Formal verification of the S-two AIR
Abstract: StarkWare's S-two prover provides an efficient means for establishing, on blockchain, that a program written in the Cairo virtual machine language runs to completion. The latter claim is encoded by an algebraic intermediate representation (AIR) that captures the semantics of the Cairo language. The AIR asserts the existence of tables of values from a finite field satisfying certain algebraic constraints. A cryptographic interactive proof system, circle STARK, provides an efficiently-checked certificate that the AIR is satisfied. We describe our verification, using the Lean 4 proof assistant, that the AIR encoding is sound, which is to say, the satisfiability of the AIR implies the computational claim.
Paper Prompts
Sign up for free to create and run prompts on this paper using GPT-5.
Top Community Prompts
Explain it Like I'm 14
Explaining “Formal verification of the S-two AIR”
What this paper is about (overview)
This paper is about making sure that a special kind of math “receipt” used on blockchains is trustworthy. StarkWare’s S-two system lets someone prove, very efficiently, that a program (written for the Cairo virtual machine) really ran from start to finish and did what it was supposed to do—without revealing all the details. The proof is built from algebra (polynomials over a finite field) and is checked by a verifier. The authors use a tool called the Lean 4 proof assistant (think: a super-strict math checker) to prove a soundness theorem: if the algebraic proof (called an AIR) says “everything checks out,” then there really is a valid program run that matches it.
What the authors set out to do (key objectives)
In plain terms, they wanted to show:
- If the S-two proof passes its checks, then a real execution of the Cairo program exists that goes from the agreed-upon start to the agreed-upon finish.
- The many moving parts (“components”) of the proof system fit together correctly: what one part asks for is supplied by another, and all these exchanges are consistent.
- A special checking method called “logup” (which uses a bit of randomness) really catches cheating with extremely high probability.
- Numbers used in the proof (small “Felt” numbers) correctly represent the bigger numbers used by the Cairo machine (“Felt252”), even though they live in different number systems.
How they did it (methods and approach)
To explain the approach, it helps to introduce a few ideas with simple analogies.
What is an AIR?
An AIR (Algebraic Intermediate Representation) is like a big checklist written in algebra. Instead of saying “step 1: do X” in words, it says “these polynomials must equal zero.” If all the polynomials check out, the checklist passes.
What are components and messages?
The AIR is built from components, like Lego blocks. Each component:
- Provides some data (“yields”)—like posting answers on a bulletin board.
- Uses some data (“uses”)—like taking needed values off that board. The system checks that whenever a component “uses” a value, some component actually “yielded” that exact value. This is organized in “relations,” which are just categories of tuples (small lists of numbers) that must match up.
There are two kinds of matching:
- Subset matching: every used tuple must appear among the yielded tuples.
- Chain matching: for special tuples that represent machine states, the multiset of used states equals the multiset of yielded states, so the states connect in a single chain from the start state to the end state.
This chaining is how the system proves “there is a valid step-by-step execution.”
What is the logup protocol?
Imagine tallying how many times each tuple appears, but you don’t want to list them all. Logup uses a trick: it mixes all tuples together with a secret random number so that if someone changes even one tuple, the final mixed value almost surely changes. If the mixed-value check passes, then with very high probability all the uses are truly included in the yields (or match in chains). The authors prove this reasoning is solid and only fails with a tiny probability.
What is Lean 4 and formal verification?
Lean is like a super-strict math teacher that checks every single step of a proof. The authors re-created the essential parts of StarkWare’s AIR-building code in Lean, then proved theorems about it. They focused on the parts where mistakes would be most subtle (the constraints and the message matching) and stated some reasonable assumptions for the rest (like certain bookkeeping that connects all parts together).
How do small and big numbers fit together?
The S-two proofs use numbers in a field modulo the prime (call these Felts), because that’s fast for cryptography. But the Cairo virtual machine runs over a different, much larger field modulo a 252-bit prime (Felt252). To bridge the two:
- Each big Felt252 number is represented as 28 small chunks, each under (9 bits). Think of writing a long number in base using 28 digits.
