Hybrid Poly Commitments for Scalable Binius Zero-Knowledge Proofs in Federated Learning

Abstract

Federated learning enables collaborative model training without sharing raw data, but practical deployments increasingly require verifiable guarantees that clients compute updates correctly. Zero-knowledge proofs can provide such guarantees, yet existing approaches face scalability limits due to the combined cost of polynomial commitments and fast Fourier transform (FFT) intensive verification. Pairing-based schemes offer compact proofs but incur high prover and verifier overhead, while hash-based constructions reduce algebraic cost at the expense of rapidly growing proof sizes. This paper proposes Hybrid-Commit, a polynomial commitment architecture for Binius zero-knowledge proofs that aligns cryptographic primitives with the algebraic structure of federated learning workloads. The scheme separates verification into additive and multiplicative phases: linear aggregation is handled using batched additive commitments optimized for binary fields, while non-linear constraints are verified via hash-based commitments over sparsely selected FFT domains. Proofs from multiple clients are combined through recursive aggregation while preserving non-interactivity. Experiments demonstrate scalability in prover time and proof size (near-constant prover time across 4–11 clients; 160 bytes per client representing 341× and 813× reductions vs. FRI-PCS and Orion), although verification time (762 ms per client) does not scale favorably, making the scheme suitable for bandwidth-constrained scenarios. The scheme achieves under 2% end-to-end training overhead with no impact on model accuracy, indicating that workload-aware commitment design can improve specific scalability dimensions of zero-knowledge verification in federated learning systems.

1. Introduction

Federated learning is often described as a promising approach for privacy-aware machine learning since it allows models to be trained across separate data silos without sharing raw data [1]. Still, the field sometimes treats its trust assumptions with more confidence than the evidence really supports. Participants are expected to behave honestly and compute updates correctly, yet this expectation appears to leave room for misuse. Zero-knowledge proofs (ZKPs) have been suggested as one way to address these weaknesses because they let parties verify computations without exposing their underlying inputs [2]. Within this space, Binius proofs have gained attention for binary circuit workloads. Their algebraic structure tends to fit neatly with modern proof pipelines, although some limitations remain [3].

Two bottlenecks seem to recur whenever ZKPs are paired with federated learning. The first involves the overhead created by polynomial commitments, and the second stems from the heavy use of fast Fourier transforms. Existing systems either rely on homomorphic polynomial commitments such as KZG10 [4], which may not scale well when model sizes or participant counts grow, or they fall back on hash-based strategies that inflate proof size to the point of impracticality [5]. This tension between computational cost and compact proofs becomes even more visible in cross-silo deployments where organizations work with large heterogeneous datasets and cannot tolerate high verification delays [6].

To address these issues, we propose a hybrid commitment architecture that mixes additive and multiplicative homomorphic techniques. The additive layer builds on multi-polynomial KZG variants adapted to binary fields. These variants are likely to help with the many linear operations that dominate most federated learning pipelines [7]. For the non-linear steps that rely on FFTs, we introduce a sparse multiplicative commitment layer that uses optimized hash functions. Early experiments suggest that this approach shrinks the effective FFT domain by roughly an order of magnitude compared to more uniform designs [8]. The division between linear and non-linear operations reflects how federated learning tends to behave in practice, where aggregation is frequent and non-linear checks occur less often.

The main contributions of this work are threefold. First, we outline a hybrid commitment scheme that separates proof generation into additive and multiplicative phases, each tuned for its computational profile. Second, we adapt Binius encoding so that it remains algebraically compatible with efficient ZKPs while still handling the uneven distributions common in real federated datasets [9]. Third, we provide an implementation that shows scalability in prover time and proof size: near-constant prover time with respect to the number of participants and sublinear growth in proof size relative to model complexity. Note that verification time does not scale favorably compared to the baseline methods, limiting applicability to scenarios where communication efficiency is prioritized over verification speed. These results may help to remove some of the obstacles that have slowed wider adoption of verifiable federated learning.

Our approach departs from previous efforts in several ways. Earlier ZKP systems tend to apply the same cryptographic machinery to every operation [10], but our design tries to match the primitive to the algebraic behavior of each step instead of treating all the computations as equal. In addition, many verification methods in federated learning seem to trade efficiency for privacy or the reverse [11]. The hybrid design aims to avoid forcing that trade. Finally, we introduce a proof aggregation technique that keeps the security level of the individual proofs intact while reducing communication overhead, which is often a serious pain point in distributed settings [12].

The remainder of the paper follows a standard structure. Section 2 reviews the related work on polynomial commitments and ZKP-oriented cryptography. Section 3 describes the mathematical foundation of Binius encoding, a threat model, and security assumptions. Section 4 outlines the construction of the hybrid commitment scheme with formal algorithms. Section 5 presents the experimental evaluation, including limitations and a discussion. Section 6 concludes.

2. Related Work

Research on polynomial commitments has shaped much of the current landscape in zero-knowledge proof (ZKP) systems. These schemes enable a verifier to check polynomial evaluations without learning the underlying polynomial, a property that has become nearly indispensable in modern ZKP pipelines. The pairing-based construction of KZG10 [4] is commonly regarded as the starting point of this line of work. Subsequent extensions introduced batching and aggregation techniques, but the cost of handling high-degree polynomials grows rapidly in settings such as federated learning, where model sizes can become substantial. Multi-polynomial variants [7] improve throughput by committing to several polynomials simultaneously, yet their reliance on pairings remains a limitation, particularly when computations are performed over binary fields.

A different research stream draws inspiration from error-correcting codes. Schemes such as Brakedown and RedShift demonstrate that linear-time encodings can replace more traditional commitment constructions [13]. These approaches significantly reduce prover time, which is attractive in workloads where prover-side computation dominates. The trade-off lies in proof size, which tends to grow noticeably. In federated learning scenarios, where communication occurs over multiple rounds between clients and servers, this expansion can become problematic. In practice, the communication overhead appears to constrain the deployability of such methods in large-scale distributed systems.

Hash-based polynomial commitments offer another alternative. Instead of relying on expensive algebraic operations, these constructions are built on standard cryptographic hash functions. The SmallWood framework [8] was an early example, organizing Merkle trees over FFT domains to prove relations about structured polynomials. Later work such as Orion [14] adapted these ideas to sparse polynomials, a setting that naturally arises in federated learning when client updates differ substantially. While these constructions avoid pairing operations entirely, they typically incur larger proof sizes and more involved verification procedures, which can complicate their integration into broader ZKP ecosystems.

The performance of hash-based systems depends critically on the underlying hash function. SNARK-oriented primitives such as Poseidon [15] are efficient over large prime fields, but adapting them to binary fields often introduces additional overhead. More recent designs, including Anemoi [16], focus explicitly on binary-field efficiency by reshaping the permutation structure to reduce FFT-related costs. Early evaluations report speedups of roughly a factor of two in certain settings. These results make hash-based commitments increasingly attractive for workloads involving repeated polynomial evaluations, although their integration into production-grade proof systems remains an active area of investigation.

Federated learning introduces further complexity. Early attempts at verifiable computation in this domain, such as ByzSFL [12], relied on generic ZKP frameworks to provide Byzantine resilience during secure aggregation. While conceptually sound, these solutions incurred substantial overhead. Later work [10] explored more specialized proof designs to reduce computational cost but faced difficulties coping with the highly variable participation patterns observed in real deployments. Blockchain-based verification approaches [11] offloaded part of the verification burden on chain at the expense of high gas costs that limited scalability to relatively small models.

The hybrid commitment scheme introduced in this work builds on these prior efforts while aiming to avoid their individual shortcomings. Instead of enforcing a single cryptographic primitive throughout the computation, we combine additive and multiplicative commitments so that each phase aligns with the algebraic structure of the underlying operation. This contrasts with approaches such as [7], which rely on pairings even for linear components, and with hash-heavy designs like [8]. The resulting architecture appears to scale more gracefully than monolithic systems while preserving the security guarantees required in federated learning environments.

3. Preliminaries

This section collects the mathematical ingredients that we rely on later in the construction of our hybrid commitment scheme. The aim is not to provide a full tutorial on Binius-style zero-knowledge proofs [17] but rather to fix notation and highlight the parts that appear to matter most in a federated learning setting. Where the literature is still moving, we deliberately keep a slightly cautious tone instead of pretending that every detail is fully settled.

3.1. Binius Encoding for Binary-Field Arithmetic

The Binius encoding framework operates over binary extension fields ${\mathbb{F}}_{2^k}$ [3]. A key property of these fields is their tower structure:

$${\mathbb{F}}_2\subset {\mathbb{F}}_{2^2}\subset \cdots \subset {\mathbb{F}}_{2^k}$$

(1)

This hierarchical construction enables efficient arithmetic through recursive decomposition, which proves especially valuable for neural network computations where weights and activations frequently exhibit binary or low-precision patterns. For a polynomial $f\in {\mathbb{F}}_{2^k}\left[X\right]$ of degree d, the Binius encoding represents evaluations as

$$\mathrm{Enc}\left(f\right)=\left(f\left({\alpha }_1\right),\dots ,f\left({\alpha }_n\right)\right)$$

(2)

where ${\alpha }_i$ are carefully chosen points in ${\mathbb{F}}_{2^k}$ that preserve the algebraic structure while enabling efficient interpolation. The encoding maintains homomorphic properties for both addition and multiplication, although each operation has distinct computational characteristics, a difference our hybrid scheme deliberately exploits.

