#range-proof #bulletproofs #generator #commitment #aggregated #random #byte

no-std tari_bulletproofs_plus

A smaller faster implementation of Bulletproofs

4 releases (2 breaking)

0.4.0 May 7, 2024
0.3.2 Aug 7, 2023
0.3.1 Jul 18, 2023
0.2.3 Apr 3, 2023

#827 in Magic Beans

Download history 786/week @ 2024-01-26 996/week @ 2024-02-02 850/week @ 2024-02-09 650/week @ 2024-02-16 783/week @ 2024-02-23 996/week @ 2024-03-01 1216/week @ 2024-03-08 867/week @ 2024-03-15 864/week @ 2024-03-22 818/week @ 2024-03-29 614/week @ 2024-04-05 948/week @ 2024-04-12 946/week @ 2024-04-19 711/week @ 2024-04-26 940/week @ 2024-05-03 556/week @ 2024-05-10

3,287 downloads per month
Used in 3 crates (via tari_crypto)



Build Coverage Status

Tari Bulletproofs+

A speedy implementation of the Bulletproofs+ range proving system that does fun tricks.

In particular, it supports:

  • Proof aggregation. You can generate a proof containing multiple range assertions in an efficient way.
  • Extended commitments. Commitments may contain multiple masks.
  • Batch verification. Verifying a set of multiple proofs is extremely fast.
  • Minimum value promises. You can prove that a commitment binds to at least a specified value.
  • Mask extraction. If the prover and verifier agree on a shared secret, the verifier can use it to recover the mask used for the commitment in a non-aggregated proof.

Compared to an updated fork of the dalek-cryptography Bulletproofs implementation, this Bulletproofs+ implementation is:

  • Smaller. Regardless of the aggregation factor, a Bulletproofs+ proof is 96 bytes shorter.
  • Faster to generate proofs. This implementation generates a non-aggregated 64-bit range proof about 10% faster, with similar speedups for aggregated proofs.
  • Faster to verify single proofs. This implementation verifies a single 64-bit range proof about 15% faster.
  • Slower to verify aggregated proofs. This implementaiton verifies aggregated proofs more slowly.
  • Faster to verify batched proofs. Because this implementation supports batching, its marginal verification time for a single 64-bit range proof can be reduced to under half the corresponding non-batched time.

As always, your mileage may vary.

This library underwent a code audit by Quarkslab at a specific point in the repository history. You can read the report and issue responses in this repository.


The library is #![no_std]-friendly when default features are disabled.

The (default) rand feature adds prover and verifier functionality using the OsRng random number generator. If it is not enabled, you must supply your own cryptographically-secure random number generator.

The (default) std feature enables corresponding functionality in dependencies.


Unit tests are available via cargo test. Basic fuzz testing can be run (on a nightly toolchain) via cargo fuzz.


This implementation takes its cue from the dalek-cryptography Bulletproofs implementation, as well as the Monero Bulletproofs+ implementation.

Several of the features and optimizations used in this implementation are described in Tari RFC-0181.

All original source code files are marked with

Copyright 2022 The Tari Project
SPDX-License-Identifier: BSD-3-Clause

All re-used and or adapted dalek-cryptography source code files are marked with

Copyright 2022 The Tari Project
SPDX-License-Identifier: BSD-3-Clause
  Modified from:
    Copyright (c) 2018 Chain, Inc.
    SPDX-License-Identifier: MIT


~103K SLoC