wborgeaud

You could have invented garbled circuits

Wed, 27 May 2026 00:00:00 +0000

Garbled circuit is a cool protocol that solves the two-party secure computation problem, but like many cryptographic protocols, its description can look a bit mysterious.

In this post, I’ll show how one can stumble upon the construction of garbled circuits from first principles.

The problem

Alice has a private $a\in X$ and Bob has a private $b \in Y$. They want to evaluate a public function $f\colon X \times Y \to Z$ on their inputs $(a,b) \in X\times Y$, without Bob (resp. Alice) learning anything about $a$ (resp. $b$) except the result $f(a,b)$.

SuiCTF platform

Tue, 10 Feb 2026 00:00:00 +0000

As a way to learn more about Sui, Move, and vibe coding, I made this CTF platform with Sui Move challenges: https://suictf.com/.

Most challenges are still fairly easy, but I feel like they give a good way to get started in Move and the Sui tools. Note that all challenges were hand-written¹, LLMs were only used for the UI. Check it out!

Current models seem to do a terrible job at designing fun CTF challenges. ↩︎

Grand product arguments

Mon, 28 Aug 2023 00:00:00 +0000

$\newcommand{\F}{\mathbb{F}}$ $\newcommand{\c}{\text{comm}}$ $\newcommand{\i}{\mathbf{i}}$ $\newcommand{\z}{\mathbf{z}}$ $\newcommand{\r}{\mathbf{r}}$ $\newcommand{\eq}{\widetilde{\text{eq}}}$

HackMD version here.

Grand product arguments

Let $\F$ be a finite field and consider a vector $f = (f_0,\dots,f_{n-1})\in \F^n$, where $n=2^v$. Given some kind of commitment $\c_f$ to $f$ and a value $y\in\F$, we want to convince a verifier that the product of the elements of $f$ is $y$, $\prod f_i = y$.

In this note, I will describe different approaches to this problem using univariate polynomials as in Plonk or multivariate polynomials as in Quarks and Lasso.

The Walsh–Hadamard transform

Tue, 27 Jun 2023 00:00:00 +0000

In the ZKP world, we often use the Fast Fourier Transform (FFT) to go from univariate polynomials to their evaluations on a subgroup. The FFT has a less notorious analogue for multilinear polynomials: the Walsh–Hadamard transform (WHT). In this post, I’ll describe the WHT and explore its applications.

Univariate polynomials

Let $\mathbb{F}$ be a finite field and let $H<\mathbb{F}^*$ be a multiplicative subgroup of size $n=2^v$. Given a polynomial $f\in \mathbb{F}[X]^{<n}$ of degree less than $n$, we can use the FFT to compute its evaluation on $H$:

A simple multivariate AIR argument inspired by SuperSpartan

Thu, 22 Jun 2023 00:00:00 +0000

PDF version here and HackMD here.

We will consider the following basic version of AIR. Let $\mathbb{F}$ be a finite field and let $F \in \mathbb{F}[X_0,\dots,X_{2C-1}]$ be a constraint polynomial. An AIR witness for this instance is a table of $C$ columns $z_0,\dots,z_{C-1}$ of size $n=2^v$ such that for all $i=0,\dots,n-2$, $$ F(z_0[i],\dots,z_{C-1}[i],z_0[i+1],\dots,z_{C-1}[i+1])=0. $$

Multi-columns CCS (MCCCS)

CCS is a constraint system introduced in [STW23]¹ that generalizes common constraint systems such as R1CS, AIR, and Plonk. A CCS structure is given by

Applications of Riemann-Roch in cryptography

Wed, 15 Feb 2023 00:00:00 +0000

$$ \def\F{\mathbb{F}} \def\L{\mathcal{L}} \def\C{\mathcal{C}} $$

The Riemann-Roch theorem is a fundamental result in the study of curves. In this post, I’ll go through some of its applications in cryptography.

Divisors and the Riemann-Roch theorem

Let $C$ be an algebraic curve, i.e., a smooth projective variety of dimension one over a field $K$¹. The group of divisors $Div(C)$ is the free abelian group generated by points of $C$, i.e., elements of $Div(C)$ look like $D = \sum_{P\in C} n_P P$ where $n_P\in \mathbb{Z}$ is non-zero for only finitely many $P\in C$.

Proving AIRs with multivariate sumchecks

Sat, 21 May 2022 00:00:00 +0000

Algebraic Intermediate Representation (AIR) is a powerful arithmetization that can be extended to Randomized Air with Preprocessing (RAP), which includes popular systems like PLONK. See this great note by Ariel Gabizon for descriptions of these arithmetizations.

