polynomial iops for linear algebra relationsa polynomial iop is the abstract proof system tailored...
TRANSCRIPT
Polynomial IOPs for Linear Algebra Relations
Alan Szepieniec Yuncong [email protected] [email protected]
Nervos Foundation Shanghai Jiao Tong University
Abstract. This paper proposes new Polynomial IOPs for arithmetic cir-cuits. They rely on the monomial coefficient basis to represent the matri-ces and vectors arising from the arithmetic constraint satisfaction system,and build on new protocols for establishing the correct computation oflinear algebra relations such as matrix-vector products and Hadamardproducts. Our protocols give rise to concrete proof systems with succinctverification when compiled down with a cryptographic compiler whoserole is abstracted away in this paper. Depending only on the compiler,the resulting SNARKs are either transparent or rely on a trusted setup.
Keywords: SNARK · Polynomial IOP · Zero-Knowledge · Succinct Ver-ification
1 Introduction
Succinct Non-Interactive Arguments of Knowledge (SNARKs) enable a resource-constrained verifier to cryptographically verify the authentic computations of anuntrusted prover. The technology is particularly well-suited to the cryptocur-rency setting, where participants are typically anonymous, untrusted, and wherethe success of the network depends on the capability of lightweight nodes to ver-ify the network’s consensus (however that is defined). In this setting, there is alarge monetary incentive for malicious behavior.
Despite the flurry of rapid related and unrelated developments by diverseparties, two trends are emerging as good practice in this domain.
1. Functional separation in the compilation pipeline. The compilation processfor general purpose zero-knowledge proofs is separated into multiple stepswith clear boundaries. At the input of this pipeline is a computation, rep-resented either as program source code or as a circuit. A technique calledarithmetization turns this computation into a constraint system involvingnative operations over a finite field. The next step transforms this constraintsystem into an abstract proof system between two parties, prover P andverifier V, that are interactive Turing machines with access to unrealisticor unrealizable resources such as PCP oracles. The abstract proof systemsin this step typically achieve statistical or even perfect security. In the laststep, the cryptographic compilation, the unrealistic resources are replacedby cryptographic approximations that achieve the same functionality at theexpense of introducing computational hardness assumptions for security.
2. Polynomial IOP formalism. The abstract information-theoretical proof sys-tem in the step before cryptographic compilation could in principle rely ona variety of unrealistic resources, and build a sound proof system from theirmathematical properties. However, for the purpose establishing soundness,the Schwartz-Zippel lemma is an indispensable tool. The strategy is to re-duce the satisfaction of arithmetic constraints arising from the constraintsystem to series of identities of low-degree polynomials. By evaluating thesepolynomials in random points, their equality is tested probabilistically. Ifthe left and right hand sides of an equation represent identical polynomi-als, they are identical everywhere, but if they are unequal they are differentalmost everywhere. The Schwartz-Zippel lemma provides an exact concretequantification of the security lost due to this probabilistic approximation.A Polynomial IOP is the abstract proof system tailored to this strategy. Inthis formalism, the prover sends low degree polynomials to the verifier, andrather than reading the entire list of coefficients, the verifier queries thesepolynomials in a given point through an oracle interface. The cryptographiccompiler uses a polynomial commitment scheme to simulate this unrealisticresource.
These trends are visible in the rise of universal SNARKs with universal andupdatable structured reference strings (SRS’s) such as Sonic [11], PLONK [8],and Marlin [7]. The common idea here is to use the cryptographic pairing-basedmathematics only to realize polynomial commitment scheme, typically the KZGscheme [10]. Since the SRS is used only for the KZG scheme, it is independent ofthe preceding abstract proof system and the circuit it encodes; this independenceis precisely what enables updates to the SRS and its adaptation to any circuit.PLONK and Marlin independently formalize this abstraction and introduce theterms Polynomial Protocol and Algebraic Holographic Proof (AHP), respectively.This paper adopts the terminology of Bunz et al. [6], who introduce a newpolynomial commitment scheme (and hence a cryptographic compiler) based ongroups of unknown order and in the process explore the landscape of protocolsit can apply to.
These trends are also visible in the rise of IOPs based on Reed-Solomoncodes [1,4,3]. The underlying abstract protocols here are not explicitly Poly-nomial IOPs. However, their common feature is the reliance on Reed-Solomoncodewords as the proof oracles. Since Reed-Solomon codewords are obtained byevaluating polynomials in a domain of points whose cardinality is larger thanthe polynomials’ degree, these proof oracles uniquely identify the originatinglow-degree polynomials. As a result, a Reed-Solomon IOP is a Polynomial IOPin disguise.
Despite the spontaneous convergence onto Polynomial IOPs as a useful for-malism, there seems to be little agreement about the optimal interface betweenPolynomial IOPs and the arithmetic constraint systems that they realize. Arith-metic constraint systems typically express constraints using matrix algebra: interms of vectors, and matrix multiplication, but also Hadamard products, whichis a fancy word for the element-wise products of pairs of equal-length vectors. The
2
set of operations that Polynomial IOPs natively offer are somewhat different. Asa result, how the Polynomial IOP represents the objects in the arithmetic con-straint system and how it simulates the equations that constrain them, are thekey questions in the design process of Polynomial IOPs. The various answers tothese questions are what set the various Polynomial IOPs for arithmetic circuitsapart.
– Marlin and Aurora represent the objects of the arithmetic constraint system asthe Reed-Solomon codewords of polynomials. Standard techniques establishthe correct computation of a Hadamard product of such codewords. Thecomputation of a linear transform applied to such a codeword is reduced tochecking the sum of a related codeword.
– PLONK represents the vector of wire values as the values of a polynomialin a domain of points. A permutation argument establishes the assignmentof wires to gates and the standard techniques for Reed-Solomon codewordsestablish the consistency of inputs and outputs to addition and multiplicationgates.
– Sonic represents the vectors of left, right, and output wires of a series ofmultiplication gates as the coefficient vectors of three polynomials. The con-sistency of these multiplication gates, and of a linear transform, is establishedby checking several properties of bivariate polynomials. The paper further-more explains under which conditions these bivariate polynomials can besimulated with univariate ones.
Contributions. In this paper we propose a collection of new Polynomial IOPsfor arithmetic circuits called Claymore1. Succinct verification is achieved with anuntrusted preprocessing phase. When compiled down using any polynomial com-mitment scheme, the result is a concrete zk-SNARK with universal updatablestructured reference string, or transparent setup, depending only on the natureof the polynomial commitment scheme.
The arithmetic constraint system chosen to represent the arithmetic circuitis the Hadamard Product Relation (HPR), in which the witness consists of threevectors representing the left, right, and output wires of a list of multiplicationgates. We note that Sonic realizes a similar constraint satisfaction relation byreducing both the multplication and linear constraints into one large equation. InClaymore, the multiplication gate consistency and linear consistency are achievedin two separate steps, both of which rely on a collection of subprotocols for linearalgebra relations that we develop along the way. The separate steps are latermerged as an explicit optimization.
While the concrete cryptographic compilation is abstracted away, it is possi-ble to make arguments regarding the size of concrete proofs based on the com-munication complexity of the Polynomial IOP. In this respect, the dense variantof Claymore stands out as the number of polynomials transmitted in the onlinephase is only 4 – down 33.3% from the runner-up PLONK, whose number stands
1 A type of Scottish sword.
3
at 6. As a result, if the number of polynomials in the transcript is the dominantfactor of proof size, then Claymore will result in the smallest proofs.
There is a price to pay for this brevity: the degree of the largest-degree poly-nomial is much larger. For DenseClaymore this degree scales with roughly O(n2),where n is the size of the witness. Depending on the concrete cryptographiccompiler, this behavior is either a minor inconvenience, or a complete blockade,for SNARKifying large enough circuits. Alternatives such as PLONK and Marlinachieve O(n) scaling.
A question that arises when using the monomial coefficient basis, is whetherthis basis is equipped to deal with the sparse linear transformations that typicallycome from long-winded computations. We answer this question positively byproviding methods for dealing with sparse linear algebra relations, culminatingin a sparse variant of Claymore. This variant concretely outperforms Marlin interms of the number of polynomials in the transcript. While this number issmaller still for PLONK, one notes that PLONK does not support arbitrary fan-in for linear constraints, whereas Marlin and Claymore (both variants) do.
Motivation and applications. The motivation for this work is chiefly theoretical.By studying the interface between arithmetic circuits and Polynomial IOPs inisolation of other constraints and demands, we develop a protocol that achievesits target functionality exactly. As a result of this focus, our protocol is arguablysimpler than other protocols that achieve nominally the same thing. Complexityis the friend of mistakes, and our protocol may therefore be the preferred optionfor this reason even in circumstances where it is inferior in terms of performance.However, it is by no means clear that Claymore does perform worse in the generalcase, because this comparison is highly dependent on the parameters of thesituation.
When used in combination with a cryptographic compiler whereby the num-ber of polynomials in the transcript dominates the proof size, DenseClaymoreyields in the smallest proofs. As a result, DenseClaymore should be the SNARKof choice in settings where the bandwidth is the most critical optimization tar-get. Blockchains naturally satisfy this description when they have a fixed blockrate and size.
Furthermore, the dense variant of Claymore performs extremely well for shal-low arithmetic circuits, such as the verification circuits of lattice-based andMQ-based signature schemes, which typically involve operations on large ma-trices and vectors over a small finite field. As a result, a DenseClaymore-SNARKis an outstanding candidate for achieving post-quantum signature aggregation— or indeed, post-quantum signatures with various fancy properties that zero-knowledge proofs enable.
Using SNARKs in combination with other cryptographic tools points to auseful property that SNARKs frequently lack — they typically require a fi-nite field with a particular structure, such as a large multiplicative subgroupof smooth order. Sonic, Marlin, and PLONK all have this property. Using theSNARK in combination with a different cryptosystem that requires an incom-patible field, requires the SNARK to simulate the cryptosystem’s field operations
4
using the arithmetic constraint system of the SNARK. In contrast, Claymore in-duces no such costly simulation overhead as it works for any finite field.
The protocols proposed here promote simplicity by adopting a modular ap-proach. However, we observe that once the basic protocol has been composed,there are available optimizations that improve its characteristics at the cost ofviolating the boundaries between modules. This observation highlights the util-ity of separating design from optimization considerations. Note that it is only theoptimized SparseClaymore protocol that outperforms Marlin in the target met-ric, number of polynomials. The unoptimized version is inferior in all respects.Furthermore, optimized Claymore admits a proof of zero-knowledge that is sim-pler and more straightforward than the equivalent for the unoptimized version.Lastly, the optimizations stand on their own, and can possibly improve otherPolynomial IOPs beyond Claymore.
2 Preliminaries
2.1 Indexed Relations
Owing to their convenience, we use indexed relations [7]. An indexed relationis a set R of tuples (i,x,w), whose three components are called the index, in-stance, and witness, respectively. The separation between index and instancecaptures the intuition that some properties of concrete proofs for R should becomputable from i even before x is known. For instance, i can be the descrip-tion of an arithmetic circuit, x the values of the output wires, and w an assign-ment of values to all wires that makes the all gates consistent. The projection{(i,x) | (i,x,w) ∈ R} of triples inR onto the first two components is the indexedlanguage corresponding to R and is denoted by L(R).
2.2 Constraint Systems
A constraint system is a representation of a computation in terms of equationswith unknown variables. When there is an assignment to the unknown variablesthat satisfies all equations, we say the constraint system is satisfiable, and thisassignment is the witness. The index determines all fixed constants in the equa-tions, and the instance determines known variables that can vary independentlyof the index but are ultimately known by all parties involved.
The following constraint system is adapted from Bootle et al. [5].
Definition 1 (Hadamard Product Relation (HPR)). Let F be a finitefield. A triple (i, x, w) where i = (m,n,M) with m,n ∈ N, and M ∈ Fm×(1+3n),where x = x ∈ Fm, and where w = (wl,wr,wo) ∈ Fn × Fn × Fn; satisfies theHadamard Product Relation iff both
x = M
1wl
wr
wo
(1)
5
andwl ◦wr = wo , (2)
where ◦ denotes the Hadamard (i.e., entry-wise) product; and in this case wewrite (i,x,w) ∈ RHPR.
2.3 Interactive Proof Systems
Definition 2 (Interactive Proof System). Let R be an indexed relationwith corresponding relation language L(R). An interactive proof system is apair (P,V) of stateful interactive Turing machines such that: the input to P is(i,x,w), the input to V is (i,x); P and V exchange r = r(|i|) messages in total;and in the last step of the protocol V outputs a single bit b ∈ {>,⊥}. The systemsatisfies two more properties:
– Completeness — V accepts members of L(R): (i,x) ∈ L(R)⇒ b = >.– Soundness (with soundness error σ) — V rejects non-members of L(R) ex-
cept with probability at most σ taken over the all random coins involved:Pr[(i,x) 6∈ L(R)⇒ b = ⊥] ≥ 1− σ.
Soundness becomes a moot point when for the given index i every instance xhas a matching witness w such that (i,x,w) ∈ R. In this case a stronger notioncalled knowledge soundness [2] is preferred, which informally requires that anyadversary that successfully convinces the verifier can be made to leak a witnessby an extractor machine that has the same interface as the verifier but canadditionally reset the adversary to an earlier point in time without forgettingthe observed transcripts. In our context, all witnesses are encoded into oracles,and the prover displays knowledge of them simply by providing the oracles tothe verifier. As a result, at our level of abstraction, knowledge soundness followsautomatically from soundness. When the oracles are simulated by a concretecryptographic tool, knowledge soundness becomes an important considerationthat is not automatically satisfied. However, this cryptographic instantiation isbeyond the scope of this paper.
A proof system is zero-knowledge [9] if, informally, an authentic transcriptcould have been produced by an adversary who is ignorant of the witness. Moreformally, the distribution of authentic transcripts must be sampleable with publicinformation only.
Definition 3 (Honest-Verifier Zero-Knowledge). Let R be an indexed re-lation and let (P,V) be a proof system for R. Let tr ← 〈P(i,x,w),V(i,x)〉 denotethe assignment to the variable tr of the transcript arising from the interactionbetween P with input (i,x,w) and V with input (i,x). The proof system (P,V) ishonest-verifier zero-knowledge if there exists a polynomial-time Turing machineS such that the distribution D0 of authentic transcripts tr ← 〈P(i,x,w),V(i,x)〉,is identical to the distribution D1 of simulated transcripts tr ← S(i,x). WhenD0 and D1 are distinct, we consider the statistical distance and use the termStatistical Honest-Verifier Zero-Knowledge.
6
2.4 Polynomial IOP
Informally, a Polynomial IOP is an abstract proof system, where the proversends polynomials and the verifier, instead of reading the polynomials in theirentirety, is allowed to query the polynomial as oracles in select points.
Definition 4 (Polynomial IOP). Let R be an indexed relation with corre-sponding indexed language L(R), F some finite field, and d ∈ N a degree bound.A Polynomial IOP for R with degree bound d is a pair of interactive machines(P,V), satisfying the following description.
– (P,V) is an interactive proof for L(R) with r rounds, and with soundnesserror σ.
– P sends polynomials fi(X) ∈ F[X] of degree at most d to V.
– V is an oracle machine with access to a list of oracles, which contains oneoracle for each polynomial it has received from the prover.
– When an oracle associated with a polynomial fi(X) is queried on a pointzj ∈ F, the oracle responds with the value fi(zj).
– V sends challenges αk ∈ F to P.
– V is public coin.
In Appendix A we provide this alternative definition along with a transfor-mation between definitions to establish their equivalence. This transformationdoes lose some generality: queries in zj = 0 are not allowed and the sound-ness error increases by at most q · maxidi−minidi
|F|−1 , where q is the total number of
queries. However, these restrictions are not significant for typical applications ofPolynomial IOPs, where the field F is large.
With a minor extension, Polynomial IOPs can appropriately capture pre-processing. This extension introduces third machine, the indexer I. As its namesuggest, I reads only i, and it outputs a list of polynomials to which V has oracleaccess.
Definition 5 (Polynomial IOP with Preprocessing). Let R be an indexedrelation with corresponding language L(R). A Polynomial IOP with Preprocess-ing is a tuple of interactive machines (I,P,V) such that (P,V) is a PolynomialIOP for L(R) and such that
– I takes i for input and outputs a list of polynomials of degree at most d;
– V has oracle access to these polynomials in addition to the polynomials itreceives from P.
Some of the Polynomial IOPs in this paper are designed for modular com-position. As a result, V does not begin with an empty list of polynomial oracles.In order to define the relations that these Polynomial IOPs realize, we denoteby [fi(X)] a polynomial fi(X) that was sent to V by I or P at some earlier stageand to which V has oracle access.
