1. Bulletproof features
Compared with zk-SNARKs, Bulletproofs need no trusted setup, but verifying a proof takes longer than verifying a zk-SNARK.
Bulletproofs can be used for confidential transactions in cryptocurrencies (for example, hiding the amounts of UTXO transactions): the existing 10KB proof can be compressed to 1KB, and an aggregated proof can be generated for m transactions at once, which needs only O(log(m)) additional elements compared with the proof for a single transaction.
If all transactions in Bitcoin were converted to Bulletproof transactions, the UTXO set could shrink from the current 160GB to only about 17GB.
2. Existing Bulletproof implementations. The reference paper is https://eprint.iacr.org/2017/1066.pdf
Currently available open-source implementations include:
- Bulletproofs implementation in Secp256k1lib (work in progress): An implementation of Bulletproofs in C by Andrew Poelstra and Pieter Wuille. Uses constant time operation for proving and is very fast. Includes a tool for converting Pinocchio circuits to Bulletproof circuits and generating proofs for arbitrary statements. Work in progress and will still be improved and expanded.
- Prototype code (not intended for production use): An implementation of Bulletproofs in Java. Includes a general tool for constructing Bulletproofs for any NP language using the Pinocchio tool chain.
- Bulletproofs implementation in Rust by Chain, Inc (work in progress): An implementation of Bulletproofs range proofs built for Chain, Inc, by Henry de Valence, Cathie Yun, and Oleg Andreev. The code uses Curve25519 and AVX2 instructions.
- Bulletproof Rust implementation for Aggregated Range Proofs over multiple elliptic curves: led by KZen Research. Implemented in Rust, supporting several elliptic curves: secp256k1, ristretto and ed25519.
- Haskell implementation of Bulletproofs: led by Adjoint, implemented in Haskell; currently supports secp256k1.
https://www.youtube.com/watch?v=gZjDKgR4dw8&feature=youtu.be
References:
[1] https://github.com/bbuenz/BulletProofLib/
[2] https://crypto.stanford.edu/bulletproofs/
[3] https://github.com/apoelstra/secp256k1-mw
[4] https://eprint.iacr.org/2017/1066.pdf
[5] https://www.youtube.com/watch?v=gZjDKgR4dw8&feature=youtu.be