Introduction
It is often considered essential for the functioning of a blockchain that the system is transparent. This means that each node on the network can store a copy and verify that no rules are broken. For many distributed ledgers, anyone can go to an online block explorer that allows them to search for blocks, transactions, and addresses.
On the privacy front, this isn't ideal. In a system like Bitcoin, each transaction can be linked to a previous transaction. Coins are not technically fungible, meaning each can be tied to specific transactions. No one can stop you from sending bitcoins, but the recipient can refuse to accept your transaction if those coins previously passed through a blacklisted address.
In a worst-case scenario, a lack of fungibility could have a profound impact on the very foundations of the system. Clean coins may be more expensive, while older coins may be less valuable due to their history.
Privacy protection in the Bitcoin network is often overrated. Not only can parts be traced, but so can users. They benefit from pseudonymity (public addresses are visible instead of names), but this is not without flaws. Sophisticated analysis techniques can, with increasing precision, aggregate addresses with the goal of deanonymizing network entities.
A proposed upgrade to make transactions truly private is Confidential Transactions.
What are confidential transactions?
Confidential Transactions (CT) were first discussed by Adam Back, CEO of Blockstream, in 2013, and later developed by Gregory Maxwell, developer of Bitcoin. Maxwell described the problems mentioned in the first section (fungibility and weak pseudonymity) and proposed a solution. Amounts transferred can be shielded from the network as a whole, so that only transacting parties know the amounts sent.
Under normal circumstances (with publicly visible transactions), it is easy for a node to verify that the amount received does not exceed the amount sent. If Alice wants to send 0.3 BTC to Bob, she takes an unspent output (let's say 1 BTC) and divides it in half: 0.3 to send to Bob, and 0.69 to send back to him (with the rest lost in fees). mining).
This is a simple operation for the other nodes: 1 exceeds 0.3 + 0.69, the signatures are all correct, and Alice's inputs have not yet been used elsewhere. The transaction must therefore be valid. However, when the amounts are hidden, things are not so trivial. How to assess whether an unknown amount is equal to or greater than the sum of two other unknown amounts?
An overview of the cryptography involved
To hide data, encryption is required. However, traditional methods are similar to placing documents in a safe: once locked inside, they become unusable until they are taken out for inspection. For confidential transactions to work, we need a digital vault whose contents are not revealed, but whose properties can be verified by an outside person.
The answer lies specifically in homomorphic encryption, in a scheme called Pedersen pledging. This type of encryption allows an external user to perform operations on encrypted data (that they cannot see) for various purposes.
A regular hash can be used to commit to data that you want to display later. Let's say you want to announce a contest on social media, where anyone who guesses your favorite exchange will win a prize of 0.01 BTC. Entrants may be skeptical because you might just look at the responses after the contest closes and pick an exchange that wasn't mentioned.
You can provide your subscribers with a hash: a string of seemingly random numbers and characters that matches a specific entry. You submit the name of your exchange to a function in order to get a certain output. We will illustrate it with the SHA256 algorithm:
f1624fcc63b615ac0e95daf9ab78434ec2e8ffe402144dc631b055f711225191Looking at this string you can't guess the entry. You also can't reverse the function to get it. If you know the entry was "Binance", however, you can easily verify that its hash matches the one shown above. This way, your followers have the assurance that you won't change your answer at the end of the competition because that would produce a completely different output.
But in reality, this is not very certain. If your followers can't reverse engineer the algorithm, they can make a list of possible exchanges, hashing each one until they get a match. We can reduce the likelihood of this by adding random data called a blind factor to the data we are going to hash.
If we hear "Binance is my favorite exchange that I love more than any other exchange 2#43Wr", it becomes much harder for an opponent to guess (and for 0.01 BTC, it's certainly unlikely that any who would try to do it).
A Pedersen pledge allows us to add the comments behind the pledges. As Maxwell illustrates:
C(BF1 + D1) + C(BF2 + D2) = C(BF1 + BF2, D1 + D2)
Where BF is the obfuscation factor and D is the data
There are still a few steps to follow to achieve elliptic curve cryptography and interval proofs, but the basic idea is that a user has a Pedersen pledge for their address. When you send money, two additional commitments are created (one for the change address to be sent back to the user and one for the destination address).
No one knows how much is sent, but we can verify that the change and destination commitments (the left side of Maxwell's equation) match the original address (the right side of the equation). If this is evaluated correctly, the user's transaction is valid, because it can be proven that the inputs equal the outputs.
What can confidential transactions accomplish?
If confidential transactions were implemented in the Bitcoin network, we would benefit from a much more confidential system. Inputs and outputs would be hidden from the larger network, and ledger entries would be hidden, but nodes could still verify their authenticity. With this massive increase in privacy, bitcoins can be made fungible, as on-chain analysis no longer reveals the history of a given unit.
If you're wondering if confidential transactions will be integrated into the protocol, it doesn't seem likely at this time. With this additional feature, transactions are much larger than standard transactions. Given the limited space in the block, this would only increase demand. It would also require a majority of participants to agree to modify the code, a task that has traditionally proven difficult.
To conclude
Some iterations in other cryptocurrencies and Bitcoin sidechains have featured confidential transactions. For example, Monero uses them in combination with constructs called ring signatures to provide anonymity and fungibility. The Liquid sidechain implements them to ensure greater privacy, and MimbleWimble uses them for the same purposes.
For the benefits they bring, confidential transactions come at the expense of a larger footprint. Cryptocurrencies often struggle with scalability and throughput at the base layer, and larger transactions don't appeal to everyone. That said, privacy advocates believe hiding transaction amounts and participants is essential to allowing cryptocurrencies to serve as fungible money.
