Nico
@nicomnbl.bsky.social
290 followers 160 following 49 posts
picious until proven otherwise. Cryptography research and auditing at zkSecurity. Recurring co-host on the ZKPodcast. Troubadour at HMLTD. ♟ 1. b3. nmohnblatt.github.io
Reposted by Nico
ZK Hack @zkhack.dev · Sep 3
It’s time to reveal the ZK Whiteboard S3 Module 1... because it's LIVE!

🥁🥁🥁🥁

How to Build Hash Functions, with Jean-Philippe (JP) Aumasson @aumasson.jp & @nicomnbl.bsky.social

Watch the full module here: zkhack.dev/whiteboard/s...
nicomnbl.bsky.social
Is this available on iOS too?
nicomnbl.bsky.social
Don't think this was the case for everyone but for me it was about keeping my phone number private (before Signal introduced usernames)
nicomnbl.bsky.social
I'm kind of conflicted over this.

Up to now my Signal has been almost exclusively for personal use and Telegram exclusively for connecting at conferences. And I've come to value this clean separation

To the point where I have said no to connecting over Signal
Reposted by Nico
cknabs.bsky.social
I'm happy to finally open-source lattirust, a library for lattice-based zero-knowledge/succinct arguments! Lattirust is somewhat like arkworks, but for lattices; and like lattigo, but for arguments.

github.com/lattirust
nicomnbl.bsky.social
Video or it didn't happen 👀
nicomnbl.bsky.social
Story of the ZK whiteboard series S2! The grant that supported it, how we came up with the topics, participation of our esteemed speakers, some crazy editing and how the bonus modules came to be
ZK Hack @zkhack.dev · Mar 3
🎬 ZKWS S2: The Full Journey 🎬

How did the second season of ZK Whiteboard Sessions come to life – a thread.

TLDR: Check out the 8-module series on YouTube (link in bio), and the "FRI edition" Study Group starting on Tuesday March 4 on ZK Hack Discord (link in bio)!

🧵👇
nicomnbl.bsky.social
But this might not work in your case depending on how strict you want to be on the caveat you mentioned
nicomnbl.bsky.social
The usual pattern is:
1. arrange the keys into a Merkle tree and give each signer their authentication path in that tree
2. signer produces a signature on the data
3. signer produces a ZKP that signature verifies against some public key, and that this public key is included in the Merkle tree
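The three steps above, as an added example that is not Nico's code and not any library's. The keys are hash-based Lamport one-time keys, chosen here so that both the signature check and the Merkle path check are plain SHA-256 relations that a circuit could express. Only the relation the ZKP would prove is written out; the proof system itself is assumed, not implemented, and every name below is hypothetical.

```python
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signatures (hash-based, so the verify relation is circuit-friendly) ---

def lamport_keygen(rng=os.urandom):
    """Secret key: 256 pairs of 32-byte secrets; public key: their SHA-256 images."""
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def message_bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    """Reveal one secret per message bit. A Lamport key must sign only ONE message."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][bit] for i, bit in enumerate(message_bits(msg)))


# --- Step 1: Merkle tree over the public keys, one authentication path per signer ---

def pk_leaf(pk) -> bytes:
    # 0x00 is the leaf domain tag; inner nodes use 0x01 so a leaf can never pose as a node.
    return H(b"\x00" + b"".join(h0 + h1 for h0, h1 in pk))


def build_tree(leaves):
    """Returns the levels bottom-up; levels[-1][0] is the root. Pads to a power of two."""
    level = list(leaves)
    size = 1
    while size < len(level):
        size *= 2
    level += [H(b"\x00empty")] * (size - len(level))  # padding leaves match no real key
    levels = [level]
    while len(level) > 1:
        level = [H(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def auth_path(levels, index):
    """Sibling hashes from the leaf up to (but excluding) the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path


def merkle_verify(root: bytes, leaf: bytes, index: int, path) -> bool:
    node = leaf
    for sibling in path:
        node = H(b"\x01" + (node + sibling if index % 2 == 0 else sibling + node))
        index //= 2
    return node == root


# --- Steps 2 and 3: the relation a ZKP would prove ---
# Public inputs: root, msg.   Private witness: pk, sig, index, path.
# A deployment compiles this function into a circuit and publishes a proof of it, so a
# verifier learns that *some* enrolled key signed msg without learning which one.

def anonymous_signer_relation(root, msg, pk, sig, index, path) -> bool:
    return lamport_verify(pk, msg, sig) and merkle_verify(root, pk_leaf(pk), index, path)
```

The Lamport scheme is one-time, so in this layout each leaf is spent after a single proof; a many-time hash-based scheme or an EC signature would replace it in practice, and the circuit would have to implement that scheme's verifier instead.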
nicomnbl.bsky.social
Part 2 starts with important terminology (pre-quantum vs post-quantum vs quantum). Or then explains how to make Bitcoin and Ethereum post-quantum secure via signature lifting and then talks about using quantum computers to make digital money

zeroknowledge.fm/podcast/297/

2/2
nicomnbl.bsky.social
from the archive: Or Sattath came on the ZKPodcast to discuss quantum computing and its impact on cryptography. These two are some of my 𝐟𝐚𝐯𝐨𝐮𝐫𝐢𝐭𝐞 episodes of the show.

Part 1 covers the computation model, why it breaks some cryptography and effects on mining

zeroknowledge.fm/podcast/288/

1/2
nicomnbl.bsky.social
A step towards fixing the recent attack on a Fiat-Shamir'd variant of GKR.

Tl;dr: do proof-of-work before deriving the FS challenge, this will make the hash prohibitively expensive to compute in-circuit.

Caveat: they only prove the security of their transform for 1-round protocols
eprint.ing.bot
Towards a White-Box Secure Fiat-Shamir Transformation (Gal Arnon, Eylon Yogev) ia.cr/2025/329
Abstract. The Fiat–Shamir transformation is a fundamental cryptographic technique widely used to convert public-coin interactive protocols into non-interactive ones. This transformation is crucial in both theoretical and practical applications, particularly in the construction of succinct non-interactive arguments (SNARKs). While its security is well-established in the random oracle model, practical implementations replace the random oracle with a concrete hash function, where security is merely assumed to carry over.

A growing body of work has given theoretical examples of protocols that remain secure under the Fiat–Shamir transformation in the random oracle model but become insecure when instantiated with any white-box implementation of the hash function. Recent research has shown how these attacks can be applied to natural cryptographic schemes, including real-world systems. These attacks rely on a general diagonalization technique, where the protocol exploits its access to the white-box implementation of the hash function. These attacks cast serious doubt on the security of cryptographic systems deployed in practice today, leaving their soundness uncertain.

We propose a new Fiat–Shamir transformation (XFS) that aims to defend against broad family of attacks, including the white-box attacks mentioned above. Our approach is designed to be practical, with minimal impact on the efficiency of the prover and verifier and on the proof length. At a high level, our transformation combines the standard Fiat–Shamir technique with a new type of proof-of-work that we construct.

We provide strong evidence for the security of our transformation by proving its security in a relativized random oracle model. Specifically, we show that diagonalization attacks on the standard Fiat–Shamir transformation can be mapped to analogous attacks within this model, meaning they do not rely on a concrete instantiation of the random oracle. In contrast, we prove unconditionally that our XFS variant of the Fiat–Shamir transformation remains secure within this model. Consequently, any successful attack on XFS must deviate from known techniques and exploit aspects not captured by our model.

We hope that our transformation will help preserve the security of systems relying on the Fiat–Shamir transformation.
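An added illustration of the TL;DR above. This is not the XFS construction from the paper (which builds a specific new kind of proof-of-work) and not Nico's or zkSecurity's code: a Schnorr proof of knowledge of a discrete log, made non-interactive with Fiat-Shamir, where the prover must grind a nonce on the transcript before the challenge is derived from it. The group is a toy safe prime picked for readability and is not secure; the difficulty constant and the hash layouts are assumptions.

```python
import hashlib
import os

# Toy Schnorr group (assumption, readability only, NOT secure):
# p = 23 is a safe prime, q = (p-1)/2 = 11, and g = 4 generates the order-q subgroup.
P, Q, G = 23, 11, 4
POW_BITS = 12  # grinding difficulty (assumption); deployments tune it to their security target


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def encode(*ints: int) -> bytes:
    return b"".join(x.to_bytes(32, "big") for x in ints)


def has_leading_zero_bits(digest: bytes, bits: int) -> bool:
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def grind(transcript: bytes, bits: int) -> int:
    """Proof-of-work: find a nonce whose hash with the transcript has `bits` leading zeros.
    A cheating prover that wants to evaluate the challenge hash inside its own statement
    must reproduce this loop there as well, which is the cost the transform relies on."""
    nonce = 0
    while not has_leading_zero_bits(H(transcript, encode(nonce)), bits):
        nonce += 1
    return nonce


def challenge(transcript: bytes, nonce: int) -> int:
    """Fiat-Shamir challenge, derived only after the PoW nonce is bound into the transcript."""
    return int.from_bytes(H(b"challenge", transcript, encode(nonce)), "big") % Q


def prove(x: int, pk: int, msg: bytes):
    """Prove knowledge of x with pk = g^x, bound to msg."""
    r = int.from_bytes(os.urandom(32), "big") % Q
    commitment = pow(G, r, P)
    transcript = encode(pk, commitment) + msg
    nonce = grind(transcript, POW_BITS)          # work first ...
    c = challenge(transcript, nonce)             # ... then the challenge
    s = (r + c * x) % Q
    return commitment, nonce, s


def verify(pk: int, msg: bytes, proof) -> bool:
    commitment, nonce, s = proof
    transcript = encode(pk, commitment) + msg
    if not has_leading_zero_bits(H(transcript, encode(nonce)), POW_BITS):
        return False                             # prover skipped the work
    c = challenge(transcript, nonce)
    return pow(G, s, P) == (commitment * pow(pk, c, P)) % P
```

The verifier's extra cost is one hash to check the nonce; the prover pays about 2^POW_BITS hashes per proof. As the post's caveat says, the paper only proves its transform secure for one-round protocols, and this sketch does nothing to change that.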
nicomnbl.bsky.social
Terrible news
matthewdgreen.bsky.social
New public statement from Apple:

“As of Friday, February 21, Apple can no longer offer Advanced Data Protection as a feature to new users in the UK.”
nicomnbl.bsky.social
Sublinear prover?!?! Incredible result!
eprint.ing.bot
On the Power of Polynomial Preprocessing: Proving Computations in Sublinear Time, and More (Matteo Campanelli, Mario Carrillo, Ignacio Cascudo, Dario Fiore, Danilo Francati, Rosario Gennaro) ia.cr/2025/238
Abstract. Cryptographic proof systems enable a verifier to be convinced of a computation’s correctness without re-executing it; common efficiency requirements include both succinct proofs and fast verification. In this work we put forth the general study of cryptographic proof systems with sublinear proving time (after a preprocessing). Prior work has achieved sublinear proving only for limited computational settings (e.g., vector commitments and lookup arguments), relying on specific assumptions or through non-black-box use of cryptographic primitives. In this work we lift many of these limitations through the systematic study of a specific object: polynomial commitments (PC) with sublinear proving time, a choice motivated by the crucial role that PC play in the design of efficient cryptographic schemes.
Our main result is a simple construction of a PC with sublinear prover based on any vector commitment scheme (VC) and any preprocessing technique for fast polynomial evaluation. We prove that this PC satisfies evaluation binding, which is the standard security notion for PC, and show how to expand our construction to achieve the stronger notion of knowledge soundness (extractability). The first application of our result is a construction of “index-efficient” SNARKs meaning that the prover is sublinear, after preprocessing, in the size of the index (i.e., the NP-relation describing the proven statement). Our main technical contribution is a method to transform a class of standard Polynomial Interactive Oracle Proofs (PIOPs) into index-efficient PIOPs. Our construction of index-efficient SNARKs makes black-box use of such index-efficient PIOPs and a PC with sublinear prover. As a corollary, this yields the first lookup argument for unstructured tables in which the prover is sublinear in the size of the table, while making only black-box use of a VC and thus allowing instantiations from generic assumptions such as collision-resistant hash functions. Prior lookup arguments with sublinear provers were only known with non-black-box use of cryptographic primitives, or from pairings. Finally, our last application is a transformation that builds UC-secure SNARKs from simulation-extractable ones, with an approximately linear overhead in proving time (as opposed to quadratic in prior work).
nicomnbl.bsky.social
Bit of a tradeoff. We have O(1) proofs and verifiers using univariate polynomials, whereas sumcheck gives at best O(log(circuit))
nicomnbl.bsky.social
It replaces the "quotient polynomial". This was the method used to succinctly check that all the Plonk constraints or AIR rows are satisfied.

The advantage is that with sumcheck the prover no longer needs to perform polynomial division and therefore can run in linear time
nicomnbl.bsky.social
The original description has it as an IP (no oracles). And the messages are actually super short: for a MV polynomial with degree at most d in each variable, the prover only needs to send d field elements in each round
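To make the sizes discussed in this thread concrete, here is an added example that is not Nico's code and not any particular library's: a sumcheck over the product of two multilinear polynomials, so each round polynomial has degree d = 2 and the prover sends two field elements per round, the third evaluation being implied by the running claim. The field (a Mersenne prime) and the fixed challenges standing in for the verifier's coins are assumptions; all names are hypothetical.

```python
PRIME = 2**61 - 1      # assumption: a Mersenne prime field, fast in pure Python
INV2 = pow(2, -1, PRIME)


def restrict(table, r):
    """Fix the first (most significant) variable of a multilinear evaluation table to r."""
    half = len(table) // 2
    return [(table[i] * (1 - r) + table[i + half] * r) % PRIME for i in range(half)]


def evaluate(table, point):
    for r in point:
        table = restrict(table, r)
    return table[0]


def inner_sum(f, g):
    """Sum over the Boolean hypercube of f(x) * g(x), both given as evaluation tables."""
    return sum(a * b for a, b in zip(f, g)) % PRIME


def interpolate_deg2(s0, s1, s2, r):
    """Evaluate at r the unique degree-2 polynomial through (0, s0), (1, s1), (2, s2)."""
    l0 = (r - 1) * (r - 2) * INV2
    l1 = r * (2 - r)
    l2 = r * (r - 1) * INV2
    return (s0 * l0 + s1 * l1 + s2 * l2) % PRIME


class Prover:
    """Holds the tables, progressively restricted to the verifier's challenges."""

    def __init__(self, f, g):
        self.f, self.g = list(f), list(g)

    def round_message(self):
        # g_i(t) = sum over the remaining Boolean variables of f(t, ...) * g(t, ...),
        # degree <= 2 in t. Only g_i(0) and g_i(2) are sent: the verifier already knows
        # g_i(0) + g_i(1) (it is the running claim), so g_i(1) costs no bandwidth.
        return tuple(inner_sum(restrict(self.f, t), restrict(self.g, t)) for t in (0, 2))

    def bind(self, r):
        self.f, self.g = restrict(self.f, r), restrict(self.g, r)


def run_sumcheck(f, g, claim, challenges):
    """Interactive sumcheck for  sum_{x in {0,1}^n} f(x) g(x) == claim.
    `challenges` stands in for the verifier's random coins, one per variable.
    Returns (accepted, transcript); the transcript holds the 2 field elements sent per round."""
    assert len(f) == len(g) and len(f) & (len(f) - 1) == 0, "tables must share a power-of-two size"
    n = len(f).bit_length() - 1
    assert len(challenges) == n
    prover, transcript = Prover(f, g), []
    for r in challenges:
        s0, s2 = prover.round_message()
        transcript.append((s0, s2))
        s1 = (claim - s0) % PRIME                  # enforce g_i(0) + g_i(1) == claim
        claim = interpolate_deg2(s0, s1, s2, r)    # next claim is g_i(r)
        prover.bind(r)
    # Final check: one oracle query each to f and g at the random point (computed directly here;
    # in a SNARK this is where a polynomial commitment opening would stand in).
    return claim == (evaluate(f, challenges) * evaluate(g, challenges)) % PRIME, transcript
```

Communication is 2n field elements for n variables, i.e. logarithmic in the table size, and the verifier's work per round is one degree-2 interpolation; the linear-time cost sits entirely with the prover, who halves its tables each round. Replacing the `challenges` list with hashes of the transcript so far is exactly the Fiat-Shamir step.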
Reposted by Nico
matthewdgreen.bsky.social
Look folks. I want BlueSky to succeed, because we need an alternative to X. I also know this is an insane time. But if we want to create a usable alternative, people are going to have to start posting occasionally about something else.