This note attempts to be a summary of the Basefold [paper](https://eprint.iacr.org/2023/1705.pdf) and [talk by Binyi Chen](https://youtu.be/kIsZ2arrd_M?si=nty2cvL5fO4xHZNr). The paper makes three major contributions that are all interlinked. It introduces:

1. a linear code (which we call a "foldable code") that generalizes the Reed-Solomon code such that it no longer requires FFT-friendly fields,
2. an Interactive Oracle Proof of Proximity (IOPP), which uses the foldable code and can be thought of as FRI but for multilinear polynomials, and
3. a polynomial commitment scheme for multilinear polynomials, which mixes the IOPP and sum-check together.

Let's dive in!

# Foldable code

The authors present a code family that generalizes the Reed-Solomon code: the code is still linear, but doesn't rely on FFT-friendly fields. The code family is defined as

$$
\begin{align*}
Enc_{d+1}(m_l || m_r) = &[Enc_d(m_l) + t_l^{(d)} \circ Enc_d(m_r)] \bigg|\bigg| \\
&[Enc_d(m_l) + t_r^{(d)} \circ Enc_d(m_r)]
\end{align*}
$$

where "$||$" represents concatenation, and

$$
\begin{align*}
m &= m_l || m_r, \quad m \in \mathbb{F}^{2^{d+1}}, \\
Enc_d: &\mathbb{F}^{2^d} \rightarrow \mathbb{F}^{2^{d + c}}, \\
t_l^{(d)} &\in \mathbb{F}^{2^{d+c}}, \\
t_r^{(d)} &\in \mathbb{F}^{2^{d+c}}.
\end{align*}
$$

Here, $2^c$ is the blowup factor, and $t_l^{(d)}$ and $t_r^{(d)}$ are parameters of the code.

> The Basefold authors call a code defined this way "foldable".

Notice that $\{t_l^{(d)}\}_{d=0}^{k-1}$, $\{t_r^{(d)}\}_{d=0}^{k-1}$ and $Enc_0$, where $2^k$ is the length of the original message to encode, fully define the code. That is, each assignment of values to these parameters results in a different code. We will defer to the paper and the talk for how those values are chosen in practice.

## Linearity of the code

The only property of interest for this discussion is that $Enc_0$ is a linear function; that is, it can be represented as a $2^c \times 1$ matrix. We can then show by induction that $Enc_d$ is linear for every $d$. That is, assuming that $Enc_d$ is linear, we show that $Enc_{d+1}$ is linear. Let $M$ be the matrix that represents $Enc_d$. Then,

$$
\begin{align*}
Enc_{d+1}(m_l || m_r) &= [M m_l + t_l^{(d)} \circ M m_r] \bigg|\bigg| [M m_l + t_r^{(d)} \circ M m_r] \\
&= [M m_l + T_l M m_r] \bigg|\bigg| [M m_l + T_r M m_r] \\
&= \begin{bmatrix} M & T_l M \\ M & T_r M \end{bmatrix} \begin{bmatrix} m_l \\ m_r \end{bmatrix}
\end{align*}
$$

where $T_l$ is the diagonal matrix whose entries along the diagonal are the elements of $t_l^{(d)}$ (and similarly for $T_r$). Hence, since $Enc_{d+1}$ can be represented by a matrix, it is linear, which completes the proof sketch.
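Before moving on, here is a minimal Python sketch of the recursion above. This is our own toy illustration, not code from the paper: the field is a toy prime, `enc_0` is an arbitrary base encoder, and the tables `t_l[d]`, `t_r[d]` are assumed to be given (a real instantiation chooses all of these carefully to guarantee good distance, which we ignore here).

```python
P = 2**31 - 1  # toy prime field; the point is that no FFT-friendly structure is needed

def encode(m, enc_0, t_l, t_r):
    """Compute Enc_k(m) for a message m of length 2^k by unrolling the recursion
    Enc_{d+1}(m_l || m_r) = [Enc_d(m_l) + t_l^(d) o Enc_d(m_r)] || [Enc_d(m_l) + t_r^(d) o Enc_d(m_r)]."""
    n = len(m)
    if n == 1:
        return enc_0(m)                      # Enc_0 : F -> F^{2^c}
    d = n.bit_length() - 2                   # message length is 2^(d+1); Enc_{d+1} uses the tables t^(d)
    m_l, m_r = m[: n // 2], m[n // 2 :]
    e_l = encode(m_l, enc_0, t_l, t_r)       # Enc_d(m_l)
    e_r = encode(m_r, enc_0, t_l, t_r)       # Enc_d(m_r)
    left  = [(a + t * b) % P for a, b, t in zip(e_l, e_r, t_l[d])]
    right = [(a + t * b) % P for a, b, t in zip(e_l, e_r, t_r[d])]
    return left + right                      # concatenation, as in the definition

# Toy instantiation with blowup 2^c = 2: Enc_0 maps x to [x, 2x], and the table
# entries are arbitrary (t_l[d] and t_r[d] have length 2^(d+1) here since c = 1).
enc_0 = lambda m: [m[0] % P, (2 * m[0]) % P]
t_l = [[3, 5], [7, 11, 13, 17]]
t_r = [[19, 23], [29, 31, 37, 41]]
codeword = encode([1, 2, 3, 4], enc_0, t_l, t_r)   # codeword of length 2^(2+1) = 8
assert len(codeword) == 8
```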
## Reed-Solomon generalization check

> This section can be safely skipped upon first read

We claimed earlier that the code presented above is a generalization of the Reed-Solomon code. Hence, we need to show that there exist $\{t_l^{(d)}\}_{d=0}^{k-1}$, $\{t_r^{(d)}\}_{d=0}^{k-1}$ and $Enc_0$ which result in a Reed-Solomon code. Recall the definition of a Reed-Solomon code. For $f(x) \in \mathbb{F}[X]^{< 2^{d+1}}$ (*i.e.* $f(x)$ is a polynomial of degree less than $2^{d+1}$),

$$
RS_{d+1}(f(x)) = f(x)[\omega, \omega^2, \dots, \omega^{2^{d+1+c}}]
$$

where the brackets signify that $f(x)$ is evaluated at each of these points, the results stored in a list of corresponding length. $\omega$ is a generator of a multiplicative group of order $2^{d+1+c}$.

#### f(x) even/odd decomposition

Next, define $f_e(x)$ and $f_o(x)$ to be the polynomials whose coefficients correspond to the even-degree and odd-degree coefficients of $f(x)$, respectively. For example, if $f(x) = ax^3 + bx^2 + cx + d$, then $f_e(x) = bx + d$ and $f_o(x) = ax + c$. Formally, this is written as

$$
f(x) = f_e(x^2) + x \cdot f_o(x^2)
$$

#### $RS_{d+1}$ decomposition

Next, since the Reed-Solomon code is linear (and since evaluating a product of polynomials amounts to the Hadamard product of their evaluations), the following holds:

$$
\begin{align*}
RS_{d+1}(f(x)) &= RS_{d+1}(f_e(x^2) + x \cdot f_o(x^2)) \\
&= RS_{d+1}(f_e(x^2)) + RS_{d+1}(x) \circ RS_{d+1}(f_o(x^2))
\end{align*}
$$

where $\circ$ is the Hadamard product. Next, notice the following

$$
\begin{align*}
RS_{d+1}(f_e(x^2)) &= f_e(x^2)[\omega, \omega^2, \dots, \omega^{2^{d+1+c}}] \\
&= f_e(x) [\omega^2, \omega^4, \dots, \omega^{2^{d+2+c}}] \\
&= f_e(x) [\omega^2, \omega^4, \dots, \omega^{2^{d+1+c}}, \omega^2, \omega^4, \dots, \omega^{2^{d+1+c}}] \\
&= RS_d(f_e(x)) || RS_d(f_e(x))
\end{align*}
$$

Naturally, the same holds for $RS_{d+1}(f_o(x^2))$. Therefore, we can rewrite $RS_{d+1}(f(x))$ as

$$
\begin{align*}
&RS_{d+1}(f(x)) =\\
&RS_d(f_e(x)) + [\omega, \omega^2, \dots, \omega^{2^{d+c}}] \circ RS_d(f_o(x)) \quad ||\\
&RS_d(f_e(x)) + [\omega^{2^{d+c}+1}, \dots, \omega^{2^{d+c+1}}] \circ RS_d(f_o(x))
\end{align*}
$$

Notice that this fits the foldability property, where

$$
\begin{align*}
&m_l = f_e(x) \\
&m_r = f_o(x) \\
&t_l^{(d)} = [\omega, \omega^2, \dots, \omega^{2^{d+c}}] \\
&t_r^{(d)} = [\omega^{2^{d+c}+1}, \dots, \omega^{2^{d+c+1}}]
\end{align*}
$$

This comes with a caveat. The foldability property requires the coefficients of $f_e(x)$ to be stored in the left part of $m$, followed by the coefficients of $f_o(x)$. And this must be true recursively. Hence, if

$$
f(x) = a_7 x^7 + \dots + a_1 x + a_0
$$

then $f(x)$'s coefficients must be stored as

$$
[a_0, a_4, a_2, a_6, a_1, a_5, a_3, a_7]
$$

We leave it as an exercise to verify why this is correct.

# IOPP

The Basefold paper introduces a new Interactive Oracle Proof of Proximity (IOPP) analogous to FRI, but for multilinear polynomials. That is, the protocol convinces the verifier that the prover has a multilinear polynomial (or, to be more precise, a function "close" to one). Where FRI uses Reed-Solomon codes, Basefold's IOPP uses the foldable code presented in the previous sections. Finally, similar to FRI, Basefold's IOPP also has a "commit" phase, where the prover commits to codewords using Merkle trees for a number of layers, and a "query" phase, where the verifier queries random points in the codewords to check for consistency between the layers.

Formally, the goal of the prover is to show that it has some polynomial $f^{(d)} \in \mathbb{F}[X_1, \dots, X_d]^{\leq 1}$ (*i.e.* a multilinear polynomial). Throughout this post, we will assume that all multilinear polynomials $f(x_1, \dots, x_n) = f_l(x_1, \dots, x_{n-1}) + x_n \cdot f_r(x_1, \dots, x_{n-1})$ are stored as $f = f_l(x_1, \dots, x_{n-1}) || f_r(x_1, \dots, x_{n-1})$ in coefficient form. In words, $f_l$ is the multilinear polynomial formed from all the coefficients of $f$ which do not have an $x_n$ term, while $f_r$ is the multilinear polynomial formed from the coefficients which *do* have an $x_n$ term. For example, if $f(x_1, x_2) = ax_1x_2 + bx_1 + cx_2 + d$, then $f_l(x_1) = bx_1 + d$ and $f_r(x_1) = ax_1 + c$. Therefore, applying the same rule recursively to $f_l$ and $f_r$, $f$ would be stored as an array of coefficients in the following order: $[d, b, c, a]$.
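As a quick sanity check of this coefficient layout, here is a small Python sketch (our own helper, not from the paper) that evaluates a multilinear polynomial stored in this order by peeling off the last variable at each step. Plain integers are used for simplicity; in practice these are field elements.

```python
def eval_multilinear(coeffs, xs):
    """Evaluate f(x_1, ..., x_n) stored as f_l || f_r in coefficient form, using
    f(x_1, ..., x_n) = f_l(x_1, ..., x_{n-1}) + x_n * f_r(x_1, ..., x_{n-1})."""
    if len(coeffs) == 1:
        return coeffs[0]
    half = len(coeffs) // 2
    f_l, f_r = coeffs[:half], coeffs[half:]
    *rest, x_n = xs
    return eval_multilinear(f_l, rest) + x_n * eval_multilinear(f_r, rest)

# f(x1, x2) = a*x1*x2 + b*x1 + c*x2 + d, stored as [d, b, c, a]
a, b, c, d = 2, 3, 5, 7
x1, x2 = 11, 13
assert eval_multilinear([d, b, c, a], [x1, x2]) == a * x1 * x2 + b * x1 + c * x2 + d
```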
## Commit phase

In the first round, the prover encodes $f^{(d)}(x_1, \dots, x_d)$ as $\pi^{(d)} = Enc_d(f^{(d)})$, where $\pi^{(d)} \in \mathbb{F}^{2^{d+c}}$. It builds a Merkle tree, where the elements of $\pi^{(d)}$ are the leaves of the tree, and sends the Merkle root to the verifier. The verifier then sends a random $r_d \in_R \mathbb{F}$. The prover uses this random value to build the multilinear polynomial for the next layer:

$$
f^{(d-1)}(x_1, \dots, x_{d-1}) = f^{(d)}_l(x_1, \dots, x_{d-1}) + r_d \cdot f^{(d)}_r(x_1, \dots, x_{d-1})
$$

The protocol repeats similarly for another $d-1$ rounds.

> Notice: by construction, $f^{(d-1)}(x_1, \dots, x_{d-1}) = f^{(d)}(x_1, \dots, x_{d-1}, r_d)$. In words, $f^{(d-1)}$ is $f^{(d)}$ where the last variable has been fixed to $r_d$. If we extend this observation all the way down to the last round, $f^{(0)} = f^{(d)}(r_1, \dots, r_d)$ for random $r_1, \dots, r_d$. This will be an important point in the last section, when we talk about the Basefold polynomial commitment scheme.

## Query phase

The goal of the query phase is for the verifier to check the consistency between $\pi^{(j)}$ and $\pi^{(j-1)}$ for $j \in \{d, \dots, 1\}$. Concretely, from 2 points in $\pi^{(j)}$, the verifier will be able to compute a single point in $\pi^{(j-1)}$, for which the prover will send a Merkle proof. In order to do that, we will need to make use of the foldability property and the linearity of the code.

Let $\pi^{(d)} = \pi_l^{(d)} || \pi_r^{(d)}$. Recall that the foldability property of the code states that

$$
\begin{align*}
\pi_l^{(d)} &= Enc_{d-1}(f^{(d)}_l) + t^{(d-1)}_l \circ Enc_{d-1}(f^{(d)}_r) \\
\pi_r^{(d)} &= Enc_{d-1}(f^{(d)}_l) + t^{(d-1)}_r \circ Enc_{d-1}(f^{(d)}_r)
\end{align*}
$$

For readability purposes, we will define the following variables

$$
\begin{align*}
E_l &= Enc_{d-1}(f^{(d)}_l) \\
E_r &= Enc_{d-1}(f^{(d)}_r)
\end{align*}
$$

With this, we are ready to discuss how queries work. The verifier samples $i \in \{0, \dots, 2^{d+c-1} - 1\}$. The prover sends $\pi_l^{(d)}[i]$, $\pi_r^{(d)}[i]$, and their corresponding Merkle proofs. Next, the verifier infers $E_l[i]$ and $E_r[i]$. The previous definition of $\pi_l^{(d)}$ and $\pi_r^{(d)}$, when zooming in on the $i^{th}$ index, can be written as

$$
\begin{bmatrix} 1 & t^{(d-1)}_l[i]\\ 1 & t^{(d-1)}_r[i] \end{bmatrix} \begin{bmatrix} E_l[i] \\ E_r[i] \end{bmatrix} = \begin{bmatrix} \pi_l^{(d)}[i] \\ \pi_r^{(d)}[i] \end{bmatrix}
$$

or equivalently,

$$
\begin{bmatrix} E_l[i] \\ E_r[i] \end{bmatrix} = \begin{bmatrix} 1 & t^{(d-1)}_l[i]\\ 1 & t^{(d-1)}_r[i] \end{bmatrix}^{-1} \begin{bmatrix} \pi_l^{(d)}[i] \\ \pi_r^{(d)}[i] \end{bmatrix}
$$

Finally, recall from the commit phase that

$$
\pi^{(d-1)} = Enc_{d-1}(f^{(d-1)}) = Enc_{d-1}(f_l^{(d)} + r_d \cdot f_r^{(d)})
$$

We can use the linearity property of the code to get

$$
Enc_{d-1}(f_l^{(d)} + r_d \cdot f_r^{(d)}) = Enc_{d-1}(f_l^{(d)}) + r_d \cdot Enc_{d-1}(f_r^{(d)}) = E_l + r_d \cdot E_r
$$

When we focus on a single index $i$, we get

$$
\pi^{(d-1)}[i] = E_l[i] + r_d \cdot E_r[i]
$$

Hence, the verifier was able to compute $\pi^{(d-1)}[i]$, which was our initial goal.

> Note that $\pi^{(d-1)}[i]$ lies in either the first or the second half of $\pi^{(d-1)}$; that is, $\pi^{(d-1)}[i] = \pi_l^{(d-1)}[i]$ when $i < \frac{|\pi^{(d-1)}|}{2}$, and $\pi^{(d-1)}[i] = \pi_r^{(d-1)}[i - \frac{|\pi^{(d-1)}|}{2}]$ otherwise. In other words, the query index for the next round is $i$ reduced modulo $\frac{|\pi^{(d-1)}|}{2}$. Whichever half it is, the prover only needs to send the Merkle proof for it, since the verifier already computed the value. Naturally, the prover also needs to send the value & Merkle proof for the other half (which the verifier didn't compute).

The same process then repeats for each round.
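To summarize one query round, here is a minimal Python sketch (our own names, over a toy prime field) of the check the verifier performs at a single index: recover $E_l[i]$ and $E_r[i]$ by inverting the $2 \times 2$ system above, then fold them with the round challenge.

```python
P = 2**31 - 1  # toy prime field

def fold_point(pi_l_i, pi_r_i, t_l_i, t_r_i, r_d):
    """Given the opened values pi^{(d)}_l[i] and pi^{(d)}_r[i], the table entries for
    this round at index i, and the challenge r_d, compute pi^{(d-1)}[i].
    Requires t_l_i != t_r_i, so that the matrix [[1, t_l_i], [1, t_r_i]] is invertible."""
    det_inv = pow((t_r_i - t_l_i) % P, -1, P)                # 1 / (t_r_i - t_l_i) mod P
    e_l = (t_r_i * pi_l_i - t_l_i * pi_r_i) * det_inv % P    # E_l[i]
    e_r = (pi_r_i - pi_l_i) * det_inv % P                    # E_r[i]
    return (e_l + r_d * e_r) % P                             # E_l[i] + r_d * E_r[i]
```

The verifier then checks the returned value against the Merkle opening of $\pi^{(d-1)}$ at the corresponding position.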
In the last round, the prover only sends the Merkle proof for $\pi^{(0)}[i^{(0)}]$. The verifier ensures that the Merkle proof check passes with the value of $\pi^{(0)}[i^{(0)}]$ that it computed, completing the query.

> Note: we use $i^{(0)}$ to signify the index in the last round. Since the query index is reduced at each round (as described in the previous note), $i^{(0)} = i \bmod 2^{c}$.

As in FRI, the verifier performs a number of queries, depending on the desired security level (*i.e.* the more queries, the more secure).

# Polynomial commitment scheme

> The Basefold polynomial commitment scheme relies heavily on sum-check. Refer to [this article](/eE8e748ATTeZt-ijJoi2Ng) for a refresher.

The Basefold paper culminates in a polynomial commitment scheme (PCS) for multilinear polynomials. That is, it allows a prover to commit to a multilinear polynomial $f$, and convince the verifier that $f(z) = y$ for some point $z \in \mathbb{F}^d$ chosen by the verifier. The core idea is to interleave sum-check and the IOPP.

> In this section, we will freely switch between the equivalent notations for vectors $z \in \mathbb{F}^d$: $z = (z_1, \dots, z_d)$.

First, we rewrite $f(z_1, \dots, z_d)$ in a form that is amenable to being sum-checked.

$$
f(z_1, \dots, z_d) = \sum_{(x_1, \dots, x_d) \in B_d} f(x_1, \dots, x_d) \cdot eq_z(x_1, \dots, x_d)
$$

where $B_d = \{0, 1\}^d$ is the $d$-dimensional boolean hypercube, and $eq_z(x_1, \dots, x_d) = \prod_{i=1}^d \left( x_i z_i + (1 - x_i)(1 - z_i) \right)$. The above equality holds because a multilinear polynomial is the (unique) multilinear extension of its evaluations over $B_d$.

> For a refresher on multilinear polynomials, see [this article](/oAVRBqLWQIWqvDcTVa4ffg).

Recall that sum-check requires the verifier to be able to evaluate $f(x) \cdot eq_z(x)$ at a random point $r = (r_1, \dots, r_d)$ generated during the protocol. The key realization to make is that, in the commit phase of the IOPP, the last polynomial computed by the prover is exactly $f^{(0)} = f^{(d)}(r_1, \dots, r_d)$! So if we reuse the same random $r$ generated in the IOPP for sum-check, then the verifier can use the $f^{(0)}$ sent by the prover as its query $f^{(d)}(r)$.

> Note: this requires the prover to send $f^{(0)}$ in the last step of the IOPP instead of $\pi^{(0)}$. The verifier can then compute $\pi^{(0)} = Enc_0(f^{(0)})$ on its own in constant time.

Hence, the PCS protocol is as follows:

1. Run the commit phase of the IOPP.
   - This generates $r = (r_1, \dots, r_d)$.
2. Run sum-check, except reusing $(r_1, \dots, r_d)$ as the random values.
   - Use $f^{(0)}$ as the value for $f^{(d)}(r_1, \dots, r_d)$.
   - The final verifier check is $g_1(r_1) = f^{(0)} \cdot eq_z(r)$, where $g_1$ is the last round polynomial sent by the prover (see the sketch after this list).
3. Run the query phase of the IOPP.
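To make the final check in step 2 concrete, here is a toy Python sketch (our own names, toy prime field) of the verifier-side computation: evaluate $eq_z$ at the sum-check randomness $r$ and compare against the last round polynomial evaluated at $r_1$.

```python
P = 2**31 - 1  # toy prime field

def eq_eval(z, x):
    """eq_z(x) = prod_i (x_i * z_i + (1 - x_i) * (1 - z_i)), over the toy field."""
    acc = 1
    for z_i, x_i in zip(z, x):
        acc = acc * ((x_i * z_i + (1 - x_i) * (1 - z_i)) % P) % P
    return acc

def final_sumcheck_check(g1_at_r1, f_0, z, r):
    """Check g_1(r_1) == f^{(0)} * eq_z(r), where f^{(0)} = f^{(d)}(r_1, ..., r_d)
    is taken from the last round of the IOPP commit phase."""
    return g1_at_r1 % P == (f_0 * eq_eval(z, r)) % P
```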
## Pause and ponder

In a sense, sum-check almost gives you a multilinear PCS; the only missing piece is that last query $f^{(d)}(r)$. But the prover already computes that query $f^{(d)}(r)$, as well as all the intermediary polynomials ($f^{(d-1)}(x_1, \dots, x_{d-1}) = f^{(d)}(x_1, \dots, x_{d-1}, r_d)$, $f^{(d-2)}(x_1, \dots, x_{d-2}) = f^{(d)}(x_1, \dots, x_{d-2}, r_{d-1}, r_d)$, *etc.*) during the protocol. Hence, the core idea of the Basefold PCS is to commit to these intermediary polynomials and, in a way, have the verifier track the correct transformation from $f^{(i)}$ to $f^{(i-1)}$. But in order to do that, what was missing was a linear code for multilinear polynomials that allows the verifier to track the correct transformation between codewords (*i.e.* the "foldable" property). Additionally, it's crucial that the IOPP computes $f^{(i-1)} = f_l^{(i)} + r_i f_r^{(i)}$ (that is, the same computation done during sum-check). All in all, the Basefold PCS is a very clever construction at the intersection of all these ideas.