philzip

@vaibhavchellani @worldnetwork Hubble‘s ideas still live on to this day! worldcoin.org/blog/engineeri…

Super impressed with the team @worldnetwork Been supporting worldcoin since day1 with my work at Hubble Proud to be working together with @worldnetwork now as launch partners

@samrags_ and of course circom-witness-rs is only that fast because @recmo dropped a bunch of hidden gems in there: x.com/recmo/status/1…

A tale of Jolt implementation with a shoutout to @philzip. We've estimated that ~1/3 of Jolt's time will be spent on R1CS: a lightweight circuit that deals with simple constraints like program counter updates. We got this flow working and were surprised to find that witness generation was a bottleneck. ~64x slower than planned and dominating proving time. Jolt uses Circom-scotia by @LurkLab to compile Circom circuits to Bellpepper in order to prove using the Spartan2 backend. Circom-scotia depends on Circom's WASM witness generator. Witness generation is called once per step of the CPU, meaning the program was spinning up a WASM runtime for every step, then tossing it away, costing us 0.3ms per CPU step. A ridiculous strategy for our call pattern. Next we looked to the C++ witness generator, hoping to cheaply call it over FFI. Unfortunately the C++ witness generator is dependent on x86 assembly and we'd like to support ARM (notably for Apple Silicon). This is where @philzip came to save the day with circom-witness-rs. circom-witness-rs swaps the C++ x86 assembly field operations for native Rust functions via regex, creates a symbolic graph, optimizes, and serializes to binary. The binary can be run from Rust trivially. Our 64x slowdown is no more. Witness generation has been demoted from the critical path.

@tiagosada not even remotely

remote work doesn't work

@gakonst @dcbuilder @tiagosada Haven't seen anything for alloy / arkworks yet! We're only exposing some higher level APIs for e.g. proof generation or tx building (yet). Would be nice to have bindings that just re-export. UniFFI seems great for that. We're also publishing something on it soon.

@philzip @dcbuilder @tiagosada Have you seen any great Kotlin/Swift bindings to alloy/arkworks? Know you guys may have some for your apps but haven't dug myself.

what are the challenges today towards building consumer crypto apps? UI libraries? key mgmt? indexing user actions? what should be easy that is hard today?

Full Kotlin / Swift web3 libs are kind of a lost case, slim ffi wrappers (for ethers-rs / alloy / arkworks) are the play for wallets. The core is there, nice wrappers are still needed. Indexing is actually still a painpoint, everyone is / was building their own data pipeline. There is some good room for easy extendable indexers (for custom user tx).

cc @tiagosada @philzip, for me personally, it's been just making hard things simple for whomever the consumer is, my consumers are other developers for the most part, but even that has a trickle down effect all the way to the front facing user, the heavy lifting UX wise is definitely done by the app team. I'd say that there aren't a lot of web3 libraries for Kotlin / Swift, so everything needs to be preprocessed into APIs that those can easily consume and then just display data. I'm sure @tiagosada and @philzip know what the more consumer-facing challenges are

The nullifier is derived from *SK*. Agree that everything would be solved if it was derived from PK with this scheme, however list of PKs is small and easily exhausted through brute-force, thus privacy defeated. Epoch validity of nullifiers seems so far the easiest way to still allow for rotation. Another option to "fix" the scheme by finding other entropy that can be added to the PK in the nullifier.

The Semaphore ZKP can then be adjusted to additionally show the revealed nullifier is NOT derived using a PK from the public revocation list. This is more expensive, but could be cheaper with, say, ZKPs of a Merkle non-membership proof of the current PK in the revocation list.

A question about @sama's @worldnetwork: What happens when I lose my SK after registering with my iris? Or when my SK is stolen. Currently, nothing, it seems. I'm done. I can't recover my account (see #future-development" target="_blank" rel="nofollow noopener">whitepaper.worldcoin.org/technical-impl…). Disturbing, but potentially fixable (1/n) 🧵

@backaes @dcbuilder @bajpaiharsh244 you could make it more efficient by skipping the empty leaf proof by sticking to append-only and "socially agreeing" on the initial root (that it indeed just consists of empty leaves)

@backaes @dcbuilder @bajpaiharsh244 the batch insertion is basically just 2*n merkle proof verifications (each insert into the tree requires proof of empty leaf before and filled leaf afterwards). This trades off gas-heavy on-chain merklization in the semaphore contract with requring an off-chain sequencer

eat sleep if err != nil repeat

@heyellieday @m1guelpf @worldnetwork @dcbuilder yes, no doubt SecOps are important and logging creds is bad! for critical services there should also be log sanitizers before ingestion (e.g. we do this for other services that touch auth). I'm always here for civilized discussions :)

@philzip @m1guelpf @worldnetwork @dcbuilder appreciate the follow up. just overall, SecOps is something to really invest in and you don’t want to give bad actors more motivations to attempt an attack. and please, so i don’t get tilted again, respond like you just did if possible next time 😅

Its fine to have concerns or questions about @worldnetwork; we're always down to engage in good-faith conversations (if time allows). However, if you automatically assume we're evil, or especially if you hold my and @dcbuilder's age against the company, you're getting blocked.

