Recently I’ve been working with the same cryptographic primitives that Confidential Transactions are using. In this quick article I’ll show you what Confidential Transactions and Bulletproofs are and how they are supposed to be used in Bitcoin. All this without going into the cryptographic formulas as I am afraid I would make a mistake and I would never recover from the eternal shame that would come with it.
The Blackest Box
From the highest level you can think about Confidential Transactions, as Bitcoin transactions, where the amounts are confidential. This means only the sender and the receiver know what the actual amounts are, third parties can only verify that the transaction is correct. They can see who sends to who. They can see how many inputs and outputs are in the transaction. But they cannot see the amounts involved with it.
When you give me a Bitcoin address, I can send money to it. My operation will create a UTXO, which only you can spend. Let’s assume you got 1BTC from me and you want to buy Alpaca socks for 0.1BTC. In this case you would create a transaction with an input of 1BTC, with a payment output of 0.1BTC and a change output that goes back to you: 0.9BTC.
When a node of the Bitcoin network validates the transaction it makes sure that
1 = 0.1 + 0.9. Note it’s not exactly correct as there are network fees, but we don’t need to be concerned with that in this article.
The idea of Confidential Transactions are based on the realization that the validating node does not have to know the amounts, it’s enough if it knows that
sum of inputs = sum of outputs .
And indeed there’s a dark crypto magic that enables a similar information hiding, which would look like this:
commitment1 = commitment2 + commitment3 .
With homomorphic cryptographic commitments, like Pedersen Commitments one can prove relations between bitcoin amounts without revealing the amounts.
I can create a commitment to 1 (BTC) and two commitments to 0.1 and 0.9 and I would be able to prove to you that
C(1) = C(0.1) + C(0.9) without you knowing
1, 0.1 and
This is great and we can add it to Bitcoin right away, right? No.
Problems with Commitments
Since you don’t know the amounts, I could trick you like this:
C(1) = C(100) + C(-99) . And I just created 100BTC out of thin air. Similar problems arise on the other end of the spectrum concerning integer overflows. Thus we need to also prove the bounds of each and every commitment. Or should I say range?
Rangeproofs to the rescue. It turns out we can prove the range of each and every commitment with rangeproofs. However rangeproofs are gigantic and don’t play well with Bitcoin’s scarce blockspace.
Meet Bulletproofs! In 2017, some rockstar level cryptographers and Bitcoin developers introduced Bulletproofs, which not only greatly reduced the size of the rangeproofs coming with every outputs of your transaction, but they also made them aggregatable, which means now it’s ok to provide a single Bulletproof along with the transaction instead of providing a proof for every single output.
Now, that you have a grasp on the tech you are probably wondering: If everything is so great about this, then why aren’t Bitcoin developers rushing to implement Confidential Transactions and Bulletproofs into the protocol?
That’s a question for another time.