STIR proof of proximity
STIR introduces a number of improvements to the protocol described above. Specifically, STIR progressively lowers the code rate, which reduces the number of verifier queries and makes testing easier. Because the rate is lowered after each round, each iteration requires fewer queries. This leads to reduced hash-complexity and fewer authentication paths.
Each STIR iteration reduces both the rate and the size of the evaluation domain. A key difference to note, is while FRI reduces both domain and degree the difference remains constant, while in STIR the domain is reduced by a constant and the rate by .
Protocol Overview
Our goal is to reduce the testing of a function from to , where is the folding factor, is the shifted domain, and is the testing parameter.
Note: Assume
Each iteration of STIR consists of:
- Sample folding randomness
- V: Samples and sends
- Send folded function
- P: sends
- is the evaluation of the polynomial over
- is the extension of to a polynomial of degree less than
- Out-of-Domain Sample
- V: sends
- Out-of-Domain Reply
- P: sends , in the honest case
- Shift queries
- V: For every , sample
- V: Obtain by querying the virtual oracle where
Finally, the next function is defined as , where and is the function where and .
Note: that the verifier has virtual oracle access to through it’s oracle access to .
Shifted Domains
For each iteration in STIR we reduce the size of the domain by a constant factor (in the paper which leads to linear proof length, but this isn’t needed and can even be ).
The domain is shifted to .
Since is even, and only contains odd powers of , this guarantees that . We can easily visualize this relation as:
The shift which ensures that is disjoint from improves query complexity and reduces proof length.
Code Rate
The big idea behind RS-codes(and error-correcting codes) in general, is that we want to encode a message into a longer, redundant string which we call a code-word. Because, this code-word needs to be transmitted and decoded over a noisy channel, we need redundancy to ensure the original message doesn’t get lost. We measure this redundancy via the code rate, which is the ratio of size of the message to the size of the code-word. Intuitively the rate of a RS-code describes the codes density. Thus, a lower rate makes testing easier. The two main drivers for reducing rate in the protocol are the size of the domain and the size of the folding factor .
- A larger domain reduces the rate and number of queries in the next round, but also increases prover costs because the size of the FFT domain is larger.
- A larger drives down the rate and the polynomial degree faster. However, this increases verifier costs because the verifier needs to compute larger folds.
For STIR, assuming an initial rate , folding parameter , and an evaluation domain , we finding the new rate for each round by setting , and calculating the new rate as .
Virtual Functions
Throughout the protocol, the verifier sometimes has oracle access to a function but wants to query a different (but related) function . For example, in the following equation the verifier would first query at the desired value, and then add 5 to the result.
STIR Setup
Ingredients
- a Field
- an iteration count
- an initial degree parameter that is a power of 2
- folding parameters
- evaluation domains
- repetition parameters
- out of domain repetition parameters
STIR Prover
-
Initial Function:
P: Let be an oracle functions, let , and let the prover have access to the polynomial
-
Initial Folding:
V:
-
Interaction phase loop: for
- Send folded function:
- P: sends function
- Where is domain evaluation of
- Out-of-Domain Samples:
- V: sends
- Out-of-Domain Replies:
- P: sends
- Where is the evaluation of
- STIR Messages:
- V: sends
- V: sends
- Define next polynomial and send hole fills:
- P: define
- P: define
- P: define
- P: send oracle messages
- P: define degree corrected polynomial as
- Proceeed to next round with
- Send folded function:
-
Final round
- Calculate
- Send coeffiecents of to V
STIR Verifier
-
Loop: For
- For every query at
- Define
- These are the values we know placed into a set
- Let be the function where:
- Set
- Define virtual oracle as:
-
Consistency with final polynomial:
- Sample random points
- Check that for every
-
Consistency with Ans:
- For every and every query and check that
Ref
[ACY23] Gal Arnon, Alessandro Chiesa, and Eylon Yogev. “IOPs with Inverse Polynomial Soundness Error”. In: 64th IEEE Annual Symposium on Foundations of Computer Science (FOCS 2023), Santa Cruz, CA, USA, November 6-9, 2023. IEEE, 2023, pp. 752–761. https://eprint.iacr.org/2023/1062.pdf
[ACFY24] Gal Arnon, Alessandro Chiesa, Giacomo Fenzi, and Eylon Yogev. “STIR: Reed–Solomon proximity testing with fewer queries”. Cryptology ePrint Archive, Report 2024/390. 2024. https://eprint.iacr.org/2024/390
[BCIKS20] Eli Ben-Sasson, Dan Carmon, Yuval Ishai, Swastik Kopparty, and Shubhangi Saraf. “Proximity gaps for Reed-Solomon codes”. In Proceedings of the 61st Annual Symposium on Foundations of Computer Science (FOCS 2020), 2020. https://eprint.iacr.org/2020/654
[BGKS20] Eli Ben-Sasson, Lior Goldberg, Swastik Kopparty, and Shubhangi Saraf. “DEEP-FRI: Sampling Outside the Box Improves Soundness”. In: Proceedings of the 11th Innovations in Theoretical Computer Science Conference (ITCS 2020). 2020, 5:1–5:32. https://eprint.iacr.org/2019/336.pdf
[BBHR18b] Eli Ben-Sasson, Iddo Bentov, Ynon Horesh, and Michael Riabzev. “Fast Reed-Solomon Interactive Oracle Proofs of Proximity”. In Proceedings of the 45th International Colloquium on Automata, Languages, and Programming (ICALP 2018), 2018. https://drops.dagstuhl.de/storage/00lipics/lipics-vol107-icalp2018/LIPIcs.ICALP.2018.14/LIPIcs.ICALP.2018.14.pdf
[Gur07] Venkatesan Guruswami. “Algorithmic results in list decoding”. In Foundations and Trends in Theoretical Computer Science, volume 2(2), 2007. https://www.cs.cmu.edu/~venkatg/pubs/papers/listdecoding-NOW.pdf
[Gur04] Venkatesan Guruswami. “List decoding of error-correcting codes”. In Lecture Notes in Computer Science, no. 3282, Springer, 2004. https://www.cs.cmu.edu/~venkatg/pubs/papers/frozen.pdf
[H22] Ulrich Haböck. “A summary on the FRI low degree test”. Cryptology ePrint Archive, Report 2022/1216. 2022. https://eprint.iacr.org/2022/1216.pdf
[VIT] Vitalik Buterin. “STARKs, part 2: Thank goodness for FRI”. Vitalik’s blog, 2017. https://vitalik.eth.limo/general/2017/11/22/starks_part_2.html
[ASZ] Alan Szepieniec. “Anatomy of STARKs: FRI”. 2020. https://aszepieniec.github.io/stark-anatomy/fri
[FEN] Giacomo Fenzi. “STIR Parameters”. Giacomo Fenzi’s blog, 2024. https://gfenzi.io/blurbs/stir-parameters/