7
3 Dense Linear Algebra Relations
3.1 Inner Product
Bunz et al. [6] are the first to sketch a Polynomial IOP that realizes an innerproduct relation between two vectors. Our variant improves on this protocol asit involves one polynomial less. This optimization comes at the cost of doublingthe maximum degree and increasing the number of points of evaluation. For oddorder fields, the degree doubling can be avoided.
Formally, the relation realized by both protocols is
Rip =
(i,x,w)
∣∣∣∣∣∣∣∣∣∣∣∣
i = dx = ([fa(X)], [fb(X)], c)w = (fa(X), fb(X))
fa(X) =∑di=0 aiX
i
fb(X) =∑di=0 biX
i
c =∑di=0 aibi
. (3)
description: decides L(Rip)inputs: i : dinputs: x : ([fa(X)], [fb(X)], c)inputs: w : (fa(X), fb(X))begin
P computes h(X)← fa(X2) · fb(X−2) ·X2d + fa(X−2) · fb(X2) ·X2d+1
P computes h(X)← h(X) mod X2d
P sends h(X) of degree at most 2d− 1 to V
V samples z$←− F\{0} and queries ([fa(X)], [fb(X)], [h(X)]) in (z2, z2, z)
and in (z−2, z−2, z−1)V receives ya = fa(z2), y∗a = fa(z−2), yb = fb(z
2), y∗b = fb(z−2),
yh = h(z), and y∗h = h(z−1)
V tests yh + z2d · c+ z2d+1 · c+ z4d+1 · y∗h?= ya · y∗b · z2d + y∗a · yb · z2d+1
Protocol 1: InnerProduct
Theorem 1 (Security of InnerProduct). Protocol InnerProduct of Protocol 2 isa Polynomial IOP for L(Rip) with completeness and soundness with soundnesserror σ = 4d+1
|F|−1 .
Proof. The protocol revolves around the symmetric polynomial identity
h(X) +X2d · c+X2d+1 · c+X4d+1 · h(X−1) =
fa(X2) · fb(X−2) ·X2d + fa(X−2) · fb(X2) ·X2d+1 . (4)
8
The verifier tests this identity by sampling left and right hand sides in a randompoint z. Since this is an identity whenever c = aTb, completeness follows. Forsoundness, consider when the test passes but the left and right hand sides of (4)are unequal. There are at most 4d + 1 points z where left and right hand sidesare equal, since both hands are bounded by this degree. By the Schwartz-Zippellemma, the probability of a false accept is σ = 4d+1
|F|−1 . ut
Note that for odd characteristic fields, it is possible to avoid interleaving thecoefficients and rely instead on the simpler symmetric polynomial identity
h(X) +Xd · 2 · c+X2d · h(X−1) =
fa(X) · fb(X−1) ·Xd + fa(X−1) · fb(X) ·Xd . (5)
We proceed in this paper with the interleaving variant in order to avoid loss ofgenerality.
3.2 Batched Inner Product
We can batch multiple invocations of protocol InnerProduct into a single proto-col that requires the prover to send only one polynomial oracle. Formally, therelation is given by
Rbip =
(i,x,w)
∣∣∣∣∣∣∣∣∣∣∣∣∣
i = (m, d)x = {([fai
(X)], [fbi(X)], ci)}mi=1
w = {(fai(X), fbi(X))}mi=1
fai(X) =
∑dj=0 aijX
i
fbi(X) =∑dj=0 bijX
i
ci =∑dj=0 aijbij
. (6)
Theorem 2 (Security of BatchedInnerProduct). Protocol BatchedInnerProductof Protocol 2 is a Polynomial IOP for L(Rbip) with completeness and soundnesswith soundness error σ = m+4d+1
|F|−1 .
Proof. Let H(X,Y ) =∑mi=1 hi(X) · Y i−1 and H(X,Y ) = H(X,Y ) mod X2d.
Note that h(X) = H(X,α).The protocol revolves around the symmetric polynomial identity
H(X,Y ) +
m∑i=1
(X2d · ci +X2d+1 · ci) · Y i−1 +X4d+1 · H(X−1, Y ) =
m∑i=1
(fai(X2) · fbi(X−2) ·X2d + fai
(X−2) · fbi(X2) ·X2d+1) · Y i−1 . (7)
The verifier tests this identity by sampling left and right hand sides in arandom point (z, α). Since this is an identity whenever ci = aT
i bi for all i from 1
9
description: decides L(Rbip)inputs: i : (m, d)inputs: x : {([fai(X)], [fbi(X)], ci)}mi=1
inputs: w : {(fai(X), fbi(X))}mi=1
begin
P computes hi(X)← fai(X2) · fbi(X
−2) ·X2d + fai(X−2) · fbi(X
2) ·X2d+1
for i from 1 to mV samples α
$←− F\{0} and sends α to PP computes h(X)←
∑mi=1 hi(X) · αi−1 mod X2d
P sends h(X) of degree at most 2d− 1 to V
V samples z$←− F\{0} and queries ({([fai(X)], [fbi(X)])}mi=1, [h(X)]) in
({z2, z2}mi=1, z) and in ({z−2, z−2}mi=1, z−1)
V receives ya,i = fai(z2), y∗a,i = fa(z−2), yb,i = fbi(z
2), y∗b,i = fbi(z−2) for
i from 1 to m, and yh = h(z), y∗h = h(z−1)
V tests yh +∑m
i=1(z2d · ci + z2d+1 · ci) · αi−1 + z4d+1 · y∗h?=∑m
i=1(ya,i · y∗b,i · z2d + y∗a,i · yb,i · z2d+1) · αi−1
Protocol 2: BatchedInnerProduct
to m, completeness follows. For soundness, consider when the test passes but theleft and right hand sides of (7) are unequal. For any H(X,Y ), there are at mostm + 4d + 1 points (z, α) where left and right hand sides are equal, since bothhands are bounded by this degree. By the (two-dimensional) Schwartz-Zippellemma, the probability of a false accept is σ = m+4d+1
|F|−1 . ut
3.3 Modular Reduction
We start with a protocol that will be used as a subprotocol in the sequel. Thisprotocol establishes that one polynomial, r(X), is the remainder after division ofa second polynomial f(X), by a third, d(X). This third polynomial is assumedto be known, but the protocol can be naturally amended to allow V only oracleaccess to [d(X)]. Formally, the relation is given by
Rreduce =
(i,x,w)
∣∣∣∣∣∣∣∣∣∣∣∣
i = (df , dr)x = ([f(X)], [r(X)], d(X))w = (f(X), r(X))∃q(X) ∈ F[X] . f(X) = q(X) · d(X) + r(X)deg(f) ≤ dfdeg(r) ≤ dr
. (8)
Theorem 3 (Security of ModReduce). Protocol ModReduce of Protocol 3 is aPolynomial IOP for L(Rreduce) with completeness and soundness with soundnesserror σ = df/|F|.
Proof. completeness follows from construction: dividing f(X) by d(X) gives quo-tient q(X) and remainder r(X). Therefore, f(X) = q(X) · d(X) + r(X) is an
10
description: decides L(Rreduce)inputs: i : (df , dr)inputs: x : ([f(X)], [r(X)], d(X))inputs: w : (f(X), r(X))begin
P computes q such that f(X) = q(X) · d(X) + r(X)P sends q(X) of degree at most df − deg(d) to V
V samples z$←− F\{0} and queries [f(X)], [q(X)], and [r(X)] in z
V receives yf = f(z), yq = q(z), and yr = r(z)
V tests yf?= yq · d(z) + yr
Protocol 3: ModReduce
identity of polynomials and guaranteed to hold everywhere including in the pointz.
For soundness, observe that when r(X) 6≡ f(X) mod d(X) then d(X) doesnot divide f(X)− r(X). As a result, f(X) 6= q(X) ·d(X) + r(X) is an inequalityof polynomials with degree deg(d) + deg(q) = df . Due to the Schwartz-Zippellemma, the left and right hand sides can evaluate to the same value in at mostdf choices for z. The probability of V accepting when r(X) 6≡ f(X) mod d(X) istherefore σ = df/|F|.
What is left to argue is that P fails to convince V when the congruencer(X) ≡ f(X) mod d(X) holds, but r(X) is not equal to the remainder afterdivision of f(X) by d(X). The representatives of the congruence class of r(X) areapart by polynomials of degree at least deg(d), there is only one representativeof degree at most dr < deg(d). The index value dr therefore already constrainsr(X) to a unique polynomial. ut
3.4 Matrix-Vector Product
The next protocol involves two polynomials that represent vectors in the mono-mial coefficient basis. It establishes that the one vector is the result of applyinga linear transformation to the other. This linear transformation itself can beknown and computed explicitly by the verifier. However, for succinct verifiers itis more appealing to encode this matrix into a polynomial oracle. Depending onthe context, either the protocol’s preprocessing phase produces this oracle, oranother external protocol does.
Specifically Let a ∈ Fn and b ∈ Fm and M ∈ Fm×n with the element in row iand column j (both indices starting at zero) indexed as M[i,j]. These objects arerepresented as polynomials with a[i] being ith element of a and simultaneouslythe coefficient of the monomial Xi in fa(X), and similarly for b, b[i], and fb(X).When encoded into polynomial form, the matrix is encoded in row-first order,specifically fM (X) =
∑m−1i=0
∑n−1j=0 M[i,j]X
in+j . The protocol establishes that
11
b = Ma. Formally, the relation is given by
Rmvp =
(i,x,w)
∣∣∣∣∣∣∣∣∣∣∣∣
i = (m,n,M)x = ([fa(X)], [fb(X)])w = (fa(X), fb(X))
fa(X) =∑n−1i=0 a[i]X
i for somea ∈ Fn
fb(X) =∑m−1i=0 b[i]X
i for some b ∈ Fmb = Ma
. (9)
description: decides L(Rmvp)inputs: i : (m,n,M)inputs: x : ([fa(X)], [fb(X)])inputs: w : (fa(X), fb(X))// pre-processingbegin
I computes fM (X)←∑m−1
i=0
∑n−1j=0 M[i,j]X
in+j
I sends fM (X) of degree at most mn− 1 to P and V
begin
V samples α$←− F and sends α to P
P computes r(X)← fM (X)modXn − αP sends r(X) of degree at most n− 1 to VP and V run ModReduce with i
(1) = (mn− 1, n− 1),x(1) = ([fM (X)], [r(X)], Xn − α), and w
(1) = (fM (X), r(X))V queries [fb(X)] in α and receives yαTb = fb(α)P and V run InnerProduct with i
(2) = n− 1, x(2) = ([r(X)], [fa(X)], yαTb),and w
(2) = (r(X), fa(X))
Protocol 4: DenseMVP
Theorem 4 (Security of DenseMVP). Protocol DenseMVP of Protocol 4 is aPolynomial IOP for L(Rmvp) with completeness and soundness with soundnesserror σ = mn+m+4n−5
|F|−1 .
12
Proof. Let αT = (α0, α1, · · · ) and rT = αTM , and consider the equations
b = Ma (10)
αTb = αTMa (11)
m−1∑i=0
αib[i] = rTa (12)
fb(α) =
n−1∑i=0
r[i]a[i] (13)
yαTb = coeffs(r(X)) · coeffs(fa(X)) (14)
(i(2),x(2)) = (n− 1, ([r(X)], [fa(X)], yαTb)) ∈ L(Rip) . (15)
Furthermore, observe that the coefficient vector of r(X) matches r, by substi-tuting Xn by α in the expression for fM (X):
m−1∑i=0
n−1∑j=0
M[i,j]Xin+j Xn 7→α−−−−→ r(X) =
m−1∑i=0
n−1∑j=0
M[i,j]αiXj (16)
=
n−1∑j=0
(m−1∑i=0
M[i,j]αi
)Xj (17)
=
n−1∑j=0
r[j]Xj . (18)
Completeness follows from the implications (10) ⇒ (11) ⇔ (12) ⇔ (13) ⇒ (14)⇒ (15).
For soundness, there are 3 events that can cause V to accept despite b 6= Ma:
1. (10) 6⇐ (11). The probability of this event is at most m−1|F|−1 due to the
Schwartz-Zippel lemma.2. (13) 6⇐ (14) because r(X) is not the remainder of fM (X) after division byXn − α. The probability of this event is at most mn−1
|F| , the soundness error
of ModReduce.3. (14) 6⇐ (15), because yαTb is not the inner product of the coefficient vectors ofr(X) and fa(X). The probability of this event is at most 4n−3
|F| , the soundness
error of InnerProduct.
By the union bound, the soundness error of DenseMVP is bounded by σ =mn+m+4n−5|F|−1 . ut
Note that after unrolling, the verifier the DenseMVP protocol tests two poly-nomial identities. One arises from expanding ModReduce, and the other arisesfrom InnerProduct. Both polynomial identities involve the polynomial r(X), andas a result it can be eliminated and the identities merged. We present the un-rolled and optimized version in Appendix C.1.
13
To see that this merger has no effect on soundness, observe that the inequalitylhs1 6= lhs2 implies r(X) 6= lhs1 or r(X) 6= lhs2. The verifier therefore acceptsthis false instance with a probability bounded by the same soundness error asthe unoptimized protocol. This optimization strategy translates more generallyto (some) other Polynomial IOPs: to eliminate a polynomial that is common totwo identities, move it to the right hand side and then equate both left handsides.
3.5 Hadamard Product
The next protocol establishes that the Hadamard (or component-wise) productof two vectors is equal to a third. These vectors are represented as the coefficientvectors of polynomials fa(X), fb(X), and fc(X) such that c = a◦b and a, b, c ∈Fd+1. The protocol relies on the fact that c = a ◦ b implies αT(a ◦ b) = αTc for
all vectors α. In other words, one can simply sample a random scalar α$←− F, and
check the inner product of α ·a with b against the inner product αTc. Note thatthe right hand side of this check amounts to fc(α) and the operands in the lefthand side amount to the coefficient vectors of fa(αX) and fb(X), respectively.Formally, the relation is given by
Rhadamard =
(i,x,w)
∣∣∣∣∣∣∣∣i = dx = ([fa(X)], [fb(X)], [fc(X)])w = (fa(X), fb(X), fc(X))∀i ∈ {0, . . . , d} . aibi = ci
. (19)
description: decides L(Rhadamard)inputs: i: dinputs: x: [fa(X)], [fb(X)], [fc(X)]inputs: w: fa(X), fb(X), fc(X)begin
V samples α$←− F\{0} and sends α to P
P evaluates y ← fc(α)V queries [fc(X)] in α and receives y = fc(α)P and V run InnerProduct with i
(1) = d, x(1) = ([fa(αX)], [fb(X)], y),w
(1) = (fa(αX), fb(X)), where V simulates [fa(αX)] using [fa(X)] andthe scalar α
Protocol 5: Hadamard
Theorem 5 (Security of Hadamard). Protocol Hadamard of Protocol 9 is aPolynomial IOP for L(Rhadamard) with completeness and soundness with sound-ness error σ = (5d + 1)/(|F| − 1).
14
Proof. Consider the following sequence of equations.
a ◦ b = c (20)
αT · (a ◦ b) = αT · c (21)
d∑i=0
(αia[i])b[i] =
d∑i=0
αic[i] (22)
coeffs(fa(αX)) · coeffs(fb(X)) = fc(α) (23)
coeffs(fa(αX)) · coeffs(fb(X)) = y (24)
(i,x) = (d, ([fa(αX)], [fb(X)], y)) ∈ L(RInnerProduct) (25)
Completeness follows from the sequence of implications (20) ⇒ (21) ⇔ (22)⇔ (23) ⇔ (24) ⇒ (25).
For soundness, consider when the reverse implications fail.
– (20) 6⇐ (21). This event happens with probability at most d/(|F|− 1) due tothe Schwartz-Zippel lemma.
– (24) 6⇐ (25). This event happens with probability at most (4d + 1)/(|F|−1),the soundness error of InnerProduct.
Therefore, the probability that V accepts even though a ◦ b 6= c is bounded byσ = (5d + 1)/(|F| − 1). ut
4 Sparse Linear Algebra Relations
The purpose of this section is to present an analogue of the DenseMVP Polyno-mial IOP but that works when the matrix M is represented sparsely, i.e., as alist of nonzero coefficients and their coordinates. The full, formal presentation ofthis protocol is rather lengthy, and so we defer it to Appendix B. Here we presentan intuitive, high-level overview with just enough detail so that the reader couldreconstruct the deferred formal presentation.
4.1 High-Level Overview
Let M ∈ Fm×n be a matrix with only K nonzero elements, such that it can berepresented as M =
∑K−1k=0 erow(k)e
Tcol(k) · val(k), where ei is the ith unit vector,
where row, col : N → N indicate the column and row of the kth element, andwhere val : N → F indicates its value. We detail a protocol to establish thaty = Mx. We first explain the steps from a high level point of view.
From MVP to bivariate polynomial evaluation. A key component of thedense matrix-vector multiplication protocol is the evaluation of (fM (X) mod Xn−α) at the point z, where fM (X) is the polynomial associated with the matrix
15
M , i.e., fM (X) =∑m−1i=0
∑n−1j=0 M[i,j]X
in+j . This step can equivalently be inter-
preted as the evaluation of the bivariate polynomial fM (X,Y ) =∑m−1i=0
∑n−1j=0 M[i,j]X
iY j
in the point (α, z). In other words, if we can achieve sparse bivariate polynomialevaluation, then we can achieve sparse matrix-vector products.
From bivariate polynomials to univariate monomial vectors. The re-duction goes one step further: it is possible to achieve sparse bivariate poly-nomial evaluation given a procedure that establishes that the vector of coef-ficients of a dense polynomial is the same as the vector of monomials of asparse univariate polynomial when evaluated in a given point. To see this,observe that a sparse bivariate polynomial f(X,Y ) =
∑K−1k=0 ckX
akY bk can
be evaluated in a point (x, y) using the polynomials fc(Z) =∑K−1k=0 ckX
k,
fx(X) =∑K−1k=0 xakXk, and fy(X) =
∑K−1k=0 ybkXk, simply by performing one
Hadamard and one InnerProduct subprotocol. This reduction does introduce aproblem, namely fx(X) and fy(X) cannot be known before V supplies x and y.So how does P commit to them, and how does V verify that the received oraclesmatch with the commitment?
From univariate monomial vector to bit matrix. Let’s focus on fx(X), asfy(X) proceeds analogously. This polynomial can be represented by a bit matrixB, which takes the value 1 in cells (ak, k) and 0 elsewhere. Let H = maxk ak,x = (x0, x, x2, . . . , xH−1)T, and z = (z0, z, z2, . . . , zK−1)T. Then B representsthe polynomial fx(X) since fx(z) = xBz.
From bit matrix to Lagrange and Vandermonde matrices. The idea isto decompose the matrix B ∈ FH×K as the product of two matrices, L ∈ FH×Hand R ∈ FH×K . Let H ⊂ F be a set of H distinct elements of F and ϕ : N→ Ha canonical mapping from {0, . . . ,H−1} to H. L is the Lagrange matrix, whosehth row is the coefficient vector of Lh(X), which is the Lagrange polynomialtaking the value 1 in ϕ(h) and 0 in all other points of H. Symbolically:
Lh(X) =
H−1∑i=0
L[h,i]Xi =
H−1∏i = 0i 6= h
X − ϕ(i)
ϕ(h)− ϕ(i). (26)
R is the Vandermonde matrix, whose rows are the (Hadamard) powers of (ϕ(ak))K−1k=0 .Specifically:
R =
1 1 · · · 1
ϕ(a0) ϕ(a1) · · · ϕ(aK−1)ϕ(a0)2 ϕ(a1)2 · · · ϕ(aK−1)2
...... · · ·
...ϕ(a0)H−1 ϕ(a1)H−1 · · · ϕ(aK−1)H−1
. (27)
16
To verify that LR = B, observe that the inner product between L[h,:] and R[:,k]
is equal to Lh(ϕ(ak)). When V provides (x, z) hoping to obtain xTBz, P willrespond with [xTL] and [Rz] (in polynomial form), and both proceed to anInnerProduct protocol. We will refer to these vectors as the Lagrange and Van-dermonde vectors, respectively. The next question is, how and against what doesV verify them?
Verifying the Lagrange vector. After sending x and receiving the vector(encoded as a polynomial oracle) [xTL], V sends γ to P, who responds with thevector [Lγ], where γ = (1, γ, γ2, . . . , γH−1)T. Let ZH(X) be the unique monicpolynomial of degree degree H−1 that vanishes on H. By repeating the equation
Lh(γ) · (γ − ϕ(h)) =ZH(γ)∏H−1
i = 0i 6= h
(ϕ(h)− ϕ(i))(28)
for every h, V can check Lγ using a Hadamard subprotocol, assuming that Por I previously committed to oracles for fϕ(X) =
∑H−1h=0 ϕ(h)Xh and fH(X) =∑H−1
h=0
(∏i∈{0...H−1}\{h}(ϕ(h)− ϕ(i))
)−1· Xh. The next step is to query the
oracles [xL] and [Lγ] in γ and x, respectively and verify that the responsesmatch.
Verifying the Vandermonde Vector. A similar technique allows V to verifythe Vandermonde vector. After sending z and receiving [Rz] back, V sends δ,and P responds with [δTR]. Next, V checks that for every k ∈ {0, . . . ,K − 1},(
H−1∑i=0
(δ · ϕ(ak))i
)· (δϕ(ak)− 1) = (δϕ(ak))
H − 1 (29)
using another Hadamard protocol and the precommitted oracle fa(X) =∑K−1k=0 ϕ(ak)Xk.
Lastly, V queries [Rz] in δ to see if the response matches with [δR] when queriedin z.
Batching Lagrange and Vandermonde Vectors. In order to establish thecorrect evaluation of the bivariate polynomial, the prover must establish thecorrect production of two univariate monomial vectors. A naıve implementationinvokes the Lagrange vector and the Vandermonde vector procedure twice. How-ever, it turns out to be possible to merge these two invocations, and save a totalof 4 polynomials. We treat this optimization explicitly in Appendix C.
5 A Polynomial IOP for Arithmetic Circuits
5.1 The Protocol
The next protocol, Protocol 6 puts many of the previously developed tools to-gether into a Polynomial IOP (with preprocessing) for arithmetic circuits as
17
captured by the HPR. To differentiate our protocol from other similar ones, wename it Claymore.
description: realizes Rhpr
inputs: i: (m,n,M) with M ∈ Fm×(3n+1)
inputs: x: x ∈ Fn
inputs: w: (wl,wr,wo) ∈ Fn × Fn × Fn
// preprocessingbegin
I runs MVP.I on i(1) = (m, 3n+ 1,M)
// onlinebegin
P computes fwl ←∑n−1
j=0 wl[j]Xj , fwr ←
∑n−1j=0 wr[j]X
j , and
fwo ←∑n−1
j=0 wo[j]Xj
P sends fwl(X), fwr(X), and fwo(X), all of degrees at most n− 1, to VP computes f1w(X)← 1 +Xfwl(X) +Xn+1fwr(X) +X2n+1fwo(X)P computes fx(X), whose coefficient vectors correspond tox = M (1|wl
T|wrT|wo
T)T
P and V run MVP with i(1) = (m, 3n+ 1,M) , x(1) = ([f1w(X)], [fx(X)]),
w(1) = (f1w(X), fx(X)) where V simulates [f1w(X)] using
f1w(X) = 1 +Xfwl(X) +Xn+1fwr(X) +X2n+1fwo(X), [fwl(X)],[fwr(X)], and [fwo(X)]; and where V computes [fx(X)] locally usingx = x
P and V run Hadamard with i(2) = n− 1,
x(2) = ([fwl(X)], [fwr(X)], [fwo(X)]), w(2) = (fwl(X), fwr(X), fwo(X))
Protocol 6: Claymore
Theorem 6 (Security of Claymore). Protocol Claymore of Protocol 6 is a Poly-nomial IOP for RHPR with completeness and soundness error σ ≤ σHadamard +σMVP.
Proof. Completeness follows from construction. Since the arguments are com-puted honestly, the subprotocols succeed and guarantee equalities (1) and (2),respectively.
Soundness. If the HPR instance is a false instance, then x 6= M(1|wlT|wr
T|woT)T
or wl◦wr 6= wo. As a result either the Hadamard protocol succeeds despite beingrun on a false instance, or the MVP protocol succeeds despite being run on afalse instance. The probabilities of these events are respectively at most σHadamard
and at most σMVP. ut
5.2 The Role of Preprocessing
The preprocessing phase can be omitted. In this case, V must compute fM (X)locally. This task requires O(mn) work, or only O(K) if the matrix M has only
18
K nonzero elements and is represented as such. When this phase is omitted,Claymore should be compared to the Polynomial IOP underlying Aurora [4].
When used with preprocessing, Claymore achieves fast verification. Specif-ically, the matrix M which determines the circuit being proved, is processedby the indexer. For long and drawn-out computations, this matrix is typicallysparse and the SparseMVP is suitable. However, for short and especially shallowcomputations, DenseMVP is the better option. Depending on the choice of MVPprotocol, the matching soundness error should be considered.
5.3 Optimizations
Batch the Inner Product Protocols. Note that the unrolled SparseClaymoreprotocol consists of 10 invocations of InnerProduct protocol. We can replace theseInnerProduct protocols by the BatchedInnerProduct protocol presented in Proto-col 2. To see that this replacement does not affect the soundness, note thatthe InnerProduct subprotocols do not involve any verifier randomness and wecan safely postpone them to the end of the Claymore protocol. Next, we replacethem with a BatchedInnerProduct, unifying the degrees by the maximal degreeof these polynomials. The prover passes the original InnerProduct protocols withhigh probability if and only if the prover passes the BatchedInnerProduct protocolwith high probability.
Batch the Sparse Vector Protocols. We also present an alternative versionof SparseBiEval by batching the two instances of VandermondeVector and the twoLagrangeVector protocols. This optimization eliminates four polynomial oraclesat the cost of doubling the polynomial degrees. We present the protocol detailsand security proofs in Appendix C.2.
Concatenate Left and Right Wire Vectors Instead of sending three witnesspolynomials (fwl(X), fwr(X), fwo(X)), the prover can get away with sendingonly two: (fwi(X), fwo(X)) where fwi(X) = fwl(X)+Xn ·fwr(X). This concate-nation is already implicit in the matrix-vector product subprotocol. The input tothe Hadamard subprotocol should be x = ([fwi(X)], [Xn·fwi(X)], [Xn·fwo(X)]).The subprotocol then establishes thatwl
wr
0n
◦0n
wl
wr
=
0nwo
0n
, (30)
which is clearly equivalent to the original Hadamard relation. With this tech-nique, the polynomials are degree 3n− 1, and so the soundness error is (15n−4)/(|F| − 1) instead of (5n− 4)/(|F| − 1).
This optimization also preserves zero knowledge. To see this, observe thatany distinguisher D that uses fwi(X) can be simulated with a distinguisher D′
that uses fwl(X) and fwr(X). As a result, the optimized protocol lacks zeroknowledge only if the protocol before applying the optimization also lacks it.
19
6 Zero-Knowledge
The strategy for achieving zero-knowledge consists of appending q randomizersto the initial wire vectors wl, wr, and wo. The randomizers will make the witnesspolynomials q-wise independent, meaning that no distinguisher restricted to atmost q queries will obtain any infomation about the witness.
description: realizes RHPR
inputs: i: (m,n,M) with M ∈ Fm×n
inputs: x: x ∈ Fn
inputs: w: (wl,wr,wo) ∈ Fn × Fn × Fn
inputs: additional parameters: qoffline preprocessing:
I runs Claymore.I on i(1) = (m,n+ q,M ′ =(
M[:,0:(n+1)] 0m×q M[:,(n+1):(2n+1)] 0m×q M[:,(2n+1):(3n+1)] 0m×q
))
online phase:// compute witness polynomial with randomizers
P samples r(l)$←− Fq and r(r)
$←− Fq
P and V run Claymore with i(1) = (m,n+ q,M ′), x(1) = x,
w(1) = ((wl
T|r(l)T), (wrT|r(r)T), (wo
T|r(l)T ◦ r(r)T))
Protocol 7: ZKClaymore
It is tricky to define zero knowledge the context of Polynomial IOPs. Thedistinguisher D can always query the received oracles in enough points to inter-polate and then extract the witness. The notion is only meaningful when thenumber of queries bounded by some parameter. We furthermore restrict the dis-tinguisher’s queries to be distributed identically to that of an honest verifier; thisrestriction therefore corresponds to honest-verifier zero knowledge. As a result,we are not concerned with finding a complete description of the polynomials thatmake up the transcript. Instead, we are only concerned with the verifier’s viewof the transcript. This view corresponds to the list of queries and responses tothe various oracles.
Theorem 7. When q ≥ 6, the Polynomial IOP ZKClaymore of protocol 7 hasstatistical honest-verifier zero-knowledge if all the InnerProduct subprotocols arereplaced by a single invocation of BatchedInnerProduct. Concretely, the statisticaldistance between the verifier’s view of authentic transcript versus the verifier’sview of simulated transcript is bounded by 75+12n+12q
|F|−1 .
Proof. We show how S produces the verifier view for (i,x) without knowledgeof w. In the process, we establish that this view is indistinguishable from thatof an authentic protocol execution.
The protocol ZKClaymore consists of an invocation to Hadamard protocoland an invocation to either the dense or sparse variant of MVP. Note that bothprotocols DenseMVP and SparseMVP consists of:
20
1. a query to fx(X) at uniformly random α$←− F\{0};
2. a protocol invocation (ModReduce in DenseMVP, or SparseBiEval in SparseMVP)with inputs that are independent of wl,wr,wo;
3. an invocation of InnerProduct on input f1w(X) and another polynomial (r(X)in DenseMVP or fαTM (X) in SparseMVP), denoted by ft(X) hereafter, thatis also independent of wl,wr,wo.
Since S knows M and x, S can compute all polynomials that do not depend onwitnesses honestly, i.e., as the honest P would. We therefore restrict attentionto polynomials that depend on the witness.
What remains is to demonstrate how to sample the verifier view for InnerProducton input f1w(X) and ft(X), and for Hadamard on input fwl(X), fwr(X) andfwo(X). These two subprotocols contribute two polynomial pairs to the BatchedInnerProductprotocol. It suffices to sample the verifier view for the BatchedInnerProduct pro-tocol just for these two polynomial pairs, because the remaining pairs are inde-pendent of the witness.
This view consists of several elements, namely:
1. Uniformly random z, β2. yh = h(z), y∗h = h(z−1)3. The verifier view contributed by the InnerProduct protocol in MVP:
(a) yl = fwl(z2), y∗l = fwl(z
−2)(b) yr = fwr(z
2), y∗r = fwr(z−2)
(c) yo = fwo(z2), y∗o = fwo(z
−2)(d) yt = ft(z
2), y∗t = ft(z−2) (S samples these honestly)
4. The verifier view contributed by the top-level Hadamard protocol:(a) Uniformly random γ and yo2 = fwo(γ)(b) yl2 = fwl((γz)
2), y∗l2 = fwl((γz)−2)
(c) Note that yr = fwr(z2) and y∗r = fwr(z
−2) have already been determinedby the MVP item
In the verifier view of an honest run, the above values satisfy:
yh + (z6(n+q) + z6(n+q)+1) · (fx(α) + β · yo2) + z12(n+q)+1y∗h = (31)
((yl + yr + yo) · y∗t + β · yl2 · yr) · z6(n+q) + ((y∗l + y∗r + y∗o) · yt + β · y∗l2 · yr) · z6(n+q)+1 .
S samples uniformly random α, β, γ, z$←− F\{0} and computes yt, y
∗t honestly.
Next, S samples yl, y∗l , yl2 , y
∗l2
as follows. Note that except for few choices ofz and γ, the following matrix contains at least one 4× 4 invertible submatrix inthe last q columns.
Z1 =
1 z2 z4 · · · z2(n+q−1)
1 z−2 z−4 · · · z−2(n+q−1)
1 (γz)2 (γz)4 · · · (γz)2(n+q−1)
1 (γz)−2 (γz)−4 · · · (γz)2(n+q−1)
The last four elements of r(l) are uniformly random over F, so (yl, y
∗l , yl2 , y
∗l2
)T =
Z1 · (wlT|r(l)T)T is uniformly random over F4, and S samples them as such.
21
Next, S samples yr, y∗r , yo, y
∗o , yo2 as follows. Note that except for few choices
of z, γ and r(l), the following matrix contains at least one 5 × 5 invertible sub-matrix in the last q columns.
Z2 =
1 z2 z4 · · · z2(n+q−1)
1 z−2 z−4 · · · z−2(n+q−1)
wl[0] wl[1] · z2 wl[2] · z4 · · · r(l)[q−1] · z
2(n+q−1)
wl[0] wl[1] · z−2 wl[2] · z−4 · · · r(l)[q−1] · z
−2(n+q−1)
wl[0] wl[1] · γ wl[2] · γ2 · · · r(l)[q−1] · γ
n+q−1
The last 5 elements of r(r) are uniformly random over F and independent
from r(l), so (yr, y∗r , yo, y
∗o , yo2) = Z2 · (wr
T|r(r)T)T is uniformly random over F5,and S samples them as such.
