diff --git a/.gitignore b/.gitignore
index 049fc2562..cf7da3a04 100644
--- a/.gitignore
+++ b/.gitignore
@@ -110,3 +110,5 @@ nbproject
 /testnet
 
 __pycache__/
+*.pyc
+*.log
diff --git a/src/blockchain_db/blockchain_db.cpp b/src/blockchain_db/blockchain_db.cpp
index a84a4148d..8e68abbe5 100644
--- a/src/blockchain_db/blockchain_db.cpp
+++ b/src/blockchain_db/blockchain_db.cpp
@@ -241,8 +241,15 @@ void BlockchainDB::add_transaction(const crypto::hash& blk_hash, const std::pair
     }
     else
     {
+      rct::key commitment;
+      if (tx.version > 1)
+      {
+        commitment = tx.rct_signatures.outPk[i].mask;
+        if (rct::is_rct_bulletproof_plus(tx.rct_signatures.type))
+          commitment = rct::scalarmult8(commitment);
+      }
       amount_output_indices[i] = add_output(tx_hash, tx.vout[i], i, tx.unlock_time,
-        tx.version > 1 ? &tx.rct_signatures.outPk[i].mask : NULL);
+        tx.version > 1 ? &commitment : NULL);
     }
   }
   add_tx_amount_output_indices(tx_id, amount_output_indices);
diff --git a/src/cryptonote_basic/cryptonote_boost_serialization.h b/src/cryptonote_basic/cryptonote_boost_serialization.h
index c6b81b094..24d452083 100644
--- a/src/cryptonote_basic/cryptonote_boost_serialization.h
+++ b/src/cryptonote_basic/cryptonote_boost_serialization.h
@@ -227,6 +227,20 @@ namespace boost
     a & x.t;
   }
 
+  template <class Archive>
+  inline void serialize(Archive &a, rct::BulletproofPlus &x, const boost::serialization::version_type ver)
+  {
+    a & x.V;
+    a & x.A;
+    a & x.A1;
+    a & x.B;
+    a & x.r1;
+    a & x.s1;
+    a & x.d1;
+    a & x.L;
+    a & x.R;
+  }
+
   template <class Archive>
   inline void serialize(Archive &a, rct::boroSig &x, const boost::serialization::version_type ver)
   {
@@ -305,7 +319,7 @@ namespace boost
     a & x.type;
     if (x.type == rct::RCTTypeNull)
       return;
-    if (x.type != rct::RCTTypeFull && x.type != rct::RCTTypeSimple && x.type != rct::RCTTypeBulletproof && x.type != rct::RCTTypeBulletproof2 && x.type != rct::RCTTypeCLSAG)
+    if (x.type != rct::RCTTypeFull && x.type != rct::RCTTypeSimple && x.type != rct::RCTTypeBulletproof && x.type != rct::RCTTypeBulletproof2 && x.type != rct::RCTTypeCLSAG && x.type != rct::RCTTypeBulletproofPlus)
       throw boost::archive::archive_exception(boost::archive::archive_exception::other_exception, "Unsupported rct type");
     // a & x.message; message is not serialized, as it can be reconstructed from the tx data
     // a & x.mixRing; mixRing is not serialized, as it can be reconstructed from the offsets
@@ -321,7 +335,11 @@ namespace boost
   {
     a & x.rangeSigs;
     if (x.rangeSigs.empty())
+    {
       a & x.bulletproofs;
+      if (ver >= 2u)
+        a & x.bulletproofs_plus;
+    }
     a & x.MGs;
     if (ver >= 1u)
       a & x.CLSAGs;
@@ -335,7 +353,7 @@ namespace boost
     a & x.type;
     if (x.type == rct::RCTTypeNull)
       return;
-    if (x.type != rct::RCTTypeFull && x.type != rct::RCTTypeSimple && x.type != rct::RCTTypeBulletproof && x.type != rct::RCTTypeBulletproof2 && x.type != rct::RCTTypeCLSAG)
+    if (x.type != rct::RCTTypeFull && x.type != rct::RCTTypeSimple && x.type != rct::RCTTypeBulletproof && x.type != rct::RCTTypeBulletproof2 && x.type != rct::RCTTypeCLSAG && x.type != rct::RCTTypeBulletproofPlus)
       throw boost::archive::archive_exception(boost::archive::archive_exception::other_exception, "Unsupported rct type");
     // a & x.message; message is not serialized, as it can be reconstructed from the tx data
     // a & x.mixRing; mixRing is not serialized, as it can be reconstructed from the offsets
@@ -347,11 +365,15 @@ namespace boost
     //--------------
     a & x.p.rangeSigs;
     if (x.p.rangeSigs.empty())
+    {
       a & x.p.bulletproofs;
+      if (ver >= 2u)
+        a & x.p.bulletproofs_plus;
+    }
     a & x.p.MGs;
     if (ver >= 1u)
       a & x.p.CLSAGs;
-    if (x.type == rct::RCTTypeBulletproof || x.type == rct::RCTTypeBulletproof2 || x.type == rct::RCTTypeCLSAG)
+    if (x.type == rct::RCTTypeBulletproof || x.type == rct::RCTTypeBulletproof2 || x.type == rct::RCTTypeCLSAG || x.type == rct::RCTTypeBulletproofPlus)
       a & x.p.pseudoOuts;
   }
 
@@ -392,6 +414,6 @@ namespace boost
 }
 }
 
-BOOST_CLASS_VERSION(rct::rctSigPrunable, 1)
-BOOST_CLASS_VERSION(rct::rctSig, 1)
+BOOST_CLASS_VERSION(rct::rctSigPrunable, 2)
+BOOST_CLASS_VERSION(rct::rctSig, 2)
 BOOST_CLASS_VERSION(rct::multisig_out, 1)
diff --git a/src/cryptonote_basic/cryptonote_format_utils.cpp b/src/cryptonote_basic/cryptonote_format_utils.cpp
index 835f59d69..cedc6f546 100644
--- a/src/cryptonote_basic/cryptonote_format_utils.cpp
+++ b/src/cryptonote_basic/cryptonote_format_utils.cpp
@@ -105,7 +105,9 @@ namespace cryptonote
 
   uint64_t get_transaction_weight_clawback(const transaction &tx, size_t n_padded_outputs)
   {
-    const uint64_t bp_base = 368;
+    const rct::rctSig &rv = tx.rct_signatures;
+    const bool plus = rv.type == rct::RCTTypeBulletproofPlus;
+    const uint64_t bp_base = (32 * ((plus ? 6 : 9) + 7 * 2)) / 2; // notional size of a 2 output proof, normalized to 1 proof (ie, divided by 2)
     const size_t n_outputs = tx.vout.size();
     if (n_padded_outputs <= 2)
       return 0;
@@ -113,7 +115,7 @@ namespace cryptonote
     while ((1u << nlr) < n_padded_outputs)
       ++nlr;
     nlr += 6;
-    const size_t bp_size = 32 * (9 + 2 * nlr);
+    const size_t bp_size = 32 * ((plus ? 6 : 9) + 2 * nlr);
     CHECK_AND_ASSERT_THROW_MES_L1(n_outputs <= BULLETPROOF_MAX_OUTPUTS, "maximum number of outputs is " + std::to_string(BULLETPROOF_MAX_OUTPUTS) + " per transaction");
     CHECK_AND_ASSERT_THROW_MES_L1(bp_base * n_padded_outputs >= bp_size, "Invalid bulletproof clawback: bp_base " + std::to_string(bp_base) + ", n_padded_outputs "
         + std::to_string(n_padded_outputs) + ", bp_size " + std::to_string(bp_size));
@@ -164,7 +166,32 @@ namespace cryptonote
       if (!base_only)
       {
         const bool bulletproof = rct::is_rct_bulletproof(rv.type);
-        if (bulletproof)
+        const bool bulletproof_plus = rct::is_rct_bulletproof_plus(rv.type);
+        if (bulletproof_plus)
+        {
+          if (rv.p.bulletproofs_plus.size() != 1)
+          {
+            LOG_PRINT_L1("Failed to parse transaction from blob, bad bulletproofs_plus size in tx " << get_transaction_hash(tx));
+            return false;
+          }
+          if (rv.p.bulletproofs_plus[0].L.size() < 6)
+          {
+            LOG_PRINT_L1("Failed to parse transaction from blob, bad bulletproofs_plus L size in tx " << get_transaction_hash(tx));
+            return false;
+          }
+          const size_t max_outputs = rct::n_bulletproof_plus_max_amounts(rv.p.bulletproofs_plus[0]);
+          if (max_outputs < tx.vout.size())
+          {
+            LOG_PRINT_L1("Failed to parse transaction from blob, bad bulletproofs_plus max outputs in tx " << get_transaction_hash(tx));
+            return false;
+          }
+          const size_t n_amounts = tx.vout.size();
+          CHECK_AND_ASSERT_MES(n_amounts == rv.outPk.size(), false, "Internal error filling out V");
+          rv.p.bulletproofs_plus[0].V.resize(n_amounts);
+          for (size_t i = 0; i < n_amounts; ++i)
+            rv.p.bulletproofs_plus[0].V[i] = rv.outPk[i].mask;
+        }
+        else if (bulletproof)
         {
           if (rv.p.bulletproofs.size() != 1)
           {
@@ -419,9 +446,11 @@ namespace cryptonote
     if (tx.version < 2)
       return blob_size;
     const rct::rctSig &rv = tx.rct_signatures;
-    if (!rct::is_rct_bulletproof(rv.type))
+    const bool bulletproof = rct::is_rct_bulletproof(rv.type);
+    const bool bulletproof_plus = rct::is_rct_bulletproof_plus(rv.type);
+    if (!bulletproof && !bulletproof_plus)
       return blob_size;
-    const size_t n_padded_outputs = rct::n_bulletproof_max_amounts(rv.p.bulletproofs);
+    const size_t n_padded_outputs = bulletproof_plus ? rct::n_bulletproof_plus_max_amounts(rv.p.bulletproofs_plus) : rct::n_bulletproof_max_amounts(rv.p.bulletproofs);
     uint64_t bp_clawback = get_transaction_weight_clawback(tx, n_padded_outputs);
     CHECK_AND_ASSERT_THROW_MES_L1(bp_clawback <= std::numeric_limits<uint64_t>::max() - blob_size, "Weight overflow");
     return blob_size + bp_clawback;
@@ -431,8 +460,8 @@ namespace cryptonote
   {
     CHECK_AND_ASSERT_MES(tx.pruned, std::numeric_limits<uint64_t>::max(), "get_pruned_transaction_weight does not support non pruned txes");
     CHECK_AND_ASSERT_MES(tx.version >= 2, std::numeric_limits<uint64_t>::max(), "get_pruned_transaction_weight does not support v1 txes");
-    CHECK_AND_ASSERT_MES(tx.rct_signatures.type >= rct::RCTTypeBulletproof2 || tx.rct_signatures.type == rct::RCTTypeCLSAG,
-        std::numeric_limits<uint64_t>::max(), "get_pruned_transaction_weight does not support older range proof types");
+    CHECK_AND_ASSERT_MES(tx.rct_signatures.type == rct::RCTTypeBulletproof2 || tx.rct_signatures.type == rct::RCTTypeCLSAG || tx.rct_signatures.type == rct::RCTTypeBulletproofPlus,
+        std::numeric_limits<uint64_t>::max(), "Unsupported rct_signatures type in get_pruned_transaction_weight");
     CHECK_AND_ASSERT_MES(!tx.vin.empty(), std::numeric_limits<uint64_t>::max(), "empty vin");
     CHECK_AND_ASSERT_MES(tx.vin[0].type() == typeid(cryptonote::txin_to_key), std::numeric_limits<uint64_t>::max(), "empty vin");
 
@@ -450,12 +479,12 @@ namespace cryptonote
     while ((n_padded_outputs = (1u << nrl)) < tx.vout.size())
       ++nrl;
     nrl += 6;
-    extra = 32 * (9 + 2 * nrl) + 2;
+    extra = 32 * ((rct::is_rct_bulletproof_plus(tx.rct_signatures.type) ? 6 : 9) + 2 * nrl) + 2;
     weight += extra;
 
     // calculate deterministic CLSAG/MLSAG data size
     const size_t ring_size = boost::get<cryptonote::txin_to_key>(tx.vin[0]).key_offsets.size();
-    if (tx.rct_signatures.type == rct::RCTTypeCLSAG)
+    if (rct::is_rct_clsag(tx.rct_signatures.type))
       extra = tx.vin.size() * (ring_size + 2) * 32;
     else
       extra = tx.vin.size() * (ring_size * (1 + 1) * 32 + 32 /* cc */);
diff --git a/src/cryptonote_config.h b/src/cryptonote_config.h
index b738960a3..ff61fc036 100644
--- a/src/cryptonote_config.h
+++ b/src/cryptonote_config.h
@@ -182,6 +182,7 @@
 #define HF_VERSION_EXACT_COINBASE               13
 #define HF_VERSION_CLSAG                        13
 #define HF_VERSION_DETERMINISTIC_UNLOCK_TIME    13
+#define HF_VERSION_BULLETPROOF_PLUS             15
 
 #define PER_KB_FEE_QUANTIZATION_DECIMALS        8
 
@@ -190,6 +191,7 @@
 #define DEFAULT_TXPOOL_MAX_WEIGHT               648000000ull // 3 days at 300000, in bytes
 
 #define BULLETPROOF_MAX_OUTPUTS                 16
+#define BULLETPROOF_PLUS_MAX_OUTPUTS            16
 
 #define CRYPTONOTE_PRUNING_STRIPE_SIZE          4096 // the smaller, the smoother the increase
 #define CRYPTONOTE_PRUNING_LOG_STRIPES          3 // the higher, the more space saved
@@ -221,6 +223,8 @@ namespace config
 
   // Hash domain separators
   const char HASH_KEY_BULLETPROOF_EXPONENT[] = "bulletproof";
+  const char HASH_KEY_BULLETPROOF_PLUS_EXPONENT[] = "bulletproof_plus";
+  const char HASH_KEY_BULLETPROOF_PLUS_TRANSCRIPT[] = "bulletproof_plus_transcript";
   const char HASH_KEY_RINGDB[] = "ringdsb";
   const char HASH_KEY_SUBADDRESS[] = "SubAddr";
   const unsigned char HASH_KEY_ENCRYPTED_PAYMENT_ID = 0x8d;
diff --git a/src/cryptonote_core/blockchain.cpp b/src/cryptonote_core/blockchain.cpp
index 34031fb7c..cd9972d1e 100644
--- a/src/cryptonote_core/blockchain.cpp
+++ b/src/cryptonote_core/blockchain.cpp
@@ -3143,6 +3143,32 @@ bool Blockchain::check_tx_outputs(const transaction& tx, tx_verification_context
     }
   }
 
+  // from v15, allow bulletproofs plus
+  if (hf_version < HF_VERSION_BULLETPROOF_PLUS) {
+    if (tx.version >= 2) {
+      const bool bulletproof_plus = rct::is_rct_bulletproof_plus(tx.rct_signatures.type);
+      if (bulletproof_plus || !tx.rct_signatures.p.bulletproofs_plus.empty())
+      {
+        MERROR_VER("Bulletproofs plus are not allowed before v" << std::to_string(HF_VERSION_BULLETPROOF_PLUS));
+        tvc.m_invalid_output = true;
+        return false;
+      }
+    }
+  }
+
+  // from v16, forbid bulletproofs
+  if (hf_version > HF_VERSION_BULLETPROOF_PLUS) {
+    if (tx.version >= 2) {
+      const bool bulletproof = rct::is_rct_bulletproof(tx.rct_signatures.type);
+      if (bulletproof)
+      {
+        MERROR_VER("Bulletproof range proofs are not allowed after v" + std::to_string(HF_VERSION_BULLETPROOF_PLUS));
+        tvc.m_invalid_output = true;
+        return false;
+      }
+    }
+  }
+
   return true;
 }
 //------------------------------------------------------------------
@@ -3183,7 +3209,7 @@ bool Blockchain::expand_transaction_2(transaction &tx, const crypto::hash &tx_pr
       }
     }
   }
-  else if (rv.type == rct::RCTTypeSimple || rv.type == rct::RCTTypeBulletproof || rv.type == rct::RCTTypeBulletproof2 || rv.type == rct::RCTTypeCLSAG)
+  else if (rv.type == rct::RCTTypeSimple || rv.type == rct::RCTTypeBulletproof || rv.type == rct::RCTTypeBulletproof2 || rv.type == rct::RCTTypeCLSAG || rv.type == rct::RCTTypeBulletproofPlus)
   {
     CHECK_AND_ASSERT_MES(!pubkeys.empty() && !pubkeys[0].empty(), false, "empty pubkeys");
     rv.mixRing.resize(pubkeys.size());
@@ -3224,7 +3250,7 @@ bool Blockchain::expand_transaction_2(transaction &tx, const crypto::hash &tx_pr
       }
     }
   }
-  else if (rv.type == rct::RCTTypeCLSAG)
+  else if (rv.type == rct::RCTTypeCLSAG || rv.type == rct::RCTTypeBulletproofPlus)
   {
     if (!tx.pruned)
     {
@@ -3516,6 +3542,7 @@ bool Blockchain::check_tx_inputs(transaction& tx, tx_verification_context &tvc,
     case rct::RCTTypeBulletproof:
     case rct::RCTTypeBulletproof2:
     case rct::RCTTypeCLSAG:
+    case rct::RCTTypeBulletproofPlus:
     {
       // check all this, either reconstructed (so should really pass), or not
       {
@@ -3551,7 +3578,7 @@ bool Blockchain::check_tx_inputs(transaction& tx, tx_verification_context &tvc,
         }
       }
 
-      const size_t n_sigs = rv.type == rct::RCTTypeCLSAG ? rv.p.CLSAGs.size() : rv.p.MGs.size();
+      const size_t n_sigs = rct::is_rct_clsag(rv.type) ? rv.p.CLSAGs.size() : rv.p.MGs.size();
       if (n_sigs != tx.vin.size())
       {
         MERROR_VER("Failed to check ringct signatures: mismatched MGs/vin sizes");
@@ -3560,7 +3587,7 @@ bool Blockchain::check_tx_inputs(transaction& tx, tx_verification_context &tvc,
       for (size_t n = 0; n < tx.vin.size(); ++n)
       {
         bool error;
-        if (rv.type == rct::RCTTypeCLSAG)
+        if (rct::is_rct_clsag(rv.type))
           error = memcmp(&boost::get<txin_to_key>(tx.vin[n]).k_image, &rv.p.CLSAGs[n].I, 32);
         else
           error = rv.p.MGs[n].II.empty() || memcmp(&boost::get<txin_to_key>(tx.vin[n]).k_image, &rv.p.MGs[n].II[0], 32);
diff --git a/src/cryptonote_core/cryptonote_core.cpp b/src/cryptonote_core/cryptonote_core.cpp
index 4c6536318..1da4e2d41 100644
--- a/src/cryptonote_core/cryptonote_core.cpp
+++ b/src/cryptonote_core/cryptonote_core.cpp
@@ -879,6 +879,16 @@ namespace cryptonote
     return true;
   }
   //-----------------------------------------------------------------------------------------------
+  static bool is_canonical_bulletproof_plus_layout(const std::vector<rct::BulletproofPlus> &proofs)
+  {
+    if (proofs.size() != 1)
+      return false;
+    const size_t sz = proofs[0].V.size();
+    if (sz == 0 || sz > BULLETPROOF_PLUS_MAX_OUTPUTS)
+      return false;
+    return true;
+  }
+  //-----------------------------------------------------------------------------------------------
   bool core::handle_incoming_tx_accumulated_batch(std::vector<tx_verification_batch_info> &tx_info, bool keeped_by_block)
   {
     bool ret = true;
@@ -943,6 +953,17 @@ namespace cryptonote
           }
           rvv.push_back(&rv); // delayed batch verification
           break;
+        case rct::RCTTypeBulletproofPlus:
+          if (!is_canonical_bulletproof_plus_layout(rv.p.bulletproofs_plus))
+          {
+            MERROR_VER("Bulletproof_plus does not have canonical form");
+            set_semantics_failed(tx_info[n].tx_hash);
+            tx_info[n].tvc.m_verifivation_failed = true;
+            tx_info[n].result = false;
+            break;
+          }
+          rvv.push_back(&rv); // delayed batch verification
+          break;
         default:
           MERROR_VER("Unknown rct type: " << rv.type);
           set_semantics_failed(tx_info[n].tx_hash);
@@ -960,7 +981,7 @@ namespace cryptonote
       {
         if (!tx_info[n].result)
           continue;
-        if (tx_info[n].tx->rct_signatures.type != rct::RCTTypeBulletproof && tx_info[n].tx->rct_signatures.type != rct::RCTTypeBulletproof2 && tx_info[n].tx->rct_signatures.type != rct::RCTTypeCLSAG)
+        if (tx_info[n].tx->rct_signatures.type != rct::RCTTypeBulletproof && tx_info[n].tx->rct_signatures.type != rct::RCTTypeBulletproof2 && tx_info[n].tx->rct_signatures.type != rct::RCTTypeCLSAG && tx_info[n].tx->rct_signatures.type != rct::RCTTypeBulletproofPlus)
           continue;
         if (assumed_bad || !rct::verRctSemanticsSimple(tx_info[n].tx->rct_signatures))
         {
diff --git a/src/hardforks/hardforks.cpp b/src/hardforks/hardforks.cpp
index 9055b92e3..45db59a67 100644
--- a/src/hardforks/hardforks.cpp
+++ b/src/hardforks/hardforks.cpp
@@ -70,6 +70,9 @@ const hardfork_t mainnet_hard_forks[] = {
 
   { 13, 2210000, 0, 1598180817 },
   { 14, 2210720, 0, 1598180818 },
+
+  { 15, 8000000, 0, 1608223241 }, // temp so tests test with these consensus rules
+  { 16, 8000001, 0, 1608223242 }, // temp so tests test with these consensus rules
 };
 const size_t num_mainnet_hard_forks = sizeof(mainnet_hard_forks) / sizeof(mainnet_hard_forks[0]);
 const uint64_t mainnet_hard_fork_version_1_till = 1009826;
diff --git a/src/ringct/CMakeLists.txt b/src/ringct/CMakeLists.txt
index 40b2dfd55..32da0f5f5 100644
--- a/src/ringct/CMakeLists.txt
+++ b/src/ringct/CMakeLists.txt
@@ -31,13 +31,15 @@ set(ringct_basic_sources
   rctTypes.cpp
   rctCryptoOps.c
   multiexp.cc
-  bulletproofs.cc)
+  bulletproofs.cc
+  bulletproofs_plus.cc)
 
 set(ringct_basic_private_headers
   rctOps.h
   rctTypes.h
   multiexp.h
-  bulletproofs.h)
+  bulletproofs.h
+  bulletproofs_plus.h)
 
 monero_private_headers(ringct_basic
   ${crypto_private_headers})
diff --git a/src/ringct/bulletproofs.cc b/src/ringct/bulletproofs.cc
index a6e12c9b3..1689e5463 100644
--- a/src/ringct/bulletproofs.cc
+++ b/src/ringct/bulletproofs.cc
@@ -70,13 +70,12 @@ static rct::key inner_product(const rct::keyV &a, const rct::keyV &b);
 
 static constexpr size_t maxN = 64;
 static constexpr size_t maxM = BULLETPROOF_MAX_OUTPUTS;
-static rct::key Hi[maxN*maxM], Gi[maxN*maxM];
 static ge_p3 Hi_p3[maxN*maxM], Gi_p3[maxN*maxM];
 static std::shared_ptr<straus_cached_data> straus_HiGi_cache;
 static std::shared_ptr<pippenger_cached_data> pippenger_HiGi_cache;
-static const rct::key TWO = { {0x02, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00  } };
-static const rct::key MINUS_ONE = { { 0xec, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 } };
-static const rct::key MINUS_INV_EIGHT = { { 0x74, 0xa4, 0x19, 0x7a, 0xf0, 0x7d, 0x0b, 0xf7, 0x05, 0xc2, 0xda, 0x25, 0x2b, 0x5c, 0x0b, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a } };
+static const constexpr rct::key TWO = { {0x02, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00  } };
+static const constexpr rct::key MINUS_ONE = { { 0xec, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 } };
+static const constexpr rct::key MINUS_INV_EIGHT = { { 0x74, 0xa4, 0x19, 0x7a, 0xf0, 0x7d, 0x0b, 0xf7, 0x05, 0xc2, 0xda, 0x25, 0x2b, 0x5c, 0x0b, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a } };
 static const rct::keyV oneN = vector_dup(rct::identity(), maxN);
 static const rct::keyV twoN = vector_powers(TWO, maxN);
 static const rct::key ip12 = inner_product(oneN, twoN);
@@ -100,8 +99,7 @@ static inline bool is_reduced(const rct::key &scalar)
 
 static rct::key get_exponent(const rct::key &base, size_t idx)
 {
-  static const std::string domain_separator(config::HASH_KEY_BULLETPROOF_EXPONENT);
-  std::string hashed = std::string((const char*)base.bytes, sizeof(base)) + domain_separator + tools::get_varint_data(idx);
+  std::string hashed = std::string((const char*)base.bytes, sizeof(base)) + config::HASH_KEY_BULLETPROOF_EXPONENT + tools::get_varint_data(idx);
   rct::key e;
   ge_p3 e_p3;
   rct::hash_to_p3(e_p3, rct::hash2rct(crypto::cn_fast_hash(hashed.data(), hashed.size())));
@@ -121,10 +119,10 @@ static void init_exponents()
   data.reserve(maxN*maxM*2);
   for (size_t i = 0; i < maxN*maxM; ++i)
   {
-    Hi[i] = get_exponent(rct::H, i * 2);
-    CHECK_AND_ASSERT_THROW_MES(ge_frombytes_vartime(&Hi_p3[i], Hi[i].bytes) == 0, "ge_frombytes_vartime failed");
-    Gi[i] = get_exponent(rct::H, i * 2 + 1);
-    CHECK_AND_ASSERT_THROW_MES(ge_frombytes_vartime(&Gi_p3[i], Gi[i].bytes) == 0, "ge_frombytes_vartime failed");
+    const rct::key Hi = get_exponent(rct::H, i * 2);
+    CHECK_AND_ASSERT_THROW_MES(ge_frombytes_vartime(&Hi_p3[i], Hi.bytes) == 0, "ge_frombytes_vartime failed");
+    const rct::key Gi = get_exponent(rct::H, i * 2 + 1);
+    CHECK_AND_ASSERT_THROW_MES(ge_frombytes_vartime(&Gi_p3[i], Gi.bytes) == 0, "ge_frombytes_vartime failed");
 
     data.push_back({rct::zero(), Gi_p3[i]});
     data.push_back({rct::zero(), Hi_p3[i]});
@@ -133,11 +131,10 @@ static void init_exponents()
   straus_HiGi_cache = straus_init_cache(data, STRAUS_SIZE_LIMIT);
   pippenger_HiGi_cache = pippenger_init_cache(data, 0, PIPPENGER_SIZE_LIMIT);
 
-  MINFO("Hi/Gi cache size: " << (sizeof(Hi)+sizeof(Gi))/1024 << " kB");
   MINFO("Hi_p3/Gi_p3 cache size: " << (sizeof(Hi_p3)+sizeof(Gi_p3))/1024 << " kB");
   MINFO("Straus cache size: " << straus_get_cache_size(straus_HiGi_cache)/1024 << " kB");
   MINFO("Pippenger cache size: " << pippenger_get_cache_size(pippenger_HiGi_cache)/1024 << " kB");
-  size_t cache_size = (sizeof(Hi)+sizeof(Hi_p3))*2 + straus_get_cache_size(straus_HiGi_cache) + pippenger_get_cache_size(pippenger_HiGi_cache);
+  size_t cache_size = straus_get_cache_size(straus_HiGi_cache) + pippenger_get_cache_size(pippenger_HiGi_cache);
   MINFO("Total cache size: " << cache_size/1024 << "kB");
   init_done = true;
 }
@@ -895,7 +892,8 @@ bool bulletproof_VERIFY(const std::vector<const Bulletproof*> &proofs)
   multiexp_data.resize(2 * maxMN);
 
   PERF_TIMER_START_BP(VERIFY_line_24_25_invert);
-  const std::vector<rct::key> inverses = invert(to_invert);
+  const std::vector<rct::key> inverses = invert(std::move(to_invert));
+  to_invert.clear();
   PERF_TIMER_STOP_BP(VERIFY_line_24_25_invert);
 
   // setup weighted aggregates
diff --git a/src/ringct/bulletproofs_plus.cc b/src/ringct/bulletproofs_plus.cc
new file mode 100644
index 000000000..3d27849c1
--- /dev/null
+++ b/src/ringct/bulletproofs_plus.cc
@@ -0,0 +1,1121 @@
+// Copyright (c) 2017-2020, The Monero Project
+// 
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+// 
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+// 
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+// 
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Implements the Bulletproofs+ prover and verifier algorithms
+//
+// Preprint: https://eprint.iacr.org/2020/735, version 17 Jun 2020
+//
+// NOTE ON NOTATION:
+//  In the signature constructions used in Monero, commitments to zero are treated as
+//      public keys against the curve group generator `G`. This means that amount
+//      commitments must use another generator `H` for values in order to show balance.
+//  The result is that the roles of `g` and `h` in the preprint are effectively swapped
+//      in this code, taking on the roles of `H` and `G`, respectively. Read carefully!
+
+#include <stdlib.h>
+#include <boost/thread/mutex.hpp>
+#include <boost/thread/lock_guard.hpp>
+#include "misc_log_ex.h"
+#include "span.h"
+#include "cryptonote_config.h"
+extern "C"
+{
+#include "crypto/crypto-ops.h"
+}
+#include "rctOps.h"
+#include "multiexp.h"
+#include "bulletproofs_plus.h"
+
+#undef MONERO_DEFAULT_LOG_CATEGORY
+#define MONERO_DEFAULT_LOG_CATEGORY "bulletproof_plus"
+
+#define STRAUS_SIZE_LIMIT 232
+#define PIPPENGER_SIZE_LIMIT 0
+
+namespace rct
+{
+    // Vector functions
+    static rct::key vector_exponent(const rct::keyV &a, const rct::keyV &b);
+    static rct::keyV vector_of_scalar_powers(const rct::key &x, size_t n);
+
+    // Proof bounds
+    static constexpr size_t maxN = 64; // maximum number of bits in range
+    static constexpr size_t maxM = BULLETPROOF_PLUS_MAX_OUTPUTS; // maximum number of outputs to aggregate into a single proof
+
+    // Cached public generators
+    static ge_p3 Hi_p3[maxN*maxM], Gi_p3[maxN*maxM];
+    static std::shared_ptr<straus_cached_data> straus_HiGi_cache;
+    static std::shared_ptr<pippenger_cached_data> pippenger_HiGi_cache;
+
+    // Useful scalar constants
+    static const constexpr rct::key ZERO = { {0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00  } }; // 0
+    static const constexpr rct::key ONE = { {0x01, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00  } }; // 1
+    static const constexpr rct::key TWO = { {0x02, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00  } }; // 2
+    static const constexpr rct::key MINUS_ONE = { { 0xec, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 } }; // -1
+    static const constexpr rct::key MINUS_INV_EIGHT = { { 0x74, 0xa4, 0x19, 0x7a, 0xf0, 0x7d, 0x0b, 0xf7, 0x05, 0xc2, 0xda, 0x25, 0x2b, 0x5c, 0x0b, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a } }; // -(8**(-1))
+    static rct::key TWO_SIXTY_FOUR_MINUS_ONE; // 2**64 - 1
+
+    // Initial transcript hash
+    static rct::key initial_transcript;
+
+    static boost::mutex init_mutex;
+
+    // Use the generator caches to compute a multiscalar multiplication
+    static inline rct::key multiexp(const std::vector<MultiexpData> &data, size_t HiGi_size)
+    {
+        if (HiGi_size > 0)
+        {
+            static_assert(232 <= STRAUS_SIZE_LIMIT, "Straus in precalc mode can only be calculated till STRAUS_SIZE_LIMIT");
+            return HiGi_size <= 232 && data.size() == HiGi_size ? straus(data, straus_HiGi_cache, 0) : pippenger(data, pippenger_HiGi_cache, HiGi_size, get_pippenger_c(data.size()));
+        }
+        else
+        {
+            return data.size() <= 95 ? straus(data, NULL, 0) : pippenger(data, NULL, 0, get_pippenger_c(data.size()));
+        }
+    }
+
+    // Confirm that a scalar is properly reduced
+    static inline bool is_reduced(const rct::key &scalar)
+    {
+        return sc_check(scalar.bytes) == 0;
+    }
+
+    // Use hashed values to produce indexed public generators
+    static ge_p3 get_exponent(const rct::key &base, size_t idx)
+    {
+        std::string hashed = std::string((const char*)base.bytes, sizeof(base)) + config::HASH_KEY_BULLETPROOF_PLUS_EXPONENT + tools::get_varint_data(idx);
+        rct::key generator;
+        ge_p3 generator_p3;
+        rct::hash_to_p3(generator_p3, rct::hash2rct(crypto::cn_fast_hash(hashed.data(), hashed.size())));
+        ge_p3_tobytes(generator.bytes, &generator_p3);
+        CHECK_AND_ASSERT_THROW_MES(!(generator == rct::identity()), "Exponent is point at infinity");
+        return generator_p3;
+    }
+
+    // Construct public generators
+    static void init_exponents()
+    {
+        boost::lock_guard<boost::mutex> lock(init_mutex);
+
+        // Only needs to be done once
+        static bool init_done = false;
+        if (init_done)
+            return;
+
+        std::vector<MultiexpData> data;
+        data.reserve(maxN*maxM*2);
+        for (size_t i = 0; i < maxN*maxM; ++i)
+        {
+            Hi_p3[i] = get_exponent(rct::H, i * 2);
+            Gi_p3[i] = get_exponent(rct::H, i * 2 + 1);
+
+            data.push_back({rct::zero(), Gi_p3[i]});
+            data.push_back({rct::zero(), Hi_p3[i]});
+        }
+
+        straus_HiGi_cache = straus_init_cache(data, STRAUS_SIZE_LIMIT);
+        pippenger_HiGi_cache = pippenger_init_cache(data, 0, PIPPENGER_SIZE_LIMIT);
+
+        // Compute 2**64 - 1 for later use in simplifying verification
+        TWO_SIXTY_FOUR_MINUS_ONE = TWO;
+        for (size_t i = 0; i < 6; i++)
+        {
+            sc_mul(TWO_SIXTY_FOUR_MINUS_ONE.bytes, TWO_SIXTY_FOUR_MINUS_ONE.bytes, TWO_SIXTY_FOUR_MINUS_ONE.bytes);
+        }
+        sc_sub(TWO_SIXTY_FOUR_MINUS_ONE.bytes, TWO_SIXTY_FOUR_MINUS_ONE.bytes, ONE.bytes);
+
+        // Generate the initial Fiat-Shamir transcript hash, which is constant across all proofs
+        const std::string domain_separator(config::HASH_KEY_BULLETPROOF_PLUS_TRANSCRIPT);
+        ge_p3 initial_transcript_p3;
+        rct::hash_to_p3(initial_transcript_p3, rct::hash2rct(crypto::cn_fast_hash(domain_separator.data(), domain_separator.size())));
+        ge_p3_tobytes(initial_transcript.bytes, &initial_transcript_p3);
+
+        init_done = true;
+    }
+
+    // Given two scalar arrays, construct a vector pre-commitment:
+    //
+    // a = (a_0, ..., a_{n-1})
+    // b = (b_0, ..., b_{n-1})
+    //
+    // Outputs a_0*Gi_0 + ... + a_{n-1}*Gi_{n-1} +
+    //         b_0*Hi_0 + ... + b_{n-1}*Hi_{n-1}
+    static rct::key vector_exponent(const rct::keyV &a, const rct::keyV &b)
+    {
+        CHECK_AND_ASSERT_THROW_MES(a.size() == b.size(), "Incompatible sizes of a and b");
+        CHECK_AND_ASSERT_THROW_MES(a.size() <= maxN*maxM, "Incompatible sizes of a and maxN");
+
+        std::vector<MultiexpData> multiexp_data;
+        multiexp_data.reserve(a.size()*2);
+        for (size_t i = 0; i < a.size(); ++i)
+        {
+            multiexp_data.emplace_back(a[i], Gi_p3[i]);
+            multiexp_data.emplace_back(b[i], Hi_p3[i]);
+        }
+        return multiexp(multiexp_data, 2 * a.size());
+    }
+
+    // Helper function used to compute the L and R terms used in the inner-product round function
+    static rct::key compute_LR(size_t size, const rct::key &y, const std::vector<ge_p3> &G, size_t G0, const std::vector<ge_p3> &H, size_t H0, const rct::keyV &a, size_t a0, const rct::keyV &b, size_t b0, const rct::key &c, const rct::key &d)
+    {
+        CHECK_AND_ASSERT_THROW_MES(size + G0 <= G.size(), "Incompatible size for G");
+        CHECK_AND_ASSERT_THROW_MES(size + H0 <= H.size(), "Incompatible size for H");
+        CHECK_AND_ASSERT_THROW_MES(size + a0 <= a.size(), "Incompatible size for a");
+        CHECK_AND_ASSERT_THROW_MES(size + b0 <= b.size(), "Incompatible size for b");
+        CHECK_AND_ASSERT_THROW_MES(size <= maxN*maxM, "size is too large");
+
+        std::vector<MultiexpData> multiexp_data;
+        multiexp_data.resize(size*2 + 2);
+        rct::key temp;
+        for (size_t i = 0; i < size; ++i)
+        {
+            sc_mul(temp.bytes, a[a0+i].bytes, y.bytes);
+            sc_mul(multiexp_data[i*2].scalar.bytes, temp.bytes, INV_EIGHT.bytes);
+            multiexp_data[i*2].point = G[G0+i];
+
+            sc_mul(multiexp_data[i*2+1].scalar.bytes, b[b0+i].bytes, INV_EIGHT.bytes);
+            multiexp_data[i*2+1].point = H[H0+i];
+        }
+
+        sc_mul(multiexp_data[2*size].scalar.bytes, c.bytes, INV_EIGHT.bytes);
+        ge_p3 H_p3;
+        ge_frombytes_vartime(&H_p3, rct::H.bytes);
+        multiexp_data[2*size].point = H_p3;
+
+        sc_mul(multiexp_data[2*size+1].scalar.bytes, d.bytes, INV_EIGHT.bytes);
+        ge_p3 G_p3;
+        ge_frombytes_vartime(&G_p3, rct::G.bytes);
+        multiexp_data[2*size+1].point = G_p3;
+
+        return multiexp(multiexp_data, 0);
+    }
+
+    // Given a scalar, construct a vector of its powers:
+    //
+    // Output (1,x,x**2,...,x**{n-1})
+    static rct::keyV vector_of_scalar_powers(const rct::key &x, size_t n)
+    {
+        CHECK_AND_ASSERT_THROW_MES(n != 0, "Need n > 0");
+
+        rct::keyV res(n);
+        res[0] = rct::identity();
+        if (n == 1)
+            return res;
+        res[1] = x;
+        for (size_t i = 2; i < n; ++i)
+        {
+            sc_mul(res[i].bytes, res[i-1].bytes, x.bytes);
+        }
+        return res;
+    }
+
+    // Given a scalar, construct the sum of its powers from 2 to n (where n is a power of 2):
+    //
+    // Output x**2 + x**4 + x**6 + ... + x**n
+    static rct::key sum_of_even_powers(const rct::key &x, size_t n)
+    {
+        CHECK_AND_ASSERT_THROW_MES((n & (n - 1)) == 0, "Need n to be a power of 2");
+        CHECK_AND_ASSERT_THROW_MES(n != 0, "Need n > 0");
+
+        rct::key x1 = copy(x);
+        sc_mul(x1.bytes, x1.bytes, x1.bytes);
+
+        rct::key res = copy(x1);
+        while (n > 2)
+        {
+            sc_muladd(res.bytes, x1.bytes, res.bytes, res.bytes);
+            sc_mul(x1.bytes, x1.bytes, x1.bytes);
+            n /= 2;
+        }
+
+        return res;
+    }
+
+    // Given a scalar, return the sum of its powers from 1 to n
+    //
+    // Output x**1 + x**2 + x**3 + ... + x**n
+    static rct::key sum_of_scalar_powers(const rct::key &x, size_t n)
+    {
+        CHECK_AND_ASSERT_THROW_MES(n != 0, "Need n > 0");
+
+        rct::key res = ONE;
+        if (n == 1)
+            return x;
+
+        n += 1;
+        rct::key x1 = copy(x);
+
+        const bool is_power_of_2 = (n & (n - 1)) == 0;
+        if (is_power_of_2)
+        {
+            sc_add(res.bytes, res.bytes, x1.bytes);
+            while (n > 2)
+            {
+                sc_mul(x1.bytes, x1.bytes, x1.bytes);
+                sc_muladd(res.bytes, x1.bytes, res.bytes, res.bytes);
+                n /= 2;
+            }
+        }
+        else
+        {
+            rct::key prev = x1;
+            for (size_t i = 1; i < n; ++i)
+            {
+                if (i > 1)
+                    sc_mul(prev.bytes, prev.bytes, x1.bytes);
+                sc_add(res.bytes, res.bytes, prev.bytes);
+            }
+        }
+        sc_sub(res.bytes, res.bytes, ONE.bytes);
+
+        return res;
+    }
+
+    // Given two scalar arrays, construct the weighted inner product against another scalar
+    //
+    // Output a_0*b_0*y**1 + a_1*b_1*y**2 + ... + a_{n-1}*b_{n-1}*y**n
+    static rct::key weighted_inner_product(const epee::span<const rct::key> &a, const epee::span<const rct::key> &b, const rct::key &y)
+    {
+        CHECK_AND_ASSERT_THROW_MES(a.size() == b.size(), "Incompatible sizes of a and b");
+        rct::key res = rct::zero();
+        rct::key y_power = ONE;
+        rct::key temp;
+        for (size_t i = 0; i < a.size(); ++i)
+        {
+            sc_mul(temp.bytes, a[i].bytes, b[i].bytes);
+            sc_mul(y_power.bytes, y_power.bytes, y.bytes);
+            sc_muladd(res.bytes, temp.bytes, y_power.bytes, res.bytes);
+        }
+        return res;
+    }
+
+    static rct::key weighted_inner_product(const rct::keyV &a, const epee::span<const rct::key> &b, const rct::key &y)
+    {
+        CHECK_AND_ASSERT_THROW_MES(a.size() == b.size(), "Incompatible sizes of a and b");
+        return weighted_inner_product(epee::to_span(a), b, y);
+    }
+
+    // Fold inner-product point vectors
+    static void hadamard_fold(std::vector<ge_p3> &v, const rct::key &a, const rct::key &b)
+    {
+        CHECK_AND_ASSERT_THROW_MES((v.size() & 1) == 0, "Vector size should be even");
+        const size_t sz = v.size() / 2;
+        for (size_t n = 0; n < sz; ++n)
+        {
+            ge_dsmp c[2];
+            ge_dsm_precomp(c[0], &v[n]);
+            ge_dsm_precomp(c[1], &v[sz + n]);
+            ge_double_scalarmult_precomp_vartime2_p3(&v[n], a.bytes, c[0], b.bytes, c[1]);
+        }
+        v.resize(sz);
+    }
+
+    // Add vectors componentwise
+    static rct::keyV vector_add(const rct::keyV &a, const rct::keyV &b)
+    {
+        CHECK_AND_ASSERT_THROW_MES(a.size() == b.size(), "Incompatible sizes of a and b");
+        rct::keyV res(a.size());
+        for (size_t i = 0; i < a.size(); ++i)
+        {
+            sc_add(res[i].bytes, a[i].bytes, b[i].bytes);
+        }
+        return res;
+    }
+
+    // Add a scalar to all elements of a vector
+    static rct::keyV vector_add(const rct::keyV &a, const rct::key &b)
+    {
+        rct::keyV res(a.size());
+        for (size_t i = 0; i < a.size(); ++i)
+        {
+            sc_add(res[i].bytes, a[i].bytes, b.bytes);
+        }
+        return res;
+    }
+
+    // Subtract a scalar from all elements of a vector
+    static rct::keyV vector_subtract(const rct::keyV &a, const rct::key &b)
+    {
+        rct::keyV res(a.size());
+        for (size_t i = 0; i < a.size(); ++i)
+        {
+            sc_sub(res[i].bytes, a[i].bytes, b.bytes);
+        }
+        return res;
+    }
+
+    // Multiply a scalar by all elements of a vector
+    static rct::keyV vector_scalar(const epee::span<const rct::key> &a, const rct::key &x)
+    {
+        rct::keyV res(a.size());
+        for (size_t i = 0; i < a.size(); ++i)
+        {
+            sc_mul(res[i].bytes, a[i].bytes, x.bytes);
+        }
+        return res;
+    }
+
+    // Inversion helper function
+    static rct::key sm(rct::key y, int n, const rct::key &x)
+    {
+        while (n--)
+            sc_mul(y.bytes, y.bytes, y.bytes);
+        sc_mul(y.bytes, y.bytes, x.bytes);
+        return y;
+    }
+
+    // Compute the inverse of a nonzero
+    static rct::key invert(const rct::key &x)
+    {
+        CHECK_AND_ASSERT_THROW_MES(!(x == ZERO), "Cannot invert zero!");
+        rct::key _1, _10, _100, _11, _101, _111, _1001, _1011, _1111;
+
+        _1 = x;
+        sc_mul(_10.bytes, _1.bytes, _1.bytes);
+        sc_mul(_100.bytes, _10.bytes, _10.bytes);
+        sc_mul(_11.bytes, _10.bytes, _1.bytes);
+        sc_mul(_101.bytes, _10.bytes, _11.bytes);
+        sc_mul(_111.bytes, _10.bytes, _101.bytes);
+        sc_mul(_1001.bytes, _10.bytes, _111.bytes);
+        sc_mul(_1011.bytes, _10.bytes, _1001.bytes);
+        sc_mul(_1111.bytes, _100.bytes, _1011.bytes);
+
+        rct::key inv;
+        sc_mul(inv.bytes, _1111.bytes, _1.bytes);
+
+        inv = sm(inv, 123 + 3, _101);
+        inv = sm(inv, 2 + 2, _11);
+        inv = sm(inv, 1 + 4, _1111);
+        inv = sm(inv, 1 + 4, _1111);
+        inv = sm(inv, 4, _1001);
+        inv = sm(inv, 2, _11);
+        inv = sm(inv, 1 + 4, _1111);
+        inv = sm(inv, 1 + 3, _101);
+        inv = sm(inv, 3 + 3, _101);
+        inv = sm(inv, 3, _111);
+        inv = sm(inv, 1 + 4, _1111);
+        inv = sm(inv, 2 + 3, _111);
+        inv = sm(inv, 2 + 2, _11);
+        inv = sm(inv, 1 + 4, _1011);
+        inv = sm(inv, 2 + 4, _1011);
+        inv = sm(inv, 6 + 4, _1001);
+        inv = sm(inv, 2 + 2, _11);
+        inv = sm(inv, 3 + 2, _11);
+        inv = sm(inv, 3 + 2, _11);
+        inv = sm(inv, 1 + 4, _1001);
+        inv = sm(inv, 1 + 3, _111);
+        inv = sm(inv, 2 + 4, _1111);
+        inv = sm(inv, 1 + 4, _1011);
+        inv = sm(inv, 3, _101);
+        inv = sm(inv, 2 + 4, _1111);
+        inv = sm(inv, 3, _101);
+        inv = sm(inv, 1 + 2, _11);
+
+        return inv;
+    }
+
+    // Invert a batch of scalars, all of which _must_ be nonzero
+    static rct::keyV invert(rct::keyV x)
+    {
+        rct::keyV scratch;
+        scratch.reserve(x.size());
+
+        rct::key acc = rct::identity();
+        for (size_t n = 0; n < x.size(); ++n)
+        {
+            CHECK_AND_ASSERT_THROW_MES(!(x[n] == ZERO), "Cannot invert zero!");
+            scratch.push_back(acc);
+            if (n == 0)
+                acc = x[0];
+            else
+                sc_mul(acc.bytes, acc.bytes, x[n].bytes);
+        }
+
+        acc = invert(acc);
+
+        rct::key tmp;
+        for (int i = x.size(); i-- > 0; )
+        {
+            sc_mul(tmp.bytes, acc.bytes, x[i].bytes);
+            sc_mul(x[i].bytes, acc.bytes, scratch[i].bytes);
+            acc = tmp;
+        }
+
+        return x;
+    }
+
+    // Compute the slice of a vector
+    static epee::span<const rct::key> slice(const rct::keyV &a, size_t start, size_t stop)
+    {
+        CHECK_AND_ASSERT_THROW_MES(start < a.size(), "Invalid start index");
+        CHECK_AND_ASSERT_THROW_MES(stop <= a.size(), "Invalid stop index");
+        CHECK_AND_ASSERT_THROW_MES(start < stop, "Invalid start/stop indices");
+        return epee::span<const rct::key>(&a[start], stop - start);
+    }
+
+    // Update the transcript
+    static rct::key transcript_update(rct::key &transcript, const rct::key &update_0)
+    {
+        rct::key data[2];
+        data[0] = transcript;
+        data[1] = update_0;
+        rct::hash_to_scalar(transcript, data, sizeof(data));
+        return transcript;
+    }
+
+    static rct::key transcript_update(rct::key &transcript, const rct::key &update_0, const rct::key &update_1)
+    {
+        rct::key data[3];
+        data[0] = transcript;
+        data[1] = update_0;
+        data[2] = update_1;
+        rct::hash_to_scalar(transcript, data, sizeof(data));
+        return transcript;
+    }
+
+    // Given a value v [0..2**N) and a mask gamma, construct a range proof
+    BulletproofPlus bulletproof_plus_PROVE(const rct::key &sv, const rct::key &gamma)
+    {
+        return bulletproof_plus_PROVE(rct::keyV(1, sv), rct::keyV(1, gamma));
+    }
+
+    BulletproofPlus bulletproof_plus_PROVE(uint64_t v, const rct::key &gamma)
+    {
+        return bulletproof_plus_PROVE(std::vector<uint64_t>(1, v), rct::keyV(1, gamma));
+    }
+
+    // Given a set of values v [0..2**N) and masks gamma, construct a range proof
+    BulletproofPlus bulletproof_plus_PROVE(const rct::keyV &sv, const rct::keyV &gamma)
+    {
+        // Sanity check on inputs
+        CHECK_AND_ASSERT_THROW_MES(sv.size() == gamma.size(), "Incompatible sizes of sv and gamma");
+        CHECK_AND_ASSERT_THROW_MES(!sv.empty(), "sv is empty");
+        for (const rct::key &sve: sv)
+            CHECK_AND_ASSERT_THROW_MES(is_reduced(sve), "Invalid sv input");
+        for (const rct::key &g: gamma)
+            CHECK_AND_ASSERT_THROW_MES(is_reduced(g), "Invalid gamma input");
+
+        init_exponents();
+
+        // Useful proof bounds
+        //
+        // N: number of bits in each range (here, 64)
+        // logN: base-2 logarithm
+        // M: first power of 2 greater than or equal to the number of range proofs to aggregate
+        // logM: base-2 logarithm
+        constexpr size_t logN = 6; // log2(64)
+        constexpr size_t N = 1<<logN;
+        size_t M, logM;
+        for (logM = 0; (M = 1<<logM) <= maxM && M < sv.size(); ++logM);
+        CHECK_AND_ASSERT_THROW_MES(M <= maxM, "sv/gamma are too large");
+        const size_t logMN = logM + logN;
+        const size_t MN = M * N;
+
+        rct::keyV V(sv.size());
+        rct::keyV aL(MN), aR(MN);
+        rct::keyV aL8(MN), aR8(MN);
+        rct::key temp;
+        rct::key temp2;
+
+        // Prepare output commitments and offset by a factor of 8**(-1)
+        //
+        // This offset is applied to other group elements as well;
+        //  it allows us to apply a multiply-by-8 operation in the verifier efficiently
+        //  to ensure that the resulting group elements are in the prime-order point subgroup
+        //  and avoid much more constly multiply-by-group-order operations.
+        for (size_t i = 0; i < sv.size(); ++i)
+        {
+            rct::key gamma8, sv8;
+            sc_mul(gamma8.bytes, gamma[i].bytes, INV_EIGHT.bytes);
+            sc_mul(sv8.bytes, sv[i].bytes, INV_EIGHT.bytes);
+            rct::addKeys2(V[i], gamma8, sv8, rct::H);
+        }
+
+        // Decompose values
+        //
+        // Note that this effectively pads the set to a power of 2, which is required for the inner-product argument later.
+        for (size_t j = 0; j < M; ++j)
+        {
+            for (size_t i = N; i-- > 0; )
+            {
+                if (j < sv.size() && (sv[j][i/8] & (((uint64_t)1)<<(i%8))))
+                {
+                    aL[j*N+i] = rct::identity();
+                    aL8[j*N+i] = INV_EIGHT;
+                    aR[j*N+i] = aR8[j*N+i] = rct::zero();
+                }
+                else
+                {
+                    aL[j*N+i] = aL8[j*N+i] = rct::zero();
+                    aR[j*N+i] = MINUS_ONE;
+                    aR8[j*N+i] = MINUS_INV_EIGHT;
+                }
+            }
+        }
+
+try_again:
+        // This is a Fiat-Shamir transcript
+        rct::key transcript = copy(initial_transcript);
+        transcript = transcript_update(transcript, rct::hash_to_scalar(V));
+
+        // A
+        rct::key alpha = rct::skGen();
+        rct::key pre_A = vector_exponent(aL8, aR8);
+        rct::key A;
+        sc_mul(temp.bytes, alpha.bytes, INV_EIGHT.bytes);
+        rct::addKeys(A, pre_A, rct::scalarmultBase(temp));
+
+        // Challenges
+        rct::key y = transcript_update(transcript, A);
+        if (y == rct::zero())
+        {
+            MINFO("y is 0, trying again");
+            goto try_again;
+        }
+        rct::key z = transcript = rct::hash_to_scalar(y);
+        if (z == rct::zero())
+        {
+            MINFO("z is 0, trying again");
+            goto try_again;
+        }
+        rct::key z_squared;
+        sc_mul(z_squared.bytes, z.bytes, z.bytes);
+
+        // Windowed vector
+        // d[j*N+i] = z**(2*(j+1)) * 2**i
+        //
+        // We compute this iteratively in order to reduce scalar operations.
+        rct::keyV d(MN, rct::zero());
+        d[0] = z_squared;
+        for (size_t i = 1; i < N; i++)
+        {
+            sc_mul(d[i].bytes, d[i-1].bytes, TWO.bytes);
+        }
+
+        for (size_t j = 1; j < M; j++)
+        {
+            for (size_t i = 0; i < N; i++)
+            {
+                sc_mul(d[j*N+i].bytes, d[(j-1)*N+i].bytes, z_squared.bytes);
+            }
+        }
+
+        rct::keyV y_powers = vector_of_scalar_powers(y, MN+2);
+
+        // Prepare inner product terms
+        rct::keyV aL1 = vector_subtract(aL, z);
+
+        rct::keyV aR1 = vector_add(aR, z);
+        rct::keyV d_y(MN);
+        for (size_t i = 0; i < MN; i++)
+        {
+            sc_mul(d_y[i].bytes, d[i].bytes, y_powers[MN-i].bytes);
+        }
+        aR1 = vector_add(aR1, d_y);
+
+        rct::key alpha1 = alpha;
+        temp = ONE;
+        for (size_t j = 0; j < sv.size(); j++)
+        {
+            sc_mul(temp.bytes, temp.bytes, z_squared.bytes);
+            sc_mul(temp2.bytes, y_powers[MN+1].bytes, temp.bytes);
+            sc_mul(temp2.bytes, temp2.bytes, gamma[j].bytes);
+            sc_add(alpha1.bytes, alpha1.bytes, temp2.bytes);
+        }
+
+        // These are used in the inner product rounds
+        size_t nprime = MN;
+        std::vector<ge_p3> Gprime(MN);
+        std::vector<ge_p3> Hprime(MN);
+        rct::keyV aprime(MN);
+        rct::keyV bprime(MN);
+
+        const rct::key yinv = invert(y);
+        rct::keyV yinvpow(MN);
+        yinvpow[0] = ONE;
+        for (size_t i = 0; i < MN; ++i)
+        {
+            Gprime[i] = Gi_p3[i];
+            Hprime[i] = Hi_p3[i];
+            if (i > 0)
+            {
+                sc_mul(yinvpow[i].bytes, yinvpow[i-1].bytes, yinv.bytes);
+            }
+            aprime[i] = aL1[i];
+            bprime[i] = aR1[i];
+        }
+        rct::keyV L(logMN);
+        rct::keyV R(logMN);
+        int round = 0;
+
+        // Inner-product rounds
+        while (nprime > 1)
+        {
+            nprime /= 2;
+
+            rct::key cL = weighted_inner_product(slice(aprime, 0, nprime), slice(bprime, nprime, bprime.size()), y);
+            rct::key cR = weighted_inner_product(vector_scalar(slice(aprime, nprime, aprime.size()), y_powers[nprime]), slice(bprime, 0, nprime), y);
+
+            rct::key dL = rct::skGen();
+            rct::key dR = rct::skGen();
+
+            L[round] = compute_LR(nprime, yinvpow[nprime], Gprime, nprime, Hprime, 0, aprime, 0, bprime, nprime, cL, dL);
+            R[round] = compute_LR(nprime, y_powers[nprime], Gprime, 0, Hprime, nprime, aprime, nprime, bprime, 0, cR, dR);
+
+            const rct::key challenge = transcript_update(transcript, L[round], R[round]);
+            if (challenge == rct::zero())
+            {
+                MINFO("challenge is 0, trying again");
+                goto try_again;
+            }
+
+            const rct::key challenge_inv = invert(challenge);
+
+            sc_mul(temp.bytes, yinvpow[nprime].bytes, challenge.bytes);
+            hadamard_fold(Gprime, challenge_inv, temp);
+            hadamard_fold(Hprime, challenge, challenge_inv);
+
+            sc_mul(temp.bytes, challenge_inv.bytes, y_powers[nprime].bytes);
+            aprime = vector_add(vector_scalar(slice(aprime, 0, nprime), challenge), vector_scalar(slice(aprime, nprime, aprime.size()), temp));
+            bprime = vector_add(vector_scalar(slice(bprime, 0, nprime), challenge_inv), vector_scalar(slice(bprime, nprime, bprime.size()), challenge));
+
+            rct::key challenge_squared;
+            sc_mul(challenge_squared.bytes, challenge.bytes, challenge.bytes);
+            rct::key challenge_squared_inv = invert(challenge_squared);
+            sc_muladd(alpha1.bytes, dL.bytes, challenge_squared.bytes, alpha1.bytes);
+            sc_muladd(alpha1.bytes, dR.bytes, challenge_squared_inv.bytes, alpha1.bytes);
+
+            ++round;
+        }
+
+        // Final round computations
+        rct::key r = rct::skGen();
+        rct::key s = rct::skGen();
+        rct::key d_ = rct::skGen();
+        rct::key eta = rct::skGen();
+
+        std::vector<MultiexpData> A1_data;
+        A1_data.reserve(4);
+        A1_data.resize(4);
+
+        sc_mul(A1_data[0].scalar.bytes, r.bytes, INV_EIGHT.bytes);
+        A1_data[0].point = Gprime[0];
+
+        sc_mul(A1_data[1].scalar.bytes, s.bytes, INV_EIGHT.bytes);
+        A1_data[1].point = Hprime[0];
+
+        sc_mul(A1_data[2].scalar.bytes, d_.bytes, INV_EIGHT.bytes);
+        ge_p3 G_p3;
+        ge_frombytes_vartime(&G_p3, rct::G.bytes);
+        A1_data[2].point = G_p3;
+
+        sc_mul(temp.bytes, r.bytes, y.bytes);
+        sc_mul(temp.bytes, temp.bytes, bprime[0].bytes);
+        sc_mul(temp2.bytes, s.bytes, y.bytes);
+        sc_mul(temp2.bytes, temp2.bytes, aprime[0].bytes);
+        sc_add(temp.bytes, temp.bytes, temp2.bytes);
+        sc_mul(A1_data[3].scalar.bytes, temp.bytes, INV_EIGHT.bytes);
+        ge_p3 H_p3;
+        ge_frombytes_vartime(&H_p3, rct::H.bytes);
+        A1_data[3].point = H_p3;
+
+        rct::key A1 = multiexp(A1_data, 0);
+
+        sc_mul(temp.bytes, r.bytes, y.bytes);
+        sc_mul(temp.bytes, temp.bytes, s.bytes);
+        sc_mul(temp.bytes, temp.bytes, INV_EIGHT.bytes);
+        sc_mul(temp2.bytes, eta.bytes, INV_EIGHT.bytes);
+        rct::key B;
+        rct::addKeys2(B, temp2, temp, rct::H);
+
+        rct::key e = transcript_update(transcript, A1, B);
+        if (e == rct::zero())
+        {
+            MINFO("e is 0, trying again");
+            goto try_again;
+        }
+        rct::key e_squared;
+        sc_mul(e_squared.bytes, e.bytes, e.bytes);
+
+        rct::key r1;
+        sc_muladd(r1.bytes, aprime[0].bytes, e.bytes, r.bytes);
+
+        rct::key s1;
+        sc_muladd(s1.bytes, bprime[0].bytes, e.bytes, s.bytes);
+
+        rct::key d1;
+        sc_muladd(d1.bytes, d_.bytes, e.bytes, eta.bytes);
+        sc_muladd(d1.bytes, alpha1.bytes, e_squared.bytes, d1.bytes);
+
+        return BulletproofPlus(std::move(V), A, A1, B, r1, s1, d1, std::move(L), std::move(R));
+    }
+
+    BulletproofPlus bulletproof_plus_PROVE(const std::vector<uint64_t> &v, const rct::keyV &gamma)
+    {
+        CHECK_AND_ASSERT_THROW_MES(v.size() == gamma.size(), "Incompatible sizes of v and gamma");
+
+        // vG + gammaH
+        rct::keyV sv(v.size());
+        for (size_t i = 0; i < v.size(); ++i)
+        {
+            sv[i] = rct::d2h(v[i]);
+        }
+        return bulletproof_plus_PROVE(sv, gamma);
+    }
+
+    struct bp_plus_proof_data_t
+    {
+        rct::key y, z, e;
+        std::vector<rct::key> challenges;
+        size_t logM, inv_offset;
+    };
+
+    // Given a batch of range proofs, determine if they are all valid
+    bool bulletproof_plus_VERIFY(const std::vector<const BulletproofPlus*> &proofs)
+    {
+        init_exponents();
+
+        const size_t logN = 6;
+        const size_t N = 1 << logN;
+
+        // Set up
+        size_t max_length = 0; // size of each of the longest proof's inner-product vectors
+        size_t nV = 0; // number of output commitments across all proofs
+        size_t inv_offset = 0;
+        size_t max_logM = 0; 
+
+        std::vector<bp_plus_proof_data_t> proof_data;
+        proof_data.reserve(proofs.size());
+
+        // We'll perform only a single batch inversion across all proofs in the batch,
+        //  since batch inversion requires only one scalar inversion operation.
+        std::vector<rct::key> to_invert;
+        to_invert.reserve(11 * proofs.size()); // maximal size, given the aggregation limit
+
+        for (const BulletproofPlus *p: proofs)
+        {
+            const BulletproofPlus &proof = *p;
+
+            // Sanity checks
+            CHECK_AND_ASSERT_MES(is_reduced(proof.r1), false, "Input scalar not in range");
+            CHECK_AND_ASSERT_MES(is_reduced(proof.s1), false, "Input scalar not in range");
+            CHECK_AND_ASSERT_MES(is_reduced(proof.d1), false, "Input scalar not in range");
+
+            CHECK_AND_ASSERT_MES(proof.V.size() >= 1, false, "V does not have at least one element");
+            CHECK_AND_ASSERT_MES(proof.L.size() == proof.R.size(), false, "Mismatched L and R sizes");
+            CHECK_AND_ASSERT_MES(proof.L.size() > 0, false, "Empty proof");
+
+            max_length = std::max(max_length, proof.L.size());
+            nV += proof.V.size();
+
+            proof_data.push_back({});
+            bp_plus_proof_data_t &pd = proof_data.back();
+
+            // Reconstruct the challenges
+            rct::key transcript = copy(initial_transcript);
+            transcript = transcript_update(transcript, rct::hash_to_scalar(proof.V));
+            pd.y = transcript_update(transcript, proof.A);
+            CHECK_AND_ASSERT_MES(!(pd.y == rct::zero()), false, "y == 0");
+            pd.z = transcript = rct::hash_to_scalar(pd.y);
+            CHECK_AND_ASSERT_MES(!(pd.z == rct::zero()), false, "z == 0");
+
+            // Determine the number of inner-product rounds based on proof size
+            size_t M;
+            for (pd.logM = 0; (M = 1<<pd.logM) <= maxM && M < proof.V.size(); ++pd.logM);
+            CHECK_AND_ASSERT_MES(proof.L.size() == 6+pd.logM, false, "Proof is not the expected size");
+            max_logM = std::max(pd.logM, max_logM);
+
+            const size_t rounds = pd.logM+logN;
+            CHECK_AND_ASSERT_MES(rounds > 0, false, "Zero rounds");
+
+            // The inner-product challenges are computed per round
+            pd.challenges.resize(rounds);
+            for (size_t j = 0; j < rounds; ++j)
+            {
+                pd.challenges[j] = transcript_update(transcript, proof.L[j], proof.R[j]);
+                CHECK_AND_ASSERT_MES(!(pd.challenges[j] == rct::zero()), false, "challenges[j] == 0");
+            }
+
+            // Final challenge
+            pd.e = transcript_update(transcript,proof.A1,proof.B);
+            CHECK_AND_ASSERT_MES(!(pd.e == rct::zero()), false, "e == 0");
+
+            // Batch scalar inversions
+            pd.inv_offset = inv_offset;
+            for (size_t j = 0; j < rounds; ++j)
+                to_invert.push_back(pd.challenges[j]);
+            to_invert.push_back(pd.y);
+            inv_offset += rounds + 1;
+        }
+        CHECK_AND_ASSERT_MES(max_length < 32, false, "At least one proof is too large");
+        size_t maxMN = 1u << max_length;
+
+        rct::key temp;
+        rct::key temp2;
+
+        // Final batch proof data
+        std::vector<MultiexpData> multiexp_data;
+        multiexp_data.reserve(nV + (2 * (max_logM + logN) + 3) * proofs.size() + 2 * maxMN);
+        multiexp_data.resize(2 * maxMN);
+
+        const std::vector<rct::key> inverses = invert(std::move(to_invert));
+        to_invert.clear();
+
+        // Weights and aggregates
+        //
+        // The idea is to take the single multiscalar multiplication used in the verification
+        //  of each proof in the batch and weight it using a random weighting factor, resulting
+        //  in just one multiscalar multiplication check to zero for the entire batch.
+        // We can further simplify the verifier complexity by including common group elements
+        //  only once in this single multiscalar multiplication.
+        // Common group elements' weighted scalar sums are tracked across proofs for this reason.
+        //
+        // To build a multiscalar multiplication for each proof, we use the method described in
+        //  Section 6.1 of the preprint. Note that the result given there does not account for
+        //  the construction of the inner-product inputs that are produced in the range proof
+        //  verifier algorithm; we have done so here.
+        rct::key G_scalar = rct::zero();
+        rct::key H_scalar = rct::zero();
+        rct::keyV Gi_scalars(maxMN, rct::zero());
+        rct::keyV Hi_scalars(maxMN, rct::zero());
+
+        int proof_data_index = 0;
+        rct::keyV challenges_cache;
+        std::vector<ge_p3> proof8_V, proof8_L, proof8_R;
+
+        // Process each proof and add to the weighted batch
+        for (const BulletproofPlus *p: proofs)
+        {
+            const BulletproofPlus &proof = *p;
+            const bp_plus_proof_data_t &pd = proof_data[proof_data_index++];
+
+            CHECK_AND_ASSERT_MES(proof.L.size() == 6+pd.logM, false, "Proof is not the expected size");
+            const size_t M = 1 << pd.logM;
+            const size_t MN = M*N;
+
+            // Random weighting factor must be nonzero, which is exceptionally unlikely!
+            rct::key weight = ZERO;
+            while (weight == ZERO)
+            {
+                weight = rct::skGen();
+            }
+
+            // Rescale previously offset proof elements
+            //
+            // This ensures that all such group elements are in the prime-order subgroup.
+            proof8_V.resize(proof.V.size()); for (size_t i = 0; i < proof.V.size(); ++i) rct::scalarmult8(proof8_V[i], proof.V[i]);
+            proof8_L.resize(proof.L.size()); for (size_t i = 0; i < proof.L.size(); ++i) rct::scalarmult8(proof8_L[i], proof.L[i]);
+            proof8_R.resize(proof.R.size()); for (size_t i = 0; i < proof.R.size(); ++i) rct::scalarmult8(proof8_R[i], proof.R[i]);
+            ge_p3 proof8_A1;
+            ge_p3 proof8_B;
+            ge_p3 proof8_A;
+            rct::scalarmult8(proof8_A1, proof.A1);
+            rct::scalarmult8(proof8_B, proof.B);
+            rct::scalarmult8(proof8_A, proof.A);
+
+            // Compute necessary powers of the y-challenge
+            rct::key y_MN = copy(pd.y);
+            rct::key y_MN_1;
+            size_t temp_MN = MN;
+            while (temp_MN > 1)
+            {
+                sc_mul(y_MN.bytes, y_MN.bytes, y_MN.bytes);
+                temp_MN /= 2;
+            }
+            sc_mul(y_MN_1.bytes, y_MN.bytes, pd.y.bytes);
+
+            // V_j: -e**2 * z**(2*j+1) * y**(MN+1) * weight
+            rct::key e_squared;
+            sc_mul(e_squared.bytes, pd.e.bytes, pd.e.bytes);
+
+            rct::key z_squared;
+            sc_mul(z_squared.bytes, pd.z.bytes, pd.z.bytes);
+
+            sc_sub(temp.bytes, ZERO.bytes, e_squared.bytes);
+            sc_mul(temp.bytes, temp.bytes, y_MN_1.bytes);
+            sc_mul(temp.bytes, temp.bytes, weight.bytes);
+            for (size_t j = 0; j < proof8_V.size(); j++)
+            {
+                sc_mul(temp.bytes, temp.bytes, z_squared.bytes);
+                multiexp_data.emplace_back(temp, proof8_V[j]);
+            }
+
+            // B: -weight
+            sc_mul(temp.bytes, MINUS_ONE.bytes, weight.bytes);
+            multiexp_data.emplace_back(temp, proof8_B);
+
+            // A1: -weight*e
+            sc_mul(temp.bytes, temp.bytes, pd.e.bytes);
+            multiexp_data.emplace_back(temp, proof8_A1);
+
+            // A: -weight*e*e
+            rct::key minus_weight_e_squared;
+            sc_mul(minus_weight_e_squared.bytes, temp.bytes, pd.e.bytes);
+            multiexp_data.emplace_back(minus_weight_e_squared, proof8_A);
+
+            // G: weight*d1
+            sc_muladd(G_scalar.bytes, weight.bytes, proof.d1.bytes, G_scalar.bytes);
+
+            // Windowed vector
+            // d[j*N+i] = z**(2*(j+1)) * 2**i
+            rct::keyV d(MN, rct::zero());
+            d[0] = z_squared;
+            for (size_t i = 1; i < N; i++)
+            {
+                sc_add(d[i].bytes, d[i-1].bytes, d[i-1].bytes);
+            }
+
+            for (size_t j = 1; j < M; j++)
+            {
+                for (size_t i = 0; i < N; i++)
+                {
+                    sc_mul(d[j*N+i].bytes, d[(j-1)*N+i].bytes, z_squared.bytes);
+                }
+            }
+
+            // More efficient computation of sum(d)
+            rct::key sum_d;
+            sc_mul(sum_d.bytes, TWO_SIXTY_FOUR_MINUS_ONE.bytes, sum_of_even_powers(pd.z, 2*M).bytes);
+
+            // H: weight*( r1*y*s1 + e**2*( y**(MN+1)*z*sum(d) + (z**2-z)*sum(y) ) )
+            rct::key sum_y = sum_of_scalar_powers(pd.y, MN);
+            sc_sub(temp.bytes, z_squared.bytes, pd.z.bytes);
+            sc_mul(temp.bytes, temp.bytes, sum_y.bytes);
+
+            sc_mul(temp2.bytes, y_MN_1.bytes, pd.z.bytes);
+            sc_mul(temp2.bytes, temp2.bytes, sum_d.bytes);
+            sc_add(temp.bytes, temp.bytes, temp2.bytes);
+            sc_mul(temp.bytes, temp.bytes, e_squared.bytes);
+            sc_mul(temp2.bytes, proof.r1.bytes, pd.y.bytes);
+            sc_mul(temp2.bytes, temp2.bytes, proof.s1.bytes);
+            sc_add(temp.bytes, temp.bytes, temp2.bytes);
+            sc_muladd(H_scalar.bytes, temp.bytes, weight.bytes, H_scalar.bytes);
+
+            // Compute the number of rounds for the inner-product argument
+            const size_t rounds = pd.logM+logN;
+            CHECK_AND_ASSERT_MES(rounds > 0, false, "Zero rounds");
+
+            const rct::key *challenges_inv = &inverses[pd.inv_offset];
+            const rct::key yinv = inverses[pd.inv_offset + rounds];
+
+            // Compute challenge products
+            challenges_cache.resize(1<<rounds);
+            challenges_cache[0] = challenges_inv[0];
+            challenges_cache[1] = pd.challenges[0];
+            for (size_t j = 1; j < rounds; ++j)
+            {
+                const size_t slots = 1<<(j+1);
+                for (size_t s = slots; s-- > 0; --s)
+                {
+                    sc_mul(challenges_cache[s].bytes, challenges_cache[s/2].bytes, pd.challenges[j].bytes);
+                    sc_mul(challenges_cache[s-1].bytes, challenges_cache[s/2].bytes, challenges_inv[j].bytes);
+                }
+            }
+
+            // Gi and Hi
+            rct::key e_r1_w_y;
+            sc_mul(e_r1_w_y.bytes, pd.e.bytes, proof.r1.bytes);
+            sc_mul(e_r1_w_y.bytes, e_r1_w_y.bytes, weight.bytes);
+            rct::key e_s1_w;
+            sc_mul(e_s1_w.bytes, pd.e.bytes, proof.s1.bytes);
+            sc_mul(e_s1_w.bytes, e_s1_w.bytes, weight.bytes);
+            rct::key e_squared_z_w;
+            sc_mul(e_squared_z_w.bytes, e_squared.bytes, pd.z.bytes);
+            sc_mul(e_squared_z_w.bytes, e_squared_z_w.bytes, weight.bytes);
+            rct::key minus_e_squared_z_w;
+            sc_sub(minus_e_squared_z_w.bytes, ZERO.bytes, e_squared_z_w.bytes);
+            rct::key minus_e_squared_w_y;
+            sc_sub(minus_e_squared_w_y.bytes, ZERO.bytes, e_squared.bytes);
+            sc_mul(minus_e_squared_w_y.bytes, minus_e_squared_w_y.bytes, weight.bytes);
+            sc_mul(minus_e_squared_w_y.bytes, minus_e_squared_w_y.bytes, y_MN.bytes);
+            for (size_t i = 0; i < MN; ++i)
+            {
+                rct::key g_scalar = copy(e_r1_w_y);
+                rct::key h_scalar;
+
+                // Use the binary decomposition of the index
+                sc_muladd(g_scalar.bytes, g_scalar.bytes, challenges_cache[i].bytes, e_squared_z_w.bytes);
+                sc_muladd(h_scalar.bytes, e_s1_w.bytes, challenges_cache[(~i) & (MN-1)].bytes, minus_e_squared_z_w.bytes);
+
+                // Complete the scalar derivation
+                sc_add(Gi_scalars[i].bytes, Gi_scalars[i].bytes, g_scalar.bytes);
+                sc_muladd(h_scalar.bytes, minus_e_squared_w_y.bytes, d[i].bytes, h_scalar.bytes);
+                sc_add(Hi_scalars[i].bytes, Hi_scalars[i].bytes, h_scalar.bytes);
+
+                // Update iterated values
+                sc_mul(e_r1_w_y.bytes, e_r1_w_y.bytes, yinv.bytes);
+                sc_mul(minus_e_squared_w_y.bytes, minus_e_squared_w_y.bytes, yinv.bytes);
+            }
+
+            // L_j: -weight*e*e*challenges[j]**2
+            // R_j: -weight*e*e*challenges[j]**(-2)
+            for (size_t j = 0; j < rounds; ++j)
+            {
+                sc_mul(temp.bytes, pd.challenges[j].bytes, pd.challenges[j].bytes);
+                sc_mul(temp.bytes, temp.bytes, minus_weight_e_squared.bytes);
+                multiexp_data.emplace_back(temp, proof8_L[j]);
+
+                sc_mul(temp.bytes, challenges_inv[j].bytes, challenges_inv[j].bytes);
+                sc_mul(temp.bytes, temp.bytes, minus_weight_e_squared.bytes);
+                multiexp_data.emplace_back(temp, proof8_R[j]);
+            }
+        }
+
+        // Verify all proofs in the weighted batch
+        multiexp_data.emplace_back(G_scalar, rct::G);
+        multiexp_data.emplace_back(H_scalar, rct::H);
+        for (size_t i = 0; i < maxMN; ++i)
+        {
+            multiexp_data[i * 2] = {Gi_scalars[i], Gi_p3[i]};
+            multiexp_data[i * 2 + 1] = {Hi_scalars[i], Hi_p3[i]};
+        }
+        if (!(multiexp(multiexp_data, 2 * maxMN) == rct::identity()))
+        {
+            MERROR("Verification failure");
+            return false;
+        }
+
+        return true;
+    }
+
+    bool bulletproof_plus_VERIFY(const std::vector<BulletproofPlus> &proofs)
+    {
+        std::vector<const BulletproofPlus*> proof_pointers;
+        proof_pointers.reserve(proofs.size());
+        for (const BulletproofPlus &proof: proofs)
+            proof_pointers.push_back(&proof);
+        return bulletproof_plus_VERIFY(proof_pointers);
+    }
+
+    bool bulletproof_plus_VERIFY(const BulletproofPlus &proof)
+    {
+        std::vector<const BulletproofPlus*> proofs;
+        proofs.push_back(&proof);
+        return bulletproof_plus_VERIFY(proofs);
+    }
+}
diff --git a/src/ringct/bulletproofs_plus.h b/src/ringct/bulletproofs_plus.h
new file mode 100644
index 000000000..d9084075a
--- /dev/null
+++ b/src/ringct/bulletproofs_plus.h
@@ -0,0 +1,49 @@
+// Copyright (c) 2017-2020, The Monero Project
+// 
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+// 
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+// 
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+// 
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#pragma once
+
+#ifndef BULLETPROOFS_PLUS_H
+#define BULLETPROOFS_PLUS_H
+
+#include "rctTypes.h"
+
+namespace rct
+{
+
+BulletproofPlus bulletproof_plus_PROVE(const rct::key &v, const rct::key &gamma);
+BulletproofPlus bulletproof_plus_PROVE(uint64_t v, const rct::key &gamma);
+BulletproofPlus bulletproof_plus_PROVE(const rct::keyV &v, const rct::keyV &gamma);
+BulletproofPlus bulletproof_plus_PROVE(const std::vector<uint64_t> &v, const rct::keyV &gamma);
+bool bulletproof_plus_VERIFY(const BulletproofPlus &proof);
+bool bulletproof_plus_VERIFY(const std::vector<const BulletproofPlus*> &proofs);
+bool bulletproof_plus_VERIFY(const std::vector<BulletproofPlus> &proofs);
+
+}
+
+#endif
diff --git a/src/ringct/rctSigs.cpp b/src/ringct/rctSigs.cpp
index f5950c53c..d7883baac 100644
--- a/src/ringct/rctSigs.cpp
+++ b/src/ringct/rctSigs.cpp
@@ -35,6 +35,7 @@
 #include "common/util.h"
 #include "rctSigs.h"
 #include "bulletproofs.h"
+#include "bulletproofs_plus.h"
 #include "cryptonote_basic/cryptonote_format_utils.h"
 #include "cryptonote_config.h"
 
@@ -78,6 +79,36 @@ namespace
 
         return rct::Bulletproof{rct::keyV(n_outs, I), I, I, I, I, I, I, rct::keyV(nrl, I), rct::keyV(nrl, I), I, I, I};
     }
+    rct::BulletproofPlus make_dummy_bulletproof_plus(const std::vector<uint64_t> &outamounts, rct::keyV &C, rct::keyV &masks)
+    {
+        const size_t n_outs = outamounts.size();
+        const rct::key I = rct::identity();
+        size_t nrl = 0;
+        while ((1u << nrl) < n_outs)
+          ++nrl;
+        nrl += 6;
+
+        C.resize(n_outs);
+        masks.resize(n_outs);
+        for (size_t i = 0; i < n_outs; ++i)
+        {
+            masks[i] = I;
+            rct::key sv8, sv;
+            sv = rct::zero();
+            sv.bytes[0] = outamounts[i] & 255;
+            sv.bytes[1] = (outamounts[i] >> 8) & 255;
+            sv.bytes[2] = (outamounts[i] >> 16) & 255;
+            sv.bytes[3] = (outamounts[i] >> 24) & 255;
+            sv.bytes[4] = (outamounts[i] >> 32) & 255;
+            sv.bytes[5] = (outamounts[i] >> 40) & 255;
+            sv.bytes[6] = (outamounts[i] >> 48) & 255;
+            sv.bytes[7] = (outamounts[i] >> 56) & 255;
+            sc_mul(sv8.bytes, sv.bytes, rct::INV_EIGHT.bytes);
+            rct::addKeys2(C[i], rct::INV_EIGHT, sv8, rct::H);
+        }
+
+        return rct::BulletproofPlus{rct::keyV(n_outs, I), I, I, I, I, I, I, rct::keyV(nrl, I), rct::keyV(nrl, I)};
+    }
 }
 
 namespace rct {
@@ -107,6 +138,32 @@ namespace rct {
       catch (...) { return false; }
     }
 
+    BulletproofPlus proveRangeBulletproofPlus(keyV &C, keyV &masks, const std::vector<uint64_t> &amounts, epee::span<const key> sk, hw::device &hwdev)
+    {
+        CHECK_AND_ASSERT_THROW_MES(amounts.size() == sk.size(), "Invalid amounts/sk sizes");
+        masks.resize(amounts.size());
+        for (size_t i = 0; i < masks.size(); ++i)
+            masks[i] = hwdev.genCommitmentMask(sk[i]);
+        BulletproofPlus proof = bulletproof_plus_PROVE(amounts, masks);
+        CHECK_AND_ASSERT_THROW_MES(proof.V.size() == amounts.size(), "V does not have the expected size");
+        C = proof.V;
+        return proof;
+    }
+
+    bool verBulletproofPlus(const BulletproofPlus &proof)
+    {
+      try { return bulletproof_plus_VERIFY(proof); }
+      // we can get deep throws from ge_frombytes_vartime if input isn't valid
+      catch (...) { return false; }
+    }
+
+    bool verBulletproofPlus(const std::vector<const BulletproofPlus*> &proofs)
+    {
+      try { return bulletproof_plus_VERIFY(proofs); }
+      // we can get deep throws from ge_frombytes_vartime if input isn't valid
+      catch (...) { return false; }
+    }
+
     //Borromean (c.f. gmax/andytoshi's paper)
     boroSig genBorromean(const key64 x, const key64 P1, const key64 P2, const bits indices) {
         key64 L[2], alpha;
@@ -611,6 +668,25 @@ namespace rct {
           kv.push_back(p.t);
         }
       }
+      else if (rv.type == RCTTypeBulletproofPlus)
+      {
+        kv.reserve((6*2+6) * rv.p.bulletproofs_plus.size());
+        for (const auto &p: rv.p.bulletproofs_plus)
+        {
+          // V are not hashed as they're expanded from outPk.mask
+          // (and thus hashed as part of rctSigBase above)
+          kv.push_back(p.A);
+          kv.push_back(p.A1);
+          kv.push_back(p.B);
+          kv.push_back(p.r1);
+          kv.push_back(p.s1);
+          kv.push_back(p.d1);
+          for (size_t n = 0; n < p.L.size(); ++n)
+            kv.push_back(p.L[n]);
+          for (size_t n = 0; n < p.R.size(); ++n)
+            kv.push_back(p.R[n]);
+        }
+      }
       else
       {
         kv.reserve((64*3+1) * rv.p.rangeSigs.size());
@@ -1031,7 +1107,7 @@ namespace rct {
             //mask amount and mask
             rv.ecdhInfo[i].mask = copy(outSk[i].mask);
             rv.ecdhInfo[i].amount = d2h(amounts[i]);
-            hwdev.ecdhEncode(rv.ecdhInfo[i], amount_keys[i], rv.type == RCTTypeBulletproof2 || rv.type == RCTTypeCLSAG);
+            hwdev.ecdhEncode(rv.ecdhInfo[i], amount_keys[i], rv.type == RCTTypeBulletproof2 || rv.type == RCTTypeCLSAG || rv.type == RCTTypeBulletproofPlus);
         }
 
         //set txn fee
@@ -1063,7 +1139,7 @@ namespace rct {
     //RCT simple    
     //for post-rct only
     rctSig genRctSimple(const key &message, const ctkeyV & inSk, const keyV & destinations, const vector<xmr_amount> &inamounts, const vector<xmr_amount> &outamounts, xmr_amount txnFee, const ctkeyM & mixRing, const keyV &amount_keys, const std::vector<multisig_kLRki> *kLRki, multisig_out *msout, const std::vector<unsigned int> & index, ctkeyV &outSk, const RCTConfig &rct_config, hw::device &hwdev) {
-        const bool bulletproof = rct_config.range_proof_type != RangeProofBorromean;
+        const bool bulletproof_or_plus = rct_config.range_proof_type > RangeProofBorromean;
         CHECK_AND_ASSERT_THROW_MES(inamounts.size() > 0, "Empty inamounts");
         CHECK_AND_ASSERT_THROW_MES(inamounts.size() == inSk.size(), "Different number of inamounts/inSk");
         CHECK_AND_ASSERT_THROW_MES(outamounts.size() == destinations.size(), "Different number of amounts/destinations");
@@ -1079,11 +1155,14 @@ namespace rct {
         }
 
         rctSig rv;
-        if (bulletproof)
+        if (bulletproof_or_plus)
         {
           switch (rct_config.bp_version)
           {
             case 0:
+            case 4:
+              rv.type = RCTTypeBulletproofPlus;
+              break;
             case 3:
               rv.type = RCTTypeCLSAG;
               break;
@@ -1102,7 +1181,7 @@ namespace rct {
 
         rv.message = message;
         rv.outPk.resize(destinations.size());
-        if (!bulletproof)
+        if (!bulletproof_or_plus)
           rv.p.rangeSigs.resize(destinations.size());
         rv.ecdhInfo.resize(destinations.size());
 
@@ -1114,17 +1193,19 @@ namespace rct {
             //add destination to sig
             rv.outPk[i].dest = copy(destinations[i]);
             //compute range proof
-            if (!bulletproof)
+            if (!bulletproof_or_plus)
               rv.p.rangeSigs[i] = proveRange(rv.outPk[i].mask, outSk[i].mask, outamounts[i]);
             #ifdef DBG
-            if (!bulletproof)
+            if (!bulletproof_or_plus)
                 CHECK_AND_ASSERT_THROW_MES(verRange(rv.outPk[i].mask, rv.p.rangeSigs[i]), "verRange failed on newly created proof");
             #endif
         }
 
         rv.p.bulletproofs.clear();
-        if (bulletproof)
+        rv.p.bulletproofs_plus.clear();
+        if (bulletproof_or_plus)
         {
+            const bool plus = is_rct_bulletproof_plus(rv.type);
             size_t n_amounts = outamounts.size();
             size_t amounts_proved = 0;
             if (rct_config.range_proof_type == RangeProofPaddedBulletproof)
@@ -1133,19 +1214,31 @@ namespace rct {
                 if (hwdev.get_mode() == hw::device::TRANSACTION_CREATE_FAKE)
                 {
                     // use a fake bulletproof for speed
-                    rv.p.bulletproofs.push_back(make_dummy_bulletproof(outamounts, C, masks));
+                    if (plus)
+                      rv.p.bulletproofs_plus.push_back(make_dummy_bulletproof_plus(outamounts, C, masks));
+                    else
+                      rv.p.bulletproofs.push_back(make_dummy_bulletproof(outamounts, C, masks));
                 }
                 else
                 {
                     const epee::span<const key> keys{&amount_keys[0], amount_keys.size()};
-                    rv.p.bulletproofs.push_back(proveRangeBulletproof(C, masks, outamounts, keys, hwdev));
+                    if (plus)
+                      rv.p.bulletproofs_plus.push_back(proveRangeBulletproofPlus(C, masks, outamounts, keys, hwdev));
+                    else
+                      rv.p.bulletproofs.push_back(proveRangeBulletproof(C, masks, outamounts, keys, hwdev));
                     #ifdef DBG
-                    CHECK_AND_ASSERT_THROW_MES(verBulletproof(rv.p.bulletproofs.back()), "verBulletproof failed on newly created proof");
+                    if (plus)
+                      CHECK_AND_ASSERT_THROW_MES(verBulletproofPlus(rv.p.bulletproofs_plus.back()), "verBulletproofPlus failed on newly created proof");
+                    else
+                      CHECK_AND_ASSERT_THROW_MES(verBulletproof(rv.p.bulletproofs.back()), "verBulletproof failed on newly created proof");
                     #endif
                 }
                 for (i = 0; i < outamounts.size(); ++i)
                 {
-                    rv.outPk[i].mask = rct::scalarmult8(C[i]);
+                    if (plus)
+                      rv.outPk[i].mask = C[i];
+                    else
+                      rv.outPk[i].mask = rct::scalarmult8(C[i]);
                     outSk[i].mask = masks[i];
                 }
             }
@@ -1153,7 +1246,7 @@ namespace rct {
             {
                 size_t batch_size = 1;
                 if (rct_config.range_proof_type == RangeProofMultiOutputBulletproof)
-                  while (batch_size * 2 + amounts_proved <= n_amounts && batch_size * 2 <= BULLETPROOF_MAX_OUTPUTS)
+                  while (batch_size * 2 + amounts_proved <= n_amounts && batch_size * 2 <= (plus ? BULLETPROOF_PLUS_MAX_OUTPUTS : BULLETPROOF_MAX_OUTPUTS))
                     batch_size *= 2;
                 rct::keyV C, masks;
                 std::vector<uint64_t> batch_amounts(batch_size);
@@ -1162,19 +1255,31 @@ namespace rct {
                 if (hwdev.get_mode() == hw::device::TRANSACTION_CREATE_FAKE)
                 {
                     // use a fake bulletproof for speed
-                    rv.p.bulletproofs.push_back(make_dummy_bulletproof(batch_amounts, C, masks));
+                    if (plus)
+                      rv.p.bulletproofs_plus.push_back(make_dummy_bulletproof_plus(batch_amounts, C, masks));
+                    else
+                      rv.p.bulletproofs.push_back(make_dummy_bulletproof(batch_amounts, C, masks));
                 }
                 else
                 {
                     const epee::span<const key> keys{&amount_keys[amounts_proved], batch_size};
-                    rv.p.bulletproofs.push_back(proveRangeBulletproof(C, masks, batch_amounts, keys, hwdev));
+                    if (plus)
+                      rv.p.bulletproofs_plus.push_back(proveRangeBulletproofPlus(C, masks, batch_amounts, keys, hwdev));
+                    else
+                      rv.p.bulletproofs.push_back(proveRangeBulletproof(C, masks, batch_amounts, keys, hwdev));
                 #ifdef DBG
-                    CHECK_AND_ASSERT_THROW_MES(verBulletproof(rv.p.bulletproofs.back()), "verBulletproof failed on newly created proof");
+                    if (plus)
+                      CHECK_AND_ASSERT_THROW_MES(verBulletproofPlus(rv.p.bulletproofs_plus.back()), "verBulletproofPlus failed on newly created proof");
+                    else
+                      CHECK_AND_ASSERT_THROW_MES(verBulletproof(rv.p.bulletproofs.back()), "verBulletproof failed on newly created proof");
                 #endif
                 }
                 for (i = 0; i < batch_size; ++i)
                 {
-                  rv.outPk[i + amounts_proved].mask = rct::scalarmult8(C[i]);
+                  if (plus)
+                    rv.outPk[i + amounts_proved].mask = C[i];
+                  else
+                    rv.outPk[i + amounts_proved].mask = rct::scalarmult8(C[i]);
                   outSk[i + amounts_proved].mask = masks[i];
                 }
                 amounts_proved += batch_size;
@@ -1189,7 +1294,7 @@ namespace rct {
             //mask amount and mask
             rv.ecdhInfo[i].mask = copy(outSk[i].mask);
             rv.ecdhInfo[i].amount = d2h(outamounts[i]);
-            hwdev.ecdhEncode(rv.ecdhInfo[i], amount_keys[i], rv.type == RCTTypeBulletproof2 || rv.type == RCTTypeCLSAG);
+            hwdev.ecdhEncode(rv.ecdhInfo[i], amount_keys[i], rv.type == RCTTypeBulletproof2 || rv.type == RCTTypeCLSAG || rv.type == RCTTypeBulletproofPlus);
         }
             
         //set txn fee
@@ -1197,9 +1302,9 @@ namespace rct {
 //        TODO: unused ??
 //        key txnFeeKey = scalarmultH(d2h(rv.txnFee));
         rv.mixRing = mixRing;
-        keyV &pseudoOuts = bulletproof ? rv.p.pseudoOuts : rv.pseudoOuts;
+        keyV &pseudoOuts = bulletproof_or_plus ? rv.p.pseudoOuts : rv.pseudoOuts;
         pseudoOuts.resize(inamounts.size());
-        if (rv.type == RCTTypeCLSAG)
+        if (is_rct_clsag(rv.type))
             rv.p.CLSAGs.resize(inamounts.size());
         else
             rv.p.MGs.resize(inamounts.size());
@@ -1218,11 +1323,11 @@ namespace rct {
         if (msout)
         {
             msout->c.resize(inamounts.size());
-            msout->mu_p.resize(rv.type == RCTTypeCLSAG ? inamounts.size() : 0);
+            msout->mu_p.resize(is_rct_clsag(rv.type) ? inamounts.size() : 0);
         }
         for (i = 0 ; i < inamounts.size(); i++)
         {
-            if (rv.type == RCTTypeCLSAG)
+            if (is_rct_clsag(rv.type))
             {
                 rv.p.CLSAGs[i] = proveRctCLSAGSimple(full_message, rv.mixRing[i], inSk[i], a[i], pseudoOuts[i], kLRki ? &(*kLRki)[i]: NULL, msout ? &msout->c[i] : NULL, msout ? &msout->mu_p[i] : NULL, index[i], hwdev);
             }
@@ -1328,20 +1433,25 @@ namespace rct {
         tools::threadpool& tpool = tools::threadpool::getInstance();
         tools::threadpool::waiter waiter(tpool);
         std::deque<bool> results;
-        std::vector<const Bulletproof*> proofs;
+        std::vector<const Bulletproof*> bp_proofs;
+        std::vector<const BulletproofPlus*> bpp_proofs;
         size_t max_non_bp_proofs = 0, offset = 0;
 
         for (const rctSig *rvp: rvv)
         {
           CHECK_AND_ASSERT_MES(rvp, false, "rctSig pointer is NULL");
           const rctSig &rv = *rvp;
-          CHECK_AND_ASSERT_MES(rv.type == RCTTypeSimple || rv.type == RCTTypeBulletproof || rv.type == RCTTypeBulletproof2 || rv.type == RCTTypeCLSAG,
+          CHECK_AND_ASSERT_MES(rv.type == RCTTypeSimple || rv.type == RCTTypeBulletproof || rv.type == RCTTypeBulletproof2 || rv.type == RCTTypeCLSAG || rv.type == RCTTypeBulletproofPlus,
               false, "verRctSemanticsSimple called on non simple rctSig");
           const bool bulletproof = is_rct_bulletproof(rv.type);
-          if (bulletproof)
+          const bool bulletproof_plus = is_rct_bulletproof_plus(rv.type);
+          if (bulletproof || bulletproof_plus)
           {
-            CHECK_AND_ASSERT_MES(rv.outPk.size() == n_bulletproof_amounts(rv.p.bulletproofs), false, "Mismatched sizes of outPk and bulletproofs");
-            if (rv.type == RCTTypeCLSAG)
+            if (bulletproof_plus)
+              CHECK_AND_ASSERT_MES(rv.outPk.size() == n_bulletproof_plus_amounts(rv.p.bulletproofs_plus), false, "Mismatched sizes of outPk and bulletproofs_plus");
+            else
+              CHECK_AND_ASSERT_MES(rv.outPk.size() == n_bulletproof_amounts(rv.p.bulletproofs), false, "Mismatched sizes of outPk and bulletproofs");
+            if (is_rct_clsag(rv.type))
             {
               CHECK_AND_ASSERT_MES(rv.p.MGs.empty(), false, "MGs are not empty for CLSAG");
               CHECK_AND_ASSERT_MES(rv.p.pseudoOuts.size() == rv.p.CLSAGs.size(), false, "Mismatched sizes of rv.p.pseudoOuts and rv.p.CLSAGs");
@@ -1361,7 +1471,7 @@ namespace rct {
           }
           CHECK_AND_ASSERT_MES(rv.outPk.size() == rv.ecdhInfo.size(), false, "Mismatched sizes of outPk and rv.ecdhInfo");
 
-          if (!bulletproof)
+          if (!bulletproof && !bulletproof_plus)
             max_non_bp_proofs += rv.p.rangeSigs.size();
         }
 
@@ -1371,11 +1481,15 @@ namespace rct {
           const rctSig &rv = *rvp;
 
           const bool bulletproof = is_rct_bulletproof(rv.type);
-          const keyV &pseudoOuts = bulletproof ? rv.p.pseudoOuts : rv.pseudoOuts;
+          const bool bulletproof_plus = is_rct_bulletproof_plus(rv.type);
+          const keyV &pseudoOuts = bulletproof || bulletproof_plus ? rv.p.pseudoOuts : rv.pseudoOuts;
 
           rct::keyV masks(rv.outPk.size());
           for (size_t i = 0; i < rv.outPk.size(); i++) {
-            masks[i] = rv.outPk[i].mask;
+            if (bulletproof_plus)
+              masks[i] = rct::scalarmult8(rv.outPk[i].mask);
+            else
+              masks[i] = rv.outPk[i].mask;
           }
           key sumOutpks = addKeys(masks);
           DP(sumOutpks);
@@ -1391,10 +1505,15 @@ namespace rct {
             return false;
           }
 
-          if (bulletproof)
+          if (bulletproof_plus)
+          {
+            for (size_t i = 0; i < rv.p.bulletproofs_plus.size(); i++)
+              bpp_proofs.push_back(&rv.p.bulletproofs_plus[i]);
+          }
+          else if (bulletproof)
           {
             for (size_t i = 0; i < rv.p.bulletproofs.size(); i++)
-              proofs.push_back(&rv.p.bulletproofs[i]);
+              bp_proofs.push_back(&rv.p.bulletproofs[i]);
           }
           else
           {
@@ -1403,9 +1522,18 @@ namespace rct {
             offset += rv.p.rangeSigs.size();
           }
         }
-        if (!proofs.empty() && !verBulletproof(proofs))
+        if (!bpp_proofs.empty() && !verBulletproofPlus(bpp_proofs))
+        {
+          LOG_PRINT_L1("Aggregate range proof verified failed");
+          if (!waiter.wait())
+            return false;
+          return false;
+        }
+        if (!bp_proofs.empty() && !verBulletproof(bp_proofs))
         {
           LOG_PRINT_L1("Aggregate range proof verified failed");
+          if (!waiter.wait())
+            return false;
           return false;
         }
 
@@ -1445,11 +1573,12 @@ namespace rct {
       {
         PERF_TIMER(verRctNonSemanticsSimple);
 
-        CHECK_AND_ASSERT_MES(rv.type == RCTTypeSimple || rv.type == RCTTypeBulletproof || rv.type == RCTTypeBulletproof2 || rv.type == RCTTypeCLSAG,
+        CHECK_AND_ASSERT_MES(rv.type == RCTTypeSimple || rv.type == RCTTypeBulletproof || rv.type == RCTTypeBulletproof2 || rv.type == RCTTypeCLSAG || rv.type == RCTTypeBulletproofPlus,
             false, "verRctNonSemanticsSimple called on non simple rctSig");
         const bool bulletproof = is_rct_bulletproof(rv.type);
+        const bool bulletproof_plus = is_rct_bulletproof_plus(rv.type);
         // semantics check is early, and mixRing/MGs aren't resolved yet
-        if (bulletproof)
+        if (bulletproof || bulletproof_plus)
           CHECK_AND_ASSERT_MES(rv.p.pseudoOuts.size() == rv.mixRing.size(), false, "Mismatched sizes of rv.p.pseudoOuts and mixRing");
         else
           CHECK_AND_ASSERT_MES(rv.pseudoOuts.size() == rv.mixRing.size(), false, "Mismatched sizes of rv.pseudoOuts and mixRing");
@@ -1460,7 +1589,7 @@ namespace rct {
         tools::threadpool& tpool = tools::threadpool::getInstance();
         tools::threadpool::waiter waiter(tpool);
 
-        const keyV &pseudoOuts = bulletproof ? rv.p.pseudoOuts : rv.pseudoOuts;
+        const keyV &pseudoOuts = bulletproof || bulletproof_plus ? rv.p.pseudoOuts : rv.pseudoOuts;
 
         const key message = get_pre_mlsag_hash(rv, hw::get_device("default"));
 
@@ -1468,10 +1597,8 @@ namespace rct {
         results.resize(rv.mixRing.size());
         for (size_t i = 0 ; i < rv.mixRing.size() ; i++) {
           tpool.submit(&waiter, [&, i] {
-              if (rv.type == RCTTypeCLSAG)
-              {
+              if (is_rct_clsag(rv.type))
                   results[i] = verRctCLSAGSimple(message, rv.p.CLSAGs[i], rv.mixRing[i], pseudoOuts[i]);
-              }
               else
                   results[i] = verRctMGSimple(message, rv.p.MGs[i], rv.mixRing[i], pseudoOuts[i]);
           });
@@ -1518,10 +1645,12 @@ namespace rct {
 
         //mask amount and mask
         ecdhTuple ecdh_info = rv.ecdhInfo[i];
-        hwdev.ecdhDecode(ecdh_info, sk, rv.type == RCTTypeBulletproof2 || rv.type == RCTTypeCLSAG);
+        hwdev.ecdhDecode(ecdh_info, sk, rv.type == RCTTypeBulletproof2 || rv.type == RCTTypeCLSAG || rv.type == RCTTypeBulletproofPlus);
         mask = ecdh_info.mask;
         key amount = ecdh_info.amount;
         key C = rv.outPk[i].mask;
+        if (is_rct_bulletproof_plus(rv.type))
+          C = scalarmult8(C);
         DP("C");
         DP(C);
         key Ctmp;
@@ -1542,16 +1671,19 @@ namespace rct {
     }
 
     xmr_amount decodeRctSimple(const rctSig & rv, const key & sk, unsigned int i, key &mask, hw::device &hwdev) {
-        CHECK_AND_ASSERT_MES(rv.type == RCTTypeSimple || rv.type == RCTTypeBulletproof || rv.type == RCTTypeBulletproof2 || rv.type == RCTTypeCLSAG, false, "decodeRct called on non simple rctSig");
+        CHECK_AND_ASSERT_MES(rv.type == RCTTypeSimple || rv.type == RCTTypeBulletproof || rv.type == RCTTypeBulletproof2 || rv.type == RCTTypeCLSAG || rv.type == RCTTypeBulletproofPlus,
+            false, "decodeRct called on non simple rctSig");
         CHECK_AND_ASSERT_THROW_MES(i < rv.ecdhInfo.size(), "Bad index");
         CHECK_AND_ASSERT_THROW_MES(rv.outPk.size() == rv.ecdhInfo.size(), "Mismatched sizes of rv.outPk and rv.ecdhInfo");
 
         //mask amount and mask
         ecdhTuple ecdh_info = rv.ecdhInfo[i];
-        hwdev.ecdhDecode(ecdh_info, sk, rv.type == RCTTypeBulletproof2 || rv.type == RCTTypeCLSAG);
+        hwdev.ecdhDecode(ecdh_info, sk, rv.type == RCTTypeBulletproof2 || rv.type == RCTTypeCLSAG || rv.type == RCTTypeBulletproofPlus);
         mask = ecdh_info.mask;
         key amount = ecdh_info.amount;
         key C = rv.outPk[i].mask;
+        if (is_rct_bulletproof_plus(rv.type))
+          C = scalarmult8(C);
         DP("C");
         DP(C);
         key Ctmp;
@@ -1574,6 +1706,7 @@ namespace rct {
     bool signMultisigMLSAG(rctSig &rv, const std::vector<unsigned int> &indices, const keyV &k, const multisig_out &msout, const key &secret_key) {
         CHECK_AND_ASSERT_MES(rv.type == RCTTypeFull || rv.type == RCTTypeSimple || rv.type == RCTTypeBulletproof || rv.type == RCTTypeBulletproof2,
             false, "unsupported rct type");
+        CHECK_AND_ASSERT_MES(!is_rct_clsag(rv.type), false, "CLSAG signature type in MLSAG signature function");
         CHECK_AND_ASSERT_MES(indices.size() == k.size(), false, "Mismatched k/indices sizes");
         CHECK_AND_ASSERT_MES(k.size() == rv.p.MGs.size(), false, "Mismatched k/MGs size");
         CHECK_AND_ASSERT_MES(k.size() == msout.c.size(), false, "Mismatched k/msout.c size");
@@ -1598,7 +1731,7 @@ namespace rct {
     }
 
     bool signMultisigCLSAG(rctSig &rv, const std::vector<unsigned int> &indices, const keyV &k, const multisig_out &msout, const key &secret_key) {
-        CHECK_AND_ASSERT_MES(rv.type == RCTTypeCLSAG, false, "unsupported rct type");
+        CHECK_AND_ASSERT_MES(is_rct_clsag(rv.type), false, "unsupported rct type");
         CHECK_AND_ASSERT_MES(indices.size() == k.size(), false, "Mismatched k/indices sizes");
         CHECK_AND_ASSERT_MES(k.size() == rv.p.CLSAGs.size(), false, "Mismatched k/CLSAGs size");
         CHECK_AND_ASSERT_MES(k.size() == msout.c.size(), false, "Mismatched k/msout.c size");
@@ -1620,7 +1753,7 @@ namespace rct {
     }
 
     bool signMultisig(rctSig &rv, const std::vector<unsigned int> &indices, const keyV &k, const multisig_out &msout, const key &secret_key) {
-        if (rv.type == RCTTypeCLSAG)
+        if (is_rct_clsag(rv.type))
             return signMultisigCLSAG(rv, indices, k, msout, secret_key);
         else
             return signMultisigMLSAG(rv, indices, k, msout, secret_key);
diff --git a/src/ringct/rctTypes.cpp b/src/ringct/rctTypes.cpp
index 1f674056d..c22b0524f 100644
--- a/src/ringct/rctTypes.cpp
+++ b/src/ringct/rctTypes.cpp
@@ -196,6 +196,7 @@ namespace rct {
             case RCTTypeBulletproof:
             case RCTTypeBulletproof2:
             case RCTTypeCLSAG:
+            case RCTTypeBulletproofPlus:
                 return true;
             default:
                 return false;
@@ -215,6 +216,17 @@ namespace rct {
         }
     }
 
+    bool is_rct_bulletproof_plus(int type)
+    {
+        switch (type)
+        {
+            case RCTTypeBulletproofPlus:
+                return true;
+            default:
+                return false;
+        }
+    }
+
     bool is_rct_borromean(int type)
     {
         switch (type)
@@ -227,19 +239,34 @@ namespace rct {
         }
     }
 
-    size_t n_bulletproof_amounts(const Bulletproof &proof)
+    bool is_rct_clsag(int type)
     {
-        CHECK_AND_ASSERT_MES(proof.L.size() >= 6, 0, "Invalid bulletproof L size");
-        CHECK_AND_ASSERT_MES(proof.L.size() == proof.R.size(), 0, "Mismatched bulletproof L/R size");
+        switch (type)
+        {
+            case RCTTypeCLSAG:
+            case RCTTypeBulletproofPlus:
+                return true;
+            default:
+                return false;
+        }
+    }
+
+    static size_t n_bulletproof_amounts_base(const size_t L_size, const size_t R_size, const size_t V_size, const size_t max_outputs)
+    {
+        CHECK_AND_ASSERT_MES(L_size >= 6, 0, "Invalid bulletproof L size");
+        CHECK_AND_ASSERT_MES(L_size == R_size, 0, "Mismatched bulletproof L/R size");
         static const size_t extra_bits = 4;
-        static_assert((1 << extra_bits) == BULLETPROOF_MAX_OUTPUTS, "log2(BULLETPROOF_MAX_OUTPUTS) is out of date");
-        CHECK_AND_ASSERT_MES(proof.L.size() <= 6 + extra_bits, 0, "Invalid bulletproof L size");
-        CHECK_AND_ASSERT_MES(proof.V.size() <= (1u<<(proof.L.size()-6)), 0, "Invalid bulletproof V/L");
-        CHECK_AND_ASSERT_MES(proof.V.size() * 2 > (1u<<(proof.L.size()-6)), 0, "Invalid bulletproof V/L");
-        CHECK_AND_ASSERT_MES(proof.V.size() > 0, 0, "Empty bulletproof");
-        return proof.V.size();
+        CHECK_AND_ASSERT_MES((1 << extra_bits) == max_outputs, 0, "log2(max_outputs) is out of date");
+        CHECK_AND_ASSERT_MES(L_size <= 6 + extra_bits, 0, "Invalid bulletproof L size");
+        CHECK_AND_ASSERT_MES(V_size <= (1u<<(L_size-6)), 0, "Invalid bulletproof V/L");
+        CHECK_AND_ASSERT_MES(V_size * 2 > (1u<<(L_size-6)), 0, "Invalid bulletproof V/L");
+        CHECK_AND_ASSERT_MES(V_size > 0, 0, "Empty bulletproof");
+        return V_size;
     }
 
+    size_t n_bulletproof_amounts(const Bulletproof &proof) { return n_bulletproof_amounts_base(proof.L.size(), proof.R.size(), proof.V.size(), BULLETPROOF_MAX_OUTPUTS); }
+    size_t n_bulletproof_plus_amounts(const BulletproofPlus &proof) { return n_bulletproof_amounts_base(proof.L.size(), proof.R.size(), proof.V.size(), BULLETPROOF_PLUS_MAX_OUTPUTS); }
+
     size_t n_bulletproof_amounts(const std::vector<Bulletproof> &proofs)
     {
         size_t n = 0;
@@ -254,15 +281,31 @@ namespace rct {
         return n;
     }
 
-    size_t n_bulletproof_max_amounts(const Bulletproof &proof)
+    size_t n_bulletproof_plus_amounts(const std::vector<BulletproofPlus> &proofs)
+    {
+        size_t n = 0;
+        for (const BulletproofPlus &proof: proofs)
+        {
+            size_t n2 = n_bulletproof_plus_amounts(proof);
+            CHECK_AND_ASSERT_MES(n2 < std::numeric_limits<uint32_t>::max() - n, 0, "Invalid number of bulletproofs");
+            if (n2 == 0)
+                return 0;
+            n += n2;
+        }
+        return n;
+    }
+
+    static size_t n_bulletproof_max_amounts_base(size_t L_size, size_t R_size, size_t max_outputs)
     {
-        CHECK_AND_ASSERT_MES(proof.L.size() >= 6, 0, "Invalid bulletproof L size");
-        CHECK_AND_ASSERT_MES(proof.L.size() == proof.R.size(), 0, "Mismatched bulletproof L/R size");
+        CHECK_AND_ASSERT_MES(L_size >= 6, 0, "Invalid bulletproof L size");
+        CHECK_AND_ASSERT_MES(L_size == R_size, 0, "Mismatched bulletproof L/R size");
         static const size_t extra_bits = 4;
-        static_assert((1 << extra_bits) == BULLETPROOF_MAX_OUTPUTS, "log2(BULLETPROOF_MAX_OUTPUTS) is out of date");
-        CHECK_AND_ASSERT_MES(proof.L.size() <= 6 + extra_bits, 0, "Invalid bulletproof L size");
-        return 1 << (proof.L.size() - 6);
+        CHECK_AND_ASSERT_MES((1 << extra_bits) == max_outputs, 0, "log2(max_outputs) is out of date");
+        CHECK_AND_ASSERT_MES(L_size <= 6 + extra_bits, 0, "Invalid bulletproof L size");
+        return 1 << (L_size - 6);
     }
+    size_t n_bulletproof_max_amounts(const Bulletproof &proof) { return n_bulletproof_max_amounts_base(proof.L.size(), proof.R.size(), BULLETPROOF_MAX_OUTPUTS); }
+    size_t n_bulletproof_plus_max_amounts(const BulletproofPlus &proof) { return n_bulletproof_max_amounts_base(proof.L.size(), proof.R.size(), BULLETPROOF_PLUS_MAX_OUTPUTS); }
 
     size_t n_bulletproof_max_amounts(const std::vector<Bulletproof> &proofs)
     {
@@ -278,4 +321,18 @@ namespace rct {
         return n;
     }
 
+    size_t n_bulletproof_plus_max_amounts(const std::vector<BulletproofPlus> &proofs)
+    {
+        size_t n = 0;
+        for (const BulletproofPlus &proof: proofs)
+        {
+            size_t n2 = n_bulletproof_plus_max_amounts(proof);
+            CHECK_AND_ASSERT_MES(n2 < std::numeric_limits<uint32_t>::max() - n, 0, "Invalid number of bulletproofs");
+            if (n2 == 0)
+                return 0;
+            n += n2;
+        }
+        return n;
+    }
+
 }
diff --git a/src/ringct/rctTypes.h b/src/ringct/rctTypes.h
index 278ff4164..59ed4d6a6 100644
--- a/src/ringct/rctTypes.h
+++ b/src/ringct/rctTypes.h
@@ -238,11 +238,48 @@ namespace rct {
       END_SERIALIZE()
     };
 
+    struct BulletproofPlus
+    {
+      rct::keyV V;
+      rct::key A, A1, B;
+      rct::key r1, s1, d1;
+      rct::keyV L, R;
+
+      BulletproofPlus() {}
+      BulletproofPlus(const rct::key &V, const rct::key &A, const rct::key &A1, const rct::key &B, const rct::key &r1, const rct::key &s1, const rct::key &d1, const rct::keyV &L, const rct::keyV &R):
+        V({V}), A(A), A1(A1), B(B), r1(r1), s1(s1), d1(d1), L(L), R(R) {}
+      BulletproofPlus(const rct::keyV &V, const rct::key &A, const rct::key &A1, const rct::key &B, const rct::key &r1, const rct::key &s1, const rct::key &d1, const rct::keyV &L, const rct::keyV &R):
+        V(V), A(A), A1(A1), B(B), r1(r1), s1(s1), d1(d1), L(L), R(R) {}
+
+      bool operator==(const BulletproofPlus &other) const { return V == other.V && A == other.A && A1 == other.A1 && B == other.B && r1 == other.r1 && s1 == other.s1 && d1 == other.d1 && L == other.L && R == other.R; }
+
+      BEGIN_SERIALIZE_OBJECT()
+        // Commitments aren't saved, they're restored via outPk
+        // FIELD(V)
+        FIELD(A)
+        FIELD(A1)
+        FIELD(B)
+        FIELD(r1)
+        FIELD(s1)
+        FIELD(d1)
+        FIELD(L)
+        FIELD(R)
+
+        if (L.empty() || L.size() != R.size())
+          return false;
+      END_SERIALIZE()
+    };
+
     size_t n_bulletproof_amounts(const Bulletproof &proof);
     size_t n_bulletproof_max_amounts(const Bulletproof &proof);
     size_t n_bulletproof_amounts(const std::vector<Bulletproof> &proofs);
     size_t n_bulletproof_max_amounts(const std::vector<Bulletproof> &proofs);
 
+    size_t n_bulletproof_plus_amounts(const BulletproofPlus &proof);
+    size_t n_bulletproof_plus_max_amounts(const BulletproofPlus &proof);
+    size_t n_bulletproof_plus_amounts(const std::vector<BulletproofPlus> &proofs);
+    size_t n_bulletproof_plus_max_amounts(const std::vector<BulletproofPlus> &proofs);
+
     //A container to hold all signatures necessary for RingCT
     // rangeSigs holds all the rangeproof data of a transaction
     // MG holds the MLSAG signature of a transaction
@@ -257,6 +294,7 @@ namespace rct {
       RCTTypeBulletproof = 3,
       RCTTypeBulletproof2 = 4,
       RCTTypeCLSAG = 5,
+      RCTTypeBulletproofPlus = 6,
     };
     enum RangeProofType { RangeProofBorromean, RangeProofBulletproof, RangeProofMultiOutputBulletproof, RangeProofPaddedBulletproof };
     struct RCTConfig {
@@ -285,7 +323,7 @@ namespace rct {
           FIELD(type)
           if (type == RCTTypeNull)
             return ar.good();
-          if (type != RCTTypeFull && type != RCTTypeSimple && type != RCTTypeBulletproof && type != RCTTypeBulletproof2 && type != RCTTypeCLSAG)
+          if (type != RCTTypeFull && type != RCTTypeSimple && type != RCTTypeBulletproof && type != RCTTypeBulletproof2 && type != RCTTypeCLSAG && type != RCTTypeBulletproofPlus)
             return false;
           VARINT_FIELD(txnFee)
           // inputs/outputs not saved, only here for serialization help
@@ -314,7 +352,7 @@ namespace rct {
             return false;
           for (size_t i = 0; i < outputs; ++i)
           {
-            if (type == RCTTypeBulletproof2 || type == RCTTypeCLSAG)
+            if (type == RCTTypeBulletproof2 || type == RCTTypeCLSAG || type == RCTTypeBulletproofPlus)
             {
               ar.begin_object();
               if (!typename Archive<W>::is_saving())
@@ -360,6 +398,7 @@ namespace rct {
     struct rctSigPrunable {
         std::vector<rangeSig> rangeSigs;
         std::vector<Bulletproof> bulletproofs;
+        std::vector<BulletproofPlus> bulletproofs_plus;
         std::vector<mgSig> MGs; // simple rct has N, full has 1
         std::vector<clsag> CLSAGs;
         keyV pseudoOuts; //C - for simple rct
@@ -376,9 +415,28 @@ namespace rct {
             return false;
           if (type == RCTTypeNull)
             return ar.good();
-          if (type != RCTTypeFull && type != RCTTypeSimple && type != RCTTypeBulletproof && type != RCTTypeBulletproof2 && type != RCTTypeCLSAG)
+          if (type != RCTTypeFull && type != RCTTypeSimple && type != RCTTypeBulletproof && type != RCTTypeBulletproof2 && type != RCTTypeCLSAG && type != RCTTypeBulletproofPlus)
             return false;
-          if (type == RCTTypeBulletproof || type == RCTTypeBulletproof2 || type == RCTTypeCLSAG)
+          if (type == RCTTypeBulletproofPlus)
+          {
+            uint32_t nbp = bulletproofs_plus.size();
+            VARINT_FIELD(nbp)
+            ar.tag("bpp");
+            ar.begin_array();
+            if (nbp > outputs)
+              return false;
+            PREPARE_CUSTOM_VECTOR_SERIALIZATION(nbp, bulletproofs_plus);
+            for (size_t i = 0; i < nbp; ++i)
+            {
+              FIELDS(bulletproofs_plus[i])
+              if (nbp - i > 1)
+                ar.delimit_array();
+            }
+            if (n_bulletproof_plus_max_amounts(bulletproofs_plus) < outputs)
+              return false;
+            ar.end_array();
+          }
+          else if (type == RCTTypeBulletproof || type == RCTTypeBulletproof2 || type == RCTTypeCLSAG)
           {
             uint32_t nbp = bulletproofs.size();
             if (type == RCTTypeBulletproof2 || type == RCTTypeCLSAG)
@@ -416,7 +474,7 @@ namespace rct {
             ar.end_array();
           }
 
-          if (type == RCTTypeCLSAG)
+          if (type == RCTTypeCLSAG || type == RCTTypeBulletproofPlus)
           {
             ar.tag("CLSAGs");
             ar.begin_array();
@@ -507,7 +565,7 @@ namespace rct {
             }
             ar.end_array();
           }
-          if (type == RCTTypeBulletproof || type == RCTTypeBulletproof2 || type == RCTTypeCLSAG)
+          if (type == RCTTypeBulletproof || type == RCTTypeBulletproof2 || type == RCTTypeCLSAG || type == RCTTypeBulletproofPlus)
           {
             ar.tag("pseudoOuts");
             ar.begin_array();
@@ -528,6 +586,7 @@ namespace rct {
         BEGIN_SERIALIZE_OBJECT()
           FIELD(rangeSigs)
           FIELD(bulletproofs)
+          FIELD(bulletproofs_plus)
           FIELD(MGs)
           FIELD(CLSAGs)
           FIELD(pseudoOuts)
@@ -538,12 +597,12 @@ namespace rct {
 
         keyV& get_pseudo_outs()
         {
-          return type == RCTTypeBulletproof || type == RCTTypeBulletproof2 || type == RCTTypeCLSAG ? p.pseudoOuts : pseudoOuts;
+          return type == RCTTypeBulletproof || type == RCTTypeBulletproof2 || type == RCTTypeCLSAG || type == RCTTypeBulletproofPlus ? p.pseudoOuts : pseudoOuts;
         }
 
         keyV const& get_pseudo_outs() const
         {
-          return type == RCTTypeBulletproof || type == RCTTypeBulletproof2 || type == RCTTypeCLSAG ? p.pseudoOuts : pseudoOuts;
+          return type == RCTTypeBulletproof || type == RCTTypeBulletproof2 || type == RCTTypeCLSAG || type == RCTTypeBulletproofPlus ? p.pseudoOuts : pseudoOuts;
         }
 
         BEGIN_SERIALIZE_OBJECT()
@@ -655,7 +714,9 @@ namespace rct {
 
     bool is_rct_simple(int type);
     bool is_rct_bulletproof(int type);
+    bool is_rct_bulletproof_plus(int type);
     bool is_rct_borromean(int type);
+    bool is_rct_clsag(int type);
 
     static inline const rct::key &pk2rct(const crypto::public_key &pk) { return (const rct::key&)pk; }
     static inline const rct::key &sk2rct(const crypto::secret_key &sk) { return (const rct::key&)sk; }
@@ -711,6 +772,7 @@ VARIANT_TAG(debug_archive, rct::Bulletproof, "rct::bulletproof");
 VARIANT_TAG(debug_archive, rct::multisig_kLRki, "rct::multisig_kLRki");
 VARIANT_TAG(debug_archive, rct::multisig_out, "rct::multisig_out");
 VARIANT_TAG(debug_archive, rct::clsag, "rct::clsag");
+VARIANT_TAG(debug_archive, rct::BulletproofPlus, "rct::bulletproof_plus");
 
 VARIANT_TAG(binary_archive, rct::key, 0x90);
 VARIANT_TAG(binary_archive, rct::key64, 0x91);
@@ -728,6 +790,7 @@ VARIANT_TAG(binary_archive, rct::Bulletproof, 0x9c);
 VARIANT_TAG(binary_archive, rct::multisig_kLRki, 0x9d);
 VARIANT_TAG(binary_archive, rct::multisig_out, 0x9e);
 VARIANT_TAG(binary_archive, rct::clsag, 0x9f);
+VARIANT_TAG(binary_archive, rct::BulletproofPlus, 0xa0);
 
 VARIANT_TAG(json_archive, rct::key, "rct_key");
 VARIANT_TAG(json_archive, rct::key64, "rct_key64");
@@ -745,5 +808,6 @@ VARIANT_TAG(json_archive, rct::Bulletproof, "rct_bulletproof");
 VARIANT_TAG(json_archive, rct::multisig_kLRki, "rct_multisig_kLR");
 VARIANT_TAG(json_archive, rct::multisig_out, "rct_multisig_out");
 VARIANT_TAG(json_archive, rct::clsag, "rct_clsag");
+VARIANT_TAG(json_archive, rct::BulletproofPlus, "rct_bulletproof_plus");
 
 #endif  /* RCTTYPES_H */
diff --git a/src/serialization/json_object.cpp b/src/serialization/json_object.cpp
index b03da1edc..bd715dcfd 100644
--- a/src/serialization/json_object.cpp
+++ b/src/serialization/json_object.cpp
@@ -300,7 +300,7 @@ void fromJsonValue(const rapidjson::Value& val, cryptonote::transaction& tx)
   }
 
   const auto& rsig = tx.rct_signatures;
-  if (!cryptonote::is_coinbase(tx) && rsig.p.bulletproofs.empty() && rsig.p.rangeSigs.empty() && rsig.p.MGs.empty() && rsig.get_pseudo_outs().empty() && sigs == val.MemberEnd())
+  if (!cryptonote::is_coinbase(tx) && rsig.p.bulletproofs.empty() && rsig.p.bulletproofs_plus.empty() && rsig.p.rangeSigs.empty() && rsig.p.MGs.empty() && rsig.get_pseudo_outs().empty() && sigs == val.MemberEnd())
     tx.pruned = true;
 }
 
@@ -1100,13 +1100,14 @@ void toJsonValue(rapidjson::Writer<epee::byte_stream>& dest, const rct::rctSig&
   }
 
   // prunable
-  if (!sig.p.bulletproofs.empty() || !sig.p.rangeSigs.empty() || !sig.p.MGs.empty() || !sig.get_pseudo_outs().empty())
+  if (!sig.p.bulletproofs.empty() || !sig.p.bulletproofs_plus.empty() || !sig.p.rangeSigs.empty() || !sig.p.MGs.empty() || !sig.get_pseudo_outs().empty())
   {
     dest.Key("prunable");
     dest.StartObject();
 
     INSERT_INTO_JSON_OBJECT(dest, range_proofs, sig.p.rangeSigs);
     INSERT_INTO_JSON_OBJECT(dest, bulletproofs, sig.p.bulletproofs);
+    INSERT_INTO_JSON_OBJECT(dest, bulletproofs_plus, sig.p.bulletproofs_plus);
     INSERT_INTO_JSON_OBJECT(dest, mlsags, sig.p.MGs);
     INSERT_INTO_JSON_OBJECT(dest, pseudo_outs, sig.get_pseudo_outs());
 
@@ -1141,6 +1142,7 @@ void fromJsonValue(const rapidjson::Value& val, rct::rctSig& sig)
 
     GET_FROM_JSON_OBJECT(prunable->value, sig.p.rangeSigs, range_proofs);
     GET_FROM_JSON_OBJECT(prunable->value, sig.p.bulletproofs, bulletproofs);
+    GET_FROM_JSON_OBJECT(prunable->value, sig.p.bulletproofs_plus, bulletproofs_plus);
     GET_FROM_JSON_OBJECT(prunable->value, sig.p.MGs, mlsags);
     GET_FROM_JSON_OBJECT(prunable->value, pseudo_outs, pseudo_outs);
 
@@ -1150,6 +1152,7 @@ void fromJsonValue(const rapidjson::Value& val, rct::rctSig& sig)
   {
     sig.p.rangeSigs.clear();
     sig.p.bulletproofs.clear();
+    sig.p.bulletproofs_plus.clear();
     sig.p.MGs.clear();
     sig.get_pseudo_outs().clear();
   }
@@ -1258,6 +1261,41 @@ void fromJsonValue(const rapidjson::Value& val, rct::Bulletproof& p)
   GET_FROM_JSON_OBJECT(val, p.t, t);
 }
 
+void toJsonValue(rapidjson::Writer<epee::byte_stream>& dest, const rct::BulletproofPlus& p)
+{
+  dest.StartObject();
+
+  INSERT_INTO_JSON_OBJECT(dest, V, p.V);
+  INSERT_INTO_JSON_OBJECT(dest, A, p.A);
+  INSERT_INTO_JSON_OBJECT(dest, A1, p.A1);
+  INSERT_INTO_JSON_OBJECT(dest, B, p.B);
+  INSERT_INTO_JSON_OBJECT(dest, r1, p.r1);
+  INSERT_INTO_JSON_OBJECT(dest, s1, p.s1);
+  INSERT_INTO_JSON_OBJECT(dest, d1, p.d1);
+  INSERT_INTO_JSON_OBJECT(dest, L, p.L);
+  INSERT_INTO_JSON_OBJECT(dest, R, p.R);
+
+  dest.EndObject();
+}
+
+void fromJsonValue(const rapidjson::Value& val, rct::BulletproofPlus& p)
+{
+  if (!val.IsObject())
+  {
+    throw WRONG_TYPE("json object");
+  }
+
+  GET_FROM_JSON_OBJECT(val, p.V, V);
+  GET_FROM_JSON_OBJECT(val, p.A, A);
+  GET_FROM_JSON_OBJECT(val, p.A1, A1);
+  GET_FROM_JSON_OBJECT(val, p.B, B);
+  GET_FROM_JSON_OBJECT(val, p.r1, r1);
+  GET_FROM_JSON_OBJECT(val, p.s1, s1);
+  GET_FROM_JSON_OBJECT(val, p.d1, d1);
+  GET_FROM_JSON_OBJECT(val, p.L, L);
+  GET_FROM_JSON_OBJECT(val, p.R, R);
+}
+
 void toJsonValue(rapidjson::Writer<epee::byte_stream>& dest, const rct::boroSig& sig)
 {
   dest.StartObject();
diff --git a/src/serialization/json_object.h b/src/serialization/json_object.h
index c858faf5a..4514ad568 100644
--- a/src/serialization/json_object.h
+++ b/src/serialization/json_object.h
@@ -292,6 +292,9 @@ void fromJsonValue(const rapidjson::Value& val, rct::rangeSig& sig);
 void toJsonValue(rapidjson::Writer<epee::byte_stream>& dest, const rct::Bulletproof& p);
 void fromJsonValue(const rapidjson::Value& val, rct::Bulletproof& p);
 
+void toJsonValue(rapidjson::Writer<epee::byte_stream>& dest, const rct::BulletproofPlus& p);
+void fromJsonValue(const rapidjson::Value& val, rct::BulletproofPlus& p);
+
 void toJsonValue(rapidjson::Writer<epee::byte_stream>& dest, const rct::boroSig& sig);
 void fromJsonValue(const rapidjson::Value& val, rct::boroSig& sig);
 
diff --git a/src/wallet/api/wallet.cpp b/src/wallet/api/wallet.cpp
index b058619a3..87242b79c 100644
--- a/src/wallet/api/wallet.cpp
+++ b/src/wallet/api/wallet.cpp
@@ -1742,6 +1742,7 @@ uint64_t WalletImpl::estimateTransactionFee(const std::vector<std::pair<std::str
         extra_size,
         m_wallet->use_fork_rules(8, 0),
         m_wallet->use_fork_rules(HF_VERSION_CLSAG, 0),
+        m_wallet->use_fork_rules(HF_VERSION_BULLETPROOF_PLUS, 0),
         m_wallet->get_base_fee(),
         m_wallet->get_fee_multiplier(m_wallet->adjust_priority(static_cast<uint32_t>(priority))),
         m_wallet->get_fee_quantization_mask());
diff --git a/src/wallet/wallet2.cpp b/src/wallet/wallet2.cpp
index 03106e3e3..f2795b50f 100644
--- a/src/wallet/wallet2.cpp
+++ b/src/wallet/wallet2.cpp
@@ -781,7 +781,7 @@ void drop_from_short_history(std::list<crypto::hash> &short_chain_history, size_
   }
 }
 
-size_t estimate_rct_tx_size(int n_inputs, int mixin, int n_outputs, size_t extra_size, bool bulletproof, bool clsag)
+size_t estimate_rct_tx_size(int n_inputs, int mixin, int n_outputs, size_t extra_size, bool bulletproof, bool clsag, bool bulletproof_plus)
 {
   size_t size = 0;
 
@@ -805,12 +805,12 @@ size_t estimate_rct_tx_size(int n_inputs, int mixin, int n_outputs, size_t extra
   size += 1;
 
   // rangeSigs
-  if (bulletproof)
+  if (bulletproof || bulletproof_plus)
   {
     size_t log_padded_outputs = 0;
     while ((1<<log_padded_outputs) < n_outputs)
       ++log_padded_outputs;
-    size += (2 * (6 + log_padded_outputs) + 4 + 5) * 32 + 3;
+    size += (2 * (6 + log_padded_outputs) + (bulletproof_plus ? 6 : (4 + 5))) * 32 + 3;
   }
   else
     size += (2*64*32+32+64*32) * n_outputs;
@@ -833,29 +833,29 @@ size_t estimate_rct_tx_size(int n_inputs, int mixin, int n_outputs, size_t extra
   // txnFee
   size += 4;
 
-  LOG_PRINT_L2("estimated " << (bulletproof ? "bulletproof" : "borromean") << " rct tx size for " << n_inputs << " inputs with ring size " << (mixin+1) << " and " << n_outputs << " outputs: " << size << " (" << ((32 * n_inputs/*+1*/) + 2 * 32 * (mixin+1) * n_inputs + 32 * n_outputs) << " saved)");
+  LOG_PRINT_L2("estimated " << (bulletproof_plus ? "bulletproof plus" : bulletproof ? "bulletproof" : "borromean") << " rct tx size for " << n_inputs << " inputs with ring size " << (mixin+1) << " and " << n_outputs << " outputs: " << size << " (" << ((32 * n_inputs/*+1*/) + 2 * 32 * (mixin+1) * n_inputs + 32 * n_outputs) << " saved)");
   return size;
 }
 
-size_t estimate_tx_size(bool use_rct, int n_inputs, int mixin, int n_outputs, size_t extra_size, bool bulletproof, bool clsag)
+size_t estimate_tx_size(bool use_rct, int n_inputs, int mixin, int n_outputs, size_t extra_size, bool bulletproof, bool clsag, bool bulletproof_plus)
 {
   if (use_rct)
-    return estimate_rct_tx_size(n_inputs, mixin, n_outputs, extra_size, bulletproof, clsag);
+    return estimate_rct_tx_size(n_inputs, mixin, n_outputs, extra_size, bulletproof, clsag, bulletproof_plus);
   else
     return n_inputs * (mixin+1) * APPROXIMATE_INPUT_BYTES + extra_size;
 }
 
-uint64_t estimate_tx_weight(bool use_rct, int n_inputs, int mixin, int n_outputs, size_t extra_size, bool bulletproof, bool clsag)
+uint64_t estimate_tx_weight(bool use_rct, int n_inputs, int mixin, int n_outputs, size_t extra_size, bool bulletproof, bool clsag, bool bulletproof_plus)
 {
-  size_t size = estimate_tx_size(use_rct, n_inputs, mixin, n_outputs, extra_size, bulletproof, clsag);
-  if (use_rct && bulletproof && n_outputs > 2)
+  size_t size = estimate_tx_size(use_rct, n_inputs, mixin, n_outputs, extra_size, bulletproof, clsag, bulletproof_plus);
+  if (use_rct && (bulletproof || bulletproof_plus) && n_outputs > 2)
   {
-    const uint64_t bp_base = 368;
+    const uint64_t bp_base = (32 * ((bulletproof_plus ? 6 : 9) + 7 * 2)) / 2; // notional size of a 2 output proof, normalized to 1 proof (ie, divided by 2)
     size_t log_padded_outputs = 2;
     while ((1<<log_padded_outputs) < n_outputs)
       ++log_padded_outputs;
     uint64_t nlr = 2 * (6 + log_padded_outputs);
-    const uint64_t bp_size = 32 * (9 + nlr);
+    const uint64_t bp_size = 32 * ((bulletproof_plus ? 6 : 9) + nlr);
     const uint64_t bp_clawback = (bp_base * (1<<log_padded_outputs) - bp_size) * 4 / 5;
     MDEBUG("clawback on size " << size << ": " << bp_clawback);
     size += bp_clawback;
@@ -868,6 +868,11 @@ uint8_t get_bulletproof_fork()
   return 8;
 }
 
+uint8_t get_bulletproof_plus_fork()
+{
+  return HF_VERSION_BULLETPROOF_PLUS;
+}
+
 uint8_t get_clsag_fork()
 {
   return HF_VERSION_CLSAG;
@@ -1817,6 +1822,7 @@ static uint64_t decodeRct(const rct::rctSig & rv, const crypto::key_derivation &
     case rct::RCTTypeBulletproof:
     case rct::RCTTypeBulletproof2:
     case rct::RCTTypeCLSAG:
+    case rct::RCTTypeBulletproofPlus:
       return rct::decodeRctSimple(rv, rct::sk2rct(scalar1), i, mask, hwdev);
     case rct::RCTTypeFull:
       return rct::decodeRct(rv, rct::sk2rct(scalar1), i, mask, hwdev);
@@ -7223,16 +7229,16 @@ bool wallet2::sign_multisig_tx_from_file(const std::string &filename, std::vecto
   return sign_multisig_tx_to_file(exported_txs, filename, txids);
 }
 //----------------------------------------------------------------------------------------------------
-uint64_t wallet2::estimate_fee(bool use_per_byte_fee, bool use_rct, int n_inputs, int mixin, int n_outputs, size_t extra_size, bool bulletproof, bool clsag, uint64_t base_fee, uint64_t fee_multiplier, uint64_t fee_quantization_mask) const
+uint64_t wallet2::estimate_fee(bool use_per_byte_fee, bool use_rct, int n_inputs, int mixin, int n_outputs, size_t extra_size, bool bulletproof, bool clsag, bool bulletproof_plus, uint64_t base_fee, uint64_t fee_multiplier, uint64_t fee_quantization_mask) const
 {
   if (use_per_byte_fee)
   {
-    const size_t estimated_tx_weight = estimate_tx_weight(use_rct, n_inputs, mixin, n_outputs, extra_size, bulletproof, clsag);
+    const size_t estimated_tx_weight = estimate_tx_weight(use_rct, n_inputs, mixin, n_outputs, extra_size, bulletproof, clsag, bulletproof_plus);
     return calculate_fee_from_weight(base_fee, estimated_tx_weight, fee_multiplier, fee_quantization_mask);
   }
   else
   {
-    const size_t estimated_tx_size = estimate_tx_size(use_rct, n_inputs, mixin, n_outputs, extra_size, bulletproof, clsag);
+    const size_t estimated_tx_size = estimate_tx_size(use_rct, n_inputs, mixin, n_outputs, extra_size, bulletproof, clsag, bulletproof_plus);
     return calculate_fee(base_fee, estimated_tx_size, fee_multiplier);
   }
 }
@@ -8953,8 +8959,8 @@ void wallet2::transfer_selected_rct(std::vector<cryptonote::tx_destination_entry
   ptx.construction_data.unlock_time = unlock_time;
   ptx.construction_data.use_rct = true;
   ptx.construction_data.rct_config = {
-    tx.rct_signatures.p.bulletproofs.empty() ? rct::RangeProofBorromean : rct::RangeProofPaddedBulletproof,
-    use_fork_rules(HF_VERSION_CLSAG, -10) ? 3 : use_fork_rules(HF_VERSION_SMALLER_BP, -10) ? 2 : 1
+    rct::RangeProofPaddedBulletproof,
+    use_fork_rules(HF_VERSION_BULLETPROOF_PLUS, -10) ? 4 : 3
   };
   ptx.construction_data.dests = dsts;
   // record which subaddress indices are being used as inputs
@@ -9649,10 +9655,11 @@ std::vector<wallet2::pending_tx> wallet2::create_transactions_2(std::vector<cryp
   const bool use_per_byte_fee = use_fork_rules(HF_VERSION_PER_BYTE_FEE, 0);
   const bool use_rct = use_fork_rules(4, 0);
   const bool bulletproof = use_fork_rules(get_bulletproof_fork(), 0);
+  const bool bulletproof_plus = use_fork_rules(get_bulletproof_plus_fork(), 0);
   const bool clsag = use_fork_rules(get_clsag_fork(), 0);
   const rct::RCTConfig rct_config {
-    bulletproof ? rct::RangeProofPaddedBulletproof : rct::RangeProofBorromean,
-    bulletproof ? (use_fork_rules(HF_VERSION_CLSAG, -10) ? 3 : use_fork_rules(HF_VERSION_SMALLER_BP, -10) ? 2 : 1) : 0
+    rct::RangeProofPaddedBulletproof,
+    bulletproof_plus ? 4 : 3
   };
 
   const uint64_t base_fee  = get_base_fee();
@@ -9688,7 +9695,7 @@ std::vector<wallet2::pending_tx> wallet2::create_transactions_2(std::vector<cryp
   // early out if we know we can't make it anyway
   // we could also check for being within FEE_PER_KB, but if the fee calculation
   // ever changes, this might be missed, so let this go through
-  const uint64_t min_fee = (fee_multiplier * base_fee * estimate_tx_size(use_rct, 1, fake_outs_count, 2, extra.size(), bulletproof, clsag));
+  const uint64_t min_fee = (fee_multiplier * base_fee * estimate_tx_size(use_rct, 1, fake_outs_count, 2, extra.size(), bulletproof, clsag, bulletproof_plus));
   uint64_t balance_subtotal = 0;
   uint64_t unlocked_balance_subtotal = 0;
   for (uint32_t index_minor : subaddr_indices)
@@ -9706,8 +9713,8 @@ std::vector<wallet2::pending_tx> wallet2::create_transactions_2(std::vector<cryp
     LOG_PRINT_L2("Candidate subaddress index for spending: " << i);
 
