• Stars
    star
    535
  • Rank 82,940 (Top 2 %)
  • Language
    Haskell
  • License
    BSD 3-Clause "New...
  • Created over 6 years ago
  • Updated almost 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup

Buletproofs

Bulletproofs are short zero-knowledge arguments of knowledge that do not require a trusted setup. Argument systems are proof systems with computational soundness.

Bulletproofs are suitable for proving statements on committed values, such as range proofs, verifiable suffles, arithmetic circuits, etc. They rely on the discrete logarithmic assumption and are made non-interactive using the Fiat-Shamir heuristic.

The core algorithm of Bulletproofs is the inner-product algorithm presented by Groth [2]. The algorithm provides an argument of knowledge of two binding vector Pedersen commitments that satisfy a given inner product relation. Bulletproofs build on the techniques of Bootle et al. [3] to introduce a communication efficient inner-product proof that reduces overall communication complexity of the argument to only where is the dimension of the two vectors of commitments.

Range proofs

Bulletproofs present a protocol for conducting short and aggregatable range proofs. They encode a proof of the range of a committed number in an inner product, using polynomials. Range proofs are proofs that a secret value lies in a certain interval. Range proofs do not leak any information about the secret value, other than the fact that they lie in the interval.

The proof algorithm can be sketched out in 5 steps:

Let be a value in and a vector of bit such that . The components of are the binary digits of . We construct a complementary vector and require that holds.

  • - where and are blinded Pedersen commitments to and .

    

    

  • - Verifier sends challenges and to fix and .

  • - where and are commitments to the coefficients , of a polynomial constructed from the existing values in the protocol.

    

    

    

     ,     

  • - Verifier challenges Prover with value .

  • - Prover sends several commitments that the verifier will then check.

    

    

See Prover.hs for implementation details.

The interaction described is made non-interactive using the Fiat-Shamir Transform wherein all the random challenges made by V are replaced with a hash of the transcript up until that point.

Inner-product range proof

The size of the proof is further reduced by leveraging the compact inner product proof.

The inner-product argument in the protocol allows to prove knowledge of vectors and , whose inner product is and the commitment is a commitment of these two vectors. We can therefore replace sending () with a transfer of () and an execution of an inner product argument.

Then, instead of sharing and , which has a communication cost of elements, the inner-product argument transmits only elements. In total, the prover sends only group elements and 5 elements in

Aggregating Logarithmic Proofs

We can construct a single proof of range of multiple values, while only incurring an additional space cost of for additional values , as opposed to a multiplicative factor of when creating independent range proofs.

The aggregate range proof makes use of the inner product argument. It uses () group elements and 5 elements in .

See Multi range proof example

Usage

Single range proof

import Data.Curve.Weierstrass.SECP256K1 (Fr)
import qualified Bulletproofs.RangeProof as RP
import Bulletproofs.Utils (commit)

testSingleRangeProof :: Integer -> (Fr, Fr) -> IO Bool
testSingleRangeProof upperBound (v, vBlinding) = do
  let vCommit = commit v vBlinding

  -- Prover
  proofE <- runExceptT (RP.generateProof upperBound (v, vBlinding))

  -- Verifier
  case proofE of
    Left err -> panic (show err)
    Right proof@RP.RangeProof{..}
      -> pure (RP.verifyProof upperBound vCommit proof)

Multi range proof

import Data.Curve.Weierstrass.SECP256K1 (Fr)
import qualified Bulletproofs.MultiRangeProof as MRP
import Bulletproofs.Utils (commit)

testMultiRangeProof :: Integer -> [(Fr, Fr)] -> IO Bool
testMultiRangeProof upperBound vsAndvBlindings = do
  let vCommits = fmap (uncurry commit) vsAndvBlindings

  -- Prover
  proofE <- runExceptT (MRP.generateProof upperBound vsAndvBlindings)

  -- Verifier
  case proofE of
    Left err -> panic (show err)
    Right proof@RP.RangeProof{..}
      -> pure (MRP.verifyProof upperBound vCommits proof)

Note that the upper bound must be such that , where is also a power of 2. This implementation uses the elliptic curve secp256k1, a Koblitz curve, which has 128 bit security. See Range proofs examples for further details.

Zero-knowledge proofs for Arithmetic Circuits

An arithmetic circuit over a field and variables is a directed acyclic graph whose vertices are called gates.

Arithmetic circuit can be described alternatively as a list of multiplication gates with a collection of linear consistency equations relating the inputs and outputs of the gates. Any circuit described as an acyclic graph can be efficiently converted into this alternative description.

Bulletproofs present a protocol to generate zero-knowledge argument for arithmetic circuits using the inner product argument, which allows to get a proof of size elements and include committed values as inputs to the arithmetic circuit.

In the protocol, the Prover proves that the hadamard product of and and a set of linear constraints hold. The input values used to generate the proof are then committed and shared with the Verifier.

import Data.Curve.Weierstrass.SECP256K1 (Fr)
import Data.Field.Galois (rnd)
import Bulletproofs.ArithmeticCircuit
import Bulletproofs.Utils (hadamard, commit)

--  Example:
--  2 linear constraints (q = 2):
--  aL[0] + aL[1] + aL[2] + aL[3] = v[0]
--  aR[0] + aR[1] + aR[2] + aR[3] = v[1]
--
--  4 multiplication constraints (implicit) (n = 4):
--  aL[0] * aR[0] = aO[0]
--  aL[1] * aR[1] = aO[1]
--  aL[2] * aR[2] = aO[2]
--  aL[3] * aR[3] = aO[3]
--
--  2 input values (m = 2)

arithCircuitExample :: ArithCircuit Fr
arithCircuitExample = ArithCircuit
  { weights = GateWeights
    { wL = [[1, 1, 1, 1]
           ,[0, 0, 0, 0]]
    , wR = [[0, 0, 0, 0]
           ,[1, 1, 1, 1]]
    , wO = [[0, 0, 0, 0]
           ,[0, 0, 0, 0]]
    }
  , commitmentWeights = [[1, 0]
                        ,[0, 1]]
  , cs = [0, 0]
  }

testArithCircuitProof :: ([Fr], [Fr]) -> ArithCircuit Fr -> IO Bool
testArithCircuitProof (aL, aR) arithCircuit = do
  let m = 2

  -- Multiplication constraints
  let aO = aL `hadamard` aR

  -- Linear constraints
      v0 = sum aL
      v1 = sum aR

  commitBlinders <- replicateM m rnd
  let commitments = zipWith commit [v0, v1] commitBlinders

  let arithWitness = ArithWitness
        { assignment = Assignment aL aR aO
        , commitments = commitments
        , commitBlinders = commitBlinders
        }

  proof <- generateProof arithCircuit arithWitness

  pure (verifyProof commitments proof arithCircuit)

See Aritmetic circuit example for further details.

References:

  1. Bunz B., Bootle J., Boneh D., Poelstra A., Wuille P., Maxwell G. "Bulletproofs: Short Proofs for Confidential Transactions and More". Stanford, UCL, Blockstream, 2017

  2. Groth J. "Linear Algebra with Sub-linear Zero-Knowledge Arguments". University College London, 2009

  3. Bootle J., Cerully A., Chaidos P., Groth J, Petit C. "Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting". University College London and University of Oxford, 2016.

Notation:

  • : Hadamard product
  • :Inner product
  • : Vector

Disclaimer

This is experimental code meant for research-grade projects only. Please do not use this code in production until it has matured significantly.

License

Copyright 2018-2022 Stephen Diehl

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

More Repositories

1

write-you-a-haskell

Building a modern functional compiler from first principles. (http://dev.stephendiehl.com/fun/)
Haskell
3,347
star
2

wiwinwlh

What I Wish I Knew When Learning Haskell
Haskell
2,565
star
3

kaleidoscope

Haskell LLVM JIT Compiler Tutorial
Haskell
1,029
star
4

numpile

A tiny 1000 line LLVM-based numeric specializer for scientific Python code.
Jupyter Notebook
403
star
5

gevent-tutorial

Gevent tutorial for the Working Python Developer
HTML
382
star
6

wasm

Haskell compiler infastructure for WebAssembly
WebAssembly
358
star
7

tinyjit

Haskell JIT
Haskell
181
star
8

minichat

Minimal realtime chat application ( Tutorial )
Python
132
star
9

kaylee

MapReduce with ZeroMQ
Python
121
star
10

repline

Haskeline wrapper for GHCi-like REPL interfaces
Haskell
107
star
11

papers

95
star
12

popping-the-crypto-bubble

A no holds barred and unrelenting hatchet job of the crypto community, with all its bad ideas and bad actors put into a historical context of market manias and financial populism.
TeX
91
star
13

dive-into-ghc

Dive into GHC
Haskell
82
star
14

arithmetic-circuits

Arithmetic circuits for zero knowledge proof systems
Haskell
82
star
15

zurihac-crypto

Small minimal examples of modern cryptographic techniques in Haskell
Haskell
79
star
16

