FRI Fast Reed-Solomon(RS ...

FRIFast

Reed-Solomon (RS)Interactive Oracle Proofs of Proximity (IOPP)

From ICALP 2018 presentation

Eli Ben-Sasson Iddo Bentov Yinon Horesh Michael Riabzev

February 2019

Overviewtl;dr: FRI is a fast, FFT-like, IOP solution for verifying deg(f ) < d

I motivationI main result, applicationsI FRI protocol dive-in

Reed Solomon (RS) codes [RS60]

I prominent role in algebraic coding and computational complexityI For S ⊂ F a finite field and ρ ∈ (0, 1] a rate parameter

RS[F,S , ρ] = f : S → F | deg(f ) < ρ|S |

I RS codes have many desirable properties, likeI maximum distance separable (MDS): rel. Hamming distance 1− ρI efficient, quasi-linear time encoding via FFTI efficient unique decoding [BW83] and list decoding [GS99]I used in quasi-linear PCPs [BS05] and constant rate IOPs [BCGRS16]

I notation:I d = ρ|S | − 1 is degree;I n = |S | is blocklength;I ∆ is relative Hamming distance

RS proximity testing (RPT) problem

I Question: Construct a verifier V that hasI oracle access to f (0) : S (0) → FI completeness: If f (0) ∈ RS[F,S , ρ], then Pr[V accepts f (0)] = 1I soundness: otherwise, Pr[V rejects f (0)] ≥ ∆(f (0),RS[F,S (0), ρ])

while minimizing query complexity q.

I Answers:I q = d + 1 required and sufficient [folklore]I q = O(1/δ), if verifier has oracle access to PCPP [AS+ALMSS98]I PCPP can have quasi-linear length n logO(1) n [BS08, D07]I IOPP can have linear length O(n) [BCF+16, BBGR16]


I Question: Construct a verifier V that hasI oracle access to f (0) : S (0) → FI completeness: If f (0) ∈ RS[F,S , ρ], then Pr[V accepts f (0)] = 1I soundness: otherwise, Pr[V rejects f (0)] ≥ ∆(f (0),RS[F,S (0), ρ])

while minimizing query complexity q.I Answers:

I q = d + 1 required and sufficient [folklore]

I q = O(1/δ), if verifier has oracle access to PCPP [AS+ALMSS98]I PCPP can have quasi-linear length n logO(1) n [BS08, D07]I IOPP can have linear length O(n) [BCF+16, BBGR16]


I Question: Construct a verifier V that hasI oracle access to f (0) : S (0) → F and PCPP π : S (1) → FI completeness: If f (0) ∈ RS[F,S , ρ], then Pr[V accepts f (0)] = 1I soundness: otherwise, Pr[V rejects f (0)] ≥ ∆(f (0),RS[F,S (0), ρ])


I q = d + 1 required and sufficient [folklore]I q = O(1/δ), if verifier has oracle access to PCPP [AS+ALMSS98]

I PCPP can have quasi-linear length n logO(1) n [BS08, D07]I IOPP can have linear length O(n) [BCF+16, BBGR16]




I q = d + 1 required and sufficient [folklore]I q = O(1/δ), if verifier has oracle access to PCPP [AS+ALMSS98]I PCPP can have quasi-linear length n logO(1) n [BS08, D07]I IOPP can have linear length O(n) [BCF+16, BBGR16]





I Interactive Oracle Proof of Proximity (IOPP) model[BCS16,RRR16,BCF+16]I prover sends f (0) : S (0) → F; verifier sends random x (0)

I prover sends f (1) : S (1) → F; verifier sends random x (1)

I repeat for r roundsI verifier queries f (0), . . . , f (r); based on answers and (x (0), . . . , x (r−1))

verifier decides to accept/reject claim “f (0) ∈ RS[F, S (0), ρ

]”





I This work: IOPP model, minimize q and1. total proof length ` = |π1|+ . . .+ |πr |2. prover arithmetic complexity tp3. verifier arithmetic complexity tv

4. for “small”, concrete, non-asymptotic values of n, (< 250), usingnon-asymptotic bounds (O,Ω,Θ)

I Why? 1–3 interesting theoretically, 4 important practically, for ZKsystems like Ligero [AHIV17], STARK [BBHR18], Aurora[BCRSVW19], . . .





