from pcp to zk-stark - biu · 2019. 2. 21. · sudan, eran tromer, salil vadhan, madars virza, avi...
TRANSCRIPT
![Page 1: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/1.jpg)
From PCP to ZK-STARKEli Ben-Sasson|Chief Scientist (East) | February 2019
![Page 2: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/2.jpg)
Overview
4
1 2 3
CryptoproofsPCP, IOP
STIK, STARKFRI
Concrete Questions
zk-STARK | February 2019
![Page 3: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/3.jpg)
Proofs of Computational Integrity (CI)
5
INTEGRITY
The quality of being honest(Dictionary)
zk-STARK | February 2019
![Page 4: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/4.jpg)
Proofs of Computational Integrity (CI)
6
INTEGRITY
The quality of being honest(Dictionary)
COMPUTATIONAL INTEGRITY
The quality of a computation being executed honestly
zk-STARK | February 2019
![Page 5: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/5.jpg)
Proofs of Computational Integrity (CI)
7
INTEGRITY
The quality of being honest(Dictionary)
COMPUTATIONAL INTEGRITY
The quality of a computation being executed honestly
CI Statement: total=$138.16
Verifier: Party checking proof (here: Customer)
Prover: Party producing proof (here: Grocer)
Generic CI statement: Computation C, with public input x and auxiliary private input w, reached output y in T steps
zk-STARK | February 2019
![Page 6: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/6.jpg)
Proofs of Computational Integrity (CI)
8
INTEGRITY
The quality of being honest(Dictionary)
COMPUTATIONAL INTEGRITY
The quality of a computation being executed honestly
Grocery receipts are proofs of computational integrity
Proof is (i) deterministic, (ii) error free, (iii) one-shot(non-interactive)
Verification via naive re-execution of computation
Generic CI statement: Computation C, with public input x and auxiliary private input w, reached output y in T steps
zk-STARK | February 2019
![Page 7: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/7.jpg)
Proofs of Computational Integrity (CI)
9
INTEGRITY
The quality of being honest(Dictionary)
COMPUTATIONAL INTEGRITY
The quality of a computation being executed honestly
Grocery receipts are proofs of computational integrity
Proof is (i) deterministic, (ii) error free, (iii) one-shot(non-interactive)
Modern CI proofs have (i) randomness, (ii) small error, (iii) interaction; in return, offer many benefits…
Verification via naive re-execution of computation
Generic CI statement: Computation C, with public input x and auxiliary private input w, reached output y in T steps
zk-STARK | February 2019
![Page 8: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/8.jpg)
10
Generic CI statement: Computation C, with public input x and auxiliary private input w, reached output y in T steps
Modern Computational Integrity proofs [GMR85]
IP, ZK, CS, PCP, MIP, IPCP, LPCP, PCIP, IOP, …
zk-STARK | February 2019
![Page 9: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/9.jpg)
Modern Computational Integrity proofs [GMR85]
11
Privacy (Zero Knowledge, ZK): Prover’s private inputs are shielded
Generic CI statement: Computation C, with public input x and auxiliary private input w, reached output y in T steps
IP, ZK, CS, PCP, MIP, IPCP, LPCP, PCIP, IOP, …
zk-STARK | February 2019
![Page 10: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/10.jpg)
Modern Computational Integrity proofs [GMR85]
12
Privacy (Zero Knowledge, ZK): Prover’s private inputs are shielded
Scalability: for computation lasting T cycles, proofs
generated in ~ T cycles (quasi-linear in T), and
verified exponentially faster than T (~ log T cycles)
Generic CI statement: Computation C, with public input x and auxiliary private input w, reached output y in T steps
naïve verifier prover
Pro
of
acti
vity
ti
me
Computation time
(logT)2
IP, ZK, CS, PCP, MIP, IPCP, LPCP, PCIP, IOP, …
zk-STARK | February 2019
![Page 11: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/11.jpg)
Modern Computational Integrity proofs [GMR85]
13
Privacy (Zero Knowledge, ZK): Prover’s private inputs are shielded
Scalability: for computation lasting T cycles, proofs
Universality (Turing Completeness): apply to any computation C
generated in ~ T cycles (quasi-linear in T), and
verified exponentially faster than T (~ log T cycles)
Generic CI statement: Computation C, with public input x and auxiliary private input w, reached output y in T steps
IP, ZK, CS, PCP, MIP, IPCP, LPCP, PCIP, IOP, …
zk-STARK | February 2019
![Page 12: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/12.jpg)
Modern Computational Integrity proofs [GMR85]
14
Privacy (Zero Knowledge, ZK): Prover’s private inputs are shielded
Scalability: for computation lasting T cycles, proofs
Universality (Turing Completeness): apply to any computation C
generated in ~ T cycles (quasi-linear in T), and
verified exponentially faster than T (~ log T cycles)
Generic CI statement: Computation C, with public input x and auxiliary private input w, reached output y in T steps
IP, ZK, CS, PCP, MIP, IPCP, LPCP, PCIP, IOP, …
Transparency: All verifier messages are public random coins
zk-STARK | February 2019
![Page 13: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/13.jpg)
15
Privacy examples
Privacy (Zero Knowledge, ZK): Prover’s private inputs are shielded
Scalability: for computation lasting T cycles, proofs
Universality (Turing Completeness): apply to any computation
Zcash shielded transaction: shield payer, payee and payment amount
Paid taxes on all my 2018 transactions, without revealing them
My crypto exchange is in the black, without showing my positions
…
generated in ~ T cycles (quasi-linear in T), and
verified exponentially faster than T (~ log T cycles)
Modern Computational Integrity proofs [GMR85]
IP, ZK, CS, PCP, MIP, IPCP, LPCP, PCIP, IOP, …
Transparency: All verifier messages are public random coins
zk-STARK | February 2019
![Page 14: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/14.jpg)
16
Scalability examples
naïve verifier prover
Pro
of
acti
vity
ti
me
Computation timeNaïve computation time Verifier time Prover time
Mega (220) 400 400·Mega
Giga (230) 900 900·Giga
Tera (240) 1600 1600·Tera
Peta (250) 2500 2500·Peta
(logT)2
Modern Computational Integrity proofs [GMR85]
Privacy (Zero Knowledge, ZK): Prover’s private inputs are shielded
Scalability: for computation lasting T cycles, proofs
Universality (Turing Completeness): apply to any computation
generated in ~ T cycles (quasi-linear in T), and
verified exponentially faster than T (~ log T cycles)
IP, ZK, CS, PCP, MIP, IPCP, LPCP, PCIP, IOP, …
Transparency: All verifier messages are public random coins
zk-STARK | February 2019
![Page 15: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/15.jpg)
17
Scalability examples
naïve verifier prover
Pro
of
acti
vity
ti
me
Computation time
(logT)2
Proof scalability can solve blockchain scalability problems
Suppose computing latest Bitcoin state takes 1Peta (250) steps
A single prover spends 2500·250 steps, posts proof
All other nodes verify exponentially faster, in 2500 steps
Modern Computational Integrity proofs [GMR85]
Privacy (Zero Knowledge, ZK): Prover’s private inputs are shielded
Scalability: for computation lasting T cycles, proofs
Universality (Turing Completeness): apply to any computation
generated in ~ T cycles (quasi-linear in T), and
verified exponentially faster than T (~ log T cycles)
IP, ZK, CS, PCP, MIP, IPCP, LPCP, PCIP, IOP, …
Transparency: All verifier messages are public random coins
zk-STARK | February 2019
![Page 16: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/16.jpg)
18
tl;dr my research: PCP-based proofs, concrete efficiency
naïve verifier prover
Pro
of
acti
vity
ti
me
Computation time
(logT)2
1995: ZK w/ scalable verifier was “galactic algorithm”
2018: scalable ZK realized in code for meaningful computation
using scalable PCPs and Interactive Oracle Proofs (IOPs)
Modern Computational Integrity proofs [GMR85]
Privacy (Zero Knowledge, ZK): Prover’s private inputs are shielded
Scalability: for computation lasting T cycles, proofs
Universality (Turing Completeness): apply to any computation
generated in ~ T cycles (quasi-linear in T), and
verified exponentially faster than T (~ log T cycles)
IP, ZK, CS, PCP, MIP, IPCP, LPCP, PCIP, IOP, …
Transparency: All verifier messages are public random coins
zk-STARK | February 2019
![Page 17: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/17.jpg)
19
naïve verifier prover
Pro
of
acti
vity
ti
me
Computation time
(logT)2
Co-authors [2001-2019]: Iddo Bentov, Alessandro Chiesa, Michael Forbes, Ariel Gabizon, Daniel Genkin, Oded Goldreich, Lior Goldberg, Tom Gur, Matan Hamilis, Prahladh Harsha, Yinon Horesh, Yohay Kaplan, Swastik Kopparty, Or Meir, Evgenya Pergament, Michael Riabzev, ShubhangiSaraf, Mark Silberstein, Hennig Stichtenoth, Nicholas Spooner, Madhu Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson.
