moneropedia: uniform structure of bulletproofs.md and add bulletproofs.config

This commit is contained in:
erciccione 2021-09-06 10:53:53 +02:00
parent 2bb0a19ba1
commit 7f122772c5
No known key found for this signature in database
GPG key ID: 762AF8C608E56CDF
15 changed files with 348 additions and 144 deletions

View file

@ -1,31 +1,46 @@
--- ---
summary: 'a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent'
terms: ["bulletproofs", "bulletproof"] terms: ["bulletproofs", "bulletproof"]
summary: "a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent"
--- ---
{% include disclaimer.html translated="no" translationOutdated="no" %} {% include disclaimer.html translated="no" translationOutdated="no" %}
### The Basics ### The Basics
@RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers. @RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers.
To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature). To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature).
While it was doing the job, a big drawback was the huge size of such a ringCT transaction. While it was doing the job, a big drawback was the huge size of such a
ringCT transaction.
### Where it comes to bulletproofs ### Where it comes to bulletproofs
Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs. Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs.
> Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup. > Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup.
Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved. Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved.
It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof. It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof.
Bulletproofs also have the advantage to allow to prove that multiple committed amounts are in the desired range at once. No need to prove each output to each destination in separate proofs; the whole transaction amounts could be proven in one bigger (but still very small) bulletproof. Bulletproofs also have the advantage to allow to prove that multiple
committed amounts are in the desired range at once. No need to prove each
output to each destination in separate proofs; the whole transaction amounts
could be proven in one bigger (but still very small) bulletproof.
### Thorough audit process and implementation ### Thorough audit process and implementation
As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing. As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing.
The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care. The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care.
Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves. Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves.
OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit. OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit.
Our 3 auditors were funded by the community to check out the if the implementation did not did not contain critical bugs, and if it did not have any exploits. Our 3 auditors were funded by the community to ensure that the
The final reports were released during the summer of 2018, with several useful corrections and fixes suggested, and the final bulletproof implementation has been added first to Monero Stagenet, and then to the main Monero network during the October 2018 network upgrade. implementation did not contain any critical bugs or exploits. The final
reports were released during the summer of 2018, with several useful
corrections and fixes suggested, and the final bulletproof implementation
has been added first to Monero Stagenet, and then to the main Monero network
during the October 2018 network upgrade.
Since the bulletproofs deployment, the size of an average transaction has dropped by at least 80%, as well as the transaction fees. Since the bulletproofs deployment, the size of an average transaction has
dropped by at least 80%, as well as the transaction fees.
More explanations on Monero's implementation of bulletproofs could be found on youtube fondajo channel in a [conversation with Sarang Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU). More explanations on Monero's implementation of bulletproofs could be found
on youtube fondajo channel in a [conversation with Sarang
Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU).

View file

@ -1,31 +1,51 @@
--- ---
terms: ["bulletproofs", "bulletproof", "Bulletproof", "Bulletproofs"]
summary: "Eine neue Art von 'Range-Proofs', welche Ring-CT in Transaktionen ersetzen, um die gesendeten Beträge zu verschleiern" summary: "Eine neue Art von 'Range-Proofs', welche Ring-CT in Transaktionen ersetzen, um die gesendeten Beträge zu verschleiern"
terms: ["bulletproofs", "bulletproof"]
--- ---
{% include disclaimer.html translated="yes" translationOutdated="no" %} {% include disclaimer.html translated="yes" translationOutdated="no" %}
### Grundlagen ### Grundlagen
@Ring-CT wurde und wird eingesetzt, um Transaktionsbeträge zu verschleiern. Ein Ziel von @Ring-CT ist es, nachzuweisen, dass der Endbetrag von Inputs zu Outputs gleich null ist, und alle Outputs positive Zahlen sind. @Ring-CT wurde und wird eingesetzt, um Transaktionsbeträge zu verschleiern. Ein Ziel von @Ring-CT ist es, nachzuweisen, dass der Endbetrag von Inputs zu Outputs gleich null ist, und alle Outputs positive Zahlen sind.
Um dies zu erreichen, werden zwei Arten von Ringsignaturen konstruiert: eine Ringsignatur für die gesamte Transaktion (um nachzuweisen, dass die Endsumme null ergibt) und eine Reihe von Ringsignaturen für die Teilmengen von Transaktionsstücken (um nachzuweisen, dass die Outputs positive Zahlen sind). Diese werden anschließend kombiniert (zu Beginn passierte das durch Schnorr-Signaturen, welche später von Borromäischen Ringsignaturen abgelöst wurden). Während dies grundsätzlich funktioniert, gibt es einen großen Haken an der Sache: die immense Größe einer solchen Ring-CT-Transaktion. Um dies zu erreichen, werden zwei Arten von Ringsignaturen konstruiert: eine Ringsignatur für die gesamte Transaktion (um nachzuweisen, dass die Endsumme null ergibt) und eine Reihe von Ringsignaturen für die Teilmengen von Transaktionsstücken (um nachzuweisen, dass die Outputs positive Zahlen sind). Diese werden anschließend kombiniert (zu Beginn passierte das durch Schnorr-Signaturen, welche später von Borromäischen Ringsignaturen abgelöst wurden).
Während dies grundsätzlich funktioniert, gibt es einen großen Haken an der
Sache: die immense Größe einer solchen Ring-CT-Transaktion.
### Wo Bulletproofs ins Spiel kommen ### Wo Bulletproofs ins Spiel kommen
Im Jahr 2017 veröffentlichte die [Applied Crypto Group der Stanford University](https://crypto.stanford.edu/bulletproofs/) ein [Paper](https://eprint.iacr.org/2017/1066.pdf), in welchem sie eine neue Art von "Range-Proofs" vorstellte: sogenannte Bulletproofs.
Im Jahr 2017 veröffentlichte die [Applied Crypto Group der Stanford University](https://crypto.stanford.edu/bulletproofs/) ein [Paper](https://eprint.iacr.org/2017/1066.pdf), in welchem sie eine neue Art von "Range-Proofs" vorstellte: sogenannte Bulletproofs.
> Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup. > Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup.
Bulletproofs sind, im Gegensatz zu Borromäischen oder Schnorr-Signaturen, eine sehr effiziente Art von "Range-Proofs". Die Bereitstellung eines großen Datensatzes generiert lediglich einen kleinen Proof (Nachweis), und die Größe dessen wächst logarithmisch mit der Größe der überprüften/nachgewiesenen Daten. Bulletproofs sind, im Gegensatz zu Borromäischen oder Schnorr-Signaturen, eine sehr effiziente Art von 'Range-Proofs'. Die Bereitstellung eines großen Datensatzes generiert lediglich einen kleinen Proof (Nachweis), und die Größe dessen wächst logarithmisch mit der Größe der überprüften/nachgewiesenen Daten.
Die Nutzung von Bulletproofs bedeutet also, dass eine zunehmende Anzahl von Outputs die Größe des Proofs selbst nur leicht erhöht. Die Nutzung von Bulletproofs bedeutet also, dass eine zunehmende Anzahl von Outputs die Größe des Proofs selbst nur leicht erhöht.
Bulletproofs haben außerdem den Vorteil, dass sie es erlauben, nachzuweisen, dass sich mehrere überwiesene Beträge gleichzeitig im gewünschten Bereich befinden. Es gibt keinen Grund dazu, jeden einzelnen Output zu jedem Ziel in separaten Proofs zu überprüfen - die kompletten Transaktionsbeträge können in einem umfassenderen (und dennoch sehr kleinen) Bulletproof überprüft/nachgewiesen werden. Bulletproofs haben außerdem den Vorteil, dass sie es erlauben, nachzuweisen,
dass sich mehrere überwiesene Beträge gleichzeitig im gewünschten Bereich
befinden. Es gibt keinen Grund dazu, jeden einzelnen Output zu jedem Ziel in
separaten Proofs zu überprüfen - die kompletten Transaktionsbeträge können
in einem umfassenderen (und dennoch sehr kleinen) Bulletproof
überprüft/nachgewiesen werden.
### Ein umfassender Prüfungsablauf und Implementierung ### Ein umfassender Prüfungsablauf und Implementierung
Bulletproofs waren ziemlich neu, und obwohl die ursprüngliche Implementierung durch die Gruppe sehr ausführlich und umfassend war, benötigte es eine Neufassung, die sich auf unseren speziellen Anwendungsfall bezog. Dies machte es nicht gerade einfach, Bulletproofs innerhalb Moneros zu implementieren. Bulletproofs waren ziemlich neu, und obwohl die ursprüngliche Implementierung durch die Gruppe sehr ausführlich und umfassend war, benötigte es eine Neufassung, die sich auf unseren speziellen Anwendungsfall bezog. Dies machte es nicht gerade einfach, Bulletproofs innerhalb Moneros zu implementieren.
Der Code wurde mehrfach umgeschrieben, um der (noch immer in Entwicklung befindlichen) neuen Version der Bulletproofs zu entsprechen. Nachdem die finale Umsetzung zum Abschluss gebracht wurde, durfte sie nur unter hoher Sorgfalt zum Einsatz kommen. Der Code wurde mehrfach umgeschrieben, um der (noch immer in Entwicklung befindlichen) neuen Version der Bulletproofs zu entsprechen. Nachdem die finale Umsetzung zum Abschluss gebracht wurde, durfte sie nur unter hoher Sorgfalt zum Einsatz kommen.
Aus diesem Grund initiierte die Community einen Prüfungssprozess: Forscher traten in Kontakt mit Benedikt Bünz, dem leitenden Autor des Bulletproofs-Papers, und darüber hinaus mit [OSTIF](https://ostif.org/), einer Organisation, die Open-Source-Technologien dabei hilft, sich zu verbessern und abzusichern. OSTIF verwies die Gruppe an etliche Organisationen, welche über die für die Überprüfung benötigten Kompetenzen verfügten. Während eine davon darum bat, nicht namentlich erwähnt zu werden und damit vom öffentlich stattfindenden Prozess ausgeschlossen werden musste, wurden zwei andere (QuarksLab und Kudelski Security) ausgewählt, um die Prüfung durchzuführen. Aus diesem Grund initiierte die Community einen Prüfungssprozess: Forscher traten in Kontakt mit Benedikt Bünz, dem leitenden Autor des Bulletproofs-Papers, und darüber hinaus mit [OSTIF](https://ostif.org/), einer Organisation, die Open-Source-Technologien dabei hilft, sich zu verbessern und abzusichern.
Unsere (schlussendlich drei) Prüfer wurden durch die Community finanziert und sollten testen, ob die Implementation der Bulletproofs kritische Bugs oder andere Probleme (wie Malware) enthielt. OSTIF verwies die Gruppe an etliche Organisationen, welche über die für die Überprüfung benötigten Kompetenzen verfügten. Während eine davon darum bat, nicht namentlich erwähnt zu werden und damit vom öffentlich stattfindenden Prozess ausgeschlossen werden musste, wurden zwei andere (QuarksLab und Kudelski Security) ausgewählt, um die Prüfung durchzuführen.
Die abschließenden Berichte wurden im Sommer 2018 veröffentlicht und enthielten einige nützliche Anregungen zu Fehlerbehebungen und anderen Nachbesserungen. Die finale Bulletproof-Implementation ist zunächst zum Monero-Stagenet und während des Netzwerkupgrades im Oktober 2018 schließlich auch zum Hauptnetzwerk hinzugefügt worden. Unsere (schlussendlich drei) Prüfer wurden durch die Community finanziert
und sollten testen, ob die Implementation der Bulletproofs kritische Bugs
oder andere Probleme (wie Malware) enthielt. Die abschließenden Berichte
wurden im Sommer 2018 veröffentlicht und enthielten einige nützliche
Anregungen zu Fehlerbehebungen und anderen Nachbesserungen. Die finale
Bulletproof-Implementation ist zunächst zum Monero-Stagenet und während des
Netzwerkupgrades im Oktober 2018 schließlich auch zum Hauptnetzwerk
hinzugefügt worden.
Seit der Bereitstellung von Bulletproofs ist die Größe einer durchschnittlichen Transaktion um mindestens 80 Prozent gesunken; das Gleiche gilt für die Transaktionsgebühren. Seit der Bereitstellung von Bulletproofs ist die Größe einer
durchschnittlichen Transaktion um mindestens 80 Prozent gesunken; das
Gleiche gilt für die Transaktionsgebühren.
Weitere Erläuterungen zu Moneros Implementierung von Bulletproofs finden sich auf dem Youtube-Kanal der Monero Community Workgroup in einem [Gespräch mit Sarang Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU). Weitere Erläuterungen zu Moneros Implementierung von Bulletproofs finden
sich auf dem Youtube-Kanal der Monero Community Workgroup in einem [Gespräch
mit Sarang Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU).