I This work: IOPP model, minimize q and1. total proof length ` = |π1|+ . . .+ |πr |2. prover arithmetic complexity tp3. verifier arithmetic complexity tv4. for “small”, concrete, non-asymptotic values of n, (< 250), using

non-asymptotic bounds (O,Ω,Θ)

I Why? 1–3 interesting theoretically, 4 important practically, for ZKsystems like Ligero [AHIV17], STARK [BBHR18], Aurora[BCRSVW19], . . .





I This work: IOPP model, minimize q and1. total proof length ` = |π1|+ . . .+ |πr |2. prover arithmetic complexity tp3. verifier arithmetic complexity tv4. for “small”, concrete, non-asymptotic values of n, (< 250), using

non-asymptotic bounds (O,Ω,Θ)I Why? 1–3 interesting theoretically, 4 important practically, for ZK

systems like Ligero [AHIV17], STARK [BBHR18], Aurora[BCRSVW19], . . .

Prior RS proximity testing (RPT) results

provercomp.

prooflength

verifiercomp.

querycomp.

roundcomp.

folklore 0 0 O(ρn) ρn 0PCP [ALM+92] nO(1) nO(1) nO(1) O

( 1δ

)1

PCP [BFL+90] n1+ε n1+ε 1δ

log1/ε n 1δ

log1/ε n 1PCPP [BS+05] n log1.5 n n log1.5 n 1

δlog5.8 n 1

δlog5.8 n 1

PCPP [D07, M09] n logc n n logc n 1δ

logc n O( 1δ

)1

IOPP [BCF+16] n logc n > 4 · n 1δ

logc n O( 1δ

)log log n

This work < 6 · n < n3 ≤ 21 · log n 2 log n log n

2

Overview

I motivation XI main result, applicationsI FRI protocol dive-in

Main Result — Fast RS IOPP (FRI)

Theorem (Informal)

For “nice” RS codes RS[F,S (0), ρ

], the FRI protocol satisfies

I tp(n) ≤ 6 · n and `(n) ≤ n/3I tv(n) ≤ 21 · log n and q(n) ≤ 2 log nI r(n) ≤ 1

2 log n (round complexity)I soundness (rejection prob.) δ − 2n

|F| for all f(0) that are

δ < δ0-far from code, δ0 ≈ 1−ρ4

Remarks1. “nice” codes means S (0) is either of following two:

1.1 2-smooth multiplicative group, i.e., |S (0)| = 2k , k ∈ N, or1.2 binary additive groups, i.e., S(0) an F2-linear space

2. first PCPP/IOPP for RS codes achieving simultaneousI linear prover complexity, tp = O(n), andI sub-linear verifier complexity, tv = o(n)


Theorem (Informal)






δ < δ0-far from code, δ0 ≈1−ρ4





Theorem (Informal)






δ < δ0-far from code, δ0 ≈1−ρ4 1− ρ 1

4 [BGKS19]





Theorem (Informal)






δ < δ0-far from code, δ0 ≈1−ρ4 1− ρ14 1

3 [BGKS19]





Theorem (Informal)







3 [BGKS19]

0 0.2 0.4 0.6 0.8 1

0

0.2

0.4

0.6

0.8

1

ρ

δ 0

upper boundJohnson boundunique decoding[BKS18] lower bound[BGKS19] tight boundthis work

FRI applications: (i) computational integrity and (ii) privacy

Definition (Computational Integrity (CI))is the language of quadruples (M, T , xin, xout) such that nondeterministicmachine M, on input xin reaches output xout after T cycles, T in binary.



LemmaCI is NEXP-complete




Definition (proof system)An proof system S for L is a pair S = (V,P) satisfyingI efficiency V is randomized polynomial time; P unbounded item

completeness x ∈ L⇒ Pr [V(x)↔ P(x) acc] = 1I soundness x 6∈ L⇒ Pr [V(x)↔ P(x) acc] ≤ 1/2




Definition (argument system)An argument system S for L is a pair S = (V,P) satisfyingI efficiency V is randomized polynomial time; P is similarly boundedI completeness x ∈ L⇒ Pr [V(x)↔ P(x) acc] = 1I soundness x 6∈ L⇒ Pr [V(x)↔ P(x) acc] ≤ 1/2




Theorem ([BM88, GMR88, BFL88, BFL91 , BGKW88, FLS90,BFLS91, AS92, ALMSS92, K92, M94])CI has an argument system S = (V,P) that isI succinct: Verifier run-time poly(n, log T ); this bounds proof lengthI transparent (AM): verifier sends only public random coinsI private (ZK): proof preserves privacy of nondeterministic witness


Theorem ([BM88, GMR88, BFL88, BFL91 , BGKW88, FLS90,BFLS91, AS92, ALMSS92, K92, M94])CI has an argument system S = (V,P) that isI succinct: Verifier run-time poly(n, log T ); this bounds proof lengthI transparent (AM): verifier sends only public random coinsI private (ZK): proof preserves privacy of nondeterministic witness

1. privacy-preserving proof of computational integrityI Proof and verification time may be longer than TI Useful for asserting properties of private, crypto-committed data

2. compression of computation/data, with computational integrityI meaningful when tv T or ` witness-sizeI useful for compressing blockchain history

I Scalable Transparent ARguments of Knowledge [BBHR18]I C++ implementation: github.com/elibensasson/libSTARKI achieves Thm above, quasi-linear tp, “post-quantum secure”I FRI is a major contributor to STARK efficiency

https://github.com/elibensasson/libSTARK

Overview

I motivation XI main result, applications XI FRI protocol dive-in

Overview of FRI protocol

Theorem (Informal)







3 [BGKS19]

Recall the inverse Fast Fourier Transform (iFFT)I evaluate P(X ), deg(P) < n on 〈ω〉, ω is root of unity of order n = 2k

I write P(X ) = P0(X2) + X · P1(X

2)

I equivalently, P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2

I notice 〈ω2〉 has size n/2I so evaluate each of P0(Y ),P1(Y ) on 〈ω2〉, . . . , O(n log n) runtime


Theorem (Informal)







3 [BGKS19]


I write P(X ) = P0(X2) + X · P1(X

2)


I notice 〈ω2〉 has size n/2

I so evaluate each of P0(Y ),P1(Y ) on 〈ω2〉, . . . , O(n log n) runtime


Theorem (Informal)







3 [BGKS19]


I write P(X ) = P0(X2) + X · P1(X

2)


I notice 〈ω2〉 has size n/2I so evaluate each of P0(Y ),P1(Y ) on 〈ω2〉, . . . , O(n log n) runtime

FRI Protocol

I Let S (0) ⊂ F∗ be 2-smooth mult. group: |S (0)| = 2k(0), k(0) ∈ N

I Let f (0) : S (0) → F, FRI for RS(0) = RS[F,S (0), ρ = 1

8

]

I Two-phase protocolI COMMIT: while i < k (0) − log 1

ρ

I verifier sends randomness x(i)

I prover sends oracle f (i+1) : S(i+1) → F, |S(i+1)| = |S(i)|/2I completeness: If f (i) ∈ RS[F, S(i), ρ] then f (i+1) ∈ RS[F,S(i+1), ρ]I each entry of f (i+1) computed from 2 distinct entries of f (i) via O(1)

arithmetic operations (so tp = O(n))I #rounds ≤ k(0) = log nI last round (i = k(0) − log 1/ρ): prover sends constant functionI (notice |f (i+1)| = |f (i)|/2 so total proof length O(n))

I QUERY: verifier queries oracles (prover not involved)

FRI Protocol



8

]I Two-phase protocol

I COMMIT: while i < k (0) − log 1ρ


I prover sends oracle f (i+1) : S(i+1) → F, |S(i+1)| = |S(i)|/2

I completeness: If f (i) ∈ RS[F, S(i), ρ] then f (i+1) ∈ RS[F,S(i+1), ρ]I each entry of f (i+1) computed from 2 distinct entries of f (i) via O(1)



