The Succinct ZK residency is a 1 month in-person program hosted in Succinct’s San Francisco Office from September 23rd to October 18th. Recent advances in general-purpose ZK like SP1 have finally made it possible to iterate quickly with ZK with fast performance needed for real-world use-cases.

The purpose of the residency is to bring together teams that are either integrating ZK into an existing product or working on net-new ZK applications to an in-person hub to collaborate, exchange ideas, learn, get feedback and mentorship. Working together IRL to ideate and push the space forward.

• With existing products, we hope to accelerate development timelines with tight, in-person collaboration with the Succinct team.
• With new projects exploring novel use cases, we hope to enable exploration and ideation that can lead to longer term projects or even companies.

(Building with SP1 is not required, the residency is a broader gathering of the ZK ecosystem).

If you are interested in the program, apply now. Applications are accepted on a rolling basis (until August 30th) and due to limited space, we recommend that teams apply as early as possible.

On a personal note–my cofounder John and I met at the 0xPARC summer residency. It was one of the most generative times of my life. The people and teams that came out of that residency are working on the bleeding edge of interesting ideas in ZK & applied cryptography. We want to recreate a similar environment for the ZK builders of today.

Who should participate

Growth Stage ZK Integrators‍

If you have an established product that is integrating ZK, send engineering talent to work side by side with the Succinct team and other ZK practitioners to ship a year’s worth of progress in an intensely focused “1 month hackathon”.

‍Early Stage Builders

If you’re early in your product journey and ZK is a core component, join us and work together with other ZK natives for real time protocol design feedback. Get a peek at the bleeding edge of ZK being developed in real time.

Exploration Stage Devs

If you’re a solo builder or small group of devs exploring and experimenting with new ZK-powered ideas, join the residency to collaborate and ideate with others. Come and rapidly iterate through different ideas together.

Confirmed Teams:

• Several engineers from Polygon Labs are joining us to work on the AggLayer
• Shumo Chu (co-founder & CEO) and an engineer from Nebra are joining us to build out their 2nd generation proof aggregation protocol
• Sina.eth & Joe from Witness are building in the verifiable attestation space
• Aayush Gupta (co-founder) & other engineers from ZK Email are coming to build a more expressive ZK email experience

Focus Areas

Track 1: Upgrade the stack. ZKPs are critical to make blockchains actually scalable and private. This track is ideal for teams who have an existing product they want to make better with ZKPs or teams building next-generation versions of current blockchain infra built with ZKPs from the ground up. Ideas we are excited by include:

• Making existing rollup frameworks incorporate ZKPs (OP stack, Arbitrum Nitro, etc.)
• New rollup architectures (based rollup, etc.) that benefit from ZKPs
• Make every bridge a ZK bridge (integrating optimized ZK light clients across existing bridges that support modular security mechanisms).
• Make state machines provable (MoveVM, SVM, etc.)  
• Proof Aggregation
• Scaling Bitcoin with ZKP rollups
• Scaling onchain data access and computation with ZK coprocessors

Track 2: Real-world ZK. ZKPs have applications even beyond blockchain use cases. There are many teams exploring this nascent space. New ideas that excited us include:

• P2P payments
• ZK based identity and Self-Sovereign Identity
• Web Proofs
• An Adobe photoshop plugin that generates ZKPs for every image edit (attested image editing)
• ZKML
• Credible auctions
• Data supply chain

Confirmed Advisors & Programming

World class advisors and mentors: including Georgios (CTO @ Paradigm, built Reth, Foundry, etc.), Uma Roy (co-founder of Succinct), Dev Ojha (co-founder of Osmosis)

Weekly seminars and Q&A with industry leaders every Tuesday:

• Guillermo Angeris on resource pricing in a ZK world
• Shumo Chu on proof aggregation
• Howard Wu (founder of of Aleo)
• Jason Morton (founder of EZKL)
• and more to be announced soon!

Happy hours + team presentations with people across the ecosystem every Thursday

Other Details

When: September 23rd to October 18th (4 weeks)

Where: The Succinct office (in San Francisco, near the Embarcadero) where every resident will have a dedicated workspace + desks

Stipend: There will be optional shared AirBnbs for housing and weekday meals that will be covered by Succinct. Additional discretionary funding for flights + relocation reimbursement (if not covered by your company) can be covered by Succinct on a case by case basis.

Grant Funding Support: Additional discretionary grant funding is available for builders

Deliverables & Goals: A shipped integration or product throughout the course of the residency, along with a technical write up.

Apply Now

Because applications are accepted on a rolling basis and due to limited space we HIGHLY recommend teams to apply earlier than later. Fill out the application here.

Timeline:

• Submission due date: August 30th
• Final acceptance notifications: September 6th
• Program start: September 23rd
• Program end: October 18th

Our updated performance benchmarks for SP1’s latest production-ready release (v1.1.1). Experience unparalleled performance with our new GPU prover.

TL;DR: SP1’s new GPU prover achieves state of the art performance, with the cheapest cloud costs vs. alternative zkVMs by up to 10x, across a diverse set of blockchain workloads like light clients and EVM rollups.

SP1’s performance has improved by an order of magnitude since our launch in February, thanks to relentless performance engineering and our new GPU prover. With SP1’s v1.1.1 release, SP1 is the market-leading zkVM on both performance and cost for workloads like light clients and EVM rollups.

