Justin Thaler @SuccinctJT Twitter profile

Last Seen Profiles

@GiraffeShorts

@missknewhair

@SantokDewa84066

@Jeow6lAzc

@delirious_toad2

@Yasminiixx9

@xbirdceo

@bokeplokalmalam

@angelbcuriel

@one_reamman

@Massy__River

@Somms_N

@XiaoCha520

@KonradKulig_

@EIld09

@hanen__97

@PedroSAmorim

@suye958174

@the0nlysuperi0r

@rumblevideo

@ozawa_jimusho

@matsda2sh

@stw46

@sunandanlele

@janet46977166

@danianepg

@AAA_Scores

@BinorRaja

@MkhtA75057

@IVEstarship

@Pijet_Teraphiss

@FallGuysTrivia

@Dr_Turkey

@Gun_Fixed

@BinorRaja

@stw46

Justin Thaler

@SuccinctJT

6 months

1/ We're excited to share the initial release of Jolt, a new approach to zkVM design. Early benchmarks indicate it outperforms RISC Zero by ~6x and SP1 by up to 2x. Major optimizations are still in the pipeline.

109

118

615

Justin Thaler

@SuccinctJT

1 year

Introducing Lasso and Jolt, two new works that I hope will change how SNARKs are designed and built. You can read about them here: (1/6)

Introducing Lasso and Jolt

A new approach to SNARK design, which will improve performance, developer experience, and auditability, and by extension, building in web3

a16zcrypto.com

21

376

465

Justin Thaler

@SuccinctJT

1 year

In my latest blog post on SNARKs, I identify, and try to clear up, a variety of misconceptions that have been hindering progress and causing confusion. I hope this leads to more informed and accurate discourse surrounding this transformative technology!

17 misconceptions about SNARKs (and why they hold us back)

Clearing up 17 misconceptions about SNARKs to help create a shared, more accurate understanding of the design space

a16zcrypto.com

21

163

462

Justin Thaler

@SuccinctJT

2 years

I have some exciting news to share – I’ll be joining @a16zcrypto research as a Research Partner at the conclusion of this semester. (1/7)

38

51

323

Justin Thaler

@SuccinctJT

2 years

After my last post, I had a request from some folks to discuss the security of SNARKs as they are currently deployed. I've done so in this new post here: (1/9)

SNARK Security and Performance - a16z crypto

This post compares the security properties of different SNARKs, and also explores the tension between verification costs and security in practical post-quantum-secure SNARKs.

a16zcrypto.com

18

79

253

Justin Thaler

@SuccinctJT

11 months

In my latest blog posts, I delve into work just unveiled by Ben Diamond and Jim Posen (D&P) that, in my view, reshapes the landscape for hashing-based SNARKs. D&P have fine-tuned the Ligero/Brakedown polynomial commitment scheme... (1/5)

4

30

142

Justin Thaler

@SuccinctJT

2 years

A couple of talks I gave during a recent visit to a16z are now up on Youtube. Part 1: Part 2: (1/4)

21

25

138

Justin Thaler

@SuccinctJT

4 months

1/ Starting tomorrow, a fresh run of the Proofs, Arguments, and Zero-knowledge reading group will meet Wednesdays in the @__zkhack__ Discord at noon EST. The first session will give a broad overview of the SNARK design space + the costs of key operations.

5

19

129

Justin Thaler

@SuccinctJT

2 years

Known attacks on FRI when run non-interactively at 80 bits of security are feasible. This is not an academic question. It's about securing hundreds of millions of dollars of assets and a systemic risk to the rollup ecosystem. (1/3)

Eli Ben-Sasson

@EliBenSasson

2 years

@DCbuild3r @SuccinctJT An ACCURATE SCIENTIFIC comparison MUST USE SAME SAME CRYPTO assumptions (CRH, or ROM) for both systems. AND UNDER THOSE SAME ASSUMPTIONS SNARKs have 0 bits of security.

6

0

9

5

20

117

Justin Thaler

@SuccinctJT

2 years

I had a great time talking with @AnnaRRose ! We're starting a fresh reading group for Proofs, Arguments, and Zero-Knowledge sometime next month. If you're interested, join the Discord for scheduling and updates.

Zero Knowledge Podcast

@zeroknowledgefm

2 years

This week, @AnnaRRose chats with @SuccinctJT about his work on interactive proofs + SNARKs. Then discuss the making of his book Proofs, Arguments, and Zero Knowledge + the organic study group that formed around it over on the @__zkhack__ discord + more!

0

13

53

6

22

116

Justin Thaler

@SuccinctJT

1 year

I enjoyed getting into the weeds of Lasso+Jolt in this Study Club Session and fielding tons of thoughtful questions! It should be a useful resource for anyone looking to learn more about these tools.

Zero Knowledge Podcast

@zeroknowledgefm

1 year

Just published the latest ZK Study Club - @SuccinctJT hosts a session on Lasso and Jolt, moderated by @apruden08 and with awesome questions from @feministPLT , @rel_zeta_tech , @arantxazapico & more Subscribe on youtube for more study club videos!

0

11

63

5

15

94

Justin Thaler

@SuccinctJT

6 months

I enjoyed talking to @AnnaRRose & @GuilleAngeris on the @zeroknowledgefm podcast about Jolt, the sum-check protocol, and how SNARKs will evolve! I'm excited to see where these innovations take us next.

Episode 322: Definitions, Security and Sumcheck in ZK Systems with Justin Thaler

In this week’s episode, Anna and Guillermo catch up with Justin Thaler, Associate Professor at Georgetown and Research Partner at [...]

zeroknowledge.fm

1

28

105

Justin Thaler

@SuccinctJT

1 year

Thanks to @samrags_ and @moodlezoup , an initial Lasso implementation is now available, and we are looking for contributors to finish building Jolt. Here’s their overview: (5/6)

Understanding Lasso and Jolt, from theory to code

Introducing two new innovations, Lasso and Jolt, that present a fundamentally different approach to SNARK design.

a16zcrypto.com

5

11

98

Justin Thaler

@SuccinctJT

2 years

The third part of my talk series on SNARKs is now up! This final talk covers the main ideas that go into designing "polynomial IOPs", which form the information-theoretic core of most SNARKs. (1/2)

SNARK Design Part III with Justin Thaler | a16z crypto research talks

An even deeper dive into SNARKs (Succinct Non-interactive Argument of Knowledge) by Justin Thaler (Georgetown University). Justin recaps his earlier talks, a...

www.youtube.com

3

20

96

Justin Thaler

@SuccinctJT

2 years

Nice recent post on hardware acceleration and the sum-check protocol (or more generally any SNARK obtained by applying Fiat-Shamir to a logarithmic-round interactive protocol). Here is some additional context. (1/6)

Ingonyama

@Ingo_zk

2 years

Are we better off with Plonk and NTT rather than with HyperPlonk and MLE-SumCheck? 🤯 Answers in our latest blog 👀

2

23

113

3

21

96

Justin Thaler

@SuccinctJT

1 year

TLDR: A recent comparison of FRI to MSM-based commitments claims FRI is orders of magnitude better but in fact it is worse. Already, @Zac_Aztec provides important context and corrections to this slide in the following thread, but I would add several more:

Shahar Papini

@PapiniShahar

1 year

@EliBenSasson comparing FRI to EC based commitment schemes.

3

10

53

6

20

64

Justin Thaler

@SuccinctJT

4 months

1/ My latest blog post tackles key topics following Jolt's release: the unique benefits of the sum-check protocol, the impact of lookups on performance and simplicity, and nuances of benchmarking.

3

17

68

Justin Thaler

@SuccinctJT

6 months

4/ And for a developer's perspective on Jolt, check out the blog post by @moodlezoup and @samrags_ . As Jolt paves the way for a new era in SNARK design, we're open to collaboration. If you're interested in contributing to its development, we'd love to hear

Building Jolt: A fast, easy-to-use zkVM

Releasing an open source implementation of Jolt for the RV32I instruction set, delivering on the promises of the Jolt paper.

a16zcrypto.com

6

3

59

Justin Thaler

@SuccinctJT

6 months

2/ Jolt isn't just a leap in speed; it's a paradigm shift. Powered by the sum-check protocol, it instantiates the lookup singularity, yielding the simplest and most extensible zkVM to date. And it shows that what makes VMs good for real hardware also makes them good for SNARKs.

16

0

59

Justin Thaler

@SuccinctJT

6 months

3/ Explore the concepts in my two latest blog posts: a less-technical overview and a comprehensive technical discussion

FAQs on Jolt’s initial implementation

Unpacking the technical specifics of Jolt, comparing its architecture and performance, discussing future steps

a16zcrypto.com

7

3

58

Justin Thaler

@SuccinctJT

2 years

To the extent that anyone might deem SNARKs that use elliptic curves as having 0 bits of security, StarkEx is also at 0 bits of security today due its use of ECDSA signatures, as is its L1, Ethereum. (3/3)

2

1

47

Justin Thaler

@SuccinctJT

2 years

These are the stakes. I congratulate StarkWare on upping the StarkNet (SHARP) verifier to 96 bits of security earlier this week as promised. However, the dYdX StarkEx verifier remains at 80 bits . I continue to believe that this is too low. (2/3)

Ethereum Transaction Hash (Txhash) Details | Etherscan

Ethereum (ETH) detailed transaction info for txhash 0x8edbf7fca1d435fadd4a3d560f706618fa98e6072187ab9bb98b75fe2b9754d5. The transaction status, block confirmation, gas fee, Ether (ETH), and token...

etherscan.io

3

2

41

Justin Thaler

@SuccinctJT

1 year

@DCbuild3r @fede_intern At this point I'm aware of three criticisms/claims (not all from this thread) that haven't yet been addressed. Let me address each. 1) If we could do everything with lookups we would already be doing that. This misses two things. First, Lasso is more than an order of

2

4

32

Justin Thaler

@SuccinctJT

1 year

Lasso is a new lookup argument with a much faster prover and other attractive properties. Jolt builds on Lasso to offer a new paradigm in zkVM design. Together, we believe they realize @barrywhitehat 's vision of a "lookup singularity" for simpler/more auditable SNARKs. (2/6)

1

31

Justin Thaler

@SuccinctJT

1 year

Our preliminary benchmarks indicate the initial Lasso implementation is about 10x faster than Halo2’s lookup argument, and we expect 30x-40x after optimization. (4/6)

2

4

27

Justin Thaler

@SuccinctJT

1 year

@mitschabaude In terms of techniques, I do not actually think there is huge novelty in Lasso. The techniques are already there in Spark. Plus, I suspect you could get a lookup argument with similar costs to Lasso with c=1 from Plookup by simply replacing the grand product argument with

2

5

26

Justin Thaler

@SuccinctJT

2 years

Also check out two new ZK courses if you haven't already! and

[MIT IAP 2023] Modern Zero Knowledge Cryptography

The stream link is here for all lectures. Please reach out to [email protected] with any questions!

zkiap.com

1

0

24

Justin Thaler

@SuccinctJT

2 years

My own viewpoint is that sum-check-based SNARKs remain the most promising for minimizing total prover work, and that good hardware implementations will follow. (6/6)

3

1

24

Justin Thaler

@SuccinctJT

1 year

The papers are preliminary, and feedback on them is welcome! (6/6)

1

0

24

Justin Thaler

@SuccinctJT

2 years

I’ve already contributed to their robust content library: a 3-part lecture on SNARK design (), and posts on SNARK security and performance () and measuring SNARK performance () (5/7)

SNARK Security and Performance - a16z crypto

This post compares the security properties of different SNARKs, and also explores the tension between verification costs and security in practical post-quantum-secure SNARKs.

a16zcrypto.com

1

5

23

Justin Thaler

@SuccinctJT

11 months

Check out my two posts and , as well as Ben and Jim's post for a hardware-centric angle on these developments: (4/4)

1

7

22

Justin Thaler

@SuccinctJT

1 year

Huge thanks to co-authors @arasuarun @srinathtv and Riad Wahby by the way!

