Polylogarithmic Proofs for Multilinears over Binary Towers

Benjamin E. Diamond Jim Posen

Irreducible Irreducible
[email protected] [email protected]

Abstract
We present a succinct polynomial commitment scheme for multilinears over tiny binary fields, includ-
ing that with just two elements. To achieve this, we develop two main ideas. Our first adapts Zeilberger,
Chen and Fisch’s BaseFold (’23) PCS to the binary setting; it uses FRI (ICALP ’18)’s lesser-known
binary variant, and reveals a new connection between that work and Lin, Chung and Han (FOCS ’14)’s
additive NTT. We moreover present a novel large-field-to-small-field compiler for polynomial commitment
schemes. Using a technique we call “ring-switching”, our compiler generically bootstraps any multilinear
PCS over a large, power-of-two degree extension field into a further PCS over that field’s ground field.
The resulting small-field PCS lacks embedding overhead, in that its commitment cost is identical to that
of the large-field scheme on each input size (measured in bits). We attain concretely small proofs for
enormous binary multilinears, shrinking the proofs of Diamond and Posen (’23) by an order of magnitude.

1 Introduction
In recent work, Diamond and Posen [DP23] introduce a sublinear argument designed to capture certain
efficiencies available in towers of binary fields. Using a “block-level encoding” technique, that work evades,
at least during its commitment phase, the embedding overhead prone to arise whenever tiny fields are
used, especially in those protocols that critically use Reed–Solomon codes. That work’s key polynomial
commitment scheme features opening proofs whose size and verifier complexity both grow on the order of
the square root of the size (i.e., measured in total data bits) of the committed polynomial.
In this work, we present a multilinear polynomial commitment scheme—again designed for small binary
fields—whose proof size and verifier complexity grow only polylogarithmically in the size of the committed
polynomial. Our starting point is Zeilberger, Chen and Fisch’s BaseFold PCS [ZCF23, § 5], a multilinear
PCS for large prime fields. BaseFold’s polynomial commitment scheme [ZCF23, § 5] identifies a new connec-
tion between Ben-Sasson, Bentov, Horesh and Riabzev’s [BBHR18] celebrated FRI IOP of proximity and
multilinear polynomials. Specifically, that work observes that, in the setting of prime-field FRI, when the
FRI folding arity is fixed at 2, the constant value of the prover’s final FRI oracle relates to the univariate
coefficients of its FRI message just as a multilinear’s evaluation relates to its multilinear coefficients in the
monomial basis. This fact underlies BaseFold’s use of FRI within its multilinear polynomial commitment
scheme. On the other hand, since the scheme’s evaluation point is typically known in advance to the prover,
whereas FRI’s folding challenges of course must not be, BaseFold moreover interleaves into its FRI fold-
ing phase an execution of the sumcheck protocol, thereby reducing the evaluation of the multilinear at the
known query point to its evaluation at the random point sampled during FRI. We describe BaseFold further
in Subsection 1.2 below.
We note that FRI has figured in both univariate and multilinear commitment schemes previously. All
prior such uses of FRI, however—with the exception of [ZCF23, § 5]—invoke “quotienting”, and so suffer
from embedding overhead, a phenomenon described at length in [DP23]. We refer to Haböck [Hab22] for a
description of FRI’s use as a univariate commitment scheme. In the multilinear setting, we note briefly an
approach proposed by Chen, Bünz, Boneh and Zhang [CBBZ23, § B], which itself makes blackbox use of a
univariate commitment scheme such as FRI. Interestingly, that scheme—assuming the FRI-based univariate
scheme—resembles [ZCF23, § 5], at least during its commitment phase. Its evaluation phase, however,
generically invokes the underlying univariate scheme’s evaluation protocol logarithmically many times.

1
1.1 Our Contributions
To make something like BaseFold PCS [ZCF23, § 5] work in our setting, we must overcome two main
obstacles. Firstly, while BaseFold accepts any large field and any “foldable” code, that work emphasizes
the odd-characteristic case, and especially that of Reed–Solomon codes over large prime fields. It does not
examine the case of binary fields. Though FRI itself works over binary fields—and was in fact originally
presented in that setting [BBHR18, § 3]—the even–odd coefficient-folding behavior essential to [ZCF23, § 5]
fails to persist in the binary arena, at least for FRI-folding maps chosen generically. In Section 3 below,
we discuss how to choose those maps in such a way as to cause the desired folding behavior to reemerge.
Our treatment makes necessary a careful analysis of Lin, Chung and Han’s additive NTT [LCH14], and
demonstrates a hitherto-unremarked connection between those two works.
Our second main obstacle pertains to the fact that BaseFold is designed for large-field multilinears.
Indeed, as the work [DP23] explains in detail, it is difficult—given only a large-field scheme—to define a small-
field scheme that inherits the “right” security and efficiency guarantees. Specifically, the small-field scheme
should commit polynomials as efficiently as the large-field scheme commits equally-sized polynomials (i.e.,
in bits). (In particular, embedding the small-field polynomial coefficient-wise into the large field wouldn’t
suffice.) In Section 4 below, we describe a generic and extremely efficient reduction from large-field schemes to
small-field schemes. Given an extension L / K of degree 2κ , our technique reduces the problem of committing
an ℓ-variate multilinear over K to that of committing an ℓ := ℓ − κ-variate multilinear over L (which contains
the “same amount of data”). Our scheme’s commitment phase leverages a packing technique present already
in [DP23]. Its evaluation phase introduces a new idea that we call “ring-switching”, loosely inspired by
Ron-Zewi and Rothblum [RR24, Fig. 2]’s “code-switching” technique. We roughly describe our approach as
follows, deferring our full treatment to Section 4. Informally, we observe that the evaluation of the given
K-polynomial at a desired point can be reduced to that of its packed L-polynomial at a random point, up to
the execution of an ℓ-round sumcheck in the tensor algebra L ⊗K L, a ring which contains L in “two different
ways”. (That object can be viewed as a generalization of the tower algebra data structure of [DP23, § 3.4].)
In Section 6 below, we combine the ideas of Sections 3 and 4 into a single, streamlined construction.
That construction yields an extremely efficient small-field PCS for binary multilinears. In Subsection 6.2
below, we benchmark our combined scheme in detail, showing that its proofs are smaller than those of [DP23,
Cons. 3.11] by between fourfold and a hundredfold.

1.2 Technical Overview

We sketch in advance various aspects of our technical approach.

Remarks on FRI-folding. Each honest FRI prover begins with the evaluation of some polynomial
P2ℓ −1 j (0)
P (X) := j=0 aj · X over its initial domain S . Under certain mild conditions—specifically, if the
folding factor η divides ℓ, and the recursion is carried out to its end—the prover’s final oracle will be identi-
cally constant over its domain (and in fact, the prover will rather send the verifier this latter constant in the
clear). What will the value of this constant be, as a function of P (X) and of the verifier’s folding challenges?
In the setting of prime field multiplicative FRI, the folding maps q (i) all take the especially simple form
η
X 7→ X 2 . BaseFold [ZCF23, § 5] makes the interesting observation whereby—again, in the prime field
setting, for η now moreover set to 1, and for q (0) , . . . , q (ℓ−1) defined in just this way—the prover’s final FRI
response will be nothing other than a0 + a1 · r0 + a2 · r1 + · · · + a2ℓ −1 · r0 · · · · rℓ−1 , where r0 , . . . , rℓ−1 are
the verifier’s FRI folding challenges. That is, it will be exactly the evaluation of the multilinear polynomial
a0 + a1 · X0 + a2 · X1 + · · · + a2ℓ −1 · X0 · · · · Xℓ−1 at the point (r0 , . . . , rℓ−1 ).
η
What about in characteristic 2? In this setting, the simple folding maps X 7→ X 2 no longer work,
as [BBHR18, § 2.1] already remarks. (These maps are nowhere 2-to-1, and in fact are field isomorphisms.)
Rather, we must set as our q (i) certain linear subspace polynomials of degree 2η . FRI does not suggest precise
values for these polynomials, beyond merely demanding that they feature the right linear-algebraic syntax.
That is, each q (i) ’s kernel must reside entirely inside the domain S (i) ; we discuss this requirement further in
Subsection 2.4 below. Given syntactically valid subspace polynomials q (i) chosen otherwise arbitrarily—and,
we emphasize, FRI does not suggest a choice—the constant value of the prover’s final oracle will relate in a
complicated way to the coefficient vector (a0 , . . . , a2ℓ −1 ) and to the verifier’s folding challenges ri .

2
The additive NTT and FRI. We recall briefly the “additive NTT” of Lin, Chung, and Han [LCH14] (we
refer to Subsection 2.3 below for a thorough description). We fix a binary field L of degree more than ℓ. The
2ℓ −1
work [LCH14] defines a “novel polynomial basis” (Xj (X))j=0 of the L-vector space consisting of polynomials

2ℓ −1
over L of degree less than 2ℓ (which, of course, is not the standard monomial L-basis X j j=0 of that space).
P2ℓ −1
The work [LCH14] moreover presents an algorithm which, on input a polynomial P (X) := j=0 aj · Xj (X)
expressed with respect to the novel basis, computes P (X)’s “additive NTT”. That is, the algorithm computes,
from P (X)’s coefficient vector (a0 , . . . , a2ℓ −1 ), the set of P (X)’s evaluations over S ⊂ L, itself any affine
F2 -linear subspace of L satisfying certain natural conditions (and in quasilinear time in the size of S).
In the binary-field setting, we recover in the following way the “classical” FRI folding pattern identified
above. For expository purposes, we fix η = 1 (though cf. Subsection 3.2 below). We stipulate first of all that
the prover use the coefficients (a0 , . . . , a2ℓ −1 ) of its input multilinear as the coefficients in Lin, Chung and
P2ℓ −1
Han [LCH14]’s novel polynomial basis of its initial univariate FRI polynomial P (X) := j=0 aj · Xj (X).
(This basis serves further to make P (X) evaluable over S (0) in quasilinear time, a essential additional role.)
Essentially, our insight is that, if we choose the FRI subspace maps q (0) , . . . , q (ℓ−1) appropriately, then
the prover’s final FRI oracle becomes once again meaningfully related to P (X)’s initial coefficient vector
(a0 , . . . , a2ℓ −1 ); that is, it becomes—as it was in the prime-field setting—a0 + a1 · r0 + a2 · r1 + · · · + a2ℓ −1 · r0 ·
· · · rℓ−1 . Specifically, we opt to define the maps q (0) , . . . , q (ℓ−1) precisely so that they factor Lin, Chung and
 ℓ
Han [LCH14, § II. C.]’s “normalized subspace vanishing polynomials” W ci (X) ; that is, we define them
i=0
in such a way that Wci (X) = q (i−1) ◦ · · · ◦ q (0) holds for each i ∈ {0, . . . , ℓ} (see Corollary 3.4). We explain
our construction in detail in Subsection 3.1 below.
Upon defining the maps q (0) , . . . , q (ℓ−1) in this way, we recover a familiar, Fourier-theoretic characteri-
2ℓ −1
zation of the novel basis polynomials (Xj (X))j=0 , as well as a reinterpretation of Lin, Chung and Han’s
algorithm [LCH14, § III.] along more classical lines (see Remark 3.14). We reproduce this Fourier-theoretic
identity—which appears as (2) below—here:
(i+1) (i+1)
P (i) (X) = P0 (q (i) (X)) + X · P1 (q (i) (X)).
P2ℓ−i −1 (i)
Above, the index i ∈ {0, . . . , ℓ − 1} is arbitrary. We write P (i) (X) = j=0 aj · Xj (X) for an arbitrary
 2ℓ−i −1
(i)
polynomial expressed with respect to the basis Xj (X) , the so-called ith -order novel polynomial
j=0
basis (we refer to Theorem 3.12 below for a thorough definition of our higher-order novel polynomial bases,
(i+1) (i+1)
as well as to Remark 3.15 for further discussion). The polynomials P0 (X) and P1 (X) are P (i) (X)’s
 2ℓ−i−1 −1
(i+1)
even and odd refinements (these are expressed with respect to the i + 1st -order basis Xj (X) ).
i=0
As we argue below, this choice of maps q (0) , . . . , q (ℓ−1) allows us to recover the coefficient-folding behavior
of prime-field FRI (i.e., which was exploited by [ZCF23, § 5]). Indeed, by using the polynomial identity above,
and by expressing each polynomial at hand with respect to the appropriate higher-order novel polynomial
basis, we successfully establish the required FRI folding pattern (see in particular Lemma 3.13).

A new FRI folding mechanism. As it happens, we opt moreover to modify FRI itself, so as to induce a
Lagrange-style, as opposed to a monomial-style, folding pattern in the coefficient domain. In our FRI variant,
the value of the prover’s final oracle becomes rather a0 · (1 − r0 ) · · · · · (1 − rℓ−1 ) + · · · + a2ℓ −1 · r0 · · · · rℓ−1 ,
the evaluation at (r0 , . . . , rℓ−1 ) of the polynomial whose coefficients in the multilinear Lagrange basis—and
not in the multilinear monomial basis—are (a0 , . . . , a2ℓ −1 ). We moreover introduce a multilinear style of
many-to-one FRI folding, which contrasts with FRI’s univariate approach [BBHR18, § 3.2]. We describe our
FRI folding variant in Subsection 3.2 below (see in particular Definitions 3.6 and 3.8, as well as Remark 3.7).
Interestingly, our FRI-folding variant makes necessary a sort of proximity gap different from that invoked by
the original FRI protocol. Indeed, while the soundness proof [Ben+23, § 8.2] of FRI uses the proximity gap
result [Ben+23, Thm. 1.5] for low-degree parameterized curves, our security treatment below instead uses a
tensor-folding proximity gap of the sort recently established by Diamond and Posen [DP24, Thm. 2]. In fact,
we use rather a sharpening of that result, achieved in recent work of Diamond and Gruen [DG24, Cor. 3.7].

3
Miscellanea. Throughout Subsection 3.1, we examine in detail various further aspects of binary-field
FRI. For example—even in the abstract IOP model—we must necessarily fix F2 -bases of the respective
Reed–Solomon domains S (i) , in order to interpret committed functions f (i) : S (i) → L as L-valued strings
(that is, must implicitly lexicographically “flatten” each domain S (i) using some ordered F2 -basis of it,
known to both the prover and the verifier). The choice of these bases matters. Indeed, for F2 -bases of
S (i) and S (i+1) chosen arbitrarily, the fundamental operation which associates to each y ∈ S (i+1) its fiber
−1
q (i) ({y}) ⊂ S (i) —which both the prover and the verifier must perform repeatedly—could come to assume

2
complexity on the order of dim S (i) bit-operations, even after a linear-algebraic preprocessing phase.
We moreover suggest a family of bases for the respective domains S (i) with respect to which the maps
(i)
q come to act simply by projecting away their first η coordinates. In particular, the application of each
−1
map q (i) —in coordinates—becomes free; the preimage operation q (i) ({y}) comes to amount simply to
that of prepending η arbitrary boolean coordinates to y’s coordinate representation. While bases with these
properties can of course be constructed in FRI even for maps q (i) chosen arbitrarily, our procedure yields
a basis of the initial domain S (0) which coincides with that expected by the additive NTT of [LCH14]. In
particular, our prover may use as is the output of the additive NTT as its 0th FRI oracle, without first
subjecting that output to the permutation induced by an appropriate change-of-basis transformation on
S (0) . We believe that these observations stand to aid all implementers of binary-field FRI.

Ring-switching. We sketch in slightly more detail our ring-switching technique (we again refer also to Sec-
tion 4 below). We fix an input multilinear t(X0 , . . . , Xℓ−1 ) ∈ K[X0 , . . . , Xℓ−1 ]⪯1 over K and a desired evalua-
tion point (r0 , . . . , rℓ−1 ) ∈ Lℓ ; we moreover set ℓ′ := ℓ − κ, and write t′ (X0 , . . . , Xℓ′ −1 ) ∈ L[X0 , . . . , Xℓ′ −1 ]⪯1
for t(X0 , . . . , Xℓ−1 )’s packed polynomial in the sense of Definition 2.1. (We recall from [DP23, § 3] that
t′ (X0 , . . . , Xℓ′ −1 )’s vector of Lagrange coefficients arises from t(X0 , . . . , Xℓ−1 )’s by a process which inter-
prets each successive chunk consisting of 2κ of that latter vector’s components as a single L-element.) To
learn the desired datum t(r0 , . . . , rℓ−1 ), it certainly doesn’t suffice merely to learn the single evaluation
t′ (r0′ , . . . , rℓ′ ′ −1 ), either for (r0′ , . . . , rℓ′ ′ −1 ) := (rκ , . . . , rℓ−1 ) or else for (r0′ , . . . , rℓ′ ′ −1 ) otherwise chosen. In-
deed, to learn that latter quantity alone would entail a sort of information loss, as is noted in [DP23, § 3].
To mitigate this information loss, we work in a ring which contains L as a subring. Specifically, we work
in the ring A := L ⊗K L, the tensor product of L with itself over K (we view here L as a K-algebra).
Concretely, this ring represents a sort of two-dimensional data structure, which contains two isomorphic
copies of L (in its leftmost column and its topmost row, respectively); we refer also to Figure 1 below. We
first examine in detail the ring structure of A := L ⊗K L (see also Subsection 2.5). Indeed, we note the
“vertical” and “horizontal” embeddings φ0 : L → A and φ1 : L → A of L into A; we argue that the images
of these subrings act on the algebra respectively “column-wise” and “row-wise”.
Using these observations, we argue further that the desired evaluation t(r0 , . . . , rℓ−1 ) can be obtained—
up to a Θ(2κ )-time postprocessing step on the part of the verifier—instead from the A-element
φ1 (t′ )(φ0 (rκ ), . . . , φ0 (rℓ−1 )). Indeed, we explain this complicated expression as follows. We em-
bed t′ (X0 , . . . , Xℓ′ −1 )’s coefficients horizontally into the algebra, and embed the trailing components
(rκ , . . . , rℓ−1 ) vertically. Exploiting the ring structure of A, we conclude that this latter sort of embed-
ding captures exactly the partial evaluation of our original multilinear t(X0 , . . . , Xℓ−1 ) at the trailing suffix
′
(rκ , . . . , rℓ−1 ) ∈ Lℓ . (Our detailed correctness proof appears as Theorem 4.2 below.)
Though this maneuver doesn’t alone solve our problem, it makes applicable the sumcheck protocol over
the ring A. In the second step of our reduction, we take exactly this step, drawing our sumcheck challenges
′
from the horizontal copy of L in A. In this way, we reduce
the desired evaluation φ
1 (t )(φ0 (rκ ), . . . , φ0 (rℓ−1 ))
′ ′ ′ ′ ′ ′
to the further evaluation φ1 (t ) φ1 (r0 ), . . . , φ1 (rℓ′ −1 ) = φ1 t (r0 , . . . , rℓ′ −1 ) , for random coordinates
(r0′ , . . . , rℓ′ ′ −1 ) in L. This latter expression depends only on the subring φ1 (L) ⊂ A, and so has nothing
to do with A proper. To procure t′ (r0′ , . . . , rℓ′ ′ −1 ) we may thus blackbox-invoke the underlying large-field
PCS over L. In practice, we batch the “rows” of our sumcheck over A, and conduct it rather over L.
We note a final benefit of our technique. Our ring-switching compiler reduces the problem of K-evaluation
to that of L-evaluation. Applied to simultaneously to many instances—which themselves pertain to different
subfields K of L, say—our compiler thus reduces its initial batch of claims to a set of further claims over
the single field L. These latter claims can then be batch-evaluated. Informally, our ring-switching technique
makes possible batching “across different fields”. We discuss batching further in Section 5 below.

4
Performance. In Subsection 6.2 below, we thoroughly benchmark our scheme, measuring both its proof
size and its prover and verifier complexities. Our scheme performs comparably with the state-of-the-art
Plonky3 scheme on polynomials with 32-bit coefficients, and roundly outperforms that scheme on polynomials
over smaller fields (by an order of magnitude or more). Our scheme’s proof sizes are comparable to those of
Plonky3, and beat those of [DP23] by an order of magnitude.

1.3 Prior Work

The works most relevant to this one are Zeilberger, Chen and Fisch’s BaseFold [ZCF23] and Diamond and
Posen [DP23]. BaseFold’s PCS [ZCF23, § 5] introduces the connection between FRI folding and multilinear
evaluation upon which our large-field PCS rests. That work uses only prime-field FRI, and does not attempt
to support small fields (with or without embedding overhead).
The work [DP23] initiates the use of towers of binary fields in SNARKs, and moreover develops several
ideas which presage ours, including its tower algebra [DP23, Def. 3.8]. That work moreover isolates the
notion of small-field polynomial commitment schemes, and supplies a key instantiation [DP23, Cons. 3.11].
We note that [DP23] presents not just a multilinear polynomial commitment scheme, but moreover an entire
toolbox of “virtual polynomial protocols” [DP23, § 4] and a high-level SNARK [DP23, § 5]. This work
presents only an improved polynomial commitment scheme. The higher-level content of [DP23] remains
perfectly applicable in our setting; indeed, our scheme serves as a drop-in replacement for that of [DP23,
§ 3], and serves the purposes of [DP23, §§ 4–5] exactly as [DP23, § 3] does.
During our large-field scheme’s security proof (see Theorems 3.16), we draw variously on the works
[BBHR18] and [Ben+23]. Neither of those works contain results which serve as stated to achieve our purposes;
rather, we must instead selectively extract and adapt their ideas. Indeed, our soundness proof must concern
itself not merely with the prover’s oracles’ proximity, but moreover with their consistency. In any case,
the essential ideas of our Lemmas 3.24 and 3.25 below are implicit in [BBHR18, § 4.2.2]; moreover, our
Proposition 3.20 below can be viewed as an adaptation to our setting of a technique of [Ben+23, § 8.2].
Our ring-switching reduction (see Construction 4.1 below) is loosely inspired by Ron-Zewi and Rothblum
[RR24, Fig. 2]’s “code-switching” technique, as we now explain. Indeed, our respective techniques share a few
structural similarities. Both begin with an encoding procedure on the part of the prover. That work, which
aims throughout to bring the total length of its oracles close to that of its witness, uses a high-rate tensor
code; we simply use a standard, low-rate Reed–Solomon code (albeit in conjunction with our “packing”
technique). During its inner IOPP, [RR24, Fig. 2] uses a special sumcheck-like protocol for high-rate tensor
codes [RR24, Fig. 4]. Finally, both our protocol and [RR24, Fig. 2] decide the appropriate reduction target
using a suitable “internal” protocol. Informally, both our protocol and Ron-Zewi and Rothblum [RR24,
Fig. 2]’s uses a sumcheck to translate an “unfavorable” environment into a “favorable” one. We believe that
that the analogy between that work’s sumcheck and ours is loose; our sumcheck much-more-closely resembles
the standard sumcheck for multilinear polynomials.
We do not yet, in this work, use the list-decoding proximity gap [Ben+23, Thm. 5.1]. We leave as a
future research direction the adaptation of this work to the list-decoding regime.

