Informal Definition of the Sumcheck protocol
Let π½ be a finite field and a subset β β π½. Let also π be the prover with unbounded computational power and π be the verifier with limited computational power, and π be an π-variable polynomial π: π½ π β π½ which has a degree π where π βͺ |π½|. Then, π wants to convince the verifier π such that:
where π is constant (π β π½). The protocol is denoted as (π(π), π π (π )).
More concretely, in this protocol, there are π rounds, corresponding to the number of variables in polynomial π. During each round, the prover transmits a degree two univariate polynomials to the verifier. To represent ππ , the prover can use only three field elements, either by sending its coefficients or its evaluations at three designated inputs in π½. The verifier performs simple randomized consistency checks on each message ππ by evaluating it at a few inputs and ensuring that the results are consistent with previous messages. The verifier can process each message sent by the prover in π(1) time, and at the end of the protocol, the verifier needs to evaluate π at a single point. Throughout the process, it is assumed that any addition or multiplication operation in πΉ takes π(1) time. More formally, the protocol works as follow:
The prover π prepares the function π1 (π₯) = π(π₯, π§2, β¦ , π§π ) and sends it to the verifier π.
π checks β π1 π£ββ (π£) = π .
π randomly selects a number π1 (β π½) and sends it to the prover.
π replace π₯1 with random π1 and free π§2 by variable π₯, then we get π2(π₯) = π(π1, π₯, π§3, β¦ , π§π).
Repeat Step 1 to 4 with π = ππ(ππ).
When π = π, the equality of π(π1, π2, π3, β¦ , ππ ) = ππ(ππ) is also checked.
The protocol will be successful if all checks are passed.
Last updated