@@ -8,14 +8,13 @@ summary: "a new kind of range proofs replacing RingCT in transactions to obfusca

To accomplish this, two kind of ring signatures were constructed: One ring signature for the whole transaction (to prove the sum is 0), and a set of ring signatures for the subsets of transaction bits (to prove the outputs are positive numbers), then combined together using originally Schnorr signatures (and later replaced by Borromean ring signatures).

RingCT was effective for this feature but required a large amount of storage space within the blockchain relative to other stored information. In September 2018 RingCT was responsible for over 80% of the size of each block.

### Where it comes to bulletproofs

### The origin and benefits of Bulletproofs

In 2017, a [Standford applied crypto group](https://crypto.stanford.edu/bulletproofs/) wrote a [paper](https://eprint.iacr.org/2017/1066.pdf) presenting a new kind of range proofs, called bulletproofs.

> Bulletproofs are short, non-interactive zero-knowledge proofs that require no trusted setup.

Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proofs grows logarithmically with the size of the data being proved.

It means that increasing the number of outputs in a transaction will, with bulletproofs only slightly increase the size of the proof.

Bulletproofs also have the advantage to allow to prove that multiple committed amounts are in the desired range at once. No need to prove each output to each destination in separate proofs; the whole transaction amounts could be proven in one bigger (but still very small) bulletproof.

Bulletproofs, unlike Borromean or Schnorr signatures, are very efficient as range proofs. Proving a big set of data only generates a small proof, and the size of this proof grows logarithmically with the size of the data being proved. This means that increasing the number of outputs in a transaction will only slightly increase the size of the proof.

Bulletproofs also allow proving that multiple committed amounts are in the desired range at once. Instead of generating a separate proof for each output definition it is possible to use a single bulletproof for all outputs which is much smaller than using a separate proof for each transaction.

### Thorough audit process and implementation

As bulletproofs were really new, and the initial implementation made by the group, while thoroughly done, needed a rewrite focused on our specific use-case, implementing bulletproof in Monero was not a simple thing.