Lookup (Type 2) #

Recap of types #

Type	Description	Recap	This
lookup1	$Arr [i] \in {0, 1}$	Each element of array $Arr$ is in ${0, 1}$ (or another small set).
lookup2	$Arr [i] \in Table$	Each element of array $Arr$ is in a disclosed table of values $Table$ .	✅

Relation #

$R_{lookup 2} := {\begin{cases} (Arr, T) \end{cases} | \begin{array}{l} Arr [i] \in T, 0 \leq i \leq n - 1, \\ {Poly}_{Arr} = FFT . Interp (ω, Arr), \\ {Poly}_{T} = FFT . Interp (ω, T), \\ K_{Arr} = KZG . Commit ({Poly}_{Arr}), \\ K_{T} = KZG . Commit ({Poly}_{T}), \end{array}}$

Intuition #

The prover ( $P$ ) holds an array $Arr$ of $n$ integers from $Z_{q}$ : $[a_{0}, a_{1}, a_{2}, \dots, a_{n - 1}]$ . It will produce a succinct (independent of $n$ ) proof that each value in $Arr$ is the element of a public table $T$ . The prover will encode $Arr$ and $T$ into polynomials: ${Poly}_{Arr}$ and ${Poly}_{T}$ . Assume $Arr$ is equal to $T$ , then the prover can complete the proof by simply performing the product check or the permutation check between $Arr$ and $T$ . However, if $Arr$ is not equal to $T$ (this is the case we want to solve), the prover needs to reveal the points where $Arr$ equals to $T$ , which makes zero knowledge impossible. Thus, the prover needs to construct auxiliary polynomial(s) to prove the constraints between $Arr$ and $T$ are desired.

There are different approaches to achieving the lookup argument, e.g., halo2 and Plookup. We will discuss these two approaches as follows.

halo2 #

The lookup argument in halo2 requires the prover to construct two auxiliary vectors, ${Arr}^{'}$ and $T^{'}$ , where ${Arr}^{'}$ is the permutation of $Arr$ and sorted (ascending or descending does not matter), $T^{'}$ is the permutation of $T$ and sorted by $Arr$ . For any two sets $A, B$ such that $A \subset B$ , we say $B$ is sorted by $A$ when the elements in $A$ have the same order as they do in $B$ . Let us demonstrate the halo2 lookup argument with a concrete example, $Arr = {1, 2, 1, 6, 4, 5, 3, 0}, T = Z_{8}$ . The prover constructs ${Arr}^{'}$ and $T^{'}$ such that

{Arr}^{'} = {0, 1, 1, 2, 3, 4, 5, 6}

T^{'} = {0, 1, 7, 2, 3, 4, 5, 6}

We can observe that ${Arr}^{'} [i]$ is equal to $T^{'} [i]$ or ${Arr}^{'} [i - 1]$ . Since ${Arr}^{'} [i - 1]$ does not exist when $i = 0$ , we have to enforce the other rule, ${Arr}^{'} [0] = T^{'} [0]$ . With these two constraints and the proof that ${Arr}^{'}$ is the permutation of $Arr$ and $T^{'}$ is the permutation of $T$ , the prover can prove each element in $Arr$ exists in $T$ .

Plookup #

We start with an unoptimized version of Plookup that is conceptually simpler than the final version and is still fully succinct. The inputs are: an array containing the values of the lookup table $T$ of size $n_{1}$ ; and an array of length $n_{2}$ (typically longer than $n_{1}$ but not necessarily) that will be proven to contain only values from somewhere in $T$ .

The prover will create 5 helper arrays ( ${Acc}_{1}$ to ${Acc}_{5}$ ) to demonstrate this overall property ( $Arr [i] \in T$ for all $i$ ). The helper arrays will each be of size $n_{1} + n_{2}$ with the exception of ${Acc}_{4}$ which is $n_{2}$ . They are as follows:

${Acc}_{1} = Arr | | T$
${Acc}_{2} = Sort ({Acc}_{1})$
${Acc}_{3} [i] = {Acc}_{2} [i + 1] - {Acc}_{2} [i]$
${Acc}_{4} [i] = T [i + 1] - T [i]$
${Acc}_{5} = {Acc}_{4} | | {0}^{n_{2}}$ where $n_{1} = | Arr |$

It is probably worth an example at this point.

$T = [7, 0, 15, 3]$
$Arr = [7, 0, 15, 15, 7, 7, 15, 0, 0, 7, 15, 7]$
${Acc}_{1} = [7, 0, 15, 15, 7, 7, 15, 0, 0, 7, 15, 7, 7, 0, 15, 3]$
${Acc}_{2} = [7, 7, 7, 7, 7, 7, 0, 0, 0, 0, 15, 15, 15, 15, 15, 3]$
${Acc}_{3} = [0, 0, 0, 0, 0, - 7, 0, 0, 0, 15, 0, 0, 0, 0, - 12, ⊥]$
${Acc}_{4} = [- 7, 15, - 12, ⊥]$
${Acc}_{5} = [- 7, 15, - 12, ⊥, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]$

The first array ${Acc}_{1}$ is the concatenation for $Arr$ and $T$ . The intuition for this is as follows. Every element of $Arr$ is in $T$ (what is being proven) but the converse is not true, not every element of $T$ is necessarily in $Arr$ . By constructing ${Acc}_{1}$ , the prover has an array where every element of $T$ appears at least once. This will be convenient later. Additionally, if the prover can show every element in ${Acc}_{1}$ is in $T$ , it implies every element in the original $Arr$ is in $T$ so it can now move forward with ${Acc}_{1}$ .

