Skip to main content
Version: v6 (Hypercube)

Zerocheck

Code: crates/hypercube/src/verifier/shard.rs::verify_zerocheck

The goal of the zerocheck protocol is two-fold:

  • verify the evaluations at the GKR point r\vec{r} chosen above.
  • verify that the constraints (specified via AIRs) hold on all rows (except for the padded rows).

Actually the zerocheck does not fully verify these claims but rather it reduces them to a claim about the multilinear extension of the sparse representation - this will be fed into the subsequent jagged step.

The zerocheck protocol proceeds as follows. First, the challenger samples three random extension field elements

  • α\alpha, for a RLC over the constraints.
  • β\beta, for batching the claimed evaluations from GKR.
  • λ\lambda for an RLC over the chips in zerocheck.

We now discuss the zerocheck per chip - combining will be done using λ\lambda as an RLC.

The usual manner in which zerocheck is used is to reduce the claim that

C(p1(x),p2(x),,pn(x))=0C(p_1(x), p_2(x), \cdots, p_n(x)) = 0

for all x{0,1}Hx \in \{0, 1\}^H to claims about the individual underlying multilinears p1,,pnp_1,\dots,p_n. This is done by first choosing a random zz and checking that

xeq(x,z)C(p1(x),,pn(x))=0\sum_{x} \text{eq}(x, z) \cdot C(p_1(x), \cdots, p_n(x)) = 0

via the sumcheck protocol, where this will reduce to an evaluation claim of p1,,pnp_1, \cdots, p_n on another random point. However, since we pad with zeroes, and CC may not evaluate to zero on an all-zero row, the claim actually is that

constraint(x)=C(p1(x),,pn(x))C(0,,0)geq(x,real height)=0\text{constraint}(x) = C(p_1(x), \cdots, p_n(x)) - C(0, \cdots, 0) \cdot \text{geq}(x, \text{real height}) = 0

for all x{0,1}Hx \in \{0,1\}^H, where geq:FmFmgeq : \mathbb{F}^m \to \mathbb{F}^m is a multilinear polynomial that given a,ba,b checks that bab \geq a.

At the same time, we also want to verify that GKR evaluation claims at rr are correct. Thus, we check that

xeq(x,r)batch open(x)=batch open(r)\sum_x \text{eq}(x, r) \cdot \text{batch open}(x) = \text{batch open}(r) batch open(x)=RLC(β,(p1(x),,pn(x)))=βp1(x)+β2p2(x)++βnpn(x)\text{batch open}(x) = \text{RLC}(\beta, (p_1(x), \cdots, p_n(x))) = \beta p_1(x) + \beta^2 p_2(x) + \cdots + \beta^{n} p_n(x)

Since rr is already random, we can use this as our random zz for the zerocheck. This means that we're just checking

xeq(x,r)(constraint(x)+batch open(x))=batch open(r)\sum_{x} \text{eq}(x, r) \cdot (\text{constraint}(x) + \text{batch open}(x)) = \text{batch open}(r)

where the latter sum can be computed from the GKR evaluation claims.

We run the sumcheck here, and we would require

eq(z,r)(constraint(z)+batch open(z))\text{eq}(z, r) \cdot (\text{constraint}(z) + \text{batch open}(z))

which can be derived from all the column evaluations at zz. We hash in the claimed openings p1(z),,pn(z)p_1(z), \cdots, p_n(z) at the end of the zerocheck function.