FRI API Documentation
Overview​
The Fast Reed-Solomon Interactive Oracle Proof of Proximity (FRI) protocol is used to efficiently verify that a given polynomial has a bounded degree.
The Prover asserts that they know a low-degree polynomial F(x) of degree d, and they provide oracle access to a Reed-Solomon (RS) codeword representing evaluations of this polynomial over a domain L:
where α is a primitive root of unity, and (for ) is the domain size.
How it works​
The proof construction consists of three phases: the Commit and Fold Phase, the Proof of Work Phase (optional), and the Query Phase. Using a Fiat-Shamir (FS) scheme, the proof is generated in a non-interactive manner, enabling the Prover to generate the entire proof and send it to the Verifier for validation. The polynomial size must be a power of 2 and is passed to the protocol in evaluation form.
Prover​
Commit and Fold Phase​
- The prover commits to the polynomial evaluations by constructing a Merkle tree.
- A folding step is performed iteratively to reduce the polynomial degree.
- In each step, the polynomial is rewritten using random coefficients derived from Fiat-Shamir hashing, and a new Merkle tree is built for the reduced polynomial.
- This process continues recursively until the polynomial reaches a minimal length.
- Currently, only a folding factor of 2 is supported.
Proof of Work Phase (Optional)​
- If enabled, the prover is required to find a nonce such that, when hashed with the final Merkle tree root, the result meets a certain number of leading zero bits.
Query Phase​
- Using the Fiat-Shamir transform, the prover determines the random query indices based on the previously committed Merkle roots.
- For each sampled index, the prover provides the corresponding Merkle proof, showing that the value is part of the committed Merkle tree.
- The prover returns all required data as the FriProof, which is then verified by the verifier.
Verifier​
- The verifier checks the Merkle proofs to ensure the sampled values were indeed committed to in the commit phase.
- The verifier reconstructs the Fiat-Shamir challenges from the prover's commitments and verifies that the prover followed the protocol honestly.
- The folding relation is checked for each sampled query.
- If all checks pass, the proof is accepted as valid.
C++ API​
Configuration structs​
There are two key configuration structs related to the Fri protocol.
FriConfig​
The FriConfig struct is used to specify parameters for the FRI protocol. It contains the following fields:
stream: icicleStreamHandle: The CUDA stream for asynchronous execution. Ifnullptr, the default stream is used.folding_factor: size_t: The factor by which the codeword is folded in each round.stopping_degree: size_t: The minimal polynomial degree at which folding stops.pow_bits: size_t: Number of leading zeros required for proof-of-work. If set, the optional proof-of-work phase is executed.nof_queries: size_t: Number of queries computed for each folded layer of FRI.are_inputs_on_device: bool: If true, the input polynomials are stored on the device (e.g., GPU); otherwise, they remain on the host (e.g., CPU).is_async: bool: If true, it runs the hash asynchronously.ext: ConfigExtension*: Backend-specific extensions.
The default values are:
// icicle/fri/fri_config.h
struct FriConfig {
icicleStreamHandle stream = nullptr;
size_t folding_factor = 2;
size_t stopping_degree = 0;
size_t pow_bits = 16;
size_t nof_queries = 100;
bool are_inputs_on_device = false;
bool is_async = false;
ConfigExtension* ext = nullptr;
};
Currently, only a folding factor of 2 is supported.
FriTranscriptConfig​
The FriTranscriptConfig<TypeParam> class is used to specify parameters for the Fiat-Shamir scheme used by the FRI protocol. It contains the following fields:
hasher: Hash: The hash function used to generate randomness for Fiat-Shamir.domain_separator_label: std::vector<std::byte>round_challenge_label: std::vector<std::byte>commit_phase_label: std::vector<std::byte>nonce_label: std::vector<std::byte>public_state: std::vector<std::byte>seed_rng: TypeParam: The seed for initializing the RNG.
The encoding is little endian.
There are three constructors for FriTranscriptConfig<TypeParam>:
- Default constructor:
// icicle/fri/fri_transcript_config.h
FriTranscriptConfig()
: m_hasher(create_keccak_256_hash()), m_domain_separator_label({}), m_commit_phase_label({}), m_nonce_label({}),
m_public({}), m_seed_rng(F::zero())
- Constructor with byte vector for labels:
FriTranscriptConfig(
Hash hasher,
std::vector<std::byte>&& domain_separator_label,
std::vector<std::byte>&& round_challenge_label,
std::vector<std::byte>&& commit_phase_label,
std::vector<std::byte>&& nonce_label,
std::vector<std::byte>&& public_state,
F seed_rng)
: m_hasher(std::move(hasher)), m_domain_separator_label(std::move(domain_separator_label)),
m_round_challenge_label(std::move(round_challenge_label)),
m_commit_phase_label(std::move(commit_phase_label)), m_nonce_label(std::move(nonce_label)),
m_public(std::move(public_state)), m_seed_rng(seed_rng)
- Constructor with
const char*arguments for labels:
FriTranscriptConfig(
Hash hasher,
const char* domain_separator_label,
const char* round_challenge_label,
const char* commit_phase_label,
const char* nonce_label,
std::vector<std::byte>&& public_state,
F seed_rng)
: m_hasher(std::move(hasher)), m_domain_separator_label(cstr_to_bytes(domain_separator_label)),
m_round_challenge_label(cstr_to_bytes(round_challenge_label)),
m_commit_phase_label(cstr_to_bytes(commit_phase_label)), m_nonce_label(cstr_to_bytes(nonce_label)),
m_public(std::move(public_state)), m_seed_rng(seed_rng)
Generating FRI Proofs​
To generate a proof, first, an empty proof needs to be created. The FRI proof is represented by the FriProof<TypeParam> class:
// icicle/fri/fri_proof.h
template <typename F>
class FriProof
The class has a default constructor FriProof() that takes no arguments.
