Bitcoin is an online distributed ledger in which coins are distributed according to the unspent transaction output (UTXO) set, and transactions describe changes to this set. Every UTXO has associated with it an amount and a signature verification key, representing the quantity that can be spent and the entity authorized to spend it, respectively.
Because the ledger is distributed and publicly verifiable, every UTXO (and the history of all changes to the set) is publicly available and may be used to analyze all users’ payment histories. Although this history is not directly linked to real-world identities, it exposes enough structure that even small amounts of personally identifiable information may completely break users’ privacy. Further, the ability to trace coin history creates a market for “clean” coins, harming the fungibility of the underlying asset.
In this paper we describe a scheme, confidential transactions, which blinds the amounts of all UTXOs, while preserving public verifiability that no transaction creates or destroys coins. This removes a significant amount of information from the transaction graph, improving privacy and fungibility without a trusted setup or exotic cryptographic assumptions.
We further extend this to confidential assets, a scheme in which a single blockchain-based ledger may track multiple asset types. We extend confidential transactions to blind not only output amounts, but also their asset type, improving the privacy and fungibility of all assets.
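The balance check that the two preceding paragraphs rely on (blinded amounts, and then blinded asset types, while anyone can still verify that no transaction creates or destroys coins) is an additively homomorphic commitment. The following is an added illustration, not code from the paper or from any implementation of it. It assumes secp256k1 as the group, a hash-to-curve routine for deriving per-asset generators H_A, and the commitment forms A = H_A + s·G and C = v·A + r·G; the function names, the asset identifiers and the amounts are constructed for the example. It deliberately omits the range proofs and asset surjection proofs that the real scheme also attaches to every output, and the last scenario shows why they cannot be omitted.

```python
"""Homomorphic commitments behind confidential transactions (CT) and confidential
assets (CA).  Added example, not the paper's code.  secp256k1 arithmetic is written
out by hand and is neither fast nor constant-time; it exists only so the balance
check below runs offline.  Range proofs and asset surjection proofs are out of scope."""
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication, k taken modulo the group order."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def hash_to_curve(tag: bytes):
    """Nothing-up-my-sleeve generator: hash the tag to an x coordinate and take the
    first one on the curve (P % 4 == 3, so the square root is a single pow())."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(tag + bytes([ctr])).digest(), "big") % P
        rhs = (x * x * x + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
    raise RuntimeError("no curve point found")  # astronomically unlikely


def asset_generator(asset_id: bytes):
    """H_A: a per-asset generator whose discrete log relative to G is unknown."""
    return hash_to_curve(b"CA/asset/" + asset_id)


def asset_commit(asset_id: bytes, s: int):
    """Blinded asset tag A = H_A + s*G; hides which asset an output carries."""
    return ec_add(asset_generator(asset_id), ec_mul(s, G))


def value_commit(v: int, asset_cmt, r: int):
    """Value commitment C = v*A + r*G.  Plain CT is the case A = H and s = 0."""
    return ec_add(ec_mul(v, asset_cmt), ec_mul(r, G))


def g_coefficient(v: int, s: int, r: int) -> int:
    """Scalar multiple of G hidden inside v*(H_A + s*G) + r*G, namely v*s + r."""
    return (v * s + r) % N


def build_outputs(inputs, outputs):
    """inputs/outputs: lists of (asset_id, v, s, r).  The LAST output's r must be None:
    it is chosen so that all G terms cancel, which is how the sender makes the
    transaction verify.  Returns (input commitments, output commitments)."""
    in_cmts = [value_commit(v, asset_commit(a, s), r) for a, v, s, r in inputs]
    total = sum(g_coefficient(v, s, r) for _, v, s, r in inputs)
    total -= sum(g_coefficient(v, s, r) for _, v, s, r in outputs[:-1])
    a, v, s, _ = outputs[-1]
    r_last = (total - v * s) % N  # absorbs the remaining G component
    out_cmts = [value_commit(v2, asset_commit(a2, s2), r2) for a2, v2, s2, r2 in outputs[:-1]]
    out_cmts.append(value_commit(v, asset_commit(a, s), r_last))
    return in_cmts, out_cmts


def verify_balance(in_cmts, out_cmts) -> bool:
    """Public check: sum(inputs) - sum(outputs) must be the point at infinity.
    The verifier sees only commitments, never amounts, blinding factors or assets."""
    acc = None
    for c in in_cmts:
        acc = ec_add(acc, c)
    for c in out_cmts:
        acc = ec_add(acc, ec_neg(c))
    return acc is None


def demo():
    """Constructed scenarios.  Returns (balanced, wrong amount, wrong asset, overflow)."""
    rnd = secrets.randbelow
    inputs = [(b"BTC", 5, rnd(N), rnd(N)), (b"USD", 100, rnd(N), rnd(N))]
    good = [(b"BTC", 3, rnd(N), rnd(N)), (b"BTC", 2, rnd(N), rnd(N)), (b"USD", 100, rnd(N), None)]
    bad_amt = [(b"BTC", 3, rnd(N), rnd(N)), (b"BTC", 3, rnd(N), rnd(N)), (b"USD", 100, rnd(N), None)]
    bad_asset = [(b"USD", 5, rnd(N), rnd(N)), (b"USD", 100, rnd(N), None)]
    # Without a range proof, a "negative" amount (N-1 == -1 mod N) lets 5 BTC become 6 BTC.
    overflow = [(b"BTC", 6, rnd(N), rnd(N)), (b"BTC", N - 1, rnd(N), rnd(N)), (b"USD", 100, rnd(N), None)]
    return tuple(verify_balance(*build_outputs(inputs, o)) for o in (good, bad_amt, bad_asset, overflow))
```

The first three results show what the homomorphism buys: the verifier learns nothing but the sum of commitments, yet an output that changes the total of an asset, or moves value from one asset generator to another, does not cancel. The fourth result is the caveat: the balance equation holds modulo the group order, so an amount of N-1 behaves like -1 and inflates the supply while still verifying. That is why every output in the real scheme carries a range proof bounding v, and every blinded asset tag carries a surjection proof showing it re-blinds one of the input assets; this example implements neither.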
We thank Ben Gorlick for his input on the practical requirements of a confidential assets-based system, for his technical review, and for his feedback on the systems design.