Chapter 3: The Sum-Check Protocol

In late 1989, the field of complexity theory was stuck.

Researchers believed that Interactive Proofs were a relatively weak tool, capable of verifying only a handful of graph problems. The consensus was clear: interaction helped, but not by much.

Then came the email.

Noam Nisan, a master's student at Hebrew University, sent a draft to Lance Fortnow at the University of Chicago. It contained a protocol that used polynomials to verify something thought impossible: the permanent of a matrix. Fortnow showed it to his colleagues Howard Karloff and Carsten Lund. They realized the technique didn't just apply to matrices. It applied to everything in the polynomial hierarchy.

When the paper was released, it didn't just solve a problem. It caused a crisis. The result implied that "proofs" were far more powerful than anyone had imagined. Within weeks, Adi Shamir (the "S" in RSA) used the same technique to prove IP = PSPACE: interactive proofs could verify any problem solvable with polynomial memory, even if finding the solution took eons.

The engine powering this revolution was a single elegant idea: the sum-check protocol.

The sum-check protocol takes a claim that seems expensive to verify, the sum of a polynomial over all points of a high-dimensional domain, and reduces it to something trivial: a single evaluation at a random point. The verifier's work scales linearly with the number of variables, not exponentially with the size of the domain.

This chapter develops the sum-check protocol from first principles. We'll see exactly how the protocol works, why it's sound, and how any lie propagates through the protocol until it becomes a simple falsehood the verifier can catch. Along the way, we'll trace through complete worked examples with actual field values, because this protocol is too important to understand only abstractly.

The protocol requires only basic polynomial facts from Chapter 2 (Schwartz-Zippel, evaluation, degree). The next two chapters develop the polynomial representations used in practice: multilinear extensions (Chapter 4) enable linear-time provers and scale to domains of size $2^{128}$ , while univariate techniques (Chapter 5) offer smaller proofs via FFT-friendly structure. Sum-check itself is agnostic to representation; it works on any multivariate polynomial.

The Problem: Verifying Exponential Sums

Suppose a prover claims to know the value of the following sum:

$H = b_{1} \in {0, 1} \sum b_{2} \in {0, 1} \sum \dots b_{ν} \in {0, 1} \sum g (b_{1}, b_{2}, \dots, b_{ν})$

Here $g$ is a $ν$ -variate polynomial over a finite field $F$ , and the sum ranges over all $2^{ν}$ points of the boolean hypercube ${0, 1}^{ν}$ : the set of all binary strings of length $ν$ . Think of it as the corners of a $ν$ -dimensional cube, where each coordinate is either 0 or 1. For $ν = 3$ , these are the eight vertices $(0, 0, 0), (0, 0, 1), \dots, (1, 1, 1)$ . The prover says the answer is $H$ . Do you believe it?

A naive verifier would evaluate $g$ at every point of the hypercube and add up the results. But this requires $2^{ν}$ evaluations, exponential in the number of variables. For $ν = 100$ , this is hopelessly infeasible.

The sum-check protocol solves this problem. It allows a verifier to check the claimed value of $H$ with high probability, in time that is only linear in $ν$ and the time it takes to evaluate $g$ at a single random point. This represents an exponential speedup.

But how can you verify a sum without computing it? The answer lies in a beautiful idea: claim reduction via deferred evaluation. Instead of computing the sum directly, the verifier engages in a multi-round dialogue with the prover. In each round, the prover makes a smaller, more specific claim, and the verifier uses randomness to drill down on a single point. An initial lie, no matter how cleverly constructed, gets amplified at each step until it becomes a simple falsehood about a single evaluation, which the verifier catches at the end.

The Compression Game

Think of the sum-check protocol as a game of progressive compression, or better yet, as a police interrogation.

The suspect (prover) claims to have an alibi for every minute of a 24-hour day ( $2^{ν}$ moments). The detective (verifier) cannot review surveillance footage for the entire day. Instead, the detective asks for a summary: "Tell me the sum of your activities."

The suspect provides a summary polynomial.

The detective picks one random second ( $r_{1}$ ) and asks: "Explain this specific moment in detail." To answer, the suspect must provide a new summary for that specific timeframe. If the suspect lied about the total day, they must now lie about that specific second to make the math add up. The detective drills down again: "Okay, explain this millisecond."

The lie has to move. It has to hide in smaller and smaller gaps. Eventually, the detective asks about a single instant that can be fact-checked directly. If the suspect's story at that final instant doesn't match the evidence, the whole alibi crumbles.

More precisely: the prover holds an enormous object, a table of $2^{ν}$ values. The verifier wants to know their sum but cannot afford to examine the table. In round 1, the prover compresses the table into a univariate polynomial. The verifier probes it at a random point $r_{1}$ , and that answer becomes the new target: a compressed representation of a table half the size.

