HyperPlonk

Part \(1\)

Arithmetic Circuit

A typical computational problem: find solutions to the equation (i.e. \(\textsf{stmt}\))

\(w_1^2 \cdot w_2 + w_1 + 1 = 22\)

\times

w_1

w_2

\times

Witness: \(w \equiv (w_1=3, w_2=2)\), public inputs: \(\ell \equiv (c=1, z=22)\)
I can convince you that I know a solution \(w\) to \(\{\textsf{stmt}, \ell\}\) without revealing \(w\)
PLONK: Circuit size: \(n=4\), prover: \(\mathcal{O}(n\cdot\text{log}n)\), proof size and verifier: \(\mathcal{O}(1)\)

\iff

Gate Constraints

\times

w_1

w_2

\times

Gate	Constraint

w_1 \times w_1 = x_1

x_1 \times w_1 = x_2

w_2 + c = x_3

x_2 + x_3 = z

\textsf{a}

\textsf{b}

\textsf{c}

\textsf{q}_L

\textsf{q}_R

\textsf{q}_M

\textsf{q}_O

\textsf{q}_M

\textsf{q}_O

\textsf{q}_C

A gate constraint with inputs \((a, b, c)\) is written as:

\textcolor{gray}{\textsf{q}_L} a + \textcolor{grey}{\textsf{q}_R} b + \textcolor{grey}{\textsf{q}_M} a \times b + \textcolor{grey}{\textsf{q}_O} c + \textcolor{grey}{\textsf{q}_C} = 0

\textsf{q}_O

\textsf{q}_M

\textcolor{grey}{1

\textcolor{grey}{0}

}

w_1

x_1

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

x_1

w_2

x_2

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

w_2

x_3

\textcolor{grey}{1}

\textcolor{grey}{0}

x_2

x_3

\textcolor{grey}{1}

\textcolor{grey}{0}

Prove that each gate identity is zero
Convert vectors \((a, \dots, \textcolor{grey}{\textsf{q}_C})\) to polynomials:

\textcolor{gray}{\textsf{q}_L(X)} a(X) + \textcolor{grey}{\textsf{q}_R(X)} b(X) + \textcolor{grey}{\textsf{q}_M(X)} a(X) b(X) + \textcolor{grey}{\textsf{q}_O(X)} c(X) + \textcolor{grey}{\textsf{q}_C(X)} = 0

Gate Constraints

\textsf{a}

\textsf{b}

\textsf{c}

\textsf{q}_L

\textsf{q}_R

\textsf{q}_M

\textsf{q}_O

\textsf{q}_M

\textsf{q}_O

\textsf{q}_C

\textsf{q}_O

\textsf{q}_M

\textcolor{grey}{1

\textcolor{grey}{0}

}

f(X)

\omega^0

\omega^1

\omega^2

\omega^3

x_1

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

x_2

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

x_3

\textcolor{grey}{1}

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

w_1

x_1

w_2

x_2

w_1

w_2

x_3

w_1

x_1

w_2

x_2

w_1

w_2

x_3

\underbrace{\hspace{5cm}}_{H}

Gate Constraints

\textsf{a}

\textsf{b}

\textsf{c}

\textsf{q}_L

\textsf{q}_R

\textsf{q}_M

\textsf{q}_O

\textsf{q}_M

\textsf{q}_O

\textsf{q}_C

\textsf{q}_O

\textsf{q}_M

\textcolor{grey}{1

\textcolor{grey}{0}

}

f(X)

\omega^0

\omega^1

\omega^2

\omega^3

x_1

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

x_2

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

x_3

\textcolor{grey}{1}

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

w_1

x_1

w_2

x_2

w_1

w_2

x_3

w_1

w_2

x_3

w_1

x_1

w_2

x_2

a(X)

Plonk uses univariate polynomials to represent witness and selector vectors
The arithmetic identity must be 0 over \(H\)
That is: \(\forall x \in H\) we should have