@heyellieday @m1guelpf @worldnetwork @dcbuilder Needless to say that my initial response got triggered by the way *how* you were reporting on those things, which seemed to be not motivated my seeking facts, but rather attention (e.g. jumping to the worst possible conclusions about the db).

@philzip @m1guelpf @worldnetwork @dcbuilder like fuck off if that’s gonna be your reply to valid critique

@heyellieday @m1guelpf @worldnetwork @dcbuilder why I'm saying seq. db ~= chain: it's independent and also will be permissionless. That's why rn batches help for privacy, later only scalability (it's untrusted). Anything extra needs to happen before. That's how the seq. is treated and e.g. does not receive insertions instantly

@philzip @m1guelpf @worldnetwork @dcbuilder see this is the immature responses i referred to in my earlier tweet. yes, i know *this* particular db acts as a queue before it’s batched on chain. so your reply is either in bad faith or it’s further proof every single one of you has no fucking clue what you’re doing. jfc.

@heyellieday @m1guelpf @worldnetwork @dcbuilder here's an insider tip: the contents of the db of signup sequencer are even available on-chain 😱

@m1guelpf @worldnetwork @dcbuilder ex. of concern: there has been a PR open for 3 weeks that fixes logging db password. so a motivated hacker has had 3+ weeks to gain access to a multitude of services containing the creds to an “encrypted at rest” db. show us u care and we might believe u. github.com/worldcoin/sign…

@heyellieday @m1guelpf @kesava_kirupa 1) That's staging, matching ts are just coincidence, prod is here 0xA8710B3ba329fc7B80a49F7C82E889D1340C99fb 2) Yes! Already doing batches. 3) Higher min batch size will be enforced, rn batches are ~tens of idComms 4) To link *usage* of the id, you need to know the *private key*

@m1guelpf @kesava_kirupa i'd suggest some sort of scheduling of on chain commitments with some random jitter for example to seperate from other signals. it does help they are batched and obvi will be much harder to infer once lots of inflow

in an outcome that should surprise no one, i was able to link an on-chain identity commitment with the single person in this photo (likely @kesava_kirupa) who scanned that evening. here is their commitment: mumbai.polygonscan.com/tx/0x0b1dced86… i'll leave next steps to the reader ;)

@ercwl @polarpunklabs @RokoMijic yes, that’s how it works!

@polarpunklabs i think technically your irisHash is hidden by ZKPs and there is no way to link someone’s iris to their financials but i could be wrong h/t @RokoMijic @philzip

@androolloyd @stonecoldpat0 acutally "weekly active safes" (*sending* 1 tx) doesn't look too bad either! (even though this metric is a bit unfair since it doesn't count any received txs e.g. airdrops to users) hacked together a quick dashboard here: dune.com/philzip/wld-sa…

@stonecoldpat0 Most are worldcoin though, which explains the high number on polygon and likely also has virtually no tx associated to them.

How many have never sent a single tx?

@tiagosada *recmo

scaling

@m1guelpf @andreasbigger got the tests to pass fren github.com/worldcoin/sema…

@andreasbigger not rlly, managed to fix that by switching the signal from a string to bytes32, what's messing with me now is that supplying a perfectly valid proof to the contract still makes the validation fail

✨ Rebuilt my setup, now with the Studio Display, a physical audio interface and a streaming PC Still need to figure out the best way to switch between mac/pc, but coming along nicely 😁

@tiagosada convince me you're an etherean in 12 words.

code is law

[New post] StealthDrop: Anonymous Airdrops Using ZK Proofs @nibnalin, @yush_g, and Adhyyan S. present StealthDrop, an anonymous airdrop utility using circom-ecdsa, enabling anonymous governance. (1/n) (post in README of github repo) 0xparc.org/blog

@chriswaclawek @niemerg @recmo and @recmo was faster again twitter.com/recmo/status/1…

@chriswaclawek @niemerg @recmo me when i haven't mentioned semaphore in a while:

Is there a way to prove you own one address in a set of Ethereum addresses without revealing which one?