[MINUTES] CCG Atlantic Weekly 2025-10-14 from meetings@w3c-ccg.org on 2025-10-14 (public-credentials@w3.org from October 2025)

From: <meetings@w3c-ccg.org>
Date: Tue, 14 Oct 2025 15:13:45 -0700
To: public-credentials@w3.org
Message-ID: <CA+ChqYdqm9Wk-0fOiWyv0NjMNo4hz0p4ZOYRnwmQ_pByFaFUpQ@mail.gmail.com>
Here's a summary of the W3C CCG Atlantic Weekly meeting held on 2025/10/14:
Meeting Summary

This meeting focused on a recap of the Google Web3 Zero Knowledge and AI
summit, followed by a discussion on Longfellow, a zero-knowledge proof
system.
Topics Covered:

   - *Google Web3 Zero Knowledge and AI Summit Recap:* Andrea D'Intino
   provided insights from the summit, discussing zero-knowledge proofs applied
   to fintech and AI. Key takeaways included the use of zero-knowledge proofs
   for anonymous transactions and AI-related applications like ensuring
   fairness in mortgage decisions.
   - *Longfellow Deep Dive:* The discussion centered on Longfellow, a
   zero-knowledge proof system, and its integration within Zen Room. Jaromil
   provided technical details, including the use of a Domain Specific Language
   (DSL) for circuit development.
   - *Comparisons and Trade-offs:* The advantages and disadvantages of
   Longfellow compared to BBS (Bulletproofs based Signature) were discussed,
   including its compatibility with existing hardware, the complexity of
   circuits, and performance considerations.
   - *Discussion on Post-Quantum Security:* The potential for Longfellow to
   be quantum-safe, as well as the ongoing debate around its post-quantum
   capabilities were mentioned.
   - *Benchmarks and Speed:* The speed benchmarks of Longfellow were
   discussed relative to BBS.

Key Points:

   - *Longfellow's Strengths:* Longfellow works with existing hardware,
   making it suitable for European digital identity initiatives.
   - *Circuit Complexity:* Creating and managing circuits is complex. The
   DSL that Jaromil is creating helps with this.
   - *Performance:* Longfellow is an order of magnitude slower than BBS,
   especially in SHA 256 verification.
   - *Privacy Concerns:* There are concerns that Google's API could expose
   data before zero-knowledge transformation.
   - *Post-Quantum Considerations:* The post-quantum security of Longfellow
   is still a topic of debate.

Text:
https://meet.w3c-ccg.org/archives/w3c-ccg-ccg-atlantic-weekly-2025-10-14.md

Video:
https://meet.w3c-ccg.org/archives/w3c-ccg-ccg-atlantic-weekly-2025-10-14.mp4
*CCG Atlantic Weekly - 2025/10/14 11:55 EDT - Transcript* *Attendees*

Alex Higuera, Andrea D'Intino, Benjamin Young, Dave Lehn, Dmitri Zagidulin,
Erica Connell, Fireflies.ai Notetaker Ivan, Greg Bernstein, Gregory Natran,
Harrison Tang, Hiroyuki Sano, Jaromil, Joe Andrieu, Kaliya Identity Woman,
Lucy Yang, Manu Sporny, Otto Mora, Parth Bhatt, Phillip Long, Rob Padula,
Ted Thibodeau Jr, Vanessa Xu, wendy seltzer
*Transcript*

Andrea D'Intino: Hello Harrison.

Harrison Tang: Hey, Andrea. How's it going?

Andrea D'Intino: All good.

Harrison Tang: Thank you. Thanks for taking time and jumping on and share I
always happy to see your cool background.

Andrea D'Intino: I was happy to see you guys.

Harrison Tang: By the way,…

Andrea D'Intino: Thank you.

Harrison Tang: real background, not fake.

Andrea D'Intino: It's only because my computer is not powerful enough to
have one of those animated backgrounds.

Andrea D'Intino: Then I have to resort to something real these days. Yes.

Harrison Tang: Nowadays reality is worth more than the virtual world,…

Harrison Tang: right?

Andrea D'Intino: Okay, Jar should be joining too. And he did something
today that expands…

Andrea D'Intino: what I'm going to show you. Let's see if you can demo it
later.

Harrison Tang: Sounds good.

Andrea D'Intino: And we still owe Manu an answer about quantum safe that we
do CVC.

Harrison Tang: I get it.

Andrea D'Intino: We haven't forgot that. It's just that we haven't done it
yet. Yeah.

Harrison Tang: We're all very swamped. I think now nowadays it's like the
conference season,…

Harrison Tang: So, yeah. Everyone is just out. Yeah. I will start in about
a minute and…

Andrea D'Intino: That's true.

Andrea D'Intino: That's true.

Harrison Tang: I'll go through the administrative stuff and then we'll hand
over to you.

Andrea D'Intino: Yeah, sounds good.

Harrison Tang: Yeah. Cool.

Andrea D'Intino: Hey Manu manager joined u I just mentioned that we know
that we owe you a reply about quantum safe diab

Andrea D'Intino: to CBC's. apologies for being very late. Likewise,

Manu Sporny: No problem. Appreciate that, Andre.

