Soundness — Part 3

Our proof of soundness requires a few preliminary statements, stated next. The proof of soundness follows in the next sub-section.

Preliminaries The following claim discusses interpolants, using the definition and notation from Ap- pendix B.1.

Claim D.1. LetS ⊆ _Fandd, k ∈ _Nsatisfyd+ 2k < |S|. Givenf: S → _Fdefine f(x)ˆ =4 xk·f(x). Suppose that both deg interpolantf < d+k anddeg

interpolantfˆ

< d+k. Then we also have

Proof. LetP(X) =interpolantf and letQ(X)=4 Xk·P(X); bothP, Qare viewed as members ofF[X]. By assumptiondeg(P)< d+k, sodeg(Q) < d+ 2k < |S|. The multi-point evaluation ofQon domain

Sis precisely the functionfˆ. The uniqueness of the interpolant, along with the observationdeg(Q)<|S|, imply thatinterpolantfˆ=Q. Therefore, the assumptiondeg(interpolantfˆ)< d+kgivesdeg(Q)< d+k. By constructiondeg(P) = deg(Q)−kand this completes the proof.

The next lemma says that linear spaces whose members are “close on average” to a linear error correcting code, have small support.

Lemma D.2(Proximity to codes implies small support). LetC ⊂ _FS _{be an}

F-linear code of blocklength

≤ |F|and relative distanceδ. Fixc >6/δ. SupposeV ⊂FS satisfies

Pr v∈span(V) ∆H(v, C)≤ 1 c >1/|_F|.

Then there existsS0 ⊂Sof densityµ(S0/S)≥1−2 c >1−

δ

3 such thatV|S0 ⊆C|S0.

The proof of the lemma above requires a result from [95] (stated as Lemma 1.6 there). We recall and prove that lemma next, then prove Lemma D.2.

Lemma D.3(Average distance amplification). LetC ⊂_FS _{be a linear space. Iff}

1, . . . , fk ∈FS are such that there existsfithat is-far fromCin relative Hamming distance, then

Pr r1,...,rk∈F " ∆H k X i=1 rifi, C ! ≤/2 # ≤1/|_F|

Proof of Lemma D.2. By Lemma D.3 we have

∀v∈span(V), ∆H(v, C)≤

2

c. (51)

Since 2/c < δ/2 by assumption, we conclude that the codeword of C that is closest to v ∈ span(V) is unique, denote it by¯v. DefineSv

4

={x∈S|v(x)6= ¯v(x)}and forV0 ⊆span(V)letSV0 =∪_v∈V0S_v. To

prove Lemma D.2 it suffices to show

µ S_span(V)/S

≤ 2

c (52)

by settingS0 =S\Sspan(V).

We prove (52) by way of contradiction, namely, we show that µ(Sspan(V)/S) > 2c and (51) together imply that (51) is false, so (52) holds.

Write v = ¯v+v0 wherev0 has relative Hamming weightµ(Sv0/S). Abusing notation, we identifyv

withv0 and henceforth assume the codeword closest tovis0and thatSv denotes the support ofv, i.e., the set of its nonzero entries.

Since (51) impliesµ(Sv/S)< δ/3, if (52) is false then there exists someV0 ⊂V such that

µ(SV0/S)∈ 2 c, 4 c ⊆ 2 c, δ− 2 c

The containment follows because 4/c < 2δ/3 < δ −2/c. By linearity of expectation, the expected support size of a random word in span(V0) is precisely (1−1/|_F|)|SV0| which is strictly greater than (1−1/|SV0|)|S_V0|because|S_V0| <|S| ≤ |_F|. Thus, it must be the case that somev ∈ span(V0)is fully

supported onSV0 which means that the relative support size ofvis in 2

c, δ− 2 c

; we concludevhas relative distanceµ(SV0/S)>2/cfromC, contradicting (51) and completing the proof.

Soundness analysis

Proof of Item 3 of Theorem B.15. We prove the contrapositive: If neither item 3a nor item 3b of Theo- rem B.15 hold, which means both of the following items hold:

1. Prh∆H f(0),RS[F, L, ρmax] ≤ δ 2ζ i >1/|_F| 2. Prh∆H g(0),RS[F, Lcmp, ρcmp] ≤ δ 2ζ i >1/|_F|

Thenx∈APR. Details follow.

We apply Lemma D.2 to Item 1 above, while setting the constantcin that lemma to

c=4 2ζ

δ (53)

The assumptions of Lemma D.2 hold becauseζ >3(cf. Equation (7)) andδ≤1−ρmax, hencec >6/(1−

ρmax)as required by Lemma D.2. By that lemma we deduce the existence of a setS ⊂ L, µ(S/L) ≤ 2_c such that for allτ ∈ T we have both

wτ|_L\S ∈RS[F, L, ρmax]|L\Sand x|L|·(ρmax−ρτ)_·wτ |_L\S ∈RS[F, L, ρmax]|L\S. (54) Letd= deg wτ|_L\S

< ρmax· |L|andk=|L| ·(ρmax−ρτ). We have

d+ 2k <|L|(ρmax+ 2(ρmax−ρτ))<|L| ·3ρmax<|L\S|.

The last inequality follows fromρmax ≤ 1/4 and|S| ≤ 2/c ≤ 1/4 (see Equations (7) and (53)). So by Claim D.1 we conclude

∀τ ∈ T wτ|_L\S ∈RS[F, L, ρτ]|L\S. (55) LetH0 ={x∈Lcmp| N(x)∩S 6=∅}; a union bound gives|H0| ≤ Θ|S|. Letwτ0 be the low degree extension ofwτ|L\Sto domainL, noticingw0τ ∈RS[F, L, ρτ]. Letw0 ={wτ |τ ∈ T }. Recall the assump- tion thatxhasδ-distance, and letCbe the linear code of minimal distanceδthat containsRS[F, Lcmp, ρcmp] as required by Item 2). By Equation (55) and Item 2 we concludeφN[w0]∈ C for eachφ ∈Φ. Thus, to

complete our soundness analysis, we need only show thatφN [w0]∈RS[F, Lcmp, ρcmp]for eachφ∈Φ. Consider the set of functions

φN

w0

|φ∈Φ ∪ {gmask}

and letV denote the linear span of this set. Since, by assumption,φN [w0]agrees withφN [w]onLcmp\H0, we conclude thatg(0)|_Lcmp\H0 ∈V_Lcmp\H0. Therefore, if there exists even one member of{φN[w

0_]|φ∈Φ}

that does not belong toRS[F, Lcmp, ρcmp], then Lemma D.3 implies

Pr ∆H g(0),RS[F, Lcmp, ρcmp] ≤ 1 2 ·(δ−µ(H0/Lcmp)) ≤1/|_F|

which contradicts Item 2 stated at the beginning of this proof, because _2ζδ ≤ 1

2(δ−µ(H0/Lcmp))by our choice ofζin Equation (7). Therefore we conclude that

∀φ∈Φ, φN w0∈RS[F, Lcmp, ρcmp] (56)

and hencew0satisfiesx, completing the soundness analysis.

Remark D.4(Potential for improvement of soundness analysis). The×2ζloss in soundness, compared to distanceδ, is due to two factors. Lemma D.3 “costs” a×2factor, and the union bound used in the proof above incurs another×1 + Θ_|L|L|

cmp|

loss. It remains an interesting open problem to decide if either factor is actually required (cf. Conjectures B.16 and B.17).