- Topic
46k Popularity
21k Popularity
15k Popularity
12k Popularity
76k Popularity
- Pin
- 🎉 The #CandyDrop Futures Challenge# is live — join now to share a 6 BTC prize pool!
📢 Post your futures trading experience on Gate Square with the event hashtag — $25 × 20 rewards are waiting!
🎁 $500 in futures trial vouchers up for grabs — 20 standout posts will win!
📅 Event Period: August 1, 2025, 15:00 – August 15, 2025, 19:00 (UTC+8)
👉 Event Link: https://www.gate.com/candy-drop/detail/BTC-98
Dare to trade. Dare to win. - 📢 Gate Square Exclusive: #WXTM Creative Contest# Is Now Live!
Celebrate CandyDrop Round 59 featuring MinoTari (WXTM) — compete for a 70,000 WXTM prize pool!
🎯 About MinoTari (WXTM)
Tari is a Rust-based blockchain protocol centered around digital assets.
It empowers creators to build new types of digital experiences and narratives.
With Tari, digitally scarce assets—like collectibles or in-game items—unlock new business opportunities for creators.
🎨 Event Period:
Aug 7, 2025, 09:00 – Aug 12, 2025, 16:00 (UTC)
📌 How to Participate:
Post original content on Gate Square related to WXTM or its - 🎉 Attention Alpha fans! Alpha’s latest TAG airdrop goes live today at 10 AM—first come, first served!
💰 Don’t forget to share your airdrop or points screenshot on Gate Square with the hashtag #ShowMyAlphaPoints# for a chance to win a share of the $200 token mystery box!
🥇 Top points winner: $100
✨ 5 outstanding posts: $20 each
📸 Pro tips:
Add a caption like “I earned ____ with Alpha. So worth it”
Share your points-earning tips or redemption experience for a better chance to win!
📅 Activity deadline: August 10, 18:00 UTC
Let’s go! See you tonight: https://www.gate.com/announcements/article - Hey Square fam! How many Alpha points have you racked up lately?
Did you get your airdrop? We’ve also got extra perks for you on Gate Square!
🎁 Show off your Alpha points gains, and you’ll get a shot at a $200U Mystery Box reward!
🥇 1 user with the highest points screenshot → $100U Mystery Box
✨ Top 5 sharers with quality posts → $20U Mystery Box each
📍【How to Join】
1️⃣ Make a post with the hashtag #ShowMyAlphaPoints#
2️⃣ Share a screenshot of your Alpha points, plus a one-liner: “I earned ____ with Gate Alpha. So worth it!”
👉 Bonus: Share your tips for earning points, redemption experienc - 🎉 The #CandyDrop Futures Challenge is live — join now to share a 6 BTC prize pool!
📢 Post your futures trading experience on Gate Square with the event hashtag — $25 × 20 rewards are waiting!
🎁 $500 in futures trial vouchers up for grabs — 20 standout posts will win!
📅 Event Period: August 1, 2025, 15:00 – August 15, 2025, 19:00 (UTC+8)
👉 Event Link: https://www.gate.com/candy-drop/detail/BTC-98
Dare to trade. Dare to win.
Binius STARKs: Innovations and Optimizations on Binary Fields
Analysis of the Principles of Binius STARKs and Considerations for Optimization
1 Introduction
One major reason for the inefficiency of STARKs is that most of the numerical values in actual programs are quite small, such as indices in for loops, boolean values, counters, etc. However, to ensure the security of proofs based on Merkle trees, when using Reed-Solomon encoding to expand the data, many additional redundant values will occupy the entire field, even if the original values themselves are very small. To address this issue, reducing the size of the field has become a key strategy.
As shown in Table 1, the bit width of the first generation STARKs is 252 bits, the second generation STARKs has a bit width of 64 bits, and the third generation STARKs has a bit width of 32 bits. However, the 32-bit bit width still has a large amount of wasted space. In comparison, the binary field allows for direct bit manipulation, resulting in compact and efficient encoding without any wasted space, namely the fourth generation STARKs.
Table 1: STARKs Derivative Path
| Generation | Bit Width | Representative System | |------|----------|----------| | Generation 1 | 252 bit | StarkWare STARKs | | 2nd Generation | 64 bit | Plonky2 | | 3rd Generation | 32 bit | BabyBear | | Generation 4 | 1 bit | Binius |
Compared to the finite fields discovered in recent years, such as Goldilocks, BabyBear, and Mersenne31, the study of binary fields can be traced back to the 1980s. Currently, binary fields are widely used in cryptography, with typical examples including:
Advanced Encryption Standard ( AES ), based on F28 field;
Galois Message Authentication Code ( GMAC ), based on F2128 field;
QR code, using Reed-Solomon encoding based on F28;
The original FRI and zk-STARK protocols, as well as the Grøstl hash function that made it to the finals of SHA-3, which is based on the F28 field, are a very suitable hash algorithm for recursion.
