Key Takeaways
Confidential transactions (CT) use cryptographic techniques to hide transfer amounts on a blockchain while still allowing network participants to verify that no new coins are created, preserving fungibility and preventing chain analysis of transaction values.
The core mechanism relies on Pedersen commitments (additively homomorphic encryption) combined with Bulletproof range proofs that confirm amounts are non-negative without revealing the actual values.
Confidential transactions are live in production on Bitcoin sidechains like Liquid, which extends the concept to "confidential assets" that also hide the type of token being transferred.
CT-based designs face trade-offs in transaction size and verification cost, which is why they are typically deployed on specialized sidechains or combined with other scaling solutions rather than directly on Bitcoin mainnet.
Introduction
System transparency is often considered critical to the functioning of a blockchain. Every node on the network can store a copy of the ledger and verify that no rules are being broken. For many distributed ledgers, anyone can search through blocks, transactions, and addresses using a block explorer.
On the privacy front, this transparency can create challenges. In a system like Bitcoin, every transaction can be linked back to a previous one. Coins are not technically fungible because each can be tied to specific transactions. No one can prevent you from sending bitcoin, but recipients can refuse to accept a transaction if those coins have previously passed through a flagged address.
Privacy in Bitcoin can be overstated. Users enjoy pseudonymity (public addresses are visible instead of names), but sophisticated analysis techniques can cluster addresses together in an attempt to identify network participants. One cryptographic approach proposed to make transactions truly private is confidential transactions.
What Are Confidential Transactions?
Confidential transactions (CT) were first discussed by Blockstream CEO Adam Back in 2013 and were later expanded upon by Bitcoin developer Gregory Maxwell. Maxwell outlined the privacy and fungibility problems described above and proposed a solution: amounts transferred could be shielded from the broader network so that only the transacting parties would know how much had been sent.

Under normal circumstances, it is easy for a node to verify that the amount received does not exceed the amount sent. If Alice wants to send 0.3 BTC to Bob, she takes an unspent output (for example, 1 BTC) and breaks it into two pieces: 0.3 to be sent to Bob and 0.69 to be returned to herself as change (with the remainder forfeited as a mining fee).
This is straightforward arithmetic for other nodes: 1 exceeds 0.3 + 0.69, the digital signatures are all correct, and Alice's inputs have not already been spent elsewhere, so the transaction must be valid. When amounts are blinded, however, verification becomes less trivial. How can a node evaluate whether an unknown amount equals or exceeds the sum of two other unknown amounts?
An Overview of the Cryptography Involved
To hide data, encryption is required. However, traditional encryption methods are like putting documents in a safe: once locked inside, the data becomes unusable until it is removed. What confidential transactions need is a digital safe whose contents are not revealed, but whose properties can be verified by an outsider.
Pedersen commitments
The answer lies in homomorphic encryption, specifically a scheme called a Pedersen commitment. This type of commitment allows an outsider to perform mathematical operations on encrypted data (which they cannot see) to verify correctness without learning the underlying values.
A regular hash can be used to commit to data you want to reveal later. For example, you might publish a hash of your prediction and later prove what you predicted by showing the original input. However, if the space of possible inputs is small, an attacker can simply try all options until they find a match. This is solved by adding a random value called a "blinding factor" to the data before hashing.
A Pedersen commitment goes further by enabling arithmetic on commitments. Formally, a commitment C to value v with blinding factor r is computed as C = vG + rH, where G and H are elliptic curve generator points. The key property is additive homomorphism:
C(v1, r1) + C(v2, r2) = C(v1 + v2, r1 + r2)
This means nodes can verify that the sum of input commitments equals the sum of output commitments without ever seeing the actual amounts.
Range proofs and Bulletproofs
Pedersen commitments alone have a vulnerability: since they work with modular arithmetic, a user could commit to a negative value and exploit the homomorphic property to effectively create coins from nothing. Range proofs solve this by proving in zero knowledge that the committed amount lies within a valid range without revealing the actual value.
Bulletproofs are the modern standard for range proofs in confidential transaction systems. They offer several advantages over earlier approaches: proof size grows logarithmically rather than linearly with the range size; multiple range proofs can be aggregated into a single compact proof; and they require no trusted setup (unlike some SNARK-based systems). In practice, each transaction output carries a Bulletproof that lets any node confirm the committed amount is non-negative and within bounds, maintaining supply integrity while keeping amounts private.
Confidential Transactions in Practice
While confidential transactions have not been adopted on Bitcoin mainnet, they are currently live in production on specialized networks:
Liquid sidechain
Blockstream's Liquid Network is a federated Bitcoin sidechain that implements both confidential transactions and "confidential assets" as first-class features. Confidential transactions hide transfer amounts using Pedersen commitments with Bulletproof range proofs. Confidential assets extend this further by also blinding the asset type being transferred, so observers cannot determine whether a transaction involves L-BTC, tokenized securities, stablecoins, or other issued assets.
Liquid targets institutional settlement between exchanges, OTC desks, and trading firms where commercial confidentiality is important. A federation of functionaries manages the peg-in/peg-out process and block signing, trading some decentralization for speed and privacy features.
Other implementations
Several other protocols use CT-derived techniques. MimbleWimble combines confidential transactions with transaction graph minimization through a process called "cut-through," which removes spent intermediate outputs and compresses blockchain state. Monero uses RingCT (ring signatures combined with confidential transactions) alongside stealth addresses to obscure sender, receiver, and amount simultaneously.
Selective disclosure and viewing keys
Modern CT implementations increasingly support selective disclosure mechanisms. Transaction participants can share blinding keys or dedicated viewing keys with auditors, compliance providers, or regulators. This allows private audits of specific transactions without making data publicly visible on-chain, creating a model of "private to the public, transparent to authorized parties."
Regulatory Landscape and Compliant Privacy
The regulatory environment for blockchain privacy has evolved significantly. The EU's Markets in Crypto-Assets (MiCA) regulation and the FATF Travel Rule both impose obligations on crypto-asset service providers (CASPs) to collect and transmit originator and beneficiary information for transfers. While these regulations target service providers rather than cryptographic primitives themselves, they indirectly pressure high-privacy assets.
Exchanges in regulated jurisdictions have delisted or restricted assets where effective AML monitoring is not feasible. This has particularly affected privacy coins with full transaction graph obfuscation. However, regulators generally show more tolerance for systems that hide commercial data from the public while providing opt-in transparency toward regulated entities.
The dominant trajectory in recent years has been "compliant privacy," combining zero-knowledge proofs with identity attestations. Users can prove they are KYC-verified or not on a sanctions list without revealing identity details on-chain. CT-style designs with viewing keys fit naturally into this framework: private by default, verifiable when legally required.
What Can Confidential Transactions Accomplish?
Confidential transactions address several practical challenges:
Commercial confidentiality: Businesses can transact on public blockchains without revealing trade volumes, payment amounts, or treasury flows to competitors.
Fungibility: When amounts are hidden, chain analysis cannot determine the history or "taint" of specific coins, making all units effectively interchangeable.
Reduced front-running risk: In DeFi and trading contexts, hidden amounts prevent observers from detecting and exploiting large pending transactions.
Regulatory compatibility: Unlike fully anonymous systems, CT with viewing keys can satisfy audit and compliance requirements while maintaining public privacy.
As to whether confidential transactions will be integrated directly into Bitcoin mainnet, it remains unlikely in the near term. CT transactions are significantly larger than standard ones due to the Bulletproof range proofs attached to each output. Given Bitcoin's limited block space and the conservative approach to protocol changes, deployment on sidechains and specialized networks remains the practical path.
FAQ
What are Bulletproofs and why are they important for confidential transactions?
Bulletproofs are a type of zero-knowledge range proof that confirms a committed value lies within a valid range (non-negative and not excessively large) without revealing the value itself. They are important because they are compact (logarithmic proof size), require no trusted setup, and can be aggregated across multiple outputs into a single proof, making confidential transactions practical for real-world use.
How do confidential transactions differ from zero-knowledge proof systems like Zcash?
Confidential transactions specifically hide amounts using Pedersen commitments and range proofs, while preserving address visibility. Zero-knowledge systems like Zcash's shielded pools can hide sender, receiver, and amount simultaneously using more complex ZK circuits (such as Groth16 or Halo2). CT is a more targeted primitive focused on value privacy, while shielded systems provide broader anonymity at higher computational cost.
Are confidential transactions legal?
The cryptographic techniques themselves are not prohibited in most jurisdictions. Regulations like MiCA and the Travel Rule target service providers (exchanges, custodians) rather than underlying cryptographic methods. However, service providers listing assets that use CT-style privacy may face enhanced compliance obligations, particularly around transaction monitoring and reporting.
Why haven't confidential transactions been added to Bitcoin mainnet?
The primary barriers are technical: CT transactions are significantly larger than standard Bitcoin transactions due to the range proofs, which would consume limited block space. Implementing CT would also require a consensus-level protocol change (a soft fork or hard fork), which demands broad community agreement. The conservative Bitcoin development culture and existing block space constraints make sidechain deployment the preferred approach.
What are viewing keys and how do they enable compliance?
Viewing keys are cryptographic keys that allow designated third parties (auditors, regulators, compliance providers) to decrypt the hidden amounts in confidential transactions without requiring the data to be publicly visible on-chain. Transaction participants can selectively share these keys, enabling private audits while maintaining general public privacy. This mechanism bridges the gap between on-chain confidentiality and regulatory requirements.
Closing Thoughts
Confidential transactions represent a well-understood cryptographic approach to on-chain privacy that balances value concealment with network verifiability. Through Pedersen commitments and Bulletproof range proofs, CT systems allow nodes to confirm transaction validity without learning the amounts involved..
Further Reading
Disclaimer: This content is presented to you on an "as is" basis for general information and educational purposes only, without representation or warranty of any kind. It should not be construed as financial, legal, or other professional advice, nor is it intended to recommend the purchase of any specific product or service. You should seek your own advice from appropriate professional advisors. Where the content is contributed by a third-party contributor, please note that those views expressed belong to the third-party contributor, and do not necessarily reflect those of Binance Academy. Digital asset prices can be volatile. The value of your investment may go down or up and you may not get back the amount invested. You are solely responsible for your investment decisions and Binance Academy is not liable for any losses you may incur. For more information, see our Terms of Use, Risk Warning and Binance Academy Terms.
