elements, depending on C but not on x; V LIP may also output a verification state u. The LIP prover P LIP (x, w) applies to q an affine transformation = ( , b), resulting in only a constant number of field elements. The prover's message a = ·q+b can then be quickly verified (e.g., with O(|x|) field operations) by V LIP , and the soundness error is at most O(1/|F|). From here on, we shall use the term LIP to refer to LIPs that adhere to the above template.
LIP complexity measures. Our constructions provide different tradeoffs among several complexity measures of an LIP, which ultimately affect the features of the resulting preprocessing SNARKs. The two most basic complexity measures are the number of field elements sent by the verifier and the number of those sent by the prover. An addi-tional measure that we consider in this work is the algebraic complexity of the verifier (when viewed as an F-arithmetic circuit). Specifically, splitting the verifier into a query algorithm Q LIP and a decision algorithm D LIP , we say that it has degree (d Q , d D ) if Q LIP can be computed by a vector of multivariate polynomials of total degree d Q each in the verifier's randomness, and D LIP by a vector of multivariate polynomials of total degree d D each in the LIP answers a and the verification state u. Finally, of course, the running times of the query algorithm, decision algorithm, and prover algorithm are all complexity measures of interest. See Sect. 2.3 for a definition of LIPs and their complexity measures.
As mentioned above, our LIP constructions are obtained by applying general transformations to two types of PCPs. We now describe each of these transformations and the features they achieve. Some of the parameters of the resulting constructions are summarized in Table 1.

LIPs from linear PCPs.
A linear PCP (LPCP) of length m is an oracle computing a linear function π : F m → F; namely, the answer to each oracle query q i ∈ F m is a i = π , q i . Note that, unlike in an LIP where different affine functions, given by a matrix and shift b, are applied to a message q, in an LPCP there is one linear function π , which is applied to different queries. (An LPCP with a single query can be viewed as a special case of an LIP.) This difference prevents a direct use of an LPCP as an LIP.
Our first transformation converts any (multi-query) LPCP into an LIP with closely related parameters. Concretely, we transform any k-query LPCP of length m over F into an LIP with verifier message in F (k+1)m , prover message in F k+1 , and the same soundness error up to an additive term of 1/|F|. The transformation preserves the key properties of the LPCP, including the algebraic complexity of the verifier. Our transformation is quite natural: the verifier sends q = (q 1 , . . . , q k+1 ) where q 1 , . . . , q k are the LPCP queries and q k+1 = α 1 q 1 + · · · + α k q k is a random linear combination of these. The (honest) prover responds with a i = π , q i , for i = 1, . . . , k + 1. To prevent a malicious prover from using inconsistent choices for π, the verifier checks that a k+1 = α 1 a 1 +· · ·+α k a k .
By relying on two different LPCP instantiations, we obtain two corresponding LIP constructions: • A variant of the Hadamard-based PCP of Arora et al. [4] (ALMSS), extended to work over an arbitrary finite field F, yields a very simple LPCP with three queries. After applying our transformation, for a circuit C of size s and input length n, the resulting LIP for R C has verifier message in F O(s 2 ) , prover message in F 4 , and soundness error O(1/|F|). When viewed as F-arithmetic circuits, the prover P LIP and query algorithm Q LIP are both of size O(s 2 ), and the decision algorithm is of size O(n). Furthermore, the degree of (Q LIP , D LIP ) is (2, 2). • A (strong) quadratic span program (QSP), as defined by Gennaro et al. [56], directly yields a corresponding LPCP with three queries. For a circuit C of size s and input length n, the resulting LIP for R C has verifier message in F O(s) , prover message in F 4 , and soundness error O(s/|F|). When viewed as F-arithmetic circuits, the prover P LIP is of size O(s), the query algorithm Q LIP is of size O(s), and the decision algorithm is of size O(n). The degree of (Q LIP , D LIP ) is (O(s), 2).
A notable feature of the LIPs obtained above is the very low "online complexity" of verification: in both cases, the decision algorithm is an arithmetic circuit of size O(n). Moreover, all the efficiency features mentioned above apply not only to satisfiability of boolean circuits C, but also to satisfiability of F-arithmetic circuits. In both the above constructions, the circuit to be verified is first represented as an appropriate algebraic satisfaction problem, and then probabilistic checking machinery is invoked. In the first case, the problem is a system of quadratic equations over F, and, in the second case, it is a (strong) quadratic span program (QSP) over F. These algebraic problems are the very same problems underlying [56,64,78].
As explained earlier, [56] invested much effort to show an efficient reduction from circuit satisfiability problems to QSPs. Our work does not subsume nor simplify the reduction to QSPs of [56], but instead reveals a simple LPCP to check a QSP, and this LPCP can be plugged into our general transformations. Reducing circuit satisfiability to a system of quadratic equations over F is much simpler, but generating proofs for the resulting problem is quadratically more expensive. (Concretely, both [64,78] require O(s 2 ) computation already in the preprocessing phase). See Sect. 3.1 for more details.
LIPs from traditional PCPs. Our second transformation relies on traditional "unstructured" PCPs. These PCPs are typically more difficult to construct than LPCPs; however, our second transformation has the advantage of requiring the prover to send only a single field element. Concretely, our transformation converts a traditional k-query PCP into a 1-query LPCP, over a sufficiently large field. Here the PCP oracle is represented via its truth table, which is assumed to be a binary string of polynomial size (unlike the LPCPs mentioned above, whose truth tables have size that is exponential in the circuit size). The transformation converts any k-query PCP of proof length m and soundness error ε into an LIP, with soundness error O(ε) over a field of size 2 O(k) /ε, in which the verifier sends m field elements and receives only a single field element in return. The high-level idea is to use a sparse linear combination of the PCP entries to pack the k answer bits into a single field element. The choice of this linear combination uses additional random noise to ensure that the prover's coefficients are restricted to binary values, and uses easy instances of subset-sum to enable an efficient decoding of the k answer bits.
Taking time complexity to an extreme, we can apply this transformation to the PCPs of Ben-Sasson et al. [28] and get LIPs where the prover and verifier complexity are both optimal up to polylog(s) factors, but where the prover sends a single element in a field of size |F| = 2 λ·polylog(s) . Taking succinctness to an extreme, we can apply our transformation to PCPs with soundness error 2 −λ and O(λ) queries, obtaining an LIP with similar soundness error in which the prover sends a single element in a field of size |F| = 2 λ·O (1) . For instance, using the query-efficient PCPs of Håstad and Khot [69], the field size is only |F| = 2 λ·(3+o(1)) . 2 (Jumping ahead, this means that a field element can be encrypted using a single, normal-size ciphertext of homomorphic encryption schemes such as Paillier or Elgamal even when λ = 100.) On the down side, the degrees of the LIP verifiers obtained via this transformation are high; we give evidence that this is inherent when starting from "unstructured" PCPs. See Sect. 3.2 for more details.
QSPs of [56] O(s) PCPs of [28] O(s) 1 None 2 λ·polylog(s) 3. 10 PCPs of [69] poly(s) 1 None 2 λ·(3+o (1)) See each theorem for more details, including the running times of the prover, query, and decision algorithms Honest-verifier zero-knowledge LIPs. We also show how to make the above LIPs zero-knowledge against honest verifiers (HVZK). Looking ahead, using HVZK LIPs in our cryptographic transformations results in preprocessing SNARKs that are zeroknowledge (against malicious verifiers in the CRS model).
For the Hadamard-based LIP, an HVZK variant can be obtained directly with essentially no additional cost. More generally, we show how to transform any LPCP where the decision algorithm is of low degree to an HVZK LPCP with the same parameters up to constant factors (see Sect. 8); this HVZK LPCP can then be plugged into our first transformation to obtain an HVZK LIP. Both of the LPCP constructions mentioned earlier satisfy the requisite degree constraints.
For the second transformation, which applies to traditional PCPs (whose verifiers, as discussed above, must have high degree and thus cannot benefit from our general HVZK transformation), we show that if the PCP is HVZK (see [47] for efficient constructions), then so is the resulting LIP; in particular, the HVZK LIP answer still consists of a single field element.

Proof of knowledge.
In each of the above transformations, we ensure not only soundness for the LIP, but also a proof of knowledge property. Namely, it is possible to efficiently extract from a convincing affine function a witness for the underlying statement. The proof of knowledge property is then preserved in the subsequent cryptographic compilations, ultimately allowing to establish the proof of knowledge property for the preprocessing SNARK. As discussed in Sect. 1.1, proof of knowledge is a very desirable property for preprocessing SNARKs; for instance, it enables to remove the preprocessing phase, as well as to improve the complexity of the prover and verifier, via the result of [12].

Preprocessing SNARKs from LIPs
We explain how to use cryptographic tools to transform an LIP into a corresponding preprocessing SNARK. At high level, the challenge is to ensure that an arbitrary (yet computationally-bounded) prover behaves as if it was a linear (or affine) function. The idea, which also implicitly appears in previous constructions, is to use an encryption scheme with targeted malleability [34] for the class of affine functions: namely, an encryption scheme that "only allows affine homomorphic operations" on an encrypted plaintext (and these operations are independent of the underlying plaintexts). Intuitively, the verifier would simply encrypt each field element in the LIP message q, send the resulting ciphertexts to the prover, and have the prover homomorphically evaluate the LIP affine function on the ciphertexts; targeted malleability ensures that malicious provers can only invoke (malicious) affine strategies.
We concretize the above approach in several ways, depending on the properties of the LIP and the exact flavor of targeted malleability; different choices will induce different properties for the resulting preprocessing SNARK. In particular, we identify natural sufficient properties that enable an LIP to be compiled into a publicly-verifiable SNARK. We also discuss possible instantiations of the cryptographic tools, based on existing knowledge assumptions. (Recall that, in light of the negative result of [68], the use of nonstandard cryptographic assumptions seems to be justified.) Designated-verifier preprocessing SNARKs from arbitrary LIPs. First, we show that any LIP can be compiled into a corresponding designated-verifier preprocessing SNARK with similar parameters. (Recall that "designated verifier" means that the verifier needs to maintain a secret verification state.) To do so, we rely on what we call linear-only encryption: an additively homomorphic encryption that is (a) semanticallysecure, and (b) linear-only. The linear-only property essentially says that, given a public key pk and ciphertexts Enc pk (a 1 ), . . . , Enc pk (a m ), it is infeasible to compute a new ciphertext c in the image of Enc pk , except by "knowing" β, α 1 , . . . , α m such that c ∈ Enc pk (β + m i=1 α i a i ). Formally, the property is captured by guaranteeing that, whenever A(pk, Enc pk (a 1 ), . . . , Enc pk (a m )) produces valid ciphertexts (c 1 , . . . , c k ), an efficient extractor E (non-uniformly depending on A) can extract a corresponding affine function "explaining" the ciphertexts. As a candidate for such an encryption scheme, we propose variants of Paillier encryption [88] (as also considered in [56]) and of Elgamal encryption [51] (in those cases where the plaintext is guaranteed to belong to a polynomial-size set, so that decryption can be done efficiently). These variants are "sparsified" versions of their standard counterparts; concretely, a ciphertext does not only include Enc pk (a), but also Enc pk (α · a), for a secret field element α. (This "sparsification" follows a pattern found in many constructions conjectured to satisfy "knowledge-of-exponent" assumptions.) As for Paillier encryption, we have to consider LIPs over the ring Z pq (instead of a finite field F); essentially, the same results also hold in this setting (except that soundness is O(1/ min {p, q}) instead of O(1/|F|)).
We also consider a notion of targeted malleability, weaker than linear-only encryption, that is closer to the definition template of Boneh et al. [34]. In such a notion, the extractor is replaced by a simulator. Relying on this weaker variant, we are only able to prove the security of our preprocessing SNARKs against non-adaptive choices of statements (and still prove soundness, though not proof of knowledge, if the simulator is allowed to be inefficient). Nonetheless, for natural instantiations, even adaptive security seems likely to hold for our construction, but we do not know how to prove it. One advantage of working with this weaker variant is that it seems to allow for more efficient candidates constructions. Concretely, the linear-only property rules out any encryption scheme where ciphertexts can be sampled obliviously; instead, the weaker notion does not, and thus allows for shorter ciphertexts. For example, we can consider a standard ("nonsparsified") version of Paillier encryption. We will get back to this point in Sect. 1.3.3. For further details on the above transformations, see Sect. 6.1.
Publicly-verifiable preprocessing SNARKs from LIPs with low-degree verifiers. Next, we identify properties of LIPs that are sufficient for a transformation to publiclyverifiable preprocessing SNARKs. Note that, if we aim for public verifiability, we cannot use semantically-secure encryption to encode the message of the LIP verifier, because we need to "publicly test" (without decryption) certain properties of the plaintext underlying the prover's response. The idea, implicit in previous publicly-verifiable preprocessing SNARK constructions, is to use linear-only encodings (rather than encryption) that do allow such public tests, while still providing certain one-wayness properties. When using such encodings with an LIP, however, it must be the case that the public tests support evaluating the decision algorithm of the LIP and, moreover, the LIP remains secure despite some "leakage" on the queries. We show that LIPs with low-degree verifiers (which we call algebraic LIPs), combined with appropriate one-way encodings, suffice for this purpose.
More concretely, like [56,64,78], we consider candidate encodings in bilinear groups under similar knowledge-of-exponent and computational Diffie-Hellman assumptions; for such encoding instantiations, we must start with an LIP where the degree d D of the decision algorithm D LIP is at most quadratic. (If we had multilinear maps supporting higher-degree polynomials, we could support higher values of d D .) In addition to d D ≤ 2, to ensure security even in the presence of certain one-way leakage, we need the query algorithm Q LIP to be of polynomial degree.
Both of the LIP constructions from LPCPs described in Sect. 1.3.1 satisfy these requirements. When combined with the above transformation, these LIP constructions imply new constructions of publicly-verifiable preprocessing SNARKs, one of which can be seen as a simplification of the construction of [64] and the other as a reinterpretation (and slight simplification) of the construction of [56].
For more details, see Sect. 6.2.
Zero knowledge. In all aforementioned transformations to preprocessing SNARKs, if we start with an HVZK LIP (such as those mentioned in Sect. 1.3.1) and additionally require a rerandomization property for the linear-only encryption/encoding (which is available in all of the candidate instantiations we consider), we obtain preprocessing SNARKs that are (perfect) zero-knowledge in the CRS model. In addition, for the case of publicly-verifiable (perfect) zero-knowledge preprocessing SNARKs, the CRS can be tested, so that (similarly to previous works [56,64,78]) we also obtain succinct ZAPs. See Sect. 6.3.

