A Primer to Confidential Transactions
This article is a primer to Confidential Transactions (CT) with the goal of providing a framework to understanding this technology. It is not intended to be an in-depth explanation. As such, it only highlights the key concepts involved. It also doesn’t include Ring Signatures or Bullet Proofs, which prevent accounting overflow. For a fully comprehensive study of CT, I recommend Gregory Maxwell’s initial investigation or this summary by Adam Gibson.
What is CT?
A protocol that hides the amount of Bitcoin you send as well as the receiver’s BTC address.
Why is it important?
Even though Bitcoin is pseudonymous, it doesn’t provide a whole lot of privacy. Due to the public nature of its blockchain, you can track Bitcoin transactions and where it was previously spent through chain analysis. The pseudoanonymity of BTC addresses is especially weak for people who reuse them or post it on a social media account.
The lack of privacy ultimately makes Bitcoin not as fungible as it could be and hinders its ability to become a censorship resistant medium of exchange. For example, one of the reasons why exchanges have suddenly shut down accounts is because the Bitcoin a customer is trying to sell, unbeknownst to them, may have previously used it for illicit purposes. Confidential Transactions will help mitigate these issues inherent in public blockchains.
High level overview
Confidential Transactions work by introducing a new address and transaction format. The transaction format is composed of a scriptPubKey, Pedersen commitment, and ecdh nonce.
The scriptPubKey contains the following: The Confidential Transaction Address (CTA) and a mathematical condition that the BTC can be spent only if ownership of the address’ private key is proven with a signature.
The Confidential Transaction Address is the hash of a blinding key plus a regular BTC address.
A blinding key is used to hide the BTC address and BTC amount on the public ledger. Alternatively if you have access to the blinding key, you have the ability to view the BTC address and BTC amount in a Confidential transaction.
A Pedersen commitment is essentially a hash of the total BTC output plus a blinding key. In a regular BTC transaction, this is where the normal BTC output would go.
Finally, the ecdh nonce is the key to unlocking the whole Confidential Transaction. It is used to communicate encrypted data to the receiver of the transaction so they can learn the BTC transaction output and blinding factor of the Confidential Transaction.
How does it work?
Let’s pretend Alice has 2 BTC in her address wants to send Bob 1 BTC.
Alice takes Bob’s Bitcoin address, creates a blinding key, and hashes the two together. This creates a Confidential Address. Although this gets recorded on the public ledger, no one knows that the CTA is tied to Bob’s BTC address except for Alice and Bob.
Here is an example of a Confidential Address:
CTEwQjyErENrxo8dSQ6pq5atss7Ym9S7P6GGK4PiGAgQRgoh1iPUkLQ168Kqptfnwmpxr2Bf7ipQsagi (Courtesy of Elements Project)
Next Alice creates the Confidential Transaction. She takes the same blinding key and the 1 BTC output and creates a Pedersen commitment. This hides the amount of BTC Alice is sending to Bob. But both Bob and Alice can view the amount because they have the public blinding key. Alice has it because she created the blinding key. Bob can derive it with the private key of his BTC address.
Alice then creates a scriptPubKey with the CTA she created with Bob’s BTC address under a mathematical condition that the 1 BTC can be spent if he can prove ownership of the address’ private key with a signature.
The transaction is then broadcast and recorded on the public ledger.
Maintaining 0 balance sums
One key principle in Bitcoin is that addresses must maintain a 0 balance sum. This means that the number of Bitcoins that get sent to an address must match the number of Bitcoins that leave the address.
But because Confidential Transactions obfuscates amounts, it creates two problems:
- The traditional way mining fees are calculated through subtraction is no longer possible.
- The network can not determined if the output from an address matches the input in order to maintains a 0 balance sum.
The first problem can be easily resolved by sharing the mining fee publicly.
The second problem is bit more complicated, but can be solved through something called Pedersen commitments.
Pedersen commitments have a unique mathematical property in that it is homomorphic. A homomorphism is a structure preserving map between two algebraic structures. This is perfect for cryptography because you can hash data and use basic algebra, like addition, to verify the data “behind” the hash. In other words, you can convey information without revealing the data itself. Here’s an extremely example of what I mean:
Let’s say this is our basic algebraic structure and that we are “hashing” the values by multiplying by 2.
(a + b)2 = a*2 + b*2
Now let’s have a=1 and b=3.
(1+3)2 = 1*2 + 3*2
(4)2 = 2+6
If you replaced the value “a” on the left side of the equation with a different number such as 4, the algebraic structure would no longer be true:
(a + b)2 = a*2 + b*2
(4 + 3)2 ≠ 1*2 + 3*2
This homomorphic property of Pedersen commitments is what Confidential Transactions use to ensure that Bitcoin addresses maintain a 0 balance sum.
Let’s now apply this concept to Alice sending Bob 1 BTC. For simplicity’s sake, we will not factor in mining fees.
Alice has a Pedersen commitment of 2 BTC for her Confidential Transaction Address. When Alice sends Bob 1 BTC, she uses a specified mathematical formula to create a hash. She then uses the same formula to send 1 BTC to a change addresses. The two hashes are added together to see if it equals the 2 BTC Pedersen commitment of Alice’s address. If it does, then it becomes a valid Confidential Transaction.
Confidential Transactions can be a powerful tool to increase privacy on the public blockchain. By using blinding keys, BTC addresses and amounts are obfuscated thereby increasing its fungibility. However, blinding keys can also be used for auditing. That means either the sender or the receiver can hand over the blinding key to a third party for auditing purposes.
*A special thank you to all the people in the #bitcoin-wizards channel on IRC for their comments and review of the paper (maaku, waxwing, and sipa).