Efficient Proofs of Computational Integrity from Code ...
Transcript of Efficient Proofs of Computational Integrity from Code ...
E�cient Proofs of Computational Integrityfrom Code-Based Interactive Oracle Proofs
Sarah Bordage
Project-team GRACELIX, Ecole Polytechnique, Institut Polytechnique de Paris
Inria Saclay Ile-de-France
GT Codes et CryptographieJune 17, 2021
Verifiable Computing
Powerful Prover Weak Verifier
Please, run program F on input x for me.
I want to quickly checkif your result is correct.
3
3
On input (F , x), output result yand proof of correctness π
y, π On input (F , x, y, π),accept i� π is a valid prooffor statement “y = F (x)”
• Completeness: Verifier V always accepts honest proof
• Soundness: For any malicious P , Pr[P convinces V to accept incorrect statement] = negl
• E�ciency: verification time, length of π� time for computing F (x)
Remark: sublinear time(V) requires |description of the computation| � | running time of the computation|,V should not “unroll” the computation.
1 / 24
A view of the “proofs-space” (by crypto assumptions)
CRHF, ROM DLOG KoE/AGM/GGM Group of(pairing-based) unknown order
2013 Pinocchio [PGHR]
2014 [BCTV]
2016 ZKBoo [GMO] [BCCGP] [Groth16]
SCI [BBC+] [GM]
2017 Ligero [AHIV] Bulletproof [BBB+] (ZK) vSQL [ZGK+]
Hyrax [WTS+]
2018 Stark [BBHR] vRAM [ZGK+]
Aurora [BCR+]
2019 Fractal [COS] Spartan [Setty] Sonic [MBK+] Supersonic [BFS]
Succinct Aurora [BCG+] Halo [BGH] Plonk [GWC]
RedShift [KPV] Marlin [CHM+]
Virgo [ZXZS] Libra [XZZ+]
2020 Virgo++ [ZWZZ] Mirage [KKPS]
Some implementations of succinct non-interactive arguments for general computations
2 / 24
Outline
1. IOP-based succinct non-interactive arguments
2. STARK Arithmetization
3. Reed-Solomon Proximity Testing
3 / 24
IOP-based succinct non-interactivearguments
Probabilistically Checkable Proofs
[Fortnow-Rompel-Sipser’88, Babai-Fortnow-Levin-Szegedy’91, Arora-Safra’92, Arora-Lund-Motwani-Sudan-Szegedy’98, ...]
Given a relationR of instance-witness pairs (x,w), denote LR = {x | ∃w, (x,w) ∈ R}.
Probabilistically checkable proof system(PCP)
P(x,w) V(x)π
oracle
output: 1 or 0
Completeness: ∀(x,w) ∈ R, ∃π,Vπ(x) = 1Soundness: ∀x /∈ LR,∀π,Pr[Vπ(x) = 0] > 1/2
For verifiable computing,important measures are:
• time(P),
• time(V),
• query complexity q,
• proof length l.
4 / 24
PCP-based succinct interactive argument
P(x,w) V(x)
computationallybounded
CRHF H : {0, 1}∗ → {0, 1}κ
π ← P(x,w)root = MTreeH(π)
root
Sample unif. at randomquery set Q of size q
Q
paths= (MProofsH(π[k]))k∈Q
π|Q, paths
Check Merkle proofs
Output 1 i� Vπ(x) = 1
q = |Q| , l = |π|
From q-queries PCP of length l:
• Communication = Oκ(q log l),
• time(P) = time(P) +Oκ(l),
• time(V) = time(V) +Oκ(q log l).
• [Kilian’92] PCP (P,V) + collision-resistant hashings interactive argument (P,V) for NP with sublinear communication.
5 / 24
PCP-based succinct non-interactive argument
P(x,w) V(x)
computationallybounded
RO H : {0, 1}∗ → {0, 1}κ
π ← P(x,w)root = MTreeH(π)
Q← H(x|| root)
paths= (MProofsH(π[k]))k∈Q
root, π|Q, paths
Q← H(x|| root)Check Merkle proofs
Output 1 i� Vπ(x) = 1
q = |Q| , l = |π|
From q-queries PCP of length l:
• Communication = Oκ(q log l),
• time(P) = time(P) +Oκ(l),
• time(V) = time(V) +Oκ(q log l).
• [Kilian’92] PCP (P,V) + collision-resistant hashings interactive argument (P,V) for NP with sublinear communication.
• [Micali’00] Kilian’s protocol + Fiat-Shamir paradigm (H random oracle; Q← H(x, root)) succinct non-interactive argument for NP in the Random Oracle Model.
6 / 24
Interactive Oracle Proofs
[Ben–Sasson-Chiesa-Spooner’16, Reingold-Rothblum-Rothblum’16]
IOP system(P,V) is an IOP system for relationR with soundnesserror ε if
Completeness:∀(x,w) ∈ R,Pr[〈P (x,w), V π1,...,πr (x)〉 = 1] = 1.
Soundness:∀x /∈ LR, ∀P ,Pr[〈P (x,w), V π1,...,πr (x)〉 = 1] ≤ ε.