- Range checks guarantee each chunk is small enough.
- The authors prove that the way these chunks are used and checked really represents the big numbers correctly in the places that matter.
What specific components did they model and prove correct?
They modeled a fixed set of components in Lean:
- RangeCheck: enforces that numbers are within certain bounds.
- MemoryAddrToId and MemoryIdToValue: connect memory addresses to unique IDs, then IDs to values (this speeds up copying values).
- VerifyInstruction: checks that a memory location contains a properly formed instruction (offsets and flags are valid and in range).
- Opcode components: each enforces one kind of machine step (like “add” or “jump”), using the verified instruction and memory to produce the next machine state .
They then used chain matching to connect all the step-by-step states into one complete execution from the agreed start to the agreed finish.
What they found (main results) and why it matters
The main result is a soundness theorem. In friendly terms: if all component tables satisfy their algebraic constraints, the logup checks pass, the random choice avoids a tiny “bad set,” and a few reasonable assumptions hold (like the uniqueness of certain memory mappings and correct public memory entries), then:
- There exists a full memory assignment extending the public data.
- There exists a sequence of machine states that starts at the agreed start state, ends at the agreed final state, and each step follows the Cairo rules.
- The number of steps is bounded (at most about steps in this setup).
This matters because it upgrades trust. It says: “These efficiently checkable proofs really do correspond to real computations,” and a rigorous computer-checked proof in Lean backs that up. For blockchains and smart contracts—where mistakes are costly—this kind of assurance is a big deal.
Why this is important (implications and impact)
This work strengthens confidence in S-two’s proofs on-chain: verifiers can quickly check a proof and be assured that it corresponds to a genuine run of the program. It also shows a practical way to verify very complex proof systems by:
- Breaking them into components with clear responsibilities.
- Using message matching (subset and chain) to link components reliably.
- Applying randomness (logup) to deter cheating with high probability.
- Carefully translating large-number reasoning into small-number arithmetic with range checks.
There are limits and next steps. The proof focuses on soundness (no false positives) rather than completeness (always being able to produce a proof). Some parts of the system’s global wiring are assumed correct (and could be verified in future work). Still, this is a strong foundation for safer, faster, and more reliable cryptographic proofs that power modern blockchain applications.
Knowledge Gaps
Knowledge gaps, limitations, and open questions
Below is a consolidated list of what remains missing, uncertain, or unexplored in the paper, phrased as actionable items for future work.
- Unverified AIR-builder bookkeeping: Prove that the production infrastructure correctly aggregates all component lookup terms into the cumulative logup constraints (relation IDs, tuple arities, and chain vs. subset classification), and that these match the Lean-modeled
ComponentLookupCall/AirBuilderoutputs for each release. - Preprocessed columns soundness: Mechanize proofs (or certified checks) that preprocessed columns contain exactly the agreed values and enforce the required uniqueness properties (e.g., distinct addresses in
MemoryAddrToId, distinct IDs inMemoryIdToValue), closing the current assumptionsIsMemAssignandIsRangeCheckAssign. - Primality assumptions: Replace
Fact (Nat.Prime Stwo.P)andFact (Nat.Prime Felt252Prime)with machine-checked primality proofs (or link to verified certificates) to shrink the trusted computing base. - Cryptographic randomness and Fiat–Shamir: Formalize the random challenge selection (extension-field sampling, PRNG/Fiat–Shamir) and provide a cryptographic argument that the implemented sampler yields negligible soundness error consistent with the algebraic “small bad set” bounds proved in Lean.
- Quantified soundness error: Give explicit, tight bounds (in Lean) on the bad-set sizes for all logup relations used in the S-two AIR, and relate them to the concrete security parameters of the deployed circle STARK.
- Extension-field formalization: Model the specific extension field used for logup challenges and its algebraic properties in Lean, and prove all required independence/non-degeneracy facts instead of assuming them.
