Bulletproofs: Short Proofs for Confidential Transactions and More

@article{Bnz2018BulletproofsSP,
  title={Bulletproofs: Short Proofs for Confidential Transactions and More},
  author={Benedikt B{\"u}nz and Jonathan Bootle and Dan Boneh and Andrew Poelstra and Pieter Wuille and Gregory Maxwell},
  journal={2018 IEEE Symposium on Security and Privacy (SP)},
  year={2018},
  pages={315-334}
}
We propose Bulletproofs, a new non-interactive zero-knowledge proof protocol with very short proofs and without a trusted setup; the proof size is only logarithmic in the witness size. [] Key Method To aggregate proofs from multiple parties, we enable the parties to generate a single proof without revealing their inputs to each other via a simple multi-party computation (MPC) protocol for constructing Bulletproofs. This MPC protocol uses either a constant number of rounds and linear communication, or a…

Figures and Tables from this paper

Bulletproofs+: Shorter Proofs for a Privacy-Enhanced Distributed Ledger
TLDR
This paper presents a new short zero-knowledge argument, zk-WIP, which can achieve the shortest proof size of the proof system categories without a trusted setup and is superior to Bulletproofs in all aspects.
Efficient Range Proofs with Transparent Setup from Bounded Integer Commitments
TLDR
A new approach for constructing range proofs that leads to highly competitive range proofs under standard assumption, using less communication and (much) less computation than the state of the art methods, without relying on a trusted setup.
Short-lived zero-knowledge proofs and signatures
TLDR
The short-lived proof is introduced, a non-interactive proof of knowledge with a novel feature: after a specified period of time, the proof is no longer convincing, because of a time-delayed loss of soundness.
Leaking Arbitrarily Many Secrets: Any-out-of-Many Proofs and Applications to RingCT Protocols
TLDR
An improved version called bounded any-out-of-many proof is presented, which preserves all nice features of the original protocol such as high anonymity and logarithmic size, and indicates that the RingCT protocol is more efficient and secure than others.
Efficient and Post-Quantum Zero-Knowledge Proofs for Blockchain Confidential Transaction Protocols
TLDR
An inner-product based linear equation satisfiability approach for balance proofs with a wide range (e.g. 64-bit precision) and a ring signature scheme to hide a user’s identity in large anonymity sets is designed.
Bulletproofs++
  • Liam Eagen
  • Mathematics, Computer Science
    IACR Cryptol. ePrint Arch.
  • 2022
TLDR
This work describes several new range proofs that achieve both shorter proof sizes and witness lengths as well as a new confidential transaction protocol for multiple types of currency.
Curve Trees: Practical and Transparent Zero-Knowledge Accumulators
TLDR
This work proposes a new accumulator construction and efficient ways to prove knowledge of some element in a set without leaking anything about the element, and can construct a simple and concretely efficient anonymous cryptocurrency with full anonymity set.
Triptych: logarithmic-sized linkable ring signatures with applications
TLDR
Triptych is introduced, a family of linkable ring signatures without trusted setup that is based on generalizations of zero-knowledge proofs of knowledge of commitment openings to zero and shows that for anonymity set sizes practical for use in distributed protocols, TriptYch offers competitive performance with a straightforward construction.
Cuproof: Range Proof with Constant Size
TLDR
The Cuproof can make a range proof to show that a secret number v lies in an interval [a,b] with no exposure of the real value v or other extra information leakage about v and is a good and practical method to protect privacy and information security.
Designing efficient zero-knowledge proofs in the ideal linear commitment model
TLDR
The Ideal Linear Commitment model is shown to be a useful and effective abstraction for producing zero-knowledge protocols and its versatility is demonstrated by compiling the idealised protocols into real protocols under two completely different cryptographic assumptions; the discrete logarithm assumption and the existence of collision-resistant hash functions.
...
...

References

SHOWING 1-10 OF 77 REFERENCES
Delegating computation: interactive proofs for muggles
TLDR
This work shows how to construct short (polylog size) computationally sound non-interactive certificates of correctness for any log-space uniform NC computation, in the public-key model, and settles an open question regarding the expressive power of proof systems with such verifiers.
Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability
TLDR
This work gives computationally efficient zero-knowledge proofs of knowledge for arithmetic circuit satisfiability over a large field in an ideal linear commitment model where the prover may commit to secret vectors of field elements, and the verifier can receive certified linear combinations of those vectors.
Ligero: Lightweight Sublinear Arguments Without a Trusted Setup
TLDR
A simple zero-knowledge argument protocol for NP whose communication complexity is proportional to the square-root of the verification circuit size, which is attractive not only for very large verification circuits but also for moderately large circuits that arise in applications.
Efficient Non-interactive Proof Systems for Bilinear Groups
TLDR
The goal of this paper is to spread the use of non-interactive cryptographic proofs from mainly theoretical purposes to the large class of practical cryptographic protocols based on bilinear groups.
Efficient Protocols for Set Membership and Range Proofs
TLDR
Two new approaches to buildingset-membership proofs based on bilinear group assumptions are presented, and a discrete logarithm based setting, which is an order ofmagnitude more efficient than previously known ones.
A verifiable secret shuffle and its application to e-voting
  • C. A. Neff
  • Computer Science, Mathematics
    CCS '01
  • 2001
TLDR
A mathematical construct which provides a cryptographic protocol to verifiably shuffle a sequence of k modular integers is presented, and its application to secure, universally verifiable, multi-authority election schemes is discussed and shown to be honest-verifier zeroknowledge in a special case and in general.
Recursive composition and bootstrapping for SNARKS and proof-carrying data
TLDR
This work constructs the first fully-succinct publicly-verifiable SNARK, and recursively compose the SNARK to obtain a "weak" PCD system for shallow distributed computations, and uses the PCD framework to attain stronger notions of SNARKs and PCD systems.
Ring Confidential Transactions
TLDR
A new type of ring signature, A Multilayered Linkable Spontaneous Anonymous Group signature is described which allows one to include a Pedersen Commitment in a ring signature and results in a digital currency with hidden amounts, origins and destinations of transactions with reasonable efficiency and verifiable, trustless coin generation.
Compact E-Cash
TLDR
This paper presents efficient off-line anonymous e-cash schemes where a user can withdraw a wallet containing 2 coins each of which she can spend unlinkably, and offers exculpability of users, that is, the bank can prove to third parties that a user has double-spent.
An Efficient Noninteractive Zero-Knowledge Proof System for NP with General Assumptions
TLDR
It is shown how to prove that an n -gate circuit is satisfiable, with error probability 1/nO(1) , using only O(n lg n) random committed bits, which matches to within a constant factor the number of committed bits required by the most efficient known interactive proof systems.
...
...