From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Mon, 20 Apr 2026 13:13:13 -0700 Received: from mail-ot1-f57.google.com ([209.85.210.57]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1wEuzY-0005ZW-S0 for bitcoindev@gnusha.org; Mon, 20 Apr 2026 13:13:13 -0700 Received: by mail-ot1-f57.google.com with SMTP id 46e09a7af769-7dc3cb93f2esf6416887a34.3 for ; Mon, 20 Apr 2026 13:13:12 -0700 (PDT) ARC-Seal: i=3; a=rsa-sha256; t=1776715986; cv=pass; d=google.com; s=arc-20240605; b=LNY2GvPu/ReqS5Dvyamj/+1xr76NQcEix2c+vOJsMY7Up2WLI6vNDbYK1Sg1nFlcAf nEOtLYnksMdIWRdNj21j7FbD9jZ2biv5WHoxu8bmQqcL1HDdmnSb+ahsBZ6Q7BaZtEUD uiDH9vvQ/IGxbIIo6wbim7NXYTdm8By69Iaun4aVEjbekcw2f/BephT6gmsP/KH3H4Fl 4sQI3bHiUK/Io6xvZTJfHiuUflEC65mNqEQi9RDbCFF87TAIodZjJj74kN419C9bkZh+ lF3NKhJUCMYODWwZ8CPBB6RC37IuDX9GmCMzxR/H6Mnic44h0EQoVXOjUZmlb7z9qEUf 7ZQw== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:sender:dkim-signature :dkim-signature; bh=EeI6g0Mgyt2qwykjG2CCVAoTrOOld8JjWfqm+A7osEI=; fh=ra3da9yp8a94iZZ7g2zzaptGyJlrVK/6yUv3vpGtwz8=; b=PIKdwGHsiyDXQpmEi3IW8MK7IfWm71dgyIGkTtn1QHHt8Z5Gi2Z3k/fz87N6s3JPt2 CzYSWl+iIVDY04Q4eWCctRLser0dQa5nxmr419+PR3pu2vRaLEmaijqMzeVdzyi6L1Q3 tieImQBEyMAZbQ587AcP44JLn0WkFpEHDi7jI6/fghL5058DS9wLzwHrrvBRGNtfLMe9 iNiYWSXapf0MZaxoR5J2UihsR1h/BO/gaok639z2rQOU4aO95AbtZBFAHaIZB4qrM+Bw qVsldGBfx5y2YF6GtaR8v+JOJH5EN//Z6nUpZottNogbq5Tsoc0UXct5RkcwcIH2tidx mItQ==; darn=gnusha.org ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20251104 header.b=s0huAAa7; arc=pass (i=1); spf=pass (google.com: domain of eth3rs@gmail.com designates 2607:f8b0:4864:20::1036 as permitted sender) smtp.mailfrom=eth3rs@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20251104; t=1776715986; x=1777320786; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:sender:from:to:cc:subject:date:message-id :reply-to; bh=EeI6g0Mgyt2qwykjG2CCVAoTrOOld8JjWfqm+A7osEI=; b=QzkfxsoPdYreEeJCvINo5bG9wu7XxFVXqMhLcksQ4yTKmVz2yKKmsZM4+xtYRIo8Uv ona/yTJQIqpseZozNGN4j39cS89E78sANHPn9cHfTUwxqTqAWjA2cGPnAHEClwq1htR9 qPPfar+MrXyC8nUt+3IbQyfIGNeXfrkkVoxtNvk2KnrDfiHoeWB3L7jab50V9WlNum4J tS9JljDW/EPZYUZ5A5Mq/vNjv4NuTlZKwTJOk96xBIqBNrWX18ube1ZC4x+phBSILxF7 tZGSNrxoqKHhXyg7HRZv4VhFEN7zj5rX2DSwGXsRCE1+21S8sgdNQYOTkjedph2iHQb1 Qx5Q== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776715986; x=1777320786; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=EeI6g0Mgyt2qwykjG2CCVAoTrOOld8JjWfqm+A7osEI=; b=UsK/EL8tH+FPZ4cFIVvuekQm+dGbOOGyTJWWc0BwDUkEShjnvAYYZ5M07oo6TXTnlF vtnhSen5Vtv7GYveGapQyDR/Qi9pZd4EN5oicZCJZ6lcAADhkBO5EsFkZ9nguDpuIfe9 