3 Proof Systems

3.1 Simple Oracle Reductions

We start by introducing a number of simple oracle reductions that serve as fundamental building blocks for more complex proof systems. These components can be composed together to construct larger protocols.

3.1.1 Trivial Reduction

The simplest possible oracle reduction is one that performs no computation at all. Both the prover and verifier simply pass their inputs through unchanged. While seemingly trivial, this reduction serves as an important identity element for composition and provides a base case for lifting and lens operations.

Definition 98 DoNothing Reduction

The DoNothing reduction is a zero-round protocol with the following components:

Protocol specification: \(\mathsf{pSpec}:= []\) (empty protocol, no messages exchanged)
Prover: Simply stores the input statement and witness, and outputs them unchanged
Verifier: Takes the input statement and outputs it directly
Input relation: Any relation \(R_{\mathsf{in}} : \mathsf{StmtIn}\to \mathsf{WitIn}\to \mathsf{Prop}\)
Output relation: The same relation \(R_{\mathsf{out}} := R_{\mathsf{in}}\)

Theorem 99 DoNothing Perfect Completeness

The DoNothing reduction satisfies perfect completeness for any input relation.

The oracle version of DoNothing handles oracle statements by passing them through unchanged as well. The prover receives both non-oracle and oracle statements as input, and outputs them in the same form to the verifier.

3.1.2 Sending the Witness

A fundamental building block in many proof systems is the ability for the prover to transmit witness information to the verifier. The SendWitness reduction provides this functionality in both direct and oracle settings.

Definition 100 SendWitness Reduction

The SendWitness reduction is a one-round protocol where the prover sends the complete witness to the verifier:

Protocol specification: \(\mathsf{pSpec}:= [(\mathsf{P \! \! \rightarrow \! \! V}, \mathsf{WitIn})]\) (single message from prover to verifier)
Prover: Sends the witness \(\mathbb {w}\) as its single message
Verifier: Receives the witness and combines it with the input statement to form the output
Input relation: \(R_{\mathsf{in}} : \mathsf{StmtIn}\to \mathsf{WitIn}\to \mathsf{Prop}\)
Output relation: \(R_{\mathsf{out}} : (\mathsf{StmtIn}\times \mathsf{WitIn}) \to \mathsf{Unit}\to \mathsf{Prop}\) defined by \(((\mathsf{stmt}, \mathsf{wit}), ()) \mapsto R_{\mathsf{in}}(\mathsf{stmt}, \mathsf{wit})\)

Theorem 101 SendWitness Perfect Completeness

The SendWitness reduction satisfies perfect completeness.

In the oracle setting, we consider two variants:

Definition 102 SendWitness Oracle Reduction

The oracle version handles witnesses that are indexed families of types with oracle interfaces:

Witness type: \(\mathsf{WitIn}: \iota _w \to \mathsf{Type}\) where each \(\mathsf{WitIn}(i)\) has an oracle interface
Protocol specification: \(\mathsf{pSpec}:= [(\mathsf{P \! \! \rightarrow \! \! V}, \forall i, \mathsf{WitIn}(i))]\)
Output oracle statements: Combination of input oracle statements and the transmitted witness

Definition 103 SendSingleWitness Oracle Reduction

A specialized variant for a single witness with oracle interface:

Witness type: \(\mathsf{WitIn}: \mathsf{Type}\) with oracle interface
Protocol specification: \(\mathsf{pSpec}:= [(\mathsf{P \! \! \rightarrow \! \! V}, \mathsf{WitIn})]\)
Conversion: Implicitly converts to indexed family \(\mathsf{WitIn}: \mathsf{Fin}(1) \to \mathsf{Type}\)

Theorem 104 SendSingleWitness Perfect Completeness

The SendSingleWitness oracle reduction satisfies perfect completeness.

3.1.3 Oracle Equality Testing

One of the most fundamental oracle reductions is testing whether two oracles of the same type are equal. This is achieved through random sampling from the query space.

Definition 105 RandomQuery Oracle Reduction

The RandomQuery reduction tests equality between two oracles by random querying:

Input: Two oracles \(\mathsf{a}, \mathsf{b}\) of the same type with oracle interface
Protocol specification: \(\mathsf{pSpec}:= [(\mathsf{V \! \! \rightarrow \! \! P}, \mathsf{Query})]\) (single challenge from verifier)
Input relation: \(R_{\mathsf{in}}((), (\mathsf{a}, \mathsf{b}), ()) := (\mathsf{a} = \mathsf{b})\)
Verifier: Samples random query \(q\) and sends it to prover
Prover: Receives query \(q\), performs no computation
Output relation: \(R_{\mathsf{out}}((q, (\mathsf{a}, \mathsf{b})), ()) := (\mathsf{oracle}(\mathsf{a}, q) = \mathsf{oracle}(\mathsf{b}, q))\)

Theorem 106 RandomQuery Perfect Completeness

The RandomQuery oracle reduction satisfies perfect completeness: if two oracles are equal, they will agree on any random query.

The key security property of RandomQuery depends on the notion of oracle distance:

Definition 107 Oracle Distance

For oracles \(\mathsf{a}, \mathsf{b}\) of the same type, we define their distance as:

\[ \mathsf{distance}(\mathsf{a}, \mathsf{b}) := |\{ q : \mathsf{Query} \mid \mathsf{oracle}(\mathsf{a}, q) \neq \mathsf{oracle}(\mathsf{b}, q)\} | \]

We say an oracle type has distance bound \(d\) if for any two distinct oracles \(\mathsf{a} \neq \mathsf{b}\), we have \(\mathsf{distance}(\mathsf{a}, \mathsf{b}) \geq |\mathsf{Query}| - d\).

Theorem 108 RandomQuery Knowledge Soundness

If the oracle type has distance bound \(d\), then the RandomQuery oracle reduction satisfies round-by-round knowledge soundness with error probability \(\frac{d}{|\mathsf{Query}|}\).

Definition 109 RandomQueryWithResponse Variant

A variant of RandomQuery where the second oracle is replaced with an explicit response:

Input: Single oracle \(\mathsf{a}\) and target response \(r\)
Output relation: \(R_{\mathsf{out}}(((q, r), \mathsf{a}), ()) := (\mathsf{oracle}(\mathsf{a}, q) = r)\)

This variant is useful when one wants to verify a specific query-response pair rather than oracle equality.

We mention two special cases of RandomQuery that are useful for specific applications.

Polynomial Equality Testing

A common application of oracle reductions is testing equality between polynomial oracles. This is a specific instance of the RandomQuery reduction applied to polynomial evaluation oracles.

Definition 110 Polynomial Equality Testing

Consider two univariate polynomials \(P, Q \in \mathbb {F}[X]\) of degree at most \(d\), available as polynomial evaluation oracles. The polynomial equality testing reduction is defined as:

Input relation: \(P = Q\) as polynomials
Protocol specification: Single challenge of type \(\mathbb {F}\) from verifier to prover
Honest prover: Receives the random field element \(r\) but performs no computation
Honest verifier: Checks that \(P(r) = Q(r)\) by querying both polynomial oracles
Output relation: \(P(r) = Q(r)\) for the sampled point \(r\)

Theorem 111 Polynomial Equality Testing Completeness

The polynomial equality testing reduction satisfies perfect completeness: if \(P = Q\) as polynomials, then \(P(r) = Q(r)\) for any field element \(r\).

Theorem 112 Polynomial Equality Testing Soundness

The polynomial equality testing reduction satisfies round-by-round knowledge soundness with error probability \(\frac{d}{|\mathbb {F}|}\), where \(d\) is the maximum degree bound. This follows from the Schwartz-Zippel lemma: distinct polynomials of degree at most \(d\) can agree on at most \(d\) points.

The state function for this reduction corresponds precisely to the input and output relations, transitioning from checking polynomial equality to checking evaluation equality at the sampled point.

Batching Polynomial Evaluation Claims

Another important building block is the ability to batch multiple polynomial evaluation claims into a single check using random linear combinations.

TODO: express this as a lifted version of \(\mathsf{RandomQuery}\) over a virtual polynomial whose variables are the random linear combination coefficients.

Definition 113 Batching Polynomial Evaluation Claims

Consider an \(n\)-tuple of values \(v = (v_1, \ldots , v_n) \in \mathbb {F}^n\) and a polynomial map \(E : \mathbb {F}^k \to \mathbb {F}^n\). The batching reduction is defined as:

Protocol specification: Two messages:
1. Verifier sends random \(r \in \mathbb {F}^k\) to prover
2. Prover sends \(\langle E(r), v \rangle := \sum _{i=1}^n E(r)_i \cdot v_i\) to verifier
Honest prover: Computes the inner product \(\langle E(r), v \rangle \) and sends it
Honest verifier: Verifies that the received value equals the expected inner product
Extractor: Trivial since there is no witness to extract

Theorem 114 Batching Completeness

The batching polynomial evaluation reduction satisfies perfect completeness.

Remark 115 Batching Security

The security of this reduction depends on the degree and non-degeneracy properties of the polynomial map \(E\). The specific error bounds depend on the structure of \(E\) and require careful analysis of the polynomial’s properties.

3.1.4 Sending a Claim

The SendClaim reduction enables a prover to transmit a claim (oracle statement) to the verifier, who then verifies a relationship between the original and transmitted claims.

Definition 116 SendClaim Oracle Reduction

The SendClaim reduction is a one-round protocol for claim transmission:

Protocol specification: \(\mathsf{pSpec}:= [(\mathsf{P \! \! \rightarrow \! \! V}, \mathsf{OStmtIn})]\) (single oracle message)
Input: Statement and single oracle statement (via \(\mathsf{Unique}\) index type)
Prover: Sends the input oracle statement as protocol message
Verifier: Executes oracle computation \(\mathsf{relComp} : \mathsf{StmtIn}\to \mathsf{OracleComp}[\mathsf{OStmtIn}]_{\mathcal{O}} \mathsf{Unit}\)
Output oracle statements: Sum type \(\mathsf{OStmtIn}\oplus \mathsf{OStmtIn}\) containing both original and transmitted claims
Output relation: \(R_{\mathsf{out}}((), \mathsf{oracles}) := \mathsf{oracles}(\mathsf{inl}) = \mathsf{oracles}(\mathsf{inr})\)

Theorem 117 SendClaim Perfect Completeness

The SendClaim oracle reduction satisfies perfect completeness when the input relation matches the oracle computation requirement.

Remark 118 SendClaim Development Status

The SendClaim reduction is currently under active development in the Lean formalization. Several components including the verifier embedding and completeness proof require further implementation. The current version represents a specialized case that may be generalized in future iterations.

3.1.5 Claim Reduction

A fundamental building block for constructing complex proof systems is the ability to locally reduce one type of claim to another. The ReduceClaim reduction provides this functionality through mappings between statement and witness types.

Definition 119 ReduceClaim Reduction

The ReduceClaim reduction is a zero-round protocol that transforms claims via explicit mappings:

Protocol specification: \(\mathsf{pSpec}:= []\) (no messages exchanged)
Statement mapping: \(\mathsf{mapStmt} : \mathsf{StmtIn}\to \mathsf{StmtOut}\)
Witness mapping: \(\mathsf{mapWit} : \mathsf{WitIn}\to \mathsf{WitOut}\)
Prover: Applies both mappings to input statement and witness
Verifier: Applies statement mapping to input statement
Input relation: \(R_{\mathsf{in}} : \mathsf{StmtIn}\to \mathsf{WitIn}\to \mathsf{Prop}\)
Output relation: \(R_{\mathsf{out}} : \mathsf{StmtOut}\to \mathsf{WitOut}\to \mathsf{Prop}\)
Relation condition: \(R_{\mathsf{in}}(\mathsf{stmt}, \mathsf{wit}) \iff R_{\mathsf{out}}(\mathsf{mapStmt}(\mathsf{stmt}), \mathsf{mapWit}(\mathsf{wit}))\)

Theorem 120 ReduceClaim Perfect Completeness

The ReduceClaim reduction satisfies perfect completeness when the relation condition holds.

Definition 121 ReduceClaim Oracle Reduction

The oracle version additionally handles oracle statements through an embedding:

Oracle statement mapping: Embedding \(\mathsf{embedIdx} : \iota _{\mathsf{out}} \hookrightarrow \iota _{\mathsf{in}}\)
Type compatibility: \(\mathsf{OStmtIn}(\mathsf{embedIdx}(i)) = \mathsf{OStmtOut}(i)\) for all \(i\)
Oracle embedding: Maps output oracle indices to corresponding input oracle indices

Remark 122 ReduceClaim Oracle Completeness

The oracle version’s completeness proof is currently under development in the Lean formalization.

3.1.6 Claim Verification

Another essential building block is the ability to verify that a given predicate holds for a statement without requiring additional witness information.

Definition 123 CheckClaim Reduction

The CheckClaim reduction is a zero-round protocol that verifies predicates:

Protocol specification: \(\mathsf{pSpec}:= []\) (no messages exchanged)
Predicate: \(\mathsf{pred} : \mathsf{StmtIn}\to \mathsf{Prop}\) (decidable)
Prover: Simply stores and outputs the input statement with unit witness
Verifier: Checks \(\mathsf{pred}(\mathsf{stmt})\) and outputs statement if successful
Input relation: \(R_{\mathsf{in}}(\mathsf{stmt}, ()) := \mathsf{pred}(\mathsf{stmt})\)
Output relation: \(R_{\mathsf{out}}(\mathsf{stmt}, ()) := \mathsf{True}\) (trivial after verification)

Theorem 124 CheckClaim Perfect Completeness

The CheckClaim reduction satisfies perfect completeness.

Definition 125 CheckClaim Oracle Reduction

The oracle version handles predicates that require oracle access:

Oracle predicate: \(\mathsf{pred} : \mathsf{StmtIn}\to \mathsf{OracleComp}[\mathsf{OStmtIn}]_{\mathcal{O}} \mathsf{Prop}\)
Never-fails condition: \(\mathsf{pred}(\mathsf{stmt})\) never fails for any statement
Oracle computation: Verifier executes oracle computation to check predicate
Input relation: Defined via oracle simulation of the predicate

Theorem 126 CheckClaim Oracle Perfect Completeness

The CheckClaim oracle reduction satisfies perfect completeness.

Remark 127 CheckClaim Security Analysis

The round-by-round knowledge soundness proofs for both reduction and oracle versions are currently under development in the Lean formalization.

3.2 The Sum-Check Protocol

This section documents our formalization of the sum-check protocol. We first describe the sum-check protocol as it is typically described in the literature, and then present a modular description that maximally relies on our general oracle reduction framework.

3.2.1 Standard Description

Protocol Parameters

The sum-check protocol is parameterized by the following:

\(R\): the underlying ring (for soundness, required to be finite and an integral domain)
\(n \in \mathbb {N}\): the number of variables (and the number of rounds for the protocol)
\(d \in \mathbb {N}\): the individual degree bound for the polynomial
\(\mathcal{D}: \{ 0, 1, \ldots , m-1\} \hookrightarrow R\): the set of \(m\) evaluation points for each variable, represented as an injection. The image of \(\mathcal{D}\) as a finite subset of \(R\) is written as \(\text{Image}(\mathcal{D})\).
\(\mathcal{O}\): the set of underlying oracles (e.g., random oracles) that may be needed for other reductions. However, the sum-check protocol itself does not use any oracles.

Input and Output Statements

For the standard description of the sum-check protocol, we specify the complete input and output data:

Input Statement.

The claimed sum \(T \in R\).

Input Oracle Statement.

The polynomial \(P \in R[X_0, X_1, \ldots , X_{n-1}]_{\leq d}\) of \(n\) variables with bounded individual degrees \(d\).

Input Witness.

None (the unit type).

Input Relation.

The sum-check relation:

\[ \sum _{x \in (\text{Image}(\mathcal{D}))^n} P(x) = T \]

Output Statement.

The claimed evaluation \(e \in R\) and the challenge vector \((r_0, r_1, \ldots , r_{n-1}) \in R^n\).

Output Oracle Statement.

The same polynomial \(P \in R[X_0, X_1, \ldots , X_{n-1}]_{\leq d}\).

Output Witness.

None (the unit type).

Output Relation.

The evaluation relation:

\[ P(r_0, r_1, \ldots , r_{n-1}) = e \]

Protocol Description

The sum-check protocol proceeds in \(n\) rounds of interaction between the prover and verifier. The protocol reduces the claim that a multivariate polynomial \(P\) sums to a target value \(T\) over the domain \((\text{Image}(\mathcal{D}))^n\) to the claim that \(P\) evaluates to a specific value \(e\) at a random point \((r_0, r_1, \ldots , r_{n-1})\).

In each round, the prover sends a univariate polynomial of bounded degree, and the verifier responds with a random challenge. The verifier performs consistency checks by querying the polynomial oracle at specific evaluation points. After \(n\) rounds, the protocol terminates with an output statement asserting that \(P(r_0, r_1, \ldots , r_{n-1}) = e\), where the challenges \((r_0, r_1, \ldots , r_{n-1})\) are the random values chosen by the verifier during the protocol execution.

The protocol is described as an oracle reduction, where the polynomial \(P\) is accessed only through evaluation queries rather than being explicitly represented.

Security Properties

We prove the following security properties for the sum-check protocol:

Theorem 128 Perfect Completeness

The sum-check protocol satisfies perfect completeness. That is, for any valid input statement and oracle statement satisfying the input relation, the protocol accepts with probability 1.

Theorem 129 Knowledge Soundness

The sum-check protocol satisfies knowledge soundness. The soundness error is bounded by \(n \cdot d / |R|\), where \(n\) is the number of rounds, \(d\) is the degree bound, and \(|R|\) is the size of the field.

Theorem 130 Round-by-Round Knowledge Soundness

The sum-check protocol satisfies round-by-round knowledge soundness with respect to an appropriate state function (to be specified). Each round maintains the security properties compositionally, allowing for modular security analysis.

Implementation Notes

Our formalization includes several important implementation considerations:

Oracle Reduction Level.

This description of the sum-check protocol stays at the oracle reduction level, describing the protocol before being compiled with concrete cryptographic primitives such as polynomial commitment schemes for \(P\). The oracle model allows us to focus on the logical structure and security properties of the protocol without being concerned with the specifics of how polynomial evaluations are implemented or verified.

Abstract Protocol Description.

The protocol description above does not consider implementation details and optimizations that would be necessary in practice. For instance, we do not address computational efficiency, concrete polynomial representations, or specific algorithms for polynomial evaluation. This abstraction allows us to establish the fundamental security properties that any concrete implementation must preserve.

Degree Constraints.

To represent sum-check as a series of Interactive Oracle Reductions (IORs), we implicitly constrain the degree of the polynomials via using subtypes such as \(R[X]_{\leq d}\) and appropriate multivariate polynomial degree bounds. This is necessary because the oracle verifier only gets oracle access to evaluating the polynomials, but does not see the polynomials in the clear.

Polynomial Commitments.

When this protocol is compiled to an interactive proof (rather than an oracle reduction), the corresponding polynomial commitment schemes will enforce that the declared degree bounds hold, by letting the (non-oracle) verifier perform explicit degree checks.

Formalization Alignment.

TODO: Align the sum-check protocol formalization in Lean to use \(n\) variables and \(n\) rounds (as in this standard description) rather than \(n+1\) variables and \(n+1\) rounds. This should be achievable by refactoring the current implementation to better match the standard presentation.