New Efficiency Features for SNARKs
We obtain the following improvements in communication complexity for preprocessing SNARKs.
"Single-ciphertext preprocessing SNARKs". If we combine the LIPs that we obtained from traditional PCPs (where the prover returns only a single field element) with "nonsparsified" Paillier encryption, we obtain (non-adaptive) preprocessing SNARKs that consist of a single Paillier ciphertext. Moreover, when using the query-efficient PCP from [69] as the underlying PCP, even a standard-size Paillier ciphertext (with plaintext group Z pq where p, q are 512-bit primes) suffices for achieving soundness error 2 −λ with λ = 100. (For the case of [69], due to the queries' dependence on the input, the reference string of the SNARK also depends on the input.) Alternatively, using the sparsified version of Paillier encryption, we can also get security against adaptivelychosen statements with only two Paillier ciphertexts.

Optimal succinctness.
A fundamental question about succinct arguments is how low can we push communication complexity. More accurately: what is the optimal tradeoff between communication complexity and soundness? Ideally, we would want succinct arguments that are optimally succinct: to achieve 2 − (λ) soundness against 2 O(λ)bounded provers, the proof length is O(λ) bits long.
In several existing constructions of succinct arguments, to provide 2 − (λ) soundness against 2 O(λ) -bounded provers, the prover has to communicate ω(λ) bits to the verifier. Concretely, PCP-based (and MIP-based) solutions require (λ 3 ) bits of communication. This also holds for preprocessing SNARKs based on Paillier encryption, which suffer from subexponential-time attacks. In the case of pairing-based solutions, subexponentialtime attacks are not known to be inherent (this applies to the base groups, relevant to SNARK constructions, rather than the target group). 3 Following our approach, any candidate for linear-only homomorphic encryption that does not suffer from subexponential-time attacks, would yield other instantiations of preprocessing SNARKs that are optimally succinct. Currently, the only known such candidate is Elgamal encryption (say, in appropriate elliptic curve groups) [89]. However, the problem with using Elgamal decryption in our approach is that it requires to compute discrete logarithms.
One way to overcome this problem is to ensure that honest proofs are always decrypted to a known polynomial-size set. This can be done by taking the LIP to be over a field F p of only polynomial size, and ensuring that any honest proof π has small 1 -norm π 1 , so that in particular, the prover's answer is taken from a set of size at most π 1 · p. For example, in the two LPCP-based constructions described in Sect. 1.3.1, this norm is O(s 2 ) and O(s), respectively, for a circuit of size s. This approach, however, has two caveats: the soundness of the underlying LIP is only 1/poly(λ) and moreover, the verifier's running time is proportional to s, and not independent of it, as we usually require. With such an LIP, we would be able to directly use Elgamal encryption because linear tests on the plaintexts can be carried out "in the exponent," without having to take discrete logarithms.
Finally, a rather generic approach for obtaining "almost-optimal succinctness" is to use (linear-only) Elgamal encryption in conjunction with any linear homomorphic encryption scheme (perhaps not having the linear-only property) that is sufficiently secure. Concretely, the verifier sends his LIP message encrypted under both encryption schemes, and then the prover homomorphically evaluates the affine function on both. The additional ciphertext can be efficiently decrypted, and can assist in the decryption of the Elgamal ciphertext. For example, there are encryption schemes based on Ring-LWE [79] that are conjectured to have quasiexponential security; by using these in the approach we just discussed, we can obtain 2 − (λ) soundness against 2 O(λ) -bounded provers with O(λ) bits of communication.
Strong knowledge and reusability. Designated-verifier SNARKs typically suffer from a problem known as the verifier rejection problem: security is compromised if the prover can learn the verifier's responses to multiple adaptively-chosen statements and proofs. For example, the PCP-based (or MIP-based) SNARKs of [8,10,11,46,60] suffer from the verifier rejection problem because a prover can adaptively learn the encrypted PCP (or MIP) queries, by feeding different statements and proofs to the verifier and learning his responses, and since the secrecy of these queries is crucial, security is lost.
Of course, one way to avoid the verifier rejection problem is to generate a new reference string for each statement and proof. Indeed, this is an attractive solution for the aforementioned SNARKs because generating a new reference string is very cheap: it costs poly(λ). However, for a designated-verifier preprocessing SNARK, generating a new reference string is not cheap at all, and being able to reuse the same reference string across an unbounded number of adaptively-chosen statements and proofs is a very desirable property.
A property that is satisfied by all algebraic LIPs (including the LPCP-based LIPs discussed in Sect. 1.3.1), which we call strong knowledge, is that such attacks are impossible. Specifically, for such LIPs, every prover either makes the verifier accept with probability 1 or with probability less than O(poly(λ)/|F|). (In Sect. 9, we also show that traditional "unstructured" PCPs cannot satisfy this property.) Given LIPs with strong knowledge, it seems that designated-verifier SNARKs that have a reusable reference string can be constructed. Formalizing the connection between strong knowledge and reusable reference string actually requires notions of linear-only encryption that are somewhat more delicate than those we have considered so far. See details in Sect. 9 for additional discussions.

Previous Structured PCPs
Ishai et al. [72] proposed the idea of constructing argument systems with nontrivial efficiency properties by using "structured" PCPs and cryptographic primitives with homomorphic properties, rather than (as in previous approaches) "unstructured" polynomialsize PCPs and collision-resistant hashing. We have shown how to apply this basic approach in order to obtain succinct non-interactive arguments with preprocessing. We now compare our work to other works that have also followed the basic approach of [72].
Strong vs. weak linear PCPs. Both in our work and in [72], the notion of a "structured" PCP is taken to be a linear PCP. However, the notion of a linear PCP used in our work does not coincide with the one used in [72]. Indeed there are two ways in which one can formalize the intuitive notion of a linear PCP. Specifically: • A strong linear PCP is a PCP in which the honest proof oracle is guaranteed to be a linear function, and soundness is required to hold for all (including nonlinear) proof oracles. • A weak linear PCP is a PCP in which the honest proof oracle is guaranteed to be a linear function, and soundness is required to hold only for linear proof oracles.
In particular, a weak linear PCP assumes an algebraically-bounded prover, while a strong linear PCP does not. While Ishai et al. [72] considered strong linear PCPs, in our work we are interested in studying algebraically-bounded provers, and thus consider weak linear PCPs.
Arguments from strong linear PCPs. Ishai et al. [72] constructed a four-message argument system for NP in which the prover-to-verifier communication is short (i.e., an argument with a laconic prover [67]) by combining a strong linear PCP and (standard) linear homomorphic encryption; they also showed how to extend their approach to "balance" the communication between the prover and verifier and obtain a O(1/ε)message argument system for NP with O(n ε ) communication complexity. Let us briefly compare their work with ours. First, in this paper we focus on the non-interactive setting, while Ishai et al. focused on the interactive setting. In particular, in light of the negative result of Gentry and Wichs [68], this means that the use of non-standard assumptions in our setting (such as linear targeted malleability) may be justified; in contrast, Ishai et al. only relied on the standard semantic security of linear homomorphic encryption (and did not rely on linear targeted malleability properties). Second, we focus on constructing (non-interactive) succinct arguments, while Ishai et al. focus on constructing arguments with a laconic prover. Third, by relying on weak linear PCPs (instead of strong linear PCPs) we do not need to perform (explicitly or implicitly) linearity testing, while Ishai et al. do. Intuitively, this is because we rely on the assumption of linear targeted malleability, which ensures that a prover is algebraically bounded (in fact, in our case, linear); not having to perform proximity testing is crucial for preserving the algebraic properties of a linear PCP (and thus, e.g., obtain public verifiability) and obtaining O(poly(λ)/|F|) soundness with only a constant number of encrypted/encoded group elements. (Recall that linearity testing only guarantees constant soundness with a constant number of queries.) Turning to computational efficiency, while their basic protocol does not provide the verifier with any saving in computation, Ishai et al. noted that their protocol actually yields a batching argument: namely, an argument in which, in order to simultaneously verify the correct evaluation of circuits of size S, the verifier may run in time S (i.e., in time S/ per circuit evaluation). In fact, a set of works [94,95,97,98] has improved upon, optimized, and implemented the batching argument of Ishai et al. [72] for the purpose of verifiable delegation of computation.
Finally, [94] have also observed that QSPs can be used to construct weak linear PCPs; while we compile weak linear PCPs into LIPs, [94] (as in previous work) compile weak linear PCPs into strong ones. Indeed, note that a weak linear PCP can always be compiled into a corresponding strong one, by letting the verifier additionally perform linearity testing and self-correction; this compilation does not affect proof length, increases query complexity by only a constant multiplicative factor, and guarantees constant soundness.
Remark 1.1. The notions of (strong or linear) PCP discussed above should not be confused with the (unrelated) notion of a linear PCP of Proximity (linear PCPP) [31,80], which we now recall for the purpose of comparison.
Given a field F, an F-linear circuit [100] is an F-arithmetic circuit C : F h → F in which every gate computes an F-linear combination of its inputs; its kernel, denoted ker(C), is the set of all w ∈ F h for which C(w) = 0 . A linear PCPP for a field F is an oracle machine V with the following properties: (1) V takes as input an F-linear circuit C and has oracle access to a vector w ∈ F h and an auxiliary vector π of elements in F, (2) if w ∈ ker(C) then there exists π so that V w,π (C) accepts with probability 1, and (3) if w is far from ker(C) then V w,π (C) rejects with high probability for every π .
Thus, a linear PCPP is a proximity tester for the kernels of linear circuits (which are not universal), while a (strong or weak) linear PCP is a PCP in which the proof oracle is a linear function.

Related and Subsequent Work
In this section we include a more detailed comparison with the work of Gennaro et al. [56] (GGPR), which is the most closely related to the current work, as well as some subsequent works in this area.

Comparison with GGPR.
Our work can be seen as providing a conceptually simple general methodology that not only captures close variants 4 of the SNARKs from GGPR (as well as earlier SNARKs from [64,78]), but can also be instantiated in other useful ways. In more detail, GGPR consider the QSP constraint satisfaction problem, and show how to directly compile it into a SNARK. This is similar to the previous works of Groth [64] and Lipmaa [78], except that the QSP representation is quadratically more efficient. In contrast, our starting point is a linear interactive proof-a new kind of probabilistic information-theoretic proof system, which we show how to build from any (classical or linear) PCP. Only then, we compile such LIPs into SNARKs. The LIP abstraction also admits a natural zero-knowledge variant, which in the QSP-based approach is part of the cryptographic compiler. When using a LIP based on the QSP construction of GGPR, we end up with a slightly different SNARK from that of GGPR, which is in fact slightly less succinct (8 vs. 7 bilinear group elements). Indeed, the GGPR construction makes an additional optimization thanks to compiling QSPs directly.
Whereas QSPs (as well as their arithmetic QAP variant) are tied to polynomials and to quadratic verification, the linear PCP and LIP primitives are more general. GGPR-style linear PCPs still give the best efficiency for most applications, however, other linear PCPs have proven useful in this work and in subsequent works [7,22,87]. For example, we show that a LIP based on the Hadamard linear PCP, which is not captured by a QSP, yields a very simple SNARK construction with quadratic CRS size. The single-query linear PCP (or LIP) we obtain from a classical PCP, which serves as a basis for "singleciphertext SNARKs," is also not captured by a QSP. Applications in subsequent works are discussed below. Subsequent developments. An influential work of Groth [65], building on a 2-element LIP implicit in [45], obtained a (publicly verifiable) SNARK requiring only 3 bilinear group elements (or roughly 1000 bits), and left open the possibility of a SNARK with 2 group elements. The latter would follow from a LIP with a linear decision procedure.
However, the existence of such a LIP was ruled out in [65], settling an open question posed in the conference version of this work.
These barriers from [65] were recently circumvented in [22] by relaxing either the soundness or the completeness requirement. Settling for inverse-polynomial soundness, practical designated-verifier SNARKs for small circuits with only 2 group elements were obtained by applying a variant of the packing transformation from this work to the Hadamard PCP. Moreover, a 1-element LIP with a linear decision procedure, negligible soundness error, and non-negligible (but sub-constant) completeness error follows from the NP-hardness of approximating a problem related to linear codes, implying 2-element laconic arguments for NP with negligible soundness error and sub-constant completeness error. Finally, a plausible (but yet unproven) hardness of approximation result would imply a 1-element laconic argument with predictable answers, which would in turn imply witness encryption [57].
Several other kinds of "linear" probabilistic proof systems in the spirit of LIP were used in subsequent works. For instance, a variant of LIP was used in [13] to obtain sublinear-communication arguments for arithmetic circuits in which the prover runs in linear time. Fully linear proof systems, where linear queries apply jointly to the input and the proof vector, were used for sublinear zero-knowledge proofs on secret-shared data and information-theoretic secure multiparty computation [7].
We refer the reader to Thaler's recent survey [99] for an overview of SNARKs based on Linear PCP (Chapter 14) and comparison to other approaches to practical arguments (Chapter 15). Earlier expositions appear in [7, Section 2], [18,Section 5], and [73].

Organization
In Sect. 2, we introduce the notions of LPCPs and LIPs. In Sect. 3, we present our transformations for constructing LIPs from several notions of PCPs. In Sect. 4, we give the basic definitions for preprocessing SNARKs. In Sect. 5, we define the relevant notions of linear targeted malleability, as well as candidate constructions for these. In Sect. 6, we present our transformations from LIPs to preprocessing SNARKs. In Sect. 7, we discuss two constructions of algebraic LPCPs. In Sect. 8, we present our general transformation to obtain HVZK for LPCPs with low-degree decision algorithms. In Sect. 9, we discuss the notion of strong knowledge and its connection to designated-verifier SNARKs with a reusable reference string.

Definitions of LIPs and LPCPs
We begin with the information-theoretic part of the paper, by introducing the basic definitions of LPCPs, LIPs, and relevant conventions.

Polynomials, Degrees, and Schwartz-Zippel
Vectors are denoted in bold, while their coordinates are not; for example, we may write a to denote the ordered tuple (a 1 , . . . , a n ) for some n. A field is denoted F; we always work with fields that are finite. We say that a multivariate polynomial f : F m → F has degree d if the total degree of f is at most d. A multivalued multivariate polynomial A very useful fact about polynomials is the following: In particular, any two distinct polynomials f, g : F m → F of total degree d can agree on at most a d/|S| fraction of the points in S m .

Linear PCPs
A linear probabilistically-checkable proof (LPCP) system for a relation R over a field F is one where the PCP oracle is restricted to compute a linear function π : F m → F of the verifier's queries. Viewed as a traditional PCP, π has length |F| m (and alphabet F). For simplicity, we ignore the computational complexity issues in the following definition, and refer to them later when they are needed.

