Monero Bulletproof Hardfork Explained (Updated)

Monero fees plummet to a couple of cents, as the privacy-centric cryptocurrency releases Beryllium Bullet, a highly anticipated system-wide software upgrade. The core change in Monero 0.13.0 includes the introduction of bulletproofs, a breakthrough cryptographic technology that restructures the verification of Confidential Transactions, the technique that helps Monero obfuscate transacted amounts

Last week Monero introduced a major upgrade called Beryllium Bullet. Since the hardfork the average fee has gone down from about 60 cents per transaction to measly 2 cents. Along with the fees, the average XMR transaction size has dropped from 18Kb to 3Kb, according to This is the result of a major change in the restructuring of the verification of Confidential Transactions, a method whereby Monero hides transaction amounts. The new technique is called Bulletproofs, a highly sophisticated cryptographic technology that prior to the hardfork was only conceptual.

Confidential Transactions

Monero uses three separate techniques to provide its users with a high level of anonymity. Ring signatures hide the sender’s address by mixing their signature with other past signatures and forming a unified group signature, so an outside observer cannot tell for sure who among the signers of the transaction is the true sender. Stealth addresses are a rather sophisticated approach to hiding the recipient’s address. If the recipient chooses to stay hidden, they can have the sender transfer funds to a stealth address which is visible to anyone in the network but only the transacting parties can make out the information associated with the stealth address.

Finally, Confidential Transactions (CTs) are special transactions with hidden amounts. CTs encode the inputs and outputs of the transaction by way of Pedersen Commitments which the network can still verify. A Pedersen Commitment is a special equation in which the sum of the inputs of the transaction is multiplied by a big number on one side and the sum of the outputs is multiplied by the same big number on the other side. These big numbers are called blinding factors. Pedersen commitments allow the network to verify that the sum of the transaction inputs equals the sum of its outputs without actually knowing the amount. The sender must also provide a range proof, the proof that the amount the sender commits to is a positive number. Otherwise, committing to a negative number would create new coins out of thin air, i.e. Alice sending -5 bitcoins to Bob means Alice receiving 5 bitcoins out of nothing. The dramatically simplified equation of the Pedersen Commitment looks something like this:

(a+b+c) ⋅ y = (d+e) ⋅ y,

where a, b and c are inputs, d and e are outputs, and y is the blinding factor. So if Alice sends 8 bitcoins to Bob, her commitment may look like this,

(1+3+6) ⋅ 17 = (8+2) ⋅ 17,

where 1, 3 and 6 are bitcoins taken from past transactions by which she received 10 bitcoins, 8 is the output going to Bob, 2 is the change going back to Alice, and 17 is the blinding factor. Note that we used such a small number as our blinding factor to avoid overcomplicating the example. At the same time, the network sees this commitment like this,

170 = 170,

because the network doesn’t know the blinding factor but it can verify that the total value on the left side equals the total value on the right side, therefore the sum of the inputs equals the sum of the outputs.


The problem with Confidential Transactions is that these commitments are massive in size which puts significant constraints of the overall scalability of the system. A confidential transaction is roughly 16x the regular transaction. What aggravates the problem more is the linear scalability of XMR transactions, meaning if a single output is about 7Kb, two outputs are 14Kb, three — 21.

Bulletproofs are a new non-interactive zero-knowledge proof protocol with very short proofs and without a trusted setup. Bulletproofs were proposed by a team of cryptography experts whose names may sound familiar to those closely watching the technological developments of the cryptocurrency space. The team includes Andrew Poelstra who heavily contributed to the Mimblewimble protocol; Pieter Wuille, the author of Segregated Witness; and Greg Maxwell who proposed CoinJoin and Confidential Transactions.

With Bulletproofs already implemented, a typical single-output Confidential transaction in Monero is now only 3Kb, while a transaction with two outputs weighs 3.7Kb. This is called logarithmic scaling and it is one of the best features of Bulletproofs.

Unlike zk-snarks used in Zcash, Bulletproofs do not need a generation setup. You may have heard of the Ceremony held by the Zcash team to generate randomness which the Zcash network needs to properly and securely function. On the other hand, the verification of a bulletproof is more time-consuming than that of zk-snarks.

Post-hardfork Monero

Previously Monero has, to a certain extent, been regarded as a project based on established and well-known technologies. With the introduction of Bulletproofs, however, the largest privacy-centric cryptocurrency makes another step into the territory of experimental zero-knowledge cryptography, which has primarily been the domain of Zcash joined not too long ago by the Mimblewimble implementations such as Grin and Beam.

By continuing to browse, you agree to the use of cookies. Read Privacy Policy to know more or withdraw your consent.