The Sum-check Protocol

We define the sum-check protocol as a series of Interactive Oracle Reductions (IORs), where the underlying polynomials are represented using Mathlib's noncomputable types Polynomial and MvPolynomial. See SingleRound.lean for a single round of the protocol, and the definition of the sum-check relations.

In the future, we will have files that deal with implementations of the protocol, and we will prove that those implementations derive security from that of the abstract protocol.

Protocol Specification

The sum-check protocol is parameterized by the following:

• R: the underlying ring (for soundness, required to be finite and a domain)
• n + 1 : ℕ+: the number of variables (also number of rounds)
• deg : ℕ: the individual degree bound for the polynomial
• D : Fin m ↪ R: the set of m evaluation points for each variable (for some m), represented as an injection Fin m ↪ R. The image of D as a finite subset of R is written as Finset.univ.map D.
• oSpec : OracleSpec ι: the set of underlying oracles (e.g. random oracles) that may be needed for other reductions. However, the sum-check protocol does not use any oracles.

The sum-check relation has no witness. The statement for the i-th round, where i : Fin (n + 2), contains:

• target : R, which is the target value for sum-check
• challenges : Fin i → R, which is the list of challenges sent from the verifier to the prover in previous rounds

There is a single oracle statement, which is:

• poly : MvPolynomial (Fin (n + 2)) R, the multivariate polynomial that is summed over

The sum-check relation for the i-th round checks that:

∑ x ∈ (univ.map D) ^ᶠ (n + 1 - i), poly ⸨challenges, x⸩ = target.

Note that the last statement (when i = n) is the output statement of the sum-check protocol.

For i = 0, ..., n, the i-th round of the sum-check protocol consists of the following:

1. The prover sends a univariate polynomial pᵢ ∈ R⦃≤ deg⦄[X] of degree at most deg. If the prover is honest, then we have:

   pᵢ(X) = ∑ x ∈ (univ.map D) ^ᶠ (n - i), poly ⸨X ⦃i⦄, challenges, x⸩.

Here, poly ⸨X ⦃i⦄, challenges, x⸩ is the polynomial poly evaluated at the concatenation of the prior challenges challenges, the i-th variable as the new indeterminate X, and the rest of the values x ∈ (univ.map D) ^ᶠ (n - i).

In the oracle protocol, this polynomial pᵢ is turned into an oracle for which the verifier can query for evaluations at arbitrary points.

2. The verifier then sends the i-th challenge rᵢ sampled uniformly at random from R.

3. The (oracle) verifier then performs queries for the evaluations of pᵢ at all points in (univ.map D), and checks that: ∑ x in (univ.map D), pᵢ.eval x = target.

   If the check fails, then the verifier outputs failure.

   Otherwise, it outputs a statement for the next round as follows:

   • target is updated to pᵢ.eval rᵢ
   • challenges is updated to the concatenation of the previous challenges and rᵢ

Notes & TODOs

An annoying issue is that we need to index over i : Fin (n + 2), not i : Fin (n + 1). This is because existing Fin functions works better with n + 1 which is clearly positive, and not i : Fin (n + 1) (which would imply n > 0, but this fact is not apparent).

Note that to represent sum-check as a series of IORs, we will need to implicitly constrain the degree of the polynomials via using subtypes, such as Polynomial.degreeLE and MvPolynomial.degreeOf. This is because the oracle verifier only gets oracle access to evaluating the polynomials, but does not see the polynomials in the clear.

When this is compiled to an interactive proof, the corresponding polynomial commitment schemes will enforce that the declared degree bound holds, via letting the (non-oracle) verifier perform explicit degree checks.

There are some generalizations that we could consider later:

• Generalize to degs : Fin (n + 2) → ℕ and domain : Fin (n + 2) → (Fin m ↪ R), e.g. can vary the degree bound and the summation domain for each variable

• Generalize the challenges to come from a suitable subset of R (e.g. subtractive sets), and not necessarily the whole domain. This is used in lattice-based protocols.

• Sumcheck over modules instead of just rings. This will require extending MvPolynomial to have such a notion of evaluation, something like evalModule (x : σ → M) (p : MvPolynomial σ R) : M, where we have [Module R M].

References

[JACM:LFKN92]

[C:BooChiSot21]

def Sumcheck.Spec.pSpec (R : Type) [CommSemiring R] (d n : ℕ) : ProtocolSpec ((n + 1) * 2)

Equations

• Sumcheck.Spec.pSpec R d n i = if i % 2 = 0 then (Direction.P_to_V, ↥(Polynomial.degreeLE R ↑d)) else (Direction.V_to_P, R)

instance Sumcheck.Spec.instOracleInterfaceMessagePSpec (R : Type) [CommSemiring R] (d n : ℕ) (i : (pSpec R d n).MessageIdx) : OracleInterface ((pSpec R d n).Message i)

Equations

• Sumcheck.Spec.instOracleInterfaceMessagePSpec R d n ⟨i, hDir⟩ = if h : i % 2 = 0 then ⋯.mpr inferInstance else ⋯.mpr ⋯.elim

instance Sumcheck.Spec.instVCVCompatibleChallengePSpec (R : Type) [CommSemiring R] (d n : ℕ) [VCVCompatible R] (i : (pSpec R d n).ChallengeIdx) : VCVCompatible ((pSpec R d n).Challenge i)

Equations

• Sumcheck.Spec.instVCVCompatibleChallengePSpec R d n ⟨i, hDir⟩ = if h : i % 2 = 0 then ⋯.mpr ⋯.elim else ⋯.mpr inferInstance

def Sumcheck.Spec.StmtIn (R : Type) : Type

Equations

• Sumcheck.Spec.StmtIn R = R

@[reducible]

def Sumcheck.Spec.OStmtIn (R : Type) [CommSemiring R] (d n : ℕ) : Unit → Type

Equations

• Sumcheck.Spec.OStmtIn R d n x✝ = ↥(MvPolynomial.restrictDegree (Fin (n + 1)) R d)

def Sumcheck.Spec.WitIn : Type

Equations

• Sumcheck.Spec.WitIn = Unit

def Sumcheck.Spec.StmtOut (R : Type) (n : ℕ) : Type

Equations

• Sumcheck.Spec.StmtOut R n = (R × (Fin (n + 1) → R))

@[reducible]

def Sumcheck.Spec.OStmtOut (R : Type) [CommSemiring R] (d n : ℕ) : Unit → Type

Equations

• Sumcheck.Spec.OStmtOut R d n x✝ = ↥(MvPolynomial.restrictDegree (Fin (n + 1)) R d)

def Sumcheck.Spec.WitOut : Type

Equations

• Sumcheck.Spec.WitOut = Unit

def Sumcheck.Spec.relIn (R : Type) [CommSemiring R] (d : ℕ) {m : ℕ} (D : Fin m ↪ R) (n : ℕ) : StmtIn R × ((i : Unit) → OStmtIn R d n i) → WitIn → Prop

Equations

• Sumcheck.Spec.relIn R d D n (target, polyOracle) x✝ = (∑ x ∈ Finset.map D Finset.univ ^ᶠ (n + 1), (MvPolynomial.eval (x ∘ Fin.cast ⋯)) ↑(polyOracle ()) = target)

def Sumcheck.Spec.relOut (R : Type) [CommSemiring R] (d n : ℕ) : StmtOut R n × ((i : Unit) → OStmtOut R d n i) → WitOut → Prop

Equations

• Sumcheck.Spec.relOut R d n ((target, challenges), polyOracle) x✝ = ((MvPolynomial.eval (challenges ∘ Fin.cast ⋯)) ↑(polyOracle ()) = target)

def Sumcheck.Spec.prover (R : Type) [CommSemiring R] (d n : ℕ) : OracleProver (pSpec R d n) []ₒ (StmtIn R) WitIn (StmtOut R n) WitOut (OStmtIn R n d) (OStmtOut R n d)

Equations

• Sumcheck.Spec.prover R d n = sorry

def Sumcheck.Spec.verifier (R : Type) [CommSemiring R] (d n : ℕ) : OracleVerifier (pSpec R d n) []ₒ (StmtIn R) (StmtOut R n) (OStmtIn R n d) (OStmtOut R n d)

Equations

• Sumcheck.Spec.verifier R d n = sorry

def Sumcheck.Spec.reduction (R : Type) [CommSemiring R] (d n : ℕ) : OracleReduction (pSpec R d n) []ₒ (StmtIn R) WitIn (StmtOut R n) WitOut (OStmtIn R n d) (OStmtOut R n d)

Equations

• Sumcheck.Spec.reduction R d n = { prover := Sumcheck.Spec.prover R d n, verifier := Sumcheck.Spec.verifier R d n }