Ian Miers

9.1K posts

Ian Miers banner
Ian Miers

Ian Miers

@secparam

CS Prof. Security and applied cryptography. Some highlights: Zerocash (zcash, et al. ), Zexe (Aleo, Aztec, etc ), zk-creds/zk-promises(...)

Washington DC/ UMD Katılım Nisan 2012
884 Takip Edilen12.2K Takipçiler
Ian Miers
Ian Miers@secparam·
I agree, zk-ml makes sense on smaller models. But that doesn't change the core question: when are you willing to pay for zk verifiability vs a tee vs (for open models) running it yourself. For you example with prompt injection: if a lab offers you 1% more per token for zk verified not injectable, 0.5% for TEE, and 0.01% for "we have a FIPS/ISO certified process" who will pay for zk? I think you have to find classes of use cases where TEEs don't work
English
1
0
0
79
Wyatt Benno
Wyatt Benno@wyatt_benno·
Depends on what you want to do. Here is one example. How do the labs detect prompt injection attacks? They use activation probs, SAE, j lens (more recently). Everyone downstream just trusts them. Or they try to Jerry rig some hard coded rules for their usecase; literally regex on agent text outputs.. But what if you did not need to trust the labs? Activation probs are tiny!, same with SAE, and j lens… if I run my model white box, I can prove to an untrusted 3rd party that I ran these checks in under 1s. This proof can be past agent to agent. *the fallacy here is people assume SoTa model inference… what about everything else? I have another dozen examples on how it works out really well in industry.
English
2
0
1
168
Ian Miers
Ian Miers@secparam·
Whats the premium the market will pay for zk inference vs inference in a TEE? For payments there's a clear reason we don't trust TEEs. And for identity, there's simply an availability problem: not enough programable trusted hardware on devices. Are there similar cases for inference?
English
4
1
6
554
Ian Miers
Ian Miers@secparam·
The nth committee member just sat there. No laptop. No phone. Just... watching the thesis defense. Like a psychopath. Unaware his participation was to meet the dean's committee size requirement.
English
1
0
10
1.1K
Ian Miers
Ian Miers@secparam·
Yes. And interestingly, it seems not to be a stylometry attack, its Vitalik's somewhat distinctive thinking and notation. Semantic stylometry, almost. The same attack might not catch Vitalik if he, e.g., was posting political commentary. But it might catch, e.g., a journalist, posting anonymously content they could not safely publish under their own byeline.
English
1
0
1
64
John Scott-Railton
John Scott-Railton@jsrailton·
@secparam Interesting case indeed! Highlights the enormous challenge faced by efforts to automagically obfuscate prompts before they are passed to frontier models
English
1
0
2
922
Ian Miers
Ian Miers@secparam·
This is a much more interesting case of AI deanonymization than the paper that was making the rounds. Here, it was someone trying to remain anonymous, but elements of their style made it through in detectable ways. Whereas the previous paper took non-anonymous posts, redacted the username, and simply observed folks writing under their own name included identifying details.
vitalik.eth@VitalikButerin

And ... we have a winner! My method when writing the post in 2024 was: I wrote it in Chinese, used qwen2.5 locally to translate it to English, then manually fixed all the bugs in the translation. Notice that the stylistic hints that his AI picked up on were intellectual habits and style of math and algorithm explanation, which bypassed my obfuscation strategy (which only covered prose) completely. firefly.social/post/x/2074176…

