Nico
LightNews LightNews
nicomnbl.bsky.social
Nico
@nicomnbl.bsky.social
290 followers 160 following 51 posts
picious until proven otherwise.

Cryptography research and auditing at zkSecurity. Recurring co-host on the ZKPodcast.

Troubadour at HMLTD. ♟ 1. b3.

nmohnblatt.github.io
Posts Replies Media Videos
nicomnbl.bsky.social
Also wrote a blog post that explains the proof in a shorter format and with less formality

blog.zksecurity.xyz/posts/fri-se...
October 30, 2025 at 3:24 PM
nicomnbl.bsky.social
Trying to reduce some headaches!
eprint.ing.bot ePrint Updates @eprint.ing.bot · 16d
A Simplified Round-by-round Soundness Proof of FRI (Albert Garreta, Nicolas Mohnblatt, Benedikt Wagner) ia.cr/2025/1993
Abstract. The FRI protocol (ICALP ’18) is one of the most influential and widely deployed building blocks at the core of modern SNARK systems. While its concrete security is well understood, existing security proofs are intricate and technically complex. In this work, we present a significantly simpler security analysis of FRI, in particular its round-by-round soundness. Our approach is more accessible to a broader audience, lowering the barrier to understanding this fundamental protocol. Furthermore, the simplicity of our analysis may pave the way for future formal verification efforts of modern SNARK constructions.
October 30, 2025 at 1:24 PM
Reposted by Nico
zkhack.dev
It’s time to reveal the ZK Whiteboard S3 Module 1... because it's LIVE!

🥁🥁🥁🥁

How to Build Hash Functions, with Jean-Philippe (JP) Aumasson @aumasson.jp & @nicomnbl.bsky.social

Watch the full module here: zkhack.dev/whiteboard/s...
September 3, 2025 at 8:08 AM
Reposted by Nico
niixarts.bsky.social
Time has changed
August 1, 2025 at 8:15 AM
Reposted by Nico
zkhack.dev
The ZK Podcast released an episode on local-first software this week!

@arro.bsky.social and @nicomnbl.bsky.social chat w @grjte.sh & @goblinoats.com about the foundations of local-first architecture, CRDTs and how ZK can be incorporated into these models.

zeroknowledge.fm/podcast/367/
Local-First with grjte and Goblin Oats - ZK PODCAST
In this episode, Anna Rose and Nico Mohnblatt speak with Goblin Oats from Tonk and grjte from Bain Capital Crypto […]
zeroknowledge.fm
July 10, 2025 at 4:49 PM
Reposted by Nico
kohweijie.com
2/ As such, I wrote a research note to help cryptography engineers fully understand both techniques: baincapitalcrypto.com/a-deep-dive-...
A Deep Dive into Logjumps: a Faster Modular Reduction Algorithm
Logjumps is a recently discovered technique for modular reduction over large prime fields.
baincapitalcrypto.com
June 11, 2025 at 12:40 AM
Reposted by Nico
cknabs.bsky.social
I'm happy to finally open-source lattirust, a library for lattice-based zero-knowledge/succinct arguments! Lattirust is somewhat like arkworks, but for lattices; and like lattigo, but for arguments.

github.com/lattirust
lattirust
Lattice zero-knowledge/succinct arguments, and more - lattirust
github.com
May 20, 2025 at 2:55 PM
nicomnbl.bsky.social
I wrote a thing on my colleagues Andrija and Guille's latest work
May 9, 2025 at 4:09 PM
nicomnbl.bsky.social
Story of the ZK whiteboard series S2! The grant that supported it, how we came up with the topics, participation of our esteemed speakers, some crazy editing and how the bonus modules came to be
zkhack.dev ZK Hack @zkhack.dev · Mar 3
🎬 ZKWS S2: The Full Journey 🎬

How did the second season of ZK Whiteboard Sessions come to life – a thread.

