And it's here! Our analysis on concrete vs provable security for FRI is now public. Specifically, our paper examines the potential security loss that would occur if the widely used conjectures about the soundness of the FRI protocol turn out to be false: that would potentially
Let's break down this Intel SGX (TEE) breach.
Disclaimer: This breach primarily affects processors that are now End of Life (EOL). However, these processors are still widely used in certain embedded systems, making this breach relevant for those environments.
Relevance of
Intel HW is too complex to be absolutely secure! After years of research we finally extracted Intel SGX Fuse Key0, AKA Root Provisioning Key. Together with FK1 or Root Sealing Key (also compromised), it represents Root of Trust for SGX. Here's the key from a genuine Intel CPU😀
@lexfridman
Jeffrey Epstein has strengths and flaws. Warren Buffett has strengths and flaws. I may be wrong, but I think we need to consider all 4 of these categories with an open mind....... see what I missed there, beside both being financiers?
And it's here! In this work, we establish new results on the Fiat-Shamir security of several protocols widely used in practice: FRI, batched FRI, and most Plonk-like zk SNARKs that use low-degree proximity testing as a subroutine. Why should you care?
1/3
Just published this blog post on the recent progress on verifying ECDSA signatures privately, using zk proofs. Verifying these signatures privately allows for clean anonymous credentials compatible with your existing Ethereum (and many more) addresses. 1/2
vitalik wants STARKed Poseidon instead of verkle trees but true snark variant connoisseurs want BINIUSed grøstl for the stronger existing hash crypto-analysis
Never thought I'd be giving a talk at a church. Let alone a talk titled "Anonymous Credentials in the Real World." Cryptography might be soon coming to a church near you!
Groth16: The proofs are small and fast, but need a trusted setup
PLONK: Universal, efficient, and we ditched the trusted setup
PLONKY2: Like PLONK, but with even more optimization magic
Sonic: Updatable and versatile proofs
Bulletproofs: No trusted setup, range proofs on point
Microsoft: We have world class AI research
Google: We have world class AI research
Meta: We’re one or two steps behind in AI research
Apple: We’re not talking, but we have a bunch of AI research
Amazon: You bought a toilet seat last week, do you want a toilet seat this week?
The reward structure for cryptanalysis work is broken.
Cryptographers and cryptanalysts who uncover vulnerabilities in widely-used hash functions and symmetric encryption algorithms contribute immensely to global security. Yet, their rewards are often limited to academic
Update from on Intel SGX (TEE) Breach: clarifications and mitigations
Earlier this week
@_markel___
reported extracting Intel SGX Fuse Key0 (Root Provisioning Key) and Root Sealing Key (FK1), both critical to the SGX Root of Trust. Statement from Intel contextualizes this
This is a pretty alarming result. Before models/agents get deployed in important decision-making scenarios such as law enforcement, healthcare etc. we’re going to need a public registrar of models trained from scratch in some non-backdoorable fashion.
There are more than 400K models on
@huggingface
. It would probably take more than a decade to review all of them. Is it possible to check whether any of them has undetectable backdoors?
Our main result is an efficient construction of undetectable
Please attend my upcoming talk on a new paper with
@matthew_d_green
. This work aims to answer the following question: Can crypto hardware manufacturers subvert/backdoor these devices to reap the rewards? We study this for proof-of-work mining, VDFs, & all "puzzle" primitives. 1/n
💡 Upcoming Research Seminar!
🗓️ Monday 7th November, 16:00 UTC.
🗣️
@PratyushRT
📘 Algorithm-Substitution Attacks on Cryptographic Puzzles.
Save the date via the link below 👇
We shipped the first anonymous credentials for YC founders! Just published this blogpost diving into more details. With zk tech maturing, it's very exciting to build consumer apps utilizing the progress!
@ketlxyz
@bigwhalelabs
Happy to announce that our paper, “Time-Deniable Signatures” has been accepted to
@PET_Symposium
2023. Looking forward to the conference in 🇨🇭 Lausanne 🇨🇭
Congrats to my coauthors
@gabrie_beck
@matthew_d_green
Abhishek Jain and Arka Rai Choudhuri!
@benadida
@mspecter
@matthew_d_green
There's also (sort of) a follow-up paper we put out on Time-deniable Signatures: these can only be verified for a limited period of time. Once this time window passes, the signature is deniable, i.e., the original signer can equivocate the signature.
Excited to announce that this work will be published + presented at Asiacrypt 2023! First IACR paper for me to be accepted on the first submission attempt 🙃
Account abstraction and smart-contract wallets are set to improve the safety of all Ethereum accounts. Just published this blog post exploring the impact this will have on the onchain identity-based infrastructure, apps, and cryptography. 1/2
Going forward, I will post my favorite cryptography/security/privacy paper from the latest eprint update every week.
