Bulletproofs are designed to enable efficient confidential transactions in Bitcoin and other cryptocurrencies. Confidential transactions hide the amount that is transferred in the transaction. Every confidential transaction contains a cryptographic proof that the transaction is valid.
— Adam Back (@adam3us) January 31, 2018
Bulletproofs also have the advantage of reducing the size of the cryptographic proof from over 10 kB to less than 1 kB. In addition, Bulletproofs support proof aggregation. If all Bitcoin transactions were confidential and used Bulletproofs, then the total size of the blockchain would be only 17 GB, compared to 160 GB with the currently used proofs.
CT needs a soft fork and we will not have consensus for that.
There is a tricky technical issue with Bulletproofs. From the whitepaper:
Bulletproofs, like the range proofs currently used in confidential transactions, are computationally binding. An adversary that could break the discrete logarithm assumption could generate acceptable range proofs for a value outside the correct range…
…An adversary that can break the binding property of the commitment scheme or the soundness of the proof system can generate coins out of thin air and thus create uncontrolled but undetectable inflation rendering the currency useless…
…While the discrete logarithm assumption is believed to hold for classical computers, it does not hold against a quantum adversary.
Meaning: quantum computers could break Bulletproofs by creating silent inflation. This is fine for Monero or Mimblewimble, but this will not fly with Bitcoin developers.
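To make the "computationally binding" point concrete, here is an added toy example (not code from the post or from the Bulletproofs paper) of the Pedersen commitments that confidential transactions are built on. It uses a constructed small safe-prime group rather than Bitcoin's secp256k1, and it deliberately assumes the trapdoor x = log_g(h) is known, which is exactly what a discrete-log-breaking adversary would have: with it, a commitment can be opened to any amount, and the balance check passes while coins appear from nowhere.

```python
# Toy Pedersen commitments over a prime-order subgroup of Z_p^* with
# constructed parameters (a small safe prime, not Bitcoin's secp256k1).
# Shows the homomorphic balance check Confidential Transactions rely on,
# and why binding is only computational: whoever knows x = log_g(h)
# can open any commitment to any amount.
P = 1019                # safe prime: P = 2*Q + 1
Q = 509                 # order of the subgroup of quadratic residues
G = 4                   # 2^2 mod P is a quadratic residue, so it has order Q
TRAPDOOR_X = 123        # assumption: in a real system h is derived so nobody knows this
H = pow(G, TRAPDOOR_X, P)


def commit(value, blinding):
    """Pedersen commitment C = g^value * h^blinding (mod P)."""
    assert 0 <= value < Q and 0 <= blinding < Q
    return (pow(G, value, P) * pow(H, blinding, P)) % P


def balanced(input_commits, output_commits):
    """CT balance check on commitments only: the verifier never sees
    the amounts, it only checks that the products match."""
    prod_in = prod_out = 1
    for c in input_commits:
        prod_in = (prod_in * c) % P
    for c in output_commits:
        prod_out = (prod_out * c) % P
    return prod_in == prod_out


def honest_transaction():
    """Two inputs (10, 7) to two outputs (12, 5); the output blindings are
    chosen so they sum to the input blindings mod Q, as a CT wallet does."""
    r1, r2, s1 = 33, 58, 90
    s2 = (r1 + r2 - s1) % Q
    return [commit(10, r1), commit(7, r2)], [commit(12, s1), commit(5, s2)]


def open_to(value, blinding, new_value, x):
    """With the trapdoor x, find blinding' such that
    commit(new_value, blinding') == commit(value, blinding):
    the exponent value + x*blinding must be preserved mod Q."""
    return (blinding + (value - new_value) * pow(x, -1, Q)) % Q


def silent_inflation_demo(x):
    """Spend a 10-coin input into 10 + 5 coins. The extra 5-coin output is
    an opening of commit(0, 0) = 1, so the products still balance."""
    r_in = 77
    inputs = [commit(10, r_in)]
    r_fake = open_to(0, 0, 5, x)
    outputs = [commit(10, r_in), commit(5, r_fake)]
    return balanced(inputs, outputs), commit(5, r_fake), 10 + 5
```

Without the trapdoor, finding such a blinding is as hard as the discrete logarithm, which is why the scheme is binding against classical attackers but not against a quantum one.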
So will we see CT/Bulletproofs in Bitcoin, and if so, when? This may sound contradictory to this whole post, but I would speculate that in 3 to 10 years we will get some kind of sound amount hiding, call it Confidential Transactions, Bulletproofs, Mimblezeroringshuffleproofs or something else.
Photo: Bullet riddled sign Mojave Desert by John Loo