Acknowledgements. We would like to acknowledge our colleagues at Irreducible for their insights and
contributions to the Binius implementation of these techniques. We would like to gratefully thank An-
gus Gruen, Ulrich Haböck, Raju Krishnamoorthy, Justin Thaler and Benjamin Wilson, whose collective
comments and suggestions contributed significantly to this work. We thank Ron Rothblum for patiently
explaining code-switching to us.

2 Background and Notation

We write N for the nonnegative integers. All fields in this work are finite. We fix a binary field L. For each
ℓ ∈ N, we write Bℓ for the ℓ-dimensional boolean hypercube {0, 1}ℓ ⊂ Lℓ . We occasionally identify Bℓ with
Pℓ−1
the integer range {0, . . . 2ℓ − 1} by mapping v 7→ {v} := i=0 2i · vi . The rings we treat are nonzero and
commutative with unit. For our purposes, an algebra A over a field L is a commutative ring A together with
|R|
an embedding of rings L ,→ A. For L a field and R ⊂ Lϑ a subset, we write µ(R) := |L| ϑ.

5
2.1 Lagrange and Monomial Forms
We review various normal forms for multilinear polynomials, following [DP23, § 2.1]. An ℓ-variate polynomial
in K[X0 , . . . , Xℓ−1 ] is multilinear if each of its indeterminates appears with individual degree at most 1; we
write K[X0 , . . . , Xℓ−1 ]⪯1 for the set of multilinear polynomials over K in ℓ indeterminates. Clearly, the set
of monomials (1, X0 , X1 , X0 · X1 , . . . , X0 · · · · · Xℓ−1 ) yields a K-basis for K[X0 , . . . , Xℓ−1 ]⪯1 ; we call this
basis the multilinear monomial basis in ℓ variables.
We introduce the 2 · ℓ-variate polynomial
ℓ−1
Y
fq(X0 , . . . , Xℓ−1 , Y0 , . . . , Yℓ−1 ) :=
e (1 − Xi ) · (1 − Yi ) + Xi · Yi .
i=0

It is essentially the content of Thaler [Tha22, Fact. 3.5]) that the set (f eq(X0 , . . . , Xℓ−1 , v0 , . . . , vℓ−1 ))v∈Bℓ
yields a K-basis of the space K[X0 , . . . , Xℓ−1 ]⪯1 .
For each fixed (r0 , . . . , rℓ−1 ) ∈ Lℓ , the vector (f
eq(r0 , . . . , rℓ−1 , v0 , . . . , vℓ−1 ))v∈Bℓ takes the form
ℓ−1
!
Y
ri · vi + (1 − ri ) · (1 − vi ) = ((1 − r0 ) · · · · · (1 − rℓ−1 ), . . . , r0 · · · · · rℓ−1 ).
i=0 v∈Bℓ
Nℓ−1
We call this vector the tensor product expansion of the point (r0 , . . . , rℓ−1 ) ∈ Lℓ , and denote it by i=0 (1 −
ri , ri ). We note that this latter vector can be computed in Θ(2ℓ ) time (see e.g. [Tha22, Lem. 3.8]).
As a notational device, we introduce the further 2 · ℓ-variate polynomial:
ℓ−1
Y
on(X0 , . . . , Xℓ−1 , Y0 , . . . , Yℓ−1 ) :=
mg 1 + (Xi − 1) · Yi ;
i=0

we note that (g
mon(X0 , . . . , Xℓ−1 , v0 , . . . , vℓ−1 ))v∈Bℓ yields the multilinear monomial basis in ℓ indeterminates.

2.2 Error-Correcting Codes

We recall details on codes, referring throughout to Guruswami [Gur06]. A code of block length n over the
alphabet Σ is a subset of Σn . In Σn , we write d for the Hamming distance between two vectors (i.e., the
number of components at which they differ). We fix a field L. A linear [n, k, d]-code over L is a k-dimensional
linear subspace C ⊂ Ln for which d(v0 , v1 ) ≥ d holds for
 each unequal pair of elements v0 and v1 of C. nThe
unique decoding radius of the [n, k, d]-code C ⊂ Ln is d−1 2 ; indeed, we note that, for each word u ∈ L , at
most one codeword v ∈ C satisfies d(u, v) < d2 (this fact is a direct consequence of the triangle inequality).
For u ∈ Ln arbitrary, we write d(u, C) := minv∈C d(u, v) for the distance between u and the code C.
For each linear code C ⊂ Ln and each integer m ≥ 1, we define C’s m-fold interleaved code as the
subset C m ⊂ (Ln ) ∼
m n
= (Lm ) . We understand this latter set as a length-n block code over the alphabet
L . In particular, its elements are essentially matrices in Lm×n each of whose rows is a C-element. We
m
m−1
write matrices (ui )i=0 ∈ Lm×n row-wise. By definition of C m , two matrices in Lm×n differ at a column if
m−1 m×n
they differ at any of that column’s components.
 That a matrix (ui )i=0 ∈ L is within distance e to the
m−1
code C m —in which event we write dm (ui )i=0 , C m ≤ e—thus entails precisely that there exists a subset
 
m−1
D := ∆m (ui )i=0 , C m , say, of {0, . . . , n − 1}, of size at most e, for which, for each i ∈ {0, . . . , m − 1}, the
row ui admits a codeword vi ∈ C for which ui |{0,...,n−1}\D = vi |{0,...,n−1}\D .
We recall Reed–Solomon codes (see [Gur06, Def. 2.3]). For notational convenience, we consider only
Reed–Solomon codes whose message and block lengths are powers of two. We fix nonnegative message
ℓ+R
length and rate parameters ℓ and R, as well as a subset S ⊂ L ofn size 2ℓ+R . We write C ⊂ L2o for the
ℓ
ℓ+R ℓ ≺2
Reed–Solomon code RSL,S [2 , 2 ], itself defined to be the set (P (x))x∈S P (X) ∈ L[X] . That is,
RSL,S [2ℓ+R , 2ℓ ] is the set of those 2ℓ+R -tuples which arise as the evaluations of some polynomial of degree
ℓ
less than 2ℓ over S. The distance of RSL,S [2ℓ+R , 2ℓ ] is d = 2ℓ+R − 2ℓ + 1. We write Enc : L[X]≺2 → LS for
the encoding function which maps P (X) to its tuple of evaluations over S.

6
 We recall the Berlekamp–Welch algorithm for Reed–Solomon decoding within the unique decoding radius
(see [Gur06, Rem. 4]).

Algorithm 1 (Berlekamp–Welch [Gur06, Rem. 4].)

1: procedure DecodeReedSolomon (f (x))x∈S
allocate A(X) and B(X) of degrees 2 and 2ℓ+R − d−1
 d−1   
2: 2 − 1; write Q(X, Y ) := A(X) · Y + B(X).
3: interpret the equalities Q(x, f (x)) = 0, for x ∈ S, as a system of 2ℓ+R equations in 2ℓ+R +1 unknowns.
4: by finding a nonzero solution of this linear system, obtain values for the polynomials A(X) and B(X).
5: if A(X) ∤ B(X) then return ⊥.
6: write P (X) := −B(X)/A(X).
7: return P (X).

We note that the unknown polynomial Q(X, Y ) above indeed has d−1 + 1 + 2ℓ+R − d−1
   
2 2 = 2ℓ+R + 1
coefficients, as required.
Upon being given an input word f : S → L for which d(f, C) < d2 , Algorithm 1 necessarily returns the
unique polynomial P (X) of degree less than 2ℓ for which d(f, Enc(P (X))) < d2 holds. Indeed, this is simply
the correctness of Berlekamp–Welch algorithm on input assumed to reside within the unique decoding radius;
we refer to [Gur06, Rem. 4] for a thorough treatment.

2.3 The Novel Polynomial Basis

We recall in detail the novel polynomial basis of Lin, Chung and Han [LCH14, § II.]. We fix again a
binary field L, of degree r, say, over F2 . For our purposes, a subspace polynomial over L is a polynomial
W (X) ∈ L[X] which splits completely over L, and whose roots, each of multiplicity 1, form an F2 -linear
subspace of L. For a detailed treatment of subspace polynomials, we refer to Berlekamp [Ber15, § 11]. We
recall that, for each subspace polynomial W (X) ∈ L[X], the evaluation map W : L → L is F2 -linear.
ℓ
For each fixed ℓ ∈ {0, . . . , r − 1}, the set L[X]≺2 of polynomials of degree less than 2ℓ is a 2ℓ -dimensional
ℓ ℓ
vector space over L. Of course, the set (1, X, X 2 , . . . , X 2 −1 ) yields a natural L-basis of L[X]≺2 . Lin,
ℓ
Chung and Han define a further L-basis of L[X]≺2 —called the novel polynomial basis—in the following
way. We fix once and for all an F2 -basis (β0 , . . . , βr−1 ) of L (which we view as an r-dimensional vector
space over its subfield F2 ). For each i ∈ {0, . . . , ℓ − 1}, we write Ui := ⟨β0 , . . . , βi−1 ⟩ for Q the F2 -linear span
of the prefix (β0 , . . . , βi−1 ), and define the subspace vanishing polynomial Wi (X) := u∈Ui X − u, as well
as its normalized variant W ci (X) := Wi (X) (we note that βi ̸∈ Ui , so that Wi (βi ) ̸= 0). In words, for each
Wi (βi )
i ∈ {0, . . . , ℓ − 1}, Wi (X) vanishes precisely on Ui ⊂ L; W ci (X) moreover satisfies W c (X)(βi ) = 1. Finally,
ℓ
Pℓ−1i k
for each j ∈ {0, . . . , 2 − 1}, we write (j0 , . . . , jℓ−1 ) for the bits of j—so that j = k=0 2 · jk holds—and set
Qℓ−1 c ji ℓ
Xj (X) := i=0 W i (X) . We note that, for each j ∈ {0, . . . , 2 − 1}, Xj (X) is of degree j. We conclude that
2ℓ −1
the change-of-basis matrix from (1, X, . . . , X ) to (X0 (X), X1 (X), . . . , X2ℓ −1 (X)) is triangular (with an
ℓ
everywhere-nonzero diagonal), so that this latter list indeed yields a L-basis of L[X]≺2 .
As in Subsection 2.4 above, we now fix moreover a rate parameter R ∈ {1, . . . , r − ℓ} and an F2 -subspace
S ⊂ L of dimension ℓ + R; now, we require moreover that S contain the F2 -subspace Uℓ := ⟨β0 , . . . , βℓ−1 ⟩.
For each subspace S ⊂ L of this form, Lin, Chung and Han [LCH14, § III.]’s Θ(ℓ·2ℓ+R )-time algorithm serves
P2ℓ −1
to compute, on input the polynomial P (X) := j=0 aj · Xj (X) (expressed in coordinates with respect to
the novel polynomial basis), its encoding (P (x))x∈S .
In Remark 3.14 below, we suggest a new interpretation of Lin, Chung and Han’s algorithm [LCH14, § III.],
based on the techniques of this paper. For now, for self-containedness, we record here the key algorithm in
full, in our notation. We note that Algorithm 2’s equivalence with [LCH14, § III.] is not obvious; we explain
the correctness of our description in Remark 3.14 below. In what follows, we fix as above the degree and
P2ℓ −1
rate parameters ℓ and R. We finally fix a polynomial P (X) = j=0 aj · Xj (X); we write b : Bℓ+R → L for
2ℓ −1
(aj )j=0 ’s 2R -fold tiling; in other words, for each v ∈ Bℓ+R , we set b(v0 , . . . , vℓ+R−1 ) := a{(v0 ,...,vℓ−1 )} .

7
Algorithm 2 (Lin–Chung–Han [LCH14, § III.].)
 
1: procedure AdditiveNTT (b(v))v∈B
ℓ+R

2: for i ∈ {ℓ − 1, . . . , 0} (i.e., in downward order) do

3: for (u, v) ∈ Bℓ+R−i−1 × Bi do
Pℓ+R−i−2
4: define the twiddle factor t := k=0 uk · W
ci (βi+1+k ).
5: overwrite first b(u ∥ 0 ∥ v) += t · b(u ∥ 1 ∥ v) and then b(u ∥ 1 ∥ v) += b(u ∥ 0 ∥ v).
6: return (b(v))v∈Bℓ+R .

We note that the twiddle factor t above depends only on u, and not on v, and can be reused accordingly.
Finally, in the final return statement above, we implicitly identify Bℓ+R ∼ = S using the standard basis
β0 , . . . , βℓ+R−1 of the latter space (see also Subsection 3.1 below).

2.4 FRI
We recall Ben-Sasson, Bentov, Horesh and Riabzev’s [BBHR18] Fast Reed–Solomon Interactive Oracle Proof
of Proximity (FRI). For L a binary field, and size and rate parameters ℓ and R fixed, FRI yields an IOP of
proximity for the Reed–Solomon code RSL,S [2ℓ+R , 2ℓ ]; here, we require that S ⊂ L be an F2 -linear subspace
(of dimension ℓ + R, of course). That is, FRI yields an IOP for the claim whereby some oracle [f ]—i.e.,
ℓ
representing a function f : S → L—is close to a codeword (P (x))x∈S (here, P (X) ∈ L[X]≺2 represents
a polynomial of degree less than 2ℓ ). FRI’s verifier complexity is polylogarithmic in 2ℓ . We abbreviate
ρ := 2−R , so that RSL,S [2ℓ+R , 2ℓ ] is of rate ρ.
Internally, FRI makes use of a folding constant η—which we fix to be 1—as well as a fixed, global sequence
of subspaces and maps of the form:

q (0) q (1) q (2) q (ℓ−1)

S = S (0) −−→ S (1) −−→ S (2) −−→ · · · −−−−→ S (ℓ) . (1)

Here, for each i ∈ {0, . . . , ℓ − 1}, q (i) is a subspace polynomial of degree 2η = 2, whose kernel, which is
1-dimensional, is moreover contained in S (i) . By linear-algebraic considerations, we conclude that S (i+1) ’s
F2 -dimension is 1 less than S (i) ’s is; inductively, we conclude that each S (i) is of dimension ℓ + R − i.

2.5 Tensor Products of Fields

We record algebraic preliminaries, referring throughout to Lang [Lan02, Ch. XVI]. We fix a field extension
L / K. We define the tensor product A := L ⊗K L of L with itself over K as in [Lan02, Ch. XVI § 6]. Here, we
view L as a K-algebra; the resulting object A := L ⊗K L is likewise a K-algebra. We would like to sincerely
thank Benjamin Wilson for first suggesting to us this tensor-theoretic perspective on the tower algebra of
[DP23, § 3.4].
We recall from [Lan02, Ch. XVI, § 1] the natural K-bilinear mapping φ : L × L → L ⊗K L which sends
φ : (α0 , α1 ) 7→ α0 ⊗ α1 . We write φ0 and φ1 for φ’s restrictions to the subsets L × {1} and {1} × L of L × L,
and moreover identify these latter subsets with L. That is, we write φ0 : α 7→ α ⊗ 1 and φ1 : α 7→ 1 ⊗ α, both
understood as maps L → A. We claim that these maps are injective (i.e., that they’re not identically zero).
We follow Lang [Lan02, Ch. XVI, § 2, Prop. 2.3]. The mapping f : L × L → L sending f : (α0 , α1 ) 7→ α0 · α1
is K-bilinear; by the universal property of the tensor product, f induces a K-linear map h : L ⊗K L → L,
for which, for each α ∈ L, h(α ⊗ 1) = f (α, 1) = α · 1 = α holds; we see that α ⊗ 1 = 0 if and only if α = 0.
We assume once and for all that deg(L / K) is a power of 2, say 2κ . We fix a K-basis (βv )v∈Bκ of L. We
moreover impose the simplifying assumption whereby β(0,...,0) = 1. By [Lan02, Ch. XVI, § 2, Cor. 2.4], the
set (βu ⊗ βv )(u,v)∈Bκ ×Bκ yields a K-basis of A. We thus see that each A-element is, concretely, a 2κ × 2κ
arrayPof K-elements. For each a ∈ A given, there is a unique 2κ -tuple of L-elements (av )v∈Bκ for which
a = v∈Bκ av ⊗ βv holds. (Indeed, this is just [Lan02,PCh. XVI, § 2, Prop. 2.3].) Similarly, there is a
unique 2κ -tuple of L-elements (au )u∈Bκ for which a = u∈Bκ βu ⊗ au holds. We call the tuples (av )v∈Bκ
and (au )u∈Bκ a’s column and row representations, respectively.
We depict the tensor algebra in Figure 1 below.

8
 2κ
⟨1 ⊗ 1⟩ ⟨1 ⊗ β1 ⟩ ⟨1 ⊗ β2κ −1 ⟩



 ⟨1 ⊗ 1⟩ K K φ1 (L) K




⟨β1 ⊗ 1⟩ K






κ 
2 A ..
φ0 (L)


 .









⟨β ⊗ 1⟩ K ··· K

2κ −1

Figure 1: A depiction of our “tensor algebra” data structure.

The maps φ0 and φ1 respectively embed L into A’s left-hand column and top row. That is, the image
of φ0 : L ,→ A is the set of K-arrays which are 0 except in their respective left-most columns; the image of
φ1 : L ,→ A is the set of K-arrays which are 0 outside of their top rows. We finally characterize concretely
the products φ0 (α) · a P
and φ1 (α) · a, for elements α ∈ L andP a ∈ A arbitrary. It is a straightforward to
show that φ0 (α) · a = v∈Bκ (α · av ) ⊗ βv and φ1 (α) · a = u∈Bκ βu ⊗ (α · au ) both hold; here, we again
write (av )v∈Bκ and (au )u∈Bκ for a’s column and row representations. That is, φ0 (α) · a differs from a by
column-wise multiplication by α; φ1 (α) · a differs from a by row-wise multiplication by α. In short, φ0
operates on columns; φ1 operates on rows.
Below, the tensor algebra A := L ⊗K L plays a critical role in our “ring-switching” technique (see Section
4). For now, we record a simple polynomial-packing operation, which is implicit in [DP23,
κ P§ 3.4]. We obtain
a natural K-isomorphism K 2 → L via the basis-combination procedure (αv )v∈Bκ 7→ v∈Bκ αv · βv . By
applying this map in “chunks”, we may associate to any ℓ-variate K-polynomial an ℓ−κ-variate L-polynomial.
Definition 2.1. For each extension L/K, with K-basis (βv )v∈Bκ say, and each multilinear t(X0 , . . . , Xℓ−1 ) ∈
K[X0 , . . . , Xℓ−1 ]⪯1 , we write ℓ′ := ℓ − κ, and define the ′
P packed polynomial t (X0 , . . . , Xℓ′ −1 ) ∈
⪯1 ′
L[X0 , . . . , Xℓ −1 ] by declaring, for each v ∈ Bℓ , that t : v 7→ u∈Bκ t(u0 , . . . , uκ−1 , v0 , . . . , vℓ′ −1 ) · βu .
′ ′

Definition 2.1 replaces each little-endian chunk—consisting of 2κ adjacent K-elements—of

t(X0 , . . . , Xℓ−1 )’s Lagrange coefficient vector with a single L-element, by basis-combining that chunk.
We emphasize that Definition 2.1’s packing procedure is reversible (see also [DP23, Thm. 3.9]); that is,
t′ (X0 , . . . , Xℓ′ −1 ) can be “unpacked”. We note that Definition 2.1 is essentially the same as [DP23, § 4.3].
We finally write φ1 (t′ )(X0 , . . . , Xℓ′ −1 ) ∈ A[X0 , . . . , Xℓ′ −1 ] for the result of embedding t′ (X0 , . . . , Xℓ′ −1 ),
componentwise, along the inclusion φ1 : L ,→ A.

2.6 Binary Towers

We recall towers of binary fields, referring throughout to [DP23, § 2.3]. For simplicity, we present only
Wiedemann’s tower [Wie88]; on the other hand, our results go through without change on other binary
towers (cf. e.g. the Cantor tower given in Li et al. [Li+18, § 2.1]). That is, we set T0 := F2 and T1 :=
F2 [X0 ]/(X02 + X0 + 1), as well as, for each ι > 1, Tι := Tι−1 /(Xι−1 2
+ Xι−2 · Xι−1 + 1). Fan and Paar


[FP97] observe that the multiplication and inversion operations in Wiedemann’s tower admit O 2log(3)·ι -
time algorithms.
The monomial F2 -basis of the binary tower Tτ is (βv )v∈Bτ := (g mon(X0 , . . . , Xτ −1 , v0 , . . . , vτ −1 ))v∈Bτ .
More generally, for each pair of integers ι ≥ 0 and τ ≥ ι, the set (g mon(Xι , . . . , Xτ −1 , v0 , . . . , vτ −ι−1 )v∈Bτ −ι
likewise yields a Tι -basis of Tτ ; we again write (βv )v∈Bτ −ι for this basis.
The tower algebra data structure of Diamond and Posen [DP23, § 3.4] is essentially nothing other than
Tτ ⊗Tι Tι+κ . We use tensor-notation in this work; we thus avoid referring to that algebra directly. In this
work, we moreover only consider “square” tensors (i.e., of the same field with itself). That work’s “constant”
and “synthetic” embeddings correspond to our embeddings φ0 and φ1 , respectively.

9
2.7 Proximity Gaps
We turn to proximity gaps, following Ben-Sasson, et al., [Ben+23], Diamond and Posen [DP24], and Diamond
and Gruen [DG24]. Throughout this subsection, we again fix a Reed–Solomon code C := RSL,S [2ℓ+R , 2ℓ ];
we moreover write d := 2ℓ+R − 2ℓ + 1 for C’s distance. In the following results, for notational convenience,
we abbreviate n := 2ℓ+R for the Reed–Solomon code C’s block length.
We recall the notion of proximity gaps, both over affine lines [DG24, Def. 2.1] and over tensor combinations
[DG24, Def. 2.3]. The following key result
 entails that
 Reed–Solomon codes exhibit proximity gaps for affine
lines, for each proximity parameter e ∈ 0, . . . , d−1
2 within the unique decoding radius.

Theorem 2.2 (Ben-Sasson, et al. [Ben+23, Thm. 4.1]). For each proximity parameter e ∈ 0, . . . , d−1
  
2
ℓ+R
and each pair of words u0 and u1 in L2 , if
n
Pr [d((1 − r) · u0 + r · u1 , C) ≤ e] > ,
r∈L |L|
 
1
then d2 (ui )i=0 , C 2 ≤ e.

Diamond and Gruen [DG24, Thm. 3.1], making use of a result of Angeris, Evans and Roh [DG24,
Thm. 3.6], show that each code C for which the conclusion of Theorem 2.2 holds also exhibits tensor-style
proximity gaps in the sense of Diamond and Posen [DP24, Thm. 2] (although they sharpen by a factor of
two that result’s false witness probability). Applying their result to Theorem 2.2, those authors obtain:
Corollary 2.3 (Diamond–Gruen [DG24, Cor. 3.7]). For each proximity parameter e ∈ 0, . . . , d−1
  
2 , each
2ℓ+R
tensor arity ϑ ≥ 1, and each list of words u0 , . . . , u2ϑ −1 in L , if
     
u0
h N
ϑ−1
i
.. n
Pr d i=0 (1 − ri , ri )
· , C  ≤ e > ϑ · ,
     
(r0 ,...,rϑ−1 )∈Lϑ
. |L|
u2ϑ −1

2ϑ −1
ϑ
 ϑ

then d2 (ui )i=0 , C 2 ≤ e.

