Libra

[Libra] is a protocol integrating GKR sumcheck protocol for IOP and modified multilinear KZG (zkVPD in the paper).

Chap3: GKR Protocol with Linear Prover Time

The core of the chapter is to develop a linear time O(2)O(2^\ell) prover for the sumcheck protocol used in GKR protocol.

Recall in the standard sumcheck protocol of the polynomial gF2[X]g\in\mathbb{F}_2[X] requires the prover to compute

si(Xi)=bi+1,,bf(r1,,ri1,Xi,bi+1,,b)s_i(X_i)=\sum_{b_{i+1},\dots,b_\ell}f(r_1,\dots,r_{i-1},X_i,b_{i+1},\dots,b_{\ell})

for the only multilinear extension fFq[X]f\in\mathbb{F}_q[X] in the ii -th round, which takes a time of O(2dTf)O(2^\ell dT_f) . dd is for sending a function si(Xi)s_i(X_i) which has degree less than degf=d\deg f=d requires to set at most dd evaluations of XiX_i on different points. Then the prover sends the dd values to the verifier.

GKR protocol

The goal of GKR protocol is to prove for public C:FnFkC:\mathbb{F}^n\mapsto\mathbb{F}^k and xx , the prover knows the output C(x)C(x) . The GKR protocol acts like an IOP in SNARK systems.

Assume the arithmetic circuit CC is of a layered structure, with depth dd and SiS_i gates on the ii -th layer, si=logSis_i=\log S_i and S0=kS_0=k , Sd=nS_d=n . The circuit graph has the output gate on the ontly gate of the 00 -th layer. The functions addi,muli:{0,1}2si+si1{0,1}\mathsf{add}_i,\mathsf{mul}_i:\{0,1\}^{2s_i+s_{i-1}}\mapsto\{0,1\} are encodings of the wiring in between each layer, e.g. if the sum of the output of aa -th gate and bb -th gate on the ii -th layer is the cc -th gate on the (i1)(i-1) -th layer, then addi(a,b,c)=1\mathsf{add}_i(a,b,c)=1 . Thus we define the output function Vi:{0,1}siFV_i:\{0,1\}^{s_i}\mapsto\mathbb{F} that takes bb as binary string, and output the value. We have

Vi(z)=x,y{0,1}si+1(addi(z,x,y)(Vi+1(x)+Vi+1(y))+muli(z,x,y)Vi+1(x)Vi+1(y))V_i(z)=\sum_{x,y\in\{0,1\}^{s_{i+1}}}\left(\mathsf{add}_i(z,x,y)(V_{i+1}(x)+V_{i+1}(y))+\mathsf{mul}_i(z,x,y)V_{i+1}(x)V_{i+1}(y)\right)

for every z{0,1}siz\in\{0,1\}^{s_{i}} iff the circuit value is legal. Below we assume that all functions are linearized to F\mathbb{F} .

The verifying goal is V0(z)=V_0(z)=… for all z{0,1}kz\in\{0,1\}^{k} . Thus the verifier randomly pick gg and after that runs a sumcheck protocol to verify

V0(g)=x,y{0,1}s1(add0(g,x,y)(V1(x)+V1(y))+mul0(g,x,y)V1(x)V1(y)):=x,yf0(x,y).V_0(g)=\sum_{x,y\in\{0,1\}^{s_1}}\left(\mathsf{add}_0(g,x,y)(V_1(x)+V_1(y))+\mathsf{mul}_0(g,x,y)V_1(x)V_1(y)\right):=\sum_{x,y}f_0(x,y).

