Rose
294 posts

Rose
@0xrosetteeee
building @atheonxyz, prev:- @primev_xyz, @zkemail, @nethermind, @ethereum fellow, graduate @iitroorkee || one day
Joined January 2024
729 Following 1K Followers
Rose retweeted

Today we're launching early access to Zwap.
Trustless, shielded cross-chain swaps for Zcash. In and out of Orchard, trusting no one.
Live now: app.zwap.exchange
Rose retweeted


@0xrosetteeee on your return do try either
B747 - sfo to fra
Or
A350 - sf to trk

@0xrosetteeee A380 is pure majesty
always glad of the fact that my first intl flight was A380

@0xanmol @worldcoinfnd @dcbuilder hehe yeah here for 2 weeks, let’s see what all I can explore on the weekends, thanks for the recs!

@0xrosetteeee @worldcoinfnd Woah sick, sf is great, don't forget to take out time to go to a few parks/hikes, souvla on chestnut is a great greek spot I discovered
Say hi to @dcbuilder if he is still there 👀
Rose retweeted

Cross-chain swaps shouldn’t leak your entire trade graph.
Today’s standard (HTLCs) makes swaps trivially linkable across chains via shared hash.
We’re introducing Zwap - a new atomic swap construction compatible across programmable and UTXO chains that removes that assumption entirely.
Instead of hash correlation, we use:
• ECDH-based key aggregation → Shared signing key = s · b
• Zero-knowledge binding proof → Ties secret to both locks (off-chain)
• Trustless execution → Fixed recipients, zero MEV surface
What this unlocks:
→ No shared on-chain identifier across chains
→ Cryptographic unlinkability
→ Compatible with Bitcoin, Litecoin, Zcash (no protocol changes)
HTLC swaps are easy to trace.
Zwap removes that linkage at the protocol level.
This moves us closer to eliminating cross-chain linkage at the protocol level.
Explore it here: zwap.atheon.xyz

yeah, the constraint format is standard R1CS, but the witness includes FS challenges; we call this GR1CS internally. The key requirement is the ability to sample challenges between witness commitments, which works naturally with any multi-round proving protocol. and thanks for the paper, looks interesting, will check it out 👀

@0xrosetteeee @atheonxyz Makes sense! 👌 Thanks for clarifying! Super nice work.
It would be informative to mention the “interactive” R1CS part in the title, lest people dig in the blog and find out the hard way it does not apply to vanilla R1CS.

SHA256 is everywhere in crypto, but inside zk circuits it becomes one of the biggest bottlenecks.
Most implementations pay a huge cost because SHA256 was never designed to be circuit-friendly.
In our latest write-up by @0xrosetteeee, we explore how to make SHA256 significantly cheaper in R1CS.
Key ideas:
• Spread-based encoding for bitwise ops
• Dynamic bit-width optimization
• Single-constraint multi-operand additions
• LogUp batching and micro-optimizations
This design achieves state-of-the-art SHA256 compression in R1CS among existing open-source implementations.
This is particularly important for mobile proving environments, where witness size directly impacts memory usage.
Full deep dive ↓
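
The first key idea listed above, as an added example that is not taken from the post or the linked write-up: a spread encoding places each bit of a 32-bit word in its own 2-bit slot, so plain integer addition yields XOR in the even bits and majority/AND in the odd bits. All function names are assumptions made for illustration, and the even/odd split that a circuit would enforce with a lookup or range check is done here in ordinary Python.

```python
WORD_BITS = 32                      # SHA-256 word size
MASK = (1 << WORD_BITS) - 1

def spread(x):
    """Move bit i of x to bit 2i, leaving a zero above every data bit."""
    out = 0
    for i in range(WORD_BITS):
        out |= ((x >> i) & 1) << (2 * i)
    return out

def split_even_odd(z):
    """Return (word built from even bits of z, word built from odd bits)."""
    even = odd = 0
    for i in range(WORD_BITS):
        even |= ((z >> (2 * i)) & 1) << i
        odd |= ((z >> (2 * i + 1)) & 1) << i
    return even, odd

def xor3_and_maj(a, b, c):
    """One addition gives both a^b^c and Maj(a,b,c).

    Each 2-bit slot of the sum holds the count (0..3) of set input bits,
    so no carry crosses a slot: low bit = parity, high bit = majority.
    """
    return split_even_odd(spread(a) + spread(b) + spread(c))

def ch(e, f, g):
    """Ch(e,f,g) = (e & f) ^ (~e & g), using the odd (AND) bits of two sums."""
    _, e_and_f = split_even_odd(spread(e) + spread(f))
    _, ne_and_g = split_even_odd(spread(~e & MASK) + spread(g))
    # The two terms never share a set bit, so integer + equals XOR here.
    return e_and_f + ne_and_g

def rotr(x, n):
    return ((x >> n) | (x << (WORD_BITS - n))) & MASK

def big_sigma0(a):
    """SHA-256 Sigma0: XOR of three rotations, read from the even bits."""
    xor3, _ = xor3_and_maj(rotr(a, 2), rotr(a, 13), rotr(a, 22))
    return xor3

if __name__ == "__main__":
    # SHA-256 initial hash words H0..H2, used as sample inputs.
    a, b, c = 0x6A09E667, 0xBB67AE85, 0x3C6EF372
    x, m = xor3_and_maj(a, b, c)
    print(hex(x), hex(m), hex(ch(a, b, c)), hex(big_sigma0(a)))
```
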

Next Chapter
If you were to ask me which moment divided my life into before and after, I would tell you: it was the day I joined Spheron, the day we began building something from nothing.
For most, Spheron is a company. For me, it became something harder to name - a place where I left pieces of myself. I gave it what I could. Not everything was visible. Much of it never will be. But I knew, in the quiet way one knows such things, that I had offered it my fullest effort.
Now I am stepping aside - not leaving, but changing shape. From co-founder to core-contributor. The distinction matters to me, even if it is difficult to explain.
Prashant & Mitrashish. What we shared is not easily summarized. I learned from you both in ways I am still understanding. I hope we find ourselves, someday, at the beginning of something again.
I wish Spheron every success. I mean this the way one means the things that cost something to say.

yeah, the key dependency is the ability to sample FS challenges during the proof, which assumes a multi-round protocol.
In our setup (WHIR PCS), that falls out naturally since the protocol already alternates between commitments and challenges.
Vanilla Groth16 is single-pass with a fixed witness, so there’s no place to inject that randomness.

@0xrosetteeee @atheonxyz Hm, so IIUC this technique is not proof-system agnostic?
For example, would it work in vanilla Groth16 or would you need UltraGroth techniques that give you randomness “for free” in the (now interactive) R1CS?

Great points on Poseidon, we actually use Poseidon2 wherever we control the primitive (Merkle trees, attestation, nullifiers).
But the core use case here is passport verification, where we don’t get that choice. Since everything is signed with RSA-SHA256 (X.509), we have to recompute the exact same hashes.
That’s exactly why making SHA-256 cheaper in R1CS matters for us, it’s not optional, it’s a hard constraint.

Exactly the proving system choice is everything.
The bottleneck profile flips completely depending on where you land. SHA-256 in R1CS is brutal with 25,000+ constraints per hash.
Fine on a server, falls apart on mobile with a 3-4 second UX budget.
We use Poseidon as the primary in-circuit primitive - ZK-native, roughly 8x fewer constraints.
SHA-256 stays at the boundary layer where external systems expect standard hash outputs. On the server side our STARK pipeline runs biometric verification at 38.5 microseconds per auth with 2.17 million sustained per second, so the proof system overhead is effectively invisible at scale.
The harder problem is continuous authentication - behavioral biometrics throughout a session, not just at login. We're working with keystroke dynamics, input patterns, and device state signals accumulated across a session window. Single session commitment rather than per-event proving is what makes it viable on constrained hardware.
We need to amortize the proof cost across the entire behavioral signal set instead of paying it per event.
For endpoint attestation on mobile device integrity, network jurisdiction, session continuity - we're benchmarking sub-20ms per individual proof component and sub-50ms for a fully aggregated attestation bundle on ARM silicon, with verification under a microsecond. Proof size comes in under 200 bytes, which keeps it compatible with standard HTTP header transport. No custom protocol needed.
Never a dull moment.
If I can help in any way say the word.