Math & Engineering

Multi-Party Computation

2026-05-04T00:00:00+00:00

Work in progress.</strong> This note is a work in progress with many loose ends and unfinished sentences.</p>

Multi-Party Computation</h1>
I am only considering linear MPC in the semi-honest setting. My goal here is to present it its most general algebraic form.</p>
Secret Sharing</h2>
Linear Secret Sharing</h3>
A linear secret sharing scheme is a method to store a secret value from a space $Z</span> over a number of parties by handing each a secret share</em> from a space U</span>. We adapt the definitions from (Cascudo et al. 2018), (Abspoel et al. 2020):</p>$
Informaly, a secret sharing scheme assigns shares to participants such that the shares encode a secret. To ensure privacy, which we will define later, there is an element of randomness in this assignment. In the linear version the secrets and shares come from linear spaces, or more generally modules over some ring and decoding is a linear operation.</p>
Definition 1.</strong> (Linear Secret Sharing</em>) Let $R</span> be a ring, let U</span> and Z</span> be R</span>-modules, and let n \geq 1</span>. An n</span>-party R</span>-linear secret-sharing scheme</em> with share alphabet U</span> and secret module Z</span> consists of an R</span>-submodule C \subseteq U^{n}</span> together with a surjective R</span>-module homomorphism \psi:C \rightarrow Z</span>.</p>$
The elements of $C</span> are the valid share vectors, and \psi(c)</span> is the secret encoded by c</span>. A sharing \lbrack z\rbrack</span> of a secret z \in Z</span> is sampled from the fiber \psi^{- 1}(z)</span>. When the fibers are finite, the default distribution is uniform.</p> </div>$
The language of rings and modules may seem a unfamiliar to cryptographers more acustomed to fields and vector spaces, but this generalization is practically useful as we can work over computer native data types.</p>
Example.</strong> (3-party sharing of bytes</em>) Take $R = U = Z = {\mathbb{Z}}/2^{8}{\mathbb{Z}}</span>, the ring of unsigned bytes, and C = R^{3}</span> with \psi(c) = c_{0} + c_{1} + c_{2}</span>. To share a secret z</span> we draw r_{0},r_{1}\overset{\ \$}{\leftarrow}R</span> and take \lbrack z\rbrack = \left( r_{0},r_{1},z - r_{0} - r_{1} \right)</span>.</p> </div>$
Informally, a subset of parties $\mathcal{A} \subseteq \lbrack n\rbrack</span> is a reconstructing set if the assigned subset of shares c_{\mathcal{A}}</span> corresponds to a unique secret z \in Z</span> for any sharing c \in C</span>. We can formalize this by observing that share the selection map \pi_{\mathcal{A}}</span> is a linear map which ‘forgets” the subspace \ker\pi_{\mathcal{A}}|_{C}</span>. If this is contained in the subspace \ker\psi</span> ignored by reconstruction, then the secret is unique.</p>$
Definition 2.</strong> (Reconstruction</em>) A set $\mathcal{A} \subseteq \lbrack n\rbrack</span> is a reconstructing set</em> if \ker\pi_{\mathcal{A}}|_{C} \subseteq \ker\psi</span>.</p>$
We say that $\mathcal{S}</span> has r</span>-reconstruction</em> if for all \mathcal{A} \subseteq \lbrack n\rbrack</span> with |\mathcal{A}| \geq r</span>, \mathcal{A}</span> is a reconstructing set.</p> </div>$
Similarly, a subset of parties $\mathcal{A} \subseteq \lbrack n\rbrack</span> is a privacy set if for any sharing c \in C</span>, the shares c_{\mathcal{A}}</span> reveal no information about the secret. This is taken in the information-theoretic sense: given knowledge of a prior distribution of the secret, learning c_{\mathcal{A}}</span> does not change the posterior distribution. As \pi_{\mathcal{A}}</span> and \psi</span> are both linear, it is sufficient to require that c_{\mathcal{A}}</span> is compatible with every value of z</span>.</p>$
Definition 3.</strong> (Privacy</em>) A set $\mathcal{A} \subseteq \lbrack n\rbrack</span> is a privacy set</em> if the product morphism \left( \pi_{\mathcal{A}},\psi \right):C \rightarrow \pi_{\mathcal{A}(C)} \times Z</span> is surjective.</p>$
We say that $\mathcal{S}</span> has t</span>-privacy</em> if for all \mathcal{A} \subseteq \lbrack n\rbrack</span> with |\mathcal{A}| \leq t</span>, \mathcal{A}</span> is a privacy set.</p> </div>$
We also introduce a notion of efficiency, the rate</p>

Definition 4.</strong> (Rate</em>) Given a LSSS with secret space $Z</span> and share space U</span>, its rate</em> is \rho = \frac{\log|Z|}{n \cdot \log|U|}.</span> The inverse \rho^{- 1}</span> is known as the information ratio</em>.</p> </div> </div>$
Intuitively, the information ratio is the total storage size of the secret shares as a multiple of the size of the secrets. It is bounded by requirements on reconstruction and privacy. Notably there are schemes with $|Z| > |U|</span>, e.g. vector secret sharing</em>.</p>$
Example.</strong> (Additive Sharing</em>) For any ring $R</span> (in fact, any group) and n > 0</span>, there exist an additive sharing</em> R</span>-LSSS with n</span>-reconstruction and (n - 1)</span>-privacy given by Z = U = R</span> and \psi(\mathbf{u}) = \sum_{i}u_{i}</span>.</p> </div>$
Example.</strong> (Shamir Sharing</em>) Consider</p> </div>

Lemma 5.</strong> (Embedding</em>) Given an $R</span>-LSSS with secret space Z</span> and an injective linear map p:Y \rightarrow Z</span>, there exists an R</span>-LSSS with secret space Y</span>.</p> </div> </div>$
Proof.</strong> Since $p^{- 1}</span> is surjective the composition p^{- 1} \circ \psi</span> is a surjective homomorphism which forms the reconstruction map for an R</span>-LSSS with secret space Y</span>, share space U</span> and code space C</span>.</p> </div>$

Lemma 6.</strong> (Concatenation</em>) Given $R</span>-LSSSs with secret spaces Y,Z</span>, we can construct an R</span>-LSSS with secret space Y \times Z</span>.</p> </div> </div>$
Proof.</strong> Follows from taking the direct product of $Z</span>, U</span>, C</span> and \psi</span>.</p> </div>$
From this lemma follows that given an $R</span>-LSSSs for Z</span>, we can construct an LSSS with secret space Z^{n}</span> for any n</span>.</p>$
Secret Computation</h2>
Local Realizability</h3>
In MPC we not want to share secrets, we also want to do computations on them and obtain a secret sharing of the result. Sometimes this can be done locally, by doing operations on the shares directly without communicating with the other parties.</p>
Definition 7.</strong> (Local Realizability</em>) Given sharing schemes $\left( Z_{i},C_{i},\psi_{i} \right)</span> and a map f:Z_{1} \times \cdots \times Z_{k} \rightarrow Z</span> we say that f</span> is locally realizable</em> if there exists a target scheme (Z,C,\psi)</span> and a map g:U_{1} \times \cdots \times U_{k} \rightarrow U</span> such that, for all c_{i} \in C_{i}</span> we have \psi\left( \hat{g}(c_{1},\ldots,c_{k}) \right) = f\left( \psi_{1}\left( c_{1} \right),\ldots,\psi_{k\left( c_{k} \right)} \right)</span>, where \hat{g}</span> is g</span> applied coordinatewise.</p> </div>$
Lemma 8.</strong> A realizable map necessarily degrades the code proportional to the polynomial degree of the map.</p> </div>
Lemma 9.</strong> (Affine is free</em>) Any affine map $f:</span></p> </div>$
Example.</strong> (Replicated Sharing</em>) Given a ring $R</span>, there exists a 3-party R</span>-LSSS with 2</span>-reconstruction and 1</span>-privacy given by Z = R</span>, U = R^{2}</span>, and</p>$
$\begin{aligned} C & = \operatorname{span}\left\{ \begin{pmatrix} (1,0) \\ (0,0) \\ (0,1) \end{pmatrix},\begin{pmatrix} (0,1) \\ (1,0) \\ (0,0) \end{pmatrix},\begin{pmatrix} (0,0) \\ (0,1) \\ (1,0) \end{pmatrix} \right\} \\ \psi(a,b,c) & = a_{0} + b_{0} + c_{0.} \end{aligned}</span></p>$
Put differently, to share a secret $z</span>, create additive shares z_{0},z_{1},z_{2}</span> such that z = z_{0} + z_{1} + z_{2}</span>, and then give each party two shares: party one receives \left( z_{0},z_{1} \right)</span>, party two receives \left( z_{1},z_{2} \right)</span> and party three \left( z_{2},z_{0} \right)</span>. Given such a sharing of two secrets a</span>, b</span> each party</p>$
Given sharings of two secrets</p>
$x = x_{0} + x_{1} + x_{2}\quad\text{ and }\quad y = y_{0} + y_{1} + y_{2},</span></p>$
each party can locally compute one additive share of the product:</p>
$\begin{aligned} p_{0} & = x_{0}y_{0} + x_{0}y_{1} + x_{1}y_{0}, \\ p_{1} & = x_{1}y_{1} + x_{1}y_{2} + x_{2}y_{1}, \\ p_{2} & = x_{2}y_{2} + x_{2}y_{0} + x_{0}y_{2.} \end{aligned}</span></p>$
These satisfy</p>
$p_{0} + p_{1} + p_{2} = \left( x_{0} + x_{1} + x_{2} \right)\left( y_{0} + y_{1} + y_{2} \right) = x \cdot y.</span></p>$
Thus $p_{0},p_{1},p_{2}</span> are additive shares of x \cdot y</span>, but</p> </div>$
Example.</strong> (Reed–Solomon</em>)</p> </div>
Beaver Tuples</h3>
Definition 10.</strong> (Beaver Tuples</em>) Let $Z_{1},\ldots,Z_{k},Z</span>be R</span>-algebras. Given a polynomial map f:Z_{1} \times \cdots \times Z_{k} \rightarrow Z</span>, construct a polynomial expansion of f</span> around an arbitrary point r</span> as</p>$
$f(r + \delta) = \sum_{\alpha}g_{\alpha}(r) \cdot \delta^{\alpha}</span></p>$
where $r</span> and \delta</span> are vectors, \alpha \in {\mathbb{N}}^{k}</span> sums over all the monomial degrees and \delta^{\alpha}</span> is the monomial \prod_{i}\delta_{i}^{\alpha_{i}}</span>.</p>$
Given a schemes $\mathcal{A}</span>, \mathcal{B}</span>, and a random r\overset{\ \$}{\leftarrow}Z_{1} \times \cdots \times Z_{k}</span>, then \left( \lbrack r\rbrack_{\mathcal{A}},\left( \left\lbrack g_{\alpha}(r) \right\rbrack_{\mathcal{B}} \right)_{\alpha} \right)</span> is a Beaver tuple</em> for f</span>.</p> </div>$
Beaver Tuples can be used to evaluate arbitrary maps.</p>
Protocol 11.</strong> (Beaver Evaluation</em>) Given $\lbrack z\rbrack_{\mathcal{A}}</span> and a map f</span> the parties want to compute \left\lbrack f(z) \right\rbrack_{\mathcal{B}}</span>.</p>$

A dealer provides a Beaver tuple $\left( \lbrack r\rbrack_{\mathcal{A}},\left( \left\lbrack g_{\alpha}(r) \right\rbrack_{\mathcal{B}} \right)_{\alpha} \right)</span>.</p> </li>$

The parties compute the affine $\lbrack\delta\rbrack_{\mathcal{A}} = \lbrack z\rbrack_{\mathcal{A}} - \lbrack r\rbrack_{\mathcal{A}}</span> locally.</p> </li>$

The parties exchange shares and reveal $\delta</span> to eachother.</p> </li>$

The parties compute the affine $\left\lbrack f(r + \delta) \right\rbrack_{\mathcal{B}} = \sum_{\alpha}\left\lbrack g_{\alpha}(r) \right\rbrack_{\mathcal{B}} \cdot \delta^{\alpha}</span> locally.</p> </li> </ol>$
We now have $\left\lbrack f(r + \delta) \right\rbrack_{\mathcal{B}} = \left\lbrack f(x) \right\rbrack_{\mathcal{B}}</span>.</p> </div>$
Note that step one does not depend on $\lbrack z\rbrack_{\mathcal{A}}</span> and can be done as a preprocessing step if f</span> is fixed. The protocol preserves privacy because \delta</span> by itself does not reveal anything about z</span>. This follows from the that fact (\delta,r)</span> is a valid additive secret sharing of z</span> and r</span> is never revealed.</p>$
A special case of this is a simple folklore protocol to switch schemes and convert $\lbrack z\rbrack_{\mathcal{A}}</span> to \lbrack z\rbrack_{\mathcal{B}}</span>:</p>$
Example.</strong> (Scheme switching</em>) Consider $f(x) = x</span>, then f(r + \delta) = r \cdot \delta^{0} + 1 \cdot \delta^{1}</span> so g_{0}(r) = r</span> and g_{1}(x) = 1</span>. Given r\overset{\ \$}{\leftarrow}R</span> the Beaver tuple, leaving out constants, is \left( \lbrack r\rbrack_{\mathcal{A}},\lbrack r\rbrack_{\mathcal{B}} \right)</span>.</p>$
Given shares $\lbrack z\rbrack_{\mathcal{A}}</span> and a tuple, the parties compute \lbrack\delta\rbrack_{\mathcal{A}} = \lbrack z\rbrack_{\mathcal{A}} - \lbrack r\rbrack_{\mathcal{A}}</span> and reveal \delta</span>. Each party then computes \lbrack z\rbrack_{\mathcal{B}} = \lbrack r\rbrack_{\mathcal{B}} + \delta \cdot \lbrack 1\rbrack_{\mathcal{B}}</span>.</p> </div>$
Another special case is for multiplication, this is how it was originally presented by Beaver:</p>
Example.</strong> (Beaver Multiplication</em>) Consider $f\left( x_{0},x_{1} \right) = x_{0} \cdot x_{1}</span> and construct</p>$
$\begin{aligned} f\left( r_{0} + \delta_{0},r_{1} + \delta_{1} \right) & = \left( r_{0} + \delta_{0} \right) \cdot \left( r_{1} + \delta_{1} \right) \\ & = \left( r_{0} \cdot r_{1} \right) \cdot \delta_{0}^{0}\delta_{1}^{0} + r_{0} \cdot \delta_{0}^{0}\delta_{1}^{1} + r_{1} \cdot \delta_{0}^{1}\delta_{1}^{0} + 1 \cdot \delta_{0}^{1}\delta_{1}^{1}. \end{aligned}</span></p>$
From this we find the coefficient polynomials</p>
$\begin{aligned} g_{00}(r) & = r_{0} \cdot x_{1} & g_{01}(r) & = r_{0} \\ g_{10}(r) & = r_{1} & g_{11}(r) & = 1. \end{aligned}</span></p>$
Take $\mathcal{A} = \mathcal{B}</span> for simplicity. After removing duplicate and constant values, the resulting Beaver tuple is \left( \left\lbrack r_{0} \right\rbrack,\left\lbrack r_{1} \right\rbrack,\left\lbrack r_{0} \cdot r_{1} \right\rbrack \right)</span>.</p>$
Given shares of $\left\lbrack z_{0} \right\rbrack,\left\lbrack z_{1} \right\rbrack</span>, using the protocol above the parties reveal \delta_{i} = z_{i} - r_{i}</span> and compute</p>$
$\left\lbrack z_{0} \cdot z_{1} \right\rbrack = \left\lbrack r_{0} \cdot r_{1} \right\rbrack + \left\lbrack r_{0} \right\rbrack \cdot \delta_{1} + \left\lbrack r_{1} \right\rbrack \cdot \delta_{0} + \delta_{0} \cdot \delta_{1.}</span></p> </div>$
References</h2>

Abspoel, Mark, Ronald Cramer, Ivan Damgård, Daniel Escudero, Matthieu Rambaud, Chaoping Xing, and Chen Yuan. 2020. “Asymptotically Good Multiplicative LSSS over Galois Rings and Applications to MPC over $\mathbb{Z}/p^k\mathbb{Z}</span>.” https://eprint.iacr.org/2020/1256</a>.</p> </div>$

Cascudo, Ignacio, Ronald Cramer, Chaoping Xing, and Chen Yuan. 2018. “Amortized Complexity of Information-Theoretically Secure MPC Revisited.” Cryptology ePrint Archive, Paper 2018/429. https://eprint.iacr.org/2018/429</a>.</p> </div> </div>

Uniqueness

2026-05-04T00:00:00+00:00

Probabilistic Uniqueness</h1>
Ground Truth</h2>
Consider a set of observations $\mathcal{O}</span> and a binary relation \mathord{\sim} \subseteq \mathcal{O} \times \mathcal{O}</span> such that a \sim b</span> means that the observations are of the same entity. Then \sim</span> is an equivalence relation and the unique entities</em> are given by the quotient set \mathcal{O}/\mathord{\sim}</span>.</p>$
Noisy Equivalence</h2>
Now consider we can not observe $a \sim b</span> directly, but only through a noisy channel \hat{\sim}</span>. This is modelled through the two probabilities of false-match-rate</em> (FMR) and false-non-match-rate</em> (FNMR).</p>$
$\Pr(a\mathrel{\hat{\sim}}b~|~a \nsim b)</span></p>$
$\Pr(a\mathrel{\hat{\nsim}}b~|~a \sim b)</span></p>$
Noisy Distances</h2>
Assume a distance function $d:\mathcal{O} \times \mathcal{O} \rightarrow {\mathbb{R}}_{\geq 0}</span> and probability mass functions</p>$
$\begin{aligned} p_{\text{same}}(d) & = \Pr(d(a,b) = d~|~a \sim b) \\ p_{\text{diff}}(d) & = \Pr(d(a,b) = d~|~a \nsim b) \end{aligned}</span></p>$
Approximate Uniqueness</h2>
We can imaging candidate relations $\hat{\sim}</span> and a probability distribution over them. There are 2^{n^{2}}</span> possible relations, but not all of them are equivalence relations. The number of equivalence relations is given by the Bell numbers B_{n}</span>. While also super-exponential, it grows much slower. This suggest the equivalence relation is a useful constraint.</p>$

Physics

2026-05-01T00:00:00+00:00

Physics</h1>
QM from Decoherence</h2>

List Decoding

2025-10-27T00:00:00+00:00

List Decoding MDS Codes</h1>
$\gdef\p#1{\left({#1}\right)} \gdef\set#1{\left\{{#1}\right\}} \gdef\ceil#1{\left\lceil{#1}\right\rceil} \gdef\norm#1{\left|{#1}\right|} \gdef\setn#1{\mathcal{#1}} \gdef\vec#1{\mathbf{#1}} \gdef\mat#1{\mathrm{#1}} \gdef\F{\mathbb{F}} \gdef\om{\mathrm{\omega}} \gdef\wt{\operatorname{wt}} \gdef\d{\operatorname{d}} \gdef\A{\operatorname{A}} \gdef\Aut{\operatorname{Aut}} \gdef\Iso{\operatorname{Iso}} \gdef\L{\operatorname{L}} \gdef\span{\operatorname{span}} \gdef\rank{\operatorname{rank}} \gdef\supp{\operatorname{supp}} \gdef\n{\operatorname{n}} \gdef\H{\operatorname{H}} </span></p>$
Ground rules:</p>

Avoid polynomials.</em> This is a combinatorics and linear algebra game. For good measure we also avoid generator polynomials.</li>
Avoid ratios.</em> No rate, relative distance, etc. This is a discrete problem.</li>
Avoid Hamming balls.</em> High dimensional spheres</a> are counter-intuitive. Hamming balls are counter-intuitive. High dimensional Hamming balls are doubly counter-intuitive.</li>
Numerically test</em> all theorems and conjectures. We are doing exploration and conjecture testing.</li>
Exhaustively explore</em> all instances up to practical limits. Edge cases can be very informative.</li> </ul>
The theory is of linear codes is essentially linear algebra with extra vocabulary and an odd almost-norm: the Hamming weight. Given a finite field $\F_q</span> and a linear space \F_q^n</span> (called the ambient space</em>). Then a linear code</em> \setn C</span> is a subspace \setn C \subseteq \F_q^n</span>. The dimension</em> of the code is k = \dim \setn C</span>. A linear code with these q, n, k</span> parameters are is denoted a [n,k]_q</span>-code.</p>$
Preliminaries on MDS Codes</h2>
Hamming Weight and Distance</h3>
Definition 1.</strong> (Hamming weight</em>) Given a vector $\vec v \in \F_q^n</span>, its support</em> \supp(\vec v) \subseteq [0,n)</span> is the set of indices of its non-zero coordinates,</p>$
$\supp(\vec v) = \set{i \in [0,n) \mid v_i \neq 0} \text{,} </span></p>$
and its weight</em> $\wt(\vec v) \in [0,n]</span> is the number of non-zero coordinates, denoted as</p>$
$\wt(\vec v) = \norm{\supp(\vec v)} \text{.} </span></p>$
Given a subset $\setn{S} \subseteq \F_q^n</span>, its weight</em> is</p>$
$\wt(\setn S) = \min_{\vec v \in \setn S \setminus \{\vec 0\}} \wt(\vec v) </span></p>$
and its weight distribution</em> is the sequence for $i \in [0,n]</span></p>$
$\A_i(\setn S) = \norm{\set{\vec v \in \setn S \mid \wt(\vec v) = i}} \text{.} </span></p> </div>$
The Hamming weight is almost a norm on $\F_q^n</span>, except that it does not satisfy homogeneity: instead \wt(\alpha \cdot \vec v) = \wt(\vec v)</span> for all \alpha \in \F_q^\times</span>. It does however satisfy the triangle inequality \wt(\vec u + \vec v) \leq \wt(\vec u) + \wt(\vec v)</span>, non-negativity \wt(\vec v) \geq 0</span> and positive definiteness \wt(\vec v) = 0</span> iff \vec v = \vec 0</span>. Furthermore, the distance derived from it, \d(\vec u, \vec v) = \wt(\vec u - \vec v)</span> is a proper metric on \F_q^n</span>.</p>$
The Hamming weight and the ambient space are invariant under permutations of the coordinates or scalings of individual coordinates. Together these are represented by monomial matrices</em>, essentially permutation matrices where the non-zero entries can be any non-zero field element. It can be shown that together with field automorphisms of $\F_q</span> these are all automorphisms of \F_q^n</span> and the Hamming weight.</p>$
Definition 2.</strong> (Linear code</em>) A $[n,k,d]_q</span>-code</em> \setn C</span> is a subspace \setn C \subseteq \F_q^n</span> of length</em> n</span>, dimension</em> k</span>, and minimum distance</em> d = \wt(\setn C)</span>. When d</span> is not specified, we simply write [n,k]_q</span>-code. The members of \setn C</span> are called codewords</em>. A [n,k]_q</span> code \setn C</span> can be represented as the row space of a generator matrix</em> \mat G \in \F_q^{k \times n}</span> of rank k</span>:</p>$
$\setn C = \set{\vec m \cdot \mat G \mid \vec m \in \F_q^k} \text{.} </span></p>$
A generator matrix in the form $\mat G = [\mat I_k \mid \mat P]</span> is said to be in systematic form</em> with \mat P</span> is the parity matrix</em> and the first k</span> coordinates an information-set</em> of \setn C</span>. The dual</em> of \setn C</span> is the [n,n-k]_q</span> code \setn C^\perp</span>, a generator of the dual code is called a parity-check matrix</em> of \setn C</span>.</p>$
Two codes $\setn C_1, \setn C_2 \subseteq \F_q^n</span> are monomially equivalent</em> if there exists a monomial matrix \mat M \in \F_q^{n \times n}</span> such that \setn C_2 = \setn C_1 \cdot \mat M = \set{\vec c \cdot \mat M \mid \vec c \in \setn C_1}</span>.</p> </div>$
Note.</strong> In coding theory, one refers only to the set of codewords without specifying how</em> messages are encoded into codewords. In other words, the encoding map $\mathsf{enc} : \setn M \to \setn C</span> is not specified and there are many valid encodings for the same code. Typically encoding is done through multiplication by a generator matrix.</p>$
I'm being loose here with the choice of coordinates and the definition of information set. For the codes we will consider, this doesn't matter.</p>
Given any invertible matrix $\mat M \in \F_q^{k \times k}</span>, the generator matrix \mat G' = \mat M \cdot \mat G</span> generates the same code \setn C</span>. Similarly, given a matrix \mat M \in \F_q^{n \times n}</span> then \mat G' = \mat G \cdot \mat M</span> generates the code \setn C' = \setn C \cdot \mat M</span>. If \mat M</span> is a monomial matrix, then \setn C</span> and \setn C'</span> are monomially equivalent codes. Monomial equivalence preserves all the aspects of a code we care about here: dimension, minimum distance, weight distribution, list decoding size, etc.</p>$
Lemma 2.</strong> (MacWilliam equations</em>) Given $[n,k]_q</span> code \setn C</span> we have have the following relations between its weight distribution and that of its dual code \setn C^\perp</span>, for i \in [0,n]</span>:</p>$
$\sum_{j \in [0,n-i]} \binom{n - j}{i} \A_j(\setn C) = q^{k-i} \sum_{j \in [0, i]} \binom{n - j}{n-i} \A_j(\setn C^\perp) \text{.} </span></p> </div>$
We know that by definition $0 \leq \A_i \leq \binom{n}{i} (q-1)^{i}</span>. We also have \sum_{i \in [0,n]} \A_i(\setn C) = q^k</span> and \sum_{i \in [0,n]} \A_i(\setn C^\perp) = q^{n-k}</span>. Together with the MacWilliams equations this forms an integer linear program to bound the weight distribution of any [n,k]_q</span> code.</p>$
MDS Codes</h3>
A well known theorem in coding theory is the Singleton bound, which limits the minimum distance $d</span> of a code for given n</span> and k</span>.</p>$
Lemma 2.</strong> (Singleton bound</em>) Given $[n,k]_q</span> code \setn C</span> we have</p>$
$d = \wt(\setn C) \leq n - k + 1 \text{.} </span></p> </div>$
Codes that achieve this bound with equality are called maximum distance separable (MDS) codes</em>. There are various equivalent definitions of MDS codes, we list some of them here:</p>
Lemma 4.</strong> Given a $[n,k]_q</span> code \setn C</span> the following are equivalent:</p>$