\underbrace{\hspace{5cm}}_{H}

f_{\text{arith}}(x) := \textcolor{gray}{\textsf{q}_L(x)} a(x) + \textcolor{grey}{\textsf{q}_R(x)} b(x) + \textcolor{grey}{\textsf{q}_M(x)} a(x) b(x) + \textcolor{grey}{\textsf{q}_O(x)} c(x) + \textcolor{grey}{\textsf{q}_C(x)} = 0

Gate Constraints

\textsf{a}

\textsf{b}

\textsf{c}

\textsf{q}_L

\textsf{q}_R

\textsf{q}_M

\textsf{q}_O

\textsf{q}_M

\textsf{q}_O

\textsf{q}_C

\textcolor{grey}{1

\textcolor{grey}{0}

}

f(X)

\omega^0

\omega^1

\omega^2

\omega^3

x_1

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

x_2

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

x_3

\textcolor{grey}{1}

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

w_1

x_1

w_2

x_2

w_1

w_2

x_3

w_1

w_2

x_3

w_1

x_1

w_2

x_2

a(X)

\underbrace{\hspace{5cm}}_{H}

We know that \(f_{\text{arith}}(X)\) must be \(0\) on \(H\)
Thus, the set of roots of \(f_{\text{arith}}(X)\) must be \(\supseteq H\)

\begin{aligned} \implies f_{\text{arith}}(X) &= \textcolor{grey}{(X-\omega^0)(X-\omega^1)(X-\omega^2)(X-\omega^3)} \cdot t_{\text{arith}}(X) \\[5pt] &= \textcolor{grey}{Z_H(X)} \cdot t_{\text{arith}}(X) \end{aligned}

Thus, if we compute \(t_{\text{arith}(X)} = \frac{f_{\text{arith}}(X)}{Z_H(X)}\) and send it to verifier, we're done!

Copy Constraints

\textsf{a}

\textsf{b}

\textsf{c}

\textsf{q}_L

\textsf{q}_R

\textsf{q}_M

\textsf{q}_O

\textsf{q}_M

\textsf{q}_O

\textsf{q}_C

\textcolor{grey}{1

\textcolor{grey}{0}

}

x_1

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

x_2

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

x_3

\textcolor{grey}{1}

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

w_1

x_1

w_2

x_2

w_1

w_2

x_3

w_1

w_2

x_3

\textsf{S}_{\sigma_1}

\textsf{S}_{\sigma_2}

\textsf{S}_{\sigma_3}

\textsf{q}_O

\textsf{q}_M

\textcolor{grey}{\omega^0 \rightarrow 2}

\textcolor{grey}{\omega^1 \rightarrow 3}

\textcolor{grey}{k_1\omega^0 \rightarrow 1}

\textcolor{grey}{\omega^2 \rightarrow 5}

\textcolor{grey}{\omega^3 \rightarrow 6}

\textcolor{grey}{k_1\omega^1 \rightarrow 7}

\textcolor{grey}{k_1\omega^2 \rightarrow 8}

\textcolor{grey}{k_1\omega^3 \rightarrow 9}

\textcolor{grey}{k_2\omega^0 \rightarrow 4}

\textcolor{grey}{k_2\omega^1 \rightarrow 10}

\textcolor{grey}{k_2\omega^2 \rightarrow 11}

\textcolor{grey}{k_2\omega^3 \rightarrow 12}

z_{i+1} = z_i \frac{ (a_i \textcolor{grey}{+ \beta \omega^i + \gamma}) (b_i \textcolor{grey}{+ \beta k_1\omega^i + \gamma}) (c_i \textcolor{grey}{+ \beta k_2\omega^i + \gamma})} { (a_i \textcolor{grey}{+ \beta \sigma_1(i) + \gamma}) (b_i \textcolor{grey}{+ \beta \sigma_2(i) + \gamma}) (c_i \textcolor{grey}{+ \beta \sigma_3(i) + \gamma}) }