Harrison Tang: All right, we'll start. so welcome everyone to this week's
W3C CCG meeting. today we invited Andrea here to actually share his
insights from attending the Google's web 3 zero knowledge and AI summit
that happened about a few weeks ago. but before we start, I just want to
quickly go over the administrative stuff. first of all just want to remind
everyone about the code of ethics and professional conduct. obviously we've
been doing that but it's always good to start a meeting with that quick
reminder. Just want to make sure we hold respectful and constructive
conversations here. A quick note about the intellectual property. anyone
can participate in these calls.

Harrison Tang: However, all substantive contributions to the CCG work items
must be member of the CCG with full IPR agreements so you can join and get
the account via the W3C CPG website and…

Harrison Tang: if you have any questions or encounter any problems please
feel free to reach out to any of the chairs. All right. these calls are
automatically recorded and transcribed and the bot will actually send out
the video audio recording as well as the transcriptions in the next 24
hours.

Andrea D'Intino: Thank you,…

Andrea D'Intino: Arizona. Before you go on, one question. I believe we were
here to talk about Longfellow.

Andrea D'Intino: Is that K? Okay.

Harrison Tang: Today I have it for the hold on a second.

Harrison Tang: I have it for the web 3 zero knowledge and AI summit and
then the November 4th is on the W conformance interoperability and
marketplace. actually sorry loan no long.

Harrison Tang: Yeah, I think the zero knowledge summit you guys talk about
long, right? …

Andrea D'Intino: The zeon summit was an event organized by Google in July
that I attended and…

Andrea D'Intino: I presented something. But if you ask me to do a report
about the event, then I'm not prepared. I can tell you roughly what has
been said and what I saw. But I'm not sure that you want to sit here to
listen to my stories about that event.
00:05:00

Harrison Tang: So maybe we can do a quick recap of the event and…

Andrea D'Intino: I don't know. that is not correct.

Harrison Tang: then we can get to the long fellow. my understanding is the
long fellow was also presented at the event. Is that correct?

Andrea D'Intino: So okay I can span a few words about that event because I
think that it starts making sense for everyone working in identity and…

Andrea D'Intino: then we can look at long fellow details if it makes sense
for let me see if I can still find the link for the event.

Harrison Tang: Yeah, that sounds good.

Harrison Tang: I'll just go through the rest of the quick administrative
stuff and…

Andrea D'Intino: Heat

Harrison Tang: then we'll jump right into the AI summit and then the event
and then we can talk about loan fellow. Does that sound All right. So, a
quick moment for introductions and re read reintroductions. Anyone wants to
kind of unmute and introduce yourself if you're new to the community. I
just want to take a moment for the announcements and reminders. Anyone want
to share any announcements reminders? Money, please.

Manu Sporny: Yeah. a couple of the first thing is that the W3C verifiable
credential working group has officially adopted the VC render method and
the VC confidence method. Those specifications have been handed over to the
official working group. They are now officially we are going to start
working on the official standards track starting this Thursday at 10 a.m.
Eastern. We are probably going to have to move that call because a bunch of
people either can or can't make it. So, we'll shuffle things around. It'll
probably land Wednesdays at 11:00 a.m. Eastern, which is the same time that
the verifiable credential working group calls happen.

Manu Sporny: we have some new editors for those specs. thank you very much
to Dimmitri and Joe and Denin and Patrick St. Louis for volunteering to
edit those specs. and that work is going to continue through the rest until
it's a standard. So that's the first thing is we're going to start meeting
weekly again to work on those specifications. The incubation calls will
continue until we get the rest of the items in the credentials community
group incubated. okay. So that's the first item.

Manu Sporny: the second item is that this happened a couple of weeks ago,
but as I mentioned on the mailing list, the California DMV has released a
new California driver's license and identification card with advanced
security features on it. those security features are a verifiable
credential. So, every single California driver's license that is going to
be printed an identification card is printed from now on out will have a
W3C verifiable credential on the back of it. That is 34 million people in
California over the next couple of years. So, that's huge news.
congratulations to everyone in this group for helping to incubate the work
that went into that.

Manu Sporny: So, that live and in production. It's publicly known. if you
get a new driver's license, you will get one of these driver's licenses in
California. There's a verification site that you can use that's free to the
public. anyone in the world can use those to see if you're dealing with a
legitimate driver's license or not. and it follows VC2O a verifiable
credential 20 data model and the verifiable credential barcode
specification that we have been incubating. So there is a reason that the
spec has a driver's license example in it and California is that reason.
again congrats to everyone. That's it.

Harrison Tang: Thank Any other announcements reminders? You got to move
through California just like any updates or questions on the Last calls for
the announcements, reminders, work items. All right, Andrea, let's get to
the Man on you, please.
00:10:00

Manu Sporny: I'm sorry. Totally forgot. we're going to have a data in
integrity call next week and we're going to have some guests on that call.
We had to move the call to Thursday at 10:00 a.m. It's already been updated
in the schedule, but we're going to have the ski sign people come in and
chat with us. Ski sign is a new postquantum cryptography scheme. we're
going to find out if it has the potential to do unlinkable digital
signatures. that happens at 10:00 a.m. Thursday the 23rd. that's

Harrison Tang: Thanks.

