# ZK/SEC Quarterly > Security Research & Advanced Cryptography. Technical blog by ZK Security covering zero-knowledge proofs, cryptographic protocols, security audits, and formal verification. [ZK Security](https://www.zksecurity.xyz/) provides security audits, research, and development services for **zero-knowledge proofs** (ZKPs), **multi-party computation** (MPC), **fully homomorphic encryption** (FHE), **post-quantum cryptography** (PQC), and advanced cryptography more broadly. **Core Expertise Areas:** - ZK Security Audits: Circuit-level audits for Circom, Halo2, Noir, Plonky2, SP1, and custom proof systems - Protocol Security: Design review and implementation audits for cryptographic protocols and consensus mechanisms - Tooling & Research: Open-source tools, educational content, and original research on ZK proof systems - Formal Verification: Machine-checked proofs and formal analysis of cryptographic constructions - [ZK Security website](https://www.zksecurity.xyz/): Security audits and services - [Audit reports](https://reports.zksecurity.xyz/): Published security audit reports - [ZK bugs knowledge base](https://bugs.zksecurity.xyz/): Database of known ZK circuit vulnerabilities - [S-two Book](https://stwo.zksecurity.xyz/): Guide to writing AIRs with the Stwo prover - [Clean](https://github.com/Verified-zkEVM/clean): Formal verification DSL for ZK circuits in Lean4, created by ZK Security ## Blog Posts - [When LLM Review Cryptography Papers](https://blog.zksecurity.xyz/posts/llms-in-research.md) (educative, security, zk, AI): Google Research used Gemini to find a bug in a cryptography paper on SNARGs from LWE. We summarize how those events unfolded, look at their iterative self-correction prompting strategy and discuss the growing role of LLMs in academic research. 
- [zkao: Security That Compounds](https://blog.zksecurity.xyz/posts/zkao-launch.md) (zkao, security, zk, AI): Today we're launching zkao, a product by zkSecurity that makes AI security research work the way fuzzing works: not as a one-shot event, but as something you run continuously until coverage compounds. - [Optimistic One-Vote-Round Finality in BFT Consensus](https://blog.zksecurity.xyz/posts/one-voting-round-bft.md) (BFT, Consensus, PoS): An intuition-first walkthrough of why 33% BFT needs two voting rounds, how 20% designs get true one-round finality, and how an optimistic fast path can bridge the gap. - [Lean4 formalization of "A Simplified Round-by-round Soundness Proof of FRI"](https://blog.zksecurity.xyz/posts/simple-rbr-fri.md) (zk, FRI, security, lean, formal): A Lean4 formalization of the paper "A Simplified Round-by-round Soundness Proof of FRI" by Albert Garreta, Nicolas Mohnblatt, and Benedikt Wagner, completed using Harmonic's Aristotle agent and Claude Code. Welcome to the strange world of machine-led formalization of cryptography. - [Archetype x zkSecurity - Proof is in the Pudding: Privacy in Payment Networks](https://blog.zksecurity.xyz/posts/pudding-8-privacy.md) (educative, zk, privacy): In Session 08 of "Proof is in the Pudding," we explore how different networks have approached privacy over the years. From E-Cash and Monero to MobileCoin and Zether, we break down blind signatures, Pedersen commitments, stealth addresses, ring signatures, and more. This session provides a comprehensive tour of the techniques used to break linkability, hide addresses, and obscure transaction data in the name of privacy and safety. - [New Challenge Alert: Complete Both to Join zkSecurity](https://blog.zksecurity.xyz/posts/curve-machine.md): Think you have what it takes to join zkSecurity? We're raising the bar with a second challenge! 
Now candidates must complete both zkBank and our new Curve Machine challenge to prove their skills across the full spectrum of ZK security. Are you ready to take on both challenges? - [Learn Sumcheck, MLE, and HyperPlonk: An Interactive Tutorial with SageMath](https://blog.zksecurity.xyz/posts/sumcheck-tutorial.md) (educative, zk, sumcheck, hyperplonk, sagemath): A new interactive tutorial on Sumcheck, Multilinear Extensions, and HyperPlonk with complete SageMath implementations and exercises. Go beyond the theory and understand how these protocols actually work by implementing them yourself. - [Faster Sumchecks: Part I](https://blog.zksecurity.xyz/posts/faster-sumchecks.md) (educative, zk, sumcheck): In this blog post, we explore how to optimize the sumcheck protocol, particularly when working with values in a small field and randomness from a large field, as often needed in zkVMs. We introduce various algorithms aimed at reducing expensive operations, focusing on minimizing large multiplications. Starting from using simple evaluation tables to more sophisticated techniques like precomputing accumulators and leveraging Lagrange interpolation, we demonstrate how to efficiently organize computations to speed up proving times. Readers will gain insights into handling arithmetic operations within the sumcheck protocol and learn about optimizing specific cases in zero-knowledge proofs. - [Comparison of formal verification frameworks for arithmetic circuits](https://blog.zksecurity.xyz/posts/formal-verification-arithmetic-circuits.md): A hands-on comparison of formal verification frameworks for arithmetic circuits, evaluating those in the ACL2 Book (r1cs, PFCS), acl2-jolt, Garden (Rocq), zk-lean, sp1-lean, and Clean. Each framework is tested on reproducibility, available examples (from basic field elements to RISC-V VM instructions), and practical verification tasks including the IsZero and weighted-sum circuits. 
The evaluation includes both human and Claude Code's ability to work with each framework, revealing insights about installation difficulty, proof automation capabilities, and the maturity of publicly available examples. This post maps the current landscape of formally verified ZK circuits and discusses what's coming next in this rapidly evolving field. - [Sigma dance: commit, challenge, respond](https://blog.zksecurity.xyz/posts/sigma.md) (educative, zk): Learn the fundamentals of Σ-protocols through the classic Schnorr protocol, exploring the three-step dance of commit, challenge, and respond. This post walks through knowledge soundness and witness extraction, then shows how to compose Sigma proofs with AND/OR logic and Pedersen commitments. See working SageMath implementations, discover how Fiat-Shamir transforms interactive proofs into non-interactive signatures, and understand the deeper mathematical structure as proofs of knowledge of homomorphism pre-images. - [Circle STARKs: Part IV, Arithmetizing Circles](https://blog.zksecurity.xyz/posts/circle-starks-4.md) (educative, zk, fri): In this final part of our series on Circle STARKs, we tie together concepts from Mersenne prime fields, circle curves and bivariate polynomials to showcase a comprehensive Circle STARK protocol. We detail the process of arithmetization over the circle curve, introducing Circle FRI as a low-degree test and walk through the complete Circle STARK construction. Readers will explore how trace commitments, constraint batching and low-degree proofs combine for efficient verifiable computation, delving into the nuances of proof validity and security analysis. - [Proximity Gaps: What Happened and How Does It Affect our SNARKs](https://blog.zksecurity.xyz/posts/proximity-conjecture.md) (educative, security, zk): A series of recent papers just disproved the proximity gaps conjecture, which has everyone wondering if hash-based SNARKs are in trouble. 
We break down what actually happened using some helpful visuals—think of it as understanding which parameter choices are safe versus which ones are now confirmed to be risky. The post walks you through the different security zones (proven safe, conjectured safe, and definitely not safe), explains how these new results connect to other open math problems, and shows what it means for real-world SNARKs in terms of proof sizes and performance trade-offs. - [Playing with LaBRADOR: Building Compact Lattice-based Proofs with Recursion](https://blog.zksecurity.xyz/posts/labrador.md) (educative, zk, pqc, lattice): In this post, we explore LaBRADOR, a transparent, lattice-based proof system that achieves sublinear proof sizes through recursion. Built on the Module-SIS assumption, LaBRADOR lets a prover efficiently demonstrate knowledge of short vectors satisfying dot product constraints, general enough to express R1CS. The protocol’s key ideas include amortized openings, outer commitments, and a strategy to shrink the witness after each round of recursion. Together, these techniques make LaBRADOR a powerful, scalable framework for post-quantum zero-knowledge proofs. - [Stay in Range: Deeper Into Bulletproofs](https://blog.zksecurity.xyz/posts/bulletproofs-range-proofs.md) (educative, zk, ipa, bulletproofs): This article breaks down how Bulletproofs enable range proofs: proofs that a hidden value lies within a range without revealing it. Starting from bit decomposition, it shows how to express and combine constraints into a single inner product, then make the proof zero-knowledge with blinding polynomials and commitments. By the end, you’ll understand how systems like Monero’s confidential transactions prove valid amounts while keeping values private. - [Announcing the S-two Book](https://blog.zksecurity.xyz/posts/stwo-book.md) (announcement, educative, zk, stark): We're thrilled to share our collaboration with Starkware on the S-two book. 
If you're curious about writing AIRs with the S-two prover, implementing Cairo AIR in S-two, or how Circle STARKs are utilized, this post is for you. Dive in to explore these insights and deepen your understanding of these fascinating topics. - [Common Circom Pitfalls and How to Dodge Them — Part 2](https://blog.zksecurity.xyz/posts/circom-pitfalls-2.md) (educative, security, zk, tools, circom): This post is the second part of our series on Circom pitfalls. While part 1 covered issues with assertions, hints, and aliasing, this one explores unsafe component usage and the subtle fact that Circom’s comparison operators work over signed integers. - [Why does FRI work?](https://blog.zksecurity.xyz/posts/fri-security.md) (educative, security, zk, fri): This blog post explains the security intuition behind the FRI protocol, which proves that a function is close to a valid Reed-Solomon codeword. It introduces the "prover message graph," a layered structure that visualizes how correct and incorrect folds affect verification. We conclude that if too many folds are inconsistent, the verifier will likely reject, but if most are correct, the initial function must be close to a proper codeword. - [Unfolding the Bulletproofs Magic: A SageMath Deep Dive](https://blog.zksecurity.xyz/posts/bulletproofs-sage.md) (educative, zk, ipa, bulletproofs): In this post, we dive deep into the Inner Product Argument (IPA), the mathematical core of Bulletproofs. Starting from simple vector folding, we build up to a full zero-knowledge proof with Pedersen commitments, explore how the mysterious `L` and `R` terms appear, and finish with smart verifier optimizations. All illustrated with clear, runnable SageMath code. 
- [Breaking Down Bulletproofs: No Pairings, No Trusted Setup](https://blog.zksecurity.xyz/posts/bulletproofs-intuitions.md) (educative, zk, ipa, bulletproofs): Learn how Bulletproofs enables efficient zero-knowledge proofs without trusted setups by computing inner products in a verifiable way. This post breaks down the core folding technique that reduces large vectors to single elements through recursive compression, making proofs both compact and fast to verify. Used in Monero, Mina's Kimchi, and Zcash's Halo 2, Bulletproofs is a practical alternative to pairing-based schemes. - [Archetype x zkSecurity - Proof is in the Pudding: The Other Dark Forest (Offchain Public Keys)](https://blog.zksecurity.xyz/posts/pudding-7-offchain-pks.md) (educative, zk): In Session 07 of "Proof is in the Pudding," we explore the other dark forest—the realm of offchain public keys. We dive into zkLogin, ZK Email, and ZKPassport, examining how these protocols handle authentication and privacy. We also discuss the issue of unlinkability in privacy protocols and why replacing traditional signature verifications with zero-knowledge proofs could unlock more interesting and powerful ZK products. - [Archetype x zkSecurity - Proof in the Pudding: Introduction to Data Availability (Sampling)](https://blog.zksecurity.xyz/posts/pudding-6-DA.md) (educative, zk, data-availability): In the latest "Proof is in the Pudding" session, we team up with Archetype to break down the essentials of Data Availability Sampling. We dive into how rollups and Ethereum's DA system work, explore the role of DA chains, and touch on the basics of verifiable sharding. This introduction is perfect for anyone curious about the foundations of data availability sampling and how these concepts are playing out in the blockchain world. 
- [Halo2's Elegant Transcript As Proof](https://blog.zksecurity.xyz/posts/halo2-elegant-transcript.md) (educative, zk, halo2, plonk): In this blog post, we explore a clever design in Zcash's halo2 implementation for securing the Fiat-Shamir transformation. By using a mutable transcript, the process ensures that values are automatically absorbed, reducing potential bugs. You'll find explanations of the distinct roles of `write` and `read` functions for points and scalars, highlighting how this abstraction makes the prover-verifier interaction seamless and secure. If you're curious about the inner workings of cryptographic protocols, this is a fascinating read. - [Kocher's Timing Attack: A Journey from Theory to Practice](https://blog.zksecurity.xyz/posts/timing-kocher.md) (educative, security, cryptanalysis): Paul Kocher's 1996 timing attack showed how microsecond differences in execution time could leak private keys from RSA implementations. This tutorial recreates the attack journey from clean operation counting through noisy wall-clock measurements to sophisticated engineering solutions. Learn the variance distinguisher, explore schoolbook modular arithmetic, and discover the measurement techniques that make practical timing attacks possible despite system noise. - [𝒫𝔩𝔬𝔫𝒦: A Hands-On Deep Dive](https://blog.zksecurity.xyz/posts/plonk-tutorial.md) (educative, zk, plonk): 𝒫𝔩𝔬𝔫𝒦’s many layers (selector polynomials, wiring permutations, quotient tests, random challenges and KZG commitments) can be overwhelming. Our zkSecurity tutorial uses a single running example to demystify them all. Build tables and interpolate low-degree BN254 polynomials, encode gate and wiring constraints, run deterministic and probabilistic zero-tests, then layer in randomness and KZG commitments to produce a full Fiat–Shamir proof. Grab the Jupyter Notebook (Sage or Cocalc), or work in your favorite language with our guided test cases. 
- [Circle STARKs: Part III, Circle FFT](https://blog.zksecurity.xyz/posts/circle-starks-3.md) (educative, zk, fri): In this blog post, we explore how to efficiently implement polynomial operations using Circle FFT in the context of STARKs, drawing parallels with the Cooley-Tukey FFT. We discuss how the Circle FFT handles bivariate polynomials over the circle group, replacing traditional multiplicative subgroups with twin-cosets. You'll discover the nuanced process of decomposing and recomposing polynomials using projection and squaring maps, leading to efficient computations. We also address the gap between the polynomial degree space and the space spanned by Circle FFT. This is a fascinating dive into the heart of polynomial computations in cryptography. - [Uncovering the Query Collision Bug in Halo2: How a Single Extra Query Breaks Soundness](https://blog.zksecurity.xyz/posts/halo2-query-collision.md) (security, zk, halo2, plonk): We recently discovered a subtle but important soundness issue in Halo2, which we’ve named the query collision bug. It affects certain edge-case circuits and was present in widely used versions, including the main Zcash implementation and PSE’s fork. We disclosed the issue to the relevant teams—including Zcash, PSE, and Axiom, all of whom have since patched it. While no known production circuits were affected, the bug reveals a surprising vulnerability in the proving system that deserves attention. - [Bug Hunt: Zero-Knowledge, Full-Paranoia, and the AI That Stares Back](https://blog.zksecurity.xyz/posts/snarksentinel.md) (announcement, tools, security, zk, circom, ai): Over the past year, we've been diving into whether AI can effectively identify bugs in zero-knowledge circuits and applications, sparking questions about the future of auditing. This led us to develop SnarkSentinel, an AI-powered auditing tool. We'll share what worked, what didn’t, and how our journey with AI could impact auditing. 
From early challenges with Circom to innovative methods like retrieval-augmented generation and agent-led probing, we'll give you a peek into our findings, including both successes and setbacks with bug detection. Discover how AI might enhance or change the landscape of auditing and what this means for developers and security pros alike. - [Trust, But Measure: A Friendly Intro to TEEs with Intel TDX](https://blog.zksecurity.xyz/posts/pudding-4-TEEs.md) (educative, TEE, security): In the latest session of "Proof is in the Pudding," we teamed up with Archetype to explore the basics of Trusted Execution Environments. Through a collaborative whiteboarding session, we break down key concepts and practical applications, making this tech topic accessible and engaging. Dive in to discover how these environments can enhance digital security in a straightforward way. - [Uncovering the Phantom Challenge Soundness Bug in Solana's ZK ElGamal Proof Program](https://blog.zksecurity.xyz/posts/solana-phantom-challenge-bug.md) (security, zk, solana): In June 2025, we uncovered a serious soundness issue in Solana's ZK ElGamal Proof Program that could let attackers manipulate confidential token transfers undetected. We worked with the Anza team to quickly address the flaw by pausing and disabling vulnerable components. This post dives into the root cause, which was a subtle mistake in handling prover-generated challenges within sigma OR proofs, revealing broader lessons in zero-knowledge protocol security. If you're interested in cryptographic protocol design, this could provide valuable insights. - [Common Circom Pitfalls and How to Dodge Them — Part 1](https://blog.zksecurity.xyz/posts/circom-pitfalls-1.md) (educative, security, zk, tools, circom): Programming in Circom comes with its fair share of challenges. After reviewing numerous Circom codebases, we’ve identified certain anti-patterns that occur frequently. 
In this series, we’ll provide a comprehensive overview of these issues to help you avoid the most common pitfalls. Of course, this won’t be a complete list of every mistake possible (Circom has plenty of ways to trip you up). But the footguns we’ll cover are the ones that tend to catch developers off guard the most. - [Proofs On A Leash: Post-Quantum Lattice SNARK With Greyhound](https://blog.zksecurity.xyz/posts/greyhound.md) (educative, zk, pqc, lattice): In this engaging blog post, we dive into the future of cryptography by exploring how lattice-based proof systems could fend off the quantum threat. We break down Greyhound, a promising lattice-based solution, explaining its transparent nature, efficient construction, and adaptability with today's systems. Along the way, you'll get a glimpse of key concepts like lattices, Ajtai commitments, and how Greyhound cleverly ensures security and efficiency. Whether you’re curious about the cutting-edge of cryptographic research or just want to understand the basics of quantum-resistant solutions, this post offers both depth and clarity. - [Optimizing Barrett Reduction: Tighter Bounds Eliminate Redundant Subtractions](https://blog.zksecurity.xyz/posts/barrett-tighter-bound.md) (educative): In this blog post, we explore an optimization for Barrett reduction, a popular method for modular arithmetic. We discovered that the error bound can be tighter than traditionally thought, meaning you often only need a single subtraction instead of two. This tweak can speed up cryptographic operations like those in the RustCrypto library by 14% when applied to NIST curves, which is a game changer for both encryption and performance. Dive into the details to see how this simple change can lead to significant improvements in real-world applications! 
- [Variants of KZG: Part I, Univariate](https://blog.zksecurity.xyz/posts/kzg-1.md) (educative, zk): In this blog post, we dive into the world of polynomial commitment schemes (PCS), which are crucial for constructing most practical SNARKs. We cover the basics of how PCS works, focusing on KZG10, known for its efficiency in proof size and verification time. You'll learn about the essential properties of binding and hiding and explore technical concepts like homomorphism, batching, and unconditionally hiding. We break down various methods to achieve these features, offering insight into how PCS maintains the security and privacy of polynomials in cryptographic systems. Get ready to understand these powerful concepts and their applications in modern cryptography! - [Accelerating ZK Proving with WebGPU: Techniques and Challenges](https://blog.zksecurity.xyz/posts/webgpu.md) (educative, tools, zk, zkvm): Hey there! We're diving into how leveraging WebGPU can revolutionize client-side proving for privacy-preserving zero-knowledge apps. By tackling the usual time and memory bottlenecks with innovative techniques like using GPUs, we're achieving significant performance gains. We'll share our experiences using WebGPU with various frameworks, offering insights into optimizing operations and managing data transfer efficiently. Plus, learn about the challenges and exciting potential of integrating WebGPU into zero-knowledge frameworks. Join us to explore the future of privacy tech! - [Introducing clean, a formal verification DSL for ZK circuits in Lean4](https://blog.zksecurity.xyz/posts/clean.md) (announcement, tools, zk, formal-verification): We're diving into our new project called **clean**, aimed at creating an embedded DSL and formal verification framework for Zero Knowledge (ZK) circuits using Lean4. Imagine being able to not only define ZK circuits but also formally prove their correctness—sounds like a game-changer, right? 
We'll walk you through our process of building a robust library of reusable, verified circuit gadgets, focusing on the importance of soundness and completeness. Plus, you'll get a peek at some cool examples like 8-bit addition and how we're tackling ZKVM design with techniques borrowed from Fibonacci sequences. It's exciting stuff, and if you're curious about how we're paving the way for bug-free ZK circuits, this is a read you won't want to miss! - [Auditing Self: Collaborating with Celo on Privacy and Identity Infrastructure](https://blog.zksecurity.xyz/posts/self-audit.md) (educative, security, zk, audit, identity): We recently teamed up with Celo for an in-depth security audit of the Self project, exploring its innovative approach to on-chain identity using biometric passports and zero-knowledge proofs. During our three-week dive, we examined everything from cryptographic primitives to smart contract architecture and a unique proof delegation system using AWS Nitro Enclaves. The Celo team impressed us with their commitment and responsiveness, and we collaborated on refining the system with strategic improvements. Curious about the nitty-gritty details and our insights? Check out the full report! - [BitVM: Unlocking Arbitrary Computation on Bitcoin Through Circuit Abstractions](https://blog.zksecurity.xyz/posts/bitvm.md) (educative, zk, bitcoin): We're diving into the world of Bitcoin's UTXO model and how recent advancements like BitVM can overcome its limitations, allowing for more complex computations without changing Bitcoin's core. This blog post explores cutting-edge techniques like covenants, statefulness, and circuit models, showing how they enable intricate logic on Bitcoin. We'll break down how these innovations make trustless cross-chain transactions possible, and highlight the potential of optimistic protocols to optimize the on-chain footprint. If you're curious about the future of Bitcoin's capabilities, this is the deep dive you need! 
- [Projects That Shaped Modern zkVMs — Part 1](https://blog.zksecurity.xyz/posts/zkvm-projects-1.md) (educative, zk, zkvm): Curious about how zero-knowledge virtual machines (zkVMs) make computing more secure without the hassle? We delve into the fascinating world of zkVMs, where you can program in high-level languages like Rust or C and let cryptography handle the complexity. We'll explore the evolution of these innovative systems through projects like Cairo and RISC Zero, while touching on the unique benefits and technical insights each brings. Plus, learn about groundbreaking techniques for optimizing zkVMs with projects like Jolt, and discover a range of other influential zkVM initiatives. Get ready for an enlightening journey into secure computation! - [Looking for an internship in 2025?](https://blog.zksecurity.xyz/posts/internship-2025.md) (announcement): Thinking about diving into the world of cryptography and cutting-edge tech? We're on the lookout for bright minds to join us for internships in areas like ZK, MPC, and post-quantum cryptography. Our past interns have tackled exciting projects like exploring ZK circuit vulnerabilities and delving into RISC-V zkVMs. If you want a fast track to an interview, try out the zkBank challenge, or simply send us your resume. Come join us and see where the journey takes you! - [Archetype x zkSecurity (Whiteboard Session) - Proof is in the Pudding: How to prove false statements](https://blog.zksecurity.xyz/posts/pudding3.md) (educative, security, zk, gkr): In our third whiteboard session with Archetype, we dive into the fascinating world of cryptographic protocols by breaking down the intricacies of the Fiat-Shamir security model and the GKR protocol. Whether you're a cryptography enthusiast or just curious about how these complex mechanisms enhance security, this is a chance to explore the theories with us in a friendly and digestible way. 
Don't miss the opportunity to expand your understanding of this cutting-edge topic! - [Circle STARKs: Part II, Circles](https://blog.zksecurity.xyz/posts/circle-starks-2.md) (educative, zk, fri): In this blog post, we dive into the fascinating world of Circle STARKs, exploring the algebra of complex numbers and how they can be extended to any field. We revisit the concept of the unit circle and its unique group structure, which allows for cool operations like squaring and doubling angles. You'll discover how these ideas apply to finite fields, creating intriguing structures like the twin-coset and standard position coset. The post leads us to understand vanishing polynomials, crucial in STARKs, and sets the stage for exploring the circle FFT in upcoming discussions. Perfect for anyone curious about cutting-edge cryptographic techniques! - [A Gentle Introduction to the MPC-in-the-Head Transformation](https://blog.zksecurity.xyz/posts/mpcith-intro.md) (educative, zk, MPC): In this blog post, we dive into the fascinating world of zero-knowledge proofs using the MPC-in-the-Head transformation—a clever method that constructs proof systems from any secure multiparty computation protocol. Originally proposed in 2007, this transformation uses a creative approach involving "imaginary parties" to prove knowledge without revealing it. We explain how this technique can be applied to develop post-quantum signature schemes, providing insights into its practical implications and efficiency. By exploring these concepts, readers will uncover a unique intersection of cryptography and computer science. - [Uncovering and Fixing an Inflation Bug in Aleo](https://blog.zksecurity.xyz/posts/aleo-bug.md) (security, zk, audit, aleo): In November 2024, we found a significant inflation bug in the Aleo mainnet that could have allowed token minting without proper checks. We immediately informed the Aleo team, who swiftly addressed the issue with no detected exploitation. 
This post dives into the inner workings of Aleo and explains how transitions and records operate, providing insight into how the vulnerability was discovered and resolved. It's an intriguing look at blockchain security, zero-knowledge proofs, and the importance of thorough type checks to ensure robust protocol integrity. - [Beyond L2s Maturity: A Formal Approach to Building Secure Blockchain Rollups](https://blog.zksecurity.xyz/posts/l2_formal_paper.md) (educative, security, zk, formal-verification): In our latest blog post, we dig into the fascinating world of blockchain rollups, focusing on their security and how they help Ethereum scale while maintaining its core values of decentralization. We'll break down the concepts of Optimistic and ZK-Rollups, discuss the importance of projects like L2BEAT in assessing rollup maturity, and introduce our formal model for ensuring rollup security. If you're curious about how forced transactions, safe blacklisting, and upgradeability are shaping the future of Ethereum, this is a read you won't want to miss. - [Introducing bugs.zksecurity.xyz a knowledge base for ZK bugs](https://blog.zksecurity.xyz/posts/zkbugs-website.md) (announcement, security, tools, zk): We're thrilled to introduce our new site, [bugs.zksecurity.xyz](https://bugs.zksecurity.xyz/), a hub for exploring past vulnerabilities in ZK circuits. Dive into our growing catalog of documented bugs and learn how we've reproduced some with comprehensive scripts. Discover evaluations of prominent security tools like Circomspect and Picus, and see where they shine or stumble. We're calling on the community to join us in expanding this invaluable resource—whether by adding bugs, reproducing them, or improving our platform. Let's collaborate to elevate ZK security together! 
- [An Introduction to Interactive Theorem Provers](https://blog.zksecurity.xyz/posts/introduction-to-interactive-theorem-provers.md) (educative, tools, formal-verification): Kevin Buzzard, a mathematician with a cautious view on human-checked proofs, found solace in interactive theorem provers, which verify mathematical proofs much like type-checking in programming. We explore how these tools, which are gaining traction in fields like applied cryptography, ensure rigorous and reliable proofs. With Lean as our focus, you'll discover how to dive into this fascinating world, see a proof in action, and learn how this technology is revolutionizing areas like zero-knowledge virtual machines. Curious about building rock-solid, machine-verified proofs? Check out our beginner-friendly guide!
- [A Technical Dive into Jolt: The RISC-V zkVM](https://blog.zksecurity.xyz/posts/how-jolt-works.md) (educative, zk, zkvm): In our latest post, we take you inside the workings of Jolt, a zero-knowledge virtual machine for the RISC-V architecture. This post breaks down the three main components that prove execution correctness: instruction lookup, offline memory checking, and the Rank-1 Constraint System (R1CS). By exploring these elements, you'll get a grasp on how Jolt ensures VM execution is accurate and reliable, using innovative methods like Lasso lookup arguments and the Spartan protocol. Join us as we unravel this cutting-edge zkVM, which not only promises simplicity but also the potential for exciting advancements.
- [zkVM Security: What Could Go Wrong?](https://blog.zksecurity.xyz/posts/zkvm-security.md) (educative, security, zk, zkvm): Ever wondered how zkVMs simplify the use of zero-knowledge proofs in coding? We dive into how they let developers focus more on application logic by abstracting complex cryptographic aspects, using familiar languages like Rust or C++. But hold on, it's not all smooth sailing—despite these benefits, a single bug anywhere in the complex system of compilers, proof systems, or verification can lead to serious security issues. In the post, we break down the zkVM workflow, explore common vulnerabilities at each phase, and highlight the importance of understanding these layers to build more secure, zk-powered applications. Curious about how this all plays out? Let’s unravel it together!
- [Improving the Security of the Jolt zkVM](https://blog.zksecurity.xyz/posts/jolt-findings.md) (security, zk, audit, zkvm): We recently explored a16z’s Jolt zkVM to bolster its security, discovering significant bugs in the process. Our findings revealed vulnerabilities that could allow malicious provers to forge proofs, highlighting the crucial role of manual reviews in catching these issues. Jolt, with its unique approach using the Lasso lookup technique, aims to improve prover efficiency and system scalability. With these bugs now fixed, this work underscores the importance of thorough audits in ensuring the reliability of advanced zkVM technology. Stay tuned as we continue to delve into zkVM security insights.
- [Unveiling the Magic Behind Starknet: A Deep Dive into New Specifications](https://blog.zksecurity.xyz/posts/starknet-specs.md) (educative, zk): In our deep dive into Starknet's cryptographic components, we tackled the challenge of missing comprehensive specifications by reverse-engineering and publishing draft specs. Readers can explore our work on key protocols like Starknet Channels and STARK Verifier, with an open invitation to join us in refining these efforts. Curious to see what we've pieced together? Check out our drafts and get involved!
- [Become a Halo2 Hero: Master Zero-Knowledge Proofs with Our New Course](https://blog.zksecurity.xyz/posts/halo2-course.md) (educative, zk, halo2, plonk): We're teaming up with the Zircuit team to bring you a new course on Halo2 development that's perfect for Rust developers eager to dive into creating Halo2 circuits from scratch. No need to be a cryptographer or have prior knowledge of Halo2, PlonK, or zkSNARKs—our course starts with the basics and guides you through building increasingly complex circuits. By the end, you'll be a Halo Hero! Plus, you'll have access to complete, runnable code examples on GitHub. Ready to start your Halo2 journey? Check it out!
- [noname 3.0: Native Hints, Standard Library, Compiler Visualizer, And More!](https://blog.zksecurity.xyz/posts/noname-stdlib.md) (announcement, tools, zk): We're super excited to introduce noname 3.0, our zk programming language inspired by Rust and Golang, now achieving full feature parity with Circom. This update brings native hints, a standard library, debugging features, and a lot more to enhance developer experience. Dive into how hint functions work with an 'unsafe' keyword to balance innovation and security, explore our new stdlib modules, and see how the compiler pipeline visualizer can help you understand the compiling process. Plus, check out our next steps and how you can contribute to shaping noname's future.
- [10 Must-Read Papers That Shaped Modern Zero-Knowledge Proofs](https://blog.zksecurity.xyz/posts/ten-zk-papers.md) (educative, zk, zkvm): Zero-knowledge proofs have come a long way in 40 years, thanks to groundbreaking work from many brilliant minds. We're taking you on a tour of the key milestones in this fascinating journey, from the foundational concepts in 1985 by Goldwasser, Micali, and Rackoff, to modern applications and innovations like STARKs and zkVMs. You'll get a taste of major papers and projects that have pushed these proofs from theoretical curiosity to practical and scalable solutions. Dive into the history, understand the evolution, and see how these cryptographic marvels continue to shape the future of secure computation!
- [ZNARKs: SNARKs for The Integers](https://blog.zksecurity.xyz/posts/znarks.md) (educative, zk): Hey there! Interested in learning about SNARKs that work beyond finite fields? We’ve been diving into $\mathbb{Z}$NARKs, which are SNARKs tailored for computations involving integers. Our latest post unpacks this intriguing area, showing how we can construct efficient proof systems for integer-based computations. You'll discover nifty tricks like range checks without bit decomposition and mixed field emulation, plus how these techniques can simplify RSA computations. Intrigued by the idea of using randomness for more reliable proofs or exploring an intellectual curiosity like $\mathbb{Q}$-circuits? This post covers it all, including a peek into the future of polynomial commitments. Dive in and explore with us!
- [Stone CLI: Making Cairo programming more accessible](https://blog.zksecurity.xyz/posts/stone-cli.md) (tools, zk): We're excited to introduce the Stone CLI, our new tool designed to simplify the process of proving and verifying Cairo programs. Working alongside the StarkWare team, we've streamlined the toolchain for developers, making it easier to compile, run, and prove these programs with less hassle. You'll get the scoop on how to seamlessly use the Stone CLI across various verifiers, serialize proofs, and even create Ethereum-compliant proofs using the bootloader. Dive in to see how we're making life easier for both beginners and seasoned Cairo enthusiasts!
- [Archetype x zkSecurity (Whiteboard Session) - Proof is in the Pudding: zkTLS](https://blog.zksecurity.xyz/posts/zktls.md) (educative, zk, zkvm): In our "Proof is in the Pudding" series, hosted with Archetype, we dive into the world of zkTLS—also known as zkOracles, HTTPz, or MPC-TLS. You'll get the inside scoop on various approaches like public oracles, TEE methods such as TownCrier, and hybrid models using MPC protocols. It's a perfect chance to explore cutting-edge TLS technologies and see how they shape secure communication. Check out the recorded session on Archetype's channel!
- [WE-KZG: Encrypt to KZG.](https://blog.zksecurity.xyz/posts/kzg-we.md) (educative, zk): Ever wondered if you could create a ciphertext that's only decrypted when a polynomial inside a commitment has a particular value? We’ve explored this notion using KZG commitments in our latest Asiacrypt 2024 paper. Dive into the elegant world of Witness Encryption and see how it can be applied in cool ways like Laconic Oblivious Transfer. This approach keeps things as efficient as regular KZG operations and might just spark some creative applications of your own! Curious to learn more? Let’s explore together!
- [zkHack x zkSecurity (Whiteboard Session) - What is Zero-Knowledge (like, actually)?](https://blog.zksecurity.xyz/posts/zk.md) (educative, zk): We're excited to join zkHack's new season of whiteboard sessions, where you'll dive into the real meaning of "Zero Knowledge" with Nicolas Mohnblatt and David Wong. Discover when true zero-knowledge is at play, explore the differences between honest and dishonest verifiers, and understand why adaptive models are preferred. We'll unpack methods for generating hiding commitments and give you a comprehensive overview of the zero-knowledge aspects of PLONK. Don't miss out on this opportunity to expand your understanding of ZK and its various applications!
- [Archetype x zkSecurity (Whiteboard Session) - Proof is in the Pudding: Arithmetization](https://blog.zksecurity.xyz/posts/arithmetization.md) (educative, zk): Join us for a deep dive into the fascinating world of arithmetization as David from our team breaks down the process of converting logical statements into algebraic forms to create arithmetic circuits, essential for constructing ZK proofs. This unedited recording from our "Proof is in the Pudding" series offers a unique opportunity to grasp these foundational concepts, perfect for anyone keen on unlocking the mechanics behind zero-knowledge proofs. Curious? Check out the session on Archetype's channel!
- [A challenge on the Jolt zkVM](https://blog.zksecurity.xyz/posts/jolt-challenge.md) (announcement, security, zk, zkvm): Last weekend, we had a blast crafting challenges for a CTF event at the MOCA Italian hacker camp. One cryptography challenge, "2+2=5," involved the Jolt zkVM and a RISC-V program. In this post, we share the ins and outs of the challenge, the clever use of a modified Jolt library, and how we managed to prove an invalid execution without triggering verification alarms. Get ready to dive into the world of Jolt and pick up some nifty insights on exploiting cryptographic systems like a true hacker.
- [zkSecurity took part in judging the latest zkHack Montreal](https://blog.zksecurity.xyz/posts/zkhack.md) (announcement, security, zk): We recently had the thrill of judging the latest zkHack competition in Montreal, where developers, researchers, and enthusiasts dove into the world of zero-knowledge proofs and privacy tech. The projects were incredibly innovative, featuring creative applications like ZK breathalyzers and ZK & GPS solutions. Check out the exciting results and insights from this year's event—you won't want to miss what these brilliant minds are bringing to the table!
- [Reproducing and Exploiting ZK Circuit Vulnerabilities](https://blog.zksecurity.xyz/posts/zkbugs.md) (announcement, security, zk): Check out our latest blog post where we dive into the world of Zero-Knowledge Proof (ZKP) vulnerabilities, sharing our insights from replicating known ZK circuit weaknesses. We’ve launched a GitHub repo with detailed scripts to help you understand, reproduce, and learn from these vulnerabilities. Discover how this hands-on approach aids in grasping attack vectors, testing fixes, and enriching educational resources. Whether you're a researcher or a developer, this post is packed with info to enhance your knowledge and skills in ZKP security. Plus, find out how you can contribute to expanding this invaluable resource!
- [noname 2.0: Unlocking Numeric Generics, Folding Schemes, and a Playground](https://blog.zksecurity.xyz/posts/noname-v2.md) (announcement, tools, zk): We're excited to introduce the preview of noname 2.0, packed with features that make developing advanced ZK circuits easier than ever. This update includes flexible generic-sized arrays, seamless integration with folding schemes for IVC, and an interactive online playground to test and share code. We've also optimized R1CS constraint generation to boost performance. Plus, there are numerous community-driven enhancements and bug fixes that make the language more robust and user-friendly. Dive in to explore the specifics of our journey, learn from the contributions of our vibrant open-source community, and see how noname is evolving into a more versatile tool for developers.
- [Exploring Leo: A Primer on Aleo Program Security](https://blog.zksecurity.xyz/posts/aleo-program-security.md) (security, zk, audit, aleo): In this blog post, we dive into Aleo, a blockchain platform that leverages zero-knowledge cryptography for creating private and scalable decentralized applications. You'll discover how Leo, its Rust-like programming language, simplifies app development by allowing developers to focus on robust privacy features without delving deep into cryptographic complexities. We also explore Leo's unique design, offering practical tips on avoiding common pitfalls and potential vulnerabilities like underflows and unauthorized access. Whether you're a developer curious about building privacy-focused solutions or just intrigued by blockchain innovation, you'll find valuable insights here.
- [Verifying Cairo proofs on Ethereum](https://blog.zksecurity.xyz/posts/stark-evm-adapter.md) (tools, zk): We've been teaming up with StarkWare to create the EVM adapter, and we're thrilled to say that we've recently verified Cairo proofs on the Ethereum mainnet! Building on the work of Andrew Milson and Aditya Bisht, we're making StarkWare’s technology more accessible to everyone. Our blog dives into how Cairo programs are verified on Ethereum and showcases our new library, `stark-evm-adapter`, which helps parse Cairo proofs for Ethereum. Interested in seeing how it works? Check out our demo and learn how to integrate this tech into your system. Plus, stay tuned for future updates as we refine and expand this exciting tool!
- [Beyond the Whitepaper: Where BFT Consensus Protocols Meet Reality](https://blog.zksecurity.xyz/posts/bft_paper.md) (educative, consensus, formal-verification): We’ve teamed up with Matter Labs and Sigma Zero to dive deep into the security of Byzantine Fault Tolerant (BFT) consensus protocols. In our new paper, we explore real-world vulnerabilities found in BFT systems, including popular algorithms like BA*, HotStuff, and Paxos. You'll discover insights into subtle bugs, cryptographic issues, and the challenges of translating theoretical models into secure, working code. Whether you’re designing or implementing these protocols, our findings offer valuable lessons and strategies for creating more secure and reliable distributed systems. Check it out—it’s a must-read for anyone working with BFT!
- [Renegade Audit: When ZK meets MPC](https://blog.zksecurity.xyz/posts/renegade-audit.md) (security, zk, MPC, audit): We recently had the pleasure of auditing Renegade's circuits and smart contracts, and it was a great experience. Over three weeks, our team explored their top-notch code and documentation, with the Renegade team providing awesome support throughout. Curious how it all went? Dive into our full report for the inside scoop!
- [FRIDA: Data-Availability Sampling from FRI](https://blog.zksecurity.xyz/posts/frida.md) (announcement, tools, security, zk, fri): We've just dropped a blog post exploring the cool world of Ethereum's latest EIP-4844 upgrade and how it tackles the data-availability conundrum with Proto-Danksharding. Get ready to dive into the intricacies of making data more accessible (and less pricey) by using nifty concepts like blobs and polynomial evaluations. Plus, we dish on the role of FRI in data-availability sampling and how it can streamline things even more. Curious? Check out the details and see how this all shapes Ethereum's future!
- [zkSecurity x Bain Capital (Whiteboard Session): Unveiling the Power of Multi-Party Computation](https://blog.zksecurity.xyz/posts/mpc.md) (educative, MPC): We're thrilled to share that we're featured in Bain Capital Crypto's Whiteboards series! In the first episode, David and Guillermo Angeris dive deep into the intriguing world of Multi-Party Computation (MPC). Join them as they break down complex concepts like additively-shared secrets and Shamir Secret Sharing, making the cutting-edge tech behind MPC accessible and engaging. Check out the full episode for some engaging insights and reach out to us if you're looking for MPC stack auditors!
- [Circle STARKs: Part I, Mersenne](https://blog.zksecurity.xyz/posts/circle-starks-1.md) (educative, zk, fri): Discover the intriguing world of Circle STARKs and how they can supercharge zero-knowledge proofs. This blog post sets the stage for a fascinating series about utilizing Mersenne prime fields to achieve lightning-fast arithmetic operations in STARK systems. You'll explore recent breakthroughs that make these fields more practical despite their previous limitations, and you'll get a sneak peek at what’s to come, including delving into group structures and implementing circle FFTs. If you're keen on cryptography and zero-knowledge proofs, this series will unveil how modern advancements are pushing the boundaries of what's possible.
- [The State of Security Tools for ZKPs](https://blog.zksecurity.xyz/posts/zksecurity-tools.md) (educative, security, tools, zk): Zero-knowledge proofs (ZKPs) have come a long way from theory to real-world applications like blockchains and private transactions. We’ve been busy auditing various ZKP implementations and developing tools to improve circuit safety and security. In this blog post, we’ll explore how vulnerabilities can crop up in SNARK systems and the current state of tools designed to spot these issues. From circuit bugs to the often-overlooked frontend and backend layers, we cover how various analysis techniques and formal verification approaches are evolving to ensure robust ZKP systems. Dive in to discover the potential and current challenges in ZKP security!
- [noname meets Ethereum: Integration with SnarkJS](https://blog.zksecurity.xyz/posts/noname-r1cs.md) (educative, tools, zk): We're excited to share that our programming language, noname, now supports R1CS, making it easier to write zero-knowledge (ZK) circuits and deploy them on Ethereum using SnarkJS. This update introduces an alternative to the common Circom language, with a simple and intuitive syntax inspired by Rust and Golang. In this post, we illustrate how to deploy a noname-based Sudoku circuit on Ethereum, demonstrating core benefits like proving a solution's correctness without revealing it. Dive in to explore how noname could potentially unify the fragmented zkSNARK ecosystem and simplify your circuit writing process!
- [Ditch the Pump & Dump Drama: Your ZK Tech Hub Awaits](https://blog.zksecurity.xyz/posts/zknews.md) (announcement): We're excited to share our latest project, zkNews—your go-to hub for all things zero-knowledge. This link aggregator keeps you updated with the latest ZK news, groundbreaking research, and cutting-edge projects. Dive into the ZK world, stay informed with breaking announcements, and explore innovative tools and applications. Join our beta and help shape the future of zkNews with your feedback—big plans are in the works, and we'd love you to be a part of it!
- [A Year of ZK Security](https://blog.zksecurity.xyz/posts/a-year-of-zksecurity.md) (announcement): A year after launching, we've grown and evolved alongside the world of zero-knowledge proofs, uncovering bugs and learning the ins and outs of ZK technology. From circuit audits to developing our own tools like Circomscribe, it’s been a wild ride. We've discovered how easy it is to misstep with ZK code, especially as these systems grow complex and impact financial security. As zkVMs gain popularity, we're excited about the challenges ahead and are expanding our expertise. Want to dive into the world of ZK with us? Check out our latest projects and even take on our zkBank challenge!
- [ZPrize Came To An End! Who And How Did They Win $500,000?](https://blog.zksecurity.xyz/posts/zprize-final.md) (announcement, zk): In an exciting collaboration with ZPrize, we embarked on a journey to discover the fastest proofs for ECDSA signatures, ultimately crowning two standout approaches as winners. The blog post delves into the innovative solutions that captured the $500,000 prize by pushing the boundaries of zero-knowledge proofs. The story offers a fascinating glimpse into how these cutting-edge techniques might pave the way for privacy-focused applications. Curious to know which teams came out on top and how they did it? Dive in to explore the thrilling results and what's next in the ZK space!
- [Public report of Lighter ZK circuits](https://blog.zksecurity.xyz/posts/lighter-xyz.md) (security, zk, audit): We recently teamed up with Lighter to dive deep into their custom ZK circuits used for a verifiable orderbook matching on a Layer 2 exchange. Our findings show solid and well-structured code, thanks to their cooperative engineering team. The post gives a fascinating look into how Lighter’s ZK rollup ensures valid state transitions on Layer 1 through zero-knowledge proofs and the innovative structure of their order book matching process. It explains the roles of the main operation and exit hatch circuits, while also touching on how users can exit in emergencies. It's a great read if you're curious about how these systems maintain security and efficiency in decentralized finance.
- [Partnership with StarkWare](https://blog.zksecurity.xyz/posts/starkware-partner.md) (announcement, zk): We're teaming up with StarkWare to enhance Ethereum's scalability using an exciting tool called the EVM adapter. This innovative open-source project takes proofs from the Stone Prover and makes them verifiable on Ethereum, showcasing the power of Cairo bootloader programs for Layer 2 scaling. By diving into our collaboration, you'll get a glimpse of StarkNet's ability to streamline transactions efficiently and how our joint efforts are driving this tech forward. Plus, our Stark Book offers a deeper technical dive for the curious minds!
- [Public report of Darkfi circuits and crypto audit](https://blog.zksecurity.xyz/posts/darkfi.md) (security, zk, audit): In February 2024, we dived into a security audit of Darkfi's built-in contracts and circuits, putting them under the microscope to ensure everything checks out. Curious to know what we discovered while navigating the public Darkfi repository? Check out our full report for insights and findings.
- [zkBank: you think you have what it takes to work at zkSecurity?](https://blog.zksecurity.xyz/posts/zkbank.md) (announcement, zk): Join us as we dive into the world of ZK through an exciting challenge called zkBank! Whether you're a bug-hunting enthusiast or just curious about zero-knowledge projects, this is your chance to test your skills and learn across various areas. Think you can crack it? Check out the details and see if you have what it takes.
- [SoK: What don’t we know? Understanding Security Vulnerabilities in SNARKs](https://blog.zksecurity.xyz/posts/zkpaper.md) (educative, security, zk): We've teamed up with some of the top minds in academia and industry to dive deep into the world of zero-knowledge proofs (ZKPs) and their vulnerabilities. Our new paper catalogues hundreds of ZK vulnerabilities, breaking down their root causes and offering strategies to sidestep these pitfalls. By digging into real-life SNARK implementations, we aim to bolster the security of these cutting-edge systems with actionable insights and recommendations. Curious about what makes ZKPs tick and how to keep them secure? You might find this study just what you need!
- [zkBitcoin: Use Zero-Knowledge Applications (zkapps) on Bitcoin](https://blog.zksecurity.xyz/posts/zkbitcoin.md) (announcement, zk): We're excited to introduce zkBitcoin, a new tool that lets you create zero-knowledge applications on Bitcoin using a minimal layer 2 protocol. This innovation opens up a world of complex, privacy-focused apps by enhancing Bitcoin's scripting capabilities. We're currently on testnet, so you can jump in and explore the possibilities. Check out our whitepaper or watch some videos for a deeper dive. It's an exciting time for Bitcoin development, and we can't wait to see what you'll build!
- [Public report of Aleo's consensus (Bullshark)](https://blog.zksecurity.xyz/posts/aleo-consensus.md) (security, consensus, zk, audit, aleo): We recently audited Aleo's blockchain consensus and found it to be impressively well-documented and high-quality. Our collaboration with Aleo's cooperative team helped us uncover several key issues, and the insights from this audit were well-received. In the blog, we dive into Aleo's Bullshark consensus protocol, explaining its step-by-step process and unique pipelining techniques. We also explore how leaders ensure commitments in even rounds and discuss essential aspects like quorum intersection and garbage collection. Whether you're a blockchain enthusiast or just curious about cutting-edge consensus protocols, this post has got some fascinating details to offer!
- [Public report of Aleo's synthesizer](https://blog.zksecurity.xyz/posts/aleo-synthesizer.md) (security, zk, audit, aleo): We were tasked with auditing Aleo's synthesizer for their blockchain, diving deep into its code and uncovering some important findings along the way. The synthesizer is crucial for deploying and executing user programs, utilizing zero-knowledge proofs to maintain privacy and efficiency. Readers will get a glimpse into how Aleo uses their Leo programming language, the intricate process of synthesizing proof circuits, and how function execution and program deployment flows occur on their platform. This post offers insights into Aleo’s unique approach to tackling challenges similar to those faced by Ethereum but with an innovative twist that includes privacy features and reduced costs.
- [Public report of Sui's zkLogin audit](https://blog.zksecurity.xyz/posts/zklogin.md) (security, zk): We just finished an audit of the Sui Foundation's zkLogin application and we're sharing what we found: the code is well-documented, tested, and specified. zkLogin is set to make user authentication on the blockchain secure but simple, replacing cryptographic keys with familiar SSO methods like Google or Facebook while preserving user privacy. We also dive into the technical details behind JWT verification, non-native arithmetic for RSA, and vector programming. Plus, learn about the trusted setup process for zkLogin, ensuring maximum security through a decentralized multi-party ceremony. If you're curious about the intricate mechanics behind zkLogin, this is a must-read.
- [Public report of Reclaim protocol's ChaCha20 circuit](https://blog.zksecurity.xyz/posts/reclaim.md) (security, zk, audit): We audited Reclaim protocol's ChaCha20 circuits, diving deep into bit-level operations for a secure and efficient design. After a few iterations, we switched from a word-based to a bit-focused circuit approach, achieving a 10% improvement in performance and size. We used Circom for implementation, with a focus on Groth16 system constraints. Our findings led Reclaim to revamp their strategy, honing in on bitwise logic for an effective flow without costly re-encodings. Curious about the technical journey and the final audit insights? We’ve got the details covered!
- [Watch what we have to say about ZK security in the Node Guardians season 2 episode 1](https://blog.zksecurity.xyz/posts/nodeguardian.md) (announcement, educative, zk): Catch our cofounder David Wong on the latest episode of Node Guardians, where he chats about ZK security with Sam. Dive into the intriguing world of blockchain auditing, uncover the role math plays, and explore how auditors tackle challenges and rate vulnerabilities. Plus, get insights into the usefulness of formal verification. It's a must-watch for anyone curious about the future of ZK and the nitty-gritty of blockchain security!
- [Listen to us on the latest episode of zeroknowledge.fm](https://blog.zksecurity.xyz/posts/zkpod.md) (announcement, zk): Join our cofounder David Wong on the latest zk podcast as he dives into his compelling journey through cryptography, from his early days as a security consultant to his pivotal roles in major projects like Facebook's crypto initiatives and Mina. Get an insider's view on how we approach auditing in a Zero Knowledge context, the common pitfalls in ZK code, and how these insights shape our work. It's an engaging and informative chat for anyone fascinated by the world of cryptography and ZK technology!
- [zkSecurity partners with ZPrize to make you win hundreds of thousands of dollars!](https://blog.zksecurity.xyz/posts/zprize.md) (announcement, zk): We're gearing up for this year's ZPrize competition, where we'll be hosting the High Throughput Signature Verification category. This challenge is all about creating the most efficient signature verification circuit using Aleo's Varuna proof system. Participants will work with ECDSA over the curve shared by Bitcoin and Ethereum, together with Ethereum's hash function, keccak256. It's a great chance to dive into some of the hottest problems in arithmetic circuits and optimize cryptographic algorithms. If you're curious about pushing the boundaries in ZK, join us and share your feedback on our prize specification through our Discord channel.
- [You like Circom but you find it confusing? Introducing Circomscribe](https://blog.zksecurity.xyz/posts/circomscribe.md) (announcement, tools, security, zk, circom): Dive into our exploration of Circomscribe, a nifty tool designed to illuminate the mysterious process of how your Circom code gets translated into constraints. We share insights from our experience with Circom circuit audits, highlighting common pitfalls developers face when their high-level intentions meet low-level reality. By showcasing how Circomscribe can help visualize this transition, we aim to empower developers to craft more bug-free, secure ZK applications. If you're keen on understanding the inner workings of Circom and enhancing your coding prowess, this post is your guide.
- [Detecting boomerang values in zero-knowledge circuits using tag analysis](https://blog.zksecurity.xyz/posts/boomerang.md) (announcement, MPC): Ever wonder how zkApps ensure their execution is spot-on? This post digs into the idea of *boomerang values*—sneaky bugs that can crop up when zkApps mix in-circuit and out-of-circuit logic. We explore how these values disrupt your circuit's trustworthiness, especially when variables are reintegrated unverified. Plus, we share how tools like MIRAI's tag analysis can help spot these issues, making your zkApps more secure. Perfect for anyone into zero-knowledge applications or budding Rust enthusiasts looking for insights on taming complex bugs!
- [Public report of auditing Penumbra's circuits](https://blog.zksecurity.xyz/posts/penumbra.md) (security, zk, audit): We conducted an audit of Penumbra's main circuits and found eight issues, including the critical "double spend" and "double vote" bugs, which the Penumbra team promptly fixed. Our findings highlight Penumbra's robust documentation and code testing. Readers will get insights into how Penumbra uses zero-knowledge proofs for privacy, its decentralized exchange features, and its governance model. The post also provides detailed pseudocode for various cryptographic protocols, emphasizing how Penumbra ensures secure and private transactions. It's a deep dive into the technical details for those intrigued by privacy-focused blockchain technologies.
- [The zero-knowledge attack of the year might just have happened, or how Nova got broken](https://blog.zksecurity.xyz/posts/nova-attack.md) (security, zk): Last week, a surprising paper revealed a major vulnerability in Microsoft's Nova, a leading zero-knowledge proof (ZKP) system, that showcased a false computation with a valid proof. This discovery is especially intriguing given the complexity and robustness typically associated with ZKP systems. We had just launched our company to tackle bugs in ZKP frameworks, and while we anticipated issues, complete breakdowns of systems themselves are rare. Nova's issue revolved around cycles of elliptic curves, showing how small implementation oversights in complex cryptographic systems can lead to significant errors. This post dives into the intricate mechanics of Nova and the discovery process, offering a fascinating glimpse into why rigorous specifications are crucial in cryptography.
- [noname: ZK app developers should be able to see down to the constraints](https://blog.zksecurity.xyz/posts/noname.md) (announcement, tools, zk): Zero-knowledge apps are evolving, and we've been diving into their two main forms: VM instructions and arithmetic circuits. Understanding the "assembly" layer is crucial for developers, especially when optimizing and ensuring security. We’ve played around with a new toy language called **noname**, blending Golang and Rust vibes to make zkApps more understandable. With **noname**, you get detailed insights about how your code translates into gates, offering a clearer picture of the underlying "assembly" and helping pinpoint compiler bugs. If you're curious about enhancing your low-level programming skills or peeking into circuit construction, check out our experiments and see if this inspires you to create better debugging tools!
- [wasmati: You should write your WebAssembly in TypeScript](https://blog.zksecurity.xyz/posts/wasmati.md) (security, zk, audit): If you're into WebAssembly (Wasm) and want to speed up your JavaScript, this blog post is for you! We talk about our journey with Wasm and how we created a TypeScript library called wasmati that lets you write Wasm at the instruction level. You'll get the inside scoop on how this can significantly improve performance, especially for cryptography work. Plus, we showcase a real-world example comparing Wasm and JS bigint performance, proving that Wasm can be over four times faster. Dive in to see how we've combined the flexibility of TypeScript with the power of Wasm for high-performance coding.
- [Do in secret. Assert in public. Don't under-constrain your prover's witness computation in ZK programs](https://blog.zksecurity.xyz/posts/underconstrain-bugs.md) (educative, security, zk): Curious about diving into zero-knowledge (ZK) application development? Our blog post is here to guide you through the common security pitfalls and mindset shifts essential for tackling ZK programming. We reflect on our journey from the early days of Mina Protocol to the dynamic space today, filled with tools like SnarkyJS and newer approaches to split the prover and verifier roles effectively. Discover the errors to avoid, like under-constraining data and letting divisors slip through unchecked, and learn how a solid review and audit process can save your ZK applications from disastrous security issues. Dive in to get the insights you need to navigate the ZK landscape confidently!
- [ZK programmability adds a whole new layer to worry about](https://blog.zksecurity.xyz/posts/zksecurity.md) (announcement, security, zk): Zero-knowledge (ZK) programs are revolutionizing how developers can build secure systems by proving execution without exposing data, making them incredibly useful for privacy and security. However, they come with their own set of challenges. In this blog, we delve into these security implications and offer practical strategies to help developers navigate the risks. From understanding private inputs to the intricacies of proof systems and trusted setups, we unpack the complexities and provide insights on how to address potential pitfalls, ensuring you're well-prepared to harness the power of ZK programs effectively.
- [Private delegated computation is here, and there will be bugs!](https://blog.zksecurity.xyz/posts/helloworld.md) (announcement): Dive into the intriguing world of zero-knowledge cryptography with us as we unravel its connection to trusted and confidential computing. Learn why this tech is making us rethink security like never before. From the evolution of private and delegated computing to the revolutionary power of zero-knowledge proofs, we'll explore how these advancements are shaping industries beyond cryptocurrencies. With big players like Microsoft jumping on board and the potential for new applications, zero-knowledge cryptography is poised to redefine digital trust. Join us on this journey as we launch our new security consultancy, designed to navigate and secure this cutting-edge landscape.

## Optional

- [ZK Security on X](https://x.com/zaborski_): Follow for research updates
- [ZK Security on GitHub](https://github.com/zksecurity): Open-source tools and resources
- [Blog RSS Feed](https://blog.zksecurity.xyz/feed.xml): Subscribe to new posts
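As an added worked example (not code from any of the posts listed above, nor from zkSecurity's own tooling), the following toy constraint system illustrates the failure mode that the "Do in secret. Assert in public." and "boomerang values" posts describe: a quotient is computed out-of-circuit by the prover, re-enters the circuit as a witness value, and only the constraints the circuit actually records are ever checked. The field modulus, the function names and the sample inputs are illustrative choices of this example, not from the posts.

```python
# Added example, not from the zkSecurity posts: a toy R1CS-style constraint
# system showing why a value computed out-of-circuit (a "hint", computed in
# secret) must be tied back with constraints (asserted in public).
# The field modulus, names and sample inputs are illustrative choices.

P = 2**61 - 1  # toy prime field modulus (arbitrary choice for this example)


class ConstraintSystem:
    """Records rank-1 constraints a * b == c over F_P.

    Only constraints recorded here are checked by `satisfied()`. Any witness
    value the prover computes that never appears in a constraint is
    unconstrained, so a malicious prover can set it to anything.
    """

    def __init__(self):
        self.constraints = []

    def enforce_mul(self, a, b, c):
        self.constraints.append((a % P, b % P, c % P))

    def satisfied(self):
        return all((a * b - c) % P == 0 for a, b, c in self.constraints)


def field_inv(x):
    """Inverse in F_P via Fermat; 0 has no inverse, so 0 is returned as a sentinel."""
    x %= P
    return pow(x, P - 2, P) if x else 0


def hint_div(a, b):
    """Out-of-circuit witness computation ("do in secret"): q = a / b in F_P."""
    return a * field_inv(b) % P


def div_circuit_vulnerable(cs, w):
    """Under-constrained: q came from the hint, but nothing ties it to a and b.

    The hint value boomerangs back into the circuit without a single
    constraint, so the verifier accepts any q the prover chooses.
    """
    return w["q"]


def div_circuit_no_zero_check(cs, w):
    """Partially constrained: q * b == a is asserted, but b may be zero.

    With a == b == 0 every q satisfies q * 0 == 0, so the divisor slips
    through unchecked and the prover can claim any quotient.
    """
    cs.enforce_mul(w["q"], w["b"], w["a"])
    return w["q"]


def div_circuit_fixed(cs, w):
    """Hardened ("assert in public"): b is proven non-zero by exhibiting its
    inverse, and q is tied to a and b."""
    cs.enforce_mul(w["b"], w["b_inv"], 1)  # b * b^-1 == 1 has no solution for b == 0
    cs.enforce_mul(w["q"], w["b"], w["a"])  # q * b == a
    return w["q"]


def honest_witness(a, b):
    """Witness an honest prover produces: q and b_inv computed correctly."""
    return {"a": a % P, "b": b % P, "q": hint_div(a, b), "b_inv": field_inv(b)}


def forged_witness(a, b, claimed_q):
    """Malicious prover: keeps the public inputs but substitutes its own q."""
    return {"a": a % P, "b": b % P, "q": claimed_q % P, "b_inv": field_inv(b)}


def verify(circuit, witness):
    """Run the circuit on the witness and check every recorded constraint."""
    cs = ConstraintSystem()
    circuit(cs, witness)
    return cs.satisfied()


if __name__ == "__main__":
    honest = honest_witness(42, 6)        # q == 7
    forged = forged_witness(42, 6, 1234)  # prover claims 42 / 6 == 1234
    zero = forged_witness(0, 0, 99)       # division by zero, any q "works"
    for name, circuit in [("vulnerable", div_circuit_vulnerable),
                          ("no_zero_check", div_circuit_no_zero_check),
                          ("fixed", div_circuit_fixed)]:
        print(name, verify(circuit, honest), verify(circuit, forged), verify(circuit, zero))
```

The vulnerable circuit accepts every witness because it records no constraint at all; the partially constrained one rejects a wrong quotient but still accepts any quotient once the divisor is zero, which is the "divisor slipping through" case; only the fixed circuit forces the prover to exhibit an inverse of `b` and then ties `q` to both inputs. Real circuits hide the same pattern behind a hint or `unsafe` witness API, so the review question is always the same: for each value computed outside the constraint system, which recorded constraint pins it down?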