applications
finite field arithmetic is not abstract mathematics — it is the computational substrate for proof systems, encryption, and verifiable computation. every application below runs on the Goldilocks field.
STARK proofs
a STARK (Scalable Transparent Argument of Knowledge) proves that a computation was performed correctly without revealing the computation's inputs. the prover transforms the computation into a set of polynomial constraints over F_p and demonstrates that these constraints hold.
the pipeline:
computation → execution trace → polynomial constraints → FRI commitment → proof
each step uses Goldilocks field operations:
| step | field operations |
|---|---|
| execution trace | field arithmetic per step (add, mul, S-box) |
| constraint evaluation | polynomial evaluation at trace rows |
| NTT | coefficient ↔ evaluation conversion |
| FRI folding | random linear combinations of polynomial evaluations |
| Merkle commitment | hemera hash of evaluation vectors |
the prover's cost is dominated by NTTs: O(N log N) field multiplications where N is the trace length. for a typical STARK with N = 2²⁰ trace rows, this is ~20 million field multiplications — about 100 ms on modern hardware.
the verifier's cost is O(log² N) — exponentially cheaper than the prover. this asymmetry is the power of STARKs.
recursive verification and F_{p²}. in recursive STARKs, the verifier runs inside a proof circuit. FRI challenges must come from F_{p²} (not F_p alone) to achieve 128-bit security — the base field gives only ~64 bits. the recursive verifier circuit performs F_{p²} arithmetic: multiplication, inversion, and addition over the extension. see fp2.
Poseidon2 hashing
hemera implements the Poseidon2 hash function over the Goldilocks field. every round of Poseidon2 consists of:
- S-box layer: apply x⁷ to state elements (3 field multiplications per element)
- linear layer: matrix-vector product over F_p (matrix of field elements × state vector)
- round constant addition: add precomputed field elements to state
the entire hash function is a sequence of field operations — no bit manipulation, no byte shuffling, no lookup tables. this makes hemera algebraically friendly: hashing inside a STARK proof adds ~1,200 constraints per hash invocation, compared to ~15,000 for bit-oriented hashes like SHA-256 or BLAKE3.
the linear layer uses the MDS (Maximum Distance Separable) matrix property: any t × t submatrix is invertible. this guarantees full diffusion — every output element depends on every input element after one round.
FHE (Fully Homomorphic Encryption)
Fully Homomorphic Encryption allows computation on encrypted data. the TFHE scheme operates over polynomial rings R_q = Z_q[X]/(X^N + 1), where operations are polynomial multiplication modulo X^N + 1.
when the ciphertext modulus q equals the Goldilocks prime p:
- polynomial multiplication uses the NTT over F_p
- the negacyclic convolution (mod X^N + 1) requires a twist by half-roots before the standard NTT
- ciphertext elements are Goldilocks field elements — no modulus switching at the proof boundary
this alignment is the "proof impedance" elimination: an FHE computation over F_p produces intermediate values that are already Goldilocks field elements. proving correctness of the FHE computation (inside a STARK) requires no field conversion — the prover works over the same field as the ciphertext.
polynomial commitment schemes
a polynomial commitment scheme (PCS) lets a prover commit to a polynomial and later prove its evaluation at any point. FRI (Fast Reed-Solomon Interactive Oracle Proof) is the PCS used in STARKs.
FRI works by iterated folding:
round 0: commit to f₀(x) on domain D₀ (via Merkle tree of hemera hashes)
round 1: receive random α₀, compute f₁(x) = f₀_even(x) + α₀ · f₀_odd(x)
commit to f₁ on domain D₁ (half the size)
round 2: repeat until constant polynomial
each round halves the polynomial degree. the folding uses field arithmetic (random linear combinations). the commitment uses hemera hashing. the verification uses Merkle inclusion proofs.
WHIR extends FRI with improved soundness analysis. the underlying field operations are identical.
error-correcting codes
Reed-Solomon codes over F_p encode data as polynomial evaluations. the code's distance (error tolerance) is n − k + 1 where n is the code length and k is the message length.
in the STARK context, the execution trace is encoded as a Reed-Solomon codeword (evaluation of the trace polynomial on a larger domain). the FRI protocol then tests that this codeword is close to a low-degree polynomial — which certifies the computation.
the encoding is an NTT (evaluate the polynomial at a larger set of roots of unity). the decoding, when needed, is an inverse NTT plus error correction.
verifiable computation
the general pattern: encode a computation as an arithmetic circuit over F_p, execute it to produce a trace, commit to the trace using polynomial commitments, and generate a proof that the trace satisfies the circuit's constraints.
program → arithmetic circuit → trace → commitment → proof
↑ ↓
└──────── verifier checks proof (O(log² N)) ───────┘
trident compiles programs to arithmetic circuits over the Goldilocks field. nox executes these circuits and produces the execution trace. hemera hashes the trace for commitment. the STARK prover generates the proof.
every component speaks Goldilocks. no field conversion at any boundary. this is the universal substrate property: one field for compilation, execution, hashing, and proving.
lookup arguments
modern proof systems use lookup arguments to efficiently prove that values appear in a predefined table. instead of encoding a lookup as arithmetic constraints (expensive), the prover demonstrates membership using a logarithmic-derivative technique:
Σᵢ 1/(α − tᵢ) = Σⱼ mⱼ/(α − vⱼ)
where tᵢ are table entries, vⱼ are looked-up values, mⱼ are multiplicities, and α is a random challenge. this equation is checked over F_p — the inversions and sums are all field operations.
the GFP's lut instruction is designed to accelerate exactly this pattern in hardware.
matrix arithmetic
large matrix-vector products over F_p appear in:
- Poseidon2 linear layers (16 × 16 matrices)
- neural network inference (weight matrices applied to activation vectors)
- recursive proof composition (inner product arguments)
each matrix entry is a field element. each multiply-accumulate is an fma operation. a 16 × 16 matrix-vector product requires 256 fma operations — the dominant cost of a Poseidon2 round.
see also
- ntt-theory — the transform powering polynomial operations
- polynomial-arithmetic — the algebraic framework
- goldilocks — why this prime, how its arithmetic works