FRI Protocol



8




I prover sends oracle f (i+1) : S(i+1) → F, |S(i+1)| = |S(i)|/2I completeness: If f (i) ∈ RS[F, S(i), ρ] then f (i+1) ∈ RS[F,S(i+1), ρ]

I each entry of f (i+1) computed from 2 distinct entries of f (i) via O(1)arithmetic operations (so tp = O(n))

I #rounds ≤ k(0) = log nI last round (i = k(0) − log 1/ρ): prover sends constant functionI (notice |f (i+1)| = |f (i)|/2 so total proof length O(n))


FRI Protocol



8





arithmetic operations (so tp = O(n))

I #rounds ≤ k(0) = log nI last round (i = k(0) − log 1/ρ): prover sends constant functionI (notice |f (i+1)| = |f (i)|/2 so total proof length O(n))


FRI Protocol



8





arithmetic operations (so tp = O(n))I #rounds ≤ k(0) = log nI last round (i = k(0) − log 1/ρ): prover sends constant function

I (notice |f (i+1)| = |f (i)|/2 so total proof length O(n))I QUERY: verifier queries oracles (prover not involved)

FRI Protocol



8







Example: S (0) = F∗17, n = 24, ρ = 2−2

COMMIT phase has log |S (0)| − log ρ= 2 rounds; during ith roundI verifier sends random x (i) ∈ FI prover sends next oracle f (i+1) : S (i+1) → F

I S (i+1) is 2-smooth multiplicative group, |S (i+1)| = |S (i)|/2I each entry of f (i+1) computed from 2 distinct entries of f (i)

I termination: When i = k(0) − log 1/ρ prover sends constant function

QUERY phase: pick random s(0) ∈ S (0) and check path-to-root

Example: S (0) = F∗17, n = 24, ρ = 2−2

COMMIT phase has log |S (0)| − log ρ= 2 rounds; during ith roundI verifier sends random x (i) ∈ FI prover sends next oracle f (i+1) : S (i+1) → F

I S (i+1) is 2-smooth multiplicative group, |S (i+1)| = |S (i)|/2I each entry of f (i+1) computed from 2 distinct entries of f (i)

I termination: When i = k(0) − log 1/ρ prover sends constant functionQUERY phase: pick random s(0) ∈ S (0) and check path-to-root

FRI COMMIT — single round

I suppose f (0) : F∗17 → F17 satisfies deg(f (0)) < 4

I let P(X ) interpolate f (0), deg(P) < 4I write P(X ) = P0(X

2) + X · P1(X2), FFT-style

I then P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2

I let Q(X ,Y ) , P0(Y ) + X · P1(Y ),I Q(X ,Y ) ≡ P(X ) mod Y − X 2

I consider points in F× F on curve Y − X 2,

0 2 4 6 8 10 12 14 16

12345678910111213141516

1 2 3 4 5 6 7 8 9 10111213141516


I suppose f (0) : F∗17 → F17 satisfies deg(f (0)) < 4I let P(X ) interpolate f (0), deg(P) < 4

I write P(X ) = P0(X2) + X · P1(X

2), FFT-styleI then P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2



0 2 4 6 8 10 12 14 16

12345678910111213141516

1 2 3 4 5 6 7 8 9 10111213141516


I suppose f (0) : F∗17 → F17 satisfies deg(f (0)) < 4I let P(X ) interpolate f (0), deg(P) < 4I write P(X ) = P0(X





0 2 4 6 8 10 12 14 16

12345678910111213141516

1 2 3 4 5 6 7 8 9 10111213141516






I degX (Q) < 2; degY (Q) ≤ deg(P)/2I S (1) =

x2 | x ∈ S (0)

is mult. group, |S (1)| = |S (0)|/2

0 2 4 6 8 10 12 14 16

12345678910111213141516

1 2 3 4 5 6 7 8 9 10111213141516







x2 | x ∈ S (0)

is mult. group, |S (1)| = |S (0)|/2

0 2 4 6 8 10 12 14 16

12345678910111213141516

1 2 3 4 5 6 7 8 9 10111213141516

COMMIT roundI Verifier picks random x (0) ∈ FI f (1) = Q(x (0),Y )|S(1)