$\setn C</span> is MDS.</li>$
$\setn C^\perp</span> is MDS.</li>$
$\wt(\setn C) = d = n - k + 1</span>.</li>$
Any set of $k</span> coordinates is an information set.</li>$
Any $k</span> columns of a generator matrix of \setn C</span> are linearly independent.</li>$
Every parity matrix $\mat P</span> is superregular</em>, i.e., all square submatrices of \mat A</span> are invertible.</li>$
For every $\setn S \subseteq [0,n)</span> with \norm{\setn S} = d</span> there is a codeword \vec c \in \setn C</span> with support \supp(\vec c) = \setn S</span>.</li>$
For every
Sumcheck 2025-10-27T00:00:00+00:00 Sumcheck</h1> $\gdef\vec#1{\mathbf{#1}} \gdef\F{\mathbb{F}} </span></p>$ Given a field $\F</span>, and a linear space V</span> over \F</span> given by the tensor product</p>$ $V = T_1 \otimes T_2 \otimes \cdots \otimes T_n \text{.} </span></p>$ The prover has a tensor $T \in V</span> and wants to prove some linear functional f(T) = s</span>.</p>$ Verifiers perspective</h1> Verifier has a sum $s_0</span>.</p>$ In the first round it receives a (typically short) vector $\vec v_1</span>. And verifies \vec w_1 \cdot \vec v_1 = s_0</span> for some public vector \vec w_1</span>. It then sends a random challenge r_1</span>. It sets s_1 \leftarrow \vec s_1(r_1) \cdot \vec v_1</span> for some public vector valued function \vec s_1(r_1)</span>.</p>$ This repeats for several rounds and verifier is left with $s_n</p> What does this prove to the verifier?</p> $s_n = \vec s_n(r_n) \cdot \vec v_n</span> and \vec w_n \cdot \vec v_n = s_{n-1}</span></p>$ Merkle Multi-Proofs 2025-10-16T00:00:00+00:00 Merkle Multi-Proofs</h1> $\gdef\p#1{\left({#1}\right)} \gdef\setp#1{\left\{{#1}\right\}} \gdef\stirlingii#1#2{{{#1} \brace {#2}}} \gdef\setn#1{\mathcal{#1}} \gdef\floor#1{\left\lfloor#1\right\rfloor} \gdef\ceil#1{\left\lceil#1\right\rceil} \gdef\vec#1{\mathbf{#1}} \gdef\H{\mathsf{hash}} \gdef\bar#1{\left\lvert{#1}\right\rvert} \gdef\Exp#1{\mathbb{E}\!\left[{#1}\right]} \gdef\Var#1{\operatorname{Var}\!\p{#1}} \gdef\Cov#1{\operatorname{Cov}\!\p{#1}} \gdef\intersection{\cap} \gdef\empty{\varnothing} </span></p>$ Vector commitments, and specifically Merkle proofs, are the heart of every hash-based proof system. They are responsible for a large part of proof size and verifier work, yet we don't have sharp estimates of either. This is largely due to a complex dependency on the distribution of opened indices. In hash-based proof systems, this distribution is uniformly random with replacement, which lets us derive the concrete results that follow.</p> Key results are exact minimum, maximum, mean, variance and probability mass functions of proof size and verifier work, plus approximations and a way to implement Merkle caps purely verifier side.</p> Definition 1.</strong> A Vector Commitment Scheme</em> for a set $\setn S</span> has \mathsf{commit}</span>, \mathsf{open}</span> and \mathsf{verify}</span> algorithms.</p>$ The $\mathsf{commit}</span> algorithm takes a vector \vec v \in {\setn S}^n</span> and outputs a commitment C</span> to \vec v</span>.</li>$ The $\mathsf{open}</span> algorithm takes a commitment C</span>, a list of m</span> indices \vec i \in [0,n)^m</span> and values \vec y \in {\setn S}^m</span> and outputs a proof \pi</span> that \vec v_{\vec{i}_j} = \vec y_j</span> for all j \in [0,m)</span>.</li>$ The $\mathsf{verify}</span> algorithm takes C, \vec i, \vec y, \pi</span> and outputs true if the proof is valid and false otherwise.</li> </ul> </div> The canonical example of a vector commitment scheme is a Merkle tree</em>. There are many expositions of this, so I'll just write a quick definition:</p> Definition 2.</strong> Given a two-to-one hash function \H: \setn H \times \setn H \rightarrow \setn H</span>, a Merkle tree</em> of height h</span> is a vector commitment scheme for n = 2^h</span> values of \setn H</span>.</p> The \mathsf{commit}</span> algorithm takes a vector \vec v \in {\setn H}^n</span> and constructs a perfect binary tree with \vec v_i</span> as the i</span>-th leaf and each node value computed by taking the hash of the child values. The commitment C \in \setn H</span> is the value of the root node.</li> The \mathsf{open}</span> algorithm takes \vec i</span> and marks the corresponding leaves and their ancestors. The proof \pi \in \setn H^\ast</span> are the values of nodes and leaves that are not marked but have a marked parent.</li> The \mathsf{verify}</span> algorithm takes C, \vec i, \vec y, \pi</span> and applies \H</span> repeatedly to compute all node values it knows all child values of. This will eventually compute the root node, which is then verified to equal C</span>.</li> </ul> We called nodes in \pi</span> the revealed nodes</em> and the ones computed in \mathsf{verify}</span> the computed nodes</em>.</p> </div> The variant presented here uses compressed multi-proofs</em>. We also allow \vec i</span> to be in arbitrary order and contain repeated values. The revealed indices and values \vec i, \vec y</span> are not part of the proof \pi</span> as the assumption is prover and verifier already established these by other means.</p> This scheme naturally extends to imperfect trees and higher- or even mixed-arity trees. This allows vector lengths that are not a power of two and can reduce tree depth if this is beneficial. The definition above uses a single hash function for all nodes, but it works with arbitrary hash functions for each node as long as prover and verifier pick the same ones. In verifier circuits the hash function cost for prover and verifier can be wildly different and it would make sense to pick a prover-favorable hash function for the deeper nodes and a verifier-favorable hash function for the nodes closer to the top. Neither of these extensions are considered in this analysis.</p> In the aforementioned application in hash-based proof systems, the indices \vec i</span> are generated by m</span> uniform random draws from [0,n)</span> with repetition. Knowing the distribution of \vec i</span> we can compute the distribution of the proof size \bar{\pi}</span>, i.e. the number of revealed nodes, and the number of hashes the verifier has to compute, i.e. the number of computed nodes. Finally we will look at a verifier implementation with deterministic control flow.</p> Number of Computed Nodes</h1> The number of hashes a verifier needs to perform is the number of computed nodes: non-leaf nodes that are marked. Given a Merkle proof of height h</span> with m</span> uniformly random openings with replacement, let C_d</span> be the number of computed nodes at level d \in [0,h)</span> of the tree. This creates a set of random variables C_d</span> in the choice of openings. Importantly these random variables are not independent as the computation of a node at level d</span> implies the computation of its parent at level d+1</span>.</p> Equivalently, consider a uniform random draw of m</span> infinite binary strings \setn M \subset \setp{0,1}^\infty</span>. Take \setn M_d \subset \setp{0,1}^d</span> to be the set of prefixes of length d</span> of elements in \setn M</span>. We have that C_d = \bar{\setn M_d}</span>, the number of distinct prefixes of length d</span> in \setn M</span>.</p> The distribution of C_d</span> is the occupancy distribution of throwing m</span> balls into 2^d</span> bins uniformly at random with replacement. This is a well-known problem in probability theory and combinatorics. The probability mass function is given by</p> \Pr[C_d = k] = \frac{k!}{2^{d \cdot m}} \binom{2^d}{k} \stirlingii{m}{k} </span></p> where \binom{n}{k}</span> is the binomial coefficient and \stirlingii{m}{k}</span> is the Stirling number of the second kind. The support for m > 0</span> is k \in [1, \min(2^d, m)]</span>, but note that C_d</span> is also bounded by C_{d+1} \in [C_d, 2 \cdot C_d]</span> due to the tree structure.</p> Expected Value</h2> Take p_d = 1 - (1 - 2^{-d})^m</span> to be the probability that a node at level d</span> is computed. The expected number of computed nodes at level d</span> is then \mathbb{E}[C_d] = 2^d \cdot p_d</span>. The total number of computed nodes C</span> is C = \sum_{d \in [0,h)} C_d</span> and therefore</p> \boxed{ \mathbb{E}[C] = \sum_{d \in [0,h)} 2^d \cdot \p{1 - \p{1- 2^{-d}}^m} } </span></p> This exact expression can be efficiently evaluated in O(h)</span>. For m \ll 2^h</span> we can also approximate it well with m \cdot (h - \log_2 m + 0.11)</span>.</p> Support</h2> Let the k \in [k_{\min}(h,m), k_{\max}(h,m)]</span> be the support such that \Pr[C = k] > 0</span>. Then</p> k_{\min}(h, m) = \begin{cases} 0 & \text{if } m = 0 \\ h & \text{otherwise} \\ \end{cases} </span></p> follows from the minimal case where all m</span> openings fall on the same leaf. Similarly, the maximum follows from distributing the m</span> openings as spread out as possible on each level, so k_{\max}(h, m) = \sum_{d \in [0,h)} \min(2^d, m)</span>. This can be written in closed form as</p> k_{\max}(h, m) = \begin{cases} 0 & \text{if } m = 0 \\ 2^{\floor{\log_2 m} + 1} + m \cdot (h - \floor{\log_2 m} - 1) - 1 & \text{if } 1 \leq m < 2^h \\ 2^h -1 & \text{if } m \geq 2^h \text{.} \end{cases} </span></p> def</span> support</span>(</span>h</span>:</span> int</span>,</span> m</span>:</span> int</span>) -> (</span>int</span>,</span> int</span>):</span></span> if</span> m</span> ==</span> 0</span> or</span> h</span> ==</span> 0</span>:</span></span> return</span> (</span>0</span>,</span> 0</span>$ Inner Product Commitments 2025-10-14T00:00:00+00:00 Inner Product Commitment Schemes</h1> $\gdef\p#1{\left({#1}\right)} \gdef\Norm#1{\left\lVert{#1}\right\rVert} \gdef\range#1{\left[#1\right)} \gdef\setn#1{\mathcal{#1}} \gdef\vec#1{\mathbf{#1}} \gdef\mat#1{\mathrm{#1}} \gdef\F{\mathbb{F}} </span></p>$ Definition 1.</strong> An $\F_q</span>-Inner Product Commitment Scheme</em> is a tuple of algorithms (\mathsf{commit}</span>, \mathsf{open}</span>, \mathsf{verify})</span> such that.</p>$ $\mathsf{commit}</span> algorithm takes a vector \vec v \in \F_q^n</span> and outputs a commitment C</span> to \vec v</span>.</li>$ The $\mathsf{open}</span> algorithm takes \vec v, C</span>, a vector \vec w \in \F_q^n</span>, and a value y \in \F_q</span> and outputs a proof \pi</span> that the inner product \vec v \cdot \vec w</span> equals y</span>.</li>$ The $\mathsf{verify}</span> algorithm takes C, \vec w, y, \pi</span> and outputs true if the proof is valid and false otherwise.</li> </ul> </div> Let's look at how Ligerito and WHIR construct such a scheme.</p>$ Tree Occupancy Distributions</h2> Lemma 2.</strong> The Occupancy Distribution</em> $\mathcal{D}(n, m)</span> is the distribution by throwing n</span> balls uniformly at random into m</span> bins and counting the number of bins which contain at least one ball. Given X \sim \mathcal{D}(n, m)</span>, the probability that X</span> takes the value k</span> is</p>$ $\Pr[X = k] = \frac{\binom{m}{k} \cdot S(n, k) \cdot k!}{m^n} </span></p>$ where $S(n, k)</span> is the Stirling number of the second kind.</p> </div>$ Linear Codes</h2> Definition 2.</strong> A Linear Code</em> $C</span> over a field \F_q</span> is a subspace of \F_q^n</span>. The elements of C</span> are called codewords</em>. The dimension</em> of the code is the dimension of C</span> as a vector space over \F_q</span>. The minimum distance</em> d</span> of the code is the minimum Hamming distance between any two distinct codewords in C</span>. A linear code with parameters [n, k, d]</span> has length</em> n</span>, dimension</em> k</span>, minimum distance</em> d</span>, rate</em> \rho = k/n</span> and expansion</em> \rho^{-1} = n /k</span>. The generator matrix G</span> of a linear code is a k \times n</span> matrix whose rows form a basis for the code.</p> </div>$ Hamming Weight</em> Take $\Norm{\vec v}_0</span> to mean the number of non-zero entries in \vec v</span>. Despite notation it is not a proper norm as it fails homogeneity.</p>$ We will work over vectors of size $2^k</span> for some integer k</span>. These can be reshaped into matrices of size 2^l \times 2^{k-l}</span> for some integer l \in \range{0,k}</span>. Denote this \mathsf{Mat}_{k\,l}(\vec v)</span>, where we can drop the k</span> if it is clear from context.</p>$ Commitment</h2> Given a vector $\vec v \in \F_q^n</span>, the commitment algorithm works as follows:</p>$ Parameters:</p> Field $\F_q</span>.</li>$ Vector size $n = 2^k</span>.</li>$ Matrix dimensions $l \in \range{0,k}</span>.</li>$ Vector commitment scheme $\setn{VC}</span> of size m</span>.</li>$ Code $\setn C</span> with parameters [m, 2^{k - l}, d]</span> and generator matrix \mat G</span>.</li>$ Code $\setn C'</span> with parameters [m', 2^{k - l}, d']</span> and generator matrix \mat G'</span>.</li>$ Number of out-of-domain samples $n_o</span>.</li> </ul> Steps:</p> Reshape \vec v</span> into a matrix \mat V</span> of size 2^l \times 2^{k -l}</span>.</li> Encode rows using the generator matrix: \mat V' = \mat V \cdot \mat G</span>.</li> Commit to the columns of \mat V'</span> using \setn{VC}</span>.</li> Pick challenges \setn{S} \subseteq \range{0, n'}</span> by uniformly drawing n_0</span> samples.</li> Compute \mat V''</span> by encoding the rows of \mat V'' = \mat V \cdot \mat G'_{\setn S}</span>.</li> Send \mat V''</span>.</li> </ol> Transcript size (ignoring dedpulication in \setn S</span>):</p> \mathsf{hash} + n_0 \cdot 2^l \cdot \mathsf{field} </span></p> Opening</h2> Parameters:</p> Commitment parameters as above.</li> Vector \vec w \in \F_q^n</span>.</li> Value y \in \F_q</span>.</li> Number of in-domain samples n_i</span>.</li> Number of folds f</span>.</li> </ul> Steps:</p> Reshape \vec w</span> into a matrix \mat W</span> of size 2^l \times 2^{k -l}</span>.</li> Pick challenges \setn{T} \subseteq \range{0, 2^{k-l}}</span> by uniformly drawing n_i</span> samples.</li> Compute $\</li> </ol> Adding Zero-Knowledge</h2> References</h1> ACFY24</a> Gal Arnon, Alessandro Chiesa, Giacomo Fenzi, Eylon Yogev (2024). WHIR: Reed–Solomon Proximity Testing with Super-Fast Verification.</li> NA25</a> Andrija Novakovic, Guillermo Angeris (2025). Ligerito: A Small and Concretely Fast Polynomial Commitment Scheme.</li> </ul> k \cdot \p{\frac{n}{k} + \log \frac{n}{k}} </span></p> https://ethereum.github.io/consensus-specs/ssz/merkle-proofs/?utm_source=chatgpt.com#merkle-multiproofs</p>$ Succinct Multi-Linear Extensions 2025-10-10T00:00:00+00:00 Succinct Multi-Linear Extensions</h1> $\gdef\p#1{\left({#1}\right)} \gdef\ceil#1{\left\lceil{#1}\right\rceil} \gdef\floor#1{\left\lfloor{#1}\right\rfloor} \gdef\set#1{\left\{#1\right\}} \gdef\range#1{\left[#1\right)} \gdef\setn#1{\mathcal{#1}} \gdef\vec#1{\mathbf{#1}} \gdef\mat#1{\mathrm{#1}} \gdef\F{\mathbb{F}} </span></p>$ Many interactive proof systems rely on multi-linear extensions (MLEs) that can be efficiently evaluated, e.g. Jolt (NTZ25</a> appendix A for Jolt, see also the source code</a> for many examples), SuperSpartan (STW23</a> section 5) , or GKR (Tha13</a>, Tha23</a> section 4.6.6).</p> Despite their importance, it is not easy to come up with specific efficient MLEs, or even get a sense of what is possible. At least, that was the case for me until I read HJR+25</a> "Jagged Polynomial Commitments" and played with the ideas presented there and in this article. It turns out a lot more is possible than I initially expected! In the process I learned how to</p> avoid needing power-of-two alignment,</li> arbitrarily mask and move coefficients around to efficiently pack of polynomials,</li> generally manipulate coefficient indices in a structured way,</li> trivially construct many common lookup tables,</li> solve the small field inner product embedding problems from a previous post.</li> </ul> So, time to get good at succinct MLEs!</p> Multi-Linear Extensions</h1> Here follows a brief review of multi-linear extensions (MLEs) and their properties. For a more extensive treatment see Tha23</a> § 3.5.</p> Denote with $\mathsf{bits}_k: \mathbb{N} \rightarrow \F_q^k</span> the bitvector \vec b \in \{0,1\}^k</span> such that i = \sum_{j \in [0,k)} b_j \cdot 2^{k-j-1}</span>, i.e. in big-endian order. We will leave the field \F_q</span> implicit and often drop the subscript k</span> when it is clear from context.</p>$ Definition 1.</strong> A $k</span>-variable Multi-Linear Extension (MLE) evaluation</em> is a map</p>$ $\mathsf{MLE}_k: \F_q^{2^k} \times \F_q^k \rightarrow \F_q </span></p>$ such that $\mathsf{MLE}_k(\vec w, \mathsf{bits}(i)) = w_i</span> for all i \in [0,2^k)</span> and \mathsf{MLE}_k(\vec w, \vec r)</span> is a polynomial in \vec r</span> of degree at most 1 in each variable.</p> </div>$ Now we show this map is unique and present several equivalent definitions.</p> Lemma 2.</strong> The MLE evaluation map is unique and equivalent to the recursion</p> $\begin{align*} \mathsf{MLE}_0([w_0], []) &= w_0 \\[4pt] \mathsf{MLE}_{k+1}([\vec w_0 \, \vec w_1], [r_0 \, \vec r]) &= u_0 + r_0 \cdot (u_1 - u_0) \\ \text{ where } u_i &= \mathsf{MLE}_k(\vec w_i, \vec r) \text{.} \end{align*} </span></p> </div>$ Proof:</em> Uniqueness follows from the fact that there are $2^k</span> interpolation points and a polynomial of degree at most 1 in each of k</span> variable has at most 2^k</span> coefficients.</p>$ Multi-linearity in $\vec r</span>: The base case is trivial. For the inductive case, it is a linear combination of \mathsf{MLE}</span>s in the \vec r</span> variables and is linear in the new r_0</span> variable.</p>$ Interpolation: The base case is trivial. For the inductive case, observe that for $b \in \{0,1\}, i \in [0,2^k)</span> we have</p>$ $\mathsf{MLE}_{k+1}([\vec w_0 \, \vec w_1], [b \, \mathsf{bits}_k(i)]) = \mathsf{MLE}_k(\vec w_b, \mathsf{bits}_k(i)) = w_{b, i} </span></p>$ and since concatenation results in $[\vec w_0 \, \vec w_1]_{b \cdot 2^k + i} = w_{b,i}</span> and \mathsf{bits}_{k+1}(b \cdot 2^k + i) = [b\, \mathsf{bits}_k(i)]</span>, the interpolation property holds.</p> </div> </p>$ This definition can be evaluated in $2^k-1</span> field multiplications, additions and subtractions. This makes it an O(n)</span> operation algorithm where n = 2^k</span>. Since in general all n</span> coefficients of \vec w</span> are needed to compute the result, O(n)</span> is optimal. But as we will see, if \vec w</span> has some special structure, we can do better.</p>$ Another common and useful expression is in terms of Lagrange basis polynomials, which in the context of MLEs are commonly denoted as $\mathsf{eq}_i(\vec r)</span>:</p>$ Lemma 3.</strong> The MLE evaluation map is equivalent to</p> $\mathsf{MLE}_k(\vec w, \vec r) = \sum_{i \in [0, 2^k)} \mathsf{eq}_{k\,i}(\vec r) \cdot w_i </span></p>$ where</p> $\mathsf{eq}_{k\,i}(\vec r) = \prod_{j \in [0, k)} \begin{cases} 1- r_j & \mathsf{bits}_k(i)_j = 0 \\ r_j & \mathsf{bits}_k(i)_j = 1 \text{.} \end{cases} </span></p> </div>$ Proof:</em> Observe that $\mathsf{eq}_i(\vec r)</span> is linear in each r_j</span> and for i,j \in [0, 2^k)</span> we have</p>$ $\mathsf{eq}_i(\mathsf{bits}(j)) = \begin{cases} 1 & i = j \\ 0 & i \neq j \end{cases} </span></p>$ which makes $\mathsf{eq}_i</span> a multi-linear Lagrange basis for \{0,1\}^k</span>. The properties of the expression for \mathsf{MLE}</span> follow from this.</p> </div> </p>$ We can rewrite this lemma using the tensor product notation $\otimes</span>:</p>$ Lemma 4.</strong> The MLE evaluation map is equivalent to the inner product</p> $\mathsf{MLE}_k(\vec w, \vec r) = \vec w \cdot \p{\bigotimes_{i \in \range{0,k}} \begin{bmatrix} 1 - r_i \\ r_i \end{bmatrix} } \text{.} </span></p> </div>$ From this equivalent definition it follows directly that the MLE is linear in the $\vec w</span> argument:</p>$ Lemma 5.</strong> (Linearity</em>) For all $\alpha, \beta \in \F_q</span> and \vec w, \vec w' \in \F_q^{2^k}</span> and \vec r \in \F_q^k</span> we have</p>$ $\mathsf{MLE}(\alpha \cdot \vec w + \beta \cdot \vec w', \vec r) = \alpha \cdot \mathsf{MLE}(\vec w, \vec r) + \beta \cdot \mathsf{MLE}(\vec w', \vec r) \text{.} </span></p> </div>$ However, it does not follow that the MLE is linear in the $\vec r</span> argument. Instead it is multi-linear, i.e. linear in each variable separately, which is a much weaker property.</p>$ The MLE evaluation respects the symmetries of the hyper-cube. The hypercube $\{0,1\}^k</span> has a large symmetry group, the$ hyper-octahedral group</a> $B_k</span> of order k! \cdot 2^k</span> which is generated by permutations of the k</span> axes and reflections in each axis. The MLE respects these symmetries in the following sense:</p>$ Lemma 6.</strong> (Hypercube Symmetries</em>) Every symmetry of the hyper-cube $\sigma \in B_k</span> induces an equivalent symmetry on the \vec w</span> and \vec r</span>:</p>$ $\mathsf{MLE}_k(\sigma_w(\vec w), \vec r) = \mathsf{MLE}_k(\vec w, \sigma_r(\vec r)) \text{.} </span></p> </div>$ Proof:</em> It suffices to show this for the generators of the group, which come in two types:</p> Permutation of axes</em>: $\sigma_r(\vec r) = (r_{\pi(0)}, \dots, r_{\pi(k-1)})</span> for some permutation \pi</span> on [0,k)</span> and \sigma_w(\vec w) = (w_{\pi'(0)}, \dots, w_{\pi'(2^k - 1)})</span> where \pi'</span> is the permutation on [0,2^k)</span> induced by \pi</span> on the bit representations of the indices.</p> </li>$ Reflection in axis $j</span></em>: \sigma_r(\vec r) = (r_0, \dots, 1 - r_j, \dots, r_{k-1})</span> and \sigma_w(\vec w) = (w_{0 \oplus 2^j}, \dots, w_{i \oplus 2^j}, \dots, w_{(2^k - 1) \oplus 2^j})</span> where \oplus</span> is bitwise XOR.</p> </li> </ol>$ It is sufficient to show that the left and right side of the equation are MLEs and agree on the interpolation points $\set{0,1}^k</span>. The only non-trivial case is the right side of the reflection, where we note that 1 - r_j</span> is still linear in r_j</span>.</p> </div> </p>$ The ability to permute variables plays nicely with other lemma's that allow us to split or combine variables. For example, we can compose two MLE evaluations into one:</p> Lemma 7.</strong> (Tensor Composition</em>) Given $k, k'</span> and \vec w \in \F_q^{2^k}</span>, \vec w' \in \F_q^{2^{k'}}</span>, \vec r \in \F_q^k</span>, and \vec r' \in \F_q^{k'}</span> we have</p>$ $\mathsf{MLE}_k(\vec w, \vec r) \cdot \mathsf{MLE}_k(\vec w', \vec r') = \mathsf{MLE}_{k+k'}(\vec w \otimes \vec w', [\vec r\, \vec r']) \text{.} </span></p> </div>$ In the opposite direction, factoring an $\mathsf{MLE}</span> is hard as \vec w</span> doesn't generally have a tensor decomposition. But when we fix \vec r'</span> to a bitvector we can do it:</p>$ Lemma 8.</strong> (Partial Fixing</em>) Given $\vec w \in \F_q^{2^{k +l}}</span>, \vec r \in \F_q^k</span>, and \vec b \in \set{0,1}^{l}</span> we have</p>$ $\mathsf{MLE}_{k+l}(\vec w, [\vec r\, \vec b]) = \mathsf{MLE}_{k}(\vec w', \vec r) </span></p>$ where $\vec w' \in \F_q^{2^k}</span> is given by w'_i = w_{i \cdot 2^{l} + j}</span> with j</span> such that \vec b = \mathsf{bits}_{l}(j)</span>.</p> </div>$ That concludes the basic properties of general</em> MLE evaluations. We will now look at special cases for $\vec w</span> that allow efficient evaluation of \mathsf{MLE}_k(\vec w, \vec r)</span>, i.e. sub-linear in the size of \vec w</span> or, equivalently, sub-exponential in k</span>.</p>$ Tensor Weights</h1> For succinct verification we need to restrict $\vec w</span> to vectors that allow MLE evaluation in O(\log n)</span> or better (where n = 2^k</span>). A simple but useful class is those where \vec w</span> can be decomposed as the tensor product of 2</span>-vectors.</p>$ Lemma 9.</strong> Given $\vec t_0,\dots,\vec t_{k-1} \in \F_q^2</span>, there is an O(k)</span> algorithm to compute \mathsf{MLE}_k(\vec w, \vec r)</span> where</p>$ $\vec w = \bigotimes_{i \in [0,k)} \vec t_i \text{.} </span></p> </div>$ Proof:</em> Consider the base case $\mathsf{MLE}_0([1], []) = 1</span> and recursion:</p>$ $\begin{align*} \mathsf{MLE}_{k+1}(\vec t_0 \otimes \vec w', [r_0, \vec r]) &= \p{(\vec t_0)_0 \cdot (1 - r_0) + (\vec t_0)_1 \cdot r_0} \cdot \mathsf{MLE}_k(\vec w', \vec r) \end{align*} </span></p>$ The recursive step is linear in $r_0</span> and for r_0 \in \{0,1\}</span> we have (\vec t_0)_0</span> or (\vec t_0)_1</span> times the MLE in the remaining variables, which results in the MLE of the tensor product by induction. Finally the algorithm is O(k)</span> since it does O(1)</span> work per variable.</p> </div>$ This class is closed under the hypercube symmetries, as permutations just permute the $\vec t_i</span> and reflections swap the two elements of some \vec t_i</span>. We can also scale a tensor program by scaling one of the \vec t_i</span>, but we can not generally add two tensor programs as the sum of two tensor products is not generally a tensor product. However, tensor weights are closed under element-wise multiplication of the weights vectors by taking the element-wise products of the \vec t_i</span>. This extends to element-wise exponentiation, division and inverses.</p>$ This is a very useful class of weights, as it allows us to evaluate polynomials in some useful bases. Here are some multi-linear examples:</p> Example 10.