Compact Confidential Transactions
An enhancement is suggested to make Bitcoin transaction amounts hidden from all but the sender and receiver.
In each transaction, the output amounts are encrypted with the public keys of the respective receivers.
Only the transaction fee is publicly revealed, to allow miners to prioritise
transactions. A homomorphic commitment for each transaction proves
that the sum of the transaction inputs matches the sum of its outputs.
A short Non-Interactive Zero-Knowledge Proof (NIZKP) for each output
also convinces all verifiers that the sum does not overflow. Address
construction includes an additional public view key to allow senders to
encrypt output values. This approach practically resolves a core privacy
issue in Bitcoin, but without overwhelming implementation complexity.
The required commitments are an order of magnitude smaller than those
proposed for Confidential Transactions, and do not depend on ring signatures.
Does anyone have a link to a working implementation?
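The balance check the abstract describes can be illustrated with the following added example. It is not the paper's construction or an implementation of it: it substitutes ordinary Pedersen commitments on secp256k1 as the homomorphic commitment, and all function names, amounts and blinding factors are constructed for the demo. The third case balances only modulo the group order, which is the overflow the per-output proof has to rule out.

```python
import hashlib
from functools import reduce

P = 2**256 - 2**32 - 977  # secp256k1 field prime (Bitcoin's curve)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    num, den = (3 * a[0] * a[0], 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    m = num * pow(den % P, -1, P)
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add scalar multiplication, not constant time
    acc, k = None, k % N
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def derive_h(tag=b"constructed demo generator H"):
    for ctr in range(256):  # try-and-increment until x^3 + 7 is a square
        x = int.from_bytes(hashlib.sha256(tag + bytes([ctr])).digest(), "big") % P
        y = pow(x**3 + 7, (P + 1) // 4, P)
        if y * y % P == (x**3 + 7) % P:
            return (x, y)

H = derive_h()  # second generator; nobody knows its discrete log to base G

def commit(value, blind):  # Pedersen commitment value*H + blind*G
    return add(mul(value, H), mul(blind, G))

def balances(inputs, outputs, fee):
    # Verifier check: sum(inputs) - sum(outputs) - fee*H is the point at infinity.
    negated = [(x, P - y) for x, y in outputs]
    return reduce(add, inputs + negated, mul(-fee, H)) is None

def demo():
    # Constructed data: one 100-coin input, public fee 1, blinds sum to 3333 each side.
    r1, r2, tx_in = 1111, 2222, [commit(100, 3333)]
    honest = [commit(60, r1), commit(39, r2)]          # 60 + 39 + 1 == 100
    inflated = [commit(60, r1), commit(50, r2)]        # 11 coins from nowhere
    wrapped = [commit(N - 900, r1), commit(999, r2)]   # equals 100 only mod N
    return [balances(tx_in, outs, 1) for outs in (honest, inflated, wrapped)]
```

`demo()` returns the verifier's verdict for the honest, inflated and wrapped transactions in that order.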