Nico
LightNews LightNews
nmohnblatt.me
Nico
@nmohnblatt.me
300 followers 170 following 55 posts
picious until proven otherwise.

Cryptography research and auditing at zkSecurity. Recurring co-host on the ZKPodcast.

nmohnblatt.me
Posts Replies Media Videos
nmohnblatt.me
Amazing work from Yoichi giving a Lean proof of my recent FRI security paper (w/ Albert Garreta and Benedikt Wagner)

Super interesting workflow as well, combining TeX-to-Lean models with regular coding agents. I think we'll see a lot more of this moving forward!
pirapira.bsky.social Yoichi Hirai @pirapira.bsky.social · 10d
I'm helping formal verification of arithmetic circuits (clean) and formalization of cryptography (round-by-round soundness of FRI). I want to connect these with implementations.

round-by-round soundness of FRI: blog.zksecurity.xyz/posts/simple...
clean: blog.zksecurity.xyz/posts/clean/
Lean4 formalization of
A Lean4 formalization of the paper
blog.zksecurity.xyz
January 27, 2026 at 9:44 AM
nmohnblatt.me
Great short article from Moxie. Right in time for family dinners and questions about AI and privacy

confer.to/blog/2025/12...
Confessions to a data lake
I’ve been building Confer: end-to-end encryption for AI chats. With Confer, your conversations are encrypted so that nobody else can see them. Confer can’t read them, train on them, or hand them over ...
confer.to
December 24, 2025 at 1:58 PM
Reposted by Nico
eprint.ing.bot
Laminate: Succinct SIMD-Friendly Verifiable FHE (Kabir Peshawaria, Zeyu Liu, Ben Fisch, Eran Tromer) ia.cr/2025/2285
Abstract. In outsourcing computation to untrusted servers, one can cryptographically ensure privacy using Fully Homomorphic Encryption (FHE) or ensure integrity using Verifiable Computation (VC) such as SNARK proofs. While each is practical for some applications in isolation, efficiently composing FHE and VC into Verifiable Computing on Encrypted Data (VCoED) remains an open problem. We introduce Laminate, the first practical method for adding integrity to BGV-style FHE, thereby achieving VCoED. Our approach combines the blind interactive proof framework with a tailored variant of the GKR proof system that avoids committing to intermediate computation states. We further introduce variants employing transcript packing and folding techniques. The resulting encrypted proofs are concretely succinct: 270kB, compared to 1TB in prior work, to evaluate a batch of B = 2¹⁴ instances of size n = 2²⁰ and depth d = 32. Asymptotically, the proof size and verifier work is O(dlog (Bn)), compared to Ω(BNlog n) in prior work (for ring dimension N). Unlike prior schemes, Laminate utilizes the full SIMD capabilities of FHE for both the payload circuit evaluation and proof generation; adds only constant multiplicative depth on top of payload evaluation while performing Õ(n) FHE operations; eliminates the need for witness reduction; and is field-agnostic. The resulting cost of adding integrity to FHE, compared to assuming honest evaluation, is  ∼ 12× to  ∼ 36× overhead (for deep multiplication-heavy circuits of size 2²⁰), which is  > 500× faster than the state-of-the-art. Image showing part 2 of abstract.
December 22, 2025 at 5:27 PM
nmohnblatt.me
Also wrote a blog post that explains the proof in a shorter format and with less formality

blog.zksecurity.xyz/posts/fri-se...
October 30, 2025 at 3:24 PM
nmohnblatt.me
Trying to reduce some headaches!
eprint.ing.bot ePrint Updates @eprint.ing.bot · Oct 30
A Simplified Round-by-round Soundness Proof of FRI (Albert Garreta, Nicolas Mohnblatt, Benedikt Wagner) ia.cr/2025/1993
Abstract. The FRI protocol (ICALP ’18) is one of the most influential and widely deployed building blocks at the core of modern SNARK systems. While its concrete security is well understood, existing security proofs are intricate and technically complex. In this work, we present a significantly simpler security analysis of FRI, in particular its round-by-round soundness. Our approach is more accessible to a broader audience, lowering the barrier to understanding this fundamental protocol. Furthermore, the simplicity of our analysis may pave the way for future formal verification efforts of modern SNARK constructions.
October 30, 2025 at 1:24 PM
Reposted by Nico
zkhack.dev
It’s time to reveal the ZK Whiteboard S3 Module 1... because it's LIVE!

