Efficient Proofs of Computational Integrity from Code ...

E�cient Proofs of Computational Integrityfrom Code-Based Interactive Oracle Proofs

Sarah Bordage

Project-team GRACELIX, Ecole Polytechnique, Institut Polytechnique de Paris

Inria Saclay Ile-de-France

GT Codes et CryptographieJune 17, 2021

Verifiable Computing

Powerful Prover Weak Verifier

Please, run program F on input x for me.

I want to quickly checkif your result is correct.

On input (F , x), output result yand proof of correctness π

y, π On input (F , x, y, π),accept i� π is a valid prooffor statement “y = F (x)”

• Completeness: Verifier V always accepts honest proof

• Soundness: For any malicious P , Pr[P convinces V to accept incorrect statement] = negl

• E�ciency: verification time, length of π� time for computing F (x)

Remark: sublinear time(V) requires |description of the computation| � | running time of the computation|,V should not “unroll” the computation.

1 / 24

A view of the “proofs-space” (by crypto assumptions)

CRHF, ROM DLOG KoE/AGM/GGM Group of(pairing-based) unknown order

2013 Pinocchio [PGHR]

2014 [BCTV]

2016 ZKBoo [GMO] [BCCGP] [Groth16]

SCI [BBC+] [GM]

2017 Ligero [AHIV] Bulletproof [BBB+] (ZK) vSQL [ZGK+]

Hyrax [WTS+]

2018 Stark [BBHR] vRAM [ZGK+]

Aurora [BCR+]

2019 Fractal [COS] Spartan [Setty] Sonic [MBK+] Supersonic [BFS]

Succinct Aurora [BCG+] Halo [BGH] Plonk [GWC]

RedShift [KPV] Marlin [CHM+]

Virgo [ZXZS] Libra [XZZ+]

2020 Virgo++ [ZWZZ] Mirage [KKPS]

Some implementations of succinct non-interactive arguments for general computations

2 / 24

Outline

1. IOP-based succinct non-interactive arguments

2. STARK Arithmetization

3. Reed-Solomon Proximity Testing

3 / 24

IOP-based succinct non-interactivearguments

Probabilistically Checkable Proofs

[Fortnow-Rompel-Sipser’88, Babai-Fortnow-Levin-Szegedy’91, Arora-Safra’92, Arora-Lund-Motwani-Sudan-Szegedy’98, ...]

Given a relationR of instance-witness pairs (x,w), denote LR = {x | ∃w, (x,w) ∈ R}.

Probabilistically checkable proof system(PCP)

P(x,w) V(x)π

oracle

output: 1 or 0

Completeness: ∀(x,w) ∈ R, ∃π,Vπ(x) = 1Soundness: ∀x /∈ LR,∀π,Pr[Vπ(x) = 0] > 1/2

For verifiable computing,important measures are:

• time(P),

• time(V),

• query complexity q,

• proof length l.

4 / 24

PCP-based succinct interactive argument

P(x,w) V(x)

computationallybounded

CRHF H : {0, 1}∗ → {0, 1}κ

π ← P(x,w)root = MTreeH(π)

Sample unif. at randomquery set Q of size q

paths= (MProofsH(π[k]))k∈Q

π|Q, paths

Check Merkle proofs

Output 1 i� Vπ(x) = 1

q = |Q| , l = |π|

From q-queries PCP of length l:

• Communication = Oκ(q log l),

• time(P) = time(P) +Oκ(l),

• time(V) = time(V) +Oκ(q log l).

• [Kilian’92] PCP (P,V) + collision-resistant hashings interactive argument (P,V) for NP with sublinear communication.

5 / 24

PCP-based succinct non-interactive argument

P(x,w) V(x)

RO H : {0, 1}∗ → {0, 1}κ

π ← P(x,w)root = MTreeH(π)

Q← H(x|| root)

paths= (MProofsH(π[k]))k∈Q

root, π|Q, paths

Q← H(x|| root)Check Merkle proofs

Output 1 i� Vπ(x) = 1

q = |Q| , l = |π|

From q-queries PCP of length l:

• [Kilian’92] PCP (P,V) + collision-resistant hashings interactive argument (P,V) for NP with sublinear communication.