Compute permutation values: \(z_1=1\) and for \(i \in \{1, 2, \dots, n-1\}\)

In terms of polynomials, we need to prove: \(\forall x \in H\)

Z(x\omega) ( (a(x) \textcolor{grey}{+ \beta S_{\sigma_1}(x) + \gamma}) (b(x) \textcolor{grey}{+ \beta S_{\sigma_2}(x) + \gamma}) (c(x) \textcolor{grey}{+ \beta S_{\sigma_3}(x) + \gamma}) ) \\[3pt] - ( (a(x) \textcolor{grey}{+ \beta x + \gamma}) (b(x) \textcolor{grey}{+ \beta k_1x + \gamma}) (c(x) \textcolor{grey}{+ \beta k_2x + \gamma}) ) = 0

Drawbacks of Plonk

Compute quotient polynomial \(t(X)\)

\begin{aligned} t(X) =& \left(a(X)b(X)\textcolor{gray}{q_M(X)} + a(X)\textcolor{gray}{q_L(X)} + b(X)\textcolor{gray}{q_R(X)} + c(X)\textcolor{gray}{q_O(X)} + \textcolor{gray}{q_C(X)}\right){\scriptsize \frac{1}{Z_H(X)}} + \\ & (a(X) \textcolor{grey}{+ \beta X + \gamma}) (b(X) \textcolor{grey}{+ \beta k_1X + \gamma}) (c(X) \textcolor{grey}{+ \beta k_2X + \gamma}) (z(X)) {\scriptsize\frac{\alpha}{Z_H(X)}} -\\ & (a(X) \textcolor{grey}{+ \beta S_{\sigma_1}(X) + \gamma}) (b(X) \textcolor{grey}{+ \beta S_{\sigma_2}(X) + \gamma}) (c(X) \textcolor{grey}{+ \beta S_{\sigma_3}(X) + \gamma}) (z(X\omega)) {\scriptsize\frac{\alpha}{Z_H(X)}} +\\ & (z(X) - 1)\textcolor{gray}{L_1(X)} {\scriptsize\frac{\alpha^2}{Z_H(X)}} \end{aligned}

\textsf{arithmetic gate constraint}: 3n

\textsf{copy constraint}: 4n

In summary, we convert identities into univariate polynomial identities.
Then, we prove that each of the polynomial identities is 0 on a subgroup \(H\).
Computing \(t(X)\) requires the \(\textcolor{forestgreen}{4n}\)-evaluation form of polynomials.
Thus, lots of FFTs and iFFTs needed for the \(\textcolor{forestgreen}{4n}\)-evaluation form
Problem 1: For zkEVM circuits (\(\approx 2^{30}\)), FFTs become the bottleneck as \(\mathcal{O}(4n. \text{log}(4n))\)
Problem 2: High-degree gates increase the FFT and MSM complexity

Alternative Polynomial Representation

\textsf{a}

\textsf{b}

\textsf{c}

\textsf{q}_L

\textsf{q}_R

\textsf{q}_M

\textsf{q}_O

\textsf{q}_M

\textsf{q}_O

\textsf{q}_C

\textsf{q}_O

\textsf{q}_M

\textcolor{grey}{1

\textcolor{grey}{0}

}

f(X,Y)

x_1

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

x_2

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

x_3

\textcolor{grey}{1}

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

w_1

x_1

w_2

x_2

w_1

w_2

x_3

w_1

x_1

w_2

x_2

w_1

w_2

x_3

(0,0)

(1,0)

(0,1)

(1,1)

Alternative Polynomial Representation

\textsf{a}

\textsf{b}

\textsf{c}

\textsf{q}_L

\textsf{q}_R

\textsf{q}_M

\textsf{q}_O

\textsf{q}_M

\textsf{q}_O

\textsf{q}_C

\textsf{q}_O

\textsf{q}_M

\textcolor{grey}{1

\textcolor{grey}{0}

}

f(X,Y)

x_1

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

x_2

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

x_3

\textcolor{grey}{1}

\textcolor{grey}{0}

\textcolor{grey}{1}

\textcolor{grey}{0}

w_1

x_1

w_2

x_2

w_1

w_2

x_3

w_1

w_2

x_3

(0,0)

