Suyash Bagad: Personal Webpage
## Summer Internship in Applied Cryptography
2021-04-17
We are seeking candidates for the role of junior cryptography engineer for a summer internship.
This would be a fully remote, 6 to 8 week internship.
Ideally, we expect students from second and third year of engineering with a math background to apply.
Apply only after reading about the projects and if you are interested in working on any one of them.
If you are shortlisted, you will get a mail from us.
Apply [here](https://forms.gle/FYVVTJnaTbnoXG1p7) before April 22, 23:59 IST.
<object data="{{ site.baseurl }}/assets/pdfs/intern-projects-summer-2021.pdf" width="100%" height="1050" type='application/pdf'>
</object>
## Monero Bulletproofs+ Security Audit
2021-02-10
We have finished the Bulletproofs+ security audit for Monero.
We have incorporated suggestions and comments from the Monero Research Lab and we are releasing the final report:
<a href="{{ site.baseurl }}/assets/pdfs/bulletproofs_plus_audit_report_v1.1.pdf"> Monero Bulletproofs+ Security Audit - v1.1</a>
This is joint work with [Omer Shlomovits](https://www.omershlomovits.com/) and Prof. [Claudio Orlandi](https://cs.au.dk/~orlandi/) of [ZenGo X](https://zengo.com/research/).
## Comparing Bulletproofs+ and Bulletproofs - Part III
2020-07-03
{% katexmm %}
In this third part on comparing [Bulletproofs+](https://eprint.iacr.org/2020/735.pdf) and [Bulletproofs](https://eprint.iacr.org/2017/1066.pdf), we will delve into the math of aggregate verification of the range proofs. We compare the verification speeds of both of the protocols qualitatively as well as quantitatively. Please read blogs [1](https://suyash67.github.io/homepage/project/2020/07/03/bulletproofs_plus_part1.html), [2](https://suyash67.github.io/homepage/project/2020/07/03/bulletproofs_plus_part2.html) for a primer on Bulletproofs and Bulletproofs+.
### Aggregated Range Proof Protocols
An aggregated range proof proves, with a single proof, that each quantity $a_j \in \mathbb{Z}_q$ for $j=1,2,\dots,m$ lies in the range $[0,2^n - 1]$. Aggregated Bulletproofs and Bulletproofs+ proofs have the following structure.
{% katex display %}
\begin{aligned}
\texttt{crs}_{bp} &= \{ \textbf{g}, \textbf{h} \in \mathbb{G}^{n\cdot m}, \ g,h \in \mathbb{G}, \ \textbf{V}=(V_1,V_2, \dots, V_m) \in \mathbb{G}^m \} \\[6pt]
\texttt{wit}_{bp} &= \{ \textbf{a}, \mathbf{f} \in \mathbb{Z}_q^m \} \\[6pt]
\texttt{stmt}_{bp} &= \{ V_j = g^{a_j} h^{f_j} \text{ and } a_j \in [0,2^{n}-1] \ \forall j \in [m] \} \\[6pt]
\Pi_{bp} &= \left\{ A,S,T_1,T_2, (\textbf{L,\ R}) = \big( L_j, R_j \big)_{j=1}^{\text{log}_2(nm)} \in \mathbb{G}^{2 \times \text{log}_2(nm)}, \tau, \hat{t}, \mu, a,b \in \mathbb{Z}_q \right\}
\end{aligned}
{% endkatex %}
{% katex display %}
\Pi_{bp+} = \left\{ A,(\textbf{L,\ R}) = \big( L_j, R_j \big)_{j=1}^{\text{log}_2(nm)} \in \mathbb{G}^{2 \times \text{log}_2(nm)}, r',s',\delta' \in \mathbb{Z}_q, A',B' \in \mathbb{G} \right\}
{% endkatex %}
Note that the $\texttt{crs, wit, stmt}$ remain unchanged for Bulletproofs+.
### Bulletproofs Verification
Given an aggregated BP proof, a verifier needs to check the following:
{% katex display %}
\tag{1}
g^{\hat{t}} \cdot h^{\tau} \stackrel{?}{=} g^{\delta(y,z)} \cdot \textbf{V}^{z^2 \cdot \textbf{z}^m} \cdot T_1^x \cdot T_2^{x^2}
{% endkatex %}
{% katex display %}
\tag{2}
\text{verify-ipp}(\textbf{g}, \textbf{h}', g^{x_u}, Ph^{-\mu}g^{x_u \cdot \hat{t}}, \hat{t})
{% endkatex %}
where $\textbf{h}' = (h_1, h_2^{y^{-1}}, \dots, h_{mn}^{y^{1-mn}})$.
Note that the verifier can compute $P$ as
$$\tag{3} P = A \cdot S^x \cdot \textbf{g}^{-z \cdot \textbf{1}^{mn}} \cdot (\textbf{h}')^{z \cdot \textbf{y}^{mn} + \textbf{d}}$$
where $\textbf{d} = (z^2 \cdot \textbf{2}^n, z^3 \cdot \textbf{2}^n, \dots, z^{m+1} \cdot \textbf{2}^n) \in \mathbb{Z}^{mn}_q$ from publicly available information.
The inner product proof in $(2)$ can be verified in a single multi-exponentiation equation [^1] as
$$
\tag{4}
\textbf{g}^{a \cdot \textbf{s}} \cdot \textbf{h}^{b \cdot \textbf{s}'} \cdot g^{x_u \cdot ab} \stackrel{?}{=} (Ph^{-\mu}) \cdot \prod_{j=1}^{\text{log}_2(nm)} L_j^{x_j^2} \cdot R_j^{x_j^{-2}}
$$
where $\textbf{s} = (s_1, s_2, \dots, s_{mn}), \textbf{s}' = (s_1^{-1}, s_2^{-1}, \dots, s_{mn}^{-1}) \in \mathbb{Z}_q^{mn}$ such that for all $i \in [nm]$
$$
s_i = \prod_{j=1}^{\text{log}_2(nm)} x_j^{b(i,j)}
\quad
\text{ where }
\quad
b(i,j) =
\begin{cases}
1 &\text{if $j$-th bit of } (i-1) \text{ is 1} \\
-1 &\text{otherwise}
\end{cases}
$$
and $(x_1, x_2, \dots, x_{\text{log}_2(nm)})$ are the challenges used in the $\text{log}_2(nm)$ rounds of the inner product protocol. Substituting $(3)$ in $(4)$ to get a single inner product proof check, we get
$$
\textbf{g}^{a \cdot \textbf{s}} \cdot \textbf{h}^{b \cdot \textbf{s}'} \cdot g^{x_u \cdot ab} \stackrel{?}{=}
\left(
A \cdot S^x \cdot \textbf{g}^{-z \cdot \textbf{1}^{mn}} \cdot (\textbf{h}')^{z \cdot \textbf{y}^{mn} + \textbf{d}} \cdot h^{-\mu} \cdot g^{x_u \cdot \hat{t}}
\right)
\cdot \prod_{j=1}^{\text{log}_2(nm)} L_j^{x_j^2} \cdot R_j^{x_j^{-2}}
$$
Bringing everything to the left, we have
$$
\textbf{g}^{a \cdot \textbf{s} + z \cdot \textbf{1}^{mn}} \cdot
\textbf{h}^{b \cdot \textbf{s}' - z \cdot \textbf{1}^{mn} - (\textbf{y}')^{mn} \circ \textbf{d}} \cdot
g^{x_u (ab - \hat{t})} \cdot
h^{\mu} \cdot
A^{-1} \cdot
S^{-x} \cdot
\prod_{j=1}^{\text{log}_2(nm)} L_j^{-x_j^2} \cdot R_j^{-x_j^{-2}}
\stackrel{?}{=}
1
$$
where $\textbf{y}' = (1, y^{-1}, y^{-2}, \dots, y^{-mn+1})$. Substituting
$$
\begin{aligned}
\textbf{x}_L &= (-x_1^2, -x_2^2, \dots, -x_{\text{log}_2(nm)}^2) \\
\textbf{x}_R &= (-x_1^{-2}, -x_2^{-2}, \dots, -x_{\text{log}_2(nm)}^{-2}),
\end{aligned}
$$
we get
$$
\tag{5}
\textbf{g}^{a \cdot \textbf{s} + z \cdot \textbf{1}^{mn}} \cdot
\textbf{h}^{b \cdot \textbf{s}' - z \cdot \textbf{1}^{mn} - (\textbf{y}')^{mn} \circ \textbf{d}} \cdot
g^{x_u (ab - \hat{t})} \cdot
h^{\mu} \cdot
A^{-1} \cdot
S^{-x} \cdot
\textbf{L}^{\textbf{x}_L} \cdot
\textbf{R}^{\textbf{x}_R}
\stackrel{?}{=}
1
$$
A verifier, thus, has to verify equations $(1), (5)$ to verify a BP range proof. We can re-write $(1)$ as
$$
\tag{6}
g^{\hat{t} - \delta(y,z)} \cdot
h^{\tau} \cdot
\textbf{V}^{-z^2 \cdot \textbf{z}^m} \cdot
T_1^{-x} \cdot
T_2^{-x^2}
\stackrel{?}{=}
1
$$
Lastly, she can combine equations $(5), (6)$ into a single multi-exponentiation check using a random scalar $c \in \mathbb{Z}_q$ as follows:
$$
\left(
g^{\hat{t} - \delta(y,z)} \cdot
h^{\tau} \cdot
\textbf{V}^{-z^2 \cdot \textbf{z}^m} \cdot
T_1^{-x} \cdot
T_2^{-x^2}
\right)^c
\cdot
\textbf{g}^{a \cdot \textbf{s} + z \cdot \textbf{1}^{mn}} \cdot
\textbf{h}^{b \cdot \textbf{s}' - z \cdot \textbf{1}^{mn} - (\textbf{y}')^{mn} \circ \textbf{d}} \cdot
\\
g^{x_u (ab - \hat{t})} \cdot
h^{\mu} \cdot
A^{-1} \cdot
S^{-x} \cdot
\textbf{L}^{\textbf{x}_L} \cdot
\textbf{R}^{\textbf{x}_R}
\stackrel{?}{=}
1
\\
$$
$$
\tag{7}
\implies
\textbf{g}^{a \cdot \textbf{s} + z \cdot \textbf{1}^{mn}} \cdot
\textbf{h}^{b \cdot \textbf{s}' - z \cdot \textbf{1}^{mn} - (\textbf{y}')^{mn} \circ \textbf{d}} \cdot
g^{x_u (ab - \hat{t}) + c(\hat{t} - \delta(y,z))} \cdot
h^{\mu + c\tau} \cdot
\\
A^{-1} \cdot
S^{-x} \cdot
\textbf{L}^{\textbf{x}_L} \cdot
\textbf{R}^{\textbf{x}_R} \cdot
\textbf{V}^{-c z^2 \cdot \textbf{z}^m} \cdot
T_1^{-c x} \cdot
T_2^{-c x^2}
\stackrel{?}{=}
1
$$
Thus, an aggregated BP range proof can be verified by a single multi-exponentiation check of size $2mn + 2\text{log}_2(mn) + m + 6$.
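The $\textbf{s}$ and $\textbf{s}'$ vectors of equation $(4)$, as an added example that is not part of the original post or the linked library: it folds toy generator vectors round by round and checks that the result equals the single multi-exponentiation with exponents $s_i$ and $s_i^{-1}$. The folding rule $\textbf{g}' = \textbf{g}_L^{x^{-1}} \circ \textbf{g}_R^{x}$, $\textbf{h}' = \textbf{h}_L^{x} \circ \textbf{h}_R^{x^{-1}}$ (as in the Bulletproofs paper), the reading of bit $j$ from the most significant end, and the tiny group parameters are assumptions of the example.

```python
# Added example (not from the original post): unrolling the inner product
# recursion into one multi-exponentiation over a constructed toy group.
# Requires Python 3.8+ for pow(x, -1, Q).

P = 2039  # constructed safe prime, P = 2*Q + 1 (toy size, not secure)
Q = 1019  # prime order of the subgroup of squares modulo P


def inv(x):
    """Inverse of a non-zero scalar modulo the group order Q."""
    return pow(x, -1, Q)


def toy_generators(n, start):
    """n squares modulo P; every square lies in the order-Q subgroup."""
    return [pow(b, 2, P) for b in range(start, start + n)]


def s_vector(challenges):
    """s_i = prod_j x_j^{b(i,j)} for i = 1..n, with n = 2^len(challenges).

    Assumption: round j splits the current vector into halves, so x_j pairs
    with the j-th bit of (i-1) counted from the most significant bit.
    """
    k = len(challenges)
    s = []
    for idx in range(1 << k):  # idx plays the role of (i - 1)
        acc = 1
        for j, x in enumerate(challenges):
            bit = (idx >> (k - 1 - j)) & 1
            acc = acc * (x if bit else inv(x)) % Q
        s.append(acc)
    return s


def fold(gens, challenges, swap=False):
    """Run the halving rounds on a generator vector.

    swap=False: g' = g_L^{x^-1} * g_R^{x}   (the g side)
    swap=True:  h' = h_L^{x}    * h_R^{x^-1} (the h side)
    """
    for x in challenges:
        half = len(gens) // 2
        lo, hi = (x, inv(x)) if swap else (inv(x), x)
        gens = [
            pow(left, lo, P) * pow(right, hi, P) % P
            for left, right in zip(gens[:half], gens[half:])
        ]
    return gens[0]


def multiexp(gens, exps):
    """Naive multi-exponentiation prod_i gens[i]^exps[i] modulo P."""
    out = 1
    for g, e in zip(gens, exps):
        out = out * pow(g, e, P) % P
    return out


if __name__ == "__main__":
    challenges = [5, 11, 23]          # constructed round challenges x_1..x_3
    g = toy_generators(8, 2)          # constructed generator vectors
    h = toy_generators(8, 20)
    s = s_vector(challenges)
    s_inv = [inv(v) for v in s]
    print("g side matches:", fold(g, challenges) == multiexp(g, s))
    print("h side matches:", fold(h, challenges, swap=True) == multiexp(h, s_inv))
```

Reading the bits of $(i-1)$ from the least significant end instead pairs $x_1$ with the wrong half of the vector, so the bit order has to match the order in which the rounds split the generators.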
### Bulletproofs+ Verification
To verify an aggregated Bulletproofs+ range proof $\Pi_{bp+}$, a verifier needs to compute $\hat{A}$ and run the $\text{verify-}zk\text{-}\textsf{WIP}$.
$$
\tag{8}
\hat{A} = A \cdot
\textbf{g}^{-z \cdot \textbf{1}^{mn}} \cdot
\textbf{h}^{z \cdot \textbf{1}^{mn} + \textbf{d} \circ \overleftarrow{y}^{mn}} \cdot
\textbf{V}^{y^{mn+1} \cdot z^2 \cdot \textbf{z}^m} \cdot g^{\zeta(y,z)}
\\[6pt]
\text{verify-}zk\text{-}\textsf{WIP}_{y}(\textbf{g}, \textbf{h}, g,h, \hat{A})
$$
where $\zeta(y,z) = (z - z^2) y \cdot \langle \textbf{1}^{mn},\textbf{y}^{nm} \rangle - zy^{mn+1} \cdot \langle \textbf{1}^{mn}, \textbf{d} \rangle$ and $\overleftarrow{y}^{nm} = (y^{mn}, y^{mn-1}, \dots, y)$.
Similar to the inner product argument, the verification in the weighted inner product argument can also be expressed as a single equation by unrolling the recursion.
$$
\tag{9}
\textbf{g}^{e \cdot r' \cdot \textbf{s}} \cdot
\textbf{h}^{e \cdot s' \cdot \textbf{s}'} \cdot
g^{r' \odot s'} \cdot
h^{\delta'}
\stackrel{?}{=}
(\hat{A})^{e^2} \cdot
\left(
\prod_{j=1}^{\text{log}_2(nm)} L_j^{e^2 \cdot x_j^2} \cdot R_j^{e^2 \cdot x_j^{-2}}
\right) \cdot
(A')^{e} \cdot B
$$
By substituting $\hat{A}$, the verification boils down to a single multi-exponentiation check.
$$
\textbf{g}^{e \cdot r' \cdot \textbf{s}} \cdot
\textbf{h}^{e \cdot s' \cdot \textbf{s}'} \cdot
g^{r' \odot s'} \cdot
h^{\delta'}
\stackrel{?}{=}
\left(
A \cdot
\textbf{g}^{-z \cdot \textbf{1}^{mn}} \cdot
\textbf{h}^{z \cdot \textbf{1}^{mn} + \textbf{d} \circ \overleftarrow{y}^{mn}} \cdot
\textbf{V}^{y^{mn+1} \cdot z^2 \cdot \textbf{z}^m} \cdot g^{\zeta(y,z)}
\right)^{e^2} \cdot
\\
\left(
\prod_{j=1}^{\text{log}_2(nm)} L_j^{e^2 \cdot x_j^2} \cdot R_j^{e^2 \cdot x_j^{-2}}
\right) \cdot
(A')^{e} \cdot B
$$
$$
\implies
\textbf{g}^{e \cdot r' \cdot \textbf{s} + ze^2 \textbf{1}^{mn}} \cdot
\textbf{h}^{e \cdot s' \cdot \textbf{s}' - ze^2 \cdot \textbf{1}^{mn} - e^2 \cdot \textbf{d} \circ \overleftarrow{y}^{mn}} \cdot
g^{r' \odot s' - e^2\zeta(y,z)} \cdot
h^{\delta'} \cdot
A^{-e^2} \cdot
\\
\textbf{V}^{-e^2 y^{mn+1} \cdot z^2 \cdot \textbf{z}^m} \cdot
\textbf{L}^{\textbf{x}_L} \cdot
\textbf{R}^{\textbf{x}_R} \cdot
(A')^{-e} \cdot B^{-1}
$$
Note here, we have
$$
\begin{aligned}
\textbf{x}_L &= e^2 \cdot (-x_1^2, -x_2^2, \dots, -x_{\text{log}_2(nm)}^2) \\
\textbf{x}_R &= e^2 \cdot (-x_1^{-2}, -x_2^{-2}, \dots, -x_{\text{log}_2(nm)}^{-2}),
\end{aligned}
$$
Thus, an aggregated BP+ range proof can be verified by a single multi-exponentiation check of size $2mn + 2\text{log}_2(mn) + m + 5$.
### Comparison of Verification Times
The following plot shows verification times for BP and BP+ for $64$-bit range proofs over $\texttt{secp256k1}$ curve in Rust.
The code can be found [here](https://github.com/KZen-networks/bulletproofs).
Note that the verification speed can be further improved using [Pippenger's exponentiation algorithm](https://cr.yp.to/papers/pippenger.pdf) for computing a multi-exponentiation.
All simulations were performed on an Intel® Core™ i7-5500U CPU running at 2.40GHz.
<!--
| $m$ | BP Verification (ms) | BP+ Verification (ms) |
|:--: |:--------------------: |:---------------------: |
| 1 | 14.15 | 14.36 |
| 2 | 27.26 | 26.91 |
| 4 | 62.81 | 53.51 |
| 8 | 121.19 | 109.23 |
| 16 | 279.70 | 235.26 |
| 32 | 718.34 | 556.90 |
-->
<center>
{% include image.html name="bp_bp_plus_ver_plot-1.png" caption="Plot of verification times of $64$-bit BP and BP+ range proofs for different aggregation sizes $m$." %}
</center>
[^1]: The challenge $x_u$ is used to multiply the given inner product $\langle \textbf{a},\textbf{b} \rangle$ in the exponent of a generator $g \in \mathbb{G}$. BP paper uses $u \in \mathbb{G}$ in Protocol 1, 2 instead of $g$.
{% endkatexmm %}
## Comparing Bulletproofs+ and Bulletproofs - Part II
2020-07-03
{% katexmm %}
[Bulletproofs+](https://eprint.iacr.org/2020/735.pdf) is a recently proposed range proof which is similar in spirit to [Bulletproofs](https://eprint.iacr.org/2017/1066.pdf). Both of these range proof protocols enable proof sizes logarithmic in the number of bits of the range using a recursive inner product protocol. We will try to highlight a small but crucial difference in the design of the two protocols and discuss its implications on their performance.
### Logarithmic Range Proof Protocol
Suppose we wish to prove that a given quantity $a \in \mathbb{Z}_q$ is in the range $[0,2^n - 1]$.
Let the bitwise representation of $a$ be $\textbf{a}_L \in \{0,1\}^n$ and define vector $\textbf{a}_R \in \mathbb{Z}_q^n$ as
{% katex display %}
\textbf{a}_R \coloneqq \textbf{a}_L - \textbf{1}^n
{% endkatex %}
If we prove that $\textbf{a}_L$ and $\textbf{a}_R$ satisfy the following relations simultaneously,
{% katex display %}
\langle \textbf{a}_L, \textbf{2}^n \rangle = a, \qquad \textbf{a}_L \circ \textbf{a}_R = \textbf{0}^n, \qquad \textbf{a}_R = \textbf{a}_L - \textbf{1}^n,
{% endkatex %}
then it implies that $a$ indeed lies in the range $[0,2^n - 1]$. To use the inner product argument,
we need to embed the above constraints in an inner product form as follows.
{% katex display %}
\langle \textbf{a}_L, \textbf{2}^n \rangle = a, \qquad
\langle \textbf{a}_L, \textbf{a}_R \circ \textbf{y}^n \rangle = 0, \qquad
\langle \textbf{a}_L - \textbf{a}_R - \textbf{1}^n, \textbf{y}^n \rangle = 0.
\hspace{2cm}
(1)
{% endkatex %}
Using a random scalar $z \in \mathbb{Z}_q$, we combine the above inner product relations to get a single inner product relation as follows.
{% katex display %}
z^2 \cdot \langle \textbf{a}_L, \textbf{2}^n \rangle +
z \cdot \langle \textbf{a}_L - \textbf{a}_R - \textbf{1}^n, \textbf{y}^n \rangle +
\langle \textbf{a}_L, \textbf{a}_R \circ \textbf{y}^n \rangle = z^2 \cdot a, \\[6pt]
\implies
\langle \textbf{a}_L, z^2 \cdot \textbf{2}^n \rangle +
\langle \textbf{a}_L - \textbf{a}_R - \textbf{1}^n, z \cdot \textbf{y}^n \rangle +
\langle \textbf{a}_L, \textbf{a}_R \circ \textbf{y}^n \rangle = z^2 \cdot a,
{% endkatex %}
Combining first and third terms, we get
{% katex display %}
\langle \textbf{a}_L, \textbf{a}_R \circ \textbf{y}^n + z^2 \cdot \textbf{2}^n \rangle +
\langle \textbf{a}_L - \textbf{a}_R - \textbf{1}^n, z \cdot \textbf{y}^n \rangle
= z^2 \cdot a
{% endkatex %}
Splitting the second inner product,
{% katex display %}
\langle \textbf{a}_L, \textbf{a}_R \circ \textbf{y}^n + z^2 \cdot \textbf{2}^n \rangle +
\langle \textbf{a}_L, z \cdot \textbf{y}^n \rangle +
\langle \textbf{a}_R, -z \cdot \textbf{y}^n \rangle
= z^2 \cdot a + z \cdot \langle \textbf{y}^n, \textbf{1}^n \rangle,
{% endkatex %}
Combining the first two terms and rewriting the third term, we get
{% katex display %}
\langle \textbf{a}_L, \textbf{a}_R \circ \textbf{y}^n + z^2 \cdot \textbf{2}^n + z \cdot \textbf{y}^n \rangle +
\langle \textbf{a}_R \circ \textbf{y}^n, -z \cdot \textbf{1}^n \rangle
= z^2 \cdot a + z \cdot \langle \textbf{y}^n, \textbf{1}^n \rangle,
{% endkatex %}
Adding $\langle z^2 \cdot \textbf{2}^n + z \cdot \textbf{y}^n, -z \cdot \textbf{1}^n \rangle = -z^3 \cdot \langle \textbf{2}^n,\textbf{1}^n \rangle - z^2 \cdot \langle \textbf{y}^n,\textbf{1}^n \rangle$ on both sides,
{% katex display %}
\langle \textbf{a}_L, \textbf{a}_R \circ \textbf{y}^n + z^2 \cdot \textbf{2}^n + z \cdot \textbf{y}^n \rangle +
\langle \textbf{a}_R \circ \textbf{y}^n, -z \cdot \textbf{1}^n \rangle +
\langle z^2 \cdot \textbf{2}^n + z \cdot \textbf{y}^n, -z \cdot \textbf{1}^n \rangle \\[4pt]
=
z^2 \cdot a + (z-z^2) \cdot \langle \textbf{y}^n, \textbf{1}^n \rangle -
z^3 \cdot \langle \textbf{2}^n,\textbf{1}^n \rangle,
{% endkatex %}
Combining the second and third terms and substituting $\delta(y,z) = (z-z^2) \cdot \langle \textbf{y}^n, \textbf{1}^n \rangle - z^3 \cdot \langle \textbf{2}^n,\textbf{1}^n \rangle$, we get
{% katex display %}
\langle \textbf{a}_L, \textbf{a}_R \circ \textbf{y}^n + z^2 \cdot \textbf{2}^n + z \cdot \textbf{y}^n \rangle +
\langle \textbf{a}_R \circ \textbf{y}^n + z^2 \cdot \textbf{2}^n + z \cdot \textbf{y}^n, -z \cdot \textbf{1}^n \rangle
=
z^2 \cdot a + \delta(y,z),
{% endkatex %}
Combining the two terms on LHS, we get
{% katex display %}
\langle
\textbf{a}_L -z \cdot \textbf{1}^n,
\textbf{y}^n \circ (\textbf{a}_R + z \cdot \textbf{1}^n) + z^2 \cdot \textbf{2}^n
\rangle
=
z^2 \cdot a + \delta(y,z).
{% endkatex %}
Hereafter, the two vectors in the above inner product are our new *embedded* secrets and we can use the inner product argument to prove the knowledge of these vectors and in turn prove that $a \in [0, 2^n-1]$.
Before doing so, we need to blind the embedded secret vectors since they contain our original secrets.
We do so by adding randomly chosen $\textbf{s}^L, \textbf{s}^R \in \mathbb{Z}_q^n$ to respective embedded vectors. Without going into the exact details of the protocol, such blinding makes the interaction between prover and verifier lengthy resulting in increased prover communication.
### Bulletproofs+
The weighted inner product (WIP) protocol (as described in the [previous]({{ site.baseurl }}/project/2020/07/03/bulletproofs_plus_part1.html) blog post) w.r.t. $\overrightarrow{y}^n$ is a tailored protocol for proving a product relation between two hidden vectors $\textbf{a}_L$ and $\textbf{a}_R$ and the challenge $\overrightarrow{y}^n$ with zero-knowledge. Therefore, the prover doesn't need to blind the embedded secret vectors as in the case of Bulletproofs, saving significant prover communication.
Let us rewrite the inner product relation between embedded secret vectors in a weighted inner product form. Using scalars $(y^{n+1}, z \cdot \overrightarrow{y}^n, \overrightarrow{y}^n) \in \mathbb{Z}_q^{2n+1}$, we combine the inner product relations in $(1)$ to get a single inner product relation as follows.
{% katex display %}
y^{n+1} \cdot \langle \textbf{a}_L, \textbf{2}^n \rangle +
z \cdot \langle \textbf{a}_L - \textbf{a}_R - \textbf{1}^n, \overrightarrow{y}^n \rangle +
\langle \textbf{a}_L, \textbf{a}_R \circ \overrightarrow{y}^n \rangle = y^{n+1} \cdot a,
{% endkatex %}
Simplifying the above equation into a single inner product relation, we get
{% katex display %}
\langle
\textbf{a}_L -z \cdot \textbf{1}^n,
\overrightarrow{y}^n \circ (\textbf{a}_R + z \cdot \textbf{1}^n) + y^{n+1} \cdot \textbf{2}^n
\rangle
=
y^{n+1} \cdot a - \zeta(y,z),
{% endkatex %}
where $\zeta(y,z)= zy^{n+1} \cdot \langle \textbf{2}^n,\textbf{1}^n \rangle + (z^2-z) \cdot \langle \textbf{1}^n,\overrightarrow{y}^n \rangle$. We can write the above expression in a weighted inner product form for a constant $y \in \mathbb{Z}_q$
{% katex display %}
(\textbf{a}_L -z \cdot \textbf{1}^n)
\odot_y
(\textbf{a}_R + z \cdot \textbf{1}^n + \textbf{2}^n \circ \overleftarrow{y}^n)
=
y^{n+1} \cdot a - \zeta(y,z).
{% endkatex %}
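A numeric check of the two single-relation forms derived above, as an added example that is not part of the original post: it evaluates the Bulletproofs inner product and the Bulletproofs+ weighted inner product for an honest bit vector and for a constructed out-of-range witness. The modulus, the challenge values and the function names are assumptions of the example; $\textbf{a}_R$ is always set to $\textbf{a}_L - \textbf{1}^n$, and $\delta(y,z)$ is taken as the verifier-computable part $(z-z^2) \cdot \langle \textbf{1}^n,\textbf{y}^n \rangle - z^3 \cdot \langle \textbf{1}^n,\textbf{2}^n \rangle$.

```python
# Added example (not from the original post): residuals of the combined
# range-proof relations over a constructed toy prime field.

Q = 2**61 - 1  # constructed prime modulus standing in for the group order q


def inner(u, v):
    """Inner product <u, v> modulo Q."""
    return sum(a * b for a, b in zip(u, v)) % Q


def powers(base, n, first=0):
    """(base^first, base^(first+1), ..., base^(first+n-1)) modulo Q."""
    return [pow(base, first + i, Q) for i in range(n)]


def bits(a, n):
    """Little-endian bit vector a_L with <a_L, 2^n> = a when 0 <= a < 2^n."""
    return [(a >> i) & 1 for i in range(n)]


def bp_residual(a, a_L, y, z):
    """LHS - RHS of <a_L - z*1, y^n o (a_R + z*1) + z^2*2^n> = z^2*a + delta."""
    n = len(a_L)
    a_R = [(b - 1) % Q for b in a_L]
    y_n, two_n, one_n = powers(y, n), powers(2, n), [1] * n
    left = [(l - z) % Q for l in a_L]
    right = [(yi * (r + z) + z * z * t) % Q for yi, r, t in zip(y_n, a_R, two_n)]
    # delta is the part the verifier computes; z^2 * a is kept separate.
    delta = ((z - z * z) * inner(one_n, y_n) - z**3 * inner(one_n, two_n)) % Q
    return (inner(left, right) - z * z * a - delta) % Q


def bpp_residual(a, a_L, y, z):
    """LHS - RHS of (a_L - z*1) (.)_y (a_R + z*1 + 2^n o y_rev) = y^(n+1)*a - zeta."""
    n = len(a_L)
    a_R = [(b - 1) % Q for b in a_L]
    y_fwd = powers(y, n, first=1)      # (y, y^2, ..., y^n)
    y_rev = y_fwd[::-1]                # (y^n, ..., y^2, y)
    two_n, one_n = powers(2, n), [1] * n
    left = [(l - z) % Q for l in a_L]
    right = [(r + z + t * yr) % Q for r, t, yr in zip(a_R, two_n, y_rev)]
    # Weighted inner product: sum_i left_i * right_i * y^i.
    wip = sum(l * r * yi for l, r, yi in zip(left, right, y_fwd)) % Q
    y_n1 = pow(y, n + 1, Q)
    zeta = (z * y_n1 * inner(two_n, one_n) + (z * z - z) * inner(one_n, y_fwd)) % Q
    return (wip - y_n1 * a + zeta) % Q


if __name__ == "__main__":
    y, z = 7, 11                       # constructed challenge values
    honest = bits(200, 8)              # 200 lies in [0, 2^8 - 1]
    print("honest BP residual :", bp_residual(200, honest, y, z))
    print("honest BP+ residual:", bpp_residual(200, honest, y, z))
    # Constructed witness for a = 17 with n = 4: <a_L, 2^n> = 1 + 2*8 = 17,
    # but the last entry is 2, so a_L o a_R is not the zero vector.
    cheat = [1, 0, 0, 2]
    print("cheat BP residual  :", bp_residual(17, cheat, y, z))
    print("cheat BP+ residual :", bpp_residual(17, cheat, y, z))
```

For the out-of-range witness the residual is exactly $\langle \textbf{a}_L, \textbf{a}_R \circ \textbf{y}^n \rangle$ (with $\overrightarrow{y}^n$ in the Bulletproofs+ case), the bit constraint that a value outside $[0, 2^n-1]$ cannot satisfy.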
Now, the prover can compute a Pedersen commitment to vectors $\textbf{a}_L$ and $\textbf{a}_R$ as
$A = \textbf{g}^{\textbf{a}_L} \textbf{h}^{\textbf{a}_R} h^{\alpha}$ for a random $\alpha \in \mathbb{Z}_q$ and a Pedersen commitment to the amount $V = g^{a}h^{\gamma}$ for a random $\gamma \in \mathbb{Z}_q$. Hereafter, the prover as well as the verifier can compute a Pedersen vector commitment to the vectors in the weighted inner product relation. Concretely, the prover computes the secrets $\hat{\textbf{a}}_L = (\textbf{a}_L -z \cdot \textbf{1}^n)$, $\hat{\textbf{a}}_R = (\textbf{a}_R + z \cdot \textbf{1}^n + \textbf{2}^n \circ \overleftarrow{y}^n)$ and $\hat{\alpha} = \alpha + \gamma \cdot y^{n+1}$.
The verifier can compute Pedersen vector commitment to $\hat{\textbf{a}}_L, \hat{\textbf{a}}_R$ from publicly available information as
{% katex display %}
\hat{A} =
\underbrace{\textbf{g}^{\hat{\textbf{a}}_L} \cdot
\textbf{h}^{\hat{\textbf{a}}_R} \cdot
g^{\hat{\textbf{a}}_L \odot_y \hat{\textbf{a}}_R} \cdot
h^{y^{n+1} \cdot \gamma }}_{\textsf{Prover}}
=
\underbrace{A \cdot
\textbf{g}^{-z \cdot \textbf{1}^n} \cdot
\textbf{h}^{z \cdot \textbf{1}^n + \textbf{2}^n \circ \overleftarrow{y}^n} \cdot
V^{y^{n+1}} \cdot g^{-\zeta(y,z)}}_{\textsf{Verifier}}
{% endkatex %}
Hereafter, the prover can run $zk\textrm{-}\textsf{WIP}(\textbf{g}, \textbf{h}, g, h, \hat{A}; \hat{\textbf{a}}_L, \hat{\textbf{a}}_R, \hat{\alpha})$.
### Performance Comparison
Although the construction of Bulletproofs and Bulletproofs+ is very similar, we expect some differences in their performances. We will analyse the differences in proof sizes and running times.
#### Proof sizes
For secret vector size $n$, the proof size of the inner product (IP) argument used in Bulletproofs is $2\lceil \text{log}_2(n) \rceil$ elements in $\mathbb{G}$ and $2$ elements in $\mathbb{Z}_q$.
On the other hand, the proof size for the weighted inner product (WIP) argument is $2\lceil \text{log}_2(n) \rceil + 2$ elements in $\mathbb{G}$ and $3$ elements in $\mathbb{Z}_q$.
The additional elements in the WIP argument, compared with the IP argument, arise because the WIP argument is zero-knowledge whereas the IP argument is not. We summarise the proof sizes of aggregated Bulletproofs and Bulletproofs+ protocols in the following table. Note that if $m$ is the number of proofs aggregated, the proof size increases by only $2\lceil \text{log}_2(m) \rceil$ group elements.
<p align=center><EM>Table 1. Proof size comparison</EM></p>

| | # Elements in $\mathbb{G}$ | # Elements in $\mathbb{Z}_q$ |
|:-- |:--: |:--: |
| Inner Product | $2\lceil \text{log}_2(n) \rceil$ | $2$ |
| Bulletproofs (aggregated) | $2\lceil \text{log}_2(n) + \text{log}_2(m) \rceil + 4$ | $5$ |
| Weighted Inner Product | $2\lceil \text{log}_2(n) \rceil + 2$ | $3$ |
| Bulletproofs+ (aggregated) | $2\lceil \text{log}_2(n) + \text{log}_2(m) \rceil + 3$ | $3$ |

#### Running Times
We have implemented Bulletproofs+ in the existing implementation of Bulletproofs in KZen-Networks' [bulletproofs](https://github.com/KZen-networks/bulletproofs) library.
The prover and verifier's computation is $\mathcal{O}(n)$ in both Bulletproofs and Bulletproofs+.
However, verification can be significantly boosted by using a single multi-exponentiation check (read [this](https://github.com/KZen-networks/bulletproofs/pull/20#discussion_r436681850) to briefly understand how multi-exponentiation works).
Batching proofs together further improves generation and verification times.
In most cryptocurrency systems, range proofs are required for proving that amounts hidden in Pedersen commitments are 64-bit non-negative integers.
Thus, we compare proof sizes [^1] and running times for $n=64$ and different batching configurations as shown in Table 2.
All simulations were performed on an Intel® Core™ i7-5500U CPU running at 2.40GHz.
### Applicability to Grin
[Grin](https://grin.mw/) is a cryptocurrency project built using the [MimbleWimble](https://github.com/mimblewimble/grin/blob/master/doc/intro.md) protocol.
It promises scalability, privacy and fungibility all at once.
The amounts in Grin are hidden in *outputs* which are Pedersen commitments.
Each output on the Grin blockchain is accompanied by a range proof proving that the amount hidden in it is in the range $[0,2^{64}-1]$. These range proofs constitute about 98% of the total blockchain size.
Thus, range proofs with smaller proof sizes are very crucial.
Grin currently [employs](https://github.com/mimblewimble/grin/pull/711) Bulletproofs.
We can further improve the range proofs used in Grin by employing Bulletproofs+.
For a March 2020 snapshot of the Grin blockchain, we have $N_b = 612,102$ valid blocks.
The total number of outputs on the Grin blockchain was $N_o = 3,185,556$, out of which $N_{utxo} = 124,034$ are UTXOs (unspent transaction outputs). The total number of transactions (equal to the number of kernels) in Grin was $N_{tx} = 1,765,941$. Thus, we have
- Number of outputs per transaction: $n_{optx} = \frac{N_o}{N_{tx}} = 1.80 \approx 2$
- Number of outputs per block: $n_{opbl} = \frac{N_o}{N_{b}} = 5.20 \approx 6$
- Number of transactions per block: $n_{txpbl} = \frac{N_{tx}}{N_{b}} = 2.88 \approx 3$
Therefore, using Bulletproofs+, 200 bytes per transaction can be saved.
Since we have 3 transactions per block on an average, 600 bytes per block can be saved.
The typical number of Grin blocks mined in a day is 1500 (~1 block per minute).
This implies that every day, on average, 1 MB of data can be saved from being added to the blockchain.
Further, if a transaction contains large number of outputs, the fees for inclusion of that transaction is higher because of its greater size. Thus, transaction fees also would be reduced slightly on employing Bulletproofs+.
Further, currently the UTXO set contains $\approx 165,000$ outputs. If we were to employ Bulletproofs+, the UTXO set size would reduce by about 16 MB.
Moreover, proof generation and verification can be faster by 20% and 16% respectively using Bulletproofs+ in place of Bulletproofs.
### Applicability to Monero
[Monero](https://web.getmonero.org/) is one of the first privacy-centered cryptocurrency projects built on the [CryptoNote](https://cryptonote.org/whitepaper.pdf) protocol. The amounts in Monero are also Pedersen commitments, and Bulletproofs is [used](https://github.com/monero-project/monero/tree/master/src/ringct) to prove that they are in the range $[0,2^{64}-1]$. Thus, Bulletproofs+ could be used instead of Bulletproofs to improve performance.
More specifically, each Monero transaction contains $2.5$ outputs on an average.
This means that each transaction is accompanied by $2.5$ range proofs (Bulletproofs as of now).
As Monero uses the $\texttt{Ed25519}$ curve, the size of a single Bulletproofs proof is $676$ bytes [^2].
This could be reduced by $96$ bytes by using Bulletproofs+.
In effect, about $240$ bytes per transaction could be saved.
The average number of transactions on 16th July was $11,417$.
This implies that about $2.7$ MB of data can be saved every day [^4].
From the start of 2020 till date, on an average $28$ MB of data is added daily to the blockchain [^5].
Therefore, Bulletproofs+ can save about $10\%$ of the data being added to the Monero blockchain!
The running times of Bulletproofs and Bulletproofs+ over $\texttt{Ed25519}$ curve are noted below in Table 3.
Note that the underlying Edwards curve's operations are used from [cryptoxide](https://lib.rs/crates/cryptoxide) library which is slower than the optimized operations in the more recent [curve25519-dalek](https://github.com/dalek-cryptography/curve25519-dalek)'s implementation.
As we are interested only in comparison as of now, slower operations in the underlying curve library won't matter [^6]. Bulletproofs+ shows a $21\%$ faster proof generation and $17\%$ faster proof verification than Bulletproofs. Although these numbers would slightly vary when the underlying library for group operations changes, they still look quite promising from a user (prover) as well as miner (verifier) point of view!
[^1]: Grin uses $\texttt{secp256k1}$ curve in which private keys are $32$ bytes in size and public keys are $33$ bytes. Thus, the size of an element in $\mathbb{G}$ is $33$ bytes and that of an element in $\mathbb{Z}_q$ is $32$ bytes.
[^2]: Monero uses the Edwards curve $\texttt{Ed25519}$ in which public and private keys are $32$ bytes each.
[^3]: Monero Block Explorer, https://moneroblocks.info/stats/transaction-stats
[^4]: If we assume that the range proofs for outputs per block are aggregated (i.e. they are owned by a single entity), then Bulletproofs+ can save about $1.1$ MB of data.
[^5]: Monero Blockchain Growth, https://moneroblocks.info/stats/blockchain-growth
[^6]: The differences in running times of BP and BP+ will of course vary for different underlying curve implementations.
<p align=center><EM>Table 2. Performance comparison of Bulletproofs and Bulletproofs+ over $\texttt{secp256k1}$ curve</EM></p>

| $m$ | Proof size BP (B) | Proof size BP+ (B) | Generation time BP (ms) | Generation time BP+ (ms) | Verification time BP (ms) | Verification time BP+ (ms) |
|:--: |:--: |:--: |:--: |:--: |:--: |:--: |
| 1 | 688 | 591 | 75.0 | 59.3 (↓20.9%) | 30.8 | 25.3 (↓17.8%) |
| 4 | 820 | 723 | 295.1 | 234.1 (↓20.7%) | 116.1 | 97.5 (↓16%) |
| 8 | 886 | 789 | 590.9 | 473.5 (↓19.8%) | 229.1 | 197.5 (↓13.8%) |
| 16 | 952 | 855 | 1187.4 | 978.0 (↓17.6%) | 469.4 | 406.3 (↓13.5%) |
| 32 | 1018 | 921 | 2344.9 | 2127.2 (↓9.3%) | 927.7 | 885.6 (↓4.5%) |

<p align=center><EM>Table 3. Performance comparison of Bulletproofs and Bulletproofs+ over $\texttt{Ed25519}$ curve</EM></p>

| $m$ | Proof size BP (B) | Proof size BP+ (B) | Generation time BP (ms) | Generation time BP+ (ms) | Verification time BP (ms) | Verification time BP+ (ms) |
|:--: |:--: |:--: |:--: |:--: |:--: |:--: |
| 1 | 672 | 576 | 140.5 | 109.8 (↓21.8%) | 56.5 | 46.8 (↓17.2%) |
| 4 | 800 | 704 | 550.3 | 431.6 (↓21.5%) | 214.3 | 179.4 (↓16.3%) |
| 8 | 864 | 768 | 1095.8 | 864.8 (↓21.0%) | 423.5 | 359.0 (↓15.2%) |
| 16 | 928 | 832 | 2190.3 | 1772.0 (↓19.0%) | 839.8 | 730.0 (↓13.0%) |
| 32 | 992 | 896 | 4392.0 | 3687.4 (↓14.8%) | 1702.4 | 1528.3 (↓10.2%) |

{% endkatexmm %}
Comparing Bulletproofs+ and Bulletproofs - Part I (2020-07-03)

{% katexmm %}
[Bulletproofs+](https://eprint.iacr.org/2020/735.pdf) is a recently proposed range proof which is similar in spirit to [Bulletproofs](https://eprint.iacr.org/2017/1066.pdf). Both of these range proof protocols enable proof sizes logarithmic in the number of bits of the range using a recursive inner product protocol. Bulletproofs relies on the improved inner product protocol [^1] while Bulletproofs+ uses a weighted inner product protocol [^2].
### Improved Inner Product Argument
The recursive inner product argument introduced in [^1] gives an argument of knowledge for the language given by
{% katex display %}
\mathcal{L}_{\textsf{IP}}(\sigma) =
\bigg\{
\underbrace{\textbf{g}, \textbf{h} \in \mathbb{G}^n, P \in \mathbb{G}, c \in \ \mathbb{Z}_q}_{\textsf{statement}}; \
\underbrace{\textbf{a}, \textbf{b} \in \mathbb{Z}_q^n}_{\textsf{witness}}
\ \bigg| \
\underbrace{P = \textbf{g}^{\textbf{a}} \cdot \textbf{h}^{\textbf{b}} \cdot u^{c}
\ \wedge \ c = \langle \textbf{a}, \textbf{b} \rangle}_{\textsf{relation}}
\bigg\}
{% endkatex %}
where $\sigma = (\mathbb{G}, q = |\mathbb{G}|, u \in \mathbb{G})$ is the *common reference string* (crs).
Note that $P$ is a Pedersen vector commitment to $\textbf{a}, \textbf{b} \in \mathbb{Z}_q^n$.
We can write the witness as $\textbf{a} = (\textbf{a}_L, \textbf{a}_R) \in \mathbb{Z}_q^{\frac{n}{2} \times 2}$ and $\textbf{b} = (\textbf{b}_L, \textbf{b}_R) \in \mathbb{Z}_q^{\frac{n}{2} \times 2}$.
Similarly, the base vectors can be written as $\textbf{g} = (\textbf{g}_L, \textbf{g}_R) \in \mathbb{G}^{\frac{n}{2} \times 2}$ and $\textbf{h} = (\textbf{h}_L, \textbf{h}_R) \in \mathbb{G}^{\frac{n}{2} \times 2}$. Now, we compute Pedersen vector commitments to the vector tuples $(\textbf{a}_L, \textbf{b}_R)$ and $(\textbf{a}_R, \textbf{b}_L)$ as
{% katex display %}
L = \textbf{g}_R^{\textbf{a}_L} \cdot \textbf{h}_L^{\textbf{b}_R} \cdot u^{\langle \textbf{a}_L, \textbf{b}_R\rangle}, \quad
R = \textbf{g}_L^{\textbf{a}_R} \cdot \textbf{h}_R^{\textbf{b}_L} \cdot u^{\langle \textbf{a}_R, \textbf{b}_L\rangle}.
{% endkatex %}
Given a challenge scalar $x \in \mathbb{Z}_q$, we can blind the original witness to get
{% katex display %}
\hat{\textbf{a}} = x\textbf{a}_L + x^{-1}\textbf{a}_R, \quad
\hat{\textbf{b}} = x^{-1}\textbf{b}_L + x\textbf{b}_R.
{% endkatex %}
The 4-tuple $(L,R,\hat{\textbf{a}}, \hat{\textbf{b}})$ becomes a valid proof of knowledge of the witness.
This can be verified by checking the following
{% katex display %}
L^{x^2} \cdot P \cdot R^{x^{-2}} =
(\textbf{g}_L^{x^{-1}} \circ \textbf{g}_R^x)^{\hat{\textbf{a}}}
\cdot
(\textbf{h}_L^{x} \circ \textbf{h}_R^{x^{-1}})^{\hat{\textbf{b}}}
\cdot u^{\langle \hat{\textbf{a}}, \hat{\textbf{b}}\rangle}
{% endkatex %}
Instead of publishing the vectors $(\hat{\textbf{a}}, \hat{\textbf{b}})$, we can repeat the same process: divide $(\hat{\textbf{a}}, \hat{\textbf{b}})$ in halves, compute $(L_1,R_1,\hat{\textbf{a}}_1, \hat{\textbf{b}}_1)$, and so on until we are left with scalars $(\hat{a},\hat{b}) \in \mathbb{Z}_q$.
This is the main idea of the log-sized inner product protocol and the proof is of the form
{% katex display %}
(L, R),\ (L_1, R_1), \ \ldots, \ (L_{\lceil \text{log}_2n \rceil - 1}, R_{\lceil \text{log}_2n \rceil - 1}), \ (\hat{a},\hat{b}).
{% endkatex %}
Note that the above argument is perfectly complete and sound, but not zero-knowledge.
This is because we cannot construct a PPT simulator that generates a valid transcript given only the statement and the crs.
### Weighted Inner Product Argument
The weighted inner product argument uses a weighted inner product operation $\odot_y: \mathbb{Z}^{n}_q \times \mathbb{Z}^{n}_q \to \mathbb{Z}_q$ defined as
{% katex display %}
\textbf{a} \odot_{y} \textbf{b} = \langle \textbf{a}, \overrightarrow{y} \circ \textbf{b} \rangle
{% endkatex %}
where $\overrightarrow{y} = (y, y^2, \ldots, y^n) \in \mathbb{Z}_q^n$ and $n = |\textbf{a}| = |\textbf{b}|$. The weighted inner product is essentially a way to combine multiple equations into a single equation. For instance,
$\textbf{a} \circ \textbf{b} = \textbf{c} \in \mathbb{Z}_q^n$ represents $n$ distinct equations.
The weighted inner product combines these equations to give a single equation of the form
{% katex display %}
\sum_{i=1}^{n} y^{i} \cdot (a_ib_i) = \textbf{a} \odot_{y} \textbf{b} = \langle \textbf{c}, \overrightarrow{y} \rangle
{% endkatex %}
The weighted inner product is also bilinear and satisfies the following property [^3]
{% katex display %}
\textbf{a} \odot_{y} \textbf{b} = \textbf{a}_L \odot_{y} \textbf{b}_L + (y^{\frac{n}{2}} \cdot \textbf{a}_R) \odot_{y} \textbf{b}_R.
{% endkatex %}
We now wish to design a proof system based on the weighted inner product.
The language of the weighted inner product protocol becomes
{% katex display %}
\mathcal{L}_{\textsf{WIP}}(\sigma) =
\bigg\{
\underbrace{\textbf{g}, \textbf{h} \in \mathbb{G}^n, P \in \mathbb{G}, c \in \ \mathbb{Z}_q}_{\textsf{statement}}; \
\underbrace{\textbf{a}, \textbf{b} \in \mathbb{Z}_q^n}_{\textsf{witness}}
\ \bigg| \
\underbrace{P = \textbf{g}^{\textbf{a}} \cdot \textbf{h}^{\textbf{b}} \cdot u^{c}
\ \wedge \ c = \textbf{a} \odot_{y} \textbf{b}}_{\textsf{relation}}
\bigg\}
{% endkatex %}
Similar to the inner product protocol, suppose the prover commits to the vectors $(\textbf{a}_L, \textbf{b}_R)$ and $(\textbf{a}_R, \textbf{b}_L)$ and the scalars $c_L = \textbf{a}_L \odot_{y} \textbf{b}_R, \ c_R = (y^{\frac{n}{2}} \cdot \textbf{a}_R) \odot_{y} \textbf{b}_L$.
The prover must then convince the verifier of the relation $c = \textbf{a} \odot_y \textbf{b}$.
For this, we blind the original witness vectors using a challenge scalar $x \in \mathbb{Z}_q$:
{% katex display %}
\hat{\textbf{a}} = x\textbf{a}_L + x^{-1}(y^{\frac{n}{2}} \cdot \textbf{a}_R), \quad
\hat{\textbf{b}} = x^{-1}\textbf{b}_L + x\textbf{b}_R. \\[4pt]
\implies \hat{\textbf{a}} \odot_y \hat{\textbf{b}} = x^2c_L + c + x^{-2}c_R.
{% endkatex %}
Now, similar to the inner product argument, the 4-tuple $(L,R,\hat{\textbf{a}}, \hat{\textbf{b}})$ becomes a valid proof of knowledge of the witness. By recursing in the same way, we can shrink this argument too, to a size logarithmic in the size of the witness vectors.
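A numeric check of the weighted inner product identities above, as an added Python example (not code from this post or from the Bulletproofs+ paper). It batches n Hadamard equations into one, checks the split property, and folds a length-8 witness down to scalars, where the relation left to prove is c = y * a * b. The vectors, the weight y and the challenges are constructed values; the modulus is the Ed25519 group order.

```python
Q = 2**252 + 27742317777372353535851937790883648493  # prime order of the Ed25519 group

def wip(a, b, y):
    """Weighted inner product: sum over i = 1..n of y^i * a_i * b_i (mod Q)."""
    acc, y_pow = 0, 1
    for a_i, b_i in zip(a, b):
        y_pow = y_pow * y % Q
        acc = (acc + y_pow * a_i * b_i) % Q
    return acc

def hadamard_batch_ok(a, b, c, y):
    """Check the n equations a_i * b_i = c_i through the single equation
    wip(a, b) = <c, (y, y^2, ..., y^n)>."""
    return wip(a, b, y) == wip(c, [1] * len(c), y)

def split_ok(a, b, y):
    """wip(a, b) == wip(a_L, b_L) + wip(y^(n/2) * a_R, b_R), halves weighted by y..y^(n/2)."""
    k = len(a) // 2
    a_r_weighted = [pow(y, k, Q) * v % Q for v in a[k:]]
    return wip(a, b, y) == (wip(a[:k], b[:k], y) + wip(a_r_weighted, b[k:], y)) % Q

def fold(a, b, x, y):
    """One reduction round for challenge x: returns (a_hat, b_hat, c_L, c_R)."""
    k, x_inv = len(a) // 2, pow(x, -1, Q)
    a_r_weighted = [pow(y, k, Q) * v % Q for v in a[k:]]
    a_hat = [(x * l + x_inv * r) % Q for l, r in zip(a[:k], a_r_weighted)]
    b_hat = [(x_inv * l + x * r) % Q for l, r in zip(b[:k], b[k:])]
    return a_hat, b_hat, wip(a[:k], b[k:], y), wip(a_r_weighted, b[:k], y)

def reduce_to_scalars(a, b, y, challenges):
    """Fold log2(n) times, updating the claim c -> x^2 c_L + c + x^-2 c_R.
    Returns (a_last, b_last, c_last, claim_matched_witness_in_every_round)."""
    c, consistent = wip(a, b, y), True
    for x in challenges:
        a, b, c_l, c_r = fold(a, b, x, y)
        c = (x * x * c_l + c + pow(x, -2, Q) * c_r) % Q
        consistent = consistent and c == wip(a, b, y)
    return a[0], b[0], c, consistent

# Constructed sample inputs (n = 8, so three challenges reach scalars).
A = [3, 1, 4, 1, 5, 9, 2, 6]
B = [2, 7, 1, 8, 2, 8, 1, 8]
Y, CHALLENGES = 7, [11, 13, 17]

if __name__ == "__main__":
    a_last, b_last, c_last, ok = reduce_to_scalars(A, B, Y, CHALLENGES)
    print("split property holds:", split_ok(A, B, Y))
    print("claims consistent in every round:", ok)
    print("final relation c = y*a*b holds:", c_last == Y * a_last * b_last % Q)
```

A single wrong entry in c shifts the batched sum by a nonzero multiple of a power of y, so `hadamard_batch_ok` rejects it for any nonzero y.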
The WIP-based argument presented in the Bulletproofs+ paper is zero-knowledge, unlike the inner product argument.
This is achieved by including randomly chosen blinding factors $d_L, d_R \in \mathbb{Z}_q$ in computing the Pedersen vector commitments $L, R$ as
{% katex display %}
L = \textbf{g}_R^{\textbf{a}_L} \cdot \textbf{h}_L^{\textbf{b}_R} \cdot u^{\langle \textbf{a}_L, \textbf{b}_R\rangle} \cdot h^{d_L}, \quad
R = \textbf{g}_L^{\textbf{a}_R} \cdot \textbf{h}_R^{\textbf{b}_L} \cdot u^{\langle \textbf{a}_R, \textbf{b}_L\rangle} \cdot h^{d_R}.
{% endkatex %}
where $h \in \mathbb{G}$. Further, in the last round of the protocol, instead of sending $\hat{a}, \hat{b} \in \mathbb{Z}_q$, we use a sigma-like protocol yielding constant communication and computation.
This is the main difference between the inner product and the weighted inner product arguments.
We will see in the next post how this helps build Bulletproofs+, a range proof protocol with proof size shorter than that of Bulletproofs.
### References and Notes
[^1]: Benedikt Bünz et al., "Bulletproofs: Short Proofs for Confidential Transactions and More", in *Cryptology ePrint Archive, Report 2017/1066*. Available at [https://eprint.iacr.org/2017/1066.pdf](https://eprint.iacr.org/2017/1066.pdf).
[^2]: Chung H. et al., "Bulletproofs+: Shorter Proofs for Privacy-Enhanced Distributed Ledger", in *Cryptology ePrint Archive, Report 2020/735*. Available at [https://eprint.iacr.org/2020/735.pdf](https://eprint.iacr.org/2020/735.pdf).
[^3]: Note that $\textbf{a}_L \odot_{y} \textbf{b}_L = \langle \textbf{a}_L, (y,y^2, \ldots, y^{\frac{n}{2}}) \circ \textbf{b}_L \rangle$ for $\textbf{a}_L, \textbf{b}_L \in \mathbb{Z}_q^{\frac{n}{2}}$.
{% endkatexmm %}
Understanding Inner Product Argument (2020-06-28)

{% katexmm %}
The [Bulletproofs](https://eprint.iacr.org/2017/1066.pdf) paper introduces a log-sized inner-product argument and thereafter constructs the state-of-the-art range proof protocol in the non-trusted setup setting.
We will discuss the inner-product argument and how it motivated the idea of recursive proof systems like [Halo](https://eprint.iacr.org/2019/1021.pdf).
We assume the reader has basic familiarity with elliptic curve group operations and Pedersen commitments.
### Introduction
Suppose you have some secret information (say, passkeys to two lockers) encoded in a couple of vectors $\textbf{a}, \textbf{b}$.
You (the *prover*) want to convince the government (the *verifier*) that you are the owner of those lockers, so naturally you will have to prove that you know the vectors $\textbf{a}, \textbf{b}$. But you cannot just reveal them for obvious reasons. Can you prove the knowledge of $\textbf{a}, \textbf{b}$ without revealing them? The inner-product argument lets you do so, such that the government would be convinced about your ownership without knowing *much* about your secrets.
We assume that the size of the vectors $\textbf{a}, \textbf{b}$ is a power of two, but it is fairly straightforward to extend the analysis to other cases.
### The Inner-Product Argument
The inner-product argument proves the knowledge of *witness* vectors $\textbf{a}, \textbf{b} \in \mathbb{F}_q^{n}$ given a Pedersen vector commitment $P \in \mathbb{G}$ to $\textbf{a}, \textbf{b}$ and the inner product $c = \langle \textbf{a}, \textbf{b} \rangle \in \mathbb{F}_q$.
The following relation describes the inner-product argument in a mathematical form.
$$
\mathcal{L}_{\textsf{IP}}(\sigma) =
\bigg\{
\underbrace{\textbf{g}, \textbf{h} \in \mathbb{G}^n, P \in \mathbb{G}, c \in \ \mathbb{Z}_q}_{\textsf{statement}}; \
\underbrace{\textbf{a}, \textbf{b} \in \mathbb{Z}_q^n}_{\textsf{witness}}
\ \bigg| \
\underbrace{P = \textbf{g}^{\textbf{a}} \cdot \textbf{h}^{\textbf{b}} \cdot u^{c}
\ \wedge \ c = \langle \textbf{a}, \textbf{b} \rangle}_{\textsf{relation}}
\bigg\}
$$
where the *common reference string* $\sigma$ contains the public information $\textbf{g}, \textbf{h} \in \mathbb{G}^n, u \in \mathbb{G}$.
To construct the inner-product argument, we first split the secret vectors in half,
$$
\textbf{a} = (\textcolor{red}{\textbf{a}}_{1}, \textcolor{blue}{\textbf{a}}_{1}),
\quad
\textbf{b} = (\textcolor{red}{\textbf{b}}_{1}, \textcolor{blue}{\textbf{b}}_{1})
$$
where the red vector denotes the left half while the blue denotes right half.
The $1$ in the subscript denotes the step number in recursion.
We now compute Pedersen vector commitments to $(\textcolor{red}{\textbf{a}}_{1}, \textcolor{blue}{\textbf{b}}_{1})$ and $(\textcolor{blue}{\textbf{a}}_{1}, \textcolor{red}{\textbf{b}}_{1})$. Note that we can split the base vectors too as $\textbf{g} = (\textcolor{red}{\textbf{g}}_{1}, \textcolor{blue}{\textbf{g}}_{1}), \textbf{h} = (\textcolor{red}{\textbf{h}}_{1}, \textcolor{blue}{\textbf{h}}_{1})$ and use them to compute:
$$
L_1 = \textcolor{blue}{\textbf{g}}_{1}^{\textcolor{red}{\textbf{a}}_{1}} \cdot \textcolor{red}{\textbf{h}}_{1}^{\textcolor{blue}{\textbf{b}}_{1}} \cdot u^{\langle \textcolor{red}{\textbf{a}}_{1} , \textcolor{blue}{\textbf{b}}_{1} \rangle},
\quad
R_1 = \textcolor{red}{\textbf{g}}_{1}^{\textcolor{blue}{\textbf{a}}_{1}} \cdot \textcolor{blue}{\textbf{h}}_{1}^{\textcolor{red}{\textbf{b}}_{1}} \cdot u^{\langle \textcolor{blue}{\textbf{a}}_{1} , \textcolor{red}{\textbf{b}}_{1} \rangle}.
$$
We send $L_1, R_1 \in \mathbb{G}$ to the verifier. The verifier sends back a challenge scalar $x_1 \in \mathbb{F}_q$.
For the next round, we (as well as the verifier) update the base vectors and the combined Pedersen commitment as
$$
\begin{aligned}
\textbf{g}_{1} &= \textcolor{red}{\textbf{g}}_{1}^{x_1^{-1}} \circ \textcolor{blue}{\textbf{g}}_{1}^{x_1} \in \mathbb{G}^{\frac{n}{2}}, \\
\textbf{h}_{1} &= \textcolor{red}{\textbf{h}}_{1}^{x_1} \circ \textcolor{blue}{\textbf{h}}_{1}^{x_1^{-1}} \in \mathbb{G}^{\frac{n}{2}}, \\
P_{1} &= L_1^{x_1^2} \cdot P \cdot R_1^{x_1^{-2}} \in \mathbb{G}.
\end{aligned}
$$
Notice that on substituting for $L_1, R_1$ and $P$, the commitment $P_1$ has the form
$$
\begin{aligned}
P_1 &= \left( \textcolor{blue}{\textbf{g}}_{1}^{\textcolor{red}{\textbf{a}}_{1}} \cdot \textcolor{red}{\textbf{h}}_{1}^{\textcolor{blue}{\textbf{b}}_{1}} \cdot u^{\langle \textcolor{red}{\textbf{a}}_{1} , \textcolor{blue}{\textbf{b}}_{1} \rangle} \right)^{x_1^2}
\cdot
\left( \textcolor{red}{\textbf{g}}_{1}^{\textcolor{red}{\textbf{a}}_{1}} \cdot
\textcolor{blue}{\textbf{g}}_{1}^{\textcolor{blue}{\textbf{a}}_{1}} \cdot
\textcolor{red}{\textbf{h}}_{1}^{\textcolor{red}{\textbf{b}}_{1}} \cdot
\textcolor{blue}{\textbf{h}}_{1}^{\textcolor{blue}{\textbf{b}}_{1}} \cdot
u^{\langle \textbf{a} , \textbf{b} \rangle} \right)
\cdot
\left( \textcolor{red}{\textbf{g}}_{1}^{\textcolor{blue}{\textbf{a}}_{1}} \cdot \textcolor{blue}{\textbf{h}}_{1}^{\textcolor{red}{\textbf{b}}_{1}} \cdot u^{\langle \textcolor{blue}{\textbf{a}}_{1} , \textcolor{red}{\textbf{b}}_{1} \rangle} \right)^{x_1^{-2}}
\\
&= \textcolor{red}{\textbf{g}}_{1}^{\textcolor{red}{\textbf{a}}_{1} + x_1^{-2}\textcolor{blue}{\textbf{a}}_{1}} \cdot
\textcolor{blue}{\textbf{g}}_{1}^{x_1^2\textcolor{red}{\textbf{a}}_{1} + \textcolor{blue}{\textbf{a}}_{1}} \cdot
\textcolor{red}{\textbf{h}}_{1}^{\textcolor{red}{\textbf{b}}_{1} + x_1^{2}\textcolor{blue}{\textbf{b}}_{1}} \cdot
\textcolor{blue}{\textbf{h}}_{1}^{x_1^{-2}\textcolor{red}{\textbf{b}}_{1} + \textcolor{blue}{\textbf{b}}_{1}} \cdot
u^{ x_1^{2}\langle \textcolor{red}{\textbf{a}}_{1} , \textcolor{blue}{\textbf{b}}_{1} \rangle +
\langle \textcolor{red}{\textbf{a}}_{1} , \textcolor{red}{\textbf{b}}_{1} \rangle +
\langle \textcolor{blue}{\textbf{a}}_{1} , \textcolor{blue}{\textbf{b}}_{1} \rangle +
x_1^{-2}\langle \textcolor{blue}{\textbf{a}}_{1} , \textcolor{red}{\textbf{b}}_{1} \rangle}
\\
&= \textcolor{red}{\textbf{g}}_{1}^{x_1^{-1} \cdot (x_1\textcolor{red}{\textbf{a}}_{1} + x_1^{-1}\textcolor{blue}{\textbf{a}}_{1})} \cdot
\textcolor{blue}{\textbf{g}}_{1}^{x_1 \cdot (x_1\textcolor{red}{\textbf{a}}_{1} + x_1^{-1}\textcolor{blue}{\textbf{a}}_{1})} \cdot
\textcolor{red}{\textbf{h}}_{1}^{x_1 \cdot (x_1^{-1}\textcolor{red}{\textbf{b}}_{1} + x_1\textcolor{blue}{\textbf{b}}_{1})} \cdot
\textcolor{blue}{\textbf{h}}_{1}^{x_1^{-1} \cdot (x_1^{-1}\textcolor{red}{\textbf{b}}_{1} + x_1\textcolor{blue}{\textbf{b}}_{1})} \cdot
u^{ \langle x_1 \textcolor{red}{\textbf{a}}_{1} , x_1 \textcolor{blue}{\textbf{b}}_{1} \rangle +
\langle x_1 \textcolor{red}{\textbf{a}}_{1} , x_1^{-1} \textcolor{red}{\textbf{b}}_{1} \rangle +
\langle x_1^{-1} \textcolor{blue}{\textbf{a}}_{1} , x_1 \textcolor{blue}{\textbf{b}}_{1} \rangle +
\langle x_1^{-1} \textcolor{blue}{\textbf{a}}_{1} , x_1^{-1} \textcolor{red}{\textbf{b}}_{1} \rangle}
\\
&= \left( \textcolor{red}{\textbf{g}}_{1}^{x_1^{-1}} \circ \textcolor{blue}{\textbf{g}}_{1}^{x_1} \right)^{(x_1\textcolor{red}{\textbf{a}}_{1} + x_1^{-1}\textcolor{blue}{\textbf{a}}_{1})} \cdot
\left( \textcolor{red}{\textbf{h}}_{1}^{x_1} \circ \textcolor{blue}{\textbf{h}}_{1}^{x_1^{-1}} \right)^{(x_1^{-1}\textcolor{red}{\textbf{b}}_{1} + x_1\textcolor{blue}{\textbf{b}}_{1})} \cdot
u^{ \left\langle
(x_1\textcolor{red}{\textbf{a}}_{1} + x_1^{-1}\textcolor{blue}{\textbf{a}}_{1}), \
(x_1^{-1}\textcolor{red}{\textbf{b}}_{1} + x_1\textcolor{blue}{\textbf{b}}_{1})
\right\rangle }
\\
& = \textbf{g}_1^{(x_1\textcolor{red}{\textbf{a}}_{1} + x_1^{-1}\textcolor{blue}{\textbf{a}}_{1})} \cdot
\textbf{h}_1^{(x_1^{-1}\textcolor{red}{\textbf{b}}_{1} + x_1\textcolor{blue}{\textbf{b}}_{1})} \cdot
u^{ \left\langle
(x_1\textcolor{red}{\textbf{a}}_{1} + x_1^{-1}\textcolor{blue}{\textbf{a}}_{1}), \
(x_1^{-1}\textcolor{red}{\textbf{b}}_{1} + x_1\textcolor{blue}{\textbf{b}}_{1})
\right\rangle }
\end{aligned}
$$
Therefore, $P_1$ is in fact the Pedersen commitment to the quantities
$$
\begin{aligned}
\textbf{a}_1 &= (x_1 \cdot \textcolor{red}{\textbf{a}}_{1} + x_1^{-1} \cdot \textcolor{blue}{\textbf{a}}_{1}) \in \mathbb{F}_q^{\frac{n}{2}} \\
\textbf{b}_1 &= (x_1^{-1} \cdot \textcolor{red}{\textbf{b}}_{1} + x_1 \cdot \textcolor{blue}{\textbf{b}}_{1}) \in \mathbb{F}_q^{\frac{n}{2}}.
\end{aligned}
$$
Note that we could send the vectors $(\textbf{a}_1, \textbf{b}_1)$ to the verifier and she could verify the last equality above (and thus be convinced about our knowledge of the vectors $(\textbf{a}, \textbf{b})$ without actually knowing them!), but the prover communication would then be $n$ field elements. We wish to reduce it to logarithmic in $n$.
With that in mind, we can now repeat the above process with the new secrets $(\textbf{a}_1, \textbf{b}_1)$, bases $(\textbf{g}_1, \textbf{h}_1)$ and commitment $P_1$. We can keep doing so until the size of the new bases is $1$. In this process, the verifier would have sent $l = \text{log}_2(n)$ challenges, viz. $(x_1, x_2, \dots, x_{l})$ and we would have sent $(L_1, R_1, L_2, R_2, \dots, L_l, R_l) \in \mathbb{G}^{2l}$ elements.
For the last round, we send the elements $(a_{\text{last}}, b_{\text{last}}) \in \mathbb{F}_q^2$ and all the verifier has to check is
$$
\tag{1}
P_{\text{last}} \stackrel{?}{=} g_{\text{last}}^{a_{\text{last}}} \cdot h_{\text{last}}^{b_{\text{last}}} \cdot u^{a_{\text{last}} \cdot b_{\text{last}}}
$$
where $P_{\text{last}}, g_{\text{last}}, h_{\text{last}}$ can be computed by the verifier from all the information she has in the previous $l$ rounds!
Thus, the total prover communication would then be $2 \text{log}_2(n)$ group elements plus $2$ field elements.
### Prover and Verifier Costs
In the $i$-th round, the prover computes $L_i, R_i \in \mathbb{G}$ and base vectors $\textbf{g}_i, \textbf{h}_i \in \mathbb{G}^{\frac{n}{2^i}}$.
This amounts to 2 group exponentiations of size $2 \cdot \frac{n}{2^i} + 1$ and 2 group exponentiations of size $2 \cdot \frac{n}{2^i}$, so a total of $\frac{n}{2^{i-3}} + 2$ group exponentiations. In total, the prover would need $8(n-1)$ group exponentiations. Since field operations are typically orders of magnitude faster than group exponentiations, we consider the costs only due to group exponentiations.
On the other hand, the verifier only needs to validate equation $(1)$ in the last round.
All she needs for validation is to compute $g_\text{last}, h_\text{last}$ and $P_\text{last}$.
Note that $g_\text{last}, h_\text{last}$ would depend only on the challenges $(x_1, x_2, \dots, x_l)$.
Let us try to compute the base vector $\textbf{g}_2$ for round 2 for $n=8$.
$$
\begin{aligned}
\textbf{g}_1 &= \textcolor{red}{\textbf{g}}_{1}^{x_1^{-1}} \circ \textcolor{blue}{\textbf{g}}_{1}^{x_1} \in \mathbb{G}^{\frac{n}{2}}
\\
&= (g_1, g_2, g_3, g_4)^{x_1^{-1}} \circ (g_5, g_6, g_7, g_8)^{x_1}
\\
&= (g_1^{x_1^{-1}} g_5^{x_1}, \ g_2^{x_1^{-1}} g_6^{x_1}, \ g_3^{x_1^{-1}} g_7^{x_1}, \ g_4^{x_1^{-1}} g_8^{x_1})
\in \mathbb{G}^4
\\
\textbf{g}_2 &= \left( g_1^{x_1^{-1}} g_5^{x_1}, \ g_2^{x_1^{-1}} g_6^{x_1} \right)^{x_2^{-1}} \circ
\left( g_3^{x_1^{-1}} g_7^{x_1}, \ g_4^{x_1^{-1}} g_8^{x_1} \right)^{x_2}
\\
&= \left(
g_1^{x_1^{-1} x_2^{-1}} g_5^{x_1 x_2^{-1}} g_3^{x_1^{-1} x_2} g_7^{x_1 x_2}, \
g_2^{x_1^{-1} x_2^{-1}} g_6^{x_1 x_2^{-1}} g_4^{x_1^{-1} x_2} g_8^{x_1 x_2}
\right)
\in \mathbb{G}^2
\\
g_\text{last} = \textbf{g}_3 &=
\left( g_1^{x_1^{-1} x_2^{-1}} g_5^{x_1 x_2^{-1}} g_3^{x_1^{-1} x_2} g_7^{x_1 x_2} \right)^{x_3^{-1}} \circ
\left( g_2^{x_1^{-1} x_2^{-1}} g_6^{x_1 x_2^{-1}} g_4^{x_1^{-1} x_2} g_8^{x_1 x_2} \right)^{x_3}
\\
&= g_1^{x_1^{-1} x_2^{-1} x_3^{-1}} g_5^{x_1 x_2^{-1} x_3^{-1}} g_3^{x_1^{-1} x_2 x_3^{-1}} g_7^{x_1 x_2 x_3^{-1}}
g_2^{x_1^{-1} x_2^{-1} x_3} g_6^{x_1 x_2^{-1} x_3} g_4^{x_1^{-1} x_2 x_3} g_8^{x_1 x_2 x_3}
\\
&= g_1^{x_1^{-1} x_2^{-1} x_3^{-1}} g_2^{x_1^{-1} x_2^{-1} x_3^{1}} g_3^{x_1^{-1} x_2^{1} x_3^{-1}} g_4^{x_1^{-1} x_2^{1} x_3^{1}}
g_5^{x_1^{1} x_2^{-1} x_3^{-1}} g_6^{x_1^{1} x_2^{-1} x_3^{1}} g_7^{x_1^{1} x_2^{1} x_3^{-1}} g_8^{x_1^{1} x_2^{1} x_3^{1}}
\in \mathbb{G}
\end{aligned}
$$
Note the following pattern in the powers of challenges $(x_1, x_2, x_3)$.
| generator | powers of $(x_1, x_2, x_3)$ | binary form | decimal |
|-----------|-----------------------------|-------------|---------|
| $g_1$ | $-1,-1,-1$ | $000$ | 0 |
| $g_2$ | $-1,-1,1$ | $001$ | 1 |
| $g_3$ | $-1,1,-1$ | $010$ | 2 |
| $g_4$ | $-1,1,1$ | $011$ | 3 |
| $g_5$ | $1,-1,-1$ | $100$ | 4 |
| $g_6$ | $1,-1,1$ | $101$ | 5 |
| $g_7$ | $1,1,-1$ | $110$ | 6 |
| $g_8$ | $1,1,1$ | $111$ | 7 |
Similarly, we can compute $h_{\text{last}}$, with the difference that the powers of the challenges in the exponent get inverted.
$$
h_{\text{last}} = \textbf{h}_3
= h_1^{x_1^{1} x_2^{1} x_3^{1}} h_2^{x_1^{1} x_2^{1} x_3^{-1}} h_3^{x_1^{1} x_2^{-1} x_3^{1}} h_4^{x_1^{1} x_2^{-1} x_3^{-1}}
h_5^{x_1^{-1} x_2^{1} x_3^{1}} h_6^{x_1^{-1} x_2^{1} x_3^{-1}} h_7^{x_1^{-1} x_2^{-1} x_3^{1}} h_8^{x_1^{-1} x_2^{-1} x_3^{-1}}
\in \mathbb{G}
$$
The ghastly looking expressions for $g_{\text{last}}$ and $h_{\text{last}}$ (even for $n=8$) can be written in a much simpler form as
$$
g_{\text{last}} = \prod_{i=1}^{n} g_i^{s_i}, \quad h_{\text{last}} = \prod_{i=1}^{n} h_i^{s_i^{-1}},
$$
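such that, reading the $l$-bit binary form of $(i-1)$ from the most significant bit (so that $x_1$ corresponds to the leading bit, as in the table above),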
$$
s_i = \prod_{j=1}^{l} x_j^{b(i,j)}, \quad \text{ where } \quad b(i,j) =
\begin{cases}
1 & \text{if the $j$-th bit of } (i-1) \text{ is 1} \\
-1 & \text{otherwise}.
\end{cases}
$$
On a similar note, we can compute $P_{\text{last}}$ as
$$
\begin{aligned}
P_2 &= L_2^{x_2^2} \cdot P_1 \cdot R_2^{x_2^{-2}} \\
&= L_2^{x_2^2} \cdot \left( L_1^{x_1^2} \cdot P \cdot R_1^{x_1^{-2}} \right) \cdot R_2^{x_2^{-2}} \\
&= L_2^{x_2^2} \cdot L_1^{x_1^2} \cdot P \cdot R_1^{x_1^{-2}} \cdot R_2^{x_2^{-2}} \\
\therefore \quad P_{\text{last}} &= \left(L_l^{x_l^2} \cdot \ldots \cdot L_2^{x_2^2} \cdot L_1^{x_1^2}\right)
\cdot P \cdot
\left( R_1^{x_1^{-2}} \cdot R_2^{x_2^{-2}} \cdot \ldots \cdot R_l^{x_l^{-2}} \right) \\
&= P \cdot \left(\prod_{j=1}^{l} L_j^{x_j^2} \cdot R_j^{x_j^{-2}}\right)
\end{aligned}
$$
Therefore, from $(1)$, the verification of an inner-product argument boils down to a single multi-exponentiation check of size $(2n + 2l + 1)$:
$$
P \cdot \left(\prod_{j=1}^{l} L_j^{x_j^2} \cdot R_j^{x_j^{-2}}\right)
\stackrel{?}{=}
\textbf{g}^{a \cdot \textbf{s}} \cdot \textbf{h}^{b \cdot \textbf{s}^{-1}} \cdot u^{a \cdot b}
$$
where $\textbf{s} = (s_1, s_2, \dots, s_n)$ and $a, b$ stand for the last-round scalars $a_{\text{last}}, b_{\text{last}}$.
### Closing Comments
The log-sized inner-product argument in a non-trusted setup was an important breakthrough in applied cryptography research.
For cryptocurrencies like Monero, the inner-product powered range proof protocol *Bulletproofs* helped reduce the transaction sizes by a whopping 80%[^1].
The downside of the inner-product argument, however, is that verification time is linear even with aggregated proof verification, which causes practical bottlenecks when deploying it for large arithmetic circuits.
Nevertheless, the inner-product argument opened up avenues for future research in the direction of recursive proofs.
Stay tuned to understand how the beautiful technique of inner-product argument helped in construction of [Halo](https://eprint.iacr.org/2019/1021.pdf).
[^1]: Bulletproofs in Moneropedia, Link: [https://web.getmonero.org/resources/moneropedia/bulletproofs.html](https://web.getmonero.org/resources/moneropedia/bulletproofs.html)
{% endkatexmm %}
Shorter, Privacy-Preserving Proof of Reserves for Cryptocurrency Exchanges (2019-10-19)

Cryptocurrency exchanges (also called crypto exchanges) provide a convenient way for customers to own and trade cryptocurrencies in exchange for fiat currencies. However, hacks and internal frauds in such exchanges result in huge losses of customer funds [^1]<sup>,</sup>[^2].
Proof of solvency is one of the preventive measures which could help in early detection of such scams. As a part of my master's thesis, I am working on designing a proof of reserves for crypto exchanges wherein the exchanges can prove that they own enough funds to cover their liabilities in unfortunate cases of hacks or frauds.
{% katexmm %}
To illustrate the idea, let's say an exchange owns assets equal to $v_{a}$ and has lent out crypto assets worth $v_{l}$ to its customers in exchange for fiat currency. Thus, the liability of the exchange towards its customers is $v_{l}$. An exchange is solvent if $v_{a} \ge v_{l}$. A proof of reserves is a proof that an exchange owns assets equal to some amount $v_a$. In the case of crypto assets, an exchange can just reveal what addresses it owns to give a proof of its reserves. This is, however, undesirable from the point of view of privacy of the exchange's customers.
{% endkatexmm %}
{% katexmm %}
To do this without revealing the addresses and amounts, an exchange can generate two Pedersen commitments $C_a$ and $C_l$ to $v_a$ and $v_l$ respectively. To prove $v_a \ge v_l$, the exchange gives a range proof that $C_a \cdot C_l^{-1}$ is a commitment to a non-negative amount.
{% endkatexmm %}
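Why the range proof is the step that enforces solvency, as an added Python example (not code from the thesis or from Revelio+): the quotient of the two commitments always opens to v_a - v_l modulo the group order, and for an insolvent exchange that value wraps around to a huge number. Assumptions: a toy group modulo the Mersenne prime 2^127 - 1 (real deployments use a prime-order elliptic-curve group), hash-derived generators, a 64-bit amount range, and a plain bounds check on the opened value standing in for the zero-knowledge range proof.

```python
import hashlib
import secrets

P = 2**127 - 1      # Mersenne prime; toy modulus for this example only
N = P - 1           # exponents are reduced modulo the order of the group mod P
RANGE_BITS = 64     # assumed bit length of valid amounts

def gen(label):
    """Derive a generator from a label (toy choice; assumption of this example)."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % P

G, H = gen(b"reserves-demo-g"), gen(b"reserves-demo-h")

def commit(v, r):
    """Pedersen commitment g^v * h^r to amount v with blinding factor r."""
    return pow(G, v % N, P) * pow(H, r % N, P) % P

def solvency_statement(C_a, C_l):
    """C_a * C_l^-1: the commitment the exchange gives a range proof for."""
    return C_a * pow(C_l, -1, P) % P

def difference_opening(v_a, r_a, v_l, r_l):
    """Amount and blinding factor that open C_a * C_l^-1 (known only to the exchange)."""
    return (v_a - v_l) % N, (r_a - r_l) % N

def in_range(v):
    """What the range proof establishes about the committed amount, checked in the clear."""
    return 0 <= v < 2**RANGE_BITS

def check(v_a, v_l):
    """Returns (quotient opens to v_a - v_l, committed difference lies in range)."""
    r_a, r_l = secrets.randbelow(N), secrets.randbelow(N)
    D = solvency_statement(commit(v_a, r_a), commit(v_l, r_l))
    d, r = difference_opening(v_a, r_a, v_l, r_l)
    return D == commit(d, r), in_range(d)

if __name__ == "__main__":
    print("solvent   (assets 1000, liabilities 900):", check(1000, 900))
    print("insolvent (assets 900, liabilities 1000):", check(900, 1000))
```

In both cases the quotient is a well-formed commitment; only the range condition separates the solvent exchange from the insolvent one.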
I am working on designing zero-knowledge proofs of reserves for different cryptocurrencies. I designed Revelio+, an efficient proof of reserves for [MimbleWimble](https://github.com/mimblewimble/) based cryptocurrencies. MimbleWimble has outputs instead of addresses to store coins. Using our protocol, an exchange proves in zero-knowledge that it owns particular outputs from the set of unspent outputs on the blockchain, preserving the privacy of the outputs it owns. Further, it also helps detect collusion between exchanges when they try to share an output in their respective proofs of reserves.
A typical Revelio+ proof would be of the form
{% katex display %}
\Pi_{\text{Rev+}} = \{ t, I_1, I_2, \dots, I_m, \Pi_{+} \}
{% endkatex %}
{% katexmm %}
where $t$ is the block height which denotes the blockchain state. All the unspent outputs $(C_1, C_2, \dots, C_n)$ on the blockchain, up to and including those in the $t$-th block, form the anonymity set. The exchange owns outputs $(C_{i_1}, C_{i_2}, \dots, C_{i_m})$. Additionally, it defines key-images $(I_1, I_2, \dots, I_{m})$, one for each output it owns. The key-images help detect collusion between exchanges, i.e. if two exchanges generate their proofs of reserves at block height $t$ and if any of their key-images match, we declare collusion. $\Pi_{+}$ is a zero-knowledge argument of knowledge which proves that the exchange actually owns the aforementioned outputs. It is logarithmic in the size of the set of all the unspent outputs.
{% endkatexmm %}
[Revelio](https://eprint.iacr.org/2019/684.pdf), the existing protocol, had a proof size linear in the size of the anonymity set. Also, collusion between the exchanges could be detected only if the anonymity sets in the two proofs are the same. We alleviate both of these issues: we give a log-sized protocol, and by linking the proof generation with the blockchain state, we cryptographically enforce exchanges to generate proofs at the same time and thus give a foolproof way to detect collusion. Further, the log-sized proof also allows us to have the anonymity set as the entire set of unspent outputs corresponding to a particular blockchain state. This enhances the privacy of exchange-owned outputs.
The downside of our protocol, however, is the time needed to generate and verify the proof, which is linear in the size of the anonymity set. The following graph shows the performance of our protocol in comparison to Revelio.
<center>
{% include image.html name="r-perf.png" caption="Performance comparison of Revelio and Revelio+" %}
</center>
The linear proof generation times motivate the need for specialized hardware for cryptographic operations like elliptic curve point addition. The links for the preprint and presentation would be added soon.
[^1]: [The History of the Mt Gox Hack: Bitcoin’s Biggest Heist](https://blockonomi.com/mt-gox-hack/)
[^2]: [Quadriga: The cryptocurrency exchange that lost $135m](https://www.bbc.com/news/world-us-canada-47203706)
Understanding Crypto Ban in India (2019-10-15)

> No person shall mine, generate, hold, sell, deal in, issue, transfer, dispose of or use Cryptocurrency in the territory of India.

The above is the first clause in the draft of a bill called *Banning of Cryptocurrency &
Regulation of Official Digital Currency Bill, 2019* issued by the [Department of Economic Affairs](https://dea.gov.in/), Government of India. The proposed bill is considered as a final nail in the coffin for any sort of cryptocurrency trading in India, and has resulted in several petetions being filed in the [Supreme Court of India](https://main.sci.gov.in/) from crypto-exchanges in India. Notwithstanding lesser extent of awareness about cryptocurrencies in India, there were still 5 million digital currency holders in India. Further, the worst to face would be the entrepreneurial organisations who had set up mining infrastructure for mining cryptocurrencies. The heavy investments they made have now become completely useless as the mining computational machinery, being specialized for particular tasks, cannot be used for other computational purposes. There has been stringent criticism that the failure of the government and RBI to regulate has hampered the rise of such an innovative technology which is being widely accepted by nations worldwide.
The [Reserve Bank of India](https://www.rbi.org.in/) (RBI) had issued warnings on several occasions before the ban was actually laid out. The main concern of the government seems to be building a regulatory framework for private currencies. This is because tracking cryptocurrencies to their owners is very difficult with the privacy and security guarantees of crypto in place. One segment of experts believes that levying tax on each transaction would be the way to regulate crypto. Here again, the question of determining the origin of transactions remains unsolved. The possibility of terror funding through crypto is another thing which might be of prime concern to the government. The government states that only *government-owned* digital currency could be introduced. This, however, creates ambiguity about the *decentralized* nature of such government-backed digital currencies. The draft also mentions that the use of *distributed ledger technology* for applications other than those involving trading of private cryptocurrencies is allowed. Although this does not restrict the application of blockchain in different areas, it is still not clear what the exact relaxations and restrictions on the use of blockchain technology would be, given the vast extent of possibilities blockchain opens up for businesses and otherwise. All in all, it would be shameful if India just shuts its doors to innovation and technology without putting effort into trying to build a regulation for it.
Many developed as well as developing economies have adapted well to the rising digital currency markets[^1]. Japan has allowed the use of crypto with a proper legal system regulating cryptocurrency trading[^2]. Singapore became the second country in the world after the US to regulate virtual currencies such as bitcoins back in 2014[^3].
<center>
{% include image.html name="btcmap.png" caption="Image courtesy: Wikipedia CC 4.0" %}
</center>
![#F70401](https://placehold.it/15/F70401/000000?text=+) **Permissive** (legal to use bitcoin) <br/>
![#FE4CD8](https://placehold.it/15/FE4CD8/000000?text=+) **Contentious** (some legal restrictions on usage of bitcoin) <br/>
![#FFD000](https://placehold.it/15/FFD000/000000?text=+) **Contentious** (interpretation of old laws, but bitcoin is not prohibited directly) <br/>
![#00D65D](https://placehold.it/15/00D65D/000000?text=+) **Hostile** (full or partial prohibition)
<br/>
The benefits of a decentralized economy are immense, and blockchain technology promises to bring about a drastic change in the way economies and trading work. Malpractices are part and parcel of each disruptive technology. It is up to the will and determination of the law-makers to ensure responsible and legal use of such technologies and bring their benefits to the common people. It sure might take some time, but India too would adopt a robust regulatory framework for cryptocurrencies and pave the way for a decentralized economy.
[^1]: [Legality of bitcoin by country or territory](https://en.wikipedia.org/wiki/Legality_of_bitcoin_by_country_or_territory)
[^2]: [Japan a global leader in cryptocurrency investment](https://www.japantimes.co.jp/news/2018/01/23/business/japan-global-leader-cryptocurrency-investment/)
[^3]: [Singapore becomes the second country to regulate bitcoins](https://www.bbc.com/news/av/business-26572771/singapore-becomes-the-second-country-to-regulate-bitcoins)

Suyash Bagad

Solving the Chicken & Hen Problem of MProve (2019-08-18)

[MProve](https://eprint.iacr.org/2018/1210.pdf) is the first proof of reserves for Monero. Monero [^1] is a decentralized cryptocurrency, meaning it is secure digital cash operated by a network of users. It uses ring signatures, ring confidential transactions, and stealth addresses to hide the origins, amounts, and destinations of all transactions. Transactions on the Monero blockchain are untraceable. Read more about Monero [here](https://web.getmonero.org/).
{% katexmm %}
MProve leverages ring signatures to generate a proof of reserves. In simple words, it considers an anonymity set $\mathcal{P}_{\text{anon}}$ which includes $\mathcal{P}_{\text{own}}$, the set of exchange-owned addresses. To generate an MProve proof, an exchange selects $\mathcal{P}_{\text{anon}} = \{P_1, P_2, \dots, P_n\}$ from the Monero blockchain. Each $P_i \in \mathcal{P}_{\text{anon}}$ has an associated commitment $C_i = g^{y_i} h^{a_i}$. The exchange defines the quantity $C_i^{\prime}$ as follows:
{% katex display %}
C_i^{\prime} \coloneqq
\begin{cases}
g^{z_i} & \text{if } P_i \in \mathcal{P}_{\text{own}} \\
g^{z_i}C_i & \text{if } P_i \notin \mathcal{P}_{\text{own}}
\end{cases}
{% endkatex %}
where $z_i$ is randomly chosen from $\mathbb{Z}_q$. Further, the exchange publishes ring signatures $\gamma_i \ \forall i \in \{1, \dots, n\}$ verifiable by the pair of public keys $(C_i^{\prime}, C_i^{\prime} - C_i)$ and linkable ring signatures $\sigma_i \ \forall i \in \{1, \dots, n\}$ verifiable by the pair of public keys $(P_i, C_i^{\prime} - C_i)$. Each $\sigma_i$ contains a key-image $I_i$. These key-images help detect collusion and double spending. Checking that the published key-image does not match any existing key-image on the blockchain ensures that the exchange is not using an already-spent address in its proof. Thus, a typical MProve proof is of the form
{% katex display %}
\Pi_{\text{M}} = \{ P_i, C_i, C_i^{\prime}, \gamma_i, \sigma_i \}_{i=1}^{n}
{% endkatex %}
The problem is with the key-images $I_i$, for $i$ such that $P_i \in \mathcal{P}_{\text{own}}$, which are a part of $\sigma_i$. Let's say an exchange publishes an MProve proof at time $t_1$. Now if that exchange tries to spend from address $P_i \in \mathcal{P}_{\text{own}}$ at some time $t_2 > t_1$, the transaction also includes the same key-image $I_i$ as the one present in the MProve proof.
So, any observer will know from the proof given at $t_1$ that address $P_i$ was owned by that exchange. An obvious way out seems to be to change the way we define key-images in MProve. But then we would no longer be able to detect double spending. Revealing key-images seems to be unavoidable.
{% endkatexmm %}
The way I thought I would solve this paradoxical situation was to somehow prove that the key-images we generate do not use any of the private information of the existing spent addresses on the blockchain. Solving the MProve drawback essentially means that we come up with an efficient proof of reserves which does two things:
1. Checks for double spending using the already existing key images
2. Ensures non-collusion between exchanges
{% katexmm %}
Specifically, let $P_i$ be a one-time address owned by the exchange with $x_i$ as the secret key, and let $I_j$ be a key-image from the blockchain, indicating that the funds from address $P_j$ have already been spent. We have
{% katex display %}
P_i = g^{x_i}, \ I_j = H(P_j)^{x_j}
{% endkatex %}
If we prove, for each $P_i \in \mathcal{P}_{\text{own}}$ and for each spent address $P_j$ on the Monero blockchain, that the discrete-log of $I_j$ with respect to $H(P_i)$ is not equal to the discrete-log of $P_i$ with respect to $g \in \mathbb{G}$, we are done. We can now have another definition of key-images in our proof of reserves. This fixes the paradoxical situation. Stay tuned to know how exactly we do it, as we are in the process of writing the manuscript of the protocol!
{% endkatexmm %}
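The key-image linkage and the discrete-log inequality described above, as an added example that is not from the original post or the MProve paper. It assumes a toy prime-order group in place of Monero's curve and models only the key images carried by sigma_i; the function names, sample keys and the form of the key image for non-owned addresses are assumptions.

```python
import hashlib

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

# Toy group, constructed for this demo and far too small for real use: the first
# safe prime p = 2q + 1 above 10**9; squares mod p form a subgroup of prime order q.
P_MOD = next(p for p in range(10**9 + 1, 2 * 10**9, 2)
             if is_prime(p) and is_prime((p - 1) // 2))
Q = (P_MOD - 1) // 2
G = 4  # 2**2 generates the order-q subgroup

def hash_to_group(value):
    # Stand-in for H(.): hash to an integer, then square it into the subgroup.
    digest = hashlib.sha256(str(value).encode()).digest()
    return pow(int.from_bytes(digest, "big") % P_MOD, 2, P_MOD)

def address(x):
    return pow(G, x, P_MOD)                     # P = g^x

def key_image(x, addr):
    return pow(hash_to_group(addr), x, P_MOD)   # I = H(P)^x

def proof_key_images(anon_set, own_keys, blinders):
    # Image in sigma_i: from x_i if owned; otherwise assumed derived from z_i.
    return {i: key_image(own_keys[i] if i in own_keys else blinders[i], addr)
            for i, addr in enumerate(anon_set)}

def linked_addresses(proof_images, later_spend_images):
    # Observer at t2: a spend reusing a key image from the t1 proof exposes P_i.
    seen = set(later_spend_images)
    return sorted(i for i, img in proof_images.items() if img in seen)

def is_unspent(x_i, addr_i, spent_images):
    # Statement from the text, evaluated with the witness x_i (no zero knowledge):
    # for every spent I_j, log_{H(P_i)} I_j != log_g P_i, i.e. H(P_i)^{x_i} != I_j.
    return all(key_image(x_i, addr_i) != img for img in spent_images)

def demo():
    secrets = [11, 22, 33, 44, 55]               # constructed secret keys
    anon_set = [address(x) for x in secrets]
    own_keys = {1: 22, 3: 44}                    # the exchange owns indices 1 and 3
    blinders = {0: 101, 2: 303, 4: 505}          # constructed z_i for the others
    proof = proof_key_images(anon_set, own_keys, blinders)       # published at t1
    spends = [key_image(44, anon_set[3]),        # t2: the exchange spends index 3
              key_image(55, anon_set[4])]        # t2: an unrelated owner spends index 4
    return (linked_addresses(proof, spends),
            is_unspent(22, anon_set[1], spends),
            is_unspent(44, anon_set[3], spends))
```

`demo()` returns the indices an observer can attribute to the exchange after the later spends, followed by the unspent check for the two owned addresses.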
[^1]: [Monero Project](https://web.getmonero.org/)

Dynamic Boltzmann Machines (2019-05-01)

Dynamic Boltzmann Machine (DyBM) was proposed by *Osogami et al.* in 2015 when their team at [IBM, Tokyo](https://www.ibm.com/blogs/research/category/ibmres-tokyo/) showed how a network of just 7 neurons could memorize a sequence of letters of the alphabet[^1]. Inspired by this work, we set out to explore DyBM and realize its usefulness in boosting performance in time-series prediction related tasks.
The Dynamic Boltzmann machine beautifully incorporates the notion of time in the existing
framework of Boltzmann machines. It consists of infinite layers of neurons unfolded in time.
There are no neuronal connections in space; the only connections between neurons are in time.
<center>
{% include image.html name="dybm_var.png" caption="The basic structures of the variants of the Boltzmann machines" %}
</center>
DyBM is essentially an energy-minimization model. The most interesting aspect of DyBM is its interpretation in terms of biological neuronal networks. A DyBM consists of a network of neurons and memory units. Between two neurons, we have two separate uni-directional FIFO queues storing the past states of the pre-synaptic neuron. Also, each neuron has a memory unit for storing *neural eligibility traces*, which summarize the neuron's activities in the past. A *synaptic eligibility trace* is associated with a synapse between a pre-synaptic neuron and a post-synaptic neuron, and summarizes the spikes that have arrived at the synapse, via the FIFO queue, from the pre-synaptic neuron.
Realization of DyBM in hardware is a promising direction for research, owing to the advent of SNN-based chips like [Intel's Loihi](https://www.intel.in/content/www/in/en/research/neuromorphic-computing.html) [^2] and [IBM's Truenorth](https://www.ibm.com/blogs/research/tag/truenorth/). We were able to come up with an initial framework for hardware realisation of DyBM.
To validate the results of DyBM on a real life time-series, we used RNN Gaussian DyBM to predict a
variable in different tasks. We use LSTM networks as a benchmark to compare the results of DyBM since LSTMs have recently emerged as the state-of-the-art model for time-series prediction. We observe that the DyBM model *occasionally outperforms* the results of LSTM. We compare the results using RMSE as a metric.
<center>
{% include image.html name="dybm_comparison.png" caption="Single dimensional time-series prediction of exchange rate of AUD wrt USD." %}
</center>
[^1]: [Seven neurons memorizing sequences of alphabetical images via spike-timing dependent plasticity](https://www.nature.com/articles/srep14149)
[^2]: [Loihi: A Neuromorphic Manycore Processor with On-Chip Learning](https://ieeexplore.ieee.org/document/8259423)