Crate winter_fri

This crate contains an implementation of the FRI protocol used by the Winterfell STARK prover and verifier.

FRI stands for Fast Reed-Solomon Interactive Oracle Proof of Proximity, and is used in the STARK protocol for low-degree testing. Specifically, given a commitment to a set of evaluations of some function over domain D, the verifier can be convinced that the function is a polynomial of degree at most d, by making a small number of queries to the commitment.

Proof generation

FRI proofs are generated by a FriProver in two steps:

1. First, the commit phase of the protocol is executed via build_layers() function. During this phase, the degree of the polynomial is repeatedly reduced by applying a degree-respecting projection, until the size of the domain over which the polynomial is evaluated falls under max_remainder_size parameter. While performing the reduction, the prover writes a set of layer commitments into the ProverChannel. These commitments should be recorded and sent to the verifier as they will be needed during the proof verification procedure.
2. Then, the query phase of the protocol is executed via build_proof() function. The output of this function is an instance of the FriProof struct. When FRI is executed as a part of the STARK protocol, FRI proof is included into a STARK proof.

When the crate is compiled with concurrent feature enabled, proof generation will be performed in multiple threads (usually, as many threads as there are logical cores on the machine). The number of threads can be configured via RAYON_NUM_THREADS environment variable.

Proof verification

FRI proofs are verified by a FriVerifier as follows:

1. First, a FRI proof needs to be converted into a VerifierChannel. This crate provides a default implementation of the verifier channel, but when FRI proof verification is executed as a part of the larger STARK protocol, STARK verifier handles this conversion.
2. Then, a FriVerifier should be instantiated (via new() function). This will execute the commit phase of the FRI protocol from the verifier’s perspective - i.e., the verifier will read FRI layer commitments from the channel, and generates random values needed for layer folding.
3. Finally, the query phase of the FRI protocol should be executed via verify() function. Note that query values at the first FRI layer are provided to the verify() function directly. The values at remaining layers, the verifier reads from the specified verifier channel.

Protocol parameters

The current implementation supports executing FRI protocol with dynamically configurable parameters including:

• Base STARK field,
• Extension field,
• Domain blowup factor,
• Hash function (used for Merkle tree commitments),
• Folding factor (used for degree reduction for each FRI layer),
• Maximum size of the last FRI layer.

References

• StarkWare’s blog post on Low Degree Testing
• Fast Reed-Solomon Interactive Oracle Proofs of Proximity
• DEEP-FRI: Sampling Outside the Box Improves Soundness
• Swastik Kooparty’s talk on DEEP-FRI

Modules

folding

Contains functions for folding FRI layers.

utils

Structs

DefaultProverChannel

Provides a default implementation of the ProverChannel trait.

DefaultVerifierChannel

Provides a default implementation of the VerifierChannel trait.

FriOptions

FRI protocol config options for proof generation and verification.

FriProof

A proof generated by a FRI prover.

FriProver

Implements the prover component of the FRI protocol.

FriVerifier

Implements the verifier component of the FRI protocol.

Enums

VerifierError

Defines errors which can occur during FRI proof verification.

Traits

ProverChannel

Defines an interface for a channel over which a prover communicates with a verifier.

VerifierChannel

Defines an interface for a channel over which a verifier communicates with a prover.