Confidential Transactions - Reading Assignment

Range proofs are used to prove that the amount of the tx is within a specific range without revealing the amount. :slight_smile:

  1. CTs obscure the transaction amounts.
  2. The commutative property means that the sum of a set of commitments is equal to a commitment of the sum of the data. It means that the math of the transaction works.
  3. The scanning key lets you display the actual value amounts if necessary.
  4. Range proofs are used to prove the values of the transaction are positive without giving away the amount.
  5. around 2k per transaction
1 Like
  1. What piece of information do Confidential Transactions obscure?
    The amount transferred

  2. What is the ‘commutative property’ and how does it relate to Confidential Transactions?
    It essentially means that the inputs equal the output. It is a property of CTs and makes sure that the integrity of Bitcoin transactions is maintained.

  3. What is the ‘scanning key’ and what important function does it enable?
    A scanning key is a shared secret used to reveal the values of a transaction.

  4. What do ‘range proofs’ do and why are they necessary in Confidential Transactions?
    Range proofs make sure that the transaction amount is valid/correct all the while keeping the amount anonymous

  5. How does Confidential Transactions affect the size of a blockchain?
    CT’s would increase the block size significantly

1 Like

1. What piece of information do Confidential Transactions obscure? amounts

2. What is the ‘commutative property’ and how does it relate to Confidential Transactions? Commitments are additive. The sum of the commitments is the same as the commitments to a set of data with a blinding key (large random seed number). commitment = SHA256( blinding_factor || data )

3. What is the ‘scanning key’ and what important function does it enable? It’s a shared secret so it allows who you share it with to view the amounts.

4. What do ‘range proofs’ do and why are they necessary in Confidential Transactions? they are used to prove that transactions are within a specified range but without having to disclose the amount.

5. How does Confidential Transactions affect the size of a blockchain? increases it as the size is non trivial but it can be placed outside of the block.

1 Like
  1. The amount in the transaction is obscure.
  2. A binary operation is commutative if changing the order of the operations does not change the result. Confidential transactions make use of Pedersen Commitments in order to provide confidentiality. Pedersen commitments also allow addition operations and preserve commutative property on the commitments.
  3. The scanning key is used to establish the shared secret used by rewindable range proofs, enabling “watch only wallets”.
  4. Range proofs make the range incapable of overflow, in Confidential Transactions it is vital to avoid overflow.
  5. Confidential Transactions increase Blockchain size by replacing 8 byte integers with 33 byte Pedersen commitments.
1 Like
  1. What piece of information do Confidential Transactions obscure?
    Confidential Transactions keep transaction amounts private.
  2. What is the ‘commutative property’ and how does it relate to Confidential Transactions?
    Allows you to change the order of factors in a sum; it is one of the properties of “Pedersen commitment”, the basic tool that CT are based on.
  3. What is the ‘scanning key’ and what important function does it enable?
    The scanning key is used to establish the shared secret used by the rewindable range proofs. Watching wallets can use these keys to view transaction amounts
  4. What do ‘range proofs’ do and why are they necessary in Confidential Transactions?
    A range proof is a form of commitment validation that enables everyone to verify the range of value for the commitment without giving the precise information about it. It is only used with multiple confidential value outputs and they have an order of magnitude which is smaller and thus faster to verify than other alternatives. They are necessary in Confidential Transactions because they make it possible to keep transaction amounts secret while proving the commitment.
  5. How does Confidential Transactions affect the size of a blockchain?
    It builds up the size due to the additional information. This could impact scalability and performance.
1 Like

1. What piece of information do Confidential Transactions obscure?
the value
2. What is the ‘commutative property’ and how does it relate to Confidential Transactions?
a+b=b+a, ab=ba
The commutative property allows constructing the Pedersen Commitment, which is a proof of the sum of the values. This is sufficient for the blockchain to verify the TX.
3. What is the ‘scanning key’ and what important function does it enable?
The SK are for auditors to be able to view TX amounts without intermediaries
4. What do ‘range proofs’ do and why are they necessary in Confidential Transactions?
Value range has a limited size. For one TX it can be proven easily. For several TXs the sum value can overflow the max amount, thus resulting in a not valid number. This could be exploited for generating new coins.
5. How does Confidential Transactions affect the size of a blockchain?
The proof for a 32-bit value is 2564 bytes. This amounts for every TX, which is currently not supported by the Bitcoin blockchain. Only for suggesting to increase the block size, the small blockers gonna kill you!

1 Like
  1. What piece of information do Confidential Transactions obscure?
    The amount of transactions is obscured.
  2. What is the ‘commutative property’ and how does it relate to Confidential Transactions?
    A mathematical operation is commutative when you can change the order of the factors and the result is the same. It’s related to Confidential Transactions as they are based on Pedersen Commitments, which use this property.
  3. What is the ‘scanning key’ and what important function does it enable?
    The ‘scanning key’ is the one used to establish the secret and can therefore be used to read the amounts.
  4. What do ‘range proofs’ do and why are they necessary in Confidential Transactions?
    Range proofs validate that transaction amounts are acceptable without revealing the exact amounts.
  5. How does Confidential Transactions affect the size of a blockchain?
    Confidential Transactions require including more data which makes the blockchain bigger.
1 Like

1.- TX amounts are just visible to the ones involved in it.

2.- It’s a rule from mathematics, the arguments of an operation can be changed w/o changing the result.

3.- It is used to establish the shared secret.

4.- They assure each TX is included within a range that can’t be surpassed.

5.- They increase the block size.

1 Like
  1. transaction amounts private
  2. the math operations can be rearranged and result in the same values
  3. shared secret
  4. make sure the values are within the acceptable range and not negative
  5. the 8 byte integer amounts are replaced with 33 byte pedersen commitments
1 Like

You need to have a graduate degree in math to understand this. I have an extensive background in math and I have no idea what he is talking about. I feel really bad for people trying to read this who don’t have the kind of background that I have in math. They must feel really hopeless. It’s no wonder this lesson has a 20% drop in activity from the last lesson.

  1. What piece of information do Confidential Transactions obscure?
    Transaction amount.
  2. What is the ‘commutative property’ and how does it relate to Confidential Transactions?
    When an operation between two numbers does not depend on the order of the numbers. 5 + 3 = 3 + 5, 2 * 7 = 7 * 2. It relates to Confidential Transactions because Pedersen commitments can be added together and of course you can add them in any order.
  3. What is the ‘scanning key’ and what important function does it enable?
    The scanning key is used to generate a shared secret. It can be used to reveal the wallet balance.
  4. What do ‘range proofs’ do and why are they necessary in Confidential Transactions?
    They prove that the committed output is within a certain range. They prove that the amount is not negative, which would essentially allow for generating new coins.
  5. How does Confidential Transactions affect the size of the blockchain?
    It is increased. The amounts are now 33-byte Pedersen commitments instead of “8-byte integers”. (I was pretty sure you can send a fraction of a Bitcoin. So I don’t know why the amounts were previously considered “integers”.)
1 Like

I agree that the Privacy course is easily the hardest course in the academy. But the math can be understood even by someone that doesn’t have a math degree… I have a computer science degree :smile:

Btw what happened to the final three answers?

1 Like
  1. What piece of information do Confidential Transactions obscure?
    Obscures the transaction amount, visible only to transacting parties

  2. What is the ‘commutative property’ and how does it relate to Confidential Transactions?
    That ECC outputs are additive/multiplicative, its linear output is interrupted and so loses information as its number line is generated, which allows for both sides of the equation additive/multiplicative outputs to be verifiable without revealing its discrete components because its division/subtraction information is lost during the output generation by ECC…so division and subtraction don’t lend themselves to be used in the equation by ECC to compute these discrete components to mathematically verify the equation. Thus the equation’s properties are verifiable mathematically, not its components…commutative property. This means a blinding factor can be added to both sides of the equation and it will remain equal even after it is hashed.

  3. What is the ‘scanning key’ and what important function does it enable?
    Secret key shared by the transacting parties, so the transaction amount is auditable by these parties.

  4. What do ‘range proofs’ do and why are they necessary in Confidential Transactions?
    A defined range within which the transaction value must exist, without which it may be possible to output a mathematically correct but false amount of bitcoin.

  5. How does Confidential Transactions affect the size of a blockchain?
    Significant increase in transactional information and thus block size

1 Like
  1. The piece of information that Confidential Transactions obscures is the amounts transferred. Allowing them to be visible only to participants in the transaction (and those they designate).
  2. The ‘commutative property’ is a property of binary operations, for which changing the order of the operands (quantity on which an operation is performed) does not change the result. This relates to Confidential Transactions in that a blinding factor is present because without one, someone could try guessing at the data; if your data is small and simple, it might be easy to just guess it and compare the guess to the commitment.
  3. The ‘scanning key’ is used to establish the shared secret used by the rewindable range proofs, and the important function it enables is that users can share these keys with auditors to enable them to view their transaction amounts.
  4. ‘Range proofs’ prove that each committed output is within a range which cannot overflow (e.g. [0, 2^64)). They are necessary in Confidential Transactions to avoid the addition of large values which can ‘overflow’ and behave like negative amounts, effectively allowing the creation of coins from nothing.
  5. Confidential Transactions have little effect on the size of a blockchain by making the transaction amounts private, as they enable this without adding any new basic cryptographic assumptions to the Bitcoin system, and with a manageable level of overhead.
1 Like

Okay then maybe you can help.

Pub = xG

So here G is a point on the elliptic curve. You can transform the point by creating a line between the last point and the current point and then finding the intersection with the graph. So basically you have to calculate the points one at a time.

  1. How is it possible to do x transformations if x is an extremely large number? Wouldn’t that take forever? Wouldn’t it be akin to just guessing all of the private keys?
  2. How is a point on a graph considered a “pub key”. A point on a graph consists of 2 numbers, but a pub key is just one number.

The result is usually serialized as a 33-byte array.

  1. What is a 33-byte array? I thought the pub key was just a simple large number?

Pub1 + Pub2 = (x1 + x2 (mod n))G.

  1. Why does he add “mod n” here but not on the last calculation?
  2. If you take the mod of the “number of transformations” then doesn’t that mean two private keys can have the same public key?
  3. What is n anyways?

created by picking an additional generator for the group (which we’ll call H) such that no one knows the discrete log for H with respect to G

H = to_point(SHA256(ENCODE(G)))

  1. So G and H are known by everybody in the network? Basically a convention? So what if somebody discovers x where H = xG? Does that mean that the whole past and future blockchain are compromised?
  2. How can you do SHA256 on a point on a graph? And how can you then turn a SHA256 into a point on a graph? It seems very arbitrary. I don’t understand why someone can’t find x where H = xG.
  3. You mean to tell me that other people are reading this and understanding this?
(In1 + In2 + In3 + plaintext_input_amount*H...) -
(Out1 + Out2 + Out3 + ... fees*H) == 0.
  1. Okay now why is he adding “plaintext_input_amount*H” to the inputs? I thought the input amounts were already included in “In1, In2, In3”. How come he’s multiplying by H? Where’s the blinding factor for this term?

This requires making the fees in a transaction explicit, but that’s generally desirable.

  1. How are the fees “explicit” when they are being multiplied by H? It’s like getting a private key from a public key, which is not easy.

At this point in the article I’m about halfway. And I have more questions than it’s even feasible to ask. I haven’t even gotten to the part where I can answer the questions.

So I shrug it off and continue. But as I read the article gets more and more confusing. It’s to the point now where I can’t even articulate the questions that I need to ask.

I feel like it’s unreasonable to expect us to read this article and answer these questions.

Ohh sorry, I thought the question was about the Elliptic curve which is a bit less difficult. I admit I have trouble with the math from Maxwell as well. But the questions in the course don’t require knowing them in detail so one can still answer them. On that note Maxwell is a well known and respected member of the community and a lot of BIPs are credited to him.

No because the number is still quite a bit smaller than the possible range of private keys. You only have to do this calculation once. So if you have a complex key pair it can take quite a while for your PC to calculate the pair. Like the PGP pair I use for authentication on servers, which is 4096 bit.

Most examples use a Cartesian graph which is simplest to understand for most people. You can use something like a polar graph to represent points as one number and they can be converted from one to another. Graphs are just a visual representation of the actual math.

To represent large numbers in a computer you have to use multiple register addresses instead of one that you usually use for a simple integer for example. To do this you use an array because it’s the simplest way to implement such large numbers in a PC. Register is technically just a very large array.

Yes it can happen, it’s called a collision, kind of like in sha. Public keys are usually smaller than public keys so therefore you are bound to have collisions.

From there on it gets too complicated for me, but you can ask on bitcointalk if you want a more detailed explanation or maybe @BERGLUND will come to the rescue.

1 Like
  1. The amount transacted (visible only to the participants and anyone they choose).
  2. The commutative addition property that gmaxwell is referring to is that changing the order of the operands doesn’t change the result. Using the Pedersen Commitment, you can add operands to the equation but simultaneously preserving the result of the equation (prior to adding the operands).
  3. A scanning key can be used to establish the shared secret, which allows auditors to observe the transactions.
  4. Range proofs are a way of validating the transaction without disclosing the actual amount that was transacted.
  5. They make the transactions larger because the Pedersen Commitments replace the 8-byte integers with 33-byte integers.
1 Like

The amount transferred

The addition of the Blinding Factor does not destroy the commutative property of the hash. As such, Confidential Transaction is made possible.

Scanning Keys act like watch wallets which would allow auditors to view the amounts.

Range proofs check if the floating decimal point in CT is correct. If it is not checked, negative-like values (overflow) might compute, resulting in creation of excess coins.

32-bit value is 2564 bytes, and simultaneously may convey 2048 bytes of message.

1 Like
  1. transaction amounts

  2. It allows you to change the order factors in a sum. It is one of the properties of Pedersen commitment,
    the tool that the confidential transactions are based upon.

  3. the scanning key makes it possible for auditors for example to see the amounts of transactions.

  4. It allows a form of commitment validation that allows others to validate that it is within range without sharing transaction amounts.

  5. it increases the size of the blockchain

1 Like
  1. TX amounts
  2. Binary operation is commutative because changing the order of operatives does not change the results. It is a property of Pedersen commitments that is used to generate confidential TX.
  3. It is used to establish a shared secret. This approach is completely compatible with watching wallets; users can share these keys with auditors to enable them to view their transaction amounts.
  4. It assures that each TX is included in a range that can not be surpassed so as not to create overflow value.
  5. Increases the size of the blockchain.
1 Like