Definition 2.2.
(Linear PCP (LPCP)) Let R be a binary relation, F a finite field, P LPCP a deterministic prover algorithm, and V LPCP a probabilistic oracle verifier algorithm. We say that the pair (P LPCP , V LPCP ) is a (input-oblivious) k-query linear PCP for R over F with knowledge error ε and query length m if it satisfies the following requirements: • Syntax On any input x and oracle π , the verifier V π LPCP (x) makes k input-oblivious queries to π and then decides whether to accept or reject. More precisely, V LPCP consists of a probabilistic query algorithm Q LPCP and a deterministic decision algorithm D LPCP working as follows. Based on its internal randomness, and independently of x, Q LPCP generates k queries q 1 , . . . , q k ∈ F m to π and state information u; then, given x, u, and the k oracle answers a 1 = π , q 1 , . . . , a k = π , q k , D LPCP accepts or rejects.
• Completeness For every (x, w) ∈ R, the output of P LPCP (x, w) is a description of a linear function π : F m → F such that V π LPCP (x) accepts with probability 1. • Knowledge There exists a knowledge extractor E LPCP such that for every linear function π * : F m → F if the probability that V π * LPCP (x) accepts is greater than ε then E π * LPCP (x) outputs w such that (x, w) ∈ R. 5 Furthermore, we say that (P LPCP , V LPCP ) has degree (d Q , d D ) if, additionally, 1. the query algorithm Q LPCP is computed by a degree d Q arithmetic circuit (i.e., there are k polynomials p 1 , . . . , p k : F μ → F m and state polynomial p : F μ → F m , all of degree d Q , such that the LPCP queries are q 1 = p 1 (r), . . . , q k = p k (r) and the state is u = p(r) for a random r ∈ F μ ), and Finally, for a security parameter λ, we say that (P LPCP , V LPCP ) is an algebraic LPCP (for λ) if it has degree (poly(λ), poly(λ)).
and P LPCP also get as input 1 . In this case, all parameters k, m, μ, m , η may also be a function of .
Some of the aforementioned properties only relate to the LPCP verifier V LPCP , so we will also say things like "V LPCP has degree...," i.e., using the verifier as the subject (rather than the LPCP).

Honest-verifier zero-knowledge LPCPs.
We also consider honest-verifier zeroknowledge (HVZK) LPCPs. In an HVZK LPCP, soundness or knowledge is defined as in a usual LPCP, and HVZK is defined as in a usual HVZK PCP. For convenience, let us recall the definition of a HVZK PCP: Definition 2.4. (Honest-verifier zero-knowledge PCP (HVZK PCP)) A PCP system (P PCP , V PCP ) for a relation R, where P PCP is also probabilistic, is δ-statistical HVZK if there exists a simulator S PCP , running in expected polynomial time, for which the following two ensembles are δ-close (δ can be a function of the field, input length, and so on): where View represents the view of the verifier, including its coins and the induced answers according to π .
If the above two distributions are identically distributed then we say that (P PCP , V PCP ) is perfect HVZK (Fig. 2).

Linear Interactive Proofs
A linear interactive proof (LIP) is defined similarly to a standard interactive proof [62], except that each message sent by a prover (either an honest or a malicious one) must be a linear function of the previous messages sent by the verifier. In fact, it will be convenient for our purposes to consider a slightly weaker notion that allows a malicious prover to compute an affine function of the messages. While we will only make use of two-message LIPs in which the verifier's message is independent of its input, below we define the more general notion. Definition 2.5. (Linear Interactive Proof (LIP)) A linear interactive proof over a finite field F is defined similarly to a standard interactive proof [62], with the following differences.
• Each message exchanged between the prover P LIP and the verifier V LIP is a vector q i ∈ F m over F. • The honest prover's strategy is linear in the sense that each of the prover's messages is computed by applying some linear function i : F m → F k to the verifier's previous messages (q 1 , . . . , q i ). This function is determined only by the input x, the witness w, and the round number i. • Knowledge should only hold with respect to affine prover strategies where is a linear function, and b is some affine shift.
Analogously to the case of LPCPs (Definition 2.2), we say that a two-message LIP is input-oblivious if the verifier's messages do not depend on the input x. In such a case the verifier can be split into a query algorithm Q LIP that outputs the query q and possibly a verification state u, and a decision algorithm D LIP that takes as input u, x, and the LIP answer · q. We also consider notions of degree and algebraic LIPs, also defined analogously to the LPCP case.

Remark 2.7. (Honest-verifier zero knowledge)
We also consider an honest-verifier zero-knowledge variant of LIPs (HVZK LIPs), which is defined analogously to Definition 2.4. In this case, the honest prover is probabilistic.
Note that a one-query LPCP is an LIP where the prover returns a single field element; however, when the prover returns more than one field element, an LIP is not a one-query LPCP. In this paper we construct both LIPs where the prover returns more than a single field element (see Sect. 3.1) and LIPs where the prover returns a single field element (see Sect. 3.2).

Constructions of LIPs
We present two transformations for constructing LIPs, in Sects. 3.1, and 3.2, respectively.

LIPs From LPCPs
We show how to transform any LPCP into a two-message LIP with similar parameters. Crucially, our transformation does not significantly affect strong knowledge or algebraic properties of the LPCP verifier. Note that a non-trivial transformation is indeed required in general because the LIP verifier cannot simply send to the LIP prover the queries q 1 , . . . , q k generated by the LPCP verifier. Unlike in the LPCP model, there is no guarantee that the LIP prover will apply the same linear function to each of these queries; instead, we only know that the LIP prover will apply some affine function to the concatenation of q 1 , . . . , q k . Thus, we show how to transform any LPCP (P LPCP , V LPCP ) with knowledge error ε into a two-message LIP (P LIP , V LIP ) with knowledge error at most ε + 1 |F| . If the LPCP has k queries of length m and is over a field F, then the LIP verifier V LIP will send (k + 1)m field elements and receive (k + 1) field elements from the LIP prover P LIP . The idea of the transformation is for V LIP to run V LPCP and then also perform a consistency test (consisting of also sending to P LIP a random linear combination of the k queries of V LPCP and then verifying the obvious condition on the received answers).
More precisely, we construct a two-message LIP (P LIP , V LIP ) from an LPCP (P LPCP , V LPCP ) as follows: • The LIP verifier V LIP runs the LPCP verifier V LPCP to obtain k queries q 1 , . . . , q k ∈ F m , draws α 1 , . . . , α k in F uniformly at random, and sends to the LIP prover P LIP the (k + 1)m field elements obtained by concatenating the k queries q 1 , . . . , q k together with the additional query q k+1 := k i=1 α i q i . • The LIP prover P LIP runs the LPCP prover P LPCP to obtain a linear function π : F m → F, parses the (k + 1)m received field elements as k + 1 queries of m field elements each, applies π to each of these queries to obtain k + 1 corresponding field elements a 1 , . . . , a k+1 , and sends these answers to the LIP verifier V LIP . • The LIP verifier V LIP checks that a k+1 = k i=1 α i a i (if this is not the case, it rejects) and decides whether to accept or reject by feeding the LPCP verifier V LPCP with the answers a 1 , . . . , a k .
Proof. Syntactic properties and completeness are easy to verify. Furthermore, since the construction of V LIP from V LPCP only involves an additional quadratic test, the degree of We are left to argue knowledge (and strong knowledge).
Indeed, the above tells us that if makes V LIP accept with probability greater than ε + 1 |F| , then π k+1,k+1 makes V PCP accept with probability greater than ε. Knowledge (and strong knowledge) thus follow as claimed.
To show the above, fix a tuple of queries, and assume that, for some i * ∈ [k], a i * = π k+1,k+1 , q i * . For the consistency check to pass, it should hold that: Breaking the first summation using the equality q k+1 = k j=1 α j q j , we get: Rearranging, we see that the consistency check reduces to verifying the following equation: Because k+1 j=1 π i * , j , q j + γ i * = a i * = π k+1,k+1 , q i * , the coefficient of α i * in the above polynomial is non-zero. Hence, by the Schwartz-Zippel Lemma (see Lemma 2.1), the identity holds with probability at most 1 |F| . In light of the two LPCP constructions described in Sect. 7, we deduce the following two theorems.

Zero-Knowledge
The LIPs we obtain by via above transformation can all be made honest-verifier zeroknowledge (HVZK) by starting with an HVZK LPCP. For this purpose, we show in Sect. 8 a general transformation from any LPCP with d D = O(1) to a corresponding HVZK LPCP, with only small overhead in parameters.

LIPs From (Traditional) PCPs
We present a second general construction of LIPs. Instead of LPCPs, this time we rely on a traditional k-query PCP in which the proof π is a binary string of length m = poly(|x|). While any PCP can be viewed as an LPCP (by mapping each query location q ∈ [m] to the unit vector e q equal to 1 at the q-th position and 0 everywhere else), applying the transformation from Sect. 3.1 yields an LIP in which the prover's message consists of k + 1 field elements. Here we rely on the sparseness of the queries of an LPCP that is obtained from a PCP in order to reduce the number of field elements returned by the prover to 1. (In particular, the transformation presented in this section does not apply to either of the LPCPs we construct in Sect. 7, because they do not have sparse queries.) The construction relies on the easiness of solving instances of subset sum in which each integer is bigger than the sum of the previous integers (see [81]). Fact 3.5. There is a quasilinear-time algorithm for the following problem: • input: Non-negative integers w 1 , . . . , w k , a such that each w i is bigger than the sum of the previous w j .

(All integers are given in binary representation.)
The following construction uses a parameter that will affect the soundness error. We assume that the field F is of a prime order p where p > 2 k and identify its elements with the integers 0, . . . , p − 1.
• The LIP verifier V LIP runs the PCP verifier V PCP to obtain k distinct query locations , picks a sequence of k random field elements and sends to the LIP prover P LIP the vector • The LIP prover P LIP responds by applying to q the linear function π : F m → F whose coefficients are specified by the m bits of the PCP generated by the PCP prover P PCP . Let a denote the field element returned by P LIP . • The LIP verifier V LIP applies the subset sum algorithm of Fact 3.5 to find (a 1 , . . . , a k ) ∈ {0, 1} k such that a = k i=1 a i w i (if none exists it rejects) and decides whether to accept by feeding the PCP verifier V PCP with a 1 , . . . , a k .
is a k-query PCP for a relation R with proof length m and knowledge error ε, and F is a field of prime order p with p > 2 k . Then (P LIP , V LIP ) from Construction 3.6 is a two-message LIP for R over F with verifier message in F m , prover message in F, and knowledge error ε + 2 k .
Proof. Because the prover message is in F (i.e., the prover returns a single field element) the prover strategy is an affine function * : F m → F (i.e., as in an LPCP, see Remark (2.8)). Let π * : F m → F be a linear function and γ * ∈ F be a constant such that * (q) = π * , q + γ * for all q ∈ F m . We say that query positions q 1 , . . . , q k ∈ [m] are invalid with respect to * if γ * = 0 or there is i ∈ {1, . . . , k} such that * (e q i ) ∈ {0, 1}. It suffices to show that, for any strategy * as above, conditioned on any choice of invalid query positions q 1 , . . . , q k by V LIP , the probability of V LIP accepting is bounded by 2 k / . Indeed, for queries for which * is valid, it holds that * (q i ) = π * , q i ∈ {0, 1} corresponding a traditional PCP oracle π * , so that the knowledge guarantees of (P PCP , V PCP ) would kick in.
The above follows from the sparseness of the answers a that correspond to valid strategies and the high entropy of the answer resulting from any invalid strategy. Con-cretely, fix any candidate solution (a 1 , . . . , a k ) ∈ {0, 1} k and pick w 1 , . . . , w k as in Construction 3.6. Since each w i is picked uniformly from an interval of size , , 1}) and thus, by the Schwartz-Zippel Lemma (see Lemma 2.1), the probability that the polynomial vanishes is at most 1/ ; and . , k} such that π * q i = a i then the same argument as in the previous bullet holds; otherwise, γ * = 0 with probability 0 since we know that γ * = 0.
By a union bound, the probability that there exists solution (a 1 , . . . , Hence, the subset sum algorithm will fail to find a solution and V LIP will reject except with at most 2 k / probability. By setting := 2 k /ε, we obtain the following corollary: is a k-query PCP for a relation R with proof length m and knowledge error ε, and F is a field of prime order p with p > 2 2k /ε. Then (P LIP , V LIP ) from Construction 3.6 is a two-message LIP for R over F with verifier message in F m , prover message in F, and knowledge error 2ε.
Focusing on asymptotic time complexity, perhaps the most relevant PCPs for our purposes here are those of Ben-Sasson et al. [28]. They constructed PCPs where, to prove and verify that a random-access machine M accepts (x, w) within t steps for some w with |w| ≤ t, the prover runs in time (|M| + |x| + t) · polylog(t) and the verifier runs in time (|M| + |x|) · polylog(t) (while asking polylog(t) queries, for constant soundness). Invoking Corollary 3.8 with these PCPs, one can deduce the following theorem. Theorem 3.9. Let F be a finite field and C : {0, 1} n ×{0, 1} h → {0, 1} a boolean circuit of size s. There is an input-oblivious two-message LIP for R C with knowledge error 2 −λ , verifier message in FÕ (s) , prover message in F, and |F| > 2 λ·polylog(s) . Furthermore: • the LIP prover P LIP runs in timeÕ(s); • the LIP query algorithm Q LIP runs in timeÕ(s) + λ · n · polylog(s); • the LIP decision algorithm D LIP runs in time λ · n · polylog(s).
(All the above running times are up to polylog(|F|) factors.) Focusing on communication complexity instead, we can invoke Corollary 3.8 with the query-efficient PCPs of Håstad and Khot [69], which have λ + o(λ) queries for soundness 2 −λ . (Because their PCPs have a query algorithm that depends on the input, we only obtain an LIP where the verifier's message depends on the input; it is plausible that [69] can be modified to be input oblivious, but we did not check this.) (1)) . Furthermore: • the LIP prover P LIP runs in time poly(s); • the LIP query algorithm Q LIP runs in time poly(s) + λ · n · polylog(s); • the LIP decision algorithm D LIP runs in time λ · n · polylog(s). The verifiers of the PCPs of Ben-Sasson et al. [28] (used to derive Theorem 3.9) and of Håstad and Khot [69] (used to derive Theorem 3.10) do not have low degree, and thus the LIPs they induce via our transformation are not algebraic. In Sect. 9, we give evidence that this is inherent, proving that no PCP (for a hard enough language) can have low-degree verifiers (or even satisfy a weaker, but still useful, property that we call "strong knowledge").

Zero-Knowledge
In Sect. 3.1.1 we discussed a generic transformation from any LPCP with d D = O(1) to a corresponding HVZK LPCP. A (traditional) PCP does not typically induce an LPCP with d D = O (1). Thus, if we want to obtain an HVZK LIP through Construction 3.6, we need a different approach.
We observe that if we plug into Construction 3.6 a PCP that is HVZK (see Definition 2.4), then the corresponding LIP is also HVZK.