This week's pick: this work on securely erasing sensitive data (keys etc.) from memory. The consequences can be catastrophic and exploits worked on OpenSSL.
1/2
Just published this blog post on the state of open-source protocols for E2E encrypted communication in the group setting. We discuss protocols from
@signalapp
@xmpp
and
@matrixdotorg
! Another very interesting area of cryptography other than zk. 1/2
New paper alert!
We prove and establish new relationships between various soundness notions for interactive oracle proofs (IOPs). Many recent constructions of efficient zk proofs, such as the Plonk-ish, RedShift, Fractal, etc. are compiled from IOPs.
Why should you care? 1/2
Our
#cryptography
research team's newest paper is live 🔥 They analyze notions of security for Interactive Oracle Proofs (IOP), namely Special Soundness, and Round-by-round (RBR) (knowledge) soundness.
TLDR👇🧵
By Nethermind's
@0xAlbertG
&
@mpfzajac
Putting out a new academic paper is almost like releasing a film or a show - you have to advertise it to get the word out! Especially in crypto/zk. From podcast appearances and invited research seminars to tweeting threads and media coverage, there's a lot of work to be done
Struggling with performance goals for your
#zkproofs
powered app/dapp? Here's a more in-depth look at optimizing your framework:
📊 Key aspects: prover time, proof size, verifier time
1/ Too many constraints in your Circom-built proof circuit? Consider these options:
So Alex Block and I are going to release this soon. We *do not propose an improved attack* but show that concrete security deployments are not at the same level as provable security. The projects we did this analysis for are
@0xPolygon
@RiscZero
@the_matter_labs
@StarkWareLtd
@socrates1024
I'm disappointed that Intel screwed up and left the root key in an accessible location. And this definitely reduces confidence in all the later processors. Wondering if it makes sense for them to have a cloud-only TEE like
@awscloud
Nitro. These types of attacks that affect an
The recent blog post on stealth addresses by
@VitalikButerin
ends with how wallets should move to a multi-address model: a fresh address for every app. Just published this response post exploring this technical direction further.
@bigwhalelabs
Excited to announce that this work will be published in a special issue of the Journal of Cryptology! Highly recommend submitting foundational work there, the reviews were very high quality and helped us improve this work further.
A sad reality of the market downturn is that grant funding for future-focused research goes away first. Future-focused research does not generate revenue in the short term and hence is the first direction that's dropped in a funding crunch. However, most cool and exciting
Many prominent zk applications (at Starkware, Polygon, Mina, Dusk, Nil) are deploying FRI-based and Plonk-like proof systems. We fill the gap in security analyses and provide general tools for doing so for certain similar protocols. 3/3
@SuccinctJT
@0xAlbertG
@mpfzajac
@matthew_d_green
and I suspected that mining devices can be backdoored for a while. The exact attack vector from our FC '24 paper is now being uncovered as a real-world threat. How much can manufacturers benefit from these backdoors? In this thread:
Wow just figured out Bitmain's latest fuckery in real time.
I'll give you the back story...
Once upon a time Bitmain was grinding merkle roots instead of nonces aka "covert ASICBOOST".
This gave them an advantage over other miners who didn't know this was possible. One company
Curious about novel applications of
#zkproofs
! What unique use cases are you working on, and which specific proof system are you utilizing? Let's also talk about your tech stack for deployment. Which tools and platforms are you leveraging to bring your zk proof projects to life?
Been working on this with
@Istvan_A_Seres
and
@OmerShlomovits
for a few months now. In the problem of bequeathing cryptoassets, a testator wishes to bequeath cryptoassets - e.g. secrets, static keys or cryptocurrency - to their heirs.
As an example, let's consider the history of breaking the MD5 hash function.
MD5, designed by Ron Rivest in 1991 as a secure replacement for MD4, was intended to be robust against vulnerabilities. Yet, as early as 1993, Den Boer and Bosselaers found a "pseudo-collision" in the
The "death of privacy" with LLM proliferation is not a sudden event, but a slow, almost imperceptible process - much like death by a thousand cuts. Each interaction with centralized LLM providers adds another small wound to our privacy.
Every query, every conversation with
What is the impact of this?
While this is not a better attack, it implies that there is a honeypot for attackers if a better attack is found. Following is a list of applications where FRI-based SNARKs/proof systems are used:
– zkEVMs/Rollups. FRI-based SNARKs are currently
I don't get why people give folks working on zk a hard time for using weird abbreviations. Do y'all really prefer we say "Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge" every time instead of just Plonk ??