Future Extensions

Several generalizations are considered for future work:

Variable Degree Bounds: Generalize to \(d : \{ 0, 1, \ldots , n+1\} \to \mathbb {N}\) and \(\mathcal{D} : \{ 0, 1, \ldots , n+1\} \to (\{ 0, 1, \ldots , m-1\} \hookrightarrow R)\), allowing different degree bounds and summation domains for each variable.
Restricted Challenge Domains: Generalize the challenges to come from suitable subsets of \(R\) (e.g., subtractive sets), rather than the entire domain. This modification is used in lattice-based protocols.
Module-based Sum-check: Extend to sum-check over modules instead of just rings. This would require extending multivariate polynomial evaluation to modules, defining something like \(\text{evalModule} : (R^n \to M) \to R[X_0, \ldots , X_{n-1}] \to M\) where \(M\) is an \(R\)-module.

The sum-check protocol, as described in the original paper and many expositions thereafter, is a protocol to reduce the claim that

\[ \sum _{x \in \{ 0, 1\} ^n} P(x) = c, \]

where \(P\) is an \(n\)-variate polynomial of certain individual degree bounds, and \(c\) is some field element, to the claim that

\[ P(r) = v, \]

for some claimed value \(v\) (derived from the protocol transcript), where \(r\) is a vector of random challenges from the verifier sent during the protocol.

In our language, the initial context of the sum-check protocol is the pair \((P, c)\), where \(P\) is an oracle input and \(c\) is public. The protocol proceeds in \(n\) rounds of interaction, where in each round \(i\) the prover sends a univariate polynomial \(s_i\) of bounded degree and the verifier sends a challenge \(r_i \gets \mathbb {F}\). The honest prover would compute

\[ s_i(X) = \sum _{x \in \{ 0, 1\} ^{n - i - 1}} P(r_1, \ldots , r_{i - 1}, X, x), \]

and the honest verifier would check that \(s_i(0) + s_i(1) = s_{i - 1}(r_{i - 1})\), with the convention that \(s_0(r_0) = c\).

3.2.2 Modular Description

Round-by-Round Analysis

Our modular approach breaks down the sum-check protocol into individual rounds, each of which can be analyzed as a two-message Interactive Oracle Reduction. This decomposition allows us to prove security properties compositionally and provides a more granular understanding of the protocol’s structure.

Round-Specific Statements.

For the \(i\)-th round, where \(i \in \{ 0, 1, \ldots , n\} \), the statement contains:

\(\text{target} \in R\): the target value for sum-check at this round
\(\text{challenges} \in R^i\): the list of challenges sent from the verifier to the prover in previous rounds

The oracle statement remains the same polynomial \(P \in R[X_0, X_1, \ldots , X_{n-1}]_{\leq d}\).

Round-Specific Relations.

The sum-check relation for the \(i\)-th round checks that:

\[ \sum _{x \in (\text{Image}(\mathcal{D}))^{n-i}} P(\text{challenges}, x) = \text{target} \]

Note that when \(i = n\), this becomes the output statement of the sum-check protocol, checking that \(P(\text{challenges}) = \text{target}\).

Individual Round Protocol

For \(i = 0, 1, \ldots , n-1\), the \(i\)-th round of the sum-check protocol consists of the following:

Step 1: Prover’s Message.

The prover sends a univariate polynomial \(p_i \in R[X]_{\leq d}\) of degree at most \(d\). If the prover is honest, then:

\[ p_i(X) = \sum _{x \in (\text{Image}(\mathcal{D}))^{n-i}} P(\text{challenges}_0, \ldots , \text{challenges}_{i-1}, X, x) \]

Here, \(P(\text{challenges}_0, \ldots , \text{challenges}_{i-1}, X, x)\) is the polynomial \(P\) evaluated at the concatenation of:

the prior challenges \(\text{challenges}_0, \ldots , \text{challenges}_{i-1}\)
the \(i\)-th variable as the new indeterminate \(X\)
the remaining values \(x \in (\text{Image}(\mathcal{D}))^{n-i}\)

In the oracle protocol, this polynomial \(p_i\) is turned into an oracle for which the verifier can query evaluations at arbitrary points.

Step 2: Verifier’s Challenge.

The verifier sends the \(i\)-th challenge \(r_i\) sampled uniformly at random from \(R\).

Step 3: Verifier’s Check.

The (oracle) verifier performs queries for the evaluations of \(p_i\) at all points in \(\text{Image}(\mathcal{D})\), and checks that:

\[ \sum _{x \in \text{Image}(\mathcal{D})} p_i(x) = \text{target} \]

If the check fails, the verifier outputs \(\texttt{failure}\). Otherwise, it outputs a statement for the next round as follows:

\(\text{target}\) is updated to \(p_i(r_i)\)
\(\text{challenges}\) is updated to the concatenation of the previous challenges and \(r_i\)

Single Round Security Analysis

Definition 131 Single Round Protocol

The \(i\)-th round of sum-check consists of:

Input: A statement containing target value and prior challenges, along with an oracle for the multivariate polynomial
Prover’s message: A univariate polynomial \(p_i \in R[X]_{\leq d}\)
Verifier’s challenge: A random element \(r_i \gets R\)
Output: An updated statement with new target \(p_i(r_i)\) and extended challenges

Theorem 132 Single Round Completeness

Each individual round of the sum-check protocol is perfectly complete.

Theorem 133 Single Round Soundness

Each individual round of the sum-check protocol is sound with error probability at most \(d / |R|\), where \(d\) is the degree bound and \(|R|\) is the size of the field.

Theorem 134 Round-by-Round Knowledge Soundness

The sum-check protocol satisfies round-by-round knowledge soundness. Each individual round can be analyzed independently, and the soundness error in each round is bounded by \(d / |R|\).

Virtual Protocol Decomposition

We now proceed to break down this protocol into individual messages, and then specify the predicates that should hold before and after each message is exchanged.

First, it is clear that we can consider each round in isolation. In fact, each round can be seen as an instantiation of the following simpler "virtual" protocol:

Definition 135

In this protocol, the context is a pair \((p, d)\), where \(p\) is now a univariate polynomial of bounded degree. The predicate / relation is that \(p(0) + p(1) = d\).
The prover first sends a univariate polynomial \(s\) of the same bounded degree as \(p\). In the honest case, it would just send \(p\) itself.
The verifier samples and sends a random challenge \(r \gets R\).
The verifier checks that \(s(0) + s(1) = d\). The predicate on the resulting output context is that \(p(r) = s(r)\).

The reason why this simpler protocol is related to a sum-check round is that we can emulate the simpler protocol using variables in the context at the time:

The univariate polynomial \(p\) is instantiated as \(\sum _{x \in (\text{Image}(\mathcal{D}))^{n - i - 1}} P(r_0, \ldots , r_{i - 1}, X, x)\).
The scalar \(d\) is instantiated as \(T\) if \(i = 0\), and as \(s_{i - 1}(r_{i - 1})\) otherwise.

It is "clear" that the simpler protocol is perfectly complete. It is sound (and since there is no witness, also knowledge sound) since by the Schwartz-Zippel Lemma, the probability that \(p \ne s\) and yet \(p(r) = s(r)\) for a random challenge \(r\) is at most the degree of \(p\) over the size of the field.

Theorem 136

The virtual sum-check round protocol is sound.

Note that there is no witness, so knowledge soundness follows trivially from soundness.

Theorem 137

The virtual sum-check round protocol is knowledge sound.

Moreover, we can define the following state function for the simpler protocol

Definition 138 State Function

The state function for the virtual sum-check round protocol is given by:

The initial state function is the same as the predicate on the initial context, namely that \(p(0) + p(1) = d\).
The state function after the prover sends \(s\) is the predicate that \(p(0) + p(1) = d\) and \(s(0) + s(1) = d\). Essentially, we add in the verifier’s check.
The state function for the output context (after the verifier sends \(r\)) is the predicate that \(s(0) + s(1) = d\) and \(p(r) = s(r)\).

Seen in this light, it should be clear that the simpler protocol satisfies round-by-round soundness.

Theorem 139

The virtual sum-check round protocol is round-by-round sound.

In fact, we can break down this simpler protocol even more: consider the two sub-protocols that each consists of a single message. Then the intermediate state function is the same as the predicate on the intermediate context, and is given in a "strongest post-condition" style where it incorporates the verifier’s check along with the initial predicate. We can also view the final state function as a form of "canonical" post-condition, that is implied by the previous predicate except with small probability.

3.3 The Spartan Protocol

3.3.1 Preliminaries

The Spartan protocol is designed to prove the satisfiability of Rank-1 Constraint System (R1CS). An R1CS instance is defined by a set of matrices \((A, B, C)\) over a field \(\mathbb {F}\) (more generally the definition makes sense over any semiring \(\mathsf{R}\)), and it is satisfied by a public input \(x\) and a private witness \(w\) if the combined vector \(z = (x, w)\) satisfies the relation:

\[ (A \cdot z) \circ (B \cdot z) = (C \cdot z) \]

where \(\circ \) denotes the Hadamard (entry-wise) product. Our formalization follows the definition in ArkLib/ProofSystem/ConstraintSystem/R1CS.lean.

3.3.2 Description in Paper

Figure 3.1 is the description of the Spartan protocol from the original paper [ 10 ] . Note that in this section, we only formalize the Polynomial IOP (PIOP) aspect of Spartan. In the PIOP model, the prover does not commit to polynomials using a Polynomial Commitment Scheme (PCS). Instead, the verifier is given oracle access to the polynomials. Therefore, steps involving ‘PCS.Setup‘, ‘PCS.Commit‘, and ‘PCS.Eval‘ are replaced by simple oracle interactions.

figures/spartan-description.png

Figure 3.1 The Spartan protocol description, from the original paper.

After stripping away the polynomial commitment scheme, the protocol has the following structure:

Setup:

This step is part of the polynomial commitment scheme and is not part of the PIOP we formalize.