• [Micali’00] Kilian’s protocol + Fiat-Shamir paradigm (H random oracle; Q← H(x, root)) succinct non-interactive argument for NP in the Random Oracle Model.

6 / 24

Interactive Oracle Proofs

[Ben–Sasson-Chiesa-Spooner’16, Reingold-Rothblum-Rothblum’16]

IOP system(P,V) is an IOP system for relationR with soundnesserror ε if

Completeness:∀(x,w) ∈ R,Pr[〈P (x,w), V π1,...,πr (x)〉 = 1] = 1.

Soundness:∀x /∈ LR, ∀P ,Pr[〈P (x,w), V π1,...,πr (x)〉 = 1] ≤ ε.

Proof length l =∑|πi|

Query complexity q = number of queries to π1, . . . , πr

P(x,w) V(x)m0

mr−1

output: 1 or 0

7 / 24

IOP-based succinct non-interactive argument [Ben–Sasson-Chiesa-Spooner’16]

P(x,w) V(x)

CRHF H : {0, 1}∗ → {0, 1}κ

For each round iπi ← P(x,w)

rooti = MTreeH(πi) rootiSample unif. at random

query set QiQi

pathsi= (MProofsH(πi[k]))k∈Qi πi|Qi , pathsi

Check Merkle proofs

Output 1 i� Vπ1,...,πr (x) = 1

q =∑|Qi| , l =

∑|πi|

From q-queries IOP with length l:

Interactive argument from Merkle TreesIOP system (P,V)︸︷︷︸

information theoretic

+ hash functions︸︷︷︸collision-resistant

=⇒ succinct interactive argument (P,V)

8 / 24

IOP-based succinct non-interactive argument [Ben–Sasson-Chiesa-Spooner’16]

P(x,w) V(x)

CRHF H : {0, 1}∗ → {0, 1}κ

For each round iπi ← P(x,w)

rooti = MTreeH(πi) rootiSample unif. at random

query set QiQi

pathsi= (MProofsH(πi[k]))k∈Qi πi|Qi , pathsi

Check Merkle proofs

Output 1 i� Vπ1,...,πr (x) = 1

From q-queries IOP with length l:

Remove interaction: Qi deduced fromRO(x||root1|| . . . ||rooti−1||Q0|| . . . ||Qi−1)

Non-interactive argument from Merkle Trees + Fiat-ShamirIOP system (P,V)︸︷︷︸

information theoretic

+ hash functions︸︷︷︸random oracle

=⇒ succinct non-interactive argument (P,V)

9 / 24

ZK-STARK

Computational integrity language L:Instances (F, x, y, T ) such that running program F within T cycles on public input x and auxiliary (secret)witness w leads to output y.

STARK (Scalable Transparent ARgument of Knowledge) [Ben–Sasson-Bentov-Horesh-Riabzev’18]

non-interactive argument of knowledge for “machine computations”, with or without zero-knowledge

Prover Verifier Communication complexity Setup Post-QuantumOκ(T log2 T ) H Oκ(log2 T ) H Oκ(log2 T ) transparent yes

Construct an IOP system (P,V) for L with:

time(P) = O(T log2 T ) time(V) = O(n) +O(log(T )), l = O(T log T ), q = O(log T ),

then apply [BCS’16] transformation.

Applications:Allows verification of multiple programs in a single proof (StarkEx, Cairo).One can build PQ signatures from ZK-STARKs (see Ziggy STARK).

