Help, lattice folks, what does this mean?
Abstract. Zero-Knowledge Authorization (ZKA) systems allow users to prove possession of externally issued credentials (e.g., JSON Web Tokens) without revealing the credentials in full via the usage of Zero-Knowledge Proofs (ZKP). They are increasingly promoted as privacy-preserving and decentralized alternatives for authorization, and are already deployed in practice, with proposals for higher-stakes settings such as government access-control frameworks. In this work, we show that the security and privacy of zkLogin, the most widely deployed ZKA system, cannot only be reduced to the underlying ZKP. Instead, zkLogin critically depends on non-cryptographic assumptions about JWT/JSON parsing, issuer trust policy, architectural binding, and execution-environment integrity: none of which are specified or enforced as protocol-level properties. Via an analysis of the public documentation, source code and surveys on wallets and public endpoints, we identify three broad classes of vulnerabilities in zkLogin: (i) permissive, non-canonical claim extraction that admits malformed JWTs; (ii) transformation of short-lived authentication artifacts into durable authorization credentials without enforcing their issuance context (issuer, audience, subject and temporal validity binding), which enables cross-application impersonation and misuse, particularly in browser-based deployments that expose system's material; and (iii) systemic centralization and privacy risks arising from reliance on a small set of issuers and outsourced proving infrastructure, including disclosure of user identity attributes to third-party services without consent. We note that none of the vulnerabilities identified are cryptographic in nature. Overall, our findings demonstrate that zkLogin inherits, and in some cases amplifies, fragilities of web-based authentication ecosystems, and that the security of the system cannot be reduced only to the ZKPs.
Analysis and Vulnerabilities in zkLogin (Sofia Celi, Hamed Haddadi, Kyle Den Hartog) ia.cr/2026/227
On using LLMs for research (beyond basic prompts). Section 3.2 is specifically about catching a bug in a recent SNARG paper
arxiv.org/abs/2602.03837
Amazing work from Yoichi giving a Lean proof of my recent FRI security paper (w/ Albert Garreta and Benedikt Wagner)
Super interesting workflow as well, combining TeX-to-Lean models with regular coding agents. I think we'll see a lot more of this moving forward!
I haven't had a look actually. But I suspect that's the only viable option for now
Great short article from Moxie. Right in time for family dinners and questions about AI and privacy
confer.to/blog/2025/12...
Abstract. In outsourcing computation to untrusted servers, one can cryptographically ensure privacy using Fully Homomorphic Encryption (FHE) or ensure integrity using Verifiable Computation (VC) such as SNARK proofs. While each is practical for some applications in isolation, efficiently composing FHE and VC into Verifiable Computing on Encrypted Data (VCoED) remains an open problem. We introduce Laminate, the first practical method for adding integrity to BGV-style FHE, thereby achieving VCoED. Our approach combines the blind interactive proof framework with a tailored variant of the GKR proof system that avoids committing to intermediate computation states. We further introduce variants employing transcript packing and folding techniques. The resulting encrypted proofs are concretely succinct: 270kB, compared to 1TB in prior work, to evaluate a batch of B = 2¹⁴ instances of size n = 2²⁰ and depth d = 32. Asymptotically, the proof size and verifier work is O(d log(Bn)), compared to Ω(BN log n) in prior work (for ring dimension N). Unlike prior schemes, Laminate utilizes the full SIMD capabilities of FHE for both the payload circuit evaluation and proof generation; adds only constant multiplicative depth on top of payload evaluation while performing Õ(n) FHE operations; eliminates the need for witness reduction; and is field-agnostic. The resulting cost of adding integrity to FHE, compared to assuming honest evaluation, is ∼12× to ∼36× overhead (for deep multiplication-heavy circuits of size 2²⁰), which is >500× faster than the state-of-the-art.
Laminate: Succinct SIMD-Friendly Verifiable FHE (Kabir Peshawaria, Zeyu Liu, Ben Fisch, Eran Tromer) ia.cr/2025/2285
agreed. Although I would love to see it run in a TEE, same way Signal are doing theirs. Otherwise, we are still uploading our contacts to an untrusted server
Also wrote a blog post that explains the proof in a shorter format and with less formality
blog.zksecurity.xyz/posts/fri-se...
Trying to reduce some headaches!
It's time to reveal the ZK Whiteboard S3 Module 1... because it's LIVE!
How to Build Hash Functions, with Jean-Philippe (JP) Aumasson @aumasson.jp & @nicomnbl.bsky.social
Watch the full module here: zkhack.dev/whiteboard/s...
Time has changed
The ZK Podcast released an episode on local-first software this week!
@arro.bsky.social and @nicomnbl.bsky.social chat w @grjte.sh & @goblinoats.com about the foundations of local-first architecture, CRDTs and how ZK can be incorporated into these models.
zeroknowledge.fm/podcast/367/
Is this available on iOS too?
Don't think this was the case for everyone but for me it was about keeping my phone number private (before Signal introduced usernames)
I'm kind of conflicted over this.
Up to now my Signal has been almost exclusively for personal use and Telegram exclusively for connecting at conferences. And I've come to value this clean separation
To the point where I have said no to connecting over Signal
2/ As such, I wrote a research note to help cryptography engineers fully understand both techniques: baincapitalcrypto.com/a-deep-dive-...
I'm happy to finally open-source lattirust, a library for lattice-based zero-knowledge/succinct arguments! Lattirust is somewhat like arkworks, but for lattices; and like lattigo, but for arguments.
→ github.com/lattirust
I wrote a thing on my colleagues Andrija and Guille's latest work
Video or it didn't happen
Story of the ZK whiteboard series S2! The grant that supported it, how we came up with the topics, participation of our esteemed speakers, some crazy editing and how the bonus modules came to be
But this might not work in your case depending on how strict you want to be on the caveat you mentioned
The usual pattern is:
1. arrange the keys into a Merkle tree and give each signer their authentication path in that tree
2. signer produces a signature on the data
3. signer produces a ZKP that signature verifies against some public key, and that this public key is included in the Merkle tree
Part 2 starts with important terminology (pre-quantum vs post-quantum vs quantum). Or then explains how to make Bitcoin and Ethereum post-quantum secure via signature lifting and then talks about using quantum computers to make digital money
zeroknowledge.fm/podcast/297/
2/2
from the archive: Or Sattath came on the ZKPodcast to discuss quantum computing and its impact on cryptography. These two are some of my favourite episodes of the show.
Part 1 covers the computation model, why it breaks some cryptography and effects on mining
zeroknowledge.fm/podcast/288/
1/2
A step towards fixing the recent attack on a Fiat-Shamir'd variant of GKR.
Tl;dr: do proof-of-work before deriving the FS challenge; this makes the hash prohibitively expensive to compute in-circuit.
Caveat: they only prove the security of their transform for 1-round protocols
sigh
Correct!
Terrible news
Sublinear prover?!?! Incredible result!