bulletproof

package
v0.0.0-...-729ab49 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 24, 2020 License: MIT Imports: 11 Imported by: 0

README

Bulletproofs

Short Proofs for Confidential Transactions and More

Background

Background

Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup. A bulletproof can be used to convince a verifier that an encrypted plaintext is well formed. For example, prove that an encrypted number is in a given range, without revealing anything else about the number. Compared to SNARKs, Bulletproofs require no trusted setup. However, verifying a bulletproof is more time consuming than verifying a SNARK proof.

Bulletproofs are designed to enable efficient confidential transactions in Bitcoin and other cryptocurrencies. Confidential transactions hide the amount that is transfered in the transaction. Every confidential transaction contains a cryptographic proof that the transaction is valid. Bulletproofs shrink the size of the cryptographic proof from over 10kB to less than 1kB. Moreover, bulletproofs support proof aggregation, so that proving that m transaction values are valid adds only O(log(m)) additional elements to the size of a single proof. If all Bitcoin transactions were confidential and used Bulletproofs, then the total size of the UTXO set would be only 17 GB, compared to 160 GB with the currently used proofs.

Bulletproofs have many other applications in cryptographic protocols, such as shortening proofs of solvency, short verifiable shuffles, confidential smart contracts, and as a general drop-in replacement for Sigma-protocols.

Assumtions

  • Discrete logarithm assumption

References

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddVectors 

func AddVectors(a []*big.Int, b []*big.Int) []*big.Int

AddVectors returns the vector z = a + b. This function will panic if the vectors are of different length.

func AddVectors3 

func AddVectors3(a []*big.Int, b []*big.Int, c []*big.Int) []*big.Int

AddVectors3 returns the vector z = a + b + c.

func ComputeChallenges 

func ComputeChallenges(V, g *ECPoint, proof BulletProof) (*big.Int,
	*big.Int, *big.Int, *big.Int, []*big.Int)

ComputeChallenges computes non-interactive challenges in the same way that is used in rangeProofCreate.

func Dot 

func Dot(a, b []*big.Int) *big.Int

Dot computes the inner product of two vectors of length n: a · b = a_1 * b_1 + a_2 * b_2 + ··· + a_n * b_n.

func GetB32 

func GetB32(num *big.Int) [32]byte

GetB32 returns a fixed size 32-byte slice containing the big-endian representation of num. This function will panic if the given number does not fit into 32 bytes.

func Hadamard 

func Hadamard(a, b []*big.Int) []*big.Int

Hadamard computes the vector given by element-wise multiplication of the two given vectors. a ○ b = (a_0*b_0 a_1*b_1 ... a_n*b_n). This function will panic if the vectors have different lengths.

func HashToScalars 

func HashToScalars(seed [32]byte, idx uint32) (*big.Int, *big.Int)

This mirrors the behaviour of secp256k1_scalar_chacha20 in libsecp256k1.

func Inv 

func Inv(z *big.Int) *big.Int

Inv returns the multiplicative inverse of z modulo the group order, i.e. z^-1 such that z * z^-1 = 1 mod N.

func IsQuadraticResidue 

func IsQuadraticResidue(y *big.Int) bool

IsQuadraticResidue returns true if there exists some x such that x*x = y mod P.

func ModSqrtFast 

func ModSqrtFast(x *big.Int) *big.Int

ModSqrtFast returns a value v such that v*v = x mod P. This is about twice as fast as ModSqrtOrig. See: https://bitcointalk.org/index.php?topic=162805.msg1712294#msg1712294

func ModSqrtOrig 

func ModSqrtOrig(x *big.Int) *big.Int

ModSqrtOrig returns a value v such that v*v = x mod P.

func Mul 

func Mul(nums ...*big.Int) *big.Int

Mul returns the product of the given integers.

func Neg 

func Neg(z *big.Int) *big.Int

Neg returns the additive inverse of z modulo the group order, i.e. -z such that z + (-z) = 0 mod N.

func Ones 

func Ones(n int) []*big.Int

Ones returns a vector of length n where all elements are 1.

func ScalarMul 

func ScalarMul(vector []*big.Int, scalar *big.Int) []*big.Int

ScalarMul returns the vector that is the result of the scalar multiplication of vector and scalar.

func SerializePoints 

func SerializePoints(points []*ECPoint) []byte

SerializePoints returns a byte slice containing a bit vector that indicates whether the points

func Square 

func Square(z *big.Int) *big.Int

Square computes and returns z*z.

func SubScalars 

func SubScalars(a, b *big.Int) *big.Int

SubScalars returns the scalar a - b.

func SubVectors 

func SubVectors(a, b []*big.Int) []*big.Int

SubVectors returns the vector a - b. This function will panic if the vectors are of different lengths.

func Sum 

func Sum(nums ...*big.Int) *big.Int

Sum adds the given numbers and returns the total sum.

func VectorOf 

func VectorOf(n int, v *big.Int) []*big.Int

VectorOf returns a length n vector of vs.

