Tools for Reed-Solomon Codes
At the heart of low-degree testing are a few basic tools and concepts which enable us to transform a code or list of codes into a low-degree polynomial and test proximity to the original code. Taken as a whole these tools represent the fundamental mathematical building blocks for working with RS-codes.
Correlated Agreement
This theorem states that if many random linear combination of two or more functions are -close to a Reed-Solomon code-word then the original function must be a code-word. Specifically, we want to know whether following holds true:
The theorem is laid out in full in the [BSCI20] and stated as follows.
Theorem 1 For with rate . Given the proximity parameter and words for which
where is the error-bounds. There exists polynomials belonging to and set of density on which coincide with . Specifically:
for every value of .
Correlated Agreement is extremely useful for building reduction arguments. Say we have a list of code-words and a code and would like to verify that they are all close to . Correlated agreement enables us to take a random linear combination of and prove its proximity to . If is close to then all the members of must also be close to .
Correlated agreement will power our next technique polynomial folding, and also enable us to efficiently batch polynomials.
:::info See appendix for how we derive the soundness error bound , this derivation is closely linked to the specific decoding regime used. :::
Polynomial Folding
At the heart of protocols like FRI and STIR, is a reduction operation in which a polynomial of size is step-wise reduced via random folding a polynomial of size using a folding parameter . To achieve this, we “wrap” the polynomial around a random folding challenge -supplied by the verifier. This preserves the function’s proximity to the Reed-Solomon code while reducing the degree.
First we give two important facts for a polynomial :
Fact 1. For every there exists a unique bivariate polynomial with and so that .
Note: can be computed efficiently given and . Observe, if then .
Fact 2. For every with and , the polynomial has degree .
We define the folding of a polynomial as:
Definition 1.2. Given a polynomial [X], a folding factor , and a folding challenge , we define the polynomial as follows. Let be the bivariate polynomial derived from with . Then we define PolyFold as:
And we define the folding of a function as:
Definition 1.3. Let be a function, a folding factor , and a folding challenge . For every , let be the polynomial where for every such that . We then define Fold as
We compute by interpolating the values into the polynomial and evaluate this polynomial at .
Now let’s look a little more closely at the mechanics of folding a polynomial.
First we take a polynomial , and we split it into even and odd terms. Assuming .
Thus for and , we have:
Our goal is then to derive a new polynomial
from assuming is a random value provided by the verifier.
First we reduce our domain from to so that , and then we evaluate both and on the reduced domain i.e. and multiply by and perform a Langrange Interpolation to derive which is then evaluated on the reduced domain and sent to the verifier as .
Out-of-Domain Sampling
One of our primary goals when designing any IOP is to reduce query complexity, we want to make queries from the verifier easy and cheap. One way to do this is to work in list-decoding, where instead of working with a single correct output we instead work with a list of outputs, one of which is correct. However, now the codeword sent by the prover doesn’t have a single unique closest code-word. This gives the prover lots of power. To solve this, we allow the verifier to send a random out-of-domain(OOD) sample which forces the prover to choose one of the close polynomials. Thus increasing soundness.
In practice, whenever the prover wishes to show that for function there exists two points which has at least one polynomial which is close to and where . Instead of sending the prover sends where is the evalution over . The verifier then samples a random field element and the prover responds with the following evaluation .
:::info Generally FRI does not use out-of-domain sampling in the main protocol and instead “pushes” this sampling to the arithmetization level. See the DEEP-ALI paper for how this is done in practice. :::
Combining Functions of Varying Degree
In each round of the IOPP, the verifier queries a quotiented function and tests for low degree. Because this is the most computationally expensive part of the protocol we would like to only run this test once. Because of correlated agreement we know that we can produce a random linear combination of the functions and test those. However, we run into a problem when the functions being tested are of different degrees.
To overcome this problem, we can combine functions of varying degrees using geometric sums.
Fact.1.0 Let be a field, be a field element, and be a natural number.
Assuming a proximity error bounded by .
Definition.1.1 Given target degree , shifting parameters , functions and degrees we define as:
Note: If we only want to correct degree then we can use
Quotienting
Quotienting is a method of enforcing constraints on a function . Roughly, if the polynomial corresponding to the RS-code does not satisfy the constraints, then the resulting quotient will be far from low-degree, which can then be detected by a low-degree test.
Because the verifier has query access to all on the field , we need some constraints to enforce consistency and ensure that queries are limited to , while only have access to evaluations of on . Without these constraints, the prover would have to send the evaluation of on the entire field , which would result in an enormous proof size.
We formally define Quotienting as:
Definition 1.4. For function , set , and functions , let be the polynomial with for every , and let be the unique non-zero polynomial with for every .
The quotient function is defined as:
Definition 1.5. For polynomial and set , let be the unique non-zero polynomial with for every .
The polynomial quotient is defined as:
Where is the unique non-zero polynomial with for every .
REF
[ACFY24] Gal Arnon, Alessandro Chiesa, Giacomo Fenzi, and Eylon Yogev. “STIR: Reed–Solomon proximity testing with fewer queries”. Cryptology ePrint Archive, Report 2024/390. 2024. https://eprint.iacr.org/2024/390
[H22] Ulrich Haböck. “A summary on the FRI low degree test”. Cryptology ePrint Archive, Report 2022/1216. 2022. https://eprint.iacr.org/2022/1216.pdf