Definitions of SNARKs and Preprocessing SNARKs
We now turn to the cryptographic part of this work. We define the notions of a SNARK and a preprocessing SNARK. Our definitions follow those in previous works (see for instance, [10,64]).
We first recall the universal relation [19], which provides us with a canonical form to represent verification-of-computation problems. Because such problems typically arise in the form of algorithms (e.g., "is there w that makes program P accept (x, w)?"), we adopt the universal relation relative to random-access machines [6,39]. , t), w , where |y|, |w| ≤ t and M is a random-access machine, such that M accepts (x, w) after at most t steps. 6 We denote by L U the universal language corresponding to R U .
We now proceed to define SNARGs and preprocessing SNARGs. A succinct noninteractive argument (SNARG) is a triple of algorithms (G, P, V ) that works as follows. The (probabilistic) generator G, on input the security parameter λ (presented in unary) and a time bound T , outputs a reference string σ and a corresponding verification state τ . The honest prover P(σ, y, w) produces a proof π for the instance y = (M, x, t) given a witness w, provided that t ≤ T ; then V (τ, y, π) verifies the validity of π .
The SNARG is adaptive if the prover may choose the statement after seeing σ , otherwise, it is non-adaptive; the SNARG is fully-succinct if G runs "fast," otherwise, it is of the preprocessing kind.

Soundness (depending on which notion is considered)
• non-adaptive: For every polynomial-size prover P * , every large enough security parameter λ ∈ N, every time bound T ∈ N, and every instance y . 6 While the witness w for an instance y = (M, x, t) has size at most t, there is no a-priori polynomial bounding t in terms of |x|. Also, the restriction that |y|, |w| ≤ t simplifies notation but comes with essentially no loss of generality: see [27] for a discussion of how to deal with "large inputs" (i.e., x or w much larger than t, in the model where M has random access to them).
• adaptive: For every polynomial-size prover P * , every large enough security parameter λ ∈ N, and every time bound T ∈ N,

Efficiency
There exists a universal polynomial p (independent of R) such that, for every large enough security parameter λ ∈ N, every time bound T ∈ N, and every instance • the generator G runs in time p(λ + log T ) for a fully-succinctSNARG p(λ + T ) for a preprocessingSNARG ; • the prover P runs in time p(λ + |M| + |x| + t + log T ) for a fully-succinct SNARG p(λ + |M| + |x| + T ) for a preprocessing SNARG ; • the verifier V runs in time p(λ + |M| + |x| + log T ); • an honestly generated proof has size p(λ + log T ).

Proof of knowledge. A SNARG of knowledge (SNARK) is a SNARG where soundness
is strengthened as follows: it is a SNARG for R where adaptive soundness is replaced by the following stronger requirement: • Adaptive proof of knowledge 7 For every polynomial-size prover P * there exists a polynomial-size extractor E such that for every large enough security parameter λ ∈ N, every auxiliary input z ∈ {0, 1} poly(λ) , and every time bound T ∈ N, One may want to distinguish between the case where the verification state τ is allowed to be public or needs to remain private: a publicly-verifiable SNARK (pvSNARK) is one where security holds even if τ is public; in contrast, a designated-verifier SNARK (dvSNARK) is one where τ needs to remain secret.

Zero-knowledge.
A zero-knowledge SNARK (or "succinct NIZK of knowledge") is a SNARK satisfying a zero-knowledge property. Namely, zero knowledge ensures that the honest prover can generate valid proofs for true theorems without leaking any information about the theorem beyond the fact that the theorem is true (in particular, without leaking any information about the witness that he used to generate the proof for the 7 One can also formulate weaker proof of knowledge notions. In this work we focus on the above strong notion. theorem). Of course, when considering zero-knowledge SNARKs, the reference string σ must be a common reference string that is trusted, not only by the verifier, but also by the prover.

Definition 4.4.
A triple of algorithms (G, P, V ) is a (perfect) zero-knowledge SNARK for the relation R if it is a SNARK for R and, moreover, satisfies the following property: • Zero Knowledge There exists a stateful interactive polynomial-size simulator S such that for all stateful interactive polynomial-size distinguishers D, large enough security parameter λ ∈ N, every auxiliary input z ∈ {0, 1} poly(λ) , and every time bound T ∈ N, As usual, Definition 4.4 can be relaxed to consider the case in which the distributions are only statistically or computationally close.
In this work, we also consider more "direct," and potentially more efficient, ways to construct zero-knowledge preprocessing SNARKs by relying on various constructions of HVZK LIPs (and without relying on generic NIZKs). See Sect. 6.3.
(We note that when applying the transformations of [12], e.g., to remove preprocessing, zero knowledge is preserved. 8

)
Multiple theorems. A desirable property (especially so when preprocessing is expensive) is the ability to generate σ once and for all and then reuse it in polynomiallymany proofs (potentially by different provers). Doing so requires security also against provers that have access to a proof-verification oracle. While for pvSNARKs this multitheorem proof of knowledge property is automatically guaranteed, this is not the case for dvSNARKs. In Sect. 9, we formally define and discuss this stronger notion of security, and show that some of our dvSNARKs achieve this security notion because of the "strong knowledge" of the underlying LIPs. (We note that, like zero-knowledge above, 8 The definition of proof of knowledge of a SNARK (Definition 4.3) says that the extractor is given the same inputs that are given to the prover, but nothing else; in particular, the extractor does not receive any trapdoor. The transformation of Bitansky et al. [12] crucially relies on this fact. Thus, if one is interested in constructing a zero-knowledge SNARK via the result of [11] and then invoke the result of [12], one must be mindful to rely on (not-necessarily-succinct) non-interactive arguments of knowledge where the extractor does not require a trapdoor. (E.g., the extractor in [2] does not require a trapdoor.) the multi-theorem proof-of-knowledge property is preserved by the transformations of [12].) OUR FOCUS. In this work we study preprocessing SNARKs, where (as stated in Definition 4.2) the generator G may run in time polynomial in the security parameter λ and time bound T .

Preprocessing SNARKs for Boolean Circuit Satisfaction Problems
In Sect. 4, we have defined SNARKs for the universal relation. In this work, at times it will be more convenient to discuss preprocessing SNARKs for boolean circuit satisfaction problems rather than for the universal relation. 9 We thus briefly sketch the relevant definitions, and also explain how preprocessing SNARKs for boolean circuit satisfaction problems suffice for obtaining preprocessing SNARKs, with similar efficiency, for the universal relation. (Indeed, because we are often interested in the correctness of algorithms, and not boolean circuits, it is important that this transformation be efficient!) We begin by introducing boolean circuit satisfaction problems: A preprocessing SNARK for a uniform family of boolean circuits C is defined analogously to a preprocessing SNARK for the universal relation, with only small syntactic modifications. The (probabilistic) generator G, on input the security parameter λ and an index for the circuit C : {0, 1} n( ) × {0, 1} h( ) → {0, 1}, outputs a reference string σ and a corresponding verification state τ . (Both τ and σ can be thought to include λ and .) Given w, the honest prover P(σ, x, w) produces a proof π attesting that x ∈ L C ; then, V (τ, x, π) verifies the validity of π . As for efficiency, we require that there exists a universal polynomial p (independent of the family C) such that for every large enough security parameter λ ∈ N, index ∈ N, and input x ∈ {0, 1} n( ) : • the generator G runs in time p(λ + |C |); • the prover P runs in time p(λ + |C |); • the verifier V runs in time p(λ + |x| + log |C |); • an honestly generated proof has size p(λ + log |C |).
We can also consider the case where C is a non-uniform family, in which case G and P will get as additional input the circuit C .
We show how to obtain a preprocessing SNARK for R U from preprocessing SNARKs for uniform families of boolean circuits. To do so, we need to introduce the notion of a universal RAM simulator: Definition 4.6. Let n ∈ N. We say that a boolean circuit family C n = {C T : {0, 1} n × {0, 1} h(T ) → {0, 1}} T is a universal RAM simulator for n-bit instances if, for every y = (M, x, t) with |y| = n, C T (y, ·) is satisfiable if and only if y ∈ L U and t ≤ T . A witness map of C n , denoted w, is a function such that, for every y = (M, x, t) with |y| = n and t ≤ T , if (y, w) ∈ R U then C T (y, w(T, y, w)) = 1. An inverse witness map of C n , denoted w −1 , is a function such that, for every y = (M, x, t) with |y| = n and t ≤ T , if C T (y, w ) = 1 then (y, w −1 (T, y, w )) ∈ R U . For every n ∈ N, given a preprocessing SNARK (G, P, V ) for a universal RAM simulator C n (for n-bit instances) with (efficient) witness map w and inverse witness map wit −1 , we construct a preprocessing SNARK (G n , P n , V n ) for those pairs (y, w) in the universal relation with |y| = n as follows: Proof. The existence of wit −1 ensures that proof of knowledge is preserved. Concretely, a knowledge extractor E n for a prover convincing V n would first run a knowledge extractor for the same prover convincing V and then run wit −1 to obtain a suitable witness.

Construction 4.7.
The efficiency of C, w, and w −1 has direct implications to the efficiency of (G n , P n , V n ). Concretely: • Let f (T ) := |C T |. The growth rate of f (T ) affects the efficiency of G n and P n , because the efficiency of G and P depends on |C T |. So, for instance, if G and P run in time |C T | 2 · poly(λ) and f (T ) = (T 2 ), then G n and P n run in time (T 4 ) · poly(λ). • The running time of w affects the running time of P n . Indeed, P n must first transform the witness w for y into a witness w for C T (y, ·), and only then he can invoke P. So, for instance, even if f (T ) =Õ(T ) but w runs in time (T 3 ), then P n will run in time (T 3 ). • The running time of w −1 sometimes affects the running time of G n , P n , and V n .
Indeed, if the proof of knowledge property of (G n , P n , V n ) is used in a security reduction (e.g., verifying the correctness of cryptographic computations) then the slower w −1 is the more expensive is the security reduction, and thus the larger the security parameter has to be chosen for (G, P, V ). A larger security parameter affects the efficiency of all three algorithms.
We thus wish the growth rate of f (T ) to be as small as possible, and that w and w −1 be as fast as possible. The reduction from RAM computations to circuits of Ben-Sasson et al. [27] implies that there is a universal RAM simulator where f (T ) =Õ(T ) and both w and w −1 run in sequential timeÕ(T ) (or in parallel time O((log T ) 2 )).
Next, we show how to remove the restriction on the instance size, by using collisionresistant hashing. (Indeed, (G n , P n , V n ) only handles instances y with |y| = n.) Let H = {H λ } λ∈N be a collision-resistant hash-function family such that functions in H λ map {0, 1} * to {0, 1} λ . For any h ∈ H λ and instance y, define y h to be the instance (U h , h(x), poly(λ) + O(t)), where U h is a universal random-access machine that, on input (x,w), parsesw as ((M, x, t), w), verifies thatx = h (M, x, t), and then runs M(x, w) for at most t steps. Because we can assume a uniform super-polynomial upper bound on t, say t ≤ λ log λ , there is a constant c > 0 for which we can assume that |y h | = λ c . Construction 4.9. We construct a preprocessing SNARK (G , P , V ) for the universal relation as follows: Proof. The required efficiency follows readily by construction. The proof of knowledge also follow directly: applying the extractor of the underlying system, we either obtain a valid witness for the statement y, or a collision. The latter is ruled out by collision resistance.
In sum, asymptotically, we incur in essentially no overhead if we focus on constructing preprocessing SNARKs for uniform families of boolean circuits.

Linear-Only Encryption and Encodings
We introduce and discuss the two cryptographic tools used in this paper. First, in Sect. 5.1, we present linear-only encryption and then, in Sect. 5.2, linear-only one-way encodings. In Sect. 5.3, we discuss candidate instantiations for both. Later, in Sect. 6, we describe how to use these tools in our transformations from LIPs to SNARKs (or SNARGs).

Linear-Only Encryption
At high-level, a linear-only encryption scheme is a semantically-secure encryption scheme that supports linear homomorphic operations, but does not allow any other form of homomorphism.
We first introduce the syntax and correctness properties of linear-only encryption; then its (standard) semantic-security property; and finally its linear-only property. In fact, we consider two formalizations of the linear-only property (a stronger one and a weaker one).