Each round, the table shrinks by half while the verifier accumulates random coordinates. After $ν$ rounds, the "table" has size 1: a single value. The verifier can compute that value herself.

Honest compression is consistent, but lies leave fingerprints. If the prover's initial polynomial doesn't represent the true sum, it must differ from the honest polynomial somewhere. The random probes find these differences with overwhelming probability. A cheating prover would need to predict all $ν$ random challenges in advance; against cryptographic randomness, that's impossible.

The Protocol Specification

Let's make this precise. The sum-check protocol verifies a claim of the form:

$H = (b_{1}, \dots, b_{ν}) \in {0, 1}^{ν} \sum g (b_{1}, \dots, b_{ν})$

where $g$ is a $ν$ -variate polynomial of degree at most $d$ in each variable. (More generally, each variable $X_{j}$ can have its own degree bound $d_{j}$ ; we use uniform $d$ for simplicity.) The verifier must know these degree bounds before the protocol begins—they're part of the problem specification, not something the prover provides. If the prover could claim arbitrary degree bounds, soundness would collapse: a high-degree polynomial can pass through any finite set of points while matching an honest polynomial elsewhere. The sum ranges over boolean points, but $g$ is a polynomial over the field $F$ and can have degree greater than 1. For example, $g (X_{1}, X_{2}) = X_{1}^{2} + X_{2}^{2} + X_{1} X_{2}$ has $d = 2$ ; when we sum over ${0, 1}^{2}$ , we get $g (0, 0) + g (0, 1) + g (1, 0) + g (1, 1) = 0 + 1 + 1 + 3 = 5$ . The degree bound $d$ matters because it determines how many coefficients the prover must send in each round: a degree- $d$ univariate polynomial requires $d + 1$ coefficients. The protocol proceeds in $ν$ rounds.

Round 1

The prover computes and sends a univariate polynomial $g_{1} (X_{1})$ , claimed to equal:

$g_{1} (X_{1}) = (b_{2}, \dots, b_{ν}) \in {0, 1}^{ν - 1} \sum g (X_{1}, b_{2}, \dots, b_{ν})$

In words: $g_{1}$ is the polynomial obtained by summing $g$ over all boolean values of the last $ν - 1$ variables, leaving $X_{1}$ as a formal variable.

The verifier performs two checks:

Consistency check: Verify that $g_{1} (0) + g_{1} (1) = H$ . This ensures the prover's polynomial is consistent with the claimed total sum.
Degree check: Verify that $g_{1}$ has degree at most $d$ in $X_{1}$ . This is necessary for soundness; without it, the protocol breaks completely. (We'll see why shortly.)

If either check fails, the verifier rejects. Otherwise, she samples a random field element $r_{1} \leftarrow F$ and sends it to the prover.

The verifier now evaluates the prover's polynomial at this random point, computing $V_{1} = g_{1} (r_{1})$ . This value represents what the prover is implicitly asserting about a reduced sum. The verifier doesn't compute this sum herself; she simply records what the prover's polynomial claims it to be. This $V_{1}$ becomes the target for round 2: the prover must now justify that the sum over $2^{ν - 1}$ points, with the first variable fixed to $r_{1}$ , actually equals $V_{1}$ .

The verifier has now reduced the original claim about a sum over $2^{ν}$ points to a new claim about a sum over $2^{ν - 1}$ points. Specifically, the prover is now implicitly claiming that:

$g_{1} (r_{1}) = (b_{2}, \dots, b_{ν}) \in {0, 1}^{ν - 1} \sum g (r_{1}, b_{2}, \dots, b_{ν})$

Why the degree check matters: The soundness argument relies on Schwartz-Zippel: two distinct degree- $d$ polynomials agree on at most $d$ points, so a random evaluation catches the difference with probability $\geq 1 - d /∣ F ∣$ . But what if the prover sends a high-degree polynomial instead?

Suppose the true sum is $H^{*} = 6$ but the prover claims $H = 100$ . The honest polynomial is $s_{1} (X) = 2 X + 2$ , with $s_{1} (0) + s_{1} (1) = 6$ . The prover needs a polynomial passing through $(0, a)$ and $(1, b)$ where $a + b = 100$ .

Without a degree bound, the cheating prover can construct a degree- $(∣ F ∣ - 1)$ polynomial $g_{1}$ with two properties:

$g_{1} (0) + g_{1} (1) = 100$ (passes the consistency check with the false claim $H = 100$ )
$g_{1} (r) = s_{1} (r)$ for every $r \in / {0, 1}$ (agrees with the honest polynomial everywhere the verifier might query)

A degree- $(∣ F ∣ - 1)$ polynomial has $∣ F ∣$ coefficients, enough freedom to prescribe its value at every point in $F$ independently. So the prover sets $g_{1} (0) = a$ , $g_{1} (1) = b$ (with $a + b = 100$ ), and $g_{1} (r) = s_{1} (r)$ for all other $r$ .

