alin.apt

2.8K posts

@alinush

💍 + 🤰 + 🏍️ + cryptography at @aptoslabs = ❤️

Joined July 2009
249 Following · 40.9K Followers
guille (@angeris)
(forbidden) earnest blog poasting
JP Aumasson (@veorq)
which blockchain privacy tech actually works as promised and does scale? PostgreSQL?
guille (@angeris)
@myceliummage wait really? it’s loading for me (on my phone and laptop)
Mikerah (@badcryptobitch)
So, are people still using discord?
alin.apt (@alinush)
@0xrosetteeee @atheonxyz Makes sense! 👌 Thanks for clarifying! Super nice work. It would be informative to mention the “interactive” R1CS part in the title, lest people dig in the blog and find out the hard way it does not apply to vanilla R1CS.
Atheon (@atheonxyz)
SHA256 is everywhere in crypto, but inside zk circuits it becomes one of the biggest bottlenecks. Most implementations pay a huge cost because SHA256 was never designed to be circuit-friendly. In our latest write-up by @0xrosetteeee, we explore how to make SHA256 significantly cheaper in R1CS. Key ideas:
• Spread-based encoding for bitwise ops
• Dynamic bit-width optimization
• Single-constraint multi-operand additions
• LogUp batching and micro-optimizations
This design achieves state-of-the-art SHA256 compression in R1CS among existing open-source implementations. This is particularly important for mobile proving environments, where witness size directly impacts memory usage. Full deep dive ↓
alin.apt (@alinush)
Actually, I do enjoy talking about this: “Real randomness” is a sham… there’s no way to really (cryptographically) prove it’s “real.” You may say “signature from my space computer is enough” but it’s not easy to bootstrap meaningful trust in such systems (TEEs, etc.)
SpaceComputer - 天机 (@SpaceComputerIO)

The entire crypto industry decided that algorithmic randomness with a proof attached was good enough and just stopped asking questions. Nobody wanted to have the conversation about whether the randomness itself is actually real. So let's have it now 👇

alin.apt (@alinush)
@anshul_anand_7 That’s a bit of a note to self that I like to return to every year or so. I think I’ll do that now (thanks for the reminder!) and glad you enjoyed it! 🙏
alin.apt retweeted
Anshul Anand (@anshul_anand_7)
alinush.github.io/2020/01/23/ego… This post by @alinush is such a good read. I read it 3 days ago, and there have been so many instances where I have had a quick recall of my reading and I can see how so very applicable they are!! A movement towards movement and less aggrandizement!
alin.apt (@alinush)
@0xrosetteeee @atheonxyz Hm, so IIUC this technique is not proof-system agnostic? For example, would it work in vanilla Groth16 or would you need UltraGroth techniques that give you randomness “for free” in the (now interactive) R1CS?
Rose (@0xrosetteeee)
yes, FS. We split witnesses into w1 (pre-challenge) and w2 (post-challenge). First we commit to w1 via WHIR, then squeeze challenges from the Fiat-Shamir transcript, and solve w2 (lookup inverses, denominators, quotients) using those challenges. The lookup argument itself is LogUp-style.
alin.apt retweeted
Ilan Komargodski (@komargodski)
Crypto is not just a ledger of transactions---it’s a ledger of truth and trust. That’s what makes Bitcoin valuable. For Bitcoin this requires burning energy on random number guessing. What if we could instead leverage massive, real-world computation to achieve the same level of security? This has been an outstanding open problem for more than 30 years in academia, and since the emergence of blockchains in industry. Last year, we proposed the first solution (eprint.iacr.org/2025/685). Our mathematical breakthrough suggests piggy-backing on matrix multiplications, the native operation of GPUs that power the AI revolution, from pre-training, post-training, to inference. The potential applications are endless: improving the unit-economics of LLMs, shifting AI-generated wealth back to users, and enabling new primitives such as settlement and even UBI systems for AI agents. Since then, we've worked hard turning the math into a fully operational system. From the algebra and CUDA kernels to a working L1 blockchain and a production LLM inference pipeline implementing this “2-for-1” technology. Today, we’re excited to share that the @prlnet is ready, and will soon enable serving SoTA LLMs while mining the blockchain at negligible additional cost. Along the way, we encountered many fascinating challenges. We’re now publishing them as a collaborative Polymath challenge, spanning open questions in math, systems and economics. If you’re interested, take a look and feel free to reach out: pearlpolymath.com. #PRL #AIMoney
Rose (@0xrosetteeee)
@alinush @atheonxyz vanilla R1CS doesn’t have native lookup gates. Here, the lookups are encoded using a LogUp-style argument, where each lookup is reduced to standard R1CS constraints via inverse and multiset checks.