2024-06-28

Introduction to ZK-STARKs

$\def\F{\mathtt {F}} \def\X{\mathtt {X}} \def\Y{\mathtt {Y}} \def\Z{\mathtt {Z}}$

Disclaimer: contains math

If you don't understand something
- Not your fault, this stuff is hard
- Nobody understands it fully
If you don't understand anything
- My fault, anything can be explained at some level
If you do understand everything
- Collect your Turing Award & Fields Medal
- Many open questions

Zero knowledge proofs

We know some algorithm $\F(\X, \Y)$ .

I give you $\X$ and $\Z$ and proof that “I know an $\Y$ such that $\F(\X, \Y) = \Z$ ” without revealing $\Y$ .

$\X$ public input, old balances.
$\Y$ secret input, trades.
$\Z$ public output, new balances.

Scalable DEX

“I know an $\Y$ such that $\F(\X, \Y) = \Z$ ”

public input $\X$ : (merkle root of) old balances.
secret input $\Y$ : trades.
public output $\Z$ : (merkle root of) new balances.

$\F$ verifies maker and taker signatures on the trades and updates the balances.

Naive solution

I give you $\X$ , $\Y$ and $\Z$ .
You compute $\F(\X, \Y)$ and verify that it is $\Z$ .

Problems:

📀 I need to send data size $O(\X + \Y + \Z)$ , i.e. all the trades.
💾 We want $O(\X + \Z + \F)$ , only merkle roots.
⏳ You need to do computations $O(\F)$ .
⌛ We want constant gas.
🤫 You now know $\Y$ , the secret input.
🤷 We don't care.

Math refresher: Polynomials


Constant	$a_0$
Linear	$a_0 + a_1 x$
Parabola	$a_0 + a_1 x + a_2 x^2$
Cubic	$a_0 + a_1 x + a_2 x^2 + a_3 x^3$
Quartic	$a_0 + a_1 x + a_2 x^2 + a_3 x^3 + a_4 x^4$
...	$a_0 + a_1 x + a_2 x^2 + \cdots + a_n x^n$

Can be uniquely described in three ways:

$n + 1$ Coefficients
$n + 1$ Points
$n$ Zeros* and a scaling factor

(* Zeros might be imaginary.)

Can do math with them:

Add $\deg (P + Q) = \max (\deg P, \deg Q)$ .
Multiply $\deg (P \times Q) = \deg P + \deg Q$ .
Divide $\deg \frac{P}{Q} = \deg P - \deg Q$
Division works when zeros match.

Toy example: Fibonnacci

We want to prove the 1000-th Fibonacci number starting from a public and a secret value. Take $\F(\X, \Y) = \Z$ to mean the following:

$\begin{aligned} F_0 &:= \X & F_i &:= F_{i - 2} + F_{i - 1} \\ F_1 &:= \Y & \Z &:= F_{1000} \\ \end{aligned}$

Computational trace

Computation with $n$ steps and $w$ registers. The trace $T$ is a $n \times w$ table. Here $n = 1000$ and $w = 2$ . Restate algorithm as constraints on $T_{i}$

Example: $\X = 3$ , $\Y = 4$ :

n	$T_{n, 0}$	$T_{n, 1}$
0	3	4
1	4	7
2	7	11
3	11	18
...	...	...
999	$F_{999}$	$F_{1000}$

Encode the algorithm as a set of transition constraints:

$\begin{aligned} T_{i + 1, 0} &= T_{i, 1} & T_{i + 1, 1} &= T_{i, 0} + T_{i, 1} \end{aligned}$

and boundary constraints:

$\begin{aligned} T_{0, 0} &= \X & T_{999, 1} &= \Z & \end{aligned}$

‟I know $y$ such that $f(x,y)=z$ .”

$\Leftrightarrow$

‟I know a trace $T$ such that the constraints hold.”

Trace polynomials

For each register $j$ , create a polynomial $P_j(x)$ of degree $999$ such that $P_j(i) = T_{i, j}$ for $i = 0 \dots 999$ .

(Actual implementation uses $P_j(ω^i) = T_{i, j}$ with $ω$ a $n$ -root of unity to allow $O(n \log n)$ FFT and FRI. Also rounds $n$ up to the next power of two. Ignore for now.)

Consider the constraint $T_{i + 1, 1} = T_{i, 0} + T_{i, 1}$ for $i = 0 \dots 999$ :

$\Leftrightarrow P_1(i + 1) = P_0(i) + P_1(i)$ for $i = 0 \dots 999$

$\Leftrightarrow P_1(i + 1) - (P_0(i) + P_1(i)) = 0$ for $i = 0 \dots 999$

$\Leftrightarrow Q(x) = P_1(x + 1) - (P_0(x) + P_1(x))$ is zero when $x$ is an integer $0 \dots 999$ .

$R(x) = (x - 0) \cdot (x - 1)\cdot (x - 2) \dots (x - 999)$ is a polynomial and is zero only when $x$ is an integer $0 \dots 999$ .

This means

$C(x) = \frac{Q(x)}{R(x)}$

is also a polynomial.