- Completeness (dual to soundness): Prove that (under documented resource bounds) the prover can always produce a satisfying AIR for any terminating Cairo trace intended by S-two, or precisely characterize the conditions under which completeness holds/fails (e.g., address/register ranges, trace length).
- Step and state bounds: Justify and, if possible, tighten or relax the constraints
n ≤ 2^29and the initial-state bound(initialState inp).strongly_bounded₀ 0; provide a per-instruction worst-case analysis ensuring no wrap-around in M31 for all register and PC updates, or propose alternative encodings if longer traces or larger addresses are required. - Bridging M31-to-Felt252 reasoning: Generalize and package the ad hoc boundedness lemmas into reusable theorems that systematically lift equalities and inequalities proved over M31 to equalities over ℕ/Felt252 (including precise preconditions for avoiding modular wrap-around).
- Felt252 encoding adequacy: Provide a complete, component-by-component proof that the 28×9-bit representation is handled correctly everywhere (including non-uniqueness of encodings, carry/borrow behaviors where relevant), and that all operations that rely on equality or ordering of Felt252 values cannot be subverted by alternative encodings.
- Specialized range checks: Replace the Lean “single
RangeCheck” abstraction with verified models of the actual production variants (rc20,rc9_9, etc.), or formally prove their equivalence to the simplified abstraction used in the soundness proof. - Instruction coverage: Deliver a coverage proof that the family of
Opcode(o)components collectively implements the full Cairo VM instruction set and all flag combinations, with no missing or dead cases. VerifyInstructionfidelity: Provide an end-to-end, bit-level proof thatVerifyInstructionexactly matches the Cairo instruction encoding (correct 16-bit offsets and 15 Boolean flags, no malformed encodings accepted), formally linked to the whitepaper’s specification.- Chain lookup sufficiency: Prove that multiset equality plus the external start/end states implies a single linearized execution trace covering all transitions (i.e., rules out disjoint cycles or branching), or add and verify explicit uniqueness constraints (e.g., in-/out-degree ≤ 1 per state) that make the implication hold.
- Memory function well-definedness (production): Mechanize that the production AIR enforces that address→ID and ID→value maps are total and single-valued (no collisions across components, consistency with public memory), not just assumed in Lean.
- Equivalence with production AIR: Build a translation checker or extraction pipeline that certifies the bit-for-bit equivalence between the AIR actually emitted by S-two (constraints, lookups, relation IDs, tuple lengths) and the Lean-spec model, across versions.
- Public memory lookups: Verify the pipeline from
InputData.mStarto the on-chain external lookups and their inclusion in the cumulative logup (closingPublicMem.LookupsAgree,RelInLookupsassumptions), including commitment verification for preprocessed columns. - End-to-end trust chain: Integrate verified compiler correctness from Cairo source to casm, and casm-to-AIR correctness, so that the full path (program → AIR → STARK proof → on-chain verification) is covered formally; currently only VM-semantics-to-AIR soundness is established.
- On-chain verifier alignment: Create a machine-checkable spec for the deployed verifier and prove that its constraint checks and randomness generation match the formal model (or supply a verified reference checker that replays the verification transcript against the Lean spec).
- Numeric bound tightness and scalability: Reassess numeric parameters (e.g., 229 trace bound) for real workloads; explore alternative representations or parameterizations (wider range tables, different word sizes) that preserve soundness while scaling completeness.
- Instruction-as-data interactions: Analyze and formalize corner cases where memory cells used as instructions are also used as data; prove that the AIR prevents inconsistencies or unintended bypasses of
VerifyInstructionconstraints in such scenarios. - Dynamic component composition: Generalize the Lean proof from a fixed component set to the production’s dynamically built component graph, or prove that the fixed set suffices for all supported Cairo programs, including future extensions.
