skip to content
PSYCHO VIRTUAL

Sketch of the BaseFold Protocol

/ 2 min read

cryptography, zero-knowledge proofs, polynomial commitment schemes, reed-solomon codes, multi-linear polynomials

Overview

The Fast Reed-Solomon Interactive Oracle Proofs of Proximity (FRI) protocol, introduced in 2018, brought significant advances to zero-knowledge cryptography through its innovative polynomial folding technique. By progressively reducing the degree of committed polynomials, FRI achieved remarkable efficiency gains in verifier costs, making it a cornerstone of STARK proof systems.

However, FRI’s original design was optimized for univariate polynomials p(X)F[X]p(X) ∈ F[X], limiting its direct applicability to multivariate polynomials P(X1,...,Xn)F[X1,...,Xn]P(X₁,...,Xₙ) ∈ F[X₁,...,Xₙ]. This constraint posed challenges for proof systems that needed to handle more complex computational statements.

The BaseFold protocol addresses this limitation by extending FRI’s folding technique to multivariate polynomials. It cleverly combines FRI’s efficiency with the well-established sumcheck protocol, using the latter to reduce multivariate evaluation claims to univariate ones that can be handled by FRI-like folding. This synthesis represents a significant advancement in polynomial commitment schemes, enabling more expressive and efficient zero-knowledge proofs.

Preliminaries

Let FF be a finite field. We denote the set of univariate polynomials of degree less than 2n2^n by:

Pn=F[X]<2nP_n = F[X]^{<2^n}

The nn-dimensional Boolean hypercube over FF is the set Hn=0,1nH_n = {0,1}^n, regarded as a subset of FnF^n. A multivariate polynomial PF[X1,...,Xn]P \in F[X_1,...,X_n] in nn variables is multilinear if it is at most linear in each variable (i.e., degXi(P)1deg_{X_i}(P) \leq 1 for every ii), taking the form:

P(X1,...,Xn)=i=(i1,...,in)0,1nciX1i1...XninP(X_1,...,X_n) = \sum_{i=(i_1,...,i_n)\in{0,1}^n} c_i\cdot X_1^{i_1}\cdot...\cdot X_n^{i_n}

where ciFc_i \in F. For any x=(x1,...,xn)Fn\vec{x} = (x_1,...,x_n) \in F^n, we write P(x)P(\vec{x}) for the value P(x1,...,xn)P(x_1,...,x_n). The nn-dimensional Lagrange kernel (also called eq()eq() in several works) is the multilinear polynomial:

L(X1,...,Xn,Y1,...,Yn)=i=1n(1(Xi+Yi)+2XiYi)L(X_1,...,X_n,Y_1,...,Y_n) = \prod_{i=1}^n (1 - (X_i + Y_i) + 2\cdot X_i\cdot Y_i)

For y0,1n\vec{y} \in {0,1}^n, its specialization L(X1,...,Xn,y)L(X_1,...,X_n,\vec{y}) is the unique multilinear polynomial that evaluates to 1 at y\vec{y} and 0 elsewhere on HnH_n. This yields the evaluation inner product:

P,L(.,y)Hn=xHnP(x)L(x,y)=P(y)\langle P, L(.,\vec{y})\rangle_{H_n} = \sum_{\vec{x}\in H_n} P(\vec{x})\cdot L(\vec{x},\vec{y}) = P(\vec{y})

We use Ci=RS2ni[F,Di]C_i = RS_{2^{n-i}}[F,D_i] to denote the Reed-Solomon code over the domain DiD_i at step ii of the protocol, where D=D0D = D_0 is the initial evaluation domain and subsequent domains DiD_i are obtained through projection maps πi\pi_i.

Protocol

BaseFold