Get started with our latest prover today through the beta version of Succinct’s prover network (sign up here). Top teams like Polygon, Celestia, Avail and more have already generated more than 10,000 proofs and proven trillions of cycles on our prover network.

SP1’S new GPU prover achieves state-of-the-art performance with up to 10X+ cheaper cloud costs

We benchmark SP1 against RISC0 on three real-world workloads (Tendermint, Reth Block 17106222, and Reth Block 19409768) using a variety of cost-efficient AWS and Lambda Labs GPUs with on-demand pricing.

We note that RISC0’s latest benchmarks against SP1 misleadingly compared our CPU performance to their GPU results. We conducted a fair, apples-to-apples comparison on identical hardware, revealing the significant advantages of our highly optimized GPU prover and precompile-centric architecture.

Our benchmarks are performed across a variety of GPU instances, ranging from AWS g6.xlarge, AWS g6.2xlarge, AWS g6.16xlarge, Lambda Labs NVIDIA A6000, and Lambda Labs NVIDIA A100. We report the cheapest cost across all machines for each zkVM. For more methodology and a raw data sheet, refer to the methodology section.

Key Takeaway. If you’re building a rollup, SP1’s proving costs per block are 10x cheaper than any other zkVM. With readily-available GPU instances on the cloud, SP1 already achieves around a tenth of a cent proving cost per transaction for average Ethereum blocks.

Use it today. If your team wants to take advantage of our GPU prover, it is available on our prover network beta today. Follow the instructions here to sign up. It will be officially available for local usage in the upcoming weeks.

Why is SP1 the most performant ZKVM?

The performance gap between SP1 and alternative zkVMs is attributable to several key factors.

SP1’s precompile-centric architecture. SP1 has support for a flexible precompile system that can accelerate any operation, including secp256k1 and ed25519 signature verification, and sha256 and keccak256 hash functions, decreasing RISC-V cycle counts between 5-10x for many programs. Most real-world workloads (especially light clients and rollups) are dominated by repetitive operations like hashing and elliptic curve operations. SP1 has been designed from the ground up to have its precompiles (which are hand-written, optimized circuits for specific operations) offer performance competitive with ZK circuits for these use-cases, while preserving the flexibility and developer experience of a zkVM.

SP1 is 100% open-source, allowing teams like Argument (formerly known as Lurk Labs) and Scroll to implement custom precompiles for their own use-cases that have dramatically decreased cycle count and  accelerated proof generation time. Reach out here if you’re interested in doing something similar.

The idea of precompiles inside zkVMs has become an industry standard since we first introduced SP1, with it becoming a part of RISC0, Valida, Nexus, and Jolt's roadmaps. Today, SP1 is the only production-ready zkVM with extensive precompiles for all the cryptographic operations that matter (keccak256, sha256, secp256k1 and ed25519 signature verification, bn254 and bls12-381 arithmetic, and soon to include bn254 and bls12-381 pairing verification).

A two-phase prover for efficient read-write memory. SP1 uses a novel memory argument which uses a single challenge from the verifier to implement consistent memory across multiple proofs. Because of this, our proof system doesn’t pay the overhead of merkelized memory, which can add significant overhead to proving workloads.

Fundamental proof system efficiencies. We use a lower blowup factor (2 versus 4), use next-generation lookup arguments (i.e., the log derivative-based LogUp), and use a variant of FRI in Plonky3 that allows us to commit to tables of different sizes which gives us more efficient trace area utilization.

Methodology

We benchmark SP1 on v1.1.1 and RISC0 on v1.0.0. We describe the methodology to our benchmarks below.

• Real-world programs. We benchmark with programs that reflect genuine real-world usecases, like a Tendermint light client and Reth with 2 Ethereum blocks.
• End-to-end proving time. We measure only witness generation and proving time, excluding prover setup and verification.
• Constant proof size. Both systems generate proofs of constant size, using recursive verification of proofs for long RISC-V executions.
• Precompiles. Whenever available, we enable precompiles for both SP1 and RISC0.
• Hardware Acceleration. We enable hardware acceleration whenever available on both CPU and GPU. On CPU, SP1 has support for AVX and NEON, while RISC0 does not. On GPU, both SP1 and RISC0 have support for CUDA.

We do not benchmark against Valida and Jolt as the projects are still early in development and cannot run most of our benchmarking programs and do not have support for recursion.

Lastly, note that due to the very complex, multi-dimensional nature of zkVM performance (including factors like hardware, single-node vs. multi-node performance, memory usage, recursion cost, hash function selection) these benchmarks only present a simplified view of performance. We tried our best to provide as fair of a comparison as possible, although it is difficult for a single benchmark to capture all nuances.

All benchmarks are reproducible using the repository here and here is a full breakdown of our results.

Performance Roadmap

SP1’s performance is improving everyday and we expect it to continue improving significantly over the upcoming months. A quick preview of what to expect:

• A next-generation recursion system. We’re working on a new architecture for our recursion system which can combine the performance of circuit-based recursion while supporting precompiles. This will improve end-to-end performance by ~2x.
• Optimizing our two-phase prover approach. Right now we utilize a two-phase prover to have a more efficient representation of read-write memory. We recently discovered a method that will dramatically cut down the cost of phase 1 proving. This will improve end-to-end performance by 1.5x-2x.
• Better arithmetization in costly AIRs. We also have discovered better ways to arithmetize our mostly commonly used tables, such as the CPU, which will cut down proving time by another 33% for certain workloads. This will improve performance by 1.5x.
• And much more.