Modern Computational Integrity proofs [GMR85]
tl;dr my research : PCP-based proofs, concrete efficiency
Privacy (Zero Knowledge, ZK): Prover’s private inputs are shielded
Scalability: for computation lasting T cycles, proofs
Universality (Turing Completeness): apply to any computation
generated in ~ T cycles (quasi-linear in T), and
verified exponentially faster than T (~ log T cycles)
IP, ZK, CS, PCP, MIP, IPCP, LPCP, PCIP, IOP, …
Transparency: All verifier messages are public random coins
zk-STARK | February 2019
![Page 18: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/18.jpg)
Many flavors of proof systems
Variety of theoretical
constructions
(past 30 yrs)
PCP based, linear PCPs, elliptic curve+pairing based succinct
NIZKs, proofs for muggles, quadratic span/arithmetic
programs (QAP/QSP), interactive oracle proofs (IOP), …
zk-STARK | February 2019
![Page 19: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/19.jpg)
Many flavors of proof systems
22
Variety of theoretical
constructions
(past 30 yrs)
…andimplementations
(past 5 yrs)
PCP based, linear PCPs, elliptic curve+pairing based succinct
NIZKs, proofs for muggles, quadratic span/arithmetic
programs (QAP/QSP), interactive oracle proofs (IOP), …
Pinocchio, libsnark, Zcash, Pepper, Buffet, ZKboo, Ligero, Bulletproofs,
Hyrax, libstark, Aurora, ...
See zkp.science
zk-STARK | February 2019
![Page 20: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/20.jpg)
Overview
23
1 2 3
CryptoproofsPCP, IOP
STIK, STARKFRI
Concrete Questions
zk-STARK | February 2019
![Page 21: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/21.jpg)
zk-STARK definition [BBHR18]
24
zk
S
T
AR
K
zero knowledge: private inputs are shielded
Scalable: proofs for CI of computation lasting T cycles are • generated in roughly T cycles (quasi-linear in T), and• verified exponentially faster than T (roughly log T cycles)
Transparent: verifier messages are random coins; no trusted setup
ARgument of Knowledge: proof can be generated only by party
knowing private input (formally: an efficient procedure can extract the secrets from a prover)
An argument system is a zk-STARK if it satisfies:
zk-STARK | February 2019
![Page 22: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/22.jpg)
zk-STARK definition [BBHR18]
25
An argument system is a zk-STARK if it satisfies:
zk
S
T
AR
K
zero knowledge: private inputs are shielded
Scalable: proofs for CI of computation lasting T cycles are • generated in roughly T cycles (quasi-linear in T), and• verified exponentially faster than T (roughly log T cycles)
Transparent: verifier messages are random coins; no trusted setup
ARgument of Knowledge: proof can be generated only by party
knowing private input (formally: an efficient procedure can extract the secrets from a prover)
• STARKs may be interactive (use blockchain as source of transparent randomness), gives shorter & safer proofs
• 1st STARK implementation: SCI-POC [BCG+16]; 1st zk-STARK: libstark [BBHR18]
zk-STARK | February 2019
![Page 23: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/23.jpg)
PCPs and polylogarithmic verification
“In this setup, a single reliable PC can monitor the operation of a herd of supercomputers working with possibly extremely powerful but unreliable software and untested hardware” [Babai, Fortnow, Levin, 1991]
Setup: to prove 𝑥 ∈ 𝐿 for some 𝐿 ∈ 𝑁𝑇𝐼𝑀𝐸(𝑇 𝑛 )
• Verifier has oracle access to PCP 𝜋,
