Janno Siim
LightNews LightNews
banner
jannosiim.bsky.social
Janno Siim
@jannosiim.bsky.social
170 followers 160 following 23 posts
Lecturer in Cryptography at the University of Tartu.
From Estonia.
ZK proofs, SNARKs, security assumptions.
Homepage: https://sites.google.com/view/jannosiim
Posts Replies Media Videos
Reposted by Janno Siim
eprint.ing.bot
On Reed–Solomon Proximity Gaps Conjectures (Elizabeth Crites, Alistair Stewart) ia.cr/2025/2046
Abstract. We disprove a range of conjectures for Reed-Solomon codes underpinning the security and efficiency of many modern proof systems, including SNARKs based on FRI (Ben-Sasson-Bentov-Horesh-Riabzev, ICALP’18), DEEP-FRI (Ben-Sasson-Goldberg-Kopparty-Saraf, ITCS’20), STIR (Arnon-Chiesa-Fenzi-Yogev, CRYPTO’24), and WHIR (Arnon-Chiesa-Fenzi-Yogev, preprint). Concretely, we prove that the following conjectures are false: 1. The correlated agreement up-to-capacity conjecture of Ben-Sasson-Carmon-Ishai-Kopparty-Saraf (J. ACM’23), 2. The mutual correlated agreement up-to-capacity conjecture of WHIR, 3. The list-decodability up-to-capacity conjecture of DEEP-FRI, which follows from existing results in the literature. We then propose minimal modifications to these conjectures up to the list-decoding capacity bound. Our second main contribution is a proof that correlated agreement with small enough error probability implies list decoding of Reed-Solomon codes. Thus, any future results on our correlated agreement conjectures with small enough error probability would imply similar results in classical list decoding. A reduction from proximity gaps to list-decodability was heretofore a natural open problem. Image showing part 2 of abstract.
November 5, 2025 at 8:58 PM
Reposted by Janno Siim
tjesi.bsky.social
The EU Parliament has published a new proposal for Chat Control to mass-surveil all digital communication in Europe. The proposal is ineffective, weakens secure communication, and violates basic human privacy. This must be stopped immediately. #ChatControl
csa-scientist-open-letter.org/Sep2025
csa-scientist-open-letter.org
September 9, 2025 at 11:11 AM
Reposted by Janno Siim
helger.bsky.social
Really happy to have Jens Groth visiting us in Tartu and giving a seminar on ZK, zkVMs, and AI on Tuesday
August 17, 2025 at 3:41 PM
jannosiim.bsky.social
This is some mind-blowing stuff :o
eprint.ing.bot ePrint Updates @eprint.ing.bot · Jul 16
Gödel in Cryptography: Effectively Zero-Knowledge Proofs for NP with No Interaction, No Setup, and Perfect Soundness (Rahul Ilango) ia.cr/2025/1296
Abstract. A zero-knowledge proof demonstrates that a fact (like that a Sudoku puzzle has a solution) is true while, counterintuitively, revealing nothing else (like what the solution actually is). This remarkable guarantee is extremely useful in cryptographic applications, but it comes at a cost. A classical impossibility result by Goldreich and Oren [J. Cryptol. ’94] shows that zero-knowledge proofs must necessarily sacrifice basic properties of traditional mathematical proofs — namely perfect soundness (that no proof of a false statement exists) and non-interactivity (that a proof can be transmitted in a single message). Contrary to this impossibility, we show that zero-knowledge with perfect soundness and no interaction is effectively possible. We do so by defining and constructing a powerful new relaxation of zero-knowledge. Intuitively, while the classical zero-knowledge definition requires that an object called a simulator actually exists, our new definition only requires that one cannot rule out that a simulator exists (in a particular logical sense). Using this, we show that every falsifiable security property of (classical) zero-knowledge can be achieved with no interaction, no setup, and perfect soundness. This enables us to remove interaction and setup from (classical) zero-knowledge in essentially all of its applications in the literature, at the relatively mild cost that such applications now have security that is “game-based” instead of “simulation-based.” Our construction builds on the work of Kuykendall and Zhandry [TCC ’20] and relies on two central, longstanding, and well-studied assumptions that we show are also necessary. The first is the existence of non-interactive witness indistinguishable proofs, which follows from standard assumptions in cryptography. The second is Krajícek and Pudlák’s 1989 conjecture that no optimal proof system exists. This is one of the main conjectures in the field of proof complexity and is the natural finitistic analogue of the impossibility of Hilbert’s second problem (and, hence, also Gödel’s incompleteness theorem). Our high-level idea is to use these assumptions to construct a prover and verifier where no simulator exists, but the non-existence of a simulator is independent (in the logical sense of unprovability) of an arbitrarily strong logical system. One such logical system is the standard axioms of mathematics: ZFC. Image showing part 2 of abstract. Image showing part 3 of abstract.
July 16, 2025 at 3:39 PM
jannosiim.bsky.social
Springer just sent an "Urgent" email that many authors from Crypto 2025 (all from ZK community) have broken references provided as "?" in their camera-ready version:
July 16, 2025 at 11:25 AM
jannosiim.bsky.social
Our paper with Roberto Parisella and Maiara Bollauf was accepted to CiC. We extend DL <=> CDH reduction by den Boer and Maurer.

