Confidential Transactions (CT) are a cryptographic protocol that allows you to conceal the recipient’s address and the actual amount of money at transaction inputs and outputs from third parties. How does it function? Is this legal? We are available to answer your questions!
Confidential transactions, on the other hand, allow everyone to verify that the sum of all outputs does not exceed the sum of all inputs, which is sufficient to validate the transaction.
Adam Backthe creator of Hashcash and co-founder of the Blockstream company, introduced the first version of the concept, termed “bitcoins with homomorphic value,” in 2013.
The technology was first implemented in Blockstream’s Elements sidechain in 2015.
The concept was further developed by Gregory Maxwella Bitcoin Core developer.
Bitcoin, as we all know, does not provide complete privacy. Because the blockchain is public, you can track users’ funds’ movements and determine who is making these transactions.
Bitcoin cannot be completely fungible due to the lack of privacy, which also reduces its resistance to censorship. Exchanges and other services, for example, can block users’ profiles because bitcoins were previously used for illegal purposes, even if the current owner is unaware of this fact. These issues may be addressed by confidential transaction technology.
The technology implements new address and transaction formats. The format transaction consists of a scriptPubKey, a Pedersen commitment scheme, and a random ECDH (Diffie-Hellman’s elliptic-curve) code.
The script PubKey contains the address of a confidential transaction (CTA) and a mathematical condition that states that bitcoin can only be spent if the address’s private key ownership is confirmed by a signature.
A confidential transaction’s address is a hash of a blinding key combined with a regular bitcoin address.
The blinding key’s function is to conceal the bitcoin address and transaction amount in the public registry. Furthermore, having access to the blinding key allows you to see the bitcoin address and amount in a confidential transaction.
Pedersen’s commitment scheme consists of a hash of all bitcoin output plus a blinding key.
The ECDH code is a key that allows you to reveal the entire private transaction. It is used to send encrypted data to the transaction’s recipient, who learns the outcome of the bitcoin transaction as well as the blinding factor of the confidential transaction.
An example of how confidential transactions work:
Alice’s wallet contains two bitcoins, one of which she wishes to send to Bob.
Alice generates a blinding key and combines it with a single hash after receiving Bob’s address. So, there is a confidential address. Although it is recorded in the public registry, no one knows except Alice and Bob that the confidential transaction’s address is associated with Bob’s address.
An example of a confidential address:
CTEwQjyErENrxo8dSQ6pq5atss7Ym9S7P6GGK4PiGAgQRgoh1iPUkLQ168Kqptfnwmpxr2Bf7ipQsagi
Then Alice creates a confidential transaction. She generates a Pedersen commitment with the same blinding key and the output of one bitcoin. The amount Alice sends Bob is thus hidden, but both of them can see it because they both have a public blinding key. Alice has it because she created a blinding key, and Bob can withdraw it using his bitcoin address’s private key.
Alice then creates a scriptPubKey with the address of a confidential transaction she created with Bob’s bitcoin address, with a mathematical condition requiring Bob to confirm ownership of the address’s private key with a signature.
The transaction is then recorded in the public registry.
One of the fundamental principles of bitcoin is that addresses should have a zero balance — the number of bitcoins arriving at the address should equal the number of bitcoins leaving the address.
However, because confidential transactions conceal the amounts, two issues arise:
- Using the traditional method of calculating transaction fees by subtraction is impossible.
- The network is unable to determine whether the address’s output corresponds to the input, making it impossible to maintain a zero balance.
The first problem is easily solved by making transaction fees public.
Pederson’s commitment scheme is the solution to the second problem.
The commitment concept developed by Pedersen has the unique mathematical property of homomorphicity. A homomorphism is a structure that preserves an image between two algebraic structures. This solution is useful for cryptography because it enables you to cache data and verify the data behind the hash using basic algebraic operations like addition. In other words, data can be transmitted without revealing the data itself.
Example:
Let’s take a simple algebraic structure and “hash” the values by multiplying by 2.
(a + b)2 = a*2 + b*2
Let’s assume that a=1, а b=3.
(1+3)2 = 1*2 + 3*2
(4)2 = 2+6
If you replace the value “a” on the left side of the equation with another number, for example, 4, the algebraic structure will no longer be true:
(a + b)2 = a*2 + b*2
(4 + 3)2 ≠ 1*2 + 3*2
Confidential transactions ensure the preservation of a zero balance of bitcoin addresses due to the homomorphic property of Pederson’s obligations.
Let’s put this into practice by having Alice send Bob one bitcoin. To put it simply, transaction fees are not taken into account.
