How Cairo Provides Provable Computation

From Social Consensus to Mathematical Certainty: Understanding STARKs and the Future of Blockchain Verification

The Scientist Analogy

Traditional Blockchains = Peer Review Through Replication

The Ethereum/Bitcoin Model:

• Scientist (validator): “I ran experiment XYZ, got result ABC”

• Other scientists (validators): “Let me run XYZ myself...”

• All check: “I also got ABC” → consensus reached

• If someone gets a different result → reject their claim

This is exactly how replication studies work in science - the gold standard for verification is independent reproduction of results.

Cairo/STARKs = Mathematical Proof Instead of Replication

The StarkNet Model:

• Scientist: “I ran experiment XYZ, got result ABC, and here’s a mathematical proof that my procedure was valid“

• Other scientists: “Let me verify this proof...” (takes 1 minute instead of redoing the whole experiment)

• Proof checks out → “OK, I’m convinced you did it correctly”

This is more like mathematical proofs in papers - you don’t re-derive every theorem from first principles, you verify the logical steps.

Why This Matters

Traditional Science Replication:

• Takes time and resources

• Only a few labs can afford to replicate

• Still has trust issues (equipment calibration, methodology, honesty)

Blockchain Replication:

• Every validator must do it (expensive!)

• Linear cost scaling with number of validators

• Very robust - majority consensus provides security

Cryptographic Proofs:

• Verification is cheap and fast

• Mathematical certainty (not just “trust the majority”)

• Enables massive scaling

• Requires trusting the underlying cryptography

The Key Difference

• Replication approach: “I trust you because others independently verified”

• Proof approach: “I trust you because the math guarantees you couldn’t have faked this”

The STARK proof is like the scientist showing you their lab notebook, calculations, and a mathematical proof that IF they followed the scientific method correctly, THEN they must have gotten ABC. And the proof is structured so it’s computationally impossible to create a valid proof for a fake result.

---

When does computational integrity fail?

In traditional blockchains (Ethereum, etc.):

• Every validator re-executes every transaction

• If your node computes something, other nodes compute the same thing

• The issue isn’t “did the computation happen correctly” but rather “can we afford to have everyone re-execute everything?”

The real problem Cairo/STARKs solve is primarily scalability/economic:

1. Without proofs (traditional blockchains):

   • Computational integrity is guaranteed by redundancy

   • Every node does the same work

   • Very expensive, very slow

   • Gas fees are high because computation is replicated thousands of times

2. With proofs (Cairo/StarkNet):

   • Computation happens once off-chain

   • A proof certifies it was done correctly

   • On-chain verification is cheap

   • This enables scaling

Where integrity actually CAN fail:

Technical failures:

• Bugs in the Cairo compiler or VM

• Hardware errors during proof generation (rare but possible)

• Implementation bugs in the STARK proving system itself

Trust assumptions:

• Sequencer centralization - currently StarkNet has a centralized sequencer that decides transaction ordering

• Prover centralization - if only one entity generates proofs, they could censor or delay transactions

• Setup issues - bugs in system design matter

Business/operational problems:

• Censorship - even if proofs are valid, centralized operators can refuse to include transactions

• Liveness failures - if the prover goes offline, the system halts

• Upgradeability risks - governance can change smart contract logic

Comparison to other languages:

• Solidity/EVM: Computational integrity guaranteed by every node re-executing. Not a “correctness” issue but a “cost” issue.

• Traditional programming (Python, JavaScript): No cryptographic guarantees. You trust the computer, OS, and interpreter. Bugs, malware, or hardware failures can cause incorrect execution.

• Cairo’s innovation: Proves correct execution cryptographically. Separates computation from verification. The integrity guarantee is stronger than “trust your computer” applied to decentralized systems.

Answer: It’s primarily an economic/scalability problem - not that other systems execute incorrectly, but that they’re too expensive to verify. Cairo enables a new trust model: “prove you did it right” rather than “everyone redo it to check.”

What led Ethereum-like chains to have everyone re-execute transactions?

The Core Problem: Byzantine Consensus

Ethereum (and Bitcoin) need to solve: How do untrusted parties agree on a shared state when some participants might be malicious?