TLDR: Check out the 8-module series on YouTube (link in bio), and the "FRI edition" Study Group starting on Tuesday March 4 on ZK Hack Discord (link in bio)!

🧵👇
March 3, 2025 at 6:49 PM
nicomnbl.bsky.social
from the archive: Or Sattath came on the ZKPodcast to discuss quantum computing and its impact on cryptography. These two are some of my 𝐟𝐚𝐯𝐨𝐮𝐫𝐢𝐭𝐞 episodes of the show.

Part 1 covers the computation model, why it breaks some cryptography and effects on mining

zeroknowledge.fm/podcast/288/

1/2
February 26, 2025 at 3:20 PM
nicomnbl.bsky.social
A step towards fixing the recent attack on a Fiat-Shamir'd variant of GKR.

Tl;dr: do proof-of-work before deriving the FS challenge, this will make the hash prohibitively expensive to compute in-circuit.

Caveat: they only prove the security of their transform for 1-round protocols
eprint.ing.bot ePrint Updates @eprint.ing.bot · Feb 25
Towards a White-Box Secure Fiat-Shamir Transformation (Gal Arnon, Eylon Yogev) ia.cr/2025/329
Abstract. The Fiat–Shamir transformation is a fundamental cryptographic technique widely used to convert public-coin interactive protocols into non-interactive ones. This transformation is crucial in both theoretical and practical applications, particularly in the construction of succinct non-interactive arguments (SNARKs). While its security is well-established in the random oracle model, practical implementations replace the random oracle with a concrete hash function, where security is merely assumed to carry over. A growing body of work has given theoretical examples of protocols that remain secure under the Fiat–Shamir transformation in the random oracle model but become insecure when instantiated with any white-box implementation of the hash function. Recent research has shown how these attacks can be applied to natural cryptographic schemes, including real-world systems. These attacks rely on a general diagonalization technique, where the protocol exploits its access to the white-box implementation of the hash function. These attacks cast serious doubt on the security of cryptographic systems deployed in practice today, leaving their soundness uncertain. We propose a new Fiat–Shamir transformation (XFS) that aims to defend against broad family of attacks, including the white-box attacks mentioned above. Our approach is designed to be practical, with minimal impact on the efficiency of the prover and verifier and on the proof length. At a high level, our transformation combines the standard Fiat–Shamir technique with a new type of proof-of-work that we construct. We provide strong evidence for the security of our transformation by proving its security in a relativized random oracle model. Specifically, we show that diagonalization attacks on the standard Fiat–Shamir transformation can be mapped to analogous attacks within this model, meaning they do not rely on a concrete instantiation of the random oracle. In contrast, we prove unconditionally that our XFS variant of the Fiat–Shamir transformation remains secure within this model. Consequently, any successful attack on XFS must deviate from known techniques and exploit aspects not captured by our model. We hope that our transformation will help preserve the security of systems relying on the Fiat–Shamir transformation. Image showing part 2 of abstract. Image showing part 3 of abstract.
February 25, 2025 at 4:01 PM
nicomnbl.bsky.social
sigh
February 23, 2025 at 1:20 AM
nicomnbl.bsky.social
Terrible news
matthewdgreen.bsky.social Matthew Green @matthewdgreen.bsky.social · Feb 21
New public statement from Apple:

“As of Friday, February 21, Apple can no longer offer Advanced Data Protection as a feature to new users in the UK.”
February 21, 2025 at 4:31 PM
nicomnbl.bsky.social
Sublinear prover?!?! Incredible result!
eprint.ing.bot ePrint Updates @eprint.ing.bot · Feb 17
On the Power of Polynomial Preprocessing: Proving Computations in Sublinear Time, and More (Matteo Campanelli, Mario Carrillo, Ignacio Cascudo, Dario Fiore, Danilo Francati, Rosario Gennaro) ia.cr/2025/238
Abstract. Cryptographic proof systems enable a verifier to be convinced of of a computation’s correctness without re-executing it; common efficiency requirements include both succinct proofs and fast verification. In this work we put forth the general study of cryptographic proof systems with sublinear proving time (after a preprocessing). Prior work has achieved sublinear proving only for limited computational settings (e.g., vector commitments and lookup arguments), relying on specific assumptions or through non-black-box use of cryptographic primitives. In this work we lift many of these limitations through the systematic study of a specific object: polynomial commitments (PC) with sublinear proving time, a choice motivated by the crucial role that PC play in the design of efficient cryptographic schemes. Our main result is a simple construction of a PC with sublinear prover based on any vector commitment scheme (VC) and any preprocessing technique for fast polynomial evaluation. We prove that this PC satisfies evaluation binding, which is the standard security notion for PC, and show how to expand our construction to achieve the stronger notion of knowledge soundness (extractability). The first application of our result is a construction of “index-efficient” SNARKs meaning that the prover is sublinear, after preprocessing, in the size of the index (i.e., the NP-relation describing the proven statement). Our main technical contribution is a method to transform a class of standard Polynomial Interactive Oracle Proofs (PIOPs) into index-efficient PIOPs. Our construction of index-efficient SNARKs makes black-box use of such index-efficient PIOPs and a PC with sublinear prover. As a corollary, this yields the first lookup argument for unstructured tables in which the prover is sublinear in the size of the table, while making only black-box use of a VC and thus allowing instantiations from generic assumptions such as collision-resistant hash functions. Prior lookup arguments with sublinear provers were only known with non-black-box use of cryptographic primitives, or from pairings. Finally, our last application is a transformation that builds UC-secure SNARKs from simulation-extractable ones, with an approximately linear overhead in proving time (as opposed to quadratic in prior work). Image showing part 2 of abstract. Image showing part 3 of abstract.
February 17, 2025 at 6:52 AM
Reposted by Nico
matthewdgreen.bsky.social
Look folks. I want BlueSky to succeed, because we need an alternative to X. I also know this is an insane time. But if we want to create a usable alternative, people are going to have to start posting occasionally about something else.
January 30, 2025 at 11:27 PM
nicomnbl.bsky.social
These two lectures by @danboneh.bsky.social for @zkhack.bsky.social are the best explanation of IOPPs, FRI and its variants by a country mile. Cannot recommend them enough

zkhack.dev/whiteboard/s...
zkhack.dev/whiteboard/s...
January 29, 2025 at 12:50 PM
nicomnbl.bsky.social
programmable* cryptography

* programming difficulty may vary, developer discretion is advised.
January 27, 2025 at 7:01 PM
Reposted by Nico
kohweijie.com
Want to send crypto to Bluesky users? It's possible!

Their keypairs are for the secp256k1 curve, which Ethereum also uses. That means you can derive an ETH address from their publicly accessible signing keys.
January 24, 2025 at 3:31 AM
nicomnbl.bsky.social
oh hello @zkhack.bsky.social 👀👀
January 23, 2025 at 12:58 AM
nicomnbl.bsky.social
Straight to the reading list!
eprint.ing.bot ePrint Updates @eprint.ing.bot · Jan 8
How to use your brain for cryptography without trustworthy machines (Wakaha Ogata, Toi Tomita, Kenta Takahashi, Masakatsu Nishigaki) ia.cr/2025/026
Abstract. In this work, we study cryptosystems that can be executed securely without fully trusting all machines, but only trusting the user’s brain. This paper focuses on signature scheme. We first introduce a new concept called “server-aided in-brain signature,’’ which is a cryptographic protocol between a human brain and multiple servers to sign a message securely even if the user’s device and servers are not completely trusted. Second, we propose a concrete scheme that is secure against mobile hackers in servers and malware infecting user’s devices.
January 9, 2025 at 4:04 PM
Reposted by Nico
eprint.ing.bot
ZODA: Zero-Overhead Data Availability (Alex Evans, Nicolas Mohnblatt, Guillermo Angeris) ia.cr/2025/034
Abstract. We introduce ZODA, short for ‘zero-overhead data availability,’ which is a protocol for proving that symbols received from an encoding (for tensor codes) were correctly constructed. ZODA has optimal overhead for both the encoder and the samplers. Concretely, the ZODA scheme incurs essentially no incremental costs (in either computation or size) beyond those of the tensor encoding itself. In particular, we show that a slight modification to the encoding scheme for tensor codes allows sampled rows and columns of this modified encoding to become proofs of their own correctness. When used as part of a data availability sampling protocol, both encoders (who encode some data using a tensor code with some slight modifications) and samplers (who sample symbols from the purported encoding and verify that these samples are correctly encoded) incur no incremental communication costs and only small additional computational costs over having done the original tensor encoding. ZODA additionally requires no trusted setup and is plausibly post-quantum secure.
January 9, 2025 at 3:04 PM
nicomnbl.bsky.social
mobile proving ftw
 Pratyush Mishra @zkproofs.bsky.social · Dec 7
Excited to share our new work, Scribe!
Scribe is a new low-memory SNARK that is able to prove arbitrarily-large circuits while using minimal memory.
Joint work with my excellent student coauthors Anubhav, Tushar, Karan, and Steve. (1/4)