Kaliya Identity Woman: We have the internet identity workshop coming up
next week.

Kaliya Identity Woman: It's finally here. And that's Tuesday through
Thursday at the Computer History Museum in Mountain View, California. and
then the Agentic Internet workshop is happening on Friday. It's an IIW
inspired event, but it's totally separate to support AI protocol creators
coming together. so I'll put both links in the chat.

Harrison Tang: All Last thought on announcements reminders. Ammonu. Joe has
a question. If the data integrity conflicts with BCWG spec refinement Yeah,…

Manu Sporny: Yes, it does. We have to fix that. we're trying to move
meetings around. We have so many meetings in this community and in the VCWG
that they're starting to stomp on each other. So, we're going to try and
fix that before it happens. that's

Harrison Tang: good problem to have. All right, last call for
announcements, reminders. All right,…

Harrison Tang: Andrea, do you want to start with a kind of quick recap of
the AI summit and then we'll get to Long Fellow right afterwards? Yeah.

Andrea D'Intino: Yes. …

Andrea D'Intino: I'm posting the link of the event here where you can see
the list of speakers and the topics. Can you see my screen?

Harrison Tang: Yes.

Andrea D'Intino: So it was a online two-day live event with 20 minutes
presentations. I think there were 5 20 30 something and the title is zero
knowledge so it's web three column zero knowledge and AI summit.

Andrea D'Intino: So the technological topic was ze knowledge proofs applied
on these two micro categories. generic zero knowledge and AI if you ask me
what the topics were I can tell you that it was roughly 40% of the people
were talking about blockchain I think only for fintech so zeon proofs to do
anonymous transactions then 40% we're talking about ze proof in AI

Andrea D'Intino: which I think I can say a word or two about it now and 20%
of the people whether I didn't remember or I didn't understand a lot of it
felt like rocket science in about half the situation after the presentation
I could have a grasp of the technology while I didn't understand the use
case in 50% of the presentation I didn't understand the technology at all I
had a very hard time understanding ing the use cases. U I'm going to go
through some of them. so when it comes to zonage proof for fintech, the use
case is pretty straightforward because it's typically some form of
anonymous transactions where the transaction is allowed via an anonymous
credential aka proof.

Andrea D'Intino: when it comes to AI. So, ze knowledge proof was used
typically for proof of computation and proof of training which is something
that I've been listening to the full first day and I honestly could not
picture what the use case could look like until Dan Bonet came on scene. I
believe that most of the people in this chat know For those who don't, Dan
Bonet the surname is one of the three surnames that make up the Bonet Lin
Shaham I believe it is. So there is a BLS for the BS curve and that's a
different B.
00:15:00

Andrea D'Intino: But for the signature the name comes from this guy who is
a very authoritative cryptographer who worked in Stanford is I guess seven
years old or something. He was on stage for 30 minutes along with Abi
Shalat who is used to be an academic now he's working at Google on proof so
namely a long fellow they did the form was called something fire shooting
so one guy was shooting a question the other guy was replying but ended up
being a show from Don who is an excellent speaker was very very good on
stage page was funny. it made it look very easy that for us normals to
normal mortals to understand these things.

Andrea D'Intino: what caught my attention in Dan Bonet's presentation is
that he said he was cheering for a number of technological achievements
that happened this year and he said the first one is that this year for the
first time we could create a zero knowledge proof of the whole Ethereum
blockchain or something like this. There was something about speed and
performance. there was something about computing and then he jumped to
explaining the importance of zeon knowledge proof in the AI world. at least
that's what I remember of what he explained the use case he portraited was
imagine that you want to get a mortgage.

Andrea D'Intino: Imagine that when you want to get a mortgage, the first
thing you do is you chat with the chatbot of your bank. Imagine that the
LLM starts asking you questions and you reply and the LLM tells you, "Sorry
sir, we cannot serve we cannot allow you we're not going to give you
mortgage." So the zeal proof for proof of training a proof of computation
for this allowing mortgages was to be used in order to make sure that the
LLM didn't decide whether to not to give the mortgage.

Andrea D'Intino: based on racial reasons. This gave me an understanding of
how this could make sense and yeah that was probably the most enlightening
thing I heard in the last couple days said that I saw most of the
presentations. first of all, one step back. This event was organized by the
Google Cloud division. I guess I don't know for sure I guess and I heard
that most of the people presenting on scene were people using Google cloud
plat platforms. most of they came from the area.

Andrea D'Intino: they were connected with some of the local universities
and most of them also were backed by the local VCs. So to me it felt a
geographically very concentrated events where most of the people were
coming from the Bay Area. I might be wrong about this but that's the
impression I had. The only presentation that really caught my attention was
by someone at it was in the second day was but this guy Coinbase X for 2.
So this guy was on stage for 20 minutes. his talk was very dense and he was
very good at explaining what they were looking for.

