October 31, 2023
Tari's Bulletproofs+ audit is done!
Spoiler: It went pretty well.
Tari uses an in-house implementation of the Bulletproofs+ range proving system to provide proofs that every (confidential) output in the UTXO set has a value between 0 and 264 μMinotari.
This stops folks sending people negative amounts of Minotari, or trying other nefarious tricks to try and inflate the Minotari supply in an undetectable way.
Bulletproofs plus improves substantially on the original range proof algorithm that was originally used in Monero. Bulletproofs+, as the name suggests, provides a set of incremental improvements over Bulletproofs.
In particular, it supports:
- Proof aggregation. You can generate a proof containing multiple range assertions in an efficient way.
- Extended commitments. Commitments may contain multiple masks.
- Batch verification. Verifying a set of multiple proofs is extremely fast.
- Minimum value promises. You can prove that a commitment binds to at least a specified value.
- Mask extraction. If the prover and verifier agree on a shared secret, the verifier can use it to recover the mask used for the commitment in a non-aggregated proof.
Compared to an updated fork of
the dalek-cryptography
Bulletproofs implementation, this
Bulletproofs+ implementation is:
- Smaller. Regardless of the aggregation factor, a Bulletproofs+ proof is 96 bytes shorter.
- Faster to generate proofs. This implementation generates a non-aggregated 64-bit range proof about 10% faster, with similar speedups for aggregated proofs. In fact, we’re fairly sure that Tari BP+ implementation is now the fastest trustless range proof system in the world.
- Faster to verify single proofs. This implementation verifies a single 64-bit range proof about 15% faster.
- Slower to verify aggregated proofs. This implementation verifies aggregated proofs more slowly. You can’t win ‘em all.
- Faster to verify batched proofs. Because this implementation supports batching, its marginal verification time for a single 64-bit range proof can be reduced to under half the corresponding non-batched time.
The audit
The Tari bulletproof+ library is a fairly small piece of Rust code, but the math behind it is pretty complex. A bug in this code could lead to some catastrophic consequences for the Tari network. For this reason, we decided to partner with Quarkslab to perform a thorough review of the code and verify the correctness of the implementation.
The audit was carried out between August and October 2023 and took around 4 weeks in total.
You can
- read the full report
- and read Tari Labs’ responses to the findings
in the Github repository.
I’m not reading an 80-page report! Just give me the results!
Overall, the audit went very well.
The auditors found that the implementation was faithful to the underlying theory and that the optimisations were cryptographically valid.
There was 1 LOW
severity issue related to a dependency of the library that is no longer being maintained.
There were also two INFORMATIONAL
level findings:
- One was related to the library depending on a fork of the Dalek Ristretto library that has fallen a little out of date behind the main library. This is currently being addressed.
- The second informational issue was related to potential arithmetic overflow instances in parts of the code. These issues have already been addressed and resolved in the latest version of the library.
Acknowledgements
This is a terrific result and is largely the work of long-time Tari contributors Aaron Feickert and Hansie Odendaal.
What’s next?
The main Tari base node audit is wrapping up and the final report is due in the next few weeks.
We’re also waiting on the final report of the Aurora wallet penetration test.
We will be announcing the results of those reviews in due course.