Confidential Transactions (CT) are a really exciting and often overlooked feature of the Liquid Network, allowing users to keep the quantities and assets they transact private. We frequently mention them in our Liquid updates and on our social media. However, online discussions about Confidential Transactions can quickly become overwhelming if you are not a full-time cryptographic researcher, with daunting terms like Pedersen commitments, homomorphic encryption, and range proofs being used regularly. As such, I wanted to take some time to write a bit about the basics: what Confidential Transactions are and how they came about. I will also give a high-level overview of how the encryption works. This introduction will be approachable even if you do not have a serious math background. Let’s jump in!
Long Ago on an Internet Forum Far, Far Away
Confidential Transactions were initially proposed by Blockstream CEO Dr. Adam Back in a post on the BitcoinTalk forum in 2013 titled bitcoins with homomorphic value (validatable but encrypted).
The Bitcoin blockchain is a distributed public ledger, which records transactions between network participants. The amounts in each transaction are stored on this ledger and as such, they are visible to all network participants. For example, if I send you 0.1 BTC in exchange for a service, anyone on the network can see that a transaction occurred between two participants where 0.1 BTC was exchanged. In his initial BitcoinTalk write-up, Adam Back proposed a method of blinding the values of Bitcoin transactions.
Encryption on Bitcoin is challenging due to the network’s decentralized nature, which demands that all network participants be able to independently validate the chain history. This allows each participant to ensure that all protocol rules have been followed, and that there has been no unintended inflation of the money supply. On a blockchain with no blinding of transaction amounts, if I have 0.1 BTC and send it to you, network participants will be able to easily confirm that I only sent bitcoin that I owned. In other words: 0.1 BTC was sent and 0.1 BTC was received. No new coins were created. Each network participant can then feel comfortable adding that transaction to the ledger. However, if the amount that I sent is encrypted then network participants will not be able to independently confirm that the amounts in the transaction add up. They would be then unable to guarantee that all the coins in the transaction were owned by the sender, and they would not know if the bitcoin consensus rules had been followed.
In Adam Back’s write-up, he proposed a method of blinding transaction amounts, which would not sacrifice the ability to self-validate. Under his proposal, nodes on the network could still confirm that no new coins had been created in a transaction, even without knowing the actual transaction amounts. This was an exciting development because it would greatly improve privacy for Bitcoin users. It becomes much harder for third parties to analyze money flows on the Bitcoin network when transaction amounts are encrypted.
Adam Back’s initial hope was to add this feature to Bitcoin. However, this change came with a few tradeoffs. For example, Confidential Transactions are larger in size than regular transactions, so using them would lead to a faster rate of blockchain growth. This would increase the overhead on users who are running full nodes. Overall, building community consensus around this change was not simple due to these tradeoffs, and it was clear that Confidential Transactions would not be added to Bitcoin any time soon.
A New Hope
Fast forward to 2014, and Blockstream was founded by a group of engineers aiming to build new technology around the Bitcoin network. When they set upon developing the Elements sidechain technology, adding Confidential Transactions was an obvious choice due to the privacy benefits it provided financial institutions, investors, and traders.
At Blockstream, Gregory Maxwell, Andrew Poelstra, and Pieter Wuille all played a major role in developing this idea further. They invented new ring signature optimizations, which were needed for Confidential Transactions to be efficient. Additionally, since Elements has support for multiple assets they extended this idea to also hide the asset type being transacted.
A few years later in 2018, the Liquid Network launched publicly. Since the Liquid Network was an implementation of Elements, any user of the network was able to easily blind their transactions and instantly gain better privacy guarantees. A similar technology, inspired by Confidential Transactions, has also been included in other cryptocurrencies such as Monero.
So, what does this mean for you as a user? Creating a Confidential Transaction on Liquid ensures that only you and the recipient of your coins will know how much you are sending (unless either of you disclose this information to others or choose to send to a non-confidential address). This greatly improves your on-chain privacy.
To understand how Confidential Transactions work at a technical level, it is important to reiterate that the Bitcoin and Liquid blockchains are public ledgers. Anyone can view the chain history, either by running their own node or by using online tools such as the Blockstream Explorer. Non-confidential transactions are actually pseudonymous. Third parties viewing the blockchain will see the amounts within transactions, but they will not inherently know who the funds belong to unless your identity is tied to the address. They will just see the addresses, which sent and received the coins.