In particular, we show that in BLS12-381 n-PDL (Power DL) is equivalent to n-Diffie-Hellman exponent assumption.
eprint.ing.bot ePrint Updates @eprint.ing.bot · Jun 10
Revisiting Discrete Logarithm Reductions (Maiara F. Bollauf, Roberto Parisella, Janno Siim) ia.cr/2025/1079
Abstract. A reduction showing that the hardness of the discrete logarithm (DL) assumption implies the hardness of the computational Diffie-Hellman (CDH) assumption in groups of order p, where p − 1 is smooth, was first presented by den Boer [Crypto, 88].} We also consider groups of prime order p, where p − 1 is somewhat smooth (say, every prime q that divides p − 1 is less than 2¹⁰⁰). Several practically relevant groups satisfy this condition. 1. We present a concretely efficient version of the reduction for such groups. In particular, among practically relevant groups, we obtain the most efficient and tightest reduction in the literature for BLS12-381, showing that DL = CDH. 2. By generalizing the reduction, we show that in these groups the n-Power DL (n-PDL) assumption implies n-Diffie-Hellman Exponent (n-DHE) assumption, where n is polynomial in the security parameter. On the negative side, we show there is no generic reduction, which could demonstrate that n-PDL implies the n-Generalized Diffie-Hellman Exponent (n-GDHE) assumption. This is in stark contrast with the algebraic group model, where this implication holds. Image showing part 2 of abstract.
June 11, 2025 at 2:18 PM
Reposted by Janno Siim
josephhall.org
"Trump scraps Biden software security, AI, post-quantum encryption efforts in new executive order" by @ericjgeller.com www.cybersecuritydive.com/news/trump-c... (updated EO 14144 text using Gemini 2.5 Pro here: docs.google.com/document/d/1... )
Trump scraps Biden software security, AI, post-quantum encryption efforts in new executive order
The White House accused the Biden administration of trying to “sneak problematic and distracting issues into cybersecurity policy.”
www.cybersecuritydive.com
June 7, 2025 at 12:05 PM
Reposted by Janno Siim
helger.bsky.social
New accepted paper at Crypto 2025:
"On Knowledge-Soundness of Plonk in ROM from Falsifiable Assumptions" (Helger Lipmaa, Roberto Parisella, Janno Siim), with ex-students Roberto and @jannosiim.bsky.social (Janno is also now a colleague)
May 5, 2025 at 12:15 PM
Reposted by Janno Siim
matthewdgreen.bsky.social
In other news, Google is deploying age/ID verification based on ZK proofs. blog.google/products/goo...
It’s now easier to prove age and identity with Google Wallet
Learn more about new Google Wallet updates, including new ways to use your digital ID for age and identity verification.
blog.google
May 1, 2025 at 11:02 PM
Reposted by Janno Siim
politico.eu
Europe's most famous technology law, the GDPR, is next on the hit list as the EU pushes ahead with its regulatory killing spree to slash laws it reckons are weighing down its businesses.
Europe’s GDPR privacy law is headed for red tape bonfire within ‘weeks’
Long seen as untouchable in Brussels, the GDPR is next on the list of the EU’s crusade against overregulation.
www.politico.eu
April 3, 2025 at 7:34 AM
jannosiim.bsky.social
Join us in Tartu to work on SNARKs and ZK proofs. 👇

