-
philogy
Hey so I'm trying to understand why the constraints are combined the way they are in the bulletproof range proofs. So we have following constraints:
-
philogy
<a_L, 2^n> = v
-
philogy
<a_L - 1 - a_R, y^n> = 0
-
philogy
<a_L, a_R * y^n> = 0
-
philogy
=> z^2 * v = z^2 * <a_L, 2^n> + z * <a_L - 1 - a_R, y^n> + <a_L, a_R * y^n>
-
philogy
Why a polynomial? Why couldn't one just simply add or multiply them together
-
philogy
Trying to gain an in depth understanding of bulletproofs, any help would be much appreciated :D
-
kenshamir[m]
<philogy "Why a polynomial? Why couldn't o"> This seems a bit vague, maybe expand for when help arrives?
-
kenshamir[m]
For example, it’s not clear what “them” is referring to
-
kenshamir[m]
To give a general overview, a rangeproof usually works on the fact that a particular number can be represented with X amount of bits
-
philogy
So my question why is the challenge z is introduced. With them I mean the constraints. So why isn't it:
-
philogy
v = <a_L, 2^n> + <a_L - 1 - a_R, y^n> + <a_L, a_R * y^n>
-
philogy
instead of
-
philogy
z^2 * v = z^2 * <a_L, 2^n> + z * <a_L - 1 - a_R, y^n> + <a_L, a_R * y^n>
-
kenshamir[m]
Ohh
-
philogy
kenshamir[m]: yeah I think I'm at the point where I understand the general approach (kind of the recursive reduction still confuses me) but I'm trying to understand why certain equations are setup the way they are
-
kenshamir[m]
Because when you are combing statements, you need to make sure that the prover cannot manipúlate the final value by cancelling parts out
-
kenshamir[m]
For example if you take this equation
-
kenshamir[m]
X = Y
-
kenshamir[m]
If X really does equal to Y, then multiplying each side by a random challenge will not change that fact
-
kenshamir[m]
Hmm I don’t think there is always recursion for a general rangeproof, there is in bulletproofs AFAIK
-
kenshamir[m]
Each equation should map to a statement
-
kenshamir[m]
For understanding, you can ignore the random challenges, as they are there for soundness
-
kenshamir[m]
* For understanding, you can ignore the random challenges, as they are there for soundness against something like a dishonest prover
-
kenshamir[m]
The random challenge concept is used a lot by the way in crypto. I think the “rogue key attack” is quite well documented and also shows what happens when you allow “things” to be aggregated without a random challenge
-
kenshamir[m]
<philogy "kenshamir: yeah I think I'm at t"> Going to pop off in about 10 minutes, but taking your first equation:
-
kenshamir[m]
Any number that can be bit decomposed into N bits must lie between 0 and 2^N-1
-
kenshamir[m]
The thing is that the prover has not shown us that the ALs are bits. He could trivially make AL_0 = v and then make the rest of the terms 0
-
philogy
but that's what the a_R * a_L = 0 constraint is for, no?
-
kenshamir[m]
<philogy "but that's what the a_R * a_L = "> Yep exactly
-
kenshamir[m]
You then combine all of the equations together using random challenges