Skip to content

Mathematizing Constraint Arrays

Connecting oblong-multilinearized constraint arrays to the witness

While defining both our AND and MUL constraints, we made use of "constraint arrays", arrays zz whose elements take the form

z[x](y,op,s)Lxzop(w[y],s),\begin{equation*}z[x] \coloneqq \bigoplus_{(y, \text{op}, s) \in L^z_x} \text{op}(w[y], s),\end{equation*}

for x{0,,ncons1}x \in \{0, \ldots , n_\text{cons} - 1\}. Here, nconsn_\text{cons} is the total number of constraints (either AND or MUL), and each LxzL^z_x is a list of shifted value indices. We recall that, by definition, each shifted value index (y,op,s)Lxz(y, \text{op}, s) \in L^z_x is an element of the set {0,,nwords1}×{sll,srl,sra}×{0,,63}\{0, \ldots , n_\text{words} - 1\} \times \{ \mathsf{sll}, \mathsf{srl}, \mathsf{sra}\} \times \{0, \ldots , 63\}.

Both our AND and MUL reductions closed out by outputting evaluation claims on the oblong-multilinearizations of these constraint arrays. In order to assess validity of these claims, we need to connect them mathematically to the witness.

By definition, the oblong-multilinearization of the array zz above is the unique oblong-multilinear polynomial

z^(I^,X0,,Xcons1)\begin{equation*}\widehat{z}(\widehat{I}, X_0, \ldots , X_{\ell_\text{cons} - 1})\end{equation*}

for which

z^(i^,x)=z[x]i\begin{equation*}\widehat{z}(\widehat{i}, x) = z[x]_i\end{equation*}

holds for each iB6i \in \mathcal{B}_6 and each xBconsx \in \mathcal{B}_{\ell_\text{cons}}. Our task now is to express this oblong-multilinearization z^(I^,X)\widehat{z}(\widehat{I}, X) as a polynomial in terms of w~(J,Y)\widetilde{w}(J, Y), the multilinearization of the prover's witness. The initial definition of z[x]z[x] above suggests that this should be possible; on the other hand, making everything algebraic is hard. We will have to put our shifted witness polynomials to use.

Later, we will undertake the actual task of reducing a claim on z^(I^,X)\widehat{z}(\widehat{I}, X) to one on w~(J,Y)\widetilde{w}(J, Y).

The Constraint Matrices

We thus fix (Lxz)x=0ncons1\left( L_x^z \right)_{x = 0}^{n_\text{cons} - 1}, a list-of-lists of shifted value indices.

We first re-express this data in matrix form. For each of the three shift types op{sll,srl,sra}\text{op} \in \{\mathsf{sll}, \mathsf{srl}, \mathsf{sra}\}, we define ncons×nwords×64n_\text{cons} \times n_\text{words} \times 64 "matrix" Zcons,opZ_{\text{cons}, \text{op}}—so, Zcons,opZ_{\text{cons}, \text{op}} is three-dimensional—by declaring that, for each x{0,,ncons1}x \in \{0, \ldots , n_\text{cons} - 1\}, y{0,,nwords1}y \in \{0, \ldots , n_\text{words} - 1\}, and s{0,,63}s \in \{0, \ldots , 63\},

Zcons,op[x,y,s]=1\begin{equation*}Z_{\text{cons}, \text{op}}[x, y, s] = 1\end{equation*}

if and only if the xxth constraint triple LxzL^z_x contains the triple (y,op,s)(y, \text{op}, s).

Thus, we get 3 three-dimensional matrices, namely Zcons,opZ_{\text{cons}, \text{op}} for each of the three op\text{op}. Note that we are implicitly assuming there are no duplicate shifted value indices in any of the lists LxzL^z_x. (Of course, having duplicates would be pointless, since they would get XOR'd out.)

Matrix Expressions

We now express each element z[x]z[x] of the constraint array zz, for x{0,,ncons1}x \in \{0, \ldots , n_\text{cons} - 1\}, as a matrix expression. Here, we use our shifted witness functions shiftop(w)(y,s)\textsf{shift}_\text{op}(w)(y, s). For each x{0,,ncons1}x \in \{0, \ldots , n_\text{cons} - 1\}, we claim that:

z[x]=ops=063y=0nwords1Zcons,op[x,y,s]shiftop(w)(y,s).\begin{equation*} z[x] = \sum_\text{op} \sum_{s = 0}^{63} \sum_{y = 0}^{n_\text{words} - 1} Z_{\text{cons}, \text{op}}[x, y, s] \cdot \textsf{shift}_\text{op}(w)(y, s).\end{equation*}

We recall that z[x](y,op,s)Lxzop(w[y],s)z[x] \coloneqq \bigoplus_{(y, \text{op}, s) \in L^z_x} \text{op}(w[y], s) by definition; the equality above follows essentially from the definition of the matrices Zcons,opZ_{\text{cons}, \text{op}}.

