skip to content
PSYCHO VIRTUAL

Proximity Is What You Want (1/5)

/ 6 min read

Proximity Is What You Want: Low-Degree Testing for Reed-Solomon Codes

Thanks to Giacomo Fenzi for helpful review and feedback. Full HackMD note can be found here

Reed-Solomon(RS) codes are an important tool within computer science. The deep history of these codes covers over fifty years of real-world applications. In many ways, they are the fundamental building block for how data is stored and transferred in the digital era.

RS-codes remain an extremely active and rich area of research in the field of theoretic computer science. The most exciting new area of research is within the context of zero-knowledge cryptography and interactive oracle proofs(IOP). Many of the properties that make RS-codes useful for working with data, also translate to the construction of efficient proof systems.

One of these properties is the concept of proximity testing. Given a codeword RS[F,L,d]RS[\mathbb{F}, L, d] and a function f:LFf:L \rightarrow \mathbb{F}, we can determine whether ff is a code-word or δ\delta-close to a code-word by querying ff at only a few locations. Specifically, we test a proximity to a low-degree polynomial pp with respect to LL:

Δ(f,p)δ\Delta(f,p) \le \delta

This property is extremely useful when building proof systems with low query-complexity.

This note is an outcome of my learning from a close study of the following papers [ACY23], [ACFY24], [BCIKS20], [VIT], [H22] and [ASZ]. Unless otherwise specified, all equations are derived from those sources. For an in-depth review of error-correcting codes [Gur04] is an invaluable resource.

We provide a high-level overview of the core tools used in building proximity tests and demonstrates several applications in the context of Interactive Oracle Proofs of Proximity (IOPP).

:::info For the purpose of this note, we focus exclusively on Interactive Oracle Proofs of Proximity (IOPP) and ignore Poly-IOPs. :::

Notation and Definitions

Assume the size of the domain L|L| and degree dd are both powers of two. And that LL is a smooth multiplicative subgroup of the finite-field F\mathbb{F}.

We define an Error-Correcting Code as:

Definition 1.0. An error-correcting code of length nn over an alphabet Σ\Sigma is a subset CΣnC \subseteq \Sigma^n. The code is linear if Σ=F\Sigma = \mathbb{F} is a field and CC is a subspace of Fn\mathbb{F}^n.

Definitions for Reed-Solomon Codes:

Definition 1.1. The Reed-Solomon code over field F\mathbb{F}, evaluation domain LFL ⊆ \mathbb{F}, and degree dNd ∈ N is the set of evaluations over LL of univariate polynomials (over F\mathbb{F}) of degree less than dd

When referring to polynomials and code-words we use the following definitions:

  1. We define the rate of RS[F,L,d]RS[\mathbb{F}, L, d] as ρ=dL\rho = {d\over|L|}.
  2. We use f^F<d[X]\hat{f} \in \mathbb{F}^{<d}[X] to refer to the nearest polynomial to ff on LL.

The Schwartz–Zippel Lemma is fundamental to various IOPPs and used extensively.

Lemma 1.2. For any non-zero polynomial f^:=F<d[X]\hat{f} := \mathbb{F}^{<d}[X] it holds that PrαF[p^(α)=0]dFPr_{\alpha \leftarrow \mathbb{F}}[\hat{p}(\alpha) = 0] \le {d \over |\mathbb{F}|}

The Random-Oracle Model(ROM) is used extensively in almost all interactive proof systems. Informally we define the ROM as:

Definition 1.3. For σN\sigma \in \mathbb{N}, we denote U(σ)\mathcal{U}(\sigma) as the uniform distribution of all function ff of the form f:{0,1}{0,1}σf:\{0,1\}^* \rightarrow \{0,1\}^{\sigma}. Or if ff is sampled uniformly from U(σ)\mathcal{U}(\sigma) then every output is a random σ\sigma-bit string.

What is Proximity?

The basic idea behind proximity testing is that for some set AFA \subset \mathbb{F} and some code V:=RS[F,L,d]V := RS[\mathbb{F},L,d] either all the members of the set are δ\delta-close to VV, or nearly all members of the set are far from VV. There is no case where half of AA is close and half is far.

A good definition for proximity in the context of Reed-Solomon codes comes from [BCIKS20].

Definition 1.1(Proximity Gaps): Let PΣnP \subset \Sigma^n be a property, and C2ΣnC \subset 2^{\Sigma^n} be a collection of sets. Let Δ\Delta be a distance measure on σn\sigma^n. We say that CC displays a (δ,ϵ)(\delta, \epsilon)-proximity gap with respect to PP under Δ\Delta if every SCS \in C satisfies exactly one of the following.

  1. PrsS[Δ(s,P)δ]=1Pr_{s\in S}[\Delta (s, P) \le \delta] = 1
  2. PrsS[Δ(s,P)δ]ϵPr_{s \in S}[\Delta (s, P) \le \delta] \le \epsilon

In this case δ\delta is called the proximity parameter, and ϵ\epsilon the error parameter.

We measure proximity using the fractional Hamming distance, defined as:

δ(f,p)=1L{xL:f(x)p(x)}\delta(f,p) = {1 \over |L|} \cdot |\{x \in L:f(x) \ne p(x)\}|

Because we know that all members of a set are either δ\delta-close to a code-word, or nearly all members are far from a code-word, we only need to test a few members of a set know with a high degree of certainty whether the set is close to a codeword.

Interactive Oracle Proofs of Proximity(IOPP)

Interactive Oracle Proofs are a subset of proof systems that combine elements of interactive proofs and probabilistic proofs. An IOP of Proximity(IOPP) as described here, seeks to prove proximity to a polynomial of low-degree via a structured public-coin interaction between a prover and a verifier.

We assume the IOP interaction occurs over kk-rounds, and the relation we seek to prove is defined as R={(x,y,w)}\mathcal{R} =\{(\mathbb{x},\mathbb{y}, \mathbb{w})\}. The prover receives (x,y,w)(\mathbb{x}, \mathbb{y}, \mathbb{w}) as input, and the verifier receives x\mathbb{x} and oracle access to y\mathbb{y}. For every round i[k]i \in [k], the verifier sends a random message αi\alpha_i to the prover. In return, the prover sends a proof string πi\pi_i to the verifier. At the end of the protocol, the verifier makes some queries to y\mathbb{y} and the proof string π1,...,πk\pi_1,...,\pi_k and outputs the final decision.

For an IOPP with a relation R={(x,w)}\mathcal{R} =\{(\mathbb{x},\mathbb{w})\} and a tuple of two interactive algorithms IOP=(P,V)IOP = (P,V) in which PP is an interactive algorithm and VV is an interactive oracle algorithm, we test the proximity of code C:=RS[F,L,d]\mathcal{C} := RS[\mathbb{F}, L, d] given the pair (x,w)(\mathbb{x},\mathbb{w}) where x\mathbb{x} is the code parameters and wC\mathbb{w} \in \mathcal{C} is a codeword. We test for:

  • Completeness: For every (x,w)R(\mathbb{x}, \mathbb{w}) \in \mathbb{R}

    Prp1,..,pk[Vw,π1,..,πk(x,p1,..,pk)=1      π1P(x,w)...πkP(x,w,p1,..,pk)]=1{Pr \atop p_1,..,p_k} \left[ V^{w, \pi_1,..,\pi_k}(\mathbb{x}, p_1,..,p_k) = 1 \; \Bigg| \; \begin{align} \; \pi_1 \leftarrow P(\mathbb{x}, \mathbb{w}) \\... \\ \pi_k \leftarrow P(\mathbb{x}, \mathbb{w}, p_1,..,p_k ) \end{align} \right] = 1
  • Proximity For every (x,w)(\mathbb{x}, \mathbb{w}) pair where w\mathbb{w} is δδ-far in relative Hamming distance from any w\mathbb{w}' where (x,w)R(\mathbb{x},\mathbb{w}) ∈ \mathbb{R} and any unbounded malicious prover P~\tilde{P}

    Prp1,..,pk[Vw,π1,..,πk(x,p1,..,pk)=1      π1P~(x,w)...πkP~(x,w)]B(δ){Pr \atop p_1,..,p_k} \left[ V^{\mathbb{w}, \pi_1,..,\pi_k}(\mathbb{x}, p_1,..,p_k) = 1 \; \Bigg| \; \begin{align} \; \pi_1 \leftarrow \tilde{P}(\mathbb{x}, \mathbb{w}) \\... \\ \pi_k \leftarrow \tilde{P}(\mathbb{x}, \mathbb{w}) \end{align} \right] \le \mathbb{B}(\delta)

REF

[ACFY24] Gal Arnon, Alessandro Chiesa, Giacomo Fenzi, and Eylon Yogev. “STIR: Reed–Solomon proximity testing with fewer queries”. Cryptology ePrint Archive, Report 2024/390. 2024. https://eprint.iacr.org/2024/390

[BCIKS20] Eli Ben-Sasson, Dan Carmon, Yuval Ishai, Swastik Kopparty, and Shubhangi Saraf. “Proximity gaps for Reed-Solomon codes”. In Proceedings of the 61st Annual Symposium on Foundations of Computer Science (FOCS 2020), 2020. https://eprint.iacr.org/2020/654

[BGKS20] Eli Ben-Sasson, Lior Goldberg, Swastik Kopparty, and Shubhangi Saraf. “DEEP-FRI: Sampling Outside the Box Improves Soundness”. In: Proceedings of the 11th Innovations in Theoretical Computer Science Conference (ITCS 2020). 2020, 5:1–5:32. https://eprint.iacr.org/2019/336.pdf

[BBHR18b] Eli Ben-Sasson, Iddo Bentov, Ynon Horesh, and Michael Riabzev. “Fast Reed-Solomon Interactive Oracle Proofs of Proximity”. In Proceedings of the 45th International Colloquium on Automata, Languages, and Programming (ICALP 2018), 2018. https://drops.dagstuhl.de/storage/00lipics/lipics-vol107-icalp2018/LIPIcs.ICALP.2018.14/LIPIcs.ICALP.2018.14.pdf