Quickstart

Hi there! Welcome to the official Remainder documentation/tutorial. For the code reference, see this site. Note that Remainder is specifically a GKR/Hyrax prover and that this tutorial assumes familiarity with basic concepts in zero-knowledge and interactive proofs. For a gentler introduction to the basics behind verifiable computation, interactive proofs, and zero-knowledge, see Chapter 1 of Justin Thaler's wonderful manuscript.

The documentation is split into four primary parts:

The first is an intuitive introduction to the "GKR" interactive proof scheme for layered circuits. The name "GKR" refers to Goldwasser, Kalai, and Rothblum, the co-authors of the paper which first introduced the notion of proving the correctness of layered circuits' outputs with respect to their inputs via sumcheck. If you are not familiar with GKR concepts, we strongly recommend you read this section before engaging with either of the next two sections or even the quickstart below.
The second follows from the first and dives a tad deeper into the specific methodology of layerwise relationships, prover claims, etc. and explains the various concepts behind GKR in a loosely mathematical fashion.
The third is a guide to Remainder's frontend where we explain how the theoretical concepts described in earlier sections can be used in practice. It contains a lot of examples with runnable Rust code, and it can be studied independently or in conjunction with the second section.
The final is an introduction to the Hyrax interactive proof protocol, a "wrapper" around the GKR protocol which offers computational zero-knowledge using blinded Pedersen Commitments.

In addition, we provide a concise "how-to" quickstart here. This quickstart covers the basics of using Remainder as a GKR proof system library, including the following:

Circuit description generation
Appending inputs to a circuit description
Proving and verifying

Creating a Layered (GKR) Circuit

See frontend/examples/tutorial.rs for code reference. To run the test yourself, navigate to the Remainder_CE root directory and run the following command:

cargo run --package frontend --example tutorial

To define a layered circuit, we must describe the circuit's inputs, intermediate layers and relationships between them, and output layers. We'll first take a look at the build_circuit() function. The first line is

#![allow(unused)]
fn main() {
let mut builder = CircuitBuilder::<Fr>::new();
}

This creates a new CircuitBuilder instance with native field Fr (BN254's scalar field). The CircuitBuilder is where all circuit components (nodes) will be aggregated and compiled into a full layered circuit.

The next line is

#![allow(unused)]
fn main() {
let lhs_rhs_input_layer =
    builder.add_input_layer("LHS RHS input layer", LayerVisibility::Committed);
let expected_output_input_layer =
    builder.add_input_layer("Expected output", LayerVisibility::Public);
}

This adds two input layers to the circuit (see the Input Layer page for more details). Note that an input layer is one which gets all claims on it bundled together and is treated as a single polynomial (multilinear extension) when the prover decides how to divide the circuit inputs to commit to each one.

In this example we separate the input data into two separate input layers because we want some of them to be committed instead of publicly known. This means that the verifier should only be able to see polynomial commitments to the MLEs on such input layers (see Committed Inputs). Depending on the proving backend used (plain GKR vs. Hyrax), committed layers can act as private layers in the sense that the verfier learns nothing about their contents when verifying a proof (more on that later on).

We then have the following:

#![allow(unused)]
fn main() {
let lhs = builder.add_input_shred("LHS", 2, &lhs_rhs_input_layer);
let rhs = builder.add_input_shred("RHS", 2, &lhs_rhs_input_layer);
let expected_output = builder.add_input_shred("Expected output", 2, &lhs_rhs_input_layer);
}

We add three input "shred"s to the circuit, the first two being subsets of the data in the "LHS RHS input layer", and the last one being (the entire) "Expected output" layer. Each "shred" has 2 variables (i.e. has $2^{2} = 4$ evaluations, and is identified with a unique string, e.g. "RHS"). The difference between an input layer and an input "shred" is that the latter refers to a specific subset of the input layer's data which should be treated as a contiguous chunk to be used as input to a later layer within the circuit.

We begin adding layers to the circuit:

#![allow(unused)]
fn main() {
let multiplication_sector = builder.add_sector(lhs * rhs);
}

Notice that even though lhs and rhs are input "shred"s from the same input layer, because we added them as separate "shred"s earlier, we can now use them as separate inputs to be element-wise multiplied against one another. In general, input layers are treated as a single entity by the verifier, while input shreds are treated as subsets of input layers which the prover can use as inputs to other layers within the circuit.

This first layer is a "sector", which is the Remainder way of referring to structured layerwise relationships. This simply means that with evaluations $[a, b, c, d]$ in lhs and $[e, f, g, h]$ in rhs, the resulting layer should hold the element-wise product of the evaluations in lhs and those in rhs, i.e. $[a e, b f, c g, d h]$ .

We add another layer to the circuit:

#![allow(unused)]
fn main() {
let subtraction_sector = builder.add_sector(multiplication_sector - expected_output);

builder.set_output(&subtraction_sector);
}

This layer is another element-wise operator, but where we element-wise subtract all of the values rather than multiply them. Here, we are semantically subtracting the expected_output from the earlier layer we created which was the element-wise product of the values in lhs and rhs (see this section for more details). The resulting layer should be zero if the two are element-wise equal, and we thus call builder.set_output() on the resulting layer, which tells the circuit builder that this layer's values should be publicly revealed to the verifier (and that no future layer depends on the values).

Finally, we create the layered circuit from its components:

#![allow(unused)]
fn main() {
builder.build().expect("Failed to build circuit")
}

This creates a Circuit<Fr> struct which contains the layered circuit description (see GKRCircuitDescription), the mapping between nodes and layers (see CircuitEvalMap), and the state for circuit inputs which have been partially populated already.

Populating Circuit Inputs

First, we instantiate the circuit description which we created above (see the function main()):

#![allow(unused)]
fn main() {
let base_circuit = build_circuit();
let mut prover_circuit = base_circuit.clone();
let verifier_circuit = base_circuit.clone();
}

Note that we additionally create prover and verifier "versions" of the circuit. The reason for this is that the prover will want to attach input data to the circuit, whereas the verifier will want to receive those inputs from the proof itself and will not independently attach inputs to the circuit this time around. We additionally note that in general, rather than generating the circuit description once and then cloning for the prover and verifier, we will usually generate the circuit description and serialize it, then distribute the description to both the proving and verifying party. The above emulates this but in code.

The next step to proving the correctness of the output of a GKR circuit is to provide the circuit with all of its inputs (including hints for "verification" rather than "computation" circuits, e.g. the binary decomposition of a value; note that Remainder currently does not have features which assist with computing such "hint" values and these will have to be manually computed outside of the main prove() function). In the case of our example circuit, we have the following:

#![allow(unused)]
fn main() {
let lhs_data = vec![1, 2, 3, 4].into();
let rhs_data = vec![5, 6, 7, 8].into();
let expected_output_data = vec![5, 12, 21, 32].into();
}

The vec!s above define the integer values belonging to the input "shreds" which we declared earlier in our circuit description definition (recall that "shreds" are already assigned to input layers). Additionally, since we declared earlier that e.g. let lhs = builder.add_input_shred("LHS", 2, &input_layer);, where the 2 represents the number of variables as the argument of the multilinear extension representing that input "shred", we have $2^{2}$ values within each input "shred", i.e. 4 evaluations for each of the above.

We ask the circuit to set the above data using our string tags for the input "shred"s (note that we need an exact string match here).

#![allow(unused)]
fn main() {
prover_circuit.set_input("LHS", lhs_data);
prover_circuit.set_input("RHS", rhs_data);
prover_circuit.set_input("Expected output", expected_output_data);
}

Generating a GKR proof

We next "finalize" the circuit for proving, i.e. check that all declared input "shred"s have data associated to them, combine their data with respect to their declared input layer sources, and set up parameters for polynomial commitments to input layers, e.g. Ligero PCS.

#![allow(unused)]
fn main() {
let provable_circuit = prover_circuit
    .gen_provable_circuit()
    .expect("Failed to generate provable circuit");
}

Finally, we run the prover using the "runtime-optimized" configuration:

#![allow(unused)]
fn main() {
let (proof_config, proof_as_transcript) =
    prove_circuit_with_runtime_optimized_config::<Fr, PoseidonSponge<Fr>>(&provable_circuit);
}

This function returns a ProofConfig and a TranscriptReader<Fr, PoseidonSponge<Fr>>. The former tells the verifier which configuration it should run in to verify the proof, and the latter is a transcript representing the full GKR proof (see Proof/Transcript section for more details).

Verifying the GKR proof

To verify the proof, we first take the circuit description and prepare it for verification:

#![allow(unused)]
fn main() {
let verifiable_circuit = verifier_circuit
    .gen_verifiable_circuit()
    .expect("Failed to generate verifiable circuit");
}

Finally, we verify:

#![allow(unused)]
fn main() {
verify_circuit_with_proof_config::<Fr, PoseidonSponge<Fr>>(
    &verifiable_circuit,
    &proof_config,
    proof_as_transcript,
);
}

This function uses the provided proof_config and executes the GKR verifier against the verifiable_circuit, i.e. the verifier-ready circuit description. The function crashes if the proof does not verify for any reason, although in this case it should pass.

Congratulations! You have just:

Created your first layered circuit description,
Attached data to the circuit input layers,
Proven the correctness of the circuit outputs against the inputs, and
Verified the resulting GKR proof!

GKR Background

This section describes the basics of GKR, including necessary notation, mathematical concepts, and arithmetization, as well as a high-level description of how proving and verification works in theory.

Notation Glossary

Note that each of these definitions will be described in further detail in the sections to come, but are aggregated here for convenience.

Symbol	Description
$F$	A finite field.
$C$	Layered arithmetic circuit.
$d$	Depth of the circuit $C$ .
$L_{i}$	Layer $i$ of the circuit, such that any node on $L_{i}$ is the result of a computation from nodes in layers $j$ and $k$ , such that $j, k > i$ . (Note that the GKR literature conventionally labels its circuit layers backward, from $d$ for the input layer to $0$ for the output layer for a $d + 1$ -layered circuit. We follow this convention in our documentation.)
$val_{i} (x)$	The value of $C$ at node $x$ , such that $x$ is a label for a node in $L_{i}$ . We say that $x$ has $s_{i}$ bits.
$f$	A function $F^{n} \to F$ . This is the unique multilinear extension encoding the function $f : {0, 1}^{n} \to F .$
$add_{i, j, k} (z, x, y)$	A function: ${0, 1}^{s_{i} + s_{j} + s_{k}} \to {0, 1}$ which indicates whether $val_{i} (z) = val_{j} (x) + val_{k} (y) .$
$mul_{i, j, k} (z, x, y)$	A function: ${0, 1}^{s_{i} + s_{j} + s_{k}} \to {0, 1}$ which indicates whether $val_{i} (z) = val_{j} (x) \cdot val_{k} (y) .$

High-level Description

GKR is an interactive protocol which was first introduced by Goldwasser, Kalai, and Rothblum [2008]. It proves the statement that $C (y) = 0$ , where $C$ is a layered arithmetic circuit, and $y$ is the input to the circuit.

At a high-level, it works by reducing the validity of the output of the circuit (typically denoted as layer $0$ , $L_{0} (x) = 0$ , for a circuit with depth $d + 1$ ), to the previous layer of computation in the circuit, $L_{1} .$ Eventually, these statements reduce to a claim an evaluation of the input as a polynomial. If the input $y$ is encoded as the coefficients of a polynomial $f$ , we are left to prove that $f (x) = c$ .

The later sections unpack these reductions, showing how we can reduce the claim that $C (y) = 0$ to a polynomial evaluation at a random point.

Why GKR?

GKR has several key advantages when compared with other proof systems:

Not having to cryptographically commit to the entire "circuit trace":
- In general, proof systems which use e.g. PlonK-ish or R1CS/GR1CS arithmetization require a polynomial commitment to all circuit values.
- The size of this commitment often determines the memory/runtime/proof size/verification time of such systems, as the PCS (rather than the IOP) tends to be the bottleneck re: the aforementioned metrics.
- GKR, on the other hand, does not require a commitment to any "intermediate" values within the circuit, i.e. those which can be computed using addition/multiplication from other values present within the circuit.
- For certain layered circuits (e.g. neural network circuits, where the intermediate activation values "flow" through the model and can be fully computed from the weights and model input), this substantially reduces the number of circuit values which require cryptographic operations (e.g. circuit-friendly hash function, MSM, FFT), reducing the bottleneck which the PCS step normally imposes.
Natively multilinear IOP which depends almost wholly on sumcheck and other linear, embarrassingly parallel operations -- sumcheck is an extremely fast, field-only primitive which is extremely parallelizable and lends itself to various small field + extension field optimizations, resulting in an extremely fast prover.
Easy lookup integration with both LogUp and Lasso. The former, in particular, is expressible via a very lovely structured circuit, and is time-optimal within GKR with respect to the number of lookups (linear # of field operations in number of witnesses to be looked up + lookup table size).

Interactive Protocol

In the following sections, we start with some necessary background, such as Multilinear Extensions and the Sumcheck Interactive Protocol. We then move on to use these two primitives in order to build out the GKR protocol, which involves encoding layer-wise relationships within the circuit $C$ as sumcheck statements.

Finally, we move on to some protocols used within the Remainder codebase, such as claim aggregation, and detail the differences between what we call "canonic" GKR and "structured" GKR, both of which are implemented in Remainder.

Statement Encoding

The GKR protocol specifically works with statements of the form $C (y) = 0$ , where $C$ is a layered arithmetic circuit. Define a singular value, $0$ , to be the output layer, $L_{0}$ , and the input values $y_{i}$ to make up the input layer, $L_{d}$ .

For any layer, the following invariant holds: if a value is in $L_{i}$ , then it must be the result of a binary operation involving values in layers $j, k$ such that $j > i, k > i$ . It is possible that $j = k$ , but not necessary.

These binary operations are usually referred to as "gates." In the following tutorial we will be focusing on two gates: $add$ gates, which are represented by the following function:

$add (z, x, y) : {0, 1}^{s_{i} + s_{j} + s_{k}} \mapsto {0, 1} = {1, 0, if val_{j} (x) + val_{k} (y) = val_{i} (z) otherwise$ and $mul$ gates: $mul (z, x, y) : {0, 1}^{s_{i} + s_{j} + s_{k}} \mapsto {0, 1} = {1, 0, if val_{j} (x) \cdot val_{k} (y) = val_{i} (z) otherwise$

In other words, if we think of a physical representation of $C$ , the binary gates represent the "wires" of the circuit. They show how the values from wires belonging in previous layers of the circuit can be used to compute a value in a future layer (from input to output). In fact, for every value with label $z$ in layer $i \neq = 0 : \exists x, y$ such that $add (z, x, y) = 1$ or $mul (z, x, y) = 1$ for $x, y$ as labels for values in layers $j, k > i$ .

Example

Let's look at the following layered arithmetic circuit with depth $d$ = 3:

Diagram representing an example of a layered arithmetic circuit

In this case, $add (4, 0, 1) = 1$ and $mul (4, 0, 1) = 0$ , but $mul (7, 4, 1) = 1$ . Notice how the circuit naturally falls in "layers" based on the dependencies of values.

Multilinear Extensions (MLEs)

Let $f (x_{1}, x_{2}, \dots, x_{n})$ be a function $\in F^{n} \mapsto F$ . Its multilinear extension $f (x_{1}, \dots, x_{n})$ is defined such that $f$ is linear in each $x_{j} \in F$ , and where $f (x) = f (x) \forall x \in {0, 1}^{n}$ .

Equality MLE

In order to explicitly formulate $f$ in terms of $f$ , let us define the following indicator function:

$eq (x; z) : {0, 1}^{2 n} \mapsto {0, 1} = {1, 0, if x = z otherwise .$

Fortunately, $eq (x; z) : {0, 1}^{2 n} \to {0, 1}$ has an explicit formula which is linear in each of $x_{i}$ , or the bits of $x$ . Intuitively, if $x = z$ , then each of its bits must be equal. In boolean logic, this is the same thing as saying $(x_{i} = z_{i} = 0)$ OR $(x_{i} = z_{i} = 1)$ for all of the bits $i$ (which is an AND over all of the bits $i$ ).

When our inputs $x_{i}, z_{i} \in {0, 1}$ this statement can be expressed as the following product: $i = 1 \prod n (1 - x_{i}) (1 - z_{i}) + x_{i} z_{i} .$ Taking the multilinear extension of $eq$ simply means allowing for non-binary inputs $x_{i}, z_{i} \in F$ , because the polynomial is already linear in each variable. Since for all binary $x_{i}, z_{i} \in {0, 1}$ we have that $eq (x; z) = eq (x; z)$ , the above definition of $eq (x; z)$ is an actual multilinear extension of $eq$ .

Construction from $eq$

We now have a polynomial extension of $eq (x, z)$ which happens to be (by construction) linear in the $x$ variables (again, denote this function $eq$ ). We can now define the multilinear extension of any function, as hoped for above:

$f (x_{1}, \dots, x_{n}) = z_{1}, ..., z_{n} \in {0, 1}^{n} \sum eq (x; z) \cdot f (z_{1}, \dots, z_{n})$

where $z_{i}$ are the bits of $z$ .

Why is the above a valid multilinear extension of $f$ ? The idea here is that when evaluating $f$ on any $x_{1}, ..., x_{n} \in {0, 1}^{n}$ , we have $eq (x; z) = 0$ for all $z \neq = x$ (since both $z$ and $x$ are binary, $eq (x; z) = eq (x; z)$ behaves exactly like the boolean equality function), and thus all the terms in the above summation over $z_{1}, ..., z_{n} \in {0, 1}^{n}$ are zero except for the term where $z = x$ , where we have $eq (x; z) = 1$ , and the value of that term is exactly $f (z_{1}, ..., z_{n}) = f (x_{1}, ..., x_{n})$ .

Another nice property of multilinear extensions which can be proven is that they are uniquely defined. I.e., $\sum_{z_{i} \in {0, 1}} eq (x; z) \cdot f (z_{1}, \dots, z_{n})$ is the only multilinear function in $n$ variables which extends $f$ .

Example

Let $f (x_{1}, x_{2}, x_{3}) = 2 x_{1}^{2} x_{3} + 4 x_{2} x_{3}^{3} + 3 x_{1} x_{2}^{2} x_{3} + 5 x_{1} + 6 x_{2} + 3.$ Let us first build a table of evaluations of $f$ for $x_{i} \in {0, 1} :$

$(x_{1}, x_{2}, x_{3})$	$f (x_{1}, x_{2}, x_{3})$
$(0, 0, 0)$	$3$
$(0, 0, 1)$	$3$
$(0, 1, 0)$	$9$
$(0, 1, 1)$	$13$
$(1, 0, 0)$	$8$
$(1, 0, 1)$	$10$
$(1, 1, 0)$	$14$
$(1, 1, 1)$	$23$

We also build a table for $eq (x; z)$ for $x_{i} \in {0, 1}$ in terms of $z$ :

$(z_{1}, z_{2}, z_{3})$	$eq (x; z)$
$(0, 0, 0)$	$(1 - x_{1}) (1 - x_{2}) (1 - x_{3})$
$(0, 0, 1)$	$(1 - x_{1}) (1 - x_{2}) (x_{3})$
$(0, 1, 0)$	$(1 - x_{1}) (x_{2}) (1 - x_{3})$
$(0, 1, 1)$	$(1 - x_{1}) (x_{2}) (x_{3})$
$(1, 0, 0)$	$(x_{1}) (1 - x_{2}) (1 - x_{3})$
$(1, 0, 1)$	$(x_{1}) (1 - x_{2}) (x_{3})$
$(1, 1, 0)$	$(x_{1}) (x_{2}) (1 - x_{3})$
$(1, 1, 1)$	$(x_{1}) (x_{2}) (x_{3})$

Then, using the formula for $f (x_{1}, \dots, x_{n}) = \sum_{z_{i} \in {0, 1}} eq (x; z) \cdot f (z_{1}, \dots, z_{n})$ , we get the explicit formula:

$f (x_{1}, \dots, x_{n}) = 3 (1 - x_{1}) (1 - x_{2}) (1 - x_{3}) + 3 (1 - x_{1}) (1 - x_{2}) (x_{3}) + 9 (1 - x_{1}) (x_{2}) (1 - x_{3}) + 13 (1 - x_{1}) (x_{2}) (x_{3}) + 8 (x_{1}) (1 - x_{2}) (1 - x_{3}) + 10 (x_{1}) (1 - x_{2}) (x_{3}) + 14 (x_{1}) (x_{2}) (1 - x_{3}) + 23 (x_{1}) (x_{2}) (x_{3})$ .

From here you can verify that $f (x) = f (x)$ when $x \in {0, 1}^{n}$ , and that $f (x)$ is linear in each of the $x$ variables.

Sumcheck

(Most of the content of this section is from Section 4.1 in Proofs, Args, and ZK by Justin Thaler, which has more detailed explanations of the below.)

This section will first cover the background behind the sumcheck protocol, and then provide an introduction as to why this may be useful in verifying the computation of layerwise arithmetic circuits.

The sumcheck protocol is an interactive protocol which verifies claims of the form: $H = ? x_{i} \in {0, 1} \sum f (x_{1}, \dots, x_{n}) .$ In this statement, $f$ is not necessarily multilinear, and $H \in F$ .

In other words, the prover, $P$ , claims that the sum of the evaluations of a function $f : F^{n} \to F$ over the boolean hypercube of dimension $n$ is $H .$ Naively, the verifier $V$ can verify this statement by evaluating this sum themselves in $O (2^{n})$ time assuming oracle access to $f$ (being able to query evaluations of $f$ in $O (1)$ time), with perfect completeness (true claims are always identified by the verifier) and perfect soundness (false claims are always identified by the verifier).

Sumcheck relaxes the perfect soundness to provide a probabilistic protocol which verifies the claim in $O (n \cdot d)$ time with a soundness error of $\leq \frac{n \cdot d}{∣ F ∣}$ where $d$ is the maximum degree of any variable $x_{1}, \dots, x_{n}$ .

The Interactive Protocol

We start with a straw-man interactive protocol which still achieves perfect completeness and soundness in verifier time $O (2^{n})$ and prover time $O (2^{n}) .$ Then, we build on this version of the protocol and introduce randomness to achieve $O (n \cdot d)$ verifier time, with a soundness error of $\leq \frac{n \cdot d}{∣ F ∣} .$

A non-probabilistic protocol

Note that the sum we are trying to verify can be rewritten as such: $H = ? x_{1} \in {0, 1} \sum x_{2} \in {0, 1} \sum x_{3} \in {0, 1} \sum \dots x_{n} \in {0, 1} \sum f (x_{1}, \dots, x_{n}) .$ Let's say $P$ sends $V$ the following univariate: $f_{1} (X) = ? x_{2} \in {0, 1} \sum x_{3} \in {0, 1} \sum \dots x_{n} \in {0, 1} \sum f (X, x_{2}, \dots, x_{n}) .$ One way for $P$ to communicate $g (X)$ to $V$ the univariate $g (X)$ is to send $d + 1 = degree (g) + 1$ evaluations of $g (X)$ . While $P$ can alternatively send coefficients, we focus on this method of defining a univariate and assume $P$ sends the evaluations $g (0), g (1), \dots, g (d)$ to $V$ .

$V$ can verify whether $H$ is correct in relation to $f_{1} (X)$ by checking whether $H = f_{1} (0) + f_{1} (1) .$ In other words, we have reduced the validity of claim that $H$ is the sum of the evaluations of $f$ over the $n$ -dimensional boolean hypercube to the claim that $f_{1} (X)$ is the univariate polynomial over a smaller sum.

Now the verifier has evaluations $f_{1} (0), f_{1} (1)$ to verify. We can similarly reduce this to claims over even smaller summations. Namely, now the prover sends over the following univariates: $f_{2, j} (X) = ? x_{3} \in {0, 1} \sum x_{4} \in {0, 1} \sum \dots x_{n} \in {0, 1} \sum f (j, X, x_{2}, \dots, x_{n}), \forall j \in [0, 1] .$

$P$ and $V$ keep engaging in such reductions until $V$ is left to verify $2^{n}$ evaluations of $f$ : this is exactly the evaluations of $f$ over the boolean hypercube, assuming that $V$ has oracle access to $f$ (it can query evaluations of $f$ in $O (1)$ time).

We have transformed the naive solution, where $V$ just evaluates the summation on their own, into an interactive protocol. In the next section we will go over how to slightly modify this by adding randomness to significantly reduce the costs incurred by $P$ and $V$ .

Schwartz-Zippel Lemma

As a brief interlude, let us go over the Schwartz-Zippel Lemma, which we can use to modify the straw-man protocol. It states that if $f (x)$ is a nonzero polynomial with degree $d$ , then the probability that $f (r) = 0$ for some random value $r$ sampled from a set $S$ is upper-bounded by $\frac{d}{∣ S ∣}$ .

This is can be seen because by the Fundamental Theorem of Alegbra, $f (x)$ has at most $d$ roots. We take the probability that we randomly sampled one of those roots out of a set of size $∣ S ∣$ .

In the case of sumcheck, we consider the polynomial to be over a field $F$ , and our randomly sampled element to be uniformly sampled from $F$ .

Introducing randomness

Our main blow-up with the straw-man interactive protocol came from the exponentially growing number of claims $V$ had to verify, ending up with $2^{n}$ evaluations of $f$ at the end. Instead, if we found a way for the reduction from $f_{i} (X)$ to claims on $f_{i + 1} (X)$ (or the reduction from the claim of $H$ to claims on $f_{1} (X)$ ) to be a one-to-one reduction in terms of number of claims, rather than one claim reduced to two claims, $V$ would only have to verify $n$ claims, and $P$ would only have to send over $n$ univariate polynomials.

Let us keep the first step the same, where $P$ first sends the following univariate polynomial: $f_{1} (X) = ? x_{2} \in {0, 1} \sum x_{3} \in {0, 1} \sum \dots x_{n} \in {0, 1} \sum f (X, x_{2}, \dots, x_{n}) .$

Now, $V$ checks whether $H = g (0) + g (1) .$ Instead of $P$ sending both $f_{2, 0} (X)$ and $f_{2, 1} (X)$ , $V$ uniformly samples a random challenge $r_{1}$ from $F$ and sends this to $P .$ $P$ sends a single univariate: $f_{2} (X) = ? x_{3} \in {0, 1} \sum x_{4} \in {0, 1} \sum \dots x_{n} \in {0, 1} \sum f (r_{1}, X, x_{3}, \dots, x_{n}) .$ $V$ checks whether $f_{1} (r_{1}) = f_{2} (0) + f_{2} (1) .$ This process is repeated iteratively, until finally in the last round, where $P$ sends $V$ the following:

$f_{n} (X) = ? f (r_{1}, \dots, r_{n - 1}, X) .$

Assuming the verifier has oracle access to $f$ , the verifier can check whether $f_{n} (r_{n}) = f (r_{1}, \dots, r_{n})$ . The difference between this protocol and the naive protocol above is that at each step, instead of individually verifying $f_{i} (0)$ and $f_{i} (1)$ , $V$ sends $P$ a "challenge" $r_{i}$ in which $P$ responds to by sending over the appropriate univariate polynomial. Therefore we have achieved a one-to-one claim reduction, and the verifier having to only verify one equation per round.

