. @VitalikButerin is right: privacy must be integrated directly into wallets. But, while smooth UX is necessary, it is not sufficient for broader adoption of privacy in web3. Privacy must be on by default, regulatory compliant & free. How do we make it accessible for all? 🧵

More alpha dripping from the Kinexys Project EPIC report by @jpmorgan, just for you, anon: Onchain privacy for institutions matters on three fronts: 1. Anonymity 2. Confidentiality 3. Auditability Without these three, no serious institution will ever deploy assets onchain 🧵

Until @TornadoCash is fully cleared from the OFAC list, onchain privacy will suffer low adoption. What if we could provide users with a compliant privacy tool? At @NPLabs_ we propose one such design: it's like Tornado, but with an anonymity revoker. Curious how it works? 🧵

To `withdraw` funds, the user must create a zero-knowledge proof (actual ZK!) attesting to: 1. Knowledge of the randomness used in generating the commitment 2. Membership in the Merkle Tree of commitments They also publish part of their randomness to prevent double spending ↩️

As I've been diving deep into privacy for blockchains over the last months, I naturally assumed that everyone in web3 is familiar with how @TornadoCash works - at least at a high level. I was recently surprised that many had no clue. Here's my CT explainer of Tornado Cash 🧵

Tokenized funds on public blockchains: $3B Global assets under management: $98T Yes, that's T for TRILLION. The onchain tokenized assets account for 0.003% of the TAM. For traditional investors, data privacy is a baseline requirement.

Provable Anti Money Laundering would combine AI models for flagging suspicious activity with verifiable SNARK techniques (such as @ezklxyz's tooling for zkML) to "identify and stop high-risk activity without compromising a user’s privacy" - as desired. It's the North Star, but:

We are stuck with programmable privacy. Private payments have been possible with ZCash or Tornado, but a fully private, programmable chain (like EVM) remains elusive. “zkRollups” are not private! (see my linked thread for details) So, why are we stuck? And is there any hope? 🧵

Unstoppable technical blogging only from @NPLabs_: Today, we have a deep dive into arithmetic circuits (AC): their usage in SNARKs, our Rust implementation, and the relation (no pun intended) between AC and Rank-1 Constraint System. Blog: tl;dr in 🧵:

As part of our exploration at @NPLabs_ into plonky3 and recursive proofs, we've been working on an implementation of hybrid-hash Merkle Trees. We have a technical primer for you: and a high-level summary in this 🧵:

Last year, @Istvan_A_Seres, @cryptonoemi and @josephbonneau published the Naysayer Proofs paper, proposing optimistic verification of SNARKs. We present the first instantiation of Naysayer proofs for Ligero & Brakedown polynomial commitment schemes:

iykyk

Looks like there is some renewed interest in Rabin-Williams signatures out there. Sharing my old implementation in case this helps the community. There is no audit, use at your own risk: Rabin-Williams has a much faster verifier than RSA, because it involves squaring instead of exponentiation (or, put simply, exponent e=2). Its security relies on the difficulty of finding quadratic residues mod n (composite), which follows from the difficulty of factoring n.

Another deep dive from @NPLabs_ just landed, this time in the zkML land: Our goal is to highlight how changes in the number of model parameters impact the tradeoff between accuracy of ML models vs. proving time for verifiable inference.

Why will interoperability of rollups win vs. single chain with massive throughput? Because apps will benefit from modifications to the underlying execution engine (e.g. EVM). These chains, with minor modifications each, can still be interoperable and provide much better UX.

The first piece of writing we have for you as the newly rebranded @NPLabs_ is a deep dive into the Ligero Polynomial Commitment Scheme (PCS): We review its soundness analysis and study the number of column openings required for a target security level.