range_proof's Introduction

Range Proof

The code in this repository is a implementation of the range proof protocol described here.

This work is only proof of concept, it is not audited or does not come with any claims.

Example

To prove that z = 100 lies in the range [0, 2^8)
Trusted setup

use commitment_scheme;
// range: [0, 2^n)
let n = 8usize;
// trusted setup
let (pk, vk) = commitment_scheme::trusted_setup(4usize * n).unwrap();

[Prover] Create range proof

use algebra::bls12_381::Fr;
use merlin::Transcript;
// number in the above range
let z = Fr::from(100u8);
// merlin transcript will be used to
// transform an interactive protocol
// into a non-interactive protocol
let mut proof_transcript = Transcript::new(b"range_proof");
// generate range proof
let proof = RangeProof::prove(&pk, n, &z, &mut proof_transcript);

[Verifier] Verify range proof

// verification transcript
let mut verification_transcript = Transcript::new(b"range_proof");
// verify the above range proof
let result = RangeProof::verify(&proof, &vk, n, &mut verification_transcript);
// assert that the result is ok
assert!(result.is_ok());

License

In detail here

range_proof's People

Stargazers

Watchers

range_proof's Issues

Add zero knowledge to the range proof

As describe in the last section of the protocol:

The modification is to construct g as an n+1 degree polynomial (instead of the original n-1 degree polynomial). This means, the evaluation domain for g will be of size next_power_of_two(n+1).
The proving scheme should fetch two new challenge scalars from the Merlin transcript, namely, alpha and beta, and add them as two new random evaluations to g in this extended domain.
This doesn't change the point evaluations at the roots of unity in the original domain, hence all original relations are still valid.
One caveat to be checked is, rho (evaluation challenge) cannot belong to the set of roots of unity of the original domain. This utility function can be referred while generating a random rho.

Fix the max degree in trusted setup

The max_degree supplied at the time of trusted setup should be the maximum degree of any polynomial that can be verified using the KZG10 scheme. It is not equal to n, where 0 <= z < 2^n.

This is because the polynomial q is of a higher degree.