We have until now deferred transcript/challenger initialization to the caller, as this made it easier to synchronize it with our recursive verifier. This left the public facing API for Lifted STARK quite fragile.
The goal is to provide a safe interface for prove/verify which would generate a fresh challenger and observe all necessary parameters and inputs.
This will require many documentation tweaks, ensuring that we point users to the safe method.
The non-trivial changes will probably be:
- Modifying the LiftedAir interface to provide an
air_id for a stable ordering.
- Implementing a default mechanism for observing an Air in a transcript.
Context:
I think we should try to avoid putting this burden on the caller.
It is true that for both options, and especially for option A that is relevant to us, committing to the permutation $\pi$ is redundant, but I would rather pay for that redundancy than risk the caller shooting themselves in the foot.
This is a good point. I think we should look into a safe version of the API which properly bounds the transcript to all the required components.
Regarding the absorption of the permutation by default, I agree. It wouldn't be a big change, but needs proper documentation updates.
This could be non-breaking change, so I'd postpone until the next release (issue coming soon).
One question is how hard it would be to make AIR identity part of the statement and backend API, or in other words, to make air_id explicit in the prover- and verifier-side instance specifications. Once we have that, the design could look like this
- The caller is free to pass the AIRs in any order.
- Each prover-side instance carries an explicit stable
air_id.
- The backend computes each AIR's log trace height from the witness and sorts internally by
(log_height, air_id).
- From that point on, the backend uses this single canonical order everywhere.
- The proof header stores the canonical ordered descriptors
(air_id, log_height)
- Those ordered descriptors are themselves absorbed into the Fiat–Shamir transcript, so AIR identity and ordering are backend-bound rather than caller-managed.
- The verifier reads those descriptors, validates them, reconstructs the same canonical ordering, and then matches the caller-provided AIRs by
air_id.
The usual way to treat heterogenous Airs is to use an enum-dispatch trait, so that they all have the same type (avoiding dynamic dispatch). The right approach is probably to add index field to the LiftedAir trait. This would be stable IDs we are looking for, and could be committed to in the backend.
I think this makes it easier to handle a Multi-Air configuration, with the possibility of having optional or duplicate traces (if that makes sense). In any case, this is very doable and we'll want to make sure these rough edges are properly handled.
Originally posted by @adr1anh in #969 (comment)
We have until now deferred transcript/challenger initialization to the caller, as this made it easier to synchronize it with our recursive verifier. This left the public facing API for Lifted STARK quite fragile.
The goal is to provide a safe interface for
prove/verifywhich would generate a fresh challenger and observe all necessary parameters and inputs.This will require many documentation tweaks, ensuring that we point users to the safe method.
The non-trivial changes will probably be:
air_idfor a stable ordering.Context:
This is a good point. I think we should look into a safe version of the API which properly bounds the transcript to all the required components.
Regarding the absorption of the permutation by default, I agree. It wouldn't be a big change, but needs proper documentation updates.
This could be non-breaking change, so I'd postpone until the next release (issue coming soon).
The usual way to treat heterogenous Airs is to use an enum-dispatch trait, so that they all have the same type (avoiding dynamic dispatch). The right approach is probably to add
indexfield to theLiftedAirtrait. This would be stable IDs we are looking for, and could be committed to in the backend.I think this makes it easier to handle a Multi-Air configuration, with the possibility of having optional or duplicate traces (if that makes sense). In any case, this is very doable and we'll want to make sure these rough edges are properly handled.
Originally posted by @adr1anh in #969 (comment)