Minimal hash-based zkVM, targeting recursion and aggregation of hash-based signatures, for a Post-Quantum Ethereum.
Documentation: PDF
- multilinear with WHIR
- SuperSpartan, with AIR-specific optimizations
- Logup / Logup*
The VM design is inspired by the famous Cairo paper.
123 bits of security: Johnson bound + degree-5 extension of koala-bear, so no proximity-gaps conjecture is needed. (TODO: 128 bits, which requires hash digests larger than 8 koala-bears.)
Machine: M4 Max 48GB (CPU only)
| Benchmark | Current | Target |
|---|---|---|
| Poseidon2 (16 koala-bears) | 560K Poseidon2 / s | n/a |
| 2 -> 1 Recursion | 1.35 s | 0.25 s |
| XMSS aggregation | 554 XMSS / s | 1000 XMSS / s |
Expect incoming perf improvements.
To reproduce:

```sh
cargo run --release -- poseidon --log-n-perms 20
cargo run --release -- recursion --n 2
cargo run --release -- xmss --n-signatures 1350
```
(Small detail remaining in recursion: the final (multilinear) evaluation of the guest program bytecode; there are multiple ways of handling it, TBD soon.)
WHIR initial rate = 1/4. Proof size ≈ 380 KiB. TODO: Merkle pruning + WHIR batch opening -> 256 KiB. (To go below 256 KiB, use rate 1/8 or 1/16 in the final recursion.)