Putting it all Together

So far, we've gone over the Hyrax Primitives, and how these various primitives come together to prove more complex protocols, such as Proof of Sumcheck and Claim Aggregation. Now we go over how to put all of these together to construct a Zero-Knowledge GKR proof using the Hyrax transformation.

1. $\mathcal{P}$ commits to the input of the GKR circuit using a polynomial commitment scheme. For Hyrax circuits, this is via the Hyrax PCS.
2. For every GKR layer, $\mathcal{P}$ commits to its sumcheck messages at each round by committing to the coefficients of the univarate that makes up each round using Pedersen Commitments.
3. At the end of sumcheck, $\mathcal{P}$ commits to the values it claims on "underlying" MLEs.
4. If any of these values involved a product of MLEs, such as ${\tilde{V}}_i(0,r_1,\dots ,r_n)\cdot {\tilde{V}}_i(1,r_1,\dots ,r_n)$, then $\mathcal{P}$ commits to its claim for ${\tilde{V}}_i(0,r_1,\dots ,r_n)$, as $v_A$, the claim for ${\tilde{V}}_i(1,r_1,\dots ,r_n)$ as $v_B$, and the product ${\tilde{V}}_i(0,r_1,\dots ,r_n)\cdot {\tilde{V}}_i(1,r_1,\dots ,r_n)$ as $v_0$. This is because $\mathcal{V}$ only needs $v_0$ to compute the evaluation $f(r_1,\dots ,r_n)$, but:
5. $\mathcal{P}$ needs to prove to $\mathcal{V}$ that $v_0$ is a commitment to the product of the underlying messages in $v_A$ and $v_B$. Therefore $\mathcal{P}$ and $\mathcal{V}$ engage in the necessary proofs of product for this GKR layer over commitments on underlying MLEs.
6. $\mathcal{P}$ and $\mathcal{V}$ engage in proof of sumcheck for this layer.
7. For the next layer, if it is not the input layer, $\mathcal{P}$ and $\mathcal{V}$ engage in a proof of claim aggregation depending on the type of claim aggregation used. They both have an aggregated claim (or RLC of claims) to do the next layer of sumcheck over, and repeat steps 1-6 until the input layer.

At the input layer, $\mathcal{P}$ and $\mathcal{V}$ either produce $m$ separate input layer proofs, or must engage in interpolative claim aggregation because we do not have a future layer of sumcheck to reduce to. Finally, $\mathcal{P}$ ends up with a claim on the input to the circuit at a random point. We engage in an evaluation proof using the Hyrax PCS to prove this final claim.