June 24, 2022
...so, what is different?
Tari Bulletproofs+ (BP+) implements Bulletproofs+: Shorter Proofs for Privacy-Enhanced Distributed Ledger, derived from the original Bulletproofs (BP) work, Bulletproofs: Short Proofs for Confidential Transactions and More. Bulletproofs+ shaves 96 bytes off range proofs.
Thanks to batch verification, range proof verification is also more efficient. (See our benchmarks).
Let us remind ourselves what the primary use case for BP (and now BP+) is on the Tari blockchain. Our tokens are essentially Pedersen Commitments, e.g. C(v,k) = (v.H + k.G), with v being the value and k being the blinding factor or spending key. We need to provide proof for any interested verifier, like a base node, that the value of our token is not less than zero. If negative values were allowed, we would be able to inflate the mined base layer tokens or tXTR. Such a proof is called a range proof.
Similar to BP, BP+ also supports rewinding the proof for wallet recovery.
We can also aggregate range proofs (in batches of 2^n, i.e. 2, 4, 8, 16 etc.), but rewinding only works for non-aggregated proofs.
Our implementation of BP+ range proofs also offers the ability to prove an arbitrary minimum value other than zero. This feature is also possible with standard Bulletproofs, but is something that we’re explicitly adding to BP+ to enable required features of the Tari DAN, such as collateral proofs. Lastly, our implementation of BP+ is compatible with extended commitments. This enables us to package additional tokens apart from the base layer token, tXTR, into a single UTXO.
If we add two base points to the default Pedersen Commitment, we get an extended Pedersen Commitment defined as C(v,k1,k2,k3) = (v.H + k1.G1 + k2.G2 + k3.G3). In this case, v is the value, k1 is the blinding factor or spending key, and k2 and k3 add two additional dimensions such as an asset ID and serial number. Mind-boggling, and this is really a topic for a future blog post.
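To make the range-proof requirement described earlier concrete, here is an added Python example (not code from the Tari implementation): from commitments alone a verifier can only check that inputs and outputs balance, and a value of -5 wraps around the group order and still balances. It uses a constructed toy group modulo 1019 written multiplicatively, so v.H + k.G becomes H^v * G^k. The names commit, add, balances, in_range and demo are assumptions for this illustration, and in_range inspects the value directly where a real BP+ proof establishes the same statement without revealing it.

```python
# Added illustration: toy Pedersen commitments in a small prime-order group.
# All parameters are constructed for readability and offer no security.
P = 1019          # safe prime, P = 2*Q + 1
Q = 509           # prime order of the subgroup of squares mod P
H = 9             # value generator (a square mod P)
G = (4, 25, 49)   # blinding generators G1, G2, G3 (squares mod P)


def commit(v, *ks):
    """Multiplicative form of C = v.H + k1.G1 + k2.G2 + k3.G3.
    Passing a single k gives the default commitment C(v,k)."""
    c = pow(H, v % Q, P)
    for g, k in zip(G, ks):
        c = c * pow(g, k % Q, P) % P
    return c


def add(*commitments):
    """Homomorphic sum of commitments (a product in this multiplicative toy)."""
    total = 1
    for c in commitments:
        total = total * c % P
    return total


def balances(inputs, outputs):
    """All a verifier can check from commitments alone: sum(in) == sum(out)."""
    return add(*inputs) == add(*outputs)


def in_range(v, bits=4, minimum=0):
    """The statement a range proof establishes: minimum <= v < 2**bits."""
    return minimum <= v < 2 ** bits


def demo():
    spent = commit(10, 77)                 # one input worth 10
    honest = [(7, 30), (3, 47)]            # 7 + 3 = 10, blinding 30 + 47 = 77
    forged = [(15, 30), (-5 % Q, 47)]      # 15 + (-5) = 10, but -5 wraps to 504
    report = {}
    for name, outs in (("honest", honest), ("forged", forged)):
        ok_sum = balances([spent], [commit(v, k) for v, k in outs])
        ok_range = all(in_range(v) for v, _ in outs)
        report[name] = (ok_sum, ok_range)
    return report


if __name__ == "__main__":
    print(demo())
```

The forged outputs pass the balance check while handing out 15 units from an input of 10; only the range statement on each output rejects them.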