Greater Privacy with Confidential Transactions

Matt ฿
ChainRift Research
Jan 31, 2019

I’ll save you the whole ‘Bitcoin isn’t technically anonymous’ introduction given that we’ve covered it ad nauseam in previous pieces (check out this one on fungibility).

The bottom line is that the nature of the blockchain is such that anyone can view any transaction occurring on-chain – and even if chain analytics aren’t very effective today, they’ve still got plenty of time to mature against a permanent record. That’s immutability for you.

To dupe the spies and to ensure the longevity of Bitcoin, stronger privacy measures are needed. Many solutions being explored nowadays do not require any changes to the protocol in itself – consider CoinJoin implementations like Wasabi Wallet, for instance.

Today, we’ll take a brief look at Confidential Transactions, a privacy-enhancing feature that can be forked in.

Much of the focus when it comes to adding privacy to Bitcoin is currently centred around ‘breaking the chain’ – that is to say, making it difficult to link transactions together.

Confidential Transactions (CTs, the general idea of which was proposed by Adam Back on BitcoinTalk in 2013) instead aim to make the content of a transaction private – as Greg Maxwell explains in a 2017 talk, the amounts transacted are often more valuable to spies: if you wanted to spend 500 sats on a coffee but broke up a 1 BTC UTXO to do so, the barista would now know that you owned at least 0.999995 BTC (which could be problematic for your security if coins hit new highs in dollar value).

With CTs, both the receiver’s address and the amount transferred are hidden from any observers, in such a way that only parties to the transaction (and those they share it with) are aware of the value sent/received. For this to work, a cryptographic technique known as a Pedersen commitment is used.

I’m not a cryptographer, and it would be a waste of everyone’s time for me to try to explain how they work. I’d recommend this outstanding primer by ecurrencyhodler, or Maxwell’s initial investigation. Suffice it to say, a Pedersen commitment functions similarly to a regular commitment scheme, but allows for some mathematical manipulation that enables the verification of data without it being divulged.

Why is this important? Remember that, in order to work, the Bitcoin ledger needs to be balanced (inputs need to match outputs). That’s straightforward enough when every transaction is made public and nodes can verify it. Given that the purpose of Confidential Transactions is to redact amounts from the blockchain, however, a more creative approach is needed (the Pedersen commitments, paired with a few other tools) to ensure no one’s playing central bank and secretly printing off more money.
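To make the two ideas above concrete (a commitment that hides the amount, and a balance check that works on hidden amounts), here is an added worked example in Python; it is not code from the article or from any Bitcoin implementation. It uses a constructed toy group (a 10-bit safe prime, so it is not secure and the amounts are tiny) in place of the secp256k1 curve that real Confidential Transactions use; the algebra is the same. The second generator H is hash-derived so that nobody knows its discrete log relative to G, which is what makes the commitment binding. The last function shows why commitments alone are not the whole story: values are exponents in a finite group, so an oversized output paired with a “negative” one still balances, and that is the gap the other tools in Maxwell’s design (range proofs) close.

```python
import hashlib
import secrets

# Constructed toy group for illustration only: p = 2q + 1 with q prime, so the
# quadratic residues mod p form a subgroup of prime order q. Real Confidential
# Transactions commit to points on secp256k1; the algebra below is identical.
P = 1019
Q = 509  # order of the subgroup; amounts and blinding factors live mod Q


def derive_generators(labels):
    """Derive distinct subgroup generators from labels by hashing and squaring.

    Squaring maps a random residue into the order-Q subgroup. Because H is
    hash-derived, nobody knows log_G(H); that is what makes commitments binding.
    """
    gens = []
    counter = 0
    for label in labels:
        while True:
            digest = hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
            counter += 1
            g = pow(int.from_bytes(digest, "big") % P, 2, P)
            if g > 1 and g not in gens:
                gens.append(g)
                break
    return gens


G, H = derive_generators([b"pedersen-G", b"pedersen-H"])


def commit(value, blind):
    """Pedersen commitment C = G^value * H^blind (mod P). The blinding factor
    hides the value; without it, equal amounts would produce equal commitments."""
    return (pow(G, value % Q, P) * pow(H, blind % Q, P)) % P


def opens_to(c, value, blind):
    """Anyone handed the opening (value, blind) can check it against C."""
    return c == commit(value, blind)


def balances(input_commits, output_commits):
    """Verifier-side check. Multiplying commitments adds the hidden values, so
    prod(inputs) == prod(outputs) holds exactly when the values (and the
    blinding factors) sum to the same total mod Q. No amount is revealed."""
    lhs = rhs = 1
    for c in input_commits:
        lhs = lhs * c % P
    for c in output_commits:
        rhs = rhs * c % P
    return lhs == rhs


def build_outputs(input_value, input_blind, output_values):
    """Wallet side: random blinding factors for every output but the last; the
    last is chosen so the output blinds sum to the input blind (mod Q)."""
    assert sum(output_values) == input_value, "outputs must spend exactly the input"
    blinds = [secrets.randbelow(Q) for _ in output_values[:-1]]
    blinds.append((input_blind - sum(blinds)) % Q)
    return [(v, r, commit(v, r)) for v, r in zip(output_values, blinds)]


def coffee_example():
    """Spend a 400-unit input as 5 to the merchant plus 395 change (constructed
    amounts). Returns (honest_balances, inflated_balances)."""
    in_blind = secrets.randbelow(Q)
    in_commit = commit(400, in_blind)
    outs = build_outputs(400, in_blind, [5, 395])
    out_commits = [c for _, _, c in outs]
    honest = balances([in_commit], out_commits)
    # Same blinding factors, but the merchant output bumped to 6: outputs now
    # total 401 against a 400 input, and the node rejects it without seeing any amount.
    inflated = balances([in_commit], [commit(6, outs[0][1]), out_commits[1]])
    return honest, inflated


def inflation_without_range_proof():
    """Why commitments alone are not enough: values are exponents mod Q, so a
    'negative' output cancels an oversized one and the sums still balance.
    Range proofs exist to rule this out without revealing the amounts."""
    in_blind = secrets.randbelow(Q)
    in_commit = commit(400, in_blind)
    outs = build_outputs(400, in_blind, [1000, -600])  # 1000 - 600 == 400
    return balances([in_commit], [c for _, _, c in outs])


if __name__ == "__main__":
    print("honest/inflated:", coffee_example())
    print("balances despite a 1000-unit output from a 400-unit input:",
          inflation_without_range_proof())
```

The verifier in `balances` never sees a value or a blinding factor; it only multiplies group elements, which is exactly what lets a node enforce “inputs equal outputs” on redacted amounts. The wallet’s job in `build_outputs` is to make the blinding factors cancel; fees in the real scheme are carried as an explicit, unblinded amount and folded into the same sum.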

Feasible?

Certainly. It’s been done on altcoins already (Beam, Grin, Monero) – and according to a recent tweet by Charlie Lee, Litecoin may see it integrated within the year. Blockstream’s Elements platform has supported Confidential Transactions since 2015, as does Blockstream’s recently launched Liquid sidechain.

As it stands now, the size of a Confidential Transaction is roughly 3x the size of a regular one, addresses are twice as large and validation cost spikes by 30x-60x (according to Maxwell in his aforementioned talk), which may push lower-end hardware into retirement.

Pushing a CT upgrade to Bitcoin with a hard fork might prove difficult, though it’s thought that the tech could be integrated with a soft fork (or as Peter Todd suggests, a ‘pseudo soft fork’). You’d need consensus, but most generally seem to be in favour of the addition of Confidential Transactions alongside other privacy enhancements.

Cover art by the author.
