Land of Sumcheck

Prerequisite:

multilinear polynomials
low degree extension

Multilinear extensions

A multivariate polynomial $g$ is multilinear if the degree of the polynomial in each variable is at most one.

let $f : {0, 1}^{v} \to F$ be any function mapping the v-dimensional hypercube to $F$ , then multilinear extension of $f$ is $g$ , a $v$ -variate polynomial that agrees with $f$ on all $x \in {0, 1}^{v}$ .

Why multilinear extensions?

Allows to represent domain of length 2^v into v variable multilinear polynomial, which is way less than univariate polynomials where $v - 1$ variable polynomial is needed to represent length $v$ domain.

Using SZ lemma, verifier gains power over prover as if two functions $f, f^{'}$ differ at even one point in ${0, 1}^{v}$ , then their extension $g, g^{'}$ disagree almost everywhere, precisely agree at most $\frac{d}{∣ F ∣}$ .

Prove that a function $f : {0, 1}^{v} \to F$ has a unique multilinear extension $f$ over $F$ . a

Lagrange interpolation

f (x_{1}, x_{2}, \dots, x_{v}) = w \in {0, 1}^{v} \sum f (w) \cdot e q (x_{1}, \dots, x_{v})

where for any $w = (w_{1}, \dots, w_{v})$ , $e q_{w} (x)$ is called equality polynomial,

e q (x_{1}, \dots, x_{v}) = i = 1 \prod v (x_{i} w_{i} + (1 - x_{i}) (1 - w_{i}))

Sumcheck protocol

To Prove: $\sum_{i = 0}^{n} f = c$

More precisely, sumcheck protocol is used to prove a v-variate polynomial defined over a Finite field $F$ .

H := b_{1} \in {0, 1} \sum b_{2} \in {0, 1} \sum \dots b_{v} \in {0, 1} \sum g (b_{1}, \dots, b_{v})

Let’s see how the protocol behaves:

$P \to V : C$ claiming $C$ to equal to $H$
round 1: $P$ sends a univariate polynomial: $g_{1} (X_{1}) = \sum_{x_{2}, \dots, x_{v} \in {0, 1}^{v - 1}} g (X_{1}, x_{2}, \dots, x_{v})$
$V$ checks that $C_{1} = g_{1} (0) + g_{1} (1)$ , and $de g_{1} (g) \leq de g (X_{1})$
$r \in F \leftarrow V$ , and sends to $P$
round i:
- $P \to V : g_{j} (X_{j}) = \sum_{x_{j + 1}, \dots, x_{v} \in {0, 1}^{v - i}} g (r_{1}, \dots, r_{i - 1}, X_{j}, x_{j + 1}, \dots, x_{v}) \forall i \in [2, v - 1]$
- $V$ checks $g_{j} (0) + g_{j} (1) = g_{j - 1} (r_{j - 1})$ and sends $r_{j} \in F$ to $P$
last round: $P \to V : g_{v} (X_{v}) = g (r_{1}, \dots, r_{v - 1}, X_{v})$
- $V$ checks $g_{v} (0) + g_{v} (1) = g_{v - 1} (r_{v - 1})$ , and $de g (g_{v}) \leq d e g (X_{v} \in g)$
- checks with oracle query access to $g$ that $g (r_{1}, \dots, r_{v}) = g_{v} (r_{v})$

Efficiency:

$P$ : for each round i: $O (1 + de g_{i} (g)) \cdot 2^{v - j}$ terms are sent

Univariate sumcheck

Introduced in Aurora Paper, univariate sumcheck proves relation for a univariate polynomial $f (x)$ of degree $d$ and subset $H \subseteq F$ :

a \in H \sum f (a) = 0

Properties of protocol:

rounds: $O (lo g d)$
proof complexity: $O (d)$
query complexity: $O (lo g d)$
prover operations: $O (d lo g ∣ H ∣)$
verifier operations: $O (lo g d + lo g^{2} ∣ H ∣)$

Uses theorem stated by Byott and Chapman BC99 that $\sum_{a \in H} f (a) = 0$ iff $f$ has degree less than $∣ H ∣ - 1$ . Prove this using FRI protocol by BBHR18b which has proof complexity $O (lo g d)$ and proof length $O (d)$ . For case when degree $d > ∣ H ∣ - 1$ : we observe that we can split any polynomial $f$ into two polynomials $g$ and $h$ such that $f (x) \equiv g (x) + \prod_{α \in H} (x - α) \cdot h (x)$ with $d e g (g) < ∣ H ∣$ and $d e g (h) < d - ∣ H ∣$ ; in particular, $f$ and $g$ agree on $H$ , and thus so do their sums on $H$ .

\hat{f} a \in H \sum \hat{f} (a) \equiv \overset{g}{^} + Z_{H} \cdot \hat{h} \equiv a \in H \sum (\overset{g}{^} (a) + Z_{H} \cdot \hat{h} (a)) = β a \in H \sum a^{∣ H ∣ - 1}

https://hackmd.io/@kIJ38IbETaGkxGkcxhrNVg/HycoeJUJh?utm_source=preview-mode&utm_medium=rec

GKR

$P$ and $V$ agrees to a circuit. $P$ proves $V$ , the output of the circuit.

Taken from jolt repo:

GKR is a SNARK protocol for binary trees of multiplication / addition gates. The standard form allows combinations of both using a wiring predicate $\tilde{V}_{i}$ , and two additional MLEs $\tilde{a dd}_{i}$ and $\tilde{m u lt}_{i}$ .

$V_{i} (j)$ evaluates to the value of he circuit at the $i$ -th layer in the $j$ -th gate. For example $\tilde{V}_{1} (0)$ corresponds to the output gate.

$a dd_{i} (j)$ evaluates to 1 if the $j$ -th gate of the $i$ -th layer is an addition gate.

$m u lt_{i} (j)$ evaluates to 1 if the $j$ -th gate of the $i$ -th layer is a multiplication gate.

The sumcheck protocol is applied to the following:

\tilde{V}_{i} (z) = (p, ω_{1}, ω_{2}) \in {0, 1}^{s_{i} + 2 s_{i + 1}} \sum f_{i, z} (p, ω_{1}, ω_{2}),

where

f_{i} (z, p, ω_{1}, ω_{2}) = β_{s_{i}} (z, p) \cdot \tilde{a dd}_{i} (p, ω_{1}, ω_{2}) (\tilde{V}_{i + 1} (ω_{1}) + \tilde{V}_{i + 1} (ω_{2})) + \tilde{m u lt}_{i} (p, ω_{1}, ω_{2}) \tilde{V}_{i + 1} (ω_{1}) \cdot \tilde{V}_{i + 1} (ω_{2})

β_{s_{i}} (z, p) = j = 1 \prod s_{i} ((1 - z_{j}) (1 - p_{j}) + z_{j} p_{j}) .

Lasso and Jolt implement the Thaler13 version of GKR which is optimized for the far simpler case of a binary tree of multiplication gates. This simplifies each sumcheck to:

\tilde{V}_{i} (z) = p \in {0, 1}^{s_{i}} \sum g_{z}^{(i)} (p),

where

g_{z}^{(i)} (p) = β_{s_{i}} (z, p) \cdot \tilde{V}_{i + 1} (p, 0) \cdot \tilde{V}_{i + 1} (p, 1)

GKR is utilized in memory-checking for the multi-set permutation check.

lonerapier.xyz

Explorer

Land of Sumcheck

Multilinear extensions

Lagrange interpolation

Sumcheck protocol

Univariate sumcheck

GKR

Resources

Graph View

Table of Contents

Backlinks