View file

@ -4,12 +4,15 @@ summary: "a new kind of range proofs replacing RingCT in transactions to obfusca
--- ---
{% include disclaimer.html translated="no" translationOutdated="no" %} {% include disclaimer.html translated="no" translationOutdated="no" %}
### The Basics ### The Basics
@RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers. @RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers.
To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature). To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature).
While it was doing the job, a big drawback was the huge size of such a ringCT transaction. While it was doing the job, a big drawback was the huge size of such a ringCT transaction.
### Where it comes to bulletproofs ### Where it comes to bulletproofs
Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs. Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs.
> Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup. > Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup.
@ -19,6 +22,7 @@ It means that increasing the number of outputs in a transaction will, with bulle
Bulletproofs also have the advantage to allow to prove that multiple committed amounts are in the desired range at once. No need to prove each output to each destination in separate proofs; the whole transaction amounts could be proven in one bigger (but still very small) bulletproof. Bulletproofs also have the advantage to allow to prove that multiple committed amounts are in the desired range at once. No need to prove each output to each destination in separate proofs; the whole transaction amounts could be proven in one bigger (but still very small) bulletproof.
### Thorough audit process and implementation ### Thorough audit process and implementation
As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing. As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing.
The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care. The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care.
Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves. Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves.

View file

@ -1,31 +1,46 @@
--- ---
summary: 'a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent'
terms: ["bulletproofs", "bulletproof"] terms: ["bulletproofs", "bulletproof"]
summary: "a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent"
--- ---
{% include disclaimer.html translated="no" translationOutdated="no" %} {% include disclaimer.html translated="no" translationOutdated="no" %}
### The Basics ### The Basics
@RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers. @RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers.
To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature). To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature).
While it was doing the job, a big drawback was the huge size of such a ringCT transaction. While it was doing the job, a big drawback was the huge size of such a
ringCT transaction.
### Where it comes to bulletproofs ### Where it comes to bulletproofs
Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs. Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs.
> Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup. > Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup.
Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved. Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved.
It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof. It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof.
Bulletproofs also have the advantage to allow to prove that multiple committed amounts are in the desired range at once. No need to prove each output to each destination in separate proofs; the whole transaction amounts could be proven in one bigger (but still very small) bulletproof. Bulletproofs also have the advantage to allow to prove that multiple
committed amounts are in the desired range at once. No need to prove each
output to each destination in separate proofs; the whole transaction amounts
could be proven in one bigger (but still very small) bulletproof.
### Thorough audit process and implementation ### Thorough audit process and implementation
As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing. As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing.
The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care. The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care.
Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves. Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves.
OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit. OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit.
Our 3 auditors were funded by the community to check out the if the implementation did not did not contain critical bugs, and if it did not have any exploits. Our 3 auditors were funded by the community to ensure that the
The final reports were released during the summer of 2018, with several useful corrections and fixes suggested, and the final bulletproof implementation has been added first to Monero Stagenet, and then to the main Monero network during the October 2018 network upgrade. implementation did not contain any critical bugs or exploits. The final
reports were released during the summer of 2018, with several useful
corrections and fixes suggested, and the final bulletproof implementation
has been added first to Monero Stagenet, and then to the main Monero network
during the October 2018 network upgrade.
Since the bulletproofs deployment, the size of an average transaction has dropped by at least 80%, as well as the transaction fees. Since the bulletproofs deployment, the size of an average transaction has
dropped by at least 80%, as well as the transaction fees.
More explanations on Monero's implementation of bulletproofs could be found on youtube fondajo channel in a [conversation with Sarang Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU). More explanations on Monero's implementation of bulletproofs could be found
on youtube fondajo channel in a [conversation with Sarang
Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU).

View file

@ -1,31 +1,48 @@
--- ---
summary: "Une nouvelle sorte de preuve d'étendue remplaçant les transactions confidentielles de cercle pour masquer les montant envoyés"
terms: ["bulletproofs", "bulletproof"] terms: ["bulletproofs", "bulletproof"]
summary: "Une nouvelle sorte de preuve d'étendue remplaçant les transactions confidentielles de cercle pour masquer les montant envoyés."
--- ---
{% include disclaimer.html translated="yes" translationOutdated="no" %} {% include disclaimer.html translated="no" translationOutdated="no" %}
### Les Bases ### Les Bases
Les @transactions-confidentielles-de-cercle ont été mise en place pour masquer le montant des transactions. L'un des objectifs de @ringCT était de prouver que la sommes des entrées - sorties dans la @transaction était égale à 0, et que toutes les sorties étaient des nombre positifs. Les @transactions-confidentielles-de-cercle ont été mise en place pour masquer le montant des transactions. L'un des objectifs de @ringCT était de prouver que la sommes des entrées - sorties dans la @transaction était égale à 0, et que toutes les sorties étaient des nombre positifs.
Pour ce faire, deux types de signatures de cercle étaient construits : une signature cercle pour la totalité de la transaction (prouvant que la somme est 0) et un lot de signatures de cercle pour chaque bit de la transaction (prouvant que les sorties sont des nombres positifs), alors agrégés en utilisant d'abord les signatures de Schnorr (remplacées ensuite par les signatures de cercle Borroméennes). Pour ce faire, deux types de signatures de cercle étaient construits : une signature cercle pour la totalité de la transaction (prouvant que la somme est 0) et un lot de signatures de cercle pour chaque bit de la transaction (prouvant que les sorties sont des nombres positifs), alors agrégés en utilisant d'abord les signatures de Schnorr (remplacées ensuite par les signatures de cercle Borroméennes).
Bien que cela fonctionnait, un gros désavantage était l'énorme taille de ces transactions RingCT. Bien que cela fonctionnait, un gros désavantage était l'énorme taille de ces
transactions RingCT.
### En venir aux bulletproofs ### En venir aux bulletproofs
En 2017, un [groupe de cryptographie appliquée de Standford](https://crypto.stanford.edu/bulletproofs/) a écrit une [publication](https://eprint.iacr.org/2017/1066.pdf) présentant une nouvelle sorte de preuve d'étendue, appelé bulletproofs. En 2017, un [groupe de cryptographie appliquée de Standford](https://crypto.stanford.edu/bulletproofs/) a écrit une [publication](https://eprint.iacr.org/2017/1066.pdf) présentant une nouvelle sorte de preuve d'étendue, appelé bulletproofs.
> Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup. > Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup.
Bulletproofs, contrairement aux signatures Borroméennes ou aux signatures de Schnorr est très efficace en tant que preuve d'étendue. Prouver une grande quantité de donné ne génère qu'une petite preuve, et la taille de cette preuve grandit logarithmiquement avec la taille des données à prouver. Bulletproofs, contrairement aux signatures Borroméennes ou aux signatures de Schnorr est très efficace en tant que preuve d'étendue. Prouver une grande quantité de donné ne génère qu'une petite preuve, et la taille de cette preuve grandit logarithmiquement avec la taille des données à prouver.
Cela signifie qu'augmenter le nombre de sorties dans une transaction n'augmentera, avec bulletproofs, qu'un tout petit peu la taille de la preuve. Cela signifie qu'augmenter le nombre de sorties dans une transaction n'augmentera, avec bulletproofs, qu'un tout petit peu la taille de la preuve.
Bulletproofs a aussi l'avantage de permettre de prouver que différents montants engagés se situent dans la plage souhaitée en une seule fois. Pas besoin de prouver chaque sortie vers chaque destination dans des preuves séparées. La totalité des montant de la transaction peuvent être prouvés avec une plus grosse (mais toujours très petite) bulletproofs. Bulletproofs a aussi l'avantage de permettre de prouver que différents
montants engagés se situent dans la plage souhaitée en une seule fois. Pas
besoin de prouver chaque sortie vers chaque destination dans des preuves
séparées. La totalité des montant de la transaction peuvent être prouvés
avec une plus grosse (mais toujours très petite) bulletproofs.
### Processus d'audit consciencieux et implémentation ### Processus d'audit consciencieux et implémentation
Comme les bulletproofs étaient totalement nouvelles, et l'implémentation initiale faite par le groupe, bien que parfaitement réalisée, nécessitait une réécriture orientée vers notre cas d'usage spécifique, l'implémentation de Bulletproof dans Monero n'était pas une mince affaire. Comme les bulletproofs étaient totalement nouvelles, et l'implémentation initiale faite par le groupe, bien que parfaitement réalisée, nécessitait une réécriture orientée vers notre cas d'usage spécifique, l'implémentation de Bulletproof dans Monero n'était pas une mince affaire.
Le code a été écrit et réécrit pour suivre les nouvelles versions de Bulletproofs qui était toujours en cours de développement, mais une fois cette implémentation Monero finalisée, le déploiement qui en résulterait devrait être effectué avec le plus grand soin. Le code a été écrit et réécrit pour suivre les nouvelles versions de Bulletproofs qui était toujours en cours de développement, mais une fois cette implémentation Monero finalisée, le déploiement qui en résulterait devrait être effectué avec le plus grand soin.
Dans ce sens, la communauté a démarrée un processus d'audit. Les chercheurs se sont rapprochés de Benedikt Bünz, l'auteur principal de la publication des Bulletproofs, et de l'[OSTIF](https://ostif.org/), une organisation qui aide les technologies open-source à s'amméliorer et à se sécuriser. Dans ce sens, la communauté a démarrée un processus d'audit. Les chercheurs se sont rapprochés de Benedikt Bünz, l'auteur principal de la publication des Bulletproofs, et de l'[OSTIF](https://ostif.org/), une organisation qui aide les technologies open-source à s'amméliorer et à se sécuriser.
OSTIF nous a dirigé vers 3 sociétés en mesure de réaliser l'audit. Alors que l'une d'entre elles demandait à rester anonyme, ce qui l'évinçait de notre processus devant rester publique, les deux autres (QuarksLab & Kudelski Security) furent choisis pour réaliser l'audit. OSTIF nous a dirigé vers 3 sociétés en mesure de réaliser l'audit. Alors que l'une d'entre elles demandait à rester anonyme, ce qui l'évinçait de notre processus devant rester publique, les deux autres (QuarksLab & Kudelski Security) furent choisis pour réaliser l'audit.
Nos 3 auditeurs ont été financés par la communauté pour vérifier que l'implémentation était exempte de bug critique ou d'axe d'exploitation. Nos 3 auditeurs ont été financés par la communauté pour vérifier que
Les rapports finaux ont été publiés durant l'été 2018, avec quelques rectifications et corrections utiles conseillées, et l'implémentation définitive de bulletproof a été ajoutée au Stagenet de Monero, puis au Mainnet lors de la mise à jours réseau du 18 Octobre 2018. l'implémentation était exempte de bug critique ou d'axe d'exploitation. Les
rapports finaux ont été publiés durant l'été 2018, avec quelques
rectifications et corrections utiles conseillées, et l'implémentation
définitive de bulletproof a été ajoutée au Stagenet de Monero, puis au
Mainnet lors de la mise à jours réseau du 18 Octobre 2018.
Depuis que Bulletproofs est en application sur le réseau Monero, la taille moyenne des transaction a été réduite d'au moins 80%, de même que les frais de transaction. Depuis que Bulletproofs est en application sur le réseau Monero, la taille
moyenne des transaction a été réduite d'au moins 80%, de même que les frais
de transaction.
Plus d'information (en Anglais) sur l'implémentation Monero de bulletproofs sur la chaîne Youtube de Fondajo lors d'une [conversation avec Sarang Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU). Plus d'information (en Anglais) sur l'implémentation Monero de bulletproofs
sur la chaîne Youtube de Fondajo lors d'une [conversation avec Sarang
Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU).

