Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How Bulletproofs Works

How Bulletproofs Works

A walk-through of the math behind Bulletproofs.
Given at Monero Village at DEFCON27.

Cathie Yun

August 11, 2019
Tweet

More Decks by Cathie Yun

Other Decks in Education

Transcript

  1. Cathie Yun, applied cryptographer A U G U S T

    1 1 , 2 0 1 9 Bulletproofs - deep dive
  2. Motivation

  3. Why do we care about 
 zero knowledge proofs? 3

  4. Non-confidential transaction 4 5 4 3 6 INPUTS OUTPUTS 5

    + 4 3 + 6
  5. Confidential transaction (broken) 5 A = Com(5) B = Com(4)

    C = Com(3) D = Com(6) INPUTS OUTPUTS A + B C + D Additively homomorphic commitment
  6. Confidential transaction (broken) 6 A = Com(5) B = Com(4)

    C = Com(-1) D = Com(10) INPUTS OUTPUTS A + B C + D OH NO!!!
  7. Confidential transaction 7 A = Com(5) B = Com(4) C

    = Com(3) proof(C) D = Com(6) proof(D) INPUTS OUTPUTS A + B C + D ZK proof that amount is in range
  8. Why do we care about
 Bulletproofs? 8

  9. 9 What are Bulletproofs? • Efficient zero knowledge proof system

    • Bulletproofs paper: Bünz, Bootle, Boneh, Poelstra, Wuille, Maxwell • 3x performance improvement over paper from UCL • UCL paper (EUROCRYPT’16): Bootle, Cerulli, Chaidos, Groth, Petit • Introduces the efficient inner product argument
  10. Zero knowledge proofs in blockchains 10 Bulletproofs provide O(log(N)) proof

    sizes,
 less than 1 Kb for most cases. Fast verification with Ristretto and AVX2;
 scales well via batching and aggregation. No trusted setup -
 cheap on-the-fly initialization of verification circuit Blockchain requirement Constrained proof size
 (all nodes must receive and verify proofs) Fast verification 
 (low latency - all verifiers must sync quickly) Ad hoc logic
 (different value flows,
 custom smart contracts)
  11. Understanding the paper

  12. 12

  13. 13

  14. 14

  15. 15 https://doc-internal.dalek.rs/bulletproofs/notes/range_proof/index.html

  16. None
  17. 17 Bulletproof building block: inner products Σ = c =

    <a, b> x x x x a b a0 a1 a2 … an-1 b0 b1 b2 … bn-1 We can make a proof that c = <a, b> 
 in size and verification time O(log(n)) instead of O(n). c
  18. 18 a b c = <a, b> alo ahi blo

    bhi
  19. 19 a b c = <a, b> alo ahi blo

    bhi a' c' = <a', b'> a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > Prover gets random challenge scalar x from verifier b'
  20. 20 a b c = <a, b> alo ahi blo

    bhi c' = <a', b'> = <alo, blo> + <ahi, bhi>
 + x2·<alo, bhi>
 + x-2·<ahi, blo> a' a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > b'
  21. 21 a b c = <a, b> alo ahi blo

    bhi c' = <a', b'> = <alo, blo> + <ahi, bhi>
 + x2·<alo, bhi>
 + x-2·<ahi, blo> same as c a' a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > b'
  22. 22 a b c = <a, b> alo ahi blo

    bhi c' = <a', b'> = <alo, blo> + <ahi, bhi>
 + x2·<alo, bhi>
 + x-2·<ahi, blo> let’s call this L let’s call this R same as c a' a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > b'
  23. 23 a b c = <a, b> alo ahi blo

    bhi c' = <a', b'> = <alo, blo> + <ahi, bhi>
 + x2·<alo, bhi>
 + x-2·<ahi, blo>
 c' = c + x2·L + x-2·R let’s call this L let’s call this R same as c a' a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > b'
  24. 24 a b c = <a, b> alo ahi blo

    bhi c' = <a', b'> let’s call this L let’s call this R Prover sends L, R to verifier Repeat! same as c = <alo, blo> + <ahi, bhi>
 + x2·<alo, bhi>
 + x-2·<ahi, blo>
 c' = c + x2·L + x-2·R a' a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > b'
  25. 25 a b c = <a, b> Prover sends a',

    b', c' to verifier Base Case: Prover a' b' c' = a'·b' Verifier checks 
 c' == a'·b'
  26. Omitted details 26 • How the challenge scalars are actually

    generated (Fiat-Shamir) • All operations are actually over commitments instead of plain values • How we can use multi-exponentiation to acheive faster verification
  27. 27 Bulletproof building block: inner products Σ = c =

