Confidential Assets

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10958)

Abstract

Bitcoin is an online distributed ledger in which coins are distributed according to the unspent transaction output (UTXO) set, and transactions describe changes to this set. Every UTXO has associated with it an amount and a signature verification key, representing the quantity that can be spent and the entity authorized to do so, respectively.

Because the ledger is distributed and publicly verifiable, every UTXO (and the history of all changes) is publicly available and may be used for analysis of all users’ payment history. Although this history is not directly linked to users in any way, it exposes enough structure that even small amounts of personally identifiable information may completely break users’ privacy. Further, the ability to trace coin history creates a market for “clean” coins, harming the fungibility of the underlying asset.

In this paper we describe a scheme, confidential transactions, which blinds the amounts of all UTXOs, while preserving public verifiability that no transaction creates or destroys coins. This removes a significant amount of information from the transaction graph, improving privacy and fungibility without a trusted setup or exotic cryptographic assumptions.

We further extend this to confidential assets, a scheme in which a single blockchain-based ledger may track multiple asset types. We extend confidential transactions to blind not only output amounts, but also their asset type, improving the privacy and fungibility of all assets.
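The following Python sketch is an added worked example, not code from the paper or from any project it describes. It shows the mechanism the abstract summarizes: Pedersen commitments on secp256k1 whose value generator is a per-asset point derived by hashing the asset tag to the curve, so that a verifier who sees only commitments can confirm that a transaction neither creates coins nor quietly converts one asset into another. It also illustrates the balance identity \(C - \sum_i C_i = 0\) that the proof of Theorem 3 in the appendix builds on. The try-and-increment hash-to-curve routine, the domain-separation prefix, the asset tag strings and the sample transactions are all constructed for this example (the paper cites the Fouque–Tibouchi algorithm instead); rangeproofs, which the scheme needs to rule out negative or overflowing amounts, are omitted.

```python
"""Toy confidential-assets balance check (added example, not the paper's code).

A commitment is C = v*H_A + r*G on secp256k1: v is the amount, r a random
blinding factor, G the standard base point and H_A a per-asset generator
obtained by hashing the asset tag to the curve.  A verifier sees only the
points C and checks that inputs and outputs sum to the same point.
Rangeproofs (which stop negative or overflowing v) are not implemented.
"""
import hashlib
import secrets

# secp256k1 domain parameters (the curve used by Bitcoin).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity / group identity


def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over F_P (handles doubling and a + (-a))."""
    if a is INF:
        return b
    if b is INF:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return INF
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication with k reduced mod the group order."""
    result, addend, k = INF, pt, k % N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def ec_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)


def hash_to_curve(tag: bytes):
    """Try-and-increment hash-to-curve (assumed here; the paper cites Fouque-Tibouchi).
    Nobody learns log_G of the result, which is what makes the commitment binding."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(tag + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # square-root candidate; valid since P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        ctr += 1


def asset_generator(asset_tag: str):
    """H_A: the value generator for asset A (the prefix string is a constructed choice)."""
    return hash_to_curve(b"confidential-assets-example:" + asset_tag.encode())


def commit(value: int, blind: int, asset_tag: str):
    """Pedersen commitment C = value*H_A + blind*G."""
    return ec_add(ec_mul(value, asset_generator(asset_tag)), ec_mul(blind, G))


def balances(inputs, outputs) -> bool:
    """Public check: sum(inputs) - sum(outputs) is the identity.  Only points are seen."""
    acc = INF
    for c in inputs:
        acc = ec_add(acc, c)
    for c in outputs:
        acc = ec_add(acc, ec_neg(c))
    return acc is INF


def demo():
    """Constructed sample transactions; returns (honest, inflation, swap, multi)."""
    r1, r2, r3, s1, t1 = (secrets.randbelow(N) for _ in range(5))
    r4 = (r1 + r2 - r3) % N  # the spender picks the last blinding factor to close the sum
    ins = [commit(7, r1, "BTC"), commit(3, r2, "BTC")]
    honest = balances(ins, [commit(6, r3, "BTC"), commit(4, r4, "BTC")])
    # 10 in, 11 out: the amounts no longer cancel, so the check fails.
    inflation = balances(ins, [commit(6, r3, "BTC"), commit(5, r4, "BTC")])
    # 10 BTC in, 10 GOLD out: the asset generators differ, so the check fails.
    swap = balances(ins, [commit(6, r3, "GOLD"), commit(4, r4, "GOLD")])
    # One transaction moving two assets, each balanced on its own: accepted.
    multi = balances([commit(5, s1, "BTC"), commit(2, t1, "GOLD")],
                     [commit(5, r1, "BTC"), commit(2, (s1 + t1 - r1) % N, "GOLD")])
    return honest, inflation, swap, multi
```

The verifier in `balances` never receives an amount, a blinding factor or an asset tag; it only adds and negates points, which is exactly the information a public ledger node has. The asset-swap case is the one that distinguishes confidential assets from plain confidential transactions: with a single generator H, ten units in and ten units out would cancel regardless of what the units were.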


Notes

  1. While our rangeproof does require setup, the only generated parameters are uniformly random curve points, which can be generated with no possibility of trapdoor information, e.g. by the algorithm of Fouque and Tibouchi [7].

  2. Typically the group order \(\mathcal {C}\approx 2^{256}\) and \(R\approx 2^{64}\), so this requirement is physically impossible to violate in practice.

  3. The optimality of one base over another comes from the fact that numbers in higher bases have fewer digits, reducing the number of OR proofs, while increasing the size of each individual OR proof. Since in base b the Alpha rangeproof requires b scalars and a commitment, while our optimization requires only \(b-1\) scalars and a commitment, the optimum has shifted.

References

  1. Abe, M., Ohkubo, M., Suzuki, K.: 1-out-of-n signatures from a variety of keys. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 415–432. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_26

  2. Back, A.: Announcing sidechain elements: open source code and developer sidechains for advancing bitcoin. Blockstream blog post (2015). https://blockstream.com/2015/06/08/714/

  3. Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.: SNARKs for C: verifying program executions succinctly and in zero knowledge. Cryptology ePrint Archive, Report 2013/507 (2013). http://eprint.iacr.org/2013/507

  4. Cabarcas, D., Demirel, D., Göpfert, F., Lancrenon, J., Wunderer, T.: An unconditionally hiding and long-term binding post-quantum commitment scheme. Cryptology ePrint Archive, Report 2015/628 (2015). http://eprint.iacr.org/2015/628

  5. Camenisch, J., Chaabouni, R., Shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_15

  6. Chaabouni, R., Lipmaa, H., Zhang, B.: A non-interactive range proof with constant communication. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 179–199. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32946-3_14

  7. Fouque, P.-A., Tibouchi, M.: Indifferentiable hashing to Barreto–Naehrig curves. In: Hevia, A., Neven, G. (eds.) LATINCRYPT 2012. LNCS, vol. 7533, pp. 1–17. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33481-8_1

  8. Friedenbach, M., Timón, J.: Freimarkets: extending bitcoin protocol with user-specified bearer instruments, peer-to-peer exchange, off-chain accounting, auctions, derivatives and transitive transactions (2013). http://freico.in/docs/freimarkets-v0.0.1.pdf

  9. Grigg, I.: The ricardian contract. In: First IEEE International Workshop on Electronic Contracting. IEEE (2004)

  10. Hearn, M.: Merge avoidance: privacy enhancing techniques in the bitcoin protocol (2013). http://www.coindesk.com/merge-avoidance-privacy-bitcoin/

  11. Jedusor, T.: Mimblewimble. Defunct hidden service (2016). http://5pdcbgndmprm4wud.onion/mimblewimble.txt. Reddit discussion at https://www.reddit.com/r/Bitcoin/comments/4vub3y/mimblewimble_noninteractive_coinjoin_and_better/

  12. jl2012: OP_CHECKCOLORVERIFY: soft-fork for native color coin support. BitcoinTalk post (2013). https://bitcointalk.org/index.php?topic=253385.0

  13. Maxwell, G.: CoinJoin: bitcoin privacy for the real world. BitcoinTalk post (2013). https://bitcointalk.org/index.php?topic=279249.0

  14. Maxwell, G.: Confidential transactions. Plain text (2015). https://people.xiph.org/~greg/confidential_values.txt

  15. Maxwell, G., Poelstra, A.: Borromean Ring Signatures (2015). http://diyhpl.us/~bryan/papers2/bitcoin/Borromean%20ring%20signatures.pdf

  16. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2009). https://www.bitcoin.org/bitcoin.pdf

  17. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9

  18. Project Ethereum: Create your own crypto-currency with Ethereum (2016). https://www.ethereum.org/token. Accessed 31 Oct 2016

  19. Schoenmakers, B.: Interval proofs revisited. In: Slides Presented at International Workshop on Frontiers in Electronic Elections (2005)

  20. Southurst, J.: Blockchain’s sharedcoin users can be identified, says security expert (2014). http://www.coindesk.com/blockchains-sharedcoin-users-can-identified-says-security-expert/

  21. Wilcox-O’Hearn, Z.: Zcash begins. ZCash Blog Post (2016). https://z.cash/blog/zcash-begins.html. Accessed 31 Oct 2016

  22. Wood, G.: Ethereum: a secure decentralised generalised transaction ledger (2014). http://gavwood.com/paper.pdf

Acknowledgements

We thank Ben Gorlick for his input on the practical requirements of a confidential assets-based system, for his technical review, and for his feedback on the systems design.

Corresponding author

Correspondence to Andrew Poelstra.

A Appendix: Proofs

Theorem 8

Fix integers \(i\ge 0\), \(m>0\). Consider an algorithm \(\mathcal {A}\) which can produce the tuple

$$\begin{aligned} \pi = (\alpha , e_0, C, s_1, \ldots , s_{m-1}) \end{aligned}$$

such that one can define, for \(j\in \{1,\ldots ,m-1\}\),

$$\begin{aligned} e_j\leftarrow \mathcal {H}\left( s_jG - e_{j-1}\left[ C - jm^iH\right] \right) , \end{aligned}$$
$$\begin{aligned} R\leftarrow e_{m-1} C, \end{aligned}$$

and it holds that \(e_0 = \mathcal {H}(R\Vert \alpha )\). (Observe that the formula for \(e_j\) is the same as (1) from Definition 9; this represents the verification equation of a single ring. Here \(\alpha \) is auxiliary data that \(\mathcal {A}\) chooses, but in the full algorithm it consists of the R values from the other rings.)

Then a simulator \(\mathcal {B}\) exists which, given oracle access to \(\mathcal {A}\), can extract an opening \((v, r)\) such that \(\mathrm {Open}(v, r, C)\) accepts and \(v\in \{0, m^i, \ldots , (m-1)m^i\}\).

Proof

Suppose that \(\mathcal {A}\) makes at most q random oracle queries. \(\mathcal {B}\) acts as follows. For each random oracle query it chooses a uniformly random scalar and responds with this.

It chooses \(i^*\in \{1,\ldots ,q\}\) uniformly at random, and on the \(i^*\)th query, \(\mathcal {B}\) forks \(\mathcal {A}\) into \(\mathcal {A}\) and \(\mathcal {A}'\). It gives \(e_{i^*}\) to \(\mathcal {A}\), \(e_{i^*}'\) to \(\mathcal {A}'\), and answers further queries from other algorithms with uniformly random values.

Let the final output of the two algorithms be

$$\begin{aligned} \pi = (\alpha , e_0, C, s_1, \ldots , s_{m-1}) \end{aligned}$$
$$\begin{aligned} \pi ' = (\alpha ', e_0', C', s_1', \ldots , s_{m-1}') \end{aligned}$$

and similarly \(e_j\) and \(e_j'\) are defined as in the hypothesis.

With probability \(1/q - \mathrm{negl}\), we have \(e_j=e_j'\) for all j except one, \(j^*\). (This is the probability that the \(i^*\)th query was the last \(e_j\) that \(\mathcal {A}\) needed, and that it obtained every \(e_j\) by querying the random oracle rather than guessing.) Abort otherwise.

We consider four cases.

  1. If \(j^* = m-1\), then

    $$\begin{aligned} e_0 = \mathcal {H}(e_{m-1}C\Vert \alpha ) = \mathcal {H}(e_{m-1}'C'\Vert \alpha ') = e_0' \end{aligned}$$

    so that except with negligible probability, \(\alpha = \alpha '\) and \(C = \frac{e_{m-1}'}{e_{m-1}}C'\). Now,

    $$\begin{aligned} e_{m-1} = \mathcal {H}\left( s_{m-1}G - e_{m-2}\left[ C - (m-1)m^iH\right] \right) \end{aligned}$$
    $$\begin{aligned} e_{m-1}' = \mathcal {H}'\left( s_{m-1}'G - e_{m-2}\left[ C' - (m-1)m^iH\right] \right) \end{aligned}$$

    where \(\mathcal {H}\), \(\mathcal {H}'\) are used to emphasize which side of the fork received these random oracle responses. But by hypothesis, the input to these queries is the same, that is,

    $$\begin{aligned} s_{m-1}G - e_{m-2}\left[ C - (m-1)m^iH\right] = s_{m-1}'G - e_{m-2}\left[ C' - (m-1)m^iH\right] \end{aligned}$$

    which is sufficient to solve for the discrete logarithms r, \(r'\) of \(C - (m-1)m^iH\) and \(C' - (m-1)m^iH\), giving us openings \((m-1, r)\) and \((m-1, r')\) for the commitments of the two forks.

  2. If \(j^* \ne m-1\) and \(C=C'\), then

    $$\begin{aligned} e_{j^*+1}&= \mathcal {H}\left( s_{j^*+1}G - e_{j^*}\left[ C - j^*m^iH\right] \right) \\&= \mathcal {H}\left( s_{j^*+1}'G - e_{j^*}'\left[ C - j^*m^iH\right] \right) \\&= e_{j^*+1}' \end{aligned}$$

    and we can solve for the discrete logarithm r of \(C - j^*m^iH\), and our desired opening for C (the output of both forks) is \((j^*m^i, r)\).

  3. If \(j^*=0\) and \(C\ne C'\), we have that the inputs to

    $$\begin{aligned} e_0 = \mathcal {H}(e_{m-1}C\Vert \alpha ) \end{aligned}$$
    $$\begin{aligned} e_0' = \mathcal {H}(e_{m-1}'C'\Vert \alpha ') \end{aligned}$$

    are the same, and \(e_{m-1} = e_{m-1}'\) by hypothesis. This implies \(C=C'\), a contradiction.

  4. If \(0<j^*< m-1\) and \(C\ne C'\), observe that

    $$\begin{aligned} e_{j^*} = \mathcal {H}\left( s_{j^*}G - e_{j^*}\left[ C - j^*m^iH\right] \right) \end{aligned}$$
    $$\begin{aligned} e_{j^*}' = \mathcal {H}'\left( s_{j^*}'G - e_{j^*}'\left[ C' - j^*m^iH\right] \right) \end{aligned}$$

    and as in case 1, by hypothesis

    $$\begin{aligned} s_{j^*}G - e_{j^*}\left[ C - j^*m^iH\right] = s_{j^*}'G - e_{j^*}'\left[ C' - j^*m^iH\right] \end{aligned}$$
    (2)

    Similarly,

    $$\begin{aligned} e_{m-1}&= \mathcal {H}\left( s_{m-1}G - e_{m-2}\left[ C - (m-1)m^iH\right] \right) \\&= \mathcal {H}\left( s_{m-1}'G - e_{m-2}'\left[ C' - (m-1)m^iH\right] \right) \\&= e_{m-1}' \end{aligned}$$

    so

    $$\begin{aligned} s_{m-1}G - e_{m-1}\left[ C - (m-1)m^iH\right] = s_{m-1}'G - e_{m-1}'\left[ C' - (m-1)m^iH\right] \end{aligned}$$
    (3)

    Now, after rearranging, (2) is

    $$\begin{aligned} \frac{1}{j^*m^i(e_{j^*}' - e_{j^*})} \left[ (s_{j^*} - s_{j^*}') G + e_{j^*}'C' - e_{j^*}C \right] = H \end{aligned}$$

    and (3) is

    $$\begin{aligned} \frac{1}{(m-1)m^i(e_{m-1}' - e_{m-1})} \left[ (s_{m-1} - s_{m-1}') G + e_{m-1}'C' - e_{m-1}C \right] = H \end{aligned}$$

    which combine to determine the discrete logarithms r, \(r'\) of C and \(C'\), so that (0, r) and \((0, r')\) are the desired openings.

1.1 A.1 Proof of Theorem 3

Proof

Recall that G is a fixed random generator of \(\mathcal {G}\). Let \((G, X)\) be \(\mathcal {B}\)’s discrete logarithm challenge, i.e. \(\mathcal {B}\) succeeds if it outputs x such that \(X = xG\). We consider two types of adversary: a Type I adversary’s output satisfies \(\sum _{i=1}^n r_i\ne r\), while a Type II adversary’s output has equality. We assume that \(\mathcal {A}\) makes at most q random oracle queries.

For a Type I adversary, \(\mathcal {B}\) acts as follows.

First, \(\mathcal {B}\) responds to random oracle queries by choosing random scalars s and replying with sX. Then from \(\mathcal {A}\)’s perspective, \(\mathrm {Setup}_i\) outputs uniformly random generators \(H_i\); however, \(\mathcal {B}\) knows scalars \(s_i\) such that \(H_i = s_iX\).

Now, let \((C_i, v_i, r_i, v, r)\) for \(i=1,\ldots ,n\) be the output of \(\mathcal {A}\). Write \(C=\sum _{i=1}^nC_i\). We have

$$\begin{aligned} 0&= C - \sum _{i=1}^n C_i \\&= vH_0 + rG - \sum _{i=1}^n [v_iH_i + r_iG] \\&= vs_0X + rG - \sum _{i=1}^n [v_is_iX + r_iG] \\&= \left[ vs_0 - \sum _{i=1}^n v_is_i\right] X + \left[ r - \sum _{i=1}^n r_i\right] G \end{aligned}$$

Since the sum in the right term is nonzero for a Type I adversary, so must be the sum in the left term, so we have

$$\begin{aligned} x = \frac{r - \sum _{i=1}^n r_i}{vs_0 - \sum _{i=1}^n v_is_i} \end{aligned}$$

which satisfies \(X = xG\).

For a Type II adversary, \(\mathcal {B}\) acts as follows. It responds as the Type I simulator does, except that for one random oracle query it replies with sG rather than sX. Then with probability 1/q we have \(H_0 = s_0G\), and if not we abort. We also abort if \(s_0 = 0\), which occurs with negligible probability.

The above equation then becomes

$$\begin{aligned} 0 = \left[ \sum _{i=1}^n v_is_i\right] X + \left[ vs_0 + r - \sum _{i=1}^n r_i\right] G \end{aligned}$$

where the right term is equal to \(vs_0\ne 0\), so the left term must also be nonzero, and

$$\begin{aligned} x = \frac{vs_0}{\sum _{i=1}^n v_is_i} \end{aligned}$$

satisfies \(X = xG\).

Copyright information

© 2019 International Financial Cryptography Association

About this paper

Cite this paper

Poelstra, A., Back, A., Friedenbach, M., Maxwell, G., Wuille, P. (2019). Confidential Assets. In: Zohar, A., et al. (eds.) Financial Cryptography and Data Security. FC 2018. Lecture Notes in Computer Science, vol. 10958. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-58820-8_4

  • DOI: https://doi.org/10.1007/978-3-662-58820-8_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-58819-2

  • Online ISBN: 978-3-662-58820-8
