Sumcheck in GPU
Sumcheck Primer
- Given a polynomial g:Fμ→F and X={xi}i∈[μ] compute the sum
H=X∈Bμ∑g(x1,x2,…,xμ)
\begin{aligned}
H = \sum_{X \in B_\mu} g(x_1, x_2, \dots, x_\mu)
\end{aligned}
- Naively, a verifier would require ∣Bμ∣=2μ evaluations of g(.)
- Sumcheck protocol requires O(μ+λ) verifier work
- Here λ is the cost to evaluate g(.) at some r∈Fμ
- Prover's work is O(2μ), i.e. linear in no of constraints
g1(X1):=∑x2…g(X1,x2,…,xm)
g2(X2):=∑x3…g(r1,X2,x3,…,xm)
v=?g1(0)+g1(1)
g1(r1)=?g2(0)+g2(1)
g3(X3):=∑x4…g(r1,r2,X3,x4,…,xm)
gμ(Xμ):=g(r1,r2,…,rμ−1,Xμ)
g2(r2)=?g3(0)+g3(1)
gμ−1(rμ−1)=?gμ(0)+gμ(1)
gμ(rμ)=?g(r1,r2,…,rμ)
Prover P
Verifier V
g1
r1
g2
g3
gμ
rμ−1
r2
⋮
⋮
⋮
Sumcheck for MLE Polynomials
- Given a vector f∈F2μ, we can write its (unique) multi-linear extension f(X) as:
f(0,0,…,0,0)←f[0]
f(\textcolor{lightgrey}{0, 0, \dots, 0, 0}) \leftarrow \textcolor{orange}{\vec{f}[0]}
f(0,0,…,0,1)←f[1]
f(\textcolor{lightgrey}{0, 0, \dots, 0,} \textcolor{skyblue}{1}) \leftarrow \textcolor{orange}{\vec{f}[1]}
f(0,0,…,1,0)←f[2]
f(\textcolor{lightgrey}{0, 0, \dots, } \textcolor{skyblue}{1} \textcolor{lightgrey}{,0}) \leftarrow \textcolor{orange}{\vec{f}[2]}
f(1,1,…,1,0)←f[2μ−2]
f(\textcolor{skyblue}{1, 1, \dots, 1} \textcolor{lightgrey}{,0}) \leftarrow \textcolor{orange}{\vec{f}[2^\mu-2]}
f(1,1,…,1,1)←f[2μ−1]
f(\textcolor{skyblue}{1, 1, \dots, 1, 1}) \leftarrow \textcolor{orange}{\vec{f}[2^\mu-1]}
f(X):= (1−Xμ)(1−Xμ−1)…(1−X2)(1−X1)f[0] + (1−Xμ)(1−Xμ−1)…(1−X2)X1f[1] + (1−Xμ)(1−Xμ−1)…X2(1−X1)f[2] + ⋮ XμXμ−1…X2(1−X1)f[2μ−2] + XμXμ−1…X2X1f[2μ−1].