"We haven't fully spec'ed [squisher circuits] out, as Honk and Goblin Plonk schemes are still being improved! .. we'll need some extra circuit(s) to squish a Honk proof into a Standard Plonk or Fflonk proof .."
are zk people okay
My pick for the best paper from eprint updates this week: 2024/1395
Apple’s iMessage PQ3 post-quantum security update has now been formally verified!
Earlier this year, Apple announced a significant cryptographic security upgrade in iMessage history with the introduction of
Not a lot of folks understand this very important difference in deploying code in trusted execution environments. There are two different ways to get remote attestations in SGX: EPID vs DCAP.
Remote attestation ensures that the code running on a TEE is exactly what it claims to
@PratyushRT
Yes! DCAP is plain old signatures*, EPID is a fancy ring signature. When we had TEEs client side, this is important for client privacy, and Intel in the loop is a given. But now we run TEEs server side and don't want Intel in the loop, and the *p256 sigs in DCAP are hard enough
This week's pick for the best paper on eprint follows up on my thread about cryptanalysis incentives: While many argue that breaks in symmetric crypto aren't a huge concern, recent events prove otherwise. Case in point: last week's break of XCB, an algorithm standardized in IEEE
Glaze emerged as a proposed solution to the problem of generative models increasingly threatening artists' livelihoods by mimicking their unique styles without permission. The recent attack (by
@florian_tramer
and Nicholas Carlini) that breaks Glaze serves as another important
Some thoughts by Nicholas Carlini and me about Glaze, and how the actions of its developers might not be in the best interest for the security of their user base:
Proud to have been the first engineering fellow
@CeloHQ
. Learned a lot while designing an efficient Zero Knowledge protocol to enable each user on the Celo ecosystem to prove the correctness of their Eigentrust score. Thanks to
@marekolszewski
@CeloHQ
.
Hyped for all these amazing events
@EthereumDenver
! Rough schedule as follows:
-
@priv_alliance
UPA Privacy Summit on Feb 27
-
#zkDayDenver
on Feb 28
- Future Computing Research Workshop by
@DelendumV
on Mar 1: my talk on anonymous credentials is here!
- Mar 2-3 and evenings
What are some good ways to manage research papers you've read already so that you can quickly grab the gist if you come back a year later. Any particular techniques and annotation tricks you use?
#phdlife
#phdchat
#AcademicChatter
@AcademicChatter
#Web3
/
#crypto
conferences should learn something from how academic conferences are run. Recently, sessions on zk/privacy engineering at crypto conferences feel repetitive + from the same people. The presentation spots are not based on merit, but on a who-you-know metric. 1/n
I will be giving a talk on "Anonymous Credentials in the Real World" at the Future Computing Research Workshop on March 1st. Inviting all zk and cryptography enthusiasts coming to
@EthereumDenver
! Many exciting talks in one action-packed day. 1/2
FS transform allows proving the non-interactive security of interactive proof systems/protocols. Some works claim FS-security of their proof system/protocol, but only under the assumption that certain many-round sub-protocols (like FRI) of the overall protocol are FS-secure. 2/3
@pseudotheos
This is a misnomer/misrepresentation created by use cases in the industry, started by zk-rollups that only focus on succinctness. The actual cryptographic definition of zero-knowledge/ZK proofs inherently includes privacy.
If you're a founder or vc at
#SBC23
and want to join our anonymous, zk-based socials
@ketlxyz
come find me to get a physical sign-up token. I'm in the Bay Area from tomorrow for a week, attending some pre and post-SBC events as well. Excited to meet old friends and make new ones!
@gakonst
I agree, but at the same time this is not the end state for TEEs. Ultimately, anyone should be able to dockerize any open-source codebase and run it in an enclave. This is already possible with Nitro enclaves, others should come up to the same quality of tooling.
I will be presenting our work on time-deniable signatures first thing today in the Authentication track at
#pets23
! Co-author
@gabrie_beck
is also here, come say hi to us 🙂
So satisfying to see many months of our team's product, protocol, dev and design work come to fruition :)
Come join an exclusive, anonymous community of founders and VCs!
Excited to launch ketl - our decentralized anonymous app for top founders & vcs on
@ProductHunt
today.
Seamless web2 like UX but:
- decentralized via
@0xPolygon
- open source
- anonymous verification through zk
Would love your support today:
@0xPolygon
@RiscZero
@the_matter_labs
@StarkWareLtd
Please tag people from these projects and I’ll send them a copy before we put the paper out next week. Again, this is not an attack just improved knowledge about the right deployment parameters for FRI-based proof systems.
We cannot have thousands of chains that remain active, so how does a blockchain die? Let's start by reflecting on the state of the market from 10 years ago today. One of the top 3 projects was ahead of its time and is dead today.
"Just another governance token" - a common
@kobigurk
@_markel___
It's difficult to fully assess the impact of this vulnerability without complete details, and Intel's response is understandably framed to protect its interests and reputation.
Scroll: We're optimizing EVM compatibility
Polygon Hermez: We're perfecting zkSync 2.0
zkSync: We're focusing on high-level languages
Starkware: We're focusing on compiling to a zk-friendly language
Ethereum users: Can we just get some faster transactions, please? 😅
EPID (Enhanced Privacy ID) was developed by Intel to provide secure, anonymous device authentication and is deployed in millions of Intel-enabled devices worldwide. It uses Intel's signature system to verify code integrity, relying heavily on Intel's centralized infrastructure.
@florian_tramer
As AI systems become increasingly integrated into our daily lives, the stakes for security and privacy tools in this domain continue to rise. The Glaze case study serves as a call to action for the AI/ML security community to adopt standards and practices akin to those in
Call for collaborators: Next semester, I'll be running an AI Safety Camp research project that explores how policy-based signatures can help with fine-grained access to powerful models. Links attached 👇
@florian_tramer
At the top publication venues maybe the open-sourcing of code for relevant papers should be a requirement to be eligible for awards if not a hard requirement for accepted papers.
This shift is crucial to ensure that proposed solutions truly protect users and don't inadvertently
Happy to share that I will be one of the mentors for the
#BUIDLathon
@EthereumDenver
and I’m super excited to support hackers and builders working on zk/privacy tech!
@pseudotheos
Need to be careful to not have an FTX-equivalent moment for zk. Bad security parameters, lack of expert reviews and a move-fast-and-break-things attitude: definitely not the way with new cryptography tech.
We informed all the relevant projects of this new analysis. In the full paper (link below) we also provide recommended parameters for deploying FRI with provable security of 100-bits. This work has been peer-reviewed already and has been accepted for publication at SCN '24. 3/3
Congrats to my co-authors Eran Tromer,
@secparam
, Christina Garman,
@MadarsV
, Alessandro Chiesa,
@EliBenSasson
for winning a “test of time” award at IEEE S&P for Zerocash!
The current UX of encrypted group chats leaves something to be desired. Would love to hear of instances where people wished they had better/more features on their group chats and why! Latest in our series on crypto x socials
@bigwhalelabs
2/2
@0xMert_
Interesting developments, but it's crucial to consider the full picture (correct me if I'm wrong on Solana's per transaction compute limits, not a Solana expert):
While ZK compression offers impressive state scaling on Solana, large-scale verifiable computation still faces
Can cryptography be AI's guardrail?
1/ Cryptography is intrinsically anti-AI: breaking discrete log or other cryptographic assumptions will probably be beyond the reach of AI even in the future
This strong foundation is a powerful tool for AI containment
While DCAP (Data Center Attestation Primitives) was developed by Intel for flexible and scalable attestation in enterprise environments, it is very well suited for decentralized environments. DCAP allows organizations to create and manage their own attestation systems. This
@GuidoVranken
Never heard of anyone I know using Bing/Yandex. Google search works great everyday, no hiccups, image search works amazingly well. Agree on that they need innovation but existing stuff not a replacement to Google’s search tech stack, but can be viewed as very complementary!
@kobigurk
@_markel___
My understanding is that the extracted key (Fuse Key0) is encrypted and not in plain text. This implies that even if FK0 is obtained, the GWK (or Fuse Encryption Key) protecting it would also need to be compromised to make malicious use of FK0 feasible. And yes GWK has not been
@gakonst
@neha
@socrates1024
This is not accurate, the host can see memory access patterns but not read the memory: these are vastly different outcomes
Highly recommend this quality article on the actual impact of proof-of-work cryptocurrency mining. Following comparisons put things in perspective:
1/2
In contrast, folks like
@florian_tramer
and Nicholas Carlini demonstrate the kind of approach that the AI/ML security field should strive to emulate. Their work on analyzing Glaze exemplifies best practices: they openly released their attack code, provided thorough documentation
@rel_zeta_tech
If I remember correctly, trilinear maps can be used to construct iO
So the jump from bilinear to trilinear maps has massive cryptographic outcomes
As a cryptographer, I respect people who only communicate via Signal. Socially, though, it’s kinda sus if that’s your only means of communication. Maybe mix in some carrier pigeons for balance?