# SNARK-friendly Symmetric Encryption

### Problem Statement <a href="#pdf-page-irv4kkrrgx0wknv1rljw-problem-statement" id="pdf-page-irv4kkrrgx0wknv1rljw-problem-statement"></a>

We want an encryption scheme that would work well in arithmetic circuits (for SNARKS). So both the key and the input to the encryption should be $$m∈\mathbb{F}^n$$ vectors (with $$\mathbb{F}$$ being the field).

### Solution <a href="#pdf-page-irv4kkrrgx0wknv1rljw-solution" id="pdf-page-irv4kkrrgx0wknv1rljw-solution"></a>

**Keygen**: generate key $$x∈\mathbb{F}$$ uniformly at random

**Encrypt:**

* **Input:** message $$m\in\mathbb{F}^n$$, key $$x\in\mathbb{F}$$
* Sample a nonce $$k\in\mathbb{F}$$ uniformly at random. Compute $$a=hash(k,x)\in\mathbb{F}$$
* Compute $$r\_i​=hash(a,i)$$ for $$i=1,2,…,n$$ and let $$r\in\mathbb{F}^n$$ be the resulting vector
* Compute $$e=m+r$$ (note $$e\in\mathbb{F}^n$$)
* Output $$(k,e)$$

**Decrypt:**

* **Input:** ciphertext $$(k,e)$$, key $$x\in\mathbb{F}$$,
* Compute $$r\in\mathbb{F}^n$$ based on $$k,x$$ as above
* compute $$m=e−r$$
* Output $$m$$

Total cost for encryption and decryption is: $$≈n⋅G\_{hash}$$​ where $$G\_{hash}$$​ is the number of gates one hashing costs.