WHIR
Presentation: https://youtu.be/JdHqAIMihxg
Introduction
WHIR is a follow-up paper to STIR, and it has advanced in 2 key aspects: verification speed and use of multilinear polynomials over univariate polynomials. WHIR can replace existing protocols such as FRI, STIR, and Basefold.
Background
Please refer to Basefold and STIR in advance.
Constrained RS (CRS) Code
An RS (Reed-Solomon) code with field , evaluation domain , and degree can be interpreted as evaluations over either a univariate polynomial or a multilinear polynomial as follows:
where is defined as:
A CRS (Constrained Reed-Solomon) code extends the traditional RS code by introducing additional evaluation constraint .
Recall that is defined as:
To incorporate the additional constraint ,
where is defined as: (and we call this weight polynomial, which we'll explain later).
Hence, CRS (Constrained Reed-Solomon) code code can be written as:
Protocol Explanation
Brief Overview
The query complexity in WHIR remains the same as in STIR because the same idea of reducing the rate is applied. WHIR also uses Out-Of-Domain Sampling, which is employed in STIR. However, WHIR does not use Quotienting, or Degree Correction. Instead, it introduces two new methods, described below:
Sumcheck
For each round in the Sumcheck protocol, the verifier provides a random value, and the prover reduces the number of variables by one. With each variable reduction, the degree is also reduced by one. After rounds of sumcheck, variables can be eliminated, reducing the degree by . This is the folding method used in WHIR, differing from the -fold approach in STIR.
For example, when , the process operates as follows. First, let us assume that the evaluation constraint claimed by the CRS in the previous round is as follows:
The prover provides the verifier with a univariate polynomial defined as follows to prove the constraint:
The verifier then checks the following condition and rejects if the two sides are not equal:
The verifier samples a random and sends it to the prover.
The prover, using the random value , provides the verifier with another univariate polynomial ₁ defined as follows:
The verifier checks the following condition and rejects if the two sides are not equal:
The verifier samples a random value and sends it to the prover.
The folded polynomial can then be constructed as follows:
Weight Polynomial
Out-Of-Domain Sampling
The verifier samples random value .
The prover sends .
Shift queries
The verifier samples random values . The is the evaluation domain in each round , and the value represents the number of queries required in each round , determined by the security parameter .
For each , the verifier obtains by querying :
and is defined as:
where .
Recursive Claims
The verifier samples random value .
Using the random values and the computed results, the prover and the verifier constructs and , which will be used in the new .
The Full WHIR Protocol
Parameters
a constrained Reed-Solomon code ;
an iteration count ;
folding parameter such that ;
evaluation domain where is a smooth coset of with order ;
repetition parameters with ;
define and ;
define and .
Inputs
The verifier has oracle access to . In the honest case, and the prover receives such that and .
Query(Prover side)
Initial sumcheck: Set . For :
The prover sends . In the honest case, .
The verifier samples . Append to set .
Main loop: For :
Send folded function: The prover sends . In the honest case, is the evaluation of over .
Out-of-domain sample: The verifier sends . Set .
Out-of-domain reply: The prover sends . In the honest case, .
Shift message: The verifier samples and . Set .
Sumcheck rounds: Set . For :
The prover sends . In the honest case, where .
The verifier samples . Append to set .
Send final polynomial: The prover sends . In the honest case .
Sample final randomness: The verifier samples .
Query(Verifier side)
Check initial sumcheck:
Check that .
Check that for .
Check main loop: For :
Let .
Compute the points by querying at the appropriate locations.
Check that .
Check that for every .
Check final polynomial:
Check that, for every , where .
For set
Check that .
Conclusion
The figure above is a table comparing BaseFold, FRI, STIR, and WHIR. It shows that WHIR, like STIR, has the lowest query complexity. Additionally, WHIR also achieves the lowest verifier time complexity. (For details on how WHIR's verifier time complexity is calculated, refer to Section 2.1.4, "Verifier Efficiency," in the paper.)
The benchmarking results, as derived from the table above, show a similar trend. In the ZK Summit 12 presentation, Eylon Yogev highlighted that WHIR has lower on-chain gas costs than Groth16. Given that Groth16 is widely recognized for its low on-chain gas costs, this suggests an exciting possibility: we may not need to combine STARK-based proof generation with Groth16 verification in the future. This could mark the beginning of a more efficient era, though significant progress is still needed to make it a reality. For now, Groth16 verification remains the most cost-effective option. For more details, see this discussion.
References
Last updated