Proof length l =∑|πi|
Query complexity q = number of queries to π1, . . . , πr
P(x,w) V(x)m0
π1
m1
π2
...
mr−1
πr
output: 1 or 0
7 / 24
IOP-based succinct non-interactive argument [Ben–Sasson-Chiesa-Spooner’16]
P(x,w) V(x)
computationallybounded
CRHF H : {0, 1}∗ → {0, 1}κ
For each round iπi ← P(x,w)
rooti = MTreeH(πi) rootiSample unif. at random
query set QiQi
pathsi= (MProofsH(πi[k]))k∈Qi πi|Qi , pathsi
Check Merkle proofs
Output 1 i� Vπ1,...,πr (x) = 1
q =∑|Qi| , l =
∑|πi|
From q-queries IOP with length l:
• Communication = Oκ(q log l),
• time(P) = time(P) +Oκ(l),
• time(V) = time(V) +Oκ(q log l).
Interactive argument from Merkle TreesIOP system (P,V)︸ ︷︷ ︸
information theoretic
+ hash functions︸ ︷︷ ︸collision-resistant
=⇒ succinct interactive argument (P,V)
8 / 24
IOP-based succinct non-interactive argument [Ben–Sasson-Chiesa-Spooner’16]
P(x,w) V(x)
computationallybounded
CRHF H : {0, 1}∗ → {0, 1}κ
For each round iπi ← P(x,w)
rooti = MTreeH(πi) rootiSample unif. at random
query set QiQi
pathsi= (MProofsH(πi[k]))k∈Qi πi|Qi , pathsi
Check Merkle proofs
Output 1 i� Vπ1,...,πr (x) = 1
From q-queries IOP with length l:
• Communication = Oκ(q log l),
• time(P) = time(P) +Oκ(l),
• time(V) = time(V) +Oκ(q log l).
Remove interaction: Qi deduced fromRO(x||root1|| . . . ||rooti−1||Q0|| . . . ||Qi−1)
Non-interactive argument from Merkle Trees + Fiat-ShamirIOP system (P,V)︸ ︷︷ ︸
information theoretic
+ hash functions︸ ︷︷ ︸random oracle
=⇒ succinct non-interactive argument (P,V)
9 / 24
ZK-STARK
Computational integrity language L:Instances (F, x, y, T ) such that running program F within T cycles on public input x and auxiliary (secret)witness w leads to output y.
STARK (Scalable Transparent ARgument of Knowledge) [Ben–Sasson-Bentov-Horesh-Riabzev’18]
non-interactive argument of knowledge for “machine computations”, with or without zero-knowledge
Prover Verifier Communication complexity Setup Post-QuantumOκ(T log2 T ) H Oκ(log2 T ) H Oκ(log2 T ) transparent yes
Construct an IOP system (P,V) for L with:
time(P) = O(T log2 T ) time(V) = O(n) +O(log(T )), l = O(T log T ), q = O(log T ),
then apply [BCS’16] transformation.
Applications:Allows verification of multiple programs in a single proof (StarkEx, Cairo).One can build PQ signatures from ZK-STARKs (see Ziggy STARK).
10 / 24
STARK Arithmetization:From computational integrity tolow-degree testing
STARK: Toy example
Toy program
• Public input: x ∈ F, steps T (T � |F|)
• Private output: K ∈ FT , K = (K0,K1, . . . ,KT−1)Program F (x, T,K):
For i = 0 to T − 1:x← x3 + Ki
return x
Execution tracex0 K0x1 K1x2 K2... ...
xT−2 KT−2xT−1 KT−1xT 0
Valid i�
x0 = x
xT = y
xi+1 = x3i +Ki
Computational integrity statement for ZK-STARK:
“Given program F , public input (x, T ) and public output y, I know secret K such that F (x, T,K) = y.”
... Today, we’ll discuss only the computational integrity part.
“Given program F , public input (x, T ) and public output y, there exists K such that F (x, T,K) = y.”
11 / 24
STARK: Toy example
Toy program
• Public input: x ∈ F, steps T (T � |F|)
• Private output: K ∈ FT , K = (K0,K1, . . . ,KT−1)Program F (x, T,K):
For i = 0 to T − 1:x← x3 + Ki
return x
Execution tracex0 K0x1 K1x2 K2... ...
xT−2 KT−2xT−1 KT−1xT 0
Valid i�
x0 = x
xT = y
xi+1 = x3i +Ki
Computational integrity statement for ZK-STARK:
“Given program F , public input (x, T ) and public output y, I know secret K such that F (x, T,K) = y.”
... Today, we’ll discuss only the computational integrity part.
“Given program F , public input (x, T ) and public output y, there exists K such that F (x, T,K) = y.”
11 / 24
Toy example: Arithmetization I
P and V agree on ω ∈ F× of order T + 1, which defines G := 〈ω〉. They also define:
• “Contraint polynomial” C(X0, X1, Y0) = Y0 − (X30 +X1)
• “Boundaries” polynomial B ∈ F[X]≤1 such that B(1) = x and B(ωT ) = y
• Vanishing polynomial Z(X) =∏T−1i=0 (X − ωi) = XT+1−1
X−ωT
P interpolates P0, P1 ∈ F[X]≤T such that for all i ∈ {0, ..., T} , P0(ωi) = xi and P1(ωi) = Ki.