</strong> (Multi-Linear Monomial Basis</em>) Given $\vec x \in \F_q^k</span> the tensor weights for evaluating a multi-linear polynomial in monomial basis are \vec t_i = \begin{bmatrix} 1 & x_i \end{bmatrix}</span>.</p> </div>$ Example 11.</strong> (Multi-Linear Boolean Hypercube Basis</em>) Given $\vec x \in \F_q^k</span> the tensor weights for evaluating a polynomial in the \{0,1\}^k</span> multi-linear basis are \vec t_i = \begin{bmatrix} 1 - x_i & x_i \end{bmatrix}</span>.</p> </div>$ Example 12.</strong> (General Multi-Linear Hypercube Basis</em>) Given $\vec x \in \F_q^k</span> the tensor weights for evaluating a polynomial in the \{a_i,b_i\}_{i \in [0,k)}</span> multi-linear basis are</p>$ $\vec t_i = \begin{bmatrix} \displaystyle \frac{x_i - b_i}{a_i - b_i} & \displaystyle \frac{x_i - a_i}{b_i - a_i} \end{bmatrix} \text{.} </span></p> </div>$ To do.</strong> The $\set{0, \infty}^k</span> basis.</p>$ We can also do some univariate evaluation, but it is much more restrictive. Monomial evaluation works:</p> Example 13.</strong> (Univariate Monomial Basis</em>) Given $x \in \F_q</span> the weights vector for evaluating a polynomial in the univariate monomial basis has w_i = x^i</span> and tensor weights \vec t_i = \begin{bmatrix} 1 & x^{2^i} \end{bmatrix}</span>.</p> </div>$ Evaluation on one or two Lagrange points are just degenerate multi-linears. We can also do three Lagrange points (where we ignore $w_4</span>), but barely:</p>$ Example 14.</strong> (Univariate 3-Point Lagrange Basis</em>) Given Lagrange basis points $x_0,x_1,x_2 \in \F_q</span> and evaluation point x \in \F_q</span>,</p>$ $\begin{align*} \vec t_0 &= \begin{bmatrix} \displaystyle (x - x_2) \\[1em] \displaystyle \frac{(x - x_0)}{(x_2 - x_1) \cdot (x_1 - x_0)^{-1}} \end{bmatrix} & \vec t_1 &= \begin{bmatrix} \displaystyle \dfrac{(x - x_1)}{(x_0 - x_1) \cdot (x_0 - x_2)} \\[1em] \displaystyle \frac{(x - x_0)}{(x_1 - x_0) \cdot (x_1 - x_2)} \end{bmatrix} \text{.} \\ \end{align*} </span></p> </div>$ This is cheating a bit, as $\vec w</span> is length 4</span> and we simply ignore the last element. To show that we can't do better, we first introduce a lemma that succinctly characterizes tensor weights:</p>$ Lemma 15.</strong> (Face Identities</em>) For $m < k</span> and i,k \in \range{0, 2^m}</span> and j,l \in \range{0,2^{k-m}}</span> we have for tensor weights \vec w</span>:</p>$ $w_{i + j \cdot 2^m} \cdot w_{k + l \cdot 2^m} - w_{i + l \cdot 2^m} \cdot w_{k + j \cdot 2^m} = 0 \text{.} </span></p>$ These identities correspond to the faces of the $k</span>-hypercube and they are necessary and sufficient conditions for \vec w</span> to be a tensor product of 2</span>-vectors.</p> </div>$ Proof:</em> To show necessity split $\vec w</span> in two parts \vec w = \vec w' \otimes \vec w''</span> with \vec w' \in \F_q^{2^l}</span> and \vec w'' \in \F_q^{2^{k-l}}</span> such that w_{i + j \cdot 2^l} = w'_i \cdot w''_j</span> and similar for the other terms. Then the identity becomes trivially true:</p>$ $w'_i \cdot w''_j \cdot w'_k \cdot w''_l - w'_i \cdot w''_l \cdot w'_k \cdot w''_j = 0 \text{.} </span></p>$ To show sufficiency, we use induction on $k</span>. The base case k = 1</span> is trivial. For the inductive case, split \vec w</span> in two halves \vec w = [\vec w_0\, \vec w_1]</span>. We will show that \vec w_1 = \alpha \cdot \vec w_0</span> for some \alpha</span> and then we can take \vec t_0 = [1\, \alpha]</span> and use the inductive hypothesis on \vec w_0</span> to get the remaining \vec t_i</span>. Consider the face identities for m = 1</span>, i=0</span>, k=1</span> and all j,l \in \range{0,2^{k-1}}</span> which we can rewrite as</p>$ $\frac{w_{0 + j \cdot 2}}{w_{1 + j \cdot 2}} = \frac{w_{0 + l \cdot 2}}{w_{1 + l \cdot 2}} \text{.} </span></p>$ If all the $w_{1 + j \cdot 2} = 0</span> then we set \alpha = 0</span> and we are done. Otherwise they all have the same ratio, which we take as \alpha</span>.</p> </div> </p>$ We can now show that no dense univariate basis exists for more than $2</span> points using tensor weights:</p>$ Lemma 16.</strong> For $k > 1</span> it is not possible to construct a univariate basis for n \geq 2^k</span> interpolation points using weights tensors.</p> </div>$ Proof:</em> The $n>2^k</span> case is trivial. For n = 2^k</span> we are looking for tensor weights such that w_i = l_i(x)</span> where l_i</span> is the i</span>-th Lagrange basis polynomial for some set of points \set{x_j}_{j \in \range{0, n}}</span>. Pick four corners of a face of the hyper-cube, a, b, c,d</span>, the face identity becomes</p>$ $l_a(x) \cdot l_b(x) - l_c(x) \cdot l_d(x) = 0 \text{.} </span></p>$ This identity needs to hold for any $x</span> and the left side is a degree 2(n-1)</span> polynomial. Taking the derivative we get</p>$ $\p{l_a(x) \cdot l_b'(x) + l_a'(x) \cdot l_b(x)} - \p{l_c(x) \cdot l_d'(x) + l_c'(x) \cdot l_d(x)} = 0 \text{.} </span></p>$ For $x=x_a</span> we have l_a(x_a) = 1</span> and l_b(x_a) = l_c(x_a) = l_d(x_a) = 0</span> and the above simplifies to l_b'(x_a) = 0</span>, which contradicts every zero of l_b'</span> being simple.</p> </div> </p>$ It's an open question (to me at least) if a dense univariate Lagrange basis MLE can be computed efficiently.</p> While tensor weights already capture a surprisingly useful class of succinct MLEs, they remain limited to factorizable structures and are, for example, not closed under addition. To go further, we can replace each scalar by a matrix, allowing more complex linear combinations of partial results. This leads to Weighted Ordered Binary Decision Diagram</em>.</p> Weighted OBBDs</h1> A large class of efficient MLEs can be constructed by replacing the scalars in the tensors by matrices. This was first introduced in HR18</a> in the proof of thm. 5.4, later refined in HJR+25</a> § 4.1 where they are called read-once matrix branching program</em>s. We will use terminology more in line with Weg00</a>, augmented with terms from automata theory.</p> Definition 17.</strong> A Weighted Ordered Binary Decision Diagram</em> (WOBDD</em>) consists of permutation $\pi</span> on \range{0,k}</span> and weight matrices</p>$ $\set{\mat M_{i\,0},\mat M_{i\,1} \in \mathbb{F}_q^{\,u_i \times u_{i+1}}}_{i \in [0,k)} \text{.} </span></p>$ where $u_i</span> are matrix dimensions such that the initial and final dimension u_0 = u_k = 1</span>. The evaluation of the program in \vec r</span> is then defined as</p>$ $\prod_{i \in [0,k)} \p{ (1 - r_{\pi(i)}) \cdot \mathrm{M}_{i\,0} + r_{\pi(i)} \cdot \mathrm{M}_{i\,1} } \text{.} </span></p>$ We call $\max_i u_i</span> the width</em> of the WOBDD. When the permutation is given, we call it a \pi</span>-WOBDD</em>.</p> </div>$ Note.</strong> This definition differs from HJR+25</a> and literature on weighted automata in allowing matrices of varying dimensions. The requirement that $u_0 = u_l = 1</span> ensures that the result is a scalar, where in other literature this is achieved using separate source and sink vectors. This mostly makes the notation cleaner, but it's easy to convert between the two.</p>$ Let's establish that these are indeed MLE evaluations and can be evaluated efficiently.</p> Lemma 18.</strong> A WOBDD is an MLE evaluation for $\vec w \in \F_q^{2^k}</span> where</p>$ $w_i = \prod_{j \in [0,k)} \mathrm{M}_{j\, b_{\pi(i)}} </span></p>$ where $\vec b = \mathsf{bits}_k(i)</span>. If the width is bounded evaluation takes O(k)</span> operations.</p> </div>$ Proof:</em> Each $r_i</span> appears only once in the product and the expression is linear in each r_i</span>, hence it is multi-linear in \vec r</span>. For r_i \in \set{0, 1}</span> the values of w_i</span> follow directly from the definition.</p> </div>$ To show how this work, let's look at a simple example that interpolates over the vector $\vec w = (0, 1, \dots, 2^k -1)</span>.</p>$ Example 19.</strong> (Popcount</em>) We can construct a WOBDD for the MLE of $w_i = \mathsf{popcount}(i) \pmod{\F_q}</span> using permutation \pi = \mathsf{id}</span> and matrices</p>$ $\begin{align*} \mat M_{0\,b} &= \begin{bmatrix} 1 & b \end{bmatrix} & \mat M_{i\,b} &= \begin{bmatrix} 1 & b \\ 0 & 1 \end{bmatrix} & \mat M_{k-1\,b} &= \begin{bmatrix} b \\ 1 \end{bmatrix} \text{.} \end{align*} </span></p> </div>$ Example 20.</strong> (Counter</em>) We can construct a WOBDD for the MLE of $w_i = i \pmod{\F_q}</span> using permutation \pi = \mathsf{id}</span> and matrices</p>$ $\begin{align*} \mat M_{0\,b} &= \begin{bmatrix} 2 & b \end{bmatrix} & \mat M_{i\,b} &= \begin{bmatrix} 2 & b \\ 0 & 1 \end{bmatrix} & \mat M_{k-1\,b} &= \begin{bmatrix} b \\ 1 \end{bmatrix} \text{.} \end{align*} </span></p> </div>$ In Jolt there are many lookup tables for $m</span>-arry functions where the k</span>-bit inputs a_0, a_1, \dots, a_{m-1} \in \range{0,2^k}</span> are combined into an index i = \sum_{j \in [0,m)} a_j \cdot 2^{j \cdot k}</span> into the weight vector \vec w \in \F_q^{m \cdot k}</span>. The goal is then to find a succinct MLE for this \vec w</span>. For boolean binary operations we can do this as</p>$ Example 21.</strong> (Bitwise Operation</em>) Given a boolean binary operation $\ast</span> such as AND, OR or XOR, we can construct a WOBDD for the \mathsf{MLE}_{2\cdot k}</span> evaluation of</p>$ $w_{\vec a \, \vec b} =\sum_{i \in \range{0,k}} 2^i \cdot \p{a_i \ast b_i} \pmod{\F_q} \text{.} </span></p>$ Pick interleaved permutation $\pi = (a_0, b_0, a_1, b_1, \dots)</span> and matrices</p>$ $\begin{align*} \mat M_{2\cdot i+1\,b} &= \begin{bmatrix} 1 & 0 & (1 - b) & b \\ 0 & 1 & 0 & 0 \end{bmatrix} & \mat M_{0\,b} &= \begin{bmatrix} 1 & 0 & 1 - b & b \end{bmatrix} \\ \mat M_{2\cdot i\,b} &= \begin{bmatrix} 1 & 0 \\ 0 & 1 \\ 0 & 2^i \cdot (b \ast 0) \\ 0 & 2^i \cdot (b \ast 1) \end{bmatrix} & \mat M_{k-1\,b} &= \begin{bmatrix} 0 \\ 1 \\ 2^i \cdot (b \ast 0) \\ 2^i \cdot (b \ast 1) \end{bmatrix} \text{.}\\ \end{align*} </span></p> </div>$ When we have WOBDDs for two vectors $\vec w, \vec w'</span> we can combine them in several ways to get WOBDDs for new vectors. The following lemma's show three useful constructions.</p>$ Lemma 22.</strong> (Linear Combinations</em>) Given two $\pi</span>-WOBDDs for \vec w, \vec w'</span> we can construct a \pi</span>-WOBDD for \vec w''</span> where w''_i = \alpha \cdot w_i + \beta \cdot w'_i</span> by taking block matrices</p>$ $\begin{align*} \mat M_{0\,j}'' &= \begin{bmatrix} M_{0\, j} & M_{0, j}' \end{bmatrix} & \mat M_{ij}'' &= \begin{bmatrix} \mat M_{ij} & 0 \\[4pt] 0 & \mat M_{ij}' \end{bmatrix} & \mat M_{k-1\,l}'' &= \begin{bmatrix} \alpha \cdot \mat M_{k-1\,j} \\[4pt] \beta \cdot \mat M_{k-1\,j}' \end{bmatrix} \text{.} \end{align*} </span></p>$ The width of the resulting WOBDD is the sum of the widths of the input WOBDDs.</p> </div> Lemma 23.</strong> (Multiplication</em>) Given two $k</span>-variable \pi</span>-WOBDDs for \vec w, \vec w'</span> we can construct a \pi</span>-WOBDD$ for \vec w''</span> where w''_i = w_i \cdot w'_i</span> by taking tensor product matrices</p>$ $\mat M_{ij}'' = \mat M_{ij} \otimes \mat M_{ij}'\text{.} </span></p>$ The width of the resulting WOBDD is the product of the widths of the input WOBDDs.</p> </div> Lemma 24.</strong> (Reversing</em>) Given a WOBDD with permutation $i_0, \dots, i_{k-1}</span> we can construct an equivalent WOBDD of same width with the reversed permutation i_{k-1},\dots,i_0</span> by transposing matrices \mat M_{i\,b}' = \mat M_{(k-i-1)\,b}^{\mathsf{T}}</span>.</p> </div>$ Lemma 25.</strong> (Composition</em>) Given a $k</span> variable WOBDD and k'</span> variable WOBDD we can construct a k+k'</span> variable WOBBD for \vec w''</span> such that w''_{i + j\cdot2^{k}} = w_i \cdot w'_j</span> by concatenating the permutations and matrices.</p> </div>$ Using these constructions we can e.g. build a lookup table for squaring by taking the counter from example 20 and multiplying it with itself using lemma 23.</p> We could generalize the WOBDD definition by replacing the permutation with a set partitioning of $r_i</span> into subvectors \vec r_i \in \F_q^{k_i}</span>, having 2^{k_i}</span> matrices for each i</span> and evaluating using the \mathrm{eq}</span> polynomials:</p>$ $\prod_{i \in [0,l)} \sum_{j \in [0, 2^{k_i})} \mathrm{eq}_{k_i\,j}(\vec r_i) \cdot \mathrm{M}_{ij}\text{.} </span></p>$ This allows for a time-space trade-off, especially if we can eliminate a large intermediate $u_i</span> value. For simplicity we will not consider this generalization further.</p>$ Transducers</h1> To create more powerful manipulations of WOBDDs we introduce transducers</em>, which are like weighted non-deterministic finite transducers (WFSTs) except they have a layered structure. They also extend the read-once branching programs from HJR+25</a> and OR-OBDDs from Weg00</a>.</p> Definition 26.</strong> An Non-deterministic Weighted Ordered Binary Decision Transducer</em>, is a matrix $\mat T \in \F_q^{2^k \times 2^k}</span> specified as follows:</p>$ There is an input permutation $\pi</span> on \range{0,k}</span>.</li>$ There are layered sets of states $\setn{S}_0,\dots,\setn{S}_k</span>.</li>$ For each $i \in \range{0,k}</span> there is a transition weight function \delta_i : \setn{S}_i \times \set{0,1} \times \setn{S}_{i+1} \times \set{0,1} \rightarrow \F_q </span> such that in state s</span> on input bit b</span> we can transition to state s'</span> outputting bit b'</span> with weight \delta_i(s, b, s', b')</span>.</li> </ul> Take \widehat{\setn{S}} = S_0 \times S_1 \times \cdots \times S_k</span> then the matrix \mat T</span> is specified by summing over all paths while accumulating weights multiplicatively,</p> \mat T_{i j} = \sum_{\vec s \in \widehat{\setn S}} \prod_{l \in \range{0, k}} \delta_l(s_l, \mathsf{bits}(i)_{\pi(l)}, s_{l+1}, \mathsf{bits}(j)_{\pi(l)}) \text{.} </span></p> The width</em> of the transducer is \max_i |\setn{S}_i|</span>. For a given \pi</span> we call it a \pi</span>-transducer</em>.</p> </div> Transducers can be used to transform WOBDDs such that each resulting weight is a a linear combination of the original weights:</p>$ Lemma 27.</strong> (Transducer Action</em>) Given a $\pi</span>-transducer \mat T</span> and a \pi</span>-WOBDD for \vec w</span> we can construct a \pi</span>-WOBDD for \vec w' = \mat T \cdot \vec w</span> using the block matrices</p>$ $(\mat M'_{i\, b})_{s\,s'} = \sum_{b' \in \set{0,1}} \delta_i(s, b, s', b') \cdot \mat M_{i\, b'} </span></p>$ where the initial and final dimension are collapsed to $1</span> by summation. The width of resulting WOBDD is at most the product of the width of the original WOBDD and the width of the transducer.</p> </div>$ Proof:</em> For each path in $T</span>, the construction picks the matrices from the original program according to the output and multiplies them.</p> </div> </p>$ The non-determinism complicates things compared to the deterministic read-once branching programs (ROBP) from HJR+25</a>, but it also makes it more powerful. For one, it allows us to reverse the permutation without increasing the width. Without non-determinism, many useful programs can only be expressed in either MSB or LSB order and we would not be able to combine them. The class of efficiently computable functions is also larger (see e.g. Weg00</a> thm 12.2.1). In terms of the matrix $\mat T</span>, adding the output bit allows us to go from diagonal matrices to (generalized) permutation matrices and adding non-determinism allows us to go dense matrices.</p>$ For convenience, we will talk about Most-Significant Bit first</em> (MSB</em>) and Least-Significant Bit first</em> (LSB</em>) transducers, where the input permutation is $\pi(i) = i</span> and \pi(i) = k-i-1</span> respectively. When the transducer is deterministic we specify transitions as a function \delta_i: \setn{S}_i \times \set{0,1} \rightarrow \setn{S}_{i+1} \times \set{0,1} \times \F_q</span>. We also omit the output and weight when they equal the input and 1</span> respectively. We say we associate a weight to an initial/final state</em> to mean applying the weight to each transition entering or leaving that state respectively.</p>$ To show the utility of this class, let's look at some simple examples of transducers. The first example does a MSB lexicographic comparison with a constant:</p> Example 28.</strong> (MSB Comparison</em>) A comparison for $c \in \range{0, 2^{k}}</span> is constructed as an MSB-transducer with states \setn S_0 = \set{\mathtt{equal}}, \setn S_i = \set{\mathtt{less}, \mathtt{equal}, \mathtt{greater}}</span> and transition function</p>$ $\begin{align*} \delta_i(\mathtt{less}, b) &= \mathtt{less} \\[4pt] \delta_i(\mathtt{equal}, b) &= \begin{cases} \mathtt{less} & \text{if } b < \mathsf{bits}(c)_{k-i-1} \\ \mathtt{equal} & \text{if } b = \mathsf{bits}(c)_{k-i-1} \\ \mathtt{greater} & \text{if } b > \mathsf{bits}(c)_{k-i-1} \end{cases} \\[6pt] \delta_i(\mathtt{greater}, b) &= \mathtt{greater} \text{.} \end{align*} </span></p>$ We associate weights to the final state $(\mathtt{less}, \mathtt{equal}, \mathtt{greater})</span> as (1, 0, 0)</span>, (1, 1, 0)</span>, (0, 1, 0)</span>, (1, 0 ,1)</span>, (0, 1, 1)</span> or (0, 0, 1)</span> to get the transducers for <</span>, \leq</span>, =</span>, \neq</span>, \geq</span>, ></span> respectively.</p> </div>$ This method is width 3. There is also a width 2 LSB-transducer using subtraction:</p> Example 29.</strong> (LSB Comparison</em>) A comparison for $c \in \range{0, 2^{k}}</span> is constructed as an LSB-transducer with states \setn S_0 = \set{0}, \setn S_i = \set{0,1}</span> and transition function</p>$ $\delta_i(s, b) = \begin{cases} 1 & \text{if } b < s + \mathsf{bits}(c)_{k-i-1} \\[4pt] 0 & \text{otherwise} \\[4pt] \end{cases} </span></p>$ The weights associating to the final state can be set to $(0, 1)</span>, (1, 0)</span> to get the transducers for <</span>, \geq</span> respectively.</p> </div>$ The next example shows the utility of the output function to permute the weights, in this case shift them by any amount:</p> Example 30.</strong> (Shift</em>) For a cyclic rotation of the indices by an amount $c \in \range{0,2^k}</span> we construct a LSB-transducer with states \setn S_0 = \set{0}, \setn S_i = \set{0,1}</span> representing the carry bit, and transition function \delta_i(s, b) = (s', b')</span> where</p>$ $\begin{align*} t &= s + b + \mathsf{bits}(c)_{k-i-1} \\[4pt] (s', b') &= (\floor{t / 2}, t \bmod 2) \text{.} \end{align*} </span></p>$ The weights associated with final states can then be set to $(1, 1), (1,0), (0,1)</span> for cyclic rotation, left shift, and right shift (of 2^k - c</span>) respectively.</p> </div>$ Combining these two examples we can move any contiguous range of weights from a WOBDD to anywhere in the weight vector and set the rest to zero. In Inner Product Commitment Schemes this allows us to pack many polynomials of various shapes in a single commitment and open them with appropriately shifted weights, i.e. to move the range of weights $\range{0,c}</span> to \range{d, c+d}</span> and set all other zero we can apply a less-than-c</span> followed by a d</span>-right shift. This expands the width by 4</span>. Neither c</span> nor d</span> need to be powers of two.</p>$ Another interesting example to show the expressiveness of transducers is division, which for an arbitrary (but small) $c</span> transforms the weights as w_i' = w_{\floor{i / c}}</span> using a width c</span>.</p>$ Example 31.</strong> (Division</em>) For a floored division of the indices by an amount $c</span> we construct an MSB-transducer with states \setn S_0 = \set{0}, \setn S_i = \range{0,c}</span> and transition function \delta_i(s, b) = (s', b')</span> where</p>$ $\begin{align*} t &= 2 \cdot s + b \\ (s', b') &= (t \bmod c, \floor{t / c}) \text{.} \end{align*} </span></p> </div>$ Finally we show the power of non-determinism to construct dense matrices $\mat T</span> in bounded width:</p>$ Example 32.</strong> (Hadamard Transform</em>) For a Hadamard transform of the weights such that $w_i' = \sum_{j \in [0, 2^k)} (-1)^{i \cdot j} \cdot w_j</span> we construct a LSB-transducer with one state \setn S_i = \set{\circ}</span> and transition weight function</p>$ $\delta_i(\circ, b, \circ, b', ) = (-1)^{b \cdot b'} \text{.} </span></p> </div>$ Example 33.</strong> (Prefix Sum</em>) For a prefix sum of the weights such that $w_i' = \sum_{j \in [0, i]} w_j</span> we construct an MSB-transducer with states \setn S_0 = \set{\mathsf{eq}}, \setn S_i = \set{\mathsf{lt}, \mathsf{eq}}</span> and transition weight function</p>$ $\begin{align*} \delta_i(\mathsf{lt}, b, \mathsf{lt}, b') &= 1 \text{ for all } b, b' \\ \delta_i(\mathsf{eq}, b, \mathsf{eq}, b) &= 1 \text{ for all } b \\ \delta_i(\mathsf{eq}, 1, \mathsf{lt}, 0) &= 1 \\ \delta_i(s,b, s', b') &= 0 \text { otherwise.} \\ \end{align*} </span></p> </div>$ Extension fields and embeddings</h1> With these tool, we can tackle the problem from my post on "Embedding Inner Products"</a>. Recall the setup, we have an inner product commitment scheme</p> Definition 34.</strong> An $\F_q</span>-Inner Product Commitment Scheme</em> is a tuple of algorithms (\mathsf{commit}</span>, \mathsf{open}</span>, \mathsf{verify})</span> such that.</p>$ $\mathsf{commit}</span> algorithm takes a vector \vec v \in \F_q^n</span> and outputs a commitment C</span> to \vec v</span>.</li>$ The $\mathsf{open}</span> algorithm takes \vec v, C</span>, a vector \vec w \in \F_q^n</span>, and a value y \in \F_q</span> and outputs a proof \pi</span> that the inner product \vec v \cdot \vec w = \sum_{i \in [0,n)} v_i \cdot w_i</span> equals y</span>.</li>$ The $\mathsf{verify}</span> algorithm takes C, \vec w, y, \pi</span> and outputs true if the proof is valid and false otherwise.</li> </ul> </div> In Ligerito and WHIR the running time of \mathsf{verify}</span> is O(\log n)</span> iff there is a succinct MLE for \vec w</span>. Those schemes also require that \F_q</span> is cryptographically large, which we can achieve by taking an extension field \F_{q^d}</span> and an embedding:</p>$ Definition 35.</strong> An embedding</em> of $\F_q</span> in \F_{q^d}</span> is given by a \vec c \in \F_{q^d}^p</span> such that the embedding map \mathsf{embed}_{\vec c}: \F_q^n \rightarrow \F_{q^d}^{n'}: \vec w \mapsto \vec w'</span> with n' = \ceil{n / p}</span> is</p>$ $w_i' = \sum_{j \in [0, p)} c_j \cdot w_{i \cdot p + j} \text{.} </span></p>$ Furthermore, when $p = d</span> we call it a packed embedding</em> and when \vec c = [1]</span> we call it the natural embedding</em>.</p> </div>$ We then apply embeddings to $\vec v</span> and \vec w</span> and use an \F_{q^d}</span>-inner product commitment scheme and extract the \F_q</span> result from the \F_{q_d}</span> inner product. With careful choice of embeddings this can work.</p>$ Lemma 36.</strong> (Embedding Inner Products</em>) For towers of extensions with suitable moduli, there exist packed embeddings $\vec c, \vec c'</span> such that for any \vec v, \vec w \in \F_q^n</span> we have</p>$ $\vec v \cdot \vec w = \mathsf{unembed}( \mathsf{embed}_{\vec c}(\vec v) \cdot \mathsf{embed}_{\vec c'}(\vec w)) \text{.} </span></p>$ where $\mathsf{unembed}: \F_{q^d} \rightarrow \F_q</span> simply takes the constant coefficient.</p> </div>$ Proof:</em> See "Embedding Inner Products"</a>.</p> </div> </p> This raises the question: If we have a succinct MLE for $\vec w \in \F_q^n</span>, can we get a succinct MLE for \vec w' = \mathsf{embed}_{\vec c}(\vec w) \in \F_{q^d}^{n'}</span>? It turns out we often can, using transducers.</p>$ Example 37.</strong> (Folding Transducer</em>) For a weighted sum of indices such that $w'_i = \sum_{j \in [0, p)} c_j \cdot w_{i \cdot p + j}</span> we can construct a LSB-transducer with states \setn S_i = \range{0,p}</span> and transition function \delta_i(s, b) = (s', b')</span> where</p>$ $\begin{align*} t &= s + p \cdot b \\ (s', b') &= (t \bmod 2, \floor{t / 2}) \text{.} \end{align*} </span></p>$ where the weights for the initial states are $(c_0, \dots, c_{p-1})</span> and the weights for the final states are (1, 0, \dots, 0)</span>. This transducer has width p</span>.</p> </div>$ With this transducer, we can answer the question above positively for MSB- and LSB-WOBDDs:</p> Lemma 38.</strong> (Embedding Succinct MLEs</em>) Given an embedding $\vec c \in \F_{q^d}^p</span> and a MSB- or LSB-WOBDD for \vec w \in \F_q^n</span> we can construct a WOBDD for \vec w' = \mathsf{embed}_{\vec c}(\vec w)</span> with width at most p</span> times the width of the original WOBDD.</p> </div>$ Proof:</em> Reverse the original WOBDD if needed to make it LSB. Lift the matrices from $\F_q</span> to \F_{q^d}</span> (i.e. take the natural embedding), then apply the folding transducer above.</p> </div> </p>$ This solves it for inner product commitments, but often there are more parts to a protocol and these may not necessarily allow for packed embeddings. For example if we have a naturally embedded sumcheck round, we may need to evaluate $\mathsf{MLE}(\vec v', \vec r)</span> for some \vec r \in \F_{q^d}^k</span> where \vec v' \in \F_q^{2^k}</span> is the natural embedding of \vec v</span>.