Karim Eldefrawy

Cryptography, Cybersecurity, Privacy

Co-founder and CTO at Confidencial.io
2017-2021: SRI
2011-2016: HRL Laboratories
2006-2010: PhD@UC Irvine

Scientific curiosity

Scientific knowledge map · Paper #67

Boosting the Performance of High-Assurance Cryptography: Parallel Execution and Optimizing Memory Access in Formally Verified Line-Point Zero-Knowledge

Samuel Dittmer, Karim Eldefrawy, Stéphane Graham-Lengrand, Steve Lu, Rafail Ostrovsky, and Vitor Pereira

2023 · 30th ACM Conference on Computer and Communications Security (CCS)

  • Theory
  • Applied
  • algorithm

What does the paper try to establish?

Can verified changes to data representation, memory access, and parallel scheduling make extracted Line-Point Zero-Knowledge code competitive with a hand-written implementation while preserving the protocol's security properties?

What is the proposed answer?

The 2023 paper presents sequential, parallel, list, and array optimizations proved in EasyCrypt and reports speedups up to about 3,000x. A 2025 peer-reviewed re-analysis subsequently found defects in the modeled soundness and zero-knowledge proofs and a randomness-generation gap in the extracted verifier. The performance contribution remains separately evidenced, but the represented sources no longer support the original claim that the resulting protocol implementation has the asserted end-to-end high-assurance security.

Six dimensions, kept separate

The chart summarizes documented evidence and process. It is not a correctness probability, confidence score, or ranking, and no composite score is calculated.

The visual spider chart requires JavaScript. The complete values and rationales follow in text.

LowMediumHighN/A = not assessed

A smaller value means less documented support for that dimension, not that the paper is false or unimportant.

Epistemic evidence Medium

The original paper and repository strongly document optimization and benchmark evidence, but peer-reviewed follow-up work materially contradicts the soundness, zero-knowledge, and extraction assurance. Medium reflects this mixed evidentiary state.

Extracted-code evaluation and speedup comparisons Public EasyCrypt and implementation materials Soundness and zero-knowledge model defects Extracted-verifier randomness gap and lessons
Auditability High

Public full text, code and proof artifacts, official metadata, and an independent technical audit expose both the original claims and later counterevidence.

Performance problem, approach, and reported contributions Public EasyCrypt and implementation materials Independent re-analysis and summary of findings
Production provenance Medium

Authorship, publication records, manuscript, and repository are documented, but contributor roles, exact artifact-to-paper commit identity, revision history, and toolchain provenance are incomplete.

Official publication identity Public EasyCrypt and implementation materials
External scrutiny High

Beyond CCS review, a later peer-reviewed paper independently reconstructed and adversarially tested the formal claims, identifying concrete attacks and implementation gaps.

Official publication identity Independent re-analysis and summary of findings Soundness and zero-knowledge model defects
Reception Low

The dated OpenAlex snapshot located 5 citations. Under the author-defined rule, 0 through 8 located citations is Low; the qualitative importance of a direct audit is recorded separately.

Dated citation-count snapshot Independent re-analysis and summary of findings
Contribution significance Medium

The work contributes substantial optimization and a reusable parallelization approach, but later findings substantially reduce the warranted security significance of the high-assurance claim.

List-based parallel optimization and split/aggregate framework Extracted-code evaluation and speedup comparisons Independent re-analysis and summary of findings

Assessment: Ai draft author review pending · 2026-07-11 · rubric 0.2. These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.

Hierarchical knowledge map

Collapse a branch for a top-level reading, or follow its source links and child nodes to audit the evidence and boundaries underneath it.

paper

Optimized formally verified LPZK

An optimization and proof-engineering paper for LPZK whose reported performance gains are accompanied by EasyCrypt verification; later peer-reviewed scrutiny found that the security model and extracted verifier did not establish the claimed end-to-end security.

Performance problem, approach, and reported contributions Independent re-analysis and summary of findings
  1. contribution

    Original answer, now qualified

    partially supported and materially qualified

    The paper answers yes by verifying transformations and extracting optimized OCaml that approaches the manual implementation. The speed result is documented, but the later audit shows that the formal development's security specification and extraction boundary were insufficient to justify the original high-assurance conclusion.

