Analysis of Binius STARKs Principles and Optimization Thoughts

1 Introduction

One of the main reasons for the inefficiency of STARKs is that most of the values in actual programs are quite small, such as indices in for loops, boolean values, counters, etc. However, to ensure the security of proofs based on Merkle trees, many additional redundant values occupy the entire field when using Reed-Solomon coding to expand the data, even if the original values themselves are very small. To address this issue, reducing the size of the field has become a key strategy.

The bit width of the 1st generation STARKs encoding is 252 bits, the bit width of the 2nd generation STARKs encoding is 64 bits, and the bit width of the 3rd generation STARKs encoding is 32 bits, but the 32-bit encoding still has a lot of wasted space. In contrast, the binary field allows direct manipulation of bits, resulting in a compact and efficient encoding without any wasted space, which is the 4th generation STARKs.

Compared to recent discoveries in finite fields such as Goldilocks, BabyBear, and Mersenne31, the study of binary fields can be traced back to the 1980s. Currently, binary fields are widely used in cryptography, with typical examples including:

• Advanced Encryption Standard ( AES ), based on the F28 field;

• Galois Message Authentication Code ( GMAC ), based on the F2^128 field;

• QR code, using Reed-Solomon encoding based on F28;

• The original FRI and zk-STARK protocols, as well as the Grøstl hash function that entered the SHA-3 finals, which is based on the F28 field and is a very suitable hash algorithm for recursion.

When using smaller fields, the extension field operation becomes increasingly important for ensuring security. The binary field used by Binius must rely entirely on extension fields to guarantee its security and practical usability. Most polynomials involved in Prover computations do not need to enter the extension field and can operate solely in the base field, achieving high efficiency in smaller fields. However, random point checking and FRI computations still need to delve into larger extension fields to ensure the required level of security.

When constructing a proof system based on binary fields, there are two practical issues: the size of the field used for calculating the trace representation in STARKs should be greater than the degree of the polynomial; when committing to a Merkle tree in STARKs, Reed-Solomon encoding is required, and the size of the field should be greater than the size after encoding expansion.

Binius proposed an innovative solution that addresses these two issues separately and achieves this by representing the same data in two different ways: first, by using multivariate (specifically multilinear) polynomials instead of univariate polynomials to represent the entire computation trajectory via their values on "hypercubes"; secondly, since the length of each dimension of the hypercube is 2, standard Reed-Solomon extensions cannot be performed like in STARKs, but the hypercube can be treated as a square, allowing for Reed-Solomon extensions based on that square. This method greatly improves coding efficiency and computational performance while ensuring security.

2 Principle Analysis

The construction of most SNARKs systems currently typically includes the following two parts:

• Information-Theoretic Polynomial Interactive Oracle Proof (PIOP): PIOP, as the core of the proof system, transforms the input computational relationship into verifiable polynomial equations. Different PIOP protocols allow the prover to gradually send polynomials through interaction with the verifier, enabling the verifier to validate the correctness of the computation by querying the evaluation results of a small number of polynomials. Existing PIOP protocols include: PLONK PIOP, Spartan PIOP, and HyperPlonk PIOP, each of which processes polynomial expressions differently, thereby affecting the performance and efficiency of the entire SNARK system.

• Polynomial Commitment Scheme (PCS): The Polynomial Commitment Scheme is used to prove whether the polynomial equations generated by PIOP hold true. PCS is a cryptographic tool through which the prover can commit to a certain polynomial and later verify the evaluation results of that polynomial while hiding other information about the polynomial. Common polynomial commitment schemes include KZG, Bulletproofs, FRI (Fast Reed-Solomon IOPP), and Brakedown, among others. Different PCS have varying performance, security, and applicable scenarios.

Depending on specific requirements, different PIOPs and PCS can be selected, combined with suitable finite fields or elliptic curves, to construct proof systems with different attributes. For example:

• Halo2: combines PLONK PIOP and Bulletproofs PCS, based on the Pasta curve. When designing Halo2, emphasis was placed on scalability and removing the trusted setup in the ZCash protocol.

• Plonky2: Combines PLONK PIOP and FRI PCS, based on the Goldilocks field. Plonky2 is designed for efficient recursion. When designing these systems, the chosen PIOP and PCS must match the finite field or elliptic curve used to ensure the correctness, performance, and security of the system. The choice of these combinations not only affects the proof size and verification efficiency of SNARKs but also determines whether the system can achieve transparency without a trusted setup and whether it can support extended features such as recursive proofs or aggregated proofs.

Binius: HyperPlonk PIOP + Brakedown PCS + binary fields. Specifically, Binius includes five key technologies to achieve its efficiency and security. First, the arithmetic based on towers of binary fields forms the foundation of its computation, allowing simplified operations within binary fields. Second, Binius adapts the HyperPlonk product and permutation checks in its interactive Oracle proof protocol (PIOP), ensuring secure and efficient consistency checks between variables and their permutations. Third, the protocol introduces a new multilinear shift proof, optimizing the efficiency of verifying multilinear relationships over small fields. Fourth, Binius employs an improved Lasso lookup proof, providing flexibility and strong security to the lookup mechanism. Finally, the protocol uses a Small-Field polynomial commitment scheme, enabling efficient proof systems over binary fields and reducing the overhead typically associated with large fields.

