About

Benedikt Bünz is an Assistant Professor of Computer Science at NYU Courant and the cofounder and chief scientist of Espresso Systems. His research focuses on applied cryptography, consensus, and game theory, particularly in relation to cryptocurrencies. He aims to enhance the privacy, usability, and security of blockchain protocols by applying novel theoretical insights with real-world applications. His main research interests lie in the science of blockchains, utilizing tools from applied cryptography, game theory, and consensus mechanisms. Bünz is actively involved in teaching, including a course on the cryptography of blockchains at NYU. His work includes significant contributions to zero-knowledge proof systems, verifiable delay functions, and scalable proof systems, which have been deployed in various blockchain systems such as Monero, Mobilecoin, Chia, Filecoin, and Ethereum 2.0. Through his research, he addresses critical challenges in blockchain technology, including privacy, scalability, and ecological impact.

Research topics

• Computer Science
• Computer Security
• Discrete mathematics
• Mathematics
• Database
• Programming language
• Theoretical computer science
• World Wide Web
• Operating system
• Algorithm

Selected publications

• zkPHIRE: A Programmable Accelerator for ZKPs over HIgh-degRee, Expressive Gates

  2026-01-31

  article

  Zero-Knowledge Proofs (ZKPs) have emerged as a powerful tool for secure and privacy-preserving computation. ZKPs enable one party to convince another of a statement's validity without revealing anything else. This capability has profound implications in many domains, including: machine learning, blockchain, image authentication, and electronic voting. Despite their potential, ZKPs have seen limited deployment because of their exceptionally high computational overhead, which manifests primarily during proof generation. To mitigate these overheads, a (growing) body of researchers have proposed hardware accelerators and GPU implementations of kernels and complete protocols. Prior art spans a wide variety of ZKP schemes that vary significantly in computational overhead, proof size, verifier cost, protocol setup, and trust. The latest, and widely used ZKP protocols are intentionally designed to balance these trade-offs. A particular challenge in modern ZKP systems is supporting complex, high-degree gates using the SumCheck protocol. We address this challenge with a novel programmable accelerator to efficiently handle arbitrary custom gates via SumCheck. Our accelerator achieves upwards of <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$1000 \times$</tex> geomean speedup over CPU-based SumChecks across a range of gate types. We include this unit in zkPHIRE, a programmable, full-system accelerator that accelerates the HyperPlonk protocol. zkPHIRE achieves <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$1486 \times$</tex> geomean speedup over CPU and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$11.87 \times$</tex> geomean speedup over the state-of-the-art at iso-area. Together, these results demonstrate compelling performance while scaling to large problem sizes (upwards of 2<sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">30</sup> constraints) and maintaining small proof sizes (<tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$4-5$</tex> KB).

  PublisherDOI

• Linear-Time Accumulation Schemes

  Lecture notes in computer science · 2025-12-01 · 2 citations

  book-chapterOpen access1st authorCorresponding
  PublisherOA PDFDOI

• Context-Dependent Threshold Decryption and Its Applications

  Lecture notes in computer science · 2025-12-06 · 1 citations

  book-chapterOpen access
  PublisherOA PDFDOI

• Verifiable Delay Function

  2025-01-01 · 1 citations

  book-chapter1st authorCorresponding
  PublisherDOI

• KZH-Fold: Accountable Voting from Sublinear Accumulation

  2025-11-19 · 1 citations

  articleSenior author

  Accumulation schemes are powerful primitives that enable distributed and incremental verifiable computation with less overhead than recursive SNARKs. However, existing schemes with constant-size accumulation verifiers, suffer from linear-sized accumulators and deciders, leading to linear-sized proofs that are unsuitable in distributed settings. Motivated by the need for bandwidth efficient accountable voting protocols, (I) We introduce KZH, a novel polynomial commitment scheme, and (II) KZH-fold, the first sublinear accumulation scheme with a constant-size verifier (3 group scalar multiplications) and O(n1/2 ) accumulator size and decider time. Our scheme generalizes to achieve accumulator and decider complexity of k • n1/k with a verifier of size k. Using the BCLMS compiler, (III) we build the first IVC/PCD scheme with sublinear proof and decider. (IV) Next, we propose a new approach to non-uniform IVC, where the cost of proving a step is proportional to the maximum size of all instruction circuits, and unlike previous approaches, the witness size is not linear in the number of instructions. (V) Leveraging these advancements, we demonstrate the power of KZH-fold by implementing an accountable voting scheme using a novel signature aggregation protocol supporting millions of nodes, significantly reducing communication overhead and verifier time compared to BLS-based aggregation. We implemented and benchmarked our protocols, and KZH-fold achieves a 2000x reduction in communication and a 50x improvement in decider time over Nova when proving 2000 Poseidon hashes, at the cost of 3x the prover time.

  PublisherDOI

• Need for zkSpeed: Accelerating HyperPlonk for Zero-Knowledge Proofs

  2025-06-20 · 6 citations

  preprintOpen access

  Zero-Knowledge Proofs (ZKPs) are a rapidly growing technique for privacy-preserving and verifiable computation.ZKPs enable one party (a prover: P) to prove to another (a verifier: V) that a statement is true or correct without revealing any additional information.This powerful capability has led to ZKPs being applied and proposed for application in blockchain technologies, verifiable machine learning, and electronic voting.However, ZKPs have yet to see widespread, ubiquitous adoption due to the exceptionally high computational complexity of the proving process.Naturally, there has been recent work to accelerate ZKP primitives and protocols using GPUs and ASICs.However, the protocols considered so far face one of two challenges: they require a trusted setup for each new application or generate large proofs with high verification costs, limiting their applicability in scenarios with numerous verifiers or strict verification time constraints.HyperPlonk is a state-of-theart ZKP protocol that supports both one-time, universal setup and small proof sizes/verification costs expected by publicly verifiable, consensus-based systems (e.g., blockchain).While HyperPlonk's setup and verifier properties are highly desirable, the proving phase is costly.A HyperPlonk prover must compute on large bitwidths (e.g., 255-381b) and polynomials (e.g., of degree 2 24 ), employs computationally (e.g., MSM) and bandwidth (e.g., SumCheck) intensive kernels, and the complete protocol comprises many steps, each constituting distinct kernels.We present an accelerator, zkSpeed, to

  PublisherOA PDFDOI

• MTU: The Multifunction Tree Unit for Accelerating Zero-Knowledge Proofs

  2025-10-17 · 1 citations

  preprintOpen access

  Zero-Knowledge Proofs (ZKPs) are critical for privacy-preserving techniques and verifiable computation. Many ZKP protocols rely on key kernels such as the SumCheck protocol and Merkle Tree commitments to enable their key security properties. These kernels exhibit balanced binary tree computational patterns, which enable efficient hardware acceleration. Although prior work has investigated accelerating these kernels as part of an overarching ZKP protocol, exploiting this common tree pattern remains relatively underexplored. We conduct a systematic evaluation of these tree-based workloads under different traversal strategies, analyzing performance on multi-threaded CPUs and the Multifunction Tree Unit (MTU) hardware accelerator. We introduce a hardware-friendly Hybrid Traversal for binary tree that improves parallelism and scalability while significantly reducing memory traffic on hardware. Our results show that MTU achieves up to $1478\times$ speedup over CPU at DDR-level bandwidth and that our hybrid traversal outperforms breadth-first search by up to $3\times$. These findings offer practical guidance for designing efficient hardware accelerators for ZKP workloads with binary tree structures.

  PublisherOA PDFDOI

• Good Things Come to Those Who Wait

  Lecture notes in computer science · 2025-01-01 · 2 citations

  book-chapter
  PublisherDOI

• Proofs for Deep Thought: Accumulation for Large Memories and Deterministic Computations

  Lecture notes in computer science · 2024-12-08 · 5 citations

  book-chapter1st authorCorresponding
  PublisherDOI

• A Survey of Two Verifiable Delay Functions Using Proof of Exponentiation

  IACR Communications in Cryptology · 2024-04-09 · 6 citations

  articleOpen access

  A verifiable delay function (VDF) is an important tool used for adding delay in decentralized applications. This paper surveys and compares two beautiful verifiable delay functions, one due to Pietrzak, and the other due to Wesolowski, In addition, we provide a new computational proof of security for one of them, present an attack on an incorrect implementation of the other, and compare the complexity assumptions needed for both schemes.

  PublisherOA PDFDOI

Frequent coauthors

• Dan Boneh

  Stanford University

  13 shared

• Ben Fisch

  10 shared

• Sven Seuken

  9 shared

• Benjamin Lubin

  Boston University

  9 shared

• Pratyush Mishra

  7 shared

• Alessandro Chiesa

  5 shared

• Joseph Bonneau

  New York University

  5 shared

• Nicholas Spooner

  New York University

  4 shared

Education

• Ph.D., Improving the Privacy, Scalability, and Ecological Impact

  Unknown

Awards & honors

• To appear at Eurocrypt 2025
• Published at ASIACRYPT 2024
• Published at EUROCRYPT 2023
• Published at CCS 2023
• Published at Usenix 2023