\begin{aligned}
f(\mathbf{X}) := & \
\textcolor{lightgrey}{(1-X_\mu)(1-X_{\mu-1})\dots}\textcolor{lightgrey}{(1-X_2)}\textcolor{lightgrey}{(1-X_1)}\textcolor{orange}{\vec{f}[0]} \ + \\
& \ \textcolor{lightgrey}{(1-X_\mu)(1-X_{\mu-1})\dots}\textcolor{lightgrey}{(1-X_2)}\textcolor{skyblue}{X_1}\textcolor{orange}{\vec{f}[1]} \ + \\
& \ \textcolor{lightgrey}{(1-X_\mu)(1-X_{\mu-1})\dots}\textcolor{skyblue}{X_2}\textcolor{lightgrey}{(1-X_1)}\textcolor{orange}{\vec{f}[2]} \ + \\
& \ \vdots \\
& \ \textcolor{skyblue}{X_\mu X_{\mu-1} \dots}\textcolor{skyblue}{X_2}\textcolor{lightgrey}{(1-X_1)}\textcolor{orange}{\vec{f}[2^\mu-2]} \ + \\
& \ \textcolor{skyblue}{X_\mu X_{\mu-1} \dots}\textcolor{skyblue}{X_2}\textcolor{skyblue}{X_1}\textcolor{orange}{\vec{f}[2^\mu-1]}. \\
\end{aligned}
⟹
\implies
⋮
\vdots
- MLEs makes sumcheck prover's computation faster and parallelisable
- Computing round polynomials is easy
⟹
\implies
r1(Xμ)=(1−Xμ)(f[0]+f[1]+⋯+f[2μ−1−1])
\begin{aligned}
r_1(X_\mu) = (1-X_\mu) \Big( \textcolor{lightgreen}{\vec{f}[0] + \vec{f}[1] + \dots + \vec{f}[2^{\mu-1}-1]} \Big)
\end{aligned}
+ Xμ(f[2μ−1]+⋯+f[2μ−1])
+ \ X_\mu \Big( \textcolor{orange}{\vec{f}[2^{\mu-1}] + \dots + \vec{f}[2^{\mu}-1]} \Big)
Sums of halves → easy!
- Updating original polynomial with challenge α1 is tricky
f(α1,0,…,0,0)←(1−α1)f[0]+α1f[2μ−1]
f(\alpha_1\textcolor{lightgrey}{, 0, \dots, 0, 0}) \leftarrow (1-\alpha_1)\textcolor{lightgreen}{\vec{f}[0]} + \alpha_1\textcolor{orange}{\vec{f}[2^{\mu-1}]}
f(α1,0,…,0,1)←(1−α1)f[1]+α1f[2μ−1+1]
f(\alpha_1\textcolor{lightgrey}{, 0, \dots, 0, }\textcolor{skyblue}{1}) \leftarrow (1-\alpha_1)\textcolor{lightgreen}{\vec{f}[1]} + \alpha_1\textcolor{orange}{\vec{f}[2^{\mu-1}+1]}
f(α1,0,…,1,0)←(1−α1)f[2]+α1f[2μ−1+2]
f(\alpha_1\textcolor{lightgrey}{, 0, \dots, }\textcolor{skyblue}{1} \textcolor{lightgrey}{, 0}) \leftarrow (1-\alpha_1)\textcolor{lightgreen}{\vec{f}[2]} + \alpha_1\textcolor{orange}{\vec{f}[2^{\mu-1}+2]}
Sumcheck for MLE Polynomials
f(X)
f(\mathbf{X})
Round computation can be parallelised
Round i+1 depends on round i challenge
Need to process all terms to compute challenge
f1,o
f_{1,o}
f1,e
f_{1,e}
∑
\sum
∑
\sum
hash
\textsf{hash}
α1
\alpha_1
f2,o
f_{2,o}
f2,e
f_{2,e}
∑
\sum
∑
\sum
hash
\textsf{hash}
α2
\alpha_2
f3,o
f_{3,o}
f3,e
f_{3,e}
∑
\sum
∑
\sum
hash
\textsf{hash}
α3
\alpha_3
f4,o
f_{4,o}
f4,e
f_{4,e}
hash
\textsf{hash}
α4
\alpha_4
Sumcheck for R1CS
Aˉz∘Bˉz=Cˉz
\begin{bmatrix}
\\
& \bar{A} & \\
\\
\end{bmatrix}
\hspace{-6pt}
\begin{bmatrix}
\\
\vec{z}\\
\\
\end{bmatrix}
\circ
\begin{bmatrix}
\\
& \bar{B} & \\
\\
\end{bmatrix}
\hspace{-6pt}
\begin{bmatrix}