Another popular arithmetization is given by R1CS. Two categories of proving systems based on R1CS are those using multivariate techniques (e.g. Spartan) and those using univariate techniques (e.g. Marlin).

To the best of my knowledge, every current AIR-based proving system uses univariate techniques. In this note, I’ll discuss what a multivariate AIR-based proving system could look like.

The case for centralized rollups

Mon, 25 Apr 2022 00:00:00 +0000

Conventional wisdom is that rollups should be decentralized. In fact, most rollups have decentralization of sequencers/validators/provers on their roadmaps. In this post, I argue that fully centralized rollups are viable and secure.

What does a centralized rollup look like?

In a centralized rollup, a single actor controls sequencing and block production. Users send transactions directly to this actor, i.e, there is no public mempool. This actor then constructs a block with some of the transactions it has received and pushes them to L1, along with a state transition validity proof in the case of a zk-rollup.

ECFFT on the BN254 base field in Rust

Sat, 16 Oct 2021 00:57:25 -0700

$$ \def\F{\mathbb{F}} $$

tl;dr: A Rust implementation of the ECFFT here: https://github.com/wborgeaud/ecfft-bn254.

The last post was about the ECFFT algorithm by Eli Ben-Sasson, Dan Carmon, Swastik Kopparty and David Levit. At the end of the post, I mentioned that it would be fairly straightforward to implement the ECFFT algorithms in low-level languages like Rust by doing all the mathematical precomputations in Sage.

Well I have done exactly that and implemented the EXTEND and ENTER operations in Rust for the base field of the BN254 curve. This field has order

The ECFFT algorithm

Sat, 07 Aug 2021 00:57:25 -0700

$$ \def\F{\mathbb{F}} $$

This post is about a recent paper by Eli Ben-Sasson, Dan Carmon, Swastik Kopparty and David Levit. In this paper the authors present an amazing new generalization of the classic FFT algorithm that works in all finite fields. This post will give an overview of the algorithm and a simple implementation in Sage. I highly recommend reading the paper for more details and background.

The classic FFT algorithm

Let $p$ be a prime number, $n=2^k$ with $n \mid p-1$, $\langle w \rangle = H < \F_p^*$ a subgroup of size $n$. The classic FFT algorithm can be used to evaluate a polynomial $P(X)=\sum_{i=0}^n a_i X^i$ of degree $<n$ on $H$ in $O(n\log n)$. Note that the naive algorithm of evaluating $P$ at every point of $H$ takes $O(n^2)$ operations.
The FFT works by writing $P$ as $$P(X) = P_0(X^2) + XP_1(X^2)$$ where $P_0, P_1$ are the polynomials of degree $< n/2$ of even and odd coefficients of $P$.
Thus, given the evaluation of $P_0$ and $P_1$ on $H^2$, we can recover the evaluation of $P$ on $H$ with $O(n)$ operations.

Cairo Games Vol 2: Writeup

Mon, 19 Apr 2021 00:00:00 +0000

Here are my solutions to the second edition of the Cairo Games.

Nu

This problem was pretty straightforward. We have to find to integers x,y<2^128 such that x*y=17 in the prime field used by Cairo. We can easily get such a pair as follows:

from sympy import divisors
    P = 2**251 + 17 * 2**192 + 1
    BOUND = 2**128
    target = P + 17

    for d in divisors(target):
        n = target // d
        if n < BOUND and d < BOUND:
            break
    ids.x = n
    ids.y = d

Pakhet

We get a graph on 18 vertices as an adjacency matrix. We then have to find a path of length 18 path in this graph such that

Donjon CTF Writeup: Secret RNG

Sat, 31 Oct 2020 03:57:25 -0700

TLDR

This was a very nice challenge in the Donjon CTF. The goal was to reverse engineer the state of the PRNG math/rand in the Go standard library to guess the private key of a signature scheme and sign a given message. I solved this challenge by using the SMT solver Z3 to automagically recover the RNG state.