Interaction:

The interaction is between a prover \(\mathcal{P}\) with witness \(w\) and a verifier \(\mathcal{V}\) with public inputs \((\mathbb {F}, A, B, C, \text{io}, m, n)\).

\(\mathcal{P}\): Sends oracle access to the multilinear extension of the witness, \(\tilde{w}\), to \(\mathcal{V}\). In the original paper, this is a commitment \((C,S) \leftarrow \text{PC.Commit}(\text{pp}, \tilde{w})\).
\(\mathcal{V}\): Samples a random challenge \(\tau \in \mathbb {F}^{\log m}\) and sends it to \(\mathcal{P}\).
Let \(T_1 = 0\), \(\mu _1 = \log m\), \(\ell _1 = 3\). These are parameters for the first sum-check protocol.
\(\mathcal{V}\): Samples a random challenge \(r_x \in \mathbb {F}^{\mu _1}\).
Sum-check#1. A sum-check protocol is executed. The verifier receives the claimed evaluation \(e_x\). The prover of the sum-check has oracle access to a polynomial \(G_{io, \tau }\), and the verifier has oracle access to \(r_x\). The parameters for this sub-protocol are \((\mu _1, \ell _1, T_1)\).
\(\mathcal{P}\): Computes evaluations \(v_A = \tilde{A}(r_x)\), \(v_B = \tilde{B}(r_x)\), \(v_C = \tilde{C}(r_x)\) and sends them to \(\mathcal{V}\). \(\tilde{A}, \tilde{B}, \tilde{C}\) are multilinear extensions of the matrices \(A, B, C\).
\(\mathcal{V}\): Aborts if \(e_x \neq (v_A \cdot v_B - v_C) \cdot \tilde{\text{eq}}(r_x, \tau )\). This is the verifier’s check for the first sum-check.
\(\mathcal{V}\): Samples random challenges \(r_A, r_B, r_C \in \mathbb {F}\) and sends them to \(\mathcal{P}\).
Let \(T_2 = r_A \cdot v_A + r_B \cdot v_B + r_C \cdot v_C\), \(\mu _2 = \log n\), \(\ell _2 = 2\). These are parameters for the second sum-check protocol. Note: The image states \(\mu _2 = \log m\), which is likely a typo and should be \(\log n\).
\(\mathcal{V}\): Samples a random challenge \(r_y \in \mathbb {F}^{\mu _2}\).
Sum-check#2. Another sum-check protocol is executed. The verifier receives the claimed evaluation \(e_y\).
\(\mathcal{P}\): Computes \(v \leftarrow \tilde{w}(r_y[1..])\) and sends \(v\) to \(\mathcal{V}\).
This step involves a polynomial commitment evaluation proof. In our PIOP formalization, this check is not needed as the verifier has direct oracle access to \(\tilde{w}\).
\(\mathcal{V}\): This step is part of the evaluation proof check, so it is omitted.
\(\mathcal{V}\): Computes \(v_Z \leftarrow (1 - r_y[0]) \cdot \tilde{w}(r_y[1..]) + r_y[0] \cdot \widetilde{(\text{io}, 1)}(r_y[1..])\). This reconstructs the evaluation of the combined input-witness vector polynomial \(\tilde{z}\).
\(\mathcal{V}\): Queries oracles for \(\tilde{A}, \tilde{B}, \tilde{C}\) at \((r_x, r_y)\) to get \(v_1, v_2, v_3\).
\(\mathcal{V}\): Aborts if \(e_y \neq (r_A \cdot v_1 + r_B \cdot v_2 + r_C \cdot v_3) \cdot v_Z\). This is the final check.
\(\mathcal{V}\): Outputs 1.

3.3.3 Formalization using IOR Composition

3.4 Stir

3.4.1 Tools for Reed Solomon codes

Random linear combination as a proximity generator

Theorem 140

Let \(\mathcal{C}:= \mathrm{RS}[\mathbb {F},\mathcal{L},d]\) be a Reed Solomon code with rate \(\rho :=\frac{d}{|\mathcal{L}|}\) and let \(B^*(\rho ):=\sqrt{\rho }\). For every \(\delta \in (0,1 - B^*(\rho ))\) and functions \(f_0,\ldots ,f_{m-1} : \mathcal{L}\to \mathbb {F}\), if

\[ \Pr _{r\leftarrow \mathbb {F}}\! \Bigl[ \Delta \Bigl(\sum _{j=0}^{m-1} r^j\cdot {f_j},\mathrm{RS}[\mathbb {F},\mathcal{L},d]\Bigr) \le \delta \Bigr]{\gt}\mathsf{err}^*(d,\rho ,\delta ,m), \]

then there exists a subset \(S \subseteq \mathcal{L}\) with \(|S| \ge (1 - \delta )\cdot |L|\), and for every \(i \in [m]\), there exists \(u \in \mathrm{RS}[\mathbb {F},\mathcal{L},d]\) such that \(f_i(S) = u(S)\).

Above, \(\mathsf{err}^*(d,\rho ,\delta ,m)\) is defined as follows:

if \(\delta \in \left(0,\frac{1-\rho }{2}\right]\) then

\[ \mathsf{err}^*(d,\rho ,\delta ,m)=\frac{(m-1)\cdot d}{\rho \cdot |\mathbb {F}|} \]
if \(\delta \in \Bigl(\frac{1-\rho }{2}, 1-\sqrt{\rho }\Bigr)\) then

\[ \mathsf{err}^*(d,\rho ,\delta ,m)=\frac{(m-1)\cdot {d}^2}{|\mathbb {F}|\cdot {\Bigl(2\cdot \min \{ 1-\sqrt{\rho }-\delta ,\frac{\sqrt{\rho }}{20}\} \Bigr)}^7} \]

Univariate Function Quotienting

In the following, we start by defining the quotient of a univariate function.

Definition 141

Let \(f:\mathcal{L}\to \mathbb {F}\) be a function, \(S\subseteq \mathbb {F}\) be a set, and \(\mathsf{Ans},\mathsf{Fill}: S\rightarrow \mathbb {F}\) be functions. Let \(\hat{\mathsf{Ans}}\in \mathbb {F}^{{\lt}|S|}[X]\) be the (unique) polynomial with \(\hat{\mathsf{Ans}}(x)=\mathsf{Ans}(x)\) for every \(x\in S\), and let \(\hat{V}_S\in \mathbb {F}^{{\lt}|S|+1}[X]\) be the unique non-zero polynomial with \(\hat{V}_S(x)=0\) for every \(x\in S\). The quotient function \(\mathsf{Quotient}\bigl(f,S,\mathsf{Ans},\mathsf{Fill}\bigr): \mathcal{L}\to \mathbb {F}\) is defined as follows:

\[ \forall x \in \mathcal{L}, \quad \mathsf{Quotient}\bigl(f, S, \mathsf{Ans}, \mathsf{Fill} \bigr)(x) := \left\{ \begin{array}{ll} \mathsf{Fill}(x) & \text{if } x \in S \\[6pt] \dfrac {f(x) - \hat{\mathsf{Ans}}(x)}{\hat{V}_S(x)} & \text{otherwise} \end{array} \right. \]

Next we define the polynomial quotient operator, which quotients a polynomial relative to its output on evaluation points. The polynomial quotient is a polynomial of lower degree.

Definition 142

Let \(\hat{f}\in \mathbb {F}^{{\lt}d}[X]\) be a polynomial and \(S\subseteq \mathbb {F}\) be a set, let \(\hat{V}_S\in \mathbb {F}^{{\lt}|S|+1}[X]\) be the unique non-zero polynomial with \(\hat{V}_S(x)=0\) for every \(x\in S\). The polynomial quotient \(\mathsf{PolyQuotient}(\hat{f},S)\in \mathbb {F}^{{\lt}d-|S|}[X]\) is defined as follows:

\[ \mathsf{PolyQuotient}(\hat{f},S)(X):=\frac{\hat{f}(X)-\hat{\mathsf{Ans}}(X)}{\hat{V}_S(X)} \]

where \(\hat{Ans}\in \mathbb {F}^{{\lt}|S|}[X]\) is the unique non-zero polynomial with \(\hat{Ans}(x)=\hat{f}(x)\) for every \(x \in S\).

The following lemma, implicit in prior works, shows that if the function is “quotiented by the wrong value”, then its quotient is far from low-degree.

Lemma 143

Let \(f:\mathcal{L}\rightarrow \mathbb {F}\) be a function, \(d\in \mathbb {N}\) be the degree parameter, \(\delta \in (0,1)\) be a distance parameter, \(S\subseteq \mathbb {F}\) be a set with \(|S|{\lt}d\), and \(\mathsf{Ans},\mathsf{Fill}:S\rightarrow \mathbb {F}\) are functions. Suppose that for every \(u\in \mathsf{List}(f,d,\delta )\) there exists \(x\in S\) with \(\hat{u}(x)\neq \mathsf{Ans}(x)\). Then

\[ \Delta (\mathsf{Quotient}(f,S,\mathsf{Ans},\mathsf{Fill}),\mathrm{RS}[\mathbb {F},\mathcal{L},d-|S|])+\frac{|T|}{|\mathcal{L}|}{\gt}\delta , \]

where \(T:=\{ x\in \mathcal{L}\cap S: \hat{\mathsf{Ans}}(x)\neq f(x)\} \).