kK6MQpuWnIXUVMLL9o4SSChNO+BYTyK4rj1Ov6puohEAYq5SHUroaWMg3j/2EyRKedsJ jJlDzD5pDnT9QrseGcrOOFP3FZxakDhxAAsWPdUh7dzoChq7sfViod7NEKah30icg1SW qCgvfiNrgsRR2dzgxGmufqTuJVAv8UmnJXrWerV9uiJzO80OUP9ynutD6d5+8hASeYn1 Smxg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776715986; x=1777320786; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:x-gm-gg:x-beenthere:x-gm-message-state :sender:from:to:cc:subject:date:message-id:reply-to; bh=EeI6g0Mgyt2qwykjG2CCVAoTrOOld8JjWfqm+A7osEI=; b=YAGjiY3ZYnliSZIxb5ksLAJjzjeyiqVAcC3qxOQxKTb4FQ1VSCYBebkkDhdmWZHBbt VEc6HuyyOzNUdhF0Bgj7sIw9odqudFGfRtDpqEL9gARuUknzYT/4RmdWz/NHBhJd73cF cCVM0gzYkeG9YHHqvdtUSiF3ByDqVGh2DT6iZ2tTIYJ/jwJMaSVxPe6GnuEJiJT9e2M2 iHeaaSA98xxCe0aboDiLzHlr2jZewvsrCz5cI6dRxJ+nto4Bkw6kzkTl8BjsmCnFLCIS nnSmUGXN7uEnS7t9nagXxv028Bnw10yW0mw0VczhEhhVhCcBPyLvoBpoOgPegKixrEyS 9SSQ== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=3; AFNElJ/1rEao6Dpnl9kz8P0jnGah6Y83EtEVVR1XVHejuNhZC+uziXQPSC8yzkG2/h9mzkGeooVd6kgKgrp4@gnusha.org X-Gm-Message-State: AOJu0Ywj8fWaKvseumZYh8ReysTth5K2OFlxFFusaCm5nd/byo1hj6ft eEeefUttL+LPInN8r3xOf0NlGBgivTlY3YnNiwzVHI5zBQvyBO8qF85e X-Received: by 2002:a05:6820:6acf:b0:694:8d83:a349 with SMTP id 006d021491bc7-6948d83a5a4mr2333968eaf.23.1776715986307; Mon, 20 Apr 2026 13:13:06 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com; h="AYAyTiJseIHsCi74ln0vZny9N024lxIZhUHSsNP5HzHju8XCRw==" Received: by 2002:a05:6871:295:b0:417:5927:12e9 with SMTP id 586e51a60fabf-4280c660f3dls2608834fac.2.-pod-prod-01-us; Mon, 20 Apr 2026 13:13:01 -0700 (PDT) X-Received: by 2002:a05:6808:f87:b0:467:da0d:5395 with SMTP id 5614622812f47-4799ca6ffcemr7950946b6e.41.1776715981077; Mon, 20 Apr 2026 13:13:01 -0700 (PDT) Received: by 2002:a54:4898:0:b0:479:9f23:6621 with SMTP id 5614622812f47-4799f236c9emsb6e; Mon, 20 Apr 2026 12:49:07 -0700 (PDT) X-Received: by 2002:a05:6830:2802:b0:7d7:ef0a:1ce9 with SMTP id 46e09a7af769-7dc951bf3c6mr10609378a34.14.1776714545724; Mon, 20 Apr 2026 12:49:05 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1776714545; cv=pass; d=google.com; s=arc-20240605; b=BAlkPm99pXy0enYFxTHhIfw110qTNQcZ6HidVDDAFavkvJn/CL3NFTYR6zsWuS2DWW FnItQw+97hP618F5f8XhLifh6nmQ1Ku+7MMvMGQ6TD3hh61WOybig0i8D5dmHShKum44 xbm4dYyyny5LMSAsbxj8cDYskvJKjoO40o8grL845MkAEuWxRyME1FB/JZ3X3Pnmo//x vvZD3v9A/g4wciURqykmL3sNUnlKNfRr+6RJVmRiihg708HkvDCYvBxJI/8Y6QIupORC OsnK7AtxnIgsw/l0TD5vHQUdqDCxFSR1a+uj0yhtXwq3kzygot3XZogx621QLYpr3Rat g2hw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=t7cMhvknQUnHVWX4Bp9vIHhTXSKEFEbmaEXjmBbTLhM=; fh=hTGF7suDjJjvUvo/zygKJuZon3Lg2LVk+/pyJJU5ipI=; b=QBHGbi2dmSGyNsfBxJr+We0nkc74/phtDl9BQ6Rh01kVSZ1w0Bdt8hGOaMKG+bWBbB