(1,0)

(0,1)

(1,1)

w_1

x_1

w_2

x_2

Use \(\mu\)-variate polynomials with \(\mu=\text{log}_2n\)
Boolean hypercube: \(B_\mu = \{0,1\}^\mu\)
Prove that a multi-variate polynomial is 0 on \(B_\mu\)
- Use sumcheck! But how?
Convert all of the identities to sumcheck!

Multi-variate Polynomials

Boolean hypercube: \(B_\mu = \{0,1\}^\mu\), let \(n:=2^\mu\)
\(\mathcal{F}_\mu^{\le d}:\) Set of multi-variate polynomials \(\mathbb{F}[X_1, X_2, \dots, X_\mu]\) s.t. \(\text{deg}(X_j) \le d \ \ \forall j \in [\mu]\)
Given \(f(X_1, X_2, X_3)\), we define its MLE \(\hat{f}\in \mathcal{F}_\mu^{\le 1}\) as:

f_0

f_1

f_3

f_2

f_4

f_6

f_5

f_7

\begin{aligned} \hat{f}(X_1, X_2, X_3) := & \ \textcolor{grey}{(1-X_3)}\textcolor{grey}{(1-X_2)}\textcolor{grey}{(1-X_1)}f_0 \ + \\ & \ \textcolor{grey}{(1-X_3)}\textcolor{grey}{(1-X_2)}(X_1)f_1 \ + \\ & \ \textcolor{grey}{(1-X_3)}(X_2)\textcolor{grey}{(1-X_1)}f_2 \ + \\ & \ \vdots \\ & \ (X_3)(X_2)\textcolor{grey}{(1-X_1)}f_4 \ + \\ & \ (X_3)(X_2)(X_1)f_7 \ + \\ \end{aligned}

Merge two \(f,g\in \mathcal{F}_{\mu}\) to get \(h \in \mathcal{F}_{\mu+1}\)

\textsf{merge}(f,g) = (1-X_0)f(X_1, \dots, X_\mu) + X_0g(X_1, \dots, X_\mu)

g_0

g_1

g_3

g_2

g_4

g_6

g_5

g_7

X_0=0

X_0=1

HyperPlonk Buildup

L_i

R_i

O_i

Gate constraint: \(\forall \vec{x} \in B_\mu\)

\begin{aligned} & \textcolor{grey}{S_{\textsf{add}}(\vec{x})} \Big( \textcolor{pink}{M(0,0,\vec{x})} + \textcolor{lightgreen}{M(0,1,\vec{x})} \Big) + \textcolor{grey}{S_{\textsf{mul}}(\vec{x})} \Big(\textcolor{pink}{M(0,0,\vec{x})} \cdot \textcolor{lightgreen}{M(0,1,\vec{x})}) + \\ & \textcolor{grey}{S_{\textsf{gate}}(\vec{x})} G\Big[ \textcolor{pink}{M(0,0,\vec{x})}, \textcolor{lightgreen}{M(0,1,\vec{x})} \Big] - \textcolor{skyblue}{M(1,0,\vec{x})} = 0 \end{aligned}

L_0

L_1

L_3

L_2

L_4

L_6

L_5

L_7

R_0

R_1

R_3

R_2

R_4

R_6

R_5

R_7

O_0

O_1

O_3

O_2

O_4

O_6

O_5

O_7

M(0,0,\vec{x}) \equiv L(\vec{x})

M(0,1,\vec{x}) \equiv R(\vec{x})

M(1,0,\vec{x}) \equiv O(\vec{x})