2.1 Finite Fields: Arithmetic based on towers of binary fields

Towering binary fields are key to achieving fast verifiable computation, primarily due to two aspects: efficient computation and efficient arithmetic. Binary fields inherently support highly efficient arithmetic operations, making them an ideal choice for cryptographic applications that are sensitive to performance. Furthermore, the structure of binary fields supports a streamlined arithmetic process, meaning that operations performed over binary fields can be represented in a compact and easily verifiable algebraic form. These features, combined with the ability to fully leverage its hierarchical characteristics through tower structures, make binary fields particularly well-suited for scalable proof systems such as Binius.

Among them, "canonical" refers to the unique and direct representation of elements in a binary field. For example, in the most basic binary field F2, any k-bit string can be directly mapped to a k-bit binary field element. This is different from prime fields, which cannot provide such a canonical representation within a fixed number of bits. Although a 32-bit prime field can be contained within 32 bits, not every 32-bit string can uniquely correspond to a field element, while the binary field possesses the convenience of this one-to-one mapping. In the prime field Fp, common reduction methods include Barrett reduction, Montgomery reduction, and special reduction methods for specific finite fields such as Mersenne-31 or Goldilocks-64. In the binary field F2k, commonly used reduction methods include special reduction (as used in AES), Montgomery reduction (as used in POLYVAL), and recursive reduction (like Tower). The paper "Exploring the Design Space of Prime Field vs. Binary Field ECC-Hardware Implementations" points out that in the binary field, both addition and multiplication operations do not require carry, and the squaring operation in the binary field is very efficient because it follows the simplified rule of (X + Y )2 = X2 + Y 2.

As shown in Figure 1, a 128-bit string: This string can be interpreted in multiple ways within the context of binary fields. It can be viewed as a unique element in a 128-bit binary field, or parsed as two 64-bit tower field elements, four 32-bit tower field elements, sixteen 8-bit tower field elements, or 128 F2 field elements. This flexibility in representation does not require any computational overhead, merely a typecast of the bit string, which is a very interesting and useful property. Meanwhile, small field elements can be packed into larger field elements without additional computational overhead. The Binius protocol leverages this feature to enhance computational efficiency. Additionally, the paper "On Efficient Inversion in Tower Fields of Characteristic Two" discusses the computational complexity of multiplication, squaring, and inversion operations in n-bit tower binary fields (which can be decomposed into m-bit subfields).

2.2 PIOP: Adapted HyperPlonk Product and PermutationCheck ------ Suitable for binary field

The PIOP design in the Binius protocol draws on HyperPlonk and employs a series of core checking mechanisms to validate the correctness of polynomials and multivariate sets. These core checks include:

1. GateCheck: Verify whether the confidential witness ω and the public input x satisfy the circuit computation relation C(x, ω)=0, to ensure the circuit operates correctly.

2. PermutationCheck: Verify whether the evaluation results of two multivariable polynomials f and g on the Boolean hypercube form a permutation relation f(x) = f(π(x)), to ensure the consistency of the arrangement among polynomial variables.

3. LookupCheck: Verify whether the evaluation of the polynomial is in the given lookup table, that is, f(Bµ) ⊆ T(Bµ), ensuring that certain values are within the specified range.

4. MultisetCheck: Check whether two multivariable sets are equal, that is, {(x1,i,x2,)}i∈H={(y1,i,y2,)}i∈H, ensuring consistency among multiple sets.

5. ProductCheck: Check whether the evaluation of the rational polynomial on the Boolean hypercube equals a declared value ∏x∈Hµ f(x) = s, to ensure the correctness of the polynomial product.

6. ZeroCheck: Verify whether a multivariable polynomial is zero at any point on the Boolean hypercube ∏x∈Hµ f(x) = 0, ∀x ∈ Bµ, to ensure the distribution of the polynomial's zeros.

7. SumCheck: To check whether the sum of a multivariate polynomial equals the declared value ∑x∈Hµ f(x) = s. By transforming the evaluation problem of multivariate polynomials into that of univariate polynomials, it reduces the computational complexity for the verifier. Additionally, SumCheck allows for batching by introducing random numbers to construct linear combinations for processing multiple sum check instances.

8. BatchCheck: Based on SumCheck, it verifies the correctness of multiple multivariable polynomial evaluations to improve protocol efficiency.

Although Binius and HyperPlonk have many similarities in protocol design, Binius has made improvements in the following three areas:

• ProductCheck Optimization: In HyperPlonk, the ProductCheck requires the denominator U to be non-zero everywhere on the hypercube, and the product must equal a specific value; Binius simplifies this check by specializing that value to 1, thereby reducing computational complexity.

• Handling of division by zero issues: HyperPlonk failed to adequately address division by zero situations, leading to an inability to assert that U is non-zero on the hypercube; Binius correctly handled this issue, allowing the ProductCheck of Binius to continue processing even when the denominator is zero, permitting generalization to any product value.

• Cross-column Permutation Check: HyperPlonk does not have this feature; Binius supports Permutation Check across multiple columns, enabling Binius to handle more complex polynomial arrangement scenarios.

Therefore, Binius has improved the existing PIOPSumCheck mechanism, enhancing the protocol's flexibility and efficiency, especially in providing stronger functional support when handling more complex multivariable polynomial verifications. These improvements not only address the limitations in HyperPlonk but also lay the foundation for future proof systems based on binary fields.

2.3 PIOP: New multilinear shift argument ------ applicable to boolean hypercube

In the Binius protocol, the construction and handling of virtual polynomials is one of the key technologies, enabling the effective generation and manipulation of polynomials derived from input handles or other virtual polynomials. Here are two key methods:

• Packing: This method optimizes operations by packing smaller elements located adjacent to each other in lexicographical order into larger elements. The Pack operator targets block operations of size 2κ and groups them.