Confidential transactions are transactions in which the transferred amounts are “hidden”, while the validity of the transaction remains publicly verifiable (i.e. no money is created out of thin air). Unlike Monero and ZCash, which provide both confidentiality and anonymity, they do not provide anonymity per se; still, confidential transactions are an important first step in the right direction, and in some use cases hiding the identity of the parties is not even desired: only the transacted amounts need to be hidden, to keep them as business secrets.

Without doubt, the flagship of these proposals is the AZTEC protocol (Anonymous Zero-Knowledge Transactions with Efficient Communication), created by Zachary Williamson. First, Zac proposes a novel perfectly hiding and computationally binding commitment scheme, tailored to admit efficient range proofs. He then defines the Joinsplit protocol and a NIZK (non-interactive zero-knowledge) proof system for proving the correctness of Joinsplit transactions.

What are Joinsplit transactions? AZTEC represents money as notes; one might think of them as UTXOs (unspent transaction outputs). In a Joinsplit transaction, input notes are destroyed and output notes of equal total value are created, in a way that keeps the values of these notes encrypted. More precisely, both input and output notes are commitments to the values these notes represent. AZTEC introduces a novel NIZK proof system to prove that the commitments in a Joinsplit transaction are well formed (the transaction originator can open the commitments) and that the sum of the input notes equals the sum of the output notes. Zac shows in the AZTEC paper that the proposed proof system achieves perfect completeness, special soundness and special honest-verifier zero-knowledge in the random oracle model under the q-Strong Diffie-Hellman (q-SDH) assumption.
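To make the Joinsplit balance check concrete, here is an added toy example (not code from AZTEC or from the paper): it uses a Pedersen-style additively homomorphic commitment g^v · h^r in a tiny prime-order subgroup of Z_p*, whereas AZTEC's real commitment scheme is pairing-based and built to admit efficient range proofs. The group parameters, note values and blinding factors are constructed for illustration. The last function also shows why the balance check alone is not enough and a range proof on each output is required: a commitment to a "negative" value balances perfectly under the homomorphic check.

```python
"""Toy Joinsplit balance check with an additively homomorphic commitment.

Added illustration, not AZTEC's own code or commitment scheme: this uses a
Pedersen-style commitment g^v * h^r in a small prime-order subgroup of Z_p^*.
"""
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed toy parameters. P = 2*Q + 1 is a safe prime, so the quadratic
# residues mod P form a subgroup of prime order Q; G = 2^2 and H = 3^2 are
# both squares and therefore generate it. A real system uses a
# cryptographically large group and an H whose discrete log to base G is
# unknown; otherwise the commitment is not binding.
P, Q, G, H = 2039, 1019, 4, 9

# Toy denomination range; AZTEC's protocol bound is 2**32 - 1.
MAX_VALUE = 2**8 - 1


@dataclass(frozen=True)
class Note:
    commitment: int   # public: the only part a verifier sees
    value: int        # private: known to the note owner
    blinding: int     # private random factor that hides the value


def commit(value: int, blinding: int) -> int:
    """Pedersen-style commitment: perfectly hiding thanks to the random
    blinding factor, computationally binding while log_G(H) is unknown."""
    return pow(G, value, P) * pow(H, blinding, P) % P


def new_note(value: int, blinding: Optional[int] = None) -> Note:
    """Create a note; the owner enforces the denomination range locally."""
    if not 0 <= value <= MAX_VALUE:
        raise ValueError("note value outside the allowed range")
    if blinding is None:
        blinding = secrets.randbelow(Q)
    return Note(commit(value, blinding), value, blinding)


def joinsplit(inputs: List[Note], outputs: List[Note]) -> Tuple[List[int], List[int], int]:
    """Sender side: destroy `inputs`, create `outputs`, and publish only the
    commitments plus the blinding-factor difference `delta`. Since every
    blinding factor is uniformly random, `delta` reveals nothing about values."""
    if sum(n.value for n in inputs) != sum(n.value for n in outputs):
        raise ValueError("input and output values do not balance")
    delta = (sum(n.blinding for n in inputs)
             - sum(n.blinding for n in outputs)) % Q
    return ([n.commitment for n in inputs],
            [n.commitment for n in outputs], delta)


def verify_balance(in_commits: List[int], out_commits: List[int], delta: int) -> bool:
    """Verifier side, seeing commitments only. Commitments multiply when
    values add, so prod(inputs) == prod(outputs) * H^delta holds exactly when
    the hidden input and output values sum to the same amount (mod Q)."""
    lhs = 1
    for c in in_commits:
        lhs = lhs * c % P
    rhs = pow(H, delta, P)
    for c in out_commits:
        rhs = rhs * c % P
    return lhs == rhs


def balances_without_range_proof() -> bool:
    """Why a range proof is required: the exponent Q - 1 acts as -1, so a
    single 5-unit input "balances" outputs of 6 and -1 units. The homomorphic
    check accepts this; only a range proof on every output rules it out."""
    r_in, r_a, r_b = 11, 22, 33                          # constructed blindings
    in_commits = [commit(5, r_in)]
    out_commits = [commit(6, r_a), commit(Q - 1, r_b)]   # bypasses new_note's range check
    delta = (r_in - r_a - r_b) % Q
    return verify_balance(in_commits, out_commits, delta)


if __name__ == "__main__":
    owned = [new_note(100), new_note(55)]
    created = [new_note(120), new_note(35)]              # 155 in, 155 out
    ins, outs, delta = joinsplit(owned, created)
    print("balanced joinsplit verifies:", verify_balance(ins, outs, delta))
    print("negative-value output passes balance check alone:",
          balances_without_range_proof())
```

The verifier never learns any note value: it multiplies the public commitments and checks one group equation. The point of the last function is the reason AZTEC's commitment scheme is designed around range proofs: the balance equation holds modulo the group order, so without a proof that each output value lies in the allowed range, a value that wraps around to a negative number would let an output exceed the inputs while still verifying.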

AZTEC’s efficiency comes at a price: it relies on a trusted setup, whose protocol details are not public yet, although I encourage anyone to participate in the trusted setup once the MPC date and protocol details are known. Basically, in the trusted setup the participants need to create Boneh-Boyen signatures on all the numbers in the interval [0..2³²-1] in such a way that the secret signing key is additively shared among the participants and no participant knows the secret key in its entirety. The number 2³²-1 is defined in the protocol as the highest representable AZTEC note denomination.