def verify_mimc_proof(inp, logsteps, logprecision, output, proof): p_root, d_root, branches, p_proof, d_proof = proof start_time = time.time() steps = 2**logsteps precision = 2**logprecision # Get (steps)th root of unity root_of_unity = pow(7, (modulus - 1) // precision, modulus) skips = precision // steps # Verifies the low-degree proofs assert verify_low_degree_proof(p_root, root_of_unity, p_proof, steps) assert verify_low_degree_proof(d_root, root_of_unity, d_proof, steps * 2) # Performs the spot checks samples = spot_check_security_factor // (logprecision - logsteps) positions = get_indices(blake(p_root + d_root), precision - skips, samples) for i, pos in enumerate(positions): # Check C(P(x)) = Z(x) * D(x) x = pow(root_of_unity, pos, modulus) p_of_x = verify_branch(p_root, pos, branches[i * 3]) p_of_rx = verify_branch(p_root, pos + skips, branches[i * 3 + 1]) d_of_x = verify_branch(d_root, pos, branches[i * 3 + 2]) zvalue = f.div( pow(x, steps, modulus) - 1, x - pow(root_of_unity, (steps - 1) * skips, modulus)) assert (p_of_rx - p_of_x**3 - x - zvalue * d_of_x) % modulus == 0 print('Verified %d consistency checks' % (spot_check_security_factor // (logprecision - logsteps))) print('Verified STARK in %.4f sec' % (time.time() - start_time)) return True
def verify_mimc_proof(inp, steps, round_constants, output, proof): p_root, d_root, b_root, l_root, branches, fri_proof = proof start_time = time.time() assert steps <= 2**32 // extension_factor assert is_a_power_of_2(steps) and is_a_power_of_2(len(round_constants)) assert len(round_constants) < steps precision = steps * extension_factor # Get (steps)th root of unity G2 = f.exp(7, (modulus-1)//precision) skips = precision // steps # Gets the polynomial representing the round constants skips2 = steps // len(round_constants) constants_mini_polynomial = fft(round_constants, modulus, f.exp(G2, extension_factor * skips2), inv=True) # Verifies the low-degree proofs assert verify_low_degree_proof(l_root, G2, fri_proof, steps * 2, modulus, exclude_multiples_of=extension_factor) # Performs the spot checks k1 = int.from_bytes(blake(p_root + d_root + b_root + b'\x01'), 'big') k2 = int.from_bytes(blake(p_root + d_root + b_root + b'\x02'), 'big') k3 = int.from_bytes(blake(p_root + d_root + b_root + b'\x03'), 'big') k4 = int.from_bytes(blake(p_root + d_root + b_root + b'\x04'), 'big') samples = spot_check_security_factor positions = get_pseudorandom_indices(l_root, precision, samples, exclude_multiples_of=extension_factor) last_step_position = f.exp(G2, (steps - 1) * skips) for i, pos in enumerate(positions): x = f.exp(G2, pos) x_to_the_steps = f.exp(x, steps) p_of_x = verify_branch(p_root, pos, branches[i*5]) p_of_g1x = verify_branch(p_root, (pos+skips)%precision, branches[i*5 + 1]) d_of_x = verify_branch(d_root, pos, branches[i*5 + 2]) b_of_x = verify_branch(b_root, pos, branches[i*5 + 3]) l_of_x = verify_branch(l_root, pos, branches[i*5 + 4]) zvalue = f.div(f.exp(x, steps) - 1, x - last_step_position) k_of_x = f.eval_poly_at(constants_mini_polynomial, f.exp(x, skips2)) # Check transition constraints C(P(x)) = Z(x) * D(x) assert (p_of_g1x - p_of_x ** 3 - k_of_x - zvalue * d_of_x) % modulus == 0 # Check boundary constraints B(x) * Q(x) + I(x) = P(x) interpolant = f.lagrange_interp_2([1, last_step_position], [inp, output]) zeropoly2 = f.mul_polys([-1, 1], [-last_step_position, 1]) assert (p_of_x - b_of_x * f.eval_poly_at(zeropoly2, x) - f.eval_poly_at(interpolant, x)) % modulus == 0 # Check correctness of the linear combination assert (l_of_x - d_of_x - k1 * p_of_x - k2 * p_of_x * x_to_the_steps - k3 * b_of_x - k4 * b_of_x * x_to_the_steps) % modulus == 0 print('Verified %d consistency checks' % spot_check_security_factor) print('Verified STARK in %.4f sec' % (time.time() - start_time)) return True
