Bob's protocol uses a sumcheck argument to prove the sum of
Here is the verifier algorithm as implemented in verifier.rs:
- Initialize Fiat-Shamir randomness with the protocol name, the statement (domain $D$, commitment to $f$, claimed sum), and the commitments to $s$, $h$, $g$.
- Generate a random $\xi$ and an opening challenge.
- Check the batch proof for the claimed evaluations of $f$, $s$, $h$, $g$ at $\xi$.
- Verify that $\deg(g) \le |D| - 2$ and $s(\xi) + f(\xi) = \xi \cdot g(\xi) + h(\xi) \cdot Z_h(\xi) + \text{sum} \cdot |D|^{-1}$ (where $Z_h$ is the vanishing polynomial of $D$).
The idea behind this check is that if
There are two things wrong with this:
- as is, the verifier interprets the sum of $s + f$ as the sum of $f$;
- the prover can choose $s$ such that it cancels out with $f$ (to avoid this, the verifier should generate a random field element $c$ after $s$ has been committed to, and then run the sumcheck for $c \cdot f + s$; this approach is used in Aurora).
This leads to the following algorithm for a malicious prover (claiming $\text{sum} = 0$):
- Set $s = -f$, $g = h = 0$.
- Commit to $s$, $g$, $h$.
- Initialize Fiat-Shamir randomness with the protocol name, statement, and commitments to $s$, $h$, $g$.
- Generate a random $\xi$ and an opening challenge.
- Evaluate $f$, $s$, $h$, $g$ at $\xi$ and generate a batch proof.
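To make the two points above concrete, here is an added example (Python, not code from verifier.rs or the audited project): a toy univariate sumcheck over a constructed field $\mathbb{F}_{17}$ with $|D| = 8$, implementing the identity checked above both as implemented ($c = 1$) and with the random combiner $c$ sampled after $s$ is committed; the field, domain and function names are assumptions.

```python
# Added example (not the audited project's code): a toy univariate sumcheck over F_17
# with the verifier identity from the finding, the s = -f cancellation it permits, and
# the Aurora-style fix (a random combiner c sampled after s has been committed).
P = 17                                   # constructed prime field
N = 8                                    # |D|; 2 has multiplicative order 8 mod 17
D = [pow(2, i, P) for i in range(N)]     # D = <2>, so Z_D(x) = x^N - 1
INV_N = pow(N, P - 2, P)                 # |D|^{-1}

def ev(poly, x):
    """Evaluate a coefficient list (lowest degree first) at x."""
    return sum(c * pow(x, i, P) for i, c in enumerate(poly)) % P

def lin(a, b, ca=1, cb=1):
    """ca*a + cb*b as coefficient lists."""
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(ca * x + cb * y) % P for x, y in zip(a, b)]

def decompose(q):
    """Honest prover: find g, h, sum with q = x*g + h*Z_D + sum*|D|^{-1}, deg g <= |D|-2."""
    r = q + [0] * max(0, N - len(q)); h = [0] * max(1, len(r) - N)
    for i in range(len(r) - 1, N - 1, -1):           # x^i = x^(i-N)*Z_D + x^(i-N)
        h[i - N], r[i - N], r[i] = r[i], (r[i - N] + r[i]) % P, 0
    return r[1:N], h, (r[0] * N) % P                 # sum_D q = |D| * (q mod Z_D)[0]

def verify(xi, f_xi, s_xi, g, h_xi, claimed, c=1):
    """The verifier.rs check; c=1 is the version as implemented, random c is the fix."""
    if len(g) - 1 > N - 2:                           # deg(g) <= |D| - 2
        return False
    lhs = (c * f_xi + s_xi) % P
    rhs = (xi * ev(g, xi) + h_xi * (pow(xi, N, P) - 1) + claimed * INV_N) % P
    return lhs == rhs

def true_sum(f):
    return sum(ev(f, x) for x in D) % P

def honest_accepted(f, s, xi, c=1):
    """Honest prover proves the sum of c*f + s; returns (accepted, claimed sum)."""
    g, h, total = decompose(lin(f, s, c, 1))
    return verify(xi, ev(f, xi), ev(s, xi), g, ev(h, xi), total, c), total

def cancelling_prover_accepted(f, xi, c=1):
    """Prover from the finding: s = -f, g = h = 0, claims sum = 0 whatever sum_D f is."""
    s = [(-x) % P for x in f]
    return verify(xi, ev(f, xi), ev(s, xi), [0], 0, 0, c)
```

With $c = 1$ the cancelling prover passes for every $\xi$, while for any $c \ne 1$ the check fails whenever $f(\xi) \ne 0$, which is why the combiner must be sampled only after $s$ is committed.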
The only information that V learns is