Confidential transactions

Confidential Transactions

Among the numerous technological advancements of cryptocurrency, nothing has quite captured the interest of the users as much as the promise of truly private payments. However, cryptocurrencies have always been pseudonymous by nature which mean users use a pseudonym instead of their real identity. Using that, all the transactions and account balance can be tracked down for an address and not the owner. Unless you declare the ownership of an address, no one can know how much you own. Transacting without declaring the ownership of an address is a challenge and was not possible just yet.

The latest development in cryptocurrency has given birth to an algorithm which can provide us the benefits of truly private payments. It is a solution that can restrict anyone from associating the transaction amount to an address. Now, the Lite Coin Core developers have also indicated the enthusiasm about the same upgrade, which is known as 'Confidential Transactions'.

The problem is this “How can we hide the data (addresses and amount being transferred) while still maintaining consensus and security?”. That’s where confidential transaction comes in. The Confidential transaction is much awaited and one of the most important solutions to be implemented in the Blockchains.

Gregory Maxwell, the founder and CTO of Blockstream has said that “All the transaction data must be conspicuously public so it can be verified, which is at odds with the normal expectation of privacy for the traditional monetary instrument.” Privacy is essential for both commercial and personal use. In the current model of cryptocurrency which is based on public consensus. the privacy is lacking. In the absences of which, the bad actors might target some accounts selectively for attacks or hacking.

The concept of ‘confidential transactions’ was first described in 2013 by Adam Back (CEO and creator of Hashcash) -- In Back’s post on Bitcoin Talk Forum entitled “Bitcoin with homomorphic Value (validatable but encrypted)”. While inefficient, it worked and laid a foundation for the solution. After a few years, the idea was picked up by aforementioned Bitcoin Developer Gregory Maxwell. Maxwell went on to improve and expand the original proposal in his own writings for BlockStream’s Elements project entitled “Confidential Transactions -- Investigation”. Further came a paper that was co-written by BlockStream’s Team for a financial cryptography event entitled “Confidential Assets”.

However, despite these advancements in the technical implementation, it has yet to make its way into Bitcoin.

How does Confidential Transaction work?

With the current method laid out, it proposes a change to the 8-byte output value in a transaction. An eight-byte value which declares the value being sent is replaced with a new 33-byte commitment and acts effectively just like the hash of that value. Hashing is where we convert a value into text by using a non-reversible mathematical function.


Value (8 bytes) in the List of output is replaced with a 33-Byte Commitment


New template with 33-Byte Commitment

It would also mean, only those who are involved would know the actual value of this output that the hash represents. This change would in-turn add around an additional 1400 line of code in the Blockchain’s software.

But the impressive part is how the mathematics of the hashes work. The network still needs to know that you are not attempting to send a value that you don’t actually have or bring new coins into existence. These commitments contain a special property by where they preserve addition. In essence, this means if we take the hash value of one output and add it to the hash value of another, we will get the hash of their sum (aka, the total amount being transacted). This is confidential Transactions in a nutshell. The network participants can verify that the transaction inputs and outputs remain consistent whilst obfuscating the actual amount being transferred from public view.


Transactions and the sum total

The hash value of their sum is the same as the sum of hashes of each individual transaction.


Note: Hash values are not correct. Used only for explanation.

As of all things that sound good, there are trade-offs. The first trade-off in Confidential Transactions is the increase in size. These transactions are twice as long versus the standard transactions as they require an additional public key to encrypt a message that is sent to the receiver. The message declares how much amount is being paid.

Using Confidential Transaction we could also expect a roughly 66% increase in the size of the unspent transaction's output, because of the 33-Byte commitment. Along with that, there is a 15-20 times increase in bandwidth requirement and a 30-60x increase in validation cost.

It’s not all terrible though, Confidential Transactions can be implemented in a soft-fork, meaning no chain splits. Additionally, it is also prunable which implies that all the extra data doesn’t need to be stored on a chain after a point. It is also possible to make it around 20% more efficient according to the previously mentioned paper presented by BlockStream at financial cryptography.

With the introduction of Bulletproof, a better Zero-knowledge proof (a method where one person could prove to everybody else that they know this hidden value without disclosing it) further improvement to the performance can be made. The improvements will include reducing the transaction size from originally around 20 times to about three times that of a standard transaction. While these figures sound drastic, however, they would potentially cause issues on nodes running on the lower end hardware and everything else would likely remain unaffected.

Unfortunately, those are not the only drawbacks as complexity is often the enemy of security and these additional fourteen hundred lines of code could have an adverse effect when put into practice. To try and mitigate this, the Blocksteam’s Elements project has operated working versions of Confidential Transactions as a side-chain for testing purposes. Yet, even this has issues with the amount being disclosed under certain situations.

If an attacker manages to break the computational binding property of a commitment, he can create money out of thin air, jeopardizing the security of the entire currency. The obvious solution is to use statistically or perfectly binding commitment schemes but they come with performance drawbacks due to the need for less efficient range proofs. These are a form of commitment validation that allows anyone to verify that a commitment represents an amount within a specified range, without revealing anything else about its value (known as the secret value).

In the meantime, Tim Ruffing and Guilio Mallavolta created something called ‘Switched Commitments’. As the name suggests, these allow the switching of the existing commitments from computational bindingness to statistical bindingness if doubts in the underlying hardness assumptions arise. In this case, there are two different commitments: Edison and El Gamal. Edison is very efficient due to bulletproofs and is perfectly hidden and computationally binding. This roughly translates to the fact that it’ll hide the amount but the network inflation could occur if the aforementioned quantum range proofs are not ready in time.

Whereas, on the other hand, El Gamal are very efficient and are much larger in comparison. However, we’ve switched commitments that can be hashed, meaning they take far less space. They are also opposite, computationally hidden but perfectly binding. So we know no new coins can be printed using them but transaction amounts will be displayed if quantum computing breaks.

El-Gamal is effectively the safety net, if quantum range proofs are not ready in time, we can switch to them and ensure that the soundness of a network is not jeopardized. However, this brings the technology back at square one. Fortunately, the commitments are compatible with each other so coins which have used Edison are redeemable under El-Gamal and transactions that had been hidden will remain hidden if the switch has to be made.

It is theoretically impossible to have a coin which is both perfectly binding and hidden. That is why switch commitments are a safer route to go.

Assuming that Confidential Transactions are a success, businesses would effectively operate, and individuals wouldn’t need to disclose the amount of coins owned by them at every transaction. Despite many regulatory concerns, Confidential Transactions do not stop the tracking of illicit coins.

As exciting as it seems, Confidential Transactions may not be yet production-ready. The Lite Coins core developer led by Edwin Gallagher has now begun setup step to implement confidential transactions into Litecoin. As of now, the Confidential Transactions are fully implemented in a cryptocurrency called Monera. These upgrades will come to the other mainstream cryptocurrencies too, but surely on the sidechains. The prunability and the advantage of running it on sidechains are two features reducing the risk in implementing these solutions.