Source from repo

Solana Development Skill (framework-kit-first)

Comprehensive Solana development skill covering @solana/kit v5, Anchor programs, LiteSVM testing, and security patterns.

solana-foundationGitHub solana-foundationSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

273.8 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/confidential-transfers.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown740 linesFree

references/confidential-transfers.md

1---
2title: Confidential Transfers
3description: Implement private, encrypted token balances on Solana using the Token-2022 confidential transfers extension.
4---
5 
6# Confidential Transfers (Token-2022 Extension)
7 
8## When to use this guidance
9 
10Use this guidance when the user asks about:
11 
12- Private/encrypted token balances
13- Confidential transfers or balances on Solana
14- Zero-knowledge proofs for token transfers
15- Token-2022 confidential transfer extension(s)
16- ElGamal encryption for tokens
17 
18## Current Network Availability
19 
20**Important:** Confidential transfers are currently only available on a TXTX cluster.
21 
22- RPC endpoint: `https://zk-edge.surfnet.dev/`
23- Mainnet availability expected in a few months
24 
25When building for confidential transfers, always use the ZK-Edge RPC for testing. Plan for mainnet migration by abstracting the RPC endpoint configuration. Ensure the user is aware of this.
26 
27## Key Concepts
28 
29### What are Confidential Transfers?
30 
31Confidential transfers encrypt token balances and transfer amounts using zero-knowledge cryptography. onchain observers cannot see actual amounts, but the system still verifies:
32 
33- Sender has sufficient balance
34- Transfer amounts are non-negative
35- No tokens are created or destroyed
36 
37### Balance Types
38 
39Each confidential-enabled account has three balance types:
40 
41- **Public**: Standard visible SPL balance
42- **Pending**: Encrypted incoming transfers awaiting application
43- **Available**: Encrypted balance ready for outgoing transfers
44 
45### Encryption Keys
46 
47Two keys are derived deterministically from the account owner's keypair:
48 
49- **ElGamal keypair**: Used for transfer encryption (asymmetric)
50- **AES key**: Used for balance decryption by owner (symmetric)
51 
52### Privacy Levels
53 
54Mints can configure four privacy modes:
55 
56- `Disabled`: No confidential transfers
57- `Whitelisted`: Only approved accounts
58- `OptIn`: Accounts choose to enable
59- `Required`: All transfers must be confidential
60 
61## Dependencies
62 
63```toml
64[dependencies]
65# Solana core
66solana-sdk = "3.0.0"
67solana-client = "3.1.6"
68solana-zk-sdk = "5.0.0"
69solana-commitment-config = "3.1.0"
70 
71# Token-2022
72spl-token-2022 = { version = "10.0.0", features = ["zk-ops"] }
73spl-token-client = "0.18.0"
74spl-associated-token-account = "8.0.0"
75 
76# Confidential transfer proofs
77spl-token-confidential-transfer-proof-generation = "0.5.1"
78spl-token-confidential-transfer-proof-extraction = "0.5.1"
79 
80# Async runtime
81tokio = { version = "1", features = ["full"] }
82```
83 
84## Common Types
85 
86```rust
87use solana_sdk::signature::Signature;
88use std::error::Error;
89 
90pub type CtResult<T> = Result<T, Box<dyn Error>>;
91pub type SigResult = CtResult<Signature>;
92pub type MultiSigResult = CtResult<Vec<Signature>>;
93```
94 
95## Operation Flow
96 
97The typical flow for confidential transfers:
98 
991. **Configure** - Enable confidential transfers on a token account
1002. **Deposit** - Move tokens from public to pending balance
1013. **Apply Pending** - Move pending to available balance
1024. **Transfer** - Send from available balance (encrypted)
1035. **Withdraw** - Move from available back to public balance
104 
105## Key Operations
106 
107### 1. Configure Account for Confidential Transfers
108 
109Before using confidential transfers, accounts must be configured with encryption keys:
110 
111```rust
112use solana_client::rpc_client::RpcClient;
113use solana_sdk::{signature::Signer, transaction::Transaction};
114use spl_associated_token_account::get_associated_token_address_with_program_id;
115use spl_token_2022::{
116    extension::{
117        confidential_transfer::instruction::{configure_account, PubkeyValidityProofData},
118        ExtensionType,
119    },
120    instruction::reallocate,
121    solana_zk_sdk::encryption::{auth_encryption::AeKey, elgamal::ElGamalKeypair},
122};
123use spl_token_confidential_transfer_proof_extraction::instruction::ProofLocation;
124 
125pub async fn configure_account_for_confidential_transfers(
126    client: &RpcClient,
127    payer: &dyn Signer,
128    authority: &dyn Signer,
129    mint: &solana_sdk::pubkey::Pubkey,
130) -> SigResult {
131    let token_account = get_associated_token_address_with_program_id(
132        &authority.pubkey(),
133        mint,
134        &spl_token_2022::id(),
135    );
136 
137    // Derive encryption keys deterministically from authority
138    let elgamal_keypair = ElGamalKeypair::new_from_signer(
139        authority,
140        &token_account.to_bytes(),
141    )?;
142    let aes_key = AeKey::new_from_signer(
143        authority,
144        &token_account.to_bytes(),
145    )?;
146 
147    // Maximum pending deposits before apply_pending_balance must be called
148    let max_pending_balance_credit_counter = 65536u64;
149 
150    // Initial decryptable balance (encrypted with AES)
151    let decryptable_balance = aes_key.encrypt(0);
152 
153    // Generate proof that we control the ElGamal public key
154    let proof_data = PubkeyValidityProofData::new(&elgamal_keypair)
155        .map_err(|_| "Failed to generate pubkey validity proof")?;
156 
157    // Proof will be in the next instruction (offset 1)
158    let proof_location = ProofLocation::InstructionOffset(
159        1.try_into().unwrap(),
160        &proof_data,
161    );
162 
163    let mut instructions = vec![];
164 
165    // 1. Reallocate to add ConfidentialTransferAccount extension
166    instructions.push(reallocate(