vxtLWWCQ9oQBRonC+AOog821mIxbosoTzljJSneOl4LLoca5qX6IM7/5TvMBkVERRJE6 bhBGVmrz0zzbE5cemrM1eNJK7LFLGJ5xVTbLhUzQHWjtLEYbnkeEbTTPoNVXfwv1BPXO xC46vlVjy2yS9IO6aYhPTZH9B1seHlPv9uizPJOFL3Snu66utzY0P/U2I+QynC7QA1ZN rLLnoxrWY6Re6f0PL58oDS9xP7icLABdJMz5KLXcOMdfGkJ0bBA8RdkibQ7wGwhyflMR m4bA==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20251104 header.b=s0huAAa7; arc=pass (i=1); spf=pass (google.com: domain of eth3rs@gmail.com designates 2607:f8b0:4864:20::1036 as permitted sender) smtp.mailfrom=eth3rs@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com. [2607:f8b0:4864:20::1036]) by gmr-mx.google.com with ESMTPS id 46e09a7af769-7dcca592b93si96875a34.0.2026.04.20.12.49.05 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 20 Apr 2026 12:49:05 -0700 (PDT) Received-SPF: pass (google.com: domain of eth3rs@gmail.com designates 2607:f8b0:4864:20::1036 as permitted sender) client-ip=2607:f8b0:4864:20::1036; Received: by mail-pj1-x1036.google.com with SMTP id 98e67ed59e1d1-35fc258aaa4so2116316a91.2 for ; Mon, 20 Apr 2026 12:49:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1776714545; cv=none; d=google.com; s=arc-20240605; b=X8Hq5ntWUOLbL68JWu1EWIuO4cDSC3Qp6zg4ELaw4nO9CAuR14cMEt1SX/Ome1Bhry 2oQMYUlKCg1i3Man50Y5IH8ou26/AOJu76oPJIC/yNxdxZKYJrHRR+fgh3IjOTFt4oMD jro4c34kH8uKZm3F6wfpwf6uhdIUC5+aVi/GdLxdXuwqyoUXSomCk2H7I4hoTrkzcU+2 WPQ9buBSn5Q+GFtox3z6GEXTxO21fbGj0xuDI8byk8u6ug1Slwdi3VNoM8YsBKl3m/kl H3p8EGsWwXoov/Bj5dqKFbZjfwdgY/eXr+DVVTwkHUxBbkSByGHLn964CJ8R1B0URb2x 2TYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=t7cMhvknQUnHVWX4Bp9vIHhTXSKEFEbmaEXjmBbTLhM=; fh=hTGF7suDjJjvUvo/zygKJuZon3Lg2LVk+/pyJJU5ipI=; b=cghfTHZwKkquuUr7Yj96iMg9LeExpuzh4iykCRdwsiVlXyGDM/L3i6z1vlNn2Zn/Xq lMohRX6VhTbwp0fLUskHNbX66wq9D2tL6C08rfh3kR+wzHUHA+Za/nP8PsJmxbwISVLE I42ndrwP/SkGPKTB0c7OqsXO47B/30G5czr7RITVqrlUnFqL8fgw6dfudjsvQ1Fr4FCi o9MzcJqHRyxEjhIhRmRTuE/4DUqgnq7HaC80dbxmYxdsomxZ8+dZsIf66+4t4ftQrlND kIzFAaFSYIYJ3VxdBzCudev18U8atT483lccYhCE831bkfbRNvQoNcCvpWri5ubNle0I R+iQ==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; arc=none X-Gm-Gg: AeBDieumgTYGlOf4JYQ0dHkK8AhU0I+BkRbYnfX4VszR2nlDo5i7bObQQNLTDwn95Gm 4ntapoUs8hmQMitWDiTZPhgtxmH6U7IXmsZp0zI+p3XnktO1E3iJ6mOdjkDvqbjKkAs7dZ2pU6N oE0ad0sB3HbKulBF4tM1Of96UgqbHfAtum99zNFeohpdcg++nlGF3Bd8dN2mYHwh/hWZS0Cu2tA 7mBqeM3T4llLB59L2AnWY6dO4CjZT3m2pIWaRMXQPD0C1MPFGm7NLxUc5+L1T0g605CGJxpAGDT 9hWe0uZgU2O/nlD60ARfyUvId9G8ptpCWKefQP5Xow7uqcXN5YbTW69jPcKzV8mtGcYvYIUaOnR VJDVAXmGTloo4qw5jVfzx1LIrJ3FtckxMx0/2EKLhei3WzDiwhKpf2UGO/BzDVqRiQwOAhbxTh6 