Sumcheck Protocol

Carlos Lira

Oct 20, 2024 — 2 min read

The Sumcheck protocol is an efficient tool to develop succinct arguments.

It is relied upon by many proof systems, such as Lasso/Jolt by a16z crypto, HyperPlonk, Binius, Spartan, and GKR.

Sumcheck was first proposed by Lund, Fortnow, Karloff, & Nisan in 1992.

The sumcheck protocol is an interactive protocol working over multivariate polynomials, that is, polynomials in many variables, such as p(x1,x2) = 1 + x2 + 5 x1x2 + x1^6.

The prover tries to convince the verifier that the sum of all the evaluations of the polynomial over some set is equal to some number.

For the previous polynomials, we could try to evaluate over (0,0), (1,0), (0,1), and (1,1) and sum the results (the answer is 13).

This reduces the amount of work that the verifier needs to do to check the statement.

Using the sumcheck protocol, the verifier can check the correctness of the result in O(n + cost to evaluate the polynomial at one point), where n is the number of variables, (whereas computing over all possible values takes O(2^n)).

This enables many interesting protocols, such as the zero check.

On a high-level overview, the verifier will ask the prover to sum over all variables except the first one, obtaining a univariate polynomial.

The verifier can then check the sum by evaluating the univariate polynomial over the set and summing.

To ensure that the prover didn’t give a false polynomial, the verifier will select a random point and will apply the sumcheck protocol to the n - 1 variable polynomial.

The Sumcheck protocol proceeds in n rounds, where the prover and verifier exchange messages:

The verifier can check (for the Boolean hypercube) that g1(0)+g1(1) = S0 and that g1(x1) has a degree bounded by the maximum allowable degree.

The sumcheck protocol is complete and has a soundness error equal to n d / |F|, where d is the maximum degree for each variable and |F| is the size of the field. The proof size consists of O(nd) field elements.

If you want to learn more about the Sumcheck protocol, you can read Proofs, Arguments, and Zero-Knowledge by Justin Thaler, and Ingonyama’s super sumcheck.

Introduction: Hash functions in Cryptography

Cryptographic Hash Functions (CHF) are fundamental to securing the digital world. From protecting passwords to enabling blockchain and zero-knowledge (ZK) systems, CHFs play a crucial role in ensuring the integrity, security, and privacy of data. This blog is the first in a series where we’ll explore the world of

ZK-News - 13th-18th November '24

✨ ZK-Newsflash! ✨ Here are the highlights of what happened in the ZK space from 13th to 18th November '24. Aligned Devcon Recap! 🎉 Alignoors, we all agree that this must have been the best Devcon so far. We are delighted to see so much excitement around the activities and being so

ZK-News - 4th-12th November '24

✨ ZK-Newsflash! ✨ Here are the highlights of what happened in the ZK space from 4th to 12th November. Discover our agenda at Devcon. 🚀 Alignoors, we're excited to share the Aligned Devcon Agenda with you. It's packed with engaging sessions, including the participation of our co-founders: ✅ Federico Carrone

A Series On Hash Functions

The development and use of integrity/zero-knowledge (ZK) proofs has accelerated over the past few years. The introduction of general purpose ZK virtual machines, which allow us to write and prove Rust code, has made developing verifiable applications easier and faster. We have blockchains like Mina that prove every block

Read more

Introduction: Hash functions in Cryptography

ZK-News - 13th-18th November '24

ZK-News - 4th-12th November '24

A Series On Hash Functions