schnorr-nizk

Schnorr Protocol for Non-interactive Zero-Knowledge Proofs
Haskell
74
star
17

cabal-edit

A utility for managing Hackage dependencies and manipulating Cabal files from the command line.
Haskell
74
star
18

haskell-vim-proto

Basic starter config for Vim and Haskell
Vim Script
64
star
19

double-ratchet

Double ratchet algorithm for E2E encryption
Haskell
59
star
20

pairing

Optimised bilinear pairings over elliptic curves
Haskell
55
star
21

zeromq-chat

A gevent + Django + Socket.IO + ZeroMQ chat example
Python
53
star
22

galois-field

Finite field and algebraic extension field arithmetic
Haskell
50
star
23

aos-signature

Abe-Ohkubo-Suzuki Linkable Ring Signatures
Haskell
48
star
24

pynanomsg

Python bindings for nanomsg
Python
47
star
25

sonic

Zero-Knowledge SNARKs from Linear-Size Universal and Updatable Structured Reference Strings
Haskell
45
star
26

subpy

Python subsets
Python
41
star
27

elliptic-curve

A polymorphic interface for elliptic curve operations
Haskell
41
star
28

vim-ormolu

Plugin for formatting Haskell source code
Vim Script
39
star
29

llvm-tutorial-standalone

DEPRECATED (Use: https://github.com/llvm-hs/llvm-hs-kaleidoscope )
Haskell
37
star
30

oblivious-transfer

Oblivious transfer for multiparty computation
Haskell
36
star
31

cats

Generate commutative diagrams inside of Pandoc with Tikz
TeX
35
star
32

hakyll-bootstrap

Basic Hakyll + Bootstrap site
HTML
28
star
33

pyrewrite

Python term rewriting
Python
27
star
34

paris-fp

Paris Functional Programming Meetup
Haskell
27
star
35

dotfiles

My config files
Vim Script
24
star
36

llvm-codegen

Code generation utils for LLVM
Haskell
23
star
37

numpush

Shared Memory Numpy ( Deprecated, See https://github.com/ContinuumIO/blaze )
Python
22
star
38

shamir

Shamir Secret Sharing
Haskell
19
star
39

galois-fft

Finite field polynomial arithmetic based on fast Fourier transforms
Haskell
19
star
40

datetime

Financial datetimes and holiday recurrence rules
Haskell
18
star
41

haskell-picosat

Haskell bindings for PicoSAT solver
C
16
star
42

haskell-warp-rest

A Haskell web application using acid-state and scotty
JavaScript
16
star
43

vim-cabalfmt

Cabal-fmt vim plugin for formatting Cabal package files
Vim Script
15
star
44

picologic

Symbolic logic expressions
Haskell
14
star
45

jquery-mathml

Superset of jQuery for working with MathML
JavaScript
12
star
46

cooking-generics

http://www.stephendiehl.com/posts/generics.html
Haskell
12
star
47

print

Simple printing with Text
Haskell
11
star
48

beamer_template

A toolchain to make beautiful Beamer presentations without fussing with LaTeX.
Python
11
star
49

haskell-linenoise

Lightweight readline library for Haskell
C
10
star
50

llvm-pp

A pretty printer for llvm-general-pure. (DEPRECATED: https://github.com/llvm-hs/llvm-hs-pretty/ )
Haskell
7
star
51

gevent_viz

Visualize gevent Greenlet context switches
Python
7
star
52

bnlc

Binary lambda calculus
Python
6
star
53

pycraig

Python library for scraping data from Craigslist
C
6
star
54

commentary

HTML
5
star
55

ts

C
5
star
56

validation

Applicative data validation
Haskell
5
star
57

cfrac

Continued fractions for arithmetic
Haskell
5
star
58

concurrent-timer

Concurrent timer
Haskell
4
star
59

websocket-logger

A in-browser logging console for debugging realtime communication
JavaScript
3
star
60

agents-experiment

Toy language
Haskell
3
star
61

unirewrite

Generic term rewriting
Haskell
3
star
62

tipy

Preprocessor for Python tutorials
Python
3
star
63

equation-editor

A lightweight extensible Javascript equation editor
JavaScript
3
star
64

pretty-latex

Utilities for pretty printing LaTeX from Haskell
Haskell
3
star
65

py-control-flow

Visualize python control flow
Python
3
star
66

pure-python

Cython interface for Pure
C
2
star
67

church-numbers

Lambda Calculus in Python
Python
2
star
68

vector-eigenvalues

C
2
star
69

pymathml

Fork of sourceforge.net/projects/pymathml
Python
1
star
70

rpygtk

A GTK based frontend for R
Python
1
star