[move][natives] added batch bulletproof natives

aptos-labs · Feb 6, 2025 · 87a0ef8 · 87a0ef8
1 parent 835ce75
commit 87a0ef8
Show file tree

Hide file tree

Showing 17 changed files with 1,071 additions and 58 deletions.
diff --git a/aptos-move/aptos-gas-schedule/src/gas_schedule/aptos_framework.rs b/aptos-move/aptos-gas-schedule/src/gas_schedule/aptos_framework.rs
@@ -6,7 +6,9 @@
 use crate::{
     gas_feature_versions::{RELEASE_V1_14, RELEASE_V1_8, RELEASE_V1_9_SKIPPED},
     gas_schedule::NativeGasParameters,
-    ver::gas_feature_versions::{RELEASE_V1_12, RELEASE_V1_13, RELEASE_V1_23, RELEASE_V1_26},
+    ver::gas_feature_versions::{
+        RELEASE_V1_12, RELEASE_V1_13, RELEASE_V1_23, RELEASE_V1_26, RELEASE_V1_27,
+    },
 };
 use aptos_gas_algebra::{
     InternalGas, InternalGasPerAbstractValueUnit, InternalGasPerArg, InternalGasPerByte,
@@ -242,6 +244,30 @@ crate::gas_schedule::macros::define_gas_parameters!(
         [bulletproofs_per_byte_rangeproof_deserialize: InternalGasPerByte, { 11.. => "bulletproofs.per_byte_rangeproof_deserialize" }, 121],
         // Bulletproofs gas parameters end.
 
+        // Bulletproofs batch verify gas parameters begin.
+        // Generated at time 1738614645.7369282 by `scripts/algebra-gas/update_bulletproofs_batch_verify_gas_params.py` with gas_per_ns=37.59.
+        [bulletproofs_verify_base_batch_1_bits_8: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_1_bits_8" }, 16_962_560],
+        [bulletproofs_verify_base_batch_1_bits_16: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_1_bits_16" }, 24_931_911],
+        [bulletproofs_verify_base_batch_1_bits_32: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_1_bits_32" }, 39_516_428],
+        [bulletproofs_verify_base_batch_1_bits_64: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_1_bits_64" }, 67_484_670],
+        [bulletproofs_verify_base_batch_2_bits_8: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_2_bits_8" }, 25_473_326],
+        [bulletproofs_verify_base_batch_2_bits_16: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_2_bits_16" }, 40_014_330],
+        [bulletproofs_verify_base_batch_2_bits_32: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_2_bits_32" }, 68_026_144],
+        [bulletproofs_verify_base_batch_2_bits_64: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_2_bits_64" }, 117_680_288],
+        [bulletproofs_verify_base_batch_4_bits_8: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_4_bits_8" }, 41_271_318],
+        [bulletproofs_verify_base_batch_4_bits_16: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_4_bits_16" }, 69_235_455],
+        [bulletproofs_verify_base_batch_4_bits_32: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_4_bits_32" }, 118_757_702],
+        [bulletproofs_verify_base_batch_4_bits_64: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_4_bits_64" }, 196_220_007],
+        [bulletproofs_verify_base_batch_8_bits_8: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_8_bits_8" }, 71_634_568],
+        [bulletproofs_verify_base_batch_8_bits_16: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_8_bits_16" }, 121_056_810],
+        [bulletproofs_verify_base_batch_8_bits_32: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_8_bits_32" }, 198_192_129],
+        [bulletproofs_verify_base_batch_8_bits_64: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_8_bits_64" }, 340_723_072],
+        [bulletproofs_verify_base_batch_16_bits_8: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_16_bits_8" }, 125_715_047],
+        [bulletproofs_verify_base_batch_16_bits_16: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_16_bits_16" }, 201_725_965],
+        [bulletproofs_verify_base_batch_16_bits_32: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_16_bits_32" }, 343_308_155],
+        [bulletproofs_verify_base_batch_16_bits_64: InternalGas, { RELEASE_V1_27.. => "bulletproofs.verify.base_batch_16_bits_64" }, 602_998_839],
+        // Bulletproofs batch verify gas parameters end.