Syntax and correctness.
A linear-only encryption scheme is a tuple of algorithms (Gen, Enc, Dec, Add, ImVer) with the following syntax and correctness properties: • Given a security parameter λ (presented in unary), Gen generates a secret key sk and a public key pk. The public key pk also includes a description of a field F representing the plaintext space. • Enc and Dec are (randomized) encryption and (deterministic) decryption algorithms working in the usual way. • Add(pk, c 1 , . . . , c m , α 1 , . . . , α m ) is a homomorphic evaluation algorithm for linear combinations. Namely, given a public key pk, ciphertexts c i ∈ Enc pk (a i ) i∈ [m] , and field elements {α i } i∈ [m] , Add computes an evaluated ciphertextĉ ∈ Enc pk ( i∈[m] α i a i ). • ImVer sk (c ) tests, using the secret key sk, whether a given candidate ciphertext c is in the image of Enc pk . While ultimately a private-key linear homomorphic encryption implies a public-key one [92], using a private-key encryption could, in principle, have efficiency benefits.
Remark 5.3. The linear homomorphism property can be relaxed to allow for cases where the evaluated ciphertextĉ is not necessarily in the image of Enc pk , but only decrypts to the correct plaintext; in particular, it may not be possible to perform further homomorphic operations on such a cipher.
Semantic security. Semantic security of linear-only encryption is defined as usual. Namely, for any polynomial-size adversary A and large enough security parameter λ ∈ N: Linear-only homomorphism. The linear-only (homomorphism) property essentially says that, given a public key pk and ciphertexts (c 1 , . . . , c m ), it is infeasible to compute a new ciphertext c in the image of Enc pk , except by evaluating an affine combination of the ciphertexts (c 1 , . . . , c m ). (Affinity accounts for adversaries encrypting plaintexts from scratch and then adding them to linear combinations of the c i .) Formally, the property is captured by guaranteeing that, whenever the adversary produces a valid ciphertext, it is possible to efficiently extract a corresponding affine function "explaining" the ciphertext.
Remark 5.5. (On the auxiliary input z) In Definition 5.4, the polynomial-size extractor is required to succeed for any (adversarial) auxiliary input z ∈ {0, 1} poly(λ) . This requirement seems rather strong considering the fact that z could potentially encode arbitrary circuits. For example, z could encode a circuit that, given as input public key pk, outputs Enc pk (x) where x = f s (pk) and f s is some hardwired pseudorandom function.
In this case, the extractor would be required to (efficiently) reverse engineer the circuit, which seems to be a rather strong requirement (or even an impossible one, under certain obfuscation assumptions). While for presentational purposes Definition 5.4 is simple and convenient, it can be relaxed to only consider specific "benign" auxiliary-input distributions. Indeed, in our application, it will be sufficient to only consider a truly-random auxiliary input z. (Requiring less than that seems to be not expressive enough, because we would at least like to allow the adversary to toss random coins.) An analogous remark holds for both Definitions 5.8 and 5.17.
Remark 5.6. (Oblivious ciphertext sampling) Definition 5.4 has a similar flavor to plaintext awareness. In fact, an encryption scheme cannot satisfy the definition if it allows for "oblivious sampling" of ciphertexts. (For instance, both standard Elgamal and Paillier encryption do.) Thus, the set of strings c that are valid (i.e., for which ImVer sk (c) = 1) must be "sparse." Later on, we define a weaker notion of linear-only encryption that does not have this restriction.
Remark 5.7. In order for Definition 5.4 to be non-trivial, the extractor E has to be efficient (for otherwise it could run the adversary A, obtain A's outputs, decrypt them, and then output a zero linear function and hard-code the correct values in the constant term).
As for the equivalent formulation in Remark (5.11), for similar reasons the simulator S has to be efficient; additionally, requiring statistical indistinguishability instead of computational indistinguishability does not strengthen the assumption.
Linear targeted malleability. We also consider a weaker variant of the linear-only property, which we call linear targeted malleability. (Indeed, the definition follows the lines of the notion of targeted malleability proposed by Boneh et al. [34], when restricted to the class of linear, or affine, functions.) Definition 5.8. An encryption scheme has the linear targeted malleability property if for any polynomial-size adversary A and plaintext generator M there is a polynomialsize simulator S such that, for any sufficiently large λ ∈ N, and any auxiliary input z ∈ {0, 1} poly(λ) , the following two distributions are computationally indistinguishable: , a 1 , . . . , a m ) ← M(pk)  (c 1 , . . . , c m ) ← (Enc pk (a 1 ), . . . , Enc pk (a m ))  (c 1 , . . . , c k ) ← A(pk, c 1 , . . . , c m ; z) where and s is some arbitrary string (possibly correlated with the plaintexts).
Remark 5.9. Definition 5.8 can be further relaxed to allow the simulator to be inefficient. Doing so does not let us prove knowledge but still enables us to prove soundness (i.e., obtain a SNARG instead of a SNARK). See Remark (6.4) in Sect. 6.1.
By invoking semantic security and the extraction guarantee of E, we can show that S works. The proof follows by a standard hybrid argument. First we consider an experiment where S gives A and E an encryption of a ← M(pk), rather than an encryption of zeros, and argue computational indistinguishability by semantic security. Then we can show that the output in this hybrid experiment is statistically close to that in the real experiment by invoking the extraction guarantee.
A converse to Lemma 5.10 appears unlikely, because Definition 5.8 seems to allow for encryption schemes where ciphertexts can be obliviously sampled while Definition 5.4 does not.
where ∈ F k×m and b ∈ F k , with the convention that if the i-th row of is left empty then a i := ⊥.

Linear-Only One-Way Encoding
Unlike linear-only encryption schemes, linear-only encoding schemes allow to publicly test for certain properties of the underlying plaintexts without decryption (which is now allowed to be inefficient). In particular, linear-only encoding schemes cannot satisfy semantic security. Instead, we require that they only satisfy a certain one-wayness property.
We now define the syntax and correctness properties of linear-only encoding schemes, their one-wayness property, and their linear-only property.

Syntax and correctness.
A linear-only encoding scheme is a tuple of algorithms (Gen, Enc, SEnc, Test, Add, ImVer) with the following syntax and correctness properties: • Given a security parameter λ (presented in unary), Gen generates a public key pk.
The public key pk also includes a description of a field F representing the plaintext space. • Encoding can be performed in two modes: Enc pk is an encoding algorithm that works in linear-only mode, and SEnc pk is a deterministic encoding algorithm that works in standard mode.

Remark 5.12. (Degrees supported by Test)
In this work, we restrict our attention to the case in which Test only takes as input test polynomials t of at most quadratic degree. This restriction comes from the fact that, at present, the only candidates for linear-only one-way encoding schemes that we know of are based on bilinear maps, which only let us support testing of quadratic degrees. (See Sect. 5.3.) This restriction propagates to the transformation from algebraic LIPs discussed in Sect. 6.2, where we must require that the degree of the LIP query algorithm is at most quadratic. Nonetheless our transformation holds more generally (for query algorithms of poly(λ) degree), when given linear-only one-way encoding schemes that support tests of the appropriate degree.
-power one-wayness. In our main application of transforming algebraic LIPs into public-verifiable preprocessing SNARKs (see Sect. 6.2), linear-only encoding schemes are used to (linearly) manipulate polynomial evaluations over F. The notion of onewayness that we require is that, given polynomially-many encodings of low-degree polynomials evaluated at a random point s, it is hard to find s. Definition 5.13. A linear-only encoding scheme satisfies -power one-wayness if for every polynomial-size A and all large enough security parameter λ ∈ N, . . . , c ) ← Enc pk (s), . . . , Enc pk (s ) (c 1 , . . . ,c ) ← SEnc pk (s), . . . , SEnc pk (s ) Our constructions of preprocessing SNARKs from LIPs also involve manipulations of multivariate polynomials. Thus, we are in fact interested in requiring a more general property of multivariate -power one-wayness.
For the case of univariate polynomials (i.e., μ = 1), it is immediate to see that Definition 5.14 is equivalent to Definition 5.13; this follows directly from the fact that univariate polynomials over finite fields can be efficiently factored into their roots [15,24,42,101]. We show that the two definitions are equivalent also for any μ = poly(λ), provided that the encoding scheme is rerandomizable; indeed, in the instantiation discussed in this paper the encoding is deterministic and, in particular rerandomizable.

While j < i and p
to be the non-zero polynomial p * j+1,k with minimal k. (c) Set j := j + 1.

After computing p *
i , restrict the μ − i last variables to s, i.e., compute the x iunivariate polynomial p * i (x i , s i+1 , . . . , s μ ), and factor it to find at most roots; finally, output one of the roots at random as a guess for s = s i .
To analyze the success probability of A , we rely on the following claim: Claim 5.16. If p * ≡ 0 and p * (s 1 , . . . , s μ ) = 0, then there exists i ∈ [μ] such that: Proof of Claim 5. 16. The proof is by induction on i. The base case is when i = 1, for which it holds that: For any i with 2 < i < μ, suppose that: If this inductive process reaches p * μ , then it holds that: which already satisfies the claim.
Note that A guesses the i guaranteed by Claim 5.16 with probability 1/μ, and hence, with the same probability, finds a non-trivial polynomial that vanishes at the challenge point s = s i ; in such a case, A thus guesses s correctly, from among at most roots, with probability at least 1/ . The overall probability of success of A is at lest ε/μ , and this concludes the proof of Proposition 5.15.

Instantiations
We discuss candidates for our notions of linear-only encryption and one-way encoding schemes.

Linear-only property (and linear targeted malleability) from Paillier encryption.
Paillier encryption [88] has plaintext group (Z N , +), where N is a product of two λ-bit primes p and q. (See Remarks (2.6) and (5.1).) We consider two variants of Paillier encryption: • A "single-ciphertext" variant with linear targeted malleability. We assume that standard Paillier encryption satisfies Definition 5.8. Note that this variant cannot satisfy Definition 5.4 (which is stronger, as shown in Lemma 5.10), because it is easy to "obliviously sample" valid Paillier ciphertexts without "knowing" the corresponding plaintext. (See Remark (5.6).) • A "two-ciphertext" variant with linear-only property. In order to (heuristically) prevent oblivious sampling, we can "sparsify" the ciphertext space of Paillier encryption by following the template of knowledge-of-exponent assumptions. Concretely, an encryption of a plaintext a consists of Enc pk (a) and Enc pk (α · a) for a secret random α ∈ Z N ; additionally, an image verification algorithm ImVer sk checks this linear relation. (This candidate is also considered in [56].) We then assume that this variant of Paillier encryption satisfies Definition 5.4.
Because Paillier encryption is based on the decisional composite residuosity assumption, it suffers from factoring attacks, and thus security for succinct arguments based on the above instantiations can only be assumed to hold against subexponential-time provers (specifically, running in time 2 o(λ 1/3 ) ).

Linear-only property (and linear targeted malleability) from Elgamal encryption.
Elgamal encryption [51] has plaintext group (Z p , ×) for a large prime p, and is conjectured to resist subexponential-time attacks when implemented over elliptic curves [89]. We are interested in additive, rather than multiplicative, homomorphism for plaintexts that belong to the field F p (whose elements coincide with those of Z p ). Thus, we would like the plaintext group to be (Z p , +) instead. The two groups (Z p , ×) and (Z p , +) are in fact isomorphic via the function that maps a plaintext a to a new plaintext g a ( mod p), where g is a primitive element of F p . Unfortunately, inverting this mapping is computationally inefficient: in order to recover the plaintext a from g a (mod p), the decryption algorithm has to compute a discrete logarithm base g; doing so is inefficient when a can be any value. Thus, a naive use Elgamal encryption in our context presents a problem.
Nonetheless, as explained in Sect. 1.3.3, we can still use Elgamal encryption in our context by ensuring that the distribution of the honest LIP prover's answers, conditioned on any choice of verifier randomness, has a polynomial-size support. Doing so comes with two caveats: it results in succinct arguments with only 1/poly(λ) security and (possibly) a slow online verification time (but, of course, with proofs that are still succinct).
Here too, to prove security, we can consider single-ciphertext and two-ciphertext variants of Elgamal encryption that we assume satisfy Definitions 5.8 and 5.4, respectively.

Linear-only property (and linear targeted malleability) from Benaloh encryption.
Benaloh encryption [14] generalizes the quadratic-residuosity-based encryption scheme of Goldwasser and Micali [61] to higher residue classes; it can support any plaintext group (Z p , +) where p is polynomial in the security parameter. Unlike Elgamal encryption (implemented over elliptic curves) and similarly to Paillier encryption, Benaloh encryption is susceptible to subexponential-time attacks.
As before, we can consider single-ciphertext and two-ciphertext variants of Benaloh encryption that we assume satisfy Definitions 5.8 and 5.4, respectively. Because we are restricted to p = poly(λ), succinct arguments based on Benaloh encryption can only yield 1/poly(λ) security.
Linear-only one-way encodings from KEA in bilinear groups. In order to obtain publicly-verifiable preprocessing SNARKs (see Sect. 6.2), we seek linear-only encodings that have poly(λ)-power one-wayness and allow to publicly test for zeroes of poly(λ)-degree polynomials. For this, we use the same candidate encoding over bilinear groups, and essentially the same assumptions, as in [56,64,78]; because of the use of bilinear maps, we will in fact only be able to publicly test for zeros of quadratic polynomials. The corresponding construction can be instantiated with conjectured exponential security. Indeed, subexponential-time attacks against the base groups (relevant to the security in pairing-based SNARK constructions) are not known to be inherent. (In terms of concrete instantiations, however, existing symmetric-pairing groups are subject to subexponential attacks, whereas there do exist asymmetric-pairing groups conjectured to be resilient to subexponential attacks, for instance [23].) For the sake of completeness, and since the construction does not correspond directly to a known encryption scheme as in the examples above, we give the basic construction and relevant assumptions. For the sake of simplicity, we describe the construction and relevant assumption in the setting of symmetric pairings, but the construction could naturally be adapted to the setting of asymmetric pairings.
The encoding is defined over a bilinear group ensemble {G λ } λ∈N where each (G, G T ) ∈ G λ is a pair of groups of prime order p ∈ (2 λ−1 , 2 λ ) with an efficiently-computable pairing e : G × G → G T . A public key pk includes the description of the groups and g, g α ∈ G, where g ∈ G * is a generator and α ← F p is random. The encoding is deterministic: the linear-only mode encoding is Enc pk (a) := (g a , g αa ), and the standard-mode encoding is SEnc pk (a) := g a . Public image verification is as follows: ImVer pk ( f, f ) outputs 1 if and only if e( f, g α ) = e(g, f ). Public testing of quadratic polynomials can also be done using the pairing: for Test uses g 1 , . . . , g m andg 1 , . . . ,gm and the pairing to test zeros for a quadratic polynomial t. The required cryptographic assumptions are: Assumption 5.18. (KEA and poly-power DL in bilinear groups) There exists an efficiently-samplable group ensemble {G λ } λ∈N , where each (G, G T ) ∈ G λ are groups of prime order p ∈ (2 λ−1 , 2 λ ) having a corresponding efficiently-computable pairing e : G × G → G T , such that the following properties hold.
1. Knowledge of exponent For any polynomial-size adversary A there exists a polynomial-size extractor E such that for all large enough λ ∈ N, any auxiliary input z ∈ {0, 1} poly(λ) , 10 and any group element sampler S,

Hardness of poly-power discrete logarithms For any polynomial-size adversary
A, polynomial t = poly(λ), all large enough λ ∈ N, and generator sampler S:

Remark 5.19. (Lattice-based candidates)
In principle, we may also consider as candidates lattice-based encryption schemes (e.g., [91]). However, our confidence that these schemes satisfy linear-only properties may be more limited, as they can be tweaked to yield fully-homomorphic encryption schemes [36].

Preprocessing SNARKs from LIPs
We describe how to combine LIPs and linear-only encryption and encodings in order to construct preprocessing SNARKs. Before describing our transformations, we make two technical remarks.

SNARKs and LIPs for boolean circuit families.
Since the LIPs that we have presented so far are for boolean circuit satisfaction problems, it will be convenient to construct here preprocessing SNARKs for boolean circuit satisfaction problems. As explained in Sect. 4.1, such preprocessing SNARKs imply preprocessing SNARKs for the universal relation R U with similar efficiency.
Also, for the sake of simplicity, the LIP constructions that we have presented so far are for satisfiability of specific boolean circuits. However, all of these constructions directly extend to work for any family of boolean circuits C = {C } ∈N , in which case all the LIP algorithms (e.g., V LIP = (Q LIP , D LIP ) and P LIP ) will also get as input 1 (as foreshadowed in Remark (2.3)). If the circuit family C is uniform, all the LIP algorithms are uniform as well. If the circuit family C is non-uniform, then Q LIP and P LIP will also get a circuit C as auxiliary input (in addition to 1 ).
Field size depending on λ. Definition 2.5 (and Definition 2.2) are with respect to a fixed field F. However, since the knowledge error of a LIP (or LPCP) typically decreases with the field size, it is often convenient to let the size of F scale with a security parameter λ. In fact, when combining a LIP with some of our linear-only encryption and encoding candidates, letting F scale with λ is essential, because security will only hold for a large enough plaintext space. (For example, this is the case for the Elgamal-like linear-only encoding described in Sect. 5.3). All of the LIP constructions described in Sects. 3.1 and 3.2 do work for arbitrarily large fields, and we can assume that (P LIP , V LIP ) simply get as additional input the description of the field; abusing notation, we will just denote this description by F λ .

