dalek-cryptography · ripa1995 · Dec 13, 2022 · Dec 13, 2022 · Dec 13, 2022 · Dec 13, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,13 @@
 
 Entries are listed in reverse chronological order.
 
+## 3.0.0
+
+* Update `curve25519-dalek`, `sha3`, `digest` and `merlin` versions.
+* Add `scalar_range_proof` feature, which allow `RangeProof` to be used with `Scalar`.
+* Allow range proof with bitsize n = 128.
+* Use `u128` instead of `u64` in range proof.
+
 ## 2.0.0
 
 * Switch from `failure` to `std`-compatible errors via `thiserror`.

diff --git a/Cargo.toml b/Cargo.toml
@@ -5,7 +5,7 @@ name = "bulletproofs"
 # - update html_root_url
 # - ensure yoloproofs was disabled in an atomic (revertable) commit
 # - update CHANGELOG
-version = "2.0.0"
+version = "3.0.0"
 authors = ["Cathie Yun <[email protected]>", 
  "Henry de Valence <[email protected]>",
  "Oleg Andreev <[email protected]>"]
@@ -15,20 +15,20 @@ repository = "https://github.com/dalek-cryptography/bulletproofs"
 categories = ["cryptography"]
 keywords = ["cryptography", "crypto", "ristretto", "zero-knowledge", "bulletproofs"]
 description = "A pure-Rust implementation of Bulletproofs using Ristretto"
-edition = "2018"
+edition = "2021"
 
 [dependencies]
-curve25519-dalek = { version = "2", default-features = false, features = ["u64_backend", "nightly", "serde", "alloc"] }
+curve25519-dalek = { version = "3.2.0", default-features = false, features = ["u64_backend", "nightly", "serde", "alloc"] }
 subtle = { version = "2", default-features = false }
-sha3 = { version = "0.8", default-features = false }
-digest = { version = "0.8", default-features = false }
+sha3 = { version = "0.9", default-features = false }
+digest = { version = "0.9", default-features = false }
 rand_core = { version = "0.5", default-features = false, features = ["alloc"] }
 rand = { version = "0.7", default-features = false, optional = true }
 byteorder = { version = "1", default-features = false }
 serde = { version = "1", default-features = false, features = ["alloc"] }
 serde_derive = { version = "1", default-features = false }
 thiserror = { version = "1", optional = true }
-merlin = { version = "2", default-features = false }
+merlin = { version = "3", default-features = false }
 clear_on_drop = { version = "0.2", default-features = false, features = ["nightly"] }
 
 [dev-dependencies]
@@ -42,10 +42,15 @@ default = ["std", "avx2_backend"]
 avx2_backend = ["curve25519-dalek/avx2_backend"]
 # yoloproofs = []
 std = ["rand", "rand/std", "thiserror"]
+scalar_range_proof = []
 
 [[test]]
 name = "range_proof"
 
+[[test]]
+name = "scalar_range_proof"
+required-features = ["scalar_range_proof"]
+
 [[test]]
 name = "r1cs"
 required-features = ["yoloproofs"]
@@ -67,3 +72,7 @@ required-features = ["yoloproofs"]
 name = "linear_proof"
 harness = false
 
+[[bench]]
+name = "scalar_range_proof"
+harness = false
+required-features = ["scalar_range_proof"]
diff --git a/README.md b/README.md
@@ -112,12 +112,15 @@ The following example shows how to create and verify a 32-bit rangeproof.
 // independently of the Bulletproofs generators.
 let pc_gens = PedersenGens::default();
 
-// Generators for Bulletproofs, valid for proofs up to bitsize 64
+// Generators for Bulletproofs, valid for proofs up to bitsize 128
 // and aggregation size up to 1.
-let bp_gens = BulletproofGens::new(64, 1);
+let bp_gens = BulletproofGens::new(128, 1);
 
 // A secret value we want to prove lies in the range [0, 2^32)
-let secret_value = 1037578891u64;
+# #[cfg(not(feature = "scalar_range_proof"))]
+let secret_value = 1037578891u128;
+# #[cfg(feature = "scalar_range_proof")]
+# let secret_value = &Scalar::from(1037578891u128);
 