How does ${Acc}_{1}$ compare to $T$ ? They both have the same elements but ${Acc}_{1}$ has a bunch of extra duplicates of values. Also the appearance of elements in ${Acc}_{1}$ are in a different (arbitrary) order. Next the prover will sort the values of ${Acc}_{1}$ , grouping all duplicates together, and having them appear in the same order as the original $T$ (which does not have to be sorted).

Now how does ${Acc}_{2}$ compare to $T$ ? They have the same elements in the same order (including 3 which is not in the original $Arr$ ) however ${Acc}_{2}$ has a bunch of duplicates of some of the elements. Next we want to “flag” all the elements that are duplicates. The way we do this is to take the difference between each neighbouring elements. If the neighbouring elements are the same (duplicates), this is will place a 0 in that position. If they are not, a non-zero number will appear instead.

This is straight-forward until we hit the last element in ${Acc}_{2}$ and ${Acc}_{3}$ which has no “next” element in the array. We will leave it for now as an arbitrary integer $⊥$ .

We have marked the duplicates elements but have some other integers when neighbouring elements are not the same. The idea is do the same thing with $T$ and we create ${Acc}_{4}$ , which we then pad with $n_{2}$ zeros.

${Acc}_{5} = [- 7, 15, - 12, ⊥, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]$

If ${Acc}_{5}$ is a permutation of ${Acc}_{3}$ and everything else is correctly constructed, then all elements in $Arr$ are from $T$ .

The prover will show that ${Acc}_{1}$ is constructed correctly with the $concat$ gadget. It will not prove that ${Acc}_{2}$ is sorted correctly (if it does not sort it correctly, the protocol will not work) but it will prove that ${Acc}_{2}$ is a permutation of ${Acc}_{1}$ using $shuffle 1 ({Acc}_{1}, {Acc}_{2})$ . It will prove ${Acc}_{3}$ is constructed correctly by $add 1 ({Acc}_{2} [i + 1], - {Acc}_{2} [i])$ and ${Acc}_{3}$ is $add 1 (T [i + 1], - T [i])$ . Last, it will prove that ${Acc}_{5}$ is correctly formed with $concat$ and finally, that it is a permutation of ${Acc}_{3}$ with $shuffle 1 ({Acc}_{5}, {Acc}_{3})$ .

$T$ to the end of $Arr$ does not change anything about the argument

In fact, the only difference between ${Acc}_{1}$ and $T$ itself is that there are several duplicates

With these arrays, the following constraints are demonstrated:

Uses $concat$ gadget
Uses $shuffle 1 ({Acc}_{1}, {Acc}_{2})$
Uses $add 1 ({Acc}_{2} [i + 1], - {Acc}_{2} [i])$
Uses $add 1 (T [i + 1], - T [i])$
Uses $concat$ and then $shuffle 1 ({Acc}_{5}, {Acc}_{3})$

Unlike halo2, Plookup requires only one auxiliary vector, $S$ , where $S$ is the union set of $Arr$ and $T$ , and sorted by $T$ . The prover encodes $Arr$ , $T$ , and $S$ into polynomials: ${Poly}_{Arr}$ , ${Poly}_{T}$ , and ${Poly}_{S}$ , and computes $\prod {Poly}_{Arr} \cdot \prod {Poly}_{T}$ and $\prod {Poly}_{S}$ with some random challenges. The theorem tells us the two products are equal if and only if: $Arr \subset T$ , and $S = (Arr, T)$ and sorted by $T$ .

Protocol Details #

halo2 #

Array Level #

$P$ and $V$ are given a public table $T$
$P$ holds an array $Arr = [a_{0}, a_{1}, a_{2}, \dots, a_{n - 1}]$ of $n$ integers ( $a_{i} \in Z_{q}$ )
$P$ computes an array ${Arr}^{'} = [a_{0}^{'}, a_{1}^{'}, a_{2}^{'}, \dots, a_{n - 1}^{'}]$ of $n$ integers ( $a_{i}^{'} \in Z_{q}$ ) such that:
- ${Arr}^{'}$ is a permutation of $Arr$ and sorted in ascending or descending
$P$ computes an array $T^{'}$ such that:
- $T^{'}$ is a permutation of $T$ and sorted by ${Arr}^{'}$
${Arr}^{'}$ and $T^{'}$ have the following relations:
- ${Arr}^{'} [0] = T^{'} [0]$
- ${Arr}^{'} [i] = T^{'} [i] ∣ {Arr}^{'} [i - 1], i \neq 0$

Polynomial Level #

We assume arrays $Arr$ , ${Arr}^{'}$ , $T$ , and $T^{'}$ are encoded as the y-coordinates into a univariant polynomial where the x-coordinates (called the domain $H_{κ}$ ) are chosen as the multiplicative group of order $κ$ with generator $ω \in G_{κ}$ (see Background for more). In short, $ω^{0}$ is the first element and $ω^{κ - 1}$ is the last element of $H_{κ}$ . If $κ$ is larger than the length of the array, the array can be padded with elements of value 1 (which will not change the product).