We intend to build a strong ZK research group here + I think it's a really cool place to live and work: virtualtour.ut.ee/en/84-univer...
March 28, 2025 at 11:59 AM
Reposted by Janno Siim
sw17.ch
Just doing some reading about the design of cryptographic protocols.
A screenshot of the Wikipedia page for Alice and Bob, but with all occurrences of "Alice and Bob" replaced with "Hegseth and Waltz".
March 25, 2025 at 1:19 AM
Reposted by Janno Siim
helger.bsky.social
Our group in Tartu (me and
@jannosiim.bsky.social
and some PhD students) have additional openings for a postdoc and a PhD student; see crypto.cs.ut.ee/Main/OpenPos... (iacr.org/jobs link will hopefully be up in a few days). Apply by email to me
Cryptography Research Group
crypto.cs.ut.ee
March 23, 2025 at 10:27 AM
jannosiim.bsky.social
In Sofia
March 23, 2025 at 10:24 AM
Reposted by Janno Siim
proofnerd.bsky.social
The list of accepted talks for ProTeCS 2025 is now online.
We are looking forward to exciting talks about cryptographic proofs and proof techniques. Thanks to everyone who submitted a proposal!

protecs-workshop.gitlab.io/accepted
List of ProTeCS accepted talks - Part 1: - Lazy “Twenty Questions” as a Proof Principle — How a pen-and-paper one-liner becomes an EasyCrypt library (François Dupressoir, University of Bristol) - Is it better or worse (UC-wise) (Saskia Bayreuther, KASTEL Security Research Labs, Karlsruhe Institute of Technology) - Special Soundness of Non-Interactive Polynomial Commitment Schemes (Janno Siim, University of Tartu) - Towards formally verifying the security reductions of the TLS 1.3 key schedule in SSBee (Amirhosein Rajabi, Aalto University) - What can the Algebraic Group Model tell us about proof techniques in the Generic Group Model? (Jake Januzelli, Oregon State University) List of ProTeCS accepted talks - Part 2: - Privacy Proofs for Anonymous Communication Networks (Christoph Coijanovic, Karlsruhe Institute of Technology (KIT)) - Expected (polynomial) time in cryptography (Michael Klooß, Karlsruhe Institute of Technology) - Commit-and-Prove System for Vectors and Applications to Threshold Signing (Cavit Özbay, Hasso Plattner Institute, University of Potsdam) - The Power of Halting in Security Games (Igors Stepanovs) - The Humble Power of the T-tranformation (Hans Heum, Norwegian University of Science and Technology)
March 21, 2025 at 9:05 PM
jannosiim.bsky.social
Excited to read this :)
eprint.ing.bot ePrint Updates @eprint.ing.bot · Mar 21
On Extractability of the KZG Family of Polynomial Commitment Schemes (Juraj Belohorec, Pavel Dvořák, Charlotte Hoffmann, Pavel Hubáček, Kristýna Mašková, Martin Pastyřík) ia.cr/2025/514
Abstract. We present a unifying framework for proving the knowledge-soundness of KZG-like polynomial commitment schemes, encompassing both univariate and multivariate variants. By conceptualizing the proof technique of Lipmaa, Parisella, and Siim for the univariate KZG scheme (EUROCRYPT 2024), we present tools and falsifiable hardness assumptions that permit black-box extraction of the multivariate KZG scheme. Central to our approach is the notion of a canonical Proof-of-Knowledge of a Polynomial (PoKoP) of a polynomial commitment scheme, which we use to capture the extractability notion required in constructions of practical zk-SNARKs. We further present an explicit polynomial decomposition lemma for multivariate polynomials, enabling a more direct analysis of interpolating extractors and bridging the gap between univariate and multivariate commitments. Our results provide the first standard-model proofs of extractability for the multivariate KZG scheme and many of its variants under falsifiable assumptions.
March 21, 2025 at 8:32 AM
Reposted by Janno Siim
drl3c7er.bsky.social
We have extended the submission deadline for the International Workshop on Foundations and Applications of Privacy-Enhancing Cryptography (PrivCrypt) by two weeks to April 4, 2025, AoE. Please help spread the word and consider submitting your work to join us in Munich in Summer 😎
drl3c7er.bsky.social Daniel Slamanig @drl3c7er.bsky.social · Jan 24
We are organising the International Workshop on Foundations and Applications of Privacy-Enhancing Cryptography (PrivCrypt) - co-located with ACNS 2025 end of June in beautiful Munich.