In the upcoming weeks, we’ll be sharing a more comprehensive overview of our performance roadmap and the future costs you can expect when proving with SP1.

Interested in using SP1?

SP1 is chosen by the best teams for production usage of ZKPs. We’re proud to be working with incredible partners, including Polygon, Celestia, Avail, Hyperlane, Taiko, Sovereign, Nebra, LayerN, Noble, Interchain Foundation, Witness, Nubit, Alpen and many others who are using SP1 for a diversity of use-cases such as rollups, interoperability, bridging, coprocessors, proof aggregation, verifiable attestations and more.

If you’re interested in using SP1 for any of your protocol’s ZKP needs, feel free to get started with the docs and also fill out this form to schedule a call with me or Uma.

In its February release, SP1 did not have recursion and onchain verification, limiting it to offchain use-cases. Today, we are excited to announce the implementation of SP1’s performant STARK recursion, enabling blazing fast end-to-end ZK proof generation with onchain verification on any EVM-compatible chain.

With this testnet launch, SP1 is the fastest, feature-complete zkVM for developers. It is the only zkVM that is fully open-source, supports the Rust standard library, has customizable precompiles for state of the art performance, and leverages the latest techniques in STARKs for performant recursion and onchain verification. Furthermore, SP1’s novel precompile-centric architecture for common operations like hashing, elliptic curve operations, and more allows for an order of magnitude performance gain for blockchain use-cases like ZK rollups, ZK bridges, and more.

Get started with the docs today or clone the project template.

SP1 is the fastest, feature-complete zkVM

Get started today: Developers can get started by following the installation instructions and creating a new project with “cargo prove new” or cloning the template repo here. Follow the docs to write programs that implement ZK light clients, ZK rollups and more. Using SP1’s SDK, developers can deploy an SP1 EVM verifier to any testnet of their choosing and generate Groth16 proofs that can be verified onchain for ~300,000 gas.

SP1 is the only zkVM with all of the features that developers need:

• Can write Rust (including std) and use existing crates: With SP1, developers can utilize existing Rust crates (including revm, alloy, tendermint-rs, serde, json, etc.) to write verifiable programs. SP1 has standard library support, allowing developers to code in Rust as they normally would.
• Recursion + Onchain verification: SP1 uses performant STARK recursion and a Groth16 STARK to SNARK wrapper to shrink the size of SP1 proofs to one that can be verifiable on any EVM chain for ~300k gas.
• Blazing fast performance: SP1’s novel “precompile-centric” architecture allows for extremely fast and cost-effective proof generation (often by an order of magnitude) for common blockchain applications like ZK rollups (including zkEVMs), ZK light clients and more.
• 100% open-source: SP1 is 100% open-source, with all constraint logic in the open and an MIT licensed codebase.
• SP1 recursion within SP1: for many use-cases, like proof aggregation or rollups, the ability to verify an SP1 proof within SP1 is critical for chaining together many proofs. SP1 supports efficient SP1 recursion and users can check out an example of this functionality in this example repository.

SP1 Mainnet Timeline: For the past few months, we have been getting SP1 audited by several world-class ZK auditing firms (alongside Plonky 3, one of SP1’s core open-source dependencies). Expect more details on SP1’s mainnet timeline in the upcoming weeks!

SP1 outperforms other zkVMs by an order of magnitude

Over the past few months, SP1’s performance has improved significantly thanks to support for AVX-512 in Plonky3, batched lookup arguments, optimized prover memory usage, and improved arithmetization. We benchmark SP1 and Risc0 on end to end proving time to get an onchain verifiable proof on a suite of realistic programs, including Merkle proof verification, a Tendermint light client and a type 1 zkEVM that leverages Reth.

We’re excited to see the vision of a precompile-centric architecture for zkVMs become a standard across the industry. RISC0 and Jolt have both recently announced that their roadmaps include adding support for precompiles. It will be interesting to revisit these results when these features get implemented by others.

Note that benchmarking is always a point in time comparison and given the complex, multi-dimensional nature of zkVM performance, any benchmark presents only a simplified view of performance. We choose to benchmark on CPU, similar to the open-source JOLT zkVM benchmark repo, but Risc0 also has support for GPUs.

SP1’s Recursion Architecture

To build performant recursion, we built an entirely new proving stack (the first open-source zkVM recursion stack) that allows for programmable verification of SP1 proofs.

• Recursion zkVM. A zkVM that implements our recursion-specific ISA (leveraging many similar primitives from our core RISC-V VM) and is heavily optimized for succinct verification.
• Recursion DSL. A custom Rust-based domain-specific-language that natively supports fields, extension fields, accelerated recursion primitives, and ZK-friendly memory. We implement a STARK verification program in this DSL.
• Recursion Compiler. A compiler that compiles programs written in the recursion DSL into multiple target backends, including our Recursion zkVM ISA and a Gnark circuit (used for PLONK-KZG verification of STARK proofs).

We believe that this toolchain, including our recursion DSL and recursion compiler, are generally useful public goods that can be utilized by many different teams to implement recursion for new proof systems, including JOLT and Binius. Please reach out to us if you’re interested in using this tooling and we are happy to provide guidance!

SP1’s updated performance vs. JOLT

We also benchmark SP1 against the newly released JOLT to provide an updated view of how SP1 compares, given its latest performance improvements. JOLT is still a work in progress, and currently does not support recursion or on-chain verification, cannot accelerate workloads with precompiles, has a relatively small upper bound on the maximum cycle count (~16 million), and only supports the RISCV32I variant of RISC-V which does not support instructions for multiplications or divisions. As a result, we can only benchmark JOLT on simple programs, such as their SHA-2 chain program used in their benchmarks (shown below). Nonetheless, given JOLT’s recency and room for further optimizations, we are impressed with its performance and find it quite an interesting line of work.

We show that SP1 out-performs JOLT for similar proof size and similar cycle count.

Appendix

End to end benchmarking on recursion and time to get to EVM verifiable Groth16 proof.

Benchmarking Methodology

The benchmarking programs can be found in this repo, including Merkle Proof Verification (SSZ withdrawals), the Tendermint ZK Light Client and SP1-Reth. For each program, we generated a proof for both zkVMs, and patched all relevant crates (including the revm, reth, sha2, crypto-bigint, curve25519-dalek and k256 crates). The “# of Cycles'” column is the number of RISC-V instructions executed by the program. The proof generation time is in seconds. Note that the cycle count for the Tendermint and Reth program is provided as 2 numbers because it is significantly smaller in the SP1 zkVM because of SP1's first-class support for precompiles. Note that all the times in the above table do not represent latency as that can be decreased with parallelized proof generation across the core and recursive stages. The core proving time + recursive proving time is the time it takes to get to a constant-sized proof. Note that SP1’s Groth16 wrapper time also includes a “shrinking” stage not present in Risc0 that adds a constant overhead of ~50 seconds, which is why the timing in that phase is longer.

SP1 was benchmarked using the poseidon2 hash function and all standard settings. All other settings were the default Risc0 prover settings in their version 0.21 release. The benchmark was run on a AWS Linux CPU machine (r7i.16xlarge) with 64 vCPUs and 512GB of RAM, with a 3-year reserved pricing of $1.92 per hour.

SP1 vs. JOLT benchmark

We benchmark JOLT with its default settings and SP1 using the poseidon hash function and with a shard size of 2^21 to make the proof size comparable to JOLT’s. The benchmark was run on a AWS Linux CPU machine (r7i.16xlarge) with 64 vCPUs and 512GB of RAM, with a 3-year reserved pricing of $1.92 per hour.

NB: Note that due to the very complex, multi-dimensional nature of zkVM performance (including factors like hardware, single-node vs. multi-node performance, memory usage, recursion cost, hash function selection) these benchmarks only present a simplified view of performance. We tried our best to provide as fair of a comparison as possible, although it is difficult for a single benchmark to capture all nuances.

We're thrilled to announce we've raised $55M led by Paradigm to make zero knowledge proofs accessible to any developer. The total raised comes across a Seed and Series A round with participation from Robot Ventures, Bankless Ventures, Geometry, ZK Validator and angels including Sreeram Kannan from Eigenlayer, Sandeep Nailwal and Daniel Lubarov from Polygon and Elad Gil.

ZK proofs are one of the most critical technologies to blockchain scaling, interoperability and privacy, but are too complex for most developers today. Succinct’s mission is to lower this barrier with our zkVM, SP1, and our decentralized prover network.

SP1 is the first 100% open-source zkVM performant enough to rival custom ZK circuits. With SP1, developers can use ZK with normal programming languages, reuse existing crates and libraries, and iterate quickly with auditable and maintainable code. SP1 shows that an extremely optimized, general-purpose system can match the performance of hand-written, specialized approaches that have historically been the only option.

The Succinct Prover Network, under active development, is a hosted infrastructure layer for any application to outsource proof-generation for open-source proof systems. Applications using SP1 (or other zkVMs) will be able to deploy programs to the network with 1 click and get fast, cheap proofs generated by a set of specialized provers. Users of this open protocol benefit from the networks’ economies of scale and strong liveness guarantees of a set of decentralized provers.

Get Involved

Today, teams like Celestia, Wormhole, Lido, Avail, Near, and Gnosis are using Succinct’s infrastructure to build ZK-enabled applications. We’re excited for SP1 and the Succinct prover network to make it possible for any developer to build with ZK. If you want to build a ZK application with maintainable and auditable Rust code, reach out today.

We’re hiring!

There’s still a lot more to build at Succinct to further accelerate ZK adoption. We are a small, highly-technical team based in San Francisco, that ships high-quality code at the frontier of ZK. We are hiring for a variety of engineering roles to continually improve SP1 and build towards the mainnet launch of our decentralized prover network. If this mission resonates with you, apply here: https://jobs.ashbyhq.com/succinct.

Acknowledgements

We’re excited to continue working with Paradigm, including collaborating with Dan Robinson on designing optimal mechanisms for proof pricing, Georgios Konstantopoulos on realizing an endgame vision of all blockchain infrastructure incorporating ZKPs built with Rust code, and of course Doug Feagin and Charlie Noyes for their unwavering support.

We’d also like to shout out the rest of our investors and advisors, including Daniel Lubarov from Polygon Zero, Jacob Arluck from Celestia, Tarun Chitra from Robot, and many others that have helped us on our journey.

