EIP-0045: Native STARK Proof Verification Opcode #103

Open: a-shannon wants to merge 3 commits into ergoplatform:master from a-shannon:eip-0045-native-stark-verifier

@a-shannon commented Apr 29, 2026

Summary

This EIP proposes a native verifyStark opcode for Ergo, enabling post-quantum STARK proof verification as a first-class L1 primitive.

The opcode verifies proofs for registered verifier profiles rather than arbitrary AIR. Each vmType maps to an immutable consensus profile fixing the field, extension tower, Merkle hash, Fiat-Shamir hash, FRI parameters, proof format, public-input format, and cost table version.

What

  • Opcode: verifyStark(proofChunks, publicInputs, imageId, vmType, costParams)
  • Cryptographic suite: BabyBear, Ext16, Poseidon1 Merkle commitments with 52-byte digests, Blake2b-256 Fiat-Shamir transcript
  • Verifier profiles: vmType registry for audited STARK/zkVM profiles, not generic user-supplied AIR
  • Transcript binding: profile hash, vmType, imageId, publicInputs, and cost parameters are domain-separated before challenge generation
  • eUTXO safety: public-input binding guidance so contracts bind proofs to the current transaction context
  • AOT safety: O(1) pre-execution cost calculation with fail-fast bounds checks
  • Conformance: required Known Answer Tests for field encoding, Poseidon1, Fiat-Shamir, serialization, malformed proof rejection, and AOT costing

Network Parameter Proposal

This EIP proposes increasing maxTransactionSize from 96 KB to 256 KB.

With Poseidon1 Merkle commitments using 52-byte digests:

  • Minimal AIR / D=16: approximately 97.9 KB proof before transaction framing. It exceeds the current 96 KB transaction limit once overhead is included, but fits under 256 KB.
  • Full zkVM / D=27: approximately 317 KB proof. It does not fit in a single 256 KB transaction and requires zero-conf chaining, recursion/aggregation, reduced trace width, or a future proof-carrier strategy.

Security Model

  • FRI / Fiat-Shamir: Q=35 and blowup B=2048 target >=128-bit post-quantum soundness under the standard QROM modeling assumption for Blake2b-256.
  • Merkle binding: Poseidon1 Merkle commitments use 13 BabyBear capacity elements, giving approximately 134-bit quantum collision resistance under BHT-style collision attacks.
  • Hash separation: Poseidon1 is used for Merkle commitments; Blake2b-256 is used for Fiat-Shamir transcript generation.
  • Scope control: bridge protocols, source-chain commitment formats, proof transport boxes, and standalone Poseidon1 hashing are explicitly left to companion standards.

Companion Material

Feedback is especially welcome on the verifier profile registry, transcript domain separation, AOT cost model, and activation path.
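
The transcript binding listed in the PR description, sketched as an added example (not code from the EIP or the reference implementation): each bound value is length-prefixed and absorbed into Blake2b-256 before any challenge is derived, so a proof's challenges depend on the exact profile, vmType, imageId, publicInputs and cost parameters. The domain tag, field order, integer widths and sample values are assumptions made for illustration.

```python
import hashlib
import struct

DOMAIN = b"EIP45-demo"  # constructed domain tag (assumption, not from the EIP)

def lp(field: bytes) -> bytes:
    """Length-prefix a field so adjacent fields cannot be re-split."""
    return struct.pack(">I", len(field)) + field

def transcript_seed(profile_hash: bytes, vm_type: int, image_id: bytes,
                    public_inputs: bytes, cost_params: list) -> bytes:
    """Absorb every bound value into Blake2b-256 before any challenge exists."""
    if vm_type < 0 or any(c < 0 for c in cost_params):
        raise ValueError("negative vmType or cost parameter")  # fail fast
    h = hashlib.blake2b(digest_size=32, person=DOMAIN)
    h.update(lp(profile_hash))
    h.update(lp(struct.pack(">I", vm_type)))
    h.update(lp(image_id))
    h.update(lp(public_inputs))
    h.update(lp(b"".join(struct.pack(">Q", c) for c in cost_params)))
    return h.digest()

def challenge(seed: bytes, index: int) -> bytes:
    """Derive the index-th verifier challenge from the bound seed."""
    return hashlib.blake2b(seed + struct.pack(">I", index), digest_size=32).digest()

def naive_seed(image_id: bytes, public_inputs: bytes) -> bytes:
    """Anti-pattern for comparison: bare concatenation, no framing."""
    return hashlib.blake2b(image_id + public_inputs, digest_size=32).digest()

# Constructed sample values, not taken from the EIP or its test vectors.
PROFILE = hashlib.blake2b(b"constructed profile", digest_size=32).digest()
IMAGE = bytes(range(32))
COST = [1000, 64]

if __name__ == "__main__":
    tx_a = transcript_seed(PROFILE, 1, IMAGE, b"tx-context-A", COST)
    tx_b = transcript_seed(PROFILE, 1, IMAGE, b"tx-context-B", COST)
    print("challenges shared across contexts:", challenge(tx_a, 0) == challenge(tx_b, 0))
    print("naive framing collides:", naive_seed(b"AB", b"C") == naive_seed(b"A", b"BC"))
    print("framed seeds collide:",
          transcript_seed(PROFILE, 1, b"AB", b"C", COST)
          == transcript_seed(PROFILE, 1, b"A", b"BC", COST))
```

A conformance test for transcript domain separation can use the same shape: vary one bound field at a time and require that the first challenge changes.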

Adds a native verifyStark opcode to the Ergo protocol, enabling post-quantum
verifiable computation via hardcoded zkVM registries (RISC Zero, SP1, Valida).

Key features:
- BabyBear Ext16 field with >=128-bit PQ security (no grinding)
- Registry-based zkVM AIR architecture (not generic AIR)
- AOT-safe JIT cost model with fail-fast and negative value guards
- Batched Merkle openings + Radix-8 FRI folding
- Proposes maxTransactionSize increase from 96 KB to 256 KB
- Soft-fork activation via miner voting

@a-shannon (Author)

Reference implementation PR: ergoplatform/sigmastate-interpreter#1116

Current test coverage: 159 tests across 3 suites:

  • 114 standalone STARK verifier engine tests (field axioms, tower algebra, Poseidon1, Merkle, FRI, Fiat-Shamir, DEEP-ALI)
  • 26 Known Answer Tests (hardcoded regression guards for BabyBear, Ext16, Poseidon1)
  • 15 integration tests (OpCode slot, serialization roundtrip, AOT costing boundaries, DoS protection)
  • 4 base integration tests (P2P roundtrip, cost charge, negative params)

a-shannon added 2 commits April 30, 2026 11:25
Companion document for EIP-0045 providing:
- JIT complexity barrier motivation (Section 1)
- BabyBear Ext16 tower + Poseidon1/Blake2b-256 instantiation (Section 2)
- DEEP-FRI protocol mechanics with Montgomery batch inversion (Section 3)
- 4 formal adversary games with BCS QROM reduction (Section 4)
- AOT DoS shield guarantee (Section 5)

Key result: Q=35, B=2048 satisfies lambda_PQ >= 128 with 1 bit of margin
under the BCS quadratic extraction penalty (2^256 * 2^-385 = 2^-129).
a-shannon

This comment was marked as off-topic.
