Grand product arguments

Let

F

be a finite field and consider a vector

f = (f_{0}, \dots, f_{n - 1}) \in F^{n}

, where

n = 2^{v}

.
Given some kind of commitment

{comm}_{f}

f

and a value

y \in F

, we want to convince a verifier that the product of the elements of

f

y

\prod f_{i} = y

Using AIR constraints

This problem can be solved using univariate polynomials and AIR constraints. This is the approach taken in Plonk^[1].

Let

c_{i} = \prod_{j \leq i} f_{j}

be the vector of cumulative products of

f

. The equality

\prod f_{i} = y

is equivalent to

c_{n - 1} = y

. Therefore, a protocol to prove this equality is to commit to both

f

and

c

and check the following AIR constraints

$c_{0} = f_{0}$ ,
$c_{i + 1} = c_{i} \cdot f_{i + 1}$ for all
$i < n - 1$ ,
$c_{n - 1} = y$ .

Using GKR

This is the approach of [Tha13, 5.3.1]^[2].
For

0 \leq k \leq v

, we consider the vector

g_{k}

of size

2^{k}

given by

g_{k, i} = \prod_{i \cdot 2^{v - k} \leq j < (i + 1) \cdot 2^{v - k}} f_{j} .

Note that

g_{v} = f

and

g_{0}

is the constant

y

. The vector

g_{k}

can be seen as the

k

-th layer in the binary multiplication tree with leaves

f

.
These vectors satisfy the relations

g_{k, i} = g_{k + 1, 2 i} \cdot g_{k + 1, 2 i + 1} .

Seeing

g_{k}

as a function

{0, 1}^{k} \to F

instead, the relation becomes

g_{k} (i) = g_{k + 1} (i, 0) \cdot g_{k + 1} (i, 1) .

Therefore, the MLEs

{\tilde{g}}_{k}

satisfy

{\tilde{g}}_{k} (i) = {\tilde{g}}_{k + 1} (i, 0) \cdot {\tilde{g}}_{k + 1} (i, 1) .

and thus for any

z \in F^{k}

we have

{\tilde{g}}_{k} (z) = \sum_{i \in {0, 1}^{k}} \tilde{eq} (z, i) \cdot {\tilde{g}}_{k + 1} (i, 0) \cdot {\tilde{g}}_{k + 1} (i, 1) .

The evaluation of this sum can be proved using the sumcheck protocol. At the end of the protocol, the verifier needs to evaluate

{\tilde{g}}_{k + 1}

(r, 0)

and

(r, 1)

for a random

r \in F^{k}

The trick to do so efficiently is to consider the degree one univariate polynomial

h (t) = {\tilde{g}}_{k + 1} (r, t)

for

t \in F

. We have

h (0) = {\tilde{g}}_{k + 1} (r, 0) and h (1) = {\tilde{g}}_{k + 1} (r, 1)

therefore to send

h

it is sufficient to send

{\tilde{g}}_{k + 1} (r, 0)

and

{\tilde{g}}_{k + 1} (r, 1)

(which are anyways required by the verifier). Then the verifier sends a random

u \in F

and uses the sumcheck protocol to check that

h (u) = {\tilde{g}}_{k + 1} (r, u) .

Therefore, proving an opening

{\tilde{g}}_{k} (z)

can be reduced to a sumcheck argument and an opening

{\tilde{g}}_{k + 1} (r, u)

The strategy to prove

\prod f_{i} = g_{0} = y

is then clear:

Reduce the evalutation proof
$g_{0} = y$ to a sumcheck argument and an evaluation
${\tilde{g}}_{1} (r_{1})$ .
For
$k = 1, \dots, v - 1$ , reduce the evalutation proof
${\tilde{g}}_{k} (r_{k})$ to a sumcheck argument and an evaluation
${\tilde{g}}_{k + 1} (r_{k + 1})$ .
The last evaluation
${\tilde{g}}_{v} (r_{v}) = \tilde{f} (r_{v})$ is proved using the commitment to
$f$ .

Costs

Prover: A sumcheck argument costing
$O (2^{k})$ for
$k = 0 \dots v - 1$ and an evaluation proof for
$f$ , so in total
$O (n) + prover cost of evaluation proof$ . The commited polynomial is
$f$ of size
$n$ .
Verifier: A sumcheck argument costing
$O (k)$ for
$k = 0 \dots v - 1$ and an evaluation proof for
$f$ , so in total
$O (v^{2}) + verifier cost of evaluation proof$ .
Proof size: A sumcheck argument of size
$O (k)$ for
$k = 0 \dots v - 1$ and an evaluation proof for
$f$ , so in total
$O (v^{2}) + size of evaluation proof$ .

