DEEP FRI

Brief recap of FRI

In FRI, our starting point is an input function $f^{(0)} : \mathcal{L}^{(0)} \rightarrow \mathbb{F}$ where $\mathbb{F}$ is a finite field, $\mathcal{L}^{(0)} \subset \mathbb{F}$ is the evaluation domain. The FRI protocol is a two-phase protocol (the two phases are called COMMIT and QUERY) that convinces a verifier that $f^{(0)}$ is close to the Reed-Solomon code $\mathsf{RS}[\mathbb{F}, \mathcal{L}^{(0)}, \rho]$.

COMMIT phase:

1. For $i = 0$ to $r - 1$:

   1. The verifier picks uniformly random $\beta_i \in \mathbb{F}$ and sends it to the prover.

   2. The prover sends a merkle proof of a function $f^{(i+1)} : \mathcal{L}^{(i+1)} \rightarrow \mathbb{F}$. (In the case of an honest prover, $f^{(i+1)} = f^{(i)}_{\mathsf{even}} + \beta_if^{(i)}_{\mathsf{odd}}$).

2. The prover sends a value $C \in \mathbb{F}_q$. (In the case of an honest prover, $f^{(r)}$ is the constant function with value = $C$).

QUERY phase: (executed by the Verifier)

1. Repeat $l$ times:

   1. Pick $x_0 \in \mathcal{L}^{(0)}$ uniformly at random.

   2. For $i = 0$ to $r - 1$:

      1. Define $x_{i+1} \in \mathcal{L}^{(i+1)}$ by $x_{i+1} = x_i^2$.

      2. Query $f^{(i)}$ at $x_i$ and $-x_i$ to compute $f^{(i)}_{\mathsf{even}}(x_{i+1})$ and $f^{(i)}_{\mathsf{odd}}(x_{i+1})$.

      3. Query $f^{(i+1)}(x_{i+1})$ and if $f^{(i)}_{\mathsf{even}}(x_{i+1}) + \beta_i f^{(i)}_{\mathsf{odd}}(x_{i+1})\neq f^{(i+1)}(x_{i+1})$, then REJECT.

2. If $f^{(r)}(x_r) \neq C$, then REJECT.

3. ACCEPT

Properties

• Prover time $\leq 6n$, proof length $\leq \frac{n}{3}$

• Verifier time $\leq 21 \log n$, query complexity $\leq 2 \log n$

• Round complexity = $\frac{\log n}{2}$

• Soundness: Rejection probability of $\delta$-far words $\approx\delta-o(1)$ (which basically means it is a bit smaller but that is ignorable), for sufficiently small $\delta < \delta_0$

  • A word $w$ is said to be $\delta$-far from the code $\mathcal{C}$ if its Hamming distance from every codeword in $\mathcal{C}$ is at least $\delta n$)

  • $\delta_0$ is a positive constant that depends mainly on the code rate.

• In other words: Probability of rejecting $\delta$-far word is approximately $\min(\delta, \delta_0)$.

Understanding the Soundness

The soundness of a proximity testing protocol can be described by a soundness function $s(\cdot)$ that takes as input a proximity parameter $\delta$, and outputs the minimum rejection probability of the verifier, where this minimum is taken over all words that are $\delta$-far from the code.

where $Pr_{rej}(w)$ is the rejection probability of the word $w$.

For codes of $ho \geq 1/3$, $\delta_0$ becomes non-positive so the FRI protocol becomes meaningless. Even when considering the ideal case of $ho \rightarrow 0\Rightarrow \delta_0 \rightarrow 1/4$. This rather low soundness means that many tests must be applied in order to reach a target soundness error. For example, to achieve a target soundness error of $2^{-\lambda}$, then how many tests do we need?

This shows that for 128-bit security, we need more than 300 queries. So to reduce this number, we need to have a better soundness lower bound.

Improvements in the soundness lower bound

Following the limitations of FRI, there were some works that improved upon the $\delta_0$.

1. Improved bound from Lemma 3.1 of [BGKS20]:

From the second result, we can see that when $ho \rightarrow 0$, $\delta_0 \rightarrow 1$ which is a big improvement for the soundness of FRI. Building on top of that, Lemma 3.1 improved the number of tests required for $\lambda$ bit security from $\frac{4\lambda}{\log\frac{1}{\rho}}$ to $\frac{3\lambda}{\log\frac{1}{\rho}}$ which is ~25% less.

In addition, Lemma 3.1 is shown to be tight under a special case:

1. $\mathbb{F}$ is a binary field

2. $ho = 1/8$ precisely

3. Evaluation domain $D$ equals all of $\mathbb{F}$

Therefore, we needed something different to break this soundness barrier and the DEEP (Domain Extension for Eliminating Pretenders) method was introduced.

DEEP FRI

First, what do we mean by “pretenders”? Let's say a malicious prover has a very large degree polynomial that agrees on all of $\mathcal{L}^{(0)}$ with a low-degree polynomial. Then how does the verifier differentiate between such pretenders and an actual low-degree polynomial? If we sample $x_0\in \mathcal{L}^{(0)}$, we won't find any discrepancies. Therefore, we attempt to sample outside the evaluation domain using quotient functions.

Quotienting

If $f^{(0)}$ is indeed evaluations of low-degree polynomial $P(X)$ on $D$ then verifier should be able to query $P$ on an arbitrary $z\in\mathbb{F}$. Suppose the prover claims $P(z)=a$, then $P(X) - a$ is divisible by $X-z$ so let's denote it as:

COMMIT phase:

1. For $i = 0$ to $r - 1$:

   1. The verifier picks uniformly random $\beta_i, z_i \in \mathbb{F}$.

   2. The prover sends $f^{(i)}_{even}(z_i) + \beta_i f^{(i)}_{odd}(z_i)=a$.

   3. The prover sends a merkle proof of a function $f^{(i+1)} : L^{(i+1)} \rightarrow \mathbb{F}$. (In the case of an honest prover, $f^{(i+1)}(X)=\mathsf{QUOTIENT}(f^{(i)}_{\mathsf{even}}(X) + \beta_i f^{(i)}_{\mathsf{odd}}(X), z_i, a))$.

2. The prover sends a value $C \in \mathbb{F}_q$. (In the case of an honest prover, $f^{(r)}$ is the constant function with value = $C$).

QUERY phase: (executed by the Verifier)

1. Repeat $l$ times:

   1. Pick $x_0 \in \mathcal{L}^{(0)}$ uniformly at random.

   2. For $i = 0$ to $r - 1$:

      1. Define $x_{i+1} \in \mathcal{L}^{(i+1)}$ by $x_{i+1} = x_i^2$.

      2. Query $f^{(i)}$ at $x_i$ and $-x_i$ to compute $f^{(i)}_{\mathsf{odd}}(x_{i+1})$ and $f^{(i)}_{\mathsf{even}}(x_{i+1})$.

      3. If $\frac{(f^{(i)}_{\mathsf{even}}(x_{i+1}) + \beta_i f^{(i)}_{\mathsf{odd}}(x_{i+1})) - a}{(x_{i+1} - z_i)}\neq f^{(i+1)}(x_{i+1})$, then REJECT.

2. If $f^{(r)}(x_r) \neq C$, then REJECT.

3. ACCEPT

Resulting soundness

As a result of applying the DEEP technique, the soundness claim was improved to:

Final Remarks

References: