I built systems where a bug means someone gets hurt. Now I build systems that protect people's Bitcoin. CTO @pogun_io.

Joined February 2022
The Mithril certificate verifier is exactly the kind of program zkVMs are built to prove. A zero-knowledge virtual machine, or zkVM, is a small computer that runs a program and produces a cryptographic proof that the program ran correctly.
This makes one specific operational pattern possible: incrementally verifiable computation. Yesterday's proof can be fed into today's run as input. Today's program verifies yesterday's proof and adds new work on top, producing one proof that attests the whole history. Each day pays for the day's new work, not the entire history.
A zkVM that runs the Mithril certificate verifier produces a proof attesting "this certificate was checked and passed." Recursive proof verification lets a chain of certificates be proved as a chain of proofs, each step building on the last, all the way back to a known genesis.
Parsing one Mithril certificate in the standard library costs 800 million cycles inside a zero-knowledge virtual machine. Not verifying. Parsing.
That number is why a ZK proof of a Mithril certificate chain had not existed. Every other piece had been in place: the cryptography, the aggregator network operating on Cardano mainnet, the zkVMs capable of running this kind of verification. The obstacle was operational: lifting the standard verifier into the zkVM unchanged produced a per-step cost that made running the proof infeasible.
The standard verifier was written for ordinary execution. Its dependency tree assumes broad library availability and big-integer libraries that allocate freely. The zkVM cost model rewards different choices: ordinary allocation is paid in proving time, while specific cryptographic operations can route through hardware-accelerated precompiles. The verifier was built for a different cost model. The gap was not in the cryptography. The gap was in the engineering layer between the cryptography and the proving system.
Torben Poguntke retweeted
Dear ZK Cardano devs! I have upstreamed the changes needed to snarkjs to run their tooling on Cardano (so we can have something that @identhree maintains). If you want this merged, please voice our need on the linked GH issue #498! github.com/iden3/snarkjs/pul…
Torben Poguntke retweeted
The vote passed ❤️ A big thank you to everyone who voted yes for the IO Plutus proposal, and also to everyone who took the time to read, discuss, challenge, and think about it seriously. As a small token of gratitude, I made a little toy application: a zero-knowledge (1/6)
The signing mechanism inside Mithril is a per-message lottery. For each message the protocol attests, every registered party signs the message with their BLS private key and then evaluates a deterministic eligibility function over that signature and an index slot.
A certificate reaches the protocol's stake threshold when k distinct lottery indices have been won across the signer set. Since eligibility scales with stake via phi_f, reaching k wins requires aggregate participation above a target stake fraction. The protocol parameters (m, k, phi_f) are tuned so that an adversary needs to control at least that target fraction of total stake to produce a valid certificate. The security of the certificate is the security of the stake that signed it.
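The per-message lottery and the k-of-m threshold described in the two posts above, as an added worked example (not the author's code and not the mithril-stm library). It assumes: an HMAC-SHA256 stand-in for the BLS signature so it runs offline (a symmetric MAC, so the verifier holds the same key; in Mithril it would hold the registered verification key); parameter values m=20973, k=2422, phi_f=0.2, which are assumed here; the eligibility mapping phi(w) = 1 - (1 - phi_f)^w from the Mithril protocol, evaluated on a hash of (signature, index slot); and a constructed registry of ten equal operators with a constructed message. The verifier side recomputes each signer's won slots from the registered stake, never from a stake value the signer supplies, and silently drops unregistered parties and signatures that fail to verify, which is the check a practitioner wants to see in any aggregator.

```python
import hashlib
import hmac
import math
from typing import Dict, Iterable, List, Set, Tuple

# Assumed protocol parameters (chosen to resemble Cardano mainnet; treat as an assumption).
M = 20973      # number of lottery indices (slots) per message
K = 2422       # distinct won indices required for a valid certificate
PHI_F = 0.2    # tunes the per-index win probability against stake share

Registry = Dict[str, Tuple[bytes, int]]   # signer id -> (signing key, registered stake)


def phi(stake_fraction: float, phi_f: float = PHI_F) -> float:
    """Per-index win probability for a party holding stake share w:
    phi(w) = 1 - (1 - phi_f)^w. Roughly proportional to w when w is small."""
    if not 0.0 <= stake_fraction <= 1.0:
        raise ValueError("stake fraction must lie in [0, 1]")
    return 1.0 - (1.0 - phi_f) ** stake_fraction


def quorum_stake_fraction(k: int = K, m: int = M, phi_f: float = PHI_F) -> float:
    """Stake share w at which m * phi(w) == k: the participation a single block
    of stake needs before it can *expect* to win k indices (about 0.55 here)."""
    return math.log(1.0 - k / m) / math.log(1.0 - phi_f)


def sign(key: bytes, message: bytes) -> bytes:
    """Stand-in for the BLS signature (assumption: HMAC-SHA256, a symmetric MAC,
    used only so this runs offline; it has none of BLS's aggregation properties)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def eligibility(signature: bytes, index: int) -> float:
    """Deterministic eligibility value in [0, 1) derived from the signature and the slot."""
    digest = hashlib.sha256(signature + index.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") / float(2 ** 256)


def won_indices(signature: bytes, stake: int, total_stake: int,
                m: int = M, phi_f: float = PHI_F) -> Set[int]:
    """Slots this signature wins: eligibility value strictly below phi(stake share)."""
    target = phi(stake / total_stake, phi_f)
    return {i for i in range(m) if eligibility(signature, i) < target}


def aggregate(registry: Registry, message: bytes,
              submissions: Iterable[Tuple[str, bytes]], k: int = K) -> Tuple[bool, Set[int]]:
    """Aggregator/verifier side: drop unregistered signers and signatures that do
    not verify, recompute each survivor's won slots from its *registered* stake
    (never a stake value the signer claims), and accept at k distinct slots."""
    total_stake = sum(stake for _, stake in registry.values())
    covered: Set[int] = set()
    for signer_id, signature in submissions:
        entry = registry.get(signer_id)
        if entry is None:
            continue                                   # not a registered party
        key, stake = entry
        if not hmac.compare_digest(sign(key, message), signature):
            continue                                   # signature does not verify
        covered |= won_indices(signature, stake, total_stake)
    return len(covered) >= k, covered


def expected_distinct_wins(stake_fractions: Iterable[float],
                           m: int = M, phi_f: float = PHI_F) -> float:
    """Expected number of distinct slots won by signers with the given stake shares."""
    p_no_winner = 1.0
    for w in stake_fractions:
        p_no_winner *= 1.0 - phi(w, phi_f)
    return m * (1.0 - p_no_winner)


def make_registry(n_parties: int, stake_each: int) -> Registry:
    """Constructed registry: n parties with equal stake and throwaway keys."""
    return {f"spo{i}": (f"constructed-key-{i}".encode(), stake_each) for i in range(n_parties)}


def submit(registry: Registry, signer_ids: Iterable[str], message: bytes) -> List[Tuple[str, bytes]]:
    """Each listed party signs the message; ids absent from the registry sign with a
    bogus key so the verifier's rejection path is exercised."""
    out = []
    for sid in signer_ids:
        key = registry[sid][0] if sid in registry else b"not-registered"
        out.append((sid, sign(key, message)))
    return out


if __name__ == "__main__":
    reg = make_registry(10, 100)            # ten operators, 10% of stake each
    msg = b"constructed snapshot digest"
    honest = [f"spo{i}" for i in range(7)]  # 70% of stake participates
    ok, slots = aggregate(reg, msg, submit(reg, honest, msg))
    print(f"70% participation: {len(slots)} distinct slots, valid={ok}")
    minority = [f"spo{i}" for i in range(3)] + ["spo99"]   # 30% plus an unregistered party
    ok, slots = aggregate(reg, msg, submit(reg, minority, msg))
    print(f"30% participation: {len(slots)} distinct slots, valid={ok}")
    print(f"stake share at which k wins are expected: {quorum_stake_fraction():.2f}")
```

With these parameters seven honest operators (70% of stake) cover about 3,000 distinct slots, comfortably above k, while three operators (30%) cover about 1,350 and fail; the gap is many standard deviations wide, which is what makes the threshold a stake threshold rather than a coin flip. Note that phi is concave, so splitting the same stake across more keys wins slightly more slots in expectation; the protocol parameters are chosen with that in mind.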
What this buys is a primitive that other systems can rely on without re-running Cardano's consensus: a stake-weighted attestation over the chain's state, verifiable against a hardcoded genesis key. The threshold structure makes forgery cost equivalent to acquiring a stake fraction of the network, the lottery makes participation cheap and distributable across hundreds of operators, and the certificate size is bounded by k regardless of how many signers exist in total.