The solution they chose: Social consensus through redundant execution

Why Everyone Re-executes:

1. No Trusted Parties

• In 2015 when Ethereum launched, the design assumption was: “we can’t trust anyone”

• No single entity can be trusted to say “I executed this correctly, trust me”

• Solution: have everyone execute and compare results

2. Byzantine Fault Tolerance

• If you have N validators, and up to 1/3 are malicious or faulty

• By having everyone execute, honest majority can detect and reject invalid state transitions

• Any node that computes a different result is either buggy or malicious

3. Technology Limitations

• STARKs didn’t exist when Ethereum was designed (2013-2015)

• SNARKs existed but required trusted setups and weren’t practical for general computation

• Zero-knowledge proofs were mostly theoretical for this use case

4. Simplicity and Verifiability

• Re-execution is conceptually simple: “run the code, see what you get”

• Anyone can verify by running a node

• No complex cryptography required

The Tradeoff They Accepted:

Benefits:

• Maximum decentralization - anyone can verify

• No cryptographic assumptions beyond signatures

• Simple mental model

• Proven approach (Bitcoin did similar)

Costs:

• Every validator does redundant work

• Computation costs scale linearly with validators

• Gas fees reflect this inefficiency

• Blockchain bloat from storing everything

Ethereum chains have everyone re-execute because that was the only viable way to achieve trustless consensus with 2013-2015 technology. Proof systems enable a new model where you can have cryptographic certainty instead of social consensus through redundancy.

---

The Mathematics Behind STARKs

Level 1: The Basic Idea with Simple Arithmetic

Scenario: I claim I multiplied two numbers correctly.

My claim: “3 × 5 = 15”

Without proof (traditional blockchain):

• You: “Let me check... 3 × 5... yes, equals 15” ✓

• Everyone else also computes 3 × 5 = 15

• Consensus reached

With a proof system (simple version):

• Me: “3 × 5 = 15, and here’s a property that proves it...”

• I show you: “15 = 3 × 5 means 15 ÷ 3 should equal 5”

• You check: 15 ÷ 3 = 5 ✓ (assume easier to verify than compute from scratch for example)

This shows the concept: proving is about showing properties that would be impossible if the answer were wrong.

Level 2: Polynomial Commitments (The Key Insight)

Let’s say I executed a program with these steps:

Step 0: x = 2
Step 1: x = x + 3 = 5
Step 2: x = x × 2 = 10
Step 3: x = x - 1 = 9

The STARK Approach:

Instead of showing you each step, I encode this execution as a polynomial.

What’s a polynomial? Just: f(step) = value

For our example:

• f(0) = 2

• f(1) = 5

• f(2) = 10

• f(3) = 9

I can find a polynomial that goes through these points:

f(x) = -4/3 x³ + 5x² - 2/3 x + 2

Verifying :

• f(0) = 0 + 0 + 0 + 2 = 2 ✓

• f(1) = -4/3 + 5 - 2/3 + 2 = -6/3 + 7 = -2 + 7 = 5 ✓

• f(2) = -4/3(8) + 5(4) - 2/3(2) + 2 = -32/3 + 20 - 4/3 + 2 = -36/3 + 22 = -12 + 22 = 10 ✓

• f(3) = -4/3(27) + 5(9) - 2/3(3) + 2 = -36 + 45 - 2 + 2 = 9 ✓

Why is this useful?

Because polynomials have special properties! If I claim my execution is correct, the polynomial must satisfy certain constraints.

Level 3: Constraints and Checking

For the execution to be valid, transition rules must hold:

Rule 1: Each step follows from the previous

• Step 1 = Step 0 + 3

• Step 2 = Step 1 × 2

• Step 3 = Step 2 - 1

As polynomial constraints:

• f(1) = f(0) + 3 → 5 = 2 + 3 ✓

• f(2) = f(1) × 2 → 10 = 5 × 2 ✓

• f(3) = f(2) - 1 → 9 = 10 - 1 ✓

The magic: If I have the RIGHT polynomial (correct execution), these will all be true. If I try to cheat, I’d need a DIFFERENT polynomial that also satisfies all constraints.

Example of Trying to Cheat:

Let’s say I try to claim the result is 10 instead of 9:

Step 0: x = 2
Step 1: x = 5
Step 2: x = 10
Step 3: x = 10 (FAKE!)

Now I need a polynomial through: (0,2), (1,5), (2,10), (3,10)

After solving, the fake polynomial is:

g(x) = -7/6 x³ + 9/2 x² - 1/3 x + 2

Verify:

• g(0) = 2 ✓

• g(1) = -7/6 + 9/2 - 1/3 + 2 = 5 ✓

• g(2) = -7/6(8) + 9/2(4) - 1/3(2) + 2 = 10 ✓

• g(3) = -7/6(27) + 9/2(9) - 1/3(3) + 2 = 10 ✓

But when I check the constraint f(3) = f(2) - 1:

• Honest polynomial f(x): f(3) = 9, f(2) = 10, so 9 = 10 - 1 ✓

• Fake polynomial g(x): g(3) = 10, g(2) = 10, so 10 ≠ 10 - 1 ✗

The constraint fails! Even though both polynomials go through (0,2), (1,5), and (2,10), the fake polynomial doesn’t satisfy the transition rule at step 3.

