I'm trying to understand how lattice-based schemes with the Reed-Solomon proximity testing work and why the scheme in Bootle's et. al. Fig 3 has no aborts at all (nor big number of repetitions).
TLDR: How do PCPs and Reed-Solomon allow to avoid aborts and multiple repeats in Bootle's et. al. exact proof? I see no aborts and the challenge space is not a bit string either. Plus, they require just two repeats. So how does it work?
In classical crypto, say based on the DDH hardness assumption, we work with rings (or fields - depends). In lattices, we deal with subset of a ring (we need only those elements of the ring that have a small norm). So, all problems with "just using classical crypto tricks" boil down to the fact that this subset is not closed under addition or multiplication.
If we do crypto using the classical approach and big challenges, we will leak the secret with some probability (if the resulting element would not have a small norm). Ok for one-time signatures, bad for public key crypto. Sure, one can use a bit as a challenge and get Stern-type proofs, but it requires lots of repeats.
Then the concept of aborts appeared. If the resulting element had a big norm and could leak the secret - abort and restart protocol.
It all makes sense. We keep our subring but sometimes have to do the re-runs. We can try to increase the distribution of the masking parameter, do a parallel repetition, etc. But the core concept remains: our ring is not complete, and sometimes we hit a bad element and are forced to restart.
However, I do not understand how Bootle et. al manage to avoid aborts in their scheme. Do they use some Stern-like approach, which does not result in hundreds of re-runs? Is it because they work with many LWE instances, and big elements are somehow masked? Are Reed-Solomon codes somehow turning lattice subring into a closed ring?
