Confidential Transactions/Bulletproofs: The Elephant In The Room

In my previous article I illustrated why and how Confidential Transactions and Bulletproofs are revolutionary and how they will change Bitcoin for good. However, I conveniently ignored the elephant in the room, so in this article I must correct myself: as things stand today, these technologies will not get into Bitcoin.

Quick recap: Confidential Transactions (CT) hide the values in transaction outputs, and Bulletproofs make using CT almost practical. They need a soft fork, and we will not have consensus for that.

There is also a tricky technical issue with Bulletproofs. From the whitepaper:

Bulletproofs, like the range proofs currently used in confidential transactions, are computationally binding. An adversary that could break the discrete logarithm assumption could generate acceptable range proofs for a value outside the correct range…
…An adversary that can break the binding property of the commitment scheme or the soundness of the proof system can generate coins out of thin air and thus create uncontrolled but undetectable inflation rendering the currency useless…
…While the discrete logarithm assumption is believed to hold for classical computers, it does not hold against a quantum adversary.

Meaning: a quantum computer that can compute discrete logarithms could break the binding of the commitments behind Bulletproofs and create silent, undetectable inflation. This may be acceptable for experimental cryptocurrencies like Monero or Grin/Mimblewimble, but it will not fly with Bitcoin developers.
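To make the quoted point concrete, here is an added toy example (not from the Bulletproofs paper or any CT implementation). It uses a constructed, deliberately tiny prime-order group so that the discrete logarithm can be brute-forced, standing in for the quantum adversary; it then shows that once log_G(H) is known, the same Pedersen commitment opens to two different amounts and a homomorphic balance check still passes, which is exactly the "coins out of thin air" scenario.

```python
import hashlib

P = 2039   # constructed safe prime P = 2*Q + 1; toy size, never use for real
Q = 1019   # prime order of the quadratic-residue subgroup of Z_P^*
G = 4      # a quadratic residue, so it generates that order-Q subgroup

def derive_h() -> int:
    """Honest CT-style setup: H is derived by hashing so that nobody learns
    log_G(H); only the discrete logarithm assumption keeps it unknown."""
    x = int.from_bytes(hashlib.sha256(b"CT second generator").digest(), "big") % Q
    return pow(G, max(x, 1), P)

H = derive_h()

def commit(value: int, blinding: int) -> int:
    """Pedersen commitment G^value * H^blinding (the vG + rH of CT)."""
    return (pow(G, value % Q, P) * pow(H, blinding % Q, P)) % P

def verify_opening(c: int, value: int, blinding: int) -> bool:
    return commit(value, blinding) == c

def break_discrete_log(h: int) -> int:
    """Stand-in for a quantum (Shor) adversary: on this toy group log_G(h)
    falls to brute force in at most Q steps."""
    acc = 1
    for x in range(Q):
        if acc == h:
            return x
        acc = (acc * G) % P
    raise ValueError("h is not in the subgroup")

def equivocate(value: int, blinding: int, new_value: int, x: int) -> int:
    """Given x = log_G(H), reopen commit(value, blinding) to new_value:
    G^v H^r = G^v' H^r'  <=>  r' = r + (v - v') / x  (mod Q)."""
    return (blinding + (value - new_value) * pow(x, -1, Q)) % Q

def inflation_demo():
    """Turn an honest 100-unit UTXO into 1000 units without forging a proof."""
    c_in = commit(100, 777)                 # honest output worth 100
    x = break_discrete_log(H)               # the DL assumption falls
    r_fake = equivocate(100, 777, 1000, x)  # same element, now "worth" 1000
    # Spend it as 1000 split into 600 + 400 with blinding factors that sum
    # to r_fake; the verifier's homomorphic balance check still passes.
    r1 = 123
    outputs = commit(600, r1) * commit(400, r_fake - r1) % P
    return (verify_opening(c_in, 100, 777),
            verify_opening(c_in, 1000, r_fake),
            outputs == c_in)
```

Note that the range proofs on the 600 and 400 outputs would be entirely honest; the inflation comes purely from the commitment no longer binding, which is why the paper treats a discrete log break as fatal.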

Will we see Confidential Transactions with Bulletproofs in Bitcoin, and if so, when? I would speculate that in three to ten years we will get some kind of sound amount hiding, call it Confidential Transactions, Bulletproofs, MimbleZeroRingShuffleProofs or something else. I would be surprised if this is the end of the road. Luckily, progress in technology doesn’t tend to just stop.
If you are interested, you can read more about just how real this quantum computer attack on Bulletproofs is. TL;DR: real enough.