def verify_mimc_proof(inp, logsteps, logprecision, output, proof): p_root, d_root, k_root, l_root, branches, fri_proof = proof start_time = time.time() steps = 2**logsteps precision = 2**logprecision # Get (steps)th root of unity root_of_unity = pow(7, (modulus-1)//precision, modulus) skips = precision // steps # Verifies the low-degree proofs assert verify_low_degree_proof(l_root, root_of_unity, fri_proof, steps * 2) # Performs the spot checks k = int.from_bytes(blake(p_root + d_root), 'big') samples = spot_check_security_factor // (logprecision - logsteps) positions = get_indices(l_root, precision - skips, samples) for i, pos in enumerate(positions): # Check C(P(x)) = Z(x) * D(x) x = pow(root_of_unity, pos, modulus) p_of_x = verify_branch(p_root, pos, branches[i*5]) p_of_rx = verify_branch(p_root, pos+skips, branches[i*5 + 1]) d_of_x = verify_branch(d_root, pos, branches[i*5 + 2]) k_of_x = verify_branch(k_root, pos, branches[i*5 + 3]) l_of_x = verify_branch(l_root, pos, branches[i*5 + 4]) zvalue = f.div(pow(x, steps, modulus) - 1, x - pow(root_of_unity, (steps - 1) * skips, modulus)) assert (p_of_rx - p_of_x ** 3 - k_of_x - zvalue * d_of_x) % modulus == 0 assert (l_of_x - d_of_x - k * p_of_x * pow(x, steps, modulus)) % modulus == 0 print('Verified %d consistency checks' % (spot_check_security_factor // (logprecision - logsteps))) print('Verified STARK in %.4f sec' % (time.time() - start_time)) print('Note: this does not include verifying the Merkle root of the constants tree') print('This can be done by every client once as a precomputation') return True
def verify_low_degree_proof(merkle_root, root_of_unity, proof, maxdeg_plus_1, modulus, exclude_multiples_of=0): f = PrimeField(modulus) # Calculate which root of unity we're working with testval = root_of_unity roudeg = 1 while testval != 1: roudeg *= 2 testval = (testval * testval) % modulus # Powers of the given root of unity 1, p, p**2, p**3 such that p**4 = 1 quartic_roots_of_unity = [1, f.exp(root_of_unity, roudeg // 4), f.exp(root_of_unity, roudeg // 2), f.exp(root_of_unity, roudeg * 3 // 4)] # Verify the recursive components of the proof for prf in proof[:-1]: root2, branches = prf print('Verifying degree <= %d' % maxdeg_plus_1) # Calculate the pseudo-random x coordinate special_x = int.from_bytes(merkle_root, 'big') % modulus # Calculate the pseudo-randomly sampled y indices ys = get_pseudorandom_indices(root2, roudeg // 4, 40, exclude_multiples_of=exclude_multiples_of) # For each y coordinate, get the x coordinates on the row, the values on # the row, and the value at that y from the column xcoords = [] rows = [] columnvals = [] for i, y in enumerate(ys): # The x coordinates from the polynomial x1 = f.exp(root_of_unity, y) xcoords.append([(quartic_roots_of_unity[j] * x1) % modulus for j in range(4)]) # The values from the original polynomial row = [verify_branch(merkle_root, y + (roudeg // 4) * j, prf) for j, prf in zip(range(4), branches[i][1:])] rows.append(row) columnvals.append(verify_branch(root2, y, branches[i][0])) # Verify for each selected y coordinate that the four points from the # polynomial and the one point from the column that are on that y # coordinate are on the same deg < 4 polynomial polys = f.multi_interp_4(xcoords, rows) for p, c in zip(polys, columnvals): assert f.eval_quartic(p, special_x) == c # Update constants to check the next proof merkle_root = root2 root_of_unity = f.exp(root_of_unity, 4) maxdeg_plus_1 //= 4 roudeg //= 4 # Verify the direct components of the proof data = [int.from_bytes(x, 'big') for x in proof[-1]] print('Verifying degree <= %d' % maxdeg_plus_1) assert maxdeg_plus_1 <= 16 # Check the Merkle root matches up mtree = merkelize(data) assert mtree[1] == merkle_root # Check the degree of the data powers = get_power_cycle(root_of_unity, modulus) if exclude_multiples_of: pts = [x for x in range(len(data)) if x % exclude_multiples_of] else: pts = range(len(data)) poly = f.lagrange_interp([powers[x] for x in pts[:maxdeg_plus_1]], [data[x] for x in pts[:maxdeg_plus_1]]) for x in pts[maxdeg_plus_1:]: assert f.eval_poly_at(poly, powers[x]) == data[x] print('FRI proof verified') return True
def verify_low_degree_proof(merkle_root, root_of_unity, proof, maxdeg_plus_1): # Calculate which root of unity we're working with testval = root_of_unity roudeg = 1 while testval != 1: roudeg *= 2 testval = (testval * testval) % modulus # Verify the recursive components of the proof for prf in proof[:-1]: root2, branches = prf print('Verifying degree <= %d' % maxdeg_plus_1) # Calculate the pseudo-random x coordinate special_x = int.from_bytes(merkle_root, 'big') % modulus # Calculate the pseudo-randomly sampled y indices ys = get_indices(root2, roudeg // 4, 40) # Verify for each selected y coordinate that the four points from the polynomial # and the one point from the column that are on that y coordinate are on the same # deg < 4 polynomial for i, y in enumerate(ys): # The x coordinates from the polynomial x1 = pow(root_of_unity, y, modulus) xcoords = [(quartic_roots_of_unity[j] * x1) % modulus for j in range(4)] # The values from the polynomial row = [verify_branch(merkle_root, y + (roudeg // 4) * j, prf) for j, prf in zip(range(4), branches[i][1:])] # Verify proof and recover the column value values = [verify_branch(root2, y, branches[i][0])] + row # Lagrange interpolate and check deg is < 4 p = lagrange_interp_4(row, xcoords, modulus) assert f.eval_poly_at(p, special_x) == verify_branch(root2, y, branches[i][0]) # Update constants to check the next proof merkle_root = root2 root_of_unity = pow(root_of_unity, 4, modulus) maxdeg_plus_1 //= 4 roudeg //= 4 # Verify the direct components of the proof data = [int.from_bytes(x, 'big') for x in proof[-1]] print('Verifying degree <= %d' % maxdeg_plus_1) assert maxdeg_plus_1 <= 32 # Check the Merkle root matches up mtree = merkelize(data) assert mtree[1] == merkle_root # Check the degree of the data poly = fft(data, modulus, root_of_unity, inv=True) for i in range(maxdeg_plus_1, len(poly)): assert poly[i] == 0 print('FRI proof verified') return True
def test_merkletree(): t = merkelize(range(128)) b = mk_branch(t, 59) assert verify_branch(t[1], 59, b) == 59 print('Merkle tree works')
def test_merkletree(): t = merkelize([x.to_bytes(32, 'big') for x in range(128)]) b = mk_branch(t, 59) assert verify_branch(t[1], 59, b, output_as_int=True) == 59 print('Merkle tree works')