Bitcoin Q&A: What are Bulletproofs?

Zoltan asks, “What are Bulletproofs?
A team of researchers has published a paper titled
‘Bulletproofs: Short Proofs for
Confidential Transactions and More.’
It described Bulletproofs as a new non-
interactive zero knowledge proof protocol,
with very short proofs and without a trusted setup.
What does it mean? How does it work?
What will be the practical benefits?”
A highly technical question. Thank you for asking it,
Zoltan. Let me try to explain this as best I can.
Confidential transactions (CT) is an invention published
three years ago [by Gregory Maxwell] that allows you…
to encrypt the amount in a bitcoin transaction.
By encrypting the amounts, you can [hide]
a very important source of information…
[which] analytics companies can track.
In [answering] a previous question I mentioned CoinJoin,
where lots of people participate in a transaction.
One of the disadvantages of that is, unless you
are all trading approximately the same amount,
it is very easy to track which input belongs to
which output because of the amounts involved.
Confidential transactions is meant to be
used with coin mixing strategies to create…
anonymous and private bitcoin transactions,
whereby no one can track who is paying what to whom.
Confidential transactions encrypts the value so
you can’t see how much is being transacted.
If you use that together with mixing, you can’t really
tell which output corresponds to which inputs.
It makes for much more robust privacy.
You might be thinking, ‘if the amount is encrypted,
how do we know they didn’t spend money twice?’
‘How do we know they didn’t create new money
from nothing, [i.e. inflate the supply]?’
The technique that’s used in confidential transactions
is called a zero-knowledge proof,
where you prove something is true without
knowing some underlying information.
In the case of confidential transactions, you can use
a special type of math in the zero-knowledge proof,
to [show that] the amounts in the inputs
and outputs are equal and add up to zero,
without knowing what these amounts are.
This seems impossible [to a layperson]. The math, when
you read it, doesn’t make it seem any more possible.
It is quite confusing and very difficult to
understand. I don’t really understand it.
What I do understand is, if you encrypt
values in the inputs and the outputs,
you can then apply a proof that
says they cancel each other out.
The sum is zero, so you know there is an equal amount
of inputs and outputs; no new money was created.
The specific zero-knowledge proof used in
confidential transactions is called a range proof,
[where] you can prove that a number is within a
certain range without knowing what the number is.
Bulletproofs is in development because a problem
with non-interactive zero-knowledge proofs is that…
they tend to be very large [and]
use a large amount of data.
A confidential transaction containing these
non-interactive zero knowledge proofs…
could be 20 kilobytes, compared to a
normal transaction that is about 200 bytes.
That is not a very good trade-off.
You get a lot of privacy, but in return the capacity of
your blockchain just decreased tremendously,
because these transactions just
became a hundred times larger.
[The paper] is a very interesting read,
although you might find it challenging.
[The authors] achieved a much shorter proof,
[where] you can prove the amounts in the
inputs and outputs are within a range,
without using as much data and making very large
transactions, reducing the capacity of your blockchain.
It is a very incredible development in cryptography.
Once again, a demonstration that research in the Bitcoin
and the crypto ecosystem is pushing boundaries,
generating new cryptographic knowledge and
discoveries in [computer] science every single day.
As you asked, the practical benefits are that we can get
confidential transactions with much shorter proofs,
allowing us to encrypt the values, and gain greater
anonymity without transactions being enormous in size.
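The "inputs and outputs cancel each other out" check described above, as an added Python example that is not part of the original Q&A: it uses toy Pedersen commitments over a constructed small prime-order group (P, Q, G and H are assumed toy values, nothing like Bitcoin's real parameters), shows the verifier's balance check passing only when the hidden amounts sum to zero, and shows why that check alone is not enough and a range proof is also needed.

```python
import secrets

# Constructed toy parameters: far too small to be secure, chosen only so the
# arithmetic is easy to follow. In a real system log_G(H) must be unknown.
P = 2039  # safe prime, P = 2*Q + 1
Q = 1019  # prime order of the quadratic-residue subgroup of Z_P^*
G = 4     # 2^2 mod P: generator of that order-Q subgroup
H = 9     # 3^2 mod P: second generator, used for the blinding factor

def commit(value, blinding):
    """Pedersen commitment C = G^value * H^blinding mod P; hides value."""
    return pow(G, value, P) * pow(H, blinding, P) % P

def build_tx(input_values, output_values):
    """Sender side: commit to every amount with a fresh blinding factor and
    publish the 'excess' (difference of the blinding sums) so a verifier can
    check balance without learning any amount."""
    in_blind = [secrets.randbelow(Q) for _ in input_values]
    out_blind = [secrets.randbelow(Q) for _ in output_values]
    return {
        "inputs": [commit(v, r) for v, r in zip(input_values, in_blind)],
        "outputs": [commit(v, r) for v, r in zip(output_values, out_blind)],
        "excess": (sum(in_blind) - sum(out_blind)) % Q,
    }

def balance_check(tx):
    """Verifier side: prod(inputs) / prod(outputs) == H^excess holds exactly
    when sum(inputs) - sum(outputs) == 0 mod Q, because the G exponents
    cancel and only the H exponent (the excess) remains."""
    acc = 1
    for c in tx["inputs"]:
        acc = acc * c % P
    for c in tx["outputs"]:
        acc = acc * pow(c, -1, P) % P
    return acc == pow(H, tx["excess"], P)

if __name__ == "__main__":
    print(balance_check(build_tx([50, 30], [70, 10])))  # True: 80 in, 80 out
    print(balance_check(build_tx([50, 30], [70, 20])))  # False: 10 units created
    # Exponents live mod Q, so an output of Q-10 acts like "-10": 70 + (Q-10)
    # == 60 mod Q and the balance check passes although 1009 units appeared.
    # A range proof closes this hole by proving each amount lies in [0, 2^n).
    print(balance_check(build_tx([60], [70, Q - 10])))  # True: why range proofs exist
```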