Paper 2019/119

On the security of the BCTV Pinocchio zk-SNARK variant

Ariel Gabizon

Abstract

The main result of this note is a severe flaw in the description of the zk-SNARK in [BCTV14]. The flaw stems from including redundant elements in the CRS, as compared to that of the original Pinocchio protocol [PHGR16], elements that must not be exposed. The flaw enables creating a proof of knowledge for *any* public input given a valid proof for *some* public input. We also provide a proof of security for the [BCTV14] zk-SNARK in the generic group model, when these elements are excluded from the CRS, provided a certain linear algebraic condition is satisfied by the QAP polynomials.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Preprint. Minor revision.
Keywords: zk-SNARKs
Contact author(s): ariel gabizon @ gmail com
History:
2019-02-13: revised
2019-02-13: received
Short URL: https://ia.cr/2019/119
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2019/119,
      author = {Ariel Gabizon},
      title = {On the security of the BCTV Pinocchio zk-SNARK variant},
      howpublished = {Cryptology ePrint Archive, Paper 2019/119},
      year = {2019},
      note = {\url{https://eprint.iacr.org/2019/119}},
      url = {https://eprint.iacr.org/2019/119}
}