tari_bulletproofs_plus 0.3.2

A smaller, faster implementation of Bulletproofs


# Tari Bulletproofs+

A speedy implementation of the [Bulletproofs+](https://eprint.iacr.org/2020/735) range proving system that does fun tricks.

In particular, it supports:
- **Proof aggregation**. You can generate a proof containing multiple range assertions in an efficient way.
- **Extended commitments**. Commitments may contain multiple masks.
- **Batch verification**. Verifying a set of multiple proofs is extremely fast.
- **Minimum value promises**. You can additionally prove that a commitment binds to at least a specified value.
- **Mask extraction**. If the prover and verifier agree on a shared secret, the verifier can use it to recover the mask used for the commitment in a non-aggregated proof.

Compared to an [updated fork](https://github.com/tari-project/bulletproofs) of the `dalek-cryptography` [Bulletproofs](https://github.com/dalek-cryptography/bulletproofs) implementation, this Bulletproofs+ implementation is:
- **Smaller**. Regardless of the aggregation factor, a Bulletproofs+ proof is 96 bytes shorter.
- **Faster to generate proofs**. This implementation generates a non-aggregated 64-bit range proof about 10% faster, with similar speedups for aggregated proofs.
- **Slower to verify single proofs**. While this implementation verifies a single 64-bit range proof in comparable time, it verifies aggregated proofs more slowly.
- **Faster to verify batched proofs**. Because this implementation supports batching, its marginal verification time for a single 64-bit range proof can be reduced to under half the corresponding non-batched time.

As always, your mileage may vary.

## References

This implementation takes its cue from the `dalek-cryptography` [Bulletproofs](https://github.com/dalek-cryptography/bulletproofs) implementation, as well as the Monero [Bulletproofs+](https://www.getmonero.org/2020/12/24/Bulletproofs+-in-Monero.html) implementation.

Several of the features and optimizations used in this implementation are described in [Tari RFC-0181](https://rfc.tari.com/RFC-0181_BulletproofsPlus.html).

## Copyright

All original source code files are marked with
```
Copyright 2022 The Tari Project
SPDX-License-Identifier: BSD-3-Clause
```
All re-used and/or adapted `dalek-cryptography` source code files are marked with
```
Copyright 2022 The Tari Project
SPDX-License-Identifier: BSD-3-Clause
  Modified from:
    Copyright (c) 2018 Chain, Inc.
    SPDX-License-Identifier: MIT
```