10 / 24

STARK Arithmetization:From computational integrity tolow-degree testing

STARK: Toy example

Toy program

• Public input: x ∈ F, steps T (T � |F|)

• Private output: K ∈ FT , K = (K0,K1, . . . ,KT−1)Program F (x, T,K):

For i = 0 to T − 1:x← x3 + Ki

return x

Execution tracex0 K0x1 K1x2 K2... ...

xT−2 KT−2xT−1 KT−1xT 0

Valid i�

x0 = x

xT = y

xi+1 = x3i +Ki

Computational integrity statement for ZK-STARK:

“Given program F , public input (x, T ) and public output y, I know secret K such that F (x, T,K) = y.”

... Today, we’ll discuss only the computational integrity part.

“Given program F , public input (x, T ) and public output y, there exists K such that F (x, T,K) = y.”

11 / 24

STARK: Toy example

Toy program

• Public input: x ∈ F, steps T (T � |F|)

• Private output: K ∈ FT , K = (K0,K1, . . . ,KT−1)Program F (x, T,K):

For i = 0 to T − 1:x← x3 + Ki

return x

Execution tracex0 K0x1 K1x2 K2... ...

xT−2 KT−2xT−1 KT−1xT 0

Valid i�

x0 = x

xT = y

xi+1 = x3i +Ki

Computational integrity statement for ZK-STARK:

“Given program F , public input (x, T ) and public output y, I know secret K such that F (x, T,K) = y.”

... Today, we’ll discuss only the computational integrity part.

“Given program F , public input (x, T ) and public output y, there exists K such that F (x, T,K) = y.”

11 / 24

Toy example: Arithmetization I

P and V agree on ω ∈ F× of order T + 1, which defines G := 〈ω〉. They also define:

• “Contraint polynomial” C(X0, X1, Y0) = Y0 − (X30 +X1)

• “Boundaries” polynomial B ∈ F[X]≤1 such that B(1) = x and B(ωT ) = y

• Vanishing polynomial Z(X) =∏T−1i=0 (X − ωi) = XT+1−1

X−ωT

P interpolates P0, P1 ∈ F[X]≤T such that for all i ∈ {0, ..., T} , P0(ωi) = xi and P1(ωi) = Ki.

Valid execution trace ⇐⇒

x0 = x,

xT = y,

C(xi,Ki, xi+1) = 0, for 0 ≤ i < T

⇐⇒

P0(ω0) = B(ω0),P0(ωT ) = B(ωT ),C(P0(ωi), P1(ωi), P0(ωi+1)) = 0, for 0 ≤ i < T

⇐⇒{

(X − 1)(X − ωT ) divides P0(X)−B(X)Z(X) divides C(P0(X), P1(X), P0(hX))

12 / 24

X−ωT

x0 = x,

xT = y,

C(xi,Ki, xi+1) = 0, for 0 ≤ i < T

⇐⇒

⇐⇒{

12 / 24

X−ωT

x0 = x,

xT = y,

C(xi,Ki, xi+1) = 0, for 0 ≤ i < T

⇐⇒

⇐⇒{

12 / 24

Toy example: Arithmetization II

{Q0(X) = P0(X)−B(X)

(X−1)(X−ωT ) ∈ Fq [X]≤T−2

Q1(X) = C(P0(X),P1(X),P0(hX))Z(X) ∈ Fq [X]≤2T

Reed-Solomon encodingRS[F, D, k] ⊂ FD : evaluations on D ⊂ F of polynomials of degree < k.

We assume |D| ≥ 2(T + 1), |D| = Θ(T ), and D ∩G = ∅.

P sends oracle functions f0, f1, g0, g1 ∈ FD ,supposedly evaluations on D of P0(X), P1(X), Q0(X), Q1(X), respectively.

f0, f1 ∈ RS[F, D, T + 1]g0 ∈ RS[F, D, T − 1]g1 ∈ RS[F, D, 2T + 1]

13 / 24

Toy example: Arithmetization II

{Q0(X) = P0(X)−B(X)

(X−1)(X−ωT ) ∈ Fq [X]≤T−2

Q1(X) = C(P0(X),P1(X),P0(hX))Z(X) ∈ Fq [X]≤2T

Reed-Solomon encodingRS[F, D, k] ⊂ FD : evaluations on D ⊂ F of polynomials of degree < k.

We assume |D| ≥ 2(T + 1), |D| = Θ(T ), and D ∩G = ∅.

P sends oracle functions f0, f1, g0, g1 ∈ FD ,supposedly evaluations on D of P0(X), P1(X), Q0(X), Q1(X), respectively.

f0, f1 ∈ RS[F, D, T + 1]g0 ∈ RS[F, D, T − 1]g1 ∈ RS[F, D, 2T + 1]

13 / 24

Toy example: Arithmetization III

Assume f0, f1 ∈ RS[F, D, T + 1]. Then,

• (x0 6= x or xT 6= y) =⇒ ∆(g0,RS[F, D, T − 1]) ≥ 1− T+1|D| ∆ relative Hamming distance

• ∃i, xi+1 6= x3i +Ki =⇒ ∆(g1,RS[F, D, 2T + 1]) ≥ 1− 3T+1

Arithmetization:

{valid execution trace RS codewordsincorrect execution trace words far from any RS codewords

Consistency at a random location

V samples s ∈ D and requests f0(s), f1(s), f0(ω · s), g0(s), g1(s),

computes B(s) and Z(s) (in O(log T ) F-ops), then checks:

1. g0(s) · (s− 1) · (s− ωT ) ?= f0(s)−B(s) soundness error ≤ T|D|

2. g1(s) · Z(s) ?= C(f0(s), f1(s), f0(ω · s)) soundness error ≤ 3T|D|

V rejects if one of the test fails.

Low-degree compliance

Instead of RS membership test: V must be able to test proximity to RS code with O(log T ) queries.

14 / 24

Toy example: Arithmetization III

Assume f0, f1 ∈ RS[F, D, T + 1]. Then,

• (x0 6= x or xT 6= y) =⇒ ∆(g0,RS[F, D, T − 1]) ≥ 1− T+1|D| ∆ relative Hamming distance

• ∃i, xi+1 6= x3i +Ki =⇒ ∆(g1,RS[F, D, 2T + 1]) ≥ 1− 3T+1

Arithmetization:

{valid execution trace RS codewordsincorrect execution trace words far from any RS codewords

Consistency at a random location

V samples s ∈ D and requests f0(s), f1(s), f0(ω · s), g0(s), g1(s),

computes B(s) and Z(s) (in O(log T ) F-ops), then checks:

1. g0(s) · (s− 1) · (s− ωT ) ?= f0(s)−B(s) soundness error ≤ T|D|

2. g1(s) · Z(s) ?= C(f0(s), f1(s), f0(ω · s)) soundness error ≤ 3T|D|

V rejects if one of the test fails.

Low-degree compliance

Instead of RS membership test: V must be able to test proximity to RS code with O(log T ) queries.

14 / 24

Reed-Solomon Proximity Testing

Reed-Solomon proximity testingInput: a code RS[F, D, k], a parameter δInput oracle: f : D → FCompleteness: If f ∈ RS[F, D, k], then the test always accepts.Soundness: If ∆

(f,RS[F, D, k]

)> δ, then the test accepts with probability ≤ err(δ).

∆ relative Hamming distance

Naive proximity test

1. Query k + 1 entries of f ∈ FD : f(x0), . . . , f(xk),

2. Compute poly P (X) of degree < k by interpolating {(xi, f(xi)); 0 ≤ i ≤ k − 1}

3. Tester accepts i� P (xk) = f(xk).

Soundness: V accepts with proba Prxk [P (xk) 6= f(xk)] ≤ 1−∆(f,RS[F, D, k]).

Problem: query complexity k + 1 is linear in |D| with |D| = Θ(k).

How to achieve logarithmic verification time? V will need some auxiliary proof from P ...We also want a fast prover (linear in |D|) IOP of Proximity (IOPP) for RS code.