</p>$ We can do this using an inner product with MLE evaluation weights for $\vec r</span> (see example 11). But now we have an inner product between \vec v \in \F_q</span> and \vec w \in \F_{q^d}</span> vector and can only do inner products in \F_q</span>. We can easily solved this by taking any basis \beta_0, \dots, \beta_{d-1}</span> of \F_{q^d}</span> over \F_q</span> and expressing the \F_{q^d}</span> inner product as a sum of d</span> \F_q</span> inner products, each with a different set of weights \vec w^{(l)}</span> which are the coefficients of \vec w</span> in the basis such that \vec w = \sum_{l \in \range{0,d}} \beta_l \cdot \vec w^{(l)}</span> and \vec v \cdot \vec w = \sum_{l \in \range{0,d}} \beta_l \cdot \p{\vec v \cdot \vec w^{(l)}}</span>. But this raises the question:</p>$ If we have a succinct MLE for $\vec w \in \F_{q^d}^n</span> and some basis \vec \beta</span> of \F_{q^d}</span> over \F_q</span>, can we get an succinct MLEs for each of the d</span> coefficient vectors \vec w^{(l)} \in \F_q^n</span>?</p>$ It turns out, we can, for any WOBDD in fact:</p> Lemma 39.</strong> (Lowering</em>) Given a $\F_{q^d}</span> WOBDD and a basis \beta_0, \dots, \beta_{d-1}</span> of \F_{q^d}</span> we can construct WOBDDs for each of the d</span> coefficient vectors \vec w^{(l)} \in \F_q^{2^k}</span> such that w_i = \sum_{l \in [0,d)} w_i^{(l)} \cdot \beta_l</span>. Take the original permutation and block matrices</p>$ $(\mat M'_{i\,b})_{u\,v} = \mathsf{mul}_{\vec \beta}((\mat M_{i\,b})_{u\,v}) </span></p>$ where $\mathsf{mul}_{\vec \beta}(t)</span> is the matrix of the \F_q</span>-linear map x \mapsto t \cdot x</span> in basis \vec \beta</span>. The initial matrix is multiplied by the \beta</span> representation of 1</span>. The final matrix is turned into d</span> vectors by taking its columns, each of these final matrices computes the WOBDD for one of the coefficient vectors. The new WOBDDs has d</span> times the original width.</p> </div>$ It makes sense to extend the definition of WOBDDs to allow vector results so that we can skip selecting the final column and compute all $d</span> evaluations in one pass. If we do this, the evaluation is optimal as it performs exactly the operations that the original WOBDD would have done, just expressed in the basis. To use it in the above packing, we then still need to apply the folding transducer which multiplies the width by p</span> again. It also lifts all the intermediate values to \F_{q^d}</span>, though the matrices remain in \F_q</span>. On the other hand, we gain some efficiency by packing requiring \floor{\log_2 p}</span> fewer variables.</p>$ Further Thoughts and Questions</h1> General WOBDDs are not closed under addition, even though we know efficient MLEs are. Can we find a more powerful class that is closed under addition? Since the set of $\pi, \pi_{\text{reversed}}</span>-WOBDDs are closed under addition, we need a way to add incompatible programs. I suspect a weighted version of FBDDs might work, where we sum over merging paths, but I haven't worked out the details.</li>$ We have shown transducers to be equivalent to matrices / linear maps. Can we characterize which linear maps are succinctly representable as transducers?</li> We could extend transducers with matrix weights on the transitions and tensor products when applied to a WOBDD. I don't see a good use for this yet, but it may prove to be more powerful in the same way that WOBDDs are more powerful than tensor weights. Though I suspect it is redundant with the states.</li> Some examples can be optimized when $c = 2^{k'} \cdot c'</span> for odd c</span> by splitting off the 2^{k'}</span> part using variable tricks. This can probably be implemented as an optimization pass on the transducer state machine. In general the current implementation can do more optimization such as dead state elimination.</li>$ For Weighted Finite Automata there is good literature on minimization, which can likely be augmented to apply to WOBDDs. Similarly there is literature on minimizing state-machines/transducers.</li> For Jolt style lookup tables we could imagine a variant of transducers where we can see the $m</span>-arry input as m</span> parallel bit streams and have transitions that read one bit from each stream at a time.</li> </ul>$ References</h1> Weg00</a> Ingo Wegner (2000). Branching Programs and Binary Decision Diagrams.</li> DKV09</a> Manfred Droste, Werner Kuich, Heiko Vogler (2009). Handbook of Weighted Automata.</li> Juk12</a> Stasys Jukna (2012). Boolean Function Complexity.</li> Tha13</a> Justin Thaler (2013). Time-Optimal Interactive Proofs for Circuit Evaluation.</li> HR18</a> Justin Holmgren, Ron D. Rothblum (2018). Delegating computations with (almost) minimal time and space overhead.</li> Tha23</a> Justin Thaler (2023). Proofs, Arguments, and Zero Knowledge.</li> STW23</a> Srinath Setty, Justin Thaler, Riad Wahby (2023). Customizable constraint systems for succinct arguments</li> HJR+25</a> Tamir Hemo, Kevin Jue, Eugene Rabinovich, Gyumin Roh, Ron D. Rothblum (2025). Jagged Polynomial Commitments.</li> NTZ25</a> Vineet Nair, Justin Thaler, Michael Zhu (2025). Proving CPU Executions in Small Space</li> </ul> Sage Implementation</h1> def</span> bits</span>(</span>F</span>,</span> k</span>,</span> i</span>):</span></span> assert</span> i</span> <</span> 2</span>^</span>k</span></span> return</span> vector</span>(</span>F</span>,</span> reversed</span>(</span>ZZ</span>(</span>i</span>).</span>digits</span>(</span>2</span>,</span> padto</span>=</span>k</span>)))</span></span></code></pre>def</span> unbits</span>(</span>bits</span>):</span></span> return</span> sum</span>(</span>Integer</span>(</span>b</span>)</span> *</span> 2</span>^</span>(</span>len</span>(</span>bits</span>)</span> -</span> i</span> -</span> 1</span>)</span> for</span> i</span>,</span> b</span> in</span> enumerate</span>(</span>bits</span>))</span></span></code></pre>def</span> msb</span>(</span>k</span>):</span></span> P</span> =</span> Permutations</span>(</span>range</span>(</span>k</span>))</span></span> return</span> P</span>(</span>range</span>(</span>k</span>))</span></span></code></pre>def</span> lsb</span>(</span>k</span>):</span></span> P</span> =</span> Permutations</span>(</span>range</span>(</span>k</span>))</span></span> return</span> P</span>(</span>range</span>(</span>k</span>)[::</span>-</span>1</span>])</span></span></code></pre>def</span> eq</span>(</span>k</span>,</span> i</span>,</span> r</span>):</span></span> if</span> i</span> >=</span> 2</span>^</span>k</span>:</span></span> raise</span> ValueError</span>(</span>f</span>"index i=</span>{</span>i</span>}</span> larger than 2^</span>{</span>k</span>}</span> = </span>{</span>2</span>^</span>k</span>}</span>"</span>)</span></span> if not</span> isinstance</span>(</span>r</span>,</span> sage</span>.</span>structure</span>.</span>element</span>.</span>Vector</span>):</span></span> raise</span> TypeError</span>(</span>"r is not a vector"</span>)</span></span> if</span> len</span>(</span>r</span>)</span> !=</span> k</span>:</span></span> raise</span> ValueError</span>(</span>"length of r is not k = </span>{k}</span>"</span>)</span></span> </span> F</span> =</span> r</span>.</span>base_ring</span>()</span></span> result</span> =</span> F</span>.</span>one</span>()</span></span> for</span> j</span> in</span> range</span>(</span>k</span>):</span></span> if</span> i</span> &</span> (</span>1</span> <<</span> (</span>k</span> -</span> j</span> -</span> 1</span>))</span> ==</span> 0</span>:</span></span> result</span> *=</span> F</span>.</span>one</span>()</span> -</span> r</span>[</span>j</span>]</span></span> else</span>:</span></span> result</span> *=</span> r</span>[</span>j</span>]</span></span> return</span> result</span></span></code></pre>def</span> mle</span>(</span>w</span>,</span> x</span>):</span></span> if not</span> isinstance</span>(</span>w</span>,</span> sage</span>.</span>structure</span>.</span>element</span>.</span>Vector</span>):</span></span> raise</span> TypeError</span>(</span>"w is not a vector"</span>)</span></span> if not</span> isinstance</span>(</span>x</span>,</span> sage</span>.</span>structure</span>.</span>element</span>.</span>Vector</span>):</span></span> raise</span> TypeError</span>(</span>"x is not a vector"</span>)</span></span> if</span> w</span>.</span>base_ring</span>()</span> !=</span> x</span>.</span>base_ring</span>():</span></span> raise</span> ValueError</span>(</span>"w and x are not over the same field"</span>)</span></span> if</span> len</span>(</span>w</span>)</span> !=</span> 2</span>^</span>len</span>(</span>x</span>):</span></span> raise</span> ValueError</span>(</span>"length of w is not a 2^len(x)"</span>)</span></span> </span> k</span> =</span> len</span>(</span>x</span>)</span></span> def</span> rec</span>(</span>lo</span>,</span> hi</span>,</span> i</span>):</span></span> if</span> i</span> ==</span> k</span>:</span></span> return</span> w</span>[</span>lo</span>]</span></span> mid</span> =</span> (</span>lo</span> +</span> hi</span>)</span> //</span> 2</span></span> u0</span> =</span> rec</span>(</span>lo</span>,</span> mid</span>,</span> i</span> +</span> 1</span>)</span></span> u1</span> =</span> rec</span>(</span>mid</span>,</span> hi</span>,</span> i</span> +</span> 1</span>)</span></span> return</span> u0</span> +</span> x</span>[</span>i</span>]</span> *</span> (</span>u1</span> -</span> u0</span>)</span></span> </span> return</span> rec</span>(</span>0</span>,</span> len</span>(</span>w</span>),</span> 0</span>)</span></span></code></pre>Class WOBDD</h2> class</span> WOBDD</span>:</span></span> def</span> __init__</span>(</span>self</span>,</span> field</span>,</span> k</span>,</span> permutation</span>,</span> matrices</span>):</span></span> if not</span> permutation</span> in</span> Permutations</span>(</span>range</span>(</span>k</span>)):</span></span> raise</span> TypeError</span>(</span>f</span>"</span>{</span>permutation</span>}</span> not in </span>{</span>Permutations</span>(</span>range</span>(</span>k</span>))</span>}</span>"</span>)</span></span> </span> # Make sure matrix set size is correct</span></span> if not</span> isinstance</span>(</span>matrices</span>,</span> list</span>):</span></span> raise</span> TypeError</span>(</span>f</span>"matrices is not a list of list of matrices"</span>)</span></span> if</span> len</span>(</span>matrices</span>)</span> !=</span> k</span>:</span></span> raise</span> ValueError</span>(</span>f</span>"Number of matrix sets does not equal </span>{</span>k</span>}</span>"</span>)</span></span> u</span> =</span> 1</span></span> v</span> =</span> None</span></span> for</span> (</span>i</span>,</span> mis</span>)</span> in</span> enumerate</span>(</span>matrices</span>):</span></span> if not</span> isinstance</span>(</span>mis</span>,</span> list</span>)</span> or</span> len</span>(</span>mis</span>)</span> !=</span> 2</span>:</span></span> raise</span> TypeError</span>(</span>f</span>"matrices[</span>{</span>i</span>}</span>] is not a pair of matrices"</span>)</span></span> for</span> (</span>j</span>,</span> m</span>)</span> in</span> enumerate</span>(</span>mis</span>):</span></span> if not</span> isinstance</span>(</span>m</span>,</span> sage</span>.</span>structure</span>.</span>element</span>.</span>Matrix</span>):</span></span> raise</span> TypeError</span>(</span>f</span>"matrices[</span>{</span>i</span>}</span>][</span>{</span>j</span>}</span>] is not a matrix"</span>)</span></span> if</span> m</span>.</span>base_ring</span>()</span> !=</span> field</span>:</span></span> raise</span> TypeError</span>(</span>f</span>"matrices[</span>{</span>i</span>}</span>][</span>{</span>j</span>}</span>] is not a matrix over the field"</span>)</span></span> v</span> =</span> v</span> or</span> m</span>.</span>ncols</span>()</span></span> if</span> i</span> ==</span> k</span> -</span> 1</span>:</span></span> v</span> =</span> 1</span></span> if</span> m</span>.</span>dimensions</span>()</span> !=</span> (</span>u</span>,</span> v</span>):</span></span> raise</span> TypeError</span>(</span>f</span>"matrices[</span>{</span>i</span>}</span>][</span>{</span>j</span>}</span>] is not of dimension </span>{</span>u</span>}</span> x </span>{</span>v</span>}</span>"</span>)</span></span> (</span>u</span>,</span> v</span>)</span> =</span> (</span>v</span>,</span> None</span>)</span></span> </span> self</span>.</span>field</span> =</span> field</span></span> self</span>.</span>k</span> =</span> k</span></span> self</span>.</span>permutation</span> =</span> permutation</span></span> self</span>.</span>matrices</span> =</span> matrices</span></span> </span> def</span> random</span>(</span>field</span>,</span> k</span>,</span> permutation</span>=</span>None</span>,</span> max_width</span>=</span>5</span>):</span></span> permutation</span> =</span> permutation</span> or</span> Permutations</span>(</span>range</span>(</span>k</span>)).</span>random_element</span>()</span></span> u</span> =</span> [</span>1</span>]</span> +</span> [</span>randint</span>(</span>1</span>,</span> max_width</span>)</span> for</span> _</span> in</span> range</span>(</span>k</span>-</span>1</span>)]</span> +</span> [</span>1</span>]</span></span> matrices</span> =</span> []</span></span> for</span> i</span> in</span> range</span>(</span>k</span>):</span></span> V</span> =</span> MatrixSpace</span>(</span>field</span>,</span> u</span>[</span>i</span>],</span> u</span>[</span>i</span>+</span>1</span>])</span></span> matrices</span>.</span>append</span>([</span>V</span>.</span>random_element</span>(),</span> V</span>.</span>random_element</span>()])</span></span> return</span> WOBDD</span>(</span>field</span>,</span> k</span>,</span> permutation</span>,</span> matrices</span>)</span></span> </span> def</span> __repr__</span>(</span>self</span>):</span></span> return</span> f</span>"WOBDD width=</span>{</span>self</span>.</span>width</span>()</span>}</span> over </span>{</span>VectorSpace</span>(</span>self</span>.</span>field</span>,</span> self</span>.</span>k</span>)</span>}</span>"</span></span> </span> def</span> __call__</span>(</span>self</span>,</span> r</span>):</span></span> if</span> isinstance</span>(</span>r</span>,</span> Integer</span>)</span> or</span> isinstance</span>(</span>r</span>,</span> int</span>):</span></span> r</span> =</span> bits</span>(</span>self</span>.</span>field</span>,</span> self</span>.</span>k</span>,</span> r</span>)</span></span> if not</span> isinstance</span>(</span>r</span>,</span> sage</span>.</span>structure</span>.</span>element</span>.</span>Vector</span>):</span></span> raise</span> TypeError</span>(</span>"r is not a vector"</span>)</span></span> if</span> r</span>.</span>base_ring</span>()</span> !=</span> self</span>.</span>field</span>:</span></span> raise</span> ValueError</span>(</span>"r is not over the field"</span>)</span></span> r</span> =</span> [</span>r</span>[</span>self</span>.</span>permutation</span>[</span>i</span>]]</span> for</span> i</span> in</span> range</span>(</span>self</span>.</span>k</span>)]</span></span> M</span> =</span> matrix</span>(</span>self</span>.</span>field</span>, [</span>1</span>])</span></span> for</span> ri</span>, [</span>Mi0</span>,</span> Mi1</span>]</span> in</span> zip</span>(</span>r</span>,</span> self</span>.</span>matrices</span>):</span></span> M</span> *=</span> (</span>1</span> -</span> ri</span>)</span> *</span> Mi0</span> +</span> ri</span> *</span> Mi1</span></span> return</span> M</span>[</span>0</span>,</span>0</span>]</span></span> </span> def</span> width</span>(</span>self</span>):</span></span> return</span> max</span>(</span>m</span>.</span>nrows</span>()</span> for</span> ms</span> in</span> self</span>.</span>matrices</span> for</span> m</span> in</span> ms</span>)</span></span> </span> def</span> weights</span>(</span>self</span>):</span></span> return</span> vector</span>(</span>self</span>.</span>field</span>, [</span>self</span>(</span>i</span>)</span> for</span> i</span> in</span> range</span>(</span>2</span>^</span>self</span>.</span>k</span>)])</span></span> </span> def</span> assert_compatible</span>(</span>self</span>,</span> other</span>):</span></span> if</span> self</span>.</span>field</span> !=</span> other</span>.</span>field</span>:</span></span> raise</span> ValueError</span>(</span>"Not in same field"</span>)</span></span> if</span> self</span>.</span>permutation</span> !=</span> other</span>.</span>permutation</span>:</span></span> raise</span> ValueError</span>(</span>"Different permutation"</span>)</span></span> </span> def</span> is_compatible</span>(</span>self</span>,</span> other</span>):</span></span> try</span>:</span></span> self</span>.</span>assert_compatible</span>(</span>other</span>)</span></span> except</span>:</span></span> return</span> False</span></span> return</span> True</span></span> </span> def</span> lift</span>(</span>self</span>,</span> field</span>):</span></span> if not</span> field</span>.</span>has_coerce_map_from</span>(</span>self</span>.</span>field</span>):</span></span> raise</span> ValueError</span>(</span>f</span>"Can not lift from </span>{</span>self</span>.</span>field</span>}</span> to </span>{</span>field</span>}</span>"</span>)</span></span> matrices</span> =</span> [[</span>m</span>.</span>change_ring</span>(</span>field</span>)</span> for</span> m</span> in</span> ms</span>]</span> for</span> ms</span> in</span> self</span>.</span>matrices</span>]</span></span> return</span> WOBDD</span>(</span>field</span>,</span> self</span>.</span>k</span>,</span> self</span>.</span>permutation</span>,</span> matrices</span>)</span></span> </span> def</span> lower</span>(</span>self</span>,</span> F</span>,</span> i</span>):</span></span> (</span>V</span>,</span> v_to_f</span>,</span> f_to_v</span>)</span> =</span> self</span>.</span>field</span>.</span>vector_space</span>(</span>F</span>)</span></span> basis</span> =</span> [</span>v_to_f</span>(</span>x</span>)</span> for</span> x</span> in</span> V</span>.</span>basis</span>()]</span></span> </span> def</span> mul</span>(</span>x</span>):</span></span> return</span> matrix</span>([</span>f_to_v</span>(</span>x</span> *</span> beta</span>)</span> for</span> beta</span> in</span> basis</span>])</span></span> </span> def</span> lower_matrix</span>(</span>matrix</span>):</span></span> return</span> block_matrix</span>([[</span>mul</span>(</span>x</span>)</span> for</span> x</span> in</span> row</span>]</span> for</span> row</span> in</span> matrix</span>.</span>rows</span>()])</span></span> </span> matrices</span> =</span> [[</span>lower_matrix</span>(</span>m</span>)</span> for</span> m</span> in</span> ms</span>]</span> for</span> ms</span> in</span> self</span>.</span>matrices</span>]</span></span> e</span> =</span> f_to_v</span>(</span>1</span>)</span></span> matrices</span>[</span>0</span>]</span> =</span> [</span>matrix</span>(</span>e</span> *</span> m</span>)</span> for</span> m</span> in</span> matrices</span>[</span>0</span>]]</span></span> e</span> =</span> V</span>.</span>basis</span>()[</span>i</span>]</span></span> matrices</span>[</span>-</span>1</span>]</span> =</span> [</span>matrix</span>(</span>m</span> *</span> e</span>).</span>T</span> for</span> m</span> in</span> matrices</span>[</span>-</span>1</span>]]</span></span> return</span> WOBDD</span>(</span>F</span>,</span> self</span>.</span>k</span>,</span> self</span>.</span>permutation</span>,</span> matrices</span>)</span></span> </span> def</span> __add__</span>(</span>self</span>,</span> other</span>):</span></span> if not</span> isinstance</span>(</span>other</span>,</span> WOBDD</span>):</span></span> return</span> NotImplemented</span></span> self</span>.</span>assert_compatible</span>(</span>other</span>)</span></span> matrices</span> =</span> [</span></span> [</span>block_matrix</span>([[</span>m1</span>,</span> m2</span>]])</span> for</span> (</span>m1</span>,</span> m2</span>)</span> in</span> zip</span>(</span>self</span>.</span>matrices</span>[</span>0</span>],</span> other</span>.</span>matrices</span>[</span>0</span>])],</span></span> ]</span></span> for</span> i</span> in</span> range</span>(</span>1</span>,</span> len</span>(</span>self</span>.</span>matrices</span>)</span> -</span> 1</span>):</span></span> matrices</span> +=</span> [</span></span> [</span>block_matrix</span>([[</span>m1</span>,</span> 0</span>], [</span>0</span>,</span> m2</span>]])</span> for</span> (</span>m1</span>,</span> m2</span>)</span> in</span> zip</span>(</span>self</span>.</span>matrices</span>[</span>i</span>],</span> other</span>.</span>matrices</span>[</span>i</span>])],</span></span> ]</span></span> matrices</span> +=</span> [</span></span> [</span>block_matrix</span>([[</span>m1</span>], [</span>m2</span>]])</span> for</span> (</span>m1</span>,</span> m2</span>)</span> in</span> zip</span>(</span>self</span>.</span>matrices</span>[</span>-</span>1</span>],</span> other</span>.</span>matrices</span>[</span>-</span>1</span>])],</span></span> ]</span></span> return</span> WOBDD</span>(</span>self</span>.</span>field</span>,</span> self</span>.</span>k</span>,</span> self</span>.</span>permutation</span>,</span> matrices</span>)</span></span> </span> def</span> __mul__</span>(</span>self</span>,</span> other</span>):</span></span> #</span> TODO</span>: Scalar multiplication.</span></span> if not</span> isinstance</span>(</span>other</span>,</span> WOBDD</span>):</span></span> return</span> NotImplemented</span></span> self</span>.</span>assert_compatible</span>(</span>other</span>)</span></span> matrices</span> =</span> [</span></span> [</span>m1</span>.</span>tensor_product</span>(</span>m2</span>)</span> for</span> (</span>m1</span>,</span> m2</span>)</span> in</span> zip</span>(</span>m1s</span>,</span> m2s</span>)]</span></span> for</span> (</span>m1s</span>,</span> m2s</span>)</span> in</span> zip</span>(</span>self</span>.</span>matrices</span>,</span> other</span>.</span>matrices</span>)</span></span> ]</span></span> return</span> WOBDD</span>(</span>self</span>.</span>field</span>,</span> self</span>.</span>k</span>,</span> self</span>.</span>permutation</span>,</span> matrices</span>)</span></span> </span> def</span> reverse</span>(</span>self</span>):</span></span> P</span> =</span> Permutations</span>(</span>range</span>(</span>self</span>.</span>k</span>))</span></span> permutation</span> =</span> P</span>(</span>self</span>.</span>permutation</span>[::</span>-</span>1</span>])</span></span> matrices</span> =</span> []</span></span> for</span> mis</span> in</span> self</span>.</span>matrices</span>[::</span>-</span>1</span>]:</span></span> matrices</span> +=</span> [[</span>m</span>.</span>transpose</span>()</span> for</span> m</span> in</span> mis</span>]]</span></span> </span> return</span> WOBDD</span>(</span>self</span>.</span>field</span>,</span> self</span>.</span>k</span>,</span> permutation</span>,</span> matrices</span>)</span></span></code></pre>WOBDD Examples</h2> def</span> popcount</span>(</span>F</span>,</span> k</span>):</span></span> matrices</span> =</span> (</span></span> [[</span>Matrix</span>(</span>F</span>, [[</span>1</span>,</span> b</span>]])</span> for</span> b</span> in</span> [</span>0</span>,</span>1</span>]]]</span> +</span></span> [[</span>Matrix</span>(</span>F</span>, [</span></span> [</span>1</span>,</span> b</span>],</span></span> [</span>0</span>,</span> 1</span>]</span></span> ])</span> for</span> b</span> in</span> [</span>0</span>,</span>1</span>]]</span> for</span> i</span> in</span> range</span>(</span>1</span>,</span>k</span>-</span>1</span>)]</span> +</span></span> [[</span>Matrix</span>(</span>F</span>, [[</span>b</span>], [</span>1</span>]])</span> for</span> b</span> in</span> [</span>0</span>,</span>1</span>]]])</span></span> return</span> WOBDD</span>(</span>F</span>,</span> k</span>,</span> lsb</span>(</span>k</span>),</span> matrices</span>)</span></span></code></pre>def</span> counter</span>(</span>F</span>,</span> k</span>,</span> start</span>=</span>0</span>):</span></span> matrices</span> =</span> (</span></span> [[</span>Matrix</span>(</span>F</span>, [[</span>2</span>,</span> start</span> +</span> b</span>]])</span> for</span> b</span> in</span> [</span>0</span>,</span>1</span>]]]</span> +</span></span> [[</span>Matrix</span>(</span>F</span>, [</span></span> [</span>2</span>,</span> b</span>],</span></span> [</span>0</span>,</span> 1</span>]</span></span> ])</span> for</span> b</span> in</span> [</span>0</span>,</span>1</span>]]</span> for</span> i</span> in</span> range</span>(</span>1</span>,</span>k</span>-</span>1</span>)]</span> +</span></span> [[</span>Matrix</span>(</span>F</span>, [[</span>b</span>], [</span>1</span>]])</span> for</span> b</span> in</span> [</span>0</span>,</span>1</span>]]])</span></span> return</span> WOBDD</span>(</span>F</span>,</span> k</span>,</span> lsb</span>(</span>k</span>),</span> matrices</span>)</span></span></code></pre>def</span> bitwise</span>(</span>F</span>,</span> k</span>,</span> op</span>):</span></span> permutation</span> =</span> Permutations</span>(</span>range</span>(</span>2</span> *</span> k</span>))([</span>j</span> for</span> i</span> in</span> range</span>(</span>k</span>)</span> for</span> j</span> in</span> [</span>i</span>,</span> i</span>+</span>k</span>]])</span></span> matrices</span> =</span> []</span></span> matrices</span>.