A brief history of Lookup Arguments

1 Introduction

Mainly refer to the April 2023 article "A Brief History of Lookup Arguments" by the Ingonyama team.

In recent years, the research hot spots of zk-SNARKs include:

Make ZKP proof more succinct
Reduce Prover time and Verifier time

However, most SNARKs are still limited by arithmetic operations that easily convert to polynomials. Arithmetic operations that are easily converted to polynomials are often called "SNARK-friendly", while other "SNARK-unfriendly" operations remain unsolved.

Until 2018, Jonathan Bootle and others published the paper "BCG+18 Nearly linear-time zero-knowledge proofs for correct program execution" , a lookup protocol was proposed to handle certain SNARK-unfriendly operations. The lookup protocol is used to prove the following statement:

已知table $T=\{t_i\}_{i=0,\cdots,N-1}$ with distinct values ("rows")
一组lookups $F=\{f_j\}_{j=0,\cdots,m-1}$ (There may be duplicate values)
Proof: All lookups are included in the table, that is, $F\subseteq T$ 。

table $T$ is usually public, while lookups are usually private witnesses.
Can:

Treat the table as all legal values of a specific variable
Lookups are the values of the variables given by the execution of a specific program.
Then, the above statement means that the variable maintains the legal status during the entire execution process.
Unless explicitly stated, it is assumed $m < N$ , and in most cases $m\ll N$ 。

This article focuses on the evolution of various lookup arguments and their variants, focusing on:

plookup: Ariel Gabizon et al. 2020 paper plookup: A simplified polynomial protocol for lookup tables
cq: Liam Eagen et al.’s 2022 paper cq: Cached quotients for fast lookups

2. Use of lookup argument

2.1 Scope check

When checking numbers $x$ 在 $\{0,1,\cdots,N-1\}$ 范围内，其中 $N=2^n$ .
The corresponding arithmetic constraint method is:

set义 $n$ Number $b_0,\cdots,b_{n-1}$ ，检查对于每个 $i$ ，有 $b_i\in\{0,1\}$ ，且 $\sum_{i}b_i2^i=x$ . Common demand $n + 1$ Promise.
If necessary $Range check of m$ numbers requires $(m\log N)$ Personal promise.

With the help of lookup argument, only one lookup constraint is needed to check $m$ Contains digits $\{0,1,\cdots,N-1 \}$ . The overhead of such a lookup constraint will be introduced later. And when $When N$ is not power of 2, the above arithmetic constraint method will be cumbersome, and the lookup argument does not need to be concerned $N$ Yes or no power of 2.

2.2 Finite field functions

The lookup argument can be used to implement an arbitrary (finite domain) function by simply defining a table with the complete input and output values of the function. Can be used to implement functions with any number of variables.

as widely used in hash calculations $k$ -bit XOR function. Following the logic of Section 2.1 and using arithmetic constraints, it will require $6 k$ constraints. With the lookup argument, you can directly use table $T$ come to fruition, inside table $T$ 的rows为：
$t_i=(A,B,C)$
Among them:

对于每个 $i$ ， $A,B\in\{0,1,\cdots,2^k-1\}$ 为2个 $k$ Different combinations of-bit numbers, and $C=A\oplus B$ 。
整个table $T$ have $2^{2k}$ rows, and each row demand exists $3 k$ bits。
- hit $k = When 32$ (a common value for many hash functions), such a table is completely impractical.
- hit $k = When 16$ , such a table requires 24GB of storage space, which is not practical for most application scenarios.

2.3 Better XOR

The 16-bit table chip for SHA-256 in Halo2 implements a better bit-wise XOR function by using zero-interleaving and lookup argument.
zero-interleaving refers to representing numbers in binary:
$A=\sum_{l=0 }^{k-1}a_l2^l$
Then add a '0' bit between any 2 original bits, so that:
$A'=\sum_{l=0}^{k-1}a_l4^l$
Two XOR imports $A, B$ After zero-interleaving, there is $A^{'}, B^{'}$ 。计算 $C^{''} = A^{'} + B^{'}$ ，则 $C^{The bit in the even position of ''}$ is $C=A\oplus B$ . C ′ ′ C'' $C^{''}$ 获得 $C$ ，Customer $C^{''}$ is decomposed into odd bits and even bits:
$C''=\sum_{l=0}^{k-1}c_l^{even}4^l+2\sum_{l=0}^{ k-1}c_{l}^{odd}4^l$

thereby:

有 $c_l^{even}$ 为 $C=A\oplus B$ ,
Also has by-products: $c_l^{odd}$ 为 $D=A\land B$ . $\land$ 表示bit-wise AND。
借助4次zero-interleaving table： $A,B,C,D\rightarrow A',B',C',D'$ , and an arithmetic constraint:
$A^{'} + B^{'} = C^{''} = C^{'} + 2 D^{'}$
possible time confirmation $A, The bit-wise XOR and bit-wise AND results of B$ .

hit $k = When 32$ , the above implementation is still unrealistically large, and a single table requires 48GB of storage space.
However, for $k = In the case of 16$ , the lookup table corresponding to the above implementation only requires 384kB.
The number of bits can be reduced in a SNARK-friendly way through slicing, that is, the arithmetic gate is introduced - which uses two 16-bit numbers $x_0,x_1$ is the input, and then the 32-bit number is finally obtained $x=x_0\cdot 1+x_1\cdot 2^{ 16}$ 。

2.4 Finite state machine

lookup table can be used to implement finite state machines. A state machine contains a set of states and state changes that depend on the inputs. The lookup table that implements the state machine contains all legal combinations of (current state, input, next state). The execution trace of the state machine is usually expressed as:
$state(j),input(j),next\_state (j))$

You can use the lookup argument to prove the legal execution of the state machine and prove the wiring constraints:
$next\_state(j )=state(j+1)$

The wiring constraint is SNARK-friendly.

3. Plookup

Plookup is one of the early lookup protocols and is a simplified version of the first lookup protocol.
The idea behind Plookup is:

已知向量 $t\in\mathbb{F}^N,f\in\mathbb{F}^m,s\in\mathbb{F}^{N+m}$ ，和双变量多项式：
$F(\beta,\gamma)=(1+\beta)^m\prod_{j=1}^{m}(\gamma+f_j)\prod_{i=1}^{N-1}(\gamma(1+\beta)+t_i+\beta t_{i+1})$
$G(\beta ,\gamma)=\prod_{k=1}^{m+N-1}(\gamma(1+\beta)+s_k+\beta s_{k+1})$
则有：
$F\equiv G \Leftrightarrow \left\{\begin{matrix} \{f_j\}\subseteq \{t_i\}, & 且 \\ s=(f,t) \text{ sorted by } t & \\ \end{matrix}\right.$
in:
- $\text{ sorted by } t$ ，表示 $The order of appearance of the values in s$ is the same as $The order of occurrence in t$ is the same, because there are $\{f_j\}\subseteq \{t_i\ }$ 。

若有 $\text{ sorted by } t$ ，且， $\{f_j\}\subseteq \{t_i\}$ ，则对于每个 $i=1,\cdots,N-1$ , all are different $k\in\{1,\ cdots,m+N-1\}$ ，使得：
$(\gamma (1+\beta)+t_i+\beta t_{i+1})=(\gamma(1+\beta)+s_k+\beta s_{k+1}) \tag{3.4}$
对于其它 $s_k=s_{k+1}$ Index value of $k$ ，存在 $j\in\{1,\cdots,m\}$ , use $f_j=s_k$ ，且：
$(1+\ beta)(\gamma+f_j)=(\gamma(1+\beta)+s_k+\beta s_{k+1}) \tag{3.5}$

General $\beta$ is regarded as a coefficient, then $F, G$ Watch it $\mathbb{F}[\gamma]$ polynomial, thus having a unique decomposition factor. By identifying the factors in the above equations 3.4 and 3.5, we can find that the factors are about the variables $\beta$ multi-format.

