Bulletproofs+ Explained: How Monero Shrinks Transaction Sizes

What Are Range Proofs and Why Do They Matter?

At the heart of every private cryptocurrency lies a fundamental challenge: how do you prove that a transaction is valid without revealing the amounts involved? In Monero, this problem is solved through a cryptographic construct called a range proof. Range proofs demonstrate that transaction outputs contain non-negative values without disclosing what those values actually are. Without range proofs, a malicious user could create transactions with negative outputs, effectively printing money out of thin air while the hidden amounts would prevent anyone from detecting the fraud.

Range proofs are essential for the integrity of Monero's confidential transaction system, known as RingCT. Every time you send XMR, range proofs are included in the transaction to assure the network that the amounts are valid. However, these proofs come at a cost: they add significant data to each transaction, increasing the size of the blockchain and the fees users must pay. This is where Bulletproofs+ comes in, representing a major advancement in making these proofs as efficient as possible.

The Evolution: From Borromean to Bulletproofs to Bulletproofs+

Monero's range proof system has evolved through three distinct generations, each bringing substantial improvements in efficiency. Understanding this evolution helps contextualize why Bulletproofs+ represents such an important milestone for the network.

Borromean Ring Signatures (2017 and Earlier)

Monero's original range proof implementation used Borromean ring signatures. While cryptographically sound, these proofs were extremely large. A typical two-output transaction required range proofs of approximately 13 KB. This made Monero transactions quite heavy compared to transparent cryptocurrencies, leading to higher fees and slower blockchain growth. The size scaled linearly with the number of outputs, meaning multi-output transactions were prohibitively expensive.

Bulletproofs (October 2018)

The introduction of Bulletproofs in October 2018 was a game-changer for Monero. Developed by Benedikt Bunz, Jonathan Bootle, Dan Boneh, Andrew Poelstra, Pieter Wuille, and Greg Maxwell, Bulletproofs replaced Borromean signatures with a far more compact proof system. Transaction sizes dropped by approximately 80%, and fees decreased proportionally. A standard two-output transaction went from about 13 KB of range proof data to roughly 2.5 KB. Furthermore, Bulletproofs allowed for batch verification, meaning that multiple proofs could be verified together more efficiently than individually.

Bulletproofs+ (August 2022)

Bulletproofs+ is the latest evolution, introduced in Monero's August 2022 hard fork. Based on a 2020 research paper by Heewon Chung, Kyoohyung Han, Chanyang Ju, Myungsun Kim, and Jae Hong Seo, Bulletproofs+ further optimizes the proof generation and verification process. The improvements are more incremental than the Borromean-to-Bulletproofs transition, but they are nonetheless significant for a network processing thousands of transactions daily.

How Bulletproofs+ Works: A Technical Overview

Bulletproofs+ builds on the same mathematical foundation as original Bulletproofs, using the discrete logarithm problem and inner product arguments, but introduces several key optimizations that reduce both proof size and verification time.

Weighted Inner Product Argument

The primary innovation in Bulletproofs+ is the use of a weighted inner product argument (WIPA) instead of the standard inner product argument used in original Bulletproofs. This modification changes how the proof is structured internally, allowing for a more compact representation without sacrificing any security properties. The weighted approach reduces the number of group elements and scalar values that need to be included in the proof, directly translating to smaller transaction sizes on the blockchain.

Size Reduction: The Numbers

Bulletproofs+ reduces the size of range proofs by approximately 6% compared to original Bulletproofs. While this might sound modest, the cumulative impact on a blockchain that processes thousands of transactions daily is substantial. For a standard two-output transaction, the range proof shrinks from approximately 2,560 bytes to approximately 2,400 bytes. Over millions of transactions, this saves gigabytes of blockchain space, reducing storage requirements for node operators and synchronization time for new nodes joining the network.

• Single-output proof: approximately 5-7% smaller than Bulletproofs
• Two-output proof: approximately 6% smaller than Bulletproofs
• Batch proofs (multiple outputs): savings scale favorably with batch size
• Verification speed: approximately 6% faster than original Bulletproofs

Verification Speed Improvements

Beyond size reduction, Bulletproofs+ also improves verification speed. The weighted inner product argument requires fewer computational steps to verify, meaning that nodes can validate transactions faster. This is particularly important during initial blockchain synchronization, when a new node must verify every historical transaction. The approximately 6% improvement in verification speed translates to meaningfully faster sync times for the entire Monero network.

