Folding for Arbitrary Polynomial Custom Gates and Lookups

(with thanks to Yi Sun, Jonathan Wang, Lev Soukhanov, Nicolas Mohnblatt)

This hasn't been checked. Use at your own risk.

Nova introduced a folding scheme for R1CS circuits. A folding scheme is a way to aggregate multiple satisfying witnesses to a constraint system (in Nova's case, an R1CS circuit), so that multiple verifications can be combined into one. Under the hood, folding works by taking a random linear combination of the witnesses; the R1CS equations need to be generalized to "relaxed R1CS" constraints, which are stable under linear combination.

Our goal here is to show how Nova-style folding can be generalized to any polynomial "custom gate". The idea is sketched in Sangria in Section 3.3. In addition, we provide a useful special case that has not yet been done: folding lookups. (We also have a separate writeup of folding lookups at Origami.)

1. Preliminaries

A bit of algebra

We'll start with a general algebraic identity.

Let

p (x)

be a homogenous polynomial of degree

d

n

variables (where

x = (x_{1}, x_{2} \dots, x_{n})

Then there are

d - 1

polynomials

Δ^{1} p, Δ^{2} p, \dots, Δ^{n - 1} p

of degree at most

d

2 n

variables such that

p (x + r y) = p (x) + r^{d} p (y) + \sum_{k = 1}^{d - 1} r^{k} Δ^{k} p (x, y) .

The construction is simple. Write

p (x)

as a linear combination of monomials

x_{i_{1}} x_{i_{2}} \dots x_{i_{d}}

p (x) = \sum a_{i_{1}, i_{2}, \dots, i_{d}} x_{i_{1}} x_{i_{2}} \dots x_{i_{d}} .

(It's OK if some of the indices are equal to each other. For example, the monomial

x_{1}^{2}

has

i_{1} = i_{2} = 1

. Also, this expression is not unique, and that's OK too. For example,

x_{1} x_{2}

could be rewritten as

x_{2} x_{1}

or even

2 x_{1} x_{2} - x_{2} x_{1}

The polynomial

Δ^{k} p (x)

can be computed as follows: for any monomial,

Δ^{k} (x_{i_{1}} x_{i_{2}} \dots x_{i_{d}})

is the sum of the

(\binom{d}{k})

terms obtained by replacing

k

of the

d

variables

x_{i_{j}}

with

y_{i_{j}}

. For example:

\begin{aligned} Δ^{1} (x_{1} x_{2}) & = x_{1} y_{2} + y_{1} x_{2} \\ Δ^{2} (x_{1} x_{2} x_{3}) & = x_{1} y_{2} y_{3} + y_{1} x_{2} y_{3} + y_{1} y_{2} x_{3} \\ Δ^{1} (x_{1}^{3}) & = Δ^{1} (x_{1} x_{1} x_{1}) = x_{1} y_{1} y_{1} + y_{1} x_{1} y_{1} + y_{1} y_{1} x_{1} . \end{aligned}

What if

p

is not homogenous? To match the notation in Nova, we'll homogenize by introducing an extra variable.

For any polynomial

p (x)

of degree at most

d

n

variables, we'll define a homogenous polynomial

p^{h o m o g} (x, u)

of degree

d

n + 1

variables, as follows.

Write

p (x) = \sum_{d^{'} = 0}^{d} p_{d^{'}} (x),

where

p_{d^{'}} (x)

is homogenous of degree

d^{'}

. In other words,

p_{d^{'}} (x)

is just the sum of all the degree-

d^{'}

terms in

p (x)

. Then define

p^{h o m o g} (x, u) = \sum_{d^{'} = 0}^{d} u^{d - d^{'}} p_{d^{'}} (x) .

In other words, to make

p^{h o m o g} (x, u)

from

p (x)

, just multiply each term of

p (x)

by whatever power of

u

is needed to make the degree come out to

d

For future reference, it's worth noting that

p (x) = p^{h o m o g} (x, 1) .

TODO: an example that reformulates Sangria in this notation.

Commitments

We'll assume a hiding, binding, additively homomorphic commitment scheme

Com (p p, x, ρ)

. We'll denote a commitment to a vector

V

\overset{―}{V} = Com (p p, V, ρ)

. For clarity of notation, sometimes we will write

Com (V) := Com (p p, V, ρ)

when the arguments are obvious from context.