Copy constraint: permutation function \(\sigma: B_{\mu+2} \rightarrow B_{\mu+2}\)

\begin{aligned} \Big\{ \vec{x}, M(\vec{x}) \Big\}_{\vec{x} \in B_{\mu+2}} = \Big\{ \sigma(\vec{x}), M(\vec{x}) \Big\}_{\vec{x} \in B_{\mu+2}} \end{aligned}

Gate Constraint

Gate constraint: \(\forall \vec{x} \in B_\mu\)

\implies \Big\{f_{\textsf{gate}}(\vec{x}) = 0\Big\}_{\vec{x}\in B_{\mu+2}}

Sample a challenge vector \(\vec{r} \leftarrow \mathbb{F}^{\mu+2}\) and compute:

\begin{aligned} \hat{f}_{\textsf{gate}}(\vec{x}) = &\ f_{\textsf{gate},0} \cdot (1-r_{\mu+2})\dots(1-r_1)(1-r_0) \ + \\ &\ f_{\textsf{gate},1} \cdot (1-r_{\mu+2})\dots(1-r_1)(r_0) \ + \\ &\ \ \vdots \\ &\ f_{\textsf{gate},2^{\mu+2}-1} \cdot (r_{\mu+2})\dots(r_1)(r_0) \end{aligned}

ZeroCheck: Run a sum-check on \(\hat{f}_{\textsf{gate}}(\vec{X})\) with sum 0.

f_0

f_1

f_3

f_2

f_4

f_6

f_5

f_7

(1-r_3)(1-r_2)(1-r_1)

(1-r_3)(1-r_2)(r_1)

(r_3)(1-r_2)(r_1)

(1-r_3)(r_2)(r_1)

(1-r_3)(r_2)(1-r_1)

(r_3)(1-r_2)(r_1)

(r_2)(1-r_1)(1-r_0)

(r_3)(r_2)(r_1)

Copy Constraint

The permutation check: let \(\sigma: B_\mu \rightarrow B_\mu\) and \(f, g \in \mathcal{F}_{\mu}^{\le d}\) s.t.

\implies \Big\{g(\vec{x}) = f(\sigma(\vec{x}))\Big\}_{\vec{x}\in B_{\mu}}

Now we need to show that the sets of tuples are equal:

ProductCheck: Run a product-check on \(\frac{f'}{g'}(\vec{X})\) with product 1.

Define permutation selectors as:

s_{\textsf{id}}(\vec{x}) = \textsf{decimal}(\vec{x}), \quad s_{\sigma}(\vec{x}) = \textsf{decimal}(\sigma(\vec{x}))

\Big\{s_{\textsf{id}}(\vec{x}), f(\vec{x})\Big\}_{x \in B_\mu} = \Big\{s_{\sigma}(\vec{x}), g(\vec{x})\Big\}_{x \in B_\mu}

Define \(f'(\vec{x}) := f(\vec{x}) + \textcolor{grey}{\beta}s_{\textsf{id}}(\vec{x}) + \textcolor{grey}{\gamma}\) and \(g'(\vec{x}) := g(\vec{x}) + \textcolor{grey}{\beta}s_{\sigma}(\vec{x}) + \textcolor{grey}{\gamma}\)

Its enough to show that

\begin{aligned} \prod_{\vec{x} \in B_\mu} \frac{f'(\vec{x})}{g'(\vec{x})}=1 \end{aligned}

HyperPlonk PIOPs

\(\texttt{Gate Constraint}\)

\(\texttt{Copy Constraint}\)

Sumcheck

Given a polynomial \(g: \mathbb{F}^\mu \rightarrow \mathbb{F}\) and \(X = \{x_i\}_{i \in [\mu]}\) compute the sum

\begin{aligned} H = \sum_{X \in B_\mu} g(x_1, x_2, \dots, x_\mu) \end{aligned}

Intuition: evaluation on a boolean hypercube

\(g(x,y) = \frac{-4x}{(x^2+y^2+1)}\)

