Struct winter_verifier::ProofOptions

source · 
pub struct ProofOptions { /* private fields */ }
Expand description

STARK protocol parameters.

These parameters have a direct impact on proof soundness, proof generation time, and proof size. Specifically:

  1. Hash function - proof soundness is limited by the collision resistance of the hash function used by the protocol. For example, if a hash function with 128-bit collision resistance is used, soundness of a STARK proof cannot exceed 128 bits.
  2. Finite field - proof soundness depends on the size of finite field used by the protocol. This means, that for small fields (e.g. smaller than ~128 bits), field extensions must be used to achieve adequate security. And even for ~128 bit fields, to achieve security over 100 bits, a field extension may be required.
  3. Number of queries - higher values increase proof soundness, but also increase proof size.
  4. Blowup factor - higher values increase proof soundness, but also increase proof generation time and proof size. However, higher blowup factors require fewer queries for the same security level. Thus, it is frequently possible to increase blowup factor and at the same time decrease the number of queries in such a way that the proofs become smaller.
  5. Grinding factor - higher values increase proof soundness, but also may increase proof generation time. More precisely, proof soundness is bounded by num_queries * log2(blowup_factor) + grinding_factor.

Implementations

Smallest allowed blowup factor which is currently set to 2.

The smallest allowed blowup factor for a given computation is derived from degrees of constraints defined for that computation and may be greater than 2. But no computation may have a blowup factor smaller than 2.

Returns a new instance of ProofOptions struct constructed from the specified parameters.

Panics

Panics if:

  • num_queries is zero or greater than 128.
  • blowup_factor is smaller than 4, greater than 256, or is not a power of two.
  • grinding_factor is greater than 32.
  • fri_folding_factor is not 4, 8, or 16.
  • fri_max_remainder_size is smaller than 32, greater than 1024, or is not a power of two.

Returns number of queries for a STARK proof.

This directly impacts proof soundness as each additional query adds roughly log2(blowup_factor) bits of security to a proof. However, each additional query also increases proof size.

Returns trace blowup factor for a STARK proof.

This is the factor by which the execution trace is extended during low-degree extension. It has a direct impact on proof soundness as each query adds roughly log2(blowup_factor) bits of security to a proof. However, higher blowup factors also increases prover runtime, and may increase proof size.

Returns query seed grinding factor for a STARK proof.

Grinding applies Proof-of-Work/ to the query position seed. An honest prover needs to perform this work only once, while a dishonest prover will need to perform it every time they try to change a commitment. Thus, higher grinding factor makes it more difficult to forge a STARK proof. However, setting grinding factor too high (e.g. higher than 20) will adversely affect prover time.

Returns a hash functions to be used during STARK proof construction.

Security of a STARK proof is bounded by collision resistance of the hash function used during proof construction. For example, if collision resistance of a hash function is 128 bits, then soundness of a proof generated using this hash function cannot exceed 128 bits.

Specifies whether composition polynomial should be constructed in an extension field of STARK protocol.

Using a field extension increases maximum security level of a proof, but also has non-negligible impact on prover performance.

Returns the offset by which the low-degree extension domain is shifted in relation to the trace domain.

Currently, this is hard-coded to the primitive element of the underlying base field.

Returns options for FRI protocol instantiated with parameters from this proof options.

Trait Implementations

Returns a copy of the value. Read more
Performs copy-assignment from source. Read more
Formats the value using the given formatter. Read more

Reads proof options from the specified source and returns the result.

Errors

Returns an error of a valid proof options could not be read from the specified source.

Reads a sequence of bytes from the provided source, attempts to deserialize these bytes into a vector with the specified number of Self elements, and returns the result. Read more
This method tests for self and other values to be equal, and is used by ==. Read more
This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason. Read more

Serializes self and writes the resulting bytes into the target.

Serializes self into a vector of bytes.
Serializes all elements of the source and writes these bytes into the target. Read more
Returns an estimate of how many bytes are needed to represent self. Read more

Auto Trait Implementations

Blanket Implementations

Gets the TypeId of self. Read more
Immutably borrows from an owned value. Read more
Mutably borrows from an owned value. Read more

Returns the argument unchanged.

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Should always be Self
The resulting type after obtaining ownership.
Creates owned data from borrowed data, usually by cloning. Read more
Uses borrowed data to replace owned data, usually by cloning. Read more
The type returned in the event of a conversion error.
Performs the conversion.
The type returned in the event of a conversion error.
Performs the conversion.