Submission deadline is March 21, 2025 (AoE).

Please help spread the word! 🙏

privcryptworkshop.github.io
PrivCrypt 2025
privcryptworkshop.github.io
March 20, 2025 at 8:12 AM
jannosiim.bsky.social
www.sesame.com/research/cro...

I forgot after one minute that I'm not talking to a human. I guess the movie "Her" is the reality now
March 12, 2025 at 1:21 PM
Reposted by Janno Siim
malb.bsky.social
Together with @kennyog.bsky.social we're organising a meeting at Eurocrypt to discuss how the, let's say, "dramatically changing political landscape" affects cryptography and our community, both domestically in some countries but also internationally eurocrypt.iacr.org/2025/communi...
Wednesday, May 7, 14:30-16:00 (Room TBD): Cryptography in a Changing World: Navigating Geopolitical Uncertainty and Security Risks Join us to discuss what we as a community can and should do in light of a dramatically changing political landscape, both domestically for some of us and internationally for all of us. We don't have ideas to pitch to you, but we think it will be useful to meet and to start a discussion. For more information: Martin Albrecht and Kenny Paterson.
March 11, 2025 at 9:53 AM
Reposted by Janno Siim
borisfouotsa.bsky.social
16th International Conference on Cryptology AFRICACRYPT 2025
July 21-23, 2025 – Rabat, Morocco 🇲🇦

Extended submission deadline in 1 week:
africacrypt2025.sciencesconf.org
Submit your best results !

