Dependency graph

Legend

Boxes: definitions
Ellipses: theorems and lemmas
Blue border: the statement of this result is ready to be formalized; all prerequisites are done
Orange border: the statement of this result is not ready to be formalized; the blueprint needs more work
Blue background: the proof of this result is ready to be formalized; all prerequisites are done
Green border: the statement of this result is formalized
Green background: the proof of this result is formalized
Dark green background: the proof of this result and all its ancestors are formalized
Dark green border: this is in Mathlib

Definition

LaTeX

Definition 1.2

Let $k \in N$ be an integer, $F$ be a finite field and $L \subset F$ be a subset of $F$ . Then

L^{k} := {x^{k} s.t. x \in L}

LaTeX

Definition 2.11

Given target degree $d^{*} \in N$ , shifting parameter $r \in F$ , functions $f_{1}, \dots, f_{m} : L \to F$ , and degrees $0 \leq d_{1}, \dots, d_{m} \leq d^{*}$ , we define $Combine (d^{*}, r, (f_{1}, d_{1}), \dots, (f_{m}, d_{m})) : L \to F$ as follows:

\begin{aligned} Combine (d^{*}, r, (f_{1}, d_{1}), \dots, (f_{m}, d_{m})) (x) & := \sum_{i = 1}^{m} r_{i} \cdot f_{i} (x) \cdot (\sum_{l = 0}^{d^{*} - d_{i}} {(r \cdot x)}^{l}) \\ = {\begin{cases} \sum_{i = 1}^{m} r_{i} \cdot f_{i} (x) \cdot (\frac{1 - {(x r)}^{d^{*} - d_{i} + 1}}{1 - x r}) & x \cdot r \neq 1 \\ \sum_{i = 1}^{m} r_{i} \cdot f_{i} (x) \cdot (d^{*} - d_{i} + 1) & x \cdot r = 1 \end{cases} \end{aligned}

Above, $r_{1} := 1$ , $r_{i} := r^{i - 1 + \sum_{j < i} (d^{*} - d_{i})}$ for $i > 1$ .

LaTeX Lean

Definition 2.12

Given target degree $d^{*} \in N$ , shifting parameter $r \in F$ , function $f : L \to F$ , and degree $0 \leq d \leq d^{*}$ , we define $DegCor (d^{*}, r, f, d)$ as follows.

DegCor (d^{*}, r, f, d) (x) := f (x) \cdot (\sum_{i = 0}^{m} {(r \cdot x)}^{l}) = {\begin{cases} f (x) \cdot \frac{1 - {(x r)}^{d^{*} - d_{i} + 1}}{1 - x r} & x \cdot r \neq 1 \\ f (x) \cdot (d^{*} - d_{i} + 1) & x \cdot r = 1 \end{cases}

(Observe that $DegCor (d^{*}, r, f, d) = Combine (d^{*}, r, (f, d))$ .)

LaTeX

Definition 2.8

Let $f : L \to F$ be a function, $k \in N$ a folding parameter and $α \in F$ . For every $x \in L^{k}$ , let ${\hat{p}}_{x} \in F^{< k} [X]$ be the polynomial where ${\hat{p}}_{x} (y) = f (y)$ for every $y \in L$ such that $y^{k} = x$ . We define $Fold (f, k, α) : L \to F$ as follows.

Fold (f, k, α) := {\hat{p}}_{x} (α) .

In order to compute $Fold (f, k, α) (x)$ it suffices to interpolate the $k$ values ${f (y) : y \in L s.t. y^{k} = x}$ into the polynomial ${\hat{p}}_{x}$ and evaluate this polynomial at $α$ .

LaTeX

Definition 1.1Interactive Oracle Proofs of Proximity (IOPP)

A $k$ ‑round public‑coin interactive‑oracle proof of proximity (IOPP) for a ternary relation $R = {(x, y, w)}$ is an interactive protocol between a prover $P$ and a verifier $V$ defined as follows.