</span>append</span>([</span>Matrix</span>(</span>F</span>, [[</span>1</span>,</span> 0</span>,</span> 1</span>-</span>b</span>,</span> b</span>]])</span> for</span> b</span> in</span> [</span>0</span>,</span>1</span>]])</span></span> for</span> i</span> in</span> range</span>(</span>k</span>-</span>1</span>):</span></span> matrices</span>.</span>append</span>([</span>Matrix</span>(</span>F</span>, [</span></span> [</span>1</span>,</span> 0</span>,</span> 0</span>,</span> 0</span>],</span></span> [</span>0</span>,</span> 1</span>,</span> 2</span>^</span>(</span>k</span> -</span> i</span> -</span> 1</span>)</span> *</span> op</span>(</span>b</span>,</span> 0</span>),</span> 2</span>^</span>(</span>k</span> -</span> i</span> -</span> 1</span>)</span> *</span> op</span>(</span>b</span>,</span> 1</span>)]</span></span> ]).</span>T</span> for</span> b</span> in</span> [</span>0</span>,</span>1</span>]])</span></span> matrices</span>.</span>append</span>([</span>Matrix</span>(</span>F</span>, [</span></span> [</span>1</span>,</span> 0</span>,</span> 1</span>-</span>b</span>,</span> b</span>],</span></span> [</span>0</span>,</span> 1</span>,</span> 0</span>,</span> 0</span>],</span></span> ])</span> for</span> b</span> in</span> [</span>0</span>,</span>1</span>]])</span></span> i</span> =</span> k</span> -</span> 1</span></span> matrices</span>.</span>append</span>([</span>Matrix</span>(</span>F</span>, [[</span>0</span>,</span> 1</span>,</span> 2</span>^</span>(</span>k</span> -</span> i</span> -</span> 1</span>)</span> *</span> op</span>(</span>b</span>,</span> 0</span>),</span> 2</span>^</span>(</span>k</span> -</span> i</span> -</span> 1</span>)</span> *</span> op</span>(</span>b</span>,</span> 1</span>)]]).</span>T</span> for</span> b</span> in</span> [</span>0</span>,</span>1</span>]])</span></span> return</span> WOBDD</span>(</span>F</span>,</span> 2</span>*</span>k</span>,</span> permutation</span>,</span> matrices</span>)</span></span></code></pre>Class Transducer</h2> class</span> Transducer</span>:</span></span> def</span> __init__</span>(</span>self</span>,</span> field</span>,</span> k</span>,</span> permutation</span>,</span> initial_states</span>,</span> transitions</span>):</span></span> if not</span> permutation</span> in</span> Permutations</span>(</span>range</span>(</span>k</span>)):</span></span> raise</span> TypeError</span>(</span>f</span>"</span>{</span>permutation</span>}</span> not in </span>{</span>Permutations</span>(</span>range</span>(</span>k</span>))</span>}</span>"</span>)</span></span> # Expand repeated rules to lists</span></span> if not</span> isinstance</span>(</span>transitions</span>,</span> list</span>):</span></span> transitions</span> =</span> [</span>transitions</span>]</span> *</span> k</span></span> if not</span> len</span>(</span>transitions</span>)</span> ==</span> k</span>:</span></span> raise</span> TypeError</span>(</span>f</span>"len(transitions) is </span>{</span>len</span>(</span>transitions</span>)</span>}</span> not </span>{</span>k</span>}</span>"</span>)</span></span> </span> # Validate, extract reachable states by layer, and relabel states to [0, len(states))</span></span> states</span> =</span> [</span>len</span>(</span>initial_states</span>)]</span></span> labels</span> =</span> initial_states</span></span> transition_relation</span> =</span> []</span></span> for</span> i</span>,</span> transitions</span> in</span> enumerate</span>(</span>transitions</span>):</span></span> # Expand functions to relations</span></span> if</span> callable</span>(</span>transitions</span>):</span></span> relation</span> =</span> []</span></span> for</span> s</span> in</span> range</span>(</span>states</span>[</span>-</span>1</span>]):</span></span> for</span> b</span> in</span> [</span>0</span>,</span> 1</span>]:</span></span> [</span>next_state</span>,</span> output</span>,</span> weight</span>]</span> =</span> transitions</span>(</span>i</span>,</span> labels</span>[</span>s</span>],</span> b</span>)</span></span> relation</span>.</span>append</span>([</span>s</span>,</span> b</span>,</span> next_state</span>,</span> output</span>,</span> weight</span>])</span></span> transitions</span> =</span> relation</span></span> else</span>:</span></span> transitions</span> =</span> [[</span>labels</span>.</span>index</span>(</span>s</span>),</span> b</span>,</span> ns</span>,</span> o</span>,</span> w</span>]</span> for</span> [</span>s</span>,</span>b</span>,</span>ns</span>,</span>o</span>,</span>w</span>]</span> in</span> transitions</span> if</span> s</span> in</span> labels</span>]</span></span> for</span> [</span>s</span>,</span> b</span>,</span> ns</span>,</span> o</span>,</span> w</span>]</span> in</span> transitions</span>:</span></span> assert</span> b</span> in</span> [</span>0</span>,</span>1</span>]</span></span> assert</span> o</span> in</span> [</span>0</span>,</span>1</span>]</span></span> # Remove zero-weight transitions</span></span> transitions</span> =</span> [[</span>s</span>,</span> b</span>,</span> ns</span>,</span> o</span>,</span> w</span>]</span> for</span> [</span>s</span>,</span>b</span>,</span>ns</span>,</span>o</span>,</span>w</span>]</span> in</span> transitions</span> if</span> w</span> !=</span> 0</span>]</span></span> labels</span> =</span> list</span>(</span>set</span>(</span>t</span>[</span>2</span>]</span> for</span> t</span> in</span> transitions</span>))</span></span> states</span>.</span>append</span>(</span>len</span>(</span>labels</span>))</span></span> transition_relation</span>.</span>append</span>([[</span>s</span>,</span> b</span>,</span> labels</span>.</span>index</span>(</span>n</span>),</span> o</span>,</span> w</span>]</span> for</span> [</span>s</span>,</span>b</span>,</span>n</span>,</span>o</span>,</span>w</span>]</span> in</span> transitions</span>])</span></span> #</span> TODO</span>: Backwards reachability pass, general minimization, pow-2 tricks</span></span> </span> self</span>.</span>field</span> =</span> field</span></span> self</span>.</span>k</span> =</span> k</span></span> self</span>.</span>permutation</span> =</span> permutation</span></span> self</span>.</span>states</span> =</span> states</span></span> self</span>.</span>initial_states</span> =</span> initial_states</span></span> self</span>.</span>transition</span> =</span> transition_relation</span></span> </span> def</span> __repr__</span>(</span>self</span>):</span></span> return</span> f</span>"Transducer on </span>{</span>self</span>.</span>k</span>}</span> bits of width </span>{</span>self</span>.</span>width</span>()</span>}</span>"</span></span> </span> def</span> width</span>(</span>self</span>):</span></span> return</span> max</span>(</span>self</span>.</span>states</span>)</span></span> </span> def</span> paths</span>(</span>self</span>,</span> input</span>):</span></span> if</span> isinstance</span>(</span>input</span>,</span> Integer</span>)</span> or</span> isinstance</span>(</span>input</span>,</span> int</span>):</span></span> input</span> =</span> bits</span>(</span>GF</span>(</span>2</span>),</span> self</span>.</span>k</span>,</span> input</span>)</span></span> if not</span> isinstance</span>(</span>input</span>,</span> sage</span>.</span>structure</span>.</span>element</span>.</span>Vector</span>):</span></span> raise</span> TypeError</span>(</span>"input is not a vector"</span>)</span></span> for</span> ri</span> in</span> input</span>:</span></span> if</span> ri</span> !=</span> 0</span> and</span> ri</span> !=</span> 1</span>:</span></span> raise</span> ValueError</span>(</span>"input is not a bitvector"</span>)</span></span> input</span> =</span> [</span>input</span>[</span>self</span>.</span>permutation</span>[</span>i</span>]]</span> for</span> i</span> in</span> range</span>(</span>self</span>.</span>k</span>)]</span></span> </span> paths</span> =</span> [(</span>s</span>,[],</span> self</span>.</span>field</span>(</span>1</span>))</span> for</span> s</span> in</span> self</span>.</span>initial_states</span>]</span></span> output</span> =</span> []</span></span> for</span> input</span>,</span> transitions</span> in</span> zip</span>(</span>input</span>,</span> self</span>.</span>transition</span>):</span></span> next_paths</span> =</span> []</span></span> for</span> [</span>state</span>,</span> outputs</span>,</span> weight</span>]</span> in</span> paths</span>:</span></span> for</span> [</span>s</span>,</span> b</span>,</span> ns</span>,</span> o</span>,</span> w</span>]</span> in</span> transitions</span>:</span></span> if</span> b</span> !=</span> input</span> or</span> s</span> !=</span> state</span>:</span></span> continue</span></span> next_paths</span>.</span>append</span>((</span>ns</span>,</span> outputs</span> +</span> [</span>o</span>],</span> weight</span> *</span> w</span>))</span></span> paths</span> =</span> next_paths</span></span> </span> def</span> unpermute</span>(</span>l</span>):</span></span> result</span> =</span> [</span>None</span>]</span> *</span> self</span>.</span>k</span></span> for</span> i</span> in</span> range</span>(</span>self</span>.</span>k</span>):</span></span> result</span>[</span>self</span>.</span>permutation</span>[</span>i</span>]]</span> =</span> l</span>[</span>i</span>]</span></span> return</span> result</span></span> </span> return</span> [(</span>unpermute</span>(</span>o</span>),</span> w</span>)</span> for</span> (</span>s</span>,</span> o</span>,</span> w</span>)</span> in</span> paths</span>]</span></span> </span> def</span> matrix</span>(</span>self</span>):</span></span> m</span> =</span> matrix</span>(</span>self</span>.</span>field</span>,</span> 2</span>^</span>self</span>.</span>k</span>,</span> 2</span>^</span>self</span>.</span>k</span>)</span></span> for</span> i</span> in</span> range</span>(</span>2</span>^</span>self</span>.</span>k</span>):</span></span> for</span> (</span>j</span>,</span> w</span>)</span> in</span> self</span>.</span>paths</span>(</span>i</span>):</span></span> m</span>[</span>i</span>,</span> unbits</span>(</span>j</span>)]</span> =</span> w</span></span> return</span> m</span></span> </span> def</span> action</span>(</span>self</span>,</span> wobdd</span>):</span></span> if not</span> isinstance</span>(</span>wobdd</span>,</span> WOBDD</span>):</span></span> raise</span> TypeError</span>(</span>"wobdd is not a WOBDD"</span>)</span></span> if</span> self</span>.</span>permutation</span> !=</span> wobdd</span>.</span>permutation</span>:</span></span> raise</span> TypeError</span>(</span>"wobdd is not compatible"</span>)</span></span> #</span> TODO</span>: This fails in the degenerate case where there are zero states.</span></span> </span> matrices</span> =</span> []</span></span> for</span> (</span>i</span>, (</span>transitions</span>,</span> Mi</span>))</span> in</span> enumerate</span>(</span>zip</span>(</span>self</span>.</span>transition</span>,</span> wobdd</span>.</span>matrices</span>)):</span></span> u</span>,</span> v</span> =</span> Mi</span>[</span>0</span>].</span>dimensions</span>()</span></span> blocks</span> =</span> [[[</span>matrix</span>(</span>wobdd</span>.</span>field</span>,</span> u</span>,</span> v</span>)</span> for</span> _</span> in</span> range</span>(</span>self</span>.</span>states</span>[</span>i</span> +</span> 1</span>])]</span> for</span> _</span> in</span> range</span>(</span>self</span>.</span>states</span>[</span>i</span>])]</span> for</span> _</span> in</span> range</span>(</span>2</span>)]</span></span> for</span> [</span>s</span>,</span> b</span>,</span> ns</span>,</span> o</span>,</span> w</span>]</span> in</span> transitions</span>:</span></span> blocks</span>[</span>b</span>][</span>s</span>][</span>ns</span>]</span> +=</span> w</span> *</span> Mi</span>[</span>o</span>]</span></span> mi</span> =</span> [</span>block_matrix</span>(</span>m</span>)</span> for</span> m</span> in</span> blocks</span>]</span></span> if</span> i</span> ==</span> 0</span>:</span></span> mi</span> =</span> [</span>matrix</span>(</span>sum</span>(</span>M</span>.</span>rows</span>()))</span> for</span> M</span> in</span> mi</span>]</span></span> elif</span> i</span> ==</span> self</span>.</span>k</span> -</span> 1</span>:</span></span> mi</span> =</span> [</span>matrix</span>(</span>sum</span>(</span>M</span>.</span>columns</span>())).</span>T</span> for</span> M</span> in</span> mi</span>]</span></span> </span> matrices</span>.</span>append</span>(</span>mi</span>)</span></span> return</span> WOBDD</span>(</span>wobdd</span>.</span>field</span>,</span> self</span>.</span>k</span>,</span> self</span>.</span>permutation</span>,</span> matrices</span>)</span></span></code></pre>Transducer Examples</h2> def</span> less_than</span>(</span>F</span>,</span> k</span>,</span> c</span>):</span></span> permutation</span> =</span> lsb</span>(</span>k</span>)</span></span> initial_states</span> =</span> [</span>0</span>]</span></span> c</span> =</span> bits</span>(</span>ZZ</span>,</span> k</span>,</span> c</span>)[::</span>-</span>1</span>]</span></span> def</span> transition</span>(</span>i</span>,</span> state</span>,</span> input_bit</span>):</span></span> next_state</span> =</span> 1</span> if</span> input_bit</span> <</span> state</span> +</span> c</span>[</span>i</span>]</span> else</span> 0</span></span> output_bit</span> =</span> input_bit</span></span> weight</span> =</span> 1</span> if</span> i</span> <</span> k</span>-</span>1</span> else</span> next_state</span></span> return</span> (</span>next_state</span>,</span> output_bit</span>,</span> weight</span>)</span></span> return</span> Transducer</span>(</span>F</span>,</span> k</span>,</span> permutation</span>,</span> initial_states</span>,</span> transition</span>)</span></span></code></pre>def</span> shift</span>(</span>F</span>,</span> k</span>,</span> c</span>,</span> kind</span>=</span>'left'</span>):</span></span> if</span> kind</span> ==</span> 'left'</span>:</span></span> weights</span> =</span> [</span>1</span>,</span>0</span>]</span></span> elif</span> kind</span> ==</span> 'right'</span>:</span></span> c</span> =</span> 2</span>^</span>k</span> -</span> c</span></span> weights</span> =</span> [</span>0</span>,</span>1</span>]</span></span> elif</span> kind</span> ==</span> 'cyclic'</span>:</span></span> weights</span> =</span> [</span>1</span>,</span>1</span>]</span></span> else</span>:</span></span> raise</span> ValueError</span>(</span>f</span>"Unknown kind </span>{</span>kind</span>}</span>"</span>)</span></span> </span> permutation</span> =</span> lsb</span>(</span>k</span>)</span></span> initial_states</span> =</span> [</span>0</span>]</span></span> c</span> =</span> bits</span>(</span>ZZ</span>,</span> k</span>,</span> c</span>)[::</span>-</span>1</span>]</span></span> def</span> transition</span>(</span>i</span>,</span> s</span>,</span> b</span>):</span></span> t</span> =</span> s</span> +</span> b</span> +</span> c</span>[</span>i</span>]</span></span> next_state</span> =</span> t</span> //</span> 2</span></span> output_bit</span> =</span> t</span> %</span> 2</span></span> weight</span> =</span> weights</span>[</span>next_state</span>]</span> if</span> i</span> ==</span> k</span> -</span> 1</span> else</span> 1</span></span> return</span> (</span>next_state</span>,</span> output_bit</span>,</span> weight</span>)</span></span> return</span> Transducer</span>(</span>F</span>,</span> k</span>,</span> permutation</span>,</span> initial_states</span>,</span> transition</span>)</span></span></code></pre>def</span> division</span>(</span>F</span>,</span> k</span>,</span> c</span>):</span></span> permutation</span> =</span> msb</span>(</span>k</span>)</span></span> initial_states</span> =</span> [</span>0</span>]</span></span> def</span> transition</span>(</span>i</span>,</span> state</span>,</span> input_bit</span>):</span></span> t</span> =</span> 2</span> *</span> state</span> +</span> input_bit</span></span> next_state</span> =</span> t</span> %</span> c</span></span> output_bit</span> =</span> t</span> //</span> c</span></span> weight</span> =</span> 1</span></span> return</span> (</span>next_state</span>,</span> output_bit</span>,</span> weight</span>)</span></span> return</span> Transducer</span>(</span>F</span>,</span> k</span>,</span> permutation</span>,</span> initial_states</span>,</span> transition</span>)</span></span></code></pre>def</span> hadamard</span>(</span>F</span>,</span> k</span>):</span></span> permutation</span> =</span> lsb</span>(</span>k</span>)</span></span> initial_states</span> =</span> 's'</span></span> transitions</span> =</span> []</span></span> for</span> i</span> in</span> range</span>(</span>k</span>):</span></span> transitions</span>.</span>append</span>([</span></span> (</span>'s'</span>,</span> 0</span>,</span> 's'</span>,</span> 0</span>,</span> F</span>(</span>1</span>)),</span></span> (</span>'s'</span>,</span> 0</span>,</span> 's'</span>,</span> 1</span>,</span> F</span>(</span>1</span>)),</span></span> (</span>'s'</span>,</span> 1</span>,</span> 's'</span>,</span> 0</span>,</span> F</span>(</span>1</span>)),</span></span> (</span>'s'</span>,</span> 1</span>,</span> 's'</span>,</span> 1</span>,</span> F</span>(</span>-</span>1</span>))</span></span> ])</span></span> return</span> Transducer</span>(</span>F</span>,</span> k</span>,</span> permutation</span>,</span> initial_states</span>,</span> transitions</span>)</span></span></code></pre>def</span> prefix_sum</span>(</span>F</span>,</span> k</span>):</span></span> permutation</span> =</span> msb</span>(</span>k</span>)</span></span> initial_states</span> =</span> 'eq'</span></span> transitions</span> =</span> []</span></span> for</span> i</span> in</span> range</span>(</span>k</span>):</span></span> transitions</span>.</span>append</span>([</span></span> (</span>'lt'</span>,</span> 0</span>,</span> 'lt'</span>,</span> 0</span>,</span> F</span>(</span>1</span>)),</span></span> (</span>'lt'</span>,</span> 0</span>,</span> 'lt'</span>,</span> 1</span>,</span> F</span>(</span>1</span>)),</span></span> (</span>'lt'</span>,</span> 1</span>,</span> 'lt'</span>,</span> 0</span>,</span> F</span>(</span>1</span>)),</span></span> (</span>'lt'</span>,</span> 1</span>,</span> 'lt'</span>,</span> 1</span>,</span> F</span>(</span>1</span>)),</span></span> (</span>'eq'</span>,</span> 0</span>,</span> 'eq'</span>,</span> 0</span>,</span> F</span>(</span>1</span>)),</span></span> (</span>'eq'</span>,</span> 1</span>,</span> 'lt'</span>,</span> 0</span>,</span> F</span>(</span>1</span>)),</span></span> (</span>'eq'</span>,</span> 1</span>,</span> 'eq'</span>,</span> 1</span>,</span> F</span>(</span>1</span>)),</span></span> ])</span></span> return</span> Transducer</span>(</span>F</span>,</span> k</span>,</span> permutation</span>,</span> initial_states</span>,</span> transitions</span>)</span></span></code></pre>def</span> fold</span>(</span>F</span>,</span> k</span>,</span> coeffs</span>):</span></span> p</span> =</span> len</span>(</span>coeffs</span>)</span></span> permutation</span> =</span> lsb</span>(</span>k</span>)</span></span> initial_states</span> =</span> range</span>(</span>p</span>)</span></span> def</span> transition</span>(</span>i</span>,</span> carry</span>,</span> input_bit</span>):</span></span> t</span> =</span> carry</span> +</span> p</span> *</span> input_bit</span></span> next_carry</span> =</span> t</span> //</span> 2</span></span> output_bit</span> =</span> t</span> %</span> 2</span></span> weight</span> =</span> coeffs</span>[</span>carry</span>]</span> if</span> i</span> ==</span> 0</span> else</span> 1</span></span> if</span> i</span> ==</span> k</span> -</span> 1</span>:</span></span> weight</span> =</span> 1</span> if</span> next_carry</span> ==</span> 0</span> else</span> 0</span></span> return</span> (</span>next_carry</span>,</span> output_bit</span>,</span> weight</span>)</span></span> return</span> Transducer</span>(</span>F</span>,</span> k</span>,</span> permutation</span>,</span> initial_states</span>,</span> transition</span>)</span></span></code></pre> Embedding Inner Products 2025-09-19T00:00:00+00:00 Embedding Inner Products</h1> $\gdef\p#1{\left({#1}\right)} \gdef\ceil#1{\left\lceil{#1}\right\rceil} \gdef\norm#1{\left|{#1}\right|} \gdef\vec#1{\mathbf{#1}} \gdef\mat#1{\mathrm{#1}} \gdef\F{\mathbb{F}} \gdef\i{\mathrm{i}} \gdef\j{\mathrm{j}} </span></p>$ In cryptographic protocols it's useful to compute inner products over small fields $\F_p</span> while using a large extension field \F_{p^d}</span>. The naive approach of embedding \F_p</span> into \F_{p^d}</span> directly incurs a d</span> overhead in memory and d^2</span> overhead in multiplications. In this article I present an approach based on bilinear embeddings that is simple, has no memory overhead, and only a d</span> overhead in multiplications.</p>$ Inner Product Commitment Schemes</h2> Recent commitment schemes such as WHIR (AC+24</a>) and Ligerito (NA25</a>) are not just multivariate polynomial commitment schemes, but something more general: inner product commitment schemes. Let's quickly define these:</p> Definition 1.</strong> An Inner Product Commitment Scheme</em> has $\mathsf{commit}</span>, \mathsf{open}</span> and \mathsf{verify}</span> algorithms.</p>$ The $\mathsf{commit}</span> algorithm takes a vector \vec v \in \F_q^n</span> and outputs a commitment C</span> to \vec v</span>.</li>$ The $\mathsf{open}</span> algorithm takes a commitment C</span>, a vector \vec w \in \F_q^n</span> and a value y \in \F_q</span> and outputs a proof \pi</span> that the inner product \vec v \cdot \vec w = \sum_{i \in [0,n)} v_i \cdot w_i</span> equals y</span>.</li>$ The $\mathsf{verify}</span> algorithm takes C, \vec w, y, \pi</span> and outputs true if the proof is valid and false otherwise.</li> </ul> </div> Observe that this generalizes over polynomial commitment schemes: Take \vec v</span> to be coefficients in some basis and \vec w</span> to be evaluations of the basis polynomials at a certain point. This works regardless of the basis so this includes Lagrange, monomial and multivariate bases.</p> Aside: Verifier Succinctness</h3> In the definition above, the verifier needs to process a vector \vec w</span> of size n</span>. This is not ideal, as we would like the verifier's work to be sub-linear in n</span>. Both WHIR and Ligerito only require the verifier to compute a single value from \vec w</span>:</p> \widetilde{w} = \sum_{i \in [0,n)} \mathrm{eq}_i(\vec x) \cdot w_i </span></p> for some \vec x \in \F_q^k</span>. Here k \geq \log_2 n</span> and \mathrm{eq}_i(\vec x)</span> is the multi-linear basis polynomial that is 1 at i</span> and 0 at all other indices, with indices interpreted as corners on the \{0,1\}^k</span> hypercube.</p> In the general case, this requires O(n)</span> work, but for many useful structures of \vec w</span> this can be computed more efficiently. Classifying these efficient structures is a topic for a future post. For now I'll just note that they include monomial and multi-linear polynomial basis evaluation, so an inner product commitment scheme with this succinctness property is also a succinct polynomial commitment scheme.</p>$ Small Fields and Bilinear Embeddings</h2> For technical reasons, we want to use WHIR over a large field, i.e. $\norm{\F_q} > 2^{128}</span>. However, many applications require inner products over a small field, e.g. \F_p</span> for p</span> a 31-bit prime. Typically this is solved by using a field extension \F_{p^d}</span> with d</span> large enough that \norm{\F_{p^d}} > 2^{128}</span>.</p>$ One can then take the natural embedding of $\F_p^n</span> into \F_{p^d}^n</span> by mapping each element of \F_p</span> to its representation in \F_{p^d}</span>. Applying this to both vectors, the inner product can be computed in \F_{p^d}</span>. The downside of this approach is that the vectors grow in size by a factor d</span> in memory, and the computation by a factor d^2</span>. To reduce this overhead, several solutions have been proposed, notably Ring-Switching ($ DP24</a>) as used in Binius. Here I'll present a different, simpler approach that generalizes over a clever embedding discovered by Bryan Gillespie for inner products in multi-party computation (BG+24</a> eq. 2).</p> Inner products are an example of a bilinear map, and the general embedding of bilinear maps in finite algebras looks like this:</p> Definition 2.</strong> Given a bilinear map $f:𝔽^n × 𝔽^m → 𝔽^k</span> and a finite 𝔽</span>-algebra K</span>, an embedding</em> or packing</em> of f</span> in K</span> is a triplet of linear maps (\mat A, \mat B, \mat C)</span> such that for all \vec x ∈ 𝔽^n, \vec y ∈ 𝔽^m</span> we have</p>$ $f(\vec x, \vec y) = \mat C \p{\mat A \vec x ⋅_K \mat B \vec y } </span></p>$ where $\mat A: 𝔽^n → K, \mat B: 𝔽^m → K</span> and \mat C: K → 𝔽^k</span>, and ⋅_K</span> denotes multiplication in K</span>.</p> </div>$ Note that $K</span> is isomorphic to 𝔽^l</span> for some l</span> and given a representation of K</span> the \mat A, \mat B, \mat C</span> are represented by matrices.</p>$ Lemma 3.</strong> If $f</span> is symmetric (i.e. f(x,y) = f(y,x)</span> for all x, y</span>) and (\mat A, \mat B, \mat C)</span> is an embedding, then so is (\mat B, \mat A, \mat C)</span>.