+
         [type_info_type_of_base: InternalGas, "type_info.type_of.base", 1102],
         // TODO(Gas): the on-chain name is wrong...
         [type_info_type_of_per_byte_in_str: InternalGasPerByte, "type_info.type_of.per_abstract_memory_unit", 18],

diff --git a/aptos-move/aptos-release-builder/src/components/feature_flags.rs b/aptos-move/aptos-release-builder/src/components/feature_flags.rs
@@ -138,6 +138,7 @@ pub enum FeatureFlag {
     PermissionedSigner,
     AccountAbstraction,
     VMBinaryFormatV8,
+    BulletproofsBatchNatives,
 }
 
 fn generate_features_blob(writer: &CodeWriter, data: &[u64]) {
@@ -367,6 +368,7 @@ impl From<FeatureFlag> for AptosFeatureFlag {
             },
             FeatureFlag::PermissionedSigner => AptosFeatureFlag::PERMISSIONED_SIGNER,
             FeatureFlag::AccountAbstraction => AptosFeatureFlag::ACCOUNT_ABSTRACTION,
+            FeatureFlag::BulletproofsBatchNatives => AptosFeatureFlag::BULLETPROOFS_BATCH_NATIVES,
         }
     }
 }
@@ -523,6 +525,7 @@ impl From<AptosFeatureFlag> for FeatureFlag {
             },
             AptosFeatureFlag::PERMISSIONED_SIGNER => FeatureFlag::PermissionedSigner,
             AptosFeatureFlag::ACCOUNT_ABSTRACTION => FeatureFlag::AccountAbstraction,
+            AptosFeatureFlag::BULLETPROOFS_BATCH_NATIVES => FeatureFlag::BulletproofsBatchNatives,
         }
     }
 }

diff --git a/aptos-move/framework/README.md b/aptos-move/framework/README.md
@@ -50,14 +50,31 @@ To skip the Move prover tests, run:
 cargo test -- --skip prover
 ```
 
-To filter and run only the tests in specific packages (e.g., `aptos_stdlib`), run:
+To filter and run **all** the tests in specific packages (e.g., `aptos_stdlib`), run:
 
 ```
 cargo test -- aptos_stdlib --skip prover
 ```
 
 (See tests in `tests/move_unit_test.rs` to determine which filter to use; e.g., to run the tests in `aptos_framework` you must filter by `move_framework`.)
 
+To **filter by test name or module name** in a specific package (e.g., run the `test_empty_range_proof` in `aptos_stdlib::ristretto255_bulletproofs`), run:
+
+```
+TEST_FILTER="test_range_proof" cargo test -- aptos_stdlib --skip prover
+```
+
+Or, e.g., run all the Bulletproof tests:
+```
+TEST_FILTER="bulletproofs" cargo test -- aptos_stdlib --skip prover
+```
+
+To show the amount of time and gas used in every test, set env var `REPORT_STATS=1`.
+E.g.,
+```
+REPORT_STATS=1 TEST_FILTER="bulletproofs" cargo test -- aptos_stdlib --skip prover
+```
+
 Sometimes, Rust runs out of stack memory in dev build mode.  You can address this by either:
 1. Adjusting the stack size
 

diff --git a/aptos-move/framework/aptos-stdlib/doc/ristretto255_bulletproofs.md b/aptos-move/framework/aptos-stdlib/doc/ristretto255_bulletproofs.md
@@ -9,6 +9,10 @@ A Bulletproof-based zero-knowledge range proof is a proof that a Pedersen commit
 $c = v G + r H$ commits to an $n$-bit value $v$ (i.e., $v \in [0, 2^n)$). Currently, this module only supports
 $n \in \{8, 16, 32, 64\}$ for the number of bits.
 
+The module also supports batch range proofs, allowing verification of multiple commitments in a single proof.
