Accelerating Hash-Based Polynomial Commitment Schemes with Linear Prover Time

Florian Hirner; Florian Krieger; Constantin Piber; Sujoy Sinha Roy

Paper 2024/1918

Accelerating Hash-Based Polynomial Commitment Schemes with Linear Prover Time

Florian Hirner

, Graz University of Technology

Florian Krieger

, Graz University of Technology

Constantin Piber, Graz University of Technology

Sujoy Sinha Roy

, Graz University of Technology

Abstract

Zero-knowledge proofs (ZKPs) are cryptographic protocols that enable one party to prove the validity of a statement without revealing any information beyond its truth. A central building block in many ZKPs are polynomial commitment schemes (PCS) where constructions with \textit{linear-time provers} are especially attractive. Two such examples are Brakedown and its extension Orion which enable linear-time and quantum-resistant proving by leveraging linear-time encodable Spielman codes. However, these PCS operate over large datasets, creating significant computational bottlenecks. For example, committing to and proving a degree polynomial requires around 1.1 GB of data while taking 463 seconds on a high-end server CPU. This work addresses the performance bottleneck in Orion-like PCS by optimizing their most critical operations: Spielman encoding and Merkle commitments. These operations involve Gigabytes of data and suffer from random off-chip memory access patterns that drastically reduce off-chip bandwidth. We resolve this issue and introduce \textit{inverted expander graphs} to eliminate random writes and reduce off-chip memory accesses by over 50\%. Additionally, we propose an on-the-fly graph sampling method that avoids streaming large auxiliary data by generating expander graphs dynamically on-chip. We also provide a formal security proof for our proposed graph transformation. Beyond encoding, we accelerate Merkle Tree construction over large data sets through a scalable multi-pass SHA3 pipeline. Finally, we reutilize existing hardware components used in commitment to accelerate the so-called proximity and consistency checks during proof generation. Building upon these concepts, we present the first hardware architecture for PCS -- with linear prover time -- on a Xilinx Alveo U280 FPGA. In addition, we discuss the practical challenges of manually partitioning, placing, and routing our large-scale architecture to efficiently map it to the multi-SLR and HBM-equipped FPGA. The final implementation achieves a speedup of two orders of magnitude for full proof generation, covering commitment and proving steps. When combined with Virgo as an outer CP-SNARK protocol, our accelerator reduces end-to-end latency by up to 3.85 --- close to the theoretical maximum of 3.9.

Note: The paper was revised in April 2025.

Metadata

Available format(s): PDF
Category: Implementation
Publication info: Preprint.
Keywords: Zero-Knowledge Proof Orion Brakedown Spielman Code FPGA
Contact author(s): florian hirner @ iaik tugraz at
florian krieger @ iaik tugraz at
sujoy sinharoy @ iaik tugraz at
History: 2025-04-20: last of 3 revisions; 2024-11-26: received; See all versions
Short URL: https://ia.cr/2024/1918
License: CC BY

BibTeX

@misc{cryptoeprint:2024/1918,
      author = {Florian Hirner and Florian Krieger and Constantin Piber and Sujoy Sinha Roy},
      title = {Accelerating Hash-Based Polynomial Commitment Schemes with Linear Prover Time},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1918},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1918}
}