The Sum-check Protocol

We define the sum-check protocol as a series of Interactive Oracle Reductions (IORs), where the underlying polynomials are represented using Mathlib's noncomputable types Polynomial and MvPolynomial.

Other files will deal with implementations of the protocol, and we will prove that those implementations derive security from that of the abstract protocol.

Protocol Specification

The sum-check protocol is parameterized by the following:

• R: the underlying ring (for soundness, required to be finite and a domain)
• n + 1 : ℕ+: the number of variables (also number of rounds)
• deg : ℕ: the individual degree bound for the polynomial
• D : Fin m ↪ R: the set of m evaluation points for each variable (for some m), represented as an injection Fin m ↪ R. The image of D as a finite subset of R is written as Finset.univ.map D.
• oSpec : OracleSpec ι: the set of underlying oracles (e.g. random oracles) that may be needed for other reductions. However, the sum-check protocol does not use any oracles.

The sum-check relation has no witness. The statement for the i-th round, where i : Fin (n + 2), contains:

• target : R, which is the target value for sum-check
• challenges : Fin i → R, which is the list of challenges sent from the verifier to the prover in previous rounds

There is a single oracle statement, which is:

• poly : MvPolynomial (Fin (n + 2)) R, the multivariate polynomial that is summed over

The sum-check relation for the i-th round checks that:

∑ x ∈ (univ.map D) ^ᶠ (n + 1 - i), poly ⸨challenges, x⸩ = target.

Note that the last statement (when i = n) is the output statement of the sum-check protocol.

For i = 0, ..., n, the i-th round of the sum-check protocol consists of the following:

1. The prover sends a univariate polynomial pᵢ ∈ R⦃≤ deg⦄[X] of degree at most deg. If the prover is honest, then we have:

   pᵢ(X) = ∑ x ∈ (univ.map D) ^ᶠ (n - i), poly ⸨X ⦃i⦄, challenges, x⸩.

Here, poly ⸨X ⦃i⦄, challenges, x⸩ is the polynomial poly evaluated at the concatenation of the prior challenges challenges, the i-th variable as the new indeterminate X, and the rest of the values x ∈ (univ.map D) ^ᶠ (n - i).

In the oracle protocol, this polynomial pᵢ is turned into an oracle for which the verifier can query for evaluations at arbitrary points.

2. The verifier then sends the i-th challenge rᵢ sampled uniformly at random from R.

3. The (oracle) verifier then performs queries for the evaluations of pᵢ at all points in (univ.map D), and checks that: ∑ x in (univ.map D), pᵢ.eval x = target.

   If the check fails, then the verifier outputs failure.

   Otherwise, it outputs a statement for the next round as follows:

   • target is updated to pᵢ.eval rᵢ
   • challenges is updated to the concatenation of the previous challenges and rᵢ

Notes & TODOs

An annoying issue is that we need to index over i : Fin (n + 2), not i : Fin (n + 1). This is because existing Fin functions works better with n + 1 which is clearly positive, and not i : Fin (n + 1) (which would imply n > 0, but this fact is not apparent).

Note that to represent sum-check as a series of IORs, we will need to implicitly constrain the degree of the polynomials via using subtypes, such as Polynomial.degreeLE and MvPolynomial.degreeOf. This is because the oracle verifier only gets oracle access to evaluating the polynomials, but does not see the polynomials in the clear.

When this is compiled to an interactive proof, the corresponding polynomial commitment schemes will enforce that the declared degree bound holds, via letting the (non-oracle) verifier perform explicit degree checks.

There are some generalizations that we could consider later:

• Generalize to degs : Fin (n + 2) → ℕ and domain : Fin (n + 2) → (Fin m ↪ R), e.g. can vary the degree bound and the summation domain for each variable

• Generalize the challenges to come from a suitable subset of R (e.g. subtractive sets), and not necessarily the whole domain. This is used in lattice-based protocols.

• Sumcheck over modules instead of just rings. This will require extending MvPolynomial to have such a notion of evaluation, something like evalModule (x : σ → M) (p : MvPolynomial σ R) : M, where we have [Module R M].

