From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Mon, 13 Apr 2026 02:28:05 -0700 Received: from mail-oa1-f58.google.com ([209.85.160.58]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1wCDaO-0001Ja-BG for bitcoindev@gnusha.org; Mon, 13 Apr 2026 02:28:04 -0700 Received: by mail-oa1-f58.google.com with SMTP id 586e51a60fabf-41c47598af2sf6383675fac.3 for ; Mon, 13 Apr 2026 02:28:03 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1776072478; cv=pass; d=google.com; s=arc-20240605; b=fUaZ5M4uDiG4nL3Zue1aZTYmu2HEPRAkDvsIPmNxNROP9hR8Kx7qvWuRUco9DGiLu1 HfsWOvve/ALSeyUY5OFFohGnhDaSi/hOyokp7tGXWTLFQ4NdO26Z5FSBkQFkWWm7hdEe 3LvqaOW1NCpiyeUmo9bdwCQ1MUUjj9tVsGveKah8ClWEkxxdoS63EIBjCg1nDZUoePVa LI7mSBDgJPTT9D84Hn7jthCt112NwDoXJvif9p/qn8yI3PGA6/krnuUt6UFbo1AXXQi4 GX7ucixyoHPdqO4wY82VqWPnKSUHgLQy20X7Jax4fTFhvblYe7viHN4yZYVW9EqAwHXz rKDg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:content-transfer-encoding :content-language:to:subject:from:mime-version:date:message-id :dkim-signature; bh=6bXjOHhNWt02byPDOzkp8sbvUU5r8M/Z5SjdBdxh93U=; fh=VWp+9VJjGTWueSyY1auPxirJm9mbZxfgBCgRkO9SAbk=; b=VXsZ1QTPRQKIZb65mX0ocvYAmxztvWMBb9HbHM9RpfLCLBRj5zwucEQpgKRJ4UUrgl UPMZZWvpgLDfLYnumV4mqSMhHJrmOI8O7nNIrhkOqV6ZPnGLJdurPc7SQdpKtiy3CBJS GzMBV+MKFAyV0HDCOJCiL565ieQDLDl8z2NeiqJyQMUzacs7xta/fSmGDlcqd+beYbuX D6mK6a53A/gpmN0adqSYMvZvh6duVZEgNdsBFYS92aTqWHsnm72Brt9liRqR89mmAAY7 wxCjb7ZIOTu4bPS5PK6KYrBFIxPdnxkC9WoeXrieVbk3QdiEcF8FXlfUWAV5M0pzW28V RV2Q==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@mailbox.org header.s=mail20150812 header.b=GkhqNLBe; spf=pass (google.com: domain of remix7531@mailbox.org designates 80.241.56.161 as permitted sender) smtp.mailfrom=remix7531@mailbox.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=mailbox.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20251104; t=1776072478; x=1776677278; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender :content-transfer-encoding:content-language:to:subject:from :mime-version:date:message-id:from:to:cc:subject:date:message-id :reply-to; bh=6bXjOHhNWt02byPDOzkp8sbvUU5r8M/Z5SjdBdxh93U=; b=QeghJu8ERh0yKX7QgtLDsMIAhh2FE3HOODCSB/mYtYVyXfTn6vC2WxNbUlQA0Jgb+m KjSEOJuoKpJjBn4XtBTuY3y/tj7dzDpMu9VoMJeiic3MGLkQ90tq28I14V7Kr/eHNxZI xc+vbAU+81LevFi7ITXGbP+lsE9S6zaI6ZasHt+cXXYrauzYSO4FPcWS7+6Ui1PpReJK X+gI7zjIFoGg+80VYcX3lej7yg5Ngjf01cxFMxIvE7p+oil42EXIKUoYbCIfoq5JgHfr 3AgtF95A+6I2iVweS8++w3Wnil+X8v1232EQoOb3WhFUJO7E8rSkVB/9+R4+M1WwDzkN 8FDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776072478; x=1776677278; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender :content-transfer-encoding:content-language:to:subject:from :mime-version:date:message-id:x-beenthere:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=6bXjOHhNWt02byPDOzkp8sbvUU5r8M/Z5SjdBdxh93U=; b=auXc/XZswncgCN+BVeJjldj/YyPfgYl6lM3VRBm2a4No9vqgrawU6LyuwX7732nzZ3 nyDBc2gqKO72B9dUCELMb1OYpoPZaWy0pSzzWc/K5LlvkUSipqZT1bOU8omRL2Ot66Em /kMMnTS8O5GBarUVqieGk+/kUuUJ4amzrVLpgd7j6KQ3cqJ9iwbrS34/mp0+guS0lkY3 PBAUr/3ne+THH2x2iziD8J6iIFyj5TnnyhhwmE48PWT5c1ULuAjReqK8ygZ/yDckG6Ku nTrqMupDbSAeWFR13vM0K75rUNX8z5KIMEbP+0VBuHrLlL4yhwB1KnuOyPgJPibgGbSX lAZQ== X-Forwarded-Encrypted: i=2; AFNElJ+J0Na+Wf+bzWl8JUyxOkefrKAtQytQAE+gySOKTToIguZWvA6MQV3LADpaZF5leXRCPr1t/4N2dm49@gnusha.org X-Gm-Message-State: AOJu0Yx10Rpa3goGmResgAAqGFOz37XNxqOKDdnFfkYTgfMoEAxZOZ9b yyBy69v3H4hvnGDT22Pw5Sk3yt++kNZW58p1YMmBEIksjgErQs7nm3uJ X-Received: by 2002:a05:6870:b621:b0:3ec:4475:9baf with SMTP id 586e51a60fabf-423e1080239mr6814634fac.26.1776072477539; Mon, 13 Apr 2026 02:27:57 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com; h="AYAyTiIWiEpLVjpe1t9d010lgaBxOmN9B+yHdlwHIU/UfPb2Yw==" Received: by 2002:a05:6870:e9a9:b0:423:478c:291e with SMTP id 586e51a60fabf-423dd9b07bals1254479fac.2.