{"id":13531768,"url":"https://github.com/dalek-cryptography/bulletproofs","last_synced_at":"2025-06-10T17:39:35.248Z","repository":{"id":31901320,"uuid":"119915731","full_name":"dalek-cryptography/bulletproofs","owner":"dalek-cryptography","description":" A pure-Rust implementation of Bulletproofs using Ristretto.","archived":false,"fork":false,"pushed_at":"2024-07-23T19:30:43.000Z","size":3501,"stargazers_count":1085,"open_issues_count":51,"forks_count":226,"subscribers_count":40,"default_branch":"main","last_synced_at":"2025-05-31T14:31:08.098Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dalek-cryptography.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-02-02T01:35:49.000Z","updated_at":"2025-05-21T12:18:56.000Z","dependencies_parsed_at":"2024-06-27T00:03:06.494Z","dependency_job_id":"1442a737-b636-484f-825d-166406fb6e3e","html_url":"https://github.com/dalek-cryptography/bulletproofs","commit_stats":{"total_commits":690,"total_committers":18,"mean_commits":"38.333333333333336","dds":0.6159420289855073,"last_synced_commit":"be67b6d5f5ad1c1f54d5511b52e6d645a1313d07"},"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dalek-cryptography%2Fbulletproofs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dalek-cryptography%2Fbulletproofs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts
/GitHub/repositories/dalek-cryptography%2Fbulletproofs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dalek-cryptography%2Fbulletproofs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dalek-cryptography","download_url":"https://codeload.github.com/dalek-cryptography/bulletproofs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dalek-cryptography%2Fbulletproofs/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259118827,"owners_count":22808063,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T07:01:05.501Z","updated_at":"2025-06-10T17:39:35.226Z","avatar_url":"https://github.com/dalek-cryptography.png","language":"Rust","readme":"# Bulletproofs\n\n\u003cimg\n width=\"100%\"\n src=\"https://doc.dalek.rs/assets/bulletproofs-rangeproof.png\"\n/\u003e\n\nThe fastest [Bulletproofs][bp_website] implementation ever, featuring\nsingle and aggregated range proofs, strongly-typed multiparty\ncomputation, and a programmable constraint system API for proving\narbitrary statements (under development).\n\nThis library implements Bulletproofs using [Ristretto][ristretto],\nusing the `ristretto255` implementation in\n[`curve25519-dalek`][curve25519_dalek].  
When using the [parallel\nformulas][parallel_edwards] in the `curve25519-dalek` AVX2 backend, it\ncan verify 64-bit rangeproofs **approximately twice as fast** as the\noriginal `libsecp256k1`-based Bulletproofs implementation.\n\nThis library provides implementations of:\n\n* Single-party proofs of single or multiple ranges, using the\n  aggregated rangeproof construction;\n\n* Online multi-party computation for rangeproof aggregation between\n  multiple parties, using [session types][session_type_blog] to\n  statically enforce correct protocol flow;\n  \n* A programmable constraint system API for expressing rank-1\n  constraint systems, and proving and verifying proofs of arbitrary\n  statements (unstable, under development with the `yoloproofs` feature);\n  \n* Online multi-party computation for aggregated constraint system proofs\n  (planned future work).\n\nThese proofs are implemented using [Merlin transcripts][doc_merlin],\nallowing them to be arbitrarily composed with other proofs without\nimplementation changes.\n\nThe development roadmap can be found in the\n[Milestones][gh_milestones] section of the [Github repo][gh_repo].\n\nThe constraint system API is provided **FOR EXPERIMENTS ONLY**, and must be\nenabled by specifying the `yoloproofs` feature.  It is not covered by semver\ncompatibility and is **SUBJECT TO CHANGE WITHOUT NOTICE**.  \n\nCurrently, the `yoloproofs` feature is disabled in the published version of the\ncrate, so it can only be used by specifying a git dependency on the `develop`\nbranch.  This means that it is not possible to publish a crate using the R1CS\nAPI, because it is **FOR EXPERIMENTS ONLY**.\n\n## Documentation\n  \nThe user-facing documentation for this functionality can be [found\nhere][doc_external].  In addition, the library *also* contains\nextensive notes on how Bulletproofs work.  
These notes can be found in\nthe library's [internal documentation][doc_internal]:\n\n* how [Bulletproofs work][bp_notes];\n* how [the range proof protocol works][rp_notes];\n* how [the inner product proof protocol works][ipp_notes];\n* how [the aggregation protocol works][agg_notes];\n* how the Bulletproof constraint system proofs work (under development);\n* how the constraint system reduction works (under development);\n* how the aggregated constraint system proofs work (future work).\n\n## Comparative Performance\n\nThe following table gives comparative timings for proving and verification of a\n64-bit rangeproof on an Intel Skylake-X i7-7800X (@3.5GHz, Turbo Boost\ndisabled).  Times are in microseconds (lower is better), with the relative\nspeed compared to the fastest implementation.\n\n| Implementation | Group            | Proving (μs) |       rel | Verification (μs) |       rel |\n|----------------|------------------|-------------:|----------:|------------------:|----------:|\n| ours (avx2)    | ristretto255     |         7300 | **1.00x** |              1040 | **1.00x** |\n| ours (u64)     | ristretto255     |        11300 | **1.54x** |              1490 | **1.43x** |\n| libsecp+endo   | secp256k1        |        14300 | **1.96x** |              1900 | **1.83x** |\n| libsecp-endo   | secp256k1        |        16800 | **2.30x** |              2080 | **2.00x** |\n| Monero         | ed25519 (unsafe) |        53300 | **7.30x** |              4810 | **4.63x** |\n\nUse of the `curve25519-dalek` IFMA backend gives another 1.5x speedup on a\nCannonlake i3-8121U, increasing the verification speedup **3x** over libsecp\nand **7x** over Monero, but these processors are not yet generally available.\n\nThis crate also contains other benchmarks; see the *Tests and Benchmarks*\nsection below for details on how to run them all.\n\n## Example\n\nThe following example shows how to create and verify a 32-bit rangeproof.\n\n```rust\n# // The #-commented lines are hidden in 
Rustdoc but not in raw\n# // markdown rendering, and contain boilerplate code so that the\n# // code in the README.md is actually run as part of the test suite.\n#\n# extern crate rand;\n# use rand::thread_rng;\n#\n# extern crate curve25519_dalek;\n# use curve25519_dalek::scalar::Scalar;\n#\n# extern crate merlin;\n# use merlin::Transcript;\n#\n# extern crate bulletproofs;\n# use bulletproofs::{BulletproofGens, PedersenGens, RangeProof};\n#\n# fn main() {\n// Generators for Pedersen commitments.  These can be selected\n// independently of the Bulletproofs generators.\nlet pc_gens = PedersenGens::default();\n\n// Generators for Bulletproofs, valid for proofs up to bitsize 64\n// and aggregation size up to 1.\nlet bp_gens = BulletproofGens::new(64, 1);\n\n// A secret value we want to prove lies in the range [0, 2^32)\nlet secret_value = 1037578891u64;\n\n// The API takes a blinding factor for the commitment.\nlet blinding = Scalar::random(\u0026mut thread_rng());\n\n// The proof can be chained to an existing transcript.\n// Here we create a transcript with a doctest domain separator.\nlet mut prover_transcript = Transcript::new(b\"doctest example\");\n\n// Create a 32-bit rangeproof.\nlet (proof, committed_value) = RangeProof::prove_single(\n    \u0026bp_gens,\n    \u0026pc_gens,\n    \u0026mut prover_transcript,\n    secret_value,\n    \u0026blinding,\n    32,\n).expect(\"A real program could handle errors\");\n\n// Verification requires a transcript with identical initial state:\nlet mut verifier_transcript = Transcript::new(b\"doctest example\");\nassert!(\n    proof\n        .verify_single(\u0026bp_gens, \u0026pc_gens, \u0026mut verifier_transcript, \u0026committed_value, 32)\n        .is_ok()\n);\n# }\n```\n## Building\n\nTo compile successfully, you will need to have nightly Rust installed, rather than stable.\n\nYou can install nightly Rust with rustup:\n\n```text\nrustup default nightly\n```\n\n## Tests and Benchmarks\n\nRun tests with `cargo test`.  
Run benchmarks with `cargo bench`.  This crate\nuses [criterion.rs][criterion] for benchmarks. \n\n## Features\n\nThe `yoloproofs` feature enables support for rank-1 constraint system proofs.\nIt is **UNSTABLE AND UNSUITABLE FOR DEPLOYMENT**, and **PROVIDED FOR TESTING\nONLY**.\n\nThe `avx2_backend` feature enables `curve25519-dalek`'s AVX2 backend,\nwhich implements curve arithmetic using [parallel\nformulas][parallel_edwards].  To use it for Bulletproofs, the\n`target_cpu` must support AVX2:\n\n```text\nRUSTFLAGS=\"-C target_cpu=skylake\" cargo bench --features \"avx2_backend\"\n```\n\nSkylake-X CPUs have double the AVX2 registers. To use them, try\n\n```text\nRUSTFLAGS=\"-C target_cpu=skylake-avx512\" cargo bench --features \"avx2_backend\"\n```\n\nThis prevents spills in the AVX2 parallel field multiplication code, but causes\nworse code generation elsewhere ¯\\\\\\_(ツ)\\_/¯\n\n## About\n\nThis is a research project sponsored by [Interstellar][interstellar],\ndeveloped by Henry de Valence, Cathie Yun, and Oleg Andreev.\n\n[bp_website]: https://crypto.stanford.edu/bulletproofs/\n[ristretto]: https://ristretto.group\n[doc_merlin]: https://doc.dalek.rs/merlin/index.html\n[doc_external]: https://doc.dalek.rs/bulletproofs/index.html\n[doc_internal]: https://doc-internal.dalek.rs/bulletproofs/index.html\n[bp_notes]: https://doc-internal.dalek.rs/bulletproofs/notes/index.html\n[rp_notes]: https://doc-internal.dalek.rs/bulletproofs/range_proof/index.html\n[ipp_notes]: https://doc-internal.dalek.rs/bulletproofs/inner_product_proof/index.html\n[agg_notes]: https://doc-internal.dalek.rs/bulletproofs/notes/index.html#aggregated-range-proof\n[criterion]: https://github.com/japaric/criterion.rs\n[session_type_blog]: https://blog.chain.com/bulletproof-multi-party-computation-in-rust-with-session-types-b3da6e928d5d\n[curve25519_dalek]: https://doc.dalek.rs/curve25519_dalek/index.html\n[parallel_edwards]: 
https://medium.com/@hdevalence/accelerating-edwards-curve-arithmetic-with-parallel-formulas-ac12cf5015be\n[gh_repo]: https://github.com/dalek-cryptography/bulletproofs/\n[gh_milestones]: https://github.com/dalek-cryptography/bulletproofs/milestones\n[interstellar]: https://interstellar.com/\n","funding_links":[],"categories":["Cryptography","Rust","Uncategorized","Bulletproofs","\u003ca name=\"Rust\"\u003e\u003c/a\u003eRust"],"sub_categories":["Zero Knowledge Proofs","Uncategorized","Try"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdalek-cryptography%2Fbulletproofs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdalek-cryptography%2Fbulletproofs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdalek-cryptography%2Fbulletproofs/lists"}
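The README above says the multi-party rangeproof aggregation uses session types to statically enforce correct protocol flow. The following is an added, dependency-free illustration of that typestate idea written for this page; it is not the bulletproofs crate's own code. The crate's real dealer and party types, its Merlin transcript, and its Pedersen commitments are replaced by labelled placeholders (std's `DefaultHasher` stands in for a transcript challenge purely so the file compiles with no crates, and is not cryptographic), and the secret values and blinding factors are constructed inputs. The point it shows is structural: each protocol stage is its own type whose transition method consumes `self`, so a dealer that tries to accept commitments after fixing the challenge, or a party that answers two different challenges with one commitment, does not compile rather than failing at runtime.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Round-1 message. Placeholder for the real bit/polynomial commitments.
#[derive(Clone, Debug, Hash, PartialEq, Eq)]
pub struct Commitment { pub party: usize, pub value: u64 }

/// Round-2 message, computable only once the challenge is known.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct ProofShare { pub party: usize, pub response: u64 }

#[derive(Debug)]
pub struct AggregatedProof { pub challenge: u64, pub shares: Vec<ProofShare> }

/// Dealer stage 1: no challenge exists yet; only commitments can be accepted.
pub struct DealerAwaitingCommitments { n: usize }

/// Dealer stage 2: challenge fixed by all commitments; only shares can be accepted.
pub struct DealerAwaitingShares { n: usize, challenge: u64 }

/// Stand-in for a Merlin transcript challenge (assumption: std only, NOT cryptographic).
fn toy_challenge(commitments: &[Commitment]) -> u64 {
    let mut h = DefaultHasher::new();
    b"toy mpc rangeproof aggregation".hash(&mut h);
    commitments.hash(&mut h);
    h.finish()
}

/// Every party index 0..n must appear exactly once: no missing or duplicated messages.
fn check_party_indices<T>(items: &[T], n: usize, idx: impl Fn(&T) -> usize) -> Result<(), String> {
    if items.len() != n {
        return Err(format!("expected {} messages, got {}", n, items.len()));
    }
    let mut seen = vec![false; n];
    for it in items {
        let i = idx(it);
        if i >= n || seen[i] {
            return Err(format!("bad or duplicate party index {}", i));
        }
        seen[i] = true;
    }
    Ok(())
}

impl DealerAwaitingCommitments {
    pub fn new(n: usize) -> Self { DealerAwaitingCommitments { n } }

    /// Consumes the stage-1 dealer, so no value remains on which commitments could be
    /// accepted later; the challenge is derived only after all n commitments are bound.
    pub fn receive_commitments(self, commitments: &[Commitment]) -> Result<(DealerAwaitingShares, u64), String> {
        check_party_indices(commitments, self.n, |c| c.party)?;
        let challenge = toy_challenge(commitments);
        Ok((DealerAwaitingShares { n: self.n, challenge }, challenge))
    }
}

impl DealerAwaitingShares {
    /// Consumes the stage-2 dealer; the aggregated proof is produced exactly once.
    pub fn receive_shares(self, mut shares: Vec<ProofShare>) -> Result<AggregatedProof, String> {
        check_party_indices(&shares, self.n, |s| s.party)?;
        shares.sort_by_key(|s| s.party);
        Ok(AggregatedProof { challenge: self.challenge, shares })
    }
}

/// Party stage: committed, waiting for the dealer's challenge.
pub struct PartyAwaitingChallenge { party: usize, secret: u64, blinding: u64 }

impl PartyAwaitingChallenge {
    /// `blinding` is a caller-supplied constructed value so the example is deterministic;
    /// a real party draws it from a CSPRNG.
    pub fn commit(party: usize, secret: u64, blinding: u64) -> (Self, Commitment) {
        let mut h = DefaultHasher::new();
        (party, secret, blinding).hash(&mut h);
        (PartyAwaitingChallenge { party, secret, blinding }, Commitment { party, value: h.finish() })
    }

    /// Consumes the party: one commitment answers exactly one challenge. Answering two
    /// different challenges with the same blinding would let a verifier solve for `secret`.
    pub fn apply_challenge(self, challenge: u64) -> ProofShare {
        let response = self.blinding.wrapping_add(challenge.wrapping_mul(self.secret));
        ProofShare { party: self.party, response }
    }
}

/// Runs commit -> challenge -> share -> aggregate for one party per secret; the types
/// make any other ordering a compile error.
pub fn run_protocol(secrets: &[u64]) -> Result<AggregatedProof, String> {
    let n = secrets.len();
    let (mut parties, mut commitments) = (Vec::with_capacity(n), Vec::with_capacity(n));
    for (i, &s) in secrets.iter().enumerate() {
        let (p, c) = PartyAwaitingChallenge::commit(i, s, 1000 + i as u64);
        parties.push(p);
        commitments.push(c);
    }
    let (dealer, challenge) = DealerAwaitingCommitments::new(n).receive_commitments(&commitments)?;
    let shares = parties.into_iter().map(|p| p.apply_challenge(challenge)).collect();
    dealer.receive_shares(shares)
}

fn main() {
    match run_protocol(&[5, 17, 42]) {
        Ok(proof) => println!("aggregated {} shares under challenge {:#x}", proof.shares.len(), proof.challenge),
        Err(e) => println!("protocol error: {}", e),
    }
}
```

Try uncommenting a second `dealer.receive_shares(...)` call or a second `p.apply_challenge(...)` on the same party: the borrow checker rejects the use of a moved value, which is the compile-time enforcement the README's session-type bullet refers to. The runtime checks in `check_party_indices` cover what types cannot express, namely that a message arrives from every party and from no party twice.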