​

a Hardware-Optimized SNARK

Ulvetanna | Jim Posen, CTO

Hardware-Software Co-design Examples

NAND Flash SSDs

Flash memory has a limited number of write-erase cycles, forcing storage firmware and operating systems to implement wear-leveling

​

TPUs for Machine Learning quantize floating point values to 8-bits because of the improved efficiency of 8-bit integer multiplication

Source: https://towardsdatascience.com/

Source: https://www.kingston.com/

Profiling Keccak-256

• Keccak is the #1 bottleneck for ZK protocols scaling Ethereum
• Scroll’s halo2 uses KZG elliptic curve commitment scheme (256-bit prime)
• Plonky3 uses FRI commitment scheme (32-bit prime)
• Benchmarks are on a GCP c3-highcpu-22 (22 vCPU, 11 core)

Profiling Keccak-256

Four key steps account for majority of computation in both systems

1. Generating the witness
2. Committing the witness
1. Reed–Solomon encoding (NTT) + merkleization
2. Elliptic curve multiscalar multiplication (MSM)
3. Vanishing argument (lots of arithmetic circuit evaluations)
4. Opening proof (crypto magic)

Profiling Keccak-256

Plonky3 w/ Poseidon2

Plonky3 / Keccak

Why are towers of binary fields the right foundation for fast verifiable computing?

​

​

​

Why are towers of binary fields the right foundation for fast verifiable computing?

​

1. Efficient Arithmetic
2. Efficient Arithmetization

1. Efficient Arithmetic

Finite Field Arithmetic

Prime Fields 𝔽_p

Representation is not canonical

Addition is integer addition with a conditional subtraction

Multiplication is integer multiplication with a reduction method

• Barrett reduction
• Montgomery reduction
• Special reduction (Mersenne-31, Goldilocks-64)

Binary Fields 𝔽₂k

Representation is canonical

Addition is bitwise XOR

Multiplication is carryless multiplication with a reduction method

• Special (AES)
• Montgomery reduction (POLYVAL)
• Recursive reduction (Tower)

Prime vs Binary Field Multiplication

Carryless multiplication reduces propagation delay and enables higher clock speed

Source: “Exploring the Design Space of Prime Field vs. Binary Field ECC-Hardware Implementations”

Prime vs Binary Field Squaring

Squaring is much cheaper in binary fields because (X + Y)² = X² + Y²

Source: “Exploring the Design Space of Prime Field vs. Binary Field ECC-Hardware Implementations”

Binary Fields in Cryptography

Advanced Encryption Standard (AES) is based on 𝔽₂8

Galois Message Authentication Code (GMAC) is based on 𝔽₂128

Binary field elliptic curves are well-studied and very efficient in hardware

QR codes use Reed–Solomon encoding over 𝔽₂8

Original FRI and zk-STARK protocols

Grøstl SHA-3 finalist hash function is based on 𝔽₂8

Binary Tower Fields

0 0 1 1 1 0 1 0 0 1 1 1 0 0 1 1 0 0 1 1 0 0 1 1 1 1 0 0 0 1 0 1 0 1 0 1 0 0 1 0 ………… 0 1 0 1 0 0 0 0 1 1 0 0 1 0 1 0 0 0

𝔽₂128

Binary Tower Fields

0 0 1 1 1 0 1 0 0 1 1 1 0 0 1 1 0 0 1 1 0 0 1 1 1 1 0 0 0 1 0 1 0 1 0 1 0 0 1 0 ………… 0 1 0 1 0 0 0 0 1 1 0 0 1 0 1 0 0 0

0 0 1 1 1 0 1 0 0 1 1 1 0 0 1 1 0 0 1 1 0 0 1 1 1 1 0 0 0 1 0 1 0 1 0 1 0 0 1 0 ………… 0 1 0 1 0 0 0 0 1 1 0 0 1 0 1 0 0 0

𝔽₂128

𝔽₂32 𝔽₂32 𝔽₂32 𝔽₂32

Binary Tower Fields

0 0 1 1 1 0 1 0 0 1 1 1 0 0 1 1 0 0 1 1 0 0 1 1 1 1 0 0 0 1 0 1 0 1 0 1 0 0 1 0 ………… 0 1 0 1 0 0 0 0 1 1 0 0 1 0 1 0 0 0

0 0 1 1 1 0 1 0 0 1 1 1 0 0 1 1 0 0 1 1 0 0 1 1 1 1 0 0 0 1 0 1 0 1 0 1 0 0 1 0 ………… 0 1 0 1 0 0 0 0 1 1 0 0 1 0 1 0 0 0

0 0 1 1 1 0 1 0 0 1 1 1 0 0 1 1 0 0 1 1 0 0 1 1 1 1 0 0 0 1 0 1 0 1 0 1 0 0 1 0 ………… 0 1 0 1 0 0 0 0 1 1 0 0 1 0 1 0 0 0

𝔽₂128

𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8

𝔽₂32 𝔽₂32 𝔽₂32 𝔽₂32

Binary Tower Fields

0 0 1 1 1 0 1 0 0 1 1 1 0 0 1 1 0 0 1 1 0 0 1 1 1 1 0 0 0 1 0 1 0 1 0 1 0 0 1 0 ………… 0 1 0 1 0 0 0 0 1 1 0 0 1 0 1 0 0 0

