Note on Foldable Codes
/ 7 min read
This work is supported by a grant from the Mina Foundation
Introduction
Polynomial Commitment Schemes (PCS) are fundamental cryptographic primitives in zero-knowledge proofs, built either on elliptic curve cryptography (e.g., KZG construction) or on error-correcting codes with hash functions (e.g., FRI protocol). Elliptic curve-based PCS offer succinct proofs but are computationally intensive, while hash-based PCS are computationally lighter but result in larger proofs.
Given that PCS often bottleneck proof generation, there is significant interest in developing schemes that combine succinctness with prover efficiency. Multivariate polynomials, particularly multilinear ones where each variable has degree at most one, have become increasingly prominent. They enhance protocols like Spartan’s sum-check by improving efficiency and enabling better parallel computation.
However, existing FRI-based PCS support only univariate polynomials, creating a gap with modern proof systems that utilize multivariate polynomials. Recent research focuses on extending the FRI protocol to accommodate multivariate polynomials by constructing efficiently foldable codes.123
In this note, we explore various approaches to building such codes, addressing the challenges and potential solutions in adapting PCS to better serve contemporary proof systems.
Preliminaries
Polynomial Commitment Schemes
A polynomial commitment scheme consists of the following algorithms:
-
Setup: Given a security parameter and the number of variables , output public parameters .
-
Commit: Given an -variate multilinear polynomial and , output a commitment and randomness .
-
Evaluate: Given , , a point , and , output a proof that .
-
Verify: Given , , , , and , output indicating whether the proof is valid.
Multilinear Extensions
For any function , there exists a unique multilinear polynomial known as the multilinear extension of . This polynomial satisfies for all , effectively extending the domain of from the Boolean hypercube to the entire field . Each variable in has degree at most one, ensuring that the polynomial remains multilinear.
Linear Codes
A linear code over is an injective linear mapping . The code is a -dimensional subspace of with minimum Hamming distance , where and denotes the Hamming distance between and .
Correlated Agreement
The correlated agreement principle states that if a random linear combination of two vectors is -close to a codeword in a linear code, then both and are individually -close to some codewords, with discrepancies on the same coordinates.4
Formally, let be randomly chosen. If there exists a codeword such that , then there exist codewords satisfying:
- ,
- ,
The sets , , and are equal.
Foldable Codes
In the context of interactive oracle proofs (IOPs) and polynomial commitment schemes, foldable codes are linear error-correcting codes that support an operation called folding. Folding allows the prover to transform codewords or polynomial evaluations into a compressed form with reduced length or degree while preserving the code’s structural properties essential for verification. A code is considered foldable if it enables such transformations without losing the ability to detect and correct errors.5
Foldable linear codes use encoding algorithms denoted as:
where each encoding step transforms a message of size to one of size . These codes are parameterized by vectors such that, for all and for each index , the vectors satisfy . This property ensures the linear independence of the vectors during the folding process.
The “foldability” of the code refers to the ability to combine two encoded halves (left and right) of the message into a single encoding by folding, as expressed by the equation:
This folding mechanism relies on the fact that the vectors and act as evaluation points, and the encodings of the left and right halves are composed based on their coefficient and evaluation forms. Examples of foldable codes include the well-known Reed-Solomon codes.
BaseFold
BaseFold is a field-agnostic Polynomial Commitment Scheme that achieves verifier costs and prover time by generalizing the FRI protocol to work with any foldable linear code.6
The key innovation is demonstrating that random foldable codes maintain good relative minimum distance over any sufficiently large field, enabling efficient SNARKs that can work natively in any field without expensive field emulation.
The following sections follow the excellent “Basefold in the List Decoding Regime”7 paper.
Folding Protocol
The first step in Basefold is to transform a multilinear polynomial into its univariant representation by evaluating over a boolean hypercube .
With ranging from to , since there are points in the hypercube .
The commitment is calculated by evaluating the univariant polynomial over an evaluation domain . We then split the univariant polynomial into odd and even parts(in the same manner as the FRI protocol).
Which generalizes too:
And concludes with the base case:
Where are the verifier supplied randomness.
Essentially FRI-like folding results from partial evaluations of the multilinear extensions.
Interleaved sum-check and folding
Use multivariate sumcheck protocol to evaluate the final inner product.
The fundamental observation is that the same randomness used in the FRI folding rounds is used in the sumcheck protocol.
BaseFold IOP
Commit Phase
The prover computes sumcheck polynomials in each round:
This polynomial aggregates evaluations over smaller hypercubes at each round , determined by previously fixed challenges and the query point .
Instead of sending sumcheck polynomials directly, the prover sends a linear polynomial:
This simplifies the prover’s work by sending a linear polynomial , which the verifier uses to reconstruct the sumcheck polynomials efficiently.
The sumcheck polynomial is derived from the linear polynomial:
This equation connects the sumcheck polynomial with the folding of Reed-Solomon codes, relating the folding to partial evaluations of the polynomial.
At the last step of the sumcheck protocol, the value of the polynomial at random point is:
After all rounds, the protocol reduces to evaluating at a random point derived from the verifier’s challenges.
Query Phase
The verifier queries the committed polynomials to check consistency:
This equation ensures consistency in folding at every round, verifying that the sumcheck and folding operations align.
Footnotes
-
Brehm, M., Chen, B., Fisch, B., Resch, N., Rothblum, R. D., & Zeilberger, H. (2024). Blaze: Fast SNARKs from Interleaved RAA Codes. Cryptology ePrint Archive, Paper 2024/1609. ↩
-
Guo, Y., Liu, X., Huang, K., Qu, W., Tao, T., & Zhang, J. (2024). DeepFold: Efficient Multilinear Polynomial Commitment from Reed-Solomon Code and Its Application to Zero-knowledge Proofs. Cryptology ePrint Archive, Paper 2024/1595. ↩
-
Zhang, Z., Li, W., Guo, Y., Shi, K., Chow, S. S. M., Liu, X., & Dong, J. (2024). Fast RS-IOP Multivariate Polynomial Commitments and Verifiable Secret Sharing. USENIX Security Symposium. ↩
-
Ben-Sasson, E., Bentov, I., Horesh, Y., & Riabzev, M. (2017). Fast Reed-Solomon Interactive Oracle Proofs of Proximity. Electron. Colloquium Comput. Complex. ↩
-
Chen, B. https://chancharles92.github.io/slides/BaseFold.pdf ↩
-
Zeilberger, H., Chen, B., & Fisch, B. (2023). BaseFold: Efficient Field-Agnostic Polynomial Commitment Schemes from Foldable Codes. Cryptology ePrint Archive, Paper 2023/1705. ↩
-
Haböck, U. (2024). Basefold in the List Decoding Regime. Cryptology ePrint Archive, Paper 2024/1571. ↩