STIR

Codewords must correspond to polynomials of (at most) a prescribed degree d or else be classified as invalid. In the example above, our required $d$ is 1. Since the red codeword in the rightmost figure has a degree of 2, it does not satisfy the condition of being a degree of 1 and is therefore invalid; however as the red codewords in the middle two graphs are of degree 1, they are valid. From this, we can infer that given $N$ and $d$, uniquely valid codewords must differ from each other by at least $N - d$ (3 in this example) values.

Now, imagine that a function is $\delta$-far from the code. This means that there is a fraction $\delta = \frac{N - d}{ N} = 1 - \frac{d}{ N}$ of the function’s values that deviate from what would be expected if it belonged to the code. The remaining $1−\delta$ portion agrees with the code, meaning that these points behave as if the function were correct.

When the verifier makes only a limited number of queries, there’s a chance it might sample only from the portion of the function that agrees with the code—the $1−\delta$ part. If the verifier’s queries happen to avoid the parts where the function diverges (the $\delta$-far parts), completeness would require the verifier to conclude that the function is close to the code.

This is why, with a limited number of queries, there’s a trade-off: more queries increase confidence that the function is close to the code, while fewer queries make it easier for the function to “pass” without actually being in close proximity. This is why the probability $(1−\delta)^t$ becomes significant, where $t$ is the number of queries. This probability is known as the soundness error, and reducing it enhances the protocol’s security. Here rate ρ is defined as $\frac{d + 1}{ N}$, so $\delta \approx 1 - \rho$. Therefore, lowering the rate preserves security while minimizing the number of queries required.

Here, $m$ represents each round, and $k$ is a constant that is a power of 2.

1. $k$-fold: This method creates a degree $\frac{d}{ k}$ polynomial $g$ from a degree d polynomial $f$ using random values, with the following features.

The verifier should be able to compute the next round’s evaluations using $k$ evaluations obtained from the previous round.

The distance between $f$ and $g$ should be preserved with high probability.

folded degree at round

domain size at round

rate at round

2. Quotienting: After creating a polynomial through $k$-folding, its validity needs to be checked. Since FRI and STIR use domains of different sizes, the method used in FRI cannot be applied here. Instead, as shown in the diagram below, a method called Quotienting is used with the following features:

The verifier should be able to compute $\mathsf{Quotient}(x)$ from a sampled point x in the domain excluding $S$ in $\mathbb{F}$.

Suppose that every codeword close to f disagrees from $\hat{p}$ (which is derived from $p$ and $S$). Then $\mathsf{Quotient}(f, S, p)$ is far from the code.

3. Out Of Domain Sampling: Multiple polynomials may satisfy the conditions above, so out of domain sampling narrows it down to the one unique polynomial. To do this, additional random points are added to the subdomain $S$ used in Quotienting, and values from substituting f at these points are added to $p$.

4. Degree Correction: The degree of the Quotient polynomial becomes $\deg(f) - |S|$, which isn’t a power of 2 as required at the beginning of each round. Therefore, a technique is needed to adjust it to a power of 2, called Degree Correction. It maintains the following characteristics:

The verifier should be able to compute $\mathsf{DegCor}(f)$ from $f$.

The distance between $f$ and $\mathsf{DegCor}(f)$ should be preserved with high probability.

(The argument size can be found at this , and it can be considered equivalent to the proof size.)

In conclusion, these four techniques collectively reduce the rate, enabling a reduction in the number of queries. This approach is referred to as "Shift," resulting in the protocol name of STIR (Shift To Improve Rate). Recently, the same authors of the STIR paper presented a new technique called , which was introduced at zkSummit 12, so interested readers may consider watching the presentation. I’ve skipped the explanation of how STIR achieves $O(\log d + \lambda \log \log d)$. For those interested in the details, please refer to sections C.1 and C.2 of the paper.

Written by from

Reviewed by from