\\
\vec{z}\\
\\
\end{bmatrix}
=
\begin{bmatrix}
\\
& \bar{C} & \\
\\
\end{bmatrix}
\hspace{-6pt}
\begin{bmatrix}
\\
\vec{z}\\
\\
\end{bmatrix}
\underbrace{\hspace{2.6cm}}
2μ
2^\mu
F(x):=(y∈Bμ∑A(x,y)z(y))(y∈Bμ∑B(x,y)z(y))−y∈Bμ∑C(x,y)z(y)
F(x) := \Bigg(\sum_{y \in \mathbb{B}_\mu}A(x,y)z(y)\Bigg)\Bigg(\sum_{y \in \mathbb{B}_\mu}B(x,y)z(y)\Bigg) - \sum_{y \in \mathbb{B}_\mu}C(x,y)z(y)
x∈Bμ∑γxF(x)=0
\sum_{x\in \mathbb{B}_\mu}\gamma_x F(x) = 0
⟹F(x)=0∀x∈Bμ
\implies F(x) = 0 \quad \forall x \in \mathbb{B}_\mu
We need to prove that F is 0 on all points of Bμ
G(x):=(y∈Bμ∑A(x,y)z(y))(y∈Bμ∑B(x,y)z(y))−y∈Bμ∑C(x,y)z(y)eq(x,τ)
G(x) := \left(\Bigg(\sum_{y \in \mathbb{B}_\mu}A(x,y)z(y)\Bigg)\Bigg(\sum_{y \in \mathbb{B}_\mu}B(x,y)z(y)\Bigg) - \sum_{y \in \mathbb{B}_\mu}C(x,y)z(y)\right)
\textcolor{orange}{\textsf{eq}(x, \tau)}
G(x):=a(x)b(x)eq(x)−c(x)eq(x)
G(x) := a(x)b(x)\textsf{eq}(x) - c(x)\textsf{eq}(x)
- We need sumcheck on sums of products of MLE polynomials
- Trivial to extend sumcheck for one polynomial to sums of products
A:F2μ→F
A: \mathbb{F}^{2 \mu} \rightarrow \mathbb{F}
B:F2μ→F
B: \mathbb{F}^{2 \mu} \rightarrow \mathbb{F}
C:F2μ→F
C: \mathbb{F}^{2 \mu} \rightarrow \mathbb{F}
z:Fμ→F
z: \mathbb{F}^{\mu} \rightarrow \mathbb{F}
combineG(a,b,c,d):=abd−cd
\textsf{combine}_G(a,b,c,d) := abd - cd
f1(X)
f_1(\mathbf{X})
f2(X)
f_2(\mathbf{X})
f3(X)
f_3(\mathbf{X})
f4(X)
f_4(\mathbf{X})
f5(X)
f_5(\mathbf{X})
f1,o
f_{1,o}
f1,e
f_{1,e}
f2,o
f_{2,o}
f2,e
f_{2,e}
f3,o
f_{3,o}
f3,e
f_{3,e}
f4,o
f_{4,o}
f4,e
f_{4,e}
f5,o
f_{5,o}
f5,e
f_{5,e}
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
ri(X)
r_i(X)
hash
\textsf{hash}
αi
\alpha_i
f1(X)
f_1(\mathbf{X})
f2(X)
f_2(\mathbf{X})
f3(X)
f_3(\mathbf{X})
f4(X)
f_4(\mathbf{X})
f5(X)
f_5(\mathbf{X})
f1,o
f_{1,o}
f1,e
f_{1,e}
f2,o
f_{2,o}
f2,e
f_{2,e}
f3,o
f_{3,o}
f3,e
f_{3,e}
f4,o
f_{4,o}
f4,e
f_{4,e}
f5,o
f_{5,o}
f5,e
f_{5,e}
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
ri(X)
r_i(X)
hash
\textsf{hash}
αi
\alpha_i
L(1−α,α)
L_{(1-\alpha, \alpha)}
L(1−α,α)
L_{(1-\alpha, \alpha)}
L(1−α,α)
L_{(1-\alpha, \alpha)}
L(1−α,α)
L_{(1-\alpha, \alpha)}
L(1−α,α)
L_{(1-\alpha, \alpha)}
(1−αi)
(1-\alpha_i)
(αi)
(\alpha_i)
+
+
f1(X)
f_1(\mathbf{X})
f2(X)
f_2(\mathbf{X})
f3(X)
f_3(\mathbf{X})
f4(X)
f_4(\mathbf{X})
f5(X)
f_5(\mathbf{X})
f1,o
f_{1,o}
f1,e
f_{1,e}
f2,o
f_{2,o}
f2,e
f_{2,e}
f3,o
f_{3,o}
f3,e
f_{3,e}
f4,o
f_{4,o}
f4,e
f_{4,e}
f5,o
f_{5,o}
f5,e
f_{5,e}
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
ri(X)
r_i(X)
hash
\textsf{hash}
αi
\alpha_i
L(1−α,α)
L_{(1-\alpha, \alpha)}
L(1−α,α)
L_{(1-\alpha, \alpha)}
L(1−α,α)
L_{(1-\alpha, \alpha)}
