Batched opening proof

The final stage (stage 8) of Jolt is the batched opening proof. Over the course of the preceding stages, we obtain polynomial evaluation claims that must be proven using the polynomial commitment scheme's opening proof. Instead of proving these openings "just-in-time", we accumulate them and defer the opening proof to the last stage (see ProverOpeningAccumulator and VerifierOpeningAccumulator for how this accumulation is implemented). By waiting until the end, we can batch-prove all of the openings, instead of proving them individually. This is important because the Dory opening proof is relatively expensive for the prover, so we want to avoid doing it multiple times.

Claim reduction sumchecks

Throughout the earlier stages of Jolt, various components generate multiple polynomial evaluation claims that need to be consolidated before the final opening proof. Conceptually, claim reduction sumchecks are instantiation of the "Multiple polynomials, multiple points" subprotocol.

These claim reduction sumchecks serve two purposes:

Reduce the number of claims that need to be virtualized by a subsequent sumcheck. E.g. if the same virtual polynomial $P$ is opened at two different points $r_{1}$ and $r_{2}$ , a claim reduction can be applied to avoid running two instances of the sumcheck that virtualized $P$ .
Reduce the number of claims that need to be proven via PCS opening proof. While we can leverage the homomorphic properties of Dory in the Multiple polynomials, same point subprotocol, we must first reduce multiple opening points to a single, unified opening point.

The claim reduction sumchecks can be found in jolt-core/src/zkvm/claim_reductions/ and include:

Instruction lookups (instruction_lookups.rs): Aggregates instruction lookup claims (lookup outputs and operands) from Spartan.
Registers (registers.rs): Reduces register read/write claims (rd, rs1, rs2) from Spartan.
RAM RA (ram_ra.rs): Consolidates the four RAM read-address (RA) claims from various RAM-related sumchecks (raf evaluation, read-write checking, Val evaluation, Val-final evaluation) into a single claim for the RA virtualization sumcheck.
Increments (increments.rs): Reduces claims related to increment checks.
Hamming weight (hamming_weight.rs): Reduces hamming weight-related claims.
Advice (advice.rs): Reduces claims from advice polynomials.
Bytecode (bytecode.rs): Reduces committed bytecode openings into the shared Stage 8 final opening layout.
Program image (program_image.rs): Reduces the committed initial-memory image into the same final opening layout.

How claim reduction sumchecks work

A claim reduction sumcheck takes multiple polynomial evaluation claims, potentially at different evaluation points, and consolidates them into a single claim (or fewer claims) using the sumcheck protocol. The general pattern is:

Input: Multiple polynomial evaluation claims of the form $P_{i} (r_{i}) = v_{i}$
Batching: Random challenge $γ$ is sampled from the transcript to batch the claims together
Sumcheck: Prove a sumcheck identity of the form: $x \sum eq (r_{1}, x) \cdot P_{1} (x) + γ \cdot eq (r_{2}, x) \cdot P_{2} (x) + \dots = v_{1} + γ \cdot v_{2} + \dots$
Output: Polynomial evaluation claims of the form $P_{i} (r^{'}) = v_{i}^{'}$ for a single, unified point $r^{'}$ derived from the sumcheck challenges.

Final reduction

After the claim reduction sumchecks have consolidated related claims, we perform a final reduction to prepare for the Dory opening.

We apply the Multiple polynomials, same point subprotocol to reduce the claims to a single claim, namely the evaluation of an RLCPolynomial representing a random linear combination of all the opened polynomials.

On the verifier side, this entails taking a linear combination of commitments. Since Dory is an additively homomorphic commitment scheme, the verifier is able to do so.

Precommitted polynomials and final opening layout

Most Stage 8 polynomials are trace-domain polynomials: their shape is determined by the padded execution trace and the address domain. Some committed polynomials, however, are fixed independently of the trace. Examples include bytecode chunks, the program image, and trusted or untrusted advice. In the implementation these independently committed objects are called precommitted polynomials.

The goal of Stage 8 is still the same: every committed polynomial should be opened at one batched Dory proof. The subtlety is that a precommitted polynomial keeps the Dory matrix shape it had when it was committed, while the trace-domain polynomials use Jolt's native trace layout.

We use the following terminology:

Native trace layout: the Dory layout induced by trace-domain polynomials, with $ℓ_{T} + ℓ_{K}$ variables.
Embedded precommitted polynomial: a precommitted polynomial whose committed Dory matrix fits inside the native trace layout. It is embedded by top-left zero padding.
Dominant precommitted polynomial: a precommitted polynomial that is larger than the native trace layout. It determines an enlarged final opening layout.
Final opening layout: the Dory matrix used by the single Stage 8 opening proof. This is the native trace layout when no dominant precommitted polynomial exists, and the enlarged layout otherwise.

