Welcome to the resource topic for 2022/621

Title:
Caulk: Lookup Arguments in Sublinear Time

Authors: Arantxa Zapico, Vitalik Buterin, Dmitry Khovratovich, Mary Maller, Anca Nitulescu, Mark Simkin

We present position-hiding linkability for vector commitment schemes: one can prove in zero knowledge that one or m values that comprise commitment cm all belong to the vector of size N committed to in C. Our construction Caulk can be used for membership proofs and lookup arguments and outperforms all existing alternatives in prover time by orders of magnitude. For both single- and multi-membership proofs Caulk beats SNARKed Merkle proofs by the factor of 100 even if the latter instantiated with Poseidon hash. Asymptotically our prover needs O(m^2 + m\log N) time to prove a batch of m openings, whereas proof size is O(1) and verifier time is O(\log(\log N)). As a lookup argument, Caulk is the first scheme with prover time sublinear in the table size, assuming O(N\log N) preprocessing time and O(N) storage. It can be used as a subprimitive in verifiable computation schemes in order to drastically decrease the lookup overhead. Our scheme comes with a reference implementation and benchmarks.

ePrint: https://eprint.iacr.org/2022/621

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .

A post was split to a new topic: Verifier’s Knowledge of the Number of Unique Elements

The paper deals with a bivariate polynomial, and instead of using KZG polynomial commitment for bivariate polynomials of the form P(X, Y) (of degrees d_1 −1 in X and d_2 −1 in Y), it transforms it to a univariate polynomial and commits of the form [P(x^{d_2},x)]_1. Is there a justification for why the commitment to the X variable is raised by d_2?