Andrea D'Intino: Coinbase believes that the future of payment is
agentbased. So, they're working on a protocol designed to enable agents to
pay in a smooth way. They named the protocol X400andro2 because 4002 is the
web error for payw walls not allowing to go to. So they are working on a
protocol to allow agents to pay remotely. Okay.
00:20:00

Andrea D'Intino: said that me and Jar were invited to this event because
around February one of our colleagues came back from a conference
mentioning that he saw something very interested from Google namely the
paper on which long hall sadk is based. So this was actually published in
the end of 24. 12 December 24 we heard about this I think in early
February. This caught our attention.

Andrea D'Intino: Reading after we spent a couple of weeks, we decided to
reach out to the authors and we found this guy who is funny enough is also
Italian. he did his PhD at MIT in the '9s. And only after a while we
realized that we knew the guy very well already because he happens to be
the author of FFTW the first transform in the west.

Jaromil: one of the most used libraries in multimedia.

Andrea D'Intino: Okay.

Jaromil: Yeah, in the last 20

Andrea D'Intino: So we got in touch with them. we met them a couple of
times. They mentioned that they had some code they were about to publish
and as soon as they published it. They gave us access to the source code
which is now open to everybody but I believe that we were among first ones
that looked at it and I actually do remember that Abishalat was meetings.
No sorry did it present here Abishalat long fellow no I think that was with
open wallet foundation so it did not present am I right Harrison correct
and…

Harrison Tang: I think they did Mario please.

Manu Sporny: Yeah, they presented at a data integrity call.

Andrea D'Intino: I think I was there I just want to so they open the source
code to

Andrea D'Intino: us and we started working with it. About a month later, we
integrated it into Zen room and there was a very large identity conference
in Geneva in July this year. There were about 2,000 people. I think the
largest Europe has ever seen. And at that conference, we did show our
implementation running in Xandum inside a native Android app which I can
show to you right now. So, you can see my phone here, right? So, this is a
native Android app that you can also find

Andrea D'Intino: That's a source code. And here you have a built APK if you
want to play with it. So, here's my phone. So, this was born as a basic app
to test Xan on the first two things we don't care about. I'm going to jump
to long file ZK generate proof. So the code I don't know how well you can
read here. Can make it a little bit bigger but that's as good as it gets.
Yes. Here we go. So what you read here is the actual Zen code.
00:25:00

Andrea D'Intino: So this is the domain specific language that we map on top
of the various libraries we use. Now I'm going to show you what it looks
like and then I'm going to show you how it's working behind the curtain. So
this is the script that generated the knowledge proof. Here we have an
hardcoded circuit which is some 300 kilobytes. So it was too big to fit in
here. And this is the input data that we pass to the circuit. The input
data has to be somewhere below let me see if I can find Somewhere down here
you have a document. Okay.

Andrea D'Intino: Okay, this is very very hard to find but anyway I can
paste everything later for those…

Jaromil: Andrea, there is a diagram on the benchmark that you can show…

Andrea D'Intino: who yes okay I'll show you something more visual in a
minute.

Jaromil: which is

Andrea D'Intino: This is the input that needs to be passed along fellow.
The input contains a transcript a which is something the drama will
explain. It contains an M do. Right now it only supports M do and the
circuit that will generate the Z proof. When I press execute Zen code, I
can do it here. Yes, it takes a bit less than a second to generate the Z
proof. And the Z proof you can see here that K and all this thing that goes
down. you can see the scroll bar here going down.

Andrea D'Intino: So this is 400 kilobytes. we also have a micros service
that we implemented using our tech. So if I press verify online, it's going
to take a little over a second. Here we go. And here you read verified via
zk.api.foru which I'm going to show you now. api.fork.u. So this thing here
is the micros service that we have set up for testing. All of everything
you're seeing is open source. Here you have the three APIs that exposes
where one generates a circuit and this one I don't think one right now
because it takes 30 seconds. This generates a proof which is not something
we're using on a micros service. This verifies the proof.

Andrea D'Intino: So the thing we have just done is calling this API here
with the payload coming from the phone and this is what happens this is how
you can play with it if Jeremy would do you want to say a few words about
how we integrate the long fellow in Zen room. Okay.

Jaromil: Yes. Yes. So, I had just this slide which is a diagram just to
make you understand how the algorithm works and this is what Andrea showed
you in graph. So there is a circuit generated which is sort of compiled
program and this compiled program takes some input which in this case is an
M do just like a function it takes arguments.

Jaromil: So for instance the attributes of this M do some of them and
generates a zero knowledge proof and this same program is necessary like a
binary to verify. So in fact we have a situation that has a r prover that
uses this ile the circuit in compiled form to produce a proof and a
verifier that takes the proof and the circuit and the issue public key
hopefully from a bid or something to verify.

