Questions tagged [starks]

18 questions
10 votes, 1 answer

Why invent new hash functions for zero-knowledge proofs?

Recently, new hash functions were invented. Their primary purpose is serving the needs of zero-knowledge proof systems. I'm talking about Poseidon-256, Starkad-256, etc. See the paper. What is the main advantage of those hash functions against…
Paul Miller
4 votes, 1 answer

Transparent Setup of SNARKs

The STARKs paper states Third, and most important, ZK-PCPs are transparent (or “public randomness” ), which means that the randomness used by the verifier is public; in particular, setting up a ZK-PCP requires no external trusted setup…
Cryptonaut
3 votes, 0 answers

It is possible to verify the computation of a hash function without actually proving it in zero knowledge?

Let me first introduce the context: Let's say that we have a hash function evaluation: $$h = H(x, y),$$ where $x$ and $y$ are the public and the private input of the hash function $H$, respectively. Then, if I want to prove to someone that this…
3 votes, 1 answer

Use zk-STARK for post-quantum signature scheme?

Could you not use zk-STARK for a post-quantum signature scheme? Your private key is a random symmetric encryption key, your public key is the hash of the encryption key. To sign you run an algorithm to encrypt a hash of data-to-be-signed with your…
3 votes, 1 answer

STARKs for arbitrary computation

I have been reading Vitalik's series on STARKs recently (Part 1, 2 and 3). It is a nice and very understandable read for a layman like me. Brutal summary of my current understanding Vitalik outlines the following technique to prove the correctness…
Matteo Monti
2 votes, 1 answer

Why are zk-STARK quantum secure?

I have a rough idea of how STARKs work, but I want to know which part makes them quantum secure. Is it because when the prover generates the proof they use the random number from the Merkle root, which cannot be guessed by a quantum algorithm?
2 votes, 1 answer

Is the STARK Curve a SafeCurve?

SafeCurves defines criteria for choosing safe curves in elliptic-curve cryptography. STARK Curve defines a Stark-friendly elliptic curve that can be used with ECDSA. I was wondering: Is the STARK Curve a SafeCurve?
oberstet
2 votes, 0 answers

Assumptions underlying the soundness of STARKs

STARKs have recently received quite a lot of attention due to their small proof size and supposedly simple assumptions. The paper introduction itself seems to mainly state that their construction is solely based on collision-resistant hash…
Cryptonaut
2 votes, 0 answers

The state of the art in zero-knowledge proofs

I am not aware of modern cryptographic protocols, hence my next questions may be too stupid for experts. If so, I am sorry in advance. Instead, I am an academic researcher in (fast secure implementation of) elliptic curve cryptography, so I want to…
2 votes, 1 answer

Unable to understand Eli Ben Sasson's STARK arithmetization & proof example

This is from this video - https://www.youtube.com/watch?v=9VuZvdxFZQo Bob has a list of length $10^6$. Bob wants to convince Alice that every number in the list is between 1 & 10. Alice needs to verify it with just 2 queries & 99% certainty. This is…
user93353
2 votes, 1 answer

Generic name for R1CS vs. AIR

In the zero-knowledge cryptography nomenclature, we have multiple representations of arbitrary computation suitable for submission to various proof backends (e.g. Groth16). Two specific examples spring to mind: rank-1 constraint systems (R1CS) and…
jmcph4
1 vote, 1 answer

Why Zk-SNARKs are Argument of Knowledge if a Knowledge Extractor exists?

From what I know, proving the existence of a Knowledge Extractor implies perfect soundness. So why in zk-SNARKs (and similar) we talk about Arguments of Knowledge, where the soundness property is only computational (a.k.a, secure only from…
1 vote, 1 answer

Linear combination IOP for SNARK registers

The STARK paper says Our ZK-STARK uses a separate Reed-Solomon codeword for each register, leading to w many codewords, each of lower degree n · c. At first glance this tradeoff may seem wasteful, because we now have to solve an RPT problem for…
Daniel Lubarov
1 vote, 1 answer

How does the verification step operations using FRI polynomial commitments in zk-STARKs?

I have been going through the lectures in ZKP MOOC here youtube series. I am trying to understand the zk-STARKs discussed in video ZKP MOOC Lecture 8: FRI-based Polynomial Commitments and Fiat-Shamir. In this video, the lecturer discusses zk-STARK…
1 vote, 0 answers

ZK-STARK soundness

I've been reading about ZK-STARK. There's an example that appears in several blogs. The most detailed explanation of that specific example which I have found so far is in this blog. The description of the example (the requirement) is: Suppose that…