Lasso

As they already explained in previous presentations, I skip the parts for Multilinear extensions, SNARKs, Polynomial commitment scheme, Polynomial IOP and the .

$m$-sparse refers to multilinear polynomials $g: \mathbb{F}^l \rightarrow \mathbb{F}$ in $l$ variables such that $g(x) \neq 0$ for at most $m$ values of $x \in \{0,1\}^l$. In other words, $g$ has at most $m$ non-zero coefficients in its multilinear Lagrange polynomial basis. If $m \ll 2^l$, only a tiny fraction of the possible coefficients are non-zero. If $m = \Theta(2^l)$, we refer to such $g$ as a dense polynomial.

A multilinear polynomial $g: \mathbb{F}^l \rightarrow \mathbb{F}$ can be represented uniquely by the list of tuples $L$ such that for all $i \in \{0,1\}^l, (\mathsf{to}\text{-}\mathsf{field}(i), g(i)) \in L$ if and only if $g(i) \neq 0$.

Here, $\mathsf{to}\text{-}\mathsf{field}$ is the canonical injection from $\{0,1\}^l$ to $\mathbb{F}$ and $\mathsf{to}\text{-}\mathsf{bits}$ is the inverse mapping. You can think of them as transformations between a field element and its binary representation.

We refer to $L$ as the dense representation of a sparse polynomial $g$.

A multilinear polynomial $g$ in $l$ variables is a sparse multilinear polynomial if $|\mathsf{DenseRepr}(g)|$ is sub-linear in $\Theta(2^l)$. Otherwise, it is a dense multilinear polynomial.

For a lookup argument from $a \in \mathbb{F}^m$ to $t \in \mathbb{F}^n$, it suffices for a prover to show that it knows a sparse matrix $M \in \mathbb{F}^{m \times n}$ such that (1) for each row of $M$, only one cell has a value of 1 and the rest are zeroes and that (2) $M \cdot t = a$.

Below demonstrates a simple example of demonstrating that $a = [2, 3, 0]$ is a valid lookup into the table $t = [0, 1, 2, 3]$. You can see that $M$ is indeed sparse.

for an ${r} \in \mathbb{F}^{\log m}$ randomly sampled by the verifier.

To run a sumcheck protocol on this equation to prove it, the verifier should be able to evaluate $\widetilde{M}({r},{y}) \cdot \tilde{t}({y})$ at some random $y$ succintly, i.e. with a cost independent of $n$, regarding that the size of lookup table might be very large. Clearly, we cannot achieve this by committing to $\widetilde{M}$ and $\tilde{t}$ using normal PCS.

$M$ is a sparse matrix where only $m$ elements out of $m \times n$ are non-zero. Hence, the above is efficiently provable by having the prover commit to the sparse polynomial $\widetilde{M}$ using $\mathsf{Surge}$, which is a generalization of $\mathsf{Spark}$ for $\mathsf{Lasso}$, and instead of commiting to the enormous $t$, sending only its succint description assuming that it is structured in a way we define. Once we have such a commitment scheme, we instantly obtain the desired lookup argument.

$\mathsf{Spark}$, as explained above, is a polynomial commitment scheme for sparse polynomials. Let $g$ be a ($\log N$)-variate multilinear polynomial with sparsity $m$. The prover commits to a unique dense representation of the sparse polynomial $g$, which is the list that specifies only the multilinear Lagrange bases with non-zero coefficients. When the verifier requests an evaluation $g(r)$, the prover returns the claimed evaluation $v$ along with the evaluation proof.

Let $c$ be such that $N = m^c$ without loss of generality. There is a simple algorithm that takes as input the dense representation of $g$ and outputs $g(r)$ in $O(c \cdot m)$ time.

Decompose the $\log N = c \log m$ variables of $r$ into $c$ blocks, each of size $\log m$, writing $r = (r_1, ..., r_c) \in (\mathbb{F}^{\log m})^c$. Then any ($\log N$)-variate Lagrange basis polynomial evaluated at $r$ can be expressed as a product of $c$ smaller Lagrange basis polynomials. With $O(c\cdot m)$ cost of pre-computing a write-once memory, each basis polynomial can be calculated by $c$ memory look-ups and extra field operations.

Let $N = 2^6$, $c = 3$ and $m = 2^2$.