167        &spl_token_2022::id(),
168        &token_account,
169        &payer.pubkey(),
170        &authority.pubkey(),
171        &[&authority.pubkey()],
172        &[ExtensionType::ConfidentialTransferAccount],
173    )?);
174 
175    // 2. Configure account (includes proof instruction)
176    instructions.extend(configure_account(
177        &spl_token_2022::id(),
178        &token_account,
179        mint,
180        &decryptable_balance.into(),
181        max_pending_balance_credit_counter,
182        &authority.pubkey(),
183        &[],
184        proof_location,
185    )?);
186 
187    let recent_blockhash = client.get_latest_blockhash()?;
188    let transaction = Transaction::new_signed_with_payer(
189        &instructions,
190        Some(&payer.pubkey()),
191        &[authority, payer],
192        recent_blockhash,
193    );
194 
195    let signature = client.send_and_confirm_transaction(&transaction)?;
196    Ok(signature)
197}
198```
199 
200### 2. Deposit to Confidential Balance
201 
202Move tokens from public balance to pending confidential balance:
203 
204```rust
205use solana_client::rpc_client::RpcClient;
206use solana_sdk::{signature::Signer, transaction::Transaction};
207use spl_associated_token_account::get_associated_token_address_with_program_id;
208use spl_token_2022::extension::confidential_transfer::instruction::deposit;
209 
210pub async fn deposit_to_confidential(
211    client: &RpcClient,
212    payer: &dyn Signer,
213    authority: &dyn Signer,
214    mint: &solana_sdk::pubkey::Pubkey,
215    amount: u64,
216    decimals: u8,
217) -> SigResult {
218    let token_account = get_associated_token_address_with_program_id(
219        &authority.pubkey(),
220        mint,
221        &spl_token_2022::id(),
222    );
223 
224    let deposit_ix = deposit(
225        &spl_token_2022::id(),
226        &token_account,
227        mint,
228        amount,
229        decimals,
230        &authority.pubkey(),
231        &[&authority.pubkey()],
232    )?;
233 
234    let recent_blockhash = client.get_latest_blockhash()?;
235    let transaction = Transaction::new_signed_with_payer(
236        &[deposit_ix],
237        Some(&payer.pubkey()),
238        &[payer, authority],
239        recent_blockhash,
240    );
241 
242    let signature = client.send_and_confirm_transaction(&transaction)?;
243    Ok(signature)
244}
245```
246 
247### 3. Apply Pending Balance
248 
249Move tokens from pending to available (spendable) balance:
250 
251```rust
252use solana_client::rpc_client::RpcClient;
253use solana_sdk::{signature::Signer, transaction::Transaction};
254use spl_associated_token_account::get_associated_token_address_with_program_id;
255use spl_token_2022::{
256    extension::{
257        confidential_transfer::{
258            instruction::apply_pending_balance as apply_pending_balance_instruction,
259            ConfidentialTransferAccount,
260        },
261        BaseStateWithExtensions, StateWithExtensions,
262    },
263    solana_zk_sdk::encryption::{auth_encryption::AeKey, elgamal::ElGamalKeypair},
264    state::Account as TokenAccount,
265};
266 
267pub async fn apply_pending_balance(
268    client: &RpcClient,
269    payer: &dyn Signer,
270    authority: &dyn Signer,
271    mint: &solana_sdk::pubkey::Pubkey,
272) -> SigResult {
273    let token_account = get_associated_token_address_with_program_id(
274        &authority.pubkey(),
275        mint,
276        &spl_token_2022::id(),
277    );
278 
279    // Derive encryption keys
280    let elgamal_keypair = ElGamalKeypair::new_from_signer(
281        authority,
282        &token_account.to_bytes(),
283    )?;
284    let aes_key = AeKey::new_from_signer(
285        authority,
286        &token_account.to_bytes(),
287    )?;
288 
289    // Fetch account state
290    let account_data = client.get_account(&token_account)?;
291    let account = StateWithExtensions::<TokenAccount>::unpack(&account_data.data)?;
292    let ct_extension = account.get_extension::<ConfidentialTransferAccount>()?;
293 
294    // Decrypt current balances - note: decrypt_u32 is called ON the ciphertext
295    let pending_balance_lo: spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalCiphertext =
296        ct_extension.pending_balance_lo.try_into()
297            .map_err(|_| "Failed to convert pending_balance_lo")?;
298    let pending_balance_hi: spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalCiphertext =
299        ct_extension.pending_balance_hi.try_into()
300            .map_err(|_| "Failed to convert pending_balance_hi")?;
301    let available_balance: spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalCiphertext =
302        ct_extension.available_balance.try_into()
303            .map_err(|_| "Failed to convert available_balance")?;
304 
305    // Decrypt using ciphertext.decrypt_u32(secret)
306    let pending_lo = pending_balance_lo.decrypt_u32(elgamal_keypair.secret())
307        .ok_or("Failed to decrypt pending_balance_lo")?;
308    let pending_hi = pending_balance_hi.decrypt_u32(elgamal_keypair.secret())
309        .ok_or("Failed to decrypt pending_balance_hi")?;
310    let current_available = available_balance.decrypt_u32(elgamal_keypair.secret())
311        .ok_or("Failed to decrypt available_balance")?;
312 
313    // Calculate new available balance
314    let pending_total = pending_lo + (pending_hi << 16);
315    let new_available = current_available + pending_total;
316 
317    // Encrypt new available balance with AES for owner
318    let new_decryptable_balance = aes_key.encrypt(new_available);
319 
320    // Get expected pending balance credit counter
321    let expected_counter: u64 = ct_extension.pending_balance_credit_counter.into();
322 
323    let apply_ix = apply_pending_balance_instruction(
324        &spl_token_2022::id(),
325        &token_account,
326        expected_counter,
327        &new_decryptable_balance.into(),
328        &authority.pubkey(),
329        &[&authority.pubkey()],
330    )?;
331 
332    let recent_blockhash = client.get_latest_blockhash()?;
333    let transaction = Transaction::new_signed_with_payer(
334        &[apply_ix],
335        Some(&payer.pubkey()),
336        &[payer, authority],
337        recent_blockhash,
338    );
339 
340    let signature = client.send_and_confirm_transaction(&transaction)?;
341    Ok(signature)
342}
343```
344 
345### 4. Confidential Transfer
346 
347Transfer tokens between accounts using zero-knowledge proofs. This is the most complex operation requiring multiple transactions and proof context state accounts:
348 
349```rust
350use solana_client::rpc_client::RpcClient;
351use solana_client::nonblocking::rpc_client::RpcClient as AsyncRpcClient;
352use solana_commitment_config::CommitmentConfig;
353use solana_sdk::signature::{Keypair, Signer};
354use spl_associated_token_account::get_associated_token_address_with_program_id;
355use spl_token_2022::{
356    extension::{
357        confidential_transfer::{
358            account_info::TransferAccountInfo,
359            ConfidentialTransferAccount, ConfidentialTransferMint,
360        },
361        BaseStateWithExtensions, StateWithExtensions,
362    },
363    solana_zk_sdk::encryption::{
364        auth_encryption::AeKey,
365        elgamal::ElGamalKeypair,
366        pod::elgamal::PodElGamalPubkey,
367    },
368    state::{Account as TokenAccount, Mint},
369};
370use spl_token_client::{
371    client::{ProgramRpcClient, ProgramRpcClientSendTransaction, RpcClientResponse},
372    token::{ProofAccountWithCiphertext, Token},
373};
374use std::sync::Arc;
375 
376fn extract_signature(response: RpcClientResponse) -> Result<solana_sdk::signature::Signature, Box<dyn std::error::Error>> {
377    match response {
378        RpcClientResponse::Signature(sig) => Ok(sig),
379        _ => Err("Expected Signature response".into()),
380    }
381}
382 
383pub async fn transfer_confidential(
384    client: &RpcClient,
385    _payer: &dyn Signer,
386    sender: &Keypair,  // Must be Keypair for token client
387    mint: &solana_sdk::pubkey::Pubkey,
388    recipient: &solana_sdk::pubkey::Pubkey,
389    amount: u64,
390) -> MultiSigResult {
391    let sender_token_account = get_associated_token_address_with_program_id(
392        &sender.pubkey(),
393        mint,
394        &spl_token_2022::id(),
395    );
396    let recipient_token_account = get_associated_token_address_with_program_id(
397        recipient,
398        mint,
399        &spl_token_2022::id(),
400    );
401 
402    // Get recipient's ElGamal public key
403    let recipient_account_data = client.get_account(&recipient_token_account)?;
404    let recipient_account = StateWithExtensions::<TokenAccount>::unpack(&recipient_account_data.data)?;
405    let recipient_ct_extension = recipient_account.get_extension::<ConfidentialTransferAccount>()?;
406    let recipient_elgamal_pubkey: spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalPubkey =
407        recipient_ct_extension.elgamal_pubkey.try_into()
408            .map_err(|_| "Failed to convert recipient ElGamal pubkey")?;
409 
410    // Get auditor ElGamal public key from mint (if configured)
411    let mint_account_data = client.get_account(mint)?;
412    let mint_account = StateWithExtensions::<Mint>::unpack(&mint_account_data.data)?;
413    let mint_ct_extension = mint_account.get_extension::<ConfidentialTransferMint>()?;
414    let auditor_elgamal_pubkey: Option<spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalPubkey> =
415        Option::<PodElGamalPubkey>::from(mint_ct_extension.auditor_elgamal_pubkey)
416            .map(|pk| pk.try_into())
417            .transpose()
418            .map_err(|_| "Failed to convert auditor ElGamal pubkey")?;
419 
420    // Derive sender's encryption keys
421    let sender_elgamal = ElGamalKeypair::new_from_signer(
422        sender,
423        &sender_token_account.to_bytes(),
424    )?;
425    let sender_aes = AeKey::new_from_signer(
426        sender,
427        &sender_token_account.to_bytes(),
428    )?;
429 
430    // Fetch sender account and create transfer info
431    let account_data = client.get_account(&sender_token_account)?;
432    let account = StateWithExtensions::<TokenAccount>::unpack(&account_data.data)?;
433    let ct_extension = account.get_extension::<ConfidentialTransferAccount>()?;
434    let transfer_info = TransferAccountInfo::new(ct_extension);
435 
436    // Verify sufficient balance
437    let available_balance: spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalCiphertext =
438        transfer_info.available_balance.try_into()
439            .map_err(|_| "Failed to convert available_balance")?;
440    let current_available = available_balance.decrypt_u32(sender_elgamal.secret())
441        .ok_or("Failed to decrypt available balance")?;
442 
443    if current_available < amount {
444        return Err(format!(
445            "Insufficient balance: have {}, need {}",
446            current_available, amount
447        ).into());
448    }
449 
450    // Generate split transfer proofs (equality, ciphertext validity, range)
451    let proof_data = transfer_info.generate_split_transfer_proof_data(
452        amount,
453        &sender_elgamal,
454        &sender_aes,
455        &recipient_elgamal_pubkey,
456        auditor_elgamal_pubkey.as_ref(),
457    )?;
458 
459    // Create async client for Token operations
460    let rpc_url = client.url();
461    let async_client = Arc::new(AsyncRpcClient::new_with_commitment(
462        rpc_url,
463        CommitmentConfig::confirmed(),
464    ));
465    let program_client = Arc::new(ProgramRpcClient::new(
466        async_client,
467        ProgramRpcClientSendTransaction,
468    ));
469 
470    // Clone sender for Arc (Token client requires ownership)
471    let sender_clone = Keypair::new_from_array(*sender.secret_bytes());
472    let sender_arc: Arc<dyn Signer> = Arc::new(sender_clone);
473 
474    let token = Token::new(
475        program_client,
476        &spl_token_2022::id(),
477        mint,
478        None,
479        sender_arc,
480    );
481 
