1. Caulk: Lookup
Arguments
in Sublinear Time
Vitalik Buterin
Dmitry Khovratovich
Arantxa Zapico Mary Maller Anca Nitulescu
Mark Simkin
Universitat Pompeu Fabra Ethereum Foundation Protocol Labs

2. MOTIVATION

3. MEMBERSHIP PROOFS
pk1
pk2
pk3
pk4
pk5
pk6
pk7
pk8
pk9
pk10

4. MEMBERSHIP PROOFS
pk3
pk4
pk5
pk6
pk7
pk8
pk9
pk10
pk1
pk2

5. MEMBERSHIP PROOFS
pk3
pk4
pk5
pk6
pk7
pk8
pk9
pk10
pk1
pk2
sk2

6. RANGE PROOFS

7. RANGE PROOFS

8. RANGE PROOFS
N1
N2
N

9. LOOKUP TABLES

10. LOOKUP TABLES

11. LOOKUP TABLES

12. STATE OF THE ART

13. STATE OF THE ART
Discrete-log

14. STATE OF THE ART
Transparent setup
Linear prover and
verifier
Discrete-log

15. STATE OF THE ART
Transparent setup
Linear prover and
verifier
RSA Accumulators
Discrete-log

16. STATE OF THE ART
Transparent setup
Linear prover and
verifier
RSA Accumulators
Discrete-log
Constant prover
Trusted parameters

17. STATE OF THE ART
Transparent setup
Linear prover and
verifier
Merkle Trees
RSA Accumulators
Discrete-log
Constant prover
Trusted parameters

18. STATE OF THE ART
Transparent setup
Linear prover and
verifier
Merkle Trees
RSA Accumulators
Discrete-log
Transparent setup
Need a zkSNARK on top
Constant prover
Trusted parameters

19. STATE OF THE ART
Pairing-based
Transparent setup
Linear prover and
verifier
Merkle Trees
RSA Accumulators
Discrete-log
Transparent setup
Need a zkSNARK on top
Constant prover
Trusted parameters

20. STATE OF THE ART
Pairing-based
Transparent setup
Linear prover and
verifier
Merkle Trees
RSA Accumulators
Discrete-log
Constant proof +
verifier
Linear prover
Transparent setup
Need a zkSNARK on top
Constant prover
Trusted parameters

21. CAULK
Pairing-based

22. CAULK
Pairing-based
Logaritmic prover + constant proof
log(log) verifier

23. DEFINITION

24. DEFINITION

25. DEFINITION
Everything in
is also in
Position-hiding linkability for two VC schemes

26. KZG

27. KZG
(v1
,…,vN
)

28. KZG
(v1
,…,vN
)

29. KZG
(v1
,…,vN
)
H={1,⍵,⍵2
,…,⍵N-1
}, ⍵N
=1

30. KZG
(v1
,…,vN
)
H={1,⍵,⍵2
,…,⍵N-1
}, ⍵N
=1
{λi
(X)} , λi
(⍵i-1
)=1, λi
(⍵j
)=0

31. KZG
C(X)=Σi
vi
λi
(X)
(v1
,…,vN
)
H={1,⍵,⍵2
,…,⍵N-1
}, ⍵N
=1
{λi
(X)} , λi
(⍵i-1
)=1, λi
(⍵j
)=0

32. KZG
C(X)=Σi
vi
λi
(X) C(⍵i-1
)=vi
(v1
,…,vN
)
H={1,⍵,⍵2
,…,⍵N-1
}, ⍵N
=1
{λi
(X)} , λi
(⍵i-1
)=1, λi
(⍵j
)=0

33. ROOTS OF UNITY
H={1,⍵,⍵2
,…,⍵N-1
}, ⍵N
=1

34. ROOTS OF UNITY
1. Sparse Lagrange and vanishing polynomials
H={1,⍵,⍵2
,…,⍵N-1
}, ⍵N
=1

35. ROOTS OF UNITY
1. Sparse Lagrange and vanishing polynomials
zH
(X)=XN
-1 λi
(X)= (⍵i-1
(XN
-1)) ((X-⍵i-1
)N)-1
H={1,⍵,⍵2
,…,⍵N-1
}, ⍵N
=1

