Binyi Chen
binyi.bsky.social
In sum, this means (i) more efficient folding SNARKs (no heavy hash-gadget proofs), (ii) better security (no FS-in-circuit hacks), and (iii) a new paradigm for more scalable post-quantum succinct proofs.
October 17, 2025 at 5:24 PM
We diverge from recursive folding and propose
(i) a lattice folding scheme that folds thousands of statements in one shot. So folding depth 1-2 is enough for most use cases;
(ii) a framework to turn any group or lattice folding schemes into SNARKs without embedding FS circuits.
October 17, 2025 at 5:24 PM
A recent groundbreaking attack (eprint.iacr.org/2025/118.pdf) shows that proving FS inside SNARK circuits might be risky. Worse still, hashes are expensive to prove, and an efficiency bottleneck of existing folding-based IVC/PCD is indeed the overhead for proving hash computations.
October 17, 2025 at 5:24 PM
Typical folding-based SNARKs rely on recursive folding: each step verifies the correctness of the previous step by running a folding verifier. However, folding verifiers are made non-interactive via Fiat-Shamir. So you must prove the hash computations of FS inside the circuit.
October 17, 2025 at 5:24 PM