Univariate sumcheck
tl;dr: Who said you can only sumcheck your multivariate polynomials? $\sum_{i\in[n]} a(\omega^i)b(\omega^i)$ can be proved with two size-$n$ multiexps and 6 FFTs! And verified with a size-4 multipairing (and a bit more?).
How to easily make Aptos post-quantum secure
tl;dr: “All is well. All is well.” – Ranchoddas Shamaldas Chanchad
Deploying zero-knowledge proofs with training wheels
tl;dr:
ZK relations are hard to implement.
Implement them twice: once in a ZK DSL and once in a sane language.
Enshrine a mandatory prover service that checks the sane implementation before creating a ZKP.
This way, bugs in the ZK DSL implementation cannot be exploited as long as the prover service is honest.
Vector commitments (VCs)
tl;dr: Definition of vector commitment (VC) schemes; e.g., Merkle trees, KZG-based commitments, Pointproofs[^GRWZ20], and aSVC[^TABplus20] all satisfy this definition.
Schnorr vs. ECDSA
tl;dr: It’s 2025. Do you know why Schnorr signatures are always better than ECDSA?
Pointcheval-Sanders (PS) signatures
tl;dr: Pointcheval-Sanders (PS) is the coolest, most versatile signature scheme I know of!
How to verify a Groth16 VK was generated from some R1CS
tl;dr:
Inspired by a tweet[^1], we explore whether, given (1) an R1CS and (2) some “powers-of-$\tau$”, we could construct a cryptographic proof that a Groth16 VK was derived from them.
This should make it more efficient for folks to ensure that an on-chain VK corresponds to some published ZK circuit code (e.g., circom).
Nonetheless, this is not suf...