482    // Create proof context state accounts
483    let equality_proof_account = Keypair::new();
484    let ciphertext_validity_proof_account = Keypair::new();
485    let range_proof_account = Keypair::new();
486 
487    let mut signatures = Vec::new();
488 
489    // 1. Create equality proof context account
490    let response = token.confidential_transfer_create_context_state_account(
491        &equality_proof_account.pubkey(),
492        &sender.pubkey(),
493        &proof_data.equality_proof_data,
494        false,
495        &[&equality_proof_account],
496    ).await?;
497    signatures.push(extract_signature(response)?);
498 
499    // 2. Create ciphertext validity proof context account
500    let response = token.confidential_transfer_create_context_state_account(
501        &ciphertext_validity_proof_account.pubkey(),
502        &sender.pubkey(),
503        &proof_data.ciphertext_validity_proof_data_with_ciphertext.proof_data,
504        false,
505        &[&ciphertext_validity_proof_account],
506    ).await?;
507    signatures.push(extract_signature(response)?);
508 
509    // 3. Create range proof context account
510    let response = token.confidential_transfer_create_context_state_account(
511        &range_proof_account.pubkey(),
512        &sender.pubkey(),
513        &proof_data.range_proof_data,
514        true,  // Range proof uses batched verification
515        &[&range_proof_account],
516    ).await?;
517    signatures.push(extract_signature(response)?);
518 
519    // 4. Execute the confidential transfer
520    let ciphertext_validity_proof = ProofAccountWithCiphertext {
521        context_state_account: ciphertext_validity_proof_account.pubkey(),
522        ciphertext_lo: proof_data.ciphertext_validity_proof_data_with_ciphertext.ciphertext_lo,
523        ciphertext_hi: proof_data.ciphertext_validity_proof_data_with_ciphertext.ciphertext_hi,
524    };
525 
526    let response = token.confidential_transfer_transfer(
527        &sender_token_account,
528        &recipient_token_account,
529        &sender.pubkey(),
530        Some(&equality_proof_account.pubkey()),
531        Some(&ciphertext_validity_proof),
532        Some(&range_proof_account.pubkey()),
533        amount,
534        None,
535        &sender_elgamal,
536        &sender_aes,
537        &recipient_elgamal_pubkey,
538        auditor_elgamal_pubkey.as_ref(),
539        &[sender],
540    ).await?;
541    signatures.push(extract_signature(response)?);
542 
543    // 5. Close proof context accounts to reclaim rent
544    let response = token.confidential_transfer_close_context_state_account(
545        &equality_proof_account.pubkey(),
546        &sender_token_account,
547        &sender.pubkey(),
548        &[sender],
549    ).await?;
550    signatures.push(extract_signature(response)?);
551 
552    let response = token.confidential_transfer_close_context_state_account(
553        &ciphertext_validity_proof_account.pubkey(),
554        &sender_token_account,
555        &sender.pubkey(),
556        &[sender],
557    ).await?;
558    signatures.push(extract_signature(response)?);
559 
560    let response = token.confidential_transfer_close_context_state_account(
561        &range_proof_account.pubkey(),
562        &sender_token_account,
563        &sender.pubkey(),
564        &[sender],
565    ).await?;
566    signatures.push(extract_signature(response)?);
567 
568    Ok(signatures)
569}
570```
571 
572### 5. Withdraw from Confidential Balance
573 
574Move tokens from available confidential balance back to public balance:
575 
576```rust
577use solana_client::rpc_client::RpcClient;
578use solana_sdk::{signature::Signer, transaction::Transaction};
579use spl_associated_token_account::get_associated_token_address_with_program_id;
580use spl_token_2022::{
581    extension::{
582        confidential_transfer::{
583            account_info::WithdrawAccountInfo,
584            instruction::withdraw,
585            ConfidentialTransferAccount,
586        },
587        BaseStateWithExtensions, StateWithExtensions,
588    },
589    solana_zk_sdk::encryption::{auth_encryption::AeKey, elgamal::ElGamalKeypair},
590    state::Account as TokenAccount,
591};
592use spl_token_confidential_transfer_proof_extraction::instruction::ProofLocation;
593 
594pub async fn withdraw_from_confidential(
595    client: &RpcClient,
596    payer: &dyn Signer,
597    authority: &dyn Signer,
598    mint: &solana_sdk::pubkey::Pubkey,
599    amount: u64,
600    decimals: u8,
601) -> SigResult {
602    let token_account = get_associated_token_address_with_program_id(
603        &authority.pubkey(),
604        mint,
605        &spl_token_2022::id(),
606    );
607 
608    // Derive encryption keys
609    let elgamal_keypair = ElGamalKeypair::new_from_signer(
610        authority,
611        &token_account.to_bytes(),
612    )?;
613    let aes_key = AeKey::new_from_signer(
614        authority,
615        &token_account.to_bytes(),
616    )?;
617 
618    // Fetch account state
619    let account_data = client.get_account(&token_account)?;
620    let account = StateWithExtensions::<TokenAccount>::unpack(&account_data.data)?;
621    let ct_extension = account.get_extension::<ConfidentialTransferAccount>()?;
622 
623    // Create withdraw account info helper
624    let withdraw_info = WithdrawAccountInfo::new(ct_extension);
625 
626    // Decrypt available balance to verify sufficiency
627    let available_balance: spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalCiphertext =
628        withdraw_info.available_balance.try_into()
629            .map_err(|_| "Failed to convert available_balance")?;
630    let current_available = available_balance.decrypt_u32(elgamal_keypair.secret())
631        .ok_or("Failed to decrypt available balance")?;
632 
633    if current_available < amount {
634        return Err(format!(
635            "Insufficient confidential balance: have {}, need {}",
636            current_available, amount
637        ).into());
638    }
639 
640    // Generate withdrawal proofs using the helper
