How Bulletproofs Works

Transcript

1. Cathie Yun, applied cryptographer A U G U S T

   1 1 , 2 0 1 9 Bulletproofs - deep dive

2. Motivation

3. Why do we care about 
 zero knowledge proofs? 3

4. Non-confidential transaction 4 5 4 3 6 INPUTS OUTPUTS 5

   + 4 3 + 6

5. Confidential transaction (broken) 5 A = Com(5) B = Com(4)

   C = Com(3) D = Com(6) INPUTS OUTPUTS A + B C + D Additively homomorphic commitment

6. Confidential transaction (broken) 6 A = Com(5) B = Com(4)

   C = Com(-1) D = Com(10) INPUTS OUTPUTS A + B C + D OH NO!!!

7. Confidential transaction 7 A = Com(5) B = Com(4) C

   = Com(3) proof(C) D = Com(6) proof(D) INPUTS OUTPUTS A + B C + D ZK proof that amount is in range

8. Why do we care about
 Bulletproofs? 8

9. 9 What are Bulletproofs? • Efficient zero knowledge proof system

   • Bulletproofs paper: Bünz, Bootle, Boneh, Poelstra, Wuille, Maxwell • 3x performance improvement over paper from UCL • UCL paper (EUROCRYPT’16): Bootle, Cerulli, Chaidos, Groth, Petit • Introduces the efficient inner product argument

10. Zero knowledge proofs in blockchains 10 Bulletproofs provide O(log(N)) proof

    sizes,
 less than 1 Kb for most cases. Fast verification with Ristretto and AVX2;
 scales well via batching and aggregation. No trusted setup -
 cheap on-the-fly initialization of verification circuit Blockchain requirement Constrained proof size
 (all nodes must receive and verify proofs) Fast verification 
 (low latency - all verifiers must sync quickly) Ad hoc logic
 (different value flows,
 custom smart contracts)

11. Understanding the paper

12. 12

13. 13

14. 14

15. 15 https://doc-internal.dalek.rs/bulletproofs/notes/range_proof/index.html

16. None

17. 17 Bulletproof building block: inner products Σ = c =

    <a, b> x x x x a b a0 a1 a2 … an-1 b0 b1 b2 … bn-1 We can make a proof that c = <a, b> 
 in size and verification time O(log(n)) instead of O(n). c

18. 18 a b c = <a, b> alo ahi blo

    bhi

19. 19 a b c = <a, b> alo ahi blo

    bhi a' c' = <a', b'> a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > Prover gets random challenge scalar x from verifier b'

20. 20 a b c = <a, b> alo ahi blo

    bhi c' = <a', b'> = <alo, blo> + <ahi, bhi>
 + x2·<alo, bhi>
 + x-2·<ahi, blo> a' a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > b'

21. 21 a b c = <a, b> alo ahi blo

    bhi c' = <a', b'> = <alo, blo> + <ahi, bhi>
 + x2·<alo, bhi>
 + x-2·<ahi, blo> same as c a' a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > b'

22. 22 a b c = <a, b> alo ahi blo

    bhi c' = <a', b'> = <alo, blo> + <ahi, bhi>
 + x2·<alo, bhi>
 + x-2·<ahi, blo> let’s call this L let’s call this R same as c a' a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > b'

23. 23 a b c = <a, b> alo ahi blo

    bhi c' = <a', b'> = <alo, blo> + <ahi, bhi>
 + x2·<alo, bhi>
 + x-2·<ahi, blo>
 c' = c + x2·L + x-2·R let’s call this L let’s call this R same as c a' a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > b'

24. 24 a b c = <a, b> alo ahi blo

    bhi c' = <a', b'> let’s call this L let’s call this R Prover sends L, R to verifier Repeat! same as c = <alo, blo> + <ahi, bhi>
 + x2·<alo, bhi>
 + x-2·<ahi, blo>
 c' = c + x2·L + x-2·R a' a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > b'

25. 25 a b c = <a, b> Prover sends a',

    b', c' to verifier Base Case: Prover a' b' c' = a'·b' Verifier checks 
 c' == a'·b'

26. Omitted details 26 • How the challenge scalars are actually

    generated (Fiat-Shamir) • All operations are actually over commitments instead of plain values • How we can use multi-exponentiation to acheive faster verification

27. 27 Bulletproof building block: inner products Σ = c =

    <a, b> x x x x a b a0 a1 a2 … an-1 b0 b1 b2 … bn-1 We can make a proof that c = <a, b> 
 in size and verification time O(log(n)) instead of O(n). c

28. 28 Bulletproof range proofs math & crypto 0≤v<2n How do

    we express a range as an inner product? c=⟨a,b⟩

29. “math & crypto” 29 0 ≤ v < 2n We

    want to prove: If this is true, then v must be a binary number of length n. v = Σ x If v=3, n=4 0 0 1 1 23 22 21 20

