Sharp: Short Relaxed Range Proofs

We provide optimized range proofs, called Sharp, in discrete logarithm and hidden order groups, based on square decomposition. In the former setting, we build on the paradigm of Couteau et al. (Eurocrypt '21) and optimize their range proof (from now on, CKLR) in several ways: (1) We introduce batching via vector commitments and an adapted Σ-protocol. (2) We introduce a new group switching strategy to reduce communication. (3) As repetitions are necessary to instantiate CKLR in standard groups, we provide a novel batch shortness test that allows for cheaper repetitions. The analysis of our test is nontrivial and forms a core technical contribution of our work. For example, for λ = 128 bit security and B = 64 bit ranges for N = 1 (resp. N = 8) proof(s), we reduce the proof size by 34% (resp. 75%) in arbitrary groups, and by 66% (resp. 88%) in groups of 256-bit order, compared to CKLR. As Sharp and CKLR proofs satisfy a "relaxed" notion of security, we show how to enhance their security with one additional hidden order group element. In RSA groups, this reduces the size of state of the art range proofs (Couteau et al., Eurocrypt '17) by 77% (λ = 128, B = 64, N = 1). Finally, we implement our most optimized range proof. Compared to the state of the art Bulletproofs (Bünz et al., S&P 2018), our benchmarks show a very significant runtime improvement. We also sketch some applications of our new range proofs.


INTRODUCTION
Zero-Knowledge Proofs and Range Proofs. Zero-knowledge proofs, introduced in the seminal work of Goldwasser, Micali, and Rackoff [30], allow a prover to convince a verifier of the truth of a statement while concealing all other information. This makes them an important tool in theory and practice. Efficient constructions are now known for a variety of NP-languages, and are routinely used in real-world applications. An example of particular interest is range proofs, which are zero-knowledge proofs demonstrating that a secret value (committed or encrypted) belongs to a public range. Range proofs are a core component in numerous applications, such as anonymous credentials [19], e-voting [31], or e-cash [15], and have recently been introduced in some popular anonymous cryptocurrencies (see [12,27,42]).
Range Proofs. Many range proofs constructed in the past fall into two main paradigms: (1) Range proofs based on -ary decomposition [14,32], where one proves a statement of the form  ∈ [0,  ℓ ) by committing to an -ary decomposition ( 0 , . . .,  ℓ−1 ) of , and proving that  =    •  and that each   belongs to [0, ) (which can be done efficiently when  is small). The state of the art method in this paradigm is Bulletproofs [13], which features very small proof size  ( • log ℓ) for a security parameter λ (using binary decomposition), and also enjoys a transparent setup: the only trusted parameter it requires is an unstructured common random string, which can easily be generated by standard "nothing up my sleeve" methods (in contrast, protocols requiring a structured common reference string must trust the parameter generator, which is undesirable). Due to its great concrete efficiency and its transparent setup, Bulletproofs has become the most commonly used solution in real-world applications.
(2) Range proofs based on square decomposition [10,23,31,36], where one proves a statement of the form  ≥ 0 by using special integer commitment schemes [25,29] to commit to  over Z, and by proving the existence of four squares  1 , . . .,  4 such that  =   2  (such a decomposition always exists by a theorem of Lagrange, and it ensures non-negativity). This generalizes to arbitrary intervals [, ] by proving non-negativity of ( −)( −). While avoiding -ary decomposition is attractive, instantiating integer commitments required, until recently, the use of hidden order groups (such as RSA groups), whose elements are too large to be competitive with Bulletproofs for any reasonable interval size, and which require a trusted setup (to generate the RSA modulus).
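As an added illustration (example code written for this page, not code from the paper or its implementation): the decompositions described above, computed by brute force for toy-sized numbers. The four-square witness for (x − a)(b − x) is exactly the statement above. The three-square variant, applied to 4x(B − x) + 1, is the standard choice behind the "3-square decomposition" mentioned later in the overview; the page does not spell that quantity out, so its use here is an assumption of this example. Legendre's theorem says a non-negative integer is a sum of three squares unless it has the form 4^k(8m + 7), and 4x(B − x) + 1 ≡ 1 (mod 4) never does.

```python
# Added example, not from the paper: square-decomposition witnesses for range
# statements. Brute force is fine at toy sizes; a real prover uses a fast
# randomized four-square algorithm on numbers of roughly 2·log B bits.
from math import isqrt


def four_squares(n):
    """Return (a, b, c, d), a >= b >= c >= d >= 0, with a²+b²+c²+d² == n.
    Lagrange: every non-negative integer has such a decomposition."""
    if n < 0:
        raise ValueError("a negative integer is not a sum of squares")
    for a in range(isqrt(n), -1, -1):
        n1 = n - a * a
        for b in range(min(a, isqrt(n1)), -1, -1):
            n2 = n1 - b * b
            for c in range(min(b, isqrt(n2)), -1, -1):
                rest = n2 - c * c
                d = isqrt(rest)
                if d * d == rest and d <= c:
                    return (a, b, c, d)
    raise AssertionError("unreachable by Lagrange's four-square theorem")


def three_squares(n):
    """Return (a, b, c) with a²+b²+c² == n, or None when n = 4^k(8m+7)
    (Legendre's three-square theorem: those are the only exceptions)."""
    for a in range(isqrt(n), -1, -1):
        n1 = n - a * a
        for b in range(min(a, isqrt(n1)), -1, -1):
            rest = n1 - b * b
            c = isqrt(rest)
            if c * c == rest and c <= b:
                return (a, b, c)
    return None


def witness_four(x, lo, hi):
    """Prover side, four-square paradigm: squares summing to (x − lo)(hi − x).
    Outside [lo, hi] the product is negative and no witness exists."""
    n = (x - lo) * (hi - x)
    return None if n < 0 else four_squares(n)


def verify_four(x, lo, hi, w):
    """Verifier side: over Z a sum of squares is >= 0, so this forces x ∈ [lo, hi]."""
    return w is not None and sum(t * t for t in w) == (x - lo) * (hi - x)


def witness_three(x, B):
    """Three-square variant for x ∈ [0, B] (assumed form 4x(B − x) + 1):
    the value is 1 mod 4, never of Legendre's excluded form, so a witness
    always exists when x is in range; out of range the value is negative."""
    n = 4 * x * (B - x) + 1
    return None if n < 0 else three_squares(n)


def verify_three(x, B, w):
    return w is not None and sum(t * t for t in w) == 4 * x * (B - x) + 1
```

In a real protocol x and the squares are committed and the verifier checks the relation on the commitments rather than on the cleartext values; the point here is only that the square identity, checked over the integers, is what carries the range information.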
The CKLR Range Proof. In a recent work [22], Couteau et al. revived the square decomposition paradigm by constructing bounded integer commitment schemes, which can be instantiated over cryptographic groups in which the DLOG problem is hard. They instantiate (a variant of) the range proof of [23] with this new commitment scheme, significantly reducing its size and removing the need for a structured common reference string. The CKLR scheme was shown to compare favorably with Bulletproofs: for a careful choice of parameters and underlying group, the proofs are about 15% shorter than Bulletproofs, and require an order of magnitude fewer group operations. Therefore, on paper, CKLR seems to offer a competitive alternative to Bulletproofs.
CKLR versus Bulletproofs. However, this cost estimation ignores several important practical aspects, and the comparison turns out to be far from clear cut in real-world instantiations. The main limitation of CKLR is that it requires exotic group sizes: typically, elliptic curves with elements of size 352 or 416 bits to achieve 128 bits of security for 32- or 64-bit ranges. While in theory we can use curves of a wide variety of sizes, and many standard options exist, the vast majority of cryptographic applications build upon 256-bit elliptic curves, and highly optimized implementations of some of these curves are available (for example in libsecp256k1 [43] or ristretto255 [26]). These libraries typically offer runtimes 10 to 20 times faster than the available implementations of other standard (e.g. NIST) curves. Hence, the use of large curves in CKLR actually negates the efficiency gains of its smaller number of group operations compared to Bulletproofs. Furthermore, several applications constrain the choice of curve; for example, the Ethereum cryptocurrency only allows the curve secp256k1. This is not the only limitation of the CKLR range proof compared to Bulletproofs. The latter is especially attractive when performing several range proofs at once, because it allows for very efficient batching of multiple proofs; no such batching is known for CKLR. This stems from the fact that the CKLR range proof revolves around an "extraction lemma" which was formulated and proven in the setting of a single proof, and operates on top of single-value commitments (while Bulletproofs operate on generalized Pedersen commitments, which can commit compactly to vectors of values).
Finally, CKLR is also more restricted in its range of applications than Bulletproofs. This is because Bulletproofs operate with standard Pedersen commitments, while CKLR is designed on top of a new (Pedersen-based) construction of bounded integer commitments. Compared to Pedersen commitments, these new commitments have (1) only limited homomorphic properties, and (2) a relaxed notion of opening, where a malicious opener is given more freedom in what is regarded as a valid opening (this is similar in spirit to the property of standard integer commitment schemes, such as the Damgård-Fujisaki commitment [25]). This means that in some applications, for example when a value opened by a malicious party must be reused afterwards by an honest prover (which is the case, e.g., in some cryptocurrency applications), CKLR cannot be used as a drop-in replacement: the use of CKLR is only appropriate when the new commitment scheme can be used in the application without harming security or correctness.
Summing up, the CKLR paradigm is a promising new approach for constructing range proofs with strong performance. However, it does not currently compare favorably to Bulletproofs in practical applications, mostly due to its use of larger curves which lack competitive implementations, but also due to its lack of batching. Furthermore, it operates on a new commitment scheme, which makes it unclear a priori in which standard applications of range proofs it can be safely used.

Our Contributions
In this work, we thoroughly revisit the CKLR paradigm. We introduce a new family of range proof schemes, which we call Sharp (for short relaxed range proofs). The name Sharp stems from a change of perspective with respect to CKLR: in CKLR, a proof is interpreted as a full-fledged range proof for values committed with the new bounded integer commitment which they introduce. The latter is essentially a Pedersen commitment where openings are allowed to be rationals, which are rounded to the nearest integer in the opening phase. We observe that one can equivalently "push the relaxation from the commitment to the range proof" and see CKLR as a relaxed range proof operating over standard Pedersen commitments, where relaxed means that the prover is only bound to a rational inside the target range, instead of an integer. While this change of perspective does not in itself change the construction nor its security properties, it allows for a more modular treatment of the construction, and simplifies the analysis of how CKLR (or Sharp) integrates within standard applications of range proofs.
Our new constructions build upon numerous optimizations, which combine known techniques and entirely new approaches. The security analysis of our scheme is subtle and technically involved; it forms the core technical contribution of our work. Sharp proofs improve upon CKLR on all fronts: they are much shorter, more efficient, allow for a considerably more flexible choice of the underlying group (and can in particular be efficiently instantiated over 256-bit curves), and can be batched efficiently. In addition, we also demonstrate how to overcome the relaxation of soundness, obtaining schemes that operate directly with standard Pedersen commitments and effectively bind the prover to an integer in the range (instead of a rational), at the cost of slightly larger proofs (but still with very competitive performance).
To complement the above results, we elaborate on how Sharp can be used to improve the efficiency of some flagship applications of range proofs, such as anonymous credentials and anonymous transactions, clarifying which applications can work with bounded integer commitment schemes, and which require a scheme with stronger features. We validate our efficiency claims with implementations and benchmarks of our main schemes. While our implementation is an unoptimized proof of concept, our benchmarks show that it offers a ten-fold runtime improvement over a heavily optimized implementation of Bulletproofs; we expect the efficiency gap to widen further with a more optimized implementation of Sharp. Below, we elaborate on our contributions.
1.1.1 Improved Range Proof Constructions. Our new family of range proofs, Sharp, can be instantiated in a variety of settings, leading to tradeoffs between efficiency and the underlying soundness notion. We build upon the paradigm introduced in [22] and obtain range proofs with improved efficiency and flexibility. In applications where low communication matters most, our scheme Sharp GS provides the most competitive performance, but uses curves of sizes other than the standard 256-bit setting. For runtime-critical applications, or when the application restricts the available curve, we describe Sharp PoSO, a scheme fully optimized to work over 256-bit groups.
At the heart of our flexibility and efficiency improvements is a modular treatment of the structure of a range proof. We split the range proof into two conceptual parts: the proof of short opening (PoSO) and the proof of decomposition (PoDec). The PoSO guarantees that extracted openings are short, and the PoDec ensures that the square decomposition holds over Z  , where  is the order of the DLOG group. Combining both parts ensures that the committed value is a rational inside the given range, as the shortness allows us to argue over the integers. This decoupling lets us develop tailored optimizations for each part, and also clarifies the exact soundness guarantees the proof provides. We stress that one can still equivalently see Sharp as a standard range proof operating over a relaxed integer commitment scheme, using the rounding technique of CKLR: our change of perspective improves the conceptual simplicity of analyzing the use of Sharp within standard applications, but the exact guarantees remain identical to CKLR.
Optimizing the decomposition proof. We optimize the PoDec via a polynomial-based technique, similar to the lattice version of [22] (with some tweaks that improve efficiency). Besides improving the efficiency of the PoDec, this adaptation enables two additional improvements: (1) The new protocol is suited for vector commitments, such as Pedersen multi-commitments (MPed). This enables more efficient batch range proofs, in the sense of performing range proofs for all N values in the vector commitment at once. (2) We introduce a group switching strategy that enables the use of different groups for the PoSO and the PoDec. To our knowledge, this is the first time group switching is (efficiently) used without leveraging hidden order groups. This optimization further reduces proof length (and computation), while allowing more flexibility in instantiating the underlying groups. These changes lead to an optimized range proof: Sharp GS.
Optimizing the short opening proof. We further present Sharp PoSO, a range proof with optimized PoSO (in combination with the changes described above). The analysis of this scheme is delicate and uses several new ideas. It constitutes the main technical contribution of this work. As range and challenge space (hence soundness) introduce lower bounds on the group size, repetitions are required to achieve high security levels when the group is fixed. In CKLR, such repetitions were very expensive, as much of the proof had to be repeated. To reduce their cost, we introduce a (fractional) shortness test that allows the prover to show that the numerators and denominators of multiple fractions are short by sending a single short integer per repetition. Integrating this shortness test into the range proof, a "repetition" requires only two scalars, independent of the batch size. Thus, the bulk of communication and computation of the range proof is the optimized PoDec (without any repetition).
We note that these optimizations also lead to significant improvements in a batch setting, where multiple range proofs must be executed at once. For example, executing N = 8 range proofs with 128 bits of security and 64-bit inputs communicates only 2.9 times more than executing a single range proof. We also observe that a similar batch technique is used in the context of lattice-based range proofs, in the setting where all challenges are bits. However, the possibility of using general short challenges instead of bits is precisely what allows our schemes to remain very compact, and is also what makes the analysis of our shortness test so delicate (we elaborate on this aspect in the technical overview).
Binding to integers instead of rationals. The bounded integer commitment scheme of [22] is essentially a Pedersen commitment where malicious openers are allowed to reveal a rational instead of an integer (which is later rounded to encode an integer inside the range). Consequently Sharp GS, like CKLR, provides only a relaxed notion of soundness, in that it only binds the prover to a rational in the target range. We develop several new approaches to overcome this limitation, obtaining proofs that operate with standard Pedersen commitments (where openings are required to be integers). In the interactive setting, where soundness is statistical (and a 2^-40 statistical soundness error is a common choice), we show how our batch shortness test allows us to use challenges in {0, 1} with a much more reasonable communication overhead than previous approaches, which gives a competitive three-round range proof with transparent setup and full-fledged soundness. In the non-interactive setting (where soundness is computational and 128 repetitions would be too expensive), we show how to combine our schemes with a minimal use of hidden order groups, obtaining two variants: Sharp CL (using class groups to instantiate the hidden order group) and Sharp RSA (using RSA groups). These variants retain strong efficiency, as only a single element of the hidden order group must be added to the proof. They achieve stronger soundness notions, namely: (1) Sharp RSA achieves standard soundness (allowing our scheme to be used as a drop-in replacement in essentially any application of range proofs, but at the cost of losing the transparent setup), and (2) Sharp CL achieves a slightly weaker soundness where the prover is bound to a dyadic rational, which suffices to overcome some attacks that arise from using a range proof with relaxed soundness in some applications, while retaining the transparent setup.
We note that many range proofs in RSA groups have been described in the past [10,23,31,36]. Our RSA-based variant achieves considerable efficiency improvements over all these previous works (both in communication and computation), while achieving the same soundness guarantees.
Concrete efficiency estimations. We compare the communication efficiency of Sharp GS, Sharp PoSO, and Sharp RSA to the state of the art in Table 1. For a single range proof, Sharp GS proofs are almost 50% shorter than Bulletproofs, and about 34% shorter than CKLR range proofs. For our computation-optimized range proof Sharp PoSO, these numbers are about 42% and 29% respectively. When performing a large number of range proofs, Bulletproofs become better communication-wise, because of their logarithmic cost in the batch size; nevertheless, even for a batch of N = 8 range proofs, our range proofs are only between 1.1 and 1.3 times larger than Bulletproofs (in concrete applications, we believe that this should be largely compensated by our strong computational improvements). Our variant in RSA groups, which achieves standard soundness, improves by a large margin over the previous best-known RSA-based range proof of [23]: a factor 3 improvement for a single range proof, and up to a factor 14 improvement for N = 8 simultaneous range proofs.
We implemented our computation-optimized range proof Sharp PoSO, using the 256-bit elliptic curve from the libsecp256k1 library [43]. We stress that this is an unoptimized implementation; yet, compared to the optimized reference implementation of Bulletproofs using the same library, and running the two protocols on the same machine, we observe very significant runtime improvements. Our prover is 11 to 17 times faster than the Bulletproofs prover (for 32-bit and 64-bit ranges), while our verifier is two to four times faster; see Table 2. For a larger batch size of N = 8, our verifier remains two to four times faster than Bulletproofs, while the gap in prover runtime increases slightly, ranging from 11 to 21 times faster (all while maintaining a proof size only 1.1 to 1.3 times that of Bulletproofs for N = 8). We expect these gaps to increase further with a more optimized implementation.
1.1.2 Security and Applications. We analyze the guarantees of range proofs with relaxed soundness (such as CKLR and Sharp) in standard range proof applications. For this, we show which manipulations of the committed values can be allowed depending on the setting. Specifically, we discuss the arithmetical behaviour of the manipulated rationals and the impact of the chosen decomposition on soundness, and show that Sharp proofs provide standard soundness when the committed values are short. Then, we use these insights to sketch how Sharp can be applied to two important applications of range proofs: anonymous credentials (AC) and anonymous transactions (AT). While relaxed soundness is sufficient in AC, range proofs with relaxed soundness do not suffice as a drop-in replacement in AT (and their usage would lead to concrete attacks). Nevertheless, some (but not all) range proofs can be replaced with Sharp proofs in AT, and we sketch how Sharp proofs augmented with both an RSA and a class group element improve this situation, even without a trusted setup of the RSA modulus.

Technical Overview
1.2.1 CKLR Proofs. Before introducing our technical improvements, we give a short overview of CKLR in the DLOG setting. Given a group G of order  with generators (,  ), a Pedersen commitment (Ped) to  ∈ Z  with randomness  is given by  +  . (We use additive notation.) CKLR opens the commitment to  ∈ [0, ] in a zero-knowledge manner using standard Σ-protocol techniques. That is, the prover commits to random masks in  = Ped.Commit( ,  ), where  and  are additive masks for  and  respectively. Then, the prover sends  to the verifier, who in turn sends a random challenge  ∈ [0, Γ]. The prover responds with the two linear combinations  =  + ,  =  +  .
The basic observation in [22] is that the soundness of the above protocol guarantees the extraction of a value of the form  ≡  • −1 , where both (, ) are short. While this does not suffice to bind the prover to a small integer, CKLR observes that  ≡   •  −1 uniquely defines a small rational number  = / ∈ Q (where ,  are short and coprime), if 2(Γ + 1)Γ ≤  holds. We call  ∈ Q the rational representative of  and write  = [] Q .
To show that  resides in the range [0, ], CKLR decomposes as the sum of four squares, commits to   in separate Ped commitments, performs a PoSO for the   and , and shows that the decomposition holds over Z  using the homomorphic properties of Ped. We call this part a proof of decomposition (PoDec). The shortness guarantees of the PoSO imply that  ( − ) ≥ 0 and thus  ∈ [0, ] Q , if 18((Γ + 1)) 2 ≤  holds.

1.2.2 Sharp GS: Group Switching and Batching via an Adapted PoDec. To weaken the requirements on commitment homomorphism, we use a polynomial-based technique. That is, the prover commits to   in Ped commitments and performs a PoSO for each   , as before. To show that the four square decomposition holds, the prover computes a polynomial  in the challenge using the (short) masked witnesses  =  +  and   =   +   from the PoSO. A short computation shows that the coefficient of degree 2 vanishes, i.e. the degree of  in  is 1, iff the decomposition holds. To show that the degree of  is one, the prover commits to  1 and  0 in  * = Ped.Commit( 1 ;  * ) and  * = Ped.Commit( 0 ;  * ) and sends  * ,  * to the verifier. Then, the verifier sends the challenge  and the prover replies with  * =  * +  * . Note that the verifier can recompute  from , {  } 4 =1 and the statement. Now, the verifier can check whether  ≡   1  +  0 via Ped.Commit( ,  * ) =  * +  * . As the challenge is not known to the prover at the point of committing to the coefficients, the Schwartz-Zippel lemma guarantees that the decomposition holds over Z  with overwhelming probability. Further, the prover reveals nothing about the values, as the commitments are hiding and the openings are masked in  * .
By construction, the polynomial-based technique allows us to use Pedersen multi-commitments (MPed) instead of separate Pedersen commitments (as in CKLR). Thus, we can perform N range proofs at once, with a constant number of group elements and a linear number of short integers.
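The degree check described above in executable form, as an added example written for this page (not the paper's code or implementation). The page elides the polynomial itself; this block uses f(γ) = z·(γB − z) − Σ z_i² with z = γx + m and z_i = γx_i + m_i, whose γ² coefficient is x(B − x) − Σ x_i², so it vanishes exactly when the four-square decomposition of x(B − x) holds. The group parameters are the same toy assumptions as in the previous example (q = 2039, p = 1019, G = 4, H = 9), and single Pedersen commitments stand in for the multi-commitment. The block enumerates every challenge in Z_p and shows that a prover with a wrong decomposition is accepted on at most two challenges even after choosing the committed coefficients adversarially, which is the Schwartz-Zippel bound for a non-zero quadratic.

```python
# Added example, not from the paper: polynomial-based PoDec in a toy group.
import random

Q, P, G, H = 2039, 1019, 4, 9   # toy Pedersen group, same assumptions as before
B = 16                           # statement: x in [0, B] via x(B - x) = Σ x_i²


def ped(x, r):
    return pow(G, x % P, Q) * pow(H, r % P, Q) % Q


def coefficients(x, xs, m, ms):
    """f(γ) = (γx+m)(γ(B-x)-m) - Σ(γx_i+m_i)² = f2·γ² + f1·γ + f0 over Z."""
    f2 = x * (B - x) - sum(xi * xi for xi in xs)
    f1 = m * (B - 2 * x) - 2 * sum(xi * mi for xi, mi in zip(xs, ms))
    f0 = -m * m - sum(mi * mi for mi in ms)
    return f2, f1, f0


def verifier_f(gamma, z, zs):
    """What the verifier recomputes from the PoSO responses and the statement."""
    return z * (gamma * B - z) - sum(zi * zi for zi in zs)


def verify(Cstar, Dstar, gamma, z, zs, zstar):
    """Ped(f(γ), z*) == D* + γ·C*, i.e. f(γ) ≡ g0 + γ·g1 for the committed (g1, g0)."""
    return ped(verifier_f(gamma, z, zs), zstar) == Dstar * pow(Cstar, gamma, Q) % Q


def accepting_challenges(x, xs, rig=None, seed=0):
    """Run the PoDec for every γ in Z_p and return the accepting challenges.
    An honest prover commits to (f1, f0). rig=(a, b) models a cheating prover
    (f2 != 0) who instead commits to the coefficients that make γ=a and γ=b
    pass: g1 = f1 + f2·(a+b), g0 = f0 - f2·a·b, so the mismatch polynomial
    f2·(γ-a)(γ-b) has exactly those two roots."""
    rng = random.Random(seed)
    m, ms = rng.randrange(64), [rng.randrange(64) for _ in xs]   # toy masks
    f2, f1, f0 = coefficients(x, xs, m, ms)
    if rig is None:
        g1, g0 = f1, f0
    else:
        a, b = rig
        g1, g0 = f1 + f2 * (a + b), f0 - f2 * a * b
    r1, r0 = rng.randrange(P), rng.randrange(P)
    Cstar, Dstar = ped(g1, r1), ped(g0, r0)       # sent before γ is known
    accepted = []
    for gamma in range(P):
        z = m + gamma * x
        zs = [mi + gamma * xi for xi, mi in zip(xs, ms)]
        zstar = (r0 + gamma * r1) % P
        if verify(Cstar, Dstar, gamma, z, zs, zstar):
            accepted.append(gamma)
    return accepted
```

With 5·(16 − 5) = 55 = 7² + 2² + 1² + 1² every challenge is accepted; with the wr
ong squares (7, 2, 1, 0) the honest coefficients pass only at γ = 0, and the rigged coefficients pass only at the two chosen roots, i.e. a soundness error of 2/p for this toy p and of 2/p ≈ 2^-255 for a 256-bit group.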
The high level structure of this Σ-protocol resembles the lattice-based version of CKLR. But now, by committing to the entire decomposition   in a single Pedersen multi-commitment, which was not possible in the DLOG Σ-protocol of CKLR, the prover needs to communicate two integers and group elements fewer compared to CKLR. This improves over the standard Σ-protocol for showing the square decomposition in a group setting [22,23].

Table 1: Theoretical proof size in Bytes for showing that some  ∈ [0, ] for CKLR proofs [22], Bulletproofs [13], RSA-based range proofs [23] and Sharp proofs (Sharp GS, Sharp PoSO and Sharp RSA), given the security parameter λ. The groups G com and G 3sq used for Sharp proofs have order  and  respectively.  denotes proof size in Bytes, N denotes the number of proofs in the batch, and log , log  is the bit-size of  and .

Group Switching. We highlighted in the overview above that the uniqueness of rational representatives requires (only) that  ≥ 2(Γ + 1)Γ. Unfortunately, for the guarantee that the 3-square decomposition holds, this becomes  ≥ 18 2 , where  = (Γ + 1), which almost doubles the minimal possible group size. We observe that a dependency between PoSO and PoDec, which was present in CKLR, is removed with our improved Σ-protocol. Thus, we can choose groups with different moduli for the PoSO and the PoDec. This gives us flexibility in group choices, and no compromise between the optimal choice for the commitment (typically 256-bit groups) and for the PoDec (typically larger groups) has to be made.

1.2.3 Sharp PoSO: Cheaper Repetitions via a Novel PoSO. To clarify the requirements for our PoSO, we take a closer look at the security proof of Sharp GS. The PoDec proves (among other equations) the square decomposition of  integers   : for each committed value   . Security of the PoDec follows from 3-special soundness, i.e. from 3 related transcripts. To derive that [  ] Q ∈ [0, ] Q , the security proof exploits a guarantee of the (simple) PoSO: Given two related transcripts (, , ì ) and (,  ′ , ì  ′ ), we can extract   ≡    / where   =  ′  −  and  =  ′ − ∈ [−Γ, Γ], and likewise for  , ; given a third related transcript, eq. (1) is ensured. Moreover, each extracted value is a fraction with numerator bounded by  and denominator bounded by Γ. Thus, multiplying eq. (1) by  2 , it becomes a homogeneous quadratic equation in , ,   , and  , , all of which are bounded by , hence short. Since 18 2 < , the equation holds over the integers. As a consequence, any PoSO which ensures that all extracted   ,  , are of the form   =   / and  , =  , / is sufficient for this argument. Note that it is important for the above argument that all fractions   ,  , share the same denominator . Thus, we aim to replace the individual PoSOs by a "Batch-PoSO": Given any number of   s (where we no longer distinguish between   and  , ), prove that all of them are short fractions (i.e. in Q ,Γ ) with a shared denominator .
A straightforward approach is the following: To check shortness of  1 , . . .,   , check shortness of the random linear combination  =      for   ← [0, Γ] (where we ignore masking terms for zero-knowledge for simplicity). Intuitively, if any   is not short, the term     should ensure that  is not short with high probability. And indeed, it is not hard to see that individually, every   is of the form   /  for short   and   , where   ∈ [1, Γ]. However, as we explained above, we require that the common denominator  of all   /  is also short. Perhaps surprisingly, this does not follow trivially.
It is clear that, by using binary challenges, i.e. Γ = 1, all   are 1, and thus the common denominator  is 1. In fact, all   /  =   are small integers. This simple approach is well-known and used in (lattice-based) cryptography for proving knowledge of short preimages via random subset sums. While this even ensures standard soundness, it has the huge drawback of a binary challenge space. Thus, 128 repetitions are required for knowledge error 2^-128, which leads to relatively large proof sizes, e.g. instead of a 335-byte (relaxed-sound) range proof we get a 1877-byte (standard-sound) one from Sharp PoSO (for a 32-bit range). To achieve the claimed proof size, we must therefore choose a large challenge space [0, Γ], so as to minimize repetitions. The crux of the security proof is then to ensure that the common denominator  of all   /  is still short. Our core theorem (Theorem 3.3) asserts that either such a short common  exists, or the false acceptance probability is at most 8/Γ. This result is surprisingly non-trivial to prove, and it may be of independent interest.
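The random-linear-combination test of this and the previous paragraph, run exhaustively over all challenge vectors, as an added example written for this page (not the paper's code). Parameters are assumptions: openings live in Z_p for the Mersenne prime p = 2^61 − 1, Γ = 16, and "short" means a centered representative of absolute value at most 2^20; masks are left out, as in the text's intuition. Because the numerator bound times any of the small denominators used here is far below p, a combination Σ γ_j·x_j is short mod p exactly when the corresponding rational is an integer, so the block can count acceptances exactly rather than by sampling. It shows the point the text makes: values whose denominators are individually at most Γ (here 2, 3, 5, 7) can have a common denominator (210) far above Γ, and in that case the cheating prover's acceptance rate collapses well below 8/Γ.

```python
# Added example, not from the paper: exhaustive false-acceptance count for the
# random-linear-combination shortness test with challenges in [0, Γ].
from fractions import Fraction
from itertools import product
from math import lcm

P = (1 << 61) - 1        # Mersenne prime, assumed field in which openings live
GAMMA = 16               # challenges γ_j in [0, Γ]
NUM_BOUND = 1 << 20      # |a| <= NUM_BOUND counts as "short"


def centered(t):
    """Representative of t mod p in (-p/2, p/2]."""
    t %= P
    return t - P if t > P // 2 else t


def to_field(frac):
    """Embed a rational a/b as a·b^-1 mod p, the form in which a relaxed opening shows up."""
    return frac.numerator * pow(frac.denominator, -1, P) % P


def is_short(t):
    return abs(centered(t)) <= NUM_BOUND


def common_denominator(values):
    return lcm(*(v.denominator for v in values))


def acceptance_rate(values):
    """Fraction of challenge vectors in [0,Γ]^n for which Σ γ_j·x_j (mod p) is
    short. A prover holding a short mask m can answer with m + Σ γ_j·x_j only
    in those cases, so this is its best-case acceptance probability.
    For small denominators b_j, shortness of a·b^-1 mod p with |a| bounded forces
    p | a - s·b for some short s with |a - s·b| << p, i.e. a = s·b: the combination
    is short exactly when its rational value is an integer."""
    xs = [to_field(v) for v in values]
    hits = 0
    for gs in product(range(GAMMA + 1), repeat=len(xs)):
        if is_short(sum(g * x for g, x in zip(gs, xs))):
            hits += 1
    return Fraction(hits, (GAMMA + 1) ** len(xs))


def individually_short(values):
    """The weak guarantee: every x_j alone is a_j/b_j with b_j <= Γ."""
    return all(v.denominator <= GAMMA for v in values)
```

For integer openings the rate is 1. For x = (1/2, 1/3) the rate is 54/289, since the sum is an integer iff γ_1 is even and γ_2 is a multiple of 3. For x = (1/2, 1/3, 1/5, 1/7) every denominator is at most Γ but the common denominator is 210, and the rate drops to 648/83521, below 8/Γ = 1/2 by a wide margin, which is the regime the theorem covers: no short common denominator, hence small acceptance probability.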
Relation to similar lattice-based approaches. As noted before, our Batch-PoSO bears close similarities to some (approximate) batch proofs of (knowledge of) short preimages in the lattice setting. Indeed, random linear combinations for batch proofs are a standard approach and used in the lattice setting, e.g. with binary challenges in [5]. They are also used with larger challenge spaces to prove "fractional openings" of commitments, resulting in a relaxed soundness somewhat similar to our setting, e.g. in [6,7]. Namely, by multiplying with the (small) denominator, an extracted solution grows in size, but if parameters are chosen accordingly, the lattice problem remains hard even for such larger solutions. Moreover, in special settings, e.g. ring lattices, special challenge sets  where even ( ′ − ) −1 is small for all ,  ′ ∈  are used [2].
However, a crucial difference between our setting and the lattice setting is that, in all the lattice-based works we are aware of, the challenge space for proving (approximate or relaxed) shortness is small and a large number of repetitions is required. Moreover, in these works there is no requirement for a short common denominator ; instead, it suffices that each   is individually small, which is straightforward to show (but insufficient in our case). Since we embrace relaxed soundness and aim to maximize the challenge space, our approach exhibits such a requirement. Hence, to prove security, we require an entirely new analysis of the random linear combination test. Our current proof seems quite different from (advanced) lattice-based techniques, but it is an interesting question if and how such techniques could be applied to strengthen the lemma or simplify its proof.
Lastly, we note that lattice-based proof systems have vastly improved; even exact (range) proofs are now quite small, e.g. [38,39], though still an order of magnitude larger than group-based proofs, e.g. [38] notes that a proof of opening alone needs 8 kB. We leave it as an interesting question whether lattice-based range proofs could benefit from square decompositions or our techniques as well.
1.2.4 Sharp HO: Augmenting Sharp with Hidden Order Groups. By using groups of hidden order, we can achieve improved soundness guarantees. On a high level, we add a single MPed commitment  ′ in a hidden order group to Sharp to restrict the possible commitment openings to "special" rationals. In contrast, all other range proofs in hidden order groups perform the entire range proof in the hidden order group [10,22,23,31,36]. As these groups are larger than standard DLOG groups, our approach greatly improves efficiency.
Our proof of opening for the additional commitment only requires one additional short integer (for proving knowledge of the randomness of  ′ ), as we use a synthesized challenge  ′ and response  ′  (computed from the actual challenges and responses) to avoid further repetitions (even if the underlying range proof is repeated). In more detail, when the PoSO is repeated  times with challenges {  }  =1 , the prover and verifier set  ′ =  =1   (Γ + 1) −1 and similarly for  ′  . So to complete the proof, only the masked commitment randomness  ′  is sent additionally. When instantiating this augmentation with suitable class groups, the committed values are restricted to be dyadic rationals, i.e. of the form /2 ℓ . With RSA groups, the committed values must be integers, hence the proof is standard sound.

PRELIMINARIES

2.1 Notation and Basic Functions
We use log for the binary logarithm. We write [, ] for an interval [, ] in Z, and we write [, ]  for an interval in another space , e.g. Q, R, Z  . We use Minkowski sum notation for sets, i.e.  +  = { +  |  ∈ ,  ∈ }, and write + +{} for offsets. We denote by | | the absolute value of  ∈ R. Let  be an (odd) (prime) number. Let Z  = Z/Z be the integers modulo , with representatives either

For a randomized algorithm  with input , we write  ←  (;  ) for its execution with explicit randomness  . If the randomness is not explicit, we write  ←  () and assume that  was sampled accordingly. We write  $←  for sampling  uniformly at random from a finite set , or  $←  to sample  according to a given probability distribution . Further, we generally assume that some public parameters, denoted by pp, and the security parameter, denoted by λ, are implicitly passed as input to algorithms when clear from context.
We define the "prime number analogue" of the factorial.

Cryptographic Primitives
We define syntax and semantics of cryptographic primitives, and sketch their security properties. For formal definitions, see the full version [21]. A PPT algorithm GenGrp on input 1^ outputs a (description of a) group G = G_. Given the description, group operations (addition and inverse) and membership tests are efficient, and bounds lo ≤ |G| ≤ up on the group order are specified. For notational simplicity, we leave GenGrp implicit in the rest of the work. By  $← G we denote randomly drawn group elements without trapdoors.⁶ When we say "G is a group of (prime) order  = ", we mean that  = |G| is known unless explicitly stated otherwise.
The DLOG assumption in cyclic groups asserts that finding the discrete logarithm of a random group element  $← G is hard. It translates to groups of hidden order (where ⟨⟩ ⊊ G is possible) by considering  $← ⟨⟩. For better efficiency in groups of large order, the DLOG assumption can be strengthened.

The above assumptions are only of interest if S ≪ ord(G). Throughout this work, we generally set  = 2 2 − 1.⁷

2.2.2 Hash Functions. A (keyed) hash function Hash is of the form Hash:  × {0, 1}* → {0, 1}^ℓ. The key (i.e. the first input) to Hash is usually implicit and part of the public parameters. We call Hash a collision-resistant hash function (CRHF) if it is hard to find a collision, i.e. two inputs , ′ such that Hash() = Hash(′).

Commitment Schemes. A (non-interactive) commitment scheme Com allows committing to a message , obtaining a commitment  and opening information . More formally, Com is a 3-tuple of PPT algorithms (Setup, Commit, Verify) such that:
• Com.Setup(1^): outputs a commitment key ck (often left implicit),
• Com.Commit_ck(): outputs a pair (, ) of commitment  (to ) and opening  under commitment key ck,
• Com.Verify_ck(, , ): outputs 1 iff it accepts that  opens to  given opening  under commitment key ck.
We require that Com is (perfectly) correct, i.e. honest commitments always verify. Moreover, Com should be binding and hiding, i.e. a commitment  can be opened to (at most) one message , and it is hard to distinguish whether an (unopened) commitment is to message 0 or 1.
Instantiation. We consider Pedersen multi-commitments (MPed), a generalization of the Pedersen commitment scheme [40], with short openings over a prime or hidden order group G. Let ,  ∈ N and lo ≤ |G| ≤ up. Setup samples  $← G for  ∈ [0, ] and outputs commitment key ck = ({}_{∈[0,]}). Given a message  and  is in the right message space for all . That is, if G has prime order , then  ∈ Z_, or else  ∈ Z unless stated otherwise. We write Ped for the Pedersen commitment scheme, i.e. MPed for  = 1. The scheme MPed is hiding under the SI and SEI assumptions and binding under the DLOG assumption. The strength of the hiding property scales with the hiding parameter .⁸

⁶ Transparent setup typically requires trapdoor-free sampling. Otherwise,  could be sampled/encoded via  ∈ Z, as  = , leaking the dlog of . A stronger form, called invertible sampling, is often used in security reductions to "program" the setup, and is possible in most cryptographic groups (including Z×, elliptic curves, and RSA groups). However, as noted in [1], there are no known invertible sampling algorithms for class groups. In this work, we rely on suitably strengthened hardness assumptions to avoid invertible sampling in class groups.
⁷ To the best of our knowledge, there are no non-generic attacks on the (short) discrete logarithm assumption in hidden order groups.

2.2.4 Zero-Knowledge Proofs of Knowledge. A proof system (P, V) for an NP-relation R is a two-party protocol, where prover P has input (, ) ∈ R and verifier V has input . The verifier accepts or rejects an interaction (by outputting 1 or 0). The prover has no output. Moreover, we require correctness with error err, that is, if (, ) ∈ R, then in an honest execution the verifier accepts except with probability err.
Our proof systems will be proofs of knowledge (PoK) and non-abort special honest verifier zero-knowledge (SHVZK). PoK means that one can extract a witness  for  from any prover which convinces V with probability higher than the knowledge error err. We consider relaxed soundness, that is, the witness relation R_Ext for an extracted witness can differ from the correctness relation R. We share this efficiency trade-off with many lattice-based proof systems. Non-abort SHVZK means that transcripts where the prover does not abort can be simulated efficiently given only , if the verifier's challenges are known ahead of time. In our proof systems, prover aborts happen due to rejection sampling.
We work in the common reference string (CRS) model. Most of our protocols require only a uniform (common) random string (URS), a.k.a. transparent setup.

Random Oracle Model (ROM).
In the ROM, all parties have access to a truly random function RO: {0, 1}* → {0, 1} 2. The Fiat-Shamir transformation converts public-coin protocols to non-interactive zero-knowledge proofs of knowledge (NIZKPoK) by computing the verifier's challenges as hashes over partial transcripts and other context information (which includes ). In case of non-zero correctness error, one retries in case of aborts [37]. In practice, the ROM is heuristically instantiated by a strong cryptographic hash function, e.g. SHA-3. Note that a URS can be generated trivially in the ROM.

Rational Representatives
Using Z-valued representatives for Z/Z is a natural choice, obtained from the homomorphism Z → Z_,  ↦  mod . Another choice is induced by the ring
We call such representatives rational. Strictly speaking, a set of representatives  ⊆ Z() should have a unique representative for each element in Z_. We work with smaller sets, which do not have representatives for all of Z_, but existing representatives are unique. The lack of surjectivity will be of no concern.

⁸ If  $← ⟨0⟩ and  is large enough, then MPed is statistically hiding. Under the SI assumption, using  $← G instead remains (computationally) hiding. Usually, sampling  $← G can be transparent (trapdoor-free), but  $← ⟨0⟩ not necessarily.

Definition 2.3. Let Q_, ⊆ Q be the rationals whose numerator is bounded by  and denominator bounded by , that is
The value  is represented by / if  ≡ ^{−1} (where ^{−1} is computed modulo ).
Note that we interpret / as a fraction; the tuple (, ) is not unique. It becomes unique if / is reduced and  ≥ 1.

Lemma 2.4 (Criterion for Unique Representative in Q_,). Let ,  be such that  •  < /2. Then for any  ∈ Z_, if there is a representative in Q_, of , i.e. some / such that ^{−1} ≡ , then / is unique (as a fraction).
We always assume that  •  < /2 whenever we use Q-representatives.

Remark 2.1. Let  ∈ Z_ and  < /2. We define []_Q ∈ Q_, as the unique irreducible representative / of , assuming it exists. (We assume that some maximal bounds ,  are implicitly fixed in the context.) We note that []_Q can be efficiently computed (if it exists), see [28].
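Computing [x]_Q as Remark 2.1 describes, as an added Python example (not the paper's code): rational reconstruction by the extended Euclidean algorithm returns the unique fraction n/d in Q_{N,D} representing x in Z_p under the Lemma 2.4 condition N·D < p/2, or None when x has no such representative; the second function is the section 6.3 observation that a short integer x in [−N, N] is represented by x/1. The function names and the sample parameters (p = 2^61 − 1, N = 2^20, D = 2^10) are mine.

```python
# Added example (not from the paper): rational representatives of Z_p
# (Definition 2.3, Lemma 2.4) computed by rational reconstruction.
from fractions import Fraction


def rational_representative(x: int, p: int, N: int, D: int):
    """Return the fraction n/d in Q_{N,D} that represents x in Z_p, i.e.
    |n| <= N, 1 <= d <= D and n = x*d (mod p), or None if none exists.
    Under N*D < p/2 (Lemma 2.4) such a representative is unique, and the
    extended Euclidean algorithm on (p, x) finds it whenever it exists."""
    if 2 * N * D >= p:
        raise ValueError("need N*D < p/2 for uniqueness of representatives")
    x %= p
    # Invariant of every Euclid row: r = t * x (mod p).  Start from the rows
    # (p, 0) and (x, 1) and stop at the first remainder that is <= N.
    r0, t0, r1, t1 = p, 0, x, 1
    while r1 > N:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if t1 == 0:
        return None
    cand = Fraction(r1, t1)  # normalises the sign of d and reduces n/d
    n, d = cand.numerator, cand.denominator
    # If x has no representative in Q_{N,D}, the denominator overshoots D.
    if abs(n) > N or d > D or (n - d * x) % p != 0:
        return None
    return cand


def is_short_integer_representative(x: int, p: int, N: int, D: int) -> bool:
    """Section 6.3: does x's rational representative have denominator 1,
    i.e. is the committed value a short integer in [-N, N]?"""
    f = rational_representative(x, p, N, D)
    return f is not None and f.denominator == 1
```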

Masking Scheme
We use "additive masking" to hide information with random noise. For readability, we use an abstraction of this technique, formalized below in a way similar to [3]. A masking scheme is a tuple (R, mask, ) consisting of an efficiently samplable distribution R and a masking algorithm mask for values in the range [0, ].

Scheme Overview
The Σ-protocol Sharp GS is described in algorithm 1. The prover receives the witnesses  ∈ [0, ] and  ∈ [0, ], and the statement  = 0 + Σ_{=1}  and  as input. Prover and verifier proceed as follows:
(1) In the first flow, the prover computes and commits to a decomposition of  using MPed in G_com (lines 1 and 2). Then, for all repetitions  ∈ [1, ], she commits to random masks of the witnesses and decomposition in MPed over G_com (lines 4 to 7) and to the garbage terms of the decomposition polynomial (lines 8 to 12). Finally, she sends the commitments to the verifier.
(2) In the second flow, the verifier draws a random challenge for each repetition (line 1) and sends it to the prover.
(3) In the third flow, the prover masks the witnesses (multiplied with the challenges) for each repetition and sends the result to the verifier (lines 13 to 18).
(4) Finally, the verifier checks whether the linear relation between the commitments and the challenge holds, after recomputing the decomposition polynomial (lines 2 to 8).
Optimizations. We use uniform rejection sampling for the masking (instead of the Gaussian rejection sampling in CKLR). This reduces the masking overhead in our setting. As in CKLR, the prover can avoid sending  = (, , , , , *)_{=1} by replacing the output  in the first flow with a hash Δ ← Hash(). Then, the verifier can recompute  during verification and check whether the hash matches. Applying the Fiat-Shamir transformation yields a non-interactive range proof.

Security and Correctness
Non-abort probability. With  repetitions, the probability of the honest prover not aborting (due to masking) is lower-bounded by
Security. Sharp GS proofs satisfy correctness, non-abort SHVZK and relaxed soundness. Intuitively, the verifier is convinced that the committed value has a unique rational representative in the range [−1/(4B), B + 1/(4B)]_Q, formalized in theorem 4.1 below. Note that with the four-square decomposition, we obtain exact range membership in [0, B], in exchange for a slightly larger proof size (see section 6.1.2).
Set _, = mask(, _,), _, = mask( • , _,)
To be precise, we consider the -bounded SEI assumption in G_com and
Security proof, outline. Here, we only sketch the proof of security and the relaxed soundness guarantee. We refer to the full version [21] for details. (The proof is given for Sharp GS with all optimizations.) Informally, the committed  are guaranteed to have rational representatives in , where the numerator and denominator are bounded by  = (Γ + 1) and Γ respectively.
Since either mask aborts or the 's lie within a predetermined range, correctness follows easily. Also, we can simulate a valid transcript of the proof for statement (, ) by first sampling the challenge and then computing a transcript starting from the last flow. For this, we replace each witness  in the masking mask(, ) with 0 (where  is the used mask), which affects the distribution only by mask = 0 (see section 2.4). If any masking aborts, the simulator returns ⊥. Thus, the scheme is non-abort SHVZK under the SEI assumption (for hiding commitments). For the soundness proof, we show 3-special soundness, i.e. extraction from 3 related transcripts. First, we extract the commitments (with a standard argument). Second, we verify that the three-square decomposition holds over Z_ for the extracted  s and infer that
The switch between groups requires special care, as the rings Z_ and Z_ are "algebraically incompatible". But the shortness of the extracted values suffices to show that the three-square decomposition over Z_ implies non-negativity for the rational representative committed over Z_.
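The decomposition the prover commits to in the first flow and the identity the verifier recomputes, as an added Python example (not the paper's or CKLR's code): it assumes the CKLR-style decomposition polynomial 4x(B−x)+1 = y1² + y2² + y3², which the extracted text drops. An honest prover finds the three squares with a Rabin-Shallit-style randomised search (exhaustive for tiny instances), and relaxed_range_ok makes the relaxed range [−1/(4B), B + 1/(4B)]_Q concrete: the identity over Q alone accepts rationals slightly outside [0, B], which is why the shortness of numerator and denominator is what the soundness argument rests on. Function names are mine.

```python
# Added example (not the paper's code): the three-square decomposition that
# Sharp/CKLR-type range proofs are built on, with 4x(B-x)+1 assumed as the
# decomposition polynomial, and what it alone certifies about a rational x.
import random
from fractions import Fraction
from math import isqrt


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin; a rare false positive only makes two_squares() return
    None, which three_square_decomposition() treats as a retry."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        y = pow(random.randrange(2, n - 1), d, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False
    return True


def two_squares(p: int):
    """Write a prime p = 1 (mod 4) as a^2 + b^2 (Hermite-Serret/Cornacchia):
    Euclid on (p, sqrt(-1) mod p) until the remainder drops below sqrt(p)."""
    if p % 4 != 1:
        return None
    c = 2
    while pow(c, (p - 1) // 2, p) != p - 1:  # quadratic non-residue c
        c += 1
        if c > 200:  # impossible for a prime; bail out on a composite p
            return None
    r0, r1, bound = p, pow(c, (p - 1) // 4, p), isqrt(p)
    while r1 > bound:
        r0, r1 = r1, r0 % r1
    b2 = p - r1 * r1
    b = isqrt(b2)
    return (r1, b) if b * b == b2 else None


def three_square_decomposition(B: int, x: int):
    """Honest prover: y1, y2, y3 with y1^2 + y2^2 + y3^2 = 4x(B-x)+1 for an
    integer x in [0, B].  The right-hand side is 1 (mod 4), so it is never of
    the form 4^a(8b+7) and Legendre's theorem guarantees a solution."""
    if not 0 <= x <= B:
        raise ValueError("x must lie in [0, B]")
    n = 4 * x * (B - x) + 1
    if n < 1 << 20:  # tiny instance: exhaustive search is instant
        for y1 in range(isqrt(n), -1, -1):
            rem = n - y1 * y1
            for y2 in range(isqrt(rem), -1, -1):
                y3 = isqrt(rem - y2 * y2)
                if y3 * y3 == rem - y2 * y2:
                    return (y1, y2, y3)
    while True:  # Rabin-Shallit: even y1 keeps n - y1^2 = 1 (mod 4)
        y1 = 2 * random.randrange(0, isqrt(n) // 2 + 1)
        p = n - y1 * y1
        if p > 1 and is_probable_prime(p):
            ab = two_squares(p)
            if ab is not None:
                return (y1, ab[0], ab[1])


def verify_three_square(B: int, x, ys) -> bool:
    """Verifier-side identity 4x(B-x)+1 == sum y_i^2, evaluated over Q."""
    x = Fraction(x)
    return 4 * x * (B - x) + 1 == sum(y * y for y in ys)


def relaxed_range_ok(B: int, x) -> bool:
    """All the identity alone certifies about a rational x: 4x(B-x)+1 >= 0,
    i.e. x within [-1/(4B), B + 1/(4B)] rather than the integer range [0, B]."""
    x = Fraction(x)
    return 4 * x * (B - x) + 1 >= 0
```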

Sharp PoSO: IMPROVED PROOF OF SHORT OPENING
We present Sharp PoSO, which is based on Sharp GS but uses a (batch) shortness test to separate PoSO and PoDec and to reduce the cost of "internal" repetitions.

Parameters
The groups G_com and G_3sq, and the parameters , Γ, , and , are identical to Sharp GS (cf. section 4.1). The commitment key ck_com is augmented by additional elements  $← G_com for  ∈ [1, ]. For simplicity, we define Γ (Γ + 1) − 1 (the size of the "large" challenge) and require that Γ ≤ .¹¹
Masking and mask sizes. For simplicity, we fix a single masking overhead  for all masks. Logically, some masks must be short due to shortness checks, while other masks only hide the value, and shortness is used to reduce communication. The latter may be drawn uniformly from Z_ as well. In Sharp GS,  was of the former type and  of the latter. In Sharp PoSO, we have the following masking behaviour:
• R = [0, ( + 1)], where  = 4Γ must be short.

Scheme Overview
The difference between Sharp GS and Sharp PoSO is the use of the Batch-PoSO. Again, to simplify, we only consider one range [0, ] for all . It will be evident how to generalize to independent ranges. The scheme is defined in algorithms 2 and 3. It is a 5-move protocol which effectively consists of 2 phases: In Phase 1, the prover commits to the 3-square decompositions (and masks ). Then,  parallel random affine shortness tests are run on the committed values. In Phase 2, the prover proves that it has correctly answered the shortness tests and that the 3-square decomposition holds modulo . Thus, Phase 2 is very similar to Sharp GS, except that it uses a large challenge space [0, Γ], so no repetitions are required.

Security and Correctness
Non-abort probability. With  "internal" repetitions, the non-abort probability is lower-bounded by
Security. The security guarantee of Sharp PoSO is almost the same as that of Sharp GS, except for a small tightness loss due to the weaker (provable) guarantees of the shortness test (theorem 3.3). The ideas behind the soundness proof of theorem 5.1 are quite straightforward. It proceeds by dealing with the two phases separately. First, observe that Phase 2 is effectively a Σ-protocol for the statement which was completed in Phase 1, i.e. that  resp.  are commitments to the 's resp. auxiliary values , that the answers  of a random affine shortness test are correct, and that the 3-square decomposition holds. Indeed, Phase 2 is 3-special sound, i.e. given 3 accepting transcripts identical up until the challenge message  for 3 distinct challenges, one can extract openings to the commitments which satisfy the relation (or the binding property is broken). Thus, as a first step, one can replace Phase 2 with an extractor with knowledge error 2/(Γ + 1).
Next, one needs to argue that the  and _, are short (from above, we know that they satisfy the 3-square decomposition). This does not follow from (3 transcripts for) Phase 2 alone. Intuitively, if the "shortness test" used has soundness error , then if any , _, is not short, the probability that the verifier accepts is at most . More precisely, if there is no  ∈ [1, Γ] such that , _, ∈ [−′, ′]_Z for all , , then the shortness test accepts with probability at most . However, there is a gap: Our commitment is only computationally binding, so, by breaking the commitment, the adversary might win with probability  (much) higher than . Fortunately, to win with probability  > , the adversary must break the binding property. Thus, except with probability , one obtains a binding break from such an adversary in expected time (by rewinding until  succeeds again). Overall, this proves the soundness claim of theorem 5.1.

Trade-offs and Optimizations
Reducing communication.As with Sharp GS , hashing can reduce the communication in Phase 2 of the protocol.Also, since Phase 2 is effectively independent of Phase 1, it may be exchanged with other suitable (succinct) argument systems.

Fiat-Shamir transformation. Sharp PoSO is public-coin and the Fiat-Shamir transformation is applicable. This yields a non-interactive zero-knowledge argument.
Standard Soundness and higher knowledge error. It is easy to see that RAST with uniform distribution over {0, 1} is fractionally (, 1)-sound with error 1/2. In this case, Sharp PoSO has standard soundness with knowledge error err = 2 −, and  repetitions require approximately 2 • log() bits of communication overhead. This trade-off is especially interesting if a high knowledge error is acceptable. For example, a statistical knowledge error err = 2^−40 + negl in interactive settings¹² is a common choice, and in the application to anonymous credentials may be considered acceptable.
By using the Fiat-Shamir transformation on Phase 2 (with Γ = 2 − 1), an interactive 3-move protocol can be obtained.¹³ The trade-off is also useful if the batch size  is huge (hence the amortized cost to achieve standard soundness is small).

SOUNDNESS GUARANTEES AND HIDDEN ORDER AUGMENTATION
We provide some insights into the consequences of relaxed soundness and the use of hidden order groups in that context.Further discussions can be found in the full version [21].

Remarks on Relaxed Soundness
The relaxed soundness of CKLR-type proofs only ensures that a committed value  is a fraction  ≡ / with short numerator and denominator, say  ∈ Q_,. As we will see, this can be sufficient in important applications, such as anonymous credentials. However, this guarantee is, in general, too weak to allow unchecked homomorphic operations on commitments, e.g. the sum Σ_{=1}  of short fractions / need not be short. The main problem is the growth of the common denominator  = lcm(1, ..., ), and the numerator grows similarly. Thus, after a few operations, all guarantees on shortness are lost.
6.1.1 Cheating with Small Denominators. The use of relaxed soundness is not a proof artefact: For small  and , find Σ_{=1}^{3} ² = ² + 4( − ) and let  ≡ / and  ≡ /. This decomposition has a chance of 1/ (per repetition, and 1/^ overall) to fool the verifier. In particular, after the Fiat-Shamir transformation, generating proofs for  is efficiently possible if  is not too large.

Using Groups of Hidden Order
The problem of denominator growth can be mitigated by resorting to a group H of hidden order. For Sharp GS and Sharp PoSO, the approach works as follows: Add a single additional commitment ′ to all values  in H (using a MPed commitment). Moreover, include a proof of knowledge of the opening of ′ (to the same value as in ). This small change allows us to reduce to properties of H in order to control the denominator. Using reasonable assumptions, it can be shown that the denominators  are of the form  =  for  ∈ N_0.

6.2.1 Instantiating the Hidden Order Group. When instantiating H with suitable class groups of hidden order for which a plausible strengthened 2-fROOT assumption holds, the prover will be bound to dyadic rationals, i.e.  of the form  = /2^. This improves the applicability of the range proof significantly, since, even in homomorphic computations, the common denominator  is of the form 2^ with  ≤ log(Γ). This restriction already enables the use of homomorphic computations.
When using RSA groups (with trusted setup), the proof provides standard soundness, since the prover is bound to an integer under the 1-fROOT assumption (a.k.a. strong RSA assumption). Interestingly, even without trusted setup, e.g. in cases with a "designated verifier", we sketch how RSA groups enable the use of Sharp proofs (cf. section 7.3).

Non-Relaxed Soundness from Prior Knowledge
Prior knowledge of the shortness of committed values can "upgrade" the soundness from relaxed to non-relaxed. Namely, suppose that for some reason you have prior knowledge or a guarantee that the committed value  ∈ Z_ is short, i.e.  ∈ [−, ]. Then its representative in Q_, is an integer (namely, /1). Thus, the range proof then directly implies that  =
Note that this reasoning also works for the range proofs from CKLR [22].

APPLICATIONS
In this section, we show how range proofs with relaxed soundness, such as Sharp (or CKLR), can be used in certain applications, namely in anonymous credentials and anonymous transactions.

Anonymous Credentials
Anonymous credential schemes [11,16,19] allow users to obtain credentials from issuing authorities. Later, the user can present this credential to a verifier without revealing his identity, which is fixed (but hidden via a commitment) in the credential. These credentials can also have attributes, for example a birthdate or a validity date. When showing the credential, the user might need to show that he is older than 18 or that the credential is still valid in a privacy-preserving manner. Constructions of anonymous credentials typically rely on very efficient special-purpose zero-knowledge proofs. Concretely, most rely on so-called "CL-type" (algebraic) signature schemes, which come with very efficient proofs of knowledge of a signature on committed messages [17]. These are used to sign the identity and attributes of a user. To prove that attributes lie in some range, e.g. for age restrictions or the validity date of the credential, range proofs are employed. Thus, range proofs often constitute a significant, if not dominant, part of the computation (and communication) in these settings.
Sharp proofs can often be used as an almost drop-in replacement in such settings. Consider the DLOG setting in a group of prime order .
• When issuing the credential, all attribute values are known to the issuer. Assuming suitably small ranges [0, ] ⊆ [−, ] for valid attributes, the verifier's validity check of attribute values ensures shortness. If  < /(4Γ), then a rational representative / of an attribute  must be of the form /1, i.e.  is a short integer. Thus, our range proof will be standard sound for  (see section 6.3).
• In case of blind issuance (where identity and attributes remain (partially) hidden), the relaxed soundness of DLOG-based Sharp may not suffice (see section 6.1.1). Here, we can use Sharp RSA, which provides standard soundness, using a trusted public RSA-based setup of the issuer.
• For showing the credential, our range proofs can be used if the (blind) issuing phase ensured that the attributes lie within valid ranges, as in that case our range proof is standard sound (see section 6.3).
The same reasoning applies to so-called keyed-verification anonymous credentials [18], where the issuer and verifiers have a shared secret key, which allows for more efficient protocols (but restricts the use-cases).
Anonymous credentials and their constructions come in many flavours [4,24,41], and not all rely on prime order groups alone.Some use pairing groups and some use hidden order groups.Nevertheless, it is very likely that in all these settings, our range proofs offer favourable trade-offs when compared to those in use.For example, while hidden order groups allow for three-square decomposition based range proofs, working in prime order groups is typically more efficient in terms of computation and communication.In the pairing-based settings, the approach of [14] allows quite efficient digit-based decompositions.However, operations in pairing-groups are slower, elements are bigger, and for efficiency, [14] needs relatively large (non-transparent) public parameters.

Updatable Anonymous Credentials and BBAs
A line of works [8,9,33,34,35] uses techniques from anonymous credentials in a "non-static" manner to construct updatable anonymous credentials or black-box accumulation (BBA) schemes, which can be used for electronic payments, ticket systems, incentive systems and more. Most of the schemes feature range proofs as a core component, as these are required to prevent users from spending more than they have. The (blind) issuing process is mostly unchanged in comparison to anonymous credentials. The show protocol is replaced by (one or more) update protocol(s), which modify the user's attributes (e.g. the user's current balance). Most applications work in the "public balance update" setting, where the user interacts with an operator, and the operator knows the amount Δ by which a user's (hidden) balance  is changed. That is, after the transaction, the balance should be  + Δ, and for security,  + Δ ≥ 0 must be ensured. In this "public balance update" setting, our range proofs are again almost drop-in replacements. Namely, if the security proof ensures that the balance  is "small" (i.e. has rational representative /1), then our proof has standard soundness for  + Δ ∈ [0, ]. Since the security proofs typically prove inductively that, after each operation, the (new) balance  has certain properties (e.g. lies in the range [0, ]), the requirement for our proof to be standard sound is easily seen to be satisfied.
Range proofs are so expensive that early works [33,35] consider weakened (security) requirements to achieve practical efficiency.Even in later works [8,9,34], they amount to a large part of (or even dominate) the runtime.Our optimized range proofs greatly improve efficiency.

Anonymous Transactions
Range proofs are often used in privacy-preserving blockchain-based smart contract platforms in order to ensure that the fixed (but hidden) balance of users is non-negative after performing a transfer [12,27,42]. This ensures that no user can spend more coins than he owns while preserving privacy. Thus, this is a "secret balance update" setting. Here, we give an overview of the applicability of Sharp in this context and refer to the full version [21] for more details.
When a sender with a balance of  coins performs a transfer of  coins to a receiver, she has to guarantee the following: (1)  −  ≥ 0, i.e. the sender's balance remains non-negative after the transaction, and (2)  ≥ 0, i.e. the sender transfers a non-negative number of coins to the receiver. Often, the values  and  are committed (or fixed via an encryption), and the sender performs two range proofs to show equations (1) and (2). Unfortunately, even an initial shortness guarantee on the committed balances  is not sufficient for relaxed soundness to provide standard guarantees, as the shortness of  cannot be guaranteed this way. Thus, we cannot replace all range proofs with Sharp proofs naively (and doing so would lead to concrete attacks). Nevertheless, some range proofs can be replaced with Sharp proofs for efficiency improvements.
Furthermore, in the full version [21] we sketch how the use of augmented Sharp proofs, with both an additional RSA and class group element, is sufficient to avoid these attacks without trusted setup of the RSA modulus.Perhaps surprisingly, we can still leverage the properties of RSA groups in this case.

2.2.1 Cryptographic Groups. We work in the DLOG setting with cryptographic groups. We write G, H, etc. for groups and use capital letters , , etc. for group elements. All groups are commutative and we use additive notation, i.e. we write  +  and  •  or  for ,  ∈ G,  ∈ Z. We denote by ⟨⟩ the cyclic subgroup generated by . The subgroup indistinguishability (SI) assumption in G asserts that  $← G and  $← ⟨⟩ are indistinguishable.

Table 2: Benchmark of our optimized range proofs compared to Bulletproofs, using the reference Bulletproofs implementation [43] in  of [13], using batch sizes  = 1 and  = 8. Both implementations use the library libsecp256k1 [43] and were run on a MacBook Pro with a 2.3 GHz Intel Core i7 processor. All timings are in milliseconds.