Fast Reed-Solomon Interactive Oracle Proofs of Proximity

The family of Reed-Solomon (RS) codes plays a prominent role in the construction of quasilinear probabilistically checkable proofs (PCPs) and interactive oracle proofs (IOPs) with perfect zero knowledge and polylogarithmic verifiers. The large concrete computational cost of proving membership in RS codes is one of the biggest obstacles to deploying such PCP/IOP systems in practice.

To advance on this problem we present a new interactive oracle proof of proximity (IOPP) for RS codes; we call it the Fast RS IOPP (FRI) because (i) it resembles the ubiquitous Fast Fourier Transform (FFT) and (ii) the arithmetic complexity of its prover is strictly linear and that of the verifier is strictly logarithmic (by comparison, the arithmetic complexity of the FFT is quasi-linear but not strictly linear). Prior RS IOPPs and PCPs of proximity (PCPPs) required super-linear proving time even for polynomially large query complexity. For codes of block length N, the arithmetic complexity of the (interactive) FRI prover is less than 6N, while the (interactive) FRI verifier has arithmetic complexity at most 21 log N, query complexity 2 log N, and constant soundness: words that are delta-far from the code are rejected with probability min{delta * (1 - o(1)), delta_0}, where delta_0 is a positive constant that depends mainly on the code rate. The particular combination of query complexity and soundness obtained by FRI is better than that of the quasilinear PCPP of [Ben-Sasson and Sudan, SICOMP 2008], even with the tighter soundness analysis of [Ben-Sasson et al., STOC 2013; ECCC 2016]; consequently, FRI is likely to facilitate more concretely efficient zero knowledge proof and argument systems.

Previous concretely efficient PCPPs and IOPPs suffered a constant multiplicative loss in soundness with each round of "proof composition" and thus used at most O(log log N) rounds. We show that when delta is smaller than the unique decoding radius of the code, FRI suffers only a negligible additive loss in soundness. This observation allows us to increase the number of "proof composition" rounds to Theta(log N) and thereby reduce prover and verifier running time for fixed soundness.

[1]  Morgen E. Peck.  A blockchain currency that beats bitcoin on privacy [News], 2016, IEEE Spectrum.

[2]  Daniel A. Spielman,et al.  Linear-time encodable and decodable error-correcting codes , 1995, STOC '95.

[3]  Ronitt Rubinfeld,et al.  Self-testing polynomial functions efficiently and over rational domains , 1992, SODA '92.

[4]  Guy N. Rothblum,et al.  Constant-Round Interactive Proofs for Delegating Computation , 2016, Electron. Colloquium Comput. Complex..

[5]  Mihir Bellare,et al.  Linearity testing in characteristic two , 1996, IEEE Trans. Inf. Theory.

[6]  Paul Valiant,et al.  Incrementally Verifiable Computation or Proofs of Knowledge Imply Time/Space Efficiency , 2008, TCC.

[7]  R. Cramer, et al.  Linear Zero-Knowledge: A Note on Efficient Zero-Knowledge Proofs and Arguments, 1996.

[8]  Eli Ben-Sasson,et al.  Zerocash: Decentralized Anonymous Payments from Bitcoin , 2014, 2014 IEEE Symposium on Security and Privacy.

[9]  Or Meir,et al.  High-rate locally-correctable and locally-testable codes with sub-polynomial query complexity , 2016, STOC.

[10]  Manuel Blum,et al.  Self-testing/correcting with applications to numerical problems , 1990, STOC '90.

[11]  László Babai,et al.  Trading group theory for randomness , 1985, STOC '85.

[12]  Leonid A. Levin,et al.  Checking computations in polylogarithmic time , 1991, STOC '91.

[13]  Eli Ben-Sasson,et al.  On Probabilistic Checking in Perfect Zero Knowledge , 2016, IACR Cryptol. ePrint Arch..

[14]  Yael Tauman Kalai,et al.  Delegating computation: interactive proofs for muggles , 2008, STOC.

[15]  Sanjeev Arora,et al.  Probabilistic checking of proofs: a new characterization of NP , 1998, JACM.

[16]  Johan Håstad,et al.  Some optimal inapproximability results , 2001, JACM.

[17]  Andrew J. Blumberg,et al.  Verifying computations without reexecuting them , 2015, Commun. ACM.

[18]  Daniel A. Spielman,et al.  Nearly-linear size holographic proofs , 1994, STOC '94.

[19]  Madhu Sudan.  Efficient Checking of Polynomials and Proofs and the Hardness of Approximation Problems, 1995, Lecture Notes in Computer Science 1001 (PhD thesis, UC Berkeley, 1992).

[20]  Adi Shamir,et al.  IP = PSPACE , 1992, JACM.

[21]  Madhu Sudan,et al.  Some improvements to total degree tests , 1995, Proceedings Third Israel Symposium on the Theory of Computing and Systems.

[22]  Eli Ben-Sasson,et al.  Short PCPs verifiable in polylogarithmic time , 2005, 20th Annual IEEE Conference on Computational Complexity (CCC'05).