</p> </div>$ This lemma is useful as we will have $\mat A</span> the identity and this allows us to choose to apply \mat B</span> to either the committed vector or the weights vector.</p>$ Results for Inner Products</h2> The main result we'll derive here is</p> Lemma 4.</strong> $\F_q</span> inner products can be embedded in \F_{q^d}</span> for d = 2^n \cdot 3^m</span> with \mat A = \mat I</span>, \mat B</span> a sparse matrix and \mat C</span> the projection on the first coordinate.</p> </div>$ The restriction on the extension degree is likely not necessary in practice but it is hard to prove. Furthermore,</p> Let's focus on embedding $\F_q^d</span> inner products in \F_{q^d}</span>. Larger vectors can be handled by zero padding to the next largest multiple of d</span> and doing a k=\ceil{\frac{n}{d}}</span>-sized inner product in \F_{q^d}^k</span>.</p>$ Lemma 5.</strong> Given a field $\F_{q^d}</span> over \F_q</span> represented by \F_q [X]/(X^d - m_1 ⋅ X - m_0)</span>, there exists an embedding of the \F_q^d</span> inner product in \F_{q^d}</span> with \mat A</span> the identity \mat I</span>, \mat C</span> the projection on the first coefficient (1, 0, \dots, 0)</span>, and \mat B</span> the monomial matrix</p>$ $\begin{bmatrix} 1 & 0 & 0 & \cdots & 0 & 0 \\ 0 & 0 & 0 & \cdots & 0 & m_0^{-1} \\ 0 & 0 & 0 & \cdots & m_0^{-1} & 0 \\ \vdots & \vdots &\vdots & \ddots & \vdots & \vdots \\ 0 & 0 & m_0^{-1} & \cdots & 0 & 0\\ 0 & m_0^{-1} & 0 & \cdots & 0 & 0 \end{bmatrix}\text{.} </span></p> </div>$ Proof:</em> The embedding of vectors $(a_0, a_1, \dots, a_{d-1})</span> and (b_0, b_1, \dots, b_{d-1})</span> results in</p>$ $\begin{align*} a & = a_0 + a_1 \cdot X + \cdots + a_{d-1} \cdot X^{d-1} \\ b & = b_0 + m_0^{-1} \cdot \p{ b_{d-1} \cdot X + \cdots + b_1 \cdot X^{d-1}} \\ \end{align*} </span></p>$ The product $a⋅b</span> has powers up to X^{2⋅(d-1)}</span>. Note that in the quotient we have X^d = m_0 + m_1 ⋅ X</span>. Of the unreduced product, only X^0</span> and X^d</span> contribute to the constant term of the reduced result. To see this, consider a term X^{d + k}</span> with k ∈ [1, d-2]</span>:</p>$ $X^{d + k} = (m_0 + m_1 ⋅ X) ⋅ X^k = m_0⋅X^k + m_1⋅X^{k+1} </span></p>$ since $k >0</span> and k+1 < d</span> this does not contribute to X^0</span>. Thus the constant term is given by</p>$ $a_0 \cdot b_0 + m_0 \cdot \p{a_1 \cdot m_0^{-1} \cdot b_1 + \cdots + a_{d-1} \cdot m_0^{-1} \cdot b_{d-1}} </span></p>$ which is the inner product as required.</p> </div> Note that the $\mat B</span> matrix is a$ monomial matrix</a> over $\F_q</span>, i.e. a generalized permutation matrix that allows for non-zero entries other than 1. These can be applied in at most n</span> multiplications.</p>$ Example 6.</strong> Complex Numbers</em>. The field $\mathbb{C}</span> is \mathbb{R}[X]/(X^2 + 1)</span>. Here m_1 = 0</span> and m_0 = -1</span>. The embedding matrix \mat B</span> is thus</p>$ $\mat B = \begin{bmatrix} 1 & 0 \\ 0 & -1 \end{bmatrix}\text{.} </span></p>$ The map $\mat B</span> happens to correspond to complex conjugation. The inner product of two real vectors (a_0, a_1)</span> and (b_0, b_1)</span> can thus be computed as the real part of</p>$ $(a_0 + a_1 \i) \cdot \overline{(b_0 + b_1 \i)} = (a_0 b_0 + a_1 b_1) + (a_1 b_0 - a_0 b_1) \i \text{.} </span></p> </div>$ Lemma 5 requires an irreducible polynomial of the form $X^d - m_1 ⋅ X - m_0</span> over \F_q</span>. Such polynomials are typically easy to find. It is however hard to prove</em> that they exist. By construction they always exist for d=2</span> and by the Hansen–Mullen theorem ($ HM92</a> conj. B, later proven) we know they exist for $d=3</span>, but beyond that it is hard to prove. Instead, to get to larger fields we can use towers</em> of extensions.</p>$ Lemma 7.</strong> (Towers</em>) Given a $\F_q^m</span> inner product embedding in \F_{q^m}</span> given by (\mat A_m, \mat B_m, \mat C_m)</span> and an \F_{q^m}^n</span> inner product embedding in \F_{q^{m \cdot n}}</span> given by (\mat A_n, \mat B_n, \mat C_n)</span>, we can construct an \F_q^{m \cdot n}</span> inner product embedding in \F_{q^{m \cdot n}}</span> as</p>$ $(\mat A_n' \cdot (\mat I_n \otimes \mat A_m), \mat B_n' \cdot (\mat I_n \otimes \mat B_m), \mat C_m \cdot \mat C_n') </span></p>$ where $\mat A_n', \mat B_n', \mat C_n'</span> are \mat A_n, \mat B_n, \mat C_n</span> represented with coefficients in \F_q</span>, \mat I_n</span> is the n \times n</span> identity matrix and \otimes</span> denotes the Kronecker product.</p> </div>$ Proof:</em> Given vectors $\vec x, \vec y ∈ \F_q^{m \cdot n}</span> we can interpret them as \vec x = (\vec x_0, \vec x_1, \dots, \vec x_{n-1})</span> and \vec y = (\vec y_0, \vec y_1, \dots, \vec y_{n-1})</span> with \vec x_i, \vec y_i ∈ \F_q^m</span>. Using the first embedding we turn this into an \F_{q^m}^n</span> inner product</p>$ $\sum_{i \in [0,n)} \vec x_i \cdot \vec y_i = \sum_{i \in [0,n)} \mat C_m \p{\mat A_m \vec x_i ⋅_{\F_{q^m}} \mat B_m \vec y_i} = \mat C_m \p{\sum_{i \in [0,n)} \mat A_m \vec x_i ⋅_{\F_{q^m}} \mat B_m \vec y_i}\text{.} </span></p>$ This $\F_{q^m}^n</span> inner product is over two vectors</p>$ $\begin{align*} \vec{\widetilde x} &= (\mat A_m \vec x_0, \mat A_m \vec x_1, \dots, \mat A_m \vec x_{n-1}) = (\mat I_n \otimes \mat A_m) \vec x \\ \vec{\widetilde y} &= (\mat B_m \vec y_0, \mat B_m \vec y_1, \dots, \mat B_m \vec y_{n-1}) = (\mat I_n \otimes \mat B_m) \vec y \text{.} \end{align*} </span></p>$ Applying the second embedding we get</p> $\begin{align*} C_n \p{\mat A_n \vec{\widetilde x} ⋅_{\F_{q^{m \cdot n}}} \mat B_n \vec{\widetilde y}} &= C_n \p{\mat A_n' \cdot (\mat I_n \otimes \mat A_m) \vec x ⋅_{\F_{q^{m \cdot n}}} \mat B_n' \cdot (\mat I_n \otimes \mat B_m) \vec y} \text{.} \end{align*} </span></p>$ where we used the mixed-product property of the Kronecker product. Finally, we need to apply $\mat C_m</span> to get back to \F_q</span>, and this gets us the desired result.</p> </div>$ Observe that the Kronecker product of identity matrices is an identity matrix, the Kronecker product of monomial matrices is a monomial matrix and the product of the first-coordinate projections is a first-coordinate projection. This proofs Lemma 4 by induction, starting from the base cases $d=2</span> and d=3</span> from Lemma 5 and applying Lemma 7 repeatedly.</p>$ While $\mat B_n</span> is monomial this does not guarantee that \mat B_n'</span> is monomial. In practice we can and want to find values of m_0</span> that make this the case, and if we do then monomiality is preserved in towering.</p>$ Example 8.</strong> Mersenne 31</em>. Take $p = 2^{31} - 1</span> and a tower of extensions over \F_p</span> as:</p>$ $\begin{align*} \F_{p^2} &= \F_p [\i]/(\i^2 + 1) \\ \F_{p^6} &= \F_{p^2} [\j]/(\j^3 - 5) \end{align*} </span></p>$ then inner products can be embedded in $\F_{p^6}</span> with \mat B =</span></p>$ $\begin{pmatrix} 1 & \phantom{-}0 & 0 & 0 & 0 & 0 \\ 0 & -1 & 0 & 0 & 0 & 0 \\ 0 & \phantom{-}0 & 0 & 0 & \phantom{-}5^{-1} & 0 \\ 0 & \phantom{-}0 & 0 & 0 & 0 & -5^{-1} \\ 0 & \phantom{-}0 & \phantom{-}5^{-1} & 0 & 0 & 0 \\ 0 & \phantom{-}0 & 0 & -5^{-1} & 0 & 0 \\ \end{pmatrix}\text{.} </span></p> </div>$ The method presented here prescribes a particular representation of the field $\F_{q^d}</span>, but one can use any representation and make the appropriate change of basis to (\mat A, \mat B, \mat C)</span> matrices. This won't necessarily preserve their sparsity, but it will still be an embedding. Fortunately, the prescribed representation is already very efficient and typical of what one would choose in practice.</p>$ Overhead</h2> The embedding is perfect in the sense that no memory is wasted. The overhead to apply $\mat B</span> is also minimal, as it is a monomial matrix. The main overhead is in the field multiplications.</p>$ Directly evaluating the inner product would take $n</span> multiplications in \F_q</span>. Using the embedding in \F_{q^d}</span>, we need k = \ceil{\frac{n}{d}}</span> multiplications in \F_{q^d}</span>. Each multiplication in \F_{q^d}</span> takes d^2</span> multiplications in \F_q</span> using schoolbook multiplication. Thus the overhead is</p>$ $\frac{d^2 \cdot k}{n} \leq \frac{d^2 \cdot (n/d + 1)}{n} = d + \frac{d^2}{n} \text{.} </span></p>$ For the expected case of $n \gg d</span> the number of multiplications increases roughly by the extension degree d</span>.</p>$ Open questions</h1> What is the most efficient embedding for other bilinear operations, e.g. matrix multiplication?</li> Is there a generalization of the towers lemma beyond inner products?</li> Before we project to the first coordinate, we have a bilinear map $\F_q^d × \F_q^d → \F_q^d</span>. What is this map? Is it useful?</li>$ If $\vec w</span> is has a succinct evaluation of \widetilde w</span>, can we also compute \widetilde{\mat B \vec w}</span> efficiently?</li>$ This embedding works for linear sumchecks, but what about quadratic sumchecks?</li> We can probably generalize this further and try to embed $\F_{q^e}^n</span> inner products in \F_{q^d}</span> for d \neq e</span>. What is the best we can do here?</li> </ul>$ References</h1> HM92</a> Tom Hansen, Gary L. Mullen (1992). Primitive Polynomials over Finite Fields.</li> DP24</a> Benjamin E. Diamond, Jim Posen (2024). Polylogarithmic Proofs for Multilinears over Binary Towers.</li> BG+24</a> Remco Bloemen, Bryan Gillespie, Daniel Kales, Philipp Sippl, Roman Walch (2024). Large-Scale MPC: Scaling Private Iris Code Uniqueness Checks to Millions of Users.</li> AC+24</a> Gal Arnon, Alessandro Chiesa, Giacomo Fenzi, Eylon Yogev (2024). WHIR: Reed–Solomon Proximity Testing with Super-Fast Verification.</li> NA25</a> Andrija Novakovic, Guillermo Angeris (2025). Ligerito: A Small and Concretely Fast Polynomial Commitment Scheme.</li> </ul> Sage Implementation</h1> Here is a Sage implementation of the $\mat A</span>, \mat B</span> embeddings described above:</p>$ def</span> embed</span>(</span>x</span>,</span> extension_field</span>,</span> kind</span>):</span></span> # Check vector</span></span> if not</span> isinstance</span>(</span>x</span>,</span> sage</span>.</span>structure</span>.</span>element</span>.</span>Vector</span>):</span></span> raise</span> TypeError</span>(</span>"x is not a vector"</span>)</span></span> if</span> x</span>.</span>base_ring</span>()</span> is</span> extension_field</span>:</span></span> return</span> x</span></span> if</span> x</span>.</span>base_ring</span>()</span> is not</span> extension_field</span>.</span>base_ring</span>():</span></span> if</span> extension_field</span>.</span>degree</span>()</span> ></span> 1</span>:</span></span> # Tower: Recursively embed in base field first.</span></span> x</span> =</span> embed</span>(</span>x</span>,</span> extension_field</span>.</span>base_ring</span>(),</span> kind</span>)</span></span> else</span>:</span></span> raise</span> ValueError</span>(</span>"x is not a vector over the base field"</span>)</span></span> </span> # Check extension</span></span> X</span> =</span> extension_field</span>.</span>gen</span>()</span></span> m</span> =</span> extension_field</span>.</span>modulus</span>()</span></span> d</span> =</span> m</span>.</span>degree</span>()</span></span> if</span> m</span>[</span>d</span>]</span> !=</span> 1</span> or</span> list</span>(</span>m</span>.</span>dict</span>().</span>keys</span>())</span> not in</span> [[</span>0</span>,</span> 1</span>,</span> d</span>], [</span>0</span>,</span> d</span>]]:</span></span> raise</span> ValueError</span>(</span>"extension not of form X^d - m_1 X - m_0"</span>)</span></span> </span> # Compute embedding coefficients</span></span> if</span> kind</span> ==</span> 'A'</span>:</span></span> c</span> =</span> [</span>X</span>^</span>i</span> for</span> i</span> in</span> range</span>(</span>d</span>)]</span></span> elif</span> kind</span> ==</span> 'B'</span>:</span></span> a</span> =</span> 1</span>/</span>(</span>-</span>m</span>[</span>0</span>])</span></span> c</span> =</span> [</span>X</span>^</span>0</span>]</span> +</span> [</span>a</span> *</span> X</span>^</span>(</span>d</span> -</span> i</span>)</span> for</span> i</span> in</span> range</span>(</span>1</span>,</span> d</span>)]</span></span> else</span>:</span></span> raise</span> ArgumentError</span>(</span>"kind must be 'A' or 'B'"</span>)</span></span> </span> # Compute embedded vector (implicitly zero-pads)</span></span> r</span> =</span> vector</span>(</span>extension_field</span>, [</span>0</span>]</span> *</span> ((</span>len</span>(</span>x</span>)</span> +</span> d</span> -</span> 1</span>)</span> //</span> d</span>) )</span></span> for</span> i</span> in</span> range</span>(</span>len</span>(</span>x</span>)):</span></span> r</span>[</span>i</span> //</span> d</span>]</span> +=</span> c</span>[</span>i</span> %</span> d</span>]</span> *</span> x</span>[</span>i</span>]</span></span> return</span> r</span></span></code></pre> And here's a test for various extension of M31:</p> F</span> =</span> GF</span>(</span>2</span>^</span>31</span> -</span> 1</span>)</span></span> R</span> =</span> PolynomialRing</span>(</span>F</span>,</span> 'X'</span>)</span></span> X</span> =</span> R</span>.</span>gen</span>()</span></span> </span> # Plain extensions over F</span></span> F2</span>.</span><</span>i</span>> =</span> F</span>.</span>extension</span>(</span>X</span>^</span>2</span> +</span> 1</span>)</span></span> F3</span> =</span> F</span>.</span>extension</span>(</span>X</span>^</span>3</span> -</span> 5</span>,</span> 'X'</span>)</span></span> F4</span> =</span> F</span>.</span>extension</span>(</span>X</span>^</span>4</span> -</span> X</span> -</span> 1</span>,</span> 'X'</span>)</span></span> F5</span> =</span> F</span>.</span>extension</span>(</span>X</span>^</span>5</span> -</span> 5</span> *</span> X</span> -</span> 1</span>,</span> 'X'</span>)</span></span> F6</span> =</span> F</span>.</span>extension</span>(</span>X</span>^</span>6</span> -</span> 5</span>,</span> 'X'</span>)</span></span> F8</span> =</span> F</span>.</span>extension</span>(</span>X</span>^</span>8</span> -</span> 16</span> *</span> X</span> -</span> 1</span>,</span> 'X'</span>)</span></span> </span> # Towered extensions over F2</span></span> R2</span> =</span> PolynomialRing</span>(</span>F2</span>,</span> 'X'</span>)</span></span> X</span> =</span> R2</span>.</span>gen</span>()</span></span> F22</span> =</span> F2</span>.</span>extension</span>(</span>X</span>^</span>2</span> -</span> X</span> -</span> 2</span> *</span> i</span>,</span> 'X'</span>)</span></span> F23</span> =</span> F2</span>.</span>extension</span>(</span>X</span>^</span>3</span> -</span> 5</span>,</span> 'X'</span>)</span></span> </span> for</span> n</span> in</span> range</span>(</span>100</span>):</span></span> for</span> _</span> in</span> range</span>(</span>100</span>):</span></span> # Generate random vectors of length n</span></span> x</span> =</span> VectorSpace</span>(</span>F</span>,</span> n</span>).</span>random_element</span>()</span></span> y</span> =</span> VectorSpace</span>(</span>F</span>,</span> n</span>).</span>random_element</span>()</span></span> expected</span> =</span> x</span> *</span> y</span></span> </span> for</span> FE</span> in</span> [</span>F</span>,</span> F2</span>,</span> F3</span>,</span> F4</span>,</span> F5</span>,</span> F6</span>,</span> F8</span>,</span> F22</span>,</span> F23</span>]:</span></span> assert</span> FE</span>.</span>is_field</span>()</span></span> </span> # Embed in FE and compute FE dot product</span></span> xe</span> =</span> embed</span>(</span>x</span>,</span> FE</span>,</span> 'A'</span>)</span></span> ye</span> =</span> embed</span>(</span>y</span>,</span> FE</span>,</span> 'B'</span>)</span></span> result</span> =</span> xe</span> *</span> ye</span></span> </span> # (Recursively) extract constant coefficient</span></span> while</span> result</span>.</span>parent</span>()</span> !=</span> F</span>:</span></span> result</span> =</span> result</span>[</span>0</span>]</span></span> </span> # Check against base field dot product</span></span> assert</span> result</span> ==</span> expected</span></span></code></pre> Nullifiers 2025-01-12T00:00:00+00:00 Nullifiers</h1> It’s important to note that the nullifiers exist for one purpose only: to provide anonymity while preventing an account from repeating an action. For this to make sense at all creating accounts needs to be gated somehow. For anonymous currency (where nullifiers originate) an account is created on receiving a coin. In our case it is created on biometrically proven uniqueness.</p> Nullifiers achieve their purpose by assigning each (account, action) pair a verifiably unique pseudo-random number, the nullifier. The same account repeating the same action can then be blocked by rejecting repeated nullifiers. Anonymity is achieved by the pseudo-randomness of the nullifiers, which can not be linked back to accounts using public information. In our implementation, the nullifier is the hash of the private key with the action. The associated public key is publicly attached to the account. This allows the user to generate a zk-proof that it generated the nullifier correctly.</p> Note that while the zk-proof in the process also proofs knowledge of the private key and allows signing a message, this a side-effects and could also be implemented in other ways. The major drawback of this approach is that it permanently attaches a unique private key to the user, or at least for the duration of the repeat protection. Knowledge of this key allows computing all the account’s nullifiers, thus a leak also implies full traceability of this account’s actions. Conversely, a loss of key means permanent inability to generate nullifiers for the account.</p> Nullifiers as we use them are just one way of achieving the purpose, and others could be imagined. It is however, to the best of our knowledge, the only way to achieve the whole goal in a fully decentralized setting. In situations where we do not care about anonymity, repeated actions or decentralization, we don’t need nullifiers and could substitute other methods with different trade-offs. Specifically: If we don’t care about anonymity, regular signatures suffice. If we don’t care about repeatability, zk-signatures suffice. If we allow limited repeatability, reset counters If we don’t care about decentralization and verifiability, a trusted service can provide repeat-prevention while keeping users secret. If we don’t care about decentralization, a trusted service can generate verifiable nullifiers.</p> Before we go further I want to address the wide-spread abuse of our nullifiers. They are not intended to be re-used! By design they are there to prevent an action from re-occurring (e.g. double-spend in the case of anonymous currencies). So the idea of using them as ‘logins’ is wrong and there can be no problem of replayability.</p> The major drawback of nullifiers having long-lived keys is exacerbated by our abuse of nullifiers and our reliance on its side-effect of signing. A more conformant design for one-per-human accounts would use a nullifier to gate account creation, and then use traditional methods to do authentication, authorization, recovery, etc. If this account needs anonymity, it can use its own methods (including nullifiers using a different keypair) to achieve that. This doesn’t solve all the problems of WorldID nullifier private keys, but should limit the impact of leak to deanonymization and loss to ability to create new accounts.</p> Oluś: a Pure CPS Language 2025-01-12T00:00:00+00:00 Oluś: a Pure Continuation-Passing-Style Language</h1> fact n</span> return</span>:</span></span> if</span> (</span>is_zero n</span>) (:</span>return</span> 1</span>) (:)</span></span> return</span> (</span>mul</span> n</span> (</span>fact</span> (</span>sub n</span> 1</span>)))</span></span></code></pre> I've always been facinated by programming languages and proof systems (they are closely related). In particular I'm fascinated by expressive minimal languages like Lisp, Forth and Metamath. These repesent some stable local optima in the design space of languages. They are simple, expressive and powerful. They are also very different from each other. I've been exploring for a long time what the next stable optimum may look like, and I gravitated towards a language that takes continuation-passing-style to the extreme. As far as I know, such a language has not been implemented before.</p> Over many years I've build several compilers (e.g. 1</a> 2</a> 3</a> 4</a>) for variants of this language, some of which had unique properties. Pure CPS does not require a stack and one compiler produced x86 assembly that did not use a stack at all. This frees up rsp</code> as a general purpose register, and, mostly for fun, I also made it use push</code> and pop</code> when writing/reading from a data structure if it was pointed to by rsp</code>. I'm sure it would have posed an interesting challenge to reverse engineers.</p> Continuation Passing Style</h1> Scott Encoding</h2> In CPS Scott encoding correspods to a match</code> operator.</p> Syntax and Sugar</h1> Refrences</h1> Steele (1978). RABBIT: A Compiler for SCHEME</li> Kranz (1986). ORBIT: An Optimizing Compiler for Scheme.</li> Appel (1992). Compiling with Continuations.</li> Baker's . CONS Should Not CONS Its Arguments.</li> Jim, Appel. Continuation-passing, Closure-passing Style.</li> Danvy, Filinski. Representing Control: A Study of the CPS Transformation.</li> Danvy, Filinski. Abstracting Control.</li> Danvy, Filinski. A Syntactic Theory of Control and State in Imperative Higher-Order Programming Languages.</li> Danvy, Filinski. A Functional Abstraction of Typed Contexts.</li> Sergey Dmitriev . Closure Inlining.</li> </ul> https://github.com/roc-lang/roc</p> https://legacy.cs.indiana.edu/~dyb/papers/3imp.pdf</p> https://arxiv.org/pdf/2009.05539</p> https://arxiv.org/pdf/2502.20546</p> Field Extensions 2025-01-08T00:00:00+00:00 Field Extensions</h1> $\gdef\p#1{\left({#1}\right)} \gdef\norm#1{\left|{#1}\right|} \gdef\F{\mathbb{F}} \gdef\i{\mathrm{i}} \gdef\j{\mathrm{j}} \gdef\om{\mathrm{\omega}} </span></p>$ Given a prime field $\F_p</span> with p = 2^{31} - 1</span>. Because p</span> is a Mersenne prime, it can be implemented particularly efficiently. It also neatly fits into a 32-bit integer allowing fast SIMD and GPU implementations and efficient use of memory.</p>$ While fast, this field has two downsides: it does not support efficient NTTs and it is not large enough to effectively use the Schwartz-Zippel lemma. We can address both by constructing a larger field extension.</p> The smallest generator of the multiplicative group is $7</span>, with order</p>$ $\norm{\F_p^\times} = 2 \cdot 3^2 \cdot 7 \cdot 11 \cdot 31 \cdot 151 \cdot 331 </span></p>$ The size of the field is almost 31-bits:</p> $\log_2 \norm{\F_p} \approx 31 - 6.7\cdot10^{-10} </span></p>$ Complex Extension</h2> Note that $-1</span> is not a square if \F_p</span> and thus X^2 + 1</span> is irreducible over \F_p</span>. We can thus construct \F_{p^2}</span> by the extension \F_p[X]/(X^2 + 1)</span>. Because of analogy with complex numbers, we will call the root \i</span> and for a + b \cdot \i</span> we cann a</span> the real</em> and b</span> the imaginary</em> component.</p>$ The complex extension has a generator $12 + \i</span> with order</p>$ $\norm{\F_{p^2}^\times} = 2^{32} \cdot 3^2 \cdot 7 \cdot 11 \cdot 31 \cdot 151 \cdot 331 </span></p>$ So we can now efficiently perform NTTs up to size $2^{32}</span>, larger than \F_p</span> itself! If we are ambitious, we can also implement 3^2</span>, and use Rader's NTT to 7</span> to 2 \cdot 3</span>.</p>$ Note that the 8-th roots of unity have nice structure:</p> $\{ \pm 1, \pm i, \pm 2^{15} \pm 2^{15}\cdot\i \} </span></p>$ The Frobenius endomorphism is given in coefficient form by the map</p> $\begin{bmatrix} 1 & 0 \\ 0 & -1 \end{bmatrix} </span></p>$ which is also known as complex conjugation</em>.</p> Larger extensions</h2> The complex extension is still not large enough for some cryptographic purposes:</p> $\log_2 \norm{\F_p} \approx 62 - 1.34\cdot10^{-9} </span></p>$ With a target security of about $128</span> bits, we need to look at a degree 4, 5 or 6 extension. We elliminate 5 as it does not have F_{p^2}</span> as a subfield. The degree 4 extension is slightly under our security target, and in practice we actually need some overhead. So we look at the degree 6 extension.</p>$ Let's construct $\F_{p^6}</span> as a cubic extension over \F_{p^2}</span>, some low Hamming weight cubic non-roots in \F_{p^2}</span> are 5, 1 + 2 \cdot \i, 2 + \i, \dots</span>. Let's pick the irriducible polynomial X^3 - 5</span> and construct \F_{p^2}[X]/(X^3 - 5)</span>. We'll write the new cube root of 5</span> as \j</span> with \j^3 = 5</span> so we now have values a + b \cdot \j + c \cdot \j^2</span> where a, b, c</span> themselves are complex.</p>$ $\begin{bmatrix} 1 & 0 & 0 \\ 0 & \om_3 & 0 \\ 0 & 0 & \om_3^2 \end{bmatrix} </span></p>$ Where $\om_3 = 1513477735</span>. Together with conjugation, these generate the six elements of the automorphism group of \F_{p^6}</span>.