I each entry of f (1) interpolatedfrom two entries of f (0)

I deg(f (1)) = degY (Q) < ρ|S (1)|

FRI vs. inverse FFT

I suppose f (0) : F∗17 → F17 satisfies deg(f (0)) < 4I find P(X ) that interpolates f (0)

I write P(X ) = P0(X2) + X · P1(X

2), FFT-styleI then P(X ) ≡ P0(Y ) + X · P1(Y ) mod Y − X 2



x2 | x ∈ S (0)

is mult. group, |S (1)| = |S (0)|/2

0 1 2 3 4 5 6 7 8 9 10111213141516∞12345678910111213141516

I P0(Y ) = Q(0,Y ),P1(Y ) = Q(∞,Y )

I let g0 = Q(0,Y )|S (1) ,g1 = Q(∞,Y )|S(1)

I compute g0, g1, O(n) stepsI recurse on g0, g1

Soundness analysis — low error

0 2 4 6 8 10 12 14 16

12345678910111213141516

1 2 3 4 5 6 7 8 9 10111213141516

For simplicity, suppose f (0) is δ < 1−ρ4 -far from 0

I y ∈ S (1) good if f (0)(x0) = f (0)(x1) = 0 for x20 = x2

1 = y

I otherwise, y ∈ S (1) badI fraction of bad y ’s in S (1) between δ and 2δ

I interpolant of bad row has at most 1 root

I w.p. 1− |S(1)||F| , x

(0) misses roots of bad rows; call such x (0) goodI prover left with two bad options:

I let f (1) “jump” to be closer to non-zero RS-codeword; large error;I continue with f (1) close to 0;


0 2 4 6 8 10 12 14 16

12345678910111213141516

1 2 3 4 5 6 7 8 9 10111213141516



1 = y

I otherwise, y ∈ S (1) badI fraction of bad y ’s in S (1) between δ and 2δI interpolant of bad row has at most 1 root

I w.p. 1− |S(1)||F| , x




0 2 4 6 8 10 12 14 16

12345678910111213141516

1 2 3 4 5 6 7 8 9 10111213141516



1 = y


I w.p. 1− |S(1)||F| , x

(0) misses roots of bad rows; call such x (0) good

I prover left with two bad options:I let f (1) “jump” to be closer to non-zero RS-codeword; large error;I continue with f (1) close to 0;


0 2 4 6 8 10 12 14 16

12345678910111213141516

1 2 3 4 5 6 7 8 9 10111213141516



1 = y


I w.p. 1− |S(1)||F| , x



Summary

I first RPT solution with tp = O(n) and tv = O(log n)

I nearly optimal soundness for δ < δ0

I what’s δ0? (higher lines are better)

Summary


I nearly optimal soundness for δ < δ0I what’s δ0? (higher lines are better)

0 0.2 0.4 0.6 0.8 1

0

0.2

0.4

0.6

0.8

1

ρ

δ 0[BBHR18] lower bound[BKS18] lower boundupper boundunique decodingJohnson bound

Summary



0 0.2 0.4 0.6 0.8 1

0

0.2

0.4

0.6

0.8

1

ρ

δ 0[BBHR18] lower bound[BKS18] lower boundupper boundunique decodingDEEP-FRI [BGKS19]FRI tight [BGKS19]

I New protocol: DEEP-FRI [B, Goldberg, Kopparty, Saraf 2019]I DEEP-FRI: Domain Extending for Eliminating Pretenders FRII like FRI, has linear proving complexity, logarithmic verifer complexityI DEEP-FRI soundness reaches Johnson bound δ0 ≈ 1−√ρI Under plausible list decoding conjecture, reaches δ0 ≈ 1− ρ

Summary



I QuestionsI “sliding scale” soundness-error ≈ 1/poly(|F|) for RS-IOPPs?

I want to learn more? [email protected] want to realize in practice? [email protected]

Summary



I QuestionsI “sliding scale” soundness-error ≈ 1/poly(|F|) for RS-IOPPs?I want to learn more? [email protected] want to realize in practice? [email protected]

FRI Fast Reed-Solomon(RS ...

Documents

Transcript of FRI Fast Reed-Solomon(RS ...