36. ROOTS OF UNITY
1.
2.
Sparse Lagrange and vanishing polynomials
Any u such that uN
=1 is an Nth root of unity
zH
(X)=XN
-1 λi
(X)= (⍵i-1
(XN
-1)) ((X-⍵i-1
)N)-1
H={1,⍵,⍵2
,…,⍵N-1
}, ⍵N
=1

37. ROOTS OF UNITY
1.
2.
Sparse Lagrange and vanishing polynomials
Any u such that uN
=1 is an Nth root of unity
zH
(X)=XN
-1 λi
(X)= (⍵i-1
(XN
-1)) ((X-⍵i-1
)N)-1
H={1,⍵,⍵2
,…,⍵N-1
}, ⍵N
=1
If uN
=1 u=⍵something

38. KZG + TABDFK

39. KZG + TABDFK
C(X)=Σi
vi
λi
(X)

40. KZG + TABDFK
C(X)=Σi
vi
λi
(X)
Prover sends [vi
],[(x-⍵i-1
)],[Qi
(x)]
s.t:

41. KZG + TABDFK
C(X)-vi
=(X-⍵i-1
)Qi
(X)
C(X)=Σi
vi
λi
(X)
Prover sends [vi
],[(x-⍵i-1
)],[Qi
(x)]
s.t:

42. KZG + TABDFK
C(X)-vi
=(X-⍵i-1
)Qi
(X)
C(X)=Σi
vi
λi
(X)
Prover sends [vi
],[(x-⍵i-1
)],[Qi
(x)]
s.t:
Verifier checks
e([C(x)],[vi
])=e([(x-⍵i-1
)],[Qi
(x)])

43. KZG + TABDFK
C(X)-vi
=(X-⍵i-1
)Qi
(X)
C(X)=Σi
vi
λi
(X)
Prover sends [vi
],[(x-⍵i-1
)],[Qi
(x)]
s.t:
Verifier checks
e([C(x)],[vi
])=e([(x-⍵i-1
)],[Qi
(x)])

44. KZG + TABDFK
C(X)-vi
=(X-⍵i-1
)Qi
(X)
C(X)=Σi
vi
λi
(X)
Prover sends [vi
],[(x-⍵i-1
)],[Qi
(x)]
s.t:
Prover sends [CI
(x)],[ΠiƐ I
(x-⍵i-1
)],[QI
(x)]
s.t:
Verifier checks
e([C(x)],[vi
])=e([(x-⍵i-1
)],[Qi
(x)])

45. KZG + TABDFK
C(X)-vi
=(X-⍵i-1
)Qi
(X)
C(X)=Σi
vi
λi
(X)
Prover sends [vi
],[(x-⍵i-1
)],[Qi
(x)]
s.t:
Prover sends [CI
(x)],[ΠiƐ I
(x-⍵i-1
)],[QI
(x)]
s.t:
Verifier checks
e([C(x)],[vi
])=e([(x-⍵i-1
)],[Qi
(x)])
CI
(X)=ΣiƐ I
vi
τi
(X)

46. KZG + TABDFK
C(X)-vi
=(X-⍵i-1
)Qi
(X)
C(X)=Σi
vi
λi
(X)
Prover sends [vi
],[(x-⍵i-1
)],[Qi
(x)]
s.t:
Prover sends [CI
(x)],[ΠiƐ I
(x-⍵i-1
)],[QI
(x)]
s.t:
Verifier checks
e([C(x)],[vi
])=e([(x-⍵i-1
)],[Qi
(x)])
CI
(X)=ΣiƐ I
vi
τi
(X)
HI
={⍵i-1
}iƐ I

47. KZG + TABDFK
C(X)-CI
(X)=ΠiƐ I
(X-⍵i-1
) QI
(X)
C(X)-vi
=(X-⍵i-1
)Qi
(X)
C(X)=Σi
vi
λi
(X)
Prover sends [vi
],[(x-⍵i-1
)],[Qi
(x)]
s.t:
Prover sends [CI
(x)],[ΠiƐ I
(x-⍵i-1
)],[QI
(x)]
s.t:
Verifier checks
e([C(x)],[vi
])=e([(x-⍵i-1
)],[Qi
(x)])