   // determine threshold for fractional amount
-  const size_t tx_weight_one_ring = estimate_tx_weight(use_rct, 1, fake_outs_count, 2, 0, bulletproof, clsag);
-  const size_t tx_weight_two_rings = estimate_tx_weight(use_rct, 2, fake_outs_count, 2, 0, bulletproof, clsag);
+  const size_t tx_weight_one_ring = estimate_tx_weight(use_rct, 1, fake_outs_count, 2, 0, bulletproof, clsag, bulletproof_plus);
+  const size_t tx_weight_two_rings = estimate_tx_weight(use_rct, 2, fake_outs_count, 2, 0, bulletproof, clsag, bulletproof_plus);
   THROW_WALLET_EXCEPTION_IF(tx_weight_one_ring > tx_weight_two_rings, error::wallet_internal_error, "Estimated tx weight with 1 input is larger than with 2 inputs!");
   const size_t tx_weight_per_ring = tx_weight_two_rings - tx_weight_one_ring;
   const uint64_t fractional_threshold = (fee_multiplier * base_fee * tx_weight_per_ring) / (use_per_byte_fee ? 1 : 1024);
@@ -9804,7 +9811,7 @@ std::vector<wallet2::pending_tx> wallet2::create_transactions_2(std::vector<cryp
   {
     // this is used to build a tx that's 1 or 2 inputs, and 2 outputs, which
     // will get us a known fee.
-    uint64_t estimated_fee = estimate_fee(use_per_byte_fee, use_rct, 2, fake_outs_count, 2, extra.size(), bulletproof, clsag, base_fee, fee_multiplier, fee_quantization_mask);
+    uint64_t estimated_fee = estimate_fee(use_per_byte_fee, use_rct, 2, fake_outs_count, 2, extra.size(), bulletproof, clsag, bulletproof_plus, base_fee, fee_multiplier, fee_quantization_mask);
     preferred_inputs = pick_preferred_rct_inputs(needed_money + estimated_fee, subaddr_account, subaddr_indices);
     if (!preferred_inputs.empty())
     {
@@ -9917,7 +9924,7 @@ std::vector<wallet2::pending_tx> wallet2::create_transactions_2(std::vector<cryp
     }
     else
     {
-      while (!dsts.empty() && dsts[0].amount <= available_amount && estimate_tx_weight(use_rct, tx.selected_transfers.size(), fake_outs_count, tx.dsts.size()+1, extra.size(), bulletproof, clsag) < TX_WEIGHT_TARGET(upper_transaction_weight_limit))
+      while (!dsts.empty() && dsts[0].amount <= available_amount && estimate_tx_weight(use_rct, tx.selected_transfers.size(), fake_outs_count, tx.dsts.size()+1, extra.size(), bulletproof, clsag, bulletproof_plus) < TX_WEIGHT_TARGET(upper_transaction_weight_limit))
       {
         // we can fully pay that destination
         LOG_PRINT_L2("We can fully pay " << get_account_address_as_str(m_nettype, dsts[0].is_subaddress, dsts[0].addr) <<
@@ -9934,7 +9941,8 @@ std::vector<wallet2::pending_tx> wallet2::create_transactions_2(std::vector<cryp
         ++original_output_index;
       }
 
-      if (!out_slots_exhausted && available_amount > 0 && !dsts.empty() && estimate_tx_weight(use_rct, tx.selected_transfers.size(), fake_outs_count, tx.dsts.size()+1, extra.size(), bulletproof, clsag) < TX_WEIGHT_TARGET(upper_transaction_weight_limit)) {
+      if (!out_slots_exhausted && available_amount > 0 && !dsts.empty() &&
+                                                   estimate_tx_weight(use_rct, tx.selected_transfers.size(), fake_outs_count, tx.dsts.size()+1, extra.size(), bulletproof, clsag, bulletproof_plus) < TX_WEIGHT_TARGET(upper_transaction_weight_limit)) {
         // we can partially fill that destination
         LOG_PRINT_L2("We can partially pay " << get_account_address_as_str(m_nettype, dsts[0].is_subaddress, dsts[0].addr) <<
           " for " << print_money(available_amount) << "/" << print_money(dsts[0].amount));
@@ -9972,7 +9980,7 @@ std::vector<wallet2::pending_tx> wallet2::create_transactions_2(std::vector<cryp
       }
       else
       {
-        const size_t estimated_rct_tx_weight = estimate_tx_weight(use_rct, tx.selected_transfers.size(), fake_outs_count, tx.dsts.size()+1, extra.size(), bulletproof, clsag);
+        const size_t estimated_rct_tx_weight = estimate_tx_weight(use_rct, tx.selected_transfers.size(), fake_outs_count, tx.dsts.size()+1, extra.size(), bulletproof, clsag, bulletproof_plus);
         try_tx = dsts.empty() || (estimated_rct_tx_weight >= TX_WEIGHT_TARGET(upper_transaction_weight_limit));
         THROW_WALLET_EXCEPTION_IF(try_tx && tx.dsts.empty(), error::tx_too_big, estimated_rct_tx_weight, upper_transaction_weight_limit);
       }
@@ -9983,7 +9991,7 @@ std::vector<wallet2::pending_tx> wallet2::create_transactions_2(std::vector<cryp
       pending_tx test_ptx;
 
       const size_t num_outputs = get_num_outputs(tx.dsts, m_transfers, tx.selected_transfers);
-      needed_fee = estimate_fee(use_per_byte_fee, use_rct ,tx.selected_transfers.size(), fake_outs_count, num_outputs, extra.size(), bulletproof, clsag, base_fee, fee_multiplier, fee_quantization_mask);
+      needed_fee = estimate_fee(use_per_byte_fee, use_rct ,tx.selected_transfers.size(), fake_outs_count, num_outputs, extra.size(), bulletproof, clsag, bulletproof_plus, base_fee, fee_multiplier, fee_quantization_mask);
 
       auto try_carving_from_partial_payment = [&](uint64_t needed_fee, uint64_t available_for_fee)
       {
@@ -10243,11 +10251,12 @@ std::vector<wallet2::pending_tx> wallet2::create_transactions_all(uint64_t below
   // determine threshold for fractional amount
   const bool use_per_byte_fee = use_fork_rules(HF_VERSION_PER_BYTE_FEE, 0);
   const bool bulletproof = use_fork_rules(get_bulletproof_fork(), 0);
+  const bool bulletproof_plus = use_fork_rules(get_bulletproof_plus_fork(), 0);
   const bool clsag = use_fork_rules(get_clsag_fork(), 0);
   const uint64_t base_fee  = get_base_fee();
   const uint64_t fee_multiplier = get_fee_multiplier(priority, get_fee_algorithm());
-  const size_t tx_weight_one_ring = estimate_tx_weight(use_rct, 1, fake_outs_count, 2, 0, bulletproof, clsag);
-  const size_t tx_weight_two_rings = estimate_tx_weight(use_rct, 2, fake_outs_count, 2, 0, bulletproof, clsag);
+  const size_t tx_weight_one_ring = estimate_tx_weight(use_rct, 1, fake_outs_count, 2, 0, bulletproof, clsag, bulletproof_plus);
+  const size_t tx_weight_two_rings = estimate_tx_weight(use_rct, 2, fake_outs_count, 2, 0, bulletproof, clsag, bulletproof_plus);
   THROW_WALLET_EXCEPTION_IF(tx_weight_one_ring > tx_weight_two_rings, error::wallet_internal_error, "Estimated tx weight with 1 input is larger than with 2 inputs!");
   const size_t tx_weight_per_ring = tx_weight_two_rings - tx_weight_one_ring;
   const uint64_t fractional_threshold = (fee_multiplier * base_fee * tx_weight_per_ring) / (use_per_byte_fee ? 1 : 1024);
@@ -10353,10 +10362,11 @@ std::vector<wallet2::pending_tx> wallet2::create_transactions_from(const crypton
   const bool use_per_byte_fee = use_fork_rules(HF_VERSION_PER_BYTE_FEE);
   const bool use_rct = fake_outs_count > 0 && use_fork_rules(4, 0);
   const bool bulletproof = use_fork_rules(get_bulletproof_fork(), 0);
+  const bool bulletproof_plus = use_fork_rules(get_bulletproof_plus_fork(), 0);
   const bool clsag = use_fork_rules(get_clsag_fork(), 0);
   const rct::RCTConfig rct_config {
-    bulletproof ? rct::RangeProofPaddedBulletproof : rct::RangeProofBorromean,
-    bulletproof ? (use_fork_rules(HF_VERSION_CLSAG, -10) ? 3 : use_fork_rules(HF_VERSION_SMALLER_BP, -10) ? 2 : 1) : 0,
+    rct::RangeProofPaddedBulletproof,
+    bulletproof_plus ? 4 : 3
   };
   const uint64_t base_fee  = get_base_fee();
   const uint64_t fee_multiplier = get_fee_multiplier(priority, get_fee_algorithm());
@@ -10385,7 +10395,7 @@ std::vector<wallet2::pending_tx> wallet2::create_transactions_from(const crypton
     uint64_t fee_dust_threshold;
     if (use_fork_rules(HF_VERSION_PER_BYTE_FEE))
     {
-      const uint64_t estimated_tx_weight_with_one_extra_output = estimate_tx_weight(use_rct, tx.selected_transfers.size() + 1, fake_outs_count, tx.dsts.size()+1, extra.size(), bulletproof, clsag);
+      const uint64_t estimated_tx_weight_with_one_extra_output = estimate_tx_weight(use_rct, tx.selected_transfers.size() + 1, fake_outs_count, tx.dsts.size()+1, extra.size(), bulletproof, clsag, bulletproof_plus);
       fee_dust_threshold = calculate_fee_from_weight(base_fee, estimated_tx_weight_with_one_extra_output, fee_multiplier, fee_quantization_mask);
     }
     else
@@ -10416,7 +10426,7 @@ std::vector<wallet2::pending_tx> wallet2::create_transactions_from(const crypton
     // here, check if we need to sent tx and start a new one
     LOG_PRINT_L2("Considering whether to create a tx now, " << tx.selected_transfers.size() << " inputs, tx limit "
       << upper_transaction_weight_limit);
-    const size_t estimated_rct_tx_weight = estimate_tx_weight(use_rct, tx.selected_transfers.size(), fake_outs_count, tx.dsts.size() + 2, extra.size(), bulletproof, clsag);
+    const size_t estimated_rct_tx_weight = estimate_tx_weight(use_rct, tx.selected_transfers.size(), fake_outs_count, tx.dsts.size() + 2, extra.size(), bulletproof, clsag, bulletproof_plus);
     bool try_tx = (unused_dust_indices.empty() && unused_transfers_indices.empty()) || ( estimated_rct_tx_weight >= TX_WEIGHT_TARGET(upper_transaction_weight_limit));
 
     if (try_tx) {
@@ -10424,7 +10434,7 @@ std::vector<wallet2::pending_tx> wallet2::create_transactions_from(const crypton
       pending_tx test_ptx;
 
       const size_t num_outputs = get_num_outputs(tx.dsts, m_transfers, tx.selected_transfers);
-      needed_fee = estimate_fee(use_per_byte_fee, use_rct, tx.selected_transfers.size(), fake_outs_count, num_outputs, extra.size(), bulletproof, clsag, base_fee, fee_multiplier, fee_quantization_mask);
+      needed_fee = estimate_fee(use_per_byte_fee, use_rct, tx.selected_transfers.size(), fake_outs_count, num_outputs, extra.size(), bulletproof, clsag, bulletproof_plus, base_fee, fee_multiplier, fee_quantization_mask);
 
       // add N - 1 outputs for correct initial fee estimation
       for (size_t i = 0; i < ((outputs > 1) ? outputs - 1 : outputs); ++i)
@@ -11286,8 +11296,10 @@ void wallet2::check_tx_key_helper(const cryptonote::transaction &tx, const crypt
         crypto::secret_key scalar1;
         crypto::derivation_to_scalar(found_derivation, n, scalar1);
         rct::ecdhTuple ecdh_info = tx.rct_signatures.ecdhInfo[n];
-        rct::ecdhDecode(ecdh_info, rct::sk2rct(scalar1), tx.rct_signatures.type == rct::RCTTypeBulletproof2 || tx.rct_signatures.type == rct::RCTTypeCLSAG);
-        const rct::key C = tx.rct_signatures.outPk[n].mask;
+        rct::ecdhDecode(ecdh_info, rct::sk2rct(scalar1), tx.rct_signatures.type == rct::RCTTypeBulletproof2 || tx.rct_signatures.type == rct::RCTTypeCLSAG || tx.rct_signatures.type == rct::RCTTypeBulletproofPlus);
+        rct::key C = tx.rct_signatures.outPk[n].mask;
+        if (rct::is_rct_bulletproof_plus(tx.rct_signatures.type))
+          C = rct::scalarmult8(C);
         rct::key Ctmp;
         THROW_WALLET_EXCEPTION_IF(sc_check(ecdh_info.mask.bytes) != 0, error::wallet_internal_error, "Bad ECDH input mask");
         THROW_WALLET_EXCEPTION_IF(sc_check(ecdh_info.amount.bytes) != 0, error::wallet_internal_error, "Bad ECDH input amount");
@@ -11939,7 +11951,7 @@ bool wallet2::check_reserve_proof(const cryptonote::account_public_address &addr
       crypto::secret_key shared_secret;
       crypto::derivation_to_scalar(derivation, proof.index_in_tx, shared_secret);
       rct::ecdhTuple ecdh_info = tx.rct_signatures.ecdhInfo[proof.index_in_tx];
-      rct::ecdhDecode(ecdh_info, rct::sk2rct(shared_secret), tx.rct_signatures.type == rct::RCTTypeBulletproof2 || tx.rct_signatures.type == rct::RCTTypeCLSAG);
+      rct::ecdhDecode(ecdh_info, rct::sk2rct(shared_secret), tx.rct_signatures.type == rct::RCTTypeBulletproof2 || tx.rct_signatures.type == rct::RCTTypeCLSAG || tx.rct_signatures.type == rct::RCTTypeBulletproofPlus);
       amount = rct::h2d(ecdh_info.amount);
     }
     total += amount;
@@ -14073,9 +14085,10 @@ std::pair<size_t, uint64_t> wallet2::estimate_tx_size_and_weight(bool use_rct, i
     n_outputs = 2; // extra dummy output
 
   const bool bulletproof = use_fork_rules(get_bulletproof_fork(), 0);
+  const bool bulletproof_plus = use_fork_rules(get_bulletproof_plus_fork(), 0);
   const bool clsag = use_fork_rules(get_clsag_fork(), 0);
-  size_t size = estimate_tx_size(use_rct, n_inputs, ring_size - 1, n_outputs, extra_size, bulletproof, clsag);
-  uint64_t weight = estimate_tx_weight(use_rct, n_inputs, ring_size - 1, n_outputs, extra_size, bulletproof, clsag);
+  size_t size = estimate_tx_size(use_rct, n_inputs, ring_size - 1, n_outputs, extra_size, bulletproof, clsag, bulletproof_plus);
+  uint64_t weight = estimate_tx_weight(use_rct, n_inputs, ring_size - 1, n_outputs, extra_size, bulletproof, clsag, bulletproof_plus);
   return std::make_pair(size, weight);
 }
 //----------------------------------------------------------------------------------------------------
diff --git a/src/wallet/wallet2.h b/src/wallet/wallet2.h
index 51ca6e038..ccf9a96a3 100644
--- a/src/wallet/wallet2.h
+++ b/src/wallet/wallet2.h
@@ -1388,7 +1388,7 @@ private:
     std::vector<std::pair<uint64_t, uint64_t>> estimate_backlog(const std::vector<std::pair<double, double>> &fee_levels);
     std::vector<std::pair<uint64_t, uint64_t>> estimate_backlog(uint64_t min_tx_weight, uint64_t max_tx_weight, const std::vector<uint64_t> &fees);
 
-    uint64_t estimate_fee(bool use_per_byte_fee, bool use_rct, int n_inputs, int mixin, int n_outputs, size_t extra_size, bool bulletproof, bool clsag, uint64_t base_fee, uint64_t fee_multiplier, uint64_t fee_quantization_mask) const;
+    uint64_t estimate_fee(bool use_per_byte_fee, bool use_rct, int n_inputs, int mixin, int n_outputs, size_t extra_size, bool bulletproof, bool clsag, bool bulletproof_plus, uint64_t base_fee, uint64_t fee_multiplier, uint64_t fee_quantization_mask) const;
     uint64_t get_fee_multiplier(uint32_t priority, int fee_algorithm = -1);
     uint64_t get_base_fee();
     uint64_t get_fee_quantization_mask();
diff --git a/tests/core_tests/CMakeLists.txt b/tests/core_tests/CMakeLists.txt
index 7455639ca..c8583c476 100644
--- a/tests/core_tests/CMakeLists.txt
+++ b/tests/core_tests/CMakeLists.txt
@@ -44,6 +44,7 @@ set(core_tests_sources
   v2_tests.cpp
   rct.cpp
   bulletproofs.cpp
+  bulletproof_plus.cpp
   rct2.cpp
   wallet_tools.cpp)
 
@@ -65,6 +66,7 @@ set(core_tests_headers
   v2_tests.h
   rct.h
   bulletproofs.h
+  bulletproof_plus.h
   rct2.h
   wallet_tools.h)
 
diff --git a/tests/core_tests/bulletproof_plus.cpp b/tests/core_tests/bulletproof_plus.cpp
new file mode 100644
index 000000000..c3879e646
--- /dev/null
+++ b/tests/core_tests/bulletproof_plus.cpp
@@ -0,0 +1,373 @@
+// Copyright (c) 2014-2020, The Monero Project
+// 
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+// 
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+// 
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+// 
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+// 
+// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
+
+#include "ringct/rctSigs.h"
+#include "ringct/bulletproofs_plus.h"
+#include "chaingen.h"
+#include "bulletproof_plus.h"
+#include "device/device.hpp"
+
+using namespace epee;
+using namespace crypto;
+using namespace cryptonote;
+
+//----------------------------------------------------------------------------------------------------------------------
+// Tests
+
+bool gen_bpp_tx_validation_base::generate_with(std::vector<test_event_entry>& events,
+    size_t mixin, size_t n_txes, const uint64_t *amounts_paid, bool valid, const rct::RCTConfig *rct_config, uint8_t hf_version,
+    const std::function<bool(std::vector<tx_source_entry> &sources, std::vector<tx_destination_entry> &destinations, size_t tx_idx)> &pre_tx,
+    const std::function<bool(transaction &tx, size_t tx_idx)> &post_tx) const
+{
+  uint64_t ts_start = 1338224400;
+
+  GENERATE_ACCOUNT(miner_account);
+  MAKE_GENESIS_BLOCK(events, blk_0, miner_account, ts_start);
+
+  // create 12 miner accounts, and have them mine the next 12 blocks
+  cryptonote::account_base miner_accounts[12];
+  const cryptonote::block *prev_block = &blk_0;
+  cryptonote::block blocks[12 + CRYPTONOTE_MINED_MONEY_UNLOCK_WINDOW];
+  for (size_t n = 0; n < 12; ++n) {
+    miner_accounts[n].generate();
+    CHECK_AND_ASSERT_MES(generator.construct_block_manually(blocks[n], *prev_block, miner_accounts[n],
+        test_generator::bf_major_ver | test_generator::bf_minor_ver | test_generator::bf_timestamp | test_generator::bf_hf_version,
+        2, 2, prev_block->timestamp + DIFFICULTY_BLOCKS_ESTIMATE_TIMESPAN * 2, // v2 has blocks twice as long
+          crypto::hash(), 0, transaction(), std::vector<crypto::hash>(), 0, 0, 2),
+        false, "Failed to generate block");
+    events.push_back(blocks[n]);
+    prev_block = blocks + n;
+  }
+
+  // rewind
+  cryptonote::block blk_r, blk_last;
+  {
+    blk_last = blocks[11];
+    for (size_t i = 0; i < CRYPTONOTE_MINED_MONEY_UNLOCK_WINDOW; ++i)
+    {
+      CHECK_AND_ASSERT_MES(generator.construct_block_manually(blocks[12+i], blk_last, miner_account,
+          test_generator::bf_major_ver | test_generator::bf_minor_ver | test_generator::bf_timestamp | test_generator::bf_hf_version,
+          2, 2, blk_last.timestamp + DIFFICULTY_BLOCKS_ESTIMATE_TIMESPAN * 2, // v2 has blocks twice as long
+          crypto::hash(), 0, transaction(), std::vector<crypto::hash>(), 0, 0, 2),
+          false, "Failed to generate block");
+      events.push_back(blocks[12+i]);
+      blk_last = blocks[12+i];
+    }
+    blk_r = blk_last;
+  }
+
+  // create 4 txes from these miners in another block, to generate some rct outputs
+  std::vector<transaction> rct_txes;
+  cryptonote::block blk_txes;
+  std::vector<crypto::hash> starting_rct_tx_hashes;
+  uint64_t fees = 0;
+  static const uint64_t input_amounts_available[] = {5000000000000, 30000000000000, 100000000000, 80000000000};
+  for (size_t n = 0; n < n_txes; ++n)
+  {
+    std::vector<tx_source_entry> sources;
+
+    sources.resize(1);
+    tx_source_entry& src = sources.back();
+
+    const uint64_t needed_amount = input_amounts_available[n];
+    src.amount = input_amounts_available[n];
+    size_t real_index_in_tx = 0;
+    for (size_t m = 0; m <= mixin; ++m) {
+      size_t index_in_tx = 0;
+      for (size_t i = 0; i < blocks[m].miner_tx.vout.size(); ++i)
+        if (blocks[m].miner_tx.vout[i].amount == needed_amount)
+          index_in_tx = i;
+      CHECK_AND_ASSERT_MES(blocks[m].miner_tx.vout[index_in_tx].amount == needed_amount, false, "Expected amount not found");
+      src.push_output(m, boost::get<txout_to_key>(blocks[m].miner_tx.vout[index_in_tx].target).key, src.amount);
+      if (m == n)
+        real_index_in_tx = index_in_tx;
+    }
+    src.real_out_tx_key = cryptonote::get_tx_pub_key_from_extra(blocks[n].miner_tx);
+    src.real_output = n;
+    src.real_output_in_tx_index = real_index_in_tx;
+    src.mask = rct::identity();
+    src.rct = false;
+
+    //fill outputs entry
+    tx_destination_entry td;
+    td.addr = miner_accounts[n].get_keys().m_account_address;
+    std::vector<tx_destination_entry> destinations;
+    for (int o = 0; amounts_paid[o] != (uint64_t)-1; ++o)
+    {
+      td.amount = amounts_paid[o];
+      destinations.push_back(td);
+    }
+
+    if (pre_tx && !pre_tx(sources, destinations, n))
+    {
+      MDEBUG("pre_tx returned failure");
+      return false;
+    }
+
+    crypto::secret_key tx_key;
+    std::vector<crypto::secret_key> additional_tx_keys;
+    std::unordered_map<crypto::public_key, cryptonote::subaddress_index> subaddresses;
+    subaddresses[miner_accounts[n].get_keys().m_account_address.m_spend_public_key] = {0,0};
+    rct_txes.resize(rct_txes.size() + 1);
+    bool r = construct_tx_and_get_tx_key(miner_accounts[n].get_keys(), subaddresses, sources, destinations, cryptonote::account_public_address{}, std::vector<uint8_t>(), rct_txes.back(), 0, tx_key, additional_tx_keys, true, rct_config[n]);
+    CHECK_AND_ASSERT_MES(r, false, "failed to construct transaction");
+
+    if (post_tx && !post_tx(rct_txes.back(), n))
+    {
+      MDEBUG("post_tx returned failure");
+      return false;
+    }
+
+    //events.push_back(rct_txes.back());
+    starting_rct_tx_hashes.push_back(get_transaction_hash(rct_txes.back()));
+    LOG_PRINT_L0("Test tx: " << obj_to_json_str(rct_txes.back()));
+
+    for (int o = 0; amounts_paid[o] != (uint64_t)-1; ++o)
+    {
+      crypto::key_derivation derivation;
+      bool r = crypto::generate_key_derivation(destinations[o].addr.m_view_public_key, tx_key, derivation);
+      CHECK_AND_ASSERT_MES(r, false, "Failed to generate key derivation");
+      crypto::secret_key amount_key;
+      crypto::derivation_to_scalar(derivation, o, amount_key);
+      rct::key rct_tx_mask;
+      const uint8_t type = rct_txes.back().rct_signatures.type;
+      if (rct::is_rct_simple(type))
+        rct::decodeRctSimple(rct_txes.back().rct_signatures, rct::sk2rct(amount_key), o, rct_tx_mask, hw::get_device("default"));
+      else
+        rct::decodeRct(rct_txes.back().rct_signatures, rct::sk2rct(amount_key), o, rct_tx_mask, hw::get_device("default"));
+    }
+
+    while (amounts_paid[0] != (size_t)-1)
+      ++amounts_paid;
+    ++amounts_paid;
+
+    uint64_t fee = 0;
+    get_tx_fee(rct_txes.back(), fee);
+    fees += fee;
+  }
+  if (!valid)
+    DO_CALLBACK(events, "mark_invalid_tx");
+  events.push_back(rct_txes);
+
+  CHECK_AND_ASSERT_MES(generator.construct_block_manually(blk_txes, blk_last, miner_account,
+      test_generator::bf_major_ver | test_generator::bf_minor_ver | test_generator::bf_timestamp | test_generator::bf_tx_hashes | test_generator::bf_hf_version | test_generator::bf_max_outs | test_generator::bf_tx_fees,
+      hf_version, hf_version, blk_last.timestamp + DIFFICULTY_BLOCKS_ESTIMATE_TIMESPAN * 2, // v2 has blocks twice as long
+      crypto::hash(), 0, transaction(), starting_rct_tx_hashes, 0, 6, hf_version, fees),
+      false, "Failed to generate block");
+  if (!valid)
+    DO_CALLBACK(events, "mark_invalid_block");
+  events.push_back(blk_txes);
+  blk_last = blk_txes;
+
+  return true;
+}
+
+bool gen_bpp_tx_validation_base::check_bpp(const cryptonote::transaction &tx, size_t tx_idx, const size_t *sizes, const char *context) const
+{
+  DEFINE_TESTS_ERROR_CONTEXT(context);
+  CHECK_TEST_CONDITION(tx.version >= 2);
+  CHECK_TEST_CONDITION(rct::is_rct_bulletproof_plus(tx.rct_signatures.type));
+  size_t n_sizes = 0, n_amounts = 0;
+  for (size_t n = 0; n < tx_idx; ++n)
+  {
+    while (sizes[0] != (size_t)-1)
+      ++sizes;
+    ++sizes;
+  }
+  while (sizes[n_sizes] != (size_t)-1)
+    n_amounts += sizes[n_sizes++];
+  CHECK_TEST_CONDITION(tx.rct_signatures.p.bulletproofs_plus.size() == n_sizes);
+  CHECK_TEST_CONDITION(rct::n_bulletproof_plus_max_amounts(tx.rct_signatures.p.bulletproofs_plus) == n_amounts);
+  for (size_t n = 0; n < n_sizes; ++n)
+    CHECK_TEST_CONDITION(rct::n_bulletproof_plus_max_amounts(tx.rct_signatures.p.bulletproofs_plus[n]) == sizes[n]);
+  return true;
+}
+
+bool gen_bpp_tx_invalid_before_fork::generate(std::vector<test_event_entry>& events) const
+{
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {5000, 5000, (uint64_t)-1};
+  const size_t bp_sizes[] = {2, (size_t)-1};
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofPaddedBulletproof, 4 } };
+  return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_BULLETPROOF_PLUS - 1, NULL, [&](const cryptonote::transaction &tx, size_t tx_idx){ return check_bpp(tx, tx_idx, bp_sizes, "gen_bpp_tx_invalid_before_fork"); });
+}
+
+bool gen_bpp_tx_valid_at_fork::generate(std::vector<test_event_entry>& events) const
+{
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {5000, 5000, (uint64_t)-1};
+  const size_t bp_sizes[] = {2, (size_t)-1};
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofPaddedBulletproof, 4 } };
+  return generate_with(events, mixin, 1, amounts_paid, true, rct_config, HF_VERSION_BULLETPROOF_PLUS, NULL, [&](const cryptonote::transaction &tx, size_t tx_idx){ return check_bpp(tx, tx_idx, bp_sizes, "gen_bpp_tx_valid_at_fork"); });
+}
+
+bool gen_bpp_tx_invalid_1_1::generate(std::vector<test_event_entry>& events) const
+{
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {5000, 5000, (uint64_t)-1};
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofBulletproof , 4 } };
+  return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_BULLETPROOF_PLUS, NULL, NULL);
+}
+
+bool gen_bpp_tx_valid_2::generate(std::vector<test_event_entry>& events) const
+{
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {5000, 5000, (uint64_t)-1};
+  const size_t bp_sizes[] = {2, (size_t)-1};
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofPaddedBulletproof, 4 } };
+  return generate_with(events, mixin, 1, amounts_paid, true, rct_config, HF_VERSION_BULLETPROOF_PLUS, NULL, [&](const cryptonote::transaction &tx, size_t tx_idx){ return check_bpp(tx, tx_idx, bp_sizes, "gen_bpp_tx_valid_2"); });
+}
+
+bool gen_bpp_tx_valid_3::generate(std::vector<test_event_entry>& events) const
+{
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {5000, 5000, 5000, (uint64_t)-1};
+  const size_t bp_sizes[] = {4, (size_t)-1};
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofPaddedBulletproof , 4 } };
+  return generate_with(events, mixin, 1, amounts_paid, true, rct_config, HF_VERSION_BULLETPROOF_PLUS, NULL, [&](const cryptonote::transaction &tx, size_t tx_idx){ return check_bpp(tx, tx_idx, bp_sizes, "gen_bpp_tx_valid_3"); });
+}
+
+bool gen_bpp_tx_valid_16::generate(std::vector<test_event_entry>& events) const
+{
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {500, 500, 500, 500, 500, 500, 500, 500, 500, 500, 500, 500, 500, 500, 500, 500, (uint64_t)-1};
+  const size_t bp_sizes[] = {16, (size_t)-1};
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofPaddedBulletproof , 4 } };
+  return generate_with(events, mixin, 1, amounts_paid, true, rct_config, HF_VERSION_BULLETPROOF_PLUS, NULL, [&](const cryptonote::transaction &tx, size_t tx_idx){ return check_bpp(tx, tx_idx, bp_sizes, "gen_bpp_tx_valid_16"); });
+}
+
+bool gen_bpp_tx_invalid_4_2_1::generate(std::vector<test_event_entry>& events) const
+{
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {1000, 1000, 1000, 1000, 1000, 1000, 1000, (uint64_t)-1};
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofMultiOutputBulletproof , 4 } };
+  return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_BULLETPROOF_PLUS, NULL, NULL);
+}
+
+bool gen_bpp_tx_invalid_16_16::generate(std::vector<test_event_entry>& events) const
+{
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, (uint64_t)-1};
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofMultiOutputBulletproof , 4 } };
+  return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_BULLETPROOF_PLUS, NULL, NULL);
+}
+
+bool gen_bpp_txs_valid_2_and_2::generate(std::vector<test_event_entry>& events) const
+{
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {1000, 1000, (size_t)-1, 1000, 1000, (uint64_t)-1};
+  const size_t bp_sizes[] = {2, (size_t)-1, 2, (size_t)-1};
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofPaddedBulletproof, 4 }, {rct::RangeProofPaddedBulletproof, 4 } };
+  return generate_with(events, mixin, 2, amounts_paid, true, rct_config, HF_VERSION_BULLETPROOF_PLUS, NULL, [&](const cryptonote::transaction &tx, size_t tx_idx){ return check_bpp(tx, tx_idx, bp_sizes, "gen_bpp_txs_valid_2_and_2"); });
+}
+
+bool gen_bpp_txs_invalid_2_and_8_2_and_16_16_1::generate(std::vector<test_event_entry>& events) const
+{
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {1000, 1000, (uint64_t)-1, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, (uint64_t)-1, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, (uint64_t)-1};
+  const rct::RCTConfig rct_config[] = {{rct::RangeProofMultiOutputBulletproof, 4}, {rct::RangeProofMultiOutputBulletproof, 4}, {rct::RangeProofMultiOutputBulletproof, 4}};
+  return generate_with(events, mixin, 3, amounts_paid, false, rct_config, HF_VERSION_BULLETPROOF_PLUS, NULL, NULL);
+}
+
+bool gen_bpp_txs_valid_2_and_3_and_2_and_4::generate(std::vector<test_event_entry>& events) const
+{
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {11111115000, 11111115000, (uint64_t)-1, 11111115000, 11111115000, 11111115001, (uint64_t)-1, 11111115000, 11111115002, (uint64_t)-1, 11111115000, 11111115000, 11111115000, 11111115003, (uint64_t)-1};
+  const rct::RCTConfig rct_config[] = {{rct::RangeProofPaddedBulletproof, 4}, {rct::RangeProofPaddedBulletproof, 4}, {rct::RangeProofPaddedBulletproof, 4}, {rct::RangeProofPaddedBulletproof, 4}};
+  const size_t bp_sizes[] = {2, (size_t)-1, 4, (size_t)-1, 2, (size_t)-1, 4, (size_t)-1};
+  return generate_with(events, mixin, 4, amounts_paid, true, rct_config, HF_VERSION_BULLETPROOF_PLUS, NULL, [&](const cryptonote::transaction &tx, size_t tx_idx) { return check_bpp(tx, tx_idx, bp_sizes, "gen_bpp_txs_valid_2_and_3_and_2_and_4"); });
+}
+
+bool gen_bpp_tx_invalid_not_enough_proofs::generate(std::vector<test_event_entry>& events) const
+{
+  DEFINE_TESTS_ERROR_CONTEXT("gen_bpp_tx_invalid_not_enough_proofs");
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {5000, 5000, (uint64_t)-1};
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofBulletproof, 4 } };
+  return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_BULLETPROOF_PLUS, NULL, [&](cryptonote::transaction &tx, size_t idx){
+    CHECK_TEST_CONDITION(tx.rct_signatures.type == rct::RCTTypeBulletproofPlus);
+    CHECK_TEST_CONDITION(!tx.rct_signatures.p.bulletproofs_plus.empty());
+    tx.rct_signatures.p.bulletproofs_plus.pop_back();
+    CHECK_TEST_CONDITION(!tx.rct_signatures.p.bulletproofs_plus.empty());
+    return true;
+  });
+}
+
+bool gen_bpp_tx_invalid_empty_proofs::generate(std::vector<test_event_entry>& events) const
+{
+  DEFINE_TESTS_ERROR_CONTEXT("gen_bpp_tx_invalid_empty_proofs");
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {50000, 50000, (uint64_t)-1};
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofBulletproof, 4 } };
+  return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_BULLETPROOF_PLUS, NULL, [&](cryptonote::transaction &tx, size_t idx){
+    CHECK_TEST_CONDITION(tx.rct_signatures.type == rct::RCTTypeBulletproofPlus);
+    tx.rct_signatures.p.bulletproofs_plus.clear();
+    return true;
+  });
+}
+
+bool gen_bpp_tx_invalid_too_many_proofs::generate(std::vector<test_event_entry>& events) const
+{
+  DEFINE_TESTS_ERROR_CONTEXT("gen_bpp_tx_invalid_too_many_proofs");
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {10000, (uint64_t)-1};
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofBulletproof, 4 } };
+  return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_BULLETPROOF_PLUS, NULL, [&](cryptonote::transaction &tx, size_t idx){
+    CHECK_TEST_CONDITION(tx.rct_signatures.type == rct::RCTTypeBulletproofPlus);
+    CHECK_TEST_CONDITION(!tx.rct_signatures.p.bulletproofs_plus.empty());
+    tx.rct_signatures.p.bulletproofs_plus.push_back(tx.rct_signatures.p.bulletproofs_plus.back());
+    return true;
+  });
+}
+
+bool gen_bpp_tx_invalid_wrong_amount::generate(std::vector<test_event_entry>& events) const
+{
+  DEFINE_TESTS_ERROR_CONTEXT("gen_bpp_tx_invalid_wrong_amount");
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {10000, (uint64_t)-1};
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofBulletproof, 4 } };
+  return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_BULLETPROOF_PLUS, NULL, [&](cryptonote::transaction &tx, size_t idx){
+    CHECK_TEST_CONDITION(tx.rct_signatures.type == rct::RCTTypeBulletproofPlus);
+    CHECK_TEST_CONDITION(!tx.rct_signatures.p.bulletproofs_plus.empty());
+    tx.rct_signatures.p.bulletproofs_plus.back() = rct::bulletproof_plus_PROVE(1000, rct::skGen());
+    return true;
+  });
+}
+
+bool gen_bpp_tx_invalid_clsag_type::generate(std::vector<test_event_entry>& events) const
+{
+  DEFINE_TESTS_ERROR_CONTEXT("gen_bpp_tx_invalid_clsag_type");
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {5000, 5000, (uint64_t)-1};
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofPaddedBulletproof, 3 } };
+  return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_BULLETPROOF_PLUS + 1, NULL, [&](cryptonote::transaction &tx, size_t tx_idx){
+    return true;
+  });
+}
diff --git a/tests/core_tests/bulletproof_plus.h b/tests/core_tests/bulletproof_plus.h
new file mode 100644
index 000000000..481044fd4
--- /dev/null
+++ b/tests/core_tests/bulletproof_plus.h
@@ -0,0 +1,206 @@
+// Copyright (c) 2014-2020, The Monero Project
+// 
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+// 
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+// 
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+// 
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+// 
+// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
+
+#pragma once 
+#include "chaingen.h"
+
+struct gen_bpp_tx_validation_base : public test_chain_unit_base
+{
+  gen_bpp_tx_validation_base()
+    : m_invalid_tx_index(0)
+    , m_invalid_block_index(0)
+  {
+    REGISTER_CALLBACK_METHOD(gen_bpp_tx_validation_base, mark_invalid_tx);
+    REGISTER_CALLBACK_METHOD(gen_bpp_tx_validation_base, mark_invalid_block);
+  }
+
+  bool check_tx_verification_context(const cryptonote::tx_verification_context& tvc, bool tx_added, size_t event_idx, const cryptonote::transaction& /*tx*/)
+  {
+    if (m_invalid_tx_index == event_idx)
+      return tvc.m_verifivation_failed;
+    else
+      return !tvc.m_verifivation_failed && tx_added;
+  }
+
+  bool check_tx_verification_context_array(const std::vector<cryptonote::tx_verification_context>& tvcs, size_t tx_added, size_t event_idx, const std::vector<cryptonote::transaction>& /*txs*/)
+  {
+    size_t failed = 0;
+    for (const cryptonote::tx_verification_context &tvc: tvcs)
+      if (tvc.m_verifivation_failed)
+        ++failed;
+    if (m_invalid_tx_index == event_idx)
+      return failed > 0;
+    else
+      return failed == 0 && tx_added == tvcs.size();
+  }
+
+  bool check_block_verification_context(const cryptonote::block_verification_context& bvc, size_t event_idx, const cryptonote::block& /*block*/)
+  {
+    if (m_invalid_block_index == event_idx)
+      return bvc.m_verifivation_failed;
+    else
+      return !bvc.m_verifivation_failed;
+  }
+
+  bool mark_invalid_block(cryptonote::core& /*c*/, size_t ev_index, const std::vector<test_event_entry>& /*events*/)
+  {
+    m_invalid_block_index = ev_index + 1;
+    return true;
+  }
+
+  bool mark_invalid_tx(cryptonote::core& /*c*/, size_t ev_index, const std::vector<test_event_entry>& /*events*/)
+  {
+    m_invalid_tx_index = ev_index + 1;
+    return true;
+  }
+
+  bool generate_with(std::vector<test_event_entry>& events, size_t mixin,
+      size_t n_txes, const uint64_t *amounts_paid, bool valid, const rct::RCTConfig *rct_config, uint8_t hf_version,
+      const std::function<bool(std::vector<cryptonote::tx_source_entry> &sources, std::vector<cryptonote::tx_destination_entry> &destinations, size_t)> &pre_tx,
+      const std::function<bool(cryptonote::transaction &tx, size_t)> &post_tx) const;
+
+  bool check_bpp(const cryptonote::transaction &tx, size_t tx_idx, const size_t *sizes, const char *context) const;
+
+private:
+  size_t m_invalid_tx_index;
+  size_t m_invalid_block_index;
+};
+
+template<>
+struct get_test_options<gen_bpp_tx_validation_base> {
+  const std::pair<uint8_t, uint64_t> hard_forks[4] = {std::make_pair(1, 0), std::make_pair(2, 1), std::make_pair(HF_VERSION_BULLETPROOF_PLUS, 73), std::make_pair(0, 0)};
+  const cryptonote::test_options test_options = {
+    hard_forks, 0
+  };
+};
+
+template<uint8_t test_version = 1>
+struct get_bpp_versioned_test_options: public get_test_options<gen_bpp_tx_validation_base> {
+  const std::pair<uint8_t, uint64_t> hard_forks[4] = {std::make_pair(1, 0), std::make_pair(2, 1), std::make_pair(test_version, 73), std::make_pair(0, 0)};
+  const cryptonote::test_options test_options = {
+    hard_forks, 0
+  };
+};
+
+struct gen_bpp_tx_invalid_before_fork : public gen_bpp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bpp_tx_invalid_before_fork>: public get_bpp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS - 1> {};
+
+struct gen_bpp_tx_valid_at_fork : public gen_bpp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bpp_tx_valid_at_fork>: public get_bpp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS> {};
+
+struct gen_bpp_tx_invalid_1_1 : public gen_bpp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bpp_tx_invalid_1_1>: public get_bpp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS> {};
+
+struct gen_bpp_tx_valid_2 : public gen_bpp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bpp_tx_valid_2>: public get_bpp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS> {};
+
+struct gen_bpp_tx_valid_3 : public gen_bpp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bpp_tx_valid_3>: public get_bpp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS> {};
+
+struct gen_bpp_tx_valid_16 : public gen_bpp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bpp_tx_valid_16>: public get_bpp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS> {};
+
+struct gen_bpp_tx_invalid_4_2_1 : public gen_bpp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bpp_tx_invalid_4_2_1>: public get_bpp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS> {};
+
+struct gen_bpp_tx_invalid_16_16 : public gen_bpp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bpp_tx_invalid_16_16>: public get_bpp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS> {};
+
+struct gen_bpp_txs_valid_2_and_2 : public gen_bpp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bpp_txs_valid_2_and_2>: public get_bpp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS> {};
+
+struct gen_bpp_txs_invalid_2_and_8_2_and_16_16_1 : public gen_bpp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bpp_txs_invalid_2_and_8_2_and_16_16_1>: public get_bpp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS> {};
+
+struct gen_bpp_txs_valid_2_and_3_and_2_and_4 : public gen_bpp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bpp_txs_valid_2_and_3_and_2_and_4>: public get_bpp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS> {};
+
+struct gen_bpp_tx_invalid_not_enough_proofs : public gen_bpp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bpp_tx_invalid_not_enough_proofs>: public get_bpp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS> {};
+
+struct gen_bpp_tx_invalid_empty_proofs : public gen_bpp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bpp_tx_invalid_empty_proofs>: public get_bpp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS> {};
+
+struct gen_bpp_tx_invalid_too_many_proofs : public gen_bpp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bpp_tx_invalid_too_many_proofs>: public get_bpp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS> {};
+
+struct gen_bpp_tx_invalid_wrong_amount : public gen_bpp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bpp_tx_invalid_wrong_amount>: public get_bpp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS> {};
+
+struct gen_bpp_tx_invalid_clsag_type : public gen_bpp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bpp_tx_invalid_clsag_type>: public get_bpp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS + 1> {};
diff --git a/tests/core_tests/bulletproofs.cpp b/tests/core_tests/bulletproofs.cpp
index c46b5e657..e7b42405b 100644
--- a/tests/core_tests/bulletproofs.cpp
+++ b/tests/core_tests/bulletproofs.cpp
@@ -158,7 +158,7 @@ bool gen_bp_tx_validation_base::generate_with(std::vector<test_event_entry>& eve
       crypto::derivation_to_scalar(derivation, o, amount_key);
       rct::key rct_tx_mask;
       const uint8_t type = rct_txes.back().rct_signatures.type;
-      if (type == rct::RCTTypeSimple || type == rct::RCTTypeBulletproof || type == rct::RCTTypeBulletproof2 || type == rct::RCTTypeCLSAG)
+      if (rct::is_rct_simple(type))
         rct::decodeRctSimple(rct_txes.back().rct_signatures, rct::sk2rct(amount_key), o, rct_tx_mask, hw::get_device("default"));
       else
         rct::decodeRct(rct_txes.back().rct_signatures, rct::sk2rct(amount_key), o, rct_tx_mask, hw::get_device("default"));
@@ -232,7 +232,7 @@ bool gen_bp_tx_invalid_1_1::generate(std::vector<test_event_entry>& events) cons
 {
   const size_t mixin = 10;
   const uint64_t amounts_paid[] = {5000, 5000, (uint64_t)-1};
-  const rct::RCTConfig rct_config[] = { { rct::RangeProofBulletproof , 0 } };
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofBulletproof , 3 } };
   return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_CLSAG, NULL, NULL);
 }
 
@@ -241,7 +241,7 @@ bool gen_bp_tx_valid_2::generate(std::vector<test_event_entry>& events) const
   const size_t mixin = 10;
   const uint64_t amounts_paid[] = {5000, 5000, (uint64_t)-1};
   const size_t bp_sizes[] = {2, (size_t)-1};
-  const rct::RCTConfig rct_config[] = { { rct::RangeProofPaddedBulletproof, 0 } };
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofPaddedBulletproof, 3 } };
   return generate_with(events, mixin, 1, amounts_paid, true, rct_config, HF_VERSION_CLSAG, NULL, [&](const cryptonote::transaction &tx, size_t tx_idx){ return check_bp(tx, tx_idx, bp_sizes, "gen_bp_tx_valid_2"); });
 }
 
@@ -250,7 +250,7 @@ bool gen_bp_tx_valid_3::generate(std::vector<test_event_entry>& events) const
   const size_t mixin = 10;
   const uint64_t amounts_paid[] = {5000, 5000, 5000, (uint64_t)-1};
   const size_t bp_sizes[] = {4, (size_t)-1};
-  const rct::RCTConfig rct_config[] = { { rct::RangeProofPaddedBulletproof , 0 } };
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofPaddedBulletproof, 3 } };
   return generate_with(events, mixin, 1, amounts_paid, true, rct_config, HF_VERSION_CLSAG, NULL, [&](const cryptonote::transaction &tx, size_t tx_idx){ return check_bp(tx, tx_idx, bp_sizes, "gen_bp_tx_valid_3"); });
 }
 
@@ -259,7 +259,7 @@ bool gen_bp_tx_valid_16::generate(std::vector<test_event_entry>& events) const
   const size_t mixin = 10;
   const uint64_t amounts_paid[] = {500, 500, 500, 500, 500, 500, 500, 500, 500, 500, 500, 500, 500, 500, 500, 500, (uint64_t)-1};
   const size_t bp_sizes[] = {16, (size_t)-1};
-  const rct::RCTConfig rct_config[] = { { rct::RangeProofPaddedBulletproof , 0 } };
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofPaddedBulletproof, 3 } };
   return generate_with(events, mixin, 1, amounts_paid, true, rct_config, HF_VERSION_CLSAG, NULL, [&](const cryptonote::transaction &tx, size_t tx_idx){ return check_bp(tx, tx_idx, bp_sizes, "gen_bp_tx_valid_16"); });
 }
 
@@ -267,7 +267,7 @@ bool gen_bp_tx_invalid_4_2_1::generate(std::vector<test_event_entry>& events) co
 {
   const size_t mixin = 10;
   const uint64_t amounts_paid[] = {1000, 1000, 1000, 1000, 1000, 1000, 1000, (uint64_t)-1};
-  const rct::RCTConfig rct_config[] = { { rct::RangeProofMultiOutputBulletproof , 0 } };
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofMultiOutputBulletproof, 3 } };
   return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_CLSAG, NULL, NULL);
 }
 
@@ -275,7 +275,7 @@ bool gen_bp_tx_invalid_16_16::generate(std::vector<test_event_entry>& events) co
 {
   const size_t mixin = 10;
   const uint64_t amounts_paid[] = {1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, (uint64_t)-1};
-  const rct::RCTConfig rct_config[] = { { rct::RangeProofMultiOutputBulletproof , 0 } };
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofMultiOutputBulletproof, 3 } };
   return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_CLSAG, NULL, NULL);
 }
 
@@ -284,7 +284,7 @@ bool gen_bp_txs_valid_2_and_2::generate(std::vector<test_event_entry>& events) c
   const size_t mixin = 10;
   const uint64_t amounts_paid[] = {1000, 1000, (size_t)-1, 1000, 1000, (uint64_t)-1};
   const size_t bp_sizes[] = {2, (size_t)-1, 2, (size_t)-1};
-  const rct::RCTConfig rct_config[] = { { rct::RangeProofPaddedBulletproof, 0 }, {rct::RangeProofPaddedBulletproof, 0 } };
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofPaddedBulletproof, 3 }, {rct::RangeProofPaddedBulletproof, 3 } };
   return generate_with(events, mixin, 2, amounts_paid, true, rct_config, HF_VERSION_CLSAG, NULL, [&](const cryptonote::transaction &tx, size_t tx_idx){ return check_bp(tx, tx_idx, bp_sizes, "gen_bp_txs_valid_2_and_2"); });
 }
 
@@ -292,7 +292,7 @@ bool gen_bp_txs_invalid_2_and_8_2_and_16_16_1::generate(std::vector<test_event_e
 {
   const size_t mixin = 10;
   const uint64_t amounts_paid[] = {1000, 1000, (uint64_t)-1, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, (uint64_t)-1, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, (uint64_t)-1};
-  const rct::RCTConfig rct_config[] = {{rct::RangeProofMultiOutputBulletproof, 0}, {rct::RangeProofMultiOutputBulletproof, 0}, {rct::RangeProofMultiOutputBulletproof, 0}};
+  const rct::RCTConfig rct_config[] = {{rct::RangeProofMultiOutputBulletproof, 3}, {rct::RangeProofMultiOutputBulletproof, 3}, {rct::RangeProofMultiOutputBulletproof, 3}};
   return generate_with(events, mixin, 3, amounts_paid, false, rct_config, HF_VERSION_CLSAG, NULL, NULL);
 }
 
@@ -300,7 +300,7 @@ bool gen_bp_txs_valid_2_and_3_and_2_and_4::generate(std::vector<test_event_entry
 {
   const size_t mixin = 10;
   const uint64_t amounts_paid[] = {11111115000, 11111115000, (uint64_t)-1, 11111115000, 11111115000, 11111115001, (uint64_t)-1, 11111115000, 11111115002, (uint64_t)-1, 11111115000, 11111115000, 11111115000, 11111115003, (uint64_t)-1};
-  const rct::RCTConfig rct_config[] = {{rct::RangeProofPaddedBulletproof, 0}, {rct::RangeProofPaddedBulletproof, 0}, {rct::RangeProofPaddedBulletproof, 0}, {rct::RangeProofPaddedBulletproof, 0}};
+  const rct::RCTConfig rct_config[] = {{rct::RangeProofPaddedBulletproof, 3}, {rct::RangeProofPaddedBulletproof, 3}, {rct::RangeProofPaddedBulletproof, 3}, {rct::RangeProofPaddedBulletproof, 3}};
   const size_t bp_sizes[] = {2, (size_t)-1, 4, (size_t)-1, 2, (size_t)-1, 4, (size_t)-1};
   return generate_with(events, mixin, 4, amounts_paid, true, rct_config, HF_VERSION_CLSAG, NULL, [&](const cryptonote::transaction &tx, size_t tx_idx) { return check_bp(tx, tx_idx, bp_sizes, "gen_bp_txs_valid_2_and_3_and_2_and_4"); });
 }
@@ -310,7 +310,7 @@ bool gen_bp_tx_invalid_not_enough_proofs::generate(std::vector<test_event_entry>
   DEFINE_TESTS_ERROR_CONTEXT("gen_bp_tx_invalid_not_enough_proofs");
   const size_t mixin = 10;
   const uint64_t amounts_paid[] = {5000, 5000, (uint64_t)-1};
-  const rct::RCTConfig rct_config[] = { { rct::RangeProofBulletproof, 0 } };
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofBulletproof, 3 } };
   return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_CLSAG, NULL, [&](cryptonote::transaction &tx, size_t idx){
     CHECK_TEST_CONDITION(tx.rct_signatures.type == rct::RCTTypeBulletproof || tx.rct_signatures.type == rct::RCTTypeBulletproof2 || tx.rct_signatures.type == rct::RCTTypeCLSAG);
     CHECK_TEST_CONDITION(!tx.rct_signatures.p.bulletproofs.empty());
@@ -325,7 +325,7 @@ bool gen_bp_tx_invalid_empty_proofs::generate(std::vector<test_event_entry>& eve
   DEFINE_TESTS_ERROR_CONTEXT("gen_bp_tx_invalid_empty_proofs");
   const size_t mixin = 10;
   const uint64_t amounts_paid[] = {50000, 50000, (uint64_t)-1};
-  const rct::RCTConfig rct_config[] = { { rct::RangeProofBulletproof, 0 } };
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofBulletproof, 3 } };
   return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_CLSAG, NULL, [&](cryptonote::transaction &tx, size_t idx){
     CHECK_TEST_CONDITION(tx.rct_signatures.type == rct::RCTTypeBulletproof || tx.rct_signatures.type == rct::RCTTypeBulletproof2 || tx.rct_signatures.type == rct::RCTTypeCLSAG);
     tx.rct_signatures.p.bulletproofs.clear();
@@ -338,7 +338,7 @@ bool gen_bp_tx_invalid_too_many_proofs::generate(std::vector<test_event_entry>&
   DEFINE_TESTS_ERROR_CONTEXT("gen_bp_tx_invalid_too_many_proofs");
   const size_t mixin = 10;
   const uint64_t amounts_paid[] = {10000, (uint64_t)-1};
-  const rct::RCTConfig rct_config[] = { { rct::RangeProofBulletproof, 0 } };
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofBulletproof, 3 } };
   return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_CLSAG, NULL, [&](cryptonote::transaction &tx, size_t idx){
     CHECK_TEST_CONDITION(tx.rct_signatures.type == rct::RCTTypeBulletproof || tx.rct_signatures.type == rct::RCTTypeBulletproof2 || tx.rct_signatures.type == rct::RCTTypeCLSAG);
     CHECK_TEST_CONDITION(!tx.rct_signatures.p.bulletproofs.empty());
@@ -352,7 +352,7 @@ bool gen_bp_tx_invalid_wrong_amount::generate(std::vector<test_event_entry>& eve
   DEFINE_TESTS_ERROR_CONTEXT("gen_bp_tx_invalid_wrong_amount");
   const size_t mixin = 10;
   const uint64_t amounts_paid[] = {10000, (uint64_t)-1};
-  const rct::RCTConfig rct_config[] = { { rct::RangeProofBulletproof, 0 } };
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofBulletproof, 3 } };
   return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_CLSAG, NULL, [&](cryptonote::transaction &tx, size_t idx){
     CHECK_TEST_CONDITION(tx.rct_signatures.type == rct::RCTTypeBulletproof || tx.rct_signatures.type == rct::RCTTypeBulletproof2 || tx.rct_signatures.type == rct::RCTTypeCLSAG);
     CHECK_TEST_CONDITION(!tx.rct_signatures.p.bulletproofs.empty());
@@ -366,7 +366,7 @@ bool gen_bp_tx_invalid_borromean_type::generate(std::vector<test_event_entry>& e
   DEFINE_TESTS_ERROR_CONTEXT("gen_bp_tx_invalid_borromean_type");
   const size_t mixin = 10;
   const uint64_t amounts_paid[] = {5000, 5000, (uint64_t)-1};
-  const rct::RCTConfig rct_config[] = { { rct::RangeProofBorromean, 0 } };
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofBorromean, 3 } };
   return generate_with(events, mixin, 1, amounts_paid, false, rct_config, 11, NULL, [&](cryptonote::transaction &tx, size_t tx_idx){
     return true;
   });
@@ -382,3 +382,14 @@ bool gen_bp_tx_invalid_bulletproof2_type::generate(std::vector<test_event_entry>
     return true;
   });
 }
+
+bool gen_bp_tx_invalid_clsag_type::generate(std::vector<test_event_entry>& events) const
+{
+  DEFINE_TESTS_ERROR_CONTEXT("gen_bp_tx_invalid_clsag_type");
+  const size_t mixin = 10;
+  const uint64_t amounts_paid[] = {5000, 5000, (uint64_t)-1};
+  const rct::RCTConfig rct_config[] = { { rct::RangeProofPaddedBulletproof, 3 } };
+  return generate_with(events, mixin, 1, amounts_paid, false, rct_config, HF_VERSION_BULLETPROOF_PLUS + 1, NULL, [&](cryptonote::transaction &tx, size_t tx_idx){
+    return true;
+  });
+}
diff --git a/tests/core_tests/bulletproofs.h b/tests/core_tests/bulletproofs.h
index b30d82e68..115ad49b5 100644
--- a/tests/core_tests/bulletproofs.h
+++ b/tests/core_tests/bulletproofs.h
@@ -211,3 +211,9 @@ struct gen_bp_tx_invalid_bulletproof2_type : public gen_bp_tx_validation_base
   bool generate(std::vector<test_event_entry>& events) const;
 };
 template<> struct get_test_options<gen_bp_tx_invalid_bulletproof2_type>: public get_bp_versioned_test_options<HF_VERSION_CLSAG + 1> {};
+
+struct gen_bp_tx_invalid_clsag_type : public gen_bp_tx_validation_base
+{
+  bool generate(std::vector<test_event_entry>& events) const;
+};
+template<> struct get_test_options<gen_bp_tx_invalid_clsag_type>: public get_bp_versioned_test_options<HF_VERSION_BULLETPROOF_PLUS + 1> {};
diff --git a/tests/core_tests/chaingen_main.cpp b/tests/core_tests/chaingen_main.cpp
index c55154917..c573eb995 100644
--- a/tests/core_tests/chaingen_main.cpp
+++ b/tests/core_tests/chaingen_main.cpp
@@ -265,6 +265,24 @@ int main(int argc, char* argv[])
     GENERATE_AND_PLAY(gen_bp_tx_invalid_wrong_amount);
     GENERATE_AND_PLAY(gen_bp_tx_invalid_borromean_type);
     GENERATE_AND_PLAY(gen_bp_tx_invalid_bulletproof2_type);
+    GENERATE_AND_PLAY(gen_bp_tx_invalid_clsag_type);
+
+    GENERATE_AND_PLAY(gen_bpp_tx_invalid_before_fork);
+    GENERATE_AND_PLAY(gen_bpp_tx_valid_at_fork);
+    GENERATE_AND_PLAY(gen_bpp_tx_invalid_1_1);
+    GENERATE_AND_PLAY(gen_bpp_tx_valid_2);
+    GENERATE_AND_PLAY(gen_bpp_tx_valid_3);
+    GENERATE_AND_PLAY(gen_bpp_tx_valid_16);
+    GENERATE_AND_PLAY(gen_bpp_tx_invalid_4_2_1);
+    GENERATE_AND_PLAY(gen_bpp_tx_invalid_16_16);
+    GENERATE_AND_PLAY(gen_bpp_txs_valid_2_and_2);
+    GENERATE_AND_PLAY(gen_bpp_txs_invalid_2_and_8_2_and_16_16_1);
+    GENERATE_AND_PLAY(gen_bpp_txs_valid_2_and_3_and_2_and_4);
+    GENERATE_AND_PLAY(gen_bpp_tx_invalid_not_enough_proofs);
+    GENERATE_AND_PLAY(gen_bpp_tx_invalid_empty_proofs);
+    GENERATE_AND_PLAY(gen_bpp_tx_invalid_too_many_proofs);
+    GENERATE_AND_PLAY(gen_bpp_tx_invalid_wrong_amount);
+    GENERATE_AND_PLAY(gen_bpp_tx_invalid_clsag_type);
 
     GENERATE_AND_PLAY(gen_rct2_tx_clsag_malleability);
 
diff --git a/tests/core_tests/chaingen_tests_list.h b/tests/core_tests/chaingen_tests_list.h
index db78c3e41..1a5489b9e 100644
--- a/tests/core_tests/chaingen_tests_list.h
+++ b/tests/core_tests/chaingen_tests_list.h
@@ -43,6 +43,7 @@
 #include "rct.h"
 #include "multisig.h"
 #include "bulletproofs.h"
+#include "bulletproof_plus.h"
 #include "rct2.h"
 /************************************************************************/
 /*                                                                      */
diff --git a/tests/core_tests/multisig.cpp b/tests/core_tests/multisig.cpp
index 73bc1f104..49ae86eb0 100644
--- a/tests/core_tests/multisig.cpp
+++ b/tests/core_tests/multisig.cpp
@@ -165,7 +165,7 @@ bool gen_multisig_tx_validation_base::generate_with(std::vector<test_event_entry
     account_base &account = n < inputs ? miner_account[creator] : miner_accounts[n];
     CHECK_AND_ASSERT_MES(generator.construct_block_manually(blocks[n], *prev_block, account,
         test_generator::bf_major_ver | test_generator::bf_minor_ver | test_generator::bf_timestamp | test_generator::bf_hf_version | test_generator::bf_max_outs,
-        10, 10, prev_block->timestamp + DIFFICULTY_BLOCKS_ESTIMATE_TIMESPAN * 2, // v2 has blocks twice as long
+        HF_VERSION_BULLETPROOF_PLUS, HF_VERSION_BULLETPROOF_PLUS, prev_block->timestamp + DIFFICULTY_BLOCKS_ESTIMATE_TIMESPAN * 2, // v2 has blocks twice as long
           crypto::hash(), 0, transaction(), std::vector<crypto::hash>(), 0, 1, 4),
         false, "Failed to generate block");
     events.push_back(blocks[n]);
@@ -181,7 +181,7 @@ bool gen_multisig_tx_validation_base::generate_with(std::vector<test_event_entry
       cryptonote::block blk;
       CHECK_AND_ASSERT_MES(generator.construct_block_manually(blk, blk_last, miner_accounts[0],
           test_generator::bf_major_ver | test_generator::bf_minor_ver | test_generator::bf_timestamp | test_generator::bf_hf_version | test_generator::bf_max_outs,
-          10, 10, blk_last.timestamp + DIFFICULTY_BLOCKS_ESTIMATE_TIMESPAN * 2, // v2 has blocks twice as long
+          HF_VERSION_BULLETPROOF_PLUS, HF_VERSION_BULLETPROOF_PLUS, blk_last.timestamp + DIFFICULTY_BLOCKS_ESTIMATE_TIMESPAN * 2, // v2 has blocks twice as long
           crypto::hash(), 0, transaction(), std::vector<crypto::hash>(), 0, 1, 4),
           false, "Failed to generate block");
       events.push_back(blk);
@@ -339,6 +339,11 @@ bool gen_multisig_tx_validation_base::generate_with(std::vector<test_event_entry
   td.amount = amount_paid;
   std::vector<tx_destination_entry> destinations;
   destinations.push_back(td);
+  cryptonote::account_base dummy;
+  dummy.generate();
+  td.addr = dummy.get_keys().m_account_address;
+  td.amount = 0;
+  destinations.push_back(td);
 
   if (pre_tx)
     pre_tx(sources, destinations);
@@ -353,7 +358,7 @@ bool gen_multisig_tx_validation_base::generate_with(std::vector<test_event_entry
 #endif
   std::vector<crypto::secret_key> additional_tx_secret_keys;
   auto sources_copy = sources;
-  r = construct_tx_and_get_tx_key(miner_account[creator].get_keys(), subaddresses, sources, destinations, boost::none, std::vector<uint8_t>(), tx, 0, tx_key, additional_tx_secret_keys, true, { rct::RangeProofPaddedBulletproof, 2 }, msoutp);
+  r = construct_tx_and_get_tx_key(miner_account[creator].get_keys(), subaddresses, sources, destinations, boost::none, std::vector<uint8_t>(), tx, 0, tx_key, additional_tx_secret_keys, true, { rct::RangeProofPaddedBulletproof, 0 }, msoutp);
   CHECK_AND_ASSERT_MES(r, false, "failed to construct transaction");
 
 #ifndef NO_MULTISIG
@@ -443,8 +448,10 @@ bool gen_multisig_tx_validation_base::generate_with(std::vector<test_event_entry
       crypto::secret_key scalar1;
       crypto::derivation_to_scalar(derivation, n, scalar1);
       rct::ecdhTuple ecdh_info = tx.rct_signatures.ecdhInfo[n];
-      rct::ecdhDecode(ecdh_info, rct::sk2rct(scalar1), tx.rct_signatures.type == rct::RCTTypeBulletproof2 || tx.rct_signatures.type == rct::RCTTypeCLSAG);
+      rct::ecdhDecode(ecdh_info, rct::sk2rct(scalar1), tx.rct_signatures.type == rct::RCTTypeBulletproof2 || tx.rct_signatures.type == rct::RCTTypeCLSAG || tx.rct_signatures.type == rct::RCTTypeBulletproofPlus);
       rct::key C = tx.rct_signatures.outPk[n].mask;
+      if (rct::is_rct_bulletproof_plus(tx.rct_signatures.type))
+        C = rct::scalarmult8(C);
       rct::addKeys2(Ctmp, ecdh_info.mask, ecdh_info.amount, rct::H);
       CHECK_AND_ASSERT_MES(rct::equalKeys(C, Ctmp), false, "Failed to decode amount");
       amount += rct::h2d(ecdh_info.amount);
diff --git a/tests/core_tests/multisig.h b/tests/core_tests/multisig.h
index 333c4fe38..c7376bf63 100644
--- a/tests/core_tests/multisig.h
+++ b/tests/core_tests/multisig.h
@@ -82,7 +82,7 @@ private:
 
 template<>
 struct get_test_options<gen_multisig_tx_validation_base> {
-  const std::pair<uint8_t, uint64_t> hard_forks[3] = {std::make_pair(1, 0), std::make_pair(10, 1), std::make_pair(0, 0)};
+  const std::pair<uint8_t, uint64_t> hard_forks[3] = {std::make_pair(1, 0), std::make_pair(HF_VERSION_BULLETPROOF_PLUS, 1), std::make_pair(0, 0)};
   const cryptonote::test_options test_options = {
     hard_forks, 0
   };
diff --git a/tests/core_tests/rct.cpp b/tests/core_tests/rct.cpp
index 6ce99e76e..035128177 100644
--- a/tests/core_tests/rct.cpp
+++ b/tests/core_tests/rct.cpp
@@ -133,7 +133,7 @@ bool gen_rct_tx_validation_base::generate_with_full(std::vector<test_event_entry
       crypto::secret_key amount_key;
       crypto::derivation_to_scalar(derivation, o, amount_key);
       const uint8_t type = rct_txes[n].rct_signatures.type;
-      if (type == rct::RCTTypeSimple || type == rct::RCTTypeBulletproof || type == rct::RCTTypeBulletproof2 || type == rct::RCTTypeCLSAG)
+      if (rct::is_rct_simple(type))
         rct::decodeRctSimple(rct_txes[n].rct_signatures, rct::sk2rct(amount_key), o, rct_tx_masks[o+n*4], hw::get_device("default"));
       else
         rct::decodeRct(rct_txes[n].rct_signatures, rct::sk2rct(amount_key), o, rct_tx_masks[o+n*4], hw::get_device("default"));
diff --git a/tests/core_tests/rct2.cpp b/tests/core_tests/rct2.cpp
index 8d7c4b3eb..4772be38c 100644
--- a/tests/core_tests/rct2.cpp
+++ b/tests/core_tests/rct2.cpp
@@ -158,7 +158,7 @@ bool gen_rct2_tx_validation_base::generate_with(std::vector<test_event_entry>& e
       crypto::derivation_to_scalar(derivation, o, amount_key);
       rct::key rct_tx_mask;
       const uint8_t type = rct_txes.back().rct_signatures.type;
-      if (type == rct::RCTTypeSimple || type == rct::RCTTypeBulletproof || type == rct::RCTTypeBulletproof2 || type == rct::RCTTypeCLSAG)
+      if (rct::is_rct_simple(type))
         rct::decodeRctSimple(rct_txes.back().rct_signatures, rct::sk2rct(amount_key), o, rct_tx_mask, hw::get_device("default"));
       else
         rct::decodeRct(rct_txes.back().rct_signatures, rct::sk2rct(amount_key), o, rct_tx_mask, hw::get_device("default"));
diff --git a/tests/performance_tests/CMakeLists.txt b/tests/performance_tests/CMakeLists.txt
index 542d204e0..e8810ff85 100644
--- a/tests/performance_tests/CMakeLists.txt
+++ b/tests/performance_tests/CMakeLists.txt
@@ -46,6 +46,7 @@ set(performance_tests_headers
   subaddress_expand.h
   range_proof.h
   bulletproof.h
+  bulletproof_plus.h
   crypto_ops.h
   sc_reduce32.h
   sc_check.h
diff --git a/tests/performance_tests/bulletproof_plus.h b/tests/performance_tests/bulletproof_plus.h
new file mode 100644
index 000000000..9aad61065
--- /dev/null
+++ b/tests/performance_tests/bulletproof_plus.h
@@ -0,0 +1,99 @@
+// Copyright (c) 2014-2020, The Monero Project
+// 
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+// 
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+// 
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+// 
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+// 
+// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
+
+#pragma once
+
+#include "ringct/rctSigs.h"
+#include "ringct/bulletproofs_plus.h"
+
+template<bool a_verify, size_t n_amounts>
+class test_bulletproof_plus
+{
+public:
+  static const size_t approx_loop_count = 100 / n_amounts;
+  static const size_t loop_count = (approx_loop_count >= 10 ? approx_loop_count : 10) / (a_verify ? 1 : 5);
+  static const bool verify = a_verify;
+
+  bool init()
+  {
+    proof = rct::bulletproof_plus_PROVE(std::vector<uint64_t>(n_amounts, 749327532984), rct::skvGen(n_amounts));
+    return true;
+  }
+
+  bool test()
+  {
+    bool ret = true;
+    if (verify)
+      ret = rct::bulletproof_plus_VERIFY(proof);
+    else
+      rct::bulletproof_plus_PROVE(std::vector<uint64_t>(n_amounts, 749327532984), rct::skvGen(n_amounts));
+    return ret;
+  }
+
+private:
+  rct::BulletproofPlus proof;
+};
+
+template<bool batch, size_t start, size_t repeat, size_t mul, size_t add, size_t N>
+class test_aggregated_bulletproof_plus
+{
+public:
+  static const size_t loop_count = 500 / (N * repeat);
+
+  bool init()
+  {
+    size_t o = start;
+    for (size_t n = 0; n < N; ++n)
+    {
+      for (size_t i = 0; i < repeat; ++i)
+        proofs.push_back(rct::bulletproof_plus_PROVE(std::vector<uint64_t>(o, 749327532984), rct::skvGen(o)));
+      o = o * mul + add;
+    }
+    return true;
+  }
+
+  bool test()
+  {
+    if (batch)
+    {
+        return rct::bulletproof_plus_VERIFY(proofs);
+    }
+    else
+    {
+      for (const rct::BulletproofPlus &proof: proofs)
+        if (!rct::bulletproof_plus_VERIFY(proof))
+          return false;
+      return true;
+    }
+  }
+
+private:
+  std::vector<rct::BulletproofPlus> proofs;
+};
diff --git a/tests/performance_tests/main.cpp b/tests/performance_tests/main.cpp
index e59bb52fd..a61d84bed 100644
--- a/tests/performance_tests/main.cpp
+++ b/tests/performance_tests/main.cpp
@@ -58,6 +58,7 @@
 #include "equality.h"
 #include "range_proof.h"
 #include "bulletproof.h"
+#include "bulletproof_plus.h"
 #include "crypto_ops.h"
 #include "multiexp.h"
 #include "sig_mlsag.h"
@@ -241,6 +242,26 @@ int main(int argc, char** argv)
   TEST_PERFORMANCE1(filter, p, test_range_proof, true);
   TEST_PERFORMANCE1(filter, p, test_range_proof, false);
 
+  TEST_PERFORMANCE2(filter, p, test_bulletproof_plus, true, 1); // 1 bulletproof_plus with 1 amount
+  TEST_PERFORMANCE2(filter, p, test_bulletproof_plus, false, 1);
+
+  TEST_PERFORMANCE2(filter, p, test_bulletproof_plus, true, 2); // 1 bulletproof_plus with 2 amounts
+  TEST_PERFORMANCE2(filter, p, test_bulletproof_plus, false, 2);
+
+  TEST_PERFORMANCE2(filter, p, test_bulletproof_plus, true, 15); // 1 bulletproof_plus with 15 amounts
+  TEST_PERFORMANCE2(filter, p, test_bulletproof_plus, false, 15);
+
+  TEST_PERFORMANCE6(filter, p, test_aggregated_bulletproof_plus, false, 2, 1, 1, 0, 4);
+  TEST_PERFORMANCE6(filter, p, test_aggregated_bulletproof_plus, true, 2, 1, 1, 0, 4); // 4 proofs, each with 2 amounts
+  TEST_PERFORMANCE6(filter, p, test_aggregated_bulletproof_plus, false, 8, 1, 1, 0, 4);
+  TEST_PERFORMANCE6(filter, p, test_aggregated_bulletproof_plus, true, 8, 1, 1, 0, 4); // 4 proofs, each with 8 amounts
+  TEST_PERFORMANCE6(filter, p, test_aggregated_bulletproof_plus, false, 1, 1, 2, 0, 4);
+  TEST_PERFORMANCE6(filter, p, test_aggregated_bulletproof_plus, true, 1, 1, 2, 0, 4); // 4 proofs with 1, 2, 4, 8 amounts
+  TEST_PERFORMANCE6(filter, p, test_aggregated_bulletproof_plus, false, 1, 8, 1, 1, 4);
+  TEST_PERFORMANCE6(filter, p, test_aggregated_bulletproof_plus, true, 1, 8, 1, 1, 4); // 32 proofs, with 1, 2, 3, 4 amounts, 8 of each
+  TEST_PERFORMANCE6(filter, p, test_aggregated_bulletproof_plus, false, 2, 1, 1, 0, 64);
+  TEST_PERFORMANCE6(filter, p, test_aggregated_bulletproof_plus, true, 2, 1, 1, 0, 64); // 64 proof, each with 2 amounts
+
   TEST_PERFORMANCE2(filter, p, test_bulletproof, true, 1); // 1 bulletproof with 1 amount
   TEST_PERFORMANCE2(filter, p, test_bulletproof, false, 1);
 
diff --git a/tests/unit_tests/CMakeLists.txt b/tests/unit_tests/CMakeLists.txt
index 556e0ec40..5f6b1e749 100644
--- a/tests/unit_tests/CMakeLists.txt
+++ b/tests/unit_tests/CMakeLists.txt
@@ -36,6 +36,7 @@ set(unit_tests_sources
   block_reward.cpp
   bootstrap_node_selector.cpp
   bulletproofs.cpp
+  bulletproofs_plus.cpp
   canonical_amounts.cpp
   chacha.cpp
   checkpoints.cpp
diff --git a/tests/unit_tests/bulletproofs.cpp b/tests/unit_tests/bulletproofs.cpp
index ee617938c..43a359a59 100644
--- a/tests/unit_tests/bulletproofs.cpp
+++ b/tests/unit_tests/bulletproofs.cpp
@@ -131,7 +131,7 @@ TEST(bulletproofs, multi_splitting)
     }
 
     rct::ctkeyV outSk;
-    rct::RCTConfig rct_config { rct::RangeProofPaddedBulletproof, 0 };
+    rct::RCTConfig rct_config { rct::RangeProofPaddedBulletproof, 4 };
     rct::rctSig s = rct::genRctSimple(rct::zero(), sc, destinations, inamounts, outamounts, available, mixRing, amount_keys, NULL, NULL, index, outSk, rct_config, hw::get_device("default"));
     ASSERT_TRUE(rct::verRctSimple(s));
     for (size_t i = 0; i < n_outputs; ++i)
diff --git a/tests/unit_tests/bulletproofs_plus.cpp b/tests/unit_tests/bulletproofs_plus.cpp
new file mode 100644
index 000000000..a64320233
--- /dev/null
+++ b/tests/unit_tests/bulletproofs_plus.cpp
@@ -0,0 +1,169 @@
+// Copyright (c) 2017-2020, The Monero Project
+// 
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+// 
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+// 
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+// 
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
+
+#include "gtest/gtest.h"
+
+#include "string_tools.h"
+#include "ringct/rctOps.h"
+#include "ringct/rctSigs.h"
+#include "ringct/bulletproofs_plus.h"
+#include "cryptonote_basic/blobdatatype.h"
+#include "cryptonote_basic/cryptonote_format_utils.h"
+#include "device/device.hpp"
+#include "misc_log_ex.h"
+
+TEST(bulletproofs_plus, valid_zero)
+{
+  rct::BulletproofPlus proof = bulletproof_plus_PROVE(0, rct::skGen());
+  ASSERT_TRUE(rct::bulletproof_plus_VERIFY(proof));
+}
+
+TEST(bulletproofs_plus, valid_max)
+{
+  rct::BulletproofPlus proof = bulletproof_plus_PROVE(0xffffffffffffffff, rct::skGen());
+  ASSERT_TRUE(rct::bulletproof_plus_VERIFY(proof));
+}
+
+TEST(bulletproofs_plus, valid_random)
+{
+  for (int n = 0; n < 8; ++n)
+  {
+    rct::BulletproofPlus proof = bulletproof_plus_PROVE(crypto::rand<uint64_t>(), rct::skGen());
+    ASSERT_TRUE(rct::bulletproof_plus_VERIFY(proof));
+  }
+}
+
+TEST(bulletproofs_plus, valid_multi_random)
+{
+  for (int n = 0; n < 8; ++n)
+  {
+    size_t outputs = 2 + n;
+    std::vector<uint64_t> amounts;
+    rct::keyV gamma;
+    for (size_t i = 0; i < outputs; ++i)
+    {
+      amounts.push_back(crypto::rand<uint64_t>());
+      gamma.push_back(rct::skGen());
+    }
+    rct::BulletproofPlus proof = bulletproof_plus_PROVE(amounts, gamma);
+    ASSERT_TRUE(rct::bulletproof_plus_VERIFY(proof));
+  }
+}
+
+TEST(bulletproofs_plus, valid_aggregated)
+{
+  static const size_t N_PROOFS = 8;
+  std::vector<rct::BulletproofPlus> proofs(N_PROOFS);
+  for (size_t n = 0; n < N_PROOFS; ++n)
+  {
+    size_t outputs = 2 + n;
+    std::vector<uint64_t> amounts;
+    rct::keyV gamma;
+    for (size_t i = 0; i < outputs; ++i)
+    {
+      amounts.push_back(crypto::rand<uint64_t>());
+      gamma.push_back(rct::skGen());
+    }
+    proofs[n] = bulletproof_plus_PROVE(amounts, gamma);
+  }
+  ASSERT_TRUE(rct::bulletproof_plus_VERIFY(proofs));
+}
+
+TEST(bulletproofs_plus, invalid_8)
+{
+  rct::key invalid_amount = rct::zero();
+  invalid_amount[8] = 1;
+  rct::BulletproofPlus proof = bulletproof_plus_PROVE(invalid_amount, rct::skGen());
+  ASSERT_FALSE(rct::bulletproof_plus_VERIFY(proof));
+}
+
+TEST(bulletproofs_plus, invalid_31)
+{
+  rct::key invalid_amount = rct::zero();
+  invalid_amount[31] = 1;
+  rct::BulletproofPlus proof = bulletproof_plus_PROVE(invalid_amount, rct::skGen());
+  ASSERT_FALSE(rct::bulletproof_plus_VERIFY(proof));
+}
+
+static const char * const torsion_elements[] =
+{
+  "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa",
+  "0000000000000000000000000000000000000000000000000000000000000000",
+  "26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85",
+  "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+  "26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05",
+  "0000000000000000000000000000000000000000000000000000000000000080",
+  "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a",
+};
+
+TEST(bulletproofs_plus, invalid_torsion)
+{
+  rct::BulletproofPlus proof = bulletproof_plus_PROVE(7329838943733, rct::skGen());
+  ASSERT_TRUE(rct::bulletproof_plus_VERIFY(proof));
+  for (const auto &xs: torsion_elements)
+  {
+    rct::key x;
+    ASSERT_TRUE(epee::string_tools::hex_to_pod(xs, x));
+    ASSERT_FALSE(rct::isInMainSubgroup(x));
+    for (auto &k: proof.V)
+    {
+      const rct::key org_k = k;
+      rct::addKeys(k, org_k, x);
+      ASSERT_FALSE(rct::bulletproof_plus_VERIFY(proof));
+      k = org_k;
+    }
+    for (auto &k: proof.L)
+    {
+      const rct::key org_k = k;
+      rct::addKeys(k, org_k, x);
+      ASSERT_FALSE(rct::bulletproof_plus_VERIFY(proof));
+      k = org_k;
+    }
+    for (auto &k: proof.R)
+    {
+      const rct::key org_k = k;
+      rct::addKeys(k, org_k, x);
+      ASSERT_FALSE(rct::bulletproof_plus_VERIFY(proof));
+      k = org_k;
+    }
+    const rct::key org_A = proof.A;
+    rct::addKeys(proof.A, org_A, x);
+    ASSERT_FALSE(rct::bulletproof_plus_VERIFY(proof));
+    proof.A = org_A;
+    const rct::key org_A1 = proof.A1;
+    rct::addKeys(proof.A1, org_A1, x);
+    ASSERT_FALSE(rct::bulletproof_plus_VERIFY(proof));
+    proof.A1 = org_A1;
+    const rct::key org_B = proof.B;
+    rct::addKeys(proof.B, org_B, x);
+    ASSERT_FALSE(rct::bulletproof_plus_VERIFY(proof));
+    proof.B = org_B;
+  }
+}