Here is why this is devastating. The verifier samples some $r_{1} \in / {0, 1}$ and computes the reduced claim $V_{1} = g_{1} (r_{1})$ . Since $g_{1} (r_{1}) = s_{1} (r_{1})$ , this reduced claim is correct: it equals the true partial sum $\sum_{b_{2}, \dots, b_{ν}} g (r_{1}, b_{2}, \dots, b_{ν})$ . From this point on, the prover can follow the honest protocol for rounds 2 through $ν$ , and the final oracle check will pass. The false sum $H = 100$ was injected in round 1, but the cheat left no trace in any subsequent round.

The degree bound is the handcuffs. It forces the polynomial to be stiff. If it must pass through the wrong sum, its stiffness forces it to miss the honest polynomial almost everywhere else.

Formal argument: Suppose the prover sends $g_{1} \neq = s_{1}$ with $de g (g_{1}) \leq d$ . The difference $g_{1} - s_{1}$ is a non-zero polynomial of degree at most $d$ , so it has at most $d$ roots. Therefore $g_{1}$ and $s_{1}$ agree on at most $d$ points. When the verifier samples $r_{1}$ uniformly from $F$ , the probability that $g_{1} (r_{1}) = s_{1} (r_{1})$ is at most $d /∣ F ∣$ . If $g_{1} (r_{1}) \neq = s_{1} (r_{1})$ , the cheating prover is now committed to a false claim that propagates through subsequent rounds.

Round $j$ (for $j = 2, \dots, ν$ )

At the start of round $j$ , the verifier holds a value $V_{j - 1} = g_{j - 1} (r_{j - 1})$ from the previous round. This represents the prover's implicit claim about a sum over $2^{ν - j + 1}$ points.

The prover sends the next univariate polynomial $g_{j} (X_{j})$ , claimed to equal:

$g_{j} (X_{j}) = (b_{j + 1}, \dots, b_{ν}) \in {0, 1}^{ν - j} \sum g (r_{1}, \dots, r_{j - 1}, X_{j}, b_{j + 1}, \dots, b_{ν})$

The verifier checks:

Consistency check: $g_{j} (0) + g_{j} (1) = V_{j - 1}$
Degree check: $de g (g_{j}) \leq d$

If checks pass, she samples $r_{j} \leftarrow F$ and computes $V_{j} = g_{j} (r_{j})$ .

Final Check (After Round $ν$ )

After $ν$ rounds, the verifier has received $g_{ν} (X_{ν})$ and chosen $r_{ν}$ . The prover's final claim is that $g_{ν} (r_{ν}) = g (r_{1}, \dots, r_{ν})$ .

The verifier now evaluates $g$ at the single point $(r_{1}, \dots, r_{ν})$ , using her "oracle access" to $g$ , and checks whether this equals $g_{ν} (r_{ν})$ .

If the values match, she accepts. Otherwise, she rejects.

A Note on Oracle Access

In complexity theory, we say the verifier has "oracle access" to $g$ . Sometimes this is trivial: if $g$ encodes a multiplication gate, the verifier knows that $g (a, b) = a \cdot b$ and just plugs in the random values $r_{1}, \dots, r_{ν}$ . No magic needed.

But in many SNARK constructions, $g$ depends on the prover's private data. The verifier cannot evaluate $g$ on her own, because she doesn't know the inputs that define it. Sum-check has done its job, reducing an exponential sum to one evaluation, but the verifier is stuck at the last step. How this gap is closed (using polynomial commitment schemes) is a central question we return to in Chapter 9.

Why Does This Work?

Completeness

If the prover is honest, all checks pass trivially. The polynomials $g_{j}$ are computed exactly as specified, so the consistency checks hold by construction. The verifier accepts.

Soundness

The soundness argument is more subtle and relies on the polynomial rigidity we developed in Chapter 2.

Suppose the prover's initial claim is false: the true sum is $H^{*} \neq = H$ . For the first consistency check to pass, the prover must send some polynomial $g_{1} (X_{1})$ such that $g_{1} (0) + g_{1} (1) = H$ .

Let $s_{1} (X_{1})$ be the true polynomial: the one computed by honestly summing $g$ over the hypercube. By assumption, $s_{1} (0) + s_{1} (1) = H^{*} \neq = H$ . So the prover's polynomial $g_{1}$ must be different from $s_{1}$ .

This is exactly where rigidity traps the cheater. The prover wants to send a polynomial that passes through the lie ( $H$ ) but behaves like the truth ( $H^{*}$ ) everywhere else. Rigidity makes this impossible. The polynomial is too stiff: if $g_{1} \neq = s_{1}$ , they can agree on at most $d$ points.

By the Schwartz-Zippel lemma, when the verifier samples a random $r_{1}$ from $F$ , the probability that $g_{1} (r_{1}) = s_{1} (r_{1})$ is at most $d /∣ F ∣$ .

With overwhelming probability, $g_{1} (r_{1}) \neq = s_{1} (r_{1})$ . The prover has "gotten lucky" only if the random challenge happened to land on one of the few points where the two polynomials agree.

But what does $g_{1} (r_{1}) \neq = s_{1} (r_{1})$ mean? It means the prover is now committed to defending a false claim in round 2: he must convince the verifier that the sum $\sum_{b_{2}, \dots} g (r_{1}, b_{2}, \dots)$ equals $g_{1} (r_{1})$ , when in fact it equals $s_{1} (r_{1})$ .

The same logic cascades through all $ν$ rounds. In each round, either the prover gets lucky (probability $\leq d /∣ F ∣$ ) or he's forced to defend a new false claim. By the final round, the prover must convince the verifier that $g_{ν} (r_{ν}) = g (r_{1}, \dots, r_{ν})$ , but the verifier checks this directly.

By a union bound, the total probability that a cheating prover succeeds is at most:

$δ_{s} \leq \frac{ν \cdot d}{∣ F ∣}$

In cryptographic applications, $∣ F ∣$ is enormous (e.g., $2^{256}$ ), so this probability is negligible.

Worked Example: Honest Prover and Cheating Prover

Let's trace through the entire protocol with actual values: first with an honest prover, then with a cheater. Seeing both cases with the same polynomial makes the soundness argument concrete.

Setup: Consider the polynomial $g (x_{1}, x_{2}) = x_{1} + 2 x_{2}$ over a large field $F$ . We have $ν = 2$ variables.

Goal: The prover wants to convince the verifier of the sum over ${0, 1}^{2}$ :

$H = g (0, 0) + g (0, 1) + g (1, 0) + g (1, 1) = 0 + 2 + 1 + 3 = 6$

The Honest Case

Round 1: The prover claims $H = 6$ and sends:

$g_{1} (X_{1}) = g (X_{1}, 0) + g (X_{1}, 1) = (X_{1} + 0) + (X_{1} + 2) = 2 X_{1} + 2$

The verifier checks: $g_{1} (0) + g_{1} (1) = 2 + 4 = 6 = H$ . $✓$

She samples $r_{1} = 5$ and computes $V_{1} = g_{1} (5) = 12$ .

Round 2: The prover sends $g_{2} (X_{2}) = g (5, X_{2}) = 5 + 2 X_{2}$ .

The verifier checks: $g_{2} (0) + g_{2} (1) = 5 + 7 = 12 = V_{1}$ . $✓$

She samples $r_{2} = 10$ .

Final check: The verifier queries her oracle for $g (5, 10) = 25$ and compares to $g_{2} (10) = 25$ . They match. Accept.

The Cheating Case

Now suppose the prover lies: he claims $H = 7$ instead of the true sum $H^{*} = 6$ .

Round 1: To pass the consistency check, the prover must send some $g_{1} (X_{1})$ with $g_{1} (0) + g_{1} (1) = 7$ . The true polynomial $s_{1} (X_{1}) = 2 X_{1} + 2$ sums to 6, so he can't use it.

He sends a lie: $g_{1} (X_{1}) = X_{1} + 3$ . Check: $g_{1} (0) + g_{1} (1) = 3 + 4 = 7$ . $✓$

The verifier samples $r_{1} = 5$ .

Prover's value: $g_{1} (5) = 8$
True value: $s_{1} (5) = 12$

The prover is now committed to defending a false claim: $\sum_{x_{2}} g (5, x_{2}) = 8$ . But the true sum is $g (5, 0) + g (5, 1) = 5 + 7 = 12$ .

Round 2: The prover needs $g_{2} (0) + g_{2} (1) = 8$ . He sends $g_{2} (X_{2}) = 3 + 2 X_{2}$ .

The verifier samples $r_{2} = 10$ .

Final check:

Prover claims: $g_{2} (10) = 3 + 20 = 23$
Verifier queries oracle: $g (5, 10) = 25$

$23 \neq = 25$ . Reject.

The Moral

The initial lie forced the prover to send polynomials different from the true ones. By Schwartz-Zippel, the random challenges almost certainly landed on points where these polynomials disagreed. The lie didn't just persist; it amplified through the rounds until it became a simple, detectable falsehood.