🥁🥁🥁🥁

How to Build Hash Functions, with Jean-Philippe (JP) Aumasson @aumasson.jp & @nicomnbl.bsky.social

Watch the full module here: zkhack.dev/whiteboard/s...
September 3, 2025 at 8:08 AM
Reposted by Nico
niixarts.bsky.social
Time has changed
August 1, 2025 at 8:15 AM
Reposted by Nico
zkhack.dev
The ZK Podcast released an episode on local-first software this week!

@arro.bsky.social and @nicomnbl.bsky.social chat w @grjte.sh & @goblinoats.com about the foundations of local-first architecture, CRDTs and how ZK can be incorporated into these models.

zeroknowledge.fm/podcast/367/
Local-First with grjte and Goblin Oats - ZK PODCAST
In this episode, Anna Rose and Nico Mohnblatt speak with Goblin Oats from Tonk and grjte from Bain Capital Crypto […]
zeroknowledge.fm
July 10, 2025 at 4:49 PM
Reposted by Nico
kohweijie.com
2/ As such, I wrote a research note to help cryptography engineers fully understand both techniques: baincapitalcrypto.com/a-deep-dive-...
A Deep Dive into Logjumps: a Faster Modular Reduction Algorithm
Logjumps is a recently discovered technique for modular reduction over large prime fields.
baincapitalcrypto.com
June 11, 2025 at 12:40 AM
Reposted by Nico
cknabs.bsky.social
I'm happy to finally open-source lattirust, a library for lattice-based zero-knowledge/succinct arguments! Lattirust is somewhat like arkworks, but for lattices; and like lattigo, but for arguments.

github.com/lattirust
lattirust
Lattice zero-knowledge/succinct arguments, and more - lattirust
github.com
May 20, 2025 at 2:55 PM
nmohnblatt.me
I wrote a thing on my colleagues Andrija and Guille's latest work
May 9, 2025 at 4:09 PM
nmohnblatt.me
Story of the ZK whiteboard series S2! The grant that supported it, how we came up with the topics, participation of our esteemed speakers, some crazy editing and how the bonus modules came to be
zkhack.dev ZK Hack @zkhack.dev · Mar 3
🎬 ZKWS S2: The Full Journey 🎬

How did the second season of ZK Whiteboard Sessions come to life – a thread.

TLDR: Check out the 8-module series on YouTube (link in bio), and the "FRI edition" Study Group starting on Tuesday March 4 on ZK Hack Discord (link in bio)!

🧵👇
March 3, 2025 at 6:49 PM
nmohnblatt.me
from the archive: Or Sattath came on the ZKPodcast to discuss quantum computing and its impact on cryptography. These two are some of my 𝐟𝐚𝐯𝐨𝐮𝐫𝐢𝐭𝐞 episodes of the show.

Part 1 covers the computation model, why it breaks some cryptography and effects on mining

zeroknowledge.fm/podcast/288/

1/2
February 26, 2025 at 3:20 PM
nmohnblatt.me
A step towards fixing the recent attack on a Fiat-Shamir'd variant of GKR.

Tl;dr: do proof-of-work before deriving the FS challenge, this will make the hash prohibitively expensive to compute in-circuit.