• Verifier runs in time poly(𝑛 + log (𝑇(𝑛))
• If 𝑥 ∈ 𝐿 then exists 𝜋 accepted w.p. 1
• If 𝑥 ∈ 𝐿 then all 𝜋 rejected w.p. > ½
26
V
Commitment
(Merkle tree root)Kilian 92
zk-STARK | February 2019
![Page 24: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/24.jpg)
PCP and scalability [BFL, BFLS, AS, AL, K, M 1991-4]
27
naïve verifier
Proof activity
time
Computation time
Verification = proving
Naive:
PCP:
Poly-logarithmic verification
1995
𝜅 =𝑇
𝑇𝑉
zk-STARK | February 2019
![Page 25: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/25.jpg)
PCP and scalability [BFL, BFLS, AS, ALMSS, K, M 1991-4]
28
Proof activity
time
Computation time
Verification = proving
Naive:
PCP:
Poly-logarithmic verification
1995
naïve verifier
Verifier compute/unit of time
𝜅 =𝑇
𝑇𝑉
zk-STARK | February 2019
![Page 26: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/26.jpg)
PCP and scalability [BFL, BFLS, AS, ALMSS, K, M 1991-4]
29
naïve verifier prover
Proof activity
time
Computation time
Verification = proving
Naive:
Polynomial proving time
Poly-logarithmic verification
1995Prover compute/unit of time
PCP:
𝜅 =𝑇
𝑇𝑉Verifier compute/unit of time
zk-STARK | February 2019
![Page 27: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/27.jpg)
PCP and scalability [BS, BGHSV, D, M, 2003-8]
30
naïve verifier prover
Proof activity
time
Computation time
Verification = proving
Naive:
Quasi-linear proving
PCP:
Poly-logarithmic verification
2006Prover compute/unit of time
𝜅 =𝑇
𝑇𝑉
zk-STARK | February 2019
![Page 28: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/28.jpg)
PCPs and polylogarithmic verification
“In this setup, a single reliable PC can monitor the operation of a herd of supercomputers working with possibly extremely powerful but unreliable software and untested hardware. “ [Babai, Fortnow, Levin, 1991]
Setup: to prove 𝑥 ∈ 𝐿 for some 𝐿 ∈ 𝑁𝑇𝐼𝑀𝐸(𝑇 𝑛 )
• Verifier has oracle access to PCP 𝜋,
• Verifier runs in time poly(𝑛 + log (𝑇(𝑛))
• If 𝑥 ∈ 𝐿 then exists 𝜋 accepted w.p. 1
• If 𝑥 ∈ 𝐿 then all 𝜋 rejected w.p. > ½
31
V
zk-STARK | February 2019
![Page 29: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/29.jpg)
Interactive Oracle Proofs (IOP) [RRR16, BCS16]
IOP setup: to prove 𝑥 ∈ 𝐿 for some 𝐿 ∈ 𝑁𝑇𝐼𝑀𝐸(𝑇 𝑛 )
• Verifier has oracle access to 1st oracle 𝜋0,
• Verifier sends public randomness 𝑟0
32
V
𝜋0𝑟0
zk-STARK | February 2019
![Page 30: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/30.jpg)
Interactive Oracle Proofs (IOP) [RRR16, BCS16]
IOP setup: to prove 𝑥 ∈ 𝐿 for some 𝐿 ∈ 𝑁𝑇𝐼𝑀𝐸(𝑇 𝑛 )
• Verifier has oracle access to 1st oracle 𝜋0,
• Verifier sends public randomness 𝑟0
• Verifier has oracle access to 2nd oracle 𝜋0
• …
33
V
𝜋0
𝜋1
𝜋2
𝑟0
𝑟1
zk-STARK | February 2019
![Page 31: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/31.jpg)
Interactive Oracle Proofs (IOP) [RRR16, BCS16]
IOP setup: to prove 𝑥 ∈ 𝐿 for some 𝐿 ∈ 𝑁𝑇𝐼𝑀𝐸(𝑇 𝑛 )
• Verifier has oracle access to 1st oracle 𝜋0,
• Verifier sends public randomness 𝑟0
• Verifier has oracle access to 2nd oracle 𝜋0
• …
• Verifier runs in time poly(𝑛 + log (𝑇(𝑛))
• If 𝑥 ∈ 𝐿 then ∃𝜋0, 𝜋1, … , 𝜋𝑡 accepted w.p. 1
• If 𝑥 ∈ 𝐿 then all ∀𝜋 rejected w.p. > ½
34
V
𝜋0
𝜋1
𝜋2
𝑟0
𝑟1
zk-STARK | February 2019
![Page 32: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/32.jpg)
Scalable Transparent ARgument of Knowledge (STARK)
35
V
𝜋0
𝜋1
𝜋2
Commitment
(Merkle tree root)
𝑟0
𝑟1
zk
S
T
AR
K
zero knowledge: private inputs are shielded
