Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Gnark support in Universal Proof Aggregation circuits>Discussion>Terminology confusion regarding LegoSNARK
GeneralOverview
Findings
Low (2)
Informational (3)
DiscussionDifferences in batch verification to integrate gnark proofsTerminology confusion regarding LegoSNARKConfusing implementation of InCircuitHash and FieldElementRepresentation for AssignedVerificationKeyDummy function for BatchEntry has confusing comments regarding commitmentsLength variables could be with or without commitmentOutdated or incorrect commentsConfusing behavior of native compute_challenge_pointsInaccuracies in the specificationAdditional check for well-constructed keccak inputs
Audit ResultsAssessment Results

Terminology confusion regarding LegoSNARK

The diff reviewed for this audit introduced support for the variant of Groth16 proofs emitted by gnark (with some restrictions on the number of commitments and that commitments must be for nonpublic witnesses).

The specification describes this variant of Groth16 as LegoSNARK's "commit-and-prove" extension, as defined in the LegoSNARK paper by Matteo Campanelli, Dario Fiore, and Anaïs Querol. However, this is not accurate. Instead, gnark's variant is custom and more closely related to the paper Recursion Over Public-Coin Interactive Proof Systems; Faster Hash Verification by Alexandre Belling, Azam Soleimanian, and Olivier Bégassat. While all three schemes involve commitments to witnesses, there are also a number of differences.

Zellic © 2025Back to top ↑