Valentinus Sofa 🎗

Asynchronous DKG with O(n^2) communication and O(1) time, assuming only a plain PKI setup 🔥🔥🔥 With Renas Bacho and Gilad Stern: https://t.co/CbjHxWuJPp Previously, async DKG required either O(k) time and O(n^{2+1/k}) communication, or silent setup with a cubic-communication setup phase And yes: running multiple instances concurrently is trivial :-)

Today, we're releasing version 1 of zkao. If you don't know what zkao is: it's deep research for finding bugs in codebases implementing cryptography. We're opening the tool to the public, but still gating it with a KYB to prevent people from scanning code they don't own. Link 👇🏼

Our statement on the UK government’s demand that all content on all devices sold or used in the country be scanned, on the presumption of nudity, using a dystopian combination of age verification and content scanning. This proposal will not safeguard children. It endangers us all. https://t.co/VdWe9uhi8p

A new paper with Dmitry Krachun! https://t.co/bF92RbpWzP The basic idea: To randomly combine pedersen/KZG commitments, we usually choose λ-bit scalars for each one, and do an MSM - requiring roughly λn adds. This can be a bit better with pippenger; but in this paper we completely eliminate the multiplicative dependence between the two parameters - getting n^2+λ adds. How do we do it? - First encode the commitments in a code requiring few adds for encoding. Here there is much room for improvement if someone can analyze codes like RAA with O(n) adds over a large prime field. Currently we use an RS code, with evaluation domain 1,2,..2n rather than roots of unity. The cool thing is that for this domain the encoding can be computed in n^2 adds via "forward differencing". -Second, do λ steps of "double and random add" - at each iteration we double the current point and add a random index of the codeword. We use Fourier analysis to show if we started with a non-zero vector, the result is non-zero with high probability.