Caulk: Lookup Arguments in Sublinear Time

ABSTRACTWe present position-hiding linkability for vector commitment schemes: one can prove in zero knowledge that one or m values that comprise commitment \cm all belong to the vector of size N committed to in \com. Our construction \textsfCaulk can be used for membership proofs and lookup arguments and outperforms all existing alternatives in prover time by orders of magnitude. For both single- and multi-membership proofs the \textsfCaulk protocol beats SNARKed Merkle proofs by the factor of 100 even if the latter is instantiated with Poseidon hash. Asymptotically our prover needs O(m^2 + młog N) time to prove a batch of m openings, whereas proof size is O(1) and verifier time is O(łog(łog N)). As a lookup argument, \textsfCaulk is the first scheme with prover time sublinear in the table size, assuming O(Nłog N) preprocessing time and O(N) storage. It can be used as a subprimitive in verifiable computation schemes in order to drastically decrease the lookup overhead. Our scheme comes with a reference implementation and benchmarks.