High-level intuitions for the Bulletproofs/IPA protocol

I wrote about Bulletproofs / inner product arguments (IPA) here in the past, but let me try again. The Bulletproofs protocol allows you to produce these zero-knowledge proofs based only on some discrete logarithm assumption and without a trusted setup. This essentially means no pairing (like KZG/Groth16) but a scheme more involved than just using hash functions (like STARKs). This protocol has been used for rangeproofs by Monero, and as a polynomial commitment scheme in proof systems like Kimchi (the one at the core of the Mina protocol), so it’s quite versatile and deployed in the real world.

The easiest way to introduce the protocol, I believe, is to explain that it’s just a protocol to compute an inner product in a verifiable way:

⟨ \vec{a}, \vec{b} ⟩ = c

If you don’t know what an inner product is, imagine the following example:

⟨ (\begin{matrix} a_{1} \\ a_{2} \\ a_{3} \\ a_{4} \end{matrix}), (\begin{matrix} b_{1} \\ b_{2} \\ b_{3} \\ b_{4} \end{matrix}) ⟩ = a_{1} b_{1} + a_{2} b_{2} + a_{3} b_{3} + a_{4} b_{4}

Using Bulletproofs makes it faster to verify a proof that $⟨ \vec{a}, \vec{b} ⟩ = c$ than computing it yourself. But more than that, you can try to hide some of the inputs, or the output, to obtain interesting ZK protocols.

Furthermore, computing an inner product doesn’t sound that sexy by itself, but you can imagine that this is used to do actual useful things like proving that a value lies within a given range (a range proof, as I explained in my previous post), or even that a circuit was executed correctly. But this is out of scope for this explanation :)

Alright, enough intro, let’s get started. Bulletproofs and its variants always “compress” the proof by hiding everything in commitments, such that you have one single point that represent each input/output:

A = $⟨ \vec{a}, \vec{G} ⟩$
B = $⟨ \vec{b}, \vec{H} ⟩$
C = $⟨ \vec{a}, \vec{b} ⟩ Q$

where you can see each point $A, B, C$ as a non-hiding Pedersen commitment with independent bases $\vec{G}, \vec{H}, Q$ (so the above calculations are multi-scalar multiplications). To drive the point home, let me repeat: single points instead of long vectors makes proofs shorter!

Because we like examples, let me just give you the commitment of $\vec{a}$ :

⟨ (\begin{matrix} a_{1} \\ a_{2} \\ a_{3} \\ a_{4} \end{matrix}), (\begin{matrix} G_{1} \\ G_{2} \\ G_{3} \\ G_{4} \end{matrix}) ⟩ = a_{1} G_{1} + a_{2} G_{2} + a_{3} G_{3} + a_{4} G_{4}

Different protocols (like the halo one I talk about in the first post) since bootleproof (the paper that came before bulletproofs) aggregate commitments differently. In the explanation above I didn’t aggregate anything, but you can imagine that you could make things even smaller by having a single commitment $P = A + B + C$ to the inputs/output.

At this point, a prover can just reveal both inputs $\vec{a}, \vec{b}$ and the verifier can check that they are valid opening of $A, B$ , and $C$ (or to $P$ if you aggregated all three commitments). But this is note very efficient (you have to perform the inner product as the verifier) and it also is not very compact (you have to send the long vectors $\vec{a}$ and $\vec{b}$ ). I know it’s also not zero-knowledge, but we will just explain Bulletproofs/IPA without hiding, and for the hiding part we’ll just ignore it as we usually do in such ZKP schemes.

The prover will eventually send the two input vectors by the way, but before doing that they will reduce the problem statement $⟨ \vec{a}, \vec{b} ⟩ = c$ to a much smaller $⟨ \vec{a^{'}}, \vec{b^{'}} ⟩ = c^{'}$ where the vectors $\vec{a^{'}}$ and $\vec{b^{'}}$ both have a single entry. If the original vectors where of size $2^{n}$ then Bulletproofs will perform $n$ reductions in order to get that final statement (as each reduction halves the size of the vectors), and then will send these “reduced” input vectors (for the verifier do perform the same check as before).

For us, this means that there are two things to understand next:

how does the reduction work?
how is it verifiable?

To reduce stuff, we do the same basic operation we’re doing in every “folding” protocol: we pick a challenge $x$ and we multiply it with one half, then add it to the other half. Except that here, because we’re dealing with a much harder algebraic structure to work with (these Pedersen commitments, which as I pointed in this post, are basically random linear combinations of what you’re committing to, hidden in the exponent), we’ll have to also use the inverse $x^{- 1}$ .

