20 comments

[ 2.6 ms ] story [ 34.2 ms ] thread
*Zero knowledge crypto acceleration with FPGA
(comment deleted)
title: Accelerating zk-SNARKs - MSM and NTT algorithms on FPGAs with Hardcaml

Any reason the title deviates so much from original? Is it because of all the cool acronyms and code words? Here's a decoder:

zk-SNARK: zero-knowledge Succinct Non-Interactive Argument of Knowledge

MSM: Multi-Scalar Multiplication

Hardcaml: OCaml lib for hardware: https://github.com/janestreet/hardcaml

NTT: Number Theoretic Transform

Fair point, I changed the title!
Well how can I remove my extraneous garbage post, then? ;-)

I'm actually paying attention to this thread because I'm hoping people drop clues about what I should research or play with. Thanks a bunch - cool topic!

(comment deleted)
https://zprize.hardcaml.com contains a detailed technical write-up, which includes an overview of the MSMs and NTTs algorithms, some well-known methods to accelerate them (Pippenger's algorithm, Cooley-Tukey etc.) and a description of our implementation.

All code is open source! - https://github.com/fyquah/hardcaml_zprize

(Disclaimer: I'm one of the authors of the above blogpost)

(Edit: Added link to source code)

I looked at simple examples (counters, fibonacci generator) of hardcaml in the github repo, but I don't see any obvious advantages over systemverilog, verilog, or VHDL (the industry standard languages). Why would one use hardcaml over these?
From the article:

> We believe by using Hardcaml we were able to more efficiently and robustly come up with designs in the short competition period

So, the authors seem to believe they are more productive in it than other languages, and seem to be positioning it as a competitive advantage.

What abstractions does Hardcaml provide that makes them believe they are more productive in it?
The assumption of a trusted setup phase makes zkSNARKs somewhat obscure to use. Definitely, it does not fit for making evidence for voting where an adversary could have rigged a setup phase allowing to issue votes as sees fit.
You can include a very large set of people in the trusted setup, and if even one of them destroys their key the system is safe.

So far, there have been ceremonies which invite anyone to join who wants to, and anyone who participated and destroyed their own key knows that the trusted setup isn't compromised.

An entire community could participate for their local votes and they could each destroy their own key in order to have confidence in the result.

Interesting. I am concerned, however, that those ceremonies would not be protected against sabotage. For instance, if a few participants decide not to follow the protocol, the ceremony would need to be restarted. A question then, would the dishonest parties could be identified? That can be used as a reason in the face of security to limit who could join and in that way, sabotage the ceremony.

> An entire community could participate for their local votes and they could each destroy their own key in order to have confidence in the result.

Two problems. Dishonest voters spoil the process. Synchronically running multiparty ceremony between all participants at the same time (what if the voter could not make it, what if the server gets a DDOS attack in the process).

i have run large data centers with over 120,000 gpus... one thing that i learned in this process is that running hardware at scale and efficiency is very very difficult. it requires a lot of process and tooling to automate everything.

if anyone here has run FPGA's specifically, at this sort of scale, i'd love to talk to them.