Function zkp_stark::prove
pub fn prove(
    constraints: &Constraints,
    trace: &TraceTable
) -> Result<Proof, Error>
Produce a Stark proof.
Input
A ConstraintSystem which captures the claim that is made.
A TraceTable which is the witness to this claim.
A ProofParams object which configures the proof.
Output
A ProverChannel.
Proof construction
A new ProverChannel is initialized with the public input.
Step 1: Low degree extension of the trace table.
The trace table is interpolated to an evaluation domain that is larger by a factor params.blowup. It is also offset by a cofactor (currently fixed to the default generator of the field, 3).
$$ T_{i, j} = P_j(\omega_{\text{trace}}^i) $$
A Merkle tree is constructed over this evaluation domain and committed to the channel.
$$ \text{Leaf}_i = (T_0(x_i), T_1(x_i), \dots ) $$
where $x_i = 3 \cdot \omega_{\mathrm{lde}}^i$.
Step 2: Constraint commitment
For each constraint, two random values $\alpha_i$ and $\beta_i$ are drawn from the channel. The constraints are combined as
$$ C(x) = \sum_i (\alpha_i + \beta_i \cdot x^{d_i}) \cdot C_i(x) $$
where $d_i$ is the adjustment degree,
$$ d_i = \mathrm{target\_degree} - \deg C_i $$
The adjustment degrees are there to make sure that the final polynomial is a sum of all constraint polynomials aligned on the lowest coefficient, and on the highest coefficient. This guarantees that constraint degrees are enforced exactly. (Non-enforcement on the low end would mean a term of negative degree $x^{-1}$ would be accepted.)
The resulting polynomial $C$ is now split into $\mathrm{d}$ polynomials such that
$$ C(x) = A_0(x^{\mathrm{d}}) + x \cdot A_1(x^{\mathrm{d}}) + x^2 \cdot A_2(x^{\mathrm{d}}) + \cdots + x^{\mathrm{d} - 1} \cdot A_{\mathrm{d} - 1}(x^{\mathrm{d}}) $$
where $\deg A_i \leq \text{trace\_length}$.
For a linear constraint system this does nothing and we have $A_0 = C$. For a quadratic constraint system, $A_0$ and $A_1$ contain all the odd and even coefficients of $C$ respectively.
A Merkle tree is constructed over the LDE values of the $A$ polynomials and committed to the channel.
$$ \text{Leaf}_i = (A_0(x_i), A_1(x_i), \dots ) $$
Step 3: Divide out the deep points and combine
A random value $z$ is drawn from the channel.
For each trace polynomial, $T_i(z)$ and $T_i(\omega \cdot z)$ are written to the proof. For each combined constraint polynomial, $A_i(z^{\mathrm{d}})$ is written to the proof.
The points are then divided out of the polynomials, with each trace polynomial being treated twice:
$$ T_i'(x) = \frac{T_i(x) - T_i(z)}{x - z} $$
$$ T_i''(x) = \frac{T_i(x) - T_i(\omega \cdot z)}{x - \omega \cdot z} $$
Similarly for the constraint polynomials:
$$ A_i'(x) = \frac{A_i(x) - A_i(z^{\mathrm{d}})}{x - z^{\mathrm{d}}} $$
For each trace polynomial, two random values $\alpha_i$ and $\beta_i$ are drawn from the channel. For each constraint polynomial, one random value $\gamma_i$ is drawn.
All polynomials are combined into a single final polynomial:
$$ P(x) = \sum_i \left( \alpha_i \cdot T_i'(x) + \beta_i \cdot T_i''(x)\right) + \sum_i \gamma_i \cdot A_i'(x) $$
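The division in Step 3 is exact only when the value written to the proof really is $T_i(z)$; the added example below (not zkp_stark code) shows this with synthetic division. The toy field $\mathbb{F}_{257}$, the sample polynomial and the point `z = 10` are assumptions made for illustration.

```rust
// Added illustration, not zkp_stark code. The toy field F_257 and the sample
// polynomial are assumptions; the crate works over a much larger prime field.
const P: u64 = 257;

/// Evaluate a polynomial (coefficients lowest degree first) by Horner's rule.
fn eval(coeffs: &[u64], x: u64) -> u64 {
    coeffs.iter().rev().fold(0, |acc, &c| (acc * x + c) % P)
}

/// Divide T(x) - claimed by (x - z) with synthetic division.
/// Returns (quotient, remainder), where remainder = T(z) - claimed mod P.
fn deep_quotient(t: &[u64], z: u64, claimed: u64) -> (Vec<u64>, u64) {
    let mut num = t.to_vec();
    num[0] = (num[0] + P - claimed % P) % P;
    let mut quotient = vec![0u64; num.len() - 1];
    let mut carry = 0u64;
    for i in (1..num.len()).rev() {
        carry = (num[i] + carry * z) % P;
        quotient[i - 1] = carry;
    }
    let remainder = (num[0] + carry * z) % P;
    (quotient, remainder)
}

/// True when quotient * (x - z) + claimed reproduces T at every field point.
fn quotient_matches(t: &[u64], q: &[u64], z: u64, claimed: u64) -> bool {
    (0..P).all(|x| (eval(q, x) * ((x + P - z) % P) + claimed) % P == eval(t, x))
}

fn main() {
    let t: [u64; 5] = [5, 0, 7, 1, 3]; // constructed trace polynomial, degree 4
    let z: u64 = 10; // stands in for the random point z drawn from the channel
    let honest = eval(&t, z);
    let (q, r) = deep_quotient(&t, z, honest);
    println!("T(z) = {honest}, remainder = {r}, identity holds: {}",
             quotient_matches(&t, &q, z, honest));
    // A wrong claimed value leaves a nonzero remainder, so
    // (T(x) - claimed) / (x - z) is no longer a polynomial of degree 3.
    let wrong = (honest + 1) % P;
    let (q_bad, r_bad) = deep_quotient(&t, z, wrong);
    println!("wrong value: remainder = {r_bad}, identity holds: {}",
             quotient_matches(&t, &q_bad, z, wrong));
}
```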
Step 4: Create FRI layers
The final polynomial $P$ is evaluated on the LDE domain. A Merkle tree is constructed of these values and committed to the proof.
A random value $\alpha$ is drawn from the channel. Take $P_0$ to be our final polynomial, then
$$ P_{i+1}(x^2) = \left( P_i(x) + P_i(-x) \right) + \frac{\alpha}{x} \left( P_i(x) - P_i(-x) \right) $$
This is the same as taking all the odd coefficients, multiplying them by $\alpha$ and adding them to the even coefficients.
This reduction step can be repeated using $\alpha^2, \alpha^4, \dots$ instead of $\alpha$. Once sufficient reductions are made, a new Merkle tree is constructed and committed to, a new random value $\alpha$ is drawn and the FRI layering process repeats.
The number of reduction steps in between each commitment is specified using the params.fri_layout parameter. The default recommendation is to do three reductions between each layer, as this optimizes proof size.
Once the degree of the polynomial is sufficiently low, it is written to the channel in coefficient form.
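The Step 4 reduction formula checked against its coefficient description, as an added example (not zkp_stark code) over the toy field $\mathbb{F}_{257}$ with constructed coefficients and $\alpha = 42$. As written, the formula yields twice the polynomial obtained by adding $\alpha$ times the odd coefficients to the even ones, so the comparison carries that constant factor 2.

```rust
// Added illustration, not zkp_stark code. The toy field F_257 (where 3 is
// also a generator) and the sample values are assumptions.
const P: u64 = 257;

fn pow(mut base: u64, mut exp: u64) -> u64 {
    let mut acc = 1;
    while exp > 0 {
        if exp & 1 == 1 { acc = acc * base % P; }
        base = base * base % P;
        exp >>= 1;
    }
    acc
}

/// Evaluate a polynomial (coefficients lowest degree first) by Horner's rule.
fn eval(coeffs: &[u64], x: u64) -> u64 {
    coeffs.iter().rev().fold(0, |acc, &c| (acc * x + c) % P)
}

/// Coefficient view: new[k] = even[k] + alpha * odd[k].
fn fold_coeffs(p: &[u64], alpha: u64) -> Vec<u64> {
    p.chunks(2)
        .map(|c| (c[0] + alpha * c.get(1).copied().unwrap_or(0)) % P)
        .collect()
}

/// Evaluation view: the Step 4 formula applied to P_i(x) and P_i(-x).
fn fold_evals(p_x: u64, p_neg_x: u64, x: u64, alpha: u64) -> u64 {
    let inv_x = pow(x, P - 2); // Fermat inverse; x != 0 on the coset
    let sum = (p_x + p_neg_x) % P;
    let diff = (p_x + P - p_neg_x) % P;
    (sum + alpha * inv_x % P * diff) % P
}

/// Compare both views on every point x = 3 * omega^i of an n-point coset.
fn fold_is_consistent(p: &[u64], alpha: u64, n: u64) -> bool {
    let omega = pow(3, (P - 1) / n); // n must be a power of two dividing 256
    let folded = fold_coeffs(p, alpha);
    (0..n).all(|i| {
        let x = 3 * pow(omega, i) % P;
        let from_evals = fold_evals(eval(p, x), eval(p, P - x), x, alpha);
        from_evals == 2 * eval(&folded, x * x % P) % P
    })
}

fn main() {
    let p: [u64; 8] = [1, 2, 3, 4, 5, 6, 7, 8]; // constructed P_0, degree 7
    println!("{:?} {}", fold_coeffs(&p, 42), fold_is_consistent(&p, 42, 16));
}
```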
Step 5: Proof of work
A random challenge is drawn from the channel and a proof of work is solved.
The solution is written to the channel. The difficulty is specified by the params.pow_bits parameter.
Step 6: Decommit queries
Random values $x_i$ from the LDE domain are drawn from the channel to form our queries. The total number of queries is specified by params.queries.
The values are sorted.
The trace polynomial values at the query locations are written to the channel:
$$ T_0(x_0), T_1(x_0), \dots, T_0(x_1), T_1(x_1), \dots $$
A Merkle proof is provided linking these values to the earlier commitment.
Similarly, the combined constraint polynomial values are written to the channel:
$$ A_0(x_0), A_1(x_0), \dots, A_0(x_1), A_1(x_1), \dots $$
And again a Merkle proof is provided linking these values to the earlier commitment.
Then the values of the final polynomial are provided:
$$ P(x_0), P(x_1), \dots $$
The Merkle proof for these values links them to the commitment at the start of the FRI layer.
Now the set of points $x_i$ is squared while maintaining the sorted order. Duplicate points are removed. This is repeated until we reach the reduction for the next FRI commitment.
Values for the next committed FRI layer are provided:
$$ P_i(x_0), P_i(x_1), \dots $$
with Merkle proofs to that layer. This process is repeated for all FRI layer commitments.