
Cysic will accelerate the arrival of ZK's endgame.
Written by Peng SUN, Foresight News
Have you ever thought that PoW will return to Ethereum? Through Cysic, I see the possibility.
Last May, Vitalik said in Montenegro that “in the next 10 years, zk-SNARKs with ZK as the underlying technology will be as important as blockchain”, which signalled that Ethereum had chosen ZK. A year later, Vitalik flew to Hong Kong, stated once again that ZK is the future of Ethereum, and pointed to hardware acceleration as the direction for breaking through the bottleneck of zk-SNARKs.
The discussion about ZKP acceleration has a long history, and academia and industry have long studied how to optimize ZK algorithms for speed. Hardware acceleration, as an alternative approach, only began to attract attention in 2022, which may be regarded as the first year of ZKP hardware acceleration. ZPrize, the highest-quality and most technologically advanced ZKP hardware acceleration competition in the field of zero-knowledge cryptography, led by Aleo, was officially launched. Paradigm's "Hardware Acceleration of ZKP" and IOSG's "Why We Are Optimistic about Zero-Knowledge Proof Hardware Acceleration" were published one after another. The author noticed that some people said "the algorithm is not enough, the hardware will make up for it", in words that revealed disdain for hardware acceleration, but as ZPrize said:
While zero-knowledge cryptography has made huge progress in the past few years in terms of software and algorithms, hardware acceleration has been a direction that only a few have explored. Many people forget that modern cryptography techniques only became practical after being natively implemented in CPUs. Hardware acceleration does not necessarily mean ASICs, it also means new ways to optimize GPUs, CPUs, FPGAs, and mobile devices (alone or in combination) to generate zero-knowledge proofs faster.
Most people first became aware of ZKP hardware acceleration through Aleo's PoSW in 2023, which introduced economic incentives for MSM and NTT computation. The protagonist of today's story, however, is not Aleo but Cysic, a real-time ZK proof generation layer that provides a full set of solutions for GPU, FPGA, and ASIC. Cysic is about to release two ZK DePIN devices, ZK Air and ZK Pro, and will start pre-sales of mining machines in the near future. It can be said that Cysic is not just a service provider for business (B-side) customers: it will undertake all computing power requirements in ZK computing scenarios. Its adaptability to different ZK algorithms enables it to build a DePIN network and open its B-side services to consumer (C-side) users with various kinds of computing power. In other words, anyone can join the Cysic network, and the more users participate, the higher the computing power and the faster the ZK proofs. Ultimately, ZK becomes ubiquitous and integrated into daily life.
This narrative is so fascinating that I never thought that the unattainable ZKP hardware acceleration could be so close to ordinary people! Today, Foresight News will take a deep look at ZKP hardware acceleration, Cysic features and its hardware products, and DePIN network infrastructure to see what Cysic wants to do and how big its market potential is.
Betting on the ZKP hardware acceleration market: Cysic background and vision
Cysic is a real-time ZK proof generation and verification layer founded in August 2022, providing ZK Compute as a Service (ZK-CaaS) based on self-developed ASIC, FPGA, and GPU chips. In February 2023, Cysic completed a $6 million seed round of financing, led by Polychain Capital, with participation from HashKey, SNZ Holding, ABCDE, A&T Capital, and Web3.com Foundation. In October of the same year, Cysic won the first prize of ZPrize "Beat the Best (FPGA/GPU)" with FPGA.
Cysic's founding team has an extraordinary background and considerable strength. Co-founder Leo Fan is responsible for Cysic's system architecture and cryptography research. After obtaining a master's degree in computer science from the Chinese Academy of Sciences, he went to Cornell University to pursue a doctorate in computer science. While in school, he also worked as a researcher at IC3, Yahoo, Bell Labs, and IBM. After graduation, Leo joined Algorand, where he was responsible for cryptography research. He is currently also an assistant professor in the Department of Computer Science at Rutgers University. Co-founder Bowen Huang left his doctoral program at Yale University, from which he received a master's degree, and is now mainly responsible for chip and supply chain management at Cysic. Previously, he worked as a research engineer at the Institute of Computing Technology, Chinese Academy of Sciences. Based on their keen understanding of cryptography and hardware acceleration, they realized before 2022 that ZK is the ultimate scaling solution for the entire blockchain industry, and that hardware acceleration is the inevitable technical route to that solution.
At present, the ZK field is mainly based on two proof systems: zk-SNARKs and zk-STARKs. Zcash, Scroll, Taiko, Mina, Aztec, Manta, Anoma and others use zk-SNARKs, while Starknet, StarkEx, zkSync (already transitioned to Boojum) and others use zk-STARKs. In addition, there are ZK projects such as the Ethereum historical data protocol Axiom and the ZK technology developer Nil Foundation. According to Cysic's estimates, there are more than 50 leading ZK projects on the market with a total market value of more than 100 billion, and the total valuation of the ZKP application sector has exceeded 15 billion US dollars.
In the past two years, the ZK sector has often been criticized for its long proof generation time and high resource requirements. Taking Scroll as an example, it takes at least 1 hour and more than 280GB of RAM to generate ZK proofs using GPU. These two problems have not only hindered the large-scale adoption of ZKP, but also delayed the commercialization of Ethereum. Although STARK is faster than SNARK in proof generation time, both need hardware acceleration to bring the proving time down from hours to seconds. The vision of ZKP is to generate proofs in step with Ethereum block production. If this bottleneck cannot be broken, the ZK "real-time proof" that Vitalik expects will not be realized.
On the other hand, although the Ethereum Foundation regards ZK as the future of scaling, the market share of ZK Rollup in the Ethereum L2 field is not convincing. Currently, the top 5 L2s by TVL all use Optimistic Rollup, and ZK Rollup accounts for only 8.5% of the market. The only ZK Rollup project with a market value of more than 1 billion US dollars is Starknet, which is largely due to the foundation's ecosystem incentives and airdrop expectations. Since the ZK sector is highly valued, if hardware acceleration can largely solve the current difficulties, the market potential is obvious.


Cysic is very ambitious. Their ultimate goal is to provide a full set of GPU + ASIC hardware acceleration solutions, targeting the computing power requirements of all ZK computing scenarios such as ZK Rollup, zkML, and ZK Bridge. As a transition, Cysic has developed its own FPGA acceleration hardware in the past year, which can cover a variety of proof systems such as Halo2, RapidSnark, and Plonky2x. Its versatility and flexibility are unprecedented, and the business market is even more vast.
What does ZKP hardware accelerate? Let’s start with the ZK proof system
After introducing the potential of Cysic and the ZKP hardware acceleration market, let's look at what ZKP hardware actually accelerates. Fundamentally, it accelerates the computation of ZK proofs. Computation is a competition of computing power, which is why I think ZKP is bringing PoW back to Ethereum. But at a more micro level, what kind of calculations does ZKP hardware accelerate? Here, I will take the zk-SNARKs proof system as an example to explain the process from "arithmetization" to proof generation and verification.
First of all, any transaction behavior of the user on the chain will be packaged into the Rollup off the chain, so the transaction behavior and transaction volume will determine the complexity of the circuit and ZK proof.
Secondly, once the transaction data is submitted, it enters the "arithmetization" process: the data is constructed into ZK circuits and converted into mathematical formulas in the form of polynomials. As in ordinary program development, a ZK proof system is divided into a "front end" and a "back end". In the front end, the various types of transaction data are built into circuits of vectors and matrices through constraint systems such as R1CS and PLONK and then converted into a set of polynomials. In layman's terms, the circuit diagram is expressed as mathematical formulas, and the formulas in turn describe the circuit. This is the "arithmetization" process. The more complex and the more numerous the transactions, the larger the circuit and the higher the degree of the polynomials.
On top of arithmetization, the "back end" of the ZK proof system is built to generate zero-knowledge proofs. The figure below shows the composition of the zk-SNARKs proof system (Justin Thaler believes that zk-STARK is a FRI-based zk-SNARK), which has two major parts: PIOP and PCS. Popular PIOPs include PLONK and GKR, and popular PCSs (polynomial commitment schemes) include FRI and KZG. Usually PLONK + IPA builds the Zcash version of the Halo2 proof system, PLONK + KZG constitutes the PSE/Scroll version of Halo2, and PLONK + FRI constitutes Plonky2. The current ZK proof systems mainly include Halo2 based on KZG, Groth16, and so on.

Taking Groth16 as an example, we can flatten the computation and express it as a C-SAT (circuit satisfiability) problem in R1CS constraint form, and then reduce the C-SAT problem to a QAP satisfiability problem. The result is a series of public polynomials Ui(x), Vi(x), Wi(x), T(x) and a vector a, where a contains the public inputs and the secrets, and they satisfy the relationship shown in the figure below. For the QAP satisfiability problem, verifying the QAP given a is simple, but recovering a from the public polynomials is very difficult. The authenticity and integrity of the computation is thereby transformed into the problem of proving that the Prover has a(i). This step is particularly important for the construction of the ZKP backend.
The ZKP backend can be divided into three stages, Setup, Prover, and Verifier, each of which uses some parameters. The arithmetized polynomials and the one-time secret random number R (the origin of the term "trusted setup") are input into Setup together. Setup outputs the parameters Sp and Sv, which the Prover and the Verifier use to generate and verify proofs respectively. The Prover needs the public input and the secret to perform its calculations and generate the proof; the Verifier verifies using the proof and the public inputs. Throughout this process, the Verifier does not learn the secret.
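The R1CS-to-QAP reduction described above, as an added example that is not from the original article or from Cysic. The toy statement x^3 + x + 5 = out, the 31-bit prime field and all function names are assumptions for illustration; the relation checked is the standard QAP condition that T(x) divides (sum of a_i*U_i(x)) * (sum of a_i*V_i(x)) - (sum of a_i*W_i(x)).

```python
# Added example: R1CS -> QAP over a toy prime field (real Groth16 uses a ~254-bit field).
P = 2**31 - 1

# R1CS for x^3 + x + 5 = out; witness layout a = [1, x, out, s1, y, s2].
# Row k encodes one constraint: (A[k].a) * (B[k].a) = (C[k].a).
A = [[0, 1, 0, 0, 0, 0],   # s1  = x * x
     [0, 0, 0, 1, 0, 0],   # y   = s1 * x
     [0, 1, 0, 0, 1, 0],   # s2  = (x + y) * 1
     [5, 0, 0, 0, 0, 1]]   # out = (5 + s2) * 1
B = [[0, 1, 0, 0, 0, 0],
     [0, 1, 0, 0, 0, 0],
     [1, 0, 0, 0, 0, 0],
     [1, 0, 0, 0, 0, 0]]
C = [[0, 0, 0, 1, 0, 0],
     [0, 0, 0, 0, 1, 0],
     [0, 0, 0, 0, 0, 1],
     [0, 0, 1, 0, 0, 0]]

def witness(x):
    """Honest prover: compute every wire value for input x."""
    s1 = x * x
    y = s1 * x
    s2 = x + y
    return [1, x, s2 + 5, s1, y, s2]

def poly_add(f, g):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return [(u + v) % P for u, v in zip(f, g)]

def poly_mul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, u in enumerate(f):
        for j, v in enumerate(g):
            out[i + j] = (out[i + j] + u * v) % P
    return out

def interpolate(ys):
    """Lagrange interpolation through (1, ys[0]), (2, ys[1]), ...; low degree first."""
    acc = [0]
    for j, yj in enumerate(ys):
        basis, denom = [1], 1
        for m in range(len(ys)):
            if m != j:
                basis = poly_mul(basis, [-(m + 1) % P, 1])
                denom = denom * (j - m) % P
        acc = poly_add(acc, poly_mul(basis, [yj * pow(denom, -1, P) % P]))
    return acc

def combine(matrix, a):
    """sum_i a_i * U_i(x), where U_i interpolates column i of the matrix."""
    acc = [0]
    for a_i, column in zip(a, zip(*matrix)):
        acc = poly_add(acc, poly_mul(interpolate(column), [a_i % P]))
    return acc

def qap_remainder(a):
    """Remainder of (sum a_i U_i)(sum a_i V_i) - (sum a_i W_i) on division by T(x)."""
    t = [1]
    for k in range(1, len(A) + 1):
        t = poly_mul(t, [-k % P, 1])             # T(x) = (x-1)(x-2)...(x-n), monic
    p = poly_add(poly_mul(combine(A, a), combine(B, a)),
                 poly_mul(combine(C, a), [P - 1]))
    for i in range(len(p) - len(t), -1, -1):     # long division by the monic T(x)
        q = p[i + len(t) - 1]
        for j, t_j in enumerate(t):
            p[i + j] = (p[i + j] - q * t_j) % P
    return p[:len(t) - 1]

def qap_satisfied(a):
    """True exactly when T(x) divides the combined polynomial, i.e. a is a valid witness."""
    return not any(qap_remainder(a))
```

A forged witness, such as one claiming out = 36 for x = 3, leaves a non-zero remainder, which is what lets the satisfiability of every constraint be checked as a single polynomial identity.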

In the process of generating proofs by Prover, a lot of calculations are required. So how to make the calculation of proof generation faster? This is where hardware comes in. Under the current circumstances, the only solution is to use hardware to improve computing power. The higher the computing power, the shorter the time consumption.
Different proof systems have different computationally expensive cryptographic primitives. In the PLONK + KZG proof system, the two most time-consuming types of calculation are MSM (Multi-Scalar Multiplication) and NTT (Number Theoretic Transform). In zk-STARK, the main computational bottlenecks are NTT and Merkle hashing. MSM mainly handles calculations related to elliptic curves, while NTT is the FFT (Fast Fourier Transform) over finite fields; it can be understood as a variant and optimization of the FFT that is used for calculations on polynomials. At present, almost all mainstream ZK protocols use these two calculations extensively, and together they account for 80-95% of the proof generation time. Generally speaking, MSM accounts for 60-70% of all computing tasks and NTT for 25%. Of course, the ratio varies between implementations. One can accelerate either MSM or NTT according to its share of the computing tasks, or accelerate both at the same time.
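To make "FFT acting on finite fields" concrete, here is an added example (not from the original article or from Cysic) of a radix-2 NTT used to multiply two polynomials. The choice of the 64-bit Goldilocks prime and all function names are assumptions for illustration.

```python
# Added example: radix-2 NTT over a prime field, then polynomial multiplication
# via pointwise products. Field choice and names are illustrative assumptions.
P = 2**64 - 2**32 + 1          # Goldilocks prime; P - 1 is divisible by 2^32

def root_of_unity(n):
    """Primitive n-th root of unity for n a power of two dividing 2^32."""
    g = 2
    while pow(g, (P - 1) // 2, P) != P - 1:    # search for a quadratic non-residue
        g += 1
    return pow(g, (P - 1) // n, P)             # w^(n/2) = -1, so the order is exactly n

def ntt(values, omega):
    """Evaluate the polynomial with coefficients `values` at omega^0 .. omega^(n-1)."""
    n = len(values)
    if n == 1:
        return list(values)
    even = ntt(values[0::2], omega * omega % P)
    odd = ntt(values[1::2], omega * omega % P)
    out, w = [0] * n, 1
    for k in range(n // 2):                    # n/2 independent butterflies per layer
        t = w * odd[k] % P
        out[k] = (even[k] + t) % P
        out[k + n // 2] = (even[k] - t) % P    # uses omega^(n/2) = -1
        w = w * omega % P
    return out

def intt(values, omega):
    """Inverse transform: run the NTT with omega^-1 and scale by n^-1."""
    n_inv = pow(len(values), -1, P)
    return [v * n_inv % P for v in ntt(values, pow(omega, -1, P))]

def poly_mul_ntt(f, g):
    """Multiply coefficient lists f and g in O(n log n) field operations."""
    size = len(f) + len(g) - 1
    n = 1
    while n < size:                            # pad to the next power of two
        n *= 2
    omega = root_of_unity(n)
    fa = ntt(f + [0] * (n - len(f)), omega)
    ga = ntt(g + [0] * (n - len(g)), omega)
    return intt([x * y % P for x, y in zip(fa, ga)], omega)[:size]

def poly_mul_schoolbook(f, g):
    """O(n^2) reference used to cross-check the NTT result."""
    out = [0] * (len(f) + len(g) - 1)
    for i, x in enumerate(f):
        for j, y in enumerate(g):
            out[i + j] = (out[i + j] + x * y) % P
    return out
```

The butterflies inside each layer do not depend on one another, which is the structure that GPU, FPGA and ASIC implementations spread across parallel units.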
FPGA as a transition, ZK ASIC as the end point
Dialectically speaking, the large workload of these computing tasks also means that they are relatively simple pipeline operations, as long as the computing power is strong enough. Since the ZK proof algorithm is deterministic and only repeats the same calculations to generate the proof, a dedicated hardware architecture for these specific operations has advantages over a software implementation. If the computation can be parallelized, its difficulty is greatly reduced. As it happens, both MSM and NTT can be accelerated by high-performance hardware and support parallel computing.
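An added example (not from the original article or from Cysic) of why MSM parallelizes well: the bucket (Pippenger) method splits every scalar into small windows that are summed independently. The toy curve y^2 = x^3 + 3 over a 61-bit prime field, the window width and all function names are assumptions for illustration.

```python
# Added example: multi-scalar multiplication sum(k_i * P_i) with the bucket
# (Pippenger) method, cross-checked against naive double-and-add.
Q = 2**61 - 1                  # toy field modulus (assumption; not a production curve)
G = (1, 2)                     # a point on y^2 = x^3 + 3, since 2^2 = 1^3 + 3
INF = None                     # point at infinity

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + 3 over F_Q, including doubling."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % Q == 0:
        return INF                                         # P + (-P)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % Q, -1, Q) % Q     # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % Q, -1, Q) % Q    # chord slope
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)

def scalar_mul(k, pt):
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def msm_naive(scalars, points):
    acc = INF
    for k, pt in zip(scalars, points):
        acc = add(acc, scalar_mul(k, pt))
    return acc

def window_sum(scalars, points, shift, c):
    """Sum of digit_i * P_i for the c-bit digit at bit offset `shift`.
    Windows share no state, so each one can run on its own hardware unit."""
    buckets = [INF] * (1 << c)
    for k, pt in zip(scalars, points):
        digit = (k >> shift) & ((1 << c) - 1)
        if digit:
            buckets[digit] = add(buckets[digit], pt)       # one addition per point
    running = total = INF
    for digit in range((1 << c) - 1, 0, -1):               # total = sum of digit * bucket[digit]
        running = add(running, buckets[digit])
        total = add(total, running)
    return total

def msm_bucket(scalars, points, c=4):
    nbits = max((k.bit_length() for k in scalars), default=0)
    sums = [window_sum(scalars, points, s, c) for s in range(0, nbits, c)]
    acc = INF
    for wsum in reversed(sums):                            # recombine, highest window first
        for _ in range(c):
            acc = add(acc, acc)
        acc = add(acc, wsum)
    return acc
```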
Cysic Technology Progress and Roadmap
As mentioned above, Cysic's ultimate goal is ZK ASIC acceleration: a full set of ASIC hardware acceleration solutions including MSM and NTT computing. But as Leo Fan said, "Before doing ASIC, you need to do a lot of testing and prototyping on FPGA."
In the past year, Cysic has completed the first phase of POC design work and developed FPGA-based computing accelerators such as MSM, NTT, and Poseidon Merkle Tree, as well as an end-to-end ZK hardware acceleration solution covering the entire workflow.

Cysic FPGA prototype (under assembly)
According to the latest published data, Cysic's SolarMSM can complete 2³⁰-scale MSM calculations in 0.195 seconds, which is the highest performance solution among all publicly available FPGA-MSM hardware acceleration results. SolarNTT can complete 2³⁰-scale NTT calculations in 0.218 seconds. At the same time, Cysic's current FPGA acceleration solution has been applied to Scroll's ZK calculations, and 2²²-scale MSM and NTT calculations can be completed in about 1 millisecond (0.001 seconds).


Comparison of GPU, FPGA and ASIC
As for why the ultimate goal and the second stage are to develop ASIC, we have to go back to the comparison of acceleration hardware. The advantages of hardware acceleration are reduced power consumption, reduced latency, improved parallelism, increased throughput, and better utilization of the area and functional components on the integrated circuit. Generally speaking, due to the long calculation time and high energy consumption of CPU, it is basically not included in the scope of adoption. The three main types of acceleration hardware on the market are GPU, FPGA and ASIC, and they have different focuses in terms of versatility and efficiency.
Currently, almost all ZK projects are using GPUs for hardware acceleration, because GPUs are popular enough to become the only hardware acceleration carrier before dedicated hardware is produced. For ZK hardware acceleration vendors, GPUs are currently the most economical and configurable hardware choice. Through software-level support such as CUDA SDK, the multi-core structure of GPUs is also suitable for parallelization of calculations such as MSM. However, GPUs have some limitations. For example, the use of graphics cards such as 3080, 3090, and 4090 is easily restricted by the hardware platform, such as the motherboard bandwidth.
Like GPUs, FPGAs are programmable and reconfigurable at runtime. They can be reused for different algorithms based on system specifications and specific applications, and are more versatile and flexible. At the same time, FPGAs are also more suitable for FFT and NTT calculation types. In the final analysis, after the FPGA hardware was developed, it also became a software game. In addition, although a single FPGA cannot beat a GPU, when many FPGAs are connected together, their performance is many times higher than that of a GPU. At the same time, the hardware cost of a top-level FPGA is 3 times cheaper than that of a top-level GPU. In terms of energy efficiency, since the GPU needs to be connected to a host device, and the host device consumes a lot of power, the energy efficiency of the FPGA is 10 times higher. However, compared with GPUs, the acquisition cost of FPGA chips and the supporting requirements of the supply chain are relatively high.
ASIC is a special chip customized to meet a specific need. Its high performance and strong computing power have been regarded as the ultimate solution by ZK hardware acceleration manufacturers including Cysic. However, the business logic of ASIC is "write-once", non-programmable, and can only be used for a specific single task, and cannot process multiple ZK algorithms in parallel. ASIC is superior to GPU and FPGA in performance and energy consumption, but requires a longer production cycle. In addition, as a capital-intensive game, the production cost of ASIC is also higher.

Source: Amber Group
After a comprehensive comparison, we can understand why Cysic first chose self-developed FPGA acceleration hardware. Because ASIC is not yet universal, the cost is too high, and the time to market is long, FPGA is the best solution to seize the market in the transition period. Specifically, Cysic's FPGA hardware can adapt to a variety of ZK proof systems such as Halo2, RapidSnark, Plonky2x, and can execute all the mainstream ZK algorithms today (referring to the computing operations in ZK proof generation). In other words, FPGA can adapt to any computing power requirements of ZK computing scenarios, including ZK Rollup, ZKML, ZK Bridge, etc. At the same time, ZK proof generation not only has high computing requirements, but also high memory requirements. Today, the proof generation of the Scroll zkEVM circuit requires at least 280 GB of RAM. In the face of this demand, FPGA can be continuously stacked to expand memory capacity.
Self-developed FPGA does not mean that Cysic has given up GPU and ASIC. Cysic is also developing GPU-based hardware acceleration solutions, trying to provide more flexible ZK and AI computing acceleration services. Currently, the Cysic GPU computing network has linked hundreds of thousands of high-end 3090/4090 computing graphics cards.

Cysic graphics card and computer room
Cysic's internal data shows that the Cysic CUDA SDK is 50%-80% faster than the latest open source framework, and Cysic uses the GPU SDK to provide proof generation services for multiple top ZK projects. At the same time, Cysic's ASIC design and tape-out work is also in progress.
ZKP + DePIN: The Starry Sky of Cysic Network
If it were just ZKP acceleration hardware, Cysic would not seem to need much embellishment. But in 2024, with Helium Mobile ahead and io.net following behind, the rise of DePIN also gives Cysic more room for imagination.
What Cysic really wants to build is a Prover Network based on ZKP hardware acceleration. It will not only connect self-developed FPGA, GPU, and ASIC hardware to the Prover Network, but will also allow community users to contribute various types of computing power, adding economic incentives and governance to ZK proof generation by building a decentralized computing power network.

It can be said that through Prover Network, Cysic has completely opened up a B-side acceleration service to C-side users, becoming a bridge between ZK project parties, computing power providers and community verifiers, which is unique in the current ZKP hardware acceleration market. Before this, it was not only difficult for ordinary users to understand ZKP, but it was also difficult to buy dedicated hardware to accelerate ZKP. But the Cysic network no longer requires users to master professional knowledge. Due to its versatility, users only need to provide computing power to enter the ZKP computing power network. Just imagine, the more users in the entire network, the more computing power, the faster the ZK proof speed will be, and "real-time proof" at the second level will be just around the corner.
In fact, after Ethereum's The Merge, the former PoW miners have a large number of idle GPUs, which are extremely valuable to the Prover Network. However, most people may not have the hardware needed to participate in the DePIN network. What to do? How to bring in more community users and expand the incremental market? Cysic has done something that makes sense: it recently designed two ZK DePIN chips/devices, ZK Air and ZK Pro, which are expected to be launched in 2025.

As shown in the above picture, ZK Air is about the size of a power bank/laptop power bank. This is a lightweight and portable ZK DePIN device with a computing power greater than that of a top-level consumer graphics card. Users can connect it to a laptop, iPad, or even a mobile phone via Type-C, provide acceleration services for small-scale ZKPs through the Prover Network, and receive network rewards. At the same time, ZK Air can also be directly connected to a computer to generate timely ZK proofs locally. ZK Pro is similar to a traditional mining machine, mainly serving proprietary companies, and is suitable for large ZK projects such as zkRollup and zkML. For most users, ZK Air may be a more anticipated product.
ZKP hardware acceleration is a natural fit for DePIN. Unlike the io.net decentralized GPU network that is oriented towards AI and ML, Cysic is convinced that ZK is the future of the blockchain industry. With its self-developed hardware adapting to different ZK algorithms, it can accommodate the computing power requirements of any ZK computing scenario. In addition, with the ZK market valued at more than $15 billion, it has huge growth potential in the future.
Xiao Feng once said, "Blockchain is inherently built on DePIN, and Bitcoin hardware mining is a primary version of DePIN." ZKP hardware acceleration reminds me of Bitcoin's PoW mechanism, but with Prover Network, Cysic can truly build a computing power network belonging to ZKP. Just as PoW does not require permission, ZKP mining under the DePIN primitive will also truly become permissionless. However, ZKP mining is still different from PoW mining. In the traditional PoW mechanism, miners with higher and faster computing power can get block rewards, and the proof of work of others will be invalidated. Cysic's Prover Network does not have invalid workload, and users can always get incentives based on their computing power contribution.
Currently, users can participate in Cysic's activities on Galxe to obtain early badges, take part in NFT minting, and join the testnet that will be launched in May and June this year. According to Cysic, some early participants can receive NFT incentives. In addition, Cysic plans to conduct its TGE in the third and fourth quarters of this year.
References:
Georgios Konstantopoulos, Hardware Acceleration for Zero Knowledge Proofs, Paradigm, April 13, 2022.
Elena Burger, Decentralized Speed: Advances in Zero Knowledge Proofs, a16z crypto, April 15, 2022.
Amber Group, Need for Speed: Zero Knowledge, Sep 5, 2022.
IOSG, Why we are optimistic about zero-knowledge proof hardware acceleration, Nov, 2022.
ABCDE, Why we should invest in Cysic, Feb 18, 2023.
msfew, Criticism on ZK, April 20, 2023.
Trace, Accelerating Zero-Knowledge Proofs, Figment Capital, April 25, 2023.
Luke Pearson and the Cysic team, ZK Hardware Acceleration: The Past, the Present and the Future, April 27, 2023.
ZPrize, ZPRIZE II SPOTLIGHT: INTRODUCING THE ARCHITECTS: LEO FAN, CYSIC, Oct 10, 2023.
Loopy Lu, Why is Vitalik optimistic about ZK hardware acceleration?, BeWater, April 12, 2024.
Cysic, New Paradigm in Designing ZK-ASICs, the zkVM way, April 9, 2024.
Cysic, Towards the Verifiable Future of Ethereum: Cysic Helps Build a Trusted ZK Computing Network, 2024.
* This article was written with the help and guidance of ZK researcher Miles and ZK developer Paul, and we would like to express our special thanks!





