Last month, Irredudible, the company founded to use field programmable gate array chips (FPGAs) to accelerate zero-knowledge proofs (ZKPs) shut down. This came only a couple months after they announced a pivot away from FPGAs and into high-performance software implementations of ZKPs.

This surprised a lot of people in the industry. The conventional wisdom was that zero-knowledge proofs deserve custom hardware, just like AI workloads do. Both AI and ZKPs require computers to perform a lot of complex heavy-duty computations, but the result of all those computations should be valuable enough to make custom hardware worthwhile. In the case of AI, that result is a computer you can talk to. In the case of zero-knowledge proofs, it’s a mathematical way to guarantee you did a computation, without actually revealing the results.

This has a ton of valuable use cases. You can, for example, use a ZKP to prove that an AI model was trained with a specific approved dataset, without any adversarial examples secretly baked in. But by far, the largest use-case for ZKPs is in cryptocurrency. Zcash uses ZKPs to create a fully anonymous blockchain. Zero-knowledge rollups can improve the efficiency of blockchains by doing some computation off-chain, and only storing the proofs on-chain.

However, in the past year or so, we’ve been seeing the companies working on custom ZKP hardware struggle. Ignoyama started focusing purely on software, rather than FPGA hardware, and their core libraries started to hedge into high-performance implementations of post-quantum cryptography algorithms, rather than focusing purely on ZKPs. Fabric Cryptography’s ZKP chip still hasn’t hit the market after multiple years of promises. Irreducible shut down.

So clearly, AI workloads and ZKPs aren’t the same. AI chip companies are succeeding, while ZKP hardware companies are struggling. What are the key differences?

ZKPs are much more diverse

Most AI workloads are fairly similar. They consist of a lot of floating point matrix multiplications, and then a smaller amount of nonlinear activation functions. Some workloads might need 32-bit floating point numbers, while some might only need 8-bit floating point numbers, and some workloads may require specific nonlinearities that are difficult to implement efficiently — but for the most part, most AI workloads don’t look wildly different from one another.

Different ZKP algorithms, on the other hand, can be extremely different from one another. Some ZKPs, like Binius, operate on binary tower fields using bitwise operations. Plonky2 requires number-theoretic transforms, which require significant memory bandwidth. Groth16 requires less memory bandwidth, but operates on 381-bit integers. And other ZKP schemes like Halo2 and Bulletproofs have their own computational bottlenecks.

If you’re building hardware, this is a huge problem. For example, Fabric Cryptography’s VPU features 384-bit ALUs, which will be totally underutilized when running the bit-sliced operations required by Binius. And importantly, ZKPs aren’t standardized the way that conventional cryptography algorithms are. This put Irreducible in a tough spot. They could spend their time developing the best hardware in the world for one specific ZKP, but if a new ZKP suddenly becomes popular, they have to go back to the drawing board.

This is part of why Irreducible tried to advocate for Binius as a proving scheme. If they encouraged everybody to stop trying out new ZKPs and pick one algorithm that was well-suited to Irreducible’s hardware, that could solve the problem of needing to constantly support new algorithms. But there are already so many different L2 rollups and privacy-focused blockchains that already have non-Binius ZKPs baked into their protocols. By the time Irreducible shut down, there were no publicly deployed, production L2 rollups or privacy chains that used Binius.

Notably, conventional cryptographic hardware accelerators don’t have this problem, because conventional cryptography is standardized. Most cryptographic accelerators only accelerate a single algorithm; Rambus sells a separate SHA-2, SHA3, and AES engine! In the world of conventional cryptography, flexibility and cryptographic agility is a value-add; only the best solutions on the market, like BTQ’s QCIM, offer support for multiple algorithms, and inferior inflexible solutions still maintain substantial market share. In the world of ZKPs, though, support for multiple wildly different algorithms is a baseline requirement that companies like Irreducible and Fabric failed to meet.

But that’s still only half the answer. It’s extremely difficult, but it’s definitely possible to build flexible cryptographic hardware. It’s possible to partner with specific L2s to get them to use your specific ZKP algorithm. And yet Irreducible still failed. Why?

The ZKP market is much smaller than the AI market

It’s obvious that the generative AI market is huge, even if a significant portion of that market is cheating on high school essays and generating slop. The same simply isn’t true of zero-knowledge proofs

Zcash may have a $7B market cap, but the vast majority of Zcash transactions don’t even use the private zero-knowledge proof transaction features. Scroll, one of the largest ZK-rollups, has a total value locked that fluctuates between $100M and $1B. That’s the same size as a large seed round for an AI startup.

Ultimately, most cryptocurrency users don’t care much about the privacy features ZKPs offer. As the cryptocurrency industry has evolved, it’s become less focused cryptocurrency as a means of exchange, and more on cryptocurrency as an investment. And as large institutions invest in cryptocurrency, this only becomes more true.

Now, this isn’t necessarily a bad thing! More institutional investment activity could reduce volatility and help make cryptocurrency into a reliable part of a complete investment portfolio. But zero-knowledge proofs aren’t a key technology to enable that. The key features that ZKPs enable are private transactions and more efficient rollups with significantly lower transaction fees. These are valuable in the use-cases where cryptocurrency is transacted as a means of exchange, not used as an investment.

Again, this isn’t something that’s true of conventional cryptography hardware. There are over 50 billion secure elements in the world, and that doesn’t include the cryptographic hardware accelerators inside of nearly every laptop, desktop, and smartphone SoC on the planet. Cryptography is necessary to guarantee basic privacy and security, so secure cryptography hardware is a requirement to comply with nearly every privacy-related regulation from any government in the world, creating massive demand.

Ironically, it’s the decentralized nature of cryptocurrency that reduces the demand for ZKP hardware. Investors care much more about cryptocurrency as an investment, rather than its ability to enable efficient or private transactions. And because there’s no central authority to enforce privacy regulations, ZKPs fall by the wayside. It’s unfortunate, because Irreducible’s technology was great… the crypto community just didn’t really want it.