L(1−α,α)
L_{(1-\alpha, \alpha)}
f1(X)
f_1(\mathbf{X})
f2(X)
f_2(\mathbf{X})
f3(X)
f_3(\mathbf{X})
f4(X)
f_4(\mathbf{X})
f5(X)
f_5(\mathbf{X})
f1,o
f_{1,o}
f1,e
f_{1,e}
f2,o
f_{2,o}
f2,e
f_{2,e}
f3,o
f_{3,o}
f3,e
f_{3,e}
f4,o
f_{4,o}
f4,e
f_{4,e}
f5,o
f_{5,o}
f5,e
f_{5,e}
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
ri(X)
r_i(X)
hash
\textsf{hash}
αi
\alpha_i
L(1−α,α)
L_{(1-\alpha, \alpha)}
L(1−α,α)
L_{(1-\alpha, \alpha)}
L(1−α,α)
L_{(1-\alpha, \alpha)}
f1(X)
f_1(\mathbf{X})
f2(X)
f_2(\mathbf{X})
f3(X)
f_3(\mathbf{X})
f4(X)
f_4(\mathbf{X})
f5(X)
f_5(\mathbf{X})
f1,o
f_{1,o}
f1,e
f_{1,e}
f2,o
f_{2,o}
f2,e
f_{2,e}
f3,o
f_{3,o}
f3,e
f_{3,e}
f4,o
f_{4,o}
f4,e
f_{4,e}
f5,o
f_{5,o}
f5,e
f_{5,e}
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
ri(X)
r_i(X)
hash
\textsf{hash}
αi
\alpha_i
f1′(X)
f'_1(\mathbf{X})
f2′(X)
f'_2(\mathbf{X})
f3′(X)
f'_3(\mathbf{X})
f4′(X)
f'_4(\mathbf{X})
f5′(X)
f'_5(\mathbf{X})
f1,o
f_{1,o}
f1,e
f_{1,e}
f2,o
f_{2,o}
f2,e
f_{2,e}
f3,o
f_{3,o}
f3,e
f_{3,e}
f4,o
f_{4,o}
f4,e
f_{4,e}
f5,o
f_{5,o}
f5,e
f_{5,e}
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
ri(X)
r_i(X)
hash
\textsf{hash}
αi
\alpha_i
f1′(X)
f'_1(\mathbf{X})
f2′(X)
f'_2(\mathbf{X})
f3′(X)
f'_3(\mathbf{X})
f4′(X)
f'_4(\mathbf{X})
f5′(X)
f'_5(\mathbf{X})
f1,o
f_{1,o}
f1,e
f_{1,e}
f2,o
f_{2,o}
f2,e
f_{2,e}
f3,o
f_{3,o}
f3,e
f_{3,e}
f4,o
f_{4,o}
f4,e
f_{4,e}
f5,o
f_{5,o}
f5,e
f_{5,e}
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
ri+1(X)
r_{i+1}(X)
hash
\textsf{hash}
αi+1
\alpha_{i+1}
L2 Cache
\underbrace{\hspace{4.25cm}}
ℓ
\ell
Sumcheck in GPU
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
L2 Cache
\underbrace{\hspace{4.25cm}}
ℓ
\ell
Sumcheck in GPU
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
L2 Cache
\underbrace{\hspace{4.25cm}}
ℓ
\ell
Sumcheck in GPU
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
L2 Cache
\underbrace{\hspace{4.25cm}}
ℓ
\ell
Sumcheck in GPU
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
L2 Cache
\underbrace{\hspace{4.25cm}}
ℓ
\ell
Sumcheck in GPU
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
sumcheck221()= sumcheck219()+β⋅sumcheck219()+ β2⋅sumcheck219()+β3⋅sumcheck219()
\begin{aligned}
\textsf{sumcheck}_{2^{21}}
\begin{pmatrix}
& & \\
& \\
\end{pmatrix}
= &\
\textsf{sumcheck}_{2^{19}}(\quad)
+
\beta \cdot \textsf{sumcheck}_{2^{19}}(\quad) + \\
&\
\beta^2 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
+
\beta^3 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
\end{aligned}
*This isn't quite what we need, we need to show that independent sumchecks sum to a certain sum.
L2 Cache
r1(1)(X)
r_1^{(1)}(X)
