bulletproofs

[ cryptography, library, program ] [ Propose Tags ]

Please see the README on GitHub at https://github.com/adjoint-io/bulletproofs#readme

[Skip to Readme]

Modules

[Index] [Quick Jump]

Bulletproofs

Downloads

bulletproofs-0.2.0.tar.gz [browse] (Cabal source package)
Package description (revised from the package)

Note: This package has metadata revisions in the cabal description newer than included in the tarball. To unpack the package including the revisions, use 'cabal get'.

Maintainer's Corner

Package maintainers

sdiehl

For package maintainers and hackage trustees

edit package information

Candidates

No Candidates

Versions [RSS]	0.1.0, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 1.0.0, 1.0.1, 1.1.0
Change log	ChangeLog.md
Dependencies	arithmoi (<0.10), base (>=4.8 && <4.12), containers, cryptonite, memory, protolude (>=0.2 && <0.3), text [details]
License	LicenseRef-Apache
Author
Maintainer	Adjoint Inc (info@adjoint.io)
Revised	Revision 2 made by Bodigrim at 2021-08-30T17:35:46Z
Category	Cryptography
Home page	https://github.com/adjoint-io/bulletproofs#readme
Bug tracker	https://github.com/adjoint-io/bulletproofs/issues
Source repo	head: git clone https://github.com/adjoint-io/bulletproofs
Uploaded	by sdiehl at 2018-08-21T16:22:28Z
Distributions
Reverse Dependencies	2 direct, 0 indirect [details]
Downloads	4329 total (26 in the last 30 days)
Rating	(no votes yet) [estimated by Bayesian average]
Your Rating	λ λ λ
Status	Docs available [build log] Last success reported on 2018-08-21 [all 1 reports]

Readme for bulletproofs-0.2.0

[back to package description]

Bulletproofs are short zero-knowledge arguments of knowledge that do not require a trusted setup. Argument systems are proof systems with computational soundness.

Bulletproofs are suitable for proving statements on committed values, such as range proofs, verifiable suffles, arithmetic circuits, etc. They rely on the discrete logarithmic assumption and are made non-interactive using the Fiat-Shamir heuristic.

The core algorithm of Bulletproofs is the inner-product algorithm presented by Groth [2]. The algorithm provides an argument of knowledge of two binding vector Pedersen commitments that satisfy a given inner product relation. Bulletproofs build on the techniques of Bootle et al. [3] to introduce a communication efficient inner-product proof that reduces overall communication complexity of the argument to only 2log₂(n) where n is the dimension of the two vectors of commitments.

Range proofs

Bulletproofs present a protocol for conducting short and aggregatable range proofs. They encode a proof of the range of a committed number in an inner product, using polynomials. Range proofs are proofs that a secret value lies in a certain interval. Range proofs do not leak any information about the secret value, other than the fact that they lie in the interval.

The proof algorithm can be sketched out in 5 steps:

Let v be a value in [0, n) and a_L a vector of bit such that <a_L, 2ⁿ> = v. The components of a_L are the binary digits of v. We construct a complementary vector a_R = a_L − 1ⁿ and require that a_L ◦ a_R = 0 holds.

P -> V : A, S - where A and S are blinded Pedersen commitments to a_L and a_R.

$\ $ A = h \cdot \alpha + \textbf{g} \cdot \textbf{a}_L + \textbf{h} \cdot \textbf{a}_R \in \mathbb{G} $$

$\ $ S = h \cdot \rho + \textbf{g} \cdot \textbf{s}_L + \textbf{h} \cdot \textbf{s}_R \in \mathbb{G} $$

V -> P : y, z - Verifier sends challenges y and z to fix A and S.
P -> V : T₁, T₂ - where T₁ and T₂ are commitments to the coefficients t₁, of a polynomial t constructed from the existing values in the protocol.

$\ $ \textbf{l} = l(x) = \textbf{a}_L - z \cdot \textbf{1}^n + \textbf{s}_L \cdot x \in \mathbb{Z}^n_p$$

$\ $ \textbf{r} = r(x) = \textbf{y}^n \circ (\textbf{a}_R + z \cdot \textbf{1}^n + \textbf{s}_R \cdot x ) + z^2 \cdot \textbf{2}^n \in \mathbb{Z}^n_p $$

$\ $ t = \langle \textbf{l}, \textbf{r} \rangle \in \mathbb{Z}_p$$

$\ $T_i = g \cdot t_i + h \cdot \tau_i \in \mathbb{G}, \hspace{3em} i = {1, 2} $$

V -> P : x - Verifier challenges Prover with value x.
P -> V : tau, mu, t, l, r - Prover sends several commitments that the verifier will then check.

$\ $ \tau_x = \tau_2 \cdot x^2 + \tau_1 \cdot x + z^2 \cdot \gamma \in \mathbb{Z}_p $$

$\ $ \mu = \alpha + \rho \cdot x \in \mathbb{Z}_p $$

See Prover.hs for implementation details.

The interaction described is made non-interactive using the Fiat-Shamir Transform wherein all the random challenges made by V are replaced with a hash of the transcript up until that point.

Inner-product range proof

The size of the proof is further reduced by leveraging the compact O(log_n) inner product proof.

The inner-product argument in the protocol allows to prove knowledge of vectors l and r, whose inner product is t and the commitment P ∈ G is a commitment of these two vectors. We can therefore replace sending (tau, mu, t, l, r) with a transfer of (tau, mu, t) and an execution of an inner product argument.

Then, instead of sharing l and r, which has a communication cost of 2n elements, the inner-product argument transmits only 2 [log₂] + 2 elements. In total, the prover sends only 2 [log₂(n)] + 4 group elements and 5 elements in Z_p

Usage

import Bulletproofs.RangeProof

testProtocol :: Integer -> Integer -> IO Bool
testProtocol v vBlinding = do
  let vCommit = commit v vBlinding
      -- n needs to be a power of 2
      n = 2 ^ 8
      upperBound = 2 ^ n

  -- Prover
  proofE <- generateProof upperBound v vBlinding
  -- Verifier
  case proofE of
    Left err -> panic $ show err
    Right (proof@RangeProof{..})
      -> pure $ verifyProof upperBound vCommit proof

The dimension n needs to be a power of 2. This implementation offers support for the SECp256k1 curve, a Koblitz curve. Further information about this curve can be found in the Uplink docs: SECp256k1 curve

References:

Bunz B., Bootle J., Boneh D., Poelstra A., Wuille P., Maxwell G. "Bulletproofs: Short Proofs for Confidential Transactions and More". Stanford, UCL, Blockstream, 2017
Groth J. "Linear Algebra with Sub-linear Zero-Knowledge Arguments". University College London, 2009
Bootle J., Cerully A., Chaidos P., Groth J, Petit C. "Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting". University College London and University of Oxford, 2016.

Notation:

◦ : Hadamard product
<> :Inner product
a: Vector

License

Copyright 2018 Adjoint Inc

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.