17 unstable releases (7 breaking)
|Feb 21, 2024
|Dec 1, 2023
|Oct 23, 2023
|May 26, 2023
|Aug 24, 2021
#723 in Cryptography
8,074 downloads per month
Used in 13 crates (6 directly)
This crate contains an implementation of FRI prover and verifier used by the Winterfell STARK prover and verifier.
FRI stands for Fast Reed-Solomon Interactive Oracle Proof of Proximity, and is used in the STARK protocol for low-degree testing. Specifically, given a commitment to a set of evaluations of some function over domain D, the verifier can be convinced that the function is a polynomial of degree at most d, by making a small number of queries to the commitment.
FRI proofs are generated by a FRI prover in two steps:
- First, the commit phase of the protocol is executed via
build_layers()function. During this phase, the degree of the polynomial is repeatedly reduced by applying a degree-respecting projection, until the size of the domain over which the polynomial is evaluated falls under
max_remainder_sizeparameter. While performing the reduction, the prover writes a set of layer commitments into the
ProverChannel. These commitments should be recorded and sent to the verifier as they will be needed during the proof verification procedure.
- Then, the query phase of the protocol is executed via
build_proof()function. The output of this function is an instance of the
FriProofstruct. When FRI is executed as a part of the STARK protocol, FRI proof is included into a STARK proof.
FRI proofs are verified by a FriVerifier as follows:
- First, a FRI proof needs to be converted into a
VerifierChannel. This crate provides a default implementation of the verifier channel, but when FRI proof verification is executed as a part of the larger STARK protocol, STARK verifier handles this conversion.
- Then, a
FriVerifiershould be instantiated (via
new()function). This will execute the commit phase of the FRI protocol from the verifier's perspective - i.e., the verifier will read FRI layer commitments from the channel, and generates random values needed for layer folding.
- Finally, the query phase of the FRI protocol should be executed via
verify()function. Note that query values at the first FRI layer are provided to the
verify()function directly. The values at remaining layers, the verifier reads from the specified verifier channel.
This crates supports executing FRI protocol with dynamically configurable parameters including:
- Base STARK field,
- Extension field,
- Domain blowup factor,
- Hash function (used for Merkle tree commitments),
- Folding factor (used for degree reduction for each FRI layer),
- Maximum size of the last FRI layer.
This crate can be compiled with the following features:
std- enabled by default and relies on the Rust standard library.
stdand also enables multi-threaded proof generation.
no_std- does not rely on the Rust standard library and enables compilation to WebAssembly.
To compile with
no_std, disable default features via
When this crate is compiled with
concurrent feature enabled,
FriProver will build FRI layers using multiple threads. The number of threads can be configured via
RAYON_NUM_THREADS environment variable, and usually defaults to the number of logical cores on the machine.
- StarkWare's blog post on Low Degree Testing
- Fast Reed-Solomon Interactive Oracle Proofs of Proximity
- DEEP-FRI: Sampling Outside the Box Improves Soundness
- Swastik Kooparty's talk on DEEP-FRI
This project is MIT licensed.