GKR Explained: From Cubes to Curves
Soundness via Sum-Check, Folding, and Multilinear Extensions

\[ f_2(x_2) = \sum_{b_3,...,b_k \in \{0,1\}}{f(r_1,x_2,b_3...,b_k)} \]

• V checks if \(S_1 = f_2(0) + f_2(1)\)
• V then picks a random value \(r_2 \in \mathbb F \) and sends to P

Now in the next round, P need to prove the further reduced sum-check problem \(S_2\) with \(x_1, x_2\) being replaced by fixed \(r_1, r_2\): \[ S_2 = f_2(r_2) = \sum_{b_3,...,b_k \in \{0,1\}}{f(r_1,r_2,b_3,...,b_k)} \]

\[ f_i(x_i) = \sum_{b_{i+1},...,b_k \in \{0,1\}}{f(r_1,...,r_{i-1},x_i,b_{i+1}...,b_k)} \]

• V checks if \(S_{i-1} = f_i(0) + f_i(1)\)
• V then picks a random value \(r_i \in \mathbb F \) and sends to P

Now in the next round, P need to prove the further reduced sum-check problem \(S_i\) with \((x_1,...,x_i)\) being replaced by fixed \((r_1,...,r_i)\): \[ S_i = f_i(r_i) = \sum_{b_{i+1},...,b_k \in \{0,1\}}{f(r_1,...,r_i,b_{i+1}...,b_k)} \]

\[ f_k(x_k) = f(r_1,...,r_{k-1},x_k) \]

• V checks if \(S_{k-1} = f_k(0) + f_k(1)\)
• V then picks a random value \(r_k \in \mathbb F \) and performs the final check

\[ f_k(r_k) \stackrel{?}{=} f(r_1,...,r_k) \] This means V is now perform computation on its own to check that whether the evaluation of \(r_k\) on constructed \(f_k\) by P is equal to the evaluation of \((r_1,...,r_k)\) on the multivariate polynomial \(f\) in the sum-check problem.

The soundness comes from the final check, if \(f_k\) is incorrectly constructed by a dishonest P, then the probability that \(f_k(r_k) = f(r_1,...,r_k)\) is only \(\frac{d}{|\mathbb F |}\), where \(d\) is the total degree of polynomial \(f\) over finite field \(\mathbb F\), according to the DeMillo-Lipton-Schwartz-Zippel lemma, which is unconditionally secure without any crypto assumption.

Current table \(T=v\). Then \[ c_0 = \underbrace{v_{000}+v_{001}+v_{010}+v_{011}}_{\text{all with } x_1=0},\qquad c_1 = \underbrace{(v_{100}-v_{000})}_{\text{pair }(000,100)} + \underbrace{(v_{101}-v_{001})}_{\text{pair }(001,101)} + \underbrace{(v_{110}-v_{010})}_{\text{pair }(010,110)} + \underbrace{(v_{111}-v_{011})}_{\text{pair }(011,111)}. \] Send \(p_1(x_1)=c_0+c_1x_1\) and receive \(r_1\).

Fold \(x_1=r_1\):

Replace each pair by \((1-r_1)v_{0}+r_1 v_{1}\) to get \(T^{(1)}=(g_{00},g_{01},g_{10},g_{11})\)

\[ c_0=g_{00}+g_{01},\qquad c_1=(g_{10}-g_{00})+(g_{11}-g_{01}). \] Send \(p_2(x_2)\), receive \(r_2\), fold to \(T^{(2)}=(h_0,h_1)\).

\[ c_0=h_0,\qquad c_1=h_1-h_0. \] Send \(p_3(x_3)\), receive \(r_3\). The final fold gives \(g(r_1,r_2,r_3)\).

Each step is one linear pass over the current table; no recomputation.

The sum-check protocol run at each GKR layer must target a fixed low-degree polynomial before the interaction begins. For that, we need freeze the output address by sampling \(r_a \in \mathbb F\) up front that pins layer polynomial down and prevents the prover from adapting it mid-protocol.

\[ \tilde{w}_o(r_a) = \sum_{b,c \in \{0,1\}^{2s_{bc}}} \widetilde{add}(r_a, b, c) \cdot (\tilde{w_i}(b) + \tilde{w_i}(c)) + \widetilde{mul}(r_a, b, c) \cdot \tilde{w_i}(b) \cdot \tilde{w_i}(c) \]

