We propose a pairing-based confidential transaction scheme.
Confidential transactions are a technology that hides the amounts of bitcoins (or any other cryptocurrency) transacted from third parties. Confidential transactions use Pedersen commitments, which are defined as follows. Let G be a base point of an elliptic curve, and let H be a point on the same curve whose discrete logarithm with respect to G is not known. Such an H can be obtained by hashing the base point G to a curve point. The Pedersen commitment to a value a with blinding factor b is
C(a, b) := bG + aH
An interesting fact is that the Pedersen commitment is additively homomorphic:
C(a1, b1) + C(a2, b2) = C(a1+a2, b1+b2)
From now on we omit the blinding factor b for clarity. If one encodes the amounts of bitcoins with Pedersen commitments, then because the sum of all inputs of a transaction equals the sum of all outputs, it immediately follows that
C(in1) + ... + C(inN) = C(out1) + ... + C(outN)
So one can prove that the total amount of bitcoins in the UTXO set is preserved by showing only the above equation, without revealing the transacted values themselves. In this construction, one could set out1 < 0 to mint new coins, which must not be allowed in principle. To prevent this, one has to add an extra proof called a "range proof". Range proofs are a key component of confidential transactions, but we do not describe them in detail because that is beyond our scope.
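The commitment scheme above, worked through as an added example (this is not code from the original post): secp256k1 in pure Python, H derived from G by hashing as the text describes (try-and-increment is the assumed hash-to-point method), and the balance check C(in1) + ... + C(inN) = C(out1) + ... + C(outN). All amounts and blinding factors are constructed values. The last check in the demo reproduces the hole the text warns about: a negative output passes the balance check while minting coins, which is exactly what a range proof has to rule out.

```python
# Added example (not from the original post): Pedersen commitments on
# secp256k1 in pure Python. Curve constants are public; amounts, blinding
# factors and the hash-to-point method (try-and-increment) are constructed
# choices for illustration.
import hashlib

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:   # p1 == -p2
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication; k is reduced mod the group order,
    so negative amounts become their representative mod N."""
    k %= N
    result = None
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def derive_H():
    """Derive H by hashing G's x-coordinate (plus a counter) and lifting the
    digest to a curve point, so nobody knows log_G(H)."""
    counter = 0
    while True:
        digest = hashlib.sha256(G[0].to_bytes(32, "big") + counter.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)   # square root candidate; valid since P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        counter += 1


H = derive_H()


def commit(amount, blind):
    """Pedersen commitment C(a, b) = b*G + a*H."""
    return add(mul(blind, G), mul(amount, H))


def sum_points(points):
    acc = None
    for pt in points:
        acc = add(acc, pt)
    return acc


def balances(inputs, outputs):
    """True iff the input commitments sum to the output commitments.
    inputs/outputs are lists of (amount, blinding factor) pairs."""
    lhs = sum_points([commit(a, b) for a, b in inputs])
    rhs = sum_points([commit(a, b) for a, b in outputs])
    return lhs == rhs


if __name__ == "__main__":
    b1, b2, b3 = 1234567890123, 9876543210987, 555555555   # constructed blinds
    print(balances([(5, b1), (7, b2)], [(12, b1 + b2)]))          # True
    print(balances([(5, b1), (7, b2)], [(13, b1 + b2)]))          # False: amounts differ
    print(balances([(5, b1), (7, b2)], [(12, b1 + b2 + 1)]))      # False: blinds differ
    # 20 coins out of 12 in: passes the balance check because -8 is a
    # valid scalar mod N. This is the case a range proof must exclude.
    print(balances([(5, b1), (7, b2)], [(20, b3), (-8, b1 + b2 - b3)]))  # True
```

The verifier only ever sees curve points, so the balance check reveals nothing about the individual amounts; the fourth call shows why that is not enough on its own.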
A pairing is a bilinear function that maps two elliptic curve points to an element of another group. By bilinearity, the following formula always holds:
e(pG, qG) = e(G, G)^(pq)
Here we write the input groups of the pairing additively and the output group multiplicatively.
In pairing-based confidential transactions, we encode the amount a as
D_r(a) := (r^a) G
where r is a random number. We assume here that the transaction has just two inputs and two outputs. This assumption is not very restrictive, because any transaction can be transformed into this two-input, two-output form. Then,
e( D_r(a1), D_r(a2) ) = e( D_r'(a1'), D_r'(a2') )
holds iff a1+a2 = a1'+a2'. So if one encodes the amounts as D_r, he can prove that the sum of the inputs equals the sum of the outputs by showing the above pairing equation.
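The pairing check above worked out in the exponent, as an added example that is not part of the original post. No pairing library is used; each group element is represented by its discrete log with respect to G, which is a faithful model for checking this identity because bilinearity gives e(pG, qG) = e(G, G)^(pq), so e(D_r(a1), D_r(a2)) = e(G, G)^(r^(a1+a2)). The prime group order and the base r are constructed values. The demo shows the check passing exactly when a1+a2 = a1'+a2' with the same r on both sides, that a negative output still balances (so range proofs remain necessary), and that with a different base r' the exponents r^(a1+a2) and r'^(a1'+a2') are unrelated, so the equation generally fails even for balanced amounts.

```python
# Added example (not from the original post): the pairing balance check
# e(D_r(a1), D_r(a2)) = e(D_r'(a1'), D_r'(a2')) worked out in the exponent.
# Group elements are modelled by their discrete logs with respect to G,
# a constructed stand-in for a pairing library: by bilinearity
# e(pG, qG) = e(G, G)^(pq), so a pairing of elements with logs p and q is
# e(G, G) raised to p*q, and we compare those exponents modulo the group order.
N_ORDER = 2**61 - 1   # constructed prime group order (the Mersenne prime M61)


def D(r, a):
    """Discrete log of D_r(a) = (r^a) G, i.e. the scalar r^a mod N_ORDER.
    A negative amount uses the modular inverse of r (Python 3.8+)."""
    return pow(r, a, N_ORDER)


def pairing_exp(p, q):
    """Exponent of e(pG, qG) = e(G, G)^(pq) with respect to e(G, G)."""
    return (p * q) % N_ORDER


def balance_holds(r_in, inputs, r_out, outputs):
    """The two-input, two-output check from the text, compared via the
    exponents of both pairings."""
    a1, a2 = inputs
    b1, b2 = outputs
    lhs = pairing_exp(D(r_in, a1), D(r_in, a2))    # = r^(a1+a2)
    rhs = pairing_exp(D(r_out, b1), D(r_out, b2))  # = r'^(a1'+a2')
    return lhs == rhs


if __name__ == "__main__":
    r = 7   # constructed shared random base
    print(balance_holds(r, (5, 7), r, (4, 8)))     # True: 12 in, 12 out
    print(balance_holds(r, (5, 7), r, (4, 9)))     # False: 12 in, 13 out
    print(balance_holds(r, (5, 7), r, (17, -5)))   # True: a negative output balances
    print(balance_holds(r, (5, 7), 11, (4, 8)))    # False: different base r' on the output side
```

Because r^a is computed modulo the group order, two amounts that differ by the multiplicative order of r encode to the same point, which is one more reason the amounts have to be range-proved rather than trusted from the balance check alone.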
Yes, as ordinary confidential transactions do.
I have no idea. I thought it would improve the speed, but pairing is generally too slow :( If you find some positive insight, just let me know ⇩⇩⇩.