Amount Confidentiality

Used to cryptographically commit to a value (the amount) without revealing it. A Pedersen Commitment is a common type, where an amount is combined with a secret random number (a blinding factor). The commitment is published to the ledger. Later, the owner can reveal the secret to open the commitment and prove the amount, but to everyone else, it appears as a random number.

• Key Property: Hiding (cannot deduce amount) and Binding (cannot change amount after commitment).

A specialized zero-knowledge proof that proves a committed amount lies within a specific range (e.g., is a non-negative integer and does not overflow). This is critical to prevent attacks where a user could create a transaction with a negative amount or an amount larger than the total supply.

• Function: Ensures soundness of the system. Without range proofs, a malicious user could create money from nothing.
• Implementation: Often integrated with the commitment scheme, as in Monero's Bulletproofs.

A one-time address system that enhances recipient privacy. While not hiding the amount itself, it is a complementary feature. For each transaction, the sender generates a unique, one-time stealth address for the recipient using their public view key. This breaks the linkability on-chain, as observers cannot tell if multiple transactions are going to the same recipient, thereby protecting the context around confidential amounts.

In UTXO-based confidential systems (like Monero), the concept of a transparent wallet balance is eliminated. A user's "balance" is the sum of many individual, hidden unspent transaction outputs (UTXOs), each with a confidential amount. To spend, a user must prove they own a set of UTXOs whose combined hidden amounts meet the payment requirement, without revealing which specific UTXOs were used or their individual values.

A critical feature for enterprise adoption. Many confidentiality protocols offer view keys or audit keys. These are private keys that can be shared with auditors or regulators to decrypt transaction details (including amounts) for a specific wallet, without compromising the user's general privacy to the public. This creates selective transparency, balancing privacy with necessary compliance.

A blockchain protocol that uses Confidential Transactions and CoinJoin to hide amounts and obscure transaction graphs. It aggregates and prunes transaction data, making amounts private by default.

• Core Mechanism: Uses Pedersen Commitments to encrypt amounts in outputs.
• Data Efficiency: Old transaction data is cut off (cut-through), improving scalability.
• Example: Grin and Beam are the primary implementations of this protocol.

A cryptocurrency using zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge) to enable fully shielded transactions where amounts, sender, and receiver are all encrypted.

• Selective Privacy: Users can choose between transparent (public) and shielded (private) transactions.
• Cryptographic Proof: A zero-knowledge proof validates the transaction without revealing any underlying data.
• Resource Intensive: Generating zk-SNARK proofs requires significant computational power.

Monero implements Ring Confidential Transactions (RingCT) to hide transaction amounts and sender/receiver identities by default.

• How it Works: Combines Ring Signatures for sender ambiguity with Commitment Schemes to mask amounts.
• Mandatory Privacy: All Monero transactions have confidential amounts, unlike Zcash's optional model.
• Verification: Network validators can cryptographically verify that the sum of input amounts equals the sum of output amounts without knowing the individual values.

A layer-2 privacy-focused rollup on Ethereum that uses zk-SNARKs to provide confidential transactions, including amount privacy.

• ZK-Rollup Architecture: Batches private transactions off-chain and submits a single validity proof to Ethereum.
• Ethereum Compatibility: Allows users to privately deposit, transfer, and withdraw ETH and ERC-20 tokens.
• Application: The zk.money application was the first consumer-facing product built on this protocol.

A sidechain protocol that extends Confidential Transactions to hide not only the amount but also the asset type being transacted (e.g., whether it's Bitcoin, a stock, or a token).

• Asset Issuance: Allows organizations to issue digital assets with confidential properties on the Liquid Network.
• Pedersen Commitments: The core cryptographic tool used to blind both the amount and a unique asset tag.
• Use Case: Designed for faster, more confidential settlements between financial institutions.

An Ethereum-based non-custodial privacy solution that uses zk-SNARKs to break the on-chain link between deposit and withdrawal, effectively anonymizing the amount and source of funds.

• Pool-Based Model: Users deposit a fixed amount (e.g., 1 ETH) into a shared pool and later withdraw it to a new address.
• Zero-Knowledge Proof: The withdrawal transaction provides a proof that the user made a deposit without revealing which one.
• Note: While it obscures amounts via fixed denominations, its primary function is breaking transaction links.

Amount confidentiality fundamentally creates a tension between user privacy and system transparency. While it prevents external observers from deducing a user's wealth, it also complicates:

• Regulatory compliance (e.g., proving solvency, anti-money laundering checks).
• Protocol-level risk assessment (e.g., accurately gauging total value locked or liquidity concentration).
• User verification of system health without trusted setup assumptions.

Most implementations rely on complex cryptographic primitives whose security is conditional.

• ZK-SNARKs/STARKs: Depend on a trusted setup (for SNARKs) or computationally intensive proof generation.
• Bulletproofs/Range Proofs: Require the assumption that certain discrete logarithm problems are hard.
• Failure of these assumptions or implementation bugs could lead to the creation of invalid coins or the leakage of hidden balances.

Hiding amounts on-chain does not guarantee full transaction privacy. Metadata and timing analysis can still reveal information.

• Transaction graph analysis: Even with hidden amounts, the public sender/receiver addresses and transaction timing can be analyzed to cluster addresses and infer relationships.
• Amount correlation attacks: If an amount is revealed in a related public transaction (e.g., a DEX trade), it can deanonymize the confidential input/output.

The computational and data overhead of proving amount validity is significant.

• Proof generation time: Can be slow for users, requiring powerful hardware.
• Increased transaction size: ZK proofs or range proofs add kilobytes of data, raising fees and bloat.
• Verification gas costs: On Ethereum Virtual Machine (EVM) chains, verifying these proofs in a smart contract is extremely gas-intensive, limiting practicality.

Privacy features can conflict with financial regulations, creating adoption barriers.

• Travel Rule compliance: Regulations like FATF's Travel Rule require VASPs to share sender/receiver information, which is incompatible with full confidentiality.
• Exchange delisting risk: Major centralized exchanges may be reluctant to list assets with strong default privacy, fearing regulatory scrutiny.
• Selective disclosure tools (like viewing keys) are often necessary additions to address this, adding complexity.

Different implementations showcase unique limitations.

• Zcash (zk-SNARKs): Requires a one-time trusted setup ceremony for the Sapling circuit; shielded pool size can be a metadata signal.
• Monero (RingCT): Uses range proofs and ring signatures; scalability is challenged by large, non-aggregatable transaction sizes.
• Aztec (ZK-Rollup): Offers privacy but requires a sequencer/operator, introducing a potential liveness and censorship point of failure.