Non-Native Arithmetic and CRT Codes

(Proposer: Liam Eagen)

Motivation

In many types of programmable cryptography, we often encounter the problem of “non-native arithmetic.” That is, while our SNARK is defined over a field of characteristic we would like to prove statements about arithmetic in some other field . In some cases this is easy, for example if is small, but in many cases it is very expensive.

Residue Number Systems

One way to do this would be to encode a value over first as an integer , and then as a collection of small residues of modulo many small primes. Fix a sequence of primes and let the residues be . If then we can do arithmetic with these residues. So long as the result does not exceed , this will let us perform integer arithmetic. We can construct from the residues using the Chinese Remainder Theorem.

Batch Size Test for RNS values

This final point, that this works only for values smaller than , is crucial, since it requires that the prover demonstrate all the inputs to an integer relation are small. This is expensive, since we cannot efficiently measure the size of an integer from its residues modulo small primes. Thus we would like to be avoid “materializing” these values outside of the RNS as much as possible.

One natural way to minimize the cost of the materialization is to materialize a linear combination of values all at once. In the simplest case, suppose we have a two that are given in RNS form and we want to show . Then suppose we choose a random challenge and show that where . We can check that is correctly constructed using only arithmetic mod . What is the probability that and satisfy their constraints as a function of and ? Assume . hint: we want to make this arbitrarily small.

Issue: small rationals

Unfortunately, this doesn’t quite work. Suppose for small and . Then the probability that is a sufficiently small integer is , independent of . This is because there is exactly residue class of such that . This cancels the denominator and causes to be an integer even though are not.

However, in the spirit of the problem this is not really an issue. If is larger than , then these rational values have perfectly valid reductions mod . The modified question is then, given , what is the probability that where and for some parameter .

Extending to Proximity Gaps

Given this, can we extend this result to a proximity gap? That is, if is close in a CRT code what can we say about ?