International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Bulletproofs++: Next Generation Confidential Transactions via Reciprocal Set Membership Arguments

Authors:
Liam Eagen , Blockstream Research
Sanket Kanjalkar , Blockstream Research
Jonas Nick , Blockstream Research
Tim Ruffing , Blockstream Research
Download:
DOI: 10.1007/978-3-031-58740-5_9 (login may be required)
Search ePrint
Search Google
Presentation: Slides
Conference: EUROCRYPT 2024
Abstract: Zero-knowledge proofs are a cryptographic cornerstone of privacy-preserving technologies such as “Confidential Transactions” (CT), which aims at hiding monetary amounts in cryptocurrency transactions. Due to its asymptotically logarithmic proof size and transparent setup, most state-of-the-art CT protocols use the Bulletproofs (BP) zero-knowledge proof system for set membership proofs such as range proofs. However, even taking into account recent efficiency improvements, BP comes with a serious overhead in terms of concrete proof size as well as verifier running time and thus puts a large burden on practical deployments of CT and its extensions. In this work, we introduce Bulletproofs++ (BP++), a drop-in replacement for BP that improves its concrete efficiency and compactness significantly. As for BP, the security of BP++ relies only on the hardness of the discrete logarithm problem in the random oracle model, and BP++ retains all features of Bulletproofs including transparent setup and support for proof aggregation, multi-party proving and batch verification. Asymptotically, BP++ range proofs require only O(n/ log n) group scalar multiplications compared to O(n) for BP and BP+. At the heart of our construction are novel techniques for permutation and set membership, enabling highly efficient proofs of statements encoded as arithmetic circuits. Concretely, a single BP++ range proof to establish that a committed value is in a 64-bit range (as commonly required by CT) is just 416 bytes over a 256-bit elliptic curve, 38% smaller than an equivalent BP and 27% smaller than BP+. When instantiated on the secp256k1 curve as used in Bitcoin, our benchmarks show that proving is about 5 times faster than BP and verification is about 3 times faster than BP+. When aggregating 32 range proofs, proving and verification are about 9.5 times and 5.5 times faster, respectively.
BibTeX
@inproceedings{eurocrypt-2024-34002,
  title={Bulletproofs++: Next Generation Confidential Transactions via Reciprocal Set Membership Arguments},
  publisher={Springer-Verlag},
  doi={10.1007/978-3-031-58740-5_9},
  author={Liam Eagen and Sanket Kanjalkar and Jonas Nick and Tim Ruffing},
  year=2024
}