[Resource Topic] 2019/119: On the security of the BCTV Pinocchio zk-SNARK variant

Welcome to the resource topic for 2019/119

On the security of the BCTV Pinocchio zk-SNARK variant

Authors: Ariel Gabizon


The main result of this note is a severe flaw in the description of the zk-SNARK in [BCTV14]. The flaw stems from including redundant elements in the CRS, as compared to that of the original Pinocchio protocol [PHGR16], which are vital not to expose. The flaw enables creating a proof of knowledge for any public input given a valid proof for some public input. We also provide a proof of security for the [BCTV14] zk-SNARK in the generic group model, when these elements are excluded from the CRS, provided a certain linear algebraic condition is satisfied by the QAP polynomials.

ePrint: https://eprint.iacr.org/2019/119

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.