LatticeBlindFold: Towards The First Zero-Knowledge Lattice-Based Folding Scheme
Bringing NovaBlindFold's zero-knowledge guarantees into the post-quantum world
The Problem
The intersection of Zero-Knowledge (ZK) proofs and succinct protocols forms a central and rapidly evolving focus in modern cryptography; enabling parties to prove the validity of a computation without revealing the underlying data, while maintaining computational efficiency is a key challenge.
A fruitful framework for this line of work stems from folding schemes. The Nova folding scheme (in its NovaBlindFold incarnation [KST21, KS23, KV25]) provides a systematic method for introducing zero-knowledge on top of existing protocols.
This is an active line of research driven by achieving a modular approach. Among others, VEIL [DHRR26] is a recent example of such efforts to achieve lightweight and efficient zero-knowledge proofs within this structure.
Motivated by post-quantum security and improved computational efficiency, we work towards devising LatticeBlindFold, a novel folding scheme that represents the lattice-based analogue of NovaBlindFold.
Motivation: ZK-fying a Folding-Based SNARK
The Blinding-Folding Paradigm
A folding scheme is (naively) an interactive protocol $\Pi:\mathcal{R}^k\to \mathcal{R}$ that compresses $k$ instances of a relation $\mathcal{R}$ into a single accumulated instance; the verification of the accumulated instance then suffices, with high probability, to verify all the starting instances. Repeated application yields a SNARK: the prover reduces a large computation to a single, efficiently checkable instance. Nova and its variants (HyperNova, SuperNeo) follow this paradigm;
However, with the exception of Nova, these folding schemes are not zero-knowledge as the transcript of a folding step leaks information about the witnesses being folded.
The question that NovaBlindFold [KS23] addresses is:
Can we make a blinding folding scheme (that is, zero-knowledge) without introducing a separate ZK argument layer?
The answer is yes, as captured by the following key definition.
A folding reduction $\Pi\colon \mathcal{R}\times \mathcal{R}' \to \mathcal{R}$ is blinding if there exists a sampling algorithm $\mathsf{sample}$ and a simulator $\mathcal{S}$ such that the interaction transcript is computationally indistinguishable from a simulated one, given only the instances (not the witnesses).
More precisely, the mechanism is the following:
- Sample a randomized instance-witness pair $(u_r,w_r)\gets \mathsf{sample}$ independently of the real witness $(u,w)$.
- Fold the two pairs $((u_r, w_r), (u, w))$ together; by linearity the output witness is $w_{out} = \rho \cdot w_r + w$ for a verifier challenge $\rho$.
- Because $w_r$ is freshly random and $\rho$ is a verifier challenge (unknown to the prover at sampling time), $w_{out}$ is computationally indistinguishable from a fresh sample from $\mathsf{sample}$.
- The prover can transmit $w_{out}$ in the clear (no hiding commitment is needed) because the randomization is already baked in.
This yields zero-knowledge essentially for free on top of any SNARK, as long as the folding scheme satisfies a blinding property (i.e., the output instance-witness distribution is independent of the input witnesses when one input is freshly random).
The Nova folding scheme is blinding. However, the HyperNova one does not satisfy such a property, but only a weaker one. This second property, called randomizing, does not guarantee zero-knowledge, but only that the folded instance-witness pair is indistinguishable from a randomly sampled pairs.
The Lattice Gap
Almost all widely used lattice-based folding schemes, like LatticeFold [BC24] and SuperNeo [NS26], are generalizations of the HyperNova protocol. In our discussion we focus on SuperNeo [NS26] as it is the foundation of our LatticeBlindFold.
Do you want to know more about lattice-based folding schemes and the main techniques behind SuperNeo (and its predecessor Neo)? See this post by Alberto Centelles!
SuperNeo is a folding scheme for the norm-bounded CCS relation $\mathsf{CCS}(b,\mathcal{L})$ (see below or [Definition 12, NS26]) over the cyclotomic ring $\mathrm{R}_{\mathbb{F}} = \mathbb{F}[X]/(\Phi(X))$ where $\mathbb{F}$ is a small field and $\Phi$ is a cyclotomic polynomial. The scheme achieves knowledge soundness and completeness, but it is not blinding (i.e. zero-knowledge). Concretely, this property fails at two points:
- during the execution of the Sum-Check protocol as we reveal bits of information through the random evaluation of the polynomial, and
- when the prover sends hint values for checking that the Sum-Check protocol has been executed correctly: $y'_{i,j} = \tilde{M}_j \cdot z_i(r') \in \mathrm{R}_{\mathbb{K}}$, $\forall\, i \in [K+k]$, $\forall\, j \in [t]$, where $\mathbb{K}$ is a suitable finite extension of $\mathbb{F}$. These are linear functions of the witnesses $z_i$ evaluated at a random point $r' \in \mathbb{K}^{\log m}$.
LatticeBlindFold
The goal of LatticeBlindFold is to produce a blinding folding scheme over lattices, that is, the lattice analogue of NovaBlindFold. Beyond achieving zero-knowledge, the lattice setting offers two independent advantages over NovaBlindFold:
- Small-field arithmetic. SuperNeo operates over fields $\mathbb{F}$ of 61-64 bits and its quadratic extension(s) $\mathbb{K}$ with 122-128 bits rather than a 254-bit prime-order field required by elliptic-curve-based SNARKs. Constraint systems naturally expressed over small fields benefit directly.
- Post-quantum security. All hardness assumptions reduce to Ring-SIS/Module-SIS over $\mathrm{R}_{\mathbb{F}}$ (see below or this blog post), which is believed to be hard even for quantum adversaries. In contrast, NovaBlindFold's security rests on the discrete logarithm problem, broken in polynomial time by Shor's algorithm.
Main application: ICME Labs Jolt Atlas
The main reason for devising LatticeBlindFold stems from the Jolt Atlas paper [BCDG26] by ICME Labs and its interaction with the Jolt zkVM. In the paper, the authors obtain zero-knowledge by the NovaBlindFold trick, but the increasingly pressing need for a post-quantum-safe transition, together with the improvements of working over small fields, pushed us to devise a lattice-based analogue of NovaBlindFold. Moreover, more and more teams (including the Jolt one) are working on lattice-based architectures, and this work fits perfectly within that framework; see for example Justin Thaler's take in this a16z-crypto blog post.
A technical dive
We are happy to discuss this work and to share an early draft. If you are interested in the details, feel free to reach out to me (Luca) or to Wyatt Benno : help@icme.io
We collect here a few technical details and describe, rather formally, the LatticeBlindFold protocol.
