Bulletproofs
A zero-knowledge proof system for range proofs that requires no trusted setup, used for confidential transaction amounts.
Key Takeaways
- Bulletproofs are short, zero-knowledge proofs that prove a committed value lies within a valid range without revealing the value itself. They require no trusted setup, relying only on the discrete logarithm assumption.
- Their primary application is confidential transactions: hiding transfer amounts while still proving that no coins were created from nothing. Monero and the Mimblewimble chains use them in production, and Blockstream is preparing a Bulletproofs++ upgrade for the Liquid sidechain.
- Bulletproofs produce logarithmically-sized proofs: a 64-bit range proof is only about 674 bytes, compared to several kilobytes with prior techniques. Successive versions have reduced this further, to 576 bytes (Bulletproofs+) and 416 bytes (Bulletproofs++).
What Are Bulletproofs?
Bulletproofs are a non-interactive zero-knowledge proof system designed primarily for efficient range proofs. A range proof demonstrates that a hidden (committed) value falls within a specified range, such as proving that a transaction amount lies in [0, 2^64) without revealing what the amount actually is. This capability is essential for confidential transactions, where balances must remain hidden yet verifiably valid.
The system was introduced in 2017 by Benedikt Bünz, Jonathan Bootle, Dan Boneh, Andrew Poelstra, Pieter Wuille, and Gregory Maxwell, and formally published at the IEEE Symposium on Security and Privacy (S&P) in 2018. The name "Bulletproofs" reflects the proofs being "bulletproof" in the sense that they are short, fast, and require no trusted setup: a notable advantage over proof systems like zk-SNARKs that depend on a structured reference string generated in a ceremony.
Before Bulletproofs, confidential transaction range proofs used Borromean ring signatures, which produced approximately 6 KB of data per output. Bulletproofs reduced this to under 1 KB, making confidential transactions practical for real-world blockchain use.
How It Works
Bulletproofs build on two cryptographic foundations: Pedersen commitments for hiding values, and an efficient inner-product argument for proving statements about those hidden values.
Pedersen Commitments and Range Proofs
A Pedersen commitment allows someone to commit to a value without revealing it. The commitment is perfectly hiding (reveals nothing about the value) and computationally binding (the committer cannot change the value later). In a confidential transaction, each output amount is replaced by a Pedersen commitment.
The problem: commitments alone do not prevent cheating. Committed values live in the scalar field of the group, so a malicious user could commit to a value that wraps around the group order (the equivalent of a negative amount); the homomorphic balance check would still pass, effectively creating coins from nothing. Range proofs solve this by proving that every committed value is non-negative and within a valid range, all without revealing the actual amount.
The Inner-Product Argument
The core innovation in Bulletproofs is an efficient inner-product argument. The prover needs to demonstrate that two committed vectors have a specific inner product, and the range statement is arranged so that it reduces to exactly such a claim. The protocol works through recursive halving:
- The prover commits to two vectors of length n whose inner product encodes the range proof statement
- At each round, the vectors are split into a low and a high half, and the prover sends two group elements (usually written L and R) that commit to the cross terms between the halves
- The verifier issues a random challenge x, and both parties fold each pair of halves into a single vector of half the length (one half weighted by x, the other by its inverse), so the statement shrinks but stays true
- After log2(n) rounds the vectors have length one, and the prover reveals the two remaining scalars for the verifier to check directly
This recursive structure is what produces the logarithmic proof size: each round halves the problem while adding only two group elements. Verification, however, remains linear in n, because the verifier must fold the full vectors of generators with the same challenges. The proof is made non-interactive using the Fiat-Shamir heuristic, which replaces the verifier's random challenges with hash function outputs over the transcript so far.
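The two mechanisms described above, Pedersen commitments with the confidential-transaction balance check and the recursive inner-product argument, carried through in working Python over secp256k1 (the curve the Bitcoin ecosystem uses). This is an added illustration written for this entry, not code from the Bulletproofs paper or from any deployed library: the curve arithmetic is a readable textbook implementation, the hash-to-point generator derivation and the Fiat-Shamir transcript layout are this example's own assumptions, and the amounts, blinding factors and vectors are constructed test data. Part 1 shows why a balance check alone is not enough; Part 2 is the inner-product argument with both prover and verifier, whose verifier also rejects the same proof replayed against a different inner product. It is not a full range proof: the bit-decomposition that turns a range statement into an inner product is not included.

```python
import functools, hashlib, itertools
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime (SEC 2)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,  # base point
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P (readable, not constant-time)."""
    if p1 is INF or p2 is INF:
        return p1 if p2 is INF else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if x1 == x2 else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc, k = INF, k % N
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

msm = lambda scalars, points: functools.reduce(add, (mul(s, p) for s, p in zip(scalars, points)), INF)  # <scalars, points>
ip = lambda u, v: sum(x * y for x, y in zip(u, v)) % N  # scalar inner product <u, v>

def hash_to_point(label):
    """NUMS generator (this demo's own try-and-increment, not a standard): hash label to x, lift to the curve."""
    for ctr in itertools.count():
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (x ** 3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # P = 3 mod 4, so one exponentiation gives the root
        if y * y % P == rhs:
            return x, y

# Part 1: Pedersen commitments balance homomorphically, so the CT balance check alone cannot
# tell a wrapped "negative" amount from a valid one. That gap is what range proofs close.
H = hash_to_point(b"pedersen-H")  # its dlog w.r.t. G is unknown to everyone, which binding requires

def commit(value, blind):
    """Pedersen commitment value*G + blind*H: perfectly hiding, computationally binding."""
    return add(mul(value, G), mul(blind, H))

def balance_demo():
    """Constructed tx, 100 in, two outs. Returns (60+40 balances?, 105+(-5 mod N) balances?)."""
    r_in, r1 = 0x1234, 0xABCD
    r2 = (r_in - r1) % N  # output blinds must sum to the input blind
    tx_in = commit(100, r_in)  # CT balance rule: sum(inputs) == sum(outputs)
    honest = tx_in == add(commit(60, r1), commit(40, r2))
    inflated = tx_in == add(commit(105, r1), commit(-5 % N, r2))  # also True: 5 units minted
    return honest, inflated

# Part 2: inner-product argument: log2(n) halving rounds, non-interactive via Fiat-Shamir.
enc = lambda pt: b"\0" * 64 if pt is INF else pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
def challenge(state, L, R):
    """Absorb this round's L and R into the running transcript, squeeze a nonzero scalar."""
    d = hashlib.sha256(state + enc(L) + enc(R)).digest()
    return d, int.from_bytes(d, "big") % N or 1

def fold(lo, hi, x, xi, pts=False):
    """Halve a vector elementwise to lo*x + hi*xi, on curve points (pts) or scalars."""
    return [add(mul(x, l), mul(xi, h)) if pts else (l * x + h * xi) % N for l, h in zip(lo, hi)]

def ipa_prove(P_commit, a, b, Gs, Hs, U):
    """Prove P_commit = <a,Gs> + <b,Hs> + <a,b>*U: emits log2(n) (L, R) pairs plus two final scalars."""
    state, rounds = b"ipa" + enc(P_commit), []  # bind the statement; omitting it is the weak-Fiat-Shamir bug
    while len(a) > 1:
        n = len(a) // 2
        L = add(add(msm(a[:n], Gs[n:]), msm(b[n:], Hs[:n])), mul(ip(a[:n], b[n:]), U))
        R = add(add(msm(a[n:], Gs[:n]), msm(b[:n], Hs[n:])), mul(ip(a[n:], b[:n]), U))
        state, x = challenge(state, L, R)
        xi = pow(x, -1, N)
        a, b = fold(a[:n], a[n:], x, xi), fold(b[:n], b[n:], xi, x)
        Gs, Hs = fold(Gs[:n], Gs[n:], xi, x, True), fold(Hs[:n], Hs[n:], x, xi, True)
        rounds.append((L, R))
    return rounds, a[0], b[0]

def ipa_verify(P_commit, proof, Gs, Hs, U):
    """Recompute challenges, fold generators (the O(n) step), check P' == a*G' + b*H' + a*b*U."""
    rounds, a, b = proof
    state, Pp = b"ipa" + enc(P_commit), P_commit
    for L, R in rounds:
        n = len(Gs) // 2
        state, x = challenge(state, L, R)
        xi = pow(x, -1, N)
        Pp = add(add(mul(x * x, L), Pp), mul(xi * xi, R))  # P' = P + sum(x_i^2 L_i + x_i^-2 R_i)
        Gs, Hs = fold(Gs[:n], Gs[n:], xi, x, True), fold(Hs[:n], Hs[n:], x, xi, True)
    return Pp == add(add(mul(a, Gs[0]), mul(b, Hs[0])), mul(a * b, U))

def ipa_demo(n=8):
    """n = 8: 3 rounds, 6 points + 2 scalars. Returns (rounds, honest accepted?, replay vs <a,b>+1 accepted?)."""
    Gs, Hs = [hash_to_point(b"G%d" % i) for i in range(n)], [hash_to_point(b"H%d" % i) for i in range(n)]
    U = hash_to_point(b"U")
    a, b = [3, 1, 4, 1, 5, 9, 2, 6][:n], [2, 7, 1, 8, 2, 8, 1, 8][:n]  # constructed secret vectors
    P_commit = add(add(msm(a, Gs), msm(b, Hs)), mul(ip(a, b), U))
    proof = ipa_prove(P_commit, a, b, Gs, Hs, U)
    return len(proof[0]), ipa_verify(P_commit, proof, Gs, Hs, U), ipa_verify(add(P_commit, U), proof, Gs, Hs, U)
```

balance_demo() returns (True, True): the honest split and the inflating split both pass the balance check, which is the whole case for range proofs. ipa_demo() returns (3, True, False): three rounds for n = 8, so the proof carries 6 points and 2 scalars in place of the 16 secret scalars, the honest proof verifies, and the same proof fails against a commitment to a different inner product. Note that the verifier's cost is dominated by folding the 2n generators, which is why verification is linear even though the proof is logarithmic.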
Proof Size and Aggregation
For a 64-bit range proof, a Bulletproof requires approximately 674 bytes: specifically, 2·log2(n) + 9 group and field elements, which for n = 64 is 21 elements of roughly 32 bytes each. This is dramatically smaller than the 6+ KB required by prior Borromean ring signature approaches.
Bulletproofs also support efficient aggregation. Proving that m committed values all lie within a valid range requires only 2·log2(m) additional group elements on top of a single proof (the aggregated proof has 2·log2(n·m) + 9 elements). This means a transaction with many outputs pays only a small marginal cost per additional output, rather than a full proof for each one.
Proof Size Comparison
| System | 64-bit Range Proof Size | Trusted Setup |
|---|---|---|
| Borromean ring signatures | ~6,000 bytes | No |
| Bulletproofs | ~674 bytes | No |
| Bulletproofs+ | 576 bytes | No |
| Bulletproofs++ | 416 bytes | No |
Use Cases
Confidential Transactions
The primary use case for Bulletproofs is enabling confidential transactions on blockchains. In a standard Bitcoin transaction, amounts are visible to anyone inspecting the blockchain, enabling chain analysis and reducing financial privacy. Confidential transactions replace plaintext amounts with Pedersen commitments, and Bulletproofs provide the range proofs needed to ensure no inflation occurs.
The verifier checks two things: that all committed output amounts sum correctly (inputs equal outputs plus fees), and that each committed amount falls within a valid range. Bulletproofs handle the second check efficiently enough for practical deployment.
The Liquid Network
The Liquid Network, Blockstream's Bitcoin sidechain for traders and institutions, uses confidential transactions by default. Every Liquid transaction hides both the asset type and the amount from third-party observers. The current implementation uses Borromean ring signatures for range proofs, but Blockstream is developing a Bulletproofs++ upgrade that would reduce range proof sizes by approximately 10x.
The planned Bulletproofs++ integration on Liquid would be implemented through Simplicity, Blockstream's smart contracting language, allowing any project built on Simplicity to benefit from the improved proofs.
Privacy Cryptocurrencies
Monero adopted Bulletproofs in October 2018, reducing typical two-output transaction sizes from approximately 13.2 KB to 2.5 KB: an 80% reduction. Transaction fees dropped by roughly 96% as a result. In August 2022, Monero upgraded to Bulletproofs+, achieving an additional 5-7% reduction in transaction size.
Mimblewimble-based protocols such as Grin and Beam also rely on Bulletproofs for their range proofs. Since Mimblewimble transactions are inherently confidential, efficient range proofs are critical to keeping the blockchain compact.
Bulletproofs+ and Bulletproofs++
Since the original Bulletproofs paper, two major improvements have been published:
Bulletproofs+ (2020)
Proposed by Chung, Han, Ju, Kim, and Seo, Bulletproofs+ introduces a weighted inner product argument that reduces proof size by approximately 15%. A 64-bit range proof shrinks from 674 bytes to 576 bytes. Computational costs for proving and verification remain comparable to the original. Monero deployed Bulletproofs+ in its August 2022 hard fork.
Bulletproofs++ (2022)
Developed by Eagen, Kanjalkar, Ruffing, and Nick at Blockstream Research, Bulletproofs++ was formally presented at Eurocrypt 2024. It introduces two key innovations:
- A norm argument replacing the inner-product argument, reducing verification time by approximately half
- A reciprocal argument for efficient set membership and permutation proofs, extending Bulletproofs beyond range proofs to more general statements
The results are significant: a 64-bit range proof is only 416 bytes (38% smaller than the original), verification is approximately 3x faster at roughly 0.9 ms per proof, and proving is approximately 5x faster at roughly 4 ms. Like the original, Bulletproofs++ requires no trusted setup and relies only on the discrete logarithm assumption.
Comparison with Other Zero-Knowledge Proof Systems
Bulletproofs occupy a specific niche in the zero-knowledge proof landscape. They are not the best choice for every application, but they excel at range proofs and other relatively small statements.
| Property | Bulletproofs | zk-SNARKs | zk-STARKs |
|---|---|---|---|
| Trusted setup | Not required | Typically required | Not required |
| Proof size | Small (~674 B) | Very small (smallest) | Large (largest) |
| Verification time | Linear in circuit size | Constant (fastest) | Polylogarithmic |
| Post-quantum secure | No | No | Yes |
| Assumption | Discrete logarithm | Pairings | Hash functions |
Bulletproofs are ideal for scenarios requiring compact proofs without a trusted setup, particularly range proofs on existing elliptic curve infrastructure like secp256k1. For large general-purpose computation, zk-SNARKs or zk-STARKs are typically more efficient because their verification time is sublinear in the statement size.
Why It Matters
Financial privacy is a fundamental property for any monetary system. On transparent blockchains like Bitcoin, every transaction amount is publicly visible, creating risks for both individuals and businesses. Bulletproofs provide the cryptographic foundation for hiding amounts without sacrificing verifiability: a critical building block for privacy-preserving payment systems.
For Bitcoin Layer 2 protocols and sidechains, confidential transactions powered by Bulletproofs enable private value transfers without the overhead of full general-purpose zero-knowledge circuits. As Bulletproofs++ continues to reduce proof sizes and verification costs, confidential transactions become increasingly practical for high-throughput systems. For a deeper comparison of Bitcoin scaling approaches, see the Bitcoin Layer 2 comparison.
Risks and Considerations
Verification Cost
While Bulletproofs produce small proofs, verification time scales linearly with the statement size. For range proofs this is manageable (a 64-bit range proof verifies in under a millisecond with Bulletproofs++), but for large general circuits, the linear verification cost becomes prohibitive compared to zk-SNARKs with constant-time verification.
Quantum Vulnerability
Bulletproofs rely on the hardness of the discrete logarithm problem, which is broken by a quantum computer running Shor's algorithm. The perfect hiding of the Pedersen commitments is unaffected, but a sufficiently powerful quantum computer could break their binding property, potentially allowing undetectable inflation in confidential transaction systems. Research into lattice-based alternatives is ongoing but not yet production-ready. For more on quantum threats, see post-quantum cryptography and Bitcoin.
Regulatory Considerations
Confidential transactions complicate chain analysis and may conflict with KYC/AML regulations in some jurisdictions. While Bulletproofs are a neutral cryptographic tool, their primary application of hiding transaction amounts raises compliance questions for regulated entities.
Implementation Complexity
Bulletproofs involve non-trivial cryptographic operations: multi-round inner-product arguments, careful challenge generation via Fiat-Shamir, and group arithmetic on elliptic curves. Implementation bugs can lead to soundness failures (accepting invalid proofs, for example when the Fiat-Shamir transcript does not bind every public input of the statement being proved) or privacy leaks (revealing committed values). Production deployments require extensive auditing and typically rely on well-tested libraries rather than custom implementations.
This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.