Naively, a verifier would require \(2^\mu\) evaluations of \(g(.)\)
Sumcheck protocol requires \(\mathcal{O}(\mu + \lambda)\) verifier work
Here \(\lambda\) is the cost to evaluate \(g(.)\) at some \(r \in \mathbb{F}^{m}\)
Prover's work is \(\mathcal{O}(2^\mu)\), i.e. linear in no of constraints

\begin{aligned} H = g(0,0) + g(0,1) + g(1,0) + g(1,1) \end{aligned}

= 0 + 0 - 2 - \frac{4}{3} = -\frac{10}{3}

Sumcheck

Honest prover starts by computing \(v = \sum_{X \in \{0,1\}^\mu}g(x_1, x_2, \dots, x_\mu)\)

\(g_1(\textcolor{orange}{X_1}) := \sum_{x_2\dots}g(\textcolor{orange}{X_1},x_2, \dots, x_m)\)

\(g_2(\textcolor{orange}{X_2}) := \sum_{x_3\dots}g(\textcolor{green}{r_1}, \textcolor{orange}{X_2}, x_3, \dots, x_m)\)

\(v \stackrel{?}{=} g_1(0) + g_1(1)\)

\(g_1(\textcolor{green}{r_1}) \stackrel{?}{=} g_2(0) + g_2(1)\)

\(g_3(\textcolor{orange}{X_3}) := \sum_{x_4\dots}g(\textcolor{green}{r_1}, \textcolor{green}{r_2}, \textcolor{orange}{X_3}, x_4, \dots, x_m)\)

\(g_\mu(\textcolor{orange}{X_\mu}) := g(\textcolor{green}{r_1}, \textcolor{green}{r_2}, \dots, \textcolor{green}{r_{\mu-1}}, \textcolor{orange}{X_\mu})\)

\(g_2(\textcolor{green}{r_2}) \stackrel{?}{=} g_3(0) + g_3(1)\)

\(g_{\mu-1}(\textcolor{green}{r_{\mu-1}}) \stackrel{?}{=} g_\mu(0) + g_\mu(1)\)

\(g_{\mu}(\textcolor{green}{r_{\mu}}) \stackrel{?}{=} g(\textcolor{green}{r_1}, \textcolor{green}{r_2}, \dots, \textcolor{green}{r_\mu})\)

Prover \(\mathcal{P}\)

Verifier \(\mathcal{V}\)

\(g_1\)

\(r_1\)

\(g_2\)

\(g_3\)

\(g_\mu\)

\(r_{\mu-1}\)

\(r_2\)

\(\vdots\)

Sumcheck Costs

Prover costs:
- In round \(i\in[\mu]\), evaluate \(g_i(\vec{x})\):
- \(g_i(\textcolor{orange}{X}) := \sum_{\vec{x}\in B_{\mu-i}}g(\textcolor{green}{r_1, \dots, r_{i-1}}, \textcolor{orange}{X}, \vec{x})\)
- \(\text{deg}_X(g_i) := \text{deg}_{x_i}(g)\)
- No of evaluations: \(|B_{\mu-i}| = 2^{\mu-i}\)
- Total evaluations: \(\sum_{i}\text{deg}_{x_i}(g) \cdot 2^{\mu-i}\)
- Thus, total evaluations \(O(2^\mu)\) if degree of each variable is \(O(1)\)
Verifier costs:
- In round \(i\), evaluate \(g_i(0), g_i(1), g_{i-1}(r_{i-1}) \implies O(\mu)\)
- Cost of evaluating \(g(\vec{x})\) on \(\vec{x} = (r_1, \dots, r_\mu)\)
Proof size:
- \(\sum_{i} (\text{deg}_{x_i}(g) + 1) \equiv O(\mu)\) if degree of each variable is \(O(1)\)

Non-Interactive Sumcheck

g_1(\textcolor{orange}{X_1}) := \sum_{x_2\dots}g(\textcolor{orange}{X_1},x_2, \dots, x_\mu)

