feat: rbrKnowledgeSoundness of BinaryBasefold & ring-switching by chung-thai-nguyen · Pull Request #296 · Verified-zkEVM/ArkLib

chung-thai-nguyen · 2026-01-25T08:42:48Z

[ ] incremental bad event analysis

github-actions · 2026-01-25T08:45:27Z

🤖 Gemini PR Summary

Establishes Round-by-Round (RBR) Knowledge Soundness for the Binary Basefold and Ring-Switching protocols, completing a core milestone in the formal verification of the Binius proof system. The proofs utilize an incremental bad event analysis to bound the probability of adversarial cheating across multiple protocol rounds.

Mathematical & Algebraic Foundations

Probabilistic Bounds: Formalizes the Schwartz-Zippel Lemma (univariate specializations), union bounds, and independent repetition theorems to calculate protocol soundness error.
Polynomial Identities: Introduces lemmas for iteratedQuotientMap and MvPolynomial degree bounds, establishing the congruence properties required for Basefold’s folding logic.
Incremental Analysis: Implements "bad event" tracking logic to accumulate failure probabilities across sequential protocol steps.

Binary Basefold Soundness

Extractor Implementation: Defines a multilinear polynomial extractor with post-decoding radius checks to ensure prover messages are bounded to valid codewords.
Folding Verification: Proves that folding a multilinear extension down to its final level results in a constant function, formally verifying Propositions 4.20 and 4.23 of the Binius design.
Protocol Composition: Establishes RBR soundness for individual components—Fold, Commit, Relay, and Final Sumcheck—before composing them into a unified protocol proof.

Ring-Switching & IOPCS Composition

Small-Field IOPCS: Instantiates an Interactive Oracle Proof Commitment Scheme (IOPCS) by composing Ring-Switching with Binary Basefold, providing a complete proof of perfect completeness and RBR knowledge soundness.
Strict Relations: Refactors protocol relations into "strict" forms to distinguish between requirements for perfect completeness and rigorous knowledge soundness.
Extraction Logic: Formalizes extraction for the Ring-Switching batching phase and associated sumcheck protocols.

Integration & Infrastructure

FRI-Binius Refinement: Integrates Basefold and Ring-Switching into the broader FRI-Binius framework, refactoring verifiers to use modular implementations from the BBFSmallFieldIOPCS namespace.
OracleReduction Enhancements: Adds "unroll" lemmas and probability simplification theorems to the OracleReduction library to streamline reasoning for multi-round protocols.
Simulation Lemmas: Extends ToVCVio with stateful loop simulation and bridge lemmas to align VCVio probability notations with ArkLib standards.

Analysis of Changes

Metric	Count
📝 Files Changed	29
✅ Lines Added	13361
❌ Lines Removed	1511

Lean Declarations

✏️ **Removed:** 26 declaration(s)

abbrev fullInputRelation in ArkLib/ProofSystem/Binius/RingSwitching/General.lean
abbrev fullOutputRelation in ArkLib/ProofSystem/Binius/RingSwitching/General.lean
lemma k_succ_mul_ϑ_le_ℓ {k : Fin (ℓ / ϑ)} : (k.val + 1) * ϑ ≤ ℓ in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
lemma lt_r_of_lt_ℓ {h_ℓ_add_R_rate : ℓ + 𝓡 < r} {x : ℕ} (h : x < ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
def strictFinalFoldingStateProp (t : MultilinearPoly L ℓ) {h_le : ϑ ≤ ℓ} in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
def extractSuffixFromChallenge (v : sDomain 𝔽q β h_ℓ_add_R_rate ⟨0, by omega⟩) in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
lemma oracleWitnessConsistency_relay_preserved in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
def oracleWitnessConsistency in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
lemma k_succ_mul_ϑ_le_ℓ_₂ {k : Fin (ℓ / ϑ)} : (k.val * ϑ + ϑ) ≤ ℓ in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
lemma k_mul_ϑ_lt_ℓ {k : Fin (ℓ / ϑ)} : in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
def NBlockMessages in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
def badEventExistsProp in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
def finalFoldingStateProp {h_le : ϑ ≤ ℓ} in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
def decomposeChallenge (v : sDomain 𝔽q β h_ℓ_add_R_rate ⟨0, by omega⟩) in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
abbrev MLPEvalStatement in ArkLib/ProofSystem/Binius/RingSwitching/Prelude.lean
def queryRbrKnowledgeError in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
def finalSumcheckRbrKnowledgeError : ℝ≥0 in ArkLib/ProofSystem/Binius/RingSwitching/SumcheckPhase.lean
def commitStepHEq (i : Fin ℓ) (hCR : isCommitmentRound ℓ ϑ i) : in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
lemma extractSuffixFromChallenge_congr_destIdx in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
def queryCodeword (j : Fin (toOutCodewordsCount ℓ ϑ (Fin.last ℓ))) in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
lemma lt_r_of_le_ℓ {h_ℓ_add_R_rate : ℓ + 𝓡 < r} {x : ℕ} (h : x ≤ ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
def getChallengeSuffix (k : Fin (ℓ / ϑ)) (v : sDomain 𝔽q β h_ℓ_add_R_rate ⟨0, by omega⟩) : in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
lemma polyToOracleFunc_eq_getFirstOracle in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
def commitStepEmbed (i : Fin ℓ) (hCR : isCommitmentRound ℓ ϑ i) : in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
def proximityChecksSpec (γ_challenges : in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
def challengeSuffixToFin (k : Fin (ℓ / ϑ)) in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean

✏️ **Added:** 255 declaration(s)

