Proximity Testing with Logarithmic Randomness

A fundamental result dating to Ligero (Des. Codes Cryptogr. ’23) establishes that each fixed linear block code exhibits proximity gaps with respect to the collection of affine subspaces, in the sense that each given subspace either resides entirely close to the code, or else contains only a small portion which resides close to the code. In particular, any given subspace’s failure to reside entirely close to the code is necessarily witnessed, with high probability, by a uniformly randomly sampled element of that subspace. We investigate a variant of this phenomenon in which the witness is not sampled uniformly from the subspace, but rather from a much smaller subset of it. We show that a logarithmic number of random field elements (in the dimension of the subspace) suffice to effect an analogous proximity test, with moreover only a logarithmic (multiplicative) loss in the possible prevalence of false witnesses. We discuss applications to recent noninteractive proofs based on linear codes, including Brakedown (CRYPTO ’23).


Introduction
Proximity testing of linear block codes is an important target of many reductions, for example throughout the literature on succinct noninteractive proofs. In the basic version of this problem, a claimed codeword is tested for proximity to some given fixed linear block code, by means of an interactive protocol (or, more generally, an interactive oracle proof). The resulting protocol should accept genuine codewords with probability one; conversely, it should reject non-codewords with a probability closely related to the initial vector's distance from the code. It should also feature efficiency-say, measured in the number of oracle queries, or rounds of interaction-which grows favorably as a function of the code's block length (say, logarithmically).
In many applications, it is necessary to test whether a list of vectors consists entirely of words which are close to the code. This task is made precise as a proximity test for the code's interleaved code, defined as the set of matrices whose rows are all codewords, where the distance between two matrices is defined to be the number of columns at which the two matrices don't entirely agree. Indeed, proximity tests for interleaved linear codes reside at the heart of many recent zero-knowledge proof protocols, including Ames, Hazay, Ishai and Venkitasubramaniam's Ligero [AHIV23] and Golovnev et al.'s Brakedown [GLS+23].
Interleaved proximity tests are typically effected by random linear combinations. In this paradigm, the verifier samples a uniformly random coefficient vector as long as the list is, requests the corresponding combination of the list elements, and finally subjects the combination to a standard proximity test. (Other tests use powers of a single element, as we discuss below.) In order for this reduction to be sound, it should hold that the linear subspace generated by the list features related maximal and average distances from the code. More precisely, it should hold that the failure of the subspace's farthest element to be close to the code implies in turn that of the vast majority of the subspace's elements. This property is established for general linear codes by Ligero [AHIV23]. In this setting, the notion of "closeness" is given meaning by means of a so-called proximity parameter (whose value, as we explain below, cannot be completely arbitrary).
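The completeness of this paradigm rests on the linearity of the code: any F_q-linear combination of codewords is itself a codeword, namely the encoding of the same combination of the underlying messages. A minimal sketch of this fact (the toy prime field F_97 and the random generator matrix are illustrative choices made only for this example, not ones the text prescribes):

```python
import random

Q = 97  # toy prime field F_q (illustrative choice)

def encode(msg, G):
    """Encode a length-k message under the linear code with k x n generator matrix G."""
    n = len(G[0])
    return [sum(m * G[i][j] for i, m in enumerate(msg)) % Q for j in range(n)]

random.seed(0)
k, n, m = 4, 8, 6
G = [[random.randrange(Q) for _ in range(n)] for _ in range(k)]

# prover's list: m codewords (i.e., an interleaved codeword)
msgs = [[random.randrange(Q) for _ in range(k)] for _ in range(m)]
rows = [encode(msg, G) for msg in msgs]

# verifier: one uniform coefficient per row -- m field elements in total
coeffs = [random.randrange(Q) for _ in range(m)]
combo = [sum(c * row[j] for c, row in zip(coeffs, rows)) % Q for j in range(n)]

# the combination of codewords encodes the combination of the messages
combo_msg = [sum(c * msg[i] for c, msg in zip(coeffs, msgs)) % Q for i in range(k)]
assert combo == encode(combo_msg, G)
```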
A drawback of this approach stems from its communication and randomness complexity. Indeed, it requires that the verifier sample and send as many coefficients as there are elements in the list. Even in the random oracle model, this requirement can induce practical consequences, as it does, for example, in the setting of proof composition, in which the verifier's check must necessarily be encoded into a circuit. In fact, below, we explain how this issue impacts the zero-knowledge proof protocol Orion of Xie, Zhang and Song [XZS22, Fig. 4], and invalidates that protocol's stated polylogarithmic verifier complexity.

Our Contribution
We introduce a batching process for proximity tests of general linear codes-that is, a reduction from the interleaved code's proximity testing problem to the standard proximity testing problem-which consumes only logarithmically many random coefficients in the size m of the initial list of vectors. Moreover, our procedure's error parameter-which, by definition, upper-bounds the probability with which the verifier selects a proximal element despite testing a non-proximal subspace-exceeds by only a logarithmic multiplicative factor the "base" error parameter applicable to the standard affine proximity test (this latter parameter is given by the proximity-gap result of [AHIV23, Lem. A.1]).
In the particular setting of Reed-Solomon codes, a result of Ben-Sasson et al. [BSCI+23, Thm. 1.5] achieves a proximity test with sublinear randomness; indeed, that result uses just a single random parameter to test an m-generator subspace for proximity. Its error parameter, however, exceeds by a multiplicative factor of m − 1 that of the affine case. In the setting of general linear codes, Ben-Sasson, Kopparty, and Saraf [BSKS18, Thm. 12] describe a single-parameter proximity test, which, on the other hand, incurs exponential soundness loss in the list size m. In view of these previous results, our protocol achieves a favorable randomness-soundness tradeoff; it requires only logarithmically many parameters, and incurs only logarithmic multiplicative soundness loss. Our test is the first that we know of which achieves a practical soundness error bound, and consumes sublinear randomness, in the setting of general linear codes.
An interleaved test's proximity parameter, by definition, captures the degree of proximity the test detects. Our result works only for proximity parameters smaller than a third of the code's distance. We inherit this range restriction from the state-of-the-art for standard (i.e., linear-complexity) proximity testing. This state-of-the-art-whose proof, attributed to Roth and Zémor, appears in a recent update to Ligero [AHIV23, § A] (see also Theorem 1 below)-establishes proximity gaps for affine lines for those proximity parameters smaller than a third of the code's distance. (Various strengthenings of this result in the Reed-Solomon setting have been attained by [BSCI+23].) We note that the analogue of this latter result for more general proximity parameters-say, smaller than half of the code's distance (i.e., up to its unique decoding radius)-remains an important open problem; our work would immediately profit upon its hypothetical future resolution.
Our construction entails, roughly, that the verifier, given the initial list u_0, . . ., u_{m−1} of vectors, sample logarithmically many random scalars r_0, . . ., r_{log m−1}, send these to the prover, and finally request the combination of the vectors u_0, . . ., u_{m−1} whose coefficient vector is given by the tensor product (or Kronecker product) (1 − r_0, r_0) ⊗ · · · ⊗ (1 − r_{log m−1}, r_{log m−1}). The verifier then subjects this latter combination to a standard proximity test. As above, in order for this maneuver to be sound, it should hold that, for each initial list for which the subspace ⟨u_0, . . ., u_{m−1}⟩ does not consist entirely of elements which are close to the code, most tuples (r_0, . . ., r_{log m−1}) ∈ F_q^{log m} yield tensor products whose corresponding combinations are themselves far from the code. This is essentially what we prove in our main result, given in Section 3.
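The verifier's combination step can be sketched as follows (with F_97 again an illustrative toy modulus): the tensor of log m scalars expands to a length-m coefficient vector, and these coefficients, being Lagrange-basis evaluations, sum to 1.

```python
import random

Q = 97  # toy prime field (illustrative choice)

def tensor(rs):
    """Iterated product (1 - r_0, r_0) x ... x (1 - r_{l-1}, r_{l-1}): each new
    factor scales the existing lower half by (1 - r) and appends an r-scaled copy."""
    t = [1]
    for r in rs:
        t = [(1 - r) * x % Q for x in t] + [r * x % Q for x in t]
    return t

random.seed(1)
m, n = 8, 5                      # m = 2^3 rows of length n
log_m = m.bit_length() - 1
rows = [[random.randrange(Q) for _ in range(n)] for _ in range(m)]

rs = [random.randrange(Q) for _ in range(log_m)]   # only log m random scalars
coeffs = tensor(rs)
combo = [sum(c * row[j] for c, row in zip(coeffs, rows)) % Q for j in range(n)]

assert len(coeffs) == m
# the coefficients multiply out to 1 in total: prod((1 - r_i) + r_i) = 1
assert sum(coeffs) % Q == 1
```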
Besides its attractive asymptotic profile and its simplicity, our construction is moreover strongly motivated by its applications to polynomial commitment schemes, as we now explain. Indeed, a certain approach to the problem of multilinear polynomial commitment-which appears to date to Ligero [AHIV23], and is explicitly isolated in the subsequent work Brakedown [GLS+23]-makes use of a suitable error-correcting code. This scheme, which we call the Brakedown multilinear polynomial commitment scheme, proceeds by collating the coefficients of a given multilinear polynomial into the rows of a matrix, and then encoding this matrix row-wise (under the particular linear block code chosen for use). Crucially, if the resulting matrix is close to an interleaved codeword, then the committed polynomial is well-defined, and may be extracted. The Brakedown scheme thus subjects the encoded matrix to an interleaved proximity test (the "testing" phase), before finally requesting its underlying polynomial's evaluation (the "evaluation" phase). The observation underlying our work is that if our batching procedure is used for the interleaved proximity test-and if the verifier's evaluation point is random (a minor condition which holds in all applications we're aware of)-then the testing and evaluation phases of the Brakedown scheme become identical, and can be consolidated. The resulting gains in simplicity and efficiency are substantial. For example, we reduce the proof size of the Brakedown scheme-regardless of the code used-by a factor of √2. In the special case that a linear-time-encodable code is used (as it is in Brakedown [GLS+23] and Orion [XZS22]), we moreover improve both the prover's and verifier's respective runtimes by a factor of 2, up to lower-order terms. We provide further details in Section 4.
We briefly sketch our proof (see also Theorem 2 below). Our proof makes blackbox use of the proximity gaps result for affine lines due to Roth and Zémor (see Theorem 1 below, in which we present a thorough, and somewhat simpler, proof of this result). Essentially, we observe that the tensor product exhibits a recursive substructure, whereby, when an ℓ-variable tensor product is used as a combination vector, the resulting combination is itself an interpolation, over an affine line, of two (ℓ − 1)-variable tensor combinations. Under the hypothesis whereby many among the initial ℓ-tensor combinations are close to the code, we manage to deduce that many (ℓ − 1)-tensor combinations yield lines which contain large close-to-the-code subsets. Applying Theorem 1 to these lines, we conclude that both (ℓ − 1)-combinations themselves frequently reside close to the code, thereby "pushing down" the initial hypothesis to two half-sized instances of the problem. Inducting, we reach the base case, which is once again simply Theorem 1.
Finally, we show that two half-dimensional subspaces which individually exhibit correlated agreement may be "reconciled", so as to yield correlated agreement on their sum. We isolate a condition under which this reconciliation can be performed, whereby both (ℓ − 1)-tensors are simultaneously as far as is possible from the code (in that they disagree with the code everywhere outside of the correlated agreement set of the subspace in which they reside). The difficult part is to produce an appropriate such (ℓ − 1)-tensor (i.e., for which both combinations are far from the code). To achieve this, we bound the sizes of the "bad" sets within which the relevant (ℓ − 1)-tensors become spuriously close to the code; this in turn entails a union bound over the vanishing loci of (ℓ − 1)-variate polynomials, each bounded in size by the Schwartz-Zippel lemma. This latter technique can be viewed as a multivariate generalization of an idea which, in univariate form, appears throughout several prior works (see e.g. Roth and Zémor [AHIV23, § A] and Ben-Sasson, Kopparty, and Saraf [BSKS18, Lem. 8]). The idea whereby a maximally far element of a subspace can, in a sense, "force agreement" between words appears, implicitly, in a proof of Ben-Sasson et al. [BSCI+23, § 6.3].
Section 4-in which, applying our new proximity test, we describe a certain improved scheme for multilinear polynomial commitment-also presents technical difficulties. The difficult part is to show that our polynomial commitment scheme features witness-extended emulation. We note that emulation is trivial for codes which admit efficient decoders, like the Reed-Solomon codes used by Ligero [AHIV23, § A]; we, however, treat general codes. When efficient decoding is not assumed, emulation becomes much more difficult (and requires rewinding). Indeed, our scheme imposes somewhat sophisticated demands on the emulator, which must collect a sequence of passing proximity tests with linearly independent combination vectors. We introduce a new emulation strategy, departing significantly from Brakedown's. Our emulator is actually quite simple, and is inspired by that of Bootle et al.'s classic forking lemma [BCC+16, Lem. 1]. Its analysis, however, is challenging, and introduces a handful of new ideas. The main technical issue is that a malicious prover could, in principle, act in such a way as to thwart the emulator, by, say, outputting successful proofs with vastly higher probability when the verifier's challenge vector yields a tensor belonging to some proper subspace. In particular, its conditional distribution of proofs-that is, these proofs' distribution, conditioned on success-may depart radically from uniform, and may tend towards certain events which cause the emulator to fail. Our idea is to show that if the prover's success probability is sufficiently high-specifically, higher than the square root of that of the failure events, a quantity which, though likewise negligible, decays much more slowly-then this conditional distribution necessarily concentrates away from the failure events. The idea is to "split the difference" in the exponent (the square root operation has precisely the effect of halving the superlogarithmic decay function implicit in the failure probability's exponent). This square root is overwhelmingly higher than the failure probability itself; on the other hand, it's still negligible. We compare our proof strategy to Brakedown's [GLS+23, Lem. 3] at the end of Subsection 4.2 below.
In Subsection 4.3 below, we describe how our technique improves the efficiency of the Ligero-style scheme. Indeed, we exhibit a √2-factor improvement to that protocol's proof size, up to lower-order terms, for each input polynomial size. In the setting of a linear-time-encodable code, we also improve the protocol's prover and verifier time by at least twofold, up to lower-order terms, for each input polynomial size.

Prior Work
Ideas related to ours appear throughout several prior works. Ligero appears to have initiated the study of proximity gaps; we use extensively that work's proximity gap result for affine spaces [AHIV23, § A]. In fact, the proof of that result resides in partial form across the two stated results [AHIV23, Lem. 4.3] and [AHIV23, Lem. A.1]. The former is due to Ames, Hazay, Ishai and Venkitasubramaniam, and appears in the original, 2017 conference version of that work; the latter, on the other hand, is attributed by the authors to Roth and Zémor, and was added in a subsequent update. We observe that the former result-that is, [AHIV23, Lem. 4.3]-in fact already contains most of the techniques required to make the proof go through. Roth and Zémor's [AHIV23, Lem. A.1], on the other hand, introduces the idea of replacing both generators of the line with elements which are close to the code (though in an unnecessarily complicated form, in which the elements are assumed moreover to reside close to the origin). We synthesize and simplify these various ideas in our treatment below, given in Theorem 1.
A further conceptual predecessor to Brakedown [GLS+23] appears in the form of Bootle et al. [BCC+16, § 3]; that work presents a univariate polynomial commitment scheme, which, nonetheless, arranges the polynomial's coefficients into a square matrix, and commits to its rows. That work doesn't use an error-correcting code or Merkle hashing, and admits square-root-sized-as opposed to constant-sized-commitments. Moreover, it doesn't invoke a proximity test at all, so that our topic is inapplicable to it.
The work Bootle, Chiesa and Groth [BCG20] bears some resemblance to ours, though differs fundamentally. That work presents a protocol for R1CS in the tensor IOP model, as well as a compiler from tensor IOPs to standard IOPs. The latter compiler invokes a proximity test for so-called tensor codes. In that protocol, over the course of multiple rounds, the prover repeatedly "folds" an initial tensor, using verifier-supplied randomness, and, in each round, sends the resulting intermediate tensor to the verifier. While the security proof of that protocol invokes the proximity-gaps result [AHIV23, § A], that result is applied "fold-wise" to the prover's successive intermediate tensors. That proof's structure thus differs importantly from ours; our prover performs log m folds "in one shot", sending only the final result, and our protocol is constant-round.
Our polynomial commitment scheme, again, exploits the setting in which the verifier's point query is random. The insight whereby a polynomial commitment scheme suitable only for random points can be made more efficient than one suitable for arbitrary points appears to date to the work Marlin of Chiesa et al. [CHM+20, § 6], though that work treats univariate polynomials.

Technical Overview
In this subsection, we discuss in further detail how our proximity gap result allows a certain well-known polynomial commitment scheme to be simplified and improved. Several recent constructions of succinct proofs-such as Brakedown [GLS+23], Orion [XZS22], and Vortex [BS22]-make use of a particular subprotocol for multilinear polynomial commitment, which we call the Brakedown multilinear polynomial commitment scheme. The Brakedown scheme-like polynomial commitment schemes in general-allows the prover to commit to a polynomial, and later, given an evaluation point supplied by the verifier, to evaluate the polynomial at the given point, and finally to produce a proof attesting to its evaluation's correctness.
We observe that-in all of the above protocols-the verifier evaluates each committed polynomial only at a random point, as opposed to at an arbitrary point. This latter fact is itself explained by the sum-check reduction, as we briefly explain. That protocol reduces the problem of obtaining the sum of a multivariate polynomial's respective evaluations over the unit cube to the problem of evaluating the polynomial once at a single point in its domain, which, crucially, is random (sampled throughout the course of the sum-check protocol). We refer to [Set20, § 3] for further details. In other words, these succinct proof protocols employ a tool which is more powerful than necessary. Capitalizing on this observation, we isolate a special sort of multilinear polynomial commitment scheme, suitable only for random queries (see Definition 3). Our restricted notion serves as a drop-in replacement for the standard scheme in all of the above applications.
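To make the preceding point concrete, here is a minimal sum-check sketch (over an illustrative toy field F_97, with the multilinear polynomial represented by its evaluations over the unit cube); the protocol terminates with a single evaluation claim at a point assembled entirely from the verifier's random challenges.

```python
import random

Q = 97  # toy prime field (illustrative choice)

def fold(evals, r):
    """Fix the lowest-indexed variable to r, by multilinear interpolation of
    the two evaluations that differ only in that variable."""
    return [((1 - r) * evals[2 * j] + r * evals[2 * j + 1]) % Q
            for j in range(len(evals) // 2)]

def sumcheck(evals):
    """Run the (honest-prover) sum-check protocol on evaluations over {0,1}^l;
    return the random point, the final claim, and the true value there."""
    claim = sum(evals) % Q
    point = []
    while len(evals) > 1:
        g0 = sum(evals[0::2]) % Q        # prover: partial sum with x = 0
        g1 = sum(evals[1::2]) % Q        # prover: partial sum with x = 1
        assert (g0 + g1) % Q == claim    # verifier's round consistency check
        r = random.randrange(Q)          # verifier's random challenge
        claim = ((1 - r) * g0 + r * g1) % Q
        evals = fold(evals, r)
        point.append(r)
    return point, claim, evals[0]

random.seed(2)
evals = [random.randrange(Q) for _ in range(8)]   # l = 3 variables
point, claim, value = sumcheck(evals)
# the protocol ends with one evaluation claim at a *random* point
assert claim == value
```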
We moreover introduce a new commitment scheme-suitable only for random samplers-which significantly simplifies Brakedown's protocol, as we now explain. We observe that, in that variant of the Brakedown scheme which uses our batching procedure in lieu of the standard, linear-complexity proximity test (and where, once again, we assume that the verifier's evaluation point is random), the resulting "testing" and "evaluation" phases become identical, and can be consolidated. This measure yields gains in both simplicity and efficiency. Indeed, our approach reduces the Brakedown commitment scheme's proof size by a √2 factor, and also significantly improves the prover's and verifier's concrete computational costs in the random-evaluation setting.
This observation-i.e., whereby a polynomial commitment scheme suitable only for random evaluation points may be made more efficient than one suitable for arbitrary evaluation points-dates back to Chiesa et al.'s Marlin [CHM+20, § 6], in which the polynomial commitment schemes at hand are proven secure only for so-called "admissible query samplers" (we note, separately, that that work treats commitments to arbitrary-degree, and univariate, polynomials). In that setting, a query sampler is, by definition, an efficient algorithm which determines where the polynomials at hand are to be evaluated; a query sampler is said to be admissible if (roughly) it necessarily requests that each polynomial at hand be evaluated at least once on some point drawn uniformly from a superpolynomially-sized set (with additional queries also permissible).
The case of Orion. Beyond its efficiency advantages, our approach moreover resolves a more serious obstacle in the setting of proof composition. Indeed, in typical applications-which assume the random oracle model-the verifier need not send its combination coefficients explicitly to the prover, as both parties may generate them locally by means of queries to the random oracle. The generation and transmission of these coefficients, in this setting, thus do not impact the protocol's verifier or communication complexity. In contrast, in the setting of proof composition-in which the verifier's check is necessarily encoded into a circuit-the random oracle introduces problems. For one, it must be instantiated concretely, so that it ceases to be a (true) random oracle. This fact may affect the security analysis of the inner protocol. Separately, hash function evaluations are expensive to encode in circuits. To evade these issues, many protocols extract the inner verifier's generation of the relevant random coefficients from the relevant circuit, and stipulate that the outer verifier instead populate them directly, as public inputs to the outer proof.
This latter strategy may impact the computational complexity of the outer verifier, particularly when, say, the inner verifier uses a proximity test in the style of [AHIV23, § A] or [BSCI+23, Thm. 1.6] (with linear randomness complexity in the list size). For example, the Orion zero-knowledge proof protocol of Xie, Zhang and Song [XZS22, Prot. 4] proves satisfiability of a size-N arithmetic circuit by recursively invoking a linear-randomness batched proximity test on a list of Θ(√N) vectors, and moreover delegates the randomness-generation required by this latter task to the outermost verifier. This strategy makes the computational complexity of its outermost verifier Ω(√N), and invalidates its stated O(log^2 N) complexity.
The approach whereby single-parameter batching-i.e., using powers of a single random parameter-is instead used does not resolve the issue. Indeed, that approach would prohibitively increase the protocol's soundness error, by a factor linear in the list length Θ(√N) in the Reed-Solomon case [BSCI+23, Thm. 1.5], and-what is much worse-by an exponential factor in the case of general codes [BSKS18, Thm. 12].
Our protocol. We now sketch slightly more thoroughly how our batching procedure allows the Brakedown multilinear polynomial commitment scheme to be simplified (in the random-evaluation setting). We recall that the Brakedown scheme begins by collating the m^2 coefficients of a given multilinear polynomial in 2·log m variables (say), expressed moreover with respect to the Lagrange basis over the unit cube {0, 1}^{2·log m}, into the rows of an m × m matrix. This matrix is then encoded row-wise, using some fixed linear block code; the resulting matrix is finally committed to. (In Ligero [AHIV23], as well as in Shockwave [GLS+23], the Reed-Solomon code is used; in Brakedown [GLS+23, § 4.2], a newly introduced linear-time-encodable code is used instead.) Crucially, if the committed matrix is close to an interleaved codeword, then the committed polynomial is well-defined, and may be extracted.
The Brakedown-style scheme thus proceeds in two phases. In the testing phase, the verifier applies an interleaved proximity test to the committed matrix. Specifically, the verifier reduces the interleaved proximity problem given by the initial matrix to a standard proximity testing problem, by means of a random combination of its rows. It then solves the latter by directly requesting the message underlying the combination (which is well-defined if the prover is honest), encoding the supplied message, and finally probabilistically testing it for equality with the combination by means of queries at random columns.
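The testing phase's final spot-check can be sketched as follows (the toy field F_97 and the random toy generator matrix are again illustrative assumptions): the verifier encodes the claimed message itself, and compares the result, at a few random columns, against the same combination applied to the opened columns of the committed matrix.

```python
import random

Q = 97  # toy prime field (illustrative choice)

def encode(msg, G):
    n = len(G[0])
    return [sum(m * G[i][j] for i, m in enumerate(msg)) % Q for j in range(n)]

random.seed(3)
k, n, m = 4, 8, 6
G = [[random.randrange(Q) for _ in range(n)] for _ in range(k)]
msgs = [[random.randrange(Q) for _ in range(k)] for _ in range(m)]
rows = [encode(msg, G) for msg in msgs]          # committed (encoded) matrix

coeffs = [random.randrange(Q) for _ in range(m)]  # verifier's combination
claimed_msg = [sum(c * msg[i] for c, msg in zip(coeffs, msgs)) % Q
               for i in range(k)]                 # honest prover's response
expected = encode(claimed_msg, G)                 # verifier re-encodes locally

# spot-check against opened columns at a few random indices
for j in random.sample(range(n), 3):
    column = [row[j] for row in rows]             # the Merkle-opened column j
    assert expected[j] == sum(c * x for c, x in zip(coeffs, column)) % Q
```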
Having established the matrix's proximity to the interleaved code, the verifier initiates the evaluation phase, in which the committed polynomial is evaluated at the verifier's chosen point. In light of the committed polynomial's assumed structure, this latter phase may be effected by means of a further combination of the committed rows (and a further proximity test), where-this time-the coefficient vector is a tensor. Indeed, it is straightforward to check that for each multilinear polynomial t(X_0, . . ., X_{2·log m−1}) and each point (r_0, . . ., r_{2·log m−1}) ∈ F_q^{2·log m}, we have that t(r_0, . . ., r_{2·log m−1}) equals:

⊗_{i=log m}^{2·log m−1} (1 − r_i, r_i) · (t_i)_{i=0}^{m−1} · (⊗_{i=0}^{log m−1} (1 − r_i, r_i))^T,

where both vectors above contain tensor products in the sense of Section 2 below, and where the length-m rows t_0, . . ., t_{m−1} contain t's collated Lagrange coefficients. It follows that if the verifier requests the message Σ_{i=0}^{m−1} (⊗_{i'=log m}^{2·log m−1} (1 − r_{i'}, r_{i'}))_i · t_i during the evaluation phase, then it may calculate t's value at (r_0, . . ., r_{2·log m−1}) by means of the further local calculation given by the inner product of this message with ⊗_{i=0}^{log m−1} (1 − r_i, r_i). If the tuple (r_{log m}, . . ., r_{2·log m−1}) is random, then this latter evaluation procedure becomes identical to our batched proximity test, and can supplant the testing phase altogether.
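The consolidation rests on the algebraic identity above, which can be checked numerically. In the sketch below (over an illustrative toy field F_97, with arbitrary coefficients standing in for a committed polynomial), evaluating via the full 2·log m-fold tensor agrees with first combining the rows by the "high" tensor and then taking an inner product with the "low" one.

```python
import random

Q = 97  # toy prime field (illustrative choice)

def tensor(rs):
    t = [1]
    for r in rs:
        t = [(1 - r) * x % Q for x in t] + [r * x % Q for x in t]
    return t

random.seed(4)
log_m = 2
m = 2 ** log_m
coeffs = [random.randrange(Q) for _ in range(m * m)]   # Lagrange coefficients
T = [coeffs[i * m:(i + 1) * m] for i in range(m)]      # collated m x m matrix

rs = [random.randrange(Q) for _ in range(2 * log_m)]
lo, hi = tensor(rs[:log_m]), tensor(rs[log_m:])

# direct evaluation: full tensor of all 2*log m challenges against coefficients
full = tensor(rs)
direct = sum(c * x % Q for c, x in zip(full, coeffs)) % Q

# two-stage evaluation: combine the rows with the "high" tensor (the batched
# proximity test's combination), then inner-product with the "low" tensor
combined_row = [sum(hi[i] * T[i][j] for i in range(m)) % Q for j in range(m)]
staged = sum(lo[j] * combined_row[j] for j in range(m)) % Q
assert direct == staged
```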

Background and Notation
We generally adopt the notation of [AHIV23] and [BSCI+23]. A code of length n over the alphabet Σ is a subset of Σ^n. We write q for a prime power, F_q for the finite field of order q, and C ⊂ F_q^n for a linear [n, k, d]-code over F_q. We write w(u) for the Hamming weight of a vector, d for the Hamming distance, and d(u, C) := min_{v ∈ C} d(u, v) for the distance from a point to a code. We finally write ∆(u, v) ⊂ {0, . . ., n − 1} for the disagreement set between u and a codeword v. The puncturing of a code C at an index set M ⊂ {0, . . ., n − 1} is the projection of C onto the set of components indexed by {0, . . ., n − 1} \ M.
Given a linear code C ⊂ F_q^n and an integer m ≥ 1, we have its corresponding m-fold interleaved code, defined as the subset C^m ⊂ (F_q^m)^n ≅ (F_q^n)^m. We understand this latter set as a length-n block code over the alphabet F_q^m. In particular, its elements are naturally identified with matrices in F_q^{m×n}, where two such matrices differ at a column if they differ at any of that column's components; we write d^m for the resulting interleaved distance. A matrix (u_i)_{i=0}^{m−1} thus satisfies d^m((u_i)_{i=0}^{m−1}, C^m) ≤ e if and only if there is a subset D, say, of {0, . . ., n − 1}, of size at most e, for which, for each i ∈ {0, . . ., m − 1}, the row u_i admits a codeword v_i ∈ C for which u_i |_{{0,...,n−1}\D} = v_i |_{{0,...,n−1}\D}. We emphasize that the subset D ⊂ {0, . . ., n − 1} is fixed, and does not vary as the row-index i ∈ {0, . . ., m − 1} varies. In this circumstance, following the terminology of [BSCI+23], we say that the vectors (u_i)_{i=0}^{m−1} feature correlated agreement outside of the set D, or that they feature e-correlated agreement.

We define the tensor product of vectors inductively on length-two vectors of the form (1 − r, r), where r ∈ F_q; that is, we stipulate that (s_0, . . ., s_{m−1}) ⊗ (1 − r, r) := ((1 − r)·s_0, . . ., (1 − r)·s_{m−1}, r·s_0, . . ., r·s_{m−1}). In particular, we thereby give meaning to iterated expressions of the form (1 − r_0, r_0) ⊗ · · · ⊗ (1 − r_{ℓ−1}, r_{ℓ−1}) by left-association (the natural extension of this definition to operands of arbitrary length is associative). We note that the tensor product operation is not commutative. For notational purposes, we use the abbreviation ⊗_{i=0}^{ℓ−1} (1 − r_i, r_i) to refer to the above expression (where the left-to-right order is again understood), which is a length-2^ℓ vector. We note that this vector in fact consists precisely of the evaluations at the fixed point (r_0, . . ., r_{ℓ−1}) ∈ F_q^ℓ of the 2^ℓ Lagrange basis polynomials in F_q[X_0, . . ., X_{ℓ−1}], taken with respect to the evaluation set {0, 1}^ℓ ⊂ F_q^ℓ.
Indeed, this latter basis is precisely the list of polynomials ∏_{i=0}^{ℓ−1} (b_i·X_i + (1 − b_i)·(1 − X_i)), indexed by the vertices (b_0, . . ., b_{ℓ−1}) ∈ {0, 1}^ℓ. We note that these polynomials are F_q-linearly independent elements of F_q[X_0, . . ., X_{ℓ−1}], where we view the latter ring as an F_q-vector space.
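This coincidence between tensor coordinates and Lagrange-basis evaluations is easy to verify directly; the following sketch (over an illustrative toy modulus) checks it exhaustively for ℓ = 3.

```python
Q = 97  # toy prime field (illustrative choice)

def tensor(rs):
    t = [1]
    for r in rs:
        t = [(1 - r) * x % Q for x in t] + [r * x % Q for x in t]
    return t

def lagrange(bits, point):
    """Evaluate the Lagrange basis polynomial for cube vertex `bits` at `point`:
    the product of b*X + (1 - b)*(1 - X) over all coordinates."""
    out = 1
    for b, x in zip(bits, point):
        out = out * (b * x + (1 - b) * (1 - x)) % Q
    return out

point = [5, 11, 42]        # an arbitrary sample point in F_q^3
t = tensor(point)
for idx in range(8):
    bits = [(idx >> k) & 1 for k in range(3)]   # bit k selects r_k vs (1 - r_k)
    assert t[idx] == lagrange(bits, point)
```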
The probability distributions we consider are exclusively uniform over sets of the form F_q^ℓ. We write µ(R) for the probability mass of the subset R ⊂ F_q^ℓ; that is, µ(R) := |R| / q^ℓ.

We recall certain notions related to Merkle trees. We fix parameters m and n, which we assume to be powers of 2; throughout, we write (u_i)_{i=0}^{m−1} for an m × n matrix with entries in F_q. For each j ∈ {0, . . ., n − 1}, we write (u_{i,j})_{i=0}^{m−1} for the j-th column of (u_i)_{i=0}^{m−1}. For our purposes, a Merkle tree on the data (u_i)_{i=0}^{m−1} is a binary tree whose leaves take the form H((u_{i,j})_{i=0}^{m−1}), for j ∈ {0, . . ., n − 1}, and where each internal node is the hash of the concatenation of its children. A Merkle opening or Merkle path is the data of a column (u_{i,j})_{i=0}^{m−1}, for some j ∈ {0, . . ., n − 1}, together with the respective siblings of those nodes contained in the path from the j-th leaf to the root. For each j ∈ {0, . . ., n − 1}, the Merkle opening ((u_{i,j})_{i=0}^{m−1}, h_0, . . ., h_{log n−1}) is valid against the Merkle root c if the following algorithm returns true: write j = (j_{log n−1}, . . ., j_0) for the bits of j ∈ {0, . . ., n − 1}; initialize h := H((u_{i,j})_{i=0}^{m−1}); for each k ∈ {0, . . ., log n − 1}, overwrite h := H(h ∥ h_k) if j_k = 0, and h := H(h_k ∥ h) if j_k = 1; finally, return whether h = c. Figure 1a below illustrates a Merkle opening. We shade in grey the actual contents of the Merkle opening (i.e., the data it explicitly supplies). We moreover enclose in a solid border those nodes whose values are "determined" by the Merkle opening. Figure 1b below depicts a collection of distinct Merkle openings. In that figure, we shade in grey those nodes explicitly included in some Merkle path; moreover, as before, we enclose in a solid line those nodes collectively determined by the tree's Merkle paths.
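The Merkle commitment and opening procedure just described can be sketched as follows (SHA-256 and the naive `repr`-based column serialization are illustrative choices made only for this example).

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_tree(columns):
    """Merkle tree over the columns of a matrix; returns all layers, root layer last."""
    layer = [H(repr(col).encode()) for col in columns]
    layers = [layer]
    while len(layer) > 1:
        layer = [H(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
        layers.append(layer)
    return layers

def open_path(layers, j):
    """Siblings along the path from leaf j to the root."""
    path, idx = [], j
    for layer in layers[:-1]:
        path.append(layer[idx ^ 1])   # sibling of the current node
        idx //= 2
    return path

def verify(column, j, path, root):
    """Recompute the root from the opened column and its sibling path."""
    h, idx = H(repr(column).encode()), j
    for sib in path:
        h = H(sib + h) if idx & 1 else H(h + sib)
        idx //= 2
    return h == root

matrix = [[i * 10 + j for j in range(8)] for i in range(4)]   # 4 x 8 toy data
columns = [[row[j] for row in matrix] for j in range(8)]
layers = build_tree(columns)
root = layers[-1][0]
assert verify(columns[5], 5, open_path(layers, 5), root)
assert not verify([0, 0, 0, 0], 5, open_path(layers, 5), root)
```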

The Proximity Gap for Affine Lines
We now recapitulate a key result due to Ames, Hazay, Ishai and Venkitasubramaniam [AHIV23, Lem. 4.3] and to Roth and Zémor [AHIV23, Lem. A.1].

Theorem 1. Let C ⊂ F_q^n be an [n, k, d]-code, fix a proximity parameter e ∈ {0, . . ., ⌊(d−1)/3⌋}, and let u_0 and u_1 be vectors in F_q^n. If Pr_{r ∈ F_q}[d((1 − r)·u_0 + r·u_1, C) ≤ e] > (e+1)/q, then d^2((u_i)_{i=0}^1, C^2) ≤ e.

Proof. By the theorem's hypothesis, there exist at least e + 2 ≥ 2 parameters r ∈ F_q for which d((1 − r)·u_0 + r·u_1, C) ≤ e; we fix two distinct such parameters r'_0 and r'_1, and write u'_0 := (1 − r'_0)·u_0 + r'_0·u_1 and u'_1 := (1 − r'_1)·u_0 + r'_1·u_1. Since u'_0 and u'_1 span the same affine line as u_0 and u_1 do, the theorem's hypothesis is certainly fulfilled with respect to u'_0 and u'_1. On the other hand, if d^2((u'_i)_{i=0}^1, C^2) ≤ e holds, then d^2((u_i)_{i=0}^1, C^2) ≤ e also holds, as we presently argue. Indeed, fixing codewords v'_0 and v'_1 for which |∆^2((u'_i)_{i=0}^1, (v'_i)_{i=0}^1)| ≤ e, as well as constants s_0 and s_1 in F_q for which u_0 = (1 − s_0)·u'_0 + s_0·u'_1 and u_1 = (1 − s_1)·u'_0 + s_1·u'_1, we set v_0 := (1 − s_0)·v'_0 + s_0·v'_1 and v_1 := (1 − s_1)·v'_0 + s_1·v'_1. Trivially, v_0 and v_1 are both codewords; we moreover argue that ∆^2((u_i)_{i=0}^1, (v_i)_{i=0}^1) ⊂ ∆^2((u'_i)_{i=0}^1, (v'_i)_{i=0}^1). Indeed, for each j ∉ ∆^2((u'_i)_{i=0}^1, (v'_i)_{i=0}^1), the equalities u'_{0,j} = v'_{0,j} and u'_{1,j} = v'_{1,j} both hold, by definition. These latter equalities imply that u_{0,j} = v_{0,j} and u_{1,j} = v_{1,j} themselves hold, since u_0 and u_1 relate to u'_0 and u'_1 just as v_0 and v_1 relate to v'_0 and v'_1. We conclude that j ∉ ∆^2((u_i)_{i=0}^1, (v_i)_{i=0}^1).

It thus suffices to prove the theorem for u'_0 and u'_1. Our construction of these latter elements implies that d(u'_0, C) ≤ e and d(u'_1, C) ≤ e hold. We write v'_0 and v'_1 for codewords for which d(u'_0, v'_0) ≤ e and d(u'_1, v'_1) ≤ e, respectively, hold. We suppose for contradiction that the conclusion of the theorem is false with respect to u'_0 and u'_1, so that d^2((u'_i)_{i=0}^1, C^2) > e. We note that (u'_i)_{i=0}^1 and (v'_i)_{i=0}^1 may disagree only within the union ∆(u'_0, v'_0) ∪ ∆(u'_1, v'_1); this union's size necessarily exceeds e, since, were it of size at most e, it would itself witness e-correlated agreement between (u'_i)_{i=0}^1 and (v'_i)_{i=0}^1. For each j ∈ {0, . . ., n − 1}, we write R_j for the set of parameters r ∈ F_q at which (1 − r)·u'_{0,j} + r·u'_{1,j} = (1 − r)·v'_{0,j} + r·v'_{1,j}; for each j ∈ ∆(u'_0, v'_0) ∪ ∆(u'_1, v'_1), the affine map r ↦ (1 − r)·(u'_{0,j} − v'_{0,j}) + r·(u'_{1,j} − v'_{1,j}) is not identically zero, so that |R_j| ≤ 1. We write R* for the set of parameters r ∈ F_q at which d((1 − r)·u'_0 + r·u'_1, C) ≤ e; by hypothesis, |R*| ≥ e + 2. We fix an element r* ∈ R*, and write v* ∈ C, say, for the (uniquely determined, since e < d/2) codeword for which d((1 − r*)·u'_0 + r*·u'_1, v*) ≤ e. Since (1 − r*)·u'_0 + r*·u'_1 agrees with the codeword (1 − r*)·v'_0 + r*·v'_1 outside of ∆(u'_0, v'_0) ∪ ∆(u'_1, v'_1), a set of size at most 2·e, we see that v* and (1 − r*)·v'_0 + r*·v'_1 agree outside of a set of size at most 3·e < d, and hence are equal. Since |∆(u'_0, v'_0) ∪ ∆(u'_1, v'_1)| > e (by the above argument), applying the inequality d((1 − r*)·u'_0 + r*·u'_1, (1 − r*)·v'_0 + r*·v'_1) ≤ e just obtained, we conclude that r* ∈ R_j holds for at least one index j ∈ ∆(u'_0, v'_0) ∪ ∆(u'_1, v'_1) (indeed, the two vectors at hand disagree exactly at those indices j of the union for which r* ∉ R_j). We finally observe that for each j outside of the intersection ∆(u'_0, v'_0) ∩ ∆(u'_1, v'_1), the set R_j is either {0} or {1}. Specifically, for j ∈ ∆(u'_0, v'_0) \ ∆(u'_1, v'_1), we have u'_{1,j} = v'_{1,j} and u'_{0,j} ≠ v'_{0,j}, so that R_j = {1}; symmetrically, for j ∈ ∆(u'_1, v'_1) \ ∆(u'_0, v'_0), we have R_j = {0}. On the other hand, since |∆(u'_0, v'_0) ∪ ∆(u'_1, v'_1)| > e, while |∆(u'_0, v'_0)| ≤ e and |∆(u'_1, v'_1)| ≤ e both hold, we see that |∆(u'_0, v'_0) ∩ ∆(u'_1, v'_1)| ≤ e − 1. We conclude that |R*| ≤ |{0, 1}| + |∆(u'_0, v'_0) ∩ ∆(u'_1, v'_1)| ≤ e + 1, so that Pr_{r ∈ F_q}[d((1 − r)·u'_0 + r·u'_1, C) ≤ e] ≤ (e+1)/q, and the theorem's hypothesis is false with respect to u'_0 and u'_1.
Remark 1. A result exactly analogous to Theorem 1-with identical parameters-holds for arbitrary-dimensional affine subspaces, and can moreover be proven using Theorem 1. In fact, precisely this reduction is carried out in [BSCI+23, § 6.3] (in the list-decoding setting no less, though that work's approach is straightforwardly specialized). Since we don't need this more general result below, we omit its treatment.
Remark 2. Theorem 1 is sharp, in the sense that its false witness probability (e+1)/q cannot be decreased. This fact is demonstrated by the following example of Ben-Sasson et al. [BSCI+23, Rem. 1.1]. We fix an [n, k, d]-code C ⊂ F_q^n, and set e ∈ {0, . . ., ⌊(d−1)/3⌋} arbitrarily. We assume that q > e + 1 and d > 1. We fix distinct elements x_0, . . ., x_e of F_q, and set u_0 := (x_0, . . ., x_e, 0, . . ., 0) and u_1 := (x_0 − 1, . . ., x_e − 1, 0, . . ., 0). Writing w_r := (1 − r)·u_0 + r·u_1, we see that w_r = (x_0 − r, . . ., x_e − r, 0, . . ., 0). Indeed, for each i ∈ {0, . . ., e}, we clearly have d(w_{x_i}, C) ≤ e, since the i-th component of w_{x_i} vanishes, so that w_{x_i} is of weight at most e. On the other hand, for each r ∉ {x_0, . . ., x_e}, we claim that d(w_r, C) > e. Indeed, d(w_r, 0) = e + 1 > e clearly holds; on the other hand, for each nonzero codeword v ∈ C, we have by the reverse triangle inequality that d(w_r, v) ≥ w(v) − w(w_r) ≥ d − (e + 1) > e, where, in the final step, we use the guarantee 2·e + 1 < d (a consequence of 3·e < d if e > 0, or else of d > 1 in the case e = 0). We see that Pr_{r ∈ F_q}[d(w_r, C) ≤ e] = (e+1)/q. On the other hand, the conclusion d^2((u_i)_{i=0}^1, C^2) ≤ e of Theorem 1 certainly fails to hold, since it would imply that R* = F_q (where R* ⊂ F_q again denotes the set of parameters r for which d(w_r, C) ≤ e), whereas we have instead that |R*| = e + 1.
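The example of Remark 2 can be checked by brute force; the sketch below instantiates it with the [5, 1, 5] repetition code over F_7 (an illustrative choice) and e = 1, and finds exactly e + 1 = 2 false witnesses.

```python
# brute-force check of the sharpness example over F_7 with the [5, 1, 5]
# repetition code; e = 1 satisfies 3*e < d, and we take x_0 = 1, x_1 = 2
Q, n, e = 7, 5, 1
code = [[a] * n for a in range(Q)]           # all repetition codewords

def dist(u, v):
    return sum(1 for a, b in zip(u, v) if a != b)

u0 = [1, 2, 0, 0, 0]                         # (x_0, x_1, 0, ..., 0)
u1 = [0, 1, 0, 0, 0]                         # (x_0 - 1, x_1 - 1, 0, ..., 0)

close = []
for r in range(Q):
    w = [((1 - r) * a + r * b) % Q for a, b in zip(u0, u1)]
    if min(dist(w, v) for v in code) <= e:
        close.append(r)

# exactly e + 1 = 2 false witnesses (namely r = x_0 and r = x_1)
assert close == [1, 2]
```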
In the Reed-Solomon setting, Ben-Sasson et al. [BSCI+23, Thm. 1.4] achieve an analogue of Theorem 1 for e as high as the unique decoding radius, albeit with an upper bound n/q on the false witness probability somewhat worse than the (e + 1)/q attained by Theorem 1. (They also present results beyond the unique decoding radius, which feature, on the other hand, much-more-complicated bounds.) We record the following analogue of this statement in our setting:

Conjecture 1. We wonder whether Theorem 1 holds even for proximity parameters e ∈ {0, . . ., ⌊(d − 1)/2⌋}.

Main Result
We now describe our new interleaved-to-standard reduction for proximity testing. We assume in what follows that the list length m is a power of 2. In our test, we use the tensor product expression (1 − r_0, r_0) ⊗ · · · ⊗ (1 − r_{log m − 1}, r_{log m − 1}), where the elements r_0, . . ., r_{log m − 1} of F_q are independently random, as a combination vector over the input list; our error parameter exceeds that of the affine case by a multiplicative factor of 2 · log m. We make blackbox use of Theorem 1 throughout. We abbreviate ℓ := log m.
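The tensor-product combination vector admits a simple iterative construction, sketched below (illustrative code of ours; the modulus and sizes are arbitrary). Each successive challenge r doubles the vector, and the resulting entries are exactly the multilinear Lagrange basis polynomials evaluated at (r_0, . . ., r_{ℓ−1}).

```python
import random

q = 97
rng = random.Random(1)

def tensor_vec(rs):
    # (1 - r_0, r_0) ⊗ ... ⊗ (1 - r_{l-1}, r_{l-1}) over F_q: each successive
    # r doubles the vector, scaling the old copy by (1 - r) and the new one by r
    v = [1]
    for r in rs:
        v = [x * (1 - r) % q for x in v] + [x * r % q for x in v]
    return v

l = 3
rs = [rng.randrange(q) for _ in range(l)]
v = tensor_vec(rs)
assert len(v) == 2 ** l

# the entries sum to 1, since prod_j ((1 - r_j) + r_j) = 1: the tensor vector
# is the vector of multilinear Lagrange basis polynomials at (r_0, ..., r_{l-1})
assert sum(v) % q == 1

# at a Boolean point, the tensor vector degenerates to a standard basis vector
assert tensor_vec([0, 1, 1]) == [0, 0, 0, 0, 0, 0, 1, 0]
```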
We now let ℓ > 1 be arbitrary, and assume the hypothesis of the theorem. By way of induction, we construct two smaller instances of the problem, each of size ℓ − 1, and establish the theorem's hypothesis on these instances. We prepare the process by introducing notation. For each tuple (r_0, . . ., r_{ℓ−2}) ∈ F_q^{ℓ−1} and each b ∈ {0, 1}, we record the following abbreviation, involving the appropriate half-list of the initial list (u_i)_{i=0}^{2^ℓ−1}:

M_b := M_b(r_0, . . ., r_{ℓ−2}) := ((1 − r_0, r_0) ⊗ · · · ⊗ (1 − r_{ℓ−2}, r_{ℓ−2})) · (u_i)_{i=b·2^{ℓ−1}}^{(b+1)·2^{ℓ−1}−1}.

We emphasize that each combination M_b := M_b(r_0, . . ., r_{ℓ−2}) depends on a fixed choice of tuple (r_0, . . ., r_{ℓ−2}) ∈ F_q^{ℓ−1}; we slightly abuse notation by omitting this tuple. Our recursive approach relies on the following identity, valid for each (r_0, . . ., r_{ℓ−1}) ∈ F_q^ℓ:

((1 − r_0, r_0) ⊗ · · · ⊗ (1 − r_{ℓ−1}, r_{ℓ−1})) · (u_i)_{i=0}^{2^ℓ−1} = (1 − r_{ℓ−1}) · M_0 + r_{ℓ−1} · M_1.

This identity follows directly from the definition of the tensor product, and is easily verified by means of an explicit calculation. We finally define various loci in F_q^{ℓ−1}. We write R_0 := {(r_0, . . ., r_{ℓ−2}) ∈ F_q^{ℓ−1} : d(M_0, C) ≤ e} and R_1 := {(r_0, . . ., r_{ℓ−2}) ∈ F_q^{ℓ−1} : d(M_1, C) ≤ e} for the loci consisting of those (ℓ − 1)-tuples for which M_0 and M_1 (respectively) are at most e-far from the code. We finally write, for each (r_0, . . ., r_{ℓ−2}) ∈ F_q^{ℓ−1}, p(r_0, . . ., r_{ℓ−2}) := Pr_{r_{ℓ−1} ∈ F_q} [d((1 − r_{ℓ−1}) · M_0 + r_{ℓ−1} · M_1, C) ≤ e], and set R* := {(r_0, . . ., r_{ℓ−2}) ∈ F_q^{ℓ−1} : p(r_0, . . ., r_{ℓ−2}) > (e + 1)/q}. In words, R* ⊂ F_q^{ℓ−1} is that locus consisting of those (ℓ − 1)-tuples whose resulting combinations M_0 and M_1 (with the initial matrix's lower and upper halves, respectively) span a line a substantial proportion of whose elements reside close to the code.
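The recursive identity underlying the induction, namely that the full ℓ-fold combination equals (1 − r_{ℓ−1}) · M_0 + r_{ℓ−1} · M_1, can be verified numerically; the sketch below (again with arbitrary toy parameters of ours) checks it for a random list of rows.

```python
import random

q = 101
rng = random.Random(2)

def tensor_vec(rs):
    # iterative construction of (1 - r_0, r_0) ⊗ ... ⊗ (1 - r_{l-1}, r_{l-1});
    # the last challenge distinguishes the lower and upper halves of the index set
    v = [1]
    for r in rs:
        v = [x * (1 - r) % q for x in v] + [x * r % q for x in v]
    return v

def combine(vec, rows):
    # the linear combination sum_i vec_i * rows_i, taken coordinate-wise mod q
    return [sum(c * row[j] for c, row in zip(vec, rows)) % q
            for j in range(len(rows[0]))]

l, n = 4, 6
m = 2 ** l
rows = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
rs = [rng.randrange(q) for _ in range(l)]

full = combine(tensor_vec(rs), rows)
M0 = combine(tensor_vec(rs[:-1]), rows[: m // 2])   # lower half-list
M1 = combine(tensor_vec(rs[:-1]), rows[m // 2:])    # upper half-list
folded = [((1 - rs[-1]) * a + rs[-1] * b) % q for a, b in zip(M0, M1)]

assert full == folded   # the recursive identity holds exactly
```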
Lemma 1. R* ⊂ R_0 ∩ R_1.

Proof. Indeed, that (r_0, . . ., r_{ℓ−2}) ∈ R* holds entails, by definition, that the hypothesis of Theorem 1 holds with respect to the affine line spanned by the relevant combinations M_0 and M_1. That theorem implies that d(M_0, C) ≤ e (so that (r_0, . . ., r_{ℓ−2}) ∈ R_0) and d(M_1, C) ≤ e (so that (r_0, . . ., r_{ℓ−2}) ∈ R_1).

Lemma 2. µ(R*) > (2 · ℓ − 1) · (e + 1)/q.

Proof. The result follows from a probability decomposition argument, as we explain below:

2 · ℓ · (e + 1)/q < Pr_{(r_0, . . ., r_{ℓ−1}) ∈ F_q^ℓ} [d(((1 − r_0, r_0) ⊗ · · · ⊗ (1 − r_{ℓ−1}, r_{ℓ−1})) · (u_i)_{i=0}^{2^ℓ−1}, C) ≤ e] = E_{(r_0, . . ., r_{ℓ−2}) ∈ F_q^{ℓ−1}} [p(r_0, . . ., r_{ℓ−2})] ≤ (e + 1)/q + µ(R*).

The first step is the hypothesis of the theorem; the second step follows from the recursive substructure explained above. To achieve the final step, we upper-bound the second-to-last expression slice-wise, bounding p(r_0, . . ., r_{ℓ−2}) either by (e + 1)/q or by 1, depending on whether the slice (r_0, . . ., r_{ℓ−2}) belongs to R* or not. In this way, we obtain the upper bound (e + 1)/q · Pr_{(r_0, . . ., r_{ℓ−2}) ∈ F_q^{ℓ−1}} [p(r_0, . . ., r_{ℓ−2}) ≤ (e + 1)/q] + Pr_{(r_0, . . ., r_{ℓ−2}) ∈ F_q^{ℓ−1}} [p(r_0, . . ., r_{ℓ−2}) > (e + 1)/q] ≤ (e + 1)/q + µ(R*). From the entire inequality, we conclude finally that µ(R*) > (2 · ℓ − 1) · (e + 1)/q, as desired. This completes the proof of the lemma.

Upon combining Lemmas 1 and 2, we immediately conclude that the probabilities µ(R_0) and µ(R_1) are both themselves greater than 2 · (ℓ − 1) · (e + 1)/q. In other words, the hypothesis of the theorem is fulfilled with respect to the parameter ℓ − 1 and to both of the half-sublists (u_i)_{i=0}^{2^{ℓ−1}−1} and (u_i)_{i=2^{ℓ−1}}^{2^ℓ−1}. This justifies our inductive use of the theorem with respect to these half-sublists.
We thus conclude the consequence of the theorem with respect to these sublists. We write e_0 and e_1 for these sublists' interleaved distances, as well as D_0 and D_1 for their corresponding (correlated) disagreement subsets of {0, . . ., n − 1}. We finally write (v_i)_{i=0}^{2^{ℓ−1}−1} and (v_i)_{i=2^{ℓ−1}}^{2^ℓ−1} for their corresponding lists of close codewords. By analogy with M_0 and M_1, for each (r_0, . . ., r_{ℓ−2}) ∈ F_q^{ℓ−1} and each b ∈ {0, 1}, we moreover write:

N_b := N_b(r_0, . . ., r_{ℓ−2}) := ((1 − r_0, r_0) ⊗ · · · ⊗ (1 − r_{ℓ−2}, r_{ℓ−2})) · (v_i)_{i=b·2^{ℓ−1}}^{(b+1)·2^{ℓ−1}−1}.

We define further loci in F_q^{ℓ−1}, for b ∈ {0, 1}: B_b := {(r_0, . . ., r_{ℓ−2}) ∈ F_q^{ℓ−1} : ∆(M_b, N_b) ⊊ D_b}. We understand these loci as the subsets of the parameter space at which M_0 and M_1 (respectively) become closer to N_0 and N_1 than correlated agreement demands.
The following lemma shows that the loci B_0 and B_1 are not too large.

Lemma 3. For each b ∈ {0, 1}, µ(B_b) ≤ (ℓ − 1) · e/q.

Proof. We let b ∈ {0, 1} be arbitrary, and prove the result for B_b. For each index j ∈ D_b, we write R_{b,j} := {(r_0, . . ., r_{ℓ−2}) ∈ F_q^{ℓ−1} : M_{b,j} = N_{b,j}} for the locus in F_q^{ℓ−1} on which M_b and N_b "spuriously agree" at the index j. We note that each R_{b,j} ⊂ F_q^{ℓ−1} is precisely the vanishing locus of a certain combination of the (ℓ − 1)-variate multilinear Lagrange basis polynomials, where the combination vector, because j ∈ D_b, is not identically zero. We conclude that the combination is itself nonzero; the Schwartz-Zippel lemma in turn implies that µ(R_{b,j}) ≤ (ℓ − 1)/q. These sets' union thus has mass at most µ(⋃_{j ∈ D_b} R_{b,j}) ≤ |D_b| · (ℓ − 1)/q ≤ e · (ℓ − 1)/q; since B_b ⊂ ⋃_{j ∈ D_b} R_{b,j}, the lemma follows.

For the following lemma, we recall the set R* ⊂ F_q^{ℓ−1} introduced above.
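The Schwartz-Zippel step can be checked exhaustively in a tiny case. The sketch below (our own toy computation, taking ℓ − 1 = 2 variables over F_5) enumerates every nonzero multilinear polynomial a + b·x + c·y + d·x·y and confirms that its vanishing locus has mass at most (ℓ − 1)/q, i.e., at most (ℓ − 1) · q^{ℓ−2} of the q^{ℓ−1} points.

```python
import itertools

q = 5   # field size; two variables, so multilinear polynomials a + b*x + c*y + d*x*y

def zeros(coeffs):
    # count the points of F_q^2 at which the multilinear polynomial vanishes
    a, b, c, d = coeffs
    return sum(1 for x in range(q) for y in range(q)
               if (a + b * x + c * y + d * x * y) % q == 0)

# maximize over all nonzero coefficient vectors (5^4 - 1 = 624 polynomials)
max_zeros = max(zeros(co) for co in itertools.product(range(q), repeat=4)
                if any(co))

# Schwartz-Zippel: a nonzero multilinear polynomial in 2 variables vanishes
# on at most 2 * q of the q^2 points, i.e., on a mass of at most 2/q
assert max_zeros <= 2 * q
```

The extremal polynomials here are products of two affine factors, such as x·y, which vanish on 2·q − 1 points; the bound 2·q is therefore nearly attained.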
Lemma 4. The locus R* \ (B_0 ∪ B_1) ⊂ F_q^{ℓ−1} is nonempty.

Proof. Lemma 2 gives that the mass µ(R*) is greater than (2 · ℓ − 1) · (e + 1)/q; on the other hand, Lemma 3 gives that the masses µ(B_0) and µ(B_1) are each at most (ℓ − 1) · e/q. Since (2 · ℓ − 1) · (e + 1)/q > 2 · (ℓ − 1) · e/q, we conclude that µ(R*) > µ(B_0) + µ(B_1), so that R* \ (B_0 ∪ B_1) is nonempty.
By Lemma 4, there necessarily exists some element (r*_0, . . ., r*_{ℓ−2}) ∈ R* \ (B_0 ∪ B_1). We write M*_0 and M*_1 for the corresponding values of M_0 and M_1, and define N*_0 and N*_1 analogously; an application of Theorem 1 to the line spanned by M*_0 and M*_1 yields a disagreement set D* ⊂ {0, . . ., n − 1} of size e* ≤ e for which D_0 ⊂ D* and D_1 ⊂ D* both hold. It follows that D_0 ∪ D_1 ⊂ D*. We conclude that the half-sublists (u_i)_{i=0}^{2^{ℓ−1}−1} and (u_i)_{i=2^{ℓ−1}}^{2^ℓ−1} have mutual correlated agreement outside of the set D*, of size e* ≤ e. This completes the proof of the theorem.
Remark 3. The false witness probability 2 · ℓ · (e + 1)/q of Theorem 2 seems not to be sharp; for example, we wonder whether the factor of 2 can be eliminated.

Polynomial Commitment
In this section, we present our main multilinear polynomial commitment scheme, and analyze its efficiency.
Given a commitment c, a claimed decommitment t, and an opening hint u, Π.Open verifies the claimed decommitment t of c, using u.
3. The output of the experiment is defined to be 1 if Π.Open(params, c; t_0, u_0), Π.Open(params, c; t_1, u_1), and t_0 ≠ t_1 all hold; otherwise, it is defined to be 0.
The multilinear polynomial commitment scheme Π is said to be binding if, for each PPT adversary A, there exists a negligible function negl(λ) for which, for each λ ∈ N and ℓ = O(log λ), Pr[Binding_{Π,ℓ}^A(λ) = 1] ≤ negl(λ).
2. The adversary outputs a commitment c ← A(params).
The multilinear polynomial commitment scheme Π is said to be extractable with respect to the query sampler Q if, for each PPT adversary A, there exists an expected PPT emulator E for which, for each PPT distinguisher D, the distributions Real_{Q,A,E,D}^{Π,ℓ}(λ) and Emul_{Q,A,E,D}^{Π,ℓ}(λ) are indistinguishable. The following definition is a simplification of [CHM+20, Def. 6.5], which requires that Q sample uniformly randomly ([CHM+20, Def. 6.5] permits Q to instead sample uniformly from a superpolynomially large set).

Definition 4. The query sampler Q is admissible if, for each λ and ℓ, and each parameter set params ← Π.Setup(1^λ, ℓ), containing the field size q say, it holds that (r_0, . . ., r_{2·ℓ−1}) ← Q(params) is uniform over F_q^{2·ℓ}.

Our Construction
We now instantiate our concrete scheme Π in the random oracle model. We use Merkle tree commitments, in a manner which evokes Ben-Sasson, Chiesa and Spooner's [BSCS16] transformation from interactive oracle proofs to non-interactive random oracle proofs.
• P sends the requested columns (u_{i,j})_{i=0}^{m−1}, for j ∈ J, each featuring an accompanying Merkle path against c.
• V computes Enc(t'). For each j ∈ J, V verifies the Merkle path attesting to (u_{i,j})_{i=0}^{m−1}, and moreover requires that Enc(t')_j = Σ_{i=0}^{m−1} ((1 − r_ℓ, r_ℓ) ⊗ · · · ⊗ (1 − r_{2·ℓ−1}, r_{2·ℓ−1}))_i · u_{i,j}. Finally, V requires s = ((1 − r_0, r_0) ⊗ · · · ⊗ (1 − r_{ℓ−1}, r_{ℓ−1})) · t'.

In the last step of Construction 3 above, we write Enc : F_q^m → F_q^n for C's encoding function. Our scheme is clearly complete. We note that the requirement n = 2^{O(ℓ)} is necessary merely for C to be efficiently encodable. The requirement d = Ω(n) entails that C has constant relative distance.
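The commit-and-evaluate flow of Construction 3 can be sketched end-to-end. The following toy Python model is ours: it replaces the Merkle tree by a flat hash of column hashes, substitutes an illustrative evaluation-style linear code for Enc, and checks the verifier's two consistency conditions for an honest prover. It is meant only to illustrate the linear-algebraic structure, not the actual security mechanics.

```python
import hashlib
import random

# Toy parameters of ours (not the text's): Enc : F_q^m -> F_q^n evaluates a
# polynomial with m coefficients at n fixed points, so it is linear over F_q.
q = 257
l = 3
m = 2 ** l
n = 2 * m

def enc(row):
    return [sum(c * pow(x, i, q) for i, c in enumerate(row)) % q
            for x in range(1, n + 1)]

def H(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tensor_vec(rs):
    v = [1]
    for r in rs:
        v = [x * (1 - r) % q for x in v] + [x * r % q for x in v]
    return v

rng = random.Random(3)
T = [[rng.randrange(q) for _ in range(m)] for _ in range(m)]  # coefficient matrix
U = [enc(row) for row in T]                                  # rows of U are codewords

# commitment: a hash of per-column hashes (a flat stand-in for the Merkle tree)
cols = [[U[i][j] for i in range(m)] for j in range(n)]
c = H("".join(H(repr(col).encode()) for col in cols).encode())

# evaluation: V samples (r_0, ..., r_{2l-1}); P sends t', the combination of
# T's rows by the tensor vector (1 - r_l, r_l) ⊗ ... ⊗ (1 - r_{2l-1}, r_{2l-1})
rs = [rng.randrange(q) for _ in range(2 * l)]
row_comb = tensor_vec(rs[l:])
t_prime = [sum(row_comb[i] * T[i][j] for i in range(m)) % q for j in range(m)]

# V's column check: since Enc is linear, Enc(t')_j must equal the same
# combination applied to the opened column j of U
enc_t = enc(t_prime)
for j in rng.sample(range(n), 5):
    assert enc_t[j] == sum(row_comb[i] * U[i][j] for i in range(m)) % q

# V's final check: s is the remaining tensor combination of t', and equals
# the full 2l-fold tensor combination of T's entries
s = sum(a * b for a, b in zip(tensor_vec(rs[:l]), t_prime)) % q
full = tensor_vec(rs)
assert s == sum(full[i * m + j] * T[i][j]
                for i in range(m) for j in range(m)) % q
```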
We moreover have the following security guarantees: Theorem 4. The scheme of Construction 3 is binding.
Proof. We fix an adversary A who outputs a commitment c and pairs (t^0, u^0) and (t^1, u^1). Assuming that Π.Open(params, c; t^0, u^0) and Π.Open(params, c; t^1, u^1) both hold, we argue as follows. We write M^0 and M^1 for the subsets of {0, . . ., n − 1} respectively missing from the hints u^0 and u^1. We moreover write X := M^0 ∪ M^1 ∪ ∆_m((u^0_i)_{i=0}^{m−1}, (Enc(t^0_i))_{i=0}^{m−1}) ∪ ∆_m((u^1_i)_{i=0}^{m−1}, (Enc(t^1_i))_{i=0}^{m−1}). On the one hand, our hypothesis immediately implies that |X| < d. On the other hand, we claim that ∆_m((Enc(t^0_i))_{i=0}^{m−1}, (Enc(t^1_i))_{i=0}^{m−1}) ⊂ X. Indeed, proceeding by contraposition, we fix an index j ∉ X. Since j ∉ M^0 ∪ M^1, we see that the hints u^0 and u^1 respectively Merkle-open the columns (u^0_{i,j})_{i=0}^{m−1} and (u^1_{i,j})_{i=0}^{m−1} against c, so that, barring an oracle collision on the part of A, these columns are necessarily identical. On the other hand, since j lies outside both of the remaining disagreement sets, we see that Enc(t^0_i)_j = u^0_{i,j} and Enc(t^1_i)_j = u^1_{i,j} hold for each i ∈ {0, . . ., m − 1}; we conclude that Enc(t^0_i)_j = Enc(t^1_i)_j for each i, so that j ∉ ∆_m((Enc(t^0_i))_{i=0}^{m−1}, (Enc(t^1_i))_{i=0}^{m−1}). The rows Enc(t^0_i) and Enc(t^1_i) are thus codewords which disagree at fewer than d positions, and which are hence pairwise equal. Since Enc is injective, we conclude finally that t^0 = t^1.
Theorem 5. If the query sampler Q is admissible, then the scheme of Construction 3 is extractable.
3. E moreover defines the following routine:

1: procedure ExtractProof()
2: while true do
3: rewind A to its initial point (i.e., immediately after outputting c).
4: sample fresh randomness (r_0, . . ., r_{2·ℓ−1}) ← Q(params), together with fresh verifier coins, and run A's proof afresh.
5: record the message t' sent by A, together with the randomness (r_0, . . ., r_{2·ℓ−1}).
6: if A's proof passes, return (t', (r_0, . . ., r_{2·ℓ−1})).
E writes (r_{0,0}, . . ., r_{0,2·ℓ−1}) for the randomness it used in A's initial proof above, and t'_0 for the message sent by A during the course of its initial proof. By running the routine ExtractProof() above m − 1 further times, E extends these quantities to a matrix (t'_i)_{i=0}^{m−1} of messages and an accompanying matrix of randomness values (r_{i,j}). If the m × m matrix whose i-th row is (1 − r_{i,ℓ}, r_{i,ℓ}) ⊗ · · · ⊗ (1 − r_{i,2·ℓ−1}, r_{i,2·ℓ−1}) is singular, then E outputs (s, π; ⊥, u).

5.
Otherwise, E performs the matrix operation which inverts these accumulated tensor combination vectors, recovering the matrix (t_i)_{i=0}^{m−1} from (t'_i)_{i=0}^{m−1}; it writes t for the polynomial whose coefficients (in the multilinear Lagrange basis) are given by the concatenation of (t_i)_{i=0}^{m−1}'s rows, and outputs (s, π; t, u).
In the algorithm TreeBuilder, we understand the conditions 2 and 4 as demanding that the relevant preimages be well-formed. That is, in case h does arise as the output of a prior query whose input, however, is malformed (in that it doesn't match the format demanded), we understand the relevant condition as failing to be fulfilled. If h arises as the output of multiple, distinct, well-formed preimages, then we stipulate that E select arbitrarily among these preimages (this event can only occur if A finds an oracle collision).
We now argue that E runs in expected polynomial time in λ. We write ε for the probability that A passes, conditioned on its state as of the point at which it first outputs c (this probability is taken over the coins of both Q and V, and over the further coins of A). We note that, for each fixed c, E proceeds beyond step 2 above with probability exactly ε. Moreover, each execution of ExtractProof terminates in expected time exactly 1/ε, since that algorithm's line 6 passes with probability exactly ε per iteration of that algorithm. Finally, TreeBuilder is straight-line and polynomial time. We conclude that E's total expected runtime is at most that of TreeBuilder, plus 1 + ε · (m − 1)/ε = m times the time it takes to run Construction 3 once; this total time is thus polynomial in λ (and independent of c and ε).
We now analyze the distribution returned by E. We note that the outputs (c, s, π) upon which D runs are identically distributed in the distributions Real_{Q,A,E,D}^{Π,ℓ}(λ) and Emul_{Q,A,E,D}^{Π,ℓ}(λ). It thus suffices to show that it holds in at most a negligible proportion of executions of A, Q and E that, simultaneously, Π.Verify(params, c, s, (r_0, . . ., r_{2·ℓ−1}), π) = 1 and either Π.Open(params, t; c, u) = 0 or t(r_0, . . ., r_{2·ℓ−1}) ≠ s. We write Q(λ) for a polynomial upper bound on the number of random oracle queries A makes. We recall from [BSCS16, § A.1] that it holds with probability at most (Q(λ)^2 + 1)/2^λ, which is negligible, that A outputs, during any particular among its executions, either a valid Merkle path on a missing column j ∈ M or, for some j ∉ M, a valid Merkle opening (u_{i,j})_{i=0}^{m−1} inconsistent with the matrix extracted by E in step 1 above.
In the following lemma, we write C|_M for the puncturing of C at M. We record a few remarks about our proof. Theorem 5's difficulty arises, roughly, from the fact that the conditional distribution of the messages t' and of the random vectors (r_0, . . ., r_{2·ℓ−1}) ∈ F_q^{2·ℓ} which E accumulates (that is, the distribution of these values, conditioned on A passing) can be highly arbitrary; A could, for example, output a successful proof with vastly higher probability when (1 − r_ℓ, r_ℓ) ⊗ · · · ⊗ (1 − r_{2·ℓ−1}, r_{2·ℓ−1}) resides in some fixed low-dimensional subspace A ⊂ F_q^m (let's say) than when it doesn't, thereby thwarting E's extraction. Our proof thus argues that if A succeeds with high enough probability (specifically, with probability greater than a certain cutoff which, crucially, is still negligible, but which decays much more slowly than the probabilities of the relevant failure events), then the conditional distribution of A's outputs necessarily concentrates away from these bad events. The key idea is that δ, by virtue of being negligible, necessarily admits an expression of the form δ = 2^{−f(λ)}, for some f(λ) = ω(log(λ)); we thus have in turn that √δ takes the form 2^{−f(λ)/2}. This latter quantity is greater than δ by a factor of 2^{f(λ)/2}, which is superpolynomial; on the other hand, it is itself nonetheless still negligible. This maneuver, whereby the exponent is halved, can be performed on any negligible function. Upon excluding from our treatment those executions for which ε ≤ √δ, we find that, in the remaining executions, A's success probability is sufficiently "high" that failure events necessarily figure negligibly in it, regardless of A's strategy. This latter step is made precise by a Bayes-like argument.
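The exponent-halving maneuver can be displayed as a short calculation (our rendering of the argument in the paragraph above, with δ and f as there):

```latex
\delta(\lambda) = 2^{-f(\lambda)}, \qquad f(\lambda) = \omega(\log \lambda)
\quad \Longrightarrow \quad
\sqrt{\delta(\lambda)} = 2^{-\frac{1}{2} f(\lambda)},
```
```latex
\frac{\sqrt{\delta(\lambda)}}{\delta(\lambda)} = 2^{\frac{1}{2} f(\lambda)}
  = \lambda^{\omega(1)} \;\text{(superpolynomial)},
\qquad
\sqrt{\delta(\lambda)} = \lambda^{-\omega(1)} \;\text{(negligible)}.
```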
Brakedown's proof. We compare our proof strategy to that of Brakedown [GLS+23, Lems. 2 and 3], which proves a similar result. Brakedown's proof, essentially, handles the non-uniformity of A's conditional output distribution by stipulating that the emulator E filter "actively", using rejection sampling to curate an artificially uniform distribution over some sufficiently large set of coefficient vectors. This procedure requires that E "know" A's success probability ε. Brakedown's emulator brings about this state of affairs using various techniques, including a procedure of Hazay and Lindell [HL10, Thm. 6.5.6] (which these latter authors attribute to Goldreich). Informally, Brakedown's approach makes the independence analysis of the emulator's coefficient vectors easier, since the relevant vectors are, by fiat, drawn from a uniform distribution over some set (cf. our Lemma 9). On the other hand, it makes the acquisition of these vectors more complicated, since it mandates that the emulator evaluate their membership in the relevant set.
We record a few possible issues with that proof as written, which seem, by and large, rectifiable. First of all, [GLS+23, Lem. 2] assumes a deterministic prover. This property is indeed used by that proof, namely in its assertion that E's inspection of P's response u' "enables E to determine whether r ∈ T". Sure enough, the membership of each given r ∈ F_q^m in T depends, in general, both on the coins P flips while constructing u and on the coins V flips while selecting its challenge columns. It would thus fail to hold, for randomized P, that E could even determine which among its candidates r reside in T, given these vectors' accompanying responses u' alone, let alone that those vectors r which do belong to T moreover feature responses u' which cause V to accept with probability ε/2 or more (over its choice of random columns). For randomized P, E may be able to rectify this issue by extracting not just one response u' from P, but many (running P with fresh random tape each time), and testing each u' for agreement with π vis-à-vis r. Alternatively, the proof would need to justify its assumption whereby P is deterministic. Interestingly, the most compelling strategy whereby this latter assumption might be justified appears to encounter an identical obstacle. That strategy would, it seems, proceed by showing that E may bootstrap any given random prover into a deterministic one, without excessively impacting that prover's probability of success. To do this, E would proceed by repeatedly sampling candidate random tapes for its random prover P until finding one which causes P to pass with "high" probability over V's coins. The problem of determining this suitable random tape is essentially the same as that, just discussed, of determining whether r ∈ T.
where, in the last step, we exploit the inductive hypothesis |D_b| = e_b ≤ e. On the other hand, B_b = ⋃_{j ∈ D_b} R_{b,j}. This completes the proof.
We write M*_0 and M*_1 for the corresponding values of M_0 and M_1, and moreover define N*_0 and N*_1 analogously. Because (r*_0, . . ., r*_{ℓ−2}) ∈ R*, an application of Theorem 1 to the line spanned by M*_0 and M*_1 yields a subset D* ⊂ {0, . . ., n − 1}, satisfying |D*| = e*, say, where e* ≤ e, together with codewords O_0 and O_1 which respectively agree with M*_0 and M*_1 outside of D*. For each b ∈ {0, 1}, because (r*_0, . . ., r*_{ℓ−2}) ∉ B_b moreover holds, we have in fact the disagreement set equality ∆(M*_b, N*_b) = D_b (as opposed to a proper inclusion). We write ∆(M*_b, O_b) for the disagreement set of M*_b and O_b. By definition of D*, ∆(M*_b, O_b) ⊂ D* clearly holds; on the other hand, because d(M*_b, N*_b) ≤ e_b ≤ e and d(M*_b, O_b) ≤ e* ≤ e simultaneously hold, unique decoding implies that N*_b = O_b, and that in fact ∆(M*_b, O_b) = D_b. We conclude that D_b ⊂ D*.

1.
Having observed and collected A's queries up until the point of its outputting c, E initializes the empty matrix (u_i)_{i=0}^{m−1}. E defines the following algorithm, which is essentially a slight simplification of an algorithm, called Valiant's extractor, given in Ben-Sasson, Chiesa and Spooner [BSCS16, § A.1].

1: procedure TreeBuilder(h, i, j)
2: if i = 0 and h = H((x_i)_{i=0}^{m−1}) arises as some oracle output then
3: overwrite the value of the j-th column: (u_{i,j})_{i=0}^{m−1} := (x_i)_{i=0}^{m−1}.
4: else if i > 0 and h = H(h_0 ∥ h_1) arises as some oracle output then
5: TreeBuilder(h_0, i − 1, 2 · j); TreeBuilder(h_1, i − 1, 2 · j + 1).
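TreeBuilder's recursion over the adversary's recorded oracle queries can be sketched concretely. The Python model below is ours and heavily simplified: a dictionary stands in for the transcript of A's random oracle queries, the well-formedness checks of conditions 2 and 4 are reduced to a length check, and collisions are ignored (they occur only with negligible probability).

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# a toy transcript of the adversary's oracle queries: output -> queried input
transcript = {}
def oracle(data: bytes) -> bytes:
    h = H(data)
    transcript[h] = data
    return h

# build a small Merkle tree over four single-byte "columns", recording queries
leaves = [bytes([v]) for v in (10, 20, 30, 40)]
level = [oracle(x) for x in leaves]
while len(level) > 1:
    level = [oracle(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
root = level[0]

# TreeBuilder(h, i, j): walk the recorded queries downward from h, a node at
# height i and horizontal position j, filling in any leaf columns it reaches
columns = {}
def tree_builder(h, i, j):
    if h not in transcript:        # h never arose as an oracle output: stop
        return
    pre = transcript[h]
    if i == 0:                     # condition 2 (simplified): a leaf preimage
        columns[j] = pre
    elif len(pre) == 64:           # condition 4 (simplified): h_0 || h_1
        tree_builder(pre[:32], i - 1, 2 * j)
        tree_builder(pre[32:], i - 1, 2 * j + 1)

tree_builder(root, 2, 0)
assert columns == {0: bytes([10]), 1: bytes([20]), 2: bytes([30]), 3: bytes([40])}
```

Starting from the committed root, the extractor thus recovers every column whose full authentication path was queried by the adversary, without ever rewinding.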