QSzlUi1uSGIjr308CHZk/4eH0EO0al7+DHNUXGqZn0wfuR89jkVqbdsDvqyf9sx6dd8rFZvT6mj p5/sxET5bVxr+Stfj8mFWpz54WJV2c= X-Received: by 2002:a17:90b:2ec7:b0:35f:c0d7:ac54 with SMTP id 98e67ed59e1d1-3614041aa7amr15737998a91.12.1776714544711; Mon, 20 Apr 2026 12:49:04 -0700 (PDT) MIME-Version: 1.0 References: <6d80c39a-952f-4358-874a-61368e0a9911@mailbox.org> In-Reply-To: <6d80c39a-952f-4358-874a-61368e0a9911@mailbox.org> From: Ethan Heilman Date: Mon, 20 Apr 2026 15:48:28 -0400 X-Gm-Features: AQROBzDNeC9as77I_pX7Cq4_Me1bhhI9ZgJV7zzeO1tC8ebBf_I_EzCHSMPEUWk Message-ID: Subject: Re: [bitcoindev] Benchmarking SLH-DSA STARK Aggregation To: remix7531 Cc: bitcoindev@googlegroups.com Content-Type: multipart/alternative; boundary="0000000000004e0a02064fe9975a" X-Original-Sender: eth3rs@gmail.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20251104 header.b=s0huAAa7; arc=pass (i=1); spf=pass (google.com: domain of eth3rs@gmail.com designates 2607:f8b0:4864:20::1036 as permitted sender) smtp.mailfrom=eth3rs@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.5 (/) --0000000000004e0a02064fe9975a Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable How does this change if Poseidon hash is used instead of SHA256? On Mon, Apr 13, 2026 at 5:27=E2=80=AFAM 'remix7531' via Bitcoin Development= Mailing List wrote: > Hi all, > > Following Ethan Heilman's "Post Quantum Signatures and Scaling Bitcoin" > post [0], which proposed using STARKs to aggregate PQ signatures per > block and raised the concern that proof generation could give large > miners an unfair advantage if too expensive, I ran some benchmarks to > put numbers on this. > > Full write-up with charts: > https://remix7531.com/post/slh-dsa-stark-bench/ > > I built a proof-of-concept [1] that aggregates N SLH-DSA-SHA2-128s (FIPS > 205) signature verifications into a single STARK proof using RISC Zero's > zkVM with its SHA-256 precompile. > > Results (wall-clock proving time, succinct proofs): > > N RTX 5090 B200 CPU (Ryzen 8640U) Proof size > 1 4.1 s 4.2 s 14 min 17 s 218 KiB > 8 28.9 s 19.5 s 1 h 14 min 222 KiB > 64 3 min 31 s 2 min 33 s -- 247 KiB > 512 26 min 28 s 20 min 3 s -- 454 KiB > > Key findings: > - Proving scales roughly linearly with N. > - ~3.1 s/sig on RTX 5090, ~2.3 s/sig on B200. > - Proof size grows sublinearly: 218 KiB (N=3D1) to 454 KiB (N=3D512), > vs 3.8 MiB of raw signatures at N=3D512. > - Verification is constant at ~12-15 ms regardless of N. > - B200 is only 1.3x faster than RTX 5090. The workload is > compute-bound; RISC Zero limits segment size (PO2) to 