Paper 2023/1705

BaseFold: Efficient Field-Agnostic Polynomial Commitment Schemes from Foldable Codes

Hadas Zeilberger, Yale University
Binyi Chen, Espresso Systems
Ben Fisch, Yale University
Abstract

This works introduces Basefold, a new $\textit{field-agnostic}$ Polynomial Commitment Scheme (PCS) for multilinear polynomials that has $O(\log^{2}(n))$ verifier costs and $O(n \log n)$ prover time. An important application of a multilinear PCS is constructing Succinct Non-interactive Arguments (SNARKs) from multilinear polynomial interactive oracle proofs (PIOPs). Furthermore, field-agnosticism is a major boon to SNARK efficiency in applications that require (or benefit from) a certain field choice. Our inspiration for Basefold is the Fast Reed-Solomon Interactive-Oracle Proof of Proximity (FRI IOPP), which leverages two properties of Reed-Solomon (RS) codes defined over "FFT-friendly'' fields: $O(n \log n)$ encoding time, and a second property that we call foldability. We first introduce a generalization of the FRI IOPP that works over any foldable linear code in linear time. Second, we construct a new family of linear codes which we call $\textit{random foldable codes}$, that are a special type of punctured Reed-Muller codes, and prove tight bounds on their minimum distance. Unlike RS codes, our new codes are foldable and have $O(n \log n)$ encoding time over ${any}$ sufficiently large field. Finally, we construct a new multilinear PCS by carefully interleaving our IOPP with the classical sumcheck protocol, which also gives a new multilinear PCS from FRI. Basefold is 2-3 times faster than prior multilinear PCS constructions from FRI when defined over the same finite field. More significantly, using Hyperplonk (Eurocrypt, 2022) as a multilinear PIOP backend for apples-to-apples comparison, we show that Basefold results in a SNARK that has better concrete efficiency across a range of field choices than with any prior multilinear PCS in the literature. Hyperplonk with Basefold has a proof size that is more than $10$ times smaller than Hyperplonk with Brakedown and its verifier is over $30$ times faster for circuits with more than $2^{20}$ gates. Compared to FRI, Hyperplonk with Basefold retains efficiency over any sufficiently large field. For illustration, with Basefold we can prove ECDSA signature verification over the secp256k1 curve more than $20$ times faster than Hyperplonk with FRI and the verifier is also twice as fast. Proofs of signature verification have many useful applications, including offloading blockchain transactions and enabling anonymous credentials over the web.

Note: A major update on the Experiments section and minor updates on the abstract and introduction

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
SNARKPolynomial Commitment SchemeIOPError-Correcting Codes
Contact author(s)
hadas zeilberger @ yale edu
binyi @ cs stanford edu
ben fisch @ yale edu
History
2024-02-22: revised
2023-11-03: received
See all versions
Short URL
https://ia.cr/2023/1705
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2023/1705,
      author = {Hadas Zeilberger and Binyi Chen and Ben Fisch},
      title = {BaseFold: Efficient Field-Agnostic Polynomial Commitment Schemes from Foldable Codes},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1705},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/1705}},
      url = {https://eprint.iacr.org/2023/1705}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.