30. “math & crypto” 30 0 ≤ v < 2n We

    want to prove: If this is true, then v must be a binary number of length n. 0 0 1 1 v = 23 22 21 20 Σ Let’s call this aL v = ⟨aL, 2n⟩ x

31. Proving bits of v are actually bits 31 0 0

    1 1 v = Σ x 20 21 22 23 Let’s call the vector of bits aL Let’s make a vector aR that is aL - 1n. aL = bits of v aR = bits of v - 1n = aL - 1n Iff the bits of v are actually bits (0s or 1s), then this will be true: aL ∘aR = 0n -1 -1 0 0 0 0 0 0 0 0 1 1

32. Putting it together 32 0 ≤ v < 2n We

    want to prove: We can do this by proving: 1) v = ⟨aL,2n⟩ 2) aL∘aR = 0n 3) aR = aL - 1n binary structure of v bits are actually bits (0s or 1s) relation between bit representations

33. Recap 33 0≤v<2n t=⟨l,r⟩ v = ⟨aL,2n⟩
 aL∘aR = 0n

    
 aR = aL - 1n

34. Building block: combining statements 34 Prover wants to prove that:

    Verifier provides a random challenge scalar Prover combines the original statements: Since the prover cannot predict x, if the latter statement holds then with probability 1-1/p the first statements hold.

35. Building block: combining statements 35 Prover wants to prove that:

    Prover combines the original statements: Since the prover cannot predict y, if the latter statement holds then with probability 1-n/p the first statements hold. This can also be written as: This can also be written as: Verifier provides a random challenge scalar

36. Combining vector statements 36 Previous equations: Rewritten: Combined into inner

    product: v = ⟨aL,2n⟩
 aL ∘aR = 0n 
 aR = aL - 1n aL ∘aR = 0n 
 aL - 1n - aR = 0n ⟨aL ∘aR , yn⟩= 0
 ⟨aL - 1n - aR , yn⟩ = 0 Verifier provides a random challenge scalar y:

37. Combining vector statements: again! 37 Combined into one equation: Previous

    equations: v = ⟨aL,2n⟩
 ⟨aL ∘aR , yn⟩= 0
 ⟨aL - 1n - aR , yn⟩ = 0 z2·⟨aL,2n⟩ + 
 z·⟨aL ∘aR , yn⟩ +
 ⟨aL - 1n - aR , yn⟩ 
 = z2·v Verifier provides a random challenge scalar z:

38. Re-arranging the terms 38 Rewritten: just a lot of
 annoying

    algebra Previous equations: z2·⟨aL,2n⟩ + 
 z·⟨aL ∘aR , yn⟩ +
 ⟨aL - 1n - aR , yn⟩ 
 = z2·v ⟨aL-z·1n, aR ∘yn + z2 ·2n+z·yn⟩ = z2·v + (y, z)

39. 39 https://doc-internal.dalek.rs/bulletproofs/notes/range_proof/index.html#combining-inner-products

40. Recap 40 0≤v<2n t=⟨l,r⟩ v = ⟨aL,2n⟩
 aL∘aR = 0n

    
 aR = aL - 1n ⟨aL-z·1n, aR ∘yn + z2 ·2n+z·yn⟩ 
 = z2·v + (y, z)

41. ⟨ aL-z·1n , aR ∘yn + z2 ·2n+z·yn ⟩ =

    z2·v + (y, z) Pieces of the inner product statement 41 f(aL) g(aR) h(v)

42. 42 Additively homomorphic commitment if A + B = C

    + D Com(A) + Com(B) = Com(C) + Com(D) then 2·E = F 2·Com(E) = Com(F) then if

43. Convert into commitments 43 aL aR v Com(aL) Com(aR) Com(v)

    ⟨ f(aL) , g(aR) ⟩ = h(v) This works if we have an additively homomorphic commitment scheme ⟨ f(Com(aL)) , g(Com(aR)) ⟩ = h(Com(v))

44. 44 c Bulletproof building block: inner products Σ = c

    = <a, b> x x x x a b a0 a1 a2 … an-1 b0 b1 b2 … bn-1 We can make a proof that c = <a, b> 
 in size and verification time O(log(n)) instead of O(n).

45. Omitted details 45 • How the challenge scalars are actually

    generated (Fiat-Shamir) • How the commitments work (Pedersen Commitments, homomorphism) • How the values are blinded, and how we commit to the blinding factors

46. Performance of 64-bit rangeproof verification 46 IFMA = 0.7 milliseconds

    3x faster than libsecp256k1, 7x faster than Monero. 2x faster than libsecp256k1, 4.6x faster than Monero. with SIMD backends in curve25519-dalek AVX2 = 1.04 milliseconds