Out of domain sampling

Lemma 144

Let \(f:\mathcal{L}\rightarrow \mathbb {F}\) be a function, \(d\in \mathbb {N}\) be a degree parameter, \(s\in \mathbb {N}\) be a repetition parameter, and \(\delta \in [0,1]\) be a distance parameter. If \(\mathrm{RS}[\mathbb {F},\mathcal{L},d]\) be \((d,l)\)-list decodable then

\[ \begin{array}{rcl} \Pr _{\substack {r_0, \ldots , r_{s-1} \gets \mathbb {F}\setminus \mathcal{L}}} \left[ \begin{array}{c} \exists \text{ distinct } u, u’ \in \mathsf{List}(f, d, \delta ): \\ \forall i \in [s],\ \hat{u}(r_i) = \hat{u}’(r_i) \end{array} \right] & \leq & \binom {l}{2} \cdot \left( \frac{d- 1}{|\mathbb {F}| - |\mathcal{L}|} \right)^s \\ & \leq & \left( \frac{l^2}{2} \right) \cdot \left( \frac{d}{|\mathbb {F}| - |\mathcal{L}|} \right)^s \end{array} \]

Folding univariate functions

STIR relies on \(k\)-wise folding of functions and polynomials - this is similar to prior works, although presented in a slightly different form. As shown below, folding a function preserves proximity from the Reed-Solomon code with high probability. The folding operator is based on the following fact, decomposing univariate polynomials into bivariate ones.

Lemma 145

Given a polynomial \(\hat{q}\in \mathbb {F}[X]\):

For every univariate polynomial \(\hat{f}\in \mathbb {F}[X]\), there exists a unique bivariate polynomial \(\hat{Q}\in \mathbb {F}[X,Y]\) with:

\[ \mathsf{deg}_X(\hat{Q}) := \left\lfloor \frac{\mathsf{deg}(\hat{f})}{\mathsf{deg}(\hat{q})} \right\rfloor ,\quad \mathsf{deg}_Y(\hat{Q}) {\lt} \mathsf{deg}(\hat{q}) \]

such that \(\hat{f}(Z)=\hat{Q}(\hat{q}(Z),Z)\). Moreover, \(\hat{Q}\) can be computed efficiently given \(\hat{f}\) and \(\hat{q}\). Observe that if \(\mathsf{deg}(\hat{f}){\lt}t\cdot \mathsf{deg}(\hat{q})\) then \(\mathsf{deg}(\hat{Q}){\lt}t\).
For every \(\hat{Q}[X,Y]\) with \(\mathsf{deg}_X(\hat{Q}){\lt}t\) and \(\mathsf{deg}_Y(\hat{Q}){\lt}\mathsf{deg}(\hat{q})\), the polynomial \(\hat{f}(Z)=\hat{Q}(\hat{q}(Z),Z)\) has degree \(\mathsf{deg}(\hat{f}){\lt}t\cdot \mathsf{deg}(\hat{q})\).

Below, we define folding of a polynomial followed by folding of a function.

Definition 146

Given a polynomial \(\hat{f}\in \mathbb {F}^{{\lt}d}[X]\), a folding parameter \(k\in \mathbb {N}\) and \(r\in \mathbb {F}\), we define a polynomial \(\mathsf{PolyFold}(\hat{f},k,r)\in \mathbb {F}^{d/k}[X]\) as follows. Let \(\hat{Q}[X,Y]\) be the bivariate polynomial derived from \(\hat{f}\) using Fact 145 with \(\hat{q}(X):=X^k\). Then \(\mathsf{PolyFold}(\hat{f},k,r)(X):=\hat{Q}(X,r)\).

Definition 147

Let \(f:\mathcal{L}\rightarrow \mathbb {F}\) be a function, \(k\in \mathbb {N}\) a folding parameter and \(\alpha \in \mathbb {F}\). For every \(x\in {\mathcal{L}}^k\), let \(\hat{p}_x\in \mathbb {F}^{{\lt}k}[X]\) be the polynomial where \(\hat{p}_x(y)=f(y)\) for every \(y\in {\mathcal{L}}\) such that \(y^k=x\). We define \(\mathsf{Fold}(f,k,\alpha ):\mathcal{L}\rightarrow \mathbb {F}\) as follows.

\[ \mathsf{Fold}(f,k,\alpha ):=\hat{p}_x(\alpha ). \]

In order to compute \(\mathsf{Fold}(f,k,\alpha )(x)\) it suffices to interpolate the \(k\) values \(\{ f(y):y\in \mathcal{L}\text{ s.t. }y^k=x\} \) into the polynomial \(\hat{p}_x\) and evaluate this polynomial at \(\alpha \).

The following lemma shows that the distance of a function is preserved under folding. If a functions \(f\) has distance \(\delta \) to a Reed-Solomon code then, with high probability over the choice of folding randomness, its folding also has a distance of \(\delta \) to the “\(k\)-wise folded” Reed-Solomon code.

Lemma 148

For every function \(f:\mathcal{L}\rightarrow \mathbb {F}\), degree parameter \(d\in \mathbb {N}\), folding parameter \(k\in \mathbb {N}\), distance parameter \(\delta \in (0,\min \{ {\Delta (\mathsf{Fold}[f,k,r^{\mathsf{fold}}],\mathrm{RS}[\mathbb {F},{\mathcal{L}}^k, d/k]),1-{\mathsf{B}}^*(\rho )}\} )\), letting \(\rho :=\frac{d}{|\mathcal{L}|}\),

\[ \Pr _{r^{\mathsf{fold}}\gets \mathbb {F}}[\Delta (\mathsf{Fold}[f,k,r^{\mathsf{fold}}],\mathrm{RS}[\mathbb {F},{\mathcal{L}}^k, d/k]){\lt}\delta ]{\gt}\mathsf{err}^*(d/k,\rho ,\delta ,k). \]

Above, \({\mathsf{B}}^*\) and \({\mathsf{err}}^*\) are the proximity bound and error (respectively) described in Section ??.

Combine functions of varying degrees

We show a new method for combining functions of varying degrees with minimal proximity require- ments using geometric sums. We begin by recalling a fact about geometric sums.

Lemma 149

Let \(\mathbb {F}\) be a field, \(r\in \mathbb {F}\) be a field element, \(a\in \mathbb {N}\) be a natural number. Then

\[ \sum _{i=0}^{a} r^i := \left\{ \begin{array}{ll} \displaystyle \left(\frac{1 - r^{a+1}}{1 - r}\right) & \text{if } r \neq 1 \\[6pt] a + 1 & \text{if } r = 1 \end{array} \right. \]

Definition 150

Given target degree \(d^*\in \mathbb {N}\), shifting parameter \(r\in \mathbb {F}\), functions \(f_0,\ldots ,f_{m-1}:\mathcal{L}\rightarrow \mathbb {F}\), and degrees \(0\leq d_0,\ldots ,d_{m-1}\leq {d}^*\), we define \(\mathsf{Combine}(d^*,r,(f_0,d_0),\ldots ,(f_{m-1},d_{m-1})):\mathcal{L}\rightarrow \mathbb {F}\) as follows:

\[ \begin{array}{rcl} \mathsf{Combine}(d^*, r, (f_0, d_0), \ldots , (f_{m-1}, d_{m-1}))(x) & := & \displaystyle \sum _{i=0}^{m-1} r_i \cdot f_i(x) \cdot \left( \sum _{l=0}^{d^* - d_i} (r \cdot x)^l \right) \\[10pt]& = & \left\{ \begin{array}{ll} \displaystyle \sum _{i=0}^{m-1} r_i \cdot f_i(x) \cdot \left( \dfrac {1 - (x r)^{d^* - d_i + 1}}{1 - x r} \right) & \text{if } x \cdot r \neq 1 \\[8pt] \displaystyle \sum _{i=0}^{m-1} r_i \cdot f_i(x) \cdot (d^* - d_i + 1) & \text{if } x \cdot r = 1 \end{array} \right. \end{array} \]

Above, \(r_i:=r^{i-1+\sum _{j{\lt}i}(d^*-d_j)}\).

Definition 151

Given target degree \(d^*\in \mathbb {N}\), shifting parameter \(r\in \mathbb {F}\), function \(f:\mathcal{L}\rightarrow \mathbb {F}\), and degree \(0\leq d\leq d^*\), we define \(\mathsf{DegCor}(d^*,r,f,d)\) as follows.

\[ \begin{array}{rcl} \mathsf{DegCor}(d^*, r, f, d)(x) & := & \displaystyle f(x) \cdot \left( \sum _{l=0}^{d^* - d} (r \cdot x)^l \right) \\[10pt]& = & \left\{ \begin{array}{ll} \displaystyle f(x) \cdot \left( \dfrac {1 - (x r)^{d^* - d_i + 1}}{1 - x r} \right) & \text{if } x \cdot r \neq 1 \\[8pt] \displaystyle f(x) \cdot (d^* - d_i + 1) & \text{if } x \cdot r = 1 \end{array} \right. \end{array} \]

(Observe that \(\mathsf{DegCor}(d^*,r,f,d)=\mathsf{Combine}(d^*,r,(f,d))\).)

Below it is shown that combining multiple polynomials of varying degrees can be done as long as the proximity error is bounded by \((\min {\{ 1-{\mathsf{B}}^*(\rho ),1-\rho -1/|\mathcal{L}|\} })\).

Lemma 152

Let \(d^*\) be a target degree, \(f_0,\ldots ,f_{m-1}:\mathcal{L}\rightarrow \mathbb {F}\) be functions, \(0\leq d_0,\ldots ,d_{m-1}\leq d^*\) be degrees, \(\delta \in \min {\{ 1-{\mathsf{B}}^*(\rho ),1-\rho -1/|\mathcal{L}|\} }\) be a distance parameter, where \(\rho =d^*/|\mathcal{L}|\). If

\[ \Pr _{r\gets \mathbb {F}}[\Delta (\mathsf{Combine}(d^*,r,(f_0,d_0),\ldots ,(f_{m-1},d_{m-1})),\mathrm{RS}[\mathbb {F},\mathcal{L},d^*])]{\gt}\mathsf{err}^*(d^*,\rho ,\delta ,m\cdot (d^*+1)-\sum _{i=0}^{m-1}d_i), \]

then there exists \(S\subseteq \mathcal{L}\) with \(|S|\geq (1-\delta )\cdot |\mathcal{L}|\), and

\[ \forall i\in [m-1],\exists u\in \mathrm{RS}[\mathbb {F},\mathcal{L},d_i], f_i(S)=u(S). \]

Note that this implies \(\Delta (f_i,\mathrm{RS}[\mathbb {F},\mathcal{L},d_i]){\lt}\delta \) for every \(i\). Above, \({\mathsf{B}}^*\) and \({\mathsf{err}}^*\) are the proximity bound and error (respectively) described in the proximity gap theorem.