48. KZG + TABDFK
C(X)-CI
(X)=ΠiƐ I
(X-⍵i-1
) QI
(X)
C(X)-vi
=(X-⍵i-1
)Qi
(X)
C(X)=Σi
vi
λi
(X)
Prover sends [vi
],[(x-⍵i-1
)],[Qi
(x)]
s.t:
Prover sends [CI
(x)],[ΠiƐ I
(x-⍵i-1
)],[QI
(x)]
s.t:
Verifier checks
e([C(x)],[vi
])=e([(x-⍵i-1
)],[Qi
(x)])
Verifier checks
e([C(x)], [CI
(x)])=e([ΠiƐ I
(x-⍵i-1
)],[QI
(x)])

49. KZG + TABDFK
C(X)-CI
(X)=ΠiƐ I
(X-⍵i-1
) QI
(X)
C(X)-vi
=(X-⍵i-1
)Qi
(X)
Qi
(X) and QI
(X) are linear in N!!!
C(X)=Σi
vi
λi
(X)
Prover sends [vi
],[(x-⍵i-1
)],[Qi
(x)]
s.t:
Prover sends [CI
(x)],[ΠiƐ I
(x-⍵i-1
)],[QI
(x)]
s.t:
Verifier checks
e([C(x)],[vi
])=e([(x-⍵i-1
)],[Qi
(x)])
Verifier checks
e([C(x)], [CI
(x)])=e([ΠiƐ I
(x-⍵i-1
)],[QI
(x)])

50. KZG + TABDFK
Precompute ([Q1
(x)],...,[QN
(x)])

51. KZG + TABDFK
Precompute ([Q1
(x)],...,[QN
(x)])
C(X)-vi
=(X-⍵i-1
)Qi
(X)

52. KZG + TABDFK
Precompute ([Q1
(x)],...,[QN
(x)])
C(X)-vi
=(X-⍵i-1
)Qi
(X)

53. KZG + TABDFK
Precompute ([Q1
(x)],...,[QN
(x)])
C(X)-vi
=(X-⍵i-1
)Qi
(X)
C(X)-CI
(X)=ΠiƐ I
(X-⍵i-1
) QI
(X)

54. KZG + TABDFK
{Qi
(X)}iƐ I
Precompute ([Q1
(x)],...,[QN
(x)])
C(X)-vi
=(X-⍵i-1
)Qi
(X)
C(X)-CI
(X)=ΠiƐ I
(X-⍵i-1
) QI
(X)

55. KZG + TABDFK
{Qi
(X)}iƐ I
Precompute ([Q1
(x)],...,[QN
(x)])
C(X)-vi
=(X-⍵i-1
)Qi
(X)
C(X)-CI
(X)=ΠiƐ I
(X-⍵i-1
) QI
(X)

56. KZG + TABDFK
{Qi
(X)}iƐ I QI
(X)=ΣiƐI
ki
Qi
(X)
Precompute ([Q1
(x)],...,[QN
(x)])
C(X)-vi
=(X-⍵i-1
)Qi
(X)
C(X)-CI
(X)=ΠiƐ I
(X-⍵i-1
) QI
(X)

57. KZG + TABDFK
C(X)-vi
=(X-⍵i-1
)Qi
(X)
C(X)-CI
(X)=ΠiƐ I
(X-⍵i-1
) QI
(X)
{Qi
(X)}iƐ I
Prover depends
on |I|=m
QI
(X)=ΣiƐI
ki
Qi
(X)
Precompute ([Q1
(x)],...,[QN
(x)])

58. KZG + TABDFK
C(X)=Σi
vi
λi
(X) is public
proofI
=([CI
(x)],[ΠiƐ I
(x-⍵i-1
)],[QI
(x)])
proofi
=([vi
],[(x-⍵i-1
)],[Qi
(x)])

59. KZG + TABDFK
C(X)=Σi
vi
λi
(X) is public
proofI
=([CI
(x)],[ΠiƐ I
(x-⍵i-1
)],[QI
(x)])
proofi
=([vi
],[(x-⍵i-1
)],[Qi
(x)])
Blind vi
,CI
(X)

60. C(X)=Σi
vi
λi
(X) is public
CHALLENGES
Blind vi
,CI
(X)
proofI
=([CI
(x)+zI
(x)s(x)],[ΠiƐ I
(x-⍵i-1
)],[QI
(x)])
proofi
=([vi
+hr],[(x-⍵i-1
)],[Qi
(x)])

