Tweet

Matthew Green

9 Jul, 8 tweets, 2 min read

Every article I read on (ZK) rollups almost gets to the real problem, and then misses it. The real problem is the need for storage. ZK proofs won’t solve this.

I keep reading these articles that talk about the problems with rollups. And they’re good articles! E.g.: medium.com/dragonfly-rese…

But they always reach a point where they realize that the problem is state storage, and then they handwave that the solution is going to be something like Mina or zkSync, which don’t fully solve the state storage problem.

The problem here is that smart contract systems have three kinds of state:

1. Public state (eg total supply of an ERC20)
2. User-owned state (eg your balance in an ERC20)
3. Useless cruft (eg a specific set of transaction structures, block headers, etc.)

ZK-style rollups can help eliminate most of the cruft (category 3).

In principle they can also push storage responsibility for some types of user-owned state onto the users themselves (with a lot of careful engineering work.)

So what’s left is “only” public contract state.

But that public contract state has to be held in a place where it is guaranteed to be available for a while, and can even be moved around if rollup servers die. I feel like all current public discussion discounts the scaling limitations this will create.

Note that I’m not saying “nobody is working on this”. Lots of people are thinking about it. I just don’t think people are publicly explaining how much of a giant PITA it will be. And how ZK solutions (even if they work) will just leave you stuck with a state storage problem.

And I’m afraid that given the incentives, there’s a very simple solution to all of this: just keep the state on a centralized server, rather than designing it to be available and move around.

But once you do that, you may as well just be Binance Smart Chain.

• • •

Missing some Tweet in this thread? You can try to force a refresh

This Thread may be Removed Anytime!

Twitter may remove this content at anytime! Save it as PDF for later use!

More from @matthew_d_green

Matthew Green

@matthew_d_green

9 Jul

https://twitter.com/verge/status/1413178494893309952

Wait, why would we care if they were hacked? Wouldn’t that just mean more people worldwide gained access to an effective vaccine?

https://twitter.com/verge/status/1413178494893309952

Is this what it feels like to become a pirate?

Ok having actually, you know, looked at the article — it’s about disruptive hacking. Stopping that seems like it’d be a pretty good thing.

Read 4 tweets

Matthew Green

@matthew_d_green

7 Jul

https://twitter.com/japi999/status/1412667455319728131

This new EU legislation granting providers the right to “voluntarily” scan private messages doesn’t break encryption, or take us to a regime of mandatory mass surveillance. But it definitely sets the stage.

https://twitter.com/japi999/status/1412667455319728131

What’s remarkable about this stuff is that it’s phrased as “protecting children from child abuse”. And as a parent I appreciate that. But has anyone explored, empirically, if any of this surveillance actually works to stop the problem?

Here in the US we’ve built an enormous surveillance system to detect instances of child sexual abuse material, it’s been running for years, and the number of reports is going up exponentially.

How many pedophiles are there? Isn’t it a smallish number?

Read 8 tweets

Matthew Green

@matthew_d_green

6 Jul

I was going to laugh off this Kaspersky password manager bug, but it is *amazing*. In the sense that I’ve never seen so many broken things in one simple piece of code. donjon.ledger.com/kaspersky-pass…

Like seriously, WTF is even happening here. Why are they sampling *floats*? Why are they multiplying them together? Is this witchcraft?

And here, Kaspersky decided that instead of picking a random password, they should bias the password to be non-random and thus “less likely to be on a cracker list”. 🤦🏻‍♂️

Read 13 tweets

Matthew Green

@matthew_d_green

4 Jul

I’m struggling to understand how a 1-bit hash error can get irreversibly incorporated into CT, while all the blockchains of the world hum along happily. groups.google.com/a/chromium.org…

The problem here is not that a hash can be corrupted, because that happens. The problem is that somehow the totally “breaks” the CT log? Seems like an avoidable design error. But it’s early and I’m still drinking my coffee.

Anyway, it seems to me that every cryptographic system should be built with the assumption that something (memory, network, 56K phone modem) will introduce errors, and the system will detect those errors — but not by exploding.

Read 5 tweets

Matthew Green

@matthew_d_green

16 Jun

This is an amazing paper. It implies (with strong statistical evidence) that the design of a major mobile-data encryption algorithm — used in GPRS data — was deliberately backdoored by its designer. eprint.iacr.org/2021/819

The GPRS standards were extensions to the GSM (2G/3G) mobile standard that allowed phones to use data over cellular networks. This was before LTE. For security, the standards included encryption to provide over-the-air security for your data. 2/

As is “normal” for telephony standards, the encryption was provided by two custom ciphers: GEA-1 and GEA-2. While there were strong export control regulations in place for crypto, there’s little overt indication that either of these ciphers was deliberately weakened. 3/

Read 14 tweets