Hekate ZK Engine

Zero-knowledge proof system over binary tower fields. Streaming architecture. Bounded memory. Edge-native.

Hekate proves computations in GF(2^128) using Sumcheck + Brakedown PCS with O(N) prover time and O(N) memory. No FFTs, no trace materialization, no server-grade RAM. Proves ML-KEM decapsulation and ML-DSA signature verification on a laptop and mobile.

Why it exists

Existing ZK provers — RISC Zero, Plonky2/3, Binius, Stwo, Winterfell — materialize the full execution trace in RAM before proving, then run FFT-based commitments that blow memory up another 2x–8x. Real workloads sit on a 128 GB+ floor; Plonky3 swap-deaths past 2^24, Binius needs 76 GB just for Keccak at 2^20. That floor kills client-side proving — no mobile, no browser, no edge node.

Hekate streams through the trace, folds in-place, and discards intermediate state. Peak memory is bounded per-table, not per-computation. A 2^24 Keccak proof runs in 29.7 GB on a consumer laptop where Plonky3 and Binius crash.

What it does

• Binary tower field arithmetic — GF(2^8) through GF(2^128), recursive tower extension, hardware-accelerated via PMULL/CLMUL. Constant-time by default.
• Chiplet architecture — Independent AIR tables (Keccak, AES, RAM, NTT, ML-KEM, ML-DSA) with their own traces and commitments. Linked by LogUp bus. No column waste, no forced padding.
• Virtual packing — Keccak stores 1600 bits in 25 physical B64 columns instead of 1600 bit columns. 16x memory savings.
• Linear-code commitments — Brakedown PCS: O(N) prover, O(N) memory. No FFT blowup. Merkle tree over encoded columns only — raw trace never hashed (true ZK).
• Post-quantum crypto suite — ML-DSA (Dilithium) signature verification, ML-KEM (Kyber) decapsulation, AES-128/256, all proven natively in binary fields without bit-decomposition overhead.

Hardware

Status

Verifier, core SDK, and chiplets are being open-sourced. Prover and recursive engine remain closed-source, licensed as proprietary binaries.