English
4
10
42
9.4K
Ian Miers
Ian Miers@secparam·
On the scale of American privacy emergencies, where does "The census no longer has differential privacy" fall? Its an honest question. To me, it clearly isn't in the top 10 privacy issues. But perhaps its in the top 10 which are plausibly solvable?
English
7
0
17
2K
Ian Miers
Ian Miers@secparam·
@zkDragon @thedrekal @ZecHub @Zcash Threshold signatures for a chain with zk proofs are ... somewhat unnecessary long term. You can just prove you have sufficient signatures from keys needed to authorize the transaction. Works with existing signing hardware and captures richer semantics.
English
3
0
4
145
Dev 🧪
Dev 🧪@zkDragon·
So I'm tracking two problems in FROST right now, both easily resolvable. 1) Zcash mainnet requires you to reveal something about when you sign a tx. So everyone could tell that a multisig signed. This is removed in the Ironwood upgrade. 2) A Frost DKG needs to be deployed in Zcash. But many parties have done this. @LitProtocol @NEARProtocol have done it before, just needs to get adapted for Zcash
English
5
1
22
707
TheBigDre(P.M arc)
TheBigDre(P.M arc)@thedrekal·
Feb 21, 2025. Bybit signs a routine transfer from cold wallet to warm wallet. The screen shows the right address. The transaction does something else entirely. $1.5B gone in minutes. Largest crypto theft ever. No system is unbreakable. That's not the point of this thread. The point: Incidents at this scale expose how little the industry invests in operational privacy and modern threshold cryptography; until it's too late. The signers didn't lose a key. They approved a transaction they never meant to approve, because the interface lied to them. That's not a crypto failure. That's a trust-surface failure. Securing billions in digital assets means defending on every front at once: Private key management. Insider threats. Social engineering. Infrastructure compromise. Metadata leakage. Public visibility of treasury ops. Miss one, and it doesn't matter how strong the rest are. Transparent multisig is auditable by design. Which means it's also readable by design. 👀Balances. 👀Transaction history. 👀Counterparties. 👀Counterparties. 👀 Timing of every move. You don't necesssaryily have to hack a treasury you can already see. Metadata isn't background noise. It's the reconnaissance layer. It tells an attacker who to target, when to strike, and how your organization is structured even before they touch a single key. Everyone hardens the signing flow. Almost no one hardens the trail leading to it. This is what shielded treasury operations solve. Zcash's shielded addresses hide balances, transaction history, and counterparties; not just amounts. The entire operational picture disappears from public view. No visible balance to size up. No visible pattern of who moves funds and when. You strip the intelligence away before an attacker even starts planning. One caveat: shielding protects what's visible. It says nothing about your signing process. That's a different layer and the best tool for that is FROST. F.R.O.S.T : Flexible Round-Optimized Schnorr Threshold signatures. The modern evolution of multisig, and the layer that protects how a signature actually gets made. Classic multisig: multiple independent signatures approve on-chain. FROST: a group jointly produces ONE signature. Via distributed key generation (DKG), the full private key never exists in one place; not even for a second. Each party holds a share. Nothing more. Think less "multiple locks on one door," more "a seal that only opens if enough separately-held fragments combine in the moment and the whole key is never reassembled anywhere." That's the difference between multisig and threshold signing. The output is one compact Schnorr signature; indistinguishable from a single signer's. No visible threshold, no visible signer set, no fingerprint saying "this was 3-of-5." And it's fast: two rounds to sign, or one round with pre-processing. Less overhead, same security. Here's the thesis: 1. Privacy protects your operational information. 2. Threshold cryptography protects your signing process. Two different attack surfaces. One combined defense. Neither is a silver bullet alone. Together, an attacker now has to beat your opsec, compromise a threshold of independently-held key shares, AND do it against a wallet that isn't leaking a roadmap of your treasury. That's defense-in-depth, not a marketing claim. The tooling is live. @ZcashFoundation FROST repo: a Rust implementation built as frost-core plus ciphersuite crates; a real reference implementation, not a whitepaper with no code behind it. For Zcash-native compatibility: reddsa, with RedPallas ciphersuite support and ZIP-312 re-randomized FROST, that's the piece that keeps threshold-signed transactions unlinkable, so nothing leaks about who signed. To actually run it: frost-tools ships frostd (a coordination server) and frost-client (a CLI), plus demos for trusted-dealer setup, DKG, coordinator, and participant flows. Community forks like @BlockchainComns zcash-frost-tools extend it further. ZF says the reference work is done. Integration is the open frontier now. This stack is generic enough to underpin real infrastructure: ✅Institutional custody. ✅DAO treasuries. ✅Payroll systems. ✅MPC infra. ✅Payment processors. ✅Exchange cold storage. ✅Enterprise wallets. ✅Cross-chain apps. Not theoretical. Buildable! Picture a DAO treasury: 1. 3-of-5 signers 2. Globally distributed, 3. Funds in the Orchard pool, 4. FROST handling the signing. No visible balance on-chain. No visible signer set. No pattern for an attacker to study before they even try anything. That's the model.