To generate a FRI proof using the Merkle Tree commit scheme, use one of the following functions:
- Directly call
prove_fri_merkle_tree:template <typename F>
eIcicleError prove_fri_merkle_tree(
const FriConfig& fri_config,
const FriTranscriptConfig<F>& fri_transcript_config,
const F* input_data,
const size_t input_size,
Hash merkle_tree_leaves_hash,
Hash merkle_tree_compress_hash,
const uint64_t output_store_min_layer,
FriProof<F>& fri_proof /* OUT */); - Use the
fri_merkle_treenamespace, which internally callsprove_fri_merkle_tree:This approach callsfri_merkle_tree::prove<TypeParam>( ... );prove_fri_merkle_treeinternally but provides a more structured way to access it.
input_data: const F*: Evaluations of The input polynomial.fri_proof: FriProof<F>&: The outputFriProofobject containing the generated proof.
merkle_tree_leaves_hash,merkle_tree_compress_hashandoutput_store_min_layerrefer to the hashes used in the Merkle Trees built in each round of the folding. For further information about ICICLE's Merkle Trees, see Merkle-Tree documentation and Hash documentation.
folding_factor must be divisible by merkle_tree_compress_hash.
An NTT domain is used for proof generation, so before generating a proof, an NTT domain of at least the input_data size must be initialized. For more information see NTT documentation.
NTTInitDomainConfig init_domain_config = default_ntt_init_domain_config();
ntt_init_domain(scalar_t::omega(log_input_size), init_domain_config)
:::
Example: Generating a Proof​
// Initialize ntt domain
NTTInitDomainConfig init_domain_config = default_ntt_init_domain_config();
ntt_init_domain(scalar_t::omega(log_input_size), init_domain_config);
// Define hashers for merkle tree
uint64_t merkle_tree_arity = 2;
Hash hash = Keccak256::create(sizeof(TypeParam)); // hash element -> 32B
Hash compress = Keccak256::create(merkle_tree_arity * hash.output_size()); // hash every 64B to 32B
// set transcript config
const char* domain_separator_label = "domain_separator_label";
const char* round_challenge_label = "round_challenge_label";
const char* commit_phase_label = "commit_phase_label";
const char* nonce_label = "nonce_label";
std::vector<std::byte>&& public_state = {};
TypeParam seed_rng = TypeParam::one();
FriTranscriptConfig<TypeParam> transcript_config(
hash, domain_separator_label, round_challenge_label, commit_phase_label, nonce_label, std::move(public_state),
seed_rng);
// set fri config
FriConfig fri_config;
fri_config.nof_queries = 100;
fri_config.pow_bits = 16;
fri_config.folding_factor = 2;
fri_config.stopping_degree = 0;
FriProof<TypeParam> fri_proof;
// get fri proof
eIcicleError err = fri_merkle_tree::prove<TypeParam>(
fri_config, transcript_config, scalars.get(), input_size, hash, compress, output_store_min_layer, fri_proof);
ICICLE_CHECK(err);
// Release ntt domain
ntt_release_domain<scalar_t>();
Verifying Fri Proofs​
To verify the FRI proof using the Merkle Tree commit scheme, use one of the following functions:
- Directly call
verify_fri_merkle_tree:
// icicle/fri/fri.h
template <typename F>
eIcicleError verify_fri_merkle_tree(
const FriConfig& fri_config,
const FriTranscriptConfig<F>& fri_transcript_config,
FriProof<F>& fri_proof,
Hash merkle_tree_leaves_hash,
Hash merkle_tree_compress_hash,
bool& valid /* OUT */);
- Use the
fri_merkle_treenamespac, which internally callsverify_fri_merkle_tree:
fri_merkle_tree::verify<TypeParam>( ... );
FriConfig and FriTranscriptConfig used for generating the proof must be identical to the one used for verification.
Example: Verifying a Proof​
bool valid = false;
eIcicleError err = fri_merkle_tree::verify<TypeParam>(
fri_config, transcript_config, fri_proof, hash, compress, valid);
ICICLE_CHECK(err);
ASSERT_EQ(true, valid); // Ensure proof verification succeeds
After calling fri_merkle_tree::verify, the variable valid will be set to true if the proof is valid, and false otherwise.