Multilinearizing

Now, we take multilinear extensions. At this point, we assume that ncons=2consn_\text{cons} = 2^{\ell_\text{cons}} and nwords=2wordsn_\text{words} = 2^{\ell_\text{words}} are both powers of 2.

By identifying the matrices Zcons,opZ_{\text{cons}, \text{op}} with their multilinear extensions, we can view them now as multilinear polynomials Z~cons,op(X,Y,S)\widetilde{Z}_{\text{cons}, \text{op}}(X, Y, S), each with coefficients in F2\mathbb{F}_2, and of cons+words+6\ell_\text{cons} + \ell_\text{words} + 6 variables. Similarly, we have already seen that the shifted witness functions shiftop(w)(y,s)\textsf{shift}_\text{op}(w)(y, s) can be multilinearized. Multilinearizing everything, we obtain a multilinear polynomial, on 6+cons6 + \ell_\text{cons} variables, F2\mathbb{F}_2-valued on the cube:

z~(I,X)opsB6yBwordsZ~cons,op(X,y,s)shift~op(w)(I,y,s).\begin{equation*}\widetilde{z}(I, X) \coloneqq \sum_\text{op} \sum_{s \in \mathcal{B}_6} \sum_{y \in \mathcal{B}_{\ell_\text{words}}} \widetilde{Z}_{\text{cons}, \text{op}}(X, y, s) \cdot \widetilde{\textsf{shift}}_\text{op}(w)(I, y, s).\end{equation*}

It's again true essentially by construction that, for each iB6i \in \mathcal{B}_6 and xBconsx \in \mathcal{B}_{\ell_\text{cons}}, z~(i,x)=z[x]i\widetilde{z}(i, x) = z[x]_i.

Using Shift Indicators

We showed already that the shifted witness polynomials shift~op(w)(I,y,S)\widetilde{\textsf{shift}}_\text{op}(w)(I, y, S) can themselves be expressed using shift indicators. Unrolling that step now, we obtain the following equivalent expression for the multilinear z~(I,X)\widetilde{z}(I, X) defined above:

z~(I,X)=opsB6yBwordsjB6Z~cons,op(X,y,s)shift-ind~op(I,j,s)w~(j,y).\begin{equation*}\widetilde{z}(I, X) = \sum_\text{op} \sum_{s \in \mathcal{B}_6} \sum_{y \in \mathcal{B}_{\ell_\text{words}}} \sum_{j \in \mathcal{B}_6} \widetilde{Z}_{\text{cons}, \text{op}}(X, y, s) \cdot \widetilde{\textsf{shift-ind}}_\text{op}(I, j, s) \cdot \widetilde{w}(j, y).\end{equation*}

These are identically equal (as polynomials) to the above expressions we gave; they just unroll the shifted witness polynomials and rearrange the sums.

Oblong-Multilinearizing

Now, we apply the standard oblong-multilinearization construction to z~(I,X)\widetilde{z}(I, X). In this way, we obtain the expression:

z^(I^,X)=jB6sB6opyBwordsiB6δD(I^,i^)Z~cons,op(X,y,s)shift-ind~op(i,j,s)w~(j,y).\begin{equation*}\widehat{z}(\widehat{I}, X) = \sum_{j \in \mathcal{B}_6} \sum_{s \in \mathcal{B}_6} \sum_\text{op} \sum_{y \in \mathcal{B}_{\ell_\text{words}}} \sum_{i \in \mathcal{B}_6} \delta_D(\widehat{I}, \widehat{i}) \cdot \widetilde{Z}_{\text{cons}, \text{op}}(X, y, s) \cdot \widetilde{\textsf{shift-ind}}_\text{op}(i, j, s) \cdot \widetilde{w}(j, y).\end{equation*}

The polynomial z^(I^,X)\widehat{z}(\widehat{I}, X) obtained in this way indeed yields the one we set out to obtain above. Indeed, by the standard property of the oblong-multilinearization transformation, for each iB6i \in \mathcal{B}_6 and each xBconsx \in \mathcal{B}_{\ell_\text{cons}}, z^(i^,x)=z~(i,x)\widehat{z}(\widehat{i}, x) = \widetilde{z}(i, x); on the other hand, we have already seen that that latter quantity equals z[x]iz[x]_i. Thus,

z^(i^,x)=z[x]i\begin{equation*}\widehat{z}(\widehat{i}, x) = z[x]_i\end{equation*}

holds for each iB6i \in \mathcal{B}_6 and each xBconsx \in \mathcal{B}_{\ell_\text{cons}}, a condition that uniquely characterizes the polynomial z^(I^,X)\widehat{z}(\widehat{I}, X).