deploy: 7c86f8e

rfcs/starknet/channel.html

@@ -77,6 +77,8 @@
     </section>
     <section>
 <h2>Overview</h2>
+<aside class="warning">This specification is work-in-progress.</aside>
+
 <p>A channel is an object that mimics the communication channel between the prover and the verifier, and is used to abstract the <a href="https://en.wikipedia.org/wiki/Fiat%E2%80%93Shamir_heuristic">Fiat-Shamir transformation</a> used to make the protocol non-interactive.</p>
 <p>The Fiat-Shamir transformation works on public-coin protocols, in which the messages of the verifier are pure random values. To work, the Fiat-Shamir transformation replaces the verifier messages with a hash function applied over the transcript up to that point.</p>
 <p>A channel is initialized at the beginning of the protocol, and is instantiated with a hash function. It is implemented as a continuous hash that "absorbs" every prover messages and which output can be used to produce the verifier's challenges.</p>

rfcs/starknet/fri.html

@@ -79,6 +79,8 @@
     </section>
     <section>
 <h2>Overview</h2>
+<aside class="warning">This specification is work-in-progress.</aside>
+
 <p>We briefly give an overview of the FRI protocol, before specifying how it is used in the StarkNet protocol.</p>
 <section>
 <h3>FRI</h3>
@@ -355,7 +357,6 @@ <h3>FRI constants</h3>
 <p><strong><code>MAX_LAST_LAYER_LOG_DEGREE_BOUND = 15</code></strong>. TKTK</p>
 <p><strong><code>MAX_FRI_LAYERS = 15</code></strong>. The maximum number of layers in the FRI protocol. This means that the protocol can test that committed polynomials exist and are of degree at most <math xmlns="http://www.w3.org/1998/Math/MathML" display="inline"><mrow><msup><mn>2</mn><mrow><mn>15</mn></mrow></msup></mrow></math>. (TODO: double check)</p>
 <p><strong><code>MAX_FRI_STEP = 4</code></strong>. The maximum number of layers that can be skipped in FRI (see the overview for more details).</p>
-<p><strong><code>MONTGOMERY_R = 3618502788666127798953978732740734578953660990361066340291730267701097005025</code></strong>. The Montgomery form of <math xmlns="http://www.w3.org/1998/Math/MathML" display="inline"><mrow><msup><mn>2</mn><mrow><mn>256</mn></mrow></msup><mspace width="1em" /><mi>mod</mi><mspace width="0.333em" /><mtext>STARK_PRIME</mtext></mrow></math>:</p>
 </section>
 <section>
 <h3>TODO: Step generators</h3>

rfcs/starknet/merkle.html

@@ -77,14 +77,20 @@
     </section>
     <section>
 <h2>Overview</h2>
+<aside class="warning">This specification is work-in-progress.</aside>
+
 <p>Commitments of polynomials are done using <a href="https://en.wikipedia.org/wiki/Merkle_tree">Merkle trees</a>. The Merkle trees can be configured to hash some parameterized number of the lower layers using a circuit-friendly hash function (Poseidon).</p>
+</section>
+<section>
+<h2>Dependencies</h2>
 <ul>
-<li>TODO: why montgomery form?</li>
+<li>the verifier-friendly hash is <code>hades_permutation(s1, s2, 2)</code> always setting the last field element to <math xmlns="http://www.w3.org/1998/Math/MathML" display="inline"><mrow><mn>2</mn></mrow></math></li>
+<li>the default hash is either keccak256 or blake2s</li>
 </ul>
 </section>
 <section>
-<h2>Dependencies</h2>
-<p>TODO: hash</p>
+<h2>Constants</h2>
+<p><strong><code>MONTGOMERY_R = 3618502788666127798953978732740734578953660990361066340291730267701097005025</code></strong>. The Montgomery form of <math xmlns="http://www.w3.org/1998/Math/MathML" display="inline"><mrow><msup><mn>2</mn><mrow><mn>256</mn></mrow></msup><mspace width="1em" /><mi>mod</mi><mspace width="0.333em" /><mtext>STARK_PRIME</mtext></mrow></math>.</p>
 </section>
 <section>
 <h2>Vector commitments</h2>
@@ -101,6 +107,7 @@ <h2>Table commitments</h2>
 <li>the composition polynomial in the <a href="stark.html">STARK verifier specification</a> is a table commitment where each leaf is a hash of the evaluations of the composition polynomial columns at the same point</li>
 <li>the FRI layer commitments in the <a href="fri.html">FRI verifier specification</a> are table commitments where each leaf is a hash of the evaluations of the FRI layer columns at associated points (e.g. <math xmlns="http://www.w3.org/1998/Math/MathML" display="inline"><mrow><mi>v</mi></mrow></math> and <math xmlns="http://www.w3.org/1998/Math/MathML" display="inline"><mrow><mo>&#x02212;</mo><mi>v</mi></mrow></math>)</li>
 </ul>
+<p>Note that values are multiplied to the <code>MONTGOMERY_R</code> constant before being hashed as leaves in the tree. TODO: explain why</p>
 </section>
 <section>
 <h2>Index to Path Conversion</h2>

rfcs/starknet/stark.html

@@ -77,6 +77,8 @@
     </section>
     <section>
 <h2>Overview</h2>
+<aside class="warning">This specification is work-in-progress.</aside>
+
 <p>In this section we give an overview of the STARK protocol.</p>
 <aside class="note">Note that the protocol implemented closely resembles the high-level explanations of the <a href="https://eprint.iacr.org/2021/582">ethSTARK paper</a>, as such we refer to it in places.</aside>
 

source/starknet/channel.md

@@ -9,6 +9,8 @@ tags: ["starknet", "fiat-shamir"]
 
 ## Overview
 
+<aside class="warning">This specification is work-in-progress.</aside>
+
 A channel is an object that mimics the communication channel between the prover and the verifier, and is used to abstract the [Fiat-Shamir transformation](https://en.wikipedia.org/wiki/Fiat%E2%80%93Shamir_heuristic) used to make the protocol non-interactive.
 
 The Fiat-Shamir transformation works on public-coin protocols, in which the messages of the verifier are pure random values. To work, the Fiat-Shamir transformation replaces the verifier messages with a hash function applied over the transcript up to that point.

source/starknet/fri.md

@@ -13,6 +13,8 @@ tags: ["starknet", "fri"]
 
 ## Overview
 
+<aside class="warning">This specification is work-in-progress.</aside>
+
 We briefly give an overview of the FRI protocol, before specifying how it is used in the StarkNet protocol.
 
 ### FRI
@@ -356,8 +358,6 @@ We use the following constants throughout the protocol.
 
 **`MAX_FRI_STEP = 4`**. The maximum number of layers that can be skipped in FRI (see the overview for more details).
 
-**`MONTGOMERY_R = 3618502788666127798953978732740734578953660990361066340291730267701097005025`**. The Montgomery form of $2^{256} \mod \text{STARK_PRIME}$:
-
 ### TODO: Step generators
 
 * we are in a coset, so a fixed value `g=3` is chosen

source/starknet/merkle.md

@@ -9,13 +9,18 @@ tags: ["starknet", "PCS", "Merkle tree", "hash-based commitments"]
 
 ## Overview
 
-Commitments of polynomials are done using [Merkle trees](https://en.wikipedia.org/wiki/Merkle_tree). The Merkle trees can be configured to hash some parameterized number of the lower layers using a circuit-friendly hash function (Poseidon).
+<aside class="warning">This specification is work-in-progress.</aside>
 
-* TODO: why montgomery form?
+Commitments of polynomials are done using [Merkle trees](https://en.wikipedia.org/wiki/Merkle_tree). The Merkle trees can be configured to hash some parameterized number of the lower layers using a circuit-friendly hash function (Poseidon).
 
 ## Dependencies
 
-TODO: hash
+* the verifier-friendly hash is `hades_permutation(s1, s2, 2)` always setting the last field element to $2$
+* the default hash is either keccak256 or blake2s
+
+## Constants
+
+**`MONTGOMERY_R = 3618502788666127798953978732740734578953660990361066340291730267701097005025`**. The Montgomery form of $2^{256} \mod \text{STARK_PRIME}$.
 
 ## Vector commitments
 
@@ -35,6 +40,8 @@ A few examples:
 * the composition polynomial in the [STARK verifier specification](stark.html) is a table commitment where each leaf is a hash of the evaluations of the composition polynomial columns at the same point
 * the FRI layer commitments in the [FRI verifier specification](fri.html) are table commitments where each leaf is a hash of the evaluations of the FRI layer columns at associated points (e.g. $v$ and $-v$)
 
+Note that values are multiplied to the `MONTGOMERY_R` constant before being hashed as leaves in the tree. TODO: explain why
+
 ## Index to Path Conversion
 
 Random evaluation of the polynomial might produce an index in the range $[0, 2^h)$ with $h$ the height of the tree. Due to the way the tree is indexed, we have to convert that index into a path. To do that, the index is added with the value $2^h$ to set its MSB.
@@ -57,4 +64,4 @@ In the following example, the height of the table commitment is $6$ (and the hei
 
 ### Note on commitment multiple evaluations under the same leaf
 
-TKTK
+TKTK

source/starknet/stark.md

@@ -9,6 +9,8 @@ tags: ["starknet", "stark", "ethSTARK"]
 
 ## Overview
 
+<aside class="warning">This specification is work-in-progress.</aside>
+
 In this section we give an overview of the STARK protocol.
 
 <aside class="note">Note that the protocol implemented closely resembles the high-level explanations of the <a href="https://eprint.iacr.org/2021/582">ethSTARK paper</a>, as such we refer to it in places.</aside>