Author: Loopy Lu, BeWater
Recently, Vitalik Buterin's surprise visit to the Hong Kong Blockchain Conference excited all the attendees, and it also reflects the current state of the crypto market to a certain extent. Lately, Ethereum's trend has been slightly weaker than that of the Bitcoin ecosystem. The fragmentation of Ethereum's liquidity and its limited performance have once again brought it into question.
At this conference, Vitalik gave clear suggestions for the future progress of Ethereum. In the keynote speech "Reaching the Limits of Protocol Design", Vitalik was optimistic about the role of ASIC chips. With ASIC chips providing hardware acceleration for ZK computation, the efficiency and security of Ethereum can be raised to a new level.
To interpret ZK hardware acceleration, we naturally have to start with ZK. ZKP is not a completely new concept. Since the 1980s, computer scientists have been continuously exploring in this direction. Currently, popular ZK Rollup projects are being launched one after another, and more ZK applications are emerging. Correspondingly, ZK technology and the market are constantly evolving. We found that ZK hardware acceleration is maturing, ZK + DePIN mode is emerging, and ZKP in this cycle seems to be different from before.
Zero-Knowledge Proof (ZKP) is known as the Holy Grail of cryptography. It not only introduces new solutions to the long-standing privacy protection problem, but also provides a powerful solution to the blockchain scaling problem that has existed for many years.
As we all know, the efficiency problem of ZK has been troubling many users and project developers. Vitalik said at the Hong Kong conference that although advanced cryptography-based protocols such as ZK-SNARKs, MPC, FHE (fully homomorphic encryption) and BLS aggregation are developing rapidly, they also have efficiency and security issues.
(Image source: Foresight News)
Among them, the Ethereum slot (block) time is 12 seconds, the normal block verification time is about 400 milliseconds, and the ZK-SNARK proof time is about 20 minutes. Ethereum's goal is to achieve real-time proof.
To solve this problem, Vitalik gives three solutions: parallelization and aggregation trees, using SNARK algorithms and hashing to improve efficiency, and ZK hardware acceleration using ASICs.
We do not judge the pros and cons of the three solutions, but only conduct an in-depth discussion of ZK hardware acceleration here. This article attempts to start from ZKP and explain to investors why Vitalik is optimistic about hardware acceleration, a track that is rarely mentioned at present. What are the differences between similar terms such as ZK acceleration, ZK and ZK Rollups, and how can they be accurately distinguished?
From the perspective of the entire ecosystem, why is the hardware acceleration track important? What value does it provide to Ethereum, ZK, and the entire crypto world? We will use Cysic as an example to discuss the past, present and future of hardware acceleration in detail.
What is the role of hardware acceleration that Vitalik is optimistic about?
For the crypto world, ZKP (SNARKs/STARKs) is regarded as the Holy Grail of scaling technology. zk-SNARKs verify the correctness of an original computation through verifiable computation: the prover first generates a succinct proof for the original computation, and the verifier then uses a much smaller computation to verify the correctness of that proof.
Among the various scaling solutions, ZKP has promoted the development of off-chain computing. That is, transactions are no longer executed on the Layer 1 network, but are completed in an off-chain rollup, and partial data such as the state roots of multiple transactions are packaged and published to the main network to complete verification and settlement. Mainnet nodes can verify the transaction history on the rollup through ZKP, and its security is still guaranteed by Layer 1. ZKP solves the trust problem in the verification process mathematically through zero-knowledge proofs, and requires only a small amount of space on chain. ZK Rollups can achieve dozens of times the transaction processing speed and efficiency of Layer 1.
L2BEAT data shows that the total TVL of the top five ZK Rollups has reached approximately US$3 billion. This figure is still far from the US$50 billion of Ethereum TVL and the US$91 billion of the entire DeFi market. We believe that as ZK technology matures, the penetration rate of ZK Rollups will inevitably increase further. After Ethereum completed the Cancun upgrade, the introduction of EIP-4844 significantly reduced Layer 2 fees. After each mainstream Layer 2 adopted blob transactions, actual measurement data showed that the gas costs of each ZK Rollup dropped significantly. For example, Starknet dropped by approximately 85% and zkSync Era dropped by approximately 65%.
ZK-based projects on the market are growing rapidly. Among the projects based on ZK technology with a market value of more than US$1 billion, Polyhedra, Immutable, StarkNet, zkSync, Mina, dYdX, etc. are well-known. This track can be roughly divided into three layers: infrastructure, ZK-Rollup, and ZK applications.
The infrastructure mainly includes programming frameworks and tools, ZKP proof market, hardware acceleration of proof generation, ZK machine learning, etc. Most of the projects in these tracks revolve around the generation and calculation of ZKP, and they provide a technical foundation for the deployment of ZK applications (whether network or dApp).
The one that attracts the most attention is ZK Rollup. The explosion of ZK Rollups provides ample support for the scalability and "mass adoption" narrative. On top of this there are various dApps that use ZK technology. Most of them use the characteristics of ZK to provide privacy and other applications for crypto users.
However, the excessive computing resources required for ZK proof generation are a bottleneck that restricts further progress on the track.
How far is it from the implementation of the use case?
If ZK technology is so powerful, why is it still not widely adopted? The main reason is that the core algorithms and implementation mechanisms of ZK technology are extremely complex. Currently, there are two main ZK proof systems in wide use: zk-SNARKs and zk-STARKs. For example, zkSync, Aztec, Axiom, Scroll, Taiko, etc. all use proof systems based on zk-SNARKs, while StarkNet, dYdX, Polygon, etc. use proof systems based on zk-STARKs.
Using a zero-knowledge proof system typically involves three steps: flattening the computation, generating the proof, and verifying the proof. The proof generation step requires a lot of computing power.
Flattening expresses an original computation as a ZK circuit through a constraint language (such as R1CS). Taking zk-SNARKs as an example, commonly used proof systems currently include Groth16, Marlin, and Halo/Halo2. Among them, Groth16 uses R1CS as the constraint language for flattening. Newer proof systems, such as Halo/Halo2, use the circuit constraint language of the Plonk family, which is widely used in some newer ZK projects, such as Scroll, Taiko, Axiom, etc.
As we mentioned before, the generation of ZK proofs is computationally intensive. Let's use KZG-based Halo2 as an example to briefly analyze the types of these computations. First, after we construct the ZK circuit through the front-end constraint language, we need to convert the circuit into polynomial form, and the degree of the polynomial is positively related to the scale of the circuit. Afterwards, cryptographic techniques such as KZG are used to convert these polynomials into a proof. In this process, the main time-consuming computation types are MSM and NTT.
MSM (Multi-Scalar Multiplication) is used for elliptic-curve calculations. MSM is a core component in elliptic curve cryptography and is mainly used to generate and verify proofs. MSM-type computing tasks account for about 60-70% of computing tasks.
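To make the MSM workload concrete, here is an added example (not from the original article or from any project it names) that computes sum(k_i * P_i) both naively and with the bucket (Pippenger) method. The toy curve y^2 = x^3 + 2x + 2 over F_17 with generator (5, 1) and all function names are assumptions chosen for illustration; real provers use curves with fields of roughly 256 bits or more.

```python
# Added example: multi-scalar multiplication (MSM) on a toy curve.
# Assumption: y^2 = x^3 + 2x + 2 over F_17, generator (5, 1), group order 19.
P_MOD, A = 17, 2
G1 = (5, 1)

def ec_add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # p + (-p)
    if p == q:                           # doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, p):
    """Double-and-add scalar multiplication k * p."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, p)
        p = ec_add(p, p)
        k >>= 1
    return acc

def msm_naive(scalars, points):
    """One full scalar multiplication per term, then sum."""
    total = None
    for k, pt in zip(scalars, points):
        total = ec_add(total, ec_mul(k, pt))
    return total

def msm_pippenger(scalars, points, c=2, bits=8):
    """Bucket method: scalars are cut into c-bit windows; requires k < 2**bits."""
    total = None
    for shift in reversed(range(0, bits, c)):    # most significant window first
        for _ in range(c):
            total = ec_add(total, total)         # total *= 2**c
        buckets = [None] * (1 << c)
        for k, pt in zip(scalars, points):       # buckets fill independently
            digit = (k >> shift) & ((1 << c) - 1)
            if digit:
                buckets[digit] = ec_add(buckets[digit], pt)
        running = window = None
        for b in reversed(buckets[1:]):          # window = sum(d * buckets[d])
            running = ec_add(running, b)
            window = ec_add(window, running)
        total = ec_add(total, window)
    return total
```

The bucket accumulation loop is the part that maps well to wide parallel hardware, since each bucket receives only point additions and the buckets do not depend on one another.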
NTT (Number Theoretic Transform) is a Fast Fourier Transform (FFT) over finite fields. NTT is used to handle calculations related to polynomials. In ZK proof generation, NTT-type computing tasks account for about 25% of all computing tasks.
Although ZK-STARKs use different algorithms, they also have their own performance bottlenecks. During the proof generation process, the prover needs to create a system of multiple constraints that must be satisfied simultaneously to generate a valid proof. These constraints are usually randomly generated. The FRI algorithm (Fast Recursive Integer Gaussian Sampling) is used to generate and verify the Gaussian sampling in the proof to ensure the randomness of these constraints. Therefore, the efficiency of the FRI algorithm is crucial to the performance of ZK-STARKs.
But no matter which route is adopted, the huge amount of computation makes proof generation extremely slow. Therefore, how to speed up these computations and improve the efficiency of proof generation has become the key factor limiting the adoption of ZKP today.
In order to solve this problem, using hardware for computing acceleration has become a feasible solution. At present, the market has produced multiple hardware acceleration solutions, but there is no standard answer as to which hardware to choose.
There are currently three mainstream hardware acceleration solutions in the ZKP market. In order of flexibility from high to low, they are GPU, FPGA, and ASIC.
Since some steps in the ZKP algorithm (such as polynomial multiplication and FFT) can be processed in parallel, GPUs can naturally complete the computation in the ZKP algorithm more efficiently, just like graphics card mining many years ago. But the problem is that the flexibility and versatility of GPUs make it difficult for them to outperform FPGAs.
FPGAs can be programmed to implement specific logic functions. This approach provides higher efficiency while also maintaining a certain degree of flexibility, allowing the circuit to be customized as needed. After optimizing for a specific ZKP algorithm, FPGAs perform better than GPUs.
ASICs are specialized chips tailored for specific tasks. Just as ASIC mining machines provide powerful computing power for Bitcoin, ASIC hardware acceleration for ZKP can also provide the highest level of performance optimization for the computing process. But generally speaking, an ASIC can only fit a single solution and cannot be used universally for all existing ZKP proof tasks. More general ASIC chips will encounter greater adjustments from design to tape-out.
ASICs have the most powerful computing power, but their limitation lies in flexibility. Because of the diversity of ZK algorithms, acceleration solutions still need to accelerate multiple algorithms. Considering that new ZKP proof systems are constantly being introduced on the market, the rapid reconfiguration capability of FPGAs gives them the advantage of being reused in multiple scenarios and of flexibly adapting to different proof system requirements. Therefore, under current market conditions, for a hardware acceleration service provider, offering only ASIC chip services that accelerate a single proof system is not the best choice at this moment.
But does this mean ASICs have no potential to take off in the future? The answer is naturally no.
Choosing the right proof system is a very important decision. Due to the extremely high design cost of ZK circuits, once the proof system is determined, ZK projects rarely change it. After project teams invest resources in developing circuits for a specific proof system, they usually do not easily replace the system. Although FPGAs provide a certain degree of flexibility, ASICs can still provide a high computing performance ratio for ZK projects that have settled on a proof system and entered development, which is especially important for large-scale, computationally intensive ZK applications. Therefore, although the initial development cost of an ASIC is high, the high return it brings after a successful tape-out still has a place in the market, and ASIC solutions have a certain stability and demand in the market.
For the foreseeable future, ASIC acceleration will remain one of the final solutions for hardware acceleration.
Let’s take the Cysic project on the hardware acceleration track as an example. Cysic provides full hardware acceleration services including FPGA, ASIC, and GPU. These acceleration services can not only improve the production efficiency of specific ZK proofs, but also adapt to the needs of different blockchain platforms/ZK projects.
For example, Cysic developed an FPGA-based MSM computing accelerator called SolarMSM. This solution significantly improves the efficiency of MSM calculations and can handle large-scale MSM tasks in a short time. Judging from the data, Cysic's SolarMSM can easily complete MSM calculations of 2³⁰ in 300 ms, which is at the top level in the industry.
Through this hardware acceleration, Cysic is able to effectively reduce the time required for ZK proof generation, thereby making ZKP-based blockchain applications and protocols more efficient and practical. This is of great significance in promoting the widespread application of ZKP technology, especially in scenarios that require fast and efficient proof generation.
Currently, Cysic has implemented the POC design work of the MSM acceleration solution. The FPGA-based POC has the highest performance among all currently public FPGA-MSM hardware acceleration results, which is more than 1 – 2 orders of magnitude higher than the current public benchmark results. ASIC design and tape-out work is also in progress. In the future, Cysic will develop 12 nm ASIC chips in the second phase. The goal is to realize that the computing power of a single ASIC chip can support MSM, NTT, and other cryptography underlying operators, while reducing the power consumption of a single chip to two orders of magnitude.
In addition, Cysic has also actively embraced GPU-based acceleration solutions, providing more flexible ZK and even AI computing acceleration services.
As long as ZKP can be calculated faster, the crypto world will be one step closer to capturing the ZKP Holy Grail.
DePIN primitives drive market growth
The importance of hardware acceleration is unquestionable. Another main question for investors is how big the market for ZK hardware acceleration will be.
Paradigm has predicted that the market size of ZK acceleration is similar to the size of the POW mining market. As mentioned earlier, with the completion of the Cancun upgrade, the larger-scale adoption of ZK Rollup will bring significant demand for ZK computing.
Privacy protection is another major market need. Projects such as Semaphore, MACI, Penumbra, and Aztec Network are exploring leveraging ZK technology to enhance user privacy and drive mass adoption. At the same time, identity verification is also one of the main use cases of ZK technology, including the popular WorldID, as well as projects such as Sismo, Clique, and Axiom, all of which are committed to applying ZK technology to identity management to provide a safer and more privacy-protecting solution.
ZKML (Zero-Knowledge Machine Learning) is another rapidly developing field. With the explosion of AI, it is imperative to verify that AI works correctly and transparently. ZKML can enable inference and other aspects to be uploaded to the chain, and theoretically it will be verified without revealing the specific content.
Therefore, whether it is the broad adoption of ZK Rollups, the emergence of privacy and other dApps, or the development of ZKML, all of these have increased the demand for ZKP acceleration.
However, the threshold for ZK acceleration is still high and remains extremely unfriendly to many small and medium-sized projects. Many ZKP users still need to purchase acceleration hardware in a centralized manner and deploy acceleration services by themselves. They also need to choose the appropriate acceleration solution based on their own ZKP generation route.
A resilient validator network (ZK prover network) has become a consensus solution in the industry. The new product form of ZK Compute-as-a-Service (ZK CaaS, ZK Computing as a Service) formed on this basis will solve the above dilemma.
Take Cysic for example. Cysic will use accelerated hardware to form a verifier network. FPGAs, ASICs or other hardware can provide users with ZK accelerated computing power in the network, and personal devices can also be connected to it. For ZK project teams, when computing power support is needed for ZKP verification, they can directly access Cysic's ZK computing power network without the need for hardware procurement, and without paying too much attention to the details of the specific acceleration plan. Currently, Cysic has launched tens of thousands of high-end graphics cards, reserving sufficient ZK computing power for the verifier network.
Currently, Cysic has reached cooperation with many projects such as Scroll, zkP2P, Inference, Kinetex, etc., covering ZK Rollup, ZKML, application layer and other types of projects. The proof systems they use include Halo2, RapidSnark, Plonky2x and others. Therefore, Cysic's accelerated computing solution has high flexibility and versatility.
Cysic configures the supply and demand of computing power in a cryptographically native, decentralized manner. The supply side of ZK computing power has been upgraded from centralized and non-scalable hardware to a computing power network that can be accessed by all users. It also provides individual investors with opportunities to participate more deeply in the market. On the demand side, ZK CaaS can provide greater flexibility and stability for ZK computing, and the decentralized market can more efficiently schedule and match the supply and demand of computing power through smart contracts.
Therefore, ZK CaaS turns hardware acceleration into an out-of-the-box service and creates a scenario where everyone can accelerate ZK computing. It uses DePIN's network of decentralized hardware facilities to transform the ZK field and provide revenue for proprietary or idle computing power, making it possible for us to once again usher in the blue ocean of ZK + DePIN mining.