2.8 Security Definitions

We record security definitions. We begin by defining various abstract oracles, following [DP23, § 4.1].

L
FUNCTIONALITY 2.4 (FVec —vector oracle).
An arbitrary alphabet L is given.
• Upon receiving (submit, m, f ) from P, where m ∈ N and f ∈ LBm , output (receipt, L, [f ]) to all
parties, where [f ] is some unique handle onto the vector f .
• Upon receiving (query, [f ], v) from V, where v ∈ Bm , send V (result, f (v)).

λ,ℓ
FUNCTIONALITY 2.5 (FPoly —polynomial oracle).
A security parameter λ ∈ N and a number-of-variables parameter ℓ ∈ N are given. The functionality
constructs and fixes a field L (allowed to depend on λ and ℓ).
• Upon receiving (submit, t) from P, where t(X0 , . . . , Xℓ−1 ) ∈ L[X0 , . . . , Xℓ−1 ]⪯1 , output
(receipt, [t]) to all parties, where [t] is some unique handle onto the polynomial t.

• On input (query, [t], r) from V, where r ∈ Lℓ , send V (result, t(r0 , . . . , rℓ−1 )).

10
 λ,K,ℓ
FUNCTIONALITY 2.6 (FSFPoly —small-field polynomial oracle).
A security parameter λ ∈ N, a number-of-variables parameter ℓ ∈ N, and a ground field K are given.
The functionality constructs and fixes a field extension L / K (allowed to depend on λ, ℓ and K).

• Upon receiving (submit, t) from P, where t(X0 , . . . , Xℓ−1 ) ∈ K[X0 , . . . , Xℓ−1 ]⪯1 , output
(receipt, [t]) to all parties, where [t] is some unique handle onto the polynomial t.
• On input (query, [t], r) from V, where r ∈ Lℓ , send V (result, t(r0 , . . . , rℓ−1 )).

An IOP, by definition, is a protocol in which P and V may make free use of the abstract Functionality
2.4; in a PIOP, the parties may instead use Functionality 2.5. Interactive oracle polynomial commitment
schemes (IOPCSs) serve to bridge these two models. They’re IOPs; that is, they operate within the abstract
computational model in which Functionality 2.4 is assumed to exist. On the other hand, they “emulate” the
more-powerful Functionality 2.5, in the sense that each given PIOP—by inlining in place of each of its calls
to Functionality 2.5 an execution of the IOPCS—stands to yield an equivalently secure IOP.
Departing slightly from previous works, we treat polynomial commitment in the IOP model ; that is, for
our purposes, a “polynomial commitment scheme” is an IOP (i.e., a protocol in which a string oracle is
available to both parties) which captures the commitment, and subsequent evaluation, of a polynomial. Our
approach contrasts with that taken by various previous works (we note e.g. Diamond and Posen [DP23] and
Setty [Set20]). Those works opt to define polynomial commitment schemes in the plain (random oracle)
model, noting that a plain PCS, upon being inlined into a secure PIOP, yields a sound argument. This
latter approach absorbs the Merklization process both into the PCS and into the composition theorem. Our
approach bypasses this technicality, and separates the relevant concerns. Indeed, given a PIOP, we may first
inline our IOPCS into it; on the resulting IOP, we may finally invoke generically the compiler of Ben-Sasson,
Chiesa and Spooner [BCS16]. This “two-step” compilation process serves to transform any secure PIOP into
a secure argument in the random oracle model.
We also define the security of IOPCSs differently than do [Set20, Def. 2.11] and [DP23, § 3.5]. Our
definition below requires that E extract t(X0 , . . . , Xℓ−1 ) immediately after seeing A’s commitment (that is,
before seeing r, or observing any evaluation proofs on the part of A). This work’s IOPCS constructions indeed
meet this stricter requirement, owing essentially to their use of Reed–Solomon codes, which are efficiently
decodable. (In the setting of general —that is, not-necessarily-decodable—codes, extraction becomes much
more complicated, and requires rewinding.) On the other hand, our strict rendition of the IOPCS notion
makes its key composability property—that is, the fact whereby a secure IOPCS, upon being inlined into
a secure PIOP, yields a secure IOP—easier to prove. (We believe that this composability property should,
on the other hand, nonetheless hold even under various weakenings of Definition 2.8.) We note that our
approach makes the definition of an “opening” procedure—as well as of binding analysis—unnecessary.
Rather, Definition 2.8’s adversary A is “bound” to t in the much-stricter sense whereby E has already
extracted t before r ∈ Lℓ has even been selected or A has participated in any opening proofs. In this
light, we note that binding—as it appears in Spartan-style [Set20] definitions like [DP24, Def. 2]—essentially
serves as a weak substitute for the sort of up-front extraction typified by Definition 2.8, necessary only when
up-front extraction is not possible (i.e., when efficient decoding is not available).
Definition 2.7. An interactive oracle polynomial commitment scheme (IOPCS) is a tuple of algorithms
Π = (Setup, Commit, P, V) with the following syntax:
• params ← Π.Setup(1λ , ℓ). On input the security parameter λ ∈ N and a number-of-variables parameter
ℓ ∈ N, outputs params, which includes, among other things, a field L.
• [f ] ← Π.Commit(params, t). On input params and a multilinear polynomial t(X0 , . . . , Xℓ−1 ) ∈
L[X0 , . . . , Xℓ−1 ]⪯1 , outputs a handle [f ] to a vector.
• b ← ⟨P([f ], s, r; t), V([f ], s, r)⟩ is an IOP, in which the parties may jointly leverage the machine FVec
L
.
ℓ
The parties have as common input a vector handle [f ], an evaluation point (r0 , . . . , rℓ−1 ) ∈ L , and
a claimed evaluation s ∈ L. P has as further input a multilinear polynomial t(X0 , . . . , Xℓ−1 ) ∈
K[X0 , . . . , Xℓ−1 ]⪯1 . V outputs a success bit b ∈ {0, 1}.

11
 The IOPCS Π is complete if the obvious correctness property holds. That is, for each multilin-
ear polynomial t(X0 , . . . , Xℓ−1 ) ∈ L[X0 , . . . , Xℓ−1 ]⪯1 and each honestly generated commitment [f ] ←
Π.Commit(params, t), it should hold that, for each r ∈ Lℓ , setting s := t(r0 , . . . , rℓ−1 ), the honest prover
algorithm induces the verifier to accept with probability 1, so that ⟨P([f ], s, r; t), V([f ], s, r)⟩ = 1.
We now define the security of IOPCSs.

Definition 2.8. For each interactive oracle polynomial commitment scheme Π, security parameter λ ∈ N,
and number-of-variables parameter ℓ ∈ N, PPT query sampler Q, PPT adversary A, and PPT emulator E,
we define the following experiment:
• The experimenter samples params ← Π.Setup(1λ , ℓ), and gives params, including L, to A and E.

• The adversary, after interacting arbitrarily with the vector oracle, outputs a handle [f ] ← A(params).
• On input A’s record of interactions with the oracle, E outputs t(X0 , . . . , Xℓ−1 ) ∈ L[X0 , . . . , Xℓ−1 ]⪯1 .
• The query sampler outputs (r0 , . . . , rℓ−1 ) ← Q(params); A responds with an evaluation claim s ← A(r).
• The experimenter defines the following two random bits:

– By running the evaluation IOP with A as V, obtain the bit b ← ⟨A(s, r), V([f ], s, r)⟩.
?
– Obtain the further bit b′ := t(r0 , . . . , rℓ−1 ) = s.

The IOPCS Π is secure if, for each PPT adversary A, there is a PPT emulator E and a negligible function
negl such that, for each λ ∈ N, each ℓ ∈ N, and each PPT query sampler Q, Pr[b = 1 | b′ = 0] ≤ negl(λ).
We finally record a variant of Definition 2.7 in which the parties may fix a small coefficient field K.
Definition 2.9. A small-field interactive oracle polynomial commitment scheme (small-field IOPCS) is a
tuple of algorithms Π = (Setup, Commit, P, V) with the following syntax:
• params ← Π.Setup(1λ , ℓ, K). On input the security parameter λ ∈ N, a number-of-variables parameter
ℓ ∈ N and a field K, outputs params, which includes, among other things, a field extension L / K.
• [f ] ← Π.Commit(params, t). On input params and a multilinear polynomial t(X0 , . . . , Xℓ−1 ) ∈
K[X0 , . . . , Xℓ−1 ]⪯1 , outputs a handle [f ] to a vector.

• b ← ⟨P([f ], s, r; t), V([f ], s, r)⟩ is an IOP, in which the parties may jointly leverage the machine FVec
L
.
ℓ
The parties have as common input a vector handle [f ], an evaluation point (r0 , . . . , rℓ−1 ) ∈ L , and
a claimed evaluation s ∈ L. P has as further input a multilinear polynomial t(X0 , . . . , Xℓ−1 ) ∈
K[X0 , . . . , Xℓ−1 ]⪯1 . V outputs a success bit b ∈ {0, 1}.
We define the security of small-field IOPCSs Π exactly as in Definition 2.8, except that we require that
E output a polynomial t(X0 , . . . , Xℓ−1 ) ∈ K[X0 , . . . , Xℓ−1 ]⪯1 .

3 Simple Binary-Field IOPCS

In this section, we develop a basic form of our main IOPCS (see Definition 2.7). This section’s IOPCS does
not operate over small fields; its goal is essentially to make BaseFold’s IOPCS [ZCF23, § 5] work in the binary
setting. To achieve this, we must develop a degree of machinery. Indeed, we must first use FRI’s binary-field
variant [BBHR18]. In the binary setting, in order to recover the even–odd FRI folding behavior essential
to BaseFold, we must further specialize binary-field FRI. That is, we must carefully choose that protocol’s
codeword domains S (i) ⊂ L (for i ∈ {0, . . . , l}) and its two-to-one collapsing maps q (i) : S (i) → S (i+1) (for
i ∈ {0, . . . , l − 1}). Our choice serves to make FRI compatible with Lin, Chung and Han’s [LCH14] additive
NTT.

12
3.1 Using FRI in Novel Polynomial Basis
We begin by proposing a specific construction of those subspace polynomials q (0) , . . . , q (ℓ−1) invoked internally
by FRI. Throughout this section, we fix a binary field L, with F2 -basis (β0 , . . . , βr−1 ). Throughout the
remainder of this subsection—and in fact, the entire paper—we impose the simplifying assumption whereby
β0 = 1. We fix moreover a size parameter ℓ ∈ {0, . . . , r − 1} and a rate parameter R ∈ {1, . . . , r − ℓ}. We
finally recall the subspace vanishing polynomials Wci (X) ∈ L[X], for i ∈ {0, . . . , ℓ − 1}, which we now view as
F2 -linear maps W ci : L → L, as well as their non-normalized counterparts Wi : L → L (see Subsection 2.3).
We begin by defining our FRI domains and folding maps.
Definition 3.1. For each i ∈ {0, . . . , ℓ}, we define the domain

S (i) := W
ci (⟨β0 , . . . , βℓ+R−1 ⟩).

Moreover, for each i ∈ {0, . . . , ℓ − 1}, we define

2
Wi (βi )
q (i) (X) := · X · (X + 1).
Wi+1 (βi+1 )

For each i ∈ {0, . . . , ℓ − 1}, the map q (i) (X) is a linear subspace polynomial of degree 2. A priori, this
map’s kernel could relate arbitrarily to the domain S (i) ⊂ L; moreover, the image of its restriction S (i)

to(i+1)
(i+1) (i) (i)
could relate arbitrarily to S . In the following sequence of results, we prove that in fact q S =S
(0) (ℓ−1)
holds for each i ∈ {0, . . . , ℓ − 1}. In particular, the chain of maps q , . . . , q and the spaces S , . . . , S (ℓ)
(0)

yield a valid global parameterization of the FRI protocol (in the sense of Subsection 2.4).

Lemma 3.2. For each i ∈ {0, . . . , ℓ − 1}, we have the equality q (i) ◦ W
ci = W
ci+1 of polynomials.

Proof. We invoke the following direct calculation:

2
ci (X) = Wi (βi ) · W
   
q (i) ◦ W ci (X) · Wci (X) + 1 (by definition of q (i) .)
Wi+1 (βi )
2
Wi (βi ) Wi (X) Wi (X) + Wi (βi )
= · · (by definition of W
ci .)
Wi+1 (βi+1 ) Wi (βi ) Wi (βi )
Wi (X) · (Wi (X) + Wi (βi ))
= (cancellation of Wi (βi )2 .)
Wi+1 (βi+1 )
Wi+1 (X)
= (recursive characterization of Wi+1 (X).)
Wi+1 (βi+1 )
=Wci+1 (X). (by definition of W
ci+1 (X).)

In the second-to-last step, we exploit the recursive identity Wi+1 (X) = Wi (X) · (Wi (X) + Wi (βi )), itself a
basic consequence of the definitions of Wi+1 and Wi and of the linearity of Wi .


Theorem 3.3. For each i ∈ {0, . . . , ℓ − 1}, q (i) S (i) = S (i+1) .
Proof. Using Lemma 3.2, we obtain:
   
q (i) S (i) = q (i) Wci (⟨β0 , . . . , βℓ+R−1 ⟩) (by definition of S (i) .)
ci+1 (⟨β0 , . . . , βℓ+R−1 ⟩)
=W (by Lemma 3.2.)
(i+1)
=S (⟨β0 , . . . , βℓ+R−1 ⟩). (again by definition of S (i+1) .)

This completes the proof of the theorem.

As a further corollary, Lemma 3.2 shows that the polynomials q (0) , . . . , q (ℓ−1) collectively “factor” the
normalized subspace polynomials W
c0 , . . . , W
cℓ , at least provided we assume β0 = 1.

13
 ci = q (i−1) ◦ · · · ◦ q (0) holds.
Corollary 3.4. If β0 = 1, then, for each i ∈ {0, . . . , ℓ}, W
Proof. In the base case i = 0, we must show that W
c0 equals the empty composition (namely X itself). To
show this, we recall that W0 (X) = X; moreover, we have:
X X
W
c0 (X) = = = X,
W0 (β0 ) β0
where, in the last step, we use our assumption β0 = 1.
For i ∈ {0, . . . , ℓ − 1} arbitrary, Lemma 3.2 shows that W ci+1 = q (i) ◦ W
ci . Applying induction to W
ci , we
conclude that this latter map in turn equals q (i) ◦ · · · ◦ q (0) .
We note finally the following result.
 
Corollary 3.5. For each i ∈ {0, . . . , ℓ}, the set W ci (βℓ+R−1 ) is an F2 -basis of the space S (i) .
ci (βi ), . . . , W

Proof. Indeed, the subspace Vi := ⟨βi , . . . , βℓ+R−1 ⟩ is clearly a subspace of ⟨β0 , . . . , βℓ+R−1 ⟩, so that in
turn W ci (⟨β0 , . . . , βℓ+R−1 ⟩), which itself equals S (i) (by Definition 3.1). On the other hand, the
ci (Vi ) ⊂ W
restriction of Wi to Vi is necessarily injective, since W
c ci ’s kernel ⟨β0 , . . . , βi−1 ⟩ intersects Vi trivially. Since S (i)
 
is ℓ + R − i-dimensional, we conclude by a dimension count that W ci (βℓ+R−1 ) spans S (i) .
ci (βi ), . . . , W
D E
The bases W ci (βℓ+R−1 ) = S (i) , for i ∈ {0, . . . , ℓ}, serve to simplify various aspects of
ci (βi ), . . . , W
our protocol’s implementation. For example, expressed in coordinates with respect to these bases, each
map q (i) : S (i) → S (i+1) acts simply by projecting away its 0th -indexed component (indeed, for each i ∈
{0, . . . , ℓ − 1}, q (i) maps (W ci (βi ), . . . , W
ci (βℓ+R−1 )) to (0, W
ci+1 (βi+1 ), . . . , W
ci+1 (βℓ+R−1 ))). Similarly, for
(i+1)
each i ∈ {0, . . . , ℓ − 1} and each y ∈ S , the two L-elements x ∈ S (i) for which q (i) (x) = y differ
th
precisely at their 0 components, and elsewhere agree with y’s coordinate representation. Below, we often
identify S (i) ∼ = Bℓ+R−i as sets, using these bases; moreover, where possible, we eliminate altogether the maps
q (0) , . . . , q (ℓ−1) from our descriptions. These measures make our protocol’s description and implementation
more transparent.

3.2 FRI Folding, Revisited

We now introduce a new FRI-like folding mechanism. We recall that FRI [BBHR18, § 3.2] makes use of
a folding arity constant η. FRI stipulates that, to fold a given oracle, the prover interpolate a univariate
polynomial of degree less than 2η on each coset of the given oracle, and finally evaluate the resulting
polynomials collectively at the verifier’s challenge point. We introduce a new, multilinear folding mechanism
as follows. Informally, we stipulate that the verifier send a fixed and positive—and yet arbitrary—number ϑ of
folding challenges, and that the prover fold its oracle, again coset-wise, using a length-2ϑ tensor combination
(in the sense of Subsection 2.1) of the verifier’s challenges over each coset. Below, we again write L for a
binary field.
Definition 3.6.
We fix an index i ∈ {0, . . . , ℓ − 1} and a map f (i) : S (i) → L. For each r ∈ L, we define the
map fold f (i) , r : S (i+1) → L by setting, for each y ∈ S (i+1) :
   
(i)
  h i x1 −x 0 f (x0 )
fold f (i) , r : y 7→ 1 − r r ·  · ,
−1 1 f (i) (x1 )
−1
where we write (x0 , x1 ) := q (i) ({y}) for the fiber of q (i) over y ∈ S (i+1) .
(i)


Remark 3.7. Definition  3.6’s quantity
 fold f , r (y) is closely related—and yet not equivalent—to FRI’s
(i)
expression interpolant f q(i) −1 ({y}) (r). (FRI’s variant, however, admits a similar matrix expression.) The
essential point is that FRI’s variant induces a monomial fold, as opposed to a Lagrange fold; that is, if we
were to use FRI’s variant instead of our own, then our Lemma 3.13 below would remain true, albeit with
P2ℓ−i−1 −1 (i+1)
the alternate conclusion P (i+1) (X) = j=0 (a2j + ri′ · a2j+1 ) · Xj (X). Our entire theory admits a
parallel variant in this latter setting, though that variant introduces further complications.

14
 We finally record the following iterated extension of Definition 3.6.
Definition 3.8. We fix a positive folding factor ϑ, an index i ∈ {0, . . .
, ℓ − ϑ}, and a map f (i)
: S (i) → L.

For each tuple (r0 , . . . , rϑ−1 ) ∈ Lϑ , we abbreviate fold f (i) , r0 , . . . , rϑ−1 := fold · · · fold f (i) , r0 , · · · , rϑ−1 .
We have the following mathematical characterization of this iterated folding operation:
Lemma 3.9. For each positive folding factor ϑ, each index i ∈ {0, . . . , ℓ − ϑ}, and each y ∈ S (i+ϑ) , there is
a 2ϑ × 2ϑ invertible matrix My ,which depends only on y ∈ S (i+ϑ) , such that, for each function f (i) : S (i) → L
and each tuple (r0 . . . , rϑ−1 ) ∈ Lϑ of folding challenges, we have the matrix identity:
   
f (i) (x0 )
..
  h i    
fold f (i) , r0 , . . . , rϑ−1 (y) =
Nϑ−1
j=0 (1 − rj , rj )
· · ,
   
 My   .
   
f (i) (x2ϑ −1 )

−1
where the right-hand vector’s values (x0 , . . . , x2ϑ −1 ) represent the fiber q (i+ϑ−1) ◦ · · · ◦ q (i) ({y}) ⊂ S (i) .
Proof. We prove the result by induction on ϑ. In the  base caseϑ = 1, the claim is a tautology, in view of
x1 −x0
Definition 3.6. We note that that definition’s matrix   is invertible, since its determinant x1 − x0
−1 1
is nonzero (and in fact equals 1, a fact we shall use below).
We thus fix a folding factor ϑ > 1, and suppose that the claim holds for ϑ − 1. We write (z0 , z1 ) :=
(i+ϑ−1) −1

−1
q ({y}), as well as (x0 , . . . , x2ϑ −1 ) := q (i+ϑ−1) ◦ · · · ◦ q (i) ({y}). Unwinding Definition 3.8, we


recursively express the relevant quantity fold f (i) , r0 , . . . , rϑ−1 (y)—which, for typographical reasons, we call
f—in the following way:
" # " #
fold f (i) , r0 , . . . , rϑ−2 (z0 )


−z0
h i z
1
f = 1 − rϑ−1 rϑ−1 · · (i)


−1 1 fold f , r0 , . . . , rϑ−2 (z1 )
   
f (i) (x0 )
  
Nϑ−2

 Mz 0
− rj , rj )
  
−z0 j=0 (1
h i
z1 ..
= 1 − rϑ−1 · ·  · · .
  
rϑ−1 Nϑ−2  .
−1 1 j=0 (1 − rj , r j )    
Mz
| {z } 1
f (i) (x2ϑ −1 )
these matrices may be interchanged.

In the second step above, we apply the inductive hypothesis on both z0 and z1 . That hypothesis fur-
nishes the nonsingular, 2ϑ−1 × 2ϑ−1 matrices Mz0 and Mz1 ; we note moreover that the union of the fibers

−1
−1
−1
q (i+ϑ−2) ◦ · · · ◦ q (i) ({z0 }) and q (i+ϑ−2) ◦ · · · ◦ q (i) ({z1 }) is precisely q (i+ϑ−1) ◦ · · · ◦ q (i) ({y}). In-
terchanging the two matrices bracketed above, we further reexpress this quantity as:
     
f (i) (x )
0
 diag(z ) diag(−z )   Mz
" N # 1 0
ϑ−2 0

j=0 (1 − rj , rj )
h i   
..
= 1 − rϑ−1 rϑ−1 · · · · .
     
Nϑ−2 .
j=0 (1 − r ,
j jr )      
diag(−1) diag(1) Mz1
f (i) (x2ϑ −1 )

By the standard recursive substructure of the tensor product, the product of the left-hand two matrices
Nϑ−1
equals exactly j=0 (1 − rj , rj ). On the other hand, the product of the two 2ϑ × 2ϑ nonsingular matrices
above is itself nonsingular, and supplies the required 2ϑ × 2ϑ matrix My .
We emphasize that, in Lemma 3.9, the matrix My depends only on y ∈ S (i+ϑ) —and of course on ϑ and
i ∈ {0, . . . , ℓ − ϑ}—but not on the map f (i) or the folding challenges (r0 , . . . , rϑ−1 ) ∈ Lϑ .
Remark 3.10. Interestingly, the matrix My of Lemma 3.9 is nothing other than that of the inverse additive
NTT [LCH14, § III. C.] on the coset (x0 , . . . , x2ϑ −1 ); i.e., it’s the matrix which, on input the evaluations of
some polynomial of degree less than 2ϑ on the set of elements (x0 , . . . , x2ϑ −1 ), returns the coefficients—with
respect to the ith -order novel basis (see Remark 3.15 below)—of that polynomial.

