Post by Ankita Singh

The sumcheck protocol is the most reused primitive in modern ZK. It appears in Spartan, HyperPlonk, Lasso, Jolt, GKR, and virtually every proof system built in the last 3 years. If Schwartz-Zippel is the foundation, sumcheck is the workhorse. The problem: you have a multivariate polynomial f(x₁, ..., xₙ) and you want to prove its sum over all binary inputs equals a claimed value H: H = Σ f(x₁, ..., xₙ) over all (x₁, ..., xₙ) ∈ {0,1}ⁿ That's 2ⁿ terms. For n = 30, over a billion evaluations. The verifier can't compute this. The sumcheck approach: the prover "peels off" one variable at a time across n rounds. Round 1: prover sends g₁(X₁) = Σ over remaining variables. Verifier checks g₁(0) + g₁(1) = H. Picks random r₁. Round 2: prover sends g₂(X₂) with x₁ fixed to r₁. Verifier checks g₂(0) + g₂(1) = g₁(r₁). Picks random r₂. After n rounds, all variables are fixed. The verifier checks ONE evaluation: f(r₁, ..., rₙ). That's it. Exponential sum verified with linear work. Soundness comes from Schwartz-Zippel at every round. If the prover lies about any gᵢ, the random challenge catches it with overwhelming probability. How does ZK use this? → The GKR protocol verifies layered circuits by running sumcheck at each layer, reducing output claims to input claims. The verifier never evaluates the full circuit. → Spartan showed sumcheck can replace FFTs entirely. R1CS constraints become a multivariate polynomial, verified directly via sumcheck. No FFT means no powers-of-2 restriction, linear prover time, and no trusted setup. → HyperPlonk combines PLONK's custom gates with sumcheck over multilinear polynomials. Gate constraints become sumcheck instances. The FFT bottleneck disappears. → Lasso and Jolt use sumcheck for lookup arguments. Instead of sorting-based lookups (Plookup), they use sumcheck-based memory checking. This makes lookups over massive tables feasible. Jolt's entire zkVM treats the RISC-V ISA as one giant lookup table verified by sumcheck. The pattern: sumcheck works natively with multilinear polynomials (degree 1 per variable). Each round, the prover sends a linear polynomial - just 2 coefficients. Communication is minimal. Why sumcheck is becoming universal: it avoids FFTs (linear prover), it's commitment-scheme-agnostic (works with KZG, FRI, IPA), and it's modular (plug it in wherever you need to verify a sum). The proof system landscape is converging on sumcheck as the core primitive. Understanding it deeply means understanding the engine powering the next generation of ZK. n rounds. n random challenges. One final evaluation. The exponential sum collapses to a single point. What proof system primitive do you think is most underappreciated? Let me know in the comments.