Let $g(x) = 1$ for $x = 000001, ..., 000100$. Otherwise, $g(x) = 0$ for $x \in \{0,1\}^6$. Subscript 1, 2, and 3 each denotes the 2-bits length partition of the 6-bits binary string. $\mathcal{X}_i(r)$ is equal to $\widetilde{\mathsf{eq}}(i, r)$.

Observe that the evaluation of $g(x)$ on some $r$ can be decomposed in this way:

The memory is composed of $c(=3)$ subtables $t_1, t_2$ and $t_3$ where each $t_i$ is a table of size $m$ populated by the values from $\mathcal{X}_{0,0}({r_i})$ to $\mathcal{X}_{1,1}({r_i})$. Each subtable can be computed by the prover in $O(m)$, leading to a total computation cost of $O(c \cdot m)$.

Notice that this is cheaper with a factor of $\log m$ than a naive approach, whose cost is $O(m \log N)$ since there are $m$ Lagrange basis polynomials with $\log N$ variables.

The efficiency of the algorithm above comes from the fact that $g$ is sparse. $\mathsf{Spark}$ is merely a SNARK as an argument that the prover correctly ran this algorithm on the committed description of $g$. For simplicity, in the demonstrations below, we talk about the special case where $c = 2$ and then expand it for a general result.

Let $D$ be a $m$-sparse ($2\log m$)-variate multilinear polynomial, as we fixed the value of $c$ to be 2. For now, you can think of $D$ as an $m \times m$ matrix with only $m$ nonzero elements.

When its dense representation is given, one can express its evaluation as below, by decomposing the ($2\log m$)-variate Lagrange basis polynomial into two ($\log m$)-variate Lagrange basis polynomial.

Let's introduce three ($\log m$)-variable multilinear polynomials $\mathsf{val}$, $\mathsf{row}$ and $\mathsf{col}$, which extend the dense representation of $D$. That is, $k \in \{0,1\}^{\log m}$ iterates the m nonzero elements in $D$ in some canonical order, and for each $k$, there exist some $i, j$ such that $\mathsf{row}(k) = \mathsf{to}\text{-}\mathsf{field}(i)$, $\mathsf{col}(k) = \mathsf{to}\text{-}\mathsf{field}(j)$ and $\mathsf{val}(k) = D(i, j)$.

$\mathsf{val}$ maps $k$ to each value of the nonzero elements and $\mathsf{row}$ and $\mathsf{col}$ maps $k$ to a corresponding location of it in $D$(or, equivalently, to the index of each two subtables in Algorithm 1).

Let $E_{rx}(k) = \widetilde{\mathsf{eq}}(\mathsf{to}\text{-}\mathsf{bits}(\mathsf{row}(k)), r_x)$ and $E_{ry}(k) = \widetilde{\mathsf{eq}}(\mathsf{to}\text{-}\mathsf{bits}(\mathsf{col}(k)), r_y)$ each of which are ($\log m$)-variate. We define a PIOP for proving the evaluation of $D$ at $(r_x, r_y)$. We assume that $\mathsf{val}$ is committed to beforehand.

$\mathcal{P} \rightarrow \mathcal{V}$ : $E_{rx}(k)$ and $E_{ry}(k)$ as oracles.

$\mathcal{P} \leftrightarrow \mathcal{V}$ : run the sumcheck reduction to reduce this statement

$\mathsf{val}(r_z) \stackrel{?}{=} v_{val}$

$E_{rx}(r_z) \stackrel{?}{=} v_{E_{rx}}$ and $E_{ry}(r_z) \stackrel{?}{=} v_{E_{ry}}$.

where the claimed values are provided by $\mathcal{P}$ and $r_z$ is randomly sampled by $\mathcal{V}$ at the end of the sumcheck protocol.

$\mathcal{V}$ : check if the three equalities above hold with an oracle query to each of the polynomials.

A key part of achieving a sound argument with the PIOP above is to enable the verifier to check that the committed $E_{rx}$ and $E_{ry}$ are built correctly, i.e.

$\forall k \in \{0,1\}^{\log m}, E_{rx}(k) = \widetilde{\mathsf{eq}}(\mathsf{to}\text{-}\mathsf{bits}(\mathsf{row}(k)), r_x)$

$\forall k \in \{0,1\}^{\log m}, E_{ry}(k) = \widetilde{\mathsf{eq}}(\mathsf{to}\text{-}\mathsf{bits}(\mathsf{col}(k)), r_y)$.

