# Current system. $\DeclareMathOperator{\Im}{Im} \DeclareMathOperator{\Ker}{Ker} \DeclareMathOperator{\eq}{eq} \DeclareMathOperator{\Fr}{Fr}$

1. We can run a sumcheck of the form $(P \land Q)(x) \eq(x; q)$ over the boolean hypercube.

2. Formally, $(P \land Q)(x)$ is defined as $\sum b_i P_i(x) Q_i(x)$, where $P_i, Q_i$ are the coordinate polynomials of $P, Q$. $P_i$ and $Q_i$ can be expressed through Frobenius twists of $P$ and $Q$, but this is only needed by the verifier at the last stage, so the prover never keeps the twists of $P$ and $Q$.

2.1. The prover does this in $2$ phases. The 1st phase takes $c$ rounds; in it, the prover works roughly as usual, but operates over the quadratic polynomial $P \land Q$, computed on the subset $(0, 1, \infty)^{c+1} \times (0, 1)^{n-c-1}$. On the $i$-th round, $i \leq c$, it keeps the restriction $(P \land Q)(r_0, \ldots, r_{i-1}, x_i, \ldots, x_{n-1})$. When it needs to answer the query - i.e. send the univariate polynomial $$U(t) = \underset{x_{>i}}\sum (P \land Q)(r_{<i}, t, x_{>i}) \eq(r_{<i}, t, x_{>i}; q)$$ it exploits the fact that $\eq(r_{<i}, t, x_{>i}; q)$ splits as $$\eq(r_{<i}, t, x_{>i}; q) = \eq(r_{<i}; q_{<i}) \eq(t; q_i) \eq(x_{>i}; q_{>i})$$ This allows us to avoid manipulating polynomials of degree $3$ directly until the last stage - the factors $\eq(r_{<i}; q_{<i})\, \eq(t; q_i)$ do not depend on $x_{>i}$, and so can be pulled out of the sum. I.e. we compute the sum $$W(t) = \underset{x_{>i}}\sum (P \land Q)(r_{<i}, t, x_{>i}) \eq(x_{>i}; q_{>i})$$ and then adjust it as $U(t) = \eq(r_{<i}; q_{<i}) \eq(t; q_i) W(t)$. This last adjustment is done in coefficient form, while the summation itself is done in evaluation form - i.e. it is just the $3$ sums $W(t)$ for $t = 0, 1, \infty$, which we can compute because we have the evaluations of $(P \land Q)(r_0, \ldots, r_{i-1}, t, x_{i+1}, \ldots, x_{n-1})$ for $t = 0, 1, \infty$.

2.2. After $c$ rounds, the prover no longer has the required data (as we have computed the extension only on the $3^{c+1} \times 2^{n-c-1}$ subset), and cannot proceed further. This is when we change strategy and compute $P_i(r_0, \ldots, r_c, x_{>c})$ and $Q_i(r_0, \ldots, r_c, x_{>c})$ (using the RESTRICT functionality).

2.3. Optimality considerations. The first phase requires work roughly proportional to $(3/2)^{c+1} N$. The second phase requires work roughly proportional to $\frac{128}{2^c} N$. By trial and error, I have found that the optimal inflection point is $c = 5$; however, $c = 4$ and $c = 6$ are somewhat close.

3. A normal sumcheck would end with the prover's claims about the values of $P_i(r), Q_i(r)$. We employ an additional argument to convince the verifier of these values. Namely, for any field element $a$, its $i$-th coordinate $a_i$ satisfies $$a_i = \pi(\gamma_i a)$$ where $$\pi(x) = \underset{0\leq j < 128}\sum \Fr^j(x)$$ and $\gamma_i$ is the basis dual to our standard basis $b_i$ w.r.t. the bilinear form $$\langle x, y \rangle = \pi(xy) = (xy)_0$$ Therefore, our prover actually communicates the values of $(\Fr^j P)(r)$, and the verifier locally recovers the intended $P_i(r)$-s. Moreover, as we assume that the verifier only has access to $P$, we recall that $$(\Fr^j P)(r) = \Fr^j(P(\Fr^{-j} r))$$ and thus this is equivalent to querying the polynomial $P$ on the inverse Frobenius orbit of $r$.
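To make point 3 concrete, here is a minimal runnable sketch (Python, pure and unoptimized, for exposition only) of the twist identity $(\Fr^j P)(r) = \Fr^j(P(\Fr^{-j} r))$ for a small multilinear $P$. Everything here is illustrative rather than the actual implementation: in particular, the modulus $x^{128} + x^7 + x^2 + x + 1$ and all helper names (`gf_mul`, `frob`, `eq_point`, `evaluate`) are our own assumptions. Later sketches in this document reuse these helpers.

```python
import random

MOD = (1 << 128) | 0b10000111  # x^128 + x^7 + x^2 + x + 1, irreducible over F_2

def gf_mul(a: int, b: int) -> int:
    """Multiply in F_{2^128}: carry-less product, then reduction mod MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    for i in range(r.bit_length() - 1, 127, -1):
        if (r >> i) & 1:
            r ^= MOD << (i - 128)
    return r

def frob(x: int, j: int = 1) -> int:
    """j-th Frobenius power x^(2^j); j may be negative, since Fr^128 = id."""
    for _ in range(j % 128):
        x = gf_mul(x, x)
    return x

def eq_point(r: list, bits: list) -> int:
    """Lagrange kernel eq(x; r) at a boolean point x (in char 2, 1 - r_k = r_k ^ 1)."""
    acc = 1
    for rk, bk in zip(r, bits):
        acc = gf_mul(acc, rk if bk else rk ^ 1)
    return acc

def evaluate(table: list, r: list) -> int:
    """Evaluate the multilinear extension of `table` at the point r."""
    acc = 0
    for idx, v in enumerate(table):
        bits = [(idx >> k) & 1 for k in range(len(r))]
        acc ^= gf_mul(v, eq_point(r, bits))
    return acc

rnd = random.Random(0)
n = 3
table = [rnd.getrandbits(128) for _ in range(1 << n)]  # values of P on the cube
r = [rnd.getrandbits(128) for _ in range(n)]
j = 5
# Fr^j P twists the values of P on the cube, so its table is frob(P[i], j)
lhs = evaluate([frob(v, j) for v in table], r)
rhs = frob(evaluate(table, [frob(ri, -j) for ri in r]), j)
assert lhs == rhs
```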
## Multiopening reduction

#### Naive approach

In order for our system to be useful, we need to provide an additional argument which, for a polynomial $P$, reduces the statements about $P(\Fr^i r)$ to a single opening at some different point $r'$.

There is a very classic, standard multiopening argument, which works as follows:

1. For some points $q_0, \ldots, q_{k-1}$ (not necessarily a Frobenius orbit), the prover claims: $$P(q_i) = s_i$$
2. The verifier sends a challenge $u$.
3. Now the prover, trivially, has the following folded claim: $$\underset{i}\sum u^i (P(q_i) - s_i) = 0$$
4. Replace the evaluations with sums over the hypercube and rearrange: $$\underset{i}\sum u^i ((\underset{x} \sum P(x) \eq(x; q_i)) - s_i) = 0$$ $$\underset{x}\sum P(x) (\underset{i}\sum u^i \eq(x; q_i)) = \underset{i} \sum u^i s_i$$
5. Run the sumcheck.

#### Improvement 1

Crucially, for an arbitrary set of opening points $q_i$, this argument requires $kN$ prover work in order to compute $\underset{i}\sum u^i \eq(x; q_i)$. In our case this is unacceptable, as we have $128$ opening points. But they are not random: $\eq(x; \Fr^i r)$ is actually equal to $\Fr^i \eq(x; r)$ (Frobenius is a homomorphism, and the coefficients of $\eq$ are just algebraic expressions in $r$). Therefore, we can write $$\underset{i}\sum u^i \eq(x; \Fr^i r) = \underset{i} \sum u^i \Fr^i \eq(x; r)$$ This means that we can just compute $\eq(x; r)$, and then apply to its values a single $128 \times 128$ boolean matrix $\underset{i}\sum u^i \Fr^i$. This is definitely cheaper than computing each $\eq(x; \Fr^i r)$ separately! However, a matrix application is still a heavy operation (much heavier than a multiplication).
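A sketch of the Improvement 1 folding map (reusing `gf_mul` and `eq_point` from the first code block; `u` stands for the verifier's folding challenge): since $L(v) = \underset{i}\sum u^i \Fr^i(v)$ is $\mathbb{F}_2$-linear, we tabulate its $128$ columns once and then apply it to each value of $\eq(x; r)$ with XORs only.

```python
import random
# assumes gf_mul / eq_point from the first sketch

def fold_columns(u: int) -> list:
    """Column k of the F_2-linear map L(v) = sum_i u^i Fr^i(v), as field elements."""
    cols = []
    for k in range(128):
        v, acc, upow = 1 << k, 0, 1
        for i in range(128):
            acc ^= gf_mul(upow, v)   # add u^i * Fr^i(b_k)
            v = gf_mul(v, v)         # advance b_k along its Frobenius orbit
            upow = gf_mul(upow, u)
        cols.append(acc)
    return cols

def apply_fold(cols: list, v: int) -> int:
    """L(v) as an XOR of the columns selected by the set bits of v."""
    acc, k = 0, 0
    while v:
        if v & 1:
            acc ^= cols[k]
        v >>= 1
        k += 1
    return acc

# check sum_i u^i eq(x; Fr^i r) == L(eq(x; r)) at one boolean point x
rnd = random.Random(4)
r = [rnd.getrandbits(128), rnd.getrandbits(128)]
u = rnd.getrandbits(128)
cols = fold_columns(u)
bits = [1, 0]
direct, upow, orbit = 0, 1, r[:]
for i in range(128):
    direct ^= gf_mul(upow, eq_point(orbit, bits))  # u^i * eq(x; Fr^i r)
    upow = gf_mul(upow, u)
    orbit = [gf_mul(t, t) for t in orbit]          # advance r along the orbit
assert direct == apply_fold(cols, eq_point(r, bits))
```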
#### Improvement 2 (unimplemented, likely unnecessary)

There is an alternative path, which suggests to instead operate with the polynomials $$S_i(x) = \eq(x; r) P_i(x)$$ The main feature here is that $$\eq(x; \Fr^j r) P_i(x) = \Fr^j S_i$$ because $P_i$ has values in $\mathbb{F}_2$, and hence is invariant under the Frobenius mapping. Now, for a reason which will become clear very soon, we will run the sumcheck in the *reverse* order of variables.

**Claim.** On the $j$-th round of the sumcheck, with the previous challenges denoted $r'_{n-1}, r'_{n-2}, \ldots, r'_{n-j}$, it is enough to compute the sums $$\underset{x_{<n-j-1}}\sum S_i(x_{<n-j-1}, t, r'_{>n-j-1}) = \underset{x_{<n-j-1}}\sum \eq(x_{<n-j-1}, t, r'_{>n-j-1}; r)\, P_i(x_{<n-j-1}, t, r'_{>n-j-1})$$ The sum over the $x$-s can then be compressed into $$\eq(r'_{>n-j-1}; r_{>n-j-1})\, \eq(t; r_{n-j-1})\, P_i(r_{<n-j-1}, t, r'_{>n-j-1})$$ This is very efficient, because we *already know* the polynomials $P_i(r_{<n-j-1}, x_{\geq n-j-1})$ from the second phase of our previous algorithm (we currently do not save them, but we could). This allows us to skip the first few rounds almost completely - the remaining sum is proportional in size to $2^j$. This is exactly the reason why we run this sumcheck in the reverse order of variables! After skipping the first few rounds (and no later than when $n-j-1$ reaches $c$) we can just compute $$\sum u^i \eq(x_{<n-j-1}, r'_{\geq n-j-1}; \Fr^i r)$$ by splitting $\eq(x_{<n-j-1}, r'_{\geq n-j-1}; \Fr^i r) = \eq(x_{<n-j-1}; \Fr^i r_{<n-j-1}) \eq(r'_{\geq n-j-1}; \Fr^i r_{\geq n-j-1})$ and computing $$\sum (u^i \eq(r'_{\geq n-j-1}; \Fr^i r_{\geq n-j-1}))\, \eq(x_{<n-j-1}; \Fr^i r_{<n-j-1})$$ The optimization from Improvement 1 can be used here as well, though it is not strictly necessary, as this is already very efficient.

### How to do XORs

The system described above is enough to build ANDplonk - a version of PlonK which supports, together with normal additions and multiplications, a bitwise AND operation. This, however, is not efficient for hashes, the main reason being that additions (XOR operations) would not be free in such an arithmetization. Sumchecks, however, do allow us to perform very efficient linear operations.

Assume we are given some linear matrix $M(y; x)$ (with some efficiency assumptions, stated later). Then the application of this matrix to the vector of values is, by definition, the following sum: $$(MP)(y) = \underset{x}\sum M(y; x) P(x)$$ This allows us to reduce claims about $MP$ to claims about $P$, using the sumcheck: $$(MP)(r) = \underset{x}\sum M(r; x) P(x)$$

Efficiency requirements:

1. The prover must be able to apply the matrix, i.e. compute $MP$ from $P$ efficiently.
2. The prover must be able to apply the transposed matrix, i.e. compute the table $M(r; x) = \underset{y}\sum \eq(y; r) M(y; x)$ (the transposed matrix $M^t$ applied to the table of $\eq(y; r)$) efficiently.

In particular, let us assume that our linear transforms are slightly vectorized, i.e. the matrix actually acts on chunks of size $2^k$ and not on the whole $2^n$. Then we can even compute the following reduced sumcheck: $$\underset{x_{<k}}\sum M(r_{<k}; x_{<k}) P(x_{<k}, r_{\geq k})$$ which reduces the claim about the evaluation of $(MP)(r)$ to an evaluation of $P(r'_{<k}, r_{\geq k})$. This is somewhat better for the verifier (fewer rounds), and much better for the prover *if it knows $P(x_{<k}, r_{\geq k})$ in advance* - which, funnily enough, is exactly what happens in our scenario, due to:

1. $M$ representing the linear part of a round of the keccak hash - and hence being invertible.
2. Us knowing $(MP)(x_{<k}, r_{\geq k})$ from the previous sumcheck, and hence being able to compute $P(x_{<k}, r_{\geq k})$ by applying $M^{-1}$.
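A sanity check of the reduction identity $(MP)(r) = \underset{x}\sum M(r; x) P(x)$, as a sketch (reusing `gf_mul`, `eq_point`, `evaluate` from the first code block; the random boolean `M` is merely a stand-in for a real linear layer such as keccak's):

```python
import random
# assumes gf_mul / eq_point / evaluate from the first sketch
rnd = random.Random(5)
n, N = 3, 1 << 3
M = [[rnd.getrandbits(1) for _ in range(N)] for _ in range(N)]  # F_2 matrix on tables
P = [rnd.getrandbits(128) for _ in range(N)]
r = [rnd.getrandbits(128) for _ in range(n)]

# requirement 1: apply M to the value table of P (pure XORs)
MP = [0] * N
for y in range(N):
    for x in range(N):
        if M[y][x]:
            MP[y] ^= P[x]

# requirement 2: apply M^t to the eq table, producing the table M(r; x)
eq_table = [eq_point(r, [(y >> k) & 1 for k in range(n)]) for y in range(N)]
Mr = [0] * N
for x in range(N):
    for y in range(N):
        if M[y][x]:
            Mr[x] ^= eq_table[y]

# the sumcheck identity: (MP)(r) = sum_x M(r; x) P(x)
lhs = evaluate(MP, r)
rhs = 0
for x in range(N):
    rhs ^= gf_mul(Mr[x], P[x])
assert lhs == rhs
```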
----

# Hashcaster

We construct a succinct proof system with efficient vectorized boolean operations. While it can potentially be used for a lot of different applications, the most obvious one is efficient non-arithmetic hashes. Considering that the resulting proofs are still quite large, we believe that in many cases the system will be embedded into some sort of external SNARK. This motivates our name choice - we call our system Hashcaster, for its ability to turn non-arithmetic hashes into arithmetic ones (as required for verification in the embedding SNARK).

## Idea

Recently, starting from Binius, there has been a lot of attention on extension fields of $\mathbb{F}_2$. Creating proof systems over such fields is challenging; however, by default they provide us *at least* with a very efficient vectorized XOR operation (linear addition over $\mathbb{F}_2$). Our main insight is that we can also express the AND operation (coordinate-wise multiplication) in an appropriate basis through algebraic operations: additions, multiplications and, crucially, the Frobenius morphism. We adapt the sumcheck protocol to Frobenius twists of polynomials.

## Preliminaries

### Representing bitwise AND algebraically

In what follows, we will mainly consider the field $K = \mathbb{F}_{2^{128}}$. This is done mainly for simplicity, and we believe that our results extend to other extensions; this can be done if the need arises.

Let's consider a quadratic extension $\mathbb{F}_{2^{2k}} / \mathbb{F}_{2^{k}}$.

**Definition.** The Artin-Schreier mapping $a_k$ is defined by the formula $$a_k(x) = x^{2^k} - x.$$

**Lemma.** $$\Ker(a_k) = \Im(a_k) = \mathbb{F}_{2^k}$$

**Proof.** Clearly, for every $x \in \mathbb{F}_{2^k}$ it holds that $x^{2^k} - x = 0$ (by the generalized Fermat's little theorem). Conversely, no other element satisfies this property, because the equation $x^{2^k} - x = 0$ cannot have more than $2^k$ roots. This proves that the kernel of $a_k$ is indeed $\mathbb{F}_{2^k}$.

Now, $a_k$ is $\mathbb{F}_2$-linear on $\mathbb{F}_{2^{2k}}$ with kernel of size $2^k$, so its image has cardinality $2^{2k} / 2^k = 2^k$; to prove that it coincides with $\mathbb{F}_{2^k}$ it is enough to see that every element $s \in \mathbb{F}_{2^k}$ has a preimage in $\mathbb{F}_{2^{2k}}$: $x^{2^k} - x = s$. Indeed, this equation has a root $x_0$ in the algebraic closure, and any such root satisfies $x_0^{2^{2k}} = (x_0^{2^k})^{2^k} = (x_0 + s)^{2^k} = (x_0 + s) + s = x_0$ (using $s^{2^k} = s$), hence $x_0 \in \mathbb{F}_{2^{2k}}$. $\blacksquare$

**Definition.** Now, we compose the $a_k$-s through the tower of extensions $\mathbb{F}_{2^{128}} \supset \mathbb{F}_{2^{64}} \supset \cdots \supset \mathbb{F}_2$: $$\pi(x) = a_1 \circ a_2 \circ a_4 \circ \cdots \circ a_{64}\,(x)$$

**Lemma.** $$\Im(\pi) = \mathbb{F}_2$$

The proof is obvious (applying the facts that we already know about the $a_k$-s). We will frequently abuse notation and treat $\pi$ as an $\mathbb{F}_2$-valued linear function on the space $\mathbb{F}_2^{128}$.

Now, pick any $\mathbb{F}_2$-basis $r_0, \ldots, r_{127}$ of $K$. We define the linear functions $\pi_i(x) = \pi(r_i x)$. Note that these are also linearly independent.

**Definition.** The chosen basis $b_0, \ldots, b_{127}$ is the basis dual to the $\pi_i$-s, i.e. the one satisfying $\pi_i(b_j) = \delta_{ij}$.

**Lemma.** Actually, any basis can be obtained this way for an appropriate choice of the $r$-s, because the mapping $r \mapsto \pi(rx)$ is an isomorphism onto the dual space.

**Proof.** Assume the converse. Then there is some $r \neq 0$ such that the linear function $x \mapsto \pi(rx)$ is identically $0$. However, we know that $\pi$ is nonzero, and substituting $x = y/r$ we recover the original $\pi$ - a contradiction. The mapping is therefore injective, hence an isomorphism, and so for any basis $b_i$ the corresponding collection $r_i$ can be found. $\blacksquare$

We will normally choose the basis $b$ to coincide with our main computation basis, and find the $r_i$-s using this procedure. This allows us to express bitwise AND (in the basis $b_i$) through an algebraic formula: $$x \land y = \underset{i}\sum b_i \pi_i(x) \pi_i(y)$$ Moreover, this formula is actually quadratic in $x$, $y$ and their Frobenius twists.

### Linearized formula for $\pi$

We observe that $\pi(x)$ actually admits a rather simple expression: $$\pi(x) = \underset{i}\sum \Fr^i(x)$$ i.e. it is the sum over the whole Frobenius orbit. One can show that the composition of such mappings along a sequence of extensions is once again a mapping of this form.
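A sketch of this machinery (reusing `gf_mul` from the first code block; the Gram-matrix route to the dual basis is our own illustrative choice, not necessarily the implementation's): it computes the $\gamma_i$ dual to the standard bit basis $b_i = x^i$ under $\langle x, y \rangle = \pi(xy)$, then checks the coordinate-extraction identity $a_i = \pi(\gamma_i a)$ and the AND formula.

```python
import random
# assumes gf_mul from the first sketch

def pi(x: int) -> int:
    """Absolute trace pi(x) = sum of Fr^i(x) over the whole orbit; lands in {0, 1}."""
    acc = 0
    for _ in range(128):
        acc ^= x
        x = gf_mul(x, x)
    return acc

# Gram matrix G[i][j] = pi(b_i * b_j) = pi(x^(i+j)); only 255 distinct traces needed
tr = []
for m in range(255):
    h = min(m, 127)
    tr.append(pi(gf_mul(1 << h, 1 << (m - h))))
G = [sum(tr[i + j] << j for j in range(128)) for i in range(128)]  # rows as 128-bit ints

def invert_f2(rows: list) -> list:
    """Gauss-Jordan inversion of an F_2 matrix whose rows are given as integers."""
    n = len(rows)
    aug = [rows[i] | (1 << (n + i)) for i in range(n)]  # [A | I], identity in high bits
    for col in range(n):
        piv = next(r for r in range(col, n) if (aug[r] >> col) & 1)
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and (aug[r] >> col) & 1:
                aug[r] ^= aug[col]
    return [row >> n for row in aug]

# gamma_i = sum_j (G^{-1})[i][j] b_j, i.e. row i of G^{-1} read as a field element
gamma = invert_f2(G)

rnd = random.Random(1)
a, b = rnd.getrandbits(128), rnd.getrandbits(128)
# coordinate extraction: bit i of a equals pi(gamma_i * a)
assert all(pi(gf_mul(gamma[i], a)) == ((a >> i) & 1) for i in range(128))
# AND formula: a & b == sum_i b_i * pi_i(a) * pi_i(b)
acc = 0
for i in range(128):
    acc ^= (1 << i) * (pi(gf_mul(gamma[i], a)) & pi(gf_mul(gamma[i], b)))
assert acc == a & b
```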
### Frobenius twists of polynomials

Consider a polynomial $P$ (potentially multivariate), given in coefficient form. Let us denote by $P_{>>k}$ the application of the $k$-th power of the Frobenius mapping to its coefficients. Then it is well known that $$P_{>>k}(x) = \Fr^k(P(\Fr^{-k}(x)))$$ (or, explicitly, $(P(x^{1/p^k}))^{p^k}$). Note that this operation also applies the Frobenius mapping to the *values* of the polynomial at points defined over $\mathbb{F}_2$. This is extremely important, as the sumcheck will operate on the boolean hypercube $\mathbb{B}^n = \{0, 1\}^n$.

In what follows, we will frequently need to compute the values of a polynomial on a Frobenius orbit. We give an efficient prover for this subroutine.

### Efficiently evaluating a multilinear polynomial on a Frobenius orbit

Suppose we are given a multilinear polynomial $P(x)$ in evaluation form (we will denote the corresponding table of values $P[i]$). We want to compute it at the points $$r, r^2, r^{2^2}, \ldots, \Fr^i(r), \ldots$$ Using the formulas from the previous section, we know that $P(\Fr^{-i}(r)) = \Fr^{-i}(P_{>>i}(r))$. Naively, this would require us to compute all Frobenius shifts of $P$ and evaluate each of them.

**Naive cost** (counting only asymptotic terms):

1. $N$ multiplications to compute the Lagrange kernel $\eq(x; r)$.
2. $128N$ Frobenius applications to compute the shifts of $P$.
3. $128N$ multiplications and $128N$ additions to compute the inner products of the shifts with the Lagrange kernel.

This cost is very significant, and would render the protocol completely impractical. We suggest the following improved method (a runnable sketch is given at the end of these preliminaries):

1. We split $P$ in the standard basis, obtaining $128$ tables with values in $\mathbb{F}_2$: $$P(x) = \underset{i < 128}\sum b_i P_i(x)$$
2. We evaluate each $P_i(r)$, and compute their Frobenius orbits as $P_i(\Fr^j(r)) = \Fr^j(P_i(r))$, which holds because the values of $P_i$ live in $\mathbb{F}_2$.
3. We linearly combine the results back: $P(\Fr^j(r)) = \underset{i < 128}\sum b_i \Fr^j(P_i(r))$.

Then we can estimate the **improved cost**:

1. $N$ multiplications to obtain $\eq(x; r)$.
2. $128N$ additions and $128N$ conditional choices (multiplications by a bit) to compute all the $P_i(r)$.
3. Constant work to combine the results back.

This makes such an orbit evaluation comparable in cost to a single evaluation.

### Efficiently convincing the verifier about these evaluations (DEPRECATED, SEE THE REAL METHOD ABOVE)

Assume that we are given a polynomial $P$, and we are trying to convince the verifier that $P(\Fr^i(r)) = c_i$. The polynomial is committed, so we can open it at any single point. Then there is a standard sumcheck argument reducing multiple openings (at points $r_i$) to a single one: the verifier sends a challenge value $\gamma$, and we perform the sumcheck for the following equation: $$\underset{x}\sum P(x) (\underset{i}\sum \gamma^i \eq(x; r_i)) = \underset{i}\sum \gamma^i c_i$$ At the end of the sumcheck, $x$ will be specialized to some single random value $r'$, and the verifier will only need to check the single opening $P(r')$ and compute a constant number of values $\eq(r'; r_i)$. So this sumcheck is very efficient for the verifier; the question is how to make it efficient for the prover. Naively evaluating the $\eq(x; r_i)$ is out of the question. We suggest the following improved method:

1. Split $r$ into halves $(r_{-} | r_{+})$, and $x$ accordingly into $(x_{-} | x_{+})$.
2. Perform the sumcheck $$\underset{x_{-}}\sum \underset{i}\sum \gamma^i P(x_{-} | \Fr^i(r_{+}))\, \eq(x_{-}; \Fr^i(r_{-}))$$ Note that we can evaluate the tables $P(x_{-} | \Fr^i(r_{+}))$ efficiently, using the argument from the previous section (for each $x_{-}$). The tables $\eq(x_{-}; \Fr^i(r_{-}))$ will be evaluated naively, which requires $128\sqrt{N}$ multiplications.
3. This sumcheck spits out a specialization $x_{-} \rightarrow r'_{-}$, and now we are required to compute the evaluations $P(r'_{-} | \Fr^i(r_{+}))$.
4. This is the normal naive protocol from before.

This method is efficient provided that $\sqrt{N} \gg 128$, which happens in all realistic scenarios.

### Evaluating $P \land Q$ at a point

An important prover subroutine is evaluating the quadratic polynomial $P \land Q = \underset{i}\sum b_i \pi_i(P) \pi_i(Q)$ at a point. The simplest approach is just computing its coefficients (there are $3^n = N^{\log_2 3}$ of them) and evaluating it directly. There are somewhat better approaches if $N$ is large enough: one can compute $P_i = \pi_i(P)$ and $Q_i = \pi_i(Q)$, evaluate them at $r$ (which requires $256N$ additions, because these polynomials are over $\mathbb{F}_2$), and compute $\underset{i}\sum b_i P_i(r) Q_i(r)$. For very small $N$-s this method is worse, because it hides the constant of $256$ multiplications needed to combine the evaluations $P_i(r)$ and $Q_i(r)$ into a single answer.
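The promised sketch of the improved orbit evaluation (reusing `gf_mul`, `frob`, `eq_point`, `evaluate` from the first code block): split $P$ into $\mathbb{F}_2$-valued coordinate tables, evaluate each $P_i(r)$ by conditional XORs of eq-table entries, then read the whole orbit off as $P(\Fr^j(r)) = \underset{i}\sum b_i \Fr^j(P_i(r))$.

```python
import random
# assumes gf_mul / frob / eq_point / evaluate from the first sketch
rnd = random.Random(2)
n, N = 3, 1 << 3
P = [rnd.getrandbits(128) for _ in range(N)]
r = [rnd.getrandbits(128) for _ in range(n)]

eq_table = [eq_point(r, [(x >> k) & 1 for k in range(n)]) for x in range(N)]
Pi_at_r = [0] * 128                 # Pi_at_r[i] accumulates P_i(r)
for x in range(N):
    for i in range(128):
        if (P[x] >> i) & 1:         # conditional choice: bit i of P[x]
            Pi_at_r[i] ^= eq_table[x]
# (this is the "128N additions and 128N conditional choices" term)

def orbit_eval(j: int) -> int:
    """P(Fr^j(r)) reconstructed from the P_i(r) by twisting each coordinate."""
    acc = 0
    for i in range(128):
        acc ^= gf_mul(1 << i, frob(Pi_at_r[i], j))
    return acc

for j in (1, 7):                    # compare with direct evaluation at the twisted point
    assert orbit_eval(j) == evaluate(P, [frob(rk, j) for rk in r])
```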
## Combining it together: ANDCHECK

We would like to compute the following sumcheck on the boolean hypercube: $$\underset{x \in \mathbb{B}^n}\sum (P(x) \land Q(x)) \times \eq(x; q)$$ where $P \land Q$ is treated as a quadratic formula depending on the Frobenius twists of $P$ and $Q$.

Let's recall that the prover's response is a univariate polynomial of degree $3$ defined as: $$U_i(t) = \underset{x_{>i} \in \mathbb{B}^{n-i-1}}\sum (P \land Q)(r_{<i}, t, x_{>i}) \times \eq(r_{<i}, t, x_{>i}; q)$$ which can be rearranged as $$U_i(t) = \eq(r_{<i}; q_{<i}) \eq(t; q_i) \underset{x_{>i} \in \mathbb{B}^{n-i-1}}\sum (P \land Q)(r_{<i}, t, x_{>i}) \times \eq(x_{>i}; q_{>i})$$ which drops the degree in $t$ under the summation to $2$. Our main problem now is computing the restriction $(P \land Q)(r, \_)$, for which we have discussed some approaches in the previous section. We split our protocol into $2$ phases.

**Phase 1:** This phase consists of $c$ rounds, and we start by computing the table of evaluations of $P$, $Q$ on the extended set $(0, 1, \infty)^{c+1} \times (0, 1)^{n-c-1}$ of size $3^{c+1} \cdot 2^{n-c-1}$. This requires us to compute $3^{c+1} 2^{n-c-1} - 2^n$ additions (XORs). Then we also evaluate $P \land Q$ on this whole subset, which requires $3^{c+1} 2^{n-c-1}$ evaluations of $\land$ (of which the $2^n$ on the cube itself, presumably, were already done).

*Note:* this work will be insignificant compared to what is done next; however, this tradeoff might change if instead of $\land$ we use a more involved arithmetic circuit with multiple inputs and multiple arithmetic operations.

Next, we are ready to respond to the verifier's challenges. The prover enters the first round and does the following:

1. Compute the evaluations of $(P \land Q)(t, x_{>0})$ for $t \in \{0, 1, \infty\}$, and add them up multiplied by $\eq(x_{>0}; q_{>0})$. This requires $3 \cdot 2^{n-1}$ multiplications.
2. Obtain the challenge $r_0$ from the verifier.
3. Restrict the table to $r_0$. This represents the bulk of the work, taking $3^{c+1} 2^{n-c-1}$ multiplications.

**Phase 2:** In Phase 2, we explicitly maintain the polynomials $P_i = \pi_i(P)$, $Q_i = \pi_i(Q)$. This slows us down a lot, so it makes sense to search for some balance. We believe $c = 5$ should provide a reasonable tradeoff.
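To make Phase 1 concrete, here is a minimal sketch of the first round in the $c = 0$ case, reusing `gf_mul` / `eq_point` from the first code block (the names and the toy size are assumptions). The $(0, 1, \infty)$-extended table of $P \land Q$ is built with plain bitwise ANDs - the coordinates of the $\infty$-slice (the leading $t$-coefficient) are still $\mathbb{F}_2$-valued - then $W(t)$ is accumulated against the eq table, and the table is restricted to the challenge $r_0$ by interpolating each quadratic from its three values.

```python
import random
# assumes gf_mul / eq_point from the first sketch
rnd = random.Random(3)
n, N = 4, 1 << 4
P = [rnd.getrandbits(128) for _ in range(N)]
Q = [rnd.getrandbits(128) for _ in range(N)]
q = [rnd.getrandbits(128) for _ in range(n)]  # the evaluation point of the claim

# split along variable 0 (stored in the low bit of the index)
P0, P1 = P[0::2], P[1::2]
Q0, Q1 = Q[0::2], Q[1::2]
# extended table of A = P ∧ Q at t = 0, 1, ∞; coordinates stay in F_2, so ∧ is still &
A = {0:     [p & s for p, s in zip(P0, Q0)],
     1:     [p & s for p, s in zip(P1, Q1)],
     'inf': [(p0 ^ p1) & (s0 ^ s1)
             for p0, p1, s0, s1 in zip(P0, P1, Q0, Q1)]}

eq_rest = [eq_point(q[1:], [(x >> k) & 1 for k in range(n - 1)]) for x in range(N // 2)]
W = {t: 0 for t in A}               # W(t) = sum_x A[t][x] * eq(x; q_{>0})
for t in A:
    for x in range(N // 2):
        W[t] ^= gf_mul(A[t][x], eq_rest[x])

# sanity check: U(0) + U(1) must equal the original claim, with U(t) = eq(t; q_0) W(t)
claim = 0
for x in range(N):
    claim ^= gf_mul(P[x] & Q[x], eq_point(q, [(x >> k) & 1 for k in range(n)]))
assert gf_mul(q[0] ^ 1, W[0]) ^ gf_mul(q[0], W[1]) == claim

# after the verifier's challenge r0, restrict each quadratic to t = r0:
# f(r0) = f(0) + (f(0) + f(1) + f(inf)) * r0 + f(inf) * r0^2
r0 = rnd.getrandbits(128)
r0sq = gf_mul(r0, r0)
A_r0 = [A[0][x] ^ gf_mul(A[0][x] ^ A[1][x] ^ A['inf'][x], r0) ^ gf_mul(A['inf'][x], r0sq)
        for x in range(N // 2)]
```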