23 unstable releases (10 breaking)
0.11.0 | Nov 24, 2024 |
---|---|
0.10.1 | Oct 30, 2024 |
0.9.0 | May 9, 2024 |
0.8.3 | Mar 15, 2024 |
0.2.0 | Aug 24, 2021 |
#1483 in Cryptography
6,641 downloads per month
Used in 34 crates
(7 directly)
640KB
11K
SLoC
Winter FRI
This crate contains an implementation of FRI prover and verifier used by the Winterfell STARK prover and verifier.
FRI stands for Fast Reed-Solomon Interactive Oracle Proof of Proximity, and is used in the STARK protocol for low-degree testing. Specifically, given a commitment to a set of evaluations of some function over domain D, the verifier can be convinced that the function is a polynomial of degree at most d, by making a small number of queries to the commitment.
Prover
FRI proofs are generated by a FRI prover in two steps:
- First, the commit phase of the protocol is executed via
build_layers()
function. During this phase, the degree of the polynomial is repeatedly reduced by applying a degree-respecting projection, until the size of the domain over which the polynomial is evaluated falls undermax_remainder_size
parameter. While performing the reduction, the prover writes a set of layer commitments into theProverChannel
. These commitments should be recorded and sent to the verifier as they will be needed during the proof verification procedure. - Then, the query phase of the protocol is executed via
build_proof()
function. The output of this function is an instance of theFriProof
struct. When FRI is executed as a part of the STARK protocol, FRI proof is included into a STARK proof.
Verifier
FRI proofs are verified by a FriVerifier as follows:
- First, a FRI proof needs to be converted into a
VerifierChannel
. This crate provides a default implementation of the verifier channel, but when FRI proof verification is executed as a part of the larger STARK protocol, STARK verifier handles this conversion. - Then, a
FriVerifier
should be instantiated (vianew()
function). This will execute the commit phase of the FRI protocol from the verifier's perspective - i.e., the verifier will read FRI layer commitments from the channel, and generates random values needed for layer folding. - Finally, the query phase of the FRI protocol should be executed via
verify()
function. Note that query values at the first FRI layer are provided to theverify()
function directly. The values at remaining layers, the verifier reads from the specified verifier channel.
Protocol parameters
This crates supports executing FRI protocol with dynamically configurable parameters including:
- Base STARK field,
- Extension field,
- Domain blowup factor,
- Hash function (used for Merkle tree commitments),
- Folding factor (used for degree reduction for each FRI layer),
- Maximum size of the last FRI layer.
Crate features
This crate can be compiled with the following features:
std
- enabled by default and relies on the Rust standard library.concurrent
- impliesstd
and also enables multi-threaded proof generation.no_std
- does not rely on the Rust standard library and enables compilation to WebAssembly.
To compile with no_std
, disable default features via --no-default-features
flag.
Concurrent execution
When this crate is compiled with concurrent
feature enabled, FriProver
will build FRI layers using multiple threads. The number of threads can be configured via RAYON_NUM_THREADS
environment variable, and usually defaults to the number of logical cores on the machine.
References
- StarkWare's blog post on Low Degree Testing
- Fast Reed-Solomon Interactive Oracle Proofs of Proximity
- DEEP-FRI: Sampling Outside the Box Improves Soundness
- Swastik Kooparty's talk on DEEP-FRI
License
This project is MIT licensed.
Dependencies
~3MB
~59K SLoC