WebGPU helps client Crypto/ZK

1 Introduction

Preface blog:

• Getting started with CUDA
• WebGPU+ZKP: Client Proof
• Getting Started with WebGPU

As noted in the November 2022 blog Efficient ECDSA & the case for client-side proving by the Personae Labs team:

A 5-minute proof generation time only available on high-end laptops is far from a viable user experience. For complete privacy, the "process of generating proofs" cannot be offloaded directly to the cloud, these proofs must be computed on the user's device. Otherwise, the user's public key needs to be sent to the server in plaintext to generate the user's proof, which gives the server enormous power—as long as the server is willing, it can destroy the user's anonymity.

For some privacy applications, it is necessary to generate proofs on the client side, but the current status quo is:

• Client-side ZK is slow.

Take the Groth16 browser benchmarks as an example:

• https://github.com/personaelabs/efficient-zk-ecdsa#run-benchmarks (JavaScript) pointed out: ECDSA_verify circuit corresponds to 163,239 constraints, running on M1 Pro Macbook Pro computer, it takes about 39 seconds to generate ECDSA_verify proof.
• https://github.com/tornadocash/tornado-core#specs (JavaScript+Solidity) points out that for a circuit with 28271 constraints, it takes about 10 seconds to generate the proof.

2. WebGPU: client-side GPU API

WebGPU is a relatively new API for the web:

• A successor to WebGL (2011)
• Initiated by Apple through the W3C in 2017, Google and Mozilla have also participated.
• Available for Google Chrome, Safari and Firefox from early 2023.
• A shader language called WGSL is used. Cuda and C++ are lower-level programming languages.
• The developer mode must be enabled for current use, such as:
  • chrome://flags/#enable-webgpu-developer-features
  • Firefox config flags：dom.webgpu.enabled, gfx.webgpu。

WebGPU:

• Not only graphics are supported: see https://threejs.org/examples/#webgpu_compute .
• Also supports computing

The accelerated performance of GPU has no doubts about the significance of Crypto/ZK:

• Ingonyama pointed out: GPU provides incredible performance, and its presence in the Crypto/ZK field will not be erased.
• ZPrize pointed out that by moving most of the time-consuming operations (MSM and FFT) in the proof generation process to the GPU for execution, the winning team's [PLONK-DIZK] proof time increased by 40%.
• Henzinger et al. pointed out that with the help of hardware acceleration, the single-server and multi-server performance of [Private Information Retrieval] has been improved. The performance of the new PIR protocol can be further improved through hardware acceleration in this complementary way.

However, the above are all explorations of server-side GPU acceleration, while client-side GPU acceleration is still in the stage of insufficient exploration.

2.1 WebGPU API

WebGPU API documentation can be found at:

• Mozilla Developer DocumentationWebGPU API

The basic architecture of WebGPU is:

it mainly includes:

• GPUAdapter: an abstraction for WebGPU implementation.
• GPUDevice: An abstraction of the underlying video card.
• GPUBuffer: Contains data copied back and forth with the GPU. Used to store input and output data.
• Shader: is the code sent to the GPU. Simpler than C++ and Cuda.
• Compute pipeline: Encapsulate the shader and GPUBuffer(s) flow to the GPU, and wait for the result.

WGSL shader code example:

the corresponding CPU and GPU performance comparison is:

3. Current status of WebGPU for Crypto/ZK

Some existing WebGPU Crypto-related basic algorithm libraries include:

• https://github.com/geometryresearch/wgsl-poseidon (Rust+TypeScript+WGSL): Implements the Poseidon hash function in WGSL based on the BN254 Scalar domain, which can run in the browser and on the command line.
• https://github.com/sampritipanda/msm-webgpu (WGSL+HTML+Python): Implements Vesta domain-based Pippenger algorithm MSM, and some other key elliptic curve arithmetic functions. [Note that wgsl does not support u64 operations, and implements modular operations based on u32 arrays. Modular operations based on u32 arrays can also refer to the scene in https://github.com/filecoin-project/ec-gpu/FIELD_LIMB_BITS == 32 . 】
• https://github.com/voidash/webgpu-examples (Rust+WGSL): Implemented BLS12-381 finite field operations.

4. The client WebGPU needs to be developed blank

Using WebGPU for client Crypto/ZK currently has the following gaps to be developed:

• Algorithm layer:
  • Implement Multi-scalar multiplication (MSM) and Number-theoretic transform (NTT) and iNTT.

Luke Pearson and the Cysic team noted:

Considering the flexibility, ease of deployment, and superior performance of GPUs, it is believed that GPU solutions will be realized months ahead of ASIC solutions.

Georgios Konstantopoulos pointed out:

MSM requires a lot of memory and is slow even when highly parallelized.
FFT requires random access to memory, making it unfriendly to hardware.
For this reason, market winners are likely to be those companies that focus on FPGAs rather than ASICs or GPUs.

4.1 Circom vs. WebGPU

Circom's current development tools are:

• condensed
• hardhat-circom

Circom is available for extremely large circuits:

• Circom-ecda

Circom currently has:

• Dark Forest ecology.
• Developer education.
• A large number of projects and graduates are involved in circom entrepreneurship.

Benchmarking Circom, WebGPU needs to pay attention to:

• Developer tools:
  • Debugging tools are immature. nothing now?
  • Most WGSL developers focus on graphics, not computation
• Domain programming language:
  • WGSL is nice, but a bit weird. Can higher level languages ​​be compiled to WGSL?
• Better abstraction for consumer GPUs:
  • Not all GPUs are created equal (e.g. phone GPU vs. computer GPU). Can WGSL run on some sort of GPU emulation layer.
• Safety Research:
  • Can malicious input be able to DOS client, or extract private data?
  • Will there be timing attacks or side-channel attacks?

4.2 Prospect of WebGPU Application

WebGPU application outlook:

• Implement efficient ZK Prover on mobile devices.
• Speed ​​up witness generation in the browser.
• Distributed Proof Network that enables any laptop user to participate.
• Distributed Private Information Retrieval network.

References

[1] Geometry team Koh Wei Jie's video sharing ZK Paris: Koh Wei Jie - Deep Dive into WebGPU on zkParis in July 2023
[2] Geometry team August 24, 2023 blog Accelerating Client-Side ZK with WebGPU