Relationship to RingCT

Bulletproofs+ does not exist in isolation; it is a component of Monero's broader Ring Confidential Transactions system. RingCT combines three privacy technologies: ring signatures (which hide the sender), stealth addresses (which hide the recipient), and confidential transaction amounts (which hide the values). Bulletproofs+ specifically handles the confidential amount component, providing the mathematical proof that hidden amounts are valid.

When you send a Monero transaction, the process works as follows: your wallet constructs the transaction with hidden amounts using Pedersen commitments, generates Bulletproofs+ range proofs to demonstrate that all outputs are non-negative and that inputs equal outputs, applies ring signatures to obfuscate the true input among decoys, and creates stealth addresses for each recipient. The Bulletproofs+ proofs are then included in the transaction data that is broadcast to the network and stored on the blockchain.

How Bulletproofs+ Lowers Fees

Monero's fee structure is directly tied to transaction size. Smaller transactions cost less to include in a block, so any reduction in transaction size translates directly to lower fees for users. The approximately 6% reduction in range proof size brought by Bulletproofs+ means that users pay roughly 6% less in fees for every transaction. While this is a modest per-transaction savings, it adds up significantly for frequent users, businesses, and services that process many transactions daily.

For users of MoneroSwapper, lower on-chain fees mean more of your funds arrive at their destination. Whether you are converting Bitcoin to Monero or swapping XMR for another cryptocurrency, the reduced network fees enabled by Bulletproofs+ ensure maximum value transfer efficiency.

Comparison with Other Zero-Knowledge Proof Systems

Bulletproofs+ is not the only zero-knowledge proof system in the cryptocurrency space. Understanding how it compares to alternatives helps explain why Monero chose this particular approach.

zk-SNARKs (Zcash)

Zcash uses zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge) for its shielded transactions. zk-SNARKs produce extremely small proofs and are very fast to verify, but they require a trusted setup ceremony. If the parameters generated during this ceremony are compromised, undetectable counterfeiting becomes possible. Monero's choice of Bulletproofs+ avoids this trusted setup requirement entirely, making the system trustless by design.

zk-STARKs

zk-STARKs (Zero-Knowledge Scalable Transparent Arguments of Knowledge) do not require a trusted setup and offer quantum resistance, but they produce significantly larger proofs than both zk-SNARKs and Bulletproofs+. For a privacy coin where every transaction includes proofs, the size overhead of zk-STARKs would be prohibitive for Monero's use case.

Groth16

Groth16 is a specific zk-SNARK construction that produces the smallest possible proofs (just three group elements) but requires a per-circuit trusted setup. While extremely efficient for verification, the trusted setup requirement and the rigidity of per-circuit construction make it unsuitable for Monero's evolving privacy requirements.

Why Bulletproofs+ Is the Right Choice for Monero

Bulletproofs+ strikes a pragmatic balance for Monero's specific needs. It requires no trusted setup, produces reasonably compact proofs, allows for efficient batch verification, and has been formally proven secure under standard cryptographic assumptions. The trade-off is that proofs are larger than zk-SNARKs and verification is slower, but the elimination of trusted setup concerns makes this a worthwhile exchange for a privacy-focused currency where trust minimization is paramount.

Frequently Asked Questions

Do I need to do anything to benefit from Bulletproofs+?

No. Bulletproofs+ was activated network-wide during the August 2022 hard fork. All transactions on the Monero network now automatically use Bulletproofs+ for range proofs. You benefit from smaller transaction sizes and lower fees simply by using Monero as you normally would, with no additional action required.

Does Bulletproofs+ affect Monero's privacy level?

No. Bulletproofs+ provides the exact same privacy guarantees as original Bulletproofs. The upgrade is purely about efficiency: smaller proofs and faster verification. The cryptographic privacy properties, specifically that transaction amounts remain hidden while provably valid, are identical between the two versions.

Could Monero adopt zk-SNARKs in the future for even smaller proofs?

While theoretically possible, the Monero community has consistently prioritized trustless designs over maximum efficiency. The trusted setup requirement of most zk-SNARK constructions conflicts with Monero's philosophy of minimizing trust assumptions. Future improvements are more likely to come from further optimizations to the Bulletproofs family or from new trustless proof systems that achieve better efficiency without requiring trusted ceremonies.

How does Bulletproofs+ affect blockchain synchronization?

Bulletproofs+ improves blockchain synchronization in two ways. First, each transaction is smaller, so less data needs to be downloaded. Second, each proof verifies faster, so the computational time required to validate the blockchain history is reduced. Both factors contribute to faster sync times for new nodes joining the Monero network.