RISC Zero zkVM 1.2: Introducing Application-defined precompiles
TLDR;
zkVM 1.2 introduces a new approach to precompiles in zkVMs, enabling precompiles to be shipped with the application, rather than built into the zkVM.
For Boundless, this approach gives users more control, by removing the need for applications and provers to agree on a matching set of precompiles. Moreover, this approach avoids disruptions for projects in production, since new precompiles can be added without requiring a new verifier contract.
The performance impact of our precompiles is immediate and dramatic. Our partner Automata integrated our RSA precompile and instantly reduced their guest program’s cycle count from 39M to 217K, resulting in a ~180X cost reduction.
Our latest zkVM 1.2 release unlocks new capabilities in how precompiles work in zero-knowledge systems. We’re introducing a new approach called “application-defined precompiles” - a departure from traditional precompiles that have dominated zkVM architectures since 2021.
The History of Precompiles
The history of precompiles in zkVMs reflects a journey from fixed, protocol-dependent optimizations to the programmable future we're building today:
2021 Summer: The original pattern for using precompiles in zkVMs dates back to CAIRO’s “builtins,” described in Section 2.8 of the CAIRO paper.
2022 Spring: When we first released the RISC Zero zkVM, we included a sha2 precompile, using the approach described in the CAIRO paper.
2022 Summer: Miden v0.2 introduces chiplets, which function as precompiles for hashing, bitwise operations, range checks, and memory operations.
2023 Spring: RISC Zero zkVM v0.15 added support for a “bigint” precompile, using techniques we learned from Alan Szepieniec (Triton-VM) and Hamish Ivey-Law (Polygon Zero).
2024 February: SP1 is released, adopting and championing the precompile-centric design that Valida introduced.
2024 December: RISC Zero zkVM v1.2 introduces application-defined precompiles, enabling precompiles for algebraic primitives to be shipped with the application, rather than built into the zkVM.
Entering the Era of Application-defined Precompiles
zkVM 1.2 introduces a fundamental innovation in how precompiles work. Unlike traditional precompiles, which require extensive coordination between developers, provers, and verifiers, our application-defined precompiles bring several advances:
Universal Compatibility: Developers can deploy new precompiles without updating on-chain verifier contracts or coordinating with provers to use a new circuit.
Infrastructure Independence: Add optimizations without forking the zkVM or modifying existing systems.
Boundless-Ready: Designed from the ground up to run on the Boundless protocol, bringing better ZK performance to all chains.
This independence means developers can optimize their applications immediately, while proof providers can serve any application without special configuration, a critical foundation for the future of decentralized proving.
How it works
Our new precompiles are made possible by our novel bigint architecture, a component of Zirgen. Zirgen includes an MLIR dialect called bigint, which we’ve used to build programs including ec_add and ec_double. We’ve used those bigint programs to build precompiles for key cryptographic operations like RSA and ECDSA signatures. Amazingly, Bonsai and Boundless can operate seamlessly without any knowledge of these precompiles. zkVM 1.2 includes the bones necessary to prove correctness of any bigint program, enabling the guest program to supply its own precompiles.
Under the hood, this is achieved through our novel application of Fiat-Shamir randomness. While zkVMs traditionally use this for permutation and lookup arguments, we've extended its application to enable precompiles for elliptic curve operations and other algebraic primitives. This breakthrough builds on ideas first proposed by Hamish Ivey-Law (Polygon Zero) and expanded by Alan Szepieniec (Triton-VM).
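The page does not spell out the check itself, so the following is an added sketch (not RISC Zero's or Zirgen's code) of the standard polynomial-identity way to verify one bigint modular multiplication at a Fiat-Shamir-derived point. The 61-bit field, byte limbs, SHA-256 transcript and all function names are assumptions made for illustration.

```python
import hashlib
from functools import reduce

P = 2**61 - 1  # assumed prime field modulus for this sketch
B = 256        # limb base: a bigint is a polynomial with byte coefficients

def limbs(x, k):
    return [(x >> (8 * i)) & 0xFF for i in range(k)]  # little-endian, k limbs

def poly_mul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] += fi * gj
    return out

def prove(a, b, n, k):
    """Witness for a*b = q*n + r (a, b < n): limbs plus the carry polynomial C
    with A(X)*B(X) - Q(X)*N(X) - R(X) = (B - X) * C(X)."""
    q, r = divmod(a * b, n)
    A, Bl, N, Q, R = (limbs(v, k) for v in (a, b, n, q, r))
    d = [ab - qn for ab, qn in zip(poly_mul(A, Bl), poly_mul(Q, N))]
    for i, ri in enumerate(R):
        d[i] -= ri
    C, carry = [], 0
    for di in d[:-1]:
        carry = (di + carry) // B  # exact: the left side vanishes at X = B
        C.append(carry)
    return A, Bl, N, Q, R, C

def ev(coeffs, z):  # Horner evaluation in F_P
    return reduce(lambda acc, c: (acc * z + c) % P, reversed(coeffs), 0)

def challenge(*polys):
    # Fiat-Shamir: z is derived by hashing everything the prover committed to
    digest = hashlib.sha256(repr(polys).encode()).digest()
    return int.from_bytes(digest, "big") % P

def verify(A, Bl, N, Q, R, C):
    k = len(N)
    if any(len(p) != k for p in (A, Bl, Q, R)) or len(C) != 2 * k - 2:
        return False
    if any(not 0 <= x < B for p in (A, Bl, N, Q, R) for x in p):
        return False  # limb range check
    if any(abs(c) > k * B for c in C):
        return False  # bounded carries make the field identity hold over the integers
    z = challenge(A, Bl, N, Q, R, C)
    lhs = (ev(A, z) * ev(Bl, z) - ev(Q, z) * ev(N, z) - ev(R, z)) % P
    return lhs == (B - z) * ev(C, z) % P
```

The verifier performs only a handful of field operations per limb and never multiplies the big integers; a complete check would also constrain r < n.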
Performance at Scale
Our application-defined precompiles deliver performance gains at multiple levels. Like all precompiles, they remove RISC-V overhead from core cryptographic operations. However, we go further by leveraging Fiat-Shamir randomness in order to massively reduce the work required to verify elliptic curve operations and other algebraic primitives. For more details on the underlying cryptography, check out this talk from zkSummit.
The RISC Zero Advantage
Behind every zkVM precompile lies complex cryptographic engineering. Each precompile call generates witness data that must be proven to satisfy specific constraints and connect back to the main proof. This is where our approach stands out:
Built-in Integration
Our precompiles for algebraic operations are built directly into the main RISC-V program
This integration keeps the proving architecture simple and efficient
Results in minimal sequential dependencies during proof generation
By contrast, the approach used by Valida & SP1 requires an independent witness generation for each precompile. Moreover, all witness generation (for the main program and for all precompiles) must complete before any proving can begin.
At first glance, this doesn’t seem like an issue, because one would assume that the costs of generating the witness are negligible compared to the costs of proving. In practice, however, we are observing that the end-to-end proving time for large-scale proving is bottlenecked by the witness generation.
As with the rest of our system, we’ve engineered our approach to precompiles for efficient horizontal scalability. In this case, this means that we aim to avoid sequential dependencies in our precompile architecture so that we can start the proving before we finish the witness generation.
What’s Next?
We're adding significant performance improvements across our stack. Our new Keccak precompile will deliver a 2X boost in proving performance for ETH block proving. Similarly, the upcoming major revision of our RISC-V circuit will deliver a 2X boost in performance.
For developers, we're expanding our algebraic precompile framework to support a broader range of cryptographic primitives. This gives teams even more flexibility to optimize their specific use cases.
And of course, there's Boundless—the universal ZK protocol that brings these capabilities to all chains. Developer access is already live, and we're preparing for our public testnet launch. Start building today.