Chief Scientist Eli Ben Sassoon on Youtube Mar 16th, 2021
Cairo is the best way to write code that is as secure as L1 but with exponentially lower gas cost.
The computational integrity of Cairo runs is automagically and efficiently STARK-proved and placed on a blockchain.
Let's try to break that down.
computational integrity - Since computations are executed offchain for an L2 dapp, you can make sure that the computations are run correctly
In traditional world, we ensure integrity with audits and checks etc. For blockchains, computational integrity is achieved by naively replaying and verifying whole history of transactions. This does not scale.
STARKs achieve computational integrity using cryptographic proofs.
- Prover does the computation, and generates proof of computational integrity. True statements have good proof, false statements don't.
- Verifier checks proof. Doesn't need to trust prover, there's match/crypto to ensure prover can't cheat. Verifier is exponentially cheaper. This sits on L1.
- What is being proved? Computational integrity statement, specified by tuple (prog, initial state, final state, T-ime bound): "Exists inputs such that running prog from initial state w/inputs leads to final state in T steps"
To summarize, in blockchains, you can verify every single step one by one. In STARKs you verify the exact statement above, but not every single step. It does this by creating an Algebraic Intermediate Representation. Basically Cairo is language that compiles into AIR, a math formula, that can be used as a program signature or cryptographic proof.
This is why Cairo is so awkward, it's restricting the language to just what can be translated to math formula AIR.
StarkNet will not be zero-knowledge at launch. But it can be added later easily if there is strong developer demand.
Ok I get it know. It's amazing. Eli created a math formula that could do these proofs. Then he built a language that coders could use to generate the math formula. Generating it is tough, and done on the L2, but verifying it is easy and done on the L1. So on the L1 you can quickly glance at a program's signature/proof and say without it being on the L1 blockchain that the program did what it was supposed to.