updated FRI notes, with STIR main idea

README.md

@@ -11,7 +11,7 @@ Notes, code and documents done while reading books and papers.
 - [Notes on Weil pairing](weil-pairing.pdf)
 - [Notes on Sigma protocol and OR proofs](sigma-or-notes.pdf)
 - [Notes on Reed-Solomon codes](notes_reed-solomon.pdf)
-- [Notes on FRI](notes_fri.pdf)
+- [Notes on FRI and STIR](notes_fri_stir.pdf)
 - [Notes on Spartan](notes_spartan.pdf)
 - [Notes on Nova](notes_nova.pdf)
 - [Notes on HyperNova](notes_hypernova.pdf)

notes_fri_stir.tex

@@ -25,7 +25,7 @@
 {\endinnerlemma}
 
 
-\title{Notes on FRI}
+\title{Notes on FRI and STIR}
 \author{arnaucube}
 \date{February 2023}
 
@@ -39,6 +39,8 @@
 	These notes are for self-consumption, are not complete, don't include all the steps neither all the proofs.
 
 	An implementation of FRI can be found at\\ \href{https://github.com/arnaucube/fri-commitment}{https://github.com/arnaucube/fri-commitment} \cite{fri-impl}.
+
+	Update(2024-03-22): notes on STIR \cite{cryptoeprint:2024/390} from explanations by \href{https://hecmas.github.io/}{Héctor Masip Ardevol} \cite{hectormasipardevol}.
 \end{abstract}
 
 \tableofcontents
@@ -303,6 +305,30 @@ V has $f(z)$ and $g(z)$ openings, so can verify
 $$g(z) = (f(z)-f(r))\cdot (z-r)^{-1}$$
 
 
+\section{STIR (main idea)}
+\emph{Update from 2024-03-22, notes from Héctor Masip Ardevol (\href{https://hecmas.github.io/}{https://hecmas.github.io}) explanations.}
+
+\vspace{0.3cm}
+Let $p \in \mathbb{F}[x]^{<n}$.
+
+In FRI we decompose $p(x)$ as
+$$p(x) = p_e(x^2) + x \cdot p_o(x^2)$$
+with $p_e, p_o \in \mahtbb{F}[x]^{<n}$ containing the even and odd powers respectively.
+
+The next FRI polynomial is
+$$p_1(x) = p_e(x) + \alpha p_o(x)$$
+for $\alpha \in^R \mathbb{F}$.
+
+In STIR, this would be $q(x)=x^2$,
+$$Q(z,y) = p_e(y) + z \cdot p_o(y)$$
+and then, $p(x) = Q(x, q(x))$. And $Q$ fullfills the degree from Fact 4.6 from the STIR paper.
+
+We can generalize to a $q$ with bigger degree, or with another shape, and adapting $Q$ on the choice of $q$.
+
+eg. for $q(x)=x^3$, we can take
+$$Q(z,y) = p_1(y) + z \cdot p_2(y) + z^2 \cdot p_3(y)$$
+with $p_1, p_2, p_3 \in \mathbb{F}[x]^{<n/3}$ with coefficients taken every 3 powers alternating.
+
 \bibliography{paper-notes.bib}
 \bibliographystyle{unsrt}
 

paper-notes.bib

@@ -81,6 +81,15 @@
       note = {\url{https://eprint.iacr.org/2019/1020}},
       url = {https://eprint.iacr.org/2019/1020}
 }
+@misc{cryptoeprint:2024/390,
+      author = {Gal Arnon and Alessandro Chiesa and Giacomo Fenzi and Eylon Yogev},
+      title = {{STIR}: Reed–Solomon Proximity Testing with Fewer Queries},
+      howpublished = {Cryptology {ePrint} Archive, Paper 2024/390},
+      year = {2024},
+      note = {\url{https://eprint.iacr.org/2024/390}},
+      url = {https://eprint.iacr.org/2024/390}
+}
+
 
 @misc{cryptoeprint:2021/370,
       author = {Abhiram Kothapalli and Srinath Setty and Ioanna Tzialla},
@@ -96,6 +105,11 @@
       note = {\url{https://sites.google.com/site/vincenzoiovinoit/}},
       url = {https://sites.google.com/site/vincenzoiovinoit/}
 }
+@misc{hectormasipardevol,
+      title = {{Héctor Masip Ardevol}},
+      note = {\url{https://hecmas.github.io}},
+      url = {https://hecmas.github.io}
+}
 @misc{fri-impl,
       note = {\url{https://github.com/arnaucube/fri-commitment}},
       url = {https://github.com/arnaucube/fri-commitment}