61. C(X)=Σi
vi
λi
(X) is public
CHALLENGES
Blind vi
,CI
(X)
proofI
=([a],[ΠiƐ I
(x-⍵i-1
)],[QI
(x)])
proofi
=([a],[(x-⍵i-1
)],[Qi
(x)])

62. KZG + TABDFK
C(X)=Σi
vi
λi
(X) is public
proofI
=([CI
(x)],[ΠiƐ I
(x-⍵i-1
)], [QI
(x)])
proofi
=([vi
],[(x-⍵i-1
)],[Qi
(x)])
Blind Qi
(X),QI
(X)

63. C(X)=Σi
vi
λi
(X) is public
CHALLENGES
Blind Qi
(X),QI
(X)
proofI
=([a],[ΠiƐ I
(x-⍵i-1
)],[r1
-1
QI
(x)+r(x)])
proofi
=([a],[(x-⍵i-1
)],[Qi
(x)+sh)])

64. C(X)=Σi
vi
λi
(X) is public
CHALLENGES
Blind vi
,CI
(X)
Blind Qi
(X),QI
(X)
proofI
=([a],[ΠiƐ I
(x-⍵i-1
)],[QI
])
proofi
=([a],[(x-⍵i-1
)],[Qi
])

65. KZG + TABDFK
C(X)=Σi
vi
λi
(X) is public
proofI
=([CI
(x)],[ΠiƐ I
(x-⍵i-1
)],[QI
])
proofi
=([vi
],[(x-⍵i-1
)],[Qi
])
Blind ,(X-⍵i-1
),ΠiƐ I
(X-⍵i-1
)

66. C(X)=Σi
vi
λi
(X) is public
CHALLENGES
Blind ,(X-⍵i-1
),ΠiƐ I
(X-⍵i-1
)
proofI
=([a],[r1
ΠiƐ I
(x-⍵i-1
)],[QI
])
proofi
=([a],[a(x-⍵i-1
)],[Qi
])

67. C(X)=Σi
vi
λi
(X) is public
CHALLENGES
Blind vi
,CI
(X)
Blind Qi
(X),QI
(X)
Blind ,(X-⍵i-1
),ΠiƐ I
(X-⍵i-1
)
proofI
=([a],[zI
],[QI
])
proofi
=([a],[z],[Qi
])

68. C(X)=Σi
vi
λi
(X) is public
CHALLENGES
Blind vi
,CI
(X)
Blind Qi
(X),QI
(X)
Blind ,(X-⍵i-1
),ΠiƐ I
(X-⍵i-1
)
proofI
=([a],[zI
],[QI
])
proofi
=([a],[z],[Qi
])
Well formation

69. C(X)=Σi
vi
λi
(X) is public
CHALLENGES
Blind vi
,CI
(X)
Blind Qi
(X),QI
(X)
Blind ,(X-⍵i-1
),ΠiƐ I
(X-⍵i-1
)
Well formation
proofI
=([a],[zI
],[QI
])
proofi
=([a],[z],[Qi
])

70. [z]=[a(x-⍵i-1
)]
Well formation
m=1

71. [z]=[a(x-⍵i-1
)]
1
2
3
4
Well formation
m=1

72. [z]=[a(x-⍵i-1
)]
1
2
3
4
Well formation
m=1
Prove [z]=[ax+b] (b=a⍵i-1
)

73. [z]=[a(x-⍵i-1
)]
1
2
3
4
Construct f(X) of degree log(N)+6,
f(X)=Σj
fj
µj
(X)
Well formation
m=1
Prove [z]=[ax+b] (b=a⍵i-1
)

74. [z]=[a(x-⍵i-1
)]
1
2
3
4
Construct f(X) of degree log(N)+6,
f(X)=Σj
fj
µj
(X)
Well formation
New set of roots of unity! V
Lagrange polynomials {µj
(X)}
m=1
Prove [z]=[ax+b] (b=a⍵i-1
)

75. [z]=[a(x-⍵i-1
)]
1
2
3
4
Construct f(X) of degree log(N)+6,
f(X)=Σj
fj
µj
(X)
Well formation
Prove f5
=b/a, and for j = 6,...,log(N)+5 fj
=fj-1
fj-1
m=1
Prove [z]=[ax+b] (b=a⍵i-1
)