3.1 Plookup definition

Plookup uses the following definition:

1）取 $m = N - 1$ ，Young insufficiency $N = m + 1$ , then the last element needs to be repeated to fill the corresponding lookups list until it satisfies $N = m + 1$ 。
2） $H=\{g,\cdots,g^N=1\}$ 为 $\mathbb{F}$ Middle order $N$ 的multiplicative subgroup。
3) For vectors $p=\mathbb{F}^N$ , define polynomial $p(x)\in\mathbb{F} [X]_{<N}$ , so that the vector value is the evaluation value of the polynomial, that is, it satisfies $p_i=p(g^i)$ 。
4）令 $L_i(x)\in\mathbb{F}[X]_{<N}$ 为基于 $H$ 's part $i$ The image of Lagrange city is full of feet $L_i(g^j)=\delta_{ij }$ (for Kronecker delta).
5） $s\in \mathbb{F}^{2N-1}$ 为 $(f, t)$ sorted by $t$ 。

3.2 Plookup protocol

The final Plookup protocol is:

1) Prover calculates and merges 2 polynomials $h_1,h_2\in\mathbb{F}[x]_ {<N}$ commits such that for each $i=1,\cdots,N$ , Yes: [Shu, General $s$ The vector is divided into half on the left and right, and then interpolated to obtain $h_1,h_2$ Multiple format. ]
$h_1(g^i)=s_i$
$h_2(g^i)=s_{N+i-1}$
2) Verifier sends random value to Prover $\beta,\gamma$ 。
3) Prover calculates and corrects the polynomial $Z\in \mathbb{F}[x]_{<N}$ Polynomial commitment, $Z$ Definition $F(\beta,\gamma)/G( \beta,\gamma)$ ，有：
$Z (g) = 1$
对于 $i=2,\cdots,N-1$ ，有 $Z(g^i)=\frac{(1+\beta)^{i-1}\prod_{l=1}^{i-1}(\gamma +f_l)(\gamma(1+\beta)+t_l+\beta t_{l+1})}{\prod_{l=1}^{i-1}(\gamma (1+\beta)+s_l+\ beta s_{l+1})(\gamma(1+\beta)+s_{N+l}+\beta s_{N+l+1})}\tag{3.9}$
$Z(g^N)=1$
4) Verifier owns $x\in H$ 、Identities：
$L_1(x )(Z(x)-1)=0\tag{3.11}$
$L_N(x)(Z(x)-1)=0\tag{3.12}$
$L_N(x)(h_1(x)-h_2(gx))=0\tag{3.13}$
$(x-g^N)Z(x)(1+\beta)(\gamma+f(x))(\gamma(1+\beta)+t(x)+\beta t(gx))=(x-g^N)Z(gx)(\gamma(1+\beta)+h_1(x)+\beta h_1(gx))(\gamma(1+\beta)+h_2(x)+\beta h_2(gx))\tag{3.14}$

Note that the constructed $Z (x)$ polynomial, in Eq. 3.9 On the basis of , the numerator and denominator are multiplied by the same multiplier term. That means, the $N$ after, $F, The equivalence of G$ implies that all terms can be reduced, ultimately obtaining 1. Equations 3.11 and 3.12 check $Z(g)=Z(g^N)=1$ , while Equation 3.14 checks that each evaluation value indeed adds the correct multiplier term - the added $(x-g^N)$ $Z (g^{N})$ 和 $Z(g^{N+1})=Z(g)$ .

3.3 Plookup overhead

The Plookup protocol does not rely on any special commitment scheme. usually:

Prover runtime为 $O(N\log N)$ domain operations (to construct polynomials from evaluations values), and $O (N)$ Personal group calculation (hereafter Construction multi-format $Z$ ）。
When using the KZG commitment scheme, its proof size is 5 group elements and 9 domain elements, and the Verifier runtime is 2 pairing functions.

3.4 Plookup generalization and optimization

The Plookup protocol can be generalized to multiple witness polynomials $f_1,\cdots,f_w\in\mathbb{F }[x]_{<m}$ 和多个tables $t_1,\cdots,t_w\in\mathbb{F}[x]_{<N}$ . Verifier selects a random value $\alpha$ , then these polynomials can be aggregated as:
$t=\sum_{l=1}^ {w}\alpha^lt_l$
$f=\sum_{l=1}^{w}\alpha^lf_l$

Then process as before $f, t$ 。

If table is a set of consecutive integers, then there is $t_{l+1}=t_l+1$ , then the 3.9 method in the Plookup protocol can be simplified as:
$Z(g^i)=\frac{\prod_{l=1}^{i- 1}(\gamma+f_l)(\gamma+t_l)}{\prod_{l=1}^{i-1}(\gamma+s_l)(\gamma+s_{N+l})}$

The corresponding Verifier checks also need to be adjusted accordingly.

