Cryptology ePrint Archive: Report 2019/119

On the security of the BCTV Pinocchio zk-SNARK variant

Ariel Gabizon

Abstract: The main result of this note is a severe flaw in the description of the zk-SNARK in [BCTV14]. The flaw stems from including redundant elements in the CRS, as compared to that of the original Pinocchio protocol [PHGR16], which are vital not to expose. The flaw enables creating a proof of knowledge for *any* public input given a valid proof for *some* public input. We also provide a proof of security for the [BCTV14] zk-SNARK in the generic group model, when these elements are excluded from the CRS, provided a certain linear algebraic condition is satisfied by the QAP polynomials.

Category / Keywords: cryptographic protocols / zk-SNARKs

Date: received 5 Feb 2019, last revised 13 Feb 2019

Contact author: ariel gabizon at gmail com

Version: 20190213:175829

Short URL: ia.cr/2019/119