Scalable: proofs for CI of computation lasting T cycles are • generated in roughly T cycles (quasi-linear in T), and• verified exponentially faster than T (roughly log T cycles)
Transparent: verifier messages are random coins; no trusted setup
ARgument of Knowledge: proof can be generated only by party
knowing private input (formally: an efficient procedure can extract the secrets from a prover)
An argument system is a zk-STARK if it satisfies:
zk-STARK | February 2019
![Page 33: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/33.jpg)
IOP tl;dr
With IOPs, can prove results that are yet unknown in PCP model
• 2-round IOP with perfect ZK, non-adaptive verifier for NP [BCGV16]
• Doubly-efficient, constant round, Interactive Proofs [RRR16]
• O(1)-round IOP with linear bit-length proofs and constant query comp [BCGRS17]
• Proximity protocols for Reed-Solomon with linear arithmetic complexity and logarithmic query complexity [BBHR18]
• …
• Concretely efficient ZK-STARKs [BBC+16, BBHR18, …]
36zk-STARK | February 2019
![Page 34: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/34.jpg)
PCP and scalability [BS, BGHSV, D, M, 2003-8]
37
naïve verifier prover
Proof activity
time
Computation time
2006Prover compute/unit of time
Verifier compute/unit of time
𝜅 =𝑇
𝑇𝑉
V
Commitment
(Merkle tree root)
zk-STARK | February 2019
![Page 35: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/35.jpg)
IOP and Scalability [BBC+16, BBHR18]
38
naïve verifier prover
Proof activity
time
Computation time
2018Prover compute/unit of time
Verifier compute/unit of time
𝜅 =𝑇
𝑇𝑉
V
𝜋0
𝜋1
𝜋2
Commitment
(Merkle tree root)
𝑟0
𝑟1
zk-STARK | February 2019
![Page 36: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/36.jpg)
IOP and Scalability
39
naïve verifier prover
Proof activity
time
Computation time
12/2018Prover compute/unit of time
ZOOM IN
39
10.015.0
25.0
50.0
98.0
197.0
396.0
814.0
1,674.0
3,436.0
6,625.0
14,503.0
29,424.0
72,179.0
5.6 6.1 7.2 7.6 8.3 8.9 9.1 9.7 10.6 11.3 11.2 12.5 13.9 15.4
0.2
0.4
0.8
1.6
3.2
6.4
12.8
25.6
51.2
102.4
204.8
409.6
819.2
1,638.4
1 2 4 8 16 32 64 128 256 512 1024 2048 4096 8192
STARK prover STARK verifier Naïve
Proof activity
time (ms)
#Pedersen hashes (log scale)
T480 laptopi7-8550U CPU@ 1.80GHzQuad-core32 GB DDR4 RAM
STARK Prover/Naive ratio ~ 35X
zk-STARK | February 2019
![Page 37: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/37.jpg)
Scalable Transparent IOP of Knowledge (STIK) [BBHR18]
Definition:
An IOP for 𝐿 ∈ 𝑁𝑇𝐼𝑀𝐸(𝑇 𝑛 ) is said to be:• Scalable if both of following hold:
• Proving time T𝑃 = ෨𝑂 𝑇 𝑛 + 𝑝𝑜𝑙𝑦 𝑛 = 𝑇 𝑛 ⋅log𝑂 1 𝑇 𝑛 + 𝑝𝑜𝑙𝑦(𝑛)
• Verifying time TV = poly log 𝑇(𝑛)
• Transparent if all verifier messages are public random coins (Arthur-Merlin protocols)
• IOP of Knowledge if exists Extractor E that extracts in time 𝑝𝑜𝑙𝑦 𝑇(𝑛) a witness 𝑤 for membership of 𝑥 ∈ 𝐿, from ``good’’ prover P𝑥
40
V
𝜋0
𝜋1
𝜋2
𝑟0
𝑟1
zk-STARK | February 2019
![Page 38: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/38.jpg)
Strict STIK (arithmetic complexity)
41
Definition:
An STIK for 𝐿 ∈ 𝑁𝑇𝐼𝑀𝐸(𝑇 𝑛 ) is• Strictly Scalable if both of following hold:
• Proving time T𝑃 = 𝑂 𝑇 𝑛 log 𝑇(𝑛)
• Verifying time TV = O(log 𝑇(𝑛)) + ෨𝑂(𝑛)
Thm [B, Chiesa, Goldberg, Gur, Riabzev, Spooner, 2019]:
Every 𝐿 ∈ 𝑁𝑇𝐼𝑀𝐸(𝑇 𝑛 ) has a strict (ZK)-STIK, where 𝑇𝑃 , 𝑇𝑉are measured using arithmetic complexity over field of size 𝑂(𝑇 𝑛 )
Question: Strict STIK, Boolean complexity?