Description

Connecting to nc ots-sig.donjon-ctf.io 4001, we get:

Public key: djX6vqVMj0fTZGIhJFgN1VHLgGgaBxWEhvxp1MzB09s=
Enter signature: test
You failed! Private key was: 8GB6ClgHLz0nGU40Zwj8eKcH/CPl6sDKQEQX5cbiy1TPVf8ccI2yjr8HiOQwpwCj4VSQmS36+bIWBgkM3HO4Ny7pBvE0yGtJY9v3sVuaYeUU5h/rqYBpMjUAXBj5jfljRnVAXl50AKQvD5IYzU5IP6F5mJV/ZgT7MQ912/j/Q0+ug8Bj9q/+T6iO8tQfsui857XR/KIw85+EP5gRhUJi09Jjl36iFC2jyvqNQdjTpdJ4cQN8PO8RIAXCJlPT7upvD5uhQ0CiL+1KQRUPgWPK77SvNwUD++IboU4SBwP1DDFDrnqOZ7GmEncgT0VkLlQW9kWdfxM1HqQvSQmNqiUwK6Xps12qXi8ib07rnYkcV4eJ0QVGho6uuk8aGXhfJoArf2fGUzqhaNZIQGjsXBaoAfG7mka+SSlM4cGzvn5xA59yZ2H9H8C72ADiTtfF5cUSniT7QsMXWUjJrrsupUbOyapRH40DJ1fTeLgDZ1ly3CzN8dXKjItxcyuNONDCd5MvfdPIBsrApCY6Uu25rbG1q91C8t5YLVM0l90GoLdpJlJLfF/02jHNmkoYsc/Jyg8PyRuwBXj47mtbD/AViomNbkX2th9gUXfEVeMPzP1QqDJ6CC7sdkmdBspuyQtF6nX/pM5pXNDAOvFYuBdwfCPvCEAonXQqKUYXkqyZ82YACNhtmXgkBjkhO4b6RiOGKHVNQDqtCUmvSuk0VNebMGHrWmBSdjrM7FXVVI+f6Z7tik8ctxHYrJyU1XFervwlmAmbvhx1FOP8OwutpS9EViIne2HxN6dNaJTvVWfyPAOrdA9su7FKAh+HyrQfvlTwPEJEYW5Md9aX5jT1f2f76IiLyIG1S/gy8G/zb+WDsVVzspLV0aLw3Ce9jgJeBaMhGvZ93b+90xt86oKSDwueAM7JTjxgeNJOL0B3pr7QzlRhMRCxDl6veUfQ7o5q9YzOr1RI7cMINeyW7oQhqkyaoXa8Am4BH6LiWzmLOjMY4SiE5QPO4RVj95EhRVYFAtrrnUDMwZAftSjqhBq3qLXGNnLXm4QSwmgjaGOJ0wXqdH6BryXKALFB/hhUAFdW0YMdZzAOd27adHH2YDvDDeGvimJpAVmHDNDG1pLDHjlgXXc4QQP8TpmvhcSqJx7wgY8v/qcj00VREI+uI3F6CJScW2N8Bsa9mSzHpiyclCYkQyM4G8MEXGdfMm0CoLzeyZLf6P2sRtRjnGdbkdp3QP7frlDVOjUAe+8gsBu2K+PhyoZ6Rn+oNOMVWuftIEsy68KkEPwgy1AIwtWAEQKD3T+yRSNmRK1rznLr2HFTQJK0RI4OuBWDvmrlf4pSqC3Ri9uDcki/DOcTpVzwejOSSTrn1zYafTmeVN9JLzTHfIkdjQxSRJiOrgFxE0Rd/9iDeioj8VFBlvFkM5WX2Op2WKZefQVCuTs4ccnHt56V49yxukM0CeA=

We also get a single Go script:

Isogeny-based crypto Part 1: The SIDH protocol

Sat, 10 Oct 2020 03:57:25 -0700

This is the first post in a series on isogeny-based crypto. Instead of writing yet another introduction, I redirect you instead to the great introduction to SIDH by Craig Costello: Supersingular isogeny key exchange for beginners.

Today’s post will then be in the form of a Sage notebook walking through the examples in the paper. This also gives a good intro to how isogenies work in Sage.

The notebook source is available here: github.com/wborgeaud/isobeg

Anomalous Curves Part 3: Formal groups

Wed, 29 Apr 2020 08:57:07 -0700

$$ \def\F{\mathbb{F}} $$

$$ \def\Q{\mathbb{Q}} \def\F{\mathbb{F}} \def\Z{\mathbb{Z}} \def\M{\mathcal{M}} \def\G{\hat{\mathbb{G}}} \def\O{\mathcal{O}} $$

This is part three of the series on anomalous curves. Go here for part one and here for part two.