Valid execution trace ⇐⇒
x0 = x,
xT = y,
C(xi,Ki, xi+1) = 0, for 0 ≤ i < T
⇐⇒
P0(ω0) = B(ω0),P0(ωT ) = B(ωT ),C(P0(ωi), P1(ωi), P0(ωi+1)) = 0, for 0 ≤ i < T
⇐⇒{
(X − 1)(X − ωT ) divides P0(X)−B(X)Z(X) divides C(P0(X), P1(X), P0(hX))
12 / 24
Toy example: Arithmetization I
P and V agree on ω ∈ F× of order T + 1, which defines G := 〈ω〉. They also define:
• “Contraint polynomial” C(X0, X1, Y0) = Y0 − (X30 +X1)
• “Boundaries” polynomial B ∈ F[X]≤1 such that B(1) = x and B(ωT ) = y
• Vanishing polynomial Z(X) =∏T−1i=0 (X − ωi) = XT+1−1
X−ωT
P interpolates P0, P1 ∈ F[X]≤T such that for all i ∈ {0, ..., T} , P0(ωi) = xi and P1(ωi) = Ki.
Valid execution trace ⇐⇒
x0 = x,
xT = y,
C(xi,Ki, xi+1) = 0, for 0 ≤ i < T
⇐⇒
P0(ω0) = B(ω0),P0(ωT ) = B(ωT ),C(P0(ωi), P1(ωi), P0(ωi+1)) = 0, for 0 ≤ i < T
⇐⇒{
(X − 1)(X − ωT ) divides P0(X)−B(X)Z(X) divides C(P0(X), P1(X), P0(hX))
12 / 24
Toy example: Arithmetization I
P and V agree on ω ∈ F× of order T + 1, which defines G := 〈ω〉. They also define:
• “Contraint polynomial” C(X0, X1, Y0) = Y0 − (X30 +X1)
• “Boundaries” polynomial B ∈ F[X]≤1 such that B(1) = x and B(ωT ) = y
• Vanishing polynomial Z(X) =∏T−1i=0 (X − ωi) = XT+1−1
X−ωT
P interpolates P0, P1 ∈ F[X]≤T such that for all i ∈ {0, ..., T} , P0(ωi) = xi and P1(ωi) = Ki.
Valid execution trace ⇐⇒
x0 = x,
xT = y,
C(xi,Ki, xi+1) = 0, for 0 ≤ i < T
⇐⇒
P0(ω0) = B(ω0),P0(ωT ) = B(ωT ),C(P0(ωi), P1(ωi), P0(ωi+1)) = 0, for 0 ≤ i < T
⇐⇒{
(X − 1)(X − ωT ) divides P0(X)−B(X)Z(X) divides C(P0(X), P1(X), P0(hX))
12 / 24
Toy example: Arithmetization II
Valid execution trace ⇐⇒
{Q0(X) = P0(X)−B(X)
(X−1)(X−ωT ) ∈ Fq [X]≤T−2
Q1(X) = C(P0(X),P1(X),P0(hX))Z(X) ∈ Fq [X]≤2T
Reed-Solomon encodingRS[F, D, k] ⊂ FD : evaluations on D ⊂ F of polynomials of degree < k.
We assume |D| ≥ 2(T + 1), |D| = Θ(T ), and D ∩G = ∅.
P sends oracle functions f0, f1, g0, g1 ∈ FD ,supposedly evaluations on D of P0(X), P1(X), Q0(X), Q1(X), respectively.
Valid execution trace ⇐⇒
f0, f1 ∈ RS[F, D, T + 1]g0 ∈ RS[F, D, T − 1]g1 ∈ RS[F, D, 2T + 1]
13 / 24
Toy example: Arithmetization II
Valid execution trace ⇐⇒
{Q0(X) = P0(X)−B(X)
(X−1)(X−ωT ) ∈ Fq [X]≤T−2
Q1(X) = C(P0(X),P1(X),P0(hX))Z(X) ∈ Fq [X]≤2T
Reed-Solomon encodingRS[F, D, k] ⊂ FD : evaluations on D ⊂ F of polynomials of degree < k.
We assume |D| ≥ 2(T + 1), |D| = Θ(T ), and D ∩G = ∅.
P sends oracle functions f0, f1, g0, g1 ∈ FD ,supposedly evaluations on D of P0(X), P1(X), Q0(X), Q1(X), respectively.
Valid execution trace ⇐⇒
f0, f1 ∈ RS[F, D, T + 1]g0 ∈ RS[F, D, T − 1]g1 ∈ RS[F, D, 2T + 1]
13 / 24
Toy example: Arithmetization III
Assume f0, f1 ∈ RS[F, D, T + 1]. Then,
• (x0 6= x or xT 6= y) =⇒ ∆(g0,RS[F, D, T − 1]) ≥ 1− T+1|D| ∆ relative Hamming distance
• ∃i, xi+1 6= x3i +Ki =⇒ ∆(g1,RS[F, D, 2T + 1]) ≥ 1− 3T+1
|D|
Arithmetization:
{valid execution trace RS codewordsincorrect execution trace words far from any RS codewords
Consistency at a random location
V samples s ∈ D and requests f0(s), f1(s), f0(ω · s), g0(s), g1(s),
computes B(s) and Z(s) (in O(log T ) F-ops), then checks:
1. g0(s) · (s− 1) · (s− ωT ) ?= f0(s)−B(s) soundness error ≤ T|D|
2. g1(s) · Z(s) ?= C(f0(s), f1(s), f0(ω · s)) soundness error ≤ 3T|D|
V rejects if one of the test fails.
