Checking univariate identities in linear time

By Justin Drake && Ariel Gabizon && Izaak Meckler

Let

The typical way to do such checks is via computing a quotient, e.g.

Comparison to hyperplonk

Lately, people have been using sumcheck and multilinear polynomials to get

In general, for an identity

Depending on the structure of

Preliminaries

Denote by

We make frequent use of how this decomposition behaves under multiplication. For example, given polys

We make crucial use of the fact that

Lemma:
Given polys

proof:
Suppose that

Similarly, we can argue the above implies

In the other direction, assume

Basic case - a Hadamard check

Given KZG commitments to polynomials

1. The prover interpolates on

   $H^{\prime }$ three polynomials of deg
   $<n/2$
   • $h_0:=f_e\cdot g_{e}mod{Z}_{H^{\prime }}$
   • $h_1:=f_e\cdot g_o+f_o\cdot g_{e}mod{Z}_{H^{\prime }}$
   • $h_2:=f_o\cdot g_{o}mod{Z}_{H^{\prime }}$
     Note that this can be done in
     $O(n)$ operations:
     we can compute
     $f_e,f_o,g_e,g_o$ on any point
     $a^2\in H^{\prime }$ using
     the values of
     $f,g$ on
     $a,-a\in H$.
     And thus in
     $O(n)$ time we can compute representations to
     $h_0,h_1,h_2$
     in the Lagrange base
     $L^{\prime }$ of
     $H^{\prime }$.

2. The prover computes and sends

   $KZG$-commitments to
   $h_0,h_1,h_2$.
   This can be done in
   $O(n)$
   $G_1$ operations, assuming we precompute the commitments to the basis functions in
   $L^{\prime }$.

3. The prover shows that

   • $h_e=h_0+X^2{h}_2$.
   • $h_o=h_1$.
     by the verifier choosing random
     $\alpha \in F$ and checking that
     
     $$h(\alpha )=h_0({\alpha }^2)+{\alpha }^2{h}_2({\alpha }^2)+\alpha \cdot h_1({\alpha }^2).$$

4. Verifier chooses random

   $r\in F$.

5. Prover sends commitments to

   $f^{\prime }=f_e+r\cdot f_o,g^{\prime }=g_e+r\cdot g_o$.

6. Verifier checks these commitments are correct at

   $\gamma ={\beta }^2$ for random
   $\beta$ (using the fact that
   $f_e(\gamma ),f_o(\gamma )$ can be evaluated using
   $f(\beta ),f(-\beta )$).

7. The verifier computes the commitment to

   $h^{\prime }:=h_0+r{h}_1+r^2{h}_2$ from the commitments to
   $h_0,h_1,h_2$.

8. Prover and verifier recursively run the protocol to check that

   $f^{\prime }\cdot g^{\prime }=h^{\prime }$ on
   $H^{\prime }$.

Efficiency:
We have

Soundness
Since

• $f_e{g}_e=h_0$ on
  $H^{\prime }$
• $f_e{g}_o+f_o{g}_e=h_1$ on
  $H^{\prime }$,
• $f_o{g}_o=h_2$ on
  $H^{\prime }$

as the coefficient of each power of

• $(f\cdot g{)}_e=f_e\cdot g_e+X^2{f}_o\cdot g_o$
• $(f\cdot g{)}_o=f_e\cdot g_o+f_o\cdot g_e$

it follows that the recursive check tells us that on

• $(f\cdot g{)}_e=h_e$
• $(f\cdot g{)}_o=h_o$

which from the lemma tells us that

General Identities

In the general case, we have committed polynomials

We will similarly reduce to a check over

For some

To start, we need a slightly cumbersome definition.
Given

For example, when

• $P_0=X_1{X}_2{X}_3$
• $P_1=X_1{X}_2{Y}_3+X_1{Y}_2{X}_3+Y_1{X}_2{X}_3$
• $P_2=X_1{Y}_2{Y}_3+Y_1{Y}_2{X}_3+Y_1{X}_2{Y}_3$
• $P_3=Y_1{Y}_2{Y}_3$

1. The prover computes on

   $H^{\prime }$ the evaluations of
   $d+1$ polynomials
   $h_0,\dots ,h_d$ of deg
   $<n/2$. Where
   
   $$h_i:=P_i(f_{1,e},\dots ,f_{k,e},f_{1,o},\dots ,f_{k,o})mod{Z}_{H^{\prime }}$$

   We claim the evaluations of the

   $\{h_i\}$ can be computed by
   $O(n\cdot d)$ evaluations of
   $P$ and
   $O(n\cdot (k+d\log d))$ additional field operations.

