Batch verification for range proofs

.travis.yml

@@ -0,0 +1,21 @@
+language: rust
+cache: cargo
+
+rust:
+ - nightly
+
+env:
+ - TEST_COMMAND=test EXTRA_FLAGS='' FEATURES=''
+ - TEST_COMMAND=test EXTRA_FLAGS='' FEATURES='yolocrypto'
+ # run cargo bench with a filter that matches no benchmarks.
+ # this ensures the benchmarks build but doesn't run them on the CI server.
+ - TEST_COMMAND=bench EXTRA_FLAGS='"DONTRUNBENCHMARKS"' FEATURES='yolocrypto'
+
+script:
+ - cargo $TEST_COMMAND --features="$FEATURES" $EXTRA_FLAGS
+
+# enable this integration if we upstream the repo
+#notifications:
+# slack:
+# rooms:
+# - dalek-cryptography:Xxv9WotKYWdSoKlgKNqXiHoD#dalek-bots

Cargo.toml

@@ -1,10 +1,35 @@
 [package]
-name = "ristretto-bp"
+name = "ristretto-bulletproofs"
 version = "0.1.0"
-authors = ["Cathie <[email protected]>"]
+authors = ["Cathie Yun <[email protected]>", 
+ "Henry de Valence <[email protected]>",
+ "Oleg Andreev <[email protected]>"]
+readme = "README.md"
+license = "MIT"
+repository = "https://github.com/chain/ristretto-bulletproofs"
+categories = ["cryptography"]
+keywords = ["cryptography", "ristretto", "zero-knowledge", "bulletproofs"]
+description = "A pure-Rust implementation of Bulletproofs using Ristretto"
 
 [dependencies]
-#curve25519-dalek = "^0.14"
-curve25519-dalek = { git = "https://github.com/dalek-cryptography/curve25519-dalek", branch = "develop", features = ["nightly"]}
+curve25519-dalek = { version = "^0.16", features = ["serde", "nightly"] }
+subtle = "0.6"
 sha2 = "^0.7"
-rand = "^0.4"
+rand = "^0.4"
+byteorder = "1.2.1"
+serde = "1"
+serde_derive = "1"
+tiny-keccak = "1.4.1"
+
+[dev-dependencies]
+hex = "^0.3"
+criterion = "0.2"
+bincode = "1"
+
+[features]
+yolocrypto = ["curve25519-dalek/yolocrypto"]
+
+[[bench]]
+name = "bulletproofs"
+harness = false
+

LICENSE.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Chain, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,8 @@
+FEATURES := 
+
+doc:
+ cargo rustdoc --features "$(FEATURES)" -- --html-in-header docs/assets/rustdoc-include-katex-header.html
+
+doc-internal:
+ cargo rustdoc --features "$(FEATURES)" -- --html-in-header docs/assets/rustdoc-include-katex-header.html --document-private-items
+