def projTranscriptChallengeInner {T C L : Type} : (T × C × L) → T × C in ArkLib/OracleReduction/Completeness.lean
lemma incrementalFoldingBadEvent_of_k_eq_0_is_false in ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean
def getChallengeSuffix (k : Fin (ℓ / ϑ)) (v : sDomain 𝔽q β h_ℓ_add_R_rate ⟨0, by omega⟩) : in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
def largeFieldInvocationStmtLens : OracleStatement.Lens in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
lemma qMap_total_fiber_congr_dest in ArkLib/ProofSystem/Binius/BinaryBasefold/Prelude.lean
lemma logical_consistency_checks_passed_of_mem_support_V_run {σ : Type} in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
lemma affineProximityGap_RS_interleaved_contrapositive in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma foldStep_oracleWitnessConsistency_unique_witMid (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
def nonLastSingleBlockFoldRelayRbrKnowledgeError (bIdx : Fin (ℓ / ϑ - 1)) in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
lemma folded_lifted_IC_eq_IC_row_polyToOracleFunc (i : Fin ℓ) (steps : ℕ) {destIdx : Fin r} in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma k_mul_ϑ_lt_ℓ {k : Fin (ℓ / ϑ)} : in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma support_simulateQ_bind_run_eq in ArkLib/ToVCVio/SimulationInfrastructure.lean
lemma fiberwiseDisagreementSet_congr_sourceDomain_index (sourceIdx₁ sourceIdx₂ : Fin r) {destIdx : Fin r} (steps : ℕ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean
theorem map_failure (f : α → β) (s : σ) : in ArkLib/ToVCVio/Lemmas.lean
def logical_checkSingleRepetition in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma getFiberPoint_eq_qMap_total_fiber in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma Polynomial.toMvPolynomial_ne_zero_iff (p : Polynomial R) (i : σ) : in ArkLib/ToMathlib/MvPolynomial/Equiv.lean
lemma fold_agreement_of_fiber_agreement (i : Fin ℓ) (steps : ℕ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma prop_4_20_bad_event_probability (i : Fin ℓ) (steps : ℕ) [NeZero steps] in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma logical_computeFoldedValue_eq_iterated_fold in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
theorem prob_pow_bound_of_forall in ArkLib/Data/Probability/Instances.lean
lemma challengeTensorExpansion_bitsOfIndex_is_eq_indicator {n : ℕ} (k : Fin (2 ^ n)) : in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma prop_4_20_2_case_1_fiberwise_close_incremental in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma logical_queryFiberPoints_eq_fiberEvaluations in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
theorem support_ite (p : Prop) [Decidable p] in ArkLib/ToVCVio/Lemmas.lean
instance instOracleInterfaceMessagePSpecFold : in ArkLib/ProofSystem/Binius/BinaryBasefold/Spec.lean
def extractMLP (i : Fin ℓ) (f : (sDomain 𝔽q β h_ℓ_add_R_rate) ⟨i, by omega⟩ → L) : in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
lemma Polynomial.toMvPolynomial_totalDegree_le [Nontrivial R] (p : Polynomial R) (i : σ) : in ArkLib/ToMathlib/MvPolynomial/Equiv.lean
theorem probEvent_proj_transcript_challenge in ArkLib/OracleReduction/Completeness.lean
def bbfAbstractOStmtIn : AbstractOStmtIn L ℓ' where in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
def getLiftCoeffs (i : Fin ℓ) (steps : ℕ) {destIdx : Fin r} in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
def batchingCoreRbrKnowledgeError in ArkLib/ProofSystem/Binius/FRIBinius/General.lean
theorem support_map_const_pure {γ : Type u} (result : β) (x : γ) (s : σ) : in ArkLib/ToVCVio/Lemmas.lean
def batchingMismatchPoly (msg0 s_bar : TensorAlgebra K L) : MvPolynomial (Fin κ) L in ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean
theorem probEvent_StateT_run_ignore_state {α : Type} in ArkLib/OracleReduction/Completeness.lean
def logical_proximityChecksSpec in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma extractSuffixFromChallenge_congr_destIdx in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma iterated_fold_to_level_ℓ_eval in ArkLib/ProofSystem/Binius/BinaryBasefold/Prelude.lean
theorem probEvent_simulateQ_run_ignore_state {α : Type} in ArkLib/OracleReduction/Completeness.lean
lemma foldingBadEventAtBlock_snoc_castSucc_eq (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
theorem probEvent_soundness_goal_unroll_log' in ArkLib/OracleReduction/Completeness.lean
lemma firstOracleWitnessConsistency_unique in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
lemma prop_4_20_2_case_2_fiberwise_far_incremental in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
def MLPEvalWitness_to_BBF_Witness (stmt : MLPEvalStatement (L in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
lemma finalSumcheckStep_is_logic_complete : in ArkLib/ProofSystem/Binius/FRIBinius/CoreInteractionPhase.lean
lemma fixFirstVariablesOfMQP_zero_eq in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
lemma fiberwiseClose_congr_sourceDomain_index (sourceIdx₁ sourceIdx₂ : Fin r) {destIdx : Fin r} (steps : ℕ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean
lemma pair_fiberwiseDistance_steps_zero_eq_hammingDist in ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean
def foldCommitKnowledgeError (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
lemma batching_pack_unpack_id (t' : MultilinearPoly L ℓ') : in ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean
lemma lt_r_of_le_ℓ {h_ℓ_add_R_rate : ℓ + 𝓡 < r} {x : ℕ} (h : x ≤ ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
def projTranscriptChallenge {T C L S : Type} : ((T × C × L) × S) → T × C in ArkLib/OracleReduction/Completeness.lean
lemma highestBadBlock_is_bad in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
def badBlockProp in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma fold_preTensorCombine_eq_affineLineEvaluation_split in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
def foldWitMid (i : Fin ℓ) : Fin (2 + 1) → Type in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
def AbstractOStmtIn.toStrictRelInput (aOStmtIn : AbstractOStmtIn L ℓ') : in ArkLib/ProofSystem/Binius/RingSwitching/Prelude.lean
lemma exists_path_of_mem_support_forIn_unit {σ α : Type} [spec.FiniteRange] in ArkLib/ToVCVio/SimulationInfrastructure.lean
lemma foldStep_rbrExtractionFailureEvent_imply_sumcheck_or_badEvent (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
lemma incrementalBadEventExistsProp_relay_preserved (i : Fin ℓ) (hNCR : ¬ isCommitmentRound ℓ ϑ i) in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
lemma ENNReal.coe_div_of_NNReal {a b : NNReal} : in ArkLib/Data/Nat/Bitwise.lean
theorem map_pure (f : α → β) (a : α) (s : σ) : in ArkLib/ToVCVio/Lemmas.lean
lemma mem_support_stateful_guard_iff {σ : Type} {p : Prop} [Decidable p] in ArkLib/ToVCVio/SimulationInfrastructure.lean
theorem support_map_pure (f : α → β) (a : α) (s : σ) : in ArkLib/ToVCVio/Lemmas.lean
def logical_queryFiberPoints in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma k_succ_mul_ϑ_le_ℓ {k : Fin (ℓ / ϑ)} : (k.val + 1) * ϑ ≤ ℓ in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma prop_4_20_2_incremental_bad_event_probability in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
def masterStrictKStateProp (aOStmtIn : AbstractOStmtIn L ℓ') (stmtIdx : Fin (ℓ' + 1)) in ArkLib/ProofSystem/Binius/RingSwitching/Prelude.lean
instance instOracleInterfaceMessagePSpecSumcheckRound : in ArkLib/ProofSystem/Binius/RingSwitching/Spec.lean
lemma preTensorCombine_of_lift_interleavedCodeword_eq_self (i : Fin ℓ) (steps : ℕ) {destIdx : Fin r} in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma polyToOracleFunc_eq_getFirstOracle in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
def nonLastSingleBlockCommitIdx (bIdx : Fin (ℓ / ϑ - 1)) : Fin ℓ in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
lemma map_pure (f : α → β) (a : α) : in ArkLib/ToVCVio/SimulationInfrastructure.lean
lemma incrementalBadEventExistsProp_fold_step_backward (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
lemma extractMLP_some_of_isCompliant_at_zero in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
instance largeFieldInvocationExtractorLens_rbr_knowledge_soundness in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
lemma oracleFoldingConsistencyProp_commit_step_backward (i : Fin ℓ) (hCR : isCommitmentRound ℓ ϑ i) in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
theorem probOutput_uniformOfFintype_eq_Pr in ArkLib/OracleReduction/Completeness.lean
def largeFieldInvocationOracleReduction : in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
lemma batching_rbrExtractionFailureEvent_imply_badBatchingEvent in ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean
lemma extractMLP_some_of_oracleFoldingConsistency in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
theorem prob_pow_of_forall_finFun in ArkLib/Data/Probability/Instances.lean
def incrementalFoldingBadEvent in ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean
def finalSumcheckVerifierCheck in ArkLib/ProofSystem/Binius/FRIBinius/CoreInteractionPhase.lean
lemma foldCommitKnowledgeError_eq (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
lemma fun_eta_expansion_apply {α β : Type*} (f : α → β) (x : α) : (f x) = (fun x => f x) x in ArkLib/Data/Misc/Basic.lean
lemma mem_support_StateT_bind_run {σ α β : Type} in ArkLib/ToVCVio/SimulationInfrastructure.lean
theorem map_ite [Monad m] (f : α → β) (p : Prop) [Decidable p] in ArkLib/ToVCVio/Lemmas.lean
lemma oracleFoldingConsistencyProp_relay_preserved (i : Fin ℓ) (hNCR : ¬ isCommitmentRound ℓ ϑ i) in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
def nonLastSingleBlockRbrKnowledgeError (bIdx : Fin (ℓ / ϑ - 1)) in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
theorem probEvent_runWithLogToRound_ignore_log in ArkLib/OracleReduction/Completeness.lean
lemma extracted_t_poly_eval_eq_final_constant in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
def largeFieldInvocationCtxLens : OracleContext.Lens in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
def foldStepFreshDoomPreservationEvent (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
def strictBatchingInputRelation : in ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean
theorem nonLastSingleBlockOracleVerifier_rbrKnowledgeSoundness in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
lemma AbstractOStmtIn.toStrictRelInput_subset_toRelInput (aOStmtIn : AbstractOStmtIn L ℓ') : in ArkLib/ProofSystem/Binius/RingSwitching/Prelude.lean
def finalSumcheckStepLogic : in ArkLib/ProofSystem/Binius/FRIBinius/CoreInteractionPhase.lean
def finalSumcheckProverComputeMsg in ArkLib/ProofSystem/Binius/FRIBinius/CoreInteractionPhase.lean
theorem tsum_uniform_Pr_eq_Pr in ArkLib/OracleReduction/Completeness.lean
lemma mapOStmtOut_eq_mkVerifierOStmtOut_relayStep in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
theorem probOutput_eq_PMF_apply in ArkLib/OracleReduction/Completeness.lean
lemma firstOracleWitnessConsistencyProp_unique (t₁ t₂ : MultilinearPoly L ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
def logical_stepCondition (oStmt : ∀ j, OracleStatement 𝔽q β (h_ℓ_add_R_rate in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma tsum_mul_le_of_le_of_sum_le_one_nnreal {α : Type*} in ArkLib/OracleReduction/Completeness.lean
theorem Pr_or_le {α : Type} (D : PMF α) in ArkLib/Data/Probability/Instances.lean
lemma iteratedSumcheck_rbrExtractionFailureEvent_imply_badSumcheck (i : Fin ℓ') in ArkLib/ProofSystem/Binius/RingSwitching/SumcheckPhase.lean
theorem bbf_fullOracleVerifier_rbrKnowledgeSoundness : in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
def foldRelayKnowledgeError (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
lemma iterated_fold_to_const_strict in ArkLib/ProofSystem/Binius/FRIBinius/CoreInteractionPhase.lean
lemma fiberwise_disagreement_isomorphism (i : Fin ℓ) (steps : ℕ) {destIdx : Fin r} in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma finalSumcheckStep_verifierCheck_passed in ArkLib/ProofSystem/Binius/FRIBinius/CoreInteractionPhase.lean
instance instFiniteRange_Empty_append_pSpecBatchingChallenge : in ArkLib/ProofSystem/Binius/RingSwitching/Spec.lean
def badSumcheckEventProp (r_i' : L) (h_i h_star : L⦃≤ 2⦄[X]) in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
lemma qMap_total_fiber_congr_source in ArkLib/ProofSystem/Binius/BinaryBasefold/Prelude.lean
lemma batching_doom_escape_probability_bound in ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean
lemma probEvent_bind_factor {α β : Type} in ArkLib/ToVCVio/SimulationInfrastructure.lean
def finalSumcheckStepOracleConsistencyProp {h_le : ϑ ≤ ℓ} in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
def finalSumcheckStepFoldingStateProp {h_le : ϑ ≤ ℓ} in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
lemma lemma_4_24_dist_folded_ge_of_last_noncompliant (i_star : Fin ℓ) (steps : ℕ) [NeZero steps] in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
theorem fullOracleVerifier_rbrKnowledgeSoundness : in ArkLib/ProofSystem/Binius/FRIBinius/General.lean
theorem largeFieldInvocationOracleReduction_perfectCompleteness (hInit : init.neverFails) : in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
def largeFieldInvocationExtractorLens : Extractor.Lens in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
lemma probEvent_StateT_run'_factor {σ α : Type} (init : ProbComp σ) in ArkLib/ToVCVio/SimulationInfrastructure.lean
def queryCodeword (j : Fin (toOutCodewordsCount ℓ ϑ (Fin.last ℓ))) in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma fiberwiseClose_steps_zero_iff_UDRClose in ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean
lemma badEventExistsProp_iff_incrementalBadEventExistsProp_last in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
lemma iteratedQuotientMap_succ_comp in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma prob_uniform_suffix_mem in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma sumcheckConsistency_at_last_simplifies in ArkLib/ProofSystem/Binius/FRIBinius/CoreInteractionPhase.lean
def getLiftPoly (i : Fin ℓ) (steps : ℕ) {destIdx : Fin r} in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma batchingMismatchPoly_nonzero_of_embed_ne in ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean
lemma projectToMidSumcheckPoly_at_last_eq in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
lemma foldStep_doom_escape_probability_bound (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
theorem probEvent_PMF_eq_Pr {α : Type} (pmf : PMF α) (P : α → Prop) [DecidablePred P] : in ArkLib/OracleReduction/Completeness.lean
lemma strictBatchingInputRelation_subset_batchingInputRelation : in ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean
lemma incrementalFoldingBadEvent_eq_foldingBadEvent_of_k_eq_ϑ in ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean
theorem probOutput_uniform_eq_Pr in ArkLib/OracleReduction/Completeness.lean
def badBatchingEventProp (y : Fin κ → L) (msg0 s_bar : TensorAlgebra K L) : Prop in ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean
def foldStepWitBeforeFromWitMid (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
lemma distFromCode_fin1_eq [DecidableEq (Fin 1 → A)] (u : ι → Fin 1 → A) (C : Set (ι → A)) : in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
theorem prop_4_23_singleRepetition_proximityCheck_bound in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
lemma UDRClose_of_fin_eq {i j : Fin r} (hij : i = j) in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
def foldStepHStarFromWitMid (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
lemma prob_poly_agreement_degree_one {R : Type} [CommRing R] [IsDomain R] [Fintype R] in ArkLib/Data/Probability/Instances.lean
lemma batching_compute_s0_sub_eq_eval_mismatch in ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean
lemma finalCodeword_zero_eq_t_eval in ArkLib/ProofSystem/Binius/FRIBinius/CoreInteractionPhase.lean
lemma logical_checkSingleRepetition_of_mem_support_forIn_body {σ : Type} in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
lemma foldRelayKnowledgeError_eq (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
lemma goodBlock_implies_UDRClose in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
theorem qMap_total_fiber_injective (i : Fin r) {destIdx : Fin r} (steps : ℕ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Prelude.lean
lemma lt_r_of_lt_ℓ {h_ℓ_add_R_rate : ℓ + 𝓡 < r} {x : ℕ} (h : x < ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma support_guard_bind {ι : Type} {spec : OracleSpec ι} [spec.FiniteRange] in ArkLib/ToVCVio/SimulationInfrastructure.lean
lemma fiberwiseDisagreementSet_steps_zero_eq_disagreementSet in ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean
def finalSumcheckVerifierStmtOut in ArkLib/ProofSystem/Binius/FRIBinius/CoreInteractionPhase.lean
def rbrExtractionFailureEvent {ι : Type} {oSpec : OracleSpec ι} {StmtIn WitIn WitOut : Type} {n : ℕ} in ArkLib/ProofSystem/Binius/BinaryBasefold/ReductionLogic.lean
lemma iteratedQuotientMap_congr_k in ArkLib/Data/FieldTheory/AdditiveNTT/AdditiveNTT.lean
lemma hammingDist_fin1_eq [DecidableEq (Fin 1 → A)] {u v : ι → Fin 1 → A} : in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma sumcheckConsistency_MLPEvalWitness_to_BBF_Witness_of_eval in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
def finalSumcheckKnowledgeError (m : pSpecFinalSumcheckStep (L in ArkLib/ProofSystem/Binius/RingSwitching/SumcheckPhase.lean
lemma extractMLP_eq_some_iff_pair_UDRClose (f : (sDomain 𝔽q β h_ℓ_add_R_rate) ⟨0, by omega⟩ → L) in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
lemma k_succ_mul_ϑ_le_ℓ_₂ {k : Fin (ℓ / ϑ)} : (k.val * ϑ + ϑ) ≤ ℓ in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma fold_eq_multilinearCombine_preTensorCombine_step1 in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
def queryRbrKnowledgeError_singleRepetition in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
theorem soundness_unroll_runToRound_2_pSpec_2 in ArkLib/OracleReduction/Completeness.lean
lemma foldStepHStarFromWitMid_eq_of_oracleWitnessConsistency (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
lemma multilinearWeight_bitsOfIndex_eq_indicator {n : ℕ} (j k : Fin (2 ^ n)) : in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma foldStepWitMidOracleConsistency_unique (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
def strictSumcheckRoundRelationProp (aOStmtIn : AbstractOStmtIn L ℓ') (i : Fin (ℓ' + 1)) in ArkLib/ProofSystem/Binius/RingSwitching/Prelude.lean
theorem prop_4_23_singleRepetition_proximityCheck_bound in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma iteratedSumcheck_doom_escape_probability_bound (i : Fin ℓ') in ArkLib/ProofSystem/Binius/RingSwitching/SumcheckPhase.lean
lemma multilinearCombine_recursive_form_first {ϑ : ℕ} in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
def lastBlockRbrKnowledgeError (k : (pSpecLastBlock (L in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
lemma witnessStructuralInvariant_MLPEvalWitness_to_BBF_Witness in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
theorem soundness_unroll_runToRound_0_pSpec_1_V_to_P in ArkLib/OracleReduction/Completeness.lean
lemma exists_rel_path_of_mem_support_forIn_stateful {ι : Type} {spec : OracleSpec ι} [spec.FiniteRange] in ArkLib/ToVCVio/SimulationInfrastructure.lean
lemma prop_4_20_case_2_fiberwise_far (i : Fin ℓ) (steps : ℕ) [NeZero steps] in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
theorem probEvent_soundness_goal_unroll_log in ArkLib/OracleReduction/Completeness.lean
theorem soundness_unroll_runToRound_1_V_to_P_pSpec_2 in ArkLib/OracleReduction/Completeness.lean
def foldStepWitMidOracleConsistency (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
lemma fiberwiseClose_implies_jointProximityNat (i : Fin ℓ) (steps : ℕ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma batching_compute_eq_from_hafter in ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean
def fiberDiff (i : Fin ℓ) (steps : ℕ) {destIdx : Fin r} in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma not_jointProximityNat_of_not_jointProximityNat_split in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma probability_bound_badBatchingEventProp in ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean
lemma finalSumcheck_honest_message_eq_f_zero in ArkLib/ProofSystem/Binius/FRIBinius/CoreInteractionPhase.lean
def logical_checkSingleFoldingStep in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma lemma_4_21_interleaved_word_UDR_far (i : Fin ℓ) (steps : ℕ) [NeZero steps] in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
def preTensorCombine_WordStack (i : Fin ℓ) (steps : ℕ) {destIdx : Fin r} in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
def finalSumcheckProverWitOut : Unit in ArkLib/ProofSystem/Binius/FRIBinius/CoreInteractionPhase.lean
def foldKStateProps {i : Fin ℓ} (m : Fin (2 + 1)) in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
lemma preTensorCombine_row_eq_fold_with_binary_row_challenges in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma map_failure (f : α → β) : in ArkLib/ToVCVio/SimulationInfrastructure.lean
theorem soundness_unroll_runToRound_1_P_to_V_pSpec_2 in ArkLib/OracleReduction/Completeness.lean
lemma roundRelation.of_fin_eq {i j : Fin (ℓ + 1)} (h : i = j) : in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
def strictfinalSumcheckStepFoldingStateProp (t : MultilinearPoly L ℓ) {h_le : ϑ ≤ ℓ} in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
lemma simulateQ_forIn_stateful_comp {ι : Type} {spec : OracleSpec ι} in ArkLib/ToVCVio/SimulationInfrastructure.lean
lemma qMap_total_fiber_congr_source_apply in ArkLib/ProofSystem/Binius/BinaryBasefold/Prelude.lean
def badBlockSet in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma fiberwiseClose_fold_implies_affineLineEval_close in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
def extractSuffixFromChallenge (v : sDomain 𝔽q β h_ℓ_add_R_rate ⟨0, by omega⟩) in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma map_eval_sumToIter_rename_finSum_zero in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
theorem unroll_rbrKnowledgeSoundness in ArkLib/OracleReduction/Completeness.lean
def queryRbrKnowledgeError in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma disagreement_fold_subset_fiberwiseDisagreement (i : Fin ℓ) (steps : ℕ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma preTensorCombine_is_interleavedCodeword_of_codeword (i : Fin ℓ) (steps : ℕ) {destIdx : Fin r} in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
def splitEvenOddRowWiseInterleavedWords {ϑ : ℕ} in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
theorem nonLastBlocksOracleVerifier_rbrKnowledgeSoundness : in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
lemma batching_compute_s0_eq_eval_MLE in ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean
lemma simulateQ_forIn_stateful_run_eq {ι : Type} {spec : OracleSpec ι} in ArkLib/ToVCVio/SimulationInfrastructure.lean
lemma prob_poly_agreement_degree_two {R : Type} [CommRing R] [IsDomain R] [Fintype R] in ArkLib/Data/Probability/Instances.lean
lemma strictSumcheckRoundRelation_subset_sumcheckRoundRelation (aOStmtIn : AbstractOStmtIn L ℓ') in ArkLib/ProofSystem/Binius/RingSwitching/Prelude.lean
lemma mem_support_pure_stateT_run {ι σ α : Type} {spec : OracleSpec ι} (x : α) (s s' : σ) (y : α) : in ArkLib/ToVCVio/Lemmas.lean
def getRowPoly (i : Fin ℓ) (steps : ℕ) {destIdx : Fin r} in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma iterated_fold_first (i : Fin r) {midIdx destIdx : Fin r} (steps : ℕ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Prelude.lean
lemma mem_support_pure_state {ι σ α : Type} {spec : OracleSpec ι} (x : α) (s s' : σ) (y : α) : in ArkLib/ToVCVio/Lemmas.lean
lemma batchingMismatchPoly_totalDegree_le in ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean
def iteratedSumcheckWitMid (i : Fin ℓ') : Fin (2 + 1) → Type in ArkLib/ProofSystem/Binius/RingSwitching/SumcheckPhase.lean
lemma probEvent_StateT_run'_pure {σ α : Type} in ArkLib/ToVCVio/SimulationInfrastructure.lean
theorem singleRepetition_proximityCheck_bound in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
theorem probEvent_StateT_run'_eq_tsum in ArkLib/OracleReduction/Completeness.lean
lemma probability_bound_badSumcheckEventProp (h_i h_star : L⦃≤ 2⦄[X]) : in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma not_badBlock_of_lt_highest in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
def strictSumcheckRoundRelation (aOStmtIn : AbstractOStmtIn L ℓ') (i : Fin (ℓ' + 1)) : in ArkLib/ProofSystem/Binius/RingSwitching/Prelude.lean
def logical_computeFoldedValue in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
theorem support_map_failure (f : α → β) (s : σ) : in ArkLib/ToVCVio/Lemmas.lean
def blockBadEventExistsProp in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
theorem lemma_4_25_reject_if_suffix_in_disagreement in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma firstOracleWitnessConsistency_unique (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
def decomposeChallenge (v : sDomain 𝔽q β h_ℓ_add_R_rate ⟨0, by omega⟩) in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma prob_schwartz_zippel_univariate_deg {R : Type} [CommRing R] [IsDomain R] [Fintype R] in ArkLib/Data/Probability/Instances.lean
def checkSingleRepetition_foldRel in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean
theorem map_const_pure {γ : Type u} (result : β) (x : γ) (s : σ) : in ArkLib/ToVCVio/Lemmas.lean
lemma incrementalBadEventExistsProp_commit_step_backward (i : Fin ℓ) (hCR : isCommitmentRound ℓ ϑ i) in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
theorem sumcheckLoopOracleVerifier_rbrKnowledgeSoundness : in ArkLib/ProofSystem/Binius/RingSwitching/SumcheckPhase.lean
def challengeSuffixToFin (k : Fin (ℓ / ϑ)) in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma MLPEvalRelation_of_round0_local_and_structural in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
theorem QueryImpl_append_impl_inr_stateful in ArkLib/OracleReduction/Completeness.lean
def strictBatchingInputRelationProp (stmt : BatchingStmtIn L ℓ) in ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean
theorem QueryImpl_append_impl_inr_stateful_run' in ArkLib/OracleReduction/Completeness.lean
theorem rbrKnowledgeSoundness_of_eq_error in ArkLib/OracleReduction/Security/RoundByRound.lean
lemma prop_4_20_case_1_fiberwise_close (i : Fin ℓ) (steps : ℕ) [NeZero steps] in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
theorem lastBlockOracleVerifier_rbrKnowledgeSoundness : in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
def incrementalBadEventExistsProp in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
instance largeFieldInvocationCtxLens_complete : in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
def reducedMLPEvalStatement_to_BBF_Statement (stmt : MLPEvalStatement (L in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
theorem FullTranscript.mk1_eq_snoc {pSpec : ProtocolSpec 1} (msg0 : pSpec.«Type» 0) : in ArkLib/OracleReduction/Basic.lean
def nonLastBlocksRbrKnowledgeError in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
lemma not_jointProximityNat_of_not_jointProximityNat_evenOdd_split in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
theorem bbf_fullOracleReduction_perfectCompleteness (hInit : init.neverFails) : in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean
lemma ENNReal.tsum_mul_le_of_le_of_sum_le_one {α : Type*} {f g : α → ℝ≥0∞} {ε : ℝ≥0∞} in ArkLib/OracleReduction/Completeness.lean
def fullRbrKnowledgeError in ArkLib/ProofSystem/Binius/FRIBinius/General.lean
abbrev nBlocks : ℕ in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma batchingMismatchPoly_nonzero_of_ne in ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean
def bbfMLIOPCS : MLIOPCS L ℓ' where in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean

✏️ **Affected:** 20 declaration(s) (line number changed)

theorem iteratedSumcheckOracleReduction_perfectCompleteness in ArkLib/ProofSystem/Binius/RingSwitching/SumcheckPhase.lean moved from L325 to L330
def UDRClose (i : Fin r) (h_i : i ≤ ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean moved from L169 to L216
def pSpecFinalSumcheck in ArkLib/ProofSystem/Binius/RingSwitching/Spec.lean moved from L43 to L46
def BinaryBasefoldAbstractOStmtIn : (RingSwitching.AbstractOStmtIn (L in ArkLib/ProofSystem/Binius/FRIBinius/Prelude.lean moved from L51 to L53
def queryKStateProp (m : Fin (1 + 1)) in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean moved from L1745 to L1921
def finalSumcheckKStateProp {m : Fin (1 + 1)} (tr : Transcript m (pSpecFinalSumcheckStep (L in ArkLib/ProofSystem/Binius/RingSwitching/SumcheckPhase.lean moved from L1159 to L1485
def disagreementSet (i : Fin r) in ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean moved from L120 to L120
lemma checkSingleRepetition_probFailure_eq_zero in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean moved from L1205 to L894
def pair_fiberwiseClose (i : Fin r) {destIdx : Fin r} (steps : ℕ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean moved from L162 to L208
instance sumcheckFoldExtractorLens_rbr_knowledge_soundness in ArkLib/ProofSystem/Binius/FRIBinius/CoreInteractionPhase.lean moved from L268 to L313
def fiberwiseClose (i : Fin r) {destIdx : Fin r} (steps : ℕ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean moved from L155 to L201
def batchingRBRKnowledgeError : ℝ≥0 in ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean moved from L408 to L432
def fiberwiseDistance (i : Fin r) {destIdx : Fin r} (steps : ℕ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean moved from L142 to L187
theorem finalSumcheckOracleVerifier_rbrKnowledgeSoundness {σ : Type} in ArkLib/ProofSystem/Binius/RingSwitching/SumcheckPhase.lean moved from L1208 to L1650
lemma iterated_fold_to_level_ℓ_is_constant in ArkLib/ProofSystem/Binius/BinaryBasefold/Prelude.lean moved from L2204 to L2351
def sumcheckFoldKnowledgeError (j : (pSpecSumcheckFold 𝔽q β (ϑ in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean moved from L1137 to L1545
theorem multilinear_eval_eq_sum_bool_hypercube (challenges : Fin ℓ → L) (t : ↥L⦃≤ 1⦄[X Fin ℓ]) : in ArkLib/ProofSystem/Binius/BinaryBasefold/Prelude.lean moved from L361 to L366
def firstOracleWitnessConsistencyProp (t : MultilinearPoly L ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean moved from L1284 to L831
def pair_fiberwiseDistance (i : Fin r) {destIdx : Fin r} (steps : ℕ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean moved from L136 to L180
theorem coreInteraction_rbrKnowledgeSoundness : in ArkLib/ProofSystem/Binius/RingSwitching/SumcheckPhase.lean moved from L1308 to L1775

sorry Tracking

✅ **Removed:** 9 `sorry`(s)

def sumcheckFoldKnowledgeError in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
instance : ∀ j, OracleInterface ((pSpecSumcheckRound (L in ArkLib/ProofSystem/Binius/RingSwitching/Spec.lean
theorem fullOracleVerifier_rbrKnowledgeSoundness {𝓑 : Fin 2 ↪ L} : in ArkLib/ProofSystem/Binius/RingSwitching/General.lean
theorem foldRelayOracleVerifier_rbrKnowledgeSoundness in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
def finalSumcheckKStateProp {m : Fin (1 + 1)} (tr : Transcript m (pSpecFinalSumcheckStep (L in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
theorem foldCommitOracleVerifier_rbrKnowledgeSoundness in ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean
theorem iteratedSumcheckOracleVerifier_rbrKnowledgeSoundness (i : Fin ℓ') : in ArkLib/ProofSystem/Binius/RingSwitching/SumcheckPhase.lean
theorem finalSumcheckOracleVerifier_rbrKnowledgeSoundness [Fintype L] {σ : Type} in ArkLib/ProofSystem/Binius/FRIBinius/CoreInteractionPhase.lean
theorem finalSumcheckOracleVerifier_rbrKnowledgeSoundness {σ : Type} in ArkLib/ProofSystem/Binius/RingSwitching/SumcheckPhase.lean

❌ **Added:** 18 `sorry`(s)

lemma mapOStmtOut_eq_mkVerifierOStmtOut_relayStep in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
lemma extractMLP_eq_some_iff_pair_UDRClose (f : (sDomain 𝔽q β h_ℓ_add_R_rate) ⟨0, by omega⟩ → L) in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
lemma oracleFoldingConsistencyProp_relay_preserved (i : Fin ℓ) (hNCR : ¬ isCommitmentRound ℓ ϑ i) in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
lemma exists_path_of_mem_support_forIn_unit {σ α : Type} [spec.FiniteRange] in ArkLib/ToVCVio/SimulationInfrastructure.lean
lemma firstOracleWitnessConsistencyProp_unique (t₁ t₂ : MultilinearPoly L ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
lemma exists_rel_path_of_mem_support_forIn_stateful {ι : Type} {spec : OracleSpec ι} [spec.FiniteRange] in ArkLib/ToVCVio/SimulationInfrastructure.lean
lemma fiberwiseClose_steps_zero_iff_UDRClose in ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean
lemma badEventExistsProp_iff_incrementalBadEventExistsProp_last in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
lemma incrementalBadEventExistsProp_relay_preserved (i : Fin ℓ) (hNCR : ¬ isCommitmentRound ℓ ϑ i) in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
lemma ENNReal.coe_div_of_NNReal {a b : NNReal} : in ArkLib/Data/Nat/Bitwise.lean
lemma extracted_t_poly_eval_eq_final_constant in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
lemma incrementalBadEventExistsProp_commit_step_backward (i : Fin ℓ) (hCR : isCommitmentRound ℓ ϑ i) in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
theorem soundness_unroll_runToRound_2_pSpec_2 in ArkLib/OracleReduction/Completeness.lean
theorem lemma_4_25_reject_if_suffix_in_disagreement in ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean
lemma fiberwiseDisagreementSet_steps_zero_eq_disagreementSet in ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean
lemma incrementalBadEventExistsProp_fold_step_backward (i : Fin ℓ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean
lemma extractMLP_some_of_isCompliant_at_zero in ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean
lemma iterated_fold_first (i : Fin r) {midIdx destIdx : Fin r} (steps : ℕ) in ArkLib/ProofSystem/Binius/BinaryBasefold/Prelude.lean

🎨 **Style Guide Adherence**

Based on the ArkLib style guide, here are the violations in the provided code changes:

Documentation and Headers

ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean:1: Missing standard file header including copyright, license (Apache 2.0), and authors. (Rule: "Use standard file headers...")
ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean:1: Missing module docstring (/-! ... -/). (Rule: "Each file should start with a /-! ... -/ block...")
ArkLib/OracleReduction/Completeness.lean:534: Theorem tsum_mul_le_of_le_of_sum_le_one_nnreal is missing a docstring. (Rule: "Every definition and major theorem should have a docstring.")
ArkLib/OracleReduction/Completeness.lean:559: Lemma ENNReal.tsum_mul_le_of_le_of_sum_le_one is missing a docstring. (Rule: "Every definition and major theorem should have a docstring.")
ArkLib/OracleReduction/Completeness.lean:945: Theorem probEvent_PMF_eq_Pr is missing a docstring. (Rule: "Every definition and major theorem should have a docstring.")
ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean:742: Lemma projectToMidSumcheckPoly_at_last_eval is missing a docstring.
ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean:829: Definition firstOracleWitnessConsistencyProp is missing a docstring.
ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean:1017: Structure MLPEvalStatement is missing a docstring.
ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean:89: Lemma probability_bound_badSumcheckEventProp is missing a docstring.
ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean:223: Definition logical_queryFiberPoints is missing a docstring.
ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean:91: Definition strictBatchingInputRelationProp is missing a docstring.

Naming Conventions

ArkLib/OracleReduction/Completeness.lean:559: ENNReal.tsum_mul_le_of_le_of_sum_le_one violates the snake_case rule for theorems and the acronym rule for ENNReal. (Rule: "Theorems and Proofs: snake_case", "Acronyms: Treat as words")
ArkLib/OracleReduction/Completeness.lean:583: unroll_rbrKnowledgeSoundness violates the snake_case rule. (Rule: "Theorems and Proofs: snake_case")
ArkLib/OracleReduction/Completeness.lean:945: probEvent_PMF_eq_Pr violates snake_case and acronym rules (PMF).
ArkLib/OracleReduction/Completeness.lean:1011: probOutput_uniformOfFintype_eq_Pr violates snake_case.
ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean:876: extractMLP violates the acronym rule. Should be extractMlp. (Rule: "Acronyms: Treat as words")
ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean:967: extractMLP_eq_some_iff_pair_UDRClose violates snake_case and acronym rules (MLP, UDR).
ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean:223: logical_queryFiberPoints violates the lowerCamelCase rule for functions. Should be logicalQueryFiberPoints. (Rule: "Functions and Terms: lowerCamelCase")
ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean:234: logical_computeFoldedValue violates the lowerCamelCase rule for functions.
ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean:287: logical_checkSingleRepetition violates lowerCamelCase.
ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean:406: preTensorCombine_WordStack violates lowerCamelCase. Should be preTensorCombineWordStack.
ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean:59: reducedMLPEvalStatement_to_BBF_Statement violates lowerCamelCase and the acronym rule (BBF).
ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean:748: bbfMLIOPCS violates the acronym rule. Should be bbfMliopcs.

