úÎ!Ï&Â6à      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~€‚ƒ„…†‡ˆ ‰ Š ‹ Œ  Ž   ‘ ’ “ ” • – — ˜ ™ š › œ  ž Ÿ   ¡ ¢ £ € ¥ Š § š © ª « ¬ ­ ® ¯ ° ± ² ³ Ž µ ¶ · ž ¹ º » Œ œ Ÿ ¿ À Á Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Ü Ý Þ ßNoneN bulletproofsOrder of the curve bulletproofsGenerator of the curve bulletproofsH = aG where a is not known bulletproofsGenerate vector of generators in a deterministic way from the curve generator g by applying H(encode(g) || i) where H is a secure hash function bulletproofsGenerate vector of generators in a deterministic way from the curve generator h by applying H(encode(h) || i) where H is a secure hash function bulletproofs}A random oracle. In the Fiat-Shamir heuristic, its input is specifically the transcript of the interaction up to that point.à bulletproofsCCharacteristic of the underlying finite field of the elliptic curveá bulletproofs’Iterative algorithm to generate H. The important thing about the H value is that nobody gets to know its discrete logarithm "k" such that H = kGNone7M× bulletproofs Prime field with characteristic _q  bulletproofsUse new instead of this constructor  bulletproofsTurn an integer into an Fq( number, should be used instead of the Fq constructor. bulletproofsMultiplicative inverse bulletproofsAdditive identity bulletproofsMultiplicative identity bulletproofs=Euclidean algorithm to compute inverse in an integral domain a  None79.Ë & bulletproofsIndependent generator Gs " G^n' bulletproofsIndependent generator Hs " G^n( bulletproofsiInternally fixed group element H " G for which there is no known discrete-log relation among Gs, Hs, bG+ bulletproofseVector of values l that the prover uses to compute lCommits in the recursive inner product algorithm, bulletproofseVector of values r that the prover uses to compute rCommits in the recursive inner product algorithm/ bulletproofs}Vector of commitments of the elements in the original vector l whose size is the logarithm of base 2 of the size of vector l0 bulletproofs}Vector of commitments of the elements in the original vector r whose size is the logarithm of base 2 of the size of vector r1 bulletproofskRemaining element of vector l at the end of the recursive algorithm that generates the inner-product proof2 bulletproofskRemaining element of vector r at the end of the recursive algorithm that generates the inner-product proof$%&'()*+,-.21/0-.21/0)*+,$%&'(None; ? bulletproofs2Return a vector containing the first n powers of a@ bulletproofs<Hadamard product or entry wise multiplication of two vectorsD bulletproofs Add two points of the same curveE bulletproofs&Substract two points of the same curveF bulletproofs2Multiply a scalar and a point in an elliptic curveG bulletproofsLCreate a Pedersen commitment to a value given a value and a blinding factorL bulletproofsUAppend minimal amount of zeroes until the list has a length which is a power of two.M bulletproofs5Given n, append zeroes until the list has length 2^n.N bulletproofs.Calculate ceiling of log base 2 of an integer.M bulletproofsn bulletproofs$list which should have length <= 2^n bulletproofslist which will have length 2^n;<=>?@ABCDEFGHIJKLMNOPQRSTU=>;<?