A Note on the Unsoundness of vnTinyRAM's SNARK

Gennaro, Gentry, Parno, and Raykova (GGPR) introduced Quadratic Arithmetic Programs (QAPs) as a way of representing arithmetic circuits in a form amendable to highly efficient cryptographic protocols [11], particularly for verifiable computation and succinct non-interactive arguments [12]. Subsequently, Parno, Gentry, Howell, and Raykova introduced an improved cryptographic protocol (and implementation), which they dubbed Pinocchio [13]. Ben-Sasson et al. [5] then introduced a lightly modified version of the Pinocchio protocol and implemented it as part of their libsnark distribution. Later work by the same authors employed this protocol [2–4, 10], as did a few works by others [1, 14]. Many of these works cite the version of the paper which was published at USENIX Security [6]. However, the protocol does not appear in that peer-reviewed paper; instead, it appears only in a technical report [5], where it is justified via a lemma that lacks a proof. Unfortunately, the lemma is incorrect, and the modified protocol is unsound. With probability one, an adversary can submit false statements and proofs that the verifier will accept. We demonstrate this theoretically, as well as with concrete examples in which the protocol’s implementation in libsnark accepts invalid statements. Fixing this problem requires different performance tradeoffs, indicating that the performance results reported by papers building on this protocol [1–4, 6, 10, 14] are, to a greater or lesser extent, inaccurate. 1 Background: Quadratic Arithmetic Programs Gennaro, Gentry, Parno, and Raykova (GGPR) introduced Quadratic Arithmetic Programs (QAPs) as a way of representing arithmetic circuits in a form amendable to highly efficient cryptographic protocols [11], particularly for verifiable computation and succinct non-interactive arguments [12] (and/or arguments of knowledge [7]). We recall their definition below, and then give a brief example of how to construct a QAP from an arithmetic circuit. Definition 1 (Quadratic Arithmetic Program (QAP) [11]) A QAP Q over field F contains three sets of m+1 polynomials V = {vk(x)}, W = {wk(x)},Y = {yk(x)}, for k ∈ {0 . . .m}, and a target polynomial t(x). Suppose F is a function that takes as input n elements of F and outputs n′ elements, for a total of N = n + n′ I/O elements. Then we say that Q computes F if: (c1, . . . ,cN) ∈ FN is a valid assignment of F’s inputs and outputs, if and only if there exist coefficients (cN+1, . . . ,cm) such that t(x) divides p(x), where: