{"id":13686984,"url":"https://github.com/sdiehl/bulletproofs","last_synced_at":"2025-12-11T23:28:05.565Z","repository":{"id":41420146,"uuid":"140532513","full_name":"sdiehl/bulletproofs","owner":"sdiehl","description":"Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup ","archived":false,"fork":false,"pushed_at":"2022-12-25T10:16:13.000Z","size":181,"stargazers_count":531,"open_issues_count":5,"forks_count":44,"subscribers_count":31,"default_branch":"master","last_synced_at":"2024-04-14T12:11:14.660Z","etag":null,"topics":["bulletproofs","cryptography","elliptic-curves","pedersen-commitment","range-proofs","sigma","zero-knowledge","zk-snarks","zksnarks"],"latest_commit_sha":null,"homepage":"","language":"Haskell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sdiehl.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-07-11T06:38:34.000Z","updated_at":"2024-04-11T08:24:05.000Z","dependencies_parsed_at":"2023-01-30T22:00:48.568Z","dependency_job_id":null,"html_url":"https://github.com/sdiehl/bulletproofs","commit_stats":null,"previous_names":["adjoint-io/bulletproofs"],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sdiehl%2Fbulletproofs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sdiehl%2Fbulletproofs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sdiehl%2Fbulletproofs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sdiehl%2Fbulletproofs/manifests","owner_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/owners/sdiehl","download_url":"https://codeload.github.com/sdiehl/bulletproofs/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247284951,"owners_count":20913704,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bulletproofs","cryptography","elliptic-curves","pedersen-commitment","range-proofs","sigma","zero-knowledge","zk-snarks","zksnarks"],"created_at":"2024-08-02T15:00:45.392Z","updated_at":"2025-12-11T23:28:00.543Z","avatar_url":"https://github.com/sdiehl.png","language":"Haskell","funding_links":[],"categories":["Haskell","Uncategorized"],"sub_categories":["Uncategorized"],"readme":"# Bulletproofs\n\nBulletproofs are short zero-knowledge arguments of knowledge that do not require a trusted setup.\nArgument systems are proof systems with computational soundness.\n\nBulletproofs are suitable for proving statements on committed values, such as range proofs, verifiable shuffles, arithmetic circuits, etc.\nThey rely on the discrete logarithm assumption and are made non-interactive using\nthe Fiat-Shamir heuristic.\n\nThe core algorithm of Bulletproofs is the inner-product algorithm presented by Groth [2].\nThe algorithm provides an argument of knowledge of two binding vector Pedersen commitments that satisfy a given inner product relation.\nBulletproofs build on the techniques of Bootle et al. 
[3] to introduce a communication-efficient inner-product proof that reduces\noverall communication complexity of the argument to only \u003cimg src=\"/tex/c9180fbdcebcd1d43138236079832280.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=62.21854814999998pt height=24.65753399999998pt/\u003e where \u003cimg src=\"/tex/55a049b8f161ae7cfeb0197d75aff967.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=9.86687624999999pt height=14.15524440000002pt/\u003e is the dimension\nof the two vectors of commitments.\n\n\n## Range proofs\n\nBulletproofs present a protocol for conducting short and aggregatable range proofs.\nThey encode a proof of the range of a committed number in an inner product, using polynomials.\nRange proofs are proofs that a secret value lies in a certain interval.\nRange proofs do not leak any information about the secret value, other\nthan the fact that it lies in the interval.\n\nThe proof algorithm can be sketched out in 5 steps:\n\nLet \u003cimg src=\"/tex/6c4adbc36120d62b98deef2a20d5d303.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=8.55786029999999pt height=14.15524440000002pt/\u003e be a value in \u003cimg src=\"/tex/55f3e69887b882407ce69a32f942ec8b.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=36.35090909999999pt height=24.65753399999998pt/\u003e and \u003cimg src=\"/tex/780fe58ca23d4620755100bcd6df5857.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=18.20773514999999pt height=14.611878600000017pt/\u003e a vector of bits such that\n\u003cimg src=\"/tex/027c16cc98d01e325f81b02b717810ea.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=79.77706439999999pt height=22.968105600000015pt/\u003e.\nThe components of \u003cimg src=\"/tex/780fe58ca23d4620755100bcd6df5857.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=18.20773514999999pt height=14.611878600000017pt/\u003e are the binary digits of \u003cimg 