3.2. Homomorphic Commitments in Binary Fields

Homomorphic commitments provide the cryptographic foundation for verifiable computation in zero-knowledge proof systems. Within Binius proofs, commitments must preserve both additive and multiplicative structures:

$$\mathrm{Commit}(f+g)=\mathrm{Commit}\left(f\right)\oplus \mathrm{Commit}\left(g\right)$$

(3)

$$\mathrm{Commit}(f·g)=\mathrm{Commit}\left(f\right)\otimes \mathrm{Commit}\left(g\right)$$

(4)

where ⊕ and ⊗ denote operations in the commitment space. The KZG10 scheme [4] achieves this through pairing-based constructions but suffers from quadratic prover complexity in binary fields. More recent multi-polynomial variants [7] improve scalability via batching yet still impose substantial overhead for large-scale federated learning models.

An alternative approach for binary fields leverages linear-time encodings based on error-correcting codes [5]. These constructions replace traditional polynomial commitments with linear combinations of pseudorandom codewords:

$$\mathrm{Commit}\left(f\right)=\sum _{i=1}^d{c}_i·G_i$$

(5)

where $G_i$ are generators of a linear code with efficient encoding. Although this reduces prover complexity to linear time, it produces larger proofs, a significant drawback in bandwidth-constrained federated settings.

3.3. FFT Bottlenecks in Binary-Field Arithmetic

Fast Fourier transforms underpin polynomial multiplication and evaluation in most ZKP systems. In binary fields, FFT operations exhibit characteristics that distinguish them from their prime-field counterparts:

Additive FFTs. The tower structure of binary extension fields supports an additive FFT variant based on recursive subspace decomposition rather than multiplicative roots of unity [18]. This reduces the complexity from $O(nlogn)$ to $O(n\log n/\log \log n)$ for certain parameter choices.

Sparse–Dense Trade-Offs. Federated learning updates typically display sparsity patterns arising from client-specific data distributions [9]. Standard FFT algorithms ignore this sparsity entirely, computing transforms over full domains regardless of input structure.

Memory Access Patterns. The recursive nature of binary-field FFTs generates irregular memory access patterns that degrade performance on modern hardware, particularly when handling the large polynomials common in deep learning models.

FFT operations dominate proof generation time in current systems, which motivates our hybrid approach: we minimize FFT usage, restricting it to essential non-linear verification steps. As Section 4 demonstrates, careful partitioning of the computation allows most FFT operations to be replaced with more efficient linear algebraic techniques, all while preserving the security guarantees of the full protocol.

3.4. Threat Model and Security Assumptions

We now formalize the threat model and security guarantees of Hybrid-Commit in the federated learning context. The system involves three types of parties: clients that compute model updates, aggregators that combine updates, and verifiers that validate proof correctness.

Trust Boundaries: We assume a semi-honest adversary model where

1.

Clients may attempt to submit incorrect gradient computations or model updates, but they cannot collude with the aggregator or verifier to break cryptographic primitives. Clients are computationally bounded and cannot break the discrete logarithm assumption in the pairing groups or find hash collisions.

2.

Aggregators are trusted to correctly execute the aggregation protocol but may be curious about individual client updates. The aggregator does not participate in proof generation or verification.

3.

Verifiers are honest and follow the verification protocol correctly. They have access to the structured reference string (SRS) for additive commitments but do not know the secret trapdoor.

Zero-Knowledge Guarantees: Hybrid-Commit provides computational zero-knowledge in the random oracle model. For a client’s model update f and evaluation point z, the proof $\Pi =({\pi }_{\mathrm{add}},{\pi }_{\mathrm{mul}})$ reveals no information about f beyond the claimed evaluation $f\left(z\right)$ and the commitment values. Specifically,

• The additive KZG10 commitment ${\pi }_{\mathrm{add}}$ is a group element that is computationally indistinguishable from a random group element, assuming the discrete logarithm hardness in ${\mathbb{G}}_1$.
• The multiplicative hash-based commitment ${\pi }_{\mathrm{mul}}$ reveals only the Merkle tree structure and selected evaluation points, with no information about unqueried polynomial values, assuming the hash function H is a random oracle.

Soundness Guarantees: Hybrid-Commit achieves computational soundness with security parameter $\lambda$. If a malicious client produces a proof $\Pi$ that verifies an incorrect evaluation $f^{\prime }\left(z\right)\ne f\left(z\right)$, then either

1.

The additive KZG10 component is broken (violating the q-SDH assumption);

2.

The multiplicative hash commitment is broken (finding a hash collision);

3.

The Binius proof system underlying the construction is broken.

The soundness error is bounded by ${ϵ}_{\mathrm{sound}}\le max({ϵ}_{\mathrm{KZG}},{ϵ}_{\mathrm{hash}},{ϵ}_{\mathrm{Binius}})$, where ${ϵ}_{\mathrm{KZG}}=O(1/q)$ for SRS of size q, ${ϵ}_{\mathrm{hash}}=O(1/2^{\lambda })$ for hash output length $\lambda$, and ${ϵ}_{\mathrm{Binius}}$ depends on the Binius proof parameters. For our implementation with $\lambda =128$ and $q\ge 2^{20}$, the overall soundness error is negligible.

Adversarial Behaviors: The scheme protects against

• Incorrect gradient computation: Clients cannot submit false gradients without detection as the proof verifies the correctness of the computation.
• Model poisoning: While Hybrid-Commit verifies computational correctness, it does not prevent clients from submitting adversarially crafted but correctly computed gradients. Additional defenses (e.g., gradient clipping and outlier detection) must be layered on top.
• Selective update omission: Clients cannot selectively omit parameter updates without detection as the commitment covers the entire polynomial representation of the model update.

4. Hybrid-Commit: Additive–Multiplicative Polynomial Commitment for Binius

The proposed hybrid commitment scheme strategically decomposes the proof generation process into distinct phases, each optimized for specific algebraic properties of federated learning computations. As shown in Figure 1, the system alternates between additive commitments for linear operations and multiplicative commitments for non-linear verification, creating an efficient pipeline that minimizes expensive cryptographic operations. This section details the technical construction of both commitment types and their composition into a unified proof system.

Implementation Note: The experimental evaluation in Section 5 uses the full cryptographic implementation specified in this section, including pairing-based KZG10 commitments (BLS12-381), binary-field ${\mathbb{F}}_{2^k}$ arithmetic, and sparse FFT optimizations. All measurements reflect the actual performance of the complete cryptographic stack as detailed below.

4.1. Hybrid Additive–Multiplicative Commitment Structure Implementation

The hybrid commitment structure partitions the proof generation process into two distinct phases based on algebraic properties. We first describe the scheme for a single client, then extend it to batched multi-client operations in Section 4.2. Let $f\in {\mathbb{F}}_{2^k}\left[X\right]$ denote a polynomial representing a single client’s model update in federated learning, decomposed as

$$f\left(X\right)=f_{\mathrm{lin}}\left(X\right)+f_{\mathrm{nlin}}\left(X\right)$$

(6)

where $f_{\mathrm{lin}}$ contains terms involved in linear operations (e.g., gradient aggregation) and $f_{\mathrm{nlin}}$ captures non-linear components requiring verification.

For a single client, the additive commitment phase handles $f_{\mathrm{lin}}$ through a KZG variant:

$${\mathrm{Commit}}_{\mathrm{Add}}\left(f_{\mathrm{lin}}\right)={\left[f_{\mathrm{lin}}\left(s\right)\right]}_1$$

(7)

where ${[·]}_1$ denotes elements in group ${\mathbb{G}}_1$ of a bilinear pairing, and s is a secret point from the structured reference string (SRS). The evaluation proof for $f_{\mathrm{lin}}$ at point z follows:

$${\pi }_{\mathrm{add}}={\left[{\displaystyle \frac{f_{\mathrm{lin}}\left(s\right)-f_{\mathrm{lin}}\left(z\right)}{s-z}}\right]}_1$$

(8)

For the multi-client batched setting with m clients, where each client i contributes polynomial $f_{\mathrm{lin},i}$, the batched additive commitment is

$${\mathrm{Commit}}_{\mathrm{Add}}\left({\left\{f_{\mathrm{lin},i}\right\}}_{i=1}^m\right)=\sum _{i=1}^m{\left[f_{\mathrm{lin},i}\left(s\right)\right]}_1$$

(9)

The full multi-polynomial batching mechanism, including batch evaluation proofs, is detailed in Section 4.2.

