> Our arguments achieve 6.6× and 11.4×

improvement in proving and verification efficiency for 𝑁 = 64, respectively, while

incurring only 50% additional communication cost

UkoeHB:

kayabanerve[m]: are these a bulletproofs replacement?

ok, yes, should have looked at the paper :P

Yes

so basically we would have to check how it comapres to Bulletproofs++

+ and ++ were size savings on original IIRC

I don't believe they changed perf

not only size, see monero-project/research-lab #101

So sure, its not only 50℅ but will be 60℅ or whatever

Interesting

I get roughly the same results for 2 outputs

hmm

Ah. I used a dumb mode. Base 16 shared has a massive fixed cost

51 for BP++

279 for BP+ base 16 inline

277 for BP+ binary

Looks to be 5x for 2 outputs?

This is claiming 11.4x BUT that may be for just one output

I find it hard to believe the verifier can use fewer than N exponentiations

although it's true with BP batching you can amortize to fewer than N per range proof..

I think?

UkoeHB: While I won't say this is reviewed, I will say Eagen is potentially revolutionary at this topic

they have a lot of extremely performant ideas

this isn't an eagen paper

I also didn't cite its performance here other than a multiplier

> <@kayabanerve:matrix.org> 51 for BP++... (full message at <libera.ems.host/_matrix/media/r0/do…4e0f651d3448c70861391d46bb36b06b31b>)

I'm not sure flash proofs can be batched

*though yes, this claims just 30 ops for a range proof of 64 bits

So this also claims <N

kayabanerve[m]: I'm sure we could have it technically do a 128 bit proof, which may still be <51? But we'd be limited to just 3 outputs in an extremely weird system

Page 19 discusses aggregation

It's written as 16 outputs taking ~320 operations. I'd have to check how well BP++ does there

BP++ wins at 16 with 295. It's also only slightly slower at the one output level

So looks like BP++ remains the path, but this is definitely interesting

kayabanerve[m]: back in 2019/2020 monero had 94% of txs as 1/2-in 2-out txs

would be nice to see some concrete benchmarks, nothing much I personally can do with the paper