Create functions that are polynomial only when the constraints are satisfied:

Transition constraints:

$\begin{aligned} T_{i + 1, 0} &= T_{i, 1} &⇒&& C_0(x) &= \frac {P_0(x + 1) - P_1(x)} {\prod^i_{[0 … 998]}\left( x - i\right)} \\ T_{i + 1, 1} &= T_{i, 0} + T_{i, 1} &⇒&& C_1(x) &= \frac {P_1(x + 1) - (P_0(x) + P_1(x))} {\prod^i_{[0\dots998]}\, (x - i)} \end{aligned}$

Boundary constraints:

$\begin{aligned} T_{0, 0} &= X &⇒&& C_2(x) &= \frac {P_0(x) - X} {x - 0} \\ T_{999, 1} &= Z &⇒&& C_3(x) &= \frac {P_1(x) - Z} {x - 999} \\ \end{aligned}$

‟I know $y$ such that $f(x,y)=z$ .”

$\Leftrightarrow$

‟I know a trace $T$ such that the constraints hold.”

$\Leftrightarrow$

‟I know polynomials $P_0$ and $P_1$ such that $C_0$ , $C_1$ , $C_2$ , $C_3$ are polynomial.”

Interactive proof

I give you $\X$ , $\Z$ and a merkle roots of $P_0$ and $P_1$ .

You give me random values $α_0$ , $α_1$ , $α_2$ , $α_3$ .

Fast Reed-Solomon Interactive Oracle Proof II

$P(x) = a_0 + a_1 x + a_2 x^2 + a_3 x ^3 \cdots + a_n x^n$

Given a random number $β$ , we can fold the coefficients and get a polynomial of degree $\frac{n}{2}$ .

$P'(x) = (a_0 + a_1 β) + (a_2 + a_3 β) x + \cdots + ( a_{n-1} + a_n β) x^{\frac n2}$

This can be computed using:

$P'(x) = P(x) + \left( \frac{β}{2x} - \frac{1}{2}\right) \left(P(x) - P(-x) \right)$

$P(x) = a_0 + a_1 x + a_2 x^2 + a_3 x ^3 \cdots + a_n x^n$

Given a random number $β$ , we can fold the coefficients and get a polynomial of degree $\frac{n}{2}$ .

$P'(x) = (a_0 + a_1 β) + (a_2 + a_3 β) x + \cdots + ( a_{n-1} a_n β) x^{\frac n2}$

$P'(x) = P(x) + \left( \frac{β}{2x} - \frac{1}{2}\right) \left(P(x) - P(-x) \right)$

$\begin{aligned} P(x) ={}& a_0 &{}+{}& a_1 x &{}+{}& a_2 x^2 &{}+{}& a_3 x ^3 &{}+{}& \cdots &{}+{}& a_{n-1} x^{n-1} &{}+{}& a_n x^n \\ P(-x) ={}& a_0 &{}-{}& a_1 x &{}+{}& a_2 x^2 &{}-{}& a_3 x ^3 &{}+{}& \cdots &{}-{}& a_{n-1} x^{n-1} &{}+{}& a_n x^n \\ P(x) - P(-x) ={}& && 2a_1 x && &{}+{}& 2a_3 x ^3 &{}+{}& \cdots &{}+{}& 2 a_{n-1} x^{n-1} \\ \\ \frac{β}{2x} \left(P(x) - P(-x)\right) ={}& a_1 β && &{}+{}& a_3 β x^2 && &{}+{}& \cdots &{}+{}& a_{n-1} β x^{n-2} \\ \\ \frac{1}{2} \left(P(x) - P(-x)\right) ={}& a_1 x && &{}+{}& a_3 x^3 && &{}+{}& \cdots &{}+{}& a_{n-1} β x^{n-1} \\ \\ (\frac{β}{2x}-\frac{1}{2}) \left(P(x) - P(-x)\right) ={}& a_1 β &{}-{}& a_1 x &{}+{}& a_3 β x^2 &{}-{}& a_3 x^3 &{}+{}& \cdots &{}+{}& a_{n-1} β x^{n-1} \\ \end{aligned}$

$P'(x) = (a_0 + a_1 β) + (a_2 + a_3 β) x + \cdots + ( a_{n-1} + a_n β) x^{\frac n2}$

I compute $C(x) = α_0 \cdot C_0(x) + α_1 \cdot C_1(x) + α_2 \cdot C_2(x) + α_3 \cdot C_3(x)$ .

I give you the merkle root of $C$ and claim $\deg C = 1024$ .

You give me a random value $𝛽_0$ .

I give you the merkle root of $C'$ and claim $\deg C' = 512$ .

You give me a random value $𝛽_1$ .

...

I give you the constant $C''$ .

You verify $C''$ using $\X$ , $\Y$ , the $α$ s and the $𝛽$ s.

Fiat-Shamir transform

All you do is give me random numbers. Why don't I replace you by a pseudo random number generator!

Seed PRNG with all prover messages, extract random 'verfier' messages.

Send all the proof at once.