Follow us at @SuccinctLabs and at succinct.xyz

We’re excited to announce SP1 Reth: an open-source proof of concept that showcases how any rollup can build a performant (type-1, bytecode compatible) zkEVM with less than 2000 lines of maintainable Rust code using SP1. SP1 Reth is an early POC, but already achieves incredible performance (around $0.01-$0.02 proving cost for an average Ethereum transaction) by leveraging SP1’s open-source, customizable precompile system, with substantial improvements to come. SP1 Reth points to a future where all rollups can become ZK rollups, utilizing the magic of ZKPs with maintainable software written in Rust.

The future of EVM rollups is a maintainable zkEVM, written in Rust.

Optimistic rollups face many challenges: 7 day withdrawal times, complicated interoperability, and (in some cases) reliance on multisigs in production instead of a fraud proof mechanism. ZK rollups leverage cryptographic truth and provide a solution to these problems, making them the endgame solution for scaling Ethereum. But today, creating a zkEVM requires a long, expensive development period from a specialized team with expertise in hand-rolling a custom ZK stack.

This complex process is why we built SP1:  a 100% open-source, customizable zkVM with performance competitive with custom circuits. With SP1, any rollup team can build a zkEVM in Rust that reuses components from existing open-source libraries and node software, with performance good enough for practical use.

The SP1 Reth proof of concept leverages existing components from the open-source Ethereum ecosystem (Reth, Revm, Alloy, Zeth) with less than 2000 LOC, and generates a ZKP of execution of full Ethereum blocks (proven with SP1). This approach has significant advantages over the status quo of zkEVMs built with custom circuits.

Because of code reuse, SP1 Reth is far more maintainable and secure, with a smaller audit surface compared to custom circuits. The usage of normal code allows for any developer to easily customize the zkEVM when adding new precompiles or making other changes.  Finally, the development time for SP1 Reth is 100x faster than with custom circuits and requires no specialized expertise.

Leveraging SP1’s open-source, customizable precompile layer for state-of-the-art performance

SP1 is 100% open-source and fully customizable, with a “precompile” system that can accelerate almost any performance bottleneck without much additional recursion overhead. This precompile system is critical for achieving SP1 Reth’s state-of-the-art performance.

SP1 Reth achieves $0.01-0.02 proving cost on typical Ethereum transactions

We benchmark SP1 Reth’s performance on a range of Ethereum blocks, showing state-of-the-art results on proving cost: $0.01-0.02 average proving cost per transaction in typical Ethereum blocks. Rollups already pay Ethereum between $0.10-$0.25 for calldata for L2 transactions–making the $0.02 cost for a ZKP of transaction execution negligible compared to DA costs, and quite practical for most L2s today.

Our benchmarks measure end-to-end proving time on a single AWS machine with 64CPUs and 512GB of RAM. Cost is calculated based on AWS reserve pricing. In production, latency can be significantly decreased with parallelized proving across a cluster. See our appendix for a detailed methodology.

Recently, Polygon Zero announced a type 1 compatible zkEVM with custom plonky2 circuits with proving costs of $0.2-0.5 per block ($0.002 to $0.003 per transaction). This benchmark shows that with a 100% open-source, customizable zkVM like SP1, the cost of proving a zkEVM implementation written in a general-purpose language is already within an order of magnitude of the cost of custom circuit-based approaches (currently 5-6x).

The Key Insight: Leveraging Precompiles for SOTA performance

Previous general-purpose zkVMs have required large clusters for proving zkEVM programs with a cost of ~$10-20 of compute per block. SP1 Reth leverages SP1’s precompile system for an order of magnitude reduction in cost, making proof generation of a zkEVM written in Rust finally practical.

SP1’s 100% open-source and customizable precompile system is the key reason why SP1 Reth’s performance is competitive with custom circuits. The key insight is most of the time spent verifying execution of an Ethereum block is in repetitive, expensive cryptographic operations like hash functions or signature verification. With SP1’s multi-table, precompile-centric architecture, the cost of “precompiles” for these operations is very similar to the cost one would pay in a circuit. Because overall cost is dominated by these precompiled operations, the overhead of a zkVM ends up mattering very little: the 80-20 principle in action.

SP1 Reth uses the precompiles that SP1 has to offer today: keccak, secp256k1, and sha256. But because SP1 is 100% open-source and customizable, there is a clear path to further reductions in proving cost, as other performance bottlenecks can also be precompiled, including big integer arithmetic and more. If you want to become an open-source contributor and help us on this mission, check out the list of Github issues in SP1 today.  

Orders of magnitude improvements to come

SP1 Reth is a simple POC and only a preview of what is possible with SP1. There are several orders of magnitude improvements on the way that we are excited about.

Precompile BigInt: Ethereum uses 256 bit arithmetic, resulting in a significant amount of zkVM cycles being spent in BigInt operations. It is straightforward to add a BigInt precompile to SP1 that will reduce this performance bottleneck.

Optimized Serde/Deserde: Right now, many of the zkVM cycles are spent on memory operations around serializing and deserializing inputs. It should be possible to utilize more efficient zero-copy Serde/Deserde libraries that reduce cycle count and improve performance significantly.

Specialized Hardware on the Succinct Proving Network: The Succinct proving network will provide a competitive marketplace for the best hardware teams to compete on proof generation costs by leveraging custom hardware–making costs go down another 10-100x.