3.4.2 Stir Main theorems

Theorem 153 STIR Main Theorem

Consider the following ingrediants:

A security parameter \(\lambda \in \mathbb {N}\).
A Reed-Solomon code \(\mathrm{RS}[\mathbb {F},\mathcal{L},d]\) with \(\rho :=\frac{d}{|\mathcal{L}|}\) where \(d\) is a power of \(2\), and \(\mathcal{L}\) is a smooth domain.
A proximity parameter \(\delta \in (0,1-1.05\cdot \sqrt{\rho })\).
A folding parameter \(k\in \mathbb {N}\) that is power of \(2\) with \(k\geq 4\).

If \(|\mathbb {F}|=\Omega (\frac{\lambda \cdot 2^\lambda \cdot d^2\cdot {|\mathcal{L}|}^2}{\log (1/\rho )})\), there is a public-coin IOPP for \(\mathrm{RS}[\mathbb {F},\mathcal{L},d]\) with the following parameters:

Round-by-round soundness error \(2^{-\lambda }\).
Round complexity: \(M:=O(\log _k{d})\).
Proof length: \(|\mathcal{L}|+O_k(\log {d})\).
Query complexity to the input: \(\frac{\lambda }{-\log {(1-\delta )}}\).
Query complexity to the proof strings: \(O_k(\log {d}+\lambda \cdot \log {\Big(\frac{\log {d}}{\log {1/\rho }}\Big)})\).

Lemma 154

Consider \((\mathbb {F},M,d,k_0,\ldots ,k_M,\mathcal{L}_0,\ldots ,\mathcal{L}_M,t_0,\ldots ,t_M)\) and for every \(i\in \{ 0,\ldots ,M\} \), let \(d_i:=\frac{d}{\prod _{j{\lt}i}k^j}\) and \(\rho _i:=d_i/|\mathcal{L}_i|\). For every \(f\notin \mathrm{RS}[\mathbb {F},\mathcal{L}_0,d_0]\) and every \(\delta _0,\ldots ,\delta _M\) where

\(\delta _0\in (0,\Delta (f,\mathrm{RS}[\mathbb {F},\mathcal{L}_0,d_0])]\cap (0,1-{\mathsf{B}}^*(\rho _0))\)
for every \(0{\lt}i\leq M\): \(\delta _i\in (0,\min {\{ 1-\rho _i-\frac{1}{|\mathcal{L}_i|},1-{\mathsf{B}^*(\rho _i)}\} })\), and
for every \(0{\lt}i\leq M\): \(\mathrm{RS}[\mathbb {F},\mathcal{L}_i,d_i]\) is \((\delta _i,l_i)\)-list decodable,

There exists an IOPP with above parameters, that has round-by-round soundness error \((\epsilon ^{\mathsf{fold}},\epsilon ^{\mathsf{out}}_1,\epsilon ^{\mathsf{shift}}_1,\ldots ,\epsilon ^{\mathsf{out}}_M,\epsilon ^{\mathsf{shift}}_M,\epsilon ^{\mathsf{fin}})\) where:

\(\epsilon ^{\mathsf{fold}}\leq \mathsf{err}^*(d_0/k_0,\rho _0,\delta _0,k_0)\).
\(\epsilon ^{\mathsf{out}}_i\leq \frac{l^2_i}{2}\cdot {\big(\frac{d_i}{|\mathbb {F}|-|\mathcal{L}_i|}\big)}^s\)
\(\epsilon ^{\mathsf{shift}}_i\leq {(1-\delta _{i-1})}^{t_{i-1}}+\mathsf{err}^*(d_i,\rho _i,\delta _i,t_{i-1}+s)+\mathsf{err}^*(d_i/k_i,\rho _i,\delta _i,k_i)\).
\(\epsilon ^{\mathsf{fin}}\leq {(1-\delta _M)}^{t_M}\).

Above, \({\mathsf{B}}^*\) and \({\mathsf{err}}^*\) are the proximity bound and error (respectively) described in Section ??.

3.5 Whir

3.5.1 Tools for Reed Solomon codes

Mutual Correlated Agreement as a Proximity Generator

Definition 155

Let \(\mathcal{C}\subseteq \mathbb {F}^{\mathcal{L}}\) be a linear code. We say that \(\mathsf{Gen}\) is a proximity generator for \(\mathcal{C}\) with proximity bounds \({\mathsf{B}}\) and \(\mathsf{err}\) if the following implication holds for \(f_0,\ldots ,f_{\mathsf{par}\ell -1} : \mathcal{L}\rightarrow \mathbb {F}\) and \(\delta \in (0,1-{\mathsf{B}}(\rho ,\mathsf{par}\ell ))\). If

_r_0,…,r_parℓ-1←Gen[Δ(∑_i[0,(parℓ-1)] r_i ·f_i, C) ≤δ] > err(C,parℓ,δ),

then there exists \(S\subseteq \mathcal{L}\), \(|S|{\gt}(1-\delta )\cdot |\mathcal{L}|\), and \(\forall i \in [0, (\mathsf{par}\ell -1)]\), \(\exists u \in \mathcal{C}, \forall x \in S\), \(f_i(x)=u(x)\).

Theorem 156

Let \(\mathcal{C}= \mathrm{RS}[\mathbb {F},\mathcal{L},m]\) be a Reed Solomon code with rate \(\rho = 2^m/|\mathcal{L}|\). \(\mathsf{Gen}(\alpha ,\mathsf{par}\ell )=\{ 1,\alpha ,\ldots ,\alpha ^{\mathsf{par}\ell -1}\} \) is a proximity generator for \(\mathcal{C}\) with proximity bounds \({\mathsf{B}}(\rho ,\mathsf{par}\ell )=\sqrt{\rho }\) and \(\mathsf{err}(C,\mathsf{par}\ell ,\delta )\) defined below.

if \(\delta \in \left(0,\frac{1-\rho }{2}\right]\) then

\[ \mathsf{err}(\mathcal{C},\mathsf{par}\ell ,\delta )=\frac{(m-1)\cdot d}{\rho \cdot |\mathbb {F}|} \]
if \(\delta \in \Bigl(\frac{1-\rho }{2}, 1-\sqrt{\rho }\Bigr)\) then

\[ \mathsf{err}(\mathcal{C},\mathsf{par}\ell ,\delta )=\frac{(m-1)\cdot {d}^2}{|\mathbb {F}|\cdot {\Bigl(2\cdot \min \{ 1-\sqrt{\rho }-\delta ,\frac{\sqrt{\rho }}{20}\} \Bigr)}^7} \]

Definition 157

Let \(\mathcal{C}\) be a linear code. We say that \(\mathsf{Gen}\) be a proximity generator with mutual correlated agreement with proximity bounds \({\mathsf{B}}^\star \) and \(\mathsf{err}^\star \), if for \(f_0,\ldots ,f_{\mathsf{par}\ell -1}:\mathcal{L}\rightarrow \mathbb {F}\) and \(\delta \in (0,1-{\mathsf{B}}^\star (\mathcal{C},\mathsf{par}\ell ))\) the following holds.

\[ \Pr _{(r_0, \ldots , r_{\mathsf{par}\ell -1}) \leftarrow \mathsf{Gen}(\mathsf{par}\ell )} \left[ \exists S \subseteq \mathcal{L}\; \; s.t.\; \; \begin{array}{l} |S| \geq (1 - \delta ) \cdot |\mathcal{L}| \\ \land \; \exists u \in \mathcal{C}, u(S) = \sum _{j \in [0,(\mathsf{par}\ell -1)]} r_j \cdot f_j(S) \\ \land \; \exists i \in [0,(\mathsf{par}\ell -1)], \forall u’ \in \mathcal{C}, u’(S) \neq f_i(S) \end{array}\right] \leq \mathsf{err}^\star (\mathcal{C}, \mathsf{par}\ell , \delta ). \]

Lemma 158

Let \(\mathcal{C}\) be a linear code with minimum distance \(\delta _{\mathcal{C}}\) and let \(\mathsf{Gen}\) be a proximity generator for \(\mathcal{C}\) with proximity bound \({\mathsf{B}}\) and error \(\mathsf{err}\). Then \(\mathsf{Gen}\) has mutual correlated agreement with proximity bound \({\mathsf{B}}^\star (\mathcal{C}, \mathsf{par}\ell ) = \min \{ 1 - \delta _{\mathcal{C}}/2, \mathsf{B}(\mathcal{C}, \mathsf{par}\ell )\} \) and error \(\mathsf{err}^\star (\mathcal{C}, \mathsf{par}\ell , \delta ) := \mathsf{err}(\mathcal{C}, \mathsf{par}\ell , \delta )\).

Lemma 159

Let \(\mathcal{C}:= \mathrm{RS}[\mathbb {F}, \mathcal{L}, m]\) be a Reed Solomon code with rate \(\rho \). The function \(\mathsf{Gen}(\mathsf{par}\ell ; \alpha ) = (1, \alpha , \ldots , \alpha ^{\mathsf{par}\ell - 1})\) is a proximity generator for \(\mathcal{C}\) with mutual correlated agreement with proximity bound \({\mathsf{B}}^\star (\mathcal{C}, \mathsf{par}\ell ) := \frac{1 + \rho }{2}\) and error \(\mathsf{err}^\star (\mathcal{C}, \mathsf{par}\ell , \delta ) = \frac{(\mathsf{par}\ell - 1) \cdot 2^m}{\rho \cdot |\mathbb {F}|}\).

Theorem 160

The function \(\mathsf{Gen}(\mathsf{par}\ell ; \alpha ) := (1, \alpha , \ldots , \alpha ^{\mathsf{par}\ell - 1})\) is a proximity generator with mutual correlated agreement for every smooth Reed Solomon code \(\mathcal{C}:= \mathrm{RS}[\mathbb {F}, \mathcal{L}, m]\) (with rate \(\rho := 2^m / |\mathcal{L}|\)). We give two conjectures, for the parameters of the proximity bound \({\mathsf{B}}^\star \) and the error \(\mathsf{err}^\star \):

Up to the Johnson bound: \({\mathsf{B}}^\star (\mathcal{C}, \mathsf{par}\ell ) := \sqrt{\rho },\) and

\[ \mathsf{err}(\mathcal{C}, \mathsf{par}\ell , \delta ) := \frac{(\mathsf{par}\ell - 1) \cdot 2^m}{|\mathbb {F}| \cdot \left( 2 \cdot \min \left\{ 1 - \sqrt{\rho } - \delta , \frac{\sqrt{\rho }}{20} \right\} \right)^7}. \]
Up to capacity: \({\mathsf{B}}^\star (\mathcal{C}, \mathsf{par}\ell ) := \rho \), and there exist constants \(c_1, c_2, c_3 \in \mathbb {N}\) such that for every \(\eta {\gt} 0\) and \(0 {\lt} \delta {\lt} 1 - \rho - \eta \):

\[ \mathsf{err}^\star (\mathcal{C}, \mathsf{par}\ell , \delta ) := \frac{(\mathsf{par}\ell - 1)^{c_2} \cdot \delta ^{c_2}}{\eta ^{c_1} \cdot \rho ^{c_1 + c_2} \cdot |\mathbb {F}|}. \]

Mutual correlated agreement preserves list decoding

Lemma 161

Let \(\mathcal{C}\subseteq \mathbb {F}^{\mathcal{L}}\) be a linear code with minimum distance \(\delta _{\mathcal{C}}\), and let \(\mathsf{Gen}\) be a proximity generator for \(\mathcal{C}\) with mutual correlated agreement with proximity bound \({\mathsf{B}}^\star \) and error \(\mathsf{err}^\star \). Then, for every \(f_0, \ldots , f_{\mathsf{par}\ell -1} : \mathcal{L}\to \mathbb {F}\) and \(\delta \in (0, \min \{ \delta _{\mathcal{C}}, 1 - {\mathsf{B}}^\star (\mathcal{C}, \mathsf{par}\ell )\} )\):

\[ \Pr _{\substack {\alpha \leftarrow \{ 0,1\} ^{w^\star } \\ \boldsymbol {r} := \mathsf{Gen}(\mathsf{par}\ell ; \alpha )}} \left[ \Lambda \left(\mathcal{C}, \sum _{j \in [0,(\mathsf{par}\ell -1)]} r_j \cdot f_j, \delta \right) \neq \left\{ \sum _{j \in [0,(\mathsf{par}\ell -1)]} r_j \cdot u_j : \boldsymbol {u} \in \Lambda \left(\mathcal{C}^\ell , (f_0, \ldots , f_{\mathsf{par}\ell -1}), \delta \right) \right\} \right] \leq \mathsf{err}^\star (\mathcal{C}, \mathsf{par}\ell , \delta ). \]

Folding univariate functions

Definition 162

Let \(\mathsf{extract}:\mathcal{L}^{2^{k+1}}\rightarrow \mathcal{L}^{2^k}\) be a function. There exists \(x \in \mathcal{L}\), such that \(y = x^{2^{k+1}}\in \mathcal{L}^{2^{k+1}}\). Then \(\mathsf{extract}\) returns \(z = \sqrt{y} = x^{2^k}\in \mathcal{L}^{2^k}\) such that \(y = z^2\).

Definition 163

Let \(f : \mathcal{L}^{2^k} \to \mathbb {F}\) be a function, and \(\alpha \in \mathbb {F}\). We define \(\mathrm{Fold_f}(f, {\alpha }) : \mathcal{L}^{(2^{k+1})} \to \mathbb {F}\) as follows:

\[ \forall x \in \mathcal{L}^{2^k}, y \in \mathcal{L}^{2^{k+1}}, \quad \mathrm{Fold_f}(f, \alpha )(y) := \frac{f(x) + f(-x)}{2} + \alpha \cdot \frac{f(x) - f(-x)}{2 \cdot x}. \]

In order to compute \(\mathrm{Fold_f}(f, \alpha )(y)\) it suffices to query \(f\) at \(x\) and \(-x\), by retrieving \(x=\mathsf{extract}(y)\).

Definition 164

For \(k \leq m\) and \(\vec{\alpha } = (\alpha _0, \ldots , \alpha _{k-1}) \in \mathbb {F}^k\) we define \(\mathrm{Fold}(f, \vec{\alpha }) : \mathcal{L}^{2^k} \to \mathbb {F}\) to equal \(\mathrm{Fold}(f, \vec{\alpha }) := f_k\) where \(f_k\) is defined recursively as follows: \(f_0 := f\), and \(f_i := \mathrm{Fold_f}(f_{i-1}, \alpha _i)\).

Definition 165

For a set \(S \subseteq \mathbb {F}^{\mathcal{L}}\) we denote \(\mathrm{Fold_{S}}(S, \vec{\alpha }) := \{ \mathrm{Fold_{S}}(f, \vec{\alpha }) \mid f \in S\} \).

Lemma 166

Let \(f : \mathcal{L}\to \mathbb {F}\) be a function, \(\vec{\alpha } \in \mathbb {F}^k\) folding randomness and let \(g := \mathrm{Fold}(f, \vec{\alpha })\). If \(f \in \mathrm{RS}[\mathbb {F}, \mathcal{L}, m]\) and \(k \leq m\), then \(g \in \mathrm{RS}[\mathbb {F}, \mathcal{L}^{2^k}, m - k]\), and further the multilinear extension of \(g\) is given by \(\hat{g}(X_k, \ldots , X_{m-1}) := \hat{f}(\vec{\alpha }, X_k, \ldots , X_{m-1})\) where \(\hat{f}\) is the multilinear extension of \(f\).

Block relative distance

Definition 167

Let \(\mathcal{L}\subseteq \mathbb {F}\) be a smooth evaluation domain and \(k \in \mathbb {N}\) be a folding parameter. For \(z \in \mathcal{L}^{2^k}\), define \(\mathrm{Block}(\mathcal{L}, i, k, z) := \{ x \in \mathcal{L}, y \in \mathcal{L}^{2^i} : y^{2^{k-i}} = z \} \).

Definition 168

Let \(\mathcal{C}:= \mathrm{RS}[\mathbb {F}, \mathcal{L}, m]\) be a smooth Reed Solomon code and let \(f, g : \mathcal{L}^{2^i} \to \mathbb {F}\). We define the \((i,k)\)-wise block relative distance as

\[ \Delta _{r}(\mathcal{C}, i, k, f, g) = \frac{ \left| \left\{ z \in \mathcal{L}^{2^k} : \exists y \in \mathrm{Block}(\mathcal{L}, i, k, z), f(y) \neq g(y) \right\} \right| }{ |\mathcal{L}^{2^k}| } \]

Definition 169

For \(S \subseteq \mathbb {F}^{\mathcal{L}}\), we let \(\Delta _{r}(\mathcal{C}, i, k, f, S) := \min _{g \in S} \Delta _{r}(\mathcal{C}, i, k, f, g)\).

Note that \(\Delta _{r}(\mathcal{C}, 0, 0, f, g) = \Delta (f, g)\) for any \(\mathcal{C}\). We define the block list decoding of a codeword.

Definition 170

For a smooth Reed Solomon code \(\mathrm{RS}:= \mathrm{RS}[\mathbb {F}, \mathcal{L}, m]\), proximity parameter \(\delta \in [0,1]\), and \(f : \mathcal{L}^{2^i} \to \mathbb {F}\), we let

\[ \Lambda _{r}(\mathcal{C}, i, k, f, \delta ) := \{ u \in \mathcal{C}\mid \Delta _{r}(\mathcal{C}, i, k, f, u) \leq \delta \} , \]

denote the list of codewords in \(\mathcal{C}\) within relative block distance at most \(\delta \) from \(f\).

Lemma 171

For any \(\mathcal{C}:= \mathrm{RS}[\mathbb {F}, \mathcal{L}, m]\), \(k \in \mathbb {N}\), and \(f, g : \mathcal{L}^{2^i} \to \mathbb {F}\), we have that \(\Delta (f, g) \leq \Delta _{r}(\mathcal{C}, i, k, f, g)\). Consequently, \(\Lambda _{r}(\mathcal{C}, i, k, f, \delta ) \subseteq \Lambda (\mathcal{C}, f, \delta )\) for \(\delta \in [0,1]\).

