Basefold | a41-labs

Last updated 3 months ago

Introduction

is a new Polynomial Commitment Scheme that is field-agnostic, with verifier complexity of and prover complexity of . While the RS-code used in FRI-IOPP requires an FFT-friendly field, BaseFold eliminates this constraint by introducing the concept of random foldable code, making it usable with sufficiently large fields.

Background

Constant Polynomial in FRI-IOPP

In FRI, the following polynomial is folded using a random value .

After the first round, the polynomial becomes:

If this folding process is repeated times, the resulting polynomial will eventually reduce to a constant polynomial, which looks like:

This constant polynomial is identical to the evaluation of the multilinear polynomial at point .

Q(X_0, X_1, X_2, \dots,X_k) = c_0+ c_1X_0 + c_2X_1 + \cdots + c_{2^{k-1} -1}X_0X_1\cdots X_{k}

Protocol Explanation

Foldable Code

It is well-known that RS (Reed-Solomon) codes are a type of , and the encoding of linear codes can be represented as a matrix-vector multiplication. For example, the encoding of an -RS code, when and , can be represented as follows:

The matrix on the left can be transformed into the matrix on the right by applying a row permutation.

If we divide the matrix on the right into four parts, the red and yellow-colored sections are identical and correspond to the matrix used in RS encoding when and . The green-colored section is equivalent to multiplying the red matrix by a . Similarly, the blue-colored section is equivalent to multiplying the red matrix by another diagonal matrix .

If the matrix used in the encoding of a linear code takes the form above, it is referred to as a foldable linear code. Let us define this more formally.

Let , for every . A -foldable linear code is a with a generator matrix and rate with the following properties:

the diagonal matrices satisfies that for every .
the matrix equals (up to row permutation)\

G_i = \begin{bmatrix} G_{i−1} & G_{i−1} \\ G_{i−1} \cdot T_{i-1} & G_{i−1} \cdot T'_{i-1} \\ \end{bmatrix}

Random Foldable Code

To design a linear code that is foldable and efficiently encodable regardless of its finite field, BaseFold uses this algorithm:

Set , where is a distribution that outputs with 100% probability. Such a is referred to as a -foldable distribution.
Sample and set .
Generate using .
Repeat steps 2 and 3 until a of the desired size is obtained.

This type of code is called a Random Foldable Code (RFC). The paper demonstrates that this code has good relative minimum distance. For those interested, refer to Section 3.1 of the paper. Additionally, it is noted that this is a special case of punctured . For further details, consult Appendix D of the paper.

Encoding Algorithm

The encoding can be computed recursively as follows:

If , return .
Unpack matrix into a pair of matrix .
Set , , and then pack a pair of matrices to matrix.

This approach is valid and can be proven inductively:

If , , which holds by definition.
If , holds because of the recursive construction of .

\begin{align*} l + t \circ r &= \mathsf{Enc}_{i-1}(m_l) + \mathsf{diag}(T_{i-1}) \circ \mathsf{Enc}_{i-1}(m_r) \\ &= m_l \cdot G_{i-1} + \mathsf{diag}(T_{d-1}) \circ (m_r \cdot G_{i-1}) \\ &= m_l\cdot G_{i-1} + m_r \cdot G_{i-1} \cdot T_{i-1} \end{align*} \\ \begin{align*} l - t \circ r &= \mathsf{Enc}_{i-1}(m_l)- \mathsf{diag}(T_{i-1}) \circ \mathsf{Enc}_{i-1}(m_r )\\ &= m_l \cdot G_{i-1} - \mathsf{diag}(T_{i-1}) \circ (m_r \cdot G_{i-1}) \\ &= m_l\cdot G_{i-1} - m_r \cdot G_{i-1} \cdot T_{i-1} \end{align*} \\ (l+t\circ r, l-t \circ r) = (m_l, m_r) \cdot \begin{bmatrix} G_{i-1} &G_{i-1} \\ G_{i-1} \cdot T_{i-1} & G_{i-1} \cdot -T_{i-1} \end{bmatrix} = m \cdot G_i

BaseFold IOPP

To use this in IOPP, we need to ensure that is indeed an encoded random linear combination derived from . To demonstrate this, let represent the message at the -th layer and the oracle (or block) at the -th layer. Then, the following holds:

\begin{align*} \pi_{i+1} &= m_{i+1}\cdot G_{i+1} \\ &= m_{i+1} \cdot \begin{bmatrix} G_i & G_i \\ G_i \cdot T_i & G_i \cdot T_i' \end{bmatrix} \\ &= [\mathsf{Enc}_i(m_{i+1, l}) + \mathsf{diag}(T_i) \circ \mathsf{Enc}_i(m_{i+1, r}) || \mathsf{Enc}_i(m_{i+1, l}) + \mathsf{diag}(T_i') \circ \mathsf{Enc}_i(m_{i+1, r}) ] \end{align*}

