Open Sourcing HyperPlonk
Tue, January 31, 2023
Today we are happy to announce that we are open-sourcing our implementation of HyperPlonk under the open-source MIT license. We are collaborating with the Ethereum Foundation on integrating HyperPlonk with the popular Halo2 library and frontend. We hope that this will benefit the community and that HyperPlonk can become a vital component for zkEVMs and other rollup solutions.
We are also pleased to share that the HyperPlonk paper has been accepted by the EUROCRYPT conference.
Our work on HyperPlonk complements our efforts in building a decentralized sequencer (read more about it here, here, and here). Our Espresso sequencer can sequence transactions for arbitrary rollups, but we are optimistic that HyperPlonk-based rollups will be among the fastest and can take full advantage of the Espresso sequencer’s speed.
HyperPlonk is a zero-knowledge proof system that is designed for large circuits as it removes the requirement for FFTs (fast Fourier transforms) and is more parallel than other proof systems. It also enables high-degree custom gates, which are important for designing efficient proofs for complex circuits.
HyperPlonk is specifically designed for super-large circuits, but even starting from about 16,000 gates, HyperPlonk outperforms our state-of-the-art Jellyfish Plonk implementation in both single and multi-threaded mode:
Implementation details and polynomial commitments
Our implementation is written in Rust and uses the arkworks library as the backend. This makes the implementation very flexible, as it can be used with any elliptic curve. Currently, the implementation uses the multilinear version of the KZG polynomial commitment (first described here). Our implementation is very modular and can support other polynomial commitment schemes (such as the Bulletproofs IPA or FRI-based ones). In fact, in the paper, we introduce Orion+, a super-fast polynomial commitment scheme that is optimized for very large circuits. It is based on Orion, which is the PCS with the fastest-known prover time, but unlike Orion, Orion+ has very small proofs (about 6 KB).
We also measured the different components of our system and can see that the sumcheck MLE operations currently dominate. There are further optimizations regarding this component that we haven’t implemented yet.
Supporting frontends and future work
Currently, our HyperPlonk implementation requires that you directly encode the gates using selector and wiring polynomials. There are multiple frontends, such as our Jellyfish frontend, the Halo2 frontend, or Circom, that could make this process significantly easier. We are glad that this step of open-sourcing will contribute to the Ethereum Foundation’s Privacy Scaling Exploration group with their effort of integrating Halo2 and HyperPlonk.
Additionally, there are significant optimizations, such as further batching and faster sumcheck implementations, that we haven’t implemented yet. These will make HyperPlonk even faster. We also recently wrote a post on how to run a variant of sumcheck that is particularly optimized for custom hardware and alleviates the concerns about hardware-friendliness raised in a different blog post.