\textcolor{skyblue}{[[g_1]],} \ \textcolor{lightgreen}{g_1(0), g_1(1), v}

g_2(\textcolor{orange}{X_2}) := \sum_{x_3\dots}g(\textcolor{green}{r_1}, \textcolor{orange}{X_2}, x_3, \dots, x_\mu)

\textcolor{skyblue}{[[g_2]],} \ \textcolor{lightgreen}{g_2(0), g_2(1), g_1(r_1)}

g_3(\textcolor{orange}{X_3}) := \sum_{x_4\dots}g(\textcolor{green}{r_1}, \textcolor{green}{r_2}, \textcolor{orange}{X_3}, x_4, \dots, x_\mu)

\textcolor{skyblue}{[[g_3]],} \ \textcolor{lightgreen}{g_3(0), g_3(1), g_2(r_2)}

\mu

g_\mu(\textcolor{orange}{X_\mu}) := g(\textcolor{green}{r_1}, \textcolor{green}{r_2}, \dots, \textcolor{green}{r_{\mu-1}}, \textcolor{orange}{X_m})

\textcolor{skyblue}{[[g_\mu]],} \ \textcolor{lightgreen}{g_\mu(0), g_\mu(1), g_{\mu-1}(r_{\mu-1})}

\vdots

\textcolor{grey}{\textsf{open}} \left( \left\{ g_i(X_i) \right\} \text{ at } \left\{ 0, 1, r_i \right\} \right) \quad \forall i \in [\mu]

\textcolor{skyblue}{\left\{[[q_1]], [[q_2]], \dots, [[q_{\mu+2}]]\right\},} \textcolor{lightgreen}{ g_\mu(r_\mu)}

Proof size: \(\#\mathbb{G} = 2\mu+2\) and \(\# \mathbb{F} = 3\mu\)
Prover computation with KZG:
- \(2\mu+2\) MSMs of size \((d+1),\)
- Evaluations: \(d\times 2^{\mu}\)

Verifier: 1 MSM of \(O(\mu)\) and 1 pairing
Prover computation with Shplonk:
- \(\mu+2\) MSMs of size \((d+1),\)
- Evaluations: \(d\times 2^{\mu}\)

Non-Interactive Sumcheck 🚀

\textcolor{grey}{\textsf{open}} \left( \left\{ g'_i(X_i) \right\} \text{ at } \{r_i\} \right) \quad \forall i \in [\mu]

Proof size: \(\mathbb{G} \rightarrow 2\mu+1, \mathbb{F} \rightarrow 2\mu\)
Prover computation improvement: \(\mu+2\) MSMs of size \(d\)

\textcolor{olive}{g_i(1)} := v - \textcolor{lightgreen}{g_i(0)}

v \leftarrow \textcolor{olive}{g_i(r_i)} := \textcolor{lightgreen}{g'_i(r_i)}\cdot r_i(1-r_i) + \textcolor{lightgreen}{g_i(0)}(1-r_i) +\textcolor{olive}{g_i(1)}(r_i)

The verifier can compute the other two evaluations using \(\textcolor{lightgreen}{g_i(0), g'(r_i)}\)

This would require prover to open \(g'_i(X)\) only at \(r_i\):

g_i(\textcolor{orange}{X}) := \sum_{x_i\dots}g(\textcolor{green}{r_1, \dots, r_{i-1},} \textcolor{orange}{X}, x_{i+1}, \dots, x_{\mu})

\begin{aligned} g'_i(\textcolor{orange}{X}) := \frac{ g_i(\textcolor{orange}{X}) - (1-\textcolor{orange}{X})g_i(0) + (\textcolor{orange}{X})g_i(1) } { \textcolor{orange}{X}(1-\textcolor{orange}{X}) } \end{aligned}

\textcolor{skyblue}{[[g'_i]],} \ \textcolor{lightgreen}{g_i(0), g'(r_i)}