[][src]Struct bulletproofs::range_proof::RangeProof

pub struct RangeProof {
    A: CompressedRistretto,
    S: CompressedRistretto,
    T_1: CompressedRistretto,
    T_2: CompressedRistretto,
    t_x: Scalar,
    t_x_blinding: Scalar,
    e_blinding: Scalar,
    ipp_proof: InnerProductProof,
}

The RangeProof struct represents a proof that one or more values are in a range.

The RangeProof struct contains functions for creating and verifying aggregated range proofs. The single-value case is implemented as a special case of aggregated range proofs.

The bitsize of the range, as well as the list of commitments to the values, are not included in the proof, and must be known to the verifier.

This implementation requires that both the bitsize n and the aggregation size m be powers of two, so that n = 8, 16, 32, 64 and m = 1, 2, 4, 8, 16, .... Note that the aggregation size is not given as an explicit parameter, but is determined by the number of values or commitments passed to the prover or verifier.

Note

For proving, these functions run the multiparty aggregation protocol locally. That API is exposed in the aggregation module and can be used to perform online aggregation between parties without revealing secret values to each other.

Fields

A: CompressedRistretto

Commitment to the bits of the value

S: CompressedRistretto

Commitment to the blinding factors

T_1: CompressedRistretto

Commitment to the \(t_1\) coefficient of \( t(x) \)

T_2: CompressedRistretto

Commitment to the \(t_2\) coefficient of \( t(x) \)

t_x: Scalar

Evaluation of the polynomial \(t(x)\) at the challenge point \(x\)

t_x_blinding: Scalar

Blinding factor for the synthetic commitment to \(t(x)\)

e_blinding: Scalar

Blinding factor for the synthetic commitment to the inner-product arguments

ipp_proof: InnerProductProof

Proof data for the inner-product argument.

Methods

impl RangeProof[src]

pub fn prove_single(
    bp_gens: &BulletproofGens,
    pc_gens: &PedersenGens,
    transcript: &mut Transcript,
    v: u64,
    v_blinding: &Scalar,
    n: usize
) -> Result<(RangeProof, CompressedRistretto), ProofError>[src]

Create a rangeproof for a given pair of value v and blinding scalar v_blinding. This is a convenience wrapper around RangeProof::prove_multiple.

Example

extern crate rand;
use rand::thread_rng;

extern crate curve25519_dalek;
use curve25519_dalek::scalar::Scalar;

extern crate merlin;
use merlin::Transcript;

extern crate bulletproofs;
use bulletproofs::{BulletproofGens, PedersenGens, RangeProof};

// Generators for Pedersen commitments.  These can be selected
// independently of the Bulletproofs generators.
let pc_gens = PedersenGens::default();

// Generators for Bulletproofs, valid for proofs up to bitsize 64
// and aggregation size up to 1.
let bp_gens = BulletproofGens::new(64, 1);

// A secret value we want to prove lies in the range [0, 2^32)
let secret_value = 1037578891u64;

// The API takes a blinding factor for the commitment.
let blinding = Scalar::random(&mut thread_rng());

// The proof can be chained to an existing transcript.
// Here we create a transcript with a doctest domain separator.
let mut prover_transcript = Transcript::new(b"doctest example");

// Create a 32-bit rangeproof.
let (proof, committed_value) = RangeProof::prove_single(
    &bp_gens,
    &pc_gens,
    &mut prover_transcript,
    secret_value,
    &blinding,
    32,
).expect("A real program could handle errors");

// Verification requires a transcript with identical initial state:
let mut verifier_transcript = Transcript::new(b"doctest example");
assert!(
    proof
        .verify_single(&bp_gens, &pc_gens, &mut verifier_transcript, &committed_value, 32)
        .is_ok()
);

pub fn prove_multiple(
    bp_gens: &BulletproofGens,
    pc_gens: &PedersenGens,
    transcript: &mut Transcript,
    values: &[u64],
    blindings: &[Scalar],
    n: usize
) -> Result<(RangeProof, Vec<CompressedRistretto>), ProofError>[src]

Create a rangeproof for a set of values.