Another generalization of the Plookup protocol is the plonkup protocol, see Luke Pearson et al.'s 2022 paperPlonkup: Reconciling plonk with plookup, plonkup protocol It integrates plonk and plookup, and supports the introduction of efficient lookup tables with general plonk gates.

4. cq protocol

The main problems with the plookup protocol are:

对于 $m\ll N$ , the plookup protocol is expensive.

Since the advent of the plookup protocol, multiple lookup protocols have been iterated. Compared with the previous protocol, each new lookup protocol is more effective $The dependence of N$ has been reduced. The core ideas behind these new lookup protocols are:

Move most table calculations to precalculation.

As of April 2023, the best lookup protocol is cq, see Liam Eagen et al.'s 2022 papercq: Cached quotients for fast lookups.

4.1 Logarithmic Derivative

The cq protocol is based on the following Logarithmic Derivative trick:

2-piece multi-frame formula $p(x)=\prod_{a\in A}(x+a) $ 和 $q(x)=\prod_{b\in B}(x+b)$ are equal if and only if the following rational functions are equal:
$\frac{p'(x)}{p(x)}=\sum_{a\in A}\frac{1}{x+a} $
$\frac{q'(x)}{q(x)}=\sum_{b\in B}\frac{1}{x+b}$

Same Yu $p (x) = q (x)$ ，Advanced $p^{'} (x) / p (x) = q^{'} (x) / q (x)$ is trivial, and Rebellion, Yu $p^{'} (x) / p (x) = q^{'} (x) / q (x)$ ，有：
$(\frac{p(x)}{q(x)})'=\frac{p'(x)q(x)-q'(x)p(x)}{q^2(x)}=0$

That means, there $p (x) / q (x) = c$ , inside $c$ is a constant value. However, since $p (x), q (x)$ 's leading system equality 1, there is $c = 1$ 且 $p (x) = q (x)$ 。从而，lookups $f$ 包含在table $t$ 中，当且仅当：
$\sum_{i=1}^{N}\frac{m_i}{x+t_i}=\sum_{j=1}^{m}\frac{1}{x+f_j}\tag{4.4}$
Among them:

$m_i$ 为lookup $f_j$ 中 $t_i$ The number of times the value appears. Note that each $t_i$ is unique, and $f_j$ values support duplication, and for many $t_i$ 可以有 $m_i$ The value is 0.

The core idea of the cq protocol is to test the 4.4 equation at a random point $x=\beta$ .

4.2 Adjust cq protocol identity to Sumcheck

determinable multifunction $A (x), B (x)$ ，使得其evaluations值为：
$A_i=\frac{m_i}{\beta+t_i},i=1,\cdots,N \tag{4.5}$
$B_j=\frac{1}{\beta+f_j},j=1,\cdots,m$

To do the cq protocol identity check of equation 4.4.

Here are:

$A_i=A(g^i)$ , inside $g$ order为 $N$ 的multiplicative subgroup $V\subset \mathbb{F}$ 的generator。
$B_j=B(w^j)$ , inside $w$ order为 $m$ 的multiplicative subgroup $H\subset \mathbb{F}$ 的generator。

Basic point $\beta$ , in order to satisfy the relationship in Equation 4.4, $A_i,B_j$ Demand sufficiency $\sum_i A_i=\sum_j B_j$ , and these polynomial evaluations based on multiplicative groups follow:
$\sum_{i=1}^{N }A_i=N\cdot A(0)$
$\sum_{i=j}^{m}B_j=m\cdot B(0)$

Then, Prover must prove:
$N\cdot A(0)=m\cdot B(0 )\tag{4.9}$

This corresponds to the univariate sumcheck problem.

4.3 quotient polynomial of cq protocol

多项式：
$p(x)=A(x)(T(x)+\beta)-m(x)$
$q(x)=B(x)(F(x)+\beta)-1$
Inside:

$T (x), m (x), F (x)$ 多项式的evaluation值分别为 $t_i,m_i,f_j$ 。
对于 $V$ ， $p (x)$ 's evaluation list required 0.
对于 $H$ ， $q (x)$ 's evaluation list required 0.

