I’m a senior research scientist at Offchain Labs. I mostly work on efficient zero-knowledge proof systems, their building blocks, their foundations and their applications. My interest is in cryptography at large.

I previously worked as a research scientist at Matter Labs and Protocol Labs and as a post-doctoral researcher at Aarhus University with Claudio Orlandi (2020-2021) and at the IMDEA Software Institute with Dario Fiore (2018-2020).

While at the Graduate Center of the City University of New York (CUNY), I worked with Rosario Gennaro; in 2018 both Rosario and CUNY made the careless blunder of giving me a PhD.

Research


My work has appearead at top- and high-rank cryptographic conferences. For a full list of publications, see my Google Scholar page. Below you can find my work organized by question/topic rather than year/conference.

In some of my latest projects I worked on problems as:

  • How to build efficient SNARKs for integers? [paper] [slides]
  • How can we best combine techniques from fast proof schemes (e.g., Spartan) with those from extremely succinct proofs (e.g., Groth16) obtaining a small (universal) setup? [Testudo paper] [Testudo blog post]
  • What are the efficiency tradeoffs of SNARKs with a single (universal) setup? [Lunar paper] [Anaïs Querol’s slides] [Lunar code]
  • Can we construct efficient commit-and-prove SNARKs (SNARKs over committed inputs) with a single (universal) setup? [Lunar paper] [ECLIPSE paper] [Lunar&ECLIPSE slides]
  • Can we design and compose specialized SNARKs efficiently and simply? [LegoSNARK paper] [slides] [LegoSNARK code]
  • How much can we decentralize authenticated data structures? [paper]
  • How can we prove set-membership efficiently and privately (applications to whitelisting, anonymous cryptocurrencies, etc.)? [paper] (see also Veksel and Curve Trees below)
  • How can we prove batch set-membership succinctly and efficiently compose it with other SNARKs? [HARiSA paper] [Talk by Dario Fiore]
  • Can we construct linear-map vector commitments from already deployed setups? How to make them maintainable generically? How to use them? [paper]
  • Can we extend existing lookup arguments so to apply them efficiently to zero-knowledge for machine learning? [paper]
  • How to construct simple verifiable DBs not relying on general-purpose SNARKs? [Tavloid post]

Witness-Encryption-like Primitives

  • Encryption to the Future: How can we emulate WE to pass state long-term in decentralized networks? [paper]
  • How to simply approximate witness encryption through witness-authenticated key exchange? [paper]
  • How to marry witness encryption and succinct functional commitments for fun and (theoretical&practical) profit? [paper] [slides]

On Theory for Cryptographic Proofs

  • Are zkVMs non-malleable? [paper]
  • What are theoretical limits for extractable arguments with nice composability features? [paper] [slides]
  • What role does the programmability of the random oracle play in the above? [paper]
  • How much can we push designated-verifier primitives to achieve some level of public-verifiability? [paper]
  • How to use obfuscation to compile designated-verifier primitives into publically verifiable ones? And can we compile other primitives in a similar manner? [paper]

Efficient Proofs in Cryptocurrencies

Proofs of Space

  • How to apply (non-trivially) polynomial evaluation techniques to make decentralized storage more scalable? [paper]

Rationality and Fine-Grained Cryptography

  • Is expressive, efficient “higher” crypto (e.g. MPC, FHE, VC) possible without cryptographic assumptions (at the cost of being secure against “weaker” adversaries)? [paper]
  • How to design protocols for verifiable computation when a server is economically incentivized (and with no cryptographic assumptions)? [thesis] [Sequential composability paper] [Space bounded computation paper]
  • How to make verifiable computation based on rational assumptions as efficient as modern SNARKs? And how to define “extractability” in the rational setting? [paper]
  • If I apply the Fiat-Shamir transform to make a rational protocol non-interactive does it stay secu…? Nope! [paper]

ZK Standards


Commit-and-Prove

I was co-chair of the working group leading the effort to standardize (commit/encrypt)-and-prove in zero-knowledge proofs. Some resources:

Comparing ZKPs

Teaching


Students I Officially Supervised


  • Agni Datta (current), M.Sc. Student @ Vellore Institute of Technology
  • Hamidreza Khoshakhlagh, PhD Student @ Aarhus University (graduated in 2022)
  • Luigi Russo, PhD Student @ Sorbonne & EURECOM (supervised during Luigi’s internship at Matter Labs in Summer ‘24)

Program Committees


  • CCS 2025
  • Eurocrypt 2025
  • CCS 2024
  • Asiacrypt 2023
  • CCS 2023
  • CIFRIS 2023
  • ACNS 2023
  • ACNS 2022
  • ICPC 2021

Software


  • SNARK libraries: LegoSNARK and Lunar
  • citerus, a tool to help retrieving cryptographic citations when writing papers in LaTeX.