Specializing the wiring MLEs at \(a = r_a\) converts them into functions of \((b,c)\) alone. Wirings can be represented by their dense value table \((\alpha^{add}, \alpha^{mul})\) over the Boolean cube, and then used to build dense MLEs:

\[ \boxed{% \begin{aligned} \alpha^{add}[b ∥ c] = \widetilde{\mathrm{add}}(r_a,b,c) &= \sum_{\text{ADD gates g}} \chi_{g.out}(r_a)\, \chi_{g.left}(b)\,\chi_{g.right}(c),\\[2mm] \end{aligned}} \]

and analogously \(\alpha^{mul}\). Here \(\chi_{g.out}(r_a)\) is the multilinear indicator for the output bits of gate \(g\), evaluated at the field point \(r_a\); on Boolean \(a\) it is a Kronecker delta, but at random \(r_a\) it is a weight in \(\mathbb F\). For a fixed Boolean \((b, c)\), the factors \(\chi_{g.left}(b), \chi_{g.right}(c)\) select exactly those gates whose input addresses equal \((b, c)\), so \(\alpha^{add}[b ∥ c]\) is the sum of \(\chi_{g.out}(r_a)\) over all such ADD gates (and similarly for MUL). We then instantiate the reduced wiring polynomials as MLEs from these tables.

Once we fix the output address \(a = r_a\), the wiring MLEs become functions of the input addresses only: \[ A(b,c) := \widetilde{\mathrm{add}}(r_a,b,c),\qquad M(b,c) := \widetilde{\mathrm{mul}}(r_a,b,c), \]

Both multilinear in \((b,c)\in\mathbb{F}^{2s}\). Let \(w(\cdot)\) be the MLE of the previous layer’s wire-values. The target function for sum-check is

\[ F(b,c) \;=\; A(b,c)\cdot\bigl(w(b)+w(c)\bigr)\;+\;M(b,c)\cdot w(b)\,w(c), \]

the claimed sum is

\[ H \;=\; \sum_{(b,c)\in\{0,1\}^{2s}} F(b,c). \]

In the \(k\)-th round the verifier fixes all but the current variable \(x\in\{b_j\}\cup\{c_j\}\) and asks the prover for the univariate polynomial \(p(x)\)

\[ p(x) \;=\; \sum_{\text{remaining }(b,c)} F(\cdot). \]

Because \(A,M\) are linear in each coordinate and \(w(b),w(c)\) are linear in the relevant coordinate, we have \(\deg p \le 2\):

• \(M(b, c) \cdot w(b) \cdot w(c) \) is (linear) \(\cdot\) (constant or linear) \(\cdot\) (constant or linear), because \(w(b)\) and \(w(c)\) are never \(x\)-dependent at the same time:
  • If \(x\in b\): \(\deg_x\big(A\cdot w(b)\big)\le 2\), \(\deg_x\big(A\cdot w(c)\big)\le 1\), \(\deg_x\big(M\cdot w(b)\cdot w(c)\big)\le 2\).
  • If \(x\in c\): symmetric (swap \(b\) and \(c\)).
  • \(\to\) \(M(b, c) \cdot w(b) \cdot w(c) \) is quadratic in \(x\).

Writing every linear factor as \((1-x)u_0 + x\,u_1\), the identity

\[ \bigl((1-x)a_0+x a_1\bigr)\bigl((1-x)w_0+x w_1\bigr) = a_0w_0 + (-2a_0w_0+a_1w_0+a_0w_1)x + (a_0w_0-a_1w_0-a_0w_1+a_1w_1)x^2, \]

shows that the contributions of \(A\cdot w(b)\), \(A\cdot w(c)\), and \(M\cdot w(b)\cdot w(c)\) to the coefficients \((c_0,c_1,c_2)\) of \(p(x)=c_0+c_1x+c_2x^2\) are simple sums of the four endpoint products \((a_0w_0, a_0w_1, a_1w_0, a_1w_1)\) (and linear terms when one factor is constant).

Here we again keep shrinking tables for the remaining cube in the current round:

• \(T_A,T_M\) for \(A,M\): current dense tables for \(A\) and \(M\) after all consumed folds.
• \(T_{w_b}\) for \(w(b)\) (when the next variable lies in \(b\)).
• \(T_{w_c}\) for \(w(c)\) (when the next variable lies in \(c\)).

While the verifier fixes \(x (b, c)\) to \(r\), all affected tables are folded, same idea with Thaler'13: Linear-time Sum-Check via Folding Table.

