Succinct non-interactive arguments of knowledge (SNARKs) enable non-interactive efficient verification of NP computations and admit short proofs. However, all current SNARK constructions assume that the statements to be proven can be efficiently represented as either Boolean or arithmetic circuits over finite fields. For most constructions, the choice of the prime field \({\mathbb {F}}_{p}\) is limited by the existence of groups of matching order for which secure bilinear maps exist. In this work, we overcome such restrictions and enable verifying computations over rings. We construct the first designated-verifier SNARK for statements which are represented as circuits over a broader kind of commutative rings. Our contribution is threefold:

1. 1.

   We first introduce Quadratic Ring Programs (QRPs) as a characterization of NP where the arithmetic is over a ring.

2. 2.

   Second, inspired by the framework in Gennaro et al. (in: Johansson and Nguyen (eds) EUROCRYPT 2013, volume 7881 of LNCS, pp 626–645. Springer, Heidelberg, 2013), we design SNARKs over rings in a modular way. We generalize preexistent assumptions employed in field-restricted SNARKs to encoding schemes over rings. As our encoding notion is generic in the choice of the ring, it is amenable to different settings.

3. 3.

   Finally, we propose two applications for our SNARKs.

   • Our first application is verifiable computation over encrypted data, specifically for evaluations of Ring-LWE-based homomorphic encryption schemes.

   • In the second one, we use Rinocchio to naturally prove statements about circuits over, e.g., \({\mathbb {Z}}_{2^{64}}\), which closely matches real-life computer architectures such as standard CPUs.

简洁的非交互式知识论证 (SNARK) 能够对 NP 计算进行非交互式高效验证，并允许简短的证明。然而，当前所有的 SNARK 结构都假设要证明的语句可以有效地表示为有限域上的布尔或算术电路。对于大多数构造，素数域\({\mathbb {F}}_{p}\)的选择受到存在安全双线性映射的匹配阶组的存在的限制。在这项工作中，我们克服了此类限制并能够验证环上的计算。我们为陈述构建第一个指定验证者 SNARK，这些陈述被表示为更广泛的交换环上的电路。我们的贡献有三重：

1. 1.

   我们首先引入二次环规划（QRP）作为 NP 的表征，其中算术是在环上进行的。

2. 2.

   其次，受到 Gennaro 等人的框架的启发。（见：Johansson 和 Nguyen（编）EUROCRYPT 2013，LNCS 第 7881 卷，第 626-645 页。Springer，海德堡，2013），我们以模块化方式设计环上的 SNARK。我们将场限制 SNARK 中采用的预先存在的假设推广到环上的编码方案。由于我们的编码概念在环的选择上是通用的，因此它适合不同的设置。

3. 3.

   最后，我们为 SNARK 提出了两种应用。

   • 我们的第一个应用是对加密数据进行可验证计算，特别是用于评估基于 Ring-LWE 的同态加密方案。

   • 在第二个中，我们使用 Rinocchio 自然地证明有关电路的陈述，例如\({\mathbb {Z}}_{2^{64}}\)，它与现实生活中的计算机体系结构（例如标准 CPU）密切匹配。