Low-degree compliance
Instead of RS membership test: V must be able to test proximity to RS code with O(log T ) queries.
14 / 24
Toy example: Arithmetization III
Assume f0, f1 ∈ RS[F, D, T + 1]. Then,
• (x0 6= x or xT 6= y) =⇒ ∆(g0,RS[F, D, T − 1]) ≥ 1− T+1|D| ∆ relative Hamming distance
• ∃i, xi+1 6= x3i +Ki =⇒ ∆(g1,RS[F, D, 2T + 1]) ≥ 1− 3T+1
|D|
Arithmetization:
{valid execution trace RS codewordsincorrect execution trace words far from any RS codewords
Consistency at a random location
V samples s ∈ D and requests f0(s), f1(s), f0(ω · s), g0(s), g1(s),
computes B(s) and Z(s) (in O(log T ) F-ops), then checks:
1. g0(s) · (s− 1) · (s− ωT ) ?= f0(s)−B(s) soundness error ≤ T|D|
2. g1(s) · Z(s) ?= C(f0(s), f1(s), f0(ω · s)) soundness error ≤ 3T|D|
V rejects if one of the test fails.
Low-degree compliance
Instead of RS membership test: V must be able to test proximity to RS code with O(log T ) queries.
14 / 24
Reed-Solomon Proximity Testing
Reed-Solomon Proximity Testing
Reed-Solomon proximity testingInput: a code RS[F, D, k], a parameter δInput oracle: f : D → FCompleteness: If f ∈ RS[F, D, k], then the test always accepts.Soundness: If ∆
(f,RS[F, D, k]
)> δ, then the test accepts with probability ≤ err(δ).
∆ relative Hamming distance
Naive proximity test
1. Query k + 1 entries of f ∈ FD : f(x0), . . . , f(xk),
2. Compute poly P (X) of degree < k by interpolating {(xi, f(xi)); 0 ≤ i ≤ k − 1}
3. Tester accepts i� P (xk) = f(xk).
Soundness: V accepts with proba Prxk [P (xk) 6= f(xk)] ≤ 1−∆(f,RS[F, D, k]).
Problem: query complexity k + 1 is linear in |D| with |D| = Θ(k).
How to achieve logarithmic verification time? V will need some auxiliary proof from P ...We also want a fast prover (linear in |D|) IOP of Proximity (IOPP) for RS code.
15 / 24
Reed-Solomon Proximity Testing
Reed-Solomon proximity testingInput: a code RS[F, D, k], a parameter δInput oracle: f : D → FCompleteness: If f ∈ RS[F, D, k], then the test always accepts.Soundness: If ∆
(f,RS[F, D, k]
)> δ, then the test accepts with probability ≤ err(δ).
∆ relative Hamming distance
Naive proximity test
1. Query k + 1 entries of f ∈ FD : f(x0), . . . , f(xk),
2. Compute poly P (X) of degree < k by interpolating {(xi, f(xi)); 0 ≤ i ≤ k − 1}
3. Tester accepts i� P (xk) = f(xk).
Soundness: V accepts with proba Prxk [P (xk) 6= f(xk)] ≤ 1−∆(f,RS[F, D, k]).
Problem: query complexity k + 1 is linear in |D| with |D| = Θ(k).
How to achieve logarithmic verification time? V will need some auxiliary proof from P ...We also want a fast prover (linear in |D|) IOP of Proximity (IOPP) for RS code.
15 / 24
Reed-Solomon IOP of Proximity
RS IOP of ProximityInput: a code RS[F, D, k], a parameter δInput oracle: f : D → FCompleteness: If f ∈ RS[F, D, k], then ∃P Pr[〈P,V〉 = 1] = 1Soundness: If ∆
(f,RS[F, D, k]
)> δ, then ∀P Pr[〈P,V〉 = 1] ≤ err(δ)
∆ relative Hamming distance
Fast Reed-Solomon IOPP:FRI Protocol
[Ben–Sasson-Bentov-Horesh-Riabzev’18]# rounds < log |D|# queries < 2 log |D|)prover time < 6|D|verifier time < 21 log |D|)proof length < |D|/3soundness “ ' 1− δ”
P V
f0 = f
α0
f1α1
f2
...αr−1
fr
16 / 24
Halving the size of the problem by folding
Assume there exists ω ∈ F× of order a large power of 2.Given k = 2r and evaluation domain D = 〈ω〉 of size n = |D| and closed under negation
How to check proximity of f0 : D → F to the code RS[F, D, k] ?
Define sequence of RS codes: RSi := RS[F, Di, k/2i] with D0 = D and Di := 〈ω2i 〉(same rate ρ = k/n)
For each round i, reduce proximity to RSi to RSi+1:• Split fi(X) into u0, u1, such that fi(X) = u0(X2) +Xu1(X2)
• For α ∈ F, define Fold [fi, α] : Di+1 → F by Fold [fi, α] (y) = u0(y) + α · u1(y)
CompletenessFor all α ∈ F, Fold [RSi, α] ⊆ RSi+1
Observe: for all x ∈ Di,
Fold [fi, α] (x2) =fi(x) + fi(−x)
2+ α
fi(x)− fi(−x)2x
.
Local computabilityFor any y ∈ Di+1, compute Fold [fi, α] (y) with only 2 queries to fi.
