**Home Edition**

# Discussion notes #8.1: SoK - Hardware Accelerated Modular Multiplication for ZKProofs

Presenter: Erdinc Ozturk and Justin Drake

Authors:
- Erdinc Ozturk
- Justin Drake
- Sean Gulley
- Simon Peffers
- Kelly Olson

To be presented on 2020-05-14.

Resources:
* [Latest PDF version](https://docs.zkproof.org/pages/standards/accepted-workshop3/sok-hardware_acceleration.pdf)
* [Miro Whiteboard](https://zkproof.org/workshop3-board)
* [SoK Working Group](https://community.zkproof.org/g/SOK_WG_HARDWARE)
* [Additional related links](https://hackmd.io/@HtwXZr-PTFCniCs7fWFSmQ/B1AwbdI_8)

----

## Real-time notes

_Note taker: Daira Hopwood_.

Side channel attacks:
* The ASIC itself should be timing side-channel resistant.
* Daira: there could be non-timing side-channels, but I guess you're hosed anyway if an attacker can physically eavesdrop on the connection to the ASIC.

Daira: will BLS12-381 still be commonly used in two years?
* "If you use BLS12-381 you get a 1000x speed-up" is a nice incentive.
* Many users now. IETF standardization project can nail down the details.

> Expanded version: ---EranTromer
> Q by Daira: BLS12-381 is useful, but is it going to be commonly used in 3 years?
> A: It's the de facto default for blockchain projects. Ethereum 3.0, Cardano, Dfinity, Chia, others. Effort to standardize via IETF. De facto "standardization by brute force", especially once ASICs for this curve exist.

Question about recursion: BLS12-381 doesn't allow cycles.
* UltraPLONK allows recursion with a single curve.
* Daira: counterpoint -- cycles are still concretely much more efficient.
* Daira: half-pairing cycles require BN (on the pairing-friendly side) because both curves must be prime-order.

What are the resources required to optimize?
* We're optimizing for throughput and memory.

How flexible are ASICs in terms of changing firmware?
* We define a specialized instruction set that includes higher-level abstractions.

How are you planning to do the modular reductions?
* Exploring three approaches: Montgomery, Barrett, lookup.

> Others are welcome to augment/annotate using notes. Add your name. ---MyName
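Two of the three reduction strategies named in the last answer (Montgomery and Barrett; the lookup approach is not spelled out in the notes) are written out below over plain Python integers so the arithmetic that an accelerator would pipeline is visible. This is an added example and is not code from the paper, the presenters, or any project; it assumes the target modulus is the BLS12-381 base-field prime p (the standard curve constant, not a value taken from this page) and assumes a 384-bit datapath, the smallest multiple of 64 above the 381-bit p.

```python
"""Montgomery and Barrett modular reduction over plain Python integers.
Added example; not the paper's or presenters' code.
Assumptions (not from the page): modulus = BLS12-381 base-field prime,
datapath width = 384 bits."""

# BLS12-381 base-field modulus: standard curve constant, assumed as the target here.
P = 0x1A0111EA397FE69A4B1BA7B6434BACD764774B84F38512BF6730D2A0F6B0F6241EABFFFEB153FFFFB9FEFFFFFFFFAAAB
WORD_BITS = 384  # assumed datapath width; P < 2**WORD_BITS


class Montgomery:
    """Montgomery arithmetic with R = 2**w. Operands stay in Montgomery form
    (a*R mod p), so a field multiply is one wide product plus one REDC."""

    def __init__(self, p: int, w: int) -> None:
        if p % 2 == 0:
            raise ValueError("Montgomery reduction needs an odd modulus")
        self.p, self.w = p, w
        self.r = 1 << w
        self.mask = self.r - 1
        self.r2 = (self.r * self.r) % p                # R^2 mod p, used to convert in
        self.n_prime = (-pow(p, -1, self.r)) % self.r  # p * n' == -1 (mod R)

    def redc(self, t: int) -> int:
        """Return t * R^-1 mod p for 0 <= t < p*R."""
        m = ((t & self.mask) * self.n_prime) & self.mask  # makes t + m*p divisible by R
        u = (t + m * self.p) >> self.w                    # exact division by R, u < 2p
        return u - self.p if u >= self.p else u           # one conditional subtraction

    def to_mont(self, a: int) -> int:
        return self.redc((a % self.p) * self.r2)

    def from_mont(self, a_mont: int) -> int:
        return self.redc(a_mont)

    def mul(self, a_mont: int, b_mont: int) -> int:
        return self.redc(a_mont * b_mont)


class Barrett:
    """Barrett reduction: estimate q = floor(x/p) from a precomputed mu = floor(4^k / p)."""

    def __init__(self, p: int, k: int) -> None:
        if p >= 1 << k:
            raise ValueError("need p < 2**k")
        self.p, self.k = p, k
        self.mu = (1 << (2 * k)) // p

    def reduce(self, x: int) -> int:
        """Return x mod p for 0 <= x < 4^k; the quotient estimate never overshoots
        and is short by at most 2, so a couple of corrections finish the job."""
        q = (x * self.mu) >> (2 * self.k)
        r = x - q * self.p
        while r >= self.p:
            r -= self.p
        return r


def mont_mulmod(a: int, b: int, p: int = P, w: int = WORD_BITS) -> int:
    """a*b mod p via Montgomery form, converting in and back out."""
    ctx = Montgomery(p, w)
    return ctx.from_mont(ctx.mul(ctx.to_mont(a), ctx.to_mont(b)))


def barrett_mulmod(a: int, b: int, p: int = P, k: int = WORD_BITS) -> int:
    """a*b mod p via one wide product followed by one Barrett reduction."""
    return Barrett(p, k).reduce((a % p) * (b % p))


if __name__ == "__main__":
    # Constructed operands (not from the page): two field elements below P.
    a = (P - 12345) % P
    b = (P * 7 // 11) % P
    print("montgomery ok:", mont_mulmod(a, b) == (a * b) % P)
    print("barrett ok:", barrett_mulmod(a, b) == (a * b) % P)
```

The conditional subtraction in `redc` and the correction loop in `reduce` are written for readability; they are data-dependent branches, which is exactly the kind of timing leak the side-channel remark above says the ASIC must avoid, so a hardware or constant-time software version would replace them with an always-executed subtraction and a masked select.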