IOP of Proximity to Algebraic Geometry codes

Sarah Bordage, Jade Nardi
LIX, Ecole Polytechnique, Institut Polytechnique de Paris, Inria
November 19, 2020
https://eccc.weizmann.ac.il/report/2020/165/
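Algebraic Geometry (AG) codes

Let $\mathcal{C}$ be an algebraic curve defined over a finite field $\mathbb{F}$.

Divisors. A divisor $D$ on $\mathcal{C}$ is a formal sum of points $D = \sum n_P P$. Its degree is $\deg D := \sum n_P$ and its support is $\mathrm{Supp}(D) := \{ P \in \mathcal{C} \mid n_P \neq 0 \}$. $D \le D'$ if $n_P \le n'_P$ for every $P$. A function $f$ on $\mathcal{C}$ defines a principal divisor $(f) := \sum_P v_P(f)\, P$, where $v_P(f)$ is the valuation of $f$ at $P$.

Riemann-Roch space of $D$. $L_{\mathcal{C}}(D) = \{ f \in \mathbb{F}(\mathcal{C}) \mid (f) \ge -D \} \cup \{0\}$.

Embedding of RR spaces: If $D \le D'$, then $L_{\mathcal{C}}(D) \subset L_{\mathcal{C}}(D')$.

AG codes. Given $\mathcal{P} \subset \mathcal{C}(\mathbb{F})$ of size $n := |\mathcal{P}|$ and a divisor $D$ on $\mathcal{C}$ s.t. $\mathrm{Supp}(D) \cap \mathcal{P} = \emptyset$, the AG code $C = C(\mathcal{C}, \mathcal{P}, D)$ is defined as the image of $L_{\mathcal{C}}(D)$ by $\mathrm{ev} : L_{\mathcal{C}}(D) \to \mathbb{F}^n$.

We always choose $D$ so that $\mathrm{ev}$ is injective: $\mathbb{F}^n \leftrightsquigarrow \mathbb{F}^{\mathcal{P}}$ and
$$C(\mathcal{C}, \mathcal{P}, D) = \{ f : \mathcal{P} \to \mathbb{F} \mid f \text{ coincides with a function in } L_{\mathcal{C}}(D) \}.$$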
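Group action and Kani’s splitting of Riemann-Roch spaces

Let $\mathcal{C}$ be a curve over a field $\mathbb{F}$ and let $\Gamma = \langle \gamma \rangle \simeq \mathbb{Z}/m\mathbb{Z}$ be a group of automorphisms of $\mathcal{C}$ s.t. $\gcd(m, |\mathbb{F}|) = 1$. Set the projection map $\pi : \mathcal{C} \to \mathcal{C}' := \mathcal{C}/\Gamma$. Take $\zeta \in \mathbb{F}$ a primitive $m$-th root of unity.

• $\Gamma$ acts on the functions on $\mathcal{C}$: $\gamma \cdot f = f \circ \gamma$ for any function $f$ on $\mathcal{C}$.
• There exists a function $\mu$ on $\mathcal{C}$ s.t. $\gamma \cdot \mu = \zeta \mu$ [Kani’86].

For any $\Gamma$-invariant divisor $D$ on $\mathcal{C}$, the action of $\Gamma$ on $L_{\mathcal{C}}(D)$ gives
$$L_{\mathcal{C}}(D) = \bigoplus_{j=0}^{m-1} L_{\mathcal{C}}(D)_j \quad \text{where} \quad L_{\mathcal{C}}(D)_j := \{ g \in L_{\mathcal{C}}(D) \mid \gamma \cdot g = \zeta^j g \}.$$

[Kani’86] $L_{\mathcal{C}}(D)_j \simeq \mu^j \pi^* \left( L_{\mathcal{C}'}(E_j) \right)$ where $E_j := \left\lfloor \frac{1}{m} \pi_* (D + j(\mu)) \right\rfloor$ is a divisor on $\mathcal{C}'$.

Notation: $\left\lfloor \frac{1}{n} D \right\rfloor := \sum \left\lfloor \frac{n_P}{n} \right\rfloor P$, for a divisor $D = \sum n_P P$ and integer $n > 0$.

Splitting of Riemann-Roch spaces:
$$L_{\mathcal{C}}(D) = \bigoplus_{j=0}^{m-1} \mu^j \pi^* L_{\mathcal{C}'}(E_j).$$

For every $f \in L_{\mathcal{C}}(D)$, there exist $m$ functions $f_j \in L_{\mathcal{C}'}(E_j)$ s.t.
$$f = \sum_{j=0}^{m-1} \mu^j \, f_j \circ \pi.$$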
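Kani’s result on $\mathcal{C} = \mathbb{P}^1$

[Kani’86]:
$$L_{\mathcal{C}}(D) = \bigoplus_{j=0}^{m-1} \mu^j \pi^* L_{\mathcal{C}'}\left( \left\lfloor \frac{1}{m} \pi_* (D + j(\mu)) \right\rfloor \right).$$

FRI context: For evaluation domain $\mathcal{P} = \langle [1 : \omega] \rangle$ where $\omega$ has order $2^r$.

• $\gamma : [X_0 : X_1] \mapsto [X_0 : -X_1]$ acts on $\mathbb{P}^1$ and $\langle \gamma \rangle \simeq \mathbb{Z}/2\mathbb{Z}$,
• Define projection $\pi : \mathbb{P}^1 \to \mathbb{P}^1$ by $\pi[X_0 : X_1] := [X_0^2 : X_1^2]$.

Consider the RS code $\mathrm{RS}[\mathbb{F}, \mathcal{P}, d+1]$ viewed as the AG code $C = C(\mathbb{P}^1, \mathcal{P}, dP_\infty)$, where $P_\infty = [0 : 1]$.

Kani’s result with $\mu = x := \frac{X_1}{X_0}$ (for which $\gamma \cdot x = -x$ and $(x) = [1 : 0] - P_\infty$) yields
$$L_{\mathbb{P}^1}(dP_\infty) = \pi^* L_{\mathbb{P}^1}\left( \left\lfloor \frac{d}{2} \right\rfloor P_\infty \right) + x\, \pi^* L_{\mathbb{P}^1}\left( \left\lfloor \frac{d-1}{2} \right\rfloor P_\infty \right),$$
i.e. any polynomial $f$ of degree $\le d$ can be written $f(x) = f_0(x^2) + x f_1(x^2)$ with $\deg f_0 \le \left\lfloor \frac{d}{2} \right\rfloor$ and $\deg f_1 \le \left\lfloor \frac{d-1}{2} \right\rfloor$.

→ Proximity to $C = C(\mathcal{C}, \mathcal{P}, D)$ reduced to proximity to $C' = C(\mathbb{P}^1, \mathcal{P}', \left\lfloor \frac{d}{2} \right\rfloor P_\infty)$ where $\mathcal{P}' = \pi(\mathcal{P})$.

Remark: For odd $d$, $\left\lfloor \frac{d}{2} \right\rfloor = \left\lfloor \frac{d-1}{2} \right\rfloor$, i.e. $L_{\mathbb{P}^1}(dP_\infty)$ is split into 2 “copies” of the same space.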
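Using Kani’s result to fold

Let $\mathcal{C}$ be a curve over a field $\mathbb{F}$ on which acts $\Gamma \simeq \mathbb{Z}/m\mathbb{Z}$, with the projection map $\pi : \mathcal{C} \to \mathcal{C}/\Gamma$.

FRI’s idea: proximity to an AG code $C = C(\mathcal{C}, \mathcal{P}, D)$ reduced to proximity to an AG code $C' = C(\mathcal{C}/\Gamma, \mathcal{P}', D')$.

We need:
– a $\Gamma$-invariant divisor $D$, so that [Kani’86] $\Rightarrow$ $f = \sum_{j=0}^{m-1} \mu^j \, f_j \circ \pi$ with $f \in L_{\mathcal{C}}(D)$ and $f_j \in L_{\mathcal{C}/\Gamma}(E_j)$,
– an evaluation set $\mathcal{P}$ = union of $\Gamma$-orbits of size $|\Gamma|$ ($\Gamma$ acts freely on $\mathcal{P}$).

Take $\mathcal{P}' = \pi(\mathcal{P})$ (so $|\mathcal{P}'| = |\mathcal{P}|/m$) and $D'$ a divisor on $\mathcal{C}/\Gamma$ s.t. $L_{\mathcal{C}/\Gamma}(D') \supseteq L_{\mathcal{C}/\Gamma}(E_j)$.

1. Split $f : \mathcal{P} \to \mathbb{F}$ into $m$ functions $f_j : \mathcal{P}' \to \mathbb{F}$.
2. For any $z \in \mathbb{F}$, define the folding of $f$ as the function $\mathrm{Fold}[f, z] : \mathcal{P}' \to \mathbb{F}$ s.t. $\mathrm{Fold}[f, z] = \sum_{j=0}^{m-1} z^j f_j$.

→ $\mathrm{Fold}[\cdot, z](C) \subseteq C'$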
The folding operator

(First attempt) If we define $\mathrm{Fold}[f, z] = \sum_{j=0}^{m-1} z^j f_j$:

• Completeness: $\mathrm{Fold}[\cdot, z](C) \subseteq C'$.
• Locality: For any $P \in \mathcal{P}'$, compute $\mathrm{Fold}[f, z](P)$ with $m$ queries to $f$: interpolate the set of $m$ points $\{ (\mu(Q), f(Q)) \mid Q \in \pi^{-1}(\{P\}) \}$.
• Distance preservation: If $\Delta(f, C) > \delta$, then $\Delta(\mathrm{Fold}[f, z], C') > \delta'$ (w.h.p.). We need to ensure that $f_j \notin L(D') \setminus L(E_j)$!

Define balancing functions $\nu_j \in \mathbb{F}(\mathcal{C}/\Gamma)$ s.t. $h \in L(E_j)$ iff both $h \in L(D')$ and $\nu_j h \in L(D')$.
(on $\mathbb{P}^1$: if $\deg \nu = 1$, then $\deg h \le d - 1$ iff $\deg h, \deg \nu h \le d$)

We assume there exists $\nu_j \in \mathbb{F}(\mathcal{C}/\Gamma)$ such that $(\nu_j)_\infty = D' - E_j$. (For simplicity, take $D' = E_0$.)

→ Need to carefully define $D'$, otherwise such functions $\nu_j$ may not exist.

(Final attempt) For any $(z_1, z_2) \in \mathbb{F}^2$, define $\mathrm{Fold}[f, (z_1, z_2)] : \mathcal{P}' \to \mathbb{F}$ s.t.
$$\mathrm{Fold}[f, (z_1, z_2)] = \sum_{j=0}^{m-1} z_1^j f_j + \sum_{j=1}^{m-1} z_2^j \nu_j f_j.$$
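An added example (not from the slides) of the fold on $\mathbb{P}^1$ with $m = 2$: it computes $\mathrm{Fold}[f, (z_1, z_2)]$ from two queries per point and shows that a function of degree $d + 1$, which is not in $C$, folds into $C'$ under the first attempt but not under the balanced fold. The field $\mathbb{F}_{97}$, the sizes, the challenge values and the choice $\nu_1(y) = y$ (a degree-1 balancing function for even $d$, with $D' = E_0$) are assumptions of the example.

```python
P = 97                            # example prime field F_97 (assumption)
N, D = 16, 6                      # |P| = 16 evaluation points, even degree bound d = 6
OMEGA = pow(5, (P - 1) // N, P)   # 5 generates F_97^*, so OMEGA has order 16

def inv(a):
    return pow(a, P - 2, P)

def evaluate(coeffs, x):
    """Horner evaluation of sum(coeffs[k] * x**k) over F_97."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def fold(values, omega, z1, z2):
    """values[i] = f(omega**i); returns Fold[f, (z1, z2)] on <omega**2>."""
    half, out = len(values) // 2, []
    for i in range(half):
        x = pow(omega, i, P)
        a, b = values[i], values[i + half]   # the two queries f(x), f(-x)
        f0 = (a + b) * inv(2) % P            # line through (x, a), (-x, b):
        f1 = (a - b) * inv(2 * x) % P        # intercept f0(x^2), slope f1(x^2)
        nu = x * x % P                       # balancing function nu_1(y) = y (assumed)
        out.append((f0 + z1 * f1 + z2 * nu * f1) % P)
    return out

def degree(values, omega):
    """Degree of the interpolant of values[i] at omega**i (unnormalised inverse DFT)."""
    w = inv(omega)
    coeffs = [sum(v * pow(w, i * k, P) for i, v in enumerate(values)) % P
              for k in range(len(values))]
    return max((k for k, c in enumerate(coeffs) if c), default=-1)

def fold_degree(coeffs, z1, z2):
    """Degree of Fold[f, (z1, z2)] for f given by its coefficients."""
    f = [evaluate(coeffs, pow(OMEGA, i, P)) for i in range(N)]
    return degree(fold(f, OMEGA, z1, z2), OMEGA * OMEGA % P)

def lands_in_folded_code(coeffs, z1, z2):
    """True when the fold lies in C' = RS code of degree <= floor(d/2)."""
    return fold_degree(coeffs, z1, z2) <= D // 2

IN_CODE = [1, 2, 3, 4, 5, 6, 7]           # constructed f of degree 6 = d
NOT_IN_CODE = [1, 2, 3, 4, 5, 6, 7, 8]    # constructed f of degree 7 = d + 1
if __name__ == "__main__":
    print(lands_in_folded_code(IN_CODE, 3, 5))       # balanced fold of a codeword
    print(lands_in_folded_code(NOT_IN_CODE, 3, 0))   # first attempt (z2 = 0)
    print(lands_in_folded_code(NOT_IN_CODE, 3, 5))   # balanced fold
```

With $z_2 = 0$ the function of degree 7 differs from every codeword of $C$ on at least 9 of the 16 points, yet its fold is a codeword of $C'$; the $\nu_1 f_1$ term raises the degree of the fold to 4 and exposes it.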
Foldable AG codes

An AG code $C_0 = C(\mathcal{C}_0, \mathcal{P}_0, D_0)$ is said to be foldable if we can repeat the previous process:

1. There exists a large solvable group $G \in \mathrm{Aut}(\mathcal{C}_0)$ acting freely on $\mathcal{P}_0$, with composition series
$$G = G_0 \triangleright G_1 \triangleright \cdots \triangleright G_r = 1$$
→ $\Gamma_i := G_i / G_{i+1} \simeq \mathbb{Z}/p_i\mathbb{Z}$
→ Sequence of curves $(\mathcal{C}_i)$ s.t. $\mathcal{C}_{i+1} := \mathcal{C}_i / \Gamma_i$
→ Sequence of evaluation points $(\mathcal{P}_i)$ s.t. $\mathcal{P}_{i+1} = \pi_i(\mathcal{P}_i)$, $|\mathcal{P}_{i+1}| = |\mathcal{P}_i| / p_i$

2. There exists a “nice” sequence of divisors $(D_i)$, i.e. for each $i$:
– $D_i$ is supported by $\Gamma_i$-fixed points,
– for every $0 \le j < p_i$, $E_{i,j} \le D_{i+1}$ ([Kani’86] $L(D_i)$ is split into $p_i$ smaller spaces $L(E_{i,j})$),
– for every $0 \le j < p_i$, there exists $\nu_{i+1,j} \in \mathbb{F}(\mathcal{C}_{i+1})$ s.t. $(\nu_{i+1,j})_\infty = D_{i+1} - E_{i,j}$.

A foldable AG code $C_0 = C(\mathcal{C}_0, \mathcal{P}_0, D_0)$ induces a sequence of AG codes $(C_i = C(\mathcal{C}_i, \mathcal{P}_i, D_i))$.
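Overview of the AG-IOPP: COMMIT phase

Input: $(\mathbb{F}, \mathcal{C}_0, \mathcal{P}_0, D_0)$ and $f_0$.

Verifier: $z_0 \leftarrow \mathbb{F}^2$. Prover: $f_1 = \mathrm{Fold}[f_0, z_0]$.
Verifier: $z_1 \leftarrow \mathbb{F}^2$. Prover: $f_2 = \mathrm{Fold}[f_1, z_1]$.
...
Verifier: $z_{r-1} \leftarrow \mathbb{F}^2$. Prover: $f_r = \mathrm{Fold}[f_{r-1}, z_{r-1}]$.

Final test: $f_r \in C_r$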
Overview of the AG-IOPP: QUERY phase

Input: $(\mathbb{F}, \mathcal{C}_0, \mathcal{P}_0, D_0)$ and $f_0$, with the challenges $z_0, \dots, z_{r-1} \leftarrow \mathbb{F}^2$ and the functions $f_1, \dots, f_r$ exchanged between Prover and Verifier.

Round consistency tests: Sample $Q_0 \in \mathcal{P}_0$. Define the query path $(Q_1, \dots, Q_r)$ s.t. $Q_{i+1} = \pi_i(Q_i)$.

$f_1(Q_1) \overset{?}{=} \mathrm{Fold}[f_0, z_0](Q_1)$
$f_2(Q_2) \overset{?}{=} \mathrm{Fold}[f_1, z_1](Q_2)$
...
$f_r(Q_r) \overset{?}{=} \mathrm{Fold}[f_{r-1}, z_{r-1}](Q_r)$

Final test: $f_r \overset{?}{\in} C(\mathcal{C}_r, \mathcal{P}_r, D_r)$
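Overview of the AG-IOPP

Input: $(\mathbb{F}, \mathcal{C}_0, \mathcal{P}_0, D_0)$ and $f_0$; Prover and Verifier exchange $z_0, \dots, z_{r-1} \leftarrow \mathbb{F}^2$ and $f_1, \dots, f_r$.

Completeness: If $f_0 \in C_0$, V accepts with probability 1.

Soundness (relies on [BKS18] and [BGKS19]): If $f_0$ is $\delta$-far from $C_0$, V accepts with probability
$$\mathrm{err}(\delta) < \mathrm{err}_{\mathrm{commit}} + \left( \mathrm{err}_{\mathrm{query}}(\delta) \right)^{\alpha},$$
where $\alpha$ is the repetition parameter.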
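An added example (not from the slides) that runs the COMMIT and QUERY phases on $\mathbb{P}^1$ for an honest prover and for one that swaps in a codeword at round 1. It assumes $\mathbb{F}_{97}$, 16 evaluation points and $d = 7$, so every degree bound $7, 3, 1$ is odd, the balancing function is constant and the example draws a single challenge $z$ per round; the challenge values and both inputs are constructed.

```python
P = 97                              # example prime field F_97 (assumption)
N = 16                              # |P_0| = 16; degree bounds 7 -> 3 -> 1 -> 0, r = 3
OMEGA = pow(5, (P - 1) // N, P)     # 5 generates F_97^*, so OMEGA has order 16
DOMAIN = [pow(OMEGA, i, P) for i in range(N)]

def inv(a):
    return pow(a, P - 2, P)

def fold_at(f, x, z):
    """Fold[f, z] at pi(x) = x^2, from the two queries f(x) and f(-x)."""
    a, b = f[x], f[P - x]
    return ((a + b) * inv(2) + z * (a - b) * inv(2 * x)) % P

def commit(f0, challenges):
    """COMMIT phase: the prover's oracles, one fold per verifier challenge."""
    oracles = [f0]
    for z in challenges:
        f = oracles[-1]
        oracles.append({x * x % P: fold_at(f, x, z) for x in f})
    return oracles

def verify(oracles, challenges, q0):
    """QUERY phase: round consistency along Q_{i+1} = pi(Q_i), then the final test."""
    q = q0
    for f, f_next, z in zip(oracles, oracles[1:], challenges):
        if f_next[q * q % P] != fold_at(f, q, z):
            return False
        q = q * q % P
    return len(set(oracles[-1].values())) == 1    # f_r in C_r: constant functions

def accepted_queries(oracles, challenges):
    """Number of starting points Q_0 in P_0 for which the verifier accepts."""
    return sum(verify(oracles, challenges, q0) for q0 in DOMAIN)

Z = [3, 5, 7]                       # constructed stand-ins for the random z_i
honest = {x: (1 + 2 * x + 4 * pow(x, 7, P)) % P for x in DOMAIN}   # degree 7, in C_0
far = {x: pow(x, 8, P) for x in DOMAIN}                            # degree 8, not in C_0
# Cheating prover: keeps the far f_0, commits to the codeword f_1 = 1, then folds honestly.
cheat = [far] + commit({x * x % P: 1 for x in DOMAIN}, Z[1:])

if __name__ == "__main__":
    print(accepted_queries(commit(honest, Z), Z))   # honest transcript
    print(accepted_queries(cheat, Z))               # cheating transcript
```

The far $f_0$ differs from every codeword of $C_0$ on at least half of $\mathcal{P}_0$, and the cheating transcript survives 8 of the 16 query paths, so $\alpha$ independent queries all pass with probability $2^{-\alpha}$.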