 // The API takes a blinding factor for the commitment.
 let blinding = Scalar::random(&mut thread_rng());

diff --git a/benches/range_proof.rs b/benches/range_proof.rs
@@ -16,7 +16,10 @@ use bulletproofs::{BulletproofGens, PedersenGens};
 static AGGREGATION_SIZES: [usize; 6] = [1, 2, 4, 8, 16, 32];
 
 fn create_aggregated_rangeproof_helper(n: usize, c: &mut Criterion) {
- let label = format!("Aggregated {}-bit rangeproof creation", n);
+ #[cfg(not(feature = "scalar_range_proof"))]
+ let label = format!("Aggregated {}-bit rangeproof verification", n);
+ #[cfg(feature = "scalar_range_proof")]
+ let label = format!("Aggregated {}-bit rangeproof verification using Scalar", n);
 
  c.bench_function_over_inputs(
  &label,
@@ -25,8 +28,13 @@ fn create_aggregated_rangeproof_helper(n: usize, c: &mut Criterion) {
  let bp_gens = BulletproofGens::new(n, m);
  let mut rng = rand::thread_rng();
 
- let (min, max) = (0u64, ((1u128 << n) - 1) as u64);
- let values: Vec<u64> = (0..m).map(|_| rng.gen_range(min, max)).collect();
+ let (min, max) = (0u128, u128::MAX >> (u128::BITS as usize - n));
+
+ #[cfg(not(feature = "scalar_range_proof"))]
+ let values: Vec<u128> = (0..m).map(|_| rng.gen_range(min, max)).collect();
+ #[cfg(feature = "scalar_range_proof")]
+ let values: Vec<Scalar> = (0..m).map(|_| rng.gen_range(min, max).into()).collect();
+
  let blindings: Vec<Scalar> = (0..m).map(|_| Scalar::random(&mut rng)).collect();
 
  b.iter(|| {
@@ -63,8 +71,15 @@ fn create_aggregated_rangeproof_n_64(c: &mut Criterion) {
  create_aggregated_rangeproof_helper(64, c);
 }
 
+fn create_aggregated_rangeproof_n_128(c: &mut Criterion) {
+ create_aggregated_rangeproof_helper(128, c);
+}
+
 fn verify_aggregated_rangeproof_helper(n: usize, c: &mut Criterion) {
+ #[cfg(not(feature = "scalar_range_proof"))]
  let label = format!("Aggregated {}-bit rangeproof verification", n);
+ #[cfg(feature = "scalar_range_proof")]
+ let label = format!("Aggregated {}-bit rangeproof verification using Scalar", n);
 
  c.bench_function_over_inputs(
  &label,
@@ -73,8 +88,13 @@ fn verify_aggregated_rangeproof_helper(n: usize, c: &mut Criterion) {
  let bp_gens = BulletproofGens::new(n, m);
  let mut rng = rand::thread_rng();
 
- let (min, max) = (0u64, ((1u128 << n) - 1) as u64);
- let values: Vec<u64> = (0..m).map(|_| rng.gen_range(min, max)).collect();
+ let (min, max) = (0u128, u128::MAX >> (u128::BITS as usize - n));
+
+ #[cfg(not(feature = "scalar_range_proof"))]
+ let values: Vec<u128> = (0..m).map(|_| rng.gen_range(min, max)).collect();
+ #[cfg(feature = "scalar_range_proof")]
+ let values: Vec<Scalar> = (0..m).map(|_| rng.gen_range(min, max).into()).collect();
+
  let blindings: Vec<Scalar> = (0..m).map(|_| Scalar::random(&mut rng)).collect();
 
  let mut transcript = Transcript::new(b"AggregateRangeProofBenchmark");
@@ -115,6 +135,10 @@ fn verify_aggregated_rangeproof_n_64(c: &mut Criterion) {
  verify_aggregated_rangeproof_helper(64, c);
 }
 
+fn verify_aggregated_rangeproof_n_128(c: &mut Criterion) {
+ verify_aggregated_rangeproof_helper(128, c);
+}
+
 criterion_group! {
  name = create_rp;
  config = Criterion::default().sample_size(10);
@@ -123,6 +147,7 @@ criterion_group! {
  create_aggregated_rangeproof_n_16,
  create_aggregated_rangeproof_n_32,
  create_aggregated_rangeproof_n_64,
+ create_aggregated_rangeproof_n_128,
 }
 
 criterion_group! {
@@ -133,6 +158,7 @@ criterion_group! {
  verify_aggregated_rangeproof_n_16,
  verify_aggregated_rangeproof_n_32,
  verify_aggregated_rangeproof_n_64,
+ verify_aggregated_rangeproof_n_128,
 }
 
 criterion_main!(create_rp, verify_rp);
diff --git a/benches/scalar_range_proof.rs b/benches/scalar_range_proof.rs
@@ -0,0 +1,148 @@
+#![allow(non_snake_case)]
+#[macro_use]
+extern crate criterion;
+use criterion::Criterion;
+
+use rand;
+use rand::Rng;
+
+use curve25519_dalek::scalar::Scalar;
+
+use merlin::Transcript;
+
+use bulletproofs::RangeProof;
+use bulletproofs::{BulletproofGens, PedersenGens};
+
+static AGGREGATION_SIZES: [usize; 6] = [1, 2, 4, 8, 16, 32];
+
+fn create_aggregated_rangeproof_helper(n: usize, c: &mut Criterion) {
+ let label = format!("Aggregated {}-bit rangeproof verification using Scalar", n);
+
+ c.bench_function_over_inputs(
+ &label,
+ move |b, &&m| {
+ let pc_gens = PedersenGens::default();
+ let bp_gens = BulletproofGens::new(n, m);
+ let mut rng = rand::thread_rng();
+
+ let (min, max) = (0u128, u128::MAX >> (u128::BITS as usize - n));
+ let values: Vec<Scalar> = (0..m).map(|_| rng.gen_range(min, max).into()).collect();
+ let blindings: Vec<Scalar> = (0..m).map(|_| Scalar::random(&mut rng)).collect();
+
+ b.iter(|| {
+ // Each proof creation requires a clean transcript.
+ let mut transcript = Transcript::new(b"AggregateRangeProofBenchmark");
+
+ RangeProof::prove_multiple(
+ &bp_gens,
+ &pc_gens,
+ &mut transcript,
+ &values,
+ &blindings,
+ n,
+ )
+ })
+ },
+ &AGGREGATION_SIZES,
+ );
+}
+
+fn create_aggregated_rangeproof_n_8(c: &mut Criterion) {
+ create_aggregated_rangeproof_helper(8, c);
+}
+
+fn create_aggregated_rangeproof_n_16(c: &mut Criterion) {
+ create_aggregated_rangeproof_helper(16, c);
+}
+
+fn create_aggregated_rangeproof_n_32(c: &mut Criterion) {
+ create_aggregated_rangeproof_helper(32, c);
+}
+
+fn create_aggregated_rangeproof_n_64(c: &mut Criterion) {
+ create_aggregated_rangeproof_helper(64, c);
+}
+
+fn create_aggregated_rangeproof_n_128(c: &mut Criterion) {
+ create_aggregated_rangeproof_helper(128, c);
+}
+
+fn verify_aggregated_rangeproof_helper(n: usize, c: &mut Criterion) {
+ let label = format!("Aggregated {}-bit rangeproof verification using Scalar", n);
+
+ c.bench_function_over_inputs(
+ &label,
+ move |b, &&m| {
+ let pc_gens = PedersenGens::default();
+ let bp_gens = BulletproofGens::new(n, m);
+ let mut rng = rand::thread_rng();
+
+ let (min, max) = (0u128, u128::MAX >> (u128::BITS as usize - n));
+ let values: Vec<Scalar> = (0..m).map(|_| rng.gen_range(min, max).into()).collect();
+ let blindings: Vec<Scalar> = (0..m).map(|_| Scalar::random(&mut rng)).collect();
+
+ let mut transcript = Transcript::new(b"AggregateRangeProofBenchmark");
+ let (proof, value_commitments) = RangeProof::prove_multiple(
+ &bp_gens,
+ &pc_gens,
+ &mut transcript,
+ &values,
+ &blindings,
+ n,
+ )
+ .unwrap();
+
+ b.iter(|| {
+ // Each proof creation requires a clean transcript.
+ let mut transcript = Transcript::new(b"AggregateRangeProofBenchmark");
+
+ proof.verify_multiple(&bp_gens, &pc_gens, &mut transcript, &value_commitments, n)
+ });
+ },
+ &AGGREGATION_SIZES,
+ );
+}
+
+fn verify_aggregated_rangeproof_n_8(c: &mut Criterion) {
+ verify_aggregated_rangeproof_helper(8, c);
+}
+
+fn verify_aggregated_rangeproof_n_16(c: &mut Criterion) {
+ verify_aggregated_rangeproof_helper(16, c);
+}
+
+fn verify_aggregated_rangeproof_n_32(c: &mut Criterion) {
+ verify_aggregated_rangeproof_helper(32, c);
+}
+
+fn verify_aggregated_rangeproof_n_64(c: &mut Criterion) {
+ verify_aggregated_rangeproof_helper(64, c);
+}
+
+fn verify_aggregated_rangeproof_n_128(c: &mut Criterion) {
+ verify_aggregated_rangeproof_helper(128, c);
+}
+
+criterion_group! {
+ name = create_rp;
+ config = Criterion::default().sample_size(10);
+ targets =
+ create_aggregated_rangeproof_n_8,
+ create_aggregated_rangeproof_n_16,
+ create_aggregated_rangeproof_n_32,
+ create_aggregated_rangeproof_n_64,
+ create_aggregated_rangeproof_n_128,
+}
+
+criterion_group! {
+ name = verify_rp;
+ config = Criterion::default();
+ targets =
+ verify_aggregated_rangeproof_n_8,
+ verify_aggregated_rangeproof_n_16,
+ verify_aggregated_rangeproof_n_32,
+ verify_aggregated_rangeproof_n_64,
+ verify_aggregated_rangeproof_n_128,
+}
+
+criterion_main!(create_rp, verify_rp);
diff --git a/rust-toolchain b/rust-toolchain
@@ -1 +1 @@
-nightly-2019-07-31
+nightly-2023-01-01
diff --git a/src/errors.rs b/src/errors.rs
@@ -21,8 +21,11 @@ pub enum ProofError {
  #[cfg_attr(feature = "std", error("Wrong number of blinding factors supplied."))]
  WrongNumBlindingFactors,
  /// This error occurs when attempting to create a proof with
- /// bitsize other than \\(8\\), \\(16\\), \\(32\\), or \\(64\\).
- #[cfg_attr(feature = "std", error("Invalid bitsize, must have n = 8,16,32,64."))]
+ /// bitsize other than \\(8\\), \\(16\\), \\(32\\), \\(64\\) or \\(128\\).
+ #[cfg_attr(
+ feature = "std",
+ error("Invalid bitsize, must have n = 8,16,32,64,128.")
+ )]
  InvalidBitsize,
  /// This error occurs when attempting to create an aggregated
  /// proof with non-power-of-two aggregation size.
@@ -73,8 +76,11 @@ pub enum MPCError {
  #[cfg_attr(feature = "std", error("Dealer gave a malicious challenge value."))]
  MaliciousDealer,
  /// This error occurs when attempting to create a proof with
- /// bitsize other than \\(8\\), \\(16\\), \\(32\\), or \\(64\\).
- #[cfg_attr(feature = "std", error("Invalid bitsize, must have n = 8,16,32,64"))]
+ /// bitsize other than \\(8\\), \\(16\\), \\(32\\), \\(64\\) or \\(128\\).
+ #[cfg_attr(
+ feature = "std",
+ error("Invalid bitsize, must have n = 8,16,32,64,128")
+ )]
  InvalidBitsize,
  /// This error occurs when attempting to create an aggregated
  /// proof with non-power-of-two aggregation size.

diff --git a/src/generators.rs b/src/generators.rs
@@ -12,7 +12,7 @@ use curve25519_dalek::constants::RISTRETTO_BASEPOINT_POINT;
 use curve25519_dalek::ristretto::RistrettoPoint;
 use curve25519_dalek::scalar::Scalar;
 use curve25519_dalek::traits::MultiscalarMul;
-use digest::{ExtendableOutput, Input, XofReader};
+use digest::{ExtendableOutput, Update, XofReader};
 use sha3::{Sha3XofReader, Sha3_512, Shake256};
 
 /// Represents a pair of base points for Pedersen commitments.
@@ -63,11 +63,11 @@ impl GeneratorsChain {
  /// Creates a chain of generators, determined by the hash of `label`.
  fn new(label: &[u8]) -> Self {
  let mut shake = Shake256::default();
- shake.input(b"GeneratorsChain");
- shake.input(label);
+ shake.update(b"GeneratorsChain");
+ shake.update(label);
 
  GeneratorsChain {
- reader: shake.xof_result(),
+ reader: shake.finalize_xof(),
  }
  }
 
@@ -169,7 +169,7 @@ impl BulletproofGens {
  /// slice of vectors G and H for the j-th range proof.
  pub fn share(&self, j: usize) -> BulletproofGensShare<'_> {
  BulletproofGensShare {
- gens: &self,
+ gens: self,
  share: j,
  }
  }