Suyash Bagad
Research Team
\(10\times\) Faster Sumcheck
over Binary Tower Fields
Suyash Bagad
Ingonyama
Yuval Domb
Ingonyama
Justin Thaler
a16z & Georgetown University
Sumcheck: The new bottleneck
- Binius enables efficient SNARKs over binary fields
- Fast commitment scheme + sumcheck based IOPs
- Commitment part is so fast that sumcheck becomes the bottleneck
Credit: Radi Cojbasic's talk at zk summit 12.
- Binius enables efficient SNARKs over binary fields
- Fast commitment scheme + sumcheck based IOPs
- Commitment part is so fast that sumcheck becomes the bottleneck
- Aim: speed-up first few rounds of sumcheck
Credit: Radi Cojbasic's talk at zk summit 12.
Sumcheck: The new bottleneck
Sumcheck over Binary Fields
- Binary fields are fields of characteristic \(2\) of the form \(\textsf{GF}(2^n)\)
- When \(n = 1\), we get: \(\textsf{GF}(2)\) \(= \{0, 1\} \equiv \mathbb{F}_2\)
- Addition is bitwise XOR and multiplication is bitwise AND
- When \(n = 2\), the field \(\textsf{GF}(2^2)\) is a degree-2 extension of \(\textsf{GF}(2)\)
- Let \(m(x) = x^2 + x + 1\) be the irreducible polynomial
- Any polynomial \(p(x)\) over \(\mathbb{F}_2\) when divided by \(m(x)\) gives the remainder
- In binius sumcheck:
- The witness is from the base field \(\textsf{GF}(2)\) while
- But the challenge is from the extension field \(\textsf{GF}(2^{128})\)
- Running sumcheck naively results in lots of extension field multiplications
1x + 0
0x + 0
0x + 1
1x + 1
Multiplication in Binary Tower Fields
\textsf{GF}(2)
\ \xrightarrow[\text{extension}]{\text{deg-2}} \
\textsf{GF}(2^2)
\ \xrightarrow[\text{extension}]{\text{deg-2}} \
\textsf{GF}(2^4)
\ \xrightarrow[\text{extension}]{\text{deg-2}} \
\textsf{GF}(2^8)
\textcolor{grey}{0}
\textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y +\textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y + \textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y + \textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y + \textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1} \
\textcolor{grey}{0} \
\textcolor{grey}{0} \
\textcolor{grey}{0} \
\textcolor{lightgreen}{1} \
\textcolor{lightgreen}{1} \
\textcolor{grey}{0} \
\textcolor{lightgreen}{1}
\vdots
\vdots
\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}
\textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y +\textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y + \textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y + \textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y + \textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1} \
\textcolor{grey}{0} \
\textcolor{grey}{0} \
\textcolor{grey}{0} \
\textcolor{lightgreen}{1} \
\textcolor{lightgreen}{1} \
\textcolor{grey}{0} \
\textcolor{lightgreen}{1}
\vdots
\vdots
\textsf{GF}(2)
\ \xrightarrow[\text{extension}]{\text{deg-2}} \
\textsf{GF}(2^2)
\ \xrightarrow[\text{extension}]{\text{deg-2}} \
\textsf{GF}(2^4)
\ \xrightarrow[\text{extension}]{\text{deg-2}} \
\textsf{GF}(2^8)
Multiplication in Binary Tower Fields
\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}
\textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y +\textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y + \textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y + \textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y + \textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1} \
\textcolor{grey}{0} \
\textcolor{grey}{0} \
\textcolor{grey}{0} \
\textcolor{lightgreen}{1} \
\textcolor{lightgreen}{1} \
\textcolor{grey}{0} \
\textcolor{lightgreen}{1}
\vdots
\vdots
\textsf{GF}(2)
\ \xrightarrow[\text{extension}]{\text{deg-2}} \
\textsf{GF}(2^2)
\ \xrightarrow[\text{extension}]{\text{deg-2}} \
\textsf{GF}(2^4)
\ \xrightarrow[\text{extension}]{\text{deg-2}} \
\textsf{GF}(2^8)
Multiplication in Binary Tower Fields
\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}
\textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y +\textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y + \textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y + \textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y + \textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1} \
\textcolor{grey}{0} \
\textcolor{grey}{0} \
\textcolor{grey}{0} \
\textcolor{lightgreen}{1} \
\textcolor{lightgreen}{1} \
\textcolor{grey}{0} \
\textcolor{lightgreen}{1}
\vdots
\vdots
\textsf{GF}(2)
\ \xrightarrow[\text{extension}]{\text{deg-2}} \
\textsf{GF}(2^2)
\ \xrightarrow[\text{extension}]{\text{deg-2}} \
\textsf{GF}(2^4)
\ \xrightarrow[\text{extension}]{\text{deg-2}} \
\textsf{GF}(2^8)
Multiplication in Binary Tower Fields
\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}
\textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y +\textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{grey}{0}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y + \textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{grey}{0}xy + \textcolor{lightgreen}{1}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y + \textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{grey}{0}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y + \textcolor{grey}{0}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y +\textcolor{grey}{0}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y +\textcolor{lightgreen}{1}x + \textcolor{grey}{0}
\textcolor{lightgreen}{1}xy + \textcolor{lightgreen}{1}y + \textcolor{lightgreen}{1}x + \textcolor{lightgreen}{1}
\textcolor{lightgreen}{1} \
\textcolor{grey}{0} \
\textcolor{grey}{0} \
\textcolor{grey}{0} \
\textcolor{lightgreen}{1} \
\textcolor{lightgreen}{1} \
\textcolor{grey}{0} \
\textcolor{lightgreen}{1}
\vdots
\vdots
- Addition is bitwise XOR
- Multiplication?
