New preprint is up! We put it up so we can submit to poster sessions, I will write more about it when it gets accepted.
credit where credit is due: this AI-generated code is the only research-grade cryptography code I have ever seen that tried to properly do domain separation.
typoed zero-knowledge as "aero-knowledge". we're going aero knowledge baby π
this mistake is really scary because i can definitely see somebody looking at this and thinking "yeah looks fine"
when hashing a multiset with m elements in a field of size k, this achieves a security level of O(k^(1/(1 + log m)))!!! (see www.enseignement.polytechnique.fr/informatique...)
adventures in vibe coding cryptography: I was asked to review some AI-generated cryptography code. It implemented a multiset hash function which computed the hash of a multiset by hashing each element individually with Poseidon, and then adding them together as field elements.
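The additive construction described in the post above, together with the generalized-birthday attack that breaks it, as an added Python example (this is not the reviewed code, and it is not Poseidon: SHA-256 reduced mod p stands in for the per-element hash, an assumption that does not change the attack, because the attack only uses the additive structure of the outer hash). Wagner's 4-list algorithm finds four fresh elements whose hash sum equals the hash of any target multiset using lists of roughly p^(1/3) entries each, which is the exponent 1/(1 + log m) for m = 4 quoted in the thread and well below the sqrt(p) a generic birthday search needs; the field size is a toy 2^31 - 1 so the run takes well under a second, and the element names are constructed inputs.

```python
"""Generalized-birthday (Wagner 4-list) collision against an additive multiset hash.

Construction under review: H(M) = sum_{x in M} h(x)  (mod P), h a per-element hash.
Added example: Poseidon is replaced by SHA-256 reduced mod P (an assumption; the
attack only uses the additive structure of H and never looks inside h).
"""
import hashlib
from bisect import bisect_left

P = 2**31 - 1  # toy field size; the list sizes below scale as P**(1/3)


def elem_hash(x: bytes) -> int:
    """Stand-in for Poseidon(x): SHA-256 reduced modulo P (assumption, not Poseidon)."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") % P


def multiset_hash(elems) -> int:
    """The flawed construction: hash every element, then add the field elements."""
    return sum(elem_hash(e) for e in elems) % P


def _pairs_with_sum_in(list_a, list_b, lo, width):
    """Every (a, b) with (h(a) + h(b)) mod P in [lo, lo + width).

    Both lists hold (hash, element) tuples and list_b must be sorted by hash, so
    the admissible h(b) values for a fixed h(a) form one or two contiguous runs.
    """
    hashes_b = [hb for hb, _ in list_b]
    out = []
    for ha, a in list_a:
        start = (lo - ha) % P          # h(b) must lie in [start, start + width) mod P
        end = start + width
        runs = [(start, min(end, P))]
        if end > P:                    # the window wraps past P: add the tail from 0
            runs.append((0, end - P))
        for r_lo, r_hi in runs:
            i = bisect_left(hashes_b, r_lo)
            while i < len(hashes_b) and hashes_b[i] < r_hi:
                out.append(((ha + hashes_b[i]) % P, a, list_b[i][1]))
                i += 1
    return out


def find_four_element_preimage(target: int, n: int = 3000):
    """Wagner's 4-list algorithm: 4 distinct elements whose additive hash is `target`.

    Each list has n ~ P**(1/3) entries, so about 4 * P**(1/3) hash calls beat the
    sqrt(P) a generic birthday attack needs; the exponent 1/3 is 1/(1 + log2 4).
    Returns None if the (very unlikely) case of no match occurs.
    """
    width = int(round(P ** (2 / 3)))   # partial sums are forced into a window this size
    lists = []
    for k in range(4):
        names = [b"attacker-%d-%d" % (k, i) for i in range(n)]  # constructed inputs
        lists.append(sorted((elem_hash(name), name) for name in names))
    # level 1: h1 + h2 in [0, width) and h3 + h4 in (target - width, target] mod P
    left = _pairs_with_sum_in(lists[0], lists[1], 0, width)
    right = _pairs_with_sum_in(lists[2], lists[3], (target - width + 1) % P, width)
    # level 2: a plain join on the remaining window of size `width`
    by_partial = {s: (a, b) for s, a, b in left}
    for s, c, d in right:
        hit = by_partial.get((target - s) % P)
        if hit is not None:
            return [hit[0], hit[1], c, d]
    return None


if __name__ == "__main__":
    honest = [b"victim"]
    forged = find_four_element_preimage(multiset_hash(honest))
    print(forged, multiset_hash(forged) == multiset_hash(honest))
```

Running it forges a 4-element multiset that collides with the singleton {victim}. The same shape of attack scales to a 254-bit field by using more lists: with m = 2^k lists the work is about m * p^(1/(k+1)), which is why a plain sum of per-element hashes is not a collision-resistant multiset hash.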
another complaint about zkVMs that isn't frequently brought up: for reasonably large programs, compiling/running your code takes a few minutes, which is super disruptive to staying focused.
a unique winter sight in College Park: a common sledding location is the hill next to the IONQ office :)
The other hair tearing moment is that we wanted our RISC-Zero code to interoperate with some optimized Nova circuits. Poseidon is comically slow on RISC-Zero because of the inefficiency of compiling large field operations to a 32 bit ISA (like 500k-1 million CPU cycles per hash).
I was looking over the former student's code and you could make it 3x faster by patching in the SHA-256 precompile. Like, a one-line change, which is kind of buried in the documentation, makes this fairly natural code 3x faster.
I have to work on a project for grad school which uses the RISC-Zero zkVM. Reiterating a hot take I have had previously: zkVMs are not actually that developer friendly as soon as you need to try to optimize your code in any way!
There was a small proof I was stuck on, so I asked a few different AI assistants to help me prove it. They were all wrong, but ChatGPT did give a correct outline of a proof, where it was correct after working out the details.
and this is why they thought our application of Fiat Shamir is insecure.
i now realize that the reviewer's real issue is that they don't understand how a proof system like Spartan supports random in-circuit challenges (you generate randomness that depends on the private witness w by hashing the value of the polynomial commitment to the witness)
they also confused fixed point and floating point arithmetic and then used that confusion as a point against us.
and then says our protocol is potentially insecure because of this. Is this not common knowledge??? If you incorrectly implement F-S, the protocol will be insecure.
i got rejection #4 of grad school today! I got a new insane reviewer highlight: Our paper says "this protocol can be made noninteractive via the Fiat-Shamir transform" in a few places, and the reviewer comments "if you don't pass everything into the F-S hash function, this would be insecure".
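The weak-versus-strong Fiat-Shamir distinction behind the reviewer quote above, and the "derive the challenge by hashing the commitment" idea mentioned elsewhere in the thread, in a toy Schnorr proof of knowledge of a discrete log (added Python example, not from the paper or the poster; the group is the prime-order subgroup of a deterministically generated ~64-bit safe prime with generator 4, a toy assumption). With a transcript that hashes only the commitment R and not the statement X, a forger can fix R and s first and solve the verification equation for X, producing a proof that verifies for a public key whose discrete log nobody knows; hashing (X, R) makes the same forgery fail.

```python
"""Weak vs. strong Fiat-Shamir on a toy Schnorr proof of knowledge of a discrete log.

Added example. Group: the order-Q subgroup of Z_p^* for a deterministically
generated ~64-bit safe prime P = 2Q + 1 with generator G = 4 (toy assumption).
"""
import hashlib
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24 (far above our sizes)."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime_above(start: int):
    """Smallest odd q >= start with q and 2q+1 both prime; returns (P, Q)."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = _safe_prime_above(1 << 63)
G = 4  # a quadratic residue, so it generates the subgroup of prime order Q


def challenge(*parts: int) -> int:
    """Fiat-Shamir hash into Z_Q. Fixed-width encoding plus a tag keeps the
    transcript unambiguous (domain separation matters here as well)."""
    h = hashlib.sha256(b"toy-schnorr-v1")
    for v in parts:
        h.update(v.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def prove(x: int, X: int, weak: bool):
    """Honest prover for X = G^x. weak=True hashes only the commitment R (the bug)."""
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    c = challenge(R) if weak else challenge(X, R)
    s = (r + c * x) % Q
    return R, s


def verify(X: int, R: int, s: int, weak: bool) -> bool:
    """Check G^s == R * X^c with c recomputed from the (weak or strong) transcript."""
    c = challenge(R) if weak else challenge(X, R)
    return pow(G, s, P) == R * pow(X, c, P) % P


def forge_weak_fs():
    """A proof that verifies under weak F-S for an X whose discrete log nobody knows.

    Because c depends only on R, the forger fixes R and s first and solves the
    verification equation G^s == R * X^c for X = (G^s / R)^(1/c). R is hashed into
    the subgroup, so its log is unknown, and therefore so is the log of X.
    """
    seed = int.from_bytes(hashlib.sha256(b"nothing-up-my-sleeve").digest(), "big")
    R = pow(seed % (P - 1) + 1, 2, P)  # squaring lands in the order-Q subgroup
    while True:
        c = challenge(R)
        if c != 0 and R != 1:
            break
        R = R * G % P                  # another unknown-log element; retry
    s = 0x1234                         # any value works
    X = pow(pow(G, s, P) * pow(R, -1, P) % P, pow(c, -1, Q), P)
    return X, R, s


if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1
    X = pow(G, x, P)
    print("honest, strong F-S:", verify(X, *prove(x, X, weak=False), weak=False))
    Xf, Rf, sf = forge_weak_fs()
    print("forged, weak F-S  :", verify(Xf, Rf, sf, weak=True))
    print("forged, strong F-S:", verify(Xf, Rf, sf, weak=False))
```

The fix is only the transcript: every value the verifier will use in the check, statement included, goes into the hash before the challenge is squeezed out, which is also why an in-circuit challenge that depends on the witness is derived from the commitment to that witness rather than from the witness itself.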
this is especially true in systems when you would be posting to the chain really frequently (once per user login or once per bid in an auction). Of course, "blockchain" sounds cooler than "CDN/transparency log", but I would love papers to be more realistic about these systems design details.
when you have a public, append-only database, I think the main insight should be that you can put it in a CDN/transparency log and thus be able to serve it very efficiently, and not something about blockchains.
applied cryptography take: when a lot of cryptography papers need a publicly verifiable, append-only database, they almost always write "blockchain," when I think they should be writing "blockchain/transparency log". there are rarely economic incentives that would make a public blockchain make sense
a large percentage of my bluesky posts have been complaining about reviewers but it has been super frustrating recently
i have spent a really frustrating amount of time in grad school re-reading stuff I wrote and asking "how could a reviewer misread this and use this as an excuse to reject the paper without reading the rest of it"
please use it! I wonder how many undiscovered issues of this form are in the cryptography literature.
I have used this simple technique to find issues in 3 of the 4 papers I have reviewed in grad school so far:
When reading a proof/protocol, just ask yourself "is every quantity that needs to be polynomially bounded for this to work actually poly bounded?"
the one near my old job was playing obscure songs by The Smiths i think they get super niche sometimes
i finished my last class of grad school! i am done with classes for life! (hopefully)
"Some random background character from Les Misérables"
x.com/dailyportalz...
Japan's "Mundane Halloween" costume contest is back!
Each year website DailyPortalZ holds a contest where people dress up as something super duper ordinary.
Here's a thread of some of my favorites from the 2025 contest!
#MundaneHalloween
Grok research mode is the only one that was ever free and none of the queries I ran were more useful than regular LLM conversation. it would just make the same types of mistakes as a regular LLM and then run with them for a much longer response.
this is more than 100 GB of public parameters! this is so rage inducing since it's a rebuttal response and there's no way to respond. also i feel like i've seen this misconception in the SNARK space a few times that cq/lasso are complete magic and have no drawbacks whatsoever.