pub struct ProofOptions { /* private fields */ }Expand description
STARK protocol parameters.
These parameters have a direct impact on proof soundness, proof generation time, and proof size. Specifically:
- Finite field - proof soundness depends on the size of finite field used by the protocol. This means, that for small fields (e.g. smaller than ~128 bits), field extensions must be used to achieve adequate security. And even for ~128 bit fields, to achieve security over 100 bits, a field extension may be required.
- Number of queries - higher values increase proof soundness, but also increase proof size.
- Blowup factor - higher values increase proof soundness, but also increase proof generation time and proof size. However, higher blowup factors require fewer queries for the same security level. Thus, it is frequently possible to increase blowup factor and at the same time decrease the number of queries in such a way that the proofs become smaller.
- Grinding factor - higher values increase proof soundness, but also may increase proof
generation time. More precisely, conjectured proof soundness is bounded by
num_queries * log2(blowup_factor) + grinding_factor. - Batching method for constraint composition polynomial - either independent random values per
constraint are used in the computation of the constraint composition polynomial or powers of
a single random value are used instead. The first type of batching is called
Linearwhile the second is calledAlgebraic. - Batching method for DEEP polynomial - either independent random values per multi-point quotient are used in the computation of the DEEP polynomial or powers of a single random value are used instead.
Another important parameter in defining STARK security level, which is not a part of ProofOptions is the hash function used in the protocol. The soundness of a STARK proof is limited by the collision resistance of the hash function used by the protocol. For example, if a hash function with 128-bit collision resistance is used, soundness of a STARK proof cannot exceed 128 bits.
In addition, partition options (see PartitionOptions) can be provided to split traces during
proving and distribute work across multiple devices. Taking the main segment trace as an
example, the prover will split the main segment trace into num_partitions parts, and then
proceed to hash each part row-wise resulting in num_partitions digests per row of the trace.
Finally, num_partitions digests (per row) are combined into one digest (per row) and at this
point a vector commitment scheme can be called. In the case when num_partitions is equal to
1 (default) the prover will hash each row in one go producing one digest per row of the trace.
Implementations§
Source§impl ProofOptions
impl ProofOptions
Sourcepub const MIN_BLOWUP_FACTOR: usize = 2usize
pub const MIN_BLOWUP_FACTOR: usize = 2usize
Smallest allowed blowup factor which is currently set to 2.
The smallest allowed blowup factor for a given computation is derived from degrees of constraints defined for that computation and may be greater than 2. But no computation may have a blowup factor smaller than 2.
Sourcepub const fn new(
num_queries: usize,
blowup_factor: usize,
grinding_factor: u32,
field_extension: FieldExtension,
fri_folding_factor: usize,
fri_remainder_max_degree: usize,
batching_constraints: BatchingMethod,
batching_deep: BatchingMethod,
) -> ProofOptions
pub const fn new( num_queries: usize, blowup_factor: usize, grinding_factor: u32, field_extension: FieldExtension, fri_folding_factor: usize, fri_remainder_max_degree: usize, batching_constraints: BatchingMethod, batching_deep: BatchingMethod, ) -> ProofOptions
Returns a new instance of ProofOptions struct constructed from the specified parameters.
§Panics
Panics if:
num_queriesis zero or greater than 255.blowup_factoris smaller than 2, greater than 128, or is not a power of two.grinding_factoris greater than 32.fri_folding_factoris not 2, 4, 8, or 16.fri_remainder_max_degreeis greater than 255 or is not a power of two minus 1.
Sourcepub const fn with_partitions(
self,
num_partitions: usize,
hash_rate: usize,
) -> ProofOptions
pub const fn with_partitions( self, num_partitions: usize, hash_rate: usize, ) -> ProofOptions
Updates the provided ProofOptions instance with the specified partition parameters.
§Panics
Panics if:
num_partitionsis zero or greater than 16.hash_rateis zero or greater than 256.
Sourcepub const fn num_queries(&self) -> usize
pub const fn num_queries(&self) -> usize
Returns number of queries for a STARK proof.
This directly impacts proof soundness as each additional query adds roughly
log2(blowup_factor) bits of security to a proof. However, each additional query also
increases proof size.
Sourcepub const fn blowup_factor(&self) -> usize
pub const fn blowup_factor(&self) -> usize
Returns trace blowup factor for a STARK proof.
