Intuitions Behind the Range Proofs of Bulletproof
In this video I quickly go over the amazing post from the dalek implementation of Bulletproofs, which itself goes over the range proof protocol of Bulletproofs: Short Proofs for Confidential Transactions and More.
Note that if you don’t know what bulletproof or IPA are, you can check my previous writing on the subject.
To summarize, the way I see the rangeproof protocol built on top of bulletproof/IPA is that you’re proving execution of a circuit with:
- input := a (hiding) commitment to the bits of , and an intermediary value
- expected output := something based on , the (hiding) commitment to
If you can prove the execution of that circuit correctly (it essentially checks that values are bits, and that they are the correct bit decomposition of ), then you have convinced the verifier that is n-bit. The computation is compressed into that inner product, where:
- are intermediary values in our circuit, computed from and respectively to embody the circuit logic (unlike other intermediary values, these can be computed by the verifier directly)
- is an intermediary value that contains the expected output, so we need to prove how it connects with the expected output
The proof that the inner product itself is delegated to the IPA proof system, so most of the complexity lies in understanding how the intermediary variables are calculated and how they connect (the blinding is what makes this more complicated).
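To make the connection between the bit constraints, the intermediary vectors and the single inner product concrete, here is an added example that is mine, not code from the post or from dalek. It follows the paper's notation (aL = bits of the value, aR = aL - 1, l and r the intermediary vectors, t = <l, r>, challenges y and z) and assumes a 64-bit range and the Ristretto scalar field order as modulus; the blinding vectors, the polynomial in x and the commitments are left out, so it checks the witness algebra rather than producing a zero-knowledge proof.

```python
import secrets

P = 2**252 + 27742317777372353535851937790883648493  # assumed modulus: Ristretto scalar order
N = 64  # assumed range: v in [0, 2^64)

def inner(a, b):
    return sum(x * y for x, y in zip(a, b)) % P

def powers(base, n):
    out, acc = [], 1
    for _ in range(n):
        out.append(acc)
        acc = acc * base % P
    return out

def bit_vectors(v, n=N):
    """aL = little-endian bits of v; aR = aL - 1^n mod P, so each aR entry is 0 or -1."""
    aL = [(v >> i) & 1 for i in range(n)]
    aR = [(b - 1) % P for b in aL]
    return aL, aR

def constraints_hold(aL, aR, v, n=N):
    """The three plain statements the range-proof circuit encodes."""
    return (all(l * r % P == 0 for l, r in zip(aL, aR))          # each aL[i] is 0 or 1
            and all((l - r) % P == 1 for l, r in zip(aL, aR))    # aR really is aL - 1
            and inner(aL, powers(2, n)) == v % P)                # the bits recompose to v

def lr_vectors(aL, aR, y, z, n=N):
    """Fold the three constraints into one inner product with the verifier's challenges:
    l = aL - z*1^n ; r = y^n o (aR + z*1^n) + z^2 * 2^n  (both computable from aL, aR)."""
    yn, two_n = powers(y, n), powers(2, n)
    l = [(a - z) % P for a in aL]
    r = [(yi * (b + z) + z * z * ti) % P for yi, b, ti in zip(yn, aR, two_n)]
    return l, r

def delta(y, z, n=N):
    """delta(y,z) = (z - z^2)<1^n, y^n> - z^3<1^n, 2^n>: the verifier computes this alone."""
    return ((z - z * z) * sum(powers(y, n)) - pow(z, 3, P) * (2**n - 1)) % P

def folded_check(v, y, z, n=N):
    """Identity the verifier relies on: <l, r> == z^2 * v + delta(y, z) holds for a valid
    witness, and fails for an invalid one except with negligible probability over y, z."""
    aL, aR = bit_vectors(v, n)
    l, r = lr_vectors(aL, aR, y, z, n)
    t = inner(l, r)  # the single scalar whose correctness is handed to the IPA
    return t == (z * z * v + delta(y, z, n)) % P

def random_challenge():
    return secrets.randbelow(P - 1) + 1
```

Passing a value at or above 2^64 to folded_check shows why the circuit matters: the truncated bit vector no longer recomposes to v, and the folded inner product misses z^2 * v + delta(y, z).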