15 / 24

Reed-Solomon Proximity Testing

Reed-Solomon proximity testingInput: a code RS[F, D, k], a parameter δInput oracle: f : D → FCompleteness: If f ∈ RS[F, D, k], then the test always accepts.Soundness: If ∆

(f,RS[F, D, k]

)> δ, then the test accepts with probability ≤ err(δ).

Naive proximity test

1. Query k + 1 entries of f ∈ FD : f(x0), . . . , f(xk),

2. Compute poly P (X) of degree < k by interpolating {(xi, f(xi)); 0 ≤ i ≤ k − 1}

3. Tester accepts i� P (xk) = f(xk).

Soundness: V accepts with proba Prxk [P (xk) 6= f(xk)] ≤ 1−∆(f,RS[F, D, k]).

Problem: query complexity k + 1 is linear in |D| with |D| = Θ(k).

How to achieve logarithmic verification time? V will need some auxiliary proof from P ...We also want a fast prover (linear in |D|) IOP of Proximity (IOPP) for RS code.

15 / 24

Reed-Solomon IOP of Proximity

RS IOP of ProximityInput: a code RS[F, D, k], a parameter δInput oracle: f : D → FCompleteness: If f ∈ RS[F, D, k], then ∃P Pr[〈P,V〉 = 1] = 1Soundness: If ∆

(f,RS[F, D, k]

)> δ, then ∀P Pr[〈P,V〉 = 1] ≤ err(δ)

Fast Reed-Solomon IOPP:FRI Protocol

[Ben–Sasson-Bentov-Horesh-Riabzev’18]# rounds < log |D|# queries < 2 log |D|)prover time < 6|D|verifier time < 21 log |D|)proof length < |D|/3soundness “ ' 1− δ”

f0 = f

...αr−1

16 / 24

Halving the size of the problem by folding

Assume there exists ω ∈ F× of order a large power of 2.Given k = 2r and evaluation domain D = 〈ω〉 of size n = |D| and closed under negation

How to check proximity of f0 : D → F to the code RS[F, D, k] ?

Define sequence of RS codes: RSi := RS[F, Di, k/2i] with D0 = D and Di := 〈ω2i 〉(same rate ρ = k/n)

For each round i, reduce proximity to RSi to RSi+1:• Split fi(X) into u0, u1, such that fi(X) = u0(X2) +Xu1(X2)

• For α ∈ F, define Fold [fi, α] : Di+1 → F by Fold [fi, α] (y) = u0(y) + α · u1(y)

CompletenessFor all α ∈ F, Fold [RSi, α] ⊆ RSi+1

Observe: for all x ∈ Di,

Fold [fi, α] (x2) =fi(x) + fi(−x)

fi(x)− fi(−x)2x

Local computabilityFor any y ∈ Di+1, compute Fold [fi, α] (y) with only 2 queries to fi.

17 / 24

Define sequence of RS codes: RSi := RS[F, Di, k/2i] with D0 = D and Di := 〈ω2i 〉(same rate ρ = k/n)For each round i, reduce proximity to RSi to RSi+1:• Split fi(X) into u0, u1, such that fi(X) = u0(X2) +Xu1(X2)

fi(x)− fi(−x)2x

17 / 24

Define sequence of RS codes: RSi := RS[F, Di, k/2i] with D0 = D and Di := 〈ω2i 〉(same rate ρ = k/n)For each round i, reduce proximity to RSi to RSi+1:• Split fi(X) into u0, u1, such that fi(X) = u0(X2) +Xu1(X2)

fi(x)− fi(−x)2x

17 / 24

Folding preserves distance to the code

Let ε = ε(|F| , n, ρ) = Oρ

Distance preservationLet δ < 1−√ρ. If ∆(fi,RSi) > δ, then

Prα∈F

[∆(Fold [fi, α] ,RSi+1) < δ] < ε

Proof relies on:

Theorem [Ben–Sasson-Carmon-Ishai-Kopparty-Saraf’20]

Let C ⊆ FD be a RS code of rate ρ and let u0, u1 : D → F. For any δ < 1−√ρ, if

Prα∈F

[∆(u0 + αu1, C) < δ] > 1− ε,

then, there exist c0, c1 ∈ C and T ⊂ D such that

• |T | ≥ (1− δ) |D|

• u0|T = c0|T and u1|T = c1|T

18 / 24

Folding preserves distance to the code - proof sketch

Prα∈F

[∆(Fold [fi, α] ,RSi+1) < δ] < ε

Proof sketch:Idea: assume Fold [fi, α] is δ-close of RSi+1 for many α’s, reconstruct a codeword v ∈ RSi which is δ-close to fi.

• Apply BCIKS’20 on Fold [fi, α] = u0 + αu1 =⇒ ∃v0, v1 ∈ RSi+1 such that

T = {y ∈ Di+1 | u0(y) = v0(y) AND u1(y) = v1(y)}

is of size |T | ≥ (1− δ) |Di+1|,

• Consider polynomial r(X) = v0(X2) +Xv1(X2) of degree < k/2i,

• Then, the evaluation of r(X) on Di agrees with f on the set{x ∈ Di | x2 ∈ T

}of size

≥ (1− δ) |Di|.

19 / 24

Folding preserves distance to the code - proof sketch

Prα∈F

[∆(Fold [fi, α] ,RSi+1) < δ] < ε

Proof sketch:Idea: assume Fold [fi, α] is δ-close of RSi+1 for many α’s, reconstruct a codeword v ∈ RSi which is δ-close to fi.

• Apply BCIKS’20 on Fold [fi, α] = u0 + αu1 =⇒ ∃v0, v1 ∈ RSi+1 such that

T = {y ∈ Di+1 | u0(y) = v0(y) AND u1(y) = v1(y)}

is of size |T | ≥ (1− δ) |Di+1|,

• Consider polynomial r(X) = v0(X2) +Xv1(X2) of degree < k/2i,

• Then, the evaluation of r(X) on Di agrees with f on the set{x ∈ Di | x2 ∈ T

}of size

≥ (1− δ) |Di|.

19 / 24

FRI Protocol: COMMIT phase

f0 = f

...αr−1

Honest prover computes:

COMMIT Phase

f1 = Fold [f0, α0]

f2 = Fold [f1, α1]

fr = Fold [fr−1, αr−1]

fr?∈ RS[F, D(2r), k/2r]

Global consistency test:

QUERY Phase

Sample s ∈ D0 and check

f1(s2) ?= Fold [f0, α0] (s2)

f2(s4) ?= Fold [f1, α1] (s4)...

fr(s2r ) ?= Fold [fr−1, αr−1] (s2r )

Final test: fr?∈ RSr

output: 1 or 0

20 / 24

FRI Protocol: QUERY phase

f0 = f

...αr−1

Honest prover computes:

COMMIT Phase

f1 = Fold [f0, α0]

f2 = Fold [f1, α1]

fr = Fold [fr−1, αr−1]

fr?∈ RS[F, D(2r), k/2r]

Global consistency test:

QUERY Phase

Sample s ∈ D0 and check

f1(s2) ?= Fold [f0, α0] (s2)

f2(s4) ?= Fold [f1, α1] (s4)...

fr(s2r ) ?= Fold [fr−1, αr−1] (s2r )

Final test: fr?∈ RSr

output: 1 or 0

20 / 24

FRI Protocol: Soundness

What can go wrong?• COMMIT:

Event Badi = “at round i, Fold [·, αi] does not preserve distance to thecode.”

• QUERY: chosen queried path does not catch any errors.