641    let proof_data = withdraw_info.generate_proof_data(
642        amount,
643        &elgamal_keypair,
644        &aes_key,
645    )?;
646 
647    // Calculate new decryptable available balance after withdrawal
648    let new_available = current_available - amount;
649    let new_decryptable_balance = aes_key.encrypt(new_available);
650 
651    // Build withdraw instruction with two proof locations (equality + range)
652    let withdraw_instructions = withdraw(
653        &spl_token_2022::id(),
654        &token_account,
655        mint,
656        amount,
657        decimals,
658        &new_decryptable_balance.into(),
659        &authority.pubkey(),
660        &[&authority.pubkey()],
661        ProofLocation::InstructionOffset(1.try_into().unwrap(), &proof_data.equality_proof_data),
662        ProofLocation::InstructionOffset(2.try_into().unwrap(), &proof_data.range_proof_data),
663    )?;
664 
665    let recent_blockhash = client.get_latest_blockhash()?;
666    let transaction = Transaction::new_signed_with_payer(
667        &withdraw_instructions,
668        Some(&payer.pubkey()),
669        &[payer, authority],
670        recent_blockhash,
671    );
672 
673    let signature = client.send_and_confirm_transaction(&transaction)?;
674    Ok(signature)
675}
676```
677 
678## Reading Balances
679 
680To read and decrypt all balance types:
681 
682```rust
683pub fn get_confidential_balances(
684    client: &RpcClient,
685    authority: &dyn Signer,
686    mint: &solana_sdk::pubkey::Pubkey,
687) -> Result<(u64, u64, u64), Box<dyn std::error::Error>> {
688    let token_account = get_associated_token_address_with_program_id(
689        &authority.pubkey(),
690        mint,
691        &spl_token_2022::id(),
692    );
693 
694    let elgamal_keypair = ElGamalKeypair::new_from_signer(authority, &token_account.to_bytes())?;
695    let aes_key = AeKey::new_from_signer(authority, &token_account.to_bytes())?;
696 
697    let account_data = client.get_account(&token_account)?;
698    let account = StateWithExtensions::<TokenAccount>::unpack(&account_data.data)?;
699    let ct_extension = account.get_extension::<ConfidentialTransferAccount>()?;
700 
701    // Public balance (visible to all)
702    let public_balance = account.base.amount;
703 
704    // Pending balance (decrypt with ElGamal) - note method is on ciphertext
705    let pending_lo_ct: spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalCiphertext =
706        ct_extension.pending_balance_lo.try_into()?;
707    let pending_hi_ct: spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalCiphertext =
708        ct_extension.pending_balance_hi.try_into()?;
709 
710    let pending_lo = pending_lo_ct.decrypt_u32(elgamal_keypair.secret()).unwrap_or(0) as u64;
711    let pending_hi = pending_hi_ct.decrypt_u32(elgamal_keypair.secret()).unwrap_or(0) as u64;
712    let pending_balance = pending_lo + (pending_hi << 16);
713 
714    // Available balance (decrypt with AES - only owner can see)
715    let available_balance = aes_key.decrypt(&ct_extension.decryptable_available_balance.try_into()?)?;
716 
717    Ok((public_balance, pending_balance, available_balance))
718}
719```
720 
721## Security Considerations
722 
723- **Key derivation is deterministic**: The same keypair always produces the same encryption keys for a given token account. This enables recovery but means keypair compromise exposes all confidential balances.
724- **Auditor keys**: Mints can configure an auditor ElGamal public key that can decrypt all transfer amounts (but not balances).
725- **Pending balance limits**: The `max_pending_balance_credit_counter` limits how many incoming transfers can accumulate before `apply_pending` must be called.
726- **Proof verification**: All proofs are verified by the ZK ElGamal Proof Program onchain (`ZkE1Gama1Proof11111111111111111111111111111`).
727 
728## Reference Implementation
729 
730For complete working examples including mint creation, see:
731https://github.com/gitteri/confidential-balances-exploration (Rust) and
732https://github.com/catmcgee/confidential-transfers-explorer (TypeScript)
733 
734## Limitations
735 
736- Currently only works on ZK-Edge testnet (`https://zk-edge.surfnet.dev/`)
737- Transfer operations require multiple transactions (7 total) due to proof size. This will be lower when larger transactions are merged into mainnet
738- Proof generation can be computationally intensive (client-side)
739- Sender must be a `Keypair` (not generic `Signer`) for transfers due to token client requirements
740

Marketplace

Source from repo

Solana Development Skill (framework-kit-first)

Comprehensive Solana development skill covering @solana/kit v5, Anchor programs, LiteSVM testing, and security patterns.

solana-foundationGitHub solana-foundationSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

273.8 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/confidential-transfers.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown740 linesFree

references/confidential-transfers.md

1---
2title: Confidential Transfers
3description: Implement private, encrypted token balances on Solana using the Token-2022 confidential transfers extension.
4---
5 
6# Confidential Transfers (Token-2022 Extension)
7 
8## When to use this guidance
9 
10Use this guidance when the user asks about:
11 
12- Private/encrypted token balances
13- Confidential transfers or balances on Solana
14- Zero-knowledge proofs for token transfers
15- Token-2022 confidential transfer extension(s)
16- ElGamal encryption for tokens
17 
18## Current Network Availability
19 
20**Important:** Confidential transfers are currently only available on a TXTX cluster.
21 
22- RPC endpoint: `https://zk-edge.surfnet.dev/`
23- Mainnet availability expected in a few months
24 
25When building for confidential transfers, always use the ZK-Edge RPC for testing. Plan for mainnet migration by abstracting the RPC endpoint configuration. Ensure the user is aware of this.
26 
27## Key Concepts
28 
29### What are Confidential Transfers?
