ACE Seminar: Bulletproofs: Short Proofs for Confidential Transactions and More

Speaker: Benedikt Bünz

Date/Time: 14-Dec-2017, 16:00 UTC

Venue: Roberts 508



Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup. A bulletproof can be used to convince a verifier that an encrypted plaintext is well formed. For example, it can prove that an encrypted number is in a given range, without revealing anything else about the number. Compared to SNARKs, Bulletproofs require no trusted setup. However, verifying a bulletproof is more time-consuming than verifying a SNARK proof. Bulletproofs are designed to enable efficient confidential transactions in Bitcoin and other cryptocurrencies. Confidential transactions hide the amount that is transferred in the transaction. Every confidential transaction contains a cryptographic proof that the transaction is valid. Bulletproofs shrink the size of the cryptographic proof from over 10 kB to less than 1 kB. Moreover, bulletproofs support proof aggregation, so that proving that m transaction values are valid adds only O(log(m)) additional elements to the size of a single proof. If all Bitcoin transactions were confidential and used Bulletproofs, then the total size of the blockchain would be only 17 GB, compared to 160 GB with the currently used proofs. Bulletproofs have many other applications in cryptographic protocols, such as shortening proofs of solvency, short verifiable shuffles, confidential smart contracts, and as a general drop-in replacement for Sigma-protocols. Joint work with Jonathan Bootle, Dan Boneh, Andrew Poelstra, Pieter Wuille, Greg Maxwell.


Benedikt Bünz is a second-year PhD student at Stanford. He is advised by Dan Boneh and his research focuses on the cryptography of cryptocurrencies. He has worked on zero-knowledge proofs, randomness beacons and light clients.


This page was last modified on 27 Mar 2014.