The prover receives $(x, y, w)$ , while the verifier receives $x$ and oracle access to $y$ .
For each round $i \in [k]$ the verifier sends a uniformly random message $α_{i}$ to the prover, who responds with a proof string $π_{i}$ .
After $k$ rounds, the verifier may query $y$ and the proof strings $π_{1}, \dots, π_{k}$ and finally outputs a decision bit.

Formally, let $IOP = (P, V)$ where $P$ is an interactive algorithm and $V$ is an interactive‑oracle algorithm. The protocol has perfect completeness and soundness error $β$ if the following conditions hold.

LaTeX

Definition 1.5

For a Reed-Solomon code $C := RS [F, L, d]$ , parameter $δ \in [0, 1]$ , and a function $f : L \to F$ , let $List (f, d, δ)$ denote the list of codewords in $C$ whose relative Hamming distance from $f$ is at most $δ$ . We say that $C$ is $(δ, l)$ -list decodable if

| List (f, d, δ) | \leq l for every function f .

LaTeX

Definition 2.7

Given a polynomial $\hat{f} \in F^{< d} [X]$ , a folding parameter $k \in N$ and $r \in F$ , we define a polynomial $PolyFold (\hat{f}, k, r) \in F^{d / k} [X]$ as follows. Let $\hat{Q} [X, Y]$ be the bivariate polynomial derived from $\hat{f}$ using Fact 2.6 with $\hat{q} (X) := X^{k}$ . Then $PolyFold (\hat{f}, k, r) (X) := \hat{Q} (X, r)$ .

LaTeX

Definition 2.3

Let $\hat{f} \in F^{< d} [X]$ be a polynomial and $S \subseteq F$ be a set, let ${\hat{V}}_{S} \in F^{< | S | + 1} [X]$ be the unique non-zero polynomial with ${\hat{V}}_{S} (x) = 0$ for every $x \in S$ . The polynomial quotient $PolyQuotient (\hat{f}, S) \in F^{< d - | S |} [X]$ is defined as follows:

PolyQuotient (\hat{f}, S) (X) := \frac{\hat{f} (X) - \hat{Ans} (X)}{{\hat{V}}_{S} (X)}

LaTeX

Definition 2.2

Let $f : L \to F$ be a function, $S \subseteq F$ be a set, and $Ans, Fill : S \to F$ be functions. Let $\hat{Ans} \in F^{< | S |} [X]$ be the (unique) polynomial with $\hat{Ans} (x) = Ans (x)$ for every $x \in S$ , and let ${\hat{V}}_{S} \in F^{< | S | + 1} [X]$ be the unique non-zero polynomial with ${\hat{V}}_{S} (x) = 0$ for every $x \in S$ . The quotient function $Quotient (f, S, Ans, Fill) : L \to F$ is defined as follows:

\forall x \in L, Quotient (f, S, Ans, Fill) (x) := {\begin{cases} Fill (x) & if x \in S \\ \frac{f (x) - \hat{Ans} (x)}{{\hat{V}}_{S} (x)} & otherwise \end{cases}

LaTeX

Definition 1.3Reed-Solomon Code

The Reed-Solomon code over finite field $F$ , evaluation domain $L \subseteq F$ and degree $d \in N$ is the set of evaluations (over $L$ ) of univariate polynomials (over $F$ ) of degree less than $d$ :

RS [F, L, d] := {f : L \to F | \exists \hat{f} \in F^{< d} [X] such that \forall x \in L, f (x) = \hat{f} (x)} .

The rate of $RS [F, L, d]$ is $ρ := \frac{d}{| L |}$ .

Given a code $C := RS [F, L, d]$ and a function $f : L \to F$ , we sometimes use $\hat{f} \in F^{< d} [X]$ to denote a nearest polynomial to $f$ on $L$ (breaking ties arbitrarily).

