
docs: range proofs #82

Merged
merged 3 commits into from
Dec 9, 2022

Conversation

@AaronFeickert AaronFeickert commented Dec 6, 2022

Description

Adds a new RFC-0181 to describe Tari-specific implementation details relevant to the Bulletproofs+ range proving system: extended commitments, aggregation, batch verification, minimum value assertion, and designated-verifier mask recovery.

Supersedes the existing RFC-0180 describing Bulletproofs mask recovery and data extraction, which is now deprecated.

Motivation and Context

The existing RFC-0180 describes mask recovery and data extraction for the Bulletproofs range proving system. However, the Tari protocol now uses Bulletproofs+, which uses a different method for mask recovery. Further, the Bulletproofs+ implementation supports additional useful features like extended commitments, batch verification, and minimum value assertion.

This work creates a unified RFC-0181 that describes how these features work and are implemented.

It supersedes RFC-0180. There is concurrent work by @brianp on range proof rewinding that includes benchmark data.

How Has This Been Tested?

Tested by building locally and checking that the math doesn't render too horribly...

@AaronFeickert AaronFeickert changed the title docs: Bulletproofs+ range proofs docs: range proofs Dec 6, 2022

@hansieodendaal hansieodendaal left a comment

Hi @AaronFeickert,

Thank you for this.

This write-up has a very nice introduction and starts off being a not-too-difficult read; however, this may only be me, but I find it extremely difficult to reference this work back to the two precursor preprints for Zarcanum and BP+, especially the Extended commitments and Aggregation paragraph.

Maybe a reference to the Zarcanum/BP+ pre-print would help?


![status: draft](theme/images/status-draft.svg)

**Maintainer(s)**: [Hansie Odendaal](https://github.com/hansieodendaal)

Suggested change
**Maintainer(s)**: [Hansie Odendaal](https://github.com/hansieodendaal)
**Maintainer(s)**: [Aaron Feickert](https://github.com/aaronfeickert)


We now describe how to reduce verification of a single aggregated range proof using extended commitments to a single multiscalar multiplication operation.
A partial approach is described in the Bulletproofs+ preprint.
The single multiscalar multiplication used to verify an aggregated range proof can be written more explicitly in our case by accounting for the extra steps used to support extended commitments, and by noting that the $P$ input term to the weighted inner product argument is replaced by the term $\widehat{A}$ defined in the overall range proving protocol.

I would add a reference to the Zarcanum/BP+ pre-print here for P

is a scalar defined entirely in terms of constants and challenge values from the proof.
Grouping terms, we find that a single aggregated range proof can be verified as:
\\[
\sum\_i (r'es\_i + e^2z) G\_i + \sum\_i (s'es\_i' - e^2(z + d\_iy^{mn-i})) H\_i + \left( r'ys' - e^2x + e^2y^{mn+1}\sum\_k z^{2(k+1)}v\_{\text{min},k} \right) G\_c + \sum\_l \delta\_l' H\_{c,l}
- \sum\_k (y^{mn+1}z^{2(k+1)}e^2) V\_k - e^2 A - \sum\_j (e^2e\_j^2) L\_j - \sum\_j (e^2e\_j^{-2}) R\_j - e A' - B = 0

Please split this equation across two lines


Suppose we index the inner product generator vectors $\vec{G}$ and $\vec{H}$ using $i$, the inner product recursion generator vectors $\vec{L}$ and $\vec{R}$ using $j$, the aggregated commitment vector $\vec{V}$ by $k$, and the extended commitment mask generator vector $\vec{H}\_c$ by $l$.
We assume indexing starts at zero unless otherwise noted.
Single aggregated proof verification reduces to the following:

Again, a reference to the Zarcanum/BP+ pre-print would help, and everywhere else

Aggregation of range assertions using Pedersen commitments is described in the Bulletproofs+ preprint, and the Zarcanum preprint describes the corresponding changes for extended commitments.
Batch verification is described only informally in the Bulletproofs+ preprint, and in an incomplete fashion.
Minimum value assertion is not addressed in the preprint.
An approach to mask and value recovery was [used by Grin](https://github.com/mimblewimble/grin-wallet/issues/105) for a different range proving system, and can be modified to support Bulletproofs+ range proofs with extended commitments.

We can also reference the deprecated RFC-0180 here as the previous Tari implementation for mask and value recovery

It is possible for the prover to perform careful modifications to a non-aggregated range proof in order to allow a designated verifier to recover the masks used in the corresponding extended commitment.
The construction we describe here does not affect the verification process for non-designated verifiers.
Note that this construction requires a non-aggregated proof that contains a range assertion for only a single commitment.
Unlike the approach described initially by Grin for the Bulletproofs range proving system, it is not possible to embed additional data (like the commitment value) into a Bulletproofs+ range proof.

Suggested change
Unlike the approach described initially by Grin for the Bulletproofs range proving system, it is not possible to embed additional data (like the commitment value) into a Bulletproofs+ range proof.
Unlike the approach described initially used by Tari for the Bulletproofs range proving system, it is not possible to embed additional data (like the commitment value) into a Bulletproofs+ range proof.


After sampling a nonce seed, the prover passes it through an appropriate set of domain-separated hash functions with scalar output to generate the following nonces used in the proof:
\\[
\\{\eta\_k\\}, \\{\delta\_k\\}, \\{\alpha\_k\\}, \\{d\_{L,j,k}\\}, \\{d\_{R,j.k}\\}

Suggested change
\\{\eta\_k\\}, \\{\delta\_k\\}, \\{\alpha\_k\\}, \\{d\_{L,j,k}\\}, \\{d\_{R,j.k}\\}
\\{\eta\_k\\}, \\{\delta\_k\\}, \\{\alpha\_k\\}, \\{d\_{L,j,k}\\}, \\{d\_{R,j,k}\\}

Contributor Author

Nice catch! Your eyes are clearly better than mine!
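The nonce-derivation step quoted in the review context above (one sampled seed expanded through domain-separated hash functions with scalar output into the eta, delta, alpha, d_L and d_R families) is shown here as an added example; it is not part of the RFC and not Tari's code. The group order (ristretto255), the byte labels, the little-endian index encoding, the seed-length check and the function names are this example's own assumptions, chosen to illustrate the two properties a designated verifier relies on: anyone holding the seed recomputes exactly the same scalars, and no two nonces collide because every input is length-prefixed before hashing.

```python
import hashlib
import secrets

# Order of the ristretto255 / curve25519 prime-order group. Assumption for this
# example only: the RFC text quoted above does not fix the curve.
GROUP_ORDER = 2**252 + 27742317777372353535851937790883648493


def _encode(*parts: bytes) -> bytes:
    """Length-prefix every part so (b"ab", b"c") and (b"a", b"bc") hash differently."""
    return b"".join(len(p).to_bytes(8, "little") + p for p in parts)


def hash_to_scalar(domain: bytes, *parts: bytes) -> int:
    """Domain-separated hash with scalar output: SHA-512 reduced mod the group order.

    The 64-byte digest is reduced in full ("wide" reduction), which keeps the
    bias negligible; reducing a 32-byte digest mod a 253-bit order would not.
    """
    digest = hashlib.sha512(_encode(domain, *parts)).digest()
    return int.from_bytes(digest, "little") % GROUP_ORDER


def derive_nonces(seed: bytes, m: int, rounds: int) -> dict:
    """Expand one nonce seed into the five nonce families named in the RFC text.

    eta, delta, alpha are indexed by k; d_L and d_R by recursion round j and k.
    The labels and the 4-byte little-endian index encoding are this example's
    choices (hypothetical), not Tari's.
    """
    if len(seed) < 32:
        raise ValueError("nonce seed must carry at least 256 bits of entropy")

    def idx(*ints: int) -> list:
        return [i.to_bytes(4, "little") for i in ints]

    return {
        "eta":   [hash_to_scalar(b"eta",   seed, *idx(k)) for k in range(m)],
        "delta": [hash_to_scalar(b"delta", seed, *idx(k)) for k in range(m)],
        "alpha": [hash_to_scalar(b"alpha", seed, *idx(k)) for k in range(m)],
        "d_L": [[hash_to_scalar(b"d_L", seed, *idx(j, k)) for k in range(m)]
                for j in range(rounds)],
        "d_R": [[hash_to_scalar(b"d_R", seed, *idx(j, k)) for k in range(m)]
                for j in range(rounds)],
    }


def all_distinct(nonces: dict) -> bool:
    """True if no scalar appears twice across all families (a collision would
    leak linear relations between proof elements to any verifier)."""
    flat = []
    for family in nonces.values():
        for entry in family:
            flat.extend(entry if isinstance(entry, list) else [entry])
    return len(flat) == len(set(flat))


def new_seed() -> bytes:
    """Fresh 32-byte seed from the OS CSPRNG; a seed must never be reused
    across proofs, since the same nonces would then appear in two proofs."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    # Constructed, fixed seed so the run is reproducible; use new_seed() in practice.
    seed = bytes(range(32))
    prover_view = derive_nonces(seed, m=1, rounds=6)
    verifier_view = derive_nonces(seed, m=1, rounds=6)
    print("designated verifier recomputes nonces:", prover_view == verifier_view)
    print("all nonces distinct:", all_distinct(prover_view))
```

Only the seed needs to travel from prover to designated verifier; every nonce in the proof is then a pure function of the seed and its label, which is what lets the verifier strip the nonces back out of the transcript. Treat the seed with the same care as the mask it protects.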

@brianp

brianp commented Dec 7, 2022

@AaronFeickert Cheers for this.

There is #55 by @brianp on range proof rewinding that includes benchmark data.

As far as the rewinding goes, any additional information you can add is helpful. The existing benchmarks are as far as I've gotten with RFC content (and this information was taken from our other repositories). If you were able to write a similar breakdown for rewinding it would also be very useful.

Once reviewed/merged I can layer in an additional PR with any other useful information I have.

@AaronFeickert

> @AaronFeickert Cheers for this.
>
> There is #55 by @brianp on range proof rewinding that includes benchmark data.
>
> As far as the rewinding goes, any additional information you can add is helpful. The existing benchmarks are as far as I've gotten with RFC content (and this information was taken from our other repositories). If you were able to write a similar breakdown for rewinding it would also be very useful.
>
> Once reviewed/merged I can layer in an additional PR with any other useful information I have.

Sounds good. Feel free to make a separate PR after merging to include the benchmarks.

As to additional mask recovery details, I intentionally didn't include specific information on how nonce seeds are derived in practice, since that's separate from the underlying mathematics. The idea was to keep this PR as self-contained as possible to the Bulletproofs+ implementation. I'm certainly open to any ideas on how best to communicate mask recovery to the reader.

@AaronFeickert

Updated for cleanup and to address review comments. Deprecates RFC-0180.


@hansieodendaal hansieodendaal left a comment

Hi @AaronFeickert, thank you for the updates, it certainly helps.

This RFC definitely fills the gap in the math that we needed, however, in my opinion, this together with the BP+ and Zarcanum pre-prints is still too abstract for a developer to link to our implementation of BP+, including myself.

I vote that we approve and merge this RFC, but that we add an issue to produce an RFC that contains all the math algebraic equations of the entire BP+ protocol in a single document in an easily linkable manner to the BP+ implementation. That RFC can also contain related equations for the multi-party BP+ protocol.

@AaronFeickert

I wonder if a better approach might simply be improving the code comments for the prover, since the prover implementation follows the preprint algorithm steps pretty closely.

I do not think that a similar approach works nearly as well for the verifier; because of the optimizations shown in this RFC, there is not a neat and tidy correlation between the verifier steps in the preprint and the code. The preprint algorithms show the interactive steps for a single aggregated proof, which doesn't translate cleanly to the batch case.

Documenting the multiparty BP+ prover algorithm should be straightforward, at least as it applies to the changes between the original prover and the multiparty prover. Rewriting all the steps of this prover would be tedious and probably not insightful for the reader, but showing exactly where the parties deviate from the existing protocol (as is done now in the PDF version of the prover algorithm) should be very clear.


@CjS77 CjS77 left a comment

Nice

@CjS77 CjS77 merged commit 3586ff5 into tari-project:main Dec 9, 2022
@AaronFeickert AaronFeickert deleted the bp-plus-math branch December 9, 2022 14:14