α1(1)
\alpha_1^{(1)}
Sumcheck in GPU
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
sumcheck221()= sumcheck219()+β⋅sumcheck219()+ β2⋅sumcheck219()+β3⋅sumcheck219()
\begin{aligned}
\textsf{sumcheck}_{2^{21}}
\begin{pmatrix}
& & \\
& \\
\end{pmatrix}
= &\
\textsf{sumcheck}_{2^{19}}(\quad)
+
\beta \cdot \textsf{sumcheck}_{2^{19}}(\quad) + \\
&\
\beta^2 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
+
\beta^3 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
\end{aligned}
L2 Cache
Sumcheck in GPU
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
sumcheck221()= sumcheck219()+β⋅sumcheck219()+ β2⋅sumcheck219()+β3⋅sumcheck219()
\begin{aligned}
\textsf{sumcheck}_{2^{21}}
\begin{pmatrix}
& & \\
& \\
\end{pmatrix}
= &\
\textsf{sumcheck}_{2^{19}}(\quad)
+
\beta \cdot \textsf{sumcheck}_{2^{19}}(\quad) + \\
&\
\beta^2 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
+
\beta^3 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
\end{aligned}
L2 Cache
r1(2)(X)
r_1^{(2)}(X)
α1(2)
\alpha_1^{(2)}
Sumcheck in GPU
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
sumcheck221()= sumcheck219()+β⋅sumcheck219()+ β2⋅sumcheck219()+β3⋅sumcheck219()
\begin{aligned}
\textsf{sumcheck}_{2^{21}}
\begin{pmatrix}
& & \\
& \\
\end{pmatrix}
= &\
\textsf{sumcheck}_{2^{19}}(\quad)
+
\beta \cdot \textsf{sumcheck}_{2^{19}}(\quad) + \\
&\
\beta^2 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
+
\beta^3 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
\end{aligned}
L2 Cache
Sumcheck in GPU
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
sumcheck221()= sumcheck219()+β⋅sumcheck219()+ β2⋅sumcheck219()+β3⋅sumcheck219()
\begin{aligned}
\textsf{sumcheck}_{2^{21}}
\begin{pmatrix}
& & \\
& \\
\end{pmatrix}
= &\
\textsf{sumcheck}_{2^{19}}(\quad)
+
\beta \cdot \textsf{sumcheck}_{2^{19}}(\quad) + \\
&\
\beta^2 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
+
\beta^3 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
\end{aligned}
L2 Cache
r1(3)(X)
r_1^{(3)}(X)
α1(3)
\alpha_1^{(3)}
Sumcheck in GPU
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
sumcheck221()= sumcheck219()+β⋅sumcheck219()+ β2⋅sumcheck219()+β3⋅sumcheck219()
\begin{aligned}
\textsf{sumcheck}_{2^{21}}
\begin{pmatrix}
& & \\
& \\
\end{pmatrix}
= &\
\textsf{sumcheck}_{2^{19}}(\quad)
+
\beta \cdot \textsf{sumcheck}_{2^{19}}(\quad) + \\
&\
\beta^2 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
+
\beta^3 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
\end{aligned}
L2 Cache
Not the most optimal use of L2 cache
Verifier generates (k+n) challenges
Sumcheck in GPU
