There have been rumors in the market recently that Stark is going to launch a cryptocurrency! It is a very wise choice to launch a cryptocurrency when the market is doing well.
Here, I want to review the basic technical principles of Stark. I have been recording them intermittently before, and now I will organize them here (although it is still a bit messy).
Computational Integrity#
Computational Integrity ensures that the output of a computation is correct.
Step 1: Arithmeticization#
Generating Execution Trace#
The execution trace is actually a list, where each row represents a computational step.
Represent the execution trace as a polynomial.
Expand the polynomial to a larger field.
Polynomial Constraints#
Polynomial constraints ensure that all polynomial constraints are satisfied only when the execution trace represents a valid computation.
Use polynomial constraints to transform it into another polynomial, such that it is a low-degree polynomial only when the execution trace of the new polynomial is valid.
The work of the Verifier mainly involves two tasks:
- Querying the synthesized polynomial at a random position.
- Based on these queries, checking if the polynomial is low-degree.
Succinctness#
There is still one work that has not been completed, which is the S in STARK, succinctness. Succinctness consists of the following two parts:
- Using a small number of queries.
- Completing very few calculations for each query.
During the query, the calculation amount can be reduced by using the method shown in the figure below. By using the characteristics of this group, we can view the execution trace as the evaluation of a polynomial on a subgroup of the field, and the polynomial constraints for evaluation are about this subgroup. As a result, the verification time of the Verifier is reduced to logarithmic order. With this feature, we can construct more complex execution traces, but the constraints must be consistent with a subgroup of the field.
Mathematical Background:
Integer Modulo n Multiplicative Group#
Multiplicative Inverse
For any element a in the group G, there exists a unique inverse element a', which satisfies the property aa' = a'a = e, where e is the identity element of the group.
For example, what is the multiplicative inverse of 4 modulo 7?
4X ≡ 1 mod 7
This equation is equivalent to finding an X and K that satisfy
4X = 7K + 1
where X and K are integers.
If ax ≡ 1 mod f, then the multiplicative inverse of a modulo f is called x. It can also be represented as ax ≡ 1 (mod f).
When a and f are coprime, there is a solution for the multiplicative inverse modulo f. If they are not coprime, there is no solution. If f is a prime number, any number from 1 to f-1 is coprime with f, which means there is exactly one multiplicative inverse modulo f between 1 and f-1.
Modular Arithmetic
Modular arithmetic, also known as modular division, allows operations to be performed in a finite space. Through modular arithmetic, mathematicians have established a new system of operations that is consistent with the traditional mathematical operation system. In this new operation system, various structures in the traditional system, including polynomials known as "conventional mathematics," can be discussed. Cryptographers especially like this new operation system.
The modular arithmetic system also has the four basic operations and exponentiation, but its division operation is more complex to implement. Generally, it is necessary to first find the multiplicative inverse of the divisor and convert the division into multiplication for calculation.
In practice, a prime number p is usually used as the modulus:
Fermat's Little Theorem
If a is an integer and p is a prime number, then a^p - a is a multiple of p.
Fermat's Little Theorem can also be used to find the multiplicative inverse, which is the basis for division in the modular arithmetic system.
Fermat's Little Theorem also has a corollary. In the modular arithmetic space, if p-1 is a multiple of k, the size of the value space of x => x^k is (p-1)/k+1.
Extended Euclidean Algorithm
The Euclidean algorithm, also known as the Euclidean division algorithm, is used to find the greatest common divisor of two numbers. The extended Euclidean algorithm can also be used to find the multiplicative inverse in the modular arithmetic.
Montgomery Algorithm
When there is division in modular arithmetic, all divisions are converted into multiplications through the multiplicative inverse. However, finding the multiplicative inverse is also cumbersome and time-consuming when a large number of multiplicative inverses need to be calculated. The Montgomery algorithm simplifies the calculation by converting multiple multiplicative inverse operations into multiple multiplications and one inverse operation.
Fast Fourier Transform
In the calculation process of zk-STARK, there are many operations that require the calculation of polynomial coefficients from point values, and the calculation of point values from polynomial coefficients. Lagrange interpolation can also be used for calculation, but its time complexity is O(n^2), while the fast Fourier transform has a time complexity of O(n*log(n)). For example, if interpolation is needed for 1 million points, the Lagrange method requires 100 trillion calculations, while the fast Fourier transform only requires 20 million calculations. However, the fast Fourier transform has requirements for the sampling points, which need to be exponentially increasing and the number of points needs to satisfy 2^k.
Low-Degree Testing - FRI Algorithm
The degree of a polynomial refers to the highest power. Suppose we know the values of n points of a polynomial, how can we prove that its degree is at most m (m < n-1, according to the Lagrange interpolation algorithm, n points can determine a polynomial of degree at most n-1)? A relatively simple method is to first use m+1 points to obtain a polynomial of degree m, and then verify that all other points lie on this polynomial. However, when m is large, the computational complexity of this method increases linearly. The FRI algorithm can verify the above problem with a computational complexity less than m.
The idea is as follows. Suppose there are N (e.g., 1 billion) points in a polynomial of degree less than m (e.g., 1 million). Let f(x) = x^12012 + x^11011 + x^3005 + x^1001 + x + 1, and now let y = x^1000, we can get g(x, y) = x^12y^12 + x^11y^11 + x^5y^3 + xy + x + 1. For g(x, y), when y is fixed, for x, the degree of the polynomial is less than 1000; similarly, when x is fixed, for y, the degree of the polynomial is also less than 1000.
zk-STARK Proof Approach
- Each step of the program corresponds to a value, and all steps combined form a computation trace, which corresponds to a polynomial P(n).
- Each step of the computation trace generates a constraint C(p) = 0.
- Combine the trace polynomial and the constraint polynomial to obtain D(x) = C(p(x), p(x-1), ...).
- The combined polynomial D(x) is zero at every step of the computation trace, that is, it has roots Z(x) = (x-x_1)(x-x_2)...(x-x_n).
- Use the FRI algorithm to perform low-degree testing on the polynomial T(x) = D(x)/Z(x).
Translation: