A Primer to Confidential Transactions

 

This article is a primer to Confidential Transactions (CT) with the goal of providing a framework for understanding the technology. It is not intended to be an in-depth explanation, so it only highlights the key concepts involved. It also leaves out range proofs (built from Borromean ring signatures in the original CT design, or from Bulletproofs), which prevent a hidden amount from being negative or overflowing. For a fully comprehensive study of CT, I recommend this summary by Adam Gibson.

What is CT?

A protocol that hides the amounts within a litecoin transaction, so that only the sender and the receiver (or anyone they hand the blinding key to) can learn them, while the network can still verify that no litecoin is created or destroyed.

Why is it Important?

Even though Litecoin is pseudonymous, it doesn’t provide a whole lot of privacy. Because its blockchain is public, anyone can follow litecoin from transaction to transaction through chain analysis and see where it was previously spent. The pseudonymity of Litecoin addresses is especially weak for people who reuse them or post them on social media.

The lack of transactional privacy ultimately makes Litecoin less fungible than it could be. For example, exchanges have been known to suddenly shut down a customer account because the customer deposited litecoin whose transaction history was tied to a dark market. By hiding transaction amounts, Confidential Transactions remove one of the main signals chain analysis relies on (matching amounts across transactions) and so increase Litecoin’s fungibility.

How Does it Work?

Confidential Transactions work by introducing a new address format and a new output format. Each confidential output is composed of a scriptPubKey, a Pedersen commitment, and an ECDH nonce.

The scriptPubKey holds the spending condition, just as in a regular transaction: the litecoin can be spent only if ownership of the address’ private key is proven with a signature.

The Confidential Transaction Address (CTA) bundles the receiver’s blinding public key together with a regular Litecoin address (it is an encoding of the two, not a hash). The regular address supplies the scriptPubKey; the blinding public key lets the sender agree on a secret with the receiver.

The blinding key is what hides the amount: its private half lets the receiver decrypt the amount and blinding factor of an output. The same key can therefore also be used to reveal that information, for example to an auditor.

A Pedersen commitment replaces the plaintext amount of a regular output. It is computed from the amount and a secret blinding factor as C = r*G + v*H, where r is the blinding factor, v the amount in litoshi, and G and H two curve generators. It is binding (the committer cannot later open it to a different amount) and hiding (the blinding factor masks the amount), and it is not a hash, which matters for the balance check described later.

Finally, the ECDH nonce is an ephemeral public key published alongside the output. Combined with the receiver’s blinding private key it yields a shared secret, under which the sender encrypts the output amount and blinding factor so that only the receiver can learn them.

An Example of a Confidential Transaction

Let’s pretend Alice has 2 LTC in one of her outputs and wants to send Bob 1 LTC.

Bob generates a blinding key pair and hands Alice a Confidential Address that bundles his blinding public key with his regular Litecoin address. Alice then generates a one-time (ephemeral) key for this payment and combines it with Bob’s blinding public key, using ECDH, to obtain a secret that only she and Bob share. The ephemeral public key is what gets recorded on the public ledger as the nonce; the shared secret itself never leaves Alice and Bob.

Here is an example of a Confidential Address:

[Image: Example of Confidential Address]

Next Alice creates the confidential output. She picks a blinding factor for it and combines the 1 LTC amount with that blinding factor into a Pedersen commitment. This hides the amount from everyone else on the network, but Alice and Bob can both see it: Alice because she chose the amount and the blinding factor, Bob because he can recover the shared secret from the published nonce with his blinding private key and decrypt them.

Alice then sets the output’s scriptPubKey from Bob’s regular Litecoin address (the one bundled in his CTA), so that the 1 LTC can be spent only if Bob proves ownership of that address’ private key with a signature.

The transaction is then broadcast and recorded in Litecoin’s blockchain.

Maintaining 0 Balance Sums

One key rule in Litecoin is that every transaction must balance: the litecoin consumed by its inputs must equal the litecoin created by its outputs plus the mining fee. No transaction may create litecoin out of thin air.

But because Confidential Transactions obfuscate amounts, this creates two problems:

  1. Mining fees can no longer be computed the traditional way, as inputs minus outputs.

  2. Nodes can no longer check that the outputs of a transaction add up to its inputs.

The first problem is easily resolved by putting the mining fee in an explicit, unblinded output, so the fee itself stays public.

The second problem is a bit more complicated, but it is solved by the mathematical structure of the Pedersen commitments themselves.

Pedersen Commitments

Pedersen commitments have a useful mathematical property: they are additively homomorphic. A homomorphism is a structure-preserving map between two algebraic structures; here it means that adding two commitments gives a commitment to the sum of the amounts. This is ideal for CT because a verifier can add up committed amounts and check that they balance without ever learning the amounts themselves. Here’s a simplified example of what I mean:

Let’s say this is our basic algebraic structure, and that we “commit” to a value by multiplying it by 2:

(a + b)*2 = a*2 + b*2

Now let’s have a = 1 and b = 3.

(1 + 3)*2 = 1*2 + 3*2

4*2 = 2 + 6 = 8

If you replaced the value a on the left side of the equation with a different number, such as 4, the equation would no longer hold:

(4 + 3)*2 ≠ 1*2 + 3*2

14 ≠ 8

Multiplying by 2 is of course trivially reversible, so it does not hide anything; a real Pedersen commitment keeps the same additive behaviour while the blinding factor hides the value.

This homomorphic property of Pedersen commitments is what Confidential Transactions use to ensure that every transaction still balances.

Now let’s apply this concept to the example above.  For simplicity’s sake, we will not factor in mining fees.

Alice’s existing output is a Pedersen commitment to 2 LTC. When she sends Bob 1 LTC, she creates a commitment to 1 LTC with a fresh blinding factor, and a second commitment to 1 LTC of change going back to an address she controls. She chooses the change output’s blinding factor so that the two output blinding factors add up to the input’s blinding factor. Nodes then add the two output commitments together and check that the sum equals the 2 LTC input commitment. Because of the homomorphism this holds exactly when the amounts balance and the blinding factors cancel, so the transaction is accepted as valid even though nobody but Alice and Bob knows the individual amounts. (This check alone would also accept an output with a negative amount, since a negative value balances the sum just as well; that is what the range proofs left out of this primer prevent.)
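The output format and ECDH nonce from “How Does it Work?” and the balance check just described, carried through in working code as an added example. This is not Litecoin or Elements code: the curve arithmetic, the derivation of H, the XOR “box” in which Alice sends Bob the amount and blinding factor, and every name are illustrative assumptions (Elements encrypts those values inside the range proof rather than in a separate ciphertext).

```python
"""Toy Pedersen commitments and the CT balance check on secp256k1 (added example,
not Litecoin or Elements code). Amounts are integers in litoshi, 1 LTC = 10**8."""
import functools
import hashlib
import secrets

# secp256k1 parameters (real constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
LTC = 10**8

def ec_add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None  # p == -q
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow((q[0] - p[0]) % P, -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def ec_mul(k, pt):
    """Double-and-add; the scalar is reduced mod N, so a negative value wraps around."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def compress(pt):
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def nums_point(seed):
    """Second generator with unknown log_G(H): hash to an x coordinate and lift it."""
    for i in range(256):
        x = int.from_bytes(hashlib.sha256(seed + bytes([i])).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # a square root when rhs is a residue (P % 4 == 3)
        if y * y % P == rhs:
            return (x, y)
    raise RuntimeError("no curve point found")

H = nums_point(compress(G))  # illustrative derivation; Elements fixes its own H

def commit(value, blind):
    """Pedersen commitment C = blind*G + value*H."""
    return ec_add(ec_mul(blind, G), ec_mul(value, H))

def homomorphic(v1, r1, v2, r2):
    """C(v1,r1) + C(v2,r2) == C(v1+v2, r1+r2): the property the balance check relies on."""
    return ec_add(commit(v1, r1), commit(v2, r2)) == commit(v1 + v2, r1 + r2)

def balances(inputs, outputs, fee):
    """Verifier's check with the fee in the clear: sum(inputs) == sum(outputs) + fee*H."""
    total = lambda pts: functools.reduce(ec_add, pts, None)
    return total(inputs) == ec_add(total(outputs), ec_mul(fee, H))

def negative_output_balances():
    """Why range proofs are needed: outputs of 3 LTC and -1 LTC balance a 2 LTC input."""
    return balances([commit(2 * LTC, 12)], [commit(3 * LTC, 5), commit(-LTC, 7)], 0)

def shared_key(priv, pub):
    """ECDH between the sender's ephemeral nonce key and the receiver's blinding key."""
    return hashlib.sha256(compress(ec_mul(priv, pub))).digest()

def otp(key, label, data):
    """Toy XOR pad from the shared key; Elements hides these values inside the range proof."""
    pad = hashlib.shake_256(key + label).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def alice_pays_bob(fee=1000):
    """Alice spends a 2 LTC commitment: 1 LTC to Bob, change to herself, public fee.
    Returns the verifier's verdict and what Bob recovers from the ECDH nonce."""
    bob_priv = secrets.randbelow(N - 1) + 1
    bob_pub = ec_mul(bob_priv, G)  # the blinding pubkey in Bob's confidential address
    r_in = secrets.randbelow(N - 1) + 1
    c_in = commit(2 * LTC, r_in)  # Alice's existing 2 LTC output
    eph, r_bob = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    nonce = ec_mul(eph, G)  # the "ecdh nonce" published with Bob's output
    r_chg = (r_in - r_bob) % N  # pick the change blinding so the blinds cancel
    outputs = [commit(LTC, r_bob), commit(LTC - fee, r_chg)]
    secret = LTC.to_bytes(8, "big") + r_bob.to_bytes(32, "big")
    box = otp(shared_key(eph, bob_pub), b"open", secret)
    # Bob's side: the same key from his blinding private key and the public nonce
    plain = otp(shared_key(bob_priv, nonce), b"open", box)
    amount, r_seen = int.from_bytes(plain[:8], "big"), int.from_bytes(plain[8:], "big")
    return {"valid": balances([c_in], outputs, fee),
            "bob_amount": amount,
            "bob_opens": commit(amount, r_seen) == outputs[0]}
```

Call balances with a mismatched amount or a change blinding factor that does not cancel and the check fails, which is the property the network relies on. Note that negative_output_balances returns True: with only the balance check, an output of -1 LTC lets a sender create coins, which is exactly why CT attaches a range proof to every commitment.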

Conclusion

Confidential Transactions can be a powerful tool to increase privacy on a public blockchain. By using blinding keys, the amounts in Litecoin transactions are obfuscated, thereby increasing its fungibility. However, the same blinding keys can also be used for auditing: either the sender or the receiver can hand over the blinding key to a third party, who can then verify the amounts in those transactions without that information becoming public.

*A special thank you to all the people in the #bitcoin-wizards channel on IRC for their comments and review of the paper (maaku, waxwing, and sipa).