Zero Knowledge Proofs (ZKPs) allow one party – the prover – to prove to another party – the verifier – that a statement is true without disclosing any information beyond the statement’s validity.
ZKPs use arithmetic circuits, which reduce computational problems to algebraic problems involving low-degree polynomials over a finite field. In several ZKP protocols, XOR relations can be proven for free, and the complexity essentially depends on the number of AND gates of the relation to be proven.
This cost metric suggests that ciphers that find a use-case in ZK protocols should desirably minimize their use of non-linear operations while most cryptographically relevant work is performed as linear operations. This design philosophy is related to the fundamental theoretical question of the minimal multiplicative complexity (MC) of certain tasks, which is simply the number of AND gates in a circuit. A lower MC allows for a positive impact on latency and throughput of the ZK evaluation of the cipher. Classical symmetric algorithms become inappropriate in this context, and new cryptographic protocols must then be combined with symmetric primitives whose proposed constructions use non-linear functions whose algebraic representations remain very simple on a large finite field F_q where q is either a large prime integer or a power of 2 greater than 2^128, such as a sparse polynomial of F_q[X].
Applications
ZKPs are used in many different applications, including authentication protocols, digital signatures, electronic voting, and cryptocurrency transactions.
Symmetric primitives
ZK-friendly symmetric primitives are usually classified in 3 types.
Low-degree primitives
The first wave of ZK-friendly primitives aimed at limiting the number of nonlinear operations by relying on inner functions of low degree so that it is trivial to verify the result using low-degree functions.
Primitives
Feistel-MiMC
GMiMC
MiMC
Neptune
Poseidon
Poseidon2
Field size
F_2^n or F_p
F_2^n
F_2^n or F_p
F_p
F_p
F_p
State size
m = 2
any m
m = 1
m even
any m
any m
Equivalence relations
The second type of primitive is based on equivalence relation or design strategies allowing high-degree evaluation and low-degree verification at the same time.
Primitives
Anemoi
Arion
Friday
Grendel
Griffin
Jarvis
Rescue
Rescue-Prime
Rescue-Prime Optimized
Vision
Field size
F_2^n or F_p
F_p
F_2^n
F_p
F_p
F_2^n
F_p
F_p
F_p with p = 2^{64} – 2^{32} + 1
F_2^n
State size
m even
any m
any m
any m
m = 3 or 4m’
m = 1
any m
any m
m = 12 or 16
any m
Look-up tables
The last family corresponds to more recent primitives that use look-up tables.
Primitives
Monolith
Reinforced Concrete
Tip5
Tip4
Field size
F_p with p = 2^{64} – 2^{32} + 1 or 2^{31} – 1
F_p
F_p with p = 2^{64} – 2^{32} + 1
F_p with p = 2^{64} – 2^{32} + 1
State size
m >= 8
m = 3
m = 16
m = 12 or 16
STAP Lounge
The STAP Zoo currently collects information about the following list of STAP primitives used in ZK:
◊ Anemoi
◊ Arion
◊ GMiMC
◊ Grendel
◊ Griffin
◊ MARVELlous designs (Jarvis and Friday)
◊ Marvellous designs (Rescue, Rescue-Prime, Rescue-Prime Optimized, Vision, Vision Mark-32, XHash8 and XHash12)
◊ MiMC
◊ Monolith
◊ Poseidon variants (HadesMiMC, Neptune, Poseidon and Poseidon 2)
◊ Reinforced Concrete
◊ Tip5 variants (Tip5, Tip4 and Tip4′)