Thus, quotient polynomials can be defined $Q_A(x),Q_B(x)$ 为：
$Q_A(x)=\frac{A(x)(T(x)+\beta)-m(x)}{Z_V(x)}\tag{4.12}$
$Q_B(x)=\frac{B(x)(F(x)+\beta)-1}{Z_H(x)}\tag{4.13}$
Among them:

$Z_V(x),Z_H(x)$ Separation $V, The vanishing polynomial of H$ .

Prover needs to prove 2 things:

1）Kichido multi-function $A,B,Q_A,Q_B,F,m$ 。
2) These polynomials satisfy the relationships of equations 4.9, 4.12, and 4.13 above.

If the KZG commitment scheme is used, it only needs to use pairing to check these equation relationships. However, these statements will be further divided next.

In the 4.4 cq protocol, prove that it knows polynomials $A$ and its sum

When using KZG commitment value $[\phi(x)]_1$ To prove that it knows polynomials $\phi(x)$ When, Prover Association Its existence $z$ points are evaluated to define a new polynomial:
$P_{ \phi}=\frac{\phi(x)-\phi(z)}{x-z}$
and send the promised value $[P_{\phi}]_1$ 。Verify the pairing function:
$e([\phi(x)]_1-[\phi(z)]_1,[1]_2)=e([P_{\phi}]_1,[x-z] _2)$

let it be rewritten as：
$e([\phi(x)]_1-[\phi(z)]_1+z\cdot [P_{\phi}]_1,[1] _2)=e([P_{\phi}]_1,[x]_2)$

makes the second parameter of the pairing function always $1]_2$ or $x]_2$ 。

踺证明其道多项style $A$ ，对 $A$ existing $x = 0$ 点进行evaluate，有：
$P_A(x)=\frac{A(x)-A(0)}{x}$
并受诺 $P_A]_1$ , then use:
$e([A(x)]_1-[A(0)]_1,[1]_2)=e([P_A(x)]_1,[x]_2)$
Come here.

4.5 cq协议中， $B$ polynomial low degree testing

Know polynomials for proof $B$ ：

First prove the polynomial $B$ 的degree确实 $< m$ 。

Attention, no demand $A (x)$ 's degree、inherited The maximum degree of support for SRS.

In the KZG commitment scheme, to prove the polynomial $B$ 的degree确实 $< m$ , can be determined:
$P_B(x)=\frac {B(x)-B(0)}{x}$
Then commit $[P_B(x)\cdot x^{N-m+1}]_1$ ，最后测试：
$e([P_B(x)]_1,[x^{N-m+1}]_2)=e([P_B(x)\cdot x^{N-m+1}]_1,[1]_2)$

Attention, young $B (x)$ 中有degree $\geq m$ will be included in the commitment value $[P_B( x)\cdot x^{N-m+1}]_1$ , while SRS does not support degree $\geq N$ .

4.6 In the cq protocol, Cached Quotients are used to prove the equation relationship in 4.12)

可通过如下testing：
$e([A(x)]_1,[T(x)]_2)=e([Q_A(x)]_1,[Z_V(x)]_2)\cdot e([m(x)]_1-\beta [A(x)]_1,[1]_2)$

To check the relationship of equation 4.12).

in:

$T]_2,[Z_V]_2,[1]_2,[x]_2$ All are independent of lookups and can be precalculated.
Prover需计算： $[A(x)]_1,[Q_A(x)]_1,[m(x)]_1,A(0),[\frac{A(x)-A(0)}{x}]_1$ 。
- The computational complexity of these is $O (m)$ ，Because of demand Accounting lookups. Waka $t_i$ does not exist in lookups, then there are $m_i=0,A_i=0$ 。
- Just exists $Q_A(x)]_1$ 计许为 $O (N)$ . Basic solution plan:
  - 预计算cached quotients：
    $Q_i(x)=\frac{L_i(x)(T(x)-t_i)}{Z_V(x)}=\frac{T(x)-t_i}{k^i(x-g^i)}\tag{4.22}$
    Among them:
    - $L_i(x)$ Lagrange multi-format
    - $L_i(x)=\frac{Z_V(x)}{k^i(x-g^i)}$
    - $k^i=Z_V'(g^i)=(x^N-1)'|_{x=g^i}=N\cdot g_i^{N-1}=\frac{N}{g^i}$
    - 使用NTT， $Q_i(x)$ 's calculation amount $O(N\log N)$ 。
    - 使用 $Q_i(x)$ ， $Q_A]_1$ The calculation amount of is $O (m)$ ，有：
      $[Q_A(x)]_1=\sum_{A_i\neq 0}A_i\cdot [Q_i(x)]_1$
      Inside $A_i$ is 4.5) Polynomial in the equation $A (x)$ 的evaluation值。

In 4.7 cq protocol, prove the equation relationship of 4.9) 4.13)

Introduce another random value $x=\gamma$ ：

First for the polynomial:
$P_F(x)=\frac{F(x)-F( \gamma)}{x-\gamma}$
$P_{B,\gamma}(x)=\frac{P_B(x)-P_B(\gamma)}{x-\gamma}$
Commitment to prove knowledge $F(\gamma),P_B(\gamma)$ 。
可通过验证：
$e([F(x)]_1-[F(\gamma)]_1+\gamma [P_F(x)]_1,[1]_2)=e([P_F(x)]_1,[x]_2)\tag{4.28}$
$e([P_B(x)]_1-[P_B(\gamma)]_1+\gamma [P_{B,\gamma}(x)]_1,[1]_2)=e([P_{B,\gamma}(x)]_1,[x]_2)\tag{4.29}$
come $B (x), F (x)$ 确实evaluate到 $B(\gamma),F(\gamma)$ , so you can use these evaluations values to prove the required relationships.
Identify:
$Q_{b,\gamma}=\frac{(B(\gamma)-B(0)+A(0)\cdot N/m)(F(\gamma)+\beta )-1}{Z_H(\gamma)}\tag{4.30}$
$P_{Q_B}(x)=\frac{Q_B(x)-Q_{b,\gamma}}{x-\gamma}$
Then send the commitment value $[Q_{b,\gamma}]_1,[P_{Q_B}( x)]_1$ , which can be verified by the following pairing equation:
$e([Q_B(x)]_1-[Q_{b,\gamma}]_1+\gamma [P_{ Q_B}(x)]_1,[1]_2)=e([P_{Q_B}(x)]_1,[x]_2)\tag{4.32}$
Note that this construction can simultaneously prove the following statements:
$Q_{B} (γ) = \frac{( B ( γ )) ( F ( γ ) + β ) - 1}{WITH _{H} ( x )}$
$B(0)\cdot m=A(0)\cdot N$
This ends the entire proof.

4.8 Proof batching of cq protocol

The last three proofs have similar structures, and the cq protocol can batch them into a single protocol - by introducing new random variables $\eta$ ，and define：
$c(x)=P_B(x)+\eta F(x)+\eta^2 Q_B(x)$
$v=P_B(\gamma)+\eta F(\gamma)+\eta^2 Q_{b,\gamma}$
$P_{\gamma}(x)=P_{B,\gamma}(x)+\eta P_F(x )+\eta^2 P_{Q_B}(x)$

Then, aggregate 4.28), 4.29), and 4.32) into a single check:
$e([c(x)]_1-[v]_1+\gamma[P_{\gamma}( x)]_1,[1]_2)=e([P_{\gamma}(x)]_1,[x]_2)$

4.9 cq complete agreement

4.9.1 Setup phase

Both Prover and Verifier have public input $t_i$ ， $i=1,\cdots,N$ . The following process is performed by a trusted party:

1) Select a random value $x\in \mathbb{F}$ ，输出 ${[x^i]_1\}_{i=0}^{N-1}$ sum ${[x^i]_2\}_{i=0}^{N}$ 。数字 $x$ required.
2) Calculate and output $Z_V(x)]_2$ 。
3）电影 $T(x)=\sum_i t_iL_i(x)$ . Calculation out $T(x)]_2$ 。
4）对于每个 $i=1,\cdots,N$ , accounting for export:
- According to equation 4.22), calculate and output $Q_i(x)]_1$
- $L_i(x)]_1$
- $[\frac{L_i(x)-L_i(0)}{x}]_1$

The output of the setup phase forms SRS and is sent to both Prover and Verifier.

4.9.2 Proving stage

Prover obtains private witness value $f_j$ ， $j=1,\cdots,m$ , and what Verifier obtains is the commitment value of these inputs $[F(x)]_1 $ . These inputs need to originate from the same trusted party to reach consensus on the issues to be proven.