src=\"/tex/6c4adbc36120d62b98deef2a20d5d303.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=8.55786029999999pt height=14.15524440000002pt/\u003e.\nWe construct a complementary vector \u003cimg src=\"/tex/a6a2d4d080eb7f2709d2667b008dd215.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=78.49842824999999pt height=22.968105600000015pt/\u003e\nand require that \u003cimg src=\"/tex/9ca3a8cc8ef0c73eb5f30bc2a79c10bf.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=85.89737144999998pt height=21.18721440000001pt/\u003e holds.\n\n- \u003cimg src=\"/tex/b4208d8b4738940db657353162d75988.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=96.00990794999998pt height=22.465723500000017pt/\u003e - where \u003cimg src=\"/tex/53d147e7f3fe6e47ee05b88b166bd3f6.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=12.32879834999999pt height=22.465723500000017pt/\u003e and \u003cimg src=\"/tex/e257acd1ccbe7fcb654708f1a866bfe9.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=11.027402099999989pt height=22.465723500000017pt/\u003e are blinded Pedersen commitments to \u003cimg src=\"/tex/780fe58ca23d4620755100bcd6df5857.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=18.20773514999999pt height=14.611878600000017pt/\u003e and \u003cimg src=\"/tex/43c0eea9d6fd13b6dcc00c115f09f827.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=19.15122824999999pt height=14.611878600000017pt/\u003e.\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; \u003cimg src=\"/tex/682f94ba2740d7ac0151285bb5c0e2d5.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=221.92594214999994pt height=22.831056599999986pt/\u003e\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; \u003cimg src=\"/tex/1cc942c32fa7a265ec264b6b89cb7a5e.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=215.08120259999995pt height=22.831056599999986pt/\u003e\n\n- \u003cimg 
src=\"/tex/60a45cf4b3b952bb99961cea76f438ec.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=89.67053534999998pt height=22.465723500000017pt/\u003e - Verifier sends challenges \u003cimg src=\"/tex/deceeaf6940a8c7a5a02373728002b0f.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=8.649225749999989pt height=14.15524440000002pt/\u003e and \u003cimg src=\"/tex/f93ce33e511096ed626b4719d50f17d2.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=8.367621899999993pt height=14.15524440000002pt/\u003e to fix \u003cimg src=\"/tex/53d147e7f3fe6e47ee05b88b166bd3f6.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=12.32879834999999pt height=22.465723500000017pt/\u003e and \u003cimg src=\"/tex/e257acd1ccbe7fcb654708f1a866bfe9.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=11.027402099999989pt height=22.465723500000017pt/\u003e.\n\n- \u003cimg src=\"/tex/0a5841e3d06796e4fe2365142851641a.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=105.79308629999998pt height=22.465723500000017pt/\u003e - where \u003cimg src=\"/tex/b1aadae6dafc7da339f61626db58e355.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=16.15873379999999pt height=22.465723500000017pt/\u003e and \u003cimg src=\"/tex/b48cd4fc1cc1b8c602c81734763b31f0.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=16.15873379999999pt height=22.465723500000017pt/\u003e are commitments to\n  the coefficients \u003cimg src=\"/tex/4ad941990ade99427ec9730e46ddcdd4.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=12.48864374999999pt height=20.221802699999984pt/\u003e, of a polynomial \u003cimg src=\"/tex/4f4f4e395762a3af4575de74c019ebb5.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=5.936097749999991pt height=20.221802699999984pt/\u003e constructed from the existing\n  values in the protocol.\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; \u003cimg 
src=\"/tex/3b476246fe46073d297bf73ac65431d4.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=228.34261889999993pt height=24.65753399999998pt/\u003e\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; \u003cimg src=\"/tex/3f647f042871be1fa7d4c2dd3a39c860.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=343.26980655pt height=26.76175259999998pt/\u003e\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; \u003cimg src=\"/tex/8776955e6030428869cce9bc42d05f80.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=90.58874879999999pt height=22.831056599999986pt/\u003e\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;  \u003cimg src=\"/tex/a279966ad1c6df42c3dfa8291334fbe7.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=131.93364524999998pt height=22.831056599999986pt/\u003e, \u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; \u003cimg src=\"/tex/131fbdb12ac9849e6ca36f10a618834b.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=65.9370855pt height=24.65753399999998pt/\u003e\n\n- \u003cimg src=\"/tex/4ec1a874225b934747bb34ef5828b457.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=74.74281209999998pt height=22.465723500000017pt/\u003e - Verifier challenges Prover with value \u003cimg src=\"/tex/332cc365a4987aacce0ead01b8bdcc0b.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=9.39498779999999pt height=14.15524440000002pt/\u003e.\n\n- \u003cimg src=\"/tex/f62b5cfd714aaeeb533f9ef8c3aa945f.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=131.58244935pt height=22.831056599999986pt/\u003e - Prover sends several commitments that the verifier will then check.\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; \u003cimg src=\"/tex/d3e7839976018ff10b0004522caa8c03.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=195.8404503pt height=26.76175259999998pt/\u003e\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; \u003cimg 
src=\"/tex/21c10ff9f2eb2b517eb136bd2fb72927.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=118.2106728pt height=22.648391699999998pt/\u003e\n\nSee [Prover.hs](https://github.com/sdiehl/bulletproofs/blob/master/Bulletproofs/RangeProof/Prover.hs \"Prover.hs\") for implementation details.\n\nThe interaction described is made non-interactive using the Fiat-Shamir Transform wherein all the random\nchallenges made by V are replaced with a hash of the transcript up until that point.\n\n## Inner-product range proof\n\nThe size of the proof is further reduced by leveraging the compact \u003cimg src=\"/tex/a0dbe24a0fee4cdae71ca7c7cd9920f2.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=55.96170689999999pt height=24.65753399999998pt/\u003e inner product proof.\n\nThe inner-product argument in the protocol allows the prover to prove knowledge of vectors \u003cimg src=\"/tex/d6e48bf9a93b968d85cb6d6d6e33a0b8.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=5.251113449999989pt height=22.831056599999986pt/\u003e and \u003cimg src=\"/tex/9f9c14b9a3c7d1e583ad84cde97887bc.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=7.785368249999991pt height=14.611878600000017pt/\u003e, whose inner product is \u003cimg src=\"/tex/4f4f4e395762a3af4575de74c019ebb5.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=5.936097749999991pt height=20.221802699999984pt/\u003e and\nthe commitment \u003cimg src=\"/tex/a609ac3c8189720abb255d49a1c40183.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=45.71334404999999pt height=22.648391699999998pt/\u003e is a commitment of these two vectors. 
We can therefore replace sending\n(\u003cimg src=\"/tex/3e7a0b9dae6212d3be6814d4732827c6.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=66.23462504999999pt height=22.831056599999986pt/\u003e) with a transfer of (\u003cimg src=\"/tex/9261976c22c8fab73fb9c45ca5e5e760.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=38.58637694999999pt height=20.221802699999984pt/\u003e) and an execution of an inner product argument.\n\nThen, instead of sharing \u003cimg src=\"/tex/d6e48bf9a93b968d85cb6d6d6e33a0b8.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=5.251113449999989pt height=22.831056599999986pt/\u003e and \u003cimg src=\"/tex/9f9c14b9a3c7d1e583ad84cde97887bc.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=7.785368249999991pt height=14.611878600000017pt/\u003e, which has a communication cost of \u003cimg src=\"/tex/47c124971e1327d1d3882a141f95face.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=18.08608559999999pt height=21.18721440000001pt/\u003e elements, the inner-product\nargument transmits only \u003cimg src=\"/tex/7de3cd737846db6d62c7797dae0208ee.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=63.31054124999998pt height=22.831056599999986pt/\u003e elements. 
In total, the prover sends only \u003cimg src=\"/tex/ae4d1a6a8432a8c26279981571ebaf60.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=90.52894949999998pt height=24.65753399999998pt/\u003e\ngroup elements and 5 elements in \u003cimg src=\"/tex/f627272d293c812bbe5497a7141010ca.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=17.73541934999999pt height=22.648391699999998pt/\u003e\n\n## Aggregating Logarithmic Proofs\n\nWe can construct a single proof of range of multiple values, while only incurring an additional space cost of \u003cimg src=\"/tex/bff392076b1ad2c01d7c637eed69f076.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=66.78477299999999pt height=24.65753399999998pt/\u003e for\n\u003cimg src=\"/tex/0e51a2dede42189d77627c4d742822c3.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=14.433101099999991pt height=14.15524440000002pt/\u003e additional values \u003cimg src=\"/tex/6c4adbc36120d62b98deef2a20d5d303.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=8.55786029999999pt height=14.15524440000002pt/\u003e, as opposed to a multiplicative factor of \u003cimg src=\"/tex/0e51a2dede42189d77627c4d742822c3.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=14.433101099999991pt height=14.15524440000002pt/\u003e when creating \u003cimg src=\"/tex/0e51a2dede42189d77627c4d742822c3.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=14.433101099999991pt height=14.15524440000002pt/\u003e independent range proofs.\n\nThe aggregate range proof makes use of the inner product argument. 
It uses (\u003cimg src=\"/tex/b105d53b0c1735325f002ac85419593b.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=104.96204894999998pt height=24.65753399999998pt/\u003e) group elements and 5 elements in \u003cimg src=\"/tex/f627272d293c812bbe5497a7141010ca.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=17.73541934999999pt height=22.648391699999998pt/\u003e.\n\nSee [Multi range proof example](https://github.com/sdiehl/bulletproofs/tree/master#multi-range-proof)\n\n## Usage\n\n**Single range proof**\n\n```haskell\nimport Data.Curve.Weierstrass.SECP256K1 (Fr)\nimport qualified Bulletproofs.RangeProof as RP\nimport Bulletproofs.Utils (commit)\n\ntestSingleRangeProof :: Integer -\u003e (Fr, Fr) -\u003e IO Bool\ntestSingleRangeProof upperBound (v, vBlinding) = do\n  let vCommit = commit v vBlinding\n\n  -- Prover\n  proofE \u003c- runExceptT (RP.generateProof upperBound (v, vBlinding))\n\n  -- Verifier\n  case proofE of\n    Left err -\u003e panic (show err)\n    Right proof@RP.RangeProof{..}\n      -\u003e pure (RP.verifyProof upperBound vCommit proof)\n```\n\n**Multi range proof**\n\n```haskell\nimport Data.Curve.Weierstrass.SECP256K1 (Fr)\nimport qualified Bulletproofs.MultiRangeProof as MRP\nimport Bulletproofs.Utils (commit)\n\ntestMultiRangeProof :: Integer -\u003e [(Fr, Fr)] -\u003e IO Bool\ntestMultiRangeProof upperBound vsAndvBlindings = do\n  let vCommits = fmap (uncurry commit) vsAndvBlindings\n\n  -- Prover\n  proofE \u003c- runExceptT (MRP.generateProof upperBound vsAndvBlindings)\n\n  -- Verifier\n  case proofE of\n    Left err -\u003e panic (show err)\n    Right proof@RP.RangeProof{..}\n      -\u003e pure (MRP.verifyProof upperBound vCommits proof)\n```\n\n\nNote that the upper bound \u003cimg src=\"/tex/6dbb78540bd76da3f1625782d42d6d16.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=9.41027339999999pt height=14.15524440000002pt/\u003e must be such that \u003cimg 
src=\"/tex/62f327ee7716dc7200264b15c6316a6c.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=47.67313649999999pt height=21.839370299999988pt/\u003e, where \u003cimg src=\"/tex/55a049b8f161ae7cfeb0197d75aff967.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=9.86687624999999pt height=14.15524440000002pt/\u003e is also a power of 2.\nThis implementation uses the elliptic curve secp256k1, a Koblitz curve, which\nhas 128-bit security.\nSee [Range proofs examples](./example/Example/RangeProof.hs) for further details.\n\n## Zero-knowledge proofs for Arithmetic Circuits\n\nAn arithmetic circuit over a field and variables \u003cimg src=\"/tex/aff58f35eb363816321c112e32d55a1a.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=74.79657734999999pt height=24.65753399999998pt/\u003e is a directed acyclic graph whose vertices are called gates.\n\nAn arithmetic circuit can alternatively be described as a list of multiplication gates with a collection of linear consistency equations\nrelating the inputs and outputs of the gates. 
Any circuit described as an acyclic graph can be efficiently converted into this alternative description.\n\nBulletproofs present a protocol to generate a zero-knowledge argument for arithmetic circuits using the inner product argument,\nwhich gives a proof of size \u003cimg src=\"/tex/b1be659baa5db44599cdcb3279deb68c.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=98.74815885pt height=24.65753399999998pt/\u003e elements and allows committed values to be included as inputs to the arithmetic circuit.\n\nIn the protocol, the Prover proves that the Hadamard product of \u003cimg src=\"/tex/780fe58ca23d4620755100bcd6df5857.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=18.20773514999999pt height=14.611878600000017pt/\u003e and \u003cimg src=\"/tex/43c0eea9d6fd13b6dcc00c115f09f827.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=19.15122824999999pt height=14.611878600000017pt/\u003e and a set of linear constraints hold.\nThe input values \u003cimg src=\"/tex/6c4adbc36120d62b98deef2a20d5d303.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=8.55786029999999pt height=14.15524440000002pt/\u003e used to generate the proof are then committed and shared with the Verifier.\n\n```haskell\nimport Data.Curve.Weierstrass.SECP256K1 (Fr)\nimport Data.Field.Galois (rnd)\nimport Bulletproofs.ArithmeticCircuit\nimport Bulletproofs.Utils (hadamard, commit)\n\n--  Example:\n--  2 linear constraints (q = 2):\n--  aL[0] + aL[1] + aL[2] + aL[3] = v[0]\n--  aR[0] + aR[1] + aR[2] + aR[3] = v[1]\n--\n--  4 multiplication constraints (implicit) (n = 4):\n--  aL[0] * aR[0] = aO[0]\n--  aL[1] * aR[1] = aO[1]\n--  aL[2] * aR[2] = aO[2]\n--  aL[3] * aR[3] = aO[3]\n--\n--  2 input values (m = 2)\n\narithCircuitExample :: ArithCircuit Fr\narithCircuitExample = ArithCircuit\n  { weights = GateWeights\n    { wL = [[1, 1, 1, 1]\n           ,[0, 0, 0, 0]]\n    , wR = [[0, 0, 0, 0]\n           ,[1, 1, 1, 1]]\n    , wO = [[0, 0, 0, 0]\n           ,[0, 0, 0, 
0]]\n    }\n  , commitmentWeights = [[1, 0]\n                        ,[0, 1]]\n  , cs = [0, 0]\n  }\n\ntestArithCircuitProof :: ([Fr], [Fr]) -\u003e ArithCircuit Fr -\u003e IO Bool\ntestArithCircuitProof (aL, aR) arithCircuit = do\n  let m = 2\n\n  -- Multiplication constraints\n  let aO = aL `hadamard` aR\n\n  -- Linear constraints\n      v0 = sum aL\n      v1 = sum aR\n\n  commitBlinders \u003c- replicateM m rnd\n  let commitments = zipWith commit [v0, v1] commitBlinders\n\n  let arithWitness = ArithWitness\n        { assignment = Assignment aL aR aO\n        , commitments = commitments\n        , commitBlinders = commitBlinders\n        }\n\n  proof \u003c- generateProof arithCircuit arithWitness\n\n  pure (verifyProof commitments proof arithCircuit)\n```\nSee [Arithmetic circuit example](./example/Example/ArithmeticCircuit.hs) for further details.\n\n**References**:\n\n1.  Bunz B., Bootle J., Boneh D., Poelstra A., Wuille P., Maxwell G.\n    \"Bulletproofs: Short Proofs for Confidential Transactions and More\". Stanford, UCL, Blockstream, 2017\n\n2. Groth J. \"Linear Algebra with Sub-linear Zero-Knowledge Arguments\". University College London, 2009\n\n3. Bootle J., Cerully A., Chaidos P., Groth J., Petit C. \"Efficient Zero-Knowledge Arguments for\nArithmetic Circuits in the Discrete Log Setting\". 
University College London and University of Oxford, 2016.\n\n**Notation**:\n\n- \u003cimg src=\"/tex/c0463eeb4772bfde779c20d52901d01b.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=8.219209349999991pt height=14.611911599999981pt/\u003e : Hadamard product\n- \u003cimg src=\"/tex/211dca2f7e396e7b572b4982e8ab3d19.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=4.5662248499999905pt height=14.611911599999981pt/\u003e : Inner product\n- \u003cimg src=\"/tex/f3acd3ad07cbb3204b505285686c149b.svg?invert_in_darkmode\u0026sanitize=true\" align=middle width=9.18943409999999pt height=14.611878600000017pt/\u003e : Vector\n\n## Disclaimer\n\nThis is experimental code meant for research-grade projects only. Please do not\nuse this code in production until it has matured significantly.\n\n## License\n\n```\nCopyright 2018-2022 Stephen Diehl\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsdiehl%2Fbulletproofs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsdiehl%2Fbulletproofs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsdiehl%2Fbulletproofs/lists"}