Soundness Intuition

We provide brief intuition for the soundness bound from the above protocol. At any step $i$ , the prover can cheat by sending a different univariate polynomial $h_{i} (X)$ instead of the expected $f_{i} (X)$ such that $h_{i} (r_{i}) = f_{i} (r_{i})$ , but $h_{i} (X) \neq = f_{i} (X)$ . This allows them to, ultimately, prove a different original statement: that the sum $\sum_{x \in {0, 1}^{n}} f (x) = H^{'} \neq = H$ . Because $V$ sends $r_{i}$ to $P$ , we can be confident that $P$ does not adversarially choose $r_{i}$ to be one of the roots of $h_{i} (X) - f_{i} (X)$ . Then, by the Schwartz-Zippel lemma, the probability that $r_{i}$ happened to be one of the "zeros" of $h_{i} (X) - f_{i} (X) = \frac{d _{i}}{∣ F ∣}$ where $d_{i}$ is the degree of $h_{i} (X) - f_{i} (X) .$

Example

We do a short example of the sumcheck protocol in the integers. Let $f (x) = 3 x_{1} x_{2}^{2} + 4 x_{3} x_{2} + 5 x_{1}^{3} x_{3} + 2.$ $P$ rightfully claims that $\sum_{x_{1} \in {0, 1}} \sum_{x_{2} \in {0, 1}} \sum_{x_{1} \in {0, 1}} f (x_{1}, x_{2}, x_{3}) = H = 40.$ In order to verify this claim, $P$ and $V$ engage in a sumcheck protocol.

$P$ sends $V$ the univariate: $f_{1} (X) = x_{2} \in {0, 1} \sum x_{3} \in {0, 1} \sum (3 X x_{2}^{2} + 4 x_{3} x_{2} + 5 X^{3} x_{3} + 2) = 10 X^{3} + 6 X + 12.$ $V$ verifies that $(f_{1} (0) = 12) + (f_{1} (1) = 28) = 40 = H .$ Then, $V$ samples the challenge $r_{1} = 5$ and now $P$ computes: $f_{2} (X) = x_{3} \in {0, 1} \sum (3 (5) X^{2} + 4 X x_{3} + 5 (5)^{3} x_{3} + 2) = 30 X^{2} + 4 X + 629.$

$V$ checks that $(f_{2} (0) = 629) + (f_{2} (1) = 663) = 1292 = f_{1} (5) .$ Next, $V$ samples another challenge $r_{2} = 7$ and sends it to $P$ who then computes and sends $f_{3} (X) = 653 X + 737.$ Finally, $V$ samples another random challenge $r_{3} = 3$ and checks whether $f_{3} (3) = f (5, 7, 3) .$ Indeed, $f_{3} = 2696 = f (5, 7, 3) .$

Why Sumcheck?

In the previous section, we introduced the notion of a multilinear extension of a polynomial $f$ , which is defined as $f (x_{1}, \dots, x_{n}) = z_{i} \in {0, 1} \sum eq (x; z) \cdot f (z_{1}, \dots, z_{n}) .$ Notice that naturally, a multilinear extension is defined by taking the sum over a boolean hypercube, which is what sumcheck proves claims over.

In the next section, we will go over how we can encode layers of circuits as multilinear extensions, and prove statements about the output of these layers using sumcheck.

Encoding Layers in GKR

At this point, we have all the puzzle pieces needed to describe the GKR protocol -- layered arithmetic circuits, multilinear extensions, and sumcheck. This section talks about how we can tie all of these concepts together to verify claims on the output of an arithmetic circuit.

Grounding Example

We start with an example layered arithmetic circuit. Throughout this tutorial, we will provide this concrete example while simultaneously providing the generic steps of GKR.

Diagram representing example circuit whose output we are going to verify

Note some differences from the way this circuit is labeled as opposed to the example in the statement encoding section. Over here, we let the output be a nonzero value for the sake of the example (we explain how to transform any circuit with nonzero output to a circuit with zero output in a future section). Additionally, note that the gate labels start from $0$ in each layer, as opposed to the labels being unique throughout the entire circuit in the previous example. Because our gates $add_{i, j, k}$ and $mul_{i, j, k}$ are unique per triplet of layers $(i, j, k)$ , we can start from $0$ in labeling the gates at the start of each layer.

In this example, $P$ claims that the output of the following circuit is $45.$ Note that beyond the values in the input, and the actual structure of the circuit (what we refer to as the circuit description), $V$ does not need any more information to verify the output of the circuit by computation:

Diagram representing the information the verifier needs to verify the circuit

This is because every node in every layer $L_{i}$ with $i < d$ can be computed as the result of gates applied to nodes in previous layers.

At a high level, for the rest of this section we focus on encoding layers in two ways: as an MLE of its own, and using its relationship to other layers (via gates). We can equate these two encodings because they are of the same thing (the values in a single layer). With that, we have an equation we can perform a sumcheck over.

Encoding Layer Nodes as an MLE

We start by encoding the input layer in our example, and then show how this extends to the general case. More concretely, we want an MLE $V_{j} (x)$ such that $V_{j} (x) = val_{j} (x) .$ Although it might not be immediately evident, because we eventually want to invoke the sumcheck protocol, it is useful to consider the inputs $x$ as bit-strings rather than integral values.

Example

Therefore, for example, we want $V_{3} (0, 1) = 3$ because $val_{3} (1) = 3$ and the bit-string $01$ represents $1$ . Another way of restating our problem statement of encoding the input layer as some MLE $V_{3} (x_{1}, x_{2})$ is to say "when $x = z$ , output $val_{3} (z) .$

Here we can leverage the power of the $eq$ MLE: $V_{3} (x_{1}, x_{2}) = b_{1}, b_{2} \sum eq (x_{1}, x_{2}; b_{1}, b_{2}) \cdot V_{3} (b_{1}, b_{2}),$ or in other words: $V_{3} (x_{1}, x_{2}) = 5 (1 - x_{1}) (1 - x_{2}) + 3 (1 - x_{1}) x_{2} + 2 x_{1} (1 - x_{2}) + 5 x_{1} x_{2} .$ You can independently verify that at each of the node input label values, $V (x)$ outputs the correct value.

General

Note that we conveniently defined the node labels to start from $0$ and naturally enumerate the nodes in each layer in our definition of $V_{3} (x_{1}, x_{2})$ above. This allows us to generally extend the function $f (x) = val_{i} (x)$ which represents the nodes of layer $i$ into the following MLE: $V_{i} (x) = z \in {0, 1}^{s_{i}} \sum eq (x; z) val_{i} (z)$ where $s_{i}$ is the $lo g$ number of nodes in layer $i$ .

Encoding Layers using their Relationship to other Layers

Another note we made when presenting the above diagram was that the only information that $V$ needs to know immediately is the values of the input itself and the structure of the circuit. This is because the values of the future layers are determined by nodes in previous layers and the gates that connect them. Let's formalize this statement below.

Example

In the running example, let's fill in the layer $L_{2} :$ Diagram with input and next layer filled in

We were able to fill this in because: $val_{2} (0) val_{2} (1) val_{2} (2) = = = val_{3} (1) + val_{3} (2) val_{3} (0) \cdot val_{3} (2) val_{3} (1) \cdot val_{3} (3)$

So, while one way to write the MLE representing $L_{2}$ , as explained in the previous section, is $V_{2} (x_{1}, x_{2}) = 5 (1 - x_{1}) (1 - x_{2}) + 10 (1 - x_{1}) x_{2} + 15 x_{1} (1 - x_{2}),$ we can also represent it by its relationship to the nodes in $L_{3} :$ $V_{2} (x_{1}, x_{2}) = + + eq (x_{1}, x_{2}; 0, 0) (V_{3} (0, 1) + V_{3} (1, 0)) eq (x_{1}, x_{2}; 0, 1) (V_{3} (0, 0) \cdot V_{3} (1, 0)) eq (x_{1}, x_{2}; 1, 0) (V_{3} (0, 1) \cdot V_{3} (1, 1))$ Note that in this definition, we still are linear in the variables $x_{1}, x_{2} .$

General

Now we go over how to write $V_{i} (x_{1}, x_{2})$ in terms of $V_{j} (z)$ for $j > i .$ Recall the definition of $add_{i, j, k} (z, x, y)$ and $mul_{i, j, k} (z, x, y)$ . For example, in the case of $L_{2}$ : $add_{2, 3, 3} ((0, 0), (0, 1), (1, 0)) = 1 mul_{2, 3, 3} ((0, 1), (0, 0), (1, 0)) = 1 mul_{2, 3, 3} ((1, 0), (0, 1), (1, 1)) = 1.$

If we use the indicator functions $add$ and $mul$ to translate the example above: $V_{i} (x) = z \in {0, 1}^{s_{i}} \sum x^{'} \in {0, 1}^{s_{j}} \sum y^{'} \in {0, 1}^{s_{k}} \sum (eq (x; z) add_{i, j, k} (z, x^{'}, y^{'}) [val_{j} (x^{'}) + val_{k} (y^{'})] + eq (x; z) mul_{i, j, k} (z, x^{'}, y^{'}) [val_{j} (x^{'}) \cdot val_{k} (y^{'})])$ where $s_{i}, s_{j}, s_{k}$ are the number of bits needed to represent the node labels of that respective layer. We know that $val_{j} (x^{'})$ and $val_{k} (y^{'})$ can be computed using MLEs for $L_{j}$ and $L_{k}$ , so we can rewrite the above as: $V_{i} (x) = z \in {0, 1}^{s_{i}} \sum x^{'} \in {0, 1}^{s_{j}} \sum y^{'} \in {0, 1}^{s_{k}} \sum (eq (x; z) add_{i, j, k} (z, x^{'}, y^{'}) [V_{j} (x^{'}) + V_{k} (y^{'})] + eq (x; z) mul_{i, j, k} (z, x^{'}, y^{'}) [V_{j} (x^{'}) \cdot V_{k} (y^{'})]) .$ More detail and examples on transforming these indicator gate functions into MLEs are described in the section on canonic GKR.

Using the Equivalence between Layer Encodings

Now we have enough information to show how we can reduce claims on one layer to claims on the output of an MLE encoding a source layer (closer to the circuit input layer) for that layer.

Example

We start with the MLE encoding the output. $P$ claims that the output of the circuit is $45$ , i.e., $V_{0} = 45$ . Then, at any random point $V$ challenges $P$ with, say $g$ , because $V_{0}$ is a constant function, an honest $P$ claims that $V_{0} (g) = 45$ .

Another way, as expressed above to write $V_{0} (g)$ is as:

$45 = ? V_{0} (g) = z \in {0, 1}^{s_{0}} \sum x^{'} \in {0, 1}^{s_{j}} \sum y^{'} \in {0, 1}^{s_{k}} \sum (eq (g; z) add_{0, 1, 1} (z, x^{'}, y^{'}) [V_{1} (x^{'}) + V_{1} (y^{'})] + eq (g; z) mul_{0, 1, 1} (z, x^{'}, y^{'}) [V_{1} (x^{'}) \cdot V_{1} (y^{'})]) .$

Note that while we expicitly write $z$ to maintain consistency between earlier examples, in this case, because there is only one output, there are no $z$ variables. Therefore, $add_{0, 1, 1} (z, x, y)$ and $mul_{0, 1, 1} (z, x, y)$ are constant functions, and their extensions are equal to their value in their first position: $add_{0, 1, 1} (0, x, y)$ and $mul_{0, 1, 1} (0, x, y)$ .

$P$ and $V$ engage in a sumcheck protocol to verify this claim of the sum of a polynomial over the boolean hypercube. Recall that sumcheck requires binding the variables that the sum is over (in this case, $z, x^{'}, y^{'}$ ), one by one, with random challenges.

If we follow the sumcheck protocol as is, at the end, $x$ is bound to $u$ and $y$ is bound to $v$ . Let's say the prover's final univariate is $f_{s_{j} + s_{k}} (X)$ and the verifier's final challenge is $v_{k} .$ Then, we end with the final claim:

$f_{s_{k} + s_{k}} (v_{k}) = ? add_{0, 1, 1} (0, u, v) [V_{1} (u) + V_{1} (v)] + mul_{0, 1, 1} (0, u, v) [V_{1} (u) \cdot V_{1} (v)] .$

$V$ knows the structure of the circuit, so they can compute $add_{0, 1, 1} (p, u, v), mul_{0, 1, 1} (p, u, v)$ on their own. Additionally, $eq$ is publically computable, so $V$ computes that on their own as well. Normally, sumcheck would require $V$ make a query to an "oracle" to verify the claimed values $V_{1} (u) = ? c_{1}$ and $V_{1} (v) = ? h_{2}$ .

However, instead we say that $P$ "reduces" the claim that $V_{0} (g) = ? 45$ to two claims on $V_{1} : V_{1} (u) = ? c_{1}; V_{1} (v) = ? c_{2} .$

Similarly, $V_{1}$ has a relationship to MLEs in later layers, so the sumcheck on $V_{1}$ will reduce to claims on these MLEs, eventually propagating to claims on the input layer.

For another example of claim reduction for structured GKR, see this section.

General

In general, GKR works very similarly to the example above. We cover the case where $V$ expects the output of the circuit to be $0$ . $P$ receives a challenge from $V, g$ and claims that the MLE representing $L_{0}$ still evaluates to $0$ over that random point. I.e., $P$ claims that $V_{0} (g) = 0.$ Using the encoding of $V_{0}$ using later layers, $P$ reduces its claim on the output of the circuit to evaluations of MLEs representing future layers.

Note that there is an exponential blow-up of claims when reducing claims on one layer to the next. We describe a protocol to aggregate claims (and therefore achieve a one-to-one reduction) in the claims section.

Circuit Description

Throughout this section, we refer to $V$ using the description of the circuit in order to evaluate the gates or to understand the layerwise relationships on their own. The circuit description is something agreed upon beforehand with $P$ and $V$ and visible to both parties -- it is the "shape" of the circuit, which includes how many nodes each layer contains, the number of layers, and which gates connect nodes from layer to layer.

Therefore, the circuit description of our example circuit is this:

Example Circuit Description

Note: Transforming a Circuit to have Zero Output

In Remainder, $V$ expects circuits to have output $0$ . This is because certain types of circuits (such as those resulting from LogUp) require the output to specifically be $0$ , and $V$ needs to specifically verify this fact.

If a circuit does not have output $0$ , one way to transform this is to add the negative of the expected output to the input. The last layer of the circuit can be the sum of this expected output, and the actual output of the circuit. This results in a circuit with the output layer evaluating to $0$ . We show this transformation applied to our example above:

Example Transforming to Zero Output

GKR Theory Overview

Read the introduction and ready to dive into some deeper GKR theory concepts? Let's go!

Structured ("Sector") GKR

Source: Tha13, section 5 ("Time-Optimal Protocols for Circuit Evaluation").

Review: Equality MLE

We begin by briefly recalling the $eq$ MLE (see this section for more details). We first consider the binary string equality function $eq : {0, 1}^{2 n} \mapsto {0, 1}$ , where

$eq (X_{1}, ..., X_{n}; Y_{1}, ..., Y_{n}) = {10 if \forall i : X_{i} = Y_{i} otherwise$

This function is $1$ if and only if $X$ and $Y$ are equal as binary strings, and $0$ otherwise. We can extend this to a multilinear extension via the following -- consider $eq : F^{2 n} \mapsto F$ , where

$eq (X_{1}, ..., X_{n}; Y_{1}, ..., Y_{n}) = i = 1 \prod n (1 - X_{i}) (1 - Y_{i}) + X_{i} Y_{i}$

Structured Layerwise Relationship

See Tha13, page 25 ("Theorem 1") for a more rigorous treatment. Note that Remainder does not implement Theorem 1 in its entirety, and that many circuits which do fulfill the criteria of Theorem 1 are currently not expressible within Remainder's circuit frontend.

Structured layerwise relationships can loosely be thought of as data relationships where the bits of the index of the "destination" value in the $i$ 'th layer are a (optionally subset) permutation of the bits of the index of the "source" value in the $j$ 'th layer for $j > i$ . As a concrete example, we consider a layerwise relationship where the destination layer is half the size, and its values are the element-wise products of the two halves of the source layer's values: Let $V_{i} (Z_{1}, Z_{2})$ represent the MLE of the destination layer, and let $V_{j} (Z_{1}, Z_{2}, Z_{3})$ represent the MLE of the source layer.

Let the evaluations of $V_{j}$ over the hypercube be $[a, b, c, d, e, f, g, h]$ . Then we wish to create a layerwise relationship such that the evaluations of $V_{i}$ over the hypercube are $[a e, b f, c g, d h]$ . We can actually write this as a simple rule in terms of the (integer) indices of $V_{i}$ as follows:

$V_{i} (z) = V_{j} (z) \cdot V_{j} (4 + z)$

If we allow for our arguments to be the binary decomposition of $z$ rather than $z$ itself, we might have the following relationship:

$V_{i} (z_{1}, z_{2}) = V_{j} (0, z_{1}, z_{2}) \cdot V_{j} (1, z_{1}, z_{2})$

where $0 z_{1} z_{2}$ is the binary representation of $z$ and $1 z_{1} z_{2}$ is the binary representation of $4 + z$ . This is in fact very close to the exact form-factor of the polynomial layerwise relationship which we should create between the layers -- we now consider the somewhat un-intuitive relationship

$V_{i} (Z_{1}, Z_{2}) = b_{1}, b_{2} \in {0, 1}^{2} \sum eq (Z_{1}, Z_{2}; b_{1}, b_{2}) \cdot V_{j} (0, b_{1}, b_{2}) \cdot V_{j} (1, b_{1}, b_{2})$

One way to read the above relationship is the following: for any (binary decomposition) $Z_{1}, Z_{2}$ , the value of the $i$ 'th layer at the index represented by $Z_{1}, Z_{2}$ should be $V_{j} (0, Z_{1}, Z_{2}) \cdot V_{j} (1, Z_{1}, Z_{2})$ . We are summing over all possible values of the hypercube above, $b_{1}, b_{2} \in {0, 1}^{2}$ , and for each value we check whether the current iterated hypercube value $b_{1}, b_{2}$ "equals" the argument $Z_{1}, Z_{2}$ value. If so, we contribute $V_{j} (0, b_{1}, b_{2}) \cdot V_{j} (1, b_{1}, b_{2})$ to the sum and if not, we contribute zero to the sum.

In this way we see for $Z_{1}, Z_{2} \in {0, 1}$ that all of the summed values will be zero except for when $b_{1}, b_{2}$ are exactly identical to $Z_{1}, Z_{2}$ , and thus only the correct value $V_{j} (0, b_{1}, b_{2}) \cdot V_{j} (1, b_{1}, b_{2})$ will contribute to the sum (and thus the value of $V_{i} (Z_{1}, Z_{2})$ ).

As described, the above relationship looks extremely inefficient in some sense -- why bother summing over all the hypercube values when we already know that all of them will be zero because $eq$ will evaluate to zero at all values except one?

The answer is that it's not enough to only consider $V_{i} (Z_{1}, Z_{2})$ for binary $Z_{1}, Z_{2}$ , as our claims will be of the form $V_{i} (g_{1}, g_{2}) = c$ , where $g_{1}, g_{2}, c \in F$ , and $V_{i}$ is the multilinear extension of $V_{i}$ (see claims section for more information on prover claims). Another way to see this is that the above relationship is able to be shown for each $Z_{1}, Z_{2} \in {0, 1}$ , but we want to make sure that the relationship holds for all $Z_{1}, Z_{2} \in {0, 1}$ . Rather than checking each index individually, it's much more efficient to check a "random combination" of all values simultaneously by evaluating $V_{i}$ at a random point $g_{1}, g_{2}$ . We thus have, instead, that

$V_{i} (Z_{1}, Z_{2}) = b_{1}, b_{2} \in {0, 1}^{2} \sum eq (Z_{1}, Z_{2}; b_{1}, b_{2}) \cdot V_{j} (0, b_{1}, b_{2}) \cdot V_{j} (1, b_{1}, b_{2})$

Since $V_{i}$ is identical to $V_{i}$ (and similarly for $eq$ and $V_{j}$ ) everywhere on the hypercube, the above relationship should still hold for all binary $Z_{1}, Z_{2}$ . Moreover, the above relationship is now one which we can directly apply sumcheck to, since we have a summation over the hypercube!

But wait, you might say. This still seems wasteful -- why are we bothering with this summation and $eq$ polynomial? Why can't we just have something like

$V_{i} (Z_{1}, Z_{2}) = V_{j} (0, Z_{1}, Z_{2}) \cdot V_{j} (1, Z_{1}, Z_{2})$

Unfortunately the above relationship cannot work, as $Z_{1}, Z_{2}$ are linear on the LHS and quadratic on the RHS. The purpose of the summation and $eq$ polynomial is to "linearize" the RHS and quite literally turn any high degree polynomial (such as $V_{j} (0, Z_{1}, Z_{2}) \cdot V_{j} (1, Z_{1}, Z_{2})$ ) into its unique multilinear extension (recall the definition of multilinear extension).

We see that the general pattern of creating a "structured" layerwise relationship is as follows:

First, write the relationship in terms of the binary indices of values between each layer. In our case, $V_{i} (z_{1}, z_{2}) = V_{j} (0, z_{1}, z_{2}) \cdot V_{j} (1, z_{1}, z_{2})$ .
Next, replace $z_{i}$ on the LHS of the equation with formal variable $Z_{i} \in F$ , and allow the LHS to be a multilinear extension. We now have $V_{i} (Z_{1}, Z_{2})$ on the LHS.
Next, replace $z_{i}$ on the RHS of the equation with boolean $b_{i}$ values and add an $eq$ predicate between $Z_{i}, b_{i}$ , and add a summation over all $b_{i}$ values. Additionally, extend all $V_{j}$ to their multilinear extensions $V_{j}$ (this is importantly only for sumcheck):

$V_{i} (Z_{1}, Z_{2}) = b_{1}, b_{2} \in {0, 1}^{2} \sum eq (Z_{1}, Z_{2}; b_{1}, b_{2}) \cdot V_{j} (0, b_{1}, b_{2}) \cdot V_{j} (1, b_{1}, b_{2})$

Structured "Selector" Variables

Some relationships between layers are best expressed piece-wise. For example, let's say that we have a destination layer, $V_{i} (Z_{1}, Z_{2})$ , and a source layer of the same size, $V_{j} (Z_{1}, Z_{2})$ , where we'd like to square the first two evaluations but double the last two.

In other words, if $V_{j} (Z_{1}, Z_{2})$ has evaluations $[a, b, c, d]$ over the boolean hypercube, then $V_{i} (Z_{1}, Z_{2})$ should have evaluations $[a^{2}, b^{2}, 2 c, 2 d]$ . If we follow our usual protocol for writing the layerwise relationship here, we would have something like the following for the "integer index" version of the relationship:

$V_{i} (z) = {V_{j} (z)^{2} 2 \cdot V_{j} (z) if z < 2 otherwise$

We notice that in binary form, $z < 2$ whenever $z_{1} = 0$ (and $z \geq 2$ when $z_{1} = 1$ ). We can thus re-write the above as

$V_{i} (z_{1}, z_{2}) = (1 - z_{1}) \cdot V_{j} (0, z_{2})^{2} + z_{1} \cdot 2 \cdot V_{j} (1, z_{2})$

In other words, when $z_{1} = 0$ the second summand on the RHS is zero, and the first summand is just $V_{j} (0, z_{2}) = V_{j} (z_{1}, z_{2})$ since we already know that $z_{1} = 0$ , and vice versa for when $z_{1} = 1$ . At a first glance, this may look similar to the earlier example in which we took the products of adjacent pairs of layer values, but the two are not the same --

First, the current setup is semantically quite different; in the previous example we applied a binary "shrinking" transformation between the source and destination layers by multiplying pairs of values, while in the current example we are "splitting" the circuit into two semantic halves and applying a different unary operation element-wise to each half.
Second, the current setup actually has its $z_{1}$ variable outside of the argument to an MLE representing data in a previous layer. This is precisely what allows us to "select" between the two semantic halves of the circuit and compute an element-wise squaring in the first and a doubling in the second.

Applying the third transformation rule from above and extending everything into its multilinear form, we get

$V_{i} (Z_{1}, Z_{2}) = b_{1}, b_{2} \in {0, 1}^{2} \sum eq (Z_{1}, Z_{2}; b_{1}, b_{2}) \cdot [(1 - b_{1}) \cdot V_{j} (0, b_{2})^{2} + b_{1} \cdot 2 \cdot V_{j} (1, b_{2})]$

However, now the observation that $eq$ should only apply to variables which are nonlinear on the RHS is helpful here -- notice that although $b_{2}$ as a variable would be quadratic on the RHS, $b_{1}$ is linear and can thus be removed from the summation altogether and replaced directly with $Z_{1}$ :

$V_{i} (Z_{1}, Z_{2}) = b_{2} \in {0, 1} \sum eq (Z_{2}; b_{2}) \cdot [(1 - Z_{1}) \cdot V_{j} (0, b_{2})^{2} + Z_{1} \cdot 2 \cdot V_{j} (1, b_{2})]$

This layerwise relationship form-factor is called a "selector" in Remainder terminology and in general refers to an in-circuit version of an "if/else" statement where MLEs representing the values of layers can be broken into power-of-two-sized pieces.

Why Structured Circuits?

Compared to canonic GKR, structured circuits are good for two reasons -- verifier runtime and circuit description size. Note that every layerwise relationship which can be expressed as a structured layer (using $eq$ ) can be written as an equivalent series of $add$ and $mul$ gate layers.

To see why structured layers are good for circuit description size, we compare the following layer-wise relationships which describe the same circuit wiring pattern, but with different verifier cost and circuit description complexities (let $Z = Z_{1}, ..., Z_{n}$ and $b = b_{1}, ..., b_{n}$ for shorthand). Firstly, the structured version, which computes an element-wise product between each pair of evaluations:

$V_{i} (Z_{1}, ..., Z_{n}) = b_{1}, ..., b_{n} \in {0, 1}^{n} \sum eq (Z; b) \cdot V_{j} (b_{1}, ..., b_{n - 1}, 0) \cdot V_{j} (b_{1}, ..., b_{n - 1}, 1)$

And secondly, the multiplication gate version:

$V_{i} (Z_{1}, ..., Z_{n}) = x \in {0, 1}^{n}, y \in {0, 1}^{n} \sum mul_{i, j, j} (Z, x, y) \cdot [V_{j} (x) \cdot V_{j} (y)]$

We first consider the verifier runtime for both. Note that the sumcheck verifier performs $O (1)$ operations per round of sumcheck, plus the work necessary for the oracle query. In the structured relationship's case, there are $n$ rounds of sumcheck, and assuming that $b_{1}, ..., b_{n}$ get bound to $r_{1}, ..., r_{n} \in F$ , the oracle query which the verifier must evaluate is of the form

$f_{n} (r_{n}) = ? eq (Z_{1}, ..., Z_{n}; r_{1}, ..., r_{n}) \cdot V_{j} (r_{1}, ..., r_{n - 1}, 0) \cdot V_{j} (r_{1}, ..., r_{n - 1}, 1)$

where $f_{n}$ is the $n$ 'th univariate polynomial which the prover sends during sumcheck. The prover sends the claimed values for both $V_{j} (r_{1}, ..., r_{n - 1}, 0)$ and $V_{j} (r_{1}, ..., r_{n - 1}, 1)$ , and so the verifier doesn't do any work there. The verifier additionally evaluates $eq (Z_{1}, ..., Z_{n}; r_{1}, ..., r_{n})$ on its own, which it can do in $O (n)$ time.

