Linear-Time Polynomial Holographic Interactive Oracle Proofs with Logarithmic-Time Verification for Rank-1 Constraint System from Lookup Protocol

Abstract

Modern SNARKs are constructed using polynomial Interactive Oracle Proofs (IOPs) and polynomial commitments. In this work, we introduce a novel polynomial holographic IOP for the $\mathcal{NP}$-Complete language Rank-1 Constraint System (R1CS), where holographic IOP means that the proof system supports preprocessing. Our construction achieves linear-time proving, logarithmic-time verification, and constant query complexity. For an R1CS instance with size O(N) over a sufficiently large finite field, the prover’s time is O(N), the verifier’s time is O(log N), and the query complexity is O(1). By combining our polynomial holographic IOP with the recent polynomial commitment scheme Orion, we obtain a transparent SNARK for R1CS with remarkable performance: the prover’s time is O(N), the verifier’s time is O(log² N), and the proof size is O(log² N). The core technique in our construction is the classical SumCheck protocol, which enables us to efficiently check whether an n-variate polynomial sums to a specific value on a given domain, such as {0, 1}ⁿ. Additionally, we showcase how to achieve holography from the lookup protocol, which allows us to efficiently verify that all elements in a vector are contained in another vector. We introduce a new polynomial IOP for the lookup relation with a linear-time prover.

1. Introduction

SNARKs [1,2,3,4], which stands for succinct non-interactive arguments of knowledge, is a cryptographic protocol that enables the verification of the correctness of computations. SNARKs are particularly useful in scenarios where privacy and efficiency are paramount, such as blockchain and decentralized applications. The main goal of SNARKs is to provide a succinct and efficient way to prove the validity of computations or statements, also known as proofs, while minimizing the computational and communication overhead. In a SNARK protocol, a prover generates a proof attesting to the correctness of a computation, and a verifier efficiently verifies the proof’s validity.

In order to construct a SNARK for a particular computation, it is necessary to represent the computation using a specific form. One commonly used computational model for this purpose is the arithmetic circuit. Given an arithmetic circuit $\mathcal{C}$ with an input $x_{\mathrm{in}}$ and output $x_{\mathrm{out}}$, the prover aims to convince the verifier that $\mathcal{C}\left(x_{\mathrm{in}}\right)=x_{\mathrm{out}}$. To achieve this, we can define a transcript w, which represents the values of every wire in the circuit except for the input/output wires. In addition to w, we can define a vector $z=(x_{\mathrm{in}},x_{\mathrm{out}},w)$ that includes the values of every wire in the circuit, including the input/output wires. The prover executes the arithmetic circuit correctly if and only if the vector z satisfies certain constraints imposed by the circuit. For example, let us consider a multiplicative gate in the arithmetic circuit where $z_i$ and $z_j$ are the inputs to the gate, and $z_k$ is the output of this gate. In this case, the constraint imposed by the gate is that the output $z_k$ must equal the product of the inputs $z_i$ and $z_j$, i.e., $z_k=z_i·z_j$.

The Rank-1 Constraint System (R1CS) is the most commonly used constraint system for representing arithmetic circuit constraints. For a sufficiently large finite field $\mathbb{F}$, an R1CS instance includes three matrices, $A,B,C\in {\mathbb{F}}^{N\times N}$ with dimension $N\times N$ and a vector $x\in {\mathbb{F}}^{N_{in}}$ with length $N_{in}$, where $N_{in}<N$. The matrices A, B, and C are a representation of an arithmetic circuit, and the vector x is the public input/output of the circuit. If the prover executes the circuit correctly, then he will obtain a vector $w\in {\mathbb{F}}^{N-N_{in}}$, which represents the values of every wire in the circuit except for the input/output wires. The constraint for correctness is given by the equation $Az\circ Bz=Cz$, where $z=(x,w)$ is the combined vector of the input/output and inner wire values, and ∘ denotes the pair-wise product. For example, consider the arithmetic circuit in Figure 1; the prover wants to convince the verifier that $x_5=(x_1+x_2)\times (x_3\times x_4)$. After executing the circuit, the prover will obtain the values of the intermediate wires, i.e., $w_6$ in Figure 1. To convince the verifier of the correctness of the computation, the prover must prove that $w_6$ satisfies the following constraints for the two multiplicative gates (we compress the constraint for an additive gate to a multiplicative gate):

$$\begin{array}{cc}\hfill & x_3·x_4=w_6\hfill \\ \hfill & (x_1+x_2)·w_6=x_5.\hfill \end{array}$$

(1)

Consider the matrices A, B, and C, defined as follows:

$$A=\left(\begin{array}{cccccc}1& 1& 0& 0& 0& 0\\ 0& 0& 1& 0& 0& 0\end{array}\right),B=\left(\begin{array}{cccccc}0& 0& 0& 0& 0& 1\\ 0& 0& 0& 1& 0& 0\end{array}\right),C=\left(\begin{array}{cccccc}0& 0& 0& 0& 1& 0\\ 0& 0& 0& 0& 0& 1\end{array}\right).$$

Let $z=(x,w)=(x_1,x_2,x_3,x_4,x_5,w_6)$, where $x=(x_1,x_2,x_3,x_4,x_5)$ represents the input/output variables and $w=\left(w_6\right)$ represents the intermediate wire values. It can be observed that the constraints in Equation (1) are satisfiable if and only if the R1CS relation $Az\circ Bz=Cz$ is satisfied. By evaluating the expressions on both sides of the equation, we have the following:

$$\left(\begin{array}{cccccc}1& 1& 0& 0& 0& 0\\ 0& 0& 1& 0& 0& 0\end{array}\right)\left(\begin{array}{c}{x}_1\\ x_2\\ x_3\\ x_4\\ x_5\\ w_6\end{array}\right)\circ \left(\begin{array}{cccccc}0& 0& 0& 0& 0& 1\\ 0& 0& 0& 1& 0& 0\end{array}\right)\left(\begin{array}{c}{x}_1\\ x_2\\ x_3\\ x_4\\ x_5\\ w_6\end{array}\right)=\left(\begin{array}{cccccc}0& 0& 0& 0& 1& 0\\ 0& 0& 0& 0& 0& 1\end{array}\right)\left(\begin{array}{c}{x}_1\\ x_2\\ x_3\\ x_4\\ x_5\\ w_6\end{array}\right).$$

If the R1CS relation is satisfiable, the prover can provide evidence to convince the verifier of the correctness of the computation. In an instance of R1CS, each matrix is sparse, meaning that the number of non-zero elements in each matrix is $O\left(N\right)$. The transformation from an arithmetic circuit to an R1CS instance demonstrates that R1CS is $\mathcal{NP}$-Complete.

Modern SNARKs are typically constructed using two main components: an information-theoretic probabilistic proof system called polynomial Interactive Oracle Proofs (IOPs) [5] and a cryptographic tool called a polynomial commitment [6]. Finally, we can achieve non-interactivity via a standard Fiat–Shamir transformation [7] if the polynomial IOP and polynomial commitments are public coin.

• Polynomial IOP. IOP [5] combines the definition of Interactive Proofs (IPs) [8,9] and Probabilistic Checkable Proofs (PCPs) [10,11]. In each round, the prover will send some proofs to the verifier, and the verifier can access these proofs at any location. After the interaction, the verifier either accepts or rejects them. Polynomial IOP [12,13] is a special kind of IOP. In the polynomial IOP, all proofs sent by the prover are polynomial oracles, and the verifier can query these polynomial oracles at any location to obtain the corresponding evaluations of these polynomials.
• Polynomial commitment. Polynomial commitment [6] is a cryptographic tool that enables the prover to commit to a polynomial f and later provide a short proof $\pi$ to the verifier, demonstrating that $f\left(x\right)=y$ for a specific query x made by the verifier. The commitment scheme ensures that the prover cannot change the polynomial after the commitment is made, and the proof $\pi$ convinces the verifier of the correctness of the evaluated value y without revealing the polynomial’s details.

Many papers [12,13,14] have already provided numerous methods on how to combine polynomial IOPs with polynomial commitment to construct SNARK. In our work, we primarily focus on constructing a polynomial IOP for R1CS to achieve a linear-time prover and a logarithmic-time verifier. However, it is important to note that achieving sublinear verification is not possible for arbitrary R1CS instances. This is because the verifier needs to access and process the entire instance, which includes reading all the matrices involved in the R1CS representation. Therefore, the verifier’s time complexity is inherently bound by the size of the instance being proven. To achieve a logarithmic-time verifier, we allow a one-time public offline preprocessing phase for arbitrary R1CS instances. In this phase, an entity called the indexer receives the three matrices A, B, and C as input and generates some polynomial oracles corresponding to these matrices. The verifier then can access these oracles at any location without reading the full description of these three matrices. Importantly, the offline phase of generating the polynomial oracles only relies on the circuit description provided by the matrices A, B, and C. It does not depend on the specific input x to the circuit. Therefore, the offline phase needs to be executed only once for a given R1CS instance, regardless of the different inputs that may be provided.

Proof systems that incorporate an offline preprocessing phase are commonly referred to as holographic proofs [15], a term that carries historical significance but may not accurately convey the nature of such systems. A polynomial IOP with an offline preprocessing phase is commonly referred to as a polynomial holographic IOP [13,16]. We recall the definition of polynomial holographic IOPs in Section 2.4. Furthermore, our definition of the polynomial oracles supports different query forms, which will be discussed in Section 2.4.1.

1.1. Related Works

Constructing SNARKs for $\mathcal{NP}$-Complete problems (such as R1CS) is currently a prominent research topic in the fields of cryptography and computational complexity. The initial construction of SNARKs originated from the well-known PCP theorem [10,11]. The PCP theorem establishes that any $\mathcal{NP}$ statement can be verified by a constant number of queries to the proof. By combining the Merkle tree scheme [17] with the Fiat–Shamir transformation [7], we can obtain a SNARK based on the PCP theorem.

However, constructing SNARKs directly from the PCP theorem is known to be impractical due to the high complexity and overhead involved. The PCP theorem provides theoretical guarantees but does not offer efficient constructions in practice. The first practical SNARK, called Pinocchio [18], was constructed using linear PCP [19], which is a variant of the PCP model where the proof sent by the prover is a linear function. Pinocchio specifically aimed to construct a SNARK for Quadratic Arithmetic Programs (QAPs) [20], which is an $\mathcal{NP}$-Complete problem that can be efficiently transformed from R1CS. Building upon Pinocchio, Groth16 [21] further optimized the construction, achieving a proof size consisting of only three group elements, which is currently the smallest known proof size for SNARKs. Furthermore, they proved the impossibility of achieving a proof size of 1. However, all of these works rely on a trusted setup process to generate a common reference string (CRS). The CRS contains certain cryptographic parameters and keys that are used during the SNARK construction. It is crucial to keep the CRS secret and securely generated by a trusted third party. Otherwise, if the CRS is compromised or manipulated, the prover could potentially deceive the verifier by producing fraudulent proofs.

While it is true that constructing SNARKs directly from the PCP theorem is known to be inefficient, one advantage of such constructions is their transparency (no need for a trusted third party) and security assumptions. Unlike the linear PCP model, PCP-based SNARKs only rely on the random oracle model for their security. In recent years, there has been renewed interest in PCP-based constructions. Eli Ben-Sasson, Alessandro Chiesa, and Nicholas Spooner introduced a new probabilistic proof model called IOP [5]. It can be viewed as an interactive version of the PCP model. Benedikt Bünz, Ben Fisch, and Alan Szepieniec introduced a restriction to the IOP model and proposed the concept of polynomial IOP [12]. In this model, the prover’s proof is represented as a polynomial oracle. Starting from their work, the construction of modern SNARKs can be viewed as a combination of two main components: polynomial IOP and polynomial commitment. The polynomial IOP provides information-theoretic security, meaning that its security is based on mathematical properties rather than any specific cryptographic assumptions. On the other hand, the polynomial commitment scheme relies on cryptographic assumptions. For example, In PCP-based constructions, the polynomial commitment scheme is formed by combining the low-degree testing scheme [22] and the Merkle tree scheme [17]. The security of this polynomial commitment scheme relies on the assumption that we view the hash function used in the Merkle tree scheme as a random oracle, and no trusted setup is required for such a scheme.

Some polynomial commitment schemes, like the KZG (Kate–Zaverucha–Goldberg) scheme [6], require a trusted setup process. However, they offer advantages such as small proof sizes and efficient verification. In SNARKs based on these schemes, along with suitable polynomial IOPs, a trusted third party is still needed to generate the common reference string (CRS). However, the key difference from earlier SNARKs based on linear PCP is that a single trusted setup can now support multiple circuits. This advancement allows for the construction of universal SNARKs [13,14,23,24], where a single trusted setup suffices for many circuits. Furthermore, in these schemes, the CRS is updatable, which means that the CRS can be updated by several parties, and the security of the system is guaranteed as long as at least one of the parties involved in the update process is honest.

Several transparent polynomial commitment schemes do not require a trusted setup. Examples of such schemes include the Fast Reed–Solomon Interactive Oracle Proof of proximity (FRI) protocol [25], which is a low-degree testing based scheme derived from the PCP literature, and Bulletproofs [26], which is an inner product-based scheme. SNARKs constructed from these polynomial commitment schemes are also transparent, meaning they do not rely on trusted setups [12,27,28,29,30,31]. However, it is important to note that transparent SNARKs generally have larger proof sizes and longer verification times compared to universal SNARKs.

The SNARKs mentioned before all have a prover with quasilinear time complexity, which means that the prover’s runtime is $O(N·\mathrm{polylog}N)$ with the circuit size N. One of the primary reasons for the quasilinear prover time in the mentioned SNARKs is the execution of the Fast Fourier Transform (FFT) algorithm for polynomial operations. Ongoing research and development efforts are focused on further reducing the cost for the prover. Bootle et al. [32] made significant contributions in this area by introducing the first SNARK that achieves a linear-time $\left(O\right(N\left)\right)$ prover and a proof size of $O\left(\sqrt{N}\right)$. Their construction relies on the utilization of a linear-time encodable error-correcting code. Building upon their initial work, Bootle et al. [33] continued to optimize the proof size in their subsequent construction. They achieved a proof size of $O\left(N^{ϵ}\right)$ for any constant $ϵ$ by leveraging the concept of tensor IOP and tensor codes. Furthermore, Bootle et al. [34] made additional advancements by employing a proof composition technique, which enabled them to achieve a proof size of $\mathrm{polylog}\left(N\right)$. This breakthrough not only significantly reduces the proof size but also maintains a linear-time prover.

Golovnev et al. [35] made an intriguing observation regarding the transformation from tensor IOP to standard IOP, as described by Bootle et al. They recognized that this transformation can be interpreted as a form of polynomial commitment. Building upon this insight, Golovnev et al. derived a polynomial commitment scheme from the work of Bootle et al. [33] This newly devised polynomial commitment scheme exhibited desirable properties, including a linear-time prover and a proof size of $O\left(\sqrt{N}\right)$. Capitalizing on these advancements, Golovnev et al., in conjunction with the polynomial IOP for R1CS known as Spartan [36], developed a novel SNARK for R1CS called Brakedown [35]. Brakedown achieved a linear-time prover and sublinear verification. Similar to the PCP-based SNARKs, Brakedown is transparent and post-quantum. The security guarantees of Brakedown rely on the random oracle model.

IOP, as a variant of PCP, has also received significant attention from the theoretical computer science research community. Many works are dedicated to studying the lower bounds of IOPs [37,38,39], aiming to understand their inherent computational limitations and capabilities. In the field of PCP, there is an important conjecture called the sliding-scale conjecture [40]. Arnon et al. [39] proved that constructing an IOP protocol satisfying certain properties implies the truth of this conjecture. Recent work by Arnon et al. [41] has made important progress in this direction by constructing an IOP that comes very close to satisfying the desired properties. In theoretical computer science, another important application of PCP is in the study of hardness of approximation [11]. Recent research [42] has explored the use of IOP to prove the hardness of approximation results.

The lookup protocol, which is a key tool for achieving holography in our work, was initially proposed by Bootle et al [43]. Its purpose is to enable the prover to convince the verifier that all elements in a vector are contained in another vector. Building upon Bootle et al.’s work, Gabizon and Williamsom simplified the protocol and introduced a novel version called plookup [44]. However, the prover time of their construction is $O(N·\log N)$. Bootle et al. [33] previously presented a linear-time lookup protocol in the tensor IOP model. In our work, we follow their approach and present a linear-time lookup protocol in the polynomial IOP model. This allows us to achieve efficient holography while maintaining linear-time complexity.

1.2. Motivation, Results, and Discussion

1.2.1. Motivation

Achieving succinctness is the most critical and challenging goal in the construction of SNARKs. Succinctness requires both a short proof size and fast verification time; verification time should be sublinear in the size of the circuit being proven. Several prior works have made significant progress toward this goal, but each has certain limitations that motivate our approach.

Spartan [36] was the first protocol for R1CS that achieved logarithmic verification time. They introduced the concept of computation commitments to preprocess the circuit and employed the GKR protocol for proof generation. However, Spartan lacked a rigorous formal proof of security, leaving room for improvement in both soundness and practicality.

Marlin [13], another protocol for R1CS, not only achieved logarithmic verification time but also introduced the influential concept of “holography”, where the verifier benefits from preprocessing. However, Marlin’s prover complexity is $O\left(N\log N\right)$.

BCG20 [33] constructed a protocol for R1CS with linear-time proving. However, their protocol had two key drawbacks: (1) the verifier’s complexity was $O\left(N^{ϵ}\right)$ for some small constant $ϵ$, rather than logarithmic, and (2) they employed a tensor IOP model instead of polynomial IOP. This tensor-based approach hindered compatibility with modern polynomial commitment schemes, limiting its practicality for real-world deployment.

Our work builds upon the core ideas of BCG20 [33], including the use of the SumCheck and lookup protocols. However, we overcome their limitations by achieving logarithmic verification time while maintaining linear-time proving. Crucially, our protocol is constructed under the polynomial IOP model, allowing for combination with any polynomial commitment scheme. This advancement enables us to construct a highly efficient, transparent SNARK for R1CS with better performance across proof size, verification time, and prover complexity.

1.2.2. Our Results

In our work, we propose a novel polynomial holographic IOP for R1CS. For an R1CS instance $(A,B,C,x)$ defined over a finite field $\mathbb{F}$, where $A,B,C\in {\mathbb{F}}^{N\times N}$ and $\left|x\right|$ denotes the size of the public input/output, we achieve a linear-time prover and polylogarithmic-time verifier. Specifically, our offline phase runs in $O\left(N\right)$ time, while the online phase requires $O\left(N\right)$ time for the prover and $O(\log N+|x\left|\right)$ time for the verifier. By combining our polynomial IOP with a linear-time polynomial commitment scheme, such as the state-of-the-art Orion [45], we can construct a SNARK with a prover time complexity of $O\left(N\right)$, a verifier time complexity of $O({\log }^{2}N+|x\left|\right)$, and a proof size complexity of $O\left({\log }^{2}N\right)$. Our contributions include:

• A definition of polynomial holographic IOP with different query forms. The polynomial oracles in our definition of the polynomial holographic IOP support different query forms. Specifically, our polynomial oracle is specified by a vector $a=(a\left(0\right),a\left(1\right),\cdots ,a(N-1))\in {\mathbb{F}}^N$ with length $N=2^n$. The verifier can query this oracle in one form with an element $r\in \mathbb{F}$, and the oracle returns a value $\overline{a}(r)$, which is equal to

  $$\sum _{i=0}^{N-1}a\left(i\right)·r^i.$$
  The verifier can also query this oracle in another form with a vector $r\in {\mathbb{F}}^n$, and the oracle returns a value $\widehat{a}\left(r\right)$, which is equal to

  $$\sum _{v\in {\{0,1\}}^n}\left(\prod _{i\in \left[n\right]}\left(\left(1-v_i\right)·\left(1-r_i\right)+v_i·r_i\right)\right)·a\left(v\right).$$
  This returned value comes from the multilinear extension of a, which is explained in more detail in Section 2.2. We provide the definition of a polynomial holographic IOP with different query forms in Section 2.4. We believe that incorporating different query forms into polynomial oracles makes it more flexible and convenient to construct polynomial IOPs. However, combining this type of polynomial IOP with polynomial commitment to construct a SNARK is more challenging because not all polynomial commitment schemes support this query mode.
• A linear-time polynomial IOP for R1CS. We construct a new polynomial IOP for R1CS with a linear-time prover and polylogarithmic-time verifier. The core technique in our construction is the classical SumCheck protocol [46], which has been used to prove many celebrated results in complexity theory such as $\mathcal{IP}=\mathcal{PSPACE}$ [47]. Suppose $w\in {\mathbb{F}}^{N-\left|x\right|}$ is the witness of an R1CS instance $(A,B,C,x)$; let $z=(x,w)\in {\mathbb{F}}^N$ and $z_A=Az$, $z_B=Bz$, $z_C=Cz$. Our construction consists of three parts:

  −

  RowCheck. A polynomial IOP (Section 3.1) check that $z_A\circ z_B=z_C$, where ∘ denotes the pair-wise product.