Caveat: they only prove the security of their transform for 1-round protocols
eprint.ing.bot ePrint Updates @eprint.ing.bot · Feb 25
Towards a White-Box Secure Fiat-Shamir Transformation (Gal Arnon, Eylon Yogev) ia.cr/2025/329
Abstract. The Fiat–Shamir transformation is a fundamental cryptographic technique widely used to convert public-coin interactive protocols into non-interactive ones. This transformation is crucial in both theoretical and practical applications, particularly in the construction of succinct non-interactive arguments (SNARKs). While its security is well-established in the random oracle model, practical implementations replace the random oracle with a concrete hash function, where security is merely assumed to carry over. A growing body of work has given theoretical examples of protocols that remain secure under the Fiat–Shamir transformation in the random oracle model but become insecure when instantiated with any white-box implementation of the hash function. Recent research has shown how these attacks can be applied to natural cryptographic schemes, including real-world systems. These attacks rely on a general diagonalization technique, where the protocol exploits its access to the white-box implementation of the hash function. These attacks cast serious doubt on the security of cryptographic systems deployed in practice today, leaving their soundness uncertain. We propose a new Fiat–Shamir transformation (XFS) that aims to defend against broad family of attacks, including the white-box attacks mentioned above. Our approach is designed to be practical, with minimal impact on the efficiency of the prover and verifier and on the proof length. At a high level, our transformation combines the standard Fiat–Shamir technique with a new type of proof-of-work that we construct. We provide strong evidence for the security of our transformation by proving its security in a relativized random oracle model. Specifically, we show that diagonalization attacks on the standard Fiat–Shamir transformation can be mapped to analogous attacks within this model, meaning they do not rely on a concrete instantiation of the random oracle. In contrast, we prove unconditionally that our XFS variant of the Fiat–Shamir transformation remains secure within this model. Consequently, any successful attack on XFS must deviate from known techniques and exploit aspects not captured by our model. We hope that our transformation will help preserve the security of systems relying on the Fiat–Shamir transformation. Image showing part 2 of abstract. Image showing part 3 of abstract.
February 25, 2025 at 4:01 PM
nmohnblatt.me
sigh
February 23, 2025 at 1:20 AM
nmohnblatt.me
Terrible news
matthewdgreen.bsky.social Matthew Green @matthewdgreen.bsky.social · Feb 21
New public statement from Apple:

“As of Friday, February 21, Apple can no longer offer Advanced Data Protection as a feature to new users in the UK.”
February 21, 2025 at 4:31 PM
nmohnblatt.me
Sublinear prover?!?! Incredible result!
eprint.ing.bot ePrint Updates @eprint.ing.bot · Feb 17
On the Power of Polynomial Preprocessing: Proving Computations in Sublinear Time, and More (Matteo Campanelli, Mario Carrillo, Ignacio Cascudo, Dario Fiore, Danilo Francati, Rosario Gennaro) ia.cr/2025/238
Abstract. Cryptographic proof systems enable a verifier to be convinced of of a computation’s correctness without re-executing it; common efficiency requirements include both succinct proofs and fast verification. In this work we put forth the general study of cryptographic proof systems with sublinear proving time (after a preprocessing). Prior work has achieved sublinear proving only for limited computational settings (e.g., vector commitments and lookup arguments), relying on specific assumptions or through non-black-box use of cryptographic primitives. In this work we lift many of these limitations through the systematic study of a specific object: polynomial commitments (PC) with sublinear proving time, a choice motivated by the crucial role that PC play in the design of efficient cryptographic schemes. Our main result is a simple construction of a PC with sublinear prover based on any vector commitment scheme (VC) and any preprocessing technique for fast polynomial evaluation. We prove that this PC satisfies evaluation binding, which is the standard security notion for PC, and show how to expand our construction to achieve the stronger notion of knowledge soundness (extractability). The first application of our result is a construction of “index-efficient” SNARKs meaning that the prover is sublinear, after preprocessing, in the size of the index (i.e., the NP-relation describing the proven statement). Our main technical contribution is a method to transform a class of standard Polynomial Interactive Oracle Proofs (PIOPs) into index-efficient PIOPs. Our construction of index-efficient SNARKs makes black-box use of such index-efficient PIOPs and a PC with sublinear prover. As a corollary, this yields the first lookup argument for unstructured tables in which the prover is sublinear in the size of the table, while making only black-box use of a VC and thus allowing instantiations from generic assumptions such as collision-resistant hash functions. Prior lookup arguments with sublinear provers were only known with non-black-box use of cryptographic primitives, or from pairings. Finally, our last application is a transformation that builds UC-secure SNARKs from simulation-extractable ones, with an approximately linear overhead in proving time (as opposed to quadratic in prior work). Image showing part 2 of abstract. Image showing part 3 of abstract.
February 17, 2025 at 6:52 AM
Reposted by Nico
matthewdgreen.bsky.social
Look folks. I want BlueSky to succeed, because we need an alternative to X. I also know this is an insane time. But if we want to create a usable alternative, people are going to have to start posting occasionally about something else.
January 30, 2025 at 11:27 PM
nmohnblatt.me
These two lectures by @danboneh.bsky.social for @zkhack.bsky.social are the best explanation of IOPPs, FRI and its variants by a country mile. Cannot recommend them enough

