A basic of Binius: Towers of Binary Fields

In blockchain technology, reducing computational complexity has always been one of its primary goals. One effective approach to achieving this is by reducing the bit width of the computation field. For example, SNARKs based on elliptic curves perform arithmetic operations in fields with bit widths of 256 or higher, while STARKs have evolved from using the 64-bit Goldilocks field to the 31-bit Mersenne31 and BabyBear fields. Beyond the efficiency of the prime numbers themselves during modular operations, the significant reduction in bit width has led to Plonky2 being hundreds of times faster than its predecessor, Plonky. Following this trajectory, one might wonder: is it possible to set the field width to 1, specifically

F_{2}

? The Ulvetanna (IRREDUCIBLE) team addressed this question in their research paper titled Succinct Arguments over Towers of Binary Fields [1], implemented it in Rust with their project, Binius: a Hardware-Optimized SNARK [2][3].

Since its release, Binius has garnered significant attention in the ZK (Zero-Knowledge) community. The LambdaClass team has provided several technical analyses [4][5][6], and Vitalik Buterin offered a more accessible explanation [7]. In this article, we will explore the foundations of Binius, focusing on the Towers of Binary Fields, from both a technical and implementation perspective.

Binary Fields

The implementation of Binius is based on Binary Fields. In Binius, Binary Fields are constructed using towers of field extensions.

The simplest Binary Field is

F 2

, which contains only two elements

0, 1

, with operations performed modulo 2: addition corresponds to bitwise XOR, and multiplication corresponds to bitwise AND. By choosing an irreducible polynomial

m (x) = x^{2} + x + 1

over

F 2

, we can form the field

F_{2^{2}}

, where the elements are remainders of polynomials of degree at most 1,

r (x) = a x + b

(with

a, b \in 0, 1

While one method to extend fields involves taking remainders using irreducible polynomials, Binius employs a more efficient approach: the use of Multilinear Lagrange polynomials as a basis for tower extensions. This method allows for recursive field extensions, where each extension field is nested within the previous one.

The Specific Implementation of Tower Extensions is as Follows:
First,

τ 0 = F 2

;
Then,

τ 1 = \frac{F 2 [x 0]}{(x 0^{2} + x_{0} + 1)}

;
Next,

τ k = \frac{F 2 [x k - 1]}{(x {k - 1}^{2} + x k - 1 x k - 2 + 1)}

From the construction process of the field extensions, it is clear that the extensions satisfy the following relationship:

τ 0 \subset τ 1 \subset τ 2 \subset \dots \subset τ m

. For

k \geq 0

, the field extension can also be expressed in the direct form of a ring as:

τ_{k} = F_{2} [x_{0,} \dots, x_{k - 1}] / (x_{0}^{2} + x_{0} + 1, \dots, x_{k - 1}^{2} + x_{k - 2} x_{k - 1} + 1)

Based on this implementation, different extensions can be obtained as follows:

$τ_{0} = {0, 1}$
$τ_{1} = {0 + 0 x_{0}, 1 + 0 x_{0}, 0 + 1 x_{0}, 1 + 1 x_{0}}$ , or
$τ_{1} = {τ_{0}, 0 + 1 x_{0}, 1 + 1 x_{0}}$
$τ_{2} = {\begin{aligned} 0 + 0 x_{0} + 0 x_{1} + 0 x_{0} x_{1}, 1 + 0 x_{0} + 0 x_{1} + 0 x_{0} x_{1}, 0 + 1 x_{0} + 0 x_{1} + 0 x_{0} x_{1}, \\ 1 + 1 x_{0} + 0 x_{1} + 0 x_{0} x_{1}, \dots, 1 + 1 x_{0} + 1 x_{1} + 1 x_{0} x \end{aligned}}$ , Or
$τ_{2} = {τ_{1}, 0 + 0 x_{0} + 1 x_{1} + 0 x_{0} x_{1}, \dots, 1 + 1 x_{0} + 1 x_{1} + 1 x_{0} x_{1}}$

From the Elements Contained in the Extended Field
It is evident that for an element

b 0 b 1 b 2 \dots b 2^{k} - 1

derived from

τ k

, it can be decomposed into the sum of two parts:

b l o + x k - 1 b h i

(where

b l o, b h i \in τ k - 1

). For example,

1100101010001111 = 11001010 + 1000111 \times x 3

, where

11001010, 10001111 \in τ_{2}

. By iteratively decomposing, we can finally express:

1100101010001111 = 1 + x_{0} + x_{2} + x_{2} x_{1} + x_{3} + x_{2} x_{3} + x_{0} x_{2} x_{3} + x_{1} x_{2} x_{3} + x_{0} x_{1} x_{2} x_{3}

Additionally, for

k > 0

, since

x_{k}^{2} = x k x k - 1 + 1

, addition and multiplication can be efficiently implemented in the binary extended field.

Implementation of Binary Fields

Irreducible provides the open-source Rust implementation of Binius [3]. The source code includes complete implementations and operations for the Tower of Binary Fields [8,9,10].

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Figure 1: Implementation of the Construction of the Tower of Binary Fields

In [8], as shown in Figure 1, the implementation includes the complete definition of operations for binary fields and the construction of the Tower of Binary Fields. The Tower of Binary Fields, supporting up to a 128-bit binary field, is defined as follows:

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Figure 2: 128-bit Wide Tower of Binary Fields

Additionally, [8] provides test and verification code for the Tower of Binary Fields and related operations.

References
[1] https://eprint.iacr.org/2023/1784
[2] https://www.irreducible.com/posts/binius-hardware-optimized-snark
[3] https://gitlab.com/IrreducibleOSS/binius
[4] SNARKs on binary fields: Binius - Part 1 (lambdaclass.com)
[5] SNARKs on binary fields: Binius - Part 2 (lambdaclass.com)
[6] How Binius is helping move the ZK industry forward (lambdaclass.com)
[7] https://vitalik.eth.limo/general/2024/04/29/binius.html
[8] binius/crates/field/src/binary_field.rs at main · IrreducibleOSS/binius · GitHub
[9] binius/crates/field/src/binary_field_arithmetic.rs at main · IrreducibleOSS/binius · GitHub
[10] binius/crates/field/src/extension.rs at main · IrreducibleOSS/binius · GitHub

A basic of Binius: Towers of Binary Fields

Binary Fields

Implementation of Binary Fields

Read more

Circle FFT and its implementation

Babylon: An Extremely Appealing Protocol Scaling Bitcoin to Secure PoS Chains

Onis Litepaper of Ola

Babylon+Ola