LaTeX

Lean

polynomialsUpTo
polynomialEvalOn
ReedSolomonCode

Lemma 2.13

Let $d^{*}$ be a target degree, $f_{1}, \dots, f_{m} : L \to F$ be functions, $0 \leq d_{1}, \dots, d_{m} \leq d^{*}$ be degrees, $δ \in min {1 - B^{*} (ρ), 1 - ρ - 1 / | L |}$ be a distance parameter, where $ρ = d^{*} / | L |$ . If

\underset{r \leftarrow F}{Pr} [Δ (Combine (d^{*}, r, (f_{1}, d_{1}), \dots, (f_{m}, d_{m})), RS [F, L, d^{*}])] > {err}^{*} (d^{*}, ρ, δ, m \cdot (d^{*} + 1) - \sum_{i = 1}^{m} d_{i}),

then there exists $S \subseteq L$ with $| S | \geq (1 - δ) \cdot | L |$ , and

\forall i \in [m], \exists u \in RS [F, L, d_{i}], f_{i} (S) = u (S) .

Note that this implies $Δ (f_{i}, RS [F, L, d_{i}]) < δ$ for every $i$ . Above, $B^{*}$ and ${err}^{*}$ are the proximity bound and error (respectively) described in Section 2.1.

LaTeX

Lemma 2.9

For every function $f : L \to F$ , degree parameter $d \in N$ , folding parameter $k \in N$ , distance parameter $δ \in (0, min {Δ (Fold [f, k, r^{fold}], RS [F, L^{k}, d / k]), 1 - B^{*} (ρ)})$ , letting $ρ := \frac{d}{| L |}$ ,

\underset{r^{fold} \leftarrow F}{Pr} [Δ (Fold [f, k, r^{fold}], RS [F, L^{k}, d / k]) < δ] > {err}^{*} (d / k, ρ, δ, k) .

Above, $B^{*}$ and ${err}^{*}$ are the proximity bound and error (respectively) described in Section 2.1.

LaTeX

Lemma 2.5

Let $f : L \to F$ be a function, $d \in N$ be a degree parameter, $s \in N$ be a repetition parameter, and $δ \in [0, 1]$ be a distance parameter. If $RS [F, L, d]$ be $(d, l)$ -list decodable then

\begin{aligned} \underset{r_{1}, \dots, r_{s} \leftarrow F ∖ L}{Pr} [\exists distinct u, u^{'} \in List (f, d, δ) : \forall i \in [s], \hat{u} (r_{i}) = {\hat{u}}^{'} (r_{i})] & \leq (\binom{l}{2}) \cdot {(\frac{d - 1}{| F | - | L |})}^{s} \\ \leq (\frac{l^{2}}{2}) \cdot {(\frac{d}{| F | - | L |})}^{s} \end{aligned}

LaTeX

Lemma 2.4

Let $f : L \to F$ be a function, $d \in N$ be the degree parameter, $δ \in (0, 1)$ be a distance parameter, $S \subseteq F$ be a set with $| S | < d$ , and $Ans, Fill : S \to F$ are functions. Suppose that for every $u \in List (f, d, δ)$ there exists $x \in S$ with $\hat{u} (x) \neq Ans (x)$ . Then

Δ (Quotient (f, S, Ans, Fill), RS [F, L, d - | S |]) + \frac{| T |}{| L |} > δ,

where $T := {x \in L \cap S : \hat{Ans} (x) \neq f (x)}$ .

LaTeX

Lemma 3.2

Consider $(F, M, d, k_{0}, \dots, k_{M}, L_{0}, \dots, L_{M}, t_{0}, \dots, t_{M})$ and $d_{0}, \dots, d_{M}$ as in Construction 3.2, and for every $0 \leq i \leq M$ let $ρ_{i} := d_{i} / | L_{i} |$ . For every $f \notin RS [F, L_{0}, d_{0}]$ and every $δ_{0}, \dots, δ_{M}$ where

$δ_{0} \in (0, Δ (f, RS [F, L_{0}, d_{0}])] \cap (0, 1 - B^{*} (ρ_{0}))$
for every $0 < i \leq M$ : $δ_{i} \in (0, min {1 - ρ_{i} - \frac{1}{| L_{i} |}, 1 - B^{*} (ρ_{i})})$ , and
for every $0 < i \leq M$ : $RS [F, L_{i}, d_{i}]$ is $(δ_{i}, l_{i})$ -list decodable,

