Contents
Introduction
What are Confidential Transactions?
An overview of the cryptography involved
What are Confidential Transactions capable of?
Conclusion
Introduction
It is often considered critical to the functioning of a blockchain that the system is transparent: every node on the network must be able to store a copy of the ledger and verify that no rules have been violated. For many distributed ledgers, anyone can open an online block explorer and search across blocks, transactions, and addresses.
From a privacy point of view, this is not an ideal situation. In a system like Bitcoin, any transaction can be linked to the one that precedes it. Coins are not truly fungible, since each unit can be traced back to the transactions it passed through. No one can stop you from sending bitcoin, but your transaction may be rejected if the coins involved have previously passed through a "blacklisted" address.
In the worst case, the lack of fungibility could undermine the very foundations of the system. "Clean" coins could trade at a premium, while older ones would become less valuable because of their history.
In Bitcoin, privacy is often overstated. Not only the coins can be tracked, but also the users. Users enjoy only "pseudonymity" (public addresses are visible instead of names), and this pseudonymity has weaknesses. Sophisticated analysis techniques can, with increasing precision, cluster addresses in an attempt to deanonymize entities on the network.
One of the proposed upgrades to make transactions truly private is Confidential Transactions.
What are Confidential Transactions?
Confidential Transactions (CT) were first proposed in 2013 by Adam Back, CEO of Blockstream; Bitcoin developer Gregory Maxwell later expanded on his analysis. Maxwell highlighted the problems mentioned in the previous section (i.e., fungibility and weak "pseudonymity") and proposed a solution: the amounts sent could be hidden from the rest of the network, so that only the parties involved in the transaction know them.
Under normal circumstances (with publicly visible amounts), it is easy for a node to verify that the amount received does not exceed the amount sent. If Alice wants to send Bob 0.3 BTC, she takes an unspent output (say 1 BTC) and splits it into two parts: 0.3 BTC that she sends to Bob, and 0.69 BTC that she sends back to herself (the missing 0.01 BTC is the mining fee).
For the other nodes this is simple arithmetic: 1 is greater than 0.3 + 0.69, the signatures are all correct, and Alice's inputs have not been spent anywhere else, so the transaction must be valid. When the amounts are hidden, however, things are no longer so trivial. How can you evaluate whether an unknown quantity equals or exceeds the sum of two other unknown quantities?
An overview of the cryptography involved
To hide data, encryption is required. However, traditional methods are comparable to storing documents in a safe: once locked inside, they are unusable until the safe is opened. What we need for Confidential Transactions to work is a digital safe that does not reveal its contents, but whose properties can be verified by an outsider.
The answer lies in homomorphic encryption, specifically in a scheme called a "Pedersen commitment". It allows an outsider to perform operations on hidden data (which they cannot see) for a number of purposes.
An ordinary hash can be used to commit to data that you want to reveal later. Imagine that you want to announce a competition on social media, in which anyone who guesses your favorite exchange wins a prize of 0.01 BTC. Participants might be skeptical: you could wait to see the answers after the competition has concluded and then pick an exchange that nobody mentioned.
What you could do is provide your followers with a hash: a string of seemingly random numbers and characters that maps to one specific input. You pass the name of your exchange through a hash function to obtain a fixed result. We will illustrate with the SHA-256 algorithm:
f1624fcc63b615ac0e95daf9ab78434ec2e8ffe402144dc631b055f711225191
Looking at this, you have no idea what the input was, and you can't reverse the function to get it either. However, if you know the input was "Binance", you can easily verify that hashing it gives the value above. This way, your followers are assured that you will not change your answer at the close of the competition, since a different answer would produce a totally different hash.
Realistically, however, this is not very safe. While your followers can't invert the hash function, they can draw up a list of likely exchanges and hash each one until they find a match. We can make this far harder by appending some random data, called a blinding factor, to the data we are going to hash.
If we instead hash "Binance is my favorite exchange, I love it more than any other exchange 2#43Wr", it becomes much harder for an adversary to guess (and for 0.01 BTC, it's certainly unlikely anyone will try).
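The commit-and-reveal scheme just described, as an added example that is not part of the original article: a SHA-256 commitment to an exchange name, the opening check a follower runs once the answer is revealed, and the dictionary check that shows why a commitment to a small, guessable input needs a random blinding factor. The candidate list and the 16-byte blinding factor are constructed for the example.

```python
# Hash commitment with a blinding factor (added illustration; constructed data).
import hashlib
import secrets


def commit(message: str, blinding: bytes = b"") -> str:
    """SHA-256 over the message followed by an optional random blinding factor."""
    return hashlib.sha256(message.encode() + blinding).hexdigest()


def open_commitment(commitment: str, message: str, blinding: bytes = b"") -> bool:
    """Anyone holding the opening (message, blinding) can check it matches."""
    return commit(message, blinding) == commitment


def guess_from_list(commitment: str, candidates):
    """Dictionary check: with a tiny input space and no blinding factor the
    commitment hides nothing. Returns the matching candidate, or None."""
    for candidate in candidates:
        if commit(candidate) == commitment:
            return candidate
    return None


# Constructed list of exchanges a skeptical follower might try
CANDIDATES = ["Binance", "Coinbase", "Kraken", "Bitstamp", "Gemini"]


def example():
    unblinded = commit("Binance")
    blinding = secrets.token_bytes(16)          # 128 bits of randomness
    blinded = commit("Binance", blinding)
    return (
        guess_from_list(unblinded, CANDIDATES),   # "Binance": found at once
        guess_from_list(blinded, CANDIDATES),     # None: the list no longer helps
        open_commitment(blinded, "Binance", blinding),  # True once revealed
    )


if __name__ == "__main__":
    print(example())
```

The blinding factor is what turns the hash into a hiding commitment: the committer reveals it together with the answer, and until then the search space is the blinding factor's 128 bits rather than the handful of plausible exchange names.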
A Pedersen commitment lets us add the values behind two commitments. As Maxwell illustrates:
C(BF1, D1) + C(BF2, D2) = C(BF1 + BF2, D1 + D2)
where BF is the blinding factor and D is the data.
There are a few more steps from here that involve elliptic curve cryptography and range proofs, but the basic idea is that a user holds a commitment to the amount at their address. When sending funds, two additional commitments are created (one for the change address that returns funds to the user and one for the destination address).
No one knows how much is sent, but anyone can verify that the change and destination commitments (the left side of Maxwell's equation) add up to the source commitment (the right side of the equation). If this checks out, the user's transaction is valid, since the inputs can be shown to equal the outputs.
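Maxwell's identity and the balance check it enables, as an added worked example that is not code from the article or from any CT implementation. It builds Pedersen commitments C(BF, D) = D*G + BF*H on secp256k1 (real curve parameters), derives the second generator H by hashing to the curve so its discrete log relative to G is unknown, and runs the node-side check on Alice's 1 BTC to 0.3 BTC + 0.69 BTC + fee transaction from the text. Assumptions beyond the article: amounts are in satoshi, the fee is an explicit plaintext output (as deployed CT designs do), and range proofs are left out, so this only shows that the committed amounts balance, not that none of them is negative.

```python
# Pedersen commitments on secp256k1 and the CT balance check (added example).
import hashlib
import secrets

# secp256k1 domain parameters: field prime, group order, base point G
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None                                   # a + (-a)
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def hash_to_point(tag: bytes):
    """Nothing-up-my-sleeve generator: take x from a hash and try-and-increment
    until x^3 + 7 is a square (P % 4 == 3, so the sqrt is a single pow)."""
    counter = 0
    while True:
        digest = hashlib.sha256(tag + counter.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % P
        y2 = (pow(x, 3, P) + 7) % P
        y = pow(y2, (P + 1) // 4, P)
        if y * y % P == y2:
            return (x, y)
        counter += 1


H = hash_to_point(b"CT demo: second generator")   # discrete log w.r.t. G unknown


def commit(value: int, blind: int):
    """The article's C(BF, D): value*G + blind*H."""
    return add(mul(value, G), mul(blind, H))


def homomorphic(v1, r1, v2, r2) -> bool:
    """Maxwell's identity: C(BF1, D1) + C(BF2, D2) == C(BF1 + BF2, D1 + D2)."""
    return add(commit(v1, r1), commit(v2, r2)) == commit(v1 + v2, r1 + r2)


def balanced(inputs, outputs, fee: int) -> bool:
    """Node-side check: sum(inputs) - sum(outputs) - fee*G is the point at
    infinity. The fee is an explicit plaintext amount (assumption)."""
    acc = None
    for c in inputs:
        acc = add(acc, c)
    for c in outputs:
        acc = add(acc, neg(c))
    acc = add(acc, neg(mul(fee, G)))
    return acc is None


def alice_pays_bob():
    """Constructed amounts in satoshi: 1 BTC in, 0.3 to Bob, 0.69 change,
    0.01 fee. Returns (honest_tx_passes, inflated_tx_passes)."""
    r_in = secrets.randbelow(N)
    r_bob = secrets.randbelow(N)
    r_change = (r_in - r_bob) % N          # blinding factors must balance too
    c_in = commit(100_000_000, r_in)
    c_bob = commit(30_000_000, r_bob)
    c_change = commit(69_000_000, r_change)
    honest = balanced([c_in], [c_bob, c_change], fee=1_000_000)
    # A change output of 0.70 BTC would create 0.01 BTC from nothing: rejected
    inflated = balanced([c_in], [c_bob, commit(70_000_000, r_change)], fee=1_000_000)
    return honest, inflated


if __name__ == "__main__":
    print(homomorphic(5, 11, 7, 13), alice_pays_bob())
```

The verifier never sees 100,000,000, 30,000,000 or 69,000,000; it only adds and subtracts points. The sender's side of the work is choosing the change blinding factor so the BF terms cancel, which is why the identity has to hold for the blinding factors as well as for the data.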
What are Confidential Transactions capable of?
If Confidential Transactions were implemented in Bitcoin, we would enjoy a much more private system. Both input and output amounts would be masked from the broader network, and entries in the ledger would be obfuscated, but nodes would still be able to verify their validity. With this massive increase in privacy, bitcoins could become effectively fungible, as on-chain analysis would no longer reveal the history of a given unit.
As to whether Confidential Transactions will be integrated into the protocol, it does not seem likely at this time. With this additional functionality, transactions are much larger than standard ones, and given the limited block space, this would only increase competition for it. It would also require a majority of participants to agree to change the code, which has traditionally proven difficult.
Conclusion
Confidential Transactions have seen several iterations in other cryptocurrencies and Bitcoin sidechains. For example, Monero uses them in combination with constructs called ring signatures to achieve anonymity and fungibility. The Liquid sidechain implements them for greater privacy, and MimbleWimble extends them to the same ends.
For the benefits they bring, Confidential Transactions come with the trade-off of a larger footprint. Cryptocurrencies often struggle with scalability and performance at the base layer, and larger transaction sizes are not attractive to everyone. That said, privacy advocates believe that hiding transaction amounts and participants is essential if cryptocurrency is to serve as fungible money.