Link: eprint.iacr.org/2024/1970
Title of the paper: Scribe: Low-memory SNARKs via Read-Write Streaming
December 8, 2024 at 2:40 AM
nicomnbl.bsky.social
if someone tells you “succinct proofs are too short to leak information about the witness”, please send them this. The ZK property is not just a cool acronym.

baincapitalcrypto.com/chosen-insta...

This was also the theme of the "Zeitgeist" puzzle at ZK Hack 5!
December 4, 2024 at 6:39 PM
nicomnbl.bsky.social
New work!
December 4, 2024 at 12:25 AM
nicomnbl.bsky.social
These are incredible asymptotics! Has anyone looked into it / confirmed the result?
eprint.ing.bot ePrint Updates @eprint.ing.bot · Dec 2
LiLAC: Linear Prover, Logarithmic Verifier and Field-agnostic Multilinear Polynomial Commitment Scheme (Kyeongtae Lee, Seongho Park, Byeongjun Jang, Jihye Kim, Hyunok Oh) ia.cr/2024/1943
Abstract. In this paper, we propose LiLAC, a novel field-agnostic, transparent multilinear polynomial commitment scheme (MLPCS) designed to address key challenges in polynomial commitment systems. For a polynomial with N coefficients, LiLAC achieves 𝒪(N) prover time, 𝒪(logN) verifier time, and 𝒪(logN) proof size, overcoming the limitations of 𝒪(log²N) verification time and proof size without any increase in other costs. This is achieved through an optimized polynomial commitment strategy and the recursive application of the tensor IOPP, making LiLAC both theoretically optimal and practical for large-scale applications. Furthermore, LiLAC offers post-quantum security, providing robust protection against future quantum computing threats. We propose two constructions of LiLAC: a field-agnostic LiLAC and a field-specific LiLAC. Each construction demonstrates superior performance compared to the state-of-the-art techniques in their respective categories of MLPCS. First, the field-agnostic LiLAC is compared against Brakedown (CRYPTO 2023), which is based on a tensor IOP and satisfies field-agnosticity. In experiments conducted over a 128-bit field with a coefficient size of 2³⁰, the field-agnostic LiLAC achieves a proof size that is 3.7× smaller and a verification speed that is 2.2× faster, while maintaining a similar proof generation time compared to Brakedown. Furthermore, the field-specific LiLAC is evaluated against WHIR (ePrint 2024/1586), which is based on an FRI. With a 128-bit field and a coefficient size of 2³⁰, the field-specific LiLAC achieves a proof generation speed that is 2.8× faster, a proof size that is 27% smaller, and a verification speed that is 14% faster compared to WHIR. Image showing part 2 of abstract.
December 3, 2024 at 8:35 PM