Generalized Bulletproofs

MAGIC Grants • June 1st, 2026 • Technical Report

Introduction

From the 1st of June to the 12th of June (10 working days), two consultants from zkSecurity reviewed the generalized-bulletproofs crate inside the monero-oxide project, commit f3660043e042b5608fc9c8ce1383cee238da9d0a for MAGIC Grants. This code is slated for use in the upcoming Monero ‘fullchain membership proofs’ (FCMP++) and a soundness/privacy critical component of the whole system. We reviewed the codebase as a general library, meaning, we did not discount findings simply because the current application does not trigger the issue.

The code was found to be well-written and easy to understand. The code was reviewed along with its associated paper, for context and because of some concerns about the formal writeup of the extractor (proof of knowledge soundness), we include here a writeup / motivation for the ‘generalized bulletproofs’ protocol as well as a formal proof of (computational) knowledge soundness.

Notation

Let $𝔽$ denote the scalar field and $𝔾$ a prime-order group (in practice a subgroup of an elliptic curve), written additively. Generators are denoted $G, H \in 𝔾$ and $G, H \in 𝔾^{n}$ ; commitments are capitalized ( $V_{(k)}, A_{C}^{(i)}$ ) and blinding factors written as Greek letters ( $γ$ ). We write $a \leftarrow S$ to denote sampling an element from the set $S$ uniformly. An (honest) vector Pedersen commitment to $v$ with randomness $γ$ is $⟨ v, G ⟩ + γ \cdot H$ , and a scalar commitment to $v$ is $v \cdot G + γ \cdot H$ .

Bold font denotes vectors, $a = (a_{1}, \dots, a_{n}) \in 𝔽^{n}$ , with $1$ and $0$ the all-ones and all-zeros vectors, respectively; the witness wires $a_{L}, a_{R}, a_{O}$ (left, right, output) lie in $𝔽^{n}$ , where $n$ and $q$ are the number of multiplication gates and linear constraints. We denote by $⟨ a, b ⟩ = \sum_{i} a_{i} b_{i}$ the inner product, and by $a \circ b = (a_{1} b_{1}, \dots, a_{n} b_{n})$ the Hadamard (entry-wise) product; $(a)^{- 1}$ is the entry-wise inverse, so $a \circ (a)^{- 1} = 1$ . For $y \in 𝔽^{*}$ we write $y = (1, y, \dots, y^{n - 1})$ for the vector of powers and abbreviate $(y)^{- 1} = (y)^{- 1}$ ; likewise $z = (1, z, \dots, z^{q - 1})$ .

Generalized Bulletproofs

Bulletproofs provide a Non-Interactive (perfectly) Zero-Knowledge Argument-of-Knowledge (NIZKAoK) for knowledge of $a_{L}, a_{R}, a_{O}, v$ such that the following relation holds:

ℛ_{B P} = {\begin{matrix} (a_{L}, a_{R}, a_{O}, v, {γ_{k}}_{k = 1}^{m}) : \\ 0 = W_{L} \cdot a_{L} + W_{R} \cdot a_{R} + W_{O} \cdot a_{O} + W_{V} \cdot v + c \\ 0 = a_{L} \circ a_{R} - a_{O} \\ \forall k . V_{(k)} = v_{k} \cdot G + γ_{k} \cdot H \end{matrix}}

Where $a_{L}, a_{R}, a_{O} \in 𝔽^{n}$ and $v$ are the witnesses, with $v$ being the opening of a number of (scalar) Pedersen commitments $V_{(1)}, \dots, V_{(m)} \in 𝔾$ . Compared to the standard bulletproofs description, to follow the implementation, we have moved $W_{V} \cdot v$ and $c$ over, so the relation is a single linear combination equal to $0$ . Generalized bulletproofs extends this with $c$ “pre-committed” vectors ${a_{C}}^{(1)}, \dots, {a_{C}}^{(c)}$ , each the opening of a Pedersen commitment of some higher dimension:

ℛ_{G B P} = {\begin{matrix} (a_{L}, a_{R}, a_{O}, v, {{a_{C}}^{(i)}, {a u x}^{(i)}, γ^{(i)}}_{i = 1}^{c}, {γ_{k}}_{k = 1}^{m}) : \\ 0 = W_{L} \cdot a_{L} + W_{R} \cdot a_{R} + W_{O} \cdot a_{O} + \sum_{i = 1}^{c} W_{C}^{(i)} \cdot {a_{C}}^{(i)} + W_{V} \cdot v + c \\ 0 = a_{L} \circ a_{R} - a_{O} \\ \forall i . A_{C}^{(i)} = ⟨ {a_{C}}^{(i)}, G ⟩ + ⟨ {a u x}^{(i)}, H ⟩ + γ^{(i)} \cdot H \\ \forall k . V_{(k)} = v_{k} \cdot G + γ_{k} \cdot H \end{matrix}}

For vector commitments $A_{C}^{(1)}, \dots, A_{C}^{(c)} \in 𝔾$ and scalar commitments $V_{(1)}, \dots, V_{(m)} \in 𝔾$ . Each committed vector ${a_{C}}^{(i)}$ comes with its own public weight matrix $W_{C}^{(i)}$ and public commitment $A_{C}^{(i)}$ . The “ $⟨ {a u x}^{(i)}, H ⟩$ ” term is an artifact of the proof system: it lets a prover who only knows an opening which also depends on the $H$ generators complete a proof, however these “wires” cannot be “accessed” from within the circuit. To build context for the following code-level review, let’s walk through the Bulletproof arithmetization, which turns this R1CS-equivalent system into an inner product relation, between uniformly random vectors.

GBP Arith 1: R1CS $\to$ $Σ$ IP

To simplify the claim:

\begin{matrix} 0 & = a_{L} \circ a_{R} - a_{O} \\ 0 & = W_{L} \cdot a_{L} + W_{R} \cdot a_{R} + W_{O} \cdot a_{O} + \sum_{i = 1}^{c} W_{C}^{(i)} \cdot {a_{C}}^{(i)} + W_{V} \cdot v + c \end{matrix}

The verifier samples $y \leftarrow 𝔽^{*}$ and $z \leftarrow 𝔽$ , and defines $y = (1, \dots, y^{n - 1})$ and $z = (1, \dots, z^{q - 1})$ . We use this to compute linear combinations of every row of each expression:

\begin{matrix} 0 & = ⟨ y, a_{L} \circ a_{R} - a_{O} ⟩ \\ 0 & = ⟨ z, W_{L} \cdot a_{L} + W_{R} \cdot a_{R} + W_{O} \cdot a_{O} + \sum_{i = 1}^{c} W_{C}^{(i)} \cdot {a_{C}}^{(i)} + W_{V} \cdot v + c ⟩ \end{matrix}

In case either of the old relations did not hold, this new relation only holds with probability $\leq max (n, q) / | 𝔽 |$ . Finally, we can compute a linear combination of each of these equations to end up with a single equation which must equal zero, here, we “reuse” the challenge $z$ to “shift” the second equation:

\begin{matrix} 0 & = ⟨ y, a_{L} \circ a_{R} - a_{O} ⟩ \\ + z \cdot ⟨ z, W_{L} \cdot a_{L} + W_{R} \cdot a_{R} + W_{O} \cdot a_{O} + \sum_{i = 1}^{c} W_{C}^{(i)} \cdot {a_{C}}^{(i)} + W_{V} \cdot v + c ⟩ \end{matrix}

In summary, we went from an equation over vectors to single field elements using the challenges $y$ and $z$ . Moving $z \cdot$ in and splitting the inner products, we can rewrite the second part of the expression as:

\begin{matrix} 0 & = ⟨ z z \cdot W_{L}, a_{L} ⟩ + ⟨ z z \cdot W_{R}, a_{R} ⟩ + ⟨ z z \cdot W_{O}, a_{O} ⟩ \\ + \sum_{i = 1}^{c} ⟨ z z \cdot W_{C}^{(i)}, {a_{C}}^{(i)} ⟩ + ⟨ z z \cdot W_{V}, v ⟩ + ⟨ z z, c ⟩ \end{matrix}

Let us define:

\begin{matrix} w_{L} & = z \cdot z \cdot W_{L} \in 𝔽^{n} \\ w_{R} & = z \cdot z \cdot W_{R} \in 𝔽^{n} \\ w_{V} & = z \cdot z \cdot W_{V} \in 𝔽^{n} \\ {w_{C}}^{(i)} & = z \cdot z \cdot W_{C}^{(i)} \in 𝔽^{n} (i = 1, \dots, c) \\ w_{O} & = z \cdot z \cdot W_{O} \in 𝔽^{n} \\ w_{c} & = ⟨ z \cdot z, c ⟩ \in 𝔽 \end{matrix}

Note that the verifier can compute all the vectors itself, since the matrices are public.

We are now left to “deal” with:

\begin{matrix} 0 & = ⟨ y, a_{L} \circ a_{R} - a_{O} ⟩ + ⟨ w_{L}, a_{L} ⟩ + ⟨ w_{R}, a_{R} ⟩ + ⟨ w_{O}, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

Splitting the first inner product, we get the expression that we want to look at going forward:

\begin{matrix} 0 & = ⟨ y, a_{L} \circ a_{R} ⟩ - ⟨ y, a_{O} ⟩ + ⟨ w_{L}, a_{L} ⟩ + ⟨ w_{R}, a_{R} ⟩ + ⟨ w_{O}, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

The next issue at hand is that the expression above has many inner products. Since we need to do an expensive folding argument for every inner product we would like to avoid this: we want to combine all these inner products into a single one. The trick is going to be to interpret these as committed vector polynomials, enabling us to evaluate many parallel polynomials of low degree. More on that now…

GBP Arith 2: Vector Polynomials

An “ $n$ ” dimensional “vector polynomial” consists of $n$ polynomials “in parallel”:

𝐟 (X) = (f_{1} (X), \dots, f_{n} (X)) = \sum_{i = 0}^{d} c_{i} \cdot X^{i} \in 𝔽 [X]^{n}

In other words, a polynomial with coefficients in $c_{i} \in 𝔽^{n}$ and evaluation points from $𝔽$ , such that plugging an $x$ into $𝐟 (X)$ evaluates to $𝐟 (x) \in 𝔽^{n}$ . This notion is useful, because (vector) Pedersen commitments allow us to commit to a vector polynomial efficiently (independently of the dimension $n$ ):

\begin{matrix} {C o m}_{G, H} : (𝔽^{n}) [X]^{\leq d} \times 𝔽^{d + 1} & \to 𝔾^{d + 1} \\ {C o m}_{G, H} (𝐟 (X); r) & \mapsto (⟨ c_{0}, G ⟩ + r_{0} \cdot H, \dots, ⟨ c_{d}, G ⟩ + r_{d} \cdot H) \in 𝔾^{d + 1} \end{matrix}

As well as homomorphically evaluate every coordinate of the vector polynomial at some public point $x$ :

\sum_{i = 0}^{d} x^{i} \cdot (⟨ c_{i}, G ⟩ + r_{i} \cdot H) = ⟨ 𝐟 (x), G ⟩ + r^{'} \cdot H \in 𝔾

Pedersen vector commitments support one further homomorphic operation we will rely on: multiplying the committed vector by a public vector, i.e. a Hadamard product with a public factor, simply by a change of basis. Writing the commitment to $v$ in basis $G$ explicitly as $⟨ v, G ⟩ + r \cdot H$ , a public Hadamard factor $s$ is applied to the opening by re-committing in the basis $(s)^{- 1} \circ G$ :

\begin{matrix} {C o m}_{(s)^{- 1} \circ G, H} (v \circ s; r) & = {C o m}_{G, H} (v; r) \\ ⟨ v \circ s, (s)^{- 1} \circ G ⟩ + r \cdot H & = ⟨ v, G ⟩ + r \cdot H \end{matrix}

In other words, a commitment to $v$ in basis $G$ is also a commitment to $v \circ s$ in the basis $(s)^{- 1} \circ G$ with the same blinding $r$ : to apply a public Hadamard factor $s$ to the opening, one re-commits in the basis $(s)^{- 1} \circ G$ . This holds because $s \circ (s)^{- 1} = 1$ leaves each generator’s contribution unchanged and the blinding term $r \cdot H$ is untouched.

