Overview:
When discussing algorithms, cryptographers speak of the Sumcheck protocol with a hushed voice and a tone of awe. Not because of it’s complexity or difficulty, but because of the sheer beauty of the protocol.
The Sumcheck protocol seeks to prove that a claimed sum H∈Fp is in fact equal to:
H:=x1∈{0,1}∑x2∈{0,1}∑...xn∈{0,1}∑f(x1,x2,...,xn)
Or in other words that the sum of evaluations to a multilinear polynomial over some boolian inputs is equal to what is claimed.
Protocol:
Setup:
Let’s start with an extremely simple function.
ϕ(x1,x2,x3)=x1 AND (x2 OR x3)
Say we want to compute the number of boolian inputs which result in a true output, without running all the computation ourselves. We can do this by running a structured Interactive Oracle Proof (IOP), between a prover and a verifier. The function above arithmitizes to the following formula.
f(x1,x2,x3)=x1⋅(x2+x3)−(x2⋅x3)
To calculate H the prover first computes the value of f0(x1,x2,x3) at all boolian inputs.
f(0,0,0)=0⋅(0+0)−(0⋅0)=0f(1,0,0)=1⋅(0+0)−(0⋅0)=0f(0,1,0)=0⋅(1+0)−(1⋅0)=0f(0,0,1)=0⋅(0+1)−(0⋅1)=0f(0,1,1)=0⋅(1+1)−(1⋅1)=−1f(1,1,0)=1⋅(1+0)−(1⋅0)=1f(1,0,1)=1⋅(0+1)−(0⋅1)=1f(1,1,1)=1⋅(1+1)−(1⋅1)=1
Summing the values, we see that f0=2.
Now that we have the basic of the algorithm set up we are ready to start the actual IOP.
Round 1:
P sends the following univeriate polynomial to V:
f1(X1):=x0∈0,1,..,xn∈0,1∑f(X1,x1,...,xn)
V checks that f1 is of degree at most d≤deg1(d) and that H=f1(0)+f1(1). The verifier does this by computing a partial sum of f1 leaving the first variable free.
f(X1,0,0)=X1⋅(0+0)−(0⋅0)=0f(X1,1,0)=X1⋅(1+0)−(1⋅0)=X1f(X1,0,1)=X1⋅(0+1)−(0⋅1)=X1f(X1,1,1)=X1⋅(1+1)−(1⋅1)=2X1−1
Leaving us with f1(X1)=4X1−1.
Round 2:
Now V checks that f0=f1(0)+f1(1).
Becuase we know that f0=2 and f1(X1)=4X1−1, the verifier is able to confirm that 2=4(0)−1+4(1)−1.
Round 3:
V selects a random field element r1∈Fp and sends it to P. Becuase Fp is a field, all operations within the field will occur modulos p.
Note: For the rest of this walkthrough assume p=10 and r1=4.
Round 4:
P replaces x1 with the random variable r1.
f2(X2):=x0∈{0,1},..,xn∈{0,1}∑f(r1,X2,...,xn)
Round 5:
For the 1<j<n rounds, P sends the univeriate polynomial:
fj(Xj):=x0∈{0,1},..,xn∈{0,1}∑f(r1,...,rj,Xj,...,xn)
And v checks that fj−1(rj−1)=fj(0)+fj(1).
If the check passes, V sends rj∈F to P.
In our example round, X1 is replaced by r1 and the next variable x2 is left free.
f(4,X2,0)=4⋅(X2+0)−(X2⋅0)=4X2f(4,X2,1)=4⋅(X2+1)−(X2⋅1)=3X2+4
This results in f2(X2)=7X2+4.
Which we then check against:
f1(r1) mod 10=f2(0)+f2(1) mod 10(4(4)−1) mod 10=(7⋅0+4+7⋅1+4) mod 10(15) mod 10=(15) mod 10
This round passes.
Becuase we are working with three variables we will cycle through one more time.
f(4,4,X3)=4⋅(4+X3)−(4⋅X3)=16
Which results in f3=16−12X3.
f2(r2) mod 10=f3(0)+f3(1) mod 10(7⋅4+4) mod 10=16+16(32) mod 10=(32) mod 10
All checks pass and we can proceed to the final round!
Round 6:
In the final round, P sends the univeriate polynomial:
fn(Xn)=f(r1,...,rn−1,Xn)
V checks that fn is of degree at most d≤degn(d).
V checks that fn−1(Xn−1)=fn(0)+fn(1).
Finally, V chooses a random rn∈F and evaluates f(r1,...,rn) via an oracle query to f.
If fv(rv)=f(r1,...,rv), V accepts.
And so our Sumcheck passed. We now know enough to accept the claim from P that H was computed correctly.
Protocol Costs
The cost of running the Sumcheck protocol is determined by the number of n variables in f. For each variable, Sumcheck will conduct a single round. The cost of the protocol can be measured in terms of the cost of the P to V communication, as well as in terms of the cost incurred by each algorithm running individually.
Communication Cost:
For v rounds of the protocol, to total prover to verifier communication costs can be calculated as:
O(i=1∑vdegi(f))
Verifier Time:
For v rounds of protocol, with T being the cost of the oracle query to f, the verifier time can be calculated as:
O(v+i=1∑vdegi(f))+T
Prover Time:
O(i=1∑vdegi(f)⋅2v−i⋅T)
However, if the degree of f is degi(f)=O(1) for all i, then the prover time is just:
O(2v⋅T)
Reference
[G22] Sam Green “Introduction to the Sum-Check Protocol” 2022 https://semiotic.ai/articles/sumcheck-tutorial/
[LFKN92] Carsten Lund, Lance Fortnow, Howard Karloff, and Noam Nisan. Algebraic methods for inter-active proof systems. J. ACM, 39:859–868, October 1992.
https://dl.acm.org/doi/pdf/10.1145/146585.146605
[S21] Gabriel Soule “GKR Lectures: The Sum-Check Protocol” 2021 https://drive.google.com/file/d/1tU50f-IpwPdCEJkZcA7K0vCr7nwwzCLh/view?pli=1
[T17] Justin Thayler “The Sum-Check Protocol (lecture notes)” 2017 https://people.cs.georgetown.edu/jthaler/sumcheck.pdf
[T20] Justin Thayler “The Unreasonable Power of the Sum-Check Protocol” 2020
https://zkproof.org/2020/03/16/sum-checkprotocol
[T23] Justin Thayler “Proofs, Arguments, and Zero-Knowledge” 2023 https://people.cs.georgetown.edu/jthaler/ProofsArgsAndZK.pdf