Recall the four constraints we want to prove:

${Arr}^{'}$ is a permutation of $Arr$
$T^{'}$ is a permutation of $T$
The first value in ${Arr}^{'}$ equals to the first value in $T^{'}$
The rest of the values in ${Arr}^{'}$ are of the form ${Arr}^{'} [i] = T^{'} [i] ∣ {Arr}^{'} [i - 1], i \neq 0$

In polynomial form, the constraints are ( $α, β$ are challenges from $V$ ):

$\prod [α - {Poly}_{Arr} (X)] = \prod [α - {Poly}_{{Arr}^{'}} (X)]$
$\prod [β - {Poly}_{T} (X)] = \prod [β - {Poly}_{T^{'}} (X)]$
For $X = ω^{0}$ : ${Poly}_{{Arr}^{'}} (X) = {Poly}_{T^{'}} (X)$
For all $X \in H_{κ} ∖ ω^{0}$ : $[{Poly}_{{Arr}^{'}} (X) - {Poly}_{T^{'}} (X)] \cdot [{Poly}_{{Arr}^{'}} (X) - {Poly}_{{Arr}^{'}} (X \cdot ω^{- 1})] = 0$

We take care of the “for $X$ ” conditions by zeroing out the rest of the polynomial that is not zero. See the gadget zero1 for more on why this works.

${Poly}_{Vanish 1} (X) = \prod [α - {Poly}_{Arr} (X)] - \prod [α - {Poly}_{{Arr}^{'}} (X)] = 0$
${Poly}_{Vanish 2} (X) = \prod [β - {Poly}_{T} (X)] - \prod [β - {Poly}_{T^{'}} (X)] = 0$
${Poly}_{Vanish 3} (X) = [{Poly}_{{Arr}^{'}} (X) - {Poly}_{T^{'}} (X)] \cdot \frac{X^{κ} - 1}{X - ω^{0}} = 0$
${Poly}_{Vanish 4} (X) = [{Poly}_{{Arr}^{'}} (X) - {Poly}_{T^{'}} (X)] \cdot [{Poly}_{{Arr}^{'}} (X) - {Poly}_{{Arr}^{'}} (X \cdot ω^{- 1})] \cdot (X - ω^{0}) = 0$

Instead of proving ${Poly}_{Vanish 1}$ and ${Poly}_{Vanish 2}$ are vanishing through two permutation checks, we can construct an accumulator ${Poly}_{Z}$ to make it more efficient (the domain needs to be expanded to $2 κ$ , denoted by $k$ ):

${Poly}_{Z} (ω^{0}) = {Poly}_{Z} (ω^{k - 1}) = 1$
For all $X \in H_{κ} ∖ ω^{k - 1}$ : ${Poly}_{Z} (X \cdot ω) = {Poly}_{Z} (X) \cdot \frac{[{Poly}_{Arr} (X) + α] \cdot [{Poly}_{T} (X) + β]}{[{Poly}_{{Arr}^{'}} (X) + α] \cdot [{Poly}_{T^{'}} (X) + β]}$

Now we have the new ${Poly}_{Vanish 1}$ and ${Poly}_{Vanish 2}$ :

${Poly}_{Vanish 1} = [{Poly}_{Z} (X) - 1] \cdot \frac{X^{k} - 1}{(X - ω^{0}) \cdot (X - ω^{k - 1})} = 0$
${Poly}_{Vanish 2} = {{Poly}_{Z} (X \cdot ω) \cdot [{Poly}_{{Arr}^{'}} (X) + α] \cdot [{Poly}_{T^{'}} (X) + β] - {Poly}_{Z} (X) \cdot [{Poly}_{Arr} (X) + α] \cdot [{Poly}_{T} (X) + β]} \cdot (X - ω^{k - 1}) = 0$

These equations are true for every value of $X \in H_{k}$ (but not necessarily true outside of these values). To show this, we divide each polynomial by $X^{k} - 1$ , which is a minimal vanishing polynomial for $H_{k}$ that does not require interpolation to create. If the quotients are polynomials (and not rational functions), then ${Poly}_{Vanish 1} (X)$ , ${Poly}_{Vanish 2} (X)$ , ${Poly}_{Vanish 3} (X)$ , and ${Poly}_{Vanish 4} (X)$ must be vanishing on $H_{k}$ too. Specifically, the prover computes,

$Q_{1} (X) = \frac{{Poly}_{Vanish 1} (X)}{X^{k} - 1}$
$Q_{2} (X) = \frac{{Poly}_{Vanish 2} (X)}{X^{k} - 1}$
$Q_{3} (X) = \frac{{Poly}_{Vanish 3} (X)}{X^{k} - 1}$
$Q_{4} (X) = \frac{{Poly}_{Vanish 4} (X)}{X^{k} - 1}$

Instead of proving the four polynomials are zero polynomials one by one, we can linearly combine the four polynomials with a random challenge $ρ$ sent by $V$ to compute:

$W (X) = {Poly}_{Vanish 1} (X) + ρ \cdot {Poly}_{Vanish 2} (X) + ρ^{2} \cdot {Poly}_{Vanish 3} (X) + ρ^{3} \cdot {Poly}_{Vanish 4} (X) = 0$

When ${Poly}_{Vanish 1} (X), {Poly}_{Vanish 2} (X), {Poly}_{Vanish 3} (X), {Poly}_{Vanish 4} (X)$ are vanishing on the domain $H_{k}$ , $W (X)$ is also vanishing with high probability. Again, if and only if $W (X)$ is vanishing over the field $H_{k}$ , $Q (X) = W (X) / (X^{k} - 1)$ exists.

