a stark verifer is created, which is defined on proof.py
DecommitmentData defines decommit record.
class DecommitmentData:
def __init__(self, index, value, authentication_path, merkle_root):
self.index = index
self.value = value
self.authentication_path = authentication_path
self.merkle_root = merkle_root
Proof collects x, g*x, g^2 * x, cp layers proof, trace_domain, lde_domain. verify() will check
- all merkle proofs
- check same LDE root and final values
- check cp0(x), f(x), f(gx), f(g^2x) relationship
- check cpi(x), cpi(-x), cp{i+1}(x^2) relationships
- check sibling cps have same merkle root, lde_domain[idx]^2 == lde_domain[sibling_idx]^2
class Proof:
x_proof: DecommitmentData
gx_proof : DecommitmentData
g2x_proof : DecommitmentData
cp_proof : list[DecommitmentData]
final_values: list[FieldElement]
trace_domain: list[FieldElement]
lde_domain: list[FieldElement]
run the following commands to check
python3 fibonacci_square.py
python3 fibonacci_square_claimed_degree_less_than_512.py
python3 fibonacci_square_change_1_trace_value.py
python3 fibonacci_square_change_1_lde_value.py
Issue in original stark101
-
in Stark101-part2.ipynb, an uninitalized channel is used, whjch result alpha0=0 in get_CP() function,
def get_CP(channel): alpha0 = channel.receive_random_field_element() alpha1 = channel.receive_random_field_element() alpha2 = channel.receive_random_field_element() return alpha0*p0 + alpha1*p1 + alpha2*p2
test_channel = Channel() #uninitalized channel CP_test = get_CP(test_channel) assert CP_test.degree() == 1023, f'The degree of cp is {CP_test.degree()} when it should be 1023.' assert CP_test(2439804) == 838767343, f'cp(2439804) = {CP_test(2439804)}, when it should be 838767343' print('Success!')
beside that, in turorial_seesions.py channel is initialied corrrect
def part1(): ... ... ch = Channel() ch.send(mt.root) #channel initialied corrrect return t, g, points, h_gen, h, domain, p, ev, mt, ch
-
p2's denominator in Stark101-part2.ipynb is different from that in turorial_seesions.py
denom2 = (X**1024 - 1) / ((X - g**1021) * (X - g**1022) * (X - g**1023)) # x^1024 -1
in turorial_seesions.py
def part2(): ... ... coef = [FieldElement(1)] + [FieldElement(0)] * 1023 + [FieldElement(-1)] # 1-x^1024 ... ... return cp, cp_ev, cp_mt, ch, domain
The above issuses cause part3's test fail(starkware-industries#8), in this repo the second issue is fixed.
A tutorial for a basic STARK (Scalable Transparent ARgument of Knowledge) protocol to prove the calculation of a Fibonacci-Square sequence, as designed for StarkWare Sessions, and authored by the StarkWare team.
Note that it was written assuming that the user has reviewed and understood the presentations at the beginning of each part.
This tutorial has a series of videos available here to review. Slides and links (to this repositories' content) are also included.
- Install Jupyter lab
cd tutorial
jupyter lab NotebookTutorial.ipynb
During the tutorial you’ll generate a STARK proof for the 1023rd element of the FibonacciSq sequence over a finite field. In this section, we explain what this last sentence means.
In the tutorial we will work with a finite field of prime size. This means we take a prime number p, and then work with integers in the domain {0, 1, 2, …, p – 1}. The idea is that we can treat this set of integers in the same way we treat real numbers: we can add them (but we need to take the result modulo p, so that it will fall back in the set), subtract them, multiply them and divide them. You can even define polynomials such as f ( x ) = a+ bx2 where the coefficients a,b and the input x are all numbers in this finite set. Since the addition and multiplication are done modulo p, the output _f _ ( x ) will also be in the finite set. One interesting thing to note about finite fields, which is different from real numbers, is that there is always an element, g, called the generator (in fact there is more than one), for which the sequence 1, g, g2, g3, g4, ... , gp-2 (whose length is p - 1 ) covers all the numbers in the set but 0 (modulo p, of course). Such a geometric sequence is called a cyclic group. We will supply you with python classes that implement these things so you don’t have to be familiar with how these are implemented (though the algorithm for division in a finite field is not that trivial).
For the tutorial we define a sequence that resembles the well known Fibonacci sequence. In this sequence any element is the sum of squares of the two previous elements. Thus the first elements are:
1, 1, 2, 5, 29, 866, ...
All the elements of the sequence will be from the finite field (which means that both squaring and addition is computed modulo p).
We will create a proof for the claim “The 1023rd element of the FibonacciSq sequence is …”. By “proof” we don’t mean a mathematical proof with logical deductions. Instead, we mean some data which can convince whomever reads it that the claim is correct. To make it more formal we define two entities: Prover and Verifier. The Prover generates this data (the proof). The Verifier gets this data and checks for its validity. The requirement is that if the claim is false, the Prover will not be able to generate a valid proof (even if it deviates from the protocol).
STARK is a specific protocol which describes the structure of such proof and defines what the Prover and Verifier have to do.
We recommend you take a look at our STARK math blog posts (Arithmetization I & II specifically). You don’t need to read them thoroughly before running through the tutorial, but it can give you better context on what things you can create proofs for, and what a STARK proof looks like. You should definitely give them a read after you have completed this tutorial in full.
For every two polynomials f ( x ) and g ( x ), there exist two polynomials q ( x ) and r ( x) called the quotient and remainder of the division f ( x ) by g ( x ). They satisfy f ( x ) = g ( x ) * q ( x ) + r ( x ) and the degree of r ( x ) is smaller than the degree of g ( x ).
For example, if f ( x ) = x3 + x + 1 and g ( x ) = x2 + 1 then q ( x ) = x and r ( x ) = 1. Indeed, x3 + x + 1 = ( x2 + 1 ) * x + 1.
When a polynomial satisfies f (a) = 0 for some specific value a (we say that a is a root of f ), we don’t have remainder (r ( x ) = 0) when dividing it by (x - a) so we can write f ( x ) = (x - a) * q ( x ), and deg( q ) = deg( f ) - 1. A similar fact is true for k roots. Namely, if ai is a root of f for all i = 1, 2, …, k, then there exists a polynomial q of degree deg(f) - k for which f ( x ) = ( x - a1 )( x - a2 ) … ( x - ak ) * q ( x ) .
-
Nigel Smart’s “Cryptography Made Simple” – Chapter 1.1: Modular Arithmetic.
-
Arora and Barak’s “Computational Complexity: A Modern Approach” – Appendix: Mathematical Background, sections A.4 (Finite fields and Groups) and A.6 (Polynomials).