Notes

• Widely used Plonky3 Merkle tree secures ~$4B in assets
• Its underlying 2-to-1 compression function lacks collision-resistance and one-wayness, potentially undermining security
• Common countermeasure is pre-hashing data before use as leaves
• First rigorous security analysis of this Merkle tree design, showing Plonky3 approach is sound
• Demonstrates (strong) position-binding and extractability
• Enhances confidence in Plonky3 for SNARKs and vector commitments applications

• Plonky3 Merkle树因其高效性被广泛部署，通过集成到多个简洁论证系统中，目前保障约40亿美元资产
• 其底层2对1压缩函数不具备抗碰撞性甚至单向性，初看可能危及整个Merkle树安全
• 常用对策是在使用数据作为叶子节点前进行预哈希处理
• 本研究首次对该Merkle树设计进行严格安全分析，证明Plonky3方法实际上是安全的
• 具体展示了（强）位置绑定和可提取性特性
• 研究结果增强了Plonky3在SNARKs和向量承诺等应用中的可信度