TheBigDre(P.M arc) tweet media
English
3
7
18
1.7K
Ian Miers
Ian Miers@secparam·
Or perhaps the emergency is "we cannot reject differential privacy, its the best privacy solution we have." But then, we can ask the same question: For the top 10 privacy problems we have, how many is it a solution for?
English
0
0
5
440
Ian Miers
Ian Miers@secparam·
@valkenburgh They even make tiny keychain ones that are powered off your phone.
English
0
0
4
307
Ian Miers
Ian Miers@secparam·
As computer science scales as a research field, some assumptions no longer hold. Like O(1) access to the list of submitted papers.
English
0
0
20
1.4K
Ian Miers
Ian Miers@secparam·
@shaananc @ben_golub So in Australia, a department chair is a more serious position because its more akin to a dean?
English
1
0
3
43
Shaanan Cohney
Shaanan Cohney@shaananc·
@ben_golub Depends on the country and size of dept! In Australia it’s legit a senior role with serious decision making authority. We don’t have the same type of collegial structure.
English
1
0
2
360
Ben Golub
Ben Golub@ben_golub·
A small pet peeve It's really silly when non-academics interpret being chair of an academic department as a mark of seniority That's not the way academia works! Chairs are critical administrators but it's more like being the chair of a co-op board than Director at Meta
English
43
10
326
78.8K
Ian Miers
Ian Miers@secparam·
@NeerajKA Reminding people that the only chance they have at privacy is online, assuming it's not outlawed.
English
0
0
1
376
Neeraj K. Agrawal
Neeraj K. Agrawal@NeerajKA·
Is there a not annoying reason to be wearing the meta glasses
English
26
1
50
15.7K
Ian Miers
Ian Miers@secparam·
The lattice underlords can't bicker about garbled circuit security paramatters. 😄 In all seriousness though, what did you mean by: "hash-based proofs are useful even if lattice-based proving becomes more efficient." Is this about security assumptions, or do you think there are applications where it’s a better choice?
English
1
0
2
50
Ian Miers
Ian Miers@secparam·
Hash based sigs + snarks strikes me as a weird corner case, especially for blockchains. It seems to end up being recursive proofs in disguise. If we have really fast SNARKs, your sig might as well be MAC(sk,m)=tag AND pk=H(sk). And even if not (e.g., hardware wallets), you might end up with clients doing the proof over the hashsig. So aggregation is of proofs.
English
2
1
4
99
Ron Rothblum
Ron Rothblum@ronrothblum·
@secparam @recmo 1. I think hash-based proofs are useful even if lattice based proving becomes more efficient. 2. Interesting to see what end applications people care about. Hash-based signature aggregation seems to be one but would love to see more.
English
1
0
1
108
Ian Miers
Ian Miers@secparam·
@octal Conflating shoplifting, digital piracy, and fair evasion is .... an interesting editorial choice.
Ian Miers tweet media
English
1
0
7
248
Ian Miers
Ian Miers@secparam·
Like I said, its good work, and a 7x improvement on STOTA is useful. Period. What would be a good end-to-end benchmark for future systems for boolean circuits If we move beyond hashes as the benchmark ? Whats the biggest bottleneck? Like assume we are in lattice folding land and don't care about merkle tree openings for recursion.
English
1
0
2
87
Ron Rothblum
Ron Rothblum@ronrothblum·
@secparam @recmo I think of it as a system for efficiently proving batched Boolean computations - standard hashes are a natural application, but really anything you can express efficiently as repetitions of a Boolean circuit works
English
1
0
6
180
Ian Miers
Ian Miers@secparam·
Once the camera is inside your car or the client side scanning bot is in your phone, you no longer control what gets reported. One overnight update and the rules change. You have to watch what you say. And the consequences for speech are much worse than a speeding ticket.
English
1
2
13
898
Ian Miers
Ian Miers@secparam·
Imagine an AI dashcam that reports you for distracted driving or changing lanes without signaling. But don't worry, the footage never leaves your car. This is exactly what the EU is trying to do to end-to-end encrypted chat apps. Client-side surveillance is still surveillance.
English
1
5
29
1.7K
Ian Miers
Ian Miers@secparam·
@zkproofs @recmo Its a frequently quoted metric. And there are good reasons for that, its concrete. But it’s also very easy for the metric to become a target. For folks to say, “Great, we got rid of zk-friendly hashes.” Or “We got the equivalent of specialized CPU instructions for hashes.”
English
0
0
2
41
Pratyush Mishra
Pratyush Mishra@zkproofs·
@secparam @recmo But SNARK researchers aren’t only focusing on hash throughput. That’s one metric that’s important for one workload, but people are considering general computation too! In fact that’s the vast majority of research
English
1
0
1
43