CryptoDB
Bulletproofs++: Next Generation Confidential Transactions via Reciprocal Set Membership Arguments
Authors: |
|
---|---|
Download: |
|
Presentation: | Slides |
Conference: | EUROCRYPT 2024 |
Abstract: | Zero-knowledge proofs are a cryptographic cornerstone of privacy-preserving technologies such as “Confidential Transactions” (CT), which aims at hiding monetary amounts in cryptocurrency transactions. Due to its asymptotically logarithmic proof size and transparent setup, most state-of-the-art CT protocols use the Bulletproofs (BP) zero-knowledge proof system for set membership proofs such as range proofs. However, even taking into account recent efficiency improvements, BP comes with a serious overhead in terms of concrete proof size as well as verifier running time and thus puts a large burden on practical deployments of CT and its extensions. In this work, we introduce Bulletproofs++ (BP++), a drop-in replacement for BP that improves its concrete efficiency and compactness significantly. As for BP, the security of BP++ relies only on the hardness of the discrete logarithm problem in the random oracle model, and BP++ retains all features of Bulletproofs including transparent setup and support for proof aggregation, multi-party proving and batch verification. Asymptotically, BP++ range proofs require only O(n/ log n) group scalar multiplications compared to O(n) for BP and BP+. At the heart of our construction are novel techniques for permutation and set membership, enabling highly efficient proofs of statements encoded as arithmetic circuits. Concretely, a single BP++ range proof to establish that a committed value is in a 64-bit range (as commonly required by CT) is just 416 bytes over a 256-bit elliptic curve, 38% smaller than an equivalent BP and 27% smaller than BP+. When instantiated on the secp256k1 curve as used in Bitcoin, our benchmarks show that proving is about 5 times faster than BP and verification is about 3 times faster than BP+. When aggregating 32 range proofs, proving and verification are about 9.5 times and 5.5 times faster, respectively. |
BibTeX
@inproceedings{eurocrypt-2024-34002, title={Bulletproofs++: Next Generation Confidential Transactions via Reciprocal Set Membership Arguments}, publisher={Springer-Verlag}, doi={10.1007/978-3-031-58740-5_9}, author={Liam Eagen and Sanket Kanjalkar and Jonas Nick and Tim Ruffing}, year=2024 }