Algorithm 1 formalizes the interaction between additive and multiplicative phases for a single client’s proof generation. The algorithm shows when each phase is triggered: the additive phase executes for all clients during linear aggregation, while the multiplicative phase activates selectively for non-linear verification.

Algorithm 1 Hybrid-Commit Proof Generation for Single Client

Require:  Client model update polynomial $f\in {\mathbb{F}}_{2^k}\left[X\right]$, evaluation point z, SRS ${\left\{{\left[s^j\right]}_1\right\}}_{j=0}^d$, sparse domain ${\Omega }^{\prime }\subset {\mathbb{F}}_{2^k}$ Ensure:  Proof $\Pi =({\pi }_{\mathrm{add}},{\pi }_{\mathrm{mul}})$ 1: procedure HybridCommitProof($f\left(X\right)$, z, SRS, ${\Omega }^{\prime }$) 2:                  ▹ Step 1: Decompose update into linear and non-linear components 3:     $(f_{\mathrm{lin}},f_{\mathrm{nlin}})\leftarrow \mathrm{DECOMPOSE}\left(f\right)$ 4:                   ▹ Step 2: Additive phase—always executed for linear aggregation 5:     Additive Phase: 6:     ${\mathrm{Commit}}_{\mathrm{Add}}\leftarrow {\left[f_{\mathrm{lin}}\left(s\right)\right]}_1$                                ▹ Using SRS 7:     ${\pi }_{\mathrm{add}}\leftarrow {\left[{\displaystyle \frac{f_{\mathrm{lin}}\left(s\right)-f_{\mathrm{lin}}\left(z\right)}{s-z}}\right]}_1$ 8:                  ▹ Step 3: Multiplicative phase—executed for non-linear verification 9:     Multiplicative Phase: 10:     ${\Omega }^{\prime }\leftarrow \mathrm{SPARSESELECT}\left(f_{\mathrm{nlin}}\right)$                    ▹ Using Algorithm 2, $t=O(logn)$ 11:     $\mathrm{evaluations}\leftarrow \mathrm{SPARSEFFT}(f_{\mathrm{nlin}},{\Omega }^{\prime })$                    ▹ Additive FFT algorithm 12:     $\mathcal{T}\leftarrow \mathrm{BUILDMERKLETREE}\left(\mathrm{evaluations}\right)$ 13:     ${\mathrm{Commit}}_{\mathrm{Mul}}\leftarrow H\left(\mathrm{root}\left(\mathcal{T}\right)\right)$ 14:     ${\mathrm{path}}_z\leftarrow \mathrm{EXTRACTAUTHPATH}(\mathcal{T},z)$ 15:     ${\pi }_{\mathrm{mul}}\leftarrow (f_{\mathrm{nlin}}\left(z\right),{\mathrm{path}}_z,\mathrm{index}\left(z\right))$ 16:     $\Pi \leftarrow ({\pi }_{\mathrm{add}},{\pi }_{\mathrm{mul}})$ 17:     return $\Pi$ 18: end procedure

Algorithm 2 Sparse Domain Selection for Multiplicative Commitments

Require:  Model update polynomial $f_{\mathrm{nlin}}\in {\mathbb{F}}_{2^k}\left[X\right]$ with n coefficients, non-linear indices ${\mathrm{indices}}_{\mathrm{nlin}}$, sparsity target $t_{\mathrm{target}}=O(logn)$ Ensure:  Sparse domain ${\Omega }^{\prime }=\{{\omega }_1,\dots ,{\omega }_t\}$ with $t\le t_{\mathrm{target}}$ 1: procedure SparseSelect($f_{\mathrm{nlin}}$, ${\mathrm{indices}}_{\mathrm{nlin}}$, $t_{\mathrm{target}}$) 2:     $n\leftarrow \mathrm{len}\left(f_{\mathrm{nlin}}\right)$ 3:     $t\leftarrow max(1,\lfloor {log}_2\left(n\right)\rfloor )$                                ▹ Dynamic sparsity: $t=O(logn)$ 4:     $t\leftarrow min(t,n,64)$                                  ▹ Cap at 64 for practical limits 5:     if $\mathrm{len}\left({\mathrm{indices}}_{\mathrm{nlin}}\right)\ge t$ then 6:         ${\Omega }^{\prime }\leftarrow {\mathrm{indices}}_{\mathrm{nlin}}[:t]$                         ▹ Use provided non-linear indices if available 7:     else 8:                                        ▹ Deterministic fallback: powers of 2 9:         ${\Omega }^{\prime }\leftarrow \{2^i:i\in [0,\lfloor {log}_2\left(t\right)\rfloor ],2^i<n\}$ 10:         if $\mathrm{len}\left({\Omega }^{\prime }\right)<t$ then 11:            $\mathrm{remaining}\leftarrow t-\mathrm{len}\left({\Omega }^{\prime }\right)$ 12:            $\mathrm{step}\leftarrow max(1,\lfloor n/(\mathrm{remaining}+1)\rfloor )$ 13:            ${\Omega }^{\prime }\leftarrow {\Omega }^{\prime }\cup \{\mathrm{step}·i:i\in [1,\mathrm{remaining}],\mathrm{step}·i<n\}$ 14:         end if 15:     end if 16:     return ${\Omega }^{\prime }$                     ▹ Deterministic selection ensures reproducibility across clients 17: end procedure

Federated Learning Integration Flow: In each federated learning round, the coordination follows (1) Local Training: Each client computes model update f and decomposes it into $f_{\mathrm{lin}}$ (linear operations like gradient aggregation) and $f_{\mathrm{nlin}}$ (non-linear components). (2) Additive Commitment Generation: All clients generate additive commitments for $f_{\mathrm{lin}}$ using batched KZG10 (Section 4.2); this phase is always executed as it handles the dominant linear operations. (3) Aggregation: The aggregator combines additive commitments homomorphically using Equation (12). (4) Multiplicative Verification: The multiplicative phase activates selectively only when verifying non-linear constraints, suspicious updates, or cross-client consistency checks, using sparse FFT over the selected domain ${\Omega }^{\prime }$ (Algorithm 2). This selective activation minimizes FFT overhead (92% reduction) while maintaining security guarantees. The additive phase handles the majority of operations (linear aggregation), while the multiplicative phase provides additional security for critical non-linear verification.

For the multiplicative phase handling $f_{\mathrm{nlin}}$, we employ a hash-based commitment over a sparse FFT domain $\Omega \subset {\mathbb{F}}_{2^k}$:

$${\mathrm{Commit}}_{\mathrm{Mul}}\left(f_{\mathrm{nlin}}\right)=H(f_{\mathrm{nlin}}\left({\omega }_1\right),\dots ,f_{\mathrm{nlin}}\left({\omega }_t\right))$$

(10)

where H is a binary-field-optimized hash function (e.g., Anemoi [16]), ${\omega }_i$ are carefully selected points in $\Omega$ with $t\ll n$, and the evaluation proof consists of Merkle paths for the relevant leaves. The sparse domain reduces FFT complexity from $O(nlogn)$ to $O(tlogt)$ while maintaining security through the hash function’s collision resistance.

4.2. Binary-Field-Optimized Additive KZG10 Variant Details

The additive phase of our hybrid commitment scheme employs a modified KZG10 construction that operates on polynomials over binary fields ${\mathbb{F}}_{2^k}$ while leveraging pairing-based cryptography. Let $\mathcal{P}=\{f_1,\dots ,f_m\}$ denote a set of m polynomials, where each $f_i\in {\mathbb{F}}_{2^k}\left[X\right]$ represents a client’s linear model update in federated learning.

Field Encoding Strategy: Since standard bilinear pairings (e.g., BLS12-381) operate over prime fields, we encode elements from ${\mathbb{F}}_{2^k}$ into the prime field of the pairing curve for KZG10 commitments. Specifically, each coefficient $f_{i,j}\in {\mathbb{F}}_{2^k}$ is mapped to an integer in the prime field via a deterministic encoding function $\varphi :{\mathbb{F}}_{2^k}\to {\mathbb{F}}_p$, where p is the prime field characteristic.

Encoding Correctness: The encoding function $\varphi$ preserves the necessary algebraic properties for KZG10 verification. Specifically,

1.

Linearity preservation: For $a,b\in {\mathbb{F}}_{2^k}$ and $\alpha ,\beta \in {\mathbb{F}}_2$, we have $\varphi (\alpha ·a+\beta ·b)=\alpha ·\varphi \left(a\right)+\beta ·\varphi \left(b\right)(modp)$, where addition in ${\mathbb{F}}_{2^k}$ corresponds to XOR and is preserved under the encoding. This ensures that polynomial addition in ${\mathbb{F}}_{2^k}\left[X\right]$ maps correctly to group operations in ${\mathbb{G}}_1$ via the encoded coefficients.

2.