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
sumcheck221()= sumcheck219()+β⋅sumcheck219()+ β2⋅sumcheck219()+β3⋅sumcheck219()
\begin{aligned}
\textsf{sumcheck}_{2^{21}}
\begin{pmatrix}
& & \\
& \\
\end{pmatrix}
= &\
\textsf{sumcheck}_{2^{19}}(\quad)
+
\beta \cdot \textsf{sumcheck}_{2^{19}}(\quad) + \\
&\
\beta^2 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
+
\beta^3 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
\end{aligned}
L2 Cache
\underbrace{\hspace{4.25cm}}
ℓ
\ell
Sumcheck in GPU
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
sumcheck221()= sumcheck219()+β⋅sumcheck219()+ β2⋅sumcheck219()+β3⋅sumcheck219()
\begin{aligned}
\textsf{sumcheck}_{2^{21}}
\begin{pmatrix}
& & \\
& \\
\end{pmatrix}
= &\
\textsf{sumcheck}_{2^{19}}(\quad)
+
\beta \cdot \textsf{sumcheck}_{2^{19}}(\quad) + \\
&\
\beta^2 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
+
\beta^3 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
\end{aligned}
L2 Cache
\underbrace{\hspace{4.25cm}}
ℓ
\ell
Sumcheck in GPU
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
sumcheck221()= sumcheck219()+β⋅sumcheck219()+ β2⋅sumcheck219()+β3⋅sumcheck219()
\begin{aligned}
\textsf{sumcheck}_{2^{21}}
\begin{pmatrix}
& & \\
& \\
\end{pmatrix}
= &\
\textsf{sumcheck}_{2^{19}}(\quad)
+
\beta \cdot \textsf{sumcheck}_{2^{19}}(\quad) + \\
&\
\beta^2 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
+
\beta^3 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
\end{aligned}
L2 Cache
\underbrace{\hspace{4.25cm}}
ℓ
\ell
r1(2)(X)
r_1^{(2)}(X)
α1(2)
\alpha_1^{(2)}
r1(1)(X)
r_1^{(1)}(X)
α1(1)
\alpha_1^{(1)}
Sumcheck in GPU
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
sumcheck221()= sumcheck219()+β⋅sumcheck219()+ β2⋅sumcheck219()+β3⋅sumcheck219()
\begin{aligned}
\textsf{sumcheck}_{2^{21}}
\begin{pmatrix}
& & \\
& \\
\end{pmatrix}
= &\
\textsf{sumcheck}_{2^{19}}(\quad)
+
\beta \cdot \textsf{sumcheck}_{2^{19}}(\quad) + \\
&\
\beta^2 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
+
\beta^3 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
\end{aligned}
L2 Cache
\underbrace{\hspace{4.25cm}}
ℓ
\ell
r1(2)(X)
r_1^{(2)}(X)
α1(2)
\alpha_1^{(2)}
r1(1)(X)
r_1^{(1)}(X)
α1(1)
\alpha_1^{(1)}
Sumcheck in GPU
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
sumcheck221()= sumcheck219()+β⋅sumcheck219()+ β2⋅sumcheck219()+β3⋅sumcheck219()
\begin{aligned}
\textsf{sumcheck}_{2^{21}}
\begin{pmatrix}
& & \\
& \\
\end{pmatrix}
= &\
\textsf{sumcheck}_{2^{19}}(\quad)
+
\beta \cdot \textsf{sumcheck}_{2^{19}}(\quad) + \\
&\
\beta^2 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
+
