Lior Goldberg

CR · 3 papers · 97 citations · Novelty 38% · AI Score 39

3 Papers

61.3 · CR · Jun 3
Formal verification of the S-two AIR

Jeremy Avigad, Anat Ganor, Lior Goldberg et al.

StarkWare's S-two prover provides an efficient means for establishing, on blockchain, that a program written in the Cairo virtual machine language runs to completion. The latter claim is encoded by an algebraic intermediate representation (AIR) that captures the semantics of the Cairo language. The AIR asserts the existence of tables of values from a finite field satisfying certain algebraic constraints. A cryptographic interactive proof system, circle STARK, provides an efficiently-checked certificate that the AIR is satisfied. We describe our verification, using the Lean 4 proof assistant, that the AIR encoding is sound, which is to say, the satisfiability of the AIR implies the computational claim.

CR · Sep 29, 2021
A verified algebraic representation of Cairo program execution

Jeremy Avigad, Lior Goldberg, David Levit et al.

Cryptographic interactive proof systems provide an efficient and scalable means of verifying the results of computation on blockchain. A prover constructs a proof, off-chain, that the execution of a program on a given input terminates with a certain result. The prover then publishes a certificate that can be verified efficiently and reliably modulo commonly accepted cryptographic assumptions. The method relies on an algebraic encoding of execution traces of programs. Here we report on a verification of the correctness of such an encoding of the Cairo model of computation with respect to the STARK interactive proof system, using the Lean 3 proof assistant.

CC · Mar 28, 2019
DEEP-FRI: Sampling outside the box improves soundness

Eli Ben-Sasson, Lior Goldberg, Swastik Kopparty et al.

Motivated by the quest for scalable and succinct zero knowledge arguments, we revisit worst-case-to-average-case reductions for linear spaces, raised by [Rothblum, Vadhan, Wigderson, STOC 2013]. We first show a sharp quantitative form of a theorem which says that if an affine space $U$ is $δ$-far in relative Hamming distance from a linear code $V$ - this is the worst-case assumption - then most elements of $U$ are almost $δ$-far from $V$ - this is the average case. This leads to an optimal analysis of the soundness of the FRI protocol of [Ben-Sasson et al., eprint 2018] for proving proximity to Reed-Solomon codes. To further improve soundness, we sample outside the box. We suggest a new protocol which asks a prover for values of a polynomial at points outside the domain of evaluation of the Reed-Solomon code. We call this technique Domain Extending for Eliminating Pretenders (DEEP). We use the DEEP technique to devise two new protocols: (1) An Interactive Oracle Proof of Proximity (IOPP) for RS codes, called DEEP-FRI. The soundness of the protocol improves upon that of the FRI protocol while retaining linear arithmetic proving complexity and logarithmic verifier arithmetic complexity. (2) An Interactive Oracle Proof (IOP) for the Algebraic Linking IOP (ALI) protocol used to construct zero knowledge scalable transparent arguments of knowledge (ZK-STARKs) in [Ben-Sasson et al., eprint 2018]. The new protocol, called DEEP-ALI, improves soundness of this crucial step from a small constant $< 1/8$ to a constant arbitrarily close to $1$.