22. > > At 3.1 s/sig, proving a full block on a single RTX 5090 would take over > 2 hours. That is too slow as-is, but this is a general-purpose zkVM > upper bound. Several things could improve this: > > 1. Dedicated AIR and prover: S-two's benchmarks [2] show their prover > running SHA-256 chains up to 85x faster than RISC Zero's SHA-256 > precompile on CPU. SLH-DSA verification has overhead beyond SHA-256 > that is not accelerated, so the real-world speedup is unclear. > > What speedup could we realistically expect from a custom AIR and > prover built specifically for SLH-DSA verification? I would love > to hear from someone with more experience building STARK provers. > > 2. Preprocessing: if transactions are proven as they enter the > mempool and proofs are aggregated recursively, most proving work > shifts to before the block is mined. Only a final aggregation step > remains. This needs clever batching algorithms, probably grouping > by fee level. > > How much of the per-block proving cost could preprocessing > realistically eliminate? > > 3. Multi-GPU: STARK segment proving is embarrassingly parallel. RISC > Zero has experimental multi-GPU support. A cluster divides the > workload proportionally. > > Kudinov and Nick's Bitcoin-optimized SPHINCS+ [3] reduces SHA-256 > compression calls by roughly 3x, which would also reduce the number > of cycles a STARK prover needs per signature. That said, I lean > toward sticking with NIST-standardized SLH-DSA for the ecosystem > benefits (vetted implementations, HSM support, hardware acceleration > path) and letting miners run a larger GPU cluster to compensate, but > that is a trade-off worth discussing. > > > Best > remix7531 > > > [0] https://groups.google.com/g/bitcoindev/c/wKizvPUfO7w > [1] https://github.com/remix7531/slh-dsa-stark-bench > [2] https://docs.starknet.io/learn/S-two-book/benchmarks > [3] https://eprint.iacr.org/2025/2203 > > > -- > You received this message because you are subscribed to the Google Groups > "Bitcoin Development Mailing List" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to bitcoindev+unsubscribe@googlegroups.com. > To view this discussion visit > https://groups.google.com/d/msgid/bitcoindev/6d80c39a-952f-4358-874a-6136= 8e0a9911%40mailbox.org > . > --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= CAEM%3Dy%2BW1akMzJbiTR7Yj6d%2Bu4jO-eMo1%2B6GgjErF6PWySVks2Q%40mail.gmail.co= m. --0000000000004e0a02064fe9975a Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
How does this change if Poseidon hash is used instead of S= HA256?

