Monero Bulletproofs+ vs Bulletproofs: 2026 Guide
Monero Bulletproofs+ vs Bulletproofs: What Actually Changed
On 13 August 2022, the Monero network upgrade quietly swapped out a piece of cryptography that almost no user ever sees but everyone relies on. Bulletproofs+ replaced the original Bulletproofs range proofs, trimming more bytes off every transaction and shaving verification time for the thousands of full nodes that police the chain. If you have ever moved XMR through a no-KYC service like MoneroSwapper, your transaction carried one of these proofs as cryptographic baggage — mathematical evidence that you are not secretly minting coins out of thin air.
The two names sound almost identical, and the release notes rarely explain the gap. Is Bulletproofs+ a privacy upgrade? A speed upgrade? An entirely new system? Short answer: it is an efficiency upgrade, not a privacy one. This guide breaks down what each proof actually does, why Monero adopted them in October 2018 and August 2022 respectively, and how meaningful the practical difference between them is for an ordinary transaction in 2026.
Why Monero Needs Range Proofs at All
Monero hides transaction amounts using RingCT (Ring Confidential Transactions), introduced in January 2017. Instead of writing the amount in plain text, each output stores a Pedersen commitment of the form C = xG + aH, where a is the hidden amount, x is a random blinding factor, and G and H are fixed elliptic-curve generators. The network can verify that inputs equal outputs without ever learning the numbers involved.
That secrecy creates a dangerous loophole. If nobody can see the amount, what stops a malicious sender from committing to a gigantic value that wraps around the curve's group order — effectively creating XMR from nothing? This is where range proofs earn their keep.
- Inflation defense: A range proof proves that every hidden amount sits inside the valid interval [0, 264) without revealing the figure. No negative amounts, no integer overflow, no counterfeit coins.
- Zero-knowledge: The proof leaks nothing about the actual value. A verifier learns only "this number is in range," never the number itself.
- No trusted setup: Unlike many zk-SNARK constructions, Bulletproofs and Bulletproofs+ require no secret ceremony. There is no toxic waste that could later be used to forge proofs.
- Aggregation: A single proof can cover all of a transaction's outputs at once, so the size grows only logarithmically rather than linearly with each new output.
Every byte spent on these proofs lives on the blockchain forever, replicated across every node on Earth. That is why range-proof efficiency is not a footnote — it directly shapes Monero's fees, sync times, and long-term storage burden, all of which underpin its fungibility.
Bulletproofs: The 2018 Breakthrough
Before Bulletproofs, Monero used Borromean ring signatures to build its range proofs. They worked, but they were brutal on space: the proof grew linearly with the number of bits being proven, and a single two-output transaction ballooned to roughly 13 KB. On a privacy chain that already carries heavy ring signature data, that was unsustainable.
Bulletproofs, proposed by Benedikt Bünz, Jonathan Bootle and co-authors in 2017, landed on Monero's mainnet with the October 2018 network upgrade. The result was dramatic. A typical transaction shrank by around 80%, dropping from ~13 KB to about 2.5 KB, and median fees collapsed by more than 95%. It remains one of the single largest efficiency wins in Monero's history.
How Bulletproofs Work Under the Hood
The engine inside Bulletproofs is the inner-product argument (IPA). The prover encodes the amount's bits into two vectors and must convince the verifier that their inner product equals a specific value. Rather than sending the full vectors, the protocol runs several rounds, halving the vector length each time. After log2(n) rounds, only a handful of curve points remain to transmit.
That logarithmic scaling is the magic. Proving a 64-bit range takes a proof of just a few hundred bytes, and aggregating multiple outputs adds only a couple of extra elements rather than a whole new proof. To make the inner-product argument zero-knowledge, vanilla Bulletproofs bolt on extra blinding terms that get sent alongside the core argument.
Batch Verification
Bulletproofs also let nodes verify many proofs together in a single batched operation, which is far cheaper than checking each one in isolation. This matters enormously when a full node syncs years of history or validates a freshly mined block stuffed with transactions from the mempool.
Bulletproofs+ vs Bulletproofs: The Real Differences
Bulletproofs+ comes from a 2020 paper by Heewon Chung, Kyoohyung Han, Chanyang Ju, Myungsun Kim and Jae Hong Seo. Its core innovation is replacing the inner-product argument with a weighted inner-product (WIP) argument. The WIP folds the zero-knowledge blinding directly into the argument itself, so the prover no longer needs to transmit the separate masking terms that vanilla Bulletproofs required.
Fewer transmitted elements means a smaller proof and a slightly cheaper verification. In Monero's deployment, Bulletproofs+ cut the range-proof portion of a transaction by roughly 5–7% and modestly sped up verification. It is an incremental refinement — nowhere near the 80% leap of 2018, but free savings that compound across millions of transactions and every node's storage.
Crucially, the privacy properties are identical. Both proofs hide amounts equally well; both rely on the same 64-bit range and the same Pedersen commitment scheme. Anyone marketing Bulletproofs+ as "more private" is mistaken. The privacy comes from RingCT, ring signatures and CLSAG — the range proof only guarantees honest amounts.
| Property | Bulletproofs (2018) | Bulletproofs+ (2022) |
|---|---|---|
| Monero activation | October 2018 (v8) | August 2022 (v15) |
| Core argument | Inner-product argument | Weighted inner-product argument |
| Zero-knowledge blinding | Separate extra terms sent | Folded into the argument |
| Proof size vs predecessor | ~80% smaller than Borromean | ~5–7% smaller than Bulletproofs |
| Verification speed | Fast, batchable | Slightly faster, batchable |
| Trusted setup | None | None |
| Range proven | [0, 264) | [0, 264) |
| Privacy impact | Hides amounts | Identical — efficiency only |
The August 2022 upgrade did more than swap the range proof. It also shipped view tags, which sped up wallet scanning by roughly 40%, and bumped the ring size from 11 to 16 decoys. Bulletproofs+ helped offset the extra weight those bigger rings added, keeping transactions lean even as the anonymity set grew.
