Aptos mainnet will enable 🔒 confidential assets 💸 very soon!! i.e., encrypted balances & transaction amounts 🔐, albeit with publicly-visible 🌍 sender & recipient addresses! (One step at a time, folks...) Here's how they work! 🤓👇

Aptos confidential assets build upon & extend prior work. We encrypt balances on-chain using Twisted ElGamal, like PGC (). This composes well with Bulletproofs to prove that an encrypted balance was debited correctly after a confidential send/withdraw.

Or, as I like to often say [and am made fun of at this point]... "See my blog!"

*Feat 1:* Unlike PGC and Solana, our Twisted ElGamal ciphertexts are _aggressively-chunked_ so as to ensure super-fast decryption while handling balances & amounts of ~256 bits. We dub this *chunked'n'twisted ElGamal.* FWIW, Aptos only needs 128-bit balances & 64-bit amounts.

For Aptos, chunking guarantees the max discrete log (DL) instance that needs to be solved during decryption is 32-bit, in the worst case (and much smaller on average). => easily solvable in 2^16 elliptic curve additions using simple algorithms like baby-step giant-step (BSGS)👇

*Feat 2:* We speed up BSGS for our choice of Ristretto255 elliptic curve via batched compressions. We also reduce its pre-computed table size by 4x (=> reduce confidential dapps' SDK size & latency) We call this new algorithm *truncated BSGS-k (TBSGS-k).*

I've riffed on this algorithm before: ...but failed to emphasize the *why*: TBSGS-k is deterministic => simpler to implement and test. TBSGS-k is only ~2x slower (10.6 ms vs 4.8 ms) than the more complex [BL12] algorithm, and has only 2x larger tables.

*Feat 3:* When auditing is enabled, we maintain a provably-correct encryption of each user's (available) balance under the auditor's encryption key (EK). This precludes auditors from scanning users' TXNs to reconstruct their balance. Key: it enables auditor EK rotations 👌

*Feat 4:* In Aptos, user _signing_ key rotation is a central security feature. So: we also designed confidential assets to support user *decryption* key rotation! For now, key management policies are left to applications/wallets (famous last words 🤞).

The good news: Keyless confidential dapps can safely re-use their 🌶️ as a decryption key! () ==> no extra key management burden introduced for such applications ==> easiest way to build a confidential dapp is as a keyless dapp; no wallet [support] needed!

*Feat 5:* Implementing crypto(*graphy*) that secures real user funds is terrifying. To minimize errors (🤞), we use a largely-overlooked methodology for safely designing & composing Sigma-protocols: The *homomorphism framework,* which I discovered in @danboneh's book 🙏

*Feat 6:* The first production-ready confidential-asset implementation in Move. The code is currently private while it undergoes an audit, but will be released soon. Here's a teaser for how simple a confidential transfer can be 👇

Also, because I can't help it, here's part of our Sigma-protocol homomorphism framework implemented in Move 😍

*Feat 7:* Full cryptographic specification with security proofs. (Heck, maybe we can vibe code it in @leanprover?) Coming soon, with the spicy details, in an eprint next to you 👇

Lastly, credit where credit is due: Aptos confidential assets build upon and extend ideas introduced in prior work 👇 1. Zether (): fixed account model's "front-running" problem via pending balances

2. PGC (): proposed Twisted ElGamal + Bulletproofs as a simpler alternative to \Sigma-bullets. This drastically reduces implementation complexity: we only need to focus on correctly designing our Sigma-protocols! Secure composition is argued below 👇

3. Solana (): allowed for 48-bit transferred amounts by splitting the pending balance into a "high" 32-bit chunk and a "low" 16-bit chunk. We allow for larger amounts by using a higher number of chunks & by additionally chunking the available balance too.

Last but not least, I want to thank @mstrakastrak and the folks at @distributedlab, who helped with designing the initial version of the confidential asset protocol and implementing it in Move and TypeScript 🖖 Watch out for our joint paper coming out soon!