TY - GEN
T1 - Lower Bound on SNARGs in the Random Oracle Model
AU - Haitner, Iftach
AU - Nukrai, Daniel
AU - Yogev, Eylon
N1 - Publisher Copyright: © 2022, International Association for Cryptologic Research.
PY - 2022
Y1 - 2022
AB - Succinct non-interactive arguments (SNARGs) have become a fundamental primitive in the cryptographic community. The focus of this work is constructions of SNARGs in the Random Oracle Model (ROM). Such SNARGs enjoy post-quantum security and can be deployed using lightweight cryptography to heuristically instantiate the random oracle. A ROM-SNARG is (t, ε)-sound if no t-query malicious prover can convince the verifier to accept a false statement with probability larger than ε. Recently, Chiesa-Yogev (CRYPTO ’21) presented a ROM-SNARG of length Θ(log(t/ε) · log t) (ignoring log n factors, for n being the instance size). This improvement, however, is still far from the (folklore) lower bound of Ω(log(t/ε)). Assuming the randomized exponential-time hypothesis, we prove a tight lower bound of Ω(log(t/ε) · log t) for the length of (t, ε)-sound ROM-SNARGs. Our lower bound holds for constructions with non-adaptive verifiers and a strong soundness notion called salted soundness, restrictions that hold for all known constructions (ignoring contrived counterexamples). We prove our lower bound by transforming any short ROM-SNARG (of the considered family) into a same-length ROM-SNARG in which the verifier asks only a few oracle queries, and then applying the recent lower bound of Chiesa-Yogev (TCC ’20) for such SNARGs.
KW - Random oracle
KW - SNARGs
KW - high-entropy sets
KW - lower bound
UR - http://www.scopus.com/inward/record.url?scp=85141708287&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-15982-4_4
DO - 10.1007/978-3-031-15982-4_4
M3 - Conference contribution
AN - SCOPUS:85141708287
SN - 9783031159817
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 97
EP - 127
BT - Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings
A2 - Dodis, Yevgeniy
A2 - Shrimpton, Thomas
PB - Springer Science and Business Media Deutschland GmbH
T2 - 42nd Annual International Cryptology Conference, CRYPTO 2022
Y2 - 15 August 2022 through 18 August 2022
ER -