The correctness of sampling in the FRI (Fast Reed-Solomon IOPP) protocol is fundamental to its security and soundness. Here's why it must be precise:

• Purpose: FRI proves that a polynomial ( p(x) ) is (\epsilon)-close to a low-degree polynomial. Sampling ensures the verifier checks ( p(x) ) at random points to detect deviations.
• Risk of Incorrect Sampling: If sampling is biased or non-uniform (e.g., over a small subset of points), a malicious prover could construct a high-degree polynomial that passes the sampled points but is (\epsilon)-far from low-degree elsewhere. This would break soundness, allowing false proofs.

Completeness Assurance

• Purpose: An honest prover (where ( p(x) ) is truly close to low-degree) must pass all queries with high probability.
• Risk of Incorrect Sampling: If sampling misses critical regions (e.g., due to non-uniform randomness), the verifier might query points where the polynomial coincidentally matches a low-degree polynomial, even if the overall polynomial is not close. This could lead to false rejections of honest proofs.

Uniformity and Randomness

• Purpose: Queries must be uniformly random across the domain. This ensures no adversarial prover can "game" the system by anticipating or influencing the queried points.
• Risk of Non-Uniform Sampling: If the verifier uses a predictable or non-random sampling strategy (e.g., fixed points or a biased distribution), a prover could tailor a malicious polynomial to pass the specific queried points while deviating elsewhere. This compromises the protocol's security.

Binding the Prover

• Purpose: Sampling occurs after the prover commits to ( p(x) ). This binds the prover to their polynomial, as they cannot change it after seeing the queries.
• Risk of Early Sampling: If the verifier reveals queries before commitment, the prover could adjust ( p(x) ) to match the queries, invalidating the proof. Correct sampling ensures the prover is committed before queries are revealed.

Efficiency and Scalability

• Purpose: FRI reduces query complexity exponentially via "folding." Sampling must efficiently cover the domain without excessive overhead.
• Risk of Inefficient Sampling: If sampling is computationally expensive (e.g., using a slow RNG or complex sampling methods), it could negate FRI's efficiency benefits, making the protocol impractical.

Security Against Attacks

• Risk of Manipulated Sampling: If the sampling process is flawed (e.g., due to weak pseudorandomness), an attacker could:
  • Predict queries: Craft a polynomial that passes all expected queries.
  • Exploit biases: Target regions where deviations are likely to be missed. This could enable attacks like forging proofs for high-degree polynomials.

Example: What Happens with Incorrect Sampling?

Suppose the verifier samples points from a small subset of the domain (e.g., only even-indexed points). A malicious prover could:

1. Define ( p(x) ) to match a low-degree polynomial at even indices.
2. Make ( p(x) ) deviate arbitrarily at odd indices.
3. Pass all queries but fail the (\epsilon)-closeness condition.
   This breaks FRI's core promise.

Best Practices for Correct Sampling

• Uniform Randomness: Use a cryptographically secure RNG to sample points uniformly from the domain.
• Commitment-First Order: Prover commits to ( p(x) ) before sampling points.
• Domain Coverage: Ensure the sampling distribution covers the entire domain (e.g., via a field or subgroup).
• Transparency: Verifiers should publicly disclose sampling parameters (e.g., seed for the RNG) to prevent manipulation.

Conclusion

Correct sampling in FRI is non-negotiable for:

• Soundness: Preventing false proofs.
• Completeness: Accepting valid proofs.
• Security: Binding the prover and enabling efficient verification.
  Without it, FRI loses its cryptographic guarantees, undermining its use in SNARKs (e.g., STARKs) and other zero-knowledge systems.