Pr [V accepts ] ≤ Prαi∈F

[∪r−1i=0 Badi

]︸︷︷︸

errcommit

+ Prs∈D

[V accepts | ∩r−1

i=0 Badi]

︸︷︷︸errquery

Theorem: Soundness [Ben–Sasson-Kopparty-Saraf’18, Ben–Sasson-Carmon-Ishai-Kopparty-Saraf’20]For any δ < 1−√ρ, if ∆(f,RS[F, D, k]) > δ, then V accepts with proba at most

err(δ) < errcommit + (errquery)l

< r · ε(|F| , n, ρ) + (1− δ)l

after l repetitions of the QUERY phase.

21 / 24

FRI Protocol: Soundness

What can go wrong?• COMMIT:

Event Badi = “at round i, Fold [·, αi] does not preserve distance to thecode.”

• QUERY: chosen queried path does not catch any errors.

Pr [V accepts ] ≤ Prαi∈F

[∪r−1i=0 Badi

]︸︷︷︸

errcommit

+ Prs∈D

[V accepts | ∩r−1

i=0 Badi]

︸︷︷︸errquery

Theorem: Soundness [Ben–Sasson-Kopparty-Saraf’18, Ben–Sasson-Carmon-Ishai-Kopparty-Saraf’20]For any δ < 1−√ρ, if ∆(f,RS[F, D, k]) > δ, then V accepts with proba at most

err(δ) < errcommit + (errquery)l

< r · ε(|F| , n, ρ) + (1− δ)l

after l repetitions of the QUERY phase.

21 / 24

Soundness analysis I

Let δi = min(∆(fi,RSi), 1−

√ρ))

.Bounding errcommit:BADi = “∆(Fold [fi, αi] ,RSi+1) < δi”.

By distance preservation: Pr[BADi] ≤ ε,thus Pr

[∪r−1i=0 Badi

]︸︷︷︸errcommit

≤ r · ε

Bounding errquery:Suppose no BADi occurs.Consider graph with vertices D0 ∪D1 ∪ · · · ∪Dr ,and we’ll say that:

• y ∈ Di+1 is green if fi+1(y) = Fold [fi, αi] (y)

• y ∈ Di+1 is red if fi+1(y) 6= Fold [fi, αi] (y)

V accepts i� every vertices of the queried path are green.

Modify the entries of f1, . . . , fr−1 to keep only the last red vertex along the path.

Modification process does not a�ect green vertices rejection proba does not increase.

22 / 24

√ρ))

[∪r−1i=0 Badi

≤ r · ε

V accepts i� every vertices of the queried path are green.

22 / 24

√ρ))

[∪r−1i=0 Badi

≤ r · ε

V accepts i� every vertices of the queried path are green.Pr[V accepts] = 6

16 = 38

22 / 24

√ρ))

[∪r−1i=0 Badi

≤ r · ε

16 = 38

22 / 24

√ρ))

[∪r−1i=0 Badi

≤ r · ε

16 = 38

Modification process does not a�ect green vertices rejection proba does not increase.22 / 24

Soundness analysis II

Considering the modified oracles, define Ei+1 = {y ∈ Di+1 | y is red, i.e. fi+1(y) 6= Fold [fi, αi] (y)}.If no BADi occurs, V rejects with proba at most

Prs∈D0

[∃i ∈ {1, . . . , r} , s2i ∈ Ei

r∑i=1

Prs∈D0

[s2i ∈ Ei

r∑i=1

|Ei||Di|

Triangular inequality:

∆(Fold [fi, αi] , fi+1)︸︷︷︸= |Ei+1||Di+1|

+∆(fi+1,RSi+1) ≥ ∆(Fold [fi, αi] ,RSi+1)︸︷︷︸≥δi

We deduce that for all i < r − 1, |Ei+1||Di+1| ≥ δi − δi+1, since:

• If δi+1 < δi, then δi+1 < 1−√ρ, and thus δi+1 = ∆(fi+1,RSi+1). δi = min(∆(fi,RSi), 1−

√ρ)

• Otherwise δi − δi+1 ≤ 0, thus it’s clear.

Thus,∑r

i=1|Ei||Di|

≥∑r−1

i=0 (δi − δi+1) ≥ δ0 − δr = δ0.

Conclude: If δ = ∆(f0,RS0) > 0, then Pr(V accept) ≤ Oρ(n2

)+(1−min

(δ, 1−√ρ

23 / 24

Prs∈D0

[∃i ∈ {1, . . . , r} , s2i ∈ Ei

r∑i=1

Prs∈D0

[s2i ∈ Ei

r∑i=1

|Ei||Di|

∆(Fold [fi, αi] , fi+1)︸︷︷︸= |Ei+1||Di+1|

√ρ)

Thus,∑r

i=1|Ei||Di|

≥∑r−1

i=0 (δi − δi+1) ≥ δ0 − δr = δ0.

)+(1−min

(δ, 1−√ρ

23 / 24

Prs∈D0

[∃i ∈ {1, . . . , r} , s2i ∈ Ei

r∑i=1

Prs∈D0

[s2i ∈ Ei

r∑i=1

|Ei||Di|

∆(Fold [fi, αi] , fi+1)︸︷︷︸= |Ei+1||Di+1|

√ρ)

Thus,∑r

i=1|Ei||Di|

≥∑r−1

i=0 (δi − δi+1) ≥ δ0 − δr = δ0.

)+(1−min

(δ, 1−√ρ

23 / 24

Prs∈D0

[∃i ∈ {1, . . . , r} , s2i ∈ Ei

r∑i=1

Prs∈D0

[s2i ∈ Ei

r∑i=1

|Ei||Di|

∆(Fold [fi, αi] , fi+1)︸︷︷︸= |Ei+1||Di+1|

√ρ)

Thus,∑r

i=1|Ei||Di|

≥∑r−1

i=0 (δi − δi+1) ≥ δ0 − δr = δ0.

)+(1−min

(δ, 1−√ρ

23 / 24

Prs∈D0

[∃i ∈ {1, . . . , r} , s2i ∈ Ei

r∑i=1

Prs∈D0

[s2i ∈ Ei

r∑i=1

|Ei||Di|

∆(Fold [fi, αi] , fi+1)︸︷︷︸= |Ei+1||Di+1|

√ρ)

Thus,∑r

i=1|Ei||Di|

≥∑r−1

i=0 (δi − δi+1) ≥ δ0 − δr = δ0.

)+(1−min

(δ, 1−√ρ

23 / 24

Conclusion

In a nutshell:Arithmetization:

• valid execution trace RS codewords

• incorrect execution trace words far from any RS codewords

Low-degree test: key-ingredient is a “folding operator” such that:

• codeword of big RS code 7→ codeword of small RS code

• locally computable

• word far from big RS code 7→ words far from small RS code (w.h.p)

What about other codes?Proximity testing to algebraic codes via IOPP, with linear prover and logarithmic verifier:

• Algebraic Geometry codes (joint work with Jade Nardi)https://eccc.weizmann.ac.il/report/2020/165/

• Reed-Muller and Tensor Products of RS codes (joint work with Daniel)

The challenging part is to construct folding operators satisfying “distance preservation”.

24 / 24

Conclusion

In a nutshell:Arithmetization:

• valid execution trace RS codewords

• incorrect execution trace words far from any RS codewords

Low-degree test: key-ingredient is a “folding operator” such that:

• codeword of big RS code 7→ codeword of small RS code

• locally computable

• word far from big RS code 7→ words far from small RS code (w.h.p)

What about other codes?Proximity testing to algebraic codes via IOPP, with linear prover and logarithmic verifier:

• Algebraic Geometry codes (joint work with Jade Nardi)https://eccc.weizmann.ac.il/report/2020/165/

• Reed-Muller and Tensor Products of RS codes (joint work with Daniel)

The challenging part is to construct folding operators satisfying “distance preservation”.

24 / 24

Efficient Proofs of Computational Integrity from Code ...

Documents

Transcript of Efficient Proofs of Computational Integrity from Code ...