feat: add provable params (#202)

towards INT-5601

---------

Co-authored-by: Jonathan Wang <[email protected]>

Author: zlangley

crates/cuda-backend/examples/fibonacci.rs

@@ -53,9 +53,8 @@ fn main() {
 
     let airs = any_rap_arc_vec![air];
 
-    let gpu_engine = GpuBabyBearPoseidon2Engine::new(
-        FriParameters::standard_with_100_bits_conjectured_security(LOG_BLOWUP),
-    );
+    let gpu_engine =
+        GpuBabyBearPoseidon2Engine::new(FriParameters::standard_with_100_bits_security(LOG_BLOWUP));
     let gpu_trace = gpu_engine.device().transport_matrix_to_device(&cpu_trace);
 
     let cpu_air_ctx = AirProvingContext::<CpuBackend<SC>>::simple(cpu_trace, public_values.clone());
@@ -72,9 +71,8 @@ fn main() {
 
     // CPU    // CPU
     println!("\nStarting CPU proof");
-    let cpu_engine = BabyBearPoseidon2Engine::new(
-        FriParameters::standard_with_100_bits_conjectured_security(LOG_BLOWUP),
-    );
+    let cpu_engine =
+        BabyBearPoseidon2Engine::new(FriParameters::standard_with_100_bits_security(LOG_BLOWUP));
     let cpu_pk = cpu_engine.device().transport_pk_to_device(&pk_host);
     let cpu_proof = cpu_engine.prove(&cpu_pk, cpu_ctx);
     cpu_engine.verify(&vk, &cpu_proof).unwrap();

crates/cuda-backend/examples/keccakf.rs

@@ -69,7 +69,7 @@ fn main() {
         // ----- CPU keygen once, shared by all threads -----
         let air = TestAir(KeccakAir {});
         let engine_cpu = BabyBearPoseidon2Engine::new(
-            FriParameters::standard_with_100_bits_conjectured_security(LOG_BLOWUP),
+            FriParameters::standard_with_100_bits_security(LOG_BLOWUP),
         );
 
         let mut keygen_builder = engine_cpu.keygen_builder();
@@ -108,7 +108,7 @@ fn main() {
 
                         println!("[task {t}] Starting GPU proof");
                         let engine_gpu = GpuBabyBearPoseidon2Engine::new(
-                            FriParameters::standard_with_100_bits_conjectured_security(LOG_BLOWUP),
+                            FriParameters::standard_with_100_bits_security(LOG_BLOWUP),
                         );
 
                         let pk_dev = engine_gpu.device().transport_pk_to_device(&pk_host);

crates/cuda-backend/examples/trace_committer.rs

@@ -77,7 +77,7 @@ fn main() {
     let gpu_time = std::time::Instant::now();
     let gpu_device = GpuDevice::new(
         GpuConfig::new(
-            FriParameters::standard_with_100_bits_conjectured_security(log_blowup),
+            FriParameters::standard_with_100_bits_security(log_blowup),
             shift,
         ),
         None,

crates/stark-backend/tests/cached_lookup/instrumented.rs

@@ -6,7 +6,7 @@ use openvm_stark_backend::{
 use openvm_stark_sdk::{
     config::{
         baby_bear_poseidon2::{self, engine_from_perm},
-        fri_params::{standard_fri_params_with_100_bits_conjectured_security, SecurityParameters},
+        fri_params::{standard_fri_params_with_100_bits_security, SecurityParameters},
         log_up_params::log_up_security_params_baby_bear_100_bits,
     },
     dummy_airs::interaction::dummy_interaction_air::DummyInteractionAir,
@@ -102,7 +102,7 @@ fn instrumented_verifier_comparison(
 #[ignore = "bench"]
 fn instrument_cached_trace_verifier() -> eyre::Result<()> {
     let fri_params = [1, 2, 3, 4]
-        .map(standard_fri_params_with_100_bits_conjectured_security)
+        .map(standard_fri_params_with_100_bits_security)
         .to_vec();
     let data_sizes = get_data_sizes();
 