Jaromil: That's how it works and yes there are a number of implementations.
I'm happy to show you this is known to Frigo. I agree with the author to
maintain this which is not really a fork but I made it public just today.
this one and on this community build you find our modification to the
upstream code of Google.
00:30:00

Jaromil: Google is interested in putting it inside its Google API but I
believe that there is a threat to privacy because then there is nothing
ensuring that there is no telemetry done on the MDO before the
transformation in that case so it's desirable to put it inside your own
application which opens up also discussion about sandboxing in browsers so
this is a wall parenthesis that I will not open now if you're interested.
There is a lot of history in the W3C about this and the history I have
recalled here and talk about it in the sing in our security interest group.
I'm giving you links in the chat.

Jaromil: So there are privacy implications in using ZK in the same API of
the OS which will be able to see the data before it gets transformed.
Therefore I am working on removing the dependency of OpenSSL making it
completely static and portable and make it a static library that can be
included in software. So what you see here is our not yet announced
repository for the community version for maintaining commits to it and I'm
welcoming also more community and I have some news which maybe shouldn't be
on record because I want to tell our colleagues at Google before releasing

Jaromil: but yeah, I'll tell you I'll glance over it because it's
interesting to understand. So this is a little bit of where we are at now.
I have a compiled version of long fellow inma. We are the only one
providing it right now. because it required quite some changes also in the
assembler. We used the SIMD 18 128 assembler.

Jaromil: You have to consider this thing is highly optimized from the start
because any other zero knowledge proof circuit based is much slower than
this and so yeah here you build soon will be provided and a cle on which
I'm working on and there is a new thing which I can show you

Jaromil: Maybe and it makes sense because as you understood there is a
compiler involved into this program and this will become the facto a
compiler for zero knowledge circuits which need to be versioned. and are a
point of vulnerability. So the circuit could do malevolent things. So it
should be reviewed and it should be carefully versioned.

Jaromil: what I'd like to show you just on my screen, I haven't released
yet this code is the first DSL built on long fellow ZK circuit making. this
is a DSL I've just built. So I'm going to first show it to Frigo to the
authors and then find a name for it probably LZ KCC. And this is the facto
compiles a zero knowledge circuit because they pass M do in zero knowledge
space.
00:35:00

Jaromil: They verify the E CDSA signature. They verify the 256 things. some
other people may want to have larger parsers. For instance, for JSON, for a
W3C verifiable credentials, for a JWT, there is one. And so far they are
built in highly templated version 17 code which is a hard to read and hard
to manage and maintain. So I started building this little thing which is a
mapping of the way Yeah.

Jaromil: Here you see the primitives are used inside in this case to verify
age in another case to verify a simple range proof of if a number is in a
range and this will be a DSL. So what I predict is that out of this new
very performant cir zero knowledge circuit we will have a language for zero
knowledge proofs that can parse actual documents and this makes a big
difference between zero knowledge proofs that verify only a value and zero
knowledge proofs that can parse the whole document which is a much more
secure and verifiable

Jaromil: level processing approach. Yes. M

Manu Sporny: This is great news Jerem the question I have so it's great
that there's a language to make circuit development easier it's great that
it's higher level in a DSL there's one thing that I have an intuition on
the circuits and that is that at least the ones that are being created for
MDO are highly specific right There has to be a circuit for over 18.

Manu Sporny: There has to be a circuit for, your home address or…

Jaromil: Yeah, There.

Manu Sporny: whatever and so each one of those requires a separate circuit
to be coded up, built and then Meaning that let's say we have a credential
that has 50 properties. Those are potentially 50 different circuits that
would have to be compiled if all we're checking for is one property at a
time.

Jaromil: Yeah. Yeah.

Manu Sporny: And then okay, so that's good. that was the first intuition is
there's kind of an explosion in circuits that we have to manage.

Jaromil: That's why I made DSL…

Manu Sporny: Right.

Jaromil: because our clients are asking for tailored circuits and no one
can do it. So we think there is No.

Manu Sporny:

Manu Sporny: Yeah. Yeah. but I guess the main concern I have here is that
this is kind of the approach that was taken with the CL signature stuff
before sovereign and There were these templates that you had to use to do
some of the zero knowledge stuff and the management and distribution of
those templates was difficult especially when we get into combinatorial
checking in ble a credential. Right? So if you want to check is this person
a resident of this state and are they over 18 that is yet another
cryptographic circuit right?

Manu Sporny: Okay.

Jaromil: No, you can combine circuits in long fellow.

Jaromil: We can take a circuit for another thing and it can logically end.
Yeah.

Manu Sporny: What's the word? you have to ensure that the binding is to the
same M do right. it has to be some kind of binding that the same input was
provided for both circuits, and that's okay. so all this to say that I'm
concern I feel like we're retreading the same complexity problem that we
had with signatures meaning that the whole reason that the work on BBS took
an enormous amount of effort to make sure that we did not have to publish
circuits or there wasn't this combinatorial explosion of circuits or we had
to be

Manu Sporny: ble to prove that the same input document was used for the
same proof there so that I don't know…

Jaromil: Nothing. These are only signatures.

