LogUp-GKR

Prerequisites: See and for more details

In the arithmetization of PLONK or AIR, witnesses and public values are commonly filled into a table. Here, let’s assume there are an input polynomial $A(X)$ and a table polynomial $S(X)$. Typically, the number of the rows is in the form of a power of 2. In this case, the columns of the table are interpreted as polynomials, and the rows are interpreted as the domain. In the example below, the columns of the table are interpreted as univariate polynomials, and $\omega$ is the 4-th root of unity. Therefore, $\omega^4 = 1$ holds.

In the table above, $A(X)$ can be expressed as follows, where $L_i$​ refers to the Lagrange Basis. (See for more information.)

On the other hand, if the domain is expressed as a boolean hypercube as shown below, it can also be interpreted as a multivariate polynomial. (Here, $X$, unlike the previous example, represents a 2-dimensional vector.)

In the table above, $A(X)$ can be expressed as follows. (See for more details)

Lookup tries to prove that all the unique values in set $\bm{A}$ are also in set $\bm{S}$. In practice, $\bm{S}$ is much smaller and consists of unique, non-repeating values.

All rows larger than $\bm{A}$ and $\bm{S}$ are filled with zeros. In Halo2 Lookup, new polynomials (or auxiliary columns) $A'(𝑋)$ and $S'(𝑋)$ are created as shown below. Before creating $A'(𝑋)$ and $S'(𝑋)$, $A(𝑋)$ and $S(𝑋)$ must be committed. (For convenience, $L_0(X)$ is included below, but it is not actually a committed polynomial.)

$A'(X)$ is a polynomial derived from sorting $A(X)$ and $S'(X)$ must satisfy one of the following conditions:

If it is the first row, the values of $A'(X)$ and $S'(X)$ must be the same.

The values of $A'(X)$ and its preceding column $A'(ω^{-1}X)$ must be the same.

If $A'(X)$ and $A'(ω^{-1}X)$ are not the same, $A'(X)$ and $S'(X)$ must have the same values.

If it can be proven that $A'(X)$ and $S'(X)$ satisfy the constraints above, the previously discussed MultiSet Check can now be applied. A new polynomial $Z(X)$ is then defined to run MultiSet Check, which must satisfy the following constraints. The column representing $Z(X)$ is referred to as the running product column.

The next row $Z(ωX)$ is the value obtained by multiplying the current $Z(X)$ by $(A(X) + \beta)(S(X) + \gamma)$ and dividing by $(A'(X) + \beta)(S'(X) + \gamma)$.

The last row must equal either 0 or 1. While a value of 1 is trivial, 0 occurs when $\beta$ and $\gamma$ are sampled in such a way that either the numerator or denominator becomes zero, causing all subsequent entries to be filled with zeros.

For example, if $\beta = 2$ and $\gamma = 3$, $Z(X)$ will be filled as follows. Before constructing $Z(X)$, $A'(X)$ and $S'(X)$ must be committed (For convenience, $L_{\mathsf{last}}(X)$ is included below, but it is not actually a committed polynomial). Since the index of the last row is 4, $L_{\mathsf{last}}(\omega^4) = 1$.

In a Polynomial Interactive Oracle Protocol (PIOP), we use a Polynomial Commitment Scheme (PCS) to transform the problem into an Interactive Oracle Protocol (IOP). The verifier must open several values via the oracle to check the correctness of the relationship above. Assuming we open at $x$, the maximum number of values per polynomial to open is 2.

Since this could break the ZK property, additional random values $a$ to $j$ are added to two columns as shown in the table below. (For convenience, $\mathsf{Blind}(X)$ is included but is not actually a committed polynomial.)

When using Halo2 Lookup, if there are $n$ input polynomials referencing $S(X)$, there are $3n$ columns to commit, as there are $n$ values of each $A'$, $S'$, and $Z$. The downside of this method is inefficiency, as the same $S(X)$ is referenced repeatedly, requiring redundant computations with $S(X)$ and $S'(X)$. Considering that Lookup is often used to verify ranges, this cost cannot be ignored.

For more details, refer to .

In the , the protocol is described for multivariate polynomials, but here it is described for univariate polynomials as used in Scroll Halo2.

Let us assume there are two polynomials referencing $\bm{S}$, as shown below:

To solve the problem above, let us create a polynomial $m(X)$ that indicates the degree of multiplicity. Before creating $m(X)$, $A_0(X)$, $A_1(X)$, and $S(X)$ must be committed.

Based on this, let us assume that, as before, a running product column $Z(X)$ is created. However, with $m(X)$ expressed as an exponent, it can no longer be represented as a polynomial.

By applying this, a new polynomial $Z(X)$ can be defined, which must satisfy the following constraints. The column representing this $Z(X)$ is referred to as the running sum column.

The next row $Z(\omega X)$ is the value obtained by adding $\frac{1} {(A_0(X) + \beta)} + \frac{1}{(A_1(X) + \beta)}$ to the current $Z(X)$ and subtracting $\frac{m(X)}{ (S(X) + \beta)}$.

Before constructing $Z(X)$, $m(X)$ must be committed. If $\beta=2$, $Z(X)$ will be filled as shown below. (For convenience, $L_0(X)$ and $L_{last}(X)$ are included below but are not actually committed polynomials.)

In Scroll Halo2, constraints are flexibly expressed with fractional sums, whereas in the original LogUp, they are strictly expressed with polynomial sums. This is also the case in and presented by Polygon Miden at ZKSummit 12.

With the strict method, the degree of the constraint polynomial can increase, which is why the original LogUp separately creates a helper function $h$ as shown below:

When using univariate LogUp, if there are $n$ input polynomials referencing $S(X)$, there are 2 columns to commit: $m(X)$ and $Z(X)$.

By introducing $m(X)$ in LogUp, the computational overhead is reduced. If $n$ is large, the reduction becomes even more significant. However, there is still overhead associated with generating and committing $Z(X)$. Can this overhead be eliminated?

In , inspired by Lasso, GKR is introduced to further enhance Lookup performance. The height of a layer as 3 can be represented as a layered circuit in GKR as follows:

Here, $+_F$ represents the fraction sum where $P_i(X)$ is the numerator and $Q_i(X)$ is the denominator.

Hence, $+_F$ is formally defined as below.

The prover sends $P_0(0)$, $Q_0(0)$, $P_0(1)$, $Q_0(1)$ to the verifier.

The verifier samples $ho_0$ and $\lambda_0$ and sends them to the prover.

The prover and verifier execute the sumcheck protocol to assert $S_0 = P_0(\rho_0) + \lambda_0 Q_0(\rho_0)$ over the equation below until the final layer.

For the final layer, the prover sends $P_{\mathsf{last}-1}(\rho_0, \dots, X), Q_{\mathsf{last}-1}(\rho_0, \dots, X)$ to the verifier.

The verifier computes $P_{\mathsf{last}-1}(\rho_0, \dots, 0) + \lambda_{\mathsf{last}-1} Q_{\mathsf{last}-1}(\rho_0, \dots, 0) + P_{\mathsf{last}-1}(\rho_0, …, 1) + \lambda_{\mathsf{last}-1} Q_{\mathsf{last}-1}(\rho_0, …, 1)$and compares it with the claim $S_{\mathsf{last}-2}$.

The verifier samples $\rho_{\mathsf{last}-1}$ and sends it to the prover.

The prover sends $S_{\mathsf{last} - 1} = P_{\mathsf{last}-1}(\rho_0, \dots, \rho_{n-1}) + \lambda_{\mathsf{last} - 1} Q_{\mathsf{last}-1}(\rho_0, \dots, \rho_{n-1})$ to the verifier.

The verifier queries $P_{\mathsf{last}-1}(\bm{X}) + \lambda_{\mathsf{last} - 1}Q_{\mathsf{last} - 1}(\bm{X})$ at $(\rho_0, \dots, \rho_{n-1})$ and compares the result with the $S_{\mathsf{last}-1}$.

For the final layer, the prover sends $P_{last-1}(\rho_0, \dots, X_{n-1}), Q_{last-1}(\rho_0, \dots, X_{n-1})$ to the verifier.

The verifier computes $P_{last-1}(\rho_0, \dots, 0) + \lambda_{last-1} Q_{last-1}(\rho_0, \dots, 0) + P_{last-1}(\rho_0, …, 1) + \lambda_{last-1} Q_{last-1}(\rho_0, …, 1)$and compares it with the claim $S_{last-2}$.

The verifier samples $ho_{last-1}$ and sends it to the prover.

The prover sends $P_{last-1}(\rho_0, \dots, \rho_{n-1})$ to the verifier.

The verifier compares $P_{last-1}(\rho_0, \dots, \rho_{n-1})$ with the claim $S_{last-1}$.

1 +

2 +

1 +

3 +

1 +

1 +

2 +

2 +

1 +

2 +

3 +

When using LogUp-GKR, if there are $n$ input polynomials referencing $S(X)$, only 1 column $m(X)$ needs to be committed. Additionally, the issue in LogUp with excessively high degrees of constraints has also been resolved.

Written by from