99

# How Bulletproofs Works

A walk-through of the math behind Bulletproofs.
Given at Monero Village at DEFCON27. August 11, 2019

## Transcript

1. ### Cathie Yun, applied cryptographer A U G U S T

1 1 , 2 0 1 9 Bulletproofs - deep dive

+ 4 3 + 6
5. ### Confidential transaction (broken) 5 A = Com(5) B = Com(4)

C = Com(3) D = Com(6) INPUTS OUTPUTS A + B C + D Additively homomorphic commitment
6. ### Confidential transaction (broken) 6 A = Com(5) B = Com(4)

C = Com(-1) D = Com(10) INPUTS OUTPUTS A + B C + D OH NO!!!
7. ### Confidential transaction 7 A = Com(5) B = Com(4) C

= Com(3) proof(C) D = Com(6) proof(D) INPUTS OUTPUTS A + B C + D ZK proof that amount is in range

9. ### 9 What are Bulletproofs? • Efficient zero knowledge proof system

• Bulletproofs paper: Bünz, Bootle, Boneh, Poelstra, Wuille, Maxwell • 3x performance improvement over paper from UCL • UCL paper (EUROCRYPT’16): Bootle, Cerulli, Chaidos, Groth, Petit • Introduces the efficient inner product argument
10. ### Zero knowledge proofs in blockchains 10 Bulletproofs provide O(log(N)) proof

sizes,  less than 1 Kb for most cases. Fast verification with Ristretto and AVX2;  scales well via batching and aggregation. No trusted setup -  cheap on-the-fly initialization of verification circuit Blockchain requirement Constrained proof size  (all nodes must receive and verify proofs) Fast verification   (low latency - all verifiers must sync quickly) Ad hoc logic  (different value flows,  custom smart contracts)

16. None
17. ### 17 Bulletproof building block: inner products Σ = c =

<a, b> x x x x a b a0 a1 a2 … an-1 b0 b1 b2 … bn-1 We can make a proof that c = <a, b>   in size and verification time O(log(n)) instead of O(n). c

bhi
19. ### 19 a b c = <a, b> alo ahi blo

bhi a' c' = <a', b'> a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > Prover gets random challenge scalar x from verifier b'
20. ### 20 a b c = <a, b> alo ahi blo

bhi c' = <a', b'> = <alo, blo> + <ahi, bhi>  + x2·<alo, bhi>  + x-2·<ahi, blo> a' a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > b'
21. ### 21 a b c = <a, b> alo ahi blo

bhi c' = <a', b'> = <alo, blo> + <ahi, bhi>  + x2·<alo, bhi>  + x-2·<ahi, blo> same as c a' a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > b'
22. ### 22 a b c = <a, b> alo ahi blo

bhi c' = <a', b'> = <alo, blo> + <ahi, bhi>  + x2·<alo, bhi>  + x-2·<ahi, blo> let’s call this L let’s call this R same as c a' a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > b'
23. ### 23 a b c = <a, b> alo ahi blo

bhi c' = <a', b'> = <alo, blo> + <ahi, bhi>  + x2·<alo, bhi>  + x-2·<ahi, blo>  c' = c + x2·L + x-2·R let’s call this L let’s call this R same as c a' a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > b'
24. ### 24 a b c = <a, b> alo ahi blo

bhi c' = <a', b'> let’s call this L let’s call this R Prover sends L, R to verifier Repeat! same as c = <alo, blo> + <ahi, bhi>  + x2·<alo, bhi>  + x-2·<ahi, blo>  c' = c + x2·L + x-2·R a' a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > b'
25. ### 25 a b c = <a, b> Prover sends a',

b', c' to verifier Base Case: Prover a' b' c' = a'·b' Verifier checks   c' == a'·b'
26. ### Omitted details 26 • How the challenge scalars are actually

generated (Fiat-Shamir) • All operations are actually over commitments instead of plain values • How we can use multi-exponentiation to acheive faster verification
27. ### 27 Bulletproof building block: inner products Σ = c =

<a, b> x x x x a b a0 a1 a2 … an-1 b0 b1 b2 … bn-1 We can make a proof that c = <a, b>   in size and verification time O(log(n)) instead of O(n). c
28. ### 28 Bulletproof range proofs math & crypto 0≤v<2n How do

we express a range as an inner product? c=⟨a,b⟩
29. ### “math & crypto” 29 0 ≤ v < 2n We

want to prove: If this is true, then v must be a binary number of length n. v = Σ x If v=3, n=4 0 0 1 1 23 22 21 20
30. ### “math & crypto” 30 0 ≤ v < 2n We

want to prove: If this is true, then v must be a binary number of length n. 0 0 1 1 v = 23 22 21 20 Σ Let’s call this aL v = ⟨aL, 2n⟩ x
31. ### Proving bits of v are actually bits 31 0 0

1 1 v = Σ x 20 21 22 23 Let’s call the vector of bits aL Let’s make a vector aR that is aL - 1n. aL = bits of v aR = bits of v - 1n = aL - 1n Iff the bits of v are actually bits (0s or 1s), then this will be true: aL ∘aR = 0n -1 -1 0 0 0 0 0 0 0 0 1 1
32. ### Putting it together 32 0 ≤ v < 2n We

want to prove: We can do this by proving: 1) v = ⟨aL,2n⟩ 2) aL∘aR = 0n 3) aR = aL - 1n binary structure of v bits are actually bits (0s or 1s) relation between bit representations
33. ### Recap 33 0≤v<2n t=⟨l,r⟩ v = ⟨aL,2n⟩  aL∘aR = 0n

aR = aL - 1n
34. ### Building block: combining statements 34 Prover wants to prove that:

Verifier provides a random challenge scalar Prover combines the original statements: Since the prover cannot predict x, if the latter statement holds then with probability 1-1/p the first statements hold.
35. ### Building block: combining statements 35 Prover wants to prove that:

Prover combines the original statements: Since the prover cannot predict y, if the latter statement holds then with probability 1-n/p the first statements hold. This can also be written as: This can also be written as: Verifier provides a random challenge scalar
36. ### Combining vector statements 36 Previous equations: Rewritten: Combined into inner

product: v = ⟨aL,2n⟩  aL ∘aR = 0n   aR = aL - 1n aL ∘aR = 0n   aL - 1n - aR = 0n ⟨aL ∘aR , yn⟩= 0  ⟨aL - 1n - aR , yn⟩ = 0 Verifier provides a random challenge scalar y:
37. ### Combining vector statements: again! 37 Combined into one equation: Previous

equations: v = ⟨aL,2n⟩  ⟨aL ∘aR , yn⟩= 0  ⟨aL - 1n - aR , yn⟩ = 0 z2·⟨aL,2n⟩ +   z·⟨aL ∘aR , yn⟩ +  ⟨aL - 1n - aR , yn⟩   = z2·v Verifier provides a random challenge scalar z:
38. ### Re-arranging the terms 38 Rewritten: just a lot of  annoying

algebra Previous equations: z2·⟨aL,2n⟩ +   z·⟨aL ∘aR , yn⟩ +  ⟨aL - 1n - aR , yn⟩   = z2·v ⟨aL-z·1n, aR ∘yn + z2 ·2n+z·yn⟩ = z2·v + (y, z)

40. ### Recap 40 0≤v<2n t=⟨l,r⟩ v = ⟨aL,2n⟩  aL∘aR = 0n

aR = aL - 1n ⟨aL-z·1n, aR ∘yn + z2 ·2n+z·yn⟩   = z2·v + (y, z)
41. ### ⟨ aL-z·1n , aR ∘yn + z2 ·2n+z·yn ⟩ =

z2·v + (y, z) Pieces of the inner product statement 41 f(aL) g(aR) h(v)
42. ### 42 Additively homomorphic commitment if A + B = C

+ D Com(A) + Com(B) = Com(C) + Com(D) then 2·E = F 2·Com(E) = Com(F) then if
43. ### Convert into commitments 43 aL aR v Com(aL) Com(aR) Com(v)

⟨ f(aL) , g(aR) ⟩ = h(v) This works if we have an additively homomorphic commitment scheme ⟨ f(Com(aL)) , g(Com(aR)) ⟩ = h(Com(v))
44. ### 44 c Bulletproof building block: inner products Σ = c

= <a, b> x x x x a b a0 a1 a2 … an-1 b0 b1 b2 … bn-1 We can make a proof that c = <a, b>   in size and verification time O(log(n)) instead of O(n).
45. ### Omitted details 45 • How the challenge scalars are actually

generated (Fiat-Shamir) • How the commitments work (Pedersen Commitments, homomorphism) • How the values are blinded, and how we commit to the blinding factors
46. ### Performance of 64-bit rangeproof verification 46 IFMA = 0.7 milliseconds

3x faster than libsecp256k1, 7x faster than Monero. 2x faster than libsecp256k1, 4.6x faster than Monero. with SIMD backends in curve25519-dalek AVX2 = 1.04 milliseconds