Manu Sporny: I don't know if there's a solution for that with the long
fellow approach have you heard of any kind of more general generalized
approaches to this…

Manu Sporny: where there we could have circuits that were performant in
could address that commentorial issue I'm highlighting Yes,…
00:40:00

Andrea D'Intino: Mano, sorry.

Andrea D'Intino: You mentioned Seal. do you mean

Manu Sporny: that's correct.

Jaromil: So Otto Mora in the chat also pose a question and he knows about
Cir and Noir.

Jaromil: There are other circuitbased zero knowledge implementations and we
should first make a difference between a circuit based and zero knowledge
algorithms that are standing per se like BBS. circuit based they allow to
build a circuit and that can grow to a calculator but it can also grow to a
wall parser or a b 64 decoder.

Jaromil: So they do everything inside the zero knowledge space which gives
a degree of security and privacy that is qualitatively different and the
difference from silk and noir to reply you autoto so far that I see you see
it also in my benchmarks is speed and this is also what frio and shellat
are very proud of at Google they're very proud of this and in fact it's

Jaromil: True. the speed of their implementation is amazing compared to
others. So they have a JWT stub decoder B 64. They have field
implementation for ES256 P256 but also they have a ST for SEC P256 the
Bitcoin curve and they can adapt it to other elliptic curves. It could
grow. so I could make a joke there's no point in doing this but they could
build a BBS signature credential verifier in long fellow So it is
qualitatively different and it opens up a space for failure as you say
surface.

Jaromil: So just like it was for every new language built in production
immediately like solidity for Ethereum there will be major fails. Please
auto

Otto Mora: No, great great to hear that. I mean, yeah, it was interesting.
I think yes, the use case that initially the Longfellow guys was very MDOC
optimized as you were describing and then it's great to see that now we can
have a more general purpose use case and circuits that could be built and
then the other thing that I wanted to add. So great great work there Jamil
and team but I wanted to add the other part to Manu's question perhaps you
guys can come up with a general purpose reusable circuits right so that you
don't have the need to have circuits for every type of data structure for
instance in privado ID we use ident 3 and we use circom and we came up with
that sitk query language over there that I just shared in the chat

Otto Mora: And it is composed of a series of reusable circuits that just
prove specific questions about the fields in the credentials is this field
greater is in this range. So maybe something similar like that could be the
answer. in addition to using link proofs, To solve the other issue to be
able to not have this complexity of tons of different circuits just have
generic circuit tools that you can reuse and with some usage of link proofs
or some other implementation be able to do that.

Otto Mora: I know that also the open ID community is very interested in
this idea of a setk query language. I think they call it credential query
language or something like that. But maybe we can have our own flavor of
this

Andrea D'Intino: Oops.

Jaromil: Thanks for the link to very interesting. will look into your query
language and yes linkage proofs will be possible the authority of people
producing certain circuits for instance Google plans to sign them and
version them and say this we guarantee for this sort of applications will
be important and…

Otto Mora: Good work.

Jaromil: and also reviewing the code that's why I'm trying to make a DSL
But yes, Manu, this does look like, we were also big fans of BBS and we
implemented BBS but it looks like right now in Europe as the thing gaining
most momentum.
00:45:00

Jaromil: I know fairly well from past times Paulo de Rosa and the fact that
the European Commission is accelerating the standardization of long fellow
ZK and Google is playing along. they announced age verification pilot and u
they published one independent security review and they are working on
another two I think.

Harrison Tang: Sorry, I have a kind of a I guess more basic questions is
that what's the pros and cons and trade-off between kind of a BBS
cryptography based zero knowledge proof versus loan fellow I know fellow is
you can use on the ECDSA the more traditional cryptography but what are I
guess the tradeoffs and…

Harrison Tang: in situations we use BPS. What situations we use nonfellow

Jaromil: in a case of long fellow you have a zero knowledge verification of
an existing signature so you don't have to switch the signature so the
biggest tradeoff that motivates the European Commission to do…

Jaromil: what they are doing with this algorithm is the fact that it can
verify signatures produced by the TE in hardware and therefore comply with
the hardware attestation as in having the secret key in the secure element
and therefore existing devices can produce signatures that can be verified
by this zero knowledge profile.

Harrison Tang: Then what's the point of using BBS then?

Jaromil: this nonfo solved this…

Harrison Tang: I mean it sounds like long fellow has all the advantages,
right?

Jaromil: because BBS required a particular setup of BLS 3812 curve and uses
pairing as well.

Jaromil: So, yeah, it does replace somehow at the moment.

Andrea D'Intino: Maybe I can help and…

Andrea D'Intino: give a little bit of context. So according to the people
at Google Longfellow was built on input from people working at the European
Commission on European digital identity. I don't know how many of you are
based in Europe, how aware you are with it, but it's quite a big thing in
Europe. So next year, every European member state will have to provide
their citizen and residents And the identity wallets currently they are
stuck to ECDSA on P256 or EDSA or RSA.

