Research at Ethereum Foundation
France
Joined August 2014
- Tweets 3,087
- Following 2,083
- Followers 1,922
- Likes 911
Pinned Tweet
My journey as a researcher began with a PhD in applied math for the automotive & aeronautic industries!
Every day now, I'm amazed by the parallels between solving physics problems and building eth future.
Blockchain draws from so many fields — an often underappreciated fact!
Great open question from @SuccinctJT.
Feels like we’re entering the era of designs that go beyond the VM abstraction — where performance drives architecture, not the other way around.
13/13 Conclusion: The fastest SNARKs are built on this new blueprint.
They use sum-check as the PIOP, combined with techniques (sparse sums, virtual polynomials, small-value preservation) to exploit the structure of the computation.
This is the path to faster, simpler provers.
12/13 Case Study: Jolt (a RISC-V zkVM).
Jolt's speed comes from not using generic circuits. It exploits the repeated structure of a CPU.
• Instruction Fetch: Shout (lookup)
• Register Access: Twist (read/write)
• Instruction Logic: Shout (batch eval)
• RAM Access: Twist
11/13 This is far more efficient than the "old" way via permutation checks (e.g., PLONK). That approach forces the prover to:
1. Commit to an extra sorted copy of the trace (more cost).
2. Use grand products (which aren't small-value preserving).
10/13 These ideas are combined in modern memory-checking protocols:
• Shout: A batch evaluation / lookup argument (read-only memory).
• Twist: A read/write memory-checking argument.
These protocols embrace sparsity, using sparse sum-checks & virtual polynomials.
9/13 Another key tool: Virtual Polynomials.
The lesson: Don't commit to a massive polynomial P if you don't have to. Instead, commit to smaller polynomials p1, p2 & define P as a low-degree function of them. Sum-check can still "query" P by reducing to queries on p1, p2.
8/13 The fastest provers exploit structure. A key technique is sparse sum-checks.
If summing N items (e.g., N=2^128) but only T are non-zero (e.g., T=2^30), a naive O(N) prover is impossible. We need an O(T) prover. The prefix-suffix algorithm is one way to do this.
7/13 The survey frames PCSes as "cryptographically wrapped" PIOPs:
• KZG = The quotienting PIOP in the exponent. (Problem: q(X) isn't small-value preserving).
• Bulletproofs/IPA = The sum-check protocol in the exponent.
(Problem: Turns fast field-ops into slow scalar-mul).
6/13 Prover cost is dominated by commitments. These are fast for sparse vectors or data with small values (small-value preservation).
The quotient polynomial q(X) loses sparsity and small-value properties, making the prover's main task (committing to q) slow.
5/13 The article contrasts two main PIOP (Polynomial IOP) approaches:
1. Quotienting: (e.g., KZG) Proves P(X) = Q(X) * Z(X).
2. Sum-check: (e.g., Spartan, Jolt) Proves Σ g(x) = C.
The "old" way (PCPs -> SNARKs) used quotienting. The modern way builds directly on sum-check.
4/13 This creates a clear performance hierarchy:
• Slowest: SNARKs that don't use sum-check.
• Faster: SNARKs that use sum-check naively.
• Fastest: SNARKs that combine sum-check with techniques to aggressively exploit repeated computational structure.
3/13 This is where sum-check shines. It's an information-theoretic protocol using interaction and randomness to offload work.
It lets a prover prove a large sum Σ g(x) = C by having the verifier check g(r) at just 1 random point r.
Prover work = O(N),
Verifier work = O(log N).
2/13 SNARK prover bottleneck:
1. Commit Cost: Committing to witnesses/advice is cryptographically expensive.
2. Proof Cost: All committed data must then be proven "well-formed," adding more work.
Design principle for fast provers: Commit to as little data as possible.
1/13 A new survey from @SuccinctJT: the sum-check protocol is the foundation for all fast SNARK provers.
The key thesis: Prover time is dominated by (1) commitment cost and (2) proving data is well-formed. Sum-check, when used correctly, minimizes both. 🧵
Just merged this one, a new optimization in hand in our WHIR ecosystem repo, and not a minor one.
Strong engineering/research work from @class_lambda folks on optimizing sumcheck, applying the Bagad et al. approach efficiently within WHIR!
github.com/tcoratger/whir-p3…
Twist and Shout via logup* by @georgwiese
powdr.org/papers/twist_shout…
tcoratger retweeted
An exciting update from myself and @benediamond (eprint.iacr.org/2025/2010). We show that the 𝘶𝘱-𝘵𝘰-𝘤𝘢𝘱𝘢𝘤𝘪𝘵𝘺 proximity gaps conjecture is 𝗳𝗮𝗹𝘀𝗲. More precisely, given any pair c, d we construct codes whose error grows faster than nᶜ / (q ⋅ (ρ η)ᵈ).
Strong engineering/research work from @class_lambda folks on optimizing sumcheck, applying the Bagad et al. approach efficiently within WHIR!
github.com/tcoratger/whir-p3…
Once a Validator, Not Always a Validator by @commonwarexyz team
commonware.xyz/blogs/reshare