30 
31Confidential transfers encrypt token balances and transfer amounts using zero-knowledge cryptography. onchain observers cannot see actual amounts, but the system still verifies:
32 
33- Sender has sufficient balance
34- Transfer amounts are non-negative
35- No tokens are created or destroyed
36 
37### Balance Types
38 
39Each confidential-enabled account has three balance types:
40 
41- **Public**: Standard visible SPL balance
42- **Pending**: Encrypted incoming transfers awaiting application
43- **Available**: Encrypted balance ready for outgoing transfers
44 
45### Encryption Keys
46 
47Two keys are derived deterministically from the account owner's keypair:
48 
49- **ElGamal keypair**: Used for transfer encryption (asymmetric)
50- **AES key**: Used for balance decryption by owner (symmetric)
51 
52### Privacy Levels
53 
54Mints can configure four privacy modes:
55 
56- `Disabled`: No confidential transfers
57- `Whitelisted`: Only approved accounts
58- `OptIn`: Accounts choose to enable
59- `Required`: All transfers must be confidential
60 
61## Dependencies
62 
63```toml
64[dependencies]
65# Solana core
66solana-sdk = "3.0.0"
67solana-client = "3.1.6"
68solana-zk-sdk = "5.0.0"
69solana-commitment-config = "3.1.0"
70 
71# Token-2022
72spl-token-2022 = { version = "10.0.0", features = ["zk-ops"] }
73spl-token-client = "0.18.0"
74spl-associated-token-account = "8.0.0"
75 
76# Confidential transfer proofs
77spl-token-confidential-transfer-proof-generation = "0.5.1"
78spl-token-confidential-transfer-proof-extraction = "0.5.1"
79 
80# Async runtime
81tokio = { version = "1", features = ["full"] }
82```
83 
84## Common Types
85 
86```rust
87use solana_sdk::signature::Signature;
88use std::error::Error;
89 
90pub type CtResult<T> = Result<T, Box<dyn Error>>;
91pub type SigResult = CtResult<Signature>;
92pub type MultiSigResult = CtResult<Vec<Signature>>;
93```
94 
95## Operation Flow
96 
97The typical flow for confidential transfers:
98 
991. **Configure** - Enable confidential transfers on a token account
1002. **Deposit** - Move tokens from public to pending balance
1013. **Apply Pending** - Move pending to available balance
1024. **Transfer** - Send from available balance (encrypted)
1035. **Withdraw** - Move from available back to public balance
104 
105## Key Operations
106 
107### 1. Configure Account for Confidential Transfers
108 
109Before using confidential transfers, accounts must be configured with encryption keys:
110 
111```rust
112use solana_client::rpc_client::RpcClient;
113use solana_sdk::{signature::Signer, transaction::Transaction};
114use spl_associated_token_account::get_associated_token_address_with_program_id;
115use spl_token_2022::{
116    extension::{
117        confidential_transfer::instruction::{configure_account, PubkeyValidityProofData},
118        ExtensionType,
119    },
120    instruction::reallocate,
121    solana_zk_sdk::encryption::{auth_encryption::AeKey, elgamal::ElGamalKeypair},
122};
123use spl_token_confidential_transfer_proof_extraction::instruction::ProofLocation;
124 
125pub async fn configure_account_for_confidential_transfers(
126    client: &RpcClient,
127    payer: &dyn Signer,
128    authority: &dyn Signer,
129    mint: &solana_sdk::pubkey::Pubkey,
130) -> SigResult {
131    let token_account = get_associated_token_address_with_program_id(
132        &authority.pubkey(),
133        mint,
134        &spl_token_2022::id(),
135    );
136 
137    // Derive encryption keys deterministically from authority
138    let elgamal_keypair = ElGamalKeypair::new_from_signer(
139        authority,
140        &token_account.to_bytes(),
141    )?;
142    let aes_key = AeKey::new_from_signer(
143        authority,
144        &token_account.to_bytes(),
145    )?;
146 
147    // Maximum pending deposits before apply_pending_balance must be called
148    let max_pending_balance_credit_counter = 65536u64;
149 
150    // Initial decryptable balance (encrypted with AES)
151    let decryptable_balance = aes_key.encrypt(0);
152 
153    // Generate proof that we control the ElGamal public key
154    let proof_data = PubkeyValidityProofData::new(&elgamal_keypair)
155        .map_err(|_| "Failed to generate pubkey validity proof")?;
156 
157    // Proof will be in the next instruction (offset 1)
158    let proof_location = ProofLocation::InstructionOffset(
159        1.try_into().unwrap(),
160        &proof_data,
161    );
162 
163    let mut instructions = vec![];
164 
165    // 1. Reallocate to add ConfidentialTransferAccount extension
166    instructions.push(reallocate(
167        &spl_token_2022::id(),
168        &token_account,
169        &payer.pubkey(),
170        &authority.pubkey(),
171        &[&authority.pubkey()],
172        &[ExtensionType::ConfidentialTransferAccount],
173    )?);
174 
175    // 2. Configure account (includes proof instruction)
176    instructions.extend(configure_account(
177        &spl_token_2022::id(),
178        &token_account,
179        mint,
180        &decryptable_balance.into(),
181        max_pending_balance_credit_counter,
182        &authority.pubkey(),
183        &[],
184        proof_location,
185    )?);
186 
187    let recent_blockhash = client.get_latest_blockhash()?;
188    let transaction = Transaction::new_signed_with_payer(
189        &instructions,
190        Some(&payer.pubkey()),
191        &[authority, payer],
192        recent_blockhash,
193    );
194 
195    let signature = client.send_and_confirm_transaction(&transaction)?;
196    Ok(signature)
197}
198```
199 
200### 2. Deposit to Confidential Balance
201 
202Move tokens from public balance to pending confidential balance:
203 
204```rust
205use solana_client::rpc_client::RpcClient;
206use solana_sdk::{signature::Signer, transaction::Transaction};
207use spl_associated_token_account::get_associated_token_address_with_program_id;
208use spl_token_2022::extension::confidential_transfer::instruction::deposit;
209 
210pub async fn deposit_to_confidential(
211    client: &RpcClient,
212    payer: &dyn Signer,
213    authority: &dyn Signer,
214    mint: &solana_sdk::pubkey::Pubkey,
215    amount: u64,
216    decimals: u8,
217) -> SigResult {
218    let token_account = get_associated_token_address_with_program_id(
219        &authority.pubkey(),
220        mint,
221        &spl_token_2022::id(),
222    );
223 
224    let deposit_ix = deposit(
225        &spl_token_2022::id(),
226        &token_account,
227        mint,
228        amount,
229        decimals,
230        &authority.pubkey(),
231        &[&authority.pubkey()],
232    )?;
233 
234    let recent_blockhash = client.get_latest_blockhash()?;
