3 unstable releases

0.3.2 Aug 7, 2023
0.3.1 Jul 18, 2023
0.2.3 Apr 3, 2023

#2572 in Magic Beans

3,337 downloads per month
Used in 3 crates (via tari_crypto)

BSD-3-Clause

145KB
3K SLoC

Tari Bulletproofs+

A speedy implementation of the Bulletproofs+ range proving system that does fun tricks.

In particular, it supports:

  • Proof aggregation. You can generate a proof containing multiple range assertions in an efficient way.
  • Extended commitments. Commitments may contain multiple masks.
  • Batch verification. Verifying a set of multiple proofs is extremely fast.
  • Minimum value promises. You can additionally prove that a commitment binds to at least a specified value.
  • Mask extraction. If the prover and verifier agree on a shared secret, the verifier can use it to recover the mask used for the commitment in a non-aggregated proof.

Compared to an updated fork of the dalek-cryptography Bulletproofs implementation, this Bulletproofs+ implementation is:

  • Smaller. Regardless of the aggregation factor, a Bulletproofs+ proof is 96 bytes shorter.
  • Faster to generate proofs. This implementation generates a non-aggregated 64-bit range proof about 10% faster, with similar speedups for aggregated proofs.
  • Slower to verify single proofs. While this implementation verifies a single 64-bit range proof in comparable time, it verifies aggregated proofs more slowly.
  • Faster to verify batched proofs. Because this implementation supports batching, its marginal verification time for a single 64-bit range proof can be reduced to under half the corresponding non-batched time.

As always, your mileage may vary.

References

This implementation takes its cue from the dalek-cryptography Bulletproofs implementation, as well as the Monero Bulletproofs+ implementation.

Several of the features and optimizations used in this implementation are described in Tari RFC-0181.

All original source code files are marked with

Copyright 2022 The Tari Project
SPDX-License-Identifier: BSD-3-Clause

All re-used and/or adapted dalek-cryptography source code files are marked with

Copyright 2022 The Tari Project
SPDX-License-Identifier: BSD-3-Clause
  Modified from:
    Copyright (c) 2018 Chain, Inc.
    SPDX-License-Identifier: MIT

Dependencies

~3.5–5MB
~90K SLoC