+Each commitment in the batch must satisfy the same range constraint $v \in [0, 2^n)$, and the supported batch
+sizes are limited to $\{1, 2, 4, 8, 16\}$.
+
 
 -  [Struct `RangeProof`](#0x1_ristretto255_bulletproofs_RangeProof)
 -  [Constants](#@Constants_0)
@@ -17,7 +21,10 @@ $n \in \{8, 16, 32, 64\}$ for the number of bits.
 -  [Function `range_proof_to_bytes`](#0x1_ristretto255_bulletproofs_range_proof_to_bytes)
 -  [Function `verify_range_proof_pedersen`](#0x1_ristretto255_bulletproofs_verify_range_proof_pedersen)
 -  [Function `verify_range_proof`](#0x1_ristretto255_bulletproofs_verify_range_proof)
+-  [Function `verify_batch_range_proof_pedersen`](#0x1_ristretto255_bulletproofs_verify_batch_range_proof_pedersen)
+-  [Function `verify_batch_range_proof`](#0x1_ristretto255_bulletproofs_verify_batch_range_proof)
 -  [Function `verify_range_proof_internal`](#0x1_ristretto255_bulletproofs_verify_range_proof_internal)
+-  [Function `verify_batch_range_proof_internal`](#0x1_ristretto255_bulletproofs_verify_batch_range_proof_internal)
 -  [Specification](#@Specification_1)
     -  [Function `verify_range_proof_internal`](#@Specification_1_verify_range_proof_internal)
 
@@ -74,6 +81,16 @@ The native functions have not been rolled out yet.
 
 
 
+<a id="0x1_ristretto255_bulletproofs_E_BATCH_SIZE_NOT_SUPPORTED"></a>
+
+The range proof system only supports batch sizes of 1, 2, 4, 8, and 16.
+
+
+<pre><code><b>const</b> <a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_E_BATCH_SIZE_NOT_SUPPORTED">E_BATCH_SIZE_NOT_SUPPORTED</a>: u64 = 4;
+</code></pre>
+
+
+
 <a id="0x1_ristretto255_bulletproofs_E_DESERIALIZE_RANGE_PROOF"></a>
 
 There was an error deserializing the range proof.
@@ -104,6 +121,16 @@ The committed value given to the prover is too large.
 
 
 
+<a id="0x1_ristretto255_bulletproofs_E_VECTOR_LENGTHS_MISMATCH"></a>
+
+The vector lengths of values and blinding factors do not match.
+
+
+<pre><code><b>const</b> <a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_E_VECTOR_LENGTHS_MISMATCH">E_VECTOR_LENGTHS_MISMATCH</a>: u64 = 5;
+</code></pre>
+
+
+
 <a id="0x1_ristretto255_bulletproofs_MAX_RANGE_BITS"></a>
 
 The maximum range supported by the Bulletproofs library is $[0, 2^{64})$.
@@ -215,12 +242,10 @@ WARNING: The DST check is VERY important for security as it prevents proofs comp
 
 
 <pre><code><b>public</b> <b>fun</b> <a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_verify_range_proof_pedersen">verify_range_proof_pedersen</a>(com: &pedersen::Commitment, proof: &<a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_RangeProof">RangeProof</a>, num_bits: u64, dst: <a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;u8&gt;): bool {
-    <b>assert</b>!(<a href="../../move-stdlib/doc/features.md#0x1_features_bulletproofs_enabled">features::bulletproofs_enabled</a>(), <a href="../../move-stdlib/doc/error.md#0x1_error_invalid_state">error::invalid_state</a>(<a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_E_NATIVE_FUN_NOT_AVAILABLE">E_NATIVE_FUN_NOT_AVAILABLE</a>));
-
-    <a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_verify_range_proof_internal">verify_range_proof_internal</a>(
-        <a href="ristretto255.md#0x1_ristretto255_point_to_bytes">ristretto255::point_to_bytes</a>(&pedersen::commitment_as_compressed_point(com)),
+    <a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_verify_range_proof">verify_range_proof</a>(
+        pedersen::commitment_as_point(com),
         &<a href="ristretto255.md#0x1_ristretto255_basepoint">ristretto255::basepoint</a>(), &<a href="ristretto255.md#0x1_ristretto255_hash_to_point_base">ristretto255::hash_to_point_base</a>(),
-        proof.bytes,
+        proof,
         num_bits,
         dst
     )
@@ -265,6 +290,82 @@ for some randomness <code>r</code>) satisfies <code>v</code> in <code>[0, 2^num_
 
 
 
+</details>
+
+<a id="0x1_ristretto255_bulletproofs_verify_batch_range_proof_pedersen"></a>
+
+## Function `verify_batch_range_proof_pedersen`
+
+Verifies a zero-knowledge range proof for a batch of Pedersen commitments <code>comms</code>
+(under the default Bulletproofs commitment key; see <code>pedersen::new_commitment_for_bulletproof</code>),
+ensuring that all values <code>v</code> satisfy <code>v</code> in <code>[0, 2^num_bits)</code>.
+Only works for <code>num_bits</code> in <code>{8, 16, 32, 64}</code> and batch size (length of <code>comms</code>) in <code>{1, 2, 4, 8, 16}</code>.
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_verify_batch_range_proof_pedersen">verify_batch_range_proof_pedersen</a>(comms: &<a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;<a href="ristretto255_pedersen.md#0x1_ristretto255_pedersen_Commitment">ristretto255_pedersen::Commitment</a>&gt;, proof: &<a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_RangeProof">ristretto255_bulletproofs::RangeProof</a>, num_bits: u64, dst: <a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;u8&gt;): bool
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_verify_batch_range_proof_pedersen">verify_batch_range_proof_pedersen</a>(
+    comms: &<a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;pedersen::Commitment&gt;, proof: &<a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_RangeProof">RangeProof</a>,
+    num_bits: u64, dst: <a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;u8&gt;): bool
+{
+    <a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_verify_batch_range_proof">verify_batch_range_proof</a>(
+        &std::vector::map_ref(comms, |com| <a href="ristretto255.md#0x1_ristretto255_point_clone">ristretto255::point_clone</a>(pedersen::commitment_as_point(com))),
+        &<a href="ristretto255.md#0x1_ristretto255_basepoint">ristretto255::basepoint</a>(), &<a href="ristretto255.md#0x1_ristretto255_hash_to_point_base">ristretto255::hash_to_point_base</a>(),
+        proof,
+        num_bits,
+        dst
+    )
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_ristretto255_bulletproofs_verify_batch_range_proof"></a>
+
+## Function `verify_batch_range_proof`
+
+<code>v * val_base + r * rand_base</code>), ensuring that all values <code>v</code> satisfy
+<code>v</code> in <code>[0, 2^num_bits)</code>. Only works for <code>num_bits</code> in <code>{8, 16, 32, 64}</code> and batch size
+(length of the <code>comms</code>) in <code>{1, 2, 4, 8, 16}</code>.
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_verify_batch_range_proof">verify_batch_range_proof</a>(comms: &<a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;<a href="ristretto255.md#0x1_ristretto255_RistrettoPoint">ristretto255::RistrettoPoint</a>&gt;, val_base: &<a href="ristretto255.md#0x1_ristretto255_RistrettoPoint">ristretto255::RistrettoPoint</a>, rand_base: &<a href="ristretto255.md#0x1_ristretto255_RistrettoPoint">ristretto255::RistrettoPoint</a>, proof: &<a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_RangeProof">ristretto255_bulletproofs::RangeProof</a>, num_bits: u64, dst: <a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;u8&gt;): bool
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_verify_batch_range_proof">verify_batch_range_proof</a>(
+    comms: &<a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;RistrettoPoint&gt;,
+    val_base: &RistrettoPoint, rand_base: &RistrettoPoint,
+    proof: &<a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_RangeProof">RangeProof</a>, num_bits: u64, dst: <a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;u8&gt;): bool
+{
+    <b>assert</b>!(<a href="../../move-stdlib/doc/features.md#0x1_features_bulletproofs_batch_enabled">features::bulletproofs_batch_enabled</a>(), <a href="../../move-stdlib/doc/error.md#0x1_error_invalid_state">error::invalid_state</a>(<a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_E_NATIVE_FUN_NOT_AVAILABLE">E_NATIVE_FUN_NOT_AVAILABLE</a>));
+
+    <b>let</b> comms = std::vector::map_ref(comms, |com| <a href="ristretto255.md#0x1_ristretto255_point_to_bytes">ristretto255::point_to_bytes</a>(&<a href="ristretto255.md#0x1_ristretto255_point_compress">ristretto255::point_compress</a>(com)));
+
+    <a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_verify_batch_range_proof_internal">verify_batch_range_proof_internal</a>(
+        comms,
+        val_base, rand_base,
+        proof.bytes, num_bits, dst
+    )
+}
+</code></pre>
+
+
+
 </details>
 
 <a id="0x1_ristretto255_bulletproofs_verify_range_proof_internal"></a>
@@ -296,6 +397,39 @@ Aborts with <code><a href="../../move-stdlib/doc/error.md#0x1_error_invalid_argu
 
 
 
+</details>
+
+<a id="0x1_ristretto255_bulletproofs_verify_batch_range_proof_internal"></a>
+
+## Function `verify_batch_range_proof_internal`
+
+Aborts with <code><a href="../../move-stdlib/doc/error.md#0x1_error_invalid_argument">error::invalid_argument</a>(<a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_E_DESERIALIZE_RANGE_PROOF">E_DESERIALIZE_RANGE_PROOF</a>)</code> if <code>proof</code> is not a valid serialization of a
+range proof.
+Aborts with <code><a href="../../move-stdlib/doc/error.md#0x1_error_invalid_argument">error::invalid_argument</a>(<a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_E_RANGE_NOT_SUPPORTED">E_RANGE_NOT_SUPPORTED</a>)</code> if an unsupported <code>num_bits</code> is provided.
+Aborts with <code><a href="../../move-stdlib/doc/error.md#0x1_error_invalid_argument">error::invalid_argument</a>(<a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_E_BATCH_SIZE_NOT_SUPPORTED">E_BATCH_SIZE_NOT_SUPPORTED</a>)</code> if an unsupported batch size is provided.
+Aborts with <code><a href="../../move-stdlib/doc/error.md#0x1_error_invalid_argument">error::invalid_argument</a>(<a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_E_VECTOR_LENGTHS_MISMATCH">E_VECTOR_LENGTHS_MISMATCH</a>)</code> if the vector lengths of <code>comms</code> and <code>proof</code> do not match.
+
+
+<pre><code><b>fun</b> <a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_verify_batch_range_proof_internal">verify_batch_range_proof_internal</a>(comms: <a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;<a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;u8&gt;&gt;, val_base: &<a href="ristretto255.md#0x1_ristretto255_RistrettoPoint">ristretto255::RistrettoPoint</a>, rand_base: &<a href="ristretto255.md#0x1_ristretto255_RistrettoPoint">ristretto255::RistrettoPoint</a>, proof: <a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;u8&gt;, num_bits: u64, dst: <a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;u8&gt;): bool
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>native</b> <b>fun</b> <a href="ristretto255_bulletproofs.md#0x1_ristretto255_bulletproofs_verify_batch_range_proof_internal">verify_batch_range_proof_internal</a>(
+    comms: <a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;<a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;u8&gt;&gt;,
+    val_base: &RistrettoPoint,
+    rand_base: &RistrettoPoint,
+    proof: <a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;u8&gt;,
+    num_bits: u64,
+    dst: <a href="../../move-stdlib/doc/vector.md#0x1_vector">vector</a>&lt;u8&gt;): bool;
+</code></pre>
+
+
+
 </details>
 
 <a id="@Specification_1"></a>