Why we dont upgrade and implement Bulletproofs+ as a replacement for the current Bulletproofs system in Grin?. This would require a consensus hard fork, but delivers concrete, measurable improvements to proof size, verification speed, and chain growth and with minimal protocol complexity increase.
A standard Grin transaction with 1 input and 2 outputs is roughly 1,600 bytes. Of that, the two Bulletproof range proofs (~675 bytes each) account for 84% of the transaction size. Range proof verification is also the most CPU-expensive operation during sync and roughly 235x slower than a signature verification on the same hardware.
This means range proof efficiency is the single highest-leverage optimization target in the entire protocol. Even modest improvements compound significantly over time.
Bulletproofs+ improves on the original Bulletproofs in three measurable ways:
1. Smaller proofs: 96 bytes saved per proof, every proof, forever
| Outputs per tx | Current BP (bytes) | BP+ (bytes) | Savings |
|—|—|—|—|
| 1 | ~674 | ~576 | 96 bytes (14.3%) |
| 2 | ~738 | ~642 | 96 bytes (13.0%) |
| 4 | ~804 | ~708 | 96 bytes (11.9%) |
| 16 | ~936 | ~840 | 96 bytes (10.3%) |
The 96-byte reduction is constant regardless of aggregation. For a typical 2-output transaction, total transaction size drops from ~1,600 bytes to ~1,408 bytes , a 12% reduction in transaction size.
Projected chain savings assuming current network activity (~60 tx/block):
-
~16.9 MB/day less chain growth
-
~6.2 GB/year less storage
-
Every unspent output in the UTXO set carries its proof, so the savings compound
2. Faster verification
Based on Monero’s production benchmarks and Tari’s audited Rust implementation:
-
Single proof verification: ~15-17% faster
-
Proof generation (2-output, most common): ~10% faster
-
Batch verification: comparable or slightly better than current BP
For initial block download and ongoing sync, this directly translates to reduced sync time. Combined with PIBD, the new-node experience improves meaningfully.
Bulletproofs+ preserves all the properties we rely on:
-
No trusted setup (transparent)
-
Based on the discrete log assumption (same as current BP)
-
Supports aggregated range proofs
-
Supports batch verification
-
Non-interactive (Fiat-Shamir)
-
Compatible with Pedersen commitments on secp256k1
This is not experimental cryptography. Bulletproofs+ has been:
-
Deployed in Monero since their hard fork upgrade
-
Audited by ZenGo X (Monero’s C implementation, Feb 2021)
-
Audited by Quarkslab (Tari’s Rust implementation)
-
Implemented by Tari in a clean, well-documented Rust crate (
tari-project/bulletproofs-plus)
We’re not pioneering here , we’re adopting proven technology that two other projects have already validated.