  −

  LinCheck. A polynomial IOP (Section 3.2) check that for all $U\in \{A,B,C\}$, $z_U=Uz$.

  −

  ConsistencyCheck. A polynomial IOP (Section 3.3) check that the first $\left|x\right|$ elements of z are exactly x.

  We present the non-holographic part of our protocol in Section 3 and show how to achieve holography in Section 4.
• A linear-time polynomial IOP for lookup relation. The lookup protocol, which allows us to verify whether all elements in one vector are contained in another vector, is highly beneficial in our pursuit of holography, as described in [33]. We present a novel linear-time polynomial IOP for the lookup condition, inspired by the work of Bootle et al. [33]. Their research introduced a linear-time lookup protocol in the tensor IOP model. Our construction consists of two parts:

  −

  CSLCheck. A polynomial IOP (Section 4.3.1) check of whether one vector is a cyclic left shift of another vector.

  −

  ProductCheck. A polynomial IOP (Section 4.3.2) check of whether the product of all elements in a vector is equal to a specific value.

  In Section 4.2, we will demonstrate the utilization of the lookup protocol to achieve holography, while in Section 4.3.3, we will provide a comprehensive description of the lookup protocol.

Based on the protocols mentioned above, we construct the polynomial IOP for R1CS. The properties of each protocol are summarized in

Table 1. Properties of all protocols.

Protocol	Round	Communication	Query	Verifier’s	Prover’s	Soundness
		Complexity	Complexity	Time	Time	Error
RowCheck	$O\left(\log N\right)$	$O\left(\log N\right)$	$O\left(1\right)$	$O\left(\log N\right)$	$O\left(N\right)$	${\displaystyle \frac{4\log N}{\left|\mathbb{F}\right|}}$
LinCheck	$O\left(\log N\right)$	$O\left(\log N\right)$	$O\left(1\right)$	$O\left(\log N\right)$	$O\left(N\right)$	${\displaystyle \frac{1+3\log N}{\left|\mathbb{F}\right|}}$
ConsistencyCheck	0	0	$O\left(1\right)$	$O\left(\right|x\left|\right)$	$O\left(\right|x\left|\right)$	${\displaystyle \frac{\log \left|x\right|}{\left|\mathbb{F}\right|}}$
PIOP for R1CS	$O\left(\log N\right)$	$O\left(\log N\right)$	$O\left(1\right)$	$O(\log N+|x\left|\right)$	$O\left(N\right)$	${\displaystyle \frac{4\log N}{\left|\mathbb{F}\right|}}$
CSLCheck	0	0	$O\left(1\right)$	$O\left(\log M\right)$	0	${\displaystyle \frac{M}{\left|\mathbb{F}\right|}}$
ProductCheck	$O\left(\log M\right)$	$O\left(\log M\right)$	$O\left(1\right)$	$O\left(\log M\right)$	$O\left(M\right)$	${\displaystyle \frac{M}{\left|\mathbb{F}\right|}}$
Lookup	$O\left(\log M\right)$	$O\left(\log M\right)$	$O\left(1\right)$	$O\left(\log M\right)$	$O\left(M\right)$	${\displaystyle \frac{6M+N}{\left|\mathbb{F}\right|}}$
PHIOP for R1CS	$O\left(\log M\right)$	$O\left(\log M\right)$	$O\left(1\right)$	$O\left(\log M\right)$	$O\left(M\right)$	$O\left({\displaystyle \frac{M}{\left|\mathbb{F}\right|}}\right)$

, where PIOP for R1CS refers to the non-holographic protocol, PHIOP refers to the holographic protocol, N denotes the number of rows and columns in the R1CS matrices, and M denotes the number of non-zero entries in the matrices.

1.2.3. Discussion

Our polynomial IOP for R1CS achieves a query complexity of $O\left(1\right)$, where the query complexity refers to the number of queries made by the verifier to the polynomial oracles. When combining our polynomial IOP with the polynomial commitment Orion [45], we obtain an efficient SNARK of invoking Orion only a constant number of times. Since the polynomial commitment Orion has $O\left(N\right)$ prover time, $O\left({\log }^{2}N\right)$ verifier time, and $O\left({\log }^{2}N\right)$ proof size, our final SNARK has $O\left(N\right)$ prover time, $O(|x|+{\log }^{2}N)$ verifier time, and $O\left({\log }^{2}N\right)$ proof size. We provide an overview of some classical and recent works about SNARKs for R1CS in

Table 2. Efficiency comparison of some known SNARKs for R1CS with circuit size $O\left(N\right)$ and public input/output x.

Protocol	Proof Model	Prover’s Time	Verifier’s Time	Proof Size
Groth16 [21]	Linear PCP	$O\left(N\log N\right)$	$O\left(1\right)$	$O\left(1\right)$
Marlin [13]	Polynomial IOP	$O\left(N\log N\right)$	$O(\log N+|x\left|\right)$	$O\left(1\right)$
[31]	IOP	$O\left(N\log N\right)$	$O({\log }^{2}N+|x\left|\right)$	$O\left({\log }^{2}N\right)$
[33]	Tensor IOP	$O\left(N\right)$	$O\left(N^{ϵ}\right)$	$O\left(N^{ϵ}\right)$
[48]	Tensor IOP	$O\left(N\right)$	$O\left(\mathrm{polylog}\right(N)+|x\left|\right)$	$O\left(\mathrm{polylog}\right(N\left)\right)$
Brakedown [35]	Polynomial IOP	$O\left(N\right)$	$O\left(\sqrt{N}\right)$	$O\left(\sqrt{N}\right)$
Our work	Polynomial IOP (together with Orion)	$O\left(N\right)$	$O({\log }^{2}N+|x\left|\right)$	$O\left({\log }^{2}N\right)$

.

While our proposed protocol achieves good prover efficiency, verifier complexity, and proof size, it does have an important limitation: the requirement for a sufficiently large finite field. To ensure the soundness of the protocol, the size of the field must be at least as large as the size of the circuit being proven ($\left|\mathbb{F}\right|\ge \mathrm{\Omega }\left(N\right)$). The complexity analysis of our protocol assumes that a single field operation (addition, subtraction, and multiplication) is treated as an atomic operation. However, as the field size increases, the time required for each atomic operation also increases. This dependency on large fields can lead to efficiency overhead.

2. Preliminaries

2.1. Indexed Relation

Recall that a relation $\mathcal{R}$ is a set of tuples $(\mathbb{x},\mathbb{w})$ where $\mathbb{x}$ is the instance and $\mathbb{w}$ is the witness. If $\mathcal{R}$ is an $\mathcal{NP}$ relation, then $\mathcal{R}$ can be decided in polynomial time. Let $\mathcal{L}\left(\mathcal{R}\right)$ be the corresponding language, i.e., $\mathcal{L}\left(\mathcal{R}\right)=\left\{\mathbb{i}:\exists \mathbb{w},\mathrm{such}\mathrm{that}(\mathbb{x},\mathbb{w})\in \mathcal{R}\right\}$. If $\mathcal{L}\left(\mathcal{R}\right)$ is an $\mathcal{NP}$ language, then there exists a polynomial time decider D; if the instance $\mathbb{x}\in \mathcal{L}$, then there exists a witness $\mathbb{w}$ with polynomial size such that $D(\mathbb{x},\mathbb{w})=1$. An $\mathcal{NP}$ proof system for an $\mathcal{NP}$ language $\mathcal{L}\left(\mathcal{R}\right)$ is a protocol between an unlimited prover and a polynomial time verifier. For a public input $\mathbb{x}$, the prover wants to convince the verifier that $x\in \mathcal{L}$. The prover can send the witness $\mathbb{w}$ to the verifier, and the verifier can decide whether $(\mathbb{x},\mathbb{w})\in \mathcal{R}$ in polynomial time.

In order to achieve holographic proof, we consider the indexed relation. An indexed relation $\mathcal{R}$ is a set of triples $(\mathbb{i},\mathbb{x},\mathbb{w})$ where $\mathbb{i}$ is the index, $\mathbb{x}$ is the instance, and $\mathbb{w}$ is the witness. If $\mathcal{R}$ is an indexed $\mathcal{NP}$ relation, then $\mathcal{R}$ can be decided in polynomial time. The corresponding language $\mathcal{L}\left(\mathcal{R}\right)$ consists of pairs $(\mathbb{i},\mathbb{x})$. If $\mathcal{L}\left(\mathcal{R}\right)$ is an indexed $\mathcal{NP}$ language, then there exists a polynomial time decider D; if the instance $(\mathbb{i},\mathbb{x})\in \mathcal{L}\left(\mathcal{R}\right)$, then there exists a witness $\mathbb{w}$ with polynomial size such that $D(\mathbb{i},\mathbb{x},\mathbb{w})=1$. A holographic $\mathcal{NP}$ proof system for an indexed $\mathcal{NP}$ language $\mathcal{L}\left(\mathcal{R}\right)$ consists of two phases: an offline phase executed by the indexer, where the indexer takes the index $\mathbb{i}$ as the input and outputs the encoding (polynomial oracle in our work) of $\mathbb{i}$, and an online phase executed by the prover and verifier, where the prover can send the witness $\mathbb{w}$ to the verifier, and the verifier can decide whether $(\mathbb{i},\mathbb{x},\mathbb{w})\in \mathcal{R}$ by querying the encoding of $\mathbb{i}$ produced by the indexer. This enables the verifier to avoid reading the entire description of $\mathbb{i}$, reducing the runtime of the verifier to sublinear in $\left|\mathbb{i}\right|$.

For example, the indexed Boolean circuit satisfiability relation $\mathcal{R}$ consists of triples $(\mathbb{i},\mathbb{x},\mathbb{w})$, where $\mathbb{i}$ is the description of a Boolean circuit, $\mathbb{x}$ is the partial assignment of the input, and $\mathbb{w}$ is the remaining assignment such that the output of the circuit is 1. In the traditional $\mathcal{NP}$ proof system, the verifier must read the entire description of the circuit $\mathbb{i}$, so the verifier’s cost is at least $\left|\mathbb{i}\right|$ in such a case. In the holographic $\mathcal{NP}$ proof system, the verifier can query the encoding of the circuit $\mathbb{i}$, which is produced by the indexer in the offline phase, so we can achieve the verifier’s cost to sublinear in the circuit size $\left|\mathbb{i}\right|$.

In this paper, we will focus on the indexed R1CS relation, which serves as a representation of the arithmetic circuit computation. The formal definition of the indexed R1CS relation, denoted as ${\mathcal{R}}_{R1CS}$, is as follows:

Definition 1.

Let $\mathbb{F}$ be a finite field and A, B, C be three sparse matrices over $\mathbb{F}$ with dimensions $N\times N$. Each matrix has at most $M=O\left(N\right)$ non-zero entries. Suppose $N_{in}\le N$; let $x\in {\mathbb{F}}^{N_{in}}$ and $w\in {\mathbb{F}}^{N-N_{in}}$ be two vectors. Then, the indexed R1CS relation ${\mathcal{R}}_{R1CS}$ is the set of all triples

$$\left(\mathbb{i},\mathbb{x},\mathbb{w}\right)=\left(\left(\mathbb{F},A,B,C,N,M,N_{in}\right),x,w\right),$$

such that $Az\circ Bz=Cz$, where $z=(x,w)\in {\mathbb{F}}^N$, and ∘ denotes the pair-wise product. Without loss of generality, we assume that N, M and $N_{in}$ are powers of 2, i.e., $N=2^n$, $M=2^m$, and $N_{in}=2^{n_{in}}$. Let $\mathcal{L}\left({\mathcal{R}}_{R1CS}\right)$ be the corresponding language.

It is easy to see that $\mathcal{L}\left({\mathcal{R}}_{R1CS}\right)$ is an $\mathcal{NP}$ language since we can verify the equation $Az\circ Bz=Cz$ in polynomial time. Additionally, any instance of arithmetic circuit satisfiability can be efficiently reduced to an instance of R1CS. This reduction demonstrates that the language $\mathcal{L}\left({\mathcal{R}}_{R1CS}\right)$ is $\mathcal{NP}$-Complete.

In the industry, R1CS has also gained significant attention. Through certain compilers [49,50,51], a program or code snippet can be transformed into an instance of R1CS. If the prover accurately executes the program, the prover can obtain a witness regarding the R1CS instance, which allows the R1CS relation to be satisfied. This enables a mechanism where the execution of a program can be verified using the R1CS relation, ensuring the integrity and correctness of the program’s execution.

2.2. Multilinear Extension

We define a $2n$-variate polynomial $\widehat{\chi }(X,Y):{\mathbb{F}}^{2n}\to \mathbb{F}$ such that

$$\widehat{\chi }(X,Y)=\prod _{i\in \left[n\right]}\left((1-X_i)·(1-Y_i)+X_i·Y_i\right),$$

(2)

where $\left[n\right]=\left\{1,2,\cdots ,n\right\}$. Note that for all $x,y\in {\{0,1\}}^n$, this polynomial has the following properties:

$$\widehat{\chi }(x,y)=\left\{\begin{array}{c}1,\mathrm{if}x=y,\hfill \\ 0,\mathrm{if}x\ne y.\hfill \end{array}\right.$$

(3)

Suppose $f:{\{0,1\}}^n\to \mathbb{F}$ is a function defined on the Boolean hypercube; the multilinear extension of f is the multivariate polynomial $\widehat{f}:{\mathbb{F}}^n\to \mathbb{F}$ such that $\widehat{f}\left(v\right)=f\left(v\right)$ for all $v\in {\{0,1\}}^n$. Formally,

$$\widehat{f}\left(X\right)=\sum _{v\in {\{0,1\}}^n}\widehat{\chi }(v,X)·f\left(v\right)=\sum _{v\in {\{0,1\}}^n}\left(\prod _{i\in \left[n\right]}\left(\left(1-v_i\right)·\left(1-X_i\right)+v_i·X_i\right)\right)·f\left(v\right).$$

(4)

The polynomial family ${\left\{\widehat{\chi }(v,X)\right\}}_{v\in {\{0,1\}}^n}$ is also known as the Lagrange bases. If we view the function f as a vector of length $2^n$, then the multilinear extension of f is an inner product of f and the Lagrange bases.

Given any vector $r\in {\mathbb{F}}^n$, and assuming that all values of f on the Boolean hypercube are known, $\widehat{f}\left(r\right)$ can be computed in $O(n·2^n)$ time using Equation (4). Using dynamic programming, we can reduce the time complexity to $O\left(2^n\right)$, but this comes with an additional space overhead.

Theorem 1

([52]). For any positive integer n, suppose $f:{\{0,1\}}^n\to \mathbb{F}$ is a function defined on the Boolean hypercube, $\widehat{f}:{\mathbb{F}}^n\to \mathbb{F}$ is the multilinear extension of f; given $f\left(a\right)$ for all $a\in {\{0,1\}}^n$ and an arbitrary vector $r\in \mathbb{F}$ as input, we can compute $\widehat{f}\left(r\right)$ in time $O\left(2^n\right)$ and space $O\left(2^n\right)$.

2.3. Schwartz–Zippel Lemma

The soundness analysis of our construction is heavily based on the Schwartz–Zipple Lemma, which we state below:

Lemma 1

(Schwartz–Zippel Lemma [53]). Let $\mathbb{F}$ be a field, and $f:{\mathbb{F}}^n\to \mathbb{F}$ is a non-zero n-variate polynomial with total degree of at most d. Then, for any finite set $S\subseteq \mathbb{F}$,

$$\underset{r\leftarrow S^n}{\mathit{Pr}}\left[f\left(r\right)=0\right]\le {\displaystyle \frac{d}{\left|S\right|}}.$$

2.4. Polynomial Holographic IOP

IOP [5] is a proof system that combines the features of PCP [10,11] and IP [8,9]. In the PCP model, the prover convinces the verifier of the truth of a statement by providing a proof that can be efficiently verified by making a small number of queries to the proof via oracle access. In the IOP model, similar to the IP model, the prover and verifier engage in an interactive protocol where the prover provides proofs in multiple rounds of interaction. This allows for more flexibility between the prover and verifier.

A holographic IOP refers to a proof system that consists of two distinct phases: an offline phase and an online phase. During the offline phase, the indexer takes the index as input and generates a set of precomputed proofs. During the online phase, the prover and verifier engage in a traditional IOP. The verifier can also query the precomputed proofs generated in the offline phase via oracle access. This prevents the verifier from reading the full description of the index, and the verifier can be implemented with sublinear time complexity relative to the size of the index.

In a polynomial holographic IOP [12,13,16], each proof generated by the indexer or prover is a polynomial oracle. The verifier is empowered to make queries to these oracles at any location. Moreover, in Section 2.4.1, we will elaborate on the various query forms available to the verifier when querying the polynomial oracles. The introduction of a polynomial oracle that supports different query forms enables the design of polynomial holographic IOP to be more flexible and convenient.

2.4.1. Polynomial Oracles with Different Query Forms

A polynomial oracle can be specified by a vector $a=\left(a\left(0\right),a\left(1\right),\cdots ,a(N-1)\right)\in {\mathbb{F}}^N$; we assume that the length of the vector is a power of two, i.e., $N=2^n$. We denote the polynomial oracle specified by vector a as $\tilde{a}$. The verifier has the flexibility to query the polynomial oracle using different query forms, which are as follows:

• Univariate canonical form: In this form, when the verifier queries the polynomial oracle $\tilde{a}$ with an element $r\in \mathbb{F}$, the oracle returns the value ${\sum }_{i=0}^{N-1}a\left(i\right)·r^i$. To represent this returned value, we use the notation $\stackrel{-}{a}$, which denotes the polynomial $\stackrel{-}{a}\left(X\right)={\sum }_{i=0}^{N-1}a\left(i\right)·X^i$.
• Multilinear Lagrange form: In this form, when the verifier queries the polynomial oracle $\tilde{a}$ with a vector $r\in {\mathbb{F}}^n$ ($n=\log N$), the oracle returns the value

  $$\widehat{a}\left(r\right)=\sum _{v\in {\{0,1\}}^n}\widehat{\chi }(v,r)·a\left(v\right)=\sum _{v\in {\{0,1\}}^n}\left(\prod _{i\in \left[n\right]}\left(\left(1-v_i\right)·\left(1-r_i\right)+v_i·r_i\right)\right)·a\left(v\right),$$

  we can view every element of $\{0,1,\cdots ,N-1\}$ as a binary string with length $n=\log N$. Note that $\widehat{a}$ is the multilinear extension of a.

These two query modes are sufficient to construct the polynomial IOP in this paper. It is possible to define additional query modes to further enhance the flexibility of the polynomial oracle.

2.4.2. Polynomial Holographic IOP with Different Query Forms

A polynomial holographic IOP with different query forms for an indexed relation $\mathcal{R}$ is a protocol among three parties: an indexer, a prover, and a verifier. The protocol executes in two distinct stages: an offline preprocessing phase and an online verification phase.

