Paper 2019/119
On the security of the BCTV Pinocchio zk-SNARK variant
Ariel Gabizon
Abstract
The main result of this note is a severe flaw in the description of the zk-SNARK in [BCTV14]. The flaw stems from including redundant elements in the CRS, as compared to that of the original Pinocchio protocol [PHGR16], which are vital not to expose. The flaw enables creating a proof of knowledge for *any* public input given a valid proof for *some* public input. We also provide a proof of security for the [BCTV14] zk-SNARK in the generic group model, when these elements are excluded from the CRS, provided a certain linear algebraic condition is satisfied by the QAP polynomials.
Metadata
- Category: Cryptographic protocols
- Publication info: Preprint. MINOR revision.
- Keywords: zk-SNARKs
- Contact author(s): ariel gabizon @ gmail com
- History:
  - 2019-02-13: revised
  - 2019-02-13: received
- Short URL: https://ia.cr/2019/119
- License: CC BY
BibTeX
@misc{cryptoeprint:2019/119,
  author = {Ariel Gabizon},
  title = {On the security of the {BCTV} Pinocchio zk-{SNARK} variant},
  howpublished = {Cryptology {ePrint} Archive, Paper 2019/119},
  year = {2019},
  url = {https://eprint.iacr.org/2019/119}
}