Syntax and Formatting

ArkLib/OracleReduction/Completeness.lean:538: Proof contains empty lines. (Rule: "Avoid empty lines inside definitions or proofs.")
ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean:84: let P₀: L[X]_(2 ^ ℓ) missing space after colon. (Rule: "Put spaces on both sides of :")
ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean:1060: Line exceeds 100 characters (approx. 330 chars). (Rule: "Keep lines under 100 characters.")
ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean:1121: Proof of h_per_point_card contains empty lines.
ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean:2085: Line exceeds 100 characters.
ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean:84: Uses => in function definition (fun ω => ...). (Rule: "Prefer fun x ↦ ... over λ x, ....")
ArkLib/ProofSystem/Binius/BinaryBasefold/Spec.lean:273: Instance instOracleInterfaceMessagePSpecFold uses := instead of where. (Rule: "Use the where syntax for defining instances...")

Normal Forms

ArkLib/Data/Nat/Bitwise.lean:85: Lemma ENNReal.coe_div_of_NNReal contains a sorry. (While not explicitly forbidden by style, it violates formalization goals mentioned in "Roadmap Goals").

📄 **Per-File Summaries**

ArkLib.lean: This change adds imports for BinaryBasefold soundness and RingSwitching small field IOPCS modules to the library.
ArkLib/Data/FieldTheory/AdditiveNTT/AdditiveNTT.lean: This change introduces the iteratedQuotientMap_congr_k lemma to establish a congruence property for iteratedQuotientMap when its iteration count parameter is replaced by an equal value.
ArkLib/Data/Misc/Basic.lean: Added the fun_eta_expansion_apply lemma to provide an applied version of the function eta expansion identity.
ArkLib/Data/Nat/Bitwise.lean: Added the lemma ENNReal.coe_div_of_NNReal, which states that the quotient of two NNReal values coerced to ENNReal equals the coercion of their quotient.
ArkLib/Data/Probability/Instances.lean: This PR adds the union bound, theorems for the probability of independent repetitions, and specific univariate specializations of the Schwartz-Zippel lemma for low-degree polynomials.
ArkLib/OracleReduction/Basic.lean: This change introduces the theorem FullTranscript.mk1_eq_snoc to prove the equivalence between constructing a single-round transcript via FullTranscript.mk1 and appending a message to an empty transcript.
ArkLib/OracleReduction/Completeness.lean: Introduces unroll lemmas and probability simplification theorems for round-by-round knowledge soundness to facilitate reasoning about probabilistic bounds in protocol security proofs.
ArkLib/OracleReduction/Security/RoundByRound.lean: Added theorems to facilitate the substitution of pointwise-equivalent error terms in round-by-round knowledge soundness definitions.
ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean: This update refines the Binary Basefold proof system by introducing incremental bad-event tracking, enhancing the multilinear polynomial extractor with post-decoding radius checks, and refactoring core definitions and theorems related to protocol consistency and folding.
ArkLib/ProofSystem/Binius/BinaryBasefold/Code.lean: This update refines the fiberwise distance and disagreement definitions to better handle domain index casting and introduces the incrementalFoldingBadEvent definition along with several supporting lemmas to facilitate incremental soundness proofs for the folding protocol.
ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean: This change establishes the round-by-round knowledge soundness for the Binius Binary Basefold core interaction phase by composing the soundness proofs of individual protocol rounds and blocks.
ArkLib/ProofSystem/Binius/BinaryBasefold/Prelude.lean: This change introduces theorems for the injectivity of quotient fiber maps and the first-step decomposition of iterated folds, while refining the proof that folding a multilinear extension to its final level results in a constant function equal to its evaluation.
ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean: This file completes the formal verification of the Binius Binary Basefold Query Phase by introducing new theorems and definitions that establish round-by-round knowledge soundness, bridging the operational implementation of the verifier with its logical proximity testing bounds.
ArkLib/ProofSystem/Binius/BinaryBasefold/ReductionLogic.lean: This update introduces the rbrExtractionFailureEvent predicate for round-by-round knowledge soundness proofs and simplifies the final sumcheck step logic by utilizing higher-level folding lemmas.
ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean: This new Lean file formalizes the soundness of the Binary Basefold protocol's query phase by introducing definitions for the verifier's proximity check logic and proving several key theorems—including Propositions 4.20 and 4.23—that bound the probability of bad folding events and proximity check failures.
ArkLib/ProofSystem/Binius/BinaryBasefold/Spec.lean: Defined and refactored missing typeclass instances for the Binary Basefold protocol's messages, challenges, and domains.
ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean: This file establishes the round-by-round knowledge soundness for the Fold, Commit, Relay, and Final Sumcheck steps of the Binary Basefold protocol by introducing new extractors and knowledge state properties, defining round-specific error bounds, and completing the corresponding soundness proofs.
ArkLib/ProofSystem/Binius/FRIBinius/General.lean: This change refactors the FRI-Binius proof system components to utilize stricter relations and simplified parameter passing while introducing new definitions and a theorem to establish the round-by-round knowledge soundness of the full oracle verifier.
ArkLib/ProofSystem/Binius/FRIBinius/Prelude.lean: Refactors the BinaryBasefoldAbstractOStmtIn definition to utilize a modular implementation from the BBFSmallFieldIOPCS namespace and introduces new Fact assumptions regarding the linear independence and normalization of the basis $\beta$.
ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean: This file instantiates a small-field Interactive Oracle Proof Commitment Scheme (IOPCS) by composing the Ring-Switching protocol with the Binary Basefold protocol, introducing the bbfMLIOPCS definition alongside proofs for its end-to-end perfect completeness and round-by-round knowledge soundness.
ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean: Formalizes the completeness and knowledge soundness proofs for the Binius ring-switching batching phase by introducing strict relations and completing the extraction logic.
ArkLib/ProofSystem/Binius/RingSwitching/General.lean: Updates the ring-switching protocol's security properties by adopting strict input relations and completing the round-by-round knowledge soundness proof.
ArkLib/ProofSystem/Binius/RingSwitching/Prelude.lean: Introduces strict initial compatibility relations and corresponding strict sumcheck round relations to distinguish between requirements for perfect completeness and knowledge soundness.
ArkLib/ProofSystem/Binius/RingSwitching/Spec.lean: Refactor the Ring-Switching protocol specification to reuse the Binary Basefold final sumcheck step and simplify associated oracle and typeclass instances.
ArkLib/ProofSystem/Binius/RingSwitching/SumcheckPhase.lean: This change implements the round-by-round knowledge soundness proofs for the Ring Switching sumcheck protocol by defining the necessary extractors and knowledge state properties.
ArkLib/ToMathlib/MvPolynomial/Equiv.lean: Adds lemmas proving that Polynomial.toMvPolynomial preserves non-zero values and that its total degree is bounded by the original polynomial's natural degree.
ArkLib/ToVCVio/Lemmas.lean: Adds lemmas characterizing the support and mapping behavior of StateT computations within OracleComp.
ArkLib/ToVCVio/SimulationInfrastructure.lean: This PR extends the simulation infrastructure with lemmas for stateful loop simulation and provides bridge lemmas between VCVio and ArkLib probability notations.
ArkLib/ProofSystem/Binius/FRIBinius/CoreInteractionPhase.lean: This file introduces the finalSumcheckStepLogic definition and multiple auxiliary lemmas to refactor the final sumcheck step using the ReductionLogicStep infrastructure, while completing formal proofs for the perfect completeness and round-by-round knowledge soundness of the core FRI-Binius interaction phase.

Last updated: 2026-03-02 03:14 UTC.

alexanderlhicks · 2026-02-10T01:30:54Z

FYI I'll merge the 4.26 PR first, so keep an eye out for any proofs breaking when that happens.

chung-thai-nguyen · 2026-02-10T02:09:03Z

@alexanderlhicks Sure I will take a look.

alexanderlhicks · 2026-02-20T16:25:39Z

/review

External:
https://eprint.iacr.org/2024/504.pdf
https://eprint.iacr.org/2023/1784.pdf

Internal:
ArkLib/Data/CodingTheory/
ArkLib/Data/Polynomial

Comments:
Please review for correctness with respect to ArkLib internals and the external reference papers.

github-actions · 2026-02-20T17:07:03Z

🤖 AI Review (with external context)

🤖 AI Review

Overall Summary:
Summary of Code Review

The Pull Request is not ready for merge due to critical misformalizations and significant gaps in the proofs.

Mathematical Errors: ArkLib/Data/Nat/Bitwise.lean introduces a false lemma regarding ENNReal division (missing a non-zero denominator hypothesis), and ArkLib/ToVCVio/SimulationInfrastructure.lean contains invalid lemmas that fail to account for early termination in forIn loops.
Implementation Defects: ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean contains an off-by-one indexing error for protocol challenges, and ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean has type mismatches in the verifier definition.
Incomplete Security Proofs: Several critical components, including the Ring-Switching soundness instance and FRIBinius unique decoding properties, are admitted with sorry rather than proven, leaving the protocol's security unverified.

📄 **Review for `ArkLib.lean`**

This review focuses on the changes to ArkLib.lean.

Global Context Alignment
The changes involve adding two new imports:

import ArkLib.ProofSystem.Binius.BinaryBasefold.Soundness
import ArkLib.ToMathlib.MvPolynomial.Conversions

These additions are consistent with the provided reference documents, specifically the "Binary BaseFold" paper (Section 4), which discusses the security (soundness) of the protocol. The addition of Soundness likely corresponds to the formalization of Theorem 4.17 (Security of Binary BaseFold). The Conversions module likely supports the various basis conversions (Monomial to Lagrange, Novel Polynomial Basis) discussed throughout the papers (e.g., Subsection 2.3 of the 2024 paper).

Implementation Analysis

ArkLib.lean acts as a top-level aggregation file for the library.
The diff simply exposes two new modules to users of the library.
Given the prompt assurance that the code compiles, these files exist and are valid Lean modules.
There is no logical implementation, type definitions, or theorem statements within this specific file to check for misformalization (off-by-one errors, universe levels, etc.).

Verdict
The changes are Correct.

The modifications correctly update the library manifest to include new functionality related to Binary BaseFold soundness and multivariate polynomial conversions. No misformalization issues are present in this file.

📄 **Review for `ArkLib/Data/Misc/Basic.lean`**

Review of ArkLib/Data/Misc/Basic.lean

Verdict: Correct

The changes in this file are formally correct and compile successfully.

Detailed Analysis:

fun_eta_expansion_apply:
- Definition: lemma fun_eta_expansion_apply {α β : Type*} (f : α → β) (x : α) : (f x) = (fun x => f x) x := rfl
- Logic: This lemma asserts the definitional equality between f x and the beta-redex (λ x, f x) x. In Lean's dependent type theory, (fun x => f x) x reduces to f x. Therefore, rfl is a valid proof.
- Context: This complements the existing fun_eta_expansion lemma (which asserts f = λ x, f x). While simp or definitional equality checks often handle this automatically, having an explicit lemma can be useful for specific rewrite operations.
- Naming/Shadowing: The variable name x is used both as the argument to the lemma and the bound variable in the lambda. While this creates shadowing, Lean resolves the bound variable correctly within the lambda scope, making the term equivalent to (λ y, f y) x. This usage is consistent with the notation in the preceding lemma.

No misformalizations or issues were found.

📄 **Review for `ArkLib/Data/Nat/Bitwise.lean`**

This file contains a critical misformalization.

1. Analysis of Implementation

Logic: The new lemma ENNReal.coe_div_of_NNReal asserts that division commutes with the coercion from NNReal to ENNReal.
Correctness: This statement is false without a hypothesis that the denominator b is non-zero.
- In NNReal (which inherits division from Real), division by zero is typically defined as 0 (i.e., x / 0 = 0). Therefore, the right-hand side ((a / b) : NNReal) : ENNReal evaluates to 0 when b = 0.
- In ENNReal, 0 is not invertible, and 0⁻¹ = ∞. Division is defined such that x / 0 = x * ∞. For a ≠ 0, (a : ENNReal) / 0 evaluates to ∞.
- Thus, if a ≠ 0 and b = 0, the LHS is ∞ and the RHS is 0.
Context: The lemma immediately following it in the diff, ENNReal.coe_div_of_NNRat, correctly includes the hypothesis (hb : b ≠ 0). The omission in the new lemma appears to be an oversight.
File Organization: The content of this diff (lemmas regarding ENNReal and NNRat) is completely unrelated to the file name ArkLib/Data/Nat/Bitwise.lean. While this might be a pre-existing issue in the file, adding more unrelated lemmas exacerbates the organizational problem.

2. Check for Misformalization

Incorrect Assumptions/Side-Conditions: [Critical] The lemma ENNReal.coe_div_of_NNReal is missing the precondition b ≠ 0.

3. Verdict & Feedback

Verdict: Incorrect.

Critical Issue:
The lemma ENNReal.coe_div_of_NNReal is mathematically false as stated because it lacks a non-zero hypothesis for the denominator. In Lean/Mathlib, division by zero typically results in 0 for NNReal but ∞ (infinity) for ENNReal.

Corrected Code:

lemma ENNReal.coe_div_of_NNReal {a b : NNReal} (hb : b ≠ 0) :
  ((a : ENNReal) / (b : ENNReal)) = (((a / b) : NNReal): ENNReal) := by
  -- This is equivalent to `ENNReal.coe_div hb` in Mathlib
  sorry

Minor Issue:
The file ArkLib/Data/Nat/Bitwise.lean seems to contain lemmas about ENNReal and NNRat, which contradicts the file path and module name. These should ideally be moved to a file like ArkLib/Data/ENNReal/Basic.lean or similar.

📄 **Review for `ArkLib/Data/Probability/Instances.lean`**

The formalization in ArkLib/Data/Probability/Instances.lean appears correct and consistent with the external reference documents and standard probability theory in Lean.

