 היי, everyone, my name is Ilon Yugev. This is joint work with Daniel Nukrai and Yvetar Heitner. So this talk is about lower bounds on snards in the random oracle model. So let me give you a brief introduction. So what are snards with our succinct non-interactive arguments in the random oracle model? So this is a pover and a verifier. The pover wants to convince the verifier that some instance is in the language. So he sends a single short message pi to convince the verifier. And they both have access to a totally random function. So this is the random function. This is a totally random function that outputs some of the bits. And the security we have in this model is security against query-bounded povers that even might be computationally unbounded. So more formally we have t-epsilon security, meaning that for any x not in the language, any t-query may be potentially unbounded adversary. So this is an adversary that performs at most t-queries to the random oracle, but other than that computationally can be unbounded. So for any such pover, the probability that this pover outputs pi that makes the verifier accept is at most epsilon. And epsilon can be a function of t and lambda. So this is the security definition of snards in the random oracle model. Why do we study the random oracle model? So it's a very simple information theoretic model. It talks about probabilities of the random oracle. There's no computational assumptions here. There's beautiful constructions that we'll talk about. It actually supports lower bounds, as this talk suggested. So we can prove unconditional lower bounds about constructions. And finally, you can take the homeuristic, where you replace the random oracle with some specific lightweight cryptographic hash function, for example, chart 256. And what you get is a candidate construction, which is faster compute, so it doesn't involve all this heavy crypto, only on applying lightweight hash function. There's no trusted setup. And the construction you get is actually potentially post-quantum secure, as we don't have any quantum advantage over general hash functions. And this thing is actually widely used in practice. So what constructions do we have? So we have the Mikali and BCS construction. The Mikali is based on PCPs, and BCS is based on IOPs. Both of them take this information, 30 proof, and compile them to a snag. But the proof size in both of them is the same. So the proof size, the size of the snag that you need to send to the verifier is log T over epsilon squared. And here I'm hitting some lower order terms. This all tilde. So T is the running time with the cheating pover, and epsilon is its success probability. In a recent work with myself and Alessandro Chiesa, I've actually showed a variant of this construction that achieves log T over epsilon times log T. So slightly sub-quadratic. And if I put it on a scale, then we have the Mikali, we have the Cy construction, and then we have a trivial, like folklore, low bound and log T over epsilon. But between these two, this is wide open. And this leads us exactly to the result of this paper, which is actually the first non-trivial low bound epsilon snags. So assuming randomized ZTH, any natural ROM snag construction, so any natural construction, and I'm going to talk about this in a second, that has T epsilon soundness, must have a proof size of this. So log T over epsilon times log T over log Q, where Q is the running time of the honest pover. The number of queries the honest pover performs. Okay, so this is our main theorem. I'll already say that as a corollary, you get a low bound on sub-vector commitments. So similar with the similar natural flavor. So if you had a sub-vector commitment in the random oracle model, you would put it inside Mikali and get a snag that contradicts this theorem. Okay, what are natural constructions? So two requirements first. It's a non-adaptive verifier. So this means that the verifier performs its queries to the random oracle in a non-adaptive manner. Okay, it sends all the queries at once and gets all the responses. And two, some slightly stronger soundness notion called soldered soundness, where you're welcome to see the full talk to understand exactly what this says. But the point is that all known construction that we have actually satisfy our natural. They satisfy these conditions. Okay, and just to put it on the final slide. So we provide this low bound, which is almost tight with the upper bound of CY. Okay, up to this login and log cube factors. Okay, thank you. And please go to see the full talk.