In the ZKP community, it has long been discussed that the SumCheck protocol is asymptotically more efficient than the Number Theoretic Transform (NTT), requiring only $O(N)$ arithmetic versus $O(N \log N)$. At the same time, hardware accelerator designers propose that NTT is more hardware-friendly, benefiting from locality and data reuse, while SumCheck suffers from sequential, dependent rounds. Despite these competing intuitions, the hardware-system-level trade-offs between NTT- and SumCheck-based proving primitives remain insufficiently understood. Beyond individual accelerator design, this work presents, to our knowledge, the first hardware-system-level direct comparison of NTT- and SumCheck-based proving primitives under a unified architectural framework. We study them in the context of the ZeroCheck protocol, a common building block in zkSNARKs. We implement optimized systems for both primitives. Both are evaluated under the same level on-chip SRAM and off-chip bandwidth budgets. Our results show that there is no universal winner. Generally, SumCheck outperforms NTT for high-degree polynomials. For low-degree polynomials, performance depends on memory availability: under given SRAM budgets, NTT might deliver better performance for medium-sized workloads by exploiting data reuse. These findings, bridging cryptographic protocol design and hardware architecture, offer practical guidance for understanding the proving cost of NTT- and SumCheck-based zero-knowledge proof systems.

翻译：在零知识证明（ZKP）社区中，长期以来一直讨论SumCheck协议在渐近意义上比数论变换（NTT）更高效——只需$O(N)$次算术运算，而NTT需要$O(N \log N)$次。与此同时，硬件加速器设计者提出NTT更适用于硬件，因其受益于局部性和数据重用，而SumCheck则受限于顺序相关的轮次。尽管存在这些相互竞争的直觉，但基于NTT和SumCheck的证明原语在硬件系统层面的权衡仍未被充分理解。超越单个加速器设计，本工作提出了——据我们所知——首个在统一架构框架下对基于NTT和SumCheck的证明原语进行硬件系统级直接比较的研究。我们在zkSNARKs的通用构建模块ZeroCheck协议背景下对其进行研究。我们为两种原语实现了优化系统，并在相同的片上SRAM和片外带宽预算下进行评估。结果表明，不存在普遍胜者。通常，对于高次多项式，SumCheck优于NTT；对于低次多项式，性能取决于内存可用性：在给定SRAM预算下，NTT可能通过利用数据重用为中等规模工作负载提供更优性能。这些发现桥接了密码协议设计与硬件架构，为理解基于NTT和SumCheck的零知识证明系统的证明成本提供了实用指导。