Compact Confidential Transactions for Bitcoin

An enhancement is suggested to make Bitcoin transaction amounts hidden to all but the sender and receiver. In each transaction, the output amounts are encrypted with the public keys of the respective receivers. Only the transaction fee is publicly revealed, to allow miners to prioritise transactions. A homomorphic commitment for each transaction proves that the sum of the transaction inputs matches the sum of its outputs. A short Non-Interactive Zero-Knowledge Proof (NIZKP) for each output also convinces all verifiers that the sum does not overflow. Address construction includes an additional public view key to allow senders to encrypt output values. This approach practically resolves a core privacy issue in Bitcoin[1], but without overwhelming implementation complexity. The required commitments are an order of magnitude smaller than those proposed for Confidential Transactions[2], and do not depend on ring signatures.