Paper 2024/848

How (Not) to Simulate PLONK

Marek Sefranek, TU Wien
Abstract

PLONK is a zk-SNARK system by Gabizon, Williamson, and Ciobotaru with proofs of constant size (0.5 KB) and sublinear verification time. Its setup is circuit-independent, supporting proofs of arbitrary statements up to a certain size bound. Although deployed in several real-world applications, PLONK's zero-knowledge property had only been argued informally. Consequently, we were able to find and fix a vulnerability in its original specification, leading to an update of PLONK in eprint version 20220629:105924. In this work, we construct a simulator for the patched version of PLONK and prove that it achieves statistical zero knowledge. Furthermore, we give an attack on the previous version of PLONK showing that it does not even satisfy the weaker notion of (statistical) witness indistinguishability.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
zero knowledge, zk-SNARKs, simulator, vulnerability
Contact author(s)
marek sefranek @ tuwien ac at
History
2024-05-31: approved
2024-05-30: received
Short URL
https://ia.cr/2024/848
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/848,
      author = {Marek Sefranek},
      title = {How (Not) to Simulate {PLONK}},
      howpublished = {Cryptology ePrint Archive, Paper 2024/848},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/848}},
      url = {https://eprint.iacr.org/2024/848}
}