zkhack.dev/whiteboard/s...
zkhack.dev/whiteboard/s...
January 29, 2025 at 12:50 PM
nmohnblatt.me
programmable* cryptography

* programming difficulty may vary, developer discretion is advised.
January 27, 2025 at 7:01 PM
Reposted by Nico
kohweijie.com
Want to send crypto to Bluesky users? It's possible!

Their keypairs are for the secp256k1 curve, which Ethereum also uses. That means you can derive an ETH address from their publicly accessible signing keys.
January 24, 2025 at 3:31 AM
nmohnblatt.me
oh hello @zkhack.bsky.social 👀👀
January 23, 2025 at 12:58 AM
nmohnblatt.me
Straight to the reading list!
eprint.ing.bot ePrint Updates @eprint.ing.bot · Jan 8
How to use your brain for cryptography without trustworthy machines (Wakaha Ogata, Toi Tomita, Kenta Takahashi, Masakatsu Nishigaki) ia.cr/2025/026
Abstract. In this work, we study cryptosystems that can be executed securely without fully trusting all machines, but only trusting the user’s brain. This paper focuses on signature scheme. We first introduce a new concept called “server-aided in-brain signature,’’ which is a cryptographic protocol between a human brain and multiple servers to sign a message securely even if the user’s device and servers are not completely trusted. Second, we propose a concrete scheme that is secure against mobile hackers in servers and malware infecting user’s devices.
January 9, 2025 at 4:04 PM
Reposted by Nico
eprint.ing.bot
ZODA: Zero-Overhead Data Availability (Alex Evans, Nicolas Mohnblatt, Guillermo Angeris) ia.cr/2025/034
Abstract. We introduce ZODA, short for ‘zero-overhead data availability,’ which is a protocol for proving that symbols received from an encoding (for tensor codes) were correctly constructed. ZODA has optimal overhead for both the encoder and the samplers. Concretely, the ZODA scheme incurs essentially no incremental costs (in either computation or size) beyond those of the tensor encoding itself. In particular, we show that a slight modification to the encoding scheme for tensor codes allows sampled rows and columns of this modified encoding to become proofs of their own correctness. When used as part of a data availability sampling protocol, both encoders (who encode some data using a tensor code with some slight modifications) and samplers (who sample symbols from the purported encoding and verify that these samples are correctly encoded) incur no incremental communication costs and only small additional computational costs over having done the original tensor encoding. ZODA additionally requires no trusted setup and is plausibly post-quantum secure.
January 9, 2025 at 3:04 PM
nmohnblatt.me
mobile proving ftw
 Pratyush Mishra @zkproofs.bsky.social · Dec 7
Excited to share our new work, Scribe!
Scribe is a new low-memory SNARK that is able to prove arbitrarily-large circuits while using minimal memory.
Joint work with my excellent student coauthors Anubhav, Tushar, Karan, and Steve. (1/4)

Link: eprint.iacr.org/2024/1970
Title of the paper: Scribe: Low-memory SNARKs via Read-Write Streaming
December 8, 2024 at 2:40 AM