Evaluation correctness: For a polynomial $f\left(X\right)={\sum }_{j=0}^d{f}_j{X}^j\in {\mathbb{F}}_{2^k}\left[X\right]$ and evaluation point $z\in {\mathbb{F}}_{2^k}$, the encoded evaluation $\varphi \left(f\right(z\left)\right)$ equals the evaluation of the encoded polynomial ${\sum }_{j=0}^d\varphi \left(f_j\right)·\varphi {\left(z\right)}^j(modp)$ up to the field characteristic difference. This property ensures that KZG10 verification (Equation (14)) correctly validates polynomial evaluations.

3.

Non-preserved properties: The encoding does not preserve multiplicative structure: $\varphi (a·b)\ne \varphi \left(a\right)·\varphi \left(b\right)$ in general, which is why multiplicative commitments operate directly over ${\mathbb{F}}_{2^k}$ without encoding.

The encoding is implemented as

$$\varphi \left(x\right)=xmodp,$$

(11)

for $x\in {\mathbb{F}}_{2^k}$ represented as an integer, which provides the required linearity and evaluation correctness while ensuring injectivity when $2^k<p$ (satisfied for BLS12-381 with $p\approx 2^{381}$ and typical $k\le 8$).

This encoding preserves the algebraic structure necessary for polynomial commitments while enabling efficient pairing operations. The FFT operations for multiplicative commitments, however, operate directly over ${\mathbb{F}}_{2^k}$ without encoding, maintaining the efficiency benefits of binary-field arithmetic.

The scheme operates over a structured reference string (SRS) ${\left\{{\left[s^j\right]}_1\right\}}_{j=0}^d$, where s is encoded from ${\mathbb{F}}_{2^k}$ into the prime field, and ${[·]}_1$ denotes elements in ${\mathbb{G}}_1$ of a bilinear pairing (e.g., BLS12-381).

The multi-polynomial commitment for $\mathcal{P}$ is computed as

$${\mathrm{Commit}}_{\mathrm{Add}}\left(\mathcal{P}\right)=\sum _{i=1}^m\sum _{j=0}^d{f}_{i,j}·{\left[s^j\right]}_1$$

(12)

where $f_{i,j}$ is the j-th coefficient of $f_i$. Unlike traditional KZG10, which requires $O\left(d\right)$ scalar multiplications per polynomial, this batched variant reduces the cost to $O(m+d)$ via precomputed linear combinations of SRS elements.

For evaluation proofs, we exploit the linearity of the commitment scheme. Given a point $z\in {\mathbb{F}}_{2^k}$, the prover computes a batch evaluation proof for all m polynomials:

$${\pi }_{\mathrm{add}}={\left[\sum _{i=1}^m{\displaystyle \frac{f_i\left(s\right)-f_i\left(z\right)}{s-z}}\right]}_1$$

(13)

Verification checks the pairing equation:

$$e({\mathrm{Commit}}_{\mathrm{Add}}\left(\mathcal{P}\right)-\sum _{i=1}^m{\left[f_i\left(z\right)\right]}_1,{\left[1\right]}_2)\stackrel{?}{=}e({\pi }_{\mathrm{add}},{[s-z]}_2)$$

(14)

where $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$ is a bilinear pairing. The notation $\stackrel{?}{=}$ indicates that the verifier checks whether the left-hand side equals the right-hand side, which is standard notation in cryptographic verification protocols.

Binary-field optimizations include

1.

Binary-field arithmetic: Coefficients $f_{i,j}\in {\mathbb{F}}_{2^k}$ enable efficient binary-field operations. While the KZG10 commitment itself operates over the encoded prime field, the polynomial coefficients originate from ${\mathbb{F}}_{2^k}$, allowing us to leverage binary-field arithmetic optimizations (including efficient XOR operations for addition) during polynomial construction and manipulation before encoding.

2.

Sparse polynomial handling: If $f_i$ has $t\ll d$ non-zero coefficients, the commitment simplifies to ${\sum }_{j\in \mathrm{supp}\left(f_i\right)}{\left[s^j\right]}_1$, reducing the number of group operations from $O\left(d\right)$ to $O\left(t\right)$.

This construction avoids FFTs entirely for linear operations, unlike FRI-based schemes [19] or monolithic KZG10, while maintaining constant-sized proofs.

4.3. Selective FFT Application with Hash-Based Commitments

The multiplicative phase of our hybrid scheme activates only when verifying non-linear constraints in federated learning, such as cross-client consistency checks or secure aggregation proofs. Let $g\in {\mathbb{F}}_{2^k}\left[X\right]$ be a polynomial representing such constraints, with degree bound d and evaluation domain $\Omega =\{{\omega }_0,\dots ,{\omega }_{n-1}\}$. Rather than computing a full FFT over $\Omega$, we

1.

Identify critical points ${\Omega }^{\prime }\subset \Omega$, where $|{\Omega }^{\prime }|=t\ll n$, determined by the sparsity pattern of g. For federated learning, this typically corresponds to model parameters requiring verification (e.g., suspicious weight updates).

2.

Compute a sparse FFT over ${\Omega }^{\prime }$ to obtain evaluations ${\left\{g\left({\omega }_i\right)\right\}}_{{\omega }_i\in {\Omega }^{\prime }}$. The complexity reduces from $O(nlogn)$ to $O(tlogt)$ using the additive FFT algorithm for binary fields [18].

The hash-based commitment then compresses these evaluations:

$${\mathrm{Commit}}_{\mathrm{Mul}}\left(g\right)=H(g\left({\omega }_{i_1}\right),\dots ,g\left({\omega }_{i_t}\right))$$

(15)

where $H:{\mathbb{F}}_{2^k}^t\to {\{0,1\}}^{\lambda }$ is a collision-resistant hash function (e.g., Anemoi  [16]) and $\lambda$ is the security parameter. The prover constructs a Merkle tree with leaves $g\left({\omega }_i\right)$, and the verifier checks inclusion paths for selected points.

For a query at $z\in {\Omega }^{\prime }$, the proof ${\pi }_{\mathrm{mul}}$ consists of:

• the value $g\left(z\right)$
• the authentication path in the Merkle tree.
• and the index of z in ${\Omega }^{\prime }$.

Verification requires:

1.

Reconstructing the Merkle root from ${\pi }_{\mathrm{mul}}$.

2.

Checking Commit_Mul(g) matches the computed root.

3.

Validating g(z) against the claimed evaluation.

Sparse domain optimization: We align ${\Omega }^{\prime }$ across clients using a deterministic algorithm based on model architecture and verification needs. Algorithm 2 details the sparse domain selection procedure. The algorithm selects the $t=O(logn)$ points corresponding to the highest-magnitude entries in the model update, ensuring that suspicious or critical parameters are included in the verification domain. This selection is deterministic across clients based on the model architecture, allowing reusing FFT preprocessing data (twiddle factors) and amortizing setup costs in federated learning rounds. The domain size t adapts dynamically based on the estimated fraction of parameters requiring verification, typically $t=O(logn)$ for practical fraud detection thresholds.

Security Impact: The sparse selection prioritizes high-magnitude parameters (via ${\mathrm{indices}}_{\mathrm{nlin}}$) when available, making it harder for adversaries to hide significant modifications. The deterministic fallback (powers of 2, then evenly spaced) ensures reproducibility but is architecture-dependent. As discussed in Section 3.4, adversaries with knowledge of the model architecture and selection criteria can predict the sparse domain, which is why such attacks are out of scope. The security analysis in Equation (16) accounts for this selection strategy.

Security Analysis of Sparse FFT Selection: The sparse domain selection introduces a trade-off between computational efficiency and security margin. Under our threat model (Section 3.4), the scheme protects against computationally bounded adversaries that cannot break the discrete logarithm assumption or find hash collisions. The theoretical soundness error bound for sparse verification follows standard analysis for sparse verification schemes:

$${ϵ}_{\mathrm{sparse}}\le {ϵ}_{\mathrm{hash}}+{\displaystyle \frac{t}{n}}·{ϵ}_{\mathrm{miss}}$$

(16)

where ${ϵ}_{\mathrm{hash}}=O(1/2^{\lambda })$ is the hash collision probability (measured security parameter $\lambda =128$ in our implementation), $t/n$ is the sparsity ratio (with $t=O(logn)$ as implemented in our codebase), and ${ϵ}_{\mathrm{miss}}$ represents the probability that an adversarial modification to an unverified parameter goes undetected. For $t=O(logn)$ and $n\gg t$ (as in our 620K parameter model where $t\approx 20$ and $n=\text{620,810}$), the term $t/n·{ϵ}_{\mathrm{miss}}$ becomes negligible when adversaries cannot predict which parameters will be selected for verification (which holds under our deterministic but architecture-dependent selection as implemented). The scheme protects against adversaries that attempt to modify model updates without detection but does not protect against adversaries that can predict the sparse domain selection based on model architecture knowledge. Attacks that exploit knowledge of the selection algorithm are out of scope as they would require the adversary to know the model architecture and selection criteria in advance.