Andrea D'Intino: they didn't spend enough time thinking about privacy. So
at some point Google came up with the solution that would work on top of
the existing infrastructure. So you don't have to modify your issues
verifiers. You don't have to worry about the securing claim of the phone.
This runs on top is a plugandplay solution running on top of everything
that has been working already. And this is the winning card of Longfellow

Harrison Tang: Honey, do you have a comment? Yeah.

Manu Sporny: Yeah, I mean plus one to that. I think the biggest advantage
that Longfellow has is that it works with existing hardware out there,
that's the key thing and that's the key thing that the European Commission
kind of, was wanting and going for. there are some downsides, I mean, one
of them being this massive complexity when it comes to circuits. the so for
BBS doesn't need a circuit to do a proof, right?

Manu Sporny: So you can have something that has a BBS signature on it. It
can be a credential that has a 100 attributes in it. And with BBS, you
don't need a circuit at all. So Longfellow has this extra complexity that
we're pulling back in because we couldn't figure out how to do circuitless
proofs, So BBS has that advantage in that it's way more efficient. it does
use pairing based curves. it uses a new new curve scheme. and this is just
me personally saying I think the EU commission ran out of time. They didn't
think about privacy and they painted themselves into a corner and this was
the only thing that could pull them out of the privacy issue that they were
in.
00:50:00

Manu Sporny: I think one of the things that we will see though is that a
lot of the credentials that are issued will not get long fellow circuits
for every single attribute in that credential.

Andrea D'Intino: Thank you.

Manu Sporny: You will only be able to prove over 18. if you have a driver's
license there will be a number of those fields that you will not be able to
expose in zero knowledge or they'll be good coverage for driver's licenses
but they won't be good coverage for birth certificates or other things that
really should have unlinkable things on them. plus one I think huge props
to Abby and Matteo and Andre and Yarm for working on this stuff. but I
think we should also be very clear about there are things that Longfellow
can't do, we're going to support ECDSA. Remember we're on kind of this
postquantum there's going to be an issue here, right?

Manu Sporny: So we kick the can down the road a little bit with CA. If a
cryptographically relevant postquantum computer comes on the scene, It will
also break BBS, So, we currently and the nice thing about Longfellow is
that it is theoretically possible for it to work on postquantum signatures
as well.

Andrea D'Intino: Yeah.

Manu Sporny: Right? That's the other kind of I think benefit that
Longfellow has over BBS because postquantum Mhm.

Jaromil: It has to be seen this manu.

Jaromil: So there is a claim from the authors that hasn't been challenged
that long fellow is postquantum.

Manu Sporny: Mhm.

Jaromil: I can spot places where it's not and some arguments used for that
I sort of don't agree but the point is the SHA 256 verification right now
is extremely costly.

Jaromil: So doing I think SH 256 based or…

Jaromil: latish based calculations.

Jaromil: I don't think it will lose the grip. It will not hold the speed.

Manu Sporny: Yeah. Right.

Andrea D'Intino: So I sorry manu I think that you're talking about
different things…

Andrea D'Intino: because Manu what I was saying is that you can fit a
deliththium inside the long fellow and you probably can although it's going
to be slow but what Jerome is talking about is the fact that Google never
claimed But there are rumors saying that long fellow itself is already
quantum safe and John is mentioning that he can see places where it's not
quantum safe. So there is debate on the fact if long pello as it is today
is quantum safe. Some people believe it is

Manu Sporny: Yeah. Yeah. so they're a thing, this is not like a very clean
like it is very obvious we should be using Longfellow.

Jaromil: Yeah.

Manu Sporny: It's Longfellow does solve a number of critical things for the
UD work and…

Andrea D'Intino: Yeah.

Manu Sporny: it's the only thing given the constraints that can solve that
issue. but there are a number of downsides that come with it for example
which circuits are we going to trust? Who's going to say Google's going to
sign them? Does that mean that okay in and the way to get around that is
auditable source code. We compile the source code. We get the same hash
that they do. But then it's kind of like, okay, so what do the wallets do?
Do they just trust the Google registry? Is there an independent registry
that we're going to use for these circuits? So it creates these downstream
issues that, for example, we work very hard to not create in BBS.

Jaromil: It looks like they're going to create a registry of circuits and…

Manu Sporny: Yeah, which is the centralized floors and…

Jaromil: I think to comment on the specificity of Europe it gained momentum
like it break the political wall that we had in adoption of zero knowledge.

Manu Sporny: all that kind of stuff.

Jaromil: So in Europe some of us were very worried that the whole thing was
implemented without any zero knowledge mechanism and while BBS didn't win
the argument because of hardware at testation long fellow did. So the
hardware testation was the biggest argument against zero knowledge we
cannot implement it and with they had no more excuses. So there is a
political role to this algorithm that as you say it must be taken with a
grain of salt and knowing what you're using.

Jaromil: Yeah. Sure.

Harrison Tang: Sorry, I raised my hand. I have a question like Jerem and
Andrea, I know you have an article on the benchmark for long fellows. So,
do you mind actually summarize it very quickly? I'm curious is long fellows
like speed verification generation the speed about the same as BDS or
slower and then also earlier you showed that the proof is very very big.
00:55:00

Harrison Tang: Is that one of the biggest downside of Mono? I'm just
curious about these things.

