The team behind PIVX, an open source cryptocurrency focused on fast private transactions using the Zerocoin protocol, has announced the first implementation of Bulletproofs in the Zerocoin protocol; the code is now publicly available in the PIVX GitHub repository.
It was developed by the PIVX core development team (mainly Random Zebra and Furszy), with the cryptography work done by cryptographers Mary Maller and Jonathan Bootle; the signature of knowledge algorithm has been changed drastically to enable much smaller proof sizes.
This change results in significant reductions in Zerocoin transaction size and blockchain growth rate, and in improved verification time. The team says it “welcomes all auditors to review the code and will also follow up to ensure it gets third-party audits. Once the core wallet version 3.2 is released, this build can also be tested on our updated testnet.”
What’s the big deal?
The main goal of the project was to improve the efficiency and scalability of the Zerocoin protocol.
“In particular, we were aiming at reducing so-called “communication costs” (the amount of exchanged data in each session, which ultimately is data that is recorded forever into the blockchain). More specifically, each zerocoin spend transaction required more than 20 kB of space. It contains, among other things, two zero-knowledge proofs (the Accumulator Proof of Knowledge, which takes about 5 kB, and the second, the one we worked on, the Serial Number Signature of Knowledge, which took almost 14 kB).”
“PIVX worked on the latter and has re-modeled the problem as something known as an “arithmetic circuit.” Arithmetic circuits are a generalized method for describing problems from complexity theory. There is a wealth of zero-knowledge algorithms designed for proving knowledge of a solution to an arithmetic circuit in the cryptographic literature. We chose to use Bulletproofs because these are well suited to smaller circuits, such as ours, and are very efficient.”
Bulletproofs were invented by Bootle, Cerulli, Chaidos, Groth, and Petit and improved by Bünz, Bootle, Boneh, Poelstra and Maxwell.
As the Stanford site states:
- Bulletproofs are short non-interactive zero-knowledge proofs that require no trusted setup. A bulletproof can be used to convince a verifier that an encrypted plaintext is well formed. For example, prove that an encrypted number is in a given range, without revealing anything else about the number. Compared to SNARKs, Bulletproofs require no trusted setup. However, verifying a bulletproof takes more time than verifying a SNARK proof.
- Bulletproofs are designed to enable efficient confidential transactions in Bitcoin and other cryptocurrencies.
- Bulletproofs have many other applications in cryptographic protocols, such as shortening proofs of solvency, short verifiable shuffles, confidential smart contracts, and as a general drop-in replacement for Sigma-protocols.
It is believed that this is the first (and only) application of Bulletproofs to the Zerocoin protocol signature of knowledge.
With this technique, PIVX was able to shrink the size of the signature of knowledge from 14 kB to about 4 kB (a 71% reduction in communication costs), thus making the whole spend transaction half its previous size (about 10 kB). This was achieved while keeping performance (the time required to produce and verify the spend) comparable to, if not slightly better than, the old protocol, despite the increased complexity and computational cost.
The next iteration of the protocol, currently in development, will involve the Accumulator Proof of Knowledge and further improvements to the Serial Number Signature of Knowledge.