Designated-Verifier Preprocessing SNARKs from Arbitrary LIPs
We describe how to combine a LIP and linear-only encryption to obtain a designatedverifier preprocessing SNARK. Construction 6.1. Let {F λ } λ∈N be a field ensemble (with efficient description and operations). Let C = {C } ∈N be a family of circuits. Let (P LIP , V LIP ) be an inputoblivious two-message LIP for the relation R C , where for the field F λ , the verifier message is in F m λ , the prover message is in F k λ , and the knowledge error is ε(λ). Let E = (Gen, Enc, Dec, Add, ImVer) be a linear-only encryption scheme whose plaintext field, for security parameter λ, is F λ . We define a preprocessing SNARK (G, P, V ) for R C as follows.
Proof. Completeness follows readily from the completeness of (P LIP , V LIP ) and the correctness of E. Efficiency follows readily from that of (P LIP , V LIP ). We thus focus on establishing the knowledge property. Let P * be a malicious polynomial-size prover. We construct a knowledge extractor E for P * in two steps: E(σ, z), given common reference string σ and auxiliary input z, first invokes the linear-only extractor E (σ, z) for P * (on the same input (σ, z) as P * ) to obtain an LIP affine transformation * "explaining" the encryptions output by P * ; in the second step, E invokes the LIP extractor E LIP with oracle access to * and on input the statement chosen by P * to obtain an assignment for the circuit.
We now argue that E works as required. First, we claim that, except with negligible probability, whenever P * (σ, z) produces a statement x and proof c = (c 1 , . . . , c k ) accepted by the verifier, the extracted * is such that D LIP (F λ , 1 , x, u, a * ) = 1, where u is the private state of the verifier and a * = * (q). Indeed, by the linear-only property of E (see Definition 5.4), except with negligible probability, whenever the verifier is convinced, a * = * (q) is equal to a = Dec sk (c ), which is accepted by the LIP decision algorithm.
Second, we claim that, due to semantic security of E, except with probability 4ε + negl(λ), whenever the verifier accepts, the extracted proof * is not only "locally satisfying" but "globally satisfying," and thus the LIP extractor E LIP is guaranteed to extract from * a witness for x.
Assume toward contradiction that for some noticeable δ(λ), it holds with probability 4ε + δ that D LIP (F λ , 1 , x, u, * (q)) = 1, and yet E * LIP (x) fails to output a valid witness for x. We describe a reduction that breaks the semantic security of E. The reduction applies Q LIP (F λ , 1 ) to sample two random queries q 0 , q 1 along with corresponding states u 0 , u 1 . It then submits q 0 , q 1 to a challenger and gets back a public key pk and encryption of Enc pk (q b ), it then runs the extractor with σ = (pk, Enc pk (q b )) (and auxiliary input z) and obtains * . We consider two events: (F λ , 1 , x, u 1 ,  *  (q 1 )).
If F and D both occur, the reduction outputs the unique bit β such that D LIP (F λ , 1 , x, u β , * (q β )) = 1; otherwise, the reduction outputs a random guess β. We next show that the reduction guesses b with noticeable advantage over 1/2. For this, we shall prove: 1. Both F and D occur at least with noticeable probability δ. 2. If both F and D occur, the reduction guesses β = b with constant advantage; specifically, with probability 2/3.
First, by our assumption toward contradiction Second, since E LIP fails to extract from * , and q 1−b , u 1−b are sampled independently of * , We now have In particular, Furthermore, This concludes the proof.

Designated-verifier non-adaptive preprocessing SNARKs from linear targeted malleability.
We also consider a notion that is weaker than linear-only encryption: encryption with linear targeted malleability (see Definition 5.8). For this notion, we are still able to obtain, via the same Construction 6.1, designated-verifier preprocessing SNARKs, but this time only against statements that are non-adaptively chosen. Proof. Let P * be a malicious polynomial-size prover, which convinces the verifier for infinitely many false statements x. By the targeted malleability property (see Definition 5.8), there exists a polynomial-size simulator S (depending on P * ) such that: where where q is the LIP query and u is the LIP verification state. If P * convinces the verifier to accept with probability at least ε + δ for some noticeable δ, then, with at least the same probability, the distribution on the left satisfies that D LIP (x, u, a) = 1. Because this condition is efficiently testable, the simulated distribution on the right satisfies the same condition with probability at least ε + δ/2. However, in this distribution the generation of q and u is independent of the generation of the simulated affine function = ( , b). Therefore, by averaging, there is a δ/2 fraction of such that, with probability at least ε over the choice of q and u, it holds that D LIP (x, u, q + b) = 1. This yields an extractor whose expected running time is 2/δ = λ O (1) . The extractor repeatedly samples (sk, pk) applies the simulator S(pk; x) and then applies the LIP extractor attempting to extract from = ( , b).
Remark 6.4. (Inefficient simulator) As mentioned in Remark (5.9), Definition 5.8 can be weakened by allowing the simulator to be inefficient. In such a case, we are able to obtain designated-verifier non-adaptive preprocessing SNARGs (note the lack of the knowledge property), via essentially the same proof as the one we gave above for Lemma 6.3.

Remark 6.5. (A word on adaptivity)
One can strengthen Definition 5.8 by allowing the adversary to output an additional (arbitrary) string y, which the simulator must be able to simulate as well. Interpreting this additional output as the adversary's choice of statement, a natural question is whether the strengthened definition suffices to prove security against adaptively-chosen statements as well.
Unfortunately, to answer this question in the positive, it seems that a polynomial-size distinguisher should be able to test whether a statement y output by the adversary is a true or false statement. This may not be possible if y encodes an arbitrary NP statement (and for the restricted case of deterministic polynomial-time computations, the approach we just described does in fact work. ) We stress that, while we do not know how to prove security against adaptively-chosen statements, we also do not know of any attack on the construction in the adaptive case.

Publicly-Verifiable Preprocessing SNARKs from Algebraic LIPs
We show how to transform any LIP with degree (d Q , d D ) = (poly(λ), 2) to a publiclyverifiable preprocessing SNARK using linear-only one-way encodings with quadratic tests. The restriction to quadratic tests (i.e., d D ≤ 2) is made for simplicity, because we only have one-way encoding candidates based on bilinear maps. As noted in Remark (5.12), the transformation can in fact support any d D = poly(λ), given one-way encodings with corresponding d D -degree tests. Construction 6.6. Let {F λ } λ∈N be a field ensemble (with efficient description and operations). Let C = {C } ∈N be a family of circuits. Let (P LIP , V LIP ) be an input-oblivious two-message LIP for the relation R C , where for field F λ , the verifier message is in F m λ , the prover message is in F k λ , and the knowledge error is ε(λ); assume that the verifier degree is (d Q , d D ) = (poly(λ), 2). Let E = (Gen, Enc, SEnc, Test, Add, ImVer) be a linear-only one-way encoding scheme whose plaintext field, for security parameter λ, is F λ . We define a preprocessing SNARK (G, P, V ) for R C as follows.
Proof. Completeness follows readily from the completeness of (P LIP , V LIP ) and the correctness of E. Efficiency as claimed above follows readily from that of the underlying LIP. We thus focus on establishing the knowledge property.
Let P * be a malicious polynomial-size prover. As in the designated-verifier case, we construct its knowledge extractor E in two steps: first invoke the linear-only extractor E for P * (on the same input (σ, z) as P * ) to obtain an LIP affine transformation * "explaining" the encryptions output by P * , and then the LIP extractor E LIP (with oracle access to * and on input the statement chosen by P * ) to obtain an assignment for the circuit.
We now argue that E works as required. (Differently from the designated verifier case (see proof of Lemma 6.2), we now rely on poly(λ)-power one-wayness (Definition 5.13) of the linear-only encoding scheme, instead of semantic security.) First, we claim that, except with negligible probability, whenever P * (σ, z) produces a statement x and proof c = (c 1 , . . . , c k ) accepted by the verifier, the extracted * is such that t x ( * (q), u) = 0. Indeed, by the linear-only property of E (see Definition 5.17), except with negligible probability, whenever the verifier is convinced, it holds that c ∈ Enc pk ( * (q)) (i.e., c encodes the plaintext * (q)); moreover, since the verifier only accepts if Test pk, t x , c ,c = 1, wherec = (c 1 , . . . ,c m ) is the (standard-mode) encoding of u, it indeed holds that t x ( * (q), u) = 0.
Second, recall that the query q(r) and state u(r) are polynomials in the randomness r of Q LIP of degrees d Q and d D , respectively. Accordingly, t x ( * (q(r)), u(r)) is a (d Q d D )-degree polynomial in the randomness r of the query algorithm Q LIP . We claim that t x ( * (q(r)), u(r)) ≡ 0, i.e., it is vanishes everywhere; in particular, * is a (perfectly) convincing LIP affine function. Indeed, if that is not the case, then, since t x is of degree d Q · d D = poly(λ), we can use the extractor E to break the poly(λ)-power onewayness of the linear-only scheme (see Definitions 5.13 and 5.14). Specifically, given encodings of poly(λ) polynomials in r, we manage to find a poly(λ)-degree polynomial t x ( * (q(·)), u(·)) that vanishes on r, but not everywhere.

Resulting Preprocessing SNARKs
We now state what preprocessing SNARKs we get by applying our different transformations. Let C = {C } be a circuit family where C is of size s = s( ) and input size n = n( ). Table 2 summarizes (most) of the preprocessing SNARKs obtained from our LIP constructions (from Sects. 3.1 and 3.2) and computational transformations (from Sects. 6.1 and 6.2).
Zero-knowledge and ZAPs. As mentioned before, if the LIP is HVZK then the corresponding preprocessing SNARK is zero-knowledge (against malicious verifiers in the CRS model), provided that linear-only encryption (or one-way encoding) are rerandomizable; all of our candidates constructions are rerandomizable.
As mentioned in Sect. 3.1.1, both of our LIP constructions based on LPCPs can be made HVZK (either via the general transformation described in Sect. 8 or via construction-specific modifications discussed in Sect. 7). As for the LIP constructions based on traditional PCPs, we need to start with an HVZK PCP. For efficient such constructions, see [47].
The zero-knowledge preprocessing SNARKs we obtain are arguments of knowledge where the witness can be extracted without a trapdoor on the CRS; this is unlike what happens in typical NIZKs (based on standard assumptions). This property is crucial when recursively composing SNARKs as in [12].
Finally, the zero-knowledge SNARKs we obtain are, in fact, perfect zero-knowledge. Moreover, for the case of publicly-verifiable (perfect) zero-knowledge preprocessing  Recall that adaptivity is a crucial property in order to benefit from the recursive composition techniques of Bitansky et al. [12] SNARKs, the CRS can be tested, so that (similarly to previous works [56,64,78]) we also obtain succinct ZAPs.

Two LPCPs for Circuit Satisfaction Problems
We describe two ways of obtaining algebraic LPCPs for boolean circuit satisfaction problems (see Definition 4.5). For simplicity, in this section (as well as in Sects. 3.1 and 3.2), we focus on relations R C where C is a fixed boolean circuit. All the discussions can be naturally extended to relations R C where C is a uniform boolean circuit family.

An LPCP from the Hadamard Code
We begin with a very simple LPCP, which is the well-known Hadamard-based PCP of Arora et al. [4] (ALMSS), naturally extended to work over an arbitrary finite field F. Since we only require soundness against linear proof oracles, there is no need to apply linearity testing and self-correction as in the original PCP of ALMSS. This makes the construction of the LPCP and its analysis even simpler, and has the advantage of yielding knowledge error O(1/|F|) with a constant number of queries. The resulting LPCP verifier will have degree (2, 2), so that the LPCP is algebraic. We now formulate the properties of the simplified version of the Hadamard-based PCP in the arithmetic setting: Claim 7.1. Let F be a finite field and C : {0, 1} n × {0, 1} h → {0, 1} a boolean circuit of size s. There is a 3-query LPCP for R C with knowledge error 2/|F|, query length s + s 2 , and degree (2,2). Furthermore: • the LPCP prover P LPCP is an arithmetic circuit of size O(s 2 ); • the LPCP query algorithm Q LPCP is an arithmetic circuit of size O(s 2 ); • the LPCP decision algorithm D LPCP is an arithmetic circuit of size O(n).

