Computing the sum-check round's polynomial

Setup

Recall from our previous note that the Specialized Sum-Check protocol allows to prove a statement of the form

\sum_{(x_{0}, \dots, x_{v}) \in {0, 1}^{v + 1}} g (f_{0} (x_{0}, \dots, x_{v}), \dots, f_{m} (x_{0}, \dots, x_{v})) = C,

where

f_{0}, \dots, f_{m}

are multi-linear polynomials defined over some field

F

g

is any multivariate polynomial

F^{v + 1} \to F

, and

C

is some arbitrary value. During each round of the protocol, the prover is asked to build the following univariate polynomial:

s_{i} (X_{0}) = \sum_{(x_{i + 1}, \dots, x_{v}) \in {0, 1}^{v - i}} g (f_{0} (r_{0}, \dots, r_{i - 1}, X_{0}, x_{i + 1}, x_{v}), \dots, f_{m} (r_{0}, \dots, r_{i - 1}, X_{0}, x_{i + 1}, x_{v})),

where

r_{0}, \dots, r_{i - 1}

are random variables from the previous rounds.

In this note, we will discuss how to efficiently compute that polynomial

s_{i}

Preliminaries

Polynomials can either be stored in coefficient form, or evaluation form. For example, given a simple polynomial

f (x) = a x + b

, we could store

f

coefficient form:
$[a, b]$
evaluation form:
$[f (0), f (1)]$

In general, for a polynomial of degree

d

, we need to store

d + 1

distinct evaluations. Barycentric evaluation is an algorithm that can be used to evaluate a polynomial stored in evaluation form.

We will be storing

s_{i}

using evaluation form. Specifically, we will limit

s_{i}

to be at most degree

d

, and store

s_{i}

[s_{i} (0), s_{i} (1), . . ., s_{i} (d)]

Also, the multi-linear

f_{0}, \dots, f_{m}

will have the evaluations of

r_{0}, \dots, r_{i - 1}

already bound. That is, we will actually be working with some similar

f_{j}^{'}

, defined as

f_{j}^{'} (x_{i}, \dots, x_{v}) = f_{j} (r_{0}, \dots, r_{i - 1}, x_{i}, \dots, x_{v})

. Therefore, the sum-check round univariate polynomial

s_{i}

will actually be built as:

s_{i} (X_{0}) = \sum_{(x_{i + 1}, \dots, x_{v}) \in {0, 1}^{v - i}} g (f_{0}^{'} (X_{0}, x_{i + 1}, x_{v}), \dots, f_{m}^{'} (X_{0}, x_{i + 1}, x_{v}),),

Key multi-linear polynomial identity

Our algorithm will make use of a very useful identity of affine functions.

Let's begin with a simple univariate affine function:

h (x) = a x + b

. The identity is:

h (x) = (1 - x) h (0) + x h (1)

This is relatively easy to show:

\begin{aligned} (1 - x) h (0) + x h (1) & = (1 - x) b + x (a + b) \\ = b - b x + a x + b x \\ = b + a x \\ = h (x) \end{aligned}

Note that multi-linear polynomials are affine in each of their variables. For example, take a 2-variate multi-linear function

h_{2} (x_{0}, x_{1}) = a x_{0} x_{1} + b x_{0} + c x_{1} + d

. We will show that it is affine in

x_{0}

\begin{aligned} h_{2} (X_{0}, x_{1}) & = a X_{0} x_{1} + b X_{0} + c x_{1} + d \\ = (a x_{1} + b) X_{0} + (c x_{1} + d) \end{aligned}

We used a capitalized

X_{0}

to accentutate the fact that we're treating

x_{1}

as constant. Since

(a x_{1} + b)

and

(c x_{1} + d)

are constants, then

h_{2}

is affine in

X_{0}

. The same argument can be used to show that

h_{2}

is affine in

x_{1}

as well. And this is not limited to only 2 variables - it is true for any arbitrary number of variables.