Types

type BulletProof 

type BulletProof struct {
	T1 *ECPoint // A commitment to the t_1 coefficient of t(X).
	T2 *ECPoint // A commitment to the t_2 coefficient of t(X).
	A  *ECPoint // A commitment to aL and aR.
	S  *ECPoint // A commitment to the blinding vectors sL and sR.

	Ls, Rs []*ECPoint // The log(n) points from the inner product proof.
	// contains filtered or unexported fields
}

BulletProof is a zero knowledge argument of knowledge that a committed value lies withing a specific range. See rangeProofCreate for a full explanation of these values.

func (*BulletProof) Bytes 

func (p *BulletProof) Bytes() []byte

Bytes serializes the range proof.

func (*BulletProof) Read 

func (p *BulletProof) Read(r io.Reader) error

Read deserializes a single proof.

type ECPoint 

type ECPoint struct {
	X *big.Int
	Y *big.Int
}

ECPoint is a group element of the secp256k1 curve in affine coordinates.

func DeserializePoints 

func DeserializePoints(buf []byte, num uint) ([]*ECPoint, error)

DeserializePoints parses num points that have been serialized using SerializePoints.

func EncodeFieldElementToCurve 

func EncodeFieldElementToCurve(t *big.Int) *ECPoint

EncodeFieldElementToCurve uses the Shallue–van de Woestijne encoding from the paper "Indifferentiable Hashing to Barreto-Naehrig Curves" to map the given field element to a point on secp256k1. Note that this implementation is not constant time.

func GeneratorsCreate 

func GeneratorsCreate(n int) []*ECPoint

GeneratorsCreate creates and returns a list of nothing-up-my-sleeve generator points.

func HadamardP 

func HadamardP(a []*ECPoint, b []*ECPoint) []*ECPoint

HadamardP computes the element-wise point addition of the two vectors. This function will panic if the vectors have different lengths.

func ScalarMulPoint 

func ScalarMulPoint(point *ECPoint, scalar *big.Int) *ECPoint

ScalarMulPoint multiplies a point by a scalar.

func ScalarMulPoints 

func ScalarMulPoints(scalars []*big.Int, points []*ECPoint) *ECPoint

ScalarMulPoints multiplies each point with the corresponding scalar and sums the results. This function will panic if the number of scalars and points differ.

func ScalarMultAll 

func ScalarMultAll(scalar *big.Int, points ...*ECPoint) *ECPoint

ScalarMultAll multiplies all points by the given scalar and sums the results.

func ScalarMultArray 

func ScalarMultArray(xi *big.Int, points []*ECPoint) []*ECPoint

ScalarMultArray multiplies each point in the vector points by the scalar xi and returns them as a vector.

func SumPoints 

func SumPoints(points ...*ECPoint) *ECPoint

SumPoints adds the given curve points and returns the total sum.

func (*ECPoint) Add 

func (p *ECPoint) Add(p2 ECPoint) ECPoint

Add adds points p and p2 and returns the resulting point

func (*ECPoint) Bytes 

func (p *ECPoint) Bytes() []byte

Vector Pedersen Commitment Given an array of values, we commit the array with different generators for each element and for each randomness.

Bytes compresses and serializes the point.

func (*ECPoint) Equals 

func (p *ECPoint) Equals(other *ECPoint) bool

Equals returns true if the given point is the same.

func (*ECPoint) Mult 

func (p *ECPoint) Mult(s *big.Int) ECPoint

Mult multiplies point p by scalar s and returns the resulting point

func (*ECPoint) Neg 

func (p *ECPoint) Neg() ECPoint

Neg returns the additive inverse of point p

func (*ECPoint) Read 

func (p *ECPoint) Read(r io.Reader) error

Read deserializes a compressed elliptic curve point from the reader.

func (*ECPoint) String 

func (p *ECPoint) String() string

String prints the coordinates of this point.

type Prover 

type Prover struct {
	G, H              []*ECPoint // a set of nothing-up-my-sleeve generator points on secp256k1.
	ValueGenerator    *ECPoint   // the generator point used for committing to a value.
	BlindingGenerator *ECPoint   // the generator point used for blinding factors.
	// contains filtered or unexported fields
}

Prover is a range proof prover and verifier.

func NewProver 

func NewProver(n int) *Prover

NewProver returns a new instance of a range proof Prover that supports proving and verifying values up to 2^n-1.

func (*Prover) CreateRangeProof 

func (v *Prover) CreateRangeProof(V *ECPoint, value, gamma *big.Int,
	nonce [32]byte, message [16]byte) (BulletProof, error)

CreateRangeProof creates a zero knowledge argument of knowledge that convinces a verifier that the committed value lies within a specific range.

func (*Prover) Verify 

func (v *Prover) Verify(V *ECPoint, proof BulletProof) bool

Verify takes a committed value V and checks whether the supplied range proof is valid to prove that V commits to a 64-bit positive integer.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.