References

[JACM:LFKN92]

[C:BooChiSot21]

theorem Sumcheck.PMF.bind_eq_zero {α β : Type u_1} {p : PMF α} {f : α → PMF β} {b : β} : (p >>= f) b = 0 ↔ ∀ (a : α), p a = 0 ∨ (f a) b = 0

def Sumcheck.Spec.Simpler.InputOracleStatement (R : Type) [CommSemiring R] (d : ℕ) : Unit → Type

Equations

• Sumcheck.Spec.Simpler.InputOracleStatement R d x✝ = ↥(Polynomial.degreeLE R ↑d)

def Sumcheck.Spec.Simpler.OutputOracleStatement (R : Type) [CommSemiring R] (d : ℕ) : Unit ⊕ Unit → Type

Equations

• Sumcheck.Spec.Simpler.OutputOracleStatement R d x✝ = ↥(Polynomial.degreeLE R ↑d)

def Sumcheck.Spec.Simpler.inputRelation (R : Type) [CommSemiring R] (d : ℕ) {m : ℕ} (D : Fin m ↪ R) : R × ((i : Unit) → InputOracleStatement R d i) → Unit → Prop

Equations

• Sumcheck.Spec.Simpler.inputRelation R d D (target, oStmt) x✝ = (∑ x ∈ Finset.map D Finset.univ, Polynomial.eval x ↑(oStmt ()) = target)

def Sumcheck.Spec.Simpler.outputRelation (R : Type) [CommSemiring R] (d : ℕ) : R × ((i : Unit ⊕ Unit) → OutputOracleStatement R d i) → Unit → Prop

Equations

• Sumcheck.Spec.Simpler.outputRelation R d (chal, oStmt) x✝ = (Polynomial.eval chal ↑(oStmt (Sum.inl ())) = Polynomial.eval chal ↑(oStmt (Sum.inr ())))

@[reducible]

def Sumcheck.Spec.Simpler.pSpec (R : Type) [CommSemiring R] (d : ℕ) : ProtocolSpec 2

Equations

• Sumcheck.Spec.Simpler.pSpec R d = ![(Direction.P_to_V, ↥(Polynomial.degreeLE R ↑d)), (Direction.V_to_P, R)]

instance Sumcheck.Spec.Simpler.instIsSingleRoundPSpec (R : Type) [CommSemiring R] (d : ℕ) : (pSpec R d).IsSingleRound

instance Sumcheck.Spec.Simpler.instToOracleMessagePSpec (R : Type) [CommSemiring R] (d : ℕ) : ToOracle ((pSpec R d).Message default)

Equations

• Sumcheck.Spec.Simpler.instToOracleMessagePSpec R d = id instToOraclePolynomialDegreeLE

instance Sumcheck.Spec.Simpler.instVCVCompatibleChallengePSpec (R : Type) [CommSemiring R] (d : ℕ) [VCVCompatible R] : VCVCompatible ((pSpec R d).Challenge default)

Equations

• Sumcheck.Spec.Simpler.instVCVCompatibleChallengePSpec R d = id inferInstance

def Sumcheck.Spec.Simpler.prover (R : Type) [CommSemiring R] (d : ℕ) : OracleProver (pSpec R d) []ₒ R Unit R Unit (InputOracleStatement R d) (OutputOracleStatement R d)

Equations

• One or more equations did not get rendered due to their size.

def Sumcheck.Spec.Simpler.verifier (R : Type) [CommSemiring R] (d : ℕ) {m : ℕ} (D : Fin m ↪ R) [VCVCompatible R] : Verifier (pSpec R d) []ₒ (R × ((i : Unit) → InputOracleStatement R d i)) (R × ((i : Unit ⊕ Unit) → OutputOracleStatement R d i))

Equations

• One or more equations did not get rendered due to their size.

def Sumcheck.Spec.Simpler.reduction (R : Type) [CommSemiring R] (d : ℕ) {m : ℕ} (D : Fin m ↪ R) [VCVCompatible R] : Reduction (pSpec R d) []ₒ (R × ((i : Unit) → InputOracleStatement R d i)) Unit (R × ((i : Unit ⊕ Unit) → OutputOracleStatement R d i)) Unit