Jaromil: So the funny thing is that in my first article I put the benchmark
of BBS that you're seeing here together with long fellow to compare them
and…

Jaromil: Abby Shellat got a bit angry about that because he said they are
not comparable is true one is a cirquit Now there is a signature. So I
removed it because it really pissed him off. and so now you have to see it
on both articles. This is the article I have about BBS and I really made a
screenshot. I mean I made a cut and paste and put them together which is no
more.

Jaromil: So it's a question I also posed and yeah this is their stated
speed in their paper and this is what I verified even a bit faster on my
setup which is i9 5 GHz core and running on a single core of one threaded
compiled with O2 flags. So you can make your mind it will be a bit slower
on a mobile. Andrea showed it to you on a mobile. So my conclusion is that
this is one order of magnitude slower and this is especially because of the
SHA 256 verification.

Jaromil: So I can tell you from private conversations which it's not
confidential information with our friends at Google that they would like
ideally a jot without hash only with signature will be significantly faster
and still the signature could be produced in the te so reviewing certain
things of for instance they don't want to implement st jot and I agree with
them it has its shortcoming. I don't want to use bad words. it has obvious
shortcomings and choices and it's not readable and also there is no need
for SD jot really. So they rather do their own selective disclosure based
on jot without following that rule by standard operation.

Andrea D'Intino: Oops. Shoot.

Jaromil: And so yeah, one order of magnitude slower. And these are my
Hamming distance analysis is slightly lower than random.

Harrison Tang: Amazing. Thank you.

Jaromil: And yeah, keep in mind I brought up at our security interest group
the issue of security because I round up on that case here quick binary is
a new attack surface. Let's say it straight what Manu was explaining also.
there are random number generator attacks I believe and

Jaromil: I think there is one issue here which talking about privacy in
Audi the main issue I see I don't know if I have is that components must be
isolated from the environment so there is a problem that we face in the
moment in which Google offers this function of proving and verifying and
the circuits from the Google API.

Jaromil: That's why I'm trying to make it more simple to adopt
independently because if they offer it from their API as they intend to
then there is possible insurance that they are not triggering telemetry on
the M do before it's processed by zero knowledge which means and my policym
friends in Europe understand it very well that Google would know more about
ID presentations than governments. do because they could potentially
Google, Apple who holds the OS would potentially know more about the
presentations than the government and of course build dashboards to sell
them back to the government.
01:00:00

Jaromil: So it is sort of tricky and at the W3C we have some knowledge
about this because I write maybe here no I did a little slide about this if
you remember there was this infamous episode which generated some
constructive developments the infamous episode of DRM in browsers which
split camps and was very painful where Disney and Netflix and whatnot
started injecting libraries inside browsers closed source libraries that
would decode the media which is still the case.

Jaromil: So there is something to be learned from the solution that was
developed for Firefox by a gentleman whose name I have to recall at that
time. We're talking about 10 years ago. Firefox built a sandboxing
environment where a foreign binary shared object could be executed with
some insurance of sandboxing of enclaving let's say and these are the
slides that I presented at W3CC in August I

Jaromil: So I can show them briefly to Slideshow from beginning and share
this issue. Some of you may have been present talking about the issue is
that the MDO is presented in clear text to an API. the question is what is
that API? Is it air gapped?

Jaromil: What insurance we have that clear text is not processed with
telemetry before it's transformed with ZK the fact of making it privacy for
everyone but for the OS manufacturer and back then there is this
interesting blog post in 2014 Andreas Gal wrote about reconciling Mozilla's
mission and W3C which is interesting historical material I

Jaromil: to understand how this was handled at least to have a foreign
library. This is reverse. Now we have to be sure it's an all but different.
We have to be sure that the data is processed only by that library. And the
Jacko media plug-in built a sandbox which is still documented on
modzilla.org that did something that I suspect can be useful for us here.
And here I talk really in the interest of W3C members because when this
thing will get into browsers and if browsers provide a sandboxing
environment then they may be more trusted than mobile devices themselves.
But it's a difficult thing and of course it's not a silver bullet and if
you have a kernel running an application the kernel can access all the
memory anyway.

Jaromil: So it's one of the measures possible maybe but this issue I think
will come up when we use zero knowledge of this degree and present it the
wall document whereas for BBS this may be less of a Cheers.

Harrison Tang: All Thank This is a great discussion. Always so glad to have
you guys on. Thank you. Thanks a lot.

Andrea D'Intino: Guys, talk to you soon.

Jaromil: Thanks for sticking all the meeting. I've been a bit long. Yeah.
Cheers.

Harrison Tang: Yeah, I'm going to rewatch the recording. This is a great
discussion. Thanks a lot. All right. Have a good one.

Jaromil: You guys. Take care.
Meeting ended after 01:05:00 👋

*This editable transcript was computer generated and might contain errors.
People can also change the text after it was created.*
Received on Tuesday, 14 October 2025 22:13:55 UTC