In the last round of sumcheck protocol, the verifier gets f0(u1,v1)f_0(u_1,v_1) from the prover where u,vFu,v\in\mathbb{F} are challenges from the verifier. To verify the f0(u,v)f_0(u,v) , the verifier needs to know V1(u1)V_1(u_1) and V1(v1)V_1(v_1) , so the prover sends V1(u1)V_1(u_1) and V1(v1)V_1(v_1) and tries to convince the verifier these are correct. The verifier first checks if f0(u1,v1)=(add0(g,x,y)(V1(x)+V1(y))+mul0(g,x,y)V1(x)V1(y))f_0(u_1,v_1)=\left(\mathsf{add}_0(g,x,y)(V_1(x)+V_1(y))+\mathsf{mul}_0(g,x,y)V_1(x)V_1(y)\right) . Then the verifier checks that the values are correctly calculated. If we run two sumchecks, the proof size and time will be exponential in dd .

So we use interpolation to combine two claims; in the original GKR protocol, the interpolation is on the domain, i.e. let γ:FFs0\gamma:\mathbb{F}\mapsto\mathbb{F}^{s_0} be a line where γ(0)=u1,γ(1)=v1\gamma(0)=u_1,\gamma(1)=v_1 and h(x)=V1(γ(x))h(x)=V_1(\gamma(x)) ; then prove h(r)=V1(γ(r))h(r)=V_1(\gamma(r)) for a random point on the line.

The Libra uses combination in the range (as [1] has proposed) and considers a random combination α1V1(u1)+β1V1(v1)\alpha_1V_1(u_1)+\beta_1V_1(v_1) and the next sumcheck is run to verify

α1V1(u1)+β1V1(v1)=x,y{0,1}s2[(α1add1(u1,x,y)+β1add1(v1,x,y))(V1(x)+V1(y))+(α1mul1(u1,x,y)+β1mul1(v1,x,y))V1(x)V1(y)]:=x,yf1(x,y).\begin{align*}\alpha_1V_1(u_1)+\beta_1V_1(v_1)&=\sum_{x,y\in\{0,1\}^{s_2}}\big[(\alpha_1\mathsf{add}_1(u_1,x,y)+\beta_1\mathsf{add}_1(v_1,x,y))(V_1(x)+V_1(y))+(\alpha_1\mathsf{mul}_1(u_1,x,y)+\beta_1\mathsf{mul}_1(v_1,x,y))V_1(x)V_1(y)\big]\\&:=\sum_{x,y}f_1(x,y). \end{align*}

The procedure goes on and on for d1d-1 rounds. In the final round, the verifier gets Vd(ud)V_d(u_d) and Vd(vd)V_d(v_d) . Only then does the verifier access the oracle OracleVd\mathsf{Oracle}_{V_d} to see if the two values are correct.

O(2)O(2^\ell) provers for the sumcheck protocol

In the last section we directly used the sumcheck protocol on a function that is a sum of multiplication of multilinear functions. Here we use \ell to denote the numbers of variables of the polynomial VV ’s. If we use the original sumcheck protocol, the prover time will be O(22)O(2^{2\ell}) for the add\mathsf{add} polynomial has 22\ell variables.

If we consider that the result polynomial is sparse(in domain, i.e. on many points it evaluates to zero), the sumcheck prover will be much faster rather then O(22)O(2^{2\ell}) . The paper mentioned a O(2)O(\ell 2^\ell) approach and a O(2)O(2^\ell) approach. We can verify that the function

f(x,y)=(addi(z,x,y)(Vi+1(x)+Vi+1(y))+muli(z,x,y)Vi+1(x)Vi+1(y)),x,y{0,1}si+1f(x,y)=\left(\mathsf{add}_i(z,x,y)(V_{i+1}(x)+V_{i+1}(y))+\mathsf{mul}_i(z,x,y)V_{i+1}(x)V_{i+1}(y)\right),\quad x,y\in\{0,1\}^{s_{i+1}}

is indeed a sparse function for there are at most 2si2^{s_i} tuples (z,x,y)(z,x,y) that makes addi\mathsf{add}_i and muli\mathsf{mul}_i evaluate to 11 . So in this section we assume that ff is non-zero only on at most 22^\ell points in {0,1}3\{0,1\}^{3\ell} .

