Galois FRI-Binius: Joseph Johnston's Idea

In this note, I will try to explicate an idea suggested to us by Joseph Johnston.

Normal FRI-Binius & Notation

In normal FRI-Binius, the prover kicks off the sumcheck by sending the verifier

s_{0} := {(t (u_{0}, \dots, u_{κ - 1}, r_{κ}, \dots, r_{ℓ - 1}))}_{u \in B_{κ}}

. This information is enough for the verifier to compute

t (r)

; indeed, the verifer can just compute

\sum_{u \in B_{κ}} s_{0, u} \cdot \tilde{eq} (u_{0}, \dots, u_{κ - 1}, r_{0}, \dots, r_{κ - 1})

and compare this thing to the claimed evaluation

s

The tricky observation there is that the quantity

s_{0}

above is also nothing other than the column representation of

φ_{1} (t^{'}) (φ_{0} (r_{κ}), \dots, φ_{0} (r_{ℓ - 1}))

, which itself equals

\sum_{v \in B_{ℓ^{'}}} t^{'} (X_{0}, \dots, X_{ℓ^{'} - 1}) \cdot \tilde{eq} (φ_{0} (r_{κ}), \dots, φ_{0} (r_{ℓ - 1}), X_{0}, \dots, X_{ℓ^{'} - 1}) .

By running a sumcheck on this above thing, over the algebra, the prover and verifier can thus reduce the validity of

s_{0}

to that of

t^{'} (r_{0}^{'}, \dots, r_{ℓ^{'} - 1}^{'})

Joseph's Idea

The first nontrivial claim is that the vector

s_{0} := {(t (u_{0}, \dots, u_{κ - 1}, r_{κ}, \dots, r_{ℓ - 1}))}_{u \in B_{κ}}

above—which, as we already saw, contains just the required data to compute

t (r_{0}, \dots, r_{ℓ - 1})

—is itself in turn "equivalent", up to a matrix mult, to the further data

s^{'} := {(φ^{{u}} (t^{'}) (r_{κ}, \dots, r_{ℓ - 1}))}_{u \in B_{κ}}

. Here, we write

φ

for the Frobenius, i.e., the thing that generates

Gal (L / K)

. In particular:

Claim 1. We have the matrix identity:

[\begin{matrix} φ^{0} (t^{'}) (r_{κ}, \dots, r_{ℓ - 1}) \\ ⋮ \\ φ^{2^{κ} - 1} (t^{'}) (r_{κ}, \dots, r_{ℓ - 1}) \end{matrix}] = [\begin{matrix} φ^{{u}} (β_{v}) \end{matrix}] \cdot [\begin{matrix} t (0, \dots, 0, r_{κ}, \dots, r_{ℓ - 1}) \\ ⋮ \\ t (1, \dots, 1, r_{κ}, \dots, r_{ℓ - 1}) \end{matrix}] .

Proof. It's enough to fix arbitrary

(r_{κ}, \dots, r_{ℓ - 1}) \in L^{ℓ^{'}}

and

u \in B_{κ}

and prove that

φ^{{u}} (t^{'}) (r_{κ}, \dots, r_{ℓ - 1}) \overset{?}{=} \sum_{v \in B_{κ}} φ^{{u}} (β_{v}) \cdot t (v ‖ r)

. To this end, we carry out the following calculation:

\begin{aligned} φ^{{u}} (t^{'}) (r_{κ}, \dots, r_{ℓ - 1}) & = \sum_{w \in B_{ℓ^{'}}} φ^{{u}} (t^{'} (w)) \cdot \tilde{eq} (r_{[κ :]}, w) \\ = \sum_{w \in B_{ℓ^{'}}} φ^{{u}} (\sum_{v \in B_{κ}} t (v ‖ w) \cdot β_{v}) \cdot \tilde{eq} (r_{[κ :]}, w) \\ = \sum_{w \in B_{ℓ^{'}}} (\sum_{v \in B_{κ}} t (v ‖ w) \cdot φ^{{u}} (β_{v})) \cdot \tilde{eq} (r_{[κ :]}, w) \\ = \sum_{v \in B_{κ}} φ^{{u}} (β_{v}) \cdot (\sum_{w \in B_{ℓ^{'}}} t (v ‖ w) \cdot \tilde{eq} (r_{[κ :]}, w)) \\ = \sum_{v \in B_{κ}} φ^{{u}} (β_{v}) \cdot t (v ‖ r), \end{aligned}

which is what we want. The second equality above is just the definition of

t^{'} (X_{0}, \dots, X_{ℓ^{'} - 1})

. In the third, we distribute the Frobenius, and also use the fact that each

t (v ‖ w) \in K

(and is fixed by the Frobenius).

Claim 2. The matrix

M

—i.e., whose

(u, v)^{th}

entry is

φ^{{u}} (β_{v})

—is invertible.
Proof. This nontrivial fact is exactly [LN97, Lem. 3.51].

Now progressing onwards, we see moreover that the left-hand vector above itself can be made to relate to the evaluations of the single polynomal

t^{'} (X_{0}, \dots, X_{ℓ^{'} - 1})

at a number of different places. Indeed, we have:

[\begin{matrix} φ^{0} (t^{'} (φ^{- 0} (r_{κ}), \dots, φ^{- 0} (r_{ℓ - 1}))) \\ ⋮ \\ φ^{2^{κ} - 1} (t^{'} (φ^{- (2^{κ} - 1)} (r_{κ}), \dots, φ^{- (2^{κ} - 1)} (r_{ℓ - 1}))) \end{matrix}] = [\begin{matrix} φ^{0} (t^{'}) (r_{κ}, \dots, r_{ℓ - 1}) \\ ⋮ \\ φ^{2^{κ} - 1} (t^{'}) (r_{κ}, \dots, r_{ℓ - 1}) \end{matrix}] .

Moreover, given only the left-hand vector above, the verifier can locally "peel off" the

φ^{{u}}

s, in order to obtain the further vector:

[\begin{matrix} t^{'} (φ^{- 0} (r_{κ}), \dots, φ^{- 0} (r_{ℓ - 1})) \\ ⋮ \\ t^{'} (φ^{- (2^{κ} - 1)} (r_{κ}), \dots, φ^{- (2^{κ} - 1)} (r_{ℓ - 1})) \end{matrix}] .

The nice thing about this is that it's just

t^{'} (X_{0}, \dots, X_{ℓ^{'} - 1})

evaluated at a number of different points, namely the "componentwise Galois orbit" of

(r_{κ}, \dots, r_{ℓ - 1}) \in L^{ℓ^{'}}

. The idea now is that we're going to use [Fig. 3, RR21]-style batching on this set of claims. This will entail a single sumcheck which takes place entirely over
$L$ .

Summary of Protocol

We will now sketch the end-to-end protocol.

In the commitment phase, the prover commits to the packed polynomial
$t^{'} (X_{0}, \dots, X_{ℓ^{'} - 1}) \in L [X_{0}, \dots, X_{ℓ^{'} - 1}]^{⪯ 1}$ just like it usually does.

In the eval phase, the parties have a joint evaluation point

(r_{0}, \dots, r_{ℓ - 1})

and a claimed evaluation

s

. The prover has

t (X_{0}, \dots, X_{ℓ - 1}) \in K [X_{0}, \dots, X_{ℓ - 1}]^{⪯ 1}

Prover sends verifier
$s_{0}$ , which is claimed to be
${(t (u_{0}, \dots, u_{κ - 1}, r_{κ}, \dots, r_{ℓ - 1}))}_{u \in B_{κ}}$ .
Verifier checks
$\sum_{u \in B_{κ}} s_{0, u} \cdot \tilde{eq} (r_{0}, \dots, r_{κ - 1}, u_{0}, \dots, u_{κ - 1}) \overset{?}{=} s$ .
Verifier then sets:

$[\begin{matrix} s^{'} \end{matrix}] := [\begin{matrix} M \end{matrix}] \cdot [\begin{matrix} s_{0} \end{matrix}],$
understood as an
$L$ -matrix mult. Verifier then moreover sets:

$[\begin{matrix} \hat{s} \end{matrix}] := [\begin{matrix} φ^{- {u}} (s^{'}) \end{matrix}];$
by this notation, we mean that the verifier applies
$φ^{- {u}}$ to each entry of
$s^{'}$ —i.e., with the exponent
$- {u}$ varying—in order to get
$\hat{s}$ .

The prover and verifier now run an [RR21]-style batched sumcheck on the claims

{\hat{s}}_{u} \overset{?}{=} t^{'} (φ^{- {u}} (r_{κ}), \dots, φ^{- {u}} (r_{ℓ - 1}))

, for

u \in B_{κ}

. Unwinding what this means, we have:

The verifier samples random challenges
$(r_{0}^{″}, \dots, r_{κ - 1}^{″})$ ; sends them to the prover.
The verifier defines the initial sumcheck claim
$s_{0}^{*} := \sum_{u \in B_{κ}} {\hat{s}}_{u} \cdot \tilde{eq} (r^{″}, u)$ .
Meanwhile, prover defines:

$h (X_{0}, \dots, X_{ℓ^{'} - 1}) := t^{'} (X_{0}, \dots, X_{ℓ^{'} - 1}) \cdot \sum_{u \in B_{κ}} \tilde{eq} (r^{″}, u) \cdot \tilde{eq} (X, φ^{- {u}} (r_{[κ :]}))$
here, we slightly abuse notation by writing
$φ^{- {u}} (r_{[κ :]}) := (φ^{- {u}} (r_{κ}), \dots, φ^{- {u}} (r_{ℓ - 1}))$ .
The prover and verifier now run a normal sumcheck over L on the polynomial
$h (X_{0}, \dots, X_{ℓ^{'} - 1})$ , for
$ℓ^{'}$ rounds. In parallel, they also FRI-fold.
At the very end, the verifier has a final sumcheck claim, which we'll call
$s_{ℓ^{'}}^{*}$ , as well as a final FRI oracle, which we'll call
$c$ . At this point, the verifier checks

$s_{ℓ^{'}}^{*} \overset{?}{=} c \cdot \sum_{u \in B_{κ}} \tilde{eq} (r^{″}, u) \cdot \tilde{eq} (r^{'}, φ^{- {u}} (r_{[κ :]}));$
here,
$r^{'} := (r_{0}^{'}, \dots, r_{ℓ^{'} - 1}^{'})$ is the point sampled during the course of the sumcheck.
Finally, the verifier does FRI querying.

Correctness

Assuming the truth of Claim 1, we argue correctness in the following way. If the prover is honest, then

s_{0} = {(t (u_{0}, \dots, u_{κ - 1}, r_{κ}, \dots, r_{ℓ - 1}))}_{u \in B_{κ}}

will hold; by Claim 1, the verifier will have

s^{'} = {(φ^{{u}} (t^{'}) (r_{κ}, \dots, r_{ℓ - 1}))}_{u \in B_{κ}} = {(φ^{{u}} (t^{'} (φ^{- {u}} (r_{κ}), \dots, φ^{- {u}} (r_{ℓ - 1}))))}_{u \in B_{κ}}

. We see that the verifier will finally in turn have

\hat{s} = {(t^{'} (φ^{- {u}} (r_{κ}), \dots, φ^{- {u}} (r_{ℓ - 1})))}_{u \in B_{κ}}

The rest comes down to the correctness of Rothblum-style batching. In particular, you need to convince yourself that

\sum_{v \in B_{ℓ^{'}}} h (v) = \sum_{u \in B_{κ}} \tilde{eq} (r^{″}, u) \cdot t^{'} (φ^{- {u}} (r_{[κ :]})) = \sum_{u \in B_{κ}} \tilde{eq} (r^{″}, u) \cdot {\hat{s}}_{u} = s_{0}^{*}

will hold. The first equality involves interchanging a sum, and is essentially the "content" of [Fig. 3, RR21]'s completeness statement. The second equality holds assuming the prover was honest; this was just calculated above. The third equality is by definition on the verifier's part. Thus if the prover is honest, then its sumcheck claim will be true. The verifier's final step amounts to evaluating

h (r_{0}^{'}, \dots, r_{ℓ^{'} - 1}^{'})

; here,

c

is used as a standin for

t^{'} (r_{0}^{'}, \dots, r_{ℓ^{'} - 1}^{'})

Efficiency

The efficiency of the above protocol is quadratic for the verifier in

2^{κ}

. Indeed, you can see this already in the verifier's multipliation

s^{'} := [M] \cdot s_{0}

. Actually, it is interesting to ask whether there is a kind of "Galois NTT", which would allow multiplication by

[M]

to be carried out in

O (κ \cdot 2^{κ})

time.

A further question is the verifier's computation of

\hat{s} := φ^{- {u}} (s^{'})

above. It seems that the verifier needs to do "triangularly many" applications of the inverse Frobenius here; i.e., for each

u \in B_{κ}

, the computation

{\hat{s}}_{u} := φ^{- {u}} (s_{u}^{'})

will take

{u}

inverse Frobeniuses. Up to the issue of forward versus inverse (which shouldn't matter, since we can just "invert the triangle", using cyclicity), this will again take quadratic total work in

2^{κ}

As far as proof cost: the total cost is a FRI-run on something

ℓ^{'}

-variate over

L

and then also a sumcheck on something

ℓ^{'}

-variate over

L

. So it seems that we are getting 0 embedding overhead whatsoever (for the prover—the verifier needs to do some work).

Security

The fascinating fact is that Claim 2 is necessary for security. As a sketch, we need to argue that if

t (r_{0}, \dots, r_{ℓ - 1}) \neq s

, then

V

will reject. First off, assuming that (i.e. that the prover's claim is false), we immediately get the claim that if

s_{0} = {(t (u_{0}, \dots, u_{κ - 1}, r_{κ}, \dots, r_{ℓ - 1}))}_{u \in B_{κ}}

then

V

will reject its check 2. above. We may thus assume that

s_{0} \neq {(t (u_{0}, \dots, u_{κ - 1}, r_{κ}, \dots, r_{ℓ - 1}))}_{u \in B_{κ}}

. In this case, assuming Claim 2, we have that

M

is injective; we may thus assume further that

s^{'} \neq {(φ^{{u}} (t^{'}) (r_{κ}, \dots, r_{ℓ - 1}))}_{u \in B_{κ}} = {(φ^{{u}} (t^{'} (φ^{- {u}} (r_{κ}), \dots, φ^{- {u}} (r_{ℓ - 1}))))}_{u \in B_{κ}}

will hold. Thus we finally get that

\hat{s} \neq {(t^{'} (φ^{- {u}} (r_{κ}), \dots, φ^{- {u}} (r_{ℓ - 1})))}_{u \in B_{κ}}

will hold, since everything Frobenius-related is invertible. This then comes down to the soundness of (tensor-style) Rothblum batching, and the usual arguments of FRI-Binius. Thus the soundness overhead of this protocol over and above normal FRI-Binius is that of the tensor-style batch, which is

O (\frac{κ}{| L |})

References

[LN97]: Lidl, Rudolf and Niederreiter, Harald. Finite Fields. 1997.
[RR21]: Ron-Zewi, Noga and Rothblum, Ron. Local Proofs Approaching the Witness Length. Journal of the ACM.