FRI Fast Reed-Solomon(RS ...
Transcript of FRI Fast Reed-Solomon(RS ...
FRIFast
Reed-Solomon (RS)Interactive Oracle Proofs of Proximity (IOPP)
From ICALP 2018 presentation
Eli Ben-Sasson Iddo Bentov Yinon Horesh Michael Riabzev
February 2019
Overviewtl;dr: FRI is a fast, FFT-like, IOP solution for verifying deg(f ) < d
I motivationI main result, applicationsI FRI protocol dive-in
Reed Solomon (RS) codes [RS60]
I prominent role in algebraic coding and computational complexityI For S ⊂ F a finite field and ρ ∈ (0, 1] a rate parameter
RS[F,S , ρ] = f : S → F | deg(f ) < ρ|S |
I RS codes have many desirable properties, likeI maximum distance separable (MDS): rel. Hamming distance 1− ρI efficient, quasi-linear time encoding via FFTI efficient unique decoding [BW83] and list decoding [GS99]I used in quasi-linear PCPs [BS05] and constant rate IOPs [BCGRS16]
I notation:I d = ρ|S | − 1 is degree;I n = |S | is blocklength;I ∆ is relative Hamming distance
Reed Solomon (RS) codes [RS60]
I prominent role in algebraic coding and computational complexityI For S ⊂ F a finite field and ρ ∈ (0, 1] a rate parameter
RS[F,S , ρ] = f : S → F | deg(f ) < ρ|S |
I RS codes have many desirable properties, likeI maximum distance separable (MDS): rel. Hamming distance 1− ρI efficient, quasi-linear time encoding via FFTI efficient unique decoding [BW83] and list decoding [GS99]I used in quasi-linear PCPs [BS05] and constant rate IOPs [BCGRS16]
I notation:I d = ρ|S | − 1 is degree;I n = |S | is blocklength;I ∆ is relative Hamming distance
Reed Solomon (RS) codes [RS60]
I prominent role in algebraic coding and computational complexityI For S ⊂ F a finite field and ρ ∈ (0, 1] a rate parameter
RS[F,S , ρ] = f : S → F | deg(f ) < ρ|S |
I RS codes have many desirable properties, likeI maximum distance separable (MDS): rel. Hamming distance 1− ρI efficient, quasi-linear time encoding via FFTI efficient unique decoding [BW83] and list decoding [GS99]I used in quasi-linear PCPs [BS05] and constant rate IOPs [BCGRS16]
I notation:I d = ρ|S | − 1 is degree;I n = |S | is blocklength;I ∆ is relative Hamming distance
RS proximity testing (RPT) problem
I Question: Construct a verifier V that hasI oracle access to f (0) : S (0) → FI completeness: If f (0) ∈ RS[F,S , ρ], then Pr[V accepts f (0)] = 1I soundness: otherwise, Pr[V rejects f (0)] ≥ ∆(f (0),RS[F,S (0), ρ])
while minimizing query complexity q.
I Answers:I q = d + 1 required and sufficient [folklore]I q = O(1/δ), if verifier has oracle access to PCPP [AS+ALMSS98]I PCPP can have quasi-linear length n logO(1) n [BS08, D07]I IOPP can have linear length O(n) [BCF+16, BBGR16]
RS proximity testing (RPT) problem
I Question: Construct a verifier V that hasI oracle access to f (0) : S (0) → FI completeness: If f (0) ∈ RS[F,S , ρ], then Pr[V accepts f (0)] = 1I soundness: otherwise, Pr[V rejects f (0)] ≥ ∆(f (0),RS[F,S (0), ρ])
while minimizing query complexity q.I Answers:
I q = d + 1 required and sufficient [folklore]
I q = O(1/δ), if verifier has oracle access to PCPP [AS+ALMSS98]I PCPP can have quasi-linear length n logO(1) n [BS08, D07]I IOPP can have linear length O(n) [BCF+16, BBGR16]
RS proximity testing (RPT) problem
I Question: Construct a verifier V that hasI oracle access to f (0) : S (0) → F and PCPP π : S (1) → FI completeness: If f (0) ∈ RS[F,S , ρ], then Pr[V accepts f (0)] = 1I soundness: otherwise, Pr[V rejects f (0)] ≥ ∆(f (0),RS[F,S (0), ρ])
while minimizing query complexity q.I Answers:
I q = d + 1 required and sufficient [folklore]I q = O(1/δ), if verifier has oracle access to PCPP [AS+ALMSS98]
I PCPP can have quasi-linear length n logO(1) n [BS08, D07]I IOPP can have linear length O(n) [BCF+16, BBGR16]
RS proximity testing (RPT) problem
I Question: Construct a verifier V that hasI oracle access to f (0) : S (0) → F and PCPP π : S (1) → FI completeness: If f (0) ∈ RS[F,S , ρ], then Pr[V accepts f (0)] = 1I soundness: otherwise, Pr[V rejects f (0)] ≥ ∆(f (0),RS[F,S (0), ρ])
while minimizing query complexity q.I Answers:
I q = d + 1 required and sufficient [folklore]I q = O(1/δ), if verifier has oracle access to PCPP [AS+ALMSS98]I PCPP can have quasi-linear length n logO(1) n [BS08, D07]I IOPP can have linear length O(n) [BCF+16, BBGR16]
RS proximity testing (RPT) problem
I Question: Construct a verifier V that hasI oracle access to f (0) : S (0) → F and PCPP π : S (1) → FI completeness: If f (0) ∈ RS[F,S , ρ], then Pr[V accepts f (0)] = 1I soundness: otherwise, Pr[V rejects f (0)] ≥ ∆(f (0),RS[F,S (0), ρ])
while minimizing query complexity q.I Answers:
I q = d + 1 required and sufficient [folklore]I q = O(1/δ), if verifier has oracle access to PCPP [AS+ALMSS98]I PCPP can have quasi-linear length n logO(1) n [BS08, D07]I IOPP can have linear length O(n) [BCF+16, BBGR16]
I Interactive Oracle Proof of Proximity (IOPP) model[BCS16,RRR16,BCF+16]I prover sends f (0) : S (0) → F; verifier sends random x (0)
I prover sends f (1) : S (1) → F; verifier sends random x (1)
I repeat for r roundsI verifier queries f (0), . . . , f (r); based on answers and (x (0), . . . , x (r−1))
verifier decides to accept/reject claim “f (0) ∈ RS[F, S (0), ρ
]”
RS proximity testing (RPT) problem
I Question: Construct a verifier V that hasI oracle access to f (0) : S (0) → F and PCPP π : S (1) → FI completeness: If f (0) ∈ RS[F,S , ρ], then Pr[V accepts f (0)] = 1I soundness: otherwise, Pr[V rejects f (0)] ≥ ∆(f (0),RS[F,S (0), ρ])
while minimizing query complexity q.I Answers:
I q = d + 1 required and sufficient [folklore]I q = O(1/δ), if verifier has oracle access to PCPP [AS+ALMSS98]I PCPP can have quasi-linear length n logO(1) n [BS08, D07]I IOPP can have linear length O(n) [BCF+16, BBGR16]
I This work: IOPP model, minimize q and1. total proof length ` = |π1|+ . . .+ |πr |2. prover arithmetic complexity tp3. verifier arithmetic complexity tv
4. for “small”, concrete, non-asymptotic values of n, (< 250), usingnon-asymptotic bounds (O,Ω,Θ)
I Why? 1–3 interesting theoretically, 4 important practically, for ZKsystems like Ligero [AHIV17], STARK [BBHR18], Aurora[BCRSVW19], . . .
RS proximity testing (RPT) problem
I Question: Construct a verifier V that hasI oracle access to f (0) : S (0) → F and PCPP π : S (1) → FI completeness: If f (0) ∈ RS[F,S , ρ], then Pr[V accepts f (0)] = 1I soundness: otherwise, Pr[V rejects f (0)] ≥ ∆(f (0),RS[F,S (0), ρ])
while minimizing query complexity q.I Answers:
I q = d + 1 required and sufficient [folklore]I q = O(1/δ), if verifier has oracle access to PCPP [AS+ALMSS98]I PCPP can have quasi-linear length n logO(1) n [BS08, D07]I IOPP can have linear length O(n) [BCF+16, BBGR16]
I This work: IOPP model, minimize q and1. total proof length ` = |π1|+ . . .+ |πr |2. prover arithmetic complexity tp3. verifier arithmetic complexity tv4. for “small”, concrete, non-asymptotic values of n, (< 250), using
non-asymptotic bounds (O,Ω,Θ)
I Why? 1–3 interesting theoretically, 4 important practically, for ZKsystems like Ligero [AHIV17], STARK [BBHR18], Aurora[BCRSVW19], . . .
RS proximity testing (RPT) problem
I Question: Construct a verifier V that hasI oracle access to f (0) : S (0) → F and PCPP π : S (1) → FI completeness: If f (0) ∈ RS[F,S , ρ], then Pr[V accepts f (0)] = 1I soundness: otherwise, Pr[V rejects f (0)] ≥ ∆(f (0),RS[F,S (0), ρ])
while minimizing query complexity q.I Answers:
I q = d + 1 required and sufficient [folklore]I q = O(1/δ), if verifier has oracle access to PCPP [AS+ALMSS98]I PCPP can have quasi-linear length n logO(1) n [BS08, D07]I IOPP can have linear length O(n) [BCF+16, BBGR16]
I This work: IOPP model, minimize q and1. total proof length ` = |π1|+ . . .+ |πr |2. prover arithmetic complexity tp3. verifier arithmetic complexity tv4. for “small”, concrete, non-asymptotic values of n, (< 250), using
non-asymptotic bounds (O,Ω,Θ)I Why? 1–3 interesting theoretically, 4 important practically, for ZK
systems like Ligero [AHIV17], STARK [BBHR18], Aurora[BCRSVW19], . . .
Prior RS proximity testing (RPT) results
provercomp.
prooflength
verifiercomp.
querycomp.
roundcomp.
folklore 0 0 O(ρn) ρn 0PCP [ALM+92] nO(1) nO(1) nO(1) O
( 1δ
)1
PCP [BFL+90] n1+ε n1+ε 1δ
log1/ε n 1δ
log1/ε n 1PCPP [BS+05] n log1.5 n n log1.5 n 1
δlog5.8 n 1
δlog5.8 n 1
PCPP [D07, M09] n logc n n logc n 1δ
logc n O( 1δ
)1
IOPP [BCF+16] n logc n > 4 · n 1δ
logc n O( 1δ
)log log n
This work < 6 · n < n3 ≤ 21 · log n 2 log n log n
2
Overview
I motivation XI main result, applicationsI FRI protocol dive-in
Main Result — Fast RS IOPP (FRI)
Theorem (Informal)
For “nice” RS codes RS[F,S (0), ρ
], the FRI protocol satisfies
I tp(n) ≤ 6 · n and `(n) ≤ n/3I tv(n) ≤ 21 · log n and q(n) ≤ 2 log nI r(n) ≤ 1
2 log n (round complexity)I soundness (rejection prob.) δ − 2n
|F| for all f(0) that are
δ < δ0-far from code, δ0 ≈ 1−ρ4
Remarks1. “nice” codes means S (0) is either of following two:
1.1 2-smooth multiplicative group, i.e., |S (0)| = 2k , k ∈ N, or1.2 binary additive groups, i.e., S(0) an F2-linear space
2. first PCPP/IOPP for RS codes achieving simultaneousI linear prover complexity, tp = O(n), andI sub-linear verifier complexity, tv = o(n)
Main Result — Fast RS IOPP (FRI)
Theorem (Informal)
For “nice” RS codes RS[F,S (0), ρ
], the FRI protocol satisfies
I tp(n) ≤ 6 · n and `(n) ≤ n/3I tv(n) ≤ 21 · log n and q(n) ≤ 2 log nI r(n) ≤ 1
2 log n (round complexity)I soundness (rejection prob.) δ − 2n
|F| for all f(0) that are
δ < δ0-far from code, δ0 ≈1−ρ4
Remarks1. “nice” codes means S (0) is either of following two:
1.1 2-smooth multiplicative group, i.e., |S (0)| = 2k , k ∈ N, or1.2 binary additive groups, i.e., S(0) an F2-linear space
2. first PCPP/IOPP for RS codes achieving simultaneousI linear prover complexity, tp = O(n), andI sub-linear verifier complexity, tv = o(n)
Main Result — Fast RS IOPP (FRI)
Theorem (Informal)
For “nice” RS codes RS[F,S (0), ρ
], the FRI protocol satisfies
I tp(n) ≤ 6 · n and `(n) ≤ n/3I tv(n) ≤ 21 · log n and q(n) ≤ 2 log nI r(n) ≤ 1
2 log n (round complexity)I soundness (rejection prob.) δ − 2n
|F| for all f(0) that are
δ < δ0-far from code, δ0 ≈1−ρ4 1− ρ 1
4 [BGKS19]
Remarks1. “nice” codes means S (0) is either of following two:
1.1 2-smooth multiplicative group, i.e., |S (0)| = 2k , k ∈ N, or1.2 binary additive groups, i.e., S(0) an F2-linear space
2. first PCPP/IOPP for RS codes achieving simultaneousI linear prover complexity, tp = O(n), andI sub-linear verifier complexity, tv = o(n)
Main Result — Fast RS IOPP (FRI)
Theorem (Informal)
For “nice” RS codes RS[F,S (0), ρ
], the FRI protocol satisfies
I tp(n) ≤ 6 · n and `(n) ≤ n/3I tv(n) ≤ 21 · log n and q(n) ≤ 2 log nI r(n) ≤ 1
2 log n (round complexity)I soundness (rejection prob.) δ − 2n
|F| for all f(0) that are
δ < δ0-far from code, δ0 ≈1−ρ4 1− ρ14 1
3 [BGKS19]
Remarks1. “nice” codes means S (0) is either of following two:
1.1 2-smooth multiplicative group, i.e., |S (0)| = 2k , k ∈ N, or1.2 binary additive groups, i.e., S(0) an F2-linear space
2. first PCPP/IOPP for RS codes achieving simultaneousI linear prover complexity, tp = O(n), andI sub-linear verifier complexity, tv = o(n)
Main Result — Fast RS IOPP (FRI)
Theorem (Informal)
For “nice” RS codes RS[F,S (0), ρ
], the FRI protocol satisfies
I tp(n) ≤ 6 · n and `(n) ≤ n/3I tv(n) ≤ 21 · log n and q(n) ≤ 2 log nI r(n) ≤ 1
2 log n (round complexity)I soundness (rejection prob.) δ − 2n
|F| for all f(0) that are
δ < δ0-far from code, δ0 ≈1−ρ4 1− ρ14 1
3 [BGKS19]
0 0.2 0.4 0.6 0.8 1
0
0.2
0.4
0.6
0.8
1
ρ
δ 0
upper boundJohnson boundunique decoding[BKS18] lower bound[BGKS19] tight boundthis work
FRI applications: (i) computational integrity and (ii) privacy
Definition (Computational Integrity (CI))is the language of quadruples (M, T , xin, xout) such that nondeterministicmachine M, on input xin reaches output xout after T cycles, T in binary.
FRI applications: (i) computational integrity and (ii) privacy
Definition (Computational Integrity (CI))is the language of quadruples (M, T , xin, xout) such that nondeterministicmachine M, on input xin reaches output xout after T cycles, T in binary.
LemmaCI is NEXP-complete
FRI applications: (i) computational integrity and (ii) privacy
Definition (Computational Integrity (CI))is the language of quadruples (M, T , xin, xout) such that nondeterministicmachine M, on input xin reaches output xout after T cycles, T in binary.
LemmaCI is NEXP-complete
Definition (proof system)An proof system S for L is a pair S = (V,P) satisfyingI efficiency V is randomized polynomial time; P unbounded item
completeness x ∈ L⇒ Pr [V(x)↔ P(x) acc] = 1I soundness x 6∈ L⇒ Pr [V(x)↔ P(x) acc] ≤ 1/2
FRI applications: (i) computational integrity and (ii) privacy
Definition (Computational Integrity (CI))is the language of quadruples (M, T , xin, xout) such that nondeterministicmachine M, on input xin reaches output xout after T cycles, T in binary.
LemmaCI is NEXP-complete
Definition (argument system)An argument system S for L is a pair S = (V,P) satisfyingI efficiency V is randomized polynomial time; P is similarly boundedI completeness x ∈ L⇒ Pr [V(x)↔ P(x) acc] = 1I soundness x 6∈ L⇒ Pr [V(x)↔ P(x) acc] ≤ 1/2
FRI applications: (i) computational integrity and (ii) privacy
Definition (Computational Integrity (CI))is the language of quadruples (M, T , xin, xout) such that nondeterministicmachine M, on input xin reaches output xout after T cycles, T in binary.
LemmaCI is NEXP-complete
Theorem ([BM88, GMR88, BFL88, BFL91 , BGKW88, FLS90,BFLS91, AS92, ALMSS92, K92, M94])CI has an argument system S = (V,P) that isI succinct: Verifier run-time poly(n, log T ); this bounds proof lengthI transparent (AM): verifier sends only public random coinsI private (ZK): proof preserves privacy of nondeterministic witness
FRI applications: (i) computational integrity and (ii) privacy
Theorem ([BM88, GMR88, BFL88, BFL91 , BGKW88, FLS90,BFLS91, AS92, ALMSS92, K92, M94])CI has an argument system S = (V,P) that isI succinct: Verifier run-time poly(n, log T ); this bounds proof lengthI transparent (AM): verifier sends only public random coinsI private (ZK): proof preserves privacy of nondeterministic witness
1. privacy-preserving proof of computational integrityI Proof and verification time may be longer than TI Useful for asserting properties of private, crypto-committed data
2. compression of computation/data, with computational integrityI meaningful when tv T or ` witness-sizeI useful for compressing blockchain history
I Scalable Transparent ARguments of Knowledge [BBHR18]I C++ implementation: github.com/elibensasson/libSTARKI achieves Thm above, quasi-linear tp, “post-quantum secure”I FRI is a major contributor to STARK efficiency
FRI applications: (i) computational integrity and (ii) privacy
Theorem ([BM88, GMR88, BFL88, BFL91 , BGKW88, FLS90,BFLS91, AS92, ALMSS92, K92, M94])CI has an argument system S = (V,P) that isI succinct: Verifier run-time poly(n, log T ); this bounds proof lengthI transparent (AM): verifier sends only public random coinsI private (ZK): proof preserves privacy of nondeterministic witness
1. privacy-preserving proof of computational integrityI Proof and verification time may be longer than TI Useful for asserting properties of private, crypto-committed data
2. compression of computation/data, with computational integrityI meaningful when tv T or ` witness-sizeI useful for compressing blockchain history
I Scalable Transparent ARguments of Knowledge [BBHR18]I C++ implementation: github.com/elibensasson/libSTARKI achieves Thm above, quasi-linear tp, “post-quantum secure”I FRI is a major contributor to STARK efficiency
FRI applications: (i) computational integrity and (ii) privacy
Theorem ([BM88, GMR88, BFL88, BFL91 , BGKW88, FLS90,BFLS91, AS92, ALMSS92, K92, M94])CI has an argument system S = (V,P) that isI succinct: Verifier run-time poly(n, log T ); this bounds proof lengthI transparent (AM): verifier sends only public random coinsI private (ZK): proof preserves privacy of nondeterministic witness
1. privacy-preserving proof of computational integrityI Proof and verification time may be longer than TI Useful for asserting properties of private, crypto-committed data
2. compression of computation/data, with computational integrityI meaningful when tv T or ` witness-sizeI useful for compressing blockchain history
I Scalable Transparent ARguments of Knowledge [BBHR18]I C++ implementation: github.com/elibensasson/libSTARKI achieves Thm above, quasi-linear tp, “post-quantum secure”I FRI is a major contributor to STARK efficiency
Overview
I motivation XI main result, applications XI FRI protocol dive-in
Overview of FRI protocol
Theorem (Informal)
For “nice” RS codes RS[F,S (0), ρ
], the FRI protocol satisfies
I tp(n) ≤ 6 · n and `(n) ≤ n/3I tv(n) ≤ 21 · log n and q(n) ≤ 2 log nI r(n) ≤ 1
2 log n (round complexity)I soundness (rejection prob.) δ − 2n
|F| for all f(0) that are
δ < δ0-far from code, δ0 ≈1−ρ4 1− ρ14 1
3 [BGKS19]
Recall the inverse Fast Fourier Transform (iFFT)I evaluate P(X ), deg(P) < n on 〈ω〉, ω is root of unity of order n = 2k
I write P(X ) = P0(X2) + X · P1(X
2)
I equivalently, P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2
I notice 〈ω2〉 has size n/2I so evaluate each of P0(Y ),P1(Y ) on 〈ω2〉, . . . , O(n log n) runtime
Overview of FRI protocol
Theorem (Informal)
For “nice” RS codes RS[F,S (0), ρ
], the FRI protocol satisfies
I tp(n) ≤ 6 · n and `(n) ≤ n/3I tv(n) ≤ 21 · log n and q(n) ≤ 2 log nI r(n) ≤ 1
2 log n (round complexity)I soundness (rejection prob.) δ − 2n
|F| for all f(0) that are
δ < δ0-far from code, δ0 ≈1−ρ4 1− ρ14 1
3 [BGKS19]
Recall the inverse Fast Fourier Transform (iFFT)I evaluate P(X ), deg(P) < n on 〈ω〉, ω is root of unity of order n = 2k
I write P(X ) = P0(X2) + X · P1(X
2)
I equivalently, P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2
I notice 〈ω2〉 has size n/2I so evaluate each of P0(Y ),P1(Y ) on 〈ω2〉, . . . , O(n log n) runtime
Overview of FRI protocol
Theorem (Informal)
For “nice” RS codes RS[F,S (0), ρ
], the FRI protocol satisfies
I tp(n) ≤ 6 · n and `(n) ≤ n/3I tv(n) ≤ 21 · log n and q(n) ≤ 2 log nI r(n) ≤ 1
2 log n (round complexity)I soundness (rejection prob.) δ − 2n
|F| for all f(0) that are
δ < δ0-far from code, δ0 ≈1−ρ4 1− ρ14 1
3 [BGKS19]
Recall the inverse Fast Fourier Transform (iFFT)I evaluate P(X ), deg(P) < n on 〈ω〉, ω is root of unity of order n = 2k
I write P(X ) = P0(X2) + X · P1(X
2)
I equivalently, P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2
I notice 〈ω2〉 has size n/2I so evaluate each of P0(Y ),P1(Y ) on 〈ω2〉, . . . , O(n log n) runtime
Overview of FRI protocol
Theorem (Informal)
For “nice” RS codes RS[F,S (0), ρ
], the FRI protocol satisfies
I tp(n) ≤ 6 · n and `(n) ≤ n/3I tv(n) ≤ 21 · log n and q(n) ≤ 2 log nI r(n) ≤ 1
2 log n (round complexity)I soundness (rejection prob.) δ − 2n
|F| for all f(0) that are
δ < δ0-far from code, δ0 ≈1−ρ4 1− ρ14 1
3 [BGKS19]
Recall the inverse Fast Fourier Transform (iFFT)I evaluate P(X ), deg(P) < n on 〈ω〉, ω is root of unity of order n = 2k
I write P(X ) = P0(X2) + X · P1(X
2)
I equivalently, P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2
I notice 〈ω2〉 has size n/2
I so evaluate each of P0(Y ),P1(Y ) on 〈ω2〉, . . . , O(n log n) runtime
Overview of FRI protocol
Theorem (Informal)
For “nice” RS codes RS[F,S (0), ρ
], the FRI protocol satisfies
I tp(n) ≤ 6 · n and `(n) ≤ n/3I tv(n) ≤ 21 · log n and q(n) ≤ 2 log nI r(n) ≤ 1
2 log n (round complexity)I soundness (rejection prob.) δ − 2n
|F| for all f(0) that are
δ < δ0-far from code, δ0 ≈1−ρ4 1− ρ14 1
3 [BGKS19]
Recall the inverse Fast Fourier Transform (iFFT)I evaluate P(X ), deg(P) < n on 〈ω〉, ω is root of unity of order n = 2k
I write P(X ) = P0(X2) + X · P1(X
2)
I equivalently, P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2
I notice 〈ω2〉 has size n/2I so evaluate each of P0(Y ),P1(Y ) on 〈ω2〉, . . . , O(n log n) runtime
FRI Protocol
I Let S (0) ⊂ F∗ be 2-smooth mult. group: |S (0)| = 2k(0), k(0) ∈ N
I Let f (0) : S (0) → F, FRI for RS(0) = RS[F,S (0), ρ = 1
8
]
I Two-phase protocolI COMMIT: while i < k (0) − log 1
ρ
I verifier sends randomness x(i)
I prover sends oracle f (i+1) : S(i+1) → F, |S(i+1)| = |S(i)|/2I completeness: If f (i) ∈ RS[F, S(i), ρ] then f (i+1) ∈ RS[F,S(i+1), ρ]I each entry of f (i+1) computed from 2 distinct entries of f (i) via O(1)
arithmetic operations (so tp = O(n))I #rounds ≤ k(0) = log nI last round (i = k(0) − log 1/ρ): prover sends constant functionI (notice |f (i+1)| = |f (i)|/2 so total proof length O(n))
I QUERY: verifier queries oracles (prover not involved)
FRI Protocol
I Let S (0) ⊂ F∗ be 2-smooth mult. group: |S (0)| = 2k(0), k(0) ∈ N
I Let f (0) : S (0) → F, FRI for RS(0) = RS[F,S (0), ρ = 1
8
]I Two-phase protocol
I COMMIT: while i < k (0) − log 1ρ
I verifier sends randomness x(i)
I prover sends oracle f (i+1) : S(i+1) → F, |S(i+1)| = |S(i)|/2
I completeness: If f (i) ∈ RS[F, S(i), ρ] then f (i+1) ∈ RS[F,S(i+1), ρ]I each entry of f (i+1) computed from 2 distinct entries of f (i) via O(1)
arithmetic operations (so tp = O(n))I #rounds ≤ k(0) = log nI last round (i = k(0) − log 1/ρ): prover sends constant functionI (notice |f (i+1)| = |f (i)|/2 so total proof length O(n))
I QUERY: verifier queries oracles (prover not involved)
FRI Protocol
I Let S (0) ⊂ F∗ be 2-smooth mult. group: |S (0)| = 2k(0), k(0) ∈ N
I Let f (0) : S (0) → F, FRI for RS(0) = RS[F,S (0), ρ = 1
8
]I Two-phase protocol
I COMMIT: while i < k (0) − log 1ρ
I verifier sends randomness x(i)
I prover sends oracle f (i+1) : S(i+1) → F, |S(i+1)| = |S(i)|/2I completeness: If f (i) ∈ RS[F, S(i), ρ] then f (i+1) ∈ RS[F,S(i+1), ρ]
I each entry of f (i+1) computed from 2 distinct entries of f (i) via O(1)arithmetic operations (so tp = O(n))
I #rounds ≤ k(0) = log nI last round (i = k(0) − log 1/ρ): prover sends constant functionI (notice |f (i+1)| = |f (i)|/2 so total proof length O(n))
I QUERY: verifier queries oracles (prover not involved)
FRI Protocol
I Let S (0) ⊂ F∗ be 2-smooth mult. group: |S (0)| = 2k(0), k(0) ∈ N
I Let f (0) : S (0) → F, FRI for RS(0) = RS[F,S (0), ρ = 1
8
]I Two-phase protocol
I COMMIT: while i < k (0) − log 1ρ
I verifier sends randomness x(i)
I prover sends oracle f (i+1) : S(i+1) → F, |S(i+1)| = |S(i)|/2I completeness: If f (i) ∈ RS[F, S(i), ρ] then f (i+1) ∈ RS[F,S(i+1), ρ]I each entry of f (i+1) computed from 2 distinct entries of f (i) via O(1)
arithmetic operations (so tp = O(n))
I #rounds ≤ k(0) = log nI last round (i = k(0) − log 1/ρ): prover sends constant functionI (notice |f (i+1)| = |f (i)|/2 so total proof length O(n))
I QUERY: verifier queries oracles (prover not involved)
FRI Protocol
I Let S (0) ⊂ F∗ be 2-smooth mult. group: |S (0)| = 2k(0), k(0) ∈ N
I Let f (0) : S (0) → F, FRI for RS(0) = RS[F,S (0), ρ = 1
8
]I Two-phase protocol
I COMMIT: while i < k (0) − log 1ρ
I verifier sends randomness x(i)
I prover sends oracle f (i+1) : S(i+1) → F, |S(i+1)| = |S(i)|/2I completeness: If f (i) ∈ RS[F, S(i), ρ] then f (i+1) ∈ RS[F,S(i+1), ρ]I each entry of f (i+1) computed from 2 distinct entries of f (i) via O(1)
arithmetic operations (so tp = O(n))I #rounds ≤ k(0) = log nI last round (i = k(0) − log 1/ρ): prover sends constant function
I (notice |f (i+1)| = |f (i)|/2 so total proof length O(n))I QUERY: verifier queries oracles (prover not involved)
FRI Protocol
I Let S (0) ⊂ F∗ be 2-smooth mult. group: |S (0)| = 2k(0), k(0) ∈ N
I Let f (0) : S (0) → F, FRI for RS(0) = RS[F,S (0), ρ = 1
8
]I Two-phase protocol
I COMMIT: while i < k (0) − log 1ρ
I verifier sends randomness x(i)
I prover sends oracle f (i+1) : S(i+1) → F, |S(i+1)| = |S(i)|/2I completeness: If f (i) ∈ RS[F, S(i), ρ] then f (i+1) ∈ RS[F,S(i+1), ρ]I each entry of f (i+1) computed from 2 distinct entries of f (i) via O(1)
arithmetic operations (so tp = O(n))I #rounds ≤ k(0) = log nI last round (i = k(0) − log 1/ρ): prover sends constant functionI (notice |f (i+1)| = |f (i)|/2 so total proof length O(n))
I QUERY: verifier queries oracles (prover not involved)
Example: S (0) = F∗17, n = 24, ρ = 2−2
COMMIT phase has log |S (0)| − log ρ= 2 rounds; during ith roundI verifier sends random x (i) ∈ FI prover sends next oracle f (i+1) : S (i+1) → F
I S (i+1) is 2-smooth multiplicative group, |S (i+1)| = |S (i)|/2I each entry of f (i+1) computed from 2 distinct entries of f (i)
I termination: When i = k(0) − log 1/ρ prover sends constant function
QUERY phase: pick random s(0) ∈ S (0) and check path-to-root
Example: S (0) = F∗17, n = 24, ρ = 2−2
COMMIT phase has log |S (0)| − log ρ= 2 rounds; during ith roundI verifier sends random x (i) ∈ FI prover sends next oracle f (i+1) : S (i+1) → F
I S (i+1) is 2-smooth multiplicative group, |S (i+1)| = |S (i)|/2I each entry of f (i+1) computed from 2 distinct entries of f (i)
I termination: When i = k(0) − log 1/ρ prover sends constant functionQUERY phase: pick random s(0) ∈ S (0) and check path-to-root
Example: S (0) = F∗17, n = 24, ρ = 2−2
COMMIT phase has log |S (0)| − log ρ= 2 rounds; during ith roundI verifier sends random x (i) ∈ FI prover sends next oracle f (i+1) : S (i+1) → F
I S (i+1) is 2-smooth multiplicative group, |S (i+1)| = |S (i)|/2I each entry of f (i+1) computed from 2 distinct entries of f (i)
I termination: When i = k(0) − log 1/ρ prover sends constant functionQUERY phase: pick random s(0) ∈ S (0) and check path-to-root
Example: S (0) = F∗17, n = 24, ρ = 2−2
COMMIT phase has log |S (0)| − log ρ= 2 rounds; during ith roundI verifier sends random x (i) ∈ FI prover sends next oracle f (i+1) : S (i+1) → F
I S (i+1) is 2-smooth multiplicative group, |S (i+1)| = |S (i)|/2I each entry of f (i+1) computed from 2 distinct entries of f (i)
I termination: When i = k(0) − log 1/ρ prover sends constant functionQUERY phase: pick random s(0) ∈ S (0) and check path-to-root
FRI COMMIT — single round
I suppose f (0) : F∗17 → F17 satisfies deg(f (0)) < 4
I let P(X ) interpolate f (0), deg(P) < 4I write P(X ) = P0(X
2) + X · P1(X2), FFT-style
I then P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2
I let Q(X ,Y ) , P0(Y ) + X · P1(Y ),I Q(X ,Y ) ≡ P(X ) mod Y − X 2
I consider points in F× F on curve Y − X 2,
0 2 4 6 8 10 12 14 16
12345678910111213141516
1 2 3 4 5 6 7 8 9 10111213141516
FRI COMMIT — single round
I suppose f (0) : F∗17 → F17 satisfies deg(f (0)) < 4I let P(X ) interpolate f (0), deg(P) < 4
I write P(X ) = P0(X2) + X · P1(X
2), FFT-styleI then P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2
I let Q(X ,Y ) , P0(Y ) + X · P1(Y ),I Q(X ,Y ) ≡ P(X ) mod Y − X 2
I consider points in F× F on curve Y − X 2,
0 2 4 6 8 10 12 14 16
12345678910111213141516
1 2 3 4 5 6 7 8 9 10111213141516
FRI COMMIT — single round
I suppose f (0) : F∗17 → F17 satisfies deg(f (0)) < 4I let P(X ) interpolate f (0), deg(P) < 4I write P(X ) = P0(X
2) + X · P1(X2), FFT-style
I then P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2
I let Q(X ,Y ) , P0(Y ) + X · P1(Y ),I Q(X ,Y ) ≡ P(X ) mod Y − X 2
I consider points in F× F on curve Y − X 2,
0 2 4 6 8 10 12 14 16
12345678910111213141516
1 2 3 4 5 6 7 8 9 10111213141516
FRI COMMIT — single round
I suppose f (0) : F∗17 → F17 satisfies deg(f (0)) < 4I let P(X ) interpolate f (0), deg(P) < 4I write P(X ) = P0(X
2) + X · P1(X2), FFT-style
I then P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2
I let Q(X ,Y ) , P0(Y ) + X · P1(Y ),I Q(X ,Y ) ≡ P(X ) mod Y − X 2
I consider points in F× F on curve Y − X 2,
0 2 4 6 8 10 12 14 16
12345678910111213141516
1 2 3 4 5 6 7 8 9 10111213141516
FRI COMMIT — single round
I suppose f (0) : F∗17 → F17 satisfies deg(f (0)) < 4I let P(X ) interpolate f (0), deg(P) < 4I write P(X ) = P0(X
2) + X · P1(X2), FFT-style
I then P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2
I let Q(X ,Y ) , P0(Y ) + X · P1(Y ),I Q(X ,Y ) ≡ P(X ) mod Y − X 2
I consider points in F× F on curve Y − X 2,
0 2 4 6 8 10 12 14 16
12345678910111213141516
1 2 3 4 5 6 7 8 9 10111213141516
FRI COMMIT — single round
I suppose f (0) : F∗17 → F17 satisfies deg(f (0)) < 4I let P(X ) interpolate f (0), deg(P) < 4I write P(X ) = P0(X
2) + X · P1(X2), FFT-style
I then P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2
I let Q(X ,Y ) , P0(Y ) + X · P1(Y ),I Q(X ,Y ) ≡ P(X ) mod Y − X 2
I consider points in F× F on curve Y − X 2,
0 2 4 6 8 10 12 14 16
12345678910111213141516
1 2 3 4 5 6 7 8 9 10111213141516
FRI COMMIT — single round
I suppose f (0) : F∗17 → F17 satisfies deg(f (0)) < 4I let P(X ) interpolate f (0), deg(P) < 4I write P(X ) = P0(X
2) + X · P1(X2), FFT-style
I then P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2
I let Q(X ,Y ) , P0(Y ) + X · P1(Y ),I Q(X ,Y ) ≡ P(X ) mod Y − X 2
I degX (Q) < 2; degY (Q) ≤ deg(P)/2I S (1) =
x2 | x ∈ S (0)
is mult. group, |S (1)| = |S (0)|/2
0 2 4 6 8 10 12 14 16
12345678910111213141516
1 2 3 4 5 6 7 8 9 10111213141516
FRI COMMIT — single round
I suppose f (0) : F∗17 → F17 satisfies deg(f (0)) < 4I let P(X ) interpolate f (0), deg(P) < 4I write P(X ) = P0(X
2) + X · P1(X2), FFT-style
I then P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2
I let Q(X ,Y ) , P0(Y ) + X · P1(Y ),I Q(X ,Y ) ≡ P(X ) mod Y − X 2
I degX (Q) < 2; degY (Q) ≤ deg(P)/2I S (1) =
x2 | x ∈ S (0)
is mult. group, |S (1)| = |S (0)|/2
0 2 4 6 8 10 12 14 16
12345678910111213141516
1 2 3 4 5 6 7 8 9 10111213141516
COMMIT roundI Verifier picks random x (0) ∈ FI f (1) = Q(x (0),Y )|S(1)
I each entry of f (1) interpolatedfrom two entries of f (0)
I deg(f (1)) = degY (Q) < ρ|S (1)|
FRI vs. inverse FFT
I suppose f (0) : F∗17 → F17 satisfies deg(f (0)) < 4I find P(X ) that interpolates f (0)
I write P(X ) = P0(X2) + X · P1(X
2), FFT-styleI then P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2
I let Q(X ,Y ) , P0(Y ) + X · P1(Y ),I Q(X ,Y ) ≡ P(X ) mod Y − X 2
I degX (Q) < 2; degY (Q) ≤ deg(P)/2I S (1) =
x2 | x ∈ S (0)
is mult. group, |S (1)| = |S (0)|/2
0 1 2 3 4 5 6 7 8 9 10111213141516∞12345678910111213141516
I P0(Y ) = Q(0,Y ),P1(Y ) = Q(∞,Y )
I let g0 = Q(0,Y )|S (1) ,g1 = Q(∞,Y )|S(1)
I compute g0, g1, O(n) stepsI recurse on g0, g1
FRI vs. inverse FFT
I suppose f (0) : F∗17 → F17 satisfies deg(f (0)) < 4I find P(X ) that interpolates f (0)
I write P(X ) = P0(X2) + X · P1(X
2), FFT-styleI then P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2
I let Q(X ,Y ) , P0(Y ) + X · P1(Y ),I Q(X ,Y ) ≡ P(X ) mod Y − X 2
I degX (Q) < 2; degY (Q) ≤ deg(P)/2I S (1) =
x2 | x ∈ S (0)
is mult. group, |S (1)| = |S (0)|/2
0 1 2 3 4 5 6 7 8 9 10111213141516∞12345678910111213141516
I P0(Y ) = Q(0,Y ),P1(Y ) = Q(∞,Y )
I let g0 = Q(0,Y )|S (1) ,g1 = Q(∞,Y )|S(1)
I compute g0, g1, O(n) stepsI recurse on g0, g1
Soundness analysis — low error
0 2 4 6 8 10 12 14 16
12345678910111213141516
1 2 3 4 5 6 7 8 9 10111213141516
For simplicity, suppose f (0) is δ < 1−ρ4 -far from 0
I y ∈ S (1) good if f (0)(x0) = f (0)(x1) = 0 for x20 = x2
1 = y
I otherwise, y ∈ S (1) badI fraction of bad y ’s in S (1) between δ and 2δ
I interpolant of bad row has at most 1 root
I w.p. 1− |S(1)||F| , x
(0) misses roots of bad rows; call such x (0) goodI prover left with two bad options:
I let f (1) “jump” to be closer to non-zero RS-codeword; large error;I continue with f (1) close to 0;
Soundness analysis — low error
0 2 4 6 8 10 12 14 16
12345678910111213141516
1 2 3 4 5 6 7 8 9 10111213141516
For simplicity, suppose f (0) is δ < 1−ρ4 -far from 0
I y ∈ S (1) good if f (0)(x0) = f (0)(x1) = 0 for x20 = x2
1 = y
I otherwise, y ∈ S (1) badI fraction of bad y ’s in S (1) between δ and 2δI interpolant of bad row has at most 1 root
I w.p. 1− |S(1)||F| , x
(0) misses roots of bad rows; call such x (0) goodI prover left with two bad options:
I let f (1) “jump” to be closer to non-zero RS-codeword; large error;I continue with f (1) close to 0;
Soundness analysis — low error
0 2 4 6 8 10 12 14 16
12345678910111213141516
1 2 3 4 5 6 7 8 9 10111213141516
For simplicity, suppose f (0) is δ < 1−ρ4 -far from 0
I y ∈ S (1) good if f (0)(x0) = f (0)(x1) = 0 for x20 = x2
1 = y
I otherwise, y ∈ S (1) badI fraction of bad y ’s in S (1) between δ and 2δI interpolant of bad row has at most 1 root
I w.p. 1− |S(1)||F| , x
(0) misses roots of bad rows; call such x (0) good
I prover left with two bad options:I let f (1) “jump” to be closer to non-zero RS-codeword; large error;I continue with f (1) close to 0;
Soundness analysis — low error
0 2 4 6 8 10 12 14 16
12345678910111213141516
1 2 3 4 5 6 7 8 9 10111213141516
For simplicity, suppose f (0) is δ < 1−ρ4 -far from 0
I y ∈ S (1) good if f (0)(x0) = f (0)(x1) = 0 for x20 = x2
1 = y
I otherwise, y ∈ S (1) badI fraction of bad y ’s in S (1) between δ and 2δI interpolant of bad row has at most 1 root
I w.p. 1− |S(1)||F| , x
(0) misses roots of bad rows; call such x (0) goodI prover left with two bad options:
I let f (1) “jump” to be closer to non-zero RS-codeword; large error;I continue with f (1) close to 0;
Summary
I first RPT solution with tp = O(n) and tv = O(log n)
I nearly optimal soundness for δ < δ0
I what’s δ0? (higher lines are better)
Summary
I first RPT solution with tp = O(n) and tv = O(log n)
I nearly optimal soundness for δ < δ0I what’s δ0? (higher lines are better)
0 0.2 0.4 0.6 0.8 1
0
0.2
0.4
0.6
0.8
1
ρ
δ 0[BBHR18] lower bound[BKS18] lower boundupper boundunique decodingJohnson bound
Summary
I first RPT solution with tp = O(n) and tv = O(log n)
I nearly optimal soundness for δ < δ0I what’s δ0? (higher lines are better)
0 0.2 0.4 0.6 0.8 1
0
0.2
0.4
0.6
0.8
1
ρ
δ 0[BBHR18] lower bound[BKS18] lower boundupper boundunique decodingDEEP-FRI [BGKS19]FRI tight [BGKS19]
I New protocol: DEEP-FRI [B, Goldberg, Kopparty, Saraf 2019]I DEEP-FRI: Domain Extending for Eliminating Pretenders FRII like FRI, has linear proving complexity, logarithmic verifer complexityI DEEP-FRI soundness reaches Johnson bound δ0 ≈ 1−√ρI Under plausible list decoding conjecture, reaches δ0 ≈ 1− ρ
Summary
I first RPT solution with tp = O(n) and tv = O(log n)
I nearly optimal soundness for δ < δ0I what’s δ0? (higher lines are better)
I QuestionsI “sliding scale” soundness-error ≈ 1/poly(|F|) for RS-IOPPs?
I want to learn more? [email protected] want to realize in practice? [email protected]
Summary
I first RPT solution with tp = O(n) and tv = O(log n)
I nearly optimal soundness for δ < δ0I what’s δ0? (higher lines are better)
I QuestionsI “sliding scale” soundness-error ≈ 1/poly(|F|) for RS-IOPPs?I want to learn more? [email protected] want to realize in practice? [email protected]