Practical Applications
Overview
The paper presents a machine-checked soundness proof (in Lean 4) for StarkWare’s S-two AIR: if the AIR’s polynomial constraints and lookup (logup) relations are satisfied, then there exists a Cairo VM execution trace from the agreed initial state to the final state consistent with a partial memory assignment. The work introduces a compositional component/message architecture, a verified logup protocol for subset and chain relations, and a practical method to reason about computations over a 252-bit field using constraints over a 31-bit field (via range-checked chunking). Below are concrete applications grounded in these findings, methods, and innovations.
Immediate Applications
- Smart-contract and rollup assurance on Starknet (sector: finance/blockchain)
- What: Stronger trust in S-two-based proofs that Cairo programs executed correctly on L2, because AIR soundness is machine-checked.
- Tools/workflows: Integrate the Lean proof artifact into release/audit pipelines for S-two and Cairo contracts; publish proof commitments alongside protocol versions; CI checks for AIR changes.
- Assumptions/dependencies: Correctness of preprocessed columns and AIR construction plumbing; cryptographic soundness of STARKs and randomness selection; primality of the underlying fields; only soundness (not completeness) is proven.
- Formal audits of Cairo libraries and system contracts (sector: software/finance)
- What: Use the formal Cairo VM semantics and the S-two soundness theorem to derive end-to-end guarantees for Cairo libfuncs and critical system contracts (e.g., dict ops, signature checks).
- Tools/workflows: Lean specs + Cairo code audit; replay existing methodology from earlier Cairo proofs with S-two’s AIR.
- Assumptions/dependencies: Manual modeling effort; assumed correctness of parts of the AIR infrastructure not modeled in Lean.
- Regression-safe S-two upgrades (sector: blockchain/software tooling)
- What: Gate changes to AIR components (e.g., opcodes, range-check widths) on proof preservation; breakages surface immediately via Lean checks.
- Tools/workflows: Mirror AIR builder logic in Lean; bind CI to rerun proofs when component code changes.
- Assumptions/dependencies: Ongoing effort to keep the Lean model synchronized with production code; unchanged trust base for cryptographic and SDK code.
- Independent verifier implementations and consistency checks (sector: cryptography/software)
- What: Implement third-party verifiers guided by the formal statement of constraints and logup semantics; cross-check S-two verifier outputs.
- Tools/workflows: Spec-driven test harnesses that generate/verify logup constraints and chain relations as encoded in the formalization.
- Assumptions/dependencies: Accurate extraction of tuples used by the production AIR builder; alignment on randomness derivation and relation indices.
- Reusable logup protocol for lookups and chaining (sector: cryptography)
- What: Adopt the verified subset and chain lookup scheme for other AIRs/circuits to ensure use⊆yield and multiset chaining properties with high probability.
- Tools/workflows: Port logup construction and “bad set” avoidance logic; apply to lookups (e.g., range tables, permutation arguments) in other STARK/PLONK-like systems.
- Assumptions/dependencies: Same probabilistic soundness guarantees; proper tuple construction and domain separation for relations.
- Engineering patterns for large-field values via small-field constraints (sector: cryptography)
- What: Apply the “28×9-bit” chunking with range checks to represent Felt252 values efficiently over M31 in other protocols.
- Tools/workflows: Library gadgets for chunking, range-checking, and equality/arithmetics via bounded natural-number reasoning.
- Assumptions/dependencies: Careful bounds to avoid aliasing; correct handling of multiple valid encodings when working modulo the large prime.
- Developer education and onboarding (sector: education)
- What: Use the Lean repository and the component/message model to teach Cairo VM semantics, AIRs, and zero-knowledge soundness.
- Tools/workflows: Hands-on exercises that modify a component and re-run proofs; in-repo tutorials.
- Assumptions/dependencies: Basic Lean and Cairo familiarity.
- Improved debugging of proof failures (sector: software development)
- What: Map verifier failures back to specific component constraints or lookup relations using the structured semantics in Lean.
- Tools/workflows: Diagnostic tooling linking constraint indices/relations to Lean definitions and source code.