</p>$ Dot products</h2> We are interested in computing dot product over the vector space $\F_p^n</span>. We want to do this by efficiently representing the vector space using elements of \F_{p^6}</span>.</p>$ Observe that $\F_{p^2}</span> can be seen as an algebra over the vector space \F_p^2</span>. Equiped with a bilinear operator</p>$ $(a_0 + a_1 \cdot \i) \cdot (b_0 + b_1 \cdot \i) = (a_0 \cdot b_0 - a_1 \cdot b_1) + (a_0 \cdot b_1 + a_1 \cdot b_0) \cdot \i </span></p>$ Observe that the constant term is almost a dot product of the vectors $(a_0, a_1)</span> and (b_0, b_1)</span>. To fix it we only need to flip the sign on a_1</span> or b_1</span>.</p>$ Observe that $\F_{p^6}</span> can be seen as an algebra over the vector space \F_{p^2}^3</span>.</p>$ $\begin{aligned} (a_0 + a_1 \cdot j + a_2 \cdot \j^2) \cdot (b_0 + b_1 \cdot j + b_2 \cdot \j^2) = &\\ (a_0 \cdot b_0 + 5 \cdot a_1 \cdot b_2 + 5 \cdot a_2 \cdot b_1) +& \\ (a_0 \cdot b_1 + a_1 \cdot b_0 + 5 \cdot a_2 \cdot b_2) \cdot \j +& \\ (a_0 \cdot b_2 + a_1 \cdot b_1 + a_2 \cdot b_0) \cdot \j^2 \end{aligned} </span></p>$ Extension</h2> When we create an extension $\F[X]/(f)</span> with some polynomial f(X)</span>, we artificially create an element \alpha</span> that is a root of f</span>, i.e. f(\alpha) = 0</span> by decree.</p>$ If we have a different field of same degree, but with a different polynomial $g</span> then this will have a different artificial root \beta</span> such that g(\beta) = 0</span>.</p>$ From ??? theorem it follows that these fields are isomorphic. That means there are functions between them such that:</p> $\phi(a + b) = \phi(a) + \phi(b)</span></li>$ $\phi(a \cdot b) = \phi(a) \cdot \phi(b)</span></li> </ol> From this it follows that \phi</span> preserves the identity elements 0, 1</span>.</p> It also follows that for c \in \F_p</span> \phi(c \cdot a) = c \cdot \phi(a)</span>.</p> \phi(c) = c</span></p> \phi(0) = \phi(0 + 0) = \phi(0) + \phi(0)</span></p> From this it follows that \phi(\alpha)</span> is a root of f</span> in \F_\beta</span>. There are exactly n</span> such roots. When we pick such a root, \phi</span> is fully specified.</p> Field Isomorphisms</h2> Definition 1.</strong> A field isomorphism</em> is a bijective function between two fields A, B</span> such that for a, b \in A</span>:</p> \begin{aligned} \phi(a + b) &= \phi(a) + \phi(b) \\ \phi(a \cdot b) &= \phi(a) \cdot \phi(b) \end{aligned} </span></p> </div> Lemma 1.</strong> If \phi</span> is a field isomorphism, then \phi^{-1}</span> is too.</p> </div> Proof:</em> We need to proof \phi^{-1}(a + b) = \phi^{-1}(a) + \phi^{-1}(b)</span>, substitute this back into the relation for \phi</span> and apply \phi^{-1}</span> to both sides: \begin{aligned} \phi(\phi^{-1}(a) + \phi^{-1}(b)) &= \phi(\phi^{-1}(a)) + \phi(\phi^{-1}(b)) \\ \phi(\phi^{-1}(a) + \phi^{-1}(b)) &= a + b \\ \phi^{-1}\p{\phi(\phi^{-1}(a) + \phi^{-1}(b))} &= \phi^{-1}\p{a + b} \\ \phi^{-1}(a) + \phi^{-1}(b) &= \phi^{-1}\p{a + b} \\ \end{aligned} </span> Similarly for multiplication.</p> </div> </p> Lemma 2.</strong> Field isomorphism perserve 0</span> and 1</span>. Given fields A, B</span> and an isomorphism \phi: A \to B</span> we have \begin{aligned} \phi(0_A) &= 0_B \\ \phi(1_A) &= 1_B \end{aligned} </span></p> </div> Proof:</em> Consider \begin{aligned} \phi(0_A) &= \phi(0_A + 0_A) \\ &= \phi(0_A) + \phi(0_A) \end{aligned} </span> Subtracting \phi(0_A)</span> from both sides we obtain 0_B = \phi(0_A)</span>. Now consider \begin{aligned} \phi(1_A) &= \phi(1_A \cdot 1_A) \\ &= \phi(1_A) \cdot \phi(1_A) \\ 0_B &= \phi(1_A) \cdot (1_B - \phi(1_A)) \end{aligned} </span> The two solutions are \phi(1_A) = 0_B</span> and \phi(1_A) = 1_B</span>. If A</span> and B</span> are non-trivial then 0_B \neq 1_B</span> and the first solution is not possible because \phi</span> is bijective and the preimage of 0_B</span> is 0_A</span>. Therefore, \phi(1_A) = 1_B</span>.</p> </div> Lemma 3.</strong> Isomorphism perserves the base field, for n \in \F_p</span>, we have \phi(n_A) = n_B</span>.</p> </div> Proof:</em> This follows from 1</span> generating the prime order subfield: \phi(n_A) = \phi\p{\sum_{i\in[0,n)} 1_A} =\sum_{i\in[0,n)} \phi(1_A) = \sum_{i\in[0,n)} 1_B = n_B </span></p> </div> </p> Lemma 4.</strong> Field isomorphisms are vector space isomorphisms.</p> </div> Given a basis, vector space isomorphism are represented by invertible matrices.</p> Lemma 5.</strong> The isomorphism is fully specified by the map of the extension generator, and there are exactly n</span> isomorphisms.</p> </div> Definition 2.</strong> A field automorphism</em> is a field isomorphism from A</span> onto itself.</p> </div> Lemma 6.</strong> The Frobenius map x \mapsto x^p</span> is a field automorphism.</p> </div> Lemma 6.</strong> The Frobenius map generates all n</span> field automorphisms.</p> </div> References</h1> [Len91] H. Lenstra (1991). Finding isomorphism between finite fields. [Len91]: https://people.tamu.edu/~rojas//lenstraFq.pdf</li> </ul> https://arxiv.org/abs/math/9204234</p> https://www.math.u-bordeaux.fr/~ballombe/fpisom.ps</p>$ Hensel Lifting 2025-01-08T00:00:00+00:00 Hensel Lifting</h1> $\gdef\p#1{\left({#1}\right)} \gdef\vec#1{\mathbf{#1}} \gdef\mat#1{\mathrm{#1}} \gdef\F{\mathbb{F}} \gdef\Z{\mathbb{Z}} \gdef\vd{𝛅} </span></p>$ There are many variants of Hensel's lemma and the one derived here is for quadratic lifting of multivariate roots. This is useful solving systems of polynomial equations in modular and Galois rings. One starts by finding a solution in the residue field where other methods may be available (e.g. exhaustive search). Once found, these residue field solutions are 'lifted' to progressively larger rings until a solution in the target ring is found. See Mur05</a>, Gro24</a> and Con24</a> for alternative lemmas and further elaboration of the multivariate case.</p> Algebraic Preliminaries</h2> A ring</em> is a set of numbers with operations of addition and multiplication (in this post assumed finite, unital and commutative). There is also a notion of division, but unlike fields this does not necessarily work for all non-zero numbers. An ubiquitous example of a ring is $\Z_{2^{64}}</span>, the ring of 64-bit unsigned integers that all computers use. In this ring, multiplicative inverses exist only for odd numbers.</p>$ An ideal</em> for a ring $R</span> is a subset I</span> that is closed under addition and multiplication, including multiplication by any element of R</span>. If the values of I</span> are all the R</span>-multiples of a single element p</span>, we write I = (p)</span> and called it a principal ideal</em>. The trivial ideals are (0) = \{0\}</span> and (1) = R</span>. The ring \Z_{2^{64}}</span> has the ideals</p>$ $(1), (2), (2^2), (2^3), …, (2^{63}), (0). </span></p>$ We can also define the product of two ideals as $I ⋅ J = \{i ⋅ j \mid i \in I, j \in J\}</span>. The product of two ideals is itself an ideal. We say an ideal I</span> squares to zero</em> if I ⋅ I = (0)</span>. This just means that for each a, b \in I</span> we have a ⋅ b = 0</span>. In \Z_{2^{64}}</span> the ideals (2^k)</span> for k ≥ 32</span> square to zero.</p>$ A quotient ring</em> $R/I</span> is the set of all cosets r + I = \{r + i \mid i \in I\}</span> with addition and multiplication defined as (r + I) + (s + I) = (r + s) + I</span> and (r + I) ⋅ (s + I) = (r ⋅ s) + I</span>. The quotient ring is a ring itself, and captures the idea of 'modulo I</span>' arithmetic. In fact, \Z_{2^{64}}/(2^k) = \Z_{2^k}</span> is the ring of integers modulo 2^k</span>.</p>$ An interesting theorem is that the quotient ring $R/I</span> is a field if and only if I</span> is maximal</em>, meaning there is no ideal J</span> such that I ⊂ J ⊂ R</span>. In the ring \Z_{2^{64}}</span> the ideal (2)</span> is maximal, producing the field \Z_{2^{64}}/(2) = \F_2</span>.</p>$ Ideal Taylor Expansion</h2> Hensel lifting is analogous to Newton's method, and it starts with an analogue of Taylor expansion:</p> Lemma 1.</strong> Given ring $R</span> with ideal I</span> that squares to zero and polynomial f \in R[X]</span> then for x \in R</span> and δ \in I</span>, we have</p>$ $\begin{equation} f(x + δ) = f(x) + f'(x) ⋅ δ. \end{equation} </span></p> </div>$ Proof:</em> Assume $f(x) = x^m</span> and consider the binomial theorem for f(x + δ)</span>:</p>$ $(x + δ)^m = \sum_{i \in [0,m]} \binom{m}{i} ⋅ x^{m-i} ⋅ δ^i </span></p>$ the terms $i > 2</span> cancel due to δ^2 = 0</span>, leaving only</p>$ $x^m + m ⋅ x^{m-1} ⋅ δ = f(x) + f'(x) ⋅ δ. </span></p>$ This proofs the case for $f(x) = x^m</span>. By linearity it thus holds for all polynomials f \in R[x]</span>.</p> </div>$ Curiously this result is exact. Where in real numbers truncating the Taylor expansion results in an error with some bound, in the present setting the result is exact. An explanation for this can be found in the theory of $p</span>-adic numbers, where closeness is defined in terms of how small the ideal is that contains the difference. This can be made rigorous using a counterintuitive but entirely valid alternative norm, but such a treatment is out of scope here.</p>$ The lemma generalizes to the multi-variate case as one would expect:</p> Lemma 2.</strong> Given ring $R</span> with ideal I</span> that squares to zero and polynomial map f: R^n \rightarrow R^m</span> then for \vec x \in R^n</span> and \vd \in I^n</span>, we have</p>$ $\begin{equation} f(\vec x + \vd) = f(\vec x) + \mat J_f (\vec x) ⋅ \vd \end{equation} </span></p>$ where the Jacobian</em> $\mat J_f: R^n \rightarrow R^{m × n}</span> is given by</p>$ $\begin{equation} \mat J_{i j} (\vec x) = \frac{\partial f_i}{\partial x_j} (\vec x). \end{equation} </span></p> </div>$ Proof:</em> Consider coordinates $f_i</span> and apply the multi-binomial theorem analogous to lemma 1.</p> </div>$ Lifting Roots</h2> Lifting is the process of taking a solution from a quotient ring $R/I</span> to R</span> itself:</p>$ Definition 3.</strong> (Lift)</em> Given ring $R</span> with ideal I</span>, polynomial map f: R^n → R^m</span>, and \vec x \in R^n</span> such that</p>$ $f(\vec x) = \vec 0 \pmod I </span></p>$ then lifts</em> of $\vec x</span> are \vec x' \in R^n</span> such that</p>$ $\begin{aligned} \vec x' &= \vec x \pmod I \\ f(\vec x') &= \vec 0. \end{aligned} </span></p> </div>$ Lemma 4.</strong> (Hensel Lifting)</em> Suppose the ideal $I</span> squares to zero, then lifts of \vec x</span> are given by \vec x' = \vec x + \vd</span> with \vd \in I^n</span> solutions of</p>$ $\begin{equation} -f(\vec x) = \mat J _f (\vec x) ⋅ \vd. \end{equation} </span></p>$ In particular if $\mat J _f (\vec x)</span> is invertible there is a unique solution given by</p>$ $\begin{equation} \vec x' = \vec x - \mat J_f^{-1} (\vec x) ⋅ f(\vec x). \end{equation} </span></p> </div>$ Proof:</em> Follows directly from lemma 2 and $f(\vec x + \vd) = \vec 0</span>.</p> </div>$ As familiar from linear algebra, $\mat J_f (\vec x)</span> is invertible if and only if its determinant is invertible. It follows that if the determinant is invertible \operatorname{mod} I</span>, it is also invertible in R</span>. So if we have a chain of rings R/(p^k)</span>, and \mat J_f (\vec x)</span> is invertible in the first, it is invertible in all rings. In this case the solution can be uniquely lifted to all the rings.</p>$ Implementation and Optimization</h2> As an optimization, we often do not need to solve equation $(4)</span> in R</span> but can instead pick a smaller ring:</p>$ Lemma 5.</strong> Given principal ideal $I=(p)</span> that squares to zero and ideal J</span> such that I ⋅ J = (0)</span>, equation (4)</span> can be solved in R/J</span> by setting \vd = \vd' ⋅ p</span> where \vd'</span> is the solution of</p>$ $\begin{equation} -\frac{f(\vec x)}{p} = \mat J _f (\vec x) ⋅ \vd' \pmod J. \end{equation} </span></p> </div>$ Proof:</em> Equation 4 is linear with both sides in $I</span>. As an R</span>-module the ideal I</span> is isomorhpic to R/J</span> by the map x \mapsto x / p</span> and the result follows.</p> </div>$ Typically we use Hensel lifting over a ring $R</span> with ideals (p^s)</span> for s \in [0,k]</span> where (p)</span> is maximal and (p^k) = (0)</span>. We first find an initial solution in the residue field R/(p)</span> and then lift it to R/(p^2)</span> using I = J = (p)</span>. Then we can either continue lifting to R/(p^4)</span>, R/(p^16)</span>, …, R/(p^k) = R</span> using I_i = J_i = \p{p^{2^i}}</span>. Or alternatively, we can fix J = R/(p)</span> and lift to R/(p^3), R/(p^4), …</span> with I_i = (p^i)</span>. The former is known as quadratic lifting</em> and the latter linear lifting</em>. The quadratic method grows faster, but requires arithmetic in progressively larger rings. The linear method requires more iteration, but all arithmetic is in the residue field. Which one is faster depends on the specifics, but typically the quadratic method is preferred.</p>$ Other Functions</h2> Note that the machinery of Hensel lifting works for any function $f</span> for which an f'</span> can be defined such that lemma 1 holds. In particular it holds for rational functions with the familiar derivative:</p>$ Lemma 6.</strong> Given $f(x) = p(x)/q(x)</span> such that lemma 1 holds for p</span> and q</span>, then lemma 1 holds for f</span> with derivative</p>$ $\begin{equation} f'(x) = \frac{p'(x) ⋅ q(x) - p(x) ⋅ q'(x)}{(q(x))^2}. \end{equation} </span></p> </div>$ Proof:</em> Expand definitions,</p> $f(x + δ) = \frac{p(x + δ)}{q(x + δ)} = \frac{p(x) + p'(x) ⋅ δ}{q(x) + q'(x) ⋅ δ} </span></p>$ drop the argument $(x)</span> for brevity,</p>$ $\frac{p + p' ⋅ δ}{q + q' ⋅ δ} = \frac{(p + p' ⋅ δ)⋅ (q - q' ⋅ δ)}{(q + q' ⋅ δ) ⋅ (q - q' ⋅ δ)} = \frac{p⋅q + (p'⋅q - p⋅q')⋅δ}{q^2} </span></p>$ and thus</p> $f(x + δ) = \frac{p}{q} + \frac{p'⋅q - p⋅q'}{q^2} ⋅ δ = f(x) + f'(x) ⋅ δ. </span></p> </div>$ With this we can construct an efficient method for computing inverses in $R</span> by lifting the root a^{-1}</span> of f(x) = x^{-1} - a</span>. This results in lifting equation x' = x ⋅ (2 - a ⋅ x)</span>, which is the basis of the fastest know inversion methods for \Z_{2^{64}}</span> (see Rey22</a> for an overview). Implemented in Rust with further optimizations this looks like:</p>$ fn</span> ring_inv</span>(</span>a</span>:</span> u64</span>)</span> -></span> u64</span> {</span></span> let mut</span> x</span> =</span> a</span>.</span>wrapping_mul</span>(</span>3</span>)</span> ^</span> 2</span>;</span> // Initial guess correct to 5 bits</span></span> let mut</span> y</span> =</span> 1</span>.</span>wrapping_sub</span>(</span>a</span>.</span>wrapping_mul</span>(</span>x</span>));</span></span> for</span> _</span> in</span> 0</span>..</span>3</span> {</span> // Successively lift to 10, 20 and 40 bits</span></span> x</span> =</span> x</span>.</span>wrapping_mul</span>(</span>y</span>.</span>wrappining_add</span>(</span>1</span>));</span></span> y</span> =</span> y</span>.</span>wrapping_mul</span>(</span>y</span>);</span></span> }</span></span> x</span>.</span>wrapping_mul</span>(</span>y</span>.</span>wrappining_add</span>(</span>1</span>))</span> // Final lift to 80 bits (only 64 computed)</span></span> }</span></span></code></pre>References</h1> Mur05</a> Daniel Murfet (2005). Hensel’s Lemma.</li> Rey22</a> Marc B Reynolds (2022). Integer multiplicative inverse via Newton's method.</li> Gro24</a> Joshua A. Grochow (2024). A note on multivariate Hensel lifting.</li> Con24</a> Keith Conrad (2024). A multivariable Hensel's Lemma.</li> </ul> Winograd NTT 2025-01-08T00:00:00+00:00 Winograd NTT</h1> $\gdef\vec#1{\mathbf{#1}} \gdef\F{\mathbb{F}} \gdef\ω{\mathrm{ω}} \gdef\A{\mathsf{\small A}} \gdef\Mc{\mathsf{\small M^c}} </span></p>$ Definition 1.</strong> (Number Theoretic Transform)</em>. Given a finite field $\F</span> with primitive n</span>-th root of unity \omega_n</span> and a vector \vec a \in \F^n</span> the number theoretic transform</em> (NTT) \vec b \in \F^n</span> of \vec a</span> is \begin{equation} b_j = \sum_{i \in [n]} \ω_n^{i ⋅ j} ⋅ a_i. \end{equation} </span></p> </div>$ As stated, equation $(1)</span> requires n^2 ⋅ \Mc + n⋅(n-1) ⋅ \A</span> operations in \F</span> where \Mc</span> is the cost of a multiplication by constant and \A</span> is the cost of an addition in \F</span>.</p>$ NTT is a Polynomial Evaluation</h2> Construct a polynomial $P(x) = a_n ⋅ x^n + a_{n-1} ⋅ x^{n-1} + \ldots + a_1 ⋅ x + a_0</span>, then b_j = P(\omega_n^j)</span>.</p>$ References</h1> https://cr.yp.to/arith/tangentfft-20070919.pdf</p> WHIR 2024-11-20T00:00:00+00:00 WHIR Multilinear Polynomial Commitments.</h1> $\gdef\delim#1#2#3{\mathopen{}\mathclose{\left#1 #2 \right#3}} \gdef\p#1{\delim({#1})} \gdef\ps#1{\delim\{{#1}\}} \gdef\F{\mathbb F} \gdef\vec#1{\mathbf{#1}} \gdef\mat#1{\mathrm{#1}} \gdef\eq{\operatorname{eq}} \gdef\∀{\mathop{\huge ∀}\limits} </span></p>$ WHIR combines the ideas from STIR with those from Basefold to achieve a very performant polynomial commitment scheme for multilinear polynomials.</p> $\Sigma</span>-IOPs</h2> Given a multilinear polynomial f ∈ \F[\vec X]</span> commited to by the prover and a weight polynomial</em> w \in \F[Z, \vec X]</span> known to the prover and verifier, WHIR allows the verifier to check the following sum:</p> \begin{align} \sum_{\vec b \in \ps{0,1}^m} w\p{f(\vec b), \vec b} = σ \end{align} </span></p> This includes multivariate evaluation f(\vec r) = h</span> by setting weights w(z, \vec x) = z ⋅ \eq(\vec x, \vec r)</span>, which in turn contains univariate evaluation as a special case by evaluating f(\bar x)</span> using the map</p> \begin{aligned} \bar x : \F &\rightarrow \F^m \\ x &\mapsto (x, x^2, x^4, x^8, …, x^{2^{m - 1}})\text{.} \end{aligned} </span></p> If we have multiple such claims w_i, σ_i</span> they can be batched together using a random challenge \gamma</span> as</p> \begin{aligned} w(z, \vec x) = \sum_i γ^i ⋅ w_i\p{z, \vec x} && σ = \sum_i γ^i ⋅ σ_i\text{.} \end{aligned} </span></p>$ Commitment</h2> To commit $f</span> it is Reed-Solomon encoded, i.e. evaluated over a foldable domain \mathcal{L}</span> with rate \rho = \frac{2^m}{|\mathcal{L}|} < 1</span>. These values are commited in a Merkle tree. Denote with \mathcal{L}^{(2^k)}</span> the k</span>-folded domain.</p>$ To boost soundness, the verifier can provide random challenges $z_i \in \F</span> where the prover responds with f(\bar z_i)</span>. These evaluations are then included in the initial weight polynomial in an opening.</p>$ Opening</h2> Given a commitment to $f</span>, the prover can proof a claim of the form (1)</span> using the protocol:</p>$ While $m</span> is large:$ Prover</strong> and verifier</strong> run $k</span> rounds of sumcheck to reduce (1)</span> to a claim of the form \sum_{\vec b \in \ps{0,1}^{m-k}} w\p{f(\vec r, \vec b), \vec r, \vec b} = h </span> where \vec r \in \F^k</span> is a random vector.</li>$ Prover</strong> commits to $f'(\vec x) = f(\vec r, \vec x)</span> on \mathcal{L}^{(2)}</span>. Note that this reduces the rate by 2^{k-1}</span>.</li>$ Verifier</strong> send a random challenge $z_0 \in \F</span>.</li>$ Prover</strong> sends the evaluation $y_0 = f'(\bar z_0)</span>.</li>$ For $i \in [1,t]</span> Verifier</strong> sends a random challenge z_i \in \mathcal{L}^{(2^k)}</span>.</li> Verifier</strong> and prover</strong> evaluate y_i=f'(\bar z_i)</span> by querying f</span>.</li> </ol> </li> Prover</strong> and verifier</strong> do n</span> bits of proof-of-work.</li> Prover</strong> and verifier</strong> repeat with the updated claim with m' = m - k</span> \sum_{\vec b \in \ps{0,1}^{m'}} w'\p{f'(\vec b), \vec b} = h + \sum_{i \in [t]} \gamma^{i+1} ⋅ y_i </span> where the weight polynomial is updated as w'\p{z, \vec x} = w\p{z, \vec r, \vec x} + z ⋅ \sum_{i \in [t]} \gamma^{i + 1} ⋅ \eq(\bar z_i, \vec x)\text{.} </span></li> </ol> </li> Prover</strong> sends f</span> (now small) in full.</li> Prover</strong> and verifier</strong> run sumcheck to reduce (1)</span> to a claim of the form w\p{f(\vec r), \vec r} = h </span> for random \vec r \in \F^m</span>.</li> Verifier</strong> checks the claim by evaluating z=f(\vec r)</span> and w(z, \vec r)</span>.</li> </ol> For evaluation proofs the final w</span> contains only a small number of \eq</span> terms and can be efficiently computed by the verifier. If w</span> is more complex (as is the case for GR1CS below) the prover can provide a proof of evaluation of w(z, \vec r)</span>.</p> GR1CS</h2> A generalized R1CS</em> relation for a vector \vec z = (\vec z_{\text{public}}, \vec z_{\text{private}})</span> is a collection of constraints of the form</p> L_i\p{\mat M_{i0}⋅\vec z, \mat M_{i1}⋅\vec z, …, \mat M_{in}⋅\vec z} = \vec 0 </span></p> where L_i</span> is a multivariate polynomial evaluated element-wise over the input vectors and \mat M_{ij}</span> are matrices. For example an R1CS instance has a single constraint L(a,b,c) = a ⋅ b - c</span> with three corresponding matrices.</p> Take f</span> to be the MLE of \vec z</span> such that f(0, ⋯)</span> is the MLE of \vec z_{\text{public}}</span> and f(1, ⋯)</span> is the MLE of \vec z_{\text{private}}</span> and take M(\vec x, \vec y)</span> to be the MLE of \mat M</span>. Define f_{ij}</span> to be</p> f_{ij}(\vec x) = \sum_{\vec y \in \ps{0,1}^m} M_{ij}(\vec x, \vec y) ⋅ f(\vec y)\text{.} </span></p> Observe that f_{ij}</span> is a quadratic polynomial that evaluates to the vector \mat M_{ij}⋅\vec z</span> on \ps{0,1}^m</span>.</p> Prover</strong> sends f(0, ⋯)</span> in full and a commitment to f(1, ⋯)</span>.</li> Verifier</strong> sends a random challenge \gamma \in \F</span>.</li> Prover</strong> and verifier</strong> run zero-check on the claim \∀_{\vec x \in \ps{0,1}^m} \quad \sum_i \gamma^i ⋅ L_i\p{…, f_{ij}(\vec x), …} = 0 </span> to reduce it to \begin{align} \sum_i \gamma^i ⋅ L_i\p{…,f_{ij}(\vec r_1), …} ⋅\eq(\vec r_1, \vec r_2) = h \end{align} </span></li> Prover</strong> and verifier</strong> use WHIR to provide values for \sum_{\vec b \in \ps{0,1}^{m-1}} M_{ij}(\vec r_1, 1, \vec b) ⋅ f(1, \vec b) </span> by providing values computing the weighted sums w_{ij}(z, \vec x) = z ⋅ M_{ij}(\vec r_1, 1, \vec x) </span></li> Verifier</strong> computes values f_{ij}(\vec r_1)</span> and checks (2)</span>.</li> </ol> References</h2> https://github.com/WizardOfMenlo/whir</a></p> </li> ACFY24</a> Gal Arnon, Alessandro Chiesa, Giacomo Fenzi, Eylon Yogev (2024). WHIR: Reed–Solomon Proximity Testing with Super-Fast Verification.</p> </li> </ul>$ Multivariate Lookup 2024-11-18T00:00:00+00:00 Multivariate Lookup Arguments</h1> $\gdef\delim#1#2#3{\mathopen{}\mathclose{\left#1 #2 \right#3}} \gdef\p#1{\delim({#1})} \gdef\ps#1{\delim\{{#1}\}} \gdef\vec#1{\mathbf{#1}} \gdef\eq{\operatorname{eq}} </span></p>$ Most lookup</a> protocols are based on univariate polynomials. In the multivariate sumcheck</a> setting can use different techniques from the Lasso line of work.</p> Lookup arguments</em> and indexed lookup arguments</em>.</p> Grand Products</h2> A grand product reduces a claim of the form $a = \prod_{\vec x} p(\vec x)</span> to a claim of the form p(\vec r) = h</span> for some \vec r, h</span>.</p>$ Tha13</a> Proposition 2 proposes a GKR-like protocol specialized for the grand product case.</p> $p_{i+1}(z) = \sum_{p \in \ps{0,1}^{n_i}} \eq (z,p) \cdot p_i(p, 0) \cdot p_i(p, 1) </span></p>$ SL20</a> Lemma 5.1</p> To prove</p> $p = \prod_{x \in \ps{0,1}^n} v(x) </span></p>$ $g(\vec z) = \sum_{\vec x \in \ps{0,1}^n} \eq (\vec z, \vec x) ⋅ \p{ f(1, \vec x) - f(\vec x, 0) ⋅ f(\vec x, 1) } </span></p>$ $g(\vec r_0) = 0</span></li>$ $f(0, \vec r_1) = v(\vec r_1)</span></li>$ $f(\vec 1, 0) = p</span></li> </ol> Batching of grand products.</p>$ STW23</a> appendix E.</p> Multiset Equality</h2> Offline Memory Checking</h2> Spark / Surge</h2> Lasso</h2> LogUp-GKR</h2> Generalized Lasso</h2> References</h2> Tha13</a> Justin Thaler (2013). "Time-Optimal Interactive Proofs for Circuit Evaluation"</li> Set19</a> Srinath Setty (2019). Spartan: Efficient and general-purpose zkSNARKs without trusted setup.</li> STW23</a> Srinath Setty, Justin Thaler, Riad Wahby (2023). Unlocking the lookup singularity with Lasso.</li> PH23</a> Shahar Papini, Ulrich Haböck (2023). Improving logarithmic derivative lookups using GKR.</li> Sou23</a> Lev Soukhanov (2023). Power circuits: a new arithmetization for GKR-styled sumcheck.</li> </ul> Brakedown and Shockwave 2024-07-23T00:00:00+00:00 Brakedown and Shockwave</h1> $\gdef\setn#1{\mathcal{#1}} \gdef\mat#1{\mathrm{#1}} \gdef\vec#1{\mathbf{#1}} \gdef\enc{\mathsf{enc}} </span></p>$ From GLS⁺21</a>. Like in Hyrax, we will create a commitment to a matrix $\mat M ∈ 𝔽^{n×m}</span> such that we can later compute double contractions s = \vec p ⋅ \mat M ⋅ \vec q = \sum_{ij} \mat M_{ij}⋅p_i⋅q_j </span> for some arbitrary vectors \vec p, \vec q</span>.</p>$ Take a linear code $\enc: 𝔽^m→𝔽^M</span> with rate ρ = m/M</span>. When instantiated with a linear-time encoding codes, it is known as Brakedown Polynomial Commitments. When instantiated with Reed-Solomon codes, it is known as Ligero Polynomial Commitments$ AHIV17</a>. (And when used to instantiate Spartan they are known as Brakedown and Shockwave respectively.)</p> Commitment</h3> Prover has $\mat M ∈ 𝔽^{n×m}</span>.</p>$ Prover</strong> sends the column-wise Merkle-hash of $\mat E = [\enc(\mat M_i)]_{i∈[n]}</span>.</li> </ol>$ Evaluation</h3> In addtion to above, prover and verifier have $\vec p ∈ 𝔽^n</span>, \vec q ∈ 𝔽^m</span> and want to compute the double contraction s = \vec p ⋅ \mat M ⋅ \vec q</span>. The protocol is as above, with \vec r</span> substituted by \vec p</span>:</p>$ Verifier</strong> sends random $\mat R ∈ 𝔽^{k×n}</span>.</li>$ Prover</strong> sends $\mat U = [\vec p; \mat R]⋅ \mat M</span>.</li>$ Verfier</strong> computes $\mat C = [\enc(\mat U_i)]_{i∈[k]}</span>.</li>$ Verifier</strong> sends $\setn C ⊂ [m]</span>.</li>$ Prover</strong> decommits columns $\mat E_{\setn C}</span>.</li>$ Verifier</strong> checks $\mat C_{\setn C} = [\vec p; \mat R] ⋅ \mat E_{\setn C}</span>.</li>$ Verifier</strong> checks $s = \mat U_0 ⋅ \vec q</span></li> </ol>$ Parameter Choices for Reed-Solomon Codes</h3> Given security target $λ</span> in bits. Assuming the matrix dimensions and encoding rate are fixed, the main protocol parameters are the number of random combinations k</span> and queries |\setn C|</span>. Following$ GLS⁺21</a> theorem B.7 (see also reference implementation 1</a> 2</a>), these are set to:</p> $\begin{aligned} k = 1 + \left\lfloor \frac{λ - 1}{\log_2 |𝔽| - \log_2 M} \right\rfloor && |\setn C| = \left\lceil \frac{λ}{1 - \log_2 (1 + \frac{m}{M})} \right\rceil \end{aligned} </span></p>$ For $λ = 128</span> and large field |𝔽| ≥ 2^{200}</span> with reasonably sized M < 2^{64}</span> we will always have k = 1</span>. The number of queries |\setn C|</span> decays exponentially from about 2.5 ⋅ λ</span> for M = 2⋅m</span> down to λ</span> as M</span> increases.</p>$ The randomized checks created by $k</span> serve to verify that the commitment is constructed correctly. This only has to be done once, so for repeated evaluations or when the commitment is trusted we can set k=0</span> (see$ GLS⁺21</a> p. 12).</p> Question.</strong> Does the process of grinding as used in FRI help to boost soundness and reduce $|\setn C|</span>?</p>$ References</h2> AHIV17</a> Scott Ames, Carmit Hazay, Yuval Ishai & Muthuramakrishnan Venkitasubramaniam (2017). Ligero: Lightweight Sublinear Arguments Without a Trusted Setup.</li> BCG20</a> Jonathan Bootle, Alessandro Chiesa, and Jens Groth (2020). Linear-Time Arguments with Sublinear Verification from Tensor Codes</li> GLS⁺21</a> Alexander Golovnev, Jonathan Lee, Srinath Setty, Justin Thaler, Riad S. Wahby (2021). Brakedown: Linear-time and field-agnostic SNARKs for R1CS.</li> </ul> Hyrax Commitments 2024-07-16T00:00:00+00:00 Hyrax Commitments</h1> $\gdef\p#1{\left({#1}\right)} \gdef\vec#1{\mathbf{#1}} \gdef\eq{\mathrm{eq}} \gdef\setn#1{\mathcal #1} </span></p>$ Hyrax commitments are introduced in WTS⁺17</a>. They are a polynomial commitment scheme designed for multi-linear extenstions</a> (MLEs).</p> Certain Multivariate Sums as Tensor Contractions</h2> Given a finite multi-variate basis $\setn B = \setn B_1 × \setn B_2 × ⋯ × \setn B_n</span> with \setn B_i ⊂ 𝔽</span> and a sum of the form \sum_{\vec b ∈ \setn B} g(\vec b) ⋅ \prod_{k ∈ [n]} e_k(b_k) </span> where g : 𝔽^n → 𝔽</span> and e_k: 𝔽 → 𝔽</span> are arbitrary and b_k</span> denotes the k</span>-th component of \vec b</span>. Given any binary partitioning [n] = \setn A ∪ \setn B</span> we can rewrite this as \sum_{\vec a ∈ \setn B_{\setn A}}\sum_{\vec b ∈ \setn B_{\setn B}} g(\vec a, \vec b) ⋅ \p{\prod_{k ∈ \setn A} e_k(a_k)} ⋅ \p{\prod_{k ∈ \setn B} e_k(b_k)} </span> Observe that the products only depend on \vec a</span> and \vec b</span> respectively. Since \setn B_{\setn A}</span> and \setn B_{\setn B}</span> are finite we can enumerate their values as \{\vec a_i\} = \setn B_{\setn A}</span> and \{\vec b_j\} = \setn B_{\setn B}</span> and define \begin{aligned} g_{ij} &= g(\vec a_i, \vec b_j) & u_i &= \prod_{k ∈ \setn A} e_k((\vec a_i)_k) & v_j &= \prod_{k ∈ \setn B} e_k((\vec b_j)_k) \end{aligned} </span> we can then rewrite the sum as a vector-matrix-vector product, also known as a rank-2</span> tensor contraction \sum_{i ∈ [|\setn B_{\setn A}|]}\sum_{j ∈ [|\setn B_{\setn B}|]} g_{ij} ⋅ u_i ⋅ v_j </span> This generalizes to q</span>-ary partitionings resulting in rank-q</span> tensors g</span> and q</span> vectors to contract with. Higher rank tensors do not appear to give an advantage in the Hyrax commitments described below.</p>$ MLE Evaluation as Rank-2 Tensor Contraction</h2> Recall a multi-linear extenion</a> $\tilde f: 𝔽^n → 𝔽</span> over \vec b ∈ \{0, 1\}^n</span> has 2^n</span> coefficients f_{\vec b} ∈ 𝔽</span> and is defined as \begin{aligned} \tilde{f}(\vec x) &= \sum_{\vec b ∈ [2^n]} f_{\vec b} ⋅ \eq(\vec b_, \vec x) \\ \end{aligned} </span> where \eq</span> is the$ equality function</em></a> that indicates $\vec b = \vec x</span> on the basis \{0, 1\}^n</span>. It is given explicitely by \begin{aligned} \eq(\vec x, \vec y) &= \prod_{i∈[n]} \eq(x_i, y_i) \\ \eq(x, y) &= x⋅y + (1-x)⋅(1-y)\\ \end{aligned} </span></p>$ Observe that for a given $\vec x</span> the sum \tilde{f}(\vec x)</span> satisfies the form required to rewrite as a rank-2 tensor contraction \sum_{\vec a \vec b} f_{\vec a \vec b} ⋅ u_{\vec a}(\vec x) ⋅ v_{\vec b}(\vec x)</span>.</p>$ Polynomial Evaluation as Rank-2 Tensor Contraction</h2> A $2^n</span>-term polynomial f</span> evaluated in x</span> is</p>$ $f(x) = \sum_{i ∈ [2^n]} f_i ⋅ \prod_{k∈[n]} \p{x^{2^k}}^{i_k} </span></p>$ where $i_k</span> denotes the k</span>-th bit of the number i</span>.</p>$ Hyrax Commitments</h2> Given a tensor contraction $\tilde f(\vec x) = \sum_{\vec a \vec b} f_{\vec a \vec b} ⋅ u_{\vec a}(\vec x) ⋅ v_{\vec b}(\vec x)</span> with f_{\vec a \vec b}</span> known to the prover and u_{\vec a}(\vec x)</span>, v_{\vec b}(\vec x)</span> known to prover and verifier. The prover wants to commit to f_{\vec a \vec b}</span> so that it can later open \tilde f(\vec x)</span>.</p>$ Take a linear vector commitment scheme $\operatorname{commit}: 𝔽^m → \setn C</span> that supports dot-product proofs. To commit to f_{\vec a \vec b}</span> the prover computes c_{\vec a} = \operatorname{commit}(f_{\vec a-})</span> where f_{\vec a-}</span> is the vector with \vec a</span> held fixed. The prover sends \{c_{\vec a} \}_{\vec a ∈ \setn B_{\setn A}}</span> to the verifier.</p>$ To open at $\vec x</span> the prover send \tilde{f}(\vec x)</span>, the prover and verifier compute vectors u_{\vec a} = u_{\vec a}(\vec x)</span> and v_{\vec b} = v_{\vec b}(\vec x)</span> and combine the commitments c = \sum_{\vec a ∈ \setn B_{\setn A}} u_{\vec a} ⋅ c_{\vec a}</span>. The prover and verifier then engage the dot-product-proof protocol to prove that \tilde{f}(\vec x)</span> is the dot produt of c</span> and v_{\vec b}</span>.</p>$ The size of the commitment is $|\setn B_{\vec A}|</span> times the size of a vector commitment. The size of the opening argument is a single dot-product-opening argument. The prover work to commit is |\setn B_{\vec A}|</span> times a size |\setn B_{\vec B}|</span> vector commitment. The prover and verifier work on opening is computing the vectors u_{\vec a}, v_{\vec b}</span>, the linear combination c</span> and the dot-product-argument.</p>$ The case where $|\setn B_{\vec A}| = |\setn B_{\vec B}| = \sqrt{|\setn B|}</span> is called the square-root</em> Hyrax commitment.</p>$ Pederson vector commitments</h2> To construct a linear vector commitment scheme for $𝔽^m</span> pick a discrete-log hard cyclic group of order |𝔽|</span> (note that this is also a 𝔽</span>-vector space). Pick random generators \mathrm h, \{\mathrm g_i\}_{i∈ [m]}</span>.</p>$ To commit to $\vec x ∈ 𝔽^m</span>, the prover picks random s ∈ 𝔽^×</span> and sends \mathrm c = s⋅\mathrm h + \sum_{i} x_i ⋅ \mathrm g_i</span>. The prover and verifier can compute linear combinations of the commitments, the prover also linearly combines the s</span> values. To open the prover sends s, \vec x</span> and the verifier checks the commitment.</p>$ When $m=1</span> we call this a scalar commitment scheme</em>.</p>$ Proof of Equality</h3> Given two commitments $\mathrm c_1, \mathrm c_2</span> with secrets s_1, s_2</span>. To proof they commit to the same vector without revealing,</p>$ Prover</strong> picks random $s ∈ 𝔽^×</span> and sends \mathrm c = s⋅\mathrm h</span>.</li>$ Verifier</strong> sends random $r \in 𝔽^\times</span>.</li>$ Prover</strong> sends $z = r \cdot (s_1 - s_2) + s</span>.</li>$ Verifier</strong> checks $z⋅\mathrm h = r ⋅ (\mathrm c_1 - \mathrm c_2) + \mathrm c</span></li> </ol>$ Proof of Product</h3> Given scalars $a, b, c</span>, and their commitments \mathrm c_a, \mathrm c_b, \mathrm c_c</span>, with secrets s_a, s_b, s_c</span>. To proof that a ⋅ b = c</span>,</p>$ Prover</strong> picks random $u, v, s_u, s_v, s_w ∈ 𝔽^×</span> and sends \begin{aligned} \mathrm u &= s_u ⋅ \mathrm h + u ⋅ \mathrm g \\ \mathrm v &= s_v ⋅ \mathrm h + v ⋅ \mathrm g \\ \mathrm w &= s_w ⋅ \mathrm h + v ⋅ \mathrm c_a \\ \end{aligned} </span></li>$ Verifier</strong> sends random $r \in 𝔽^\times</span>.</li>$ Prover</strong> sends $\begin{aligned} z_{s_a} &= s_u + r ⋅ s_a & z_a &= u + r ⋅ a \\ z_{s_b} &= s_v + r ⋅ s_b & z_b &= v + r ⋅ b \\ z &= s_w + r ⋅ (s_c - s_a ⋅ b) \\ \end{aligned} </span></li>$ Verifier</strong> checks that $\begin{aligned} \mathrm u + r ⋅ \mathrm c_a &= z_{s_a} ⋅ \mathrm h + z_a ⋅ \mathrm g \\ \mathrm v + r ⋅ \mathrm c_b &= z_{s_b} ⋅ \mathrm h + z_b ⋅ \mathrm g \\ \mathrm w + r ⋅ \mathrm c_c &= z ⋅ \mathrm h + z_b ⋅ \mathrm c_a \\ \end{aligned} </span></li> </ol> The first two equalities are straight forward, the last one's left and right side expand to</p> \begin{aligned} \mathrm w + r ⋅ \mathrm c_c &= s_w ⋅ \mathrm h + v ⋅ (s_a ⋅ \mathrm h + a ⋅\mathrm g) + r ⋅ (s_c ⋅ \mathrm h + c ⋅\mathrm g) \\ &= (s_w + v⋅s_a +r⋅s_c) ⋅ \mathrm h + (v ⋅ a + r⋅c)⋅\mathrm g \\ z ⋅ \mathrm h + z_b ⋅ \mathrm c_a &= (s_w + r ⋅ (s_c - s_a ⋅ b)) ⋅ \mathrm h + (v + r ⋅ b) ⋅ (s_a ⋅ \mathrm h + a ⋅\mathrm g) \\ &= (s_w + v ⋅ s_a + r ⋅ s_c) ⋅ \mathrm h + (v ⋅ a + r ⋅ b ⋅ a) ⋅ \mathrm g \\ \end{aligned} </span></p>$ Proof of Dot Product</h3> Given vector $\vec a</span> with commitment \mathrm c_a</span> and secret s_a</span>, a scalara c</span> with commitment \mathrm c_c</span> and secret s_c</span> and public vector \vec b</span>. To proof that c = \vec a ⋅ \vec b</span>,</p>$ Prover</strong> picks random $\vec s ∈ (𝔽^×)^m</span> and s_u, s_v ∈ 𝔽^×</span> and sends \begin{aligned} \mathrm u &= s_u ⋅ \mathrm h + \sum_i s_i ⋅ \mathrm g_i \\ \mathrm v &= s_v ⋅ \mathrm h + (\vec s ⋅ \vec b) ⋅ \mathrm g \\ \end{aligned} </span></li>$ Verifier</strong> sends random $r \in 𝔽^\times</span>.</li>$ Prover</strong> sends $\begin{aligned} z_u &= s_u + r ⋅ s_a \\ z_v &= s_v + r ⋅ s_c \\ \vec z &= \vec s + r ⋅ \vec a \\ \end{aligned} </span></li>$ Verifier</strong> checks $\begin{aligned} \mathrm u + r ⋅ \mathrm c_a &= z_u ⋅ \mathrm h + \sum_i z_i ⋅ \mathrm g_i \\ \mathrm v + r ⋅ \mathrm c_c &= z_v ⋅ \mathrm h + (\vec z ⋅ \vec b) ⋅ \mathrm g \\ \end{aligned} </span></li> </ol> The first equation is straightforward, the second one expands to</p> \begin{aligned} \mathrm v + r ⋅ \mathrm c_c &= s_v ⋅ \mathrm h + (\vec s ⋅ \vec b) ⋅ \mathrm g + r⋅(s_c⋅\mathrm h + c ⋅ \mathrm g) \\ &= (s_v + r ⋅ s_c)⋅ \mathrm h + (\vec s ⋅ \vec b + r ⋅ c) ⋅ \mathrm g \\ z_v ⋅ \mathrm h + (\vec z ⋅ \vec b) ⋅ \mathrm g &= (s_v + r ⋅ s_c) ⋅ \mathrm h + ((\vec s + r ⋅ \vec a) ⋅ \vec b) ⋅ \mathrm g \\ &= (s_v + r ⋅ s_c) ⋅ \mathrm h + (\vec s ⋅ \vec b + r ⋅ \vec a ⋅ \vec b) ⋅ \mathrm g \\ \end{aligned} </span></p> Bulletproofs</h2> To do.</strong> The above proof-of-dot-product has proof size linear in the vector length. In WTS⁺17</a> a Bulletproof based argument is presented that is logarithmic in vector length.</p> However, remember that in Hyrax the commited vector length is not |\setn B|</span> but tuneable and proof sizes \mathcal{O}(\sqrt{|\setn B|})</span> can be achieved without Bulletproofs.</p> References</h2> WTS⁺17</a> Riad S. Wahby, Ioanna Tzialla, Abhi Shelat, Justin. Thaler, and Michael Walfish (2017). Doubly-efficient zkSNARKs without trusted setup. In S&P, 2018.</li> </ul>$ GKR 2024-07-06T00:00:00+00:00 GKR</h1> $\gdef\delim#1#2#3{\mathopen{}\mathclose{\left#1 #2 \right#3}} \gdef\p#1{\delim({#1})} \gdef\ps#1{\delim\{{#1}\}} \gdef\F{\mathbb F} \gdef\set#1{\mathcal #1} \gdef\vec#1{\bm #1} \gdef\eq{\mathrm{eq}} \gdef\mul{\mathsf{mul}} \gdef\add{\mathsf{add}} \gdef\addc{\mathsf{add^C}} </span></p>$ Last year saw the publication of many interesting new proof systems that deviate from the pattern of doing plonkish-starkish arithmetization on top of a (univariate) polynomial commitment protocol. These new systems are broadly based on two mechanism: folding schemes and sumcheck+GKR. In this note I'll explore sumcheck and GKR.</p> GKR, introduced in 2008 respectively, is an relatively old protocol. I am not sure why it has thusfar received little attention from implementers, but I suspect it is because the proof sizes are not particularly small and the protocols are arguably more complicated. Proof size was the main metric to benchmark protocols on and here Groth16</a> is still king, with plonkish-starkish over KZG close behind. Now that it has become practical to recursively verify proofs this is less of a concern, a larger proof can be recursively verified in, say, a Groth16 proof and become small.</p> The main reason there is renewed interest in GKR protocols is prover complexity. Both Groth16 and plonkish arithmetization require the prover to do $O(n⋅\log n)</span> work in the size of the computation. Through clever use of multivariate polynomials the GKR based methods can achieve O(n)</span> prover complexity.</p>$ GKR</h2> In GKR08</a> we have a $k</span>-layered circuit with the first layer being the input and each further layer computed from the previous one by adding or multiplying two values. For simplicity let's assume each layer has the same number of values 2^n</span>. We encode each layers values on a \ps{0,1}^n</span> hypercube, creating multi-linear extensions w_i(\vec x)</span> for each layer i</span>. The inputs are encoded in w_0(\vec x)</span> and the output will be in w_k(\vec x)</span>. The circuit is encoded using two indicator functions, they are MLEs with the following values on the hypercube \ps{0,1}^{3⋅n}</span>:</p>$ $\begin{aligned} \mathrm{add}_i\p{\vec x, \vec y, \vec z} &= \begin{cases} 1 & w_{i+1}(\vec x) = w_i(\vec y) + w_i(\vec z)\\ 0 & \text{otherwise} \end{cases} \\ \mathrm{mul}_i\p{\vec x, \vec y, \vec z} &= \begin{cases} 1 & w_{i+1}(\vec x) = w_i(\vec y) ⋅ w_i(\vec z)\\ 0 & \text{otherwise} \end{cases} \\ \end{aligned} </span></p>$ Note that the order of $\vec y</span>, \vec z</span> is important to avoid double counting, there should be only one 1</span> per output node, i.e. for each value of \vec x</span>. With these circuit-encoding functions the values on the layers are related by</p>$ $w_{i+1}(\vec x) = \sum_{\vec y, \vec z ∈ \{0,1\}^n} \p{\hspace{.1em} \begin{aligned} &\phantom{+}\mathrm{add}_i\p{\vec x, \vec y, \vec z} ⋅ \p{w_i(\vec y) + w_i(\vec z)}\\ &+\mathrm{mul}_i\p{\vec x, \vec y, \vec z} ⋅ \p{w_i(\vec y) ⋅ w_i(\vec z)} \end{aligned} \hspace{.5em}} </span></p>$ By constuction this holds for $\vec x ∈ \ps{0,1}^n</span>. To see that it holds for all \vec x ∈ \F^n</span> observe that \mathrm{add}_i</span> and \mathrm{mul}_i</span> are MLEs in \vec x</span> and a linear combination of MLEs is also an MLE. Since MLEs are uniquely identified by their values on \ps{0,1}^n</span> they must be identical. Note that \mathrm{add}_i</span> and \mathrm{mul}_i</span> do not need to be multilinear in \vec y, \vec z</span>. In$ GKR08</a> a slightly more complex expression is used that does not require multilinearity in $\vec x</span> either. The above expression is due to$ T15</a>.</p> Prover</strong> sends the output values $w_k(\vec x)</span>.</li>$ Verifier</strong> sends random $\vec r_{\vec x} ∈ \F^n</span> and computes w_k(\vec r_{\vec x})</span>.</li>$ The prover</strong> and verifier</strong> run sumcheck on the relation between $w_{k}(\vec r_{\vec x})</span> and w_{k-1}(\vec x)</span> as above (using f</span> for the summand) w_k(\vec r_{\vec x}) = \sum_{\vec y, \vec z ∈ \ps{0,1}^n} f(\vec r_{\vec x}, \vec y, \vec z) </span> this results in \vec c ∈ \F</span>, random \vec r_{\vec y}, \vec r_{\vec z} ∈ \F^n</span> and a claim c = f\p{\vec r_{\vec x}, \vec r_{\vec y}, \vec r_{\vec z}}</span></li>$ Prover</strong> sends $w_{k-1}(\vec r_{\vec y})</span> and w_{k-1}(\vec r_{\vec z})</span>, to be proven in a moment.</li>$ Verifier</strong> computes $\mathrm{add}_{k-1}\p{\vec r_{\vec x}, \vec r_{\vec y}, \vec r_{\vec z}}</span> and \mathrm{mul}_{k-1}\p{\vec r_{\vec x}, \vec r_{\vec y}, \vec r_{\vec z}}</span> locally and checks c = f\p{\vec r_{\vec x}, \vec r_{\vec y}, \vec r_{\vec z}}</span>.</li>$ The prover</strong> and verifier</strong> reduce the two queries $w_{k-1}(\vec r_{\vec y})</span> and w_{k-1}(\vec r_{\vec z})</span> to one query w_{k-1}(\vec r_{\vec x}')</span>.</li>$ The prover</strong> and verifier</strong> run repeat steps 3-6 for $k-1</span> more times.</li>$ The prover</strong> and verifier</strong> use further methods to checks $w_0(\vec r_{\vec x})</span>.</li> </ol> This reduces a claim on the output values w_k(\vec x)</span> to a claim on the input values w_0(\vec r_{\vec x})</span>.</p> Note that it is assumed the verifier knows \mathrm{add}_i</span> and \mathrm{mul}_i</span> and it is economical for the verifier to evaluate it. Alternatively the prover can use a polynomial commitment scheme or other means to convey those values to the verifier.</p> This protocol can be straightforward generalized to support unequal sized layers n_i</span>, leading to potential further reductions in proof size and compute cost.</p> TODO: Analysis, especially complexity and proof size. Especially efficient evaluation of \mathrm{add}_i</span>, \mathrm{mul}_i</span>.</p>$ Q: The choice of addition and multiplication gates is natural, but also arbitrary. What other gates can be supported? S23</a> presents a clever scheme using an exponentiation operator.</p> Quickly evaluating $\add_i</span> and \mul_i</span> in random \vec r</span></h3> Observe that in a fully defined circuit each output node has either \add</span> or \mul</span> return 1</span> for it. So together they have one-hot on each corner of the \vec x</span> hypercube. We can construct this basis in</p> \p{2^{n+1} - 4}⋅\mul + n⋅\addc </span></p> operations.</p> \mul_i(\vec r_x, \vec r_y, \vec r_z) = \sum_{\vec x ∈ \set M} \eq(\vec x, \vec r_x)⋅ \eq(\vec y(\vec x),\vec r_y)⋅ \eq(\vec z(\vec x),\vec r_z) </span></p> What remains is computing the various \eq(\vec c_x, □)</span> values. Here \vec c_x</span> encodes the connectivity and is sparse: only 2^n</span> out of 2^{2⋅n}</span> values are used. We can however again assume that each node is an input at least once. So all values appear. We get 3⋅\p{2^{n+1} - 4}⋅\mul + 3⋅n⋅\addc </span></p> To compute the three lookup tables for the \eq</span>'s. Then to combine them into \add</span> and \mul</span> we need a further 2^{n + 1}⋅\mul </span></p>$ Compute the hypercube basis for $\eq(\vec c, \vec r_x)</span>, \eq(\vec c, \vec r_y)</span> and \eq(\vec c, \vec r_z)</span> in 3⋅2^n</span> space.</li>$ Use two acumulators $\add</span> and \mul</span>. For each entry in</li> </ol>$ See XZZ+19</a>.</p> References</h2> GKR08</a> Shafi Goldwasser, Yael Tauman Kalai, Guy N. Rothblum (2008). Delegating Computation: Interactive Proofs for Muggles.</li> CTY11</a> Graham Cormode, Justin Thaler, Ke Yi (2011). Verifying Computations with Streaming Interactive Proofs.</li> CMT12</a> Graham Cormode, Michael Mitzenmacher, Justin Thaler (2012). Practical Verified Computation with Streaming Interactive Proofs.</li> T13</a> Justin Thaler (2013). "Time-Optimal Interactive Proofs for Circuit Evaluation"</li> T15</a> Justin Thaler (2015). "A Note on the GKR Protocol"</li> CFS17</a> Alessandro Chiesa, Michael A. Forbes, Nicholas Spooner (2017). A Zero Knowledge Sumcheck and its Applications.</li> XZZ+19</a>: Tiancheng Xie et al. (2019). "Libra: Succinct Zero-Knowledge Proofs with Optimal Prover Computation".</li> T20a</a> T20b</a>: Justin Thaler (2020). "The Unreasonable Power of the Sum-Check Protocol"</li> K22</a> Erich Kaltofen (2022). "The GKR Protocol Revisited"</li> PH23</a> Shahar Papini, Ulrich Haböck (2023). "Improving logarithmic derivative lookups using GKR"</li> S23</a> Lev Soukhanov (2023). "Power circuits: a new arithmetization for GKR-styled sumcheck"</li> T23a</a> Justin Thaler (2023). "Proofs, Arguments, and Zero-Knowledge". See also lecture notes</a> and older lecture notes</a></li> T23b</a> Justin Thaler (2023). The sumcheck protocol over fields of small characteristic.</li> G24</a> Ariel Gabizon (2024). zkWarsaw talk "The GKR method".</li> </ul> https://github.com/ingonyama-zk/papers/blob/main/sumcheck_201_chapter_1.pdf</p> https://eprint.iacr.org/2024/1046</p> BDT24</a> Suyash Bagad, Yuval Domb, Justin Thaler (2024). The Sum-Check Protocol over Fields of Small Characteristic.</li> </ul> Jolt 2024-07-02T00:00:00+00:00 Jolt</h1> $\gdef\mat#1{\mathrm{#1}} \gdef\p#1{\left({#1}\right)} \gdef\ceil#1{\left\lceil{#1}\right\rceil} \gdef\forall{\mathop{\huge ∀}\limits} </span></p>$ Notes studying Jolt. Per Michael Zhu's suggestion I will follow the lineage from Spice SAGL18</a>, Spartan S19</a>, Lasso STW23</a>, Jolt AST23</a>, Binius DP23</a>.</p> Spice</h2> Spartan</h2> Spartan (S19</a>) is a transparant zkSNARK for R1CS. Recal an R1CS instance over a field $𝔽</span> with n</span>-sparse m×m</span> matrices \mat A, \mat B, \mat C</span> such that a z=(1,\mathsf{pub},\mathsf{priv})</span> satisfies iff (\mat A⋅ z) ∘(\mat B ⋅ z) = \mat C ⋅ z</span>. We convert this to a$ sumcheck zero testing</a> statement $\begin{aligned} \forall_{x∈\{0,1\}^s}0={}& \p{\sum_{y∈\{0,1\}^s}\widetilde A(x,y)⋅\widetilde z(y)}⋅ \p{\sum_{y∈\{0,1\}^s}\widetilde B(x,y)⋅\widetilde z(y)}\\ &- \sum_{y∈\{0,1\}^s}\widetilde C(x,y)⋅\widetilde z(y) \end{aligned} </span> where \widetilde\square</span> denotes a multilinear extension and s=\ceil{\log_2 m}</span>.Batching the inner sumchecks, it takes two sumchecks to reduce this to (r_A⋅\widetilde A(r_x, r_y) + r_B⋅\widetilde B(r_x, r_y) + r_C⋅\widetilde C(r_x, r_y)) ⋅ \widetilde z(r_y) </span> For \widetilde z</span> the prover provides a hiding polynomial commitment to \mathsf{priv}</span> up front and reveals it at r_y</span> so that the verifier can compute \widetilde z(r_y)</span>. The verifier knows \widetilde A, \widetilde B, \widetilde C</span> and can evaluate it directly.</p>$ Evaluating the $\widetilde A, \widetilde B, \widetilde C</span> takes O(n)</span> work. To solve this the verifier pre-computes commitments to them and the prover computes openings. To be efficient, this requires a polynomial commitements scheme that is efficient for sparse polynomials. Consider \widetilde A</span> (the other cases are identical) we have the n</span> term sum \widetilde A(r_x, r_y) = \sum_{\begin{subarray}{c} i,j ∈ \{0,1\}^s \\[.3em] \mat A_{ij} ≠ 0 \end{subarray}} \mat A_{ij} ⋅ \widetilde{\operatorname{eq}}(i, r_x)⋅\widetilde{\operatorname{eq}}(j, r_y) </span> where \widetilde{\operatorname{eq}}</span> is the$ multilinear equality function</a>.</p> To evaluate this we create lookup tables for $\widetilde{\operatorname{eq}}(i, r_x)</span>, \widetilde{\operatorname{eq}}(j, r_y)</span> and the sequence of (i,j, \mat M_{ij})</span> tuples to sum over.</p>$ Create three vectors, $i</span>, j</span> and M_{ij}</span>.</p>$ References</h2> SAGL18</a> Srinath Setty, Sebastian Angel, Trinabh Gupta, and Jonathan Lee (2018). Proving the correct execution of concurrent services in zero-knowledge.</li> S19</a> Srinath Setty (2019). Spartan: Efficient and general-purpose zkSNARKs without trusted setup.</li> STW23</a> Srinath Setty, Justin Thaler, Riad Wahby (2023). Unlocking the lookup singularity with Lasso.</li> AST23</a> Arasu Arun, Srinath Setty, Justin Thaler (2023). Jolt: SNARKs for Virtual Machines via Lookups.</li> ST23</a> Srinath Setty, Justin Thaler (2023). BabySpartan: Lasso-based SNARK for non-uniform computation.</li> DP23</a> Benjamin E. Diamond, Jim Posen (2023). Succinct Arguments over Towers of Binary Fields.</li> </ul> Introduction to ZK-STARKs 2024-06-28T00:00:00+00:00 $\gdef\Z{\mathbb{Z}} \gdef\F{\mathbb{F}} </span></p>$ Introduction to ZK-STARKs</h1> $\gdef\F{\mathtt{F}} \gdef\X{\mathtt{X}} \gdef\Y{\mathtt{Y}} \gdef\Z{\mathtt{Z}} </span></p>$ Disclaimer: contains math</h2> If you don't understand something Not your fault, this stuff is hard</li> Nobody understands it fully</li> </ul> </li> If you don't understand anything My fault, anything can be explained at some level</li> </ul> </li> If you do</em> understand everything Collect your Turing Award & Fields Medal</li> Many open questions</li> </ul> </li> </ul> Zero knowledge proofs</h2> We know some algorithm $\F(\X, \Y)</span>.</p>$ I give you $\X</span> and \Z</span> and proof that “I know an \Y</span> such that \F(\X, \Y) = \Z</span>” without revealing \Y</span>.</p>$ $\X</span> public input, old balances.</li>$ $\Y</span> secret input, trades.</li>$