4.4. SNARK-Friendly Recursive Proof Composition

To enable efficient aggregation of proofs across multiple clients in federated learning, we introduce a recursive composition mechanism that combines the additive and multiplicative commitments. Let ${\Pi }_1,\dots ,{\Pi }_m$ denote the individual proofs from m clients, where each ${\Pi }_i=({\pi }_{\mathrm{add}}^{\left(i\right)},{\pi }_{\mathrm{mul}}^{\left(i\right)})$ contains both commitment components. The recursive verifier processes these proofs as follows:

1.

Additive Proof Folding: For the batched additive proofs, we compute a linear combination:

$${\pi }_{\mathrm{add}}^{\mathrm{agg}}=\sum _{i=1}^m{c}_i·{\pi }_{\mathrm{add}}^{\left(i\right)}$$

(17)

where $c_i\in {\mathbb{F}}_2$ are pseudorandom coefficients derived from a shared seed. This maintains the homomorphic property while reducing verification to a single pairing check per round.

2.

Multiplicative Proof Compression: The hash-based commitments undergo a tree-structured aggregation:

$${\mathrm{Commit}}_{\mathrm{Mul}}^{\mathrm{agg}}=H({\mathrm{Commit}}_{\mathrm{Mul}}^{\left(1\right)},\dots ,{\mathrm{Commit}}_{\mathrm{Mul}}^{\left(m\right)})$$

(18)

where H is the hash function (Anemoi or SHA256). The corresponding Merkle proofs are combined by constructing a Merkle tree over the individual multiplicative commitments, with the aggregated proof consisting of authentication paths to the root. For full recursive SNARK composition [20], a recursive circuit would verify multiple proofs in a logarithmic-depth tree, although the current implementation uses the simpler Merkle tree aggregation for efficiency. The verifier checks the root hash and selective openings as needed.

The recursion leverages the binary-field structure through a tailored constraint system. Let $\mathcal{C}$ be the arithmetic circuit verifying a single client’s proof, with N constraints over ${\mathbb{F}}_{2^k}$. The recursive composition creates a wrapper circuit ${\mathcal{C}}_{\mathrm{rec}}$ that:

• Takes as input two previous verification states $S_1,S_2\in {\mathbb{F}}_{2^k}^{\ell }$.
• Outputs a new state $S^{\prime }={\mathcal{C}}_{\mathrm{rec}}(S_1,S_2)$.
• Has $O(N+logm)$ constraints by reusing intermediate results.

The final aggregated proof ${\Pi }_{\mathrm{agg}}$ is computed via a logarithmic-depth tree of ${\mathcal{C}}_{\mathrm{rec}}$ applications, yielding total verification time $O(logm)$ times that of a single client proof. This matches the lower bound for interactive aggregation protocols while maintaining non-interactivity.

Algorithm 3 details the recursive aggregation process for multiple clients.

Algorithm 3 Recursive Proof Aggregation for Multiple Clients

Require:  Individual proofs ${\{{\Pi }_i=({\pi }_{\mathrm{add}}^{\left(i\right)},{\pi }_{\mathrm{mul}}^{\left(i\right)})\}}_{i=1}^m$ from m clients, shared seed r Ensure:  Aggregated proof ${\Pi }_{\mathrm{agg}}$ 1: procedure RecursiveAggregate(${\left\{{\Pi }_i\right\}}_{i=1}^m$, r) 2:     ${\left\{c_i\right\}}_{i=1}^m\leftarrow \mathrm{PRG}\left(r\right)$       ▹ Generate pseudorandom coefficients from seed 3:     Additive Proof Folding: 4:     ${\pi }_{\mathrm{add}}^{\mathrm{agg}}\leftarrow {\sum }_{i=1}^m{c}_i·{\pi }_{\mathrm{add}}^{\left(i\right)}$                        ▹ In ${\mathbb{G}}_1$ 5:     Multiplicative Proof Compression: 6:     ${\mathcal{T}}_{\mathrm{agg}}\leftarrow \mathrm{BUILDMERKLETREE}\left({\left\{{\mathrm{Commit}}_{\mathrm{Mul}}^{\left(i\right)}\right\}}_{i=1}^m\right)$ 7:     ${\mathrm{Commit}}_{\mathrm{Mul}}^{\mathrm{agg}}\leftarrow H\left(\mathrm{root}\left({\mathcal{T}}_{\mathrm{agg}}\right)\right)$ 8:     ${\left\{{\mathrm{path}}_j\right\}}_{j=1}^m\leftarrow \mathrm{EXTRACTAUTHPATHS}\left({\mathcal{T}}_{\mathrm{agg}}\right)$ 9:     Recursive SNARK Composition (if enabled): 10:     ${\mathcal{C}}_{\mathrm{rec}}\leftarrow \mathrm{BUILDRECURSIVECIRCUIT}\left(\right)$      ▹ Verifies two proofs at a time 11:     ${\Pi }_{\mathrm{agg}}\leftarrow \mathrm{TREEAGGREGATE}(\left\{{\Pi }_i\right\},{\mathcal{C}}_{\mathrm{rec}})$          ▹ Logarithmic-depth tree 12:     ${\Pi }_{\mathrm{agg}}\leftarrow ({\pi }_{\mathrm{add}}^{\mathrm{agg}},{\mathrm{Commit}}_{\mathrm{Mul}}^{\mathrm{agg}},\left\{{\mathrm{path}}_j\right\})$ 13:     return ${\Pi }_{\mathrm{agg}}$ 14: end procedure

Practical Limits of Recursive Aggregation: The recursive aggregation scales logarithmically with client count, but practical limits emerge at scale. For m clients, the aggregation requires $O(logm)$ recursive circuit applications. The recursive circuit ${\mathcal{C}}_{\mathrm{rec}}$ has $O(N+logm)$ constraints, where N is the base proof verification complexity. The Merkle tree for multiplicative commitments requires $O\left(m\right)$ storage. Our experimental evaluation with up to 11 clients demonstrates the scheme’s effectiveness, but empirical validation with larger client populations (hundreds or thousands) remains future work.

5. Experimental Evaluation

We evaluate the proposed hybrid commitment scheme through comprehensive benchmarks comparing its performance against state-of-the-art polynomial commitment approaches in federated learning scenarios. The experiments measure computational efficiency, communication overhead, and scalability across varying numbers of clients and model sizes.

5.1. Experimental Setup

Edge Device Deployment Feasibility: All experiments were conducted in Python (version 3.9.7) Model training and evaluation were implemented using PyTorch (version 2.8.0), with numerical operations handled by NumPy (version 1.20.3). Experimental results were visualized using Matplotlib (version 3.4.3). The experiments were executed on a workstation equipped with an AMD 7950XD CPU, 128 GB of RAM, and an NVIDIA RTX 4090 GPU with 24 GB of VRAM. The system ran Linux (Ubuntu 24.04), providing a stable environment for high-performance computation but may mask bottlenecks on resource-constrained edge devices. To assess deployment feasibility, we provide theoretical analysis based on measured workstation performance and typical edge device characteristics (not measured data):

1.

Prover requirements: Hybrid-Commit requires 1008 ms per client on the workstation (measured). Theoretical projection: On typical edge devices (e.g., Raspberry Pi 4 with a 4-core ARM CPU), prover time would scale approximately with the CPU performance ratio (10–20× slower for ARM vs. x86), projecting ∼10–20 s per client. This remains acceptable for federated learning where proof generation occurs once per training round.

2.

Verifier requirements: The 762 ms verification time on the workstation (measured) would theoretically scale to 7–15 s on edge devices, which may be acceptable for asynchronous verification but not for real-time requirements.

3.

Memory requirements: Theoretical analysis shows sparse FFT reduces memory from 12.4 GB (full-domain) to 2.1 GB (sparse) for 10 M parameter models, making edge device deployment feasible.

4.

Communication advantages: The 160-byte proof size (measured) provides significant advantages on bandwidth-constrained edge networks (e.g., cellular and satellite), where the 813× reduction compared to Orion is critical. While our experiments use high-end hardware, the logarithmic scaling of sparse domain size and constant proof size (both measured properties) suggest the approach remains practical on edge devices, with verification being the primary bottleneck. Empirical validation on resource-constrained hardware remains future work.

Implementation Details: The experimental evaluation uses the full cryptographic implementation specified in Section 4, including pairing-based KZG10 commitments (BLS12-381), binary-field ${\mathbb{F}}_{2^k}$ arithmetic, and sparse FFT optimizations. The implementation follows the multi-polynomial batching (Equation (12)), batch evaluation proofs (Equation (13)), and recursive proof composition (Equations (8) and (10)), as detailed in Section 4. All measurements reflect the actual performance of the complete cryptographic stack, including pairing operations for additive commitments and hash-based Merkle commitments for multiplicative components.

Baseline Methods: We compare against three established approaches:

1.

KZG10: The standard pairing-based polynomial commitment scheme [4], implemented using BLS12-381 elliptic curves. Measurements were obtained with full model size (degree 512), matching Hybrid-Commit’s SRS degree of 512. Security parameter: $\lambda =128$ bits.

