npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@guildofweavers/genstark

v0.7.6

Published

zk-STARK generation library

Downloads

11

Readme

genSTARK

This library is intended to help you quickly and easily generate STARK-based proofs of computation using JavaScript. The goal is to take care of as much boilerplate code as possible, and let you focus on the specifics of your computations.

Background

A STARK is a novel proof-of-computation scheme that allows you to create an efficiently verifiable proof that a computation was executed correctly. The scheme was developed by Eli-Ben Sasson and team at Technion-Israel Institute of Technology. STARKs do not require an initial trusted setup, and rely on very few cryptographic assumptions. See references for more info.

Disclaimer

DO NOT USE THIS LIBRARY IN PRODUCTION. At this point, this is a research-grade library. It has known and unknown bugs and security flaws.

Install

$ npm install @guildofweavers/genstark --save

Usage

Here is a trivial example of how to use this library. In this example, the computation is just adding 2 to the current value at each step. That is: xn+1 = xn + 2.

import { instantiateScript } from '@guildofweavers/genstark';

// define a STARK for this computation
const fooStark = instantiateScript(Buffer.from(`
define Foo over prime field (2^32 - 3 * 2^25 + 1) {

    secret input startValue: element[1];

    // define transition function
    transition 1 register {
        for each (startValue) {
            init { yield startValue; }
            for steps [1..63] { yield $r0 + 2; }
        }
    }

    // define transition constraints
    enforce 1 constraint {
        for all steps { enforce transition($r) = $n; }
    }
}`));

// create a proof that if we start computation at 1, we end up at 127 after 64 steps
const assertions = [
    { register: 0, step: 0,  value: 1n   },  // value at first step is 1
    { register: 0, step: 63, value: 127n }   // value at last step is 127
];
const proof = fooStark.prove(assertions, [[1n]]);

// verify that if we start at 1 and run the computation for 64 steps, we get 127
const result = fooStark.verify(assertions, proof);
console.log(result); // true

There are a few more sophisticated examples in this repository:

When you run the examples, you should get a nice log documenting each step. Here is an example output of running 128-bit MiMC STARK for 213 steps:

Starting STARK computation
Set up evaluation context in 146 ms
Generated execution trace in 52 ms
Computed execution trace polynomials P(x) in 7 ms
Low-degree extended P(x) polynomials over evaluation domain in 83 ms
Serialized evaluations of P(x) and S(x) polynomials in 92 ms
Built evaluation merkle tree in 87 ms
Computed composition polynomial C(x) in 574 ms
Combined P(x) and S(x) evaluations with C(x) evaluations in 50 ms
Computed low-degree proof in 231 ms
Computed 48 evaluation spot checks in 2 ms
STARK computed in 1327 ms
--------------------
Proof serialized in 8 ms; size: 94.58 KB
--------------------
Proof parsed in 6 ms
--------------------
Starting STARK verification
Set up evaluation context in 9 ms
Computed positions for evaluation spot checks in 1 ms
Decoded evaluation spot checks in 1 ms
Verified evaluation merkle proof in 4 ms
Verified transition and boundary constraints in 52 ms
Verified low-degree proof in 14 ms
STARK verified in 85 ms
--------------------
STARK security level: 96

API

You can find complete API definitions in genstark.d.ts. Here is a quick overview of the provided functionality:

Defining a STARK

The simplest way to create a STARK for a computation is to instantiate it from AirScript source like so:

const myStark = new instantiateScript(source, options, logger);

where:

  • source is the AirScript source code. If this parameter is a Buffer, it is expected to contain AirScript code in UTF8 format. If the parameter is a string, it is expected to be a path to a file containing AirScript code.
  • options is an optional parameter with additional STARK options.
  • logger is an optional logger. The default logger prints output to the console, but it can be replaced with anything that complies with the Logger interface.

STARK options

When provided, STARK options parameter should have the following form:

| Property | Description | | ------------------ | ----------- | | extensionFactor? | Number by which the execution trace is "stretched." Must be a power of 2 at least 2x of the constraint degree, but cannot exceed 32. This property is optional, the default is smallest power of 2 that is greater than 2 * constraint degree. | | exeQueryCount? | Number of queries of the execution trace to include into the proof. This property is optional; the default is 80; the max is 128. | | friQueryCount? | Number of queries of the columns of low degree proof to include into the proof. This property is optional; the default is 40; the max is 64. | | hashAlgorithm? | Hash algorithm to use when building Merkle trees for the proof. Currently, can be one of the following values: sha256, blake2s256. This property is optional; the default is sha256. | | wasm | A flag indicating whether to use WebAssembly optimizations. This proper is optional, the default is true. |

Note: WASM-optimization is available for certain finite fields and hash functions. If the field or the hash function you are using does not support WASM-optimization, a warning will be printed and its JavaScript equivalents will be used. In general, WASM optimization can speed up STARK proof time by 2x - 5x.