@ABCDEFGHIJKLMNOPQRSTUNone`Ue bulletproofs)The upper bound of the range is too largef bulletproofs&Value is not within the range requiredg bulletproofs(Values are not within the range requiredh bulletproofs*Dimension n is required to be a power of 2k bulletproofs‡Blinding factor of the T1 and T2 commitments, combined into the form required to make the committed version of the x-polynomial add upl bulletproofsDBlinding factor required for the Verifier to verify commitments A, Sm bulletproofsaDot product of vectors l and r that prove knowledge of the value in range t = t(x) = l(x) · r(x)n bulletproofs…Commitment to aL and aR, where aL and aR are vectors of bits such that aL · 2^n = v and aR = aL " 1^n . A = ± · H + aL · G + aR · Ho bulletproofsACommitment to new vectors sL, sR, created at random by the Proverp bulletproofs%Pedersen commitment to coefficient t1q bulletproofs%Pedersen commitment to coefficient t2r bulletproofswInner product argument to prove that a commitment P has vectors l, r " Z^n for which P = l · G + r · H + ( l, r ) · Us bulletproofsTEncode the value v into a bit representation. Let aL be a vector of bits such that  aL,2^nJ = v (put more simply, the components of a L are the binary digits of v).t bulletproofsBits of v reversed. v =  a,2^n$ = a_0 * 2^0 + ... + a_n-1 * 2^(n-1)v bulletproofs£In order to prove that v is in range, each element of aL is either 0 or 1. We construct a complementary  vector aR = aL " 1^n and require that aL %æ aR = 0 hold.w bulletproofs_Add non-relevant zeros to a vector to match the size of the other vectors used in the protocolx bulletproofs7Obfuscate encoded bits with challenges y and z. z^2 *  aL,2^n + z *  aL" 1^n " aR, y^n +  aL,aR · y^n) = (z^2) * v The property holds because  aL" 1^n " aR, y^n = 0 and  aL · aR, y^n = 0z bulletproofsôWe need to blind the vectors aL, aR to make the proof zero knowledge. The Prover creates randomly vectors sL and sR. On creating these, the Prover can send commitments to these vectors; these are properly blinded vector Pedersen commitments:{ bulletproofs (z " z^2) *  1^n,y^n " z^3 * 1^n,2^n| bulletproofs)Check that a value is in a specific range} bulletproofs)Check that a value is in a specific range~ bulletproofsdCompute commitment of linear vector polynomials l and r P = A + xS " zG + (z*y^n + z^2 * 2^n) * hs'&YZ][\^_b`cadhgfeijrlkqponmstuvwxyz{|}~&ijrlkqponmdhgfe^_b`caYZ][\stuvwxyz{|}~None"#$X`f6ƒ bulletproofsTOptimized non-interactive verifier using multi-exponentiation and batch verificationƒ bulletproofsRange upper bound bulletproofsGenerators Gs, Hs, h bulletproofs Commitment P bulletproofs>Proof that a secret committed value lies in a certain intervalƒƒNone$`kå„ bulletproofsdGenerate proof that a witness l, r satisfies the inner product relation on public input (Gs, Hs, h)„ bulletproofsGenerators Gs, Hs, h bulletproofscCommitment P = A + xS " zG + (z*y^n + z^2 * 2^n) * hs' of vectors l and r whose inner product is t bulletproofs=Vectors l and r that hide bit vectors aL and aR, respectively„„Nonel+$%&'()*+,-.21/0ƒ„„ƒ-.21/0$%&'()*+,None"#$`{î… bulletproofsCVerify that a commitment was computed from a value in a given range† bulletproofsªVerify the constant term of the polynomial t t = t(x) = t0 + t1*x + t2*x^2 This is what binds the proof to the actual original Pedersen commitment V to the actual value‡ bulletproofsEVerify the inner product argument for the vectors l and r that form t… bulletproofsRange upper bound bulletproofsCommitments of in-range values bulletproofs>Proof that a secret committed value lies in a certain interval† bulletproofsDimension n of the vectors bulletproofsCommitments of in-range values bulletproofs>Proof that a secret committed value lies in a certain interval bulletproofs Challenge x bulletproofs Challenge y bulletproofs Challenge z‡ bulletproofsDimension n of the vectors bulletproofs>Proof that a secret committed value lies in a certain interval bulletproofs Challenge x bulletproofs Challenge y bulletproofs Challenge z…†‡…†‡ None"#$`‹9ˆ bulletproofsCVerify that a commitment was computed from a value in a given range‰ bulletproofsªVerify the constant term of the polynomial t t = t(x) = t0 + t1*x + t2*x^2 This is what binds the proof to the actual original Pedersen commitment V to the actual valueŠ bulletproofsEVerify the inner product argument for the vectors l and r that form tˆ bulletproofsRange upper bound bulletproofsCommitments of in-range values bulletproofs>Proof that a secret committed value lies in a certain interval‰ bulletproofsDimension n of the vectors bulletproofsCommitment of in-range value bulletproofs>Proof that a secret committed value lies in a certain interval bulletproofs Challenge x bulletproofs Challenge y bulletproofs Challenge zŠ bulletproofsDimension n of the vectors bulletproofs>Proof that a secret committed value lies in a certain interval bulletproofs Challenge x bulletproofs Challenge y bulletproofs Challenge zˆ‰Šˆ‰Š None"#X`™Ñ‹ bulletproofs4Prove that a list of values lies in a specific rangeŒ bulletproofs&Generate range proof from valid inputsâ bulletproofsÿ–Compute l and r polynomials to prove knowledge of aL, aR without revealing them. We achieve it by transferring the vectors l, r. The two terms of the dot product above are set as the constant term, while sL, sR are the coefficient of x^1 , in the following two linear polynomials, which are combined into a quadratic in x: l(x) = (a L " z1 n ) + s L x r(x) = y^n %æ (aR + z * 1^n + sR * x) + z^2 * 2^nã bulletproofsSCompute polynomial t from polynomial r t(x) = l(x) · r(x) = t0 + t1 * x + t2 * x^2‹ bulletproofs)Upper bound of the range we want to prove bulletproofs;Values we want to prove in range and their blinding factorsŒ bulletproofs)Upper bound of the range we want to prove bulletproofs;Values we want to prove in range and their blinding factors‹Œ‹Œ NoneŸù bulletproofs+Prove that a value lies in a specific rangeŽ bulletproofs&Generate range proof from valid inputs bulletproofs)Upper bound of the range we want to prove bulletproofs;Values we want to prove in range and their blinding factorsŽ bulletproofs)Upper bound of the range we want to prove bulletproofs;Values we want to prove in range and their blinding factorsŽŽNone GdefghijmnopqklrˆŽijmnopqklrdefghŽˆNone¡defghijmnopqklr…‹Œijmnopqklrdefgh‹Œ… None"#%79Xº‘ bulletproofs;aL " F^n. Vector of left inputs of each multiplication gate’ bulletproofs<aR " F^n. Vector of right inputs of each multiplication gate“ bulletproofs7aO " F^n. Vector of outputs of each multiplication gate– bulletproofs6Vectors of left and right inputs and vector of outputs— bulletproofs%Vector of commited input values " F^m˜ bulletproofs1Vector of blinding factors for input values " F^m› bulletproofsWL " F^(Q x n)œ bulletproofsWR " F^(Q x n) bulletproofsWO " F^(Q x n)  bulletproofsFWeights for vectors of left and right inputs and for vector of outputs¡ bulletproofs%Weigths for a commitments V of rank m¢ bulletproofsVector of constants of size Q¥ bulletproofs‡Blinding factor of the T1 and T2 commitments, combined into the form required to make the committed version of the x-polynomial add upŠ bulletproofsDBlinding factor required for the Verifier to verify commitments A, S§ bulletproofsaDot product of vectors l and r that prove knowledge of the value in range t = t(x) = l(x) · r(x)š bulletproofsCommitment to vectors aL and aR© bulletproofsCommitment to vectors aOª bulletproofsACommitment to new vectors sL, sR, created at random by the Prover« bulletproofs!Commitments to t1, t3, t4, t5, t6® bulletproofsThe number of gates is too high¯ bulletproofs'The number of gates is not a power of 2° bulletproofsdPad circuit weights to make n be a power of 2, which is required to compute the inner product proof± bulletproofstPad assignment vectors to make their length n be a power of 2, which is required to compute the inner product proof9“’‘”•˜—–™šœ›žŸ¡ ¢£€«©š¬Š¥ª§­®¯°±²³Žµ¶·ž¹º»ŒœŸ¿ÀÁÂÃÄÅÆÇ9­®¯£€«©š¬Š¥ª§žŸ¡ ¢™šœ›”•˜—–“’‘°±²³Žµ¶·ž¹º»ŒœŸ¿ÀÁÂÃÄÅÆÇ None"#%ŸeÞ bulletproofs`Verify that a zero-knowledge proof holds for an arithmetic circuit given committed input valuesÞÞNone"#%XÀ…ß bulletproofs^Generate a zero-knowledge proof of computation for an arithmetic circuit with a valid witnessßßNoneÀË ‘’“”•–—˜™š›œžŸ¢ ¡£€§ª¥Š¬š©«Þß ßÞ£€§ª¥Š¬š©«žŸ¢ ¡”•–—˜™š›œ‘’“SafeÂäåæçèéêëì !"