\beta^3 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
\end{aligned}
L2 Cache
\underbrace{\hspace{4.25cm}}
ℓ
\ell
Sumcheck in GPU
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
sumcheck221()= sumcheck219()+β⋅sumcheck219()+ β2⋅sumcheck219()+β3⋅sumcheck219()
\begin{aligned}
\textsf{sumcheck}_{2^{21}}
\begin{pmatrix}
& & \\
& \\
\end{pmatrix}
= &\
\textsf{sumcheck}_{2^{19}}(\quad)
+
\beta \cdot \textsf{sumcheck}_{2^{19}}(\quad) + \\
&\
\beta^2 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
+
\beta^3 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
\end{aligned}
L2 Cache
\underbrace{\hspace{4.25cm}}
ℓ
\ell
r1(4)(X)
r_1^{(4)}(X)
α1(4)
\alpha_1^{(4)}
r1(3)(X)
r_1^{(3)}(X)
α1(3)
\alpha_1^{(3)}
r1(5)(X)
r_1^{(5)}(X)
α1(5)
\alpha_1^{(5)}
Relocation of data within L2 cache
Optimal usage of L2 cache
Sumcheck in GPU
Verifier generates (2k+n) challenges
- Main hurdle: L2 cache size is just 96MB
- Can fit an R1CS sumcheck instance of size ≤219
- For larger instances, we need to read and write to memory to update the state
- Alternatively, we can break a large sumcheck instance into several smaller instances
sumcheck221()= sumcheck219()+β⋅sumcheck219()+ β2⋅sumcheck219()+β3⋅sumcheck219()
\begin{aligned}
\textsf{sumcheck}_{2^{21}}
\begin{pmatrix}
& & \\
& \\
\end{pmatrix}
= &\
\textsf{sumcheck}_{2^{19}}(\quad)
+
\beta \cdot \textsf{sumcheck}_{2^{19}}(\quad) + \\
&\
\beta^2 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
+
\beta^3 \cdot \textsf{sumcheck}_{2^{19}}(\quad)
\end{aligned}
Path Forward
-
Idea 1: Independent sumchecks
- Still need to show ∑jcj=c - additional overhead
- Better ideas to show that?
-
Idea 2: Multi-variate round polynomials
- First round polynomial:
- r1(X)=∑xj∈{0,1},j=1f(X,x2,x3,…,xμ)
- What if round polynomials were bi-variate polynomials:
- r1(X,Y)=∑xj∈{0,1},j=1,2f(X,Y,x3,x4,…,xμ)
- First round polynomial:
-
Idea 3: Bulletproofs-like folding
- Convert a sumcheck problem to a bulletproofs problem (lot of MSMs)
- Run k bulletproofs rounds until sumcheck size is ≤2l
-
Idea 4: Ternary hypercube
- Will help reduce rounds in sumcheck but is that useful to us?
f1(X)
f_1(\mathbf{X})
f2(X)
f_2(\mathbf{X})
f3(X)
f_3(\mathbf{X})
f4(X)
f_4(\mathbf{X})
f5(X)
f_5(\mathbf{X})
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
L(1,0)
L(1,0)
L(0,1)
L(0,1)
L(−1,2)
L(-1,2)
L(−2,3)
L(-2,3)
L(−3,4)
L(-3,4)
L(−4,5)
L(-4,5)
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
combine
\textsf{combine}
ri(X)
r_i(X)
hash
\textsf{hash}
αi
\alpha_i
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
∑
\sum
Sumcheck in GPU
Sumcheck in GPU
By Suyash Bagad
Sumcheck in GPU
- 121