In the offline phase, the indexer outputs some polynomial oracles from the index $\mathbb{i}$. This preprocessing stage is deterministic and instance-agnostic.

In the online phase, the prover seeks to establish the membership claim $(\mathbb{i},\mathbb{x},\mathbb{w})\in \mathcal{R}$, where the prover’s input is $(\mathbb{i},\mathbb{x},\mathbb{w})$ and the verifier’s input is $\mathbb{x}$ with some indexer’s precomputed polynomial oracles. The interaction proceeds through multiple rounds, where:

• The verifier transmits randomly generated challenge values.
• The prover responds with either polynomial oracles or standard messages (read entirely by the verifier). The verifier employs varied query forms (as detailed in Section 2.4.1) to query the polynomial oracles at any chosen point. Ultimately, the verifier renders an acceptance or rejection decision.

Let $\mathcal{L}\left(\mathcal{R}\right)$ induced by $\mathcal{R}$, the protocol satisfies:

• Perfect Completeness. Any $(\mathbb{i},\mathbb{x},\mathbb{w})\in \mathcal{R}$ ensures the verifier’s certainty of acceptance.
• Soundness bound $ϵ$. For any $(\mathbb{i},\mathbb{x})\notin \mathcal{L}\left(\mathcal{R}\right)$, for any prover’s strategy, no adversarial prover strategy can induce acceptance with probability exceeding $ϵ$.

Protocol performance is quantified through:

• Rounds. Count of interactive rounds.
• Communication complexity. Total size of non-oracle messages.
• Query complexity. Number of oracle queries made by the verifier.
• Prover’s time. The prover’s execution time.
• Verifier’s time. The verifier’s execution time.

A polynomial holographic IOP is public-coin if all verifier-generated randomness is transparently disclosed. This characteristic enables conversion to non-interactive protocols via the Fiat–Shamir heuristic [7] under the random oracle model. All constructions presented in this work adopt this public-coin framework.

2.5. SumCheck Protocol

The SumCheck protocol [46] is a fundamental component for probabilistic proofs. Many celebrated results in complexity theory such as $\mathcal{IP}=\mathcal{PSPACE}$ [47] and $\mathcal{NEXP}=\mathcal{MIP}$ [54] have been obtained using this technique. Given a finite field $\mathbb{F}$, suppose $f\in \mathbb{F}\left[X_1,\cdots ,X_n\right]$ is an n-variate polynomial and $\gamma \in \mathbb{F}$; the purpose of the protocol is for the prover to convince the verifier that

$$\sum _{a_1\in \{0,1\}}\sum _{a_2\in \{0,1\}}\cdots \sum _{a_n\in \{0,1\}}f\left(a_1,a_2,\cdots ,a_n\right)=\gamma .$$

(5)

Obviously, the verifier can compute $\gamma$ from Equation (5) by evaluating f at all points in ${\{0,1\}}^n$. This takes time $O(2^n·T)$, where T is the cost to compute f at a single point in ${\mathbb{F}}^n$. Using the SumCheck protocol, with the help of a prover, we can reduce the verifier’s time complexity to $O(nd+T)$, where d is the maximal individual degree of f. This is an exponential improvement in efficiency. The SumCheck protocol works as follows:

Protocol 1.

SumCheck protocol:

Inputs.

• Prover’s input:

  −

  An n-variate polynomial f with maximal individual degree d.

• Verifier’s input:

  −

  An n-variate polynomial f with maximal individual degree d.

  −

  An element $\gamma \in \mathbb{F}$ provided by the prover.

Goal.

• The prover convinces the verifier that $\gamma ={\sum }_{a\in {\{0,1\}}^n}f\left(a\right)$.

The protocol:

1. 

In the first round, the prover sends a univariate polynomial

$$f_1\left(X_1\right)=\sum _{\left(a_2,\cdots ,a_n\right)\in {\{0,1\}}^{n-1}}f\left(X_1,a_2,\cdots ,a_n\right).$$

the verifier checks that $\gamma =f_1\left(0\right)+f_1\left(1\right)$ and rejects it if this equation does not hold. The verifier samples a random element $r_1$ from $\mathbb{F}$ and sends $r_1$ to the prover.

2. 

In the i-th round, where $1<i<n$, the prover sends a univariate polynomial

$$f_i\left(X_i\right)=\sum _{\left(a_{i+1},\cdots ,a_n\right)\in {\{0,1\}}^{n-i}}f\left(r_1,\cdots ,r_{i-1},X_i,a_{i+1},\cdots ,a_n\right).$$

the verifier checks that $f_{i-1}\left(r_{i-1}\right)=f_i\left(0\right)+f_i\left(1\right)$ and rejects it if this equation does not hold. The verifier samples a random element $r_{i+1}$ from $\mathbb{F}$ and sends $r_{i+1}$ to the prover.

3. 

In the n-th (final) round, the prover sends a univariate polynomial

$$f_n\left(X_n\right)=f\left(r_1,\cdots ,r_{n-1},X_n\right).$$

The verifier checks that $f_{n-1}\left(r_{n-1}\right)=f_n\left(0\right)+f_n\left(1\right)$ and rejects it if this equation does not hold. The verifier samples a random element $r_n$ from $\mathbb{F}$ and computes $f\left(r_1,\cdots ,r_n\right)$, and it accepts it if and only if $f_n\left(r_n\right)=f\left(r_1,\cdots ,r_n\right)$.

The completeness of the SumCheck protocol is straightforward. For the soundness, it can be shown by induction on n that if ${\gamma }^{\prime }$ does not equal the value $\gamma$ in Equation (5), then $\mathbf{V}$ is accepted with a probability of at most ${\displaystyle \frac{nd}{\left|\mathbb{F}\right|}}$. Recall that d is the maximal individual degree of f. The efficiency of this protocol is shown in

Table 3. Efficiency of SumCheck protocol.

Round	Communication	Query	Verifier’s	Prover’s	Soundness
	Complexity	Complexity	Time	Time	Error
$O\left(n\right)$	$O(n·d)$	1	$O(n·d)+T$	$O(2^n·d·T)$	${\displaystyle \frac{nd}{\left|\mathbb{F}\right|}}$

.

In our work, when the SumCheck protocol is applied, the verifier does not receive the polynomial f explicitly as input. Instead, the verifier has access to the polynomial oracle $\tilde{f}$. Specifically, f in our case is always a composition of multilinear polynomials. As a result, the polynomial oracle $\tilde{f}$ can be specified by some vectors which correspond to the evaluations of the multilinear polynomials on the Boolean hypercube. The verifier can query this oracle using the multilinear Lagrange form.

3. Linear Time Polynomial IOP for R1CS

We construct a polynomial IOP for R1CS with a linear time prover. In the R1CS relation, the prover wants to convince the verifier that the equation $Az\circ Bz=Cz$ holds (∘ is the pairwise product), where $A,B,C\in {\mathbb{F}}^{N\times N}$, $z=(x,w)\in {\mathbb{F}}^N$, $x\in {\mathbb{F}}^{N_{in}}$, and $w\in {\mathbb{F}}^{N-N_{in}}$ is the witness of the relation. The prover computes $z_A=Az,z_B=Bz,z_C=Cz$ and sends the polynomial oracles ${\tilde{z}}_A,{\tilde{z}}_B,{\tilde{z}}_C$ to the verifier. Without loss of generality, we assume N is the power of 2. Let $n=\log N$. In order to verify whether the R1CS relation holds, the verifier need to perform the following check:

• RowCheck: check that $z_A\circ z_B=z_C$, namely, for all $i\in {\{0,1\}}^n$, $z_A\left(i\right)·z_B\left(i\right)=z_C\left(i\right)$ (the index starts from 0).
• LinCheck: check that $z_A=Az,z_B=Bz,z_C=Cz$. Intuitively, since for all $i\in {\{0,1\}}^n$, $z_A\left(i\right)={\sum }_{j\in {\{0,1\}}^n}A(i,j)·z\left(j\right)$, the SumCheck protocol is naturally suitable for this task.
• ConsistencyCheck: check that the first $N_{in}$ elements of z are exactly x.

In this section, we assume the indexer has sent the polynomial oracles $\tilde{A}$, $\tilde{B}$, $\tilde{C}$ to the verifier in the offline phase. The verifier can query $\tilde{A}$ ($\tilde{B}$, $\tilde{C}$) at any point $(x,y)\in {\mathbb{F}}^{2n}$ to obtain $\widehat{A}(x,y)$ ($\widehat{B}(x,y)$, $\widehat{C}(x,y)$). We will show how to achieve holography setting in Section 4.

3.1. RowCheck

In this section, we give the RowCheck protocol. Suppose $z_A,z_B,z_C\in {\mathbb{F}}^N$ are three vectors. Given three polynomial oracles ${\tilde{z}}_A$, ${\tilde{z}}_B$, and ${\tilde{z}}_C$, the purpose of RowCheck is for the prover to convince the verifier that $z_A\circ z_B=z_C$, where ∘ denotes the pairwise product for two vectors. Let $n=\log N$. We can view the vectors $z_A,z_B,z_C$ as three functions on the Boolean hypercube, namely $z_A,z_B,z_C:{\{0,1\}}^n\to \mathbb{F}$. Let ${\widehat{z}}_A,{\widehat{z}}_B,{\widehat{z}}_C:{\mathbb{F}}^n\to \mathbb{F}$ be the multilinear extension of $z_A,z_B,z_C$. If the vector relation $z_A\circ z_B=z_C$ holds, then ${\widehat{z}}_A\left(v\right)·{\widehat{z}}_B\left(v\right)-{\widehat{z}}_C\left(v\right)=0$ for all $v\in {\{0,1\}}^n$.

Let $G\left(X\right)={\widehat{z}}_A\left(X\right)·{\widehat{z}}_B\left(X\right)-{\widehat{z}}_C\left(X\right)$. We want to check that $G\left(X\right)$ vanishes on the Boolean hypercube ($G\left(v\right)=0$ for all $v\in {\{0,1\}}^n$). This task is often referred to as ZeroTest. In the worst case, the verifier should query all $2^n$ points from polynomial oracles ${\tilde{z}}_A,{\tilde{z}}_B,{\tilde{z}}_C$ to obtain ${\widehat{z}}_A\left(v\right),{\widehat{z}}_B\left(v\right),{\widehat{z}}_C\left(v\right)$ for all $v\in {\{0,1\}}^n$, since the polynomial $G\left(X\right)$ may be zero everywhere except for one point on the Boolean hypercube. We can construct an efficient protocol for ZeroTest by reducing this task to SumCheck. We define a new polynomial $H:{\mathbb{F}}^n\to \mathbb{F}$,

$$H\left(X\right)=\sum _{v\in {\{0,1\}}^n}\widehat{\chi }(v,X)·G\left(v\right)=\sum _{v\in {\{0,1\}}^n}\left(\prod _{i\in \left[n\right]}\left((1-v_i)·(1-X_i)+v_i·X_i\right)\right)·G\left(v\right).$$

(6)

We have the following lemma:

Lemma 2.

If $G\left(v\right)=0$ for all $v\in {\{0,1\}}^n$, then $\underset{\tau \leftarrow {\mathbb{F}}^n}{\mathit{Pr}}[H\left(\tau \right)=0]=1$. If there exists $v\in {\{0,1\}}^n$ such that $G\left(v\right)\ne 0$, then $\underset{\tau \leftarrow {\mathbb{F}}^n}{\mathit{Pr}}[H\left(\tau \right)=0]\le {\displaystyle \frac{n}{\left|\mathbb{F}\right|}}$.

Proof. 

If $G\left(v\right)=0$ for all $v\in {\{0,1\}}^n$, then H is a zero polynomial; namely, for all $\tau \in {\mathbb{F}}^n$, $H\left(\tau \right)=0$. If there exists $v\in {\{0,1\}}^n$ such that $G\left(v\right)\ne 0$, then $\underset{\tau \leftarrow {\mathbb{F}}^n}{\mathbf{Pr}}[H\left(\tau \right)=0]\le {\displaystyle \frac{n}{\left|\mathbb{F}\right|}}$ based on the Schwartz–Zippel Lemma (Lemma 1), since the degree of each variable in H is at most one. □

The random vector $\tau \in {\mathbb{F}}^n$ is chosen and sent by the verifier. After receiving the random vector, the prover and verifier run the SumCheck protocol on the statement “${\sum }_{v\in {\{0,1\}}^n}h\left(v\right)=0$”, where $h\left(X\right)=\left({\prod }_{i\in \left[n\right]}\left((1-X_i)·(1-{\tau }_i)+X_i·{\tau }_i\right)\right)·G\left(X\right)$. We describe the RowCheck protocol as follows:

Protocol 2.

RowCheck Protocol:

Inputs.

• Prover’s input:

  −

  Three vectors $z_A,z_B,z_C\in {\mathbb{F}}^N$.

• Verifier’s input:

  −

  Three polynomial oracles ${\tilde{z}}_A$, ${\tilde{z}}_B$, ${\tilde{z}}_C$.

Goal.

• The prover convinces the verifier that $z_A\circ z_B=z_C$, where ∘ denotes the pairwise product for two vectors.

The protocol:

1. 

The verifier samples $\tau \leftarrow {\mathbb{F}}^n$ and sends it to the prover.

2. 

Let $h\left(X\right)=\widehat{\chi }(X,\tau )·\left({\widehat{z}}_A\left(X\right)·{\widehat{z}}_B\left(X\right)-{\widehat{z}}_C\left(X\right)\right)$. The prover and verifier run SumCheck protocol for the claim “${\sum }_{v\in {\{0,1\}}^n}h\left(v\right)=0$”.

In the last round of the SumCheck protocol, the verifier should compute $h\left(X\right)$ at a random point $r\in {\mathbb{F}}^n$, which can be done by querying ${\tilde{z}}_A,{\tilde{z}}_B,{\tilde{z}}_C$ at r and computing

$$\prod _{i\in \left[n\right]}\left((1-r_i)·(1-{\tau }_i)+r_i·{\tau }_i\right)$$

in $O\left(n\right)=O\left(\log N\right)$ time.

The maximal individual degree of h is at most 3. Since $G\left(X\right)={\widehat{z}}_A\left(X\right)·{\widehat{z}}_B\left(X\right)-{\widehat{z}}_C\left(X\right)$ has an individual degree of at most 2, this introduces an additional soundness error ${\displaystyle \frac{3n}{\left|\mathbb{F}\right|}}$. Together with Lemma 2, the soundness error of the RowCheck protocol is ${\displaystyle \frac{4n}{\left|\mathbb{F}\right|}}={\displaystyle \frac{4\log N}{\left|\mathbb{F}\right|}}$ and is union bound.

We analyze the time complexity of the prover. In the j-th round of the SumCheck protocol, the prover should send a polynomial

$$h_j\left(X_j\right)=\sum _{v_{j+1},\cdots ,v_n\in \{0,1\}}h(r_1,r_2,\cdots ,r_{j-1},X_j,v_{j+1},\cdots ,v_n).$$

Since $h_j\left(X_j\right)$ has a degree of at most 3, the prover can specify $h_j\left(X_j\right)$ by sending $h_j\left(0\right)$, $h_j\left(1\right)$, $h_j\left(2\right)$, $h_j\left(3\right)$, and the verifier can reconstruct the polynomial using a standard interpolation in constant time. From Theorem 1, the cost of the prover in the j-th round is $O(4·2^{n-j}·2^n)=O\left(2^{2n-j}\right)$. Overall, the total cost of the prover in the RowCheck protocol is ${\sum }_{j=1}^{n}O\left(2^{2n-j}\right)=O\left(2^{2n}\right)=O\left(N^2\right)$.

Using a similar idea to the proof of Theorem 1, the prover can be implemented in time $O\left(N\right)$ [55,56]. For completeness, we will present the details of how to implement the prover in linear time. Note that $\widehat{\chi }(X,\tau ),{\widehat{z}}_A\left(X\right),{\widehat{z}}_B\left(X\right),{\widehat{z}}_C\left(X\right)$ are multilinear polynomials. We will show the following lemma:

Lemma 3.

Suppose $\widehat{f}:{\mathbb{F}}^n\to \mathbb{F}$ is a multilinear polynomial and we can evaluate $\widehat{f}$ at all points in ${\{0,1\}}^n$ in time $O\left(2^n\right)$. Then, for every $j\in \left[n\right]$, the following quantities can be computed in time $O\left(2^{n-j}\right)$:

$${\left\{\widehat{f}(r_1,\cdots ,r_{j-1},\{0,1,2,3\},v_{j+1},\cdots v_n)\right\}}_{v_{j+1},\cdots v_n\in \{0,1\}},$$

(7)

where $r_1,r_2,\cdots ,r_n$ are random elements in $\mathbb{F}$.

Proof. 

We show this fact via induction on j. Let

$$p_j(X_j,X_{j+1},\cdots ,X_n)=\widehat{f}(r_1,\cdots ,r_{j-1},X_j,X_{j+1},\cdots ,X_n)$$

(8)

and

$$p_{j-1}(X_{j-1},X_i,\cdots ,X_n)=\widehat{f}(r_1,\cdots ,r_{j-2},X_{j-1},X_j,\cdots ,X_n),$$

(9)

we wish to compute $p_j(x_j,v_{j+1},\cdots ,v_n)$ for all $x_j\in \{0,1,2,3\}$ and $v_{j+1},\cdots ,v_n\in \{0,1\}$. Based on the induction hypothesis, assuming that we have computed $p_{j-1}(x_{j-1},v_j,\cdots ,v_n)$ for all $x_{j-1}\in \{0,1,2,3\}$ and $v_j,\cdots ,v_n\in \{0,1\}$ in time $O\left(2^{n-(j-1)}\right)$. Note that

$$p_{j-1}(X_{j-1},X_j\cdots ,X_n)=X_{j-1}·p_{j-1}(1,X_j,\cdots ,X_n)+(1-X_{j-1})·p_{j-1}(0,X_j,\cdots ,X_n),$$

(10)

since the polynomial $p_{j-1}$ is multilinear. We can express $p_j(X_j,X_{j+1},\cdots ,X_n)$ via the following:

$$\begin{array}{cc}\hfill p_j(X_j,X_{j+1},\cdots ,X_n)& =p_{j-1}(r_{j-1},X_j\cdots ,X_n)\hfill \\ \hfill & =r_{j-1}·p_{j-1}(1,X_j,\cdots ,X_n)+(1-r_{j-1})·p_{j-1}(0,X_j,\cdots ,X_n).\hfill \end{array}$$

(11)

For $x_j\in \{0,1\}$, and for $v_{j+1},\cdots ,v_n\in \{0,1\}$, we can compute the following:

$$p_j(x_j,v_{j+1},\cdots ,v_n)=r_{j-1}·p_{j-1}(1,x_j,\cdots ,v_n)+(1-r_{j-1})·p_{j-1}(0,x_j,\cdots ,v_n).$$

(12)

From the induction hypothesis, the values $p_{j-1}(1,x_j,\dots ,v_n)$ and $p_{j-1}(0,x_j,\dots ,v_n)$ have already been computed when $x_j\in \{0,1\}$. Therefore, we can obtain $p_j(x_j,v_{j+1},\dots ,v_n)$ for $x_j\in \{0,1\}$ immediately. For $x_j\in \{2,3\}$, note that

$$p_j(x_j,v_{j+1},\cdots ,v_n)=x_j·p_j(1,v_{j+1},\cdots ,v_n)+(1-x_j)·p_j(0,v_{j+1},\cdots ,v_n),$$

(13)

since $p_j$ is multilinear. Hence, we can obtain $p_j(x_j,v_{j+1},\cdots ,v_n)$ for all $x_j\in \{0,1,2,3\}$, $v_{j+1},\cdots ,v_n\in \{0,1\}$ in time $O\left(2^{n-j}\right)$.

We finish the proof by showing that in the base case, when $j=1$, the following quantities can be computed in time $O\left(2^{n-1}\right)=O\left(2^n\right)$:

$${\left\{\widehat{f}(\{0,1,2,3\},v_2,\cdots v_n)\right\}}_{v_2,\cdots v_n\in \{0,1\}}.$$

(14)

For $x_1\in \{0,1\}$, we can compute $\widehat{f}(x_1,v_2,\cdots ,v_n)$ for all $v_2,\cdots ,v_n\in \{0,1\}$ in $O\left(2^n\right)$ time based on the assumption (we can evaluate $\widehat{f}$ at all points in ${\{0,1\}}^n$ in time $O\left(2^n\right)$). For $x_1\in \{2,3\}$, we can also compute $\widehat{f}(x_1,v_2,\cdots ,v_n)$ in constant time using the following equation:

$$\widehat{f}(x_1,v_2,\cdots ,v_n)=x_1·\widehat{f}(1,v_2,\cdots ,v_n)+(1-x_1)·\widehat{f}(0,v_2,\cdots ,v_n).$$

(15)

In total, we can compute $\widehat{f}(x_1,v_2,\cdots v_n)$ for all $x_1\in \{0,1,2,3\}$ and all $v_2,v_3,\cdots ,v_n\in \{0,1\}$ in time $O\left(2^n\right)$. □

${\widehat{z}}_A\left(X\right)$, ${\widehat{z}}_B\left(X\right)$ and ${\widehat{z}}_C\left(X\right)$ satisfy the requirements of Lemma 3 because they are multilinear polynomials. To see why we can evaluate all points in ${\{0,1\}}^n$ in time $O\left(2^n\right)$, notice that $z_a,z_b,z_c$ are vectors of length $2^n$. We can consider them as three arrays of length $2^n$, so we can access any entry in time $O\left(1\right)$. Indeed, we can evaluate ${\widehat{z}}_A\left(X\right)$, ${\widehat{z}}_B\left(X\right)$, and ${\widehat{z}}_C\left(X\right)$ at any point in ${\{0,1\}}^n$ in time $O\left(1\right)$ and all points in ${\{0,1\}}^n$ in time $O\left(2^n\right)$. The polynomial $\widehat{\chi }(X,\tau )$ is also suitable for Lemma 3 from the following lemma.

Lemma 4.

Let $\tau \in {\mathbb{F}}^n$ and $\widehat{\chi }(X,Y)={\prod }_{i\in \left[n\right]}\left((1-X_i)·(1-Y_i)+X_i·Y_i\right)$. Then, we can evaluate $\widehat{\chi }(X,\tau )$ at all points in ${\{0,1\}}^n$ in time $O\left(2^n\right)$.

Proof. 

See Appendix A. □

We have demonstrated that $\widehat{\chi }(X,\tau )$, ${\widehat{z}}_A\left(X\right)$, ${\widehat{z}}_B\left(X\right)$, and ${\widehat{z}}_C\left(X\right)$ all satisfy the requirements of Lemma 3. Since $h\left(X\right)=\widehat{\chi }(X,\tau )·\left({\widehat{z}}_A\left(X\right)·{\widehat{z}}_B\left(X\right)-{\widehat{z}}_C\left(X\right)\right)$, it follows that we can evaluate $h_j\left(0\right)$, $h_j\left(1\right)$, $h_j\left(2\right)$, $h_j\left(3\right)$ in time $O\left(2^{n-j}\right)$, where

$$h_j\left(X_j\right)=\sum _{v_{j+1},\cdots ,v_n\in \{0,1\}}h(r_1,r_2,\cdots ,r_{j-1},X_j,v_{j+1},\cdots ,v_n).$$

In other words, the cost of the prover in j-th round of the SumCheck is $O\left(2^{n-j}\right)$, so the total cost of the prover in the RowCheck is ${\sum }_{j=1}^{n}O\left(2^{n-j}\right)$ = $O\left(2^n\right)=O\left(N\right)$, which is linear.

We summarize the properties of the RowCheck protocol in

Table 4. Properties of RowCheck protocol.

Round	Communication	Query	Verifier’s	Prover’s	Soundness
	Complexity	Complexity	Time	Time	Error
$O\left(\log N\right)$	$O\left(\log N\right)$	$O\left(1\right)$	$O\left(\log N\right)$	$O\left(N\right)$	${\displaystyle \frac{4\log N}{\left|\mathbb{F}\right|}}$

. The communication complexity represents the number of non-oracle elements sent by the prover, which is $O\left(n\right)=O\left(\log N\right)$ since in every round, the prover just sends 4 elements. The query complexity represents the number of queries made by the verifier to the polynomial oracles, which is 3.

3.2. LinCheck

3.2.1. Single LinCheck

Suppose $A\in {\mathbb{F}}^{N\times N}$ is a matrix, and $z,z_A\in {\mathbb{F}}^N$ are two vectors with length N. Given three polynomial oracles $\tilde{A}$, $\tilde{z}$, ${\tilde{z}}_A$, the purpose of LinCheck is for the prover to convince the verifier that $z_A=Az$. ${\tilde{z}}_A$, $\tilde{z}$ are polynomial oracles sent by the prover, and $\tilde{A}$ is a polynomial oracle provided by the indexer, which we will implement in the next section. Let $n=\log N$. We can view $z_A,z,A$ as three functions on the Boolean hypercube, namely $z_A,z:{\{0,1\}}^n\to \mathbb{F}$ and $A:{\{0,1\}}^{2n}\to \mathbb{F}$ (or $A:{\{0,1\}}^n\times {\{0,1\}}^n\to \mathbb{F}$). Let ${\widehat{z}}_A,\widehat{z},\widehat{A}$ be low-degree extensions of $z_A,z,A$. If the relation $z_A=Az$ holds, then for all $u\in {\{0,1\}}^n$, ${\widehat{z}}_A\left(u\right)={\sum }_{v\in {\{0,1\}}^n}\widehat{A}(u,v)·\widehat{z}\left(v\right)$. In other words, the polynomial ${\widehat{z}}_A\left(X\right)-{\sum }_{v\in {\{0,1\}}^n}\widehat{A}(X,v)·\widehat{z}\left(v\right)$ vanishes on the Boolean hypercube. We can utilize the ZeroTest method from the RowCheck protocol to verify this relationship. Fortunately, ZeroTest is not necessary here since ${\widehat{z}}_A\left(X\right)$ and ${\sum }_{v\in {\{0,1\}}^n}\widehat{A}(X,v)·\widehat{z}\left(v\right)$ are multilinear polynomials with an equal number of variables. If two multilinear polynomials agree on the Boolean hypercube, then they must be the same. We can apply the standard polynomial identity test to check that the polynomial relation holds; that is, sampling a random vector $r_x\leftarrow {\mathbb{F}}^n$ and checking that ${\widehat{z}}_A\left(r_x\right)={\sum }_{v\in {\{0,1\}}^n}\widehat{A}(r_x,v)·\widehat{z}\left(v\right)$. Based on the Schwartz–Zippel Lemma, if ${\widehat{z}}_A\left(X\right)\ne {\sum }_{v\in {\{0,1\}}^n}\widehat{A}(X,v)·\widehat{z}\left(v\right)$, then the test will pass with a probability of at most ${\displaystyle \frac{n}{\left|\mathbb{F}\right|}}={\displaystyle \frac{\log N}{\left|\mathbb{F}\right|}}$.

The verifier samples $r_x\leftarrow {\mathbb{F}}^n$ and queries ${\tilde{z}}_A$ at $r_x$ to obtain ${\widehat{z}}_A\left(r_x\right)$. Suppose ${\delta }_A={\widehat{z}}_A\left(r_x\right)$. Next, we can check ${\delta }_A={\sum }_{v\in {\{0,1\}}^n}\widehat{A}(r_x,v)·\widehat{z}\left(v\right)$ via the SumCheck protocol. In the last round of the SumCheck protocol, the verifier should compute $\widehat{A}(r_x,Y)·\widehat{z}\left(Y\right)$ at a random point $r_y$, which can be done by querying $\tilde{z}$ at $r_y$ to obtain $\widehat{z}\left(r_y\right)$, querying $\tilde{A}$ at $(r_x,r_y)$ to obtain $\widehat{A}(r_x,r_y)$, and computing $\widehat{A}(r_x,r_y)·\widehat{z}\left(r_y\right)$ in constant time. The round complexity of the protocol is $O\left(n\right)=O\left(\log N\right)$. The time complexity of the verifier is also $O\left(\log N\right)$ since the cost of each round is constant in the SumCheck protocol.

The polynomial $\widehat{A}(r_x,Y)·\widehat{z}\left(Y\right)$ has a maximal individual degree of 2 since $\widehat{A}(r_x,Y)$ and $\widehat{z}\left(Y\right)$ are multilinear. From Table 3, we find that the soundness of the SumCheck is ${\displaystyle \frac{2n}{\left|\mathbb{F}\right|}}$. Overall, the soundness error of the LinCheck protocol is ${\displaystyle \frac{3n}{\left|\mathbb{F}\right|}}={\displaystyle \frac{3\log N}{\left|\mathbb{F}\right|}}$ and is union bound.

Similar to the RowCheck protocol, we can utilize Lemma 3 to implement the prover in linear time. In Section 3.2.2, we will present the complete LinCheck protocol and provide the necessary details on how to achieve the linear time prover.

3.2.2. Batched LinCheck

In order to verify the R1CS relation, three LinCheck protocols are required to check that $z_A=Az$, $z_B=Bz$, and $z_C=Cz$. Namely, the verifier samples $r_x\leftarrow {\mathbb{F}}^n$ and queries ${\tilde{z}}_A,{\tilde{z}}_B,{\tilde{z}}_C$ at $r_x$ to obtain ${\widehat{z}}_A\left(r_x\right)$, ${\widehat{z}}_B\left(r_x\right)$, ${\widehat{z}}_C\left(r_x\right)$. Suppose ${\delta }_A={\widehat{z}}_A\left(r_x\right),{\delta }_B={\widehat{z}}_B\left(r_x\right),{\delta }_C={\widehat{z}}_C\left(r_x\right)$. The verifier should check the three claims “${\delta }_A={\sum }_{v\in {\{0,1\}}^n}\widehat{A}(r_x,v)·\widehat{z}\left(v\right)$”, “${\delta }_B={\sum }_{v\in {\{0,1\}}^n}\widehat{B}(r_x,v)·\widehat{z}\left(v\right)$”, and “${\delta }_C={\sum }_{v\in {\{0,1\}}^n}\widehat{C}(r_x,v)·\widehat{z}\left(v\right)$” by running three SumCheck protocols in parallel.

In this section, we present a method to merge these three LinCheck protocols into a single one. Before running the SumCheck protocol, the verifier samples three random elements $r_A,r_B,r_C\leftarrow \mathbb{F}$ and sends them to the prover. The prover and verifier run the SumCheck protocol for the following single claim:

$$\sum _{M\in \{A,B,C\}}{r}_M·{\delta }_M=\sum _{v\in {\{0,1\}}^n}\left(\sum _{M\in \{A,B,C\}}{r}_M·\widehat{M}(r_x,v)·\widehat{z}\left(v\right)\right).$$

(16)

We describe the batched LinCheck protocol as follows:

Protocol 3.

Batched LinCheck Protocol:

Inputs.

• Prover’s input:

  −

  Four vectors $z,z_A,z_B,z_C\in {\mathbb{F}}^N$, three matrices $A,B,C\in {\mathbb{F}}^{N\times N}$.

• Verifier’s input:

  −

  Four polynomial oracles $\tilde{z},{\tilde{z}}_A$, ${\tilde{z}}_B$, ${\tilde{z}}_C$ provided by the prover.

  −

  Three polynomial oracles $\tilde{A},\tilde{B},\tilde{C}$ provided by the indexer.

Goal.

• The prover convinces the verifier that $z_A=Az$, $z_B=Bz$ and $z_C=Cz$.

The protocol:

1. 

The verifier samples $r_x\leftarrow {\mathbb{F}}^n$ and queries ${\tilde{z}}_A,{\tilde{z}}_B,{\tilde{z}}_C$ at $r_x$. Suppose the return values are ${\delta }_A$, ${\delta }_B$ and ${\delta }_C$.

2. 

The verifier samples $r_A,r_B,r_C\leftarrow \mathbb{F}$, and sends them to the prover.

3. 

The prover and verifier run the SumCheck protocol for the following claim:

$$\sum _{M\in \{A,B,C\}}{r}_M·{\delta }_M=\sum _{v\in {\{0,1\}}^n}\left(\sum _{M\in \{A,B,C\}}{r}_M·\widehat{M}(r_x,v)·\widehat{z}\left(v\right)\right).$$

The following lemma states that combining the three LinCheck protocols into one protocol would increase the soundness error by ${\displaystyle \frac{1}{\left|\mathbb{F}\right|}}$.

Lemma 5.

Suppose ${\delta }_M\ne {\sum }_{v\in {\{0,1\}}^n}\widehat{M}(r_x,v)·\widehat{z}\left(v\right)$ for some $M\in \{A,B,C\}$, and $r_A,r_B,r_C$ are sampled uniformly random from $\mathbb{F}$. Then, the equation

$$\sum _{M\in \{A,B,C\}}{r}_M·{\delta }_M=\sum _{v\in {\{0,1\}}^n}\left(\sum _{M\in \{A,B,C\}}{r}_M·\widehat{M}(r_x,v)·\widehat{z}\left(v\right)\right)$$

holds with probability at most ${\displaystyle \frac{1}{\left|\mathbb{F}\right|}}$.

Proof. 

Without loss of generality, assuming that ${\delta }_A\ne {\sum }_{v\in {\{0,1\}}^n}\widehat{A}(r_x,v)·\widehat{z}\left(v\right)$, then

$$\begin{array}{cc}\hfill \left({\delta }_A-\sum _{v\in {\{0,1\}}^n}\widehat{A}(r_x,v)·\widehat{z}\left(v\right)\right)·X_1& +\left({\delta }_B-\sum _{v\in {\{0,1\}}^n}\widehat{B}(r_x,v)·\widehat{z}\left(v\right)\right)·X_2\hfill \\ \hfill & +\left({\delta }_C-\sum _{v\in {\{0,1\}}^n}\widehat{C}(r_x,v)·\widehat{z}\left(v\right)\right)·X_3\hfill \end{array}$$

is a non-zero polynomial with three variables and total degree 1. The result follows immediately from the Schwartz–Zippel Lemma. □

Now, we analyze the soundness error of the batched LinCheck protocol.

Lemma 6.

Suppose $z_A\ne Az$ or $z_B\ne Bz$ or $z_C\ne Cz$. Then, in the Batched LinCheck protocol, the verifier accepts with probability at most ${\displaystyle \frac{1+3n}{\left|\mathbb{F}\right|}}={\displaystyle \frac{1+3\log N}{\left|\mathbb{F}\right|}}$.

Proof. 

See Appendix B. □

In the last round of the SumCheck protocol, the verifier should compute ${\sum }_{M\in \{A,B,C\}}{r}_M·\widehat{M}(r_x,Y)·\widehat{z}\left(Y\right)$ at a random point $r_y\in {\mathbb{F}}^n$, which can be done by querying $\widehat{z}$ at $r_y$, querying $\widehat{A}$, $\widehat{B}$, $\widehat{C}$ at $(r_x,r_y)$, and computing $\widehat{M}(r_x,r_y)·\widehat{z}\left(r_y\right)$ for all $M\in \{A,B,C\}$ in constant time. The round complexity of the protocol is $O\left(n\right)=O\left(\log N\right)$. The time complexity of the verifier is also $O\left(\log N\right)$ since the cost of each round of the SumCheck protocol is constant.

We will show that we can implement the prover in linear time in the batched LinCheck protocol. The main cost of the protocol is running the SumCheck protocol for the claim

$$\sum _{M\in \{A,B,C\}}{r}_M·{\delta }_M=\sum _{v\in {\{0,1\}}^n}\left(\sum _{M\in \{A,B,C\}}{r}_M·\widehat{M}(r_x,v)·\widehat{z}\left(v\right)\right).$$

Let $P\left(Y\right)={\sum }_{M\in \{A,B,C\}}{r}_M·\widehat{M}(r_x,Y)·\widehat{z}\left(Y\right)$. Tn the j-th round of the SumCheck protocol, since the individual degree of $P\left(Y\right)$ is 2, the prover should compute $P_j\left(0\right)$, $P_j\left(1\right)$, $P_j\left(2\right)$ and send them to the verifier, where $P_j\left(Y_j\right)={\sum }_{v_{j+1},\cdots ,v_n\in \{0,1\}}P(r_{y,1},\cdots r_{y,j-1},Y_j,v_{j+1},\cdots ,v_n)$ and $r_{y,1},\cdots r_{y,j-1}$ are uniformly random elements sampled from $\mathbb{F}$ by the verifier. Similar to the RowCheck protocol, we can show that the prover can evaluate $P_j\left(0\right)$, $P_j\left(1\right)$ and $P_j\left(2\right)$ in $O\left(2^{n-j}\right)$ time from Lemma 3. Without loss of generality, it is sufficient to show that the following quantities can be computed in $O\left(2^{n-j}\right)$ time:

$${\left\{\widehat{A}(r_x,r_{y,1},\cdots r_{y,j-1},\{0,1,2\},v_{j+1},\cdots ,v_n)\right\}}_{v_{j+1},\cdots ,v_n\in \{0,1\}}$$

(17)

and

$${\left\{\widehat{z}(r_{y,1},\cdots r_{y,j-1},\{0,1,2\},v_{j+1},\cdots ,v_n)\right\}}_{v_{j+1},\cdots ,v_n\in \{0,1\}},$$

(18)

where $r_x\in {\mathbb{F}}^n$ is a uniformly random vector, and $r_{y,1},\cdots ,r_{y,j-1}\in \mathbb{F}$ are uniformly random elements in $\mathbb{F}$. For quantities (18), we can apply Lemma 3 directly since $\widehat{z}$ is multilinear and the prover knows all evaluations of $\widehat{z}\left(v\right)$ for all $v\in {\{0,1\}}^n$ ($\widehat{z}\left(v\right)=z\left(v\right)$ for all $z\in \{0,1\}$). To apply Lemma 3, we need to prove the following lemma, which is similar to Lemma 4.

Lemma 7.

Let $r_x\in \mathbb{F}$, and $\widehat{A}(X,Y):{\mathbb{F}}^{2n}\to \mathbb{F}$ is the multilinear extension of matrix A. Then, we can evaluate $\widehat{A}(r_x,Y)$ at all points in ${\{0,1\}}^n$ in time $O\left(2^n\right)$.

Proof. 

See Appendix C. □

From Lemma 7, we can apply Lemma 3 to the polynomial $\widehat{A}(r_x,Y)$, and the quantities (17) can be computed in $O\left(2^{n-j}\right)$ time. Therefore, in the j-th round of the SumCheck in the batched LinCheck protocol, the prover can be implemented in time $O\left(2^{n-j}\right)$. In total, the prover time in the batched LinCheck protocol is ${\sum }_{j=1}^{n}O\left(2^{n-j}\right)=O\left(2^n\right)=O\left(N\right)$.

We summarize the properties of the batched LinCheck in the

Table 5. Properties of batched LinCheck protocol.

Round	Communication	Query	Verifier’s	Prover’s	Soundness
	Complexity	Complexity	Time	Time	Error
$O\left(\log N\right)$	$O\left(\log N\right)$	$O\left(1\right)$	$O\left(\log N\right)$	$O\left(N\right)$	${\displaystyle \frac{1+3\log N}{\left|\mathbb{F}\right|}}$

below, where N represents the size of matrix $A,B,C$ and vector z. The communication complexity represents the number of non-oracle elements sent by the prover, which is $O\left(n\right)=O\left(\log N\right)$ since in every round, the prover just sends 3 elements. The verifier should query ${\widehat{z}}_A$, ${\widehat{z}}_B$, ${\widehat{z}}_C$ at $r_x$, query $\widehat{z}$ at $r_y$, and query $\widehat{A}$, $\widehat{B}$, $\widehat{C}$ at $(r_x,r_y)$. Therefore, the query complexity is 7.

3.3. ConsistencyCheck

Suppose $z\in {\mathbb{F}}^N$ is a vector of length N, and $x\in {\mathbb{F}}^{N_{in}}$ is a vector of length $N_{in}$. Given a polynomial oracle $\tilde{z}$ and a vector x, the purpose of ConsistencyCheck is for the prover to convince the verifier that the first $N_{in}$ elements of z are exactly x. Let $n=\log N$, $n_{in}=\log N_{in}$. We can view $z,x$ as two functions on the Boolean hypercube, namely $z:{\{0,1\}}^n\to \mathbb{F}$ and $x:{\{0,1\}}^{n_{in}}\to \mathbb{F}$. Let $\widehat{z},\widehat{x}$ be low-degree extensions of $z,x$. If the first $N_{in}$ elements of z are exactly x, then for all $v\in 0^{n-n_{in}}\times {\{0,1\}}^{n_{in}}$ ($v=(0,\cdots ,0,v_1,\cdots ,v_{n_{in}})$), we have $\widehat{z}\left(v\right)=\widehat{x}\left(v^{\prime }\right)$, where $v^{\prime }=(v_1,\cdots ,v_{n_{in}})\in {\{0,1\}}^{n_{in}}$. Therefore, the following polynomial identity holds:

$$\widehat{z}(0,\cdots ,0,X_1,\cdots ,X_{n_{in}})=\widehat{x}(X_1,\cdots ,X_{n_{in}}).$$

(19)

The verifier samples a random $r\in {\mathbb{F}}^{n_{in}}$ and checks that

$$\widehat{z}(0,\cdots ,0,r_1,\cdots ,r_{n_{in}})=\widehat{x}(r_1,\cdots ,r_{n_{in}}).$$

(20)

Based on the Schwartz–Zippel Lemma, if Equation (19) does not hold, then the verifier will accept it with a probability of at most ${\displaystyle \frac{n_{in}}{\left|\mathbb{F}\right|}}={\displaystyle \frac{\log N_{in}}{\left|\mathbb{F}\right|}}$ since both sides are multilinear polynomial with $N_{in}$ variables. Note that the prover does not need to do anything in this protocol. The verifier should query the oracle $\tilde{z}$ at point $(0,\cdots ,0,r_1,\cdots ,r_{n_{in}})$ and compute $\widehat{x}(r_1,\cdots ,r_{n_{in}})$, which takes time $O\left(N_{in}\right)$. We summarize the properties of the ConsistencyCheck protocol in the

Table 6. Properties of the ConsistencyCheck protocol.

Round	Communication	Query	Verifier’s	Prover’s	Soundness
	Complexity	Complexity	Time	Time	Error
0	0	$O\left(1\right)$	$O\left(N_{in}\right)$	$O\left(N_{in}\right)$	${\displaystyle \frac{\log N_{in}}{\left|\mathbb{F}\right|}}$

below, where $N_{in}=\left|x\right|$ represents the size of x.

3.4. Polynomial IOP for R1CS

We provide a comprehensive description of the polynomial IOP for R1CS by combining the RowCheck, LinCheck, and ConsistencyCheck protocols. In the context of this section, we assume that the indexer, who prepares the R1CS index $A,B,C\in {\mathbb{F}}^{N\times N}$, has already sent three polynomial oracles $\tilde{A}$, $\tilde{B}$ and $\tilde{C}$ to the verifier before the interaction between the prover and the verifier. The verifier can query $\tilde{A}$, $\tilde{B}$ and $\tilde{C}$ at any points $(r_x,r_y)\in {\mathbb{F}}^{2n}$ to obtain $\widehat{A}(r_x,r_y)$, $\widehat{B}(r_x,r_y)$ and $\widehat{C}(r_x,r_y)$, where $\widehat{A}$, $\widehat{B}$ and $\widehat{C}$ are multilinear extensions of A, B, and C. We describe the polynomial IOP for R1CS as follows:

Protocol 4.

Polynomial IOP for R1CS:

Inputs.

• Prover’s input:

  −

  Three matrices $A,B,C\in {\mathbb{F}}^{N\times N}$.

  −

  A vector $x\in {\mathbb{F}}^{N_{in}}$, a vector $w\in {\mathbb{F}}^{N-N_{in}}$.

• Verifier’s input:

  −

  Three polynomial oracles $\tilde{A},\tilde{B}$, $\tilde{C}$ provided by the indexer.

  −

  A vector $x\in {\mathbb{F}}^{N_{in}}$.

Goal.

• Let $z=(x,w)\in {\mathbb{F}}^N$. The prover convinces the verifier that $Az\circ Bz=Cz$, where ∘ denotes the pairwise product.

The protocol:

1. 

The prover computes $z_A=Az$, $z_B=Bz$, $z_C=Cz$ and sends four polynomial oracles $\tilde{z}$, $\widetilde{z_A}$, $\widetilde{z_B}$, $\widetilde{z_C}$ to the verifier.

2. 

The prover and verifier run the RowCheck protocol (Protocol 2) to check that $z_A\circ z_B=z_C$.

3. 

The prover and verifier run the batched LinCheck protocol (Protocol 3) to check that $z_A=Az$, $z_B=Bz$, and $z_C=Cz$.

4. 

The prover and verifier run the ConsistencyCheck protocol to check that the first $N_{in}$ elements of z are exactly x.

The round complexity, communication complexity, query complexity, and the cost of the prover and verifier of this protocol are from Table 4, Table 5 and Table 6. For all matrices $U\in \{A,B,C\}$, it is worth noting that they are sparse matrices, meaning that there are only a limited number of non-zero elements in each matrix. Specifically, there are only $O\left(N\right)$ non-zero elements in each matrix. Consequently, the cost for computing the matrix–vector product $z_U=Uz$ for each U is $O\left(N\right)$. For the soundness error of the protocol, we present the following lemma.

Lemma 8.

Let ${\mathcal{R}}_{R1CS}$ be the indexed R1CS relation and $\mathcal{L}\left({\mathcal{R}}_{R1CS}\right)$ be the corresponding $\mathcal{NP}$ language. If $(\mathbb{i},\mathbb{x})\notin \mathcal{L}\left({\mathcal{R}}_{R1CS}\right)$, then for any prover, the verifier accepts with probability at most ${\displaystyle \frac{4\log N}{\left|\mathbb{F}\right|}}$.

Proof. 

Since $(\mathbb{i},\mathbb{x})\notin {\mathcal{L}}_{\mathcal{R}}$, there is no $\mathbb{w}$ such that $(\mathbb{i},\mathbb{x},\mathbb{w})\in {\mathcal{R}}_{R1CS}$. In the context of the R1CS relation, there is no $w\in {\mathbb{F}}^{N_{in}}$ such that $Az\circ Bz=Cz$, where $z=(x,w)\in {\mathbb{F}}^N$.

Fix a malicious prover and suppose the four polynomial oracles sent by the prover are ${\tilde{z}}^{\ast },{\tilde{z}}_A^{\ast },{\tilde{z}}_B^{\ast },{\tilde{z}}_C^{\ast }$, and the corresponding vectors are $z^{\ast },z_A^{\ast },z_B^{\ast },z_C^{\ast }$. Then, one of the following conditions must hold:

• $z_A^{\ast }\circ z_B^{\ast }\ne z_C^{\ast }$. Based on the soundness error of the RowCheck protocol (Protocol 2) from Table 4, the verifier will accept it with a probability of at most ${\displaystyle \frac{4\log N}{\left|\mathbb{F}\right|}}$.
• $z_M^{\ast }\ne Mz$ for some $M\in \{A,B,C\}$. Based on the soundness error of the batched LinCheck protocol (Protocol 3) from Table 5, the verifier will accept it with a probability of at most ${\displaystyle \frac{1+3\log N}{\left|\mathbb{F}\right|}}$.
• $z^{\ast }$ is not consistent with the vector x. Based on the soundness error of the ConsistencyCheck protocol from Table 6, the verifier will accept it with a probability of at most ${\displaystyle \frac{\log N_{in}}{\left|\mathbb{F}\right|}}$.

Therefore, the verifier will accept it with a probability of at most $max\{{\displaystyle \frac{4\log N}{\left|\mathbb{F}\right|}},{\displaystyle \frac{1+3\log N}{\left|\mathbb{F}\right|}},$${\displaystyle \frac{\log N_{in}}{\left|\mathbb{F}\right|}}\}={\displaystyle \frac{4\log N}{\left|\mathbb{F}\right|}}$.

If the three conditions mentioned above do not hold—specifically, if $z_A^{\ast }\circ z_B^{\ast }=z_C^{\ast }$, $z_M^{\ast }=Mz$ for all $M\in \{A,B,C\}$, and $z^{\ast }$ is consistent with the vector x—then we can consider taking $w^{\ast }$ as the last $N-N_{in}$ elements of $z^{\ast }$. In this case, it holds that $((A,B,C),x,w^{\ast })\in {\mathcal{R}}_{R1CS}$, which contradicts our initial assumption. □

We summarize the properties of the polynomial IOP for the R1CS protocol in the

Table 7. Properties of the polynomial IOP for R1CS.

Round	Communication	Query	Verifier’s	Prover’s	Soundness
	Complexity	Complexity	Time	Time	Error
$O\left(\log N\right)$	$O\left(\log N\right)$	$O\left(1\right)$	$O(\log N+N_{in})$	$O\left(N\right)$	${\displaystyle \frac{4\log N}{\left|\mathbb{F}\right|}}$

below. It should be noted that the logarithmic verification of the protocol is based on the assumption that the indexer has already sent the three polynomial oracles $\tilde{A}$, $\tilde{B}$ and $\tilde{C}$ to the verifier.

4. Achieving Holography

In the holographic setting [13,29], we divide the protocol into two parts: an offline phase that produces an encoding of the circuit by the deterministic indexer, and an online phase that checks that the $\mathcal{NP}$ relation holds via interactions between the prover and verifier. We have finished the description of the online phase in Section 3, except that we assume that the indexer has completed the preprocessing task and has sent three polynomial oracles $\tilde{A}$, $\tilde{B}$, $\tilde{C}$ to the verifier. The verifier can query these oracles at any points $(r_x,r_y)\in {\mathbb{F}}^{2n}$ to obtain $\widehat{A}(r_x,r_y)$, $\widehat{B}(r_x,r_y)$ and $\widehat{C}(r_x,r_y)$. Without these oracles, in the final round of the LinCheck protocol, the verifier should evaluate the polynomial $\widehat{A},\widehat{B},\widehat{C}$ at a random point $(r_x,r_y)$, which costs at least $O\left(2^n\right)=O\left(N\right)$ time, even if the matrices are sparse ($O\left(N\right)$ non-zero elements for each matrix). In this section, we will demonstrate the implementation of the indexer. We provide a deterministic algorithm for preprocessing the circuit during the offline phase. Next, we will modify the verifier’s method of computing $\widehat{U}(r_x,r_y)$ for all $U\in \{A,B,C\}$ in the online phase.

In the R1CS instance, we represent the circuit by three matrices, A, B, and C of size $N\times N$. The simplest approach is to send the three polynomial oracles $\tilde{A}$, $\tilde{B}$, and $\tilde{C}$ directly. Indeed, due to the size of these matrices being $N^2$, even when using the fastest available polynomial commitment scheme, the time complexity of the committer will not be lower than $O\left(N^2\right)$. Remember that in the R1CS instance, for all $U\in \{A,B,C\}$, U is a sparse matrix, i.e., the number of non-zero elements in U is $O\left(N\right)$. Therefore, the multilinear extension $\widehat{U}$ of U is sparse, i.e, there are only $O\left(N\right)$ non-zero coefficients in the polynomial $\widehat{U}$. Let $n=\log N$; $\widehat{U}$ is a multiliear polynomial with $2n$ variables. To construct a linear-time ($O\left(N\right)$ time) prover SNARK, we aim to represent the $2n$-variate polynomial $\widehat{U}(X,Y)$ using a set of $O\left(n\right)$-variate polynomials for all $U\in \{A,B,C\}$.

We will implement the algorithm for the indexer in Section 4.1, and we will show how to represent the $2n$-variate polynomial $\widehat{U}(X,Y)$ using a set of $O\left(n\right)$-variate polynomials. The indexer will send these polynomial oracles to the verifier in the offline phase. As mentioned before, for all $U\in \{A,B,C\}$, the verifier should compute $\widehat{U}(r_x,r_y)$ in the LinCheck protocol. In the actual protocol, the value $\widehat{U}(r_x,r_y)$ is provided by the prover. Suppose the prover sends a value ${\gamma }_U$ and claims that ${\gamma }_U=\widehat{U}(r_x,r_y)$. In Section 4.2, we will present a protocol for verifying the condition ${\gamma }_U=\widehat{U}(r_x,r_y)$. We demonstrate that this condition can be checked using the lookup protocol [43,44], which enables the prover to convince the verifier that all elements in one vector, $v_1$, are contained within another vector, $v_2$. However, the classical lookup protocol proposed by Gabizon and Williamson [44] is not suitable for our purposes because their prover’s cost is quasilinear, whereas we require the prover to operate in strictly linear time. Therefore, in Section 4.3, we will introduce a new polynomial IOP specifically designed for the lookup condition. This protocol will meet our requirement of linear time implementation for the prover.

4.1. Offline Phase

The index $\mathbb{i}$ consists of three matrices, A, B, and C. The encoding scheme used in our work is derived from Marlin [13] and Zhang et al.’s work [31], but their constructions support univariate polynomials, whereas we are using multivariate polynomials.

We describe the algorithm of the indexer. The input of the indexer is the index $\mathbb{i}=(A,B,C)$, where $A,B,C\in {\mathbb{F}}^{N\times N}$. Similar to Marlin, for all $U\in \{A,B,C\}$, we assume that the non-zero elements of U are presented in some canonical order (e.g., row-wise or column-wise). Let $\left|\right|U\left|\right|$ be the number of non-zero elements of matrix U; note that $\left|\right|U\left|\right|=O\left(N\right)$. Let m be the smallest integer such that $2^m\ge max\left\{\left|\right|A\left|\right|,\left|\right|B\left|\right|,\left|\right|C\left|\right|\right\}$, and let $M=2^m$. Note that $M=O\left(N\right)$ since all matrices are sparse. For all $U\in \{A,B,C\}$, we define ${\mathbf{val}}_U:{\{0,1\}}^m\to \mathbb{F}$ such that ${\mathbf{val}}_U\left(k\right)=k$-th non-zero element of U if $0\le k<\left|\right|U\left|\right|$ (we start the index from 0), and ${\mathbf{val}}_U\left(k\right)=0$ if $k\ge \left|\right|U\left|\right|$. Let $\varphi :{\{0,1\}}^n\to \mathbb{F}$ be a canonical injection from ${\{0,1\}}^n$ to $\mathbb{F}$ and ${\varphi }^{-1}$ be its inverse, where $n=\log N$. For $k\in {\{0,1\}}^m$ with $0\le k<\left|\right|U\left|\right|$, let $R_k$ ($C_k$) be the row (column) index of the k-th non-zero entry in U (note that $R_k,C_k\in {\{0,1\}}^n$). Define two functions ${\mathbf{row}}_U$, ${\mathbf{col}}_U:{\{0,1\}}^m\to \mathbb{F}$ such that ${\mathbf{row}}_U\left(k\right)=\varphi \left(R_k\right)$, ${\mathbf{col}}_U\left(k\right)=\varphi \left(C_k\right)$ if $0\le k<\left|\right|U\left|\right|$, and let ${\mathbf{row}}_U\left(k\right)$, ${\mathbf{col}}_U\left(k\right)$ be 0 if $k\ge \left|\right|U\left|\right|$. Let ${\widehat{\mathbf{val}}}_U$, ${\widehat{\mathbf{row}}}_U$, ${\widehat{\mathbf{col}}}_U:{\mathbb{F}}^m\to \mathbb{F}$ be the multilinear extension of ${\mathbf{val}}_U$, ${\mathbf{row}}_U$, ${\mathbf{col}}_U$. The following lemma states that the multilinear extension of U can be computed from ${\widehat{\mathbf{val}}}_U$, ${\widehat{\mathbf{row}}}_U$, ${\widehat{\mathbf{col}}}_U$.

Lemma 9.

Let $\widehat{U}(X,Y)={\sum }_{k\in {\{0,1\}}^m}\widehat{\chi }(X,{\varphi }^{-1}\left({\widehat{\mathbf{row}}}_U\left(k\right)\right))·\widehat{\chi }(Y,{\varphi }^{-1}\left({\widehat{\mathbf{col}}}_U\left(k\right)\right))·{\widehat{\mathbf{val}}}_U\left(k\right)$, where $\widehat{\chi }(X,Y)={\prod }_{i\in \left[n\right]}\left((1-X_i)·(1-Y_i)+X_i·Y_i\right)$. Then, the following two properties hold:

• $\forall (x,y)\in {\{0,1\}}^n\times {\{0,1\}}^n$, $\widehat{U}(x,y)=U(x,y)$,
• $\widehat{U}(X,Y)$ is multilinear.

These two properties imply that $\widehat{U}$ is the multilinear extension of U.

Proof. 

From the definition of $\widehat{U}(X,Y)$, we know it is a multilinear polynomial, since $\widehat{\chi }$ is multilinear. For any $(x,y)\in {\{0,1\}}^n\times {\{0,1\}}^n$, it holds that $\widehat{\chi }(x,y)=1$ if $x=y$ and $\widehat{\chi }(x,y)=0$ if $x\ne y$. Therefore, $\widehat{\chi }(x,{\varphi }^{-1}\left({\widehat{\mathbf{row}}}_U\left(k\right)\right))\ne 0$ if and only if $x={\varphi }^{-1}\left({\widehat{\mathbf{row}}}_U\left(k\right)\right)$. Similarly, $\widehat{\chi }(y,{\varphi }^{-1}\left({\widehat{\mathbf{col}}}_U\left(k\right)\right))\ne 0$ if and only if $y={\varphi }^{-1}\left({\widehat{\mathbf{col}}}_U\left(k\right)\right)$. It follows that for all $(x,y)\in {\{0,1\}}^n\times {\{0,1\}}^n$:

• if $U(x,y)$ is the $k^{\ast }$-th non-zero entry of U, then ${\widehat{\mathbf{row}}}_U\left(k^{\ast }\right)=\varphi \left(x\right)$ and ${\widehat{\mathbf{col}}}_U\left(k^{\ast }\right)=\varphi \left(y\right)$, i.e., ${\varphi }^{-1}\left({\widehat{\mathbf{row}}}_U\left(k^{\ast }\right)\right)=x$ and ${\varphi }^{-1}\left({\widehat{\mathbf{col}}}_U\left(k^{\ast }\right)\right)=y$. Therefore,

  $$\begin{array}{cc}\hfill \widehat{U}(x,y)& =\sum _{k\in {\{0,1\}}^m}\widehat{\chi }(x,{\varphi }^{-1}\left({\widehat{\mathbf{row}}}_U\left(k^{\ast }\right)\right))·\widehat{\chi }(y,{\varphi }^{-1}\left({\widehat{\mathbf{col}}}_U\left(k^{\ast }\right)\right))·{\widehat{\mathbf{val}}}_U\left(k^{\ast }\right)\hfill \\ \hfill & =\widehat{\chi }(x,{\varphi }^{-1}\left({\widehat{\mathbf{row}}}_U\left(k^{\ast }\right)\right))·\widehat{\chi }(y,{\varphi }^{-1}\left({\widehat{\mathbf{col}}}_U\left(k^{\ast }\right)\right))·{\widehat{\mathbf{val}}}_U\left(k^{\ast }\right)\hfill \\ \hfill & ={\widehat{\mathbf{val}}}_U\left(k^{\ast }\right)={\mathbf{val}}_U\left(k^{\ast }\right)\hfill \\ \hfill & =k^{\ast }\text{-}\mathrm{th}\mathrm{non}\text{-}\mathrm{zero}\mathrm{entry}\mathrm{in}U=U(x,y).\hfill \end{array}$$

  (21)
• if $U(x,y)=0$, then $\widehat{U}(x,y)$ is also 0. Otherwise, if $\widehat{U}(x,y)\ne 0$, then there exists a $k^{\ast }\in {\{0,1\}}^m$ such that $\widehat{\chi }(x,{\varphi }^{-1}\left({\widehat{\mathbf{row}}}_U\left(k^{\ast }\right)\right))=1$, $\widehat{\chi }(y,{\varphi }^{-1}\left({\widehat{\mathbf{col}}}_U\left(k^{\ast }\right)\right))=1$ and ${\widehat{\mathbf{val}}}_U\left(k^{\ast }\right)\ne 0$. This implies that $U(x,y)$ is the $k^{\ast }$-th non-zero entry in U, which contradicts our assumption.

□

The indexer sends the 10 functions ${\mathbf{val}}_U$, ${\mathbf{row}}_U$, ${\mathbf{col}}_U:{\{0,1\}}^m\to \mathbb{F}$ for all $U\in \{A,B,C\}$ and $\varphi :{\{0,1\}}^n\to \mathbb{F}$ to the prover (we can view these functions as vectors of length $2^m$ or $2^n$) and sends ten polynomial oracles ${\widetilde{\mathbf{val}}}_U$, ${\widetilde{\mathbf{row}}}_U$, ${\widetilde{\mathbf{col}}}_U$ for all $U\in \{A,B,C\}$ and $\tilde{\varphi }$ to the verifier. The verifier can query ${\widetilde{\mathbf{val}}}_U$, ${\widetilde{\mathbf{row}}}_U$, ${\widetilde{\mathbf{col}}}_U$ at any point $r\in {\mathbb{F}}^m$ to obtain ${\widehat{\mathbf{row}}}_U\left(r\right)$, ${\widehat{\mathbf{col}}}_U\left(r\right)$, ${\widehat{\mathbf{val}}}_U\left(r\right)$ and query $\tilde{\varphi }$ at any point $r\in {\mathbb{F}}^n$ to obtain $\widehat{\varphi }\left(r\right)$. The cost of the indexer is $O\left(M\right)=O\left(N\right)$ since there are at most $O\left(N\right)$ non-zero elements in each matrix. We describe the offline phase as follows:

Protocol 5.

Offline Phase for Encoding the Circuit:

Inputs.

• Indexer’s input:

  −

  Three matrices $A,B,C\in {\mathbb{F}}^{N\times N}$. (Assume that the non-zero elements of each matrix are presented in some canonical order.)

Goal.

• The indexer sends ten functions (vectors) ${\left\{{\mathbf{val}}_U,{\mathbf{row}}_U,{\mathbf{col}}_U\right\}}_{U\in \{A,B,C\}}$ and ϕ to the prover and sends ten polynomial oracles ${\left\{{\widetilde{\mathbf{val}}}_U,{\widetilde{\mathbf{row}}}_U,{\widetilde{\mathbf{col}}}_U\right\}}_{U\in \{A,B,C\}}$ and $\tilde{\varphi }$ to the verifier.

The protocol:

• The indexer specifies a canonical injection $\varphi :{\{0,1\}}^n\to \mathbb{F}$.
• The indexer find m such that m is the smallest integer such that $2^m\ge \{A,B,C\}$, and let $M=2^m$. Then, for all $U\in \{A,B,C\}$, we perform the following step:

  1. 

  Initial three vectors ${\mathbf{val}}_U,{\mathbf{row}}_U,{\mathbf{col}}_U$ with length M.

  2 

  For $0\le k<\left|\right|U\left|\right|$:

  (a) 

  Suppose that $R_k$ ($C_k$) is the row (column) index of the k-th non-zero entry in U.

  (b) 

  Set ${\mathbf{val}}_U\left(k\right)=U(R_k,C_k)$, ${\mathbf{row}}_U\left(k\right)=\varphi \left(R_k\right)$, ${\mathbf{col}}_U\left(k\right)=\varphi \left(C_k\right)$.

  3. 

  For $\left|\right|U\left|\right|\le k<M-1$:

  (a) 

  Set ${\mathbf{val}}_U\left(k\right)={\mathbf{row}}_U\left(k\right)={\mathbf{col}}_U\left(k\right)=0$.

• The indexer sends ten functions (vectors) ${\left\{{\mathbf{val}}_U,{\mathbf{row}}_U,{\mathbf{col}}_U\right\}}_{U\in \{A,B,C\}}$ and ϕ to the prover.
• The indexer sends ten polynomial oracles ${\left\{{\widetilde{\mathbf{val}}}_U,{\widetilde{\mathbf{row}}}_U,{\widetilde{\mathbf{col}}}_U\right\}}_{U\in \{A,B,C\}}$ and $\tilde{\varphi }$ to the verifier.

4.2. Online Phase

In Section 3.2, we assume that the indexer has provided the three polynomial oracles $\tilde{A},\tilde{B},\tilde{C}$. The verifier can query these oracles to obtain $\widehat{A}$, $\widehat{B}$, $\widehat{C}$ at any point. However, in the actual protocol, the indexer provides ten polynomial oracles ${\widetilde{\mathbf{val}}}_U$, ${\widetilde{\mathbf{row}}}_U$, ${\widetilde{\mathbf{col}}}_U$ for all $U\in \{A,B,C\}$ and $\tilde{\varphi }$. Remember that in the last round of the batched LinCheck protocol, the verifier should evaluate $\widehat{A},\widehat{B},\widehat{C}$ at a random point $(r_x,r_y)$. In the actual protocol, we delegate the task of computing $\widehat{U}(r_x,r_y)$ for all $U\in \{A,B,C\}$ to the prover. We then verify the validity of the evaluation using the SumCheck protocol and the polynomial oracles provided by the indexer.

In the batched LinCheck protocol, the verifier samples two random vectors $r_x,r_y\in {\mathbb{F}}^n$. These vectors are chosen randomly and independently by the verifier. At the end of the protocol, the verifier sends these vectors to the prover. Suppose the prover responds with ${\gamma }_U$ and claims that ${\gamma }_U=\widehat{U}(r_x,r_y)$. For all $U\in \{A,B,C\}$, the verifier should check that the provided values are indeed correct. From Lemma 9, we know that

$${\gamma }_U=\widehat{U}(r_x,r_y)=\sum _{k\in {\{0,1\}}^m}\widehat{\chi }(r_x,{\varphi }^{-1}\left({\widehat{\mathbf{row}}}_U\left(k\right)\right))·\widehat{\chi }(r_y,{\varphi }^{-1}\left({\widehat{\mathbf{col}}}_U\left(k\right)\right))·{\widehat{\mathbf{val}}}_U\left(k\right).$$

(22)

At first glance, the SumCheck protocol seems suitable for checking this equation, and it is indeed employed in the Marlin protocol [13] using univariate polynomials. However, a potential challenge arises in the last round of the SumCheck protocol when the verifier needs to compute ${\varphi }^{-1}\left({\widehat{\mathbf{row}}}_U\left(r_k\right)\right)$ for a random vector $r_k\in {\mathbb{F}}^m$. The function ${\varphi }^{-1}$ may not be defined for ${\widehat{\mathbf{row}}}_U\left(r_k\right)$ if $r_k$ does not belong to the binary domain ${\{0,1\}}^m$, as the corresponding ${\widehat{\mathbf{row}}}_U\left(r_k\right)$ might not fall within the range of the mapping $\varphi :{\{0,1\}}^n\to \mathbb{F}$. Furthermore, it should be noted that the function ${\varphi }^{-1}$ is not a polynomial. Consequently, we cannot directly apply the SumCheck protocol to verify Equation (22).

To address this issue, we define two functions $P_{rx},P_{ry}:{\{0,1\}}^m\to \mathbb{F}$ such that for all $k\in {\{0,1\}}^m$,

• $P_{rx}\left(k\right)=\widehat{\chi }(r_x,{\varphi }^{-1}\left({\widehat{\mathbf{row}}}_U\left(k\right)\right))=\widehat{\chi }(r_x,{\varphi }^{-1}\left({\mathbf{row}}_U\left(k\right)\right))$,
• $P_{ry}\left(k\right)=\widehat{\chi }(r_y,{\varphi }^{-1}\left({\widehat{\mathbf{col}}}_U\left(k\right)\right))=\widehat{\chi }(r_x,{\varphi }^{-1}\left({\mathbf{col}}_U\left(k\right)\right))$.

Let ${\widehat{P}}_{rx},{\widehat{P}}_{ry}:{\mathbb{F}}^m\to \mathbb{F}$ be the multilinear extension of $P_{rx},P_{ry}$. The prover sends the polynomial oracles ${\tilde{P}}_{rx},{\tilde{P}}_{ry}$. Then, the prover and verifier run the SumCheck protocol for the following claim:

$${\gamma }_U=\sum _{k\in {\{0,1\}}^m}{\widehat{P}}_{rx}\left(k\right)·{\widehat{P}}_{ry}\left(k\right)·{\widehat{\mathbf{val}}}_U\left(k\right).$$

(23)

The polynomials ${\widehat{P}}_{rx}$, ${\widehat{P}}_{ry}$ and ${\widehat{\mathbf{val}}}_U$ are multilinear, so we can implement the prover in $O\left(2^m\right)=O\left(M\right)=O\left(N\right)$ time from Lemma 3. After the SumCheck protocol, the verifier should check that for all $k\in {\{0,1\}}^m$:

• $P_{rx}\left(k\right)=\widehat{\chi }(r_x,{\varphi }^{-1}\left({\mathbf{row}}_M\left(k\right)\right))$,
• $P_{ry}\left(k\right)=\widehat{\chi }(r_y,{\varphi }^{-1}\left({\mathbf{col}}_M\left(k\right)\right))$.

In Spartan [36] and Brakedown [35], they use an offline memory-checking technique [57] to verify that these two conditions hold. They create an additional circuit specifically for the checking procedure and utilize another SNARK to convince the verifier that the checking procedure has been executed correctly. In our work, we propose a new polynomial IOP that eliminates the need for the second SNARK to check these conditions. A crucial component in our construction is the lookup protocol [44], which allows the prover to convince the verifier that all elements in a vector $v_1$ are contained within another vector $v_2$. We first show how to check the above conditions using the lookup protocol as a subroutine, then we revise the classical lookup protocol to fit our setting.

Let ${\widehat{T}}_{rx}\left(X\right)=\widehat{\chi }(r_x,X)$ and ${\widehat{T}}_{ry}\left(X\right)=\widehat{\chi }(r_y,X)$. We define two vectors $T_{rx}$ and $T_{ry}$ with length $2^n$ such that the i-th ($i\in {\{0,1\}}^n$) entry of $T_{rx}$ ($T_{ry}$) is ${\widehat{T}}_{rx}\left(i\right)$ (${\widehat{T}}_{ry}\left(i\right)$). Note that we can also view $P_{rx}$ and $P_{ry}$ as two vectors of length $2^m$. The key observation is that for all $k\in {\{0,1\}}^m$, if $P_{rx}\left(k\right)=\widehat{\chi }(r_x,{\varphi }^{-1}\left({\mathbf{row}}_U\left(k\right)\right))$, then $P_{rx}\left(k\right)=T_{rx}\left({\varphi }^{-1}\left({\mathbf{row}}_U\left(k\right)\right)\right)$, i.e., the k-th entry of $P_{rx}$ is exactly the ${\varphi }^{-1}\left({\mathbf{row}}_U\left(k\right)\right)$-th entry of $T_{rx}$. Therefore, the function (vector) $P_{rx}$ is constructed correctly if and only if for all $k\in {\{0,1\}}^m$, there exists an $i\in {\{0,1\}}^n$ such that $\left(P_{rx}\left(k\right),{\varphi }^{-1}\left({\mathbf{row}}_U\left(k\right)\right)\right)=\left(T_{rx}\left(i\right),i\right)$. This is equivalent to $\left(P_{rx}\left(k\right),{\mathbf{row}}_U\left(k\right)\right)=\left(T_{rx}\left(i\right),\varphi \left(i\right)\right)$ since $\varphi$ is a injection. Let $(P_{rx},{\mathbf{row}}_U)$ be a vector of length $M=2^m$, and the k-th (index starts from 0) entry of the vector is a tuple $\left(P_{rx}\left(k\right),{\mathbf{row}}_U\left(k\right)\right)$. Let $(T_{rx},\varphi )$ be a vector of length $N=2^n$, and the i-th entry of the vector is a tuple $\left(T_{rx}\left(i\right),\varphi \left(i\right)\right)$. We have argued that every element of the vector $(P_{rx},{\mathbf{row}}_U)$ is contained within the vector $\left(T_{rx},\varphi \right)$. We use the shorthand $\left(P_{rx},{\mathbf{row}}_U\right)\subseteq \left(T_{rx},\varphi \right)$ to represent the lookup relation. Similarly, we can define two vectors $\left(P_{ry},{\mathbf{col}}_U\right)$ and $(T_{ry},\varphi )$. The function (vector) $P_{ry}$ is constructed correctly if and only if $\left(P_{ry},{\mathbf{col}}_U\right)\subseteq \left(T_{ry},\varphi \right)$. We can apply the lookup protocol to check whether the two conditions hold. In this section, we use the lookup protocol as a black-box subroutine. We will provide a detailed construction of the lookup protocol in the subsequent section. We describe the protocol for checking ${\gamma }_U=\widehat{U}(r_x,r_y)$ as follows:

Protocol 6.

Protocol for Checking ${\gamma }_U=\widehat{U}(r_x,r_y)$:

Inputs.

• Prover’s input:

  −

  A matrix $U\in {\mathbb{F}}^{N\times N}$,

  −

  Four functions (vectors) ${\mathit{col}}_U,{\mathit{row}}_U,{\mathit{val}}_U,\varphi$ provided by the indexer in the offline phase,

  −

  Two random vectors $r_x,r_y\in {\mathbb{F}}^n$ ($n=\log N$) provided by the verifier.

• Verifier’s input:

  −

  Two random vectors $r_x,r_y\in {\mathbb{F}}^n$,

  −

  Four polynomial oracles ${\widetilde{\mathit{row}}}_U,{\widetilde{\mathit{col}}}_U,{\widetilde{\mathit{val}}}_U,\tilde{\varphi }$ provided by the indexer. The verifier has the ability to query the former three oracles at any point r in ${\mathbb{F}}^m$ and the last oracle at any point r in ${\mathbb{F}}^n$.

  −

  A element ${\gamma }_U\in \mathbb{F}$ provided by the prover.

Goal.

• The prover convinces the verifier that ${\gamma }_U=\widehat{U}(r_x,r_y)$.

The protocol:

1. 

Let ${\widehat{T}}_{rx}\left(X\right)=\widehat{\chi }(r_x,X)$ and ${\widehat{T}}_{ry}\left(X\right)=\widehat{\chi }(r_y,X)$. The prover constructs two vectors $T_{rx},T_{ry}$ of length $N=2^n$ (we can view these two vectors as two functions from ${\{0,1\}}^n$ to $\mathbb{F}$) such that $T_{rx}\left(i\right)={\widehat{T}}_{rx}\left(i\right)=\widehat{\chi }(r_x,i)$ and $T_{ry}\left(i\right)={\widehat{T}}_{ry}\left(i\right)=\widehat{\chi }(r_y,i)$ for all $i\in {\{0,1\}}^n$.

2. 

The prover constructs two vectors $P_{rx},P_{ry}$ of length $M=2^m$ (we can view these two vectors as two functions from ${\{0,1\}}^m$ to $\mathbb{F}$) such that $P_{rx}\left(k\right)=T_{rx}\left({\varphi }^{-1}\left({\mathit{row}}_U\left(k\right)\right)\right)=\widehat{\chi }(r_x,{\varphi }^{-1}\left({\mathit{row}}_U\left(k\right)\right))$ and $P_{ry}\left(k\right)=T_{ry}\left({\varphi }^{-1}\left({\mathit{col}}_U\left(k\right)\right)\right)=\widehat{\chi }(r_y,{\varphi }^{-1}\left({\mathit{col}}_U\left(k\right)\right))$ for all $k\in {\{0,1\}}^m$. Then, it sends the polynomial oracles ${\tilde{P}}_{rx},{\tilde{P}}_{ry}$ to the verifier.

3. 

The prover and verifier run the SumCheck protocol to check the following claim:

$${\gamma }_U=\sum _{k\in {\{0,1\}}^m}{\widehat{P}}_{rx}\left(k\right)·{\widehat{P}}_{ry}\left(k\right)·{\widehat{\mathit{val}}}_U\left(k\right)$$

4. 

The prover and verifier run the lookup protocol to check the following two claims:

• $\left(P_{rx},{\mathit{row}}_U\right)\subseteq \left(T_{rx},\varphi \right)$,
• $\left(P_{ry},{\mathit{col}}_U\right)\subseteq \left(T_{ry},\varphi \right)$.

We analyze the properties of Protocol 6 without considering the lookup protocol. In the last round of the SumCheck protocol of step 3, the verifier should compute ${\widehat{P}}_{rx}\left(r_k\right)·{\widehat{P}}_{ry}\left(r_k\right)·{\widehat{\mathbf{val}}}_U\left(r_k\right)$ for a random vector $r_k\in {\mathbb{F}}^m$. The verifier can query ${\tilde{P}}_{rx}$, ${\tilde{P}}_{ry}$, ${\widetilde{\mathbf{val}}}_U$ at $r_k\in {\mathbb{F}}^m$ to obtain ${\widehat{P}}_{rx}\left(r_k\right)$, ${\widehat{P}}_{ry}\left(r_k\right)$, ${\widehat{\mathbf{val}}}_U\left(r_k\right)$. The verifier can compute their product in constant time. The soundness error of the protocol is ${\displaystyle \frac{3n}{\left|\mathbb{F}\right|}}={\displaystyle \frac{3\log N}{\left|\mathbb{F}\right|}}$ from Table 3, since ${\widehat{P}}_{rx}$, ${\widehat{P}}_{ry}$, ${\widehat{\mathbf{val}}}_U$ are multilinear. In step 1 of the protocol, the prover should construct two vectors $T_{rx}$ and $T_{ry}$ with length $2^n$. This is equivalent to evaluating $\widehat{\chi }(r_x,X)$ and $\widehat{\chi }(r_y,X)$ at all points in the Boolean hypercube ${\{0,1\}}^n$. According to Lemma 4, the cost for the prover is $O\left(2^n\right)=O\left(N\right)$. In step 2 of the protocol, the prover constructs two vectors, $P_{rx}$ and $P_{ry}$ with length $2^m$. Each entry of these vectors is taken from $T_{rx}$ and $T_{ry}$, respectively. This implies that $P_{rx}$ and $P_{ry}$ can be constructed in $O\left(M\right)=O\left(N\right)$ time. In step 3 of the protocol, the cost of the prover for the SumCheck protocol is $O\left(M\right)=O\left(N\right)$ according to Lemma 3. This is because the polynomials ${\widehat{P}}_{rx}$, ${\widehat{P}}_{ry}$, and ${\widehat{\mathbf{val}}}_U$ are multilinear, and the prover can evaluate these polynomials at all points in the Boolean hypercube ${\{0,1\}}^m$ in $O\left(M\right)$ time. (The vectors $P_{rx}$ and $P_{ry}$ are constructed by the prover himself, and the vector ${\mathbf{val}}_U$ is sent by the indexer.)

Ignoring the lookup protocol, we summarize the properties of Protocol (6) in the

Table 8. Properties of Protocol (6).

Round	Communication	Query	Verifier’s	Prover’s	Soundness
	Complexity	Complexity	Time	Time	Error
$O\left(\log N\right)$	$O\left(\log N\right)$	3	$O\left(\log N\right)$	$O\left(N\right)$	${\displaystyle \frac{3\log N}{\left|\mathbb{F}\right|}}$

below. The round and communication complexity are both determined by the SumCheck protocol.