76. [z]=[a(x-⍵i-1
)]
1
2
3
4
Construct f(X) of degree log(N)+6,
f(X)=Σj
fj
µj
(X)
Well formation
Prove f5
=b/a, and for j = 6,...,log(N)+5 fj
=fj-1
fj-1
Should be ⍵i-1
m=1
Prove [z]=[ax+b] (b=a⍵i-1
)

77. [z]=[a(x-⍵i-1
)]
1
2
3
4
Construct f(X) of degree log(N)+6,
f(X)=Σj
fj
µj
(X)
Well formation
Should be ⍵i-1
f5+j
is the 2j
th power
of ⍵i-1
m=1
Prove [z]=[ax+b] (b=a⍵i-1
)
Prove f5
=b/a, and for j = 6,...,log(N)+5 fj
=fj-1
fj-1

78. [z]=[a(x-⍵i-1
)]
1
2
3
4
Construct f(X) of degree log(N)+6,
f(X)=Σj
fj
µj
(X)
Well formation
Prove flog(N)+5
=1
m=1
Prove [z]=[ax+b] (b=a⍵i-1
)
Prove f5
=b/a, and for j = 6,...,log(N)+5 fj
=fj-1
fj-1

79. [z]=[a(x-⍵i-1
)]
1
2
3
4
Construct f(X) of degree log(N)+6,
f(X)=Σj
fj
µj
(X)
Well formation
Prove flog(N)+5
=1
(b/a)N
=1 !!!
Prove [z]=[ax+b] (b=a⍵i-1
)
m=1
Prove f5
=b/a, and for j = 6,...,log(N)+5 fj
=fj-1
fj-1

80. m>1
proofI
=([CI
(x)],[r1
ΠiƐ I
(x-⍵i-1
)],[QI
])

81. m>1
proofI
=([ΠiƐ I
vi
τi
(x)],[r1
ΠiƐ I
(x-⍵i-1
)],[QI
])

82. m>1
HI
={⍵i-1
}iƐ I
proofI
=([ΠiƐ I
vi
τi
(x)],[r1
ΠiƐ I
(x-⍵i-1
)],[QI
])

83. m>1
HI
={⍵i-1
}iƐ I
“I” unknown to the verifier!
proofI
=([ΠiƐ I
vi
τi
(x)],[r1
ΠiƐ I
(x-⍵i-1
)],[QI
])

84. m>1
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
proofI
=([ΠiƐ I
vi
τi
(x)],[r1
ΠiƐ I
(x-⍵i-1
)],[QI
])

85. m>1
aj
=vi
for some i,for all j
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
proofI
=([ΠiƐ I
vi
τi
(x)],[r1
ΠiƐ I
(x-⍵i-1
)],[QI
])

86. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]

87. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04

88. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

89. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
1. Set u=(⍵i-1
)iƐ I
but with repetitions
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

90. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
1. Set u(X)=Σ⍵i-1
µj,i
(x)=Σuj
µj
(x)
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

91. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
1. Set u(X)=Σ⍵i-1
µj,i
(x)=Σuj
µj
(x)
The roots used in zI
with
repetitions
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

92. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
1. Set u(X)=Σ⍵i-1
µj,i
(x)=Σuj
µj
(x)
2. Compute us
=us-1
us-1
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

93. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
1. Set u(X)=Σ⍵i-1
µj,i
(x)=Σuj
µj
(x)
2. Compute us
(X)=us-1
(X)us-1
(X) mod zV
(X)
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

94. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
1. Set u(X)=Σ⍵i-1
µj,i
(x)=Σuj
µj
(x)
2. Compute us
(X)=us-1
(X)us-1
(X) mod zV
(X)
The coeficients in us
(X) are the 2s
power of the uj
s
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

95. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
1. Set u(X)=Σ⍵i-1
µj,i
(x)=Σuj
µj
(x)
2. Compute us
(X)=us-1
(X)us-1
(X) mod zV
(X)
The coeficients in us
(X) are the 2s
power of the uj
s
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

96. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
1. Set u(X)=Σ⍵i-1
µj,i
(x)=Σuj
µj
(x)
2. Compute us
(X)=us-1
(X)us-1
(X) mod zV
(X)
3. Prove ulog(N)
=(1,1,…,1)
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

97. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
1. Set u(X)=Σ⍵i-1
µj,i
(x)=Σuj
µj
(x)
2. Compute us
(X)=us-1
(X)us-1
(X) mod zV
(X)
3. Prove ulog(N)
(X)=Σ1µj
(x)
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

98. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
1. Set u(X)=Σ⍵i-1
µj,i
(x)=Σuj
µj
(x)
2. Compute us
(X)=us-1
(X)us-1
(X) mod zV
(X)
3. Prove ulog(N)
(X)=Σ1µj
(x)
All the 2log(N)
th powers of the uj
s are 1!
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

99. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]
1. Set u(X)=Σ⍵i-1
µj,i
(x)=Σuj
µj
(x)
2. Compute us
(X)=us-1
(X)us-1
(X) mod zV
(X)
3. Prove ulog(N)
(X)=Σ1µj
(x)
All the Nth powers of the uj
s are 1!

100. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
[u(x)] with Nth roots of unity as coefficients in {µj
(X)}
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

101. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
e([zI
(u(x))],[1])= e([zV
],[Q2
])
[u(x)] with Nth roots of unity as coefficients in {µj
(X)}
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

102. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
e([zI
(⍵something
)],[1])= e([0],[Q2
])
[u(x)] with Nth roots of unity as coefficients in {µj
(X)}
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

103. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
e([zI
(⍵something
)],[1])= e([0],[Q2
])
[zI
] is well formed
[u(x)] with Nth roots of unity as coefficients in {µj
(X)}
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

104. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
e([C(x)]-[CI
])= e([QI
],[zI
])
e([zI
(u(x))],[1])= e([zV
],[Q2
])
[u(x)] with Nth roots of unity as coefficients in {µj
(X)}
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

105. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
e([C(⍵something
)]-[CIsomething
])= e([QI
],[0])
e([zI
(u(x))],[1])= e([zV
],[Q2
])
[u(x)] with Nth roots of unity as coefficients in {µj
(X)}
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

106. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
e([vsomething
]-[CIsomething
])= e([QI
],[0])
e([zI
(u(x))],[1])= e([zV
],[Q2
])
[CI
] contains a subvector of v
[u(x)] with Nth roots of unity as coefficients in {µj
(X)}
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

107. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
e([C(x)]-[CI
])= e([QI
],[zI
])
e([zI
(u(x))],[1])= e([zV
],[Q2
])
e([CI
(u(x))]- [ϕ(x)],[1])= e([zV
],[Q3
])
[u(x)] with Nth roots of unity as coefficients in {µj
(X)}
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

108. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04
e([C(x)]-[CI
])= e([QI
],[zI
])
e([zI
(u(x))],[1])= e([zV
],[Q2
])
e([CI
(⍵something
)]- [aj
],[1])= e([0],[Q3
])
[u(x)] with Nth roots of unity as coefficients in {µj
(X)}
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

109. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04 e([vsomething
)]- [aj
],[1])= [0]
[u(x)] with Nth roots of unity as coefficients in {µj
(X)}
e([C(x)]-[CI
])= e([QI
],[zI
])
e([zI
(u(x))],[1])= e([zV
],[Q2
])
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

110. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04 e([vsomething
)]- [aj
],[1])= [0]
Everyting in a is also in v
[u(x)] with Nth roots of unity as coefficients in {µj
(X)}
e([C(x)]-[CI
])= e([QI
],[zI
])
e([zI
(u(x))],[1])= e([zV
],[Q2
])
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

111. m>1
proofI
=([CI
],[zI
],[QI
])
[C(x)=Σi
vi
λi
(x) ],[ϕ(x)=Σj
aj
µj
(x)]
01
02
03
04 e([vsomething
)]- [aj
],[1])= [0]
Position-hiding linkability!!!
[u(x)] with Nth roots of unity as coefficients in {µj
(X)}
e([C(x)]-[CI
])= e([QI
],[zI
])
e([zI
(u(x))],[1])= e([zV
],[Q2
])
[zI
]=[r1
ΠiƐ I
(x-⍵i-1
)]

112. IMPLEMENTATION

113. IMPLEMENTATION

114. CREDITS: This presentation template was
created by Slidesgo,including icons by
Flaticon,infographics & images by Freepik
THANKS!
https://eprint.iacr.org/2022/621