crates/stark-backend/tests/cached_lookup/prove.rs

@@ -19,7 +19,7 @@ use openvm_stark_backend::{
 use openvm_stark_sdk::{
     config::{
         baby_bear_poseidon2::{engine_from_perm, random_perm},
-        fri_params::{standard_fri_params_with_100_bits_conjectured_security, SecurityParameters},
+        fri_params::{standard_fri_params_with_100_bits_security, SecurityParameters},
         log_up_params::log_up_security_params_baby_bear_100_bits,
         FriParameters,
     },
@@ -172,7 +172,7 @@ fn compare_provers(
 #[ignore = "bench"]
 fn bench_cached_trace_prover() -> eyre::Result<()> {
     let fri_params = [1, 2, 3, 4]
-        .map(standard_fri_params_with_100_bits_conjectured_security)
+        .map(standard_fri_params_with_100_bits_security)
         .to_vec();
     let data_sizes = get_data_sizes();
 

crates/stark-sdk/examples/compute_quotient_dag.rs

@@ -53,9 +53,8 @@ fn main() {
     let mut rng = create_seeded_rng();
     let air = TestAir(KeccakAir {});
 
-    let engine = BabyBearPoseidon2Engine::new(
-        FriParameters::standard_with_100_bits_conjectured_security(LOG_BLOWUP),
-    );
+    let engine =
+        BabyBearPoseidon2Engine::new(FriParameters::standard_with_100_bits_security(LOG_BLOWUP));
     let mut keygen_builder = engine.keygen_builder();
     let _air_id = keygen_builder.add_air(Arc::new(air));
     let pk = keygen_builder.generate_pk();

crates/stark-sdk/examples/interactions.rs

@@ -22,9 +22,8 @@ type Val = BabyBear;
 fn main() {
     setup_tracing();
 
-    let engine = BabyBearPoseidon2Engine::new(
-        FriParameters::standard_with_100_bits_conjectured_security(LOG_BLOWUP),
-    );
+    let engine =
+        BabyBearPoseidon2Engine::new(FriParameters::standard_with_100_bits_security(LOG_BLOWUP));
     let mut keygen_builder = engine.keygen_builder();
 
     let sender_air = DummyInteractionAir::new(1, true, 0);

crates/stark-sdk/examples/keccakf.rs

@@ -44,9 +44,9 @@ fn main() {
         let mut rng = create_seeded_rng();
         let air = TestAir(KeccakAir {});
 
-        let engine = BabyBearPoseidon2Engine::new(
-            FriParameters::standard_with_100_bits_conjectured_security(LOG_BLOWUP),
-        );
+        let engine = BabyBearPoseidon2Engine::new(FriParameters::standard_with_100_bits_security(
+            LOG_BLOWUP,
+        ));
         let mut keygen_builder = engine.keygen_builder();
         let air_id = keygen_builder.add_air(Arc::new(air));
         let pk = keygen_builder.generate_pk();

crates/stark-sdk/src/config/fri_params.rs

@@ -26,13 +26,19 @@ impl FriParameters {
     }
 
     pub fn standard_fast() -> Self {
-        standard_fri_params_with_100_bits_conjectured_security(1)
+        standard_fri_params_with_100_bits_security(1)
     }
 
+    #[deprecated(note = "use standard_with_100_bits_security instead")]
     pub fn standard_with_100_bits_conjectured_security(log_blowup: usize) -> Self {
+        #[allow(deprecated)]
         standard_fri_params_with_100_bits_conjectured_security(log_blowup)
     }
 
