Bulletproofs+: Shorter Proofs for a Privacy-Enhanced Distributed Ledger

This paper presents a new short zero-knowledge argument for the range proof and arithmetic circuits without a trusted setup. In particular, it can achieve the shortest proof size of the proof system categories without a trusted setup. More specifically, when proving that a committed value is a positive integer less than 64 bits, except for negligible error in the 128-bit security parameter, the proof size is 576 bytes long, which is 85.7% the size of the previous shortest proof due to Bünz et al. (Bulletproofs, IEEE Security and Privacy 2018). Similarly, circuit satisfiability can be proven with less communication overhead. Nevertheless, computational overheads in both proof generation and verification are comparable with those of Bulletproofs. Bulletproofs is established as one of the important privacy-enhancing technologies for a distributed ledger due to its trustless feature and short proof size. In particular, it has been implemented and optimized in various programming languages for practical usage by independent entities since it was proposed. The essence of Bulletproofs is based on the logarithmic inner product argument with no zero-knowledge. This paper revisits Bulletproofs from the viewpoint of the first sublinear zero-knowledge argument for linear algebra due to Groth (CRYPTO 2009) and then propose Bulletproofs+, an improved variety of Bulletproofs. The main component is the zero-knowledge weighted inner product argument (zk-WIP) which enables to reduce both the range proof and the arithmetic circuit proof. It already has zero-knowledge properties, there is no additional information when reducing zk-WIP, and it incurs a minimal transmission cost during the reduction process. Note that zk-WIP has all characteristics of the inner product argument, such as an aggregating range proof and batch verification; thus, Bulletproofs+ is superior to Bulletproofs in all aspects.


I. INTRODUCTION
Adistributed ledger is a database that is consensually shared and synchronized across multiple nodes without a trusted administrator. The blockchain is one type of distributed ledger, where the database consists of linked blocks, called chains, and cryptocurrency, such as Bitcoin [1], is a representative application of the blockchain. The benefit of a The associate editor coordinating the review of this manuscript and approving it for publication was SK Hafizul Islam . distributed ledger is that it is immutable and that any independent observer can verify its validity without the aid of a trusted third party. The transparency of the natural realization of distributed ledgers often causes a data privacy issue since all information is public. For instance, all transaction details, including the sender, the receiver, and the amount transferred, are public in Bitcoin.
Noninteractive zero-knowledge proofs (NIZKs) enable the data owner to generate proof to convince observers of the validity of the data without disclosing it. Range proofs are VOLUME 10, 2022 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ special NIZKs for membership in a predetermined interval. That is, the prover first commits to a value using a commitment scheme and then proves that a committed value lies in a given interval. The range proof has broad applications that include blockchain-based cryptocurrencies in particular. For example, using a range proof, each transaction can be confidentially transferred without disclosing the amount transferred by including only the zero-knowledge proof validity of the transaction [2]. Due to its distributed and transparent nature, a short NIZK without a trusted setup is highly desired in the context of a distributed ledger. Bünz et al. [3] proposed a short NIZK without a trusted setup, called Bulletproofs, on the basis of the techniques of Bootle et al. [4]. Bulletproofs provides the shortest proof size, which is indeed incomparably shorter than the other range proof systems when a trusted setup is undesired. In fact, [4] achieved the first logarithmic communication complexity, and Bulletproofs improve Bootle et al. 's protocol so that the proof size is reduced by a factor of 3 and the protocol is suitable for proving statements on committed values. Hoffmann, Klooß, and Rupp [5] improved Bulletproofs to efficiently cover more expressive relations than rank 1 constraint systems. Even though [5] presents a more generic approach than Bulletproofs, they failed to reduce the proof size in specific arguments such as range proofs. Recently, Bünz, Fisch, and Szepieniec [6] devised a novel polynomial commitment scheme based on the class group and proposed the first succinct NIZK without trusted setup, called Supersonic, on the basis of their polynomial commitment scheme. Although Supersonic has strengths in both low verification costs and a short proof size, its minimum proof size is at least × 6 that of Bulletproofs for the 128-bit security level, and the gap becomes larger when increasing the security level. Bulletproofs are established as an important privacy-enhancing technology for distributed ledgers due to its trustless features and short proof size. In particular, it has been implemented and optimized in various programming languages for practical usage by independent entities: Java [7], C [8], C++ [9], Rust [10], [11], Go [12], Haskell [13], among others. This paper presents, Bulletproofs+, an improved variety of Bulletproofs with a shorter proof size. That is, Bulletproofs+ achieves the shortest proof size in the NIZK category without a trusted setup. We compare the proof size of the range proof protocol of Bulletproofs+ with that of Bulletproofs in Table 1 for typical data types on a scale from 8 bits to 64 bits. The proof size of our range proof is ×0.8 ∼ 0.857 of that of Bulletproofs. Note that computational overheads in both proof generation and proof verification in Bulletproofs+ are comparable to those of Bulletproofs. To achieve a shorter proof size, we revisits Bulletproofs from the viewpoint of the first sublinear zero-knowledge argument for linear algebra due to Groth [14]. Bulletproofs employ the inner product argument without zero-knowledge as the essential ingredient. In [14] and Bulletproofs+, the main ingredient is the zeroknowledge weighted inner product argument (zk-WIP), which enables to reduce both the range proofs and the arithmetic circuit proofs. Briefly, Bulletproofs mask committed values with random numbers to give a zero-knowledge property to the inner product argument and to reduce to the inner product argument, committed values become random polynomials of degree 1 and it makes 5 elements for reduction. In contrast, zk-WIP already has zero-knowledge properties, our protocol needs no random number anymore, and it enables the reduction to zk-WIP by only one element. Therefore, the benefit of reducing zk-WIP is the minimal transmission cost during the reduction process, which makes the overall proof size of Bulletproofs+ smaller than that of Bulletproofs. Furthermore, like Bulletproofs, Bulletproofs+ has additional extensions, such as aggregating range proofs and batch verification.
The inner product argument based on a homomorphic commitment scheme such as a generalization of the Pedersen commitment [14], [15] is employed as a core building block for more complicated relations such as linear algebra equations, range relations, and circuit satisfiability [3], [4], [14]. More precisely, Groth [14] proposed efficient reductions from the advanced arguments to the inner product argument, and Bootle et al. [4] and Bünz et al. [3] improved Groth's result in terms of the communication overhead by imposing more interactions between the prover and the verifier. However, this is not a major burden in the random oracle model [16] since this approach can be converted into the noninteractive argument through the Fiat-Shamir heuristic [17] in the random oracle model.
In fact, when Groth proposed the reduction from the advanced argument for linear algebra equations, he used the weighted inner product (WIP) argument as well as the inner product argument as ingredient protocols. For a constant vector c ∈ Z n p , the WIP with respect to c, denoted by c , is defined as where denotes the standard inner product and • denotes the componentwise product (a.k.a. the Hadamard product).
At the heart of the reductions to the WIP argument is the batch processing of several equations so that the communication overhead is reduced. For example, the Hadamard product equation between two vectors a and b, denoted by a • b = c ∈ Z n p , is a set of n equations, and this equation can be converted by imposing a random integer y into the equation a, (y, y 2 , . . . , y n ) • b = c, (y, y 2 , . . . , y n ) ∈ Z p . (1) The prover can thus convince the verifier of the original Hadamard product equation a • b = c ∈ Z n p by convincing (1) for randomly chosen y. Both sides of (1) can be directly considered as the WIP with respect to the coefficient vector (y, y 2 , . . . , y n ). Therefore, an efficient proof protocol for the WIP is necessary for this approach.

2) LOGARITHMIC ZERO-KNOWLEDGE ARGUMENT FOR WEIGHTED INNER PRODUCT
Groth [14] proposed zk-WIP with linear communication overhead, which is an ingredient protocol for more advanced arguments for linear algebra equations. Subsequent works [3], [4] employed an inner product argument without zero-knowledge as an ingredient protocol, but zero-knowledgeness for advanced relations such as circuit satisfiability is achieved by the reduction to the inner product argument. Wahby et al. [18] presented a logarithmic zero-knowledge argument for the inner product between a hidden vector and a public vector, which is different from the (weighted) inner product between two hidden vectors in [14]. Hoffmann, Klooß, and Rupp [5] proposed a zero-knowledge argument for the inner product between two hidden vectors satisfying certain constraints, which was called the almost zero-knowledge proof protocol by the authors. To blind witness vectors, they used random vectors depending on the witness, which constrains the witness to some degree. To our knowledge, there is no specific construction for a logarithmic WIP proof protocol with full zero-knowledge, where both WIP input vectors are perfectly hidden.
The starting point of this work is logarithmic inner product arguments whose the main component is the following equality as well as the bilinearity of the inner product. For the sake of simplicity, let n be an even number n = 2 n for some integers n and a = (a 1 , a 2 That is, an inner product can be represented by the sum of two half-length inner products. This property is essential for reduction to a half-length inner product, which leads to logarithmic communications. The WIP is also a bilinear map and satisfies a similar property to (2) when c is the Vandermonde vector, e.g., c = (y, . . . , y n ) ∈ Z n p .
The bilinearity of the WIP and (3) guarantee that the following equation holds for a random challenge e.
(ea 1 + e −1 y n a 2 ) (y,...,y n ) (eb 2 + e −1 b 1 ) = e 2 a 1 (y,...,y n ) b 2 + a (y,...,y n ) b + e −2 (y n a 2 ) (y,...,y n ) b 1 (4) In our protocol, the verifier can calculate the commitments to (ea 1 + e −1 y n a 2 ) and (eb 2 + e −1 b 1 ) and inputs of the WIP of the left-hand side in (4) with the aid of the prover. Let c := e 2 c L + c + e −2 c R . Then, the commitment to c can be publicly calculated using the homomorphic property of an underlying commitment scheme, and this calculation can be used as the result of the WIP when taking (ea 1 +e −1 y n a 2 ) and (eb 2 + e −1 b 1 ) as input. Thus, the equality between (4) and c for randomly chosen e guarantees the equality between each coefficient of a power of e of the right-hand side in (4) and that of c, so that we have c = a (y,...,y n ) b. Therefore, a WIP proof w.r.t. (y, . . . , y n ) between n-dimensional vectors is reduced to a WIP proof w.r.t (y, . . . , y n ) between n-dimensional vectors.
The commitment to the hidden vector of length n, which is the input of the reduction, and each transmission sent by the prover during the reduction is blinded by random group elements chosen by the prover so that the witness is perfectly hidden from the viewpoint of the verifier. Using the discrete logarithms of such random group elements, the prover updates the blinding factor in the commitment to the new hidden vector of length n, which is the output of the reduction.
Constant communication is sufficient for each reduction step, and a number of rounds of O(log 2 (n)) is sufficient for reducing to a dimension 1 WIP proof protocol. For the final step of the zk-WIP proof protocol, we devise a variant of the Schnorr protocol, which requires 2 group elements and 3 field elements. Therefore, the proposed zk-WIP protocol requires communication of 2 log 2 (n) + 5 field or group elements.

3) ONE ROUND REDUCTION FOR BULLETPROOFS-LIKE PROTOCOLS
Bünz et al. proposed a short zero-knowledge argument called Bulletproofs, which includes an aggregate range proof protocol with logarithmic size in the witness size and an arithmetic circuit proof protocol with logarithmic size in the circuit size. Both aggregate range proof and arithmetic circuit proof protocols are built on their inner product proof protocol.
We show that when our zk-WIP proof protocol is used as an ingredient protocol, one commit-and-challenge round is sufficient to reduce from advanced protocols such as aggregate range proof and arithmetic circuit proof to the zk-WIP proof protocol. In particular, the prover sends only a group element in our reductions.
Let us explain the idea of the reduction for our single-range proof protocol. The prover's goal is to convince the verifier that witness v belongs to an interval [0, 2 n − 1], equivalently, the prover knows a binary vector of the witness v of length n. VOLUME 10, 2022 To show a binary vector, the prover begins by committing to a L , a R ∈ Z n p satsifying where 1 n = (1, . . . , 1) is a vector filled with 1's in all entries and 2 n = (1, 2, . . . , 2 n−1 ) is a vector consisting of powers of 2. If a L and a R has other than 0 and 1, (5) cannot be satisfied and the verifier can be convinced. To reduce communication overhead, the verifier sends a random challenge y ∈ Z p to utilize WIP. Then, 2n+1 equations in (5) are batched to a WIP equation. Therefore, we place each term of the left-hand sides of the equations in (5) into a distinct monomial coefficient with variables y and z as follows.
where ζ (y, z) = y n+1 z 1 n , 2 n + z 2 1 n , − → y n and − → y n indicates (y, . . . , y n ). Each term of the right-hand sides in (5) is either constant or the witness v and appears as a distinct monomial coefficient with variables y and z in 0 + y n+1 v + z1 n (y,...,y n ) 1 n − ζ (y, z).
Therefore, the remaining part of our range proof protocol is to run the zk-WIP protocol w.r.t. (y, . . . , y n ) that convinces a L − 1 n · z (y,...,y n ) a R + 2 n • (y n , . . . , y) + 1 n · z = y n+1 v + z1 n (y,...,y n ) 1 n − ζ (y, z). (8) By the homomorphic property of an underlying commitment scheme, the commitments to inputs and output of the WIP in (8) can be publicly calculated from public parameters and the commitment sent by the prover at the beginning of our range protocol. Therefore, both the prover and the verifier can run the zk-WIP protocol. Similarly, aggregate range proof and arithmetic circuit proof protocols can be reduced to the zk-WIP proof protocol through one commit-and-challenge round.

B. APPLICATIONS 1) BLOCKCHAIN: CONFIDENTIAL TRANSACTIONS, SMART CONTRACTS, AND MORE
Although Bitcoin [1] supports pseudonymity, it does not guarantee perfect privacy [19], [20]. To address the confidentiality issue, Maxwell [2] proposed the concept of the confidential transaction, where every piece of information except validity is hidden, in the UTXO model. Here, the UTXO is an unspent transaction output, and the UTXO model indicates that each transaction should fully spend the outputs of previously unspent transactions. A confidential transaction consists of commitments to a set of inputs and a set of outputs with a Pedersen commitment scheme [15]. Although the homomorphic property of the Pedersen commitment enables the verifier to check whether the sum of inputs is equal to the sum of outputs, the verifier cannot verify whether a sender has enough balance to involved amounts, and thus a sender should provide additional evidence for this. The range proof exactly resolves this problem and is thus essential in confidential transactions.
Monero [21], [22] is a well-known privacy-enhanced blockchain project that employs confidential transactions in the UTXO model. Each transaction in the UTXO model has 2.5 outputs on average. The range proof should be attached for each transaction output in Monero so that on average, 2.5 range proofs are required for each transaction. The size of each transaction with two outputs was reduced from 13 kB to 2.5 kB since Bulletproofs for aggregate range proof were integrated with Monero in 2018. Bulletproofs+ for aggregate range proof is 96 bytes smaller than Bulletproofs in 128-bit security so that when applying Bulletproofs+ instead of Bulletproofs to Monero, two output transactions were further reduced and finally obtained 2.4 kB. Therefore, Bulletproofs+ can save more than 1 MB every day. Beside Monero, a similar effect can be obtained from the other privacy cryptocurrencies such as QusQuis due to Fauzi et al. [23] Compared to Monero, QuisQuis makes UTXO sets nonmonotomically growing by introducing a new notion called updatable public keys; however, Bulletproofs still play an essential role in QuisQuis. Thus, Bulletproofs+ can also affect QuisQuis by reducing the transaction size.
Mimblewimble [24]- [26] aimed to resolve privacy and scalability problems in Bitcoin. In the UTXO model, the sums of input transaction values and output transaction values should be the same, apart from a transaction fee, and anyone can obtain a commitment to 0 from the valid transaction. Then, a sender signs a transaction under the commitment to 0 (as the public key), which implies that no money vanished and none was created. Through this, they simplify the structure of a confidential transaction; however, they still require the sender's balance check for the validity of the transaction, and thus, a range proof is indispensable. Grin [27] and Beam [28] are major implementations of Mimblewimble. For a million blocks, 10 million transactions (2 inputs, 2.5 outputs average) and 100,000 unspent outputs, the UTXO size is nearly 520 MB, and among them, almost 517 MB is allocated to the range proofs [27]. UTXO size can be significantly reduced to approximately 90 MB (100 MB) with Bulletproofs+ (Bulletproofs).
There are several attempts to employ range proofs in smart contracts. A confidential transaction is first proposed based on the UTXO model; however, a smart contract platform usually takes an account-based model. To construct a confidential transaction for the smart contract, it should support not only range proofs but also statements on algebraically encoded values to execute arbitrary smart contracts securely. Zether [29] suggests a confidential transaction compatible with a smart contract platform, especially Ethereum [30], called confidential transfers. Additionally, Findora [31] is one of the projects employing Bulletproofs on a smart contract. The main feature of [31] is supporting audits on a confidential transaction, and it enables us to prove more nuanced statements with selective disclosure. Both [29] and [31] support confidential asset transfer, and range proofs and arithmetic circuit proofs are necessary. Thus, Bulletproofs+ can also enhance the efficiency of the account-based model.

2) RANGE PROOFS
Range proof is an essential tool for resolving privacy issues in digital financial technology, including distributed ledgers, e.g., [32]. Banks perform the process of identifying and verifying the identity of the client when opening an account. Due to regulations such as laundering antimoney and knowing your customer, this process becomes mandatory and causes privacy issues. The zero-knowledge proofs enable this process to be performed without disclosing the customer's private information. Using the range proofs, the client can convince the banks of some relations on the age, zip codes, and GPS position without disclosing the actual information. For instance, the client can prove that the customer's age is over the legal age and that the zip codes and the GPS information are contained in specific ranges to validate the location where the customer stays.

3) VERIFIABLE SHUFFLES
Bulletproofs+ for the arithmetic circuit can be employed to reduce the proof size of applications beyond distributed ledgers. For example, it can be applied to the verifiable shuffle [3], [33]- [36] that takes a list of committed values as input and outputs a permuted list along with the proof of correctness of the permuted list. Although the verifiable shuffle is an important stand-alone protocol, it is also a good building block for many other applications, such as e-voting protocols [33], [37], mix-net [38], privacy-preserving advertisement delivery [39], and solvency proofs [40]. In terms of the proof size, Bulletproofs have the most efficient scheme that increases the proof size logarithmically in the size of the input list. The shuffle can be implemented either by the sorting circuit using O(n log 2 (n)) multiplications, where n is the size of the input list [3], or by the permutation circuit and the multiexponentiation circuits in [36]. 1 Although Bulletproofs+ reduces only constant term (e.g., 96 bytes for the 128-bit security), for practically large n (e.g., n < 2 32 ), the improvement of Bulletproofs+ makes a meaningful difference similar to the range proof case due to logarithmic increasing speed of Bulletproofs' proof size in n.

C. RELATED WORK 1) RANGE PROOFS
Brickell et al. [41] first proposed range proofs, and since then, they have received great attention [42]- [49]. Lipmaa [44] presented a range proof protocol that relies on Lagrange's four-square theorem (a.k.a., Bachet's conjecture), which states that any positive integer can be written as a sum of four squares. Groth [50] improved Lipmaa's suggestion by exploiting Legendre's three-square theorem, which states that a positive integer α can be written as a sum of three squares if and only if α is not of the form 4 n 1 (8n 2 + 7) n 1 , n 2 ∈ Z. More recently, Couteau et al. [49] suggested a range proof solution based on a weaker assumption than the strong RSA assumption [51].