It remains to sample yh, y∗h such that the equation (31) holds. Since we can
solve for y∗h given the other, we only need to show that yh is uniformly randomover F.
Let hhad(X) = (fwl((γX)2)fwr(X−2)+Xfwl((γX)−2)fwr(X
2))·X2(n+q−1) modX2(n+q−1). It suffices to show that hhad(z) is uniformly random, because y∗h is apolynomial in β and this polynomial has hhad(z) as a coefficient. Observe thathhad(z) is equal to
(wlT|r(l)T) · diagonal(1, γ2, · · · , γ2n+2q−2)·
0 z2(n+q)−3 z2(n+q)−5 · · · z5 z3 zz2(n+q−2) 0 z2(n+q)−3 · · · z7 z5 z3
z2(n+q−3) z2(n+q−2) 0 · · · z9 z7 z5
......
.... . .
......
...z4 z6 z8 · · · 0 z2(n+q)−3 z2(n+q)−5
z2 z4 z6 · · · z2(n+q−2) 0 z2(n+q)−3
1 z2 z4 · · · z2(n+q−3) z2(n+q−2) 0
(
wr
r(r)
).
(32)
Therefore, hhad(z) is the inner product of (wlT|r(l)T) with another vector that
depends only on z, γ, and (wrT|r(r)T). This vector is linearly independent from
the rows of Z2 with overwhelming probability. Put this vector into Z2 as thelast row and let the resulting matrix be Z ′2. Then (yr, y
∗r , yo, y
∗o , yo2 , yh) = Z ′2 ·
(wrT|r(r)T)T is uniformly random over F6, and S samples them as such.To complete the argument, except with a negligible failure probability cor-
responding to the matrices Z1 or Z ′2 being singular, S samples a verifier viewfrom a distribution that is identical to the distribution of verifier views of anauthentic protocol execution. The distinguishing advantage of any distinguisherD is bounded by the S’s failure probability, which is a negligible function of thefield size.
To obtain the concrete bound, start by observing that Z1 is a Vander-monde matrix whose second column consists of four uniformly sampled quadratic
22
residues. Its rightmost square submatrix is singular only if duplicates are sam-pled, so
Pr[det(Z1,[:,n+q−4:n+q−1]) = 0] ≤ 1
(|F| − 1)/2· 2
(|F| − 1)/2· 3
(|F| − 1)/2=
48
|F| − 1.
(33)As for the rightmost square submatrix of Z ′2, we reason about the rows, and
consider the conditions that make them zero or a multiple of rows consideredearlier.
– Rows 0 and 1 are sequences of powers of z2 and z−2. Both these rows arenonzero and they are not collinear unless z2 = 1, which occurs with proba-biliy 2/(|F| − 1).
– Rows 2, 3, and 4 are the Hadamard product of r(l)[q−6:q−1] with a vector of
powers of z2, z−2, and γ. Considering z and γ fixed, the probability over
random r(l)[q−1], r
(l)[q−2], r
(l)[q−3] that row 2 is in the span of rows 0 and 1, is at
most 1/|F|. Likewise, the probability over random r(l)[q−1], r
(l)[q−2], r
(l)[q−3], r
(l)[q−4]
that row 3 is in the span of rows 0, 1, and 2 is at most 1/|F|. And likewise,
the probability over random r(l)[q−1], r
(l)[q−2], r
(l)[q−3], r
(l)[q−4], r
(l)[q−5] that row 4 is in
the span of rows 0, 1, 2, and 3, is at most 1/|F|.– Row 5 contains terms that are linear in r
(l)[q−1], . . . , r
(l)[q−6]. The coefficient
matrix operating on the r(l)[q−1:q−6] is given (via row-vector-matrix multipli-
cation) by ΓZ3, where Γ is the diagonal matrix with powers of γ on itsdiagonal, and where Z3 is the bottom-right 6×6 Toeplitz matrix of Eqn. 32.Since γ is sampled to be invertible, Γ is invertible as well. The determinantof a 6 × 6 Toeplitz matrix is a degree 6 multivariate expression in the ar-guments. The determinant of this particular Toeplitz matrix is a nonzeropolynomial of degree 21 + 12n + 12q. Since z is sampled from F\{0}, andby the Schwartz-Zippel lemma, Z3 is singular with probability bounded by(21 + 12n + 12q)/(|F| − 1). Assuming Z3 is invertible, sampling row 5 uni-
formly at random is equivalent to sampling r(l)[q−1] through r
(l)[q−6] uniformly
at random. Consequently, the probability that row 5 lies in the span of rows0 through 4 is 1/|F|.
By the union bound, we have
Pr[det(Z ′2,[:,n+q−6:n+q−1]) = 0] ≤ 27 + 12n+ 12q
|F| − 1. (34)
Consequently, the statistical distance in distributions of the view of theverifier of authentic transcripts versus simulated transcripts, is bounded by75+12n+12q|F|−1 . ut
7 Comparison
We compare both variants of Claymore to some other Polynomial IOPs fromthe literature, namely Sonic, PLONK, Marlin, and Aurora. Of these Polynomial
23
IOPs, the first three give rise to SNARKs after cryptographic compilation. Incontrast, Aurora gives rise to a proof system generating short proofs but whoseverifier complexity is linear in the size of the witness. Importantly, Claymore iscomparable to both types of proof system: with preprocessing, it gives rise to aSNARK; when preprocessing is omitted, the proofs remain short at the expenseof linear verifier complexity.
Table 1 contains an overview of the comparison. It considers the followingkey performance indicators for Polynomial IOPs.
– The number of polynomials sent by I during the offline preprocessing phase.This number determines the size of the universal or structured referencestrings. While this number contributes to the complexity of I, this complexityis generally speaking not a make or break factor.
– The number of polynomials sent by P during the online proving phase. Thisnumber contributes to the size of the proof and to the complexity of both Pand V.
– The number of evaluations. This number contributes to the size of the proof,as well as indirectly to the complexity of P and V.
– The number of distinct points for evaluation. Some cryptographic compilers(e.g., [6]) enable the merger of two polynomial evaluations provided thatthey are being evaluated in the same point. This number limits the numberof times this optimization can be applied.
– The maximum degree of all polynomials. This number contributes to indexerand prover complexity in two ways. First, before cryptographic compilation, Iand P operate on polynomials of this degree and their complexity is affectedaccordingly. The exception is if the polynomials are sparse, or otherwiseexhibit a structure that enable fast computation. Second, some cryptographiccompilers induce overheads that are superlinear in this degree.
Table 1. Comparison between Claymore and other Polynomial IOPs from the literature,with respect to key performance indicators.
# polynomials# evaluations # distinct points max. degree
offline / online
Sonic [11] 12M/3M + 7 11M + 3 9M + 2 O(n)PLONK [8] 8 / 6 7 2 12(n+ a)Marlin [7] 9 / 12 18 3 6k + 6Aurora [4] - / 7 8 2 max(m,n)
DenseClaymore 1 / 4 18 8 m(3n+ 1)− 1SparseClaymore 8 / 10 45 21 6K − 1
For Sonic, n refers to the number of multiplication gates. However, due totheir technique for simulating bivariate polynomials, the addition gates havefan-in bounded by a parameter M . As a result of converting the original circuit
24
into one with this fan-in bound, a number of multiplication gates may have tobe added, thus explaining the Landau notation.
For PLONK, n refers to the number of multiplication gates and a refers tothe number of addition gates, all of which have fan-in 2. We note that there isa variant of PLONK with larger proofs and smaller prover time, which is notshown in the table.
Aurora does not have a preprocessing phase and as a result the verifier’s com-plexity is linear in the number of nonzero elements in the matrices A,B,C fromthe R1CS tuple. Marlin uses the same mechanics but uses preprocessing to shrinkthe verifier’s workload for the matrix multiplication; this technique requires 9polynomials in the uniform or structured reference string (3 per matrix) and afew more in the online protocol. The parameter k denotes the largest number ofnonzero elements of {A,B,C}.
Marlin, PLONK, and Aurora work in the Reed-Solomon codeword basis andcrucially rely on the structure of the field or of its multiplicative group. In con-trast, Sonic and Claymore work for any field.
8 Conclusion
The protocols proposed in this paper challenge the notion that the Reed-Solomoncodeword basis is the appropriate basis for representing objects from the arith-metic constraint system in a Polynomial IOP. Instead, the monomial coefficientbasis provides a natural and intuitive representation for these objects. In thisbasis, the native operations on polynomials are identifiable with the matrix oper-ations in the arithmetic constraint system. Moreover, this basis does not imposeany restrictions on the structure of the field. The resulting Polynomial IOP forarithmetic constraint systems outperforms similar constructions based on theReed-Solomon codeword basis, at least as far as the number of polynomials inthe transcript is concerned.
The modular approach followed in this paper admits a piece by piece presen-tation and analysis that benefits simplicity and accessibility. Nevertheless, somenoteworthy optimizations violate the boundaries implicit in this modular struc-ture. These optimizations are of independent interest as they may also applyelsewhere; perhaps they have straightforward analogues in the Reed-Solomoncodeword domain.
In some cases it is possible to eliminate polynomials. In particular, when apolynomial is queried exactly twice and is involved in exactly two polynomialidentities. By moving this polynomial to the left hand side, and equating theright hand sides, the polynomial identities are merged and the polynomial inquestion is eliminated, all without impacting soundness.
After unrolling a Polynomial IOP, InnerProduct subprotocols appear in greatnumbers and many places. They can all be batched. In addition to saving polyno-mials, this batching facilitates a simpler and more direct proof of zero-knowledgethat would not be possible otherwise.
25
Batching may apply in more places still. For instance, the sparse MVP proce-dure benefits from two invocations of a subprotocol that establishes that a givenvector is a Lagrange vector, and two more that another vector is a Vandermondevector. The Lagrange and Vandermonde vector protocols can be merged in orderto save polynomials. In fact, this merger extends to multivariate polynomials inmore than two variables.
Concatenating the vectors of left and right wires saves one polynomial, butonly if the Hadamard subprotocol can be made to work with the concatenatedvector. In particular, this adaptation requires a shifting the protocol’s secondand third arguments. Performing this shift in either basis is possible, but thisshift highlights an interesting difference. In the Reed-Solomon codeword basis,the query to the polynomial oracle is multiplied by a constant factor; in themonomial coefficient basis, however, it is the response that is multiplied by afactor that depends on the query.
Acknowledgements. Both authors are supported by the Nervos Foundation.
References
1. Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: Lightweight Sub-linear Arguments Without a Trusted Setup. In: Thuraisingham, B.M., Evans,D., Malkin, T., Xu, D. (eds.) ACM CCS 2017. pp. 2087–2104. ACM (2017),https://doi.org/10.1145/3133956.3134104
2. Bellare, M., Goldreich, O.: On defining proofs of knowledge. In: Brickell, E.F.(ed.) CRYPTO 1992s. Lecture Notes in Computer Science, vol. 740, pp. 390–420.Springer (1992), https://doi.org/10.1007/3-540-48071-4_28
3. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable zero knowledge withno trusted setup. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, PartIII. Lecture Notes in Computer Science, vol. 11694, pp. 701–732. Springer (2019).https://doi.org/10.1007/978-3-030-26954-8 23
4. Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.:Aurora: Transparent Succinct Arguments for R1CS. In: Ishai, Y., Rijmen, V. (eds.)EUROCRYPT 2019 , Part I. Lecture Notes in Computer Science, vol. 11476, pp.103–128. Springer (2019), https://doi.org/10.1007/978-3-030-17653-2_4
5. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient Zero-KnowledgeArguments for Arithmetic Circuits in the Discrete Log Setting. In: Fischlin,M., Coron, J. (eds.) EUROCRYPT 2016, Part II. Lecture Notes in ComputerScience, vol. 9666, pp. 327–357. Springer (2016), https://doi.org/10.1007/
978-3-662-49896-5_12
6. Bunz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK Compilers.In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020 Part I. Lecture Notes inComputer Science, vol. 12105, pp. 677–706. Springer (2020), https://eprint.
iacr.org/2019/1229.pdf
7. Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.P.: Marlin: Pre-processing zksnarks with universal and updatable SRS. In: Canteaut, A., Ishai, Y.(eds.) EUROCRYPT 2020 Part I. Lecture Notes in Computer Science, vol. 12105,pp. 738–768. Springer (2020), https://eprint.iacr.org/2019/1047.pdf
26
8. Gabizon, A., Williamson, Z.J., Ciobotaru, O.: PLONK: permutations overlagrange-bases for oecumenical noninteractive arguments of knowledge. IACRCryptology ePrint Archive 2019, 953 (2019), https://eprint.iacr.org/2019/953
9. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactiveproof-systems (extended abstract). In: Sedgewick, R. (ed.) ACM STOC. pp. 291–304. ACM (1985). https://doi.org/10.1145/22145.22178
10. Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to poly-nomials and their applications. In: Abe, M. (ed.) ASIACRYPT 2010. LectureNotes in Computer Science, vol. 6477, pp. 177–194. Springer (2010), https:
//doi.org/10.1007/978-3-642-17373-8_11
11. Maller, M., Bowe, S., Kohlweiss, M., Meiklejohn, S.: Sonic: Zero-knowledge snarksfrom linear-size universal and updatable structured reference strings. In: Cavallaro,L., Kinder, J., Wang, X., Katz, J. (eds.) ACM CCS 2019. pp. 2111–2128. ACM(2019), https://eprint.iacr.org/2019/099.pdf
A Definitional Equivalence: Polynomial IOPs with andwithout Individual Degree Bounds
Definition 4 presents one possible definition for the notion that is PolynomialIOP, namely where there is one degree bound d that applies to all polynomials.However, all the protocols presented in this paper provide individual degreebounds for each polynomial, corresponding to another possible definition. Thediscussion following Definition 4 argues that no generality is lost by switchingbetween the two options. We now formalize this intuition.
Definition 6 (Polynomial IOP with Individual Degree Bounds). Let Rbe an indexed relation with corresponding indexed language L(R), F some finitefield, and δ : N→ N a function that maps polynomial indices to their respectivedegree bounds. A Polynomial IOP for R with individual degree bounds δ is apair of interactive machines (P,V), satisfying the following description.
– (P,V) is an interactive proof for L(R) with r rounds, and with soundnesserror σ.
– P sends polynomials fi(X) ∈ F[X] of degree at most δ(i) to V.– V is an oracle machine with access to a list of oracles, which contains one
oracle for each polynomial it has received from the prover.– When an oracle associated with a polynomial fi(X) is queried on a pointzj ∈ F, the oracle responds with the value fi(zj).
– V sends challenges αk ∈ F to P.– V is public coin.
Showing the equivalence in one direction turns out to be trivial. The nextlemma establishes that a Polynomial IOP with individual degree bounds (6) cansimulate a Polynomial IOP with a single degree bound (4).
Lemma 1 ((4)⇒ (6)). Let (P,V) be a Polynomial IOP with degree bound d fora relation R with soundness error σ according to Definition 4. Then (P,V) is
27
a Polynomial IOP with individual degree bounds δ(i) = d for R with soundnesserror σ according to Definition 6.
Proof. The difference between the two definitions is that the ith polynomialfi(X) is guaranteed to be of degree at most δ(i) rather than d. In this particularcase, δ(i) = d, so there is no difference at all. ut
The other direction of the equivalence is more involved as it requires a com-piler and comes with a (negligible) soundness degradation. Let C(P) and C(V)denote the compiled prover and verifier, respectively. The compiler starts bycomputing d = maxiδ(i). The compiled prover and verifier then mimick theoriginal prover and verifier, except for the following changes:
– Whenever P sends polynomial fi(X) whose degree is bounded by δ(i), C(P)sends polynomial f?i (X) = Xd−δ(i) · fi(X).
– Whenever V queries a polynomial oracle [fi(X)] in a point zj 6= 0 to obtainvalue yj = fi(zj), C(V) queries [f?i (X)] in zj , obtains response y?j = f?i (zj),
and proceeds as V would with value yj = y?j /zd−δ(i)j .
Lemma 2 ((6) ⇒ (4)). Let (P,V) be a Polynomial IOP with individual degreebounds δ(i) for a relation R with soundness error σ and q queries to polynomialsin points from F\{0} according to Definition 6. Then (C(P),C(V)) is a Polyno-mial IOP with degree bounds d = maxiδ(i) for R with soundness error at most
σ + q · maxiδ(i)−miniδ(i)|F|−1 and q queries according to Definition 4.
Proof. Completeness follows from construction. All polynomials are bounded in
degree by d, and C(V ) obtains values yj = f?i (zj)/zd−δ(i)j = fi(zj), i.e., indentical
to what V obtains.