- Assumptions/dependencies: Accurate cross-referencing between production AIR builder and Lean model; logging of relation IDs and tuple formats.
- Policy and compliance narratives for provable computation (sector: policy/finance)
- What: Provide regulators and auditors with machine-checked claims about soundness under explicit assumptions, bolstering compliance for zk-rollups and on-chain finance.
- Tools/workflows: Human-readable summaries derived from formal statements; independent expert attestations referencing Lean proofs.
- Assumptions/dependencies: Clear articulation of probabilistic soundness, randomness requirements, and unverified infrastructure steps.
Long-Term Applications
- End-to-end formally verified rollup stack (sector: blockchain/software/hardware)
- What: Extend formal proofs to the Cairo compiler, AIR generator plumbing, cryptographic protocols, and verifier, minimizing the trusted computing base.
- Tools/products: Verified compiler passes (Cairo→casm), verified AIR builders, certified verifiers; possibly verified hardware accelerators for provers.
- Assumptions/dependencies: Significant formalization effort; stable specifications; collaboration across compiler, crypto, and hardware teams.
- Automated AIR synthesis from specs with proof certificates (sector: software tooling)
- What: Generate AIR components and logup constraints directly from high-level specs and emit Lean proofs alongside the AIR description.
- Tools/products: Spec-to-AIR compilers integrated with Lean proof generation; proof-carrying AIR artifacts.
- Assumptions/dependencies: Mature spec languages; automation for proof search; robust CI/CD integration.
- Cross-VM verification frameworks (EVM/WASM/RISC-V) (sector: blockchain/software)
- What: Port the component/message and chain-lookup blueprint to other VMs to obtain formal soundness for diverse zkVM stacks.
- Tools/products: VM-specific VerifyInstruction and opcode components; shared logup libraries; standardized relation schemas.
- Assumptions/dependencies: VM semantics fixed and modeled in Lean; similar lookup efficiency can be achieved; per-VM range and field constraints.
- Interoperable proof standards and bridges (sector: blockchain interoperability)
- What: Standardize message/lookup relations and chain semantics to compose proofs across L2s and bridges with formal guarantees.
- Tools/products: Relation registries, cross-domain lookup adapters, composite proof verifiers.
- Assumptions/dependencies: Community consensus on standards; consistent domain separation for relations; sustained governance.
- Verifiable off-chain compute and data pipelines (sector: cloud/AI/data)
- What: Use sound AIRs and chain lookups to attest step-by-step data transformations or ML inference pipelines, checked on-chain or by auditors.
- Tools/products: zk job markets where providers must commit to sound AIRs; pipeline-stage components with chained proofs.
- Assumptions/dependencies: Efficient encoding of non-VM computations; scalability of proof generation; domain-specific gadgets.
- RegTech frameworks for zk attestations (sector: policy/finance)
- What: Regulatory acceptance of machine-checked zk-proofs for compliance (e.g., solvency, transaction constraints) built on sound AIR components.
- Tools/products: Policy-aligned specs; audit dashboards that link reports to Lean-backed proofs.
- Assumptions/dependencies: Jurisdictional buy-in; clarity on probabilistic soundness and failure probabilities.
- Supply-chain and process verification via chain lookups (sector: logistics/manufacturing)
- What: Model each process step as a component and use chain relations to prove the integrity of end-to-end workflows.
- Tools/products: Domain-specific AIRs for traceability; on-chain verification for critical checkpoints.
- Assumptions/dependencies: Feasible representation of processes as algebraic constraints; data availability and integrity.
- Advanced developer tooling and analyzers for Cairo (sector: software development)
- What: IDE/static analyzers grounded in the formal semantics to detect soundness-impacting patterns, resource bounds, and unsafe encodings.
- Tools/products: Lints for range/overflow, opcode misuse; auto-suggested proof obligations for tricky code.
- Assumptions/dependencies: Stable language semantics and libraries; integration with compiler internals.