Next, we consider the verifier runtime for the multiplication gate case: let $x_{1}, ..., x_{n}$ be bound to $u_{1}, ..., u_{n} \in F$ and let $y_{1}, ..., y_{n}$ be bound to $v_{1}, ..., v_{n} \in F$ during sumcheck. The oracle query is then

$f_{n} (r_{n}) = ? mul_{i, j, j} (Z_{1}, ..., Z_{n}, u_{1}, ..., u_{n}, v_{1}, ..., v_{n}) \cdot [V_{j} (u_{1}, ..., u_{n}) \cdot V_{j} (v_{1}, ..., v_{n})]$

Similarly to the structured case, the prover sends claimed values for $V_{j} (u_{1}, ..., u_{n})$ and $V_{j} (v_{1}, ..., v_{n})$ , and so the verifier doesn't have to do any work here. However, the verifier must also evaluate $mul_{i, j, j} (Z_{1}, ..., Z_{n}, u_{1}, ..., u_{n}, v_{1}, ..., v_{n})$ on its own. This requires time linear to the sparsity of the $mul_{i, j, j}$ polynomial, i.e. $O (2^{n - 1})$ in this example, since there are $2^{n - 1}$ nonzero multiplication gates (one for each pair of values in layer $i + 1$ ).

A circuit description size comparison between the two can be seen in a very similar light. In particular, the representation of $eq$ requires just $O (n)$ words to store (assuming each word can hold an $n$ -bit value), as we simply enumerate the indices between the $Z_{i}$ 's and the $b_{i}$ 's. On the other hand, storing the sparse representation of $mul$ required for linear-time proving requires storing all nonzero evaluations, i.e. $O (2^{n - 1})$ such indices in the above example (although one might argue that the representation is quite structured and can therefore be further compressed).

A note on claims

The above example (and other similar layerwise relationships) give us a further prover speedup through the structure of the claims which arise from the oracle query during sumcheck. In particular, the claims which the prover makes to the verifier in the structured case are as follows:

$V_{j} (r_{1}, ..., r_{n - 1}, 0) = ? c_{0} V_{j} (r_{1}, ..., r_{n - 1}, 1) = ? c_{1}$

These claims can be aggregated with almost no additional cost to the prover and verifier, as the first $n - 1$ challenges are identical between the two and the last challenges are precisely a $0$ and a $1$ . In particular, the verifier can simply sample $r^{⋆}$ and have the prover instead show that

$V_{j} (r_{1}, ..., r_{n - 1}, r^{⋆}) = (1 - r^{⋆}) \cdot c_{0} + r^{⋆} \cdot c_{1}$

On the other hand, the claims generated by the multiplication gate version of the layer above are in the form

$V_{j} (u_{1}, ..., u_{n}) = ? c_{u} V_{j} (v_{1}, ..., v_{n}) = ? c_{v}$

These claims have no challenges in common, and can only be aggregated through interpolative or RLC claim aggregation, both of which are significantly more expensive than the above method.

Costs

In general (note that this does not capture all possible structured layer cases, but should be enough to give some intuition on the prover/verifier/proof size costs for most structured layers), let us assume that our layerwise relationship can be expressed in the following manner -- $V_{i} (Z_{1}, ..., Z_{n}) = b_{1}, ..., b_{n} \in {0, 1}^{n} \sum eq (Z_{1}, ..., Z_{n}; b_{1}, ..., b_{n}) [k = 1 \sum s ℓ = 1 \prod d V_{j_{k, ℓ}} (b_{1}, ..., b_{n})]$ In other words, we have a layerwise relationship over $n$ variables, where the values in $V_{i}$ are a function of those in layers $V_{j_{k, ℓ}}$ , where $j_{k, ℓ} > i$ , such that we have $s$ total summand "groups" of MLEs over $n$ variables of size up to $d$ , i.e. the total polynomial degree in each of the $b_{i}$ is $d + 1$ .

The prover costs are as follows:

For simplicity here, we assume that the prover has $O (1)$ access to any value in $eq (Z_{1}, ..., Z_{n}; b_{1}, ..., b_{n})$ (note that these evaluations must be either precomputed in linear time, e.g. Tha13, or can be streamed in linear time in a clever way, e.g. Rot24).
Additionally, we assume that the prover has $O (1)$ access to any value in any $V_{i_{k, ℓ}} (b_{1}, ..., b_{n})$ , since the prover presumably knows all of the circuit values ahead of time.
Finally, we assume that the prover can use the "bookkeeping table folding" trick from Tha13 to compute both $eq (Z_{1}, ..., Z_{n}; r_{1}, b_{2}, ..., b_{n})$ from $eq (Z_{1}, ..., Z_{n}; b_{1}, b_{2}, ..., b_{n})$ and $V_{i_{k, ℓ}} (Z_{1}, ..., Z_{n}; r_{1}, b_{2}, ..., b_{n})$ from $V_{i_{k, ℓ}} (Z_{1}, ..., Z_{n}; b_{1}, b_{2}, ..., b_{n})$ in $O (2^{n})$ field operations.
We thus see that in the first round of sumcheck, the prover must do the following:
- Evaluate each of the terms in the summation for every $b_{1}, ..., b_{n} \in {0, 1}^{n}$ and sum them together. Each evaluation takes $O (s d)$ field operations, as there are $s$ summands and each requires $d$ multiplications.
- Since there are $2^{n}$ values of $b_{1}, ..., b_{n}$ , the above costs $O (s \cdot d \cdot 2^{n})$ field operations. This is the total cost for the prover to compute the claimed sum for the first round.
- Next, the prover must evaluate the RHS of the sumchecked equation at $X = 0, ..., d + 1$ in the place of $b_{1}$ to compute the univariate sumcheck message. Each evaluation of $X$ , similarly to the above, costs $O (s \cdot d \cdot 2^{n})$ field operations.
- The total cost for the prover to compute the claimed sum + univariate message in the first round is thus $O (s \cdot d \cdot 2^{n} + (d + 1) \cdot s \cdot d \cdot 2^{n}) = O (s \cdot d (d + 2) \cdot 2^{n})$ field operations.
We can generalize the above to the $t$ 'th round of sumcheck (let $t = 0$ for the first round) by noting that rather than $n$ variables, there are $n - t$ variables which are being summed over in the outer sum. Since the other values $s, d$ remain constant, the prover's total cost is simply $O (s \cdot d (d + 1) \cdot 2^{n - t})$ .
Finally, as mentioned earlier, the prover can generate the necessary precomputed values from the $t$ 'th round from those of the $t - 1$ 'th round in $O ((s \cdot d + 1) \cdot 2^{n - t})$ , as there are $s \cdot d + 1$ MLEs (including the $eq$ polynomial) which need their bookkeeping tables to be "folded" in $O (2^{n - t})$ .
Putting it altogether, the prover's total cost across all sumcheck rounds is thus $t = 0 \sum n - 1 O (s \cdot d (d + 2) \cdot 2^{n - t}) + O ((s \cdot d + 1) \cdot 2^{n - t})$
Since the above is a geometric series in $2^{n}$ , we have that the prover's total cost across all rounds is simply $O (s \cdot d (d + 2) \cdot 2^{n + 1})$

The proof size is as follows:

For each of the $n$ rounds of sumcheck, the prover must send over a degree $d + 1$ univariate polynomial to the verifier. Additionally, the prover must send the original sum (although this is actually free in GKR since the verifier already has the prover-claimed sum implicitly through the prover's claim from a previous sumcheck's oracle query).
Finally, the prover must send over each of its claimed values for the $V_{j_{k, ℓ}} (r_{1}, ..., r_{n})$ at the end of sumcheck. There are at most $s \cdot d$ claims.
The proof size is thus simply $O ((d + 2) \cdot n + s \cdot d)$ field elements.

The verifier runtime is as follows:

For each round of sumcheck, let the prover's univariate polynomial message be $f_{t} (X) \in F^{< d + 2} [X]$ . The verifier samples a random challenge $r_{t} \leftarrow $ F$ and checks whether $f_{t - 1} (r_{t}) = ? f_{t} (0) + f_{t} (1)$
Since the verifier can evaluate $f_{t}$ and $f_{t - 1}$ in $O (d + 2)$ and performs this check for each of the $n$ rounds of sumcheck, they can compute all the intermediate checks in $O (n \cdot (d + 2))$ .
During the final oracle query, the verifier must check whether $f_{n} (r_{1}, ..., r_{n}) = ? eq (Z_{1}, ..., Z_{n}; r_{1}, ..., r_{n}) [k = 1 \sum s ℓ = 1 \prod d V_{j_{k, ℓ}} (r_{1}, ..., r_{n})]$
The verifier can compute $eq (Z_{1}, ..., Z_{n}; r_{1}, ..., r_{n})$ on its own in $O (n)$ , and has access to each of the prover-claimed values for $V_{j_{k, ℓ}} (r_{1}, ..., r_{n})$ . It can thus compute the RHS of the above in $O (n + s \cdot d)$ .
The verifier's total runtime is thus $O (n \cdot d + n + s \cdot d) = O ((s + n) \cdot d)$

c# Canonic GKR See XZZ+19, ZLW+20 for more details.

"Gate"-style layerwise relationship

Unlike the structured wiring pattern described in the previous section, "gate"-style layerwise relationships allow for an arbitrary wiring pattern between a destination layer and its source layer(s). In general, these layerwise relationships are defined via indicator functions $id, add, mul$ (these function like the $eq$ function in structured layerwise relationships, but allow for input wires whose indices have no relationship to those of the output wire). Consider, for example, the canonic layerwise GKR equation, which defines the relationship between a previous layer's MLE ( $V_{i + 1}$ below) and the current layer's MLE ( $V_{i}$ below): $V_{i} (z) = x, y \in {0, 1}^{2 s_{i + 1}} \sum add_{i + 1} (z, x, y) [V_{i + 1} (x) + V_{i + 1} (y)] + mul_{i + 1} (z, x, y) [V_{i + 1} (x) \cdot V_{i + 1} (y)]$ We define three types of gate layers within Remainder, although they are all quite similar in spirit.

Notation

Let $s_{i}$ denote the number of variables the MLE representing layer $i$ has (in other words, layer $i$ of the circuit has $2^{s_{i}}$ values).
Let $V_{i} (z) \in F^{< 2} [X_{1}, ..., X_{s_{i}}]$ be the MLE corresponding to values in the layer of the circuit which is the "destination" of the gate polynomial relationship.
Let $V_{j} (x) \in F^{< 2} [X_{1}, ..., X_{s_{j}}]$ be the MLE corresponding to values in (one) layer of the circuit which is the "source" of the gate polynomial relationship. Note that $j > i$ always.
Similarly, let $V_{k} (x) \in F^{< 2} [X_{1}, ..., X_{s_{k}}]$ be the MLE corresponding to values in (another) layer of the circuit which is a second "source" of the gate polynomial relationship. Note that $k > i$ always.

Identity Gate

Identity gates are defined in the following way: $id (z, x) : {0, 1}^{s_{i}} \times {0, 1}^{s_{j}} \mapsto {0, 1} where id (z, x) = {10 if V_{i} (z) = V_{j} (x) otherwise$ In other words, $id (z, x)$ is $1$ if and only if there is a gate from the $z$ 'th value in the $j$ 'th layer to the $x$ 'th value in the $i$ 'th layer. These can be thought of as "routing" gates or "copy constraints", as they directly pass a value from one layer to another. The MLE of the identity function above is defined as follows: $id : F^{< 2} [Z_{1}, ..., Z_{s_{i}}, X_{1}, ..., X_{s_{j}}] \mapsto F where id (g, u) = z \in {0, 1}^{s_{i}}, x \in {0, 1}^{s_{j}} \sum eq (g, z) \cdot eq (u, x) \cdot id (z, x)$ The polynomial relationship between the "destination" layer $i$ 's MLE and the "source" layer $j$ 's MLE is as follows: $V_{i} (g) = x \in {0, 1}^{s_{j}} \sum id (g, x) \cdot V_{j} (x)$ Assuming that $x$ gets bound to $u \in F^{s_{j}}$ during sumcheck, this layer produces two claims -- one on $id (g, u)$ and one on $V_{j} (u)$ . The former can be checked by the verifier directly (since it knows the circuit wiring and uses the definition of $id$ above), and the latter is proven by sumcheck over layer $j$ .

Example

We start with a "source" MLE $V_{j} (x_{0}, x_{1})$ over two variables with four evaluations, and wish to obtain a circular-shifted version of the evaluations of this MLE in layer $i$ , i.e. $V_{i} (z_{0}, z_{1})$ .

For example, let's say that the evaluations of $V_{j}$ are $[0, 1, 2, 3]$ . We wish for those of $V_{i}$ to be e.g. $[1, 2, 3, 0]$ . To do this, we can list the "nonzero" identity gate indices, i.e. $(z_{0}, z_{1}; x_{0}, x_{1})$ , such that $V_{i} (z_{0}, z_{1}) = V_{j} (x_{0}, x_{1})$ :

$(0, 0; 0, 1)$ : the zeroth evaluation of layer $i$ is equivalent to the first evaluation of layer $j$ .
$(0, 1; 1, 0)$ : the first evaluation of layer $i$ is equivalent to the second evaluation of layer $j$ .
$(1, 0; 1, 1)$ : similar reasoning as above.
$(1, 1; 0, 0)$ : similar reasoning as above.

For all other tuples over binary values we have that $id (z, x) = 0$ .

Costs

Over here, we go through some of the costs for the prover runtime, proof size, and verifier runtime when performing sumcheck over an identity gate layer. In order to provide some intuition, we analyze the costs of a particular example, which may not encapsulate the general example for identity gate layers.

Let us recall the identity gate sumcheck equation: $V_{i} (g) = x \in {0, 1}^{s_{j}} \sum id (g, x) \cdot V_{j} (x) .$ We can rewrite this as: $V_{i} (g) = z \in {0, 1}^{s_{i}} \sum x \in {0, 1}^{s_{j}} \sum eq (g, z) \cdot id (z, x) \cdot V_{j} (x) .$ As observed in XZZ+19, we only need to sum over the wirings which are non-zero (i.e., there exists a re-routing from label $x$ in layer $j$ to label $z$ in layer $i$ ). Call the set of non-zero wirings as $N$ (here, we say that $N \in O (2^{s_{i}} + 2^{s_{j}})$ , i.e. a constant number of wires for each input layer and output layer value). We can rewrite the summation as: $V_{i} (g) = (z, x) \in N \sum eq (g, z) \cdot V_{j} (x) .$

The prover cost for sumcheck over an identity gate layer is as follows:

The prover must first compute the evaluations of $eq (g, z) \cdot id (z, x)$ . By summing over the non-zero wirings in $N$ , XZZ+19 shows us how to compute an MLE with evaluations of this product in time $O (2^{s_{i}}) .$ This involves first pre-computing the table of evaluations of $eq (g, z)$ using the dynamic-programming algorithm in Tha13, and then appropriately summing over $N$ to fold in the evaluations of $id (z, x) .$
Next, the prover must compute sumcheck messages for the above relationship. The degree of each sumcheck message is $d = 2$ , and thus the prover sends $d + 1 = 3$ evaluations per round of sumcheck. Since we are sumchecking over $x \in {0, 1}^{s_{j}}$ , there are $s_{j}$ rounds of sumcheck and thus the prover cost is $d (d + 1) 2^{k}$ for the $k$ 'th round of sumcheck. The total prover sumcheck cost is thus $d (d + 1) k = 1 \sum s_{j} 2^{k} = d (d + 1) 2^{s_{j} + 1} .$
Letting $d^{2} = 4$ be a constant, the total prover runtime (pre-processing + sumcheck) is $O (2^{s_{i}} + 2^{s_{j}}) .$

The proof size for sumcheck over identity gate is as follows:

There are $s_{j}$ total sumcheck rounds, each with the prover sending over $3$ evaluations for a quadratic polynomial. The proof size is thus $3 s_{j}$ field elements, plus $1$ extra for the final claim on $V_{j} (x)$ .

The verifier cost for sumcheck over identity gate is as follows:

The verifier receives $s_{j}$ sumcheck messages with $3$ evaluations each, and each round it must evaluate those quadratic polynomials at a random point. Its runtime is thus $O (s_{j})$ with very small constants.

Add Gate

The concepts for addition and multiplication gates are very similar to that of identity gate above. For add gate, we have the binary wiring indicator predicate: $add (z, x, y) : {0, 1}^{s_{i}} \times {0, 1}^{s_{j}} \times {0, 1}^{s_{k}} \mapsto {0, 1} where add (z, x, y) = {10 if V_{i} (z) = V_{j} (x) + V_{k} (y) otherwise$ Here, we have that $add (z, x, y) = 1$ if and only if the $x$ 'th value in the $j$ 'th layer and the $y$ 'th value in the $k$ 'th layer sum to the $z$ 'th value in the $i$ 'th layer. The MLE of $add (z, x, y)$ is similar to that of $id$ : $add : F^{< 2} [Z_{1}, ..., Z_{s_{i}}, X_{1}, ..., X_{s_{j}}, Y_{1}, ..., Y_{s_{k}}] \mapsto F where add (g, u, v) = z \in {0, 1}^{s_{i}}, x \in {0, 1}^{s_{j}}, y \in {0, 1}^{s_{k}} \sum eq (g, z) \cdot eq (u, x) \cdot eq (v, y) \cdot add (z, x, y)$ and the polynomial relationship is defined very similarly to that of identity gate: $V_{i} (g) = x \in {0, 1}^{s_{j}}, y \in {0, 1}^{s_{k}} \sum add (g, x, y) \cdot [V_{j} (x) + V_{k} (y)]$ Assuming that $x$ gets bound to $u \in F^{s_{j}}$ and $y$ gets bound to $v \in F^{s_{k}}$ during sumcheck, a claim on this layer results in three total claims: one on $add (g, u, v)$ (which the verifier can compute from the circuit description and therefore check on its own), one on $V_{j} (u)$ , and one on $V_{k} (v)$ .

Example

We start with two "source" MLEs, $V_{j} (x_{0}, x_{1}), V_{k} (y_{0}, y_{1})$ over two variables with four evaluations each, and wish to add each value in the first with its $4 - idx$ "complementary value" in the second. The result should be the MLE representing layer $i$ , i.e. $V_{i} (z_{0}, z_{1})$ .

For example, let's say that the evaluations of $V_{j} (x_{0}, x_{1})$ are $[a, b, c, d]$ and those of $V_{k} (y_{0}, y_{1})$ are $[e, f, g, h]$ . We wish to add $a$ to $h$ , $b$ to $g$ , and so on. Then our "nonzero gate tuples" are as follows:

$(0, 0; 0, 0; 1, 1)$ : the zeroth value in the $i$ 'th layer is equivalent to the sum of the zeroth value in the $j$ 'th layer and the third value in the $k$ 'th layer.
$(0, 1; 0, 1; 1, 0)$ : the first value in the $i$ 'th layer is equivalent to the sum of the first value in the $j$ 'th layer and the second value in the $k$ 'th layer.
$(1, 0; 1, 0; 0, 1)$ : similar reasoning to the above.
$(1, 1; 1, 1; 0, 0)$ : similar reasoning to the above.

For all other binary tuples we have that $add (z, x, y) = 0$ , and our resulting MLE's evaluations should be as follows: $[a + h, b + g, c + f, d + e]$ .

Costs

Over here, we go through some of the costs for the prover runtime, proof size, and verifier runtime when performing sumcheck over an add gate layer. In order to provide some intuition, we analyze the costs of a particular example, which may not encapsulate the general example for add gate layers.

Let us recall the add gate sumcheck equation: $V_{i} (g) = x \in {0, 1}^{s_{j}} \sum y \in {0, 1}^{s_{k}} \sum add (g, x, y) \cdot [V_{j} (x) + V_{k} (y)]$ We can rewrite this as: $V_{i} (g) = z \in {0, 1}^{s_{i}} \sum x \in {0, 1}^{s_{j}} \sum y \in {0, 1}^{s_{k}} \sum eq (g, z) \cdot add (z, x, y) \cdot [V_{j} (x) + V_{k} (y)]$ As observed in XZZ+19, we only need to sum over the wirings which are non-zero (i.e., there exists a an addition from label $x$ in layer $j$ and label $y$ in layer $k$ to label $z$ in layer $i$ ). Call the set of non-zero wirings as $N$ . We can rewrite the summation as: $V_{i} (g) = (z, x, y) \in N \sum eq (g, z) \cdot add (z, x, y) \cdot [V_{j} (x) + V_{k} (y)]$

Mul Gate

Multiplication gate is nearly identical to addition gate. For mul gate, we have the binary wiring indicator predicate: $mul (z, x, y) : {0, 1}^{s_{i}} \times {0, 1}^{s_{j}} \times {0, 1}^{s_{k}} \mapsto {0, 1} where mul (z, x, y) = {10 if V_{i} (z) = V_{j} (x) \cdot V_{k} (y) otherwise$ Here, we have that $mul (z, x, y) = 1$ if and only if the the $z$ 'th value in the $i$ 'th layer equals the product of the $x$ 'th value in the $j$ 'th layer with the $y$ 'th value in the $k$ 'th layer. The MLE of $mul (z, x, y)$ is identical to that of $add$ : $mul : F^{< 2} [Z_{1}, ..., Z_{s_{i}}, X_{1}, ..., X_{s_{j}}, Y_{1}, ..., Y_{s_{k}}] \mapsto F where mul (g, u, v) = z \in {0, 1}^{s_{i}}, x \in {0, 1}^{s_{j}}, y \in {0, 1}^{s_{k}} \sum eq (g, z) \cdot eq (u, x) \cdot eq (v, y) \cdot mul (z, x, y)$ and the polynomial relationship is defined nearly identically to that of $add$ gate: $V_{i} (g) = x \in {0, 1}^{s_{j}}, y \in {0, 1}^{s_{k}} \sum mul (g, x, y) \cdot [V_{j} (x) \cdot V_{k} (y)]$ Assuming that $x$ gets bound to $u \in F^{s_{j}}$ and $y$ gets bound to $v \in F^{s_{k}}$ during sumcheck, a claim on this layer results in three total claims: one on $mul (g, u, v)$ (which the verifier can check on its own), one on $V_{j} (u)$ , and one on $V_{k} (v)$ .

Example

We start with two "source" MLEs, $V_{j} (x_{0}, x_{1}), V_{k} (y_{0}, y_{1})$ over two variables with four evaluations each, and wish to accumulate (add up) the product of the 0th and 2nd evaluations with that of the 1st and 3rd evaluations, and place this into the 0th evaluation in the resulting MLE. The result should be the MLE representing layer $i$ , i.e. $V_{i} (z_{0}, z_{1})$ , whose evaluations are all zero except for its 0th evaluation.

For example, let's say that the evaluations of $V_{j} (x_{0}, x_{1})$ are $[a, b, c, d]$ and those of $V_{k} (y_{0}, y_{1})$ are $[e, f, g, h]$ . We wish to multiply $a$ and $f$ , and $b$ and $e$ and have those be the zeroth evaluation of the resulting MLE, i.e. $V_{i} (0, 0)$ . We then wish to multiply $c$ and $h$ , and $d$ and $g$ and have those be the first evaluation of the resulting MLE, i.e. $V_{i} (0, 1)$ .

Then our "nonzero gate tuples" are as follows:

$(0, 0; 0, 0; 0, 1)$ : The zeroth value in the $j$ 'th layer multiplied by the first value in the $k$ 'th layer contributes to the zeroth value in the $i$ 'th layer.
$(0, 0; 0, 1; 0, 0)$ : The first value in the $j$ 'th layer multiplied by the zeroth value in the $k$ 'th layer contributes to the zeroth value in the $i$ 'th layer.
$(0, 1; 1, 0; 1, 1)$ : similar reasoning to the above.
$(0, 1; 1, 1; 1, 0)$ : similar reasoning to the above.

For all other binary tuples we have that $add (z, x, y) = 0$ , and our resulting MLE's evaluations should be as follows: $[a * f + b * e, c * h + d * g, 0, 0]$ . Note here for $mul$ that we are able to add multiple products to each output value in the $i$ 'th layer, and that the same is true for both $add$ and $id$ . In other words, we actually have unlimited addition fan-in and degree-2 multiplication fan-in.

Costs

Over here, we go through some of the costs for the prover runtime, proof size, and verifier runtime when performing sumcheck over a mul gate layer (note that costs for add gate are very similar). In order to provide some intuition, we analyze the costs of a particular example, which may not encapsulate the general example for add gate layers.

Let us recall the mul gate sumcheck equation: $V_{i} (g) = x \in {0, 1}^{s_{j}} \sum y \in {0, 1}^{s_{k}} \sum mul (g, x, y) \cdot [V_{j} (x) \cdot V_{k} (y)]$ We can rewrite this as: $V_{i} (g) = z \in {0, 1}^{s_{i}} \sum x \in {0, 1}^{s_{j}} \sum y \in {0, 1}^{s_{k}} \sum eq (g, z) \cdot mul (z, x, y) \cdot [V_{j} (x) \cdot V_{k} (y)]$ As observed in XZZ+19, we only need to sum over the wirings which are non-zero (i.e., there exists a an addition from label $x$ in layer $j$ and label $y$ in layer $k$ to label $z$ in layer $i$ ). Call the set of non-zero wirings as $N$ (we assume that there are at most $N \in O (2^{s_{i}} + 2^{s_{j}} + 2^{s_{k}})$ nonzero mul gate values). We can rewrite the summation as: $V_{i} (g) = (z, x, y) \in N \sum eq (g, z) \cdot [V_{j} (x) \cdot V_{k} (y)]$

The prover cost for sumcheck over a mul gate layer is as follows:

The prover must first compute the evaluations of $\sum_{y, z} eq (g, z) \cdot V_{j} (x) \cdot V_{k} (y)$ for $x$ where $(z, x, y) \in N$ . XZZ+19 splits this pre-processing into two phases (note that proving the $add$ gate layer follows the same strategy). First, we precompute (or stream) the values in $eq (g, z)$ in $O (2^{s_{i}})$ .
Next, we compute the "phase 1" preprocessing, where we sumcheck over the $x$ variables. Here, we can directly evaluate $V_{j} (x)$ while "folding" $eq (g, z) \cdot V_{k} (y)$ by summing over the $y$ variables. Similarly, in the second phase, when we compute sumcheck messages over $y$ and already have evaluations for $V_{k} (y)$ , we can "fold" $eq (g, z) \cdot V_{j} (x)$ by summing over the $x$ variables. Both of these preprocessing steps take $O (N) = O (2^{s_{i}} + 2^{s_{j}} + 2^{s_{k}})$ time.
After preprocessing, the prover must compute sumcheck messages for the above relationship. Similarly to the preprocessing step above, sumcheck is done in two phases. First, the prover binds the $x$ variables, and then it binds the $y$ variables. The degree of each sumcheck message is $d = 2$ , and thus the prover sends $d + 1 = 3$ evaluations per round of sumcheck (this is the same for add gate). Since we are sumchecking over $x \in {0, 1}^{s_{j}}$ and $y \in {0, 1}^{s_{k}}$ , there are $s_{j} + s_{k}$ rounds of sumcheck and thus the prover cost is $d (d + 1) 2^{k}$ for the $k$ 'th round of sumcheck. The total prover sumcheck cost is thus $d (d + 1) (t = 1 \sum s_{j} 2^{t} + t = 1 \sum s_{k} 2^{t}) = d (d + 1) (2^{s_{j} + 1} + 2^{s_{k} + 1}) .$
Letting $d^{2} = 4$ be a constant, the total prover runtime (pre-processing + sumcheck) is $O (2^{s_{i}} + 2^{s_{j}} + 2^{s_{k}}) .$

The proof size for sumcheck over mul gate layer is as follows:

There are $s_{j}$ + $s_{k}$ total sumcheck rounds, each with the prover sending over $3$ evaluations for a quadratic polynomial. The proof size is thus $3 (s_{j} + s_{k})$ field elements, plus $2$ extra for the final claims on $V_{j} (x)$ and $V_{k} (y)$ .

The verifier cost for sumcheck over mul gate layer is as follows:

The verifier receives $s_{j} + s_{k}$ sumcheck messages with $3$ evaluations each, and each round it must evaluate those quadratic polynomials at a random point. Its runtime is thus $O (s_{j} + s_{k})$ with very small constants.

GKR Claims

Claim definition

"Claims" in GKR are statements which the prover has yet to show correctness for. As described earlier, the first step in proving the correctness of a GKR circuit (after sending over all circuit inputs, both public and committed) is to take the circuit's (public) output layer $V_{0}$ and send over all of its evaluations to the verifier.

For example, let's say that we have a circuit whose output layer contains 4 elements, i.e. whose representative MLE can be described by $V_{0} (x_{1}, x_{2}) : F^{2} \mapsto F$ . Additionally, let's say that these evaluations are $[a_{1}, a_{2}, a_{3}, a_{4}]$ , such that

$V_{0} (0, 0) = a_{1} V_{0} (0, 1) = a_{2} V_{0} (1, 0) = a_{3} V_{0} (1, 1) = a_{4}$

These four equalities above are actually the first claims whose validity the prover wishes to demonstrate to the verifier. The verifier doesn't know what the true values of $V_{0}$ are, of course, but would be able to check each of these relationships with the prover's help via sumcheck. This would be rather expensive, however, as the number of claims is exactly equal to the number of circuit outputs/evaluations within the circuit's output layer. Instead, the verifier can sample some randomness and have the prover prove the following:

$Sample r_{1}, r_{2} \leftarrow $ F a^{⋆} = assign (1 - r_{1}) (1 - r_{2}) (a_{1}) + (1 - r_{1}) (r_{2}) (a_{2}) + (r_{1}) (1 - r_{2}) (a_{3}) + (r_{1}) (r_{2}) (a_{4}) Prove V_{0} (r_{1}, r_{2}) = ? a^{⋆}$

Note that the above follows precisely from the definition of a multilinear extension (MLE), and it can indeed be viewed exactly as the evaluation of $V_{0}$ at the random points $r_{1}, r_{2}$ . The protocol takes a slight soundness hit here, as a cheating prover might get away with an incorrect circuit output (say, $V_{0}^{*} \neq = V_{0}$ , but $V_{0}^{*} (r_{1}, r_{2}) = V_{0} (r_{1}, r_{2})$ ), but the probability of such an occurrence is $\frac{1}{∣ F ∣}$ , as non-identical MLEs only intersect at exactly one point via the Schwartz-Zippel lemma.

In general, claims take the following form:

$V_{i} (g_{1}, ..., g_{s_{i}}) = c_{i}$

In other words, the prover wishes to convince the verifier that the evaluation of the MLE representing the $i$ 'th layer at the challenge $g_{1}, ..., g_{s_{i}} \in F^{s_{i}}$ is $c_{i} \in F$ .

Claim Propagation

For another example of claim propagation/reduction, see this section. Note that the below example uses a structured GKR relationship while the other example uses a canonic GKR relationship.

Recall the general sumcheck relationship for a function $f : F^{n} \mapsto F$ ; the prover claims that the following relationship is true for $H \in F$ :

$H = b_{1}, ..., b_{n} \in {0, 1}^{n} \sum f (b_{0}, ..., b_{n})$

Assuming that $b_{1}, ..., b_{n}$ are bound to $r_{1}, ..., r_{n} \in F$ during the sumcheck process, the final verifier check within sumcheck is the following, where the RHS must be an "oracle query", i.e. the verifier must know that the evaluation of $f$ on $r_{1}, ..., r_{n}$ is correct:

$f_{n} (r_{n}) = ? f (r_{1}, ..., r_{n})$

How does this oracle query actually get evaluated in GKR? The answer is claims and sumcheck over claims for a previous layer. Specifically, let's consider the following relationship (see structured GKR section for more information about the $eq$ polynomial and this kind of layerwise relationship):

$V_{i + 1} (X_{1}, ..., X_{n}) = b_{1}, ..., b_{n} \sum eq (X_{1}, ..., X_{n}; b_{1}, ..., b_{n}) \cdot V_{i} (b_{1}, ..., b_{n})^{2}$

This is the polynomial relationship between layer $i$ and layer $i + 1$ of a circuit where the $i + 1$ 'th layer's values are exactly those of the $i$ 'th layer's values squared. For example, if the evaluations of $V_{i}$ are $[a_{1}, a_{2}, a_{3}, a_{4}]$ then we expect the evaluations of $V_{i + 1}$ to be $[a_{1}^{2}, a_{2}^{2}, a_{3}^{2}, a_{4}^{2}]$ .

The prover starts with a claim

$V_{i} (g_{1}, ..., g_{n}) = c_{i}$

for $g_{1}, ..., g_{n}, c_{i} \in F$ , and wishes to prove it to the verifier. It does so by running sumcheck on the RHS of the above equation, i.e.

$c_{i} = ? b_{1}, ..., b_{n} \sum eq (g_{1}, ..., g_{n}; b_{1}, ..., b_{n}) \cdot V_{i + 1} (b_{1}, ..., b_{n})^{2}$

Let $b_{1}, ..., b_{n}$ be bound to $r_{1}, ..., r_{n} \in F$ during the rounds of sumcheck. Additionally, let $f_{n} (X_{n})$ be the univariate polynomial the prover sends in the $n$ 'th round of sumcheck. The oracle query check is then

$f_{n} (r_{n}) = ? eq (g_{1}, ..., g_{n}; r_{1}, ..., r_{n}) \cdot V_{i + 1} (r_{1}, ..., r_{n})^{2}$

The verifier is able to compute $eq (g_{1}, ..., g_{n}; r_{1}, ..., r_{n})$ on its own in $O (n)$ time, but unless $V_{i + 1}$ is an MLE within an input layer of the GKR circuit, they will not be able to determine the value of $V_{i + 1} (r_{1}, ..., r_{n})$ . Instead, the prover sends over a new claimed value $c_{i + 1} = ? V_{i + 1} (r_{1}, ..., r_{n})$ , and the verifier checks that

$f_{n} (r_{n}) = ? eq (g_{1}, ..., g_{n}; r_{1}, ..., r_{n}) \cdot c_{i + 1}^{2}$

The only thing left to check is whether $V_{i + 1} (r_{1}, ..., r_{n}) = ? c_{i + 1}$ . Notice, however, that this now a new claim on an MLE residing in layer $i + 1$ , and that we started with a claim on layer $i$ . In other words, we've reduced the validity of a claim on layer $i + 1$ to that of a claim on layer $i$ , which is the core idea behind GKR: start with claims on circuit output layers, and reduce those using sumcheck to claims on earlier layers of the circuit. Eventually all remaining claims will be those on circuit input layers, which can be directly checked via either a direct verifier MLE evaluation for public input layers, or a PCS evaluation proof for committed input layers.

Claim Aggregation

In the above example, we reduced a single claim on layer $i$ to claim(s) on MLEs residing in previous layers. What happens when there are multiple claims on the same layer, e.g.

$V_{i} (g_{1}^{(1)}, ..., g_{n}^{(1)}) = ? c_{i}^{(1)} V_{i} (g_{1}^{(2)}, ..., g_{n}^{(2)}) = ? c_{i}^{(2)} ⋮ V_{i} (g_{1}^{(m)}, ..., g_{n}^{(m)}) = ? c_{i}^{(m)}$

One method would be to simply run sumcheck $m$ times, once for each of the above claims, and reduce to $\geq 2 m$ separate claims on MLEs residing in previous layers. This strategy, however, leads to an exponential number of claims in the depth of the circuit, which is undesirable.

Instead, Remainder implements two primary modes of claim aggregation, i.e. methods for using a single sumcheck to prove the validity of many claims on the same MLE.

RLC (Random Linear Combination) Claim Aggregation

Additional reading: See XZZ+19, page 10 ("Combining two claims: random linear combination").

The idea behind RLC claim aggregation is precisely what it sounds like: the prover shows that a random linear combination of the claimed values indeed equals the corresponding random linear combination of the summations on the RHS of e.g. the third equation in the above section. The implementation of RLC claim aggregation within Remainder works for structured layers and gate layers, but not for matrix multiplication layers or input layers (as explained below).

We defer to the corresponding pages for more detailed explanations of the layerwise relationships, but review their form factors here and show how RLC claim aggregation can be done for each here.

Structured Layers

We start with structured layers, and use the same example relationship from above:

$V_{i} (X_{1}, ..., X_{n}) = b_{1}, ..., b_{n} \sum eq (X_{1}, ..., X_{n}; b_{1}, ..., b_{n}) \cdot V_{i + 1} (b_{1}, ..., b_{n})^{2}$

For simplicity, we aggregate two claims rather than $m$ claims, but the methodology generalizes in a straightforward fashion. Our aggregated claim is constructed as follows:

$Sample α \leftarrow $ F Let c_{i}^{⋆} = c_{i}^{(1)} + α \cdot c_{i}^{(2)}$

Similarly, we take an RLC of the summations and create a new summation to sumcheck over (we let $b = b_{1}, ..., b_{n}$ and $g^{(j)} = g_{1}^{(j)}, ..., g_{n}^{(j)}$ for concision):

$c_{i}^{⋆} = ? b_{1}, ..., b_{n} \sum eq (g^{(1)}; b) \cdot V_{i} (b) + α \cdot b_{1}, ..., b_{n} \sum eq (g^{(2)}; b) \cdot V_{i + 1} (b)^{2} = b_{1}, ..., b_{n} \sum [eq (g^{(1)}; b) + α \cdot eq (g^{(2)}; b)] \cdot V_{i + 1} (b)^{2}$

For structured layers, in other words, the prover and verifier simply take a random linear combination of the claims and perform sumcheck over a polynomial which is identical to the original layerwise relationship polynomial but with the $eq$ term replaced with an RLC of $eq$ terms in the same manner as the RLC of the original claims.

Gate Layers

A similar idea applies to gate layers. We use mul gate as the example layerwise relationship here:

$V_{i} (Z_{1}, ..., Z_{s_{i}}) = x \in {0, 1}^{s_{j}}, y \in {0, 1}^{s_{k}} \sum mul (Z, x, y) \cdot [V_{j} (x) * V_{k} (y)]$

Again, we aggregate just two claims for simplicity, although the idea generalizes very naturally to $m$ claims:

$Sample α \leftarrow $ F Let c_{i}^{⋆} = c_{i}^{(1)} + α \cdot c_{i}^{(2)}$

The polynomial relationship to run sumcheck over is constructed using a similar idea as that of structured layers:

$c_{i}^{⋆} = ? x \in {0, 1}^{s_{j}}, y \in {0, 1}^{s_{k}} \sum mul_{i, j, k} (g^{(1)}, x, y) \cdot V_{j} (x) \cdot V_{k} (y) + α \cdot x \in {0, 1}^{s_{j}}, y \in {0, 1}^{s_{k}} \sum mul_{i, j, k} (g^{(2)}, x, y) \cdot V_{j} (x) \cdot V_{k} (y) = x \in {0, 1}^{s_{j}}, y \in {0, 1}^{s_{k}} \sum [mul_{i, j, k} (g^{(1)}, x, y) + α \cdot mul_{i, j, k} (g^{(2)}, x, y)] \cdot [V_{i} (x) \cdot V_{i} (y)]$

Rather than taking a linear combination of the $eq$ polynomials, we instead take a linear combination of the $mul_{i, j, k}$ polynomials.

Costs

The prover costs for RLC claim aggregation are as follows -- assume that we are working with a structured layer (the analysis is similar for gate layers) and that the degree of every sumcheck variable is $d$ (in the above example for a structured layer, $d = 3$ ). Additionally, assume that we have $m$ claims over a layer with $n$ variables.

As shown above, RLC claim aggregation for structured layers simply involves "factoring out" the $eq$ term between each of the $g^{(i)}$ 's and the $b$ 's. Rather than multiplying the structured polynomial relationship by a single $eq$ , we multiply by an RLC of $m$ $eq$ terms.
For each additional $eq$ term, the prover incurs an additional $d + 1$ evaluations worth of work (across a single sumcheck round). Evaluating $eq$ can be done in $O (2^{j})$ time by the prover for $j$ variables, and thus the total cost (for $m$ claims) is $m \cdot (d + 1) \cdot j = 1 \sum n 2^{j}$
across all rounds of sumcheck. The total prover runtime is thus $O (m \cdot d \cdot 2^{n + 1})$ .

The proof size is identical to that of the single-claim sumcheck case, since the degree of the sumcheck messages do not change.

Finally, the verifier cost is slightly increased. Specifically, during intermediate rounds of sumcheck the verifier does not do any additional work (compared to the single-claim sumcheck case), but during the oracle query the verifier must evaluate $m$ separate instances of $eq$ at fixed points. This takes the verifier $O (mn)$ additional time.

Matrix Multiplication Layers (counterexample)

Prerequisite: matrix multiplication layers page.

For matrix multiplication layers: consider $A B = ? C$ , and consider the sumcheck relationship $C (X, Z) = ? \sum_{y \in {0, 1}^{j}} A (X, y) \cdot B (y, Z)$ .

In matrix multiplication layers, the claim is always of the form $C (g_{X}, g_{Z}) = ? c$ , and the prover proceeds by first binding $A (g_{X}, Y)$ and $B (Y, g_{Z})$ before showing that $c = \sum_{y \in {0, 1}^{j}} A (g_{X}, y) \cdot B (y, g_{Z})$ . In the RLC claim aggregation case, we have claims $C (g_{X}, g_{Z}) = ? c C (g_{X}^{'}, g_{Z}^{'}) = ? c^{'}$ Where $g_{X} \neq = g_{X}^{'}$ and $g_{Z} \neq = g_{Z}^{'}$ (otherwise they would be claims from the same "source" layer and would therefore be identical). The verifier samples random challenge $α \leftarrow $ F$ . In this case, our sumcheck relationship is the following: $c + α c^{'} = ? y \in {0, 1}^{j} \sum A (g_{X}, y) \cdot B (y, g_{Z}) + α [A (g_{X}^{'}, y) \cdot B (y, g_{Z}^{'})]$ Because $g_{X} \neq = g_{X}^{'}$ and $g_{Z} \neq = g_{Z}^{'}$ , there is no way to factor the above expression's RHS to combine terms in any way, and thus RLC claim aggregation is equivalent to not aggregating claims at all and simply running two separate sumchecks on $c = ? y \in {0, 1}^{j} \sum A (g_{X}, y) \cdot B (y, g_{Z}) c^{'} = ? y \in {0, 1}^{j} \sum A (g_{X}^{'}, y) \cdot B (y, g_{Z}^{'})$

Input Layers (counterexample)

For input layers: RLC claim aggregation combines claims $V_{d} (g_{1}, ..., g_{n}) = ? c_{d} V_{d} (g_{1}^{'}, ..., g_{n}^{'}) = ? c_{d}^{'}$ into a single claimed statement $V_{d} (g_{1}, ..., g_{n}) + α V_{d} (g_{1}^{'}, ..., g_{n}^{'}) = ? c_{d} + α \cdot c_{d}^{'}$ For public inputs, the verifier must evaluate each of $V_{d} (g_{1}, ..., g_{n})$ and $V_{d} (g_{1}^{'}, ..., g_{n}^{'})$ on their own, and thus nothing is gained by the combination.

For committed inputs, a polynomial commitment scheme may allow for cheaper evaluation proofs in the above form (vs. two separate evaluation proofs; one for each claim), but this is generally not the case.

Interpolative Claim Aggregation

Additional reading: See Tha13, page 15 ("reducing to verification of a single point"), for another description of the protocol, and Mod24, page 15 (Section 3.4, "Claim aggregation"), for a thorough description + optimization.

Interpolative claim aggreation works by having the prover and verifier both compute an interpolating polynomial $ℓ : F \mapsto F^{n}$ , such that for the claims described earlier, i.e.

$V_{i} (g_{1}^{(1)}, ..., g_{n}^{(1)}) = ? c_{i}^{(1)} V_{i} (g_{1}^{(2)}, ..., g_{n}^{(2)}) = ? c_{i}^{(2)} ⋮ V_{i} (g_{1}^{(m)}, ..., g_{n}^{(m)}) = ? c_{i}^{(m)}$

we have that

$ℓ (1) = g_{1}^{(1)}, ..., g_{n}^{(1)} ℓ (2) = g_{1}^{(2)}, ..., g_{n}^{(2)} ⋮ ℓ (m) = g_{1}^{(m)}, ..., g_{n}^{(m)}$

Note that the degree of $ℓ$ is $m - 1$ , as there are $m$ points for each of the $n$ coordinates which must be interpolated.

The prover then sends over the polynomial $V_{i} \circ ℓ : F \mapsto F$ , i.e. the restriction of $V_{i}$ to points in $F^{n}$ generated by $ℓ$ . Note that the degree of $V_{i} \circ ℓ$ is $(m - 1) \cdot n$ , as $V_{i}$ is multilinear in each of its variables, and each of those variables is degree at most $m - 1$ in the input variable $X$ for $(V_{i} \circ ℓ) (X)$ .

The verifier samples $r^{⋆} \leftarrow $ F$ and sends it to the prover. The prover and verifier both compute $ℓ (r^{⋆}) = r_{1}^{⋆}, ..., r_{n}^{⋆}$ , and the prover proves the single claim

$V_{i} (r_{1}^{⋆}, ..., r_{n}^{⋆}) = ? (V_{i} \circ ℓ) (r^{⋆})$

where $V_{i} \circ ℓ$ was sent by the prover and the verifier evaluates it at $r^{⋆}$ on its own.

Costs

The prover cost for interpolative claim aggregation is as follows:

Given $m$ claims with $n$ variables each, $ℓ$ is a $m - 1$ -degree function in each of its components, and since $V_{i}$ is multilinear in each of its $n$ variables, $V_{i} \circ ℓ$ is a univariate polynomial with degree $n (m - 1)$ . The prover must send $n (m - 1) + 1$ evaluations to the verifier, although the first $m$ have already been sent implicitly in the form of the $m$ claims.
The prover thus must evaluate $V_{i} \circ ℓ$ at $n (m - 1) + 1 - m = (n - 1) (m - 1)$ points. Each evaluation requires the prover to evaluate $ℓ$ in $O (mn)$ time, and then $V_{i}$ in $O (2^{n})$ time. The prover's total runtime is thus $O ((n - 1) (m - 1) \cdot (mn + 2^{n})) = O (mn 2^{n})$ .

The proof size for interpolative claim aggregation is as follows:

As reasoned earlier in the prover cost section, the prover sends over $(n - 1) (m - 1)$ evaluations of $V_{i} \circ ℓ$ . The proof size is thus $O (mn)$ field elements.

The verifier runtime for interpolative claim aggregation is as follows:

The verifier receives evaluations of $V_{i} \circ ℓ$ from the prover and evaluates it at a random point $r^{⋆}$ . This takes $O (mn)$ time. Additionally, the verifier evaluates $ℓ (r^{⋆})$ , which takes $O (mn)$ time as well. The verifier's total runtime is thus $O (mn)$ .

Optimizations

Remainder has a few built-in optimizations for interpolative claim aggregation which substantially lower the prover costs for claims with "structure" within their evaluation points. For more details, see Mod24, page 15 (Claim Aggregation section).

Matrix Multiplication Layer

A GKR "matrix multiplication" layer is one which takes as input two MLEs $A, B$ and outputs a single MLE $C$ whose evaluations are the flattened matrix multiplication of the evaluations of $A$ and $B$ .

Canonic matrix multiplication is defined as the following, given matrices $A \in F^{M \times L}, B \in F^{L \times N}$ resulting in $C \in F^{M \times N}$ :

$C_{i, k} = j = 0 \sum L - 1 A_{i, j} \cdot B_{j, k}$

where the above holds for $0 \leq i < M$ , $0 \leq k < N$ . We instead consider the multilinear extensions of the above matrices, such that

$A : F^{< 2} [X_{0}, ..., X_{m - 1}, Y_{0}, ..., Y_{ℓ - 1}]$
$B : F^{< 2} [Y_{0}, ..., Y_{ℓ - 1}, Z_{0}, ..., Z_{n - 1}]$
$C : F^{< 2} [X_{0}, ..., X_{m - 1}, Z_{0}, ..., Z_{n - 1}]$

where $m = lo g_{2} (M), ℓ = lo g_{2} (L), n = lo g_{2} (N)$ . Then for all $X \in {0, 1}^{m}$ and $Z \in {0, 1}^{n}$ we have

$C (X, Z) = Y \in {0, 1}^{ℓ} \sum A (X, Y) \cdot B (Y, Z)$

(Note that the above is also necessarily true for general $X \in F^{m}, Z \in F^{n}$ , as multilinear extensions are uniquely defined by their evaluations over the boolean hypercube.) We wish to prove this relationship to the verifier using sumcheck. We can do this using Schwarz-Zippel against $C$ as follows: rather than checking the above relationship for all $X \in {0, 1}^{m}, Z \in {0, 1}^{n}$ , the verifier can sample challenges $r_{X} \leftarrow $ F^{m}, r_{Z} \leftarrow $ F^{n}$ and instead check the following relationship:

$C (r_{X}, r_{Z}) = Y \in {0, 1}^{ℓ} \sum A (r_{X}, Y) \cdot B (Y, r_{Z})$

This is a sumcheck over just $ℓ$ variables, and yields two claims (assume that $Y$ is bound to $r_{Y} \leftarrow $ F^{ℓ}$ during sumcheck) –

$A (r_{X}, r_{Y}) = ? c_{A}$
$B (r_{Y}, r_{Z}) = ? c_{B}$

Costs

The prover cost for sumcheck over matrix multiplication is as follows:

The prover must first compute the evaluations of $A (r_{X}, Y)$ and $B (Y, r_{Z})$ for $Y \in {0, 1}^{ℓ}$ . It already has the evaluations of $A (X, Y)$ and $B (Y, Z)$ , and thus this preprocessing step takes $O (M L) + O (L N) = O (L (M + N))$ .
Next, the prover must compute sumcheck messages for the above relationship. The degree of each sumcheck message is $d = 2$ , and thus the prover sends $d + 1 = 3$ evaluations per round of sumcheck. Since we are sumchecking over $Y \in {0, 1}^{ℓ}$ , there are $ℓ$ rounds of sumcheck and thus the prover cost is $d (d + 1) 2^{j}$ for the $j$ 'th round of sumcheck. The total prover sumcheck cost is thus $d (d + 1) j = 1 \sum ℓ 2^{j} = d (d + 1) 2^{ℓ + 1}$
The prover's total cost (preprocessing + sumcheck) is $O (L (M + N + d^{2}))$ . Letting $d^{2} = 4$ be a constant and allowing square matrices with $M = N = L$ , the prover's total cost is $O (N^{2})$ , which is asymptotically optimal for matrix multiplication.

The proof size for sumcheck over matrix multiplication is as follows:

There are $ℓ$ total sumcheck rounds, each with the prover sending over $3$ evaluations for a quadratic polynomial. The proof size is thus $3 ℓ$ field elements, plus $2$ extra for the final claims on $A$ and $B$ .

The verifier cost for sumcheck over matrix multiplication is as follows:

The verifier receives $ℓ$ sumcheck messages with $3$ evaluations each, and each round it must evaluate those quadratic polynomials at a random point. Its runtime is thus $O (ℓ)$ with very small constants.

GKR Input Layer

We have now seen that a GKR interactive proof begins with the prover making a claim $V_{0} (r_{1}^{(0)}, ..., r_{n}^{(0)}) = c_{0}$ on the layered circuit's output layer $V_{0}$ and reducing this claim via sumcheck and claim aggregation to claims on layers closer to the circuit's input layer, e.g. $V_{1} (r_{1}^{(1)}, ..., r_{n}^{(1)}) = c_{1}$ .

At the end of this process, we should be left with only claims on input layer(s), e.g.

$V_{d} (r_{1}^{(d, 1)}, ..., r_{n}^{(d, 1)}) = c_{d}^{(1)} V_{d} (r_{1}^{(d, 2)}, ..., r_{n}^{(d, 2)}) = c_{d}^{(2)} ⋮ V_{d} (r_{1}^{(d, m)}, ..., r_{n}^{(d, m)}) = c_{d}^{(m)}$

These claims are optionally aggregated via interpolative claim aggregation (note that RLC claim aggregation does not work for input layer claims; see here for more details) into a single claim

$V_{d} (r_{1}^{⋆}, ..., r_{n}^{⋆}) = c_{d}^{⋆}$

which the verifier must check on its own, optionally with help from the prover. There are several types of input layers, and we describe the methodology for each.

Public Inputs

Public input layers are circuit inputs where the prover sends the values to the verifier in the clear. In particular, this means that the verifier knows the full set of evaluations of $V_{d}$ over ${0, 1}^{n}$ and can evaluate the MLE on its own. Thus:

Before the prover generates the output layer claim challenges ( $r_{1}^{(0)}, ..., r_{n}^{(0)}$ above), they send these evaluations to the verifier by absorbing them into the transcript.
When the verifier is ready to check the claim $V_{d} (r_{1}^{⋆}, ..., r_{n}^{⋆}) = c_{d}^{⋆}$ , they use the aforementioned evaluations to directly evaluate $V_{d}$ at $r_{1}^{⋆}, ..., r_{n}^{⋆}$ and check that the evaluation is indeed the claimed $c_{d}^{⋆}$ .

Committed Inputs

Committed input layers are circuit inputs where the prover sends a commitment to the values (generally as a polynomial commitment). Committed inputs are not directly revealed to the verifier (although they may leak information unless a zero-knowledge polynomial commitment scheme, like Hyrax, is used), and thus the prover must additionally help the verifier when they wish to check the input claim $V_{d} (r_{1}^{⋆}, ..., r_{n}^{⋆}) = c_{d}^{⋆}$ by providing an evaluation proof, which roughly shows that the polynomial which the prover committed to earlier actually evaluates to $c_{d}^{⋆}$ at the evaluation point $r_{1}^{⋆}, ..., r_{n}^{⋆}$ .

(See KZG10, page 6, and Tha24, page 188 for more details). Let $λ \in N$ be the security parameter. Let $V_{d} \in F^{< 2} [X_{1}, ..., X_{n}]$ be the MLE which the prover wishes to commit to. Let $r_{1}^{⋆}, ..., r_{n}^{⋆} \in F^{n}$ be the evaluation point, and let $c_{d}^{⋆}$ be the claimed value. Roughly speaking, a polynomial commitment scheme (PCS) consists of the following four functions:

$KeyGen : λ \mapsto {ck, vk}$ . $ck$ here is the commitment key which the prover has access to while committing and generating evaluation proofs, and $vk$ here is the verification key which the verifier has access to while checking an evaluation proof. This function takes in a single security parameter $λ$ such that the resulting commitment scheme has roughly $λ$ bits of soundness.
$Commit : ck, V_{d} \mapsto com$ . The $Commit$ function takes in an MLE (for our purposes; in general this can be a univariate or multivariate polynomial of higher degree) and generates a commitment to be sent to the verifier.
$Eval : ck, com, r_{1}^{⋆}, ..., r_{n}^{⋆}, c_{d}^{⋆} \mapsto π$ . The $Eval$ function takes in an evaluation point $r_{1}^{⋆}, ..., r_{n}^{⋆} \in F^{n}$ and produces an evaluation proof $π$ that the original polynomial which was committed to in $com$ actually evaluates to $c_{d}^{⋆}$ . Note that the verifier uses $vk$ to check the evaluation proof $π$ .
$Open : com, f \in F^{< 2} [X_{1}, ..., X_{n}] \mapsto {0, 1}$ . The $Open$ function takes in a commitment and an MLE $f$ and outputs whether that MLE is the one committed to by $com$ , i.e. whether $f = V_{d}$ .

In addition to the above, a commitment scheme must satisfy hiding and evaluation binding.

Hiding implies that given a commitment $com$ and fewer than $2^{n}$ evaluation pairs, an adversary cannot determine the evaluation $V_{d} (h_{1}, ..., h_{n})$ for a point $h_{1}, ..., h_{d}$ not in the set of evaluation pairs.
Evaluation binding implies that given an evaluation point $r_{1}^{⋆}, ..., r_{n}^{⋆}$ and a claimed value $c_{d}^{⋆} \neq = V_{d} (r_{1}^{⋆}, ..., r_{n}^{⋆})$ , a prover should be able to produce an accepting evaluation proof $π$ for generated $com$ with negligible probability.

In general, we run $KeyGen$ once and distribute the resulting $ck, vk$ to the prover and verifier, and focus on the $Commit$ and $Eval$ functions. During the interactive GKR protocol, the prover and verifier do the following:

The prover invokes the $Commit$ functionality on $V_{d}$ and sends the resulting $com$ to the verifier. They send this value to the verifier before any claims on output layers (including challenges) are generated. Note that this takes the place of the prover sending the evaluations of $V_{d}$ in the public inputs section above.
After the prover has sent all circuit inputs to the verifier in either committed or direct evaluation form, the verifier generates the output claim challenges and the prover and verifier engage in the GKR claim reduction protocols until we're left with a single claim $V_{d} (r_{1}^{⋆}, ..., r_{n}^{⋆}) = c_{d}^{⋆}$ .
The prover then invokes the $Eval$ functionality on $com$ and the aforementioned $r_{1}^{⋆}, ..., r_{n}^{⋆}, c_{d}^{⋆}$ values to produce evaluation proof $π$ , which the verifier receives and checks.

Remainder's GKR prover uses a non-ZK version of the PCS implicit in AHIV17 (also explicitly described in the GLS+21 paper as Shockwave), which we briefly detail in our documentation's Ligero PCS page. Remainder's Hyrax prover uses the ZK PCS explicitly described within WTS+17, which we briefly detail in our documentation's Hyrax PCS page.

"Fiat-Shamir" Inputs

A third type of circuit "input" is that of a "Fiat-Shamir" challenge value. These inputs are different from the others in the sense that the prover does not supply them at all, but rather the (interactive) verifier sends them after the prover has committed to all other input values. These values are used when the circuit itself is computing a function which requires a random challenge (see LogUp, e.g., for one usage of such challenges). In general, claims on these layers are checked via the following:

First, as mentioned, the (interactive) prover sends all other inputs (both public and committed) to the verifier.
Next, the verifier sends random values (we can view these as the evaluations of $V_{d}$ over ${0, 1}^{n}$ ) to the prover as challenge values.
When the verifier needs to check a claim $V_{d} (r_{1}^{⋆}, ..., r_{n}^{⋆}) = c_{d}^{⋆}$ on the Fiat-Shamir input layer, it can do so by simply referencing the evaluations it generated earlier to evaluate $V_{d}$ at $r_{1}^{⋆}, ..., r_{n}^{⋆}$ and ensure that the evaluation is actually $c_{d}^{⋆}$ , exactly as is the case for public inputs.

Ligero Polynomial Commitment Scheme

References: GLS+21, page 46, AER24.

Prerequisites

Committed input layers

As described within the committed input layers section, the Ligero polynomial commitment scheme (PCS) consists of a $Commit$ and an $Eval$ phase such that

During $Commit$ , the prover sends a commitment $co m$ for the input layer MLE $V_{d}$ .
After running the rest of the GKR claim reduction process, we are left with a claim $V_{d} (r_{1}, ..., r_{n}) = ? c_{d}$ .
During $Eval$ , the prover sends an evaluation proof $π$ showing that $V_{d} (r_{1}, ..., r_{n}) = c_{d}$ .

Short Introduction to Reed-Solomon Codes

We provide a brief introduction to Reed-Solomon codes, as these are prominently featured within the Ligero construction. First, we describe a few properties of general linear codes which will be useful:

An $[n, k, l]_{p}$ -linear code $C$ is a subspace $C \subseteq F^{n}$ of dimension $k$ (i.e. $C$ is spanned by $k$ linearly independent basis vectors of length $n$ each) where $u \in C$ implies that $∣ u ∣_{0} \geq l$ for all nonzero codewords $u$ .
We define the Hamming weight $∣ u ∣_{0}$ is the number of nonzero entries in $u$ .
For all distinct $u \neq = v \in C$ we have that $∣ u - v ∣_{0} \geq l$ , since the difference of two codewords is itself a codeword.
The encoding step of a linear code can be described by a matrix-vector multiplication $G x$ , where $x \in F^{k}$ is the unencoded message and $G \in F^{n \times k}$ is the code's generator matrix. For simplicity we will just use $Enc$ as the encode function notation.
We call $ρ = \frac{k}{n}$ the rate of the code, as it describes (the inverse of) how much redundancy the code has. $ρ^{- 1} = \frac{n}{k}$ is then the "expansion factor", or how much larger the codeword is than the original message.

Next, consider the set of (univariate) polynomials $F^{< d} [X]$ of degree $< d$ and a domain $L \subseteq F$ . Let $f \in F^{d}$ .

Let $\overset{ˉ}{f}$ be the restriction of $f$ to $L \mapsto F$ . Note that $\overset{ˉ}{f}$ can be treated as just a vector of length $∣ L ∣$ by taking its evaluations ${f (x_{1}), f (x_{2}), ..., f (x_{n}) ∣ x_{i} \in L}$ .
We define a Reed-Solomon code $RS [F, L, d] = {\overset{ˉ}{f} : L \mapsto F ∣ f \in F^{< d} [X]}$ , i.e. all the restrictions of $f$ to evaluations over $L$ for degree $< d$ functions $f$ .
If we let $d < ∣ L ∣$ and call the evaluation domain size $n$ , then an RS code is just an $[n, d, l = (n - d + 1)]_{p}$ linear code (codewords are the evaluations of $f$ over $L$ , and the un-encoded messages are just polynomials of degree $< d$ , which can be specified with $d$ coefficients).
Note that two polynomials of degree $\leq d - 1$ agree on at most $d - 1$ points, and thus the Hamming distance between codewords is $n - (d - 1) = n - d + 1$ .

The last property of Reed-Solomon codes is extremely useful for the purposes of code-based PCSs such as Ligero and FRI -- if we have that $n = 2 d$ , for example, then for two polynomials $f, g \in F^{< d} [X]$ where $f \neq = g$ we have that $∣ Enc (f) - Enc (g) ∣_{0} \geq d + 1$ , which is over half of the evaluation domain. This intuitively makes it very easy for a verifier to catch a prover who commits to one polynomial's codeword and attempts to evaluate using another's, since sampling even a single random point within $L$ will reveal the difference with probability $> \frac{1}{2}$ .

Vector-Matrix-Vector Product Observation

(Reader's note: the construction described here is identical to that in the Hyrax PCS section.) Let our input layer MLE $V_{d} (X_{1}, ..., X_{n})$ have evaluations $a_{1}, ..., a_{2^{n}}$ over $X_{1}, ..., X_{n} \in {0, 1}^{n}$ (for example, $a_{1} = V_{d} (0, ..., 0)$ ).

As described in the introduction above, the prover is trying to show that $V_{d} (r_{1}, ..., r_{n}) = c_{d}$ . As described in the Hyrax PCS section, one way to compute the evaluation is as follows:

$[a_{1} a_{2} \dots a_{2^{n}}] \cdot (1 - r_{1}) \cdot (1 - r_{2}) \cdot ... \cdot (1 - r_{n}) (1 - r_{1}) \cdot (1 - r_{2}) \cdot ... \cdot r_{n} ⋮ r_{1} \cdot r_{2} \cdot ... \cdot r_{n}$

The column vector on the right can be viewed as the tensor product $\otimes_{i = 1}^{n} (1 - r_{i}, r_{i})$ and we will use this shorthand going forward. Just this observation, however, is not enough to motivate our description of Ligero PCS. Instead, we consider an alternative formulation for the evaluation $V_{d} (r_{1}, ..., r_{n})$ .

Rather than simply linearly arranging the coefficients of $V_{d}$ as above, we can instead arrange them in a square matrix (for now, assume that $n$ is even) of size $2^{n /2} \times 2^{n /2}$ by enumerating the coefficients in row-major order:

$M = a_{1} a_{2^{n /2} + 1} ⋮ a_{2^{n} - 2^{n /2}} a_{2} a_{2^{n /2} + 2} ⋮ a_{2^{n} - 2^{n /2} + 1} \dots \dots ⋱ \dots a_{2^{n /2}} a_{2^{n /2 + 1}} ⋮ a_{2^{n}}$

Given the matrix formulation of $V_{d}$ above, we can write the evaluation of $V_{d} (r_{1}, \dots, r_{n})$ as the following vector-matrix-vector product:

$[\otimes_{i = n /2 + 1}^{n} (1 - r_{i}, r_{i})] \cdot a_{1} a_{2^{n /2} + 1} ⋮ a_{2^{n} - 2^{n /2} + 1} a_{2} a_{2^{n /2} + 2} ⋮ a_{2^{n} - 2^{n /2} + 2} \dots \dots ⋱ \dots a_{2^{n /2}} a_{2^{n /2 + 1}} ⋮ a_{2^{n}} \cdot [\otimes_{i = 1}^{n /2} (1 - r_{i}, r_{i})]^{⊤}$

We denote the left vector as $L \in F^{2^{n /2}}$ and the right vector as $R \in F^{2^{n /2}}$ . This allows us to create the following PCS:

Commitment Phase

The commitment phase of Ligero works as follows:

Let $M_{i}$ be the $i$ 'th row of $M$ , $1 \leq i \leq 2^{n /2}$ . Recall that $M_{i} \in F^{2^{n /2}}$ since $M$ is a square matrix.

First, the prover treats the values within $M_{i}$ as the (monomial basis, i.e. usual) coefficients of a degree- $2^{n /2} - 1$ univariate polynomial. They compute $M_{i} = Enc (M_{i})$ using a Reed-Solomon encoding function. Let $ρ$ be the code rate; we then have that $M \in F^{2^{n /2} \times ρ^{- 1} 2^{n /2}}$ .
The encoded matrix now looks like the following: $M = —— Enc (M_{1}) —— —— Enc (M_{2}) —— ⋮ —- Enc (M_{2^{n /2}}) —-$

The prover commits to $M$ as follows:

Using a cryptographic hash function $H : F^{*} \mapsto F$ , the prover first computes a hash over each column:

$com_{j} = H (M_{1, j}, ..., M_{ρ^{- 1} 2^{n /2}, j})$

Next, the prover takes the vector of column-wise commitments and computes a Merkle tree using those commitments as the leaves. In other words, the bottom layer of the tree is $[com_{1}, ..., com_{2^{n /2}}]$ , with pairs of leaves being hashed, and the root of the tree $root_{M} = Merkleize ([com_{1}, ..., com_{2^{n /2}}])$ is the commitment.
The (interactive) prover sends $root$ to the verifier. Note that with this commitment setup, the verifier is able to "open" any column of $M$ and ensure that it is consistent with the commitment $root_{M}$ .

Evaluation Phase

The prover wishes to show that $L \cdot M \cdot R = c_{d}$ . It does so by first computing $L \cdot M \in F^{2^{n /2}}$ and sends this to the (interactive) verifier (note that the prover is sending product of $L$ against the unencoded $M$ ). Since the verifier doesn't (yet) trust this value, we'll denote its view of this prover message as $U = ? L \cdot M$ .

The verifier asserts that $U \cdot R = c_{d}$ . If the prover is honest and $U = L \cdot M$ then this proves that the evaluation was correct.

The verifier then computes $U = Enc (U)$ , with $U \in F^{ρ^{- 1} 2^{n /2}}$ . To ensure that the prover computed $U$ correctly, it will check random values in $U$ against $L \cdot M$ .

Note that because $Enc$ is a linear operation, we have that $Enc (L \cdot M) = L \cdot Enc (M)$ , where $Enc (M)$ is the row-wise encoding as described earlier (check this for yourself -- use the intuition that Reed-Solomon encoding is just polynomial evaluation over a domain)

The verifier picks a set of indices $j \in J$ and "opens" those columns of $M$ . For each $j$ , the prover sends over $M_{\cdot, j}$ , as well as a Merkle path for $com_{j}$ against $root_{M}$ .

The verifier checks that $H (M_{\cdot, j}) = com_{j}$ , and verifies the Merkle path from $com_{j}$ to the $root_{M}$ it received during the commit phase.

The verifier is now convinced that the columns which the prover sent over are columns of the $M$ which was committed to during the commitment phase.

Finally, the verifier checks that $L \cdot M_{\cdot, j} = U_{j}$ . This last check ensures that the prover sent $U$ honestly -- if they attempted to cheat by sending $L \cdot M^{'}$ for some $M^{'} \neq = M$ , we have that each row of $Enc (M)$ would differ from each row of $Enc (M^{'})$ in at least $(1 - ρ)$ proportion of coordinates (as mentioned earlier, we generally have $ρ \leq \frac{1}{2}$ ), and therefore WHP (using a result from AER24), that $U$ (the honest $L \cdot Enc (M)$ ) differs from $\tilde{U^{'}}$ (the dishonest $L \cdot Enc (M^{'})$ ) in at least $(1 - ρ)$ proportion of coordinates as well.

With $∣ J ∣$ queries, the verifier catches a cheating prover at least

$1 - ρ^{∣ J ∣}$

proportion of the time. We set $∣ J ∣$ such that the above probability is at least $1 - 2^{- λ}$ , where $λ$ is our security parameter.

Costs

Assume that the prover is committing to a multilinear polynomial in $n$ variables. Let our code rate be $ρ^{- 1}$ , and assume that a Reed-Solomon encoding for a message with $2^{n /2}$ coefficients to a codeword with $∣ L ∣ = ρ^{- 1} 2^{n /2}$ evaluations can be computed in time $O (∣ L ∣ lo g_{2} ∣ L ∣)$ . Let $J$ be the set of columns we query during the evaluation phase.

Prover Cost

During the commitment phase, the prover first computes the encoded matrix of coefficients $M$ by encoding each row of $M$ . There are $2^{n /2}$ rows and each row's encoding takes $O (∣ L ∣ lo g_{2} ∣ L ∣)$ time for a total runtime of $O (2^{n /2} ∣ L ∣ lo g_{2} ∣ L ∣)$ .
Next, the prover computes hashes of the columns of $M$ , and then constructs a Merkle tree comprised of those for the final commitment. This costs $O (ρ^{- 1} 2^{n} + ρ^{- 1} 2^{n /2})$ hashes.
During the evaluation phase, the prover first computes $L \cdot M$ and sends the result to the verifier. This takes $O (2^{n})$ operations.
Next, the prover sends over $∣ J ∣$ columns plus associated Merkle proofs to the verifier. The prover doesn't need to compute anything here, so this is free for the prover.
Assuming the cost of a single hash is $O (h)$ , the total prover computation is $O (2^{n /2} ∣ L ∣ lo g_{2} ∣ L ∣ + h (ρ^{- 1} 2^{n}) + 2^{n})$

Proof Size

The commitment is a single Merkle root, and is thus just one field element.
The evaluation proof consists of the following for each column $j \in J$ :
- A column of $M$ with $2^{n /2}$ field elements
- A Merkle path with $lo g_{2} ∣ L ∣$ field elements
Thus the total proof size is $1 + ∣ J ∣ \cdot [2^{n /2} + lo g_{2} ∣ L ∣]$ field elements.

Verifier Cost

During the commitment phase, the verifier receives a single Merkle root element and does nothing else.
During the evaluation phase, the verifier first receives the prover's claimed $U = ? L \cdot M$ and computes $U = Enc (U)$ . The encoding step takes $O (∣ L ∣ lo g_{2} ∣ L ∣)$ field operations.
Next, the verifier computes $U \cdot R$ and checks this against the claimed evaluation value. This requires $O (2^{n /2})$ field operations.
Next, the verifier receives $∣ J ∣$ columns of $M$ from the prover. For each column, the verifier must
- Compute a hash over $2^{n /2}$ elements to get the column hash value.
- Check the Merkle proof over a path of length $lo g_{2} ∣ L ∣$ against the root received in the commit phase.
The verifier's runtime for the check phase is $O (∣ J ∣ \cdot [2^{n /2} + lo g_{2} ∣ L ∣])$ hashes.
The verifier's total runtime is $O (∣ L ∣ lo g_{2} ∣ L ∣ + 2^{n /2} + h \cdot ∣ J ∣ \cdot [2^{n /2} + lo g_{2} ∣ L ∣])$

What is a lookup argument?

A lookup argument demonstrates that a given multiset of values (the "witness") contains only values from a prescribed set (the "lookup table").

Common applications of lookup arguments

Lookup arguments find various applications. For example, in a "range check", the values of the witness are constrained to belong to a contiguous range of values. This is useful when a purported digital decomposition in base $B$ is provided to the circuit as input, and it is therefore necessary, in particular, to check that the digits are indeed in the range $0 \dots B - 1$ . The lookup table in this case is just this range.

Another example that occurs in the context of machine learning is checking the computation of an arbitrary function $f$ (e.g. a non-linearity like the sigmoid) in circuit. Conceptually, in this application the lookup table consists of all valid input-output pairs $(x, f (x))$ , and the witness consists of those pairs that are used. Circuits work only with individual field elements, so a random linear combination of the input and output of each input-output pair is formed, i.e. $(x, y) \mapsto x + cy$ where $c$ is a challenge provided by the verifier. When a lookup is used to encode a function in this way, it is referred to as an "indexed lookup" (whereas a range check is an example of an "unindexed lookup").

Naive lookups and their limits

Certain lookups can be implemented in circuit in a direct and elementary fashion. For example, to perform a range check for purported binary digits, it is sufficient to check that the polynomial $b (1 - b)$ vanishes for all the digits. This of course generalizes to higher bases. However, this solution is inefficient for large (e.g. >16) bases. In such cases, and also for typical applications of indexed lookups, a more sophisticated lookup argument is significantly more efficient. To this end, Remainder implements the LogUp lookup argument of Papini and Haböck.

LogUp

(We describe only the outline of LogUp. If interested in further details, see here.)

Let $w$ denote an MLE of witness values (with $M$ variables) and let $t$ denote the MLE of table values (with $N$ values). For example, when performing a range check on purported base 256 digits, the entries of $w$ are the purported digits, while $t$ contains the values 0 .. 255 (and $N = 8$ ). LogUp additionally involves some auxilliary information in the form of the multiplicities $m$ . This MLE has the same length as the table $t$ , and specifies the number of times that each table element occurs in the witness. To continue the example, if $w = 233, 233, 0, 1$ , then $m_{0} = 1, m_{1} = 1, m_{233} = 2$ with all other entries being zero. The multiplicities $m$ , like the table values $t$ , are not computed in circuit, but rather provided as inputs.

LogUp demonstrates that the following equality holds in the field of fractions: $i = 0 \sum 2^{M} - 1 \frac{1}{X - w _{i}} = j = 0 \sum 2^{N} - 1 \frac{m _{j}}{X - t _{j}} .$ Under the assumption that the table values are distinct, this equality is equivalent to the statement: "the entries of $w$ contain only entries of $t$ , and the value $t_{j}$ occurs in $w$ with multiplicity $m_{j}$ ".

This equality can be checked using a specialized GKR circuit that is implemented in Remainder. In addition to $w, t, m$ , this circuit also takes in a challenge provided by the verifier (that is substituted in place of the indeterminate).

Important note on soundness

The implementation of LogUp in Remainder assumes that the field size is significantly larger than the table size and the witness size, and moreover that the witness length is less than the characteristic of the field. These assumptions will always hold for practical tables and witness in the current implementation of Remainder, since it uses the scalar field of the BN254 curve. It should be noted, however, that if Remainder were to be adapted to "small" fields (e.g. 32 bit fields) then soundness problems will arise for large tables and witnesses.

Fiat-Shamir: Creating Non-interactive GKR proofs

As described earlier, both sumcheck and GKR are interactive proofs with many rounds of messages exchanged between a prover and a verifier. However, Remainder is built as a non-interactive proof system, where the transformation we apply is the Fiat-Shamir heuristic, with every prover message being "absorbed" into the state of a hash function with a sponge mode (Poseidon instantiated over the BN-254 scalar field, in our case) and every verifier message being "squeezed" from that same hash sponge.

We note that both sumcheck and GKR have been proven round-by-round sound, i.e. despite being a non-constant-round interactive protocol, can still achieve soundness in the random oracle model when instantiated with a hash function believed to be indistinguishable from a random oracle.

Sponge Functions as Random Oracles

The sponge construction transforms a fixed-length input, fixed-length output permutation function $f$ into a variable-length input, variable-length output function $F$ which can be shown to behave indistinguishably from a random oracle given that the fixed-length permutation function itself is indistinguishable from an ideal random permutation. As mentioned earlier, Remainder uses the Poseidon sponge (i.e. a standard sponge construction instantiated over the Poseidon fixed-length permutation), and since we assume that the Poseidon permutation is indeed indistinguishable from an ideal random permutation, we only require security in the random oracle model.

Fiat-Shamir for Sumcheck

We describe the Fiat-Shamir transformation for the sumcheck sub-protocol as an example. As before, let $H = ? x_{i} \in {0, 1} \sum f (x_{1}, \dots, x_{n})$ be the statement over which we are running sumcheck, i.e. the prover claims that $H$ is the sum for a multi-variate polynomial $f$ , and the verifier wishes to check this. Recall that in the interactive version of sumcheck, the prover first computes the univariate function

$f_{1} (X) = x_{2}, ..., x_{n} \in {0, 1}^{n - 1} \sum f (X, x_{2}, ..., x_{n})$

and sends its coefficients to the verifier. The verifier then samples a random challenge $r_{1} \leftarrow $ F$ and sends this back to the prover. Let $H$ be the sponge function instantiation for the random oracle. The prover instead invokes the following:

$H . absorb (f_{1} (X)) r_{1} \leftarrow H . squeeze ()$

where $absorb$ and $squeeze$ invoke the corresponding sponge functionality over $H$ . The rest of the sumcheck rounds proceed in a similar fashion. In the $i$ 'th round, the prover computes

$f_{i} (X) = x_{i + 1}, ..., x_{n} \in {0, 1}^{n - i - 1} \sum f (r_{1}, ..., r_{i - 1}, X, x_{i + 1}, ..., x_{n})$

and invokes the sponge function via

$H . absorb (f_{i} (X)) r_{i} \leftarrow H . squeeze ()$

after receiving $r_{n}$ , in the interactive version of the protocol the prover would then send the claim $c = ? f (r_{1}, ..., r_{n})$ to the verifier. Instead, we again call $absorb$ on this value:

$H . absorb (c)$

In other words, whenever the prover sends a message to the verifier in the interactive version of the protocol, they instead $absorb$ that message into the sponge function, and whenever the verifier sends a challenge to the prover in the interactive protocol, the prover instead calls $squeeze$ on the sponge function to sample the challenge instead.

Proof/Transcript

Please read the Fiat-Shamir documentation page before this one!

Transcript

A Remainder Transcript consists of all of the explicit sponge function operations which take place during the generation of a non-interactive (GKR) proof. As mentioned in the Fiat-Shamir documentation page, the prover can interact with the sponge function $H$ in two primary ways, exactly corresponding with the interactive version of the protocol:

When the prover would send a message $m$ to the verifier in the interactive version of the protocol, they instead invoke $H . absorb (m)$ .
When the verifier would send a challenge $r_{i}$ to the prover in the interactive version of the protocol, the prover instead invokes $r_{i} \leftarrow H . squeeze ()$ .

Remainder's TranscriptSponge captures exactly these operations. You will generally work with the TranscriptWriter and TranscriptReader structs. The TranscriptWriter is the prover's view of the transcript, and the prover can add Operations to the internal Transcript struct. When the prover is finished appending all of their messages (and squeezing challenges where appropriate) to/from the TranscriptWriter struct, they can then eject the internal Transcript and send this directly to the verifier (e.g. as bytes), as the Transcript includes all of the proof data and can be treated as the GKR proof itself (note that this is slightly different from the structured proof within Hyrax). The verifier can feed this struct into the constructor of a TranscriptReader (again, mostly a convenience wrapper around a Transcript for the verifier to read prover messages from and sample Fiat-Shamir challenges from while maintaining its own hash function's sponge state) and consume the Operations in the same order to perform verification.

Appending Input Elements

See append_input_elements() for more details. There is a special function for appending input elements (i.e. all elements which the prover needs to communicate to the verifier before the first output claim challenge is generated), ProverTranscript::append_input_elements(), which should be called. This function provides some insurance against the attack on non-interactive GKR described in this paper by creating a long hash chain (1000 iterations of SHA-256, specifically) for each input -- in general, this prevents most circuits (due to their limited depth) from being able to generate the hash chain value themselves and thus carry out the attack. In general, however, we emphasize that all circuits used in production should be audited to mitigate such attack potential.

Frontend Components

The basic component of a GKR circuit is a layer. A layer is defined as an MLE plus polynomial relationship which explicitly states how each evaluation of that MLE (over the boolean hypercube) is related to evaluations of MLEs within previous layers.

Remainder Components Overview

The layer types which are supported in GKR are as follows:

"Structured" layers, which define the regular-wiring layerwise relationships described in the "structured GKR" section.
"Gate" layers, which define the arbitrary-wiring layerwise relationships described in the "canonic GKR" section.
"Matmult" layers, which define the matrix multiplication-like layerwise relationships described in the "matmult" section.
"Lookup" layers, which define the lookup (LogUp) arguments described in the "lookup" section.

Additionally, we provide an example of how to compile into a Hyrax-provable circuit rather than a GKR-provable one in this section.

Remainder Circuit Definition

Circuits in Remainder are created via a "compilation" process. In essence:

Circuit writers (that's you!) define the layer types and layer-wise relationships by defining Nodes of the variety as described above.
Circuit writers (still you!) also define the input layers and "shred"s within each input layer for the circuit.
Additionally, each type of Node requires as input references to other Nodes which act as he "source data" for that node's outputs. The data type used in Remainder for storing those references is a NodeRef<F>. The circuit builder returns such references every time a new node is added to the circuit.
Once all of these relationships have been defined, Remainder will compile the set of nodes + source relationships into a layered circuit which can be run and proven/verified. Note that there are a couple of compilation options here, including compiling into the shallowest possible circuit by "combining" layers which are topologically oblivious (i.e. any layerwise ordering is valid).

