
gnark commitments to private witnesses in Groth16 as implemented break zero-knowledge property

This report concerns the Groth16 prover when used with commitments (as in frontend.Committer). To simplify exposition of the issue, I will focus on the case of a single commitment, to only private witnesses. But the issue should be present whenever commitments are used that include private witnesses.

The commitment to private witnesses w_i is computed as c = sum_i w_i * b_i where b_i would be ProvingKey.CommitmentKeys[0].Basis[i] in the code. While this is a binding commitment, it is not hiding. In practice, an adversary will know the points b_i, as they are part of the proving key, and can verify correctness of a guess for the values of w_i by computing c' as the right hand side of the above formula, and checking whether c' is equal to c. I attach a proof of concept that demonstrates this. This breaks the perfect zero-knowledge property of Groth16, so the Groth16 scheme using commitments to private witnesses as implemented by gnark fails to be a zk-SNARK.

The code indicates that the extension to Groth16 given by the commitments follows the paper "Recursion over Public-Coin Interactive Proof Systems; Faster Hash Verification" by Alexandre Belling, Azam Soleimanian, and Olivier Begassat. In that paper, it seems that commitments are applied to what were originally public inputs, which are moved to private witnesses for efficiency reasons. In any case, that paper does not discuss any hiding/privacy/zero-knowledge properties of their protocols. So for the use-cases envisioned…
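As an added illustration (not code from the advisory or from gnark), the following reproduces the non-hiding property described above in a toy multiplicative group with constructed parameters: the unblinded commitment is a deterministic function of the witness, so recomputing it from a guess confirms or refutes that guess. A blinded variant is included for contrast; it is the standard Pedersen-style remedy and an assumption of this example, not a fix the advisory prescribes.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Toy stand-in for the scheme in the advisory. gnark works with elliptic
// curve points and computes c = sum_i w_i * b_i; the same algebra is written
// multiplicatively here in Z_p^*: c = prod_i basis[i]^w_i mod p.
// Every parameter below is constructed for illustration, not a gnark key.
var (
	p     = big.NewInt(1000003)                                      // constructed prime modulus
	basis = []*big.Int{big.NewInt(2), big.NewInt(3), big.NewInt(5)} // stand-in for Basis[i]
	h     = big.NewInt(7)                                            // extra generator, blinded variant only
)

// commit is the deterministic commitment the advisory describes: it depends
// on the private witnesses alone and uses no randomness.
func commit(w []*big.Int) *big.Int {
	c := big.NewInt(1)
	for i, wi := range w {
		c.Mul(c, new(big.Int).Exp(basis[i], wi, p)).Mod(c, p)
	}
	return c
}

// commitBlinded multiplies in h^r for a secret r; with r unknown the
// recomputation check below no longer works (assumed remedy, see lead-in).
func commitBlinded(w []*big.Int, r *big.Int) *big.Int {
	c := commit(w)
	return c.Mul(c, new(big.Int).Exp(h, r, p)).Mod(c, p)
}

// guessMatches is the check from the advisory: recompute c' from a guessed
// witness using the public basis and compare it with the published c.
func guessMatches(c *big.Int, guess []*big.Int) bool {
	return commit(guess).Cmp(c) == 0
}

func main() {
	w := []*big.Int{big.NewInt(1), big.NewInt(2), big.NewInt(3)} // constructed private witness
	c := commit(w)
	fmt.Println("unblinded, correct guess:", guessMatches(c, w))                                                 // true
	fmt.Println("unblinded, wrong guess:  ", guessMatches(c, []*big.Int{big.NewInt(1), big.NewInt(2), big.NewInt(4)})) // false

	// r drawn from [1, p-2] so the blinding term is never the identity.
	r, _ := rand.Int(rand.Reader, new(big.Int).Sub(p, big.NewInt(2)))
	r.Add(r, big.NewInt(1))
	fmt.Println("blinded, correct guess:  ", guessMatches(commitBlinded(w, r), w)) // false
}
```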