Notation and preliminaries
We start by introducing all the necessary notation and preliminaries.
Let $\Phi$ be a fixed cyclotomic polynomial. As in SuperNeo, we work over the following extensions of rings:
$$\mathbb{F} \subseteq \mathbb{K},\quad \mathbb{F}[X]/(\Phi(X)) \subseteq \mathbb{K}[X]/(\Phi(X)).$$
We represent ring elements either as polynomials or, through their coefficients, as vectors in the base field; for ease of exposition, we will pass from one description to the other interchangeably.
We fix three norm-bound parameters:
- $b$ (usually set to $b=2$),
- $B=b^k$ (usually set as $k\in [10,14]$), and
- $B_{\mathsf{com}}$ (usually set as $B_{\mathsf{com}}\approx B$).
$b$ and $B$ represent the norm bound for the folding process, while $B_{\mathsf{com}}$ is the norm bound for the lattice-based commitment schemes.
Why are these parameters necessary?
In the lattice-based world, we need to consider this extra constraint on our vectors/ring elements as Ajtai commitments are binding only if the norms of the messages and random salts are bounded; see below!
We also set $K$ as the number of instance-witness pairs that we simultaneously fold.
Commitment schemes
We introduced bounding constraints above, so let's discuss the two commitment schemes we employ in our LatticeBlindFold protocol: the Ajtai commitment scheme and the BDLOP/ABDLOP [BDL+16]/[LNP22] one.
The Ajtai commitment
The Ajtai commitment scheme is the canonical succinct lattice-based commitment. Given two uniformly random matrices $\mathbf{A}_1,\mathbf{A}_2 \in \mathrm{R}_{\mathbb{F}}^{n \times m}$ (for suitable $m$ and $n$), the commitment to a small-norm message $\mathbf{x} \in \mathrm{R}_{\mathbb{F}}^m$, $\|\mathbf{x}\|_{\infty} < B_{\mathsf{com}}$, with small-norm randomness $\mathbf{r} \in \mathrm{R}_{\mathbb{F}}^m$, $\|\mathbf{r}\|_{\infty} < B_{\mathsf{com}}$, is simply $c = \mathbf{A}_1\cdot \mathbf{r} + \mathbf{A}_2\cdot \mathbf{x}$ in $\mathrm{R}_{\mathbb{F}}$. The commitment is homomorphic and, most importantly, succinct, that is, the output $c \in \mathrm{R}_{\mathbb{F}}^n$ has dimension $n$ independent of the message size $m$.
Binding reduces to the Short Integer Solution (SIS) problem: any two openings $(c, \mathbf{r}_1, \mathbf{x}_1)$ and $(c, \mathbf{r}_2, \mathbf{x}_2)$ with $\mathbf{x}_1 \ne \mathbf{x}_2$ yield a short non-zero vector $$\mathbf{A}_2(\mathbf{r}_1 - \mathbf{r}_2) = \mathbf{A}_1(\mathbf{x}_2 - \mathbf{x}_1).$$
Once the message or randomness norm exceeds $\mathrm{Char}(\mathbb{F})/2$, the SIS reduction breaks down entirely and the commitment offers no binding guarantee. This norm sensitivity is precisely what makes Ajtai commitments unsuitable for hiding certain values in LatticeBlindFold.
The BDLOP/ABDLOP commitment
The BDLOP scheme [BDL+16] and its augmented variant ABDLOP [LNP22] address the norm-sensitivity problem in the Ajtai commitment scheme above by separating the message from the randomness at the level of the commitment matrix.
Given uniformly random public matrices $\mathbf{A}_1 \in \mathrm{R}_{\mathbb{F}}^{n_1 \times m}$ and $\mathbf{A}_2 \in \mathrm{R}_{\mathbb{F}}^{n_2 \times m}$, the BDLOP commitment to a message $\mathbf{m} \in \mathrm{R}_{\mathbb{F}}^{n_2}$ with small-norm randomness $\mathbf{s}_1 \in \mathrm{R}_{\mathbb{F}}^m$, $\|\mathbf{s}_1\|_\infty < B_{\mathsf{com}}$, is the pair
$$\mathbf{t} = (\mathbf{t}_1, \mathbf{t}_2) = (\mathbf{A}_1 \mathbf{s}_1, \mathbf{A}_2 \mathbf{s}_1 + \mathbf{m}) \in \mathrm{R}_{\mathbb{F}}^{n_1} \times \mathrm{R}_{\mathbb{F}}^{n_2}.$$
ABDLOP extends this with a second randomness vector $\mathbf{s}_2$ and a third matrix $\mathbf{B}$, producing $(\mathbf{A}_1 \mathbf{s}_1 + \mathbf{A}_2 \mathbf{s}_2, \mathbf{B}\mathbf{s}_2 + \mathbf{m})$; this separates the binding randomness into two components with independently controllable norms.
Crucially, the message $\mathbf{m}$ appears additively and in full in the output, so the scheme is non-succinct (the commitment size grows linearly with $|\mathbf{m}|$) but binding holds for messages of arbitrary norm, not just small ones.
Why also considering non-succinct commitment schemes? The reason will will become clear below, when we need to hide some hint values to achieve zero-knowledge.
The ABDLOP commitment scheme is endowed with a zero-knowledge opening algorithm.
Relations and Interactive Reductions
We report here the key relations. We will employ only the first and the third in the LatticeBlindFold protocol. Before writing the (somewhat informal) definitions, let us fix:
- $\mathcal{L}$ to be a linear map of modules; in the application, $\mathcal{L}$ is the commitment morphism in the Ajtai commitment scheme.
- a multilinear polynomial $f$ of maximal degree $u$ in $t$ variables, and $t$ matrices $M_1,\ldots, M_t$ defining the circuit constraints.
We can now define:
- $\mathsf{CCS}(b,\mathcal{L})$: instances $x$ and witnesses $w$ such that $c = \mathcal{L}([x, w])$, $\|[x,w]\|_{\infty} < b$, and the CCS multilinear polynomial evaluates to zero over the Boolean hypercube.
- $\mathsf{CE}(b,\mathcal{L})$: instances $x$ and witnesses $w$ such that $z=[x,w]$, $\|[x,w]\|_{\infty} < b$, and the evaluation relation extending $\mathsf{CCS}(b,\mathcal{L})$ with evaluation claims $\{y_j = \bar{M}_j \cdot z(r)\}_{j\in [t]}$ at a random point $r \in \mathbb{K}^{\log m}$.
