Multipoint opening argument

Consider the commitments $A, B, C, D$ to polynomials $a (X), b (X), c (X), d (X)$ . Let's say that $a$ and $b$ were queried at the point $x$ , while $c$ and $d$ were queried at both points $x$ and $ω x$ . (Here, $ω$ is the primitive root of unity in the multiplicative subgroup over which we constructed the polynomials).

To open these commitments, we could create a polynomial $Q$ for each point that we queried at (corresponding to each relative rotation used in the circuit). But this would not be efficient in the circuit; for example, $c (X)$ would appear in multiple polynomials.

Instead, we can group the commitments by the sets of points at which they were queried: ${x} A B {x, ω x} C D$

For each of these groups, we combine them into a polynomial set, and create a single $Q$ for that set, which we open at each rotation.

Optimization steps

The multipoint opening optimization takes as input:

A random $x$ sampled by the verifier, at which we evaluate $a (X), b (X), c (X), d (X)$ .
Evaluations of each polynomial at each point of interest, provided by the prover: $a (x), b (x), c (x), d (x), c (ω x), d (ω x)$

These are the outputs of the vanishing argument.

The multipoint opening optimization proceeds as such:

Sample random $x_{1}$ , to keep $a, b, c, d$ linearly independent.
Accumulate polynomials and their corresponding evaluations according to the point set at which they were queried: q_polys: $q_{1} (X) q_{2} (X) = = a (X) c (X) + + x_{1} b (X) x_{1} d (X)$ q_eval_sets:
```
        [
            [a(x) + x_1 b(x)],
            [
                c(x) + x_1 d(x),
                c(\omega x) + x_1 d(\omega x)
            ]
        ]
```
NB: q_eval_sets is a vector of sets of evaluations, where the outer vector corresponds to the point sets, which in this example are ${x}$ and ${x, ω x}$ , and the inner vector corresponds to the points in each set.
Interpolate each set of values in q_eval_sets: r_polys: $r_{1} (X) s . t . r_{2} (X) s . t . r_{1} (x) r_{2} (x) r_{2} (ω x) = = = a (x) + x_{1} b (x) c (x) + x_{1} d (x) c (ω x) + x_{1} d (ω x)$
Construct f_polys which check the correctness of q_polys: f_polys $f_{1} (X) f_{2} (X) = = \frac{q _{1} ( X ) - r _{1} ( X )}{X - x} \frac{q _{2} ( X ) - r _{2} ( X )}{( X - x ) ( X - ω x )}$

If $q_{1} (x) = r_{1} (x)$ , then $f_{1} (X)$ should be a polynomial. If $q_{2} (x) = r_{2} (x)$ and $q_{2} (ω x) = r_{2} (ω x)$ then $f_{2} (X)$ should be a polynomial.
Sample random $x_{2}$ to keep the f_polys linearly independent.
Construct $f (X) = f_{1} (X) + x_{2} f_{2} (X)$ .
Sample random $x_{3}$ , at which we evaluate $f (X)$ : $f (x_{3}) = = f_{1} (x_{3}) \frac{q _{1} ( x _{3} ) - r _{1} ( x _{3} )}{x _{3} - x} + + x_{2} f_{2} (x_{3}) x_{2} \frac{q _{2} ( x _{3} ) - r _{2} ( x _{3} )}{( x _{3} - x ) ( x _{3} - ω x )}$
Sample random $x_{4}$ to keep $f (X)$ and q_polys linearly independent.
Construct final_poly, $f ina l_p o l y (X) = f (X) + x_{4} q_{1} (X) + x_{4}^{2} q_{2} (X),$ which is the polynomial we commit to in the inner product argument.

The halo2 Book

Multipoint opening argument

Optimization steps