With the "ZK wars" heating up, there's been a lot of discussion about the merits of each zkEVM, and a few misconceptions. I wrote a post which I hope will clarify things:
Daniel Lubarov
841 posts
Daniel Lubarov
@dlubarov
ZK engineer ๐ค
Joined March 2009
- Quick update: it's now over 2 million hashes per second ๐ช Recent speedups were mostly memory-related: avoiding copies, skipping zeroing, merging some FFT steps to keep things in cache, etc.Plonky3 will get very fast on the server side thanks to @FabricCrypto, but we haven't forgotten about CPU performance. In the past few weeks, things have gotten 2-4x faster, with my laptop (M3 Max) now proving ~1.7 million Poseidon2 hashes per second.
- Plonky3 is getting faster! On my M1 Macbook Air, it can prove around 750 Keccak-f permutations per second, ~5x more than Starky. This is an important metric for us (@0xPolygonZero), since Keccak is the main bottleneck in type-1 zkEVMs.
- We're excited to announce Plonky2, an implementation of PLONK+FRI which is focused on fast recursion. After experimenting with several approaches, we've reached a level of performance that we're happy with, with recursive proofs taking ~170 ms on a Macbook Pro.Today we're excited to announce Plonky2, our groundbreaking proof system and a major milestone for zero-knowledge cryptography and Ethereum scaling ๐๐ซblog.polygon.technology/introducing-plโฆ
- We recently finished Polygon Zero's aggregation circuit, which recursively verifies two inner proofs. Each inner proof can be an EVM proof or another aggregation proof, enabling aggregation in arbitrary tree structures.
- After some optimization work at @0xPolygonZero, Plonky3 is up to ~2,500 Keccak-f permutations per second on an M3 Max! In other words, we can prove one of the least ZK-friendly hashes at a rate of about 340 KB/s.We just fixed a dumb performance bug in Plonky3 - github.com/Plonky3/Plonkyโฆ A bit embarrassing, but on the plus side certain uses of Plonky3 are now much faster! On an M3 Pro we can prove over 1000 Keccak-f permutations per second.
- Plonky3 will get very fast on the server side thanks to @FabricCrypto, but we haven't forgotten about CPU performance. In the past few weeks, things have gotten 2-4x faster, with my laptop (M3 Max) now proving ~1.7 million Poseidon2 hashes per second.
- In AIR and PLONKish programming, we often find that wide arithmetizations work best. While vanilla PLONK uses 3 witness polynomials, Plonky2 uses 135 by default. We did that for a few reasons.
- We just fixed a dumb performance bug in Plonky3 - github.com/Plonky3/Plonkyโฆ A bit embarrassing, but on the plus side certain uses of Plonky3 are now much faster! On an M3 Pro we can prove over 1000 Keccak-f permutations per second.
- I think there's a bit too much focus on zkVM performance. Even with type-1 zkEVMs, proving costs should be negligible compared to gas fees.
- I wrote a little note to explore the ZK-friendliness of Verkle proofs: hackmd.io/@dlubarov/B1rVโฆ TLDR: Compared to binary Merkle proofs, it's hard to say which is more ZK-friendly; it will come down to a bunch of implementation details.Replying to @VitalikButerin @AFDudley0 and @MihailoBjelicSpecifically this is true for the ec-based proofs. Verkle tries are *bad* in our fri-based stark approach using small fields. As discussed earlier you can mitigate it by proving parts separately and combining them but that's tricky as well.
- For a few years now, we've been trying to figure out how to incorporate Mersenne fields like 2^31 - 1 into Plonky3, motivated by the prospect of doing several field muls in a single CPU cycle.Introducing Circle STARK ๐ต At Polygon Labs, weโve been heavily focused on improving ZK performance with Plonky3. For the past three months, we've collaborated closely with the @StarkWareLtd team to develop an incredibly fast proving system that will be incorporated into
- Replying to @VitalikButerinAwesome! We'll work on blake3 soon ๐ซก
- SP1 is really cool! - RISC-V code, but in a more zk-friendly format - Multiple coprocessors, connected with logUp - Easy to extend with other coprocessors - A novel approach to continuations - Built on Plonky3, for speed & flexibility - Fully open-source1/ We are excited to announce Succinct Processor 1 (SP1), our first generation, 100% open-source zkVM that proves arbitrary Rust programs. SP1 targets an order of magnitude performance improvement vs. existing zkVMs, and is already up to 28x faster for certain programs.
