Bulletproofs, Rangeproofs & the quest for Confidential Transactions.
In another step towards greater privacy and protocol-level advances for cryptocurrencies, a team of researchers including Bitcoin Core developers Pieter Wuille and Greg Maxwell has recently released a paper outlining a zero-knowledge proof protocol entitled “Bulletproofs: Short Proofs for Confidential Transactions and More”. A zero-knowledge proof is a cryptographic protocol in which the validity of a statement is proven without revealing the underlying data. In cryptocurrencies their use is linked to privacy and fungibility: they provide a secure means of concealing sensitive transaction data, such as input and output amounts, on the public blockchain while still letting anyone verify that the transaction is valid.
The task of adding greater privacy to Bitcoin has presented a great challenge for cryptographers in the space since at least 2013. The Zerocoin paper released in May 2013, and BitcoinTalk threads initiated by both Adam Back and Gregory Maxwell later that year, all looked into practical ways to shield transaction data for greater privacy. 2014 saw the release of the Zerocash paper, a continuation of the work on Zerocoin, which led to the creation of the Zcash cryptocurrency with its shielded addresses. However, each of these designs has distinct drawbacks in either the size of the proof or the computation required to generate it. The zk-SNARKs used in Zcash rely on a trusted setup (anyone who obtained the secret parameters from that setup could forge proofs), and despite some efficiency gains, generating a proof requires significant computation on a system with a reasonable amount of RAM (~3GB). Zerocoin, on the other hand, requires a large amount of additional data to be committed to the blockchain, which would rapidly present a challenge at scale.
Bulletproofs are designed to enable confidential transactions in Bitcoin and other cryptocurrencies without adding a huge amount of additional data to the blockchain, with reasonable computational requirements and, unlike zk-SNARKs, without a trusted setup. They are essentially a more efficient version of the range proofs used in Greg Maxwell’s Confidential Transactions proposal. In Confidential Transactions the amounts of the inputs and outputs are hidden inside Pedersen commitments. Because these commitments are additively homomorphic, a verifier can check that the committed inputs sum to the committed outputs plus the fee without learning any of the amounts. That balance check alone is not enough, however: arithmetic on the commitments wraps around modulo the group order, so an attacker could create a “negative” output that cancels an inflated one and still balance. The range proof is the zero-knowledge component that shows each committed output lies within a valid range (for example 0 to 2^52 - 1 satoshis), ruling out such overflow. In simple terms, the proofs cryptographically ensure that a transaction creates no coins out of thin air, without revealing the amounts of the UTXOs involved.
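To make the balance check and the role of the range proof concrete, here is an added example in pure Python. It is not code from the Bulletproofs paper, from Confidential Transactions or from libsecp256k1. It builds Pedersen commitments on secp256k1, checks that a set of outputs balances against the inputs, and attaches a textbook bit-by-bit range proof assembled from Schnorr OR-proofs: the linear-size kind of proof that Bulletproofs compress. The real Confidential Transactions range proof uses a different construction (Borromean ring signatures), and the second generator H, the hash-to-curve tag, the Fiat-Shamir transcript and the transaction amounts below are this example’s own constructions.

```python
import hashlib, secrets
from functools import reduce

P = 2**256 - 2**32 - 977                      # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None                           # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P    # tangent slope (doubling)
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P   # chord slope
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):                            # double-and-add; scalars live in Z_N
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def hash_to_point(tag):
    """Second generator H with unknown log_G(H) via try-and-increment; the tag is this example's own choice."""
    x = int.from_bytes(hashlib.sha256(tag).digest(), "big") % P
    while True:
        y2 = (pow(x, 3, P) + 7) % P
        y = pow(y2, (P + 1) // 4, P)          # P % 4 == 3, so this is a root iff y2 is a square
        if y * y % P == y2:
            return (x, y)
        x += 1

H = hash_to_point(b"pedersen-H/added-example")
NEG_G = (G[0], P - G[1])

def commit(v, r):                             # Pedersen commitment C = v*G + r*H
    return ec_add(ec_mul(v, G), ec_mul(r, H))

def balances(in_commits, out_commits, fee):
    """CT balance check sum(in) == sum(out) + fee*G. It only proves the amounts and
    blindings cancel mod N: an output of N - k acts as -k, so range proofs are needed."""
    return reduce(ec_add, in_commits, None) == ec_add(reduce(ec_add, out_commits, None), ec_mul(fee, G))

def challenge(*points):                       # Fiat-Shamir: transcript points -> scalar
    h = hashlib.sha256()
    for pt in points:
        h.update(b"\0" * 64 if pt is None else pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % N

def prove_bit(C, b, r):
    """OR-proof that C = b*G + r*H with b in {0,1}: log_H(C) or log_H(C - G) is known; false branch simulated."""
    targets = (C, ec_add(C, NEG_G))
    e_sim, z_sim, k = (secrets.randbelow(N) for _ in range(3))
    A = [None, None]
    A[1 - b] = ec_add(ec_mul(z_sim, H), ec_mul(N - e_sim, targets[1 - b]))   # simulated branch
    A[b] = ec_mul(k, H)                                                       # honest branch
    e_real = (challenge(C, A[0], A[1]) - e_sim) % N
    z_real = (k + e_real * r) % N
    return (A[0], A[1], *((e_real, z_real, z_sim) if b == 0 else (e_sim, z_sim, z_real)))

def verify_bit(C, proof):
    A0, A1, e0, z0, z1 = proof
    e1 = (challenge(C, A0, A1) - e0) % N      # e0 + e1 must equal the hash challenge
    return (ec_mul(z0, H) == ec_add(A0, ec_mul(e0, C)) and
            ec_mul(z1, H) == ec_add(A1, ec_mul(e1, ec_add(C, NEG_G))))

def prove_range(v, r, nbits):
    """Textbook range proof for commit(v, r): a bit commitment per bit of v, blindings
    whose 2^i-weighted sum is r, and an OR-proof per bit. O(nbits) in size."""
    bits = [(v >> i) & 1 for i in range(nbits)]
    rs = [secrets.randbelow(N) for _ in range(nbits - 1)]
    rs.append((r - sum(ri << i for i, ri in enumerate(rs))) * pow(1 << (nbits - 1), -1, N) % N)
    return [(Ci := commit(b, ri), prove_bit(Ci, b, ri)) for b, ri in zip(bits, rs)]

def verify_range(C, proof):                   # every bit proof holds and sum(2^i * C_i) == C
    return (all(verify_bit(Ci, bp) for Ci, bp in proof) and
            reduce(ec_add, (ec_mul(1 << i, Ci) for i, (Ci, _) in enumerate(proof)), None) == C)

def demo(nbits=52):
    """Constructed scenario: one 10-coin input, fee 1. Honest outputs 7 + 2 balance; the
    dishonest pair 100 + (N - 91) also balances mod N (minting 90 coins) but fails the range proof."""
    r_in, r_a = secrets.randbelow(N), secrets.randbelow(N)
    r_b = (r_in - r_a) % N                    # output blindings must also sum to r_in
    inputs, results = [commit(10, r_in)], {}
    for name, outs in (("honest", [(7, r_a), (2, r_b)]), ("inflate", [(100, r_a), (N - 91, r_b)])):
        cs = [commit(v, r) for v, r in outs]
        ranges_ok = all(verify_range(c, prove_range(v, r, nbits)) for c, (v, r) in zip(cs, outs))
        results[name] = (balances(inputs, cs, 1), ranges_ok)
    return results

if __name__ == "__main__":
    print(demo())                             # {'honest': (True, True), 'inflate': (True, False)}
```

Running `demo()` shows the two halves of the argument: both output sets pass `balances`, because the commitment arithmetic cannot tell 100 + (N - 91) from 7 + 2, and only the range proof rejects the inflated set (its bit commitments sum to a commitment of N - 91 reduced to 52 bits, not to the output itself). Note what the proof costs: two points and three scalars for every one of the 52 bits of every output. That linear growth is what the excerpt below quantifies for the whole UTXO set, and what Bulletproofs reduce to a proof that grows only logarithmically in the number of bits.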
“At the time of writing, Bitcoin has roughly 50 million UTXOs from 22 million transactions. Using a 52-bit representation of bitcoin that can cover all values from 1 satoshi up to 21 million bitcoins, this results in roughly 160GB of range proof data using the current systems. Using aggregated Bulletproofs, the range proofs for all UTXOs would take less than 17GB, about a factor 10 reduction in size.”
Excerpt from the Bulletproofs paper (Bünz et al. 2018)
The efficiency gains offered by Bulletproofs certainly make them worthy of consideration for inclusion in active cryptocurrencies, and perhaps we will even see steps towards using Bulletproofs for confidential transactions on the Bitcoin blockchain sometime in the future. It is impressive to note the level of academic work being done on cryptographic principles which are now directly linked to the Bitcoin and cryptocurrency world. Some of the best minds in computer science and cryptography are working on the challenges facing Bitcoin as it continues to grow and develop.