Now suppose the next unfixed variable \(x\) is in \(b\). Write each linear factor as \((1-x)\,u_0 + x\,u_1\), which is a two-point Lagrange interpolation where: \[ u_0 := f(0)\ \text{(value with }x=0\text{)}, \qquad u_1 := f(1)\ \text{(value with }x=1\text{)}. \]

Only \(b\)-endpoints depend on \(x\); \(c\)-quantities are constants this round. Expanding shows contributions to \(p(x)=c_0+c_1x+c_2x^2\):

\begin{aligned} A\cdot w(b):\quad & c_0 \mathrel{+}= \sum A_0 w_0, c_1 \mathrel{+}= -2\sum A_0 w_0 + \sum A_1 w_0 + \sum A_0 w_1,\\ & c_2 \mathrel{+}= \sum A_0 w_0 - \sum A_1 w_0 - \sum A_0 w_1 + \sum A_1 w_1;\\ A\cdot w(c):\quad & c_0 \mathrel{+}= \sum A_0\,w(c), c_1 \mathrel{+}= -\sum A_0\,w(c) + \sum A_1\,w(c), c_2 \mathrel{+}= 0;\\ M\cdot w(b)w(c):\quad & c_0 \mathrel{+}= \sum M_0\,w_0\,w(c),\\ & c_1 \mathrel{+}= -2\sum M_0\,w_0\,w(c) + \sum M_1\,w_0\,w(c) + \sum M_0\,w_1\,w(c),\\ & c_2 \mathrel{+}= \sum M_0\,w_0\,w(c) - \sum M_1\,w_0\,w(c) - \sum M_0\,w_1\,w(c) + \sum M_1\,w_1\,w(c). \end{aligned}

All sums are over the remaining \((b,c)\) cube, with the current \(x\) fixed at \(0\) or \(1\).

Let \[ u(t) \;=\; (1-t)\,b^\star + t\,c^\star \in \mathbb F^s, \qquad q(t) \;=\; w(u(t)). \]

Because \(w\) is multilinear in \(s\) coordinates and each coordinate of \(u(t)\) is affine in \(t\), the univariate q has degree \(\deg q \le s\). Note that:

\[ q(0)=w(b^\star) \qquad q(1)=w(c^\star) \]

The verifier chooses any \(s+1\) distinct nodes \(x_0,\dots,x_s\in\mathbb F\) (e.g., \(x_j=j\)) and asks the prover for the vector evaluations

\[ y_j \stackrel{?}{=} q(x_j)=w(u(x_j)), \qquad j=0,\dots,s. \]

These \(s+1\) values uniquely determine a degree-\(\le s\) polynomial.

We want basis polynomials \(\ell_0(t),\dots,\ell_s(t)\) of degree \(\le s\) on distinct nodes \(x_0,\dots,x_s\in\mathbb{F}\) with the Kronecker-delta property \[ \ell_j(x_k) = \delta_{jk} = \begin{cases} 1, & \text{if } k=j, \\ 0, & \text{if } k\neq j, \end{cases} \qquad \text{for all } j,k\in\{0,\dots,s\}. \]

A polynomial vanishing at all nodes except \(x_j\) is \(\prod_{m\ne j}(t-x_m)\).

Normalize it to take value \(1\) at \(t=x_j\), we get the definition of Lagrange polynomial:

\[ \ell_j(t) \;=\; \prod_{\substack{m=0\\ m\ne j}}^{s} \frac{t-x_m}{x_j-x_m}. \]

From Wikipedia: Although named after Joseph-Louis Lagrange, who published it in 1795, the method was first discovered in 1779 by Edward Waring. It is also an easy consequence of a formula published in 1783 by Leonhard Euler.

Kronecker-delta vs. Lagrange polynomial (same idea, different domains).

Similarity "delta":

Polynomial evaluate to \(1\) at their own node and \(0\) at all others. enable reconstruction of a polynomial from its values at those nodes.

Different domain/degree:

Lagrange (1-D, arbitrary nodes): On a set \(\{x_0,\dots,x_s\}\) in one dimension, \(\{\ell_j\}\) reconstructs a univariate degree-\(\le s\) polynomial from \(s{+}1\) samples.

Kronecker/multilinear indicators (n-D Boolean grid): On the Boolean hypercube \(\{0,1\}^n\), \[ \chi_b(x_1,\dots,x_n) \;=\; \prod_{i=1}^{n}(1-x_i)^{1-b_i}\,x_i^{\,b_i}, \qquad b\in\{0,1\}^n, \] forms a basis for multivariate polynomials that are degree \(\le 1\) in each coordinate (multilinear). It reconstructs from \(2^n\) vertex values.

