Core Math for Verifiable Computing

Table of Contents

1. Sumcheck Protocol

1.1. Multivariate Polynomials

\(k\)-variate polynomial \(f(x_1,...,x_k)\) over a finite field \(\mathbb F_p\)

  1. Variable degree \(d\): max degree of each variable
  2. Multilinear polynomial: \(d = 1\)

    E.g., \(f(x_1, x_2) = 5 + 4x_1 + 3x_2 + 2x_1x_2 \)

    The size of a multilinear polynomial (# of coefficients/monomials): \(N = 2^k \) (Binary Tree)

  3. Size of multivariate polynomial

    E.g., \(f(x_1, x_2) = 1 + x_2 + {x_2}^2 + x_1 + {x_1}{x_2} + {x_1}{x_2}^2 + {x_1}^2{x_2} + {x_1}^2{x_2}^2\)

    The size of a multivariate polynomial (# of coefficients/monomials): \(N = (d+1)^k \) (d-leaves Tree)

1.2. The Sumcheck Problem

\[ S = \sum_{b_1,...,b_k \in \{0,1\}}{f(b_1,...,b_k)} \] Where \(f\) is a multivariate polynomial, \(S\) is the sum of boolean hypercube evaluations of \(f\)

E.g., \(f(x_1, x_2) = 5 + 4x_1 + 3x_2 + 2x_1x_2 \to f(0, 0) = 5, f(0, 1) = 8, f(1, 0) = 9, f(1, 1) = 14 \to S = 36\)

  • Number of evaluations in the sum: \(2^k\)
  • Time to compute each evaluation: \(T\)
  • Total time to compute the sum: \(2^k \times T\)

1.3. The Sumcheck Protocol

The sumcheck protocol is an interactive proof protocol to prove the correctness of a sumcheck problem.

  1. Initial: P send the Claimed \(S\)

    \[ S = \sum_{b_1,...,b_k \in \{0,1\}}{f(b_1,...,b_k)} \]

  2. First Round: P construct univariate polynomial \(f_1 \in \mathbb F\) to V

    \[ f_1(x_1) = \sum_{b_2,...,b_k \in \{0,1\}}{f(x_1,b_2,...,b_k)} \]

    • V checks if \(S = f_1(0) + f_1(1)\)
    • V then picks a random value \(r_1 \in \mathbb F \) and sends to P

    Now in the next round, P need to prove the reduced sumcheck problem \(S_1\) with \(x_1\) being replaced by fixed \(r_1\): \[ S_1 = f_1(r_1) = \sum_{b_2,...,b_k \in \{0,1\}}{f(r_1,b_2,...,b_k)} \]

1.3.1. Second Round: P construct univariate polynomial \(f_2 \in \mathbb F\) to V

\[ f_2(x_2) = \sum_{b_3,...,b_k \in \{0,1\}}{f(r_1,x_2,b_3...,b_k)} \]

  • V checks if \(S_1 = f_2(0) + f_2(1)\)
  • V then picks a random value \(r_2 \in \mathbb F \) and sends to P

Now in the next round, P need to prove the further reduced sumcheck problem \(S_2\) with \(x_1, x_2\) being replaced by fixed \(r_1, r_2\): \[ S_2 = f_2(r_2) = \sum_{b_3,...,b_k \in \{0,1\}}{f(r_1,r_2,b_3,...,b_k)} \]

1.3.2. i-th Round: P construct univariate polynomial \(f_i \in \mathbb F\) to V

\[ f_i(x_i) = \sum_{b_{i+1},...,b_k \in \{0,1\}}{f(r_1,...,r_{i-1},x_i,b_{i+1}...,b_k)} \]

  • V checks if \(S_{i-1} = f_i(0) + f_i(1)\)
  • V then picks a random value \(r_i \in \mathbb F \) and sends to P

Now in the next round, P need to prove the further reduced sumcheck problem \(S_i\) with \((x_1,...,x_i)\) being replaced by fixed \((r_1,...,r_i)\): \[ S_i = f_i(r_i) = \sum_{b_{i+1},...,b_k \in \{0,1\}}{f(r_1,...,r_i,b_{i+1}...,b_k)} \]

1.3.3. The Last Round (round k): P construct univariate polynomial \(f_k \in \mathbb F\) to V

\[ f_k(x_k) = f(r_1,...,r_{k-1},x_k) \]

  • V checks if \(S_{k-1} = f_k(0) + f_k(1)\)
  • V then picks a random value \(r_k \in \mathbb F \) and performs the final check

\[ f_k(r_k) \stackrel{?}{=} f(r_1,...,r_k) \] This means V is now perform computation on its own to check that whether the evaluation of \(r_k\) on constructed \(f_k\) by P is equal to the evaluation of \((r_1,...,r_k)\) on the multivariate polynomial \(f\) in the sumcheck problem.

