Paper 2024/721

Real-world Universal zkSNARKs are non-malleable

Antonio Faonio, EURECOM
Dario Fiore, IMDEA Software
Luigi Russo, EURECOM

Simulation extractability is a strong security notion for zkSNARKs: it guarantees that an attacker who produces a valid proof must know the corresponding witness, even if the attacker had prior access to proofs generated by other users. Notably, simulation extractability implies that proofs are non-malleable, which is of fundamental importance for applications of zkSNARKs in distributed systems. In this work, we study sufficient and necessary conditions for constructing simulation-extractable universal zkSNARKs via the popular design approach based on compiling polynomial interactive oracle proofs (PIOPs). Our main result is the first security proof that popular universal zkSNARKs, such as PLONK and Marlin, as deployed in the real world, are simulation-extractable. Our result fills a gap left by previous work (Faonio et al. TCC’23, and Kohlweiss et al. TCC’23), which could only prove the simulation extractability of the “textbook” versions of these schemes and does not capture their optimized variants, with all the popular optimization tricks in place, that are eventually implemented and deployed in software libraries.

Category: Cryptographic protocols
Publication info
Keywords: polynomial commitments, non-malleability, simulation-extractability, zero-knowledge, commit-and-prove, IOP
Contact author(s)
antonio faonio @ eurecom fr
dario fiore @ imdea org
russol @ eurecom fr
2024-05-11: approved
2024-05-10: received
License: Creative Commons Attribution


      author = {Antonio Faonio and Dario Fiore and Luigi Russo},
      title = {Real-world Universal zkSNARKs are non-malleable},
      howpublished = {Cryptology ePrint Archive, Paper 2024/721},
      year = {2024},
      note = {\url{}},
      url = {}