+    pub fn standard_with_100_bits_security(log_blowup: usize) -> Self {
+        standard_fri_params_with_100_bits_security(log_blowup)
+    }
+
     pub fn max_constraint_degree(&self) -> usize {
         (1 << self.log_blowup) + 1
     }
@@ -41,7 +47,7 @@ impl FriParameters {
     /// If the environment variable `OPENVM_FAST_TEST` is set to "1", then the parameters are **not
     /// secure** and meant for fast testing only.
     ///
-    /// In production, use `Self::standard_with_100_bits_conjectured_security` instead.
+    /// In production, use `Self::standard_with_100_bits_security` instead.
     pub fn new_for_testing(log_blowup: usize) -> Self {
         if let Ok("1") = std::env::var("OPENVM_FAST_TEST").as_deref() {
             Self {
@@ -52,15 +58,65 @@ impl FriParameters {
                 query_proof_of_work_bits: 0,
             }
         } else {
-            Self::standard_with_100_bits_conjectured_security(log_blowup)
+            Self::standard_with_100_bits_security(log_blowup)
         }
     }
 }
 
+/// Pre-defined FRI parameters with 100 bits of provable security, meaning we do
+/// not rely on any conjectures about Reed–Solomon codes (e.g., about proximity
+/// gaps) or the ethSTARK Toy Problem Conjecture.
+///
+/// The value `num_queries` is chosen so that the verifier accepts a δ-far
+/// codeword for δ = (1 - 2**(-log_blowup)) with probability at most 2^{-80}.
+/// I.e., we target the unique-decoding radius. We require 20 PoW bits
+/// just before the query phase begins to boost the soundness to 100 bits.
+///
+/// Assumes that:
+/// - the challenge field has size at least 2^123
+/// - for `log_blowup = 1`, multi-FRI will be run with at most width 30000 at any level
+/// - for `log_blowup > 1`, multi-FRI will be run with at most width 2000 at any level
+pub fn standard_fri_params_with_100_bits_security(log_blowup: usize) -> FriParameters {
+    let fri_params = match log_blowup {
+        1 => FriParameters {
+            log_blowup,
+            log_final_poly_len: 0,
+            num_queries: 193,
+            commit_proof_of_work_bits: 16,
+            query_proof_of_work_bits: 20,
+        },
+        2 => FriParameters {
+            log_blowup,
+            log_final_poly_len: 0,
+            num_queries: 118,
+            commit_proof_of_work_bits: 12,
+            query_proof_of_work_bits: 20,
+        },
+        3 => FriParameters {
+            log_blowup,
+            log_final_poly_len: 0,
+            num_queries: 97,
+            commit_proof_of_work_bits: 12,
+            query_proof_of_work_bits: 20,
+        },
+        4 => FriParameters {
+            log_blowup,
+            log_final_poly_len: 0,
+            num_queries: 88,
+            commit_proof_of_work_bits: 12,
+            query_proof_of_work_bits: 20,
+        },
+        _ => todo!("No standard FRI params defined for log blowup {log_blowup}",),
+    };
+    tracing::debug!("FRI parameters | log_blowup: {log_blowup:<2} | num_queries: {:<2} | commit_proof_of_work_bits: {:<2} | query_proof_of_work_bits: {:<2}", fri_params.num_queries, fri_params.commit_proof_of_work_bits, fri_params.query_proof_of_work_bits);
+    fri_params
+}
+
 /// Pre-defined FRI parameters with 100 bits of conjectured security.
 /// Security bits calculated following ethSTARK (<https://eprint.iacr.org/2021/582.pdf>) 5.10.1 eq (19)
 ///
 /// Assumes that the challenge field used as more than 100 bits.
+#[deprecated(note = "use standard_fri_params_with_100_bits_security instead")]
 pub fn standard_fri_params_with_100_bits_conjectured_security(log_blowup: usize) -> FriParameters {
     let fri_params = match log_blowup {
         // plonky2 standard fast config uses num_queries=84: https://github.com/0xPolygonZero/plonky2/blob/41dc325e61ab8d4c0491e68e667c35a4e8173ffa/starky/src/config.rs#L49
@@ -116,7 +172,7 @@ impl SecurityParameters {
     }
     pub fn standard_100_bits_with_fri_log_blowup(log_blowup: usize) -> Self {
         Self {
-            fri_params: FriParameters::standard_with_100_bits_conjectured_security(log_blowup),
+            fri_params: FriParameters::standard_with_100_bits_security(log_blowup),
             log_up_params: log_up_security_params_baby_bear_100_bits(),
         }
     }