How (Not) to Simulate PLONK

Abstract

PLONK is a zk-SNARK system by Gabizon, Williamson, and Ciobotaru with proofs of constant size (0.5 KB) and sublinear verification time. Its setup is circuit-independent supporting proofs of arbitrary statements up to a certain size bound.

Although deployed in several real-world applications, PLONK’s zero-knowledge property had only been argued informally. Consequently, we were able to find and fix a vulnerability in its original specification, leading to an update of PLONK in eprint version 20220629:105924.

In this work, we construct a simulator for the patched version of PLONK and prove that it achieves statistical zero knowledge. Furthermore, we give an attack on the previous version of PLONK showing that it does not even satisfy the weaker notion of (statistical) witness indistinguishability.

A Proofs

1.1 A.1 ZK Implies WI

We prove that zero knowledge, as formalized in Definition 5, implies witness indistinguishability, as formalized in Definition 6, for zk-SNARKs.

Proof

Assume \(\mathrm \Pi = (\textsf{Setup}, \textsf{Preproc}, \textsf{Prove}, \textsf{Verify})\) is zero-knowledge. Let \(\mathcal {A}\) be an arbitrary adversary against the witness indistinguishability of \(\mathrm \Pi \). Without loss of generality, assume that \(\mathbbm {w}_0 \ne \mathbbm {w}_1\). Construct the two adversaries \(\mathcal {A} _0, \mathcal {A} _1\) against zero knowledge of \(\mathrm \Pi \) that behave exactly as \(\mathcal {A}\), but instead of returning \((\mathbbm {i}, \mathbbm {x}, \mathbbm {w}_0, \mathbbm {w}_1, \textsf{st})\) as their first output, \(\mathcal {A} _0\) only returns \((\mathbbm {i}, \mathbbm {x}, \mathbbm {w}_0, \textsf{st})\), and \(\mathcal {A} _1\) only returns \((\mathbbm {i}, \mathbbm {x}, \mathbbm {w}_1, \textsf{st})\).

For \(i \in \{0, 1\}\), let \(\texttt{I}_{\mathcal {A} _i, \mathcal {P}}\) and \(\texttt{I}_{\mathcal {A} _i, \mathcal {S}}\) denote the two events from the definition of zero knowledge, in which \(\mathcal {A} _i\) is interacting with the honest prover \(\mathcal {P}\) or the simulator \(\mathcal {S}\), respectively. Then we have

$$\begin{aligned} \bigl |\Pr [\texttt{I}_{\mathcal {A} _0, \mathcal {P}}] - \Pr [\texttt{I}_{\mathcal {A} _0, \mathcal {S}}]\bigr | &\le \textsf{negl}(\lambda ), \end{aligned}$$

(1)

$$\begin{aligned} \bigl |\Pr [\texttt{I}_{\mathcal {A} _1, \mathcal {P}}] - \Pr [\texttt{I}_{\mathcal {A} _1, \mathcal {S}}]\bigr | &\le \textsf{negl}(\lambda ), \end{aligned}$$

(2)

which together implies

$$\begin{aligned} \bigl |\Pr [\texttt{I}_{\mathcal {A} _0, \mathcal {P}}] - \Pr [\texttt{I}_{\mathcal {A} _1, \mathcal {P}}]\bigr | \le \textsf{negl}(\lambda ). \end{aligned}$$

(3)

Note that this expression is equivalent to \(\mathcal {A}\) ’s advantage in breaking the witness indistinguishability of \(\mathrm \Pi \), which is therefore also negligible.    \(\square \)

1.2 A.2 Proof of Lemma 1

We give a proof of Lemma 1, which is used to blind the prover’s witness polynomials in PLONK in a way that reveals no information about the witness.

Proof

For all \(i \in [k]\), we have

$$\begin{aligned} \tilde{f}(x_i) = f(x_i) + Z_S(x_i) \rho (x_i), \end{aligned}$$

where the values \(f(x_i), Z_S(x_i)\) are fixed and \(Z_S(x_i) \ne 0\) (due to \(x_i \in \mathbb {F}_p\setminus S\)). Since the product of any fixed \(a \in \mathbb {F}_p^*\) and random \(b \in \mathbb {F}_p\) is uniform in \(\mathbb {F}_p\), all we need to show is that the values \(\rho (x_1), \dots , \rho (x_k)\) are distributed independently and uniformly in \(\mathbb {F}_p\), which is a well-known claim for any random degree-\((k - 1)\) polynomial such as \(\rho \in \mathbb {F}_p^{\scriptscriptstyle (\le k - 1)}[X]\). One way to see this, is by fixing any distinct \(x_1, \dots , x_k \in \mathbb {F}_p\) and observing that for any choice of \(y_1, \dots , y_k \in \mathbb {F}_p\) there is a unique degree-\((k - 1)\) polynomial interpolating the points \((x_1, y_1), \dots , (x_k, y_k)\). Formally, there are \(p^k\) distinct degree-\((k - 1)\) polynomials over \(\mathbb {F}_p\), which corresponds to the number of choices for \(y_1, \dots , y_k \in \mathbb {F}_p\). Furthermore, there cannot be any two distinct polynomials \(f_1 \not \equiv f_2 \in \mathbb {F}_p^{\scriptscriptstyle (\le k - 1)}[X]\) interpolating the same set of points \((x_1, y_1), \dots , (x_k, y_k)\), since otherwise the non-zero, degree-\((k - 1)\) polynomial \(f_1 - f_2\) would have at least k roots, which is a contradiction.    \(\square \)