In terms of soundness, C(V) implies that V accepts a false instance or thatfor some polynomial [fi(X)] and query zj , X
d−δ(i) · fi(X) 6= f?i (X) but fi(zj) =
f?i (zj)/zd−δ(i)j . Any one of these latter events occurse with probability at most
d−miniδ(i)|F|−1 due to Schwartz-Zippel. Since there are q queries where this might
occur, the soundness error of (C(P),C(V)) is bounded by σ+ q · maxiδ(i)−miniδ(i)|F|−1 .
ut
B Sparse Matrix-Vector Product
B.1 Formal Presentation
The formal presentation of the sparse matrix-vector multiplication protocol,which follows, builds the protocol hierarchically. We therefore follow the high-level overview but in reverse order.
28
Vandermonde Vector. The VandermondeVector protocol realizes the followingrelation
Rvv =
(i,x,w)
∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣
i = (H,K,ϕ(h), {ak}K−1k=0 )x = (z, [fz(X)])w = fz(X)
R =
ϕ(a0)0 ϕ(a1)0 · · ·ϕ(a0)1 ϕ(a1)1 · · ·
......
. . .
fz(X) =
∑H−1i=0 ziX
i
z = (1 , z , z2 , · · · , zK−1)T
z = Rz
. (35)
description: decides L(Rvv)inputs: i: H,K,ϕ(h), {ak}K−1
k=0
inputs: x: z, [fz(X)]inputs: w: fz(X)// pre-processingbegin
I computes fϕ(ak)(X)←∑K−1
k=0 ϕ(ak)Xk and
fϕ(ak)H (X)←
∑K−1k=0 ϕ(ak)HXk
I sends fϕ(ak)(X) and fϕ(ak)H (X), both of degree at most K − 1, to P and
V// onlinebegin
V samples δ$←− F\{0} and sends δ to P
P computes δ ← (δ0, δ1, . . . , δH−1)T, δ ← RTδ, and fδ(X)←∑K−1
i=0 δiXi
P sends fδ(X) of degree at most K − 1 to VV queries [fδ(X)] in z and receives y0 = fδ(z)V queries [fz(X)] in δ and receives y1 = fz(δ)
V checks y1?= y0
P and V run Hadamard with i(1) = H − 1,
x(1) = ([fδ(X)], [δ · fϕ(ak)(X)− fI(X)], [δ · fϕ(ak)
H (X)− fI(X)]),
w(1) = (fδ(X), δH · fϕ(ak)(X)− fI(X), δH · fϕ(ak)
H (X)− fI(X)), where
V simulates [δ · fϕ(ak)(X)− fI(X)], [δH · fϕ(ak)H (X)− fI(X)] using the
oracles [fϕ(ak)(X)], [fϕ(ak)H (X)] and the known scalar δ, in combination
with computing fI(X) =∑K−1
k=0 Xk locally
Protocol 8: VandermondeVector
Theorem 8 (Security of VandermondeVector). Protocol VandermondeVectoris a Polynomial IOP for Rvv with completeness and soundness with soundnesserror σ ≤ H+5K−5
|F|−1 .
29
Proof. Consider the following sequences of equations.
z = Rz (36)
δTz = δTRz (37)
fz(δ) = fδ(z) (38)
y1 = y0 , (39)
and
∀k ∈ {0, . . . ,K − 1} .
(H−1∑h=0
(δ · ϕ(k))h
)· (1− δ · ϕ(ak)) = 1− (δ · ϕ(ak))
H
(40)(δTR
)◦ (1− δ · ϕ(ak))
K−1k=0 =
(1− (δ · ϕ(ak))
H)K−1k=0
(41)
fδ(X) ◦(δ · fϕ(ak)(X)− fI(X)
)= δH · fϕ(ak)H (X)− fI(X) (42)
(i(1),x(1)) = (43)
(K − 1, [fδ(X)], [δ · fϕ(ak)(X)− fI(X)], [δH · fϕ(ak)H (X)− fI(X)]) ∈ L(Rhadamard) .
Completeness follows from the sequences of implications a) (36) ⇒ (37) ⇔(38) ⇔ (39), and b) (40) ⇔ (41) ⇔ (42) ⇒ (43). Sequence (a) holds for anymatrix R. Sequence (b) starts with the equation for a geometric sum derivedfrom the matrix R as defined as in Eqn. 27.
For soundness, consider when the reverse implications fail. There are twosuch cases:
– (36) 6⇐ (37). By the Schwartz-Zippel lemma, the probability of this event isbounded by H−1
|F|−1 .
– (42) 6⇐ (43). The probability of this event is captured by the soundness errorof Hadamard, σHadamard ≤ 5K−4
|F|−1 .
By the Union Bound, the soundness error of VandermondeVector is bounded byσ ≤ H+5K−5
|F|−1 . ut
Lagrange Vector. The LagrangeVector protocol realizes the following relation
Rlv =
(i,x,w)
∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣
i = (H,ϕ(h))x = (x, [fx(X)])w = fx(X)
L =
Lϕ(0),0 Lϕ(0),1 · · ·Lϕ(1),0 Lϕ(1),1 · · ·...
.... . .
fx(X) =
∑H−1i=0 xiX
i
x = (1 , x , x2 , · · · , xH−1)T
x = xTL
. (44)
30
Polynomial IOPs for Linear Algebra Relations 31
description: decides L(Rlv)inputs: i: H,ϕ(h)inputs: x: x, [fx(X)]inputs: w: fx(X)// pre-processingbegin
I computes fϕ(h)(X)←∑H−1
h=0 ϕ(h)Xh, ZH(X)←∏H−1
h=0 (X − ϕ(h)) and
fH(X)←∑H−1
h=0
(∏i∈{0...H−1}\{h}(ϕ(h)− ϕ(i))
)−1
·Xh
I sends fϕ(h)(X), fH(X), both of degree at most H − 1, and ZH(X) ofdegree at most H, to P and V
// onlinebegin
V samples γ$←− F\{0} and sends γ to P
P computes γ ← (γ0, γ1, . . . , γH−1)T, γ ← Lγ, and fγ(X)←∑H−1
i=0 γiXi
P sends fγ(X) of degree at most H − 1 to VV queries [fγ(X)] in x and receives y0 = fγ(x)V queries [fx(X)] in γ and receives y1 = fx(γ)
V checks y1?= y0
V queries [ZH(X)] in γ and receives u = ZH(γ)P and V run Hadamard with i
(1) = H − 1,x(1) = ([fγ(X)], [γfI(X)− fϕ(h)(X)], [ufH(X)]),
w(1) = (fγ(X), γfI(X)− fϕ(h)(X), ufH(X)), where V simulates
[γfI(X)− fϕ(h)(X)], [ufH(X)] using the oracles [fϕ(h)(X)], [fH(X)] and
the known scalar γ, in combination with computing fI(X) =∑H−1
h=0 Xh
locally
Protocol 9: LagrangeVector
Theorem 9 (Security of LagrangeVector). Protocol LagrangeVector is a Poly-nomial IOP for Rlv with completeness and soundness with soundness errorσ ≤ 6H−5
|F|−1 .
Proof. Consider the following sequences of equations.
xT = xTL (45)
xTγ = xTLγ (46)
fx(γ) = fγ(x) (47)
y1 = y0 , (48)
and
∀h ∈ {0, . . . ,H − 1} .Lh(γ) =
H−1∏i = 0i 6= h
γ − ϕ(i)
ϕ(h)− ϕ(i)(49)
∀h ∈ {0, . . . ,H − 1} .Lh(γ) · (γ − ϕ(h)) =ZH(γ)∏H−1
i = 0i 6= h
(ϕ(h)− ϕ(i))(50)
(Lγ) ◦ (γ − ϕ(h))H−1h=0 = ZH(γ)
∏i∈{0...H−1}\{h}
(ϕ(h)− ϕ(i))
−1H−1
h=0
(51)
fγ(X) ◦ (γfI(X)− fϕ(X)) = ufH(X) (52)
(i(1),x(1)) = (53)
(H − 1, [fγ(X)], [γfI(X)− fϕ(h)(X)], [ufH(X)]) ∈ L(Rhadamard) .
Completeness follows from the sequences of implications a) (45) ⇒ (46) ⇔(47) ⇔ (48), and b) (49) ⇔ (50) ⇔ (51) ⇔ (52) ⇒ (53). Sequence (a) holdsfor any matrix L. Sequence (b) starts with the definition of Lagrange basispolynomials, and holds when the rows of L are exactly the coefficient vectors ofthe Lagrange basis polynomials. Recall that Lagrange basis polynomial indexedby h takes the value 1 in ϕ(h) and 0 in all other points of H.
For soundness, consider when the reverse implications fail. There are twosuch cases:
– (45) 6⇐ (46). By the Schwartz-Zippel lemma, the probability of this event isbounded by H−1
|F|−1 .
– (52) 6⇐ (53). The probability of this event is captured by the soundness errorof Hadamard, σHadamard ≤ 5H−4
|F|−1 .
By the Union Bound, the soundness error of LagrangeVector is bounded by σ ≤6H−5|F|−1 . ut
32
Sparse Univariate Polynomial Evaluation. In terms of sparse univariatepolynomial evaluation, we actually achieve something more generic. Let f(X) =∑K−1k=0 Xak . The next protocol establishes that fz(X) =
∑K−1k=0 zakXk is indeed
the polynomial whose vector of coefficients corresponds to the monomials off(X) when evaluated in z. By evaluating fz(X) in X = 1, one obtains theevaluation f(z).
The protocol SparseMonomialVector realizes the following relation.
Rsmv =
(i,x,w)
∣∣∣∣∣∣∣∣∣∣i = (H,K, {ak}K−1k=0 )x = (z, [fz(X)])w = (fz(X))
fz(X) =∑K−1k=0 zakXk
H = maxk ak
(54)
description: decides L(Rsmv)inputs: i: H,K, {ak}K−1
k=0
inputs: x: z, [fz(X)]inputs: w: fz(X)// pre-processingbegin
I selects any mapping ϕ : N→ F such that {0, . . . , H − 1} are mapped todistinct elements
I runs VandermondeVector.I with i(1) = (H,K,ϕ(h), {ak}K−1
k=0 )I runs LagrangeVector.I with i
(2) = (H,ϕ(h))
// onlinebegin
P computes fz(X) =∑H−1
h=0 zhLh(X) where Lh(X) is the unique monic
polynomial that evaluates to 1 in ϕ(h) and to 0 in all other points of HP sends fz(X) of degree at most H − 1 to VP and V run LagrangeVector with i
(2) = (H,ϕ(h)), x(2) = (z, [fz(X)]), andw
(2) = fz(X)
V samples y$←− F\{0} and sends y to P
V queries [fz(X)] in y and receives x = fz(y)
P computes fy(X)←∑H−1
h=0
(∑K−1k=0 ϕ(ak)hyh
)Xh, whose coefficient
vector corresponds to Ry with y = (1, y, . . . , yK−1)T ∈ FK
P sends fy(X) of degree at most H − 1 to VP and V run VandermondeVector with i
(1) = (H,K,ϕ(h), {ak}K−1k=0 ),
x(1) = (y, [fy(X)]), and w
(1) = fy(X)P and V run InnerProduct with i
(3) = H − 1, x(3) = ([fz(X)], [fy(X)], x),and w
(3) = (fz(X), fy(X))
Protocol 10: SparseMonomialVector
33
Theorem 10. (Security of SparseMonomialVector) Protocol SparseMonomialVectoris a Polynomial IOP for Rsmv with completeness and soundness with soundnesserror σ ≤ 11H+6K−14
|F|−1 .
Proof. Consider the following sequence of equations.
fz(X) =
K−1∑k=0
zakXk (55)
fz(y) =
K−1∑k=0
zakyk (56)
fz(y) = zTBy (57)
fz(y) = zTLRy (58)
fz(y) = zTRy (59)
fz(y) = zTy (60)
(i,x) = (H − 1, ([fz(X)], [fy(X)], x)) ∈ Rip (61)
In these formulae, we define z and y as the vectors of coefficients of fz(X) andfy(X), respectively.
Completeness follows from the sequence of implications (55) ⇒ (56) ⇔(57) ⇔ (58) ⇒ (59) ⇒ (60) ⇒ (61). For soundness, consider when the reverseimplications fail.
– (55) 6⇐ (56). This event happens with probability at most K−1|F|−1 due to the
Schwartz-Zippel lemma.
– (58) 6⇐ (59). This event implies that LagrangeVector succeeded despite beingrun on a false instance. This happens with probability at most equal to thesoundness error of that protocol, σLagrangeVector ≤ 6H−5
|F|−1 .
– (59) 6⇐ (60). This event implies that VandermondeVector succeeded despitebeing run on a false instance. This happens with probability at most equalto the soundness error of that protocol, σVandermondeVector ≤ H+5K−5
|F|−1 .
– (60) 6⇐ (61). This event implies that InnerProduct succeeded despite beingrun on a false instance. This happens with probability at most equal to thesoundness error of that protocol, σInnerProduct ≤ 4H−3
|F|−1 .
By the Union Bound, the probability that any one of these events occurs isbounded by σ ≤ 11H+6K−14
|F|−1 . ut
An important class of sparse univariate polynomials are those that representpermutation matrices. As a consequence, protocol SparseMonomialVector canbe used to establish that two polynomials have the same coefficients, exceptpermuted according to a committed permutation. We omit the details of thisdigression.
34
Sparse Bivariate Polynomial Evaluation. The relation realized by the pro-tocol SparseBiEval is given as follows.
Rsbe =
(i,x,w)
∣∣∣∣∣∣∣∣∣∣∣∣
i = (H,K, {ak}K−1k=0 , {bk}K−1k=0 , {ck}
K−1k=0 )
x = (u, v, w)w = ∅H = max(maxk{ak},maxk{bk})f(X,Y ) =
∑K−1k=0 ckX
akY bk
f(u, v) = w
(62)
description: decides L(Rsbe)inputs: i: H,K, {ak}K−1
k=0 , {bk}K−1k=0 , {ck}
K−1k=0
inputs: x: u, v, winputs: w: ∅// pre-processingbegin
I selects any mapping ϕ : N→ F such that {0, . . . , H − 1} are mapped todistinct elements
I runs SparseMonomialVector.I with i(1) = (H,K, {ak}K−1
k=0 )I runs SparseMonomialVector.I with i
(2) = (H,K, {bk}K−1k=0 )
I computes fc(X)←∑K−1
k=0 ckXk
I sends fc(X) of degree at most K − 1 to P and V
// onlinebegin
P computes fu(X)←∑K−1
k=0 uakXk, fv(X)←∑K−1
k=0 vbkXk, and
fuv(X)←∑K−1
k=0 uakvbkXk
P sends fu(X), fv(X), and fuv(X), all of degree at most K − 1, to VP and V run SparseMonomialVector with i
(1) = (H,K, {ak}K−1k=0 ),
x(1) = (u, [fu(X)]), and w
(1) = fu(X)P and V run SparseMonomialVector with i
(2) = (H,K, {bk}K−1k=0 ),
x(2) = (v, [fv(X)]), and w
(2) = fv(X)P and V run Hadamard with i
(3) = K − 1,x(3) = ([fu(X)], [fv(X)], [fuv(X)]), and w
(3) = (fu(X), fv(X), fuv(X))P and V run InnerProduct with i
(4) = K − 1, x(4) = ([fuv(X)], [fc(X)], w),and w
(4) = (fuv(X), fc(X))
Protocol 11: SparseBiEval
Theorem 11 (Security of SparseBiEval). Protocol SparseBiEval is a Polyno-mial IOP for Rsbi with completeness and soundness with soundness error σ =22H+21K−35|F|−1 .
35
Proof. Consider the following sequence of equations.
f(u, v) = w (63)
K−1∑k=0
ckuakvbk = w (64)
coeffs(fuv(X)) · coeffs(fc(X)) = w (65)
(coeffs(fu(X)) ◦ coeffs(fv(X))) · coeffs(fc(X)) = w (66)
(coeffs(fu(X)) ◦ coeffs(fv(X))) · (ck)K−1k=0 = w (67)(
coeffs(fu(X)) ◦(vbk)K−1k=0
)· (ck)
K−1k=0 = w (68)(
(uak)K−1k=0 ◦
(vbk)K−1k=0
)· (ck)
K−1k=0 = w (69)
Completeness follows from the sequence of implications (63) ⇔ (64) ⇒(65) ⇒ (66) ⇔ (67) ⇒ (68) ⇒ (69). For soundness, consider when the reverseimplications fail.
– (64) 6⇐ (65). This event happens with probability at most equal to thesoundness error of InnerProduct, σInnerProduct ≤ 4K−3
|F|−1 .