You can also instantiate a STARK from AirAssembly source, or even from an AirSchema object:

const myStark = new instantiate(source, component, options, logger);

where:

  • source is either Buffer with AirAssembly source code, a string that is a path to a file with AirAssembly source code, or an AirSchema object.
  • component is a name of the component within AirAssembly source from which the STARK is to be instantiated. If this parameter is omitted the default component will be instantiated.
  • options is an optional parameter with additional STARK options.
  • logger is an optional logger. The default logger prints output to the console, but it can be replaced with anything that complies with the Logger interface.

Generating proofs

Once you have a Stark object, you can start generating proofs using Stark.prove() method like so:

const proof = myStark.prove(assertions, inputs?, seed?);

where:

  • assertions is an array of Assertion objects (also called boundary constraints). These assertions specify register values at specific steps of a valid computation. At least 1 assertion must be provided.
  • inputs is an array of values initializing all declared inputs. This parameter must be provided only if the STARK requires inputs.
  • seed is an array of seed values for initializing execution trace. This parameter must be provided only if the STARK requires initialization from seed values.

Inputs

Handling of inputs deserves a bit more explanation.

If you've instantiated a STARK from AirScrip source, you don't need to worry about the seed parameter as AirScript does not support explicit trace initialization. However, STARKs instantiated from AirScript source always require inputs parameter. The shape of this parameter will depend on how you've defined your inputs (see AirScript documentation for more info).

For example, if your input declaration looks like this:

public input foo: element[1];

your inputs array will need to contain a single element which will be an array of values for input foo. For example:

[[1n, 2n]]

If you've declared more than one input, like so:

public input foo: element[1];
public input bar: element[1];

your inputs array will need to contain an array of values for each declared input. For example:

[[1n, 2n], [3n, 4n]]

Here, the [1n, 2n] values are assigned to input foo and [3n, 4n] values are assigned to input bar.

If you've declared nested inputs like so:

public input foo: element[1];
public input bar: element[1][1];

your inputs object may look like so:

[[1n, 2n], [[3n, 4n], [5n, 6n]]]

Here, for each value of foo, we need to provide a list of value for bar.

AirAssembly inputs

If you've instantiated a STARK from AirAssembly source, you may need to provide values for both inputs and seed parameters based on what is required by AirAssembly declaration. The inputs parameter requirements are defined via input registers, while seed parameter requirements are defined via trace initializer.

Verifying proofs

Once you've generated a proof, you can verify it using Stark.verify() method like so:

const result = myStark.verify(assertions, proof, publicInputs?);

where:

  • assertions is the same array of Assertion objects that was passed to the prove() method.
  • proof is the proof object that was generated by the prove() method.
  • publicInputs is an array of values for initializing all declared public inputs.

Verifying a proof basically attests to something like this:

If you start with some set of inputs (known to the prover), and run the computation for the specified number of steps, the execution trace generated by the computation will satisfy the specified assertions.

Assertions

Assertions (or boundary constraints) are objects that specify the exact value of a given mutable register at a given step. An assertion object has the following form:

interface Assertion {
    register: number;   // index of a mutable register
    step    : number;   // step in the execution trace
    value   : bigint;   // value that the register should have at the specified step
}

Performance

Some very informal benchmarks run on Intel Core i5-7300U @ 2.60GHz (single thread):

| STARK | Field Size | Degree | Registers | Steps | Proof Time | Proof Size | | ----------------------------- | :--------: | :----: | :-------: | :------------: | :--------: | :--------: | | MiMC | 128 bits | 3 | 1 | 213 | 1.3 sec | 95 KB | | MiMC | 128 bits | 3 | 1 | 217 | 23 sec | 147 KB | | MiMC | 256 bits | 3 | 1 | 213 | 11.5 sec | 108 KB | | MiMC | 256 bits | 3 | 1 | 217 | 230 sec | 165 KB | | Merkle Proof (Rescue, d=8) | 128 bits | 5 | 8 | 28 | 300 ms | 60 KB | | Merkle Proof (Rescue, d=16) | 128 bits | 5 | 8 | 29 | 600 ms | 72 KB | | Merkle Proof (Poseidon, d=8) | 128 bits | 8 | 12 | 29 | 900 ms | 74 KB | | Merkle Proof (Poseidon, d=16) | 128 bits | 8 | 12 | 210 | 1.8 sec | 84 KB |

STARKs in the above examples have security parameters set to provide ~96 bits security.

Note 1: Rescue and Poseidon hash function instantiations are not really "apples-to-apples" - refer to here and here for exact parameters.

Note 2: Currently, STARKs in 128-bit fields are able to take advantage of WebAssembly optimization, and thus, are much faster than STARKs in 256-bit fields.

References

This library is originally based on Vitalik Buterin's zk-STARK/MiMC tutorial. Other super useful resources:

Vitalik Buterin's blog series on zk-STARKs:

StarkWare's STARK Math blog series:

Other STARK libraries:

License

MIT © 2020 Guild of Weavers