15
3.3 Simple IOPCS
We now present our “simple” IOPCS construction, an instantiation of Definition 2.7 based on BaseFold’s
IOPCS [ZCF23, § 5] and on the material of our Subsections 3.1 and 3.2 above. In order to present a
notationally simpler variant of our protocol, we assume below that ϑ | ℓ; this requirement is not necessary.

CONSTRUCTION 3.11 (Simple Large-Field IOPCS).

We define Π = (Setup, Commit, P, V) as follows.
• params ← Π.Setup(1λ , ℓ). On input 1λ and ℓ, choose a constant, positive rate parameter R ∈ N
and a binary field L/F2 whose degree r (say) over F2 satisfies r = ω(log λ) and r ≥ ℓ+R. Initialize
L
the vector oracle FVec . Fix a folding factor ϑ | ℓ and a repetition parameter γ = ω(log λ). Fix
an arbitrary F2 -basis (β0 , . . . , βr−1 ) of L. Write (X0 (X), . . . , X2ℓ −1 (X)) for the resulting novel
ℓ
L-basis of L[X]≺2 , and fix the domains S (0) , . . . , S (ℓ) and the polynomials q (0) , . . . , q (ℓ−1) as in
ℓ+R
Subsection 3.1. Write C (0) ⊂ L2 for the Reed–Solomon code RSL,S (0) [2ℓ+R , 2l ].

• [f ] ← Π.Commit(params, t). On input t(X0 , . . . , Xℓ−1 ) ∈ L[X0 , . . . , Xℓ−1 ]⪯1 , use t’s Lagrange
coefficientsP(t(v))v∈Bℓ as the coefficients, in the novel polynomial basis, of a univariate polynomial
P (X) := v∈Bℓ t(v) · X{v} (X), say. Using Algorithm 2, compute the Reed–Solomon codeword
f : S (0) → L defined by f : x 7→ P (x). Submit (submit, ℓ + R, f ) to the vector oracle FVec L
. Upon
L
receiving (receipt, ℓ + R, [f ]) from FVec , output the handle [f ].

We define (P, V) as the following IOP, in which both parties have the common input [f ], s ∈ L, and
(r0 , . . . , rℓ−1 ) ∈ Lℓ , and P has the further input t(X0 , . . . , Xℓ−1 ) ∈ L[X0 , . . . , Xℓ−1 ]⪯1 .
• P writes h(X0 , . . . , Xℓ−1 ) := t(X0 , . . . , Xℓ−1 ) · e
fq(r0 , . . . , rℓ−1 , X0 , . . . , Xℓ−1 ).
• P and V both abbreviate f (0) := f and s0 := s, and execute the following loop:
1: for i ∈ {0, . . . , ℓ − 1} do
P sends V the univariate polynomial hi (X) := v∈Bℓ−i−1 h(r0′ , . . . , ri−1
′
P
2: , X, v0 , . . . , vℓ−i−2 ).
?
3: V requires si = hi (0) + hi (1). V samples ri′ ← L, sets si+1 ′ ′

:= hi (ri ), and sends P ri .
(i+1) (i+1) (i) ′
4: P defines f :S → L as the function fold f , ri of Definition 3.6.
5: if i + 1 = ℓ then P sends c := f (ℓ) (0, . . . , 0) to V.
6: else if ϑ | i + 1 then P submits (submit, ℓ + R − i − 1, f (i+1) ) to the oracle FVec L
.
?
• V requires sℓ = c · e
fq(r0 , . . . , rℓ−1 , r0′ , . . . , rℓ−1
′
).
• V executes the following querying procedure:
1: for γ repetitions do
2: V samples v ← Bℓ+R randomly.
3: for i ∈ {0, ϑ, . . . , ℓ − ϑ} (i.e., taking ϑ-sized steps) do

4: for each u ∈ Bϑ , V sends query, [f (i) ], (u0 , . . . , uϑ−1 , vi+ϑ , . . . , vℓ+R−1 ) to the oracle.
?
5: if i > 0 then V requires ci = f (i) (vi , . . . , vℓ+R−1 ).
V defines ci+ϑ := fold f (i) , ri′ , . . . , ri+ϑ−1
′


6: (vi+ϑ , . . . , vℓ+R−1 ).
?
7: V requires cℓ = c.

In our commitment procedure above, we give meaning to the commitment of f by implicitly identifying
S (0) =∼ Bℓ+R as sets (as discussed above); similarly, in the prover’s line 6 above, we identify Bℓ+R−i−1 ∼ =
S (i+1) . Conversely, in its lines 4 and 6 above, the verifier must implicitly identify the Bℓ+R−i -elements
(u0 , . . . , uϑ−1 , vi+ϑ , . . . , vℓ+R−1 )u∈Bϑ with S (i) -elements—and the Bℓ+R−i−ϑ -element (vi+ϑ , . . . , vℓ+R−1 )
with an S (i+ϑ) -element—in order to appropriately apply Definition
3.8. We note that, in line 6, V has
precisely the information it needs to compute fold f (i) , ri′ , . . . , ri+ϑ−1
′
(vi+ϑ , . . . , vℓ+R−1 ) (namely, the values

−1
(i)
of f on the fiber (u0 , . . . , uϑ−1 , vi+ϑ , . . . , vℓ+R−1 ) ∼
= q (i+ϑ−1)
◦ · · · ◦ q (i) ({(vi+ϑ , . . . , vℓ+R−1 )})).
u∈Bϑ

16
 The completness of Construction 3.11’s evaluation IOP is not straightforward. For instance, it is simply
not obvious what the folding operation of line 4 does to the coefficients of the low-degree polynomial P (i) (X)
underlying f (i) . (Though our folding operation departs slightly from FRI’s—we refer to Remark 3.7 for a
discussion of this fact—the conceptual obstacle is essentially the same.) Indeed, the completeness proof of
generic FRI [BBHR18, § 4.1.1] tells us that the folded function f (i+1) represents the evaluations of some
polynomial P (i+1) (X) of appropriate degree on the domain S (i+1) . But which one? The proof of [BBHR18,
§ 4.1.1] fails to constructively answer this question, in that it invokes the generic characteristics of the
multivariate reduction—called Q(i) (X, Y )—of P (i) (X) by Y − q (i) (X). (We refer to e.g. von zur Gathen and
Gerhard [GG13, Alg. 21.11] for a thorough treatment of multivariate division.) It seems simply infeasible to
analyze by hand the execution of the multivariate division algorithm with sufficient fidelity as to determine
with any precision the result P (i+1) (Y ) = Q(i) (ri′ , Y ) (though we don’t rule out that a proof could in principle
be achieved by this means).
ℓ−i
Instead, we introduce certain, carefully-selected L-bases of the spaces L[X]≺2 , for i ∈ {0, . . . , ℓ} (so-
called “higher-order” novel polynomial bases). As it turns out, the respective coefficients of P (i) (X) and
P (i+1) (X) with respect to these bases are tractably related; their relationship amounts to an even–odd tensor-
fold by the FRI challenge ri′ . Proceeding by induction, we obtain the desired characterization of c.
Theorem 3.12. The IOPCS Π = (Setup, Commit, P, V) of Construction 3.11 is complete.
P
Proof. Provided that P is honest, s P
= t(r0 , . . . , rℓ−1 ) will hold. Since t(r0 . . . , rℓ−1 ) = v∈Bℓ h(v), this guar-
antee in turn implies that s = s0 = v∈Bℓ h(v) will hold, so that, by the completeness of the sumcheck, V’s
?
checks si = hi (0)+hi (1) will pass. Finally, sℓ = h(r0′ , . . . , rℓ−1
′
) = t(r0′ , . . . , rℓ−1
′
eq(r0 , . . . , rℓ−1 , r0′ , . . . , rl−1
)·f ′
)
?
too will hold. To argue the completeness of V’s check sℓ = c · e fq(r0 , . . . , rℓ−1 , r0′ , . . . , rℓ−1
′
) above, it thus
′ ′
suffices to argue that, for P honest, c = t(r0 , . . . , rℓ−1 ) will hold.
We introduce a family of further polynomial bases. For each i ∈ {0, . . . , ℓ − 1}, we define the ith -order
subspace vanishing polynomials W c (i) , . . . , W
c (i) (i) (i+1)
◦ q (i) , . . . , q (ℓ−2) ◦ · · · ◦ q (i) ,
0 ℓ−i−1 as the polynomials X, q , q
(i) (i+k−1) (i)
c := q
respectively (that is, W k ◦ · · · ◦ q , for each k ∈ {0, . . . , ℓ − i − 1}). Finally, we define the
(i) Qℓ−i−1 c (i) jk
ith -order novel polynomial basis by setting X := j W k=0 , for each j ∈ {0, . . . , 2ℓ−i − 1} (here, again,
k
we write (j0 , . . . , jℓ−i−1 ) for the bits of j). We adopt the notational convention whereby the ℓth -order basis
(ℓ)
consists simply of the constant polynomial X0 (X) = 1. Below, we use a certain inductive relationship
 2ℓ−i −1  2ℓ−i−1 −1
(i) (i+1)
between the bases Xj (X) and Xj (X) ; that is, for each j ∈ {0, . . . , 2ℓ−i−1 − 1}, the
j=0 j=0
(i) (i) (i+1) (i)
(i+1) (i)

polynomials X2j (X) and X2j+1 (X) respectively equal Xj q (X) and X · Xj q (X) .

Lemma 3.13. Fix an index i ∈ {0, . . . , ℓ − 1}. If f (i) : S (i) → L is exactly the evaluation over S (i) of the
P2ℓ−i −1 (i)
polynomial P (i) (X) = j=0 aj ·Xj (X), then, under honest prover behavior, f (i+1) : S (i+1) → L is exactly
P2ℓ−i−1 −1 (i+1)
the evaluation over S (i+1) of the polynomial P (i+1) (X) = j=0 ((1 − ri′ ) · a2j + ri′ · a2j+1 ) · Xj (X).

Proof. Given P (i) (X) as in the hypothesis of the lemma, we introduce the even and odd refinements
(i+1) P2ℓ−i−1 −1 (i+1) (i+1) P2ℓ−i−1 −1 (i+1)
P0 (X) := j=0 a2j · Xj (X) and P1 (X) := j=0 a2j+1 · Xj (X) of P (i) (X). We
note the following key polynomial identity:
(i+1) (i+1)
P (i) (X) = P0 (q (i) (X)) + X · P1 (q (i) (X)); (2)

This identity is a direct consequence of the definitions of the higher-order novel polynomial bases.
We turn to the proof of the lemma. We claim that f (i+1) (y) = P (i+1) (y) holds for each y ∈ S (i+1) , where
(i+1)
P (X) is as in the lemma’s hypothesis. To this end, we let y ∈ S (i+1) be arbitrary; we moreover write
−1
(x0 , x1 ) := q (i) ({y}) for the fiber of q (i) over y. We begin by examining the values P (i) (x0 ) and P (i) (x1 ).
For each b ∈ {0, 1} we have:
   
(i+1) (i+1)
P (i) (xb ) = P0 q (i) (xb ) + xb · P1 q (i) (xb ) (by the identity (2).)
(i+1) (i+1)
= P0 (y) + xb · P1 (y). (using q (i) (xb ) = y.)

17
Using now our assumption whereby f (i) (xb ) = P (i) (xb ) for each b ∈ {0, 1}, and unwinding the prescription
of Definition 3.6, we obtain:
   
(i)
h i x 1 −x 0 P (x 0 )
f (i+1) (y) = 1 − ri′ ri′ ·  ·  (by our hypothesis on f (i) , and by Definition 3.6.)
(i)
−1 1 P (x1 )
     
(i+1)
h i x1 −x0 1 x0 P0 (y)
= 1 − ri′ ri′ ·  · ·  (by the calculation just performed above.)
(i+1)
−1 1 1 x1 P1 (y)
 
h i P (i+1) (y)
= 1 − ri′ ri′ ·  0  (cancellation of inverse matrices.)
(i+1)
P1 (y)
(i+1) (i+1)
= P (i+1) (y). (by the definitions of P0 (X), P1 (X), and P (i+1) (X).)
  
x1 −x0 1 x0
To achieve the third equality above, we note that the matrices   and   are inverses; there,
−1 1 1 x1


we use the guarantee x1 − x0 = 1, a basic consequence of Definition 3.1 (or rather of ker q (i) = {0, 1}).
 ℓ−1  2ℓ −1
Applying Corollary 3.4, we note finally that Wc (0) and X
(0)
themselves equal precisely the
k j
k=0 j=0
standard subspace vanishing and novel basis polynomials, respectively. It follows that in the base case
i = 0 of Lemma 3.13—and again assuming honest behavior by the prover—we have that f (0) will equal the
(0)
evaluation over S (0) of P (0) (X) := P (X) = v∈Bℓ t(v) · X{v} (X). Applying Lemma 3.13 repeatedly, we
P

conclude by induction that f (ℓ) will equal the evaluation over S (ℓ) of the constant polynomial v∈Bℓ t(v) ·
P
fq(r0′ , . . . , rℓ−1
e ′
, v0 , . . . , vℓ−1 ) = t(r0′ , . . . , rℓ−1
′
), so that c = t(r0′ , . . . , rℓ−1
′
) will hold, as desired.
The completeness of the verifier’s query phase is self-evident (and is just as in [BBHR18, § 4.1.1]); we
note that V applies to each oracle f (i) the same folding procedure that P does. This completes the proof of
completeness.

Remark 3.14. Using the techniques of Subsection 3.1 and of Theorem 3.12 above, we are able to suggest a
new explanation of the additive NTT algorithm of Lin, Chung and Han [LCH14, § III.], and of its correctness;
we note also our Algorithm 2 above. (We refer finally to Li, et al. [Li+18, Alg. 2] for a further perspective.) We
P2ℓ−i −1 (i)
fix an index i ∈ {0, . . . , ℓ−1} and a polynomial P (i) (X) := j=0 aj ·Xj (X), expressed with respect to the
ith -order novel basis. The key idea is that the values of P (i) (X) on the domain S (i) can be derived—using only

(i+1) (i+1)
Θ 2ℓ+R−i K-operations—given the values of P (i) (X)’s even and odd refinements P0 (X) and P1 (X)
(as in the proof of Lemma 3.13) over the domain S (i+1) . This is a direct consequence of the identity (2) above.
−1
Indeed, applying that identity, we see that, for y ∈ S (i+1) arbitrary, with fiber (x0 , x1 ) := q (i) ({y}), say, we
(i+1) (i+1) (i+1) (i+1)
have the equalities P (i) (x0 ) := P0 (y) + x0 · P1 (y) and P (i) (x1 ) := P0 (y) + x1 · P1 (y). Since x0
(i) (i)
and x1 in fact differ by exactly 1, we see that P (x1 ) can be computed from P (x0 ) using a single further
K-addition. We recover the key butterfly diagram of [LCH14, Fig. 1. (a)] (see also Algorithm 2 above) upon
carrying out this procedure recursively, with the convention whereby we flatten (using the space’s canonical
basis) and interleave the two copies of S (i+1) at each instance. The base case of the recursion consists of
the 2ℓ -fold interleaving of the domain S (ℓ) , into which P (0) ’s coefficients are tiled 2R times. The final stage
of the butterfly diagram yields the desired evaluation of P (0) (X) on S (0) . Algorithm 2’s twiddle factors in
its ith stage, then, are nothing other than the respective first lifts x0 of y, as the image y = q (i) (x0 ) varies
Pℓ+R−i−2
throughout S (i+1) . These latter elements x0 , in turn, take precisely the form k=0 uk · W
ci (βi+1+k ), for
u ∈ Bℓ+R−i−1 = S ∼ (i+1) th
arbitrary; indeed, we suppress throughout the 0 canonical basis element W ci (βi ) = 1
(i)
of S , since that element is subsumed into each butterfly. We find it interesting that the same polynomial
identity underlies both the correctness of [LCH14, § III.] and our above analysis of FRI’s folding.

18
Remark 3.15. Though it seems inessential to the proof of Theorem 3.12, it is interesting to note that, for
 2ℓ−i −1
(i)
each i ∈ {0, . . . , ℓ − 1}, the ith -order basis Xj is itself a novel polynomial basis in its own right,
 j=0 
namely that attached to the set of vectors W ci (βℓ−1 ) . Equivalently, the ith -order subspace
ci (βi ), . . . , W
 ℓ−i−1
vanishing polynomials W c (i) are simply the subspace vanishing polynomials attached to this latter
k
k=0 D E  
set of vectors. Indeed, for each k ∈ {0, . . . , ℓ − i − 1}, W ci (βi+k−1 ) ⊂ ker W
ci (βi ), . . . , W c (i) certainly
k

holds, since Wc (i) ◦ W ci = q (i+k−1) ◦ · · · ◦ q (i) ◦ W

ci = Wci+k , which annihilates ⟨β0 , . . . , βi+k−1 ⟩ (here, we use
k
(i) c (i) = q (i+k−1) ◦ · · · ◦ q (i) ’s kernel can be of
the definition of Wk and Lemma 3.2). On the other hand, W
c
k
dimension at most k (say by degree considerations), while the vectors W ci (βi ), . . . , W
ci (βi+k−1 ) are linearly
independent (a consequence of Corollary 3.5). We conclude that the above containment is an equality.
 ℓ−i−1
Finally, the subspace polynomials W c (i) are normalized. Indeed, using Lemma 3.2 again, we see that,
k
 k=0   
(i) ci (βi+k ) = q (i+k−1) ◦ · · · ◦ q (i) ◦ W
for each k ∈ {0, . . . , ℓ − i − 1}, W
c
k W ci (βi+k ) = W ci+k (βi+k ) = 1 holds.

We now prove the security of Construction 3.11. Our key technical results below (see Propositions 3.20
and 3.23), essentially, jointly constitute a variant of FRI’s soundness statement [BBHR18, § 4.2.2]. Our
proofs of these results incorporate—albeit in an attenuated way—various ideas present in [BBHR18, § 4.2.2]
and [Ben+23, § 8.2]. We also introduce a number of new ideas, which, by and large, pertain to our new
folding technique (see Subsection 3.2).
We note that our protocol seems not to admit a security proof which invokes that of FRI in a strictly
blackbox manner. Rather, our security argument—and, it would seem, any conceivable analysis of Construc-
tion 3.11—must inevitably concern itself not merely with the distance from the code of A’s initial committed
word, but moreover with the consistency of its oracles, and in particular with whether its final oracle value
c relates as it should to its initial oracle. Our key FRI-theoretic compliance condition appears as Definition
3.17 below.
Theorem 3.16. The IOPCS Π = (Setup, Commit, P, V) of Construction 3.11 is secure (see Definition 2.8).
Proof. We define a straight-line emulator E as follows.
1. By inspecting A’s messages to the vector oracle, E immediately recovers the function f : S (0) → L
underlying the handle [f ] output by A.
2. E runs the Berlekamp–Welch decoder (i.e., Algorithm 1) on the word f : S (0) → L. If that algorithm
outputs PP (X) = ⊥ or if deg(P (X)) ≥ 2ℓ , then E sets t(X0 , . . . , Xℓ−1 ) := 0. Otherwise, E expresses
P (X) = v∈Bℓ t(v) · X{v} (X) in coordinates with respect to the novel polynomial basis. E writes
t(X0 , . . . , Xℓ−1 ) ∈ L[X0 , . . . , Xℓ−1 ]⪯1 for the multilinear whose Lagrange coordinates are (t(v))v∈Bℓ .
3. E outputs t(X0 , . . . , Xℓ−1 ) and terminates.
We now argue that E fulfills the requirements of Definition 2.8 with respect to the protocol Π. We write
(r0 , . . . , rℓ−1 ) ∈ Lℓ for the evaluation point output by Q and s ∈ L for A’s response. We must show
that, conditioned on s ̸= t(r0 , . . . , rℓ−1 ), the probability that V accepts is negligible. We thus assume that
s ̸= t(r0 , . . . , rℓ−1 ).
As in Construction 3.11, we write P h(X0 , . . . , Xℓ−1 ) := t(X0 , . . . , Xℓ−1 ) · e fq(r0 , . . . , rℓ−1 , X0 , . . . , Xℓ−1 ).
Since, as before, t(r 0 , . . . , r ℓ−1 ) = v∈Bℓ h(v), our assumption s ̸
= t(r 0 , . . . , r ℓ−1 ) amounts to the condition
s ̸= v∈Bℓ h(v). The soundness analysis of the sumcheck (we refer to Thaler [Tha22, § 4.1]) states that,
P
?
under this very assumption, the probability that the verifier accepts its checks si = hi (0) + hi (1) and
sℓ = h(r0′ , . . . , rℓ−1
′ 2·ℓ
) holds is at most |L| over V’s choice of its folding challenges (r0′ , . . . , rℓ−1′
). We thus
assume that sℓ ̸= h(r0′ , . . . , rℓ−κ−1
′
) = t(r0′ , . . . , rℓ−1
′
fq(r0 , . . . , rℓ−1 , r0′ , . . . , rℓ−1
)·e ′
).
?
This inequality implies that V will reject its check sℓ = c · e fq(r0 , . . . , rℓ−1 , r0′ , . . . , rℓ−1
′
) so long as c =
′ ′ ′ ′
t(r0 , . . . , rℓ−1 ) holds. To prove the theorem, it thus suffices to argue that either c = t(r0 , . . . , rℓ−1 ) will hold
or V will accept its FRI-querying phase with negligible probability. To achieve this, we turn to FRI.

19
 We begin by defining various notions, adapting [BBHR18, § 4.2.1]. For each i ∈ {0, ϑ, . . . , ℓ} (i.e.,
ℓ+R−i
ascending in ϑ-sized steps), we write C (i) ⊂ L2 for the Reed–Solomon code RSL,S (i) [2ℓ+R−i , 2ℓ−i ]. We
recall that C (i) is of distance di := 2ℓ+R−i −2ℓ−i +1. We write f (0) , f (ϑ) , . . . , f (ℓ−ϑ) for the oracles committed
by A; we moreover write f (ℓ) : S (ℓ) → L for the identically-c
function (here, c ∈ L is A’s final FRI message).
For each i ∈ {0, ϑ, . . . , ℓ − ϑ}, we write ∆ f (i+ϑ) , g (i+ϑ) ⊂ S (i+ϑ) for the disagreement set between the
ℓ+R−i−ϑ

elements f (i+ϑ) and g (i+ϑ) of L2 ; that is, ∆ f (i+ϑ) , g (i+ϑ) is the set of elements y ∈ S (i+ϑ) for which


f (i+ϑ) (y) ̸= g (i+ϑ) (y). We moreover write ∆(i) f (i) , g (i) ⊂ S (i+ϑ) for the fiber-wise disagreement set of the
ℓ+R−i

elements f (i) and g (i) of L2 . That is, ∆(i) f (i) , g (i) ⊂ S (i+ϑ) denotes the set of elements y ∈ S (i+ϑ)

−1
for which the respective restrictions of f (i) and g (i) to the fiber q (i+ϑ−1) ◦ · · · ◦ q (i) ({y}) ⊂ S (i) are not




identically equal. We define d(i) f (i) , C (i) := ming(i) ∈C (i) ∆(i) f (i) , g (i) . We note that, if d(i) f (i) , C (i) <
di+ϑ
d f (i) , Ck(i) < d2i a fortiori holds. (Each offending fiber contributes at most 2ϑ errors; on the other


2 , then j
hand, 2ϑ · di+ϑ2 −1 ≤ di2−1 .) In any case, in case the oracle f (i) : S (i) → L is such that d f (i) , L(i) < d2i
 

happens to hold, we write f (i) ∈ L(i) for the unique codeword for which d f (i) , f (i) < d2i .