Folding preserves list decoding

Theorem 172

Let \(\mathcal{C}= \mathrm{RS}[\mathbb {F}, \mathcal{L}, m]\) be a smooth Reed Solomon code and \(k \leq m\). For \(0 \leq i \leq k\) let \(\mathcal{C}^{(i)} := \mathrm{RS}[\mathbb {F}, \mathcal{L}^{2^i}, m - i]\). Let \(\mathsf{Gen}(\mathsf{par}\ell ; \alpha ) = (1, \alpha , \ldots , \alpha ^{\mathsf{par}\ell - 1})\) be a proximity generator with mutual correlated agreement for the codes \(\mathcal{C}^{(0)}, \ldots , \mathcal{C}^{(k-1)}\) with proximity bound \({\mathsf{B}}^\star \) and error \(\mathsf{err}^\star \). Then for every \(f : \mathcal{L}\to \mathbb {F}\) and \(\delta \in \left(0, 1 - \max _{i \in [0,(k-1)]} \{ {\mathsf{B}}^\star (\mathcal{C}^{(i)}, 2) \} \right)\),

\[ \Pr _{\alpha \leftarrow \mathbb {F}^k} \left[ \mathrm{Fold_S}(\Lambda _{r}(\mathcal{C}, 0, k, f, \delta ), \alpha ) \neq \Lambda (\mathcal{C}^{(k)}, \mathrm{Fold}(f, \alpha ), \delta ) \right] {\lt} \mathsf{err}^{(k)}(\mathcal{C}, \delta ). \]

Lemma 173

Let \(\mathcal{C}:= \mathrm{RS}[\mathbb {F}, \mathcal{L}, m]\) be a Reed Solomon code, and \(k \leq m\) be a parameter. Denote \(\mathcal{C}' := \mathrm{RS}[\mathbb {F}, \mathcal{L}^{2}, m - 1]\). Then for every \(f : \mathcal{L}\to \mathbb {F}\) and \(\delta \in (0, 1 - {\mathsf{B}}^\star (\mathcal{C}', 2))\),

\[ \Pr _{\alpha \leftarrow \mathbb {F}} \left[ \mathrm{Fold_S}(\Lambda _{r}(\mathcal{C}, 0, k, f, \delta ), \alpha ) \neq \Lambda _{r}(\mathcal{C}', 1, k, \mathrm{Fold}(f, \alpha ), \delta ) \right] {\lt} \mathsf{err}^\star (\mathcal{C}', 2, \delta ). \]

Lemma 174

For every \(\alpha \in \mathbb {F}\), \(\mathrm{Fold_S}(\Lambda _{r}(\mathcal{C}, 0, k, f, \delta ), \alpha ) \subseteq \Lambda _{r}(\mathcal{C}', 1, k, \mathrm{Fold}(f, \alpha ), \delta )\).

Lemma 175

\[ \Pr _{\alpha \leftarrow \mathbb {F}} \left[ \Lambda _{r}(\mathcal{C}', 1, k, \mathrm{Fold}(f, \alpha ), \delta ) \not\subseteq \mathrm{Fold_S}(\Lambda _{r}(\mathcal{C}, 0, k, f, \delta ), \alpha ) \right] {\lt} \mathsf{err}^\star (\mathcal{C}', 2, \delta ). \]

Lemma 176

Let \(f : \mathcal{L}\rightarrow \mathbb {F}\) be a function, \(m \in \mathbb {N}\) be a number of variables, \(s \in \mathbb {N}\) be a repetition parameter, and let \(\delta \in [0,1]\) be a distance parameter. For every \(\vec{r_0}, \dots , \vec{r_{s-1}} \in \mathbb {F}^m\), the following are equivalent statements.

There exist distinct \(u, u' \in \Lambda (\mathrm{RS}[\mathbb {F}, \mathcal{L}, m], f, \delta )\) such that, for every \(i \in [0,s-1]\), \(\hat{u}(\vec{r_i}) = \hat{u}'(\vec{r_i})\).
There exists \(\sigma _0, \dots , \sigma _{s-1} \in \mathbb {F}\) such that

\[ \left| \Lambda (\mathrm{CRS}[\mathbb {F}, \mathcal{L}, m, ((Z \cdot \mathrm{eq}(\vec{r_0}, \cdot ), \sigma _0), \dots , (Z \cdot \mathrm{eq}(\vec{r_{s-1}}, \cdot ), \sigma _{s-1}))], f, \delta ) \right| {\gt} 1. \]

Lemma 177

Let \(f : \mathcal{L}\rightarrow \mathbb {F}\) be a function, \(m \in \mathbb {N}\) be a number of variables, \(s \in \mathbb {N}\) be a repetition parameter, and \(\delta \in [0,1]\) be a distance parameter. If \(\mathrm{RS}[\mathbb {F}, \mathcal{L}, m]\) is \((\delta , \ell )\)-list decodable then

\[ \Pr _{r_0, \dots , r_{s-1} \leftarrow \mathbb {F}} \left[ \begin{array}{c} \exists \sigma _0, \dots , \sigma _{s-1} \in \mathbb {F}\text{ s.t.} \\ \left| \Lambda (\mathrm{CRS}[\mathbb {F}, \mathcal{L}, m, ((Z \cdot \mathrm{eq}(\mathrm{pow}(r_{i}, m), \cdot ), \sigma _{i}))_{i \in [s]}], f, \delta ) \right| {\gt} 1 \end{array} \right] \]

\[ = \Pr _{r_0, \dots , r_{s-1} \leftarrow \mathbb {F}} \left[ \begin{array}{c} \exists \text{ distinct } u, u’ \in \Lambda (\mathrm{RS}[\mathbb {F}, \mathcal{L}, m], f, \delta ) \\ \text{ s.t. } \forall i \in [s],\ \hat{u}(\mathrm{pow}(r_i, m)) = \hat{u}’(\mathrm{pow}(r_i, m)) \end{array} \right] \]

\[ \leq \frac{\ell ^2}{2} \cdot \left( \frac{2^m}{|\mathbb {F}|} \right)^s. \]

Theorem 178

Consider \((\mathbb {F}, M, (k_i, m_i, \mathcal{L}_i, t_i)_{0 \leq i \leq M}, \widehat{w}_0, \sigma _0, m, d^\star , d)\) with the following ingrediants and conditions,

a constrained Reed Solomon code \(\mathrm{CRS}[\mathbb {F}, \mathcal{L}_0, m_0, \widehat{w}_0, \sigma _0]\);
an iteration count \(M \in \mathbb {N}\);
folding parameters \(k_0, \ldots , k_{M}\) such that \(\sum _{i=0}^{M} k_i \leq m\);
evaluation domains \(\mathcal{L}_0, \ldots , \mathcal{L}_{M} \subseteq \mathbb {F}\) where \(\mathcal{L}_i\) is a smooth coset of \(\mathbb {F}^*\) with order \(|\mathcal{L}_i| \geq 2^{m_i}\);
repetition parameters \(t_0, \ldots , t_M\) with \(t_i \leq |\mathcal{L}_i|\);
define \(m_0 := m\) and \(m_i := m - \sum _{j {\lt} i} k_j\);
define \(d^\star := 1 + \deg _{\mathbb {Z}}(\widehat{w}_0) + \max _{i \in [m_0]} \deg _{X_i}(\widehat{w}_0)\) and \(d := \max \{ d^\star , 3\} \).

For every \(f \notin \mathrm{CRS}[\mathbb {F}, \mathcal{L}_0, m_0, \widehat{w}_0, \sigma _0]\) and every \(\delta _0, \dots , \delta _{M}\) and \((\mathsf{par}\ell _{i,s})_{0 \leq i \leq M}^{0 \leq s \leq k_i}\) where

\(\delta _0 \in (0, \Delta (f, \mathrm{CRS}[\mathbb {F}, \mathcal{L}_0, m_0, \widehat{w}_0, \sigma _0]))\);
the function \(\mathsf{Gen}(\mathsf{par}\ell ; \alpha ) = (1, \alpha , \dots , \alpha ^{\mathsf{par}\ell -1})\) is a proximity generator with mutual correlated agreement for the codes \((\mathcal{C}_{\mathrm{RS}}^{(i,s)})_{0 \leq i \leq M}^{0 \leq s \leq k_i}\) where \(\mathcal{C}_{\mathrm{RS}}^{(i,s)} := \mathrm{RS}[\mathbb {F}, \mathcal{L}_i^{(2^s)}, m_i - s]\) with bound \({\mathsf{B}}^\star \) and error \(\mathsf{err}^\star \);
for every \(0 \leq i \le M\), \(\delta _i \in (0, 1 - {\mathsf{B}}^\star (\mathcal{C}_{\mathrm{RS}}^{(i,s)}, 2))\);
for every \(0 \leq i \le M\), \(\mathcal{C}_{\mathrm{RS}}^{(i,s)}\) is \((\ell _{i,s}, \delta _i)\)-list decodable.

Then there exists an IOPP for \(\mathrm{CRS}[\mathbb {F}, \mathcal{L}_0, m_0, \widehat{w}_0, \sigma _0]\) with above parameters, with round-by-round soundness error

\[ ((\varepsilon _{0,s}^{\mathrm{fold}})_{s \leq k_0},\ (\varepsilon _i^{\mathrm{out}},\ \varepsilon _i^{\mathrm{shift}})_{i \leq M},\ (\varepsilon _{i,s}^{\mathrm{fold}})_{i \in [M], s \leq k_i},\ \varepsilon ^{\mathrm{fin}}), \]

where:

\(\varepsilon _{0,s}^{\mathrm{fold}} \leq \dfrac {d^* \cdot \ell _{0,s-1}}{|\mathbb {F}|} + \mathrm{err}^*(\mathcal{C}_{\mathrm{RS}}^{(0,s)}, 2, \delta _0)\);
\(\varepsilon _i^{\mathrm{out}} \leq \dfrac {2^{m_i} \cdot \ell _{i,0}^2}{2 \cdot |\mathbb {F}|}\);
\(\varepsilon _i^{\mathrm{shift}} \leq (1 - \delta _{i-1})^{t_i - 1} + \dfrac {\ell _{i,0} \cdot (t_i - 1 + 1)}{|\mathbb {F}|}\);
\(\varepsilon _{i,s}^{\mathrm{fold}} \leq \dfrac {d \cdot \ell _{i,s-1}}{|\mathbb {F}|} + \mathrm{err}^*(\mathcal{C}_{\mathrm{RS}}^{(i,s)}, 2, \delta _i)\);
\(\varepsilon ^{\mathrm{fin}} \leq (1 - \delta _{M-1})^{t_M - 1}\).

3.6 The Spartan Protocol

3.7 The Ligero Polynomial Commitment Scheme