Sum-Check Protocol

Suppose we are given a v-variatev\text{-variate} polynomial gg defined over a finite field FF. The purpose of the sum-check protocol is for the prover to provide the verifier with the following sum:

H=b1{0,1}b2{0,1}...bv{0,1}g(b1,...,bv).H = \sum_{b_1 \in \{0, 1\}} \sum_{b_2 \in \{0, 1\}} ... \sum_{b_v \in \{0, 1\}} g(b_1, ..., b_v).

Note: In full generality, the sum-check protocol can compute the sum bBvg(b)\sum_{b \in B^v} g(b) for any BFB ⊆ F.

Protocol Description

  1. At the start of the protocol, the prover sends a value C1C_1 claimed to equal the value HH

  2. In the first round, PP sends the univariate polynomial g1(X1)g_1(X_1) claimed to equal

g1(X1)=(x2,...,xv){0,1}v1g(X1,x2,...,xv).g_1(X_1) = \sum_{(x_2,...,x_v) \in \{0, 1\}^{v-1}} g(X_1, x_2, ..., x_v).

VV checks that C1=g1(0)+g1(1)C_1 = g_1(0) + g_1(1) and that g1g_1 is a univariate polynomial of degree at most deg1(g)deg_1(g), rejecting if not. Here degj(g)deg_j(g) denotes the degree of g(X1,...,Xv)g(X_1,...,X_v) in variable XjX_j.

  1. VV chooses a random element r1Fr_1 \in F, and sends r1r_1 to PP

  2. In the jthj\text{th} round, for 1<j<v1 < j < v, PP sends a univariate polynomial gj(Xj)g_j(X_j) claimed to equal

gj(Xj)=(xj+1,...,xv){0,1}vjg(r1,...,rj1,Xj,xj+1,...,xv)g_j(X_j) = \sum_{(x_{j+1},...,x_v) \in \{0,1\}^{v-j}} g(r_1,...,r_{j-1}, X_j, x_{j+1}, ..., x_v)

VV checks that gjg_j is a univariate polynomial of degree at most degj(g)deg_j(g) and that gj1(rj1)=gj(0)+gj(1)g_{j-1}(r_{j-1}) = g_j(0) + g_j(1), rejecting if not.

  1. VV chooses a random element rjFr_j \in F, and sends rjr_j to PP.

  2. In Round vv, PP sends to VV a univariate polynomial gv(Xv)g_v(X_v) claimed to equal

gv(Xv)=g(r1,...,rv1,Xv).g_v(X_v) = g(r_1, ..., r_{v-1}, X_v).

VV checks that gvg_v is a univariate polynomial of degree at most degv(g)deg_v(g), rejecting if not, and also checks that gv1(rv1)=gv(0)+gv(1)g_{v-1}(r_{v-1}) = g_v(0) + g_v(1).

  1. VV chooses a random element rvFr_v \in F and somehow (by their own efforts or with some polynomial commitment scheme) evaluates g(r1,...,rv)g(r_1,...,r_v). VV checks that gv(rv)=g(r1,...,rv)g_v(r_v) = g(r_1,...,r_v), rejecting if not.

  2. If VV has not yet rejected, VV halts and accepts.

Properties

  • perfect completeness

  • soundness

Costs

Costs of the sum-check protocol when applied to a v-variatev\text{-variate} polynomial gg over FF. Here, degi(g)deg_i(g) denotes the degree of variable ii in gg, and TT denotes the cost of an oracle query to gg.

Communication
Rounds
V time
P time

O(i=1vdegi(g))O(\sum_{i=1}^v deg_i(g)) field elements

vv

O(v+i=1vdegi(g))+TO(v + \sum_{i=1}^v deg_i(g)) + T

O(2vT)if degi(g)=O(1)for all iO(2^v·T)\\\text{if }deg_i(g) = O(1) \\ \text{for all }i

PreviousInteractive ProofsNextGKR Protocol

Last updated