úÎ!ÓhÇŹĘ      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmno p q r s t u v w x y z { | } ~  €  ‚ ƒ „ … † ‡ ˆ ‰ Š ‹ Œ  Ž   ‘ ’ “ ” • – — ˜ ™ š › œ  ž Ÿ   Ą ˘ Ł ¤ Ľ Ś § ¨ Š Ş Ť Ź ­ Ž Ż ° ą ˛ ł ´ ľ ś ˇ ¸ š ş ť ź ˝ ž ż Ŕ Á Â Ă Ä Ĺ Ć Ç Č ÉNone"#.7=>?EHMSX_k° bulletproofsOrder of the curve bulletproofsGenerator of the curve bulletproofsH = aG where a is not known bulletproofsGenerate vector of generators in a deterministic way from the curve generator g by applying H(encode(g) || i) where H is a secure hash function bulletproofsGenerate vector of generators in a deterministic way from the curve generator h by applying H(encode(h) || i) where H is a secure hash function bulletproofs}A random oracle. In the Fiat-Shamir heuristic, its input is specifically the transcript of the interaction up to that point.Ę bulletproofsCCharacteristic of the underlying finite field of the elliptic curveË bulletproofs’Iterative algorithm to generate H. The important thing about the H value is that nobody gets to know its discrete logarithm "k" such that H = kG   None"#.7=>?EHMSVX_kŮ  bulletproofs<Type family to extract the characteristic of the prime field  bulletproofs Prime field Fq with characteristic _q  None"#.79=>?EHMSX_k*ľ  bulletproofsIndependent generator Gs " G^n bulletproofsIndependent generator Hs " G^n bulletproofsiInternally fixed group element H " G for which there is no known discrete-log relation among Gs, Hs, bG bulletproofseVector of values l that the prover uses to compute lCommits in the recursive inner product algorithm bulletproofseVector of values r that the prover uses to compute rCommits in the recursive inner product algorithm bulletproofs}Vector of commitments of the elements in the original vector l whose size is the logarithm of base 2 of the size of vector l bulletproofs}Vector of commitments of the elements in the original vector r whose size is the logarithm of base 2 of the size of vector r bulletproofskRemaining element of vector l at the end of the recursive algorithm that generates the inner-product proof bulletproofskRemaining element of vector r at the end of the recursive algorithm that generates the inner-product proof  None"#.7=>?EHMSX_k9° # bulletproofs2Return a vector containing the first n powers of a$ bulletproofs<Hadamard product or entry wise multiplication of two vectors( bulletproofs Add two points of the same curve) bulletproofs&Substract two points of the same curve* bulletproofs2Multiply a scalar and a point in an elliptic curve+ bulletproofs5Double exponentiation (Shamir's trick): g0^x0 + g1^x1, bulletproofs?Raise every point to the corresponding exponent, sum up results- bulletproofsLCreate a Pedersen commitment to a value given a value and a blinding factor2 bulletproofsUAppend minimal amount of zeroes until the list has a length which is a power of two.3 bulletproofs5Given n, append zeroes until the list has length 2^n.4 bulletproofs.Calculate ceiling of log base 2 of an integer.3 bulletproofsn bulletproofs$list which should have length <= 2^n bulletproofslist which will have length 2^n#$%&'()*+,-./0123456789:;#$%&'()*+,-./0123456789:;None"#%.79=>?EHMSX_k_ƒH bulletproofs)The upper bound of the range is too largeI bulletproofs&Value is not within the range requiredJ bulletproofs(Values are not within the range requiredK bulletproofs*Dimension n is required to be a power of 2N bulletproofs‡Blinding factor of the T1 and T2 commitments, combined into the form required to make the committed version of the x-polynomial add upO bulletproofsDBlinding factor required for the Verifier to verify commitments A, SP bulletproofsaDot product of vectors l and r that prove knowledge of the value in range t = t(x) = l(x) ˇ r(x)Q bulletproofs…Commitment to aL and aR, where aL and aR are vectors of bits such that aL ˇ 2^n = v and aR = aL " 1^n . A = ą ˇ H + aL ˇ G + aR ˇ HR bulletproofsACommitment to new vectors sL, sR, created at random by the ProverS bulletproofs%Pedersen commitment to coefficient t1T bulletproofs%Pedersen commitment to coefficient t2U bulletproofswInner product argument to prove that a commitment P has vectors l, r " Z^n for which P = l ˇ G + r ˇ H + ( l, r ) ˇ UV bulletproofsTEncode the value v into a bit representation. Let aL be a vector of bits such that  aL,2^nJ = v (put more simply, the components of a L are the binary digits of v).W bulletproofsBits of v reversed. v =  a,2^n$ = a_0 * 2^0 + ... + a_n-1 * 2^(n-1)Y bulletproofsŁIn order to prove that v is in range, each element of aL is either 0 or 1. We construct a complementary  vector aR = aL " 1^n and require that aL %ć aR = 0 hold.Z bulletproofs_Add non-relevant zeros to a vector to match the size of the other vectors used in the protocol[ bulletproofs7Obfuscate encoded bits with challenges y and z. z^2 *  aL,2^n + z *  aL" 1^n " aR, y^n +  aL,aR ˇ y^n) = (z^2) * v The property holds because  aL" 1^n " aR, y^n = 0 and  aL ˇ aR, y^n = 0] bulletproofsôWe need to blind the vectors aL, aR to make the proof zero knowledge. The Prover creates randomly vectors sL and sR. On creating these, the Prover can send commitments to these vectors; these are properly blinded vector Pedersen commitments:^ bulletproofs (z " z^2) *  1^n,y^n " z^3 * 1^n,2^n_ bulletproofs)Check that a value is in a specific range` bulletproofs)Check that a value is in a specific rangea bulletproofsdCompute commitment of linear vector polynomials l and r P = A + xS " zG + (z*y^n + z^2 * 2^n) * hs'&<=@>?ABECDFGKJIHLMUONTSRQPVWXYZ[\]^_`a&LMUONTSRQPGKJIHABECDF<=@>?VWXYZ[\]^_`aNone"#$.7=>?EHMSX_`keÄj bulletproofsTOptimized non-interactive verifier using multi-exponentiation and batch verificationj bulletproofsRange upper bound bulletproofsGenerators Gs, Hs, h bulletproofs Commitment P bulletproofs>Proof that a secret committed value lies in a certain intervaljjNone"#$.7=>?EHMSX_`kkók bulletproofsdGenerate proof that a witness l, r satisfies the inner product relation on public input (Gs, Hs, h)k bulletproofsGenerators Gs, Hs, h bulletproofscCommitment P = A + xS " zG + (z*y^n + z^2 * 2^n) * hs' of vectors l and r whose inner product is t bulletproofs=Vectors l and r that hide bit vectors aL and aR, respectivelykkNone"#.7=>?EHMSX_klš jkkj None"#$.7=>?EHMSX_`k|ěl bulletproofsCVerify that a commitment was computed from a value in a given rangem bulletproofsŞVerify the constant term of the polynomial t t = t(x) = t0 + t1*x + t2*x^2 This is what binds the proof to the actual original Pedersen commitment V to the actual valuen bulletproofsEVerify the inner product argument for the vectors l and r that form tl bulletproofsRange upper bound bulletproofsCommitments of in-range values bulletproofs>Proof that a secret committed value lies in a certain intervalm bulletproofsDimension n of the vectors bulletproofsCommitments of in-range values bulletproofs>Proof that a secret committed value lies in a certain interval bulletproofs Challenge x bulletproofs Challenge y bulletproofs Challenge zn bulletproofsDimension n of the vectors bulletproofs>Proof that a secret committed value lies in a certain interval bulletproofs Challenge x bulletproofs Challenge y bulletproofs Challenge zlmnlmn None"#$.7=>?EHMSX_`kŒ§o bulletproofsCVerify that a commitment was computed from a value in a given rangep bulletproofsŞVerify the constant term of the polynomial t t = t(x) = t0 + t1*x + t2*x^2 This is what binds the proof to the actual