2.

FRI-PCS: An FRI-based low-degree testing approach [19] using fast Reed–Solomon interactive oracle proofs of proximity. Uses the same model size (620K parameters) and security parameter $\lambda =128$ bits. Hash function: SHA-256.

3.

Orion: A hash-based commitment scheme optimized for sparse polynomials [14], using Merkle tree commitments over sparse evaluation domains. Uses top 10% sparse selection (62K parameters from 620K total), same model size, and security parameter $\lambda =128$ bits. Hash function: SHA-256.

Parameter Alignment: All baseline methods use the same experimental conditions:

1.

Model size: 620 K parameters for all methods.

2.

Security parameter: $\lambda =128$ bits (standard cryptographic security level).

3.

Hash functions: SHA-256 for hash-based methods (FRI-PCS and Orion), with Hybrid-Commit using SHA-256 as placeholder for Anemoi (as implemented).

4.

Polynomial degree: KZG10 uses degree 512 (SRS length), matching Hybrid-Commit’s SRS degree of 512.

5.

Binary field: Hybrid-Commit uses ${\mathbb{F}}_{2^8}$ (256 elements), while baselines operate over prime fields or use different encodings.

This difference is inherent to Hybrid-Commit’s binary-field design and is explicitly discussed in Section 5.6. All comparisons are fair as each method uses its optimal parameter configuration.

Datasets and Models: Experiments used the Gazebo [21] dataset for autonomous driving scenarios. The dataset is a 3D robotics simulator widely used in autonomous vehicle research, providing realistic physics and high-fidelity sensor simulation, including LiDAR, cameras, radar, and GPS. Its ROS integration and configurable environments enable scalable evaluation of perception, planning, and control algorithms under diverse conditions. In this study, Gazebo is used to generate indoor navigation data using a simulated mobile robot and the pre-configured scenes [22]. The resulting dataset contains 66,806 samples and supports evaluation in decentralized peer-to-peer federated learning scenarios. Model size was approximately 620 K parameters, with binary quantization applied for Binius compatibility. All experiments were run for 50 rounds to ensure convergence and stable metric collection. The training configuration used a batch size of 8 for both training and testing, with learning rate scheduling following standard federated learning practices. The full hybrid implementation (Section 4) uses pairing-based KZG10 commitments, binary-field arithmetic, and sparse FFT optimizations as specified.

5.2. Computational Efficiency

Prover Time Analysis: Figure 2 shows the prover time as a function of client count, demonstrating the scalability characteristics of each method. The hybrid scheme exhibits near-constant prover time per client due to batched additive commitments, while the multiplicative phase activates selectively for non-linear verification operations.

The theoretical complexity analysis reveals

• Hybrid-Commit: $O(n+tlogt)$, where n is the model size and $t=O(logn)$ is the sparse domain size. The batched additive phase processes all m clients in $O\left(n\right)$ time, while the multiplicative phase requires $O(tlogt)$ for sparse FFT. This yields total prover time $O(n+logn·loglogn)$, which is effectively constant with respect to client count m due to batching.
• Baseline methods: Each requires $O(m·n)$ operations as each client’s proof is generated independently. KZG10 requires $O(m·d)$ scalar multiplications, where d is the polynomial degree, FRI-PCS requires $O(m·nlogn)$ for FFT computations, and Orion requires $O(m·n)$ for Merkle tree construction.

In contrast, baseline methods (KZG10, FRI-PCS, and Orion) show linear scaling with client count as each client requires independent proof generation. The logarithmic y-axis highlights the significant performance gap: Hybrid-Commit maintains approximately 121 s per round regardless of client count (4, 8, or 11 clients), with prover time per client remaining stable at approximately 1008 ms (4 clients: 1058 ms, 8 clients: 1015 ms, and 11 clients: 1051 ms). This constant-time behavior is achieved through our batched commitment optimization (Equation (12)), where multiple client updates are aggregated before cryptographic operations, amortizing the cost across all clients.

Verification Overhead:

Table 1. Verification time comparison (per client, 620 K parameter model).

Method	Time (ms)	Proof Size (KB)
KZG10	2950	1
FRI-PCS	464.94	54.60
Orion	45.35	130.19
Hybrid-Commit	762	0.16

compares the server-side verification costs for 11 clients with a 620 K parameter model. The verification time represents the per-client time required to verify a single client’s proof. Our Hybrid-Commit approach achieves 762 ms per client (8382 ms total for 11 clients), which includes both additive proof verification (KZG10 pairing-based checks) and multiplicative proof verification (sparse FFT domain checks).

KZG10 requires 2950 ms per client (32.45 s total for 11 clients) due to expensive pairing operations on BLS12-381 curves. Each verification requires two pairing computations: one to verify the commitment (Equation (14), left side) and one to verify the evaluation proof (Equation (14), right side). The constant proof size of 1 KB for KZG10 (a single G1 point, 48 bytes) is its primary advantage, but the computational cost of pairings (2.5 ms per pairing operation) dominates the verification time, making it impractical for real-time federated learning scenarios.

FRI-PCS achieves 464.94 ms per client (5.11 s total for 11 clients) through its efficient low-degree testing protocol, with proof size of 54.60 KB. The FRI protocol’s logarithmic query complexity enables faster verification compared to full polynomial evaluation, although it requires larger proofs to maintain security. Orion achieves verification at 45.35 ms per client (0.50 s total for 11 clients) due to its hash-based Merkle tree structure, which requires hash computations for verification of all sparse values. However, Orion requires larger proofs (130.19 KB) to maintain security as it must include Merkle authentication paths for all sparse polynomial values.

The Hybrid-Commit scheme’s verification time (762 ms per client) provides a balanced trade-off between security guarantees and computational cost. The comprehensive verification of both additive (KZG10 pairing-based) and multiplicative (hash-based Merkle) components ensures strong security guarantees through the hybrid structure. The proof size of 160 bytes per client (1.76 KB total for 11 clients) reflects the efficient compression achieved through (1) batched additive commitments (48 bytes per client via KZG10 G1 point), (2) multiplicative Merkle root (32 bytes), and (3) sparse index metadata (80 bytes). This represents a significant improvement over baseline methods in terms of proof size while maintaining strong security properties.

Verification Time vs. Proof Size Trade-off Analysis: The measured trade-off (762 ms verification vs. 160-byte proof for Hybrid-Commit compared to 45.35 ms verification vs. 130.19 KB proof for Orion) represents a 16.8× slower verification but 813× smaller proof size. This trade-off is reasonable in specific scenarios:

1.

Bandwidth-constrained environments: When communication bandwidth is limited (e.g., mobile networks and satellite links), the 813× proof size reduction significantly outweighs the verification time penalty. For 11 clients over 50 rounds, Hybrid-Commit requires 0.088 MB total communication vs. Orion’s 71.60 MB, representing an 814× reduction in bandwidth usage.

2.

Asynchronous verification: In scenarios where verification can be performed asynchronously or in batch mode (e.g., overnight verification jobs), the higher verification time is acceptable given the bandwidth savings.

3.

Edge device constraints: For edge devices with limited storage and bandwidth but sufficient compute for occasional verification, Hybrid-Commit’s small proof size is preferable.

However, the trade-off is not reasonable in:

1.

Real-time verification requirements: Scenarios requiring sub-100 ms verification latency (e.g., autonomous vehicle decision-making) are better served by Orion despite larger proofs.

2.

Compute-constrained verifiers: Devices with limited computational resources may struggle with 762 ms per-client verification, making Orion’s 45.35 ms more suitable.

The choice between Hybrid-Commit and baseline methods should be based on the specific deployment constraints: prioritize Hybrid-Commit when bandwidth is the primary constraint and baseline methods when verification latency is critical.

FFT Reduction: The sparse domain optimization in our multiplicative phase achieves 92% reduction in FFT operations compared to full-domain approaches. For a 10 M parameter model with $n={10}^7$ parameters, the sparse domain size is $t=\lceil {log}_2\left({10}^7\right)\rceil \approx 24$ points. The complexity reduction follows from

$${\displaystyle \frac{O(tlogt)}{O(nlogn)}}={\displaystyle \frac{O(logn·loglogn)}{O(nlogn)}}\approx {\displaystyle \frac{24·4.6}{{10}^7·23.3}}\approx 0.08$$

(19)

For a 10 M parameter model, this translates to

• FFT time: 1.4 s (sparse) vs. 18.2 s (full-domain), representing a 92% reduction;
• Memory usage: 2.1 GB (sparse) vs. 12.4 GB (full-domain), representing an 83% reduction;
• Domain size: 24 points (sparse) vs. 10,000,000 points (full-domain).

This optimization is critical for practical deployment as full-domain FFTs become prohibitively expensive for large models. The logarithmic scaling of the sparse domain ensures that, even for models with 100 M parameters, the sparse FFT domain remains manageable ($t\approx 27$ points), maintaining the computational advantage.

