A transparent, post-quantum zero-knowledge proof system implemented in Rust — no trusted setup, no elliptic curves, no pairings.
Built as a research foundation for Orbinum Network, an L1 blockchain that uses Groth16 for transaction privacy today. HYPER-SNARK explores what a future migration to a hash-only, quantum-resistant proof system would look like.
| Property | Value |
|---|---|
| Trusted setup | None (fully transparent) |
| Post-quantum | Yes — BLAKE3 hash-based, no pairings |
| Arithmetization | R1CS (Circom-compatible .r1cs / .wtns) |
| Hash function | BLAKE3 (256-bit) |
| Prover complexity | O(n log n) |
| Verifier complexity | O(log n) |
| Field | BN254 scalar field (254-bit prime) |
HYPER-SNARK is an IOP (Interactive Oracle Proof) compiled to a non-interactive proof via Fiat-Shamir. The protocol has three stages:
1. Arithmetization — An R1CS instance with m constraints and witness z is converted to univariate polynomials a(x), b(x), c(x) via IFFT over the domain H = {ω⁰, …, ω^{m−1}}. R1CS satisfaction is equivalent to the quotient polynomial h(x) = (a(x)·b(x) − c(x)) / Z_H(x) being a valid polynomial (i.e., division is exact).
2. Polynomial Commitment — Each polynomial is evaluated over a blowup domain (4× oversampled), committed as the root of a BLAKE3 Merkle tree, and opened at a random challenge point with Merkle authentication paths.
3. Verification — The verifier recomputes the Fiat-Shamir challenge r from the public transcript and checks:
By Schwartz-Zippel, a cheating prover succeeds with probability ≤ 2m/|F| ≈ 2⁻²⁴⁵.
For a deeper treatment of the protocol and security analysis, see docs/crypto-analysis.md.
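The arithmetization step above, worked through on the README's own demo circuit (x*y = z, z+5 = w) as an added example. This is not code from the HYPER-SNARK crate: it swaps the BN254 scalar field for the toy prime field F_97 so that the numbers stay readable, pads the two constraints to a domain of size M = 4 (22 generates the order-4 subgroup of F_97), and uses its own function names. It builds a(x), b(x), c(x) by inverse NTT over H, divides a·b − c by Z_H(x) = x^M − 1, and checks the quotient identity at a challenge point; a witness that claims 3*4 = 13 leaves a non-zero remainder, which is exactly what the verifier's check at a random r catches.

```python
# Added example: HYPER-SNARK's arithmetization stage on the README's demo circuit
# (x*y = z, z+5 = w), carried out over a toy prime field instead of BN254 so the
# numbers stay small. Function names are this example's own, not the crate's API.
P = 97       # toy prime (the real scheme uses the 254-bit BN254 scalar field)
M = 4        # constraint count padded to a power of two: |H| = M
OMEGA = 22   # 22^2 = 96 = -1 (mod 97), so 22 generates the order-4 subgroup H

def inv(a):
    return pow(a, P - 2, P)

def ntt(vals, w):
    """Cooley-Tukey NTT over F_P: coefficients -> evaluations on {w^i}."""
    n = len(vals)
    if n == 1:
        return list(vals)
    even = ntt(vals[0::2], w * w % P)
    odd = ntt(vals[1::2], w * w % P)
    out = [0] * n
    wk = 1
    for k in range(n // 2):
        t = wk * odd[k] % P
        out[k] = (even[k] + t) % P
        out[k + n // 2] = (even[k] - t) % P
        wk = wk * w % P
    return out

def intt(evals, w):
    """Inverse NTT (the IFFT of the README): evaluations on H -> coefficients."""
    n_inv = inv(len(evals))
    return [c * n_inv % P for c in ntt(evals, inv(w))]

def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):          # Horner; coefficients are low-to-high
        acc = (acc * x + c) % P
    return acc

def poly_mul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] = (out[i + j] + fi * gj) % P
    return out

def poly_sub(f, g):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return [(x - y) % P for x, y in zip(f, g)]

def poly_divmod(num, den):
    """Schoolbook long division over F_P; returns (quotient, remainder)."""
    num = list(num)
    dl = len(den) - 1
    lead_inv = inv(den[-1])
    q = [0] * max(len(num) - dl, 1)
    for i in range(len(num) - 1, dl - 1, -1):
        coef = num[i] * lead_inv % P
        q[i - dl] = coef
        for j in range(dl + 1):
            num[i - dl + j] = (num[i - dl + j] - coef * den[j]) % P
    return q, num[:dl]

# Constructed R1CS for x*y = z and (z + 5)*1 = w over witness [1, x, y, z, w],
# padded with two all-zero rows (0*0 = 0) so that m = M = 4.
A = [[0, 1, 0, 0, 0], [5, 0, 0, 1, 0], [0] * 5, [0] * 5]
B = [[0, 0, 1, 0, 0], [1, 0, 0, 0, 0], [0] * 5, [0] * 5]
C = [[0, 0, 0, 1, 0], [0, 0, 0, 0, 1], [0] * 5, [0] * 5]
Z_H = [P - 1] + [0] * (M - 1) + [1]   # vanishing polynomial x^M - 1 of H

def witness(x, y):
    z = x * y % P
    return [1, x, y, z, (z + 5) % P]

def dot(row, vec):
    return sum(r * v for r, v in zip(row, vec)) % P

def arithmetize(wit):
    """Row i of A.z, B.z, C.z is the value at omega^i; IFFT turns each into a polynomial."""
    return tuple(intt([dot(row, wit) for row in mat], OMEGA) for mat in (A, B, C))

def quotient(wit):
    """h(x) = (a.b - c) / Z_H; the witness satisfies the R1CS iff the remainder is zero."""
    a, b, c = arithmetize(wit)
    return poly_divmod(poly_sub(poly_mul(a, b), c), Z_H)

def check_at_point(wit, r):
    """Verifier-side identity at challenge r: a(r).b(r) - c(r) == h(r).Z_H(r)."""
    a, b, c = arithmetize(wit)
    h, _ = quotient(wit)
    lhs = (poly_eval(a, r) * poly_eval(b, r) - poly_eval(c, r)) % P
    return lhs == poly_eval(h, r) * poly_eval(Z_H, r) % P

if __name__ == "__main__":
    good, bad = witness(3, 4), [1, 3, 4, 13, 18]   # bad: claims 3*4 = 13
    print("good remainder:", quotient(good)[1], "bad remainder:", quotient(bad)[1])
    print("check at r=42:", check_at_point(good, 42), check_at_point(bad, 42))
```

Because the remainder for a bad witness has degree below M, it vanishes at no more than M − 1 points of the field, which is the small-field version of the 2m/|F| Schwartz-Zippel bound quoted above.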
Apple Silicon · release build · 3–5 iterations · 19 Mar 2026
| Circuit | Constraints | HS prove | HS verify | HS proof | G16 prove | G16 proof | PLONK prove | PLONK verify | PLONK proof |
|---|---|---|---|---|---|---|---|---|---|
| disclosure | 1,169 | 17.7 ms | 1.1 ms | 67.0 KB | 7.4 ms | 128 B | 924 ms | 314 ms | 2.2 KB |
| private_link | 1,035 | 14.5 ms | 1.0 ms | 68.8 KB | — | — | 958 ms | 325 ms | 2.2 KB |
| unshield | 11,782 | 59.8 ms | 2.2 ms | 105.6 KB | — | — | 4,662 ms | 326 ms | 2.2 KB |
| transfer | 41,468 | 152.8 ms | 6.4 ms | 136.3 KB | 104.2 ms | 128 B | 33,862 ms | 554 ms | 2.2 KB |
G16 proofs exist only for disclosure and transfer (the two circuits benchmarked in the Groth16 reference repo).
PLONK proof size is constant regardless of circuit size — that is a defining property of the scheme.
Run the comparison scripts yourself — see scripts/SCRIPTS.md.
- Rust 1.70+ — `curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh`
- Node.js ≥ 18 — for witness generation (`npx snarkjs`)
```bash
git clone https://github.com/orbinum/hyper-snark
cd hyper-snark
cargo build --release
cargo test   # ~100 tests
```

Proves and verifies a built-in x*y=z, z+5=w circuit:

```bash
cargo run -- demo
```

```bash
# 1. Fetch circuit artifacts from CDN
bash scripts/fetch-circuits.sh
# 2. Generate witnesses
bash scripts/gen-witnesses.sh
# 3. Prove
cargo run --release -- prove circuits/build/transfer.r1cs circuits/build/transfer_witness.wtns \
    --proof proof.bin --public public.json
# 4. Verify
cargo run --release -- verify proof.bin public.json
```

The scripts/ directory contains ready-to-run benchmark and analysis tools for the Orbinum circuits (disclosure, transfer, unshield, private_link). Circuit artifacts are downloaded automatically from https://circuits.orbinum.io/v1.
| Script | Purpose |
|---|---|
| fetch-circuits.sh | Download .r1cs, .wasm, .ark from CDN with SHA-256 verification |
| gen-witnesses.sh | Generate .wtns witness files using snarkjs |
| compare-with-groth16.sh | Side-by-side benchmark: HYPER-SNARK vs Groth16 |
| compare-with-plonk.sh | Side-by-side benchmark: HYPER-SNARK vs PLONK |
| profile-prover.sh | Per-phase prover timing (FFT, Merkle, FRI, …) |
| soundness-report.sh | Engineering soundness bounds from config + .r1cs sizes |
Full usage and expected outputs: scripts/SCRIPTS.md
```text
src/
├── config.rs         # Protocol constants (security params, domain sizes)
├── field.rs          # Prime field arithmetic (BN254 scalar field)
├── polynomial.rs     # Univariate polynomial algebra (Horner, Lagrange, divmod)
├── fft.rs            # Cooley-Tukey FFT / IFFT over finite fields
├── merkle.rs         # Binary Merkle tree + authentication paths (BLAKE3)
├── commitment.rs     # Hash-based polynomial commitment scheme
├── transcript.rs     # Fiat-Shamir sponge (BLAKE3 absorb/squeeze)
├── r1cs.rs           # Rank-1 Constraint System (R1CS)
├── circom_loader.rs  # Binary parser for Circom .r1cs / .wtns files
├── proof.rs          # Proof structure + bincode/zstd serialization
├── prover.rs         # Full prover pipeline
├── verifier.rs       # Verifier pipeline
└── utils.rs          # File I/O, hex encoding, proof stats
```
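The commitment and Fiat-Shamir stages that merkle.rs, commitment.rs and transcript.rs implement, reduced to a few dozen lines as an added example. This is not the crate's code: it uses the standard library's blake2b-256 in place of BLAKE3 (which Python's stdlib lacks), the toy field F_97 with a 16-point blowup domain (4× a size-4 constraint domain, matching the README's blowup factor), a 32-byte field-element encoding, and function names of its own. It shows a polynomial evaluated over the blowup domain, committed as a Merkle root with separate leaf/node domain prefixes, opened at a query index derived from the public transcript, and re-verified from root, value and authentication path alone.

```python
# Added example: the Merkle-commitment and Fiat-Shamir steps in miniature.
# blake2b-256 from the standard library stands in for BLAKE3 (not in stdlib);
# the domain, prime and function names are this example's own, not the crate's.
import hashlib

P = 97          # toy prime field (the scheme uses the BN254 scalar field)
N = 16          # blowup domain: 4 x (M = 4 constraints), as in the README
OMEGA_N = 8     # 8 has multiplicative order 16 in F_97 (8^8 = 96 = -1)

def h(data: bytes) -> bytes:
    return hashlib.blake2b(data, digest_size=32).digest()

def fe_bytes(v: int) -> bytes:
    return v.to_bytes(32, "big")

def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def blowup_evals(coeffs):
    """Evaluate the committed polynomial on the 4x oversampled domain <OMEGA_N>."""
    return [poly_eval(coeffs, pow(OMEGA_N, i, P)) for i in range(N)]

def merkle_layers(leaves):
    """Bottom-up layers; 0x00/0x01 prefixes separate leaf and node hashing."""
    layer = [h(b"\x00" + fe_bytes(v)) for v in leaves]
    layers = [layer]
    while len(layer) > 1:
        layer = [h(b"\x01" + layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
        layers.append(layer)
    return layers

def commit(leaves) -> bytes:
    return merkle_layers(leaves)[-1][0]

def open_at(leaves, idx):
    """Authentication path: the sibling at every level from leaf to root."""
    path = []
    for layer in merkle_layers(leaves)[:-1]:
        path.append(layer[idx ^ 1])
        idx >>= 1
    return path

def verify_opening(root, idx, value, path) -> bool:
    """Recompute the root from (value, path); the verifier never sees the tree."""
    node = h(b"\x00" + fe_bytes(value))
    for sibling in path:
        node = h(b"\x01" + node + sibling) if idx % 2 == 0 else h(b"\x01" + sibling + node)
        idx >>= 1
    return node == root

def fiat_shamir(root: bytes, public_inputs):
    """Challenge = hash of the public transcript (root || public inputs).
    Returns (field element r, query index); the verifier recomputes both."""
    transcript = root + b"".join(fe_bytes(v) for v in public_inputs)
    digest = h(b"hyper-snark-toy/challenge" + transcript)
    r = int.from_bytes(digest[:16], "big") % P
    q = int.from_bytes(digest[16:], "big") % N
    return r, q

def prove_and_verify(coeffs, public_inputs):
    """One commit -> challenge -> open -> verify round trip."""
    leaves = blowup_evals(coeffs)
    root = commit(leaves)
    r, q = fiat_shamir(root, public_inputs)          # prover derives the challenge
    opening = (q, leaves[q], open_at(leaves, q))      # ... and ships value + path
    r2, q2 = fiat_shamir(root, public_inputs)         # verifier re-derives it
    ok = (r2, q2) == (r, q) and opening[0] == q2 and verify_opening(root, *opening)
    return ok, r

if __name__ == "__main__":
    print(prove_and_verify([3, 1, 4, 1], [17]))      # constructed sample polynomial and public input
```

The challenge is bound to the root before any opening is produced, so a prover cannot pick the leaf after learning which index will be queried; that ordering is what makes the Fiat-Shamir transform sound in the non-interactive setting. A real transcript absorbs every commitment and public value in a fixed order, which is what the crate's sponge in transcript.rs is for.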
| Document | Description |
|---|---|
| docs/crypto-analysis.md | Full cryptographic analysis: soundness, assumptions, limitations |
| docs/timeline/README.md | Research timeline — what was built and why |
| docs/research/deep-fri-stir-v2.md | Roadmap toward DEEP-FRI + STIR for smaller proofs |
| docs/research/pq-security.md | Post-quantum security analysis and parameter study |
| scripts/SCRIPTS.md | Benchmark scripts guide |
Key parameters in src/config.rs:
| Constant | Default | Description |
|---|---|---|
| TARGET_SOUNDNESS_BITS | 96 | Target soundness level |
| FRI_QUERY_ROUNDS | 20 | Merkle query rounds per polynomial (40 with pq-full) |
| FRI_BLOWUP | 4 | Evaluation domain blowup factor |
| HASH_BINDING_BITS | 128 | Merkle commitment binding security |

Security/performance profiles via environment:

```bash
HYPER_SNARK_PROFILE=pq           # 32 FRI queries
HYPER_SNARK_PROFILE=pq-full      # 40 FRI queries
HYPER_SNARK_PHASE_TIMING=1       # print per-phase prover timing
```

This is a research prototype:
- No hiding: commitments are binding but not perfectly hiding (no randomized blinding).
- No batching: each polynomial is committed and opened independently; FRI batching would reduce proof size ~4×.
- No recursion: no proof composition (Halo/Nova-style).
- Not production-audited: the soundness argument covers the quotient-identity check and Merkle binding, but does not yet include a formal FRI proximity proof.
AGPLv3 — See LICENSE. Copyright © 2026 Orbinum Network.