0

22

Justin Thaler

@SuccinctJT

2 years

The web3 community's open ethos means that a16z crypto researchers can work with anyone, and contribute to the ecosystem as a whole, not only to the firm. I can't wait to embark on this adventure and look forward to sharing more as I learn and grow with the team (7/7)

5

1

20

Justin Thaler

@SuccinctJT

1 year

The key technical tools underlying Lasso and Jolt are the sum-check protocol and Spark, the sparse polynomial commitment scheme from Spartan (which itself uses sum-check). I'll have more to say about these tools in the coming weeks. (3/6)

1

0

20

Justin Thaler

@SuccinctJT

2 years

I am thrilled to be working with brilliant colleagues, not only in the research group, but throughout the entire firm, including @eddylazzarin @Tim_Org @smc90 @samrags_ (6/7)

1

19

Justin Thaler

@SuccinctJT

1 year

@fede_intern Thanks for the reply. I agree that in general the community is nowhere near precise enough in cost accounting, as discussed at length in my recent "misconceptions" blog post. However, with a precise accounting it is indeed possible to understand the ballpark concrete costs of

0

2

18

Justin Thaler

@SuccinctJT

2 years

This space is experiencing an explosion of innovation, and I think this technology can be transformative. But if we prioritize performance over security, we may cause people to lose trust in the technology and potentially see misappropriated funds in the process. (7/9)

1

2

16

Justin Thaler

@SuccinctJT

1 year

None of the above is investment advice, for more info go to

Disclosures | Andreessen Horowitz

Views expressed in “posts” (including podcasts, videos, and social media) are those of the individual a16z personnel quoted therein and are not the views of AH Capital Management, L.L.C. (“a16z”) or...

a16z.com

3

0

16

Justin Thaler

@SuccinctJT

2 years

@EliBenSasson At any rate, the protocols we use to secure millions of dollars of assets must not be breakable today. For that reason, FRI should not be run non-interactively at 80 bits of security if it is securing anything of value. (3/3)

0

16

Justin Thaler

@SuccinctJT

2 years

The upshot is that some deployed SNARKs are being run at "80 bits of security" - which is not as well-defined a term as it may seem. My post unpacks this and explains why I think it is not enough. (2/9)

1

0

14

Justin Thaler

@SuccinctJT

2 years

The tweet I'm responding to suggests that a protocol using non-hashing cryptography be deemed to have 0 bits of security when compared to a hashing-based one. This immediately leads to nonsensical conclusions, or at least ones that @EliBenSasson presumably disagrees with (2/3)

1

0

14

Justin Thaler

@SuccinctJT

11 months

...particularly when it's used to commit to small values. When combined with sum-check-based SNARKs like Lasso and Jolt, this paves the way for much faster SNARKs for standard hash functions like Keccak. The domino effect? (2/5)

1

14

Justin Thaler

@SuccinctJT

2 years

This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. See for more info. (9/9)

1

12

Justin Thaler

@SuccinctJT

2 years

These issues mainly arise in post-quantum-secure SNARKs (PQ-SNARKs), which in today's deployments means FRI-based ones. This might be for a combination of reasons. (3/9)

1

0

13

Justin Thaler

@SuccinctJT

1 year

@fede_intern @yezhang1998 FYI there's been some nice improvements to Brakedown: I'm excited about this approach to polynomial commitments and hopeful we'll see further improvements soon.

