As the encrypted conversation shifts from "is it encrypted or not" to more modern techniques requiring refined reasoning, how do we help engineers and policy makers understand intricate security notions?.

I've thought a lot of the inherent politics embedded in the APIs we design, and is a perfect example.

Anonymous tokens with hidden metadata are anonymous digital certificates with an "encrypted metadata" field. In our paper, this field is hardcoded to have length 1. If you put n bits, you can partition the anonymity set into 2^n slices.

Excited to see Apple and Google create an Internet Draft for a primitive I co-invented. A bit less excited to see the API reframed to make it possible to void any reasonable privacy guarantee.

We prevent this in two places: .1) If you don't include a prover message in the Fiat-Shamir transformation, it won't be incorporated into the (NI) proof string. 2) When declaring the domain separator, you must explicitly specify which messages the interactive protocol transmits.

The bug is fixed in .and boils down to the developer forgetting to include the sumcheck prover messages in the Fiat-Shamir transformation.

SpongeFiSh, which superseeds Merlin, would have prevented this Solana bug! 🧽🐟

Eurocrypt! Tomorrow I’ll be speaking at a few workshops in Madrid:. 9:45 AM at — on anonymous credentials. 11:00 AM at — on ideal permutations and zk proofs. 4:35 PM back at — in a chat with Carmela.

"Beyond the Circuit" was accepted at IACR's Communications in Cryptology! It contains a few simple protocols for simplifying foreign arithmetic in zero-knowledge proofs. Formally we introduce "Σ-reductions": "Σ-protocols" with "reductions of knowledge". 🗞️

RT @OpenObservatory: We are excited to share that we are designing & implementing anonymous credentials within OONI Probe to protect and in….

RT @lorenzofb: Italy, once again, being one of the wildest places in the world in terms of hacking stories.

new paper on anonymous credentials is out!

RT @it4sec: MIFARE Classic (FM11RF08S) cards have been found to be backdoored by the manufacturer, allowing all user-defined keys to be dum….

RT @bpreneel1: Three decades after Shor's breakthrough paper, NIST has posted the first post-quantum cryptographic FIPS standards .203: ML-….

I was invited again to talk at NIST! this time about boring cryptography (still zkps tho) .🗓️ Wednesday, July 24⋅4:00 – 5:00pm CEST.

RT @IRIF_Paris: [📢 We are hiring - Postdoc position]. We invite applications for several fully-funded postdoctoral positions (1-2 years) to….

RT @m2magician: We just released @arkworks_rs v0.5.0-alpha!. If you're using arkworks in your project, consider upgrading and giving us ear….

@StefanoMTessaro ughhh apologies everyone. it's obviously @ChenzhiZhu5.

Oblivious Issuance of Proofs will be at CRYPTO this year 🎉.This was joint work with @StefanoMTessaro, @ChenziZhu5, and Greg Zaverucha!

Did a review for Securedrop, the whistleblowing system used by Forbes, New York Times, The Guardian, Al Jazeera and more !.