Bulletproofs+ is a recently proposed range proof which is similar in spirit to Bulletproofs. Both of these range proof protocols enable proof sizes logarithmic in the number of bits of the range using a recursive inner product protocol. Bulletproofs relies on the improved inner product protocol 1 while Bulletproofs+ uses a weighted inner product protocol 2.
Improved Inner Product Argument
The recursive inner product argument introduced in [1] gives an argument of knowledge for the language given by
where σ=(G,q=∣G∣,u∈G) is the common reference string (crs).
Note that P is a Pedersen vector commitment to a,b∈Zqn.
We can write the witness as a=(aL,aR)∈Zq2n×2 and b=(bL,bR)∈Zq2n×2.
Similarly, the base vectors can be written as g=(gL,gR)∈G2n×2 and h=(hL,hR)∈G2n×2. Now, we compute Pedersen vector commitments to the vector tuples (aL,bR) and aR,bL as
Instead of publishing vectors (a^,b^), we can further repeat the same process of dividing (a^,b^) in halves and compute (L1,R1,a^1,b^1) and so on until we are left with scalars (a^,b^)∈Zq.
This is the main idea of the log-sized inner product protocol and the proof is of the form
Note that the above argument is perfectly complete and sound, but not zero-knowledge.
This is because we cannot construct a PPT simulator who could generate a valid transcript given statement and the crs.
Weighted Inner Product Argument
The weighted inner product argument uses a weighted inner product operation ⊙y:Zqn×Zqn↦Zq defined as
a⊙yb=⟨a,y∘b⟩
where y=(y,y2,…,yn)∈Zqn and n=∣a∣=∣b∣. The weighted inner product is essentially a way to combine multiple equations into a single equation. For instance,
a∘b=c∈Zqn represent n distinct equations.
The weighted inner product combines these equations to give a single equation of the form
i=1∑nyi⋅(aibi)=a⊙yb=⟨c,y⟩
The weighted inner product protocol is also bilinear and satisfies the following property 3a⊙yb=aL⊙ybL+(y2n⋅aR)⊙ybR.
We now wish to design a proof system based on the weighted inner product.
The language of the weighted inner product protocol becomes
LWIP(σ)={statementg,h∈Gn,P∈G,c∈Zq;witnessa,b∈Zqn∣∣∣∣∣relationP=ga⋅hb⋅uc∧c=a⊙yb}
Similar to the inner product protocol, suppose the prover commits to vectors (aL,bR) and (aR,bL) and the scalars cL=aL⊙ybR,cR=(y2n⋅aR)⊙ybL,
the prover must convince the verifier of the relation c=a⊙yb.
For this, we blind the original witness vectors using a challenge scalar x∈Zq.
a^=xaL+x−1(y2n⋅aR),b^=x−1bL+xbR.⟹a^⊙yb^=x2cL+c+x−2cR.
Now, similar to the inner product argument, the 4-tuple (L,R,a^,b^) becomes a valid proof of knowledge of the witness. We can shrink this argument too to logarithmic in the size of witness vectors.
The WIP based argument presented in Bulletproofs+ paper is zero-knowledge as against the inner product argument.
This is achieved by including randomly chosen blinding factors dL,dR∈Zq in computing the Pedersen vector commitments L,R as
where h∈G. Further, in the last round of the protocol, instead of sending a^,b^∈Z, we use a sigma-like protocol yeilding constant communication and computation.
This is the main difference in the inner product and the weighted inner product arguments.
We will see in the next blog how this helps building Bulletproofs+ - a range proof protocol with proof size shorter than that of Bulletproofs.
References and Notes
Benedikt Bünz et al, “Bulletproofs: Short Proofs for Confidential Transactions and More”, in Cryptology ePrint Archive, Report 2017/1066, Available at https://eprint.iacr.org/2017/1066.pdf↩
Chung H. et al, “Bulletproofs+: Shorter Proofs for Privacy-Enhanced Distributed Ledger”, in Cryptology ePrint Archive, Report 2020/735, Available at https://eprint.iacr.org/2020/735.pdf. ↩
Note that aL⊙ybL=⟨aL,(y,y2,…,y2n)∘bL⟩ for aL,bL∈Zq2n. ↩