Construction and analysis.
It is convenient to formulate our variant of the ALMSS construction for a relation R(x, w) defined by an arithmetic (rather than boolean) circuit over F. In the following, an arithmetic circuit may contain addition gates of unbounded fan-in and multiplication gates of fan-in 2; both types of gates can have unbounded fanout. A sequence of one or more nodes (gates or inputs) defines the output of the circuit. The size of the circuit is defined as the total number of nodes. We say that an arithmetic circuit C : F n × F h → F is satisfied on a given input if all of the outputs are 0; that is, the corresponding relation is defined as The standard problem for boolean circuit satisfaction can be easily reduced to the problem of arithmetic circuit satisfaction with only constant overhead. Claim 7.2. (From boolean circuit satisfaction to arithmetic circuit satisfaction) Let F be a finite field, n an input length parameter, and h an output length parameter. There exist efficient (in fact, linear-time) transformations (arith, inp, wit, wit −1 ) such that, for any boolean circuit C : {0, 1} n × {0, 1} h → {0, 1} (with AND, OR, and NOT gates) and input x ∈ {0, 1} n , the following conditions hold: • arith(C) outputs an arithmetic circuit C : Proof sketch. Let x = (−1, x 1 , . . . , x n ). The circuit C (x, w) emulates the computation of C on (x, w), using the constant −1 to emulate OR and NOT gates, and treating the entries of w as bits of w. (For instance, NOT(z) can be computed as 1 + (−1) · z.) The first output of C is equal to 1 − C(x, w) (for all w ∈ {0, 1} h ). The remaining h outputs of C are used to ensure that any satisfying w ∈ F h is a bit vector. This is done by outputting We now proceed to describe the construction of the LPCP for an arithmetic circuit C : F n ×F h → F . We let z i denote the value of the i-th wire of C given input x ∈ F n and witness w ∈ F h , where we assume that z i = x i for i ∈ {1, . . . , n} and z s− +1 , . . . , z s are the values of the output wires (which are supposedly 0). The honest prover uses a linear oracle π whose coefficient vector includes z 1 , . . . , z s , and z i · z j for all i, j ∈ {1, . . . , s}. The verifier needs to check that: (1) the coefficient vector is consistent with itself (namely, the entry which supposedly contained z i ·z j is indeed the product of the entries containing z i and z j ); (2) z i = x i for i ∈ {1, . . . , n}; (3) z s−i = 0 for i ∈ {0, . . . , − 1}; and (4) for every gate, the given value for its output wire is consistent with the given values for its input wires.
The first condition can be verified with two queries: the first query asks for a random linear combination of the z i and the second query asks for the linear combination of the z i · z j that corresponds to the square of the first query. The verifier checks that the second answer is the square of the first answer. It follows from the Schwartz-Zippel Lemma (cf. Lemma 2.1) that if condition (1) is violated then this test will fail except with at most 2/|F| probability. Conditions 2, 3, 4 are tested together using a single query by taking a random linear combination with coefficient vector r of the left hand sides of the following equations: − 1), . . . , s; • k j=1 z i j − z k = 0 for each addition gate with input wires i 1 , . . . , i k and output wire k; • z i · z j − z k = 0 for each multiplication gate with input wires i, j and output wire k.
Note that this random linear combination can be efficiently transformed into a random linear combination of the coefficients z i and z i · z j . The verifier accepts if the answer is equal to the corresponding linear combination of the right hand side, namely to n i=1 r i x i . Assuming that condition (1) is satisfied, this test fails with probability at most 1/|F|. Overall, we get a 3-query LPCP with knowledge error 2/|F| = O(1/|F|), query length s + s 2 = O(s 2 ) and degree (2,2). The construction is summarized as follows: Construction 7.3. Let F be a finite field and C : F n × F h → F an arithmetic circuit over F of size s. LPCP prover algorithm P LPCP . Given (x, w) ∈ F n × F h such that C(x, w) = 1, compute the values z 1 , . . . , z s of all wires in C(x, w), and output the linear function π : F s+s 2 → F defined by the coefficients z i for all i ∈ [s] and z i · z j for all i, j ∈ [s]. LPCP query algorithm Q LPCP . The query algorithm Q LPCP has hardcoded in it: Both A C and b C can be computed efficiently (in fact, in linear time) from C. The query algorithm Q LPCP outputs queries q 1 , q 2 , q 3 ∈ F s+s 2 that are computed as follows: 1. sample a random vector r = (r 1 , r 2 ) ∈ F 2s ; denote by r x the first n coordinates of r 1 and by r C the last s − n coordinates of r 1 ; 2. set q 1 := r 1 · A C ; 3. the first s elements of q 2 is the vector r 2 and the last s 2 elements are 0; 4. the first s elements of q 3 are 0 and the last s 2 element are r 2 Additionally the query algorithm Q LPCP outputs the state information Given input x, state u = (u C , r x ), and answers a 1 , a 2 , a 3 ∈ F, verify that

Remark 7.4. (HVZK variant)
To make the LPCP of Claim 7.1 an HVZK LPCP, we could apply the general transformation presented in Sect. 8. However, there is a transformation specific to the LPCP of Claim 7.1 that introduces almost no overhead. Essentially, the prover can simply concatenate a random element to the linear function he generates; this can be interpreted as adding a dummy wire to the circuit and assigning to it a random value; the verifier then reasons in terms of this new circuit. In fact, the idea we just described is a very simple instance of the transformation in Sect. 8, which generalizes it to work for any LPCP.

An LPCP from Quadratic Span Programs
Next, we note that an LPCP with linear query algorithm and quasilinear prover algorithm can be easily obtained by going through the quadratic span programs of Gennaro et al. [56]; this gain is at the expense of the degree of the query algorithm which now becomes O(s) instead of 2.

Construction and analysis.
We present the definition of a quadratic span program satisfiability problem, based on the definition of a strong quadratic-span program (QSP) in [56].
Gennaro et al. [56] have shown that there is a very efficient reduction from boolean circuit satisfiability problems to QSP satisfiability problems: moreover, Q is sparsely represented; Moreover, qsp, inp, wit −1 run in linear time and wit runs in quasilinear time.
We now give a construction of an LPCP for a QSP satisfiability problem: LPCP prover algorithm P LPCP . Given (x, (a, b, h)) such that (x, (a, b, h)) ∈ R Q , output the linear function π : F 2m−n+d → F defined by π : = (a, b, h) (i.e., the concatenation of the coefficients vectors). LPCP query algorithm Q LPCP . Select a random point r ∈ F and output the queries q 1 , q 2 , q 3 ∈ F 2m−n+d defined as follows: • the first m − n elements of q 1  Additionally, the algorithm outputs the state information u := ({v i (r )} 0≤i≤n , w 0 (r ), t (r )) ∈ F n+2 . LPCP decision algorithm D LPCP . Given input x, state u = ({v i (r )} 0≤i≤n , w 0 (r ), t (r )), and answers a 1 , a 2 , a 3 , verify that We now prove that Construction 7.8 has the desired properties. Correctness follows from the construction. Next, fix a linear function π * : F 2m−n+d → F and view it as π * = (a * , b * , h * ) for some a * ∈ F m−n , b * ∈ F m , and h * ∈ F d . Suppose that V π * LPCP (x) accepts with more than 2d/|F| probability. By construction, we have that: By the Schwartz-Zippel Lemma (cf. Lemma 2.1), we deduce that: We conclude that (x, (a * , b * , h * )) ∈ R Q . We thus have a 3-query LPCP for R Q with knowledge error 2d/|F|, query length 2m − n + d, and degree (d, 2  Remark 7.9. (HVZK variant) To make the LPCP of Claim 7.5 an HVZK LPCP, we could apply the general transformation presented in Sect. 8. However, Gennaro et al. [56] give a transformation for the specific case of QSPs that introduces almost no overhead. Their transformation is rather different from our general transformation and exploits special features of QSPs. At a very high-level, we first pad each of the LPCP answers with a random field element, and then add terms to the proof that allow a verifier to cancel the noise, but without leaking any further information. In particular, in our transformation, the verifier has to make sure that these additional terms are properly structured, and doing so requires additional tests. Instead, [56] use the special QSP structure: instead of padding the LPCP answers with random field elements, they add randomized factors of the target polynomial t to the answers, and this is already sufficient to force the prover to stick to the proper structure, and does not require additional structure tests.

HVZK for LPCPs with Low-Degree Decision Algorithm
We describe a general transformation that takes any LPCP with d D = 2 to a corresponding LPCP that is HVZK, with only a small overhead in parameters. Of course, because the transformation guaranteed by Theorem 8.1 is generic, optimizations are often possible in specific cases to, e.g., reduce the number of queries. For instance, the two LPCP constructions described in Sect. 7 have HVZK variants with almost no overhead (see Remarks 7.4 and 7.9).
The rest of this section contains the proof of Theorem 8.1. Let us begin with the high-level idea.
The high-level idea. The LPCP prover adds to each of the original LPCP answers a i a random element ξ i ; clearly, the distribution of these new answers is independent of the witness used by the prover, and thus the new answers are HVZK. Unfortunately, this modification allows the LPCP verifier to only compute a noisy evaluation of the test polynomial, namely t x (u, a+ξ), when instead the verifier needed a noiseless evaluation. To recover soundness without breaking HVZK, the verifier needs to learn the difference = t x (u, a + ξ) − t x (u, a), but nothing else. We show how the prover can do this by adding suitable crossterms to the linear function, and letting the verifier test that the new linear function, which includes these crossterms, has the correct "structure." We now concretize this high-level idea by proceeding in three steps.
Step 1: soundness against provers respecting quadratic tensor relations. In our transformation, an honest LPCP proof π is mapped to a new proof π = (π 1 , . . . , π c ) that must satisfy a set T of quadratic tensor relations; a quadratic tensor relation is a triple (i, j, k) ∈ [c] 3 , that corresponds to the requirement π i = π j ⊗ π k . 11 Thus, we can write: where a ⊗ b = (a i · b j ) i, j is the tensor product of vectors a and b. We say that β is the size of T . In our construction, T is independent of the input x, so we focus our attention to this case.
We begin by showing that any LPCP that is secure against T -respecting provers (for some given T ) can be transformed into a corresponding LPCP against arbitrary provers, with a small overhead in parameters and while maintaining HVZK. For a given set of quadratic tensor relations T , we say that an LPCP has soundness (or knowledge) error ε against T -respecting provers if it has soundness (or knowledge) error ε against proofs that satisfy all the quadratic tensor relations in T .  Proof sketch. We sketch the transformation T and an argument for its correctness; a detailed description of the transformation can be found after the proof sketch, in Construction 8.4. The transformation leverages the fact that any quadratic tensor relation can be checked with only 3 queries and a quadratic decision predicate. Concretely, given two vectors a and b and another vector c, to test whether c = a ⊗ b, we can sample two random vectors r a and r b , and test whether c, r a ⊗ r b = a, r a · b, r b .
By the Schwartz-Zippel Lemma (see Lemma 2.1), if the quadratic tensor relation does not hold, then the test passes with probability at most 2/|F|.
Thus, letting π * = (π 1 , . . . , π c ) be a potentially malicious proof, if we want to test whether π * satisfies the set of quadratic tensor relations T , we proceed as follows. For each (i, j, k) ∈ T , generate queries q i , q j , q k to π * so that π * , q i = π i , r j ⊗ r k π * , q j = π j , r j π * , q k = π k , r k where r j and r k are random vectors of suitable length, 12 and then test whether π * , q i = π * , q j · π * , q k .
While the solution described in the previous paragraph does provide suitable security and efficiency guarantees, it does not preserve HVZK, because the additional "structure" queries may reveal information about the witness. To fix this problem, we proceed as follows. For each quadratic tensor relation c = a ⊗ b, we modify the part of the proof corresponding to it, as well as the verifier's "structure" queries for it. Specifically, we extend the vectors a, b, c to a = (a|ξ a ), b = (b|ξ b ), c = a ⊗ b , where ξ a and ξ b are random field elements; similarly, the verifier's "structure" queries r a , r b , r a ⊗ r b are extended to r a = (r a |r a ), r b = (r b |r b ), r a ⊗ r b , where r a and r b are random field elements. The two query answers a , r a and b , r b are now truly random conditioned on r a and r b being non-zero, and hence can be simulated. 13 In addition, c , r a ⊗ r b can be simulated by taking the product of the simulated answers. As for the queries of the original LPCP, these can be appropriately padded with zeros so that the answers to them 12 If the same j or k appears in multiple triples in T , there is no need to sample a new random vector. 13 Here is where we lose 1/|F| in statistical distance between the honest distribution and the simulated distribution. If, however, the honest verifier could sample randomness from the set F − {0} (instead of F as required by the definition), then this loss can be avoided at the expense of an additional 1/|F| factor in the knowledge error. (Note that mapping the uniform distribution on F to the uniform distribution on F − {0} is not a low-degree operation so, if we want to ensure that d Q = d Q , then we cannot simply let V LIP do this, but we must supply him with the uniform distribution on F − {0}.) are not affected by the changes to the proof; the answers to these queries are simulatable, when assuming that the original LPCP is HVZK. Overall, the modification to preserve HVZK does not change the number of queries, and increases their length m by at most a factor of 1 + 1 m < 2. This concludes the proof sketch for Claim 8.3.

Construction 8.4.
(Transformation for Claim 8.3) Let (P LPCP , V LPCP ) be an LPCP for R that is secure against T -respecting provers, for some set of quadratic tensor relations T of size β. Parse a proof π as follows: where c = α+β is the number of components in π and (α+1, j 1 , k 1 ), . . . , (α+β, j β , k β ) are the β triples in T . (We can always relabel triples in T so that the β components of π constrained by a tensor relation in T appear after any unconstrained component.) Note that each of j 1 , . . . , j β , k 1 , . . . , k β can be any index in [α + β] (always subject to the condition that are no "cycles" in T ). Construct the LPCP (P LPCP , V LPCP ) as follows.
Let us explain the mapping from π to π in words. Let us assume without loss of generality that the triples (α + 1, j 1 , k 1 ), . . . , (α + β, j β , k β ) are labeled so that they are in a "topological order": namely, if < then it cannot be that j or k is equal to α + . (A topological order exists because there are no cycles in T .) We first pad each of the components π 1 , . . . , π α with a random element to obtain π 1 , . . . , π α . Then, for = 1, . . . , β (in this order), we pad π j ⊗π k with a random element to obtain π α+ ; because of the topological order, when defining π α+ , we have already defined both π j and π k . • The query algorithm Q LPCP . The query algorithm Q LPCP invokes Q LPCP to obtain queries q 1 , . . . , q k and a state u, and then produces and outputs (along with u) new queries q (1) 1 , . . . , q (1) k , q (2) s 1 , . . . , q (2) s γ , q · The queries q (1) 1 , . . . , q (1) k correspond to the original queries q 1 , . . . , q k to π. In other words, we construct each q (1) j so that Since π contains π (and some new terms), each q (1) j can be obtained from q j via suitable padding with zeros (in the locations corresponding to the new terms). · The remaining queries are for testing the tensor structure in a way that preserves HVZK: * For ∈ [γ ], q (2) s is constructed so that where r (2) s is a random vector (of suitable length) and r (2) s is a random field element.
k and checks that a j β a (2) k β .
Step 2: from higher-degree tensor relations to quadratic tensor relations. The notion of a set of tensor relations introduced in the previous step can of course be extended to relations of more than 2 vectors. In general, a set of tensor relations T is a set of tuples of potentially different length; we say that a vector π = (π 1 , . . . , π c ) satisfies a set of tensor relations in T if for every tuple (i, j, k, . . . , z) ∈ T it holds that π i = π j ⊗π k ⊗· · ·⊗π z . (As before, we require tuples in T to not form cycles, etc.; see Footnote 11.) We describe a (zero-knowledge preserving) transformation that maps any LPCP that is secure against T -respecting provers, for some T containing tensor relations that are at most cubic, into a corresponding LPCP that is secure against T -respecting provers, for a corresponding set of quadratic tensor relations T . (While not needed here, the transformation can be extended to deal with arbitrary sets of tensor relations; see Remark (8.6).) Claim 8.5. There exists an efficient LPCP transformation Q such that, for any set of at-most-cubic tensor relations T , the following properties hold: Proof sketch. The idea is to simply split every cubic tensor into two quadratic tensors. Namely, for every tensor relation π i = π j ⊗ π k ⊗ π in T , we let T require the two tensor relations π i = π j ⊗ π k and π i = π i ⊗ π , for some new index i . With this modification the length of the proof at most doubles and, moreover, the size of T is at most 2β = O(β).
While it is possible to test cubic tensor relations "directly," in a manner that is analogous to the way we test quadratic tensor relations in the proof of Claim 8.3, doing so requires decision predicates of cubic degree, which we wish to avoid. Claim 8.5 thus lets us move from cubic tensor relations to quadratic tensor relations before any tensor relations are tested.
Remark 8.6. Claim 8.5 can be extended to handle any set of tensor relations T , and not only quadratic ones. Concretely, a tensor relation over d vectors can be split into (d − 1) quadratic tensor relations. The corresponding parameter changes to the new proof length and size of T can be easily deduced.
Step 3: from LPCP to HVZK LPCP against tensor-respecting provers. We describe a transformation that maps any LPCP into a corresponding perfect HVZK LPCP, with similar parameters, that is secure against T -respecting provers for a certain set of atmost-cubic tensor relations T .   , 2). Furthermore, T has size β = 3η.
• The query algorithm Q LPCP . The query algorithm Q LPCP invokes Q LPCP to obtain queries q 1 , . . . , q k and a state u, and then produces new queries q 1 , . . . , q k , q k+1 , q k+2 . Specifically: · For each j ∈ [k], the prefix of q j is q j , and the suffix is a unit vector e j , which is 1 in the j-th position and zero otherwise. In other words, we construct q j so that: π , q j = π, q j + ξ j . x . In other words, q k+1 consists of a random vector r padded with zeros so that · The vector q k+2 consists of several copies of each of q 1 , . . . , q k and u, and of zeros, so that π , q k+2 = t x (u, π, q 1 , . . . , π, q k , ξ) = t x (u, a, ξ).
As for the state, Q LPCP outputs u = (u, r). Remark 8.9. (Multi-dimensional test polynomials) As mentioned above, to simplify notation, we have defined the padding polynomial and given Construction 8.8 for the case η = 1. For the general case of η-dimensional polynomial t x with η > 1, we proceed as follows. Instead of defining a single padding polynomial, we define η padding polynomials t x ,i , each with its own coefficients . Accordingly, the third, fourth, and fifth row of the proof π are extended to η corresponding rows; similarly for the sixth, eight, and tenth row of π . The query q k+1 is modified to include η random vectors r 1 , . . . , r η ; indeed, the linear combination checking the correctness of c 1 , . . . , c η can be taken simultaneously for all of the c i (rather than for each c i separately). The last query q k+2 is replaced by η queries q k+2 , . . . , q k+η+1 , each according to the appropriate t x ,i .
First, note that the degree of (P LPCP , V LPCP ) is the same as that of (P LPCP , V LPCP ): we have only introduced linear operations to both query and decision polynomials.
Next, let us argue that (P LPCP , V LPCP ) has the claimed knowledge error. Assuming that the vectors (c x ) are not computed properly, then the random linear combination test will fail except with probability 1/|F|. Thus, the knowledge error of (P LPCP , V LPCP ) is at most ε + 1/|F|.
To see that (P LPCP , V LPCP ) is perfect HVZK, note that the honest verifier does not learn from an honest proof any information except for the fact that t x (u, a) = t x (u, π , q 1 , . . . , π , q k ) = 0. More formally, the answers a 1 , . . . , a k can all be simulated by random independent elements; the answer a k+1 can be simulated by just taking a random combination of (c u⊗ξ x , c a⊗ξ x , c ξ ⊗ξ x ); and the difference a k+2 = t x (u, a, ξ) can be simulated simply as t x (u, a ), where u is an honestly generated state for the verifier and a are the simulated answers a 1 , . . . , a k .

