1 Introduction

Cryptocurrencies like Bitcoin [40] enable decentralized, peer-to-peer payments by maintaining a distributed public ledger called the blockchain. While this innovation has permitted an unprecedented degree of financial autonomy on the Internet, the fact that every transaction leaves a permanent record in the blockchain poses a substantial threat to the financial privacy of users. Even though cryptocurrency transactions are not typically associated with real-world identities, a surprisingly large amount of information can be extracted from the data recorded in the blockchain [24, 38, 48].

Among the most glaring pieces of data that an observer can extract are the amounts of funds that transactions move from sender to recipient. These monetary amounts are stored as plain integers in many popular cryptocurrencies, including Bitcoin, which makes it easy for blockchain nodes to verify that a transaction is balanced, i.e., that the sum of all its input amounts equals the sum of all its output amounts (except for a small fee given to the miners).

Confidential Transactions. A common countermeasure to this leak of information, e.g., as suggested first in the “Confidential Transactions” proposal [26, 37] (CT), is to hide the monetary amounts in homomorphic commitments such as Pedersen commitments. The additive homomorphism ensures that blockchain nodes can verify the amounts in a confidential transaction without learning the plain amounts, by performing the necessary additions for checking the balance equation on the homomorphic commitments instead of the plain amounts. However, this approach is only sound if the amounts do not overflow during the homomorphic addition, because this would allow an attacker to violate balance and thus create money out of thin air. To exclude overflow, transactions are required to carry a non-interactive zero-knowledge (NIZK) range proof that demonstrates that committed amounts are in a range \([0,2^b)\) of non-negative integers much smaller than the message space of the commitment scheme.
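As an added illustration of the balance check and the overflow problem described above (example code written for this edit, not from the paper or from any CT implementation): a toy Pedersen commitment in a constructed, insecure prime-order group with p = 1019, and two transactions that both pass the commitment-level balance check while only the second one wraps around modulo p. The helper names (commit, balanced, in_range and the two transaction functions) are assumptions of this example.

```python
# Added example (not from the paper): why Confidential Transactions need range
# proofs. Toy Pedersen commitments in a prime-order subgroup of Z_q^*, with
# constructed, insecure parameters: q = 2039 is a safe prime, p = 1019 = (q-1)/2.
Q = 2039          # modulus of the ambient group Z_q^*
P = 1019          # prime order of the subgroup; scalars (amounts, blindings) live in F_p
G = 4             # 2^2 is a quadratic residue mod Q, hence of order P
H = 9             # 3^2 likewise; a real deployment derives H so that log_G(H) is unknown
BITS = 4          # amounts are valid only in [0, 2^BITS); 2^BITS must be much smaller than P

def commit(v: int, r: int) -> int:
    """Pedersen commitment Com(v; r) = G^v * H^r (multiplicative notation)."""
    return (pow(G, v % P, Q) * pow(H, r % P, Q)) % Q

def add(c1: int, c2: int) -> int:
    """Homomorphism: Com(v1; r1) * Com(v2; r2) = Com(v1 + v2; r1 + r2)."""
    return (c1 * c2) % Q

def balanced(inputs: list[int], outputs: list[int], fee: int) -> bool:
    """What a node can check without seeing amounts: inputs == outputs + fee,
    evaluated on the commitments. The fee is public, so it is committed with r = 0."""
    lhs = 1
    for c in inputs:
        lhs = add(lhs, c)
    rhs = commit(fee, 0)
    for c in outputs:
        rhs = add(rhs, c)
    return lhs == rhs

def in_range(v: int) -> bool:
    """The statement a range proof establishes in zero knowledge for each output;
    the node never sees v itself, which is why the proof is mandatory."""
    return 0 <= v < 2 ** BITS

def honest_transaction() -> tuple[bool, bool]:
    """Spend 10 as 7 + 2 with fee 1. The sender picks output blinding factors
    whose sum equals the input blinding factor (5 = 2 + 3)."""
    inputs = [commit(10, 5)]
    outs = [(7, 2), (2, 3)]                      # (amount, blinding), constructed
    outputs = [commit(v, r) for v, r in outs]
    return balanced(inputs, outputs, fee=1), all(in_range(v) for v, _ in outs)

def overflowing_transaction() -> tuple[bool, bool]:
    """Same input, but outputs 11 and (-2 mod p): 11 + (p - 2) + 1 == 10 (mod p),
    so the commitment-level balance check passes although 11 > 10 - 1.
    Only the range condition on the outputs exposes the wrap-around."""
    inputs = [commit(10, 5)]
    outs = [(11, 2), (P - 2, 3)]
    outputs = [commit(v, r) for v, r in outs]
    return balanced(inputs, outputs, fee=1), all(in_range(v) for v, _ in outs)
```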

Bulletproofs. Motivated by this application, the seminal Bulletproofs (BP) by Bünz et al. [8] was the first to achieve range proofs with an asymptotic size logarithmic in the number of bits in the range as well as concrete sizes less than \(1\,\)kB. Moreover, BP supports aggregate proving, i.e., a single range proof can cover multiple commitments at once, and this proof is significantly more compact than proving each commitment separately. This efficiency makes it feasible to use BP in cryptocurrencies, and BP range proofs have been successfully deployed in Grin [27] and Monero [39] in conjunction with other privacy-preserving features.

However, even though Monero has subsequently upgraded [47] to Chung et al. [15]’s recent improvement Bulletproofs+ (BP+), which reduces the size of a single 64-bit range proof to 576 bytes, range proofs still account for 29% to 42% of the size of a typical Monero transaction. These concrete storage costs as well as the concrete verification efficiency still leave much to be desired, considering that all nodes in a cryptocurrency are required to download and verify the entirety of all range proofs created within the system.

Multi-asset Confidential Transactions (MACT). While the initial CT proposal [37] supports only a single asset (e.g., only Bitcoin), the protocol by Poelstra et al. [43] (as deployed for instance in the Liquid sidechain [41]) extends the idea to multi-asset confidential transactions (MACT), i.e., a single transaction can transfer multiple assets simultaneously, and no observer can learn the transacted amounts or the involved assets. Moreover, the range proof construction used in this protocol supports multi-party proving for transactions created by multiple senders. This is a prerequisite to using coin mixing protocols [36] on top of MACT, which further enhance privacy.

However, it is thus far unclear how to fully leverage the potential of BP in MACT protocols. While it is possible to implement the range proofs in MACT using BP, the protocol by Poelstra et al. [43] requires additional zero-knowledge surjection proofs to show that the assets on the output side of the transaction are a permutation of the assets on the input side of the transaction. These additional proofs are large, and since they are constructed using techniques different from BP, it is not possible to aggregate them together with BP range proofs. The approach taken by the Cloak [50] MACT protocol overcomes this problem by using BP to encode a permutation argument as an arithmetic circuit. This avoids surjection proofs, but the way the circuit is constructed makes it incompatible with known multi-party proving techniques for BP. In summary, there is currently no solution to MACT that is practical and compatible with BP.

1.1 Contributions

The main contribution of this work is Bulletproofs++ (BP++), a zero-knowledge argument of knowledge for arithmetic circuits in the discrete logarithm setting.

Reciprocal Argument. At the core of BP++ is the reciprocal argument, a novel interactive argument protocol that generalizes permutation arguments and set membership arguments. This approach builds on the work by Bayer, Groth [3], who encode a multiset as the roots of a polynomial, and whose basic technique has been extended to show richer permutation arguments in plookup [21] and plays a critical role in protocols based on Plonk [22]. These protocols use a “grand product”, i.e., the product of numerous committed values, to show that a particular permutation, which encodes the structure of an arithmetic circuit, was applied correctly. The reciprocal argument of BP++ is essentially the logarithmic derivative of the polynomials used by Bayer-Groth permutation arguments. The logarithmic derivative transforms a product of linear factors into a sum, thereby linearizing the representation of the multiset.

Table 1. Range proof sizes compared to previous work. The range column of the table (\(m\times n\)) indicates the number of aggregated proofs (m) and bits of range proven (n) by each proof. We express the resulting proof size in terms of the number of group elements g and scalars s. Values denoted by dash (—) are not provided in the Flashproofs paper [51].

Since the initial publication of a preprint of our work, the reciprocal argument has already been used in several other works: Haböck [31] modifies the “grand product” of Hyperplonk [13] to use a variant of the reciprocal argument, which he rederives via the logarithmic derivative. Eagen, Fiore, Gabizon [18] develop a more asymptotically and concretely performant lookup argument, improving upon the sequence of works beginning with Caulk [45, 54]. As evident from these works, the reciprocal argument is clearly of independent interest.

Compactness and Efficiency. BP++’s novel techniques improve the compactness and efficiency of BP(+) significantly. Table 1 compares the size of BP++ range proofs with SwiftRange [52], Flashproofs [51], BP [8] and BP+ [15] range proofs. As demonstrated by the table, BP++ has a clear advantage in terms of proof size compared to the alternatives.

The time needed for proving and verification is dominated in practice by multiplications of group elements with scalars. In BP and BP+ range proofs, the count of these multiplications scales linearly with n. However, BP++ offers an asymptotic improvement, reducing the count to \(O(n/\log n)\). The benchmarks in Sect. 7 demonstrate that BP++’s improvements do in fact translate to actual implementations. A 64-bit range proof takes roughly 4 ms for proving and 0.9  ms for verifying, making it \(5\times \) quicker than BP in proving and \(3\times \) quicker in verification.

Modularity Without Sacrificing Performance. Since BP++ is capable of proving arbitrary statements encoded in arithmetic circuits, it is possible to construct range proofs and MACT simply by an arithmetic circuit that encodes the relation. Unlike BP(+), we adopt this methodology because our techniques allow for the creation of a range proof that is nearly as efficient as a direct construction of such a proof. Our approach simplifies the security analysis of range proofs and MACT, as they inherit the security properties of the arithmetic circuit protocol, provided that the circuit accurately encodes the relation. This demonstrates the potential of reusing the BP++ arithmetic circuit protocol with the reciprocal argument in other applications.

MACT. On the MACT side, we introduce a BP++ MACT protocol (again by specifying an arithmetic circuit) that relies on the same asset representation as Cloak but uses an instance of the reciprocal argument, substantially simplifying the permutation argument. The marginal cost of a BP++ MACT over an aggregated range proof is negligible in prover and verifier time, and proof size.

Compatibility with BP. Since BP++ maintains the same interface and security assumptions established by BP(+), BP++ is a drop-in replacement for existing uses of BP(+). For example, BP range proofs in existing protocols like Grin [27], Monero [39], and Liquid [41] can be replaced without any change in security assumptions and with only minimal modification to existing protocols. This is also true for statements encoded as general arithmetic circuits. Moreover, the MACT protocol uses the same asset representation as Cloak, and so can be directly substituted for Cloak for smaller proof sizes and faster prover and verifier. These replacements retain all benefits of BP:

  • Aggregate proving. A prover who would like to prove multiple statements simultaneously can create a single aggregated proof, which is more compact than simply giving multiple independent proofs. For example, in the common case that a cryptocurrency transaction creates \(m\ge 1\) commitments, an aggregate range proof can prove that m committed values are in range in just \(O(\log n +\log m)\) bits, instead of \(m \cdot O(\log n)\) bits in the case of m separate range proofs.

  • Multi-party aggregate proving. For the case that multiple provers want to create a single aggregated proof, BP++ offers a natural MPC protocol. Multi-party proving yields large space savings when CT is combined with coin mixing protocols [46].

  • Batch verification. Multiple (possibly aggregated) proofs can be verified in a batch computation, improving efficiency further.

  • Conservative cryptographic assumptions. BP++ is provably secure assuming only the hardness of the discrete logarithm problem and can be made non-interactive in the random oracle model, thus ensuring compatibility with assumptions widely accepted by engineers and users in the cryptocurrency ecosystem. Concretely, BP++ neither requires pairings nor cycles of curves and can be instantiated on the secp256k1 elliptic curve which is used in Bitcoin, for which a wide range of implementations exist.

  • Transparent setup. Since the public setup parameters only consist of random group elements, the setup is trustless assuming a common random string or the random oracle model.

1.2 Related Work

Range Proofs. An alternative to digit decomposition range proofs are those based on Lagrange’s four square theorem, which states that any positive integer can be written as a sum of four squares; their use for range proofs was originally proposed by Lipmaa [35]. In practice, this is often transformed to an instance of the three square theorem, as was originally observed by Groth [28]. To show that a value \(v < B\) one can find a four, or three, square decomposition of the value \(B - v\), which is positive only if the initial condition is met. These protocols require integer commitments, which require either RSA groups, and hence a trusted setup, or ideal class groups.

More recently, Couteau et al. [16] developed a bounded integer commitment protocol that requires only the discrete logarithm assumption in a group of known order. This allows them to construct three-square range proofs using elliptic curves, which are highly performant and smaller than BP and BP+ range proofs. However, BP++ range proofs remain smaller as compared to their approach. Moreover, since their bounded integer commitment scheme requires the committed values to remain in a bounded interval, their approach requires a curve with order somewhat larger than 256 bits at the 128-bit security level. This lower bound on the group size or, equivalently, on the security of their approach is inherent and applies even if one ignores the non-tightness of the security analysis when setting parameters, as often done in practice. This limits their applicability to existing blockchains.

MACT. As explained above, the original Confidential Assets protocol [43] uses surjection proofs to hide the asset type of each output from a set of possible assets. In general, the size of this set is equal to the number m of inputs to the transaction. Thus, for n outputs, the prover will do \(O(n \cdot m)\) work as compared to only \(O(n+m)\) for BP++. Since it is not known how to aggregate surjection proofs, the proof size is in \(O(n \cdot m)\).

Cloak [50] uses a more complex construction to encode a permutation over the assets into a BP circuit. This approach is a large constant factor more expensive than BP++ in terms of prover work.

Generalizations of BP. There are a number of other works building on BP, including BP+ [15] which uses a weighted inner product argument to reduce proving time and uses several other improvements to reduce proof size, and Flashproofs [51] which combine the BP inner product argument with Groth polynomial commitments [29] to reduce verifier complexity and attempt to minimize Ethereum gas costs. There has also been work to unify BP with the large, existing body of work on Sigma protocols [1], and to further generalize this to other related contexts like groups of unknown order [10] to support homomorphic commitments of arbitrary order. BP have also been generalized to inner product arguments in other contexts, including by Lee [33], who proposes a general purpose SNARK protocol over a pairing friendly curve that uses an inner product to avoid trusted setup requirements. BP are also core to the structure of Halo [6] and Halo2 [49], which are now implemented in Zcash [7] and have inspired the development of accumulation schemes [9]. These allow a prover to efficiently aggregate multiple proofs in such a way that verification time depends only on the time to verify a single proof.

2 Preliminaries

Notation. Hereafter, we denote the set of polynomially-bounded functions in the security parameter \(\lambda \) by \(poly= \{ f : \exists a \in \mathbb {N},\ f(\lambda ) \in O(\lambda ^a) \},\) the set of negligible functions in the security parameter \(\lambda \) by \(negl= \{ f : f(\lambda )^{-1} \not \in poly\}.\) A function f is overwhelming if \(1-f\) is negligible.

A probabilistic interactive Turing machine \(\mathcal {A}\) is probabilistic polynomial-time (PPT) if its runtime is in \(poly\); it is probabilistic expected polynomial-time (expected-PPT) if its expected runtime is in \(poly\); it is deterministic polynomial-time (DPT) if it is PPT and does not read from its randomness tape.

We denote by \(\mathbb {G}\) a cyclic group of prime order p written additively, which is in practice typically a subgroup of an elliptic curve. We write group elements in \(\mathbb {G}\) with capital letters and scalars in \(\mathbb {F}:= \mathbb {F}_p\) with lower case letters. We write \(\mathbb {F}[X]\) for the ring of polynomials over \(\mathbb {F}\) in indeterminate X; when we treat it as a vector space, it is as a vector space over the field \(\mathbb {F}\).

Vectors. Vectors are written with bold letters, and matrices with capital letters. These can be distinguished from \(\mathbb {G}\) elements from context. We write the diagonal matrix of powers of \(\mu \) starting with \(\mu ^0\) as \(\textrm{diag}(\mu )\). Vectors are zero indexed and implicitly padded with zeros on the right as necessary for various operations to be well-defined, i.e. addition and inner products. We denote the vector of all zeros by \(\boldsymbol{0}\) and the vector of all ones by \(\boldsymbol{1}\). We use \(\left| \boldsymbol{v} \right| \) to denote the length of \(\boldsymbol{v}\). We use “slice” notation \(\boldsymbol{v}_{i:j}\) to denote the subvector of \(\boldsymbol{v}\) consisting of components i to \(j-1\); we may omit i if \(i=0\), and j if \(j=|\boldsymbol{v}|-1\). To access a component of a slice, we write \((\boldsymbol{v}_{i:})_k = \boldsymbol{v}_{i+k}\).

We write the inner product of two vectors using angle brackets and an optional subscript to denote weighting by powers of the subscript. If the subscript is not present, it is implicitly 1. Inner products are defined for any vectors of quantities that can be multiplied, i.e. scalars and scalars or scalars and group elements. The norm of a vector refers to its self inner product and uses the same subscripting convention for weights. For example, the weighted inner product of \(\boldsymbol{x}\) and \(\boldsymbol{G}\) and the weighted norm of \(\boldsymbol{x}\) are written

$$\begin{aligned} \left\langle \boldsymbol{x},\boldsymbol{G}\right\rangle _{\mu } = \sum \nolimits _{i=0} x_i G_i \mu ^{i+1} \quad \text {and}\quad \left|\boldsymbol{x} \right|^2_{\mu } = \left\langle \boldsymbol{x},\boldsymbol{x}\right\rangle _{\mu }. \end{aligned}$$

We write concatenation of vectors using \(\mathbin {||}\), the component-wise product of vectors (Hadamard product) using \(\circ \) and tensor product of vectors using \(\otimes \). An iterated tensor product is evaluated from left to right and obeys the convention

$$\begin{aligned} \bigotimes \nolimits _{i=0}^n (1, x_i) = \left( 1, x_0, x_1, x_0 x_1, x_2, \ldots , \prod \nolimits _{i=0}^n x_i\right) . \end{aligned}$$

This is convenient for describing, e.g., the vector of challenges used by the verifier for the norm linear argument.

We denote the vector of powers from \(\mu ^0\) to \(\mu ^{n-1}\) by \(\textbf{e}_{n}(\mu )\). It obeys the tensor product equation

$$\begin{aligned} \textbf{e}_{ab}(\mu ) = \textbf{e}_{a}(\mu ) \otimes \textbf{e}_{b}(\mu ^a) = (1, \mu , \ldots , \mu ^{ab-1}). \end{aligned}$$

We decompose vectors into subvectors of even (indices 0, 2, \(\ldots \)) and odd (indices 1, 3, \(\ldots \)) components, instead of left and right halves as in BP, written as \([\boldsymbol{a}]_0\) and \([\boldsymbol{a}]_1\) respectively. This transformation simplifies certain parts of the protocol, and may help with locality in implementations. BP and BP+ can easily be modified to use even and odd halves, as can BP++ to use left and right halves.

Discrete Logarithm Relation Problem. BP++ is provably secure assuming the expected-PPT hardness of the discrete logarithm relation (DLR) problem, which is well-known to be tightly equivalent to the standard discrete logarithm problem [32, Lemma 3].

Definition 1 (Discrete Logarithm Relation (DLR) Problem)

The discrete logarithm relation (DLR) problem in \(\mathbb {G}\) is hard if for all \(n \ge 1\) and for all expected-PPT adversaries \(\mathcal {A}\),


2.1 Zero-Knowledge Arguments of Knowledge

A zero-knowledge argument of knowledge consists of a non-interactive PPT Turing machine \(\mathcal {K}\) which outputs a common random string \(\sigma \), and two interactive PPT Turing machines \(\mathcal {P}\) (prover) and \(\mathcal {V}\) (verifier). Critically, the randomness used by \(\mathcal {K}\) is public and \(\sigma \) can be reproduced transparently (no trusted setup). The prover and verifier interacting will produce a transcript \(\pi \) and output a bit b indicating whether the verifier accepts, which we write \(\pi \leftarrow \left\langle \mathcal {P}(\sigma ,u,w),\mathcal {V}(\sigma ,u)\right\rangle = b\). Here, for any \(\sigma \), a value w is a witness for a statement u if it satisfies the polynomial time relation \((\sigma , u, w) \in \mathcal {R}\).

A zero-knowledge argument of knowledge must satisfy completeness, soundness, and zero-knowledge.

Definition 2 (Completeness)

The protocol \((\mathcal {K}, \mathcal {P}, \mathcal {V})\) satisfies perfect completeness if for all PPT \(\mathcal {A}\),

$$\begin{aligned} \textrm{Pr}\left[ \left. \begin{array}{c} \left\langle \mathcal {P}(\sigma , u, w),\mathcal {V}(\sigma , u)\right\rangle = 1\\ \vee \ (\sigma , u, w) \not \in \mathcal {R} \end{array} \right| \begin{array}{c} \sigma \leftarrow \mathcal {K}(1^\lambda );\\ (u, w) \leftarrow \mathcal {A}(\sigma ) \end{array}\right] = 1. \end{aligned}$$

The soundness notion we consider in this work is computational witness-extended emulation [30, 34].

Definition 3 (Computational Witness-Extended Emulation)

The protocol \((\mathcal {K}, \mathcal {P}, \mathcal {V})\) has witness-extended emulation (WEE) if for all DPT provers \(\mathcal {P}^{*}\), there exists an expected-PPT emulator \(\mathcal {E}^{\textsf{O}}\) with access to rewinding oracle \(\textsf{O}= \left\langle \mathcal {P}^{*}(\sigma , u, s),\mathcal {V}(\sigma , u)\right\rangle \) such that for all pairs of adversaries \((\mathcal {A}_1, \mathcal {A}_2)\),

$$\begin{aligned} \left| \begin{array}{c}\textrm{Pr}\left[ \mathcal {A}_2(\sigma , \pi ) = 1 \mid \sigma \leftarrow \mathcal {K}(1^{\lambda }); (u, s) \leftarrow \mathcal {A}_1(\sigma ); \pi \leftarrow \textsf{O}\right] \\ - \textrm{Pr}\left[ \left. \begin{array}{c} (\pi \text { is accepting}\Rightarrow \\ (\sigma , u, w) \in \mathcal {R})\\ \wedge \ \mathcal {A}_2(\sigma , \pi ) = 1 \end{array} \right| \begin{array}{c} \sigma \leftarrow \mathcal {K}(1^\lambda );\\ (u, s) \leftarrow \mathcal {A}_1(\sigma );\\ (\pi , w) \leftarrow \mathcal {E}^{\textsf{O}}(\sigma , u) \end{array} \right] \end{array} \right| \le negl(\lambda ). \end{aligned}$$

The protocol has computational witness-extended emulation (CWEE) when adversaries \(\mathcal {A}_1\) and \(\mathcal {A}_2\) are restricted to non-uniform polynomial time.

In the zero-knowledge notion used in this work, the simulator has access to randomness used by the verifier; this is commonly called “special” zero-knowledge in the literature and requires the protocol to be public coin.

Definition 4 (Public Coin)

The protocol \((\mathcal {K}, \mathcal {P}, \mathcal {V})\) is public coin if the i-th message sent by \(\mathcal {V}(\sigma , u; \rho )\) is the i-th component of its randomness argument \(\rho \).

Definition 5 (Perfect Special Honest Verifier Zero-Knowledge)

The protocol \((\mathcal {K}, \mathcal {P}, \mathcal {V})\) has perfect Special Honest Verifier Zero-Knowledge (SHVZK) if there exists a PPT simulator \(\mathcal {S}\) such that for all pairs of adversaries \((\mathcal {A}_1,\mathcal {A}_2)\),

$$\begin{aligned} & \textrm{Pr}\left[ \left. \begin{array}{c} (\sigma , u, w) \in \mathcal {R}\\ \wedge \ \mathcal {A}_2(\sigma , \pi ) = 1 \end{array} \right| \begin{array}{c} \sigma \leftarrow \mathcal {K}(1^\lambda ); (u, w, \rho ) \leftarrow \mathcal {A}_1(\sigma );\\ \pi \leftarrow \left\langle \mathcal {P}(\sigma , u, w),\mathcal {V}(\sigma , u; \rho )\right\rangle \end{array} \right] \\ & = \textrm{Pr}\left[ \left. \begin{array}{c} (\sigma , u, w) \in \mathcal {R}\\ \wedge \ \mathcal {A}_2(\sigma , \pi ) = 1 \end{array} \right| \begin{array}{c} \sigma \leftarrow \mathcal {K}(1^\lambda ); (u, w, \rho ) \leftarrow \mathcal {A}_1(\sigma );\\ \pi \leftarrow \mathcal {S}(u, \rho ) \end{array} \right] . \end{aligned}$$

General Forking Lemma. To show CWEE, we will use the generalized forking lemma by Bootle et al. [5]. It allows handling extractors for multi-round zero-knowledge argument of knowledge generically.

Trustless Common Setup. As a convention, all zero-knowledge arguments in this work use the same setup algorithm \(\mathcal {K}\), which outputs \(\sigma =(G, \boldsymbol{H}, \boldsymbol{G})\), where G and the components of the two vectors \(\boldsymbol{H}, \boldsymbol{G}\) (of sufficient size, which will be clear from the context) are random generators in \(\mathbb {G}\). Since \(\mathcal {K}\) is transparent, it is possible to make the setup trustless in the random oracle model.

Non-interactive Proofs from Fiat-Shamir. All zero-knowledge arguments presented in this paper are public coin, interactive protocols between a prover and honest verifier. This means that they can be made non-interactive via the Fiat-Shamir transform [4], and honest-verifier zero-knowledge of the interactive protocols immediately implies that the Fiat-Shamir transformed variants are non-interactive zero-knowledge in the random oracle model. Recent work has shown that also soundness is retained, even for multi-round protocols [2, 25, 53]. Concretely, we establish that our protocols achieve special soundness, which implies that their Fiat-Shamir version achieves knowledge soundness as shown by Attema, Fehr, Klooß [2, Theorem 4] and further elaborated on by Ganesh et al. [23, Section 2.8].

Commitments as Inputs. Our zero-knowledge arguments accept witness inputs in Pedersen vector commitments. For convenience later, given generators \(\sigma =(G, \boldsymbol{H}, \dotsc )\) from the zero-knowledge setup, we define a commitment to message \(\boldsymbol{v}\) with randomness s to be \(\textsf{Com}(\boldsymbol{v};s) = v_0 G + s H_0 + \left\langle \boldsymbol{v}_{1:},\boldsymbol{H}_{8:}\right\rangle .\) Generators \(\boldsymbol{H}_{1:8}=(H_1, \ldots , H_7)\) are intentionally not used for commitments; this will simplify the notation in later sections.

Pedersen commitments are homomorphic, perfectly hiding, and computationally binding up to the hardness of the discrete logarithm relation problem. We omit a formal treatment of these properties because the security analysis of our protocols uses the underlying group directly and does not invoke these abstract properties.

3 Technical Overview

BP++ consists of four primary improvements over earlier, transparent discrete logarithm-based range proof protocols. First, we substitute the BP+ inner product argument by a norm argument, which reduces verifier time by approximately half in many common cases. Second, we introduce a novel set membership and permutation argument called the reciprocal argument, which has already found significant applications beyond BP++. Third, we modify the BP arithmetic circuit protocol to accomplish “blinding” in one round of communication of a single group element, which can be easily adapted to other similarly constructed protocols. These modified circuits are extended to support first order use of the reciprocal argument, similarly to the integration of plookup [21] into Halo2 [49]. Finally, we use these techniques to construct the shortest and most verifier-performant transparent range proof and MACT protocols.

3.1 Recap: Bulletproofs and Bulletproofs+

BP, at its core, uses a recursive argument to show the inner product relation

$$\begin{aligned} \mathcal {R}_{ ip } = \left\{ { \left( {\begin{array}{c} \boldsymbol{G}, \boldsymbol{H} \in \mathbb {G}^n, G \in \mathbb {G}; \\ C \in \mathbb {G}; \boldsymbol{x}, \boldsymbol{y} \in \mathbb {Z}^n_p \end{array} } \right) : C = \left\langle \boldsymbol{x},\boldsymbol{y}\right\rangle G + \left\langle \boldsymbol{x},\boldsymbol{G}\right\rangle + \left\langle \boldsymbol{y},\boldsymbol{H}\right\rangle } \right\} . \end{aligned}$$
(1)

The recursive structure of the argument is itself derived from the recursive structure in Bootle et al. [5]. In each round, a commitment to a scalar v and vectors \(\boldsymbol{x}\) and \(\boldsymbol{y}\) of length n is reduced to a commitment to vectors \(\boldsymbol{x}'\) and \(\boldsymbol{y}'\) of length n/2. If this commitment satisfies the relation, then the original commitment satisfies the relation with overwhelming probability.

In our notation, given a commitment C, the prover sends the verifier commitments (L, R), and the verifier chooses a challenge \(\gamma \). The reduced commitment is defined as

$$\begin{aligned} C' = C + \gamma ^{-2} L + \gamma ^2 R = v' G + \left\langle \boldsymbol{x}',\boldsymbol{G}'\right\rangle + \left\langle \boldsymbol{y}',\boldsymbol{H}'\right\rangle . \end{aligned}$$
(2)

Each round of the protocol forms essentially a vector valued polynomial commitment. The key to ensuring that the reduced vectors are of length n/2 comes from the folding relation. The reduced vectors are defined in terms of the challenge \(\gamma \) as

$$\begin{aligned} \boldsymbol{x}' = \gamma [\boldsymbol{x}]_0 + \gamma ^{-1} [\boldsymbol{x}]_1 \qquad \boldsymbol{y}' = \gamma ^{-1} [\boldsymbol{y}]_0 + \gamma [\boldsymbol{y}]_1. \end{aligned}$$
(3)

Computing the inner product of these vectors as polynomials in \(\gamma \), we find that the original inner product \(\left\langle \boldsymbol{x},\boldsymbol{y}\right\rangle \) from the inner product relation occurs as the \(\gamma ^0\) term

$$\begin{aligned} \left\langle \boldsymbol{x}',\boldsymbol{y}'\right\rangle = \left\langle \boldsymbol{x},\boldsymbol{y}\right\rangle + \gamma ^2 \left\langle [\boldsymbol{x}]_0,[\boldsymbol{y}]_1\right\rangle + \gamma ^{-2} \left\langle [\boldsymbol{x}]_1,[\boldsymbol{y}]_0\right\rangle . \end{aligned}$$
(4)

BP applies this same relation to the inner products between the basis points \(\boldsymbol{G}\) and \(\boldsymbol{H}\) and the witness vectors. That is, the reduced basis points are defined in terms of \(\gamma \) to be

$$\begin{aligned} \boldsymbol{G}' = \gamma ^{-1} [\boldsymbol{G}]_0 + \gamma [\boldsymbol{G}]_1 \qquad \boldsymbol{H}' = \gamma [\boldsymbol{H}]_0 + \gamma ^{-1} [\boldsymbol{H}]_1. \end{aligned}$$
(5)

This means when the inner products \(\left\langle \boldsymbol{x}',\boldsymbol{G}'\right\rangle \) and \(\left\langle \boldsymbol{y}',\boldsymbol{H}'\right\rangle \) are evaluated, the original inner products will appear on the \(\gamma ^0\) term. The \(\gamma ^{-2}\) coefficients from all three reduced inner products are then collected into L and likewise the \(\gamma ^2\) coefficients into R. This reduction is applied until the reduced vectors are of length 2, at which point the reduced vectors are sent to the verifier.

BP+ uses a very similar recursive structure that also incorporates weights to show a weighted inner product relation, with the inner product replaced by a weighted inner product.
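An added worked example of one folding round of the BP inner product argument, equations (2) to (5) above, which is not part of the paper: group elements are modelled by their discrete logarithms in a constructed toy field F_1019 (an insecure modelling choice), so the commitment identity (2) becomes an identity in F_p that can be checked directly. The function names (ip, fold, fold_round, check_round) are this example's own.

```python
# Added example: one folding round of the Bulletproofs inner product argument
# (equations (2)-(5)), checked over a small prime field. Group elements are
# modelled by their discrete logarithms (constructed, insecure choice), so the
# commitment identity (2) becomes an identity in F_p; this checks the algebra
# of the reduction, not the binding of any commitment.
P = 1019  # toy field size

def inv(a: int) -> int:
    return pow(a % P, P - 2, P)

def ip(a, b) -> int:
    """Inner product over F_p; vectors are zero-padded on the right (Sect. 2)."""
    n = max(len(a), len(b))
    a = list(a) + [0] * (n - len(a))
    b = list(b) + [0] * (n - len(b))
    return sum(x * y for x, y in zip(a, b)) % P

def even(v): return v[0::2]   # [v]_0 in the paper's notation
def odd(v):  return v[1::2]   # [v]_1

def fold(v, c0, c1):
    """c0*[v]_0 + c1*[v]_1 componentwise; v must have even length."""
    return [(c0 * e + c1 * o) % P for e, o in zip(even(v), odd(v))]

def fold_round(x, y, Gv, Hv, Gs, gamma):
    """One round: the prover computes L and R, both sides fold after seeing gamma.
    Gs is the discrete log standing in for the generator G of the value term."""
    g, gi = gamma % P, inv(gamma)
    # gamma^-2 coefficients of all three inner products go to L, gamma^2 ones to R
    L = (ip(odd(x), even(y)) * Gs + ip(odd(x), even(Gv)) + ip(even(y), odd(Hv))) % P
    R = (ip(even(x), odd(y)) * Gs + ip(even(x), odd(Gv)) + ip(odd(y), even(Hv))) % P
    x_new = fold(x, g, gi)    # (3): x' = gamma [x]_0 + gamma^-1 [x]_1
    y_new = fold(y, gi, g)    #      y' = gamma^-1 [y]_0 + gamma [y]_1
    G_new = fold(Gv, gi, g)   # (5): G' = gamma^-1 [G]_0 + gamma [G]_1
    H_new = fold(Hv, g, gi)   #      H' = gamma [H]_0 + gamma^-1 [H]_1
    return L, R, x_new, y_new, G_new, H_new

def check_round(x, y, Gv, Hv, Gs, gamma) -> bool:
    """True if identity (4) and the reduced commitment identity (2) both hold."""
    L, R, x2, y2, G2, H2 = fold_round(x, y, Gv, Hv, Gs, gamma)
    g, gi = gamma % P, inv(gamma)
    # (4): <x',y'> = <x,y> + gamma^2 <[x]_0,[y]_1> + gamma^-2 <[x]_1,[y]_0>
    eq4 = ip(x2, y2) == (ip(x, y) + g * g * ip(even(x), odd(y))
                         + gi * gi * ip(odd(x), even(y))) % P
    # (1): C = <x,y> G + <x,G> + <y,H>;  (2): C' = C + gamma^-2 L + gamma^2 R
    C = (ip(x, y) * Gs + ip(x, Gv) + ip(y, Hv)) % P
    C2 = (C + gi * gi * L + g * g * R) % P
    eq2 = C2 == (ip(x2, y2) * Gs + ip(x2, G2) + ip(y2, H2)) % P
    return eq4 and eq2

def run_example():
    """Constructed witness, basis and challenge; returns (identities hold, reduced length)."""
    x = [3, 1, 4, 1, 5, 9, 2, 6]
    y = [2, 7, 1, 8, 2, 8, 1, 8]
    Gv = [11, 13, 17, 19, 23, 29, 31, 37]
    Hv = [41, 43, 47, 53, 59, 61, 67, 71]
    Gs, gamma = 101, 77
    return check_round(x, y, Gv, Hv, Gs, gamma), len(fold(x, 1, 1))
```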

3.2 Reciprocal Argument

The primary technique that makes BP++ range proofs and MACT possible is a simple interactive protocol called the reciprocal argument. It operates on collections that are finite sets A of pairs (m, s) consisting of symbols \(s\in \mathbb {F}\) with associated multiplicities \(m\in \mathbb {F}\). In more detail, the reciprocal argument lets a prover convince a verifier that the total multiplicity \( \hat{m}_s = \sum \nolimits _{(m',s')\in A\,:\,s'=s} m' \) of each symbol \(s \in \mathbb {F}\) vanishes (i.e., equals zero). In that case, we also say that A itself vanishes. (For example, \(A=\{(-3,42), (5,17), (7,42), (-4,42), (-5,17), (0,1) \}\) vanishes.) In the protocols we will construct, some or all of the m and s may be private to the prover and thus appear only in committed form.

Vanishing is powerful enough to express many relations commonly used to construct zero-knowledge arguments: For example, assuming that no wrap-around occurs when summing up multiplicities, which is guaranteed if \(|A|\ll |\mathbb {F}|\), some (committed) sequence U is a permutation of another (committed) sequence T if and only if \(A = \{(-1, u) : u \in U\} \cup \{(1, t) : t \in T\}\) vanishes. As a second example, consider a “lookup argument”: the components of U form a subset of some public set T (called “table”) if, for each \(t\in T\), there exists a multiplicity \(m_t\) (only known to the prover) such that \(A = \{(-1, u) : u \in U\} \cup \{(m_{t}, t) : t \in T \}\) vanishes.

The underlying idea of the protocol is that we can associate to A a rational function \(f_A(X)\) defined as a sum of reciprocals such that for all \((m, s) \in A\), \(f_A(X)\) has a pole at \(-s\) of multiplicity m:

$$\begin{aligned} f_A(X) = \sum \nolimits _{(m,s)\in A} \frac{m}{X + s}. \end{aligned}$$
(6)

Function \(f_A\) vanishes (i.e., is zero everywhere) if and only if the total multiplicity \(\hat{m}_s\) for each symbol s vanishes. To show that this function vanishes, it suffices to evaluate it at a uniformly random input X. In the reciprocal argument protocol, this input is a challenge chosen by the verifier after the prover has committed to A. We note that the function \(f_A\) has the structure of a logarithmic derivative; see the full version [20] for more background.

Application to Range Proofs. Consider the problem of constructing a range proof. We want to prove that some (committed) integer value v is in a range \([0,b^k)\). A natural solution is to consider the k base-b digits \(d_i\) of v and use a lookup argument (as described above) that shows that all digits \(d_i\) occur in the “table” \(T=\{0,\ldots , b-1\}\). In that case, the rational function \(f_A(X)\) is

$$\begin{aligned} f_A(X) = \sum \nolimits _i \frac{-1}{X + d_i} + \sum \nolimits _{j=0}^{b-1} \frac{m_j}{X + j}. \end{aligned}$$
(7)

In contrast, both BP and BP+ construct a range proof by proving the validity of each digit individually, then showing that the linear combination of these digits equals the committed value. Binary digits (i.e., \(b=2\)) are used since their validity can be checked with just one multiplication per digit: \(d \in \{0, 1\}\) if and only if \(d (d - 1) = 0\).

However, Camenisch, Chaabouni, shelat [11] suggest selecting b such that \(b^b \approx B - A\). This base uses only \(O(n / \log n)\) digits, where \(n = \left\lceil \log _2(B - A)\right\rceil \), which is optimal in the sense that the witness length is a function of the base b and the number n of digits and is minimized when they are equal. Unfortunately, the natural generalization of the binary digit check \(d_i (d_i - 1)\) to bases \(b>2\) does not result in a more efficient proof in BP. In the binary case, each digit requires a single multiplication, but the number of multiplications increases linearly in the size of the base.

In BP++, we sidestep this performance trade-off via the reciprocal argument, which we use as an efficient lookup argument. Rather than checking separately that each digit is a root of some polynomial, as in BP, we can use Eq. (7) to check membership of each digit in the set of valid digits. This enables us to construct range proofs with “optimal” bases \(b>2\) while retaining efficiency.

Application to MACT. For MACT, we face a related problem when proving multi-asset conservation of money. In this case, we have two collections of amounts and types of tokens I and O corresponding to the inputs and outputs of a transaction. We want to show that the total amount of each token in I is equal to the total amount of each token in O and that each amount in I and O is a positive integer. The latter claim can be shown using a range proof and the former using a new invocation of the reciprocal argument. Let \(A = \{ (v, t) : (v, t) \in I \} \cup \{ (-v, t) : (v, t) \in O \}\). If A vanishes then the sum of all the amounts in I equals the sum of all the amounts in O for each token t. If the amounts are all positive integers much smaller than p, it follows that no tokens were created or destroyed in the transaction. In this case \(f_A(X)\) is

$$\begin{aligned} f_A(X) = \sum \nolimits _{(v, t) \in I} \frac{v}{X + t} - \sum \nolimits _{(v,t) \in O} \frac{v}{X + t}. \end{aligned}$$
(8)
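The collections of Eqs. (6)-(8) worked through in code, as an added example that is not the paper's implementation: the modulus, the token identifiers and all amounts are constructed, and the lookup multiplicities \(m_j\) are computed the way an honest prover would.

```python
"""Collections, total multiplicities and f_A of Sect. 3.2, instantiated for the digit lookup
of Eq. (7) and the multi-asset balance of Eq. (8). Added example, not the paper's code."""
import secrets

P = (1 << 61) - 1  # constructed prime; every collection below has |A| << P, so no wrap-around


def inv(x):
    return pow(x % P, P - 2, P)


def total_multiplicities(A):
    """\\hat m_s for each symbol s occurring in A."""
    totals = {}
    for m, s in A:
        totals[s % P] = (totals.get(s % P, 0) + m) % P
    return totals


def vanishes(A):
    """Prover-side view: A vanishes iff every total multiplicity is zero."""
    return all(t == 0 for t in total_multiplicities(A).values())


def f_A(A, X):
    """Eq. (6): sum over (m, s) in A of m / (X + s), for a challenge X in the field."""
    acc = 0
    for m, s in A:
        d = (X + s) % P
        if d == 0:
            raise ZeroDivisionError("challenge hit a pole (X = -s); resample")
        acc = (acc + m * inv(d)) % P
    return acc


def verifier_accepts(A, trials=8):
    """Verifier-side view: f_A evaluates to zero at `trials` random challenges."""
    for _ in range(trials):
        try:
            if f_A(A, secrets.randbelow(P)) != 0:
                return False
        except ZeroDivisionError:
            pass  # happens with probability |S|/P per trial; just draw another challenge
    return True


def claimed_digits(v, b, k):
    """k base-b 'digits' with sum d_i b^i = v. For 0 <= v < b^k these are the genuine digits;
    otherwise the top entry absorbs the overflow and lies outside {0, ..., b-1}."""
    return [(v // b**i) % b for i in range(k - 1)] + [v // b**(k - 1)]


def digit_collection(v, b, k):
    """Eq. (7): one (-1, d_i) pair per digit plus (m_j, j) for each table entry j,
    where m_j counts how often digit j is used (known to the prover only)."""
    digits = claimed_digits(v, b, k)
    return [(-1, d) for d in digits] + [(digits.count(j), j) for j in range(b)]


def mact_collection(inputs, outputs):
    """Eq. (8): (v, t) for each input amount/type, (-v, t) for each output."""
    return [(v, t) for v, t in inputs] + [(-v, t) for v, t in outputs]


# Constructed token identifiers standing in for field-element asset types.
BTC, ETH = 1, 2
```

The last test case below is the reason the MACT paragraph insists on range proofs: a balance that only holds modulo P (an output amount of P - 1 acts like -1) still makes A vanish.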

3.3 Norm Linear Argument

As described in Sect. 3.1, BP and BP+ show a (weighted) inner product relation involving two vectors \(\boldsymbol{x}\) and \(\boldsymbol{y}\) by letting the prover send commitments to both \(\boldsymbol{x}\) and \(\boldsymbol{y}\). This introduces undesirable redundancy in some cases. Consider the example of a binary range proof: A prover wants to show \(d_i (d_i - 1) = 0\) for each digit \(d_i\) in the vector \(\boldsymbol{d}\) that encodes the binary representation of some value v. In a BP range proof, this requires committing to both \(\boldsymbol{x} = \boldsymbol{d}\) and \(\boldsymbol{y} = -(\boldsymbol{1} - \boldsymbol{d})\), even though \(\boldsymbol{y}\) is entirely determined by \(\boldsymbol{x}\) up to the addition of a constant.

To avoid this redundancy in BP++, we can rewrite \(d_i (d_i - 1) = 0\) into the equivalent constraint \((2d_i - 1)^2 = 1\). This allows us to substitute the inner product relation by a BP++ norm relation, which is a relation involving the inner product of a single vector with itself, and thus requires only a commitment to that single vector. As a result, we not only save data to be committed and hence communication, but also roughly half the prover and verifier cost.

However, while this motivating example provides an intuition for why a norm relation can be preferable over an inner product relation, it turns out that in practice, it is almost always more efficient to use a BP++ reciprocal range proof instead of a BP++ binary range proof. As a consequence, we defer the details of BP++ binary range proofs to the full version [20], and now turn our attention towards arithmetic circuits instead.

In the case of arithmetic circuits, similarly as for binary range proofs, using a norm argument allows reducing the verifier time by half, provided we can commit to only a single vector per commitment instead of two. Unfortunately, the inner product relation of BP and the weighted inner product relation of BP+ cannot work for this purpose, since even if the initial \(\boldsymbol{x} = \boldsymbol{y}\) the reduction is asymmetric so \(\boldsymbol{x}' \ne \boldsymbol{y}'\). To show a norm relation, we need a new reduction technique that is symmetric in the way it reduces \(\boldsymbol{x}\) and \(\boldsymbol{y}\). Unlike BP, the reduced vectors are now defined to be

$$\begin{aligned} \boldsymbol{x}' = [\boldsymbol{x}]_0 + \gamma [\boldsymbol{x}]_1 \qquad \boldsymbol{y}' = [\boldsymbol{y}]_0 + \gamma [\boldsymbol{y}]_1. \end{aligned}$$
(9)

The reduction can be derived by computing the coefficients of the three polynomials \(1, \gamma , \gamma ^2 - 1 \in \mathbb {F}[\gamma ]\), whereas in BP we computed the coefficients of the polynomials \(\gamma ^{-2}, 1, \gamma ^2 \in \mathbb {F}[\gamma ]\). Since these polynomials are linearly independent in \(\mathbb {F}[\gamma ]\), the reduction is sound. Setting \(\boldsymbol{x} = \boldsymbol{y} = \boldsymbol{n}\) we can show a norm relation, and with some modifications we can show a weighted norm relation.

A norm by itself is not sufficient; we want to be able to show that the witness satisfies linear constraints without introducing extraneous terms. We can apply this reduction relation to an inner product of an additional vector \(\boldsymbol{l}\) and a public constraint vector \(\boldsymbol{c}\). This will be especially relevant when handling the blinding procedure for arithmetic circuits and also helps in the MPC proving setting. Thus, BP++ will show the weighted norm linear relation, namely that a witness \((v, \boldsymbol{l}, \boldsymbol{n})\) and public \((\mu , \boldsymbol{c})\) satisfy \( v = \left\langle \boldsymbol{c},\boldsymbol{l}\right\rangle + \left|\boldsymbol{n} \right|^2_{\mu } \).

3.4 Arithmetic Circuits

In BP and BP+, arithmetic circuits are given as a separate protocol from range proofs. The circuit is encoded as four matrices and a vector \((W_L, W_R, W_O, W_V, \boldsymbol{c})\). A witness \((\boldsymbol{w}_L, \boldsymbol{w}_R, \boldsymbol{w}_O, \boldsymbol{v})\) satisfies the circuit if

$$\begin{aligned} \begin{gathered} W_L \boldsymbol{w}_L + W_R \boldsymbol{w}_R + W_O \boldsymbol{w}_O = W_V \boldsymbol{v} + \boldsymbol{c} \qquad \boldsymbol{w}_L \circ \boldsymbol{w}_R = \boldsymbol{w}_O. \end{gathered} \end{aligned}$$
(10)

While one could use an arithmetic circuit to prove a range proof in BP, it would be less efficient than the specialized range proof protocol. In the BP protocol for circuits, the prover constructs a vector valued polynomial commitment to some \((v(X), \boldsymbol{x}(X), \boldsymbol{y}(X))\) and wants to show that when we apply the inner product equation to this witness, the \(X^2\) term of the polynomial \(t(X) = v(X) - \left\langle \boldsymbol{x}(X),\boldsymbol{y}(X)\right\rangle \) vanishes. To show this, the prover commits to all the other “error” terms of t(X) in Pedersen scalar commitments in \(T_1, T_3, T_4, T_5, T_6\).

BP++ arithmetic circuits avoid these extra commitments, as well as the two final commitments necessary to blind in both BP and BP+. Rather than committing to these other terms in scalar commitments, we commit to them as a vector in the final blinding commitment. This comes at no cost, and conveniently generalizes to larger polynomials without increasing proof size. The norm linear argument naturally allows us to evaluate the committed t(X) at a random X by placing the coefficients in \(\boldsymbol{l}\) and changing the \(\boldsymbol{c}\) vector to be powers of X. We are then able to use the other commitments in the proof to blind these error terms at no additional cost in terms of proof size. This procedure is responsible for much of the reduction in proof size.

BP++ also modifies the circuit protocol so that instead of the constraint \(\boldsymbol{w}_L \circ \boldsymbol{w}_R = \boldsymbol{w}_O\), the arithmetic circuit checks that \(\boldsymbol{w}_L \circ \boldsymbol{w}_R\) equals a linear combination of the entire witness.

This makes it efficient to formulate reciprocal constraints, where the denominators occur in \(\boldsymbol{w}_L\), the reciprocals in \(\boldsymbol{w}_R\), and the numerators can be any linear combination on the right hand side. This new arithmetic circuit protocol allows encoding reciprocal range proofs and MACT more efficiently than existing protocols without the use of specialized protocols.

4 Norm Linear Argument

Unlike BP and BP+ which show inner product relations, BP++ is an argument of knowledge for the weighted norm linear relation

$$\begin{aligned} \mathcal {R}_{ nl } = \left\{ \left( \begin{array}{c} \boldsymbol{H} \in \mathbb {G}^l, \boldsymbol{G} \in \mathbb {G}^n, G \in \mathbb {G}; \\ C \in \mathbb {G}, \boldsymbol{c} \in \mathbb {F}^l, \mu \in \mathbb {F};\\ \boldsymbol{l} \in \mathbb {F}^l, \boldsymbol{n} \in \mathbb {F}^n \end{array} \right) : \begin{array}{c} v = \left\langle \boldsymbol{c},\boldsymbol{l}\right\rangle + \left|\boldsymbol{n} \right|^2_\mu \\ C = v G + \left\langle \boldsymbol{l},\boldsymbol{H}\right\rangle + \left\langle \boldsymbol{n},\boldsymbol{G}\right\rangle \end{array} \right\} . \end{aligned}$$
(11)

4.1 Reducing the Vectors

We note that the norm linear relation \(\mathcal {R}_{ nl }\) is equivalent in expressiveness to the weighted inner product relation \(\mathcal {R}_{ ip }\), in the sense that both are capable of proving arithmetic circuit satisfiability and, more narrowly, in the sense that one could, in principle, write the norm linear relation as an inner product and thus construct a norm linear argument by reducing directly to an inner product argument. However, the latter approach requires committing to the vector \(\boldsymbol{n}\) twice, as both \(\boldsymbol{x}\) and \(\boldsymbol{y}\) from the inner product relation (see Sect. 3.1). While it is possible to simplify the initial commitment by computing \(\left\langle \boldsymbol{n},\boldsymbol{G} + \boldsymbol{H}\right\rangle \) in the inner product commitment, the vectors \(\boldsymbol{x}\) and \(\boldsymbol{y}\) will be reduced asymmetrically following such an approach. This means that even if \(\boldsymbol{x} = \boldsymbol{y}\), it will not be the case that \(\boldsymbol{x}' = \boldsymbol{y}'\).

This makes clear what we want from a norm linear argument: given a commitment C to vectors as defined in the relation, we want to reduce this commitment to a new commitment to vectors \(\boldsymbol{l}'\) and \(\boldsymbol{n}'\) of half the length of the original vectors. To this end, we need a folding relation for a pair of vectors that treats both vectors symmetrically. That is, instead of scaling the halves of \(\boldsymbol{x}\) and \(\boldsymbol{y}\) by complementary \(\gamma \) and \(\gamma ^{-1}\), we would like to use reduced vectors that are folded in the same way, such as

$$\begin{aligned} \boldsymbol{x}' = \rho ^{-1} [\boldsymbol{x}]_0 + \gamma [\boldsymbol{x}]_1 \qquad \boldsymbol{y}' = \rho ^{-1} [\boldsymbol{y}]_0 + \gamma [\boldsymbol{y}]_1. \end{aligned}$$
(12)

Now if \(\boldsymbol{x} = \boldsymbol{y}\) then \(\boldsymbol{x}' = \boldsymbol{y}'\). Here \(\rho \) is defined by \(\rho ^2 = \mu \) for weight \(\mu \). Taking the weighted inner product of these vectors by \(\mu \), we can work out a relation that includes the original weighted inner product \(\left\langle \boldsymbol{x},\boldsymbol{y}\right\rangle _{\mu }\) as one coefficient of a polynomial in \(\gamma \):

$$\begin{aligned} \begin{gathered} v_x = \rho ^{-1} (\left\langle [\boldsymbol{x}]_0,[\boldsymbol{y}]_1\right\rangle _{\mu ^2} + \left\langle [\boldsymbol{x}]_1,[\boldsymbol{y}]_0\right\rangle _{\mu ^2}) {\qquad } v_r = \left\langle [\boldsymbol{x}]_1,[\boldsymbol{y}]_1\right\rangle _{\mu ^2} \\ \left\langle \boldsymbol{x}',\boldsymbol{y}'\right\rangle _{\mu ^2} = \left\langle \boldsymbol{x},\boldsymbol{y}\right\rangle _{\mu } + v_x \gamma + v_r (\gamma ^2 - 1). \end{gathered} \end{aligned}$$
(13)

Note that this reduction is sound because the polynomials \(1, \gamma , \gamma ^2 - 1 \in \mathbb {F}[\gamma ]\) are linearly independent. As in BP(+), the protocol follows straightforwardly from this relation by applying it to all the inner products in the commitment and grouping alike terms. The prover can commit to the \(\gamma \) and \(\gamma ^2 - 1\) coefficients (in X and R, respectively), and then the verifier can select a random \(\gamma \) to evaluate the relation. Because this relation is symmetric, the prover can apply it to the \(\boldsymbol{x} = \boldsymbol{y} = \boldsymbol{n}\) case and reduce \(\boldsymbol{n}\) to a single \(\boldsymbol{n}'\).

4.2 Norm Linear Argument

In the norm linear relation, there are 4 inner products that the prover needs to reduce: \(\left|\boldsymbol{n} \right|^2_{\mu }\), \(\left\langle \boldsymbol{n},\boldsymbol{G}\right\rangle \), \(\left\langle \boldsymbol{c},\boldsymbol{l}\right\rangle \), and \(\left\langle \boldsymbol{l},\boldsymbol{H}\right\rangle \). Since \(\boldsymbol{n}\) participates in a weighted inner product (norm), we need to modify the relation for \(\boldsymbol{G}\) slightly, and since \(\boldsymbol{l}\), \(\boldsymbol{c}\), and \(\boldsymbol{H}\) only participate in unweighted relations, there are no weights present. The reduced vectors are thus

$$\begin{aligned} \begin{aligned} v' = \left|\boldsymbol{n}' \right|^2_{\mu ^2} + \left\langle \boldsymbol{c}',\boldsymbol{l}'\right\rangle &\qquad \boldsymbol{c}' = [\boldsymbol{c}]_0 + \gamma [\boldsymbol{c}]_1 \\ \boldsymbol{l}' = [\boldsymbol{l}]_0 + \gamma [\boldsymbol{l}]_1 &\qquad \boldsymbol{n}' = \rho ^{-1} [\boldsymbol{n}]_0 + \gamma [\boldsymbol{n}]_1 \\ \boldsymbol{G}' = \rho [\boldsymbol{G}]_0 + \gamma [\boldsymbol{G}]_1 &\qquad \boldsymbol{H}' = [\boldsymbol{H}]_0 + \gamma [\boldsymbol{H}]_1. \end{aligned} \end{aligned}$$
(14)

The commitments X and R follow directly from expanding all the reduced inner products and gathering \(\gamma \) and \(\gamma ^2 - 1\) coefficients. Explicitly

$$\begin{aligned} v_x = 2 \rho ^{-1} \left\langle [\boldsymbol{n}]_0,[\boldsymbol{n}]_1\right\rangle _{\mu ^2} + \left\langle \boldsymbol{c},( [\boldsymbol{l}]_1, [\boldsymbol{l}]_0) \right\rangle \end{aligned}$$
(15)
$$\begin{aligned} v_r = \left|[\boldsymbol{n}]_1 \right|^2_{\mu ^2} + \left\langle [\boldsymbol{c}]_1,[\boldsymbol{l}]_1\right\rangle \end{aligned}$$
(16)
$$\begin{aligned} X = v_x G + \left\langle ([\boldsymbol{l}]_1, [\boldsymbol{l}]_0),\boldsymbol{H}\right\rangle + \left\langle (\rho [\boldsymbol{n}]_1, \rho ^{-1} [\boldsymbol{n}]_0),\boldsymbol{G}\right\rangle \end{aligned}$$
(17)
$$\begin{aligned} R = v_r G + \left\langle [\boldsymbol{l}]_1,[\boldsymbol{H}]_1\right\rangle + \left\langle [\boldsymbol{n}]_1,[\boldsymbol{G}]_1\right\rangle . \end{aligned}$$
(18)

Evaluating the polynomial commitment at \(\gamma \) yields a commitment on the reduced basis to the reduced witness, i.e., we have

$$\begin{aligned} C + \gamma X + (\gamma ^2 - 1) R = v' G + \left\langle \boldsymbol{l}',\boldsymbol{H}'\right\rangle + \left\langle \boldsymbol{n}',\boldsymbol{G}'\right\rangle . \end{aligned}$$
(19)

The full protocol applies this reduction recursively until doing so does not reduce the overall proof size. This occurs when \(\left| \boldsymbol{l} \right| + \left| \boldsymbol{n} \right| \le 6\), at which point the prover sends the reduced \(\boldsymbol{l}\) and \(\boldsymbol{n}\) to the verifier. If these vectors satisfy the norm linear relation for the reduced \(\boldsymbol{c}\) and \(\mu \), then it follows by induction that the original commitment satisfies the relation.

Completeness follows directly from this equation holding and soundness from the linear independence of the polynomials \(1, \gamma , \gamma ^2 - 1 \in \mathbb {F}[\gamma ]\). Linear independence can be used to construct a round extractor, which as in BP can be used to construct an extractor for the entire protocol.
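The field side of the reduction in Sects. 4.1 and 4.2, as an added example that is not the paper's code: the group elements \(G, \boldsymbol{H}, \boldsymbol{G}, X, R\) are omitted and only the scalar identities the commitments encode are computed. It assumes the conventions \(\left\langle \boldsymbol{x},\boldsymbol{y}\right\rangle _\mu = \sum _i \mu ^{i+1} x_i y_i\) and that \([\boldsymbol{x}]_0\), \([\boldsymbol{x}]_1\) are the even- and odd-indexed entries, which are the choices under which Eqs. (13)-(16) hold term by term.

```python
"""Scalar simulation of the BP++ norm linear reduction (Eqs. (12)-(21)). Added example."""
import secrets

P = (1 << 61) - 1  # constructed toy prime field


def inv(x):
    return pow(x % P, P - 2, P)


def ip(x, y):
    """Plain inner product <x, y>."""
    return sum(a * b for a, b in zip(x, y)) % P


def wip(x, y, mu):
    """Weighted inner product <x, y>_mu = sum_i mu^(i+1) x_i y_i (assumed convention);
    the weighted norm |n|^2_mu is wip(n, n, mu)."""
    acc, w = 0, 1
    for a, b in zip(x, y):
        w = w * mu % P
        acc = (acc + w * a * b) % P
    return acc


def halves(x):
    """[x]_0 = even-indexed entries, [x]_1 = odd-indexed entries (assumed convention)."""
    return x[0::2], x[1::2]


def fold(x, a, b):
    """Symmetric folding a*[x]_0 + b*[x]_1 of Eq. (12)/(14)."""
    x0, x1 = halves(x)
    return [(a * u + b * w) % P for u, w in zip(x0, x1)]


def cross_terms(c, l, n, rho, mu):
    """Eq. (15)/(16): v_x (the gamma coefficient) and v_r (the gamma^2 - 1 coefficient)."""
    c0, c1 = halves(c)
    l0, l1 = halves(l)
    n0, n1 = halves(n)
    mu2 = mu * mu % P
    v_x = (2 * inv(rho) * wip(n0, n1, mu2) + ip(c0, l1) + ip(c1, l0)) % P
    v_r = (wip(n1, n1, mu2) + ip(c1, l1)) % P
    return v_x, v_r


def reduce_round(c, l, n, v, rho, mu, gamma):
    """One round: fold per Eq. (14) and update v as in the scalar part of Eq. (19).
    The weight becomes mu^2, so rho (with rho^2 = mu) becomes rho^2."""
    v_x, v_r = cross_terms(c, l, n, rho, mu)
    v2 = (v + gamma * v_x + (gamma * gamma - 1) * v_r) % P
    return (fold(c, 1, gamma), fold(l, 1, gamma), fold(n, inv(rho), gamma),
            v2, rho * rho % P, mu * mu % P)


def relation_holds(c, l, n, v, mu):
    """Scalar part of R_nl (Eq. (11)): v = <c, l> + |n|^2_mu."""
    return v == (ip(c, l) + wip(n, n, mu)) % P


def gamma_l(gammas):
    """Eq. (20) for the unweighted side: entry b is the product of gamma_i over the set bits i of b."""
    coeffs = [1]
    for g in gammas:
        coeffs = coeffs + [x * g % P for x in coeffs]
    return coeffs


def run_argument(c, l, n, rho, v=None, gammas=None):
    """Reduce until |l| + |n| <= 6 (Sect. 4.2), then apply the verifier's final check.
    An honest prover leaves v=None; a dishonest one may pass any v. Lengths must be powers of two.
    Returns (accept, challenges used, final c, final l)."""
    mu = rho * rho % P
    if v is None:
        v = (ip(c, l) + wip(n, n, mu)) % P
    used = []
    while len(l) + len(n) > 6:
        assert len(l) % 2 == 0 and len(n) % 2 == 0
        gamma = secrets.randbelow(P - 1) + 1 if gammas is None else gammas[len(used)]
        c, l, n, v, rho, mu = reduce_round(c, l, n, v, rho, mu, gamma)
        used.append(gamma)
    return relation_holds(c, l, n, v, mu), used, c, l
```

The test below also checks the \(\boldsymbol{c}\) side of Eq. (21): the inner product of the original \(\boldsymbol{c}\) with \(\boldsymbol{\gamma }_l \otimes \boldsymbol{l}'\) equals the inner product of the folded \(\boldsymbol{c}'\) with the final \(\boldsymbol{l}'\).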

Theorem 1

The weighted norm linear argument has perfect completeness. Assuming the expected-PPT hardness of the discrete logarithm relation problem, the argument has CWEE and is therefore an argument of knowledge for the weighted norm linear relation.

See the full version [20] for the proof.

4.3 Full Protocol Description

The setup protocol for the norm linear argument \(\mathcal {K}\) simply chooses all group elements \(G, \boldsymbol{H}, \boldsymbol{G}\) uniformly at random.

[Figure b: protocol description of the norm linear argument, not reproduced in this extraction]

As in BP, it is not necessary for the verifier to actually compute the intermediate \((\boldsymbol{G}, \boldsymbol{H}, \boldsymbol{c}, C)\) values and the final verification check can be replaced with a single linear combination of public curve points. Letting k be the number of rounds before stopping and the vectors \(\boldsymbol{\gamma }_l\) and \(\boldsymbol{\gamma }_n\) be defined as

$$\begin{aligned} \boldsymbol{\gamma }_l = \bigotimes \nolimits _{i=0}^{k-1} (1, \gamma _i) \qquad \boldsymbol{\gamma }_n = \bigotimes \nolimits _{i=0}^{k-1} (\rho ^{2^i}, \gamma _i) , \end{aligned}$$
(20)

the \((\boldsymbol{G}, \boldsymbol{H}, \boldsymbol{c}, C)\) in the final verification equation can be rewritten in terms of the original \((\boldsymbol{G}, \boldsymbol{H}, \boldsymbol{c}, C)\) as

$$\begin{aligned} v = \left\langle \boldsymbol{c},\boldsymbol{\gamma }_l \otimes \boldsymbol{l}\right\rangle + \left|\boldsymbol{n} \right|^2_\mu \end{aligned}$$
(21)
$$\begin{aligned} v G + \left\langle \boldsymbol{\gamma }_l \otimes \boldsymbol{l},\boldsymbol{H}\right\rangle + \left\langle \boldsymbol{\gamma }_n \otimes \boldsymbol{n},\boldsymbol{G}\right\rangle \overset{?}{=}\ C + \sum \nolimits _{i=0}^{k-1} \gamma _i X_i + (\gamma _i^2 - 1) R_i. \end{aligned}$$
(22)

Also as in BP, when verifying multiple proofs simultaneously, the verifier can take a random linear combination of the equations and combine the \(\boldsymbol{\gamma }_l \otimes \boldsymbol{l}\) and \(\boldsymbol{\gamma }_n \otimes \boldsymbol{n}\) from different proofs if the \(\boldsymbol{G}\) and \(\boldsymbol{H}\) are the same. Thus the marginal cost of verifying an additional proof is only \(O(\log n)\) additional scalar multiplications and O(n) field operations. There are additional optimizations that help reduce prover work, as we discuss in the full version [20].

5 Arithmetic Circuits

In BP, arithmetic circuits are represented using four public matrices and one public vector \((W_L, W_R, W_O,W_V,\boldsymbol{c})\) and four witness vectors \((\boldsymbol{w}_L, \boldsymbol{w}_R, \boldsymbol{w}_O, \boldsymbol{v})\), which must satisfy Eq. (10). For each multiplication in a BP arithmetic circuit, the prover commits to the left input in \(\boldsymbol{w}_{L,i}\), the right input in \(\boldsymbol{w}_{R,i}\) and the output in \(\boldsymbol{w}_{O, i}\). In some cases, this leads to the prover committing to redundant information. Specifically, if an output of a multiplication is immediately subject to a linear constraint, the prover could avoid committing to it by instead showing

$$\begin{aligned} \boldsymbol{w}_L \circ \boldsymbol{w}_R = W_{m,L} \boldsymbol{w}_L + W_{m,R} \boldsymbol{w}_R + W_{m,O} \boldsymbol{w}_O. \end{aligned}$$
(23)

This motivates the BP++ circuit encoding, where we make exactly this change. It turns out that effectively every multiplication gate in reciprocal range proofs (Sect. 6.2) and MACTs is of this form. This change makes it more efficient to represent these protocols as arithmetic circuits, rather than using bespoke range proof protocols like other Bulletproof based constructions. We also modify the circuits to accept input vectors from Pedersen vector commitments, rather than just scalars, which removes the matrix \(W_V\).

Concretely, an arithmetic circuit \(\mathcal {C}\) will be encoded into two matrices \((W_l, W_m)\) and two vectors \((\boldsymbol{a}_l, \boldsymbol{a}_m)\) which constrain a witness \(\boldsymbol{w} = (\boldsymbol{w} _L, \boldsymbol{w} _R, \boldsymbol{w} _O)\). The vectors \(\boldsymbol{w} _L\) and \(\boldsymbol{w} _R\) are the left and right inputs to each multiplication, as in BP. The input vector is the concatenation of vectors \(\boldsymbol{w} _V= (\boldsymbol{v}_i)_{i=0}^k\), each of which comes from a Pedersen vector commitment \(V_i\). The circuit is satisfied if both

$$\begin{aligned} \boldsymbol{0} = W_l\boldsymbol{w} + \boldsymbol{w} _V+ \boldsymbol{a}_l\qquad \boldsymbol{w} _L\circ \boldsymbol{w} _R= W_m\boldsymbol{w} + \boldsymbol{a}_m. \end{aligned}$$
(24)

The arithmetic circuit protocol is therefore a proof of knowledge for the relation

$$\begin{aligned} \mathcal {C} = \left( \begin{array}{c} W_l\in \mathbb {F}^{N_l \times N_w}, \boldsymbol{a}_l\in \mathbb {F}^{N_l}, W_m\in \mathbb {F}^{N_m \times N_w}, \boldsymbol{a}_m\in \mathbb {F}^{N_m} \end{array} \right) \end{aligned}$$
(25)
$$\begin{aligned} \mathcal {R}_{ ac } = \left\{ \left( \begin{array}{c} G \in \mathbb {G}, \boldsymbol{H} \in \mathbb {G}^{N_v+7}, \boldsymbol{G} \in \mathbb {G}^{N_m}; \\ \mathcal {C}, \boldsymbol{V} \in \mathbb {G}^k ; \boldsymbol{v}_i \in \mathbb {F}^{N_v} : i = [0,k), \\ \boldsymbol{s}_V \in \mathbb {F}^k, \boldsymbol{w} _O\in \mathbb {F}^{N_O}, \boldsymbol{w} _L, \boldsymbol{w} _R\in \mathbb {F}^{N_m} \\ \end{array} \right) : \begin{array}{c} V_i = \textsf{Com}(\boldsymbol{v}_i; s_{V, i}) \\ \text {Eq. } (24) \end{array} \right\} \end{aligned}$$
(26)

This new arithmetic circuit format can encode satisfiability of BP circuits and is therefore capable of representing any arithmetic circuit, see the full version [20] for details.

5.1 Protocol Overview

We defer the explicit details of how the arithmetic circuit protocol encodes the statement into the norm linear argument to the full version [20] and limit ourselves to a high-level description here. First, the prover will commit to \((\boldsymbol{w}_L, \boldsymbol{w}_R, \boldsymbol{w}_O)\) in \((C_L, C_R, C_O)\) and send these to the verifier. There is some freedom in how the prover can organize the witness into these three norm linear commitments. Specifically, in some cases it may be more efficient to commit to some of \(\boldsymbol{w}_O\) in the linear portion of \(C_L\) and \(C_R\).

Then, the verifier will choose two challenges \(\lambda \) and \(\mu \) to combine the linear and multiplicative constraints respectively using the vectors of powers \(\textbf{e}_{N_l}(\lambda )\) and \(\textbf{e}_{N_m}(\mu )\). The verifier will also choose challenges \(\beta \) and \(\delta \), which will be necessary for blinding. These allow us to transform equations Eq. (24) into a single scalar equation

$$\begin{aligned} 0 = \textbf{e}_{N_l}(\lambda )^{\top } \left( W_l\boldsymbol{w} + \boldsymbol{w} _V+ \boldsymbol{a}_l\right) + \left\langle \boldsymbol{w} _L,\boldsymbol{w} _R\right\rangle _\mu - \textbf{e}_{N_m}(\mu )^{\top } \left( W_m\boldsymbol{w} + \boldsymbol{a}_m\right) . \end{aligned}$$
(27)
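The circuit format of Eq. (24) and its compression into the single scalar equation Eq. (27), as an added example that is not the paper's code. It encodes the reciprocal constraints described in Sect. 3.4 (denominators in \(\boldsymbol{w}_L\), reciprocals in \(\boldsymbol{w}_R\), numerators as a linear combination on the right-hand side) for a vanishing check at a public challenge; the witness layout \(\boldsymbol{w} = \boldsymbol{w}_L \mathbin {||} \boldsymbol{w}_R \mathbin {||} \boldsymbol{w}_O\), the weighting \(\left\langle \boldsymbol{x},\boldsymbol{y}\right\rangle _\mu = \sum _i \mu ^{i+1} x_i y_i\) and \(\textbf{e}_N(\mu ) = (\mu , \ldots , \mu ^N)\) are assumptions.

```python
"""Eq. (24) circuit data and the Eq. (27) scalar for reciprocal constraints. Added example."""

P = (1 << 61) - 1  # constructed prime field


def inv(x):
    return pow(x % P, P - 2, P)


def matvec(W, w):
    return [sum(a * b for a, b in zip(row, w)) % P for row in W]


def reciprocal_circuit(alpha, n):
    """(W_l, a_l, W_m, a_m) for n reciprocal terms at public challenge alpha:
       multiplicative rows:  s_i * r_i = m_i - alpha * r_i    (w_L = s, w_R = r, w_O = m)
       linear row:           sum_i r_i = 0."""
    width = 3 * n
    W_m = []
    for i in range(n):
        row = [0] * width
        row[n + i] = (-alpha) % P       # -alpha * r_i, read from the w_R block
        row[2 * n + i] = 1              # + m_i, read from the w_O block
        W_m.append(row)
    a_m = [0] * n
    W_l = [[0] * n + [1] * n + [0] * n]  # sum of the w_R block
    a_l = [0]
    return W_l, a_l, W_m, a_m


def witness(A, alpha):
    """Honest witness for a collection A = [(m_i, s_i)]: w_L = s, w_R = m / (alpha + s), w_O = m."""
    s = [si % P for _, si in A]
    m = [mi % P for mi, _ in A]
    r = [mi * inv(alpha + si) % P for mi, si in zip(m, s)]
    return s, r, m


def satisfies(W_l, a_l, W_m, a_m, w_L, w_R, w_O, w_V=None):
    """Eq. (24) checked row by row (w_V defaults to zero: no committed input vectors here)."""
    w = w_L + w_R + w_O
    lin = matvec(W_l, w)
    w_V = w_V if w_V is not None else [0] * len(lin)
    linear_ok = all((x + y + z) % P == 0 for x, y, z in zip(lin, w_V, a_l))
    rhs = matvec(W_m, w)
    mult_ok = all(a * b % P == (x + y) % P for a, b, x, y in zip(w_L, w_R, rhs, a_m))
    return linear_ok and mult_ok


def powers(x, k):
    """e_k(x) = (x, x^2, ..., x^k), the assumed form of the power vectors in Eq. (27)."""
    out, acc = [], 1
    for _ in range(k):
        acc = acc * x % P
        out.append(acc)
    return out


def compressed(W_l, a_l, W_m, a_m, w_L, w_R, w_O, lam, mu, w_V=None):
    """Eq. (27): random lambda, mu fold all rows of Eq. (24) into one scalar that must be zero."""
    w = w_L + w_R + w_O
    lin = matvec(W_l, w)
    w_V = w_V if w_V is not None else [0] * len(lin)
    e_l, e_m = powers(lam, len(lin)), powers(mu, len(w_L))
    t_lin = sum(e * ((x + y + z) % P) for e, x, y, z in zip(e_l, lin, w_V, a_l))
    t_wip = sum(e * a * b for e, a, b in zip(e_m, w_L, w_R))        # <w_L, w_R>_mu
    t_mul = sum(e * ((x + y) % P) for e, x, y in zip(e_m, matvec(W_m, w), a_m))
    return (t_lin + t_wip - t_mul) % P
```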

We want to construct a triple of polynomials \((\hat{v}(T), \hat{\boldsymbol{l}}(T), \hat{\boldsymbol{n}}(T))\) so that when we apply the norm linear relation and get \(\hat{f}(T) = \hat{v}(T) - \left\langle \boldsymbol{c}(T),\hat{\boldsymbol{l}}(T)\right\rangle - \left|\hat{\boldsymbol{n}}(T) \right|^2_\mu \) exactly one term of \(\hat{f}(T)\) encodes these randomized constraints. We call this term the value term and the other terms the error terms. To show that the constraints are satisfied, it suffices to show that the value term vanishes, and prove knowledge of the error terms.

To construct this polynomial, we first assign a unique T term to each commitment. The product of the T terms for \(C_L\) and \(C_R\) will be the value term. Each constraint will be placed on the unique T term so that when multiplied with the T term of the commitment to the witness it acts on, the result will be the value term. So, if T multiplies \(C_L\) and \(T^2\) multiplies \(C_R\), then the value term is \(T^3\) and \(\textbf{e}_{N_l}(\lambda )^\top W_L\) should be multiplied by \(T^2\). The challenge \(\delta \) will be used to prevent the norm portion of the \(\boldsymbol{w}_V\) commitments from interfering with f(X).

Then, the prover sends \(C_S\) to blind. For the portions of the commitments that commit to \(\boldsymbol{w}\), \(C_S\) will consist of uniformly random values. We need to choose a T term for \(C_S\) so that none of these random values can interfere with the value term. Our goal now is to introduce some additional elements to the linear portion of \(C_S\) to subtract off the non-value terms from \(\hat{f}(T)\) and the additional terms that arise from the blinding. If the result of this is zero, then the value term must be zero.

This can have two problems: it might allow interference with the value term, and it will not be zero knowledge, as it may reveal information about the error terms. The second problem is fixed by allowing the commitments \(C_L, C_R, C_O\) to blind the error terms in \(C_S\). The first is fixed by using the challenge \(\delta \) to prevent interference. Showing that the result is zero knowledge is somewhat more involved than for other protocols, and is ultimately reducible to showing that, by manipulating the error term blinding in \(C_L, C_R, C_O\), the prover can produce any valid opening; equivalently, that a certain matrix is full rank.

Finally, the verifier will send a challenge \(T=\tau \). Because of how the blinding was constructed, the prover and verifier can take a linear combination of \(C_L, C_R, C_S, C_O\) and public information to produce a valid norm linear instance. Without the blinding protocol, the protocol would need an additional round of interaction. At this point, since the witness is blinded the prover and verifier can run the norm linear argument and complete the protocol.

[Figure c, not reproduced in this extraction]

Theorem 2 (Arithmetic Circuits)

The arithmetic circuit protocol (whose pseudocode can be found in the full version [20]) has perfect completeness and perfect honest verifier zero-knowledge. Assuming the expected-PPT hardness of the discrete logarithm relation problem, the protocol has computational witness-extended emulation.

See the full version [20] for the proof.

6 Reciprocal Argument

Initially, zero knowledge proof arithmetizations, including that of the original Bulletproof AC protocol, supported only additions and multiplications. This was sufficient to encode all arithmetic circuits, but more modern proof systems like Halo2 [49] incorporate so called “custom gates” directly into the arithmetization. These custom gates allow circuit designers to “factor out” certain features into the arithmetization, which has a number of benefits for circuit designers. For example, a custom gate to compute \(x^5\) avoids adding the values \(x^2\) and \(x^4\) to the witness.

Another, more powerful type of custom gate is the so-called “lookup gate”, which is implemented using a variant of plookup [21] in Halo2 [49]. This allows circuit designers to incorporate lookup arguments into their circuits. Unlike raising to the fifth power, this gate cannot be conveniently implemented as a low-degree expression, since it requires an additional round of prover-verifier interaction. In particular, this means it is not possible to efficiently perform plookup, or the reciprocal argument, inside simpler arithmetizations like BP++ AC. This motivates adding the reciprocal argument directly to BP++ AC, which we call reciprocal form circuits. By formalizing this modification of the protocol, we are also able to provide a single knowledge soundness proof.

To demonstrate the power of this approach, we use the new reciprocal form circuit protocol to define a range proof and a MACT protocol. Since these protocols are simply reciprocal form arithmetic circuits, zero-knowledge and knowledge soundness follow without the need for additional security proofs.

6.1 Warmup: Reciprocal Argument Protocol

Recall from Sect. 3.2 that the reciprocal argument is an interactive protocol by which the prover can convince a verifier that a collection A vanishes.

Definition 6

Let A be a set of pairs \((m_i,s_i)\) of multiplicities \(m_i\in \mathbb {F}\) and symbols \(s_i\in \mathbb {F}\). Let the total multiplicity of a symbol \(s \in \mathbb {F}\) in A be

$$ \hat{m}_s = \sum \nolimits _{i:\,s_i=s} m_i. $$

We call A a collection, and we say that A vanishes if \(\forall s \in \mathbb {F}: \hat{m}_s = 0\).

Let \(S = \{ s_i : \exists m: (m, s_i) \in A \}\) be the set of symbols in A, and further recall that the reciprocal argument encodes A as a rational function \(f_A\) defined as

$$\begin{aligned} f_A(X) := \sum \nolimits _{i=0}^{|A|-1} \frac{m_i}{X + s_i} = \sum \nolimits _{s \in S} \frac{\hat{m}_s}{X + s}. \end{aligned}$$
(28)

To demonstrate the core idea of the reciprocal argument, we present an informal protocol in which the prover sends the verifier the witness explicitly. This protocol is not used in a blackbox manner by BP++; we will instead embed it into an arithmetic circuit and make additional modifications, e.g., some of \(\boldsymbol{s}\) or \(\boldsymbol{m}\) may be known to the verifier.

The (informal) protocol works as follows: First, the prover sends the multiplicities \(\boldsymbol{m}\) and symbols \(\boldsymbol{s}\) in A. Next, the verifier selects a random challenge \(\alpha \), and the prover responds by sending the “reciprocals” \(r_i = m_i / (\alpha + s_i)\). Finally, the verifier checks that each reciprocal is properly formed and that the sum of all the reciprocals vanishes, i.e., that \((\alpha + s_i) r_i = m_i\) and \(\sum \nolimits _i r_i = 0\).

[Figure d: the informal reciprocal argument protocol described above, not reproduced in this extraction]

This protocol lacks perfect completeness because if \(\alpha = -s_i\) for any \(s_i\) then \(r_i\) is not well-defined. However, this only occurs with negligible probability since . Informally, soundness follows from the structure of the sum of the reciprocals. If \((\alpha + s_i) r_i = m_i\), then either \(\alpha = -s_i\) and \(m_i = 0\), or \(r_i = m_i / (\alpha + s_i)\). So, with overwhelming probability, if \(\sum \nolimits _i r_i = 0\) we have that \(f_A(\alpha ) = 0\).

We can show that if \(f_A(\alpha _j) = 0\) for 2|S| distinct challenges \(\alpha _j\) then \(\hat{m}_s\) must be zero for all \(s\in S\).

Lemma 1 (Reciprocal Argument Vanishing)

Let A be a collection of pairs of multiplicities and symbols. If there exist 2|A| accepting transcripts of the reciprocal argument protocol for A with pairwise distinct challenges \(\alpha _j\), then A vanishes (Definition 6).

Proof

There are at most |S| values \(\alpha \) such that there exists \(s_i \in S\) for which \(\alpha = -s_i\). Let \(\boldsymbol{\alpha }'\) be a vector of |S| challenges \(\alpha _j\) from the transcripts such that \(\alpha _j' \ne -s_i\) for any \(i, j\). Let \(\boldsymbol{s}\) be the vector of elements in S, and note that the components of the vector \(-\boldsymbol{s}\) are pairwise distinct and the components of \(\boldsymbol{\alpha }'\) are pairwise distinct. This means the \(|S|\times |S|\) Cauchy matrix C formed from \(-\boldsymbol{s}\) and \(\boldsymbol{\alpha }'\) is well-defined and therefore invertible. Let \(f_j = f_A(\alpha _j')\) for \(f_A\) as defined in Eq. (28) and note that \(\boldsymbol{f} = C \hat{\boldsymbol{m}}_s = \boldsymbol{0}\). Since C is invertible, \(\hat{\boldsymbol{m}}_s = \boldsymbol{0}\) and therefore A vanishes.

6.2 Reciprocal Form Circuits

Reciprocal form circuits extend the BP++ AC protocol to support the reciprocal argument. As in the protocol outlined above, this requires an additional round of interaction, where the verifier chooses \(\alpha \), and will require the prover to commit to the witness in several stages. Once we have \(\alpha \) and the entire witness, we can use a BP++ AC to verify step 4 of the reciprocal argument protocol.

Suppose we have an arithmetic circuit \(\mathcal {C}\) and the arithmetic circuit witness \((\boldsymbol{w} _L, \boldsymbol{w} _R, \boldsymbol{w} _O, \boldsymbol{w} _V)\). To integrate the reciprocal argument, we want to show that this circuit is satisfied and that some set of rational functions \(\boldsymbol{f}(X)\) vanishes, where each rational function encodes a reciprocal argument instance. In general, we want the symbols and multiplicities to be able to depend on the arithmetic circuit witness \(\boldsymbol{w} \) and ultimately would like to be able to compile the \(\boldsymbol{f}(X)\) vanishing check into an arithmetic circuit for a particular \(X= \alpha \).

Let \(\boldsymbol{w}_D\) be the vector of private denominators for all the reciprocal argument instances, and let \(\boldsymbol{w}_P(X)\) be the vector of all the reciprocals associated to each \(w_{D, i}\). Define the “initial witness” \(\boldsymbol{w}_I = \boldsymbol{w} _O\mathbin {||}\boldsymbol{w} _L\mathbin {||}\boldsymbol{w}_D\) and the “entire witness” to be \(\boldsymbol{w}(X) = \boldsymbol{w}_D \mathbin {||}\boldsymbol{w} _L\mathbin {||}\boldsymbol{w}_P(X) \mathbin {||}\boldsymbol{w}_R \mathbin {||}\boldsymbol{w}_O\). We can specify all the reciprocal argument instances using three matrices \((W_n, W_d, W_p(X))\)

$$\begin{aligned} w_{P,i}(X) = \frac{(W_n \boldsymbol{w}_I + \boldsymbol{a}_n)_i}{X + w_{D, i}} \end{aligned}$$
(29)
$$\begin{aligned} W_d \boldsymbol{w}_I + \boldsymbol{w}_V + \boldsymbol{a}_d = \boldsymbol{0} \end{aligned}$$
(30)
$$\begin{aligned} \boldsymbol{f}(X) = W_p(X) \boldsymbol{w}(X) + \boldsymbol{a}_p(X). \end{aligned}$$
(31)

The intuition here is as follows. First, we take all the reciprocals that occur in all the \(\boldsymbol{f}(X)\) instances and partition them into two groups. The first are the reciprocals with public denominators, and the second are those with denominators that depend on the witness. Those with public denominators do not require multiplicative constraints and can be encoded via \(W_p(X)\). The second set are organized into a vector, and \(\boldsymbol{w}_D\) is their denominators. We allow the prover to constrain these values via Eq. (30). The numerators of these reciprocals are encoded via \(W_n \boldsymbol{w}_I + \boldsymbol{a}_n\), and the reciprocals themselves will be committed via \(\boldsymbol{w}_P(\alpha )\). Finally, we map each reciprocal to its reciprocal argument instance via \(W_p(X)\) and add any that consist of entirely public information via \(\boldsymbol{a}_p(X)\).

Following commitment to \(\boldsymbol{w}_I\), the verifier chooses \(\alpha \), and the prover commits to \(\boldsymbol{w}_R\) and \(\boldsymbol{w}_P(\alpha )\). We can now define the new arithmetic circuit \(\mathcal {C}'\) for \(\alpha \). First, prepend the vector \(\boldsymbol{w}_D\) onto \(\boldsymbol{w}_L\) and the vector \(\boldsymbol{w}_P(\alpha )\) onto \(\boldsymbol{w}_R\) to produce \(\boldsymbol{w}_L'\) and \(\boldsymbol{w}_R'\) for \(\mathcal {C}'\). We keep \(\boldsymbol{w}_O' = \boldsymbol{w}_O\), and can let . To verify that the committed vector \(\boldsymbol{w}_P'\) is correctly constructed as \(\boldsymbol{w}_P(\alpha )\), we can clear the denominator of Eq. (29) and check

$$\begin{aligned} w_{D, i} w_{P, i}' = (W_n \boldsymbol{w}_I + \boldsymbol{a}_n)_i - \alpha w_{P, i}'. \end{aligned}$$
(32)

This is satisfied if \(w_{P,i}' = w_{P,i}(\alpha )\) or if \(w_{D, i} = -\alpha \) and the numerator is zero. The latter occurs with negligible probability, so this is sufficient to check \(\boldsymbol{w}_P'\) is correctly constructed. The rest of the constraints can be appended onto the \(W_l\) and \(W_m\) matrices to construct the \(W_l'\) and \(W_m'\) matrices for \(\mathcal {C}'\) as

$$\begin{aligned} W_l' \boldsymbol{w}' = (W_d \boldsymbol{w}_I) \mathbin {||}(W_p(\alpha ) \boldsymbol{w}(X)) \mathbin {||}(W_l \boldsymbol{w}) \end{aligned}$$
(33)
$$\begin{aligned} W_m' \boldsymbol{w}' = (W_n \boldsymbol{w}_I - \alpha \boldsymbol{w}_P(\alpha )) \mathbin {||}(W_m \boldsymbol{w}). \end{aligned}$$
(34)

Formally, the reciprocal form arithmetic circuit protocol shows that the reciprocal form arithmetic circuit relation is satisfied for the circuit \(\mathcal{R}\mathcal{C}\). In the relation, \(A_i\) refers to the collection for the ith instance of the reciprocal argument. That is, the collection \(A_i\) is encoded as in Eq. (28) by \(f_i(X)\) in Eq. (31).

$$\begin{aligned} \mathcal{R}\mathcal{C} = \left( \begin{array}{c} \mathcal {C}, W_n \in \mathbb {F}^{N_p \times N_I}, W_d \in \mathbb {F}^{N_d \times N_I}, \\ W_p(X) \in \mathbb {F}(X)^{N_p \times N_w'} \\ \boldsymbol{a}_n \in \mathbb {F}^{N_p}, \boldsymbol{a}_d \in \mathbb {F}^{N_d} , \boldsymbol{a}_p(X) \in \mathbb {F}(X)^{N_p} \end{array} \right) \end{aligned}$$
(35)
$$\begin{aligned} \mathcal {R}_{ rf } = \big \{ ( \sigma ; x, \mathcal{R}\mathcal{C} ; w, \boldsymbol{w}_D \in \mathbb {F}^{N_p} ) : A_i \text { vanishes}, \text {Eq. }(30), (\sigma ; x; w) \in \mathcal {R}_{ ac } \big \} \end{aligned}$$
(36)

Given that we can compile reciprocal form circuits to arithmetic circuits for a particular \(\alpha \), the security proofs are able to inherit most of the structure of those of arithmetic circuits. Zero-knowledge follows immediately, and soundness requires one additional level in the transcript tree for \(\alpha \) to extract the vanishing of \(\boldsymbol{f}(\alpha )\).

Theorem 3 (Reciprocal Form Arithmetic Circuits)

The arithmetic circuit protocol for circuits in reciprocal form (whose pseudocode can be found in the full version [20]) has completeness and perfect honest verifier zero-knowledge. Assuming the expected-PPT hardness of the discrete logarithm relation problem, the protocol has computational witness-extended emulation.

See the full version [20] for the proof.

6.3 Reciprocal Range Proofs

Given the reciprocal argument and reciprocal form arithmetic circuits, we can now construct a range proof as an argument of knowledge for

$$\begin{aligned} \mathcal {R}_{ rp } = \left\{ \left( \begin{array}{c} G, H \in \mathbb {G}; \\ \boldsymbol{V} \in \mathbb {G}^k, \boldsymbol{A}, \boldsymbol{B} \in \mathbb {Z}^k, B_i - A_i \in [1, p);\\ \boldsymbol{v}, \boldsymbol{s} \in \mathbb {F}^k \end{array} \right) : \begin{array}{c} \forall i : v_i \in [A_i, B_i),\\ V_i = \textsf{Com}(v_i; s_i) \end{array} \right\} . \end{aligned}$$
(37)

For simplicity, assume each range \([A_i, B_i)\) uses the same base b. To show that each value lies in the range the prover can break down \(v_i\) into digits \(\boldsymbol{d}_i\), show that each digit is a valid base b digit, and show that for some vector of public constants \(\boldsymbol{b}_i\), the following linear relation is satisfied \(\left\langle \boldsymbol{b}_i,\boldsymbol{d}_i\right\rangle = v_i - A_i\). To show each \(\boldsymbol{d}_i\) is a valid digit we can use the reciprocal argument and let \(\boldsymbol{w}_D\) consist of all the digits for all the range proofs.

We will also assume for simplicity of presentation that the size of the range is a power of b, that is, \(B - A = b^k\) for some integer k. This simplifies the range proof description and is typically sufficient in practice. Especially in cryptocurrencies, range proofs are typically used to enforce that a value is not “negative” rather than that it lies in a specific range. It is straightforward to adapt the protocol to support arbitrary ranges using the work of Chaabouni, Lipmaa, shelat [12]; we defer a detailed description to the full version [20].

BP++ arithmetic circuits, as mentioned before, allow placing the vector \(\boldsymbol{w}_O\) of witness elements that participate only in linear constraints either in the \(\boldsymbol{l}_X\) portion of the witness or in the \(\boldsymbol{n}_O\) portion of the witness. For reciprocal range proofs, it makes sense to either place them in \(\boldsymbol{n}_O\), which we will call “inline” multiplicity range proofs, or in \(\boldsymbol{l}_L\), which we will call “shared” multiplicity range proofs. The terminology refers to the fact that in the multiparty setting, when multiplicities are placed in the linear portion of the witness, multiple provers can reuse the same basis points in their separate proofs. Inline range proofs are so called because in the multiparty setting, multiplicities must be represented over the basis elements used by each prover to commit to their digits, so the multiplicities are inline with the digits.

Arithmetic Circuit. In both the inline and shared cases, the vector \(\boldsymbol{w}_D\) consists of the concatenation of the digit vectors for all the ranges. The numerator for each digit reciprocal is always 1, so the numerator matrix is simply zero and \(\boldsymbol{a}_n = \boldsymbol{1}\). The vector of reciprocals \(\boldsymbol{w}_P(X)\) is the concatenation of the values \(r_{i, j} = 1/(\alpha + d_{i,j})\), ordered so that they align with \(\boldsymbol{w}_D\). For each value, the range is verified using the linear constraint

$$\begin{aligned} \left\langle W_{d,i},\boldsymbol{w}_D\right\rangle = \left\langle \boldsymbol{b}_i,\boldsymbol{d}_i\right\rangle \qquad a_{d, i} = A_i \end{aligned}$$
(38)

Now all that remains is to describe the matrix \(W_p(X)\) in terms of the multiplicities. In both the inline and shared cases, the prover shows that the set membership check is satisfied for all the digits of each base. Let the vector \(\boldsymbol{m}_i\) be the number of times each value in \([1, b_i)\) occurs in \(\boldsymbol{d}_i\). Note this does not include a multiplicity for zero, as this multiplicity is equal to the number of digits minus the sum of the other multiplicities. Let the total multiplicity be \(\hat{\boldsymbol{m}} = \sum \nolimits _{i} \boldsymbol{m}_i\) and the total number of digits be \(\hat{n} = \sum \nolimits _{i} |\boldsymbol{d}_i|\). In both the inline and the shared cases, the prover uses the vectors of reciprocals to prove each digit is a valid base b digit

$$\begin{aligned} \sum \nolimits _{i} \left\langle \boldsymbol{1},\boldsymbol{r}_i\right\rangle = \frac{\hat{n} - \left\langle \boldsymbol{1},\hat{\boldsymbol{m}}\right\rangle }{X} + \sum \nolimits _{j = 0}^{b - 2} \frac{\hat{m}_{j}}{X + j + 1}. \end{aligned}$$
(39)

The difference arises in how the prover commits to the multiplicities. In the inline case, the prover commits to the vector \(\boldsymbol{m}\) in \(\boldsymbol{w}_O\), padded so that it aligns with \(\boldsymbol{d}_i\). The partition function \(\mathcal {F}\) in the inline case maps all of \(\boldsymbol{w}_O\) to \(\boldsymbol{n}_O\). Since the \(\hat{\boldsymbol{m}}\) are a linear function of the \(\boldsymbol{m}_i\), the matrix \(W_p(X)\) is defined to compute this function and then the right hand side of Eq. (39).

In the shared case, the prover commits to all the \(\hat{\boldsymbol{m}}\) directly in \(\boldsymbol{w}_O\) and the partition function maps these values to \(\boldsymbol{l}_L\). In this case, since neither \(\boldsymbol{l}_O\) nor \(\boldsymbol{n}_O\) is used, the commitment can be safely dropped from the protocol. The matrix \(W_p(X)\) once again encodes Eq. (39) but now uses the committed total multiplicities.
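The digit check of Eqs. (38) and (39), worked through as an added example that is not code from the paper or the BP++ implementation. It evaluates both equations at a fixed challenge over a toy prime field (\(p = 2^{61}-1\), the base, the range, the sample values, the challenge value and the function names are all assumptions of the example), with the prover's digit decomposition and the total multiplicities \(\hat{\boldsymbol{m}}\) computed as the text describes (the zero digit has no explicit multiplicity). It also shows why the linear relation alone is not enough: a claimed decomposition with an out-of-base digit can satisfy Eq. (38) yet is rejected by Eq. (39).

```python
# Assumption: toy prime field 2^61 - 1 in place of the real scalar field.
P = (1 << 61) - 1


def inv(x):
    """Multiplicative inverse in F; x must be non-zero mod P."""
    return pow(x % P, P - 2, P)


def honest_digits(value, base, n_digits):
    """Little-endian base-b digits of value, which must lie in [0, base**n_digits)."""
    if not 0 <= value < base ** n_digits:
        raise ValueError("value outside the provable range")
    digits = []
    for _ in range(n_digits):
        digits.append(value % base)
        value //= base
    return digits


def weights(base, n_digits):
    """The public constant vector b_i = (1, b, b^2, ...) of Eq. (38)."""
    return [base ** j for j in range(n_digits)]


def multiplicities(all_digits, base):
    """m_hat[j] = number of digits equal to j + 1; zero's multiplicity is implicit."""
    m_hat = [0] * (base - 1)
    for d in all_digits:
        if 1 <= d <= base - 1:
            m_hat[d - 1] += 1
    return m_hat


def verify_reciprocal_range(values, digit_vectors, m_hat, lower, base, alpha):
    """Verifier side: Eq. (38) for every value and Eq. (39) over all digits at X = alpha."""
    n_digits = len(digit_vectors[0])
    w = weights(base, n_digits)
    # Eq. (38): <b_i, d_i> = v_i - A_i for each value i.
    linear_ok = all(
        sum(bj * dj for bj, dj in zip(w, ds)) % P == (v - lower) % P
        for v, ds in zip(values, digit_vectors)
    )
    all_digits = [d for ds in digit_vectors for d in ds]
    n_hat = len(all_digits)
    # Eq. (39), left-hand side: the sum of all digit reciprocals 1 / (alpha + d).
    lhs = sum(inv(alpha + d) for d in all_digits) % P
    # Eq. (39), right-hand side: implicit zero multiplicity plus committed m_hat.
    rhs = ((n_hat - sum(m_hat)) * inv(alpha)) % P
    for j in range(base - 1):
        rhs = (rhs + m_hat[j] * inv(alpha + j + 1)) % P
    return linear_ok and lhs == rhs


def honest_proof(values, lower, base, n_digits):
    """Prover side: digit vectors for each value plus the total multiplicities."""
    digit_vectors = [honest_digits(v - lower, base, n_digits) for v in values]
    all_digits = [d for ds in digit_vectors for d in ds]
    return digit_vectors, multiplicities(all_digits, base)


# Constructed sample: values in [0, 256) proved in base 4 with 4 digits each.
LOWER, BASE, N_DIGITS = 0, 4, 4
VALUES = [5, 170, 255]
ALPHA = 987654321   # fixed challenge for the example; the verifier draws it at random


def honest_case():
    dv, m_hat = honest_proof(VALUES, LOWER, BASE, N_DIGITS)
    return verify_reciprocal_range(VALUES, dv, m_hat, LOWER, BASE, ALPHA)


def forged_case():
    """A prover claims 256 with digits (0, 0, 0, 4): Eq. (38) holds, since
    4 * 4^3 = 256, but 4 is not a base-4 digit, so Eq. (39) rejects it."""
    values = VALUES + [256]
    dv, _ = honest_proof(VALUES, LOWER, BASE, N_DIGITS)
    dv = dv + [[0, 0, 0, 4]]
    m_hat = multiplicities([d for ds in dv for d in ds], BASE)
    return verify_reciprocal_range(values, dv, m_hat, LOWER, BASE, ALPHA)


if __name__ == "__main__":
    print("honest digits accepted:", honest_case())
    print("out-of-base digit accepted:", forged_case())
```

In the forged case the left-hand side of Eq. (39) contains a pole at \(X = -4\) that no choice of \(\hat{\boldsymbol{m}}\) can reproduce on the right-hand side, whose poles are fixed at \(0, -1, \ldots, -(b-1)\); the two sides can therefore only agree at a negligible fraction of challenges, which is the soundness argument of Theorem 4 in miniature.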

Theorem 4 (Reciprocal Range Proofs)

Both the inline and shared multiplicity reciprocal range proofs are zero-knowledge arguments of knowledge for the reciprocal range proof relation \(\mathcal {R}_{ rp }\) (Eq. (37)) assuming the expected-PPT hardness of the discrete logarithm relation problem.

Proof

The reciprocal range proof protocols are both instances of the reciprocal form arithmetic circuit protocol, so they have SHVZK, CWEE, and completeness. To show they are arguments for Eq. (37), we must establish that the circuit is satisfiable only if the inputs \(\boldsymbol{v}\) satisfy the relation. The protocol applies the reciprocal form circuit protocol to \(A = \{ (-1, d_i) : i \} \cup \{ (m_j, t_j) : j \}\). By the soundness of the reciprocal form circuit protocol, A vanishes. So long as the number of digits is less than the size of \(\mathbb {F}\), which is the case by assumption, this implies all \(d_i\) are valid base b digits. Therefore \(v_i = \left\langle \boldsymbol{b}_i,\boldsymbol{d}_i\right\rangle + A_i\) implies that \(v_i \in [A_i, B_i)\). Thus, the reciprocal range proof protocol is a zero knowledge argument of knowledge for Eq. (37).

6.4 Multi-asset Confidential Transactions

In a MACT, the prover wants to prove a relation closely related to that of an aggregated range proof. Given a transaction with a set of inputs I (\(o_i = 0\)) and outputs O (\(o_i = 1\)), each with a type and amount, the prover wants to show that the amount of input tokens of each type equals the amount of output tokens of each type and that all the output token amounts are “positive.” This is because if one of the outputs were negative it would be possible to secretly create new tokens, by making one of the other outputs correspondingly larger. It is typically not necessary to check that the inputs are positive since they are the outputs of some other transaction.

In a finite field, the positivity condition is checked by bounding each output (\(o_i = 1\)) by a range much smaller than the field characteristic. More precisely, it must be the case that the sum of any inputs and outputs cannot wrap around in the field to create a “negative” value. For simplicity, we can assume that all transaction outputs use the same range [0, B) in the range proof, and in practice we can assume that \(B = 2^{64}\). The MACT relation is thus

$$\begin{aligned} \mathcal {R}_{ ct } = \left\{ \left( \begin{array}{c} G, H_0, H_1 \in \mathbb {G}; \boldsymbol{o} \in \{0, 1\}^k,\\ \boldsymbol{V} \in \mathbb {G}^k, B \in \mathbb {Z}, k B < p,\\ \forall i: o_i= 0 \Rightarrow v_i \in [0, B) ;\\ \boldsymbol{v}, \boldsymbol{t}, \boldsymbol{s} \in \mathbb {F}^k \end{array} \right) : \begin{array}{c} \forall i: V_i = v_i G + t_i H_0 + s_i H_1 \\ \forall i : o_i = 1 \Rightarrow v_i \in [0, B) \\ \forall t : \sum \nolimits _{i : t_i = t} (-1)^{o_i} v_i = 0 \end{array} \right\} . \end{aligned}$$
(40)

To check the range proof part of the relation, we can use any reciprocal range proof over all the transaction outputs, i.e. \(o_i = 1\), for the optimal base b and range [0, B). Checking that all the amounts of each type net to zero in \(\mathbb {F}\) is essentially a multiset permutation check with large multiplicities, and can be stated in the form of the reciprocal argument as

$$\begin{aligned} f(X) = \sum \nolimits _{i=1}^k \frac{(-1)^{o_i} v_i}{X + t_i} = 0. \end{aligned}$$
(41)

From Lemma 1 it follows that if \(f(\alpha ) = 0\) for a uniformly random \(\alpha \) then with overwhelming probability the total multiplicity associated to each \(t_i\) must be zero in \(\mathbb {F}\). From the structure of the function, this total multiplicity is the sum of all the inputs of that type minus the sum of all the outputs of that type, and so the total multiplicity is zero in \(\mathbb {F}\) if and only if the amounts net to zero in \(\mathbb {F}\).

Taking these together, we can show that the total amount (i.e., multiplicity) of each type of asset nets to zero in \(\mathbb {Z}\). We know by assumption that each transaction input amount lies in [0, B), and we know from the range proof that each transaction output amount lies in [0, B). Therefore, the total multiplicity \(\hat{v}_t\) of any type of asset lies in \((-k B, k B)\), which occurs in a transaction with k inputs or k outputs all of the same type and maximum amount. Since \(k B < p\), this value cannot wrap around the field, so if \(\hat{v}_t = 0\) in \(\mathbb {F}\) and \(\hat{v}_t \in (-k B, k B)\), then the amounts net to zero in \(\mathbb {Z}\).
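The balance check of Eq. (41) together with the argument that \(k B < p\) lifts a zero net in \(\mathbb{F}\) to a zero net in \(\mathbb{Z}\), as an added example that is not code from the paper or the BP++ implementation. The toy field \(p = 2^{61}-1\), the bound \(B = 2^{32}\) (chosen so that \(kB < p\) holds in this field; the paper uses \(B = 2^{64}\) with a 256-bit group order), the sample transactions, the fixed challenge and the function names are assumptions of the example. The output range check is written as a plain comparison standing in for the zero-knowledge range proof of Sect. 6.3, since the amounts are in the clear here; the point demonstrated is that a transaction whose amounts net to zero only modulo \(p\) passes the field balance check and is caught solely by the range bound.

```python
# Assumption: toy prime field 2^61 - 1, and B = 2^32 so that k * B < P holds
# for the small transactions below (the paper uses B = 2^64 with a 256-bit field).
P = (1 << 61) - 1
B = 1 << 32


def inv(x):
    """Multiplicative inverse in F; x must be non-zero mod P."""
    return pow(x % P, P - 2, P)


def balance_function(entries, alpha):
    """f(alpha) of Eq. (41): sum over entries (o_i, v_i, t_i) of
    (-1)^{o_i} v_i / (alpha + t_i), with o_i = 0 for inputs and 1 for outputs."""
    total = 0
    for o, v, t in entries:
        sign = -1 if o == 1 else 1
        total = (total + sign * v * inv(alpha + t)) % P
    return total


def net_per_type(entries):
    """Integer net amount per asset type (inputs minus outputs), computed in Z."""
    nets = {}
    for o, v, t in entries:
        nets[t] = nets.get(t, 0) + (-v if o == 1 else v)
    return nets


def outputs_in_range(entries):
    """Stand-in for the range proof: every output (o_i = 1) lies in [0, B)."""
    return all(0 <= v < B for o, v, _ in entries if o == 1)


def verify_mact(entries, alpha):
    """Accept iff outputs are in range and the per-type amounts net to zero in F."""
    k = len(entries)
    assert k * B < P, "field too small for the bound k * B < p"
    return outputs_in_range(entries) and balance_function(entries, alpha) == 0


# Constructed transactions as (o_i, v_i, t_i) over two asset types, 1 and 2.
BALANCED = [(0, 100, 1), (0, 50, 2), (1, 60, 1), (1, 40, 1), (1, 50, 2)]
SWAPPED_TYPES = [(0, 100, 1), (0, 50, 2), (1, 100, 2), (1, 50, 1)]
# Nets to zero in F but not in Z: one output is the field element P - 5,
# which behaves as "-5", letting the other output exceed the input by 5.
WRAPPED = [(0, 100, 1), (1, 105, 1), (1, P - 5, 1)]
ALPHA = 555555555  # fixed challenge for the example; the verifier draws it at random


def results():
    return {
        "balanced": verify_mact(BALANCED, ALPHA),
        "swapped_types": verify_mact(SWAPPED_TYPES, ALPHA),
        "wrapped_passes_field_check": balance_function(WRAPPED, ALPHA) == 0,
        "wrapped": verify_mact(WRAPPED, ALPHA),
    }


if __name__ == "__main__":
    for name, accepted in results().items():
        print(f"{name}: {accepted}")
```

For the type-swapped transaction, \(f(X) = 50/(X+1) - 50/(X+2)\) is a non-zero rational function, so the field check fails at every challenge except the negligible set of roots; for the wrapped transaction the integer net of type 1 is exactly \(-p\), which the field cannot distinguish from zero, and only the bound \(kB < p\) enforced by the range proof rules it out.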

Arithmetic Circuit. Each input and each output commit to two values, so \(N_v = 2\). As in the reciprocal range proofs, all multiplicative constraints are reciprocal constraints and the matrices \(W_L, W_R\) have zero rows. The protocol can use any reciprocal range proof, and for the purposes of this protocol assume one is fixed by a reciprocal form circuit \(\mathcal{R}\mathcal{C}\) for either a shared or inline digit range proof for all \(v_i\) with \(o_i = 1\) for the range [0, B).

We will append the vector \(\boldsymbol{t}\) of types to \(\boldsymbol{w}_D\) from the range proof, and we will add copy constraints to check that these are the same values from the input commitments. Note these copy constraints should be interleaved with the range proof linear constraints to line up with \(\boldsymbol{t}\) in \(\boldsymbol{w}_V\). Each reciprocal in Eq. (41) has \(v_i (-1)^{o_i}\) as its numerator and \(X + t_i\) as its denominator. We will define \(w_{P,i}(X)\) to be the unsigned reciprocals \( w_{P,i}(X) = v_i / (X + t_i)\). Since multiplicative constraints cannot directly access inputs, we also need to add constraints to copy \(v_i\) into \(\boldsymbol{w}_I\) and modify \(W_n\) such that This lets us simplify \((W_n \boldsymbol{w}_I + \boldsymbol{a}_n)_i = v_i\). We can insert dummy constraints that check \(t_i = t_i\) in the linear constraints so that the inputs align with the constraint matrix. To check that Eq. (41) holds, we can then append a row \(W_p(X)\) so that

$$ \left\langle W_p(X)_0,\boldsymbol{w}\right\rangle = \sum \nolimits _{i=1}^k (-1)^{o_i} w_{P, i}(X). $$

This completes the MACT arithmetic circuit. In total, each input adds only one element to \(\boldsymbol{w}_D\) and \(\boldsymbol{w}_P(X)\), one copy constraint to \(W_d\) and one, trivial, row to \(W_n\). There is also one constraint in \(W_p(X)\) to check Eq. (41).

The marginal cost of a MACT over an aggregated range proof is negligible in prover time, verifier time, and proof size. This is in stark contrast to existing protocols, which either require large proofs or complex circuits, or require trading off multi-party proving for the full relation.

Theorem 5 (Multi-Asset Confidential Transactions)

The confidential transaction protocol, instantiated with any of the reciprocal range proofs, is a zero-knowledge argument of knowledge for the MACT relation Eq. (40) assuming the expected-PPT hardness of the discrete logarithm relation problem.

Proof

Since the MACT protocol is an instantiation of the reciprocal form arithmetic circuit protocol, it has completeness, perfect SHVZK, and CWEE. Therefore, it is sufficient to show that this circuit is satisfied if and only if the protocol inputs \(\boldsymbol{v}\) and \(\boldsymbol{t}\) satisfy the relation. By Theorem 4, we know that all the transaction output commitments commit to values in [0, B) if they satisfy the circuit, and we know by assumption that all inputs lie in this range. Since \(k B < p\), the magnitude of the total multiplicity of any type of asset cannot exceed p. The circuit invokes the reciprocal argument on the collection A formed as \( \{ (v, t) : (v, t) \in I \} \cup \{ (-v, t) : (v, t) \in O \}\). By the soundness of the reciprocal form circuits, A vanishes, so the total multiplicity of each token type must be zero in \(\mathbb {F}\). Therefore, the total multiplicity of each type of asset must be 0 as an integer.

Fig. 1. Proving and verification time for BP++ range proofs. The x-axis shows the total number of bits in the range proof; for \(x > 64\) bits, we consider an aggregation of 64-bit range proofs. The y-axis shows the time in milliseconds.

Table 2. Proving and verification time compared to prior work.

7 Implementation and Benchmarks

To demonstrate the real-world performance of BP++, we provide a reference implementation in C [19] as well as benchmarks. Our implementation builds on top of the libsecp256k1-zkp library [44] and thus uses secp256k1, the elliptic curve used in Bitcoin and many other cryptocurrencies. All operations on secret data performed by the prover implementation are constant-time. The experiments were performed on an Intel i7-10510U system at 1.80 GHz using a single thread. The implementation uses a single multi-exponentiation algorithm and scalar precomputation optimizations. In summary, verifying a 64-bit range proof took about 0.9 ms and proving about 4 ms. Figure 1 shows the proving and verification time as a function of the total number of range proof bits.

In order to compare the performance of BP++ with existing implementations of BP and BP+, we ran a BP implementation on secp256k1 [42], a BP implementation on Ristretto255 [17] and a BP+ implementation on Ristretto255 [14]. The results are summarized in Table 2. Despite secp256k1 having slower group operations than Ristretto255, for a 64-bit range proof, the BP++ prover is about 3 times and the verifier about 2.2 times faster than the BP+ implementation. The performance improvement in BP++ is amplified when aggregating multiple range proofs, e.g., when aggregating 32 64-bit range proofs, the BP++ prover and verifier are about 5–6 times faster than BP+. Moreover, based on SwiftRange’s [52] comparison to BP, we anticipate BP++ to outperform SwiftRange significantly, with roughly 3 times faster proving speed and 1.3 times faster verification speed.