Sumcheck Arguments and
their Applications
Jonathan Bootle (IBM Research – Zurich)
Alessandro Chiesa (UC Berkeley)
Katerina Sotiraki (UC Berkeley)
https://ia.cr/2021/333
Succinct arguments
Setting: a prover P and a verifier V share a common input (in the picture, the value 10); P additionally holds a witness ($x_1 = 4$, $x_2 = 1$, …) and the two exchange a sequence of messages.
Completeness: if the witness is valid, the verifier accepts.
Soundness: if the witness is invalid, the verifier rejects.
Knowledge soundness: (later)
Succinctness: the messages are much smaller than the witness.
The sumcheck protocol [LFKN92]
Given a polynomial $p(X_1, \dots, X_\ell)$ over a field $\mathbb{F}$, a subset $H \subseteq \mathbb{F}$ and a value $u \in \mathbb{F}$, the prover P convinces the verifier V that
$$\sum_{\omega \in H^\ell} p(\omega_1, \dots, \omega_\ell) = u .$$
Round $i = 1, \dots, \ell$: P computes and sends the univariate polynomial $q_i \in \mathbb{F}[X_i]$,
$$q_i(X_i) = \sum_{\omega \in H^{\ell - i}} p(r_1, \dots, r_{i-1}, X_i, \omega_{i+1}, \dots, \omega_\ell),$$
and V replies with a random challenge $r_i \leftarrow \mathbb{F}$.
V checks that $\sum_{\omega_1 \in H} q_1(\omega_1) = u$ and, for $i = 2, \dots, \ell$, that $\sum_{\omega_i \in H} q_i(\omega_i) = q_{i-1}(r_{i-1})$. At the end V evaluates $p$ itself to check that $p(r_1, \dots, r_\ell) = q_\ell(r_\ell)$. (V also rejects any $q_i$ whose degree exceeds the degree of $p$ in $X_i$; the soundness bound below relies on this degree check.)
Soundness: if $\sum_{\omega \in H^\ell} p(\omega_1, \dots, \omega_\ell) \neq u$ then V accepts with probability at most $\ell \cdot \deg(p) / |\mathbb{F}|$.
Communication: $\ell \cdot \deg(p)$ elements of $\mathbb{F}$.
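The protocol above, as an added worked example (not code from the slides or the paper): a prover and verifier for the sumcheck protocol over a prime field, with the per-round sum checks, the degree check and the final evaluation of $p$, plus a cheating prover that makes a false claim and is caught. The field modulus, the sample polynomial $p(X_1, X_2, X_3) = 3X_1^2X_2 + 5X_2X_3 + 7X_1X_3^2 + 11$, $H = \{0, 1\}$ and the seeded challenges are assumptions chosen for the demo.

```python
"""Sumcheck protocol over a prime field: prover, verifier and a cheating prover.

Polynomials are dicts {exponent tuple: coefficient} over F_P; the prover
computes each round polynomial q_i by brute force; the verifier performs the
degree check, the per-round sum checks and the final evaluation of p.
"""
import random
from itertools import product

P = 2**61 - 1  # field modulus (demo assumption); soundness error is ell*deg(p)/P


def evaluate(poly, point):
    """Evaluate p at a point of F_P^ell."""
    total = 0
    for exps, coeff in poly.items():
        term = coeff
        for x, e in zip(point, exps):
            term = term * pow(x, e, P) % P
        total = (total + term) % P
    return total


def brute_force_sum(poly, H, ell):
    """The claimed value u, computed the slow way (|H|^ell evaluations)."""
    return sum(evaluate(poly, w) for w in product(H, repeat=ell)) % P


def individual_degree(poly, i):
    return max(exps[i] for exps in poly)


def round_polynomial(poly, prefix, H):
    """q_i(X_i) = sum over omega in H^{ell-i} of p(r_1..r_{i-1}, X_i, omega),
    for i = len(prefix)+1; returned as coefficients [c_0, c_1, ...]."""
    i = len(prefix)
    coeffs = [0] * (individual_degree(poly, i) + 1)
    for exps, coeff in poly.items():
        fixed = coeff                       # coeff * prod_{k<i} r_k^{e_k}
        for r, e in zip(prefix, exps[:i]):
            fixed = fixed * pow(r, e, P) % P
        tail = 1                            # the sum over omega factorises per variable
        for e in exps[i + 1:]:
            tail = tail * (sum(pow(w, e, P) for w in H) % P) % P
        coeffs[exps[i]] = (coeffs[exps[i]] + fixed * tail) % P
    return coeffs


def eval_univariate(coeffs, x):
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P


def honest_prover(poly, H):
    return lambda prefix: round_polynomial(poly, prefix, H)


def shifting_cheater(poly, H, claimed, true_sum):
    """Claims `claimed` != true_sum: shifts q_1 by a constant so that the first
    check passes, then answers honestly.  Round 2 (or the final check when
    ell == 1) catches this for every choice of challenges."""
    delta = (claimed - true_sum) * pow(len(H), P - 2, P) % P
    def prover(prefix):
        q = round_polynomial(poly, prefix, H)
        if not prefix:
            q[0] = (q[0] + delta) % P
        return q
    return prover


def verify(poly, H, ell, u, challenges, prover):
    """Verifier: `prover(prefix)` returns the claimed q_i for round len(prefix)+1.
    Returns True iff every check of the protocol passes."""
    expected, prefix = u % P, []
    for i in range(ell):
        q = prover(list(prefix))
        if len(q) - 1 > individual_degree(poly, i):          # degree bound
            return False
        if sum(eval_univariate(q, w) for w in H) % P != expected:
            return False
        r = challenges[i]
        expected = eval_univariate(q, r)                     # q_i(r_i) for the next round
        prefix.append(r)
    return evaluate(poly, prefix) == expected                # one evaluation of p


# Constructed sample: p = 3 X1^2 X2 + 5 X2 X3 + 7 X1 X3^2 + 11 over H = {0,1}, ell = 3.
POLY = {(2, 1, 0): 3, (0, 1, 1): 5, (1, 0, 2): 7, (0, 0, 0): 11}
H, ELL = [0, 1], 3
_rng = random.Random(2021)                                   # stand-in for V's coins
CHALLENGES = [_rng.randrange(P) for _ in range(ELL)]

if __name__ == "__main__":
    u = brute_force_sum(POLY, H, ELL)                        # 118
    print("honest, true claim:", verify(POLY, H, ELL, u, CHALLENGES, honest_prover(POLY, H)))
    print("cheater, false claim:", verify(POLY, H, ELL, u + 1, CHALLENGES,
                                          shifting_cheater(POLY, H, u + 1, u)))
```

The verifier touches $p$ exactly once, at the random point $(r_1, \dots, r_\ell)$; everything else is $\ell$ checks on univariate polynomials of degree at most $\deg(p)$, which is where the $\ell \cdot \deg(p)$ communication and the $\ell \cdot \deg(p) / |\mathbb{F}|$ error come from. The shifting cheater passes round 1 by construction, but the honest $q_2$ then sums to $q_1(r_1)$ rather than to the shifted value, so it is rejected regardless of the challenge; a cheater that wants to survive round 2 must instead send a $q_1' \neq q_1$ with $q_1'(r_1) = q_1(r_1)$, which happens only when $r_1$ is a root of $q_1' - q_1$.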
The sumcheck protocol is everywhere!
Probabilistic proofs: [BFL91], [BFLS91], [GKR08]
Sumcheck-based succinct arguments: [Thaler13], [CMT13], [VSBW13], [W+17], [ZGKPP17], [WTSTW18], [XZZPS19], [Set20]
Univariate-sumcheck-based arguments: [BCRSVS19], [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20]
Sumchecks for tensor codes: [Meir13], [RR20], [BCG20], [BCL20]
Useful properties:
• Linear-time prover [Thaler13, ZXZS20]
• Small space [CMT13] (can be implemented with streaming access)
• Strong soundness properties [CCHLRR18] (can make non-interactive without random oracles)
https://zkproof.org/2020/03/16/sum-checkprotocol/
Split-and-fold techniques: a separate body of work?
Split-and-fold [BCCGP16]
Discrete-log arguments: [BBBPWM18], [PLS19], [HKR19], [BHRRS20]
Pairing-group arguments: [LMR19], [ZGKPP17], [XZZPS19]
Unknown-order-group arguments: [BFS20], [BHRRS21]
Lattice arguments: [BLNS20], [ACK21], [LA20]
Some unifying abstractions: [BMMTV19], [AC20], [BDFG21]
Useful properties:
• Linear-time prover
• Streaming prover [BHRRS20], [BHRRS21] (can be implemented in small space)
https://www.coindesk.com/aim-fire-bulletproofs-breakthrough-privacy-blockchains
[BBBPWM18] (Bulletproofs) has been implemented in Rust, Haskell and JavaScript, and deployed by Blockstream, and in Monero, Mimblewimble and more…
Results
From two bodies of work… to a unified perspective
Sumchecks and commitment schemes: [VSBW13], [Wah+17], [ZGKPP17], [WTSTW18], [XZZPS19], [BCRSVS19], [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20], [Set20]
Folding techniques: [BCCGP16], [BBBPWM18], [LMR19], [BMMTV19], [PLS19], [HKR19], [BHRRS20], [ACR20], [ACF20], [BFS20], [BLNS20], [AC20], [BDFG21], [BHRRS21], [LA21], [ACK21]
Sumcheck arguments (this work): a unified perspective in which both bodies of work are applications of the sumcheck protocol.
General goal: succinct arguments for commitment openings
Common input of P and V: a commitment $C$ and a commitment key $ck$.
Claim: $\exists\, m$ such that $C = \mathrm{Com}(ck, m)$.
Succinctness goal: communication $\ll |m|$.
Focus: commitments with special structure.
A new notion: sumcheck-friendly commitments
Definition: A commitment scheme CM is sumcheck-friendly if
$$\mathrm{Com}(ck, m) = \sum_{\omega_1, \dots, \omega_\ell \in H} f\big(p_m(\omega_1, \dots, \omega_\ell),\; p_{ck}(\omega_1, \dots, \omega_\ell)\big),$$
where
• $p_m$ is the message polynomial, in $\mathbb{M}[X_1, \dots, X_\ell]$ with $\mathbb{M}$ an $R$-module;
• $p_{ck}$ is the key polynomial, in $\mathbb{K}[X_1, \dots, X_\ell]$ with $\mathbb{K}$ an $R$-module;
• the evaluation points range over $H \subseteq R$, $R$ a ring;
• $f : \mathbb{M} \times \mathbb{K} \to \mathbb{C}$ is the combiner function, and the commitment space $\mathbb{C}$ is an $R$-module.
Example: Pedersen commitments $C = a_1 \cdot g_1 + \dots + a_n \cdot g_n$ with $n = 2^\ell$. Here $R = \mathbb{F}_p$, $H = \{-1, 1\}$, $\mathbb{M} = \mathbb{F}_p$, $\mathbb{K} = \mathbb{C} = \mathbb{G}$, $f(a, g) = a \cdot g$, and the message and key polynomials are indexed by the bits $(i_1, \dots, i_\ell) \in \{0,1\}^\ell$ of the vector index:
$$p_m(X_1, \dots, X_\ell) = \sum_{i_1, \dots, i_\ell} a_{i_1, \dots, i_\ell} X_1^{i_1} \cdots X_\ell^{i_\ell}, \qquad p_{ck}(X_1, \dots, X_\ell) = \sum_{i_1, \dots, i_\ell} g_{i_1, \dots, i_\ell} X_1^{i_1} \cdots X_\ell^{i_\ell}.$$
(With $H = \{-1, 1\}$ the sum over $H^\ell$ equals $n \cdot C$ rather than $C$; the factor $n$ is carried through the Pedersen argument below.)
Main result: sumcheck arguments
Theorem 1: Let CM be a commitment scheme which is sumcheck-friendly and invertible. Given a commitment key $ck$ and a commitment $C$, the sumcheck protocol applied to
$$p(X_1, \dots, X_\ell) = f\big(p_m(X_1, \dots, X_\ell),\; p_{ck}(X_1, \dots, X_\ell)\big) \in \mathbb{C}[X_1, \dots, X_\ell]$$
(with one extra verifier check) is a succinct argument of knowledge for the claim $\exists\, m$ such that $C = \mathrm{Com}(ck, m)$, with
• completeness,
• soundness,
• communication $\ell \cdot \deg(p)$ (think $O(\log |m|)$).
Note that the sumcheck protocol here works over rings and modules, not only over fields.
Application: succinct arguments for NP
Step 1: reduce NP statements to scalar products.
Step 2: use an efficient subroutine for scalar products. Sumcheck arguments (this work) provide scalar-product arguments for bilinear modules, unifying the two bodies of work listed earlier (sumchecks and commitment schemes; folding techniques).
Application to R1CS over rings
R1CS problem over a ring $R$: given matrices $A, B, C \in R^{n \times n}$, does there exist $z \in R^n$ satisfying $Az \circ Bz = Cz$?
Bilinear module: a triple of modules $(M_L, M_R, M_T)$ over the same ring with a bilinear map $e : M_L \times M_R \to M_T$. This has enough structure for Pedersen and Schnorr.
Theorem 2: Let $(M_L, M_R, M_T, e)$ be a "secure" bilinear module where $M_L$ is a ring, and let $I \subseteq M_L$ be a suitable ideal. There is a ZK succinct argument of knowledge for R1CS with
R1CS ring | Prover time | Verifier time | Proof size
$M_L / I$ | $O(n)$ ops in $M_L, M_R, M_T$ | $O(n)$ ops in $M_L, M_R, M_T$ | $O(\log n)$ elements of $M_T$
Lattice-based succinct arguments for R1CS
Corollary: Let $d$ be a power of 2, $p \ll q$ primes, $R_p := \mathbb{Z}_p[X]/\langle X^d + 1 \rangle$ and similarly for $R_q$. Then, assuming SIS is hard over $R_q$, there is a zero-knowledge succinct argument of knowledge for R1CS with
R1CS ring | Prover time | Verifier time | Proof size
$R_p$ | $O(n)$ ops in $R_p, R_q$ | $O(n)$ ops in $R_p, R_q$ | $O(\log n)$ elements of $R_q$
Concurrent work:
• [LA21] gives impossibility results and improvements for lattice POKs
• [ACK21] gives lattice-based succinct arguments for NP
Open questions
• Analyse the post-quantum security of sumcheck arguments
• Investigate new lattice instantiations [LA21] and concrete performance improvements
• Give instantiations of [BFS20, Lee21, BHHRS21] in our framework (or a generalization)
Techniques
Sumcheck arguments for commitment schemes (roadmap)
Groups: Pedersen commitments → scalar-product commitments → sumcheck-friendly commitments
Rings and modules: generalised sumcheck-friendly commitments
Today: these four steps. Many more details and results in the paper!
Sumcheck argument for Pedersen
Common input: commitment $C \in \mathbb{G}$ and key $\vec{G} \in \mathbb{G}^n$, with $n = 2^{\log n}$. Claim: $\exists\, \vec{a} \in \mathbb{F}^n$ s.t. $C = \langle \vec{a}, \vec{G} \rangle$. The prover's opening is $\vec{a} \in \mathbb{F}^n$.
Recall $p_{\vec{r}}(\vec{X}) = \sum_{i=1}^{n} r_i X_1^{i_1} \cdots X_{\log n}^{i_{\log n}}$, where $(i_1, \dots, i_{\log n}) \in \{0,1\}^{\log n}$ are the bits of the index $i$.
Protocol: run the sumcheck protocol for the claim
$$\sum_{\vec{\omega} \in \{-1,1\}^{\log n}} p_{\vec{a}}(\vec{\omega})\, p_{\vec{G}}(\vec{\omega}) = n \cdot C .$$
P sends $q_1, \dots, q_{\log n}$, one per round; V answers each with a challenge $r_i \leftarrow \mathbb{F}$, so that $\vec{r} \leftarrow \mathbb{F}^{\log n}$ overall; at the end P sends $p_{\vec{a}}(\vec{r})$.
V checks:
• $q_1(1) + q_1(-1) = nC$?
• $q_i(1) + q_i(-1) = q_{i-1}(r_{i-1})$? for $i = 2, \dots, \log n$
• consistency check: $p_{\vec{a}}(\vec{r}) \cdot p_{\vec{G}}(\vec{r}) = q_{\log n}(r_{\log n})$?
Communication: $3 \log n$ elements of $\mathbb{G}$ + $(\log n + 1)$ elements of $\mathbb{F}$.
Verifier computation: $O(n)$ operations in $\mathbb{G}$ (to compute $p_{\vec{G}}(\vec{r})$).
The "split-and-fold technique" of [BCCGP16] is equivalent! (See App. A in the paper.)
Completeness (part 1)
Lemma: If $\langle \vec{a}, \vec{G} \rangle = C$, then the verifier accepts with probability 1.
The sumcheck protocol checks that the sum equals $nC$, and by the hypothesis $nC = n\langle \vec{a}, \vec{G} \rangle$. So, by completeness of the sumcheck protocol, it suffices to show the following claim.
Claim: $\sum_{\vec{\omega} \in \{-1,1\}^{\log n}} p_{\vec{a}}(\vec{\omega})\, p_{\vec{G}}(\vec{\omega}) = n \langle \vec{a}, \vec{G} \rangle$.
Completeness (part 2)
Claim: $\sum_{\vec{\omega} \in \{-1,1\}^{\log n}} p_{\vec{a}}(\vec{\omega})\, p_{\vec{G}}(\vec{\omega}) = n \langle \vec{a}, \vec{G} \rangle$ (recall $p_{\vec{r}}(\vec{X}) = \sum_{i=1}^{n} r_i X_1^{i_1} \cdots X_{\log n}^{i_{\log n}}$ with $i_1, \dots, i_{\log n} \in \{0,1\}$).
Summing over $\vec{\omega} \in \{-1,1\}^{\log n}$ cancels every monomial of $p_{\vec{a}}(\vec{X})\, p_{\vec{G}}(\vec{X})$ that has odd degree in some variable, e.g. $X_1 X_2^2 X_3^2$: the two choices $\omega_1 = \pm 1$ contribute with opposite signs. Hence $\sum_{\vec{\omega}} p_{\vec{a}}(\vec{\omega})\, p_{\vec{G}}(\vec{\omega})$ receives contributions only from monomials of the form $X_1^{2 i_1} \cdots X_{\log n}^{2 i_{\log n}}$, and each such monomial evaluates to 1 at every $\vec{\omega}$, so it contributes $2^{\log n} = n$ times its coefficient.
Monomials of the form $X_1^{2 i_1} \cdots X_{\log n}^{2 i_{\log n}}$ arise only from the product of $a_i X_1^{i_1} \cdots X_{\log n}^{i_{\log n}}$ and $G_i X_1^{i_1} \cdots X_{\log n}^{i_{\log n}}$ with the same index $i$, since $i_1, \dots, i_{\log n} \in \{0,1\}$. The sum is therefore $n \sum_i a_i G_i = n \langle \vec{a}, \vec{G} \rangle$.
Soundness (part 1)
What kind of soundness? Knowledge soundness: there exists an extractor E that, given a suitable tree of accepting transcripts for a commitment key $ck$ and commitment $C$, finds an opening $m$ such that $C = \mathrm{Com}(ck, m)$.
The tree of transcripts branches at every verifier challenge: after the prover's first message $q_1$ there are several challenges $r_1^{(1)}, r_1^{(2)}, r_1^{(3)}, \dots$, each followed by the prover's response $q_2$ to that $r_1^{(j)}$, which again branches, and so on down to $q_\ell, r_\ell$. The extractor E reads the whole tree and outputs the message $m$.
Soundness (part 2)
Lemma: There exists an extractor that, given a 3-ary tree of accepting transcripts for key $\vec{G}$ and commitment $C$, finds an opening $\vec{a}$ such that $C = \langle \vec{a}, \vec{G} \rangle$.
The extractor works from the leaves up to the root, one round at a time:
• Round $\log n$: $3^{\log n}$ openings of size 1 for $q_\ell(r_\ell)$ with key $p_{\vec{G}}(\vec{r}) \in \mathbb{G}$.
• Round $\log n - 1$: $3^{\log n - 1}$ openings of size 2 for $q_{\ell-1}(r_{\ell-1})$ with key $\vec{G}_{\ell-1} \in \mathbb{G}^2$.
• Round $i$: $3^{i-1}$ openings of size $2^{\log n - i + 1}$ for $q_{i-1}(r_{i-1})$ with key $\vec{G}_{i-1} \in \mathbb{G}^{2^{\log n - i + 1}}$, where $\vec{G}_{i-1}$ is the vector of coefficients of $p_{\vec{G}}(r_1, \dots, r_{i-1}, \vec{X})$.
• Round 1: 1 opening of size $2^{\log n} = n$ for $nC$ with key $\vec{G} \in \mathbb{G}^n$.
Soundness (part 3)
In the protocol, $q_i(X) = \sum_{\vec{\omega} \in \{-1,1\}^{\ell-i}} p_{\vec{a}}(r_1, \dots, r_{i-1}, X, \vec{\omega})\, p_{\vec{G}}(r_1, \dots, r_{i-1}, X, \vec{\omega})$. So $q_i(X)$ is quadratic.
Claim: If $\vec{\pi}^{(j)} \in \mathbb{F}^{2^{\ell-i}}$ is an opening for $q_i(r_i^{(j)})$ for $j \in [3]$, we can find an opening of size $2^{\ell-i+1}$ for $q_{i-1}(r_{i-1})$.
The 3-ary tree contains three evaluations of $q_i(X)$ such that $\forall j \in [3]$, $q_i(r_i^{(j)}) = \langle \vec{\pi}^{(j)}, \vec{G}_i \rangle$. Using the verifier's check $q_{i-1}(r_{i-1}) = q_i(1) + q_i(-1)$, we can then find $\vec{\pi}'$ with $q_{i-1}(r_{i-1}) = q_i(1) + q_i(-1) = \langle \vec{\pi}', \vec{G}_{i-1} \rangle$.
Soundness (part 4)
Goal: find a vector of polynomials $\vec{\pi}(X)$ such that $q_i(X) = \langle \vec{\pi}(X), \vec{G}_{i-1} \rangle$.
Recall that $\vec{G}_k$ is the vector of coefficients of $p_{\vec{G}}(r_1, \dots, r_k, \vec{X})$, so $\vec{G}_i = \vec{G}_{i-1,L} + r_i \vec{G}_{i-1,R}$, where $\vec{G}_{i-1,L}$ and $\vec{G}_{i-1,R}$ are the two halves of $\vec{G}_{i-1}$. Hence, for each $j \in [3]$,
$$q_i(r_i^{(j)}) = \langle \vec{\pi}^{(j)}, \vec{G}_{i-1,L} + r_i^{(j)} \vec{G}_{i-1,R} \rangle = \big\langle (\vec{\pi}^{(j)},\; r_i^{(j)} \vec{\pi}^{(j)}),\; \vec{G}_{i-1} \big\rangle .$$
Since $q_i$ is quadratic and we know it at three points, linear algebra (interpolation through the three points) gives $\vec{\pi}(X)$ with $q_i(X) = \langle \vec{\pi}(X), \vec{G}_{i-1} \rangle$, and then $\vec{\pi}' = \vec{\pi}(1) + \vec{\pi}(-1)$.
Pedersen commitment is invertible.
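The Pedersen sumcheck argument above (prover, the verifier's checks and the $n \cdot C$ normalisation from the completeness slides) together with one layer of the extractor from soundness parts 3 and 4, as an added example; this is not code from the paper or the slides. The group is the order-$Q$ subgroup of $\mathbb{Z}_P^*$ for toy parameters $P = 2039$, $Q = 1019$ (far too small for security, chosen so the arithmetic is easy to follow), scalars are taken modulo $Q$, and the sample vector $\vec{a}$, key $\vec{G}$ and challenges are constructed stand-ins for random values. The prover's round polynomial is computed in the split-and-fold form $q_i(X) = 2^{\ell-i} \langle \vec{a}_{lo} + X \vec{a}_{hi},\; \vec{G}_{lo} + X \vec{G}_{hi} \rangle$, which is the same polynomial as in the slides once the sum over the remaining variables is carried out.

```python
"""Sumcheck argument for a Pedersen commitment, plus one layer of the extractor.

Group: the order-Q subgroup of Z_P^* (toy parameters), written multiplicatively,
so "a * G" is pow(G, a, P) and "G + G'" is G * G' mod P; scalars live in F_Q.
The bits of a vector index are the exponents of X_1..X_ell, most significant
bit first, so folding the first half against the second half is evaluation of
the polynomial at X_1 = r.  All parameters and sample values are constructed.
"""
P_GROUP, Q, G_GEN = 2039, 1019, 4   # safe prime, subgroup order, generator (4 = 2^2)

def gadd(x, y):            # group operation
    return x * y % P_GROUP

def gmul(s, x):            # scalar multiplication s * x
    return pow(x, s % Q, P_GROUP)

def commit(a, G):          # Pedersen commitment <a, G> = sum_i a_i * G_i
    c = 1
    for s, x in zip(a, G):
        c = gadd(c, gmul(s, x))
    return c

def fold(a, r):            # coefficients of p_a(r, X_2, ...): a_lo + r * a_hi
    h = len(a) // 2
    return [(a[k] + r * a[k + h]) % Q for k in range(h)]

def gfold(G, r):           # same for the key: G_lo + r * G_hi
    h = len(G) // 2
    return [gadd(G[k], gmul(r, G[k + h])) for k in range(h)]

def round_poly(a, G, m):
    """q_i(X) = m * <a_lo + X a_hi, G_lo + X G_hi>, m = 2^(ell-i): the sum over
    omega in {-1,1}^(ell-i) contributes the factor m (odd monomials cancel).
    Returned as the coefficient triple (c0, c1, c2)."""
    h = len(a) // 2
    a_lo, a_hi, G_lo, G_hi = a[:h], a[h:], G[:h], G[h:]
    return (gmul(m, commit(a_lo, G_lo)),
            gmul(m, gadd(commit(a_lo, G_hi), commit(a_hi, G_lo))),
            gmul(m, commit(a_hi, G_hi)))

def qeval(q, x):           # q(x) = c0 + x c1 + x^2 c2
    return gadd(q[0], gadd(gmul(x, q[1]), gmul(x * x, q[2])))

def prove(a, G, challenges):
    """Honest prover: round polynomials q_1..q_ell and the final scalar p_a(r)."""
    ell, qs = len(challenges), []
    for i, r in enumerate(challenges):
        qs.append(round_poly(a, G, 2 ** (ell - i - 1)))
        a, G = fold(a, r), gfold(G, r)
    return qs, a[0]

def verify(C, G, challenges, qs, pa_r):
    expected = gmul(2 ** len(challenges), C)                 # n * C
    for q, r in zip(qs, challenges):
        if gadd(qeval(q, 1), qeval(q, -1)) != expected:      # q_i(1) + q_i(-1) = previous
            return False
        expected = qeval(q, r)
    for r in challenges:                                     # p_G(r): O(n) group ops
        G = gfold(G, r)
    return gmul(pa_r, G[0]) == expected                      # consistency check

def lagrange_at(points, j, x):
    num = den = 1
    for k, rk in enumerate(points):
        if k != j:
            num, den = num * (x - rk) % Q, den * (points[j] - rk) % Q
    return num * pow(den, Q - 2, Q) % Q

def extract_layer(rs, openings):
    """Given openings pi^(j) with q_i(r^(j)) = <pi^(j), G_lo + r^(j) G_hi> for three
    distinct challenges, interpolate pi(X) = sum_j L_j(X) (pi^(j), r^(j) pi^(j)) and
    return pi(1) + pi(-1): an opening of q_i(1) + q_i(-1) under (G_lo, G_hi)."""
    h, out = len(openings[0]), [0] * (2 * len(openings[0]))
    for j, (r, pi) in enumerate(zip(rs, openings)):
        w = (lagrange_at(rs, j, 1) + lagrange_at(rs, j, -1)) % Q
        for k in range(h):
            out[k] = (out[k] + w * pi[k]) % Q
            out[k + h] = (out[k + h] + w * r * pi[k]) % Q
    return out

def extract_top_layer(a, G, rs):
    """Simulate the root of a 3-ary transcript tree (three challenges after q_1)
    with an honest prover, then recover a from the three openings alone."""
    ell = len(a).bit_length() - 1
    m, n = 2 ** (ell - 1), 2 ** ell
    q1 = round_poly(a, G, m)
    openings = [[m * s % Q for s in fold(a, r)] for r in rs]   # open q_1(r) under G_lo + r G_hi
    assert all(commit(pi, gfold(G, r)) == qeval(q1, r) for pi, r in zip(openings, rs))
    pi_prime = extract_layer(rs, openings)                     # opens n*C under G
    assert commit(pi_prime, G) == gadd(qeval(q1, 1), qeval(q1, -1))
    return [s * pow(n, Q - 2, Q) % Q for s in pi_prime]       # divide out the factor n

A = [3, 1, 4, 1, 5, 9, 2, 6]                                  # constructed opening, n = 8
KEY = [pow(G_GEN, s, P_GROUP) for s in (7, 11, 13, 17, 19, 23, 29, 31)]  # toy key
CHALLENGES = [5, 17, 123]                                     # stand-ins for V's random coins

if __name__ == "__main__":
    C = commit(A, KEY)
    qs, pa_r = prove(A, KEY, CHALLENGES)
    print("verifier accepts:", verify(C, KEY, CHALLENGES, qs, pa_r))
    print("extracted a:", extract_top_layer(A, KEY, CHALLENGES))
```

The verifier's state is a single group element ($n \cdot C$, then $q_i(r_i)$), and its only linear-size work is folding the key to obtain $p_{\vec{G}}(\vec{r})$; the $3 \log n$ group elements of communication are the coefficient triples. The extractor step is nothing more than Lagrange interpolation of a degree-2 vector polynomial through three points, which is why it needs three distinct challenges per node of the tree and why the extracted opening carries the factor $n = 2^\ell$ that the final division removes (over a ring, this division is exactly where the slackness discussed later in the deck appears).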
Sumcheck argument for scalar-product commitments
Common input: key $(\vec{G}_1, \vec{G}_2, U) \in \mathbb{G}^{2n+1}$ and commitment $C \in \mathbb{G}^3$.
Claim: $\exists\, \vec{a}, \vec{b} \in \mathbb{F}^n$ s.t. $C = \big( \langle \vec{a}, \vec{G}_1 \rangle,\; \langle \vec{b}, \vec{G}_2 \rangle,\; \langle \vec{a}, \vec{b} \rangle \cdot U \big)$. The prover's opening is $(\vec{a}, \vec{b}) \in \mathbb{F}^{2n}$.
Protocol: run the sumcheck protocol for
$$\sum_{\vec{\omega} \in \{-1,1\}^{\log n}} \Big( p_{\vec{a}}(\vec{\omega})\, p_{\vec{G}_1}(\vec{\omega}),\; p_{\vec{b}}(\vec{\omega})\, p_{\vec{G}_2}(\vec{\omega}),\; p_{\vec{a}}(\vec{\omega})\, p_{\vec{b}}(\vec{\omega})\, U \Big) = n \cdot C .$$
P sends $q_1, \dots, q_{\log n}$ (each now taking values in $\mathbb{G}^3$); V sends $\vec{r} \leftarrow \mathbb{F}^{\log n}$, one $r_i$ per round; at the end P sends $p_{\vec{a}}(\vec{r})$ and $p_{\vec{b}}(\vec{r})$.
V checks:
• $q_1(1) + q_1(-1) = nC$?
• $q_i(1) + q_i(-1) = q_{i-1}(r_{i-1})$? for $i = 2, \dots, \log n$
• consistency check: $\big( p_{\vec{a}}(\vec{r})\, p_{\vec{G}_1}(\vec{r}),\; p_{\vec{b}}(\vec{r})\, p_{\vec{G}_2}(\vec{r}),\; p_{\vec{a}}(\vec{r})\, p_{\vec{b}}(\vec{r})\, U \big) = q_\ell(r_\ell)$?
Communication: succinct. Verifier computation: linear.
Completeness and soundness
Lemma: The verifier accepts with probability 1.
Follows from completeness for Pedersen, applied componentwise: the three components of $C$, namely $\langle \vec{a}, \vec{G}_1 \rangle$, $\langle \vec{b}, \vec{G}_2 \rangle$ and $\langle \vec{a}, \vec{b} \rangle U$, correspond to the three polynomial products $p_{\vec{a}}(\vec{X})\, p_{\vec{G}_1}(\vec{X})$, $p_{\vec{b}}(\vec{X})\, p_{\vec{G}_2}(\vec{X})$ and $p_{\vec{a}}(\vec{X})\, p_{\vec{b}}(\vec{X})\, U$.
Lemma: If the commitment scheme is binding, there exists an extractor that, given a 4-ary tree of accepting transcripts for key $(\vec{G}_1, \vec{G}_2, U)$ and commitment $C$, finds an opening $(\vec{a}, \vec{b})$ such that $C = \big( \langle \vec{a}, \vec{G}_1 \rangle,\; \langle \vec{b}, \vec{G}_2 \rangle,\; \langle \vec{a}, \vec{b} \rangle U \big)$.
Similarly to Pedersen, we extract an opening for each component. Using a computational assumption and the larger (4-ary) tree, we show that the third component is indeed the scalar product $\langle \vec{a}, \vec{b} \rangle$.
Scalar-product commitment is invertible.
Sumcheck-friendly commitments
Definition (recalled): A commitment scheme CM is sumcheck-friendly if
$$\mathrm{Com}(ck, m) = \sum_{\omega_1, \dots, \omega_\ell \in H} f\big(p_m(\omega_1, \dots, \omega_\ell),\; p_{ck}(\omega_1, \dots, \omega_\ell)\big),$$
with message polynomial $p_m \in \mathbb{M}[X_1, \dots, X_\ell]$ ($\mathbb{M}$ an $R$-module), key polynomial $p_{ck} \in \mathbb{K}[X_1, \dots, X_\ell]$ ($\mathbb{K}$ an $R$-module), evaluation points from $H \subseteq R$ ($R$ a ring), combiner function $f : \mathbb{M} \times \mathbb{K} \to \mathbb{C}$, and commitment space $\mathbb{C}$ an $R$-module.
Sumcheck arguments for sumcheck-friendly commitments?
Sumcheck argument for sumcheck-friendly commitments
Common input: key $ck$ and commitment $C$. Claim: $\exists\, m$ s.t. $C = \sum_{\vec{\omega} \in H^\ell} f(p_m(\vec{\omega}), p_{ck}(\vec{\omega}))$. The prover's opening is $m$.
Protocol: run the sumcheck protocol for $\sum_{\vec{\omega} \in H^\ell} f(p_m(\vec{\omega}), p_{ck}(\vec{\omega})) = C$. P sends $q_1, \dots, q_\ell$; V sends $\vec{r} \leftarrow \mathbb{F}^\ell$, one $r_i$ per round; at the end P sends $p_m(\vec{r})$.
V checks:
• $\sum_{\omega \in H} q_1(\omega) = C$?
• $\sum_{\omega \in H} q_i(\omega) = q_{i-1}(r_{i-1})$? for $i = 2, \dots, \ell$
• consistency check: $f(p_m(\vec{r}), p_{ck}(\vec{r})) = q_\ell(r_\ell)$?
Communication: sumcheck + $|p_m(\vec{r})|$. Verifier computation: computation of $p_{ck}(\vec{r})$ and of $f$.
Completeness and soundness
Lemma: The verifier accepts with probability 1. Follows directly from the definition of sumcheck-friendly commitments.
Lemma: If the commitment scheme is invertible, there exists an extractor that, given a suitable tree of accepting transcripts for key $ck$ and commitment $C$, finds an opening $m$. The extractor works inductively as in the Pedersen case, using invertibility in each layer.
Invertibility
Property that allows the extractor to climb up the tree from layer to layer: at a node with polynomial $q_i$ and $K$ children with challenges $r_i^{(1)}, \dots, r_i^{(K)}$, suppose we are given "openings" $p^{(1)}(\vec{X}), \dots, p^{(K)}(\vec{X})$ such that
$$\forall j \in [K]:\quad q_i(r_i^{(j)}) = \sum_{\vec{\omega} \in H^{\ell-i}} f\big(p^{(j)}(\vec{\omega}),\; p_{ck}(r_1, \dots, r_{i-1}, r_i^{(j)}, \vec{\omega})\big).$$
Then we can find a polynomial $p$ such that
$$\sum_{\omega \in H} q_i(\omega) = \sum_{\vec{\omega} \in H^{\ell-i+1}} f\big(p(\vec{\omega}),\; p_{ck}(r_1, \dots, r_{i-1}, \vec{\omega})\big).$$
($p$ has the extra variable $X_i$, so it is "bigger" than each $p^{(j)}$.)
$K$-invertible commitment schemes: Pedersen commitments, scalar-product commitments, linear-function commitments.
From groups to rings
Goal: an abstraction for mathematical structures where folding techniques can work.
Everything so far extends to general $\mathbb{F}$-vector spaces, e.g. bilinear groups [BMMTV19]. Scalar-product commitments for bilinear groups: $\big( \langle \vec{a}, \vec{G}_1 \rangle,\; \langle \vec{b}, \vec{G}_2 \rangle,\; \langle \vec{a}, \vec{b} \rangle \big) \in \mathbb{G}_T^3$, with the inner products formed through the pairing on $\mathbb{G}_1 \times \mathbb{G}_2$.
What about lattices and groups of unknown order?
From groups to rings: bilinear modules
$R$-module $M$: generalization of a vector space to rings.
Bilinear module: $(M_L, M_R, M_T, e)$ such that $M_L, M_R, M_T$ are $R$-modules and $e : M_L \times M_R \to M_T$ is $R$-bilinear. Polynomials can be defined over the message and key spaces.
Messages | Keys | Commitments | Assumption
small elements of $M_L$ | $M_R$ | $M_T$ | Bilinear Relation Assumption
Pedersen example: $C = a_1 G_1 + \dots + a_n G_n = \langle \vec{a}, \vec{G} \rangle$: "multiply" message and key elements using $e$, then add the pieces together. The Bilinear Relation Assumption says it is hard to find small $\vec{a}$ such that $\langle \vec{a}, \vec{G} \rangle = 0$.
Norm checks: only "short" elements are valid messages, e.g. for ring-SIS.
From groups to rings: sumcheck arguments
Common input: key $ck$ and commitment $C$. Claim: $\exists\, m$ with $\|m\| \le B$ s.t. $C = \sum_{\vec{\omega} \in H^\ell} f(p_m(\vec{\omega}), p_{ck}(\vec{\omega}))$. The prover's opening is $m$ with $\|m\| \le B$.
Protocol: run the sumcheck protocol for $\sum_{\v​ec{\omega} \in H^\ell} f(p_m(\vec{\omega}), p_{ck}(\vec{\omega})) = C$. P sends $q_1, \dots, q_\ell$; V sends $\vec{r} \leftarrow \mathcal{C}^\ell$, where $\mathcal{C} \subseteq R$ is a special challenge set (necessary even for the plain sumcheck protocol over a ring); at the end P sends $p_m(\vec{r})$.
V checks:
• $\sum_{\omega \in H} q_1(\omega) = C$?
• $\sum_{\omega \in H} q_i(\omega) = q_{i-1}(r_{i-1})$? for $i = 2, \dots, \ell$
• consistency check: $f(p_m(\vec{r}), p_{ck}(\vec{r})) = v$? where $v = q_\ell(r_\ell)$
• norm check: $\|p_m(\vec{r})\| \le B^*$? where $B^*$ is the natural bound for the evaluation of $p_m$ on $\mathcal{C}^\ell$
From groups to rings: soundness
Lemma: If the commitment scheme is invertible, there exists an extractor that, given a suitable tree of accepting transcripts for key $ck$ and commitment $C$, finds a relaxed opening $m$.
Challenges:
1. Linear algebra is different over rings and modules.
2. Norm considerations arise: arithmetic over rings might cause slackness factors and an increase in norm. E.g., for Pedersen, the extracted relaxed opening $\vec{a}$ for $C$ and $\vec{G}$ satisfies $\xi^\ell \cdot C = \langle \vec{a}, \vec{G} \rangle$ with $\|\vec{a}\| \le N^\ell \cdot B^*$.
Parameters for lattices (tighter analysis in [LA21], [ACK21]):
Ring | $\mathcal{C}$ | $\xi$ | $N$
$\mathbb{Z}_q[X]/\langle X^d + 1 \rangle$ | $\{X^i : 0 \le i \le 2d - 1\}$ | 8 | $O(d^7)$
From groups to rings: R1CS over rings
A remark about our R1CS result. Lemma (soundness): there exists an extractor that finds an R1CS witness, without slackness!
E.g., for Pedersen, the extracted relaxed opening $\vec{a}$ for $C$ and $\vec{G}$ satisfies $\xi^\ell \cdot C = \langle \vec{a}, \vec{G} \rangle$ with $\|\vec{a}\| \le N^\ell \cdot B$, whereas we want $C = \langle \vec{a} / \xi^\ell, \vec{G} \rangle$ with $\|\vec{a} / \xi^\ell\| \le B'$.
Issues:
1. $\xi$ might not be invertible.
2. $\vec{a} / \xi^\ell$ might not be small.
Fix: choose an ideal $I$ such that $\xi \pmod I$ is invertible and $x \pmod I$ is small for all $x$. Then $C = \langle \vec{a} / \xi^\ell \pmod I, \vec{G} \rangle$ with $\|\vec{a} / \xi^\ell \pmod I\| \le B'$.
Instantiations of bilinear modules
Assumption | Messages (small $M_L$) | Keys ($M_R$) | Commitments ($M_T$) | Ideal $I$
BRA (general) | small $M_L$ | $M_R$ | $M_T$ | $I$
DLOG | $\mathbb{F}_p$ | $\mathbb{G}$ | $\mathbb{G}$ | $\{0\}$
DPAIR [AFGHO10] | $\mathbb{G}_1$ | $\mathbb{G}_2$ | $\mathbb{G}_T$ | $\{0\}$
UO [BFS20] | small $\mathbb{Z}$ | $\mathbb{G}$ | $\mathbb{G}$ | $n\mathbb{Z}$ for suitable small $n$
RSIS [Ajtai94] | small $R_q$ | $R_q^d$ | $R_q^d$ | $n\mathbb{Z}$ for suitable small $n$
Conclusion
Summary of results
Theorem 1: The sumcheck protocol applied to a sumcheck-friendly commitment scheme is a succinct argument of knowledge of commitment openings.
Theorem 2: Let $(M_L, M_R, M_T)$ be a secure bilinear module with $M_L$ a ring and $I \subseteq M_L$ an ideal. There is a ZK succinct argument of knowledge for R1CS with
R1CS ring | Prover and verifier time | Proof size
$M_L / I$ | $O(n)$ ops in $M_L, M_R, M_T$ | $O(\log n)$ elements
Corollary: Let $p \ll q$ be primes, $R_p := \mathbb{Z}_p[X]/\langle X^d + 1 \rangle$ and similarly for $R_q$. Then, assuming SIS is hard, there is a ZK succinct argument of knowledge for R1CS with
R1CS ring | Prover and verifier time | Proof size
$R_p$ | $O(n)$ ops in $R_p, R_q$ | $O(\log n)$ elements of $R_q$
Takeaways
• Many commitment schemes are sumcheck friendly
• We can recast many different cryptographic settings as bilinear modules
• In the paper: instantiations and polynomial commitment schemes
Thanks!
https://ia.cr/2021/333

ZK Study Club: Sumcheck Arguments and Their Applications

  • 1. Sumcheck Arguments and their Applications Jonathan Bootle (IBM Research – Zurich) Alessandro Chiesa (UC Berkeley) Katerina Sotiraki (UC Berkeley) https://ia.cr/2021/333 1
  • 2. Succinct arguments P V ⋮ 10 Common input 𝑥1 = 4 𝑥2 = 1 ⋮ Witness Completeness: if the witness is valid, the verifier accepts Soundness: if the witness is invalid, the verifier rejects Knowledge soundness: (later) Succinctness: the messages are much smaller than the witness 2
  • 3. The sumcheck protocol [LFKN92] P V Given a polynomial 𝑝(𝑋1, … , 𝑋ℓ) over a field 𝔽 and a value 𝑢 ∈ 𝔽, prove that σ𝜔∈𝐻ℓ 𝑝(𝜔1, … , 𝜔ℓ) = 𝑢 𝑞1 ∈ 𝔽[𝑋1] Checks that σ𝜔1∈𝐻 𝑞1 𝜔1 = 𝑢 σ𝜔2∈𝐻 𝑞2 𝜔2 = 𝑞1(𝑟1) ⋮ σ𝜔ℓ∈𝐻 𝑞ℓ 𝜔ℓ = 𝑞ℓ−1(𝑟ℓ−1) ⋮ Computes polynomials 𝑞𝑖 𝑋𝑖 = σ𝜔∈𝐻ℓ−𝑖 𝑝(𝑟1, . . , 𝑟𝑖−1, 𝑋𝑖, 𝜔𝑖+1, . . , 𝜔ℓ) Soundness: If σ𝜔∈𝐻ℓ 𝑝(𝜔1, … , 𝜔ℓ) ≠ 𝑢 then V accepts with probability at most ℓ⋅deg(𝑝) |𝔽| . Communication ℓ ⋅ deg 𝑝 elements of 𝔽 𝑟1 ← 𝔽 𝑞ℓ ∈ 𝔽[𝑋ℓ] 𝑟ℓ ← 𝔽 Evaluates 𝑝 to check that 𝑝(𝑟1, … , 𝑟ℓ) = 𝑞ℓ(𝑟ℓ) 3
  • 4. The sumcheck protocol is everywhere! Sumcheck protocol Probabilistic proofs [BFL91,BFLS91,GKR08] Sumcheck-based succinct arguments [Thaler13] [CMT13], [VSBW13], [W+17], [ZGKPP17], [WTSTW18], [XZZPS19], [Set20] Univariate-sumcheck- based arguments [BCRSVS19] [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20] Sumchecks for tensor codes [Meir13] [RR20], [BCG20], [BCL20] • Linear-time prover [Thaler13,ZXZS20] • Small space [CMT13] (can be implemented with streaming access) • Strong soundness properties [CCHLRR18] (can make non-interactive without random oracles) Useful properties: 4
  • 5. The sumcheck protocol is everywhere! Sumcheck protocol Probabilistic proofs [BFL91,BFLS91,GKR08] Sumcheck-based succinct arguments [Thaler13] [CMT13], [VSBW13], [W+17], [ZGKPP17], [WTSTW18], [XZZPS19], [Set20] Univariate-sumcheck- based arguments [BCRSVS19] [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20] Sumchecks for tensor codes [Meir13] [RR20], [BCG20], [BCL20] • Linear-time prover [Thaler13,ZXZS20] • Small space [CMT13] (can be implemented with streaming access) • Strong soundness properties [CCHLRR18] (can make non-interactive without random oracles) Useful properties: https://zkproof.org/2020/03/16/sum-checkprotocol/ 5
  • 6. Pairing-group arguments [LMR19], [ZGKPP17], [XZZPS19] Split-and-fold techniques: a separate body of work? Discrete-log arguments [BBBPWM18], [PLS19], [HKR19], [BHRRS20] Unknown-order-group arguments [BFS20], [BHRRS21] Lattice arguments [BLNS20], [ACK21], [LA20] Some unifying abstractions: [BMMTV19,AC20,BDFG21] Split-and-fold [BCCGP16] • Linear-time prover • Streaming prover [BHRRS20], [BHRRS21] (can be implemented in small space) Useful properties: 6
  • 7. Pairing-group arguments [LMR19], [ZGKPP17], [XZZPS19] Split-and-fold techniques: a separate body of work? Discrete-log arguments [BBBPWM18], [PLS19], [HKR19], [BHRRS20] Unknown-order-group arguments [BFS20], [BHRRS21] Lattice arguments [BLNS20], [ACK21], [LA20] Some unifying abstractions: [BMMTV19,AC20,BDFG21] Split-and-fold [BCCGP16] • Linear-time prover • Streaming prover [BHRRS20], [BHRRS21] (can be implemented in small space) Useful properties: https://www.coindesk.com/aim-fire-bulletproofs-breakthrough-privacy-blockchains [BBBPWM18] implemented in Rust, Haskell, Javascript, and deployed by Blockstream, and in Monero, Mimblewimble and more… 7
  • 9. From two bodies of work… …to a unified perspective Sumchecks and commitment schemes [VSBW13], [Wah+17], [ZGKPP17], [WTSTW18], [XZZPS19], [BCRSVS19], [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20], [Set20] Sumcheck arguments (this work) [BCCGP16], [BBBPWM18], [LMR19], [BMMTV19], [PLS19], [HKR19], [BHRRS20], [ACR20], [ACF20], [BFS20], [BLNS20], [AC20], [BDFG21], [BHRRS21], [LA21], [ACK21] Folding techniques Sumcheck protocol 9
  • 10. General goal: succinct arguments for commitment openings P V Common input: • commitment 𝐶 • commitment key 𝑐𝑘 Succinctness goal: communication ≪ |𝑚| ⋮ Focus: commitments with special structure Claim: ∃ 𝑚 such that 𝐶 = Com 𝑐𝑘, 𝑚 10
  • 11. A new notion : sumcheck-friendly commitments Definition: A commitment scheme CM is sumcheck friendly if Com 𝑐𝑘, 𝑚 = ෍ 𝜔1,…,𝜔ℓ∈𝐻 𝑓(𝑝𝑚 𝜔1, … , 𝜔ℓ , 𝑝𝑐𝑘 𝜔1, … , 𝜔ℓ ) Example: Pedersen commitments 𝐶 = 𝑎1 ⋅ 𝑔1 + ⋯ + 𝑎𝑛 ⋅ 𝑔𝑛 𝐻 = −1,1 𝑅 = 𝔽𝑝 message polynomial in 𝕄[𝑋1, … , 𝑋ℓ], 𝕄 an 𝑅-module evaluation points from 𝐻 ⊆ 𝑅, 𝑅 a ring key polynomial in 𝕂[𝑋1, … , 𝑋ℓ], 𝕂 an 𝑅-module combiner function 𝑓 ∶ 𝕄 × 𝕂 → ℂ 𝕂 = 𝔾, 𝑝𝑐𝑘 𝑋1, … , 𝑋ℓ = σ 𝑔𝑖1,…,𝑖ℓ 𝑋1 𝑖1 … 𝑋ℓ 𝑖ℓ ℂ = 𝔾 𝑓: 𝑎, 𝑔 → 𝑎 ⋅ 𝑔 commitment space ℂ is an 𝑅-module 𝕄 = 𝔽𝑝, 𝑝𝑚 𝑋1, … , 𝑋ℓ = σ 𝑎𝑖1,…,𝑖ℓ 𝑋1 𝑖1 … 𝑋ℓ 𝑖ℓ 11
  • 12. Main result: sumcheck arguments Theorem 1: Let CM be a commitment scheme which is sumcheck-friendly and invertible. Given a commitment key 𝑐𝑘 and a commitment 𝐶, the sumcheck protocol applied to (with one extra verifier check) is a succinct argument of knowledge for the claim ∃𝑚 such that 𝐶 = Com(𝑐𝑘, 𝑚), with Sumcheck works over rings and modules Think 𝑂(log |𝑚|) 𝑝 𝑋1, … , 𝑋ℓ = 𝑓 𝑝𝑚 𝑋1, … , 𝑋ℓ , 𝑝𝑐𝑘 𝑋1, … , 𝑋ℓ ∈ ℂ[𝑋1, … , 𝑋ℓ] • completeness • soundness • communication ℓ ⋅ deg 𝑝 12
  • 13. Application: succinct arguments for NP [VSBW13], [Wah+17], [ZGKPP17], [WTSTW18], [XZZPS19], [BCRSVS19], [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20], [Set20] [BCCGP16], [BBBPWM18], [LMR19], [BMMTV19], [PLS19], [HKR19], [BHRRS20], [ACR20], [ACF20], [BFS20], [BLNS20], [AC20], [BDFG21], [BHRRS21], [LA21], [ACK21] scalar-product arguments for bilinear modules Step 1: reduce NP statements to scalar products Step 2: use efficient subroutine for scalar-products Sumcheck protocol Sumchecks and commitment schemes Folding techniques Sumcheck arguments (this work) 13
• 14. Application to R1CS over rings
  R1CS problem over a ring $R$: given matrices $A, B, C \in R^{n \times n}$, does there exist $z \in R^n$ satisfying $Az \circ Bz = Cz$?
  Bilinear module: a triple of modules $(M_L, M_R, M_T)$ over the same ring with a bilinear map $e : M_L \times M_R \to M_T$.
  Theorem 2: Let $(M_L, M_R, M_T, e)$ be a "secure" bilinear module (one with enough structure for Pedersen and Schnorr) where $M_L$ is a ring. Let $I \subseteq M_L$ be a suitable ideal. There is a ZK succinct argument of knowledge for R1CS with
  R1CS ring: $M_L / I$ | Prover time: $O(n)$ ops in $M_L, M_R, M_T$ | Verifier time: $O(n)$ ops in $M_L, M_R, M_T$ | Proof size: $O(\log n)$ elems of $M_T$
• 15. Lattice-based succinct arguments for R1CS
  Corollary: Let $d$ be a power of 2, $p \ll q$ primes, $R_p := \mathbb{Z}_p[X]/\langle X^d + 1 \rangle$ and similarly for $R_q$. Then, assuming SIS is hard over $R_q$, there is a zero-knowledge succinct argument of knowledge for R1CS with
  R1CS ring: $R_p$ | Prover time: $O(n)$ ops in $R_p, R_q$ | Verifier time: $O(n)$ ops in $R_p, R_q$ | Proof size: $O(\log n)$ elems of $R_q$
  Concurrent work:
  - [LA21] gives impossibility results and improvements for lattice POKs
  - [ACK21] gives lattice-based succinct arguments for NP
• 16. Open questions
  - Analyse the post-quantum security of sumcheck arguments
  - Investigate new lattice instantiations [LA21] and concrete performance improvements
  - Give instantiations of [BFS20, Lee21, BHHRS21] in our framework (or a generalization)
• 18. Sumcheck arguments for commitment schemes (outline)
  Today:
  - Groups: Pedersen commitments; scalar-product commitments; sumcheck-friendly commitments
  - Rings and modules: generalised sumcheck-friendly commitments
  Many more details and results in the paper!
• 19. Sumcheck argument for Pedersen
  Common input: commitment $C \in \mathbb{G}$, key $\vec G \in \mathbb{G}^n$.
  Claim: $\exists\, \vec a \in \mathbb{F}^n$ s.t. $C = \langle \vec a, \vec G \rangle$. P's opening: $\vec a \in \mathbb{F}^n$.
  Run the sumcheck protocol for $\sum_{\vec\omega \in \{-1,1\}^{\log n}} p_{\vec a}(\vec\omega)\, p_{\vec G}(\vec\omega) = nC$:
  P sends $q_1, \dots, q_{\log n}$ and V sends $\vec r \leftarrow \mathbb{F}^{\log n}$, round by round as in the sumcheck protocol; finally P sends $p_{\vec a}(\vec r)$.
  V checks:
  $q_1(1) + q_1(-1) = nC$?
  $\vdots$
  $q_{\log n}(1) + q_{\log n}(-1) = q_{\log n - 1}(r_{\log n - 1})$?
  Consistency check: $p_{\vec a}(\vec r)\, p_{\vec G}(\vec r) = q_{\log n}(r_{\log n})$?
  Communication: $3 \log n$ elements of $\mathbb{G}$ + $(\log n + 1)$ elements of $\mathbb{F}$. Verifier computation: $O(n)$ operations in $\mathbb{G}$.
  The "split-and-fold technique" [BCCGT16] is equivalent! (See App. A in the paper.)
• 20. Sumcheck argument: Pedersen. Completeness (part 1)
  Lemma: If $\langle \vec a, \vec G \rangle = C$, then the verifier accepts with probability 1.
  It suffices to show the following claim.
  Claim: $\sum_{\vec\omega \in \{-1,1\}^{\log n}} p_{\vec a}(\vec\omega)\, p_{\vec G}(\vec\omega) = n \langle \vec a, \vec G \rangle$
  (recall $p_{\vec r}(\vec X) = \sum_{\vec i} r_{\vec i}\, X_1^{i_1} \cdots X_{\log n}^{i_{\log n}}$, the sum running over the $n$ indices $\vec i$).
  Indeed, $\sum_{\vec\omega} p_{\vec a}(\vec\omega)\, p_{\vec G}(\vec\omega)$ (what the sumcheck protocol checks) $= n \langle \vec a, \vec G \rangle$ (by the claim) $= nC$ (by the hypothesis).
• 21. Sumcheck argument: Pedersen. Completeness (part 2)
  Claim: $\sum_{\vec\omega \in \{-1,1\}^{\log n}} p_{\vec a}(\vec\omega)\, p_{\vec G}(\vec\omega) = n \langle \vec a, \vec G \rangle$
  (recall $p_{\vec r}(\vec X) = \sum_{\vec i} r_{\vec i}\, X_1^{i_1} \cdots X_{\log n}^{i_{\log n}}$ with $i_1, \dots, i_{\log n} \in \{0, 1\}$).
  Summing over $\vec\omega \in \{-1,1\}^{\log n}$ cancels every monomial of $p_{\vec a}(\vec X)\, p_{\vec G}(\vec X)$ that has odd degree in any variable, e.g., $X_1 X_2^2 X_3^2$.
  Hence $\sum_{\vec\omega \in \{-1,1\}^{\log n}} p_{\vec a}(\vec\omega)\, p_{\vec G}(\vec\omega)$ receives contributions only from monomials $X_1^{2 i_1} \cdots X_{\log n}^{2 i_{\log n}}$.
  Monomials of the form $X_1^{2 i_1} \cdots X_{\log n}^{2 i_{\log n}}$ arise from $a_{\vec i}\, X_1^{i_1} \cdots X_{\log n}^{i_{\log n}} \cdot G_{\vec i}\, X_1^{i_1} \cdots X_{\log n}^{i_{\log n}}$.
  Each such monomial evaluates to $1$ at every $\vec\omega \in \{-1,1\}^{\log n}$, so the sum equals $n \sum_{\vec i} a_{\vec i} G_{\vec i} = n \langle \vec a, \vec G \rangle$.
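As an added example (not code from the paper or its authors), the Pedersen sumcheck argument of slides 19 to 21 run end to end in Python over a constructed toy group: the order-953 subgroup of $\mathbb{Z}_{1907}^*$ stands in for $\mathbb{G}$ (far too small to be secure), scalars live in $\mathbb{F}_{953}$, $H = \{-1, 1\}$ and $n = 8$; the function and parameter names are the example's own.

```python
import itertools, random
from math import prod

# Toy instance constructed for this example (not code from the paper): the group is the
# order-Q subgroup of Z_P^* with P = 2Q + 1 prime, scalars live in F_Q, and the slides'
# additive notation a*G is pow(G, a, P). The parameters are far too small for security.
P, Q, ELL = 1907, 953, 3
N, H, XS = 2 ** ELL, (1, Q - 1), (0, 1, Q - 1)   # n = 2^l; H = {1, -1}; points a quadratic is sent at

def gadd(g, h): return g * h % P                 # G + H in additive notation
def gmul(a, g): return pow(g, a % Q, P)          # a * G
def ginner(a, G):                                # <a, G> = sum_i a_i * G_i
    c = 1
    for ai, gi in zip(a, G): c = gadd(c, gmul(ai, gi))
    return c

def monomials(x):
    """prod_j x_j^{i_j} for every i in {0,1}^k, indexed so that i_1 is the high bit."""
    vals = [1]
    for xj in reversed(x): vals = vals + [m * xj % Q for m in vals]
    return vals

def p_scalar(a, x): return sum(ai * m for ai, m in zip(a, monomials(x))) % Q  # p_a(x)
def p_group(G, x): return ginner(monomials(x), G)                           # p_G(x)

def round_poly(a, G, prefix):
    """Prover's q_i, sent as its values at XS: sum_{w in H^{l-i}} p_a(prefix,X,w) * p_G(prefix,X,w)."""
    pts = lambda x: [list(prefix) + [x] + list(w) for w in itertools.product(H, repeat=ELL - len(prefix) - 1)]
    return [ginner([p_scalar(a, t) for t in pts(x)], [p_group(G, t) for t in pts(x)]) for x in XS]

def eval_sent(q, x):
    """Verifier recovers q(x) from the three sent values by Lagrange interpolation in the group."""
    lag = [prod((x - xk) * pow((xj - xk) % Q, -1, Q) for xk in XS if xk != xj) % Q for xj in XS]
    return ginner(lag, q)

def sumcheck_argument(a, G, C, seed=0):
    """Interactive argument for the claim C = <a, G>; returns True iff the verifier accepts."""
    rng, prefix, expected = random.Random(seed), [], gmul(N, C)   # round-1 claim: q_1(1)+q_1(-1) = n*C
    for _ in range(ELL):
        q = round_poly(a, G, prefix)                         # P -> V: q_i
        if gadd(eval_sent(q, 1), eval_sent(q, Q - 1)) != expected: return False
        prefix.append(rng.randrange(Q))                      # V -> P: r_i
        expected = eval_sent(q, prefix[-1])                  # next claim: q_{i+1}(1)+q_{i+1}(-1) = q_i(r_i)
    # P -> V: p_a(r); V's consistency check p_a(r) * p_G(r) = q_l(r_l)
    return gmul(p_scalar(a, prefix), p_group(G, prefix)) == expected

G_KEY = [gmul(x, 4) for x in range(1, N + 1)]   # constructed key; 4 generates the order-Q subgroup
A_MSG = [3, 1, 4, 1, 5, 9, 2, 6]                 # constructed message vector a
C_COM = ginner(A_MSG, G_KEY)                     # C = <a, G>
```

The first verifier check already contains the completeness claim: $q_1(1) + q_1(-1)$ is the full sum over $\{-1,1\}^{\log n}$, so a prover whose $\vec a$ does not open $C$ fails it before any challenge is drawn.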
• 22. Sumcheck argument: Pedersen. Soundness (part 1)
  What kind of soundness? Knowledge soundness: there exists an extractor E that, given a suitable tree of accepting transcripts for a commitment key $ck$ and commitment $C$, finds an opening $m$ such that $C = \mathrm{Com}(ck, m)$.
  [Diagram: the protocol P ⇄ V with messages $q_1, r_1, \dots, q_\ell, r_\ell$, and a tree of transcripts branching at each challenge: $q_1$, then $r_1^{(1)}, r_1^{(2)}, r_1^{(3)}$, then $q_2(r_1^{(1)}), q_2(r_1^{(2)}), q_2(r_1^{(3)}), \dots$; E turns the tree into the message $m$.]
• 23. Sumcheck argument: Pedersen. Soundness (part 2)
  Lemma: There exists an extractor that, given a 3-ary tree of accepting transcripts for key $\vec G$ and commitment $C$, finds an opening $\vec a$ such that $C = \langle \vec a, \vec G \rangle$.
  [Diagram: tree with $q_1$, challenges $r_1^{(1)}, r_1^{(2)}, r_1^{(3)}$, children $q_2(r_1^{(1)}), q_2(r_1^{(2)}), q_2(r_1^{(3)}), \dots$]
  Openings available at each layer of the tree:
  - Leaves: $3^{\log n}$ openings of size 1 for $q_\ell(r_\ell)$ with key $p_{\vec G}(\vec r) \in \mathbb{G}$.
  - Round $\log n$: $3^{\log n - 1}$ openings of size 2 for $q_{\ell - 1}(r_{\ell - 1})$ with key $\vec G_{\ell - 1} \in \mathbb{G}^2$.
  - Round $i$: $3^{i - 1}$ openings of size $2^{\log n - i + 1}$ for $q_{i-1}(r_{i-1})$ with key $\vec G_{i-1} \in \mathbb{G}^{2^{\log n - i + 1}}$, where $\vec G_{i-1}$ is the vector of coefficients of $p_{\vec G}(r_1, \dots, r_{i-1}, \vec X)$.
  - Round 1: 1 opening of size $2^{\log n} = n$ for $nC$ with key $\vec G \in \mathbb{G}^n$.
• 24. Sumcheck argument: Pedersen. Soundness (part 3)
  In the protocol, $q_i(X) = \sum_{\vec\omega \in \{-1,1\}^{\ell - i}} p_{\vec a}(r_1, \dots, r_{i-1}, X, \vec\omega)\, p_{\vec G}(r_1, \dots, r_{i-1}, X, \vec\omega)$. So $q_i(X)$ is quadratic.
  Claim: If $\vec\pi^{(j)} \in \mathbb{F}^{2^{\ell - i}}$ is an opening for $q_i(r_i^{(j)})$ for $j \in [3]$, we can find an opening of size $2^{\ell - i + 1}$ for $q_{i-1}(r_{i-1})$.
  The 3-ary tree contains three evaluations of $q_i(X)$ such that $\forall j \in [3]$, $q_i(r_i^{(j)}) = \langle \vec\pi^{(j)}, \vec G_i \rangle$.
  Goal: find $\vec\pi(X)$ such that $q_i(X) = \langle \vec\pi(X), \vec G_{i-1} \rangle$.
  Then we can find $\vec\pi'$ with $q_{i-1}(r_{i-1}) = q_i(1) + q_i(-1) = \langle \vec\pi', \vec G_{i-1} \rangle$ (this is the verifier's check).
• 25. Sumcheck argument: Pedersen. Soundness (part 4)
  Claim: If $\vec\pi^{(j)} \in \mathbb{F}^{2^{\ell - i}}$ is an opening for $q_i(r_i^{(j)})$ for $j \in [3]$, we can find an opening of size $2^{\ell - i + 1}$ for $q_{i-1}(r_{i-1})$.
  Recall that $\vec G_k$ is the vector of coefficients of $p_{\vec G}(r_1, \dots, r_k, \vec X)$. The 3-ary tree contains three evaluations of $q_i(X)$ such that $\forall j \in [3]$,
  $q_i(r_i^{(j)}) = \langle \vec\pi^{(j)}, \vec G_i \rangle = \langle \vec\pi^{(j)}, \vec G_{i-1,L} + r_i^{(j)} \vec G_{i-1,R} \rangle = \langle (\vec\pi^{(j)}, r_i^{(j)} \vec\pi^{(j)}), \vec G_{i-1} \rangle$.
  By linear algebra (a quadratic is determined by three evaluations) we find $\vec\pi(X)$ such that $q_i(X) = \langle \vec\pi(X), \vec G_{i-1} \rangle$. The Pedersen commitment is invertible.
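As an added example (not the paper's code), one layer of the extractor from slides 24 and 25 in Python, in a constructed toy group (the order-953 subgroup of $\mathbb{Z}_{1907}^*$ written additively, scalars in $\mathbb{F}_{953}$); the key vector, coefficient vector, challenges and function names are this example's own. Given three openings $\vec\pi^{(j)}$ of $q_i(r_i^{(j)})$ against the folded keys $\vec G_{i-1,L} + r_i^{(j)} \vec G_{i-1,R}$, it interpolates $\vec\pi(X)$ and returns $\vec\pi(1) + \vec\pi(-1)$, the opening for the previous round.

```python
from math import prod

# Toy setting constructed for this example (not the paper's code): the group is the order-Q
# subgroup of Z_P^*, P = 2Q + 1, written additively as on the slides (a*G is pow(G, a, P)).
P, Q = 1907, 953
def gadd(g, h): return g * h % P                 # G + H
def gmul(a, g): return pow(g, a % Q, P)          # a * G
def ginner(a, G):                                # <a, G>
    c = 1
    for ai, gi in zip(a, G): c = gadd(c, gmul(ai, gi))
    return c

def fold_key(G, r):
    """G_i = G_{i-1,L} + r * G_{i-1,R}: coefficients of p_G(.., r, X) from those of p_G(.., X_i, X)."""
    m = len(G) // 2
    return [gadd(gl, gmul(r, gr)) for gl, gr in zip(G[:m], G[m:])]

def lagrange_vec(rs, vecs, x):
    """Vector-valued interpolation over F_Q: the quadratic through (r_j, vec_j), evaluated at x."""
    out = [0] * len(vecs[0])
    for j, rj in enumerate(rs):
        lj = prod((x - rk) * pow((rj - rk) % Q, -1, Q) for rk in rs if rk != rj) % Q
        out = [(o + lj * v) % Q for o, v in zip(out, vecs[j])]
    return out

def pi_poly(rs, pis, x):
    """pi(X) at x: <pi^(j), fold_key(G, r^(j))> = <(pi^(j), r^(j) pi^(j)), G>, so interpolating the
    lifted vectors through the three challenges gives pi(X) with q_i(X) = <pi(X), G_{i-1}>."""
    lifted = [pi + [r * v % Q for v in pi] for r, pi in zip(rs, pis)]
    return lagrange_vec(rs, lifted, x)

def extract_round(rs, pis):
    """Extractor step of slides 24-25: from three openings pi^(j) of q_i(r_i^(j)) return
    pi(1) + pi(-1), an opening of q_{i-1}(r_{i-1}) = q_i(1) + q_i(-1) with respect to G_{i-1}."""
    return [(u + v) % Q for u, v in zip(pi_poly(rs, pis, 1), pi_poly(rs, pis, Q - 1))]

def honest_opening(a_prev, r):
    """An honest prover's opening of q_i(r): 2^{l-i} * (a_L + r * a_R), with a_prev = (a_L, a_R)."""
    m = len(a_prev) // 2
    return [m * (al + r * ar) % Q for al, ar in zip(a_prev[:m], a_prev[m:])]

def transcripts_consistent(G_prev, rs, pis):
    """The identity the extractor relies on: <pi^(j), G_i^(j)> = <pi(r^(j)), G_{i-1}> for every j."""
    return all(ginner(pi, fold_key(G_prev, r)) == ginner(pi_poly(rs, pis, r), G_prev)
               for r, pi in zip(rs, pis))
G_PREV = [gmul(x, 4) for x in range(1, 9)]       # constructed key G_{i-1} (4 generates the subgroup)
A_PREV = [3, 1, 4, 1, 5, 9, 2, 6]                # constructed honest coefficient vector a_{i-1}
RS = [17, 123, 800]                              # constructed challenges r_i^(1), r_i^(2), r_i^(3)
PIS = [honest_opening(A_PREV, r) for r in RS]    # the three openings at the tree's next layer
```

For honest openings the extracted vector is $2^{\ell - i + 1} \vec a_{i-1}$, the factor being the number of points of $\{-1,1\}^{\ell - i + 1}$ summed over, exactly as the completeness claim predicts.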
• 26. Sumcheck arguments for commitment schemes (outline)
  Today:
  - Groups: Pedersen commitments; scalar-product commitments; sumcheck-friendly commitments
  - Rings and modules: generalised sumcheck-friendly commitments
• 27. Sumcheck argument for scalar-product commitments
  Common input: key $(\vec G_1, \vec G_2, U) \in \mathbb{G}^{2n+1}$, commitment $C \in \mathbb{G}^3$.
  Claim: $\exists\, (\vec a, \vec b) \in \mathbb{F}^{2n}$ s.t. $C = \big(\langle \vec a, \vec G_1 \rangle,\ \langle \vec b, \vec G_2 \rangle,\ \langle \vec a, \vec b \rangle U\big)$. P's opening: $(\vec a, \vec b) \in \mathbb{F}^{2n}$.
  Run the sumcheck protocol for
  $\sum_{\vec\omega \in \{-1,1\}^{\log n}} \big(p_{\vec a}(\vec\omega)\, p_{\vec G_1}(\vec\omega),\ p_{\vec b}(\vec\omega)\, p_{\vec G_2}(\vec\omega),\ p_{\vec a}(\vec\omega)\, p_{\vec b}(\vec\omega)\, U\big) = nC$:
  P sends $q_1, \dots, q_{\log n}$, V sends $\vec r \leftarrow \mathbb{F}^{\log n}$, and finally P sends $p_{\vec a}(\vec r), p_{\vec b}(\vec r)$.
  V checks:
  $q_1(1) + q_1(-1) = nC$?
  $\vdots$
  $q_{\log n}(1) + q_{\log n}(-1) = q_{\log n - 1}(r_{\log n - 1})$?
  Consistency check: $\big(p_{\vec a}(\vec r)\, p_{\vec G_1}(\vec r),\ p_{\vec b}(\vec r)\, p_{\vec G_2}(\vec r),\ p_{\vec a}(\vec r)\, p_{\vec b}(\vec r)\, U\big) = q_\ell(r_\ell)$?
  Communication: succinct. Verifier computation: linear.
• 28. Sumcheck argument: scalar-product commitment. Completeness and soundness
  Lemma: The verifier accepts with probability 1. Follows from completeness for Pedersen: each component of $C = \big(\langle \vec a, \vec G_1 \rangle,\ \langle \vec b, \vec G_2 \rangle,\ \langle \vec a, \vec b \rangle U\big)$ corresponds to a component of $\big(p_{\vec a}(\vec X)\, p_{\vec G_1}(\vec X),\ p_{\vec b}(\vec X)\, p_{\vec G_2}(\vec X),\ p_{\vec a}(\vec X)\, p_{\vec b}(\vec X)\, U\big)$.
  Lemma: If the commitment scheme is binding, there exists an extractor that, given a 4-ary tree of accepting transcripts for key $(\vec G_1, \vec G_2)$ and commitment $C$, finds an opening $(\vec a, \vec b)$ such that $C = \big(\langle \vec a, \vec G_1 \rangle,\ \langle \vec b, \vec G_2 \rangle,\ \langle \vec a, \vec b \rangle U\big)$.
  Similarly to Pedersen, we extract an opening for each component. Using a computational assumption and the larger tree, we show that the third component is the scalar product $\langle \vec a, \vec b \rangle$. The scalar-product commitment is invertible.
• 29. Sumcheck arguments for commitment schemes (outline)
  Today:
  - Groups: Pedersen commitments; scalar-product commitments; sumcheck-friendly commitments
  - Rings and modules: generalised sumcheck-friendly commitments
• 30. Sumcheck-friendly commitments
  Definition: A commitment scheme CM is sumcheck-friendly if
  $\mathrm{Com}(ck, m) = \sum_{\omega_1,\dots,\omega_\ell \in H} f\big(p_m(\omega_1,\dots,\omega_\ell),\ p_{ck}(\omega_1,\dots,\omega_\ell)\big)$
  where
  - the message polynomial $p_m \in \mathbb{M}[X_1,\dots,X_\ell]$, $\mathbb{M}$ an $R$-module;
  - the key polynomial $p_{ck} \in \mathbb{K}[X_1,\dots,X_\ell]$, $\mathbb{K}$ an $R$-module;
  - the evaluation points come from $H \subseteq R$, $R$ a ring;
  - the combiner function is $f : \mathbb{M} \times \mathbb{K} \to \mathbb{C}$;
  - the commitment space $\mathbb{C}$ is an $R$-module.
  Sumcheck arguments for sumcheck-friendly commitments?
• 31. Sumcheck argument for sumcheck-friendly commitments
  Common input: key $ck$, commitment $C$.
  Claim: $\exists\, m$ s.t. $C = \sum_{\vec\omega \in H^\ell} f\big(p_m(\vec\omega), p_{ck}(\vec\omega)\big)$. P's opening: $m$.
  Run the sumcheck protocol for $\sum_{\vec\omega \in H^\ell} f\big(p_m(\vec\omega), p_{ck}(\vec\omega)\big) = C$: P sends $q_1, \dots, q_\ell$, V sends $\vec r \leftarrow \mathbb{F}^\ell$, and finally P sends $p_m(\vec r)$.
  V checks:
  $\sum_{\omega \in H} q_1(\omega) = C$?
  $\vdots$
  $\sum_{\omega \in H} q_\ell(\omega) = q_{\ell - 1}(r_{\ell - 1})$?
  Consistency check: $f\big(p_m(\vec r), p_{ck}(\vec r)\big) = q_\ell(r_\ell)$?
  Communication: sumcheck + $|p_m(\vec r)|$. Verifier computation: computation of $p_{ck}(\vec r)$ and $f$.
• 32. Sumcheck argument: sumcheck-friendly commitment. Completeness and soundness
  Lemma: The verifier accepts with probability 1. Follows directly from the definition of sumcheck-friendly commitments.
  Lemma: If the commitment scheme is invertible, there exists an extractor that, given a suitable tree of accepting transcripts for key $ck$ and commitment $C$, finds an opening $m$. The extractor works inductively as in Pedersen, using invertibility in each layer.
• 33. Sumcheck argument: sumcheck-friendly commitment. Invertibility
  Given the polynomial $q_i(X)$ and "openings" $p^{(1)}(\vec X), \dots, p^{(K)}(\vec X)$ such that
  $\forall j \in [K]:\ q_i(r^{(j)}) = \sum_{\vec\omega \in H^{\ell - i}} f\big(p^{(j)}(\vec\omega),\ p_{ck}(r_1, \dots, r_i^{(j)}, \vec\omega)\big)$,
  we can find a polynomial $p$ such that
  $\sum_{\omega \in H} q_i(\omega) = \sum_{\vec\omega \in H^{\ell - i + 1}} f\big(p(\vec\omega),\ p_{ck}(r_1, \dots, r_{i-1}, \vec\omega)\big)$.
  [Diagram: node $q_i$ with children $r_i^{(1)}, r_i^{(2)}, \dots, r_i^{(K)}$ and openings $p^{(1)}, p^{(2)}, \dots, p^{(K)}$.]
  The extra variable $X_i$ makes $p$ "bigger" than the $p^{(j)}$. This is the property that allows us to climb up the tree from layer to layer.
  $K$-invertible commitment schemes: Pedersen commitments, scalar-product commitments, linear-function commitments.
• 34. Sumcheck arguments for commitment schemes (outline)
  Today:
  - Groups: Pedersen commitments; scalar-product commitments; sumcheck-friendly commitments
  - Rings and modules: generalised sumcheck-friendly commitments
• 35. From groups to rings
  Goal: an abstraction for mathematical structures where folding techniques can work.
  Everything so far extends to general $\mathbb{F}$-vector spaces, e.g., bilinear groups [BMMTV19]. Scalar-product commitments for bilinear groups: $\big(\langle \vec a, \vec G_1 \rangle,\ \langle \vec b, \vec G_2 \rangle,\ \langle \vec a, \vec b \rangle\big) \in \mathbb{G}_T^3$, with source groups $\mathbb{G}_1$, $\mathbb{G}_2$.
  Lattices and groups of unknown order?
• 36. From groups to rings: bilinear modules
  $R$-module $M$: generalization of a vector space over rings.
  Bilinear module: $(M_L, M_R, M_T, e)$ such that
  - $M_L, M_R, M_T$ are $R$-modules
  - $e : M_L \times M_R \to M_T$ is $R$-bilinear
  Roles: messages are small elements of $M_L$; keys are elements of $M_R$; commitments are elements of $M_T$; assumption: Bilinear Relation Assumption (hard to find small $\vec a$ such that $\langle \vec a, \vec G \rangle = 0$).
  Pedersen example: $C = a_1 G_1 + \dots + a_n G_n = \langle \vec a, \vec G \rangle$: 'multiply' message and key elements using $e$, then add the pieces together.
  Norm checks: only "short" elements are valid messages, e.g., for ring-SIS.
  Can define polynomials over message and key spaces.
• 37. From groups to rings: sumcheck arguments
  Common input: key $ck$, commitment $C$.
  Claim: $\exists\, m$ with $\|m\| \le B$ s.t. $C = \sum_{\vec\omega \in H^\ell} f\big(p_m(\vec\omega), p_{ck}(\vec\omega)\big)$. P's opening: $m$ with $\|m\| \le B$.
  Run the sumcheck protocol for $\sum_{\vec\omega \in H^\ell} f\big(p_m(\vec\omega), p_{ck}(\vec\omega)\big) = C$: P sends $q_1, \dots, q_\ell$, V sends $\vec r \leftarrow \mathcal{C}^\ell$, and finally P sends $p_m(\vec r)$.
  Special challenge set $\mathcal{C} \subseteq R$! (necessary even for the sumcheck protocol)
  V checks:
  $\sum_{\omega \in H} q_1(\omega) = C$?
  $\vdots$
  $\sum_{\omega \in H} q_\ell(\omega) = q_{\ell - 1}(r_{\ell - 1})$?
  Consistency check: $f\big(p_m(\vec r), p_{ck}(\vec r)\big) = v$? and $\|p_m(\vec r)\| \le B^*$? ($B^*$ is the natural bound for the evaluation of $p_m$ on $\mathcal{C}^\ell$.)
• 38. From groups to rings: soundness
  Lemma: If the commitment scheme is invertible, there exists an extractor that, given a suitable tree of accepting transcripts for key $ck$ and commitment $C$, finds a relaxed opening $m$.
  Challenges:
  1. Linear algebra is different over rings and modules.
  2. Norm considerations arise.
  Arithmetic over rings might cause slackness factors and an increase in norm. E.g., for Pedersen, the extracted relaxed opening $\vec a$ for $C$ and $\vec G$ satisfies $\xi^\ell \cdot C = \langle \vec a, \vec G \rangle$ with $\|\vec a\| \le N^\ell \cdot B^*$.
  Parameters for lattices: ring $\mathbb{Z}_q[X]/\langle X^d + 1 \rangle$, $\mathcal{C} = \{X^i : 0 \le i \le 2d - 1\}$, $\xi = 8$, $N = O(d^7)$. Tighter analysis in [LA21], [ACK21].
• 39. From groups to rings: R1CS over rings
  A remark about our R1CS result. Lemma (soundness): There exists an extractor that finds an R1CS witness. Without slackness!
  E.g., for Pedersen, the extracted relaxed opening $\vec a$ for $C$ and $\vec G$ satisfies $\xi^\ell \cdot C = \langle \vec a, \vec G \rangle$ with $\|\vec a\| \le N^\ell \cdot B$. The target is $C = \langle \vec a / \xi^\ell, \vec G \rangle$ with $\|\vec a / \xi^\ell\| \le B'$.
  Issues:
  1. $\xi$ might not be invertible.
  2. $\vec a / \xi^\ell$ might not be small.
  Remedy: an ideal $I$ such that $\xi \pmod I$ is invertible and $x \pmod I$ is small for all $x$. Then $C = \langle \vec a / \xi^\ell \pmod I, \vec G \rangle$ with $\|\vec a / \xi^\ell \pmod I\| \le B'$.
• 40. Instantiations of bilinear modules
  Assumption (BRA) | Messages (small $M_L$) | Keys ($M_R$) | Commitments ($M_T$) | Ideal $I$
  DLOG | $\mathbb{F}_p$ | $\mathbb{G}$ | $\mathbb{G}$ | $\{0\}$
  DPAIR [AFGHO10] | $\mathbb{G}_1$ | $\mathbb{G}_2$ | $\mathbb{G}_T$ | $\{0\}$
  UO [BFS20] | small $\mathbb{Z}$ | $\mathbb{G}$ | $\mathbb{G}$ | $n\mathbb{Z}$ for suitable small $n$
  RSIS [Ajtai94] | small $R_q$ | $R_q^d$ | $R_q^d$ | $n\mathbb{Z}$ for suitable small $n$
• 42. Summary of results
  Theorem 1: The sumcheck protocol applied to a sumcheck-friendly commitment scheme is a succinct argument of knowledge of commitment openings.
  Theorem 2: Let $(M_L, M_R, M_T)$ be a secure bilinear module with $M_L$ a ring and $I \subseteq M_L$ an ideal. There is a ZK succinct argument of knowledge for R1CS with
  R1CS ring: $M_L / I$ | Prover and verifier time: $O(n)$ ops in $M_L, M_R, M_T$ | Proof size: $O(\log n)$ elems
  Corollary: Let $p \ll q$ be primes, $R_p := \mathbb{Z}_p[X]/\langle X^d + 1 \rangle$ and similarly for $R_q$. Then, assuming SIS is hard, there is a ZK succinct argument of knowledge for R1CS with
  R1CS ring: $R_p$ | Prover and verifier time: $O(n)$ ops in $R_p, R_q$ | Proof size: $O(\log n)$ elems of $R_q$
• 43. Takeaways
  - Many commitment schemes are sumcheck-friendly
  - We can recast many different cryptographic settings as bilinear modules
  - In the paper: instantiations and polynomial commitment schemes
• 44. Thanks!
  https://ia.cr/2021/333
  (Diagram as on slide 9: sumcheck protocol; sumchecks and commitment schemes; folding techniques; sumcheck arguments, this work.)