Unlocking the lookup singularity with Lasso

Eurocrypt |

This paper introduces Lasso, a new family of lookup arguments, which allow an untrusted prover to commit to a vector

𝑎𝐹𝑚

and prove that all entries of a reside in some predetermined table

𝑡𝐹𝑛

. Lasso’s performance characteristics unlock the so-called «lookup singularity». Lasso works with any multilinear polynomial commitment scheme, and provides the following efficiency properties. For

𝑚

lookups into a table of size

𝑛

, Lasso’s prover commits to just

𝑚+𝑛

field elements. Moreover, the committed field elements are small, meaning that, no matter how big the field

𝐹

is, they are all in the set

{0,...,𝑚}

. When using a multiexponentiation-based commitment scheme, this results in the prover’s costs dominated by only

𝑂(𝑚+𝑛)

group operations (e.g., elliptic curve point additions), plus the cost to prove an evaluation of a multilinear polynomial whose evaluations over the Boolean hypercube are the table entries. This represents a significant improvement in prover costs over prior lookup arguments (e.g., plookup, Halo2’s lookups, lookup arguments based on logarithmic derivatives).

Unlike all prior lookup arguments, if the table

𝑡

is structured (in a precise sense that we define), then no party needs to commit to

𝑡

, enabling the use of much larger tables than prior works (e.g., of size

2128

or larger). Moreover, Lasso’s prover only «pays» in runtime for table entries that are accessed by the lookup operations. This applies to tables commonly used to implement range checks, bitwise operations, big-number arithmetic, and even transitions of a full-fledged CPU such as RISC-V. Specifically, for any integer parameter

𝑐>1

, Lasso’s prover’s dominant cost is committing to

3𝑐𝑚+𝑐𝑛1/𝑐

field elements. Furthermore, all these field elements are “small”, meaning they are in the set

{0,...,max(𝑚,𝑛1/𝑐,𝑞)1}

, where

𝑞

is the maximum value in

𝑎

.

Lasso’s starting point is Spark, a time-optimal polynomial commitment scheme for sparse polynomials in Spartan (CRYPTO 2020). We first provide a stronger security analysis for Spark. Spartan’s security analysis assumed that certain metadata associated with a sparse polynomial is committed by an honest party (this is acceptable for its purpose in Spartan, but not for Lasso). We prove that Spark remains secure even when that metadata is committed by a malicious party. This provides the first «standard» commitment scheme for sparse multilinear polynomials with optimal prover costs. We then generalize Spark to directly support a lookup argument for both structured and unstructured tables, with the efficiency characteristics noted above.