Joseph Spadavecchia <joseph@o1labs.org> X:1 T:Inner Product Symphony M: 4/4 C:Trad. K:G |:c1G1 c2G2|c3G3 c4G4|c5G5 c6G6|c7G7 c8G8| $$ \newcommand{\field}[1]{\mathbb{#1}}

1. Univariate sumcheck theorem The univariate sumcheck theorem for multiplicative subgroups (question arose during cq reading group) This is to prove that for a multiplicative subgroup $G$ of size $n$, any polynomial $f(X)$ of degree $< n$ satisfies that $sum(f(x)) = n · f(0) = s$ for all $x \in G$. This is equivalent to saying that there exist quotient and remainder polynomials such that $f(X) = q(X)*Z(X) + X · r(X) + s/n.$ Let’s understand why this holds. First ($\Rightarrow$): We can express any polynomial without loss of generality as $f(X) = q(X) · Z(X) + X · r(X) + c$ , where $Z$ is the vanishing polynomial over $G$. Remember we are performing the sum of f(X) over all x in G. Then, all Z(x) by definition will vanish to zero. Then the claim reduces to checking that s = sum(x·r(x)) + n · c for x in G. Then, define r'(X) = X · r(X) , this is a polynomial of degree < n and any sum over all x in G of such polynomials are 0 iff they evaluate to zero in 0. This means that sum(r'(x)) = 0 because 0 · r(0) = 0 and then s = n · c which implies that c = s / n. (edited) Second ($\Leftarrow$): If p(X) can be expressed as q(X) Z(X) + Xr(X) + s/n then the sum of p(x) is sum[ q(x) Z(x) + xr(x) ] + n · s / n and then sum(p(x)) = s.

secp256k1 Group order $\phi = 115792089237316195423570985008687907852837564279074904382605163141518161494337$ (256 bits) Field modulus $f = 2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1$ (256 bits) Faster combined scalar multiplication One of the most expensive parts of signature verification are the elliptic curve scalar multiplications $$

Here's some notes from my visit to zkSummit. 1. Demystifying zk Programming Howard Wu This talk was an overview of the Aleo (Autonomous Ledger Executions Off-chain) blockchain. Their aims for the platform are Improve efficiency by avoiding re-execution Support privacy