See you in Rabat 🇲🇦 in July 2025.
16th International Conference on Cryptology, Africacrypt 2025 - Sciencesconf.org
Africacrypt 2025 is organized by the ENSIAS College of Mohammed V University in Rabat with partnership of the General Directorate of Information Systems Security (DGSSI), Morocco.
africacrypt2025.sciencesconf.org
March 3, 2025 at 1:49 PM
Reposted by Janno Siim
fakeiacr.bsky.social
Because of new tariffs, submissions to crypto with a non US author have a 20% reduction to their page limit.
February 4, 2025 at 5:48 AM
jannosiim.bsky.social
Today, I started as a crypto lecturer at the University of Tartu. A new life begins🙂
February 3, 2025 at 12:58 PM
jannosiim.bsky.social
Really cool result following some of the ideas of our EC24 paper with @helger.bsky.social and Roberto
eprint.ing.bot ePrint Updates @eprint.ing.bot · Jan 28
DewTwo: a transparent PCS with quasi-linear prover, logarithmic verifier and 4.5KB proofs from falsifiable assumptions (Benedikt Bünz, Tushar Mopuri, Alireza Shirzad, Sriram Sridhar) ia.cr/2025/129
Abstract. We construct the first polynomial commitment scheme (PCS) that has a transparent setup, quasi-linear prover time, log N verifier time, and log log N proof size, for multilinear polynomials of size N. Concretely, we have the smallest proof size amongst transparent PCS, with proof size less than 4.5KB for N ≤ 2³⁰. We prove that our scheme is secure entirely under falsifiable assumptions about groups of unknown order. The scheme significantly improves on the prior work of Dew (PKC 2023), which has super-cubic prover time and relies on the Generic Group Model (a non-falsifiable assumption). Along the way, we make several contributions that are of independent interest: PoKEMath, a protocol for efficiently proving that an arbitrary predicate over committed integer vectors holds; SIPA, a bulletproofs-style inner product argument in groups of unknown order; we also distill out what prior work required from the Generic Group Model and frame this as a falsifiable assumption.
January 29, 2025 at 11:39 AM
Reposted by Janno Siim
stefanotessaro.bsky.social
I wonder if we can attack more examples where (1) circuits are adaptively chosen by the adversary, and (2) security proof is in the ROM. It always felt like playing with fire (because ROM does not model potential circuit dependence on the hash function), and this work nicely confirms the concern.
eprint.ing.bot ePrint Updates @eprint.ing.bot · Jan 27
How to Prove False Statements: Practical Attacks on Fiat-Shamir (Dmitry Khovratovich, Ron D. Rothblum, Lev Soukhanov) ia.cr/2025/118
Abstract. The Fiat-Shamir (FS) transform is a prolific and powerful technique for compiling public-coin interactive protocols into non-interactive ones. Roughly speaking, the idea is to replace the random coins of the verifier with the evaluations of a complex hash function. The FS transform is known to be sound in the random oracle model (i.e., when the hash function is modeled as a totally random function). However, when instantiating the random oracle using a concrete hash function, there are examples of protocols in which the transformation is not sound. So far all of these examples have been contrived protocols that were specifically designed to fail. In this work we show such an attack for a standard and popular interactive succinct argument, based on the GKR protocol, for verifying the correctness of a non-determinstic bounded-depth computation. For every choice of FS hash function, we show that a corresponding instantiation of this protocol, which was been widely studied in the literature and used also in practice, is not (adaptively) sound when compiled with the FS transform. Specifically, we construct an explicit circuit for which we can generate an accepting proof for a false statement. We further extend our attack and show that for every circuit C and desired output y, we can construct a functionally equivalent circuit C^(*), for which we can produce an accepting proof that C^(*) outputs y (regardless of whether or not this statement is true). This demonstrates that any security guarantee (if such exists) would have to depend on the specific implementation of the circuit C, rather than just its functionality. Lastly, we also demonstrate versions of the attack that violate non-adaptive soundness of the protocol – that is, we generate an attacking circuit that is independent of the underlying cryptographic objects. However, these versions are either less practical (as the attacking circuit has very large depth) or make some additional (reasonable) assumptions on the underlying cryptographic primitives. Image showing part 2 of abstract.
January 27, 2025 at 1:40 PM
jannosiim.bsky.social
The most unlikely mashup
eprint.ing.bot ePrint Updates @eprint.ing.bot · Jan 22
An Introduction to Protein Cryptography (Hayder Tirmazi, Tien Phuoc Tran) ia.cr/2025/089
Abstract. We introduce protein cryptography, a recently proposed method that encodes data into the amino acid sequences of proteins. Unlike traditional digital encryption, this approach relies on the inherent diversity, complexity, and replication resistance of biological macromolecules, making them highly secure against duplication or tampering. The experimental realization of protein cryptography remains an open problem. To accelerate experimental progress in this area, we provide an accessible and self-contained introduction to the fundamentals of cryptography for biologists with limited mathematical and computational backgrounds. Furthermore, we outline a framework for encoding, synthesizing, and decoding information using proteins. By enabling biologists to actively engage in the development of protein cryptography, this work bridges disciplinary boundaries and paves the way for applications in secure data storage.
January 22, 2025 at 11:18 AM