
UkoeHB: It might be worth thinking about transitioning from PoW to SCP in the long run (at or after tail emission). It is a very different trust model and can’t be adopted lightly (or easily, at the implementation level), but the possible benefits are not trivial. 1. no 51% attacks (no mining pools); 2. fast block times (~520s); 3. no confirmation times; 4. no massive energy use (for those concerned about

UkoeHB: sustainability).

rbrunner: I am preparing one more of my Monero-themed short stories and am trying to understand more about the zero-knowledge proofs in the heart of Monero.

rbrunner: I learned that from a purely mathematical point of view ZKPs are not really proofs, but are probabilistic in nature. Very favorable probabilities of course, but still.

rbrunner: So I guess that a Bulletproof also has a probabilistic component. If true I struggle to grasp what that would mean in theory.

rbrunner: Is it mathematically possible at all to construct a Bulletproof for a Monero tx that contains outputs for negative values? Or does that just not work, like you can't divide by 0, in a certain sense?

rbrunner: And about probabilities: Is there a way to quantify more or less how improbable it is that a given Bulletproof is wrong?

rbrunner: Is this in the same region as "Careful, I will guess your private key and then rob you", or significantly worse?

rbrunner: I suspect that there is no known strategy how to construct a "bad" Bulletproof somehow, so if I want one, all that is basically left is akin

rbrunner: to throwing dice and hoping that a very, very, very improbable result appears by chance that I can then exploit. Is that correct?

chad[m]: <rbrunner "So I guess that a Bulletproof al"> Bulletproofs too are probabilistic in nature, and similarly rely on the discrete logarithm assumption. That is, similarly to signatures and other ZKPs, it is theoretically possible to construct a false bulletproof which passes verification, but should be astronomically difficult to construct. To find some such forged proof would require solving a discrete logarithm

chad[m]: of ECC points. So long as our assumption holds that solving an EC discrete logarithm is astronomically hard, then finding such a forged proof should also be astronomically hard.

rbrunner: Thanks, chad!