Sector Layer Frontend Tutorial

To express structured layer-wise relationships in Remainder, we can use a Structured GKR Layer, a.k.a "Sector" layer. A Sector layer is defined through an AbstractExpression<F> type, also simply called "Expression" in this tutorial. Expressions can be built by combining MLEs. To refer to an MLE we use the NodeRef<F> values returned by the circuit builder when the respective MLE was added. MLEs can be combined through overloaded binary operators (currently available are +, -, * for addition, subtraction and multiplication respectively), or using a Selector.

Let's walk through a few examples of the usage of Sector layers using Remainder circuit building interface.

Example 1: Multiplying two MLEs

We start with a simple circuit that multiplies two MLEs element-wise: an MLE $V_{1} (z_{0}, z_{1})$ with evaluations (over the boolean hypercube) $[a, b, c, d]$ with an MLE $V_{2} (z_{0}, z_{1})$ with evaluations $[e, f, g, h]$ , to produce the MLE $V_{3} (z_{0}, z_{1}) = V_{1} (z_{0}, z_{1}) \cdot V_{2} (z_{0}, z_{1})$ with evaluations $[a \cdot e, b \cdot f, c \cdot g, d \cdot h]$ .

To express this in Remainder, we can simply write:

#![allow(unused)]
fn main() {
/* ... define the input layer `input_layer` ... */

// Define the input shreds for `V_1` and `V_2`.
let v1 = builder.add_input_shred("MLE 1", 2, &input_layer);
let v2 = builder.add_input_shred("MLE 2", 2, &input_layer);

// Define the Sector layer that performs the multiplication operation.
let v3 = builder.add_sector(v1 * v2); 
}

In this example the input MLEs to the Sector were input shreds, but in general they can be any node appearing in the circuit. We can, for example, follow the above code segment with:

#![allow(unused)]
fn main() {
let v4 = builder.add_sector(&v3 * &v3);
}

which squares the entries of the MLE $V_{3}$ .

Implmentation Note: The reason we're borrowing v3 is an unfortunate quirk of the way the NodeRef<F> type is implemented. It is a wrapper around a weak pointer, and thus not Copy-able. This means that the multiplication operator will try to take ownership of its two operands, and after the first occurance of v3 has moved, the second one will fail with a compile error. To avoid unneseccary cloning, we provide an implementation of the Mul trait for borrowed operands as well (e.g. &NodeRef<F>) to allow developers to use the succinct borrowed syntax we presented above when there is a need to reuse NodeRef<F>s.

Expressions may be combined into a single Sector layer. For example, previously we expressed the relation $V_{4} (z_{0}, z_{1}) = (V_{1} (z_{0}, z_{1}) * V_{2} (z_{0}, z_{1}))^{2}$ using two layers, but we could have equivalently written:

#![allow(unused)]
fn main() {
let v4 = builder.add_sector( (&v1 * &v2) * (&v1 * &v2) );
}

See run_example_1a() in frontend/examples/sector.rs for the full code of the preceeding examples.

Efficiency Note: It's important to note that the two alternative ways of defining v4 presented above result in different circuits, even though they're semantically equivalent. The circuit's structure (number of layers, expression structure etc.) can affect the prover/verifier runtime. Refer to Section 3: GKR Theory for more information.

What would happen if we tried to multiple two MLEs of different sizes? You might expect that element-wise operations are not well defined if the two MLEs are not of the same size, but there is a mathematically natural interpretation for such a formula, which we adopt in Remainder.

Let $V_{1} (z_{0}, z_{1})$ be an MLE on two variables, and $V_{2} (z_{0})$ be an MLE on only one variable. One natural interpretation for the expression $V_{1} \cdot V_{2}$ is an MLE $V_{3} (z_{0}, z_{1})$ on two variables defined by $V_{3} (z_{0}, z_{1}) = V_{1} (z_{0}, z_{1}) \cdot V_{2} (z_{0})$ , i.e. equating the common MLE variables starting from the left.

Viewing the MLEs as evaluation vectors, if $V_{1} = [a, b, c, d]$ and $V_{2} = [e, f]$ , then $V_{3} = [a \cdot e, b \cdot e, c \cdot f, d \cdot f]$ .

See run_example_1b() in frontend/examples/sector.rs for a working example.

Example 2: Spliting MLEs

Recall the first example of a Structured layer we saw in Section 3.1 which performed the operation $V_{2} (z_{0}, z_{1}) = V_{1} (0, z_{0}, z_{1}) \cdot V_{1} (1, z_{0}, z_{1})$ on the 3-variable MLE $V_{1}$ with evaluations $[a, b, c, d, e, f, g, h]$ to produce $[a \cdot e, b \cdot f, c \cdot g, d \cdot h]$ .

With what we've seen so far, it's not clear how to express this relation in Remainder. If we have a NodeRef<F> instance for the $V_{1}$ MLE, it refers by default to the entire MLE. But here, we'd like to refer to a subset of that MLE, in particular one for which a prefix of its variables has been fixed to a certain binary string.

Remainder provides a special kind of node to be used during circuit creation to take any node refering to an MLE $V (z_{0}, z_{1}, \dots, z_{n - 1})$ and generate $2^{k}$ NodeRef<F> instances refering to the MLEs $V (k 0, \dots, 0, 0, z_{0}, \dots, z_{n - k - 1}), V (k 0, \dots, 0, 1, z_{0}, \dots, z_{n - k - 1}), \dots, V (k 1, \dots, 1, 1, z_{0}, \dots, z_{n - k - 1})$ for any integer $1 \leq k \leq n$ . Conceptually, a Split node is splitting the MLE's evaluation table into $2^{k}$ parts which can be referenced separately.

Having this tool handy, we can now implement the example from Section 3.1 as follows:

#![allow(unused)]
fn main() {
// The Input MLE [a, b, c, d, e, f, g, h].
let mle = builder.add_input_shred("Input MLE", 3, &input_layer);

// Split the MLE into two halves (k = 1): left = [a, b, c, d] and right = [e, f, g, h].
let [left, right]: [_; 2] = builder.add_split_node(&mle, /* k = */ 1).try_into().unwrap();

// Multiply the two halves together using a sector node and the expression `left * right`,
// producing the output MLE [a*e, b*f, c*g, d*h].
let sector = builder.add_sector(left * right);
}

You can see a full working example in run_example_2() in frontend/examples/sector.rs.

Efficiency Note: A Split node does not get compiled into a GKR layer. It's a construct used only during circuit building to do all the necessary bookkeeping.

Example 3: Using constants in Expressions.

We've seen how to write expressions involving MLEs, but sometimes it's also useful to include constants from the field $F$ we're operating on. For example, the expression $V_{3} (z_{0}, z_{1}) = V_{1} (z_{0}, z_{1}) + 42 \cdot V_{2} (z_{0}, z_{1})$ is a valid Structured layer relationship.

We can express the multiplication by a constant above simply by multiplying v2: NodeRef<F> with a value F::from(42) of type F:

#![allow(unused)]
fn main() {
/* ... create nodes for `v1` and `v2` ... */

let v3 = builder.add_sector(v1 + v2 * F::from(42));
}

It's important to note here that the multiplication needs to happen with the constant on the right. The compiler would reject the expression F::from(42) * v2 in the above context. This is due to subtle quirk of how Rust's operator overloading interracts with Rust's rule of forbidding the implementation of external traits for externals types: in this case F may be a field type defined outside the Remainder crate and std::ops::Mul, an external trait, cannot be implemented for it inside the Remainder crate.

See run_example_3() in frontend/examples/sector.rs for a full working example.

Note: It is also possible to express this relation by adding a constant MLE $V_{const, 42}$ (on zero variables) with evaluation table equal to $[42]$ , and thus expressing $V_{3}$ as: $V_{3} (z_{0}, z_{1}) = V_{1} (z_{0}, z_{1}) + V_{const, 42} () \cdot V_{2} (z_{0}, z_{1})$ . Essentially treating the constant as an input parameter. However this can be inefficient since it complicates the expression to be proven (potentially affecting the prover's/verifier's runtime), as well as increases the size of the generated proof because all the constant values would need to be included in the transcript.

Exmaple 4: Using Selectors in Expressions.

"Selectors", introduced in Section 3.1, are a a structured way to express certain "if-then-else" expressions inside a circuit.

Recall the following linear expression we used as an example in Section 3.1:

$V_{2} (z_{0}, z_{1}) = (1 - z_{0}) \cdot V_{1} (0, z_{1}) \cdot V_{1} (0, z_{1}) + z_{1} \cdot 2 \cdot V_{1} (1, z_{1})$

We argued it represents the transformation $[a, b, c, d] \to [a^{2}, b^{2}, 2 c, 2 d]$ , where each entry of the output MLE is either the square or the double the respective entry of the input MLE, and the choice of operation depends on the index of the value in the evaluation table of the output MLE.

The general construct $(1 - z_{0}) \cdot E_{1} + z_{0} \cdot E_{2}$ , where $E_{1}, E_{2}$ are arbitrary expressions, can be expressed in Remainder using the macro sel_expr!(E_1, E_2) for E_1, E_2: AbstractExpression<F>. The macro produces an expression, which can directly be fed into a Sector node.

All that remains is to use a Split node to get node references to V_1(0, z_1) and V_1(1, z_1), and we can implement $V_{2}$ as:

#![allow(unused)]
fn main() {
/* ... create a node for `v1` ... */

// Split V1 into V1_l(z_1) = V1(0, z_1) and V1_r(z_1) = V1(1, z_1).
let [v1_l, v1_r]: [_; 2] = builder.add_split_node(&v1, 1).try_into().unwrap();

// Selector layer.
let v2 = builder.add_sector(sel_expr!(&v1_l * &v1_l, &v1_r * F::from(2)));
}

See run_example_4() in frontend/examples/sector.rs for a full working example.

Gate Frontend Tutorial

We build off of the theory introduction to "gate layers" in GKR, in the Canonic GKR section. The following section shows examples on how to create these layers, defined by wirings and the binary operation they denote, in Remainder.

NOTE: The diagrams differ from the circuit (as written in our code example) in one subtle way: we subtract the "expected output" from the output of the gate layer in the code to verify that the circuit computed the correct value. This is equivalent to this section on transforming a circuit to have zero output.

Example 1: Binary Gate

Diagram

Let us define the following layerwise relationship, as a small GKR circuit:

Diagram representing binary gate

Code

The way we would represent the above diagram as a GKR circuit in Remainder is below, which can also be found in our codebase at frontend/examples/binary_gate.rs:

#![allow(unused)]
fn main() {
fn build_example_binary_gate_circuit<F: Field>(
    input_num_vars_lhs: usize,
    input_num_vars_rhs: usize,
    wiring: Vec<(u32, u32, u32)>,
    binary_operation: BinaryOperation,
    output_num_vars: usize,
) -> Circuit<F> {
    let mut builder = CircuitBuilder::<F>::new();

    let public = builder.add_input_layer("Public", LayerVisibility::Public);
    // The left-hand side candidates for the input to the binary gate
    let lhs_input = builder.add_input_shred("LHS candidates for binary gate", input_num_vars_lhs, &public);
    // The right-hand side candidates for the input to the binary gate
    let rhs_input = builder.add_input_shred("RHS candidates for binary gate", input_num_vars_rhs, &public);
    // The expected output of the gate operation
    let expected_output = builder.add_input_shred("Expected output", output_num_vars, &public);

  
    let gate_result = builder.add_gate_node(&lhs_input, &rhs_input, wiring, binary_operation, None);
   
    let output = builder.add_sector(gate_result - expected_output);
    builder.set_output(&output);

    builder.build().unwrap()
}

#[test]
pub fn binary_gate_example() {
    const LHS_NUM_VARS: usize = 3;
    const RHS_NUM_VARS: usize = 2;
    const OUTPUT_NUM_VARS: usize = 2;

    // Example inputs to the gate function
    let lhs_mle: MultilinearExtension<Fr> = vec![5, 7, 2, 9, 13, 1, 11, 2].into();
    let rhs_mle: MultilinearExtension<Fr> = vec![11, 13, 15, 3].into();
    // Example wiring
    let wiring = vec![
        (0, 0, 1), 
        (0, 1, 3),
        (1, 5, 3),
        (2, 6, 2),
        (2, 7, 1),
        (3, 2, 0),
    ];
    let expected_output_mle: MultilinearExtension<Fr> = vec![28, 4, 41, 13].into();


    // Create circuit description
    let mut prover_circuit =
        build_example_binary_gate_circuit::<Fr>(LHS_NUM_VARS, RHS_NUM_VARS, wiring, BinaryOperation::Add, OUTPUT_NUM_VARS);
    let mut verifier_circuit = prover_circuit.clone();

    prover_circuit.set_input("LHS candidates for binary gate", lhs_mle.clone());
    prover_circuit.set_input("RHS candidates for binary gate", rhs_mle.clone());
    prover_circuit.set_input("Expected output", expected_output_mle.clone());

    let provable_circuit = prover_circuit.finalize().unwrap();

    // Prove the circuit
    let (proof_config, proof_as_transcript) =
        prove_circuit_with_runtime_optimized_config::<Fr, PoseidonSponge<Fr>>(&provable_circuit);

    // Create verifier circuit description and attach inputs.
    verifier_circuit.set_input("LHS candidates for binary gate", lhs_mle);
    verifier_circuit.set_input("RHS candidates for binary gate", rhs_mle);
    verifier_circuit.set_input("Expected output", expected_output_mle);

    let (verifiable_circuit, predetermined_public_inputs) =
        verifier_circuit.gen_verifiable_circuit().unwrap();
    verify_circuit_with_proof_config(
        &verifiable_circuit,
        predetermined_public_inputs,
        &proof_config,
        proof_as_transcript,
    );
}
}

Example 2: Identity Gate

Diagram

Let us define the following layerwise relationship, as a small GKR circuit:

Diagram representing identity gate

Code

The way we would represent the above diagram as a GKR circuit in Remainder is below, which can also be found in our codebase at frontend/examples/identity_gate.rs:

#![allow(unused)]
fn main() {
fn build_example_identity_gate_circuit<F: Field>(
    source_num_vars: usize,
    wiring: Vec<(u32, u32)>,
    output_num_vars: usize,
) -> Circuit<F> {
    let mut builder = CircuitBuilder::<F>::new();

    let public = builder.add_input_layer("Public", LayerVisibility::Public);
    // The MLE that we are routing via the wiring
    let source = builder.add_input_shred("Source for identity gate", source_num_vars, &public);
    // Expected result of the wiring
    let expected_output = builder.add_input_shred("Expected output", output_num_vars, &public);
    
    let gate_result = builder.add_identity_gate_node(&source, wiring, output_num_vars, None);
   
    let output = builder.add_sector(gate_result - expected_output);
    builder.set_output(&output);

    builder.build().unwrap()
}

#[test]
pub fn id_gate_example() {
    const SOURCE_NUM_VARS: usize = 3;
    const OUTPUT_NUM_VARS: usize = 2;

    // The example input MLE.
    let source_mle: MultilinearExtension<Fr> = vec![5, 7, 2, 9, 13, 1, 11, 2].into();
    // Example wiring.
    let wiring = vec![
        (0, 1), 
        (0, 3),
        (1, 7),
        (2, 6),
        (2, 5),
        (3, 2),
    ];
    let expected_output_mle: MultilinearExtension<Fr> = vec![16, 2, 12, 2].into();


    // Create circuit description.
    let mut prover_circuit =
        build_example_identity_gate_circuit::<Fr>(SOURCE_NUM_VARS, wiring, OUTPUT_NUM_VARS);
    let mut verifier_circuit = prover_circuit.clone();

    prover_circuit.set_input("Source for identity gate", source_mle.clone());
    prover_circuit.set_input("Expected output", expected_output_mle.clone());

    let provable_circuit = prover_circuit.finalize().unwrap();

    // Prove the circuit.
    let (proof_config, proof_as_transcript) =
        prove_circuit_with_runtime_optimized_config::<Fr, PoseidonSponge<Fr>>(&provable_circuit);

    // Create verifier circuit description and attach inputs.
    verifier_circuit.set_input("Source for identity gate", source_mle);
    verifier_circuit.set_input("Expected output", expected_output_mle);

    let (verifiable_circuit, predetermined_public_inputs) =
        verifier_circuit.gen_verifiable_circuit().unwrap();
    verify_circuit_with_proof_config(
        &verifiable_circuit,
        predetermined_public_inputs,
        &proof_config,
        proof_as_transcript,
    );
}
}

Example 3: Dataparallel Binary Gate

Diagram

Let us define the following layerwise relationship, as a small GKR circuit:

Diagram representing dataparallel binary gate

Code

The way we would represent the above diagram as a GKR circuit in Remainder is below, which can also be found in our codebase at frontend/examples/binary_gate_dataparallel.rs:

#![allow(unused)]

fn main() {
fn build_example_binary_gate_circuit_dataparallel<F: Field>(
    num_dataparallel_vars: usize,
    input_num_vars_lhs: usize,
    input_num_vars_rhs: usize,
    wiring: Vec<(u32, u32, u32)>,
    binary_operation: BinaryOperation,
    output_num_vars: usize,
) -> Circuit<F> {
    let mut builder = CircuitBuilder::<F>::new();

    let public = builder.add_input_layer("Public", LayerVisibility::Public);
    // The input candidates for the left-hand side of the gate
    let lhs_input = builder.add_input_shred("LHS candidates for binary gate", input_num_vars_lhs, &public);
    // The input candidates for the right-hand side of the gate
    let rhs_input = builder.add_input_shred("RHS candidates for binary gate", input_num_vars_rhs, &public);
    // The expected output of the gate operation
    let expected_output = builder.add_input_shred("Expected output", output_num_vars, &public);

  
    let gate_result = builder.add_gate_node(&lhs_input, &rhs_input, wiring, binary_operation, Some(num_dataparallel_vars));
   
    let output = builder.add_sector(gate_result - expected_output);
    builder.set_output(&output);

    builder.build().unwrap()
}

#[test]
pub fn binary_gate_dataparallel_example() {
    const NUM_DATAPARALLEL_VARS: usize = 1;
    const LHS_NUM_VARS: usize = 3;
    const RHS_NUM_VARS: usize = 2;
    const OUTPUT_NUM_VARS: usize = 2;

    // Example inputs
    let lhs_mle: MultilinearExtension<Fr> = vec![5, 7, 2, 9, 13, 1, 11, 2].into();
    let rhs_mle: MultilinearExtension<Fr> = vec![11, 13, 15, 3].into();
    // Example wiring: Is repeated across (1 << [NUM_DATAPARALLEL_VARS]) copies of the circuit
    let wiring = vec![
        (0, 0, 1), 
        (0, 3, 0),
        (1, 2, 1),
    ];
    let expected_output_mle: MultilinearExtension<Fr> = vec![38, 15, 33, 14].into();


    // Create circuit description
    let mut prover_circuit =
        build_example_binary_gate_circuit_dataparallel::<Fr>(NUM_DATAPARALLEL_VARS, LHS_NUM_VARS, RHS_NUM_VARS, wiring, BinaryOperation::Add, OUTPUT_NUM_VARS);
    let mut verifier_circuit = prover_circuit.clone();

    prover_circuit.set_input("LHS candidates for binary gate", lhs_mle.clone());
    prover_circuit.set_input("RHS candidates for binary gate", rhs_mle.clone());
    prover_circuit.set_input("Expected output", expected_output_mle.clone());

    let provable_circuit = prover_circuit.finalize().unwrap();

    // Prove the circuit
    let (proof_config, proof_as_transcript) =
        prove_circuit_with_runtime_optimized_config::<Fr, PoseidonSponge<Fr>>(&provable_circuit);

    // Create verifier circuit description and attach inputs.
    verifier_circuit.set_input("LHS candidates for binary gate", lhs_mle);
    verifier_circuit.set_input("RHS candidates for binary gate", rhs_mle);
    verifier_circuit.set_input("Expected output", expected_output_mle);

    let (verifiable_circuit, predetermined_public_inputs) =
        verifier_circuit.gen_verifiable_circuit().unwrap();
    verify_circuit_with_proof_config(
        &verifiable_circuit,
        predetermined_public_inputs,
        &proof_config,
        proof_as_transcript,
    );
}

}

Example 4: Dataparallel Identity Gate

Diagram

Let us define the following layerwise relationship, as a small GKR circuit:

Diagram representing dataparallel identity gate

Code

The way we would represent the above diagram as a GKR circuit in Remainder is below, which can also be found in our codebase at frontend/examples/identity_gate_dataparallel.rs:

#![allow(unused)]
fn main() {
fn build_example_identity_gate_circuit_dataparallel<F: Field>(
    num_dataparallel_vars: usize,
    source_num_vars: usize,
    wiring: Vec<(u32, u32)>,
    output_num_vars: usize,
) -> Circuit<F> {
    let mut builder = CircuitBuilder::<F>::new();

    let public = builder.add_input_layer("Public", LayerVisibility::Public);
    // The MLE that we are routing via the wiring
    let source = builder.add_input_shred("Source for identity gate", source_num_vars, &public);
    // Expected routing result from the wiring
    let expected_output = builder.add_input_shred("Expected output", output_num_vars, &public);
    
    let gate_result = builder.add_identity_gate_node(&source, wiring, output_num_vars, Some(num_dataparallel_vars));
   
    let output = builder.add_sector(gate_result - expected_output);
    builder.set_output(&output);
    
    builder.build().unwrap()
}

#[test]
pub fn id_gate_dataparallel_example() {
    const NUM_DATAPARALLEL_VARS: usize = 1;
    const SOURCE_NUM_VARS: usize = 3;
    const OUTPUT_NUM_VARS: usize = 2;

    // Example input
    let source_mle: MultilinearExtension<Fr> = vec![5, 7, 2, 9, 13, 1, 11, 2].into();
    // Example wiring. This is repeated across (1 << [NUM_DATAPARALLEL_VARS]) copies of the circuit.
    let wiring = vec![
        (0, 1), 
        (0, 3),
        (1, 2),
    ];
    let expected_output_mle: MultilinearExtension<Fr> = vec![16, 2, 3, 11].into();


    // Create circuit description
    let mut prover_circuit =
        build_example_identity_gate_circuit_dataparallel::<Fr>(NUM_DATAPARALLEL_VARS, SOURCE_NUM_VARS, wiring, OUTPUT_NUM_VARS);
    let mut verifier_circuit = prover_circuit.clone();

    prover_circuit.set_input("Source for identity gate", source_mle.clone());
    prover_circuit.set_input("Expected output", expected_output_mle.clone());

    let provable_circuit = prover_circuit.finalize().unwrap();

    // Prove the circuit
    let (proof_config, proof_as_transcript) =
        prove_circuit_with_runtime_optimized_config::<Fr, PoseidonSponge<Fr>>(&provable_circuit);

    // Create verifier circuit description and attach inputs.
    verifier_circuit.set_input("Source for identity gate", source_mle);
    verifier_circuit.set_input("Expected output", expected_output_mle);

    let (verifiable_circuit, predetermined_public_inputs) =
        verifier_circuit.gen_verifiable_circuit().unwrap();
    verify_circuit_with_proof_config(
        &verifiable_circuit,
        predetermined_public_inputs,
        &proof_config,
        proof_as_transcript,
    );
}
}

MatMult Layer Usage Tutorial

Let's see how we can use a MatMult layer to prove the computation of the following matrix product:

$A_{in} \in F^{3 \times 3} 012123234 \cdot B_{in} \in F^{3 \times 2} 345456 = C_{in} \in F^{3 \times 2} 142638173247$

Recall that a MatMult layer requires all dimensions of all the matrices involved in the product to be exact powers of two. We can always guarantee this property by padding the original matrices with zero columns and/or rows as follows:

$A \in F^{4 \times 4} 0120123023400000 \cdot B \in F^{4 \times 2} 34504560 = C \in F^{4 \times 2} 14263801732470$

How do we represent matrices as MLEs? In Remainder's implementation of the MatMult layer, we follow the convention of representing an $2^{m} \times 2^{n}$ matrix as an MLE whose evaluations on the hypercube are given by a vector in $F^{2^{m + n}}$ which represents a row-major flattened view of the matrix.

For example, here's how we'd represent matrices $A, B, C$ defined above as MLEs:

$A : B : C : [row 1 0, 1, 2, 0, row 2 1, 2, 3, 0, row 3 2, 3, 4, 0, row 4 0, 0, 0, 0] [3, 4, 4, 5, 5, 6, 0, 0] [14, 17, 26, 32, 38, 47, 0, 0]$

A MatMult layer is a specialized layer which, given the MLEs $A, B$ representing matrices $A : F^{2^{m} \times 2^{n}}, B : F^{2^{n} \times 2^{k}}$ , it computes the output MLE $C$ representing matric $C : F^{2^{m} \times 2^{k}}$ such that $C = A \cdot B$ .

To prove the computation of matrix product in Remainder, we can simply subtract the expected $C$ from the result of the MatMult layer and constraine the result to be the all-zero vector.

The only remaining complication to address is that typically it's not reasonable to expect the input to be given in an already padded form. In such a case, we'd have to perform the padding in circuit. In the example above, this would mean transforming MLE representations of matrices $A_{in}, B_{in}, C_{in}$ , to the MLEs $A, B, C$ .

This is easy to do with an Identity Gate layer, as we'll see in the following example.

Example: Input given in un-padded row-major order

A natural way to represent the original, unpadded matrices $A_{in}, B_{in}, C_{in}$ given previously, would be by just flattening the matrices in row-major order, as the following MLEs:

$A_{in} : F^{4} \mapsto F : B_{in} : F^{3} \mapsto F : C_{in} : F^{3} \mapsto F : [0, 1, 2, 1, 2, 3, 2, 3, 4, implicit padding 0, \dots, 0] [3, 4, 4, 5, 5, 6, implicit padding 0, 0] [14, 17, 26, 32, 38, 47, implicit padding 0, 0]$

Notice how in this case the MLEs for matrices $B, C$ are already in the expected format. And in fact this will be the case every time the number of columns is an exact power of two. The number of rows doesn't really affect the matrix padding because Remainder is already implicitly padding every MLE with zeros when the number of evaluations given is not an exact power of two.

Notice however that this implicit padding is not the same as the matrix padding we described earlier. Compare for example the MLE $A$ given earlier, with that of $A_{in}$ . To pad matrix $A$ in the way MatMult expects, we can use custom wirings on an Identity Gate Layer to re-wire the values of MLE $A_{in}$ into the right places and get MLE $A$ . In this case the wiring look like:

$[(0, 0), (1, 1), (2, 2), (4, 3), (5, 4), (6, 5), (8, 6), (9, 7), (10, 8)]$

The wirings of the Identity Gate Layer

Here's the complete code for this example, which can also be found in our repository atfrontend/examples/matmult.rs:

#![allow(unused)]
fn main() {
const PADDED_MATRIX_A_LOG_NUM_ROWS: usize = 2;
const PADDED_MATRIX_A_LOG_NUM_COLS: usize = 2;
const PADDED_MATRIX_B_LOG_NUM_ROWS: usize = 2;
const PADDED_MATRIX_B_LOG_NUM_COLS: usize = 1;

const MATRIX_A_NUM_VARS: usize = 4;
const MATRIX_B_NUM_VARS: usize = 3;
const MATRIX_C_NUM_VARS: usize = 3;

let matrix_a_data: MultilinearExtension<Fr> = vec![0, 1, 2, 1, 2, 3, 2, 3, 4].into();
let matrix_b_data: MultilinearExtension<Fr> = vec![3, 4, 4, 5, 5, 6].into();
let matrix_c_data: MultilinearExtension<Fr> = vec![14, 17, 26, 32, 38, 47].into();

let matrix_a_padding_wiring = vec![
    (0, 0),
    (1, 1),
    (2, 2),
    (4, 3),
    (5, 4),
    (6, 5),
    (8, 6),
    (9, 7),
    (10, 8),
];

let mut builder = CircuitBuilder::<Fr>::new();

let inputs = builder.add_input_layer("Matrices", LayerVisibility::Public);

let matrix_a = builder.add_input_shred("Matrix A", MATRIX_A_NUM_VARS, &inputs);
let matrix_b = builder.add_input_shred("Matrix B", MATRIX_B_NUM_VARS, &inputs);
let expected_matrix_c =
    builder.add_input_shred("Expected Matrix C", MATRIX_C_NUM_VARS, &inputs);

let padded_matrix_a =
    builder.add_identity_gate_node(&matrix_a, matrix_a_padding_wiring, MATRIX_A_NUM_VARS, None);

let matrix_c = builder.add_matmult_node(
    &padded_matrix_a,
    (PADDED_MATRIX_A_LOG_NUM_ROWS, PADDED_MATRIX_A_LOG_NUM_COLS),
    &matrix_b,
    (PADDED_MATRIX_B_LOG_NUM_ROWS, PADDED_MATRIX_B_LOG_NUM_COLS),
);

let output = builder.add_sector(matrix_c - expected_matrix_c);
builder.set_output(&output);

let circuit = builder.build().unwrap();

// Create circuit description.
let mut prover_circuit = circuit.clone();
let mut verifier_circuit = circuit.clone();

prover_circuit.set_input("Matrix A", matrix_a_data.clone());
prover_circuit.set_input("Matrix B", matrix_b_data.clone());
prover_circuit.set_input("Expected Matrix C", matrix_c_data.clone());

let provable_circuit = prover_circuit.gen_provable_circuit().unwrap();

// Prove the circuit.
let (proof_config, proof_as_transcript) =
    prove_circuit_with_runtime_optimized_config::<Fr, PoseidonSponge<Fr>>(&provable_circuit);

// Create verifier circuit description and attach inputs.
verifier_circuit.set_input("Matrix A", matrix_a_data);
verifier_circuit.set_input("Matrix B", matrix_b_data);
verifier_circuit.set_input("Expected Matrix C", matrix_c_data);

let verifiable_circuit = verifier_circuit.gen_verifiable_circuit().unwrap();
verify_circuit_with_proof_config(&verifiable_circuit, &proof_config, proof_as_transcript);
}

Note: In the previous example we hard-coded the wirings corresponding to the case of padding a * $3 \times 3$ matrix MLE. For the general case, one can easily generate the correct wirings for *padding for any matrix dimensions.

Example 1: u8 range check

The following example, building on the section where we discuss LogUp Theory, uses a lookup to check that the provided values are in the range $0 \dots 255$ . See also frontend/examples/lookup.rs:

fn build_example_lookup_circuit<F: Field>(
    table_num_vars: usize,
    witness_num_vars: usize,
) -> Circuit<F> {
    let mut builder = CircuitBuilder::<F>::new();

    // Lookup table is typically public
    let public = builder.add_input_layer("Public", LayerVisibility::Public);
    let table = builder.add_input_shred("Table", table_num_vars, &public);

    // Witness values are typically private, as are multiplicities
    let private = builder.add_input_layer("Private", LayerVisibility::Private);
    let witness = builder.add_input_shred(
        "Witness",
        witness_num_vars,
        &private,
    );
    let multiplicities = builder.add_input_shred(
        "Multiplicities",
        table_num_vars,
        &private,
    );

    // Create the circuit components
    let fiat_shamir_challenge_node = builder.add_fiat_shamir_challenge_node(1);
    let lookup_table = builder.add_lookup_table(&table, &fiat_shamir_challenge_node);
    let _lookup_constraint = builder.add_lookup_constraint(
        &lookup_table, &witness, &multiplicities);

    builder.build().unwrap()
}

/// Example demonstrating a range check using a lookup table.
fn main() {
    const TABLE_NUM_VARS: usize = 8;
    const WITNESS_NUM_VARS: usize = 2;
    const RANGE_LIMIT: u64 = 1 << TABLE_NUM_VARS; // 256

    // The lookup table contains the values 0 thru 255
    let table_mle = MultilinearExtension::new(
        (0u64..RANGE_LIMIT).map(|x| Fr::from(x)).collect(),
    );
    // Some example witness values to be range checked
    let witness_values = vec![233u64, 233u64, 0u64, 1u64];
    // Count the number of times each value occurs to build the multiplicities MLE.
    let mut multiplicities: Vec<u32> = vec![0; RANGE_LIMIT as usize];
    witness_values.iter().for_each(|value| {
            multiplicities[*value as usize] += 1;
    });
    let witness_mle: MultilinearExtension<Fr> = witness_values.into();
    let multiplicities_mle: MultilinearExtension<Fr> = multiplicities.into();

    // Create circuit description
    let mut prover_circuit =
        build_example_lookup_circuit::<Fr>(TABLE_NUM_VARS, WITNESS_NUM_VARS);
    let mut verifier_circuit = prover_circuit.clone();

    prover_circuit.set_input("Table", table_mle.clone());
    prover_circuit.set_input("Witness", witness_mle);
    prover_circuit.set_input("Multiplicities", multiplicities_mle);

    let provable_circuit = prover_circuit.finalize().unwrap();

    // Prove the circuit
    let (proof_config, proof_as_transcript) =
        prove_circuit_with_runtime_optimized_config::<Fr, PoseidonSponge<Fr>>(&provable_circuit);

    // Create verifier circuit description and attach lookup table as public
    // input to it.
    verifier_circuit.set_input("Table", table_mle);
    let (verifiable_circuit, predetermined_public_inputs) =
        verifier_circuit.gen_verifiable_circuit().unwrap();
    verify_circuit_with_proof_config(
        &verifiable_circuit,
        predetermined_public_inputs,
        &proof_config,
        proof_as_transcript,
    );
}

Example 2: sigmoid function

The following example uses an indexed lookup to check that the provided input and output values correspond under the sigmoid function. Inputs and outputs are both scaled and discretized: for all integers $2^{9} \leq i < 2^{9}$ , the corresponding field element $i \in F$ represents the real value $i / 2^{5}$ . See also remainder_frontend/examples/indexed_lookup.rs:

fn build_example_indexed_lookup_circuit<F: Field>(
    table_num_vars: usize,
    witness_num_vars: usize,
) -> Circuit<F> {
    let mut builder = CircuitBuilder::<F>::new();

    // Lookup table is typically public
    let public = builder.add_input_layer("Public", LayerVisibility::Public);
    let table_input = builder.add_input_shred("Table input", table_num_vars, &public);
    let table_output = builder.add_input_shred("Table output", table_num_vars, &public);

    // Witness values are typically private, as are multiplicities
    let private = builder.add_input_layer("Private", LayerVisibility::Private);
    let witness_input = builder.add_input_shred(
        "Witness input",
        witness_num_vars,
        &private,
    );
    let witness_output = builder.add_input_shred(
        "Witness output",
        witness_num_vars,
        &private,
    );
    let multiplicities = builder.add_input_shred(
        "Multiplicities",
        table_num_vars,
        &private,
    );

    // A Fiat-Shamir challenge node is needed to combine input and output values
    let rlc_fiat_shamir_challenge_node = builder.add_fiat_shamir_challenge_node(1);

    // Combine input and output values for the indexed lookup
    let table_values = builder.add_sector(&table_input + &rlc_fiat_shamir_challenge_node * &table_output);
    let witness_values = builder.add_sector(&witness_input + &rlc_fiat_shamir_challenge_node * &witness_output);

    // Add the usual lookup components
    let logup_fiat_shamir_challenge_node = builder.add_fiat_shamir_challenge_node(1);
    let lookup_table = builder.add_lookup_table(&table_values, &logup_fiat_shamir_challenge_node);
    let _lookup_constraint = builder.add_lookup_constraint(
        &lookup_table, &witness_values, &multiplicities);

    builder.build().unwrap()
}

fn main() {
    // Uses an indexed lookup to check the application of a function defined by a lookup table.
    // The sigmoid function is used.
    // Inputs and outputs are both scaled and discretized: for all integers `2^9 <= i < 2^9`, the corresponding field element $i \in \mathbb{F}$ represents the real value $i / 2^8$.
    const TABLE_NUM_VARS: usize = 10;
    const WITNESS_NUM_VARS: usize = 2;
    let range_limit: i64 = 1 << (TABLE_NUM_VARS - 1);

    let sigmoid = |x: i64| -> i64 {
        // Sigmoid function scaled by 2^5
        let x_real = (x as f64) / 32.0;
        let sigmoid_real = 1.0 / (1.0 + (-x_real).exp());
        (sigmoid_real * 32.0).round() as i64
    };

    // The lookup table will contain the input and output values for the sigmoid for input values
    let input_values_mle: MultilinearExtension<Fr> = (-range_limit..range_limit).collect::<Vec<_>>().into();
    let output_values_mle: MultilinearExtension<Fr> = (-range_limit..range_limit)       
        .map(|x| sigmoid(x))
        .collect::<Vec<_>>()
        .into();

    // Some example witness input values to be evaluated through the lookup table
    let witness_input_values = vec![-20i64, 0i64, 12i64, 12i64];
    let witness_output_values: Vec<i64> = witness_input_values
        .iter()
        .map(|&x| sigmoid(x))
        .collect();
    let witness_input_mle: MultilinearExtension<Fr> = witness_input_values.clone().into();
    let witness_output_mle: MultilinearExtension<Fr> = witness_output_values.into();

    // Count the number of times each (input, output) pair occurs to build the multiplicities MLE.
    let mut multiplicities : Vec<u32> = vec![0; 1 << TABLE_NUM_VARS];
    witness_input_values.iter().for_each(|&input_value| {
        // Compute the index in the table for the (input, output) pair
        let index = input_value + range_limit;
        multiplicities[index as usize] += 1;
    });
    let multiplicities_mle: MultilinearExtension<Fr> = multiplicities.into();

    // Create circuit description
    let mut prover_circuit =
        build_example_indexed_lookup_circuit::<Fr>(TABLE_NUM_VARS, WITNESS_NUM_VARS);
    let mut verifier_circuit = prover_circuit.clone();

    prover_circuit.set_input("Table input", input_values_mle.clone());
    prover_circuit.set_input("Table output", output_values_mle.clone());
    prover_circuit.set_input("Witness input", witness_input_mle.clone());
    prover_circuit.set_input("Witness output", witness_output_mle.clone());
    prover_circuit.set_input("Multiplicities", multiplicities_mle);

    let provable_circuit = prover_circuit.finalize().unwrap();

    // Prove the circuit
    let (proof_config, proof_as_transcript) =
        prove_circuit_with_runtime_optimized_config::<Fr, PoseidonSponge<Fr>>(&provable_circuit);

    // Create verifier circuit description and attach lookup table as public
    // input to it.
    verifier_circuit.set_input("Table input", input_values_mle);
    verifier_circuit.set_input("Table output", output_values_mle);
    let (verifiable_circuit, predetermined_public_inputs) =
        verifier_circuit.gen_verifiable_circuit().unwrap();
    verify_circuit_with_proof_config(
        &verifiable_circuit,
        predetermined_public_inputs,
        &proof_config,
        proof_as_transcript,
    );
}

Hyrax Frontend Tutorial

This tutorial closely resembles the one for Remainder's GKR prover/verifier, i.e. the one written in the quickstart section. The code for the Hyrax frontend tutorial is here, and can be run from the Remainder_CE root directory via the following command:

cargo run --package frontend --example hyrax_tutorial

Note that although this tutorial is a code-only, standalone tutorial, we would very strongly encourage you to read through at least the Hyrax introduction section to get a better understanding of what the various code pieces represent and why Hyrax is one of several options for converting GKR into a fully zero-knowledge protocol.

Setting up the circuit

This uses the exact same code/circuit as the one from the quickstart, and we encourage you to check out that section to understand the structure of the circuit described here. Indeed, the Circuit<F> generation function within frontend/examples/hyrax_tutorial.rs is a copy/paste of the one in frontend/examples/tutorial.rs.

As a quick reminder, the circuit we defined (see build_circuit()) has two input layers, one private/committed and one public. The private/committed input layer contains two sub-inputs, "LHS" and "RHS", and the public input layer contains a single sub-input, "Expected output". In the GKR case/tutorial, we used the (non-ZK) Ligero PCS to commit to and open the committed input layer at a challenge point, and in the Hyrax case, the prover will be using the zero-knowledge Hyrax PCS to do the same.

#![allow(unused)]
fn main() {
let lhs_rhs_input_layer =
    builder.add_input_layer("LHS RHS input layer", LayerVisibility::Committed);
let expected_output_input_layer =
    builder.add_input_layer("Expected output", LayerVisibility::Public);
}

Recall that we create two copies of the Circuit<F>: one for the prover (to attach private and public input data to), and one for the verifier (no data attached):

#![allow(unused)]
fn main() {
// Create the base layered circuit description.
let base_circuit = build_circuit();
let mut prover_circuit = base_circuit.clone();
let verifier_circuit = base_circuit.clone();
}

Similarly to the GKR tutorial, we generate input data for the circuit and attach them to the prover circuit:

#![allow(unused)]
fn main() {
// Generate circuit inputs.
let lhs_data = vec![1, 2, 3, 4].into();
let rhs_data = vec![5, 6, 7, 8].into();
let expected_output_data = vec![5, 12, 21, 32].into();

// Append circuit inputs to their respective input "shreds" in the prover's
// view of the circuit.
prover_circuit.set_input("LHS", lhs_data); // This is committed!
prover_circuit.set_input("RHS", rhs_data); // This is committed!
prover_circuit.set_input("Expected output", expected_output_data); // This is public!
}

Setting up the proving environment

Next, we create a pair of proving/verification configs. We won't elaborate on the specific configuration options here, but the idea is that they are effectively a group of global context variables which affect certain proving/verification options (e.g. trading off runtime vs. memory usage, whether to use certain optimizations, etc.). Note that in the quickstart, we hid the config + macro API with another wrapper for simplicity, but are exposing the options here. For now, we will stick with the "Hyrax compatible runtime-optimized default" option:

#![allow(unused)]
fn main() {
// Create GKR circuit prover + verifier configs which work with Hyrax
let hyrax_circuit_prover_config =
    GKRCircuitProverConfig::hyrax_compatible_runtime_optimized_default();
let hyrax_circuit_verifier_config =
    GKRCircuitVerifierConfig::new_from_prover_config(&hyrax_circuit_prover_config, false);
}

Similarly to how we needed to create a ProvableCircuit<F> in the GKR tutorial, we invoke a similar function here, gen_hyrax_provable_circuit(), to gather our previously attached circuit inputs and prepare the circuit for proving:

#![allow(unused)]
fn main() {
// Create a version of the circuit description which the prover can use.
// Note that in this case, we create a "Hyrax-provable" circuit rather than
// a "GKR-provable" one.
let mut hyrax_provable_circuit: HyraxProvableCircuit<Bn256Point> = prover_circuit
    .gen_hyrax_provable_circuit()
    .expect("Failed to generate provable circuit");
}

Next, we prepare a couple of structs which are specific to Hyrax proving. First, we create a Pedersen committer, which creates and keeps track of the group generators to be used in proving (see our Hyrax overview and Pedersen commitments sections for more details here).

Importantly, the public string used to instantiate the committer must be agreed upon between the prover and verifier. This ensures a "nothing-up-my-sleeve number" verification setting where a malicious prover cannot cheat by picking a set of generators for which they e.g. know a discrete log relationship between, which would allow them to break the soundness of the protocol:

#![allow(unused)]
fn main() {
// The Pedersen committer creates and keeps track of the shared generators
// between the prover and verifier. Note that the generators are created
// deterministically from the public string.
let prover_pedersen_committer =
    PedersenCommitter::new(512, "Hyrax tutorial Pedersen committer", None);
}

Next, we set up the RNG required for generating blinding factors within the protocol -- note that the example used here is insecure for simplicity. In practice, please instantiate the blinding factor RNG with a CSPRNG.

#![allow(unused)]
fn main() {
// WARNING: This is for tutorial purposes ONLY. NEVER use anything but a CSPRNG for generating blinding factors!
let mut blinding_rng = thread_rng();
}

Finally, we set up an inverse Vandermonde matrix, which helps us convert univariate polynomials from evaluation to coefficient form. This is helpful for the Hyrax verifier in the interpolative claim aggregation case, since $V_{i} (ℓ (r^{⋆}))$ can only be easily evaluated by the verifier when the polynomial $V_{i} (ℓ (x))$ is sent in Pedersen commitments to coefficients rather than evaluations:

#![allow(unused)]
fn main() {
// The Vandermonde inverse matrix allows us to convert from evaluations
// to coefficients for interpolative claim aggregation. Note that the
// coefficient form allows the verifier to directly check relationships
// via the homomorphic properties of the curve.
let mut vandermonde_converter = VandermondeInverse::new();
}

Proving

We instantiate a prover transcript over the protocol's elliptic curve's base field for Fiat-Shamir:

#![allow(unused)]
fn main() {
// Finally, we instantiate a transcript over the base field. Note that
// prover messages are elliptic curve points which can be encoded as base
// field tuples, while verifier messages are scalar field elements of that
// curve. Thanks to Hasse's theorem, this results in a negligible completeness
// loss in the non-interactive case as we always attempt to coerce a base
// field challenge into a scalar field element and panic if the base field
// element sampled was larger than the scalar field modulus.
let mut prover_transcript: ECTranscript<Bn256Point, PoseidonSponge<Fq>> =
    ECTranscript::new("Hyrax tutorial prover transcript");
}

We are finally ready to generate the Hyrax proof! Note that the perform_function_under_prover_config!() macro ensures (even within a multi-threaded environment) that the function passed in will only be called and be run in its entirety under the state set by hyrax_circuit_prover_config.

#![allow(unused)]
fn main() {
// Use the `perform_function_under_prover_config!` macro to run the
// Hyrax prover's `prove` function with the above arguments, under the
// prover config passed in.
let (proof, proof_config) = perform_function_under_prover_config!(
    // This is a hack to get around the macro's syntax for struct methods
    // rather than function calls.
    |w, x, y, z| hyrax_provable_circuit.prove(w, x, y, z),
    &hyrax_circuit_prover_config,
    &prover_pedersen_committer,
    &mut blinding_rng,
    &mut vandermonde_converter,
    &mut prover_transcript
);
}

Verification

Similarly to the verification process in the GKR tutorial, we first collect verifier-known inputs (in this case, there are none) and create a (Hyrax) verifier-ready version of the circuit:

#![allow(unused)]
fn main() {
// We generate a "Hyrax-verifiable" circuit from the `Circuit` struct,
// but do not attach any circuit inputs to it (these must come from
// the proof itself).
let hyrax_verifiable_circuit = verifier_circuit
    .gen_hyrax_verifiable_circuit()
    .expect("Failed to generate Hyrax verifiable circuit");
}

The verifier creates its own Pedersen committer and derives the agreed-upon generators from scratch:

#![allow(unused)]
fn main() {
// The verifier can (and should) derive the elliptic curve generators on
// its own from the public string and check the proof against these.
let verifier_pedersen_committer =
    PedersenCommitter::new(512, "Hyrax tutorial Pedersen committer", None);
}

Finally, the verifier instantiates its own Fiat-Shamir transcript:

#![allow(unused)]
fn main() {
// The verifier instantiates its own transcript.
let mut verifier_transcript: ECTranscript<Bn256Point, PoseidonSponge<Fq>> =
    ECTranscript::new("Hyrax tutorial verifier transcript");
}

And we commence verification using the perform_function_under_verifier_config!() macro, which is identical in behavior to the above perform_function_under_prover_config!() macro call, but with consistency against the hyrax_circuit_verifier_config rather than the prover one.

#![allow(unused)]
fn main() {
// Finally, we verify the proof using the above committer + transcript, as
// well as the Hyrax verifier config generated from the prover one earlier.
perform_function_under_verifier_config!(
    verify_hyrax_proof,
    &hyrax_circuit_verifier_config,
    &proof,
    &hyrax_verifiable_circuit,
    &verifier_pedersen_committer,
    &mut verifier_transcript,
    &proof_config
);
}

And that's it! You've now created your first Hyrax-provable/verifiable circuit and generated and verified a Hyrax zero-knowledge proof. Note that aside from the couple of additional structs we needed to supply to the prover/verifier (e.g. the Pedersen committer, the blinding factor RNG, the Vandermonde inverse matrix, and defining the curve whose scalar field is the one used in the circuit), the entire circuit definition + input data attachment process was identical to that of the GKR tutorial from earlier -- this is all by design, and in large part due to the fact that so many of the GKR prover/verifier operations can be so neatly wrapped (if done carefully and modular-ly) by Pedersen commitments!

Hyrax Interactive Protocol

Hyrax is a transformation to the GKR protocol which makes it zero knowledge. The GKR protocol as explained in our GKR Tutorial is not zero knowledge on its own. Recall that in the section about what GKR Proofs look like, we mention that GKR proofs contain the sumcheck messages from the sumcheck protocol performed for each layer of the arithmetic circuit.

Each of these sumcheck messages are the evaluations of a very particular univariate polynomial, constructed based on the data contained within that layer. Therefore, each of these evaluations leak a little bit of information on the data contained within a circuit, and these can be used to construct a system of equations that reveal some information about private inputs to a circuit.

Therefore, in use cases which require a zero knowledge proof of the output of a circuit, we use the Hyrax interactive protocol to transform GKR circuits into a variant which produces a zero knowledge proof. The high-level overview of the protocol is that rather than $P$ sending $V$ evaluations of the univariates directly, $P$ sends $V$ Pedersen commitments of these evaluations, and $V$ is able to verify these commitments to sumcheck messages by taking advantage of the additive homomorphism of Pedersen commitments.

For the remainder of this chapter we use additive group notation because this is the notation our code in Remainder is written in.

Background

The Hyrax protocol is defined over any cyclic group $G$ of prime order. We break down what this means below.

Group: A group $G$ is an algebraic structure which is closed under a chosen binary operation, usually called the group operation. This means that if $a \in G$ and $b \in G$ , and the group operation of $G$ is denoted by $⋆$ , $a ⋆ b \in G$ . Additionally, $G$ satisfies the following properties:
- Associativity: $\forall a, b, c \in G, a ⋆ (b ⋆ c) = (a ⋆ b) ⋆ c$ .
- Identity $\exists e \in G$ such that $\forall a, a ⋆ e = e ⋆ a = a$ .
- Inverses $\forall a \in G, \exists b$ such that $a ⋆ b = b ⋆ a = e$ .
Order: The number of elements in a group, denoted by $∣ G ∣$ .
Finite: $G$ is finite if it has finitely many elements.
Cyclic: $G$ is cyclic if it contains a generator $g$ such that $\forall a \in G, \exists n$ such that $n g ⋆ g ⋆ \dots ⋆ g = a$ . In this case, we say that $G$ is generated by $g$ , meaning by composing $g$ with itself $k$ times, where $k \in [0, ℓ - 1]$ and $ℓ = ∣ G ∣$ , we can enumerate every element of $G .$
Prime Order: A group has prime order if $∣ G ∣$ is prime.

In Remainder, we instantiate Hyrax over an elliptic curve group, denoted below as $G$ , with prime order (defined by the trait PrimeOrderCurve).

Elliptic curve consists of points in a finite field satisfying the equation $y^{2} = x^{3} + a x + b$ . An elliptic curve group's binary operation is "point addition," which we denote with $+$ . If we add $a \in G$ to itself $k$ times, we call this operation "scalar multiplication," denoted by $ka$ . While we won't go into full detail on elliptic curves in this tutorial, we define some operations that will make it easier to follow the rest of this section and the codebase. For more information on elliptic curves, you can read these notes on an introduction to elliptic curves.

Base Field: If $g \in G$ , $g$ is defined by coordinates on a plane (either two or three, depending on the notation being used as explained below). Each of the coordinates of $x$ belong to the base field, which we denote as $F_{q} .$ For example, if $g = (a, b)$ , then $a, b \in F_{q}$ .
Scalar Field: The scalar field is the field $F_{p}$ , where $p = ∣ G ∣$ , whose equivalence classes are the integers $[0, p - 1] .$ In other words, because $G$ is cyclic, it contains a generator $g .$ $\forall a \in G$ , $a = k g$ for some $k \in [0, p - 1] .$
Group Element: A group element $g \in G$ is a point on the coordinate plane, and can be represented in many ways. We present the three types of representations used in the Remainder codebase below:
- Affine Coordinates: Affine coordinates are elliptic curve points represented in the traditional 2D plane, and are denoted as $(x, y)$ .
- Projective Coordinates: Projective coordinates are points on the projective plane, represented by $(x, y, z)$ where each point is the value in the appropriate dimension. To convert an affine coordinate $(x, y)$ to its projective coordinates, simply multiply each coordinate by some element $z \in F_{q}$ to get $(z x, zy, z)$ . For every affine coordinate, there is a class of projective coordinates that define the same point. To go from a projective coordinate $(x, y, z)$ to its equivalent affine coordinate, the value is simply $(x z^{- 1}, y z^{- 1})$ .
- Jacobian Coordinates: A jacobian coordinate $(x, y, z) \in G$ represents the affine coordinate $(x z^{- 2}, y z^{- 3})$ .
Point at Infinity: Note that it is not possible to define the appropriate affine coordinate corresponding to a projective coordinate if $z = 0.$ This is exactly the point at infinity, represented by the point $(0, 1, 0)$ .

Roadmap

For the rest of this chapter, we will first cover the Hyrax primitives, which allows us to prove properties of different blinded Pedersen commitments, such as proving that two commitments which look different (are different group elements) commit to the same message without having to open the commitment, or that the prover knows the message used to produce a commitment without having to open the commitment. We then move on to more complex proofs over Pedersen commitments such as Proof of Sumcheck and Proof of Claim Aggregation which prove that the prover has properly executed sumcheck or claim aggregation. Finally, we show how the primitives and more intermediate protocols can be put together to produce a valid GKR proof which only consists of blinded Pedersen commitments.

Pedersen Commitments

We continue to work in the elliptic curve group of prime order $G$ in this section with the group operation of point addition (denoted by $+$ ). Pedersen commitments are based on the discrete logarithm hardness assumption. Let $g$ be the generator of $G$ . This hardness assumption states that given a group element $a \in G$ , and knowing $g$ , it is computationally hard to find the "discrete logarithm" of $a$ , namely, the scalar field element $k$ such that $k g = a$ .

Commitment Schemes

Before explaining what Pedersen commitments are, we briefly provide background on commitment schemes. Commitment schemes allow a party to commit to a message $m$ in the form of a commitment $c$ . Note that the setup and definition for a polynomial commitment scheme is similar but with some subtle differences, as polynomial commitment schemes deal with committing to a message which is a bounded-degree polynomial such that a proof for evaluation at a later-determined point can be provided, while a commitment scheme in the sense of a Pedersen commitment more generally commits to a message (and can also be used as a PCS via proof-of-dot-product).

Properties

Commitment schemes are best described by the properties they satisfy. We informally define them below:

Hiding: This gives privacy to the party computing the commitment. I.e., given a commitment $c$ , it is computationally difficult to extract the message $m$ it was computed from. A stronger notion, the "statistical hiding" property, says that the distribution of commitments that could be computed from a message $m_{0}$ is computationally indistinguishable from the distribution of commitments that could be computed from a message $m_{1}$ .
Binding: This property gives security to the party receiving the commitment. It states that once given a commitment $c$ , the party who receives the commitment can be confident with up to negligible probability that the sender is tied to the message $c$ was computed from. In other words, the probability that $c$ is the commitment of two different messages $m_{0} \neq = m_{1}$ is very low.

Protocol

Commitment schemes entail two phases:

Commitment Phase: In the commitment phase, $P$ computes the commitment $c$ to its desired message $m$ and sends it to $V$ .
Evaluation Phase: In the evaluation phase, $V$ receives the commitment $c$ and verifies (the actual method of verifying depends on which commitment scheme is being used) whether $c$ is indeed the commitment to the correct message $m$ .

Pedersen Commitment Construction

A Pedersen Commitment is one way of committing to a message, a construction used throughout the Hyrax interactive protocol. Pedersen commitments require a transparent set-up where both $P$ and $V$ agree on a generator $g \in G$ .

Single Message Commitment

We commit to a message $m \in F_{p}$ by simply computing $c = m g$ . By the discrete log hardness assumption, it is hard to extract $m$ from $c$ , and because $g$ is a generator, $c$ can only be generated from $m$ .

Vector Pedersen Commitment

We commit to a list of messages $m_{1}, \dots, m_{n} \in F_{p}$ by first agreeing on $n$ generators $g_{1}, \dots, g_{n}$ and then computing $c = m_{1} g_{1} + m_{2} g_{2} + ... + m_{n} g_{n}$ . This is what is normally referred to as a multi-scalar multiplication in elliptic-curve cryptography.

Blinded Pedersen Commitment

In Remainder, we use blinded Pedersen commitments in order to guarantee statistical zero-knowledge (produce statistically hiding commitments as explained above). This involves the prover holding a random tape (usually instantiated by a cryptographic pseudo-random number generator), and the prover and verifier agreeing beforehand on a "blinding generator" $h$ . The prover simply adds $r h$ , which $r$ sampled from the random tape to its original, either Pedersen scalar commitment or vector commitment, to produce a blinded commitment. More succinctly, the blinded Pedersen commitment to a message $m$ is $m g + r h$ .

We go over how $V$ can verify that $c$ is indeed the commitment to a set of messages $m$ in future sections. Note that the size of both of these commitments is a single elliptic curve point, but the cost of computing these varies on the number of messages.

Hyrax Primitives

We go over various sigma protocols (interactive proofs with just 3 rounds of interaction) that allow the prover to prove various statements on its committed messages without having to open the commitment. For all of these protocols, let $g_{i} \in G$ be the message commitment generators, and $h \in G$ be the blinding generator. Let $F_{p}$ be the scalar field of $G$ . Assume the prover produces the blinding factor $r \in F_{p}$ using a cryptographic PRNG.

Proof of Opening

In a Proof of Opening, $P$ shows that given a commitment $C_{0} = xg + r h$ , $P$ knows the message $x$ and blinding factor $r$ used to generate this commitment.

$P \to V :$ $P$ samples $t_{1}, t_{2} \leftarrow $ F_{p}$ uniformly from the scalar field. $P$ computes and sends over $α = t_{1} g + t_{2} h .$
$V \to P :$ A random challenge $c$ from $F_{p}$ .
$P \to V :$ $z_{1} = x \cdot c + t_{1}$ , and $z_{2} = r \cdot c + t_{2}$ .
$V$ checks: $z_{1} g + z_{2} h = ? c C_{0} + α .$

Proof of Equality

In a Proof of Equality, $P$ convinces $V$ that two commitments $C_{0} = v_{0} g + s_{0} h$ and $C_{1} = v_{1} g + s_{1} h$ commit to the same value, i.e. $v_{0} = v_{1}$ . In other words $P$ knows that $v_{0} = v_{1}$ , but $V$ only has the blinded commitments, which look uniformly random (since $s_{0} h, s_{1} h$ are uniformly randomly distributed in $G$ for uniformly random $s_{0}, s_{1} \in F_{p}$ ).

$P \to V :$ $P$ first uniformly samples a random value $r$ from $F_{p}$ . $P$ computes $α = r h$ and sends to $V$ .
$V \to P :$ A random challenge $c$ from $F_{p}$ .
$P \to V :$ $z = c \cdot (s_{0} - s_{1}) + r$
$V$ checks: $z h = ? c (C_{0} - C_{1}) + α .$

Proof of Product

Proof of product shows that a commitment $Z = z g + r_{Z} h$ is a commitment to the product of the messages committed to in $X = xg + r_{X} h$ and $Y = y g + r_{Y} h .$ In other words, $P$ knows that $x \cdot y = z$ and wants to prove this to $V$ without revealing the messages and just using the commitments.

$P \to V :$ $P$ uniformly samples $b_{1}, \dots, b_{5}$ from $F_{p}$ and computes and sends over $α = b_{1} g + b_{2} h, β = b_{3} g + b_{4} h, δ = b_{3} X + b_{5} h .$
$V \to P :$ A random challenge $c$ from $F_{p}$ .
$P \to V :$ $z_{1} = b_{1} + c \cdot x z_{2} = b_{2} + c \cdot r_{X} z_{3} = b_{3} + c \cdot y z_{4} = b_{4} + c \cdot r_{Y} z_{5} = b_{5} + c \cdot (r_{Z} - r_{X} y)$
$V$ checks: $α + c X = ? z_{1} g + z_{2} h β + c Y = ? z_{3} g + z_{4} h δ + c Z = ? z_{3} X + z_{5} h$

Proof of Dot Product

Given $P$ 's commitment to a vector $x \in F_{p}^{n}$ , $C_{0} = x_{1} g_{1} + x_{2} g_{2} + \dots + x_{n} g_{n} + r_{0} h,$ and a public vector $a$ (known to both $V$ and $P$ ), and $P$ 's commitment to the claimed dot product $⟨ x, a ⟩ = y$ , which is $C_{1} = y g_{1} + r_{1} h,$ $P$ shows $V$ that they know a vector $x$ and blinding $r_{0}$ such that $⟨ x, a ⟩$ is equal to the message committed to in $C_{1}$ , and $C_{0}$ is a vector commitment for $x$ with blinding factor $r_{0}$ .

$P \to V :$ $P$ samples a random vector in $F_{p}^{n}$ , $d$ . $P$ samples $r_{δ}, r_{β}$ and computes and sends

$δ = d_{1} g_{1} + \dots + d_{n} g_{n} + r_{δ} h β = y g_{1} + r_{β} h$

$V \to P :$ A random challenge $c$ from $F_{p}$ .
$P \to V :$

$z = c \cdot x + d z_{δ} = c \cdot r_{0} + r_{δ} z_{β} = c \cdot r_{1} + r_{β}$ 4. $V$ checks:

$c C_{0} + δ = ? z_{1} g_{1} + \dots + z_{n} g_{n} + z_{δ} h c C_{1} + β = ? ⟨ z, a ⟩ g_{1} + z_{β} h$

Proof of Sumcheck

A key observation that the Hyrax protocol makes is that the verifier's sumcheck "checks," i.e. that $g_{i} (0) + g_{i} (1) = g_{i - 1} (r_{i - 1})$ , and the final oracle query, can be modeled as linear equations.

At each round, $P$ "sends" $V$ the univariate $g_{i} (X)$ by committing to its coefficients using Pedersen scalar commitments. Let $a_{i, 0}, \dots, a_{i, n}$ (to get commitments $C_{a_{i, 0}}, \dots, C_{a_{i, n}}$ ) be the coefficients for a degree $n$ univariate, where $a_{i, j}$ is the coefficient of the $j$ -th degree term.

Notice that $g_{i} (0)$ is simply $a_{i, 0}$ and $g_{i} (1)$ is $\sum_{j} a_{i, j}$ . Then $g_{i} (0) + g_{i} (1)$ is $2 a_{i, 0} + a_{i, 1} + \dots + a_{i, n}$ . We can compute the commitment to this using just the commitments to the coefficients as $2 C_{a_{i, 0}} + C_{a_{i, 1}} + \dots + C_{a_{i, n}}$ . Similarly, the evaluation $g_{i - 1} (r_{i - 1})$ can be computed using commitments to the coefficients of $g_{i - 1}$ as $\sum_{j} r^{j} C_{a_{i - 1, j}}$ . For each intermediate round of sumcheck, we simply have to compute a proof of equality between the two commitments $2 C_{a_{i, 0}} + \sum_{j} C_{a_{i, j}}$ and $\sum_{k} r^{k} C_{a_{i - 1, k}}$ .

We can formulate the verifier's checks as a matrix vector product where the matrix $M$ contains the linear combination coefficients over the prover's messages, and the vector $π$ contains the prover's sumcheck messages as coefficients of the univariate polynomial in each round. Let round $i$ 's univariate have $d_{i}$ coefficients. Then, we can write the verifier's checks as such:

$M = d_{0} 21 \dots 1 - 1 - r_{0} \dots - r_{0}^{d_{0} - 1} d_{1} 21 \dots 1 - 1 - r_{1} \dots - r_{1}^{d_{1} - 1} d_{2} 21 \dots 1 ⋱ - 1 - r_{n - 1} \dots - r_{n - 1}^{d_{n - 1} - 1} d_{n} 21 \dots 1 - 1 - r_{n} \dots - r_{n}^{d_{n} - 1} π = C_{a_{0, 1}} C_{a_{0, 2}} ⋮ C_{a_{0, d_{0}}} ⋮ C_{a_{n, 1}} C_{a_{n, 2}} ⋮ C_{a_{n, d_{n}}}$

To encode all of the verifier's sumcheck checks in one go, we have $V$ check that:

$M \cdot π = H 0 ⋮ 0 ?$

The final $?$ represents the fact that the final dot product in the matrix-vector product $M \cdot π$ is not $0$ . In fact, it should be exactly equal to the value that $V$ receives when it does the final "oracle query" in sumcheck. This is discussed next.

Every non-specified entry in the matrix $M$ is $0$ , and it has dimension $(n + 1) \times \sum_{i} d_{i}$ . $π$ has dimension $\sum_{i} d_{i} \times 1$ . Its product has dimension $(n + 1) \times 1$ . The sum $H$ represents $P$ 's original claim for the sumcheck expression -- the sum of the first univariate $g_{0} (0) + g_{0} (1)$ should be equal to the sum, which is what the first row of the matrix multiplied by $π$ encodes.

Note that we can do a proof of dot product for each of the row of the matrix with $π$ as the private vector, and each entry in the resultant vector as the claimed dot product.

However, there is a small subtlety: every $d_{i}$ coefficients in $π$ must be committed to before the challenge $r_{i}$ is sampled for sumcheck. Otherwise, $P$ can modify the commitments to make false claims using its knowledge of $r_{i} .$ Therefore, $π$ is committed to incrementally, and after each commitment $r_{i}$ is sampled. Finally, $V$ and $P$ engage in a proof of dot product for every row of the matrix $M$ .

The final "oracle query"

Over here we have encoded all of $V$ 's checks except for the final oracle query. Recall that at the end of sumcheck, $P$ has claims on underlying MLEs. In the Hyrax universe, $P$ commits to the claims it has on each of these MLEs, say via the commitments $v_{0}, \dots, v_{k} .$ Then $V$ can combine these commitments linearly to compute a commitment to the expected value $f (r_{1}, \dots, r_{n}) .$ Then, we expand the matrix $M$ to have $k$ additional columns and add the coefficients $V$ needs to compute the linear combination of $v_{0}, \dots, v_{k}$ to the last (the $n$ -th) row of $M$ , and $π$ has $k$ additional entries with the commitments $v_{0}, \dots, v_{n}$ . Then $V$ can expect the result of the final dot product to be $0$ .

Example

We provide a minimal example to show how $M$ and $π$ are constructed. Assume $P$ and $V$ are engaging in sumcheck over the claim that $V_{i} (g_{1}, g_{2}) = H$ , and via layerwise encoding, $V_{i} (z) = \sum_{x_{i}, y_{i}, z_{i} \in {0, 1}} add (z_{1}, z_{2}; x_{1}, x_{2}; y_{1}) (V_{i + 1} (x_{1}, x_{2}) + V_{i + 1} (y_{1})) .$ There are $3$ rounds of sumcheck (for each of the $x$ and $y$ ) variables, where $r_{1}, r_{2}$ bind to $x_{1}, x_{2}$ and $r_{3}$ is bound to $x_{3}$ . At the end of sumcheck, $P$ commits to $V_{i + 1} (r_{1}, r_{2})$ and $V_{i + 1} (r_{3})$ as $V_{0}$ and $V_{1} .$

$M, π$ look like this: $M = 2 - 1 00 1 - r_{1} 00 1 - r_{1}^{2} 00 02 - 1 0 01 - r_{2} 0 01 - r_{2}^{2} 0 002 - 1 001 - r_{3} 001 - r_{3}^{2} 000 add (g_{1}, g_{2}; r_{1}, r_{2}; r_{3}) 000 add (g_{1}, g_{2}; r_{1}, r_{2}; r_{3})$

$π = C_{a_{0, 1}} C_{a_{0, 2}} C_{a_{0, 3}} C_{a_{1, 1}} C_{a_{1, 2}} C_{a_{1, 3}} C_{a_{2, 1}} C_{a_{2, 2}} C_{a_{2, 3}} V_{0} V_{1}$

And their result that $V$ expects, which it can compute on its own is:

$M \cdot π = H 0 ⋮ 0$

Optimizations

There is an optimization specified in the original Hyrax paper which allows us to take the random linear combination of the rows of $M$ and do $n$ proofs of dot product of just size $d_{i}$ where $d_{i}$ is the number of coefficients in the univariate of round $i$ , rather than $n$ proofs of dot product of size $n \cdot d_{i}$ . We don't go into how to formulate this optimization, but suggest reading the original paper and specifically the "squashing $V$ 's checks" section. We have implemented this optimization in Remainder.

Proof of Claim Aggregation

There are two main methods of GKR claim aggregation used in Remainder, and we must provide proof that claims have been aggregated correctly for both methods, Random Linear Combination (RLC) and Interpolative Claim Aggregation, within the Hyrax framework as well.

Random Linear Combination (RLC) Claim Aggregation

Recall that RLC claim aggregation does not require a specific claim aggregation step, but rather just modifies the sumcheck equation for the next round. Therefore, the Hyrax $P$ does not need to provide a separate proof of claim aggregation, but instead in its proof of sumcheck, $V$ takes the random linear combination of the $add, mul,$ or $eq$ polynomials when computing the expected value of the "oracle query."

Interpolative Claim Aggregation

For interpolative claim aggregation, however, $P$ aggregates a set of $m$ claims given a challenge from $V$ , and $P$ and $V$ engage in sumcheck over this single claim. When working in the Hyrax proof system, $P$ must prove, via Pedersen commitments, that it computed the correct aggregated claim. In interpolative claim aggregation, $P$ computes and sends $V$ a polynomial $V_{i} \circ ℓ (X)$ (defined in the GKR interpolative claim aggregation section referenced earlier). Instead of sending this polynomial, $P$ sends $V$ commitments to each of its coefficients.

Say we are aggregating the claims: $V_{i} (g_{1}^{(1)}, g_{2}^{(1)}, \dots, g_{n}^{(1)}) = ? c_{i}^{(1)}, V_{i} (g_{1}^{(2)}, g_{2}^{(2)}, \dots, g_{n}^{(2)}) = ? c_{i}^{(2)}, ⋮ V_{i} (g_{1}^{(m)}, g_{2}^{(m)}, \dots, g_{n}^{(m)}) = ? c_{i}^{(m)} .$

We are aggregating $m$ claims each of $n$ variables -- let the coefficients of $V_{i} \circ ℓ (X)$ be $a_{0}, a_{1}, \dots, a_{(m - 1) \cdot n}$ , and let the commitments to them be $C_{a_{0}}, C_{a_{1}}, \dots, C_{a_{(m - 1) \cdot n}} .$

$V$ now has two things to verify: first, that the polynomial was computed by aggregating the given claims, and second, that the prover actually knows the values committed to within the commitments $C_{a_{i}} .$

By the definition of $V_{i} \circ ℓ (X)$ , this means that $V_{i} \circ ℓ (0) = c_{i}^{(1)}, V_{i} \circ ℓ (1) = c_{i}^{(2)}, \dots, V_{i} \circ ℓ (m - 1) = c_{i}^{(m)} .$ It can do this by homomorphically evaluating $V_{i} \circ ℓ (X)$ at these points using the commitments to the coefficients of this polynomial, and checking an additional proof of equality between that and the commitment to the claim $c_{i}^{(X + 1)} .$

Additionally, $P$ must prove to $V$ that it indeed knows the original coefficients $a_{0}, \dots, a_{(m - 1) \cdot n}$ without revealing them. For this, $P$ and $V$ can engage in $(m - 1) \cdot n + 1$ proofs of opening for each of the commitments to the coefficients.

After this, $V$ can sample the random challenge $r^{⋆}$ , and evaluates $V_{i} \circ ℓ (r^{⋆})$ using the commitments to its coefficients (via $\sum (r^{⋆})^{i} \cdot C_{H_{i}}$ ) to compute the aggregated claim.

Hyrax Polynomial Commitment Scheme

References: WTS+18, page 8.

Prerequisites

As described within the committed input layers section, the Hyrax polynomial commitment scheme (PCS) consists of a $Commit$ and an $Eval$ phase such that

During $Commit$ , the prover sends a commitment $com$ for the input layer MLE $V_{d}$ .
After running the rest of the Hyrax IP, we are left with a claim $V_{d} (r_{1}, ..., r_{n}) = ? c_{d}$ .
During $Eval$ , the prover sends an evaluation proof $π$ showing that $V_{d} (r_{1}, ..., r_{n}) = c_{d}$ .

A Simple Protocol

Note that for an MLE $V_{d} (X_{0}, \dots, X_{n})$ with coefficients in the Lagrange basis $a_{0}, \dots, a_{2^{n} - 1},$ the evaluation $V_{d} (r_{1}, ..., r_{n})$ can be represented by the following inner product:

$[a_{1} a_{2} \dots a_{2^{n}}] \cdot (1 - r_{1}) \cdot (1 - r_{2}) \cdot ... \cdot (1 - r_{n}) (1 - r_{1}) \cdot (1 - r_{2}) \cdot ... \cdot r_{n} ⋮ r_{1} \cdot r_{2} \cdot ... \cdot r_{n}$

In the future, we note that the latter vector is simply a tensor product of the smaller vectors $[1 - r_{i} r_{i}]$ , so we represent it as the tensor product $\otimes_{i = 0}^{n} (1 - r_{i}, r_{i}) .$

Indeed, this above observation allows us to create a very simple PCS with the help of proof-of-dot-product. In particular,

During the $KeyGen$ phase, we produce generators $g_{1}, ..., g_{2^{n}}, h$ .
During the $Commit$ phase, the prover generates a blinding factor $s_{0}$ and computes the commitment $com = s_{0} \cdot h + j = 1 \sum 2^{n} a_{j} \cdot g_{j}$
During the $Eval$ phase, the prover and verifier engage in a proof-of-dot-product, where
- The public vector is $\otimes_{i = 0}^{n} (1 - r_{i}, r_{i})$
- The committed vector is $com$
- The committed inner product value is $c_{d} \cdot g_{1} + s_{1} \cdot h$

We note that the size of the commitment is $O (1)$ since the commitment is a single group element. However, both the verifier runtime and communication cost are $O (2^{n})$ (as proof-of-dot-product incurs costs which are linear in the size of the vectors), which is less than ideal. Can we do better?

Vector-Matrix-Vector Product Observation

(Reader's note: the construction described here is identical to that in the Ligero PCS section.) Rather than simply linearly arranging the coefficients of $V_{d}$ as above, we can instead arrange them in a square matrix (for now, assume that $n$ is even) of size $2^{n /2} \times 2^{n /2}$ by enumerating the coefficients in row-major order:

$M = a_{1} a_{2^{n /2} + 1} ⋮ a_{2^{n} - 2^{n /2}} a_{2} a_{2^{n /2} + 2} ⋮ a_{2^{n} - 2^{n /2} + 1} \dots \dots ⋱ \dots a_{2^{n /2}} a_{2^{n /2 + 1}} ⋮ a_{2^{n}}$

Given the matrix formulation of $V_{d}$ above, we can write the evaluation of $V_{d} (r_{1}, \dots, r_{n})$ as the following vector-matrix-vector product:

We denote the left vector as $L \in F^{2^{n /2}}$ and the right vector as $R \in F^{2^{n /2}}$ . This allows us to create the following PCS:

Commitment Phase

We assume that $KeyGen$ has given the prover and verifier a set of common generators $g_{1}, ..., g_{2^{n /2}}, h_{1}, ..., h_{2^{n /2}}$ . The prover generates random blinding factors $s_{1}, ..., s_{2^{n /2}}$ and computes the following during the commit phase: $com = com_{1} com_{2} ⋮ com_{2^{n /2}}$ where $com_{k} = s_{k} \cdot h_{k} + \sum_{j = 1}^{2^{n /2}} a_{2^{n /2} \cdot (k - 1) + j} \cdot g_{2^{n /2} \cdot (k - 1) + j}$ is a Pedersen commitment to the $k$ 'th row of $M$ . where $com_{k} = s_{k} \cdot h_{k} + \sum_{j = 1}^{2^{n /2}} a_{2^{n /2} \cdot (k - 1) + j} \cdot g_{2^{n /2} \cdot (k - 1) + j}$ is a Pedersen commitment to the $k$ 'th row of $M$ . The prover sends $com$ to the verifier.

Evaluation Phase

The prover sends $com$ to the verifier, who computes a "squashed" commitment The verifier computes a "squashed" commitment $squashed_com = k = 1 \sum 2^{n /2} L_{k} \cdot com_{k}$ Note that the above is now a blinded Pedersen vector commitment to the vector-matrix product $L \cdot M$ . The verifier can do the above in $O (2^{n /2})$ group operations. Finally, the prover and verifier execute a proof-of-dot-product with the following:

The public vector is $R$
The committed vector is $squashed_com$
The committed inner product value is $c_{d} \cdot g_{1} + s_{1} \cdot h$

Note that unlike the simple protocol, this proof-of-dot-product is invoked over two vectors of length $2^{n /2}$ rather than $2^{n}$ . The final evaluation proof size is thus $O (2^{n /2})$ and the final verifier cost is also $O (2^{n /2})$ , although the commitment size is now increased to $O (2^{n /2})$ from $O (1)$ earlier.

Costs

Assume that the prover is committing to a multilinear polynomial in $n$ variables. Assume that $n$ is even, and that $g_{1}, ..., g_{2^{n /2}}, h \in G$ are our generators (we implicitly arrange down the polynomial's coefficients into a square matrix, although other matrix shapes are equally valid and result in different costs/proof sizes). For simplicity, assume that computing a multi-scalar multiplication over $k$ generators costs $O (k lo g_{2} ∣ F ∣)$ (this can be improved with e.g. Pippenger's, of course).

Prover Cost

During the commitment phase, the prover computes Pedersen vector commitments to each row of $M$ . Each Pedersen vector commitment is an MSM of length $2^{n /2}$ , and thus the total runtime is $O (2^{n /2} \cdot 2^{n /2} lo g_{2} ∣ F ∣)$ group operations.
During the evaluation phase, the prover computes a proof-of-dot-product over $squashed_com$ and $R$ . This requires roughly $O (2^{n /2})$ group operations.
The prover's total cost is thus $O (2^{n} lo g_{2} ∣ F ∣ + 2^{n /2})$ group operations.

Proof Size

The commitment size is one Pedersen vector commitment per row of the matrix, i.e. $O (2^{n /2})$ group elements.
The evaluation proof is a proof-of-dot-product where the vector is length $O (2^{n /2})$ , resulting in $O (2^{n /2})$ group elements being communicated.

Verifier Cost

During the commitment phase, the verifier receives row commitments $com_{1}, ..., com_{2^{n /2}}$ .
During the evaluation phase, the verifier first computes $squashed_com$ by itself, which requires computing a single MSM of length $2^{n /2}$ . This costs $O (2^{n /2} lo g_{2} ∣ F ∣)$ group operations.
Next, the verifier engages in verifying a proof-of-dot-product with the prover between $squashed_com$ and $R$ . This costs roughly $O (2^{n /2})$ group operations.
The verifier's total cost is thus $O (2^{n /2} \cdot (lo g_{2} ∣ F ∣ + 1))$ .

Putting it all Together

So far, we've gone over the Hyrax Primitives, and how these various primitives come together to prove more complex protocols, such as Proof of Sumcheck and Claim Aggregation. Now we go over how to put all of these together to construct a Zero-Knowledge GKR proof using the Hyrax transformation.

$P$ commits to the input of the GKR circuit using a polynomial commitment scheme. For Hyrax circuits, this is via the Hyrax PCS.
For every GKR layer, $P$ commits to its sumcheck messages at each round by committing to the coefficients of the univarate that makes up each round using Pedersen Commitments.
At the end of sumcheck, $P$ commits to the values it claims on "underlying" MLEs.
If any of these values involved a product of MLEs, such as $V_{i} (0, r_{1}, \dots, r_{n}) \cdot V_{i} (1, r_{1}, \dots, r_{n})$ , then $P$ commits to its claim for $V_{i} (0, r_{1}, \dots, r_{n})$ , as $v_{A}$ , the claim for $V_{i} (1, r_{1}, \dots, r_{n})$ as $v_{B}$ , and the product $V_{i} (0, r_{1}, \dots, r_{n}) \cdot V_{i} (1, r_{1}, \dots, r_{n})$ as $v_{0}$ . This is because $V$ only needs $v_{0}$ to compute the evaluation $f (r_{1}, \dots, r_{n})$ , but:
$P$ needs to prove to $V$ that $v_{0}$ is a commitment to the product of the underlying messages in $v_{A}$ and $v_{B}$ . Therefore $P$ and $V$ engage in the necessary proofs of product for this GKR layer over commitments on underlying MLEs.
$P$ and $V$ engage in proof of sumcheck for this layer.
For the next layer, if it is not the input layer, $P$ and $V$ engage in a proof of claim aggregation depending on the type of claim aggregation used. They both have an aggregated claim (or RLC of claims) to do the next layer of sumcheck over, and repeat steps 1-6 until the input layer.

At the input layer, $P$ and $V$ either produce $m$ separate input layer proofs, or must engage in interpolative claim aggregation because we do not have a future layer of sumcheck to reduce to. Finally, $P$ ends up with a claim on the input to the circuit at a random point. We engage in an evaluation proof using the Hyrax PCS to prove this final claim.

The Remainder Book