A range proof is a zero-knowledge proof that allows a prover to convince a verifier that a committed or encrypted value falls within a specified numerical range (e.g., 0 to 2^64), while revealing nothing else about the value. This is a cornerstone for privacy and correctness in blockchain systems, enabling confidential transactions where amounts are hidden yet provably valid. The most common construction, a Bulletproof, is a short, non-interactive proof that is efficient to verify, making it practical for on-chain use.
LABS
Glossary
Range Proof
A cryptographic zero-knowledge proof that verifies a hidden value lies within a specific numerical range without revealing the value itself.
Chainscore © 2026
definition
CRYPTOGRAPHIC PROTOCOL
What is a Range Proof?
A cryptographic method for proving a secret number lies within a specific interval without revealing the number itself.
The core challenge a range proof solves is demonstrating a positive balance or a non-negative transaction amount without disclosing the actual figures. In a confidential transaction, a user commits to an amount using a Pedersen Commitment. A range proof attached to this commitment proves the amount is within a valid range (e.g., not negative and not exceeding the total supply), preventing overflow attacks and the creation of unauthorized funds. This is essential for privacy-preserving cryptocurrencies like Monero and protocols like Mimblewimble.
Technically, many range proofs work by expressing the secret value in binary and proving each bit is indeed 0 or 1. For a value v and range [0, 2^n], the prover commits to the bits of v and demonstrates that the sum of these bits times their powers of two equals v. Advanced schemes like Bulletproofs use inner-product arguments to aggregate all these bit proofs into a single, compact proof, dramatically reducing size compared to earlier schemes. This efficiency is critical for blockchain scalability.
Key applications extend beyond hidden amounts. Range proofs are vital for proof of solvency where an exchange proves its holdings exceed liabilities without revealing specifics, KYC/AML compliance where age or income is verified privately, and verifiable auctions where bids are concealed but proven to be within rules. They are also a fundamental component in more complex zk-SNARKs and zk-STARKs circuits that require bounded integer operations.
When implementing or analyzing systems using range proofs, developers must consider the trade-offs between proof size, verification time, and trust assumptions. Bulletproofs are transparent (no trusted setup) and have logarithmic size, while Bünz et al. Bulletproofs optimized this further. In contrast, some SNARK-based range proofs offer constant verification time but may require a trusted setup. The choice depends on the application's requirements for privacy, performance, and auditability.
how-it-works
CRYPTOGRAPHIC PRIMITIVE
How Does a Range Proof Work?
A technical breakdown of the cryptographic mechanisms that allow a prover to convince a verifier that a secret value lies within a specific interval without revealing the value itself.
A range proof is a zero-knowledge proof that cryptographically demonstrates a secret committed value lies within a specified numerical interval, such as proving a transaction amount is non-negative without revealing the exact figure. This is foundational for privacy-preserving blockchains like Monero and Zcash, where it prevents the creation of negative balances (which would inflate the money supply) while keeping amounts confidential. The prover generates the proof using the secret value and a commitment to it, and the verifier checks the proof against the public commitment and the declared range.
The most common construction is the Bulletproofs protocol, which uses inner product arguments and Pedersen commitments. The prover first commits to the secret value v as C = v*G + r*H, where G and H are elliptic curve generators and r is a blinding factor. To prove v is in [0, 2^n], it is expressed in n-bit binary format. The proof then demonstrates that each bit is indeed 0 or 1 and that the bits correctly sum to v, all without opening the commitment C. This compact, non-interactive proof is verified through a series of elliptic curve operations.
Optimizations like Bulletproofs++ and Aggregated Range Proofs allow multiple range proofs (e.g., for all outputs in a transaction) to be combined into a single, much smaller proof, drastically improving scalability. This aggregation is crucial for practical deployment, as it reduces the blockchain space required for private transactions. The verification involves a multi-exponentiation calculation, whose complexity grows logarithmically with the range size and number of aggregated proofs, making it efficient for verifiers.
key-features
CRYPTOGRAPHIC PRIMITIVES
Key Features of Range Proofs
Range proofs are zero-knowledge proofs that allow a prover to convince a verifier that a secret number lies within a specific interval without revealing the number itself. They are fundamental for privacy and correctness in blockchain systems.