The process of the cq protocol proof phase is:
Insert image description here
Note that Verifier is calculated according to the equation 4.30) $Q_{b,\gamma} $ , its demand $B(\gamma),B(0)$ Prover . However, Prover has sent it $P_{B}(\gamma)=(B(\gamma)-B(0 ))/\gamma$ $Q_{b,\gamma}=\frac{(P_B(\gamma)\cdot \gamma+A(0)\cdot N/m); (F(\gamma)+\beta)-1}{Z_H(\gamma)}$ ,And then,Verify the solution: $γ$
$Q_{b, γ} = \frac{( P _{B} ( γ ) \cdot γ + A ( 0 ) \cdot N / m ) ( F ( γ ) + β ) - 1}{WITH _{H} ( γ )}$

4.10 cq protocol, further batching and aggregation

Fiat-Shamir transformation can be used to convert the above protocol to non-interactive. At this time, the proof content is:
$\pi_{cq}=\{[m]_1,[A]_1, [Q_A]_1,[Q_B]_1,[P_A]_1,[P_B]_1,[P_Bx^{N-m+1}]_1,[P_{\gamma}]_1,P_B(\gamma),F( \gamma),A(0)\}$
Among them:

The first 8 are group elements
The last three are field elements

The corresponding pairing equation is:
$e([P_B(x)]_1,[x^{N-m+1}]_2)=e([P_B(x)\cdot x^{ N-m+1}]_1,[1]_2)$
$e([A(x)]_1, [T(x)]_2)=e([Q_A(x)]_1,[Z_V(x)]_2)\cdot e([m(x)]_1-\beta[A(x)]_1,[1]_2)$
$e([A(x)]_1-[A(0)]_1,[1]_2)=e([P_A(x)]_1,[x]_2)$
$e([c(x)]_1-[v]_1+\gamma [P_{\gamma}(x)]_1,[1]_2)=e([P_{\gamma}(x)]_1,[x]_2)$

Introduce new random values $\mu\in \mathbb{F}$ , it is easy to batch the last two pairing equations above as:
$e([c(x)]_1-[v]_1+\gamma [P_{\gamma}(x)]_1+\mu ([A(x)]_1 -[A(0)]_1), [1]_2)=e([P_{\gamma}(x)]_1+\mu [P_A(x)]_1,[x]_2)$
再引入 $\rho\in \mathbb{F}$ , in each pairing function batch, is:
$e([P_{\gamma}(x)]_1+\mu [P_A(x)]_1,[x]_2)\cdot e(\rho[P_B(x)]_1,[x^{N-m +1}]_2)=e([c(x)]_1-[v]_1+\gamma [P_{\gamma}(x)]_1+\mu ([A(x)]_1-[A(0) ]_1)+\rho [P_B(x)\cdot x^{N-m+1}]_1,[1]_2)$

再引入 $\sigma\in\mathbb{F}$ , batch it with the second pairing equation into a single pairing equation. Definition:
$L_a=[P_{\gamma}(x)]_1+\mu [P_A(x )]_1$
$L_b=\rho [P_B(x)]_1$
$L_c=\sigma [A(x)]_1$
$L_d=-\sigma [Q_A(x)]_1$
$R=[c(x)]_1-[v]_1+\gamma [P_{\gamma }(x)]_1+\mu([A(x)]_1-[A(0)]_1)+\rho [P_B(x)\cdot x^{N-m+1}]_1+\sigma([ m(x)]_1-\beta[A(x)]_1)$

The single pairing equation of the final batch is:
$e(L_a,[x]_2)\cdot e( L_b, [x^{N-m+1}]_2)\cdot e(L_c,[T(x)]_2)\cdot e(L_d,[Z_V(x)]_2)=e(R,[1 ]_2)$

Since the second parameter in each pairing function above only depends on the setup, different proofs with the same setup are introduced by introducing new random parameters $\chi \in\mathbb{F}$ , independent proof:
$e(\sum_k\chi ^kL_{a,k},[x]_2)\cdot e(\sum_k\ chi^kL_{b,k},[x^{N-m+1}]_2)\cdot e(\sum_k\chi^kL_{c,k},[T(x)]_2)\cdot e( \sum_kL_{d,k},[Z_V(x)]_2)=e(\sum_kR_k,[1]_2)$

4.11 cq protocol overhead

Different from the plookup protocol, the cq protocol is highly dependent on the KZG commitment scheme.