-pod-prod-03-us; Mon, 13 Apr 2026 02:27:51 -0700 (PDT) X-Received: by 2002:a05:6808:c238:b0:464:1d9f:f9f3 with SMTP id 5614622812f47-4789f605579mr6231633b6e.26.1776072471835; Mon, 13 Apr 2026 02:27:51 -0700 (PDT) Received: by 2002:a05:600c:529b:b0:488:965a:b7a8 with SMTP id 5b1f17b1804b1-488cf323ff6ms5e9; Mon, 13 Apr 2026 02:05:39 -0700 (PDT) X-Received: by 2002:a05:600c:609a:b0:485:3e00:944a with SMTP id 5b1f17b1804b1-488d68ae78amr167350965e9.9.1776071138315; Mon, 13 Apr 2026 02:05:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1776071138; cv=none; d=google.com; s=arc-20240605; b=A7hefujR2jpSiWcpf+gXiyPw6ppM/+V7EsiBDvja5njdJdybQlGsRM/536ZwlU1gaY T/018gJTgEzEOExzBYoqIEtTvRzo9yLsfCgRb7kejaZ6JyAekV02QfM89zx3v6fWuX5p FhLKwXrESxLYoa1KgqjC8hmqzZL0v37TpeItqowyDC117xuivoDcEapLOEiRlrpcWf+s FNPWElQBrPhbKWPKOQAnw6lAgvUXuDRi5g402gyQqs/N7yJntolWL+FkrJcJWE+fXRhZ ePft0VQv8LF7jBkCA37/sYJgryZXci12rxKDQmGPNJwVm6O71jksqsfAE2PZ3P7q1goV PX+A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:content-language:to:subject:from :mime-version:date:message-id:dkim-signature; bh=DXNQf9aDY2VFFWExEgrNg3LosIQZOYGMk+sbem6d9jY=; fh=VcGcg+Zjs9gw1uDcHbxsAILhBAcecnbJzZRdxgKVDIc=; b=XQfd7OraFOWRO8dcYIBr8eMlSDgn8E+gylF6QLXJpHU0Amd4mASqWrxMDRq7QD3xWA rlzrEeLEyKiIXRKUft8jQtBo3i3iDpWEjrKXASXOXOMBSlty7V/VPMLIYOQXv16GGk5M RjXtIEfLTymdhTybNXiD2nY24z9NVyRKeAK1DlshNYrRSKmUUK4wlQPo3MxdaHwjSI4k 96pWgSseIX+fzkOPnGNkTMWoBg8X9UCnj0UhCWN/1/4c+v6oleiqX/Jg3wODlsHWv/Xp ucf2HVNf6AbXQxtOrCUP++hbV+wianzw4UpGjH+Da7tAS1Axhx2tNSF0VVaLFDbp+sAU IJfw==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@mailbox.org header.s=mail20150812 header.b=GkhqNLBe; spf=pass (google.com: domain of remix7531@mailbox.org designates 80.241.56.161 as permitted sender) smtp.mailfrom=remix7531@mailbox.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=mailbox.org Received: from mout-p-103.mailbox.org (mout-p-103.mailbox.org. [80.241.56.161]) by gmr-mx.google.com with ESMTPS id 5b1f17b1804b1-488d67a4642si1212035e9.1.2026.04.13.02.05.38 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Apr 2026 02:05:38 -0700 (PDT) Received-SPF: pass (google.com: domain of remix7531@mailbox.org designates 80.241.56.161 as permitted sender) client-ip=80.241.56.161; Received: from smtp1.mailbox.org (smtp1.mailbox.org [10.196.197.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-103.mailbox.org (Postfix) with ESMTPS id 4fvM275HbWz9syZ for ; Mon, 13 Apr 2026 11:05:35 +0200 (CEST) Message-ID: <6d80c39a-952f-4358-874a-61368e0a9911@mailbox.org> Date: Mon, 13 Apr 2026 11:05:29 +0200 MIME-Version: 1.0 From: "'remix7531' via Bitcoin Development Mailing List" Subject: [bitcoindev] Benchmarking SLH-DSA STARK Aggregation To: bitcoindev@googlegroups.com Content-Language: en-US Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: quoted-printable X-MBO-RS-ID: f38943a2cbb45465dc6 X-MBO-RS-META: o4h9q4nfxbm5a8q6iqh19dhhm1wppfad X-Original-Sender: remix7531@mailbox.org X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@mailbox.org header.s=mail20150812 header.b=GkhqNLBe; spf=pass (google.com: domain of remix7531@mailbox.org designates 80.241.56.161 as permitted sender) smtp.mailfrom=remix7531@mailbox.