2) NIZK FOR ARITHMETIC CIRCUITS
In recent years, many improvements in NIZK for circuit satisfiability have been made [52]- [54]. SNARKs are arguments of knowledge that have succinct proof and efficient verifiers. Although SNARKs provide high performance that can meet practical requirements, they inherently and inevitably require a trusted setup to generate the structured reference string (SRS). To address this problem, Groth et al. [55] and many subsequent works [?], [56]- [58] proposed proof systems relying on the SRS, where SRS is efficiently updatable. Nevertheless, these proof systems with the updatable SRS still require at least one trusted setup at the beginning of the proof system.

3) CONCURRENT WORK
There are three independent and concurrent works that improve Bulletproofs [59]- [61]. Boneh, Fisch, Gabizon and Williamson [59] proposed a simple range proof from a polynomial commitment scheme. To prove 0 ≤ v < 2 n with the zero-knowledge property, the prover should transmit 2 · log 2 (n + 2) + 2 elements in G and 5 elements in Z p . This communication certainly costs less than Bulletproofs; however, it still requires at least one more element than our range proof. Moreover, since the construction is based on a polynomial commitment scheme that needs to choose a prime p larger than n, a prover can only claim the same interval once a polynomial commitment scheme is determined. In contrast, our range proof scheme supports an arbitrary n; thus, there is no restriction for the prover.
Attema and Cramer [60] focused on reconciling Bulletproofs with the theory of -protocols. A prover needs to prove quadratic equations for a range proof; however, -protocols are appropriate for proving arbitrary linear relations, and thus, Bulletproofs require reinvention with the quadratic constraint, which may cause some technical difficulties. To resolve this issue, the authors employed an arithmetic secret sharing-based technique that enables the linearization of all nonlinear statements while preserving the same communication reduction. More precisely, a communication cost for the range proof is 2 · log 2 (2n + 3) elements in G and 5 elements in Z p ; thus, Bulletproofs+ still remains the transparent range proof with the smallest proof size.
Couteau, Klooß, Lin, and Reichle [61] proposed a new range proof with transparent setup from bounded integer commitments. One of the classical approaches for range proofs is based on square decomposition and to merge it, they suggest a method for transforming a commitment scheme over a finite field to a commitment scheme that enables to commit a bounded integer and to prove relations efficiently. VOLUME 10, 2022 As a result, they can propose several new instantiations of range proof paradigms. More specifically, they suggest a range proof scheme based on discrete logarithm problem, lattice problem and standard class group assumptions. In latticebased range proofs, they can improve over the state of the art in a batch setting when at least a few dozen range proofs are required. Under the standard class group assumptions, they can propose the first concrete efficient commitment scheme, which does not require any trusted setup. Compared to Bulletproofs, they can also reduce the proof size about 15% (see Table 1 of [61]) and it varies from about 40 bytes to 120 bytes depending on the parameter. However, the proof size for our scheme is always less than 96 bytes than Bulletproofs for any parameter and our proof size is still less than that of [61] in some parameter settings. Moreover, they do not provide a scheme for arithmetic circuit, but Bulletproofs+ can prove the arithmetic circuit.

D. ORGANIZATION
We provide definitions of assumptions, homomorphic commitment schemes, and zero-knowledge arguments in Section II. In Section III, we present a main building block protocol, the zero-knowledge argument for the WIP without a trusted setup. We propose short zero-knowledge arguments for the range proof and the arbitrary arithmetic circuits in the following sections, Section IV and Section V, respectively. Finally, we provide the performance of the proposed protocols for the specific parameters in Section VI.

II. PRELIMINARIES
We begin by defining some basic notations to be used when defining the preliminary concepts in the following subsections. More specific notations that are useful for describing and analyzing the proposed proof systems are provided in Section II-C. For any algorithm A, y = A(x; r) denotes that y is the output of A on input x with randomness r. When using uniform randomness, we use a shortened notation y ← A(x), meaning that randomness r is chosen at random outside A, and we set y = A(x; r). For any set S, x $ ←S denotes uniform random sampling of x from S. Throughout the paper, λ denotes the security parameter, and it is written in unary form when it is used as the algorithm input. For a function (1) . Here, negl(λ) denotes a negligible function.

A. HOMOMORPHIC COMMITMENTS
A (noninteractive) commitment scheme consists of two algorithms Gen and Com. Gen is called the key generation algorithm that takes the security parameter and outputs the commitment key ck. The message space M ck , the randomness space R ck , and the commitment space C ck are specified in ck. The commitment algorithm Com combined with the commitment key ck specifies a commitment function Com ck : M ck × R ck → C ck that takes m ∈ M ck and outputs a commitment com ∈ C ck using randomness r ∈ R ck . To commit to a message m ∈ M ck , the sender selects r $ ←R and computes the commitment com = Com ck (m; r). We define several properties of the commitment scheme.
Definition 1 (Homomorphic Commitments): A homomorphic commitment scheme is a (noninteractive) commitment scheme that has a homomorphic property such that for all m 1 , m 2 ∈ M ck and r 1 , r 2 ∈ R ck , where + C ck , + M ck and + R ck define operations in C ck , M ck and R ck , respectively. Definition 2 (Hiding Commitments): A commitment scheme is hiding if for all nonuniform polynomial-time interactive adversaries A the following probability is smaller than or equal to negl(λ) for some negligible function negl(λ), as shown at the bottom of the page, where the probability goes over the randomness used in A and Gen and the choice of b and r. We say the scheme is perfectly hiding if negl(λ) = 0.

Definition 3 (Binding Commitments): A commitment scheme is binding if for all nonuniform polynomial-time interac-
tive adversaries A, the following probability is smaller than or equal to negl(λ) for some negligible function negl(λ).

Pr
Com(m 0 ; r 0 ) = Com(m 1 , r 1 ) where the probability exceeds the randomness used in A and Gen. We say the commitment scheme is perfectly binding if negl(λ) = 0.
A generalized Pedersen commitment scheme is extensively used in this work. We explain here how the generalized Pedersen commitment was implemented. Let M ck = Z n p , R ck = Z p and C ck = G, where ck = (G, p, g, g 1 , . . . , g n ) and g, g i $ ←G for i = 1, . . . , n. To commit to a message vector m = (m 1 , . . . , m n ) ∈ Z n p , one computes Com ck (m; r) := g r n i=1 g m i i , where r $ ←Z p . The generalized Pedersen commitment scheme is perfectly hiding since g is a generator of the cyclic group, and thus, the random blinding factor g r is uniformly distributed over the cyclic group. If the discrete logarithm assumption holds on G, then the Pedersen commitment scheme is computationally binding [14], [15]. and r, r ∈ Z p , Com ck (m; r) · Com ck (m ; r ) = Com ck (m + m ; r + r ) holds.

B. ZERO-KNOWLEDGE ARGUMENTS OF KNOWLEDGE
We consider arguments consisting of three interactive probabilistic polynomial-time algorithms (K, P, V) in the common random string model. K is called the common reference string generator, which takes the security parameter 1 λ as input and outputs the common reference string σ . In this paper, the common reference string is a public key for the generalized Pedersen commitment scheme, that is, uniformly chosen group elements. 2 P and V are called the prover and the verifier, respectively. For the sake of simplicity, in this paper, we do not explicitly describe K but assume that the common reference string is given as common input to both P and V. At the end of the interaction, the verifier V accepts (equivalently outputs 1) or rejects (equivalently outputs 0).
We prove that the proposed protocol, Bulletproofs+, is a zero-knowledge argument of knowledge. Informally, the goal of the prover in this protocol is to convince the verifier of witness knowledge that guarantees some statement holds, without disclosing the witness. Let R ⊂ {0, 1} * × {0, 1} * × {0, 1} * be a polynomial time verifiable ternary relation. Given the common reference string σ , we call w a witness for a statement x if (σ, x, w) ∈ R. We define a corresponding reference string-dependent language L σ as the set of statements x that has a witness w such that (σ, x, w) ∈ R. That is, and if σ = ∅, then this is the same as the standard notion of NP languages.
Definition 6 (Computational Witness-Extended Emulation): We say that (K, P, V) has witness-extended emulation if for all deterministic polynomial provers P * if there exists an expected polynomial time emulator E such that for all nonuniform polynomial time interactive adversaries A there exists a negligible function negl(λ) such that the gap between 2 The public key (or commitment key) of the Pedersen commitment scheme can be chosen as a random string. Therefore, we are in the common random string model, and even in the plain model if we let the verifier choose the random string.
In the definition of witness-extended emulation, the value s can be regarded as the state of P * , including the randomness. Therefore, whenever P * can make a convincing argument when in state s, E can extract a witness, so we call an argument (K, P, V) satisfying Definition 6 and Definition 5 an argument of knowledge (of witness w).

C. NOTATION
Let p denote a prime of length λ. In our protocol, we use several sets G, Z p , Z * p , G n , Z n p and several binary operations over them. Let G denote a group of orders p, Z p denote the ring of integers modulo p, and Z * p denote Z p \{0}. For a group F, F n denotes the n-dimensional product group, and hence, it also denotes vector spaces of dimension n over F. Z n×m p denotes the set of matrices with n rows and m columns over Z p . An element in Cartesian product set F ∈ {G n , Z n p , Z n×m p } is denoted by bold letters, i.e.,. g = (g 1 , . . . , g n ) ∈ G n , a = (a 1 , . . . , a n ) ∈ Z n p , and B ∈ Z n×m p . We often consider a vector a in Z n p as a row matrix in Z 1×n p , and its transpose vector, which is the corresponding column vector, is denoted by a .
We define notations for several binary operators among the above defined sets. For two vectors a, b ∈ Z n p , the inner product between a and b is defined as a · b = n i=1 a i · b i ∈ Z p and denoted by a, b . The componentwise multiplication (a.k.a., the Hadamard product) between a and b is denoted  by a • b, i.e., a • b = (a 1 · b 1 , . . . , a n · b n ) ∈ Z n p . For a ∈ Z n p and g ∈ G n , the multiexponentiation n i=1 g a i i ∈ G is denoted by g a . For a scalar c ∈ Z p and a vector a ∈ Z n p , the scalar multiplication is denoted by c · a ∈ Z n p , i.e., c · a = (c · a 1 , . . . , c · a n ).
For a ternary relation R, we use the format {(Public Input; Witness) : R} to denote the relation R using specific public input and witness. VOLUME 10, 2022

III. ZERO-KNOWLEDGE WEIGHTED INNER-PRODUCT ARGUMENT
Groth [14] proposed the zero-knowledge argument for the weighted inner product (zk-WIP) and used it to build squareroot zero-knowledge arguments for linear algebra equations. This paper proposes an improved zk-WIP argument and use it to build short zero-knowledge arguments for range proofs and arithmetic circuits. For a constant vector c, the weighted inner product (WIP) with respect to c is defined as a, b) → a, (c • b) .
The most interesting special case is that c = − → y n for an integer y ∈ Z * p , which is also mainly used in [14], since it has useful properties. This paper designs arguments for range proofs and arithmetic circuits based on the zk-WIP argument with respect to − → y n . For simplicity, we use the notation y instead of − → y n . Note that if y = 1, then y is equivalent to the inner product. Even after the map is defined with y > 1, it can be utilized like the inner product by computing a y (b • ← − y n ) and one can verify that and this propoerty is used when the prover needs to perform the inner product between a and b after fixing y > 1. This paper proposes a zero-knowledge argument for the WIP w.r.t. − → y n relation. In particular, group-based homomorphic commitment scheme is employed as a building block so that the relation necessarily involves group elements. In addition, compressed representation is used in the sense that the witness and the WIP result are committed together into a group element. 3 More precisely, we propose a zero-knowledge proof system for the following relation: (g, h ∈ G n , g, h, P ∈ G; a, b ∈ Z n p , α ∈ Z p ) : P = g a h b g a y b h α The WIP w.r.t − → y n and its simplest case, inner product, have an interesting property, which leads to logarithmic communication cost when combined with homomorphic commitment schemes. The WIP w.r.t − → y n can be replaced with the sum of two WIPs with half-lengths. When n is an even number, n = 2 n, let a = (a 1 , a 2 Thus, using the homomorphic property of the homomorphic commitment scheme and (11), zk-WIP can be reduced w.r.t. − → y n to two zk-WIPs w.r.t. − → y n . However, this reduction does not lead to proof size diminution, and we need an additional technique to batch two n-length arguments to an n-length argument. To ensure this end, we impose an additional round and use a random challenge given from the verifier so that the 3 The witness and the inner-product result are separately committed in [4], [14], but those are committed together in [3]. For short proof size, we follow the representation of [3]. proposed protocol can achieve logarithmic communication cost in the length of vector n. More precisely, the prover of the zk-WIP w.r.t. − → y n transmits 2 · log 2 (n) + 2 elements in G and 3 elements in Z p . The computational costs of both the prover and the verifier are linear in n.

