BN254 security level

The default proving backend of Noir is Aztec's Barretenberg, which uses the curve BN254 together with the Grumpkin curve as a cycle of curves.

With recent advances in optimizing the special tower number field sieve (STNFS), the BN254 curve no longer provides 128-bit security; its security level is now estimated to be around 102 bits. Proofs generated by the Barretenberg backend therefore have the same level of security. Zcash has switched to the BLS12-381 curve for this reason.
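The following is an added example, not code from the report or from Barretenberg. It derives BN254's primes from the BN family parameter and shows where the two figures come from: generic attacks on the 254-bit group give about 127 bits, while the pairing maps into the field F_{p^12}, which is the discrete-log target that STNFS improvements apply to. The parameter `u`, the equation y^2 = x^3 + 3 and the generator (1, 2) are the standard alt_bn128 values and are assumptions not stated on the page; the code does not reproduce the 102-bit estimate.

```python
# Added example: standard BN254 (alt_bn128) parameters, assumed, not from the report.
U = 4965661367192848881                      # BN family parameter u
P = 36*U**4 + 36*U**3 + 24*U**2 + 6*U + 1    # base field prime p(u)
R = 36*U**4 + 36*U**3 + 18*U**2 + 6*U + 1    # prime group order r(u)
G1 = (1, 2)                                  # generator on y^2 = x^3 + 3 over F_p

def add(a, b):
    """Affine addition on y^2 = x^3 + 3; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                          # a == -b (covers doubling with y == 0)
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def embedding_degree(limit=64):
    """Smallest k with r | p^k - 1: the pairing lands in F_{p^k}."""
    return next(k for k in range(1, limit + 1) if pow(P, k, R) == 1)

def summary():
    k = embedding_degree()
    return {
        "p_bits": P.bit_length(),
        "r_bits": R.bit_length(),
        "order_checks_out": mul(R, G1) is None,   # r * G is the point at infinity
        "rho_bits": R.bit_length() // 2,          # generic sqrt(r) attack on the group
        "embedding_degree": k,
        "target_field_bits": (P ** k).bit_length(),  # field attacked by (S)TNFS
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

The polynomial form of `P` in `u` is what makes the "special" variant of the tower number field sieve applicable to this curve's target field.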

The proof system is not directly at risk at the time of writing this report, but it cannot be excluded that future advances in the ongoing research will lower the security level of this curve. A long-term project would be to use a different proving backend with a larger security margin.

Zellic © 2024