| The WhitePaper Reading Club Singapore + Aggregation Summit | 11/11/2024 |
|---|---|
| Hardware for ZK: Role of Hardware for ZK | Tim Robinson (Blueyard Ventures) |
| What is the role of Hardware for ZK cryptography? Is it over hyped? The future |
Summary
Zero Knowledge proofs allow blockchains to scale securely, and/or have privacy. ZK Proofs have historically been expensive and slow to create, and while big improvements have been made, we'll need specialized hardware to really take them mainstream and unlock their full potential.
Why This Is Important
By lowering the cost and time to generate proofs we can have cheaper transactions on ZK rollups as well as faster interoperability between these rollups, allowing for a horizontally scalable, composable ecosystem. They also allow for more experimentation with private chains and verification systems, and more user onboarding if the costs are roughly the same as non-private systems.
Key Innovation
ZK proofs were mostly generated on CPU's in the past, which often took hours and cost dollars per proof. Now there are companies building custom FPGA's and ASIC's to generate these proofs (or at least the most complex parts of them) as well a software that allows proving on consumer GPU's which is much faster and cheaper than CPU's, and allows for more client side proving.
Questions
Are there comparisons on the actual costs and price of performing various types of ZK proofs?
Notes: (i) It’s really hard to do head to head comparisons because of all the differences in proof systems, circuits being proved etc. Ingonyama has created a ZK Score to compare [1] but I haven’t seen a big table of results. (ii) Risc Zero has benchmarks on CPU’s / GPU’s [2]
Overview
Many companies are attempting to create ZK Hardware via different approaches. Some are starting with the software side - building software that can run a proving system on a GPU for now, and FPGA's and ASIC's later on. Some are building ASIC's to handle the more complex parts of proving such as MSM's (Multi-Scalar Multiplication) NTT's ( Number Theoretic Transform) while having FPGA's or GPU's handle the rest of the workload.
Background
(i) ZK Proof - Zero Knowledge Proof - A mathematical proof that anyone can use to verify some statement is correct in regards to some witness, without revealing any additional information. For example you can prove some code execution (statement) was done correctly in a data blob (witness) without having to re-execute that code. Or you can prove you’re from a certain country (statement) with your passport (witness) without giving any other details about your passport. (ii) DSL - Domain Specific Language - A custom language to write Zero Knowledge circuits in, that can then be proven using a prover. Examples include Circom and Noir. (iii) ZK Circuit - Some piece of computation written in a DSL that you want to be proven, for example a hash function computation, signature verification or merkel proof verification. (iv) ZK Proving System - A system that can take a ZK circuit and a statement + witness and create a proof of the statement in regards to the witness. Examples are Plonk, Groth16, STARK, Plonky2/3, Binius. These proving systems vary in their security levels, computations used, memory usage, and speed. (v) zkVM - Zero Knowledge VM - a virtual machine where developers can create programs using a common programming language and have that program be provable without any additional work. (vi) GPU's - Graphical Processing Unit - useful for ZK Proofs as they are highly parallelizable and with the rise of AI there is great tooling such as Cuda for creating custom programs for them. (vii) FPGA's - Field Programmable Gate Arrays - Custom hardware that can be more fine tuned for ZK proof generation. They can be reprogrammed with different algorithms or features over time as they are developed. (viii) ASIC's - Application-Specific Integrated Circuits - Custom hardware for ZK proof generation. These cannot be reprogrammed, so once made can only run the same code over and over.
Team
Accseal - Creating an ASIC chip called LEO
Aleo - Launched the Z-Prize for improving ZK hardware proving speeds. Building an L1 blockchain using ZK proving hardware produced by ZKTo.
Cysic - Creating hybrid chips that use ASIC's for specialized operations and FPGA's for more generic code.
Fabric Cryptography - Building a VPU, a custom chip that runs the RISC-V instruction set plus 40 ASIC chips for specialized operations.
Ingonyama - Producing ICICLE, software that can run ZK proofs on GPU's, as well as developing FPGA's/ASIC's that can run the same software faster.
Irreducible - Created Binius, a new proving system, along with custom hardware that can accelerate this system.
Succinct - Building SP1 - a zkVM that follows the RISC-V instruction set and can run on GPU's or other custom hardware.
Opinions
I think this hardware is necessary for ZK proofs to go mainstream. However because the field is changing so rapidly and ASIC's take a long time to produce (12 - 18 months) it makes more sense to create proving systems that can run on GPU's and once the rate of change is lower start to build FPGA's and ASIC's that can run the same code.
Components
| zkVM | (i) A Zero Knowledge Virtual Machine makes writing programs that can be proven easier than ever before. In the past to create a Zero Knowledge chain you have to implement every operation as a ZK Circuit using a DSL, which is a long and time consuming process, is prone to bugs, and few developers could do this well. (ii) With a zkVM you can instead write a program in a language like Rust or WebAssembly (depending on the VM) and the VM will know how to run it and create proofs that it ran correctly. (iii) The downside of a zkVM is they run far slower, sometimes 10 - 100x slower, than manually creating the circuits by hand. However the advantage is many of these VM's can now run on custom hardware that then speed them up again to the performance needed. (iv) Example zkVM’s are: Succinct SP1, Risc Zero, Valida, Jolt. ZKM (MIPS) |
|---|---|
| ASIC’s | ASIC’s are specialized pieces of hardware that only run one piece of software and cannot be changed once produced. They generally cost $5 - $25M to produce at scale and take 12 - 18 months from beginning to completion. They can often run operations an order of magnitude or more faster than the same thing on a GPU or FPGA. Because of these long lead times and constraints on changing the code most hardware companies are only utilizing ASIC’s for the most compute intensive, least changing parts of their proving software. In ZK Proofs the two most compute intensive components are Multi-scalar multiplications (MSM’s) and Number Theoretic Transform (NTT). Both of these are slow because of constant round trips to memory. |
| Fabric VPU | The VPU by Fabric Cryptography is a custom piece of hardware that combines a RISC-V CPU along with 40 Arithmetic Logic Units (ALU’s) on the one chip. It is designed for Plonky2/3 specifically and they worked closely with Polygon to do this. To address MSM and NTT slowdown issues it contains on-chip memory with very fast interconnects so that all proving can be done on card instead of having to reach out to system memory over the slower PCI-E bus. [3] |
| ICICLE | Icicle is software developed by Ingonyama that provides a toolkit to allow ZK Proving systems to run on hardware devices. For example the proving system can run some workload on the CPU and use the GPU to run MSM or NTT computations, which makes them run much faster. V1 & V2 of Icicle only supported Nvidia GPU’s as the compilation was done using CUDA. V3 was recently released and allows running on other hardware too such as FPGA’s. |
| Binius | Binius is a new proving system from Irreducible that is designed to work well with hardware acceleration. Irreducible created FPGA server clusters that accelerate computation of NTT’s and Merkel Trees with Poseidon hashing. These FPGA’s support Plonky2/3 and Binius. They’ve also made X-Check, a CPU with a custom instruction set architecture (ISA) for Binius. |
References
- https://www.ingonyama.com/blog/zk-score-zk-hardware-ranking-standard
- https://reports.risczero.com/benchmarks/Linux-cpu
- https://www.fabriccryptography.com/blog/polygon-plonkyThoughts!I've found some talks and reports doing small comparisons but no good large head to head comparisons on the different hardware types with different proving systems / VM's.I wonder where the boundary is between people that are building chips for ZK calculations, versus those optimizing software to run on various hardwareIt seems like they have most success when collaborating closely with one another. ASICS and FPGA's are mostly produced to be good at some specific proving systems rather than generically good at all.