A Primer to Confidential Transactions
This article is a primer to Confidential Transactions (CT) with the goal of providing a framework to understanding the technology. It is not intended to be an in-depth explanation. As such, it only highlights the key concepts involved. It also doesn’t include Ring Signatures or Bullet Proofs, which prevent accounting overflow. For a fully comprehensive study of CT, I recommend Gregory Maxwell’s initial investigation or this summary by Adam Gibson.
What is CT?
A protocol that hides the amount of Litecoin you send as well as the receiver’s LTC address.
Why is it Important?
Even though Litecoin is pseudonymous, it doesn’t provide a whole lot of privacy. Due to the public nature of its blockchain, you can track Litecoin transactions and where it was previously spent through chain analysis. The pseudoanonymity of LTC addresses is especially weak for people who reuse them or post it on a social media account.
The lack of privacy ultimately makes Litecoin not as fungible as it could be and hinders its ability to become a censorship resistant medium of exchange. For example, one of the reasons why exchanges have suddenly shut down accounts is because the Litecoin a customer is trying to sell, unbeknownst to them, may have previously used it for illicit purposes. Confidential Transactions will help mitigate these issues inherent in public blockchains.
High Level Overview
Confidential Transactions work by introducing a new address and transaction format. The transaction format is composed of a scriptPubKey, Pedersen commitment, and ecdh nonce.
The scriptPubKey contains the following: The Confidential Transaction Address (CTA) and a mathematical condition that the LTC can be spent only if ownership of the address’ private key is proven with a signature.
The Confidential Transaction Address is the hash of a blinding key plus a regular LTC address.
A blinding key is used to hide the LTC address and LTC amount on the public ledger. Alternatively if you have access to the blinding key, you have the ability to view the LTC address and LTC amount in a Confidential transaction.
A Pedersen commitment is essentially a hash of the total LTC output plus a blinding key. In a regular LTC transaction, this is where the normal LTC output would go.
Finally, the ecdh nonce is the key to unlocking the whole Confidential Transaction. It is used to communicate encrypted data to the receiver of the transaction so they can learn the LTC transaction output and blinding factor of the Confidential Transaction.
How Does it Work?
Let’s pretend Alice has 2 LTC in her address wants to send Bob 1 LTC.
Alice takes Bob’s Litecoin address, creates a blinding key, and hashes the two together. This creates a Confidential Address. Although this gets recorded on the public ledger, no one knows that the CTA is tied to Bob’s LTC address except for Alice and Bob.
Here is an example of a Confidential Address:
Next Alice creates the Confidential Transaction. She takes the same blinding key and the 1 LTC output and creates a Pedersen commitment. This hides the amount of LTC Alice is sending to Bob. But both Bob and Alice can view the amount because they have the public blinding key. Alice has it because she created the blinding key. Bob can derive it with the private key of his LTC address.
Alice then creates a scriptPubKey with the CTA she created with Bob’s LTC address under a mathematical condition that the 1 LTC can be spent if he can prove ownership of the address’ private key with a signature.
The transaction is then broadcast and recorded on the public ledger.
Maintaining 0 Balance Sums
One key principle in Litecoin is that addresses must maintain a 0 balance sum. This means that the number of Litecoin that get sent to an address must match the number of Litecoin that leave the address.
But because Confidential Transactions obfuscates amounts, it creates two problems:
The traditional way mining fees are calculated through subtraction is no longer possible.
The clients can not determined if the output from an address matches the input in order to maintains a 0 balance sum.
The first problem can be easily resolved by sharing the mining fee publicly.
The second problem is bit more complicated, but can be solved through something called Pedersen commitments.
Pedersen commitments have a unique mathematical property in that it is homomorphic. A homomorphism is a structure preserving map between two algebraic structures. This is perfect for cryptography because you can hash data and use basic algebra, like addition, to verify the data “behind” the hash. In other words, you can convey information without revealing the data itself. Here’s an extremely simplified example of what I mean:
Let’s say this is our basic algebraic structure and that we are “hashing” the values by multiplying everything by 2.
(a + b)2 = a*2 + b*2
Now let’s have a=1 and b=3.
(1+3)2 = 1*2 + 3*2
(4)2 = 2+6
If you replaced the value “a” on the left side of the equation with a different number such as 4, the algebraic structure would no longer be true:
(a + b)2 = a*2 + b*2
(4 + 3)2 ≠ 1*2 + 3*2
This homomorphic property of Pedersen commitments is what Confidential Transactions uses to ensure that Litecoin addresses maintain a 0 balance sum.
Let’s now apply this concept to Alice sending Bob 1 LTC. For simplicity’s sake, we will not factor in mining fees.
Alice has a Pedersen commitment of 2 LTC for her Confidential Transaction Address. When Alice sends Bob 1 LTC, she uses a specified mathematical formula to create a hash. She then uses the same formula to send 1 LTC to a change addresses. The two hashes are added together to see if it equals the 2 LTC Pedersen commitment of Alice’s address. If it does, then it becomes a valid Confidential Transaction.
Confidential Transactions can be a powerful tool to increase privacy on the public blockchain. By using blinding keys, LTC addresses and amounts are obfuscated thereby increasing its fungibility. However, blinding keys can also be used for auditing. That means either the sender or the receiver can hand over the blinding key to a third party for auditing purposes.
*A special thank you to all the people in the #bitcoin-wizards channel on IRC for their comments and review of the paper (maaku, waxwing, and sipa).