Checking the above is equivalent to checking if an untrusted prover ran Algorithm 1 above (which is the case where $c = 2$ and the two subtables correspond to $E_{rx}$ and $E_{ry}$), i.e., that the prover initialized the memory with correct values and the subsequent memory read operations occurred in a correct manner. We introduce offline memory checking, which is a protocol that reduces such memory consistency argument to a multiset equality check.

The checker maintains two local state sets : $\mathsf{RS}$ and $\mathsf{WS}$. $\mathsf{RS}$ is initially empty. For $\mathsf{M}$-sized memory, $\mathsf{WS}$ is initialized as following : for all $i \in [N^{1/c}]$, the tuple $(i, v_i, 0)$ is included. Here, the first element is the index, second one is the value and the third one is the accessed count of each memory slot.

For each read operation at address $a$, suppose that the untrusted memory responds with a value-count pair $(v, t)$. Then the checker updates its local state as follows:

$\mathsf{RS} \leftarrow \mathsf{RS} \cup \{(a, v, t)\}$

store $(v, t+1)$ at address $a$ in the untrusted memory, and

$\mathsf{WS} \leftarrow \mathsf{WS} \cup \{(a,v,t+1)\}$.

If for every read operation, the untrusted memory returns the tuple last written to that location, then there exists a set $\mathsf{S}$ with cardinality $\mathsf{M}$ consisting of tuples of the form $(k, v_k, t_k)$ for all $k \in [\mathsf{M}]$ such that $\mathsf{WS} = \mathsf{RS} \cup \mathsf{S}$, where $\mathsf{S}$ is simply the current memory view. Conversely, if the untrusted memory ever returns a value $v$ for a memory read $k \in [\mathsf{M}]$ which does not equal the value initially written to cell $k$, then there does not exist any set $\mathsf{S}$ such that $\mathsf{WS} = \mathsf{RS} \cup \mathsf{S}$.

You can see that there exist an $\mathsf{S}$ such that $\mathsf{WS} = \mathsf{RS} \cup \mathsf{S}$, and the $\mathsf{S}$ is equal to the final memory view.

Now we define the counter polynomials. Given the size $\mathsf{M}$ memory and a list of $m$ addresses involved in read operations, one can compute two vectors $C_r \in \mathbb{F}^m$ and $C_f \in \mathbb{F}^{\mathsf{M}}$ where $C_r[k]$ stores the 'correct' count that would have been returned for $k$-th read operation and $C_f[j]$ stores the 'correct' final count stored at memory location $j$ after the $m$ read operations. Computing these requires $O(m)$ operations over $\mathbb{F}$.

Let $\textsf{read\_ts} = \widetilde{C_r}$, $\textsf{write\_cts} = \widetilde{C_r} + 1$, and $\mathsf{final\_cts} = \widetilde{C_f}$. We refer to these polynomials as counter polynomials.

Regarding a ($2 \log M$)-variate multilinear polynomial, suppose that ($\mathsf{row, col, val}$) is committed in advance, and

are the polynomials sent by the prover at the beginning of the evaluation proof. Notice that the verifier can manually compute $\mathsf{write\_cts}_{\mathsf{row}}$ and $\mathsf{write\_cts}_{\mathsf{col}}$.

If $E_{rx}$ is correctly computed, i.e. $\forall k \in \{0,1\}^{\log m}, E_{rx}(k) = \widetilde{\mathsf{eq}}(\mathsf{to}\text{-}\mathsf{bits}(\mathsf{row}(k)), r_x)$,

then the following holds : $\mathsf{WS} = \mathsf{RS} \cup \mathsf{S}$, where

$\mathsf{WS} = \{(\textsf{to-field}(i), \widetilde{\mathsf{eq}}(i, r_x), 0): i \in \{0,1\}^{\log \mathsf{M}} \} \cup \{ (\mathsf{row}(k), E_{rx}(k), \textsf{write\_cts}_{\mathsf{row}}(k)) : k \in \{0,1\}^{\log m} \} ;$

$\mathsf{RS} = \{(\mathsf{row}(k), E_{rx}(k), \textsf{read\_ts}_{\mathsf{row}}(k)) : k \in \{0,1\}^{\log m}\};$ and