Level 4: Why You Don’t Need to Check Everything

Here’s where it gets clever. You don’t need to check all the points!

Mathematical fact: If two polynomials of degree d are different, they can agree on at most d points.

Our honest polynomial f(x) and fake polynomial g(x) are both degree 3, so they can match at most 3 points. They happen to match at x=0, x=1, x=2, but they differ everywhere else.

Example: You ask me to check at x=2.5 (between steps 2 and 3):

Honest polynomial f(x) = -4/3 x³ + 5x² - 2/3 x + 2:

• f(2.5) = -4/3(15.625) + 5(6.25) - 2/3(2.5) + 2

• f(2.5) = -20.833 + 31.25 - 1.667 + 2 = 10.75

Fake polynomial g(x) = -7/6 x³ + 9/2 x² - 1/3 x + 2:

• g(2.5) = -7/6(15.625) + 9/2(6.25) - 1/3(2.5) + 2

• g(2.5) = -18.229 + 28.125 - 0.833 + 2 = 11.063

The polynomials give different values at x=2.5! You can now check if my claimed polynomial satisfies the constraints at this random point.

Scaling this up:

If:

• My execution has 1000 steps (degree ~1000 polynomial)

• You randomly check 100 points

• All 100 points satisfy the constraints

Probability I’m cheating: approximately 100/1000 = 10%

But if you check at random secret points I can’t predict, and they all pass, you can be 99.9999% sure I’m honest.

In practice: STARKs check enough random points to make cheating probability less than 2^(-100) (essentially impossible).

Level 5: The Actual STARK Construction

Now let’s see how real STARKs work:

Step 1: Execution Trace

Cairo program execution creates a trace table:

Step | PC | Memory[0] | Memory[1] | Operation
0    | 0  | 2         | 0         | LOAD
1    | 1  | 2         | 3         | ADD
2    | 2  | 5         | 2         | MULT
3    | 3  | 10        | 1         | SUB

Step 2: Encode as Polynomials

Each column becomes a polynomial:

• PC_poly(0)=0, PC_poly(1)=1, PC_poly(2)=2, PC_poly(3)=3

• Mem0_poly(0)=2, Mem0_poly(1)=2, Mem0_poly(2)=5, Mem0_poly(3)=10

• etc.

Step 3: Define Constraints

For example, the ADD operation constraint:

If Operation[i] = ADD, then:
Memory[0][i+1] = Memory[0][i] + Memory[1][i]

As a polynomial equation:

(Op_poly(x) - ADD) × (Mem0_poly(x+1) - Mem0_poly(x) - Mem1_poly(x)) = 0

What this means:

• If Operation is ADD, the first term is 0, so the equation forces the memory to update correctly

• If Operation is NOT ADD, the constraint doesn’t apply

Step 4: Commit to Polynomials

Instead of sending you the full polynomial, I use a Merkle tree to commit:

• Evaluate polynomial at many points (say 1 million points)

• Put them in a Merkle tree

• Send you only the root hash

Step 5: Random Checking

You (the verifier) say: “Prove to me that constraint #5 holds at random point x=847582”

I provide:

• The values at x=847582 (with Merkle proofs)

• You check the constraint equation

• Repeat for many random points

Step 6: FRI Protocol (The Deepest Magic)

The final piece: proving the committed data actually represents a LOW DEGREE polynomial.

Why? Because if I could use a high-degree polynomial, I could cheat by making it pass through any points you check.

FRI (Fast Reed-Solomon Interactive Oracle Proof) repeatedly:

1. Takes your polynomial f(x)

2. Splits it: f(x) = f_even(x²) + x·f_odd(x²)

3. You send random challenge α

4. Creates new polynomial: f’(x) = f_even(x) + α·f_odd(x)

5. Repeat until polynomial is constant

Each round roughly halves the degree. If I started with a high-degree polynomial, this would fail.

