This note attempts to be a summary of the Basefold paper and talk by Binyi Chen.
The paper makes three major contributions that are all interlinked. It introduces

1. a family of linear codes, called "foldable" codes, that generalizes Reed-Solomon codes without requiring FFT-friendly fields,
2. an Interactive Oracle Proof of Proximity (IOPP) for these codes, analogous to FRI, and
3. a polynomial commitment scheme for multilinear polynomials that interleaves this IOPP with sum-check.
Let's dive in!
The authors present a code family that generalizes Reed-Solomon codes such that the code is still linear, but doesn't rely on FFT-friendly fields. The code family is defined recursively as

$$Enc_i(m_l \| m_r) = \big(Enc_{i-1}(m_l) + t_i \odot Enc_{i-1}(m_r)\big) \,\|\, \big(Enc_{i-1}(m_l) + t_i' \odot Enc_{i-1}(m_r)\big),$$

where "$\|$" represents concatenation, "$\odot$" is the element-wise (Hadamard) product, and

$$Enc_0: \mathbb{F}^{k_0} \to \mathbb{F}^{c \cdot k_0}$$

is an arbitrary linear code. In words, $c$ is the blowup factor. The vectors $t_i$ and $t_i'$, each as long as a level-$(i-1)$ codeword and satisfying $t_i[j] \neq t_i'[j]$ for all $j$, are parameters of the code.
The Basefold authors define codes $Enc_d$ built this way as being "foldable".
Notice that $Enc_0$, $c$, and the vectors $t_1, t_1', \dots, t_d, t_d'$, where $k_d = 2^d \cdot k_0$ is the length of the original message to encode, fully define the code. That is, each assignment of values to these parameters results in a different code. We will defer to the paper and the talk for how those values are chosen in practice.
The only property of interest for this discussion is that $Enc_0$ is a linear function; that is, it can be represented as a matrix. We can then show by induction that $Enc_i$ for all $0 < i \leq d$ are also linear. That is, assuming that $Enc_{i-1}$ is linear, show that $Enc_i$ is linear. Let $M_{i-1}$ be the matrix that represents $Enc_{i-1}$. Then,

$$Enc_i(m_l \| m_r) = \begin{bmatrix} M_{i-1} & T_i \cdot M_{i-1} \\ M_{i-1} & T_i' \cdot M_{i-1} \end{bmatrix} \begin{bmatrix} m_l \\ m_r \end{bmatrix},$$

where $T_i$ is a diagonal matrix where the entries along the diagonal are the elements of $t_i$ (and similarly for $T_i'$ and $t_i'$). Hence, since $Enc_i$ can be represented by a matrix, it is linear, which completes the proof sketch.
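To make the recursion concrete, here is a minimal Python sketch of a foldable encoder over a small prime field. The prime, the base code $Enc_0$, and the $t_i$ vectors below are made-up toy values (the paper chooses them carefully to guarantee good code distance); the point is only the recursive structure and the linearity we just proved:

```python
# Toy foldable encoder over F_p. All parameters are illustrative only.
P = 97  # small prime field modulus (hypothetical choice)

def enc0(m):
    # Base code Enc_0: a toy linear map F_p^1 -> F_p^2 (blowup factor c = 2).
    return [m[0] % P, (2 * m[0]) % P]

def enc(m, ts):
    # ts = [(t_1, t_1'), ..., (t_d, t_d')]; the last pair is used at the top level.
    if not ts:
        return enc0(m)
    *rest, (t, t_prime) = ts
    half = len(m) // 2
    l = enc(m[:half], rest)   # Enc_{i-1}(m_l)
    r = enc(m[half:], rest)   # Enc_{i-1}(m_r)
    # (Enc_{i-1}(m_l) + t_i . Enc_{i-1}(m_r)) || (Enc_{i-1}(m_l) + t_i' . Enc_{i-1}(m_r))
    return [(a + ti * b) % P for a, b, ti in zip(l, r, t)] + \
           [(a + ti * b) % P for a, b, ti in zip(l, r, t_prime)]

# d = 2: t_1, t_1' have length n_0 = 2, and t_2, t_2' have length n_1 = 4.
ts = [([3, 5], [7, 11]), ([2, 4, 6, 8], [9, 10, 12, 13])]
m1, m2 = [1, 2, 3, 4], [5, 6, 7, 8]

# Linearity: Enc_d(m1 + m2) == Enc_d(m1) + Enc_d(m2).
lhs = enc([(a + b) % P for a, b in zip(m1, m2)], ts)
rhs = [(a + b) % P for a, b in zip(enc(m1, ts), enc(m2, ts))]
assert lhs == rhs
```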
This section can be safely skipped upon first read
We claimed earlier that the code presented above is a generalization of the Reed-Solomon code. Hence, we need to show that there exist $Enc_0$, $c$, $t_i$ and $t_i'$ which result in a Reed-Solomon code.
Recall the definition of a Reed-Solomon code. For $p \in \mathbb{F}^{\leq k}[x]$ (i.e. $p$ is a polynomial of degree less than or equal to $k$),

$$RS_n[p] = p\big([\omega^0, \omega^1, \dots, \omega^{n-1}]\big),$$

where the brackets signify that $p$ is evaluated over all these points, the result stored in a list of corresponding length. $\omega$ is the generator of a (multiplicative) group of size $n$.
Next, define $p_e$ and $p_o$ to be the polynomials whose coefficients correspond to the even and odd coefficients of $p$, respectively. For example, if $p(x) = 1 + 2x + 3x^2 + 4x^3$, then $p_e(x) = 1 + 3x$ and $p_o(x) = 2 + 4x$. Formally, this is written as

$$p(x) = p_e(x^2) + x \cdot p_o(x^2).$$
Next, since the Reed-Solomon code is linear, the following holds:

$$RS_n[p] = RS_n[p_e(x^2)] + [\omega^0, \dots, \omega^{n-1}] \odot RS_n[p_o(x^2)],$$

where $\odot$ is the Hadamard (element-wise) product.
Next, notice the following:

$$RS_n[p_e(x^2)] = RS_{n/2}[p_e] \,\|\, RS_{n/2}[p_e],$$

since $\omega^{2(j + n/2)} = \omega^{2j}$, where $RS_{n/2}$ evaluates over the group of size $n/2$ generated by $\omega^2$. Naturally, the same holds for $p_o$. Therefore, using the fact that $\omega^{j + n/2} = -\omega^j$, we can rewrite $RS_n[p]$ as

$$RS_n[p] = \big(RS_{n/2}[p_e] + [\omega^0, \dots, \omega^{n/2-1}] \odot RS_{n/2}[p_o]\big) \,\|\, \big(RS_{n/2}[p_e] - [\omega^0, \dots, \omega^{n/2-1}] \odot RS_{n/2}[p_o]\big).$$
Notice that this fits the foldability property, where

$$t_i = [\omega^0, \dots, \omega^{n/2-1}], \qquad t_i' = -t_i,$$

with $m_l$ holding the coefficients of $p_e$ and $m_r$ holding the coefficients of $p_o$.
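This identity is easy to check numerically. The sketch below works in $\mathbb{F}_{17}$, where $\omega = 9$ generates a multiplicative subgroup of size 8 (toy parameters chosen only so that the required roots of unity exist):

```python
# Numerical check of the Reed-Solomon folding identity over F_17.
P = 17
OMEGA = 9  # generator of the order-8 multiplicative subgroup of F_17

def rs_encode(coeffs, omega, n):
    # Reed-Solomon: evaluate the polynomial at omega^0, ..., omega^{n-1}.
    return [sum(c * pow(omega, i * j, P) for j, c in enumerate(coeffs)) % P
            for i in range(n)]

p = [1, 2, 3, 4, 5, 6, 7, 8]   # coefficients of a degree-7 polynomial
pe, po = p[0::2], p[1::2]      # even / odd coefficients

full = rs_encode(p, OMEGA, 8)
half_e = rs_encode(pe, pow(OMEGA, 2, P), 4)  # RS_{n/2} over <omega^2>
half_o = rs_encode(po, pow(OMEGA, 2, P), 4)

t = [pow(OMEGA, j, P) for j in range(4)]     # t = (w^0, ..., w^3), t' = -t
left  = [(e + tj * o) % P for e, o, tj in zip(half_e, half_o, t)]
right = [(e - tj * o) % P for e, o, tj in zip(half_e, half_o, t)]
assert full == left + right   # RS_n[p] = (RS_{n/2}[p_e] + t.RS_{n/2}[p_o]) || (... - ...)
```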
This comes with a caveat. The foldability property requires the coefficients of $p_e$ to be stored in the left part of $m$, followed by the coefficients of $p_o$. And this must be true recursively. Hence, if

$$p(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_7 x^7,$$

then $p$'s coefficients must be stored as

$$(a_0, a_4, a_2, a_6, a_1, a_5, a_3, a_7).$$
We leave it as an exercise to verify why this is correct.
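As a hint, the reordering the caveat describes can be computed with a short recursive sketch (this is the classic bit-reversal permutation):

```python
def foldable_order(coeffs):
    # Recursively store the even-index coefficients first, then the odd-index ones.
    if len(coeffs) <= 1:
        return coeffs
    return foldable_order(coeffs[0::2]) + foldable_order(coeffs[1::2])

# Using the coefficient *indices* 0..7 as stand-ins for a_0..a_7:
assert foldable_order([0, 1, 2, 3, 4, 5, 6, 7]) == [0, 4, 2, 6, 1, 5, 3, 7]
```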
The Basefold paper introduces a new Interactive Oracle Proof of Proximity (IOPP) analogous to FRI, but for multilinear polynomials. That is, the protocol convinces the verifier that the prover has a multilinear polynomial (or, to be more precise, a function "close" to one). Where FRI uses Reed-Solomon codes, Basefold's IOPP uses the foldable code presented in the previous sections. Finally, similar to FRI, Basefold's IOPP also has a "commit" phase, where the prover commits to codewords using Merkle trees for a number of layers, and a "query" phase, where the verifier queries random points in the codewords to check for consistency between the layers.
Formally, the goal of the prover is to show that it has some multilinear polynomial $P(x_1, \dots, x_d)$. Throughout this post, we will assume that all multilinear polynomials are stored as $(P_l \| P_r)$ in coefficient form. In words, $P_l$ is the multilinear polynomial formed from all the coefficients of $P$ which do not have an $x_d$ term, while $P_r$ is the multilinear polynomial formed from the coefficients which do have an $x_d$ term; that is, $P = P_l + x_d \cdot P_r$.

For example, if $P(x_1, x_2) = 1 + 2x_1 + 3x_2 + 4x_1x_2$, then $P_l = 1 + 2x_1$ and $P_r = 3 + 4x_1$. Therefore, $P$ would be stored as an array of coefficients in the following order: $(1, 2, 3, 4)$.
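A small sketch of this storage convention, evaluating $P$ from its coefficient array and checking the $P_l$/$P_r$ split (toy values over a small prime field):

```python
P = 97  # toy prime field modulus

def eval_multilinear(coeffs, point):
    # coeffs[i] multiplies the monomial whose variables are the set bits of i,
    # with x_1 as the least-significant bit (matching the storage order above).
    total = 0
    for i, c in enumerate(coeffs):
        term = c
        for v, x in enumerate(point):
            if (i >> v) & 1:
                term = term * x % P
        total = (total + term) % P
    return total

coeffs = [1, 2, 3, 4]            # P(x1, x2) = 1 + 2*x1 + 3*x2 + 4*x1*x2
pl, pr = coeffs[:2], coeffs[2:]  # P_l = 1 + 2*x1,  P_r = 3 + 4*x1
x1, x2 = 5, 7
# P = P_l + x2 * P_r
assert eval_multilinear(coeffs, [x1, x2]) == \
       (eval_multilinear(pl, [x1]) + x2 * eval_multilinear(pr, [x1])) % P
```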
In the first round, the prover encodes $P$ as $\pi_d = Enc_d(P)$, where $d$ is the number of variables of $P$ (taking $k_0 = 1$, so that messages of length $2^d$ hold all of $P$'s coefficients). It builds a Merkle tree, where the elements of $\pi_d$ are the leaves of the tree, and sends the Merkle root to the verifier.
The verifier then sends a random $\alpha_d \in \mathbb{F}$. The prover uses this random value to build the multilinear polynomial for the next layer:

$$P^{(d-1)} = P_l + \alpha_d \cdot P_r.$$
The protocol repeats similarly for another $d - 1$ rounds, until the prover has committed to all of $\pi_{d-1}, \dots, \pi_0$.
Notice: by construction, $P^{(d-1)}(x_1, \dots, x_{d-1}) = P(x_1, \dots, x_{d-1}, \alpha_d)$. In words, $P^{(d-1)}$ is $P$ where the last variable has been fixed to $\alpha_d$. If we extend this observation all the way down to the last round, $P^{(0)} = P(\alpha_1, \dots, \alpha_d)$, for random $\alpha_1, \dots, \alpha_d$. This will be an important point in the last section when we talk about the Basefold polynomial commitment scheme.
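The commit-phase folding, and the observation that it fixes one variable per round, can be sketched as follows (toy field and challenges, using the coefficient storage convention from earlier):

```python
P = 97  # toy prime field modulus

def fold(coeffs, alpha):
    # One commit-phase round: P^{(i-1)} = P^{(i)}_l + alpha * P^{(i)}_r.
    half = len(coeffs) // 2
    return [(l + alpha * r) % P for l, r in zip(coeffs[:half], coeffs[half:])]

coeffs = [1, 2, 3, 4]  # P(x1, x2) = 1 + 2*x1 + 3*x2 + 4*x1*x2
a2, a1 = 7, 5          # verifier challenges: fix x2 first, then x1
final = fold(fold(coeffs, a2), a1)  # P^{(0)}, a single field element
# P(5, 7) = 1 + 2*5 + 3*7 + 4*5*7 = 172 = 75 (mod 97)
assert final == [75]
```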
The goal of the query phase is for the verifier to check the consistency between $\pi_i$ and $\pi_{i-1}$ for all $1 \leq i \leq d$. Concretely, from 2 points in $\pi_i$, the verifier will be able to compute a single point in $\pi_{i-1}$, for which the prover will send a Merkle proof. In order to do that, we will need to make use of the foldability property and linearity of the code.
Let $\pi_i = Enc_i(P^{(i)})$, and let $n_i$ denote its length. Recall that the foldability property of the code states that

$$\pi_i = \big(Enc_{i-1}(P^{(i)}_l) + t_i \odot Enc_{i-1}(P^{(i)}_r)\big) \,\|\, \big(Enc_{i-1}(P^{(i)}_l) + t_i' \odot Enc_{i-1}(P^{(i)}_r)\big).$$

For readability purposes, we will define the following variables:

$$\pi_l = Enc_{i-1}(P^{(i)}_l), \qquad \pi_r = Enc_{i-1}(P^{(i)}_r),$$

so that $\pi_i = (\pi_l + t_i \odot \pi_r) \,\|\, (\pi_l + t_i' \odot \pi_r)$.
With this, we are ready to start discussing how queries work. The verifier samples a random index $j \in \{0, \dots, n_{i-1} - 1\}$. The prover sends $\pi_i[j]$, $\pi_i[j + n_{i-1}]$, and their corresponding Merkle proofs.
Next, the verifier infers $\pi_l[j]$ and $\pi_r[j]$. The previous definition of $\pi_l$ and $\pi_r$, when zooming in on the index $j$, can be written as

$$\pi_i[j] = \pi_l[j] + t_i[j] \cdot \pi_r[j],$$
$$\pi_i[j + n_{i-1}] = \pi_l[j] + t_i'[j] \cdot \pi_r[j],$$

or equivalently,

$$\pi_r[j] = \frac{\pi_i[j] - \pi_i[j + n_{i-1}]}{t_i[j] - t_i'[j]}, \qquad \pi_l[j] = \pi_i[j] - t_i[j] \cdot \pi_r[j].$$

Note that this system is solvable precisely because $t_i[j] \neq t_i'[j]$.
Finally, recall from the commit phase that

$$P^{(i-1)} = P^{(i)}_l + \alpha_i \cdot P^{(i)}_r.$$

We can use the linearity property of the code to get

$$\pi_{i-1} = Enc_{i-1}\big(P^{(i)}_l + \alpha_i \cdot P^{(i)}_r\big) = \pi_l + \alpha_i \cdot \pi_r.$$

When we focus on a single index $j$, we get

$$\pi_{i-1}[j] = \pi_l[j] + \alpha_i \cdot \pi_r[j].$$
Hence, the verifier was able to compute $\pi_{i-1}[j]$, which was our initial goal.
Note that $\pi_{i-1}[j]$ lies in either the first or the second half of $\pi_{i-1}$; that is, in the first half when $j < n_{i-2}$, and in the second half otherwise. Whichever one it is, the prover only needs to send the Merkle proof for it, since the verifier already computed the value. Naturally, the prover also needs to send the value & Merkle proof for the corresponding entry in the other half (which the verifier didn't compute).
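The verifier-side algebra of a single query can be checked numerically. The sketch below uses made-up values for $\pi_l$, $\pi_r$, $t_i$, and $t_i'$ (any values with $t_i[j] \neq t_i'[j]$ work, since only the foldability structure matters), builds $\pi_i$, and recovers $\pi_{i-1}[j]$ from the two queried entries:

```python
P = 97  # toy prime field modulus

# Stand-ins for Enc_{i-1}(P_l) and Enc_{i-1}(P_r): hypothetical values.
pi_l = [10, 20, 30, 40]
pi_r = [5, 6, 7, 8]
t       = [2, 3, 4, 9]
t_prime = [11, 13, 17, 19]  # must differ from t entrywise

# Foldability: pi_i = (pi_l + t . pi_r) || (pi_l + t' . pi_r)
pi_i = [(l + ti * r) % P for l, r, ti in zip(pi_l, pi_r, t)] + \
       [(l + ti * r) % P for l, r, ti in zip(pi_l, pi_r, t_prime)]

alpha = 7  # folding challenge from the commit phase
pi_prev = [(l + alpha * r) % P for l, r in zip(pi_l, pi_r)]  # pi_{i-1}

# Verifier's view: query index j, receive pi_i[j] and pi_i[j + half].
j, half = 2, 4
a, b = pi_i[j], pi_i[j + half]
# Solve the 2x2 system for pi_r[j] and pi_l[j].
r_j = (a - b) * pow(t[j] - t_prime[j], -1, P) % P
l_j = (a - t[j] * r_j) % P
# The verifier now computes pi_{i-1}[j] on its own.
assert (l_j + alpha * r_j) % P == pi_prev[j]
```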
The same process then repeats for each round. In the last round, the prover only sends the Merkle proof for $\pi_0[j_0]$. The verifier ensures that the Merkle proof check passes against the value of $\pi_0[j_0]$ that it computed, completing the query.

Note: we use $j_0$ to signify the index in the last round, where $j_0 \in \{0, \dots, n_0 - 1\}$.
As in FRI, the verifier performs a number of queries, depending on the desired security level (i.e. the more queries, the more secure).
The Basefold polynomial commitment scheme relies heavily on sum-check. Refer to this article for a refresher.
The Basefold paper culminates in a polynomial commitment scheme (PCS) for multilinear polynomials. That is, it allows a prover to commit to a multilinear polynomial $P$, and convince the verifier that $P(\vec{z}) = y$ for some point $\vec{z}$ chosen by the verifier. The core idea is to interleave sum-check and the IOPP.
In this section, we will freely switch between the equivalent notations for vectors: $\vec{x}$ and $(x_1, \dots, x_d)$.
First, we rewrite $P(\vec{z})$ in a form that is amenable to being sum-checked:

$$P(\vec{z}) = \sum_{\vec{b} \in \{0,1\}^d} P(\vec{b}) \cdot \widetilde{eq}(\vec{b}, \vec{z}),$$

where $\{0,1\}^d$ is the $d$-dimensional boolean hypercube, and $\widetilde{eq}(\vec{b}, \vec{z}) = \prod_{i=1}^d \big(b_i z_i + (1 - b_i)(1 - z_i)\big)$. The above equality is true by definition of multilinear polynomials: the right-hand side is the unique multilinear polynomial agreeing with $P$ on the hypercube, which is $P$ itself.
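This identity is easy to check numerically; the sketch below sums $P(\vec{b}) \cdot \widetilde{eq}(\vec{b}, \vec{z})$ over the hypercube for a toy 2-variable polynomial:

```python
P = 97  # toy prime field modulus

def eval_multilinear(coeffs, point):
    # Same storage convention as before: coeffs[i] multiplies the monomial
    # whose variables are the set bits of i (x_1 = least-significant bit).
    total = 0
    for i, c in enumerate(coeffs):
        term = c
        for v, x in enumerate(point):
            if (i >> v) & 1:
                term = term * x % P
        total = (total + term) % P
    return total

def eq(b, z):
    # eq(b, z) = prod_i (b_i * z_i + (1 - b_i) * (1 - z_i))
    out = 1
    for bi, zi in zip(b, z):
        out = out * (bi * zi + (1 - bi) * (1 - zi)) % P
    return out

coeffs = [1, 2, 3, 4]  # P(x1, x2) = 1 + 2*x1 + 3*x2 + 4*x1*x2
z = [5, 7]
total = sum(eval_multilinear(coeffs, [b1, b2]) * eq([b1, b2], z)
            for b1 in (0, 1) for b2 in (0, 1)) % P
assert total == eval_multilinear(coeffs, z)  # sum over hypercube equals P(z)
```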
For a refresher on multilinear polynomials, see this article.
Recall that sum-check requires the verifier to be able to evaluate $P$ at a random point generated during the protocol. The key realization to make is that in the commit phase of the IOPP, the last polynomial computed by the prover is exactly $P^{(0)} = P(\alpha_1, \dots, \alpha_d)$! So if we reuse the same random $\alpha_i$'s generated in the IOPP for sum-check, then the verifier can use the $P^{(0)}$ sent by the prover as its query $P(\vec{\alpha})$.

Note: this requires the prover to send $P^{(0)}$ in the last step of the IOPP instead of $\pi_0$. The verifier can then compute $\pi_0 = Enc_0(P^{(0)})$ on its own in constant time.
Hence, the PCS protocol is, roughly, as follows:

1. The prover commits to $P$ by sending the Merkle root of $\pi_d = Enc_d(P)$.
2. The verifier sends the evaluation point $\vec{z}$.
3. The prover and verifier run sum-check on $\sum_{\vec{b}} P(\vec{b}) \cdot \widetilde{eq}(\vec{b}, \vec{z})$, interleaved with the IOPP commit phase, reusing each sum-check challenge $\alpha_i$ as the IOPP folding challenge.
4. In the last round, the prover sends $P^{(0)}$, which the verifier uses both to complete the final sum-check check and to compute $\pi_0 = Enc_0(P^{(0)})$.
5. The verifier runs the IOPP query phase to check consistency between all committed layers.
In a sense, sum-check almost gives you a multilinear PCS; the only missing piece is that last query $P(\vec{\alpha})$. But the prover already computes that query $P^{(0)} = P(\vec{\alpha})$, as well as all intermediary polynomials ($P^{(d-1)}$, $P^{(d-2)}$, etc.) during the protocol. Hence, the core idea of the Basefold PCS is to commit to these intermediary polynomials, and in a way, have the verifier track the correct transformation from $P$ to $P(\vec{\alpha})$.

But in order to do that, what was missing was a linear code for multilinear polynomials that allows the verifier to track the correct transformation between codewords (i.e. the "foldable" property). Additionally, it's crucial that the IOPP's folding computes $P^{(i-1)} = P^{(i)}_l + \alpha_i \cdot P^{(i)}_r$ (that is, the same variable-fixing computation done during sum-check).
All in all, the Basefold PCS is a very clever construction at the intersection of all these ideas.