README.md

@@ -1 +1,73 @@
-# ristretto-bulletproofs
+# Ristretto Bulletproofs
+
+A pure-Rust implementation of [Bulletproofs][bp_website] using [Ristretto][ristretto].
+
+This crate contains both an implementation and a set of notes on how and why
+Bulletproofs work. The [external documentation][doc_external] describes how to use this
+crate’s API, while the [internal documentation][doc_internal] contains the notes.
+
+## WARNING
+
+This code is still research-quality. It is not (yet) suitable for deployment.
+
+## Documentation
+
+* [Public API documentation][doc_external]
+* [Internal documentation][doc_internal]
+ * [Notes on how Bulletproofs work][bp_notes] (located in the internal `notes` module)
+ * [Range proof protocol description][rp_notes]
+ * [Inner product protocol description][ipp_notes]
+
+
+Unfortunately, `cargo doc` does not yet have support for custom HTML injection
+and for documenting private members, so the documentation is built using:
+
+```text
+make doc # Builds external documentation
+make doc-internal # Builds internal documentation
+```
+
+Note: `cargo doc --open` rebuilds the docs without the custom
+invocation, so it may be necessary to rerun `make`.
+
+## Tests
+
+Run tests with `cargo test`.
+
+## Benchmarks
+
+This crate uses [criterion.rs][criterion] for benchmarks. Run benchmarks with
+`cargo bench`.
+
+## Features
+
+The `yolocrypto` feature enables the `yolocrypto` feature in
+`curve25519-dalek`, which enables the experimental AVX2 backend. To use it for
+Bulletproofs, the `target_cpu` must support AVX2:
+
+```text
+RUSTFLAGS="-C target_cpu=skylake" cargo bench --features "yolocrypto"
+```
+
+Skylake-X CPUs have double the AVX2 registers. To use them, try
+
+```text
+RUSTFLAGS="-C target_cpu=skylake-avx512" cargo bench --features "yolocrypto"
+```
+
+This prevents spills in the AVX2 parallel field multiplication code, but causes
+worse code generation elsewhere ¯\\\_(ツ)\_/¯
+
+## About
+
+This is a research project being built for Chain, Inc, by Henry de Valence,
+Cathie Yun, and Oleg Andreev.
+
+[bp_website]: https://crypto.stanford.edu/bulletproofs/
+[ristretto]: https://doc.dalek.rs/curve25519_dalek/ristretto/index.html
+[doc_external]: https://doc.dalek.rs/ristretto_bulletproofs/index.html
+[doc_internal]: https://doc-internal.dalek.rs/ristretto_bulletproofs/index.html
+[bp_notes]: https://doc-internal.dalek.rs/ristretto_bulletproofs/notes/index.html
+[rp_notes]: https://doc-internal.dalek.rs/ristretto_bulletproofs/range_proof/index.html
+[ipp_notes]: https://doc-internal.dalek.rs/ristretto_bulletproofs/inner_product_proof/index.html
+[criterion]: https://github.com/japaric/criterion.rs

Testfile

@@ -0,0 +1,2 @@
+rustfmt: rustfmt --version && cargo fmt -- --write-mode=diff
+cargotest: cargo test

benches/bulletproofs.rs

@@ -0,0 +1,150 @@
+#![allow(non_snake_case)]
+#[macro_use]
+extern crate criterion;
+use criterion::Criterion;
+
+extern crate rand;
+use rand::{OsRng, Rng};
+
+extern crate curve25519_dalek;
+use curve25519_dalek::scalar::Scalar;
+
+extern crate ristretto_bulletproofs;
+use ristretto_bulletproofs::ProofTranscript;
+use ristretto_bulletproofs::RangeProof;
+use ristretto_bulletproofs::{Generators, PedersenGenerators};
+
+static AGGREGATION_SIZES: [usize; 6] = [1, 2, 4, 8, 16, 32];
+
+fn create_aggregated_rangeproof_helper(n: usize, c: &mut Criterion) {
+ let label = format!("Aggregated {}-bit rangeproof creation", n);
+
+ c.bench_function_over_inputs(
+ &label,
+ move |b, &&m| {
+ let generators = Generators::new(PedersenGenerators::default(), n, m);
+ let mut rng = OsRng::new().unwrap();
+
+ let (min, max) = (0u64, ((1u128 << n) - 1) as u64);
+ let values: Vec<u64> = (0..m).map(|_| rng.gen_range(min, max)).collect();
+ let blindings: Vec<Scalar> = (0..m).map(|_| Scalar::random(&mut rng)).collect();
+
+ b.iter(|| {
+ // Each proof creation requires a clean transcript.
+ let mut transcript = ProofTranscript::new(b"AggregateRangeProofBenchmark");
+
+ RangeProof::prove_multiple(
+ &generators,
+ &mut transcript,
+ &mut rng,
+ &values,
+ &blindings,
+ n,
+ )
+ })
+ },
+ &AGGREGATION_SIZES,
+ );
+}
+
+fn create_aggregated_rangeproof_n_8(c: &mut Criterion) {
+ create_aggregated_rangeproof_helper(8, c);
+}
+
+fn create_aggregated_rangeproof_n_16(c: &mut Criterion) {
+ create_aggregated_rangeproof_helper(16, c);
+}
+
+fn create_aggregated_rangeproof_n_32(c: &mut Criterion) {
+ create_aggregated_rangeproof_helper(32, c);
+}
+
+fn create_aggregated_rangeproof_n_64(c: &mut Criterion) {
+ create_aggregated_rangeproof_helper(64, c);
+}
+
+fn verify_aggregated_rangeproof_helper(n: usize, c: &mut Criterion) {
+ let label = format!("Aggregated {}-bit rangeproof verification", n);
+
+ c.bench_function_over_inputs(
+ &label,
+ move |b, &&m| {
+ let generators = Generators::new(PedersenGenerators::default(), n, m);
+ let mut rng = OsRng::new().unwrap();
+
+ let (min, max) = (0u64, ((1u128 << n) - 1) as u64);
+ let values: Vec<u64> = (0..m).map(|_| rng.gen_range(min, max)).collect();
+ let blindings: Vec<Scalar> = (0..m).map(|_| Scalar::random(&mut rng)).collect();
+
+ let mut transcript = ProofTranscript::new(b"AggregateRangeProofBenchmark");
+ let proof = RangeProof::prove_multiple(
+ &generators,
+ &mut transcript,
+ &mut rng,
+ &values,
+ &blindings,
+ n,
+ ).unwrap();
+
+ // XXX would be nice to have some convenience API for this
+ let pg = &generators.all().pedersen_generators;
+ let value_commitments: Vec<_> = values
+ .iter()
+ .zip(blindings.iter())
+ .map(|(&v, &v_blinding)| pg.commit(Scalar::from_u64(v), v_blinding))
+ .collect();
+
+ b.iter(|| {
+ // Each proof creation requires a clean transcript.
+ let mut transcript = ProofTranscript::new(b"AggregateRangeProofBenchmark");
+
+ proof.verify(
+ &value_commitments,
+ generators.all(),
+ &mut transcript,
+ &mut rng,
+ n,
+ )
+ });
+ },
+ &AGGREGATION_SIZES,
+ );
+}
+
+fn verify_aggregated_rangeproof_n_8(c: &mut Criterion) {
+ verify_aggregated_rangeproof_helper(8, c);
+}
+
+fn verify_aggregated_rangeproof_n_16(c: &mut Criterion) {
+ verify_aggregated_rangeproof_helper(16, c);
+}
+
+fn verify_aggregated_rangeproof_n_32(c: &mut Criterion) {
+ verify_aggregated_rangeproof_helper(32, c);
+}
+
+fn verify_aggregated_rangeproof_n_64(c: &mut Criterion) {
+ verify_aggregated_rangeproof_helper(64, c);
+}
+
+criterion_group!{
+ name = create_rp;
+ config = Criterion::default().sample_size(10);
+ targets =
+ create_aggregated_rangeproof_n_8,
+ create_aggregated_rangeproof_n_16,
+ create_aggregated_rangeproof_n_32,
+ create_aggregated_rangeproof_n_64,
+}
+
+criterion_group!{
+ name = verify_rp;
+ config = Criterion::default();
+ targets =
+ verify_aggregated_rangeproof_n_8,
+ verify_aggregated_rangeproof_n_16,
+ verify_aggregated_rangeproof_n_32,
+ verify_aggregated_rangeproof_n_64,
+}
+
+criterion_main!(create_rp, verify_rp);

docs/assets/rustdoc-include-katex-header.html

@@ -0,0 +1,17 @@
+<link rel="stylesheet" href="https://doc.dalek.rs/assets/katex/katex.min.css">
+<script src="https://doc.dalek.rs/assets/katex/katex.min.js"></script>
+<script src="https://doc.dalek.rs/assets/katex/contrib/auto-render.min.js"></script>
+<script>
+document.addEventListener("DOMContentLoaded", function() {
+ renderMathInElement(document.body, {
+ macros: {
+ "\\lo": "\\text{lo}",
+ "\\hi": "\\text{hi}"
+ }
+ });
+});
+</script>
+<style>
+.katex { font-size: 1em !important; }
+pre.rust, .docblock code, .docblock-short code { font-size: 0.85em !important; }
+</style>