EVM-Verifiable Post-Quantum Client-Side SNARK

# EVM-Verifiable Post-Quantum Client-Side SNARK *Status: preliminary proof size results and client-side benchmark results; gas benchmarking in progress.* ## Abstract *This note summarizes the current status of an EVM-verifiable post-quantum client-side SNARK project.* *In a reduced-security smoke test against the state-of-the-art (SotA) baseline (previous WHIR Solidity verifier[^solwhir]), our Spartan-WHIR[^ourcode] produces the smallest proof among the evaluated systems. Its WHIR proof is **11368 bytes**, compared with **30724 bytes** in the baseline. Its **total proof size is 13995 bytes**, which is still smaller than the **PCS proof alone** in that baseline.* *These results show that the current SotA can already be improved on proof size, so it is worth continuing toward gas measurements and higher-security parameter settings.* *A second result is that our general direction appears feasible for client-side proving. Our current prover time and RAM benchmarks indicate that the candidate systems fit within the intended client-side setting.* [^ourcode]: https://github.com/alxkzmn/spartan-whir-dev ## 1. Goal The goal is a SNARK with the following properties: * **post-quantum soundness**, * **direct EVM verification**, * **transparent setup**, * **client-side feasible proving**. ## 2. Why this direction is justified The SotA Solidity WHIR verifier (`sol-whir`)[^solwhir] is the strongest reference point we are aware of for direct on-chain verification of a post-quantum SNARK. Our current measurements already improve on that baseline. In particular, **Spartan-WHIR**[^ourcode] gives a total proof of **13,995 bytes**, while the public baseline reports **30,724 bytes** for the WHIR proof alone. The other tested WHIR-based candidates - Hyperplonk-WHIR[^hp] and Whirlaway[^waway] also reduce the WHIR proof size relative to the same baseline. [^hp]: https://github.com/alxkzmn/csp-benchmarks/tree/the-definitive-csp/hyperplonk [^waway]: https://github.com/alxkzmn/csp-benchmarks/tree/the-definitive-csp/whirlaway The SotA WHIR verifier demonstrated 1.9 MGas[^solwhir] verification cost under 100 bits of security for a 2^22 size polynomial. We expect our resulting SNARK to verify 2^22-sized circuits under 1 MGas under 100-bit security. See the table below for comparison of the SotA on-chain verification costs. |ZKP system|Verification gas cost| |-|-| |Groth16|348K[^bbgas]| |***Our Target***|***<1M***| |***sol-whir***|***1.9M***[^solwhir]| |Barretenberg|2.4M[^bbgas]| ## 3. Current proof benchmark The following parameters were used for the smoke test (taken from the baseline): * polynomial degree **k = 18**, * **security bits = 80** *[TODO bench with 128 bits]*, * **soundness = CapacityBound**, * **pow_bits = 30**, * **folding_factor = 4**, * **starting_log_inv_rate = 6**, * **rs_domain_initial_reduction_factor = 1** where available, * **KoalaBear field with quartic extension** for the Plonky3-based systems. ### 3.1 Proof size benchmark results | System | WHIR proof (bytes) | PIOP proof (bytes) | Total proof (bytes) | Prime Field | | ----------------- | ------------------:| ------------------:| -------------------:| --- | | **WHIR baseline**[^solwhir] | **30724** | - | **30724** | Bn254 | | **Spartan-WHIR**[^ourcode] | **11368** | 2627 | **13995** | KoalaBear | | Whirlaway[^waway] | 19735 | 94728 | 114463 | KoalaBear | | HyperPlonk[^hp] | 19509 | 125224 | 144789 | KoalaBear | ### 3.2 Immediate observations * **Spartan-WHIR has the smallest total proof size** among the systems evaluated. * All three candidate systems produce a **smaller WHIR proof** than the baseline. * **Spartan-WHIR’s full proof is smaller than the baseline WHIR PCS proof alone**. Relative to the **30724-byte** public baseline WHIR proof: * **Spartan-WHIR** is about **2.70x** smaller. * **Whirlaway** is about **1.56x** smaller. * **HyperPlonk** is about **1.57x** smaller. ## 4. Client-side feasibility The tested SNARKs are feasible for client-side