How Bulletproofs Could Make Bitcoin Privacy Less Costly
Bulletproofs, presented in a paper titled “Bulletproofs: Short Proofs for Confidential Transactions and More,” describe a new zero-knowledge proof system. The proposal uses on-chain scaling for privacy and suggests a new, faster and more compact way to verify privacy-enhancing Confidential Transactions (CTs). Specifically, Bulletproofs can decrease the size of these verifications for these types of transactions drastically. Furthermore, the authors of the paper — Stanford University’s Applied Cryptography Group, overseen by professor Dan Boneh — have already managed to create a practical implementation for Bulletproofs.
This is how it works.
Currently, all transaction information — such as wallet addresses and especially the sent amount of bitcoins — are visible on the Bitcoin blockchain. This affects the privacy of all users. If we wish to pay wages via the Bitcoin network, for example, this means that every salary will be visible on the blockchain network. This, in turn, could mean that someone (like your landlord) could look up how much money you’re making to try and increase your rent accordingly.
Confidential Transactions are much needed to bring any type of blockchain to a higher level of privacy. Confidential Transactions combine and utilize several cryptographic tricks so that only the sender and the receiver of a transaction are aware of the amount transacted. These cryptographic tricks let users obfuscate the amounts they are transacting while still allowing onlookers to perform math on the obfuscated amounts. Basically, anyone can still check that the sum of sent bitcoins is greater than the sum of received bitcoins.
Confidential Transactions are realized with “zero-knowledge proofs.” These proofs are best described as a method for proving to another party that a Confidential Transaction is valid without conveying any information about the Confidential Transaction itself.
However, as stated in the Bulletproofs paper: “Current proposals for CT zero-knowledge proofs have either been prohibitively large or required a trusted setup. Neither is desirable.”
First of all, if we have to prove multiple range proofs, which is the case for multisignature transactions, the complexity and size will scale in a linear fashion. For example, if the size of a single proof is 2 kB, two proofs are 4 kB, three proofs are 6 kB and so on.
Additionally, zero-knowledge proofs typically require a trusted setup: they must be initialized by some trusted authority. However, the security properties of the Bitcoin system don’t apply to that authority because in practice it means that the authority could produce fake “proofs.” These fake proofs could lead to uncontrolled and undetectable inflation.
Bulletproofs could solve these problems.
According to the paper, “In any distributed system where proofs are transmitted over a network or stored for a long time, short proofs reduce overall cost.”
Bulletproofs are claimed to be able to reduce the cryptographic proof significantly: from 8 kB to 734 bytes, though this depends on what the transaction looks like. Moreover, when dealing with multiple proofs, the size increases with just a few percent instead of this linear scaling. And in addition, Bulletproofs do not require a trusted setup.
Andrew Poelstra, contributor to the research paper and mathematician at Blockstream, believes that Bulletproofs are very practical: “We have already implemented a first version in the Bitcoin crypto library libsec256k1, which can verify proofs three and a half times faster than the verifier for the classic rangeproofs. It is a drop-in replacement for classic rangeproofs that does not affect other aspects of the system and is therefore very easy to integrate.”
Until now, Confidential Transactions were just a theoretical concept because they were so heavy to implement. With Bulletproofs, the implementation of Confidential Transactions on Bitcoin suddenly becomes more likely.