Notice what happened to the cheating prover. After sending the first dishonest polynomial, they weren't free. The verifier's random challenge $r_{1} = 5$ created a new constraint: the prover must now justify that $\sum_{x_{2}} g (5, x_{2}) = 8$ . But they didn't choose 5; the verifier did, unpredictably. The prover is forced to fabricate an answer for a question they couldn't anticipate.

Each round tightens the trap. The second lie must be consistent with the first. The third with the second. Each fabrication constrains the next, and the prover never controls which constraints they'll face. By the final round, the accumulated lies have painted the cheater into a corner: they must claim that $g (5, 10) = 23$ when any honest evaluation reveals 25. The system of fabrications collapses under its own weight.

The prover's only hope is that every random challenge happens to land on a point where the cheating polynomial agrees with the true one. For degree- $d$ polynomials over a field of size $∣ F ∣$ , this probability is at most $d /∣ F ∣$ per round, negligible in cryptographic settings.

The Protocol Flow: A Visual Guide

The following diagram traces the claim reduction through each round:

flowchart TB
    subgraph init["INITIAL CLAIM"]
        I["H = Σ g(b₁, b₂, ..., bᵥ) over 2ᵛ points"]
    end

    subgraph r1["ROUND 1"]
        R1P["Prover sends g₁(X₁)"]
        R1V["Verifier checks: g₁(0) + g₁(1) = H"]
        R1C["Verifier picks random r₁"]
        R1N["New claim: g₁(r₁) = Σ g(r₁, b₂, ..., bᵥ)<br/>over 2ᵛ⁻¹ points"]
        R1P --> R1V --> R1C --> R1N
    end

    subgraph dots["..."]
        D["ν rounds total"]
    end

    subgraph rv["ROUND ν"]
        RVP["Prover sends gᵥ(Xᵥ)"]
        RVV["Verifier checks: gᵥ(0) + gᵥ(1) = gᵥ₋₁(rᵥ₋₁)"]
        RVC["Verifier picks random rᵥ"]
        RVN["Final claim: gᵥ(rᵥ) = g(r₁, r₂, ..., rᵥ)<br/>A SINGLE POINT!"]
        RVP --> RVV --> RVC --> RVN
    end

    subgraph final["FINAL CHECK"]
        F1["Verifier evaluates g(r₁, ..., rᵥ) directly"]
        F2{"g(r₁,...,rᵥ) = gᵥ(rᵥ)?"}
        F3["✓ ACCEPT"]
        F4["✗ REJECT"]
        F1 --> F2
        F2 -->|Yes| F3
        F2 -->|No| F4
    end

    init --> r1 --> dots --> rv --> final

The reduction is exponential: $2^{ν} \to 2^{ν - 1} \to 2^{ν - 2} \to \dots \to 2^{0} = 1$ .

Application: Counting Satisfying Assignments (#SAT)

The sum-check protocol becomes truly powerful when combined with arithmetization: the process of translating discrete, combinatorial problems into the language of polynomials over finite fields. We touched on #SAT in Chapter 2 as motivation for why polynomials matter in complexity theory. Now we see exactly how the translation works and why it enables efficient verification. The full theory of arithmetization will occupy later chapters; for now, we need just enough to see sum-check in action.

The #SAT problem: Given a boolean formula $ϕ$ with $ν$ variables, count how many of the $2^{ν}$ possible assignments make $ϕ$ true.

This is a canonical #P-complete problem, even harder than NP. Verifying the count naively requires checking all $2^{ν}$ assignments. But with sum-check, a prover can convince a verifier of the correct count in polynomial time.

Arithmetization of Boolean Formulas

The key insight is to transform the boolean formula into a polynomial that equals 1 on satisfying assignments and 0 otherwise.

Step 1: Arithmetize literals

The variable $x_{i}$ stays as $x_{i}$
The negation $\neg x_{i}$ becomes $1 - x_{i}$

Over ${0, 1}$ , these give the right values: if $x_{i} = 1$ , then $\neg x_{i} = 0$ , and $1 - x_{i} = 0$ . $✓$

Step 2: Arithmetize clauses Consider a clause $C = (z_{1} \lor z_{2} \lor z_{3})$ where each $z_{i}$ is a literal. The clause is false only when all three literals are false. So:

$g_{C} (x) = 1 - (1 - z_{1}) (1 - z_{2}) (1 - z_{3})$

where each $z_{i}$ is the polynomial form of the literal.

Example: For the clause $C = (x_{1} \lor \neg x_{2} \lor x_{3})$ : $g_{C} (x_{1}, x_{2}, x_{3}) = 1 - (1 - x_{1}) \cdot x_{2} \cdot (1 - x_{3})$

This equals 0 precisely when $x_{1} = 0$ , $x_{2} = 1$ , $x_{3} = 0$ : the only assignment that falsifies the clause.