proving. ![masking_80_keccak_proof_duration](https://hackmd.io/_uploads/SJkxGhaOZl.png) ![masking_80_keccak_peak_memory](https://hackmd.io/_uploads/HkygM2TOZx.png) *The figures show benchmark results of Hyperplobk and Whirlaway with 100 and 128 bits of security against the baseline of ProveKit* *[TODO add Spartan-WHIR CSP benchmarks]* Our current prover time and RAM benchmarks indicate that the candidate systems fit within the intended client-side setting. In this project, the feasibility cutoff for prover RAM is 4 GB, motivated by our prior survey of mobile hardware[^hwsurvey]. At this stage, the client-side prover speed is not the main goal. However, we use ProveKit as our baseline for performance as it is one of the most production-ready client-side WHIR-based ZK-SNARKs with satisfactory performance[^cspbenches]. WHIR PCS parameters allow fine-tuning of proving speed versus proof size. Since reducing proof size is our priority, we may end up with a SNARK whose proving speed could be worse than the current popular client-side systems[^cspbenches]. In that case we consider applying mobile GPU acceleration to the most demanding cryptographic primitives of our prover such as NTT *[TODO add more info on GPU acceleration]*. [^cspbenches]: https://ethproofs.org/csp-benchmarks [^hwsurvey]: https://hackmd.io/@clientsideproving/AvgMobileHardware ## 5. Next steps - Implementing the WHIR Solidity verifier over KoalaBear field, obtaining the gas benchmark data (early April) - Implementing full Spartan-WHIR verifier (April) ## 6. Future plans - Mobile GPU acceleration - Adding ZK: https://eprint.iacr.org/2026/391 - Adding frontend (Spartan is using R1CS arithmetization so a modified Circom with 31-bit field support may be a natural choice) ## Appendix A: Design Choices This section explains the choice of cryptographic primitives for our SNARK. ### A.1 WHIR for the PCS The SotA baseline[^solwhir] already shows that WHIR can support direct EVM verification, and this result has not yet been contested for a post-quantum ZK scheme. WHIR is a hash-based PCS that does not require a setup (is transparent). Therefore, WHIR enables three of the four desired properties of our SNARK, namely PQ-soundness, transparency and on-chain verifiability. [^solwhir]: https://ethresear.ch/t/on-the-gas-efficiency-of-the-whir-polynomial-commitment-scheme/21301 ### A.2 Spartan for the PIOP In the current measurements, **Spartan-WHIR** has by far the smallest non-PCS contribution among the tested systems: * **Spartan-WHIR PIOP proof:** **2627 bytes** * **Whirlaway PIOP proof:** **94728 bytes** * **HyperPlonk PIOP proof:** **125224 bytes** Besides that, Spartan-based SNARKs are know to have strong client-side performance (second-best[^cspbenches] for heavy workloads) while having a modest RAM footprint. Therefore, Spartan enables the remaining desired property of client-side feasibility. ### A.3 Small prime field A small field is attractive for multiple reasons: - smaller field elements reduce proof size and therefore reduce the calldata size; - small-field arithmetic is a natural fit for efficient prover implementations because it's well-suited to CPU optimizations like SIMD and may also create room for batching tricks on the EVM side when multiple small-field elements can be packed into a 256-bit word before reduction; - small fields are better suited for arithmetization of many kinds of circuits that don't require big values (and this is one of the reasons why the industry is gravitating towards them). We use a WHIR implementation[^whirp3] based on Plonky3 library offering a wide variety of efficient 31-bit fields (KoalaBear/BabyBear/Mersenne31). As we can see from the proof size benchmarks, KoalaBear field enables a [much smaller proof size](#31-Proof-size-benchmark-results) compared to Bn254 in the WHIR baseline. [^whirp3]: https://github.com/tcoratger/whir-p3/ ## Appendix B: Living research document A more detailed writeup can be found here: https://hackmd.io/@clientsideproving/whir-based [^bbgas]: https://blog.base.dev/benchmarking-zkp-systems