Confidential Transactions/Bulletproofs

The Blackest Box

At the highest level, you can think of Confidential Transactions as Bitcoin transactions where the amounts are confidential. Only the sender and the receiver know what the actual amounts are; third parties can only verify that the transaction is correct. They can see who sends to whom. They can see how many inputs and outputs are in the transaction. But they cannot see the amounts involved.

Background

When you give me a Bitcoin address, I can send money to it. My transaction creates a UTXO that only you can spend. Let’s assume you got 1 BTC from me and you want to buy Alpaca socks for 0.1 BTC. In this case you would create a transaction with an input of 1 BTC, a payment output of 0.1 BTC and a change output of 0.9 BTC that goes back to you.

A Confidential Transaction with traditional heart notation.

Commitments

With homomorphic cryptographic commitments, such as Pedersen commitments, one can prove relations between Bitcoin amounts without revealing the amounts.

Problems with Commitments

Since you don’t know the amounts, I could trick you like this: C(1) = C(100) + C(-99). And I just created 100 BTC out of thin air. Similar problems arise at the other end of the spectrum with integer overflows. Thus we also need to prove the bounds of each and every commitment. Or should I say range?
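The commitment arithmetic from the two sections above, as an added example that is not part of the original post. It uses a constructed toy group (a prime-order subgroup of Z_p^* with p = 1019) rather than the elliptic-curve group real Confidential Transactions use, and the second generator H is simply fixed here, whereas in practice it must be derived so that nobody knows log_G(H). It shows the honest Alpaca-socks transaction passing the verifier's balance check, and the C(1) = C(100) + C(-99) construction passing the very same check, which is why a range proof on every output is required.

```python
"""Toy Pedersen commitments in a prime-order subgroup of Z_p^* (constructed parameters)."""
import secrets

P = 1019   # safe prime, P = 2*Q + 1 (toy parameter, trivially breakable; for illustration only)
Q = 509    # order of the quadratic-residue subgroup; amounts and blinding factors live in Z_Q
G = 4      # generator of the order-Q subgroup (a quadratic residue, 2^2)
H = 9      # second generator (3^2); real systems derive H so that log_G(H) is unknown


def commit(value, blinding):
    """Pedersen commitment C(v, r) = G^v * H^r mod P. Negative values wrap around in Z_Q."""
    return (pow(G, value % Q, P) * pow(H, blinding % Q, P)) % P


def add(c1, c2):
    """Homomorphic addition: C(v1, r1) * C(v2, r2) = C(v1 + v2, r1 + r2)."""
    return (c1 * c2) % P


def balance_check(inputs, outputs):
    """Verifier-side check: the inputs and outputs must commit to the same total.
    The verifier never learns an amount; it only checks that the relation holds."""
    lhs = 1
    for c in inputs:
        lhs = add(lhs, c)
    rhs = 1
    for c in outputs:
        rhs = add(rhs, c)
    return lhs == rhs


def alpaca_socks():
    """Honest transaction from the text, in units of 0.1 BTC: 10 in, 1 + 9 out.
    The sender picks blinding factors so that they sum to the same value on both sides."""
    r_in = secrets.randbelow(Q)
    r_pay = secrets.randbelow(Q)
    r_change = (r_in - r_pay) % Q
    return balance_check([commit(10, r_in)], [commit(1, r_pay), commit(9, r_change)])


def inflation_without_rangeproof():
    """The problem from the text: C(1) = C(100) + C(-99) satisfies the balance check,
    because -99 is just another element of Z_Q (here 410, and 100 + 410 = Q + 1).
    Nothing in the commitment itself says the value is non-negative; only a range
    proof attached to each output rules this out."""
    r_in = secrets.randbelow(Q)
    r_a = secrets.randbelow(Q)
    r_b = (r_in - r_a) % Q
    return balance_check([commit(1, r_in)], [commit(100, r_a), commit(-99, r_b)])
```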

Rangeproofs/Bulletproofs

Rangeproofs to the rescue. It turns out we can prove the range of each and every commitment with rangeproofs. However, rangeproofs are gigantic and don’t play well with Bitcoin’s scarce blockspace.

That’s a question for another time.
