In their paper, Khovratovich et al. propose a new method called hybrid compression, which allows two different hash functions to be used in SNARK proofs so that both on-chain verification gas and prover time are optimized.
Notes
Long statements are costly in Groth16; hashing the statement helps, but the hash is expensive either in the contract or in the circuit
Hybrid compression uses two hashes: one optimized for the circuit, one optimized for on-chain verification
Defines the joint UHF hardness security property and justifies it in the random oracle model
Benchmarks show near-optimal gas and prover time
For an 8KB statement: 10s prover time and 270K gas, versus 290s prover time with SHA-256 or 5M gas with Poseidon
A two-party protocol efficiently checks input equality when different hash functions are used
zkDaily (Zero-Knowledge Proofs), Tue 02.10.2026
Q&A Deep Dive
What core problem does this work solve, and why is it a pain point in smart contracts?
It addresses the high cost of verifying long statements in SNARK-based smart contracts. Verifying the statement directly makes gas grow linearly with its length, while hashing the statement into the circuit creates a hash-function dilemma: SHA-256 is cheap on-chain but expensive in circuits, while Poseidon is the opposite. Hybrid Compression resolves this by letting the contract and circuit use different hash functions while still binding the same statement securely.
How does Joint UHF Hardness differ from standard collision resistance?
Joint UHF Hardness does not ask for collisions under a single hash function. Instead, it requires that producing a UHF collision remains hard even when the seed is the sum of seeds derived from two different hash functions. It is a weaker assumption but better aligned with the actual protocol, and it can be proven directly in the random oracle model.
Why is Hybrid Compression particularly suitable for rollups and zkVMs?
Rollups and zkVMs often have very large public inputs such as batched transactions or execution traces. Hybrid Compression allows the on-chain checks around batch evaluation to use SHA-256 while keeping Poseidon inside the circuit for prover efficiency. This decoupling is especially valuable for recursive proofs and zkVM architectures.
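A toy model of the binding idea in the answers above, added here as an illustration and not taken from the paper or its code. It assumes a polynomial UHF over a prime field, a seed equal to the sum of the two hashes, and domain-separated SHA-256 standing in for Poseidon; all function names are hypothetical.

```python
import hashlib

# Assumed parameters (not from the paper): prime field, polynomial UHF, and
# domain-separated SHA-256 standing in for Poseidon (absent from the stdlib).
P = 2**255 - 19

def _to_field(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def h_contract(statement: bytes) -> int:
    """Contract-friendly hash (SHA-256)."""
    return _to_field(statement)

def h_circuit(statement: bytes) -> int:
    """Circuit-friendly hash; stand-in for Poseidon."""
    return _to_field(b"poseidon-stand-in:" + statement)

def uhf(seed: int, statement: bytes) -> int:
    """Polynomial UHF: Horner evaluation at `seed`, length as leading coefficient."""
    acc = len(statement) % P
    for i in range(0, len(statement), 31):      # 31-byte chunks fit below P
        acc = (acc * seed + int.from_bytes(statement[i:i + 31], "big")) % P
    return acc

def contract_inputs(statement: bytes, claimed_h2: int):
    """On-chain side: hash with SHA-256, add the prover's claimed circuit hash
    to form the seed, and compress the long statement to three field elements."""
    h1 = h_contract(statement)
    return h1, claimed_h2, uhf((h1 + claimed_h2) % P, statement)

def circuit_accepts(public, witness: bytes) -> bool:
    """In-circuit side: recompute the circuit hash and the UHF over the witness."""
    h1, h2, y = public
    return h2 == h_circuit(witness) and y == uhf((h1 + h2) % P, witness)

def demo():
    onchain = b"constructed batch of transactions " * 200   # constructed sample
    forged = onchain[:-1] + b"!"
    honest = circuit_accepts(contract_inputs(onchain, h_circuit(onchain)), onchain)
    # Prover proves a different statement and supplies the matching circuit hash.
    cheat = circuit_accepts(contract_inputs(onchain, h_circuit(forged)), forged)
    return honest, cheat

if __name__ == "__main__":
    print(demo())
```

In this model a prover who proves a statement other than the one the contract saw must make the two UHF values agree under a seed built from both hashes, which is the event joint UHF hardness rules out.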