Brakedown's expander code

This write-up summarizes the sampling analysis of the expander code from Brakedown [GLSTW21]. We elaborate their convexity argument for general linear expansion bounds, and we combine their approach...

eprint.iacr.org

0

2

13

Justin Thaler

@SuccinctJT

4 months

2/ Here's a link to the ZKHack Discord: and once you join, the reading group's channel can be found here:

Discord - Group Chat That’s All Fun & Games

Discord is great for playing games and chilling with friends, or even building a worldwide community. Customize your own space to talk, play, and hang out.

discord.com

1

0

14

Justin Thaler

@SuccinctJT

2 years

Given the sophisticated nature of these protocols, experts need to feel comfortable candidly discussing their security and that of the contracts that implement them. This post is my attempt to set an example in this regard. (6/9)

1

0

13

Justin Thaler

@SuccinctJT

2 years

I hope the post is informative and sparks a discussion about best practices and norms, both in deploying SNARKs and talking about them. (8/9)

1

0

11

Justin Thaler

@SuccinctJT

11 months

Amplified recursion capabilities for Ligero/Brakedown, overcoming the hurdles of their somewhat large verification costs. This addresses the primary obstacle keeping them from wide deployment. (3/5)

1

0

12

Justin Thaler

@SuccinctJT

1 year

@mitschabaude I agree that people are already doing decomposition for tables like bitwiseAND. This is explicit in Sam and Michael's post on "Understanding Lookups": The advantages of Lasso are a matter of performance, generality, and perspective. An example might

2

1

12

Justin Thaler

@SuccinctJT

1 year

@dimahledba @apriori0x @LoganJastremski @StarkWareLtd The dYdX StarkEx verifier remains at 80 bits of security today.

Justin Thaler

@SuccinctJT

2 years

These are the stakes. I congratulate StarkWare on upping the StarkNet (SHARP) verifier to 96 bits of security earlier this week as promised. However, the dYdX StarkEx verifier remains at 80 bits . I continue to believe that this is too low. (2/3)

3

2

41

1

0

12

Justin Thaler

@SuccinctJT

2 years

@weikengchen StarkWare already works over the 251-bit prime (see Section 3.1.1 here: ). The prime matches the field used in StarkEx ECDSA signatures . So increasing security here requires increasing number of FRI queries, not the field size.

1

0

10

Justin Thaler

@SuccinctJT

2 years

With FRI, there is a tension between verifier costs and security, and the proofs are on the larger side. So this tension may get resolved in favor of performance over security. (4/9)

1

0

11

Justin Thaler

@SuccinctJT

11 months

None of the above should be taken as investment advice; please see for more information.

Disclosures | Andreessen Horowitz

Views expressed in “posts” (including podcasts, videos, and social media) are those of the individual a16z personnel quoted therein and are not the views of AH Capital Management, L.L.C. (“a16z”) or...

a16z.com

1

0

10

Justin Thaler

@SuccinctJT

2 years

Also, the security of non-PQ SNARKs is determined by the elliptic curve they choose to use, and the community has largely coalesced around a handful of curves with good security. (5/9)

1

0

11

Justin Thaler

@SuccinctJT

1 year

@rel_zeta_tech @Zac_Aztec EC-based schemes are definitely best if working over large fields (either because an application calls for that, or because it simplifies implementation). 6-12 field ops per ~20-bit-committed-value is a tough bar to clear. To commit to N values, (subsequent improvements to)

0

11

Justin Thaler

@SuccinctJT

2 years

To add to to this, SNARKs that avoid both FRI and sum-check (PlonK, Marlin, Groth16) require FFTs (and multiexps), so the memory locality issues noted above apply to these SNARKs as well. (5/6)

2

0

11

Justin Thaler

@SuccinctJT

11 months

To achieve scalable SNARK provers, a complete reconfiguration of today’s deployments is needed, from polynomial IOPs and commitment schemes to hash functions and zkVM design. My posts unpack what should change. (4/5)

1

0

11

Justin Thaler

@SuccinctJT

2 years

I believe blockchains will transform society’s mechanisms for establishing trust & privacy, and that they raise deep technical and intellectual questions. And I expect that a16z crypto research will play a central role in shaping this emerging discipline. (2/7)

1

0

11

Justin Thaler

@SuccinctJT

2 years

@FlyingNobita Some extra detail for anyone following along: We saw that Freivalds' algorithm for verifying n x n matrix multiplication has soundness error 1/|F|, while an variant using univariate rather than n-variate polynomials has error (n-1)/|F|.