The “inner product” between two vector polynomials is defined in the intuitive way (for any module over any ring): taking the coordinate-wise product of polynomials and summing:

⟨ 𝐟 (X), 𝐠 (X) ⟩ = \sum_{i} f_{i} (X) \cdot g_{i} (X) \in 𝔽 [X]

Note that $\forall x . ⟨ 𝐟, 𝐠 ⟩ (x) = ⟨ 𝐟 (x), 𝐠 (x) ⟩$ and $\deg (⟨ 𝐟, 𝐠 ⟩) = \deg (𝐟) + \deg (𝐠)$ .

GBP Arith 3: $Σ$ IP $\to$ Single IP

Viewing the vectors as vector polynomials is useful because it allows us to batch check independent inner products. Suppose we have two inner products:

Δ = ⟨ 𝐚, 𝐛 ⟩ + ⟨ 𝐜, 𝐝 ⟩

We define the vector polynomials (“left/right”):

\begin{matrix} f_{L} (X) & = a \cdot X + c \cdot X^{2} \\ f_{R} (X) & = b \cdot X + d \end{matrix}

And consider the inner product, then the desired inner product $Δ$ lands in the square term:

⟨ f_{L}, f_{R} ⟩ (X) = δ_{0} + δ_{1} \cdot X + Δ \cdot X^{2} + δ_{3} \cdot X^{3} \in 𝔽 [X]

Where $δ_{0}, δ_{1}, δ_{3}$ are some cross-term garbage we don’t care about. More generally: we define a “left polynomial” where powers increase for every left term in the series of inner products and a “right polynomial” where the powers decrease for every right term, then the terms will “align” at the “middle power”. i.e. in general, suppose we have:

Δ = \sum_{i = 1}^{t} ⟨ L_{i}, R_{i} ⟩

Then we define:

\begin{matrix} f_{L} (X) & = \sum_{i = 1}^{t} L_{i} \cdot X^{i} \\ f_{R} (X) & = \sum_{i = 1}^{t} R_{i} \cdot X^{t - i} \end{matrix}

In which case, the $t$ ‘th coefficient of $⟨ f_{L}, f_{R} ⟩ (X)$ is $Δ$ . This observation suggests the following approach to reduce a sum of multiple inner products, given commitments to every vector, to a single inner product as follows:

Prover sends commitments to the coefficients ${δ_{i}}_{i \in 0, \dots, 2 \cdot t - 1}$ , where we are interested in $δ_{t} = Δ$ , which is usually implicit (e.g. fixed to $0$ ). Then both parties locally define:

\begin{matrix} f_{L} (X) & = \sum_{i = 1}^{t} L_{i} \cdot X^{i} \in 𝔽 [X]^{n} \\ f_{R} (X) & = \sum_{i = 1}^{t} R_{i} \cdot X^{t - i} \in 𝔽 [X]^{n} \\ g (X) & = \sum_{i = 0}^{2 \cdot t - 1} δ_{i} \cdot X^{i} \in 𝔽 [X] \end{matrix}

Verifier samples $x \leftarrow 𝔽$
Both sides compute commitments to the vectors:

f_{L} (x), f_{R} (x) \in 𝔽^{n}

And a commitment to the field element $g (x) \in 𝔽$ , using the homomorphic property of the Pedersen commitments. We now have just a single inner product claim about Pedersen commitments:

⟨ f_{L} (x), f_{R} (x) ⟩ = g (x)

GBP Arith 4: Combining

Recall the expression we were trying to verify, before our digression about batching inner products and vector polynomials:

\begin{matrix} 0 & = ⟨ y, a_{L} \circ a_{R} ⟩ - ⟨ y, a_{O} ⟩ + ⟨ w_{L}, a_{L} ⟩ + ⟨ w_{R}, a_{R} ⟩ + ⟨ w_{O}, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

To apply the techniques above, we want to:

Eliminate Pairwise Products. We haven’t yet described a technique for proving Hadamard (pairwise) products of secret (committed) vectors, so we get to get rid of $a_{L} \circ a_{R}$ ; we want each secret to appear on a different side of an inner product.
Collect Common Terms. Reduce the number of inner products, for efficiency, by collecting common terms. This reduces the degree of the vector polynomials, meaning: less committed coefficients and less cross-terms.

Eliminate Secret-Secret Hadamard Product

Note that the left side of the inner product $⟨ y, a_{L} \circ a_{R} ⟩$ is public, so let us move one secret to each side, using $⟨ y, a_{L} \circ a_{R} ⟩ = ⟨ a_{L}, y \circ a_{R} ⟩$ to get rid of the Hadamard product between secret values:

\begin{matrix} 0 & = ⟨ y, a_{L} \circ a_{R} ⟩ - ⟨ y, a_{O} ⟩ + ⟨ w_{L}, a_{L} ⟩ + ⟨ w_{R}, a_{R} ⟩ + ⟨ w_{O}, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

Becomes

\begin{matrix} 0 & = ⟨ a_{L}, y \circ a_{R} ⟩ - ⟨ y, a_{O} ⟩ + ⟨ w_{L}, a_{L} ⟩ + ⟨ w_{R}, a_{R} ⟩ + ⟨ w_{O}, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

Note that we know how to deal with a Hadamard product between a secret and a public value.

Combine the $a_{O}$ terms

\begin{matrix} 0 & = ⟨ a_{L}, y \circ a_{R} ⟩ - ⟨ y, a_{O} ⟩ + ⟨ w_{L}, a_{L} ⟩ + ⟨ w_{R}, a_{R} ⟩ + ⟨ w_{O}, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

Becomes

\begin{matrix} 0 & = ⟨ a_{L}, y \circ a_{R} ⟩ + ⟨ w_{L}, a_{L} ⟩ + ⟨ w_{R}, a_{R} ⟩ + ⟨ w_{O} - y, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

Rewrite $a_{R}$ Inner Product

Using $⟨ a_{R}, w_{R} ⟩ = ⟨ w_{R} \circ (y)^{- 1}, y \circ a_{R} ⟩$ rewrite:

\begin{matrix} 0 & = ⟨ a_{L}, y \circ a_{R} ⟩ + ⟨ w_{L}, a_{L} ⟩ + ⟨ w_{R}, a_{R} ⟩ + ⟨ w_{O} - y, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

Becomes

\begin{matrix} 0 & = ⟨ a_{L}, y \circ a_{R} ⟩ + ⟨ w_{L}, a_{L} ⟩ + ⟨ w_{R} \circ (y)^{- 1}, y \circ a_{R} ⟩ + ⟨ w_{O} - y, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

Collect $y \circ a_{R}$ Terms

This was our motivation for the previous step:

\begin{matrix} 0 & = ⟨ a_{L}, y \circ a_{R} ⟩ + ⟨ w_{L}, a_{L} ⟩ + ⟨ w_{R} \circ (y)^{- 1}, y \circ a_{R} ⟩ + ⟨ w_{O} - y, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

Becomes

\begin{matrix} 0 & = ⟨ a_{L} + w_{R} \circ (y)^{- 1}, y \circ a_{R} ⟩ + ⟨ w_{L}, a_{L} ⟩ + ⟨ w_{O} - y, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

Add $δ (y, z)$ to Both Sides

Add the public scalar $δ (y, z) = ⟨ (y)^{- 1} \circ w_{R}, w_{L} ⟩$ to both sides (note that $0$ on the left becomes $δ (y, z)$ ):

\begin{matrix} 0 & = ⟨ a_{L} + w_{R} \circ (y)^{- 1}, y \circ a_{R} ⟩ + ⟨ w_{L}, a_{L} ⟩ + ⟨ w_{O} - y, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

Becomes

\begin{matrix} δ (y, z) & = ⟨ a_{L} + w_{R} \circ (y)^{- 1}, y \circ a_{R} ⟩ + ⟨ w_{L}, a_{L} ⟩ + ⟨ (y)^{- 1} \circ w_{R}, w_{L} ⟩ + ⟨ w_{O} - y, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

Note that $δ (y, z)$ does not depend on the witness! (the verifier can compute it)

Combine $w_{L}$ Terms

\begin{matrix} δ (y, z) & = ⟨ a_{L} + w_{R} \circ (y)^{- 1}, y \circ a_{R} ⟩ + ⟨ w_{L}, a_{L} ⟩ + ⟨ (y)^{- 1} \circ w_{R}, w_{L} ⟩ + ⟨ w_{O} - y, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

Becomes

\begin{matrix} δ (y, z) & = ⟨ a_{L} + w_{R} \circ (y)^{- 1}, y \circ a_{R} ⟩ + ⟨ (y)^{- 1} \circ w_{R} + a_{L}, w_{L} ⟩ + ⟨ w_{O} - y, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

Combine $a_{L} + w_{R} \circ (y)^{- 1}$ Terms

\begin{matrix} δ (y, z) & = ⟨ a_{L} + w_{R} \circ (y)^{- 1}, y \circ a_{R} ⟩ + ⟨ (y)^{- 1} \circ w_{R} + a_{L}, w_{L} ⟩ + ⟨ w_{O} - y, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

Becomes

\begin{matrix} δ (y, z) & = ⟨ a_{L} + w_{R} \circ (y)^{- 1}, y \circ a_{R} + w_{L} ⟩ + ⟨ w_{O} - y, a_{O} ⟩ + \sum_{i = 1}^{c} ⟨ {w_{C}}^{(i)}, {a_{C}}^{(i)} ⟩ \\ + ⟨ w_{V}, v ⟩ + w_{c} \in 𝔽 \end{matrix}

So we are left with $2 + c$ inner products: two coming from the $a_{L}, a_{R}, a_{O}$ terms and one for each of the $c$ committed vectors ${a_{C}}^{(i)}$ . All these are combined into a single inner product using the previous technique based on vector polynomials.

Note that during verification everything except the $2 + c$ inner products is known to the verifier: $δ (y, z)$ (on the left) and $w_{c}$ are public, and $⟨ w_{V}, v ⟩$ is a commitment to a single field element, formed homomorphically from the $V_{(k)}$ . Those inner products are folded into a single one next.

Arithmetization

Public inputs: generators $G, H \in 𝔾^{n}$ and $G, H \in 𝔾$ ; weight matrices $W_{L}$ , $W_{R}$ , $W_{O}$ , ${W_{C}^{(k)}}_{k = 1}^{c}$ , $W_{V}$ with constant $c$ ; vector commitments ${A_{C}^{(k)}}_{k = 1}^{c}$ and scalar commitments ${V_{(j)}}_{j = 1}^{m}$ . Write $n^{'} = 2 c + 2$ for the target monomial.

Prover $\to$ Verifier.
- Sample $α, β, ρ \leftarrow 𝔽$ and $s_{L}, s_{R} \leftarrow 𝔽^{n}$ .
- $A_{L | R} = ⟨ a_{L}, G ⟩ + ⟨ a_{R}, H ⟩ + α H$
- $A_{O} = ⟨ a_{O}, G ⟩ + β H$
- $S = ⟨ s_{L}, G ⟩ + ⟨ s_{R}, H ⟩ + ρ H$
- Send $(A_{L | R}, A_{O}, S)$ .
Verifier $\to$ Prover.
- Sample $y, z \leftarrow 𝔽^{*}$ .
- Send $(y, z)$ .
- Both parties compute:
  - The challenge vectors $y, (y)^{- 1}, z$
  - The weights $w_{L}, w_{R}, w_{O}, {{w_{C}}^{(k)}}, w_{V}, w_{c}$
  - $δ (y, z) = ⟨ (y)^{- 1} \circ w_{R}, w_{L} ⟩$
Prover $\to$ Verifier.
- Recall that the inner products to batch are: $\begin{matrix} t_{n^{'}} & = ⟨ a_{L} + w_{R} \circ (y)^{- 1}, y \circ a_{R} + w_{L} ⟩ + ⟨ a_{O}, w_{O} - y ⟩ + \sum_{k = 1}^{c} ⟨ {a_{C}}^{(k)}, {w_{C}}^{(k)} ⟩ \\ = δ (y, z) - w_{c} - ⟨ w_{V}, v ⟩ . \end{matrix}$
- Build fL(X),fR(X)∈𝔽[X]n (powers as in GBP Arith 3) with nonzero coefficients:
  - fL(X):
    - $a_{L} + w_{R} \circ (y)^{- 1}$ at $X^{n^{'} / 2}$
    - ${a_{C}}^{(k)}$ at $X^{n^{'} - k}$ for $k = 1, \dots, c$
    - $a_{O}$ at $X^{n^{'}}$
    - $s_{L}$ at $X^{n^{'} + 1}$
  - fR(X):
    - $w_{O} - y$ at $X^{0}$
    - ${w_{C}}^{(k)}$ at $X^{k}$ for $k = 1, \dots, c$
    - $y \circ a_{R} + w_{L}$ at $X^{n^{'} / 2}$
    - $y \circ {a u x}^{(k)}$ at $X^{n^{'} - k}$ for $k = 1, \dots, c$
    - $y \circ s_{R}$ at $X^{n^{'} + 1}$
  - Corresponding to generators in $G$ and $H$ respectively.
- $t (X) = ⟨ f_{L} (X), f_{R} (X) ⟩ = \sum_{i = n^{'} / 2}^{2 (n^{'} + 1)} t_{i} X^{i}$ ; the target coefficient is $t_{n^{'}}$ .
- Sample $τ_{i} \leftarrow 𝔽$ for every $i \neq n^{'}$ and set $T_{i} = t_{i} G + τ_{i} H$ .
- Send ${T_{i}}_{i \neq n^{'}}$ .
Verifier $\to$ Prover.
- Sample $x \leftarrow 𝔽^{*}$ .
- Send $x$ .
Prover $\to$ Verifier.
- Opening of $t (x)$ (value $\hat{t}$ , blinding $τ_{x}$ ): $\begin{matrix} \hat{t} & = ⟨ f_{L} (x), f_{R} (x) ⟩ = t (x) \\ τ_{x} & = \sum_{i \neq n^{'}} τ_{i} x^{i} - x^{n^{'}} ⟨ w_{V}, γ_{V} ⟩ \end{matrix}$
- Opening of $P$ (vectors $f_{L} (x), f_{R} (x)$ , blinding $μ$ ): $μ = α \cdot x^{n^{'} / 2} + β \cdot x^{n^{'}} + ρ \cdot x^{n^{'} + 1} + \sum_{k = 1}^{c} γ^{(k)} \cdot x^{n^{'} - k}$ With $γ_{V}$ the blinding factors of the $V_{(j)}$ and $γ^{(k)}$ the blinding factor of $A_{C}^{(k)}$ .
- Send $(τ_{x}, μ, \hat{t}, f_{L} (x) \in 𝔽^{n}, f_{R} (x) \in 𝔽^{n})$ .
Verifier.
- Set $H^{(y)^{- 1}} = (y)^{- 1} \circ H$ .
- Define: $\begin{matrix} {\tilde{W}}_{L} & = ⟨ w_{L}, H^{(y)^{- 1}} ⟩ \in 𝔾 & {\tilde{W}}_{R} & = ⟨ (y)^{- 1} \circ w_{R}, G ⟩ \in 𝔾 \\ {\tilde{W}}_{O} & = ⟨ w_{O} - y, H^{(y)^{- 1}} ⟩ \in 𝔾 & {\tilde{W}}_{k} & = ⟨ {w_{C}}^{(k)}, H^{(y)^{- 1}} ⟩ \in 𝔾 \end{matrix}$
- Compute: $P = {\tilde{W}}_{O} + \sum_{k = 1}^{c} x^{k} {\tilde{W}}_{k} + x^{n^{'} / 2} (A_{L | R} + {\tilde{W}}_{L} + {\tilde{W}}_{R}) + \sum_{k = 1}^{c} x^{n^{'} - k} A_{C}^{(k)} + x^{n^{'}} A_{O} + x^{n^{'} + 1} S$
- Check: $\hat{t} G + τ_{x} H = x^{n^{'}} ((δ (y, z) - w_{c}) G - \sum_{j = 1}^{m} (w_{V})_{j} V_{(j)}) + \sum_{i \neq n^{'}} x^{i} T_{i}$
- Check: $((G, H^{(y)^{- 1}}, H, P, μ, \hat{t}), (f_{L} (x), f_{R} (x))) \in ℛ_{I P}$

Computational Special Soundness

We prove that the arithmetization (‘Generalized Bulletproofs’) is an argument of knowledge for $ℛ_{G B P}$ . The theorem below establishes $(n, q + 1, 2 n^{'} + 3)$ -computational special soundness. By Attema, Fehr and Klooß (TCC 2022) the Fiat-Shamir compiled argument then has tight security: under the hardness of discrete log over $𝔾$ it is knowledge sound with knowledge error at most $(Q_{r o} + 1) \cdot (n + q + 4 c + 5) / (| 𝔽 | - 1)$ , where $Q_{r o}$ is the number of random-oracle queries made by the adversary.

Theorem. Assume $W_{V}$ has full column rank $m$ , i.e. a left inverse. The full arithmetization is $(n, q + 1, 2 n^{'} + 3)$ -computationally special sound for $ℛ_{G B P}$ : from any $(n, q + 1, 2 n^{'} + 3)$ -tree of accepting transcripts a deterministic extractor returns either a witness for $ℛ_{G B P}$ , or a non-trivial discrete-log relation among the generators $Γ = G ‖ H ‖ G ‖ H \in 𝔾^{2 n + 2}$ , i.e. a non-zero $v$ with $⟨ v, Γ ⟩ = 0$ .

The Tree of Transcripts. A $(n, q + 1, 2 n^{'} + 3)$ -tree fixes the first message $(A_{L | R}, A_{O}, S)$ at the root and branches on the three challenges, recording each verifier message at its node: $n$ distinct children on $y$ ; under each, $q + 1$ distinct children on $z$ , each with its ${T_{i}}$ ; under each, $2 n^{'} + 3$ distinct leaves on $x$ , each with its opening $(τ_{x}, μ, f_{L} (x), f_{R} (x))$ . Every root-to-leaf path is an accepting transcript. Index a $(y, z)$ -node by $(i_{y}, i_{z})$ and its $x$ -leaves by $i_{x}$ , so $(i_{y}, i_{z}, i_{x})$ indexes a full transcript. The three arities are forced by the three interpolations below: $2 n^{'} + 3 = \deg t + 1$ for $x$ ; $q + 1$ for the $q$ constraint rows together with the constant Hadamard term; $n$ for the Hadamard coordinates.

The

(n, q + 1, 2 n^{'} + 3)

tree of accepting transcripts: each edge is a verifier challenge (

y

, then

z

, then

x

), and every root-to-leaf path is an accepting transcript (one highlighted).

Step 1: $x$ -Vandermonde Read-off. Fix a node $(i_{y}, i_{z})$ . The verifier’s $P$ is the value at the leaf’s challenge of a polynomial $\sum_{p = 0}^{2 (n^{'} + 1)} x^{p} P_{p}$ whose coefficients $P_{p} \in 𝔾$ are:

\begin{matrix} P_{0} & = {\tilde{W}}_{O}, & P_{k} & = {\tilde{W}}_{k} (1 \leq k \leq c), & P_{n^{'} / 2} & = A_{L | R} + {\tilde{W}}_{L} + {\tilde{W}}_{R}, \\ P_{n^{'} - k} & = A_{C}^{(k)}, & P_{n^{'}} & = A_{O}, & P_{n^{'} + 1} & = S, \end{matrix}

With $P_{p} = 0$ for $p > n^{'} + 1$ .

The $2 n^{'} + 3$ leaves of the node share $(y, z)$ and use distinct $x$ , so the $P$ -opening check at leaf $i_{x}$ :

\sum_{p} x_{i_{x}}^{p} P_{p} = ⟨ f_{L} (x_{i_{x}}), G ⟩ + ⟨ f_{R} (x_{i_{x}}), H^{(y)^{- 1}} ⟩ + μ_{i_{x}} H,

Is a Vandermonde system in $x$ ; inverting it writes each $P_{p}$ as a representation in the $(G, H^{(y)^{- 1}}, H)$ basis. When the node’s collision candidates (Step 5) all vanish, the $G$ -block of $P_{p}$ at every degree equals the honest $f_{L}$ coefficient and the $H^{(y)^{- 1}}$ -block at every degree $\neq n^{'}$ equals the honest $f_{R}$ coefficient: the public degrees $0$ and $k$ open purely on $H^{(y)^{- 1}}$ to $w_{O} - y$ and ${w_{C}}^{(k)}$ ; degree $n^{'} / 2$ gives $a_{L} + w_{R} \circ (y)^{- 1}$ on $G$ and $y \circ a_{R} + w_{L}$ on $H^{(y)^{- 1}}$ ; degrees $n^{'} - k$ , $n^{'}$ , $n^{'} + 1$ give the wires ${a_{C}}^{(k)}, a_{O}, s_{L}$ on $G$ and $y \circ {a u x}^{(k)}, y \circ s_{R}$ on $H^{(y)^{- 1}}$ . The lone degree- $n^{'}$ $H^{(y)^{- 1}}$ -block — the $H$ -part of $A_{O}$ — is unconstrained; the relation tolerates this slack, and since its convolution partner is the degree- $0$ coefficient of $f_{L}$ , which is $0$ , it never contributes downstream.

Step 2: The Per-Node Identity $(⋆)$ . With the leaf openings pinned to the honest $f_{L}, f_{R}$ , the $n^{'}$ -coefficient of $⟨ f_{L} (X), f_{R} (X) ⟩$ — the committed target $t_{n^{'}}$ , recovered from the leaves by inverting the same $x$ -Vandermonde at degree $n^{'}$ — expands without invoking any constraint into $δ (y, z)$ , the $z$ -aggregated linear $R 1 C S$ rows, and the $y$ -weighted Hadamard term $⟨ y, a_{L} \circ a_{R} - a_{O} ⟩$ . The first verifier check independently pins the same coefficient to $t_{n^{'}} = δ (y, z) - w_{c} - ⟨ w_{V}, v ⟩$ ; here the check couples $⟨ w_{V}, v ⟩$ to the aggregate $\sum_{j} (w_{V})_{j} V_{(j)}$ through its degree- $n^{'}$ coefficient, the two agreeing once the corresponding $(G, H)$ -collision candidate of Step 5 vanishes. Equating the two expansions and cancelling $δ (y, z)$ gives, at every node $(i_{y}, i_{z})$ :

(⋆) ⟨ y, a_{L} \circ a_{R} - a_{O} ⟩ + \sum_{ℓ = 1}^{q} z^{ℓ} {(W_{L} a_{L} + W_{R} a_{R} + W_{O} a_{O} + \sum_{k} W_{C}^{(k)} {a_{C}}^{(k)} + W_{V} v + c)}_{ℓ} = 0

Step 3: Deaggregation over $z$ then $y$ . It suffices to know $(⋆)$ on one reference row and one reference column. Fix a reference $y$ -child: as $z$ ranges over the $q + 1$ children of that node, $(⋆)$ is a degree- $q$ polynomial in $z$ — constant term $⟨ y, a_{L} \circ a_{R} - a_{O} ⟩$ , row $ℓ$ at $z^{ℓ}$ — vanishing at $q + 1$ distinct points, so a Vandermonde in $z$ forces every $R 1 C S$ row to zero. With the rows gone, $(⋆)$ on the reference column ( $z$ fixed to a reference child, $y$ ranging over its $n$ children) collapses to $⟨ y, a_{L} \circ a_{R} - a_{O} ⟩ = 0$ at $n$ distinct $y$ ; a Vandermonde in $y$ forces each coordinate. This yields the first two relation clauses:

\begin{matrix} W_{L} a_{L} + W_{R} a_{R} + W_{O} a_{O} + \sum_{k} W_{C}^{(k)} {a_{C}}^{(k)} + W_{V} v + c & = 0 \\ a_{L} \circ a_{R} - a_{O} & = 0 \end{matrix}

(The $q + 1$ arity is the constant term plus $q$ rows; the L-shape avoids needing $(⋆)$ on the full $n \cdot (q + 1)$ grid.)

Step 4: Commitment Openings. Two clauses remain, read straight off Step 1. The degree- $(n^{'} - k)$ coefficient is $A_{C}^{(k)}$ , whose $G$ -, $H$ - and $H$ -blocks give the vector-commitment clause:

A_{C}^{(k)} = ⟨ {a_{C}}^{(k)}, G ⟩ + ⟨ {a u x}^{(k)}, H ⟩ + γ^{(k)} H

with the $⟨ {a u x}^{(k)}, H ⟩$ slack retained — precisely the term the improved protocol removes. For the scalar commitments, the first check’s degree- $n^{'}$ coefficient opens the aggregate $\sum_{j} (w_{V})_{j} V_{(j)}$ as a $(G, H)$ -combination at each of the $q + 1$ $z$ -children; inverting the Vandermonde in $z$ and applying the left inverse of $W_{V}$ recovers each $V_{(k)} = v_{k} G + γ_{k} H$ .

Step 5: Witness or Relation. The extractor reads a candidate witness $W$ off the Step-1 representations at a fixed reference $(y, z)$ (the first $y$ - and $z$ -children): $a_{L}$ from the $G$ -block at degree $n^{'} / 2$ minus the public $w_{R} \circ (y)^{- 1}$ ; $a_{O}$ at degree $n^{'}$ ; ${a_{C}}^{(k)}$ and $γ^{(k)}$ from the $G$ - and $H$ -blocks at degree $n^{'} - k$ ; $a_{R}$ from the $H^{(y)^{- 1}}$ -block at degree $n^{'} / 2$ , minus the public $w_{L}$ and rescaled by $(y)^{- 1}$ ; ${a u x}^{(k)}$ from the $H^{(y)^{- 1}}$ -block at degree $n^{'} - k$ , rescaled by $(y)^{- 1}$ ; and $v, {γ_{k}}$ from the degree- $n^{'}$ first-check coefficients via the left inverse of $W_{V}$ . It is computed by Lagrange-form Vandermonde inversion and Gaussian elimination — no discrete-log search. It also forms a list of candidate discrete-log relations: differences of two recovered representations of the same group element — the public coefficients ${\tilde{W}}_{O}, {\tilde{W}}_{k}$ ; the challenge-independent commitments $A_{L | R}, A_{O}, A_{C}^{(k)}, S$ across distinct nodes; the degree- $n^{'}$ $(G, H)$ -candidate of Step 2; and the high-degree coefficients, which open $0$ directly. Each candidate $c$ satisfies $⟨ c, Γ ⟩ = 0$ by construction, being a difference of two openings of the same commitment; it is non-trivial exactly when $c \neq 0$ .

The extractor outputs $W$ if $W \in ℛ_{G B P}$ , and otherwise the first non-zero candidate relation; we argue the contrapositive. If every candidate vanishes, the Step-1 read-offs hold and the degree- $n^{'}$ identity of Step 2 holds at every node, so $(⋆)$ holds on the reference row and column; Step 3 deaggregates it into the first two clauses, and Step 4 supplies the vector- and scalar-commitment clauses. All four clauses hold, so $W \in ℛ_{G B P}$ , contradicting the assumption. Hence a failing $W$ yields a non-zero candidate, which the extractor returns as the discrete-log relation.

Reduce $ℛ_{I P} \to ℛ_{I P A, n}$

The $\hat{t}$ check above ties $\hat{t}$ to the committed polynomial $t (X)$ ; the remaining verifier check is membership in a single inner-product relation $ℛ_{I P}$ , with statement $(G, H^{(y)^{- 1}}, H, P, μ, \hat{t})$ and witness $(a, b)$ :

ℛ_{I P} = {((G, H^{(y)^{- 1}}, H, P, μ, \hat{t}), (a, b)) : P = ⟨ a, G ⟩ + ⟨ b, H^{(y)^{- 1}} ⟩ + μ H \land \hat{t} = ⟨ a, b ⟩}

Here $a, b \in 𝔽^{n}$ and $H^{(y)^{- 1}} = (y)^{- 1} \circ H$ . The generators $G, H^{(y)^{- 1}}, H$ are public; the verifier derives the remaining statement components $P, μ, \hat{t}$ from the protocol transcript, and the prover holds the witness $(a, b) = (f_{L} (x), f_{R} (x))$ . We abbreviate $\tilde{H} = H^{(y)^{- 1}}$ .

To recursively fold this relation, we first want to reduce it to:

ℛ_{I P A, N} = {((G, \tilde{H}, U, P), (a, b)) : a, b \in 𝔽^{N} \land P = ⟨ a, G ⟩ + ⟨ b, \tilde{H} ⟩ + ⟨ a, b ⟩ \cdot U}

The verifier samples a challenge $ξ_{0} \leftarrow 𝔽^{*}$ ; both parties set $U = ξ_{0} \cdot G$ (a generator independent of $G, \tilde{H}$ ) and update the commitment:

P \leftarrow P - μ H + \hat{t} \cdot U

Subtracting $μ H$ removes the blinding term from the $ℛ_{I P}$ commitment, and adding $\hat{t} \cdot U$ encodes the claimed inner product in the $U$ component. Since $\hat{t} = ⟨ a, b ⟩$ , the updated statement is an instance of $ℛ_{I P A, n}$ .

Inner-Product Argument

The argument proves membership in $ℛ_{I P A, N}$ on length- $N$ vectors, initially $N = n$ . In each round, the prover and verifier combine the left and right halves of each vector into vectors of half the length. After $⌈ \log_{2} n ⌉$ rounds, the prover has sent $2 ⌈ \log_{2} n ⌉$ group elements and sends two final scalars.

Folding

Split each vector in half:

\begin{matrix} a & = (a_{1} ‖ a_{2}) & b & = (b_{1} ‖ b_{2}) \\ G & = (G_{1} ‖ G_{2}) & \tilde{H} & = ({\tilde{H}}_{1} ‖ {\tilde{H}}_{2}) \end{matrix}

The prover sends the two cross terms:

\begin{matrix} L & = ⟨ a_{1}, G_{2} ⟩ + ⟨ b_{2}, {\tilde{H}}_{1} ⟩ + ⟨ a_{1}, b_{2} ⟩ \cdot U \\ R & = ⟨ a_{2}, G_{1} ⟩ + ⟨ b_{1}, {\tilde{H}}_{2} ⟩ + ⟨ a_{2}, b_{1} ⟩ \cdot U \end{matrix}

The verifier replies with a challenge $ξ \leftarrow 𝔽^{*}$ , and both sides fold the generators and statement to half length:

\begin{matrix} G^{'} & = ξ^{- 1} \cdot G_{1} + ξ \cdot G_{2} \\ {\tilde{H}}^{'} & = ξ \cdot {\tilde{H}}_{1} + ξ^{- 1} \cdot {\tilde{H}}_{2} \\ P^{'} & = ξ^{2} \cdot L + P + ξ^{- 2} \cdot R \end{matrix}

While the prover folds the witness the same way:

\begin{matrix} a^{'} & = ξ \cdot a_{1} + ξ^{- 1} \cdot a_{2} \\ b^{'} & = ξ^{- 1} \cdot b_{1} + ξ \cdot b_{2} \end{matrix}

A simple calculation shows the relation is preserved, $P^{'} = ⟨ a^{'}, G^{'} ⟩ +$ $⟨ b^{'}, {\tilde{H}}^{'} ⟩ +$ $⟨ a^{'}, b^{'} ⟩ \cdot U$ . The folded statement and witness then form a smaller instance of the same relation, $((G^{'}, {\tilde{H}}^{'}, U, P^{'}), (a^{'}, b^{'})) \in ℛ_{I P A, N / 2}$ .

Base Case

After $⌈ \log_{2} n ⌉$ rounds the vectors have length one, leaving the base relation $ℛ_{I P A, 1}$ . The prover sends the two scalars $a, b \in 𝔽$ , and the verifier accepts iff:

P = a \cdot G + b \cdot \tilde{H} + (a \cdot b) \cdot U

The verifier never folds the generators one round at a time: the round challenges $ξ_{1}, \dots, ξ_{⌈ \log_{2} n ⌉}$ assign each original generator a fixed coefficient (a product of the $ξ_{j}^{\pm 1}$ ), so the whole check collapses into a single multi-exponentiation, batched with the rest of verification.

Improvements

We describe two improvements to the protocol above: a cheaper arithmetization, and an inversion-free inner-product argument with a tighter and simpler proof of computational special soundness.

Arithmetization

Recall that the full arithmetization spreads $t (X)$ across degree $2 (n^{'} + 1) = 4 c + 6$ , so the prover commits to all $3 c + 5$ of its coefficients. Most of that degree is wasted: it exists only to park the two halves of $A_{L | R}$ (and of $S$ ) on a shared monomial, so that they can be jointly committed; this is a bad ‘optimization’, that ends up hurting efficiency in the GBP setting. If we give every vector its own monomial and $t (X)$ collapses to degree $2 (c + 2)$ , the prover commits to $2 c + 4$ coefficients, a saving of $c + 1$ . We pay for this by splitting $A_{L | R}$ into $(A_{L}, A_{R})$ and $S$ into $(S_{L}, S_{R})$ : two extra commitments, leaving a net saving of $c - 1$ group elements. For 4 vector commitments the saving is 96 bytes: 3 fewer group elements.

The split buys something else: it tightens the relation. A vector commitment opens as:

A_{C}^{(k)} = ⟨ {a_{C}}^{(k)}, G ⟩ + ⟨ {a u x}^{(k)}, H ⟩ + γ^{(k)} H

The $⟨ {a u x}^{(k)}, H ⟩$ term is slack the circuit cannot reach; the full arithmetization tolerates it, carrying it along in the $y \circ {a u x}^{(k)}$ terms of $f_{R} (X)$ . However, the improved protocol below can ensure that all those terms are zero. The verifier evaluates the $G$ - and $H$ -sides separately and recombines them with a binding challenge $r$ , drawn after the evaluation point $x$ and before the opening. The improved protocol then proves the tighter relation $ℛ_{{G B P}^{'}}$ , identical to the generalized Bulletproofs relation except that the vector commitments carry no $H$ component:

ℛ_{{G B P}^{'}} = {\begin{matrix} (a_{L}, a_{R}, a_{O}, v, {{a_{C}}^{(i)}, γ^{(i)}}_{i = 1}^{c}, {γ_{k}}_{k = 1}^{m}) : \\ 0 = W_{L} \cdot a_{L} + W_{R} \cdot a_{R} + W_{O} \cdot a_{O} + \sum_{i = 1}^{c} W_{C}^{(i)} \cdot {a_{C}}^{(i)} + W_{V} \cdot v + c \\ 0 = a_{L} \circ a_{R} - a_{O} \\ \forall i . A_{C}^{(i)} = ⟨ {a_{C}}^{(i)}, G ⟩ + γ^{(i)} \cdot H \\ \forall k . V_{(k)} = v_{k} \cdot G + γ_{k} \cdot H \end{matrix}}

Public inputs are as in the arithmetization above; the target monomial is now $X^{c + 1}$ .

Prover $\to$ Verifier.
- Sample $α_{L}, α_{R}, β, ρ_{L}, ρ_{R} \leftarrow 𝔽$ and $s_{L}, s_{R} \leftarrow 𝔽^{n}$ .
- Commit: $\begin{matrix} S_{L} & = ⟨ s_{L}, G ⟩ + ρ_{L} H & S_{R} & = ⟨ s_{R}, H ⟩ + ρ_{R} H \\ A_{L} & = ⟨ a_{L}, G ⟩ + α_{L} H & A_{R} & = ⟨ a_{R}, H ⟩ + α_{R} H \\ A_{O} & = ⟨ a_{O}, G ⟩ + β H \end{matrix}$
- Send $(A_{L}, A_{R}, A_{O}, S_{L}, S_{R})$ .
Verifier $\to$ Prover.
- Sample $y \leftarrow 𝔽^{*}$ and $z \leftarrow 𝔽$ .
- Send $(y, z)$ .
- Both parties compute:
  - The challenge vectors $y, (y)^{- 1}, z$
  - The weights $w_{L}, w_{R}, w_{O}, {{w_{C}}^{(k)}}, w_{V}, w_{c}$
  - $δ (y, z) = ⟨ (y)^{- 1} \circ w_{R}, w_{L} ⟩$
Prover $\to$ Verifier.
- Recall that the inner products to batch are: $\begin{matrix} t_{c + 1} & = ⟨ a_{L} + w_{R} \circ (y)^{- 1}, y \circ a_{R} + w_{L} ⟩ + ⟨ a_{O}, w_{O} - y ⟩ + \sum_{k = 1}^{c} ⟨ {a_{C}}^{(k)}, {w_{C}}^{(k)} ⟩ \\ = δ (y, z) - w_{c} - ⟨ w_{V}, v ⟩ . \end{matrix}$
- Build fL(X),fR(X)∈𝔽[X]n with nonzero coefficients:
  - fL(X):
    - $a_{L} + w_{R} \circ (y)^{- 1}$ at $X^{0}$
    - $a_{O}$ at $X^{1}$
    - ${a_{C}}^{(k)}$ at $X^{k + 1}$ for $k = 1, \dots, c$
    - $s_{L} + z^{q + 1} \cdot 1$ at $X^{c + 2}$
  - fR(X):
    - ${w_{C}}^{(k)}$ at $X^{c - k}$ for $k = 1, \dots, c$
    - $w_{O} - y$ at $X^{c}$
    - $y \circ a_{R} + w_{L}$ at $X^{c + 1}$
    - $y \circ s_{R}$ at $X^{c + 2}$
  - Corresponding to generators in $G$ and $H$ respectively.
- $t (X) = ⟨ f_{L} (X), f_{R} (X) ⟩ = \sum_{i = 0}^{2 (c + 2)} t_{i} X^{i}$ ; the target coefficient is $t_{c + 1}$ .
- Sample $τ_{i} \leftarrow 𝔽$ for every $i \neq c + 1$ and set $T_{i} = t_{i} G + τ_{i} H$ .
- Send ${T_{i}}_{i \neq c + 1}$ .
Verifier $\to$ Prover.
- Sample $x \leftarrow 𝔽$ , then $r \leftarrow 𝔽^{*}$ .
- Send $(x, r)$ .
Prover $\to$ Verifier.
- Opening of $t (x)$ (value $\hat{t}$ , blinding $τ_{x}$ ): $\begin{matrix} \hat{t} & = ⟨ f_{L} (x), f_{R} (x) ⟩ = t (x) \\ τ_{x} & = \sum_{i \neq c + 1} τ_{i} x^{i} - x^{c + 1} ⟨ w_{V}, γ_{V} ⟩ \end{matrix}$
- Opening of $P$ (vectors $f_{L} (x), f_{R} (x)$ , blinding $μ = μ_{L} + r μ_{R}$ ): $\begin{matrix} μ_{L} & = α_{L} + β x + \sum_{k = 1}^{c} γ^{(k)} x^{k + 1} + ρ_{L} x^{c + 2} \\ μ_{R} & = α_{R} x^{c + 1} + ρ_{R} x^{c + 2} \end{matrix}$ with $γ_{V}$ the blinding factors of the $V_{(j)}$ and $γ^{(k)}$ the blinding factor of $A_{C}^{(k)}$ .
- Send $(τ_{x}, \hat{t}, μ, f_{L} (x) \in 𝔽^{n}, f_{R} (x) \in 𝔽^{n})$ .
Verifier.
- Set $H^{(y)^{- 1}} = (y)^{- 1} \circ H$ .
- Define: $\begin{matrix} {\tilde{W}}_{L} & = ⟨ w_{L}, H^{(y)^{- 1}} ⟩ \in 𝔾 & {\tilde{W}}_{R} & = ⟨ (y)^{- 1} \circ w_{R}, G ⟩ \in 𝔾 \\ {\tilde{W}}_{O} & = ⟨ w_{O} - y, H^{(y)^{- 1}} ⟩ \in 𝔾 & {\tilde{W}}_{k} & = ⟨ {w_{C}}^{(k)}, H^{(y)^{- 1}} ⟩ \in 𝔾 \end{matrix}$
- Compute: $\begin{matrix} P & = \underset{⟨ f_{L} (x), G ⟩ + μ_{L} H}{\underset{⏟}{x^{0} (A_{L} + {\tilde{W}}_{R}) + x^{1} A_{O} + \sum_{k = 1}^{c} x^{k + 1} A_{C}^{(k)} + x^{c + 2} (S_{L} + z^{q + 1} \cdot ⟨ 1, G ⟩)}} \\ + r \underset{⟨ f_{R} (x), H^{(y)^{- 1}} ⟩ + μ_{R} H}{\underset{⏟}{(\sum_{k = 1}^{c} x^{c - k} {\tilde{W}}_{k} + x^{c} {\tilde{W}}_{O} + x^{c + 1} (A_{R} + {\tilde{W}}_{L}) + x^{c + 2} S_{R})}} \end{matrix}$
- Check: $\hat{t} G + τ_{x} H = x^{c + 1} ((δ (y, z) - w_{c}) G - \sum_{j = 1}^{m} (w_{V})_{j} V_{(j)}) + \sum_{i \neq c + 1} x^{i} T_{i}$
- Check: $((G, r \cdot H^{(y)^{- 1}}, H, P, μ, \hat{t}), (f_{L} (x), f_{R} (x))) \in ℛ_{I P}$

Computational Special Soundness

We prove that the protocol is an argument of knowledge for $ℛ_{{G B P}^{'}}$ . The theorem below establishes $(n, q + 2, 2 c + 5, 3)$ -computational special soundness; by Attema, Fehr and Klooß (TCC 2022) the Fiat-Shamir compiled argument then has tight security: under the hardness of discrete log over $𝔾$ it is knowledge sound with knowledge error at most $(Q_{r o} + 1) \cdot (n + q + 2 c + 6) / (| 𝔽 | - 1)$ , where $Q_{r o}$ is the number of random-oracle queries.

Theorem. Assume $W_{V}$ has full column rank $m$ , i.e. a left inverse. The improved arithmetization is $(n, q + 2, 2 c + 5, 3)$ -computationally special sound for $ℛ_{{G B P}^{'}}$ : from any $(n, q + 2, 2 c + 5, 3)$ -tree of accepting transcripts a deterministic extractor returns either a witness for $ℛ_{{G B P}^{'}}$ , or a non-trivial discrete-log relation among the generators $Γ = G ‖ H ‖ G ‖ H \in 𝔾^{2 n + 2}$ , i.e. a non-zero $v$ with $⟨ v, Γ ⟩ = 0$ .

The Tree of Accepting Transcripts. A $(n, q + 2, 2 c + 5, 3)$ -tree fixes the first message $(A_{L}, A_{R}, A_{O}, S_{L}, S_{R})$ at the root and branches on the four challenges, recording each verifier message at its node: $n$ distinct children on $y$ ; under each, $q + 2$ distinct children on $z$ , each with its ${T_{i}}$ ; under each, $2 c + 5$ distinct children on $x$ ; under each, $3$ distinct leaves on $r$ . The opening $(τ_{x}, μ, a, b) = (τ_{x}, μ_{L} + r μ_{R}, f_{L} (x), f_{R} (x))$ is the never-sent final message decorating the leaves; drawn after $r$ , it may differ across the $r$ -children. Every root-to-leaf path is an accepting transcript. Index a $(y, z, x)$ -node by $(i_{y}, i_{z}, i_{x})$ and its $r$ -leaves by $e \in {0, 1, 2}$ , with challenges $r_{e}$ and leaf openings $(τ_{x, e}, μ_{e}, a_{e}, b_{e})$ . Write $P_{L}, P_{R}$ for the two bracketed sums of the verifier’s $P$ (so $P = P_{L} + r P_{R}$ ) and $H^{(y)^{- 1}} = (y)^{- 1} \circ H$ . The four arities are forced by the four interpolations below: $2 c + 5 = \deg t + 1$ for $x$ ; $q + 2$ for the constraints together with the fresh offset degree; $n$ for the Hadamard rows; $3$ for the quadratic in $r$ .

Step 1: Interpolation in $r$ . Fix a node $(i_{y}, i_{z}, i_{x})$ . The second verifier check at leaf $e$ reads:

P_{L} + r_{e} P_{R} = ⟨ a_{e}, G ⟩ + r_{e} ⟨ b_{e}, H^{(y)^{- 1}} ⟩ + μ_{e} H

with $μ_{e}$ the single blinding supplied at the leaf. The leaves $e = 0, 1$ (with $r_{0} \neq r_{1}$ ) form a $2 \times 2$ system whose unique solution pins both sides to four quadrant vectors and recovers the two blinders:

\begin{matrix} P_{L} & = ⟨ a^{⋆}, G ⟩ + ⟨ β, H^{(y)^{- 1}} ⟩ + μ_{L} H \\ P_{R} & = ⟨ α, G ⟩ + ⟨ b^{⋆}, H^{(y)^{- 1}} ⟩ + μ_{R} H \end{matrix}

Where the quadrants are the interpolants:

\begin{matrix} a^{⋆} & = \frac{r_{1} a_{0} - r_{0} a_{1}}{r_{1} - r_{0}} & β & = \frac{r_{0} r_{1} (b_{0} - b_{1})}{r_{1} - r_{0}} \\ α & = \frac{a_{1} - a_{0}}{r_{1} - r_{0}} & b^{⋆} & = \frac{r_{1} b_{1} - r_{0} b_{0}}{r_{1} - r_{0}} \end{matrix}

And the blinding factors by the same interpolation, $μ_{L} = \frac{r_{1} μ_{0} - r_{0} μ_{1}}{r_{1} - r_{0}}$ and $μ_{R} = \frac{μ_{1} - μ_{0}}{r_{1} - r_{0}}$ . Here $β$ is a $H^{(y)^{- 1}}$ -mass sitting on the $G$ -side $P_{L}$ , and $α$ a $G$ -mass on the $H$ -side $P_{R}$ . The opening is sent after $r$ , so nothing yet forces $β = α = 0$ ; this is the slack the offset must remove.

Step 2: The $\hat{t}$ -Quadratic Forces the Cross Terms to Vanish. On this family the $e$ -th leaf satisfies $a_{e} = a^{⋆} + r_{e} α$ and $b_{e} = r_{e}^{- 1} β + b^{⋆}$ (leaves $0, 1$ by construction; leaf $2$ either lies on the family — vectors and blinding alike — since its candidate below vanishes, or yields a relation). Hence:

⟨ a_{e}, b_{e} ⟩ = ⟨ a^{⋆}, β ⟩ r_{e}^{- 1} + (⟨ a^{⋆}, b^{⋆} ⟩ + ⟨ α, β ⟩) + ⟨ α, b^{⋆} ⟩ r_{e}

The first check at leaf $e$ reads $⟨ a_{e}, b_{e} ⟩ G + τ_{x, e} H = R$ , with right-hand side $R = \sum_{i \neq c + 1} x^{i} T_{i} + x^{c + 1} ((δ (y, z) - w_{c}) G - \sum_{j} (w_{V})_{j} V_{(j)})$ determined before $r$ is drawn. Subtracting the leaf- $0$ instance, $(⟨ a_{e}, b_{e} ⟩ - ⟨ a_{0}, b_{0} ⟩) G + (τ_{x, e} - τ_{x, 0}) H = 0$ is a discrete-log relation on $(G, H)$ ; unless it is trivial — both $⟨ a_{e}, b_{e} ⟩$ and $τ_{x, e}$ constant across the $r$ -children — the extractor returns it. With $⟨ a_{e}, b_{e} ⟩$ pinned to a single value, a map $r \mapsto A r^{- 1} + C + B r$ constant at the three distinct non-zero $r_{0}, r_{1}, r_{2}$ has $A = B = 0$ ; hence at every node:

⟨ a^{⋆}, β ⟩ = 0, ⟨ α, b^{⋆} ⟩ = 0, ⟨ a_{e}, b_{e} ⟩ = ⟨ a^{⋆}, b^{⋆} ⟩ + ⟨ α, β ⟩

Forcing both the $r^{- 1}$ - and $r$ -terms to vanish requires three points, which fixes the $r$ -arity at $3$ .

Step 3: $x$ -Vandermonde Extraction. Fix $y$ and $z$ . Across the $2 c + 5$ accepting transcripts that share them and use distinct $x$ , each quadrant is the evaluation at $x_{i_{x}}$ of a vector polynomial of degree $\leq 2 c + 4$ whose coefficients are the per-degree representations of $P_{L} (X)$ and $P_{R} (X)$ . Inverting the Vandermonde in $x$ recovers, for each degree $p$ , a representation in three blocks:

[{coeff}_{p} P_{L}] = ⟨ g_{p}, G ⟩ + ⟨ h_{p}, H^{(y)^{- 1}} ⟩ + η_{p} H

And likewise for $P_{R}$ . Matching the layout of $f_{L}$ , the $G$ -blocks at degrees $0, 1, k + 1, c + 2$ are $a_{L} + w_{R} \circ (y)^{- 1}$ , $a_{O}$ , ${a_{C}}^{(k)}$ , and $s_{L} + z^{q + 1} \cdot 1$ (the mask with offset); the $H^{(y)^{- 1}}$ -blocks are the residual components $β$ at each degree.

Step 4: The Offset Eliminates the Residual Components. The residual $H^{(y)^{- 1}}$ -block of each $P_{L}$ -coefficient is the same fixed vector $w_{p}$ for every $(y, z)$ (up to the $y$ -rescaling), a property of the fixed commitments $A_{L}, A_{O}, A_{C}^{(k)}, S_{L}$ . We show every $w_{p} = 0$ by descending induction on $p$ , from $c + 2$ down.

Step 2 gives $⟨ a^{⋆} (x), β (x) ⟩ = 0$ at every $x$ -child; interpolating across the $2 c + 5$ points, every convolution coefficient of the two degree- $(c + 2)$ quadrant polynomials vanishes. Take the coefficient at convolution degree $p_{0} + c + 2$ . With the higher-degree residual components already zero by the induction hypothesis, the only nonzero term pairs the $G$ -block of the mask slot $c + 2$ with $w_{p_{0}}$ ; that block is $u + z^{q + 1} \cdot 1$ , with $u$ the fixed representation of $S_{L}$ , so the coefficient is:

⟨ u, y \circ w_{p_{0}} ⟩ + z^{q + 1} \sum_{t} y^{t} (w_{p_{0}})_{t} = 0

Fix $y$ . The summand $D = ⟨ u, y \circ w_{p_{0}} ⟩$ and the coefficient $B = \sum_{t} y^{t} (w_{p_{0}})_{t}$ are independent of $z$ : the weights live at $z^{1}, \dots, z^{q}$ , and $u$ is fixed before $z$ . The term $z^{q + 1} B$ carries the fresh power, so $D + z^{q + 1} B$ is a polynomial vanishing at the $q + 2$ distinct $z$ , and full-degree Vandermonde forces $B = 0$ . (Pairwise differences would not suffice: distinct $z$ can share a $(q + 1)$ -th power, which is why the $z$ -arity is $q + 2$ , not $q + 1$ .) Finally $\sum_{t} y^{t} (w_{p_{0}})_{t} = 0$ across the $n$ distinct $y$ is a Vandermonde in $y$ , so $w_{p_{0}} = 0$ coordinate-wise.

Since every $w_{p} = 0$ , the residual quadrant $β$ vanishes at every node, and each leaf’s inner product equals the honest convolution $⟨ a^{⋆}, b^{⋆} ⟩$ .

Step 5: Witness or Relation. The extractor reads a candidate witness $W$ off the Step-3 representations at a fixed reference $(y, z)$ (the first $y$ - and $z$ -children): $a_{L}$ from the $G$ -block of $P_{L}$ at degree $0$ , minus the public $w_{R} \circ (y)^{- 1}$ ; $a_{O}$ at degree $1$ ; ${a_{C}}^{(k)}$ and its blinder $γ^{(k)}$ from the $G$ - and $H$ -blocks of $P_{L}$ at degree $k + 1$ ; $a_{R}$ from the $H^{(y)^{- 1}}$ -block of $P_{R}$ at degree $c + 1$ , minus the public $w_{L}$ and rescaled by $(y)^{- 1}$ ; and $v, {γ_{k}}$ from the first check’s degree- $(c + 1)$ coefficient across the first $q + 1$ $z$ -children, via the precomputed left inverse of $W_{V}$ . It also forms a list of candidate discrete-log relations: differences of two recovered representations of the same group element, e.g. the representation of $A_{L}$ at $(y_{i_{y}}, z_{i_{z}})$ minus the one at the reference $(y_{0}, z_{0})$ , the high-degree coefficients, and the per-node consistency checks — the third $r$ -child’s opening and blinding against the family interpolated from the first two (Step 1), and the agreement of $(⟨ a_{e}, b_{e} ⟩, τ_{x, e})$ across the $r$ -children (Step 2). Each candidate $c$ satisfies $⟨ c, Γ ⟩ = 0$ by construction, being the difference of two representations of the same commitment; it is therefore a discrete-log relation, non-trivial exactly when $c \neq 0$ .

The extractor outputs $W$ if $W \in ℛ_{{G B P}^{'}}$ , and otherwise the first non-zero candidate relation; we argue the contrapositive. If every candidate vanishes, the Step-3 representations and the per-node identities of Step 2 hold, and the residual components are pinned to the single family $w_{p}$ , so Step 4 forces every $w_{p}$ to zero. With the leaf openings now honest, cancelling $δ$ in the first-check identity $t_{c + 1} = δ (y, z) - w_{c} - ⟨ w_{V}, v ⟩$ gives, for each $(y, z)$ :

⟨ y, a_{L} \circ a_{R} - a_{O} ⟩ + \sum_{ℓ = 1}^{q} z^{ℓ} (W_{L} a_{L} + W_{R} a_{R} + W_{O} a_{O} + \sum_{k} W_{C}^{(k)} {a_{C}}^{(k)} + W_{V} v + c)_{ℓ} = 0

Deaggregating over the $n$ distinct $y$ and the $q + 1$ distinct $z$ (two Vandermondes) splits this into the first two relation clauses:

W_{L} a_{L} + W_{R} a_{R} + W_{O} a_{O} + \sum_{k} W_{C}^{(k)} {a_{C}}^{(k)} + W_{V} v + c = 0, a_{L} \circ a_{R} - a_{O} = 0

The vector-commitment clause is tight: since the residual components vanish, the degree- $(k + 1)$ $G$ -block representation gives $A_{C}^{(k)} = ⟨ {a_{C}}^{(k)}, G ⟩ + γ^{(k)} H$ , with no $H$ -component. The scalar clause $V_{(k)} = v_{k} G + γ_{k} H$ follows from the degree- $(c + 1)$ recovery and the $W_{V}$ left inverse. All four clauses hold, so $W \in ℛ_{{G B P}^{'}}$ , contradicting the assumption. Hence a failing $W$ yields a non-zero candidate, which the extractor returns as the discrete-log relation.