View file

@ -1,31 +1,46 @@
--- ---
summary: 'a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent'
terms: ["bulletproofs", "bulletproof"] terms: ["bulletproofs", "bulletproof"]
summary: "a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent"
--- ---
{% include disclaimer.html translated="no" translationOutdated="no" %} {% include disclaimer.html translated="no" translationOutdated="no" %}
### The Basics ### The Basics
@RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers. @RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers.
To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature). To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature).
While it was doing the job, a big drawback was the huge size of such a ringCT transaction. While it was doing the job, a big drawback was the huge size of such a
ringCT transaction.
### Where it comes to bulletproofs ### Where it comes to bulletproofs
Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs. Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs.
> Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup. > Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup.
Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved. Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved.
It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof. It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof.
Bulletproofs also have the advantage to allow to prove that multiple committed amounts are in the desired range at once. No need to prove each output to each destination in separate proofs; the whole transaction amounts could be proven in one bigger (but still very small) bulletproof. Bulletproofs also have the advantage to allow to prove that multiple
committed amounts are in the desired range at once. No need to prove each
output to each destination in separate proofs; the whole transaction amounts
could be proven in one bigger (but still very small) bulletproof.
### Thorough audit process and implementation ### Thorough audit process and implementation
As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing. As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing.
The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care. The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care.
Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves. Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves.
OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit. OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit.
Our 3 auditors were funded by the community to check out the if the implementation did not did not contain critical bugs, and if it did not have any exploits. Our 3 auditors were funded by the community to ensure that the
The final reports were released during the summer of 2018, with several useful corrections and fixes suggested, and the final bulletproof implementation has been added first to Monero Stagenet, and then to the main Monero network during the October 2018 network upgrade. implementation did not contain any critical bugs or exploits. The final
reports were released during the summer of 2018, with several useful
corrections and fixes suggested, and the final bulletproof implementation
has been added first to Monero Stagenet, and then to the main Monero network
during the October 2018 network upgrade.
Since the bulletproofs deployment, the size of an average transaction has dropped by at least 80%, as well as the transaction fees. Since the bulletproofs deployment, the size of an average transaction has
dropped by at least 80%, as well as the transaction fees.
More explanations on Monero's implementation of bulletproofs could be found on youtube fondajo channel in a [conversation with Sarang Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU). More explanations on Monero's implementation of bulletproofs could be found
on youtube fondajo channel in a [conversation with Sarang
Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU).

View file

@ -1,30 +1,47 @@
--- ---
summary: 'en ny type rekkeviddebevis som tilslører det sendte beløpet ved å erstatte RingCT-er i transaksjoner'
terms: ["bulletproofs", "bulletproof"] terms: ["bulletproofs", "bulletproof"]
summary: "en ny type rekkeviddebevis som tilslører det sendte beløpet ved å erstatte RingCT-er i transaksjoner"
--- ---
{% include disclaimer.html translated="yes" translationOutdated="no" %} {% include disclaimer.html translated="yes" translationOutdated="no" %}
### Det grunnleggende ### Det grunnleggende
@RingCT-er ble introdusert for å tilsløre transaksjonsbeløpene. Ett mål med @RingCT-ene var å bevise at summen av inndataene fratrukket utdataene i @transaksjonen var lik 0, og at alle utdata var positive tall. For å oppnå dette ble to typer ringsignaturer opprettet: Én ringsignatur for hele transaksjonen (for å bevise at summen er 0), og et sett med ringsignaturer for undergruppene av transaksjonsdelene (for å bevise at utdataene er positive tall), og deretter kombinere dem ved å bruke Schnorr-signaturer (som senere ble byttet ut med Borromean-ringsignaturer).
Mens den utførte jobben, viste det seg at den omfattende størrelsen på ringCT-transaksjonene var en stor ulempe. @RingCT-er ble introdusert for å tilsløre transaksjonsbeløpene. Ett mål med @RingCT-ene var å bevise at summen av inndataene fratrukket utdataene i @transaksjonen var lik 0, og at alle utdata var positive tall.
For å oppnå dette ble to typer ringsignaturer opprettet: Én ringsignatur for hele transaksjonen (for å bevise at summen er 0), og et sett med ringsignaturer for undergruppene av transaksjonsdelene (for å bevise at utdataene er positive tall), og deretter kombinere dem ved å bruke Schnorr-signaturer (som senere ble byttet ut med Borromean-ringsignaturer).
Mens den utførte jobben, viste det seg at den omfattende størrelsen på
ringCT-transaksjonene var en stor ulempe.
### Når det kommer til bulletproofs ### Når det kommer til bulletproofs
I 2017 skrev en [krypto-gruppe på Stanford](https://crypto.stanford.edu/bulletproofs/) en [vitenskapelig artikkel](https://eprint.iacr.org/2017/1066.pdf) der de presenterte en ny type rekkeviddebevis, kalt bulletproofs. I 2017 skrev en [krypto-gruppe på Stanford](https://crypto.stanford.edu/bulletproofs/) en [vitenskapelig artikkel](https://eprint.iacr.org/2017/1066.pdf) der de presenterte en ny type rekkeviddebevis, kalt bulletproofs.
> Bulletproofs er korte, ikke-interaktive null-kunnskap-bevis som ikke krever et pålitelig oppsett. > Bulletproofs er korte, ikke-interaktive null-kunnskap-bevis som ikke krever et pålitelig oppsett.
I motsetning til Borromean- eller Schnorr-signaturer, er bulletproofs veldig effektive som rekkeviddebevis. Å bevise en stor datamengde genererer kun et lite bevis, og størrelsen på disse bevisene vokser logaritmisk med datastørrelsen som bevises. I motsetning til Borromean- eller Schnorr-signaturer, er bulletproofs veldig effektive som rekkeviddebevis. Å bevise en stor datamengde genererer kun et lite bevis, og størrelsen på disse bevisene vokser logaritmisk med datastørrelsen som bevises.
Å øke antallet inndata i en transaksjon med bulletproofs, øker bare størrelsen på beviset litt. Å øke antallet inndata i en transaksjon med bulletproofs, øker bare størrelsen på beviset litt.
Bulletproofs har også fordelen ved at det kan bevise at flere dedikerte kontoer er i den ønskede rekkevidden på én gang. Det er ikke noe behov for å bevise hver utdata til hver destinasjon i separate bevis; hele transaksjonsbeløpet kan bevises i én større (men fremdeles veldig liten) bulletproof. Bulletproofs har også fordelen ved at det kan bevise at flere dedikerte
kontoer er i den ønskede rekkevidden på én gang. Det er ikke noe behov for å
bevise hver utdata til hver destinasjon i separate bevis; hele
transaksjonsbeløpet kan bevises i én større (men fremdeles veldig liten)
bulletproof.
### Gjennomgående revisjonsprosess og implementering ### Gjennomgående revisjonsprosess og implementering
I og med at bulletproofs var veldig nytt og den opprinnelige implementeringen som ble gjort av gruppen til tross for at den ble gjort grundig trengte en omskrivning som var fokusert på vårt spesifikke bruksområde, var det ingen enkel sak å implementere bulletproof i Monero. I og med at bulletproofs var veldig nytt og den opprinnelige implementeringen som ble gjort av gruppen til tross for at den ble gjort grundig trengte en omskrivning som var fokusert på vårt spesifikke bruksområde, var det ingen enkel sak å implementere bulletproof i Monero.
Koden har blitt skrevet og omskrevet for å følge den nye versjonen av bulletproofs som fremdeles var under utvikling, men med én gang denne Monero-implenteringen var ferdig, måtte den resulterende utrullingen bli tatt hånd om med stor varsomhet. Koden har blitt skrevet og omskrevet for å følge den nye versjonen av bulletproofs som fremdeles var under utvikling, men med én gang denne Monero-implenteringen var ferdig, måtte den resulterende utrullingen bli tatt hånd om med stor varsomhet.
Samfunnet startet derfor en revisjonsprosess. Forskere tok kontakt med Benedikt Bünz, hovedforfatteren av Bulletproofs-artikkelen, og [OSTIF](https://ostif.org/) en organisasjon som hjelper teknologier som bruker åpen kildekode med å forbedre og sikre seg. Samfunnet startet derfor en revisjonsprosess. Forskere tok kontakt med Benedikt Bünz, hovedforfatteren av Bulletproofs-artikkelen, og [OSTIF](https://ostif.org/) en organisasjon som hjelper teknologier som bruker åpen kildekode med å forbedre og sikre seg.
OSTIF rettet gruppen til flere organisasjoner som innehadde ferdighetene til å gjennomføre revisjonen. Mens én av dem ba om å forbli anonym og ble holdt utenfor prosessen som måtte være offentlig, ble to andre (QuarksLab og Kudelski Security) valgt til å foreta revisjonen. OSTIF rettet gruppen til flere organisasjoner som innehadde ferdighetene til å gjennomføre revisjonen. Mens én av dem ba om å forbli anonym og ble holdt utenfor prosessen som måtte være offentlig, ble to andre (QuarksLab og Kudelski Security) valgt til å foreta revisjonen.
Våre tre revisorer ble finansiert av samfunnet til å undersøke om implementeringen ikke inneholdt kritiske progamvarefeil, og ikke hadde utnyttelsesområder. Våre tre revisorer ble finansiert av samfunnet til å undersøke om
De endelige rapportene ble utgitt sommeren 2018, med flere nyttige foreslåtte korrigeringer og reparasjoner, og den endelige bulletproof-implementeringen ble først lagt til Monero Stagenet og deretter til Moneros hovednettverk under nettverksoppdateringen i oktober 2018. implementeringen ikke inneholdt kritiske progamvarefeil, og ikke hadde
utnyttelsesområder. De endelige rapportene ble utgitt sommeren 2018, med
flere nyttige foreslåtte korrigeringer og reparasjoner, og den endelige
bulletproof-implementeringen ble først lagt til Monero Stagenet og deretter
til Moneros hovednettverk under nettverksoppdateringen i oktober 2018.
Siden utrullingen av bulletproofs, har størrelsen på en gjennomsnittlig transaksjon falt med minst 80 %, det samme gjelder transaksjonskostnadene. Siden utrullingen av bulletproofs, har størrelsen på en gjennomsnittlig
transaksjon falt med minst 80 %, det samme gjelder transaksjonskostnadene.
Flere forklaringer på Moneros implementering av bulletproofs kan du finne på YouTube i en [samtale med Sarang Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU). Flere forklaringer på Moneros implementering av bulletproofs kan du finne på
YouTube i en [samtale med Sarang
Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU).