Example

extern crate rand;
use rand::thread_rng;

extern crate curve25519_dalek;
use curve25519_dalek::scalar::Scalar;

extern crate merlin;
use merlin::Transcript;

extern crate bulletproofs;
use bulletproofs::{BulletproofGens, PedersenGens, RangeProof};

// Generators for Pedersen commitments.  These can be selected
// independently of the Bulletproofs generators.
let pc_gens = PedersenGens::default();

// Generators for Bulletproofs, valid for proofs up to bitsize 64
// and aggregation size up to 16.
let bp_gens = BulletproofGens::new(64, 16);

// Four secret values we want to prove lie in the range [0, 2^32)
let secrets = [4242344947u64, 3718732727u64, 2255562556u64, 2526146994u64];

// The API takes blinding factors for the commitments.
let blindings: Vec<_> = (0..4).map(|_| Scalar::random(&mut thread_rng())).collect();

// The proof can be chained to an existing transcript.
// Here we create a transcript with a doctest domain separator.
let mut prover_transcript = Transcript::new(b"doctest example");

// Create an aggregated 32-bit rangeproof and corresponding commitments.
let (proof, commitments) = RangeProof::prove_multiple(
    &bp_gens,
    &pc_gens,
    &mut prover_transcript,
    &secrets,
    &blindings,
    32,
).expect("A real program could handle errors");

// Verification requires a transcript with identical initial state:
let mut verifier_transcript = Transcript::new(b"doctest example");
assert!(
    proof
        .verify_multiple(&bp_gens, &pc_gens, &mut verifier_transcript, &commitments, 32)
        .is_ok()
);

pub fn verify_single(
    &self,
    bp_gens: &BulletproofGens,
    pc_gens: &PedersenGens,
    transcript: &mut Transcript,
    V: &CompressedRistretto,
    n: usize
) -> Result<(), ProofError>[src]

Verifies a rangeproof for a given value commitment \(V\).

This is a convenience wrapper around verify_multiple for the m=1 case.

pub fn verify_multiple(
    &self,
    bp_gens: &BulletproofGens,
    pc_gens: &PedersenGens,
    transcript: &mut Transcript,
    value_commitments: &[CompressedRistretto],
    n: usize
) -> Result<(), ProofError>[src]

Verifies an aggregated rangeproof for the given value commitments.

pub fn to_bytes(&self) -> Vec<u8>[src]

Serializes the proof into a byte array of \(2 \lg n + 9\) 32-byte elements, where \(n\) is the number of secret bits.

Layout

The layout of the range proof encoding is:

  • four compressed Ristretto points \(A,S,T_1,T_2\),
  • three scalars \(t_x, \tilde{t}_x, \tilde{e}\),
  • \(n\) pairs of compressed Ristretto points \(L_0,R_0\dots,L_{n-1},R_{n-1}\),
  • two scalars \(a, b\).

pub fn from_bytes(slice: &[u8]) -> Result<RangeProof, ProofError>[src]

Deserializes the proof from a byte slice.

Returns an error if the byte slice cannot be parsed into a RangeProof.

Trait Implementations

impl Clone for RangeProof[src]

impl Debug for RangeProof[src]

impl<'de> Deserialize<'de> for RangeProof[src]

impl Serialize for RangeProof[src]

Auto Trait Implementations

impl RefUnwindSafe for RangeProof

impl Send for RangeProof

impl Sync for RangeProof

impl Unpin for RangeProof

impl UnwindSafe for RangeProof

Blanket Implementations

impl<T> Any for T where
    T: 'static + ?Sized[src]

impl<T> Borrow<T> for T where
    T: ?Sized[src]

impl<T> BorrowMut<T> for T where
    T: ?Sized[src]

impl<T> DeserializeOwned for T where
    T: Deserialize<'de>, [src]

impl<T> From<T> for T[src]

impl<T, U> Into<U> for T where
    U: From<T>, [src]

impl<T> Same<T> for T

type Output = T

Should always be Self

impl<T> ToOwned for T where
    T: Clone[src]

type Owned = T

The resulting type after obtaining ownership.

impl<T, U> TryFrom<U> for T where
    U: Into<T>, [src]

type Error = !

The type returned in the event of a conversion error.

impl<T, U> TryInto<U> for T where
    U: TryFrom<T>, [src]

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.