bulletproofs icon indicating copy to clipboard operation
bulletproofs copied to clipboard
verified publisher icon dalek-cryptography

Extend R1CS with support for vector commitments for external variables

Open oleganza opened this issue 4 years ago • 1 comments

Problem

Currently, each external variable is a single-value Pedersen commitment: V = v*B + b*B_blinding. However, some applications (e.g. ML) may need to commit to whole vectors of N values and using N pedersen commitments would blow up the size of the proof needlessly.

Idea

(Warning: this is a very quick midnight draft, without much thought put into it.)

image

Consider the above equation. The vector v could be split in subvectors committed with orthogonal generators B_i as vector Pedersen commitments. The rest of the protocol stays the same and the change is backwards compatible with single-value commitments.

oleganza avatar Sep 23 '21 21:09 oleganza

Hi,

I have a design for this laying around, and a fork of this crate with it implemented, and proofs. Would you mind sending me an email? We're still pushing for publication.

rubdos avatar Sep 24 '21 07:09 rubdos