A. ZERO-KNOWLEDGE ARGUMENT FOR WIP
This section describes the zero-knowledge argument for WIP w.r.t. − → y n , denoted by zk-WIP− → y n (x; y), where x is the input of V and (x; y) is the input of P. In the proposed protocol, the verifier starts with the public parameters including group  generators g, h ∈ G n , g, h ∈ G and P = g a h b g c h α a  commitment to vectors a, b and their weighted WIP c =  a y b, where a b are witnesses. The prover takes as input  g, h, g, h, P and a, b, α. For the sake of simplicity, assume that n is a power of 2 and let n = n/2. When n > 1, protocol zk-WIP− → y n (g, h, g, h, P; a, b, α) is a reduction from lengthn argument to n-length argument. In the case of n > 1, the prover begins by choosing random integers d L , d R $ ←Z p , computes 1 2 g c R h d R ∈ G, and sends L and R to the verifier. Next, the verifier chooses and sends a random challenge e to the prover. Then, both the prover and the verifier compute and the prover additionally computes Last, the above n-length vectors a and b have a relation with c L , c R , and c as follows: Using the above relation, the following equality can be verified through a simple calculation.
Thus, the above interaction between the prover and the verifier shows that the argument for WIP relation with n-length vectors can be reduced to the same argument with half-length vectors. More precisely, the components shared by the prover and the verifier at the end of interaction ( g, h, g, h, P; a, b, α) is composed of the same zk-WIP argument with a halflength n, which is the desired reduction from an argument related to a and b ∈ Z n p to an argument related to a and b ∈ Z n p . Here, the prover sends only two group elements for each reduction, so that totally, it requires only logarithmic communication cost in n.
When n = 1, it becomes a variant of the Schnorr protocol such that logarithms of input bases fulfill a specific quadratic relation, which yields both constant communication and computation costs.
The full description of our zero-knowledge argument for the WIP relation is provided in Fig.1. Theorem 1 is the security statement for zk-WIP protocol and its proof is relegated to Appendix.
Theorem 1: Let y be a constant in Z * p . The zero-knowledge argument for WIP is presented in Fig. 1 has perfect completeness, perfect honest verifier zero-knowledge and computational witness-extended emulation.

IV. RANGE PROOFS
This section describes our zero-knowledge argument protocols for single-range proof in Section IV-A and aggregate range proof in Section IV-B.

A. SINGLE-RANGE PROOF PROTOCOL
Consider the following group-based range relation such that witness is committed using the Pedersen commitment scheme.
Here, V is a commitment to the witness v that lies in an interval [0, 2 n − 1] for some predetermined parameter n. g and h are vectors of group G generators, but their usage is ambiguous in the above relation. In fact, these are parameters of the generalized Pedersen commitment scheme. v can be represented as an n-bit string a L , and it is committed using g and h in our range proof protocol. Then, the goal of the range protocol is to prove the knowledge of a L and an additional vector a R satisfying (12) which implies that the prover knows a binary vector of length n of witness v. Since each a L and a R has n components, (12) consists of 2n + 1 equations. To handle multiple equations at once in a sublinear manner in n, this paper follows the technique dating back to Groth [14] such that it batches equations by computing the inner product with − → y n for a random challenge y given from the verifier. Applying the batching technique, (12) becomes a product relation between three values, the witness a L , a R and the challenge y used in the batching technique. Bünz et al. [3] presented a proof system for the relations in (12) based on their inner-product argument. Their inner-product protocol does not support the zero-knowledgeness property so that the openings of the Pedersen commitments are revealed to the verifier. Hence, the reduction process should introduce exponentiation-level blinding factors to hide openings, which is rather cumbersome to handle, so that it requires several interactions and transmission of 5 elements in Z p and 2 group elements in G.
zk-WIP protocol w.r.t. − → y n is a tailored protocol for proving a product relation between two hidden vectors a L and a R and the challenge − → y n with zero-knowledge. Consequently, an optimal reduction to the zk-WIP protocol can be obtained in the sense that the prover transmits only a group element in one move during the reduction phase.
Let us explain our reduction to the WIP protocol. The prover begins by sending a commitment A = g a L h a R h α ∈ G to vectors a L and a R with a random α, and the verifier returns random challenges y, z ∈ Z p . Next, both the prover and the verifier can compute A as follows.
Ag −1 n z h 2 n • ← − y n +1 n z V y n+1 g 1 n , − → y n z− 1 n ,2 n y n+1 z− 1 n , − → y n z 2 (13) Here, all the exponents are combinations of the challenges y and z, so that A is publicly computable. Finally, both the prover and the verifier run the WIP argument w.r.t − → y n on input (g, h, g, h, A; a L , a R , α), where One can easily check that the above defined a L , a R , and α are exponents with bases g, h, and h of A, respectively. See the proof of Theorem 2 for completeness. Now, let us explain why the above reduction correctly works. Let β be the exponent with the base g in A, which is set to be 0 by the honest prover. Then, the WIP argument guarantees that the exponent with the base g of A, which is defined as β + vy n+1 + 1 n , − → y n z − 1 n , 2 n y n+1 z − 1 n , − → y n z 2 (14) by (13), is equal to a L y a R . It can be written as = a L y a R + y n+1 · a L , 2 n + (a L − a R ) y (1 n · z) − 1 n , 2 n y n+1 z − 1 n , − → y n z 2 (15) where the fourth equality holds due to (10). Then, since a L , a R , and v are committed to seeing the challenges y and z, we expect that each coefficient of distinct monomials in (14) is equal to the corresponding coefficient in (15). Therefore, (12) should satisfy. The full description of our range proof protocol is provided in Figure 2. The prover sends only one group element A ∈ G for this reduction to the WIP argument of length-n vectors. In total, the prover in the aggregate range proof protocol transmits 2· log 2 (n) +3 elements in G and 3 elements in Z p . The computational cost of both the prover and the verifier is linear in n.
Theorem 2 states the security for range proof protocol and its proof is relegated to Appendix.
Theorem 2: The zero-knowledge argument for the range proof presented in Figure 2 has perfect completeness, perfect honest verifier zero-knowledge and computational witness extended emulation.

B. AGGREGATING RANGE PROOFS
This paper shows that our range proof can be extended to support aggregate range proof as in [3]. That is, when the prover needs to perform m > 1 range proofs simultaneously, the proof size increases only logarithmically in m, so that this work can achieve the shortest proof size even in performing multiple range proofs. More precisely, the relation for aggregating range proofs can be presented by generalizing a single-range proof relation as follows. ). The prover commits to a L ∈ {0, 1} m·n , which is the concatenation of all of the bits for v j 's and satisfies a L , d j = v j for all j ∈ [1, m], and a R := a L − 1 mn . More precisely, the prover sends a commitment A = g a L h a R h α ∈ G to vectors a L and a R with a random α. The difference between a single-range proof is that a L is the concatenation of all binary vectors of v j s; thus, the length is mn. Then, the prover's goal is to prove the knowledge of a L and a R satisfying the following relations: for all j ∈ [1, m], Although the aggregate range proof requires more relations to convince the verifier than the single-range proof, the batching technique used in the single-range proof can be suitably extended. For the challenge z given from the verifier, let d := m j=1 z 2j · d j , and then m relations a L , d j = v j ∀j ∈ [1, m] can be batched to a single relation a L , d = m j=1 z 2j · v j . Here, we use even powers of z since z is already reserved for convincing the other equations. All the other parts of the protocol are essentially the same as the single-range proof protocol.
The full description of our aggregate range proof protocol is provided in Figure 3. The prover sends only one group element A ∈ G for this reduction to the zk-WIP argument of length-mn vectors. In total, the prover in the aggregate range proof protocol transmits 2 · log 2 (m) + log 2 (n) + 3 elements in G and 3 elements in Z p . The computational cost of both the prover and the verifier is linear in mn.
Theorem 3 covers the security statement for the proposed aggregate range proof portocol and its proof is relegated to Appendix.
Theorem 3: The zero-knowledge argument for the range proof presented in Figure 3 has perfect completeness, perfect honest verifier zero-knowledge and computational witness extended emulation.

V. ZERO-KNOWLEDGE ARGUMENT FOR ARITHMETIC CIRCUITS
As another application of the zk-WIP argument, we presents a zero-knowledge proof system for arbitrary arithmetic circuits. Bootle et al. [4] presented a conversion from an arbitrary arithmetic circuit with n multiplication gates into a certain relation containing a Hadamard product with some linear constraints, which is formally described below. Bünz et al. [3] slightly generalizes the relation to include committed values as inputs to the arithmetic circuit so that the converted relation contains the committed values as well. The following relation is for zero-knowledge argument for arithmetic circuits, which is exactly the same as that in Bulletproofs [3], and we also restrict W V ∈ Z Q×m p to be of rank m, as in Bulletproofs.
As in our range proof protocol, our goal for the arithmetic circuit proof is to reduce to the zk-WIP argument, and as a result, only one element is sufficient for reducing zk-WIP in terms of the prover. The whole description of our arithmetic circuit proof is given in Fig. 4. For a concise description, we introduce the notation used in Fig. 4. For an integer z ∈ Z p ,z Q denotes a vector (z, z 3 , z 5 , . . . , z 2Q−1 ) ∈ Z First, the prover sends A = g a L 1 g a O 2 h a R 1 h α , which is a commitment to a L , a O , a R with a random α. Then, the prover's goal is to convince that a L , a O , a R and v j 's satisfy the following relations.
Next, the verifier chooses y and z randomly and sends them to the prover, and both the prover and the verifier compute A as follows.
W L (16) and run the protocol for the zk-WIP w.r.t. − → y 2n on input ((g 1 , g 2 ), (h 1 , h 2 ), g, h, A; a L , a R , α), where One can easily check that the above defined a L , a R , and α are exponents with bases (g 1 , g 2 ), (h 1 , h 2 ), and h of A, respectively. The completeness of our suggestion is described in Theorem 4. Now, let us explain why the above reduction works correctly. Let β be the exponent with the base g in A, which is set to be 0 by the honest prover. Similarly, let a P be the exponent with base h 2 in A, which is set to 0 by the honest prover. Then, the WIP argument guarantees that the exponent with the base g of A, which is defined as by (16), is equal to a L y a R and so is equal to VOLUME 10, 2022 by (17) and (18). a L , a R , and v are committed to first disclose the challenges y and z, so that we expect that each coefficient of distinct monomials in (19) is equal to the corresponding coefficient in (20). This enables to convince the verifier of several relations given in (12). For example, there are no y only terms in (19), but a L y a R + y n · a O y a P − a O y 1 n are y only terms in (20), so that one can obtain a relation a L y a R + y n · a O y a P − a O y 1 n = 0, which implies the desired relation a L • a R = a O . We relegate the detailed calculations for checking the soundness to the proof of Theorem 4. The full description of our arithmetic circuit proof protocol is provided in Fig. 4. The prover sends only one group element A ∈ G for this reduction to the zk-WIP argument of length-2n vectors. In total, the prover of the aggregate range proof protocol transmits 2 · log 2 (n) + 5 elements in G and 3 elements in Z p . The computational cost of the prover and the verifier is linear in n.
Theorem 4 covers the security statement for our zero-knowledge proof protocol for arithmetic circuits and its proof is relegated to Appendix.
Theorem 4: The zero-knowledge argument presented in Fig. 4  For a fair comparison with optimized Bulletproofs implementation, our protocols are implemented in Rust using the curve25519-dalek library for ECC operations [62] and compared with the January 2020 git version of the Bulletproofs implementation by Valence et al. [11], which is, to our knowledge, one of the most optimized Bulletproofs implementations. For more details, we use F p = F 2 255 −19 and point arithmetic in affine Niels coordinates, and both implementations for Bulletproofs and Bulletproofs+ are expected to have 128-bit security [63].

A. PRACTICAL OPTIMIZATIONS 1) REDUCTION TO SINGLE MULTIEXPONENTIATION
Let g and h be the generators used in the final round of the protocol and e i be the challenge from the i-th round. In the last round, the verifier computes g r ·e h s ·e . To avoid computing g and h in every round, we rewrite these final generators g, h as a single multiexponentiation, using recursion unrolling as in [3]. This substantially reduces the computational overhead on the verifier side since a single multiexponentiation can be done much faster than multiplying the results of individual exponentiations.
where s = (s 1 , . . . , s n ), s = (s 1 , . . . , s n ) ∈ Z n p depend on only the challenges (e 1 , . . . , e log 2 (n) ). The scalars s 1 , . . . , s n and s 1 , . . . , s n can be computed by the following simple calculations: Then, the entire verification check in the zk-WIP argument protocol given in Figure 1 reduces to a single multiexponentiation as follows: g r e·s h s e·s g r s h δ

2) REUSE IN SCALARS
As an additional optimization, our implementation uses the dynamic programming paradigm to reduce the number of exponentiations in F p that cover a large part of the computing scalars. For example, consider an exponent of base g while computing A in our range proof protocol (see Figure 2).
We inductively obtain y i by multiplying y by y i−1 , and this result is reused in computing the last term of the exponent of base g. Consequently, we can obtain a resulting scalar for the g only with n + 5 multiplications in F p where we do not count the exponentiations of base 2 as 2 y. We apply the same technique to the implementations of other argument protocols.