    <a, b> x x x x a b a0 a1 a2 … an-1 b0 b1 b2 … bn-1 We can make a proof that c = <a, b> 
 in size and verification time O(log(n)) instead of O(n). c
  28. 28 Bulletproof range proofs math & crypto 0≤v<2n How do

    we express a range as an inner product? c=⟨a,b⟩
  29. “math & crypto” 29 0 ≤ v < 2n We

    want to prove: If this is true, then v must be a binary number of length n. v = Σ x If v=3, n=4 0 0 1 1 23 22 21 20
  30. “math & crypto” 30 0 ≤ v < 2n We

    want to prove: If this is true, then v must be a binary number of length n. 0 0 1 1 v = 23 22 21 20 Σ Let’s call this aL v = ⟨aL, 2n⟩ x
  31. Proving bits of v are actually bits 31 0 0

    1 1 v = Σ x 20 21 22 23 Let’s call the vector of bits aL Let’s make a vector aR that is aL - 1n. aL = bits of v aR = bits of v - 1n = aL - 1n Iff the bits of v are actually bits (0s or 1s), then this will be true: aL ∘aR = 0n -1 -1 0 0 0 0 0 0 0 0 1 1
  32. Putting it together 32 0 ≤ v < 2n We

    want to prove: We can do this by proving: 1) v = ⟨aL,2n⟩ 2) aL∘aR = 0n 3) aR = aL - 1n binary structure of v bits are actually bits (0s or 1s) relation between bit representations
  33. Recap 33 0≤v<2n t=⟨l,r⟩ v = ⟨aL,2n⟩
 aL∘aR = 0n

    
 aR = aL - 1n
  34. Building block: combining statements 34 Prover wants to prove that:

    Verifier provides a random challenge scalar Prover combines the original statements: Since the prover cannot predict x, if the latter statement holds then with probability 1-1/p the first statements hold.
  35. Building block: combining statements 35 Prover wants to prove that:

    Prover combines the original statements: Since the prover cannot predict y, if the latter statement holds then with probability 1-n/p the first statements hold. This can also be written as: This can also be written as: Verifier provides a random challenge scalar
  36. Combining vector statements 36 Previous equations: Rewritten: Combined into inner

    product: v = ⟨aL,2n⟩
 aL ∘aR = 0n 
 aR = aL - 1n aL ∘aR = 0n 
 aL - 1n - aR = 0n ⟨aL ∘aR , yn⟩= 0
 ⟨aL - 1n - aR , yn⟩ = 0 Verifier provides a random challenge scalar y:
  37. Combining vector statements: again! 37 Combined into one equation: Previous

    equations: v = ⟨aL,2n⟩
 ⟨aL ∘aR , yn⟩= 0
 ⟨aL - 1n - aR , yn⟩ = 0 z2·⟨aL,2n⟩ + 
 z·⟨aL ∘aR , yn⟩ +
 ⟨aL - 1n - aR , yn⟩ 
 = z2·v Verifier provides a random challenge scalar z:
  38. Re-arranging the terms 38 Rewritten: just a lot of
 annoying

    algebra Previous equations: z2·⟨aL,2n⟩ + 
 z·⟨aL ∘aR , yn⟩ +
 ⟨aL - 1n - aR , yn⟩ 
 = z2·v ⟨aL-z·1n, aR ∘yn + z2 ·2n+z·yn⟩ = z2·v + (y, z)
  39. 39 https://doc-internal.dalek.rs/bulletproofs/notes/range_proof/index.html#combining-inner-products

  40. Recap 40 0≤v<2n t=⟨l,r⟩ v = ⟨aL,2n⟩
 aL∘aR = 0n

    
 aR = aL - 1n ⟨aL-z·1n, aR ∘yn + z2 ·2n+z·yn⟩ 
 = z2·v + (y, z)
  41. ⟨ aL-z·1n , aR ∘yn + z2 ·2n+z·yn ⟩ =

    z2·v + (y, z) Pieces of the inner product statement 41 f(aL) g(aR) h(v)
  42. 42 Additively homomorphic commitment if A + B = C

    + D Com(A) + Com(B) = Com(C) + Com(D) then 2·E = F 2·Com(E) = Com(F) then if
  43. Convert into commitments 43 aL aR v Com(aL) Com(aR) Com(v)

    ⟨ f(aL) , g(aR) ⟩ = h(v) This works if we have an additively homomorphic commitment scheme ⟨ f(Com(aL)) , g(Com(aR)) ⟩ = h(Com(v))
  44. 44 c Bulletproof building block: inner products Σ = c

    = <a, b> x x x x a b a0 a1 a2 … an-1 b0 b1 b2 … bn-1 We can make a proof that c = <a, b> 
 in size and verification time O(log(n)) instead of O(n).
  45. Omitted details 45 • How the challenge scalars are actually

    generated (Fiat-Shamir) • How the commitments work (Pedersen Commitments, homomorphism) • How the values are blinded, and how we commit to the blinding factors
  46. Performance of 64-bit rangeproof verification 46 IFMA = 0.7 milliseconds

    3x faster than libsecp256k1, 7x faster than Monero. 2x faster than libsecp256k1, 4.6x faster than Monero. with SIMD backends in curve25519-dalek AVX2 = 1.04 milliseconds