ECDSA is one of the most intellectually offensive constructions in modern cryptography. It's ugly. It's hard to thresholdize. Indeed, every research grant and venture capital dollar spent on it is, in a final sense, a theft from better cryptography. x.com/secparam/status/206565…

So what originally got me thinking of DSA as mangled Schnorr (beyond the obvious patent avoidance issue) was a version of ECDSA someone put up at RWC 2016. It's a little hard to read, so I just asked Gemini for a cleaned-up version with Schnorr and Elgamal next to it. It's not a perfect fit. But it's kinda interesting.
Two fun facts about ECDSA: 1) ECDSA is basically a Schnorr signature, needlessly mangled to avoid a now-expired patent. 2) The nonce reuse bug is a "feature": Schnorr sigs are a tweaked ZK proof that you know a private key. And ZK proofs need an extractor. It's special soundness.
Fun little anecdote about computer security, from @hashbreaker
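As an added worked example (not code from the thread), here is a toy Schnorr scheme over a small prime-order group with the special-soundness extractor the tweet refers to: two accepting transcripts that share a commitment r but carry different challenges give up the secret key, which is exactly why a signing nonce must never repeat. The group parameters, key and messages are constructed; the deterministic nonce derivation is an RFC 6979-style idea, not the RFC's exact construction.

```python
# Added example, not code from the thread: toy Schnorr over the order-Q subgroup
# of Z_P* (constructed parameters) plus the special-soundness extractor. Two
# accepting transcripts with the same commitment r but different challenges
# reveal x, so a nonce k must never repeat; deterministic per-message nonces
# (an RFC 6979-style idea, not its exact HMAC-DRBG) are the usual mitigation.
import hashlib
import secrets

P = 2039  # safe prime, P = 2*Q + 1
Q = 1019  # prime order of the subgroup generated by G
G = 4     # 4 = 2^2 is a quadratic residue mod P, hence has order Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1      # secret key in [1, Q-1]
    return x, pow(G, x, P)                # (x, y = g^x)

def challenge(y, r, msg):
    # Fiat-Shamir: the verifier's challenge is H(y, r, msg) reduced mod Q
    h = hashlib.sha256(f"{y}|{r}|{msg}".encode()).digest()
    return int.from_bytes(h, "big") % Q

def sign_with_nonce(x, k, msg):
    # Transcript (r, c, s): commitment r = g^k, challenge c, response s = k + c*x
    y = pow(G, x, P)
    r = pow(G, k, P)
    c = challenge(y, r, msg)
    return r, c, (k + c * x) % Q

def deterministic_nonce(x, msg):
    # Derive k from key and message: re-signing the same message reuses k
    # harmlessly; distinct messages get distinct commitments (w.o.p.).
    h = hashlib.sha256(f"nonce|{x}|{msg}".encode()).digest()
    return int.from_bytes(h, "big") % (Q - 1) + 1

def sign(x, msg):
    return sign_with_nonce(x, deterministic_nonce(x, msg), msg)

def verify(y, msg, sig):
    r, c, s = sig
    # g^s == r * y^c, and c must be the hash that binds r to msg
    return c == challenge(y, r, msg) and pow(G, s, P) == (r * pow(y, c, P)) % P

def extract(sig1, sig2):
    """Special-soundness extractor: same r, different c => x = (s1-s2)/(c1-c2) mod Q."""
    r1, c1, s1 = sig1
    r2, c2, s2 = sig2
    if r1 != r2 or c1 == c2:
        return None                       # extractor does not apply
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q
```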
Funny how no one is worried Grok is going to hack some cryptocurrencies to fund its IPO.
Here's an interesting question: what is the difference between a group encrypted messaging system and an encrypted Google doc? Assume we have an ordering of messages.
Developers from Signal (including its protocol's co-creator) along with Microsoft and Harvard unveil Encrypted Spaces, an open-source codebase for a new generation of private collaboration apps. Think Slack, Discord, Google Docs, all end-to-end encrypted. wired.com/story/signal-alums…
I got asked about Arc's "privacy" proposal: 1) It's not private and I hope they don't say it is. A private zone is a TEE, run by an admin, who sees and controls everything. 2) These ideas aren't new, but a promising integration of them is great. 3) We can get better privacy.
Since we started the project, I’ve been telling the @circle team that this will be the last privacy solution in blockchain space. And we delivered. What we have built is not just privacy-preserving smart contracts. Instead, it's a paradigm shift in how blockchains, composability, and privacy need to co-exist. The design addresses the two core failures of prior privacy systems: lack of composability and a painful developer journey. Pure cryptographic privacy is elegant, but expensive and hard to scale in practice. Instead, this design builds on the now-established trend of cryptographic enclave technologies. What we’ve built is a parallel execution environment on @arc: Arc public blockchain continues processing cleartext blocks, while the Arc privacy sector operates as a parallel privacy-preserving virtual machine that processes encrypted transactions. State, transactions, and user accounts remain hidden. Validators cannot inspect what’s inside, even if they try to snoop or are compromised. Yet they continue producing blocks for both public and private states in sync, committing to each state tree. That is also a major difference from designs that rely on access control, which inevitably creates failure points and data exposure risk. The public and private state composition is the game changer for developing. For the first time, users can move between private and public state within the same block space. No bridge. No extra wallet layer. No separate accounts. A single transaction can move between private and public execution with zero friction. Furthermore, the environment gives users post-quantum protection by design. Transactions and accounts remain encrypted, and public keys stay protected under post-quantum secure algorithms. Any account or asset created inside the privacy sector is automatically post-quantum secure. The result: a fully composable privacy sector on @arc that is post-quantum secure and seamlessly interoperable with public execution.
This is the last privacy layer in Web3. See the whitepaper: 6778953.fs1.hubspotuserconte… @circle @arc
Even most smart contracts, e.g., for access control or identity, are local execution. So, whether you use a TEE or a ZK proof to verify it, a) you don't need to send your data to someone else, and b) they don't need to retain it. For darkpools and AMMs, the story is different.
AMMs and darkpools fundamentally require multiple people's data. TEEs are good here. So if you're designing a blockchain primarily for traders, where most assets live inside a dark pool, and you have an ATS license to run it, this design makes sense.
Technical TLDR of Arc's proposal.
It's 2026. If your paper includes threshold key escrow for lawful access, don't worry about titling the paper, just write the breach headline. "RUSTY BEAR APT breaches EU Secure Escrow Service; finds OLDBAY TORNADO had keys since July."
It’s 2026. If you’re writing papers that say “this key escrow capability will be split among a judicial enforcement arm and the police” in the US it’s time to just be clear that you’re proposing full government cleartext access.
Zcash wants a turnstile to audit the supply. But as we saw with the Sprout->Sapling turnstile, organic migration is slow. Proposal: An incentivized turnstile. Run a lottery where your chances of winning are proportional to the funds you move. Possibly can be private.
The public version is easy, users move funds to a new address, winner chosen at random weighted by balance. Minimally, you want to let folks split up the balances for anonymity. This doesn't change the lottery much.
Hilariously dumb thought experiment: suppose Zcash offered a shielded pool with no exit until formally verified proofs existed. Everyone who wanted privacy could stay in the pool and transact. Everyone who wants to speculate could hold transparent ZEC until formal verification.
Hidden inflation bugs are a real, sobering risk (for now). But using it to push centralized panoptochains as the privacy solution is dead wrong. To paraphrase Churchill: In the morning, ZK payments will be formally verified. And your tech will still be disgustingly un-private.
Zcash ( and Aleo, Aztec, payy, etc) should double down on formal verification. Anecdotally, advances in coding agents make it straightforward if you have the expertise to write theorems/specs. But the flip side is, advances in AI mean this won't be the last zk bug.
Where we're going: - Every circuit formally verified - Written in R1CS, the simplest arithmetization - Automated fuzzing - Over-audited by humans and an army of AI
I don't have a good picture of where resources are allocated in the community, but this needs to be a major focus. And it needs to be overseen by folks with expertise. Because the other problem is: you can generate AI slop for theorems too, people do, and then it's worthless.
Should you be more worried about quantum computers breaking cryptography anytime soon, or fusion breakthroughs powering von Neumann machines that turn the moon into a cryptography-breaking classical supercomputer?
This is obviously a joke. But if your first reaction is, "Who would pay to develop technology so robots can take over the moon?" or "Fusion, sureee...", then you should be asking the exact same questions about who's going to finance the necessary advances in quantum computing.
What happens in private AI chats won't stay in private AI chats. Folks insist on keeping chat histories and AIs learn preferences. So your phone is now a liability. All it takes is one person typing into it, "Tell me what I'm most embarrassed by." And that's assuming Meta,...
today we're launching Incognito Chat with Meta AI, a new way to have completely private conversations with AI. built on top of our Private Processing technology, Incognito Chat lets you talk to Meta AI in a way that is invisible to anyone else. when you start an Incognito Chat with Meta AI, you're creating a private, temporary conversation that only you can see. your messages are processed in a secure environment that even Meta cannot access. your conversations are not saved and, by default, your messages disappear. this sets a new industry standard for privacy when having sensitive conversations with AI.
That's assuming Meta's business goals don't change. What’s secured now can be unsecured later. Imagine Meta rolling out features that use your AI, with "memory," outside of incognito. Of course, there's an opt-out hidden in a sea of dark patterns, but realistically, it’s moot.