TY - GEN
T1 - Deep-FRI
T2 - 11th Innovations in Theoretical Computer Science Conference, ITCS 2020
AU - Ben-Sasson, Eli
AU - Goldberg, Lior
AU - Kopparty, Swastik
AU - Saraf, Shubhangi
N1 - Funding Information:
Funding Swastik Kopparty: Research supported in part by NSF grants CCF-1253886, CCF-1540634, CCF-1814409 and CCF-1412958, and BSF grant 2014359. Some of this research was done while visiting the Institute for Advanced Study. Shubhangi Saraf : Research supported in part by NSF grants CCF-1350572, CCF-1540634 and CCF-1412958, BSF grant 2014359, a Sloan research fellowship and the Simons Collaboration on Algorithms and Geometry. Some of this research was done while visiting the Institute for Advanced Study.
Publisher Copyright:
© Eli Ben-Sasson, Lior Goldberg, Swastik Kopparty, and Shubhangi Saraf.
PY - 2020/1
Y1 - 2020/1
N2 - Motivated by the quest for scalable and succinct zero knowledge arguments, we revisit worst-case-to-average-case reductions for linear spaces, raised by [Rothblum, Vadhan, Wigderson, STOC 2013]. The previous state of the art by [Ben-Sasson, Kopparty, Saraf, CCC 2018] showed that if some member of an affine space U is δ-far in relative Hamming distance from a linear code V – this is the worst-case assumption – then most elements of U are almost-δ-far from V – this is the average case. However, this result was known to hold only below the “double Johnson” function of the relative distance δV of the code V , i.e., only when δ < 1 − (1 − δV )1/4. First, we increase the soundness-bound to the “one-and-a-half Johnson” function of δV and show that the average distance of U from V is nearly δ for any worst-case distance δ smaller than 1 − (1 − δV )1/3. This bound is tight, which is somewhat surprising because the one-and-a-half Johnson function is unfamiliar in the literature on error correcting codes. To improve soundness further for Reed Solomon codes we sample outside the box. We suggest a new protocol in which the verifier samples a single point z outside the box D on which codewords are evaluated, and asks the prover for the value at z of the interpolating polynomial of a random element of U. Intuitively, the answer provided by the prover “forces” it to choose one codeword from a list of “pretenders” that are close to U. We call this technique Domain Extending for Eliminating Pretenders (DEEP). The DEEP method improves the soundness of the worst-case-to-average-case reduction for RS codes up their list decoding radius. This radius is bounded from below by the Johnson bound, implying average distance is approximately δ for all δ < 1 − (1 − δV )1/2. Under a plausible conjecture about the list decoding radius of Reed-Solomon codes, average distance from V is approximately δ for all δ. The DEEP technique can be generalized to all linear codes, giving improved reductions for capacity-achieving list-decodable codes. Finally, we use the DEEP technique to devise two new protocols: An Interactive Oracle Proof of Proximity (IOPP) for RS codes, called DEEP-FRI. The soundness of the protocol improves upon that of the FRI protocol of [Ben-Sasson et al., ICALP 2018] while retaining linear arithmetic proving complexity and logarithmic verifier arithmetic complexity. An Interactive Oracle Proof (IOP) for the Algebraic Linking IOP (ALI) protocol used to construct zero knowledge scalable transparent arguments of knowledge (ZK-STARKs) in [Ben-Sasson et al., eprint 2018]. The new protocol, called DEEP-ALI, improves soundness of this crucial step from a small constant < 1/8 to a constant arbitrarily close to 1.
AB - Motivated by the quest for scalable and succinct zero knowledge arguments, we revisit worst-case-to-average-case reductions for linear spaces, raised by [Rothblum, Vadhan, Wigderson, STOC 2013]. The previous state of the art by [Ben-Sasson, Kopparty, Saraf, CCC 2018] showed that if some member of an affine space U is δ-far in relative Hamming distance from a linear code V – this is the worst-case assumption – then most elements of U are almost-δ-far from V – this is the average case. However, this result was known to hold only below the “double Johnson” function of the relative distance δV of the code V , i.e., only when δ < 1 − (1 − δV )1/4. First, we increase the soundness-bound to the “one-and-a-half Johnson” function of δV and show that the average distance of U from V is nearly δ for any worst-case distance δ smaller than 1 − (1 − δV )1/3. This bound is tight, which is somewhat surprising because the one-and-a-half Johnson function is unfamiliar in the literature on error correcting codes. To improve soundness further for Reed Solomon codes we sample outside the box. We suggest a new protocol in which the verifier samples a single point z outside the box D on which codewords are evaluated, and asks the prover for the value at z of the interpolating polynomial of a random element of U. Intuitively, the answer provided by the prover “forces” it to choose one codeword from a list of “pretenders” that are close to U. We call this technique Domain Extending for Eliminating Pretenders (DEEP). The DEEP method improves the soundness of the worst-case-to-average-case reduction for RS codes up their list decoding radius. This radius is bounded from below by the Johnson bound, implying average distance is approximately δ for all δ < 1 − (1 − δV )1/2. Under a plausible conjecture about the list decoding radius of Reed-Solomon codes, average distance from V is approximately δ for all δ. The DEEP technique can be generalized to all linear codes, giving improved reductions for capacity-achieving list-decodable codes. Finally, we use the DEEP technique to devise two new protocols: An Interactive Oracle Proof of Proximity (IOPP) for RS codes, called DEEP-FRI. The soundness of the protocol improves upon that of the FRI protocol of [Ben-Sasson et al., ICALP 2018] while retaining linear arithmetic proving complexity and logarithmic verifier arithmetic complexity. An Interactive Oracle Proof (IOP) for the Algebraic Linking IOP (ALI) protocol used to construct zero knowledge scalable transparent arguments of knowledge (ZK-STARKs) in [Ben-Sasson et al., eprint 2018]. The new protocol, called DEEP-ALI, improves soundness of this crucial step from a small constant < 1/8 to a constant arbitrarily close to 1.
KW - Interactive oracle proofs of proximity
KW - Low degree testing
KW - STARK
UR - http://www.scopus.com/inward/record.url?scp=85078030774&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85078030774&partnerID=8YFLogxK
U2 - 10.4230/LIPIcs.ITCS.2020.5
DO - 10.4230/LIPIcs.ITCS.2020.5
M3 - Conference contribution
AN - SCOPUS:85078030774
T3 - Leibniz International Proceedings in Informatics, LIPIcs
BT - 11th Innovations in Theoretical Computer Science Conference, ITCS 2020
A2 - Vidick, Thomas
PB - Schloss Dagstuhl- Leibniz-Zentrum fur Informatik GmbH, Dagstuhl Publishing
Y2 - 12 January 2020 through 14 January 2020
ER -