Winterfell: A STARK prover and verifier
- We’re releasing Winterfell, our implementation of a STARK Prover / Verifier for Crates.io
- Winterfell is an easy-to-use, open source implementation of STARKs for security and privacy applications.
- One potential application for Winterfell’s zero-knowledge evidence is the privacy and scalability of the blockchain.
“Any sufficiently advanced technology is indistinguishable from magic.” —The third law of Clarke
What if the average developer could benefit from evidence of Computational Integrity (CI) that would normally require a deep understanding of cryptography to implement?
CI proofs, of which Zero Knowledge Proofs (ZKPs) are a subset, are a cryptographic technology that allows you to do seemingly impossible things. For example, you can do a calculation and get a result. You can then use CI evidence to convince anyone that you did the calculation correctly without them having to do the calculation again. And you can check this accuracy in a few milliseconds, regardless of how complex or lengthy the original calculation was. In order to make the performance of CI proofs accessible to the general public, we developed Winterfell, a universal STARK (Scalable Transparent Arguments of Knowledge) examiner and verifier. We are happy to release version v0.1 of the library on crates.io.
Another important property of this CI evidence is the ability to hide some (or all) of the inputs that were used to perform the calculation. This is the zero knowledge aspect. For example, you can prove that a number falls within a certain range without revealing the exact value of the number (these types of evidence are usually called range evidence). Or you could do something as complex as comparing two sequences of numbers, a public one and a private one (known only to you), and proving to everyone beyond doubt that there is a match or not between them.
The magic of the ZKPs
The general ideas behind ZKPs were developed as early as the 1980s, but this area of cryptography has interest explodes Lately driven in part by emerging applications in the blockchain space. Over a dozen new test systems have appeared in the past few years. Some of them have even been used in manufacturing where tens of billions of dollars depend on their security properties. However, ZKPs are far from mainstream, mainly for two reasons:
- Until recently, the use of ZKPs in applications required experienced cryptographers with many years of experience. The situation is a little better now as there are a lot of relatively accessible materials and more projects trying to make ZKPs accessible to the average developer. But even today, even for experienced software engineers to understand different test systems and the compromises that come with them, it requires deep know-how and / or a steep learning curve.
- While the verification of a ZK proof is extremely fast and requires very few computing resources, the generation of a proof is a computationally intensive process. It can take seconds or even minutes (or many CPU cores) to build evidence for even relatively simple calculations. Only relatively recent advances in cryptography and implementation improvements have made a large part of the calculations for ZKPs practical. And work is ongoing to expand the set of computations for which evidence is feasible.
We developed Winterfell to fill these loopholes and make ZKPs available to regular developers.
Winterfell is here
Winterfell is a universal STARK reviewer and verifier, written in rust at Novi research. General purpose means that Winterfell can produce CI proofs for every calculation. Basically, for any program that can be described with a Turing-complete language, we can use Winterfell to generate CI evidence (although this would be much easier for some programs than others).
Winterfell uses STARKs, a proof-of-computation scheme developed by Eli Ben-Sasson, Michael Riabzev et al. Compared to many other CI test systems, STARKs have a number of attractive properties, including:
- STARKs are based on very few cryptographic assumptions. In fact, the only cryptographic primitive we need to make STARKs work is a collision-resistant hash function (e.g. SHA256). This also makes STARKs resistant to potential attacks from opponents with quantum computers.
- In contrast to many other test systems, STARKs are completely transparent. This means we don’t have to go through complicated trustworthy setup ceremonies to start using STARKs. Trusted setups are a potential vulnerability in other zero-knowledge protocols because a compromised trusted setup allows attackers to create falsified CI evidence. STARKs are immune to this.
- Compared to other systems, the STARK evidence generation is extremely fast when it comes to uniform calculations or calculations with regular structures. Fortunately, the vast majority of programs people write have such regular structures. In addition, pretty much every single step of the STARK proof generation process can be massively parallelized. We can often accelerate the generation of proofs by distributing them to more and more CPU cores.
None of the individual characteristics listed above are unique to STARKs. However, no other test system combines lean cryptography, transparency and performance to the extent that STARKs do. Winterfell takes full advantage of these advantages while abstracting away most of the complexity. For example, the proof generation can be distributed over several CPU cores in order to drastically reduce the proof generation time (see our benchmarks here). In addition, we have plans to enable fully distributed proof generation across multiple machines and we have already started work in this direction.
Winterfell is not only powerful, but also highly configurable. This means that you can dynamically optimize almost all parameters of the STARK protocol in order to achieve specific performance and security goals. We are able to achieve such a high level of configurability without sacrificing performance or code clarity by relying on Rust’s zero-cost abstractions.
Lastly, and perhaps most importantly, you don’t have to be a cryptographer to use Winterfell. As mentioned earlier, Winterfell abstracts most of the complexity of the STARK protocol. The user is only responsible for describing his calculation in a format that the STARK auditor / auditor can understand. This format is known as intermediate algebraic representation (AIR), and the step of translating a program into AIR is known as arithmetic.
Winterfell provides a relatively simple interface to describe AIR for any computation. However, the concept of arithmetization is unfamiliar to most developers, so there will be a learning curve.
To make it easier for you to get started, we’ve put together an end-to-end Tutorial to define AIR for a very simple calculation. We also have examples of more interesting calculations in the Examples box, from something as simple as a Fibonacci sequence to something as sophisticated as aggregating hash-based signatures. And if you want to dig a little deeper into the theory, we recommend checking out two excellent blog posts from StarkWare: Arithmetization I and Arithmetization II.
Once you are comfortable with writing AIRs, using Winterfell to generate STARK proofs becomes relatively easy. For example, AIR requires less than 100 lines of code for a Fibonacci sequence and can be put together in about 15 minutes. Even for the relatively complicated example of hash-based signature aggregation mentioned above, the AIR is described in about 600 lines of code (although it took several days to put it together).
Another point worth mentioning: we wrote Winterfell as a series of modular boxes, all of which will also be posted on Crates.io today. While we use these boxes to build a STARK test system, many of them are general enough to be used as building blocks in other CI test systems. For example, for low grade tests, we use the FRI protocol included in the Winter friday Box that is also used as a building block for several other evidence systems (e.g. Fractals and Aurora), which should be transparent and post-quantum. So we hope that our work will help implementers of these protocols do their jobs faster and more efficiently.
Recent advances in ZKPs are being driven by emerging use cases in the blockchain space. In particular, ZKPs offer attractive solutions for perhaps two of the most pressing blockchain challenges: data protection and scalability. However, ZKPs also have numerous application possibilities outside of the blockchain space.
While there are still some engineering challenges to overcome before large-scale demonstration of computational integrity can be seen as practical, we believe Winterfell is an important stepping stone to putting a well-studied topic of academic research into practice. And we hope that the security and data protection community will also benefit from a user-friendly open source implementation of STARKs.
Please take a look at the Winterfell deposit, and don’t hesitate to open questions for comments and leave feedback!