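In this section we construct the basic delegation protocol $(\mathsf{Gen}_{\mathsf{BP}}, \mathsf{P}_{\mathsf{BP}}, \mathsf{V}_{\mathsf{BP}})$. Let $\{C_k\}_{k\in\mathbb{N}}$ be a constructible ensemble of circuits. Let $S(k) = 2^{m(k)} = \mathrm{poly}(k)$ be the size of $C_k$ (we assume without loss of generality that $S(k)$ is a power of 2). Before describing the procedures $\mathsf{Gen}_{\mathsf{BP}}, \mathsf{P}_{\mathsf{BP}}, \mathsf{V}_{\mathsf{BP}}$ we define an ensemble of ring-independent circuits $\{\varphi_k\}$ that describes the structure of $C_k$.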
4.2.1 The Circuit $\varphi^b_x$
For every input $x\in\{0,1\}^k$, let $\phi_x$ be a 3-CNF boolean formula such that $\phi_x(y_1,\dots,y_{S(k)}) = 1$ iff the wire-assignments $y_1,\dots,y_{S(k)}$ describe the correct computation of the circuit $C(x)$ and also $C(x) = 1$. More specifically, $\phi_x$ contains the following clauses:
• Input clauses: For every input wire, there is a clause verifying that the value of this wire is consistent with $x$.
• Gate clauses: For every set of wires (of size 2 or 3) that are connected to a gate in $C$, there are clauses verifying that the values of these wires are consistent with the gate.
• Output clause: There is a clause verifying that the value of the output wire is 1.
• Boolean clauses: For every wire, except for the output wire, there is a (seemingly redundant) clause verifying that the value of the wire is either 0 or 1.
We remark that the boolean clauses are added so that $\phi_x$ can also be used to verify the consistency of partial assignments that may contain general ring elements (we elaborate in the security proof).
For every triplet of bits $b = (b_1, b_2, b_3)\in\{0,1\}^3$, let $\varphi^b_x : \{0,1\}^{3m}\to\{0,1\}$ be a boolean function such that for every triplet of wires $w_1, w_2, w_3\in\{0,1\}^m$, $\varphi^b_x(w_1, w_2, w_3) = 1$ iff $\phi_x$ contains the clause:
$$(y_{w_1} = b_1)\vee(y_{w_2} = b_2)\vee(y_{w_3} = b_3),$$
and otherwise $\varphi^b_x(w_1, w_2, w_3) = 0$.
Claim 4.6 (Efficient Computation of $\varphi^b_x$). For every $b\in\{0,1\}^3$, the function $\varphi^b_x$ can be computed by a uniform ensemble of ring-independent circuits with degree $\delta(k) = \mathrm{polylog}(k)$ and size $\tilde{O}(k)$.
Proof. The circuit for $\varphi^b_x$ computes the sum of 4 ring-independent sub-circuits, each checking if the input represents a specific type of clause contained in $\phi$. Since every input represents at most one type of clause, $\varphi^b_x$ is ring independent (Claim 3.18). Checking for boolean clauses and for the output clause can be implemented by a uniform ring-independent circuit of $\mathrm{polylog}(k)$ degree and $\mathrm{polylog}(k)$ size. Checking for input clauses can be implemented by a uniform ring-independent circuit of $\mathrm{polylog}(k)$ degree and $\tilde{O}(k)$ size. Since $C_k$ is a constructible ensemble, checking for gate clauses can be implemented by a uniform ring-independent circuit of $\mathrm{polylog}(k)$ degree and $\mathrm{polylog}(k)$ size, using the wiring predicates of $C_k$ (see Definition 3.20).
Remark 4.7. By considering a constructible ensemble $\{C_k\}$, we are able to prove Claim 4.8. This will be used to argue that the verifier $\mathsf{V}_{\mathsf{BP}}$ can efficiently evaluate $\varphi^b_x$ (on encoded inputs). This differs from the protocol of [KRR14], where they only argue that the ensemble $\{C_k\}$ is log-space uniform and therefore the time to evaluate $\varphi^b_x$ may be as long as performing the entire computation. The solution of [KRR14] is to delegate the computation of $\varphi^b_x$ to the prover using a separate delegation protocol for log-space computations.
4.2.2 The Challenge Generator $\mathsf{Gen}_{\mathsf{BP}}$
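$\mathsf{Gen}_{\mathsf{BP}}$ is given as input the security parameter $1^n$ and the input size $1^k$. Let $C = C_k$, $S = S(k)$, and $m = m(k)$. Let $Q = O(\log^6 n)$ be a parameter defined as in Claim 4.3, and let $\delta = \delta(k)$ (recall that $\delta(k)$ is the degree of the circuit $\varphi^b_x$). Let $\delta' = 3m\cdot(\delta + 1)$. $\mathsf{Gen}_{\mathsf{BP}}$ samples public parameters and re-randomization parameters:
$$\mathsf{pp}, \mathsf{rp} \leftarrow \mathsf{InstGen}(1^n, \delta').$$
Let $\mathbb{Z}_p$ be the underlying field of the public parameters $\mathsf{pp}$. $\mathsf{Gen}_{\mathsf{BP}}$ samples random curves passing through $0^m$ encoded in level 1 using the procedure $\mathsf{Curve}$ described in Section 3.2.1:
$$\forall q\in[Q],\quad [\gamma_q]_1, [t]_1 \leftarrow \mathsf{Curve}(\mathsf{pp}, \mathsf{rp}, \delta', 0^m).$$
(The output $[t]_1$ of $\mathsf{Curve}$ is ignored.) $\mathsf{Gen}_{\mathsf{BP}}$ outputs the $\mathsf{CRS}$ that contains the public parameters $\mathsf{pp}$ and the encoded curves $[\gamma_1]_1, \dots, [\gamma_Q]_1$.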
4.2.3 The Prover $\mathsf{P}_{\mathsf{BP}}$
We start by introducing some notation. For an instance $x\in L$, let $X : \{0,1\}^m\to\{0,1\}$ be a boolean function such that for every wire $w\in\{0,1\}^m$, $X(w)$ is the value of the wire $w$ in the computation $C(x)$. Let $\tilde{X}$ be the ring-independent multi-linear extension of $X$ (see Section 3.5). For every $b\in\{0,1\}^3$ let $P^b_0$ be the arithmetic circuit given by the expression:
$$P^b_0(w_1, w_2, w_3) = \varphi^b_x(w_1, w_2, w_3)\cdot\prod_{i\in[3]}\left(1 - \beta(b_i, \tilde{X}(w_i))\right).$$
(Where $\beta$ is the ring-independent circuit for computing the identity function on bits. See Section 3.5.) For every $j\in[3m]$, let $P^b_j$ be the arithmetic circuit given by the expression:
$$P^b_j(z_1, \dots, z_{3m}) = \sum_{y_1,\dots,y_j\in\{0,1\}} \beta(y_1, \dots, y_j, z_1, \dots, z_j)\cdot P^b_0(y_1, \dots, y_j, z_{j+1}, \dots, z_{3m}).$$
It follows from Fact 3.18 that for every $j\in[0,3m]$, $P^b_j$ is ring-independent. Note that, for every $j\in[0,3m]$, $P^b_j$ is multi-linear in its first $j$ input variables, and of individual degree at most $\delta + 1$ in its last $3m - j$ input variables (since $\tilde{X}$ is multi-linear). Note also that since $x\in L$, $P^b_0(z) = 0$ for every $z\in\{0,1\}^{3m}$ and $b\in\{0,1\}^3$. Therefore, for every $j\in[3m]$, for every ring $R$, and for every $z\in R^j\times\{0,1\}^{3m-j}$, $P^b_j(z) = 0$ over $R$.
We continue our description of $\mathsf{P}_{\mathsf{BP}}$. Given the input:
$$\mathsf{CRS} = \left(\mathsf{pp}, [\gamma_1]_1, \dots, [\gamma_Q]_1\right),$$
and an instance $x\in L$, $\mathsf{P}_{\mathsf{BP}}$ computes the polynomials:
$$\tilde{X},\quad \left\{P^b_j\right\}_{b\in\{0,1\}^3,\, j\in[3m]},$$
as above. For every $q\in[Q]$ let $\tilde{X}_q(t, s)$ be the bivariate polynomial:
$$\tilde{X}_q(t, s) = \tilde{X}\circ(\gamma_q)_{1\to s},$$
of degree at most $(\delta'\cdot(m-1))$ in $t$ and linear in $s$.
For every $q = (q_1, q_2, q_3)\in[Q]^3$, $b\in\{0,1\}^3$ and $j\in[3m]$, let $P^{b,q}_{j-1}$ be the 4-variate polynomial:
$$P^{b,q}_{j-1}(t_1, t_2, t_3, s) = P^b_{j-1}\circ(\gamma_{q_1}, \gamma_{q_2}, \gamma_{q_3})_{j\to s}.$$
The degree of $P^{b,q}_{j-1}$ in the variables $t_1, t_2, t_3$ is at most $(\delta'\cdot m\cdot(\delta+1))$ (depending on the value of $j$), and the degree in the variable $s$ is at most $\delta + 1$.
$\mathsf{P}_{\mathsf{BP}}$ uses the operations $\mathsf{Add}, \mathsf{Sub}, \mathsf{Mult}$ to obtain the encoded polynomials:
$$\Pi = \left(\left\{\left[\tilde{X}_q\right]_{m-1}\right\}_{q\in[Q]},\ \left\{\left[P^{b,q}_{j-1}\right]_{(3m-j)(\delta+1)+j-1}\right\}_{q\in[Q]^3,\, b\in\{0,1\}^3,\, j\in[3m]}\right),$$
where $\tilde{X}_q$ is encoded under the level $m-1$ since $\tilde{X}$ is multi-linear, and the coefficients of the manifold $(\gamma_q)_{1\to s}$ are encoded in level 1 in all output coordinates, except for the first coordinate whose coefficients are known in the clear. Similarly, $P^{b,q}_{j-1}$ is encoded under the level $(3m-j)(\delta+1)+j-1$ since $P^b_{j-1}$ is multi-linear in its first $j-1$ coordinates and of individual degree at most $\delta+1$ in its last $3m-j$ coordinates, and since the coefficients of the manifold $(\gamma_{q_1}, \gamma_{q_2}, \gamma_{q_3})_{j\to s}$ are encoded in level 1 in all output coordinates, except for the $j$-th coordinate whose coefficients are known in the clear. Finally, $\mathsf{P}_{\mathsf{BP}}$ outputs the proof $\Pi$.
4.2.4 The Verifier $\mathsf{V}_{\mathsf{BP}}$
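$\mathsf{V}_{\mathsf{BP}}$ is given as input the $\mathsf{CRS}$:
$$\mathsf{CRS} = \left(\mathsf{pp}, [\gamma_1]_1, \dots, [\gamma_Q]_1\right),$$
the instance $x$ and the proof:
$$\Pi = \left(\left\{\left[\tilde{X}_q\right]_{m-1}\right\}_{q\in[Q]},\ \left\{\left[P^{b,q}_{j-1}\right]_{(3m-j)(\delta+1)+j-1}\right\}_{q\in[Q]^3,\, b\in\{0,1\}^3,\, j\in[3m]}\right).$$
The verifier computes the following polynomials:
• For every $q\in[Q]$, define $\tilde{X}'_q$ to be the univariate polynomial:
$$\tilde{X}'_q \triangleq \tilde{X}\circ\gamma_q. \tag{14}$$
Note that $\tilde{X}'_q(t)$ is just the polynomial $\tilde{X}_q(t, s)$ (as defined by the honest prover $\mathsf{P}_{\mathsf{BP}}$), with the variable $s$ restricted so as to agree with $\gamma_q(t)$. That is:
$$\tilde{X}'_q(t) \equiv \tilde{X}_q(t, \gamma_q(t)[1]),$$
where $\gamma_q(t)[1]$ denotes the first coordinate of the curve $\gamma_q$ evaluated on $t$.
• For every $q = (q_1, q_2, q_3)\in[Q]^3$ and $b\in\{0,1\}^3$ and $j\in[3m]$, define $P'^{b,q}_{j-1}$ to be the 3-variate polynomial:
$$P'^{b,q}_{j-1} \triangleq P^b_{j-1}\circ(\gamma_{q_1}, \gamma_{q_2}, \gamma_{q_3}). \tag{15}$$
We have that:
$$P'^{b,q}_{j-1}(t_1, t_2, t_3) \equiv P^{b,q}_{j-1}\left(t_1, t_2, t_3, (\gamma_{q_1}, \gamma_{q_2}, \gamma_{q_3})(t_1, t_2, t_3)[j]\right), \tag{16}$$
where $(\gamma_{q_1}, \gamma_{q_2}, \gamma_{q_3})(t_1, t_2, t_3)[j]$ denotes the $j$-th coordinate of the manifold $(\gamma_{q_1}, \gamma_{q_2}, \gamma_{q_3})$ evaluated on $t_1, t_2, t_3$.
• Define $P'^{b,q}_{3m}$ to be the constant zero 3-variate polynomial:
$$P'^{b,q}_{3m} \equiv 0. \tag{17}$$
Following the above definitions, using the operations $\mathsf{Add}, \mathsf{Sub}, \mathsf{Mult}$ and the encodings in $\mathsf{CRS}$ and $\Pi$, $\mathsf{V}_{\mathsf{BP}}$ obtains the encoded polynomials:
$$\left\{\left[\tilde{X}'_q\right]_{m}\right\}_{q\in[Q]},\quad \left\{\left[P'^{b,q}_{j}\right]_{(3m-j)(\delta+1)+j}\right\}_{q\in[Q]^3,\, b\in\{0,1\}^3,\, j\in[0,3m]}.$$
Next, $\mathsf{V}_{\mathsf{BP}}$ verifies that for every $q\in[Q]^3$, $b\in\{0,1\}^3$ the following identities hold:
$$P'^{b,q}_{0}(t_1, t_2, t_3) \equiv \varphi^b_x(\gamma_{q_1}(t_1), \gamma_{q_2}(t_2), \gamma_{q_3}(t_3))\cdot\prod_{i\in[3]}\left(1 - \beta(b_i, \tilde{X}'_{q_i}(t_i))\right), \tag{18}$$
$$\forall j\in[3m]:\quad P'^{b,q}_{j}(t_1, t_2, t_3) \equiv \sum_{y\in\{0,1\}} \beta\left(y, (\gamma_{q_1}, \gamma_{q_2}, \gamma_{q_3})(t_1, t_2, t_3)[j]\right)\cdot P^{b,q}_{j-1}(t_1, t_2, t_3, y). \tag{19}$$
Note that $\mathsf{V}_{\mathsf{BP}}$ can verify these identities: it uses the operations $\mathsf{Add}, \mathsf{Sub}, \mathsf{Mult}$ and the circuit $\varphi^b_x$ to compute the encoded polynomials as a list of encoded coefficients. It then uses the operations $\mathsf{Sub}, \mathsf{isZero}$ to test Equalities (18) and (19) for every $q\in[Q]^3$, $b\in\{0,1\}^3$ and $j\in[0,3m]$. If all these tests pass, then $\mathsf{V}_{\mathsf{BP}}$ accepts. Otherwise, it rejects.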
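The following is an added example, not code from the paper: it evaluates the polynomials $P^b_j$ of Section 4.2.3 in the clear (no encodings, no curves) and checks both the vanishing property stated there and the one-variable recurrence that identity (19) tests. The constructed two-input AND circuit, all function names, the product form used for $\beta$, and the restriction of the last $3m-j$ coordinates to bits (so that $\varphi^b_x$ and $\tilde{X}$ are only needed on boolean labels) are assumptions of the example.

```python
from itertools import product

M = 2  # wire labels are M-bit strings: S = 2**M = 4 wires, P_j has 3*M inputs

def clauses(x):
    """Constructed circuit: wires 0,1 are inputs, wire 2 = AND(0,1) is the output.
    ((w1,w2,w3),(b1,b2,b3)) encodes (y_w1=b1) v (y_w2=b2) v (y_w3=b3); shorter
    clauses repeat a literal. Boolean clauses are omitted in this example."""
    return {((0, 0, 0), (x[0],) * 3), ((1, 1, 1), (x[1],) * 3),  # input clauses
            ((0, 1, 2), (0, 0, 1)), ((0, 2, 2), (1, 0, 0)),      # gate clauses
            ((1, 2, 2), (1, 0, 0)), ((2, 2, 2), (1, 1, 1))}      # gate, output

def label(w):
    """M-bit label of wire w, most significant bit first."""
    return tuple((w >> (M - 1 - i)) & 1 for i in range(M))

def beta(ys, zs, mod):
    """Assumed form of beta: prod_i (y_i*z_i + (1-y_i)*(1-z_i)); 1 iff equal bits."""
    r = 1
    for y, z in zip(ys, zs):
        r = r * (y * z + (1 - y) * (1 - z)) % mod
    return r

def P0(b, X, x, pt):
    """phi^b_x(w1,w2,w3) * prod_i (1 - beta(b_i, X(w_i))) at a boolean point pt."""
    for ws, bs in clauses(x):
        if bs == b and sum(map(label, ws), ()) == tuple(pt):
            return int(all(X[w] != bi for w, bi in zip(ws, b)))  # 1 iff violated
    return 0  # no clause of type b on these three wires

def Pj(j, b, X, x, z, mod):
    """P_j(z) = sum_{y in {0,1}^j} beta(y, z[:j]) * P0(y, z[j:]).
    z[:j] may hold arbitrary ring elements; z[j:] must be bits."""
    return sum(beta(y, z[:j], mod) * P0(b, X, x, y + tuple(z[j:]))
               for y in product((0, 1), repeat=j)) % mod

def step_holds(j, b, X, x, z, mod):
    """In-the-clear analogue of identity (19):
    P_j(z) == sum_{y in {0,1}} beta(y, z_j) * P_{j-1}(z with z_j replaced by y)."""
    rhs = sum(beta((y,), (z[j - 1],), mod)
              * Pj(j - 1, b, X, x, z[:j - 1] + (y,) + z[j:], mod) for y in (0, 1))
    return Pj(j, b, X, x, z, mod) == rhs % mod

def vanishes_everywhere(X, x, mod, ring_vals=(2, 5)):
    """True iff P_j^b(z) = 0 for all b, j and all z in ring_vals^j x {0,1}^(3M-j)."""
    return all(Pj(j, b, X, x, head + tail, mod) == 0
               for b in product((0, 1), repeat=3) for j in range(3 * M + 1)
               for head in product(ring_vals, repeat=j)
               for tail in product((0, 1), repeat=3 * M - j))
```

For $x = (1,1)$ with the correct assignment `X = [1, 1, 1, 0]`, every $P^b_j$ is zero modulo a prime and modulo a composite alike; for $x = (1,0)$ any assignment violates some clause, and that clause surfaces as a nonzero value of $P^b_j$ that the recurrence carries from level $j-1$ to level $j$.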