Tari Bulletproofs+

A speedy implementation of the Bulletproofs+ range proving system that does fun tricks.

In particular, it supports:

- Proof aggregation. You can generate a proof containing multiple range assertions in an efficient way.
- Extended commitments. Commitments may contain multiple masks.
- Batch verification. Verifying a set of multiple proofs is extremely fast.
- Minimum value promises. You can additionally prove that a commitment binds to at least a specified value.
- Mask extraction. If the prover and verifier agree on a shared secret, the verifier can use it to recover the mask used for the commitment in a non-aggregated proof.

Compared to an updated fork of the dalek-cryptography Bulletproofs implementation, this Bulletproofs+ implementation is:

- Smaller. Regardless of the aggregation factor, a Bulletproofs+ proof is 96 bytes shorter.
- Faster to generate proofs. This implementation generates a non-aggregated 64-bit range proof about 10% faster, with similar speedups for aggregated proofs.
- Slower to verify single proofs. While this implementation verifies a single 64-bit range proof in comparable time, it verifies aggregated proofs more slowly.
- Faster to verify batched proofs. Because this implementation supports batching, its marginal verification time for a single 64-bit range proof can be reduced to under half the corresponding non-batched time.

As always, your mileage may vary.

References

This implementation takes its cue from the dalek-cryptography Bulletproofs implementation, as well as the Monero Bulletproofs+ implementation.

Several of the features and optimizations used in this implementation are described in Tari RFC-0181.

Copyright

All original source code files are marked with:

    Copyright 2022 The Tari Project
    SPDX-License-Identifier: BSD-3-Clause

All re-used and/or adapted dalek-cryptography source code files are marked with:

    Copyright 2022 The Tari Project
    SPDX-License-Identifier: BSD-3-Clause

    Modified from:
    Copyright (c) 2018 Chain, Inc.
    SPDX-License-Identifier: MIT