Proof of Sumcheck

A key observation that the Hyrax protocol makes is that the verifier's sumcheck "checks," i.e. that $g_{i} (0) + g_{i} (1) = g_{i - 1} (r_{i - 1})$ , and the final oracle query, can be modeled as linear equations.

At each round, $P$ "sends" $V$ the univariate $g_{i} (X)$ by committing to its coefficients using Pedersen scalar commitments. Let $a_{i, 0}, \dots, a_{i, n}$ (to get commitments $C_{a_{i, 0}}, \dots, C_{a_{i, n}}$ ) be the coefficients for a degree $n$ univariate, where $a_{i, j}$ is the coefficient of the $j$ -th degree term.

Notice that $g_{i} (0)$ is simply $a_{i, 0}$ and $g_{i} (1)$ is $\sum_{j} a_{i, j}$ . Then $g_{i} (0) + g_{i} (1)$ is $2 a_{i, 0} + a_{i, 1} + \dots + a_{i, n}$ . We can compute the commitment to this using just the commitments to the coefficients as $2 C_{a_{i, 0}} + C_{a_{i, 1}} + \dots + C_{a_{i, n}}$ . Similarly, the evaluation $g_{i - 1} (r_{i - 1})$ can be computed using commitments to the coefficients of $g_{i - 1}$ as $\sum_{j} r^{j} C_{a_{i - 1, j}}$ . For each intermediate round of sumcheck, we simply have to compute a proof of equality between the two commitments $2 C_{a_{i, 0}} + \sum_{j} C_{a_{i, j}}$ and $\sum_{k} r^{k} C_{a_{i - 1, k}}$ .

We can formulate the verifier's checks as a matrix vector product where the matrix $M$ contains the linear combination coefficients over the prover's messages, and the vector $π$ contains the prover's sumcheck messages as coefficients of the univariate polynomial in each round. Let round $i$ 's univariate have $d_{i}$ coefficients. Then, we can write the verifier's checks as such:

$M = d_{0} 21 \dots 1 - 1 - r_{0} \dots - r_{0}^{d_{0} - 1} d_{1} 21 \dots 1 - 1 - r_{1} \dots - r_{1}^{d_{1} - 1} d_{2} 21 \dots 1 ⋱ - 1 - r_{n - 1} \dots - r_{n - 1}^{d_{n - 1} - 1} d_{n} 21 \dots 1 - 1 - r_{n} \dots - r_{n}^{d_{n} - 1} π = C_{a_{0, 1}} C_{a_{0, 2}} ⋮ C_{a_{0, d_{0}}} ⋮ C_{a_{n, 1}} C_{a_{n, 2}} ⋮ C_{a_{n, d_{n}}}$

To encode all of the verifier's sumcheck checks in one go, we have $V$ check that:

$M \cdot π = H 0 ⋮ 0 ?$

The final $?$ represents the fact that the final dot product in the matrix-vector product $M \cdot π$ is not $0$ . In fact, it should be exactly equal to the value that $V$ receives when it does the final "oracle query" in sumcheck. This is discussed next.

Every non-specified entry in the matrix $M$ is $0$ , and it has dimension $(n + 1) \times \sum_{i} d_{i}$ . $π$ has dimension $\sum_{i} d_{i} \times 1$ . Its product has dimension $(n + 1) \times 1$ . The sum $H$ represents $P$ 's original claim for the sumcheck expression -- the sum of the first univariate $g_{0} (0) + g_{0} (1)$ should be equal to the sum, which is what the first row of the matrix multiplied by $π$ encodes.

Note that we can do a proof of dot product for each of the row of the matrix with $π$ as the private vector, and each entry in the resultant vector as the claimed dot product.

However, there is a small subtlety: every $d_{i}$ coefficients in $π$ must be committed to before the challenge $r_{i}$ is sampled for sumcheck. Otherwise, $P$ can modify the commitments to make false claims using its knowledge of $r_{i} .$ Therefore, $π$ is committed to incrementally, and after each commitment $r_{i}$ is sampled. Finally, $V$ and $P$ engage in a proof of dot product for every row of the matrix $M$ .

The final "oracle query"

Over here we have encoded all of $V$ 's checks except for the final oracle query. Recall that at the end of sumcheck, $P$ has claims on underlying MLEs. In the Hyrax universe, $P$ commits to the claims it has on each of these MLEs, say via the commitments $v_{0}, \dots, v_{k} .$ Then $V$ can combine these commitments linearly to compute a commitment to the expected value $f (r_{1}, \dots, r_{n}) .$ Then, we expand the matrix $M$ to have $k$ additional columns and add the coefficients $V$ needs to compute the linear combination of $v_{0}, \dots, v_{k}$ to the last (the $n$ -th) row of $M$ , and $π$ has $k$ additional entries with the commitments $v_{0}, \dots, v_{n}$ . Then $V$ can expect the result of the final dot product to be $0$ .

Example

We provide a minimal example to show how $M$ and $π$ are constructed. Assume $P$ and $V$ are engaging in sumcheck over the claim that $V_{i} (g_{1}, g_{2}) = H$ , and via layerwise encoding, $V_{i} (z) = \sum_{x_{i}, y_{i}, z_{i} \in {0, 1}} add (z_{1}, z_{2}; x_{1}, x_{2}; y_{1}) (V_{i + 1} (x_{1}, x_{2}) + V_{i + 1} (y_{1})) .$ There are $3$ rounds of sumcheck (for each of the $x$ and $y$ ) variables, where $r_{1}, r_{2}$ bind to $x_{1}, x_{2}$ and $r_{3}$ is bound to $x_{3}$ . At the end of sumcheck, $P$ commits to $V_{i + 1} (r_{1}, r_{2})$ and $V_{i + 1} (r_{3})$ as $V_{0}$ and $V_{1} .$

$M, π$ look like this: $M = 2 - 1 00 1 - r_{1} 00 1 - r_{1}^{2} 00 02 - 1 0 01 - r_{2} 0 01 - r_{2}^{2} 0 002 - 1 001 - r_{3} 001 - r_{3}^{2} 000 add (g_{1}, g_{2}; r_{1}, r_{2}; r_{3}) 000 add (g_{1}, g_{2}; r_{1}, r_{2}; r_{3})$

$π = C_{a_{0, 1}} C_{a_{0, 2}} C_{a_{0, 3}} C_{a_{1, 1}} C_{a_{1, 2}} C_{a_{1, 3}} C_{a_{2, 1}} C_{a_{2, 2}} C_{a_{2, 3}} V_{0} V_{1}$

And their result that $V$ expects, which it can compute on its own is:

$M \cdot π = H 0 ⋮ 0$

Optimizations

There is an optimization specified in the original Hyrax paper which allows us to take the random linear combination of the rows of $M$ and do $n$ proofs of dot product of just size $d_{i}$ where $d_{i}$ is the number of coefficients in the univariate of round $i$ , rather than $n$ proofs of dot product of size $n \cdot d_{i}$ . We don't go into how to formulate this optimization, but suggest reading the original paper and specifically the "squashing $V$ 's checks" section. We have implemented this optimization in Remainder.

The Remainder Book

Proof of Sumcheck

The final "oracle query"

Example

Optimizations