Equations

• Sumcheck.Spec.Simpler.reduction R d D = { prover := Sumcheck.Spec.Simpler.prover R d, verifier := Sumcheck.Spec.Simpler.verifier R d D }

instance Sumcheck.Spec.Simpler.instFintypeResponseChallengePSpec (R : Type) [CommSemiring R] (d : ℕ) (i : (pSpec R d).ChallengeIndex) : Fintype (ToOracle.Response ((pSpec R d).Challenge i))

Equations

• Sumcheck.Spec.Simpler.instFintypeResponseChallengePSpec R d = sorry

instance Sumcheck.Spec.Simpler.instInhabitedResponseChallengePSpec (R : Type) [CommSemiring R] (d : ℕ) (i : (pSpec R d).ChallengeIndex) : Inhabited (ToOracle.Response ((pSpec R d).Challenge i))

Equations

• Sumcheck.Spec.Simpler.instInhabitedResponseChallengePSpec R d = sorry

instance Sumcheck.Spec.Simpler.instFiniteRangeChallengeIndexPSpecToOracleSpecChallenge (R : Type) [CommSemiring R] (d : ℕ) : [(pSpec R d).Challenge]ₒ.FiniteRange

Equations

• Sumcheck.Spec.Simpler.instFiniteRangeChallengeIndexPSpecToOracleSpecChallenge R d = ToOracle.instFiniteRangeToOracleSpecOfFintypeOfInhabitedResponse (Sumcheck.Spec.Simpler.pSpec R d).Challenge

instance Sumcheck.Spec.Simpler.instNonemptyQueryLogPEmptyEmptySpec_arkLib : Nonempty []ₒ.QueryLog

instance Sumcheck.Spec.Simpler.instNonemptyFullTranscriptPSpec (R : Type) [CommSemiring R] (d : ℕ) [VCVCompatible R] : Nonempty (pSpec R d).FullTranscript

@[simp]

theorem Sumcheck.Spec.Simpler.probFailure_bind_eq_zero_iff {ι : Type u} {spec : OracleSpec ι} {α β : Type u} [spec.FiniteRange] (oa : OracleComp spec α) (ob : α → OracleComp spec β) : [⊥|oa >>= ob] = 0 ↔ [⊥|oa] = 0 ∧ ∀ x ∈ oa.support, [⊥|ob x] = 0

@[simp]

theorem Sumcheck.Spec.Simpler.loggingOracle.probFailure_simulateQ {ι : Type u} {spec : OracleSpec ι} {α : Type u} [spec.FiniteRange] (oa : OracleComp spec α) : [⊥|(OracleComp.simulateQ loggingOracle oa).run] = [⊥|oa]

@[simp]

theorem Sumcheck.Spec.Simpler.WriterT.run_map {α β ω : Type u} {m : Type u → Type v} [Monad m] [Monoid ω] (x : WriterT ω m α) (f : α → β) : (f <$> x).run = Prod.map f id <$> x.run

@[simp]

theorem Sumcheck.Spec.Simpler.probFailure_liftComp {ι : Type u} {spec : OracleSpec ι} {α : Type u} {ι' : Type w} {superSpec : OracleSpec ι'} [spec.FiniteRange] [superSpec.FiniteRange] [h : MonadLift spec.OracleQuery superSpec.OracleQuery] (oa : OracleComp spec α) : [⊥|oa.liftComp superSpec] = [⊥|oa]

@[simp]

theorem Sumcheck.Spec.Simpler.liftComp_support {ι : Type u} {spec : OracleSpec ι} {α : Type u} {ι' : Type w} {superSpec : OracleSpec ι'} [h : MonadLift spec.OracleQuery superSpec.OracleQuery] (oa : OracleComp spec α) : (oa.liftComp superSpec).support = oa.support

theorem Sumcheck.Spec.Simpler.neverFails_map_iff' {ι : Type u} {spec : OracleSpec ι} {α β : Type u} (oa : OracleComp spec α) (f : α → β) : (f <$> oa).neverFails ↔ oa.neverFails

theorem Sumcheck.Spec.Simpler.perfect_completeness (R : Type) [CommSemiring R] (d : ℕ) {m : ℕ} (D : Fin m ↪ R) [VCVCompatible R] : Reduction.perfectCompleteness (inputRelation R d D) (outputRelation R d) (reduction R d D)

structure Sumcheck.Spec.Statement (R : Type) (n : ℕ) (i : Fin (n + 2)) : Type

Statement for sum-check, parameterized by the ring R, the number of variables n, and the round index i : Fin (n + 2)