17 / 24
Halving the size of the problem by folding
Assume there exists ω ∈ F× of order a large power of 2.Given k = 2r and evaluation domain D = 〈ω〉 of size n = |D| and closed under negation
How to check proximity of f0 : D → F to the code RS[F, D, k] ?
Define sequence of RS codes: RSi := RS[F, Di, k/2i] with D0 = D and Di := 〈ω2i 〉(same rate ρ = k/n)For each round i, reduce proximity to RSi to RSi+1:• Split fi(X) into u0, u1, such that fi(X) = u0(X2) +Xu1(X2)
• For α ∈ F, define Fold [fi, α] : Di+1 → F by Fold [fi, α] (y) = u0(y) + α · u1(y)
CompletenessFor all α ∈ F, Fold [RSi, α] ⊆ RSi+1
Observe: for all x ∈ Di,
Fold [fi, α] (x2) =fi(x) + fi(−x)
2+ α
fi(x)− fi(−x)2x
.
Local computabilityFor any y ∈ Di+1, compute Fold [fi, α] (y) with only 2 queries to fi.
17 / 24
Halving the size of the problem by folding
Assume there exists ω ∈ F× of order a large power of 2.Given k = 2r and evaluation domain D = 〈ω〉 of size n = |D| and closed under negation
How to check proximity of f0 : D → F to the code RS[F, D, k] ?
Define sequence of RS codes: RSi := RS[F, Di, k/2i] with D0 = D and Di := 〈ω2i 〉(same rate ρ = k/n)For each round i, reduce proximity to RSi to RSi+1:• Split fi(X) into u0, u1, such that fi(X) = u0(X2) +Xu1(X2)
• For α ∈ F, define Fold [fi, α] : Di+1 → F by Fold [fi, α] (y) = u0(y) + α · u1(y)
CompletenessFor all α ∈ F, Fold [RSi, α] ⊆ RSi+1
Observe: for all x ∈ Di,
Fold [fi, α] (x2) =fi(x) + fi(−x)
2+ α
fi(x)− fi(−x)2x
.
Local computabilityFor any y ∈ Di+1, compute Fold [fi, α] (y) with only 2 queries to fi.
17 / 24
Folding preserves distance to the code
Let ε = ε(|F| , n, ρ) = Oρ
(n2
|F|
).
Distance preservationLet δ < 1−√ρ. If ∆(fi,RSi) > δ, then
Prα∈F
[∆(Fold [fi, α] ,RSi+1) < δ] < ε
Proof relies on:
Theorem [Ben–Sasson-Carmon-Ishai-Kopparty-Saraf’20]
Let C ⊆ FD be a RS code of rate ρ and let u0, u1 : D → F. For any δ < 1−√ρ, if
Prα∈F
[∆(u0 + αu1, C) < δ] > 1− ε,
then, there exist c0, c1 ∈ C and T ⊂ D such that
• |T | ≥ (1− δ) |D|
• u0|T = c0|T and u1|T = c1|T
18 / 24
Folding preserves distance to the code - proof sketch
Distance preservationLet δ < 1−√ρ. If ∆(fi,RSi) > δ, then
Prα∈F
[∆(Fold [fi, α] ,RSi+1) < δ] < ε
Proof sketch:Idea: assume Fold [fi, α] is δ-close of RSi+1 for many α’s, reconstruct a codeword v ∈ RSi which is δ-close to fi.
• Apply BCIKS’20 on Fold [fi, α] = u0 + αu1 =⇒ ∃v0, v1 ∈ RSi+1 such that
T = {y ∈ Di+1 | u0(y) = v0(y) AND u1(y) = v1(y)}
is of size |T | ≥ (1− δ) |Di+1|,
• Consider polynomial r(X) = v0(X2) +Xv1(X2) of degree < k/2i,
• Then, the evaluation of r(X) on Di agrees with f on the set{x ∈ Di | x2 ∈ T
}of size
≥ (1− δ) |Di|.
19 / 24
Folding preserves distance to the code - proof sketch
Distance preservationLet δ < 1−√ρ. If ∆(fi,RSi) > δ, then
Prα∈F
[∆(Fold [fi, α] ,RSi+1) < δ] < ε
Proof sketch:Idea: assume Fold [fi, α] is δ-close of RSi+1 for many α’s, reconstruct a codeword v ∈ RSi which is δ-close to fi.
• Apply BCIKS’20 on Fold [fi, α] = u0 + αu1 =⇒ ∃v0, v1 ∈ RSi+1 such that
T = {y ∈ Di+1 | u0(y) = v0(y) AND u1(y) = v1(y)}
is of size |T | ≥ (1− δ) |Di+1|,
• Consider polynomial r(X) = v0(X2) +Xv1(X2) of degree < k/2i,
• Then, the evaluation of r(X) on Di agrees with f on the set{x ∈ Di | x2 ∈ T
}of size
≥ (1− δ) |Di|.