Hence, our identity for multi-linear polynomials becomes:

h (x_{0}, x_{1}, \dots, x_{v}) = (1 - x_{0}) \times h (0, x_{1}, \dots, x_{v}) + x_{0} \times h (1, x_{1}, \dots, x_{v})

Use of the key identity in the algorithm

In the algorithm described below, we will need to evaluate

s_{i}

at successive points:

s_{i} (0), s_{i} (1), \dots, s_{i} (d)

. Ultimately, this will translate into evaluating each multilinear

f_{j}^{'}

similarly:

f_{j}^{'} (0, x_{i + 1}, \dots, x_{v}), f_{j}^{'} (1, x_{i + 1}, \dots, x_{v}), \dots, f_{j}^{'} (d, x_{i + 1}, \dots, x_{v})

, for all

(x_{i + 1}, \dots, x_{v}) \in {0, 1}^{v - i}

For each instantiation of

(x_{i + 1}, \dots, x_{v})

, instead of naively evaluating

f_{j}^{'}

some

d + 1

times, we will only evaluate it twice:

f_{j}^{'} (0, x_{i + 1}, \dots, x_{v})

and

f_{j}^{'} (1, x_{i + 1}, \dots, x_{v})

. Then, we use the identity to get all the other evaluations:

$f_{j}^{'} (2, x_{i + 1}, \dots, x_{v}) = - 1 \times f_{j}^{'} (0, x_{i + 1}, \dots, x_{v}) + 2 \times f_{j}^{'} (1, x_{i + 1}, \dots, x_{v})$
$f_{j}^{'} (3, x_{i + 1}, \dots, x_{v}) = - 2 \times f_{j}^{'} (0, x_{i + 1}, \dots, x_{v}) + 3 \times f_{j}^{'} (1, x_{i + 1}, \dots, x_{v})$
$\dots$
$f_{j}^{'} (d, x_{i + 1}, \dots, x_{v}) = - (d + 1) \times f_{j}^{'} (0, x_{i + 1}, \dots, x_{v}) + d \times f_{j}^{'} (1, x_{i + 1}, \dots, x_{v})$

The algorithm

To simplify the notation, in this algorithm we will make use of vector addition and scalar mutliplication. That is, if
$v_{1} = [a, b, c]$ and
$v_{2} = [d, e, f]$ , then
$v_{1} + v_{2} = [a + d, b + e, c + f]$ , and
$42 * v_{1} = [42 * a, 42 * b, 42 * c]$ .

The goal of the algorithm is to compute

s_{i} (X_{0})

, which concretely, means computing

s_{i} (0), s_{i} (1), \dots, s_{i} (d)

, since

s_{i}

is stored in evaluation form as previously discussed.

let
$s_{a c c} = [0, \dots, 0]$ be an array of
$d + 1$ variables initialized to
$0$ that will ultimately hold the evaluations of
$s_{i}$ at
$0, 1, \dots, d$ .
- The "acc" stands for "accumulator", as for each round of the coming loop, we will "accumulate" the results in this array.
- Only by the end of the loop will
  $s_{a c c}$ contain the evaluations
  $s_{i} (0), \dots, s_{i} (d)$ .
For each
$(x_{i + 1}, \dots, x_{v}) \in {0, 1}^{v - i}$
- Let
  $e v a l s_{0} = [f_{0}^{'} (0, x_{i + 1}, \dots, x_{v}), \dots, f_{m}^{'} (0, x_{i + 1}, \dots, x_{v})]$
- Let
  $e v a l s_{1} = [f_{0}^{'} (1, x_{i + 1}, \dots, x_{v}), \dots, f_{m}^{'} (1, x_{i + 1}, \dots, x_{v})]$
- Update
  $s_{a c c}$
  - $s_{a c c} [0] + = g (e v a l s_{0})$
  - $s_{a c c} [1] + = g (e v a l s_{1})$
  - $s_{a c c} [2] + = g (2 * e v a l s_{1} - e v a l s_{0})$
  - $s_{a c c} [3] + = g (3 * e v a l s_{1} - 2 * e v a l s_{0})$
  - $\dots$
  - $s_{a c c} [d] + = g (d * e v a l s_{1} - (d - 1) * e v a l s_{0})$
Return
$s_{a c c}$

Setup

Preliminaries

Key multi-linear polynomial identity

Use of the key identity in the algorithm

The algorithm

Read more

Basefold

LogUp-GKR

LogUp

The Sum-Check Protocol