2. The Protocol

We'll describe a folding scheme for AIRs, a form of polynomial constraint system. An AIR

P

is a collection of polynomials

f_{1}, \dots, f_{ℓ}

2 w

variables over a finite field

F

. An execution trace

T

for

P

is an array of elements

T_{r, c}

F

, with

n

rows, each of width

w

. In order for the trace

T

to be valid, it is required that, when we substitute into any

f_{i}

the

2 w

elements of any two consecutive rows of

T

, the result equals zero:

f_{i} (T_{j, 1}, T_{j, 2}, \dots, T_{j, w}, T_{j + 1, 1}, T_{j + 1, 2}, \dots, T_{j + 1, w}) = 0.

The folding scheme we're about to describe works for more general polynomial constraint systems as well. All that matters is that a valid trace be defined by some fixed collection of polynomial equations in the entries. It is not necessary that each polynomial only involve entries from two consecutive rows. Nonetheless, we'll continue working within the AIR framework.

To start, we introduce the main object, a relaxed AIR, in the style of Sangria. The main idea of a relaxed AIR, like the relaxed R1CS analogue from Nova, is a polynomial constraint that involves a "slack term."

Relaxed AIR

We'll write

f_{i} (T)

for the length-

n

vector whose

j

-th entry is

f_{i}

applied to rows

j

and

j + 1

T

f_{i} (T_{j, 1}, T_{j, 2}, \dots, T_{j, w}, T_{j + 1, 1}, T_{j + 1, 2}, \dots, T_{j + 1, w}) .

(Rows wrap around, so row

n

is the same as row

0

A relaxed AIR instance is satisfied by a trace

T

(i.e. an

n

-by-

w

array of elements of

F

), vectors

E_{1}, E_{2}, \dots, E_{ℓ} \in F^{n}

, and a scalar

u \in F

, if

f_{i}^{h o m o g} (T_{j, 1}, T_{j, 2}, \dots, T_{j, w}, T_{j + 1, 1}, T_{j + 1, 2}, \dots, T_{j + 1, w}, u) = (E_{i})_{j},

for each

i

and

j

We'll write

f_{i}^{h o m o g} (T, u)

for the vector whose

j

-th entry is

f_{i}^{h o m o g} (T_{j, 1}, T_{j, 2}, \dots, T_{j, w}, T_{j + 1, 1}, T_{j + 1, 2}, \dots, T_{j + 1, w}, u) .

Since

f_{i}^{h o m o g}

is a polynomial in

2 w + 1

variables, the construction at the top of the page defines polynomials

Δ^{k} f_{i}^{h o m o g}

2 (2 w + 1)

variables. We'll write

Δ^{k} f_{i}^{h o m o g} (T^{1}, u^{1}; T^{2}, u^{2})

for the vector whose

j

-th entry is

Δ^{k} f_{i}^{h o m o g} (T_{j, 1}^{1}, \dots, T_{j + 1, w}^{1}, u^{1}, T_{j, 1}^{2}, \dots, T_{j + 1, w}^{2}, u^{2}) .

A relaxed AIR instance

(E_{i}, u)

consists of slack vectors

E_{1}, \dots, E_{ℓ} \in F^{n}

and a scalar

u \in F

. A witness for such an instance is an

n

-by-

w

matrix

T

of field elements such that

f_{i}^{h o m o g} (T, u) = E_{i},

for all

i

Clearly, any AIR instance can be promoted to a relaxed AIR instance by setting

u = 1

and

E = 0

. The main idea in folding AIR instances is that by converting them to relaxed AIR instances, the computations can be more easily combined.

Committed relaxed AIR

A committed relaxed AIR instance

(f_{i}, ρ, \overset{―}{E_{i}}, u, \overset{―}{T})

consists of polynomials

f_{1}, \dots, f_{ℓ}

, randomness

ρ

(to be used by the commitment scheme) a commitment to a slack vector

E = (E_{1}, \dots, E_{ℓ})

, a scalar

u

, and a commitment

\overset{―}{T}

to an

n

-by-

w

matrix of scalars. A witness to the committed relaxed AIR instance

(f_{i}, \overset{―}{E_{i}}, \overset{―}{T})

is a tuple

(E, T, ρ)

a slack vector
$E$ and
an
$n$ -by-
$w$ matrix
$T$ ,

such that

\overset{―}{T} = Com (p p, T, ρ)

\overset{―}{E} = Com (p p, E, ρ)

, and

f_{i}^{h o m o g} (T, u) = E_{i}

The Folding Scheme

We'll describe a folding scheme for relaxed AIR instances. Suppose a prover and a verifier have an AIR

P

, i.e. they both know the collection of polynomials

f_{i}

. The prover is given two relaxed AIR instances

(T^{1}, E^{1}, u^{1})

and

(T^{2}, E^{2}, u^{2})

. The verifier knows only the scalars

u^{1}

and

u^{2}

Let

d_{i}

be the degree of the polynomial

f_{i}

, and let

Δ^{k} f_{i}^{h o m o g}

be as defined above.

The prover

P

and the verifier

V

carry out the following protocol.

Protocol 1

$P$ computes commitments
$\overset{―}{X}$ for
$X \in {T^{1}, T^{2}, E_{i}^{1}, E_{i}^{2}}$ and their openings
$ρ_{X}$ (meaning that for all
$X$ ,
$\overset{―}{X} = Com (p p, X, ρ_{X})$ holds) and sends them to
$V$ .
For each constraint polynomial
$f_{i}$ , and each degree
$1 \leq k \leq d_{i} - 1$ ,
$P$ also computes the cross term

$B_{i, k} = Δ^{k} f_{i}^{h o m o g} (T^{1}, u^{1}; T^{2}, u^{2})$ (a vector of length
$n$ ).
$P$ computes commitments and openings for
$\overset{―}{B_{i, k}}$ and sends them to
$V$ .
$V$ samples a random folding challenge
$r \in F$ , and sends
$r$ to
$P$ .
$P$ computes
$T = T^{1} + r T^{2}$ and, for each
$i$ ,
$E_{i} = E_{i}^{1} + r^{d_{i}} E_{i}^{2} + \sum_{k = 1}^{d_{i} - 1} r^{k} B_{i, k} .$ These values
$T$ and
$E_{i}$ give a folded relaxed AIR witness.
Both
$P$ and
$V$ compute
$u = u^{1} + r u^{2},$
$\overset{―}{T} = \overset{―}{T^{1}} + r \overset{―}{T^{2}},$ and, for each
$i$ ,
$\overset{―}{E_{i}^{1}} + r^{d_{i}} \overset{―}{E_{i}^{2}} + \sum_{k = 1}^{d_{i} - 1} r^{k} \overset{―}{B_{i, k}} .$

Like Nova, this folding process can be iterated. Steps 2-5 allow two committed relaxed AIR instances to be folded into one, at the cost of sending just

4 + \sum_{i = 1}^{ℓ} d_{1} - 1

commitments to the verifier. One can iterate the procedure to fold an arbitrary number of committed relaxed AIR instances together, one by one. At the end, the prover only has to convince the verifier that the final

(E, T)

is a witness to the folded instance.

3. Application: Lookups

In Origami, we apply our procedure to Halo2 lookup checks.

Technically speaking, this is not an exact special case of the protocol since

β

and

γ

play the role of verifier-supplied randomness that does not fit in the framework. Instead, lookups are a special case of a slight generalization of Protocol 1 that includes verifier randomness.

Appendix

A.1 Knowledge Soundness

Here we'll argue that the folding procedure satisfies knowledge soundness. In other words, a prover can't convince a verifier to accept a proof (with more than negligible probability) unless the prover itself knows witnesses

(E^{1}, T^{1})

and

(E^{2}, T^{2})

We'll prove this by a "rewinding" argument. Imagine an "extractor" that is allowed to interact with the prover by rewinding it to a previous state. In practice, the extractor will feed the prover different random challenges

r

and see what response it gives to each.

Let

d

be the largest of the

d_{i}

's, so that all the constraint polynomials

f_{i}

have degree at most

d

. Suppose we are given two committed relaxed AIR instances

(f_{i}, \overset{―}{E_{i}^{1}}, u^{1}, \overset{―}{T^{1}})

and

(f_{i}, \overset{―}{E_{i}^{2}}, u^{2}, \overset{―}{T^{2}})

(for the same AIR

P = (f_{1}, \dots, f_{ℓ})

). We are also given

d + 1

transcripts of the prover-verifier interaction, with

d + 1

different values of

r

, say

r_{(1)}, \dots, r_{(d + 1)}

Each transcript contains the same commitments

\overset{―}{B_{i, k}}

. Furthermore, each transcript gives witnesses

E (r_{(j)})

T (r_{(j)})

, and

u (r_{(j)}) = u^{1} + r_{(j)} u^{2},

that satisfy the relaxed AIR condition:

f_{i}^{h o m o g} (T (r_{(j)}), u (r_{(j)})) = E_{i} (r_{(j)}) .

Furthermore, these witnesses are consistent with the commitments

\overset{―}{E_{i}^{1}}, \overset{―}{T^{1}}, \overset{―}{E_{i}^{2}}, \overset{―}{T^{2}}

, in that

\overset{―}{T (r_{(j)})} = \overset{―}{T^{1}} + r_{(j)} \overset{―}{T^{2}}

and

\overset{―}{E (r_{(j)})} = \overset{―}{E_{i}^{1}} + r_{(j)}^{d_{i}} \overset{―}{E_{i}^{2}} + \sum_{k = 1}^{d_{i} - 1} r_{(j)}^{k} \overset{―}{B_{i, k}} .

From this, the extractor needs to extract satisfying witnesses

E_{i}^{1}, T^{1}, E_{i}^{2}, T^{2}

to the original relaxed AIR. As in Nova, the extractor works by interpolation.

By linear interpolation, the extractor can find

T^{1}

and

T^{2}

such that

T (r_{(j)}) = T^{1} + r_{(j)} T^{2}

for

j = 1, 2

. Since the commitment scheme is linear, the

T^{1}

the extractor finds will satisfy

Com (p p, T^{1}, ρ_{T^{1}}) = \overset{―}{T^{1}}

, and similarly for

T^{2}

. Therefore, for every

j

we have

\overset{―}{T (r_{(j)})} = \overset{―}{T^{1}} + r_{(j)} \overset{―}{T^{2}} = Com (T (r_{(j)})),

so by the binding property of commitment, we have (with high probability) that

T (r_{(j)}) = T^{1} + r_{(j)} T^{2}

for all

j

Similarly, we'll recover

E_{i}^{1}, E_{i}^{2}

and

B_{i, k}

by Lagrange interpolation. Recall that the coefficients of any degree-

d

polynomial in one variable can be recovered from the value of the polynomial at

d + 1

distinct points. (This is purely a question of linear algebra, so the extractor can do it efficiently.) We are looking for

E_{i}^{1}, E_{i}^{2}

and

B_{i, k}

such that

E_{i} (r_{(j)}) = E_{i}^{1} + r_{(j)}^{d_{i}} E_{i}^{2} + \sum_{k = 1}^{d_{i} - 1} r_{(j)}^{k} B_{i, k} .

Well, this is simply an interpolation problem for a polynomial of degree

d_{i} \leq d

in the variable

r

; the unknowns

E_{i}^{1}, E_{i}^{2}

and

B_{i, k}

play the role of coefficients. Thus, for each

i

, we can find

E_{i}^{1}, E_{i}^{2}

and

B_{i, k}

by Lagrange interpolation on the first

d_{i} + 1

values

r_{(j)}

We know that

\overset{―}{E (r_{(j)})} = \overset{―}{E_{i}^{1}} + r_{(j)}^{d_{i}} \overset{―}{E_{i}^{2}} + \sum_{k = 1}^{d_{i} - 1} r_{(j)}^{k} \overset{―}{B_{i, k}},

so by linearity of commitment and linearity of Lagrange interpolation,

Com (p p, E_{i}^{1}, ρ_{E_{i}^{1}}) = \overset{―}{E_{i}^{1}}

Com (p p, E_{i}^{2}, ρ_{E_{i}^{2}}) = \overset{―}{E_{i}^{2}}

, and

Com (p p, B_{i, k}, ρ_{B_{i, k}}) = \overset{―}{B_{i, k}}

– in other words, the values

E_{i}^{1}, E_{i}^{2}, B_{i, k}

that the extractor finds are consistent with the given commitments.

Just like with

T (r_{(j)})

above, the hiding property of the commitment scheme then guarantees that (with all but negligible probability) we have

E_{i} (r_{(j)}) = E_{i}^{1} + r_{(j)}^{d_{i}} E_{i}^{2} + \sum_{k = 1}^{d_{i} - 1} r_{(j)}^{k} B_{i, k} .

for all

j

Finally, we need to show that

(E_{i}^{1}, u^{1}, T^{1})

and

(E_{i}^{2}, u^{2}, T^{2})

are satisfying witnesses for the original AIR. To this end, consider the equality

f_{i}^{h o m o g} (T^{1} + r T^{2}, u^{1} + r u^{2}) = E_{i}^{1} + r^{d_{i}} E_{i}^{2} + \sum_{k = 1}^{d_{i} - 1} r^{k} B_{i, k} .

This is an equality of polynomials of degree

d_{i}

r

that is known to hold for

d_{i} + 1

values of

r

. Therefore, the equality holds for all

r

. In particular, it holds for

r = 0

, so

f_{i}^{h o m o g} (T^{1}, u^{1}) = E_{i}^{1} .

On the other hand, since

f_{i}^{h o m o g}

is homogenous of degree

d_{i}

, we see that

f_{i}^{h o m o g} (s T^{1} + T^{2}, s u^{1} + u^{2}) = s^{d_{i}} E_{i}^{1} + E_{i}^{2} + \sum_{k = 1}^{d_{i} - 1} s^{d_{i} - k} B_{i, k}

holds for

d_{i} + 1

values of

s

, namely

s = r_{(j)}^{- 1}

. Therefore, this equality holds for all

s

, in particular for

s = 0

, so

f_{i}^{h o m o g} (T^{2}, u^{2}) = E_{i}^{2} .

This shows that the extractor can recover the two satisfying witnesses.

Knowledge Soundness for Lookups

It's worth explaining why folded lookup arguments satisfy knowledge soundness as well. Recall the overall shape of the lookup argument:

$P$ commits to
$A^{i}$ ,
$S^{i}$ ,
$A_{p}^{i}$ ,
$S_{p}^{i}$
$V$ sends challenges
$β$ and
$γ$ for the grand product
$P$ computes grand products
$Z^{i}$ and
$W^{i}$ , depending on
$β^{i}$ and
$γ^{i}$

Then the folding happens. To fold the instance into

I_{c m l}

$P$ commits to cross-terms
$B_{j}$
$V$ sends a challenge
$r$
$P$ updates the folded instance
$I_{c m l}$ .

In the proof of knowledge soundness above, the extractor rewinds to just before

V

sends the challenge

r

. The earlier challenges

β

and

γ

remain untouched. The conclusion is that the prover knows a witness

(u^{i}, β^{i}, γ^{i}, A^{i}, S^{i}, A_{p}^{i}, S_{p}^{i}, Z^{i}, W^{i})

that satisfies the seven polynomial relations

f_{1}, \dots, f_{7}

A separate argument (knowledge soundness for Halo2 lookups) shows that in fact the prover knows

A^{i}

and

S^{i}

satisfying the lookup condition.

A.2 Comparing with Nova and Sangria

Nova is a folding scheme for R1CS circuits. The R1CS structure is a special case of an AIR, where there is a single constraint polynomial

f_{1}

, of degree 2, having a specific form. Because the polynomial is of degree

d = 2

, there is only a single cross-term

B = B_{1, 1}

. The folding scheme described here generalizes Nova: if you apply this scheme to R1CS systems, you recover the original Nova folding scheme.

The idea that Nova-style folding can be generalized to arbitrary custom gates was introduced in Section 3.3 of Sangria.

aardvark

2023/03/30 22:38:54

The idea that Nov

Yes. I agree this is just filling in details to the comment in Sangria. We should say something (Edited)

Yan Zhang

2023/03/30 23:14:42

I put something in the opening. Maybe sufficient

gubsheep

2023/04/13 12:51:30

$\mathcal{P}$ computes commitments and openings for $\overline{B_{i, k}}$ and sends them to $\mathcal{V}$.

minor - why does V send the commitment challenge, instead of P just generating randomly? (Edited)

2023/04/20 04:45:21

yeah this is an oversight (Edited)

2023/04/20 04:51:15

we talked to Nico about this. I got confused about commitments (Edited)

Folding for Arbitrary Polynomial Custom Gates and Lookups

1. Preliminaries

A bit of algebra

Commitments

2. The Protocol

Relaxed AIR

Committed relaxed AIR

The Folding Scheme

3. Application: Lookups

Appendix

A.1 Knowledge Soundness

Knowledge Soundness for Lookups

A.2 Comparing with Nova and Sangria

Read more

Garbled Circuits for Three-Party Computation

Origami -- A Folding Scheme for Halo2 Lookups