Sum-check protocol

A sum-check protocol is a cryptographic protocol for the construction of interactive proof systems,^[1] used widely in zero-knowledge protocols.^[2]

History

The sum-check protocol was created by Carsten Lund, Lance Fortnow, Howard Karloff, and Noam Nisan and formalized in 1990.^[3]^[1]

Concept

In an interactive proof, the goal is for a verifier V to offload an expensive computation to an untrusted prover P.^[4] The sum-check protocol allows the prover to convince the verifier that the sum of a multivariate polynomial is equal to a known value.^[2] The goals of the sum-check protocol are to make the verifier run in time linear to the input size, to keep the proof logarithmically small, and to keep the prover efficient.^[4]

For a v-variate polynomial g defined over a finite field $\mathbb {F}$ , the prover provides the verifier with the following sum:^[5]

$H:=\sum _{b_{1}\in \{0,1\}}\sum _{b_{2}\in \{0,1\}}\cdots \sum _{b_{v}\in \{0,1\}}g(b_{1},\ldots ,b_{v}).$

Without a prover, the verifier has to perform $2^{n}$ evaluations of g to verify the statement, which is a very large runtime. With the sumcheck protocol, the verifier's runtime is $O(v+{\text{[the cost to evaluate }}g{\text{ at a single input in }}\mathbf {F} ^{v}])$ .^[4]

Limitations

Proof size

The sum-check protocol leads to proofs that are of at least logarithmic length.^[4]

Zero-knowledge and succinctness

The protocol is not zero-knowledge by itself, and like all interactive proofs, it is not succinct for NP statements.^[4]

zk-SNARK proofs combine the sum-check protocol with commitment schemes to obtain zero-knwoledge and succinct arguments.^[4]^[6]

References

^ ^a ^b Lund, Carsten; Fortnow, Lance; Karloff, Howard; Nisan, Noam (1992-10-01). "Algebraic methods for interactive proof systems". Journal of the ACM. 39 (4): 859–868. doi:10.1145/146585.146605. ISSN 0004-5411.
^ ^a ^b "The intuition behind the sum-check protocol in 5 minutes - cryptologie.net". cryptologie.net. Retrieved 2025-08-25.
^ Lund, C.; Fortnow, L.; Karloff, H.; Nisan, N. (1990-10-01). "Algebraic methods for interactive proof systems". Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science. pp. 2–10 vol.1. doi:10.1109/FSCS.1990.89518. ISBN 0-8186-2082-X.
^ ^a ^b ^c ^d ^e ^f Thaler, Justin (2020-03-16). "The Unreasonable Power of the Sum-CheckProtocol". ZKProof Standards. Retrieved 2025-08-25.
^ Thaler, Justin (July 18, 2023). "3.1, 4.1, 4.2". Proofs, Arguments, and Zero-Knowledge (PDF). Georgetown University. p. 33.
^ Bagad, Suyash; Domb, Yuval; Thaler, Justin (2024), The Sum-Check Protocol over Fields of Small Characteristic, 2024/1046, retrieved 2025-08-25

External links

Thaler, Justin (July 18, 2023). "3.1, 4.1, 4.2". Proofs, Arguments, and Zero-Knowledge (PDF). Georgetown University.
Tauman Kalai, Yael (2023). "Lecture 1: Interactive Proofs and the Sum-Check Protocol". MIT OpenCourseWare, Advanced Topics in Cryptography. Archived from the original on 20 March 2025. Retrieved 2025-08-25.

[:0-1] Lund, Carsten; Fortnow, Lance; Karloff, Howard; Nisan, Noam (1992-10-01). "Algebraic methods for interactive proof systems". Journal of the ACM. 39 (4): 859–868. doi:10.1145/146585.146605. ISSN 0004-5411.

[:1-2] "The intuition behind the sum-check protocol in 5 minutes - cryptologie.net". cryptologie.net. Retrieved 2025-08-25.

[3] Lund, C.; Fortnow, L.; Karloff, H.; Nisan, N. (1990-10-01). "Algebraic methods for interactive proof systems". Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science. pp. 2–10 vol.1. doi:10.1109/FSCS.1990.89518. ISBN 0-8186-2082-X.

[:2-4] ^ ^a ^b ^c ^d ^e ^f Thaler, Justin (2020-03-16). "The Unreasonable Power of the Sum-CheckProtocol". ZKProof Standards. Retrieved 2025-08-25.

[5] Thaler, Justin (July 18, 2023). "3.1, 4.1, 4.2". Proofs, Arguments, and Zero-Knowledge (PDF). Georgetown University. p. 33.

[6] Bagad, Suyash; Domb, Yuval; Thaler, Justin (2024), The Sum-Check Protocol over Fields of Small Characteristic, 2024/1046, retrieved 2025-08-25

[1]

[2]

[3]

[4]

[5]

[6]