**On Succinct Non-Interactive Arguments in Relativized Worlds**

*Megan Chen and Alessandro Chiesa and Nicholas Spooner*

**Abstract: **Succinct non-interactive arguments of knowledge (SNARKs) are cryptographic proofs with strong efficiency properties. Applications of SNARKs often involve proving computations that include the SNARK verifier, a technique called recursive composition. Unfortunately, SNARKs with desirable features such as a transparent (public-coin) setup are known only in the random oracle model (ROM). In applications this oracle must be heuristically instantiated and used in a non-black-box way.

In this paper we identify a natural oracle model, the low-degree random oracle model, in which there exist transparent SNARKs for all NP computations relative to this oracle. Informally, letting $\mathcal{O}$ be a low-degree encoding of a random oracle, and assuming the existence of (standard-model) collision-resistant hash functions, there exist SNARKs relative to $\mathcal{O}$ for all languages in $\mathsf{NP}^{\mathcal{O}}$. Such a SNARK can directly prove a computation about its own verifier. This capability leads to proof-carrying data (PCD) in the oracle model $\mathcal{O}$ based solely on the existence of (standard-model) collision-resistant hash functions.

To analyze this model, we introduce a more general framework, the linear code random oracle model (LCROM). We show how to obtain SNARKs in the LCROM for computations that query the oracle, given an accumulation scheme for oracle queries in the LCROM. Then we construct such an accumulation scheme for the special case of a low degree random oracle.

**Category / Keywords: **foundations / succinct arguments, proof-carrying data, random oracles

**Original Publication**** (with major differences): **IACR-EUROCRYPT-2022

**Date: **received 24 Mar 2022

**Contact author: **megchen at bu edu, alessandro chiesa at epfl ch, nicholas spooner at warwick ac uk

**Available format(s): **PDF | BibTeX Citation

**Version: **20220328:143443 (All versions of this report)

**Short URL: **ia.cr/2022/383

[ Cryptology ePrint archive ]