19 / 24
FRI Protocol: COMMIT phase
P V
f0 = f
α0
f1α1
f2
...αr−1
fr
Honest prover computes:
COMMIT Phase
f1 = Fold [f0, α0]
f2 = Fold [f1, α1]
...
fr = Fold [fr−1, αr−1]
fr?∈ RS[F, D(2r), k/2r]
Global consistency test:
QUERY Phase
Sample s ∈ D0 and check
f1(s2) ?= Fold [f0, α0] (s2)
f2(s4) ?= Fold [f1, α1] (s4)...
fr(s2r ) ?= Fold [fr−1, αr−1] (s2r )
Final test: fr?∈ RSr
output: 1 or 0
20 / 24
FRI Protocol: QUERY phase
P V
f0 = f
α0
f1α1
f2
...αr−1
fr
Honest prover computes:
COMMIT Phase
f1 = Fold [f0, α0]
f2 = Fold [f1, α1]
...
fr = Fold [fr−1, αr−1]
fr?∈ RS[F, D(2r), k/2r]
Global consistency test:
QUERY Phase
Sample s ∈ D0 and check
f1(s2) ?= Fold [f0, α0] (s2)
f2(s4) ?= Fold [f1, α1] (s4)...
fr(s2r ) ?= Fold [fr−1, αr−1] (s2r )
Final test: fr?∈ RSr
output: 1 or 0
20 / 24
FRI Protocol: Soundness
What can go wrong?• COMMIT:
Event Badi = “at round i, Fold [·, αi] does not preserve distance to thecode.”
• QUERY: chosen queried path does not catch any errors.
Pr [V accepts ] ≤ Prαi∈F
[∪r−1i=0 Badi
]︸ ︷︷ ︸
errcommit
+ Prs∈D
[V accepts | ∩r−1
i=0 Badi]
︸ ︷︷ ︸errquery
Theorem: Soundness [Ben–Sasson-Kopparty-Saraf’18, Ben–Sasson-Carmon-Ishai-Kopparty-Saraf’20]For any δ < 1−√ρ, if ∆(f,RS[F, D, k]) > δ, then V accepts with proba at most
err(δ) < errcommit + (errquery)l
< r · ε(|F| , n, ρ) + (1− δ)l
after l repetitions of the QUERY phase.
21 / 24
FRI Protocol: Soundness
What can go wrong?• COMMIT:
Event Badi = “at round i, Fold [·, αi] does not preserve distance to thecode.”
• QUERY: chosen queried path does not catch any errors.
Pr [V accepts ] ≤ Prαi∈F
[∪r−1i=0 Badi
]︸ ︷︷ ︸
errcommit
+ Prs∈D
[V accepts | ∩r−1
i=0 Badi]
︸ ︷︷ ︸errquery
Theorem: Soundness [Ben–Sasson-Kopparty-Saraf’18, Ben–Sasson-Carmon-Ishai-Kopparty-Saraf’20]For any δ < 1−√ρ, if ∆(f,RS[F, D, k]) > δ, then V accepts with proba at most
err(δ) < errcommit + (errquery)l
< r · ε(|F| , n, ρ) + (1− δ)l
after l repetitions of the QUERY phase.
21 / 24
Soundness analysis I
Let δi = min(∆(fi,RSi), 1−
√ρ))
.Bounding errcommit:BADi = “∆(Fold [fi, αi] ,RSi+1) < δi”.
By distance preservation: Pr[BADi] ≤ ε,thus Pr
[∪r−1i=0 Badi
]︸ ︷︷ ︸errcommit
≤ r · ε
Bounding errquery:Suppose no BADi occurs.Consider graph with vertices D0 ∪D1 ∪ · · · ∪Dr ,and we’ll say that:
• y ∈ Di+1 is green if fi+1(y) = Fold [fi, αi] (y)
• y ∈ Di+1 is red if fi+1(y) 6= Fold [fi, αi] (y)
V accepts i� every vertices of the queried path are green.
Modify the entries of f1, . . . , fr−1 to keep only the last red vertex along the path.
Modification process does not a�ect green vertices rejection proba does not increase.
22 / 24
Soundness analysis I
Let δi = min(∆(fi,RSi), 1−
√ρ))
.Bounding errcommit:BADi = “∆(Fold [fi, αi] ,RSi+1) < δi”.
By distance preservation: Pr[BADi] ≤ ε,thus Pr
[∪r−1i=0 Badi
]︸ ︷︷ ︸errcommit
≤ r · ε
Bounding errquery:Suppose no BADi occurs.Consider graph with vertices D0 ∪D1 ∪ · · · ∪Dr ,and we’ll say that:
• y ∈ Di+1 is green if fi+1(y) = Fold [fi, αi] (y)
• y ∈ Di+1 is red if fi+1(y) 6= Fold [fi, αi] (y)
V accepts i� every vertices of the queried path are green.
Modify the entries of f1, . . . , fr−1 to keep only the last red vertex along the path.
Modification process does not a�ect green vertices rejection proba does not increase.
22 / 24
Soundness analysis I
Let δi = min(∆(fi,RSi), 1−
√ρ))
.Bounding errcommit:BADi = “∆(Fold [fi, αi] ,RSi+1) < δi”.
By distance preservation: Pr[BADi] ≤ ε,thus Pr
[∪r−1i=0 Badi
]︸ ︷︷ ︸errcommit
≤ r · ε
Bounding errquery:Suppose no BADi occurs.Consider graph with vertices D0 ∪D1 ∪ · · · ∪Dr ,and we’ll say that:
• y ∈ Di+1 is green if fi+1(y) = Fold [fi, αi] (y)
• y ∈ Di+1 is red if fi+1(y) 6= Fold [fi, αi] (y)
V accepts i� every vertices of the queried path are green.Pr[V accepts] = 6
16 = 38
Modify the entries of f1, . . . , fr−1 to keep only the last red vertex along the path.
