Independent generator Gs ∈ G^n
Independent generator Hs ∈ G^n
Internally fixed group element H ∈ G for which there is no known discrete-log relation among Gs, Hs, bG
Vector of values l that the prover uses to compute lCommits in the recursive inner product algorithm
Vector of values r that the prover uses to compute rCommits in the recursive inner product algorithm
Vector of commitments of the elements in the original vector l whose size is the logarithm of base 2 of the size of vector l
Vector of commitments of the elements in the original vector r whose size is the logarithm of base 2 of the size of vector r
Remaining element of vector l at the end of the recursive algorithm that generates the inner-product proof
Remaining element of vector r at the end of the recursive algorithm that generates the inner-product proof

H = aG where a is not known
Generate vector of generators in a deterministic way from the curve generator g by applying H(encode(g) || i) where H is a secure hash function
Generate vector of generators in a deterministic way from the curve generator h by applying H(encode(h) || i) where H is a secure hash function
A random oracle. In the Fiat-Shamir heuristic, its input is specifically the transcript of the interaction up to that point.
Iterative algorithm to generate H. The important thing about the H value is that nobody gets to know its discrete logarithm "k" such that H = kG
Return a vector containing the first n powers of a
Hadamard product or entry wise multiplication of two vectors
Dot product
Entry wise sum
Entry wise subtraction
Double exponentiation (Shamir's trick): g0^x0 + g1^x1
Raise every point to the corresponding exponent, sum up results
Create a Pedersen commitment to a value given a value and a blinding factor
Append minimal amount of zeroes until the list has a length which is a power of two.
Given n, append zeroes until the list has length 2^n.
  n
  list which should have length <= 2^n
  list which will have length 2^n
Calculate ceiling of log base 2 of an integer.

The upper bound of the range is too large
Value is not within the range required
Values are not within the range required
Dimension n is required to be a power of 2
Blinding factor of the T1 and T2 commitments, combined into the form required to make the committed version of the x-polynomial add up
Blinding factor required for the Verifier to verify commitments A, S
Dot product of vectors l and r that prove knowledge of the value in range t = t(x) = l(x) · r(x)
Commitment to aL and aR, where aL and aR are vectors of bits such that aL · 2^n = v and aR = aL − 1^n.
A = α · H + aL · G + aR · H
Commitment to new vectors sL, sR, created at random by the Prover
Pedersen commitment to coefficient t1
Pedersen commitment to coefficient t2
Inner product argument to prove that a commitment P has vectors l, r ∈ Z^n for which P = l · G + r · H + ( l, r ) · U
Encode the value v into a bit representation. Let aL be a vector of bits such that ⟨aL, 2^n⟩ = v (put more simply, the components of aL are the binary digits of v).
Bits of v reversed. v = ⟨a, 2^n⟩ = a_0 * 2^0 + ... + a_n-1 * 2^(n-1)
In order to prove that v is in range, each element of aL is either 0 or 1. We construct a complementary vector aR = aL − 1^n and require that aL ◦ aR = 0 hold.
Add non-relevant zeros to a vector to match the size of the other vectors used in the protocol
Obfuscate encoded bits with challenges y and z. z^2 * ⟨aL, 2^n⟩ + z * ⟨aL − 1^n − aR, y^n⟩ + ⟨aL, aR · y^n⟩ = (z^2) * v. The property holds because ⟨aL − 1^n − aR, y^n⟩ = 0 and ⟨aL · aR, y^n⟩ = 0
We need to blind the vectors aL, aR to make the proof zero knowledge. The Prover creates randomly vectors sL and sR. On creating these, the Prover can send commitments to these vectors; these are properly blinded vector Pedersen commitments:
(z − z^2) * ⟨1^n, y^n⟩ − z^3 * ⟨1^n, 2^n⟩
Check that a value is in a specific range
Check that a value is in a specific range
Compute commitment of linear vector polynomials l and r. P = A + xS − zG + (z*y^n + z^2 * 2^n) * hs'

Optimized non-interactive verifier using multi-exponentiation and batch verification
  Range upper bound
  Generators Gs, Hs, h
  Commitment P
  Proof that a secret committed value lies in a certain interval

Generate proof that a witness l, r satisfies the inner product relation on public input (Gs, Hs, h)
  Generators Gs, Hs, h
  Commitment P = A + xS − zG + (z*y^n + z^2 * 2^n) * hs' of vectors l and r whose inner product is t
  Vectors l and r that hide bit vectors aL and aR, respectively

Verify that a commitment was computed from a value in a given range
  Range upper bound
  Commitments of in-range values
  Proof that a secret committed value lies in a certain interval
Verify the constant term of the polynomial t. t = t(x) = t0 + t1*x + t2*x^2. This is what binds the proof to the actual original Pedersen commitment V to the actual value
  Dimension n of the vectors
  Commitments of in-range values
  Proof that a secret committed value lies in a certain interval
  Challenge x
  Challenge y
  Challenge z
Verify the inner product argument for the vectors l and r that form t
  Dimension n of the vectors
  Proof that a secret committed value lies in a certain interval
  Challenge x
  Challenge y
  Challenge z

Verify that a commitment was computed from a value in a given range
  Range upper bound
  Commitments of in-range values
  Proof that a secret committed value lies in a certain interval
Verify the constant term of the polynomial t. t = t(x) = t0 + t1*x + t2*x^2. This is what binds the proof to the actual original Pedersen commitment V to the actual value
  Dimension n of the vectors
  Commitment of in-range value
  Proof that a secret committed value lies in a certain interval
  Challenge x
  Challenge y
  Challenge z
Verify the inner product argument for the vectors l and r that form t
  Dimension n of the vectors
  Proof that a secret committed value lies in a certain interval
  Challenge x
  Challenge y
  Challenge z

Prove that a list of values lies in a specific range
  Upper bound of the range we want to prove
  Values we want to prove in range and their blinding factors
Generate range proof from valid inputs
  Upper bound of the range we want to prove
  Values we want to prove in range and their blinding factors
Compute l and r polynomials to prove knowledge of aL, aR without revealing them. We achieve it by transferring the vectors l, r. The two terms of the dot product above are set as the constant term, while sL, sR are the coefficient of x^1, in the following two linear polynomials, which are combined into a quadratic in x:
  l(x) = (aL − z * 1^n) + sL * x
  r(x) = y^n ◦ (aR + z * 1^n + sR * x) + z^2 * 2^n
Compute polynomial t from polynomial r. t(x) = l(x) · r(x) = t0 + t1 * x + t2 * x^2

Prove that a value lies in a specific range
  Upper bound of the range we want to prove
  Values we want to prove in range and their blinding factors
Generate range proof from valid inputs
  Upper bound of the range we want to prove
  Values we want to prove in range and their blinding factors

aL ∈ F^n. Vector of left inputs of each multiplication gate
aR ∈ F^n. Vector of right inputs of each multiplication gate
aO ∈ F^n. Vector of outputs of each multiplication gate
Vectors of left and right inputs and vector of outputs
Vector of committed input values ∈ F^m
Vector of blinding factors for input values ∈ F^m
WL ∈ F^(Q x n)
WR ∈ F^(Q x n)
WO ∈ F^(Q x n)
Weights for vectors of left and right inputs and for vector of outputs
Weights for a commitments V of rank m
Vector of constants of size Q
Blinding factor of the T1 and T2 commitments, combined into the form required to make the committed version of the x-polynomial add up
Blinding factor required for the Verifier to verify commitments A, S
Dot product of vectors l and r that prove knowledge of the value in range t = t(x) = l(x) · r(x)
Commitment to vectors aL and aR
Commitment to vectors aO
Commitment to new vectors sL, sR, created at random by the Prover
Commitments to t1, t3, t4, t5, t6
The number of gates is too high
The number of gates is not a power of 2
Pad circuit weights to make n be a power of 2, which is required to compute the inner product proof
Pad assignment vectors to make their length n be a power of 2, which is required to compute the inner product proof

Verify that a zero-knowledge proof holds for an arithmetic circuit given committed input values

Generate a zero-knowledge proof of computation for an arithmetic circuit with a valid witness

bulletproofs-1.1.0-FP4S76deUzfBfGRiiGUv0Q
Bulletproofs.InnerProductProof.Internal
Bulletproofs.Utils
Bulletproofs.RangeProof.Internal
Bulletproofs.InnerProductProof.Verifier
Bulletproofs.InnerProductProof.Prover
Bulletproofs.MultiRangeProof.Verifier
Bulletproofs.RangeProof.Verifier
Bulletproofs.MultiRangeProof.Prover
Bulletproofs.RangeProof.Prover
Bulletproofs.ArithmeticCircuit.Internal
Bulletproofs.ArithmeticCircuit.Verifier
Bulletproofs.ArithmeticCircuit.Prover
Bulletproofs.InnerProductProof
Bulletproofs.RangeProof
Bulletproofs.MultiRangeProof
Bulletproofs.ArithmeticCircuit
Paths_bulletproofs