23:25:30 <philogy> Hey so I'm trying to understand why the constraints are combined the way they are in the bulletproof range proofs. So we have following constraints: 23:25:30 <philogy> <a_L, 2^n> = v 23:25:30 <philogy> <a_L - 1 - a_R, y^n> = 0 23:25:30 <philogy> <a_L, a_R * y^n> = 0 23:25:30 <philogy> => z^2 * v = z^2 * <a_L, 2^n> + z * <a_L - 1 - a_R, y^n> + <a_L, a_R * y^n> 23:25:30 <philogy> Why a polynomial? Why couldn't one just simply add or multiply them together 23:26:17 <philogy> Trying to gain an in depth understanding of bulletproofs, any help would be much appreciated :D 23:32:21 <kenshamir[m]> <philogy "Why a polynomial? Why couldn't o"> This seems a bit vague, maybe expand for when help arrives? 23:33:13 <kenshamir[m]> For example, it’s not clear what “them” is referring to 23:34:49 <kenshamir[m]> To give a general overview, a rangeproof usually works on the fact that a particular number can be represented with X amount of bits 23:35:00 <philogy> So my question why is the challenge z is introduced. With them I mean the constraints. So why isn't it: 23:35:00 <philogy> v = <a_L, 2^n> + <a_L - 1 - a_R, y^n> + <a_L, a_R * y^n> 23:35:00 <philogy> instead of 23:35:00 <philogy> z^2 * v = z^2 * <a_L, 2^n> + z * <a_L - 1 - a_R, y^n> + <a_L, a_R * y^n> 23:35:23 <kenshamir[m]> Ohh 23:36:29 <philogy> kenshamir[m]: yeah I think I'm at the point where I understand the general approach (kind of the recursive reduction still confuses me) but I'm trying to understand why certain equations are setup the way they are 23:36:36 <kenshamir[m]> Because when you are combing statements, you need to make sure that the prover cannot manipúlate the final value by cancelling parts out 23:37:03 <kenshamir[m]> For example if you take this equation 23:37:10 <kenshamir[m]> X = Y 23:37:53 <kenshamir[m]> If X really does equal to Y, then multiplying each side by a random challenge will not change that fact 23:39:21 <kenshamir[m]> Hmm I don’t think there is always recursion for a general rangeproof, there is in bulletproofs AFAIK 23:39:39 <kenshamir[m]> Each equation should map to a statement 23:40:38 <kenshamir[m]> For understanding, you can ignore the random challenges, as they are there for soundness 23:41:15 <kenshamir[m]> * For understanding, you can ignore the random challenges, as they are there for soundness against something like a dishonest prover 23:42:59 <kenshamir[m]> The random challenge concept is used a lot by the way in crypto. I think the “rogue key attack” is quite well documented and also shows what happens when you allow “things” to be aggregated without a random challenge 23:46:46 <kenshamir[m]> <philogy "kenshamir: yeah I think I'm at t"> Going to pop off in about 10 minutes, but taking your first equation: 23:47:17 <kenshamir[m]> Any number that can be bit decomposed into N bits must lie between 0 and 2^N-1 23:48:20 <kenshamir[m]> The thing is that the prover has not shown us that the ALs are bits. He could trivially make AL_0 = v and then make the rest of the terms 0 23:50:15 <philogy> but that's what the a_R * a_L = 0 constraint is for, no? 23:59:14 <kenshamir[m]> <philogy "but that's what the a_R * a_L = "> Yep exactly 23:59:50 <kenshamir[m]> You then combine all of the equations together using random challenges