When using smaller fields, the field extension operation becomes increasingly important for ensuring security. The binary field used by Binius relies entirely on field extension to guarantee its security and practical usability. Most polynomials involved in Prover calculations do not need to enter the extension field and can operate only in the base field, achieving high efficiency in small fields. However, random point checks and FRI computations still need to delve into larger extension fields to ensure the required security.
When constructing a proof system based on binary fields, there are two practical problems: in STARKs, the size of the field used to calculate the trace representation must be larger than the degree of the polynomial; in STARKs, when committing to the Merkle tree, Reed-Solomon encoding must be performed, and the size of the field used must be larger than the size after encoding expansion.
Binius proposed an innovative solution that addresses both issues separately and achieves this by representing the same data in two different ways: first, using multivariate ( specifically multivariate ) polynomials instead of univariate polynomials, representing the entire computation trajectory through its values on "hypercubes" (; secondly, since each dimension of the hypercube has a length of 2, it cannot perform standard Reed-Solomon expansion like STARKs, but the hypercube can be viewed as a square ), on which Reed-Solomon expansion is based. This method greatly improves coding efficiency and computational performance while ensuring security.
2 Principle Analysis
The construction of most SNARKs systems currently usually includes the following two parts:
Information-Theoretic Polynomial Interactive Oracle Proof, PIOP(: PIOP serves as the core of the proof system, transforming the input computational relationships into verifiable polynomial equations. Different PIOP protocols allow the prover to gradually send polynomials through interaction with the verifier, enabling the verifier to validate the correctness of the computation by querying the evaluation results of a small number of polynomials. Existing PIOP protocols include: PLONK PIOP, Spartan PIOP, and HyperPlonk PIOP, each of which processes polynomial expressions differently, thus affecting the performance and efficiency of the entire SNARK system.
Polynomial Commitment Scheme ) Polynomial Commitment Scheme, PCS (: Polynomial commitment schemes are used to prove whether a polynomial equation generated by PIOP holds true. PCS is a cryptographic tool through which the prover can commit to a certain polynomial and later verify the evaluation result of that polynomial while hiding other information about the polynomial. Common polynomial commitment schemes include KZG, Bulletproofs, FRI ) Fast Reed-Solomon IOPP (, and Brakedown, among others. Different PCS have different performance, security, and applicable scenarios.
According to specific requirements, choose different PIOP and PCS, and combine with suitable finite fields or elliptic curves to construct proof systems with different attributes. For example:
• Halo2: Combined from PLONK PIOP and Bulletproofs PCS, based on the Pasta curve. When designing Halo2, the focus was on scalability and removing the trusted setup from the ZCash protocol.
• Plonky2: combines PLONK PIOP with FRI PCS and is based on the Goldilocks field. Plonky2 is designed for efficient recursion. When designing these systems, the chosen PIOP and PCS must match the finite field or elliptic curve used to ensure the correctness, performance, and security of the system. The choice of these combinations not only affects the proof size and verification efficiency of the SNARK but also determines whether the system can achieve transparency without a trusted setup and whether it can support extended features such as recursive proofs or aggregate proofs.
Binius: HyperPlonk PIOP + Brakedown PCS + binary fields. Specifically, Binius includes five key technologies to achieve its efficiency and security. First, the arithmetic based on tower binary fields )towers of binary fields( forms the foundation of its computation, allowing for simplified operations within the binary field. Second, Binius adapts HyperPlonk product and permutation checks in its interactive Oracle proof protocol )PIOP(, ensuring secure and efficient consistency checks between variables and their permutations. Third, the protocol introduces a new multilinear shift proof, optimizing the efficiency of verifying multilinear relationships over small fields. Fourth, Binius employs an improved Lasso lookup proof, providing flexibility and robust security for the lookup mechanism. Finally, the protocol utilizes a small field polynomial commitment scheme )Small-Field PCS(, enabling an efficient proof system over binary fields and reducing the overhead typically associated with large fields.
) 2.1 Finite Fields: Arithmetic Based on Towers of Binary Fields
Tower binary fields are key to achieving fast verifiable computation, mainly due to two aspects: efficient computation and efficient arithmetic. Binary fields essentially support highly efficient arithmetic operations, making them an ideal choice for cryptographic applications that are sensitive to performance. In addition, the structure of binary fields supports a simplified arithmetic process, meaning that operations performed over binary fields can be represented in a compact and easily verifiable algebraic form. These features, combined with the ability to fully leverage their hierarchical characteristics through tower structures, make binary fields particularly suitable for scalable proof systems such as Binius.