    Performance problem, approach, and reported contributions Extracted-code evaluation and speedup comparisons Soundness and zero-knowledge model defects Extracted-verifier randomness gap and lessons
  2. algorithm Optimization family implemented and verified relative to model

    The work develops four related variants that alter traversal, memory representation, and execution parallelism while proving equivalence obligations in EasyCrypt.

    List-based sequential optimization List-based parallel optimization and split/aggregate framework Array-based sequential and parallel variants
    1. algorithm

      List-sequential variant

      implemented

      The list-sequential transformation restructures verifier-side computation to reduce repeated circuit or list traversal while retaining a sequential list representation.

      List-based sequential optimization
    2. algorithm

      Array-sequential and array-parallel variants

      implemented

      Replacing linked-list access with arrays improves locality and supports both sequential and parallel extracted implementations.

      Array-based sequential and parallel variants
  3. claim group Claims and present evidence status mixed after followup

    Performance and transformation claims must be evaluated separately from soundness, zero-knowledge, and end-to-end assurance claims.

    Extracted-code evaluation and speedup comparisons Independent re-analysis and summary of findings
    1. claim

      Large performance improvement

      experimentally supported

      The evaluation reports speedups reaching roughly 3,000x over the prior extracted baseline and performance close to the hand-written LPZK implementation for the measured configurations.

      Extracted-code evaluation and speedup comparisons
  4. evidence group

    Evidence layers

    mixed

    EasyCrypt proofs support properties of the encoded programs and games, extracted-code benchmarks support performance, and the public repository supports inspection; later adversarial analysis tests whether those layers capture the intended cryptographic guarantees.

    LPZK baseline and EasyCrypt proof/extraction path Extracted-code evaluation and speedup comparisons Public EasyCrypt and implementation materials Independent re-analysis and summary of findings
  5. scrutiny 2025 independent security re-analysis independent peer reviewed critique

    The follow-up paper audits the proof models and implementation boundary and reports multiple security-critical discrepancies, making it essential context for interpreting the 2023 claims.

    Independent re-analysis and summary of findings
    1. counterevidence

      Soundness model permits false statements

      demonstrated attack

      The re-analysis reports that the EasyCrypt soundness model and proof are incorrect and supplies an attack under which the verifier can accept a false statement.

      Soundness and zero-knowledge model defects
    2. counterevidence

      Zero-knowledge model is deficient

      demonstrated model failure

      The re-analysis finds that the modeled zero-knowledge property does not exclude a verifier recovering the witness and also identifies a gap in the underlying pen-and-paper perfect-zero-knowledge argument under the analyzed interpretation.

      Soundness and zero-knowledge model defects
    3. counterevidence

      Randomness generation crosses the extraction boundary incorrectly

      implementation gap

      The extracted verifier combines randomness generation with verified logic in a way the re-analysis identifies as inconsistent with the proved model, so proof-to-code correspondence is not end-to-end.

      Extracted-verifier randomness gap and lessons
  6. limitation group Present boundaries materially revised by followup

    Formal verification establishes only a specified model and implementation boundary; it does not automatically validate the cryptographic definition, environmental assumptions, randomness interface, or extracted system.

    Independent re-analysis and summary of findings Extracted-verifier randomness gap and lessons

Source index

Locators state the depth of the current audit. PDF page numbers, where present, are one-based file pages; metadata-, summary-, and abstract-bounded records explicitly identify their limitations.

  1. Performance problem, approach, and reported contributions Abstract and Section 1
  2. LPZK baseline and EasyCrypt proof/extraction path Section 2
  3. List-based sequential optimization Section 3
  4. List-based parallel optimization and split/aggregate framework Section 4
  5. Array-based sequential and parallel variants Section 5
  6. Extracted-code evaluation and speedup comparisons Section 6 and performance figures
  7. Original assurance and performance conclusions Section 7, PDF page 28 in the ePrint version
  8. Public EasyCrypt and implementation materials LPZK subtree of the high-assurance-crypto repository
  9. Independent re-analysis and summary of findings Abstract, introduction, and overview of findings
  10. Soundness and zero-knowledge model defects Technical analyses of soundness, zero knowledge, and the underlying pen-and-paper proof, Sections 3-5
  11. Extracted-verifier randomness gap and lessons Extraction analysis and recommendations, Section 6 and conclusion
  12. Official publication identity ACM CCS 2023, DOI 10.1145/3576915.3616583
  13. Dated citation-count snapshot OpenAlex cited_by_count was 5 when accessed 2026-07-11