We’re excited to announce a pre-release version of our Bulletproofs implementation, providing a stable interface for creating and verifying range proofs, an important building block for a range of privacy-preserving protocols. For instance, range proofs are important for confidential transaction systems, such as Confidential Transactions for Bitcoin, Chain’s Confidential Assets, and many other protocols, because a verifier can check that secret values, such as asset amounts, are nonnegative.
As we described a few months ago, our implementation is written in pure Rust using the Ristretto group; our previous post has more detail and background information. Since then, we have improved performance slightly, pushing verification time down to 1040 µs for a 64-bit range proof. For comparison, this is 1.83x faster than the libsecp implementation (with endomorphisms), 2.00x faster than the libsecp implementation (without endomorphisms), and 4.63x faster than the Monero implementation.
In addition to better performance, we also provide a clean, safe, and extensible API for both single-party proving as well as multi-party computation of aggregated proofs. The single-party proving is actually implemented by self-MPC internally, to avoid code duplication.
This post shares some details of our design and says a few words about the next version of Bulletproofs, which will provide a constraint system API to allow proofs of arbitrary statements.
Composable proof transcripts
Our implementation performs the Fiat-Shamir transform using Merlin transcripts. This provides per-application domain separation, since constructing a transcript requires passing a domain separation label. It also means that it’s possible for users of our API to bind the Bulletproofs to arbitrary structured data (by committing it to the transcript prior to proving), or to compose the Bulletproofs with other proof statements (by using a common tran...