A speedy implementation of the Bulletproofs+ range proving system that does fun tricks.
In particular, it supports:
- Proof aggregation. You can generate a proof containing multiple range assertions in an efficient way.
- Extended commitments. Commitments may contain multiple masks.
- Batch verification. Verifying a set of multiple proofs is extremely fast.
- Minimum value promises. You can prove that a commitment binds to at least a specified value.
- Mask extraction. If the prover and verifier agree on a shared secret, the verifier can use it to recover the mask used for the commitment in a non-aggregated proof.
Compared to an updated fork of the dalek-cryptography Bulletproofs implementation, this Bulletproofs+ implementation is:
- Smaller. Regardless of the aggregation factor, a Bulletproofs+ proof is 96 bytes shorter.
- Faster to generate proofs. This implementation generates a non-aggregated 64-bit range proof about 10% faster, with similar speedups for aggregated proofs.
- Faster to verify single proofs. This implementation verifies a single 64-bit range proof about 15% faster.
- Slower to verify aggregated proofs. This implementation verifies aggregated proofs more slowly.
- Faster to verify batched proofs. Because this implementation supports batching, its marginal verification time for a single 64-bit range proof can be reduced to under half the corresponding non-batched time.
As always, your mileage may vary.
This library underwent a code audit by Quarkslab at a specific point in the repository history. You can read the report and issue responses in this repository.
Unit tests are available via cargo test. Basic fuzz testing can be run (on a nightly toolchain) via cargo fuzz.
This implementation takes its cue from the dalek-cryptography Bulletproofs implementation, as well as the Monero Bulletproofs+ implementation.
Several of the features and optimizations used in this implementation are described in Tari RFC-0181.
All original source code files are marked with
Copyright 2022 The Tari Project
SPDX-License-Identifier: BSD-3-Clause
All re-used and/or adapted dalek-cryptography source code files are marked with
Copyright 2022 The Tari Project
SPDX-License-Identifier: BSD-3-Clause
Modified from:
Copyright (c) 2018 Chain, Inc.
SPDX-License-Identifier: MIT