The soundness comes from the final check, if \(f_k\) is incorrectly constructed by a dishonest P, then the probability that \(f_k(r_k) = f(r_1,...,r_k)\) is only \(\frac{d}{|\mathbb F |}\), where \(d\) is the total degree of polynomial \(f\) over finite field \(\mathbb F\), according to the DeMillo-Lipton-Schwartz-Zippel lemma, which is unconditionally secure without any crypto assumption.

2. Multilinear Polynomials

2.1. Multilinear Polynomial from Coefficients

For an n-variate multilinear polynomial, the classic "coefficients" view stores the \(2^n\) numbers \(c_b\) array. \[ g(x_1, \dots, x_n) = \sum_{b \in \{0,1\}^n} c_b \prod_{i=1}^n x_i^{b_i} \] Where \(b = (b_1,...,b_n)\) is an n-bit vector indexing the monomials of a multilinear polynomial (i.e., \((b_i \in \{0,1\})\) is the i-th bit of the vector \(b\)), and because each exponent is 0 or 1, every variable appears at most linearly in any term.

In cryptography, multilinear polynomials often operating in a large finite field, which cannot include real numbers. (Predictable, efficient to evaluate & manipulate and can apply random evaluation on Schwartz-Zippel Lemma).

2.2. Multilinear Extensions from Values

In Arithmetic Circuits, which is a layered directed acyclic graph (DAG) where each gate computes an arithmetic operation (typically addition or multiplication) over a finite field, and where each gate in a layer depeneds only on gates from the previous layer). When we already know the circuits's wire-values on the boolean cube we can have the evaluation view of that circuit's multilinear polynomials. \[ (v_b \stackrel{\text{def}}{=} g(b_1,...,b_n))_{b \in \{0,1\}^n} \]

Unlike coefficients, the circuit's layer already spits these numbers \((v_b)\) out "for free", and these value is enough for us to use folding techniques to calculate its multilineal extensions (i.e., evaluating \(g(x)\) at \(x \in \{\mathbb F\}^n\))

2.3. Folding Technique

Because \(g\) is linear in each coordinate we have, and since we want evaluate this polynomial at random points \(r \in \{\mathbb F\}\), for every fixed \(x_2,...,x_n\), let: \(g(t) = g(t, x_2, ..., x_n)\) the degree of \(t\) in \(h\) is \(\leq\) 1, so there are scalars \(a, b \in \mathbb F\) with \(h(t) = a \cdot t + b\). In other words, once we "zoom in" on a single axis, the graph is always a straight line.

Evaluating at the only two Boolean values of \(t\), which completes define that linear function, where \(h(0) = b, h(1) = a + b\), these give \(a = h(1) - h(0), b = h(0)\), plug them back into \(h(t)\): \[ h(t) = (h(1) - h(0)) \cdot t + h(0) = (1-t) \cdot h(0) + t \cdot h(1) \] So for \(g(t) \in \mathbb F\), we have: \[ g(t,x_2,...,x_n) = (1 - t) \cdot g(0,x_2,...,x_n) + t \cdot g(1,x_2,...,x_n) \]

The right-hand side needs only the two "slices" where \(x_1\) is fixed to 0 or 1, repeat for the next variable and we will shrink \(2^n \to 2^{n-1} \to ... \to 1\) - the desired evaluations of gate values in the circuit.

Because \(g\) is degree-1 in every coordinate, we can evaluate it by a sequence of 1-dimensional linear interpolations: 

dimension   n:   size 2^n     -- fold along x1 -->
dimension n-1:   size 2^{n-1} -- fold along x2 -->
...
dimension   1:   size 2       -- fold along xn -->
dimension   0:   size 1       (the answer)

Cost: one addition and one multiplication per value per fold \(\to n \cdot 2^n\) operations, only combine all existing values of gates array.

2.4. Concrete Example

Folding is just repeated affine interpolation, turning the vector \(v\) into a single weighted sum, for \(n = 3 \), let:

\begin{aligned} r := (r_1,r_2,r_3) \in \mathbb F^3, \\ v := (v_{000},v_{001},v_{010},v_{011},v_{100},v_{101},v_{110},v_{111}), \\ \end{aligned}

Step 1 (fold \(x_1\)) size 4:

\begin{aligned} g_{00} &= (1-r_1)\,v_{000} + r_1\,v_{100},\\ g_{01} &= (1-r_1)\,v_{001} + r_1\,v_{101},\\ g_{10} &= (1-r_1)\,v_{010} + r_1\,v_{110},\\ g_{11} &= (1-r_1)\,v_{011} + r_1\,v_{111},\\[6pt] \end{aligned}

Step 2 (fold \(x_2\)) size 2:

\begin{aligned} h_{0} &= (1-r_2)\,g_{00} + r_2\,g_{10},\\ h_{1} &= (1-r_2)\,g_{01} + r_2\,g_{11},\\[6pt] \end{aligned}

Step 3 (fold \(x_3\)) size 1:

\begin{aligned} g(r_1,r_2,r_3) &= (1-r_3)\,h_{0} + r_3\,h_{1}. \end{aligned}

3. GKR Protocol

Author: vienna

Created: 2025-08-11 Mon 14:37

Validate