-
UkoeHB: It might be worth thinking about transitioning from PoW to SCP in the long run (at or after tail emission). It is a very different trust model and can’t be adopted lightly (or easily, at the implementation level), but the possible benefits are not trivial. 1. no 51% attacks (no mining pools); 2. fast block times (~5-20s); 3. no confirmation times; 4. no massive energy use (for those concerned about
-
UkoeHB: sustainability).
-
rbrunner: I am preparing one more of my Monero-themed short stories and am trying to understand more about the zero-knowledge proofs at the heart of Monero
-
rbrunner: I learned that from a purely mathematical point of view ZKPs are not really proofs, but are probabilistic in nature. Very favorable probabilities of course, but still.
-
rbrunner: So I guess that a Bulletproof also has a probabilistic component. If true I struggle to grasp what that would mean in theory.
-
rbrunner: Is it mathematically possible at all to construct a Bulletproof for a Monero tx that contains outputs for negative values? Or does that just not work, like you can't divide by 0, in a certain sense?
-
rbrunner: And about probabilities: Is there a way to quantify more or less how improbable it is that a given Bulletproof is wrong?
-
rbrunner: Is this in the same region as "Careful, I will guess your private key and then rob you", or significantly worse?
-
rbrunner: I suspect that there is no known strategy for constructing a "bad" Bulletproof somehow, so if I want one, all that is basically left is akin
-
rbrunner: to throwing dice and hoping that a very, very, very improbable result appears by chance that I can then exploit. Is that correct?
-
chad[m]: <rbrunner "So I guess that a Bulletproof al"> Bulletproofs too are probabilistic in nature, and similarly rely on the discrete logarithm assumption. That is, similarly to signatures and other ZKPs, it is theoretically possible to construct a false bulletproof which passes verification, but it should be astronomically difficult to construct. To find some such forged proof would require solving a discrete logarithm
-
chad[m]: of ECC points. So long as our assumption holds that solving an EC discrete logarithm is astronomically hard, then finding such a forged proof should also be astronomically hard.
-
rbrunner: Thanks, chad!