On Mon, Apr 13, 2026 at 5:27=E2=80=AFAM '= remix7531' via Bitcoin Development Mailing List <bitcoindev@googlegroups.com> wrote:
<= /div>
Hi all,

Following Ethan Heilman's "Post Quantum Signatures and Scaling Bit= coin"
post [0], which proposed using STARKs to aggregate PQ signatures per
block and raised the concern that proof generation could give large
miners an unfair advantage if too expensive, I ran some benchmarks to
put numbers on this.

Full write-up with charts:
https://remix7531.com/post/slh-dsa-stark-bench/
I built a proof-of-concept [1] that aggregates N SLH-DSA-SHA2-128s (FIPS 205) signature verifications into a single STARK proof using RISC Zero'= s
zkVM with its SHA-256 precompile.

Results (wall-clock proving time, succinct proofs):

=C2=A0=C2=A0 N=C2=A0 =C2=A0 =C2=A0 RTX 5090=C2=A0 =C2=A0 =C2=A0 B200=C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0CPU (Ryzen 8640U)=C2=A0 =C2=A0Proof size
=C2=A0=C2=A0 1=C2=A0 =C2=A0 =C2=A0 4.1 s=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A04= .2 s=C2=A0 =C2=A0 =C2=A0 =C2=A0 14 min 17 s=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0218 KiB
=C2=A0=C2=A0 8=C2=A0 =C2=A0 =C2=A0 28.9 s=C2=A0 =C2=A0 =C2=A0 =C2=A0 19.5 s= =C2=A0 =C2=A0 =C2=A0 =C2=A01 h 14 min=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 222= KiB
=C2=A0=C2=A0 64=C2=A0 =C2=A0 =C2=A03 min 31 s=C2=A0 =C2=A0 2 min 33 s=C2=A0= =C2=A0--=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 247= KiB
=C2=A0=C2=A0 512=C2=A0 =C2=A0 26 min 28 s=C2=A0 =C2=A020 min 3 s=C2=A0 =C2= =A0--=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 454 KiB=

Key findings:
- Proving scales roughly linearly with N.
- ~3.1 s/sig on RTX 5090, ~2.3 s/sig on B200.
- Proof size grows sublinearly: 218 KiB (N=3D1) to 454 KiB (N=3D512),
=C2=A0=C2=A0 vs 3.8 MiB of raw signatures at N=3D512.
- Verification is constant at ~12-15 ms regardless of N.
- B200 is only 1.3x faster than RTX 5090. The workload is
=C2=A0=C2=A0 compute-bound; RISC Zero limits segment size (PO2) to 22.

At 3.1 s/sig, proving a full block on a single RTX 5090 would take over
2 hours. That is too slow as-is, but this is a general-purpose zkVM
upper bound. Several things could improve this:

1. Dedicated AIR and prover: S-two's benchmarks [2] show their prover =C2=A0=C2=A0 =C2=A0running SHA-256 chains up to 85x faster than RISC Zero&#= 39;s SHA-256
=C2=A0=C2=A0 =C2=A0precompile on CPU. SLH-DSA verification has overhead bey= ond SHA-256
=C2=A0=C2=A0 =C2=A0that is not accelerated, so the real-world speedup is un= clear.

=C2=A0=C2=A0 =C2=A0What speedup could we realistically expect from a custom= AIR and
=C2=A0=C2=A0 =C2=A0prover built specifically for SLH-DSA verification? I wo= uld love
=C2=A0=C2=A0 =C2=A0to hear from someone with more experience building STARK= provers.

2. Preprocessing: if transactions are proven as they enter the
=C2=A0=C2=A0 =C2=A0mempool and proofs are aggregated recursively, most prov= ing work
=C2=A0=C2=A0 =C2=A0shifts to before the block is mined. Only a final aggreg= ation step
=C2=A0=C2=A0 =C2=A0remains. This needs clever batching algorithms, probably= grouping
=C2=A0=C2=A0 =C2=A0by fee level.

=C2=A0=C2=A0 =C2=A0How much of the per-block proving cost could preprocessi= ng
=C2=A0=C2=A0 =C2=A0realistically eliminate?

3. Multi-GPU: STARK segment proving is embarrassingly parallel. RISC
=C2=A0=C2=A0 =C2=A0Zero has experimental multi-GPU support. A cluster divid= es the
=C2=A0=C2=A0 =C2=A0workload proportionally.

Kudinov and Nick's Bitcoin-optimized SPHINCS+ [3] reduces SHA-256
compression calls by roughly 3x, which would also reduce the number
of cycles a STARK prover needs per signature. That said, I lean
toward sticking with NIST-standardized SLH-DSA for the ecosystem
benefits (vetted implementations, HSM support, hardware acceleration
path) and letting miners run a larger GPU cluster to compensate, but
that is a trade-off worth discussing.


Best
remix7531


[0] https://groups.google.com/g/bitcoindev/c/wKi= zvPUfO7w
[1] https://github.com/remix7531/slh-dsa-stark-bench=
[2] https://docs.starknet.io/learn/S-two-book/be= nchmarks
[3] https://eprint.iacr.org/2025/2203


--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/6d80c= 39a-952f-4358-874a-61368e0a9911%40mailbox.org.

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoind= ev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.= com/d/msgid/bitcoindev/CAEM%3Dy%2BW1akMzJbiTR7Yj6d%2Bu4jO-eMo1%2B6GgjErF6PW= ySVks2Q%40mail.gmail.com.
--0000000000004e0a02064fe9975a--