International Association for Cryptologic Research

CryptoDB

Plonk is Simulation Extractable in ROM Under Falsifiable Assumptions

Authors:
Helger Lipmaa, University of Tartu
Conference: TCC 2025
Abstract: Solving a long-standing open problem, Faonio, Fiore, and Russo proved that the widely used Plonk zk-SNARK is simulation extractable. However, their proof assumes both the random oracle model (ROM) and the algebraic group model. We prove that the same holds in the ROM under falsifiable assumptions. We combine the template of Faust et al., who proved that simulation extractability follows from knowledge soundness, (weak) unique response, and trapdoorless zero-knowledge, with the recent result of Lipmaa, Parisella, and Siim (Crypto 2025), who proved that Plonk has knowledge soundness in the ROM under falsifiable assumptions. For this, we prove that Plonk satisfies new variants of the weak unique response and trapdoorless zero-knowledge properties. We prove that several commonly used gadgets, like the linearization trick, are not trapdoorless zero-knowledge when considered as independent commit-and-prove zk-SNARKs.
BibTeX
@inproceedings{tcc-2025-36268,
  title={Plonk is Simulation Extractable in ROM Under Falsifiable Assumptions},
  publisher={Springer-Verlag},
  author={Helger Lipmaa},
  year=2025
}