# Univariate Polynomial Grand Sum ## Preliminaries ### Modular Arithmetic An intuitive example of modular arithmetic from our daily life is the "clock arithmetic". When we see "19:00" boarding time on a boarding pass, we know that it corresponds to "7" on the clock face. Formally, in this case we perform the modular reduction by the modulus 12: $$ 19 \equiv 7\pmod{12} $$ because the clock face only has twelve hours marked on it. ### Roots Of Unity In Modular Arithmetic An integer $$\omega$$ is an $$n$$-th root of unity modulo $$p$$ if $$\omega^n \equiv 1 \pmod{p}$$ In other words, $$\omega^n$$ "wraps around" due to modular reduction to yield exactly $$1$$. A particular case is when no integers smaller than $$n$$ yield $$1$$ modulo $$p$$. In this case, $$\omega$$ is called a *primitive* root of unity: $$\omega^k \not\equiv 1 \pmod{p}$$ for any $$0 < k < n$$. ### Roots Of Unity Example Let's observe a finite field of order $$p = 7$$: $$\mathbb{F}\_7 = {0, 1,2,3,4,5,6}$$. Let's see that $$2$$ and $$4$$ are the 3rd roots of unity in such a field: * $$2^3 \equiv 8 \equiv 1 \pmod{7}$$, so 2 is a 3rd root of unity modulo 7. * $$4^3 \equiv 64 \equiv 1 \pmod{7}$$, so 4 is another 3rd root of unity modulo 7. $$1$$ itself is a root of unity, too, and is called a trivial root of unity. ### Special Property Of The Sum Of Roots of Unity Let's consider a finite field $$\mathbb{F}\_p$$ that has $$n$$-th roots of unity. Let $$\omega$$ be a primitive $$n$$-th root of unity in $$\mathbb{F}\_p$$, which means $$\omega^n = 1$$ and no smaller positive power of $$\omega$$ equals $$1$$. The $$n$$-th roots of unity in $$\mathbb{F}\_p$$ are $$1, \omega, \omega^2, \ldots, \omega^{n-1}$$. **Claim**: $$1 + \omega + \omega^2 + \ldots + \omega^{n-1} = 0$$ (**the sum of all the roots of unity in a finite field is equal to zero**). **Proof**: Consider the sum $$S = 1 + \omega + \omega^2 + \ldots + \omega^{n-1}$$. We can multiply $$S$$ by $$\omega - 1$$, noting that $$\omega - 1 \neq 0$$ so that such a multiplication preserves the equality: $$ (\omega - 1)S = (\omega - 1)(1 + \omega + \omega^2 + \ldots + \omega^{n-1}) $$ Expanding the right hand side, we get: $$ \omega + \omega^2 + \omega^3 + \ldots + \omega^n - (1 + \omega + \omega^2 + \ldots + \omega^{n-1}) $$ Notice that if we were to expand further, every term except $$\omega^n$$ and $$-1$$ would cancel out: $$ (\omega - 1)S = \omega^n - 1 $$ Since $$\omega$$ is a primitive $$n$$-th root of unity, $$\omega^n = 1$$. So, $$\omega^n - 1 = 0$$. Therefore: $$ (\omega - 1)S = 0 $$ If the product of two factors is zero, at least one of them must be zero. We already established that $$\omega - 1 \neq 0$$, thus $$S$$ must be zero: $$S = 0$$. Therefore, $$ \boxed{1 + \omega + \omega^2 + \ldots + \omega^{n-1} = 0} $$ Let's also check it on our previous toy example of $$\mathbb{F}\_7$$ and $$n = 3$$: $$1 + 2 + 4 = 7 \equiv 0 \pmod{7}$$. Let's see how we can take advantage of *the sum of all roots of unity being zero* when applied to the proof of solvency. ## Data Structure & Commitment Scheme The desired commitment scheme for Summa should have the following properties: * Committing to the total liabilities of the Custodian that is the sum of all user balances; * Allowing to publicly reveal the total liabilities without revealing any information about user balances; * Allowing to prove the individual user inclusion into the commitment without revealing any information about other user balances; * Preserving the user privacy and hiding the user data (namely the user cryptocurrency balances); * Outperform the Merkle sum tree in both