ZP1 targets 128-bit security using:

• Field: Mersenne-31 (M31) with quartic extension QM31
• FRI: DEEP-FRI with Circle STARK structure
• Hash: Blake3 (256-bit output)

• Prime: p = 2^31 - 1
• Field size: ~31 bits
• Not sufficient alone for 128-bit security

• Quartic extension of M31
• Order: (2^31 - 1)^4 ≈ 2^124
• Provides ~124 bits of security against algebraic attacks

Current configuration in fri.rs:

num_queries: 30        // Query soundness
final_degree: 8        // Final layer polynomial degree
folding_factor: 2      // Binary folding

FRI soundness error is approximately:

ε_FRI ≤ (1 - ρ)^num_queries * max(d/|D|, ε_proximity)

Where:

• ρ = rate = degree/domain_size (typically 1/4 with 4x blowup)
• num_queries = 30
• d = polynomial degree
• |D| = domain size

With 30 queries and rate 1/4:

• Per-query soundness: ~2 bits
• Total FRI soundness: ~60 bits from queries alone

// In fri.rs FriConfig::new()
num_queries: 60,  // Changed from 30

This doubles soundness bits from FRI.

Perform FRI over QM31 instead of M31 for challenges:

• Each query provides ~4 bits (vs ~2 with M31)
• 32 queries → ~128 bits

Add proof-of-work requirement:

• Require grinding_factor leading zeros
• Adds grinding_factor bits of security

1. Increase num_queries to 60 for immediate 120-bit security
2. Document security assumptions for audit preparation
3. Add configurable security levels (80/100/128 bit options)

• Circle STARK Paper
• DEEP-FRI Security
• ZisK 128-bit Analysis