Build with SP1 Reth or SP1

The code for SP1 Reth can be found at: https://github.com/succinctlabs/sp1-reth and the code for SP1 can be found at: https://github.com/succinctlabs/sp1. Note that SP1 and SP1 Reth are in alpha and not intended for production use. Start building with SP1 today: https://succinctlabs.github.io/sp1/.

Contribute to SP1: If you’re interested in contributing to SP1 itself, check out the list of open issues in the Github repository!

If you are a rollup team interested in building with SP1 or extending SP1 Reth, please reach out to us by filling out this form.

Acknowledgements

SP1 Reth leverages a lot of high-quality, open-source work in the Ethereum ecosystem, including Reth, Revm, Alloy and Zeth. SP1 Reth utilizes core execution primitives from Reth & Revm, RPC types from Alloy, and a MPT library as well as inspiration on execution from Zeth (a zkEVM built with Risc0’s zkVM). We also want to acknowledge Polygon Zero’s plonky2 zkEVM that is type-1 compatible and utilizes plonky2 circuits.

Appendix

Benchmarking Methodology:

The benchmarking code was run from the sp1-reth repository: https://github.com/succinctlabs/sp1-reth. The details on how the benchmark was run can be found by running the command in the README.

We ran SP1 with the Poseidon hash function and shard size of 2^19. The benchmark was run on a AWS i4g.16xlarge Linux machine with NVME disk IO  with 64 vCPUs and 512GB of RAM, with a reserved pricing of $2.286 per hour and a spot pricing of $1.928 per hour. We used the reserved pricing for computing our proving costs. The end-to-end proving time does not include fetching of witnesses or runtime execution time, as that is single-threaded and would be run on a separate, inexpensive machine with a single CPU in a production setting.

NB: Note that due to the very complex, multi-dimensional nature of zkVM performance (including factors like hardware, single-node vs. multi-node performance, memory usage, recursion cost, hash function selection) these benchmarks only present a simplified view of performance. We tried our best to provide an intellectually honest assessment of cost, although it is difficult for a single benchmark to capture all nuances. Also because SP1 is still a work in progress, the performance numbers are not final and are expected to improve over time.

We’re excited to announce Succinct Processor 1 (SP1): our first-generation zero-knowledge virtual machine (zkVM) that verifies the execution of arbitrary Rust (or any LLVM-compiled language) programs. SP1 targets an order of magnitude performance improvement vs. existing zkVMs—its alpha release is already up to 28x faster for certain programs and competitive with circuit-based approaches.

SP1 is a 100% open-source, contributor-friendly public good that takes a collaborative approach towards building the best zkVM for rollups, coprocessors, and other ZKP applications. SP1 is continuously evolving—disrupting the status quo of black-box zkVMs that are hard to customize and keep up to date with the latest proof system advances. Start building with SP1 and contributing today.

The future of truth is programmable

Zero-knowledge proofs (ZKPs) are a powerful primitive that will enable a new generation of more secure, scalable and innovative blockchain architectures that rely on truth not trust. But ZKP adoption has been held back because it is “moon math”, requiring specialized knowledge in obscure ZKP frameworks and hard to maintain one-off deployments. Performant, general-purpose zkVMs, like SP1, will obsolete the current paradigm of specialized teams hand rolling their own custom ZK stack and create a future where all blockchain infrastructure, including rollups, bridges, coprocessors, and more, utilize ZKPs via maintainable software written in Rust (or other LLVM-compiled languages).

State-of-the-art performance

SP1 achieves state-of-the-art performance on several real-world workloads inspired by common blockchain use-cases like bridging and verifying Merkle proofs. Our performance is a result of multiple design choices that utilize the latest proof system advances, including a cross-table lookup architecture, a customizable “precompile” system that can accelerate almost any performance bottleneck without much additional recursion overhead, and more.

For the first time, SP1 shows that a general-purpose zkVM can have performance competitive with circuit-based approaches, while accelerating developer productivity by orders of magnitude.

SP1 outperforms existing zkVMs by up to 28x on real world workloads

We benchmark SP1 on a variety of programs, showing between 4-28x improvements on performance on three realistic workloads. Our benchmarks measure end-to-end proving time on a single machine with 64 ARM-based CPUs, and 512GB of RAM. In production, latency can be significantly decreased with parallelized proving across a cluster for both approaches.

SP1’s blazing fast speed is a game-changer for real-world applications like a ZK Tendermint light client, reducing proving time from 2.2 hours to 4.6 minutes. Read more about our methodology in the appendix.

SP1 is competitive with circuit-based approaches while improving developer productivity by over 100x

Perhaps more interesting than SP1’s state of the art performance against existing zkVMs, is that its precompile-centric architecture allows for performance competitive with (and sometimes exceeding) that of custom hand-rolled circuits. In the cases below, we benchmark programs proven with SP1 vs. SOTA custom circuits the Succinct team has previously written for a variety of important use-cases in production. In the case of the SSZ Merkle proof verification program, the VM is actually faster than the circuit as the flexibility of the VM allows for conditional computation that a circuit does not allow for.

Development time with SP1 is >100x faster and more maintainable than with custom circuits, while proof generation speed/cost remains competitive.