Among them, "canonical" refers to the unique and direct representation of an element in the binary field. For example, in the most basic binary field F2, any k-bit string can be directly mapped to a k-bit binary field element. This is different from prime fields, which cannot provide such a canonical representation within a given bit length. Although a 32-bit prime field can be contained within 32 bits, not every 32-bit string can uniquely correspond to a field element, whereas the binary field has the convenience of this one-to-one mapping. In the prime field Fp, common reduction methods include Barrett reduction, Montgomery reduction, and special reduction methods for specific finite fields such as Mersenne-31 or Goldilocks-64. In the binary field F2k, common reduction methods include special reduction ( as used in AES ), Montgomery reduction ### as used in POLYVAL (, and recursive reduction ) such as Tower (. The paper "Exploring the Design Space of Prime Field vs. Binary Field ECC-Hardware Implementations" points out that the binary field does not require carrying in addition and multiplication operations, and the squaring operation in the binary field is very efficient because it follows the simplification rule of )X + Y (2 = X2 + Y 2.
As shown in Figure 1, a 128-bit string: this string can be interpreted in multiple ways within the context of binary fields. It can be viewed as a unique element in a 128-bit binary field, or parsed as two 64-bit tower field elements, four 32-bit tower field elements, 16 8-bit tower field elements, or 128 F2 field elements. This flexibility of representation incurs no computational overhead; it is merely a typecast of the bit string )typecast(, which is a very interesting and useful property. At the same time, smaller field elements can be packed into larger field elements without additional computational overhead. The Binius protocol takes advantage of this feature to improve computational efficiency. Furthermore, the paper "On Efficient Inversion in Tower Fields of Characteristic Two" explores the computational complexity of multiplication, squaring, and inversion operations in n-bit tower binary fields ) decomposed into m-bit subfields (.
![Bitlayer Research: Analysis of Binius STARKs Principles and Optimization Thoughts])https://img-cdn.gateio.im/webp-social/moments-5775a629f494c4e01e2b74d864fa4100.webp(
Figure 1: Tower Binary Field
) 2.2 PIOP: Adapted HyperPlonk Product and Permutation Check ------ Applicable to binary fields
The PIOP design in the Binius protocol draws on HyperPlonk and employs a series of core checking mechanisms to verify the correctness of polynomials and multivariable sets. These core checks include:
GateCheck: Verify if the confidential witness ω and public input x satisfy the circuit operation relation C(x, ω)=0 to ensure the circuit operates correctly.
PermutationCheck: Verify whether the evaluation results of two multivariate polynomials f and g on the Boolean hypercube are a permutation relation f###x( = f)π(x)(, to ensure the consistency of the arrangement among polynomial variables.
LookupCheck: Verify whether the evaluation of the polynomial is in the given lookup table, that is, f(Bµ) ⊆ T)Bµ(, ensuring that certain values are within the specified range.
MultisetCheck: Check if two multivariable sets are equal, that is, {)x1,i,x2,(}i∈H={)y1,i,y2,(}i∈H, ensuring consistency among multiple sets.
ProductCheck: Check whether the evaluation of the rational polynomial on the Boolean hypercube is equal to a declared value ∏x∈Hµ f)x( = s, to ensure the correctness of the polynomial product.
ZeroCheck: Verifying whether a multivariable polynomial at any point on the Boolean hypercube is zero ∏x∈Hµ f)x( = 0, ∀x ∈ Bµ, to ensure the distribution of the polynomial's zeros.
SumCheck: Checking whether the sum of a multivariate polynomial equals the declared value ∑x∈Hµ f)x( = s. By transforming the evaluation problem of multivariate polynomials into that of univariate polynomial evaluation, it reduces the computational complexity for the verifier. Additionally, SumCheck allows for batching by introducing random numbers to construct linear combinations for batching multiple sum verification instances.
BatchCheck: Based on SumCheck, verify the correctness of multiple multivariate polynomial evaluations to improve protocol efficiency.
Although Binius and HyperPlonk have many similarities in protocol design, Binius has made improvements in the following three areas:
ProductCheck optimization: In HyperPlonk, ProductCheck requires that the denominator U is non-zero everywhere on the hypercube, and the product must equal a specific value; Binius simplifies this check by specializing that value to 1, thereby reducing computational complexity.
Handling of the Division by Zero Issue: HyperPlonk fails to adequately handle division by zero cases, leading to an inability to assert the non-zero issue of U on the hypercube; Binius correctly addresses this issue, allowing Binius's ProductCheck to continue processing even when the denominator is zero, enabling generalization to any product value.
Cross-column PermutationCheck: HyperPlonk does not have this feature; Binius supports PermutationCheck across multiple columns, allowing Binius to handle more complex polynomial permutation scenarios.
Therefore, Binius has improved the existing PIOPSumCheck mechanism, enhancing the flexibility and efficiency of the protocol, especially in providing stronger functional support when handling more complex multivariable polynomial verifications. These improvements not only address the limitations in HyperPlonk but also lay the foundation for future proof systems based on binary fields.
) 2.3 PIOP: New multilinear shift argument------Applicable