Today, I’ll prove the two missing results from the last post:

Theorem (VII.2.2 in Silverman): There is a group structure on $p\Z_p$ (that we denote $\hat{E}(p\Z_p)$) such that the map $$ E_1(\Q_p) \to \hat{E}(p\Z_p): [x:y:1] \mapsto -\frac x y $$ is a group isomorphism, that also induces isomorphisms $E_n(\Q_p)\to \hat{E}(p^n\Z_p)$.

Anomalous Curves Part 2: p-adic niceties

Wed, 22 Apr 2020 13:57:07 -0700

$$ \def\F{\mathbb{F}} $$

$$ \def\Q{\mathbb{Q}} \def\F{\mathbb{F}} \def\Z{\mathbb{Z}} $$

This is part two of the series on anomalous curves. Go here for part one.

Today, I’ll give a sketch of the construction of Smart’s attack. This attack combines two elliptic curve tools:

The reduction map of an elliptic curve over a local field.
The formal group of an elliptic curve.

I will focus on the first one, and leave the details of the second for another post.

Anomalous Curves Part 1: Don't be clever with your elliptic curve order

Tue, 21 Apr 2020 13:57:07 -0700

$$ \def\F{\mathbb{F}} $$

Have you ever been confused by the numbers $p,q,r$ in a paper dealing with elliptic curves? Some paper use $q$ for the order of the elliptic curve over a field of order $p$. Conveniently, other papers use the exact opposite notation, while some get original and use $r$ for the field size, or the order of a subgroup of the curve, or something else…

What if I told you there are curves where $p=q=r$? We could decide to only use these curves and never have to go back on page 2 of a paper to see what are $p,q$ or $r$!

Membership proofs from polynomial commitments

Thu, 16 Apr 2020 13:57:25 -0700

$$ \def\com{\mathbf{com}} $$

Recently, Dan Boneh, Ben Fisch, Ariel Gabizon, and Zac Williamson (BFGW) published a writeup showing how to create range proofs from polynomial commitments. As a mental exercise, I wanted to see how to use polynomial commitments to create membership proofs instead. Membership proofs can be seen as a generalization of range proofs, if certain homomorphic properties hold (that’s something I learned first from this article). For example for Pedersen commitments, we have:

Understanding Verifiable Delay Functions (with a Rust implementation)

Sat, 30 Nov 2019 13:57:25 -0700

I have been reading about Verifiable Delay Functions (VDF) recently and wanted to write a short post explaining what they are and what they can be used for. This post relies mainly on the papers: Efficient verifiable delay functions, Wesolowski and A Survey of Two Verifiable Delay Functions, Boneh et al. I also recommend this podcast with Joseph Bonneau.

Definition

A VDF is a function $f_T: \mathcal{X} \to \mathcal{Y}$ that takes a long time to compute but is fast to verify. Concretely, this means that $f_T$ takes $T$ steps to compute regardless of the number of parallel processors, and having computed $f(x)=y$, a prover can produce a proof $\pi$, such that a verifier can quickly check (say in time $O(\log T)$) that $f(x)=y$ using $\pi$.

Use Rust in React Native through WebAssembly

Thu, 14 Nov 2019 13:57:25 -0700

This post shows how to use Rust functions in a React Native project through WebAssembly. I struggled quite a bit to find an easy way to make it work, so I thought I’d share my findings. You can find the code for this post here.

Here’s the TLDR:

Create a wasm-pack project exposing the Rust functions you want to export.
Serve a web page exposing these functions through message events.
Use a React Native WebView of this web page.
Call Rust functions by sending messages to the WebView.

Pros and Cons

Pros

One alternative is to use native modules but it is a pain to setup with Rust and React Native, and requires lots of different configurations for Android and iOS.
Another alternative is to serve wasm files locally on the app and use them in a WebView. This is also a pain to setup since local files need to be put in different places in Android and iOS, and you will get a bunch of permission errors along the way.
The solution shown here is very easy to setup, works out of the box, and allows for a clear separation between the Rust and React Native development.

Cons

The device needs an Internet connection to download the web page.
Mild privacy issue since one can track requests to the web server. But all computations using WebAssembly are done locally on the device. In particular, the parameters to the Rust functions will not be sent to the server.
Probably quite slower than using the native modules.

Prototype

This gives an example of this structure with a simple Rust function that adds two numbers.

About

Mon, 01 Jan 0001 00:00:00 +0000

Interested in mathematics and cryptography.

Contact

Mon, 01 Jan 0001 00:00:00 +0000

Mail: williamborgeaud@gmail.com

Twitter: @williamborgeaud

Github: @wborgeaud