Thus, for , the following conditions are satisfied, where is the length of :

\pi_{i+1}[j] = \mathsf{Enc}_i(m_{i+1, l})[j] + \mathsf{diag}(T_i)[j] \cdot \mathsf{Enc}_i(m_{i+1, r})[j] \\ \pi_{i+1}[j + n_i] = \mathsf{Enc}_i(m_{i+1, l})[j] + \mathsf{diag}(T_i')[j] \cdot \mathsf{Enc}_i(m_{i+1, r})[j]

The values and are evaluations of the polynomial at and , respectively. When using the sampled value at each -th layer, can be constructed as follows, ensuring that encodes the message :

\begin{align*} \pi_i[j] &= f(\alpha_i) \\ &= \mathsf{Enc}_i(m_{i+1, l})[j] + \alpha_i \cdot \mathsf{Enc}_i(m_{i+1, r})[j] \\ &=\mathsf{Enc}_i(m_{i+1, l} + \alpha_i \cdot m_{i+1, r})[j] \end{align*}

Using this property, an IOPP (Interactive Oracle Proof of Proximity) can be designed. Here, refers to the computation of a degree-1 polynomial such that .

Prover witness: the polynomial

For from to :

The verifier samples and sends it to the prover.
For each index , the prover
1. sets .
2. sets .
The prover outputs oracle .

The verifier samples an index .
For from to , the verifier
1. queries oracle entries .
2. computes .
3. checks that .
4. if and , update .
If is a valid codeword w.r.t. generator matrix , output accept, otherwise output reject.

Multilinear PCS based on interleaving BaseFold IOPP

When performing the sumcheck protocol, the problem is reduced to an evaluation claim. Interestingly, the BaseFold IOPP shares a similar structure: given an input oracle that encodes a polynomial , the final oracle sent by the honest prover in the IOPP protocol is precisely an encoding of a random evaluation , where .

Thus, the sumcheck protocol and the IOPP protocol can be executed interleaved, sharing the same random challenge. At the end, the verifier needs to check whether the evaluation claim , obtained through the sumcheck protocol, matches the final prover message from the IOPP protocol. It performs as follows:

Public input: oracle , point , claimed evaluation

Prover witness: the polynomial

The prover sends the following to the verifier:

h_d(X) =\sum_{\bm{b} \in \{0, 1\}^{d-1}} f(\bm{b}, X) \cdot \widetilde{\mathsf{eq}}_r(\bm{b}, X), \\ \widetilde{\mathsf{eq}}_r(X_0, X_1, \dots, X_{d-1}) = \prod_{i = 0}^{d-1}(r_i \cdot X_i + (1 - r_i)(1 - X_i))

For from to :
Verifier samples and sends to the prover.
For each , the prover
1. sets .
2. sets .
The prover outputs oracle .
if , the prover sends verifier.

h_i(X) =\sum_{\bm{b} \in \{0, 1\}^{i-1}} f(\bm{b}, X, r_i, \dots, r_{d-1}) \cdot \widetilde{\mathsf{eq}}_z(\bm{b}, X, r_i, \dots, r_{d-1})

The verifier checks that
1. outputs accept.
2. and for every , .
3. .

Conclusion

In a 256-bit PCS:

BaseFold compared to field-agnostic Brakedown:
- Prover time: Slower
- Verifier time: Faster
- Proof size: Bigger with a small number of variables but smaller with a large number of variables.
BaseFoldFri compared to the non-field-agnostic ZeromorphFri:
- Prover time: Faster
- Verifier time: Faster
- Proof size: Larger

In a 64-bit PCS:

BaseFold compared to field-agnostic Brakedown:
- Prover time: Slower
- Verifier time: Faster
- Proof size: Smaller
BaseFoldFri compared to the non-field-agnostic ZeromorphFri:
- Prover time: Faster
- Verifier time: Slower
- Proof size: Larger

In a 256-bit SNARK:

BaseFold compared to field-agnostic Brakedown:
- Prover time: Faster with a small number of variables but similar with a large number of variables.
- Verifier time: Faster
- Proof size: Smaller
BaseFoldFri compared to the non-field-agnostic ZeromorphFri:
- Prover time: Similar
- Verifier time: Similar
- Proof size: Larger

In a 64-bit SNARK:

Both BaseFold and BaseFoldFri, compared to Zeromorph:
- Prover time: Similar
- Verifier time: Slower with a small number of variables but faster with a large number of variables.
- Proof size: Larger