Gennaro, Gentry, Parno, and Raykova (GGPR) introduced Quadratic Arithmetic Programs (QAPs) as a way of representing arithmetic circuits in a form amendable to highly efficient cryptographic protocols [11], particularly for verifiable computation and succinct non-interactive arguments [12]. Subsequently, Parno, Gentry, Howell, and Raykova introduced an improved cryptographic protocol (and implementation), which they dubbed Pinocchio [13]. Ben-Sasson et al. [5] then introduced a lightly modified version of the Pinocchio protocol and implemented it as part of their libsnark distribution. Later work by the same authors employed this protocol [2–4, 10], as did a few works by others [1, 14]. Many of these works cite the version of the paper which was published at USENIX Security [6]. However, the protocol does not appear in that peer-reviewed paper; instead, it appears only in a technical report [5], where it is justified via a lemma that lacks a proof. Unfortunately, the lemma is incorrect, and the modified protocol is unsound. With probability one, an adversary can submit false statements and proofs that the verifier will accept. We demonstrate this theoretically, as well as with concrete examples in which the protocol’s implementation in libsnark accepts invalid statements. Fixing this problem requires different performance tradeoffs, indicating that the performance results reported by papers building on this protocol [1–4, 6, 10, 14] are, to a greater or lesser extent, inaccurate. 1 Background: Quadratic Arithmetic Programs Gennaro, Gentry, Parno, and Raykova (GGPR) introduced Quadratic Arithmetic Programs (QAPs) as a way of representing arithmetic circuits in a form amendable to highly efficient cryptographic protocols [11], particularly for verifiable computation and succinct non-interactive arguments [12] (and/or arguments of knowledge [7]). We recall their definition below, and then give a brief example of how to construct a QAP from an arithmetic circuit. Definition 1 (Quadratic Arithmetic Program (QAP) [11]) A QAP Q over field F contains three sets of m+1 polynomials V = {vk(x)}, W = {wk(x)},Y = {yk(x)}, for k ∈ {0 . . .m}, and a target polynomial t(x). Suppose F is a function that takes as input n elements of F and outputs n′ elements, for a total of N = n + n′ I/O elements. Then we say that Q computes F if: (c1, . . . ,cN) ∈ FN is a valid assignment of F’s inputs and outputs, if and only if there exist coefficients (cN+1, . . . ,cm) such that t(x) divides p(x), where:
[1]
Eli Ben-Sasson,et al.
Secure Sampling of Public Parameters for Succinct Zero Knowledge Proofs
,
2015,
2015 IEEE Symposium on Security and Privacy.
[2]
Michael Backes,et al.
ADSNARK: Nearly Practical and Privacy-Preserving Proofs on Authenticated Data
,
2015,
2015 IEEE Symposium on Security and Privacy.
[3]
Craig Gentry,et al.
Pinocchio: Nearly Practical Verifiable Computation
,
2013,
2013 IEEE Symposium on Security and Privacy.
[4]
Craig Gentry,et al.
Quadratic Span Programs and Succinct NIZKs without PCPs
,
2013,
IACR Cryptol. ePrint Arch..
[5]
Eran Tromer,et al.
Cluster Computing in Zero Knowledge
,
2015,
EUROCRYPT.
[6]
Matthew K. Franklin,et al.
Identity-Based Encryption from the Weil Pairing
,
2001,
CRYPTO.
[7]
Nir Bitansky,et al.
From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again
,
2012,
ITCS '12.
[8]
Eli Ben-Sasson,et al.
Scalable Zero Knowledge Via Cycles of Elliptic Curves
,
2014,
Algorithmica.
[9]
Zuocheng Ren,et al.
Efficient RAM and control flow in verifiable outsourced computation
,
2015,
NDSS.
[10]
Eli Ben-Sasson,et al.
Zerocash: Decentralized Anonymous Payments from Bitcoin
,
2014,
2014 IEEE Symposium on Security and Privacy.
[11]
Eli Ben-Sasson,et al.
Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture
,
2014,
USENIX Security Symposium.
[12]
Craig Gentry,et al.
Separating succinct non-interactive arguments from all falsifiable assumptions
,
2011,
STOC '11.