The overhead of the cq protocol is:

cq protocol will be plookup protocol $O(N\log N)$ The complexity is moved to the setup stage, so that these calculations only need to be done once for the same table.
The calculation of the cq protocol proof phase completely relies on $m$ , and it can be assumed that $m\ll N$ . [In other words, if $m\ll N$ condition is not met, there is no reason to use the cq protocol, and the performance of the plookup protocol will be better. 】
The workload of cq protocol Prover is $O(m\log m)$ 。
The cq protocol proof size and Verifier workload are both constants.

5. Lookup protocol evolution

This section will briefly introduce the improvements from plookup to cq, and review other lookup protocols between the two. Note that these lookup protocols explicitly rely on the KZG commitment scheme.
Insert image description here

5.1 Caulk

Arantxa Zapico et al.’s 2022 paper " Caulk: Lookup arguments in sublinear time" proposed the Caulk protocol.
The core idea behind the Caulk protocol is:

(here $O(N\log N)$ ) 袄计衡表 encoding，用该table searchable in $O(\log N)$
lookups also do similar encoding, so that the search complexity is $O(m\log N)$ , prove that the additional complexity of this encoding is $O( m^2)$ 。

Caulk protocol:

Precompute table as vanishing polynomial:
$Z_T(x)=\prod_{i=1}^ {N}(x-t_i)$
Calculate lookups similarly as:
$f(x)=\prod_{j=1}^{m }(x-f_j)$
Prover发送 $Z_T,f$ .
will prove: for $S\subseteq T$ ，有 $f=Z_S$
Convert to proof: $Z_{T\setminus S}(x)=Z_T(x)/ Z_S(x)$ One piece multi-format.
对于每个 $i=1,\cdots N$ ，caulk会预计算多项式：
$g_i(x)=Z_{T\setminus t_i}(x)$
In fact, these are cached quotients in the cq protocol.
若 $S\subseteq T$ , then there are certain numbers $c_j\in\mathbb{F}$ ，使得 $Z_{T\setminus S}(x)$ 可分解表示为：
$Z_{T\setminus S}(x)=\sum_{j=1}^{m}c_jg_{i(j)}(x)$
Prover仅需要计算 $Z_{T\setminus S}(x)$ The committed value of the polynomial, and Verifier only needs to use pairing check:
$[Z_{T\setminus S}])=e([ Z_T],[1])$

5.2 Caulk+ Protocol

Jim Posen et al. proposed the Caulk+ protocol in the 2022 paper "Caulk+: Table-independent lookup arguments":

The main shortcoming of the Caulk protocol is that it treats the table as a universal collection instead of encoding it as a group.
Caulk+ protocol: By precomputing the table, the shortcomings in the Caulk protocol are improved.
- Caulk+ treats the table as a multiplicative group, whose initial value is group generator powers.
- Thus eliminating the pair $N$ dependent, prove time仅为 $O(m^2)$ 。

5.3 Flookup protocol

Ariel Gabizon et al.’s 2022 paper "flookup: Fractional decompositionbased lookups in quasi-linear time independent of table size" proposed the flookup protocol :

increases preprocessing overhead to $O(N\log ^2 N)$
Reduced Prover runtime to $O(m\log^2 m)$
At the same time, the homomorphic properties of the commitment scheme are sacrificed, so that merging multiple lookups and tables is not supported.

5.4 Baloo Protocol

Arantxa Zapico et al.’s 2022 paper "Baloo: Nearly optimal lookup arguments" proposed the Baloo protocol, which is an optimization of the Caulk+ protocol Edition:

Replace lookups with a linear variant.
Then use univariate sumcheck to prove the polynomial it promises.
The preprocessing overhead is the same as Caulk+, which is $O(N\log N)$ 。
The Prover overhead is the same as that of flookup, which is $O(m\log^2 m)$ 。
Since the constants in the Baloo protocol are larger, the actual overhead of the Baloo protocol is slightly higher than that of flipup. However, it retains the homomorphic properties of the commitment scheme, thereby supporting the merging of multiple lookups and tables.