Modification process does not a�ect green vertices rejection proba does not increase.
22 / 24
Soundness analysis I
Let δi = min(∆(fi,RSi), 1−
√ρ))
.Bounding errcommit:BADi = “∆(Fold [fi, αi] ,RSi+1) < δi”.
By distance preservation: Pr[BADi] ≤ ε,thus Pr
[∪r−1i=0 Badi
]︸ ︷︷ ︸errcommit
≤ r · ε
Bounding errquery:Suppose no BADi occurs.Consider graph with vertices D0 ∪D1 ∪ · · · ∪Dr ,and we’ll say that:
• y ∈ Di+1 is green if fi+1(y) = Fold [fi, αi] (y)
• y ∈ Di+1 is red if fi+1(y) 6= Fold [fi, αi] (y)
V accepts i� every vertices of the queried path are green.Pr[V accepts] = 6
16 = 38
Modify the entries of f1, . . . , fr−1 to keep only the last red vertex along the path.
Modification process does not a�ect green vertices rejection proba does not increase.
22 / 24
Soundness analysis I
Let δi = min(∆(fi,RSi), 1−
√ρ))
.Bounding errcommit:BADi = “∆(Fold [fi, αi] ,RSi+1) < δi”.
By distance preservation: Pr[BADi] ≤ ε,thus Pr
[∪r−1i=0 Badi
]︸ ︷︷ ︸errcommit
≤ r · ε
Bounding errquery:Suppose no BADi occurs.Consider graph with vertices D0 ∪D1 ∪ · · · ∪Dr ,and we’ll say that:
• y ∈ Di+1 is green if fi+1(y) = Fold [fi, αi] (y)
• y ∈ Di+1 is red if fi+1(y) 6= Fold [fi, αi] (y)
V accepts i� every vertices of the queried path are green.Pr[V accepts] = 6
16 = 38
Modify the entries of f1, . . . , fr−1 to keep only the last red vertex along the path.
Modification process does not a�ect green vertices rejection proba does not increase.22 / 24
Soundness analysis II
Considering the modified oracles, define Ei+1 = {y ∈ Di+1 | y is red, i.e. fi+1(y) 6= Fold [fi, αi] (y)}.If no BADi occurs, V rejects with proba at most
Prs∈D0
[∃i ∈ {1, . . . , r} , s2i ∈ Ei
]=
r∑i=1
Prs∈D0
[s2i ∈ Ei
]=
r∑i=1
|Ei||Di|
.
Triangular inequality:
∆(Fold [fi, αi] , fi+1)︸ ︷︷ ︸= |Ei+1||Di+1|
+∆(fi+1,RSi+1) ≥ ∆(Fold [fi, αi] ,RSi+1)︸ ︷︷ ︸≥δi
.
We deduce that for all i < r − 1, |Ei+1||Di+1| ≥ δi − δi+1, since:
• If δi+1 < δi, then δi+1 < 1−√ρ, and thus δi+1 = ∆(fi+1,RSi+1). δi = min(∆(fi,RSi), 1−
√ρ)
• Otherwise δi − δi+1 ≤ 0, thus it’s clear.
Thus,∑r
i=1|Ei||Di|
≥∑r−1
i=0 (δi − δi+1) ≥ δ0 − δr = δ0.
Conclude: If δ = ∆(f0,RS0) > 0, then Pr(V accept) ≤ Oρ(n2
|F|
)+(1−min
(δ, 1−√ρ
)).
23 / 24
Soundness analysis II
Considering the modified oracles, define Ei+1 = {y ∈ Di+1 | y is red, i.e. fi+1(y) 6= Fold [fi, αi] (y)}.If no BADi occurs, V rejects with proba at most
Prs∈D0
[∃i ∈ {1, . . . , r} , s2i ∈ Ei
]=
r∑i=1
Prs∈D0
[s2i ∈ Ei
]=
r∑i=1
|Ei||Di|
.
Triangular inequality:
∆(Fold [fi, αi] , fi+1)︸ ︷︷ ︸= |Ei+1||Di+1|
+∆(fi+1,RSi+1) ≥ ∆(Fold [fi, αi] ,RSi+1)︸ ︷︷ ︸≥δi
.
We deduce that for all i < r − 1, |Ei+1||Di+1| ≥ δi − δi+1, since:
• If δi+1 < δi, then δi+1 < 1−√ρ, and thus δi+1 = ∆(fi+1,RSi+1). δi = min(∆(fi,RSi), 1−
√ρ)
• Otherwise δi − δi+1 ≤ 0, thus it’s clear.
Thus,∑r
i=1|Ei||Di|
≥∑r−1
i=0 (δi − δi+1) ≥ δ0 − δr = δ0.
Conclude: If δ = ∆(f0,RS0) > 0, then Pr(V accept) ≤ Oρ(n2
|F|
)+(1−min
(δ, 1−√ρ
)).
23 / 24
Soundness analysis II
Considering the modified oracles, define Ei+1 = {y ∈ Di+1 | y is red, i.e. fi+1(y) 6= Fold [fi, αi] (y)}.If no BADi occurs, V rejects with proba at most
Prs∈D0
[∃i ∈ {1, . . . , r} , s2i ∈ Ei
]=
r∑i=1
Prs∈D0
[s2i ∈ Ei
]=
r∑i=1
|Ei||Di|
.
