23:25:30 <philogy> Hey so I'm trying to understand why the constraints are combined the way they are in the bulletproof range proofs. So we have following constraints:
23:25:30 <philogy> <a_L, 2^n> = v
23:25:30 <philogy> <a_L - 1 - a_R, y^n> = 0
23:25:30 <philogy> <a_L, a_R * y^n> = 0
23:25:30 <philogy> => z^2 * v = z^2 * <a_L, 2^n>  + z * <a_L - 1 - a_R, y^n> + <a_L, a_R * y^n>
23:25:30 <philogy> Why a polynomial? Why couldn't one just simply  add or multiply them together
23:26:17 <philogy> Trying to gain an in depth understanding of bulletproofs, any help would be much appreciated :D
23:32:21 <kenshamir[m]> <philogy "Why a polynomial? Why couldn't o"> This seems a bit vague, maybe expand for when help arrives?
23:33:13 <kenshamir[m]> For example, it’s not clear what “them” is referring to
23:34:49 <kenshamir[m]> To give a general overview, a rangeproof usually works on the fact that a particular number can be represented with X amount of bits
23:35:00 <philogy> So my question why is the challenge z is introduced. With them I mean the constraints. So why isn't it:
23:35:00 <philogy>  v =  <a_L, 2^n>  + <a_L - 1 - a_R, y^n> + <a_L, a_R * y^n>
23:35:00 <philogy> instead of
23:35:00 <philogy> z^2 * v = z^2 * <a_L, 2^n>  + z * <a_L - 1 - a_R, y^n> + <a_L, a_R * y^n>
23:35:23 <kenshamir[m]> Ohh
23:36:29 <philogy> kenshamir[m]: yeah I think I'm at the point where I understand the general approach (kind of the recursive reduction still confuses me) but I'm trying to understand why certain equations are setup the way they are
23:36:36 <kenshamir[m]> Because when you are combing statements, you need to make sure that the prover cannot manipúlate the final value by cancelling parts out
23:37:03 <kenshamir[m]> For example if you take this equation
23:37:10 <kenshamir[m]> X = Y
23:37:53 <kenshamir[m]> If X really does equal to Y, then multiplying each side by a random challenge will not change that fact
23:39:21 <kenshamir[m]> Hmm I don’t think there is always recursion for a general rangeproof,  there is in bulletproofs AFAIK
23:39:39 <kenshamir[m]> Each equation should map to a statement
23:40:38 <kenshamir[m]> For understanding, you can ignore the random challenges, as they are there for soundness
23:41:15 <kenshamir[m]> * For understanding, you can ignore the random challenges, as they are there for soundness against something like a dishonest prover
23:42:59 <kenshamir[m]> The random challenge concept is used a lot by the way in crypto. I think the “rogue key attack” is quite well documented and also shows what happens when you allow “things” to be aggregated without a random challenge
23:46:46 <kenshamir[m]> <philogy "kenshamir: yeah I think I'm at t"> Going to pop off in about 10 minutes, but taking your first equation:
23:47:17 <kenshamir[m]> Any number that can be bit decomposed into N bits must lie between 0 and 2^N-1
23:48:20 <kenshamir[m]> The thing is that the prover has not shown us that the ALs are bits. He could trivially make AL_0 = v and then make the rest of the terms 0
23:50:15 <philogy> but that's what the a_R * a_L = 0 constraint is for, no?
23:59:14 <kenshamir[m]> <philogy "but that's what the a_R * a_L = "> Yep exactly
23:59:50 <kenshamir[m]> You then combine all of the equations together using random challenges