CryptoDB
Accelerating Hash-Based Polynomial Commitment Schemes with Linear Prover Time
Authors: Florian Hirner, Florian Krieger, Constantin Piber, Sujoy Sinha Roy

Abstract: Zero-knowledge proofs (ZKPs) are cryptographic protocols that enable one party to prove the validity of a statement without revealing any information beyond its truth. Central building blocks in many ZKPs are polynomial commitment schemes (PCS), where constructions with linear-time provers are especially attractive. Two such examples are Brakedown and its extension Orion, which enable linear-time and quantum-resistant proving by leveraging linear-time encodable Spielman codes. However, these PCS operate over large datasets, creating significant computational bottlenecks. For example, committing to and proving a degree 2^28 polynomial requires around 1.1 GB of data while taking 463 seconds on a high-end server CPU.

This work addresses the performance bottleneck in Orion-like PCS by optimizing their most critical operations: Spielman encoding and Merkle commitments. These operations involve gigabytes of data and suffer from random off-chip memory access patterns that drastically reduce off-chip bandwidth. We resolve this issue and introduce inverted expander graphs to eliminate random writes and reduce off-chip memory accesses by over 50%. Additionally, we propose an on-the-fly graph sampling method that avoids streaming large auxiliary data by generating expander graphs dynamically on-chip. We also provide a formal security proof for our proposed graph transformation. Beyond encoding, we accelerate Merkle tree construction over large data sets through a scalable multi-pass SHA3 pipeline. Finally, we reutilize existing hardware components used in commitment to accelerate the so-called proximity and consistency checks during proof generation.

Building upon these concepts, we present the first hardware architecture for PCS – with linear prover time – on an Xilinx Alveo U280 FPGA. In addition, we discuss the practical challenges of manually partitioning, placing, and routing our large-scale architecture to efficiently map it to the multi-SLR and HBM-equipped FPGA. The final implementation achieves a speedup of two orders of magnitude for full proof generation, covering commitment and proving steps. When combined with Virgo as an outer CP-SNARK protocol, our accelerator reduces end-to-end latency by up to 3.85x – close to the theoretical maximum of 3.9x.
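As an added illustration (not code from the paper), the scatter-versus-gather idea behind the abstract's inverted expander graphs: both traversals of a seed-derived sparse graph produce the same Spielman-style encoding layer, but the inverted (transposed) traversal emits its writes in address order, so only reads remain random. The seed-based neighbour sampling, the toy prime field and the sample message are assumptions; the paper's exact graph transformation and its security argument are not reproduced.

```python
import hashlib
from collections import defaultdict

P = 2**31 - 1  # toy prime field for the illustration (assumption, not the paper's field)


def sample_neighbours(seed: bytes, i: int, n_out: int, degree: int) -> list:
    """On-the-fly sampling (assumed construction): derive the `degree` distinct
    output positions that input position i feeds from a short seed, so the
    graph itself never has to be stored or streamed."""
    nbrs = []
    ctr = 0
    while len(nbrs) < degree:
        h = hashlib.sha256(seed + i.to_bytes(4, "big") + ctr.to_bytes(4, "big")).digest()
        j = int.from_bytes(h[:8], "big") % n_out
        if j not in nbrs:
            nbrs.append(j)
        ctr += 1
    return nbrs


def encode_push(x, seed, n_out, degree):
    """Forward (push) traversal: walk inputs in order and scatter each value
    into its neighbours; the write addresses land at random positions."""
    out = [0] * n_out
    writes = []  # trace of write addresses, in the order they are issued
    for i, xi in enumerate(x):
        for j in sample_neighbours(seed, i, n_out, degree):
            out[j] = (out[j] + xi) % P
            writes.append(j)
    return out, writes


def encode_pull(x, seed, n_out, degree):
    """Inverted (pull) traversal over the transposed graph: produce outputs in
    address order, gathering from the input positions that feed each output.
    Writes are now sequential; the random accesses have moved to the reads."""
    inverted = defaultdict(list)  # output position -> input positions feeding it
    for i in range(len(x)):
        for j in sample_neighbours(seed, i, n_out, degree):
            inverted[j].append(i)
    out = [0] * n_out
    writes = []
    for j in range(n_out):
        out[j] = sum(x[i] for i in inverted[j]) % P
        writes.append(j)
    return out, writes


def is_sequential(addrs) -> bool:
    """True if every write goes to the address directly after the previous one."""
    return all(b == a + 1 for a, b in zip(addrs, addrs[1:]))
```

With the same seed both encoders return the identical codeword layer; only the pull variant's write trace passes `is_sequential`.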
BibTeX
@article{tches-2025-35978,
  title     = {Accelerating Hash-Based Polynomial Commitment Schemes with Linear Prover Time},
  journal   = {IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher = {Ruhr-Universität Bochum},
  volume    = {2025},
  pages     = {341-385},
  url       = {https://tches.iacr.org/index.php/TCHES/article/view/12413},
  doi       = {10.46586/tches.v2025.i4.341-385},
  author    = {Florian Hirner and Florian Krieger and Constantin Piber and Sujoy Sinha Roy},
  year      = {2025}
}