– (65) 6⇐ (66). This event happens with probability at most equal to thesoundness error of Hadamard, σHadamard ≤ 5K−4
|F|−1 .
– (67) 6⇐ (68). This event happens with probability at most equal to thesoundness error of SparseMonomialVector, σSparseMonomialVector ≤ 11H+6K−14
|F|−1 .
– (68) 6⇐ (69). This event happens with probability at most equal to thesoundness error of SparseMonomialVector, σSparseMonomialVector ≤ 11H+6K−14
|F|−1 .
By the Union Bound, the soundness error of SparseBiEval is bounded by σ ≤22H+21K−35|F|−1 . ut
Sparse Matrix-Vector Product. The relation that is realized by the sparsematrix-vector product protocol is essentially the same as the one realized by theregular (dense) matrix-vector product protocol. However, we restate this relationin such a way so as to stress that the matrix is represented sparsely, i.e., as alist of position-coefficient tuples rather than an array of coefficients.
Rsmvp =
(i,x,w)
∣∣∣∣∣∣∣∣∣∣∣∣∣∣
i = (m,n, {ak}K−1k=0 , {bk}K−1k=0 , {ck}
K−1k=0 )
x = ([fa(X)], [fb(X)])w = (fa(X), fb(X))
fa(X) =∑n−1i=0 a[i]X
i for somea ∈ Fn
fb(X) =∑m−1i=0 b[i]X
i for some b ∈ Fm
M =∑K−1k=0 cke
Tak
ebkb = Ma
. (70)
36
description: decides L(Rsmvp)inputs: i: m,n, {ak}K−1
k=0 , {bk}K−1k=0 , {ck}
K−1k=0
inputs: x: [fa(X)], [fb(X)]inputs: w: fa(X), fb(X)// pre-processingbegin
I computes H ← max(m,n)I runs SparseBiEval.I with i
(1) = (H,K, {ak}K−1k=0 , {bk}
K−1k=0 , {ck}
K−1k−1 )
// onlinebegin
V samples α$←− F\{0} and sends α to P
P computes fαTM (X)←∑K−1
k=0 ckαakXbk
P sends fαTM (X) of degree at most n− 1 to VP computes s← fb(α)V queries [fb(X)] in α and receives s = fb(α)P and V run InnerProduct with i
(2) = n− 1, x(2) = ([fa(X)], [fαTM (X)], s),and w
(2) = (fa(X), fαTM (X))
V samples β$←− F\{0}
P computes w ← fαTM (β)V queries [fαTM (X)] in β and receives w = fαTM (β)P and V run SparseBiEval with i
(1) = (H,K, {ak}K−1k=0 , {bk}
K−1k=0 , {ck}
K−1k=0 ),
x(1) = (α, β, w), and w
(1) = ∅
Protocol 12: SparseMVP
Theorem 12 (Security of SparseMVP). Protocol SparseMVP is a Polyno-mial IOP for Rsmvp with completeness and soundness with soundness errorσ ≤ 5m+22H+21K−39
|F|−1 .
Proof. Consider the following sequence of equations.
b = Ma (71)
αTb = αTMa (72)
fb(α) = αTMa (73)
s = coeffs(fαTM (X)) · coeffs(fa(X)) (74)
s = coeffs(fM (α,X)) · coeffs(fa(X)) (75)
Completeness follows from the sequence of implications (71) ⇒ (72) ⇔(73) ⇒ (74) ⇒ (75). For soundness, consider when the reverse implicationsfail.
– (71) 6⇐ (72). Due to the Schwartz-Zippel lemma, this event occurs withprobability m−1
|F|−1 .
– (73) 6⇐ (74). This event occurs with probability bounded by the soundnesserror of InnerProduct, σInnerProduct ≤ 4m−3
|F|−1 .
37
– (74) 6⇐ (75). This event implies that fαTM (X) and fM (α,X) are distinctpolynomials. The probability that this distinction is not caught by the SparseBiEvalprotocol is bounded by that protocol’s soundness error, σSparseBiEval ≤ 22H+21K−35
|F|−1 .
By the Union Bound, the soundness error of SparseMVP is bounded by σ ≤5m+22H+21K−39
|F|−1 . ut
C Alternative and Optimized Protocols
C.1 DenseMVP
The protocol DenseMVP admits one merger of polynomial identities after un-rolling. We present the optimized protocol in several steps to simplify their ver-ification by the reader.
description: decides L(Rmvp)inputs: i : (m,n,M)inputs: x : ([fa(X)], [fb(X)])inputs: w : (fa(X), fb(X))// pre-processingbegin
I computes fM (X)←∑m−1
i=0
∑n−1j=0 M[i,j]X
in+j
I sends fM (X) of degree at most mn− 1 to P and V
begin
V samples α$←− F and sends α to P
P computes r(X)← fM (X)modXn − αP sends r(X) of degree at most n− 1 to VP and V run ModReduce with i
(1) = (mn− 1, n− 1),x(1) = ([fM (X)], [r(X)], Xn − α), and w
(1) = (fM (X), r(X))V queries [fb(X)] in α and receives yαTb = fb(α)P and V run InnerProduct with i
(2) = n− 1, x(2) = ([r(X)], [fa(X)], yαTb),and w
(2) = (r(X), fa(X))
Protocol 13: DenseMVP, original
38
Polynomial IOPs for Linear Algebra Relations 39
description: decides L(Rmvp)inputs: i : (m,n,M)inputs: x : ([fa(X)], [fb(X)])inputs: w : (fa(X), fb(X))// pre-processingbegin
I computes fM (X)←∑m−1
i=0
∑n−1j=0 M[i,j]X
in+j
I sends fM (X) of degree at most mn− 1 to P and V
begin
V samples α$←− F and sends α to P
P computes r(X)← fM (X)modXn − αP sends r(X) of degree at most n− 1 to VP and V run ModReduce with i
(1) = (mn− 1, n− 1),x(1) = ([fM (X)], [r(X)], Xn − α), and w
(1) = (fM (X), r(X))V queries [fb(X)] in α and receives yαTb = fb(α)// InnerProductbegin
P computes h(X)← r(X2) · fa(X−2) ·X2n−2 + r(X−2) · fa(X2) ·X2n−1
P computes h(X)← h(X) mod X2n−2
P sends h(X) of degree at most 2n− 3 to V
V samples z$←− F\{0} and queries ([r(X)], [fa(X)], [h(X)]) in (z2, z2, z)
and in (z−2, z−2, z−1)V receives ya = fa(z2), y∗a = fa(z−2), yh = h(z), and y∗h = h(z−1)V testsyh + z2n−2 · yαTb + z2n−1 · yαTb + z2n · y∗h
?= yr · y∗a · z2d + y∗r · ya · z2d+1
Protocol 14: DenseMVP, unrolled InnerProduct
40 A. Szepieniec and Y. Zhang
description: decides L(Rmvp)inputs: i : (m,n,M)inputs: x : ([fa(X)], [fb(X)])inputs: w : (fa(X), fb(X))// pre-processingbegin
I computes fM (X)←∑m−1
i=0
∑n−1j=0 M[i,j]X
in+j
I sends fM (X) of degree at most mn− 1 to P and V
begin
V samples α$←− F and sends α to P
P computes r(X)← fM (X)modXn − αP sends r(X) of degree at most n− 1 to V// ModReducebegin
P computes q(X) such that fM (X) = q(X) · (Xn − α) + r(X)P sends q(X) of degree at most (m− 1)n to V
V samples z$←− F\{0} and queries [fM (X)], [q(X)], and [r(X)] in z
V receives yf = fM (z), yq = q(z), and yr = r(z)
V tests yf?= yq · (zn − α) + yr
V queries [fb(X)] in α and receives yαTb = fb(α)// InnerProductbegin
P computes h(X)← r(X2) · fa(X−2) ·X2n−2 + r(X−2) · fa(X2) ·X2n−1
P computes h(X)← h(X) mod X2n−2
P sends h(X) of degree at most 2n− 3 to V
V samples z$←− F\{0} and queries ([r(X)], [fa(X)], [h(X)]) in (z2, z2, z)
and in (z−2, z−2, z−1)V receives ya = fa(z2), y∗a = fa(z−2), yh = h(z), and y∗h = h(z−1)V testsyh + z2n−2 · yαTb + z2n−1 · yαTb + z2n · y∗h
?= yr · y∗a · z2d + y∗r · ya · z2d+1
Protocol 15: DenseMVP, unrolled ModReduce
Polynomial IOPs for Linear Algebra Relations 41
description: decides L(Rmvp)inputs: i : (m,n,M)inputs: x : ([fa(X)], [fb(X)])inputs: w : (fa(X), fb(X))// pre-processingbegin
I computes fM (X)←∑m−1
i=0
∑n−1j=0 M[i,j]X
in+j
I sends fM (X) of degree at most mn− 1 to P and V
begin
V samples α$←− F and sends α to P
P computes r(X)← fM (X)modXn − α// ModReducebegin
P computes q(X) such that fM (X) = q(X) · (Xn − α) + r(X)P sends q(X) of degree at most (m− 1)n to V
V samples z$←− F\{0} and queries [fM (X)] and [q(X)] in z2 and in z−2
V receives yf = fM (z2), y∗f = fM (z−2), yq = q(z2), and y∗q = q(z−2)V sets yr ← yf − yq · (z2n − α) and y∗r ← y∗f − y∗q · (z−2n − α)
V queries [fb(X)] in α and receives yαTb = fb(α)// InnerProductbegin
P computes h(X)← r(X2) · fa(X−2) ·X2n−2 + r(X−2) · fa(X2) ·X2n−1
P computes h(X)← h(X) mod X2n−2
P sends h(X) of degree at most 2n− 3 to VV queries ([fa(X)], [h(X)]) in (z2, z) and in (z−2, z−1)V receives ya = fa(z2), y∗a = fa(z−2), yh = h(z), and y∗h = h(z−1)
// Merged testV testsyh + z2n−2 · yαTb + z2n−1 · yαTb + z2n · y∗h
?= yr · y∗a · z2d + y∗r · ya · z2d+1
Protocol 16: DenseMVP, eliminated r(X); optimized
C.2 Batched SparseBiEval
BiVandermonde Vector. We batch two VandermondeVector protocols intoa single protocol for efficiency. The BiVandermondeVector protocol realizes thefollowing relation
Rbvv =
(i,x,w)
∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣
i = (H,K,ϕ(h), {ak}K−1k=0 , {bk}K−1k=0 )
x = (z, [fz(X)])w = fz(X)
Ra =
ϕ(a0)0 ϕ(a1)0 · · ·ϕ(a0)1 ϕ(a1)1 · · ·
......
. . .
Rb =
ϕ(b0)0 ϕ(b1)0 · · ·ϕ(b0)1 ϕ(b1)1 · · ·
......
. . .
R =
(Ra 00 Rb
)fz(X) =
∑2H−1i=0 ziX
i
z = (1 , z , z2 , · · · , z2K−1)T
z = Rz
. (76)
Theorem 13 (Security of BiVandermondeVector). Protocol BiVandermondeVectoris a Polynomial IOP for Rbvv with completeness and soundness with soundnesserror σ ≤ 2H+10K−5
|F|−1 .
Proof. Consider the following sequences of equations.
z = Rz (77)
δTz = δTRz (78)
fz(δ) = fδ(z) (79)
y1 = y0 , (80)
and
∀k ∈ {0, . . . ,K − 1} .
(H−1∑h=0
(δ · ϕ(ak))h
)· (1− δ · ϕ(ak)) = 1− (δ · ϕ(ak))
H(81)(
H−1∑h=0
δH+h · ϕ(ak)h
)· (1− δ · ϕ(bk)) = δH ·
(1− (δ · ϕ(bk))
H)
(δTR
)◦(
(1− δ · ϕ(ak))K−1k=0 ‖ (1− δ · ϕ(bk))
K−1k=0
)=(
1− (δ · ϕ(ak))H)K−1k=0
∥∥∥∥(1− (δ · ϕ(bk))H)K−1k=0
· δH (82)
42
Polynomial IOPs for Linear Algebra Relations 43
description: decides L(Rbvv)inputs: i: H,K,ϕ(h), {ak}K−1
k=0 , {bk}K−1k=0
inputs: x: z, [fz(X)]inputs: w: fz(X)// pre-processingbegin
I computes fϕ(ak)(X)←∑K−1
k=0 ϕ(ak)Xk, fϕ(ak)H (X)←
∑K−1k=0 ϕ(ak)HXk,
fϕ(bk)(X)←∑K−1
k=0 ϕ(bk)Xk and fϕ(bk)H (X)←
∑K−1k=0 ϕ(bk)HXk
I sends fϕ(ak)(X), fϕ(ak)H (X), fϕ(bk)(X) and fϕ(bk)
H (X), all of degree atmost K − 1, to P and V
// onlinebegin
V samples δ$←− F\{0} and sends δ to P
P computes δ ← (δ0, δ1, . . . , δ2H−1)T, δ ← RTδ, and fδ(X)←∑2K−1
i=0 δiXi
P sends fδ(X) of degree at most 2K − 1 to VV queries [fδ(X)] in z and receives y0 = fδ(z)V queries [fz(X)] in δ and receives y1 = fz(δ)
V checks y1?= y0
P and V run Hadamard with i(1) = 2K − 1,
x(1) = ([fδ(X)], [δ · fϕ(ak)(X)− fI(X) + (δ · fϕ(bk)(X)− fI(X)) · δH ·XK ],
[δH · fϕ(ak)H (X)− fI(X) + (δH · fϕ(bk)
H (X)− fI(X)) · δH ·XK ]),
w(1) = (fδ(X), δH · fϕ(ak)(X)− fI(X) + (δH · fϕ(bk)(X)− fI(X)) · δH ·XK ,
δH · fϕ(ak)H (X)− fI(X) + (δH · fϕ(bk)
H (X)− fI(X)) · δH ·XK), where V
simulates [fϕ(ak)(δX)− fI(X) + (fϕ(bk)(δX)− fI(X)) · δH ·XK ] and[fϕ(ak)
H (δX)− fI(X) + (fϕ(bk)H (δX)− fI(X)) · δH ·XK ] using the
oracles [fϕ(ak)(X)], [fϕ(ak)H (X)], [fϕ(bk)(X)], [fϕ(bk)
H (X)] and the known
scalar δ, in combination with computing fI(X) =∑2K−1
k=0 Xk locally
Protocol 17: BiVandermondeVector
fδ(X) ◦(δ · fϕ(ak)(X)− fI(X) + (δ · fϕ(bk)(X)− fI(X)) · δH ·XK
)=
δH · fϕ(ak)H (X)− fI(X) +(δH · fϕ(bk)H (X)− fI(X)
)· δH ·XK (83)
(i(1),x(1)) = (2K − 1, [fδ(X)],
[δ · fϕ(ak)(X)− fI(X) + (δ · fϕ(bk)(X)− fI(X)) · δH ·XK ],
[δH · fϕ(ak)H (X)− fI(X) + (δH · fϕ(bk)H (X)− fI(X)) · δH ·XK)]
∈ L(Rhadamard) . (84)
Completeness follows from the sequences of implications a) (77) ⇒ (78) ⇔(79) ⇔ (80), and b) (81) ⇔ (82) ⇔ (83) ⇒ (84). Sequence (a) holds for anymatrix R. Sequence (b) starts with the equation for two geometric sums derivedfrom the matrix Ra and Rb as defined as in Eqn. 27.
For soundness, consider when the reverse implications fail. There are twosuch cases:
– (77) 6⇐ (78). By the Schwartz-Zippel lemma, the probability of this event isbounded by 2H−1
|F|−1 .
– (83) 6⇐ (84). The probability of this event is captured by the soundness errorof Hadamard, σHadamard ≤ 10K−4
|F|−1 .
By the Union Bound, the soundness error of BiVandermondeVector is boundedby σ ≤ 2H+10K−5
|F|−1 . ut
BiLagrange Vector. We batch two instances of LagrangeVector protocol into asingle protocol for efficiency. The BiLagrangeVector protocol realizes the followingrelation
Rlv =
(i,x,w)
∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣∣
i = (H,ϕ(h))x = (u, v, [fuv(X)])w = fuv(X)
L =
Lϕ(0),0 Lϕ(0),1 · · ·Lϕ(1),0 Lϕ(1),1 · · ·...
.... . .
fuv(X) =
∑H−1i=0 uiX
i +∑H−1i=0 viX
H+i
u = (1 , u , u2 , · · · , uH−1)T
v = (1 , v , v2 , · · · , vH−1)T
u = uTL v = vTL
. (85)
Theorem 14 (Security of BiLagrangeVector). Protocol BiLagrangeVector is aPolynomial IOP for Rblv with completeness and soundness with soundness errorσ ≤ 7H−5
|F|−1 .
44
Polynomial IOPs for Linear Algebra Relations 45
description: decides L(Rblv)inputs: i: H,ϕ(h)inputs: x: u, v, [fuv(X)]inputs: w: fuv(X)// pre-processingbegin
I computes fϕ(h)(X)←∑H−1
h=0 ϕ(h)Xh, ZH(X)←∏H−1
h=0 (X − ϕ(h)) and
fH(X)←∑H−1
h=0
(∏i∈{0...H−1}\{h}(ϕ(h)− ϕ(i))
)−1
·Xh
I sends fϕ(h)(X), fH(X), both of degree at most H − 1, and ZH(X) ofdegree at most H, to P and V
// onlinebegin
V samples γ$←− F\{0} and sends γ to P
P computes γ ← (γ0, γ1, . . . , γH−1)T, γ ← Lγ, and fγ(X)←∑H−1
i=0 γiXi
P sends fγ(X) of degree at most H − 1 to VV queries [fγ(X)] in u, v and receives y0 = fγ(u), y1 = fγ(v)V queries [fuv(X)] in γ and receives y2 = fuv(γ)
V checks y2?= y0 + γH · y1
V queries [ZH(X)] in γ and receives w = ZH(γ)P and V run Hadamard with i
(1) = H − 1,x(1) = ([fγ(X)], [γfI(X)− fϕ(h)(X)], [wfH(X)]),
w(1) = (fγ(X), γfI(X)− fϕ(h)(X), wfH(X)), where V simulates
[γfI(X)− fϕ(h)(X)], [wfH(X)] using the oracles [fϕ(h)(X)], [fH(X)] and
the known scalar γ, in combination with computing fI(X) =∑H−1
h=0 Xh
locally
Protocol 18: BiLagrangeVector
Proof. Consider the following sequences of equations.
uT = uTL vT = vTL (86)
uTγ + vTγ · γH = uTLγ + vTLγ · γH (87)
fuv(γ) = fγ(u) + fγ(v) · γH (88)
y2 = y0 + γH · y1 , (89)
and
∀h ∈ {0, . . . ,H − 1} .Lh(γ) =
H−1∏i = 0i 6= h
γ − ϕ(i)
ϕ(h)− ϕ(i)(90)
∀h ∈ {0, . . . ,H − 1} .Lh(γ) · (γ − ϕ(h)) =ZH(γ)∏H−1
i = 0i 6= h
(ϕ(h)− ϕ(i))(91)
(Lγ) ◦ (γ − ϕ(h))H−1h=0 = ZH(γ)
∏i∈{0...H−1}\{h}
(ϕ(h)− ϕ(i))
−1H−1
h=0
(92)
fγ(X) ◦ (γfI(X)− fϕ(X)) = wfH(X) (93)
(i(1),x(1)) = (94)
(H − 1, [fγ(X)], [γfI(X)− fϕ(h)(X)], [wfH(X)]) ∈ L(Rhadamard) .
Completeness follows from the sequences of implications a) (86) ⇒ (87) ⇔(88) ⇔ (89), and b) (90) ⇔ (91) ⇔ (92) ⇔ (93) ⇒ (94). Sequence (a) holdsfor any matrix L. Sequence (b) starts with the definition of Lagrange basispolynomials, and holds when the rows of L are exactly the coefficient vectors ofthe Lagrange basis polynomials. Recall that Lagrange basis polynomial indexedby h takes the value 1 in ϕ(h) and 0 in all other points of H.
For soundness, consider when the reverse implications fail. There are twosuch cases:
– (86) 6⇐ (87). By the Schwartz-Zippel lemma, the probability of this event isbounded by 2H−1
|F|−1 .
– (93) 6⇐ (94). The probability of this event is captured by the soundness errorof Hadamard, σHadamard ≤ 5H−4
|F|−1 .
By the Union Bound, the soundness error of BiLagrangeVector is bounded byσ ≤ 7H−5
|F|−1 . ut
Batched SparseBiEval Using the above two protocols, we obtain an improvedversion of the SparseBiEval protocol that saves four polynomial oracles at therelatively minor expense of doubling their degree. Protocol 19 verifies the relationRsbi defined by Eqn. 62.
46
Polynomial IOPs for Linear Algebra Relations 47
description: decides L(Rsbe)inputs: i: H,K, {ak}K−1
k=0 , {bk}K−1k=0 , {ck}
K−1k=0
inputs: x: u, v, winputs: w: ∅// pre-processingbegin
I selects any mapping ϕ : N→ F such that {0, . . . , H − 1} are mapped todistinct elements
I runs BiVandermondeVector.I with i(1) = (H,K, {ak}K−1
k=0 , {bk}K−1k=0 )
I runs BiLagrangeVector.I with i(2) = (H,ϕ(h))
I computes fc(X)←∑K−1
k=0 ckXk
I sends fc(X) of degree at most K − 1 to P and V
// onlinebegin
P computes fu‖v(X)←∑K−1
k=0 uakXk +∑K−1
k=0 vbkXk+K and
fuv(X)←∑K−1
k=0 uakvbkXk
P sends fu‖v(X) of degree at most 2K − 1 and fuv(X) of degree at mostK − 1, to V
Batched Lagrange vector:
P computes u← (1, u, u2, · · · , uH−1)T, u← uTL,v← (1, v, v2, · · · , vH−1)T, v← vTL
P computes fuv(X)←∑H−1
i=0 uiXi +∑H−1
i=0 viXi+H
P sends fuv(X) of degree at most 2H − 1 to VP and V run BiLagrangeVector with i
(2) = (H,ϕ(h)),x(2) = (u, v, [fuv(X)]), and w
(2) = fuv(X)
Batched Vandermonde vector:
V samples y$←− F\{0} and sends y to P
P computes y← (1, y, y2, · · · , y2K−1), y← Ry where R is as definedin Eqn. 76
P computes fy(X)←∑2K−1
i=0 ziXi
P sends fy(X) of degree at most 2K − 1 to VP and V run BiVandermondeVector withi(1) = (H,K, {ak}K−1
k=0 , {bk}K−1k=0 ), x(1) = (y, [fy(X)]), and
w(1) = fy(X)
V queries [fu‖v(X)] in y and receives s = fu‖v(y)
P and V run InnerProduct with i(3) = 2H − 1, x(3) = ([fuv(X)], [fy(X)], s),
and w(3) = (fuv(X), fy(X))
P and V run Hadamard with i(4) = 3K − 1,
x(4) = ([fu‖v(X)], [fu‖v(X) ·XK ], [fuv(X) ·XK ]), and
w(4) = (fu‖v(X), fu‖v(X) ·XK , fuv(X) ·XK) where V simulates
[fu‖v(X) ·XK ] and [fuv(X) ·XK ] using [fu‖v(X)] and [fuv(X)]respectively
P and V run InnerProduct with i(5) = K − 1, x(5) = ([fuv(X)], [fc(X)], w),
and w(5) = (fuv(X), fc(X))
Protocol 19: BatchedSparseBiEval
Theorem 15 (Security of BatchedSparseBiEval). Protocol BatchedSparseBiEvalis a Polynomial IOP for Rsbi with completeness and soundness with soundnesserror σ = 17H+31K−21
|F|−1 .
Proof. Consider the following sequences of equations.
fu‖v(X) =
K−1∑k=0
uakXk +
K−1∑k=0
vbkXk+K (95)
fu‖v(y) =
K−1∑k=0
uakyk +
K−1∑k=0
vbkyk+K (96)
fu‖v(y) = uT(ea0 , · · · , eaK−1)y[0:K] + vT(eb0 , · · · , ebK−1
)y[K:2K] (97)
fu‖v(y) = uTLRay[0:K] + vTLRby[K:2K] (98)
fu‖v(y) = uTRay[0:K] + vTRby[K:2K] (99)
fu‖v(y) = (uT‖vT)Ry (100)
fu‖v(y) = (uT‖vT) · y (101)
(i,x) = (2H − 1, ([fuv(X)], [fy(X)], s)) ∈ Rip (102)
and
f(u, v) = w (103)
K−1∑k=0
ckuakvbk = w (104)
coeffs(fuv(X)) · coeffs(fc(X)) = w (105)(coeffs(fu‖v(X)) ◦ coeffs(fu‖v(X) ·XK)
)[K:2K]
· coeffs(fc(X)) = w (106)(coeffs(fu‖v(X)) ◦ coeffs(fu‖v(X) ·XK)
)[K:2K]
· (ck)K−1k=0 = w (107)(
(uak)K−1k=0 ◦
(vbk)K−1k=0
)· (ck)
K−1k=0 = w (108)
Completeness follows from the sequences of implications: a) (95) ⇒ (96) ⇔(97)⇔ (98)⇒ (99)⇔ (100)⇒ (101)⇒ (102) and b) (103)⇔ (104)⇒ (105)⇒(106) ⇔ (107) ⇔ (108). For soundness, consider when the reverse implicationsfail.
– (95) 6⇐ (96). This event happens with probability at most 2K−1|F|−1 due to the
Schwartz-Zippel lemma.– (98) 6⇐ (99). This event implies that BiLagrangeVector succeeded despite
being run on a false instance. This happens with probability at most equalto the soundness error of that protocol, σBiLagrangeVector ≤ 7H−5
|F|−1 .
– (100) 6⇐ (101). This event implies that BiVandermondeVector succeeded de-spite being run on a false instance. This happens with probability at mostequal to the soundness error of that protocol, σBiVandermondeVector ≤ 2H+10K−5
|F|−1 .
48
– (101) 6⇐ (102). This event implies that InnerProduct succeeded despite beingrun on a false instance. This happens with probability at most equal to thesoundness error of that protocol, σInnerProduct ≤ 8H−3
|F|−1 .
– (104) 6⇐ (105). This event happens with probability at most equal to thesoundness error of InnerProduct, σInnerProduct ≤ 4K−3
|F|−1 .
– (105) 6⇐ (106). This event happens with probability at most equal to thesoundness error of Hadamard, σHadamard ≤ 15K−4
|F|−1 .
By the Union Bound, the soundness error of BatchedSparseBiEval is bounded byσ ≤ 17H+31K−21
|F|−1 . ut
D Call Graphs and Statistics
Table 2. Callgraph Statistics for Hadamard
protocol preprocessed input new oracles queried queried in
Hadamard - fa(X), fb(X), fc(X) h(X)fa(X) α2z2, α−2z−2
fb(X) z2, z−2
fc(X) αh(X) z, z−1
total: 0 3 1 7 5
Table 3. Callgraph Statistics for DenseMVP
protocol preprocessed input new oracles queried queried in
DenseMVP fM fa, fb qfb α6
- InnerProduct q, fM , fa h7
- h7 z8, (z8)−1
- q (z8)2, (z8)−2
- l (z8)2, (z8)−2
- fM (z8)2, (z8)−2
- fa (z8)2, (z8)−2
total: 1 2 2 9 5
49
50 A. Szepieniec and Y. Zhang
Table 4. Callgraph Statistics for DenseClaymore
protocol preprocessed input new oracles queried queried in
DenseClaymore fM fx fwl, fwr, fwo
- DenseMVP fM fwl, fwr, fwo, fx q- fx α0
- - InnerProduct q, fM , fwl, fwr, fwo h1
- - h1 z2, (z2)−1
- - q (z2)2, (z2)−2
- - l (z2)2, (z2)−2
- - fM (z2)2, (z2)−2
- - fwl (z2)2, (z2)−2
- - fwr (z2)2, (z2)−2
- - fwo (z2)2, (z2)−2
- Hadamard fwl, fwr, fwo
- fwo α3
- - InnerProduct fwl, fwr h4
- - h4 z5, (z5)−1
- - fwl (α3z5)2, (α3z5)−2
- - fwr (z5)2, (z5)−2
total: 1 1 6 20 12
with BatchedInnerProduct: 1 1 5 18 8
and witness concatenation: 1 1 4 16 8
Table 5. Callgraph Statistics for VandermondeVector
protocol preprocessed input new oracles queried queried in
VandermondeVector fϕ(ak), fϕ(ak)H fx fδ
fx δ0fδ z1
- Hadamard fδ, fϕ(ak), fϕ(ak)H
- fϕ(ak)H δH0 α2
- fI α2
- - InnerProduct fδ, fϕ(ak) h3
- - h3 z4, (z4)−1
- - fδ (α2z4)2, (α2z4)−2
- - fϕ(ak) (δ0z4)2, (δ0z4)−2
- - fI (z4)2, (z4)−2
total: 2 1 2 9 9
Table 6. Callgraph Statistics for LagrangeVector
protocol preprocessed input new oracles queried queried in
LagrangeVector fϕ(h), fH, ZH fx fγfx γ5fγ z6ZH γ5
- Hadamard fγ , fϕ(h), fH- fH α7
- - InnerProduct fγ , fϕ(h) h8
- - h8 z9, (z9)−1
- - fγ (α7z9)2, (α7z9)−2
- - fI (z9)2, (z9)−2
- - fϕ(h) (z9)2, (z9)−2
total: 3 1 2 10 9
Polynomial IOPs for Linear Algebra Relations 51
Table 7. Callgraph Statistics for SparseMonomialVector
protocol preprocessed input new oracles queried queried in
SparseMonomialVector fx fz, fyfx x31
- VandermondeVector fϕ(ak), fϕ(ak)H fy fδ
- fy δ32- fδ z33- - Hadamard fδ, fϕ(ak), fϕ(ak)
H
- - fϕ(ak)H δH32α34
- - fI α34
- - - InnerProduct fδ, fϕ(ak) h35
- - - h35 z36, (z36)−1
- - - fδ (α34z36)2, (α34z36)−2
- - - fϕ(ak) (δ32z36)2, (δ32z36)−2
- - - fI (z36)2, (z36)−2
- LagrangeVector fϕ(h), fH, ZH fz fγ- fz γ37- fγ z38- ZH γ37- - Hadamard fγ , fϕ(h), fH- - fH α39
- - - InnerProduct fγ , fϕ(h) h40
- - - h40 z41, (z41)−1
- - - fγ (α39z41)2, (α39z41)−2
- - - fI (z41)2, (z41)−2
- - - fϕ(h) (z41)2, (z41)−2
- InnerProduct fz, fy h42
- h42 z43, (z43)−1
- fz (z43)2, (z43)−2
- fy (z43)2, (z43)−2
total: 5 1 7 26 23
52 A. Szepieniec and Y. Zhang
Table 8. Callgraph Statistics for SparseBiEval
protocol preprocessed input new oracles queried queried in
SparseBiEval fc fu, fv, fuv- SparseMonomialVector fu fz, fy- fu x23- - VandermondeVector fϕ(ak), fϕ(ak)
H fy fδ- - fy δ24- - fδ z25- - - Hadamard fδ, fϕ(ak), fϕ(ak)
H
- - - fϕ(ak)H δH24α26
- - - fI α26
- - - - InnerProduct fδ, fϕ(ak) h27
- - - - h27 z28, (z28)−1
- - - - fδ (α26z28)2, (α26z28)−2
- - - - fϕ(ak) (δ24z28)2, (δ24z28)−2
- - - - fI (z28)2, (z28)−2
- - LagrangeVector fϕ(h), fH, ZH fz fγ- - fz γ29- - fγ z30- - ZH γ29- - - Hadamard fγ , fϕ(h), fH- - - fH α31
- - - - InnerProduct fγ , fϕ(h) h32
- - - - h32 z33, (z33)−1
- - - - fγ (α31z33)2, (α31z33)−2
- - - - fI (z33)2, (z33)−2
- - - - fϕ(h) (z33)2, (z33)−2
- - InnerProduct fz, fy h34
- - h34 z35, (z35)−1
- - fz (z35)2, (z35)−2
- - fy (z35)2, (z35)−2
- SparseMonomialVector fv fz, fy- fv x36- - VandermondeVector fϕ(bk), fϕ(bk)
H fy fδ- - fy δ37- - fδ z38- - - Hadamard fδ, fϕ(bk), fϕ(bk)
H