235    let transaction = Transaction::new_signed_with_payer(
236        &[deposit_ix],
237        Some(&payer.pubkey()),
238        &[payer, authority],
239        recent_blockhash,
240    );
241 
242    let signature = client.send_and_confirm_transaction(&transaction)?;
243    Ok(signature)
244}
245```
246 
247### 3. Apply Pending Balance
248 
249Move tokens from pending to available (spendable) balance:
250 
251```rust
252use solana_client::rpc_client::RpcClient;
253use solana_sdk::{signature::Signer, transaction::Transaction};
254use spl_associated_token_account::get_associated_token_address_with_program_id;
255use spl_token_2022::{
256    extension::{
257        confidential_transfer::{
258            instruction::apply_pending_balance as apply_pending_balance_instruction,
259            ConfidentialTransferAccount,
260        },
261        BaseStateWithExtensions, StateWithExtensions,
262    },
263    solana_zk_sdk::encryption::{auth_encryption::AeKey, elgamal::ElGamalKeypair},
264    state::Account as TokenAccount,
265};
266 
267pub async fn apply_pending_balance(
268    client: &RpcClient,
269    payer: &dyn Signer,
270    authority: &dyn Signer,
271    mint: &solana_sdk::pubkey::Pubkey,
272) -> SigResult {
273    let token_account = get_associated_token_address_with_program_id(
274        &authority.pubkey(),
275        mint,
276        &spl_token_2022::id(),
277    );
278 
279    // Derive encryption keys
280    let elgamal_keypair = ElGamalKeypair::new_from_signer(
281        authority,
282        &token_account.to_bytes(),
283    )?;
284    let aes_key = AeKey::new_from_signer(
285        authority,
286        &token_account.to_bytes(),
287    )?;
288 
289    // Fetch account state
290    let account_data = client.get_account(&token_account)?;
291    let account = StateWithExtensions::<TokenAccount>::unpack(&account_data.data)?;
292    let ct_extension = account.get_extension::<ConfidentialTransferAccount>()?;
293 
294    // Decrypt current balances - note: decrypt_u32 is called ON the ciphertext
295    let pending_balance_lo: spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalCiphertext =
296        ct_extension.pending_balance_lo.try_into()
297            .map_err(|_| "Failed to convert pending_balance_lo")?;
298    let pending_balance_hi: spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalCiphertext =
299        ct_extension.pending_balance_hi.try_into()
300            .map_err(|_| "Failed to convert pending_balance_hi")?;
301    let available_balance: spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalCiphertext =
302        ct_extension.available_balance.try_into()
303            .map_err(|_| "Failed to convert available_balance")?;
304 
305    // Decrypt using ciphertext.decrypt_u32(secret)
306    let pending_lo = pending_balance_lo.decrypt_u32(elgamal_keypair.secret())
307        .ok_or("Failed to decrypt pending_balance_lo")?;
308    let pending_hi = pending_balance_hi.decrypt_u32(elgamal_keypair.secret())
309        .ok_or("Failed to decrypt pending_balance_hi")?;
310    let current_available = available_balance.decrypt_u32(elgamal_keypair.secret())
311        .ok_or("Failed to decrypt available_balance")?;
312 
313    // Calculate new available balance
314    let pending_total = pending_lo + (pending_hi << 16);
315    let new_available = current_available + pending_total;
316 
317    // Encrypt new available balance with AES for owner
318    let new_decryptable_balance = aes_key.encrypt(new_available);
319 
320    // Get expected pending balance credit counter
321    let expected_counter: u64 = ct_extension.pending_balance_credit_counter.into();
322 
323    let apply_ix = apply_pending_balance_instruction(
324        &spl_token_2022::id(),
325        &token_account,
326        expected_counter,
327        &new_decryptable_balance.into(),
328        &authority.pubkey(),
329        &[&authority.pubkey()],
330    )?;
331 
332    let recent_blockhash = client.get_latest_blockhash()?;
333    let transaction = Transaction::new_signed_with_payer(
334        &[apply_ix],
335        Some(&payer.pubkey()),
336        &[payer, authority],
337        recent_blockhash,
338    );
339 
340    let signature = client.send_and_confirm_transaction(&transaction)?;
341    Ok(signature)
342}
343```
344 
345### 4. Confidential Transfer
346 
347Transfer tokens between accounts using zero-knowledge proofs. This is the most complex operation requiring multiple transactions and proof context state accounts:
348 
349```rust
350use solana_client::rpc_client::RpcClient;
351use solana_client::nonblocking::rpc_client::RpcClient as AsyncRpcClient;
352use solana_commitment_config::CommitmentConfig;
353use solana_sdk::signature::{Keypair, Signer};
354use spl_associated_token_account::get_associated_token_address_with_program_id;
355use spl_token_2022::{
356    extension::{
357        confidential_transfer::{
358            account_info::TransferAccountInfo,
359            ConfidentialTransferAccount, ConfidentialTransferMint,
360        },
361        BaseStateWithExtensions, StateWithExtensions,
362    },
363    solana_zk_sdk::encryption::{
364        auth_encryption::AeKey,
365        elgamal::ElGamalKeypair,
366        pod::elgamal::PodElGamalPubkey,
367    },
368    state::{Account as TokenAccount, Mint},
369};
370use spl_token_client::{
371    client::{ProgramRpcClient, ProgramRpcClientSendTransaction, RpcClientResponse},
372    token::{ProofAccountWithCiphertext, Token},
373};
374use std::sync::Arc;
375 
376fn extract_signature(response: RpcClientResponse) -> Result<solana_sdk::signature::Signature, Box<dyn std::error::Error>> {
377    match response {
378        RpcClientResponse::Signature(sig) => Ok(sig),
379        _ => Err("Expected Signature response".into()),
380    }
381}
382 
383pub async fn transfer_confidential(
384    client: &RpcClient,
385    _payer: &dyn Signer,
386    sender: &Keypair,  // Must be Keypair for token client
387    mint: &solana_sdk::pubkey::Pubkey,
388    recipient: &solana_sdk::pubkey::Pubkey,
389    amount: u64,
390) -> MultiSigResult {
391    let sender_token_account = get_associated_token_address_with_program_id(
392        &sender.pubkey(),
393        mint,
394        &spl_token_2022::id(),
395    );
396    let recipient_token_account = get_associated_token_address_with_program_id(
397        recipient,
398        mint,
399        &spl_token_2022::id(),
400    );
401 
402    // Get recipient's ElGamal public key
403    let recipient_account_data = client.get_account(&recipient_token_account)?;
404    let recipient_account = StateWithExtensions::<TokenAccount>::unpack(&recipient_account_data.data)?;
