STARKs 101

Trace - $a$

Generator of G - $g$

Trace Polynomial - $f(x)$

Constraints on ${a_n}$ that needs to be satisfied in order to convince the verifier of our statement

$a_0 = 1$

$a_{1022} = 2338775057$

$a_{n+2} = a_{n+1}^2 + a_n^2$

The first reduction is to convert the constraints on ${a_n}$ to constraints on the trace polynomial $f(x)$.

$a_0 = 1$ is the same as saying $f(x) = 1$, where $x$ is $g^0$.

Similarly, $a_{1022} = 2338775057$ can be thought of as $f(x) = 2338775057$ where $x = g^{1022}$

Lastly, the constraint $a_{n+2} = a_{n+1}^2 + a_n^2$ can be converted to:

$f(g^2x) = f(gx)^2 + f(x)^2$ for $x = g^i$, $0 \leq i \leq 1020$

So, instead of saying $f(x) = 1$ for $x = g^0$, we could also reframe that as:

$f(x) - 1 = 0$, for $x = g^0$

Similarly, $f(x) - 2338775057 = 0$, for $x = g^{1022}$

And lastly, $f(g^2x) - f(gx)^2 - f(x)^2 = 0$, for $x = g^i$, $0 \leq i \leq 1020$

So this basically means for the first constraint polynomial in this reduction, $g^0$ is a root

For the second constraint polynomial in this reduction, $g^{1022}$ is a root

For the last constraint polynomial in this reduction, $g^i$, $0 \leq i \leq 1020$ are the roots

Given the theorem that if $(x-z)$ divides $p(x)$ then $z$ is a root of $p(x)$, the above reduction can be boiled down to the following:

$g^0$ is a root of $f(x) - 1$ can be written as:

$(f(x) - 1) / (x - g^0)$ is a polynomial

$g^{1022}$ is a root of $f(x) - 2338775057$ can be written as:

$(f(x) - 2338775057) / (x - g^{1022})$ is a polynomial

$(f(g^2x) - f(gx)^2 - f(x)^2) / \prod_{i=0}^{1020}(x - g^i)$

$\prod_{i=0}^{1023}(x-g^i)$ can be written as $x^{1024} - 1$

Now notice there is a difference in the $i$ values of pi. So to make it equivalent to $p_2x$ we divide the polynomial in 6 by the added $i$ value polynomials.

$p_0(x)$,$p_1(x)$,$p_2(x)$ are polynomials

$CP = \alpha_0.p_0(x) + \alpha_1.p_1(x) + \alpha_2.p_2(x)$

Where all the $\alpha$ are random field elements

$CP$ is a polynomial $\iff$ all $p_i$'s are polynomials

The goal here is to show that $CP$ is a polynomial which in turn will prove that all the constraints are satisfied and our initial statement was true.

We won't prove that $CP$ is a polynomial

We will prove that $CP$ is close to a polynomial of low degree.

The distance between function $f$ and polynomial $P$ is the number of points where $f(x) \neq p(x)$

For example, here the $f(x)$ and $p(x)$ disagree on 5 points, so the distance between them is 5.

So, a function $f$ is close to a polynomial $p$ if $D(f,p)$ is small.

Our goal is to prove that the $CP$ is close to a polynomial of low degree. AND WE ACHIEVE THAT VIA FRI PROTOCOL.

Receive random $\beta$

As you can see above, $CP(x)$ keeps on getting halved until we have to prove $deg(CP_{10}) < 1$ and Domain is also less (8).

The verifier stops sending random $\beta$ values now since a polynomial that is bounded by degree 1 is actually a constant.

Each polynomial $P(x)$ can be split into an even and odd part like this:

$P(x) = g(x^2) + xh(x^2)$

Here's an example of the split $P_0(x) = 5x^5 + 3x^4 + 7x^3 + 2x^2 + x + 3$

It will be split into $g$ and $xh$ in the following fashion:

$g(x^2) = 3x^4 + 2x^2 + 3$

$xh(x^2) = 5x^5 + 7x^3 + x$

Now we receive the random $\beta$. This is what convinces the verifier that the prover didn't cheat, bc this can convince the verifier that the prover did not calculate the values in advance.

$P_1(y) = g(y) + \beta h(y)$

Now $g(y) = 3y_2 + 2y + 3$

And $h(y) = 5y_2 + 7y + 1$

So, $P_1(y) = (3 + 5\beta)y^2 + (2 + 7\beta)y + 3 + \beta$

Therefore, $deg(P_1) \leq deg(P_0)/2$

Then in Ch3 we applied the FRI protocol to prove that CP was close to a polynomial of a low-degree and we committed each layer of FRI, ie, $CP_1$ Root, $CP_2$ Root, ...., $CP_{10}$ Root.

Now how this would work out is, that the verifier will send $q$ random elements and the prover will provide a validation data for each.

For that, the prover will send $f(x)$, $f(gx)$, $f(g^2x)$ for a given $x$.

This is enough information for the verifier to themselves calculate $CP_0(x)$, based on the formula below

$CP_{i+1}(x^2) = g(x^2) + \beta h(x^2)$

And both $g(x^2)$ and $h(x^2)$ can be calculated only via $CP_i(x)$ and $CP_i(-x)$ like this:

Therefore, the verifier can computer $CP_{i+1}(x^2)$ by only getting $CP_i(x)$ and $CP_i(-x)$ from the prover

Assuming that step 8 is clear, then the prover will send the value of $CP_1(-x^2)$ and from that value and from the $CP_1(x^2)$ calculated in step 8, the verifier will be able to check the value of $CP_2(x^4)$ and on and on until $CP_{10}$.

The prover is sending out these elements such as $f(x)$, $f(gx)$, $f(g^2)$, but remember we did not commit these individual elements but rather the hash of the merkle tree root, so how do we convince the verifier that we did indeed commit these elements into the Merkle tree?

So, if you look at the left side (commitment), we are sending order of $log(n)$ elements in the commitment phase and then for a single query $q$, we are sending order of $log(n)$ path (from Merkle leaf to root). So, overall complexity is $O(log^2n)$

Now, for $q$ different queries, we need to send data in order of: $q * O(log^2n)$. But since $q$ is constant, the data remains of order $O(log^2n)$.