Daniel Lubarov

@dlubarov

Joined on Mar 16, 2020

  • As far as I know, there are no existing implementations of ZKPs to check Verkle proofs. Here I'll try to roughly sketch what the performance of such ZKPs could look like. Verkle proofs can be viewed as batch opening arguments, concretely for a Pedersen-style commitment scheme. When verifying a Verkle proof, most of the verifier work is in the batch reduction. This involves combining some (additively homomorphic) commitments and claimed evaluations, both using the same random scalars. See e.g. Dankrad's note.

    Curve choice

    Verkle trees are proposed to use the Bandersnatch curve. Like JubJub, it's defined over BLS12-381's scalar field. There are some good reasons for the choice of BLS12-381. It's already part of the Ethereum 2.0 design, and will have native EVM support with EIP-2537. It's also pairing-friendly, and is thought to have up to 117~120 bits of security (per NCC), favoring it over BN-254 which has up to ~100 bits. There are some downsides, though, which we'll touch on later.
  • Our vision: We want to make it practical to compile conventional code to a zkVM with reasonable performance. No zkVM today is optimized for this goal. We desire a VM with neither registers nor a dedicated stack, and one that has a small field size with low-degree constraints. We also want efficient compilation from LLVM IR to the set of VM instructions.

    Architecture

    The zkVM consists of a CPU and several coprocessors, which are connected with communication buses:

    graph TD; CPU* --- Memory*; CPU* --- Memory*; CPU* --- Memory*; CPU* --- Tip5*;
  • With the "zkEVM wars" heating up, there has been a lot of public discussion about the merits of different zkEVMs. There has been some misinformation as well, so we’d like to clarify some facts about Polygon zkEVM and how it compares to others. I’m biased, being that I work at Polygon, but I’ll try to keep the comparison fair. I’ll focus mainly on Polygon’s zkEVM and zkSync Era, since they are in production, and since I don’t know as much about other zkEVM projects. zkSync's zkEVM and prover make up over 100k lines of code. I did my best to give an accurate summary, but if there are any inaccuracies, please let me know and I will correct them.

    EVM compatibility

    Polygon zkEVM directly executes EVM bytecode. By Vitalik’s classifications, it is a type-3 zkEVM. It should become type-2 fairly soon; at the moment we're missing four precompiles. Scroll is also working toward a type-2 zkEVM. By contrast, zkSync Era uses a different bytecode format, with support for Solidity through a compiler they provide. This makes it a type-4 zkEVM: it supports Solidity, but not EVM bytecode itself. Tools such as Hardhat do not work out of the box, though they can be used with zkSync’s plugins.