We record the following key compliance condition:

Definition 3.17. For each index i ∈ {0, ϑ, . . . , ℓ − ϑ}, we say that A’s ith oracle f (i) is compliant if the
conditions d(i) f (i) , C (i) < d2i , d f (i+ϑ) , C (i+ϑ) < di+ϑ = fold f (i) , ri′ , . . . , ri+ϑ−1
′


(i+ϑ)


2 , and f all hold.
We first argue that if A submits oracles which are all compliant, then c = t(r0′ , . . . , rℓ−1 ′
) will hold,
so that V will reject (as the above argument shows). Indeed, under this assumption, we note first that
d f (0) , C (0) < d20 will hold. We see that Algorithm 1 will terminate successfully in step 2 above; we write

t(X0 , . . . , Xℓ−1 ) ∈ L[X0 , . . . , Xℓ−1 ]⪯1 for the polynomial output by E in that step. We now apply
PDefinition
3.17 repeatedly. In the base case i = 0, we note that f (0) will be the encoding of P (0) (X) = v∈Bℓ t(v) ·
(0)
X{v} (X), precisely by E’s construction of (t(v))v∈Bℓ . On the other hand, for each i ∈ {0, ϑ, . . . , ℓ − ϑ},
ℓ−i
writing P (i) (X) ∈ L[X]
≺2 for the polynomial for which Enc(P (i) ) = f (i) holds, our assumption f (i+ϑ) =
(i) ′ ′
fold f , ri , . . . , ri+ϑ−1 implies that f (i+ϑ) will be exactly the encoding of that polynomial P (i+ϑ) (X) ∈
ℓ−i−ϑ
L[X]≺2 which results from repeatedly applying to P (i) (X) the conclusion of Lemma 3.13 (with the
folding challenges ri′ , . . . , ri+ϑ−1′
). Carrying out the induction, we see that f (ℓ) will itself be identically equal
fq r0 , . . . , rℓ−1 , v0 , . . . , vℓ−1 = t(r0′ , . . . , rℓ−1
′ ′ ′
), so that c = t(r0′ , . . . , rℓ−1 ′
P

to v∈Bℓ t(v) · e ) will hold. We have
just seen above that, in precisely this setting, V will reject.
It thus suffices to argue that if any among A’s oracles i ∈ {0, ϑ, . . . , ℓ − ϑ} is not compliant, then V will
again reject (except perhaps with negligible probability). This is exactly Proposition 3.23 below. In order to
prepare for that proposition, we record a sequence of lemmas. We begin with the following elementary fact.
Lemma 3.18. For each i ∈ {0, ϑ, . . . , ℓ − ϑ}, if d f (i) , C (i) < d2i , then, for each tuple of folding challenges

(ri′ , . . . , ri+ϑ−1
′
) ∈ Lϑ , we have that ∆ fold f (i) , ri′ , . . . , ri+ϑ−1 ′
, fold f (i) , ri′ , . . . , ri+ϑ−1
′





⊂ ∆(i) f (i) , f (i) .


Proof. We proceed by contraposition; we fix an element y ̸∈ ∆(i) f (i) , f (i) . By definition of that latter set,
we conclude immediately that the restrictions f (i) (q(i+ϑ−1) ◦···◦q(i) )−1 ({y}) = f (i) (q(i+ϑ−1) ◦···◦q(i) )−1 ({y}) are
identically equal. Applying Definition
3.8, we see under this guarantee that, regardless of the challenges
(ri′ , . . . , ri+ϑ−1
′
), fold f (i) , ri′ , . . . , ri+ϑ−1
′
(y) = fold f (i) , ri′ , . . . , ri+ϑ−1
′


(y) necessarily also holds.
We now define a sequence of bad folding events. Our definition of Ei is case-based, and depends on the
status of f (i) . If f (i) is within the (fiber-wise) unique decoding radius, then Ei captures the event whereby the
generic inclusion of Lemma 3.18 becomes strict. Otherwise, Ei captures the “bad batching” event whereby
fold(f (i) , ri′ , . . . , ri+ϑ−1
′
) becomes close to C (i+ϑ) .
Definition 3.19. For each i ∈ {0, ϑ, . . . , ℓ − ϑ}, we define the bad subset Ei ⊂ Lϑ as the set of tuples
(ri′ , . . . , ri+ϑ−1
′
) ∈ Lϑ for which, as the case may be:
d
: ∆(i) f (i) , f (i) ̸⊂ ∆ fold f (i) , ri′ , . . . , ri+ϑ−1
′
, fold f (i) , ri′ , . . . , ri+ϑ−1
′






in case d(i) f (i) , C (i) < i+ϑ 2
.
d
(i+ϑ)
di+ϑ
: d fold f (i) , ri′ , . . . , ri+ϑ−1
′


in case d(i) f (i) , C (i) ≥ i+ϑ 2
,C < 2 .

20
 |Ei |
We now bound the bad subsets Ei of Definition 3.19. We recall that µ(Ei ) := |L|ϑ
denotes the probability
mass of the set Ei ⊂ Lϑ .
|S (i+ϑ) |
Proposition 3.20. For each i ∈ {0, ϑ, . . . , ℓ − ϑ}, µ(Ei ) ≤ ϑ · |L| holds.

Proof. We treat separately the two cases of Definition 3.19.

We begin with the first case. We fix an element y ∈ ∆(i) f (i) , f (i) , we moreover write Eiy ⊂ Lϑ for


′
the set of tuples (ri′ , . . . , ri+ϑ−1 ′
) ∈ Lϑ for which y ̸∈ ∆ fold f (i) , ri′ , . . . , ri+ϑ−1 ′
, fold f (i) , ri′ , . . . , ri+ϑ−1




.
We argue that µ(Eiy ) ≤ |L| ϑ
. This latter claim suffices to complete the proof of the first case; indeed, since
Ei = y∈∆(i) (f (i) ,f (i) ) Eiy , assuming the claim, we conclude that µ(Ei ) ≤ ∆(i) f (i) , f (i) · |L|

ϑ ϑ
≤ |S (i+ϑ) | · |L|
S
.
(i) (i) (i)

(i) (i)
For y ∈ ∆ f , f chosen as above, we apply Lemma 3.9 to the words f and f . Applying that
lemma, we see that (ri′ , . . . , ri+ϑ−1′
) ∈ Eiy holds if and only if we have the following matrix identity:
   
f (i) (x0 ) − f (i) (x0 )
..
h i    
Nϑ−1
0= − ′ ′ · · , (3)
   
j=0 (1 ri+j , ri+j )

My
  . 
f (i) (x2ϑ −1 ) − f (i) (x2ϑ −1 )

−1

where we again write (x0 , . . . , x2ϑ −1 ) := q (i+ϑ−1) ◦ · · · ◦ q (i) ({y}). Our hypothesis y ∈ ∆(i) f (i) , f (i)
entails precisely that the right-hand vector of (3) is not identically zero. By Lemma 3.9, My is non-
singular; we conclude that the image of the right-hand vector of (3) under My is likewise not identi-
cally zero. Writing (a0 , . . . , a2ϑ −1 ) for this latter vector—which, we repeat, is not zero—we conclude
y ϑ ϑ
P Ei ⊂ L is precisely the vanishing locus in L of the ϑ-variate polynomial s(X0 , . . . , Xϑ−1
that
ϑ
) :=
v∈Bϑ a {v} · e
f q(X0 , . . . , X ϑ−1 , v0 , . . . , v ϑ−1 ) over L. Since s(X0 , . . . , X ϑ−1 )’s values on the cube {0, 1} ⊂ Lϑ
are exactly (a0 , . . . , a2ϑ −1 ), s(X0 , . . . , Xϑ−1 ) is certainly not zero. Applying the Schwartz–Zippel lemma to
s(X0 , . . . , Xϑ−1 ), we conclude that the relevant locus Eiy ⊂ Lϑ is of mass at most µ(Eiy ) ≤ |L| ϑ
, as required.
≥ di+ϑ
(i) (i) (i)


We turn to the second case of Definition 3.19; in particular, we assume that d f , C 2 . We
 2ϑ −1
(i+ϑ)
define an interleaved word fj —i.e., a 2ϑ × 2ℓ+R−i−ϑ matrix, with entries in L—in the following
j=0
way. For each y ∈ S (i+ϑ) , writing My for the matrix guaranteed to exist by Lemma 3.9, we define the
column:      
(i+ϑ)
f0 (y) f (i) (x0 )
.. ..
     
 :=  · . (4)
     
 . My .
     
(i+ϑ)
f2ϑ −1 (y) f (i) (x2ϑ −1 )
 2ϑ −1
(i+ϑ)
We note that the resulting 2ϑ × 2ℓ+R−i−ϑ matrix fj —i.e., that whose columns are given by the
j=0
respective left-hand sides of (4), for y ∈ S (i+ϑ) —satisfies, for each (ri′ , . . . , ri+ϑ−1
′
) ∈ Lϑ ,
 
(i+ϑ)
f0
..
  h i  
fold f (i) , ri′ , . . . , ri+ϑ−1
′ Ni+ϑ−1
= (1 − rj′ , rj′ ) · . (5)
 
j=i  . 
(i+ϑ)
f2ϑ −1

Indeed, this is essentially the content of Lemma 3.9, which we apply here jointly to all elements y ∈ S (i+ϑ) .
 2ϑ −1
(i+ϑ)
We claim that the interleaved word fj constructed in this way is far from the interleaved code
j=0
ϑ
(i+ϑ) 2
C .
ϑ
 2ϑ −1 2ϑ


di+ϑ (i+ϑ) di+ϑ
Lemma 3.21. Under our hypothesis d(i) f (i) , C (i) ≥ 2 , we have d2 fj , C (i+ϑ) ≥ 2 .
j=0

21
  2ϑ −1 2ϑ
(i+ϑ)
Proof. We fix an arbitrary interleaved codeword gj ∈ C (i+ϑ) . We define a “lift” g (i) ∈ C (i)
j=0
 2ϑ −1 P2ℓ−i−ϑ −1
(i+ϑ) (i+ϑ)
of gj in the following way. Writing, for each j ∈ {0, . . . , 2ϑ − 1}, Pj (X) := k=0 aj,k ·
j=0
(i+ϑ)
Xk (X) for the polynomial—expressed in coordinates with respect to the i + ϑth -order novel polynomial
(i+ϑ) (i+ϑ)
basis—for which gj = Enc(Pj ) holds, we define
ϑ
2X −1 2ℓ−i−ϑ
X−1
(i) (i)
P (X) := aj,k · Xk·2ϑ +j ;
j=0 k=0

that is, P (i) ’s list of ith -order coefficients is precisely the 2ϑ -fold interleaving of the polynomials
(i+ϑ) (i+ϑ)
P0 (X), . . . , P2ϑ −1 (X)’s respective lists of i + ϑth -order coefficients. Finally, we define g (i) := Enc(P (i) ).
 2ϑ −1
(i+ϑ)
We argue that the codeword g (i) ∈ C (i) constructed in this way stands in relation to gj just
j=0
 2ϑ −1
(i+ϑ)
as f (i) does to fj (i.e., it also satisfies a matrix identity analogous to (4) for each y ∈ S (i+ϑ) ). To
j=0
prove this, we fix an arbitrary element y ∈ S (i+ϑ) ; we moreover fix a row-index j ∈ {0, . . . , 2ϑ − 1}. We write
Pϑ−1 (i+ϑ)
(j0 , . . . , jϑ−1 ) for the bits of j (i.e., so that j = k=0 2k ·jk holds). We first note that the functions gj and
(i)

(i+ϑ)
fold g , j0 , . . . , jϑ−1 agree identically over the domain S . Indeed, this is a direct consequence of Lemma
(i+ϑ)
3.13 and of the construction of g (i) (gj (y)’s underlying polynomial’s coefficients are the j th refinement
of g (i) ’s underlying polynomial’s). On the other hand, applying Lemma 3.9 to y ∈ S (i+ϑ) and g (i) , with the

folding tuple (j0 , . . . , jϑ−1 ), we see that the dot product between My ’s j th row and g (i) (x0 ), . . . , g (i) (x2ϑ −1 )

(i+ϑ)
is exactly fold g (i) , j0 , . . . , jϑ−1 (y) = gj (y), where the latter equality was just argued.
Since g (i) ∈ C (i) is a codeword, our hypothesis d(i) f (i) , C (i) ≥ di+ϑ


2 applies to it. That hypothesis
di+ϑ (i+ϑ)
entails precisely that, for at least 2 elements y ∈ S , the restrictions f (i) (q(i+ϑ−1) ◦···◦q(i) )−1 ({y}) and
g (i) (q(i+ϑ−1) ◦···◦q(i) )−1 ({y}) are not identically equal. For each such y ∈ S (i+ϑ) , since My is nonsingular (and
 2ϑ −1  2ϑ −1
(i+ϑ) (i+ϑ)
since both f (i) and g (i) satisfy (4)), we conclude that the columns fj (y) and gj (y) are in
j=0 j=0
ϑ
2 −1  ϑ
2 −1 
2ϑ
 ϑ

(i+ϑ) (i+ϑ)
turn unequal. Since gj was arbitrary, we conclude that d2 fj , C (i+ϑ) ≥ di+ϑ
2 .
j=0 j=0

Applying Lemma 3.21, we conclude directly that the contraposition j of Theorem

k 2.3 is fulfilled with
, the proximity parameter e := di+ϑ2 −1 , and the interleaved word
ℓ+R−i−ϑ
respect to the code C (i+ϑ) ⊂ L2
 2ϑ −1
(i+ϑ)
fj . That theorem’s contraposition immediately implies that the set Ei ⊂ Lϑ consisting of those
j=0
tuples (ri′ , . . . , ri+ϑ−1
′
) ∈ Lϑ for which d fold f (i) , ri′ , . . . , ri+ϑ−1
′
< di+ϑ

(i+ϑ)

,C 2 holds—and here, we use
2 ℓ+R−i−ϑ |S (i+ϑ)
|
(5)—is of mass at most µ(Ei ) ≤ ϑ · |L| = ϑ · |L| , as required.

2ℓ+R
Proposition 3.22. The probability that any among the bad events E0 , Eϑ , . . . , Eℓ−ϑ occurs is at most |L| .

Proof. Applying Proposition 3.20, we upper-bound the quantity of interest as:

ϑ ϑ ϑ 2ϑ 2ℓ+R
· 2ℓ+R−ϑ + · · · + 2R ≤ · 2ℓ+R−ϑ ≤


· (|Sϑ | + · · · + |Sℓ |) = · ϑ ,
|L| |L| |L| 2 − 1 |L|

which completes the proof. In the last two steps, we use the geometric series formula and the inequality
ϑ
2ϑ −1
≤ 1 (which holds for each ϑ ≥ 1), respectively.
In light of Proposition 3.22, we freely assume that none of the events E0 , Eϑ , . . . , Eℓ−ϑ occurs. Under
this assumption, we finally turn to the following key proposition.

22
Proposition 3.23. If any of A’s oracles is not compliant, then V accepts with at most negligible probability.
Proof. We suppose that at least one of A’s oracles is not compliant; we write i∗ ∈ {0, ϑ, . . . , ℓ − ϑ} for A’s
highest-indexed noncompliant oracle.
∗ ∗
d∗
Lemma 3.24. For i∗ ∈ {0, ϑ, . . . , ℓ − ϑ} as above, we have d fold f (i ) , ri′∗ , . . . , ri′∗ +ϑ−1 , f (i +ϑ) ≥ i 2+ϑ .

∗ ∗ ∗
d∗ ∗ ∗
Proof. Assuming first that d(i ) f (i ) , C (i ) < i 2+ϑ , we write f (i ) ∈ C (i ) for the codeword for which
∗ ∗ ∗
d∗ ∗ ∗
∆(i ) f (i ) , f (i ) < i 2+ϑ . We note that d f (i ) , f (i ) < d2i∗ a fortiori holds; by Definition 3.17 and our


∗ ∗
choice of i , we thus must have in turn f (i +ϑ) ̸= fold f (i ) , ri′∗ , . . . , ri′∗ +ϑ−1 . On the other hand, by Lemma
∗


∗ ∗ ∗
d∗ ∗ ∗
3.18, ∆(i ) f (i ) , f (i ) < i 2+ϑ implies that d fold f (i ) , ri′∗ , . . . , ri′∗ +ϑ−1 , fold f (i ) , ri′∗ , . . . , ri′∗ +ϑ−1 <




di∗ +ϑ (i∗ ) ′ ∗
, ri∗ , . . . , ri′∗ +ϑ−1 , f (i +ϑ) is at least:



2 . Finally, by the reverse triangle inequality, d fold f
 ∗  ∗    ∗   ∗ 
d f (i +ϑ) , fold f (i ) , ri′∗ , . . . , ri′∗ +ϑ−1 − d fold f (i ) , ri′∗ , . . . , ri′∗ +ϑ−1 , fold f (i ) , ri′∗ , . . . , ri′∗ +ϑ−1 .
∗ ∗ ∗
Since f (i +ϑ) and fold f (i ) , ri′∗ , . . . , ri′∗ +ϑ−1 are unequal codewords in C (i +ϑ) , this quantity in turn is


d∗ d∗
greater than di∗ +ϑ − i 2+ϑ ≥ i 2+ϑ , and the proof of the first case is complete.
∗ ∗ ∗
d∗
In the case d(i ) f (i ) , C (i ) ≥ i 2+ϑ , our assumption whereby Ei∗ didn’t occur implies, by def-
∗ ∗ d∗ ∗ ∗
inition, that d fold f (i ) , ri′∗ , . . . , ri′∗ +ϑ−1 , C (i +ϑ) ≥ i 2+ϑ . Since f (i +ϑ) ∈ C (i +ϑ) is a codeword,



∗ ∗ d∗
d fold f (i ) , ri′∗ , . . . , ri′∗ +ϑ−1 , f (i +ϑ) ≥ i 2+ϑ in particular holds, and the proof is again complete.

∗
(i∗ +ϑ)

Lemma 3.25. Whenever its suffix (vi∗ +ϑ , . . . , vℓ+R−1 ) ∈ ∆ fold f (i ) , ri′∗ , . . . , ri+ϑ−1
′
,f , V rejects.
Proof. We fix an iteration of the query phase’s outer loop for which the lemma’s hypothesis holds. We fix
an arbitrary index i ∈ {i∗ , i∗ + ϑ, . . . , ℓ − ϑ}. If V rejects before finishing the inner loop 3’s ith iteration, then
there’s nothing to prove. We argue that, conditioned on V reaching the end of its ith iteration, we have the
inductive conclusion ci+ϑ ̸= f (i+ϑ) (vi+ϑ , . . . , vℓ+R−1 ) as of the end of that
iteration.
∗
In the base case i = i∗ , V assigns ci∗ +ϑ := fold f (i ) , ri′∗ , . . . , ri′∗ +ϑ−1 (vi∗ +ϑ , . . . , vℓ+R−1 ) inline on line 6.
∗
On the other hand, the hypothesis of the lemma is precisely fold f (i ) , ri′∗ , . . . , ri+ϑ−1 ′


(vi∗ +ϑ , . . . , vℓ+R−1 ) ̸=
(i∗ +ϑ) (i ∗
+ϑ)
f (vi∗ +ϑ , . . . , vℓ+R−1 ); we conclude immediately that ci∗ +ϑ ̸= f (vi∗ +ϑ , . . . , vℓ+R−1 ) will hold as of
the end of the i∗th iteration, as desired.
We fix an index i ∈ {i∗ +ϑ, . . . , ℓ−ϑ}. As of the beginning of the ith iteration, by induction, we have the hy-
pothesis ci ̸= f (i) (vi , . . . , vℓ+R−1 ). If f (i) (vi , . . . , vℓ+R−1 ) = f (i) (vi , . . . , vℓ+R−1 ) moreover holds, then we see
immediately that V will reject on line 5; indeed, in this case ci ̸= f (i) (vi , . . . , vℓ+R−1 ) = f (i) (vi , . . . , vℓ+R−1 )
will hold. We conclude that, conditioned on V reaching the end of its ith iteration, we necessarily
have
f (i) (vi , . . . , vℓ+R−1 ) ̸= f (i) (vi , . . . , vℓ+R−1 ), or in other words (vi , . . . , vℓ+R−1 ) ∈ ∆ f (i) , f (i) . This guar-


antee implies a fortiori that (vi+ϑ , . . . , vℓ+R−1 ) ∈ ∆(i) f (i) , f (i) , by definition of this latter set. Us-
ing our assumption whereby the event Ei didn’t

occur, we conclude in turn that (vi+ϑ , .
. . , vℓ−1 ) ∈
∆ fold f (i) , ri′ , . . . , ri+ϑ−1
′
, fold f (i) , ri′ , . . . , ri+ϑ−1
′
. Since f (i+ϑ) = fold f (i) , ri′ , . . . , ri+ϑ−1 ′


(a conse-
∗ (i) ′ ′

(i+ϑ)


quence of the maximality of i ), this latter set itself equals ∆ fold f , ri , . . . , ri+ϑ−1 , f . We conclude
(i) ′ ′

(i+ϑ)
that fold f , ri , . . . , ri+ϑ−1 (vi+ϑ , . . . , vℓ+R−1 ) ̸= f (vi+ϑ , . . . , vℓ+R−1 ), so that, after its assignment on
line 6, V will obtain ci+ϑ ̸= f (i+ϑ) (vi+ϑ , . . . , vℓ+R−1 ), thereby preserving the inductive hypothesis.
Carrying through the induction, we see finally that either V will abort before finishing its inner loop 3
or else it will have cℓ ̸= f (ℓ) (vℓ , . . . , vℓ+R−1 ) as of its final check 7. Since c = f (ℓ) (vℓ , . . . , vℓ+R−1 ) holds
?
identically for each v ∈ BR (by definition of this latter oracle), we see that V will reject its check cℓ = c.
We return to the proposition. Lemma 3.24 guarantees (i.e., assuming Ei∗ doesn’t occur) that ci∗ +ϑ ∈
∗ ∗ d∗
∆ fold f (i ) , ri′∗ , . . . , ri′∗ +ϑ−1 , f (i +ϑ) will hold with probability at least |S (i∗1+ϑ) | · i 2+ϑ ≥ 12 − 2·21R in each

of the verifier’s query iterations. By Lemma 3.25, the verifier will reject in each such iteration (i.e., assuming
γ
none of the events Ei∗ +ϑ , . . . , Eℓ−ϑ occurs). We see that V will accept with probability at most 12 + 2·21R ,
which is negligible (we recall that R is a positive constant). This completes the proof of the proposition.
Our proof of Proposition 3.23 completes the proof of the theorem.