3

1

11

Justin Thaler

@SuccinctJT

2 years

The breadth and depth of knowledge within the research group and its many visitors is incredible. I have learned a tremendous amount from them directly, as well as from the blog posts, podcasts, and videos produced since the group's inception just 7 months ago. (4/7)

1

10

Justin Thaler

@SuccinctJT

2 years

Several have reached out confused about this third tweet. Why do SNARKs using elliptic curves have 0 bits of security, that doesn't make sense? That's the point. (1/3)

1

0

10

Justin Thaler

@SuccinctJT

2 years

The group is uniquely focused on fundamentally understanding blockchains and on benefiting the ecosystem today. I think this two-pronged focus is maximally impactful, and also a lot of fun. (3/7)

1

0

9

Justin Thaler

@SuccinctJT

10 months

@rel_zeta_tech First, the estimates for GKR are too high by a factor of about 4. Details below. (Thaler13 didn't optimize constants well. I pay much more attention to them in this new paper: ) >Now we need to estimate the constant in the dynamic programming for all the

2

0

9

Justin Thaler

@SuccinctJT

1 year

@fede_intern FRI proofs with MBs of space? As one example, Polygon zkEVM requires 250+ GBs of space. The zkEVM circuit trace has 2^23 rows, 1164 columns, and RS rate of 1/2. I don't consider that circuit to be large, though this is subjective. (1/2)

1

0

9

Justin Thaler

@SuccinctJT

1 year

@_bfarmer @wyatt_benno @cmpeq Do you at least agree there should be two FFTs instead of one in the counts for FRI? *I don't think I understand the claim that a single MSM of length 2^25 is going to increase latency. 2^25 is tiny. There are hardware companies that can do 2^30-length MSMs in under a second

1

0

8

Justin Thaler

@SuccinctJT

2 years

I hope it's a useful resource, and coveys some of the magic that gives these protocols their power. (2/2)

1

2

7

Justin Thaler

@SuccinctJT

4 months

2/ Clarification: Only sum-check-based PIOPs can use multilinear polynomial commitment schemes. Jolt, the only zkVM today using sum-check exclusively, is uniquely positioned to leverage the Binius multilinear commitment. More details in the post:

Jolt: Clarifications, critiques, reflections

Addressing questions, clarifying misconceptions, and sharing his perspective, Justin Thaler discusses Jolt, our open source zkVM

a16zcrypto.com

1

3

8

Justin Thaler

@SuccinctJT

2 years

There has been work on hardware implementations of sum-check: Zebra () and Giraffe (). These works heavily exploit the essentially perfect memory locality of the sum-check prover in each round. (2/6)

Full accounting for verifiable outsourcing

Systems for verifiable outsourcing incur costs for a prover, a verifier, and precomputation; outsourcing makes sense when the combination of these costs is cheaper than not outsourcing. Yet, when...

eprint.iacr.org

1

2

8

Justin Thaler

@SuccinctJT

4 months

4/ What sets Jolt apart? It’s *both* its exclusive use of sum-check-based PIOPs and its maximal use of lookups. Simplicity comes from lookups; performance from both.

1

0

8

Justin Thaler

@SuccinctJT

1 year

@rel_zeta_tech @PratyushRT @0xAlbertG @mpfzajac It's the super-constant number of rounds. Applying Fiat-Shamir to an r-round protocol with lambda bits of security can result in a non-interactive protocol with only lambda/r bits of security. No one had ruled out such a security loss for FRI.

1

7

Justin Thaler

@SuccinctJT

1 year

@_bfarmer It's certainly possible to use curves over extension fields, but it requires a lot of care. The discrete log problem appears to be easier over extension fields at roughly equivalent total bit sizes, see for example this paper: (1/2)

Extended Tower Number Field Sieve with Application to Finite Fields of Arbitrary Composite Extens...