3) BATCH VERIFICATION
The batch verification technique in [3] is applicable to Bulletproofs+. Informally, batch verification collapses two independent exponentiations g a ? = 1 and g b ? = 1 into a single exponentiation g a·r+b ? = 1 by picking a random value in F p . Similarly, in our WIP-based argument protocols, the verifier needs to test whether A is correctly computed and invoke the WIP verifier with a reduced proof. Because the bases in both computations are equivalent, we can utilize the batch verification technique to reduce CPU times at the verifier as in Bulletproofs.

B. EXPERIMENTAL RESULTS
We implement our protocols with the above optimizations, and in what follows, we present the results. The experimental results of the range arguments are summarized in Table 2 for each of our metrics. We use three metrics: 1) the size of a proof in bytes, 2) the total CPU time at the prover in milliseconds, and 3) the total CPU time at the verifier. For this purpose, we use Rust's benchmark tests that run our benchmark many times and take the average. When demonstrating CPU times, we omit the total number of iterations made by the test crate.

1) PROOF SIZE
As shown in the previous sections, Bulletproofs+ prover for the range proof transmits 2 · log 2 (m) + log 2 (n) + 6 field or group elements, which are 3 elements smaller than that of Bulletproofs. In general, the Bulletproofs+ prover for an arbitrary arithmetic circuit sends 2 · log 2 (n) + 8 field or group elements that are 5 elements smaller than that of Bulletproofs. In our experimental parameter setting, Bulletproofs+ for the range proof and arithmetic circuit proof always save 96 bytes and 160 bytes, respectively, compared with Bulletproofs, regardless of input size. Table 2 and its graph on the prover's time in Figure 5 show that a Bulletproofs+ prover is slightly faster than that of Bulletproofs. When aggregating more proofs, the ratio between speeds tends to increase in our experimentation. For instance, in the case of a range argument for a single 32-bit secret, our range argument protocol runs 9.7% faster than that of Bulletproofs; additionally, in the case of 64 × 32-bit secrets, our protocol runs 26.8% faster than that of Bulletproofs.

2) PROVER's CPU TIME ON THE AGGREGATE RANGE PROOF
Comparing our WIP prover with a prover in the inner product argument of Bulletproofs, our WIP prover has to perform more operations and exponentiations for blinding factors to achieve zero-knowledgeness. These computational overheads are insignificant compared to heavy multiexponentiations performed in the two provers. The most influential computation is performed during the process of reduction from the aggregate range proof to ingredient protocols (WIP for ours and inner product for Bulletproofs). In fact, the benefit of using WIP is a simpler process in the reduction than the approach used in Bulletproofs. More precisely, Bulletproofs require more multiexponentiations in the reduction process, contrary to a single multiexponentiation in Bulletproofs+.
Bulletproofs+ can gain computational cost for the prover over Bulletproofs by reducing the number of multiexponentiations. Specifically, because WIP prover and an IP prover in Bulletproofs both require to invoke a single multi-exponentiation 2 log 2 (n) times, there is no difference in CPU-time for the provers. However, different from our range argument protocol, the prover in Bulletproofs needs to compute S = g s L h s R h ρ that requires to run a single multi-exponentiation of size 2n + 1 two times. Furthermore, the prover has to compute double exponentiations two times. As a result, total invocations of multi-exponentiations amounts to 2 log 2 (n)+2, in addition to two double exponentiations. On the contrary, Bulletproofs+ performs a single multi-exponentiation of size n + 3 during computing A. Bulletproofs+ also needs to perform a single multi-exponentiation to commit to secrets as A, of size 2n + 1. Therefore, Bulletproofs+ performs a single multi-exponentiation of smaller size among one of multiexponentiations, and Bulletproofs+ removes two double exponentiations. Figure 6 shows that our proposal is comparable to Bulletproofs in terms of the verifier's computational cost. Both of the verification costs in Bulletproofs and Bulletproofs+ are dominated by a single multiexponentiation. In fact, Bulletproofs+ requires a multiexponentiation for computing A during the reduction process. We note that A is taken as input to the WIP protocol so that it eventually becomes  a component in the multiexponentiation performed in the WIP argument protocol. Thus, the verifier can delay the A computation and extend the technique for reduction to single multiexponentiation in Section VI-A. Finally, we obtain a single multiexponentiation.

3) VERIFIER's CPU TIME ON THE AGGREGATE RANGE PROOF
The difference on the size of the single multi-exponentiation between Bulletproofs and Bulletproofs+ may cause a slight difference between the verification speeds. In fact, a similar technique of batching multiple multi-exponentiations is already used in Bulletproofs to merge two multiexponentiations. As mentioned above, our implementation extensively exploits batch verification as well as the single multi-exponentiation technique. Thus although our WIP argument ensures the zero-knowledge property, there is no difference in verifier's time from that of Bulletproofs. The main factor to make our verifier slightly slower (precisely, on average 3.3%) than of Bulletproofs is the size of exponents for multiexponentiations.

VII. CONCLUSION
This paper describes a new short zero-knowledge argument for range proofs and arithmetic circuits without a trusted setup. These proof systems are one of the widely employed proof systems in the blockchain and the proof size is one of the major criteria to be contained in a block. We can achieve the shortest proof size of the proof system categories while preserving the proof cost and the verification cost. Furthermore, we implement Bulletproofs+ and we can show that the proving time and the verification time are comparable to Bulletproofs.
Limitations and Future Work: This paper achieves the smallest proof size in the proof system category without a trusted setup. However, the computational cost for the verifier is still O(n) where n is the circuit size, meaning that the verifier also should execute a circuit as large as the prover's circuit. It causes some inefficiency problems for the verifier depending on the applications such as deep learning and succinct blockchain. Recently, there are a couple of papers that can achieve O(log 2 n) for the verifier. However, these protocols are not transparent [56], [64], some cannot achieve O(log 2 n) proof size [65], or, some require multiexponentiations of large size [6] that still causes inefficiency problem when n is small. Hence, one can raise the following natural and meangingful question: Is there a way to achieve O(log 2 n) at the same time as the proof size and the verifier cost?
and if there is a protocol that can achieve these properties, Bulletproofs-style proof system can be employed in the various applications.