Quarks

This is the approach of [SL20, Section 5]^[3].
Instead of using

v + 1

different functions

{g_{k} : {0, 1}^{k} \to F}_{k = 0}^{v}

, we can pack them into a single function

g : {0, 1}^{v + 1} \to F

given by

g (1^{l}, 0, x) = g_{v - l} (x) for x \in {0, 1}^{v - l},

and

g (1) = 0

. Note that

g (0, x) = g_{v} (x) = f (x)

for

x \in {0, 1}^{v}

and

g (1^{v}, 0) = g_{0} = y

. Furthermore, the relation between the adjacent functions

g_{k}

and

g_{k + 1}

becomes

g (1, x) = g (x, 0) \cdot g (x, 1) for x \in {0, 1}^{v} .

Let

h (x) = g (1, x) - g (x, 0) \cdot g (x, 1)

for

x \in {0, 1}^{v}

, then

\tilde{h}

is the zero polynomial, which we can check with the usual zero-check

0 = h (τ) = \sum_{x \in {0, 1}^{v}} \tilde{eq} (τ, x) (g (1, x) - g (x, 0) \cdot g (x, 1)),

where

τ

is a random verifier challenge, which is proved with a sumche
Therefore, the product

\prod f = y

can be proved by commiting to

\tilde{g}

and

using the sumcheck argument to prove
$h (τ) = 0$ ,
prove
$g (0, x) = f (x)$ by checking
$\tilde{g} (0, γ) = \tilde{f} (γ)$ for a random
$γ$ ,
open
$\tilde{g} (1^{v}, 0) = \prod f = y$ .

Costs

Prover: A sumcheck argument costing
$O (n)$ and evaluation proofs for
$g$ and
$f$ , so in total
$O (n) + prover cost of evaluation proofs$ . The commited polynomials are
$f$ of size
$n$ and
$g$ of size
$2 n$ .
Verifier: A sumcheck argument costing
$O (v + 1)$ and evaluation proofs for
$g$ and
$f$ , so in total
$O (v) + verifier cost of evaluation proofs$ .
Proof size: A sumcheck argument of size
$O (v)$ and evaluation proofs for
$g$ and
$f$ , so in total
$O (v) + size of evaluation proofs$ .

Note that compared to GKR, the verifier cost and proof size go from quadratic in

v

to linear in

v

, at the cost of more and larger evaluation proofs.

Hybrid approach

This is the approach of [SL20, Section 6]^[3:1], also used in Lasso^[4].
We can get the best of both approaches by combining them. Fix a number

1 \leq ℓ \leq v

, we use the Quarks approach for the first

ℓ + 1

layers

{g_{k}}_{k = 0}^{ℓ}

and the GKR approach for the last

v - l

layers

{g_{k}}_{k = ℓ + 1}^{v}

. Concretely, this means that in the Quarks protocol, we instead have

g (0, x) = g_{ℓ} (x)

for all

x \in {0, 1}^{ℓ}

, which we check by evalutating at a random value

γ

\tilde{g} (0, γ) = {\tilde{g}}_{ℓ} (γ)

.
The evaluation

{\tilde{g}}_{ℓ} (γ)

is computed using the GKR protocol, by reducing it to a sumcheck argument and an evaluation of

{\tilde{g}}_{ℓ + 1}

, and so on until an evaluation of

{\tilde{g}}_{v} = \tilde{f}

Costs

Prover:
$O (2^{ℓ})$ for Quarks +
$O (\sum_{k = ℓ + 1}^{v} 2^{k})$ for GKR, so
$O (n)$ in total, plus commitments to
$f$ of size
$n$ and
$g$ of size
$2^{ℓ + 1}$ .
Verifier:
$O (ℓ)$ for Quarks +
$O (\sum_{k = ℓ + 1}^{v} k) = O ((v - ℓ) \cdot v)$ , so
$O (ℓ + (v - ℓ) \cdot v)$ in total, plus cost of evaluation proofs.
Proof size: Similarly to the verifier costs,
$O (ℓ + (v - ℓ) \cdot v)$ in total, plus size of evaluation proofs.

For example, setting

ℓ = v - 3 \log v

, the proof size is

O (v - 3 \log v + 3 v \log v) = O (3 v \log v)

which is better than the proof size of

O (v^{2})

when using only GKR for large enough

v

. This comes at the cost of commiting to

g

of size

2^{v - 3 \log v + 1} = \frac{2 n}{v^{3}}

, which is much smaller than

2 n

, the corresponding size of

g

when using only Quarks.

Grand product arguments

Using AIR constraints

Using GKR

Costs

Quarks

Costs

Hybrid approach

Costs

Read more

Rectification theorem

A simple multivariate AIR argument inspired by *SuperSpartan*

A simple multivariate AIR argument inspired by SuperSpartan