original Pedersen commitment V to the actual valueq bulletproofsEVerify the inner product argument for the vectors l and r that form to bulletproofsRange upper bound bulletproofsCommitments of in-range values bulletproofs>Proof that a secret committed value lies in a certain intervalp bulletproofsDimension n of the vectors bulletproofsCommitment of in-range value bulletproofs>Proof that a secret committed value lies in a certain interval bulletproofs Challenge x bulletproofs Challenge y bulletproofs Challenge zq bulletproofsDimension n of the vectors bulletproofs>Proof that a secret committed value lies in a certain interval bulletproofs Challenge x bulletproofs Challenge y bulletproofs Challenge zopqopq None"#.7=>?EHMSX_`k›Ÿr bulletproofs4Prove that a list of values lies in a specific ranges bulletproofs&Generate range proof from valid inputsĚ bulletproofs˙–Compute l and r polynomials to prove knowledge of aL, aR without revealing them. We achieve it by transferring the vectors l, r. The two terms of the dot product above are set as the constant term, while sL, sR are the coefficient of x^1 , in the following two linear polynomials, which are combined into a quadratic in x: l(x) = (a L " z1 n ) + s L x r(x) = y^n %ć (aR + z * 1^n + sR * x) + z^2 * 2^nÍ bulletproofsSCompute polynomial t from polynomial r t(x) = l(x) ˇ r(x) = t0 + t1 * x + t2 * x^2r bulletproofs)Upper bound of the range we want to prove bulletproofs;Values we want to prove in range and their blinding factorss bulletproofs)Upper bound of the range we want to prove bulletproofs;Values we want to prove in range and their blinding factorsrsrs None"#.7=>?EHMSX_k˘Gt bulletproofs+Prove that a value lies in a specific rangeu bulletproofs&Generate range proof from valid inputst bulletproofs)Upper bound of the range we want to prove bulletproofs;Values we want to prove in range and their blinding factorsu bulletproofs)Upper bound of the range we want to prove bulletproofs;Values we want to prove in range and their blinding factorstutuNone"#.7=>?EHMSX_kŁGHIJKLMPQRSTNOUotuLMPQRSTNOUGHIJKtuoNone"#.7=>?EHMSX_k¤cGHIJKLMPQRSTNOUlrsLMPQRSTNOUGHIJKrsl None"#%.79=>?EHMSX_kž3x bulletproofs;aL " F^n. Vector of left inputs of each multiplication gatey bulletproofs<aR " F^n. Vector of right inputs of each multiplication gatez bulletproofs7aO " F^n. Vector of outputs of each multiplication gate} bulletproofs6Vectors of left and right inputs and vector of outputs~ bulletproofs%Vector of commited input values " F^m bulletproofs1Vector of blinding factors for input values " F^m‚ bulletproofsWL " F^(Q x n)ƒ bulletproofsWR " F^(Q x n)„ bulletproofsWO " F^(Q x n)‡ bulletproofsFWeights for vectors of left and right inputs and for vector of outputsˆ bulletproofs%Weigths for a commitments V of rank m‰ bulletproofsVector of constants of size QŒ bulletproofs‡Blinding factor of the T1 and T2 commitments, combined into the form required to make the committed version of the x-polynomial add up bulletproofsDBlinding factor required for the Verifier to verify commitments A, SŽ bulletproofsaDot product of vectors l and r that prove knowledge of the value in range t = t(x) = l(x) ˇ r(x) bulletproofsCommitment to vectors aL and aR bulletproofsCommitment to vectors aO‘ bulletproofsACommitment to new vectors sL, sR, created at random by the Prover’ bulletproofs!Commitments to t1, t3, t4, t5, t6• bulletproofsThe number of gates is too high– bulletproofs'The number of gates is not a power of 2— bulletproofsdPad circuit weights to make n be a power of 2, which is required to compute the inner product proof˜ bulletproofstPad assignment vectors to make their length n be a power of 2, which is required to compute the inner product proof9vwzyx{|~}€„ƒ‚…†ˆ‡‰Š‹’“Œ‘Ž”•–—˜™š›œžŸ Ą˘Ł¤ĽŚ§¨ŠŞŤŹ­Ž9”•–Š‹’“Œ‘Ž…†ˆ‡‰€„ƒ‚{|~}vwzyx—˜™š›œžŸ Ą˘Ł¤ĽŚ§¨ŠŞŤŹ­Ž None"#%.7=>?EHMSX_kÂ{Č bulletproofs`Verify that a zero-knowledge proof holds for an arithmetic circuit given committed input valuesČČNone"#%.7=>?EHMSX_kÄűÉ bulletproofs^Generate a zero-knowledge proof of computation for an arithmetic circuit with a valid witnessÉÉNone"#.7=>?EHMSX_kĹÁ vwxyz{|}~€‚ƒ„…†‰‡ˆŠ‹Ž‘Œ“’ČÉ ÉȊ‹Ž‘Œ“’…†‰‡ˆ{|}~€‚ƒ„vwxyzNone"#.7=>?EHMSX_kLJÎĎĐŃŇÓÔŐÖ  !"