Daily Digest
Carmon et al. propose S-two, a circle STARK over the Mersenne prime field. The paper formalizes the flat AIR circuit model and gives an in-depth security analysis of its proof of proximity, highlighting the role of cross-domain correlated agreement.
Key Points:
- S-two is a circle STARK implementation over the Mersenne prime field (modulus p = 2^31 - 1)
- Formalizes the flat AIR circuit model, the arithmetization paradigm commonly used by modern ZK virtual machines
- Provides an in-depth security analysis of the proof of proximity for flat AIRs, with particular attention to bounding the soundness error of multi-table proofs
- Highlights the importance of the notion of cross-domain correlated agreement for multi-table proofs
- Shows that multi-table circle FRI satisfies this notion up to the Johnson bound
- Discusses two plausible conjectures on the list-decodability and line-decodability of Reed-Solomon codes
Yang et al. present a systematization of knowledge on zkVMs, decomposing them into ISA, VM and proving layers, and evaluate representative systems for performance, scalability and usability.
Key Points:
- zkVMs are key infrastructure for proving the correctness of program execution and are widely used in blockchain rollups, privacy-preserving ML and off-chain computation
- Existing zkVMs differ in instruction formats, execution-trace layouts and proving backends, which makes the relationships between systems hard to understand
- Proposes a three-layer decomposition: the ISA layer defines instruction semantics, the VM layer captures program execution, and the proving layer generates the final proof
- Uses this framework for a comprehensive experimental evaluation of representative zkVMs, analyzing how design choices affect performance, scalability and usability
- Summarizes key observations and outlines potential directions for zkVM design and implementation
- Bridges the gap between theory and practice, offering a reference for the standardization and optimization of zkVMs
Yin et al. propose a human-extractable ZK proof of knowledge (HE-ZKPoK) protocol that uses CAPTCHA puzzles to defend against Dark DAO vote-buying attacks without specialized hardware.
Key Points:
- A Dark DAO uses MPC or a TEE to encumber keys, enabling automated vote-buying that attacks the inalienable authentication remote e-voting relies on
- Existing defenses rely on TEEs or ASICs and are hard to deploy on a blockchain
- HE-ZKPoK forces the prover to solve human-extractable CAPTCHA puzzles and complete a standard ZKPoK
- Any human can extract the witness merely by looking at the prover's CAPTCHA queries and the associated puzzles
- Assuming humans cannot encumber secrets, a voter who sells a vote fully exposes their private key, which deters vote-buying
- Provides a hardware-free alternative defense against Dark DAOs
@powdr_labs has open-sourced powdr-wasm, a zkVM optimized for WASM built on @openvm_org and the crush ISA. Early benchmarks show 1.5x fewer trace cells and faster proof times than RISC-V (OpenVM), and Go guests are supported via WASI.
Key Points:
- powdr-wasm is a zkVM optimized for WASM, built on OpenVM and the crush ISA
- Early benchmarks show 1.5x fewer trace cells and faster proof times than RISC-V (OpenVM)
- Supports Go guests via WASI, expanding zkVM use cases
- Aims to improve the performance and efficiency of zkVMs in WASM environments
- The open-source release enables community involvement and further optimization
- Combines WASM and ZKP technology to advance zero-knowledge proofs in the WebAssembly ecosystem
Davide Crapis and Vitalik Buterin discuss a ZK API usage-credit protocol in a blog post, addressing privacy, security and efficiency in API metering, especially for LLM inference.
Key Points:
- API metering struggles to balance privacy, security and efficiency; traditional Web2 authentication and on-chain payments each fall short
- Uses RLN (Rate-Limiting Nullifiers) for anonymous deposits and anti-abuse, preventing spam and double-spending
- Supports variable-cost APIs: users demonstrate solvency via refund tickets and ZK proofs while keeping their balance private
- Dual staking enforces policy: a server can penalize a policy violation but cannot profit from it, improving transparency
- Explores homomorphic encryption to optimize refund accumulation and simplify client-side data and the ZK circuit
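The anti-abuse mechanism behind RLN, as an added toy example that is not code from the blog post or from any RLN library: the user's identity secret is the intercept of a per-epoch line, every request reveals one point on that line, and a second request in the same epoch hands the server two points and therefore the secret (and with it the deposit). The ZK membership proof that ties a share to a registered identity commitment is omitted, SHA-256 stands in for the Poseidon hash real RLN uses, and the field is the 31-bit Mersenne prime; all three are assumptions made for readability.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Field modulus for the toy; the Mersenne prime 2^31 - 1 keeps the arithmetic readable.
P = 2**31 - 1

def hash_to_field(*parts: int) -> int:
    """SHA-256 stand-in for the Poseidon hash real RLN deployments use (assumption)."""
    data = b"".join(int(x).to_bytes(32, "big") for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def rln_share(a0: int, external_nullifier: int, message: bytes) -> Dict[str, int]:
    """Produce the RLN share a user attaches to one request.

    a0 is the user's long-term identity secret (what a deposit is tied to).
    a1 = H(a0, external_nullifier) is a per-epoch slope, so each epoch defines a fresh
    line y = a0 + a1 * x; the share reveals one point of that line at x = H(message).
    The nullifier H(a1) lets the server spot two shares from the same line without learning a0.
    """
    a1 = hash_to_field(a0, external_nullifier)
    x = int.from_bytes(hashlib.sha256(message).digest(), "big") % P
    y = (a0 + a1 * x) % P
    return {"x": x, "y": y, "nullifier": hash_to_field(a1), "epoch": external_nullifier}

def recover_secret(s1: Dict[str, int], s2: Dict[str, int]) -> Optional[int]:
    """Two distinct points on the same line determine it: interpolate the slope and
    return the intercept a0. Returns None if the shares are not from the same line."""
    if s1["nullifier"] != s2["nullifier"] or s1["x"] == s2["x"]:
        return None
    a1 = (s2["y"] - s1["y"]) * pow((s2["x"] - s1["x"]) % P, -1, P) % P
    return (s1["y"] - a1 * s1["x"]) % P

class EpochRateLimiter:
    """Server side: one request per identity per epoch; a second one is slashable."""

    def __init__(self) -> None:
        self.seen: Dict[int, Dict[str, int]] = {}

    def submit(self, share: Dict[str, int]) -> Tuple[str, Optional[int]]:
        key = share["nullifier"]
        if key in self.seen:
            # Second share on the same line: anyone holding both points extracts a0
            # and can claim the deposit bound to it.
            return ("SLASH", recover_secret(self.seen[key], share))
        self.seen[key] = share
        return ("OK", None)
```

A single share leaks nothing beyond one point of a line whose slope changes every epoch, which is why the server can rate-limit without identifying the client; the leak is triggered only by the client's own double use. In a real deployment the server would additionally require a ZK proof that (x, y, nullifier) are consistent with a deposited identity commitment, which the toy takes on trust.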
Bootle et al. propose ring-based lookup arguments, extending the Plookup and LogUp protocols to rings and applying them to batch verification of RAM programs, which resolves a compatibility problem for post-quantum schemes.
Key Points:
- Existing lookup arguments are designed over fields and are incompatible with ring-based post-quantum lattice schemes
- Translating field techniques to rings raises systematic security issues; some known arguments are vulnerable
- Extends the Plookup and LogUp polynomial IOPs to the ring R = Z_q[X]/(X^d + 1)
- Combines them with lattice-based polynomial commitments to obtain succinct lattice-based lookup arguments
- Applies ring lookups to batch verification of RAM updates with arbitrary ring elements
- Provides key components for post-quantum ZK proof systems and improves efficiency for arithmetization-unfriendly operations
Robin Salen announced a new Plonky3 release with faster lookups, high-arity folding, N-ary Merkle trees and Merkle caps, Poseidon2 optimizations and Poseidon1 support.
Key Points:
- New Plonky3 release, described as the most impactful and ambitious so far
- Includes much faster lookups for better overall performance
- Introduces high-arity folding to optimize proof generation
- Supports N-ary Merkle trees and Merkle caps
- Major optimizations for Poseidon2, plus Poseidon1 support
- Further improvements are included; a detailed breakdown is to follow
@MatteoMer released Zolt, an open-source zkVM prover written in Zig that generates proofs verifiable by the a16z/jolt verifier, with zero dependencies and all cryptography implemented from scratch.
Key Points:
- Zolt is experimental and unaudited; not for production use
- Generates ZK proofs for RISC-V ELF binaries that verify against the upstream Jolt verifier
- Zero dependencies and no FFI; all cryptography (field arithmetic, pairings, MSM, polynomial commitments) is implemented on the Zig standard library
- The CLI covers proof generation, emulator runs and example programs (e.g. Fibonacci, prime counting)
- Benchmarks show it faster than Jolt (Rust) on some programs but slower on complex ones such as prime counting
- Clear project structure with modules for field arithmetic, polynomial commitments, Sumcheck, etc., which helps extensibility and auditing
Frolov et al. propose Icefish, the first systematic study of zk-SNARKs for verifiable genomics. It covers building blocks such as sequence alignment and explores two end-to-end applications: verifiable GWAS and CRISPR eligibility verification.
Key Points:
- First systematic study of zk-SNARKs for verifiable genomics, filling a gap in the field
- Develops zero-knowledge proofs for sequence alignment that are 30x faster than prior art
- Implements verifiable GWAS that ensures data integrity and computational correctness with under 20 minutes of proving time
- Proposes a new zk-SNARK use case in gene engineering (e.g. CRISPR): verifying therapy eligibility without revealing the DNA sequence
- Designs storage-efficient indexes for large-scale genomic data that asymptotically reduce storage cost
- Focuses on the privacy and verification needs of genomic data, a highly sensitive class of information
Deegan et al. propose two post-quantum HD wallet constructions that recover BIP32's public-key derivation functionality under lattice assumptions, one using ML-DSA and one using Raccoon-G.
Key Points:
- Two post-quantum HD wallet constructions recover BIP32 public-key derivation under lattice assumptions
- The first uses ML-DSA for hardened derivation, with proofs of unlinkability and unforgeability
- The second uses a Raccoon-G variant that enables non-hardened public-key derivation via Gaussian-distributed secrets
- Raccoon-G is modified to publish full, unrounded public keys so that linearity is preserved
- Unlinkability and unforgeability are proved under standard lattice assumptions
- Introduces a method for generating rerandomizable Raccoon-G key pairs from fixed randomness
Tshuva et al. propose collaborative incrementally verifiable computation, which lets multiple parties jointly update a succinct proof during a streaming computation with significantly lower memory and communication overhead.
Key Points:
- Existing collaborative zkSNARKs suffer from high memory and communication overhead and lack updatability
- The new scheme lets multiple parties jointly update the proof at each step of a streaming computation instead of recomputing from scratch
- Constant communication overhead per step (given a broadcast channel), with memory that scales with a single step
- Applicable to privacy-preserving healthcare data aggregation, private audits and jointly trained ML models
- Combines IVC, folding and MPC techniques to improve efficiency on large-scale datasets
- Breaks the scalability barriers of existing collaborative proofs, enabling practical deployment
Himanshu Sheoran and Valter Wik expose security flaws in six zkVM systems caused by claim data that is never absorbed into the Fiat-Shamir transcript. The flaws let an attacker bypass cryptographic verification and prove mathematically impossible statements.
Key Points:
- The flaws arise from claim data such as claimed_sum and opening_claim not being bound into the Fiat-Shamir transcript, so the derived challenges are independent of those values
- An attacker who knows the challenges in advance can solve linear equations for the unbound values and pass verification for an invalid execution
- Affected systems: Jolt, Nexus, Cairo-M, Ceno, Expander and Binius64
- In a blockchain setting this could be used to create assets out of thin air
- The fix is to absorb every value that affects verification into the transcript before the corresponding challenge is generated
- Jolt was fixed via PR #981 on Oct 3, 2025; the status of the other systems is unclear
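The unbound-claim failure pattern reduced to its smallest instance, as an added example that is not the authors' proof of concept and not code from any of the affected systems: a verifier batches two evaluation claims with a random coefficient rho drawn from the Fiat-Shamir transcript. If the claimed values are not absorbed before rho is drawn, the prover knows rho in advance and can solve the one linear verification equation for a claim that is false. Commitments are modelled as hashes, the batched opening as a value the verifier computes from the polynomials themselves (a stand-in for a sound opening proof of the combined polynomial), and the field is the 31-bit Mersenne prime; all of this is assumption, not the layout of any listed system.

```python
import hashlib
from typing import List, Tuple

P = 2**31 - 1  # Mersenne prime field (assumption; chosen for readability)

def poly_eval(coeffs: List[int], z: int) -> int:
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * z + c) % P
    return acc

def commit(coeffs: List[int]) -> bytes:
    """Stand-in commitment: a hash of the coefficients (assumption; a real system uses a PCS)."""
    return hashlib.sha256(b"".join(c.to_bytes(8, "big") for c in coeffs)).digest()

class Transcript:
    """Minimal Fiat-Shamir transcript: challenges are hashes of everything absorbed so far."""
    def __init__(self, domain: bytes) -> None:
        self.state = hashlib.sha256(domain).digest()
    def absorb(self, label: bytes, data: bytes) -> None:
        self.state = hashlib.sha256(self.state + label + data).digest()
    def absorb_field(self, label: bytes, x: int) -> None:
        self.absorb(label, (x % P).to_bytes(8, "big"))
    def challenge(self, label: bytes) -> int:
        self.absorb(b"challenge", label)
        return int.from_bytes(self.state, "big") % P

def _combined_value(f1: List[int], f2: List[int], z: int, rho: int) -> int:
    """What a sound opening proof of f1 + rho*f2 at z would convince the verifier of.
    It is fixed by the commitments; the prover cannot steer it."""
    return (poly_eval(f1, z) + rho * poly_eval(f2, z)) % P

def verify_batched_opening(f1, f2, z: int, v1: int, v2: int, bind_claims: bool) -> bool:
    """Check the claims f1(z) = v1 and f2(z) = v2 via one random linear combination.
    bind_claims=False reproduces the bug class: rho does not depend on v1, v2."""
    t = Transcript(b"batched-opening")
    t.absorb(b"c1", commit(f1)); t.absorb(b"c2", commit(f2)); t.absorb_field(b"z", z)
    if bind_claims:
        t.absorb_field(b"v1", v1); t.absorb_field(b"v2", v2)
    rho = t.challenge(b"rho")
    return (v1 + rho * v2) % P == _combined_value(f1, f2, z, rho)

def forge_claims(f1, f2, z: int, v1_false: int) -> Tuple[int, int]:
    """Attacker against the unbound verifier: replay the transcript without the claims to
    learn rho ahead of time, then solve v1_false + rho*v2 = w for v2 (one linear equation)."""
    t = Transcript(b"batched-opening")
    t.absorb(b"c1", commit(f1)); t.absorb(b"c2", commit(f2)); t.absorb_field(b"z", z)
    rho = t.challenge(b"rho")
    w = _combined_value(f1, f2, z, rho)
    v2 = (w - v1_false) * pow(rho, -1, P) % P
    return v1_false, v2
```

Once v1 and v2 are absorbed before rho is drawn, changing either claim changes rho, so the attacker faces v1' + rho(v1', v2)·v2 = f1(z) + rho(v1', v2)·f2(z), which is no longer linear in anything the attacker controls; the only remaining strategy is grinding, roughly 2^31 attempts in this toy field and infeasible at production field sizes. The same reasoning covers claimed_sum in a sumcheck: the final check is a linear relation between the claim and the round polynomials, and it is exploitable exactly when the challenges do not depend on the claim.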
@zkSecurity analyzes two recent ZK circuit exploits in a blog post, attributing both to a Groth16 verifier setup error: a missing Phase 2 contribution leaves the γ and δ parameters of the verification key identical, which enables proof forgery.
Key Points:
- Both exploits stem from a Groth16 verifier setup error with snarkjs, where a missing Phase 2 contribution leaves the γ and δ parameters identical
- Losses of roughly $1.5M and 5 ETH; the bugs were found by white-hat hackers, pre-empting malicious attacks
- Root cause: snarkjs sets γ and δ to the same generator point when initializing the zkey
- A Phase 2 contribution is required to randomize δ
- Developers often overlook simple mistakes while focusing on the complex parts
- ZK DSLs are easy to misuse and lack foundational tooling support
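Why identical γ and δ are fatal, worked in the exponent as an added example (not snarkjs code and not a pairing implementation): each group element is represented by its discrete logarithm modulo a toy prime r, so the pairing check e(A,B) = e(α,β)·e(vk_x,γ)·e(C,δ) becomes A·B = α·β + vk_x·γ + C·δ. The verification key publishes IC_i = L_i/γ for every public input, so anyone can move public-input terms into C; the move is invisible to the check exactly when γ = δ, which is the state a zkey is in before any Phase 2 contribution. The honest prover solving for C with δ^{-1} is a modelling shortcut for the δ-divided proving-key terms; the field order, the key layout and the names are all assumptions.

```python
import secrets
from typing import Dict, List, Tuple

R = 2**61 - 1  # toy scalar-field order (assumption); snarkjs uses BN254's r

def rand_scalar() -> int:
    return secrets.randbelow(R - 1) + 1

def make_vk(gamma: int, delta: int, n_pub: int) -> Dict:
    """Verification key in exponent form. L_i stands for beta*u_i(tau) + alpha*v_i(tau) + w_i(tau)
    for public input i; vk.IC_i = L_i / gamma is published so the verifier can form vk_x."""
    L = [rand_scalar() for _ in range(n_pub)]
    inv_gamma = pow(gamma, -1, R)
    return {"alpha": rand_scalar(), "beta": rand_scalar(), "gamma": gamma, "delta": delta,
            "IC": [(l * inv_gamma) % R for l in L]}

def vk_x(vk: Dict, public_inputs: List[int]) -> int:
    return sum(a * ic for a, ic in zip(public_inputs, vk["IC"])) % R

def verify(vk: Dict, public_inputs: List[int], proof: Tuple[int, int, int]) -> bool:
    """Groth16 verification with each pairing replaced by a product of discrete logs."""
    A, B, C = proof
    lhs = A * B % R
    rhs = (vk["alpha"] * vk["beta"] + vk_x(vk, public_inputs) * vk["gamma"] + C * vk["delta"]) % R
    return lhs == rhs

def honest_proof(vk: Dict, public_inputs: List[int]) -> Tuple[int, int, int]:
    """A and B are randomised as in Groth16; C is solved for directly. A real prover cannot
    divide by delta, but its proving key holds the private-witness and H(tau)t(tau) terms
    already divided by delta, which is what this shortcut models."""
    A, B = rand_scalar(), rand_scalar()
    C = (A * B - vk["alpha"] * vk["beta"] - vk_x(vk, public_inputs) * vk["gamma"]) \
        * pow(vk["delta"], -1, R) % R
    return (A, B, C)

def retarget(vk: Dict, old_inputs: List[int], new_inputs: List[int],
             proof: Tuple[int, int, int]) -> Tuple[int, int, int]:
    """Attacker: keep (A, B) and add sum((a_i - a'_i) * IC_i) to C using only public vk data.
    The verifier's right-hand side changes by sum((a_i - a'_i) * IC_i) * (delta - gamma),
    which vanishes precisely when delta == gamma."""
    A, B, C = proof
    shift = sum((a - b) * ic for a, b, ic in zip(old_inputs, new_inputs, vk["IC"])) % R
    return (A, B, (C + shift) % R)
```

The consequence matches the incidents described above: a single valid proof for some public input (say a nullifier or a withdrawal amount) can be rewritten into a proof for any other public input, so the only real check left is whether the Phase 2 ceremony ran. The practical test is cheap: read γ and δ out of the deployed verifier (they are constants in the snarkjs-generated Solidity) and refuse to deploy if they are equal.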