Consider the protocol is run on a multilinear polynomial ff . The former approach uses a list to store values; at the ii -th round it stores f(r1,,ri1,bi,,bn)f(r_1,\dots,r_{i-1},b_{i},\dots,b_n) for all bi,,bnb_i,\dots,b_n with r1,,ri1r_1,\dots,r_{i-1} are picked by the verifier. The idea utilizes the property that

f(r1,,ri1,ri,,bn)=(1ri)f(r1,,ri1,0,bi+1,,bn)+rif(r1,,ri1,1,bi+1,,bn)f(r_1,\dots,r_{i-1},r_{i},\dots,b_n)=(1-r_i)f(r_1,\dots,r_{i-1},0,b_{i+1},\dots,b_n)+r_if(r_1,\dots,r_{i-1},1,b_{i+1},\dots,b_n)

This method uses time O(22Tf+221+222++21+1)O(2^{2\ell}T_f+2^{2\ell-1}+2^{2\ell-2}+\dots+2^1+1) which is still quadratic. Since ff is sparse, the list takes down only O(2)O(2^\ell) of all the values; but the halving does not hold, thus the overall time is O(22Tf+21+2)O(2^{2\ell}T_f+\ell2^{\ell-1}+2^\ell) . Here comes the core of this chapter.

Here comes the main algorithm. We want to sumcheck the function f(x,y)=f1(g,x,y)f2(x)f3(y)f(x,y)=f_1(g,x,y)f_2(x)f_3(y) where there are at most O(2)O(2^\ell) non-zero positions and f2,f3:FFf_2,f_3:\mathbb{F}^\ell\mapsto\mathbb{F} , f1:F3Ff_1:\mathbb{F}^{3\ell}\mapsto\mathbb{F} , all multilinear. The idea is

hg(x)=yf1(g,x,y)f3(y),f(x,y)=xf2(x)hg(x)\begin{align*} h_g(x)&=\sum_y f_1(g,x,y)f_3(y),\\ f(x,y)&=\sum_x f_2(x)h_g(x) \end{align*}

and we run two sumcheck protocols shown in SumCheckProduct\mathsf{SumCheckProduct} below.

These two algorithms are the same as the former described ones, with time O(2)O(2^\ell) . But to run them we need bookkeeping tables for f1(g,x,y)f2(x)f3(y)f_1(g,x,y)f_2(x)f_3(y) .

where

To sum all up,

Remarks.

  • This algorithm 3 requires f(u)g(u)f(u)g(u) in the last round of interaction. So after step 2 in algorithm 6, the verifier needs to varify the value of yf1(g,u,y)f3(y)f2(u)\sum_y f_1(g,u,y)f_3(y)f_2(u) .
  • The procedure Precompute(g)\mathsf{Precompute}(g) is for constructing a bookkeeping table for the function Ig(z):=i=1[(1gi)(1zi)+gizi]I_g(z):=\prod_{i=1}^\ell [(1-g_i)(1-z_i)+g_iz_i] which evaluates to 11 if and only if g=zg=z . So hg(x)=y,zIg(z)f1(z,x,y)f3(y)h_g(x)=\sum_{y,z} I_g(z)f_1(z,x,y)f_3(y) and by the sparse condition, the sum has O(2)O(2^\ell) terms.
  • Similarly, f1(g,u,y)=z,xIg(z)Iu(x)f1(z,x,y)f_1(g,u,y)=\sum_{z,x}I_g(z)I_u(x)f_1(z,x,y) and the sum has also O(2)O(2^\ell) terms. This is shown in algorithm 5.
  • All the algorithms run in O(2)O(2^\ell) time.

Zero-Knowledge

zkVPD is the analogy of commitment schemes with zk properties.

References

[1] Chiesa, A., Forbes, M.A., Spooner, N.: A Zero Knowledge Sumcheck and its Applications. CoRR abs/1704.02086 (2017), http://arxiv.org/abs/1704.02086