This is the factor by which the execution trace is extended during low-degree extension. It
has a direct impact on proof soundness as each query adds roughly log2(blowup_factor)
bits of security to a proof. However, higher blowup factors also increases prover runtime,
and may increase proof size.
Sourcepub const fn grinding_factor(&self) -> u32
pub const fn grinding_factor(&self) -> u32
Returns query seed grinding factor for a STARK proof.
Grinding applies Proof-of-Work to the query position seed. An honest prover needs to perform this work only once, while a dishonest prover will need to perform it every time they try to change a commitment. Thus, higher grinding factor makes it more difficult to forge a STARK proof. However, setting grinding factor too high (e.g. higher than 20) will adversely affect prover time.
Sourcepub const fn field_extension(&self) -> FieldExtension
pub const fn field_extension(&self) -> FieldExtension
Specifies whether composition polynomial should be constructed in an extension field of STARK protocol.
Using a field extension increases maximum security level of a proof, but also has non-negligible impact on prover performance.
Sourcepub const fn domain_offset<B>(&self) -> Bwhere
B: StarkField,
pub const fn domain_offset<B>(&self) -> Bwhere
B: StarkField,
Returns the offset by which the low-degree extension domain is shifted in relation to the trace domain.
Currently, this is hard-coded to the primitive element of the underlying base field.
Sourcepub fn to_fri_options(&self) -> FriOptions
pub fn to_fri_options(&self) -> FriOptions
Returns options for FRI protocol instantiated with parameters from this proof options.
Sourcepub fn partition_options(&self) -> PartitionOptions
pub fn partition_options(&self) -> PartitionOptions
Returns the [PartitionOptions] used in this instance of proof options.
Sourcepub fn constraint_batching_method(&self) -> BatchingMethod
pub fn constraint_batching_method(&self) -> BatchingMethod
Returns the [BatchingMethod] defining the method used for batching the constraints during
the computation of the constraint composition polynomial.
Linear batching implies that independently drawn random values per constraint will be used to do the batching, while Algebraic/Horner batching implies that powers of a single random value are used.
Depending on other parameters, Algebraic/Horner batching may lead to a small reduction in the security level of the generated proofs, but avoids extra calls to the random oracle (i.e., hash function).
Sourcepub fn deep_poly_batching_method(&self) -> BatchingMethod
pub fn deep_poly_batching_method(&self) -> BatchingMethod
Returns the [BatchingMethod] defining the method used for batching the multi-point
quotients defining the DEEP polynomial.
Linear batching implies that independently drawn random values per multi-point quotient will be used to do the batching, while Algebraic/Horner batching implies that powers of a single random value are used.
Depending on other parameters, Algebraic/Horner batching may lead to a small reduction in the security level of the generated proofs, but avoids extra calls to the random oracle (i.e., hash function).
Trait Implementations§
Source§impl Clone for ProofOptions
impl Clone for ProofOptions
Source§fn clone(&self) -> ProofOptions
fn clone(&self) -> ProofOptions
1.0.0 · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read moreSource§impl Debug for ProofOptions
impl Debug for ProofOptions
Source§impl Deserializable for ProofOptions
impl Deserializable for ProofOptions
Source§fn read_from<R>(source: &mut R) -> Result<ProofOptions, DeserializationError>where
R: ByteReader,
fn read_from<R>(source: &mut R) -> Result<ProofOptions, DeserializationError>where
R: ByteReader,
Reads proof options from the specified source and returns the result.
§Errors
Returns an error of a valid proof options could not be read from the specified source.
Source§fn read_from_bytes(bytes: &[u8]) -> Result<Self, DeserializationError>
fn read_from_bytes(bytes: &[u8]) -> Result<Self, DeserializationError>
Source§impl PartialEq for ProofOptions
impl PartialEq for ProofOptions
Source§impl Serializable for ProofOptions
impl Serializable for ProofOptions
Source§fn write_into<W>(&self, target: &mut W)where
W: ByteWriter,
fn write_into<W>(&self, target: &mut W)where
W: ByteWriter,
Serializes self and writes the resulting bytes into the target.
Source§fn get_size_hint(&self) -> usize
fn get_size_hint(&self) -> usize
Source§impl<E> ToElements<E> for ProofOptionswhere
E: StarkField,
impl<E> ToElements<E> for ProofOptionswhere
E: StarkField,
Source§fn to_elements(&self) -> Vec<E>
fn to_elements(&self) -> Vec<E>
Encodes these proof options into 3 field elements.