#$$%&''()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMMNOPQQRSTUVWXYZ[[\]^_`abcdefghijklmnopqrstuvwxyxz{ x z { y | y | } } ~  €   ‚ ƒ „ … … † ‡ ˆ ‰ ‰ Š ‹ Œ   \ ] ^ Ž  `  c ‘ ’ Z “ ” l • – — I ˜ ™ š › œ  ž Ÿ   Ą ˘ Ł ¤ Ľ Ś § ¨ Š Ş Ť Ź ­ Ž Ż ° ą ˛ ł ´ ľ ś ˇ ¸ š ş ť ź ˝ ž ż Ŕ Á xyÂĂ Ä ĹĆÇČÉĘËĚÍÎ)bulletproofs-1.0.1-19OL1KfDIOwGdlR0HXS25aBulletproofs.CurveBulletproofs.Fq'Bulletproofs.InnerProductProof.InternalBulletproofs.Utils Bulletproofs.RangeProof.Internal'Bulletproofs.InnerProductProof.Verifier%Bulletproofs.InnerProductProof.Prover%Bulletproofs.MultiRangeProof.Verifier Bulletproofs.RangeProof.Verifier#Bulletproofs.MultiRangeProof.ProverBulletproofs.RangeProof.Prover'Bulletproofs.ArithmeticCircuit.Internal'Bulletproofs.ArithmeticCircuit.Verifier%Bulletproofs.ArithmeticCircuit.ProverBulletproofs.InnerProductProofBulletproofs.RangeProofBulletproofs.MultiRangeProofBulletproofs.ArithmeticCircuitPaths_bulletproofscurve_q_b_aghgshsoracle pointToBSPFFqInnerProductBasebGsbHsbHInnerProductWitnesslsrsInnerProductProoflCommitsrCommitslr$fShowInnerProductProof$fEqInnerProductProof$fGenericInnerProductProof$fNFDataInnerProductProof$fShowInnerProductWitness$fEqInnerProductWitness$fShowInnerProductBase$fEqInnerProductBase powerVector hadamardpdot^+^^-^addPsubPmulP addTwoMulPsumExpscommit isLogBase2logBase2 logBase2MslicepadToNearestPowerOfTwopadToNearestPowerOfTwoOflog2CeilrandomNchooseBlindingVectorsshamirYshamirZshamirXshamirX'shamirUTPolyt0t1t2LRPolysl0l1r0r1RangeProofErrorUpperBoundTooLargeValueNotInRangeValuesNotInRange NNotPowerOf2 RangeProof tBlindingmutaCommitsCommitt1Committ2Commit productProof encodeBitreversedEncodeBitreversedEncodeBitMulticomplementaryVector fillWithZerosobfuscateEncodedBitsobfuscateEncodedBitsSinglecommitBitVectorsdelta checkRange checkRangescomputeLRCommitment$fShowRangeProof$fEqRangeProof$fGenericRangeProof$fNFDataRangeProof$fShowRangeProofError$fEqRangeProofError$fGenericRangeProofError$fNFDataRangeProofError verifyProof generateProof verifyTPolyverifyLRCommitmentgenerateProofUnsafe AssignmentaLaRaO ArithWitness assignment commitmentscommitBlinders GateWeightswLwRwO ArithCircuitweightscommitmentWeightscsArithCircuitProofaiCommitaoCommittCommitsArithCircuitProofError TooManyGates padCircuit padAssignmentcommitBitVector shamirGxGxGshamirGsevaluatePolynomial multiplyPolyvectorMatrixProductvectorMatrixProductTmatrixVectorProduct powerMatrix matrixProductinsertAt genIdenMatrix genZeroMatrixcomputeInputValuesgaussianReducesubstituteMatrixsolveLinearSystemarithCircuitGenarithAssignmentGenarithWitnessGen$fArbitraryArithCircuit$fArbitraryAssignment$fArbitraryArithWitness$fShowArithCircuitProofError$fEqArithCircuitProofError$fShowArithCircuitProof$fEqArithCircuitProof$fGenericArithCircuitProof$fNFDataArithCircuitProof$fShowGateWeights$fEqGateWeights$fGenericGateWeights$fNFDataGateWeights$fShowArithCircuit$fEqArithCircuit$fGenericArithCircuit$fNFDataArithCircuit$fShowAssignment$fEqAssignment$fGenericAssignment$fNFDataAssignment$fShowArithWitness$fEqArithWitness$fGenericArithWitness$fNFDataArithWitness_p generateHcomputeLRPolys computeTPolyversion getBinDir getLibDir getDynLibDir getDataDir getLibexecDir getSysconfDirgetDataFileName