Step 3: Arithmetize the full formula For a CNF formula $ϕ = C_{1} \land C_{2} \land \dots \land C_{m}$ , the formula is satisfied when all clauses are satisfied:

$g_{ϕ} (x_{1}, \dots, x_{ν}) = j = 1 \prod m g_{C_{j}} (x_{1}, \dots, x_{ν})$

Over ${0, 1}^{ν}$ , this product equals 1 if all clauses are satisfied and 0 otherwise.

The Protocol

The number of satisfying assignments is:

$# S A T (ϕ) = (b_{1}, \dots, b_{ν}) \in {0, 1}^{ν} \sum g_{ϕ} (b_{1}, \dots, b_{ν})$

This is exactly a sum over the boolean hypercube! The prover can use the sum-check protocol to convince the verifier of this count.

Degree analysis: For a 3-CNF formula, each clause polynomial has degree at most 3. With $m$ clauses, the product $g_{ϕ}$ has total degree at most $3 m$ . The degree in any single variable is at most $3 m$ as well (though often much smaller due to variable sharing).

Verifier's work: The verifier performs $ν$ rounds of sum-check, checking polynomials of degree at most $3 m$ . The final check requires evaluating $g_{ϕ}$ at a random point; this takes $O (m)$ time since $g_{ϕ}$ is a product of $m$ clause polynomials.

Total verifier time: $O (ν \cdot m)$ , polynomial in the formula size, despite the exponentially large space of assignments.

Worked Example: A Tiny #SAT Instance

Consider the formula $ϕ = (x_{1} \lor x_{2}) \land (\neg x_{1} \lor x_{2})$ with $ν = 2$ variables and $m = 2$ clauses.

Step 1: Arithmetize.

Clause 1: $(x_{1} \lor x_{2}) \to 1 - (1 - x_{1}) (1 - x_{2}) = x_{1} + x_{2} - x_{1} x_{2}$

Clause 2: $(\neg x_{1} \lor x_{2}) \to 1 - x_{1} (1 - x_{2}) = 1 - x_{1} + x_{1} x_{2}$

Full formula: $g_{ϕ} (x_{1}, x_{2}) = (x_{1} + x_{2} - x_{1} x_{2}) (1 - x_{1} + x_{1} x_{2})$

Step 2: Evaluate on ${0, 1}^{2}$ .

$(x_{1}, x_{2})$	Clause 1	Clause 2	$g_{ϕ}$	$ϕ$ satisfied?
$(0, 0)$	$0$	$1$	$0$	No
$(0, 1)$	$1$	$1$	$1$	Yes
$(1, 0)$	$1$	$0$	$0$	No
$(1, 1)$	$1$	$1$	$1$	Yes

Step 3: Count.

$# S A T (ϕ) = (b_{1}, b_{2}) \in {0, 1}^{2} \sum g_{ϕ} (b_{1}, b_{2}) = 0 + 1 + 0 + 1 = 2$

The formula has exactly 2 satisfying assignments: $(0, 1)$ and $(1, 1)$ (both require $x_{2} = 1$ ).

The prover uses sum-check to convince the verifier of this count. The polynomial $g_{ϕ}$ has degree 2 in each variable (degree 4 total), so each round polynomial has degree at most 2, requiring 3 field elements per round.

The Magic of Deferred Evaluation

The sum-check protocol embodies a profound principle: you don't need to compute a sum to verify it.

Consider what the verifier actually does:

She receives polynomials $g_{1}, g_{2}, \dots, g_{ν}$ from the prover.
She checks consistency: does $g_{j} (0) + g_{j} (1)$ equal the previous round's value?
She checks degree bounds.
At the very end, she evaluates $g$ at a single random point.

The verifier never computes any intermediate sums. She never evaluates $g$ at any point of the boolean hypercube. All the hard work, computing the actual sums, is done by the prover. The verifier merely checks that the prover's story is internally consistent.

This is claim reduction in action. Each round, the claim shrinks:

Round 0: "The sum over $2^{ν}$ points is $H$ "
Round 1: "The sum over $2^{ν - 1}$ points (at a random slice) is $V_{1}$ "
Round 2: "The sum over $2^{ν - 2}$ points is $V_{2}$ "
...
Round $ν$ : "The value at one specific point is $V_{ν}$ "

By the end, we've reduced an exponential claim to a trivial one. And the random challenges ensure that any cheating at an earlier stage propagates into a detectable error at the final stage.

Complexity Analysis

Let's be precise about the efficiency gains.

Prover complexity: In round $j$ , the prover must compute a univariate polynomial of degree at most $d$ . To specify this polynomial, the prover evaluates it at $d + 1$ points (say, $0, 1, 2, \dots, d$ ). For each such point $α$ , the prover computes:

$g_{j} (α) = (b_{j + 1}, \dots, b_{ν}) \in {0, 1}^{ν - j} \sum g (r_{1}, \dots, r_{j - 1}, α, b_{j + 1}, \dots, b_{ν})$

This requires summing over $2^{ν - j}$ terms. Across all rounds, the prover's total work is:

$O (j = 1 \sum ν (d + 1) \cdot 2^{ν - j}) = O (d \cdot 2^{ν})$

The prover does work proportional to the size of the hypercube, but crucially, this is what the prover would need to do anyway to compute the sum. The sum-check protocol doesn't add significant overhead to the prover. Note that achieving $O (2^{ν - j})$ per round (rather than recomputing from scratch each time) requires an algorithmic trick: maintaining and folding intermediate arrays so that each round reuses the previous round's work. Chapter 19 develops this technique in detail.

Verifier complexity: In each round, the verifier:

Receives a degree- $d$ polynomial (specified by $d + 1$ coefficients)
Checks that $g_{j} (0) + g_{j} (1)$ equals the previous value
Samples a random field element
Evaluates $g_{j}$ at the random point

This is $O (d)$ work per round, or $O (ν d)$ total.

At the end, the verifier evaluates $g$ at a single point $(r_{1}, \dots, r_{ν})$ . Let $T$ be the time to evaluate $g$ at one point. The verifier's total work is:

$O (ν d + T)$

The speedup: The verifier avoids evaluating $g$ at $2^{ν}$ points, an exponential savings. If $g$ arises from a "structured" computation (like a circuit or formula), then $T$ is polynomial in the description of that structure, making the whole protocol efficient.

Communication complexity: The prover sends $ν$ univariate polynomials, each of degree at most $d$ . Naively, this requires $d + 1$ field elements per polynomial (to specify the coefficients), for a total of $ν (d + 1)$ field elements. But there's a trick.

The one-coefficient trick: At each round, the verifier checks $s_{i} (0) + s_{i} (1) = V_{i - 1}$ . This is one linear equation in the polynomial's coefficients, so the polynomial has only $d$ degrees of freedom, not $d + 1$ .

Write $s_{i} (X) = c_{0} + c_{1} X + c_{2} X^{2} + \dots + c_{d} X^{d}$ . Then: $s_{i} (0) + s_{i} (1) = c_{0} + (c_{0} + c_{1} + c_{2} + \dots + c_{d}) = 2 c_{0} + c_{1} + c_{2} + \dots + c_{d} = V_{i - 1}$

So: $c_{1} = V_{i - 1} - 2 c_{0} - c_{2} - c_{3} - \dots - c_{d}$ .

The prover sends only $(c_{0}, c_{2}, c_{3}, \dots, c_{d})$ , and the verifier recovers $c_{1}$ from the constraint. This saves one field element per round: $ν d$ field elements total instead of $ν (d + 1)$ .

For the common case of multilinear polynomials ( $d = 1$ ), this halves communication: one field element per round instead of two.

Soundness error: As computed earlier, the probability that a cheating prover succeeds is at most $ν d /∣ F ∣$ . For a 256-bit field and reasonable values of $ν$ and $d$ , this is negligible.

Why Sum-Check Enables Everything Else

The sum-check protocol is not just one protocol among many; it's the foundation upon which much of modern verifiable computation is built.

The celebrated IP = PSPACE theorem, which shows that every problem solvable in polynomial space has an efficient interactive proof, uses sum-check as its core building block. The LFKN protocol arithmetizes quantified boolean formulas and applies sum-check recursively. To verify that an arithmetic circuit was evaluated correctly, the GKR protocol (Chapter 7) expresses the relationship between adjacent circuit layers as a sum over a hypercube, then uses sum-check to reduce a claim about one layer to a claim about the next, peeling back the circuit layer by layer until we reach the inputs.

Many of today's practical succinct arguments (Spartan, HyperPlonk, and the entire family of "sum-check based" SNARKs) use sum-check as their information-theoretic core. The protocol's structure, where a prover commits to polynomials and a verifier checks random evaluations, maps cleanly onto polynomial commitment schemes. As we'll see in the next chapter, multilinear polynomials (those with degree at most 1 in each variable) have a natural correspondence with functions on the boolean hypercube. Sum-check works especially elegantly with multilinear polynomials, and this paradigm has become one of the two major approaches to building modern proof systems.

For years after the initial theoretical breakthroughs, practical SNARK systems moved away from sum-check toward other approaches (PCPs, linear PCPs, univariate techniques). But recently, sum-check has made a dramatic comeback. Systems like Lasso and Jolt use sum-check at their core, achieving remarkable prover efficiency. It turns out that sum-check provers can run in linear time for structured polynomials, and the protocol meshes beautifully with modern polynomial commitment schemes. We'll explore this renaissance in depth in Chapter 19.

