Marek Sefranek
Dipl.-Ing. / BSc
Roles
 PreDoc Researcher
Publications (created while at TU Wien)

2024

How (Not) to Simulate PLONK
Sefranek, M. (2024). How (Not) to Simulate PLONK. In Security and Cryptography for Networks (pp. 96–117).
DOI: 10.1007/978-3-031-71070-4_5
Abstract
PLONK is a zk-SNARK system by Gabizon, Williamson, and Ciobotaru with proofs of constant size (0.5 KB) and sublinear verification time. Its setup is circuit-independent, supporting proofs of arbitrary statements up to a certain size bound. Although deployed in several real-world applications, PLONK's zero-knowledge property had only been argued informally. Consequently, we were able to find and fix a vulnerability in its original specification, leading to an update of PLONK in eprint version 20220629:105924. In this work, we construct a simulator for the patched version of PLONK and prove that it achieves statistical zero knowledge. Furthermore, we give an attack on the previous version of PLONK showing that it does not even satisfy the weaker notion of (statistical) witness indistinguishability.
How to simulate PLONK: A formal security analysis of a zkSNARK
Sefranek, M. (2023). How to simulate PLONK: A formal security analysis of a zkSNARK [Diploma Thesis, Technische Universität Wien]. reposiTUm.
DOI: 10.34726/hss.2023.111120
Abstract
Zero-knowledge proofs enable proving a statement without revealing any information beyond its truth. This paradoxical notion has evolved over the last few decades from a theoretical concept to the wide adoption of highly efficient zero-knowledge proof systems in practice. At the forefront of this development are proof systems called zk-SNARKs, which stands for zero-knowledge succinct non-interactive argument of knowledge. Not only do they avoid multiple rounds of interaction, but zk-SNARKs also offer succinct proofs whose length is much shorter than the size of the proved statement, with some constructions even achieving constant-size proofs. Among the most recent state-of-the-art constructions is the zk-SNARK "PLONK" by Gabizon, Williamson, and Ciobotaru from 2019. It has constant-size proofs of only half a kilobyte and sublinear proof verification time. Furthermore, it only requires a single trusted setup of its public parameters to support proofs of any statement up to a certain size bound, making PLONK a universal and fully succinct zk-SNARK. Although highly influential and implemented in several real-world applications, there is no formal security proof of its zero-knowledge property. In this thesis, we disclose a vulnerability found in PLONK's implementation of zero knowledge and propose how to fix it. As a result, the PLONK protocol has been patched accordingly. Our primary contribution is a formal security proof establishing that the resulting version of PLONK achieves statistical zero knowledge. Towards this goal, we show how to simulate proofs up to an exponentially small difference without relying on any secret information used by the prover. Following the standard definition of zero knowledge, this implies that PLONK proofs reveal (statistically) zero information beyond the truth of the statement. Moreover, we conduct a rigorous security analysis of the entire PLONK protocol, proving the security of all its underlying components. This allows us to show a precise upper bound on PLONK's knowledge soundness error in the algebraic group model. Since the original proof given by the authors of PLONK relies on the same idealized model, our results help towards a better understanding of the security guarantees of PLONK in general.
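Both abstracts rest on the same proof pattern: zero knowledge is shown by exhibiting a simulator that outputs proofs without the prover's secret, and a failure of the property is shown by a transcript that depends visibly on that secret. The following is an added illustration of that pattern, written for this page and not taken from the thesis, the paper or the PLONK project. It uses the simplest instance, the Schnorr protocol for knowledge of a discrete logarithm, in a toy group (the subgroup of order 11 generated by 2 modulo 23, chosen so that every possible transcript can be enumerated and the honest and simulated distributions compared exactly). The under-blinded prover at the end is a flaw constructed for the example; it is not the PLONK issue the abstracts refer to, whose details this page does not give.

```python
from collections import Counter
from fractions import Fraction

# Toy group, constructed for this example: 2 has prime order 11 modulo 23.
P, Q, G = 23, 11, 2


def verify(h, transcript):
    """Schnorr verification: accept (a, c, z) iff g^z == a * h^c (mod p)."""
    a, c, z = transcript
    return pow(G, z, P) == (a * pow(h, c, P)) % P


def honest_transcript(x, r, c):
    """Honest prover holding witness x = log_g(h): a = g^r, z = r + c*x mod q."""
    return (pow(G, r, P), c, (r + c * x) % Q)


def simulated_transcript(h, c, z):
    """Simulator that never sees x: choose z first, then solve for the
    commitment a = g^z * h^(-c) so that the verification equation holds."""
    h_inv = pow(h, P - 2, P)  # h^(-1) mod p, valid because p is prime
    return ((pow(G, z, P) * pow(h_inv, c, P)) % P, c, z)


def honest_distribution(x):
    """Exact honest-verifier transcript distribution: r and c uniform over Z_q."""
    return Counter(honest_transcript(x, r, c) for r in range(Q) for c in range(Q))


def simulated_distribution(h):
    """Exact simulator output distribution: z and c uniform over Z_q."""
    return Counter(simulated_transcript(h, c, z) for z in range(Q) for c in range(Q))


def statistical_distance(d1, d2):
    """Total variation distance between two distributions given as Counters."""
    n1, n2 = sum(d1.values()), sum(d2.values())
    keys = set(d1) | set(d2)
    return sum(abs(Fraction(d1[k], n1) - Fraction(d2[k], n2)) for k in keys) / 2


def all_valid(h, dist):
    """True iff every transcript in the distribution passes verification."""
    return all(verify(h, t) for t in dist)


def underblinded_distribution(x):
    """Constructed flaw (not PLONK's): the prover draws its commitment
    randomness r from {0, 1} only, so the commitment a = g^r no longer hides r."""
    return Counter(honest_transcript(x, r, c) for r in (0, 1) for c in range(Q))


def extract_witness(h, transcript):
    """Attack on the under-blinded prover: a in {g^0, g^1} reveals r, and then
    x = (z - r) * c^(-1) mod q.  Returns None if this transcript leaks nothing."""
    a, c, z = transcript
    r = {1: 0, G: 1}.get(a)
    if r is None or c == 0:
        return None
    x = ((z - r) * pow(c, Q - 2, Q)) % Q  # c^(-1) mod q, valid because q is prime
    return x if pow(G, x, P) == h else None


if __name__ == "__main__":
    x = 7
    h = pow(G, x, P)
    print("honest vs simulated distance:",
          statistical_distance(honest_distribution(x), simulated_distribution(h)))
    print("under-blinded vs simulated distance:",
          statistical_distance(underblinded_distribution(x), simulated_distribution(h)))
    print("witness recovered from an under-blinded transcript:",
          extract_witness(h, honest_transcript(x, 0, 5)))
```

A distance of exactly zero between the honest and simulated distributions is the zero-knowledge statement itself (perfect here; "statistical" zero knowledge, as claimed for PLONK, allows an exponentially small gap). The under-blinded variant shows the shape of the negative result: once the commitment randomness is too small, a transcript determines r and with it the witness, which is far stronger than merely breaking witness indistinguishability.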