A. StarkNet
Cairo VM execution is compiled to AIR, proven with STARKs, recursively aggregated, and settled on Ethereum.
zk-STARK · AIR + FRI · Post-Quantum
Run a real (if small) STARK in your browser — build a trace polynomial and AIR constraints, commit with a SHA-256 Merkle tree, and watch a FRI low-degree test decide whether the proof is accepted or the cheat is caught.
This demo runs a real (if small) STARK in your browser over the STARK-101 field p = 3·2³⁰ + 1: a trace polynomial, a constraint quotient, a SHA-256 Merkle commitment, and a genuine FRI low-degree test. The one idea everything builds toward — a tampered trace is caught by the proof system itself, not by recomputing Fibonacci — is demonstrated live in Exhibit 05.
Both prove a statement was computed correctly while revealing little about how. They differ in what they trust and what they cost.
| Property | STARK | SNARK (Groth16 / PLONK) |
|---|---|---|
| Trusted setup | None — transparent, public randomness from transcript hashing | Required (per-circuit or universal ceremony) |
| Cryptographic assumption | Collision-resistant hash + FRI soundness | Pairings / discrete log (elliptic curves) |
| Post-quantum | Conjectured secure | Broken by Shor's algorithm |
| Proof size | Large (~45–200 KB) | Tiny (Groth16 ~128 bytes) |
| Prover scaling | Quasi-linear in computation size | Quasi-linear, larger constants |
| Core stack | AIR constraints + FRI + hash commitments | R1CS/Plonkish + polynomial commitments + pairings |
AIR expresses a computation as a trace (a table of field elements) plus constraints that every honest trace must satisfy. We use single-column Fibonacci: t[0] = t[1] = 1 and t[i+2] = t[i+1] + t[i].
The prover interpolates the trace into a polynomial f of degree below the trace length. "The trace is valid" becomes "f is genuinely low degree" — the claim FRI will later test.
It will only ever open a handful of committed points and run a low-degree test.
Here is the step every STARK explainer skips. Exhibit 02 showed a broken constraint as a nonzero residual. But FRI does not test residuals — it tests degree. This panel is the converter between the two.
The transition rule t[i+2] = t[i+1] + t[i] becomes a polynomial C(x)The constraint polynomial: C(x) = f(w²x) − f(wx) − f(x). It is zero at every trace step where the rule holds. that must be zero at every step. So C should be divisible by the vanishing polynomialZ(x) is zero at exactly the trace steps the rule covers. If C is zero there too, Z divides C with no remainder. Z(x) that is zero at exactly those steps. The prover commits to the quotientQ(x) = C(x) / Z(x). It is a genuine low-degree polynomial only when the division is clean — i.e. only when every constraint held. Q(x) = C(x) / Z(x). Watch what the division does:
Q low degree; a nonzero remainder forces Q’s degree up to nearly the domain size. That degree explosion is exactly the signal the next exhibit’s FRI test rejects — so a broken constraint and a failed low-degree test are the same event, seen twice.FRI proves a committed polynomial is close to low degree using only hashes and verifier challenges — no trusted setup. Each round halves the degree and the domain. After enough rounds, an honest polynomial becomes a single constant. That final constant is the whole verdict.
Roughly: queries × folds × 2 openings × path length × 32-byte hashes.
x and −x, the two parents of one child) and combines them through x² into a single point one row down.Soundness comes from two knobs: the blowup (code rate) and the number of FRI queries. More of either buys security bits — and costs proof size and verifier time. Move the sliders.
Recursive STARK aggregation compresses many proofs into one L1-submitted proof — central to StarkNet and other rollups. Fiat-Shamir turns verifier randomness into transcript-derived hash challenges, making everything non-interactive in the random-oracle model.
The practical question is never "is 100 KB big?" but "does trust minimization plus post-quantum posture justify the bytes?" Off-chain, it almost always does; under tight on-chain gas, often not.
Generate a proof to see how few committed values the verifier inspects.
The verifier opens a few evaluations of the trace polynomial. Without protection, those points leak information about the witness. The zero-knowledge fix masks the trace as f′(x) = f(x) + (xᴺ−1)·r(x) with fresh random r: on the trace domain f′ = f (so every constraint is untouched), but on the opened coset points the values are blinded by randomness independent of the witness.
Below we draw many masked openings of the same point with fresh randomness and compare them to a witness-free simulator that just emits uniform field elements. If masking works, the two distributions are indistinguishable and the true value never stands out.
The verifier opens the trace polynomial at a fixed point. Click repeatedly: the secret value f(x) never changes, but the value the verifier actually receives is different every single time — fresh randomness blinds it.
Now draw many masked openings of that same point and pile them into a histogram. Overlay a simulator that knows no secret at all and just emits uniform noise. If masking works, the two shapes are indistinguishable.
Because the masked value looks like uniform noise no matter what the secret was, the secret cannot be read off it. That “the two distributions match” is the hiding property.
Already implemented here: per-constraint degree adjustment (αᵢ + βᵢ·x^(D−dᵢ), so a cheater cannot hide a high-degree term in a low-degree slot) and optional zero-knowledge masking of the trace polynomial (demonstrated just above).
Real security parameters. Production systems target ~100-bit soundness: a larger blowup and dozens of queries (see Exhibit 04's calculator), plus longer traces (2¹⁰–2²⁴ rows) interpolated with NTTs instead of the O(n²) Lagrange interpolation used here for clarity.
A full zero-knowledge proof. We verify the masking empirically (openings independent of the witness). A production claim also exhibits a simulator that reproduces entire transcripts — commitments, paths, and FRI layers — without the witness, and masks the composition and FRI layers too.
DEEP / out-of-domain sampling. Stronger soundness samples the composition at a random point outside the evaluation domain, tightening the proximity gap. The core idea — commit, then prove low degree — is identical.
Cairo VM execution is compiled to AIR, proven with STARKs, recursively aggregated, and settled on Ethereum.
Application-specific scaling for exchanges and games, including dYdX v3, ImmutableX, and Sorare deployments.
A RISC-V zkVM proving general computation with STARK internals, commonly SNARK-wrapped for compact on-chain verification.
A STARK-based VM with AIR constraints and a recursion pipeline for compressed proofs.