The bulletproofs protocol allows one to prove that the value carried by a Pedersen commitment is contained between
2^64 - 1 nanogrins.
The problem with 0-value outputs is that an attacker can set up 24/7 bots on the network: nodes that mechanically append 0-value outputs to every transaction they receive from peers.
Unlike for non-0 outputs, appending 0-value outputs to any transaction is possible, since this operation does not affect the correctness of the balance equation provided that the `kernel_offset` is adjusted accordingly, which is trivial to do.
This possibility has 2 unfortunate consequences:
- Reducing, potentially by a large degree, the capacity for transactions to properly aggregate (in particular with the output uniqueness rule).
- Allowing large amounts of (useless) data to be posted on the blockchain for free.
Each such piece of data is around 700 bytes, which is around the size of a single bulletproof.
Proposed fix, which is a consensus change:
Bulletproofs should be generated and verified not against `P`, but against `P' = P - H`, where `P = vH + rG`. This implies that the values `v` contained by the Pedersen commitments `P = vH + rG` must be contained between
2^64 nanogrin, instead of between
This extra data on the blockchain is not only a storage problem, but also adds unnecessary verification time, since bulletproofs are not trivial to verify (around 150 exponentiations and group operations for a single bulletproof).
On the other hand, doing the operation `P <- P - H` is only one group operation.
The balance equations should still be verified against `P` (and not `P - H`).
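The algebra behind the proposal, as an added example that is not part of the original text or of Grin's code. It assumes a toy additive group (integers mod a prime, neither hiding nor binding), a simplified balance equation, and a `range_ok` stand-in that checks a revealed opening instead of a real bulletproof; all names and sample values are constructed.

```python
# Toy model: "points" are integers mod a prime Q, so only the algebra is real.
Q = 2**127 - 1      # constructed toy group order (a Mersenne prime)
G, H = 5, 7         # constructed stand-ins for the generators G and H
RANGE = 2**64       # a bulletproof proves the committed value is below 2^64

def commit(v, r):
    """Pedersen-style commitment P = vH + rG in the toy group."""
    return (v * H + r * G) % Q

def balances(inputs, outputs, fee, excess, offset):
    """Simplified balance: sum(out) - sum(in) + fee*H == excess + offset*G."""
    lhs = (sum(outputs) - sum(inputs) + fee * H) % Q
    return lhs == (excess + offset * G) % Q

def range_ok(P, v, r, shifted):
    """Stand-in for bulletproof verification using the revealed opening (v, r).
    shifted=False: proof against P. shifted=True: proof against P' = P - H."""
    target = (P - H) % Q if shifted else P
    w = (v - 1) % Q if shifted else v % Q   # value actually committed in target
    return commit(w, r) == target and w < RANGE

def demo():
    # Constructed transaction: input 50, outputs 30 and 18, fee 2.
    r_in, r1, r2, offset = 11, 23, 31, 4
    inputs = [commit(50, r_in)]
    outputs = [commit(30, r1), commit(18, r2)]
    excess = ((r1 + r2 - r_in - offset) * G) % Q
    honest = balances(inputs, outputs, 2, excess, offset)

    # A 0-value output only adds r0*G, which an adjusted kernel_offset absorbs.
    r0 = 99
    zero = commit(0, r0)
    padded = balances(inputs, outputs + [zero], 2, excess, offset + r0)

    return {
        "honest_balances": honest,
        "padded_balances": padded,             # balance check cannot catch it
        "zero_passes_current_rule": range_ok(zero, 0, r0, shifted=False),
        "zero_passes_shifted_rule": range_ok(zero, 0, r0, shifted=True),
        "one_passes_shifted_rule": range_ok(commit(1, 7), 1, 7, shifted=True),
        "max_passes_shifted_rule": range_ok(commit(2**64, 7), 2**64, 7, shifted=True),
        "max_passes_current_rule": range_ok(commit(2**64, 7), 2**64, 7, shifted=False),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The balance check is still run against the unshifted commitments, as the proposal requires; only the range check uses `P - H`.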