We propose a generalization of exTNFS algorithm recently introduced by Kim and Barbulescu (CRYPTO 2016). The algorithm, exTNFS, is a state-of-the-art algorithm for discrete logarithm in $\mathbb{F}...

eprint.iacr.org

1

7

Justin Thaler

@SuccinctJT

2 years

At some point a third talk will likely be posted, focusing more on how SNARKs work and less on the intricacies of the rollup application. (4/4)

0

7

Justin Thaler

@SuccinctJT

1 year

@YupengZhang7 The mix of additive and multiplicative notations doesn't help. But many papers refer to group exponentiations/scalar-multiplications as "group operations" and refer to n exponentiations as "linear time". I don't think additive vs. multiplicative confusion explains that.

1

0

7

Justin Thaler

@SuccinctJT

4 months

6/ Check out the post for details . I will address additional topics as we continue to improve Jolt.

Jolt: Clarifications, critiques, reflections

Addressing questions, clarifying misconceptions, and sharing his perspective, Justin Thaler discusses Jolt, our open source zkVM

a16zcrypto.com

1

0

7

Justin Thaler

@SuccinctJT

1 year

@_bfarmer Since many FRI-based projects are breaking large circuits into small pieces and applying recursion, the prover bottleneck tends to be Merkle-hashing the result of an FFT. I think hashing 2n 251-bit field elements is about twice as expensive as n 256-bit field elements? (2/2)

1

0

5

Justin Thaler

@SuccinctJT

1 year

@rel_zeta_tech @PratyushRT @0xAlbertG @mpfzajac As far as we are aware, yes.

0

5

Justin Thaler

@SuccinctJT

1 year

@rel_zeta_tech @PratyushRT @0xAlbertG @mpfzajac Also, even for 2-round protocols, a factor-2 loss in bits of security would be catastrophic. And (ignoring FRI) lots of deployed protocols do use 2 rounds before being Fiat-Shamir-ed. The paper also rules out any loss of security in many such constant-round protocols.

1

5

Justin Thaler

@SuccinctJT

1 year

@mitschabaude @o1_labs Adding to this after reflection, we came upon the notion of decomposable tables because they naturally arise in sparse polynomial evaluation, where the "big table" is all Lagrange basis polynomials evaluated at the evaluation point r, and the subtables are Lagrange basis

1

0

6

Justin Thaler

@SuccinctJT

2 years

@_bfarmer @weikengchen One that I think we'll see soon is neural network training/inference, the bottleneck in which is often repeated matrix multiplication of small integers. I'm working on some others that I hope people will find compelling. (2/7)

2

0

6

Justin Thaler

@SuccinctJT

2 years

Hopefully, the talks will be useful to anyone who, like me, is trying to understand this application space. It was awesome to dive into the details of many innovative projects. More detailed statements about SNARK performance are in this blog post: (3/4)

1

0

6

Justin Thaler

@SuccinctJT

1 year

@_bfarmer Which leads some to express sentiments like: . I agree that small fields are very powerful for simulating native operations on many instruction set architectures (though some new work coming out in a few weeks will offer a counterpoint to that too). (2/2)

Matthew Green

@matthew_d_green

2 years

@cronokirby Curves over extension fields are scary.

2

0

5

1

5

Justin Thaler

@SuccinctJT

10 months

@nanne007 You are right, thanks a lot for the correction! (We may have originally written this text assuming m=log(N)/c for simplicity, and then later scrapped that. It's clearer to separate the sparsity parameter m and the memory size N^{1/c}, even if it's ultimately optimal to choose c

1

0

5

Justin Thaler

@SuccinctJT

2 years

In round i of sum-check, the prover can make one streaming pass over the data structure of size N/2^i. I don't believe FFTs have the same degree of memory locality, which is why many distributed FFT algorithms require all-to-all communication. (3/6)

2

0

5

Justin Thaler

@SuccinctJT

1 year

@m_ratsim @Zac_Aztec @EliBenSasson Vectorization of 256-bit ModMult is possible and in fact done in Curve25519-dalek, which uses AVX2 (for x86-64 processors). Note that this is for Crandall-style rather than Montgomery-style reductions (again, not all MSM-based commitments need pairing-friendly curves). See

2

0

5

Justin Thaler

@SuccinctJT

2 years

Nothing in the podcast should be taken as investment advice, see for more info.

