Bulletproofs: Short Proofs for Confidential Transactions and More

Bünz, Benedikt and Bootle, Jonathan and Boneh, Dan and Poelstra, Andrew and Wuille, Pieter and Maxwell, Greg Bulletproofs: Short Proofs for Confidential Transactions and More. Technical Report. Blockstream.

[img] Text
Bünz et al. - 2017 - Bulletproofs Short Proofs for Confidential Transa.pdf
Restricted to Registered users only
Download (583kB)

Abstract

We propose Bulletproofs, a new non-interactive zero-knowledge proof protocol with very short proofs and without a trusted setup; the proof size is only logarithmic in the witness size. Bulletproofs are especially well suited for eficient range proofs on committed values: they enable proving that a committed value is in a range using only 2 log2pnq n 9 group and field elements, where n is the bit length of the range. Proof generation and verification times are linear in n. Bulletproofs greatly improve on the linear (in n) sized range proofs in existing proposals for confidential transactions in Bitcoin and other cryptocurrencies. Moreover, Bulletproofs supports aggregation of range proofs, so that a party can prove that m commitments lie in a given range by providing only an additive Oplogpmqq group elements over the length of a single proof. To aggregate proofs from multiple parties, we enable the parties to generate a single proof without revealing their inputs to each other via a simple multi-party computation (MPC) protocol for constructing Bulletproofs. This MPC protocol uses either a constant number of rounds and linear communication, or a logarithmic number of rounds and logarithmic communication. We show that verification time, while asymptotically linear, is very eficient in practice. Moreover, the verification of multiple Bulletproofs can be batched for further speed-up. Concretely, the marginal time to verify an aggregation of 16 range proofs is about the same as the time to verify 16 ECDSA signatures. Bulletproofs build on the techniques of Bootle et al. (EUROCRYPT 2016). Beyond range proofs, Bulletproofs provide short zero-knowledge proofs for general arithmetic circuits while only relying on the discrete logarithm assumption and without requiring a trusted setup. We discuss many applications that would benefit from Bulletproofs, primarily in the area of cryptocurrencies. The eficiency of Bulletproofs is particularly well suited for the distributed and trustless nature of blockchains.

Item Type: Monograph (Technical Report)
Subjects: Main Topics > Bitcoin
Projects > BloSSom 2019
Main Topics > Crypto Currency
Main Topics > Security
Main Topics > Theory
Divisions: Computer Science
Depositing User: Unnamed user with email richard.dabels@uni-rostock.de
Date Deposited: 09 Sep 2019 15:25
Last Modified: 09 Sep 2019 15:25
URI: http://blossom.informatik.uni-rostock.de/id/eprint/102

Actions (login required)

View Item View Item
Blockchain is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.