4.3. Lookup Protocol

In this section, we propose a lookup protocol to check that the condition $\left(P_{rx},{\mathbf{row}}_U\right)\subseteq \left(T_{rx},\varphi \right)$ holds (the same protocol can be applied to check $\left(P_{ry},{\mathbf{col}}_U\right)\subseteq \left(T_{ry},\varphi \right)$). We will replace the condition $\left(P_{rx},{\mathbf{row}}_U\right)\subseteq \left(T_{rx},\varphi \right)$ with the simpler inclusion $a\subseteq b$ using the standard randomized hashing scheme, where $a\in {\mathbb{F}}^M$ and $b\in {\mathbb{F}}^N$. The verifier samples a random element $\xi \in \mathbb{F}$ to the prover, then the prover defines two new vectors $a\in {\mathbb{F}}^M$ ($M=2^m$) and $b\in {\mathbb{F}}^N$ ($N=2^n$) such that for all $k\in {\{0,1\}}^m$, $a\left(k\right)=P_{rx}\left(k\right)+\xi ·{\mathbf{row}}_M\left(k\right)$, and for all $i\in {\{0,1\}}^n$, $b\left(i\right)=T_{rx}\left(i\right)+\xi ·\varphi \left(i\right)$. Remember that $\varphi$ is a natural canonical injection from ${\{0,1\}}^n$ to $\mathbb{F}$. It is not hard to see that $\left(P_{rx},{\mathbf{row}}_U\right)\subseteq \left(T_{rx},\varphi \right)$ if and only if $a\subseteq b$, except with a small probability. Formally, we have the following claim:

Lemma 10.

Suppose $\left(P_{rx},{\mathit{row}}_U\right)⊈\left(T_{rx},\varphi \right)$. Let ξ be a random element from $\mathbb{F}$. Define two vectors $a\in {\mathbb{F}}^M$ and $b\in {\mathbb{F}}^N$:

• $a=P_{rx}+\xi ·{\mathit{row}}_U$,
• $b=T_{rx}+\xi ·\varphi$.

Then, $a\subseteq b$ with a probability of at most ${\displaystyle \frac{N}{\left|\mathbb{F}\right|}}$.

Proof. 

There exists at least one $k^{\ast }\in {\{0,1\}}^m$ such that $(P_{rx}\left(k^{\ast }\right),{\mathbf{row}}_U\left(k^{\ast }\right)))\notin (T_{rx},\varphi )$, since $\left(P_{rx},{\mathbf{row}}_U)\right)⊈\left(T_{rx},\varphi \right)$. If $a\subseteq b$, then there exists an $i^{\ast }\in {\{0,1\}}^n$ such that

$$P_{rx}\left(k^{\ast }\right)+\xi ·{\mathbf{row}}_M\left(k^{\ast }\right)=T_{rx}\left(i^{\ast }\right)+\xi ·\varphi \left(i^{\ast }\right).$$

(24)

There exists at most one $\xi \in \mathbb{F}$ such that Equation (24) holds, i.e., Equation (24) holds with a probability of at most ${\displaystyle \frac{1}{\left|\mathbb{F}\right|}}$ for a particular $i^{\ast }$. Based on the union boundary, there exists $i^{\ast }\in {\{0,1\}}^n$ such that Equation (24) holds with a probability of at most ${\displaystyle \frac{2^n}{\left|\mathbb{F}\right|}}$. Therefore, $a\subseteq b$ with a probability of at most ${\displaystyle \frac{2^n}{\left|\mathbb{F}\right|}}={\displaystyle \frac{N}{\left|\mathbb{F}\right|}}$. □

Gabizon and Williamson [44] proposed a lookup protocol for checking the $a\subseteq b$ condition. Their construction relies on the following lemma:

Lemma 11.

Let $a\in {\mathbb{F}}^M$ and $b\in {\mathbb{F}}^N$. Then, $a\subseteq b$ if and only if there exists $s\in {\mathbb{F}}^{N+M}$ such that

$$\begin{array}{cc}\hfill \prod _{j=0}^{N+M-1}(X& ·(1+Y)+s\left(j\right)+s^{CSL}\left(j\right)·Y)\hfill \\ \hfill & ={(1+Y)}^M\prod _{j=0}^{M-1}(X+a\left(j\right))\prod _{j=0}^{N-1}(X·(1+Y)+b\left(j\right)+b^{CSL}\left(j\right)·Y),\hfill \end{array}$$

(25)

where $b^{CSL}=(b\left(1\right),b\left(2\right),\cdots ,b(N-1),b\left(0\right))$ and $s^{CSL}=(s\left(1\right),s\left(2\right),\cdots ,s(M+N-1),s\left(0\right))$ are the cyclic shifts left of b and s. We can construct $s\in {\mathbb{F}}^{N+M}$ as follows: Initialize a vector $s=b$. Then for each $j\in {\{0,1\}}^m$ ($m=\log M$), find $s\left(i\right)$ in s such that $a\left(j\right)=s\left(i\right)$ (at least one entry exists since $a\subseteq b$) and insert $a\left(j\right)$ after $s\left(i\right)$ in s.

To check that Equation (25) holds, we can apply a standard polynomial identity testing scheme; namely, we can sample two random elements $\alpha ,\beta \leftarrow \mathbb{F}$ and check

$$\begin{array}{cc}\hfill \prod _{j=0}^{N+M-1}(\alpha & ·(1+\beta )+s\left(j\right)+s^{CSL}\left(j\right)·\beta )\hfill \\ \hfill & ={(1+\beta )}^M\prod _{j=0}^{M-1}(\alpha +a\left(j\right))\prod _{j=0}^{N-1}(\alpha ·(1+\beta )+b\left(j\right)+b^{CSL}\left(j\right)·\beta ).\hfill \end{array}$$

(26)

If Equation (25) does not hold, then the test will pass with a probability of at most ${\displaystyle \frac{2(M+N)}{\left|\mathbb{F}\right|}}$ from the Schwartz–Zippel Lemma. Gabizon and Williamson verified the Equation (26) by performing a ZeroTest on a multiplicative subgroup of $\mathbb{F}$, resulting in a quasilinear prover time. However, their approach is not suitable for our work, as we require the prover to be implemented in strictly linear time. We will give a new polynomial IOP for the lookup condition with a linear time prover in this section. Our construction is inspired by the work of Bootle et al. [33], where they introduced a protocol based on the tensor IOP model.

Without loss of generality, we assume that the vectors a and b have the same length, which is M (we can pad b with $M-N$ repetitions of the last element). Therefore, s is a vector with length $M+M=2M=2^{m+1}$. We can view the vectors $a,b,s$ as three functions defined on the Boolean hypercube, i.e., $a,b:{\{0,1\}}^m\to \mathbb{F}$ and $s:{\{0,1\}}^{m+1}\to \mathbb{F}$. Let $\widehat{a},\widehat{b}:{\mathbb{F}}^m\to \mathbb{F}$ and $\widehat{s}:{\mathbb{F}}^{m+1}\to \mathbb{F}$ be the multilinear extensions of $a,b,s$. The prover sends three polynomial oracles $\tilde{a},\tilde{b},\tilde{s}$ to the verifier. (Note that in the actual protocol, the prover needs not send the oracle $\tilde{a}$, since for any $v\in {\mathbb{F}}^m$, the verifier can obtain $\widehat{a}\left(v\right)$ from ${\widehat{P}}_{rx}\left(v\right)$ and ${\widehat{\mathbf{row}}}_U\left(v\right)$. Let $b^{CSL},s^{CSL}$ be the cyclic shift left of $b,s$, and let ${\widehat{b}}^{CSL}:{\mathbb{F}}^m\to \mathbb{F}$ and ${\widehat{s}}^{CSL}:{\mathbb{F}}^{m+1}\to \mathbb{F}$ be the multilinear extension. The prover sends the polynomial oracles ${\tilde{b}}^{CSL},{\tilde{s}}^{CSL}$ to the verifier. The verfier can query the polynomial oracles $\tilde{a}$, $\tilde{b}$, ${\tilde{b}}^{CSL}$ at any point $v_1\in {\mathbb{F}}^m$ to obtain $\widehat{a}\left(v_1\right)$, $\widehat{b}\left(v_1\right)$, ${\widehat{b}}^{CSL}\left(v_1\right)$ and query the polynomial oracles $\tilde{s}$, ${\tilde{s}}^{CSL}$ at any point $v_2\in {\mathbb{F}}^{m+1}$ to obtain $\widehat{s}\left(v_2\right)$, ${\widehat{s}}^{CSL}\left(v_2\right)$.

The verifier samples two random elements $\alpha ,\beta \leftarrow \mathbb{F}$ and sends them to the prover. The prover constructs three functions (vectors) $F_a,F_b:{\{0,1\}}^m\to \mathbb{F}$ and $F_s:{\{0,1\}}^{m+1}\to \mathbb{F}$ such that for all $i\in {\{0,1\}}^m$ and $j\in {\{0,1\}}^{m+1}$:

$$\begin{array}{cc}\hfill & F_a\left(i\right)=\alpha +a\left(i\right),\hfill \\ \hfill & F_b\left(i\right)=\alpha ·(1+\beta )+b\left(i\right)+b^{CSL}\left(i\right)·\beta ,\hfill \\ \hfill & F_s\left(j\right)=\alpha ·(1+\beta )+s\left(j\right)+s^{CSL}\left(j\right)·\beta .\hfill \end{array}$$

(27)

The prover computes

$$\begin{array}{cc}\hfill & f_a=\prod _{i\in {\{0,1\}}^m}{F}_a\left(i\right),\hfill \\ \hfill & f_b=\prod _{i\in {\{0,1\}}^m}{F}_b\left(i\right),\hfill \\ \hfill & f_s=\prod _{j\in {\{0,1\}}^{m+1}}{F}_s\left(j\right).\hfill \end{array}$$

(28)

Let ${\widehat{F}}_a,{\widehat{F}}_b:{\mathbb{F}}^m\to \mathbb{F}$ and ${\widehat{F}}_s:{\mathbb{F}}^{m+1}\to \mathbb{F}$ be the multilinear extension of $F_a,F_b$ and $F_s$. Then, the prover sends the polynomial oracles ${\tilde{F}}_a,{\tilde{F}}_b,{\tilde{F}}_s$ and non-oracle messages $f_a,f_b,f_s$ to the verifier. The verfier can query the polynomial oracles ${\tilde{F}}_a$, ${\tilde{F}}_b$ at any point $v_1\in {\mathbb{F}}^m$ to obtain ${\widehat{F}}_a\left(v_1\right)$, ${\widehat{F}}_b\left(v_1\right)$ and query the polynomial oracles ${\tilde{F}}_s$ at any point $v_2\in {\mathbb{F}}^{m+1}$ to obtain ${\widehat{F}}_s\left(v_2\right)$. Note that in the actual protocol, which will be provided in Section 4.3.3, the prover does not need to send the polynomial oracles ${\tilde{F}}_a,{\tilde{F}}_b$, and ${\tilde{F}}_s$. This is because for any $v_1\in {\{0,1\}}^m$ and $v_2\in {\{0,1\}}^{m+1}$, the verifier can obtain ${\widehat{F}}_a\left(v_1\right)$, ${\widehat{F}}_b\left(v_1\right)$, and ${\widehat{F}}_s\left(v_2\right)$ using the values of $\widehat{a}\left(v_1\right)$, $\widehat{b}\left(v_1\right)$, ${\widehat{b}}^{CSL}\left(v_1\right)$, $\widehat{s}\left(v_2\right)$, and ${\widehat{s}}^{CSL}\left(v_2\right)$. In this section, we request that the prover sends these polynomial oracles for the sole purpose of making the structure of the protocol more clear.

The verifier first checks that $f_s={(1+\beta )}^M·f_a·f_b$ and rejects it if the equation does not hold. Next, the verifier checks that $b^{CSL}$ and $s^{CSL}$ are the cyclic shifts left of b and s by running the Cyclic Shift Left Check (CSLCheck) protocol, which will be constructed in the Section 4.3.1. Finally, the verifier checks Equations (28) by running the ProductCheck protocol, which will be constructed in Section 4.3.2. In Section 4.3.3, we present a detailed explanation and analysis of the lookup protocol.

4.3.1. CSLCheck Protocol

Suppose $b,b^{CSL}\in {\mathbb{F}}^M$ are two vectors with length M. Given two polynomial oracles $\tilde{b}$ and ${\tilde{b}}^{CSL}$, the verifier checks that for all $i\in {\{0,1\}}^m$ ($M=2^m$), $b\left(i\right)=b^{CSL}(M-1)$ if $i=0$, $b\left(i\right)=b^{CSL}(i-1)$ otherwise. Indeed, the verifier checks that $b^{CSL}$ is the cyclic shift left of b.

Let $\overline{b}\left(X\right)={\sum }_{i=0}^{M-1}b\left(i\right)·X^i$ and ${\overline{b}}^{CSL}\left(X\right)={\sum }_{i=0}^{M-1}{b}^{CSL}\left(i\right)·X^i$. If $b^{CSL}$ is the cyclic shift left b, then ${\overline{b}}^{CSL}\left(X\right)={\sum }_{i=0}^{M-1}{b}^{CSL}\left(i\right)·X^i={\sum }_{i=1}^{M-1}b\left(i\right)·X^{i-1}+b\left(0\right)·X^{M-1}$. Therefore, the following polynomial identity holds:

$$\overline{b}\left(X\right)-X·{\overline{b}}^{CSL}\left(X\right)=b\left(0\right)·(1-X^M).$$

(29)

The verifier checks that the above polynomial identity holds via standard polynomial identity testing. Namely, the verifier first samples a random element $r_s\leftarrow \mathbb{F}$. Then, the verifier can obtain $b\left(r_s\right)$ by querying the polynomial oracle $\tilde{b}$ in the univariate canonical form, as mentioned in Section 2.4.1. Note that in our work, the verifier always queries the polynomial oracles in the multilinear Lagrange form, except for in this section. Similarly, the verifier can obtain ${\overline{b}}^{CSL}\left(r_s\right)$ by querying the polynomial oracle ${\tilde{b}}^{CSL}$ in the univariate canonical form. Next, the verifier queries $\tilde{b}$ at 0 to obtain $b\left(0\right)$ (note that in the actual protocol, the verifier can compute $b\left(0\right)$ by itself since $b\left(0\right)=T_{rx}\left(0\right)+\xi ·\varphi \left(0\right)$) and computes $r_s^M$ in $O\left(\log M\right)$ time. Finally, the verifier checks that $\overline{b}\left(r_s\right)-r_s·{\overline{b}}^{CSL}\left(r_s\right)=b\left(0\right)·(1-r_s^M)$ holds. Based on the Schwartz–Zippel Lemma, if $b^{CSL}$ is not the cyclic shift left of b, then the verifier will accept it with a probability of at most ${\displaystyle \frac{M}{\left|\mathbb{F}\right|}}$. We describe the protocol for checking the cyclic shift left as follows:

Protocol 7.

CSLCheck Protocol:

Inputs.

• Prover’s input:

  −

  Two vectors $b,b^{CSL}\in {\mathbb{F}}^M$.

• Verifier’s input:

  −

  Two polynomial oracles $\tilde{b}$, ${\tilde{b}}^{CSL}$.

Goal.

• The prover convinces the verifier that $b^{CSL}$ is the cyclic shift left of b.

The protocol:

1. 

The verifier samples $r_s\leftarrow \mathbb{F}$, and queries $\tilde{b}$, ${\tilde{b}}^{CSL}$ at $r_s$ in the univariate canonical form. Suppose the return values are $\overline{b}\left(r_s\right)$ and ${\overline{b}}^{CSL}\left(r_s\right)$.

2. 

The verifier queries $\tilde{b}$ at 0 to obtain $b\left(0\right)$ (regardless of the query form, the return value is always $b\left(0\right)$).

3. 

The verifier checks that

$$\overline{b}\left(r_s\right)-r_s·{\overline{b}}^{CSL}\left(r_s\right)=b\left(0\right)·(1-r_s^M)$$

(30)

We summarize the properties of the CSLCheck protocol in the

Table 9. Properties of the CSLCheck protocol.

Round	Communication	Query	Verifier’s	Prover’s	Soundness
	Complexity	Complexity	Time	Time	Error
0	0	$O\left(1\right)$	$O\left(\log M\right)$	0	${\displaystyle \frac{M}{\left|\mathbb{F}\right|}}$

below. Note that there is nothing for the prover to do in this protocol. Remember that $m=\log M$.

4.3.2. ProductCheck Protocol

Suppose $F_a\in {\mathbb{F}}^M$ is a vector with length M. Given a polynomial oracle ${\tilde{F}}_a$, an element $f_a\in \mathbb{F}$, the verifier checks that $f_a={\prod }_{i\in {\{0,1\}}^m}{F}_a\left(i\right)$ ($M=2^m$). We utilize the partial product technique from PLONK to construct the ProductCheck protocol. The prover first constructs three functions, $F_{ax},F_{ay},F_{az}:{\{0,1\}}^m\to \mathbb{F}$ such that every entry of the vectors is a partial product of $F_a$. Formally, for all $i\in {\{0,1\}}^m$:

$$\begin{array}{cc}\hfill & F_{ax}\left(i\right)=1\mathrm{if}i=0,\mathrm{and}{F}_{ax}\left(i\right)=\prod _{j=0}^{i-1}{F}_a\left(j\right)\mathrm{otherwise},\hfill \\ \hfill & F_{ay}\left(i\right)=\prod _{j=0}^i{F}_a\left(j\right),\hfill \\ \hfill & F_{az}\left(i\right)=1\mathrm{if}i=M-1,\mathrm{and}{F}_{az}\left(i\right)=\prod _{j=0}^i{F}_a\left(j\right)\mathrm{otherwise}.\hfill \end{array}$$

(31)

We can view these three functions as vectors of length M. Note that $F_{az}$ is the cyclic shift left of $F_{ax}$, and $F_{ay}$ and $F_{az}$ are the same vectors except for the last element.

$$\begin{array}{cc}\hfill & F_{ax}=\left(1,F_a\left(0\right),F_a\left(0\right)·F_a\left(1\right),\cdots ,\prod _{j=0}^{M-2}{F}_a\left(j\right)\right)\hfill \\ \hfill & F_{ay}=\left(F_a\left(0\right),F_a\left(0\right)·F_a\left(1\right),\cdots \prod _{j=0}^{M-1}{F}_a\left(j\right)\right),\hfill \\ \hfill & F_{az}=\left(F_a\left(0\right),F_a\left(0\right)·F_a\left(1\right),\cdots ,\prod _{j=0}^{M-2}{F}_a\left(j\right),1\right).\hfill \end{array}$$

(32)

The prover sends three polynomial oracles ${\tilde{F}}_{ax}$, ${\tilde{F}}_{ay}$ and ${\tilde{F}}_{az}$ to the verifier.

