plookup: A simplified polynomial protocol for lookup tables

Ariel Gabizon; Zachary J.  Williamson

Paper 2020/315

plookup: A simplified polynomial protocol for lookup tables

Ariel Gabizon and Zachary J. Williamson

Abstract

We present a protocol for checking the values of a committed polynomial $f \in F_{< n} [X]$ over a multiplicative subgroup $H \subset F$ of size $n$ , are contained in the values of a table $t \in F^{d}$ . Our protocol can be viewed as a simplification of one from Bootle et. al [BCGJM, ASIACRYPT 2018] for a similar problem, with potential efficiency improvements when $d \leq n$ . In particular, [BCGJM]'s protocol requires comitting to several auxiliary polynomials of degree $d \cdot \log n$ , whereas ours requires three commitments to auxiliary polynomials of degree $n$ , which can be much smaller in the case $d \sim n$ . One common use case of this primitive in the zk-SNARK setting is a ``batched range proof'', where one wishes to check all of 's values on are in a range . We present a slightly optimized protocol for this special case, and pose improving it as an open problem.

Note: typo, ack: Luke Pearson

Metadata

Available format(s): PDF
Publication info: Preprint. MINOR revision.
Keywords: zk-SNARKs Polynomial Commitment Schemes
Contact author(s): ariel @ aztecprotocol com
History: 2020-11-20: last of 4 revisions; 2020-03-15: received; See all versions
Short URL: https://ia.cr/2020/315
License: CC BY

BibTeX

@misc{cryptoeprint:2020/315,
      author = {Ariel Gabizon and Zachary J.  Williamson},
      title = {plookup: A simplified polynomial protocol for lookup tables},
      howpublished = {Cryptology {ePrint} Archive, Paper 2020/315},
      year = {2020},
      url = {https://eprint.iacr.org/2020/315}
}