V
𝜋0
𝜋1
𝜋2
𝑟0
𝑟1
zk-STARK | February 2019
![Page 39: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/39.jpg)
Interactive Oracle Proofs of Proximity (IOPP) [RRR16, BCS16]
IOPP: to prove oracle 𝑓 close to code 𝐶 ⊂ 𝐹𝑛
• Verifier sends public randomness 𝑟0
• Verifier has oracle access to 1st oracle 𝜋1
• …
• Verifier runs in time poly(𝑛 + log (𝑇(𝑛))
• If 𝑓 ∈ 𝐶 then ∃𝜋0, 𝜋1, … , 𝜋𝑡 accepted w.p. 1
• Otherwise, ∀𝜋 rejected w.p. >𝑠(Δ 𝑓, 𝐶 )
• 𝑠 is soundness function, want to maximize it
42
V
𝜋0
𝜋1
𝜋2
𝑟0
𝑟1
zk-STARK | February 2019
![Page 40: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/40.jpg)
Fast Reed-Solomon IOPP (FRI) [B, Bentov, Horesh, Riabzev 2018]
43
Definition: Reed-Solomon code (low deg polys)𝑅𝑆 𝐹, 𝑆, 𝜌 = 𝑓: 𝑆 → 𝐹 deg 𝑓 < 𝜌|𝑆|}
Thm [BBHR 2018]:
∀𝑆 ⊆ 𝐹, 𝑆 is a group of size 𝑁 = 2𝑛,the code 𝑅𝑆 𝐹, 𝑆, 𝜌 has a (fast) IOPP with
• 𝑇𝑃 ≤ 6 ⋅ 𝑁
• 𝑇𝑉 ≤ 21 ⋅ log𝑁
• 𝑠 𝛿 ≥ min 𝛿0, 𝛿 for 𝛿0 ≈1−𝜌
4 New: 𝛿0 ≈ 1 − 𝜌1
3 [BGKS19]
𝛿0 ≈ 1 − 𝜌1
4 [BKS18]
Question: Is 𝑠 𝛿 ≥ 𝛿 −𝑆
𝐹
𝑂(1)for 𝛿 as large as 1 − 𝜌?
𝜌
𝛿0
zk-STARK | February 2019
![Page 41: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/41.jpg)
Overview
44
1 2 3
CryptoproofsPCP, IOP
STIK, STARKFRI
Concrete Questions
zk-STARK | February 2019
![Page 42: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/42.jpg)
Theory questions with practical impact
1. Strict STIK, Boolean complexity• 𝑇𝑃 = 𝑂(𝑇 𝑛 log 𝑇(𝑛)) and 𝑇𝑃 = 𝑂(log 𝑇(𝑛))
• Approach: use AG codes over constant alphabets
• Requires quasi-linear encoding time for AG codes
2. Better soundness analysis for FRI
• Is 𝑠 𝛿 ≥ 𝛿 −𝑆
𝐹
𝑂(1)for 𝛿 greater than 1 − 𝜌
1
3 ?
• Reaching Johnson bound (1 − √𝜌)? Beyond it?
3. Sliding scale conjecture for IOP and STIK?• Currently soundness error greater than rate (𝜌)
• Want soundness error closer to poly(1
|F|)
• Perhaps simpler to solve for IOPs than for PCPs?
zk-STARK | February 2019 45
![Page 43: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/43.jpg)
Crypto-Security Questions
1. STARK-friendly crypto primitives• SHA2/3 STARK “cost” ≈ 104
• Pedersen STARK “cost” ≈ 103
• MiMC/Jarvis/Friday “cost” ≈ 102 [AGRRT16, AD18]
• How low can you get? Algebraic security analysis?
2. STARK/STIK security analysis• Best efficient attack on FRI? on other PCPs/PCPPs? [BBGR16]
3. STARK-friendly commitments and accumulators• Replace Merkle trees with more efficient data structures? [LM18, BBF18]
• With Merkle trees in RO model, do you need 𝜆 or 2𝜆 bits RO to reach 2−𝜆
soundness error?
4. How to formally verify a STIK/STARK constraint system?
46zk-STARK | February 2019
![Page 44: From PCP to ZK-STARK - BIU · 2019. 2. 21. · Sudan, Eran Tromer, Salil Vadhan, Madars Virza, Avi Wigderson. Modern Computational Integrity proofs [GMR85] tl;dr my research : PCP-based](https://reader033.vdocuments.us/reader033/viewer/2022051901/5fef8c71d356a37dc660be57/html5/thumbnails/44.jpg)
Questions?we’re hiring: [email protected] more: [email protected]