IACR News item: 05 December 2025
Giacomo Fenzi, Antonio Sanso
Hash-based succinct non-interactive arguments (SNARGs) are a widely studied and deployed class of proof systems. The security of practical hash-based SNARGs relies on two combinatorial parameters of their underlying linear code $\mathcal{C}$: a distance-preservation error $\varepsilon(\mathcal{C},\delta)$ and the list size $|\Lambda(\mathcal{C}, \delta)|$ (both parametrized by a proximity parameter $\delta$). Optimistically, one might hope that these parameters are bounded all the way to the capacity regime: when the proximity parameter $\delta$ approaches the minimum distance of the code $\delta(\mathcal{C})$. Perhaps too optimistically, several deployed hash-based SNARGs indeed operate in this regime, and initiatives such as the Ethereum Proximity Prize investigate to what extent soundness is preserved in this setting.
We present a minimal toy protocol whose analysis captures most of the complexity of state-of-the-art hash-based SNARGs, and present a generic attack whose success probability depends on the list size $|\Lambda(\mathcal{C}, \delta)|$. Further, we investigate the common setting in which the code $\mathcal{C}$ is an extension code over a field $\mathbb{F}$ of a base code $\mathcal{C}_\mathbb{B}$ over a small base field $\mathbb{B}$. In this setting, we show that classical combinatorial lower bounds on the list size of the code yield strong attacks that affect the regimes in which hash-based SNARGs operate in practice.
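To make the list-size parameter concrete, here is an added illustration (not code from the paper) that exhaustively computes $\max_w |\{c \in \mathcal{C} : \Delta(c, w) \le t\}|$ for a toy Reed-Solomon code over $\mathrm{GF}(5)$ with $n = 5$ evaluation points and degree $< 2$, for every integer radius $t$; the parameters are a constructed example chosen small enough to brute-force, and the Johnson radius is included only as the classical reference point for where list sizes stop being provably small.

```python
from itertools import product

# Constructed toy parameters: GF(5), all five field elements as evaluation
# points, polynomials of degree < 2 (so 25 codewords, minimum distance 4).
P, N, K = 5, 5, 2


def rs_codewords(p=P, n=N, k=K):
    """All codewords of RS[n, k] over GF(p): every polynomial of degree < k
    evaluated at x = 0, ..., n-1."""
    code = []
    for coeffs in product(range(p), repeat=k):
        code.append(tuple(sum(c * pow(x, i, p) for i, c in enumerate(coeffs)) % p
                          for x in range(n)))
    return code


def hamming(u, v):
    return sum(a != b for a, b in zip(u, v))


def min_distance(p=P, n=N, k=K):
    code = rs_codewords(p, n, k)
    return min(hamming(a, b) for i, a in enumerate(code) for b in code[i + 1:])


def max_list_sizes(p=P, n=N, k=K):
    """best[t] = largest number of codewords within Hamming distance t of any
    word w in GF(p)^n, i.e. the list size at proximity parameter delta = t/n.
    Exhaustive over all p^n words, so only feasible for tiny codes."""
    code = rs_codewords(p, n, k)
    best = [0] * (n + 1)
    for w in product(range(p), repeat=n):
        dists = sorted(hamming(w, c) for c in code)
        j = 0  # number of codewords with distance <= t, grown as t increases
        for t in range(n + 1):
            while j < len(dists) and dists[j] <= t:
                j += 1
            best[t] = max(best[t], j)
    return best


if __name__ == "__main__":
    delta_c = min_distance() / N                 # relative minimum distance
    johnson = 1 - (1 - delta_c) ** 0.5           # classical Johnson radius
    print(f"delta(C) = {delta_c:.2f}, Johnson radius = {johnson:.3f}")
    for t, size in enumerate(max_list_sizes()):
        print(f"delta = {t / N:.2f}: max list size = {size}")
```

Past the Johnson radius the maximal list jumps from 2 to 10 codewords, and at $\delta = \delta(\mathcal{C})$ almost the whole code is within range; this is the growth that any soundness argument relying on a small $|\Lambda(\mathcal{C}, \delta)|$ must account for.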