Paper 2022/178

Lower Bound on SNARGs in the Random Oracle Model

Abstract

Succinct non-interactive arguments (SNARGs) have become a fundamental primitive in the cryptographic community. The focus of this work is constructions of SNARGs in the Random Oracle Model (ROM). Such SNARGs enjoy post-quantum security and can be deployed using lightweight cryptography to heuristically instantiate the random oracle. A ROM-SNARG is \emph{$$-sound} if no $$-query malicious prover can convince the verifier to accept a false statement with probability larger than $$. Recently, Chiesa-Yogev (CRYPTO '21) presented a ROM-SNARG of length $$ (ignoring $$ factors, for $$ being the instance size). This improvement, however, is still far from the (folklore) lower bound of $$. Assuming the \textit{randomized exponential-time hypothesis}, we prove a tight lower bound of $$ for the length of {$$-sound} ROM-SNARGs. Our lower bound holds for constructions with non-adaptive verifiers and strong soundness notion called \textit{salted soundness}, restrictions that hold for \emph{all} known constructions (ignoring contrived counterexamples). We prove our lower bound by transforming any short ROM-SNARG (of the considered family) into a same length ROM-SNARG in which the verifier asks only a \emph{few} oracles queries, and then apply the recent lower bound of Chiesa-Yogev (TCC '20) for such SNARGs.

Note: Minor fixes.