Note that when i = Fin.last (n + 1), this is the output statement of the sum-check protocol

• target : R
• challenges : Fin ↑i → R

@[reducible]

def Sumcheck.Spec.OracleStatement (R : Type) [CommSemiring R] (n deg : ℕ) : Fin 1 → Type

Equations

• Sumcheck.Spec.OracleStatement R n deg x✝ = ↥(MvPolynomial.restrictDegree (Fin (n + 1)) R deg)

def Sumcheck.Spec.relation (R : Type) [CommSemiring R] (n deg : ℕ) {m : ℕ} (D : Fin m ↪ R) (i : Fin (n + 2)) : Statement R n i × ((i : Fin 1) → OracleStatement R n deg i) → Unit → Prop

The sum-check relation for the i-th round, for i ≤ n

Equations

• One or more equations did not get rendered due to their size.

@[reducible]

def Sumcheck.Spec.pSpec (R : Type) [CommSemiring R] (deg : ℕ) : ProtocolSpec 2

Protocol specification for the i-th round of the sum-check protocol

Consists of a message from prover to verifier of degree at most deg, and a message from verifier to prover of a field element in R.

Equations

• Sumcheck.Spec.pSpec R deg = ![(Direction.P_to_V, ↥(Polynomial.degreeLE R ↑deg)), (Direction.V_to_P, R)]

instance Sumcheck.Spec.instIsSingleRoundPSpec (R : Type) [CommSemiring R] (deg : ℕ) : (pSpec R deg).IsSingleRound

instance Sumcheck.Spec.instToOracleMessagePSpec (R : Type) [CommSemiring R] (deg : ℕ) : ToOracle ((pSpec R deg).Message default)

Recognize that the (only) message from the prover to the verifier has type R⦃≤ deg⦄[X], and hence can be turned into an oracle for evaluating the polynomial

Equations

• Sumcheck.Spec.instToOracleMessagePSpec R deg = id instToOraclePolynomialDegreeLE

instance Sumcheck.Spec.instVCVCompatibleChallengePSpec (R : Type) [CommSemiring R] (deg : ℕ) [VCVCompatible R] : VCVCompatible ((pSpec R deg).Challenge default)

Recognize that the challenge from the verifier to the prover has type R, and hence can be sampled uniformly at random

Equations

• Sumcheck.Spec.instVCVCompatibleChallengePSpec R deg = id inferInstance

@[reducible]

def Sumcheck.Spec.proverState (R : Type) [CommSemiring R] (n deg : ℕ) (i : Fin (n + 1)) : ProverState 2

Equations

• One or more equations did not get rendered due to their size.

def Sumcheck.Spec.proverIn (R : Type) [CommSemiring R] (n deg : ℕ) (i : Fin (n + 1)) : ProverIn (Statement R n i.castSucc × ((i : Fin 1) → OracleStatement R n deg i)) Unit ((proverState R n deg i).PrvState 0)

Prover input for the i-th round of the sum-check protocol, where i < n

Equations

• Sumcheck.Spec.proverIn R n deg i = { input := fun (x : Sumcheck.Spec.Statement R n i.castSucc × ((i : Fin 1) → Sumcheck.Spec.OracleStatement R n deg i)) (x_1 : Unit) => x }

theorem Sumcheck.Spec.sumcheck_roundPoly_degreeLE (R : Type) [CommSemiring R] (n deg : ℕ) {m : ℕ} (D : Fin m ↪ R) (i : Fin (n + 1)) {challenges : Fin ↑i.castSucc → R} {poly : MvPolynomial (Fin (n + 1)) R} (hp : poly ∈ MvPolynomial.restrictDegree (Fin (n + 1)) R deg) : ∑ x ∈ Finset.map D Finset.univ ^ᶠ (n - ↑i), Polynomial.map (MvPolynomial.eval (Fin.append challenges x ∘ Fin.cast ⋯)) ((MvPolynomial.finSuccEquivNth R i) poly) ∈ Polynomial.degreeLE R ↑deg

Auxiliary lemma for proving that the polynomial sent by the honest prover is of degree at most deg

def Sumcheck.Spec.proverRound (R : Type) [CommSemiring R] (n deg : ℕ) {m : ℕ} (D : Fin m ↪ R) {ι : Type} (oSpec : OracleSpec ι) (i : Fin (n + 1)) : ProverRound (pSpec R deg) oSpec

Prover interaction for the i-th round of the sum-check protocol, where i < n.

Equations

• One or more equations did not get rendered due to their size.

def Sumcheck.Spec.proverOut (R : Type) [CommSemiring R] (n deg : ℕ) (i : Fin (n + 1)) : ProverOut (Statement R n i.succ × ((i : Fin 1) → OracleStatement R n deg i)) Unit ((proverState R n deg i).PrvState (Fin.last 2))

Since there is no witness, the prover's output for each round i < n of the sum-check protocol is trivial

Equations

• Sumcheck.Spec.proverOut R n deg i = { output := fun (x : (Sumcheck.Spec.proverState R n deg i).PrvState (Fin.last 2)) => (x, ()) }

def Sumcheck.Spec.prover (R : Type) [CommSemiring R] (n deg : ℕ) {m : ℕ} (D : Fin m ↪ R) {ι : Type} (oSpec : OracleSpec ι) (i : Fin (n + 1)) : OracleProver (pSpec R deg) oSpec (Statement R n i.castSucc) Unit (Statement R n i.succ) Unit (OracleStatement R n deg) (OracleStatement R n deg)

The overall prover for the i-th round of the sum-check protocol, where i < n. This is only well-defined for n > 0, since when n = 0 there is no protocol.

Equations

• One or more equations did not get rendered due to their size.

def Sumcheck.Spec.verifier (R : Type) [CommSemiring R] (n deg : ℕ) {m : ℕ} (D : Fin m ↪ R) {ι : Type} (oSpec : OracleSpec ι) [VCVCompatible R] (i : Fin (n + 1)) : Verifier (pSpec R deg) oSpec (Statement R n i.castSucc × ((i : Fin 1) → OracleStatement R n deg i)) (Statement R n i.succ × ((i : Fin 1) → OracleStatement R n deg i))

The (non-oracle) verifier of the sum-check protocol for the i-th round, where i < n + 1

Equations

• One or more equations did not get rendered due to their size.

def Sumcheck.Spec.oracleVerifier (R : Type) [CommSemiring R] (n deg : ℕ) {m : ℕ} (D : Fin m ↪ R) {ι : Type} (oSpec : OracleSpec ι) [VCVCompatible R] (i : Fin (n + 1)) : OracleVerifier (pSpec R deg) oSpec (Statement R n i.castSucc) (Statement R n i.succ) (OracleStatement R n deg) (OracleStatement R n deg)

The oracle verifier for the i-th round, where i < n + 1

Equations

• One or more equations did not get rendered due to their size.

def Sumcheck.Spec.reduction (R : Type) [CommSemiring R] (n deg : ℕ) {m : ℕ} (D : Fin m ↪ R) {ι : Type} (oSpec : OracleSpec ι) [VCVCompatible R] (i : Fin (n + 1)) : Reduction (pSpec R deg) oSpec (Statement R n i.castSucc × ((i : Fin 1) → OracleStatement R n deg i)) Unit (Statement R n i.succ × ((i : Fin 1) → OracleStatement R n deg i)) Unit

The sum-check reduction for the i-th round, where i < n and n > 0

Equations

• Sumcheck.Spec.reduction R n deg D oSpec i = { prover := Sumcheck.Spec.prover R n deg D oSpec i, verifier := Sumcheck.Spec.verifier R n deg D oSpec i }

def Sumcheck.Spec.oracleReduction (R : Type) [CommSemiring R] (n deg : ℕ) {m : ℕ} (D : Fin m ↪ R) {ι : Type} (oSpec : OracleSpec ι) [VCVCompatible R] (i : Fin (n + 1)) : OracleReduction (pSpec R deg) oSpec (Statement R n i.castSucc) Unit (Statement R n i.succ) Unit (OracleStatement R n deg) (OracleStatement R n deg)

The sum-check oracle reduction for the i-th round, where i < n and n > 0

Equations

• Sumcheck.Spec.oracleReduction R n deg D oSpec i = { prover := Sumcheck.Spec.prover R n deg D oSpec i, verifier := Sumcheck.Spec.oracleVerifier R n deg D oSpec i }

theorem Sumcheck.Spec.oracleVerifier_eq_verifier {R : Type} [CommSemiring R] [VCVCompatible R] {n deg m : ℕ} {D : Fin m ↪ R} {ι : Type} {oSpec : OracleSpec ι} {i : Fin (n + 1)} : (oracleVerifier R n deg D oSpec i).toVerifier = verifier R n deg D oSpec i

The oracle verifier does the same thing as the non-oracle verifier

theorem Sumcheck.Spec.perfect_completeness {R : Type} [CommSemiring R] [VCVCompatible R] {n deg m : ℕ} {D : Fin m ↪ R} {ι : Type} {oSpec : OracleSpec ι} {i : Fin (n + 1)} [DecidableEq ι] [oSpec.FiniteRange] : OracleReduction.perfectCompleteness (relation R n deg D i.castSucc) (relation R n deg D i.succ) (oracleReduction R n deg D oSpec i)

Completeness theorem for sumcheck

def Sumcheck.Spec.stateFunction {R : Type} [CommSemiring R] [VCVCompatible R] {n deg m : ℕ} {D : Fin m ↪ R} {ι : Type} {oSpec : OracleSpec ι} [oSpec.FiniteRange] (i : Fin (n + 1)) : Reduction.StateFunction (Function.language (relation R n deg D i.castSucc)) (Function.language (relation R n deg D i.succ)) (verifier R n deg D oSpec i)

State function for round-by-round soundness

Equations

• One or more equations did not get rendered due to their size.

def Sumcheck.Spec.rbrExtractor {R : Type} [CommSemiring R] {n deg : ℕ} {ι : Type} {oSpec : OracleSpec ι} (i : Fin (n + 1)) : Reduction.RBRExtractor ↑↑i

Trivial extractor since witness is Unit

Equations

• Sumcheck.Spec.rbrExtractor i x✝² x✝¹ x✝ = ()

We give the type signature & security guarantees for the whole sum-check protocol (so that we could use it for other oracle reductions, e.g. Spartan, without needing to prove security of sum-check first)

def Sumcheck.Spec.Combined.pSpec (R : Type) [CommSemiring R] (n deg : ℕ) : ProtocolSpec ((n + 1) * 2)

Equations

• Sumcheck.Spec.Combined.pSpec R n deg i = if i % 2 = 0 then (Direction.P_to_V, ↥(Polynomial.degreeLE R ↑deg)) else (Direction.V_to_P, R)

instance Sumcheck.Spec.Combined.instToOracleMessagePSpec (R : Type) [CommSemiring R] (n deg : ℕ) (i : (pSpec R deg n).MessageIndex) : ToOracle ((pSpec R deg n).Message i)

Equations

• Sumcheck.Spec.Combined.instToOracleMessagePSpec R n deg ⟨i, hDir⟩ = if h : i % 2 = 0 then ⋯.mpr inferInstance else ⋯.mpr ⋯.elim

instance Sumcheck.Spec.Combined.instVCVCompatibleChallengePSpec (R : Type) [CommSemiring R] (n deg : ℕ) [VCVCompatible R] (i : (pSpec R deg n).ChallengeIndex) : VCVCompatible ((pSpec R deg n).Challenge i)

