-
Notifications
You must be signed in to change notification settings - Fork 32
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* feat: update 121 This update gives the results of the bulletproof+ audit. * fix: small typos
- Loading branch information
Showing
1 changed file
with
94 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,94 @@ | ||
| --- | ||
| layout: update | ||
| tag: Developer Update | ||
| date: 2023-10-31 | ||
| author: CjS77 | ||
| thumbnail: update-background.jpg | ||
| title: Tari's Bulletproofs+ audit is done! | ||
| subtitle: "Spoiler: It went pretty well." | ||
| class: subpage | ||
| --- | ||
|
|
||
| Tari uses an in-house implementation of the [Bulletproofs+](https://eprint.iacr.org/2020/735) range proving system to | ||
| provide proofs that every (confidential) output in the UTXO set has a value between 0 and 2<sup>64</sup> μMinotari. | ||
|
|
||
| This stops folks sending people negative amounts of Minotari, or trying other nefarious tricks to try and | ||
| inflate the Minotari supply in an undetectable way. | ||
|
|
||
| Bulletproofs plus improves substantially on the original range proof algorithm that was originally used in Monero. | ||
| Bulletproofs+, as the name suggests, provides a set of incremental improvements over Bulletproofs. | ||
|
|
||
| In particular, it supports: | ||
|
|
||
| - **Proof aggregation**. You can generate a proof containing multiple range assertions in an efficient way. | ||
| - **Extended commitments**. Commitments may contain multiple masks. | ||
| - **Batch verification**. Verifying a set of multiple proofs is extremely fast. | ||
| - **Minimum value promises**. You can prove that a commitment binds to at least a specified value. | ||
| - **Mask extraction**. If the prover and verifier agree on a shared secret, the verifier can use it to recover the mask | ||
| used for the commitment in a non-aggregated proof. | ||
|
|
||
| Compared to an [updated fork](https://github.com/tari-project/bulletproofs) of | ||
| the `dalek-cryptography` [Bulletproofs](https://github.com/dalek-cryptography/bulletproofs) implementation, this | ||
| Bulletproofs+ implementation is: | ||
|
|
||
| - **Smaller**. Regardless of the aggregation factor, a Bulletproofs+ proof is 96 bytes shorter. | ||
| - **Faster to generate proofs**. This implementation generates a non-aggregated 64-bit range proof about 10% faster, | ||
| with similar speedups for aggregated proofs. In fact, we're fairly sure that Tari BP+ implementation is now the | ||
| _fastest trustless range proof system in the world_. | ||
| - **Faster to verify single proofs**. This implementation verifies a single 64-bit range proof about 15% faster. | ||
| - **Slower to verify aggregated proofs**. This implementation verifies aggregated proofs more slowly. You can't win | ||
| 'em all. | ||
| - **Faster to verify batched proofs**. Because this implementation supports batching, its marginal verification time for | ||
| a single 64-bit range proof can be reduced to _under half_ the corresponding non-batched time. | ||
|
|
||
| ## The audit | ||
|
|
||
| The [Tari bulletproof+ library](https://github.com/tari-project/bulletproofs-plus) is a fairly small piece of Rust | ||
| code, but the math behind it is pretty complex. A bug in this code could lead to some catastrophic consequences for the | ||
| Tari network. For this reason, we decided to partner with [Quarkslab](https://www.quarkslab.com/) to perform a | ||
| thorough review of the code and verify the correctness of the implementation. | ||
|
|
||
| The audit was carried out between August and October 2023 and took around 4 weeks in total. | ||
|
|
||
| You can | ||
|
|
||
| * read the | ||
| **[full report](https://github.com/tari-project/bulletproofs-plus/blob/main/docs/quarkslab-audit/report.pdf)** | ||
| * and read **Tari Labs' | ||
| [responses](https://github.com/tari-project/bulletproofs-plus/blob/main/docs/quarkslab-audit/README.md)** to the | ||
| findings | ||
|
|
||
| in the Github repository. | ||
|
|
||
| ## I'm not reading an 80-page report! Just give me the results! | ||
|
|
||
| Overall, the audit went very well. | ||
|
|
||
| The auditors found that the implementation was faithful to the underlying theory and that the optimisations were | ||
| cryptographically valid. | ||
|
|
||
| There was 1 `LOW` severity issue related to a dependency of the library that is no longer being maintained. | ||
|
|
||
| There were also two `INFORMATIONAL` level findings: | ||
| * One was related to the library depending on a fork of the Dalek Ristretto library that has fallen a little out of | ||
| date behind the main library. This is currently being addressed. | ||
| * The second informational issue was related to potential arithmetic overflow instances in parts of the code. These | ||
| issues have already been addressed and [resolved](https://github.com/tari-project/bulletproofs-plus/pull/62) in the | ||
| latest version of the library. | ||
|
|
||
| ## Acknowledgements | ||
|
|
||
| This is a terrific result and is largely the work of long-time Tari contributors Aaron Feickert and Hansie Odendaal. | ||
|
|
||
| ## What's next? | ||
|
|
||
| The main Tari base node audit is wrapping up and the final report is due in the next few weeks. | ||
|
|
||
| We're also waiting on the final report of the Aurora wallet penetration test. | ||
|
|
||
| We will be announcing the results of those reviews in due course. | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|