In this section we write:

$ℓ_{T}$ for the number of cycle variables, i.e. the log trace length
$ℓ_{K}$ for the number of address variables, i.e. the log address-space size
$ℓ_{B}$ for the number of extra variables contributed by the dominant precommitted polynomial beyond the native trace layout

With that notation, the final opening layout has

$D = ℓ_{T} + ℓ_{K} + ℓ_{B} .$

Equivalently, Stage 8 works in a Dory matrix of size $2^{ν_{D}} \times 2^{σ_{D}}$ where

$σ_{D} = ⌈ \frac{D}{2} ⌉, ν_{D} = D - σ_{D} .$

Here $ν_{D}$ is the number of row variables and $σ_{D}$ is the number of column variables. This matches the implementation in DoryGlobals::balanced_sigma_nu() and the split used by PrecommittedClaimReduction::project_dory_round_permutation_for_poly().

The native trace layout is the special case $ℓ_{B} = 0$ . The design constraint is that dominant precommitted polynomials should not force the earlier trace-domain sumchecks to run over a padded trace. So Jolt schedules the final-opening reductions as follows:

the cycle stage (Stage 6b) has exactly $ℓ_{T} + ℓ_{B}$ rounds
the address stage (Stage 7) has exactly $ℓ_{K}$ rounds
precommitted reductions are forward-loaded so they see the extra dominant coordinates
native trace-domain reductions are backward-loaded so their old round scheduling is preserved

This keeps trace-domain work native through the earlier stages and leaves Stage 8 with only one normalization problem: all produced opening points must be interpreted inside the final opening layout.

If some precommitted polynomial already has $D$ variables, we call it a dominant precommitted polynomial. Otherwise there is no dominant precommitted polynomial, $ℓ_{B} = 0$ , and the final opening layout is just the native trace layout.

How Native Polynomials Sit In The Final Layout

Native trace-domain polynomials are placed in the final opening layout according to the Dory layout. As a concrete example, take $D = 5$ . Since Dory uses a balanced split, this means:

$σ_{D} = 3, ν_{D} = 2,$

so the final Dory matrix has $2^{2} = 4$ rows and $2^{3} = 8$ columns, for a total of $2^{5} = 32$ slots.

`CycleMajor` dense placement

Take a dense polynomial with $ℓ_{T} = 3$ variables and coefficients

$a_{000}, a_{001}, a_{010}, a_{011}, a_{100}, a_{101}, a_{110}, a_{111} .$

In CycleMajor, the dense polynomial is written across the top of the final matrix, so only the lowest $ℓ_{T}$ index bits vary:

Final 4 x 8 matrix

          col000   col001   col010   col011   col100   col101   col110   col111 
row00   | a_000  | a_001  | a_010  | a_011  | a_100  | a_101  | a_110  |  a_111 |
row01   |    .   |    .   |    .   |    .   |    .   |    .   |    .   |    .   |
row10   |    .   |    .   |    .   |    .   |    .   |    .   |    .   |    .   |
row11   |    .   |    .   |    .   |    .   |    .   |    .   |    .   |    .   |

so the first $2$ bits are fixed and only the last $3$ bits vary.

`AddressMajor` dense placement

Now take the same final opening layout $D = 5$ , but the dense polynomial should use the highest $ℓ_{T} = 3$ bits. Then its coefficients are written into slots whose last $ℓ_{K} + ℓ_{B} = 2$ bits are zero:

In the same $4 \times 8$ matrix this looks like:

Final 4 x 8 matrix

          col000   col001   col010   col011   col100   col101   col110   col111
row00   | a_000  |    .   |    .   |    .   | a_001  |    .   |    .   |    .   |
row01   | a_010  |    .   |    .   |    .   | a_011  |    .   |    .   |    .   |
row10   | a_100  |    .   |    .   |    .   | a_101  |    .   |    .   |    .   |
row11   | a_110  |    .   |    .   |    .   | a_111  |    .   |    .   |    .   |

The same idea applies to one-hot polynomials:

in CycleMajor, they use the lowest $ℓ_{T} + ℓ_{K}$ bits
in AddressMajor, they use the highest $ℓ_{T} + ℓ_{K}$ bits, so the trailing $ℓ_{B}$ bits are zero

When Address-Major Dense Stride Exceeds The Row Width

In AddressMajor, dense polynomials are embedded with stride $2^{ℓ_{K} + ℓ_{B}}$ . Sometimes that stride is larger than the number of columns of the final Dory matrix. This is the special branch handled in dory/wrappers.rs.

Take a real example:

final opening layout $D = 7$ , so the balanced Dory matrix is $2^{3} \times 2^{4} = 8 \times 16$
dense polynomial has $ℓ_{T} = 2$ variables, so it has 4 coefficients
therefore $ℓ_{K} + ℓ_{B} = 5$ , so the stride is $2^{5} = 32$

Since the row width is only 16, consecutive coefficients jump by two whole rows:

coeff a_00 -> slot  0 -> row 0, col 0
coeff a_01 -> slot 32 -> row 2, col 0
coeff a_10 -> slot 64 -> row 4, col 0
coeff a_11 -> slot 96 -> row 6, col 0

and the matrix picture is:

8 x 16 final matrix

row0  | a_00  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . |
row1  |  .    .  .  .  .  .  .  .  .  .  .  .  .  .  .  . |
row2  | a_01  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . |
row3  |  .    .  .  .  .  .  .  .  .  .  .  .  .  .  .  . |
row4  | a_10  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . |
row5  |  .    .  .  .  .  .  .  .  .  .  .  .  .  .  .  . |
row6  | a_11  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . |
row7  |  .    .  .  .  .  .  .  .  .  .  .  .  .  .  .  . |

So the logical embedding is unchanged, but it is no longer a convenient row-local chunking. Because polynomial lengths are powers of two, the placement still stays aligned: either the stride is a multiple of the row width, so the polynomial occupies the same column range in every row it touches, or the stride divides the row width, so it stays in a fixed column but appears only in every few rows, as in the example above.

Final Dory Opening Point

In summary

in CycleMajor, the native dense / one-hot layout consumes the low bits of the final Dory point, so any extra precommitted variables must sit on the high side
in AddressMajor, the native layout consumes the high bits, so any extra precommitted variables must sit on the low side
each block appears in reverse because we always bind polynomials during claim reduction sumchecks from low to high bits

Now we study two cases: If there is a dominant precommitted polynomial, let the raw cycle-stage challenges be

$[x_{1}, x_{2}, \dots, x_{ℓ_{B}}, x_{ℓ_{B} + 1}, \dots, x_{ℓ_{B} + ℓ_{T}}]$

and the raw address-stage challenges be

$[y_{1}, y_{2}, \dots, y_{ℓ_{K}}] .$

The final big-endian Dory opening point is obtained by normalizing these challenges into Dory order.

For AddressMajor:

$[x_{ℓ_{B} + ℓ_{T}}, x_{ℓ_{B} + ℓ_{T} - 1}, \dots, x_{ℓ_{B} + 1} ∥ y_{ℓ_{K}}, y_{ℓ_{K} - 1}, \dots, y_{1} ∥ x_{ℓ_{B}}, x_{ℓ_{B} - 1}, \dots, x_{1}]$

For CycleMajor:

$[x_{ℓ_{B}}, x_{ℓ_{B} - 1}, \dots, x_{1} ∥ y_{ℓ_{K}}, y_{ℓ_{K} - 1}, \dots, y_{1} ∥ x_{ℓ_{B} + ℓ_{T}}, x_{ℓ_{B} + ℓ_{T} - 1}, \dots, x_{ℓ_{B} + 1}]$

Each block is reversed, and the extra $ℓ_{B}$ variables move to different sides depending on the layout.

If there is no dominant precommitted polynomial, then the final point is anchored by the ordinary native openings:

in this case the final opening layout is just the native trace layout, so $ℓ_{B} = 0$
let $r_{inc}$ be the cycle-stage opening point from IncClaimReduction
let $r_{ham}$ be the full opening point from HammingWeightClaimReduction, decomposed as $r_{ham} = [r_{addr} ∥ r_{cyc}]$ where $r_{addr}$ has length $ℓ_{K}$

These are already normalized opening points. In CycleMajor, compute_final_opening_point() checks that the IncClaimReduction opening point agrees with the native cycle suffix $r_{cyc}$ . When there are no extra dominant coordinates, this means $r_{inc} = r_{cyc}$ .

Then:

For AddressMajor:

$r_{final} = [r_{inc} ∥ r_{addr}]$

For CycleMajor:

$r_{final} = r_{ham} = [r_{addr} ∥ r_{inc}] .$

The implementation is located in compute_final_opening_point() in jolt-core/src/zkvm/mod.rs.

Embedded Precommitted Polynomials

The verifier already has the commitment to an embedded precommitted polynomial. That commitment is computed under the convention that the polynomial occupies the top-left block of its own balanced Dory matrix, meaning the earliest rows and earliest columns. So when we embed that polynomial into the final opening layout, we must preserve that same top-left placement; otherwise the verifier would be checking the Dory proof against a different layout from the one encoded in the commitment.

Final Dory matrix: 2^nu_D rows x 2^sigma_D columns
Smaller precommitted matrix: 2^nu_C rows x 2^sigma_C columns

                    left 2^sigma_C cols         remaining cols
                 +---------------------------+------------------+
top 2^nu_C rows  | smaller precommitted poly | not used by this |
                 |        lives here         |      poly        |
                 +---------------------------+------------------+
remaining rows   | not used by this poly     | not used by this |
                 |                           |      poly        |
                 +---------------------------+------------------+

Suppose the smaller precommitted polynomial has

$C = ν_{C} + σ_{C}$

variables, while the final point has

$D = ν_{D} + σ_{D} .$

Split the final point as

$r_{final} = [r_{row}^{hi} ∥ r_{row}^{lo} ∥ r_{col}^{hi} ∥ r_{col}^{lo}]$

where:

$r_{row}^{hi}$ has length $ν_{D} - ν_{C}$
$r_{row}^{lo}$ has length $ν_{C}$
$r_{col}^{hi}$ has length $σ_{D} - σ_{C}$
$r_{col}^{lo}$ has length $σ_{C}$

Then the smaller polynomial is evaluated on

$r_{small} = [r_{row}^{lo} ∥ r_{col}^{lo}] .$

The reason is that top-left embedding forces the missing high row bits and high column bits to be zero:

final row variables : [row_hi | row_lo]
final col variables : [col_hi | col_lo]

top-left embedding forces:
  row_hi = 0
  col_hi = 0

So if $P$ is the smaller polynomial and $P_{emb}$ is its embedding into the final matrix, then

$P_{emb} (r_{final}) = eq (r_{row}^{hi}, 0^{ν_{D} - ν_{C}}) \cdot eq (r_{col}^{hi}, 0^{σ_{D} - σ_{C}}) \cdot P (r_{small}) .$

The same selector appears when the final RLCPolynomial mixes a native trace-domain polynomial with an embedded precommitted polynomial:

$RLC coefficient \cdot P (r_{small}) \cdot eq (r_{row}^{hi}, 0^{ν_{D} - ν_{C}}) \cdot eq (r_{col}^{hi}, 0^{σ_{D} - σ_{C}}) .$

Permuting Precommitted Polynomial Variables

The precommitted sumchecks still bind variables low-to-high. But the final Dory point order is determined by the final opening layout, not by the order in which those rounds happen.

So Jolt permutes the variables of each precommitted polynomial before running the sumcheck. This keeps the sumcheck code simple while ensuring the final claim corresponds to the original polynomial at the correct Stage 8 point. This permutation is cheap because it is only a variable-position movement, so on the coefficient table it is just a bit permutation of the $2^{n}$ Boolean-hypercube evaluations.

Here is a concrete 3-variable example. Suppose the original polynomial is encoded by

point       000  001  010  011  100  101  110  111
P(point)     v0   v1   v2   v3   v4   v5   v6   v7

Now suppose the final opening layout wants the variables in the order $(c, b, a)$ rather than $(a, b, c)$ . Define

$P^{'} (u, v, w) = P (w, v, u) .$

Then the new coefficient table becomes

point        000  001  010  011  100  101  110  111
P'(point)     v0   v4   v2   v6   v1   v5   v3   v7

because

P'(000) = P(000)
P'(001) = P(100)
P'(010) = P(010)
P'(011) = P(110)
P'(100) = P(001)
P'(101) = P(101)
P'(110) = P(011)
P'(111) = P(111)

After the sumcheck finishes, normalize_opening_point() converts the collected challenges back into the true opening point of the original, non-permuted polynomial.

`RLCPolynomial`

Recall that all of the polynomials in Jolt fall into one of two categories: one-hot polynomials (the $ra$ and $wa$ arising in Twist/Shout), and dense polynomials (we use this to mean anything that's not one-hot).

We use the RLCPolynomial struct to represent a random linear combination (RLC) of multiple polynomials, which may include both dense and one-hot polynomials. We handle the two types separately:

We eagerly compute the RLC of the dense polynomials. So if there are $N$ dense polynomials, each of length $T$ in the RLC, we compute the linear combination of their coefficients and store the result in the RLCPolynomial struct as a single vector of length $T$ .
We lazily compute the RLC of the one-hot polynomials. So if there are $N$ one-hot polynomials, we store $N$ (coefficient, reference) pairs in RLCPolynomial to represent the RLC. Later in the Dory opening proof when we need to compute a vector-matrix product using RLCPolynomial, we do so by computing the vector-matrix product using the individual one-hot polynomials (as well as the dense RLC) and taking the linear combination of the resulting vectors.

JoltBook