- Verified hardware prover pipelines (sector: hardware/energy)
- What: Combine verified arithmetic kernels and protocol implementations with hardware accelerators (GPU/ASICs) whose correctness is partially proven.
- Tools/products: High-assurance kernels; formal models of accelerator micro-ops.
- Assumptions/dependencies: Hardware design cooperation; practical formal verification for performance-critical code.
Key Assumptions and Dependencies (cross-cutting)
- Cryptographic: STARK soundness under standard assumptions; the pseudo-random challenge is outside a small bad set (negligible failure probability).
- Mathematical: Primality of M31 and Felt252 moduli; correct modeling of 252-bit values via 9-bit chunks with range checks and careful bound management.
- Engineering: Correctness of unmodeled AIR infrastructure (e.g., aggregation of lookups, preprocessed columns with distinctness); alignment between production code and Lean models.
- Scope: The work proves soundness (if AIR is satisfied then an execution exists); completeness (the prover can always produce such an AIR) is out of scope.
- Trust base: Reliance on Lean’s kernel and Mathlib; external audits and independent checkers can further reduce trust assumptions.
Glossary
- AIR builder: A global data structure used by the AIR-generation infrastructure to collect constraints and messages for components. "A central data structure, the AIR builder, maintains the list of components, and the polynomial constraints and messages associated to each."
- algebraic intermediate representation (AIR): A system of algebraic constraints that encodes a computation so it can be checked via cryptographic proofs. "The latter claim is encoded by an algebraic intermediate representation (AIR) that captures the semantics of the Cairo language."
- Cairo-AIR: The specific AIR encoding of the Cairo virtual machine semantics used in the system. "We refer to this AIR as the Cairo-AIR."
- Cairo virtual machine: The abstract machine executing Cairo programs, with registers and a field-based memory model. "The program is compiled to instructions for the Cairo virtual machine"
- CairoZero: A predecessor version of the Cairo language and toolchain. "CairoZero (a predecessor to the current version of Cairo)"
- casm: Short for Cairo assembly language; a lower-level representation of Cairo VM instructions. "In StarkWare terminology, “casm” is short for “Cairo assembly language,” which provides convenient representations of virtual machine code instructions."
- casm state: A triple (pc, fp, ap) over the underlying field, representing the VM registers in casm. "Thus, below and in our formalization, a “casm state” refers to a triple (pc, fp, ap) of elements of the underlying field."
- chain lookups: A special lookup mode requiring multiset equality of uses and yields to enforce chaining of state transitions. "The underlying cryptographic protocol has a special variant of the message-passing protocol, chain lookups, that ensures that the pairs (s, s′) verified by the relevant components chain together in this way."
- circle STARK: A particular STARK-based interactive proof system used to certify AIR satisfiability. "A cryptographic interactive proof system, circle STARK \cite{habock:levit:papini:24}, provides an efficiently-checked certificate that the AIR is satisfied."
- cumulative logup constraints: The global set of algebraic constraints produced by the logup protocol to enforce relations between use and yield tuples across components. "The satisfaction by these tuples of the cumulative logup constraints, which are explained in Section~\ref{section:logups}, guarantees, with high probability, that certain relations hold between the use and yield tuples of each relation."
- dependent type theory: The foundational logical framework underlying Lean, enabling types that depend on values. "Lean is based on a version of dependent type theory whose logical strength is just slightly stronger than Zermelo--Fraenkel set theory"
- extension field: A larger field containing the base field, used here to sample randomness for the logup argument. "it involves picking a pseudo-random field element from an extension field."
- Felt: An element of the prime field used by S-two (M31); shorthand for “field element.” "In our verification and below we refer to elements of the first field as Felts, short for “field elements,” and elements of the second field as Felt252s."
- Felt252: An element of the 252-bit prime field used by the Cairo VM. "In our verification and below we refer to elements of the first field as Felts, short for “field elements,” and elements of the second field as Felt252s."
