tl;dr: Confidential assets are in town! But first, a moment of silence for veiled coins.
Introduction
We chose 16-bit chunks to ensure that the max pending balance chunks never exceed $2^{32}$ after around $2^{16}$ incoming transfers. This, in turn, ensures fast decryption times.
Why so many incoming transfers? There could be use cases, such as payment processors, where seamlessly receiving many transfers is necessary.
Resources
Appendix
BL DL benchmarks for Ristretto255
These were run on a Macbook M3.
| Chunk size | Algorithm | Lowest time | Average time | Highest time |
|---|---|---|---|---|
| 16-bit | Bernstein-Lange1 | 1.67 ms | 2.01 ms | 2.96 ms |
| 32-bit | Bernstein-Lange1 | 7.38 ms | 30.86 ms | 77.00 ms |
| 48-bit | Bernstein-Lange1 | 0.72 s | 4.03 s | 12.78 s |
Something is off here: BL should be faster than baby-step giant-step (BSGS), which would take $2^{16}$ group operations for a 32-bit DL $\Rightarrow$ 0.5 microseconds $2^{16} \approx 32$ ms.
References
For cited works, see below 👇👇