Confidential Transactions
(Redirected from Confidential Transactions (CT))
- Mostly developed by Bitcoin Core and Blockstream developer Gregory Maxwell and is currently deployed on Blockstream’s Elements Alpha sidechain.
- Explanation by CoinDesk (26-11-2019):
"Mimblewimble anonymizes transactions through batching inputs per block, like a CoinJoin. After mixing the numbers associated with a sender in a pool of similar transactions, equivalent values are spit out on the other side as unidentifiable outputs. Styled a confidential transaction (CT), this process typically works pretty well once it scales to a large enough anonymity set, wherein the sheer number of inputs shields the knowledge about the outputs after a mixing. In CT, the amount and public addresses are never exposed, mainly because addresses don’t exist in the Mimblewimble universe, just transaction inputs and outputs."
- Confidential Transactions lets senders encrypt the bitcoin amounts in transactions with random strings of numbers called “blinding factors.” This process works because transactions also include information with which (only) receivers can decrypt the amounts. And, by utilizing a cryptographic trick called the Pedersen Commitment, anyone else can still perform math on the encrypted amounts. Specifically, Bitcoin nodes can subtract the encrypted amounts on the sending side of transactions (“inputs”) from the encrypted amounts on the receiving side of transactions (“outputs”). If the two sides cancel out to zero, it means the combined inputs and the combined outputs are equal, and no bitcoins were created out of thin air.
- From a transcript (Summer 2019) by Andrew Poelstra (Blockstream) and David Vorick (Sia):
"Confidential transactions is the idea that you can replace the amounts with homomorphic commitments that hide what the amounts are, but they still bind to the amounts so nobody can pretend they are something they are not. Homomorphic means they can be added. Validators can add up all the inputs and all the output amounts and they can tell whether or not they balance to zero, by checking those homomorphic commitments, or by using a proof of zeroness.
Confidential transactions aren't an asymptotic hit to validation time or size. They add a 650 byte object called rangeproofs. These originally used to be 3-4 kilobytes but thanks to bulletproofs they are now "only" 650 bytes each which is cool. They can also be accumulated across outputs so in some contexts it could be 700 bytes per transaction, but that's still not great.
If we had confidential transactions in bitcoin, and then you remove all the other things in bitcoin, you get left with mimblewimble which has some cool scalability like removing old unspent outputs. That's cool, but you would have to remove script from bitcoin. That's not going to happen. Bitcoin blocks aren't going to be replaced by mimblewimble blocks ever due to the loss of functionality.
The other issue is that these things aren't quantum secure. Right now in bitcoin all of our signatures will be broken as soon as there are practical quantum computers that exist. If we had confidential transactions, then not only would the signatures be broken and coins vulnerable to theft, but also the soundness of the system would be in question. Anyone who claimed to own any amount of coins, just instantly everything is gibberish. petertodd has argued this is a benefit for something like mimblewimble-- if a quantum computer shows up, then every single output that ever existed on the mimblewimble chain can suddenly - to every value. So the entire chain then deletes itself. So that's pretty cool. That's kind of crazy. But it doesn't fit into the bitcoin ethos super well.... a very vocal segment of bitcoiners don't want everything to go away. So until we have a quantum secure version of something like bulletproofs or confidential transactions, my feeling is that it's not going to happen in bitcoin."