question about STARK boundary constraints? thanks.

โš“ Neptune    ๐Ÿ“… 2024-12-14    ๐Ÿ‘ค wuxiu    ๐Ÿ‘๏ธ 57      

wuxiu

Hi all,

Iโ€™m wondering why the boundary constraints doesnโ€™t include the input element which is included in the trace when I read the source code of stark-anatomy:https://github.com/aszepieniec/stark-anatomy/blob/master/code/rescue_prime.py

def boundary_constraints( self, output_element ):
    constraints = []

    # at start, capacity is zero
    constraints += [(0, 1, self.field.zero())]

    # at end, rate part is the given output element
    constraints += [(self.N, 0, output_element)]

    return constraints
๐Ÿท๏ธ STARK AIR

aszepieniec    2024-12-16 ๐Ÿ‘ ๐Ÿ‘Ž

In this context, we are proving knowledge of the preimage of a hash digest. The input cannot be constrained because the verifier is supposed to be ignorant of this value. Phrased differently, if the input were constrained, then the verifer would be able to extract the secret input, defeating the security of the entire construction.

1

wuxiu    2024-12-17 ๐Ÿ‘ ๐Ÿ‘Ž [op]

Thanks. But if in the context of computation integrity and there is no need to keep the input secret, then the input could be in the boundary constraints, is my understanding correct?

2

aszepieniec    2024-12-19 ๐Ÿ‘ 1 ๐Ÿ‘Ž

Exactly correct!

An example could be a proof of correct compilation. The initial source code is known, and so is the resulting executable. There is no secret information. The point of the proof in this context is to save time: you either compile the source yourself (expensive) or you verify the attached proof (cheap).

3