Deep-FRI: Sampling outside the box improves soundness

Eli Ben-Sasson, Lior Goldberg, Swastik Kopparty, Shubhangi Saraf

Research output: Chapter in Book/Report/Conference proceedingConference contribution

3 Scopus citations


Motivated by the quest for scalable and succinct zero knowledge arguments, we revisit worst-case-to-average-case reductions for linear spaces, raised by [Rothblum, Vadhan, Wigderson, STOC 2013]. The previous state of the art by [Ben-Sasson, Kopparty, Saraf, CCC 2018] showed that if some member of an affine space U is δ-far in relative Hamming distance from a linear code V – this is the worst-case assumption – then most elements of U are almost-δ-far from V – this is the average case. However, this result was known to hold only below the “double Johnson” function of the relative distance δV of the code V , i.e., only when δ < 1 − (1 − δV )1/4. First, we increase the soundness-bound to the “one-and-a-half Johnson” function of δV and show that the average distance of U from V is nearly δ for any worst-case distance δ smaller than 1 − (1 − δV )1/3. This bound is tight, which is somewhat surprising because the one-and-a-half Johnson function is unfamiliar in the literature on error correcting codes. To improve soundness further for Reed Solomon codes we sample outside the box. We suggest a new protocol in which the verifier samples a single point z outside the box D on which codewords are evaluated, and asks the prover for the value at z of the interpolating polynomial of a random element of U. Intuitively, the answer provided by the prover “forces” it to choose one codeword from a list of “pretenders” that are close to U. We call this technique Domain Extending for Eliminating Pretenders (DEEP). The DEEP method improves the soundness of the worst-case-to-average-case reduction for RS codes up their list decoding radius. This radius is bounded from below by the Johnson bound, implying average distance is approximately δ for all δ < 1 − (1 − δV )1/2. Under a plausible conjecture about the list decoding radius of Reed-Solomon codes, average distance from V is approximately δ for all δ. The DEEP technique can be generalized to all linear codes, giving improved reductions for capacity-achieving list-decodable codes. Finally, we use the DEEP technique to devise two new protocols: An Interactive Oracle Proof of Proximity (IOPP) for RS codes, called DEEP-FRI. The soundness of the protocol improves upon that of the FRI protocol of [Ben-Sasson et al., ICALP 2018] while retaining linear arithmetic proving complexity and logarithmic verifier arithmetic complexity. An Interactive Oracle Proof (IOP) for the Algebraic Linking IOP (ALI) protocol used to construct zero knowledge scalable transparent arguments of knowledge (ZK-STARKs) in [Ben-Sasson et al., eprint 2018]. The new protocol, called DEEP-ALI, improves soundness of this crucial step from a small constant < 1/8 to a constant arbitrarily close to 1.

Original languageEnglish (US)
Title of host publication11th Innovations in Theoretical Computer Science Conference, ITCS 2020
EditorsThomas Vidick
PublisherSchloss Dagstuhl- Leibniz-Zentrum fur Informatik GmbH, Dagstuhl Publishing
ISBN (Electronic)9783959771344
StatePublished - Jan 2020
Event11th Innovations in Theoretical Computer Science Conference, ITCS 2020 - Seattle, United States
Duration: Jan 12 2020Jan 14 2020

Publication series

NameLeibniz International Proceedings in Informatics, LIPIcs
ISSN (Print)1868-8969


Conference11th Innovations in Theoretical Computer Science Conference, ITCS 2020
Country/TerritoryUnited States

All Science Journal Classification (ASJC) codes

  • Software


  • Interactive oracle proofs of proximity
  • Low degree testing


Dive into the research topics of 'Deep-FRI: Sampling outside the box improves soundness'. Together they form a unique fingerprint.

Cite this