Verify all proofs

Suppose you have a polynomial

P

, and the sample proofs

Q_{i} = ⌊ \frac{P}{X^{16} - ω^{i * 16}} ⌋

Goal: verify all proofs.

Note that for all

i

Q_{i} * (X^{16} - ω^{i * 16}) = P - I_{i}

, where

I_{i}

is the

d e g < 16

interpolant of the i'th subgroup.

We can combine all of these equations with a random linear combination:

\sum Q_{i} * (X^{16} - ω^{i * 16}) * r_{i} = \sum (P - I_{i}) * r_{i}

Now let us play with this equation:

\sum (Q_{i} * r_{i}) * X^{16} - \sum (Q_{i} * w^{i * 16} * r_{i}) = P * \sum r_{i} - \sum (I_{i} * r_{i})

We now convert this into a pairing equation:

e (\sum (Q_{i} * r_{i}), [X^{16}]) \div e (\sum (Q_{i} * w^{i * 16} * r_{i}), [1]) = e (P * \sum r_{i} - \sum (I_{i} * r_{i}), [1])

Let us go through this term-by-term.

$\sum (Q_{i} * r_{i})$ is a simple size
$\frac{N}{16}$ fast linear combination.
$\sum Q_{i} * w^{i * 16} * r_{i}$ is a simple size
$\frac{N}{16}$ fast linear combination.
$P * \sum r_{i}$ is a multiplication after N field operations
$\sum (I_{i} * r_{i})$ involves the calculation of
$\frac{N}{16}$ size-16 interpolants; with Lagrange interpolation this can be done in
$\approx 16 * N$ field operations; FFTs may speed this up but at these small scales only slightly. Adding up the interpolants and converting the result into a point is trivial.