23
 We postpone our analysis of Construction 3.11’s efficiency to Section 6, in which we present our unified
small-field scheme. For now, we note that Construction 3.11’s commitment phase entails a Reed–Solomon
encoding on the part of the prover; using the additive NTT (see Algorithm 2 above), the prover can compute
this encoding in Θ(ℓ · 2ℓ ) time. Construction 3.11’s evaluation phase entails, for both parties, an execution
of ℓ-variate FRI and of an ℓ-variate sumcheck, both over L. In view of standard algorithms (we refer to
[BBHR18, § 4.4] Thaler [Tha22, Lem. 4.5]), these tasks amount collectively to Θ(2ℓ ) L-operations for the
prover and Θ(ℓ) L-operations for the verifier. The BCS-compiled [BCS16] variant of the protocol imposes
rather Θ(λ · log2 (ℓ)) work on the verifier.

4 Ring-Switching
In this section, we introduce a generic small-field-to-large-field compiler, suitable for any finite field K and
any extension L / K of power-of-two degree (not necessarily of characteristic 2). Our reduction technique
serves to “bootstrap” any standard interactive oracle polynomial commitment scheme over L (in the sense
of Definition 2.7) into a small-field scheme over K (in the sense of Definition 2.9).
It would certainly be possible, on input a small-field polynomial t(X0 , . . . , Xℓ−1 ) ∈ K[X0 , . . . , Xℓ−1 ]⪯1 ,
simply to embed t(X0 , . . . , Xℓ−1 ) along K ⊂ L and to use a large-field IOPCS generically on the result. This
strategy, however, would suffer from at least two defects. (We refer to [DP23] for a thorough discussion of
this matter, and merely summarize it here.) For one, it would be inefficient; it would treat each K-element
as an L-element, thereby blowing up by a factor of deg(L / K) the sizes of the witness data and of the
various other internal values at play. Further, it would yield an inadequate security guarantee. Indeed, it
would allow the emulator to extract an L-polynomial, as opposed to a K-polynomial; that is, it would fail
to guarantee to the verifier that the prover actually committed a polynomial defined over K.
Our approach, in contrast, reduces the problem of committing a K-polynomial to that of committing
an L-polynomial of identical size in bits (i.e., on fewer variables). Moreover, our K-polynomial evaluation
protocol adds to that of the underlying L-polynomial only a small, logarithmic overhead. We informally
summarize our approach. We write κ ≥ 0 for the integer for which 2κ = deg(L / K) holds, and write
ℓ′ := ℓ − κ. We take for granted the contents of Subsection 2.5 above. In particular, we recall the tensor
algebra A := L ⊗K L, as well as the two embeddings φ0 : L ,→ A and φ1 : L ,→ A. We finally fix a
polynomial t(X0 , . . . , Xℓ−1 ) ∈ K[X0 , . . . , Xℓ−1 ]⪯1 , and write t′ (X0 , . . . , Xℓ′ −1 ) ∈ L[X0 , . . . , Xℓ′ −1 ]⪯1 for its
packed polynomial in the sense of Definition 2.1. During our commitment phase, we stipulate simply that
the prover commit to the packed polynomial t′ (X0 , . . . , Xℓ′ −1 ) over L.
Our evaluation phase is based on two reductions. The first is that, in order to learn t(r0 , . . . , rℓ−1 ),
for some evaluation point (r0 , . . . , rℓ−1 ) ∈ Lℓ given, it suffices—up to a small, Θ(2κ )-time postprocess-
ing step on the part of the verifier—instead to learn φ1 (t′ )(φ0 (rκ ), . . . , φ0 (rℓ−1 )). Here, we again write
φ1 (t′ )(X0 , . . . , Xℓ′ −1 ) for the coefficientwise horizontal embedding of t′ (X0 , . . . , Xℓ′ −1 ) along φ1 : L ,→ A.
That is, we may chunk and horizontally embed t(X0 , . . . , Xℓ−1 )’s coordinates, and moreover vertically embed
all but κ of (r0 , . . . , rℓ−1 )’s components, and evaluate the resulting thing over A. By dotting the columns of
Nκ−1
the resulting A-element φ1 (t′ )(φ0 (rκ ), . . . , φ0 (rℓ−1 )) with i=0 (1−ri , ri ), V may learn its desired evaluation
t(r0 , . . . , rℓ−1 ). (We rigorously demonstrate the correctness of this reduction in Theorem 4.2 below.)
Our second reduction begins with the standard multilinear expansion
X
φ1 (t′ )(φ0 (rκ ), . . . , φ0 (rℓ−1 )) = φ1 (t′ )(v0 , . . . , vℓ′ −1 ) · e
fq(φ0 (rκ ), . . . , φ0 (rℓ−1 ), v0 , . . . , vℓ′ −1 ),
v∈Bℓ′

and observes that—up to an execution of a special sort of sumcheck, which we explain presently—the desired
evaluation of φ1 (t′ )(φ0 (rκ ), . . . , φ0 (rℓ−1 )) may in turn be reduced to that of φ1 (t′ )(φ1 (r0′ ), . . . , φ1 (rℓ′ ′ −1 )),
′
for random elements (r0′ , . . . , rℓ′ ′ −1 ) ∈ Lℓ sampled during the sumcheck. Indeed, our sumcheck is of the
polynomial ĥ(X0 , . . . , Xℓ′ −1 ) := φ1 (t′ )(X0 , . . . , Xℓ′ −1 ) · e
fq(φ0 (rκ ), . . . , φ0 (rℓ−1 ), X0 , . . . , Xℓ′ −1 )) over A. On
the other hand, we draw our sumcheck challenges from the subring φ1 (L) ⊂
A. The essential point is that
the final reduction target φ1 (t′ )(φ1 (r0′ ), . . . , φ1 (rℓ′ ′ −1 )) = φ1 t′ (r0′ , . . . , rℓ′ ′ −1 ) of this latter sumcheck “lives”
entirely in the subring φ1 (L) ⊂ A, which is itself isomorphic to L. To learn φ1 (t′ )(φ1 (r0′ ), . . . , φ1 (rℓ′ ′ −1 )),
the parties may thus make blackbox use of the large-field scheme over L.

24
 We observe further that the above-outlined sumcheck on the A-polynomial h(X0 , . . . , Xℓ′ −1 )—i.e., with
φ1 (L)-valued challenges—amounts to 2κ parallel sumchecks over L (each proceeding “row-wise”). In Con-
struction 4.1 below, we opt moreover to tensor-batch these latter sumchecks, using further random batching
constants (r0′′ , . . . , rκ−1
′′
) ← Lκ sampled by the verifier. Our sumcheck thus takes place entirely over L.

4.1 Ring-Switching Protocol

We now record our ring-switching reduction.

CONSTRUCTION 4.1 (Ring-Switching Compiler).

A large-field scheme Π′ = Setup′ , Commit′ , P ′ , V ′ is given. We define the small-field scheme Π =

(Setup, Commit, P, V) as follows.

• params ← Π.Setup(1λ , ℓ, K). On input 1λ , ℓ, and K, run and output Π′ .Setup′ (1λ , ℓ′ ), where ℓ′ is
such that the field L / K returned by that routine, of degree 2κ over K say, satisfies ℓ′ = ℓ − κ.
• [f ] ← Π.Commit(params, t). On input t(X0 , . . . , Xℓ−1 ) ∈ K[X0 , . . . , Xℓ−1 ]⪯1 , fix the packed poly-
nomial t′ (X0 , . . . , Xℓ′ −1 ) ∈ L[X0 , . . . , Xℓ′ −1 ]⪯1 as in Definition 2.1; output Π′ .Commit′ (params, t′ ).
We define (P, V) as the following IOP, in which both parties have the common input [f ], s ∈ L, and
(r0 , . . . , rℓ−1 ) ∈ Lℓ , and P has the further input t(X0 , . . . , Xℓ−1 ) ∈ K[X0 , . . . , Xℓ−1 ]⪯1 .

• P computes ŝ := φ1 (t′ )(φ0 (rκ ), . . . , φ0 (rℓ−1 )) and sends V the A-element ŝ.
?
• V decomposes ŝ =:
P P
v∈Bκ ŝv ⊗ βv . V requires s = v∈Bκ ŝv · e
fq(r0 , . . . , rκ−1 , v0 , . . . , vκ−1 ).
• V samples batching scalars (r0′′ , . . . , rκ−1
′′
) ← Lκ and sends them to P.
• P again writes t′ (X0 , . . . , Xℓ′ −1 ) ∈ L[X0 , . . . , Xℓ′ −1 ]⪯1 for t(X0 , . .P . , Xℓ−1 )’s packed polynomial.
For each w ∈ Bℓ′ , P
P decomposes e fq(rκ , . . . , rℓ−1 , w0 , . . . , wℓ′ −1 ) =: u∈Bκ Aw,u · βu . P defines the
function A : w 7→ u∈Bκ e fq(r0′′ , . . . , rκ−1
′′
, u0 , . . . , uκ−1 ) · Aw,u on Bℓ′ and writes A(X0 , . . . , Xℓ′ −1 )
for its multilinear extension. P defines h(X0 , . . . , Xℓ′ −1 ) := t′ (X0 , . . . , Xℓ′ −1 ) · A(X0 , . . . , Xℓ′ −1 ).
• V decomposes ŝ =: u∈Bκ βu ⊗ ŝu , and sets s0 := u∈Bκ ŝu · e fq(r0′′ , . . . , rκ−1
′′
P P
, u0 , . . . , uκ−1 ).
• P and V execute the following loop:
1: for i ∈ {0, . . . , ℓ′ − 1} do
P sends V the polynomial hi (X) := w∈Bℓ′ −i−1 h r0′ , . . . , ri−1
′
P

2: , X, w0 , . . . , wℓ′ −i−2 .
?
3: V requires si = hi (0) + hi (1). V samples ri′ ← L, sets si+1 := hi (ri′ ), and sends P ri′ .

• P computes s′ := t′ (r0′ , . . . , rℓ′ ′ −1 ) and sends V s′ .

• V sets e := e
fq φ0 (rκ ), . . . , φ0 (rℓ−1 ), φ1 (r0′ ), . . . , φ1 (rℓ′ ′ −1 ) and decomposes e =: u∈Bκ βu ⊗ eu .

P

?
• V requires sℓ′ = s′ · fq(r0′′ , . . . , rκ−1
′′
P
u∈Bκ eu · e , u0 , . . . , uκ−1 ).

• P and V engage in the evaluation protocol b′ ← ⟨P ′ ([f ], s′ , r′ ; t′ ), V ′ ([f ], s′ , r′ )⟩; V outputs b′ .

Theorem 4.2. If Π′ = Setup′ , Commit′ , P ′ , V ′ is complete, then Π = (Setup, Commit, P, V) also is.

Proof. We must prove three main things. First, we must show that, if P constructs ŝ ∈ A honestly, then V’s
? P
check s = v∈Bκ e fq(r0 , . . . , rκ−1 , v0 , . . . , vκ−1 ) · ŝv will pass.
P Further, we must show that V’s quantity s0 :=
′′ ′′
P
u∈Bκ e
f q(r0 , . . . , r κ−1 , u0 , . . . , u κ−1 ) · ŝu will satisfy s 0 = w∈Bℓ′ h(w), so that V will accept throughout its
sumcheck. Finally, we must show that V’s final check will pass; this
Platter task amounts to showing that e’s
row-representation e = u∈Bκ βu ⊗ eu satisfies A(r0′ , . . . , rℓ′ ′ −1 ) = u∈Bκ eu · e fq(r0′′ , . . . , rκ−1
′′
P
, u0 , . . . , uκ−1 ).
Interestingly, V must decompose ŝ both column-wise and row-wise during the course of its execution.

25
 We begin with the first fact above. If P operates as prescribed, then its initial message ŝ ∈ A will satisfy:
X
ŝ := φ1 (t′ )(φ0 (rκ ), . . . , φ0 (rℓ−1 )) = φ1 (t′ )(w) · e
fq(φ0 (rκ ), . . . , φ0 (rℓ−1 ), w0 , . . . , wℓ′ −1 ). (6)
w∈Bℓ′

By the definition of φ1 (t′ )(X0 , . . . , Xℓ′ −1 ), for each w ∈ Bℓ , we have the column decomposition φ1 (t′ )(w) =
P
′

v∈Bκ t(v0 , . . . , vκ−1 , w0 , . . . , wℓ −1 ) ⊗ βv . On the other hand, e fq(φ0 (rκ ), . . . , φ0 (rℓ−1 ), w0 , . . . , wℓ′ −1 ) =
′

φ0 (f
eq(rκ , . . . , rℓ−1 , w0 , . . . , wℓ′ −1 )). Using the column-multiplication rule, we obtain, for each summand
w ∈ Bℓ of the sum (6) above, the column decomposition φ0 (f
P
′ eq(rκ , . . . , rℓ−1 , w0 , . . . , wℓ′ −1 )) · φ1 (t′ )(w) =
eq(rκ , . . . , rℓ−1 , w0 , . . . , wℓ −1 ) · t(v0 , . . . , vκ−1 , w0 , . . . , wℓ′ −1 )) ⊗ βv . Inlining this expression into the
v∈Bκ (f
′

sum (6) above, we obtain:

X
ŝ = φ1 (t′ )(w) · e fq(φ0 (rκ ), . . . , φ0 (rℓ−1 ), w0 , . . . , wℓ′ −1 ) (by (6).)
w∈Bℓ′
!
X X
= eq(rκ , . . . , rℓ−1 , w0 , . . . , wℓ′ −1 ) · t(v0 , . . . , vκ−1 , w0 , . . . , wℓ′ −1 )) ⊗ βv
(f (column values.)
w∈Bℓ′ v∈Bκ
 
X X
=  fq(rκ , . . . , rℓ−1 , w0 , . . . , wℓ′ −1 ) · t(v0 , . . . , vκ−1 , w0 , . . . , wℓ′ −1 ) ⊗ βv
e (rearranging sums.)
v∈Bκ w∈Bℓ′
X
= t(v0 , . . . , vκ−1 , rκ , . . . , rℓ−1 ) ⊗ βv , (fundamental property of multilinears.)
v∈Bκ
P
so that, in particular, V’s column-decomposition ŝ = v∈Bκ ŝv ⊗ βv will satisfy, for each v ∈ Bκ , ŝv =
t(v0 , . . . , vκ−1 , rκ , . . . , rℓ−1 ). We conclude finally that V will check:
?
X
s= ŝv · e
fq(r0 , . . . , rκ−1 , v0 , . . . , vκ−1 ) (by definition of V’s check.)
v∈Bκ
X
= t(v0 , . . . , vκ−1 , rκ , . . . , rℓ−1 ) · e
fq(r0 , . . . , rκ−1 , v0 , . . . , vκ−1 ) (by the calculation just carried out.)
v∈Bκ

= t(r0 , . . . , rℓ−1 ), (fundamental property of multilinears.)

?
an equality which holds precisely P’s initial claim s = t(r0 , . . . , rℓ−1 ) is valid. We thus see that V will accept
? P
its check s = v∈Bκ ŝv · e
fq(r0 , . . . , rκ−1 , v0 , . . . , vκ−1 ).
We turn to the sumcheck. As a notational device, we define the A-valued polynomial:

ĥ(X0 , . . . , Xℓ′ −1 ) := φ1 (t′ )(X0 , . . . , Xℓ′ −1 ) · e

fq(φ0 (rκ ), . . . , φ0 (rℓ−1 ), X0 , . . . , Xℓ′ −1 )).

Informally, we must show that P’s polynomial h(X0 , . . . , Xℓ′ −1 ) above is a “row-combination” of
Nκ−1
ĥ(X0 , . . . , Xℓ′ −1 ) by the vector i=0 (1 − ri′′ , ri′′ ).
On the one hand, we note immediately that
X X
ĥ(w) = φ1 (t′ )(w) · e
fq(φ0 (rκ ), . . . , φ0 (rℓ−1 ), w0 , . . . , wℓ′ −1 ) = φ1 (t′ )(φ0 (rκ ), . . . , φ0 (rℓ−1 )) = ŝ,
w∈Bℓ′ w∈Bℓ′

where the last equality holds precisely when P constructs ŝ honestly.

On the other hand, for each w ∈ Bℓ′ :

ĥ(w) = φ1 (t′ )(w) · e

fq(φ0 (rκ ), . . . , φ0 (rℓ−1 ), w0 , . . . , wℓ′ −1 ) (by definition of ĥ.)
!
X
= (1 ⊗ t′ (w)) · βu ⊗ Aw,u (by the definitions of φ1 (t′ ) and of Aw,u .)
u∈Bκ
X
′
= βu ⊗ (t (w) · Aw,u ). (distributing and using the multiplicative structure of A.)
u∈Bκ

26
We explain in slightly further detail the second equality above. Indeed, we use first the fact—already noted
above—whereby e fq(φ0 (rκ ), . . . , φ0 (rℓ−1 ), w0 , . . . , wℓ′ −1 ) = φ0 (f eq(rκ , . . .P
, rℓ−1 , w0 , . . . , wℓ′ −1 )). On the other
hand, since the basis decomposition e fq(rκ , . . . , rℓ−1 , w0 , . . . , wℓ′ −1 ) = u∈Bκ Aw,u · βu holds by definition
of
P the elements Aw,u , the row representation of this quantity’s image under φ0 can be none other than
u∈Bκ βu ⊗ Aw,u , which is what appears above.
Combining the above two calculations, we conclude that, if P is honest, then
!  
X X X X X
ŝ = ĥ(w) = βu ⊗ (t′ (w) · Aw,u ) = βu ⊗  t′ (w) · Aw,u  (7)
w∈Bℓ′ w∈Bℓ′ u∈Bκ u∈Bκ w∈Bℓ′

will hold, so that V’s row decomposition ŝ = u∈Bκ βu ⊗ ŝu will satisfy ŝu = w∈Bℓ′ t′ (w) · Aw,u for each
P P
u ∈ Bκ . We conclude that, if P constructs ŝ correctly, then
X X
h(w) = t′ (w) · A(w) (by definition of h(X0 , . . . , Xℓ′ −1 ).)
w∈Bℓ′ w∈Bℓ′
X X
= t′ (w) · fq(r0′′ , . . . , rκ−1
e ′′
, u0 , . . . , uκ−1 ) · Aw,u (by definition of A(X0 , . . . , Xℓ′ −1 ).)
w∈Bℓ′ u∈Bκ
X X
= fq(r0′′ , . . . , rκ−1
e ′′
, u0 , . . . , uκ−1 ) · t′ (w) · Aw,u (interchanging the above sums.)
u∈Bκ w∈Bℓ′
X
= fq(r0′′ , . . . , rκ−1
e ′′
, u0 , . . . , uκ−1 ) · ŝu (by (7) and the remarks below it.)
u∈Bκ

= s0 (by definition of the verifier.)

P
will hold, so that P’s sumcheck claim s0 = w∈Bℓ′ h(w) will be valid, and V will accept throughout the
course of its sumcheck, by the completeness of that latter protocol.
We turn to V’s final check. If P is honest, then s′ = t′ (r0′ , . . . , rℓ′ ′ −1 ) will hold; moreover, by definition
′ ′
of the sumcheck, we will have sℓ′ = Ph(r0 , . . . , rℓ′ −1′′). To treat V’s final check, it thus suffices to argue that
′ ′ ′ ′ ′ ′′
h(r0 , . . . , rℓ′ −1 ) = t (r0 , . . . , rℓ′ −1 ) · u∈Bκ eu · e fq(r0 , . . . , rκ−1 , u0 , . . . , uκ−1 ) will hold; to show this, it in turn
suffices, by definition of h(X0 , . . . , Xℓ′ −1 ), to prove that
X
A(r0′ , . . . , rℓ′ ′ −1 ) = eu · efq(r0′′ , . . . , rκ−1
′′
, u0 , . . . , uκ−1 ).
u∈Bκ

We proceed as follows. We note first that:

fq φ0 (rκ ), . . . , φ0 (rℓ−1 ), φ1 (r0′ ), . . . , φ1 (rℓ′ ′ −1 )

e=e (by definition.)
X
′ ′


= fq(φ0 (rκ ), . . . , φ0 (rℓ−1 ), w0 , . . . , wℓ′ −1 ) · e
e fq φ1 (r0 ), . . . , φ1 (rℓ′ −1 ), w0 , . . . , wℓ′ −1 (see below.)
w∈Bℓ′
X
fq(r0′ , . . . , rℓ′ ′ −1 , w0 , . . . , wℓ′ −1 )


= eq(rκ , . . . , rℓ−1 , w0 , . . . , wℓ′ −1 )) · φ1 e
φ0 (f (pulling out φ0 and φ1 .)
w∈Bℓ′
!
X X
fq(w0 , . . . , wℓ′ −1 , r0′ , . . . , rℓ′ ′ −1 )


= βu ⊗ Aw,u · 1⊗e (again by definition of the Aw,u .)
w∈Bℓ′ u∈Bκ
 
X X
= βu ⊗  fq(w0 , . . . , wℓ′ −1 , r0′ , . . . , rℓ′ ′ −1 ).
Aw,u · e (multiplying in A and rearranging.)
u∈Bκ w∈Bℓ′

To achieve the second equality above, we note that the multilinears e

P fq(X0 , . . . , Xℓ′ −1 , Y0 , . . . , Yℓ′ −1 ) and
fq(X0 , . . . , Xℓ −1 , w0 , . . . , wℓ −1 )· e
w∈Bℓ′ e
′ ′ fq(Y0 , . . . , Yℓ −1 , w0 , . . . , wℓ −1 ) are necessarily identical, since they
′ ′

agree identically on the cube B2·ℓ′ . We would like to thank Raju Krishnamoorthy for suggesting this argument
to us.