Detailed Analysis:

Union Bound (Pr_or_le):
- The theorem correctly formalizes $\Pr[A \lor B] \le \Pr[A] + \Pr[B]$ using indicator functions and the tsum formulation of probability for PMF.
- The proof steps correctly bound $\mathbb{1}_{A \lor B} \le \mathbb{1}_A + \mathbb{1}_B$ and apply linearity of the sum.
Probability Splitting (prob_pow_of_forall_finFun):
- The theorem correctly states that for independent uniform samples, the probability of a conjunction of identical predicates is the power of the individual probabilities.
- The inductive proof rigorously handles the isomorphism between Fin (n+1) → A and A × (Fin n → A) (implied by prob_split_last_uniform_sampling_of_finFun) and the product rule for independent events via cardinalities.
Schwartz-Zippel Lemmas:
- prob_schwartz_zippel_univariate_deg: Correctly adapts the multivariate Schwartz-Zippel lemma to MvPolynomial (Fin 1) R, bounding the zero probability by d / |R|. The manual casting between NNRat, Real, and ENNReal is verbose but correct.
- prob_poly_agreement_degree_one: Correctly reduces the equality of two univariate polynomials p, q (degree $\le 1$) to the zero-testing of their difference. It correctly lifts Polynomial to MvPolynomial and applies the Schwartz-Zippel bound 1 / |R|.
- prob_poly_agreement_degree_two: Analogous to the degree one case, correctly bounding the collision probability by 2 / |R|.

Note on Consistency:

prob_poly_agreement_degree_one uses the generic prob_schwartz_zippel_mv_polynomial lemma (inferring $d=1$), while prob_poly_agreement_degree_two uses the specialized prob_schwartz_zippel_univariate_deg lemma (passing $d=2$). Both approaches are mathematically valid and result in the correct bounds.

Verdict:
The formalization is correct.

-- No corrections required.

📄 **Review for `ArkLib/OracleReduction/Completeness.lean`**

Verdict: Correct with Issues

The formalization in ArkLib/OracleReduction/Completeness.lean is generally correct and aligns with the mathematical intuition for round-by-round knowledge soundness and probability bound unrolling. The added lemmas for simplifying probability events (probEvent) and handling tsum (infinite sums) are logically sound.

However, there is one Major issue regarding an incomplete proof.

Findings:

Incomplete Proof (sorry):
- Severity: Major
- Location: soundness_unroll_runToRound_2_pSpec_2 (end of section SoundnessUnrolling).
- Issue: The proof ends with dsimp [FullTranscript.mk2] followed by sorry. This indicates the theorem soundness_unroll_runToRound_2_pSpec_2 is not fully proven. While the statement describes the unrolling of the prover's execution for 2 rounds (P->V, V->P), the equality between the recursive runToRound and the explicit do block is not established.
- Recommendation: Complete the proof. The proof likely requires unifying the transcript structure constructed by the recursive runToRound steps with the FullTranscript.mk2 definition.
Minor Style/Formatting:
- Location: probEvent_soundness_goal_unroll_log.
- Issue: Double space in simp only at *.
- Recommendation: Remove extra space.

Correctness Checks:

Logic of unroll_rbrKnowledgeSoundness: The derivation $\Pr[E] = \sum_s \Pr[S=s] \cdot \Pr[E | S=s] \le \sum_s \Pr[S=s] \cdot \varepsilon = \varepsilon$ is correctly formalized using ENNReal.tsum_mul_le_of_le_of_sum_le_one and probEvent_bind_eq_tsum.
Indices: The usage of i.1.castSucc and i.1.succ in unroll_rbrKnowledgeSoundness correctly captures the transition between round $i$ and $i+1$ in the context of the knowledge state function.
Oracle Implementation: QueryImpl_append_impl_inr_stateful correctly asserts that routing queries to the right-hand side of a sum implementation (Sum.inr) targets challengeQueryImpl.

Summary: The logic is sound, but the file contains an unfinished proof (sorry) which must be addressed before the PR can be fully accepted as correct code.

📄 **Review for `ArkLib/OracleReduction/Security/RoundByRound.lean`**

This file adds two utility theorems, Verifier.rbrKnowledgeSoundness_of_eq_error and OracleVerifier.rbrKnowledgeSoundness_of_eq_error. These theorems allow replacing the error bound function ε₁ in a Round-by-Round (RBR) knowledge soundness proof with a pointwise-equal function ε₂.

This is a standard helper lemma in formalization, useful for cleaning up error terms (e.g., simplifying complex arithmetic expressions derived from reductions into cleaner bounds stated in papers).

Analysis of the changes:

Verifier.rbrKnowledgeSoundness_of_eq_error:
- Logic: The theorem assumes verifier satisfies RBR knowledge soundness with error ε₁. It unfolds the definition, extracts the witnesses (intermediate witness type, extractor, etc.), and constructs a proof for ε₂ by rewriting ε₂ i to ε₁ i using the hypothesis h_ε.
- Correctness: The logic is sound. If a predicate holds for a bound B and A = B, it holds for A. Using pointwise equality (∀ i, ...) inside the definition's quantifier avoids the need for function extensionality on the error function itself.
- Context: Assumes init and impl are section variables available in scope, which is consistent with the provided compilation guarantee.
OracleVerifier.rbrKnowledgeSoundness_of_eq_error:
- Logic: This lifts the previous theorem to OracleVerifier. Since OracleVerifier.rbrKnowledgeSoundness is defined directly via toVerifier.rbrKnowledgeSoundness (visible in the diff context), this delegation is correct.

Verdict:
The changes are correct and consistent with the repository's purpose of formalizing security reductions.

Formalization Verdict: Correct.

📄 **Review for `ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean`**

Based on the review of the diff for ArkLib/ProofSystem/Binius/BinaryBasefold/Basic.lean against the provided context and the external reference papers (Diamond & Posen), the changes appear to be a correct formalization of the Binary BaseFold protocol logic.

Summary of Changes:

Correctness of Sumcheck Projection: projectToMidSumcheckPoly_at_last_eq correctly establishes that at the end of the sumcheck protocol (dimension 0), the polynomial is constant and equals the product of evaluations.
Oracle & Bad Event Logic: The modification to foldingBadEventAtBlock to use stmtIdx instead of oracleIdx is crucial and correct. It ensures that proximity gaps (bad events) are checked based on the number of folding challenges available (stmtIdx), which is the correct "time" parameter, rather than the count of committed oracles.
Final Verification Logic: finalSumcheckStepOracleConsistencyProp and finalSumcheckStepFoldingStateProp correctly restructure the final check. By relying on the updated badEventExistsProp (which now correctly covers the final folding step due to the index fix), the logic is simplified and the explicit finalFoldingBadEvent becomes redundant, justifying its removal.
Property Preservation: New lemmas (..._relay_preserved, ..._commit_step_backward) are added (though stubbed with sorry) to support the inductive proofs of soundness, correctly modeling the protocol flow between "relay" and "commitment" rounds.
Novel Basis Alignment: The extractMLP lemma correctly references polynomialFromNovelCoeffsF₂, aligning with the paper's use of the Lin-Chung-Han novel polynomial basis for small-field commitments.

Minor Findings:

Naming Convention: The definition strictfinalSumcheckStepFoldingStateProp uses lowercase final (strictfinal...) whereas other definitions use CamelCase (strictFinal... or final...). This is a stylistic inconsistency but does not affect correctness.
Incomplete Proofs: Several key lemmas (extractMLP_eq_some_iff_pair_UDRClose, badEventExistsProp_relay_preserved, etc.) are stubbed with sorry. Assuming the intention is to define the statement structure for later proof, the statements themselves are logically consistent with the protocol design.

Verdict:
The formalization is Correct.

-- Suggestion for naming consistency (optional):
-- strictfinalSumcheckStepFoldingStateProp -> strictFinalSumcheckStepFoldingStateProp

📄 **Review for `ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean`**

Analysis:

The file ArkLib/ProofSystem/Binius/BinaryBasefold/CoreInteractionPhase.lean defines the oracle verifiers and corresponding knowledge soundness proofs for the interaction phase of the Binary BaseFold protocol. This corresponds to the folding phase of the polynomial commitment scheme described in the referenced paper ("Polylogarithmic Proofs for Multilinears over Binary Towers").

The diff replaces sorry placeholders with complete proofs for the Round-by-Round Knowledge Soundness (RBR KS) of various protocol components: foldRelay (folding without commitment), foldCommit (folding with commitment), nonLastSingleBlock (a block of $\vartheta$ rounds ending in a commitment), nonLastBlocks (sequence of such blocks), lastBlock (the final set of rounds without an oracle commitment), and sumcheckFold (the composition of all blocks).

Correctness of Composition: The proofs make extensive use of generic composition lemmas (append_rbrKnowledgeSoundness, seqCompose_rbrKnowledgeSoundness, castInOut_rbrKnowledgeSoundness) provided by ArkLib. This modular approach is robust.
- FoldRelay & FoldCommit: These are defined as append compositions of atomic steps. The proofs correctly construct the combined knowledge error using Sum.elim.
- Non-Last Blocks: Defined as a sequence of foldRelay steps followed by one foldCommit. The indices are handled carefully (0 to ϑ-2 vs ϑ-1).
- Last Block: Defined as a sequence of foldRelay steps. This correctly reflects the specification where the final value is sent in the clear rather than committed via an oracle (hence isNeCommitmentRound holds for the last step).
- SumcheckFold: Defined as an append of nonLastBlocks and lastBlock. The knowledge error definition is simplified to use Sum.elim, removing previous complex indexing arithmetic.
Indexing and Bounds:
- The code assumes $\ell$ is a multiple of $\vartheta$ (implied by hdiv usage in proofs).
- nonLastBlocks iterates over ℓ/ϑ - 1 blocks.
- lastBlock handles the final ϑ rounds.
- The index calculations (e.g., bIdx * ϑ + i) correctly map block-local indices to global round indices.
- The use of Fin (ℓ + 1) for relations correctly accounts for $\ell$ rounds producing $\ell+1$ relations (initial to final).
Specification Alignment: The structure aligns with the "Oracle-skipping" technique described in the paper, where commitments occur every $\vartheta$ rounds. The distinct handling of the last block matches the protocol ending with a scalar value transmission.

Conclusion: The formalization is correct and follows established patterns in the library.

Verdict: Correct.

📄 **Review for `ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean`**

Verdict: Correct.

The formalization in ArkLib/ProofSystem/Binius/BinaryBasefold/QueryPhase.lean correctly implements the Round-by-Round knowledge soundness for the Binius Query Phase, aligning with the external specification (specifically Proposition 4.23 of the Diamond-Gruen 2025 paper).

Observations:

Refactoring: The extensive deletions and the new import (Soundness.lean) indicate a clean refactoring where common definitions and properties have been moved to shared modules, which is good practice.
RBR Logic: The definition of queryKStateProp and queryKnowledgeStateFunction correctly captures the RBR logic:
- State 0: Corresponds to finalSumcheckRelOutProp (success of previous phase).
- State 1: Corresponds to logical_proximityChecksSpec (success of query phase checks).
- The soundness theorem (queryOracleVerifier_rbrKnowledgeSoundness) correctly bounds the probability of the failure event (State 0 False AND State 1 True) using singleRepetition_proximityCheck_bound.
Proof Holes (sorry): The new lemma logical_checkSingleRepetition_of_mem_support_forIn_body contains several sorrys. These are exclusively related to arithmetic bounds (e.g., proving k.val - 1 < ℓ / ϑ) and index casting for the sDomain type. While these proofs are pending, the propositions they guard are mathematically true given the constraints ϑ | ℓ and ℓ > 0. This does not constitute a misformalization of the cryptographic logic.
Witness Extraction: The use of Unit for the intermediate witness (witMid) and the identity extractor in queryRbrExtractor is correct for the Query Phase, which does not involve Prover-to-Verifier messages that transmit new witness information (only oracle openings).

The implementation is verified to be logically consistent with the protocol design.

-- No corrections needed.

📄 **Review for `ArkLib/ProofSystem/Binius/BinaryBasefold/ReductionLogic.lean`**

This file contains the logic for reduction steps in the Binius Binary Basefold protocol, specifically defining the relationship between rounds and the extraction logic for knowledge soundness.

The changes include:

Namespace simplification: Moving from Binius.BinaryBasefold.CoreInteraction to Binius.BinaryBasefold.
Definition of rbrExtractionFailureEvent: This introduces a formal predicate for the "bad event" in Round-By-Round (RBR) knowledge soundness proofs.
Renaming and Cleanup: Renaming strictFinalFoldingStateProp to strictfinalSumcheckStepFoldingStateProp (and similar variants) to likely match refactored definitions elsewhere, and removing an unused OracleInterface instance.

Review of rbrExtractionFailureEvent:
The definition correctly formalizes the extraction failure condition:

It posits the existence of a valid witness for the next round (witMid at i.1.succ).
It asserts that the witness extracted for the current round (extractor.extractMid ... at i.1.castSucc) is invalid.
It correctly handles transcript management by concatenating the challenge challenge to the current transcript when checking the next witness or running the extractor.
The indices i.1.castSucc (current state) and i.1.succ (next state) correctly map the challenge index i to the protocol states.

Verdict:
The formalization in this file is correct. The added extraction failure event aligns with standard definitions for recursive/folding arguments, and the renamings appear consistent with the intent to clarify the "final sumcheck step" properties.

Feedback:

The implementation of rbrExtractionFailureEvent is mathematically sound and correctly uses the type hierarchy (Prop, dependent types for witnesses/transcripts).
The naming strictfinalSumcheckStepFoldingStateProp uses a lowercase f in final, which is stylistically inconsistent with CamelCase (e.g., strictFinalSumcheck...), but valid if it matches the definition.

No formalization issues found.

-- No corrections needed.

📄 **Review for `ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean`**

This file formalizes the soundness properties of the Binary BaseFold protocol, specifically corresponding to the proximity gap and query phase logic described in Section 4 of "Polylogarithmic Proofs for Multilinears over Binary Towers".