0 0 1 1 1 0 1 0 0 1 1 1 0 0 1 1 0 0 1 1 0 0 1 1 1 1 0 0 0 1 0 1 0 1 0 1 0 0 1 0 ………… 0 1 0 1 0 0 0 0 1 1 0 0 1 0 1 0 0 0

0 0 1 1 1 0 1 0 0 1 1 1 0 0 1 1 0 0 1 1 0 0 1 1 1 1 0 0 0 1 0 1 0 1 0 1 0 0 1 0 ………… 0 1 0 1 0 0 0 0 1 1 0 0 1 0 1 0 0 0

0 0 1 1 1 0 1 0 0 1 1 1 0 0 1 1 0 0 1 1 0 0 1 1 1 1 0 0 0 1 0 1 0 1 0 1 0 0 1 0 ………… 0 1 0 1 0 0 0 0 1 1 0 0 1 0 1 0 0 0

128 x 𝔽₂

𝔽₂128

𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8 𝔽₂8

𝔽₂32 𝔽₂32 𝔽₂32 𝔽₂32

Binary Tower Fields

CPU Benchmarks: Multiplications

We measure the time to multiply cryptographically large extension field elements, at least 128 bits. Benchmarks run on GCP C3 instance, Intel Sapphire Rapids.

​

FPGA Estimates: Multiplication

Our experiments measure logic utilization (silicon area) on Xilinx Ultrascale+ device family, which is implemented in 16nm TSMC process node, and associated propagation delays, which are the key indicators for achieving maximum operating frequency.

​

Vision Hash

Vision is an arithmetization-optimized hash function over binary fields

S-box uses both squaring and inversion

“Design of Symmetric-Key Primitives for Advanced Cryptographic Protocols”

by Aly, Ashur, Ben-Sasson, Dhooghe, and Szepieniec

Vision Mark-32

Vision Mark-32 is an optimized instance of Vision using the 32-bit tower field

• S-box optimized with
• fast recursive inversion in the Wiedemann tower field
• arithmetic verification uses fast squaring
• linearized polynomial evaluation as an 𝔽₂-affine transformation
• MDS matrix optimized with
• 8-bit tower field coefficients and subfield multiplication
• novel polynomial basis additive NTT techniques

​

Joint effort with 3MI Labs (Tomer Ashur & Mairon Mahzoun)

Efficient Arithmetization

Plonky3 Keccak Arithmetization

• Plonky3 uses AIR arithmetization
• Each Keccak-f permutation is 24 rows
• One row has 2,328 1-bit columns and 404 16-bit columns
• Trace has 1,048 non-linear constraints

Plonky3 Keccak Arithmetization

• Plonky3 uses AIR arithmetization
• Each Keccak-f permutation is 24 rows
• One row has 2,328 1-bit columns and 404 16-bit columns
• Trace has 1,048 non-linear constraints

​

In order to commit 1-bit or 16-bit columns, STARKs must pad them to full field elements. This is up to a 32x loss in efficiency!

Embedding Overhead

Can we commit small values faster than large values?

• Using elliptic curve commitment schemes: yes, with caveats
• With FRI commitments: not below 32 bits

Embedding Overhead

Can we commit small values faster than large values?

• Using elliptic curve commitment schemes: yes, with caveats
• With FRI commitments: not below 32 bits
• With Binius: yes, using block-level encoding!

​

The Binius polynomial commitment scheme maximizes the information density of the committed data.

Binius: SNARKs over Towers of Binary Fields

Binius combines

• Arithmetization over towers of binary fields
• Multilinear poly IOP based on HyperPlonk
• Generalized Brakedown + FRI commitment that eliminates embedding overhead

Binius: SNARKs over Towers of Binary Fields

Binius combines

• Arithmetization over towers of binary fields
• Multilinear poly IOP based on HyperPlonk
• Generalized Brakedown + FRI commitment that eliminates embedding overhead

…also,

• A new multilinear shift argument
• Adaptation of Lasso lookup argument

Eliminating Embedding Overhead

• Instead of embedding single coefficients into an extension field, we embed chunks of coefficients into the tower algebra.
• Reed–Solomon encode with the tower algebra as the alphabet.
• Generalize Brakedown and BaseFold’s multilinear FRI PCS to operate over the tower algebra.

Binius Keccak Arithmetization

• Each Keccak-f permutation is 24 rows over 𝔽₂64 / 1,536 rows over 𝔽₂
• One row has 60 committed columns and 80 virtual columns
• Trace has 50 non-linear constraints and 10 linear constraints

Binius Keccak Arithmetization

In[25]

C[5]

C’[5]

D[5]

B[25]

Out[25]

64b

64b

Profiling Keccak-256

Benchmarks run on GCP c3-highcpu-22 (22 vCPU, 11 core)

Profiling: Keccak-f[1600]

Binius w/ Grøstl

Plonky3 w/ Keccak

Stay tuned!

​

@UlvetannaHQ

​

https://www.ulvetanna.io/

​

https://gitlab.com/UlvetannaOSS/binius