Multi-Theorem Designated-Verifier SNARKs via Strong Knowledge
A desirable property of SNARKs is the ability to generate the reference string σ , once and for all, and then reuse it to produce polynomially-many proofs (potentially by different provers). Doing so is especially desirable for preprocessing SNARKs, where generating σ afresh is expensive. However, being able to securely reuse σ requires security also against provers that have access to a proof-verification oracle. For publicly-verifiable SNARKs, this multi-theorem proof of knowledge is automatically guaranteed. For designated-verifier SNARKs, however, multi-theorem proof of knowledge needs to be required explicitly as an additional property. Intuitively, this is achieved by ensuring that the verifier's response "leaks" only a negligible amount of information about the verification state τ (for then malicious prover strategies that create a significant correlation between τ and the event of the verifier rejecting are ruled out). 14 Security against such provers can be formulated for (computational) soundness or proof of knowledge, both in the non-adaptive and adaptive settings. Because in this paper we are typically interested in adaptive proof of knowledge, we formulate it in this setting.
Definition 9.1. A triple of algorithms (G, P, V ) is a multi-theorem SNARK for the relation R ⊆ R U if it is a SNARK for R where adaptive proof of knowledge (Definition 4.3) is replaced by the following stronger requirement: • Multi-theorem adaptive proof of knowledge For every polynomial-size prover P * , there exists a polynomial-size extractor E such that for every large enough security parameter λ ∈ N, auxiliary input z ∈ {0, 1} poly(λ) , and time bound T ∈ N, As 15 discussed in Sect. 1.3.3, the PCP-based (or MIP-based) SNARKs of [8,10,11,44,46,60,83] are not multi-theorem SNARKs, because a malicious prover can adaptively learn the encrypted PCP (or MIP) queries (whose secrecy is crucial for security), just by feeding different proofs to the verifier and learning his responses. In this paper, some of the designated-verifier preprocessing SNARKs that we construct satisfy multi-theorem proof of knowledge (under suitable assumptions), and some do not.
Concretely, an interesting property that is satisfied by algebraic LIPs, which we call strong knowledge, is that such "correlation attacks" are impossible: roughly, every LIP prover either makes the LIP verifier accept with probability 1 or with probability less than O(poly(λ)/|F|). Designated-verifier preprocessing SNARKs constructed from such LIPs can thus be shown to have the multi-theorem property. Details follow. Definition 9.2. An LPCP (P LPCP , V LPCP ) with knowledge error ε has strong knowledge error if for every input x and every linear function π * : F m → F, the probability that V π * LPCP (x) accepts is either 1 or at most ε. (When we are not paying attention to the knowledge properties of the LPCP, we shall call this property strong soundness.) An analogous definition holds for LIPs.
For sufficiently large field F, algebraic LPCPs and LIPs have the strong knowledge error property, as proved in the following lemma. Proof. Since (P LPCP , V LPCP ) has knowledge error ε, it also has knowledge error max{ε, We are now only left to show that, for every input x and linear function π * , if Pr[V π * LPCP (x) = 1] > max{ε, |F| then Pr[V π * LPCP (x) = 1] = 1. Indeed, letting t x be the test polynomial, p the state polynomial, p 1 , . . . , p k the query polynomials of V LPCP , Pr V π * LPCP (x) = 1 = Pr r←F μ t x p(r), π * , p 1 (r) , . . . , π * , p k (r) = 0 η = Pr r←F μ a(r) = 0 η , where a is the polynomial of degree d Q d D defined by a(r) := t x p(r), π * , p 1 (r) , . . . , π * , p k (r • Both LIPs constructed in Sect. 3.1 are algebraic (as they are based on algebraic LPCPs) and hence, because of Lemma 9.3, do enjoy strong knowledge. • In contrast, the LIPs constructed in Sect. 3.2 are not algebraic and also do not enjoy strong knowledge (or soundness). The reason is that those LIPs are based on traditional PCPs that do not enjoy strong knowledge (or soundness).
In fact, we now prove that no (traditional) PCP (for a hard-enough language) can enjoy strong soundness, so that the lack of strong knowledge (or soundness) for the LIPs constructed in Sect. 3.2 is inherent. Concretely, we show that if a language L has a (traditional) PCP with strong soundness, then it can be decided quite easily. is the PCP oracle that is the same as π at the locations in S and is equal to 1 at all other locations. Indeed, to see that the latter is sufficient, consider the MA verifier that, on input x and candidate witness (S, π| S ) ∈ {0, 1} 2k(log m+1) , runs V PCP with (π | S , 1| [m]\S ) and accepts if and only if V PCP does; by the above claim and the completeness of (P PCP , V PCP ), for any x ∈ L, there is a witness that makes the MA verifier accept with probability 1; furthermore, for every x / ∈ L, the (strong) soundness of (P PCP , V PCP ) implies that the MA verifier accepts with probability at most 1/3 regardless of the witness.
From LIPs with strong knowledge to multi-theorem designated-verifier preprocessing SNARKs. At high level, the fact that LIPs with strong knowledge make "correlation attacks" impossible gives strong intuition for why such LIPs should give rise (through our transformation from Sect. 6.1) to designated-verifier preprocessing SNARKs with the multi-theorem property.
However, formalizing this intuition seems to require a notion of linear-only encryption that is stronger than the one introduced in Sect. 5.1. Specifically, we need to be able to repeatedly extract from a malicious prover in order to simulate its queries to the proof-verification oracle. Doing so raises difficulties similar to the case of plaintextaware encryption (see [25,26]), and seems to be solvable via "interactive extractability assumptions" [25,26,46].
We now provide a definition of linear-only encryption that, together with strong knowledge, suffices to obtain multi-theorem SNARKs. We thus obtain a confirmation that using strong knowledge is a "conceptually correct" method serving as a good heuristic toward the construction of multi-theorem SNARKs (despite the fact that we need to make fairly strong cryptographic assumptions to formalize this step).

Linear-only homomorphism with interactive extraction.
A linear-only encryption scheme with interactive extraction is the same as a (standard) linear-only encryption (Definition 5.4), except that it has a stronger extraction guarantee. Recall that the (standard) linear-only property says that whenever an efficient adversary, given a public key pk and ciphertexts (c 1 , . . . , c m ), produces a ciphertext c in the image of Enc pk , there is an efficient extractor that outputs a corresponding affine function "explaining" the ciphertext (or, more accurately, the underlying plaintext) as an affine combination of (c 1 , . . . , c m ) (or, more accurately, their underlying plaintexts). While the standard definition only guarantees "one-time" extraction, the interactive definition gives the adversary the option to interact with the extractor and try to repeatedly sample additional ciphertexts c 2 , c 3 , . . . given the previously-extracted affine combinations. The definition below is along the same lines as definitions in [25,26,46]. Definition 9.6. An encryption scheme has the linear-only property with interactive extraction if, for any polynomial-size (interactive) adversary A, there is a polynomialsize (interactive) extractor E such that, for any sufficiently large λ ∈ N, any auxiliary input z ∈ {0, 1} poly(λ) , and any plaintext generator M, A wins the following game with negligible probability: 1. Generation step: • (sk, pk) ← Gen(1 λ ); • (a 1 , . . . , a m ) ← M(pk); • (c 1 , . . . , c m ) ← (Enc pk (a 1 ), . . . , Enc pk (a m )).

3.
A wins if there exists some i ∈ [|A|], such that any one of the following holds: • The extractor fails to identify that A outputs an invalid cipher. Namely, there exists j ∈ [k] such that ImVer sk (c i, j ) = 1 and e i = ⊥. (In particular, [25,26,46] considered "knowledge of exponent assumptions" satisfying a similar requirement.) We now show that in Lemma 6.2, provided that the linear-only encryption satisfies Definition 9.6 and the LIP has strong knowledge error, we obtain a multi-theorem SNARK (again through Construction 6.1). Lemma 9.8. Suppose that the LIP (P LIP , V LIP ) has strong knowledge error poly(λ)/|F| and E is a linear-only encryption scheme with interactive extraction (Definition 9.6). Then, (G, P, V ) from Construction 6.1 is a multi-theorem designated-verifier preprocessing SNARK.
Proof. We show that any polynomial-size adversary A that can access the proofverification oracle V (τ, ·, ·) can be transformed into a new polynomial-size adversary A that cannot access V (τ, ·, ·) such that, except with negligible probability, the output of A is equal to the (final) output of A. The lemma then follows by applying Lemma 6.2 with adversary A where the random coins used by A are used as auxiliary input.
First, we use A to define a new interactive adversary I A that (following the template of Definition 9.6) works as follows. Given a public key pk and ciphertexts (c 1 , . . . , c m ), I A runs A and simulates the proof-verification oracle V (τ, ·, ·) for A. Specifically, when A outputs the first query (y 1 , π 1 ) to V (τ, ·, ·), I A proceeds as follows: 1. I A outputs the tuple of ciphers π 1 and then receives e 1 from the extractor; 2. if e 1 = ⊥, I A answers A's query (y 1 , π 1 ) with 0; 3. otherwise, e i is an affine function ( 1 , b 1 ), and I A runs the LIP verification procedure using fresh coins; namely, it samples (u, q) ← Q LIP , computes d 1 = D LIP (u, 1 · q + b 1 ), and then answers A's query (y 1 , π 1 ) with d 1 . (Note that u is sampled independently of the state contained in the verification state τ , which is unknown to I A .) Then, I A continues to run A, each time simulating the answers of V (τ, ·, ·) the same way it simulated its first answer. Finally, when A produces its final output (y f , π f ), I A also outputs (y f , π f ). By the interactive extraction guarantee (see Definition 9.6), I A has a corresponding polynomial-size extractor E such that, when I A and E play the extraction game, I A wins with negligible probability. 16 Next, we use I A and E to define a new (non-interactive) adversary A that works as follows. Given a public key pk and ciphertexts (c 1 , . . . , c m ), A runs the extraction game between I A and E, and then outputs the final output (y f , π f ) of I A . Note that A does not require access to V (τ, ·, ·).
We claim that, except with negligible probability, the output of A is equal to the (final) output of A. To show this, it suffices to argue that, except with negligible probability, the answers provided by I A to A and those provided by V (τ, ·, ·) are equal. And indeed: • Whenever A makes a query (y i , π i ) where π i contains a ciphertext c such that ImVer sk (c ) = 1, V (τ, ·, ·) returns 0. In such a case, the extractor E outputs ⊥, and so I A answers A's query with 0. • For any other query (y i , π i ) of A, except with negligible probability, E outputs ( i , b i ) that explains A's output; i.e., Dec sk (c i, j ) = a j for all j ∈ [k], where (a i,1 , . . . , a i,k ) ← i · (a 1 , . . . , a m ) + b i . We now consider two cases. The first case is where ( i , b i ) convinces the LIP verifier with probability 1; in this case, both V (τ, ·, ·) and I A return 1. The second case is where ( i , b i ) does not always convince the LIP verifier; in particular, by the strong knowledge guarantee, ( i , b i ) convinces the LIP verifier with only negligible probability. We argue that, in this case, except with negligible probability, both V (τ, ·, ·) and I A return 0. This clearly holds for I A , because it samples fresh queries and state from Q LIP . The fact that this is also the case for V (τ, ·, ·) follows from semantic security. For, if this were not the case, I A and E could be used to produce an affine function that causes V (τ, ·, ·) to accept and yet does not satisfy all but a negligible fraction of (u, q) ∈ Q LIP ; this would allow to efficiently distinguish this encrypted LIP query from an encrypted random LIP query.
The proof of the lemma is now complete. appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.