27
 P P
We see that the verifier’s row-decomposition e = u∈Bκ βu ⊗ eu will satisfy eu = w∈Bℓ′ Aw,u ·
fq(w0 , . . . , wℓ′ −1 , r0′ , . . . , rℓ′ ′ −1 ) for each u ∈ Bκ . We conclude finally V will have
e
 
X X X
fq(r′′ , u) =
eu · e  fq(w0 , . . . , wℓ′ −1 , r0′ , . . . , rℓ′ ′ −1 ) · e
Aw,u · e fq(r0′′ , . . . , rκ−1
′′
, u0 , . . . , uκ−1 )
u∈Bκ u∈Bκ w∈Bℓ′
!
X X
= fq(w0 , . . . , wℓ′ −1 , r0′ , . . . , rℓ′ ′ −1 )
e · Aw,u · fq(r0′′ , . . . , rκ−1
e ′′
, u0 , . . . , uκ−1 )
w∈Bℓ′ u∈Bκ
X
= fq(w0 , . . . , wℓ′ −1 , r0′ , . . . , rℓ′ ′ −1 ) · A(w0 , . . . , wℓ′ −1 )
e
w∈Bℓ′

= A(r0′ , . . . , rℓ′ ′ −1 ),

which is exactly what we needed to show. This completes the proof of completeness.
Remark 4.3. We explain in slightly more rigorous terms the “information loss” which would result if the
parties merely evaluated t′ (rκ , . . . , rℓ−1 ), as opposed to using the tensor algebra. During Theorem 4.2’s
proof, we show that ŝv = t(v0 , . . . , vκ−1 , rκ , . . . , rℓ−1 ) holds for each v ∈ Bκ . On the other hand,
X
t′ (rκ , . . . , rℓ−1 ) = t′ (w) · e
fq(rκ , . . . , rℓ−1 , w0 , . . . , wℓ′ −1 )
w∈Bℓ′
!
X X
= t(v0 , . . . , vκ−1 , w0 , . . . , wℓ′ −1 ) · βv ·e
fq(rκ , . . . , rℓ−1 , w0 , . . . , wℓ′ −1 )
w∈Bℓ′ v∈Bκ
 
X X
=  t(v0 , . . . , vκ−1 , w0 , . . . , wℓ′ −1 ) · e
fq(rκ , . . . , rℓ−1 , w0 , . . . , wℓ′ −1 ) · βv
v∈Bκ w∈Bℓ′
X
= t(v0 , . . . , vκ−1 , rκ , . . . , rℓ−1 ) · βv
v∈Bκ
X
= ŝv · βv .
v∈Bκ
P
We see that, while the information contained in ŝ = v∈Bκ ŝv ⊗ βv suffices to recover t(r0 , . . . , rℓ−1 ) (as
the
P proof of Theorem 4.2 above shows), the datum t(rκ , . . . , rℓ−1 ) would yield, rather, the basis-combination
v∈Bκ ŝv · βv of ŝ’s columns. Since the K-basis (βv )v∈Bκ is certainly not linearly P independent over L,
this latter combination reflects ŝ only “lossfully”. We note that, interestingly, v∈Bκ ŝ · βv = h(ŝ) holds;
here, h : L ⊗K L → L is the canonical K-linear map defined on simple tensors by multiplication (we recall
Subsection 2.5 above). That is, t(rκ , . . . , rℓ−1 ) relates to φ1 (t′ )(φ0 (rκ ), . . . , φ0 (rℓ−1 )) exactly by the map h,
which is of course not injective. We would like to thank Raju Krishnamoorthy for explaining this fact to us.
fq φ0 (rκ ), . . . , φ0 (rℓ−1 ), φ1 (r0′ ), . . . , φ1 (rℓ′ ′ −1 ) .


Remark 4.4. We discuss the verifier’s computation of e := e
Clearly, this computation amounts to O(ℓ′ ) arithmetic operations in the algebra A, and so can be carried out
in polylogarithmic time for the verifier in the worst case (we defer our full efficiency analysis to Subsection
6.2 below). Here, we discuss a concretely efficient procedure by whose aid the verifier may compute e, at
least in the characteristic 2 case. Indeed, we note first the following identity, valid only in characteristic 2:
′ ′
ℓY −1 ℓY −1
fq(X0 , . . . , Xℓ′ −1 , Y0 , . . . , Yℓ′ −1 ) :=
e (1 − Xi ) · (1 − Yi ) + Xi · Yi = 1 − Xi − Yi .
i=0 i=0

This identity suggests the correctness of the following algorithm:

1: initialize the A-element e := 1.
2: for i ∈ {0, . . . , ℓ′ − 1} do update e −= e · φ0 (rκ+i ) + e · φ1 (ri′ ).
3: return e.

28
This algorithm computes e using just 2 · ℓ′ “scaling operations”, ℓ′ vertical and ℓ′ horizontal. Here, we
mean by the term “scaling operation” the multiplication of an A-element by an L-element, itself embedded
into A either by φ0 or φ1 (as the case may be). As is made clear in Subsection 2.5, multiplications of
these latter sorts are easier to carry out than general A-by-A multiplications are, and in fact amount to 2κ
L-multiplications (i.e., either of each column of A or of each row of A by the fixed L-multiplicand).
We now prove the security of ring-switching.
Theorem 4.5. If Π′ = Setup′ , Commit′ , P ′ , V ′ is secure, then Π = (Setup, Commit, P, V) also is.

Proof. We write E ′ for the emulator for Π′ . We define an emulator E for Π as follows.
1. On input A’s record of interactions with the vector oracle, E internally runs t′ (X0 , . . . , Xℓ′ −1 ) ← E ′ .
2. If t′ = ⊥, then E outputs ⊥ and aborts.
3. By reversing Definition 2.1, E obtains t(X0 , . . . , Xℓ−1 ) ∈ K[X0 , . . . , Xℓ−1 ]⪯1 , which it outputs.
We argue that the emulator E defined in this way is secure. If E ′ outputs ⊥, then the probability with
which V ′ accepts is negligible, by the security of Π′ ; we thus ignore this set of cases. We assume that
t(X0 , . . . , Xℓ−1 ) ̸= ⊥ and that s ̸= t(r0 , . . . , rℓ−1 ); we argue, conditioned on this assumption, that V will
accept with at most negligible probability.
We first note that we may assume that P computes its first message ŝ ̸= φ1 (t′ )(φ0 (rκ ), . . . , φ0 (rℓ−1 ))
incorrectly. Indeed, it is shown directlyPin the course of our proof of Theorem 4.2 above that, if ŝ =
φ1 (t′ )(φ0 (rκ ), . . . , φ0 (rℓ−1 )) holds, then v∈Bκ ŝv · e fq(r0 , . . . , rκ−1 , v0 , . . . , vκ−1 ) = t(r0 , . . . , rℓ−1 ) also will;
we see that, in this latter case,

s ̸= t(r0 , . . . , rℓ−1 ) (by our initial assumption above whereby P’s claim is false.)
X
= ŝv · e fq(r0 , . . . , rκ−1 , v0 , . . . , vκ−1 ) (a consequence of ŝ = φ1 (t′ )(φ0 (rκ ), . . . , φ0 (rℓ−1 )).)
v∈Bκ

will hold, so that V will reject and we’re done. We thus assume that ŝ ̸= φ1 (t′ )(φ0 (rκ ), . . . , φ0 (rℓ−1 )).
′
P sake of notation, we abbreviate s := φ1 (t )(φ0 (rκ ), . . . , φ0 (rℓ−1 )) for this latter quantity, and write
For the
s =: u∈Bκ βu ⊗ su for its row-decomposition.
Our hypothesis whereby ŝ ̸= s entails that the κ-variate polynomial
X
S(X0 , . . . , Xκ−1 ) := (ŝu − su ) · e
fq(X0 , . . . , Xκ−1 , u0 , . . . , uκ−1 )
u∈Bκ

is not identically zero. Applying Schwartz–Zippel to S(X0 , . . . , Xκ−1 ), we conclude that the probability,
over V’s choice of (r0′′ , . . . , rκ−1
′′
) ← Lκ , that S(r0′′ , . . . , rκ−1 ′′
) = 0 is at most |L| κ
, which is negligible. We thus
′′ ′′
assume that S(r0 , . . . , rκ−1 ) ̸= 0, which itself immediately entails that:
X X
s0 := ŝu · e fq(r0′′ , . . . , rκ−1
′′
, u0 , . . . , uκ−1 ) ̸= fq(r0′′ , . . . , rκ−1
su · e ′′
, u0 , . . . , uκ−1 ).
u∈Bκ u∈Bκ

On the other hand, by an argument identical to one already given during the proof of Theorem 4.2 above,
we have that: X X
h(w) = efq(r0′′ , . . . , rκ−1
′′
, u0 , . . . , uκ−1 ) · su ,
w∈Bℓ′ u∈Bκ

where here we abbreviate h(X0 , . . . , Xℓ′ −1 ) := t′ (X0 , . . . , Xℓ′ −1 ) · A(X0 , . . . , Xℓ′ −1 ) using the emulator’s
extracted polynomial t(X0 , . . . , Xℓ−1 ) (as opposed to the prover’s). Combining the P above two equations,
we conclude—again under our hypothesis whereby S(r0′′ , . . . , rκ−1 ′′
) ̸= 0—that s0 ̸= w∈Bℓ′ h(w). By the
soundness of the sumcheck,
we conclude that the′ probability with which V accepts throughout
that protocol
and sℓ′ = h r0′ , . . . , rℓ′ ′ −1 holds is at most 2·ℓ |L| . We thus assume that sℓ′ ̸
= h r0
′
, . . . , r ′
ℓ −1 , or in other
′

words that:
sℓ′ ̸= t(r0′ , . . . , rℓ′ ′ −1 ) · A(r0′ , . . . , rℓ′ ′ −1 ).

29
Under this latter assumption, we argue further that if P correctly sends s′ = t′ (r0′ , . . . , rℓ′ ′ −1 ), then V
will again reject. PIndeed, if it does, then—since, as the proof of Theorem 4.2 already demonstrates,
A(r0′ , . . . , rℓ′ ′ −1 ) = u∈Bκ eu · e
fq(r0′′ , . . . , rκ−1
′′
, u0 , . . . , uκ−1 ) holds—the verifier will obtain:
X
sℓ′ ̸= t(r0′ , . . . , rℓ′ ′ −1 ) · A(r0′ , . . . , rℓ′ ′ −1 ) = s′ · fq(r0′′ , . . . , rκ−1
eu · e ′′
, u0 , . . . , uκ−1 ),
u∈Bκ

and so will reject, as required. We thus assume that s′ ̸= t′ (r0′ , . . . , rℓ′ ′ −1 ). Under exactly this assumption,
the probability with which V ′ accepts is negligible, under our hypothesis whereby Π′ is secure.
We defer our analysis of the efficiency of Construction 4.1 to Section 6. We note informally that it has
no commitment overhead whatsoever; its evaluation overhead consists of an ℓ′ -variate sumcheck of degree
2, over L, plus a few row and column operations on algebra elements. As we explain in Subsection 6.2
below, the ideas of Gruen [Gru24, § 3] serve to further reduce the effective degree ofthat 
sumcheck from 2
κ+ℓ′
to 1. Finally, Construction 4.1 adds a small additional soundness error—that is, of O |L| —to that of the
underlying L-PCS.

5 Batching
In this section, we treat the batch-evaluation of many polynomials. We note that a technique of Ron-Zewi
and Rothblum [RR24, Fig. 3] serves to reduce the evaluation of some fixed polynomial at many points to
that of the same polynomial at just one point. It is not difficult to extend the technique [RR24, Fig. 3] so as
to make it capable of reducing the evaluation of many, possibly different polynomials at different points to
the evaluation of these polynomials at just one point (we refer to Chen, Bünz, Boneh and Zhang [CBBZ23,
§ 3.7] for a similar extension). Here, we discuss the target of this reduction; i.e., we discuss how to commit
to a batch of polynomials, and then later to evaluate all of those polynomials at a single given point. (The
resulting scheme should be more efficient than that which simply repeatedly invokes the underlying scheme.)
Our batching procedure is generic; that is, given any small-field scheme as in Definition 2.9, it yields a
corresponding commitment scheme suitable for multiple polynomials. To treat this scheme with full formality,
we would need to produce a batched analogue of Definition 2.9 and of its security definition. We skip these
tasks, as they are more-or-less rote.
We now record our batching reduction.

CONSTRUCTION 5.1 (Batching Reduction).

A non-batched small-field scheme Π′ = Setup′ , Commit′ , P ′ , V ′ is given. We define the batched small-

field scheme Π = (Setup, Commit, P, V) as follows.

• params ← Π.Setup(1λ , ℓ, m, K). On input 1λ , ℓ, m, and K, run and output Π′ .Setup′ (1λ , ℓ+m, K).

• [f ] ← Π.Commit params, (tz )z∈Bm . On input a batch (tz (X0 , . . . , Xℓ−1 ))z∈Bm of polynomials,

where, for each z ∈ Bm , tz (X0 , . . . , Xℓ−1 ) ∈ K[X0 , . . . , Xℓ−1 ]⪯1 , define an ℓ+m-variate multilinear
t′ (X0 , . . . , Xℓ+m−1 ) ∈ K[X0 , . . . , Xℓ+m−1 ]⪯1 according to the piecewise rule whereby, for each
z ∈ Bm and each w ∈ Bℓ , t′ (w0 , . . . , wℓ−1 , z0 , . . . , zm−1 ) := tz (w). Output Π′ .Commit′ (params, t′ ).
We define (P, V) as the following IOP, in which both parties have the common input [f ], (sz )z∈Bm , and
(r0 , . . . , rℓ−1 ) ∈ Lℓ , and P has the further input (tz (X0 , . . . , Xℓ−1 ))z∈Bm .
• V samples batching scalars (r0′′′ , . . . , rm−1
′′′
) ← Lm and sends them to P.
• P and V compute the evaluation claim s′ := z∈Bm sz · e fq(r0′′′ , . . . , rm−1
′′′
P
, z0 , . . . zm−1 ).

• P and V write (r0′ , . . . , rℓ+m−1

′
) := (r0 , . . . , rℓ−1 , r0′′′ , . . . , rm−1
′′′
).
• P and V engage in the evaluation protocol b′ ← ⟨P ′ ([f ], s′ , r′ ; t′ ), V ′ ([f ], s′ , r′ )⟩; V outputs b′ .

30
 We note that Construction 5.1 invokes the underlying scheme Π′ only once, on a polynomial
′
t (X0 , . . . , Xℓ+m−1 ) of total size equal to that of the batch (tz (X0 , . . . , Xℓ−1 ))z∈Bm . This scheme is thus
much more efficient—at least for V—than is the trivial alternative (i.e., than invoking Π′ 2m times).
Theorem 5.2. If Π′ = Setup′ , Commit′ , P ′ , V ′ is complete, then Π = (Setup, Commit, P, V) also is.

?
Proof. We must show that if P’s claims are true—in that sz = tz (r0 , . . . , rℓ−1 ) holds for each z ∈ Bm —then
?
the piecewise polynomial t′ (X0 , . . . , Xℓ+m−1 ) constructed by P will satisfy t′ (r′ ) = s′ . On the other hand,
X
s′ = fq(r0′′′ , . . . , rm−1
sz · e ′′′
, z0 , . . . zm−1 ) (by definition.)
z∈Bm
X
= fq(r0′′′ , . . . , rm−1
tz (r0 , . . . , rℓ−1 ) · e ′′′
, z0 , . . . zm−1 ) (assuming the truth of P’s initial claims.)
z∈Bm
X
= t′ (r0 , . . . , rℓ−1 , z0 , . . . , zm−1 ) · e
fq(r0′′′ , . . . , rm−1
′′′
, z0 , . . . zm−1 ) (definition of t′ (X0 , . . . , Xℓ+m−1 ).)
z∈Bm

= t′ (r0 , . . . , rℓ−1 , r0′′′ , . . . , rm−1

′′′
) (fundamental property of multilinears.)

will hold whenever the prover’s claims are true. This completes the proof of completeness.
Theorem 5.3. If Π′ = Setup′ , Commit′ , P ′ , V ′ is secure, then Π = (Setup, Commit, P, V) also is.

Proof. Our emulator E internally runs Π′ ’s emulator E’, so obtaining t′ (X0 , . . . , Xℓ+m−1 ) ∈
K[X0 , . . . , Xℓ+m−1 ]⪯1 ; given t′ (X0 , . . . , Xℓ+m−1 ), E defines, for each z ∈ Bm , tz (X0 , . . . , Xℓ−1 ) in such a
way that, for each w ∈ Bℓ , tz (w) := t′ (w0 , . . . , wℓ−1 , z0 , . . . , zm−1 ) holds. We claim that if, for any z ∗ ∈ Bm ,
the resulting polynomial tz∗ (X0 , . . . , Xℓ−1 ) satisfies sz∗ ̸= tz∗ (r0 , . . . , rℓ−1 ), then V will reject.
∗
To show this, we assume that, for some P z ∈ Bm , sz∗ ̸= tz∗ (r0 , . . . , rℓ−1 ). Under exactly this assumption,
the polynomial S(X0 , . . . , Xm−1 ) := z∈Bm (sz − tz (r0 , . . . , rℓ−1 )) · ef q(X0 , . . . , Xm−1 , z0 , . . . , zm−1 ) is not
identically zero, so that Schwartz–Zippel applies to it. We conclude that the chance that S(r0′′′ , . . . , rm−1 ′′′
)=
′′′ ′′′ m m ′′′ ′′′
0, over V’s choice of (r0 , . . . , rm−1 ) ← L , is at most |L| . On the other hand, if S(r0 , . . . , rm−1 ) ̸= 0, then
X
s′ = fq(r0′′′ , . . . , rm−1
sz · e ′′′
, z0 , . . . zm−1 ) (by definition.)
z∈Bm
X
̸= fq(r0′′′ , . . . , rm−1
tz (r0 , . . . , rℓ−1 ) · e ′′′
, z0 , . . . zm−1 ) (assuming that S(r0′′′ , . . . , rm−1
′′′
) ̸= 0.)
z∈Bm
X
= t′ (r0 , . . . , rℓ−1 , z0 , . . . , zm−1 ) · e
fq(r0′′′ , . . . , rm−1
′′′
, z0 , . . . zm−1 ) (by constuction of (tz )z∈Bm .)
z∈Bm

= t′ (r0 , . . . , rℓ−1 , r0′′′ , . . . , rm−1

′′′
) (fundamental property of multilinears.)

will hold, so that V will reject during Π′ , by the security of that protocol. This completes the proof.

6 Small-Field IOPCS
In this section, we describe our main, practice-oriented, small-field construction. This construction combines
the simple scheme of Section 3 with the ring-switching reduction of Section 4. We moreover streamline and
optimize the resulting combination, by unifying Construction 3.11’s sumcheck with that already required
within Construction 4.1. We also concretely benchmark this combined scheme.

6.1 Combined Small-Field Protocol

We present our full combined protocol below. Our protocol directly instantiates the generic small-field
template of Definition 2.9; we slightly specialize that template by requiring that the ground field K = Tι
be a binary tower field. We use the tensor algebra A := Tτ ⊗Tι Tτ , as well as the two ring embeddings
φ0 : Tτ ,→ A and φ1 : Tτ ,→ A.

31
CONSTRUCTION 6.1 (Combined Small-Field IOPCS).
We define Π = (Setup, Commit, P, V) as follows.
• params ← Π.Setup(1λ , ℓ, ι). On input 1λ , ℓ, and ι, choose a constant, positive rate parameter
R ∈ N and a tower height τ ≥ log(ω(log λ)) for which τ ≥ ι and 2τ ≥ ℓ − τ + ι + R. Write
Tτ
κ := τ − ι and ℓ′ := ℓ − κ. Initialize the vector oracle FVec . Fix a folding factor ϑ | ℓ′ and
a repetition parameter γ = ω(log(λ)). Write (X0 (X), . . . , X2ℓ′ −1 (X)) for the novel Tτ -basis of
ℓ′ ′ ′
Tτ [X]≺2 , and fix the domains S (0) , . . . , S (ℓ ) and the polynomials q (0) , . . . , q (ℓ −1) as in Subsection
ℓ′ +R ′ ′
3.1. Write C (0) ⊂ Tτ 2 for the Reed–Solomon code RSTτ ,S (0) [2ℓ +R , 2ℓ ].

• [f ] ← Π.Commit(params, t). On input t(X0 , . . . , Xℓ−1 ) ∈ Tι [X0 , . . . , Xℓ−1 ]⪯1 , construct as in

Definition 2.1 the packed polynomial t′ (X0 , . . . , Xℓ′ −1 ) ∈ Tτ [X0 , . . . , Xℓ′ −1 ]⪯1 . Write P (X) :=
′
P
v∈Bℓ′ t (v)·X{v} (X) for its univariate flattening. Using Algorithm 2, compute the Reed–Solomon
codeword f : S (0) → Tτ defined by f : x 7→ P (x). Submit (submit, ℓ′ + R, f ) to the vector oracle
Tτ
FVec . Upon receiving (receipt, ℓ′ + R, [f ]) from the oracle, output the commitment [f ].

We define (P, V) as the following IOP, in which both parties have the common input [f ], s ∈ Tτ , and
(r0 , . . . , rℓ−1 ) ∈ Tτℓ , and P has the further input t(X0 , . . . , Xℓ−1 ) ∈ Tι [X0 , . . . , Xℓ−1 ]⪯1 .
• P computes ŝ := φ1 (t′ )(φ0 (rκ ), . . . , φ0 (rℓ−1 )) and sends V the A-element ŝ.
?
• V decomposes ŝ =:
P P
v∈Bκ ŝv ⊗ βv . V requires s = v∈Bκ ŝv · e
fq(r0 , . . . , rκ−1 , v0 , . . . , vκ−1 ).
• V samples batching scalars (r0′′ , . . . , rκ−1
′′
) ← Tτκ and sends them to P.
• P again writes t′ (X0 , . . . , Xℓ′ −1 ) ∈ Tτ [X0 , . . . , Xℓ′ −1 ]⪯1 for t(X0 , . P . . , Xℓ−1 )’s packed polynomial.
For each w ∈ Bℓ′ , P
P decomposes e fq(rκ , . . . , rℓ−1 , w0 , . . . , wℓ′ −1 ) =: u∈Bκ Aw,u · βu . P defines the
function A : w 7→ u∈Bκ e fq(r0′′ , . . . , rκ−1
′′
, u0 , . . . , uκ−1 ) · Aw,u on Bℓ′ and writes A(X0 , . . . , Xℓ′ −1 )
for its multilinear extension. P defines h(X0 , . . . , Xℓ′ −1 ) := t′ (X0 , . . . , Xℓ′ −1 ) · A(X0 , . . . , Xℓ′ −1 ).
• V decomposes ŝ =: u∈Bκ βu ⊗ ŝu , and sets s0 := u∈Bκ ŝu · e fq(r0′′ , . . . , rκ−1
′′
P P
, u0 , . . . , uκ−1 ).

• P and V both abbreviate f (0) := f , and execute the following loop:

1: for i ∈ {0, . . . , ℓ′ − 1} do
P sends V the polynomial hi (X) := w∈Bℓ′ −i−1 h r0′ , . . . , ri−1
′
P

2: , X, w0 , . . . , wℓ′ −i−2 .
?
3: V requires si = hi (0) + hi (1). V samples ri′ ← Tτ , sets si+1 ′ ′

:= hi (ri ), and sends P ri .
(i+1) (i+1) (i) ′
4: P defines f :S → Tτ as the function fold f , ri of Definition 3.6.
′
5: if i + 1 = ℓ′ then P sends c := f (ℓ ) (0, . . . , 0) to V.
6: else if ϑ | i + 1 then P submits (submit, ℓ′ + R − i − 1, f (i+1) ) to the oracle.

• V sets e := e
fq φ0 (rκ ), . . . , φ0 (rℓ−1 ), φ1 (r0′ ), . . . , φ1 (rℓ′ ′ −1 ) and decomposes e =: u∈Bκ βu ⊗ eu .

P

?
• V requires sℓ′ = c · fq(r0′′ , . . . , rκ−1
′′
P
u∈Bκ eu · e , u0 , . . . , uκ−1 ).

• V executes the following querying procedure:

1: for γ repetitions do
2: V samples v ← Bℓ′ +R randomly.
3: for i ∈ {0, ϑ, . . . , ℓ′ − ϑ} (i.e., taking ϑ-sized steps) do

4: for each u ∈ Bϑ , V sends query, [f (i) ], (u0 , . . . , uϑ−1 , vi+ϑ , . . . , vℓ′ +R−1 ) to the oracle.
?
5: if i > 0 then V requires ci = f (i) (vi , . . . , vℓ′ +R−1 ).
V defines ci+ϑ := fold f (i) , ri′ , . . . , ri+ϑ−1
′


6: (vi+ϑ , . . . , vℓ′ +R−1 ).
?
7: V requires cℓ′ = c.