5.3. Communication Efficiency

Proof Size Scaling: Figure 3 illustrates the per-client communication overhead across different model sizes (1 M to 100 M parameters). The hybrid scheme’s proof size grows sublinearly due to two key optimizations:

(1) Compressed additive proofs maintain a constant size of approximately 1.2 KB regardless of model size as they use hash-based commitments over aggregated linear operations. The additive commitment size is independent of the number of model parameters n, following

$$|{\pi }_{\mathrm{add}}|=O\left(1\right)$$

(20)

This constant size is achieved through the SRS-based linear combination (Equation (12)), where the commitment is a single group element regardless of polynomial degree.

(2) Sparse multiplicative proofs scale as $O(logn)$ rather than $O\left(n\right)$, achieved through selective FFT domain sampling and Merkle tree compression. The proof size follows

$$|{\pi }_{\mathrm{mul}}|=O(t·logt)=O(logn·loglogn)$$

(21)

where $t=O(logn)$ is the sparse domain size. The Merkle tree structure compresses the t evaluations into a logarithmic-depth tree, requiring only ${log}_2\left(t\right)$ hash values for authentication paths.

KZG10 maintains the smallest proof size (0.28 KB constant) across all model sizes as it requires only a single G1 point (48 bytes) regardless of polynomial degree, plus evaluation proof (another 48 bytes). However, this advantage is offset by its high verification computational cost (2950 ms per client). FRI-PCS and Orion show linear scaling with model size as their proof structures must encode information proportional to the model parameters: $\left|{\pi }_{\mathrm{FRI}}\right|=O\left(n\right)$ and $\left|{\pi }_{\mathrm{Orion}}\right|=O\left(n\right)$.

The Hybrid-Commit scheme demonstrates superior scaling: from 0.16 KB (620 K parameters) to approximately 0.28 KB (100 M parameters), representing sublinear growth that follows

$$\left|{\pi }_{\mathrm{hybrid}}\right|=\left|{\pi }_{\mathrm{add}}\right|+\left|{\pi }_{\mathrm{mul}}\right|=O\left(1\right)+O(logn·loglogn)=O(logn·loglogn)$$

(22)

This sublinear growth is achieved through the hybrid structure’s ability to compress both linear and non-linear components independently, avoiding the linear scaling inherent in monolithic approaches.

Bandwidth Comparison For an 11-client, 50-round scenario with the Gazebo [21] dataset:

• KZG10: 0.15 MB total (0.28 KB × 11 clients × 50 rounds)—extremely efficient communication;
• FRI-PCS: 30.03 MB total (54.60 KB × 11 × 50);
• Orion: 71.60 MB total (130.19 KB × 11 × 50);
• Hybrid-Commit: 0.088 MB total (0.16 KB × 11 × 50)—most efficient communication with comprehensive verification.

The Hybrid-Commit scheme prioritizes comprehensive security guarantees over minimal communication, providing both additive and multiplicative verification in a single proof structure.

5.4. End-to-End Federated Learning Performance

We measure the impact on federated training convergence using the Gazebo [21] dataset with 11 clients over 50 rounds.

Table 2. Training performance with verification (50 rounds).

Metric	No Verification	Hybrid-Commit	KZG10
Time per round	2.00 min	2.03 min	3.80 min
Final accuracy	17.20%	17.20%	17.20%
Communication	2.90 GB	0.09 MB	0.15 MB

shows the hybrid scheme introduces minimal overhead while providing verifiable correctness guarantees. The “No Verification” baseline represents training without any cryptographic verification, providing the theoretical lower bound for training time.

Time Per Round. The Hybrid-Commit scheme introduces minimal overhead (2.03 min vs. 2.0 min baseline, approximately 1.5% increase) by leveraging efficient batched operations and selective multiplicative verification. The breakdown of the 2.03 min round time consists of (1) model training and update computation (1.9 min), (2) additive commitment generation via KZG10 batching (5 s), (3) multiplicative commitment generation for sparse domain (6 s), and (4) Binius proof generation (2 s). The batched additive commitments enable constant-time proof generation regardless of client count, while the sparse multiplicative phase activates only for the $t=O(logn)$ critical parameters, minimizing FFT overhead.

KZG10 requires 3.8 min per round (81% overhead) due to its expensive pairing-based verification despite having the smallest proof size. The breakdown shows (1) model training (2.0 min), (2) KZG10 commitment generation (45 s), and (3) pairing-based verification (35 s). This demonstrates that proof size alone is not sufficient; computational efficiency during verification is equally critical. The pairing operations, while providing constant-sized proofs, introduce substantial computational overhead that becomes prohibitive for real-time federated learning scenarios.

Final Accuracy. All methods achieve identical final accuracy (17.2%), confirming that verification mechanisms operate independently of the model training process. The training algorithm, data distribution, and convergence properties remain unchanged regardless of verification method. This theoretical correctness is validated empirically: verification is a post-training security mechanism that validates update integrity without influencing gradient computation or model updates.

Communication. The communication overhead reflects the cumulative proof transmission across all rounds. Hybrid-Commit requires 0.088 MB total (negligible increase over the 2.9 GB baseline model updates), calculated as

$${\mathrm{Comm}}_{\mathrm{hybrid}}=50\mathrm{rounds}\times 11\mathrm{clients}\times 0.16\mathrm{KB}=0.088\mathrm{MB}$$

(23)

while KZG10 requires 0.15 MB (negligible overhead):

$${\mathrm{Comm}}_{\mathrm{KZG}10}=50\times 11\times 0.28\mathrm{KB}=0.15\mathrm{MB}$$

(24)

Hybrid-Commit achieves significantly smaller proof size (160 bytes) compared to FRI-PCS (54.60 KB) and Orion (130.19 KB), representing 341× and 813× reductions, respectively. This proof size advantage makes Hybrid-Commit highly suitable for bandwidth-constrained federated learning scenarios where communication overhead is a primary concern despite its higher verification time (762 ms per client) compared to Orion (45.35 ms) and FRI-PCS (464.94 ms).

5.5. Scalability Analysis

Figure 4 provides a detailed comparison of per-client verification times across all methods. The logarithmic scale highlights the orders-of-magnitude differences between approaches. KZG10 requires 2950 ms per client due to pairing operations, while Hybrid-Commit requires 762 ms per client (combining both additive KZG10 pairing-based and multiplicative hash-based verification). FRI-PCS achieves 464.94 ms per client, and Orion achieves 45.35 ms per client. The key insight is that Hybrid-Commit provides a balanced trade-off: it offers comprehensive security guarantees (both additive and multiplicative verification) with moderate computational cost, making it suitable for production federated learning systems where security and performance must be balanced.

For the 11-client configuration, the measured verification time is 762 ms per client (8.38 s total for all 11 clients), providing comprehensive security through both commitment types. For comparison, KZG10 requires 2950 ms per client (32.45 s total), FRI-PCS requires 464.94 ms per client (5.11 s total), and Orion requires 45.35 ms per client (0.50 s total).

5.6. Summary

The experiments demonstrate that Hybrid-Commit achieves practical efficiency for large-scale federated learning while maintaining strong security guarantees. The selective application of cryptographic primitives based on computation type (additive vs. multiplicative) provides superior performance compared to uniform approaches. The key achievements include

• Near-constant prover time regardless of client count (approximately 1008 ms per client, stable across 4–11 clients, with total round time of 121 s);
• Compact proof size (160 bytes per client, representing 341× and 813× reductions compared to FRI-PCS and Orion, respectively);
• Verification trade-off (762 ms per client, 16.8× slower than Orion and 1.6× slower than FRI-PCS, but providing comprehensive security through hybrid additive–multiplicative structure; verification scalability is not achieved);
• Comprehensive security through hybrid additive–multiplicative structure with pairing-based KZG10 and hash-based Merkle commitments.

These results validate the hybrid commitment scheme’s effectiveness for practical federated learning deployments, where both security and efficiency are critical requirements.

5.7. Limitations and Discussion

Several limitations of the current study merit discussion. The full cryptographic stack specified in Section 4 has been implemented, including pairing-based KZG10 commitments, binary-field arithmetic, and sparse FFT optimizations. However, the experimental evaluation uses a 620 K parameter model, which is smaller than production-scale federated learning deployments that may involve models with millions or tens of millions of parameters. While the logarithmic scaling of the sparse domain suggests the approach will scale to larger models, empirical validation on larger model sizes remains future work.

Applicability Beyond Binary Fields: Hybrid-Commit is specifically designed for binary fields ${\mathbb{F}}_{2^k}$ to leverage Binius proofs and efficient binary-field arithmetic. Extending the scheme to prime fields ${\mathbb{F}}_p$ would require significant modifications: (1) the additive FFT algorithm for binary fields cannot be directly applied, requiring standard FFTs with $O(nlogn)$ complexity, (2) the binary-field optimizations in hash functions (e.g., Anemoi) would need adaptation, and (3) the Binius encoding framework assumes a binary-field structure. While theoretically possible, such an extension would likely lose the efficiency advantages that make Hybrid-Commit attractive. The scheme is therefore best suited for workloads that can be naturally encoded over binary fields, such as binary neural networks, quantized models, or cryptographic computations.

Sensitivity to Model Architecture: The hybrid scheme’s performance depends on the model architecture’s algebraic structure. Our experiments with the Gazebo dataset (620 K parameters; mixed linear/non-linear structure) show balanced performance. Models with predominantly linear layers (e.g., fully connected networks) benefit most from batched additive commitments, while models with many non-linear activations (e.g., deep convolutional networks with ReLU) require more multiplicative verification, increasing FFT overhead. The sparse domain selection algorithm (Algorithm 1) adapts to model structure by selecting critical parameters, but the optimal sparse domain size t may vary across architectures, requiring architecture-specific tuning. Empirical validation with different model architectures remains future work.

A second limitation concerns the trusted setup assumption. The additive KZG variant requires a structured reference string, with no transparent or updatable alternative provided. This assumption is difficult to justify in decentralized federated learning settings, where coordinating or trusting a setup ceremony may be impractical.

Verification cost remains a significant limitation. The full implementation achieves 762 ms per-client verification time, which is higher than Orion (45.35 ms) and FRI-PCS (464.94 ms), representing 18× and 1.6× slower verification, respectively. This cost reflects the comprehensive verification of both additive (KZG10 pairing-based) and multiplicative (hash-based Merkle) components. Critically, verification scalability is not achieved: the verification time does not scale favorably compared to baseline methods, making Hybrid-Commit unsuitable for real-time verification requirements or compute-constrained verifiers. The scheme is also not suitable for scenarios requiring frequent verification as the verification cost accumulates over multiple rounds. However, Hybrid-Commit achieves significantly smaller proof size (160 bytes) compared to both FRI-PCS (54.60 KB) and Orion (130.19 KB), representing 341× and 813× reductions, respectively. This proof size advantage may be preferable in bandwidth-constrained federated learning scenarios where communication overhead is the primary concern and verification can be performed infrequently or in batch mode.

The use of sparse FFT domains introduces an additional trade-off. While selecting a small subset of evaluation points reduces computation, it also reduces the security margin. The current work does not provide explicit bounds or parameter selection guidance relating sparsity to cryptographic assurance.

Finally, the evaluation assumes a static federated learning configuration, with fixed clients and model architecture. Scenarios involving client churn or model evolution would require domain and commitment re-alignment, which is not supported in the present implementation.

Adversarial Behaviors Beyond Incorrect Gradients: As discussed in Section 3.4, Hybrid-Commit provides computational soundness guarantees for gradient computation correctness, but additional adversarial behaviors require separate consideration:

• Model Poisoning: Hybrid-Commit verifies that gradients are computed correctly according to the client’s local data, but it cannot prevent clients from submitting adversarially crafted gradients computed on poisoned datasets. A malicious client could train on backdoored data, producing correctly computed but harmful gradients that pass verification. Defending against model poisoning requires additional mechanisms, such as gradient clipping, outlier detection, or differential privacy, which operate orthogonally to Hybrid-Commit’s verification guarantees.
• Selective Update Omission: The commitment scheme covers the entire polynomial representation of the model update, so clients cannot selectively omit parameter updates without detection. However, clients could submit zero gradients for certain parameters (effectively omitting updates) while still producing valid proofs. Such behavior would be detectable through gradient magnitude analysis, but Hybrid-Commit itself does not enforce non-zero constraints. The sparse domain selection algorithm helps by prioritizing high-magnitude parameters for verification, making it harder for clients to hide significant omissions.
• Byzantine Attacks: In scenarios with multiple malicious clients, coordinated attacks could attempt to overwhelm the verifier or exploit aggregation vulnerabilities. The recursive aggregation mechanism (Algorithm 3) maintains security even with up to m − 1 malicious clients as each proof is verified independently before aggregation. However, the computational cost of verifying many malicious proofs could degrade system performance, requiring rate limiting or proof-of-work mechanisms in practice.

5.8. Threats to Validity

The external validity of the results is limited by the experimental scope. All experiments are conducted on a single workload, namely Gazebo-based driving data, with 11 clients and 50 rounds. The model size (620 K parameters) is smaller than production-scale deployments, and generalization to other datasets, larger client populations, or more heterogeneous and non-IID settings remains untested. We frame our results as a proof-of-concept demonstration of the hybrid commitment architecture’s effectiveness under the evaluated conditions rather than claiming broad generalizability. The experimental scope is intentionally narrow to provide detailed empirical validation of the core cryptographic mechanisms, with broader evaluation left as future work.

Baseline completeness is another consideration. FRI-PCS and Orion implementations use full model size (620 K parameters) with correct algorithms: FRI-PCS verifies all FRI proof queries, while Orion uses top 10% sparse selection with full verification of all sparse values. The measured values (FRI-PCS: 464.94 ms verifier, 54.60 KB proof; Orion: 45.35 ms verifier, 130.19 KB proof) represent actual performance from these implementations, not adjusted to match theoretical expectations.

Hardware dependence also poses a threat. No pairing accelerators or hash offloading are used, and the impact of such hardware on verification cost is not measured. Finally, parameter sensitivity is not explored. Key parameters, including the sparse-domain size t and batching factors, are fixed across experiments, and no sensitivity analyses are reported.

5.9. Future Work

Several directions for future work follow directly from these limitations. While the full cryptographic stack has been implemented (pairing-based KZG10, binary-field arithmetic, and sparse FFT), further optimizations remain. Verifier time optimization is a critical priority as the current 762 ms per-client verification time represents a significant scalability limitation that prevents the scheme from being suitable for real-time verification requirements or compute-constrained verifiers. While this verification time provides comprehensive security guarantees, it could potentially be reduced through hardware acceleration (pairing accelerators and hash offloading) or algorithmic improvements in the pairing and Merkle verification phases. Achieving verification scalability comparable to baseline methods would significantly expand the applicability of Hybrid-Commit to a broader range of federated learning scenarios.

Removing the trusted setup assumption is another important step. Integrating a transparent or updatable setup mechanism, as in ref. [23], would improve suitability for decentralized deployments.

The sparse-domain design could be strengthened by developing adaptive strategies that calibrate the subset size t based on observed sparsity and target security margins, accompanied by explicit bounds and autotuning rules.

Supporting dynamic federated learning scenarios remains an open challenge. Extending the scheme to handle client churn and evolving model architectures through incremental commitment updates would bring it closer to real-world conditions.

Hardware acceleration remains largely unexplored. Benchmarking pairing accelerators and hash offloading could clarify the gap between software-only and hardware-assisted verification and determine whether the KZG10 pairing operations (which contribute significantly to the 762 ms verification time) can be accelerated in practice. Additionally, evaluation on larger model sizes (1M+ parameters) would validate the logarithmic scaling claims of the sparse domain optimization and provide more realistic performance estimates for production deployments.

6. Conclusions

The work presented here considers how Binius zero-knowledge proofs might be made more suitable for federated learning by revisiting the way polynomial commitments are used. Instead of treating all computations uniformly, we explored a hybrid commitment structure that distinguishes between additive and multiplicative verification. This distinction is motivated by how federated learning typically unfolds in practice: most updates are linear aggregations, whereas non-linear constraints tend to arise less frequently and often affect only a limited subset of parameters. Separating these cases allows different cryptographic techniques to be applied where they appear most appropriate.

The experimental results demonstrate that this decomposition improves scalability in specific dimensions under realistic conditions. In particular, batching additive commitments keeps prover time near-constant (approximately 1008 ms per client, with only 4.2% variation across 4–11 clients) as the number of participating clients increases, achieving scalability in prover time. At the same time, limiting FFT-based verification to sparse domains substantially reduces both computation and memory usage, with the theoretical analysis showing over a 90% reduction for large models (10M+ parameters). These gains were achieved without an observable impact on model accuracy, and the additional cost per training round remained below 2% (2.03 min vs. 2.0 min baseline). The hybrid scheme achieves exceptional proof size efficiency (160 bytes per client, representing 341× and 813× reductions compared to FRI-PCS and Orion, respectively), achieving scalability in proof size. However, verification scalability is not achieved: verification time (762 ms per client) is significantly higher than Orion (45.35 ms) and FRI-PCS (464.94 ms), representing 18× and 1.6× slower verification, respectively. This makes Hybrid-Commit unsuitable for real-time verification requirements, compute-constrained verifiers, or scenarios requiring frequent verification. The proof size advantage may justify this trade-off in bandwidth-constrained federated learning scenarios where communication overhead is the primary concern and verification can be performed infrequently or in batch mode. Taken together, the results indicate that commitment schemes tailored to the structure of the underlying workload can make zero-knowledge verification more practical in distributed learning systems for specific use cases, even if some trade-offs remain unavoidable. The “scalable” claim in the title and throughout this paper applies specifically to prover time and proof size, not verification time.