The sum-check protocol is where the abstract power of polynomials (their rigidity, their compression of constraints, their amenability to random testing) first crystallizes into a concrete verification procedure. Every protocol we study from here forward either uses sum-check directly or is in dialogue with the principles it established.

The Last Mile: From Oracle Access to Polynomial Commitments

We noted earlier that the final check of sum-check requires evaluating $g (r_{1}, \dots, r_{ν})$ , and that sometimes the verifier cannot do this herself because $g$ depends on the prover's private data. This deserves a closer look, because the mechanism that closes this gap is what turns sum-check from a complexity-theoretic curiosity into a practical proof system.

Consider two representative scenarios.

When the verifier can compute $g$ directly. If $g$ is built entirely from public information, the final evaluation is straightforward. For instance, in the #SAT application above, $g_{ϕ}$ is a product of clause polynomials derived from the public formula $ϕ$ . The verifier knows $ϕ$ , so she can evaluate $g_{ϕ} (r_{1}, \dots, r_{ν})$ in $O (m)$ time. Similarly, in the GKR protocol (Chapter 7), the polynomial $g$ at each layer encodes the circuit's wiring pattern, which is public. No additional machinery is needed.

When $g$ depends on the prover's private witness. This is the harder and more common case in SNARK constructions. In systems like Spartan (Chapter 19), the polynomial $g$ involves the multilinear extension of the prover's private witness vector $w$ . (We develop multilinear extensions in Chapter 4.) The verifier can compute the public parts of $g$ at the random point, but the witness-dependent part requires a value she does not know.

Sum-check has reduced the exponential sum to a single evaluation, but the verifier cannot complete the check alone. The protocol needs one more ingredient: a way for the prover to credibly reveal a single evaluation of a polynomial she committed to earlier, without revealing the polynomial itself.

This ingredient is a polynomial commitment scheme (PCS), developed in Chapter 9. The mechanism is simple in outline:

Before sum-check begins, the prover sends a short, binding commitment $C$ to the witness polynomial. "Binding" means the prover cannot change the polynomial after sending $C$ .
During sum-check, the random challenges $r_{1}, \dots, r_{ν}$ are determined. The commitment was sent before any challenges were chosen, so the prover cannot adapt the polynomial to the challenge point.
After sum-check, the prover opens the commitment at $(r_{1}, \dots, r_{ν})$ : she provides the evaluation $v$ together with a proof $π$ that $v$ is consistent with $C$ . The verifier checks $π$ and uses $v$ to complete the final sum-check check.

This is where sum-check transitions from an information-theoretic protocol (what the literature calls an "Interactive Oracle Proof") to a cryptographic argument. The PCS replaces oracle access with commit-then-open. The prover is bound to a specific polynomial before seeing the evaluation point, and the succinctness of the commitment means the verifier never needs to see the full polynomial.

Every sum-check-based SNARK makes this transition at the final step. The oracle is not a black box. It is a commitment scheme.

Key Takeaways

The sum-check protocol verifies exponential sums efficiently: A prover can convince a verifier that $\sum_{b \in {0, 1}^{ν}} g (b) = H$ with the verifier doing only $O (ν)$ work, plus one evaluation of $g$ . The verifier never computes any sum herself.
Claim reduction is the key mechanism: Each round reduces a claim about $2^{k}$ points to a claim about $2^{k - 1}$ points. After $ν$ rounds, the exponential sum becomes a single evaluation.
Lies propagate and amplify: A false initial claim forces the prover to send dishonest polynomials. Random challenges catch the discrepancy with probability $1 - d /∣ F ∣$ per round. The lie can't hide; it gets cornered.
The degree bound is essential: Without it, a cheating prover could craft high-degree polynomials that pass consistency checks at 0 and 1 while matching the honest polynomial elsewhere. The degree bound forces rigidity.
Arithmetization connects sum-check to computation: Problems like #SAT encode as sums over the boolean hypercube. The prover does $O (2^{ν})$ work; the verifier does $O (ν)$ . This asymmetry is what makes verification useful.
The final evaluation is the bridge to cryptography: Sum-check reduces an exponential sum to one evaluation. When that evaluation depends on the prover's private data, a polynomial commitment scheme (Chapter 9) closes the gap: the prover commits before seeing the challenge point, then opens at the end. This is the "last mile" that turns the information-theoretic protocol into a SNARK.
Sum-check is foundational: IP = PSPACE, GKR, Spartan, Lasso, and most multilinear SNARKs build on sum-check. The protocol's comeback in practical systems (Chapter 19) shows it wasn't just theoretically elegant but practically powerful.

Minimizing Trust