The completeness and security of Construction 6.1 follow essentially directly from Sections 3 and 4 above.

32
6.2 Efficiency
We examine the efficiency of Construction 6.1, both asymptotic and concrete. Throughout our below analysis,
we view the coefficient size parameter ι and the Reed–Solomon rate parameter R as constants, though we
note in passing our protocol’s various dependencies on these values.
We note that it’s possible to achieve, for both parties, a merely-polylogarithmic dependence on the security
parameter λ—while retaining asymptotic security—by instantiating with appropriate care the extension
degree 2τ , the random oracle digest width, and the repetition parameter γ. (Specifically, it’s enough to
demand that these quantities grow strictly polylogarithmically—i.e., with exponent greater than 1—in λ.)
Since this fact is of essentially theoretical interest, we refrain from developing it (though we refer to [DP23,
Thm. 3.14] for a related treatment). We finally assume throughout that ϑ is bounded by a constant.
For Construction 6.1 to be well-defined; it’s necessary that 2τ ≥ ℓ − τ + ι + R hold. For the sake of
security, we moreover set 2τ ≥ Θ(λ). In sum, it suffices that 2τ ≥ Θ(λ + ℓ) hold; we assume as much
throughout. We moreover set γ := Θ(λ), and assume that the random oracle outputs digests of size Θ(λ).
We see that each Tτ -element takes Θ(λ + ℓ) bits to represent and each Tτ -operation takes poly(λ, ℓ) work (in
2
fact, O((λ + ℓ)log(3) ) is enough). Similarly, each A-element occupies 2ι · (2τ −ι ) = 22·τ −ι = Θ((λ + ℓ)2 ) bits,
and each A-operation again takes poly(λ, ℓ) work.
The commitment phase of Construction 6.1 amounts to a Reed–Solomon encoding operation in the code
′ ′
C (0) = RSTτ ,S (0) [2ℓ +R , 2ℓ ]. By Lin, Chung and Han [LCH14, § III. D.] (see also Algorithm 2), this operation
 ′
  ′
 ′ ′
can be carried out in Θ ℓ′ · 2ℓ +R = Θ ℓ′ · 2ℓ Tτ -operations (specifically, using ℓ′ · 2ℓ +R and ℓ′ · 2ℓ +R−1
Tτ -additions and Tτ -multiplications, respectively). The prover’s opening protocol entails a sumcheck on the
Tτ -polynomial h(X0 , . . . , Xℓ′ −1 )—whose individual degree in each variable is at most 2—and an execution
of our 2ϑ -ary multilinear FRI variant (see Subsection 3.2) on the ℓ′ -variate committed word f over Tτ . By
′
the sumcheck prover analysis of Thaler [Tha22, Lem. 4.5], the first task takes Θ(2ℓ ) Tτ -operations, which
′
represents Θ(2ℓ ) · poly(λ, ℓ) total work. It follows essentially by inspection that our prover’s FRI-incumbent
′ ′ ′
work amounts to Θ(2ℓ +R ) = Θ(2ℓ ) Tτ -operations, and thus again represents Θ(2ℓ ) · poly(λ, ℓ) total work.
′
We conclude that our prover is quasilinear in the packed length 2ℓ of its witness.
Construction 6.1’s verifier complexity is essentially that of the sumcheck verifier plus that of the FRI
′
verifier. These latter tasks entail Θ(ℓ′ ) and Θ(γ · 2ϑ · ℓϑ ) = Θ(ℓ′ · λ), respectively, Tτ -operations. These tasks
thus represent total work on the order of O(ℓ′ ) · poly(λ, ℓ) = poly(λ, ℓ) bit-operations for the verifier. Finally,
the verifier’s row and column combinations of ŝ and its row-combination of e all take Θ(2κ ) = Θ(2τ ) =
Θ(λ + ℓ) Tτ -operations, and so collectively represent poly(λ, ℓ) total work. The verifier’s computation of
fq φ0 (rκ ), . . . , φ0 (rℓ−1 ), φ1 (r0′ ), . . . , φ1 (rℓ′ ′ −1 ) takes Θ(ℓ′ ) A-operations, and so again represents just O(ℓ′ ) ·


e
poly(λ, ℓ) = poly(λ, ℓ) total work (see also Remark 4.4 above).
The non-oracle communication cost of Construction 6.1 (i.e., corresponding to those values sent directly
by the prover to the verifier) amounts to three Tτ -elements per round of the sumcheck, plus the A-elements
ŝ and e and the Tτ -element c.

The BCS transform. In the variant of Construction 6.1 in which, by means of the BCS transform
[BCS16], the use of the vector oracle is eliminated, the prover must moreover Merkle-hash f (0) during its
(ϑ) (ℓ′ −ϑ)
commitment phase, as well as the oracles  ′ f  , . . . , f ′  during its opening proof; these commitments
represent total work on the order of Θ 2ℓ +R = Θ 2ℓ hash evaluations. We note that for each query
repetition i ∈ {0, ϑ, . . . , ℓ′ − ϑ} and each v ∈ Bℓ′ +R−i−ϑ , the required leaves f (i) (u ∥ v) u∈B are naturally


ϑ
adjacent in the prover’s ith Merkle tree. We thus opt to send only a single shortened Merkle path, of height
only ℓ′ + R − i − ϑ, as well as the 2ϑ relevant field elements, at each such  query step. The total prover work
′ ℓ′
2 ϑ 2


during the query phase is thus O γ · λ · (ℓ + R) + ϑ · 2 · Θ(λ + ℓ) = O γ · (λ · ℓ ) . Using our further


assumption whereby γ = Θ(λ), we upper-bound the prover’s work during the query phase as O λ2 · ℓ2 .
In this non-oracle variant of the protocol—in which the verifier must check Merkle paths—the verifier’s
′
FRI cost becomes O γ · λ · (ℓ′ + R)2 + ℓϑ · 2ϑ · poly(λ, ℓ) , which is again O(ℓ2 ) · poly(λ, ℓ) = poly(λ, ℓ).
During the protocol’s query phase—and  assuming
 again the BCS-transformed
 version—we encounter
′
further a proof size cost on the order of O γ · λ · (ℓ′ + R)2 + ℓϑ · 2ϑ · Θ(λ + ℓ) = O λ2 · ℓ2 bits.

33
 In our concrete proof size analyses below, we incorporate various further optimizations. For example,
for each oracle i ∈ {0, ϑ, . . . , ℓ′ − ϑ}, we opt to send the entire j th layer of the Merkle tree—as opposed to
only its root—for some appropriately chosen constant j ≥ 0. Increasing j exponentially increases the fixed
size of each commitment, but also causes each among the γ subsequently sent paths to become shorter. The
optimal truncation height turns out to be j := ⌈log2 (γ)⌉. Each path sent, of course, is of size ℓ′ +R−i−ϑ−j.
As soon as i ∈ {0, ϑ, . . . , ℓ′ − ϑ} becomes so large that j > ℓ′ + R − i − ϑ holds, this convention becomes
nonsensical; at this point, we instruct our prover rather to terminate FRI early and send its entire message
to the verifier in the clear. (Of course, this measure moreover allows us to drop our requirement ϑ | ℓ′ ,
which we instated only for notational convenience.) Interestingly, in certain parameter regimes, the parties
stand to benefit by terminating FRI even earlier (i.e., even when j ≤ ℓ′ + R − i − ϑ still holds). Since this
phenomenon doesn’t appear in the particular problem instances we benchmark below, we have refrained
from treating it more explicitly (say, by developing a criterion designed to predict when exactly FRI should
be terminated). We leave for future work the establishment of closed-form formulae which serve to predict
the optimal oracle-skipping parameter ϑ and the optimal early-termination threshold, given as input only
ℓ′ , R, γ and j (as well as global parameters like τ , ι, and the hash digest width).
We further incorporate the various optimizations described in Gruen [Gru24, § 3]. Those optimizations
serve to reduce the communication cost of each polynomial hi (X) above from three field-elements per round
2·ℓ′ ′
to just one. They also decrease our protocol’s sumcheck-specific soundness error from |T τ|
to |Tℓτ | .

Concrete soundness. We record proof sizes for both this work and [DP23, Cons. 3.11]. In order to
appropriately select the query repetition parameter γ, we must examine the concrete security of our protocol
(we refer to [DP23, § 3.5] for an analogous analysis). It follows essentially from the proof of Theorem 3.16
that Construction 6.1’s concrete soundness error is bounded from above by
′ γ
ℓ′ 2ℓ +R

1 1
+ + + ; (8)
|Tτ | |Tτ | 2 2 · 2R

above, the first summand is sumcheck-specific, whereas the latter two reflect Propositions 3.22 and 3.23,
respectively. For each desired concrete security level Ξ, we thus set γ minimally so that (8) becomes bounded
′ ℓ′ +R
from above by Ξ. (Clearly, this is possible only when τ is sufficiently large that Ξ > |Tℓτ | + 2|Tτ | holds.) We
say in this case that Construction 6.1 attains − log2 (Ξ) bits of security.

Proof sizes. Our proof sizes appear in Table 1 below.

Total Data Size Num. Variables ℓ Coefficient Size ι [DP23, Cons. 3.11] Construction 6.1

32 MiB (228 bits) 22 6 0.753 MiB 0.227 MiB

25 3 1.003 MiB 0.227 MiB
28 0 2.849 MiB 0.229 MiB

512 MiB (232 bits) 26 6 4.532 MiB 0.334 MiB

29 3 5.682 MiB 0.334 MiB
32 0 11.300 MiB 0.336 MiB

8 GiB (236 bits) 30 6 11.329 MiB 0.465 MiB

33 3 22.572 MiB 0.465 MiB
36 0 61.064 MiB 0.467 MiB

Table 1: Proof sizes, including oracle-skipping, Merkle caps, and early FRI termination.

34
 In our proof size measurements above, we use a 128-bit field, and attain 96 bits of provable security. We
set R := 2 throughout, so that our code is of rate ρ = 41 . In Construction 6.1, we use between γ = 142 and
γ = 144 queries, as the case may be. We use the Merkle tree truncation height j := 8. We fix the folding
factor ϑ := 4, which happens to yield the smallest proofs throughout. The previous work [DP23, Cons. 3.11]
requires more queries—rather between γ = 231 and γ = 232, for the sizes we benchmark below—as [DP23,
Rem. 3.18] explains.
We see that our Construction 6.1 beats [DP23, Cons. 3.11] by as much as a hundredfold.

Concrete performance. We concretely benchmark this work’s Construction 6.1 above, as well as [DP23,
Cons. 3.11] and the univariate-FRI-based scheme Plonky3 . Our benchmarks of the first two schemes use
Binius, an open-source implementation of both [DP23] and this work.
In our benchmarks below, we again use a 128-bit field and attain 96 bits of provable security. We work
exclusively in the unique-decoding regime. We note that both [DP23, Cons. 3.11] and this work are proven
secure solely in that regime (as of yet). As for Plonky3, we note that it’s impossible to obtain 96 bits
of provable security in the list-decoding regime over a field of merely 128 bits. Indeed, the best-available
proximity gap in that regime—namely, [Ben+23, Thm. 5.1]—has a false witness probability [Ben+23, (5.3)]
which grows quadratically in its problem size. We see that each reasonably-large instance stands to overwhelm
that result’s 128-bit denominator (yielding a vacuous bound). Our benchmarks below thus reflect the best-
possible proof size attainable in Plonky3, conditioned on the 96-bit security level and the use of a 128-bit
field.
In [DP23] and
this work, we work over the 128-bit tower field T7 . In Plonky3 , we use the quartic extension
Fp [X]/ X 4 − 11 of the Baby Bear prime field Fp , where p := 231 − 227 + 1. Throughout, we use the code
rate ρ = 41 . We benchmark [DP23] and Construction 6.1 on ℓ-variate multilinear polynomials, for ℓ equal to
20, 24, and 28. In each case, we consider polynomials over Tι , for ι equal in turn to 0, 3 and 5 (i.e., with
coefficients of 1 bit, 8 bits and 32 bits). As far as Plonky3, we benchmark size-16 batches of polynomials
comprising total data size 2ℓ equal to 220 , 224 and 228 . In that setting, we consider only polynomials over
the 31-bit Baby Bear field Fp ; indeed, that scheme would not perform any better upon being given as input
a polynomial whose coefficients were “smaller” (albeit still Fp -elements).
In our concrete benchmarks both of this work and of Plonky3 below, we omit throughout the Merkle-
caps, oracle-skipping, and early-termination optimizations. (That is, in this work, we set ϑ := 1 and j := 0,
and moreover proceed analogously in Plonky3.) These omissions make our proofs become significantly larger
(and our prover and verifier slower to boot); we refer to Table 1 above for our protocol’s “true” proof sizes.
On the other hand, they make our comparison to Plonky3 below more direct, since that work also neglects
to include these optimizations, as currently written.
We explain our use of batching in our Plonky3 benchmarks. The most natural benchmark would have
compared our scheme’s performance on ℓ-variate multilinear polynomials to Plonky3’s on single, degree-2ℓ
univariate polynomials. We note, however, that Plonky3’s FRI-PCS implementation is heavily optimized
towards the case of batched polynomial commitments. In order to compare our works more fairly, we instead
run Plonky3 in the batched setting; that is, we benchmark it on batches of 24 univariate polynomials,
each of degree 2ℓ−4 , for each problem size ℓ. Separately, in our own, non-batched scheme, we nonetheless
incorporate a straightforward optimization which serves to reduce by 4 the number of butterfly stages
which our commitment phase must compute. In sum, both our scheme (operating on single multilinear
polynomials) and theirs (operating on size-16 batches of univariate polynomials) must nonetheless perform
NTT calculations of essentially the same shape and size. This fact makes our works naturally comparable.
In our CPU benchmarks below, we use throughout a Google Cloud machine of type c3-standard-22 with
an Intel Xeon Scalable (“Sapphire Rapids”) processor and 22 virtual cores. Both the Binius and Plonky3
implementations leverage AVX-512 accelerated instructions; Binius moreover uses the Intel GFNI instruction
set extension. We benchmark Plonky3 using both the Poseidon2 and Keccak-256 hashes (the former hash is
“recursion-friendly” in that work’s prime-field setting). We present singlethreaded and multithreaded results
in Tables 2 and 3 below, respectively.

35
Commit. Scheme Prob. Sz. ℓ Coef. Sz. (bits) Pf. Sz. (MiB) Commit (s) Prove (s) Verify (s)

Plonky3 20 31 0.593 0.3624 0.3048 0.02462

Baby Bear 24 31 0.866 6.019 4.993 0.03576
Poseidon 28 31 1.200 100.7 82.35 0.04847

Plonky3, 20 31 0.842 0.2620 0.2870 0.01273

Baby Bear 24 31 1.200 4.487 4.780 0.01811
Keccak-256 28 31 1.700 77.07 79.14 0.02420

[DP23, Cons. 3.11] 20 1 0.183 0.002260 0.003343 0.006843

8 0.205 0.01904 0.004669 0.004186
32 0.281 0.05717 0.01661 0.004562
24 1 0.725 0.02436 0.08347 0.02002
8 0.746 0.2166 0.07961 0.01296
32 1.010 0.8334 0.3536 0.01514
28 1 2.849 0.3979 1.553 0.07140
8 3.870 3.354 1.855 0.03974
32 3.884 20.51 10.63 0.07019

Construction 6.1 20 1 0.510 0.003212 0.01278 0.004076

8 0.729 0.02835 0.1236 0.005783
32 0.898 0.1175 0.3479 0.007369
24 1 0.813 0.0551 0.1922 0.006882
8 1.085 0.5081 1.980 0.009196
32 1.288 2.223 5.613 0.01117
28 1 1.186 1.097 3.331 0.01052
8 1.509 9.874 31.80 0.01335
32 1.748 41.93 90.32 0.01696

Table 2: Singlethreaded benchmarks.

36
 Commit. Scheme Prob. Sz. ℓ Coef. Sz. (bits) Pf. Sz. (MiB) Commit (s) Prove (s) Verify (s)

Plonky3 20 31 0.593 0.04214 0.05521 0.02475

Baby Bear 24 31 0.866 0.6071 0.7995 0.03566
Poseidon 28 31 1.200 10.26 15.17 0.04850

Plonky3 20 31 0.842 0.0385 0.05559 0.01306

Baby Bear 24 31 1.200 0.4633 0.8384 0.01862
Keccak-256 28 31 1.700 8.606 15.67 0.02481

[DP23, Cons. 3.11] 20 1 0.183 0.0009150 0.001191 0.005620

8 0.205 0.003452 0.001584 0.003842
32 0.281 0.007446 0.002126 0.003653
24 1 0.725 0.003712 0.008356 0.01272
8 0.746 0.04027 0.01007 0.008109
32 1.010 0.1596 0.03096 0.009585
28 1 2.849 0.09003 0.2212 0.04136
8 3.870 0.8228 0.2604 0.02645
32 3.884 3.327 0.8555 0.02902

Construction 6.1 20 1 0.510 0.001172 0.006706 0.004194

8 0.729 0.005159 0.02021 0.005891
32 0.898 0.01718 0.05467 0.007490
24 1 0.813 0.008364 0.02688 0.006973
8 1.085 0.07555 0.2201 0.009278
32 1.288 0.3341 0.6982 0.01123
28 1 1.186 0.1528 0.3303 0.01059
8 1.509 1.426 3.210 13.53
32 1.748 6.029 10.29 15.82

Table 3: Multithreaded benchmarks.

References
[BBHR18] Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, and Michael Riabzev. “Fast Reed–Solomon Inter-
active Oracle Proofs of Proximity”. In: International Colloquium on Automata, Languages, and
Programming. Ed. by Ioannis Chatzigiannakis, Christos Kaklamanis, Dániel Marx, and Don-
ald Sannella. Vol. 107. Leibniz International Proceedings in Informatics. Dagstuhl, Germany:
Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, 2018, 14:1–14:17.
[BCS16] Eli Ben-Sasson, Alessandro Chiesa, and Nicholas Spooner. “Interactive Oracle Proofs”. In: Inter-
national Conference on Theory of Cryptography. Vol. 9986. Berlin, Heidelberg: Springer-Verlag,
2016, pp. 31–60. isbn: 978-3-662-53644-5. doi: 10.1007/978-3-662-53644-5_2.

37
[Ben+23] Eli Ben-Sasson, Dan Carmon, Yuval Ishai, Swastik Kopparty, and Shubhangi Saraf. “Proximity
Gaps for Reed–Solomon Codes”. In: Journal of the ACM 70.5 (Oct. 2023). doi: 10 . 1145 /
3614423.
[Ber15] Elwyn Berlekamp. Algebraic Coding Theory. Revised Edition. World Scientific Publishing, 2015.
[CBBZ23] Binyi Chen, Benedikt Bünz, Dan Boneh, and Zhenfei Zhang. “HyperPlonk: Plonk with Linear-
Time Prover and High-Degree Custom Gates”. In: Advances in Cryptology – EUROCRYPT
2023. Ed. by Carmit Hazay and Martijn Stam. Vol. 14005. Lecture Notes in Computer Science.
Cham: Springer Nature Switzerland, 2023.
[DG24] Benjamin E. Diamond and Angus Gruen. Proximity Gaps in Interleaved Codes. Cryptology
ePrint Archive, Paper 2024/1351. 2024. url: https://eprint.iacr.org/2024/1351.
[DP23] Benjamin E. Diamond and Jim Posen. Succinct Arguments over Towers of Binary Fields. Cryp-
tology ePrint Archive, Paper 2023/1784. 2023. url: https://eprint.iacr.org/2023/1784.
[DP24] Benjamin E. Diamond and Jim Posen. “Proximity Testing with Logarithmic Randomness”. In:
IACR Communications in Cryptology 1.1 (Apr. 9, 2024). issn: 3006-5496. doi: 10 . 62056 /
aksdkp10.
[FP97] John L. Fan and Christof Paar. “On efficient inversion in tower fields of characteristic two”. In:
Proceedings of IEEE International Symposium on Information Theory. 1997.
[GG13] Joachim von zur Gathen and Jürgen Gerhard. Modern Computer Algebra. 3rd Edition. Cam-
bridge University Press, 2013.
[Gru24] Angus Gruen. Some Improvements for the PIOP for ZeroCheck. Cryptology ePrint Archive,
Paper 2024/108. 2024. url: https://eprint.iacr.org/2024/108.
[Gur06] Venkatesan Guruswami. Algorithmic Results in List Decoding. Vol. 2. Foundations and Trends
in Theoretical Computer Science 2. now publishers, 2006.
[Hab22] Ulrich Haböck. A summary on the FRI low degree test. Cryptology ePrint Archive, Paper
2022/1216. 2022. url: https://eprint.iacr.org/2022/1216.
[Lan02] Serge Lang. Algebra. Revised Third Edition. Vol. 211. Graduate Texts in Mathematics. Springer,
2002.
[LCH14] Sian-Jheng Lin, Wei-Ho Chung, and Yunghsiang S. Han. “Novel Polynomial Basis and Its Ap-
plication to Reed–Solomon Erasure Codes”. In: IEEE 55th Annual Symposium on Foundations
of Computer Science. 2014, pp. 316–325. doi: 10.1109/FOCS.2014.41.
[Li+18] Wen-Ding Li, Ming-Shing Chen, Po-Chun Kuo, Chen-Mou Cheng, and Bo-Yin Yang. “Frobenius
Additive Fast Fourier Transform”. In: ACM International Symposium on Symbolic and Algebraic
Computation. 2018. isbn: 9781450355506. doi: 10.1145/3208976.3208998.
[RR24] Noga Ron-Zewi and Ron Rothblum. “Local Proofs Approaching the Witness Length”. In: Jour-
nal of the ACM 71.3 (June 2024). doi: 10.1145/3661483. url: https://doi.org/10.1145/
3661483.
[Set20] Srinath Setty. “Spartan: Efficient and General-Purpose zkSNARKs Without Trusted Setup”. In:
Advances in Cryptology – CRYPTO 2020. Ed. by Daniele Micciancio and Thomas Ristenpart.
Cham: Springer International Publishing, 2020, pp. 704–737. isbn: 978-3-030-56877-1. doi: 10.
1007/978-3-030-56877-1_25.
[Tha22] Justin Thaler. Proofs, Arguments and Zero-Knowledge. Vol. 4. Foundations and Trends in Pri-
vacy and Security 2–4. now publishers, 2022.
[Wie88] Doug Wiedemann. “An Iterated Quadratic Extension of GF (2)”. In: The Fibonacci Quarterly
26.4 (1988), pp. 290–295.
[ZCF23] Hadas Zeilberger, Binyi Chen, and Ben Fisch. BaseFold: Efficient Field-Agnostic Polynomial
Commitment Schemes from Foldable Codes. Cryptology ePrint Archive, Paper 2023/1705. 2023.
url: https://eprint.iacr.org/2023/1705.

38