- - - fϕ(bk)H δH37α39
- - - fI α39
- - - - InnerProduct fδ, fϕ(bk) h40
- - - - h40 z41, (z41)−1
- - - - fδ (α39z41)2, (α39z41)−2
- - - - fϕ(bk) (δ37z41)2, (δ37z41)−2
- - - - fI (z41)2, (z41)−2
- - LagrangeVector fϕ(h), fH, ZH fz fγ- - fz γ42- - fγ z43- - ZH γ42- - - Hadamard fγ , fϕ(h), fH- - - fH α44
- - - - InnerProduct fγ , fϕ(h) h45
- - - - h45 z46, (z46)−1
- - - - fγ (α44z46)2, (α44z46)−2
- - - - fI (z46)2, (z46)−2
- - - - fϕ(h) (z46)2, (z46)−2
- - InnerProduct fz, fy h47
- - h47 z48, (z48)−1
- - fz (z48)2, (z48)−2
- - fy (z48)2, (z48)−2
- Hadamard fu, fv, fuv- fuv α49
- - InnerProduct fu, fv h50
- - h50 z51, (z51)−1
- - fu (α49z51)2, (α49z51)−2
- - fv (z51)2, (z51)−2
- InnerProduct fuv, fc h52
- h52 z53, (z53)−1
- fuv (z53)2, (z53)−2
- fc (z53)2, (z53)−2
total: 8 0 19 65 57
Polynomial IOPs for Linear Algebra Relations 53
Table 9. Callgraph Statistics for SparseMVP
protocol preprocessed input new oracles queried queried in
SparseMVP fa, fb fαTM
fb αsmvp
fαTM βsmvp
- InnerProduct fa, fαTM h33
- h33 z34, (z34)−1
- fa (z34)2, (z34)−2
- fαTM (z34)2, (z34)−2
- SparseBiEval fc fu, fv, fuv- - SparseMonomialVector fu fz, fy- - fu x35- - - VandermondeVector fϕ(ak), fϕ(ak)
H fy fδ- - - fy δ36- - - fδ z37- - - - Hadamard fδ, fϕ(ak), fϕ(ak)
H
- - - - fϕ(ak)H δH36α38
- - - - fI α38
- - - - - InnerProduct fδ, fϕ(ak) h39
- - - - - h39 z40, (z40)−1
- - - - - fδ (α38z40)2, (α38z40)−2
- - - - - fϕ(ak) (δ36z40)2, (δ36z40)−2
- - - - - fI (z40)2, (z40)−2
- - - LagrangeVector fϕ(h), fH, ZH fz fγ- - - fz γ41- - - fγ z42- - - ZH γ41- - - - Hadamard fγ , fϕ(h), fH- - - - fH α43
- - - - - InnerProduct fγ , fϕ(h) h44
- - - - - h44 z45, (z45)−1
- - - - - fγ (α43z45)2, (α43z45)−2
- - - - - fI (z45)2, (z45)−2
- - - - - fϕ(h) (z45)2, (z45)−2
- - - InnerProduct fz, fy h46
- - - h46 z47, (z47)−1
- - - fz (z47)2, (z47)−2
- - - fy (z47)2, (z47)−2
- - SparseMonomialVector fv fz, fy- - fv x48- - - VandermondeVector fϕ(bk), fϕ(bk)
H fy fδ- - - fy δ49- - - fδ z50- - - - Hadamard fδ, fϕ(bk), fϕ(bk)
H
- - - - fϕ(bk)H δH49α51
- - - - fI α51
- - - - - InnerProduct fδ, fϕ(bk) h52
- - - - - h52 z53, (z53)−1
- - - - - fδ (α51z53)2, (α51z53)−2
- - - - - fϕ(bk) (δ49z53)2, (δ49z53)−2
- - - - - fI (z53)2, (z53)−2
- - - LagrangeVector fϕ(h), fH, ZH fz fγ- - - fz γ54- - - fγ z55- - - ZH γ54- - - - Hadamard fγ , fϕ(h), fH- - - - fH α56
- - - - - InnerProduct fγ , fϕ(h) h57
- - - - - h57 z58, (z58)−1
- - - - - fγ (α56z58)2, (α56z58)−2
- - - - - fI (z58)2, (z58)−2
- - - - - fϕ(h) (z58)2, (z58)−2
- - - InnerProduct fz, fy h59
- - - h59 z60, (z60)−1
- - - fz (z60)2, (z60)−2
- - - fy (z60)2, (z60)−2
- - Hadamard fu, fv, fuv- - fuv α61
- - - InnerProduct fu, fv h62
- - - h62 z63, (z63)−1
- - - fu (α61z63)2, (α61z63)−2
- - - fv (z63)2, (z63)−2
- - InnerProduct fuv, fc h64
- - h64 z65, (z65)−1
- - fuv (z65)2, (z65)−2
- - fc (z65)2, (z65)−2
total: 8 2 21 73 63
54 A. Szepieniec and Y. Zhang
Table 10. Callgraph Statistics for SparseClaymore
protocol preprocessed input new oracles queried queried in
SparseClaymore fx fwl, fwr, fwo
- SparseMVP fwl, fwr, fwo, fx fαTM
- fx αsmvp
- fαTM βsmvp
- - InnerProduct fwl, fwr, fwo, fαTM h146
- - h146 z147, (z147)−1
- - fwl (z147)2, (z147)−2
- - fwr (z147)2, (z147)−2
- - fwo (z147)2, (z147)−2
- - fαTM (z147)2, (z147)−2
- - SparseBiEval fc fu, fv, fuv- - - SparseMonomialVector fu fz, fy- - - fu x148- - - - VandermondeVector fϕ(ak), fϕ(ak)
H fy fδ- - - - fy δ149- - - - fδ z150- - - - - Hadamard fδ, fϕ(ak), fϕ(ak)
H
- - - - - fϕ(ak)H δH149α151
- - - - - fI α151
- - - - - - InnerProduct fδ, fϕ(ak) h152
- - - - - - h152 z153, (z153)−1
- - - - - - fδ (α151z153)2, (α151z153)−2
- - - - - - fϕ(ak) (δ149z153)2, (δ149z153)−2
- - - - - - fI (z153)2, (z153)−2
- - - - LagrangeVector fϕ(h), fH, ZH fz fγ- - - - fz γ154- - - - fγ z155- - - - ZH γ154- - - - - Hadamard fγ , fϕ(h), fH- - - - - fH α156
- - - - - - InnerProduct fγ , fϕ(h) h157
- - - - - - h157 z158, (z158)−1
- - - - - - fγ (α156z158)2, (α156z158)−2
- - - - - - fI (z158)2, (z158)−2
- - - - - - fϕ(h) (z158)2, (z158)−2
- - - - InnerProduct fz, fy h159
- - - - h159 z160, (z160)−1
- - - - fz (z160)2, (z160)−2
- - - - fy (z160)2, (z160)−2
- - - SparseMonomialVector fv fz, fy- - - fv x161- - - - VandermondeVector fϕ(bk), fϕ(bk)
H fy fδ- - - - fy δ162- - - - fδ z163- - - - - Hadamard fδ, fϕ(bk), fϕ(bk)
H
- - - - - fϕ(bk)H δH162α164
- - - - - fI α164
- - - - - - InnerProduct fδ, fϕ(bk) h165
- - - - - - h165 z166, (z166)−1
- - - - - - fδ (α164z166)2, (α164z166)−2
- - - - - - fϕ(bk) (δ162z166)2, (δ162z166)−2
- - - - - - fI (z166)2, (z166)−2
- - - - LagrangeVector fϕ(h), fH, ZH fz fγ- - - - fz γ167- - - - fγ z168- - - - ZH γ167- - - - - Hadamard fγ , fϕ(h), fH- - - - - fH α169
- - - - - - InnerProduct fγ , fϕ(h) h170
- - - - - - h170 z171, (z171)−1
- - - - - - fγ (α169z171)2, (α169z171)−2
- - - - - - fI (z171)2, (z171)−2
- - - - - - fϕ(h) (z171)2, (z171)−2
- - - - InnerProduct fz, fy h172
- - - - h172 z173, (z173)−1
- - - - fz (z173)2, (z173)−2
- - - - fy (z173)2, (z173)−2
- - - Hadamard fu, fv, fuv- - - fuv α174
- - - - InnerProduct fu, fv h175
- - - - h175 z176, (z176)−1
- - - - fu (α174z176)2, (α174z176)−2
- - - - fv (z176)2, (z176)−2
- - - InnerProduct fuv, fc h177
- - - h177 z178, (z178)−1
- - - fuv (z178)2, (z178)−2
- - - fc (z178)2, (z178)−2
- Hadamard fwl, fwr, fwo
- fwo α179
- - InnerProduct fwl, fwr h180
- - h180 z181, (z181)−1
- - fwl (α179z181)2, (α179z181)−2
- - fwr (z181)2, (z181)−2
total: 8 1 25 84 70
with BatchedInnerProduct: 8 1 16 66 40
and witness concatenation: 8 1 15 64 40
Table 11. Callgraph Statistics for BiVandermondeVector
protocol preprocessed input new oracles queried queried in
BiVandermondeVector fϕ(ak), fϕ(ak)H , fϕ(bk), fϕ(bk)
H fz fδfz δ0fδ z1
- Hadamard fδ, fϕ(ak), fϕ(bk), fϕ(ak)H , fϕ(bk)
H
- fϕ(ak)H α2
- fI α2
- fϕ(bk)H α2
- - InnerProduct fδ, fϕ(ak), fϕ(bk) h3
- - h3 z4, (z4)−1
- - fδ (α2z4)2, (α2z4)−2
- - fϕ(ak) (z4)2, (z4)−2
- - fI (z4)2, (z4)−2
- - fϕ(bk) (z4)2, (z4)−2
total: 4 1 2 12 9
Table 12. Callgraph Statistics for BiLagrangeVector
protocol preprocessed input new oracles queried queried in
BiLagrangeVector fϕ(h), fH, ZH fuv fγfuv γ0fγ z1ZH γ0
- Hadamard fγ , fϕ(h), fH- fH α2
- - InnerProduct fγ , fϕ(h) h3
- - h3 z4, (z4)−1
- - fγ (α2z4)2, (α2z4)−2
- - fI (z4)2, (z4)−2
- - fϕ(h) (z4)2, (z4)−2
total: 3 1 2 10 9
55
Table 13. Call graph statistics for BatchedSparseBiEval
protocol preprocessed input new oracles queried queried in
BatchedSparseBiEval fc fu‖v, fuv, fuv, fyfu‖v y10
- BiLagrangeVector fϕ(h), fH, ZH fuv fγ- fuv γ0- fγ z1- ZH γ0- - Hadamard fγ , fϕ(h), fH- - fH α2
- - - InnerProduct fγ , fϕ(h) h3
- - - h3 z4, (z4)−1
- - - fγ (α2z4)2, (α2z4)−2
- - - fI (z4)2, (z4)−2
- - - fϕ(h) (z4)2, (z4)−2
- BiVandermondeVector fϕ(ak), fϕ(ak)H , fϕ(bk), fϕ(bk)
H fy fδ- fy δ5- fδ z6- - Hadamard fδ, fϕ(ak), fϕ(bk), fϕ(ak)
H , fϕ(bk)H
- - fϕ(ak)H α7
- - fI α7
- - fϕ(bk)H α7
- - - InnerProduct fδ, fϕ(ak), fϕ(bk) h8
- - - h8 z9, (z9)−1
- - - fδ (α7z9)2, (α7z9)−2
- - - fϕ(ak) (z9)2, (z9)−2
- - - fI (z9)2, (z9)−2
- - - fϕ(bk) (z9)2, (z9)−2
- InnerProduct fuv, fy h11
- h11 z12, (z12)−1
- fuv (z12)2, (z12)−2
- fy (z12)2, (z12)−2
- Hadamard fu‖v, fu‖v, fuv- fuv α13
- - InnerProduct fu‖v, fu‖v h14
- - h14 z15, (z15)−1
- - fu‖v (z15)2, (z15)−2
- InnerProduct fuv, fc h16
- h16 z17, (z17)−1
- fuv (z17)2, (z17)−2
- fc (z17)2, (z17)−2
total: 8 0 11 40 32
56
Polynomial IOPs for Linear Algebra Relations 57
Table 14. Call graph statistics for SparseMVP but with BatchedSparseBiEval
protocol preprocessed input new oracles queried queried in
BiSparseMVP fa, fb fαTM
fb αsmvp
fαTM βsmvp
- InnerProduct fa, fαTM h0
- h0 z1, (z1)−1
- fa (z1)2, (z1)−2
- fαTM (z1)2, (z1)−2
- BatchedSparseBiEval fc fu‖v, fuv, fuv, fy- fu‖v y12- - BiLagrangeVector fϕ(h), fH, ZH fuv fγ- - fuv γ2- - fγ z3- - ZH γ2- - - Hadamard fγ , fϕ(h), fH- - - fH α4
- - - - InnerProduct fγ , fϕ(h) h5
- - - - h5 z6, (z6)−1
- - - - fγ (α4z6)2, (α4z6)−2
- - - - fI (z6)2, (z6)−2
- - - - fϕ(h) (z6)2, (z6)−2
- - BiVandermondeVector fϕ(ak), fϕ(ak)H , fϕ(bk), fϕ(bk)
H fy fδ- - fy δ7- - fδ z8- - - Hadamard fδ, fϕ(ak), fϕ(bk), fϕ(ak)
H , fϕ(bk)H
- - - fϕ(ak)H α9
- - - fI α9
- - - fϕ(bk)H α9
- - - - InnerProduct fδ, fϕ(ak), fϕ(bk) h10
- - - - h10 z11, (z11)−1
- - - - fδ (α9z11)2, (α9z11)−2
- - - - fϕ(ak) (z11)2, (z11)−2
- - - - fI (z11)2, (z11)−2
- - - - fϕ(bk) (z11)2, (z11)−2
- - InnerProduct fuv, fy h13
- - h13 z14, (z14)−1
- - fuv (z14)2, (z14)−2
- - fy (z14)2, (z14)−2
- - Hadamard fu‖v, fu‖v, fuv- - fuv α15
- - - InnerProduct fu‖v, fu‖v h16
- - - h16 z17, (z17)−1
- - - fu‖v (z17)2, (z17)−2
- - InnerProduct fuv, fc h18
- - h18 z19, (z19)−1
- - fuv (z19)2, (z19)−2
- - fc (z19)2, (z19)−2
total: 8 2 13 48 38
58 A. Szepieniec and Y. Zhang
Table 15. Call graph statistics for SparseClaymore but with batchedBatchedSparseBiEval
protocol preprocessed input new oracles queried queried in
SparseClaymore fx fwl, fwr, fwo
- BiSparseMVP fwl, fwr, fwo, fx fαTM
- fx αsmvp
- fαTM βsmvp
- - InnerProduct fwl, fwr, fwo, fαTM h0
- - h0 z1, (z1)−1
- - fwl (z1)2, (z1)−2
- - fwr (z1)2, (z1)−2
- - fwo (z1)2, (z1)−2
- - fαTM (z1)2, (z1)−2
- - BatchedSparseBiEval fc fu‖v, fuv, fuv, fy- - fu‖v y12- - - BiLagrangeVector fϕ(h), fH, ZH fuv fγ- - - fuv γ2- - - fγ z3- - - ZH γ2- - - - Hadamard fγ , fϕ(h), fH- - - - fH α4
- - - - - InnerProduct fγ , fϕ(h) h5
- - - - - h5 z6, (z6)−1
- - - - - fγ (α4z6)2, (α4z6)−2
- - - - - fI (z6)2, (z6)−2
- - - - - fϕ(h) (z6)2, (z6)−2
- - - BiVandermondeVector fϕ(ak), fϕ(ak)H , fϕ(bk), fϕ(bk)
H fy fδ- - - fy δ7- - - fδ z8- - - - Hadamard fδ, fϕ(ak), fϕ(bk), fϕ(ak)
H , fϕ(bk)H
- - - - fϕ(ak)H α9
- - - - fI α9
- - - - fϕ(bk)H α9
- - - - - InnerProduct fδ, fϕ(ak), fϕ(bk) h10
- - - - - h10 z11, (z11)−1
- - - - - fδ (α9z11)2, (α9z11)−2
- - - - - fϕ(ak) (z11)2, (z11)−2
- - - - - fI (z11)2, (z11)−2
- - - - - fϕ(bk) (z11)2, (z11)−2
- - - InnerProduct fuv, fy h13
- - - h13 z14, (z14)−1
- - - fuv (z14)2, (z14)−2
- - - fy (z14)2, (z14)−2
- - - Hadamard fu‖v, fu‖v, fuv- - - fuv α15
- - - - InnerProduct fu‖v, fu‖v h16
- - - - h16 z17, (z17)−1
- - - - fu‖v (z17)2, (z17)−2
- - - InnerProduct fuv, fc h18
- - - h18 z19, (z19)−1
- - - fuv (z19)2, (z19)−2
- - - fc (z19)2, (z19)−2
- Hadamard fwl, fwr, fwo
- fwo α20
- - InnerProduct fwl, fwr h21
- - h21 z22, (z22)−1
- - fwl (α20z22)2, (α20z22)−2
- - fwr (z22)2, (z22)−2
total: 8 1 17 59 45
with BatchedInnerProduct: 8 1 11 47 21
and witness concatenation: 8 1 10 45 21