Here’s how we’ll fold our inputs:

$\vec{a^{'}} = x^{- 1} (\begin{matrix} a_{1} \\ a_{2} \end{matrix}) + x (\begin{matrix} a_{3} \\ a_{4} \end{matrix})$
$\vec{b^{'}} = x (\begin{matrix} b_{1} \\ b_{2} \end{matrix}) + x^{- 1} (\begin{matrix} b_{3} \\ b_{4} \end{matrix})$

Then you get two new vectors $\vec{a^{'}}, \vec{b^{'}}$ of half the size. This means nothing much so far, so let’s look at what their inner product looks like:

\begin{matrix} ⟨ \vec{a^{'}}, \vec{b^{'}} ⟩ = ⟨ (\begin{matrix} x^{- 1} a_{1} + x a_{3} \\ x^{- 1} a_{2} + x a_{4} \end{matrix}), (\begin{matrix} x b_{1} + x^{- 1} b_{3} \\ x b_{2} + x^{- 1} b_{4} \end{matrix}) ⟩ \\ = (a_{1} b_{1} + a_{2} b_{2} + a_{3} b_{3} + a_{4} b_{4}) + x^{- 2} (a_{1} b_{3} + a_{2} b_{4}) + x^{2} (a_{3} b_{1} + a_{4} b_{2}) \\ = ⟨ \vec{a}, \vec{b} ⟩ + x^{- 2} (L) + x^{2} (R) \end{matrix}

for some cross terms $L$ and $R$ that are independent of the challenge $x$ chosen (so when we will Fiat-Shamir this protocol, the prover will need to produce $L$ and $R$ before sampling $x$ ).

Wow, did you notice? The new inner product depends on the old one. This means that as a verifier, you can produce the reduced inner product result in a verifiable way by computing

⟨ \vec{a^{'}}, \vec{b^{'}} ⟩ = ⟨ \vec{a}, \vec{b} ⟩ + stuff

If what you have is a commitment $C = ⟨ \vec{a}, \vec{b} ⟩ Q$ , then you can produce a reduced commitment $C^{'} = C + stuff$ where stuff is essentially provided by the prover, and is not going to mess with $C$ because of the challenge that’s shifting/randomizing that garbage (it’ll look like $x^{- 2} [L] + x^{2} [R]$ where $[L]$ and $[R]$ are commitments of the protocol $L$ and $R$ ).

So we tackled the question of how do we reduce, in a verifiable way, the result of the inner product. But what about the inputs?

Of course, you can do the same for the commitment of $a$ and $b$ ! So essentially, you get $[\vec{a^{'}}] = reduce ([\vec{a}], x, stuff)$ (and similarly for $\vec{b}$ ).

We can go over it in a quick example, but it’ll pretty much look the same as we did above except that we also have to reduce the generators $\vec{G}$ for the first input (and $\vec{H}$ for the second input).

The first thing we’ll do is reduce the generators:

\vec{G^{'}} = x (\begin{matrix} G_{1} \\ G_{2} \end{matrix}) + x^{- 1} (\begin{matrix} G_{3} \\ G_{4} \end{matrix})

then we will look at what a Pedersen commitment of our reduced first input $\vec{a^{'}}$ looks like:

\begin{matrix} \vec{A^{'}} = ⟨ \vec{a^{'}}, \vec{G^{'}} ⟩ \\ = (x^{- 1} a_{1} + x a_{3}) (x G_{1} + x^{- 1} G_{3}) + (x^{- 1} a_{2} + x a_{4}) (x G_{2} + x^{- 1} G_{4}) \\ = A + x^{- 2} (a_{1} G_{3} + a_{2} G_{4}) + x^{2} (a_{3} G_{1} + a_{4} G_{2}) \\ = A + x^{- 2} L_{a} + x^{2} R_{a} \end{matrix}

In other words, $⟨ \vec{a^{'}}, \vec{G^{'}} ⟩ = ⟨ \vec{a}, \vec{G} ⟩ + stuff$ (and similarly for the second input).

In the Bulletproofs protocol, we’re dealing with a single commitment $P = A + B + C$ and so we’ll reduce that statement to $P^{'} = P + stuff$ where stuff contains the aggregated $L$ and $R$ for all of the separate commitments.

So just a recap, this is what you’re essentially doing with this first round of the protocol:

we start from $P = ⟨ \vec{a}, \vec{G} ⟩ + ⟨ \vec{b}, \vec{H} ⟩ + ⟨ \vec{a}, \vec{b} ⟩ Q$
the prover produces the points $L$ and $R$
the verifier samples a challenge $x$
they both produce $P^{'} = P + x^{- 2} L + x^{2} R$

at this point the prover can choose to release $\vec{a^{'}}$ and $\vec{b^{'}}$ and the verifier can check that this is a valid opening for $P$ by comparing it with $⟨ \vec{a^{'}}, \vec{G^{'}} ⟩ + ⟨ \vec{b^{'}}, \vec{H^{'}} ⟩ + ⟨ \vec{a^{'}}, \vec{b^{'}} ⟩ Q$ (so the verifier needs to produce the reduced bases $\vec{G^{'}}$ and $\vec{H^{'}}$ as well).

you can imagine that in Bulletproofs, they don’t stop there, they just notice that this looks like another statement that you could reduce as well, so you do that until your reduced inputs are both of size 1.

Notice that we computed $⟨ \vec{a^{'}}, \vec{b^{'}} ⟩ Q$ which is important because you want to make sure that the inner product result is indeed $⟨ \vec{a^{'}}, \vec{b^{'}}$ and not some arbitrary value. Checking this in the reduced form tells you with high probability that this is true as well in the original statement $P$ .

Anyway, that’s it, hopefully that adds some colors to what Bulletproofs look like. In real-world implementation, the reductions are not checked one by one, instead an optimized check aggregates all of them.