The Lagrange interpolation is a method for constructing a unique polynomial that passes through a given set of data points with the lowest order.

and the verifier defines the committed univariate polynomial:

\[ \widehat q(t) \;=\; \sum_{j=0}^{s} y_j\,\ell_j(t). \]

This binds the prover to a single degree-\(\le s\) curve before the verifier reveals any fresh randomness.

Sample fresh \(t^\diamond\ \in \mathbb F\) uniformly and set

\[ \boxed{\; r^{(i-1)} := u(t^\diamond) = (1-t^\diamond)\,b^\star + t^\diamond c^\star, \qquad H^{(i-1)} := \widehat q(t^\diamond). \;} \] This yields a single scalar claim for the next (input) layer: "the previous layer’s MLE equals \(H^{(i-1)}\) at the point \(r^{(i-1)}\)."

If the prover deviates so that \(\widehat q(t)\neq q(t)=w(u(t))\), then the error \(\Delta(t):=\widehat q(t)-q(t)\) is a nonzero univariate with \(\deg\Delta\le s\).

By DeMillo-Lipton-Schwartz-Zippel lemma: \[ \Pr\big[\widehat q(t^\diamond)=q(t^\diamond)\big] \;\le\; \frac{s}{|\mathbb F|}. \] Hence, except with probability \(\le s/|\mathbb F|\), the next-layer claim \(H^{(i-1)}\) is false and will be caught as the protocol proceeds (certainly at the input check).

Invariant at layer \(i\):

Let \(w_i\) be the MLE of wire values at layer \(i\) (inputs are layer \(0\), outputs layer \(L\)). At the start of layer \(i\), the verifier holds a point \(r^{(i)}\in\mathbb F^{s_i}\) and a scalar \(H^{(i)}\in\mathbb F\) with the invariant \[ H^{(i)} \;=\; \widetilde{w_i}(r^{(i)}) \quad\text{(for an honest prover).} \]

One layer step \(i\) to \(i-1\):

First, pin the output address, set \(a:=r^{(i)}\) and define \[ F_i(b,c) \;=\; A_i(a,b,c)\cdot\bigl(w_{i-1}(b)+w_{i-1}(c)\bigr) \;+\; M_i(a,b,c)\cdot w_{i-1}(b)\,w_{i-1}(c). \] The wiring identity implies \[ H^{(i)} \;=\; \sum_{(b,c)\in\{0,1\}^{2s_{i-1}}} F_i(b,c). \]

Next, run local sum-check on \(F_i\). After \(2s_{i-1}\) rounds, obtain \(b^\star,c^\star\in\mathbb F^{s_{i-1}}\) and a value \(S^\star\) that should equal \(F_i(b^\star,c^\star)\).

Local identity check and compression

• Compute \(A:=A_i(a,b^\star,c^\star)\) and \(M:=M_i(a,b^\star,c^\star)\) from the circuit.
• Obtain \(s_{i-1}\!+\!1\) samples of \(q(t)=w_{i-1}\big((1-t)b^\star+tc^\star\big)\), form \(\widehat q\) via Lagrange, and verify \[ A\bigl(\widehat q(0)+\widehat q(1)\bigr)+M\,\widehat q(0)\widehat q(1) \stackrel{?}{=} S^\star. \]
• Draw \(t^\diamond\!\leftarrow\!\mathbb F\) and set \[ r^{(i-1)} := (1-t^\diamond)b^\star+t^\diamond c^\star, \qquad H^{(i-1)} := \widehat q(t^\diamond). \]

If the prover cheated, the handoff is wrong with probability at least \(1 - s_{i-1}/|\mathbb F|\).

Base case (input layer):

At \(i=0\), the verifier knows the input table and thus \(\widetilde{w_0}\). It checks

\[ \boxed{\;\widetilde{w_0}(r^{(0)}) \stackrel{?}{=} H^{(0)}.\;} \] Acceptance implies that all reductions were consistent; otherwise the proof is rejected.

The prover provides (or commits to) the output table. The verifier samples \(r^{(L)}\!\leftarrow\!\mathbb F^{s_L}\) and computes the initial claim \[ H^{(L)} := \widetilde{w_L}(r^{(L)}). \]

Verify \(\widetilde{w_0}(r^{(0)})=H^{(0)}\). If any deviation occurs, either a sum-check equality fails immediately, or the line test injects a bad claim that is caught later (with per-layer soundness error at most \(s_{i-1}/|\mathbb F|\)). The overall soundness error is the sum of these negligible terms.

For \(i \in \{L,\dots,1\}\), perform the layer step \(i\to i-1\) above to obtain \((r^{(i-1)},H^{(i-1)})\).