   To that end let

   $D\subseteq F$ be a smooth domain of size at least
   $d+1$. In practice when using power-of-two size domains,
   $D$ will have size equal to the smallest power of two greater than
   $d$, so size at most
   $2d$.

   • For each

     $a\in H^{\prime }$, we will simultaneously compute
     $h_0(a),\dots ,h_d(a)$:
     • Consider the univariate polynomial
       
       $$p_a(Z):=P(f_{1,e}(a)+Z{f}_{1,o}(a),\dots ,f_{k,e}(a)+Z{f}_{k,o}(a))$$
       For each
       $\delta \in D$, compute
       $p_a(\delta )$. Note that since we have access to the evalutions of the
       $f_{i,e}$ and
       $f_{i,o}$ on
       $H^{\prime }$, the computation of
       $p_a(\delta )$ only involves
       $k$ multiplications and additions followed by an evaluation of
       $P$.
       Then perform an iFFT on those evaluations to obtain the coefficients of
       $p_a$. By definition of the
       $P_j$,
       $p_a(Z)$ is equal to
       
       $$\sum _{j=0}^d{Z}^j{P}_j(f_{1,e}(a),\dots ,f_{k,e}(a),f_{1,o}(a),\dots ,f_{k,o}(a))=\sum _{j=0}^d{h}_j(a)Z^j$$
       Therefore, the coefficients of
       $p_a$ that we have computed are precisely
       $h_0(a),\dots ,h_d(a)$ as desired.

   This procedure involves

   $\frac{n}{2}\cdot d$ evaluations of
   $P$ and
   $\frac{n}{2}$ FFTs of size
   $O(d)$, which gives it the claimed efficiency.

2. The prover computes and sends

   $KZG$-commitments to
   $$h_0,h_1,\dots h_d$$.
   This takes
   $O(dn)$
   $G_1$ operations, assuming we precompute the commitments to the basis functions in
   $L^{\prime }$.

3. The prover shows that

   • $h_e=\sum _{i=0}^{d/2}{X}^{2i}{h}_{2i}(X)$.
   • $h_o=\sum _{i=0}^{d/2-1}{X}^{2i}{h}_{2i+1}(X)$.
     by the verifier choosing random
     $\alpha \in F$ and checking that
     
     $$h(\alpha )=\sum _{i=0}^d{\alpha }^i{h}_i({\alpha }^2)$$

4. Verifier chooses random

   $r\in F$.

5. For

   $i\in [k]$, the Prover sends commitments to
   $f_i^{\prime }=f_{i,e}+r\cdot f_{i,o}$.

6. Verifier checks these commitments are correct at

   $\gamma ={\beta }^2$ for random
   $\beta$ (using the fact that
   $f_{i,e},f_{i,o}$ can be evaluated using
   $f_i(\beta ),f_i(-\beta )$).

7. The verifier computes the commitment to

   $h^{\prime }:=\sum _{i=0}^d{r}^i{h}_i$ from the commitments to
   $\{h_i\}$.

8. Prover and verifier recursively run the protocol to check that

   $P(f_1^{\prime },\dots ,f_k^{\prime })=h^{\prime }$ on
   $H^{\prime }$.

Soundness
Similarly, to the Hadamard check case, one can check the protocol guarantees

• $P(f_1,\dots ,f_k{)}_e=h_e$
• $P(f_1,\dots ,f_k{)}_o=h_o$
  on
  $H^{\prime }$.

Which from the lemma tells us that