CryptoDB
Plonk is Simulation Extractable in ROM Under Falsifiable Assumptions
| Authors: | |
|---|---|
| Conference: | TCC 2025 |
| Abstract: | Solving a long-standing open problem, Faonio, Fiore, and Russo proved that the widely used Plonk zk-SNARK is simulation extractable. However, their proof assumes both the random oracle model (ROM) and the algebraic group model. We prove that the same holds in the ROM under falsifiable assumptions. We combine the template of Faust et al., who proved that simulation extractability follows from knowledge soundness, (weak) unique response, and trapdoorless zero-knowledge, with the recent result of Lipmaa, Parisella, and Siim (Crypto 2025), who proved that Plonk has knowledge soundness in the ROM under falsifiable assumptions. For this, we prove that Plonk satisfies new variants of the weak unique response and trapdoorless zero-knowledge properties. We prove that several commonly used gadgets, like the linearization trick, are not trapdoorless zero-knowledge when considered as independent commit-and-prove zk-SNARKs. |
BibTeX
@inproceedings{tcc-2025-36268,
  title={Plonk is Simulation Extractable in ROM Under Falsifiable Assumptions},
  publisher={Springer-Verlag},
  author={Helger Lipmaa},
  year=2025
}