Introduction

Transparency is key to the normal operation of a blockchain. Transparency means that every node in the network can store a copy of the ledger and has the right to verify whether any rules have been violated. In many distributed ledgers, anyone can open a block explorer and browse the blocks, transactions and addresses in the network.

This is not ideal from a privacy perspective. In systems like Bitcoin, each transaction can be linked to previous transactions. Tokens are not technically fungible, meaning each coin is tied to a specific transaction. No one can stop you from sending Bitcoin, but if those coins have been to a blacklisted address, the other party has the right to reject the transaction.

In the worst case, lack of fungibility can have far-reaching consequences for the foundations of the system, with clean tokens commanding a premium while early tokens devalue due to historical issues.

The privacy of Bitcoin is often overstated. In reality, both coins and users are traceable in the system. Users are accustomed to operating pseudonymously (showing public addresses instead of names), but this approach has drawbacks. Cutting-edge analytical techniques are clustering entities in the network with increasing precision, enabling deanonymization.

Confidential transactions are an upgrade designed to bring genuine privacy to transactions.


What are Confidential Transactions?

The concept of confidential transactions (CT) was first proposed by Adam Back, CEO of Blockstream, in 2013, and was later extended by Gregory Maxwell, a Bitcoin developer. Maxwell first outlined the problems mentioned above, namely "fungibility" and "weak anonymity", and proposed corresponding solutions. He pointed out that the transaction amount can be hidden from the wider network so that only the transaction participants know the specific value.


Figure: comparison of regular transactions and confidential transactions


Under normal circumstances (transactions can be viewed publicly), nodes can easily verify that a transaction's inputs are at least as large as its outputs. For example, Alice wants to send 0.3 BTC to Bob. She takes an unspent output worth 1 BTC and splits it into two parts: 0.3 BTC is sent to Bob, and 0.69 BTC is sent back to her own wallet (the remaining funds are paid as the mining fee).

For other nodes, this is a simple algebraic problem: 1 > 0.3+0.69, the signatures are all correct, and Alice's input has not been spent elsewhere, so the transaction must be valid. Things become more complicated when the amounts are hidden. How do we determine whether an unknown amount is greater than or equal to the sum of two other unknown amounts?


Overview of the cryptographic principles involved

Hiding data requires some form of encryption. Conventional encryption, however, is like storing documents in a safe: once the safe is locked, nothing can be done with the contents until it is unlocked again. Confidential transactions need something more like a digital safe whose contents stay hidden while outsiders can still verify that the assets inside add up.

The answer lies in homomorphic encryption, specifically a scheme called a Pedersen commitment, which allows outsiders to perform certain operations on hidden data without being able to see its contents.

A regular hash can already be used to commit to data that you want to reveal later. Let's say you announce a contest on social media: whoever guesses your favorite exchange wins 0.01 BTC. Participants may be skeptical of the contest, because you could simply look at their answers after the contest is over and pick an exchange that no one mentioned.

To reassure them, you can give your fans a hash: a seemingly random string of numbers and letters that corresponds to one specific input. You take the answer (the name of an exchange), pass it through a hash function, and publish the output. Taking the SHA256 algorithm as an example:


f1624fcc63b615ac0e95daf9ab78434ec2e8ffe402144dc631b055f711225191


Based on the hash above, you don’t know the specific input, and you can’t reverse the function to get the previous input. But if you know the input is “Binance”, you can easily determine that its hash is consistent with the one listed above. This way, fans will feel more comfortable knowing that you won’t change the answer at the end of the game, because this will produce a completely different output.

In fact, this method is not entirely secure. Although fans cannot reverse the hash function, they can make a list of exchanges and hash each one in turn until the output matches the hash above. To prevent this, we add random data to the input before hashing; this random data is called a "blinding factor" (sometimes translated as "masking factor").

If we hash "Binance is my favorite exchange over any other 2#43Wr" instead, it becomes impractical for participants to guess the input (after all, they can't justify endless attempts for just 0.01 BTC).

Pedersen commitments go a step further: they allow the committed values to be added together while remaining hidden. Maxwell explains this as follows:


Maxwell's confidential transaction equation:

C(BF1, D1) + C(BF2, D2) = C(BF1 + BF2, D1 + D2)

where BF refers to the blinding factor and D refers to the data.


The next few steps involve elliptic curve cryptography and range proofs, but the basic idea is that the amounts are wrapped in Pedersen commitments. When sending funds, the system generates two additional commitments: one for the change output that returns funds to the sender, and one for the destination.

No one knows the amount sent, but anyone can check whether the change and destination commitments (the left side of Maxwell's equation) add up to the commitment of the original input (the right side of the equation). If the equation holds, that is enough to prove that the inputs equal the outputs, and therefore that the user's transaction is valid.
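To make the balance check concrete, here is an added example (not code from the original article or from Maxwell's proposal) that implements Pedersen commitments over secp256k1 in plain Python and runs Alice's 1 BTC transaction through the verifier's check. The derivation of the second generator H, the blinding-factor values and the function names are constructed for this example; range proofs, which a real implementation also needs, are left out.

```python
import hashlib
# secp256k1, the curve Bitcoin uses: field prime, group order, base point G
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if a == b: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:      lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    r, k = None, k % N
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def hash_to_point(seed):
    """Second generator H with unknown log_G(H) (constructed derivation, not Elements')."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(seed + bytes([ctr])).digest(), "big") % P
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)   # square root works because P % 4 == 3
        if y * y % P == rhs: return (x, y)
H = hash_to_point(b"pedersen-second-generator")

def commit(bf, amount):
    """Pedersen commitment C(BF, D) = BF*G + D*H (BF blinds, D is the amount)."""
    return ec_add(ec_mul(bf, G), ec_mul(amount, H))

def balances(inputs, outputs, fee):
    """Verifier's check: sum(inputs) == sum(outputs) + fee*H, seeing only points."""
    lhs, rhs = None, ec_mul(fee, H)
    for c in inputs: lhs = ec_add(lhs, c)
    for c in outputs: rhs = ec_add(rhs, c)
    return lhs == rhs

def alice_pays_bob(bf_in=0x1234, bf_bob=0x5678):
    """Alice's transaction from the text in satoshis; the 0.01 BTC fee is explicit."""
    bf_change = (bf_in - bf_bob) % N   # Alice picks it so blinding factors cancel
    outs = [commit(bf_bob, 30_000_000), commit(bf_change, 69_000_000)]
    return balances([commit(bf_in, 100_000_000)], outs, 1_000_000)
```

The verifier only ever handles curve points, so changing any amount, or failing to balance the blinding factors, makes the two sides differ.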


What Confidential Transactions Can Achieve

If confidential transactions are implemented in Bitcoin, a more private system can be created. Inputs and outputs to the system will be hidden, and entities in the ledger will be obfuscated, but nodes can still verify their authenticity. With significantly improved privacy, chain analysis cannot reveal the history of a given unit, making Bitcoin effectively fungible.

As for whether confidential transactions will be integrated into the Bitcoin protocol, it seems unlikely at the moment. The feature makes transactions considerably larger than regular ones, which naturally consumes more of the limited block space. In addition, the majority of participants in the network must agree to change the code, which has also been a major obstacle in the past.


Summary

Some cryptocurrencies, as well as some Bitcoin sidechains, have built on confidential transactions. Monero, for example, seamlessly combines confidential transactions with a "ring signature" structure to achieve anonymity and fungibility. The Liquid sidechain and MimbleWimble have also significantly improved privacy.

Confidential transactions do have many advantages, but they also bring the problem of increased processing overhead. Cryptocurrencies have long faced challenges in scalability and throughput at the base layer, and larger transactions will also put many people off. Despite this, privacy advocates believe it is necessary to hide transaction amounts and participants in order for cryptocurrencies to become truly fungible currencies.