- Felt252 prime: The specific 252-bit prime modulus defining the Cairo VM field. "In the Cairo virtual machine, \lstinline{F} is the field of integers modulo the Felt252 prime, defined as follows:"
- kernel: The small, trusted core of a proof assistant that checks proofs against the axioms and rules. "by carefully-written code that is known as the kernel, or trusted computing base."
- Lean 4: A programming language and interactive proof assistant used for formal verification in the project. "For this project, we used the Lean 4 programming language and proof assistant"
- logup protocol: An algebraic lookup argument that enforces subset/chain relations between use and yield tuples with high probability. "Section~\ref{section:logups} breaks out an important ingredient, the logup protocol, which provides a general scheme for sharing information between components in an efficient way."
- lookup components: Components that only produce (yield) tuples for others to consume, without issuing their own uses. "Some components have only yield values, and are referred to in the S-two whitepaper as lookup components, since their function is to provide values for other components to use."
- Mathlib: The standard mathematical library for Lean, providing a large base of formalized mathematics. "users can draw on a large library, Mathlib \cite{mathlib}, of formalized mathematics"
- M31: The prime field Z/(231−1) used by the S-two AIR for efficiency. "The S-two AIR works over the field -- the field of integers modulo the prime , a value chosen carefully for efficient cryptographic computation."
- message buffer: The collection where evaluated use and yield tuples are tagged and stored for cross-component matching. "It therefore uses values in the message buffer tagged as coming from these components, and yields tuples consisting of 19 Felts satisfying the corresponding constraints."
- message channel: The abstraction over which components exchange use and yield tuples in the AIR. "the S-two AIR is best understood in terms of components exchanging messages over a message channel."
- multiset: A set-like collection where elements have multiplicities, used to enforce chain-equality between uses and yields. "requiring, for these lookups, that the multiset of use values equals the multiset of yield values"
- next state relation: The formal relation specifying how one VM register state transitions to the next under the Cairo semantics. "culminating in a definition of the next state relation for the virtual machine"
- opcode components: Per-instruction components that verify the correct state transition for a specific Cairo opcode. "\lstinline{Opcode} components: each of the opcode components takes as input a Cairo register state"
- preprocessed columns: Agreed, fixed columns embedded in the AIR so the prover and verifier share common data (e.g., ranges). "using a mechanism known as preprocessed columns \cite{habock:levit:papini:24}."
- proof assistant: Software that helps construct and mechanically check formal proofs within a foundational system. "A proof assistant provides a very strong guarantee that a formally-specified claim has a formal proof according to the axioms and rules of the axiomatic foundation."
- RangeCheck: A lookup component yielding small-range values so other components can verify bounds via lookups. "For example, a \lstinline{RangeCheck} component yields all values in the range for a fixed natural number ."
- soundness theorem: A result that shows if the AIR is satisfied, then the claimed computation actually exists (up to negligible error from the protocol). "our soundness theorem says that if a given instance of the S-two AIR encoding satisfies the Cairo-AIR with respect to a partial assignment to memory, then there is a full assignment to the memory and an execution trace of the Cairo virtual machine"
- STARK certificate: The proof artifact produced by a STARK protocol that certifies AIR satisfiability. "and that the STARK certificate warrants the satisfiability of the Cairo-AIR constraints."
- trusted computing base: The minimal set of components that must be correct for the guarantees to hold (e.g., the kernel). "by carefully-written code that is known as the kernel, or trusted computing base."
- use-yield correspondences: The matching between a component’s “uses” (inputs) and other components’ “yields” (outputs) enforced by the lookup protocol. "the existence of tables of values satisfying the polynomial constraints and the use-yield correspondences implies the existence of an execution trace of the Cairo machine code."
- ZMod: Lean’s type of integers modulo n, used to model finite fields. "Here \lstinline{ZMod n} is the Mathlib definition of the integers modulo \lstinline{n}."
Collections
Sign up for free to add this paper to one or more collections.