Recall from our previous note that the Specialized Sum-Check protocol allows to prove a statement of the form
where are multi-linear polynomials defined over some field , is any multivariate polynomial , and is some arbitrary value. During each round of the protocol, the prover is asked to build the following univariate polynomial:
where are random variables from the previous rounds.
In this note, we will discuss how to efficiently compute that polynomial .
Polynomials can either be stored in coefficient form, or evaluation form. For example, given a simple polynomial , we could store as
In general, for a polynomial of degree , we need to store distinct evaluations. Barycentric evaluation is an algorithm that can be used to evaluate a polynomial stored in evaluation form.
We will be storing using evaluation form. Specifically, we will limit to be at most degree , and store as .
Also, the multi-linear will have the evaluations of already bound. That is, we will actually be working with some similar , defined as . Therefore, the sum-check round univariate polynomial will actually be built as:
Our algorithm will make use of a very useful identity of affine functions.
Let's begin with a simple univariate affine function: . The identity is:
This is relatively easy to show:
Note that multi-linear polynomials are affine in each of their variables. For example, take a 2-variate multi-linear function . We will show that it is affine in :
We used a capitalized to accentutate the fact that we're treating as constant. Since and are constants, then is affine in . The same argument can be used to show that is affine in as well. And this is not limited to only 2 variables - it is true for any arbitrary number of variables.
Hence, our identity for multi-linear polynomials becomes:
In the algorithm described below, we will need to evaluate at successive points: . Ultimately, this will translate into evaluating each multilinear similarly: , for all .
For each instantiation of , instead of naively evaluating some times, we will only evaluate it twice: and . Then, we use the identity to get all the other evaluations:
To simplify the notation, in this algorithm we will make use of vector addition and scalar mutliplication. That is, if and , then , and .
The goal of the algorithm is to compute , which concretely, means computing , since is stored in evaluation form as previously discussed.