$\mathsf{S} = \{(\textsf{to-field}(i), \widetilde{\mathsf{eq}}(i, r_x), \textsf{final\_cts}_{\textsf{row}}(i)): i \in \{0,1\}^{\log {\mathsf{M}}} \}.$

The high-level conclusion of the memory checking above is that when $E_{rx}$ is the polynomial that is produced by an untrusted memory, the checker (verifier) initializes the memory with $\widetilde{\mathsf{eq}}(i, r_x)$ which are the expected 'correct' values, and then by checking if the memory lookups are correctly done for each of the $E_{rx}(k)$, the verifier is convinced that the provided $E_{rx}$ is correct. The same logic is applied for $E_{ry}$.

In reality, the verifier doesn't perform the check above manually. Instead, to check that $\mathcal{H}_{\tau, \gamma}(\mathsf{WS}) = \mathcal{H}_{\tau, \gamma}(\mathsf{RS}) \cdot \mathcal{H}_{\tau, \gamma}(\textsf{S})$, two parties run a grand product argument, which is a multiset equality check that is performed via a GKR protocol whose circuit is simply a binary tree of multiplication gates. Since running a GKR protocol is reduced to a single evaluation of the input vector on a random value sampled by the verifier, and the verifier virtually has an oracle access to all of the required polynomials assuming they are committed by the prover (or is able to evaluate by himself), the memory check above can be done efficiently with a few evaluation proofs. For a more detailed explanation on the grand product argument, refer to of the paper.

We will generalize the above protocol, $\mathsf{Spark}$, so that it supports an arbitrary value for $c$ rather than a fixed value of 2, which implies that the gigantic lookup table can be decomposed into even smaller subtables of size $N^{1/c}$.

Subsequently we will specialize $\mathsf{Spark}$ for $\mathsf{Lasso}$ with some cost optimization exploiting the properties of lookup arguments. Eventually, we will further generalize $\mathsf{Spark}$ by relaxing the conditions that make a table 'structured' for $\mathsf{Lasso}$ to be applied. With these modifications altogether, we introduce $\mathsf{Surge}$, as a sparse polynomial commitment scheme for $\mathsf{Lasso}$ and its final PIOP.

Supporting $\log N = c \log m$ variables, rather than $2 \log m$.

$c$ can be interpreted as the number of the subtables which are the result of decomposition of the original table of size $N$. We can simply factor $\widetilde{\mathsf{eq}}_{c \log \mathsf{m}}$ into a product of $c$ terms, instead of two terms, each of which are a $(\log m)$-variate multilinear Lagrange basis polynomial. Hence, from this point, we use the notation of $\mathsf{dim_i}(x)$ for $i \in [c]$, for representing the injection from a boolean hypercube to an index in each subtable, instead of $\mathsf{row}(x)$ and $\mathsf{col}(x)$.

As we saw in Equation (1), the sparse $m \times N$ matrix $M$ that we want to commit to can only have value 1 as its non-zero element. It means that the polynomial $\mathsf{val}(x)$ is also fixed to 1 and the commitment to it is unnecessary. We can save one polynomial to commit to with this per each lookup argument.

Furthermore, if we let $c = 2$ and sample $r_x$ from $\mathbb{F}^{\log m}$ and $r_y$ from $\mathbb{F}^{\log N}$ (this means that each $r_x$ and $r_y$ represents the row index and column index of matrix $M$), since each row has exactly one non-zero element, $\textsf{to-bits}(\textsf{row}(k))$ is simply $k$. $E_{rx}(k) = \widetilde{\mathsf{eq}}(k, r_x)$ can be evaluated by verifier on its own, thus there is no need for committing to it or proving its well-formness.

$M$ is a 4 x 4 matrix with sparsity of 4. Let $k$ be a two bits binary string for indexing 4 nonzero elements, i.e. $k = 00, 01, 10, 11$. The table below is the description of mapping $\mathsf{row}$ and $\mathsf{col}$. It is obvious that the mapping $\mathsf{row}(k)$ is simply an iteration from 0 to 3, which is virtually equal to $k$. This is because there are exactly one nonzero element per each row. Therefore, it is unnecessary to commit to the polynomial $E_{rx}(k)$, as well as $\mathsf{val}(k)$. Check the table below.

We redefine the term 'structured' to be more comprehensive and well-defined for the properties that the lookup tables may have. If (1) a lookup table $t$ can be expressed as a tensor product of $c \geq 2$ smaller tables (i.e. decomposible), and (2) for each subtable its multilinear extension polynomial can be evaluated quickly (i.e. MLE-structured), we regard such table $t$ as structured and Lasso can be applied.

Suppose that there is an integer $k \geq 1$ and $\alpha = k \cdot c$ tables $T_1, ..., T_{\alpha}$ of size $N^{1/c}$ along with an $\alpha$-variate multilinear polynomial $g$ such that the following holds.

It means that each element of $T$ can be briefly expressed by each corresponding element in $T_1, ..., T_{\alpha}$.

A table for a range check in the first example ($[1, ..., 2^{128} ]$) can be easily expressed in the way above with $k = 1$ and $c = 32$, for instance.

If and only if $M \cdot t = a$, the equation above holds, with a soundness error $\log m / |\mathbb{F}|$. In $\mathsf{Lasso}$, after committing to $\widetilde{M}$(by committing to $\mathsf{dim_1}, ..., \mathsf{dim_c}$) and $\tilde{a}$, the verifier sends random sampled $r$ to see if above holds.

Let $\mathsf{nz}(i)$ denote the unique nonzero column in row $i$ of $M$. We can rewrite the LHS as following:

And with the decomposibility of $T$,

for some $E_1, ..., E_{\alpha}$, above is equal to $\tilde{a}(r)$, using the sum-check protocol and

$E_1, ..., E_{\alpha}$ are built with correct lookups into the subtables $T_1, ..., T_{\alpha}$, using the offline memory checking.

Assuming that the verifier can evaluates the MLE of each subtables quickly, both parties can participate in the protocol only with the short descriptions about the subtables, without ever fully materializing the entire lookup table $T$ throughout the protocol.

$\mathcal{P}$ has committed to $c$ multilinear polynomials $\mathsf{dim_1}, ..., \mathsf{dim_c}$, each over $\log m$ variables.

$\mathcal{P} \rightarrow \mathcal{V}$ : 2$\alpha$ different ($\log m$)-variate multilinear polynomials $E_1, ..., E_{\alpha}$, $\textsf{read\_ts}_1$,..., $\textsf{read\_ts}_{\alpha}$ and $\alpha$ different ($\log N / c$)-variate multilinear polynomials $\textsf{final\_cts}_1$, ..., $\textsf{final\_cts}_{\alpha}$.

// $E_i$ is purported to specify the values of each of the $m$ reads into $T_i$.

// $\textsf{read\_ts}$ and $\textsf{final\_cts}$ are the "counter polynomials" for each memory slot of the subtables after the computation.

$\mathcal{V}$ and $\mathcal{P}$ apply the sumcheck protocol to the polynomial $h(k) := \widetilde{\mathsf{eq}}(r,k) \cdot g(E_1(k), ..., E_{\alpha}(k))$ which reduces the check of the sum of $h(k)$ on the boolean hypercube to : $E_i(r_z) \stackrel{?}{=} v_{E_i}$ for $i = 1, ..., \alpha$.

$\mathcal{V}$ : check if the above equalities hold with one oracle query to each $E_i$.

// Up to this point, the correctness of $E_i$ is are not guaranteed yet. $\mathcal{V}$ and $\mathcal{P}$ runs the offline memory checking to check that $E_i(j)$ equals $T_i[\mathsf{dim}_i(j)]$ for all $j \in \{0,1\}^{\log m}$.

$\mathcal{V} \rightarrow \mathcal{P}$ : $\tau, \gamma \in_{R} \mathbb{F}$.

// In practice, $c$ instances of the sumcheck protocol below can be reduced to a single run of a sumcheck applied to random linear combinations of the polynomials.

$\mathcal{V} \leftrightarrow \mathcal{P}$ : For $i = 1, ..., {\alpha}$, run a GKR-based grand products protocol to reduce the check $\mathcal{H}_{\tau, \gamma}(\mathsf{WS}) \stackrel{?}{=} \mathcal{H}_{\tau, \gamma}(\mathsf{RS}) \cdot \mathcal{H}_{\tau, \gamma}(\textsf{S})$ to the following checks: