The Polynomial Commitment

There are many ways of constructing polynomial commitments, including the KZG commitment, which relies on elliptic curves, and the FRI commitment. Binius will rely on a different kind of polynomial commitment, which has the advantage that it can be made compatible with bits without much memory overhead.

The Brakedown Polynomial Commitment

Suppose we’d like a way for the prover to commit to some data $t \in \mathbb{F}^{2^n}$ in a way that’s compatible with the verifier learning (with help from the prover) a value $\tilde{t}(r)$ in the multilinear extension of $t$, where $r \in \mathbb{F}^n$. As a first attempt, one could simply have the prover hash the values of $t$, but there’s not a good way to reveal the value $\tilde{t}(r)$ without opening the entire commitment and computing $\tilde{t}(r)$ from scratch. Alternatively, one could write down all the values of $\tilde{t}$ over $\mathbb{F}^n$ and commit to these. The benefit of this approach is that revealing $\tilde{t}(r)$ requires just opening the commitment at a single location. However, this would require $|\mathbb{F}|^n$ computation from the prover, which is far too expensive compared to the amount of raw data ($2^n$ values) the prover is actually trying to commit to. What we’d really like is a polynomial commitment scheme that uses only a small linear-factor overhead in the amount of computation needed.
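To make the cost discussion concrete, here is a small sketch (not from the original text; the names `eq_weight`, `mle_eval`, and the prime modulus `P` are made up, with a toy prime field standing in for the binary fields used later) of evaluating a multilinear extension directly from the raw data. Each query touches all $2^n$ values:

```python
# Toy illustration (not the Binius implementation): evaluating the multilinear
# extension t~(r) of 2^n data values directly from the raw data.
P = 2**31 - 1  # toy prime modulus

def eq_weight(bits, r):
    """Lagrange weight eq(bits, r) = prod_i (bits_i*r_i + (1-bits_i)*(1-r_i))."""
    w = 1
    for b, ri in zip(bits, r):
        w = w * (ri if b else (1 - ri)) % P
    return w

def mle_eval(t, r):
    """t~(r) = sum over x in {0,1}^n of t[x] * eq(x, r): O(2^n) work per query."""
    n = len(r)
    total = 0
    for x in range(len(t)):
        bits = [(x >> i) & 1 for i in range(n)]
        total = (total + t[x] * eq_weight(bits, r)) % P
    return total

t = [3, 1, 4, 1, 5, 9, 2, 6]          # 2^3 data values
print(mle_eval(t, [0, 1, 1]))          # agrees with t on the hypercube -> t[6] = 2
print(mle_eval(t, [123, 456, 789]))    # a "random" evaluation off the cube
```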

Instead, we will rearrange the data so that instead of lying in an $n$-dimensional hypercube of side length $2$, it now lies in a $2$-dimensional square of side length $2^{n/2}$. Then, we will commit to a low degree extension of this square, which will only require the prover to compute $O(2^n)$ additional values. But – the verifier wants to learn a point in the multilinear extension of $t$, not the square extension – how can a square extension possibly be compatible with this task? It turns out that if we re-format $t$ into a square in the correct way, a random point in the multilinear extension of $t$ becomes a random point in the square extension of the square.

Mathematically, to turn the multilinear extension $\tilde{t}(x_1, \dots, x_n)$ into a square extension $T(X, Y)$, we will simply partition the variables of $\tilde{t}$ into two parts, $(x_1, \dots, x_{n/2})$ and $(x_{n/2+1}, \dots, x_n)$, and treat each part as a single variable. That is, we can view any tuple $(b_1, \dots, b_{n/2}) \in \{0,1\}^{n/2}$ as a number in $\mathbb{F}$ via an injective map $\varphi: \{0,1\}^{n/2} \to \mathbb{F}$. It might be helpful for now to imagine $\varphi$ as the map sending a binary representation to its integer value, though later we will want a different $\varphi$ to work over extension fields of $\mathbb{F}_2$. Our square encoding will be the $2$-variate polynomial $T$ defined via $T(\varphi(x_1, \dots, x_{n/2}), \varphi(x_{n/2+1}, \dots, x_n)) = \tilde{t}(x_1, \dots, x_n)$ for all $(x_1, \dots, x_n) \in \{0,1\}^n$. Note that the original values of $t$ are now located in the grid $\varphi(\{0,1\}^{n/2}) \times \varphi(\{0,1\}^{n/2})$, and $T$ is the low degree extension of this square.
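As a sanity check on the re-indexing, here is a toy sketch (the names `phi` and `to_square` are made up for this illustration) of re-formatting the data into a square using the "binary representation to integer" choice of $\varphi$:

```python
# Toy illustration of re-formatting 2^n values into a 2^(n/2) x 2^(n/2) square.
def phi(bits):
    """Injective map from a bit tuple to an integer (row/column index)."""
    return sum(b << i for i, b in enumerate(bits))

def to_square(t, n):
    """Place t[x] at row phi(high half of x), column phi(low half of x)."""
    half = n // 2
    side = 1 << half
    M = [[0] * side for _ in range(side)]
    for x in range(1 << n):
        bits = [(x >> i) & 1 for i in range(n)]
        M[phi(bits[half:])][phi(bits[:half])] = t[x]
    return M

t = list(range(16))        # 2^4 values
for row in to_square(t, 4):
    print(row)             # each row holds 2^2 consecutive values of t
```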

It turns out that as long as $\varphi$ is a linear map (extended linearly from $\{0,1\}^{n/2}$ to $\mathbb{F}^{n/2}$), a random evaluation point $r \in \mathbb{F}^n$ gets mapped to a random point $(s_1, s_2) \in \mathbb{F}^2$ via the identity $\tilde{t}(r_1, \dots, r_n) = T(s_1, s_2)$, where $s_1 = \varphi(r_1, \dots, r_{n/2})$ and $s_2 = \varphi(r_{n/2+1}, \dots, r_n)$. So now our task is simply to commit to $T$, in a way that allows the verifier to learn $T$ at a random point $(s_1, s_2) \in \mathbb{F}^2$.

The Commitment

The prover begins with some values $t$ arranged into a $2^{n/2} \times 2^{n/2}$ square as above. She will first compute the horizontal encoding of this square as given by $T$, namely the values $T(x, y)$ for each row index $y \in \varphi(\{0,1\}^{n/2})$ and each column $x$ ranging over an extended evaluation domain $D \supseteq \varphi(\{0,1\}^{n/2})$.
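The following sketch shows one way such a horizontal encoding can look, with a small prime field standing in for the binary fields Binius actually uses and with made-up helper names (`lagrange_eval`, `encode_row`): each row is extended by evaluating its low degree extension at additional points.

```python
# Toy "horizontal encoding": extend each 4-entry row of the square to 8 points
# by evaluating its degree-<4 univariate extension at extra x values.
P = 2**31 - 1

def lagrange_eval(values, x):
    """Evaluate the unique degree < len(values) polynomial through
    (0, values[0]), (1, values[1]), ... at the point x (mod P)."""
    n = len(values)
    total = 0
    for i, vi in enumerate(values):
        num, den = 1, 1
        for j in range(n):
            if j != i:
                num = num * (x - j) % P
                den = den * (i - j) % P
        total = (total + vi * num * pow(den, -1, P)) % P
    return total

def encode_row(row, blowup=2):
    """Reed-Solomon-style encoding: original values plus extra evaluations."""
    return [lagrange_eval(row, x) for x in range(blowup * len(row))]

square = [[1, 2, 3, 4], [5, 6, 7, 8], [9, 10, 11, 12], [13, 14, 15, 16]]
encoded = [encode_row(row) for row in square]
print(encoded[0])   # first 4 entries equal the original row
```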

Next, she will compute a Merkle commitment of this table. If you aren’t familiar with Merkle commitments, their key property is that you can open parts of the committed word without opening the entire string. So for our case, this means that the prover can later reveal a single value $T(x, y)$ at a fraction of the cost of revealing the entire table. This Merkle hash will be the commitment to our polynomial $T$ (and hence to $\tilde{t}$).
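For concreteness, here is a minimal Merkle-commitment sketch (SHA-256 via Python’s hashlib; the function names are made up for this illustration) of the kind of structure the prover can hash the table’s columns into, so that any single column can later be opened with a short authentication path:

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def merkle_layers(leaves):
    """Build all layers of the tree; leaves must be a power-of-two list of bytes."""
    layers = [leaves]
    while len(layers[-1]) > 1:
        prev = layers[-1]
        layers.append([H(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return layers

def merkle_open(layers, index):
    """Return the sibling hashes needed to verify leaf `index`."""
    path = []
    for layer in layers[:-1]:
        path.append(layer[index ^ 1])
        index //= 2
    return path

def merkle_verify(root, leaf, index, path):
    h = leaf
    for sibling in path:
        h = H(h + sibling) if index % 2 == 0 else H(sibling + h)
        index //= 2
    return h == root

# Commit to 8 "columns" (here just stand-in byte strings).
cols = [H(bytes([i])) for i in range(8)]
layers = merkle_layers(cols)
root = layers[-1][0]
proof = merkle_open(layers, 5)
print(merkle_verify(root, cols[5], 5, proof))   # True
```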

Now, we have to answer two questions. First, how does the verifier know that the prover gave him a good, well formed commitment and not just some random string? And second, how can the verifier learn a value $T(s_1, s_2)$?

Testing

For the first question, the verifier simply wants to check that the prover committed to a table where each row is a low degree polynomial. He’ll ask the prover for a random linear combination of the rows, which, if the prover were honest, would be a low degree polynomial. To save a bit on communication, the prover can simply send him the values of the sum on the first $2^{n/2}$ columns, which uniquely determine the rest of the low degree polynomial. The verifier also needs to check that the received low degree polynomial is in fact the random linear combination he asked for. To do this, he will spot check the claimed linear combination by asking for the values of the rows at a few random columns $x$ and checking them against the value of the claimed linear combination at $x$. This ensures that the prover is actually giving the verifier the correct linear combination of the rows.
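A toy sketch of this test follows, with a small prime field and illustrative names (`combine_rows`, `spot_check`), and with the simplification that the prover sends the combination on every column rather than just enough columns to determine the polynomial:

```python
import random

P = 2**31 - 1

def combine_rows(table, coeffs):
    """Return sum_y coeffs[y] * table[y], computed column by column (mod P)."""
    width = len(table[0])
    return [sum(c * row[x] for c, row in zip(coeffs, table)) % P
            for x in range(width)]

def spot_check(encoded_table, coeffs, claimed, num_checks=3):
    """Check the claimed combination at a few random columns."""
    width = len(encoded_table[0])
    for _ in range(num_checks):
        x = random.randrange(width)
        opened_column = [row[x] for row in encoded_table]   # via Merkle openings
        expect = sum(c * v for c, v in zip(coeffs, opened_column)) % P
        if expect != claimed[x]:
            return False
    return True

# Prover side: an (already encoded) table of 4 rows.
encoded_table = [[random.randrange(P) for _ in range(8)] for _ in range(4)]
coeffs = [random.randrange(P) for _ in range(4)]            # verifier's challenge
claimed = combine_rows(encoded_table, coeffs)                # honest prover's answer
print(spot_check(encoded_table, coeffs, claimed))            # True for an honest prover
```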

Why is this test good? It turns out that there’s a property of codes known as proximity testing, which essentially states that if any of the committed rows are far from the code space, then a random linear combination of them will also be far from the code space with high probability. This means that if any of the rows aren’t low degree polynomials (or at least close to one), then their random combination must disagree with the claimed low degree polynomial on a constant fraction of columns, so some of the spot checks should fail.

Evaluation

The second question is: how can the verifier evaluate $T(s_1, s_2)$? It turns out he can do this the same way that testing works. He’ll ask for the linear combination of the rows given by the interpolation coefficients of $s_2$ (so that the combination equals the row $x \mapsto T(x, s_2)$), check consistency with the Merkle commitment via spot checks, and then can simply evaluate the resulting low degree row at $x = s_1$ to obtain $T(s_1, s_2) = \tilde{t}(r)$.
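The following toy check (prime field stand-in, made-up names `lagrange_weights` and `lagrange_eval`) illustrates why this works: combining the rows of the square with the interpolation weights of $s_2$ and then evaluating at $s_1$ gives the same answer as evaluating $T$ directly.

```python
P = 2**31 - 1

def lagrange_weights(n, s):
    """Weights w_i with  f(s) = sum_i w_i * f(i)  for any degree < n polynomial f."""
    ws = []
    for i in range(n):
        num, den = 1, 1
        for j in range(n):
            if j != i:
                num = num * (s - j) % P
                den = den * (i - j) % P
        ws.append(num * pow(den, -1, P) % P)
    return ws

def lagrange_eval(values, s):
    return sum(w * v for w, v in zip(lagrange_weights(len(values), s), values)) % P

square = [[1, 6, 1, 8], [0, 3, 3, 9], [8, 8, 7, 5], [2, 4, 6, 8]]  # rows indexed by y
s1, s2 = 1234, 5678

# Verifier's route: weights from s2 combine the rows, then evaluate at s1.
w = lagrange_weights(4, s2)
combined_row = [sum(wy * square[y][x] for y, wy in enumerate(w)) % P for x in range(4)]
via_rows = lagrange_eval(combined_row, s1)

# Direct route: evaluate each row at s1 first, then interpolate across rows at s2.
via_cols = lagrange_eval([lagrange_eval(row, s1) for row in square], s2)
print(via_rows == via_cols)   # True: both equal T(s1, s2)
```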

The Binius Polynomial Commitment

So far, we’ve described a polynomial commitment that works over large fields $\mathbb{F}$. In particular, each of the entries in each row and column is a field element. Even if the data values are binary, they are treated and stored as (many-bit) field elements, which can result in a huge constant overhead in SNARK size. The innovation of the Binius polynomial commitment is the ability to work with bit values, without having to embed the bits in large fields first.

The key idea in the Binius commitment is the following: we can save representation overhead by batching bits into field elements. Already, a field element of $\mathbb{F}_{2^k}$ requires $k$ bits to represent: why not have these $k$ bits be the binary bits we were trying to encode? Specifically, let us group the bits in each row into groups of size $k$, view each group as a single field element (so now we have a $2^{n/2} \times 2^{n/2}/k$ table of field elements), and then perform the encoding over this new table.
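A tiny sketch of the packing step (the names `pack_row` and `k` are illustrative; the integer representation matches the basis described in the tower-field section below):

```python
# Group each row of bits into k-bit chunks and view each chunk as one field
# element (here just the integer whose bits are the chunk).
k = 4

def pack_row(bits, k):
    """Pack a row of bits into len(bits)//k field elements (as integers)."""
    assert len(bits) % k == 0
    return [sum(bits[i + j] << j for j in range(k)) for i in range(0, len(bits), k)]

row_of_bits = [1, 0, 1, 1,  0, 0, 1, 0,  1, 1, 1, 1,  0, 1, 0, 0]
print(pack_row(row_of_bits, k))   # [13, 4, 15, 2]: a 4x shorter row of field elements
```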

Testing and evaluation will still operate as before: the verifier will ask the prover for a linear combination of the rows, and then will check consistency via spot checks. This ensures that the commitment is to a well formed table of field elements where each row is a low degree polynomial.

However, for evaluation, we need to actually evaluate a given linear combination of the bits, not of the field elements. Currently, testing and evaluation operate over field elements; that is, the verifier asks for a random linear combination of the rows in field-element form. Instead, we need the verifier to be able to ask for any linear combination of the rows in bit form that he chooses.

Let us elaborate a bit on exactly what we need. At the end of the IOP, the verifier is looking to learn a given linear combination of the bits of $t$. This linear combination is given by two sets of coefficients, $(a_y)_y$ and $(b_x)_x$. The first set of coefficients, $(a_y)$, tells how to sum the rows of bits to get a single row of field elements, and $(b_x)$ tells how to sum the field elements within that row sum. If we could compute the row sum, then computing the final answer would be straightforward. Unfortunately, since we’ve batched the bits into field elements, taking a linear combination of the rows could scramble the bits making up each field element, so that nowhere in the combined row can we read off the desired per-bit sums.
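To see the scrambling concretely, here is a tiny example (not from the original text) in the field $\mathbb{F}_4 = \mathbb{F}_2[X]/(X^2 + X + 1)$, whose elements pack two bits as $b_0 + b_1 X$. Multiplying such a packed element by the coefficient $X$ gives

$$X \cdot (b_0 + b_1 X) \;=\; b_1 + (b_0 + b_1)\,X,$$

so after taking a combination whose coefficients include $X$, the individual bits $b_0$ and $b_1$ are mixed together rather than sitting in fixed positions.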

The Tower Field

The answer, it turns out, is to use a special field that keeps its component bits in the same order under addition. This field is known as the tower field, and has order $2^{2^k}$ for some $k$. It is defined inductively as follows: $\mathcal{T}_0 = \mathbb{F}_2$, $\mathcal{T}_1 = \mathcal{T}_0[X_1]/(X_1^2 + X_1 + 1)$, and for $k \geq 1$, $\mathcal{T}_{k+1} = \mathcal{T}_k[X_{k+1}]/(X_{k+1}^2 + X_k X_{k+1} + 1)$.

It is not hard to check that the size of $\mathcal{T}_k$ is $2^{2^k}$, and that an $\mathbb{F}_2$-basis of $\mathcal{T}_k$ consists of the $2^k$ elements $\prod_{i \in S} X_i$ for subsets $S \subseteq \{1, \dots, k\}$, i.e., the multilinear monomials in $X_1, \dots, X_k$.

For instance, an $\mathbb{F}_2$-basis of $\mathcal{T}_2$ is given by the elements $1, X_1, X_2, X_1 X_2$.

This basis gives us a natural way to batch bits into field elements, by regarding a collection of $2^k$ bits as the coefficients of this basis. We claim this field embedding solves our problems. Consider two field elements given by bits $(a_S)_S$ and $(b_S)_S$, that is, $a = \sum_S a_S \prod_{i \in S} X_i$ and $b = \sum_S b_S \prod_{i \in S} X_i$. Then their sum equals $\sum_S (a_S + b_S) \prod_{i \in S} X_i$ and respects the mod-$2$ behavior of each of the bits. So in particular, if we take any $\mathbb{F}_2$-linear combination of the rows of our table, we get the same result whether we consider the rows as consisting of bits or of field elements.
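Here is a toy implementation of this tower field arithmetic (the names `tower_add` and `tower_mul` are made up for this sketch), with elements packed into integers exactly as the basis suggests; addition is then literally a bitwise XOR, so the bits never move:

```python
# Elements of T_k are 2^k-bit integers whose bits are the coefficients of the
# basis above (bit position p encodes which X_i appear in the monomial).

def tower_add(a, b):
    """Addition in T_k: coefficient-wise mod 2, i.e. XOR of the packed bits."""
    return a ^ b

def tower_mul(a, b, k):
    """Multiplication in T_k, using X_k^2 = X_{k-1} * X_k + 1 recursively."""
    if k == 0:
        return a & b                          # T_0 = F_2
    half = 1 << (k - 1)                       # bits per half
    mask = (1 << half) - 1
    a_lo, a_hi = a & mask, a >> half
    b_lo, b_hi = b & mask, b >> half
    hh = tower_mul(a_hi, b_hi, k - 1)
    lo = tower_mul(a_lo, b_lo, k - 1) ^ hh
    x_prev = (1 << (half // 2)) if k >= 2 else 1   # the element X_{k-1} of T_{k-1}
    hi = (tower_mul(a_lo, b_hi, k - 1)
          ^ tower_mul(a_hi, b_lo, k - 1)
          ^ tower_mul(hh, x_prev, k - 1))
    return lo | (hi << half)

# In T_2 (4 bits per element, basis 1, X1, X2, X1*X2):
a, b = 0b1011, 0b0110
print(bin(tower_add(a, b)))                 # 0b1101: each bit added independently mod 2
print(bin(tower_mul(0b10, 0b10, 1)))        # 0b11:   X1^2 = X1 + 1
print(bin(tower_mul(0b0100, 0b0100, 2)))    # 0b1001: X2^2 = X1*X2 + 1
```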

But, you say, didn’t the verifier want an $\mathbb{F}$-linear combination of the rows of bits, not just an $\mathbb{F}_2$-linear combination? That’s right, and we’ll solve this problem by again referring to the special properties of the tower field. Because $\mathbb{F}$ (a tower field) has an $\mathbb{F}_2$-basis, we can decompose each coefficient of the desired combination over this basis; the verifier then simply has to learn, for each basis element, a corresponding $\mathbb{F}_2$-linear combination of the rows. Then, using these $\mathbb{F}_2$-linear combinations, the verifier can reconstruct what our row sum of field elements is supposed to be, by scaling each one by its basis element and summing over $\mathbb{F}$, and obtain the desired linear combination of the bits!
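In symbols (with notation introduced here just for this derivation): write each coefficient as $a_y = \sum_j a_{y,j}\,\beta_j$ with $a_{y,j} \in \mathbb{F}_2$, where $(\beta_j)$ is the basis above and $\mathrm{row}_y$ denotes the $y$-th row of bits. Then

$$\sum_y a_y \cdot \mathrm{row}_y \;=\; \sum_y \Big(\sum_j a_{y,j}\,\beta_j\Big)\,\mathrm{row}_y \;=\; \sum_j \beta_j \,\Big(\sum_y a_{y,j}\,\mathrm{row}_y\Big),$$

and each inner sum is an $\mathbb{F}_2$-linear combination of the rows of bits, which by the previous paragraph can be computed directly on the packed field elements.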

Testing and Evaluation

To summarize, the verifier will ask the prover for a number of $\mathbb{F}_2$-linear combinations of the rows. In the case of testing, these linear combinations will be random, but in the case of evaluation, these linear combinations will be those obtained from the bit decomposition of the coefficients $(a_y)$ under the basis we described above. Then, once the prover gives the requested sums, the verifier will spot check the sums on a few randomly selected columns to verify that the given sums correspond to the committed bits. Finally, in the case of evaluation, the verifier can reconstruct the $\mathbb{F}$-row sum by summing the received rows against the basis, then compute the $(b_x)$-weighted sum of the resulting row.

Complexity

Finally, we discuss the complexity parameters of the polynomial commitment. Let us say that the data is $2^n$ bits long, and that $|\mathbb{F}| \geq 2^{n/2}$. (For example, we could take $\mathbb{F}$ to be the smallest field in the tower with at least $2^{n/2}$ elements.)