Built from day one to be customizable and maintained by a diverse ecosystem of contributors

Today, zkVMs are built monolithically by isolated companies, making them difficult to customize and keep updated with the latest advances. We challenge this approach. SP1  is 100% open-source (MIT/Apache 2.0) with no code obfuscation and built to be contributor friendly, with all development done in the open. Unlike existing zkVMs whose constraint logic is closed-source and impossible to modify, SP1 is modularly architected and designed to be customizable from day one. This customizability (unique to SP1) allows for users to add “precompiles” to the core zkVM logic that yield substantial performance gains, making SP1’s performance not only state of the art vs. existing zkVMs, but also competitive with circuits in a variety of use-cases.

Embracing the Open Source Bazaar

SP1 makes use of high-quality, production-grade open-source dependencies like Plonky3 where possible, to compound with the exponential progress of ZK innovation and build a zkVM that is future proof. We believe that the terminal zkVM is similar to the Linux project: free, open-source software that is permissively licensed and maintained by an active community of contributors from a diverse set of companies and geographies. Already, multiple teams and individuals have merged PRs to SP1, including Succinct Labs, Sina (CEO, Witness), Aayush (ZK email), Preston (CTO, Sovereign Labs) and more.

SP1 is still a work-in-progress and there is much more left to build. We are open-sourcing today in the spirit of transparency and inviting the community to build the best zkVM together with us.

Build with SP1

The code for SP1 can be found at this repository: https://github.com/succinctlabs/sp1. Note that SP1 is in alpha and not yet intended for production use.

Today, developers can write programs (including complex, large programs like a Tendermint light client) in Rust (with std support), generate proofs and verify them. SP1 already supports proving of programs of arbitrary length by sharding a long computation into smaller shards, and then generating a global proof of all shards. Start building with SP1 today: https://succinctlabs.github.io/sp1/.

Check out some of the exciting use cases that can be built on top of SP1:

• An optimized Tendermint light client
• An optimized Ethereum light client
• A stateless EVM coprocessor

Contribute to SP1: If you’re interested in contributing to SP1 itself, check out the list of open issues in the Github repository.

Roadmap: In the coming months, we plan on getting audits of the core VM constraints and logic, optimizing SP1’s performance and also adding support for recursive onchain verification which will allow for converting SP1’s STARK proofs to groth16, for cheap onchain usage in Ethereum smart contracts.

Acknowledgements

SP1 is built on the shoulders of giants in this space. We would like to thank StarkWare, for being the original pioneers of STARKs and zkVMs, the Polygon Zero Labs team for creating Plonky2 and Plonky3, foundational open-source dependencies upon which SP1 is built, Risc0 for the vision of a RISC-V zkVM, Daniel Lubarov and Max Gillet for work on Valida that pioneered the cross-table lookup architecture, Ulrich Habock for Logup, and countless other individuals in the ZK space that have inspired our work.

Appendix

Performance comparison with other zkVMs:

Performance comparison with circuits:

Benchmarking Methodology

The benchmarking programs can be found in the SP1 examples directory (Fibonacci, SSZ Merkle Proofs, Tendermint ZK Light Client). For each program, we generated a proof for both zkVMs, and patched all relevant crates (including the sha2, crypto-bigint and curve25519-dalek crates). The “# of Cycles'” column is the number of RISC-V instructions executed by the program. The proof generation time is in seconds and verification time is in milliseconds. Note that the cycle count for the Tendermint program is provided as 2 numbers because it is significantly smaller in the SP1 zkVM because of SP1's first-class support for precompiles, which are difficult to add in Risc0 because constraint logic is closed-source. SP1’s architecture allows for precompiles to be added without substantially impacting recursion overhead, significantly decreasing the cycle count of complex programs and thus improving proof generation performance. For all other programs, the cycle count is relatively similar between the two zkVMs.

We chose to use the poseidon hash function for both SP1 and the Risc0 zkVM as poseidon is a standard, recursion-friendly hash used by many teams. All other settings were the default Risc0 prover settings in their repository. The benchmark was run on a AWS Linux ARM CPU machine  (r6a.16xlarge) 64 vCPUs and 512GB of RAM, with a reserved pricing of $1.64 per hour.

NB: Note that due to the very complex, multi-dimensional nature of zkVM performance (including factors like hardware, single-node vs. multi-node performance, memory usage, recursion cost, hash function selection) these benchmarks only present a simplified view of performance. We tried our best to provide as fair of a comparison as possible, although it is difficult for a single benchmark to capture all nuances. Also because SP1 is still a work in progress, the performance numbers are not final and are expected to improve over time.

Succinct is building a decentralized prover network so that anyone can build blockchain applications and infrastructure secured by cryptographic truth, not trust. Succinct unifies the proof supply chain, providing highly available proof generation infrastructure with best-in-class pricing, for rollups, coprocessors and other applications using zero-knowledge proofs.

An era of truth, not trust.

Crypto is failing at its mission. We were promised transparent, verifiable, and trustless systems for global-scale coordination. Instead, we got bridge hacks, multisig L2s with no fraud proofs, and committees of 21 validators controlling billions of dollars.

The problem with trust is that it does not scale. Multisig or committee-based systems of small size have obvious problems, but even stake-based mechanisms with crypto-economic properties have their own inefficiencies: capital is a scarce resource and the operational overhead of recruiting staked parties, like node operators or watchers, is complex and time-intensive.

With recent advances in zero-knowledge proofs (ZKPs), we have an opportunity to replace trust-based committees with cryptographic truth. Zero-knowledge proofs allow developers to irrevocably prove any statement, such as a blockchain’s state transition function or a proof of consensus. They are permissionless, with no dependency on external capital or operators for security, easily programmable to prove the validity of any statement, and efficient, requiring only one party for generating a proof which can be verified by anyone else in the world. Democratizing access to programmable truth will enable a new generation of more secure, scalable, and innovative architectures, within blockchain contexts and beyond, that rely on truth not trust.

Bringing programmable truth inside every application.

2023 was a turning point for production deployment of meaningful ZK systems, including Polygon Hermez, zkSync, and Scroll. The latest advances in proof system research, custom hardware and zkVM design will only accelerate this trend in 2024—making ZK broadly viable as the foundation for blockchain scaling.

The proof supply chain of today is broken and has not kept up with the pace of ZK innovation. It is fragmented, requiring developers of ZKP-based applications to set up inefficient, one-off deployments specific to their use-case, imposing high coordination overhead, creating reliance on centralized provers for liveness and slowing down development time. The integration of programmable truth in every part of the stack, including L2s, coprocessors, bridges, and more, necessitates more sophisticated ZK infrastructure–the motivation for Succinct Network.

Succinct is building a base layer for zero-knowledge proofs that creates a resilient and unified proof supply chain. We envision a ZKP ecosystem where a variety of applications and infrastructure seamlessly integrate the latest research in proof systems and custom hardware, while benefiting from the economies of scale and liveness guarantees of a decentralized network of provers. Succinct’s unified protocol aggregates proving demand across applications and provides the following benefits:

• For developers: a standardized interface to easily build with any open-source zkVM or proof system to secure your application with cryptographic truth.
• For applications: outsource your proving to a decentralized network of provers with strong liveness and censorship-resistance guarantees, that provides the cheapest pricing for proofs due to economies of scale of the network.
• For provers: participate in an open marketplace for proving and earn fees for generating proofs with cost-effectiveness and high reliability.

Succinct Network is a schelling point for the exponential progress of ZK innovation, breaking down existing walled gardens, and providing a unified protocol that accelerates ZK adoption.

Succinct Network Architecture: The First Unified Proof Supply Chain

The Succinct Network is an application-specific blockchain optimized for fast-finality, short-term censorship resistance, and sovereignty. It provides developers a unified protocol to build applications secured by programmable truth based on the latest advances in open-source proof systems, zkVMs, and hardware. It coordinates all parties in efficient price discovery of proof generation on a highly available decentralized network.

Use state of the art open-source proof systems or zkVMs: Proof system research has led to orders of magnitude improvements in prover overhead, allowing for a wide variety of complex applications to be proven in a ZKP. The rise of open-source and modular frameworks that implement the latest research has accelerated the production deployment of applications, once thought to be infeasible, including zkEVMs, ZK bridges, and more.

Succinct’s protocol provides a simple set of standards for any open-source proof system or zkVM that makes integration straightforward for application developers. These applications can be deployed through the Succinct Platform  (announced in November), the first “frontend” for the Succinct Network.  

Decentralized proof generation on a diversity of hardware with efficient price discovery: ZKP hardware acceleration has shown a future where proving costs decrease 10-100 fold with specialized hardware. Applications can utilize cryptographic truth with minimal tradeoffs on cost, making ZKPs viable for all infrastructure.

Today’s ZKP landscape requires applications to build and manage their own infrastructure—a challenging task as cost-effective proving increasingly requires custom hardware and efficient hardware utilization. With Succinct, applications simply submit proof requests to the network and an auction mechanism matches these requests with a diverse set of provers who run latest generation hardware. Users of Succinct’s network don’t have to run their own infrastructure and can be assured by the high liveness guarantees of the network itself.

Short-term censorship resistance ensures that the auction is fair (bids from provers cannot be censored) and fast-finality ensures that proof generation is coordinated with low latency. Provers are required to stake with the network to prevent griefing and the network’s consensus determines which prover can “claim” the proof (according to the auction results) to prevent duplicate work. The competitive free-market mechanism for pricing proofs guarantees applications get the cheapest possible costs.

Network economies of scale: Coordinating zero-knowledge proof generation on a decentralized marketplace benefits end-users through the economies of scale of proving and aggregation.

Proving costs decrease with better hardware utilization. The network aggregates demand, providing provers with proof orderflow from different applications, enabling them to invest in operating more efficient infrastructure, such as custom data centers and hardware for proof generation.

Aggregation decreases onchain verification costs. Proofs that are not latency sensitive can be aggregated into a single proof before being delivered on chain, reducing the verification cost of a zero-knowledge proof (~200K gas) by an order of magnitude.

Join Us

Today, teams like Celestia (Blobstream X), Avail (Vector bridge), Gnosis (native bridge) and others are building applications that utilize the unified standards of Succinct’s protocol and are deployed with Succinct’s platform (a “frontend” to the Succinct Network). Succinct’s ecosystem is rapidly expanding to include projects from all across the stack who benefit from programmable truth.

If your protocol wants to utilize decentralized proof generation or you’re a node operator or hardware team interested in participating in the network as a prover, please reach out here.  We will be announcing more details about Succinct Network and a testnet in the upcoming months.

We are hiring: If this problem space and mission resonate with you, we are hiring developers to join us in building this decentralized prover network and democratize access to zero knowledge proofs. Apply here.