Equations

• Sumcheck.Spec.Combined.instVCVCompatibleChallengePSpec R n deg ⟨i, hDir⟩ = if h : i % 2 = 0 then ⋯.mpr ⋯.elim else ⋯.mpr inferInstance

def Sumcheck.Spec.Combined.StmtIn (R : Type) : Type

Equations

• Sumcheck.Spec.Combined.StmtIn R = R

@[reducible]

def Sumcheck.Spec.Combined.OStmtIn (R : Type) [CommSemiring R] (n deg : ℕ) : Unit → Type

Equations

• Sumcheck.Spec.Combined.OStmtIn R n deg x✝ = ↥(MvPolynomial.restrictDegree (Fin (n + 1)) R deg)

def Sumcheck.Spec.Combined.WitIn : Type

Equations

• Sumcheck.Spec.Combined.WitIn = Unit

def Sumcheck.Spec.Combined.StmtOut (R : Type) (n : ℕ) : Type

Equations

• Sumcheck.Spec.Combined.StmtOut R n = (R × (Fin (n + 1) → R))

@[reducible]

def Sumcheck.Spec.Combined.OStmtOut (R : Type) [CommSemiring R] (n deg : ℕ) : Unit → Type

Equations

• Sumcheck.Spec.Combined.OStmtOut R n deg x✝ = ↥(MvPolynomial.restrictDegree (Fin (n + 1)) R deg)

def Sumcheck.Spec.Combined.WitOut : Type

Equations

• Sumcheck.Spec.Combined.WitOut = Unit

def Sumcheck.Spec.Combined.relIn (R : Type) [CommSemiring R] (n deg : ℕ) {m : ℕ} (D : Fin m ↪ R) : StmtIn R × ((i : Unit) → OStmtIn R n deg i) → WitIn → Prop

Equations

• Sumcheck.Spec.Combined.relIn R n deg D (target, polyOracle) x✝ = (∑ x ∈ Finset.map D Finset.univ ^ᶠ (n + 1), (MvPolynomial.eval (x ∘ Fin.cast ⋯)) ↑(polyOracle ()) = target)

def Sumcheck.Spec.Combined.relOut (R : Type) [CommSemiring R] (n deg : ℕ) : StmtOut R n × ((i : Unit) → OStmtOut R n deg i) → WitOut → Prop

Equations

• Sumcheck.Spec.Combined.relOut R n deg ((target, challenges), polyOracle) x✝ = ((MvPolynomial.eval (challenges ∘ Fin.cast ⋯)) ↑(polyOracle ()) = target)

def Sumcheck.Spec.Combined.prover (R : Type) [CommSemiring R] (n deg : ℕ) : OracleProver (pSpec R deg n) []ₒ (StmtIn R) WitIn (StmtOut R n) WitOut (OStmtIn R n deg) (OStmtOut R n deg)

Equations

• Sumcheck.Spec.Combined.prover R n deg = sorry

def Sumcheck.Spec.Combined.verifier (R : Type) [CommSemiring R] (n deg : ℕ) : OracleVerifier (pSpec R deg n) []ₒ (StmtIn R) (StmtOut R n) (OStmtIn R n deg) (OStmtOut R n deg)

Equations

• Sumcheck.Spec.Combined.verifier R n deg = sorry

def Sumcheck.Spec.Combined.reduction (R : Type) [CommSemiring R] (n deg : ℕ) : OracleReduction (pSpec R deg n) []ₒ (StmtIn R) WitIn (StmtOut R n) WitOut (OStmtIn R n deg) (OStmtOut R n deg)

Equations

• Sumcheck.Spec.Combined.reduction R n deg = { prover := Sumcheck.Spec.Combined.prover R n deg, verifier := Sumcheck.Spec.Combined.verifier R n deg }

theorem Sumcheck.Spec.Combined.reduction_complete (R : Type) [CommSemiring R] (n deg : ℕ) {m : ℕ} (D : Fin m ↪ R) [VCVCompatible R] : OracleReduction.perfectCompleteness (relIn R n deg D) (relOut R n deg) (reduction R n deg)

Perfect completeness for the (full) sum-check protocol