How a Range Proof Travels Through a Transaction
It helps to see where these proofs sit in the lifecycle of an XMR payment. The steps below trace a single output from creation to confirmation.
- Commit the amount. Your wallet picks a random blinding factor and builds the Pedersen commitment C = xG + aH for each output, hiding the value on-chain.
- Generate the proof. The wallet constructs one aggregated Bulletproofs+ range proof covering every output, proving each amount lies in [0, 264) without exposing it.
- Broadcast. The signed transaction — ring signature data, key image, commitments and the range proof — propagates through the network via Dandelion++ and lands in the mempool.
- Verify. Each full node checks the range proof (often batched with others), confirms inputs balance outputs, and validates the ring signatures before relaying.
- Confirm. A miner includes the transaction in a block; after ten confirmations the funds are considered settled and spendable.
If a single range proof fails verification, the entire transaction is rejected — there is no "partial" acceptance. That all-or-nothing rule is what makes the inflation guarantee airtight.
What the Difference Means in Practice
For a normal user, the switch from Bulletproofs to Bulletproofs+ was invisible. You updated your wallet, and your transactions simply started building the newer proof. No coins became unspendable, no addresses changed, and nothing about your privacy posture shifted. The benefit landed at the network level.
A standard two-input, two-output Monero transaction in 2026 weighs roughly 1.5 KB and costs a fraction of a US cent at normal priority. Bulletproofs+ is one reason that figure stayed low even after the ring size jumped to 16. Multiply the 5–7% range-proof saving across the millions of transactions confirmed each year and you get measurably slimmer blocks, faster initial sync for new nodes, and a lighter footprint for anyone running Monero over Tor on modest hardware.
That efficiency feeds directly into accessibility. Lower fees and smaller transactions make it cheaper to spin up a node, which keeps the network decentralized. When you swap into XMR through MoneroSwapper and withdraw to your own wallet, the proof riding inside that transaction is the same lean Bulletproofs+ object every other 2026 user produces — preserving fungibility, because one XMR output is cryptographically indistinguishable from the next.
It is worth noting that range proofs are only one layer of Monero's privacy stack. Tax authorities such as the IRS and regulators like the SEC scrutinize crypto flows, but a range proof reveals nothing about sender, receiver, or amount. Its sole job is honesty about supply, not anonymity — that work is handled elsewhere in the protocol.
FAQ
Did Bulletproofs+ make my old Monero unspendable?
No. The change was a consensus-level upgrade activated at a specific block height. After the August 2022 fork, updated wallets simply began constructing Bulletproofs+ proofs for new transactions. Coins received under the old Bulletproofs era spend perfectly fine — the proof is generated fresh each time you send, not stored permanently with your balance.
Is Bulletproofs+ more private than Bulletproofs?
No. Both hide amounts to exactly the same degree and prove the identical [0, 264) range. Bulletproofs+ is purely an efficiency improvement — smaller proofs and slightly faster verification. Monero's actual privacy comes from RingCT, stealth addresses and CLSAG ring signatures, none of which the range proof touches.
Do I need to do anything to use Bulletproofs+?
Just run a current wallet. Official Monero software, the GUI and CLI, and reputable third-party wallets have built Bulletproofs+ proofs by default since the 2022 upgrade. There is no setting to toggle and no migration to perform — it is automatic.
Why doesn't Monero use zk-SNARKs instead?
Most efficient zk-SNARK systems require a trusted setup ceremony, which produces secret parameters that, if leaked, could let an attacker forge proofs and inflate the supply undetectably. Bulletproofs and Bulletproofs+ need no such ceremony, aligning with Monero's trustless philosophy. The trade-off is slightly larger proofs and verification that scales with the statement size.
What comes after Bulletproofs+?
The next major leap is FCMP++ (Full-Chain Membership Proofs), which aims to replace ring signatures with a proof that hides each spend among the entire blockchain rather than a ring of 16 decoys. It uses its own proving machinery and has been in active testing through 2025–2026, slated for a future hard fork. Range proofs like Bulletproofs+ will likely keep their job even as FCMP++ overhauls the membership side of privacy.
The Bottom Line
Bulletproofs was the revolution — an 80% size cut that made confidential amounts practical in 2018. Bulletproofs+ is the polish — a 5–7% refinement in 2022 that swapped the inner-product argument for a weighted variant, folding zero-knowledge into the proof and saving bytes on every transaction without changing a thing about your privacy. Knowing the difference means you can spot the marketing myth that calls the newer proof "more anonymous": it simply is not, and it does not need to be.
Both proofs share the same goal — guaranteeing that nobody counterfeits XMR while the amounts stay sealed. That quiet integrity is part of what keeps every coin interchangeable. Ready to put it to work? You can buy Monero anonymously through MoneroSwapper with no account and no KYC, and every output you receive will ship with the same lean, battle-tested Bulletproofs+ proof the rest of the network trusts.
🌍 Read in