Struct winter_verifier::ProofOptions

source · [−]

pub struct ProofOptions { /* private fields */ }

Expand description

STARK protocol parameters.

These parameters have a direct impact on proof soundness, proof generation time, and proof size. Specifically:

Hash function - proof soundness is limited by the collision resistance of the hash function used by the protocol. For example, if a hash function with 128-bit collision resistance is used, soundness of a STARK proof cannot exceed 128 bits.
Finite field - proof soundness depends on the size of finite field used by the protocol. This means, that for small fields (e.g. smaller than ~128 bits), field extensions must be used to achieve adequate security. And even for ~128 bit fields, to achieve security over 100 bits, a field extension may be required.
Number of queries - higher values increase proof soundness, but also increase proof size.
Blowup factor - higher values increase proof soundness, but also increase proof generation time and proof size. However, higher blowup factors require fewer queries for the same security level. Thus, it is frequently possible to increase blowup factor and at the same time decrease the number of queries in such a way that the proofs become smaller.
Grinding factor - higher values increase proof soundness, but also may increase proof generation time. More precisely, proof soundness is bounded by num_queries * log2(blowup_factor) + grinding_factor.

Implementations

source

impl ProofOptions

source

pub const MIN_BLOWUP_FACTOR: usize = 2usize

Smallest allowed blowup factor which is currently set to 2.

The smallest allowed blowup factor for a given computation is derived from degrees of constraints defined for that computation and may be greater than 2. But no computation may have a blowup factor smaller than 2.

source

pub fn new(
    num_queries: usize,
    blowup_factor: usize,
    grinding_factor: u32,
    hash_fn: HashFunction,
    field_extension: FieldExtension,
    fri_folding_factor: usize,
    fri_max_remainder_size: usize
) -> ProofOptions

Returns a new instance of ProofOptions struct constructed from the specified parameters.

Panics

Panics if:

num_queries is zero or greater than 128.
blowup_factor is smaller than 4, greater than 256, or is not a power of two.
grinding_factor is greater than 32.
fri_folding_factor is not 4, 8, or 16.
fri_max_remainder_size is smaller than 32, greater than 1024, or is not a power of two.

source

pub fn num_queries(&self) -> usize

Returns number of queries for a STARK proof.

This directly impacts proof soundness as each additional query adds roughly log2(blowup_factor) bits of security to a proof. However, each additional query also increases proof size.

source

pub fn blowup_factor(&self) -> usize

Returns trace blowup factor for a STARK proof.

This is the factor by which the execution trace is extended during low-degree extension. It has a direct impact on proof soundness as each query adds roughly log2(blowup_factor) bits of security to a proof. However, higher blowup factors also increases prover runtime, and may increase proof size.

source

pub fn grinding_factor(&self) -> u32

Returns query seed grinding factor for a STARK proof.

Grinding applies Proof-of-Work/ to the query position seed. An honest prover needs to perform this work only once, while a dishonest prover will need to perform it every time they try to change a commitment. Thus, higher grinding factor makes it more difficult to forge a STARK proof. However, setting grinding factor too high (e.g. higher than 20) will adversely affect prover time.

source

pub fn hash_fn(&self) -> HashFunction

Returns a hash functions to be used during STARK proof construction.

Security of a STARK proof is bounded by collision resistance of the hash function used during proof construction. For example, if collision resistance of a hash function is 128 bits, then soundness of a proof generated using this hash function cannot exceed 128 bits.

source

pub fn field_extension(&self) -> FieldExtension

Specifies whether composition polynomial should be constructed in an extension field of STARK protocol.

Using a field extension increases maximum security level of a proof, but also has non-negligible impact on prover performance.

source

pub fn domain_offset(&self) -> B where
B: StarkField,

Returns the offset by which the low-degree extension domain is shifted in relation to the trace domain.

Currently, this is hard-coded to the primitive element of the underlying base field.

source

pub fn to_fri_options(&self) -> FriOptions

Returns options for FRI protocol instantiated with parameters from this proof options.

Trait Implementations

source

impl Clone for ProofOptions

source

fn clone(&self) -> ProofOptions

Returns a copy of the value. Read more

1.0.0 · source

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more

source

impl Debug for ProofOptions

source

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter. Read more

source

impl Deserializable for ProofOptions

source

fn read_from<R>(source: &mut R) -> Result<ProofOptions, DeserializationError> where
R: ByteReader,

Reads proof options from the specified source and returns the result.

Errors

Returns an error of a valid proof options could not be read from the specified source.

source

fn read_batch_from<R>(
 source: &mut R,
 num_elements: usize
) -> Result<Vec<Self, Global>, DeserializationError> where
 R: ByteReader,

Reads a sequence of bytes from the provided source, attempts to deserialize these bytes into a vector with the specified number of Self elements, and returns the result. Read more

source