Triangular inequality:
∆(Fold [fi, αi] , fi+1)︸ ︷︷ ︸= |Ei+1||Di+1|
+∆(fi+1,RSi+1) ≥ ∆(Fold [fi, αi] ,RSi+1)︸ ︷︷ ︸≥δi
.
We deduce that for all i < r − 1, |Ei+1||Di+1| ≥ δi − δi+1, since:
• If δi+1 < δi, then δi+1 < 1−√ρ, and thus δi+1 = ∆(fi+1,RSi+1). δi = min(∆(fi,RSi), 1−
√ρ)
• Otherwise δi − δi+1 ≤ 0, thus it’s clear.
Thus,∑r
i=1|Ei||Di|
≥∑r−1
i=0 (δi − δi+1) ≥ δ0 − δr = δ0.
Conclude: If δ = ∆(f0,RS0) > 0, then Pr(V accept) ≤ Oρ(n2
|F|
)+(1−min
(δ, 1−√ρ
)).
23 / 24
Soundness analysis II
Considering the modified oracles, define Ei+1 = {y ∈ Di+1 | y is red, i.e. fi+1(y) 6= Fold [fi, αi] (y)}.If no BADi occurs, V rejects with proba at most
Prs∈D0
[∃i ∈ {1, . . . , r} , s2i ∈ Ei
]=
r∑i=1
Prs∈D0
[s2i ∈ Ei
]=
r∑i=1
|Ei||Di|
.
Triangular inequality:
∆(Fold [fi, αi] , fi+1)︸ ︷︷ ︸= |Ei+1||Di+1|
+∆(fi+1,RSi+1) ≥ ∆(Fold [fi, αi] ,RSi+1)︸ ︷︷ ︸≥δi
.
We deduce that for all i < r − 1, |Ei+1||Di+1| ≥ δi − δi+1, since:
• If δi+1 < δi, then δi+1 < 1−√ρ, and thus δi+1 = ∆(fi+1,RSi+1). δi = min(∆(fi,RSi), 1−
√ρ)
• Otherwise δi − δi+1 ≤ 0, thus it’s clear.
Thus,∑r
i=1|Ei||Di|
≥∑r−1
i=0 (δi − δi+1) ≥ δ0 − δr = δ0.
Conclude: If δ = ∆(f0,RS0) > 0, then Pr(V accept) ≤ Oρ(n2
|F|
)+(1−min
(δ, 1−√ρ
)).
23 / 24
Soundness analysis II
Considering the modified oracles, define Ei+1 = {y ∈ Di+1 | y is red, i.e. fi+1(y) 6= Fold [fi, αi] (y)}.If no BADi occurs, V rejects with proba at most
Prs∈D0
[∃i ∈ {1, . . . , r} , s2i ∈ Ei
]=
r∑i=1
Prs∈D0
[s2i ∈ Ei
]=
r∑i=1
|Ei||Di|
.
Triangular inequality:
∆(Fold [fi, αi] , fi+1)︸ ︷︷ ︸= |Ei+1||Di+1|
+∆(fi+1,RSi+1) ≥ ∆(Fold [fi, αi] ,RSi+1)︸ ︷︷ ︸≥δi
.
We deduce that for all i < r − 1, |Ei+1||Di+1| ≥ δi − δi+1, since:
• If δi+1 < δi, then δi+1 < 1−√ρ, and thus δi+1 = ∆(fi+1,RSi+1). δi = min(∆(fi,RSi), 1−
√ρ)
• Otherwise δi − δi+1 ≤ 0, thus it’s clear.
Thus,∑r
i=1|Ei||Di|
≥∑r−1
i=0 (δi − δi+1) ≥ δ0 − δr = δ0.
Conclude: If δ = ∆(f0,RS0) > 0, then Pr(V accept) ≤ Oρ(n2
|F|
)+(1−min
(δ, 1−√ρ
)).
23 / 24
Conclusion
In a nutshell:Arithmetization:
• valid execution trace RS codewords
• incorrect execution trace words far from any RS codewords
Low-degree test: key-ingredient is a “folding operator” such that:
• codeword of big RS code 7→ codeword of small RS code
• locally computable
• word far from big RS code 7→ words far from small RS code (w.h.p)
What about other codes?Proximity testing to algebraic codes via IOPP, with linear prover and logarithmic verifier:
• Algebraic Geometry codes (joint work with Jade Nardi)https://eccc.weizmann.ac.il/report/2020/165/
• Reed-Muller and Tensor Products of RS codes (joint work with Daniel)
The challenging part is to construct folding operators satisfying “distance preservation”.
24 / 24
Conclusion
In a nutshell:Arithmetization:
• valid execution trace RS codewords
• incorrect execution trace words far from any RS codewords
Low-degree test: key-ingredient is a “folding operator” such that:
• codeword of big RS code 7→ codeword of small RS code
• locally computable
• word far from big RS code 7→ words far from small RS code (w.h.p)
What about other codes?Proximity testing to algebraic codes via IOPP, with linear prover and logarithmic verifier:
• Algebraic Geometry codes (joint work with Jade Nardi)https://eccc.weizmann.ac.il/report/2020/165/
• Reed-Muller and Tensor Products of RS codes (joint work with Daniel)
The challenging part is to construct folding operators satisfying “distance preservation”.
24 / 24