- $\mathsf{CE}_{\mathsf{com}}(b,\mathcal{L},\mathsf{Commit})$ – the committed evaluation relation: instances $x$ and witnesses $w$ in $\mathsf{CE}(b,\mathcal{L})$ where each instance additionally carries ABDLOP commitments $\{C_j := \mathsf{Commit}(y_j, s_j) \in \mathrm{R}_{\mathbb{K}}^2 \}_{j\in [t]}$ and the corresponding witness carries the salts $\{s_j \in \mathrm{R}_{\mathbb{K}}^2\}_{j\in [t]}$ with $\|s_j\|_{\infty} < B_{\mathsf{com}}$.
For computational reasons, we will restrict our focus to R1CS constraints rather than more general CCS: in particular, $f=Y_1\cdot Y_2 - Y_3$, $u=2$ and $t=3$. Everything can be generalized to CCS, however, the computational overhead grows accordingly.
Strong sampling sets
All folding schemes provide aggregation through linear accumulation; the verifier samples random coefficients $\rho_1, \ldots, \rho_{K+k}$ and the prover folds via $z_{\mathrm{out}} = \sum_i \rho_i z_i$.
Now, focusing on lattice-based protocols: if the $\rho_i$ are sampled from all of $\mathrm{R}_\mathbb{F}$, the product $\rho_i z_i$ can have norm up to $|\mathbb{F}| \cdot \|z_i\|_{\infty}$, causing exponential norm explosion. Strong sampling sets prevent this by ensuring random linear combinations have bounded norm growth.
A subset $C \subseteq \mathrm{R}_\mathbb{F}$ is a strong sampling set if:
1. Any two distinct elements $a, b \in C$ satisfy $\|a - b\|_{\infty} < \mathbf{b}_{\mathrm{inv}}$, where $\mathbf{b}_{\mathrm{inv}}$ is the low-norm invertibility threshold.
2. The expansion factor is bounded:
$$T(C) := \max_{\substack{v \in \mathrm{R}_\mathbb{F} \\ \rho \in C}} \frac{\|\rho v\|_{\infty}}{\|v\|_{\infty}} \leq O(\deg(\Phi) \cdot \max_{\rho \in C} \|\rho\|_\infty).$$
- The invertibility threshold guarantees that any chosen difference is invertible in the ring $\mathrm{R}_{\mathbb{F}}$; this is crucial for witness extraction in the security proofs.
- The expansion factor says that for any vector $v$ with $\|v\|_{\infty} < b$, multiplying by $\rho \in C$ gives $\|\rho v\|_{\infty} \leq T(C) \cdot b$. When folding $K+k$ witnesses, the norm of the combined witness is bounded by $(K+k) \cdot T(C) \cdot b$.
In practice, $C$ is constructed as the set of all ring elements with coefficients in a small interval $[-\beta, \beta]$. This gives expansion factor $T(C) \approx O(\deg(\Phi) \cdot \beta)$. For typical cyclotomic rings and parameters, $T(C)$ is a modest constant (e.g., $\sim 10^3$ for degree-64 rings).
Role in LatticeBlindFold
In LatticeBlindFold, the verifier samples coefficients from $C$ rather than uniformly from $\mathrm{R}_\mathbb{F}$. This ensures:
- Folded witnesses remain norm-bounded: $z_{\mathrm{out}} = \sum_i \rho_i z_i$ satisfies $\|z_{\mathrm{out}}\|_{\infty} < B = b^k$;
- Folded commitment salts remain binding-safe: $s_j = \sum_i \rho_i s_{i,j}$ satisfies $\|s_j\|_{\infty} < B_{\mathrm{com}}$.
The parameter constraint is $(K+k) \cdot T(C) \cdot (b-1) < B$, which is satisfied by tuning $b$ and $k$ appropriately.
The main building blocks
We present here the two main techniques we use for achieving zero-knowledge in our folding scheme.
ZK-fying Sum-Check: masking and committing
The Sum-Check protocol
The Sum-Check protocol is one of the most important protocols in modern cryptography. It is an interactive protocol allowing a prover to convince the verifier that the sum of a multivariate polynomial $p(x_1,\ldots,x_N)$ over a given domain (usually the Boolean hypercube) is equal to a provided known value, say $P$:
$$\sum_{\vec{x}\in \{0,1\}^N}p(\vec{x}) = P.$$
The Problem
SuperNeo's first reduction step ([Protocol 1, NS26]) uses the Sum-Check protocol to verify that constraint polynomials evaluate to zero over the Boolean hypercube. However, Sum-Check is inherently not zero-knowledge: the transcript reveals partial evaluations of the polynomial being checked, which encode information about the witness values.
The Solution: Libra-Style Masking
We hide the constraint polynomial $Q(\vec{X})$ under a random masking polynomial $p(\vec{X})$ with the same partial degrees. The protocol proceeds as follows:
- Prover computes masking polynomial:
$$p(\vec{X}) = a_0 + \sum_{i=1}^{\ell} p_i(X_i), \quad
p_i(X_i) = \sum_{j=1}^{d_i} a_{i,j} X_i^j$$
where each $d_i = \deg_{X_i}(Q)$, and all coefficients $a_{i,j}$ are sampled uniformly at random. - Prover commits and reveals aggregate:
The prover computes $C_p = \mathrm{Commit}(p)$ and $P = \sum_{\vec{x} \in \{0,1\}^{\log m}} p(\vec{x})$, and sends $(C_p, P)$ to the verifier. - Verifier sends challenge:
The verifier samples a uniformly random challenge $\zeta \leftarrow \mathbb{F}^\times$ and sends it to the prover. - Both parties run masked Sum-Check:
Define the combined polynomial
$$q(\vec{X}) := p(\vec{X}) + \zeta \cdot Q(\vec{X})$$
with claimed sum
$$ H := P + \zeta \cdot T.$$
Both prover and verifier execute the standard Sum-Check protocol on $(q, H)$, which reduces to an evaluation claim $H' = q(\vec{r}')$ at a random point $\vec{r}' \in \mathbb{K}^{\log m}$. - Commitment Checks:
During the last step, both prover and verifier open the commitment of $g$ at $r$: $(g(r), \pi) \gets \text{Open}(g, r)$.
The verifier then checks the commitment by: $\text{Verify}(\text{com}_g, g(r), r, \pi)$.
If reject, abort.
Why This Is (99%) Zero-Knowledge
Since $p$ is a uniformly random polynomial with the same degree profile as $Q$, the combined polynomial $q = p + \zeta Q$ is computationally indistinguishable from a uniformly random polynomial of those degrees (by the randomness of $p$ and the verifier challenge $\zeta$ sampled after the prover commits to $p$). Each round of Sum-Check thus reveals an evaluation of an essentially uniformly random polynomial, leaking no information about $Q$ or the witness. The simulator can generate an indistinguishable transcript by sampling $p$ and $\zeta$ as above and running the standard Sum-Check on $p + \zeta Q$, without access to the real witness.
This masking technique is adapted from the Libra protocol's zero-knowledge Sum-Check [Construction 1, §4.1, XZZ+19]. The key differences in LatticeBlindFold are that we commit to the masking polynomial $p$ using a lattice-based commitment (ABDLOP/Hachi modification) rather than a polynomial commitment scheme, we operate over ring arithmetic (via the SuperNeo embedding) rather than group arithmetic, and we further hide the final evaluation of the polynomial $p$. The remaining zero-knowledge argument transfers cleanly: the masking polynomial hides the constraint polynomial for the duration of the Sum-Check, and by commitment hiding, the verifier cannot distinguish a real transcript from one generated by a simulator that samples $p$ fresh.
However, let us stress the following fundamental remark.
Moreover, if we can allow the verifier to learn this small piece of information, then we proceed via the ABDLOP commitment scheme and pass the evaluations in plain.
How do we handle this problem?
We can introduce the following modification as in [§13.3,Tha22].
Masking the Final Evaluation
The technique described in [§13.3,Tha22] is rather technical therefore we opt for a more informal treatment and refer the reader to Thaler's book for all the details.
The key idea is that the verifier must eventually learn some evaluation in Sum-Check and that must not depend on the witness. The trick is therefore not to hide the evaluation protocol, but to ensure that the passed evaluation is itself statistically independent of the witness by dealing with a slightly bigger polynomial.
Circuits and Transcripts: Sum-Check is now a circuit
Suppose we have an arithmetic circuit $C$ of size $S$ ($S=2^k$ for simplicity); to each gate we associate a unique binary label $a \in {0,1}^k$.
Let $W:{0,1}^k \to \mathbb{F}$ denote the circuit transcript; this will be the whole transcript of the masked Sum-Check protocol discussed above.
For every gate label $a$, $W(a)$ is the value carried by gate $a$ when the circuit is evaluated on the public input $x$ and witness $w$. Thus (W) is simply a table of $S$ field elements; computing $W$ requires evaluating the circuit once.
We can then consider the multilinear extension of $W$
$$\widetilde{W} := \sum_{a\in{0,1}^k}W(a) \cdot \chi_a(X),$$
where the $\chi_a$'s are the standard Boolean Lagrange basis polynomials
$$\chi_a(X):=\prod_{j=1}^{k}\Big((1-a_j)(1-X_j)+a_jX_j\Big).$$
Now, for a random $r\in\mathbb{F}^k$, the verifier learns $\widetilde{W}(r)=\sum_a W(a)\chi_a(r)$ which is a (nontrivial) linear combination of all transcript values; since the transcript is determined by the witness, $\widetilde W(r)$ contains witness information.
Randomized Extension
To fix this, the prover chooses $c_1,c_2\leftarrow\mathbb{F}$ uniformly and defines
$$Z(X) := \widetilde{W}(X)+ c_1\cdot X_1\cdot (1-X_1) + c_2\cdot X_2\cdot(1-X_2).$$
Why these particular terms?
Observe that $X_i(1-X_i)=0$ for $X_i\in{0,1}$, hence $Z(a)=\widetilde{W}(a)=W(a)$ for every Boolean point $a$.
Thus all circuit constraints remain exactly the same and nothing changes on the hypercube.
Let's give a name to the functions introduced above:
$$m_1(X)=X_1(1-X_1), \quad m_2(X)=X_2(1-X_2).$$
Then $Z(X)=\widetilde{W}(X)+c_1m_1(X)+c_2m_2(X)$ and the functions (m_1,m_2) satisfy:
- Vanishing Property (as above): $m_i(a)=0$ for every Boolean point $a$, and
- Non-Vanishing Property: for $r_i\notin{0,1}^k$, $m_i(r)=r_i(1-r_i)\neq 0$.
Why One Evaluation Becomes Uniform
Suppose the verifier eventually obtains $Z(r)$. Then
$$Z(r)=\widetilde{W}(r) + m_1(r)c_1 + m_2(r)c_2.$$
Fixing $\alpha_1=m_1(r)$ and $\alpha_2=m_2(r)$, we immediately have that: if $r_1,r_2\notin{0,1}$, then $\alpha_1,\alpha_2\neq 0$. Hence, one can deduce that adding the fixed quantity ($\widetilde{W}(r)$) preserves uniformity; therefore, $Z(r)$ is uniformly distributed and statistically independent of the witness.
Why two random coefficients?
This comes from the structure of the GKR [GKR08] verification, from which this technique is adapted from; cf. [Tha22].
A Final Remark
The masking protocol actually works over a modification of the polynomial $Z$ defined above, dealing with $3\times$ the variables and involving the wiring predicates $\widetilde{Add}$, $\widetilde{Mult}$, $\widetilde{I}$, $\widetilde{\mathsf{io}}$ (we refer to [Tha22] for their precise definition), which are tricky to compute for general circuits (but feasible for the most common ones; cf. [4.6.6, Tha22]).
Moreover, the modification requires to sample challenges in $\mathbb{F}-\{0,1\}$ (not altering soundness).
We point out that the complexity of this modification does not change from the usual Sum-Check one (clearly the constants in front of the asymptotic grow).
Commit-and-Prove: commit to the hints
The Problem
After the Sum-Check protocol on $Q(\vec{X})$ reduces the claim to a single evaluation point $\vec{r}'$, the prover must send the new hint values:
$$ y'_{i,j} = \overline{M}_j \cdot z_i(\vec{r}') \in \mathrm{R}_{\mathbb{K}}, \quad \forall i \in [K+k], \; j \in [t]$$
where $z_i$ are the witness vectors and $\overline{M}_j$ are the matrices encoding the structure. If sent in the clear, these are linear functions of the witnesses evaluated at a random point; therefore a (dis)honest verifier learns significant structural information.
The Solution: ABDLOP Commitments to Hints
Instead of revealing $y'_{i,j}$ in the clear, the prover commits to each hint value (with its randomness salt) using the ABDLOP scheme and sends only the commitment. The verifier checks constraint equalities at the level of commitments, never seeing the actual evaluations.
- Prover computes and commits to new hints:
After the Sum-Check phase (which determines $\vec{r}'$), the prover computes:
$$y'_{i,j} := \overline{M}_j \cdot z_i(\vec{r}') \in \mathrm{R}_{\mathbb{K}}$$
and samples fresh ABDLOP randomness:
$$s'_{i,j}, s'_{i,prod}, s'_{i,cube} \in \mathrm{R}_{\mathbb{K}}^2, \quad \|s'_{i,j}\|_{\infty}, \|s'_{i,prod}\|_{\infty}, \|s'_{i,cube}\|_{\infty} < B_{\mathrm{com}}.$$
The prover then commits:
$$C_{i,j}' := \mathrm{Commit}(y'_{i,j}, s'_{i,j}) \in \mathrm{R}_{\mathbb{K}}^2,$$
$$C_{i,prod}' := \mathrm{Commit}(y'_{i,1}\cdot y'_{i,2}, s'_{i,prod}) \in \mathrm{R}_{\mathbb{K}}^2,$$
and
$$C_{i,cube}':=\mathrm{Commit}(y'_{i,1}\cdot y'_{i,1}\cdot y'_{i,1}, s'_{i,cube})\in \mathrm{R}_{\mathbb{K}}^2,$$
and sends the commitments $\{C'_{i,j},C_{i,prod}',C_{i,cube}'\}_{i,j,l}$ to the verifier.
Recall that each salt $s_{i,*}$ is composed of two components, one for the Ajtai part ($s_{i,*,1}$) and one for the BDLOP one ($s_{i,*,2}$). - Verifier checks equalities on commitments:
Instead of checking numerical equalities on the $y'_{i,j}$ values, the verifier computes the expected commitment from the prior round via the homomorphic property of ABDLOP.- Setting $\mathrm{ct}$ as the maps that extracts the constant term and $\mathrm{cf}$ the one which extracts the coefficient vector associated with a ring element, we define:
- $c_F := \sum_{i=1}^{K} \gamma^{i-1} \cdot \mathrm{Commit}\big(f(\mathrm{ct}(y'_{i,1}), \mathrm{ct}(y'_{i,2}), \mathrm{ct}(y'_{i,3}))\big)$ – the R1CS constraint polynomial,
- $c_N := \sum_{i=1}^{K+k} \gamma^{i-1} \cdot \mathrm{Commit}\left( \prod_{j=-b+1}^{b-1} (\mathrm{ct}(y'_{i,1}) - j) \right)$ – the norm constraint polynomial,
- $c_E := \mathrm{eq}(\vec{r}', \vec{r}) \sum_{i=K+1}^{K+k} \sum_{j,\ell} \gamma^{I(i,j,\ell)} \cdot \left(\mathrm{Commit}(\mathrm{cf}(y'_{i,j}))\right)_\ell$ – the Sum-Check hint-helped verification polynomial.
- Setting $\mathrm{ct}$ as the maps that extracts the constant term and $\mathrm{cf}$ the one which extracts the coefficient vector associated with a ring element, we define:
- The prover computes (stored in memory from the previous commitments) all the values $B\cdot s_{i,*,2}$ and sends the verifier the sum $S_{2,\mathsf{F}} + S_{2,\mathsf{N}} + S_{2,\mathsf{E}}$, for
- $S_{2,\mathsf{F}}=\mathsf{eq}(r', \alpha) \cdot\sum_{i=1}^{K} \gamma^{i-1} \left(\mathsf{ct}(B\cdot s_{i,prod,2}) - \mathsf{ct}(B\cdot s_{i,3,2})\right)$,
- $S_{2,\mathsf{N}}=\mathsf{eq}(r', \alpha) \cdot\sum_{i=1}^{K+k} \gamma^{i-1} \left(\mathsf{ct}(B\cdot s_{i,cube,2}) - \mathsf{ct}(B\cdot s_{i,1,2})\right)$,
- $S_{2,\mathsf{E}}=\mathsf{eq}(r', r) \cdot\sum_{i=K+1}^{K+k}\sum_{j=1}^{t}\sum_{\ell=1}^{d} \gamma^{I(i,j,\ell)} \left(\mathsf{cf}(B\cdot s_{i,j,2})_\ell\right)$.
- The verifier then checks:
$$v + S_{2,\mathsf{F}} + S_{2,\mathsf{N}} + S_{2,\mathsf{E}} \stackrel{?}{=} \mathsf{eq}(r', \alpha) \cdot (c_{\mathsf{F}} + \gamma^K \cdot c_{\mathsf{N}}) + \gamma^{2K+k} \cdot c_{\mathsf{E}},$$
where $v$ is the claimed final evaluation value.
- The norm of the aggregated salt is likely not bounded. However, this does not represent an issue, as we only require the final "commitment" for checking consistency and we do not require binding for the final aggregated value.
- Here we use in a consistent manner the fact that the coefficient extraction map $\mathrm{cf}(\cdot)_\ell$ commutes with the ABDLOP commitment map, which is the key algebraic property exploited throughout LatticeBlindFold when checking equalities on committed ring-element coefficients.
- Moreover, sharing the sum $S_{2,\mathsf{F}} + S_{2,\mathsf{N}} + S_{2,\mathsf{E}}$ does not break soundness since an attacker can, at most, recover sums of salts, but not the individual ones; note that here we must consider suitable dimensions for the commitments to ensure enough bits of security.
The LatticeBlindFold Protocol
Now that all the characters of our play have been presented, we can describe the LatticeBlindFold protocol. As in SuperNeo, our folding scheme is obtained as a combination of three reductions $\Pi_{\mathsf{LatticeBlindFold}}:= \Pi_{\mathsf{DEC}}' \circ \Pi_{\mathsf{RLC}}' \circ \Pi_{\mathsf{R1CS}}'$
$$ \Pi_{\mathsf{LatticeBlindFold}}\colon \mathsf{CCS}(b,\mathcal{L})^K\times \mathsf{CE}_{\mathsf{com}}(b,\mathcal{L},\mathsf{Commit})^k \to \mathsf{CE}_{\mathsf{com}}(b,\mathcal{L},\mathsf{Commit})^k.$$
We discuss each reduction individually.
$\Pi_{\mathsf{R1CS}}'$: Committing to Hints and Masking Sum-Check
The first reduction is the core reduction for achieving zero-knowledge. Here we make use of both the masking and the commit-and-prove techniques we discussed above. We
- replace plaintext hints with ABDLOP commitments, and
- mask the Sum-Check polynomial.
- Setup: The prover constructs the polynomial (as in the unblinded version):
$$Q(\vec{X}) := \mathsf{eq}(\vec{X}, \alpha) \cdot (\mathsf{F}(\vec{X}) + \gamma^K \cdot \mathsf{NC}(\vec{X})) + \gamma^{2K+k} \cdot \mathsf{Eval}(\vec{X}) \in \mathbb{K}[\vec{X}]$$
where $\mathsf{F}$ encodes the R1CS constraints, $\mathsf{NC}$ encodes norm constraints, and $\mathsf{Eval}$ encodes prior evaluation claims. The claimed Sum-Check sum is
$$T = \sum_{i,j,\ell} \gamma^{I(i,j,\ell)} \cdot \mathsf{cf}(y_{i,j})_{\ell}.$$ - Masking: The prover engages with the verifier in the masking procedures recalled in the sections "ZK-fying Sum-Check: masking and committing" and "Masking the Final Evaluation" above.
In particular, the prover samples a suitable masking polynomial $p$, commits to it, say with commitment $C_p$, and sends the commitment together with the purported sum $P$ to the verifier. The verifier picks a challenge $\zeta$.
Prover and verifier can now engage in the Libra-style Sum-Check protocol for the polynomial $p+\zeta \cdot Q$ and purported sum $P+\zeta\cdot T$ as described above. - Committing to hints: After Sum-Check reduces to an evaluation point $r' \in \mathbb{K}^{\log m}$, the prover computes and commits to the new hint values $C_{i,j}'$, $C_{i,prod}'$, and $C_{i,cube}'$ (see above for the precise definition).
Then, the verifier checks the evaluation claim at the level of commitments, as described in the section "Commit-and-Prove: commit to the hints" above.
This reduction is not sound on its own, as a malicious prover can forge commitment equalities. Soundness is recovered only after composing with the second reduction (which takes care of folding instance-witness pairs together), where the random challenges bind the commitments to the actual witness values.
- Output relation: The output of this reduction is in $\mathsf{CE}_{\mathsf{com}}(b,\mathcal{L},\mathsf{Commit})^{K+k}$ carrying $\{C'_{i,j} = \mathsf{Commit}(y'_{i,j})\}_{j\in [t]}$ in the instance and $\{y'_{i,j}, s'_{i,j}\}_{j\in [t]}$ in the witness.
$\Pi_{\mathsf{RLC}}'$: Folding Committed Instances
The second step of the folding protocol is a random linear combination step. Here we must fold not just the witnesses and instances, but also the ABDLOP commitments and their salts.
- The verifier samples $\rho_{1},\ldots, \rho_{K+k}$ from the fixed strong sampling set $C$ (as in the section "Strong sampling sets" above) and computes:
$$c \gets \sum_i \rho_i \cdot c_i, \quad x \gets \sum_i \rho_i \cdot x_i.$$ - The prover computes the folded witness $z \gets \sum_i \rho_i \cdot z_i$ and the folded hint values $y_j \gets \sum_i \rho_i \cdot y_{i,j}$.
By the homomorphic property of ABDLOP:
$$\mathsf{Commit}(y_j, s_j) = \sum_i \rho_i \cdot\mathsf{Commit}(y_{i,j}, s_{i,j}),$$
where $s_j = \sum_i \rho_i \cdot s_{i,j}$. - The verifier checks this equality on commitments.
Since $B<B_{\mathsf{com}}$, we can deduce that also the randomness is suitably bounded.
- Output relation: The output of this reduction is in $\mathsf{CE}_{\mathsf{com}}(B,\mathcal{L},\mathsf{Commit})$ carrying $\{C_{j} = \mathsf{Commit}(y_{j})\}_{j\in [t]}$ in the instance and $\{y_{j}, s_{j}\}_{j\in [t]}$ in the witness.
$\Pi_{\mathsf{DEC}}'$: Decomposing Commitment Salts
The final reduction recovers the correct (product) relation $\mathsf{CE}_{\mathsf{com}}(b,\mathcal{L},\mathsf{Commit})^k$ by reducing the norm of the claims from $B= b^k$ to $b$, which allows us to continue folding R1CS constraints.
This last step in SuperNeo is rather straightforward, as each is decomposed in base-$b$. Because we need to keep track of the commitment salts, in our protocol we split the input salt in a way that keeps each piece small and computationally unpredictable. The required decomposition is:
$$s_j = \sum_{i=0}^{k-1} b^i \cdot s_{i,j} \in \mathrm{R}_{\mathbb{K}},\, \text{ with } \|s_{i,j}\|_{\infty} \leq B_{\mathsf{com}}.$$
If this equation is satisfied, then the final verification check looks like
$$\mathsf{Commit}(y_j, s_j)\stackrel{?}{=} \sum_{i=0}^{k-1} b^{i-1} \cdot \mathsf{Commit}(y_{i,j}, s_{i,j}).$$
Our main setting is the case where $\mathbb{F}$ is a prime field and $\mathbb{K}$ is a quadratic extension of $\mathbb{F}$; in this fashion, we can treat elements in $\mathbb{K}$ (respectively, $\mathrm{R}_{\mathbb{K}}$) as pairs of elements in $\mathbb{F}$ (respectively, $\mathrm{R}_{\mathbb{F}}$). Clearly, the argument can be expanded to handle more general field extensions. In particular, we represent $s$ as the matrix
$$ s = (s_{j,c})_{j=0,c=0}^{\deg \Phi - 1, 1}\in \mathbb{F} ^{(\deg \Phi - 1)\times 2}.$$
The algorithm draws its inspiration from the signed-digit representation of numbers in base $b$. It first handles the salts associated with the higher powers of $b$ and then adjusts the values in the sampling of the $1$-st and the $0$-th random salts.
1. Fix budget $B' = \lfloor (B_{\mathsf{com}} -2^2)/ (2^k - 1)\rfloor$ (here we assume that $B_{\mathsf{com}} -2^2) > (2^k - 1)$).
2. We denote the $i$-th salt by $s_i$ and understand it as the matrix $s_i=(s_{i,j,c})_{j=0,c=0}^{\deg \Phi - 1, 1}$; here $c$ indexes the pair of coordinates representing an element of $\mathbb{K}$.
Therefore, we can sample each entry, for each slot $i = 2, \ldots, k-1$, uniformly from $\{-B', \ldots, B'\}$.
3. For slot $i = 1$:
- compute the sums $v_{j,c}= s_{j,c} - \sum_{i=2}^{k-1}2^i \cdot s_{i,j,c}$;
- sample, for each $j$ and $c$, $\tilde{v}_{j,c}\gets\{-B', \ldots, B'\}$ and then apply a parity correction so that $\tilde{v}_{j,c} \equiv v_{j,c} \pmod{2}$; here we adjust $\tilde{v}_{j,c}$ by $\pm 1$ to match the parity requirement above;
- assign $s_{1,j,c} \gets \tilde{v}_{j,c}$.
4. For slot $i = 0$:
- set $s_{0,j,c} \gets \tfrac{1}{2}\cdot (s_{j,c} - \sum_{i=1}^{k-1}2^i \cdot s_{i,j,c})$ (which is even by the parity correction above and makes sense in $\mathbb{Z}$).
Let us recall that in SuperNeo, the authors consider the $\mathsf{split}_b$ algorithm: this is the $b$-ary decomposition algorithm in $\mathbb{F}$ (once we embed $[-b,b]\subset \mathbb{F}$).
We are finally ready to describe the reduction $\Pi_{\mathsf{DEC}}'$.
- The prover computes the decomposition:
$$(z_1, \ldots, z_k)\gets \mathrm{split}_b(z)$$
and
$$(s_{0,j}, \ldots, s_{k-1,j}) \gets \mathrm{SaltDec}(s_j) \quad \forall j \in [t].$$
For each piece $z_i$, the prover computes:
$$c_i \gets \mathcal{L}(z_i), \, y_{i,j} \gets \overline{M}_j \cdot z_i(\vec{r}), \, C_{i,j} \gets \mathsf{Commit}(y_{i,j}, s_{i,j})$$
and sends $\{c_i, C_{i,j}\}_{i \in [k], j \in [t]}$ to the verifier. - The verifier decomposes the instance: $(x_1, \ldots, x_k) \gets \mathrm{split}_b(x)$.
- The verifier checks the decomposition equalities on both instances and commitments:
$$c \stackrel{?}{=} \sum_{i=1}^{k} b^{i-1} \cdot c_i$$
and
$$\mathsf{Commit}(y_j, s_j) \stackrel{?}{=} \sum_{i=1}^{k} b^{i-1} \cdot C_{i,j} \quad \forall j \in [t]$$
where the second equation exploits the homomorphic property of ABDLOP - Output relation: The output of $\Pi_{\mathsf{DEC}}'$ is in $\mathsf{CE}_{\mathsf{com}}(b,\mathcal{L},\mathsf{Commit})^k$, carrying
- as instance: $\{c_i, x_i, \vec{r}, C_{i,j}\}_{i \in [k], j \in [t]}$, and
- as witness: $\{z_i, y_{i,j}, s_{i,j}\}_{i \in [k], j \in [t]}$.
A remark on the security proofs
To not overburden the reader, we decide not to dive into the proofs in this blog post but delegate them to the main technical paper. Even though the paper is still a work in progress, we would like to notice that the proof flow is rather standard and follows a combination of the Strong-Weak Composition Theorem of SuperNeo [Theorem 6, NS26] and the construction of a suitable simulator for proving the blinding property, building on [Lemma 5, KS23].
A complexity comparison with Nova and SuperNeo
We report here a few efficiency measures of our protocol when compared to Nova (over a 254-bit field) and SuperNeo (over a 64-bit field). We do not discuss them in detail as we will provide a complete analysis in the upcoming paper; however, we wish to provide some measurements and discuss trade-offs.
First of all, let us note that, stripped of all constants, we still maintain the asymptotic behavior of SuperNeo.
| Metric | LatticeBlindFold (Small Fields) | SuperNeo (Small Fields) | Nova (Large Field) |
| Prover Time | $\mathcal{O}(m)$ | $\mathcal{O}(m)$ | $\mathcal{O}(N + m \log m)$ |
| Verifier Time | $\mathcal{O}(l + \log m)$ | $\mathcal{O}(l + \log m)$ | $\mathcal{O}(l)$ |
| Communication | $\mathcal{O}(\log m)$ | $\mathcal{O}(\log m)$ | $\mathcal{O}(1)$ |
Note that here $m$ represents the number of constraints, $l$ is the public input size, and $N$ represents the number of non-zero matrix entries.
The trade-off is clear from construction: the prover's running time and the proof size need to grow. However, these preliminary measurements show that the protocol remains feasible. We wish to remark that here we are trying to bound the efficiency measurements from above and they will improve after a fine-tuning analysis.
| Metric | Nova (Large Field) | LatticeBlindFold (Small Field) |
| Total Field Operations | ≈ $2.24 \times 10^7$ (254-bit) | ≈ $1.00 \times 10^{10}$ (64-bit) |
| Amortized Cost per Mult. | ≈ $40$ cycles | ≈ $1.5$ cycles |
| Estimated CPU Cycles | ≈ $8.94 \times 10^8$ cycles | ≈ $15.02 \times 10^9$ cycles |
| Prover Latency (16-Core) | ≈ $242.2$ Milliseconds | ≈ $1252.0$ Milliseconds |
In terms of proof sizes we have:
- LatticeBlindFold: ≈ 842-862 KB per step.
- SuperNeo: ≈ 72 KB per step.
- Nova: ≈ 128-200 B per step.
Note that the numbers related to the prover are computed with $m=2^{20}$, $l=2^{13}$, and $N=3m$.
On the other hand, the verifier benefits from a huge boost, since most work is handled by the prover.
| Execution Metric | Nova (Large Field) | LatticeBlindFold (Small Field) |
| Total Field Operations | ≈ $1.25 \times 10^5$ (254-bit $\mathbb{F}$) | ≈ $1.02 \times 10^6$($\mathbb{F}$-equiv., 64-bit) |
| Total Algorithmic Load | ≈ $5.00 \times 10^6$ cycles | ≈ $1.53 \times 10^6$ cycles |
| Single-Threaded Latency | ≈ $1.67$ Milliseconds | ≈ $0.51$ Milliseconds |
| Parallel Efficiency ($\eta_{\text{parallel}}$) | ≈ 15% | ≈ 80% |
| Multi-Threaded Latency (4-Core) | $1.48$ Milliseconds | ≈ $0.20$ Milliseconds |
Note that here we simply say that Nova does not show strong improvements when run on a single thread, while lattice-based protocols gain a performance boost over multiple threads.
Let us remark that we compute these approximations considering Amdahl's law.
Present and future work
As of today, we are finalizing the technical paper and we plan to make it public as soon as possible. To the best of our knowledge, this is the first work approaching this line of research, and we hope it will be the first of many.
As noted in the comparison section above, we still aim for further improvements to obtain a performance result on par with NovaBlindFold; these will come both from a careful fine-tuning process and, on the engineering/hardware side, from leveraging parallelization techniques (and GPUs).
Present and future research
This work leaves us with several questions, from the rather simple ones, like
What if we consider random projections for norm checking rather than including them in the Sum-Check protocol?
or
Could some techniques from Cyclo [GLLO26] be introduced in our work?
to the more advanced, like
Is TBA the right polynomial commitment scheme? If so, can we improve further?
Are there some workarounds for using Hachi?
Can we further aggregate commitments in our zk-fying process for constructing LatticeBlindFold?
If so, we would be able to reduce proof size.
Does there exist a succinct lattice-based (polynomial) commitment scheme with high compression and high efficiency, which allows committing to messages of any norm size?
This might allow us to replace the ABDLOP commitment of the masking polynomial with a succinct one.
and
All folding schemes fold instance-witness pairs with a linear combination, but is there a different method for producing a folding?
Replacing linear combinations would get rid of norm checks and restrictions (in total or partially).
Conclusion
To conclude, we summarize what we've covered, starting with a recap that LatticeBlindFold's aim is to bring the blinding paradigm of NovaBlindFold to the lattice-based foundations of SuperNeo.
We consider a combination of Libra-style polynomial masking and non-succinct ABDLOP commitments, for plugging the information leaks inherent to standard lattice folding. We achieve (conditional on the construction of the extractable, zero-knowledge Multivariate PCS working over extension fields) the construction of the LatticeBlindFold folding scheme, which
- allows to introduce ZK on top of existing protocols,
- works over small-field arithmetic for lightweight computation, and
- is quantum resistant due to the hardness of Ring/Module-SIS assumptions,
but at the cost of additional prover work and a larger proof size.
While this work represents an ongoing, evolving effort tailored for next-generation architectures (like ICME Labs' Jolt Atlas), the broader implications are clear: we can introduce zero-knowledge on top of proof systems while preserving post-quantum security.
ICME Labs: help@icme.io
Acknowledgments
Many thanks to (in alphabetical order) Wyatt Benno, Alberto Centelles, Antoine Douchet, Khalil Gibran for several discussion and their valuable feedback.
References
- [BC24] - Boneh, D. & Chen, H. – LatticeFold: A Lattice-based Folding Scheme and its Applications to Succinct Proof Systems, 2024, https://eprint.iacr.org/2024/257.
- [BCDG26] - Benno, A., Centelles, J., Douchet, P., & Gibran, M. – Jolt Atlas: Verifiable Inference via Lookup Arguments in Zero Knowledge, 2026, https://arxiv.org/abs/2602.17452.
- [BDL+16] - Baum, C., Damgård, I., Lyubashevsky, V., Oechsner, A., & Peikert, C. – More Efficient Commitments from Structured Lattice Assumptions, 2016, https://eprint.iacr.org/2016/997.
- [BS22] - Beullens, W. & Seiler, G. – LaBRADOR: Compact Proofs for R1CS from Module-SIS, 2022, https://eprint.iacr.org/2022/1341.
- [CFW26] - Chiesa, A., Fenzi, E., & Weissenberg, T. – Zero-knowledge IOPPs for Constrained Interleaved Codes, 2026, https://eprint.iacr.org/2026/391.
- [DHRR26] - Dalal, R., Hemo, T., Rabinovich, E., & Rothblum, R. – VEIL: Lightweight Zero-Knowledge for Hash-Based Multilinear Proof Systems, 2026, https://eprint.iacr.org/2026/683.
- [GLLO26] - Garreta, A., Lipmaa, H., Luhaäär, J., & Osadnik, E. – Cyclo: Lightweight Lattice-based Folding via Partial Range Checks, 2026, https://eprint.iacr.org/2026/359.
- [GKR08] - S. Goldwasser, Y. T. Kalai, and G. N. Rothblum – Delegating computation: interactive proofs for muggles. In STOC, pages 113–122, 2008.
- [KLNO25] - Klooß, M., Lai, R. W. F., Nguyen, K., & Osadnik, E. – RoK and roll — Verifier-efficient Random Projection for Õ(λ)-size Lattice Arguments, 2025, https://eprint.iacr.org/2025/1220.
- [KS23] - Kothapalli, A. & Setty, S. – HyperNova: Recursive Arguments for Customizable Constraint Systems, 2023, https://eprint.iacr.org/2023/573.
- [KST21] - Kothapalli, A., Setty, S., & Tzialla, I. – Nova: Recursive Zero-Knowledge Arguments from Folding Schemes, 2021, https://eprint.iacr.org/2021/370.
- [KV25] - Kaviani, D. & Setty, S. – Vega: Low-Latency Zero-Knowledge Proofs over Existing Credentials, 2025, https://eprint.iacr.org/2025/2094.
- [LNP22] - Lyubashevsky, V., Nguyen, A., & Plancon, M. – Lattice-based Zero-Knowledge Proofs and Applications, 2022, https://eprint.iacr.org/2022/284.
- [NOZ26] - Nguyen, N. K., O’Rourke, G., & Zhang, J. – Hachi: Efficient Lattice-Based Multilinear Polynomial Commitments over Extension Fields, 2026, https://eprint.iacr.org/2026/156
- [NS26] - Nguyen, A. & Setty, S. – Neo and SuperNeo: Post-quantum Folding with Pay-per-Bit Costs over Small Fields, 2026, https://eprint.iacr.org/2026/242.
- [Tha22] - Thaler J. – Proofs, arguments, and zero-knowledge. Foundations and Trends® in Privacy and Security, 4(2–4):117–660, 2022, https://people.cs.georgetown.edu/jthaler/ProofsArgsAndZK.pdf
- [XZZ+19] - Xie, T., Zhang, J., Zhang, Y., Papamanthou, C., & Song, D. – Libra: Succinct Zero-Knowledge Proofs with Optimal Prover Computation, 2019, https://eprint.iacr.org/2019/317.
Cryptography and Mathematics researcher.