Skip to content

The Procedure

Our protocol for batch evaluation of sum claims

Here, we get to the "grand finale" of this site. Our setup is a list of polynomials t0,,tn1t_0, \ldots , t_{n - 1}, respectively of sizes 0,,n1\ell_0, \ldots , \ell_{n - 1}, all defined over Tτ\mathcal{T}_\tau, and jointly committed to in just the way prescribed by our batch commitment procedure. That is, we've actually committed to just a single, massive, piecewise polynomial t(X0,,X1)t^*(X_0, \ldots , X_{\ell^* - 1}), which takes the values that the individual polynomials t0,,tn1t_0, \ldots , t_{n - 1} respectively do on various subcubes of B\mathcal{B}_{\ell^*} (and zero-fills the remaining vertices).

We now fix a list of sum claims, each of the form

sj,0=?vBjtj(v)Aj(v).\begin{equation*}s_{j, 0} \stackrel{?}= \sum_{v \in \mathcal{B}_{\ell_j}} t_j(v) \cdot A_j(v).\end{equation*}

Here, the Aj(X0,,Xj1)A_j(X_0, \ldots , X_{\ell_j - 1}) are further transparent polynomials that arise during the ring-switching reduction. We don't need to worry what these polynomials even are for the purposes of this page; we merely need the fact that they're transparent (i.e., efficiently evaluable by the verifier at any given point).

Our goal in this page will be to jointly evaluate all of these sum claims. Our algorithm will essentially run FRI, our front-loaded sumcheck, and our piecewise evaluation procedure together, in an interleaved way, and using just one stream of random challenges for all three algorithms.

Some Preliminaries

We now record our evaluation protocol. We drop a slightly simplified variant in which a certain oracle skipping optimization is omitted. (We refer to [DP24, § 6.2] for a description of this optimization.)

We write f(0):S(0)Tτf^{(0)} : S^{(0)} \to \mathcal{T}_\tau for the result of the prover's initial commitment. Here, S(0)TτS^{(0)} \subset \mathcal{T}_\tau is a Reed–Solomon domain of size 2+R2^{\ell^* + \mathcal{R}}. We moreover fix the usual sequence of further FRI domains S(0),,S()S^{(0)}, \ldots , S^{(\ell^*)}, as well as the 2-to-1 folding maps q(i):S(i)S(i+1)q^{(i)} : S^{(i)} \to S^{(i + 1)}. Using these, we get a FRI folding procedure, which, given a word f(i):S(i)Tτf^{(i)} : S^{(i)} \to \mathcal{T}_\tau and a folding challenge riTτr_i \in \mathcal{T}_\tau, produces a folded word f(i+1)fold(f(i),ri)f^{(i + 1)} \coloneqq \mathsf{fold}(f^{(i)}, r_i), a map f(i+1):S(i+1)Tτf^{(i + 1)} : S^{(i + 1)} \to \mathcal{T}_\tau.

We moreover use a notational device which we've already used in the previous two pages. We assume as usual that the polynomials t0,,tn1t_0, \ldots , t_{n - 1} are arranged in sorted order, so that 0n1\ell_0 \geq \cdots \geq \ell_{n - 1} holds. Moreover, for each j{0,,}j \in \{0, \ldots , \ell^*\}, we are going to write ji{0,,n}j_i \in \{0, \ldots , n\} for the minimal j{0,,n}j \in \{0, \ldots , n\} for which ji\ell_j \leq i holds. We note that j=0j_{\ell^*} = 0 necessarily holds; moreover, j0=nj_0 = n will too, provided we assume that each j\ell_j is positive—which we do now. Finally, the elements j0jj_0 \geq \cdots \geq j_{\ell^*} will be nonincreasing.

The Steps

Here is our algorithm. Again, to reiterate, we are trying to batch-process a list of sum claims of the form

sj,0=?vBjtj(v)Aj(v),\begin{equation*}s_{j, 0} \stackrel{?}= \sum_{v \in \mathcal{B}_{\ell_j}} t_j(v) \cdot A_j(v),\end{equation*}

where the tj(X0,,Xj1)t_j(X_0, \ldots , X_{\ell_j - 1}) are batch-committed and the Aj(X0,,Xj1)A_j(X_0, \ldots , X_{\ell_j - 1}) are transparent. The verifier initializes claim datastructures T0,,Tn1T_0, \ldots , T_{n - 1}, each featuring .claim.\text{claim} and .next.\text{next} fields. The verifier initializes Tj.nextj+1T_j.\text{next} \coloneqq j + 1 for each j{0,,n1}j \in \{0, \ldots , n - 1\}.

Here we go:

  • The verifier samples a batching challenge αTτ\alpha \gets \mathcal{T}_\tau and sends it to the prover. As in the front-loaded sumcheck, the verifier computes the batched sum claim:
s0j=0n1αjsj,0.\begin{equation*}s^*_0 \coloneqq \sum_{j = 0}^{n - 1} \alpha^j \cdot s_{j, 0}.\end{equation*}
  • For each round j{0,,1}j \in \{0, \ldots , \ell^* - 1\}, the prover and verifier proceed as:
    • The prover computes the round polynomial gi(X)=j=0ji1αjvBji1Cj(r0,,ri1,X,v0,,vji2),\begin{equation*}g_i(X) = \sum_{j = 0}^{j_i - 1} \alpha^j \cdot \sum_{v \in \mathcal{B}_{\ell_j - i - 1}} C_j(r_0, \ldots , r_{i - 1}, X, v_0, \ldots , v_{\ell_j - i - 2}),\end{equation*} and sends it to the verifier. Here, the upper limit ji{0,,n}j_i \in \{0, \ldots , n\} is as we've already explained.
    • The verifier checks whether si=?gi(0)+gi(1)s^*_i \stackrel{?}= g_i(0) + g_i(1) holds.
    • The verifier samples riTτr_i \gets \mathcal{T}_\tau and sends it to the prover. The verifier moreover computes the updated sum claim: si+1gi(ri).\begin{equation*}s^*_{i + 1} \coloneqq g_i(r_i).\end{equation*}
    • The prover computes f(i+1)fold(f(i),ri)f^{(i + 1)} \coloneqq \mathsf{fold}(f^{(i)}, r_i), and commits f(i+1)f^{(i + 1)} to the string oracle (unless we're in the last round i=1i = \ell^* - 1, in which case the prover just sends the constant value cf()(0)c \coloneqq f^{(\ell)}(0)).
    • For each j{ji+1,,ji1}j \in \{j_{i + 1}, \ldots , j_i - 1\} (these are exactly the j{0,,n1}j \in \{0, \ldots , n - 1\} for which which j=i+1\ell_j = i + 1 holds), the prover nondeterministically sends the "now-ready" claimed evaluation bj,j=tj(r0,,ri).\begin{equation*}b_{j, \ell_j} = t_j(r_0, \ldots , r_i).\end{equation*}
    • Again for each j{ji+1,,ji1}j \in \{j_{i + 1}, \ldots , j_i - 1\}, the verifier does the following things:
      • It mutates si+1=αjbj,jAj(r0,,ri).\begin{equation*}s^*_{i + 1} \mathrel{-}= \alpha^j \cdot b_{j, \ell_j} \cdot A_j(r_0, \ldots , r_i).\end{equation*} The quantity Aj(r0,,ri)A_j(r_0, \ldots , r_i) it just computes directly, which it can, since it's transparent.
      • It moreover marks: Tj.claimbj,j.\begin{equation*}T_j.\text{claim} \coloneqq b_{j, \ell_j}.\end{equation*}
    • Now, the verifier kicks off a "smoothing" step for lower-dimensional subcubes. It initializes kjik \coloneqq j_i, and then runs the following loop. While k<nk < n:
      • The verifier sets c0Tk.claimc_0 \coloneqq T_k.\text{claim}.
      • If Tk.next<nT_k.\text{next} < n, then the verifier sets c1Tk.next.claimc_1 \coloneqq T_k.\text{next}.\text{claim} and overwrites Tk.next=Tk.next.nextT_k.\text{next} = T_k.\text{next}.\text{next}. Otherwise, the verifier sets c10c_1 \coloneqq 0.
      • In any case, the verifier overwrites Tk.claim=(1ri)c0+ric1T_k.\text{claim} = (1 - r_i) \cdot c_0 + r_i \cdot c_1, and also updates k=Tk.nextk = T_k.\text{next}.
  • At the very end, the verifier requires s=?0s^*_{\ell^*} \stackrel{?}= 0.
  • The verifier moreover requires c=?T0.claimc \stackrel{?}= T_0.\text{claim}, where cc is the final constant FRI value.
  • The verifier kicks off FRI querying.

Security Claim

The claim is that if the verifier accepts all of its checks above, then (except with low probability) all of the individual sum claims sj,0=?vBjtj(v)Aj(v)s_{j, 0} \stackrel{?}= \sum_{v \in \mathcal{B}_{\ell_j}} t_j(v) \cdot A_j(v) were valid. The security proof is not simple, but it combines essentially the respective security proofs of FRI, front-loaded sumcheck, and piecewise evaluation. A rigorous treatment of a simpler case–in which just one polynomial is being committed—can be found in [DP24, § 3.3].