STIR (Construction 3.2) has round-by-round soundness error $(ϵ^{fold}, ϵ_{1}^{out}, ϵ_{1}^{shift}, \dots, ϵ_{M}^{out}, ϵ_{M}^{shift}, ϵ^{fin})$ where:

$ϵ^{fold} \leq {err}^{*} (d_{0} / k_{0}, ρ_{0}, δ_{0}, k_{0})$ .
$ϵ_{i}^{out} \leq \frac{l_{i}^{2}}{2} \cdot {(\frac{d_{i}}{| F | - | L_{i} |})}^{s}$
$ϵ_{i}^{shift} \leq {(1 - δ_{i - 1})}^{t_{i - 1}} + {err}^{*} (d_{i}, ρ_{i}, δ_{i}, t_{i - 1} + s) + {err}^{*} (d_{i} / k_{i}, ρ_{i}, δ_{i}, k_{i})$ .
$ϵ^{fin} \leq {(1 - δ_{M})}^{t_{M}}$ .

Above, $B^{*}$ and ${err}^{*}$ are the proximity bound and error (respectively) described in Section 2.1.

LaTeX

Theorem 1.6Johnson bound

The Reed-Solomon code $RS [F, L, d]$ is $(1 - \sqrt{ρ} - η, \frac{1}{2 η ρ})$ -list-decodable for every $η \in (0, 1 - \sqrt{ρ})$ , where $ρ := \frac{d}{| L |}$ is the rate of the code.

LaTeX

Theorem 2.1

Let $C := RS [F, L, d]$ be a Reed-Solomon code with rate $ρ := \frac{d}{| L |}$ and let $B^{'} (ρ) := \sqrt{ρ}$ . For every $δ \in (0, 1 - B^{'} (ρ))$ and functions $f_{1}, \dots, f_{m} : L \to F$ , if

\underset{r \leftarrow F}{Pr} [Δ (\sum_{j = 1}^{m} r^{j - 1} \cdot f_{j}, RS [F, L, d]) \leq δ] > {err}^{'} (d, ρ, δ, m),

then there exists a subset $S \subseteq L$ with $| S | \geq (1 - δ) \cdot | L |$ , and for every $i \in [m]$ , there exists $u \in RS [F, L, d]$ such that $f_{i} (S) = u (S)$ .

Above, ${err}^{'} (d, ρ, δ, m)$ is defined as follows:

if $δ \in (0, \frac{1 - ρ}{2}]$ then

${err}^{'} (d, ρ, δ, m) = \frac{(m - 1) \cdot d}{ρ \cdot | F |}$
if $δ \in (\frac{1 - ρ}{2}, 1 - \sqrt{ρ})$ then

${err}^{'} (d, ρ, δ, m) = \frac{(m - 1) \cdot d^{2}}{| F | \cdot {(2 \cdot min 1 - \sqrt{ρ} - δ, \frac{\sqrt{ρ}}{20})}^{7}}$

LaTeX

Lean

err'
proximityGap

Theorem 3.1STIR Main Theorem

Consider the following ingrediants:

A security parameter $λ \in N$ .
A Reed-Solomon code $RS [F, L, d]$ with $ρ := \frac{d}{| L |}$ where $d$ is a power of $2$ , and $L$ is a smooth domain.
A proximity parameter $δ \in (0, 1 - 1.05 \cdot \sqrt{ρ})$ .
A folding parameter $k \in N$ that is power of $2$ with $k \geq 4$ .

If $| F | = Ω (\frac{λ \cdot 2^{λ} \cdot d^{2} \cdot {| L |}^{2}}{\log (1 / ρ)})$ , there is a public-coin IOPP for $RS [F, L, d]$ with the following parameters:

Round-by-round soundness error $2^{- λ}$ .
Round complexity: $M := O (\log_{k} d)$ .
Proof length: $| L | + O_{k} (\log d)$ .
Query complexity to the input: $\frac{λ}{- \log (1 - δ)}$ .
Query complexity to the proof strings: $O_{k} (\log d + λ \cdot \log (\frac{\log d}{\log 1 / ρ}))$ .

LaTeX