Analysis of the Implementation:

Alignment with Specification:
- Proximity Gaps (Lemmas 4.21, 4.22): The code correctly implements the logic for proving the proximity gap.
  - lemma_4_21_interleaved_word_UDR_far corresponds to the paper's Lemma 4.22 (Interleaved Distance Preservation). It correctly establishes that if a function is fiber-wise far from the code, its interleaved representation is also far.
  - prop_4_20_case_2_fiberwise_far applies the tensor product proximity gap (referenced from DG25) to bound the probability of the "bad batching" event when the function is fiber-wise far.
- Bad Event Probability (Prop 4.20): prop_4_20_bad_event_probability correctly combines the "fiber-wise close" and "fiber-wise far" cases to bound the probability of the folding bad event $E_i$, matching the paper's Proposition 4.21 (with the labeling difference noted in the code). The bound steps * domain_size / |L| matches $\vartheta \cdot |S(i+\vartheta)| / |L|$.
- Query Logic (Lemmas 4.25, 4.26):
  - lemma_4_24_dist_folded_ge_of_last_noncompliant implements the logic of Paper Lemma 4.25, showing that if a block is non-compliant, the folded function is far from the unique decoding of the next block.
  - lemma_4_25_reject_if_suffix_in_disagreement implements the induction of Paper Lemma 4.26, showing that a disagreement in the suffix leads to verifier rejection. (Note: The proof contains a sorry for the inductive step h_fold_ne_const, but the statement is correct).
- Final Bound (Prop 4.23): prop_4_23_singleRepetition_proximityCheck_bound correctly calculates the total soundness error for a single repetition as $1/2 + 1/(2 \cdot 2^\mathcal{R})$.
Implementation Details:
- Lifting: The construction of lift_interleavedCodeword via getRowPoly and getLiftCoeffs correctly formalizes the "inverse folding" operation needed to relate interleaved codewords back to domain codewords. This is crucial for the reduction in Lemma 4.22.
- Matrix/Tensor Isomorphism: fiberwise_disagreement_isomorphism and related lemmas correctly formalize the linear algebraic relationship between fiber evaluations and the matrix-vector product form of folding (Lemma 4.9 in the paper).
- Indexing: The use of Fin (ℓ/ϑ) for block indices and the translation to Fin r domain indices (j * ϑ) handles the block-wise structure of the protocol correctly under the assumption ϑ ∣ ℓ.
Formalization Quality:
- The use of OracleComp monads for the verifier logic (QueryPhase namespace) alongside "Logical" counterparts (LogicalOracleVerification) is a good pattern for separating the probabilistic/interactive definitions from the algebraic properties needed for proofs.
- sorrys: There are two admitted proofs (prop_4_22_bad_event_exists_bound and part of lemma_4_25_reject_if_suffix_in_disagreement). While this makes the file formally incomplete, the definitions and theorem statements are correct and align with the paper. The admitted steps correspond to standard union bounds and inductive propagation of inequality, which are mathematically sound.

Verdict:
The formalization is correct with respect to the provided specification papers. The definitions of bad events, compliance, and the geometric reductions for proximity gaps are accurately translated.

ArkLib/ProofSystem/Binius/BinaryBasefold/Soundness.lean:

-- No changes needed.

📄 **Review for `ArkLib/ProofSystem/Binius/BinaryBasefold/Spec.lean`**

The changes in ArkLib/ProofSystem/Binius/BinaryBasefold/Spec.lean define necessary type class instances (OracleInterface, SelectableType, FiniteRange, Fintype) for the messages and challenges within the Binary BaseFold protocol specification.

Review of Changes:

OracleInterface for pSpecFold (Hunk 1):
- The previous implementation attempted to define the OracleInterface for pSpecFold.Message using pattern matching on the step index j, seemingly conflating messages and challenges or assuming a specific index structure.
- The new implementation correctly splits this into two separate instances: one for (pSpecFold (L:=L)).Message j and one for (pSpecFold (L:=L)).Challenge j.
- It uses OracleInterface.instDefault for both. This aligns with the protocol description where the sumcheck messages ($h_i(X)$) and challenges ($r'_i$) are sent in the clear (not as oracles that need querying).
SelectableType for Query Challenges (Hunk 2):
- This instance defines how to sample the verification query challenges.
- The type Fin γ_repetitions → ↥(sDomain 𝔽q β h_ℓ_add_R_rate 0) corresponds to sampling $\gamma$ vectors from the domain $S(0)$ (identified with $B^{\ell+R}$). This matches the verifier's action in the query phase (Step 4.2 of Construction 4.12 in the reference paper).
- The proof script establishes that index 0 is valid for the domain sequence (requiring 0 < ℓ + R, which is satisfied by valid parameters) and derives the SelectableType instance for the vector from the instance for the scalar sDomain.
FiniteRange and Fintype Instances (Hunk 3 & 4):
- Instances for FiniteRange are added for pSpecFold messages/challenges and others.
- An explicit Fintype instance is added for the query challenge vector.
- The use of sorry for the proofs of finiteness properties is acceptable for structural formalization, as the underlying types (vectors over finite fields) are mathematically finite.

Verdict:
The formalization is correct and consistent with the external specification.

ArkLib/ProofSystem/Binius/BinaryBasefold/Spec.lean

-- No corrections required.

📄 **Review for `ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean`**

File: ArkLib/ProofSystem/Binius/BinaryBasefold/Steps.lean

Verdict: Incorrect Formalization & Incomplete Implementation

General:
The file implements the Knowledge State functions and RBR Extractors for the Binary Basefold protocol steps. The logic generally follows the Basefold/Binius specification (sumcheck + folding). However, there are significant issues regarding indexing, unused code, misleading comments, and unfinished proofs (sorry).

Critical Issues:

Off-by-One / Indexing Error in foldKStateProp:
- In foldKStateProp (lines 463-479), the case m = ⟨2, _⟩ retrieves the challenge using:
```
let r_i' : L := tr.challenges ⟨1, rfl⟩
```
- The Fold step typically consists of 1 message ($h_i$) and 1 challenge ($r_i$). In ArkLib.ProtocolSpec, if a protocol has one challenge step, it corresponds to ChallengeIdx 0 (i.e., Fin 1).
- Accessing challenges 1 suggests the protocol has at least 2 challenges, or the index is incorrect. If pSpecFold follows the standard [ProverMsg, VerifierChal] structure (2 steps), the challenge corresponds to step 1 but is stored at index 0 in the challenge vector.
- This is corroborated by foldStep_rbrExtractionFailureEvent... which uses FullTranscript.mk2 h_i r_i'. mk2 typically constructs a transcript from Msg 0 and Chal 0.
- Fix: Change tr.challenges ⟨1, rfl⟩ to tr.challenges ⟨0, rfl⟩ (assuming standard 1-challenge round). Check pSpecFold definition.
Confusing/Incorrect Variable Naming in foldStep_doom_escape_probability_bound:
- Line 673: (r_i' : (pSpecFold (L := L)).Message ⟨0, rfl⟩)
- The variable r_i' is typed as a Message (prover's $h_i$), but named like a Challenge ($r_i'$).
- Later in the proof, y (drawn from $ᵖ L) represents the actual challenge.
- Fix: Rename r_i' to h_i or msg to avoid confusion with the actual challenge y (or r_i' in other contexts).
Incomplete Proofs (sorry):
- Several critical lemmas contain sorry, making the formalization incomplete:
  - mapOStmtOut_eq_mkVerifierOStmtOut_relayStep: Correctness of oracle update.
  - extractMLP_some_of_oracleFoldingConsistency: Linking proximity to unique decoding.
  - extracted_t_poly_eval_eq_final_constant: Core correctness of the reduction.
  - foldStep_rbrExtractionFailureEvent_imply_sumcheck_or_badEvent: Backward preservation of bad events (essential for soundness).

Major Issues:

Redundant Definition:
- foldKStateProps (lines 1182-1227) appears to be a near-duplicate of foldKStateProp (lines 429-479).
- foldKnowledgeStateFunction uses foldKStateProp.
- Fix: Remove foldKStateProps to avoid confusion and code bloat.
Misleading Comment in foldKnowledgeError:
- Line 394: let err_SC := (2 : ℝ≥0) / (Fintype.card L)
- The comment above says: Sumcheck error (1/|L|).
- The code (2/|L|) is correct for the Basefold sumcheck (involving degree-2 polynomials), as supported by the Basefold paper.
- Fix: Update the comment to reflect the code (2/|L|).

Minor Issues:

foldWitMid and Extractor Flow:
- The logic for foldWitMid and foldRbrExtractor (extracting WitMid 1 from WitMid 2) correctly implements the "backward extraction" required for RBR soundness (given a valid output witness, recover the valid input witness). This is correct but subtle.

Corrected Code Snippet (Indexing & Comment):

-- In foldKStateProp (m=2)
let r_i' : L := tr.challenges ⟨0, rfl⟩ -- Changed from 1 to 0

-- In foldKnowledgeError
/-- Definition of the per-round RBR KS error for Binary FoldFold.
This combines the Sumcheck error (2/|L|) and the LDT Bad Event probability.
For round i : rbrKnowledgeError(i) = err_SC + err_BE where
- err_SC = 2/|L| (Schwartz-Zippel for degree 2) -- Updated comment
...
-/

📄 **Review for `ArkLib/ProofSystem/Binius/FRIBinius/CoreInteractionPhase.lean`**

Verdict: Correct

Feedback:

The changes in ArkLib/ProofSystem/Binius/FRIBinius/CoreInteractionPhase.lean are correctly formalized and align with the specification of the FRIBinius protocol (combining Ring-Switching Sumcheck with Binary Basefold).

Correctness of sumcheckFoldExtractorLens: The change in toFunB to use innerWitIn.t instead of outerWitOut.t is correct. InnerWitIn represents the witness state at the beginning of the inner reduction (Basefold step 0), where t is the polynomial being committed. OuterWitIn represents the witness for the Ring-Switching Sumcheck, where t' is the packed polynomial. Since Ring-Switching's commitment is defined as packing followed by the inner commitment, these polynomials effectively carry the same data, and mapping innerWitIn.t to outerWitIn.t' allows reconstruction of the outer witness from the inner one.
Use of strictSumcheckRoundRelation: Updating sumcheckFoldCtxLens_complete and related theorems to use strictSumcheckRoundRelation is consistent with the use of BinaryBasefold.strictRoundRelation and ensures that the relations hold exactly (functionally) rather than just on evaluations, which is crucial for composability and correctness of the reduction.
Final Sumcheck Step Implementation: The extensive addition of the FinalSumcheckStep logic (prover, verifier, extractor, and soundness proofs) is rigorously implemented using the ReductionLogicStep framework.
- Completeness: finalSumcheckStep_is_logic_complete and finalSumcheckOracleReduction_perfectCompleteness correctly establish that an honest prover satisfies the verifier.
- Soundness: finalSumcheckKnowledgeStateFunction correctly implements the extraction logic for the Round-by-Round (RBR) knowledge soundness. Specifically, toFun_next correctly deduces the validity of the witness at step $m=0$ given the verifier's check at step $m=1$ (checking $s_{target} = eq \cdot c$) and the consistency of the oracle folding (extracting $t$ such that $c = t(r)$).
- Verifier Logic: The verifier check stmtIn.sumcheck_target = eq_tilde_eval * c faithfully reproduces the check described in the header and the referenced Diamond-Posen paper.
No Misformalizations Found:
- Indices and boundaries (e.g., Fin.last ℓ') are handled correctly.
- The usage of ReductionLogicStep and OracleVerifier infrastructure is consistent with the rest of the codebase.
- The removal of sorrys and their replacement with valid proofs (e.g., using simpa with lenses) is verified.

The formalization is robust and correct.

📄 **Review for `ArkLib/ProofSystem/Binius/FRIBinius/General.lean`**

Verdict: Correct

The formalization in ArkLib/ProofSystem/Binius/FRIBinius/General.lean appears correct and consistent with the provided global context and the expected patterns of the ArkLib codebase.

Observations & Verification:

Refactoring of BinaryBasefoldAbstractOStmtIn: The changes systematically update the instantiation of BinaryBasefoldAbstractOStmtIn across all definitions (batchingCoreVerifier, fullOracleVerifier, etc.). The shift to named arguments ((β := β) (h_l := h_l) ...) and the inclusion of the hypothesis h_l (likely connecting dimensions ℓ and ℓ') is consistent with a dependency refactor aimed at explicitness and type safety.
Soundness vs. Completeness Relations:
- Completeness: The perfectCompleteness theorem uses "strict" relations (e.g., BatchingPhase.strictBatchingInputRelation, RingSwitching.strictSumcheckRoundRelation). This correctly models that an honest prover behaves deterministically and satisfies the strongest form of the constraints.
- Soundness: The newly added rbrKnowledgeSoundness theorem uses standard relations (e.g., BatchingPhase.batchingInputRelation). This correctly models that for security, we only need to extract a valid witness satisfying the protocol's core logical constraints, not necessarily one constructed exactly as the honest prover would. This distinction is standard in formal verification of proof systems.
Round-by-Round Knowledge Soundness: The new theorem fullOracleVerifier_rbrKnowledgeSoundness correctly composes the soundness proofs of the sub-components.
- It uses OracleVerifier.append_rbrKnowledgeSoundness to combine the Batching+Core phase with the Query phase.
- It correctly defines the combined error function fullRbrKnowledgeError using Sum.elim over the disjoint challenge indices.
- The internal decomposition of V₁ (Batching+Core) into its sub-components mirrors the structure of batchingCoreVerifier perfectly.
External Consistency: The structure Batching -> Core Interaction -> Query aligns with the Binius protocol description in the reference paper (Ring-Switching followed by Binary BaseFold).

No misformalizations or logical errors were found in the diff. The code compiles as stated, and the semantic changes are sound.

📄 **Review for `ArkLib/ProofSystem/Binius/FRIBinius/Prelude.lean`**

Review of ArkLib/ProofSystem/Binius/FRIBinius/Prelude.lean

Verdict: Incorrect (Incomplete)

The formalization accurately reflects the definitions in the external reference (Paper 2024/504), specifically Construction 4.12's commitment phase relation. However, the file contains an admitted proof (sorry) for a critical security property and contains a likely incorrect type instantiation in a proof script, suggesting copy-paste errors or parameter confusion.

Issues:

Missing Proof (Critical):
The field initialCompatibility_unique is implemented with sorry. This field asserts the Unique Decoding property (that pair_UDRClose implies equality of the underlying polynomials). While the comment correctly identifies the mathematical justification (Triangle inequality + Unique Decoding Radius), the formal proof is absent. This renders the formalization of the security properties incomplete.
Incorrect Index Type in Proof Script (Minor/Code Smell):
In the proof of strictInitialCompatibility_implies_initialCompatibility, the code distance is accessed using index i := (0 : Fin (2 ^ κ)).
```
have h_dist_pos :
    0 < Binius.BinaryBasefold.BBF_CodeDistance K β ... (i := (0 : Fin (2 ^ κ)))
```
In Binary BaseFold (and this specific instance), the "rounds" or "dimensions" are usually indexed by Fin ℓ' (the number of variables after packing). 2^κ corresponds to the extension degree of $L/K$. Unless ℓ' = 2^κ (which is generally false), passing Fin (2^κ) is semantically incorrect, even if it allows 0 to be passed. This relies on BBF_CodeDistance presumably ignoring the type of the index to determine the geometry, or worse, it might cause BBF_CodeDistance to calculate the distance for a code of the wrong dimension (though likely still positive, making the specific lemma 0 < d accidentally true).
Confusing/Incorrect Comment (Minor):
The comment inside initialCompatibility describes t' as:
-- here t is the ℓ'-variate novel-packed large-field polynomial in K of the original ℓ-variate small-field polynomial in L
This appears to swap K and L or mislabel them. In the standard Ring-Switching context (and supported by the code P₀ : L[X]...), K is the small base field, and L is the large extension field. t' is a polynomial over L. The original polynomial was over K. The comment should likely read: "...polynomial in L ... of the original ... in K".

Suggestions for Correction:

Implement initialCompatibility_unique: Provide the proof based on the metric space properties of the Hamming distance and the code's minimum distance parameter d.
Fix Index Type: Change (i := (0 : Fin (2 ^ κ))) to (i := (0 : Fin (BinaryBasefold.toOutCodewordsCount ℓ' ϑ (i:=0)))) or the appropriate type reflecting the number of FRI rounds (likely Fin ℓ').
Update Comment: Correct the description of t' to reflect that it is an $L$-polynomial derived from a $K$-polynomial.

Code Snippet (Correction for Comment):

  initialCompatibility := fun ⟨t', oStmt⟩ =>
    -- here t' is the ℓ'-variate novel-packed large-field polynomial in L of the original ℓ-variate small-field polynomial in K
    Binius.BinaryBasefold.firstOracleWitnessConsistencyProp K β (h_ℓ_add_R_rate := h_ℓ_add_R_rate)
      t' (f₀ := Binius.BinaryBasefold.getFirstOracle K β oStmt)

📄 **Review for `ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean`**

Verdict: Incorrect

The formalization in ArkLib/ProofSystem/Binius/RingSwitching/BBFSmallFieldIOPCS.lean is incorrect due to incomplete proofs (sorry), probable type errors in the verifier definition, and reliance on unproven lemmas for witness consistency.

Critical Issues:

Incomplete Proofs (sorry):
The file contains sorry placeholders in two critical locations, rendering the formalization incomplete and the security guarantees unverified:
- In sumcheckConsistency_witMLPToWitness0_of_eval: The proof that the witness construction satisfies the sumcheck consistency property is missing.
- In bbfMLIOPCS instance: The rbrKnowledgeSoundness field is defined with sorry. This means the soundness of the bbfMLIOPCS—and by extension the entire composed protocol—is assumed as an axiom rather than derived from the underlying Binary Basefold soundness.
Type Mismatches in bbfOracleVerifier:
The definition of bbfOracleVerifier contains type mismatches in the assignments to embed and hEq.
- bbfV acts on Statement (SumcheckBaseContext L ℓ') 0, so bbfV.embed has type Statement ... -> OStmtIn.
- bbfOracleVerifier is an OracleVerifier for InitialStatement (L := L) (ℓ := ℓ'), so its embed field expects InitialStatement ... -> OStmtIn.
- Direct assignment embed := bbfV.embed is incorrect because the domains do not match. The same applies to hEq. You must compose with initialToStatement0.
Correction Snippet:
```
def bbfOracleVerifier :
    OracleVerifier (oSpec := []ₒ) ... :=
  let bbfV := (fullOracleReduction ...).verifier
  { verify := fun stmt challenges =>
      bbfV.verify (initialToStatement0 stmt) challenges
    -- Corrected: pre-compose with initialToStatement0
    embed := fun stmt => bbfV.embed (initialToStatement0 stmt)
    hEq := fun stmt challenges h => bbfV.hEq (initialToStatement0 stmt) challenges h }
```

Major Issues:

Validity of bbf_fullOracleVerifier_rbrKnowledgeSoundness:
This theorem relies on the bbfMLIOPCS instance. Since bbfMLIOPCS.rbrKnowledgeSoundness is implemented as sorry, the top-level theorem bbf_fullOracleVerifier_rbrKnowledgeSoundness essentially proves nothing about the cryptographic security of the implementation, as it rests on an unproven assumption within the instance definition.

Minor Issues:

Use of SelectableType:
firstOracleWitnessConsistency_unique requires [SelectableType L]. While likely available in the context of finite fields used here, ensure this class is instantiated for the concrete fields intended for use (e.g., tower fields) to avoid synthesis failures later.

General Feedback:
The architectural approach of wrapping the full Binary Basefold protocol as an MLIOPCS instance to be used by Ring-Switching is logically sound and aligns with the external references (using a large-field PCS to commit to the packed polynomial). initialToStatement0 correctly maps the initial small-field evaluation claim to the round-0 sumcheck claim of Binary Basefold. However, the implementation is currently in a draft state with critical holes in the proofs and definitions.

📄 **Review for `ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean`**

Review of ArkLib/ProofSystem/Binius/RingSwitching/BatchingPhase.lean

The changes in this file correctly formalize the knowledge soundness proof for the batching phase of the Ring-Switching protocol, aligning with Theorem 3.5 of the reference paper (Diamond & Posen, 2024).

Verdict: Correct

Detailed Analysis:

Strict Input Relations: The introduction of strictBatchingInputRelation and its usage in batchingStepLogic correctly distinguishes between the relation required for perfect completeness (strict equality) and the relaxed relation often sufficient for soundness. This is a standard pattern in this codebase to ensure perfectCompleteness holds.
Soundness & The Mismatch Polynomial:
- The definition of batchingMismatchPoly corresponds exactly to the polynomial $S(X) = \sum_{u} (\hat{s}_u - \bar{s}_u) \cdot \widetilde{eq}(u, X)$ described in the proof of Theorem 3.5 in the paper.
- batchingMismatchPoly_nonzero_of_embed_ne correctly establishes that if the prover's message $\hat{s}$ (msg0) differs from the honest evaluation $\bar{s}$ (s_bar), then $S(X) \not\equiv 0$. This relies on the injectivity of the basis decomposition, which is handled correctly via decompose_tensor_algebra_rows.
- probability_bound_badBatchingEventProp correctly applies the Schwartz-Zippel lemma. The degree of $S(X)$ is bound by $\kappa$ (since it is a multilinear extension in $\kappa$ variables), and the field size is $|L|$, yielding the bound $\kappa / |L|$.
Knowledge State & Extraction:
- The batchingKStateProp definition for $m=1$ correctly asserts knowledge of a witness $t'$ such that the prover's message matches the embedded evaluation.
- The lemma batching_rbrExtractionFailureEvent_imply_badBatchingEvent correctly demonstrates that if the extractor fails (i.e., KState 1 is false but KState 2 is true), it implies that the prover sent an incorrect $\hat{s}$ that nevertheless satisfied the verifier's check $s_0 = \text{compute_s0}(\hat{s}, r'')$. This is precisely the "bad batching event" (collision of $S(r'')$).
Integration:
- batchingOracleVerifier_rbrKnowledgeSoundness properly unrolls the reduction and sums the error probabilities over transcripts, applying the per-transcript bound derived from the bad batching event.

The formalization is logically sound and consistent with the external specifications.

📄 **Review for `ArkLib/ProofSystem/Binius/RingSwitching/General.lean`**

Verdict: Correct

The formalization changes in ArkLib/ProofSystem/Binius/RingSwitching/General.lean appear correct and consistent with the provided context and the logic of modular proof system composition in ArkLib.

Analysis:

Relation Definitions (Hunks 1, 2, 3, 5):
- The removal of fullInputRelation and fullOutputRelation abbreviations and their inline replacement is a safe refactoring.
- The switch to strictBatchingInputRelation and mlIOPCS.toStrictRelInput in the Completeness proofs (perfectCompleteness) is appropriate. Completeness requires that an honest prover with a valid witness satisfies the verifier. "Strict" relations typically define the exact functional transformation of witnesses performed by the honest prover.
- The retention of batchingInputRelation and mlIOPCS.toRelInput in the Soundness proofs (rbrKnowledgeSoundness) is also correct. Soundness generally establishes that if a verifier accepts, an extractor can produce some witness satisfying the relation, which is what the non-strict relations typically capture.
Error Function Type Fix (Hunk 4):
- The change in batchingCoreRbrKnowledgeError from BatchingPhase.batchingRBRKnowledgeError κ L K to fun _ => BatchingPhase.batchingRBRKnowledgeError (κ:=κ) (L:=L) wraps a constant error term into a constant function. This is necessary because OracleVerifier composition expects the error bound to be a function of the challenge index, even if it is constant. This fixes a type mismatch.
Soundness Proof Cleanup (Hunk 5):
- The soundness proof previously contained sorry placeholders. These have been replaced with valid composition steps.
- The use of OracleVerifier.append_rbrKnowledgeSoundness twice correctly composes the three phases: Batching -> Sumcheck (Core Interaction) -> Base PCS (mlIOPCS).
- The use of OracleVerifier.rbrKnowledgeSoundness_of_eq_error with h_ε := by intro i; rfl confirms that the error bound defined in fullRbrKnowledgeError (which sums the errors of the components) definitionally matches the error bound resulting from the append operations.
- The update to the instance implicit omit syntax ([∀ i, ...]) corrects the specification for dependent instances.
No Misformalization Detected:
- No off-by-one errors or recursion issues were found in the diff.
- Universe levels and type hierarchies appear consistent with the library's design.
- Assumptions regarding SelectableType are refined but sound.

📄 **Review for `ArkLib/ProofSystem/Binius/RingSwitching/Prelude.lean`**

Verdict: Correct

The changes in ArkLib/ProofSystem/Binius/RingSwitching/Prelude.lean correctly introduce a distinction between "strict" and "initial" (relaxed) compatibility relations for oracle statements. This allows the formalization to distinguish between properties that hold for honest witnesses (like completeness) and those that must hold for any valid witness (like soundness), which is crucial for the Ring-Switching context where witnesses are constrained to subfields.

Analysis:

MLPEvalRelation: The equality flip is semantically equivalent and aligns with standard Lean rewriting conventions (rewriting evaluation to the claim).
AbstractOStmtIn: The addition of strictInitialCompatibility and the implication lemma strictInitialCompatibility_implies_initialCompatibility correctly formalizes the notion that honest generation is a subset of valid opening. The uniqueness axiom correctly captures the binding property of the ideal oracle.
MLIOPCS: The introduction of strictPerfectCompleteness and the update to the input relation in the existing completeness field (assuming the modified field is indeed perfectCompleteness) correctly tighten the completeness requirement to hold for strictly compatible (honest) inputs.
masterKStateProp Refactoring: The extraction of localChecks makes the property reusable for both strict and relaxed settings. masterStrictKStateProp is correctly defined using the strict compatibility relation.
Subset Lemmas: toStrictRelInput_subset_toRelInput and strictSumcheckRoundRelation_subset_sumcheckRoundRelation are correctly proven, ensuring that the strict relation is indeed a sub-relation of the standard one.

Note:
The diff appears to modify an existing completeness field to use toStrictRelInput and also adds a strictPerfectCompleteness field. While this might seem redundant if they define the same property, it does not introduce logical incorrectness. It ensures that the protocol satisfies strict completeness. Assuming the broader file structure handles the field names appropriately, the formalization logic within the diff is correct.

📄 **Review for `ArkLib/ProofSystem/Binius/RingSwitching/Spec.lean`**

The changes in ArkLib/ProofSystem/Binius/RingSwitching/Spec.lean involve refactoring the protocol specifications and instances to leverage definitions from ArkLib/ProofSystem/Binius/BinaryBasefold/Spec and to remove incomplete code (the sorry in the OracleInterface instance).

Detailed Review:

Imports and Open Namespaces:
- The addition of import ArkLib.ProofSystem.Binius.BinaryBasefold.Spec and open Binius.BinaryBasefold allows reusing the specification components from the Binary BaseFold implementation. This is logical given that Ring-Switching reduces to a Large-Field PCS (like BaseFold), and they share structure (e.g., sumcheck).
pSpecFinalSumcheck Refactoring:
- The definition is changed from an explicit ProtocolSpec 1 to pSpecFinalSumcheckStep (L := L).
- Correctness: In the Ring-Switching protocol (Construction 3.1, Step 7), the prover sends the final evaluation $s' = t'(r')$ to the verifier. This is a single message interaction of a field element from P to V. Assuming pSpecFinalSumcheckStep in BinaryBasefold defines exactly this (standard final step of a sumcheck), the refactoring is correct and improves modularity.
Instance Updates (OracleInterface):
- pSpecBatching: The pattern matching | ⟨0, h0⟩ => nomatch h0 is replaced with fun _ => OracleInterface.instDefault.
  - Context: pSpecBatching likely corresponds to Steps 1-3 of Construction 3.1: P sends $\hat{s}$ (Round 0, P $\to$ V), V checks, V sends $r''$ (Round 1, V $\to$ P). Round 0 typically has no challenge (Challenge type is Empty), while Round 1 has a challenge ($r''$).
  - Logic: The previous code handled Empty via nomatch. The new code uses instDefault. This assumes OracleInterface has an instance for Empty (or whatever the challenge type is) that behaves trivially or correctly. Given that the code compiles, this instance resolution is valid.
- pSpecSumcheckRound: The sorry is removed and replaced with instDefault.
  - Context: A sumcheck round involves P sending a polynomial (Round 0, P $\to$ V, Challenge Empty) and V sending a challenge (Round 1, V $\to$ P, Challenge L).
  - Logic: This fixes an incomplete formalization (sorry). As with pSpecBatching, it relies on instDefault handling the challenge types correctly.
Instance Removals:
- Instances for OracleInterface, SelectableType, Fintype, and Inhabited for pSpecFinalSumcheck are removed.
- Correctness: Since pSpecFinalSumcheck is now defined as pSpecFinalSumcheckStep (and marked @[reducible]), the type class inference system will locate the instances associated with pSpecFinalSumcheckStep (defined in BinaryBasefold). This eliminates code duplication.
Finite Range Instance:
- instance instFiniteRange_Empty_append_pSpecBatchingChallenge is simply named. No logic change.

