Local Proofs Approaching the Witness Length

Abstract

Interactive oracle proofs ( \(\mathsf {IOP} \) s) are a hybrid between interactive proofs and \(\mathsf {PCP} \) s. In an \(\mathsf {IOP} \) the prover is allowed to interact with a verifier (like in an interactive proof) by sending relatively long messages to the verifier, who in turn is only allowed to query a few of the bits that were sent (like in a \(\mathsf {PCP} \) ). Efficient \(\mathsf {IOP} \) s are currently at the core of leading practical implementations of highly efficient proof-systems. In this work we construct, for a large class of \(\mathsf {NP} \) relations, \(\mathsf {IOP} \) s in which the communication complexity approaches the witness length. More precisely, for any \(\mathsf {NP} \) relation for which membership can be decided in polynomial-time with bounded polynomial space (i.e., space n ξ for some sufficiently small constant ξ > 0; e.g., \(\mathsf {SAT} \) , \(\mathsf {Hamiltonicity} \) , \(\mathsf {Clique} \) , \(\mathsf {Vertex\text{-}Cover} \) , etc.) and for any constant γ > 0, we construct an \(\mathsf {IOP} \) with communication complexity (1 + γ ) · n , where n is the original witness length. The number of rounds, as well as the number of queries made by the \(\mathsf {IOP} \) verifier, are constant. This result improves over prior works on short \(\mathsf {IOP} \) s/ \(\mathsf {PCP} \) s in two ways. First, the communication complexity in these short \(\mathsf {IOP} \) s is proportional to the complexity of verifying the \(\mathsf {NP} \) witness, which can be polynomially larger than the witness size. Second, even ignoring the difference between witness length and non-deterministic verification time, prior works incur (at the very least) a large constant multiplicative overhead to the communication complexity. In particular, as a special case, we also obtain an \(\mathsf {IOP} \) for \(\mathsf {CircuitSAT} \) with communication complexity (1 + γ ) · t , for circuits of size t and any constant γ > 0. This improves upon the prior state-of-the-art work of Ben Sasson  et al.  (ICALP, 2017) who construct an \(\mathsf {IOP} \) for \(\mathsf {CircuitSAT} \) with communication length c · t for a large (unspecified) constant c ≥ 1. Our proof leverages the local testability and (relaxed) local correctability of high-rate tensor codes, as well as their support of a sumcheck-like procedure. In particular, we bypass the barrier imposed by the low rate of multiplication codes (e.g., Reed-Solomon, Reed-Muller or AG codes) - a key building block of all known short \(\mathsf {PCP} \) / \(\mathsf {IOP} \) constructions.