#$%&'()*+,-./01234567789:;;<=>>?@ABCDEFGHIJKLM+NOPQRSTUVWXYZ[\]^_`abcdefghhijkllmnopqrstuvvwxyz{|}~€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’  ‘ ’  “  “ ” ” • – — ˜ ˜ ™ š › œ œ  ž Ÿ     ¡ ¢ £ € € w x y ¥ Š { § ~ š © u ª « ‡ ¬ ­ ® a ¯ ° ± ² ³ Ž µ ¶ · ž ¹ º » Œ œ Ÿ ¿ À Á Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ö× Ø ÙÚÛÜÝÞßàáâ)bulletproofs-0.2.1-Hu8Vmu6rNVl2CFONAuJmMZBulletproofs.CurveBulletproofs.Fq'Bulletproofs.InnerProductProof.InternalBulletproofs.Utils Bulletproofs.RangeProof.Internal'Bulletproofs.InnerProductProof.Verifier%Bulletproofs.InnerProductProof.Prover%Bulletproofs.MultiRangeProof.Verifier Bulletproofs.RangeProof.Verifier#Bulletproofs.MultiRangeProof.ProverBulletproofs.RangeProof.Prover'Bulletproofs.ArithmeticCircuit.Internal'Bulletproofs.ArithmeticCircuit.Verifier%Bulletproofs.ArithmeticCircuit.ProverBulletproofs.InnerProductProofBulletproofs.RangeProofBulletproofs.MultiRangeProofBulletproofs.ArithmeticCircuitPaths_bulletproofscurveqghgshsoracle pointToBSFqnewnormfqAddfqMulfqNegfqDivfqInvfqZerofqOnefqSquarefqCubefqPowerfqPower'inv asInteger euclideaninv'random$fFractionalFq$fNumFq$fShowFq$fEqFq$fBitsFq$fOrdFq $fGenericFq $fNFDataFqInnerProductBasebGsbHsbHInnerProductWitnesslsrsInnerProductProoflCommitsrCommitslr$fShowInnerProductProof$fEqInnerProductProof$fGenericInnerProductProof$fNFDataInnerProductProof$fShowInnerProductWitness$fEqInnerProductWitness$fShowInnerProductBase$fEqInnerProductBaseFieldfSquare AsInteger powerVector hadamardpdot^+^^-^addPsubPmulPcommit isLogBase2logBase2 logBase2MslicepadToNearestPowerOfTwopadToNearestPowerOfTwoOflog2CeilrandomNchooseBlindingVectorsshamirYshamirZshamirXshamirX'shamirU$fAsIntegerInteger $fAsIntegerFq $fFieldFqTPolyt0t1t2LRPolysl0l1r0r1RangeProofErrorUpperBoundTooLargeValueNotInRangeValuesNotInRange NNotPowerOf2 RangeProof tBlindingmutaCommitsCommitt1Committ2Commit productProof encodeBitreversedEncodeBitreversedEncodeBitMulticomplementaryVector fillWithZerosobfuscateEncodedBitsobfuscateEncodedBitsSinglecommitBitVectorsdelta checkRange checkRangescomputeLRCommitment$fShowRangeProof$fEqRangeProof$fShowRangeProofError$fEqRangeProofError verifyProof generateProof verifyTPolyverifyLRCommitmentgenerateProofUnsafe AssignmentaLaRaO ArithWitness assignment commitmentscommitBlinders GateWeightswLwRwO ArithCircuitweightscommitmentWeightscsArithCircuitProofaiCommitaoCommittCommitsArithCircuitProofError TooManyGates padCircuit padAssignmentcommitBitVector shamirGxGxGshamirGsevaluatePolynomial multiplyPolyvectorMatrixProductvectorMatrixProductTmatrixVectorProduct powerMatrix matrixProductinsertAt genIdenMatrix genZeroMatrix generateWvgenerateGateWeightsgenerateRandomAssignmentcomputeInputValuesgaussianReducesubstituteMatrixsolveLinearSystem$fShowArithCircuitProofError$fEqArithCircuitProofError$fShowArithCircuitProof$fEqArithCircuitProof$fGenericArithCircuitProof$fNFDataArithCircuitProof$fShowGateWeights$fEqGateWeights$fGenericGateWeights$fNFDataGateWeights$fShowArithCircuit$fEqArithCircuit$fGenericArithCircuit$fNFDataArithCircuit$fShowAssignment$fEqAssignment$fGenericAssignment$fNFDataAssignment$fShowArithWitness$fEqArithWitness$fGenericArithWitness$fNFDataArithWitnessp generateHcomputeLRPolys computeTPolyversion getBinDir getLibDir getDynLibDir getDataDir getLibexecDir getSysconfDirgetDataFileName