Cross-Table Lookups

The various STARK tables carry out independent operations, but on shared values. We need to check that the shared values are identical in all the STARKs that require them. This is where cross-table lookups (CTLs) come in handy.

Suppose STARK $S_{1}$ requires an operation -- say $Op$ -- that is carried out by another STARK $S_{2}$ . Then $S_{1}$ writes the input and output of $Op$ in its own table, and provides the inputs to $S_{2}$ . $S_{2}$ also writes the inputs and outputs in its rows, and the table's constraints check that $Op$ is carried out correctly. We then need to ensure that the inputs and outputs are the same in $S_{1}$ and $S_{2}$ .

In other words, we need to ensure that the rows -- reduced to the input and output columns -- of $S_{1}$ calling $Op$ are permutations of the rows of $S_{2}$ that carry out $Op$ . Our CTL protocol is based on logUp and is similar to our range-checks.

To prove this, the first step is to only select the rows of interest in $S_{1}$ and $S_{2}$ , and filter out the rest. Let $f^{1}$ be the filter for $S_{1}$ and $f^{2}$ the filter for $S_{2}$ . $f^{1}$ and $f^{2}$ are constrained to be in ${0, 1}$ . $f^{1} = 1$ (resp. $f^{2} = 1$ ) whenever the row at hand carries out $Op$ in $S_{1}$ (resp. in $S_{2}$ ), and 0 otherwise. Let also $(α, β)$ be two random challenges.

The idea is to create subtables $S_{1}^{'}$ and $S_{2}^{'}$ of $S_{1}$ and $S_{2}$ respectively, such that $f^{1} = 1$ and $f^{2} = 1$ for all their rows. The columns in the subtables are limited to the ones whose values must be identical (the inputs and outputs of $Op$ in our example).

Note that for design and constraint reasons, filters are limited to (at most) degree 2 combinations of columns.

Let ${c^{1, i}}_{i = 1}^{m}$ be the columns in $S_{1}^{'}$ an ${c^{2, i}}_{i = 1}^{m}$ be the columns in $S_{2}^{'}$ .

The prover defines a "running sum" $Z$ for $S_{1}^{'}$ such that: $Z_{n - 1}^{S_{1}} = \frac{1}{\sum _{j = 0}^{m - 1} α ^{j} \cdot c _{n - 1}^{1, j} + β} Z_{i + 1}^{S_{1}} = Z_{i}^{S_{1}} + f_{i}^{1} \cdot \frac{1}{\sum _{j = 0}^{m - 1} α ^{j} \cdot c _{i}^{1, j} + β}$

The second equation "selects" the terms of interest thanks to $f^{1}$ and filters out the rest.

Similarly, the prover constructs a running sum $Z^{S_{2}}$ for $S_{2}$ . Note that $Z$ is computed "upside down": we start with $Z_{n - 1}$ and the final sum is in $Z_{0}$ .

On top of the constraints to check that the running sums were correctly constructed, the verifier checks that $Z_{0}^{S_{1}} = Z_{0}^{S_{2}}$ . This ensures that the columns in $S_{1}^{'}$ and the columns in $S_{2}^{'}$ are permutations of each other.

In other words, the CTL argument is a logUp lookup argument where $S_{1}^{'}$ is the looking table, $S_{2}^{'}$ is the looked table, and $S_{1}^{'} = S_{2}^{'}$ (all the multiplicities are 1). For more details about logUp, see the next section.

To sum up, for each STARK $S$ , the prover:

constructs a running sum $Z_{i}^{l}$ for each table looking into $S$ (called looking sums here),
constructs a running sum $Z^{S}$ for $S$ (called looked sum here),
sends the final value for each running sum $Z_{i, 0}^{l}$ and $Z_{0}^{S}$ to the verifier,
sends a commitment to $Z_{i}^{l}$ and $Z^{S}$ to the verifier.

Then, for each STARK $S$ , the verifier:

computes the sum $Z = \sum_{i} Z_{i, 0}^{l}$ ,
checks that $Z = Z_{0}^{S}$ ,
checks that each $Z_{i}^{l}$ and $Z^{S}$ was correctly constructed.