2

Note: This might be similar to this question.

I'm thinking about a hypothetical cryptocurrency where the blockchain doesn't store any transactions. The balance of an address would be stored by the owner, and the blockchain would only contain the root hashes of Merkle trees whose leaves are hashes of "{address}{balance}". Each block would also contain a list of invalidated hashes. The "miner" nodes would execute a transaction by invalidating the previous hash for an address, sending both parties the new Merkle tree leaf nodes for the updated balances, and creating a new block with the root hash. It would also be a proof-of-stake algorithm.

I would like to know if there's some way to generate a zero-knowledge proof that your address contains more than 0, and at least x? (x can be an integer, since this hypothetical cryptocurrency has a fixed number of decimal places.)

This would allow people to send transactions without disclosing their actual balance. They could also provide a sequence of verified transactions to prove that their address contains the original amount, minus x, y, z, etc.

I've read some of the other zero-knowledge answers on here, so I'm pretty sure that the answer is "yes". I found this paper, and I've also found some answers like this. However, I would love to see an answer that is relevant to this specific case. I would also find it easier to understand some code examples (any language, or even pseudocode.)

EDIT: I forgot to mention something: the implementation must also include a nonce, otherwise it would be very easy to bruteforce balances for some addresses. For example, if there was no nonce, then it would be easy to find a list of all addresses that have a specific balance of 1.00000000. So the range proof / verification must also consider a secret nonce (or salt).

ndbroadbent

1 Answer

4

What you want is usually called a range proof: proving in zero-knowledge that some value (committed, or encrypted) is in a given public range. I had written a detailed answer on existing techniques for range proofs when answering this question.

I'm not sure I understood exactly how your scenario would work, but one possible issue with standard solutions is that they are based on algebraic primitives (like commitments over abelian groups), while you seem to be looking for a proof related to something hashed in a Merkle tree, without any specific (algebraic) structure. Such statements are harder to prove, but this can be done, using techniques based on garbled circuits to prove knowledge of a satisfying assignment for a given boolean circuit (in your case, this boolean circuit would first check that the input is in the correct range, then hash it the way you want). The most relevant techniques are the recent protocols ZKBoo and Ligero.

One last thing: if you want access to a specific paper that seems relevant to you, but that is behind a paywall, you can contact me by private message (my institution gives me access to the databases of most publishers).

Geoffroy Couteau
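The following is an added worked example, not code from the question or the answer above. It implements the "standard algebraic" range proof the answer mentions (bit decomposition over Pedersen commitments, with a Schnorr-style OR-proof per bit and Fiat-Shamir challenges), and it assumes that each Merkle leaf commits to the balance as C = g^balance * h^nonce instead of a plain hash of "{address}{balance}". The nonce is exactly the secret salt the question's EDIT asks for: two commitments to the same balance with different nonces are unrelated, so balances cannot be brute-forced from the leaves. Proving "balance >= x" for a public x reduces to range-proving balance - x, because C / g^x is a commitment to balance - x under the same nonce. The group parameters (a 128-bit safe prime found from a fixed seed), the NBITS width and all function names are choices made for this example; they are toy-sized and not production settings.

```python
"""Toy bit-decomposition range proof over Pedersen commitments (added example).

ASSUMPTION: a leaf commits to the balance as C = g^balance * h^nonce in the
order-q subgroup of Z_p^*, p = 2q + 1.  Parameters are toy-sized and derived
from a fixed seed for reproducibility; this is not production code.
"""
import hashlib
import random
import secrets

NBITS = 32  # balances live in [0, 2**NBITS); fixed decimal places => integers


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic; adequate for a toy setup)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def setup(bits=128, seed=2024):
    """Safe prime p = 2q + 1; g and h generate the order-q subgroup of Z_p^*.
    h is derived by hashing so that nobody knows log_g(h) (needed for binding)."""
    rng = random.Random(seed)  # deterministic toy parameters, NOT a secure RNG
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    g = 4  # 2^2 is a quadratic residue, hence lies in the subgroup of order q
    h = pow(int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big"), 2, p)
    return p, q, g, h


P, Q, G, H = setup()


def commit(value, nonce):
    """Pedersen commitment C = g^value * h^nonce (mod p); nonce is the secret salt."""
    return pow(G, value, P) * pow(H, nonce, P) % P


def challenge(*items):
    """Fiat-Shamir challenge in Z_q over the transcript (bind more context in practice)."""
    return int.from_bytes(hashlib.sha256(b"|".join(str(i).encode() for i in items)).digest(), "big") % Q


def prove_bit(c_i, bit, r_i):
    """OR-proof that c_i = g^b * h^r with b in {0, 1}: branch 0 proves c_i = h^r,
    branch 1 proves c_i / g = h^r; the branch without a witness is simulated."""
    y = [c_i, c_i * pow(G, -1, P) % P]
    a, c, s = [0, 0], [0, 0], [0, 0]
    sim = 1 - bit
    c[sim], s[sim] = secrets.randbelow(Q), secrets.randbelow(Q)
    a[sim] = pow(H, s[sim], P) * pow(y[sim], -c[sim], P) % P
    w = secrets.randbelow(Q)
    a[bit] = pow(H, w, P)
    c[bit] = (challenge(c_i, a[0], a[1]) - c[sim]) % Q
    s[bit] = (w + c[bit] * r_i) % Q
    return (a[0], a[1], c[0], c[1], s[0], s[1])


def verify_bit(c_i, proof):
    a0, a1, c0, c1, s0, s1 = proof
    y1 = c_i * pow(G, -1, P) % P
    return ((c0 + c1) % Q == challenge(c_i, a0, a1)
            and pow(H, s0, P) == a0 * pow(c_i, c0, P) % P
            and pow(H, s1, P) == a1 * pow(y1, c1, P) % P)


def prove_range(value, nonce):
    """Prove commit(value, nonce) opens to a value in [0, 2**NBITS)."""
    if not 0 <= value < 2 ** NBITS:
        raise ValueError("value outside the provable range")
    bits = [(value >> i) & 1 for i in range(NBITS)]
    # per-bit nonces r_i chosen so that sum(r_i * 2^i) == nonce (mod q),
    # which makes the bit commitments recombine to the original commitment
    r = [secrets.randbelow(Q) for _ in range(NBITS - 1)]
    r.append((nonce - sum(ri << i for i, ri in enumerate(r))) * pow(1 << (NBITS - 1), -1, Q) % Q)
    comms = [commit(b, ri) for b, ri in zip(bits, r)]
    return comms, [prove_bit(ci, b, ri) for ci, b, ri in zip(comms, bits, r)]


def verify_range(c, comms, proofs):
    """Check subgroup membership, recombination to c, and that every bit is 0 or 1."""
    if len(comms) != NBITS or len(proofs) != NBITS:
        return False
    if not all(1 <= ci < P and pow(ci, Q, P) == 1 for ci in comms):
        return False  # reject elements outside the order-q subgroup
    recombined = 1
    for i, ci in enumerate(comms):
        recombined = recombined * pow(ci, 1 << i, P) % P
    return recombined == c and all(verify_bit(ci, pr) for ci, pr in zip(comms, proofs))


def prove_at_least(value, nonce, x):
    """Prove balance >= x (x public): C / g^x commits to value - x under the same nonce."""
    return prove_range(value - x, nonce)  # raises ValueError when value < x


def verify_at_least(c, x, comms, proofs):
    return verify_range(c * pow(G, -x, P) % P, comms, proofs)


def demo():
    """Honest proof verifies; the same proof against another nonce's commitment does not."""
    balance, nonce = 100_000_000, secrets.randbelow(Q)  # 1.00000000 with 8 decimals
    c = commit(balance, nonce)
    comms, proofs = prove_at_least(balance, nonce, 25_000_000)
    return verify_at_least(c, 25_000_000, comms, proofs), verify_at_least(commit(balance, nonce + 1), 25_000_000, comms, proofs)


if __name__ == "__main__":
    print("honest proof verifies, proof against wrong commitment verifies:", demo())
```

The verifier only ever sees C, x and the per-bit proofs, so it learns that balance - x lies in [0, 2^NBITS) and nothing else; the same machinery also proves "more than 0" with x = 1. Note that this only covers the commitment, not a plain hash leaf: as the answer says, tying such a proof to a hash-based Merkle tree needs a circuit-based system (ZKBoo, Ligero) rather than this algebraic construction.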