commitment phase and proving phase. We will demonstrate how a polynomial commitment can be used to achieve all of these properties. Let's consider a polynomial $$B(X)$$ that evaluates to an $$i$$-th user balance $$b\_i$$ at a "user's point" - some value $$x\_i$$ that is designated for this specific user: $$B(x\_i) = b\_i$$. We can call it a user balance polynomial. It is quite easy to construct such a polynomial using the Lagrange interpolation. The formula for the polynomial that interpolates these data points is: $$ B(X) = \sum\_{i=1}^{n} b\_i \cdot L\_i(X) $$ Where $$L\_i(X)$$ is the Lagrange basis polynomial defined as a product: $$ L\_i(X) = \prod\_{\substack{j=1 \ j \neq i}}^{n} \frac{X - x\_j}{x\_i - x\_j} $$ A polynomial constructed using the Lagrange interpolation is known to have the degree $$d = n - 1$$ where $$n$$ is the number of users (and the number of the corresponding balance evaluation points). The resulting polynomial should look like the following: $$ \boxed{B(X) = a\_0 + a\_1x + a\_2x^2 + ... + a\_{n-1} x^{n-1}} $$ Let's choose the $$x\_i$$ values as the $$i$$-th degrees of an $$n$$-th root of unity (assuming that we are performing all the calculations in the prime field with a sufficiently large modulus): $$\boxed{B(\omega^i) = b\_i}$$ where $$\omega$$ is the $$n$$-th primitive root of unity and $$i\in0..n-1$$. ## Grand Sum Of The Polynomial Evaluations To prove the solvency of the Custodian, we need to find its total liabilities by summing up all the user balances and to prove to the public that the sum is less than the assets owned by the Custodian. An individual $$i$$-th user balance is the evaluation of the polynomial at the $$\omega^i$$ value corresponding to the user: $$ B(\omega^i) = b\_i =a\_0 + a\_1(\omega^i)^1 + a\_2(\omega^i)^2 + ... + a\_{n-1} (\omega^i)^{n-1} $$ Let's calculate the sum $$S$$ of all the user balances as the sum of the polynomial evaluations: $$ \begin{align\*} S = \sum\limits\_{i=0..n-1} B(\omega^i)& = \&a\_0\quad& + \&a\_1\omega^{0\phantom{-1}}\quad & + & a\_2(\omega^{0\phantom{-1}})^2\quad & + & \cdots\quad & + & a\_{n-1} (\omega^{0\phantom{-1}})^{n-1} +\\ & + \&a\_0\quad& + \&a\_1\omega^{1\phantom{-1}}\quad & + & a\_2(\omega^{1\phantom{-1}})^2\quad & + & \cdots\quad & + & a\_{n-1} (\omega^{1\phantom{-1}})^{n-1} +\\ & + \&a\_0\quad& + \&a\_1\omega^{2\phantom{-1}}\quad & + & a\_2(\omega^{2\phantom{-1}})^2\quad & + & \cdots\quad & + & a\_{n-1} (\omega^{2\phantom{-1}})^{n-1} +\\ &&&&&\vdots \\ & + \&a\_0\quad& + \&a\_1\omega^{n-1}\quad & + & a\_2(\omega^{n-1})^2\quad & + & \cdots\quad & + & a\_{n-1} (\omega^{n-1})^{n-1} =\\ \\ \rlap{\text{(let's factor out each $a\_i$)}} \end{align\*} $$ $$ \begin{align\*}&=n a\_0 + a\_1(\underbrace{\omega^0 + \omega^1 + \omega^2 + \cdots +\omega^{n-1}}*{=0}) + \cdots + a*{n-1}(\underbrace{\omega^0 + \omega^1 + \omega^2 +\cdots+ \omega^{n-1} }\_{=0})^{n-1} = \\ &\rlap{\text{(using the property of the sum of all roots of unity inside the parentheses being zero)}} \\\quad \\&= n a\_0 \end{align\*} $$ Therefore, the grand sum of the user balances is simply the constant coefficient of the polynomial times the number of users: $$ \boxed{S = \sum\limits\_{i} B(\omega\_i) = n a\_0} $$ As it turns out, the Halo2 proving system is internally using the roots of unity as $$X$$ coordinates for the polynomial construction, and we will later see how we can take advantage of that. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://summa.gitbook.io/summa/cryptographic-primitives/univariate-polynomial-grand-sum.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.