1. What are Confidential Transactions?
Confidential Transactions (CT) is a cryptographic protocol that allows you to hide the recipient’s address and the actual amounts of transaction inputs and outputs from third parties. In doing so, it allows everyone to verify that the sum of all outputs does not exceed the sum of all inputs, which is enough to validate the transaction.
2. Who invented confidential transaction technology and when?
The first version of the concept called “bitcoins with homomorphic value” was proposed in 2013 by Hashcash inventor and Blockstream co-founder Adam Back.
In 2015, the technology was first implemented in the Blockstream-developed Elements sidechain.
The concept was further developed by Bitcoin Core developer Gregory Maxwell.
3. Why do we need confidential transactions?
As we know, bitcoin does not provide complete privacy. Because the blockchain is public, transaction analysis tools can not only track users’ movements of funds, but also determine who makes those transactions.
The lack of privacy prevents bitcoin from being fully interchangeable and reduces its resistance to censorship. For example, exchanges and other services can block user accounts because bitcoins may have previously been used for illegal purposes, although the current owner may not know about it. Confidential transaction technology potentially solves these problems.
4. How does confidential transaction technology work?
The technology implements new address and transaction formats. The transaction format consists of a scriptPubKey, a Pedersen commitment and a random ECDH (elliptic-curve Diffie-Hellman) code.
ScriptPubKey contains a Confidential Transaction Address (CTA) and a mathematical condition that bitcoin can only be spent if ownership of the address’s private key is confirmed by a signature.
The Confidential Transaction Address is the hash of the blinding key plus the regular bitcoin address.
The function of the blinding key is to hide the bitcoin address and transaction amount in the public registry. In addition, access to the blinding key makes it possible to see the bitcoin address and amount in a confidential transaction.
Pedersen’s commitment scheme is the hash of the entire bitcoin output plus the blinding key.
The ECDH code is a key that allows the entire confidential transaction to be exposed. It is used to transmit encrypted data to the recipient of the transaction, who recognizes the bitcoin transaction’s output and the blinding factor of the confidential transaction.
An example of how confidential transactions work.
Alice has two bitcoins in her wallet, one of which she wants to send to Bob.
After getting Bob’s address, Alice creates a blinding key and combines the two in a single hash. This creates a confidential address. Although it is recorded in the public registry, nobody but Alice and Bob knows that the confidential transaction address is related to Bob’s address.
An example of a confidential address:
Alice then creates a confidential transaction. Using the same blinding key and the output of one bitcoin, she creates a Pedersen commitment. Because of this, the amount Alice sends to Bob is hidden, but they can both see it because they both have a public blinding key. Alice has it because she created the blinding key, and Bob can deduce it with the private key of his bitcoin address.
Alice then creates a scriptPubKey with the confidential transaction address she created with Bob’s bitcoin address, with the mathematical condition that one bitcoin can be spent if Bob manages to confirm with his signature the possession of the address private key.
The transaction is then recorded in a public ledger.
4. How does the technology solve the problem of maintaining a zero balance?
One of the key principles in bitcoin is that addresses must maintain a zero balance – the amount of bitcoins entering the address must match the amount of bitcoins leaving the address.
But because confidential transactions mask the amounts, two problems arise:
- It becomes impossible to use the traditional way of calculating transaction fees – through subtraction.
- The network cannot determine whether the exit from the address matches the entry, making it impossible to maintain a zero balance.
The first problem can easily be solved by keeping transaction fees visible (unblinded).
The solution to the second problem is Pedersen’s commitment scheme.
Pedersen’s commitment has the useful mathematical property of homomorphism. A homomorphism is a structure-preserving map between two algebraic structures. This is valuable in cryptography because it allows you to “hash” data and then, using elementary algebraic operations such as addition, verify relations between the hidden values without seeing them. In other words, it is possible to check information without revealing the data itself.
Take a simple algebraic structure and “hash” the values by multiplying by 2. Multiplication distributes over addition:
(a + b) × 2 = a × 2 + b × 2
Assume that a = 1 and b = 3.
(1 + 3) × 2 = 1 × 2 + 3 × 2
4 × 2 = 2 + 6
8 = 8
If you replace the value of “a” on the left side only with another number, such as 4, the equation no longer holds:
(a + b) × 2 = a × 2 + b × 2
(4 + 3) × 2 ≠ 1 × 2 + 3 × 2
By means of the homomorphic property of Pedersen’s commitment, confidential transactions ensure that bitcoin addresses remain zero-balanced.
Now let us apply this concept to Alice sending Bob one bitcoin. For simplicity, transaction fees are ignored.
Alice’s input carries a Pedersen commitment to two bitcoins. To send Bob one bitcoin, she creates a commitment to that amount with the same formula, and a second commitment to the one bitcoin returned to her own change address. The network adds the two output commitments and checks whether the sum equals the two-bitcoin commitment on Alice’s input. If they are equal, the confidential transaction is valid.
6. What are the benefits of confidential transactions?
The protocol allows for greater bitcoin privacy. Blinding keys mask bitcoin addresses and amounts, making bitcoin more interchangeable.
Blinding keys can also be used for auditing: the sender or recipient of a payment can give the blinding key to a third party for auditing purposes.
7. What are the disadvantages of confidential transactions?
Although confidential transaction technology allows transaction amounts to be hidden, observers can see the sender’s address and the recipient’s address.
There is a potential solution to this problem. It is possible to lay a false trail by sending zero-amount outputs to multiple addresses, hiding which address actually received the bitcoins.
In addition, confidential transaction technology can be used in conjunction with CoinJoin technology, which combines transaction outputs into one large transaction, hiding connections between users from outside observers.
Another disadvantage of the technology is that it only hides the amount for a particular transaction. This is of little use if a subsequent transaction is not confidential: using the data from that later transaction, it is possible to retroactively calculate the amount of bitcoins in the confidential one.
For example, if Alice sends an unknown number of bitcoins to Bob, and Bob, in turn, sends five bitcoins to Carol and two to himself as change, it can be understood that Alice sent Bob seven bitcoins.
Confidential transactions are quite effective only if the technology is widely applied.
- The data volume of a confidential transaction is about 20 times that of a normal transaction, which increases the computational load three times. Therefore, the price of a confidential transaction will be significantly higher than the price of a normal transaction, which narrows the range of potential users.
- The size of a confidential transaction conflicts with either scalability (the network will be able to handle fewer transactions) or decentralization (the number of users able to manage a full node and verify all transactions will be reduced), or both.
- It is unclear whether all users would agree to make bitcoin more private and interchangeable. The lack of consensus could make it even more difficult to deploy the soft forks needed to implement the technology.
8. Where is confidential transaction technology used?
Confidential transaction technology is used in Liquid, a commercial sidechain developed by Blockstream. The technology allows Liquid users to verify that amounts received do not exceed amounts sent.
In the context of Liquid, this means, among other things, that funds can move between exchanges without anyone knowing exactly what amounts are involved. Competitors will not know what amounts are stored on exchanges, and traders will not be able to trade on that information, as they often do today: the public nature of the blockchain allows those who learn of an upcoming large transaction to take a position ahead of it and profit from the price change.
A modification of confidential transactions, Ring Confidential Transactions (Ring CT), is used in the cryptocurrency Monero. Variants of the technology are also used in the cryptocurrency Bitshares and in the MimbleWimble protocol, on which the Grin and Beam cryptocurrencies operate.
Confidential transactions could also be implemented in the main bitcoin protocol. There are already some ideas on how to accomplish this through backward-compatible soft forks, but such upgrades would still have a negative effect on scalability and are likely still far from reality.
9. What is Confidential Assets technology?
Confidential Assets technology extends the functionality of confidential transactions: it allows you to see in the blockchain the sender and recipient of a transaction, but hides exactly what asset is being moved – bitcoin, gold, securities or something else.
10. Who invented Confidential Assets technology and when?
Confidential Assets technology was invented by Blockstream developers Andrew Poelstra, Adam Back, Mark Friedenbach, Gregory Maxwell, and Pieter Wuille.
The Confidential Assets white paper was published on Blockstream’s website on April 3, 2017. The company announced Confidential Assets as a new option for Sidechain Elements technology.
11. How does Confidential Assets technology work?
Confidential Assets technology builds on the Pedersen commitment used by confidential transactions, which replaces the plaintext transaction amount in the blockchain:
commitment = xG + a(H + rG)
where a is the transaction amount and G and H are elliptic-curve generators. G is a constant; H represents the asset type and takes a different value for each confidential asset. x and r are blinding factors.
They are set to different random values in each UTXO (unspent transaction output) in order to hide the transaction amount and asset type.
Such a model allows the balance of input and output amounts to be verified for each asset in every transaction. The verifier sees the commitment but learns neither the transaction amount nor the asset type.
The sender sends the transaction amount and asset type to the recipient in encrypted form, either on-chain or off-chain over a peer-to-peer channel, so that the data is known only to the two parties to the transaction.
Asset issuance, transfer and destruction also require zero-knowledge proofs (ZKPs) to show that the transaction amount and asset type have acceptable values without revealing the values themselves. The proof for the asset type is called a surjection proof.
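The balance check described in sections 5 and 11, carried through in code. This is an added example, not Elements’ or Blockstream’s code: it implements secp256k1 arithmetic in plain Python, derives a second generator H, checks that Alice’s one-bitcoin payment to Bob balances while a tampered amount does not, and applies the xG + a(H + rG) form from section 11 in asset_commit. The curve constants are secp256k1’s; the blinding values are constructed sample numbers, and the H derivation is a simple illustrative nothing-up-my-sleeve construction rather than the one Elements uses.

```python
import hashlib
from functools import reduce

P = 2**256 - 2**32 - 977  # secp256k1 field prime (the curve Bitcoin and Elements use)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add scalar multiplication, k taken mod N
    r, k = None, k % N
    while k:
        if k & 1:
            r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

# H: illustrative second generator with unknown log_G(H), built nothing-up-my-sleeve by
# hashing G's x and lifting it onto y^2 = x^3 + 7. If log_G(H) were known, a committer
# could open one commitment to two different amounts, so the scheme would not bind.
_x = int.from_bytes(hashlib.sha256(G[0].to_bytes(32, "big")).digest(), "big") % P
while pow((_x**3 + 7) % P, (P + 1) // 4, P) ** 2 % P != (_x**3 + 7) % P:  # P % 4 == 3
    _x += 1
H = (_x, pow((_x**3 + 7) % P, (P + 1) // 4, P))

def commit(x, a):  # Pedersen commitment xG + aH: x blinds, a is the amount
    return add(mul(x, G), mul(a, H))

def asset_commit(x, a, r):  # Confidential Assets form xG + a(H + rG) == (x + a*r)G + aH
    return commit(x + a * r, a)

def balances(in_commits, out_commits):
    # Verifier's check: both sides sum to the same point iff amounts balance and blinding cancels.
    return reduce(add, in_commits, None) == reduce(add, out_commits, None)

def alice_pays_bob(x_in=11111, x_bob=22222):
    # Alice's 2 BTC input -> Bob 1 BTC + 1 BTC change; x_change makes the blinding factors cancel.
    x_change = (x_in - x_bob) % N
    inputs, honest = [commit(x_in, 2)], [commit(x_bob, 1), commit(x_change, 1)]
    inflated = [commit(x_bob, 4), commit(x_change, 1)]  # Bob's amount altered to 4
    return balances(inputs, honest), balances(inputs, inflated)
```

Without the zero-knowledge range proofs mentioned above, an output committing to a “negative” amount (a value wrapping around mod N) would still pass this sum check, which is why the commitment is always paired with a range proof.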
12. What are the disadvantages of confidential asset technology?
The technology can only be implemented in a new blockchain or through a hard fork of an existing blockchain.
Smart contracts cannot be added to this solution, so it is not possible to customize the logic of confidential assets or create on-chain applications based on them. Developers can only implement some simple logic through a scheme such as Scriptless Script.
AZTEC, Zether, Anonymous Zether, PGC, Nightfall and other technologies solve this problem. In all of these protocols, existing blockchain solutions for confidential transactions (zk-SNARK, MimbleWimble, etc.) are implemented using smart contracts. Such a model provides the following properties:
- Programmability: smart contracts modify the logic of asset issuance, destruction, transfer, and exchange, extending the set of functions and attributes of confidential assets.
- Interoperability: confidential assets can interact with other contracts (tokens, auctions, votes), enabling a wider range of applications.
13. Where is Confidential Assets technology applied?
The Elements project applies confidential asset technology to the bitcoin network.
In implementations in bitcoin-based systems, the transaction process is not interactive, that is, the recipient of the transaction does not need to be online to make the transaction. In implementations in MimbleWimble-based systems, the transaction process is interactive.
In the implementation of confidential assets in bitcoin-based systems, the addresses of both parties are not hidden, unlike in MimbleWimble-based systems.
The technology can also be implemented in systems based on the MimbleWimble protocol – Grin and Beam. The developers of Beam implemented this feature as part of the Eager Electron 5.0 hard fork in June 2020.