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=mailbox.org X-Original-From: remix7531 Reply-To: remix7531 Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -1.0 (-) Hi all, Following Ethan Heilman's "Post Quantum Signatures and Scaling Bitcoin" post [0], which proposed using STARKs to aggregate PQ signatures per block and raised the concern that proof generation could give large miners an unfair advantage if too expensive, I ran some benchmarks to put numbers on this. Full write-up with charts: https://remix7531.com/post/slh-dsa-stark-bench/ I built a proof-of-concept [1] that aggregates N SLH-DSA-SHA2-128s (FIPS 205) signature verifications into a single STARK proof using RISC Zero's zkVM with its SHA-256 precompile. Results (wall-clock proving time, succinct proofs): =C2=A0 N=C2=A0 =C2=A0 =C2=A0 RTX 5090=C2=A0 =C2=A0 =C2=A0 B200=C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0CPU (Ryzen 8640U)=C2=A0 =C2=A0Proof size =C2=A0 1=C2=A0 =C2=A0 =C2=A0 4.1 s=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A04.2 s= =C2=A0 =C2=A0 =C2=A0 =C2=A0 14 min 17 s=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A021= 8 KiB =C2=A0 8=C2=A0 =C2=A0 =C2=A0 28.9 s=C2=A0 =C2=A0 =C2=A0 =C2=A0 19.5 s=C2= =A0 =C2=A0 =C2=A0 =C2=A01 h 14 min=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 222 Ki= B =C2=A0 64=C2=A0 =C2=A0 =C2=A03 min 31 s=C2=A0 =C2=A0 2 min 33 s=C2=A0 =C2= =A0--=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 247 KiB =C2=A0 512=C2=A0 =C2=A0 26 min 28 s=C2=A0 =C2=A020 min 3 s=C2=A0 =C2=A0--= =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 454 KiB Key findings: - Proving scales roughly linearly with N. - ~3.1 s/sig on RTX 5090, ~2.3 s/sig on B200. - Proof size grows sublinearly: 218 KiB (N=3D1) to 454 KiB (N=3D512), =C2=A0 vs 3.8 MiB of raw signatures at N=3D512. - Verification is constant at ~12-15 ms regardless of N. - B200 is only 1.3x faster than RTX 5090. The workload is =C2=A0 compute-bound; RISC Zero limits segment size (PO2) to 22. At 3.1 s/sig, proving a full block on a single RTX 5090 would take over 2 hours. That is too slow as-is, but this is a general-purpose zkVM upper bound. Several things could improve this: 1. Dedicated AIR and prover: S-two's benchmarks [2] show their prover =C2=A0 =C2=A0running SHA-256 chains up to 85x faster than RISC Zero's SHA-= 256 =C2=A0 =C2=A0precompile on CPU. SLH-DSA verification has overhead beyond S= HA-256 =C2=A0 =C2=A0that is not accelerated, so the real-world speedup is unclear= . =C2=A0 =C2=A0What speedup could we realistically expect from a custom AIR = and =C2=A0 =C2=A0prover built specifically for SLH-DSA verification? I would l= ove =C2=A0 =C2=A0to hear from someone with more experience building STARK prov= ers. 2. Preprocessing: if transactions are proven as they enter the =C2=A0 =C2=A0mempool and proofs are aggregated recursively, most proving w= ork =C2=A0 =C2=A0shifts to before the block is mined. Only a final aggregation= step =C2=A0 =C2=A0remains. This needs clever batching algorithms, probably grou= ping =C2=A0 =C2=A0by fee level. =C2=A0 =C2=A0How much of the per-block proving cost could preprocessing =C2=A0 =C2=A0realistically eliminate? 3. Multi-GPU: STARK segment proving is embarrassingly parallel. RISC =C2=A0 =C2=A0Zero has experimental multi-GPU support. A cluster divides th= e =C2=A0 =C2=A0workload proportionally. Kudinov and Nick's Bitcoin-optimized SPHINCS+ [3] reduces SHA-256 compression calls by roughly 3x, which would also reduce the number of cycles a STARK prover needs per signature. That said, I lean toward sticking with NIST-standardized SLH-DSA for the ecosystem benefits (vetted implementations, HSM support, hardware acceleration path) and letting miners run a larger GPU cluster to compensate, but that is a trade-off worth discussing. Best remix7531 [0] https://groups.google.com/g/bitcoindev/c/wKizvPUfO7w [1] https://github.com/remix7531/slh-dsa-stark-bench [2] https://docs.starknet.io/learn/S-two-book/benchmarks [3] https://eprint.iacr.org/2025/2203 --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= 6d80c39a-952f-4358-874a-61368e0a9911%40mailbox.org.