Michele Orrù
@mmaker
μ-almost everywhere
Joined November 2009
Presenting my paper on keyed-verification anonymous credentials at @acm_ccs in Taipei in just a few hours! 🗞️ https://t.co/wEVZ9VdSN2 Exciting to present it in the very same venue where I wrote a big chunk of it while attending @rightscon!
Thrilled to have been invited to College de France for a seminar about zero-knowledge and online anonymity! https://t.co/r3i7w3xaPW
A key takeaway: for 20 years, we’ve relied on a notion called indifferentiability to use random oracles over arbitrary-length spaces—but it’s not sufficient for knowledge soundness.
Thrilled to announce that my latest paper with Alessandro Chiesa has been accepted to TCC, the IACR conference on the theory of cryptography!
cooking some minor revisions before updating the ePrint at
eprint.iacr.org
Keyed-verification anonymous credentials (KVACs) have demonstrated their practicality through large-scale deployments in privacy-critical systems like Signal and Tor. Despite their widespread...
I will talk about my paper on anonymous credentials and designated-verifier KZG in October at ACM CCS 2025 in Taipei!
*sniff* *pulls shirt* You know, this is perfect - *gestures wildly* - this is the ultimate perversity of capitalism at its purest. Here we have Anthropic, this company claiming to build "AI for humanity," and what do they do? They create this digital cocaine, this Claude Code,
We’re rolling out new weekly rate limits for Claude Pro and Max in late August. We estimate they’ll apply to less than 5% of subscribers based on current usage.
Very serious vlog about very serious things Biggest protest to date outside the courthouse in support of Roman Storm
Yesterday, @cathieyun gave a great talk at @ietf 123 on the importance of standardizing Sigma protocols and our ongoing work toward a standard for zero-knowledge proofs! You can watch the talk here: https://t.co/S9uhw8fi3V
The paper is huge — it’s been a journey to nail down a proof. I think it’s a solid step forward in narrowing down Fiat-Shamir attacks and characterizing the concrete security of ZKPs. It’s also been really helpful in shaping what a standard for Fiat-Shamir should look like.
We updated our paper on Fiat-Shamir! We now take a closer look at the gap between what symmetric cryptography has focused on for over 10 years (indifferentiability) and what is actually needed for the soundness of ZKPs and SNARKs (something stronger!). https://t.co/uifvzYU0Sf
eprint.iacr.org
We analyze a variant of the Fiat–Shamir transformation based on an ideal permutation. The transformation relies on the popular duplex sponge paradigm, and minimizes the number of calls to the...
As the encrypted conversation shifts from "is it encrypted or not" to more modern techniques requiring refined reasoning, how do we help engineers and policy makers understand intricate security notions?
I've thought a lot of the inherent politics embedded in the APIs we design, and is a perfect example.
Anonymous tokens with hidden metadata are anonymous digital certificates with an "encrypted metadata" field. In our paper, this field is hardcoded to have length 1. If you put n bits, you can partition the anonymity set into 2^n slices.
Excited to see Apple and Google create an Internet Draft for a primitive I co-invented. A bit less excited to see the API reframed to make it possible to void any reasonable privacy guarantee. https://t.co/S1BRPZ3lT4
We prevent this in two places: 1) If you don't include a prover message in the Fiat-Shamir transformation, it won't be incorporated into the (NI) proof string. 2) When declaring the domain separator, you must explicitly specify which messages the interactive protocol transmits.
The bug is fixed in https://t.co/RFaHQOtAAq and boils down to the developer forgetting to include the sumcheck prover messages in the Fiat-Shamir transformation
github.com
…backport of #5883) (#5884) ZK Fix - hash the scalar proof components into the transcript (#5883) * hash the scalar proof components into the transcript to derive `w` * hash the scalar proof com...