View file

@ -1,31 +1,46 @@
--- ---
summary: 'a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent'
terms: ["bulletproofs", "bulletproof"] terms: ["bulletproofs", "bulletproof"]
summary: "a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent"
--- ---
{% include disclaimer.html translated="no" translationOutdated="no" %} {% include disclaimer.html translated="no" translationOutdated="no" %}
### The Basics ### The Basics
@RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers. @RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers.
To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature). To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature).
While it was doing the job, a big drawback was the huge size of such a ringCT transaction. While it was doing the job, a big drawback was the huge size of such a
ringCT transaction.
### Where it comes to bulletproofs ### Where it comes to bulletproofs
Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs. Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs.
> Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup. > Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup.
Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved. Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved.
It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof. It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof.
Bulletproofs also have the advantage to allow to prove that multiple committed amounts are in the desired range at once. No need to prove each output to each destination in separate proofs; the whole transaction amounts could be proven in one bigger (but still very small) bulletproof. Bulletproofs also have the advantage to allow to prove that multiple
committed amounts are in the desired range at once. No need to prove each
output to each destination in separate proofs; the whole transaction amounts
could be proven in one bigger (but still very small) bulletproof.
### Thorough audit process and implementation ### Thorough audit process and implementation
As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing. As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing.
The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care. The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care.
Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves. Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves.
OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit. OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit.
Our 3 auditors were funded by the community to check out the if the implementation did not did not contain critical bugs, and if it did not have any exploits. Our 3 auditors were funded by the community to ensure that the
The final reports were released during the summer of 2018, with several useful corrections and fixes suggested, and the final bulletproof implementation has been added first to Monero Stagenet, and then to the main Monero network during the October 2018 network upgrade. implementation did not contain any critical bugs or exploits. The final
reports were released during the summer of 2018, with several useful
corrections and fixes suggested, and the final bulletproof implementation
has been added first to Monero Stagenet, and then to the main Monero network
during the October 2018 network upgrade.
Since the bulletproofs deployment, the size of an average transaction has dropped by at least 80%, as well as the transaction fees. Since the bulletproofs deployment, the size of an average transaction has
dropped by at least 80%, as well as the transaction fees.
More explanations on Monero's implementation of bulletproofs could be found on youtube fondajo channel in a [conversation with Sarang Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU). More explanations on Monero's implementation of bulletproofs could be found
on youtube fondajo channel in a [conversation with Sarang
Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU).

View file

@ -1,31 +1,46 @@
--- ---
summary: 'a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent'
terms: ["bulletproofs", "bulletproof"] terms: ["bulletproofs", "bulletproof"]
summary: "a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent"
--- ---
{% include disclaimer.html translated="no" translationOutdated="no" %} {% include disclaimer.html translated="no" translationOutdated="no" %}
### The Basics ### The Basics
@RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers. @RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers.
To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature). To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature).
While it was doing the job, a big drawback was the huge size of such a ringCT transaction. While it was doing the job, a big drawback was the huge size of such a
ringCT transaction.
### Where it comes to bulletproofs ### Where it comes to bulletproofs
Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs. Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs.
> Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup. > Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup.
Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved. Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved.
It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof. It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof.
Bulletproofs also have the advantage to allow to prove that multiple committed amounts are in the desired range at once. No need to prove each output to each destination in separate proofs; the whole transaction amounts could be proven in one bigger (but still very small) bulletproof. Bulletproofs also have the advantage to allow to prove that multiple
committed amounts are in the desired range at once. No need to prove each
output to each destination in separate proofs; the whole transaction amounts
could be proven in one bigger (but still very small) bulletproof.
### Thorough audit process and implementation ### Thorough audit process and implementation
As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing. As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing.
The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care. The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care.
Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves. Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves.
OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit. OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit.
Our 3 auditors were funded by the community to check out the if the implementation did not did not contain critical bugs, and if it did not have any exploits. Our 3 auditors were funded by the community to ensure that the
The final reports were released during the summer of 2018, with several useful corrections and fixes suggested, and the final bulletproof implementation has been added first to Monero Stagenet, and then to the main Monero network during the October 2018 network upgrade. implementation did not contain any critical bugs or exploits. The final
reports were released during the summer of 2018, with several useful
corrections and fixes suggested, and the final bulletproof implementation
has been added first to Monero Stagenet, and then to the main Monero network
during the October 2018 network upgrade.
Since the bulletproofs deployment, the size of an average transaction has dropped by at least 80%, as well as the transaction fees. Since the bulletproofs deployment, the size of an average transaction has
dropped by at least 80%, as well as the transaction fees.
More explanations on Monero's implementation of bulletproofs could be found on youtube fondajo channel in a [conversation with Sarang Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU). More explanations on Monero's implementation of bulletproofs could be found
on youtube fondajo channel in a [conversation with Sarang
Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU).

View file

@ -1,31 +1,46 @@
--- ---
summary: 'a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent'
terms: ["bulletproofs", "bulletproof"] terms: ["bulletproofs", "bulletproof"]
summary: "a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent"
--- ---
{% include disclaimer.html translated="no" translationOutdated="no" %} {% include disclaimer.html translated="no" translationOutdated="no" %}
### The Basics ### The Basics
@RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers. @RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers.
To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature). To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature).
While it was doing the job, a big drawback was the huge size of such a ringCT transaction. While it was doing the job, a big drawback was the huge size of such a
ringCT transaction.
### Where it comes to bulletproofs ### Where it comes to bulletproofs
Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs. Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs.
> Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup. > Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup.
Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved. Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved.
It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof. It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof.
Bulletproofs also have the advantage to allow to prove that multiple committed amounts are in the desired range at once. No need to prove each output to each destination in separate proofs; the whole transaction amounts could be proven in one bigger (but still very small) bulletproof. Bulletproofs also have the advantage to allow to prove that multiple
committed amounts are in the desired range at once. No need to prove each
output to each destination in separate proofs; the whole transaction amounts
could be proven in one bigger (but still very small) bulletproof.
### Thorough audit process and implementation ### Thorough audit process and implementation
As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing. As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing.
The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care. The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care.
Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves. Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves.
OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit. OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit.
Our 3 auditors were funded by the community to check out the if the implementation did not did not contain critical bugs, and if it did not have any exploits. Our 3 auditors were funded by the community to ensure that the
The final reports were released during the summer of 2018, with several useful corrections and fixes suggested, and the final bulletproof implementation has been added first to Monero Stagenet, and then to the main Monero network during the October 2018 network upgrade. implementation did not contain any critical bugs or exploits. The final
reports were released during the summer of 2018, with several useful
corrections and fixes suggested, and the final bulletproof implementation
has been added first to Monero Stagenet, and then to the main Monero network
during the October 2018 network upgrade.
Since the bulletproofs deployment, the size of an average transaction has dropped by at least 80%, as well as the transaction fees. Since the bulletproofs deployment, the size of an average transaction has
dropped by at least 80%, as well as the transaction fees.
More explanations on Monero's implementation of bulletproofs could be found on youtube fondajo channel in a [conversation with Sarang Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU). More explanations on Monero's implementation of bulletproofs could be found
on youtube fondajo channel in a [conversation with Sarang
Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU).

View file

@ -1,31 +1,47 @@
--- ---
summary: 'новый вид доказательства диапазона, заменяющий RingCT в транзакциях, для запутывания отправляемых сумм'
terms: ["bulletproofs", "bulletproof"] terms: ["bulletproofs", "bulletproof"]
summary: "новый вид доказательства диапазона, заменяющий RingCT в транзакциях, для запутывания отправляемых сумм"
--- ---
{% include disclaimer.html translated="yes" translationOutdated="no" %} {% include disclaimer.html translated="yes" translationOutdated="no" %}
### Основы ### Основы
Целью введения протокола @RingCT было сокрытие сумм, переводимых при совершении транзакций. Одной из задач @RingCT также было доказательство суммы выходов — выходы @транзакции были равны 0, а все выходы были представлены положительными числами. Целью введения протокола @RingCT было сокрытие сумм, переводимых при совершении транзакций. Одной из задач @RingCT также было доказательство суммы выходов — выходы @транзакции были равны 0, а все выходы были представлены положительными числами.
Чтобы решить эту задачу, было построено два типа кольцевых подписей: одна кольцевая подпись для всей транзакции (чтоб доказать, что сумма является нулевой) и набор кольцевых подписей для поднаборов битов транзакций (позднее были заменены кольцевой подписью Борромео). Чтобы решить эту задачу, было построено два типа кольцевых подписей: одна кольцевая подпись для всей транзакции (чтоб доказать, что сумма является нулевой) и набор кольцевых подписей для поднаборов битов транзакций (позднее были заменены кольцевой подписью Борромео).
Несмотря на то, что протокол работал и решал свою задачу, у него был один серьёзный недостаток: огромный размер таких RingCT транзакций. Несмотря на то, что протокол работал и решал свою задачу, у него был один
серьёзный недостаток: огромный размер таких RingCT транзакций.
### Как появились Bulletproofs ### Как появились Bulletproofs
В 2017 году [группой исследователей](https://crypto.stanford.edu/bulletproofs/), работающих в области прикладной криптографии, из Стэнфорда была написана [работа](https://eprint.iacr.org/2017/1066.pdf), в которой предлагался новый вид доказательств диапазона под названием Bulletproofs. В 2017 году [группой исследователей](https://crypto.stanford.edu/bulletproofs/), работающих в области прикладной криптографии, из Стэнфорда была написана [работа](https://eprint.iacr.org/2017/1066.pdf), в которой предлагался новый вид доказательств диапазона под названием Bulletproofs.
> Bulletproofs являются короткими неинтерактивными доказательствами с нулевым раскрытием конфиденциальной информации, не требующими доверенных настроек. > Bulletproofs являются короткими неинтерактивными доказательствами с нулевым раскрытием конфиденциальной информации, не требующими доверенных настроек.
Bulletproofs, в отличие от подписей Борромео и Шнорра, являются довольно эффективным доказательством диапазона. При доказательстве большого объёма данных генерируется небольшое доказательство, а размер подобных доказательств растёт логарифмически по мере роста объёма доказываемых данных. Bulletproofs, в отличие от подписей Борромео и Шнорра, являются довольно эффективным доказательством диапазона. При доказательстве большого объёма данных генерируется небольшое доказательство, а размер подобных доказательств растёт логарифмически по мере роста объёма доказываемых данных.
Это означает, что увеличение количества выходов в транзакции при использовании Bulletproofs лишь незначительно увеличит размер доказательства. Это означает, что увеличение количества выходов в транзакции при использовании Bulletproofs лишь незначительно увеличит размер доказательства. Другим преимуществом также является то, что они позволяют одновременно доказать, что множество подтверждённых сумм находится в пределах желаемого диапазона.
Другим преимуществом также является то, что они позволяют одновременно доказать, что множество подтверждённых сумм находится в пределах желаемого диапазона. Необходимость в доказательстве каждого выхода, передаваемого в любом направлении, отдельным доказательством отсутствует; все суммы транзакций могут быть доказаны одним большим (но всё же небольшим) доказательством Bulletproof. Необходимость в доказательстве каждого выхода, передаваемого в любом
направлении, отдельным доказательством отсутствует; все суммы транзакций
могут быть доказаны одним большим (но всё же небольшим) доказательством
Bulletproof.
### ### Процесс глубокого аудита и реализации
### Процесс глубокого аудита и реализации
Так как доказательства Bulletproofs были абсолютно новой технологией, начальная реализация, выполненная группой, даже несмотря на то, что она была тщательно проработана, требовала редакции с учётом определённых вариантов использования, так что реализация Bulletproofs в рамках Monero стала довольно непростым делом. Так как доказательства Bulletproofs были абсолютно новой технологией, начальная реализация, выполненная группой, даже несмотря на то, что она была тщательно проработана, требовала редакции с учётом определённых вариантов использования, так что реализация Bulletproofs в рамках Monero стала довольно непростым делом.
Код писался и переписывался в соответствии с новой версией Bulletproofs, которая всё ещё находилась в разработке. Но как только реализация доказательств для Monero была завершена, стало ясно, что ввод технологии в эксплуатацию требует предельной осторожности. Код писался и переписывался в соответствии с новой версией Bulletproofs, которая всё ещё находилась в разработке. Но как только реализация доказательств для Monero была завершена, стало ясно, что ввод технологии в эксплуатацию требует предельной осторожности.
Поэтому сообществом был запущен процесс аудита. Исследователи связались с Бенедиктом Бюнцем (Benedikt Bünz), главным автором работы по Bulletproofs, и с [OSTIF](https://ostif.org/), организацией, которая помогает улучшать и обеспечивать безопасность открытых технологий. Поэтому сообществом был запущен процесс аудита. Исследователи связались с Бенедиктом Бюнцем (Benedikt Bünz), главным автором работы по Bulletproofs, и с [OSTIF](https://ostif.org/), организацией, которая помогает улучшать и обеспечивать безопасность открытых технологий.
OSTIF была направлена группа специалистов из нескольких организаций, обладающих необходимыми для проведения аудита навыками. Несмотря на то, что один из специалистов пожелал сохранить анонимность и был отстранён от процесса, так как процесс в данном случае требовал публичности, двое других (QuarksLab & Kudelski Security) были выбраны для проведения аудита. OSTIF была направлена группа специалистов из нескольких организаций, обладающих необходимыми для проведения аудита навыками. Несмотря на то, что один из специалистов пожелал сохранить анонимность и был отстранён от процесса, так как процесс в данном случае требовал публичности, двое других (QuarksLab & Kudelski Security) были выбраны для проведения аудита.
Работа трёх аудиторов финансировалась сообществом и была направлена на то, чтобы гарантировать отсутствие в реализации критических багов, а также эксплоитов. Работа трёх аудиторов финансировалась сообществом и была направлена на то,
Окончательные отчёты были выпущены летом 2018 года. При этом было предложено внести несколько полезных исправлений. Окончательный вариант реализации Bulletproofs сначала был добавлен в стендовую сеть Monero, а затем, в октябре 2018, в основную сеть в рамках её обновления. чтобы гарантировать отсутствие в реализации критических багов, а также
эксплоитов. Окончательные отчёты были выпущены летом 2018 года. При этом
было предложено внести несколько полезных исправлений. Окончательный вариант
реализации Bulletproofs сначала был добавлен в стендовую сеть Monero, а
затем, в октябре 2018, в основную сеть в рамках её обновления.
После введения Bulletproofs в эксплуатацию средний размер транзакций сократился, по крайней мере, на 80%, равно как и размер комиссий за проведение транзакций. После введения Bulletproofs в эксплуатацию средний размер транзакций
сократился, по крайней мере, на 80%, равно как и размер комиссий за
проведение транзакций.
Более подробную информацию по реализации Bulletproofs Monero можно найти на YouTube канале fondajo [в интервью с Сарангом Ноезером (Sarang Noether)](https://www.youtube.com/watch?v=6lEWqIMLzUU). Более подробную информацию по реализации Bulletproofs Monero можно найти на
YouTube канале fondajo [в интервью с Сарангом Ноезером (Sarang
Noether)](https://www.youtube.com/watch?v=6lEWqIMLzUU).

View file

@ -1,31 +1,46 @@
--- ---
summary: 'a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent'
terms: ["bulletproofs", "bulletproof"] terms: ["bulletproofs", "bulletproof"]
summary: "a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent"
--- ---
{% include disclaimer.html translated="no" translationOutdated="no" %} {% include disclaimer.html translated="no" translationOutdated="no" %}
### The Basics ### The Basics
@RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers. @RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers.
To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature). To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature).
While it was doing the job, a big drawback was the huge size of such a ringCT transaction. While it was doing the job, a big drawback was the huge size of such a
ringCT transaction.
### Where it comes to bulletproofs ### Where it comes to bulletproofs
Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs. Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs.
> Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup. > Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup.
Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved. Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved.
It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof. It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof.
Bulletproofs also have the advantage to allow to prove that multiple committed amounts are in the desired range at once. No need to prove each output to each destination in separate proofs; the whole transaction amounts could be proven in one bigger (but still very small) bulletproof. Bulletproofs also have the advantage to allow to prove that multiple
committed amounts are in the desired range at once. No need to prove each
output to each destination in separate proofs; the whole transaction amounts
could be proven in one bigger (but still very small) bulletproof.
### Thorough audit process and implementation ### Thorough audit process and implementation
As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing. As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing.
The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care. The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care.
Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves. Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves.
OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit. OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit.
Our 3 auditors were funded by the community to check out the if the implementation did not did not contain critical bugs, and if it did not have any exploits. Our 3 auditors were funded by the community to ensure that the
The final reports were released during the summer of 2018, with several useful corrections and fixes suggested, and the final bulletproof implementation has been added first to Monero Stagenet, and then to the main Monero network during the October 2018 network upgrade. implementation did not contain any critical bugs or exploits. The final
reports were released during the summer of 2018, with several useful
corrections and fixes suggested, and the final bulletproof implementation
has been added first to Monero Stagenet, and then to the main Monero network
during the October 2018 network upgrade.
Since the bulletproofs deployment, the size of an average transaction has dropped by at least 80%, as well as the transaction fees. Since the bulletproofs deployment, the size of an average transaction has
dropped by at least 80%, as well as the transaction fees.
More explanations on Monero's implementation of bulletproofs could be found on youtube fondajo channel in a [conversation with Sarang Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU). More explanations on Monero's implementation of bulletproofs could be found
on youtube fondajo channel in a [conversation with Sarang
Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU).

View file

@ -1,43 +1,40 @@
--- ---
summary: 'a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent'
terms: ["bulletproofs", "bulletproof"] terms: ["bulletproofs", "bulletproof"]
summary: "a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent"
--- ---
{% include disclaimer.html translated="yes" translationOutdated="no" %} {% include disclaimer.html translated="yes" translationOutdated="no" %}
### 基础知识 ### 基础知识
引入环机密交易是为了混淆交易金额。@环机密交易的一个目标是证明@交易中的输入和输出之和为0并且所有输出都是正数。 引入环机密交易是为了混淆交易金额。@环机密交易的一个目标是证明@交易中的输入和输出之和为0并且所有输出都是正数。
为了实现这个目标,构建了两种环签名:一个环签名为整个交易(证明输出之和为0);另一组环签名为交易单位的子集(为了证明所有输出都是正数),然后组合在一起,最初使用 Schnorr 签名(后来被 Borromean 环签名所取代)。 为了实现这个目标,构建了两种环签名:一个环签名为整个交易(证明输出之和为0);另一组环签名为交易单位的子集(为了证明所有输出都是正数),然后组合在一起,最初使用 Schnorr 签名(后来被 Borromean 环签名所取代)。
当它运行的时候,存在一个很大的缺点就是这种环机密交易的尺寸太大。 当它运行的时候,存在一个很大的缺点就是这种环机密交易的尺寸太大。
### 涉及到防弹协议 ### 涉及到防弹协议
早在2017年一个[斯坦福应用加密小组](https://crypto.stanford.edu/bulletproofs/)写了一篇[论文](https://eprint.iacr.org/2017/1066.pdf),提出了一种新的范围证明,称为防弹协议。 早在2017年一个[斯坦福应用加密小组](https://crypto.stanford.edu/bulletproofs/)写了一篇[论文](https://eprint.iacr.org/2017/1066.pdf),提出了一种新的范围证明,称为防弹协议。
>防弹证明是一种短的非交互式零知识证明,不需要可信的设置。 > 防弹证明是一种短的非交互式零知识证明,不需要可信的设置。
与 Borromean 或 Schnorr 签名不同,防弹协议作为范围证明非常高效。要证明一个大的数据集只需产生一个小的证明,而且这个证明的尺寸随着被证明数据的规模大小呈对数增长。 与 Borromean 或 Schnorr 签名不同,防弹协议作为范围证明非常高效。要证明一个大的数据集只需产生一个小的证明,而且这个证明的尺寸随着被证明数据的规模大小呈对数增长。
这意味着在一个交易中,增加输出的数量只会略微增加证明的大小。 这意味着在一个交易中,增加输出的数量只会略微增加证明的大小。
防弹协议还具有这样一些优势,可以同时证明多个提交的数量在所需范围内。不需要分别证明每个输出到每个目标;整个交易金额可以被证明在一个更大的(但仍然非常小)防弹协议中。 防弹协议还具有这样一些优势,可以同时证明多个提交的数量在所需范围内。不需要分别证明每个输出到每个目标;整个交易金额可以被证明在一个更大的(但仍然非常小)防弹协议中。
### 彻底的审核过程及执行 ### 彻底的审核过程及执行
由于防弹协议很新,而且小组制作的最初的实现虽然完成得很彻底,但是需要针对我们特定的用例进行重写,所以在门罗币中实现防弹协议并不是一件简单的事情。 由于防弹协议很新,而且小组制作的最初的实现虽然完成得很彻底,但是需要针对我们特定的用例进行重写,所以在门罗币中实现防弹协议并不是一件简单的事情。
代码被编写了一遍又一遍,以遵循仍在不断被开发的新版防弹程序,但是一旦这个门罗币实现被完成,就应该非常小心地进行部署
代码被编写了一遍又一遍,以遵循仍在不断被开发的新版防弹程序,但是一旦这个门罗币实现被完成,就应该非常小心地进行部署。 Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves.
OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit.
因此,社区开始了审计过程。研究人员联系了本尼迪克特·邦茨(Benedikt Bunz),他是这篇防弹论文的主要作者,并联系了[OSTIF](https://ostif.org/),这是一个帮助开源技术改进和保护自身安全的组织。 Our 3 auditors were funded by the community to ensure that the
implementation did not contain any critical bugs or exploits. The final
OSTIF给小组介绍了几个具备执行审计所需技能的组织。其中一个要求匿名因此被排除在需要公开的过程之外而另外两个(QuarksLab & Kudelski Security)被选中进行审计。 reports were released during the summer of 2018, with several useful
corrections and fixes suggested, and the final bulletproof implementation
我们的3个审计员是由社区资助的以检查该实现是否存在严重的bug以及是否存在任何漏洞。 has been added first to Monero Stagenet, and then to the main Monero network
during the October 2018 network upgrade.
最终的报告是在2018年夏天发布的并提出了几个有用的修正和修复建议最终的防弹实现已经首先添加到门罗币的镜像主网然后在2018年10月网络升级期间添加到门罗币的主网。
自从防弹协议部署以来平均交易尺寸已经下降了至少80%,交易费用也因而大幅下降。 自从防弹协议部署以来平均交易尺寸已经下降了至少80%,交易费用也因而大幅下降。
更多与门罗币的防弹协议实现有关的解释,可以在 youtube fondajo 频道上 [与 Sarang Noether 的对话](https://www.youtube.com/watch?v=6lEWqIMLzUU) 当中找到。 更多与门罗币的防弹协议实现有关的解释,可以在 youtube fondajo 频道上 [与 Sarang Noether
的对话](https://www.youtube.com/watch?v=6lEWqIMLzUU) 当中找到。

View file

@ -1,31 +1,46 @@
--- ---
summary: 'a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent'
terms: ["bulletproofs", "bulletproof"] terms: ["bulletproofs", "bulletproof"]
summary: "a new kind of range proofs replacing RingCT in transactions to obfuscate the amounts sent"
--- ---
{% include disclaimer.html translated="no" translationOutdated="no" %} {% include disclaimer.html translated="no" translationOutdated="no" %}
### The Basics ### The Basics
@RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers. @RingCT was introduced to obfuscate transaction amounts. One goal of @RingCT was to prove the sum of inputs - outputs in the @transaction was equal to 0, and all outputs were positive numbers.
To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature). To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signature).
While it was doing the job, a big drawback was the huge size of such a ringCT transaction. While it was doing the job, a big drawback was the huge size of such a
ringCT transaction.
### Where it comes to bulletproofs ### Where it comes to bulletproofs
Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs. Back in 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs.
> Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup. > Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup.
Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved. Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved.
It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof. It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof.
Bulletproofs also have the advantage to allow to prove that multiple committed amounts are in the desired range at once. No need to prove each output to each destination in separate proofs; the whole transaction amounts could be proven in one bigger (but still very small) bulletproof. Bulletproofs also have the advantage to allow to prove that multiple
committed amounts are in the desired range at once. No need to prove each
output to each destination in separate proofs; the whole transaction amounts
could be proven in one bigger (but still very small) bulletproof.
### Thorough audit process and implementation ### Thorough audit process and implementation
As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing. As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing.
The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care. The code has been written and rewritten to follow the new version of bulletproofs which was still being developed, but once this Monero implementation was finalized, the resulting deployment should be taken with extreme care.
Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves. Therefore, the community started an auditing process. Researchers reached out to Benedikt Bünz, lead author of the Bulletproofs paper, and to [OSTIF](https://ostif.org/) an organization which helps open source technologies to improve and secure themselves.
OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit. OSTIF directed the group to several organizations with the skills required to perform the audit. While one of them asked to be kept unnamed and was therefore put away from the process that needed to be public, two others (QuarksLab & Kudelski Security) were choosen to conduct the audit.
Our 3 auditors were funded by the community to check out the if the implementation did not did not contain critical bugs, and if it did not have any exploits. Our 3 auditors were funded by the community to ensure that the
The final reports were released during the summer of 2018, with several useful corrections and fixes suggested, and the final bulletproof implementation has been added first to Monero Stagenet, and then to the main Monero network during the October 2018 network upgrade. implementation did not contain any critical bugs or exploits. The final
reports were released during the summer of 2018, with several useful
corrections and fixes suggested, and the final bulletproof implementation
has been added first to Monero Stagenet, and then to the main Monero network
during the October 2018 network upgrade.
Since the bulletproofs deployment, the size of an average transaction has dropped by at least 80%, as well as the transaction fees. Since the bulletproofs deployment, the size of an average transaction has
dropped by at least 80%, as well as the transaction fees.
More explanations on Monero's implementation of bulletproofs could be found on youtube fondajo channel in a [conversation with Sarang Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU). More explanations on Monero's implementation of bulletproofs could be found
on youtube fondajo channel in a [conversation with Sarang
Noether](https://www.youtube.com/watch?v=6lEWqIMLzUU).

View file

@ -0,0 +1,13 @@
[po4a_langs] es it pl fr ar ru de nl pt-br tr zh-cn zh-tw nb-no
[po4a_paths] ../_i18n/en/resources/moneropedia/weblate/bulletproofs.pot $lang:../_i18n/$lang/resources/moneropedia/weblate/bulletproofs.po
[options] opt:"--keep=0"
[options] opt:"--localized-charset=UTF-8"
[options] opt:"--master-charset=UTF-8"
[options] opt:"--master-language=en_US"
[options] opt:"--msgmerge-opt='--no-wrap'"
[options] opt:"--wrap-po=newlines"
[po4a_alias:markdown] text opt:"--option markdown"
[type: markdown] ../_i18n/en/resources/moneropedia/bulletproofs.md $lang:../_i18n/$lang/resources/moneropedia/bulletproofs.md