These Are Not the Coins You Are Looking For
Let’s use a real-world example to illustrate how Confidential Transactions help preserve your Bitcoin privacy. Imagine that a trader wishes to place a large sell order of 1,000 BTC on a bitcoin exchange. They will first have to send these bitcoin to the exchange’s public bitcoin address. Third parties monitor such addresses to predict upcoming market moves. Imagine that upon detecting this large exchange inflow and anticipating the coming downwards price move, one of these third parties quickly sells their bitcoin. By frontrunning the trader, this third party crashes the price and reduces the trader’s profits from their sale. This simple example demonstrates the lack of privacy that is inherently present in ordinary non-confidential transactions.
When using Confidential Transactions on Liquid your transaction amounts are hidden by default, which preserves your financial privacy. In the above example, third parties monitoring exchange inflows would not know how much bitcoin the trader had sent to the exchange, and so they would no longer be able to predict the price response to the sale and frontrun it. Furthermore, on Liquid the asset type itself is also hidden using the same technology. So, if you choose to use a different asset on Liquid (such as USDt), it will not be known to third parties. Such confidentiality is very exciting!.
Math and Stuff
I would now like to briefly describe the math behind this cryptography. The basics are fairly straightforward, but if you would like to skip this part feel free to jump to the Unconfidential Takeaways section below.
Confidential Transactions rely on homomorphic encryption. Backing up a bit, a regular Bitcoin transaction has inputs and outputs. The inputs are the “coins” from your wallet, which you are spending. These “coins” are called unspent transaction outputs, or “UTXOs”. The outputs of the transaction are the new coins (UTXOs) created by the transaction, each of which has a recipient attached. Below is a diagram of a simple Bitcoin transaction:
Homomorphic encryption utilizes a special mathematical construct; let’s call it f for now. We can pass an amount through f, and f will output an encrypted value.
These encrypted amounts cannot be reversed by third parties without an unblinding key (which is only possessed by the sender and the recipient), and so third parties will have no idea what the amounts are (unless, of course, the sender or the recipient share it with them).
With the initial transaction above, all network observers can confirm that the inputs (2 + 3) are equal to the outputs (5). Thus, all participants can confirm that no unexpected inflation took place. The key property that makes the homomorphic construct f special is that f(A) + f(B) = f(A + B). So, if the user owns two coins with values of 2 BTC and 3 BTC, then they can share f(2) and f(3) with the network and network participants can be certain that f(2) + f(3) = f(5) by simply computing the sum of the inputs (f(2) + f(3)) and checking that it is equal to the sum of the outputs (f(5)). However, network participants only know the encrypted amounts when making this computation, and they do not actually know that the amounts in question are 2, 3, and 5. In practice, this means that third parties can confirm that the sender is only spending coins that they own without creating any new coins out of thin air.
The complexity in this scheme lies in the construction of this homomorphic function f. This function relies on Pedersen commitments. An understanding of them is not necessary in order to use Confidential Transactions. But, if this high-level explanation has piqued your interest you can find a deeper, more detailed mathematical explanation on Pedersen commitments in Gregory Maxwell’s initial investigation into the subject.
After proving that the amounts add up, we must also prove that the values are not negative. Otherwise, someone with 1 BTC in their possession could potentially produce a transaction with an input of 1 and two outputs: 10 and -9. The math shown above would prove that all inputs and outputs match (f(1) = f(10) + f(-9)), and thus network participants would confirm that the user owned the 1 BTC input. But, in reality, the user initially had an input worth 1 BTC and they ended up with an output that is worth 10 BTC. In other words, the user created 9 new coins out of thin air and this is not permitted. To resolve this we use something called range proofs. They allow the sender to prove that all the amounts are non-negative, without revealing their values. Those are also described in further detail in the aforementioned investigation.
Confidential Transactions enable the encryption of transaction amounts and asset types on public blockchain ledgers. They increase privacy for users while still allowing network participants to verify key consensus rules, such as ensuring that asset supplies are not artificially inflated. Confidential Transactions have been implemented in multiple production cryptocurrencies and they can already be used today on the Liquid Network.
If you want to discuss Confidential Transactions further, feel free to DM me on the Liquid community or to ask your question directly in the thread here.