a \cdot b
=(a_{\textit{h}}x + a_{\textit{l}}) \cdot (b_{\textit{h}}x + b_{\textit{l}})
\textsf{GF}(2)
\ \xrightarrow[\text{extension}]{\text{deg-2}} \
\textsf{GF}(2^2)
\ \xrightarrow[\text{extension}]{\text{deg-2}} \
\textsf{GF}(2^4)
\ \xrightarrow[\text{extension}]{\text{deg-2}} \
\textsf{GF}(2^8)
Multiplication in Binary Tower Fields
- 4 smaller mult. in 1 large mult.
Our Solution
- We devise two new algorithms for running sumcheck over "small" fields
- Minimise \(\textsf{ee}\) multiplications (at the cost of additional \(\textsf{bb}\) multiplications)
- Generalises for sumcheck over large fields when witnesses are small
- Comparison with Gruen's approach of the univariate-skip technique:
- Our approach leads to lower proof size
- Our techniques apply to existing sum-check-based SNARKs “as is”
- Applicability to composition polynomial may lead to memory overheads
Implementation
Results
d=2
d=3
Toom-cook
Schoolbook
Switchover round \(t\)
Factor improvement \((t_{\textsf{naive}} / t_{\textsf{algo}})\) for \(n=20\)
Product Sumcheck
p(x) := p_1(x) \cdot p_2(x) \cdots p_d(x)
- We need sumcheck to prove (multilinear) polynomial relations like
- Sumcheck round polynomial in round \(i\)
s_i(c) := \sum_{x \in \{0, 1\}^{\ell - i}} p(r_1, r_2, \dots, r_{i - 1}, c, x)
= \sum_{x \in \{0, 1\}^{\ell - i}} \prod_{j=1}^{d} p_j(r_1, r_2, \dots, r_{i - 1}, c, x)
Product of extension-field elements
Product Sumcheck
s_i(c) := \sum_{x \in \{0, 1\}^{\ell - i}} p(r_1, r_2, \dots, r_{i - 1}, c, x)
= \sum_{x \in \{0, 1\}^{\ell - i}} \prod_{j=1}^{d} p_j(r_1, r_2, \dots, r_{i - 1}, c, x)
Product of extension-field elements
Product Sumcheck
p(r_1, c, x) = \textcolor{grey}{(1-r_1)} \cdot \textcolor{red}{p(0, c, x)} \quad + \quad
\textcolor{grey}{r_1} \cdot \textcolor{lightgreen}{p(1, c, x)}
q(r_1, c, x) = \textcolor{grey}{(1-r_1)} \cdot \textcolor{red}{q(0, c, x)} \quad + \quad
\textcolor{grey}{r_1} \cdot \textcolor{lightgreen}{q(1, c, x)}
\implies p(r_1, c, x) \cdot q(r_1, c, x) =
\begin{aligned}
&\textcolor{grey}{(1-r_1)(1-r_1)} \cdot& & \textcolor{red}{p(0, c, x) \ q(0, c, x)} \ + \\
&\textcolor{grey}{(1-r_1)r_1} \cdot & & \textcolor{red}{p(0, c, x)}\ \textcolor{lightgreen}{q(1, c, x)} \ + \\
&\textcolor{grey}{r_1(1-r_1)} \cdot & & \textcolor{lightgreen}{p(1, c, x)}\ \textcolor{red}{q(0, c, x)} \ + \\
&\textcolor{grey}{r_1r_1} \cdot & & \textcolor{lightgreen}{p(1, c, x)\ q(1, c, x)}
\end{aligned}
Product of Linear Polynomials
- Let \(f_1, f_2, \dots, f_d\) be linear polynomials s.t.
- Using school-book multiplication
\implies (d - 1) \cdot 2^d \ \textsf{bb}
Efficient Product of Linear Polynomials
- Degree of \(f\) is \(d\). To compute \(f(x)\):
- Evaluate each \(f_j\) on \(d + 1\) points \(\{e_0, e_1, \dots, e_d\}\)
- Compute point-wise multiplication on all \(d\) points to get \([f(e_0), \dots, f(e_d)]\)
\implies
\implies
\implies (d - 1) \cdot (d + 1) \ \textsf{bb}
Schoolbook method
Toom-Cook method
\implies (d - 1) \cdot (d + 1) \ \textsf{bb}
\implies (d - 1) \cdot 2^d \ \textsf{bb}
Efficient Product of Linear Polynomials
Schoolbook method
Toom-Cook method
Efficient Product of Linear Polynomials
Back to Sumcheck
\implies
\implies
s_i(c) = \sum_{x \in \{0, 1\}^{\ell - i}} \prod_{j=1}^{d} p_j(r_1, r_2, \dots, r_{i - 1}, c, x)
- Round polynomial expression:
Let us call this \(G_i(c, x)\)
Back to Sumcheck
Why Toom-cook?
d=2
d=3
Toom-cook
Schoolbook
Switchover round \(t\)
Factor improvement \((t_{\textsf{naive}} / t_{\textsf{algo}})\) for \(n=20\)
0.6 \text{ MB}
84 \text{ MB}
10x Faster Sumcheck over Binary Tower Fields
By Suyash Bagad