Concrete Example with Numbers

Execution: result = (2 + 3) × 4 = 20

Trace:

0: a=2, b=3
1: a=5, b=4  (after ADD)
2: a=20, b=4 (after MULT)

Polynomial encoding (simplified):

For points (0,2), (1,5), (2,20), we need: ax² + bx + c

• c = 2

• a + b + 2 = 5 → a + b = 3

• 4a + 2b + 2 = 20 → 4a + 2b = 18 → 2a + b = 9

From a + b = 3 and 2a + b = 9:

• a = 6, b = -3, c = 2

Polynomial: a_poly(x) = 6x² - 3x + 2

Verify:

• a_poly(0) = 0 - 0 + 2 = 2 ✓

• a_poly(1) = 6 - 3 + 2 = 5 ✓

• a_poly(2) = 24 - 6 + 2 = 20 ✓

Constraints:

Constraint 1 (ADD): a_poly(1) = a_poly(0) + b_poly(0)
Check: 5 = 2 + 3 ✓

Constraint 2 (MULT): a_poly(2) = a_poly(1) × b_poly(1)
Check: 20 = 5 × 4 ✓

Verification:

• You ask: “What’s a_poly(1.5)?” (random point between steps)

• I compute: 6(1.5)² - 3(1.5) + 2 = 13.5 - 4.5 + 2 = 11

• I provide Merkle proof this came from my committed polynomial

• You check constraints at x=1.5 (they must hold everywhere, not just at step boundaries)

Why I can’t cheat:
If I tried to claim result=30 instead of 20:

• I’d need a different polynomial through (0,2), (1,5), (2,30)

• That gives: h(x) = 13x² - 10x + 2

• When you check at random x=1.5: h(1.5) = 13(2.25) - 10(1.5) + 2 = 29.25 - 15 + 2 = 16.25

• But my honest polynomial gives: a_poly(1.5) = 11

• The constraint checks will fail at x=1.5 because the polynomials are different!

---

The Key Insights

1. Execution → Polynomial: Traces become polynomial evaluations

2. Correctness → Constraints: Valid execution means polynomials satisfy equations

3. Cheating → Different polynomial: Fake execution requires a different polynomial

4. Random checking: Different polynomials disagree at most places

5. Commitment: Can’t change polynomial after you choose random points

6. Low degree: FRI ensures I can’t use a tricky high-degree polynomial to pass checks

The math guarantees: if you check enough random points and all constraints pass, the probability I’m cheating is astronomically small (2^-100 or less).

---

What “Cairo Code is Provable” Actually Means

When we say Cairo code is provable, we mean:

1. Mathematical Certainty of Execution

• Every Cairo program execution can be accompanied by a cryptographic proof

• This proof mathematically guarantees that every instruction was executed correctly

• The proof guarantees that memory was accessed properly and all constraints were satisfied

• It’s computationally infeasible to create a fake proof for incorrect execution

2. Separating Computation from Verification

• Computation happens once (off-chain, by the prover)

• Verification is cheap (on-chain, by anyone)

• You don’t need to re-execute the program to verify it ran correctly

• You just need to verify the mathematical proof

3. Trustless Scalability

• Unlike Ethereum L1, you don’t need thousands of nodes re-executing the same computation

• One party computes, generates a proof

• Everyone else verifies the compact proof

• This enables massive scaling while maintaining security

4. Deterministic and Auditable

• Cairo is designed to be deterministic - same input always produces same output

• The execution trace is complete and auditable

• The proof system ensures no steps can be skipped or faked

5. Beyond “Trust Me”

Traditional approaches require:

• Trust the computer: Hope your hardware/OS/interpreter work correctly

• Trust the majority: In blockchains, trust that most validators are honest

Cairo/STARKs provide:

• Trust the math: Cryptographic guarantee that execution was correct

• No need to trust any individual party

• No need to replicate computation across thousands of nodes

The Practical Impact

For developers:

• Write Cairo smart contracts knowing they’re provably correct when executed

• Complex computations become feasible (not limited by gas costs)

• Can build applications that were impossible on traditional blockchains

For users:

• Lower transaction fees (verification is cheap)

• Faster finality (no need to wait for thousands of nodes)

• Same security guarantees as traditional blockchains

For the ecosystem:

• Enables true scaling solutions (StarkNet processes thousands of transactions)

• Preserves decentralization (anyone can verify proofs)

• Opens new possibilities (provable AI, gaming, complex DeFi)

The Trust Model Shift

Traditional blockchains: “Everyone does the work, majority decides what’s correct”

Cairo/STARKs: “One party does the work and proves it’s correct, everyone verifies the proof”

This is the fundamental innovation: replacing social consensus through redundancy with mathematical certainty through cryptographic proofs.

---

Summary

Cairo’s provability means that when a program executes, you get more than just a result - you get a mathematical proof that the execution followed all the rules. This proof is:

• Compact: Small enough to verify on-chain

• Fast to verify: Much faster than re-executing

• Cryptographically secure: Practically impossible to forge

• Complete: Covers every computational step

This is what enables StarkNet and other validity rollups to scale while maintaining the security guarantees of Ethereum. It’s a fundamental shift from “trust through replication” to “trust through mathematical proof.”