01
Zero-Knowledge Property
The core feature is the zero-knowledge property. A prover can demonstrate that a committed value (e.g., a transaction amount) is within a valid range (e.g., non-negative and not exceeding the total supply) without revealing the exact value. This is essential for confidential transactions in protocols like Mimblewimble and Monero.
02
Bulletproofs Protocol
Bulletproofs are a prominent, efficient non-interactive range proof construction. Their key advantages are:
- Short proofs: Size grows logarithmically with the range size.
- No trusted setup: Unlike some zk-SNARKs, they don't require a trusted ceremony.
- Aggregation: Multiple range proofs can be aggregated into one, saving significant blockchain space.
03
Application: Confidential Transactions
Range proofs prevent negative amounts and overflow in confidential transactions. By proving an output amount is within [0, 2^64], they ensure value conservation (inputs equal outputs) without disclosing the actual figures. This combats inflation attacks while preserving financial privacy on the ledger.
04
Proof Size & Performance
A critical trade-off exists between proof size, verification time, and prover computation. Bulletproofs offer ~1-2 KB proofs but slower proving. zk-SNARKs (like Groth16) offer constant-size proofs (~200 bytes) and fast verification but require a trusted setup. The choice depends on the application's constraints.
05
Inner Product Argument
Many efficient range proofs, including Bulletproofs, rely on an inner product argument. This technique allows the prover to efficiently convince the verifier of the correctness of an inner product relation between committed vectors, which is used to encode the range condition. It's the engine that enables the logarithmic proof size.
06
Beyond Monetary Amounts
Range proofs have applications beyond cryptocurrency:
- Proof of age: Proving one is over 18 without revealing a birthdate.
- KYC/AML: Demonstrating a credit score is above a threshold.
- Secure voting: Proving a vote is for a valid candidate without revealing the choice.
- Game logic: Verifying a secret random number falls within game parameters.
ecosystem-usage
RANGE PROOF
Ecosystem Usage & Applications
Range proofs are cryptographic primitives that enable privacy and scalability by verifying a secret value lies within a specific interval without revealing the value itself. Their applications are foundational to modern blockchain systems.
02
ZK-Rollup Scalability
In ZK-Rollups like zkSync and StarkNet, range proofs are a critical component within the larger zero-knowledge proof (ZKP) system. They efficiently batch-verify that all state transitions (e.g., account balances) are valid—ensuring no balance goes negative—without requiring each transaction's details to be published on-chain, dramatically increasing throughput.
03
Private Voting & Auctions
Range proofs enable privacy-preserving applications beyond payments. In blind auctions or voting systems, they can prove that a bid or a vote falls within a valid, pre-defined range (e.g., a bid is between 1 and 100 ETH, or a vote is for candidate 1, 2, or 3) without disclosing the specific choice, ensuring both correctness and secrecy.
04
Regulatory Compliance (ZK-KYC)
Emerging Zero-Knowledge Know Your Customer (ZK-KYC) schemes use range proofs to allow users to prove compliance attributes to a verifier (e.g., a DeFi protocol) without revealing the underlying data. For example, proving age is over 18 or that a jurisdiction is not on a sanctions list, by demonstrating the secret data falls within an approved range.
06
ZK-SNARKs vs. Bulletproofs
While both provide privacy, their trade-offs are distinct:
- ZK-SNARKs (e.g., Zcash): Require a trusted setup but offer extremely small proof sizes and fast verification. Often use range proofs as a component.
- Bulletproofs: No trusted setup, but proofs are larger and verification is more computationally intensive. They are specifically optimized for efficient range proofs. The choice depends on the application's need for trust minimization, proof size, and verification speed.
examples
RANGE PROOF IMPLEMENTATIONS
Real-World Protocol Examples
Range proofs are a critical privacy and scaling primitive. These examples showcase their application across major blockchain protocols.
