# Bulletproofs: Short Proofs for Confidential Transactions and More

@article{Bnz2018BulletproofsSP, title={Bulletproofs: Short Proofs for Confidential Transactions and More}, author={Benedikt B{\"u}nz and Jonathan Bootle and Dan Boneh and Andrew Poelstra and Pieter Wuille and Gregory Maxwell}, journal={2018 IEEE Symposium on Security and Privacy (SP)}, year={2018}, pages={315-334} }

We propose Bulletproofs, a new non-interactive zero-knowledge proof protocol with very short proofs and without a trusted setup; the proof size is only logarithmic in the witness size. [... ] Key Method To aggregate proofs from multiple parties, we enable the parties to generate a single proof without revealing their inputs to each other via a simple multi-party computation (MPC) protocol for constructing Bulletproofs. This MPC protocol uses either a constant number of rounds and linear communication, or a… Expand

## 491 Citations

Bulletproofs+: Shorter Proofs for a Privacy-Enhanced Distributed Ledger

- Computer Science, MathematicsIEEE Access
- 2022

This paper presents a new short zero-knowledge argument, zk-WIP, which can achieve the shortest proof size of the proof system categories without a trusted setup and is superior to Bulletproofs in all aspects.

Efficient Range Proofs with Transparent Setup from Bounded Integer Commitments

- Mathematics, Computer ScienceIACR Cryptol. ePrint Arch.
- 2021

A new approach for constructing range proofs that leads to highly competitive range proofs under standard assumption, using less communication and (much) less computation than the state of the art methods, without relying on a trusted setup.

Leaking Arbitrarily Many Secrets: Any-out-of-Many Proofs and Applications to RingCT Protocols

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2021

An improved version called bounded any-out-of-many proof is presented, which preserves all nice features of the original protocol such as high anonymity and logarithmic size, and indicates that the RingCT protocol is more efficient and secure than others.

Efficient and Post-Quantum Zero-Knowledge Proofs for Blockchain Confidential Transaction Protocols

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2021

An inner-product based linear equation satisﬁability approach for balance proofs with a wide range (e.g. 64-bit precision) and a ring signature scheme to hide a user’s identity in large anonymity sets is designed.

Bulletproofs++

- Mathematics, Computer ScienceIACR Cryptol. ePrint Arch.
- 2022

This work describes several new range proofs that achieve both shorter proof sizes and witness lengths as well as a new conﬁdential transaction protocol for multiple types of currency.

Triptych: logarithmic-sized linkable ring signatures with applications

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2020

Triptych is introduced, a family of linkable ring signatures without trusted setup that is based on generalizations of zero-knowledge proofs of knowledge of commitment openings to zero and shows that for anonymity set sizes practical for use in distributed protocols, TriptYch offers competitive performance with a straightforward construction.

Cuproof: Range Proof with Constant Size

- Mathematics, Computer ScienceEntropy
- 2022

The Cuproof can make a range proof to show that a secret number v lies in an interval [a,b] with no exposure of the real value v or other extra information leakage about v and is a good and practical method to protect privacy and information security.

Designing efficient zero-knowledge proofs in the ideal linear commitment model

- Computer Science, Mathematics
- 2019

The Ideal Linear Commitment model is shown to be a useful and effective abstraction for producing zero-knowledge protocols and its versatility is demonstrated by compiling the idealised protocols into real protocols under two completely different cryptographic assumptions; the discrete logarithm assumption and the existence of collision-resistant hash functions.

Curve Trees: Practical and Transparent Zero-Knowledge Accumulators

- Computer Science, Mathematics
- 2022

This work proposes a new accumulator construction and efficient ways to prove knowledge of some element in a set without leaking anything about the element, and can construct a simple and concretely efficient anonymous cryptocurrency with full anonymity set.

Efficient Set Membership Proofs using MPC-in-the-Head

- Mathematics, Computer ScienceIACR Cryptol. ePrint Arch.
- 2021

This work develops a new technique for efficiently adding logarithmic-sized set membership proofs to any MPC-in-the-head based zero-knowledge protocol and integrates it into an open source implementation of the state-of theart, post quantum secure zero- knowledge protocol of Katz et al.

## References

SHOWING 1-10 OF 77 REFERENCES

Delegating computation: interactive proofs for muggles

- Computer Science, MathematicsSTOC
- 2008

This work shows how to construct short (polylog size) computationally sound non-interactive certificates of correctness for any log-space uniform NC computation, in the public-key model, and settles an open question regarding the expressive power of proof systems with such verifiers.

Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2017

This work gives computationally efficient zero-knowledge proofs of knowledge for arithmetic circuit satisfiability over a large field in an ideal linear commitment model where the prover may commit to secret vectors of field elements, and the verifier can receive certified linear combinations of those vectors.

Ligero: Lightweight Sublinear Arguments Without a Trusted Setup

- Computer Science, MathematicsCCS
- 2017

A simple zero-knowledge argument protocol for NP whose communication complexity is proportional to the square-root of the verification circuit size, which is attractive not only for very large verification circuits but also for moderately large circuits that arise in applications.

Efficient Non-interactive Proof Systems for Bilinear Groups

- Mathematics, Computer ScienceEUROCRYPT
- 2008

The goal of this paper is to spread the use of non-interactive cryptographic proofs from mainly theoretical purposes to the large class of practical cryptographic protocols based on bilinear groups.

Efficient Protocols for Set Membership and Range Proofs

- Computer Science, MathematicsASIACRYPT
- 2008

Two new approaches to buildingset-membership proofs based on bilinear group assumptions are presented, and a discrete logarithm based setting, which is an order ofmagnitude more efficient than previously known ones.

A verifiable secret shuffle and its application to e-voting

- Computer Science, MathematicsCCS '01
- 2001

A mathematical construct which provides a cryptographic protocol to verifiably shuffle a sequence of k modular integers is presented, and its application to secure, universally verifiable, multi-authority election schemes is discussed and shown to be honest-verifier zeroknowledge in a special case and in general.

Recursive composition and bootstrapping for SNARKS and proof-carrying data

- Computer Science, MathematicsSTOC '13
- 2013

This work constructs the first fully-succinct publicly-verifiable SNARK, and recursively compose the SNARK to obtain a "weak" PCD system for shallow distributed computations, and uses the PCD framework to attain stronger notions of SNARKs and PCD systems.

Ring Confidential Transactions

- Computer Science, MathematicsLedger
- 2016

A new type of ring signature, A Multilayered Linkable Spontaneous Anonymous Group signature is described which allows one to include a Pedersen Commitment in a ring signature and results in a digital currency with hidden amounts, origins and destinations of transactions with reasonable efficiency and verifiable, trustless coin generation.

Compact E-Cash

- Computer Science, MathematicsEUROCRYPT
- 2005

This paper presents efficient off-line anonymous e-cash schemes where a user can withdraw a wallet containing 2 coins each of which she can spend unlinkably, and offers exculpability of users, that is, the bank can prove to third parties that a user has double-spent.

An Efficient Noninteractive Zero-Knowledge Proof System for NP with General Assumptions

- Computer Science, MathematicsJournal of Cryptology
- 1998

It is shown how to prove that an n -gate circuit is satisfiable, with error probability 1/nO(1) , using only O(n lg n) random committed bits, which matches to within a constant factor the number of committed bits required by the most efficient known interactive proof systems.