By rearranging, we can get ${Poly}_{Zero} (X)$ as a true zero polynomial (zero at every value both in $H_{κ}$ and outside of it):

{Poly}_{Zero} (X) = {Poly}_{Vanish 1} (X) + ρ \cdot {Poly}_{Vanish 2} (X) + ρ^{2} \cdot {Poly}_{Vanish 3} (X) + ρ^{3} \cdot {Poly}_{Vanish 4} (X) - Q (X) \cdot (X^{n} - 1) = 0

Ultimately the halo2 lookup argument will satisfy the following constraints at the Commitment Level:

Show $Q (X)$ exists
Show ${Poly}_{Zero} (X)$ is correctly constructed from ${Poly}_{Z} (X)$ , ${Poly}_{Arr} (X)$ , ${Poly}_{T} (X)$ , ${Poly}_{{Arr}^{'}} (X)$ , and ${Poly}_{T^{'}} (X)$
Show ${Poly}_{Zero} (X)$ is a zero polynomial

Commitment Level #

The verifier will never see the arrays or polynomials themselves. They are undisclosed because they either (i) contain private data or (ii) are too large to examine and maintain a succinct proof system. Instead, the prover will use commitments.

The prover will write the following commitments to the transcript:

$K_{Z} = KZG . Commit ({Poly}_{Z} (X))$
$K_{Arr} = KZG . Commit ({Poly}_{Arr} (X))$
$K_{T} = KZG . Commit ({Poly}_{T} (X))$
$K_{{Arr}^{'}} = KZG . Commit ({Poly}_{{Arr}^{'}} (X))$
$K_{T^{'}} = KZG . Commit ({Poly}_{T^{'}} (X))$

The prover will generate a random challenge evaluation point (using strong Fiat-Shamir) on the polynomial that is outside of $H_{k}$ . Call this point $ρ$ . It will be used by the prover to create polynomial $Q (X)$ (see above) and the prover will write to the transcript:

$ρ$
$K_{Q} = KZG . Commit (Q (X))$

The prover will generate a second random challenge evaluation point (using strong Fiat-Shamir) on the polynomial that is outside of $H_{k}$ . Call this point $ζ$ . The prover will write the three points and opening proofs to the transcript:

$ζ$
${Poly}_{Z} (ζ) = KZG . Open (K_{Z}, ζ)$
${Poly}_{Z} (ζ ω) = KZG . Open (K_{Z}, ζ ω)$
${Poly}_{Arr} (ζ) = KZG . Open (K_{Arr}, ζ)$
${Poly}_{{Arr}^{'}} (ζ) = KZG . Open (K_{{Arr}^{'}}, ζ)$
${Poly}_{{Arr}^{'}} (ζ ω^{- 1}) = KZG . Open (K_{{Arr}^{'}}, ζ ω^{- 1})$
${Poly}_{T} (ζ) = KZG . Open (K_{T}, ζ)$
${Poly}_{T^{'}} (ζ) = KZG . Open (K_{T^{'}}, ζ)$
$Q (ζ) = KZG . Open (K_{Q}, ζ)$

To check the proof, the verifier uses the transcript to construct the value $Y_{Zero}$ as follows:

$Y_{Vanish 1} = [{Poly}_{Z} (ζ) - 1] \cdot \frac{(ζ^{k} - 1)}{(ζ - ω^{0}) \cdot (ζ - ω^{k - 1})}$
$Y_{Vanish 2} = {{Poly}_{Z} (ζ ω) \cdot [{Poly}_{{Arr}^{'}} (ζ) + α] \cdot [{Poly}_{T^{'}} (ζ) + β] - {Poly}_{Z} (ζ) \cdot [{Poly}_{Arr} (ζ) + α] \cdot [{Poly}_{T} (ζ) + β]} \cdot (ζ - ω^{k - 1})$
$Y_{Vanish 3} = [{Poly}_{{Arr}^{'}} (ζ) - {Poly}_{T^{'}} (ζ)] \cdot \frac{ζ^{k} - 1}{ζ - ω^{0}}$
$Y_{Vanish 4} = [{Poly}_{{Arr}^{'}} (ζ) - {Poly}_{T^{'}} (ζ)] \cdot [{Poly}_{{Arr}^{'}} (ζ) - {Poly}_{{Arr}^{'}} (ζ ω^{- 1})] \cdot (ζ - ω^{0})$
$Y_{Zero} = Y_{Vanish 1} + ρ \cdot Y_{Vanish 2} + ρ^{2} \cdot Y_{Vanish 3} + ρ^{3} \cdot Y_{Vanish 4} - Q (ζ) \cdot (ζ^{k} - 1)$

Finally, if the constraint system is true, the following constraint will be true (and will be false otherwise with overwhelming probability, due to the Schwartz-Zippel lemma on $ρ$ and $ζ$ ) :

$Y_{Zero} \overset{?}{=} 0$

Plookup #

Array Level #

$P$ and $V$ are given a public table $T = [t_{0}, t_{1}, t_{2}, \dots, t_{d - 1}]$ of $d$ integers ( $t_{i} \in Z_{q}$ )
$P$ holds an array $Arr = [a_{0}, a_{1}, a_{2}, \dots, a_{n - 1}]$ of $n$ integers ( $a_{i} \in Z_{q}$ )
$P$ constructs an array $S = (Arr, T) = [s_{0}, s_{1}, s_{2}, \dots, s_{n + d - 1}]$ of $n + d$ integers ( $s_{i} \in Z_{q}$ ) such that:
- $S$ is a union set of $Arr$ and $T$
- $S$ is sorted by $T$
$Arr$ , $T$ , and $S$ have the following relations:
- For each $i \in [0, d - 1)$ , there exists a $j \in [0, n + d - 1)$ such that $(t_{i}, t_{i + 1}) = (s_{j}, s_{j + 1})$
- Let $I$ be the set of those $d - 1$ indices, and let $I^{'} := [0, n + d - 1) ∖ I$ . For each $i \in I^{'}$ , there exists a $j \in [0, n)$ such that $s_{i} = s_{i + 1} = a_{j}$

Polynomial Level #

We assume arrays $Arr$ , $T$ , and $S$ are encoded as the y-coordinates into a univariant polynomial where the x-coordinates (called the domain $H_{κ}$ ) are chosen as the multiplicative group of order $κ$ with generator $ω \in G_{κ}$ (see Background for more). In short, $ω^{0}$ is the first element and $ω^{κ - 1}$ is the last element of $H_{κ}$ . If $κ$ is larger than the length of the array, the array can be padded with elements of value 1 (which will not change the product).

Recall the two constraints we want to prove:

For each $i \in [0, d - 1)$ , there exists a $j \in [0, n + d - 1)$ such that $(t_{i}, t_{i + 1}) = (s_{j}, s_{j + 1})$
Let $I$ be the set of those $d - 1$ indices, and let $I^{'} := [0, n + d - 1) ∖ I$ . For each $i \in I^{'}$ , there exists a $j \in [0, n)$ such that $s_{i} = s_{i + 1} = a_{j}$

In polynomial form, the constraints are ( $α, β$ are challenges from $V$ ):

$(1 + β)^{n} \prod_{i < n} [α + {Poly}_{Arr} (ω^{i})] \cdot \prod_{i < d - 1} [α (1 + β) + {Poly}_{T} (ω^{i}) + β {Poly}_{T} (ω^{i + 1})] = \prod_{i < n + d - 1} [α (1 + β) + {Poly}_{S} (ω^{i}) + β {Poly}_{S} (ω^{i + 1})]$

To efficiently prove the above polynomial holds, we can use a similar trick in halo2 lookup by constructing an accumulator :

${Poly}_{Z} (ω^{0}) = {Poly}_{Z} (ω^{n + d - 1}) = 1$
For $i \in [0, n + d - 1)$ : ${Poly}_{Z} (X ω) = {Poly}_{Z} (X) \cdot \frac{(1 + β) [α + {Poly}_{Arr} (X)] \cdot [α (1 + β) + {Poly}_{T} (X) + β {Poly}_{T} (X ω)]}{α (1 + β) + {Poly}_{S} (X) + β {Poly}_{S} (X ω)}$

However, the above accumulator does not exist because the degree of the denominator, ${Poly}_{S}$ , is different from ${Poly}_{Arr}$ and ${Poly}_{T}$ . Specifically, there are $n$ elements in $Arr$ , $d$ elements in $T$ , but $n + d$ elements in $S$ . Thus we have to decompose the denominator to make it have the same iteration as $Arr$ and $T$ do. It is worth noting for the numerator, the left term contains ${Poly}_{Arr} (X)$ while the right term contains ${Poly}_{T} (X)$ and ${Poly}_{T} (X ω)$ . Therefore, it will be convenient to assume $d = n + 1$ . The order of $S$ is $2 n + 1$ . To traverse $S$ in $n$ steps, we can halve it to $S_{l} = [s_{0}, s_{1}, \dots, s_{n - 1}, s_{n}]$ and $S_{h} = [s_{n}, s_{n + 1}, \dots, s_{2 n - 1}, s_{2 n}]$ , and prove $S_{l} [n] = S_{h} [0]$ . Then we can compute the accumulator such that:

${Poly}_{Z} (ω^{0}) = {Poly}_{Z} (ω^{κ - 1}) = 1$
For $X \in H_{n} ∖ ω^{κ - 1}$ : ${Poly}_{Z} (X ω) = {Poly}_{Z} (X) \cdot \frac{(1 + β) [α + {Poly}_{Arr} (X)] \cdot [α (1 + β) + {Poly}_{T} (X) + β {Poly}_{T} (X ω)]}{[α (1 + β) + {Poly}_{S_{l}} (X) + β {Poly}_{S_{l}} (X ω)] \cdot [α (1 + β) + {Poly}_{S_{h}} (X) + β {Poly}_{S_{h}} (X ω)]}$
For $X = ω^{κ - 1}$ : ${Poly}_{S_{l}} (X) = {Poly}_{S_{h}} (X ω)$

Similarly, we take care of the “for $X$ ” conditions by zeroing out the rest of the polynomial that is not zero. See the gadget zero1 for more on why this works.

${Poly}_{Vanish 1} (X) = [{Poly}_{Z} (X) - 1] \cdot \frac{X^{n} - 1}{(X - ω^{0}) (X - ω^{κ - 1})} = 0$
$\begin{matrix} {Poly}_{Vanish 2} (X) = {{Poly}_{Z} (X ω) \cdot [α (1 + β) + {Poly}_{S_{l}} (X) + β {Poly}_{S_{l}} (X ω)] \cdot [α (1 + β) + {Poly}_{S_{h}} (X) + β {Poly}_{S_{h}} (X ω)] - \\ {Poly}_{Z} (X) \cdot (1 + β) [α + {Poly}_{Arr} (X)] \cdot [α (1 + β) + {Poly}_{T} (X) + β {Poly}_{T} (X ω)]} \cdot (X - ω^{κ - 1}) \end{matrix} = 0$
${Poly}_{Vanish 3} (X) = [{Poly}_{S_{l}} (X) - {Poly}_{S_{h}} (X ω^{n + 1})] \cdot \frac{X^{n} - 1}{X - ω^{κ - 1}} = 0$

These equations are true for every value of $X \in H_{n}$ (but not necessarily true outside of these values). To show this, we divide each polynomial by $X^{n} - 1$ , which is a minimal vanishing polynomial for $H_{n}$ that does not require interpolation to create. If the quotients are polynomials (and not rational functions), then ${Poly}_{Vanish 1} (X)$ , ${Poly}_{Vanish 2} (X)$ , and ${Poly}_{Vanish 3} (X)$ must be vanishing on $H_{n}$ too. Specifically, the prover computes,

$Q_{1} (X) = \frac{{Poly}_{Vanish 1} (X)}{X^{n} - 1}$
$Q_{2} (X) = \frac{{Poly}_{Vanish 2} (X)}{X^{n} - 1}$
$Q_{3} (X) = \frac{{Poly}_{Vanish 3} (X)}{X^{n} - 1}$

Instead of proving the three polynomials are zero polynomials one by one, we can linearly combine the three polynomials with a random challenge $ρ$ sent by $V$ to compute:

$W (X) = {Poly}_{Vanish 1} (X) + ρ \cdot {Poly}_{Vanish 2} (X) + ρ^{2} \cdot {Poly}_{Vanish 3} (X) = 0$

When ${Poly}_{Vanish 1} (X), {Poly}_{Vanish 2} (X), {Poly}_{Vanish 3} (X)$ are vanishing on the domain $H_{n}$ , $W (X)$ is also vanishing with high probability. Again, if and only if $W (X)$ is vanishing over the field $H_{n}$ , $Q (X) = W (X) / (X^{n} - 1)$ exists.

By rearranging, we can get ${Poly}_{Zero} (X)$ as a true zero polynomial (zero at every value both in $H_{n}$ and outside of it):

{Poly}_{Zero} (X) = {Poly}_{Vanish 1} (X) + ρ \cdot {Poly}_{Vanish 2} (X) + ρ^{2} \cdot {Poly}_{Vanish 3} (X) - Q (X) \cdot (X^{n} - 1) = 0

Ultimately the Plookup will satisfy the following constraints at the Commitment Level:

Show $Q (X)$ exists
Show ${Poly}_{Zero} (X)$ is correctly constructed from ${Poly}_{Z} (X)$ , ${Poly}_{Arr} (X)$ , ${Poly}_{T} (X)$ , ${Poly}_{S_{l}} (X)$ , and ${Poly}_{S_{h}} (X)$
Show ${Poly}_{Zero} (X)$ is a zero polynomial

Commitment Level #

The prover will write the following commitments to the transcript:

$K_{Z} = KZG . Commit ({Poly}_{Z} (X))$
$K_{Arr} = KZG . Commit ({Poly}_{Arr} (X))$
$K_{T} = KZG . Commit ({Poly}_{T} (X))$
$K_{S_{l}} = KZG . Commit ({Poly}_{S_{l}} (X))$
$K_{S_{h}} = KZG . Commit ({Poly}_{S_{h}} (X))$

The prover will generate a random challenge evaluation point (using strong Fiat-Shamir) on the polynomial that is outside of $H_{n}$ . Call this point $ρ$ . It will be used by the prover to create polynomial $Q (X)$ (see above) and the prover will write to the transcript:

$ρ$
$K_{Q} = KZG . Commit (Q (X))$

The prover will generate a second random challenge evaluation point (using strong Fiat-Shamir) on the polynomial that is outside of $H_{n}$ . Call this point $ζ$ . The prover will write the three points and opening proofs to the transcript:

$ζ$
${Poly}_{Z} (ζ) = KZG . Open (K_{Z}, ζ)$
${Poly}_{Z} (ζ ω) = KZG . Open (K_{Z}, ζ ω)$
${Poly}_{Arr} (ζ) = KZG . Open (K_{Arr}, ζ)$
${Poly}_{T} (ζ) = KZG . Open (K_{T}, ζ)$
${Poly}_{T} (ζ ω) = KZG . Open (K_{T}, ζ ω)$
${Poly}_{S_{l}} (ζ) = KZG . Open (K_{S_{l}}, ζ)$
${Poly}_{S_{l}} (ζ ω) = KZG . Open (K_{S_{l}}, ζ ω)$
${Poly}_{S_{h}} (ζ) = KZG . Open (K_{S_{h}}, ζ)$
${Poly}_{S_{h}} (ζ ω) = KZG . Open (K_{S_{h}}, ζ ω)$
$Q (ζ) = KZG . Open (K_{Q}, ζ)$

To check the proof, the verifier uses the transcript to construct the value $Y_{Zero}$ as follows:

$Y_{Vanish 1} = [{Poly}_{Z} (ζ) - 1] \cdot \frac{(ζ^{n} - 1)}{(ζ - ω^{0}) \cdot (ζ - ω^{κ - 1})}$
$\begin{matrix} Y_{Vanish 2} = {{Poly}_{Z} (ζ ω) \cdot [α (1 + β) + {Poly}_{S_{l}} (ζ) + β {Poly}_{S_{l}} (ζ ω)] \cdot [α (1 + β) + {Poly}_{S_{h}} (ζ) + β {Poly}_{S_{h}} (ζ ω)] - \\ {Poly}_{Z} (ζ) \cdot (1 + β) [α + {Poly}_{Arr} (ζ)] \cdot [α (1 + β) + {Poly}_{T} (ζ) + β {Poly}_{T} (ζ ω)]} \cdot (ζ - ω^{κ - 1}) \end{matrix}$
$Y_{Vanish 3} = [{Poly}_{S_{l}} (ζ) - {Poly}_{S_{l}} (ζ ω^{n + 1})] \cdot \frac{ζ^{n} - 1}{ζ - ω^{κ - 1}}$
$Y_{Zero} = Y_{Vanish 1} + ρ \cdot Y_{Vanish 2} + ρ^{2} \cdot Y_{Vanish 3} - Q (ζ) \cdot (ζ^{k} - 1)$

Finally, if the constraint system is true, the following constraint will be true (and will be false otherwise with overwhelming probability, due to the Schwartz-Zippel lemma on $ρ$ and $ζ$ ) :

$Y_{Zero} \overset{?}{=} 0$

Security Proof #

halo2 #

Completeness #

Any honest prover can do the computations explained above and create an accepting proof.

Soundness #

We prove knowledge soundness in the Algebraic Group Model (AGM). To do so, we must prove that there exists an efficient extractor $E$ such that for any algebraic adversary $A$ the probability of $A$ winning the following game is $negl (λ)$ .

Given $[g, g^{τ}, g^{τ^{2}}, \dots, g^{τ^{n - 1}}]$ , $A$ outputs commitments to ${Poly}_{Arr} (X)$ , ${Poly}_{{Arr}^{'}} (X)$ , ${Poly}_{T} (X)$ , ${Poly}_{T^{'}} (X)$ , $Q$
$E$ , given access to $A$ ’s outputs from the previous step, outputs ${Poly}_{Arr} (X)$ , ${Poly}_{{Arr}^{'}} (X)$ , ${Poly}_{T} (X)$ , ${Poly}_{T^{'}} (X)$ , $Q$
$A$ plays the part of the prover in showing that $Y_{Zero}$ is zero at a random challenge $ζ$
$A$ wins if
- $V$ accepts at the end of the protocol
- For some $i \in [0, κ - 1]$ , $Arr [i] \notin T$

Our proof is as follows:

To make $Y_{Zero}$ a zero polynomial, $A$ has to prove the four vanishing polynomials are correct. For ${Poly}_{Vanish 1}$ and ${Poly}_{Vanish 2}$ , the permutation check tells us the probability that $V$ accepts the proof is negligible if some elements in $Arr$ are not in $T$ . By the Schwartz-Zippel lemma, we know the probability that ${Poly}_{Vanish 3}$ is vanishing is negligible if ${Poly}_{{Arr}^{'}} (ω^{0}) \neq {Poly}_{T^{'}} (ω^{0})$ . Therefore, to win the KS game, $A$ has to prove ${Poly}_{Vanish 4}$ is correct with the winning condition (some elements in $Arr$ do not appear in $T$ ). Assume $Arr [i^{'}] \notin T, i > 0$ , to make such ${Poly}_{Vanish 4}$ exist, $Arr [i^{'}]$ has to equal to $Arr [i^{'} - 1]$ . And because $Arr [i^{'} - 1] \neq T [i^{'} - 1]$ , $Arr [i^{'} - 1]$ has to equal to $Arr [i^{'} - 2]$ . Thus, to make the winning condition hold, $Arr [i^{'}] = Arr [0]$ must hold, which contradicts to the condition of ${Poly}_{Vanish 3}$ , $Arr [0] = T [0]$ .

Zero-Knowledge #

Before we prove the above protocol is zero-knowledge, it is worth noting the protocol is different from the lookup argument of halo2 in the real world. Specifically, the real halo2 lookup optimizes the two permutation checks into one and fills the table with some random numbers for the PLONK-based proof system. We refer to the official halo2 handbook to see the details. To prove the above protocol is zero-knowledge, we do so by constructing a probabilistic polynomial time simulator $S$ which, for every (possibly malicious) verifier $V$ , can output a view of the execution of the protocol that is indistinguishable from the view produced by the real execution of the program.

The simulator $S$ generates an array ${Arr}^{*}$ by randomly filling it with elements from $T$ , then follows the same steps a prover would prove the lookup argument. $S$ computes ${Arr}^{*^{'}}, T^{'}$ and interpolates the four arrays into their respective polynomials, ${Poly}_{{Arr}^{*}} (X)$ , ${Poly}_{{Arr}^{*^{'}}} (X)$ , ${Poly}_{T} (X)$ , and ${Poly}_{T^{'}} (X)$ . It computes $Q^{*} (X)$ and finally outputs the commitments to each of these polynomials (and writes the commitments to the transcript). Then, it generates the random challenge $ζ^{*}$ (once again this is by strong Fiat-Shamir). It creates opening proofs for ${Poly}_{{Arr}^{*}} (ζ^{*}), {Poly}_{{Arr}^{*^{'}}} (ζ^{*}), Q^{*} (ζ^{*})$ , ${Poly}_{T} (ζ^{*} ω)$ , and ${Poly}_{T^{'}} (ζ^{*} ω)$ , and writes these to the transcript as well. Since $S$ knows each of the above polynomials, it can honestly compute this step and the proof will be accepted by $V$ . The transcript it generates this way will be indistinguishable from a transcript generated from a real execution, since ${PolyCommit}_{Ped}$ has the property of Indistinguishability of Commitments due to the randomization by $h^{\hat{ϕ} (x)}$ .

Plookup #

Completeness #

Any honest prover can do the computations explained above and create an accepting proof.

Soundness #

Given $[g, g^{τ}, g^{τ^{2}}, \dots, g^{τ^{n - 1}}]$ , $A$ outputs commitments to ${Poly}_{Arr} (X)$ , ${Poly}_{T} (X)$ , ${Poly}_{S} (X)$ , $Q$
$E$ , given access to $A$ ’s outputs from the previous step, outputs ${Poly}_{Arr} (X)$ , ${Poly}_{T} (X)$ , ${Poly}_{S} (X)$ , $Q$
$A$ plays the part of the prover in showing that $Y_{Zero}$ is zero at a random challenge $ζ$
$A$ wins if
- $V$ accepts at the end of the protocol
- For some $i \in [0, κ - 1]$ , $Arr [i] \notin T$

Our proof is as follows:

To make $Y_{Zero}$ a zero polynomial, $A$ has to prove the three vanishing polynomials are correct. It is easy to observe that ${Poly}_{Vanish 1}$ and ${Poly}_{Vanish 3}$ can be constructed even if some elements in $Arr$ do not appear in $T$ , so we focus on the ${Poly}_{Vanish 2}$ . By the soundness of the product check, we know $S$ must be the union set of $Arr$ and $T$ if we want to the product of $S [i]$ equals to the product of $Arr [i]$ and $T [i]$ . Recall the equation $A$ needs to prove:

(1 + β)^{n} \prod_{i < n} [α + {Poly}_{Arr} (ω^{i})] \cdot \prod_{i < d - 1} [α (1 + β) + {Poly}_{T} (ω^{i}) + β {Poly}_{T} (ω^{i + 1})] = \prod_{i < n + d - 1} [α (1 + β) + {Poly}_{S} (ω^{i}) + β {Poly}_{S} (ω^{i + 1})]

Thus, for each $i \in [0, d - 1]$ , there exists a factor in the right-hand side of the equation equal to $α (1 + β) + {Poly}_{T} (ω^{i}) + β {Poly}_{T} (ω^{i + 1})$ , which means $α (1 + β) + {Poly}_{T} (ω^{i}) + β {Poly}_{T} (ω^{i + 1}) = α (1 + β) + {Poly}_{S} (ω^{i}) + β {Poly}_{S} (ω^{i + 1})$ . We can get ${Poly}_{T} (ω^{i}) = {Poly}_{S} (ω^{i})$ and ${Poly}_{T} (ω^{i + 1}) = {Poly}_{S} (ω^{i + 1})$ for $i \in [0, d - 1]$ . Similarly, we can get ${Poly}_{Arr} (ω^{i}) = {Poly}_{S} (ω^{i}) = {Poly}_{S} (ω^{i + 1})$ for $i \in [0, n]$ . Since $n$ should be equal to or less than $d$ , when ${Poly}_{Arr} (ω^{i}) = {Poly}_{S} (ω^{i})$ , ${Poly}_{T} (ω^{i}) = {Poly}_{S} (ω^{i})$ must hold at the same time, which contradicts to the winning assumption. Therefore, the protocol is sound.

Zero-Knowledge #

To prove the above protocol is zero-knowledge, we do so by constructing a probabilistic polynomial time simulator $S$ which, for every (possibly malicious) verifier $V$ , can output a view of the execution of the protocol that is indistinguishable from the view produced by the real execution of the program.

The simulator $S$ generates an array ${Arr}^{*}$ by randomly filling it with elements from $T$ , then follows the same steps a prover would prove the lookup argument. $S$ computes $S_{l}$ , $S_{h}$ , and $Z$ and interpolates the five arrays into their respective polynomials, ${Poly}_{{Arr}^{*}} (X)$ , ${Poly}_{T} (X)$ , ${Poly}_{S_{l}} (X)$ , ${Poly}_{S_{h}} (X)$ , and ${Poly}_{Z} (X)$ . It computes $Q^{*} (X)$ and finally outputs the commitments to each of these polynomials (and writes the commitments to the transcript). Then, it generates the random challenge $ζ^{*}$ (once again this is by strong Fiat-Shamir). It creates opening proofs for ${Poly}_{{Arr}^{*}} (ζ^{*}), {Poly}_{T} (ζ^{*}), {Poly}_{T} (ζ^{*} ω), {Poly}_{S_{l}} (ζ^{*}), {Poly}_{S_{l}} (ζ^{*} ω), {Poly}_{S_{h}} (ζ^{*}), {Poly}_{S_{h}} (ζ^{*} ω), Q^{*} (ζ^{*}), {Poly}_{Z} (ζ^{*})$ , and ${Poly}_{Z} (ζ^{*} ω)$ , and writes these to the transcript as well. Since $S$ knows each of the above polynomials, it can honestly compute this step and the proof will be accepted by $V$ . The transcript it generates this way will be indistinguishable from a transcript generated from a real execution since ${PolyCommit}_{Ped}$ has the property of Indistinguishability of Commitments due to the randomization by $h^{\hat{ϕ} (x)}$ .