For her confidential transaction, Alice has Pederson’s commitment of two bitcoins. When Alice sends Bob one bitcoin, she creates a hash using a specific mathematical formula. The same mathematical formula is then used to send one bitcoin to the exchange address. We multiply two hashes to see if the result is the same as Pedersen’s commitment of Alice’s address in relation to two bitcoins. If the result is the same, the hash is considered a valid confidential transaction.
The protocol allows you to increase bitcoin’s privacy. Blinding keys mask bitcoin addresses and amounts, increasing the fungibility of bitcoin.
Blinding keys can also be used for auditing: the payment’s sender or recipient can transfer the blinding key to a third party for auditing purposes.
Confidential transaction technology is used in Blockstream’s commercial sidechain Liquid. Liquid users can use the technology to ensure that the amounts received do not exceed the amounts sent.
It means that funds can move between exchanges with no one knowing the exact amounts involved. Competitors will not be able to see what amounts are stored on exchanges, and traders will be unable to use such information when trading, as they frequently do today: the public nature of the blockchain allows those with information about an upcoming major operation to conclude a deal to profit from price changes.
Ring confidential transactions (Ring CT), a variant of confidential transactions, are used in the Monero cryptocurrency. Modifications to the technology are also used in the Bitshares cryptocurrency and the MimbleWimble protocol, which underpins the Grin and Beam cryptocurrencies.
The main bitcoin protocol can also support confidential transactions. There are several ideas on how to do this using backward-compatible software, but such upgrades will still have a negative impact on scalability and are most likely still a long way off.
Confidential Assets technology extends the functionality of confidential transactions by allowing you to see the sender and recipient of the transaction in the blockchain while concealing which asset is being moved — bitcoin, gold, securities, or something else.
The technology of confidential assets was invented by Blackstream developers Andrew Poelstra, Adam Back, Mark Friedenbach, Gregory Maxwell, and Pieter Wuille.
White paper Confidential Assets was published on the Blockstream website on April 3, 2017. The company announced Confidential Assets as a new option for the sidechain technology of Sidechain Elements
Confidential transaction technology uses Pedersen’s commitment, which replaces the initial transaction amount in the blockchain:
commitment = xG + a(H + rG)
a is the transaction amount, G and H are elliptic curve generators. G is a constant. H represents the asset type and takes different values for different confidential assets. X and r are the blinding factors.
They are set to different random values in each UTXO (unspent transaction output) in order to hide the transaction amount and asset type.
This model allows you to check the balance of the asset’s entry and exit amounts in each transaction. At the same time, the verifier is aware of the obligations but is unaware of the transaction amount or asset type.
The sender sends the data on the transaction amount and asset type to the recipient in encrypted form, either on-chain or off-chain in p2p format so that the data is only known to the two parties to the transaction.
In the transaction of issuing assets, transferring them, and destroying them, it is also necessary to use ZKP (Zero-Knowledge Proof) processes to prove that the amount and asset type have an acceptable value, without disclosing the value itself. The proof for the asset type is called Surjection Proof.
The technology can only be implemented in a new blockchain or via a hard fork of an existing blockchain.
Because smart contracts cannot be added to this solution, it is impossible to customize the logic of confidential assets or create on-chain applications based on them. Developers can only use schemes like Scriptless Script to implement simple logic.
This issue is being addressed by AZTEC, Zether, Anonymous Zether, PGC, Nightfall, and others. Existing blockchain solutions for confidential transactions (zk-SNARK, MimbleWimble, etc.) are implemented using smart contracts in all of these protocols. This model has the following features:
- Programmability: smart contracts modify the logic of the issue, destruction, transfer, and exchange of an asset, expanding the set of functions and attributes of confidential assets.
- Interoperability: assets confidential can interact with other contracts (tokens, auctions, votes), allowing for more diverse applications.
In terms of tracking the updates, subscribe to our Medium feed. Stay tuned!
You can also try your hand at working with cryptocurrency on our platform Sunflower Corporation.
The Elements project applies confidential asset technology to the bitcoin network.
The transaction process in bitcoin-based systems is not interactive, which means that the recipient of the transaction does not need to be online to complete the transaction. The transactional process is interactive in MimbleWimble-based system implementations.
Unlike in MimbleWimble-based systems, the addresses of both parties are not hidden in the implementations of confidential assets in bitcoin-based systems.
The technology can also be implemented in systems based on the MimbleWimble: Grin and Beam protocol. Beam developers implemented this feature as part of the Eager Electron 5.0 hard fork in June 2020.
New to trading? Try crypto trading bots or copy trading