Disclosures | Andreessen Horowitz

Views expressed in “posts” (including podcasts, videos, and social media) are those of the individual a16z personnel quoted therein and are not the views of AH Capital Management, L.L.C. (“a16z”) or...

a16z.com

0

4

Justin Thaler

@SuccinctJT

1 year

@rel_zeta_tech @DCbuild3r @fede_intern Yes, the log^2(n) hashes for GKR grand product are concretely and asymptotically fewer than the O(lambda * log^2(n)) hashes in FRI.

2

0

4

Justin Thaler

@SuccinctJT

2 years

@weikengchen Also, recursion brings both overhead and imperfectly-understood security, especially when new SNARK-friendly hash functions are used. Just because people are relying heavily on it today to keep circuit size in check does not mean they always will. (2/2)

1

0

4

Justin Thaler

@SuccinctJT

4 months

5/ The role of EVM precompiles in zkEVMs differs from the role of precompiles in zkVMs. Benchmarking SNARKs involves complexities, but it’s crucial to understand their innate performance characteristics.

1

0

4

Justin Thaler

@SuccinctJT

5 months

@NicolasRamsrud @a16zcrypto @samrags_ @moodlezoup Yes, you have to make sure the compiler from a high-level language down to bytecode for the VM is correct, in addition to the SNARK to prove that the bytecode was executed correctly. If the compiler and VM are widely used outside of the SNARK community and hence subjected to

1

3

Justin Thaler

@SuccinctJT

1 year

@cmpeq @_bfarmer I don't think ECDSA is an isolated example. Outside of SNARKs for VM abstractions, many applications involve proving statements about crypto-systems that inherently involve large fields. It's a mix. I'm trying to add nuance to the conversation, not switch to an opposite extreme.

1

0

4

Justin Thaler

@SuccinctJT

1 year

@dlubarov @PapiniShahar @rel_zeta_tech @_bfarmer @wyatt_benno @cmpeq Oh I see, thank you! I was confused by the combination of ambiguous parentheses and the slide ignoring the cost of additions in the FFT, which are ~40% of the multiplication costs according to the reference they are taken from (Table 1, Apple M1, here: ).

1

0

4

Justin Thaler

@SuccinctJT

2 years

As noted in the post's conclusion, FRI (on top of requiring FFTs) has the same logarithmic round folding structure as sum-check, and the post itself presumes that this folding is not the bottleneck in SNARKs that use FRI. (4/6)

1

0

4

Justin Thaler

@SuccinctJT

1 year

@rel_zeta_tech @DCbuild3r @fede_intern No, we don't need to commit to those. Those values are all computed by P via field work in sum-check with no explicit proof that P computed them correctly (sum-check itself implicitly checks this). Here's why this works:

1

0

4

Justin Thaler

@SuccinctJT

4 months

3/ I hope the community adopts sum-check-based PIOPs combined with the Binius commitment for performant SNARKs. However, fast curve-based SNARKs (like the initial version of Jolt) will remain vital, especially for proving statements like signature verification and Verkle trees.

1

0

4

Justin Thaler

@SuccinctJT

2 years

@rel_Aztec I agree that concretely lambda can be thought of as log N times a large-ish constant. But I think there are both asymptotic and concrete reasons to treat is as super-logarithmic, especially in research papers. (1/2)

1

0

3

Justin Thaler

@SuccinctJT

2 years

@weikengchen If FFT is not the bottleneck (say it's merkle-hashing, or multi-exp, or non-sum-check-related-field-ops), then sum-check shouldn't be either (1/2)

2

0

3

Justin Thaler

@SuccinctJT

1 year

@rel_zeta_tech @DCbuild3r @fede_intern You can view those values as lookups into an MLE-structured table, where we know in advance that the k'th lookup will be to the k'th entry. (continued)

1

0

3

Justin Thaler

@SuccinctJT

1 year

@rel_zeta_tech @DCbuild3r @fede_intern In Fig 4, E1, ..., Ec contain the results of all reads into subtables. In Spark, those subtables indeed contain large field values--they are all Lagrange basis polynomial evaluations at the evaluation point r. (continued)

1

0

3