CRYPTOGRAPHIC PROTOCOLS
Comparison: Range Proof Types
A technical comparison of major cryptographic protocols used to prove a secret value lies within a specific interval without revealing the value itself.
| Feature / Metric | Bulletproofs | Bulletproofs++ | ZK-SNARKs |
|---|---|---|---|
Cryptographic Assumption | Discrete Logarithm | Discrete Logarithm | Pairing-Friendly Elliptic Curves |
Trusted Setup Required | |||
Proof Size (Scalar) | ~ 672 bytes | ~ 576 bytes | ~ 288 bytes |
Verification Time | Linear in circuit size | Logarithmic in circuit size | Constant |
Prover Memory | Low | Low | High (requires circuit-specific SRS) |
Primary Use Case | Confidential Transactions (Monero) | Optimized confidential assets | Private smart contracts (Zcash) |
Succinctness | |||
Post-Quantum Resistance | No (Relies on ECC) | No (Relies on ECC) | No (Relies on ECC) |
security-considerations
RANGE PROOF
Security Considerations
Range proofs are cryptographic tools that allow a prover to convince a verifier that a secret value lies within a specific interval without revealing the value itself. Their security is paramount for preserving privacy and ensuring the integrity of blockchain systems.
01
Soundness & Completeness
A secure range proof must satisfy two fundamental cryptographic properties:
- Soundness: A malicious prover cannot convince a verifier that a false statement (e.g., a value is within the range when it is not) is true, except with negligible probability.
- Completeness: An honest prover, who knows a secret value within the valid range, can always generate a proof that a verifier will accept.
02
Zero-Knowledge Property
Beyond proving the range, a zero-knowledge range proof ensures the secret value itself is not leaked. The verifier learns nothing about the committed number other than the fact it is within the specified bounds. This is critical for privacy-focused applications like confidential transactions, where amounts must be validated without being disclosed on-chain.
03
Implementation Vulnerabilities
Even with a sound cryptographic design, implementation flaws can compromise security. Common risks include:
- Side-channel attacks: Timing or power analysis during proof generation/verification could leak the secret.
- Randomness failures: Using weak or predictable randomness in proof construction can allow forgery.
- Parameter selection: Incorrectly configured cryptographic groups or curve parameters can introduce backdoors or weaknesses.
04
Performance & Scalability Trade-offs
The security guarantees of a range proof are often balanced against performance. More complex, bulletproof-style proofs offer compact size and strong security but require significant computational resources to verify. Inefficient verification can become a denial-of-service (DoS) vector, where an attacker floods the network with proofs to overwhelm nodes.
05
Trusted Setup Requirements
Some advanced range proof constructions, like those used in zk-SNARKs, may require a trusted setup ceremony to generate public parameters. If this setup is compromised, an attacker could generate false proofs. Systems must either use a secure multi-party computation for setup or prefer transparent proof systems (like Bulletproofs or STARKs) that eliminate this trust assumption.
06
Integration with Consensus
The security of the broader system depends on how range proofs are integrated. For example, in a blockchain validating confidential transactions:
- All validating nodes must run the same, correct verification algorithm.
- Consensus rules must mandate proof verification before a transaction is considered valid.
- A bug in the verification logic could lead to the acceptance of invalid transactions, breaking the monetary supply guarantees.
RANGE PROOF
Technical Deep Dive
A range proof is a cryptographic protocol that allows a prover to convince a verifier that a secret value lies within a specific interval without revealing the value itself. This is a fundamental building block for privacy and scalability in blockchain systems.
A range proof is a zero-knowledge proof that cryptographically demonstrates a secret number is within a specified range (e.g., between 0 and 2^64) without revealing the number. It works by the prover committing to the secret value using a commitment scheme (like a Pedersen Commitment), then constructing a proof that this committed value satisfies the range constraint. The verifier checks this proof against the public commitment and the known range, gaining confidence in the statement's truth without learning the underlying data. This is essential for verifying that transaction amounts are non-negative in confidential transactions, preventing the creation of negative or overflow amounts that could break the monetary supply.
RANGE PROOF
Frequently Asked Questions (FAQ)
A range proof is a cryptographic protocol that allows a prover to convince a verifier that a secret value lies within a specific interval without revealing the value itself. This section answers common technical questions about their function, types, and applications in blockchain systems.
A range proof is a zero-knowledge proof (ZKP) that cryptographically demonstrates a secret number is within a specified range (e.g., 0 to 2^64) without revealing the number itself. It works by the prover committing to the secret value, typically using a Pedersen Commitment or similar cryptographic primitive, and then constructing a proof that this committed value satisfies the range constraint. The verifier can check the proof against the public commitment and the known range, gaining confidence in the statement's truth while learning nothing else about the secret. This is foundational for privacy in systems like confidential transactions.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall