Bulletproof现有代码实现说明

1. Bulletproof特征

Bulletproof相对于zk-SNARK，不需要trust setup过程。但是verify一个proof的时长要超过zk-SNARK。

Bulletproof可用于加密货币的隐私交易（如隐藏UTXO的交易金额），可将现有10KB的proof压缩到1KB，且支持同时对m个交易生成聚合proof，相对于单个交易的proof，只需额外增加O(log(m))个元素。

若Bitcoin中所有的交易都转换为Bulletproof交易，则其UTXO集大小可由当前的160GB压缩到仅约17GB。

2. Bulletproof现有代码实现

参考论文见https://eprint.iacr.org/2017/1066.pdf

当前开源的代码实现 有：

1. Bulletproofs implementation in Secp256k1lib (work in progress) ： An implementation of Bulletproofs in C by Andrew Poelstra and Pieter Wuille. Uses constant time operation for proving and is very fast. Includes a tool for converting Pinocchio circuits to Bulletproof circuits and generating proofs for aribrary statements. Work in progress and will still be improved and expanded.
2. Prototype code (not intended for production use)： An implementation of Bulletproofs in Java. Includes a general tool for constructing Bulletproofs for any NP language using the Pinocchio tool chain.
3. Bulletproofs implementation in Rust by Chain, Inc (work in progress)：An implementation of Bulletproofs range proofs built for Chain, Inc, by Henry de Valence, Cathie Yun, and Oleg Andreev. The code uses curve 25519 and AVX2 instruction.
4. Bulletproof Rust implementation for Aggregated Range Proofs over multiple elliptic curves：由KZen Research公司主导。Rust语言实现，支持secp256k1, ristretto, ed25519多种椭圆曲线。
5. Haskell实现的Bulletproof：由Adjoint主导，采用Haskell语言实现，目前支持secp256k1。

3. Bulletproof视频资料

https://www.youtube.com/watch?v=gZjDKgR4dw8&feature=youtu.be

参考资料：
[1] https://github.com/bbuenz/BulletProofLib/
[2] https://crypto.stanford.edu/bulletproofs/
[3] https://github.com/apoelstra/secp256k1-mw
[4] https://eprint.iacr.org/2017/1066.pdf
[5] https://www.youtube.com/watch?v=gZjDKgR4dw8&feature=youtu.be