A simple multivariate AIR argument inspired by SuperSpartan

We will consider the following basic version of AIR. Let

F

be a finite field and let

F \in F [X_{0}, \dots, X_{2 C - 1}]

be a constraint polynomial. An AIR witness for this instance is a table of

C

columns

z_{0}, \dots, z_{C - 1}

of size

n = 2^{v}

such that for all

i = 0, \dots, n - 2

F (z_{0} [i], \dots, z_{C - 1} [i], z_{0} [i + 1], \dots, z_{C - 1} [i + 1]) = 0.

Multi-columns CCS (MCCCS)

CCS is a constraint system introduced in [STW23]^[1] that generalizes common constraint systems such as R1CS, AIR, and Plonk. A CCS structure is given by

Matrices
$M_{0}, \dots, M_{t - 1} \in F^{m \times n}$ .
Multisets
$S_{0}, \dots, S_{q - 1}$ with elements in
${0, \dots, t - 1}$ .
Constants
$c_{0}, \dots, c_{q - 1} \in F$ .

A witness is a vector

z \in F^{n}

such that^[2]

\sum_{i = 0}^{q - 1} c_{i} \cdot ◯_{j \in S_{i}} M_{j} \cdot z = 0 .

We introduce a generalization, MCCCS, of CCS where the witness is structured as a table of

C

columns. The additional information required is

A function
$c : {0, \dots, t - 1} \to {0, \dots, C - 1}$ assigning a column to each matrix.

A witness is then a table of

C

columns

z_{0}, \dots, z_{C - 1} \in F^{n}

such that

\sum_{i = 0}^{q - 1} c_{i} \cdot ◯_{j \in S_{i}} M_{j} \cdot z_{c (j)} = 0 .

It is easy to see that MCCCS is equivalent to CCS by flattening/unflattening the columns.

Proving system for MCCCS

The SuperSpartan proving system can easily be modified to accommodate MCCCS. The only difference is that the prover commits to all MLE

{\tilde{Z}}_{j} (X)

of the columns and then equation (14) in [STW23] becomes

0 = \sum_{a \in {0, 1}^{\log m}} \tilde{eq} (τ, a) \cdot \sum_{i = 0}^{q - 1} c_{i} \cdot \prod_{j \in S_{i}} (\sum_{y \in {0, 1}^{\log n}} {\tilde{M}}_{j} (a, y) {\tilde{Z}}_{c (j)} (y)),

which can be proved with multiple calls to the sumcheck protocol.

AIR as a MCCCS

The AIR arithmetization is shown to be a special case of CCS in [STW23]. We show here that AIR can also be seen as a MCCCS with a very simple transformation.

Consider the AIR constraint polynomial

F \in F [X_{0}, \dots, X_{2 C - 1}]

, let

S_{0}, \dots, S_{q - 1}

be multisets with values in

{0, \dots, 2 C - 1}

representing the monomials of

F

, and let

c_{0}, \dots, c_{q - 1}

be the coefficients of these monomials, i.e.,

F (X_{0}, \dots, X_{2 C - 1}) = \sum_{i = 0}^{q - 1} c_{i} \prod_{j \in S_{i}} X_{j} .

Let

I_{n - 1}

be the identity matrix of size

n - 1

, let

A_{0}

be the

n \times n

matrix

A_{0} = [\begin{matrix} I_{n - 1} & 0 \\ 0 & 0 \end{matrix}]

and let

A_{1}

be the

n \times n

matrix

A_{1} = [\begin{matrix} 0 & I_{n - 1} \\ 0 & 0 \end{matrix}]

Note that for

A_{0}

and

A_{1}

the last row is only used for padding so that the matrix is square.

Finally, let

t = 2 C

M_{j} = A_{⌊ j / C ⌋}

, and

c (j) = j mod C

. Then the MCCCS with these parameters is equivalent to the original AIR.

Example

C = 2

and

F = X_{0} X_{1}^{2} - X_{2} - 2 X_{1} X_{3}

, the MCCCS constraint will be

A_{0} z_{0} \circ A_{0} z_{1} \circ A_{0} z_{1} - A_{1} z_{0} - 2 \cdot A_{0} z_{1} \circ A_{1} z_{1} = 0 .

Proving system for AIR

The MLE of the matrices

A_{0}

and

A_{1}

are simple. We have

A_{0} [i, j] = eq (i, j) - eq (i, n - 1) \cdot eq (j, n - 1)

and

A_{1} [i, j] = next (i, j),

where

next (i, j) = eq (i + 1, j)

is defined in Section 5.1 of [STW23]. Therefore the MLE of

A_{0}

\tilde{A_{0}} (x, y) = \tilde{eq} (x, y) - \tilde{eq} (x, n - 1) \cdot \tilde{eq} (y, n - 1)

which can be evaluated in time

O (v = \log n)

, and the MLE of

A_{1}

\tilde{A_{1}} (x, y) = \tilde{next} (x, y)

which can also be evaluated in time

O (v)

, as shown in Theorem 2 of [SWT23]. See also below for a description of

\tilde{next}

Therefore, oracle access to

\tilde{A_{0}}

and

\tilde{A_{1}}

is not required by the verifier.

Cyclic constraints

Some versions of AIR use cyclic constraints, i.e., the constraint polynomial also vanishes at

i = n - 1

F (z_{0} [n - 1], \dots, z_{C - 1} [n - 1], z_{0} [0], \dots, z_{C - 1} [0]) = 0.

The MCCCS for AIR can be adapted to support this by using the matrices

A_{0} = I_{n} = [\begin{matrix} I_{n - 1} & 0 \\ 0 & 1 \end{matrix}]

and

A_{1} = [\begin{matrix} 0 & I_{n - 1} \\ 1 & 0 \end{matrix}] .

The MLE of these matrices can also be computed in time

O (v)

using the following identites

\tilde{A_{0}} (x, y) = \tilde{eq} (x, y)

and

\tilde{A_{1}} (x, y) = \tilde{next} (x, y) + \tilde{eq} (x, n - 1) \cdot \tilde{eq} (y, 0) .

Handling public inputs

AIR is often used to arithmetize an execution trace. For example, zkVMs often have the structure of an AIR where the first row contains the input of the program and the last row contains the output. Each other row represents a cycle in the zkVM.

For this reason, we might want (parts of) the first and last rows to be public inputs in the proving system. This can be achieved in the proving system for MCCCS as follows.

Say we want the first element of column

z_{i}

to be public. Instead of committing to the MLE of the full column, the prover commits to the MLE of

z_{i}^{'} = (0 z_{i} [1. .])

, the same column with the first element set to 0. Then, the verifier can compute the value

{\tilde{Z}}_{i} (r_{y})

using the relation

{\tilde{Z}}_{i} (r_{y}) = {\tilde{Z^{'}}}_{i} (r_{y}) + z_{i} [0] \cdot χ_{0} (r_{y}),

where

χ_{0}

is the 0-th Lagrange basis multilinear polynomial, which can be evaluated in

O (v)

A similar modification can be used to make the last row public.

When the constraint is an arithmetic circuit

In applications, the constraint polynomial

F (X_{0}, \dots, X_{2 C - 1})

is rarely given in sum-of-monomials form. Most of the time, it is given as an arithmetic circuit. The circuit representation can be much more efficient than the sum-of-monomials representation. For example,

F (X_{0}, \dots, X_{2 C - 1}) = (X_{0} + \dots + X_{2 C - 1})^{2}

takes

2 C - 1

additions and

1

multiplication to evaluate as an arithmetic circuit, but is a sum of

2 C^{2} + C

monomials. So the (MC)CCS representation can be very inefficient, especially when the number of columns in the AIR is large.

However, it is easy to generalize (MC)CCS to work with arithmetic circuits. Let

C

be an arithmetic circuit^[3] with

t

inputs

x_{0}, \dots, x_{t - 1}

and

1

output

C (x_{0}, \dots, x_{t - 1})

. Then, we can modify the CCS constraint equation to be

C (M_{0} \cdot z, \dots, M_{t - 1} \cdot z) = 0,

where the circuit is evaluated on the

t

vectors entrywise.

As in the SuperSpartan proving system for CCS, it is easy to see that (except with negligible probability) this constraint is equivalent to

0 = \sum_{a \in {0, 1}^{\log m}} \tilde{e q} (τ, a) C (u_{0}, \dots, u_{t - 1}), with u_{i} = \sum_{y \in {0, 1}^{\log n}} \tilde{M_{i}} (a, y) \cdot \tilde{Z} (y),

where

τ \in F^{\log m}

is a random vector. This can be proved using an instantiation of the sumcheck protocol for the inner sum, as well as

t

instantiations of the sumcheck protocol for the values

u_{i}

$\tilde{next}$ and higher order shifts

The function

\tilde{n e x t} (x, y)

is described in section 5.1 of [STW23]. It is based on the following algorithm to check that

y = x + 1

using little-endian bit decomposition.

Let

x_{k} = 0

be the first

0

bit of

x

, so that the little-endian bit decomposition of

x

x = 1 \dots 10 x_{k + 1} \dots x_{v - 1} .

Then

y = x + 1

if and only if

y_{i} = 0

for

i < k

y_{k} = 1

, and

x_{i} = y_{i}

for all

i > k

, i.e.,

y = 0 \dots 01 x_{k + 1} \dots x_{v - 1} .

We can check this with the multilinear polynomial

g_{k} (x, y) = (\prod_{i = 0}^{k - 1} x_{i} (1 - y_{i})) (1 - x_{k}) y_{k} \tilde{eq} (x_{k + 1}, y_{k + 1}) \dots \tilde{eq} (x_{v - 1}, y_{v - 1}) .

The big product checks that the first bits of

x

are

1

and those of

y

are

0

, the term

(1 - x_{k}) y_{k}

checks that

x_{k} = 0

and

y_{k} = 1

, and the

\tilde{eq}

terms check that the remaining bits are equal.

Then we simply have

\tilde{next} (x, y) = \sum_{k = 0}^{v - 1} g_{k} (x, y) .

Note that if

x = 2^{v} - 1

has all

1

bits, then

\tilde{next} (x, y) = 0

for all

y

since the

1 - x_{k}

term is

0

for all

k

. Finally, note that

g_{0} (x, y)

can be computed in time

O (v)

and that

g_{k + 1} (x, y)

can be computed in time

O (1)

given

g_{k} (x, y)

using

g_{k + 1} (x, y) = g_{k} (x, y) \frac{x_{k} (1 - y_{k}) (1 - x_{k + 1}) y_{k + 1}}{x_{k - 1} (1 - y_{k - 1}) (1 - x_{k}) y_{k} \tilde{eq} (x_{k + 1}, y_{k + 1})} .

Therefore,

\tilde{next} (x, y)

can be computed in time

O (v)

It can sometimes be useful to consider higher order shifts, that is constraints of the form

F (z_{0} [i], \dots, z_{C - 1} [i], z_{0} [i + s], \dots, z_{C - 1} [i + s]) = 0,

where

s > 1

. The above argument can be adapted for this case by using the modified function

{next}_{s} (i, j) = eq (i + s, j)

. We will only consider the case where

s = 2^{e}

, but the general case can also be done (I think).

To check

y = x + 2^{e}

, we observe that it is equivalent to checking that the first

e

bits of

x

and

y

are equal and that the remaining bits satisfy the

next

relation. That is,

{\tilde{next}}_{s} (x, y) = \tilde{eq} (x_{0}, y_{0}) \dots \tilde{eq} (x_{e - 1}, y_{e - 1}) \tilde{next} (x_{e}, \dots, x_{v - 1}, y_{e}, \dots, y_{v - 1}),

which can also be computed in time

O (v)

Customizable constraint systems for succinct arguments, Srinath Setty and Justin Thaler and Riad Wahby, eprint.iacr.org/2023/552. ↩︎
Disregarding public inputs for now. ↩︎
Here we consider usual arithmetic circuits over the field
$F$ with binary addition and multiplication gates, as well as unary gates for multiplication by a constant:
${g_{c}}_{c \in F}$ with
$g_{c} (x) = c x$ . ↩︎

A simple multivariate AIR argument inspired by SuperSpartan

Multi-columns CCS (MCCCS)

Proving system for MCCCS

AIR as a MCCCS

Example

Proving system for AIR

Cyclic constraints

Handling public inputs

When the constraint is an arithmetic circuit

next~ and higher order shifts

Read more

Grand product arguments

Rectification theorem

$\tilde{next}$ and higher order shifts