Paper 2025/1698

SNARK Lower Bounds via Communication Complexity

Rishabh Bhadauria
Alexander R. Block, University of Illinois at Chicago
Prantar Ghosh, Tennessee Tech University
Justin Thaler, a16z crypto research, Georgetown University
Abstract

We initiate the study of lower bounding the verification time of Succinct Non-interactive ARguments of Knowledge (SNARKs) built in the Polynomial Interactive Oracle Proof + Polynomial Commitment Scheme paradigm. The verification time of these SNARKs is generally dominated by the polynomial commitment scheme, and so we want to understand if polynomial commitment schemes admit lower bounds on the verification time. By recognizing that polynomial commitment schemes are also often built by applying cryptography to some information-theoretic core protocol, we seek to separate this core from the cryptography in a way that meaningfully captures the verification time required by the polynomial commitment scheme verifier. We provide strong evidence that several polynomial commitment schemes have (nearly) optimal verifier times. Our evidence comes from connecting polynomial commitment schemes to certain information-theoretic protocols known as communication protocols from the field of communication complexity, a link which we believe to be of independent interest. Through this lens, we model the verifier work in the cryptographic protocols as information (i.e., number of bits) exchanged between parties in the communication protocols, allowing us to leverage lower bounds from communication complexity. These lower bounds give strong evidence that the verifier time in these polynomial commitment schemes must be at least the number of bits exchanged in the communication protocol. We extract the communication protocol cores of three polynomial commitment schemes and lower bound the bits exchanged in these cores. The lower bounds we obtain match (up to poly-logarithmic factors) the best-known (asymptotic) verification times of the polynomial commitment schemes we examine in this work. Specifically, we show that for univariate/multilinear polynomials of size $N=2^n$: - the communication core of Hyrax PCS (Wahby et al., S&P 2016) requires $\Omega(\sqrt{N})$ bits to be exchanged; - the communication core of Bulletproofs PCS (Bootle et al., EUROCRYPT 2016; Bünz et al., S&P 2018) requires $\Omega(N)$ bits to be exchanged; and - the communication core of Dory PCS (Lee, TCC 2021) requires $\Omega(\log(N))$ bits to be exchanged. Our results strongly suggest a negative answer to a longstanding open question on whether the Bulletproofs verifier can be made sublinear time.

Note: Full version of paper published at TCC 2025 (https://doi.org/10.1007/978-3-032-12287-2_15).

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
A minor revision of an IACR publication in TCC 2025
DOI
10.1007/978-3-032-12287-2_15
Keywords
Interactive ProofsLower boundsSNARKsComputational Complexity
Contact author(s)
rishabh bhadauria @ gmail com
alexander r block @ gmail com
pghosh @ tntech edu
justin r thaler @ gmail com
History
2025-12-18: last of 2 revisions
2025-09-18: received
See all versions
Short URL
https://ia.cr/2025/1698
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2025/1698,
      author = {Rishabh Bhadauria and Alexander R. Block and Prantar Ghosh and Justin Thaler},
      title = {{SNARK} Lower Bounds via Communication Complexity},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/1698},
      year = {2025},
      doi = {10.1007/978-3-032-12287-2_15},
      url = {https://eprint.iacr.org/2025/1698}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.