Inner-Product Argument

The improved arithmetization reduces to the same inner-product relation $ℛ_{I P}$ , so it can reuse the inner-product argument above. Folding in the value yields the same relation $ℛ_{I P A, N}$ , and the base case is unchanged; we change only the folding round, replacing the Laurent fold with a polynomial fold. This removes every field inversion.

Folding

Split each vector in half:

\begin{matrix} a & = (a_{1} ‖ a_{2}) & b & = (b_{1} ‖ b_{2}) \\ G & = (G_{1} ‖ G_{2}) & \tilde{H} & = ({\tilde{H}}_{1} ‖ {\tilde{H}}_{2}) \end{matrix}

The prover sends the two cross terms:

\begin{matrix} L & = ⟨ a_{1}, G_{2} ⟩ + ⟨ b_{2}, {\tilde{H}}_{1} ⟩ + ⟨ a_{1}, b_{2} ⟩ \cdot U \\ R & = ⟨ a_{2}, G_{1} ⟩ + ⟨ b_{1}, {\tilde{H}}_{2} ⟩ + ⟨ a_{2}, b_{1} ⟩ \cdot U \end{matrix}

The verifier replies with a challenge $ξ \leftarrow 𝔽$ , and both sides fold the generators and statement to half length:

\begin{matrix} G^{'} & = G_{1} + ξ \cdot G_{2} \\ {\tilde{H}}^{'} & = ξ \cdot {\tilde{H}}_{1} + {\tilde{H}}_{2} \\ P^{'} & = ξ^{2} \cdot L + ξ \cdot P + R \end{matrix}

While the prover folds the witness the same way:

\begin{matrix} a^{'} & = ξ \cdot a_{1} + a_{2} \\ b^{'} & = b_{1} + ξ \cdot b_{2} \end{matrix}

Base Case

After $⌈ \log_{2} n ⌉$ rounds the vectors have length one, leaving the base relation $ℛ_{I P A, 1}$ . The prover sends the two scalars $a, b \in 𝔽$ , and the verifier accepts iff:

P = a \cdot G + b \cdot \tilde{H} + (a \cdot b) \cdot U

Findings

Below are listed the findings found during the engagement. High severity findings can be seen as so-called "priority 0" issues that need fixing (potentially urgently). Medium severity findings are most often serious findings that have less impact (or are harder to exploit) than high-severity findings. Low severity findings are most often exploitable in contrived scenarios, if at all, but still warrant reflection. Findings marked as informational are general comments that did not fit any of the other criteria.

Low

#00 Repeated `LinComb` Additions Can Grow the Sparse Weight Vectors Exponentially generalized-bulletproofs/src/lincomb.rs #01 Commitment Has Secret-Dependent Memory Access Patterns generalized-bulletproofs/src/arithmetic_circuit_proof.rs #02 Secret Data Not Zeroized After Vector Reallocation generalized-bulletproofs/src/lib.rs #03 Scalar Commitment Are Not Extractable for Rank-Deficient `W_V` generalized-bulletproofs/src/arithmetic_circuit_proof.rs

Informational

#04 Generator Validation for `g` Is Skipped in Release Builds generalized-bulletproofs/src/lib.rs #05 Inner Product Prover Accepts Generator Vectors With Non-Canonical Length generalized-bulletproofs/src/inner_product.rs #06 Vector Commitment Tail Coordinates Are Unconstrained Unless Explicitly Restricted crypto/generalized-bulletproofs/src/lib.rs

Low · #00

Repeated `LinComb` Additions Can Grow the Sparse Weight Vectors Exponentially

generalized-bulletproofs/src/lincomb.rs

Description. LinComb stores its weights in sparse vectors (WL, WR, WO, WV) and a sparse map (WCG). Addition concatenates the operand’s entries onto these vectors rather than coalescing terms that share an index.

fn add(mut self, constraint: &Self) -> Self {
  self.reconcile_for_merging(constraint);

  self.WL.extend(&constraint.WL);
  self.WR.extend(&constraint.WR);
  self.WO.extend(&constraint.WO);
  for (i, sparse_vec) in &constraint.WCG {
    self
      .WCG
      .entry(*i)
      .and_modify(|existing| existing.extend(sparse_vec))
      .or_insert_with(|| sparse_vec.clone());
  }
  self.WV.extend(&constraint.WV);
  self.c += constraint.c;
  self
}

Observe that the size of the result is the sum of the sizes of the operands. Adding a combination to itself doubles its length, so a loop that repeatedly accumulates a combination into itself grows the stored representation exponentially in the number of iterations.

for _ in 0 .. n {
  a = a + &a;
}

After n iterations the WL/WR/WO/WV vectors hold on the order of $2^{n}$ entries, even though the combination is mathematically equivalent to a far smaller one.

Impact. This does not affect correctness or soundness; duplicated entries are accumulated additively when the constraint is evaluated, so the result is unchanged. It’s a potential denial of service concern if the library is used in a setting where the adversary can cause the verifier to try and verify a circuit of this form.

Recommendation. If linear combinations are built from programmatic or untrusted inputs, coalesce terms sharing an index during add/sub, or document that the sparse representation is not reduced and that callers should make sure that the constructed circuit does not trigger this behavior.

Low · #01

Commitment Has Secret-Dependent Memory Access Patterns

generalized-bulletproofs/src/arithmetic_circuit_proof.rs

Description. The prover forms its commitments $A_{I}$ , $A_{O}$ , and $S$ with the constant-time multiexp over witness-derived scalars (aL, aR, aO, the blinding vectors sL, sR, and the masks alpha, beta, rho).

let AI = {
  let alg = witness.aL.0.iter().enumerate().map(|(i, aL)| (*aL, self.generators.g_bold(i)));
  let arh = witness.aR.0.iter().enumerate().map(|(i, aR)| (*aR, self.generators.h_bold(i)));
  let ah = core::iter::once((alpha, self.generators.h()));
  let mut AI_terms = alg.chain(arh).chain(ah).collect::<Vec<_>>();
  let AI = multiexp(&AI_terms);
  AI_terms.zeroize();
  AI
};

multiexp is the constant-time variant, but it is not constant time with respect to the scalars in the sense needed to hide the witness. It uses Pippenger’s algorithm, whose bucket accumulation indexes memory using bits of the secret scalars. Memory accesses are not constant time in general, so the access pattern leaks information about the scalars and cache attacks such as flush-and-reload apply. A scan over all buckets would close this, but that is not what the algorithm does.

The issue is in the upstream multiexp dependency used by the generalized-bulletproofs library. The upstream project has already fixed the issue, but the fixed version has not yet been published to crates.io.

Impact. This is not a verifier-soundness issue and is not exploitable from the proof bytes. It is a local side-channel risk: an attacker who can observe the prover’s memory access pattern, e.g. a co-tenant on the same machine, can learn information about the witness scalars. Whether this matters depends on whether the proofs are used in a witness-hiding setting and on the prover’s execution environment.

Recommendation. Document that proof generation assumes no local microarchitectural side-channel adversary and that witness privacy is out of scope for that environment, or update to the fixed upstream multiexp version once it is available.

Low · #02

Secret Data Not Zeroized After Vector Reallocation

generalized-bulletproofs/src/lib.rs

Description. PedersenVectorCommitment::commit builds the input to multiexp in a temporary terms vector. The vector contains self.mask and the committed witness values from self.g_values.

impl<C: Ciphersuite> PedersenVectorCommitment<C> {
  /// Commit to the vectors of values.
  ///
  /// This function returns `None` if the amount of generators is less than the amount of values
  /// within the relevant vector.
  pub fn commit(&self, g_bold: &[C::G], h: C::G) -> Option<C::G>
  where
    C::G: ConditionallySelectable,
  {
    if g_bold.len() < self.g_values.len() {
      None?;
    }

    let mut terms = vec![(self.mask, h)];
    for pair in self.g_values.iter().copied().zip(g_bold.iter().copied()) {
      terms.push(pair);
    }
    let res = multiexp(&terms);
    terms.zeroize();
    Some(res)
  }
}

The terms vector is initialized with one element and then extended in the loop. Since the vector does not reserve space for all entries upfront, pushing witness pairs can force one or more reallocations. During a reallocation, Rust allocates a larger buffer, copies the existing elements into the new buffer, and releases the previous buffer. The old allocation is not zeroized before being released back to the allocator.

As a result, stale copies of self.mask and earlier self.g_values entries may remain in freed heap memory even though the final terms allocation is zeroized after multiexp returns. The explicit terms.zeroize() call is therefore incomplete for copies created by vector growth.

Impact. This does not affect the correctness, soundness, or hiding properties of the commitment scheme. It is a local secret-handling issue: witness scalars may remain in process memory longer than intended and could be recovered only if an attacker can read freed heap memory, inspect a memory dump, or otherwise obtain process memory. Zeroization is a best effort with Rust zeroize library, and the compiler or runtime may introduce other copies outside this function, but the vector reallocation pattern is a concrete and avoidable source of stale witness data.

Recommendation. It is recommended to pre-allocate enough space for terms before pushing witness values, so the vector does not reallocate during construction.

pub fn commit(&self, g_bold: &[C::G], h: C::G) -> Option<C::G>
where
  C::G: ConditionallySelectable,
{
  if g_bold.len() < self.g_values.len() {
    None?;
  }

  let mut terms = Vec::with_capacity(self.g_values.len() + 1);
  terms.push((self.mask, h));
  for pair in self.g_values.iter().copied().zip(g_bold.iter().copied()) {
    terms.push(pair);
  }
  let res = multiexp(&terms);
  terms.zeroize();
  Some(res)
}

Low · #03

Scalar Commitment Are Not Extractable for Rank-Deficient `W_V`

generalized-bulletproofs/src/arithmetic_circuit_proof.rs

Description. The fixed Generalized Bulletproofs relation treats the scalar-commitment weight matrix W_V as having full column rank, so each scalar commitment $V_{k} = v_{k} \cdot G + γ_{k} \cdot H$ is individually bound by the constraints. ArithmeticCircuitStatement::new does not enforce this; it only checks that the indices referenced by each constraint are in bounds.

for constraint in &constraints {
  if Some(generators.len()) <= constraint.highest_a_index {
    Err(AcStatementError::ConstrainedNonExistentTerm)?;
  }
  if Some(C.len()) <= constraint.highest_c_index {
    Err(AcStatementError::ConstrainedNonExistentVectorCommitment)?;
  }
  if Some(V.len()) <= constraint.highest_v_index {
    Err(AcStatementError::ConstrainedNonExistentCommitment)?;
  }
}

Both the prover and the verifier access the scalar commitments only through the z-aggregated combination of the W_V rows, so the proof binds the single combination $𝐳^{⊤} W_{V} \cdot 𝐕$ rather than the individual commitments $V_{k}$ .

Observe that if W_V is not full column rank, any commitment in the right kernel of W_V is invisible to the verifier. The only code that checks each witness opening against its public commitment is gated behind #[cfg(debug_assertions)], so a release build does not catch a bogus opening for such a commitment.

This is a known restriction inherited from the original Bulletproofs relation, not specific to this implementation: a rank-deficient W_V binds only a linear combination of the commitments, so the individual openings cannot be extracted.

Consider two public commitments $V_{1} = v_{1} G + γ_{1} H$ and $V_{2} = v_{2} G + γ_{2} H$ , with a single constraint asserting their values sum to some target, $v_{1} + v_{2} = v_{3}$ . The weight row over $(V_{1}, V_{2})$ is $[1, 1]$ : rank one for two commitments, so $Q = 1 < m = 2$ . The proof binds only $v_{1} + v_{2}$ and $γ_{1} + γ_{2}$ , which is the opening of the sum $V_{1} + V_{2}$ ; it says nothing about $V_{1}$ and $V_{2}$ individually.

A prover therefore need not know either opening. Pick $V_{1}$ to be an arbitrary point with no known opening, then set $V_{2} = (v_{3} G + γ_{3} H) - V_{1}$ for a chosen opening $(v_{3}, γ_{3})$ . Now $V_{1} + V_{2} = v_{3} G + γ_{3} H$ , so the prover proves $v_{1} + v_{2} = v_{3}$ from the opening of the sum alone, while knowing no opening of $V_{1}$ or $V_{2}$ . The right kernel of W_V is spanned by $(1, - 1)$ : the prover can slide value and mask freely between the two commitments, including pushing $V_{1}$ onto a point it cannot open.

The extreme case is a self-cancelling column. The degenerate constraint V(0) - V(0) = 0 zeroes the entire column for that commitment, dropping it from every verifier equation; since the per-opening check is #[cfg(debug_assertions)]-gated, a release build then accepts a proof whose witness does not open the public commitment at all.

Impact. This is a defense-in-depth issue at the statement-construction boundary; it does not affect a caller using fixed, full-rank constraints. An integration that passes externally supplied Pedersen commitments in V and relies on the proof to establish knowledge of each opening, without itself ensuring W_V has full column rank, does not get that guarantee: the extractor cannot recover the openings of commitments outside the column span of W_V.

In particular, such a proof cannot stand in for a Schnorr-style proof of knowledge of a commitment opening, for example to spend a commitment by proving the prover can open it. When W_V is rank-deficient the proof establishes knowledge of an aggregate opening only, not of the individual commitments the application believes were proven.

Recommendation. If ArithmeticCircuitStatement::new does not enforce that W_V has full column rank, this limitation must be documented clearly: the proof binds only the aggregated combination $W_{V} \cdot 𝐕$ , not the individual scalar commitment openings. Callers that rely on per-commitment binding, for example to prove knowledge of a commitment opening, must ensure W_V has full column rank themselves.

Informational · #04

Generator Validation for `g` Is Skipped in Release Builds

generalized-bulletproofs/src/lib.rs

Description. Generators::new uses a local add_generator helper to reject identity points and track duplicate generators.

let mut set = HashSet::new();
let mut add_generator = |generator: &C::G| {
  if bool::from(generator.is_identity()) {
    return Err(GeneratorsError::IdentityPoint);
  }
  let bytes = generator.to_bytes();
  Ok(!set.insert(bytes.as_ref().to_vec()))
};

debug_assert!(!add_generator(&g)?, "g was prior present in empty set");
if add_generator(&h)? {
  Err(GeneratorsError::DuplicatedGenerator)?;
}

The call to add_generator(&g)? is placed inside debug_assert!. In release builds, debug_assert! expressions are compiled out, so this call is not evaluated. As a result, g is not checked for being the identity and is not inserted into the duplicate-detection set.

The following checks still validate h, g_bold, and h_bold, but they no longer compare those generators against g in release builds because g was never inserted into set. This makes the production validation weaker than the validation performed in debug builds.

Impact. Invalid generator sets involving g can be accepted in release builds even though they would be rejected in debug builds. The practical impact depends on how the library is integrated and whether generator inputs can be influenced by an untrusted party. At minimum, this creates a configuration validation mismatch.

Recommendation. Evaluate add_generator(&g)? unconditionally and return a normal error instead of relying on debug_assert!.

if add_generator(&g)? {
  Err(GeneratorsError::DuplicatedGenerator)?;
}

The duplicate and identity checks are best-effort validation. They do not prove that the accepted bases are independently generated, or that no party knows discrete-log relations between them. It is recommended to document Generators::new as accepting only already-trusted independent bases, with these checks serving as additional defensive validation.

Informational · #05

Inner Product Prover Accepts Generator Vectors With Non-Canonical Length

generalized-bulletproofs/src/inner_product.rs

Description. IpStatement::prove checks that the prover has at least enough generators for the witness length rounded up to the next power of two.

// Ensure we have the necessary amount of generators
if witness.a.len() > ((usize::MAX >> 1) + 1) {
  Err(IpProveError::IncorrectAmountOfGenerators)?;
}
if generators.g_bold_slice().len() < witness.a.len().next_power_of_two() {
  Err(IpProveError::IncorrectAmountOfGenerators)?;
}

This permits generators.g_bold_slice().len() to be larger than witness.a.len().next_power_of_two(). However, the folding loop later treats g_bold.len() as the inner product dimension, while it splits the witness vectors using a.len().next_power_of_two() / 2.

// This interprets `g_bold.len()` as `n`
while g_bold.len() > 1 {
  // Split a, b, g_bold, h_bold as needed for lines 20-24
  let split_at = a.len().next_power_of_two() / 2;
  let (a1, a2) = a.split(split_at);
  let (b1, b2) = b.split(split_at);

  let (g_bold1, g_bold2) = g_bold.split();
  let (h_bold1, h_bold2) = h_bold.split();

  let n_hat = g_bold1.len();

  // Sanity
  debug_assert_eq!(a1.len(), n_hat);
  debug_assert!(a2.len() <= n_hat);
  debug_assert_eq!(b1.len(), n_hat);
  debug_assert!(b2.len() <= n_hat);
  debug_assert_eq!(g_bold1.len(), n_hat);
  debug_assert_eq!(g_bold2.len(), n_hat);
  debug_assert_eq!(h_bold1.len(), n_hat);
  debug_assert_eq!(h_bold2.len(), n_hat);

  [...]
}

The debug assertions show that the intended invariant is stronger than the initial check: the generator vector length should match the padded witness length. If extra generators are accepted, the witness vectors and generator vectors can be folded under different dimensions. In release builds, the debug assertions are not enforced.

Impact. This is an input validation issue in the prover. Under the expected canonical parameters, where the generator vector length equals the padded witness length, there is no impact. If prove is called with an oversized generator vector, it can operate on inconsistent dimensions and may produce an invalid proof or fail later in the folding process instead of returning IpProveError::IncorrectAmountOfGenerators at the boundary.

Recommendation. It is recommended to require the generator vector length to be exactly witness.a.len().next_power_of_two() before entering the folding loop.

if generators.g_bold_slice().len() != witness.a.len().next_power_of_two() {
  Err(IpProveError::IncorrectAmountOfGenerators)?;
}

Informational · #06

Vector Commitment Tail Coordinates Are Unconstrained Unless Explicitly Restricted

crypto/generalized-bulletproofs/src/lib.rs

Description. In the generalized Bulletproof construction, vector commitments are expressed over the same G_bold and H_bold generator vectors used by the proof. The length of these generator vectors is tied to the proof dimension, which is derived from the number of gates and padded to a power of two for the inner product argument.

This proof dimension can be larger than the logical vector length used by an application. For example, an application may intend to commit to a vector of length 3, while the generalized Bulletproof instance uses 4 generators after power-of-two padding.

The vector commitment API accepts an opening as long as there are enough generators for the provided values.

pub fn commit(&self, g_bold: &[C::G], h: C::G) -> Option<C::G>
where
  C::G: ConditionallySelectable,
{
  if g_bold.len() < self.g_values.len() {
    None?;
  }

  let mut terms = vec![(self.mask, h)];
  for pair in self.g_values.iter().copied().zip(g_bold.iter().copied()) {
    terms.push(pair);
  }
  let res = multiexp(&terms);
  terms.zeroize();
  Some(res)
}

The generalized Bulletproof circuit then constrains only the coordinates that appear in the arithmetic constraints. This is expected for the H_bold part of the vector commitment, which represents auxiliary opening data that is not accessible from the circuit. However, the same issue can affect the G_bold part when the proof dimension is larger than the application’s intended vector length: tail coordinates past the logical vector length are not forced to be zero by default.

As a result, an application that reasons about only a fixed prefix of the vector commitment must ensure that every unused G_bold coordinate is either absent from the opening or explicitly constrained to zero. Otherwise, a prover can use non-zero values in the padded tail while still satisfying all constraints over the intended prefix.

Impact. This is an integration-level soundness concern. The proof remains valid for the generalized Bulletproof relation that was actually encoded, but that relation may be wider than the application intended. If an application treats a vector commitment as an exact-length commitment and does not constrain padded tail coordinates, the commitment can contain additional non-zero data outside the checked prefix.

Recommendation. It is recommended to document that generalized Bulletproof vector commitments are over the proof dimension, not necessarily the application-level vector length, and that callers are responsible for constraining unused tail coordinates.

Is is also recommended to make the logical vector length explicit wherever vector commitments are used in generalized Bulletproof statements. For exact-length vectors, add constraints forcing every padded G_bold coordinate beyond the logical length to be zero, or provide an API helper that automatically inserts these constraints.

← Back to Index

Generalized Bulletproofs

Introduction

Notation

Generalized Bulletproofs

GBP Arith 1: R1CS → Σ IP

GBP Arith 2: Vector Polynomials

GBP Arith 3: Σ IP → Single IP

GBP Arith 4: Combining

Eliminate Secret-Secret Hadamard Product

Combine the aO terms

Rewrite aR Inner Product

Collect y∘aR Terms

Add δ(y,z) to Both Sides

Combine wL Terms

Combine aL+wR∘(y)−1 Terms

Arithmetization

Computational Special Soundness

Reduce ℛIP→ℛIPA,n

Inner-Product Argument

Folding

Base Case

Improvements

Arithmetization

Computational Special Soundness

Inner-Product Argument

Folding

Base Case

GBP Arith 1: R1CS $\to$ $Σ$ IP

GBP Arith 3: $Σ$ IP $\to$ Single IP

Combine the $a_{O}$ terms

Rewrite $a_{R}$ Inner Product

Collect $y \circ a_{R}$ Terms

Add $δ (y, z)$ to Both Sides

Combine $w_{L}$ Terms

Combine $a_{L} + w_{R} \circ (y)^{- 1}$ Terms

Reduce $ℛ_{I P} \to ℛ_{I P A, n}$