Alignment with External Reference:

The pSpecSumcheckLoop corresponds to Step 6 of Construction 3.1 (the sumcheck loop).
The pSpecFinalSumcheck corresponds to Step 7 (sending the final evaluation).
The overall structure of pSpecCoreInteraction combining these is consistent with the protocol flow described in the paper.

Verdict:
The changes are correct. They improve code maintenance by reusing specifications and fixing missing instances (sorry).

Formalization Status: Correct.

📄 **Review for `ArkLib/ProofSystem/Binius/RingSwitching/SumcheckPhase.lean`**

Verdict & Feedback

The changes in ArkLib/ProofSystem/Binius/RingSwitching/SumcheckPhase.lean are Correct.

The implementation of the sumcheck phase for the Ring-Switching protocol is rigorous and aligns with the expected behavior described in the Binius papers (specifically the reduction logic for multilinear polynomials).

Highlights of the Review:

Strict Relations: The switch to strictSumcheckRoundRelation improves precision for soundness proofs, ensuring exact equality constraints are propagated.
Round-by-Round Extraction: The definitions of iteratedSumcheckRbrExtractor and finalSumcheckRbrExtractor correctly implement the witness extraction logic.
- For the iterated step, the extractor handles the backward reconstruction of the polynomial $H$ from the next round's witness.
- For the final step, it correctly bridges the sumcheck witness to the underlying polynomial evaluation claim.
Knowledge State & Soundness:
- iteratedSumcheckKStateProp and finalSumcheckKStateProp accurately capture the verification state invariants at each step of the protocol.
- The proof of iteratedSumcheck_doom_escape_probability_bound correctly applies the Schwartz-Zippel lemma for degree-2 polynomials (arising from the product of a multilinear polynomial and the multilinear equality indicator), yielding the expected $2/|L|$ error bound.
Composition: The composition of the sumcheck loop and the final step in coreInteraction_rbrKnowledgeSoundness correctly aggregates the knowledge errors. The handling of the final step's empty challenge index is logically sound.

No issues regarding off-by-one errors, type hierarchies, or universe levels were found. The integration with ArkLib's OracleReduction and BinaryBasefold modules is consistent.

📄 **Review for `ArkLib/ToMathlib/MvPolynomial/Equiv.lean`**

The changes in ArkLib/ToMathlib/MvPolynomial/Equiv.lean introduce two lemmas concerning the map Polynomial.toMvPolynomial, which embeds univariate polynomials into multivariate polynomials (presumably mapping $X \mapsto X_i$). These lemmas are standard results required for handling polynomial embeddings in the context of the referenced cryptographic protocols (specifically for degree bounds in Schwartz-Zippel applications).

Verdict: The formalization is Correct.

Analysis:

Polynomial.toMvPolynomial_ne_zero_iff:
- Logic: Proves that the embedding is injective (preserves non-zero status). This relies on toMvPolynomial_injective, which is consistent with the map being an algebraic embedding $R[X] \hookrightarrow R[X_\sigma]$.
- Correctness: The proof script is sound.
Polynomial.toMvPolynomial_totalDegree_le:
- Logic: Proves that the total degree of the embedded polynomial $P(X_i)$ is bounded by (and in fact equal to, for non-trivial rings) the natural degree of $P(X)$.
- Steps:
  1. Decomposes $p$ into a sum of monomials: rw [p.as_sum_support].
  2. Distributes the map over the sum: rw [map_sum].
  3. Bounds the degree of the sum by the max degree of terms: refine MvPolynomial.totalDegree_finsetSum_le ?_.
  4. Analyzes the degree of a single monomial term $c X_i^n$.
- Observation: The line rw [← Polynomial.as_sum_support p] inside the intro n hn block appears to be superfluous.
  - At this point in the proof, the goal concerns the degree of a specific mapped monomial term. The term p only appears on the RHS as p.natDegree.
  - The initial rw [p.as_sum_support] at the start of the proof likely only rewrote the occurrence of p on the LHS (((toMvPolynomial i) p).totalDegree). Thus, the RHS p.natDegree remains p.natDegree.
  - Consequently, there is no sum expression involving p in the goal for rw [← ...] to match and rewrite back to p.
  - While this does not affect the validity of the theorem (as the rewrite likely fails or is a no-op if it succeeds in a weird way, and the subsequent tactics solve the goal correctly), it is good practice to remove dead code.
- Assumptions: The instance [Nontrivial R] is correctly added to support MvPolynomial.totalDegree_X_pow.

Feedback:

Minor Code Cleanup: In Polynomial.toMvPolynomial_totalDegree_le, the tactic rw [← Polynomial.as_sum_support p] seems unnecessary. The goal at that state should be ((toMvPolynomial i) (monomial n (p.coeff n))).totalDegree ≤ p.natDegree (or simplified version thereof), and p.natDegree on the RHS should theoretically not have been unfolded by the first rewrite. If it compiles, it's harmless, but consider removing it for clarity.

The definitions and theorems align well with the algebraic needs of the external reference papers, specifically regarding polynomial embeddings and degree management for proximity tests.

📄 **Review for `ArkLib/ToVCVio/Lemmas.lean`**

This file introduces several lemmas related to the StateT monad transformer applied to OracleComp, specifically concerning the support of computations, pure, map, failure, and if-then-else constructs.

Analysis of Changes:

mem_support_pure_stateT_run & mem_support_pure_state:
- These lemmas correctly characterize the support of (pure x : StateT ...).run s. Since pure x in StateT results in the state-value pair (x, s) lifted into the inner monad (here OracleComp), the support is exactly the singleton set {(x, s)}.
- The logic (y, s') ∈ {(x, s)} ↔ y = x ∧ s' = s is correct.
map_ite:
- Asserts that StateT.map distributes over if-then-else. This is standard for functional transformations and relies on split_ifs which is the correct tactic.
map_pure:
- Asserts map f (pure a) = pure (f a) in StateT.
- StateT.map f (pure a) s expands to pure (a, s) >>= λ (x, s'), pure (f x, s') (conceptually).
- Assuming the OracleComp monad satisfies the left identity law definitionally (common for inductive definitions of probability monads in Lean), this reduces to pure (f a, s). The use of rfl confirms this definitional equality holds in the context.
map_failure:
- Asserts mapping over failure remains failure. Assuming failure >>= f = failure definitionally, rfl is correct.
support_map_pure & support_map_failure:
- These derive the support set for the operations defined above.
- map f (pure a) yields pure (f a, s), support is {(f a, s)}. Correct.
- map f failure yields failure, support is ∅. Correct.
map_const_pure & support_map_const_pure:
- Specializations of map_pure where the function is constant. Useful for rewriting. Logic is identical to map_pure.
support_ite:
- Asserts support distributes over if-then-else. Correct.

Conclusion:
The formalization is consistent with standard monadic properties and the behavior of StateT. No off-by-one errors, type hierarchy misuses, or incorrect assumptions were found. The code aligns with the goal of providing utility lemmas for verifying probabilistic computations involving state.

Verdict:
The changes are correct.

ArkLib/ToVCVio/Lemmas.lean

No changes needed.

📄 **Review for `ArkLib/ToVCVio/SimulationInfrastructure.lean`**

Review of `ArkLib/ToVCVio/SimulationInfrastructure.lean`

Verdict

Incorrect

The formalization contains two lemmas (exists_path_of_mem_support_forIn_unit and exists_rel_path_of_mem_support_forIn_stateful) whose statements are logically false for the general forIn function used in the premises. While these lemmas are marked with sorry, their stated types represent a misformalization of the properties of forIn, which supports early termination (ForInStep.done).

Critical Issues

1. Invalid Claims about `forIn` Trajectories

Both exists_path_of_mem_support_forIn_unit and exists_rel_path_of_mem_support_forIn_stateful assert that if a forIn loop returns a result in its support, there exists a full execution trace involving every element of the input list l.

Problem: The forIn function allows the loop body f to return ForInStep.done b. In such cases, the loop terminates immediately, returning b. Subsequent elements in l are never processed.
Consequence:
- In exists_path_of_mem_support_forIn_unit, the conclusion ∀ x ∈ l, ... fails if the loop exits early before reaching x.
- In exists_rel_path_of_mem_support_forIn_stateful, the existence of sequences bs and ss of length l.length + 1 satisfying the step condition for ∀ k (specifically requiring ForInStep.yield) is impossible if the loop exited via done.
Fix: Either these lemmas must be restricted to forM / mapM (which do not support early exit), or the hypothesis must assert that the loop body f never returns ForInStep.done (or that the specific result res was reached via a path of yields).

Corrected Snippet (Example for exists_path...):

lemma exists_path_of_mem_support_forIn_unit {σ α : Type} [spec.FiniteRange]
    (l : List α) (f : α → PUnit → StateT σ ProbComp (ForInStep PUnit))
    (s_init s_final : σ) (u : PUnit)
    -- Add hypothesis ensuring no early exit, or restrict f's return type
    (h_yield : ∀ x u s, ∀ r ∈ ((f x u).run s).support, ∃ u', r.1 = ForInStep.yield u')
    (h_mem : (u, s_final) ∈ ((forIn l PUnit.unit f).run s_init).support) :
    ∀ x ∈ l, ∃ s_pre s_post,
      (ForInStep.yield PUnit.unit, s_post) ∈ ((f x PUnit.unit).run s_pre).support := by
  sorry

General Observations

Simulation Lemmas: The lemmas simulateQ_forIn_stateful_run_eq and simulateQ_forIn_stateful_comp are correct. They rely on simulateQ being a monad morphism (distributing over bind/pure), which preserves the recursive structure of forIn.
Probability Bridge: The probability notation bridge lemmas correctly utilize OracleComp.probEvent_bind_eq_tsum to factorize probabilities over monadic binds.
Support Lemmas: The lemmas regarding support and StateT (mem_support_stateful_guard_iff, support_simulateQ_bind_run_eq, etc.) are formally correct derived from the definitions.

chung-thai-nguyen changed the title ~~soundness BBF~~ feat: rbrKnowledgeSoundness of BinaryBasefold & ring-switching Jan 26, 2026

chung-thai-nguyen changed the base branch from main to binarybasefold-proofs January 27, 2026 03:40

chung-thai-nguyen force-pushed the soundness-binarybasefold branch 9 times, most recently from f911ee6 to ccfb501 Compare February 2, 2026 17:07

chung-thai-nguyen force-pushed the soundness-binarybasefold branch 7 times, most recently from f84047a to 16bbca7 Compare February 6, 2026 16:38

alexanderlhicks self-assigned this Feb 7, 2026

chung-thai-nguyen force-pushed the soundness-binarybasefold branch 6 times, most recently from 7654f36 to 1631470 Compare February 9, 2026 16:52

chung-thai-nguyen force-pushed the soundness-binarybasefold branch 2 times, most recently from 26a1095 to c57ce1a Compare February 11, 2026 07:35

chung-thai-nguyen force-pushed the soundness-binarybasefold branch 3 times, most recently from 2098d79 to 56eb214 Compare February 12, 2026 17:03

feat: soundness of binarybasefold

b07e368

chung-thai-nguyen force-pushed the soundness-binarybasefold branch 5 times, most recently from 3372ee6 to b3afeae Compare February 24, 2026 15:55

incremental bad fold events

220554a

chung-thai-nguyen force-pushed the soundness-binarybasefold branch from b3afeae to 220554a Compare February 24, 2026 17:12

fill sorrys

35c8649

chung-thai-nguyen force-pushed the soundness-binarybasefold branch 2 times, most recently from 1828956 to 909194e Compare February 26, 2026 10:45

chung-thai-nguyen added 2 commits February 26, 2026 11:41

updates on iterated_fold identities

39687bd

simple ring-switching-binary-basefold composition

4188fde

chung-thai-nguyen force-pushed the soundness-binarybasefold branch 10 times, most recently from b9f882e to 9762d73 Compare March 1, 2026 18:00

incremental bad event proofs

7a85577

chung-thai-nguyen force-pushed the soundness-binarybasefold branch from 9762d73 to 7a85577 Compare March 2, 2026 03:12

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: rbrKnowledgeSoundness of BinaryBasefold & ring-switching#296

feat: rbrKnowledgeSoundness of BinaryBasefold & ring-switching#296
chung-thai-nguyen wants to merge 6 commits intobinarybasefold-proofsfrom
soundness-binarybasefold

chung-thai-nguyen commented Jan 25, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Jan 25, 2026 •

edited

Loading

Documentation and Headers

Naming Conventions

Syntax and Formatting

Normal Forms

Uh oh!

alexanderlhicks commented Feb 10, 2026

Uh oh!

chung-thai-nguyen commented Feb 10, 2026

Uh oh!

alexanderlhicks commented Feb 20, 2026

Uh oh!

github-actions bot commented Feb 20, 2026

1. Analysis of Implementation

2. Check for Misformalization

3. Verdict & Feedback

Review of `ArkLib/ToVCVio/SimulationInfrastructure.lean`

Verdict

Critical Issues

1. Invalid Claims about `forIn` Trajectories

General Observations

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

chung-thai-nguyen commented Jan 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Jan 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🤖 Gemini PR Summary

Mathematical & Algebraic Foundations

Binary Basefold Soundness

Ring-Switching & IOPCS Composition

Integration & Infrastructure

Documentation and Headers

Naming Conventions

Syntax and Formatting

Normal Forms

Uh oh!

alexanderlhicks commented Feb 10, 2026

Uh oh!

chung-thai-nguyen commented Feb 10, 2026

Uh oh!

alexanderlhicks commented Feb 20, 2026

Uh oh!

github-actions bot commented Feb 20, 2026

🤖 AI Review (with external context)

🤖 AI Review

1. Analysis of Implementation

2. Check for Misformalization

3. Verdict & Feedback

Review of ArkLib/ToVCVio/SimulationInfrastructure.lean

Verdict

Critical Issues

1. Invalid Claims about forIn Trajectories

General Observations

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

chung-thai-nguyen commented Jan 25, 2026 •

edited

Loading

github-actions bot commented Jan 25, 2026 •

edited

Loading

Review of `ArkLib/ToVCVio/SimulationInfrastructure.lean`

1. Invalid Claims about `forIn` Trajectories