The verifier first checks that $F_a\circ F_{ax}=F_{ay}$, where ∘ denotes the pairwise product of two vectors. Indeed, the verifier checks that for all $i\in {\{0,1\}}^m$, it holds that $F_a\left(i\right)·F_{ax}\left(i\right)=F_{ay}\left(i\right)$. Note that this task is identical to the problem addressed by the RowCheck protocol described in Section 3.1. Next, the verifier proceeds to check whether $F_{az}$ corresponds to the cyclic shift left of $F_{ax}$, employing the protocol outlined in Section 4.3.1. In the CSLCheck protocol, the verifier will query ${\tilde{F}}_{ax}$ at 0 to obtain $F_{ax}\left(0\right)$. The verifier will reject it if it is not equal to 1. Then, the verifier samples a random vector $r_p\leftarrow {\mathbb{F}}^m$, queries ${\tilde{F}}_{ay},{\tilde{F}}_{ay}$ at point $r_p$, and checks

$${\widehat{F}}_{ay}\left(r_p\right)-{\widehat{F}}_{az}\left(r_p\right)=(f_a-1)·\prod _{i\in \left[m\right]}{r}_{p,i},$$

(33)

where $r_{p,i}$ is the i-th entry of $r_p\in {\mathbb{F}}^m$. If the prover is honest, then

$$\begin{array}{cc}\hfill {\widehat{F}}_{ay}\left(X\right)-{\widehat{F}}_{az}\left(X\right)& =\sum _{v\in {\{0,1\}}^m}{F}_{ay}\left(v\right)·\widehat{\chi }(v,X)-\sum _{v\in {\{0,1\}}^m}{F}_{az}\left(v\right)·\widehat{\chi }(v,X)\hfill \\ \hfill & =F_{ay}(M-1)·\widehat{\chi }(\overrightarrow{1},X)-F_{az}(M-1)·\widehat{\chi }(\overrightarrow{1},X)\hfill \\ \hfill & =(\prod _{j=0}^{M-1}{F}_a\left(j\right)-1)·\widehat{\chi }(\overrightarrow{1},X)\hfill \\ \hfill & =(f_a-1)·\prod _{i\in \left[m\right]}{X}_i,\hfill \end{array}$$

(34)

$\overrightarrow{1}$ denotes the all 1 vector $(1,1,\cdots ,1)$. Therefore, $\widehat{\chi }(\overrightarrow{1},X)={\prod }_{i\in \left[m\right]}((1-X_i)·(1-1)+X_i·1)={\prod }_{i\in \left[m\right]}{X}_i$. We describe the ProductCheck protocol as follows:

Protocol 8.

ProductCheck Protocol:

Inputs.

• Prover’s input:

  −

  A vector $F_a\in {\mathbb{F}}^M$.

• Verifier’s input:

  −

  A polynomial oracle ${\tilde{F}}_a$.

  −

  A single field element $f_a\in \mathbb{F}$.

Goal.

• The prover convinces the verifier that $f_a={\prod }_{i\in {\{0,1\}}^m}{F}_a\left(i\right)$ ($m=\log M$).

The protocol:

1. 

The prover constructs three vectors $F_{ax}$, $F_{ay}$, $F_{az}$ with length $M=2^m$ (three functions $F_{ax},F_{ay},F_{az}:{\{0,1\}}^m\to \mathbb{F}$) such that for all $i\in {\{0,1\}}^m$:

$$\begin{array}{cc}\hfill & F_{ax}\left(i\right)=1\mathit{if}i=0,\mathit{and}{F}_{ax}\left(i\right)=\prod _{j=0}^{i-1}{F}_a\left(j\right)\mathit{otherwise},\hfill \\ \hfill & F_{ay}\left(i\right)=\prod _{j=0}^i{F}_a\left(j\right),\hfill \\ \hfill & F_{az}\left(i\right)=1\mathit{if}i=M-1,\mathit{and}{F}_{az}\left(i\right)=\prod _{j=0}^i{F}_a\left(j\right)\mathit{otherwise}.\hfill \end{array}$$

(35)

The prover sends three polynomial oracles ${\tilde{F}}_{ax}$, ${\tilde{F}}_{bx}$, ${\tilde{F}}_{cx}$ to the verifier.

2. 

The prover and verifier run the RowCheck protocol (Protocol 2) to check that $F_a\circ F_{ax}=F_{ay}$.

3. 

The prover and verifier run the CSLCheck protocol (Protocol 7) to check that $F_{az}$ is the cyclic shift left of $F_{ax}$. During the CSLCheck phase, the verifier will query ${\tilde{F}}_{ax}$ at 0 to obtain $F_{ax}\left(0\right)$ and reject it if $F_{ax}\left(0\right)\ne 1$.

4. 

The verifier samples a random vector $r_p\leftarrow {\mathbb{F}}^m$ and queries ${\tilde{F}}_{ay}$, ${\tilde{F}}_{az}$ at point $r_p$ to obtain ${\widehat{F}}_{ay}\left(r_p\right)$ and ${\widehat{F}}_{az}\left(r_p\right)$. Finally, the verifier checks the following:

$${\widehat{F}}_{ay}\left(r_p\right)-{\widehat{F}}_{az}\left(r_p\right)=(f_a-1)·\prod _{i\in \left[m\right]}{r}_{p,i}.$$

(36)

From Table 4 and Table 9, the verifier’s cost is $O\left(\log M\right)$ and the prover’s cost is $O\left(M\right)$ in steps 2 and 3 of the ProductCheck protocol. In the final step, the verifier needs to compute ${\prod }_{i\in \left[m\right]}{r}_{p,i}$ for a randomly chosen vector $r_p\leftarrow {\mathbb{F}}^m$, which can be done in $O\left(\log M\right)$ time. Hence, the total cost of the verifier in this protocol is $O\left(\log M\right)$. The prover’s cost is also $O\left(M\right)$ in step 1, as every entry of the three vectors is a partial product of $F_a$. Therefore, the total cost of the prover in this protocol is $O\left(M\right)$.

The round and communication complexity (non-oracle messages) are determined by the RowCheck protocol, which is $O\left(\log M\right)$. The query complexity of the RowCheck protocol and CSLCheck protocol is both 3, and in step 4, the query complexity is 2. Therefore, the total query complexity in the ProductCheck protocol is 8, which is constant.

For the soundness error of the ProductCheck protocol, we have the following lemma:

Lemma 12.

If $f_a\ne {\prod }_{i\in {\{0,1\}}^m}{F}_a\left(i\right)$, then in Protocol (8), the verifier accepts it with a probability of at most ${\displaystyle \frac{M}{\left|\mathbb{F}\right|}}$.

Proof. 

See Appendix D. □

We summarize the properties of the ProductCheck protocol in the

Table 10. Properties of the ProductCheck protocol.

Round	Communication	Query	Verifier’s	Prover’s	Soundness
	Complexity	Complexity	Time	Time	Error
$O\left(\log M\right)$	$O\left(\log M\right)$	$O\left(1\right)$	$O\left(\log M\right)$	$O\left(M\right)$	${\displaystyle \frac{M}{\left|\mathbb{F}\right|}}$

below.

4.3.3. Putting Everything Together

In this section, we present a detailed explanation and analysis of the Lookup protocol. Remember that the purpose of the lookup protocol is for the prover to convince the verifier that $\left(P_{rx},{\mathbf{row}}_U\right)\subseteq \left(T_{rx},\varphi \right)$. (The same protocol can be applied to check $\left(P_{ry},{\mathbf{col}}_U\right)\subseteq \left(T_{ry},\varphi \right)$.) To align the lengths of the vectors $\left(T_{rx},\varphi \right)$ and $\left(P_{rx},{\mathbf{row}}_U\right)$, the prover pads the vector $\left(T_{rx},\varphi \right)$, which has a length of $N=2^n$, such that it matches the length of $\left(P_{rx},{\mathbf{row}}_U\right)$, which is $M=2^m$. The prover can just pad $\left(T_{rx},\varphi \right)$ with $M-N$ repetitions of the last element. Let $(T_{rx}^{\prime },{\varphi }^{\prime })$ be the vector after padding. We have the following lemma:

Lemma 13.

Let ${\widehat{T}}_{rx}^{\prime }$, ${\widehat{\varphi }}^{\prime }$ be the multilinear extension of $T_{rx}^{\prime },{\varphi }^{\prime }$; then,

• ${\widehat{T}}_{rx}^{\prime }\left(X\right)={\prod }_{i\in [m-n]}(1-X_i)·\left({\widehat{T}}_{rx}\left(X^{\prime }\right)-T_{rx}(N-1)\right)+T_{rx}(N-1)$,
• ${\widehat{\varphi }}^{\prime }\left(X\right)={\prod }_{i\in [m-n]}(1-X_i)·\left(\widehat{\varphi }\left(X^{\prime }\right)-\varphi (N-1)\right)+\varphi (N-1)$,

where $X^{\prime }=(X_{m-n+1},X_{m-n+2},\cdots ,X_m)$.

Proof. 

See Appendix E. □

The above lemma states that for any points $v\in {\mathbb{F}}^m$, the verifier can compute ${\widehat{T}}_{rx}^{\prime }\left(v\right)$ by itself and compute ${\widehat{\varphi }}^{\prime }\left(v\right)$ by querying $\widehat{\varphi }$ at $v^{\prime }=(v_{m-n+1},v_{m-n+2},\cdots ,v_m)\in {\mathbb{F}}^n$. Now, we describe the complete lookup protocol.

Protocol 9.

Lookup Protocol:

Inputs.

• Prover’s input:

  −

  Two vectors $\left(P_{rx},{\mathit{row}}_U\right)$ with length $M=2^m$ and $\left(T_{rx},\varphi \right)$ with length $N=2^n$ ($M=O\left(N\right)$).

• Verifier’s input:

  −

  Two polynomial oracles ${\widetilde{\mathit{row}}}_U$, $\tilde{\varphi }$ provided by the indexer.

  −

  A polynomial oracle ${\tilde{P}}_{rx}$ provided by the prover.

Goal.

• The prover convinces the verifier that $\left(P_{rx},{\mathit{row}}_U\right)\subseteq \left(T_{rx},\varphi \right).$

The protocol.

1. 

The prover pads $(T_{rx},\varphi )$ with $M-N$ repetitions of the last element. Let $(T_{rx}^{\prime },{\varphi }^{\prime })$ be the vector after padding.

2. 

The verifier samples a random element $\xi \in \mathbb{F}$ and sends it to the prover.

3. 

The prover computes two vectors $a,b\in {\mathbb{F}}^M$:

• $a=P_{rx}+\xi ·{\mathit{row}}_U$,
• $b=T_{rx}^{\prime }+\xi ·{\varphi }^{\prime }$,

and constructs a vector $s\in {\mathbb{F}}^{2M}$ that satisfies Lemma 11. Formally, the prover does the following:

• Initialize a vector $\mathit{freq}$ with length N, where the i-th (index starts from 0) element ${\mathit{freq}}_i$ represents the frequency of $\varphi \left(i\right)$ appearing in vector ${\mathit{row}}_U$. Scan the vector ${\mathit{row}}_U$ to deduce the vector $\mathit{freq}$.
• Initialize a vector s with length $2M$ and perform a linear scan on s, where for each $j\in {\{0,1\}}^m$, if $j<N-1$, insert ${\mathit{freq}}_j+1$ copies of $T_{rx}^{\prime }\left(j\right)+\xi ·{\varphi }^{\prime }\left(j\right)$ into s. If $j\ge N-1$, insert ${\mathit{freq}}_{N-1}+M-N+1$ copies of $T_{rx}^{\prime }\left(j\right)+\xi ·{\varphi }^{\prime }\left(j\right)=T_{rx}(N-1)+\xi ·\varphi (N-1)$ into s. It is easy to verify that the vector s we have constructed satisfies Lemma 11.

The prover then sets $b^{CSL}$ and $s^{CSL}$ to be the cyclic shift left of b and s. Then, the prover sends four polynomial oracles $\tilde{b}$, ${\tilde{b}}^{CSL}$, $\tilde{s}$, and ${\tilde{s}}^{CSL}$.

4. 

The verifier checks that $\widehat{b}\left(X\right)={\widehat{T}}_{rx}^{\prime }\left(X\right)+\xi ·{\widehat{\varphi }}^{\prime }\left(X\right)$ via the standard polynomial testing technique. In other words, the verifier samples $r_b=(r_{b,1},r_{b,2},\cdots ,r_{b,m})\in {\mathbb{F}}^m$, queries $\tilde{b}$ at $r_b$ to obtain $\widehat{b}\left(r_b\right)$ and queries $\tilde{\varphi }$ at $r_b^{\prime }$ to obtain $\widehat{\varphi }\left(r_b^{\prime }\right)$, where $r_b^{\prime }=(r_{b,m-n+1},r_{b,m-n+2},\cdots ,r_{b,m})\in {\mathbb{F}}^n$. The verifier then queries $\tilde{\varphi }$ at $\overrightarrow{1}=(1,1,\cdots ,1)$ to obtain $\widehat{\varphi }\left(\overrightarrow{1}\right)=\varphi (N-1)$ and checks that

$$\begin{array}{cc}\hfill \widehat{b}\left(r_b\right)=\prod _{i\in [m-n]}& (1-r_{b,i})·\left(\widehat{\chi }\left(r_x,r_b^{\prime }\right)-\prod _{i\in \left[n\right]}{r}_{x,i}\right)+\prod _{i\in \left[n\right]}{r}_{x,i}\hfill \\ \hfill & +\xi ·\left(\prod _{i\in [m-n]}(1-r_{b,i})·\left(\widehat{\varphi }\left(r_b^{\prime }\right)-\varphi (N-1)\right)+\varphi (N-1)\right),\hfill \end{array}$$

(37)

since ${\widehat{T}}_{rx}\left(X\right)=\widehat{\chi }(r_x,X)={\prod }_{i\in \left[n\right]}\left((1-r_{x,i})·(1-X_i)+r_{x,i}·X_i\right)$. Equation (37) is deduced from Lemma 13.

5. 

The verifier samples two random elements $\alpha ,\beta \in \mathbb{F}$ and sends it to the prover.

6. 

The prover constructs three functions $F_a,F_b:{\{0,1\}}^m\to \mathbb{F}$ and $F_s:{\{0,1\}}^{m+1}\to \mathbb{F}$ such that for all $i\in {\{0,1\}}^m$ and $j\in {\{0,1\}}^{m+1}$:

$$\begin{array}{cc}\hfill & F_a\left(i\right)=\alpha +a\left(i\right),\hfill \\ \hfill & F_b\left(i\right)=\alpha ·(1+\beta )+b\left(i\right)+b^{CSL}\left(i\right)·\beta ,\hfill \\ \hfill & F_s\left(j\right)=\alpha ·(1+\beta )+s\left(j\right)+s^{CSL}\left(j\right)·\beta .\hfill \end{array}$$

(38)

Next, the prover computes the following:

$$\begin{array}{cc}\hfill & f_a=\prod _{i\in {\{0,1\}}^m}{F}_a\left(i\right),\hfill \\ \hfill & f_b=\prod _{i\in {\{0,1\}}^m}{F}_b\left(i\right),\hfill \\ \hfill & f_s=\prod _{j\in {\{0,1\}}^{m+1}}{F}_s\left(j\right).\hfill \end{array}$$

(39)

Then, the prover sends three elements $f_a,f_b,f_s$ to the verifier.

7. 

The verifier checks that $f_s={(1+\beta )}^M·f_a·f_b$.

8. 

The prover and verifier then run three ProductCheck protocols (Protocol 8) in parallel to verify Equation (39). Let ${\widehat{F}}_a,{\widehat{F}}_b:{\mathbb{F}}^m\to \mathbb{F}$, and ${\widehat{F}}_s:{\mathbb{F}}^{m+1}\to \mathbb{F}$ be the multilinear extensions of $F_a$, $F_b$, and $F_s$. During the execution of the ProductCheck protocol, the verifier should compute ${\widehat{F}}_a$, ${\widehat{F}}_b$, and ${\widehat{F}}_s$ at some random points $t_a,t_b\in {\mathbb{F}}^m$, and $t_s\in {\mathbb{F}}^{m+1}$ (step 2 of Protocol (8)).

• To obtain ${\widehat{F}}_a\left(t_a\right)$, the verifier queries ${\tilde{P}}_{rx}$ at $t_a$ to obtain ${\widehat{P}}_{rx}\left(t_a\right)$, queries ${\widetilde{\mathit{row}}}_U$ at $t_a$ to obtain ${\widehat{\mathit{row}}}_U\left(t_a\right)$, and computes

  $${\widehat{F}}_a\left(t_a\right)=\alpha +\widehat{a}\left(t_a\right)=\alpha +{\widehat{P}}_{rx}\left(t_a\right)+\xi ·{\widehat{\mathit{row}}}_U\left(t_a\right).$$
• To obtain ${\widehat{F}}_b\left(t_b\right)$, the verifier queries $\tilde{b}$ at $t_a$ to obtain $\widehat{b}\left(t_a\right)$, queries ${\tilde{b}}^{CSL}$ at $t_a$ to obtain ${\widehat{b}}^{CSL}\left(t_a\right)$, and computes

  $${\widehat{F}}_b\left(t_b\right)=\alpha ·(1+\beta )+\widehat{b}\left(t_b\right)+{\widehat{b}}^{CSL}\left(t_b\right)·\beta .$$
• To obtain ${\widehat{F}}_s\left(t_s\right)$, the verifier queries $\tilde{s}$ at $t_s$ to obtain $\widehat{s}\left(t_s\right)$, queries ${\tilde{s}}^{CSL}$ at $t_s$ to obtain ${\widehat{s}}^{CSL}\left(t_s\right)$, and computes

  $${\widehat{F}}_s\left(t_s\right)=\alpha ·(1+\beta )+\widehat{s}\left(t_s\right)+{\widehat{s}}^{CSL}\left(t_s\right)·\beta .$$

9. 

The prover and verifier then execute two CSLCheck protocols (Protocol 7) in parallel to verify that $b^{CSL}$ and $s^{CSL}$ are cyclic shifts left of b and s, respectively.

From Table 9 and Table 10, the verifier’s cost is $O\left(\log M\right)$ in the CSLCheck and ProductCheck phases. In step 4 of the protocol, the verifier can compute the right-hand side of Equation (37) in $O\left(m\right)=O\left(\log M\right)$ time. Therefore, the total cost of the verifier in Protocol (9) is $O\left(\log N\right)+O\left(\log M\right)=O\left(\log M\right)$. The query complexity of this protocol is constant; specifically, $O\left(1\right)$. This is because each sub-protocol has a constant query complexity, and in step 4, the verifier makes three queries to the polynomial oracles. The round and communication complexity are determined by the ProductCheck protocol, which is $O\left(\log M\right)=O\left(\log M\right)$.

We then analyze the prover’s cost in Protocol (9). In step 3, when constructing the vector $s\in {\mathbb{F}}^{2M}$, the prover first scans the vector ${\mathbf{row}}_U$ to deduce a frequency vector $\mathbf{freq}$ and then construct vector s from $\mathbf{freq}$ by performing a linear scan on s. The total cost of step 3 is $O\left(N\right)+O\left(M\right)=O\left(M\right)$. In step 6, the prover should construct two vectors with length M and one vector with length $2M$ and compute the entry product of each vector, which takes time $O\left(M\right)$. From Table 10, the prover’s cost in the ProductCheck is $O\left(M\right)$. Therefore, the total cost of the prover in Protocol 9 is $O\left(M\right)+O\left(N\right)=O\left(M\right)$.

For the soundness error of the lookup protocol, we have the following lemma:

Lemma 14.

If $\left(P_{rx},{\mathit{row}}_U\right)⊈\left(T_{rx},\varphi \right)$, then in Protocol (9), for any prover’s strategy, the verifier accepts it with a probability of at most ${\displaystyle \frac{6M+N}{\left|\mathbb{F}\right|}}$.

Proof. 

See Appendix F. □

We summarize the properties of the lookup protocol in the

Table 11. Properties of the lookup protocol.

Round	Communication	Query	Verifier’s	Prover’s	Soundness
	Complexity	Complexity	Time	Time	Error
$O\left(\log M\right)$	$O\left(\log M\right)$	$O\left(1\right)$	$O\left(\log M\right)$	$O\left(M\right)$	${\displaystyle \frac{6M+N}{\left|\mathbb{F}\right|}}$

below.

5. Conclusions

In our work, we present a novel polynomial holographic IOP for the $\mathcal{NP}$-Complete language R1CS. We achieve linear-time proving and logarithmic-time verification. We achieve holography from the lookup protocol, and we design a polynomial IOP for the lookup relation with linear-time proving. Together with some suitable polynomial commitments (such as Orion [45]), we obtain a SNARK with an optimal-time prover, polylogarithmic-time verifier, and polylogarithmic proof size. However, our construction relies on a sufficiently large finite field ($\left|\mathbb{F}\right|\ge \mathrm{\Omega }\left(N\right)$) to achieve a small soundness error, as the soundness error is determined by the Schwartz–Zippel Lemma in our work. There is still limited research on constructing SNARKs over small finite fields (e.g., in ${\mathbb{F}}_2$).