[23]  Graham Cormode,et al.  Practical verified computation with streaming interactive proofs , 2011, ITCS '12.

[24]  Thilo Mie,et al.  Short PCPPs verifiable in polylogarithmic time with O(1) queries , 2009, Annals of Mathematics and Artificial Intelligence.

[25]  Joe Kilian,et al.  Probabilistically checkable proofs with zero knowledge , 1997, STOC '97.

[26]  Yael Tauman Kalai,et al.  Interactive PCP , 2007 .

[27]  Carsten Lund,et al.  Algebraic methods for interactive proof systems , 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[28]  Eli Ben-Sasson,et al.  Quasi-Linear Size Zero Knowledge from Linear-Algebraic PCPs , 2016, TCC.

[29]  Or Meir,et al.  Constant Rate PCPs for Circuit-SAT with Sublinear Query Complexity , 2013, 2013 IEEE 54th Annual Symposium on Foundations of Computer Science.

[30]  Irit Dinur,et al.  Locally Testing Direct Product in the Low Error Range , 2008, 2008 49th Annual IEEE Symposium on Foundations of Computer Science.

[31]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[32]  Eli Ben-Sasson,et al.  On the concrete efficiency of probabilistically-checkable proofs , 2013, STOC '13.

[33]  Eli Ben-Sasson,et al.  Short PCPs with Polylog Query Complexity , 2008, SIAM J. Comput..

[34]  Carsten Lund,et al.  Proof verification and the hardness of approximation problems , 1998, JACM.

[35]  Øystein Ore.  Contributions to the theory of finite fields, 1934, Trans. Amer. Math. Soc.

[36]  Carsten Lund,et al.  Nondeterministic exponential time has two-prover interactive protocols , 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[37]  Eli Ben-Sasson,et al.  A security analysis of Probabilistically Checkable Proofs , 2016, Electron. Colloquium Comput. Complex..

[38]  Shubhangi Saraf,et al.  Locally testable and Locally correctable Codes Approaching the Gilbert-Varshamov Bound , 2016, Electron. Colloquium Comput. Complex..

[39]  Ran Raz,et al.  A parallel repetition theorem , 1995, STOC '95.

[40]  Ran Raz,et al.  Two Query PCP with Sub-Constant Error , 2008, 2008 49th Annual IEEE Symposium on Foundations of Computer Science.

[41]  James W. Cooley and John W. Tukey.  An algorithm for the machine calculation of complex Fourier series, 1965, Math. Comput.

[42]  Christof Zalka,et al.  Shor's discrete logarithm quantum algorithm for elliptic curves , 2003, Quantum Inf. Comput..

[43]  Irving S. Reed and Gustave Solomon.  Polynomial Codes Over Certain Finite Fields, 1960, J. Soc. Indust. Appl. Math.

[44]  D. Spielman,et al.  Computationally efficient error-correcting codes and holographic proofs , 1995 .

[45]  Eli Ben-Sasson,et al.  SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge , 2013, CRYPTO.

[46]  Eli Ben-Sasson,et al.  Computational Integrity with a Public Random String from Quasi-Linear PCPs , 2017, EUROCRYPT.

[47]  Eli Ben-Sasson,et al.  Scalable, transparent, and post-quantum secure computational integrity , 2018, IACR Cryptol. ePrint Arch..

[48]  Omer Reingold,et al.  Assignment testers: towards a combinatorial proof of the PCP-theorem , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[49]  Craig Gentry,et al.  Quadratic Span Programs and Succinct NIZKs without PCPs , 2013, IACR Cryptol. ePrint Arch..

[50]  Yuval Ishai, et al.  On Zero-Knowledge PCPs: Limitations, Simplifications, and Applications, 2015.

[51]  Eli Ben-Sasson,et al.  Short Interactive Oracle Proofs with Constant Query Complexity, via Composition and Sumcheck , 2016, IACR Cryptol. ePrint Arch..

[52]  Øystein Ore.  On a special class of polynomials, 1933, Trans. Amer. Math. Soc.

[53]  Avi Wigderson,et al.  New Direct-Product Testers and 2-Query PCPs , 2012, SIAM J. Comput..

[54]  Nir Bitansky,et al.  From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again , 2012, ITCS '12.

[55]  Silvio Micali,et al.  Computationally Sound Proofs , 2000, SIAM J. Comput..

[57]  Oded Goldreich,et al.  A Combinatorial Consistency Lemma with Application to Proving the PCP Theorem , 1997, RANDOM.

[58]  Eli Ben-Sasson, et al.  Robust PCPs of Proximity, Shorter PCPs and Applications to Coding, 2004, STOC '04.

[59]  Peter W. Shor,et al.  Algorithms for quantum computation: discrete logarithms and factoring , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[60]  Yuval Ishai,et al.  Probabilistically Checkable Proofs of Proximity with Zero-Knowledge , 2014, TCC.