405    let recipient_ct_extension = recipient_account.get_extension::<ConfidentialTransferAccount>()?;
406    let recipient_elgamal_pubkey: spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalPubkey =
407        recipient_ct_extension.elgamal_pubkey.try_into()
408            .map_err(|_| "Failed to convert recipient ElGamal pubkey")?;
409 
410    // Get auditor ElGamal public key from mint (if configured)
411    let mint_account_data = client.get_account(mint)?;
412    let mint_account = StateWithExtensions::<Mint>::unpack(&mint_account_data.data)?;
413    let mint_ct_extension = mint_account.get_extension::<ConfidentialTransferMint>()?;
414    let auditor_elgamal_pubkey: Option<spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalPubkey> =
415        Option::<PodElGamalPubkey>::from(mint_ct_extension.auditor_elgamal_pubkey)
416            .map(|pk| pk.try_into())
417            .transpose()
418            .map_err(|_| "Failed to convert auditor ElGamal pubkey")?;
419 
420    // Derive sender's encryption keys
421    let sender_elgamal = ElGamalKeypair::new_from_signer(
422        sender,
423        &sender_token_account.to_bytes(),
424    )?;
425    let sender_aes = AeKey::new_from_signer(
426        sender,
427        &sender_token_account.to_bytes(),
428    )?;
429 
430    // Fetch sender account and create transfer info
431    let account_data = client.get_account(&sender_token_account)?;
432    let account = StateWithExtensions::<TokenAccount>::unpack(&account_data.data)?;
433    let ct_extension = account.get_extension::<ConfidentialTransferAccount>()?;
434    let transfer_info = TransferAccountInfo::new(ct_extension);
435 
436    // Verify sufficient balance
437    let available_balance: spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalCiphertext =
438        transfer_info.available_balance.try_into()
439            .map_err(|_| "Failed to convert available_balance")?;
440    let current_available = available_balance.decrypt_u32(sender_elgamal.secret())
441        .ok_or("Failed to decrypt available balance")?;
442 
443    if current_available < amount {
444        return Err(format!(
445            "Insufficient balance: have {}, need {}",
446            current_available, amount
447        ).into());
448    }
449 
450    // Generate split transfer proofs (equality, ciphertext validity, range)
451    let proof_data = transfer_info.generate_split_transfer_proof_data(
452        amount,
453        &sender_elgamal,
454        &sender_aes,
455        &recipient_elgamal_pubkey,
456        auditor_elgamal_pubkey.as_ref(),
457    )?;
458 
459    // Create async client for Token operations
460    let rpc_url = client.url();
461    let async_client = Arc::new(AsyncRpcClient::new_with_commitment(
462        rpc_url,
463        CommitmentConfig::confirmed(),
464    ));
465    let program_client = Arc::new(ProgramRpcClient::new(
466        async_client,
467        ProgramRpcClientSendTransaction,
468    ));
469 
470    // Clone sender for Arc (Token client requires ownership)
471    let sender_clone = Keypair::new_from_array(*sender.secret_bytes());
472    let sender_arc: Arc<dyn Signer> = Arc::new(sender_clone);
473 
474    let token = Token::new(
475        program_client,
476        &spl_token_2022::id(),
477        mint,
478        None,
479        sender_arc,
480    );
481 
482    // Create proof context state accounts
483    let equality_proof_account = Keypair::new();
484    let ciphertext_validity_proof_account = Keypair::new();
485    let range_proof_account = Keypair::new();
486 
487    let mut signatures = Vec::new();
488 
489    // 1. Create equality proof context account
490    let response = token.confidential_transfer_create_context_state_account(
491        &equality_proof_account.pubkey(),
492        &sender.pubkey(),
493        &proof_data.equality_proof_data,
494        false,
495        &[&equality_proof_account],
496    ).await?;
497    signatures.push(extract_signature(response)?);
498 
499    // 2. Create ciphertext validity proof context account
500    let response = token.confidential_transfer_create_context_state_account(
501        &ciphertext_validity_proof_account.pubkey(),
502        &sender.pubkey(),
503        &proof_data.ciphertext_validity_proof_data_with_ciphertext.proof_data,
504        false,
505        &[&ciphertext_validity_proof_account],
506    ).await?;
507    signatures.push(extract_signature(response)?);
508 
509    // 3. Create range proof context account
510    let response = token.confidential_transfer_create_context_state_account(
511        &range_proof_account.pubkey(),
512        &sender.pubkey(),
513        &proof_data.range_proof_data,
514        true,  // Range proof uses batched verification
515        &[&range_proof_account],
516    ).await?;
517    signatures.push(extract_signature(response)?);
518 
519    // 4. Execute the confidential transfer
520    let ciphertext_validity_proof = ProofAccountWithCiphertext {
521        context_state_account: ciphertext_validity_proof_account.pubkey(),
522        ciphertext_lo: proof_data.ciphertext_validity_proof_data_with_ciphertext.ciphertext_lo,
523        ciphertext_hi: proof_data.ciphertext_validity_proof_data_with_ciphertext.ciphertext_hi,
524    };
525 
526    let response = token.confidential_transfer_transfer(
527        &sender_token_account,
528        &recipient_token_account,
529        &sender.pubkey(),
530        Some(&equality_proof_account.pubkey()),
531        Some(&ciphertext_validity_proof),
532        Some(&range_proof_account.pubkey()),
533        amount,
534        None,
535        &sender_elgamal,
536        &sender_aes,
537        &recipient_elgamal_pubkey,
538        auditor_elgamal_pubkey.as_ref(),
539        &[sender],
540    ).await?;
541    signatures.push(extract_signature(response)?);
542 
543    // 5. Close proof context accounts to reclaim rent
544    let response = token.confidential_transfer_close_context_state_account(
545        &equality_proof_account.pubkey(),
546        &sender_token_account,
547        &sender.pubkey(),
548        &[sender],
549    ).await?;
550    signatures.push(extract_signature(response)?);
551 
552    let response = token.confidential_transfer_close_context_state_account(
553        &ciphertext_validity_proof_account.pubkey(),
554        &sender_token_account,
555        &sender.pubkey(),
556        &[sender],
557    ).await?;
558    signatures.push(extract_signature(response)?);
559 
560    let response = token.confidential_transfer_close_context_state_account(
561        &range_proof_account.pubkey(),
562        &sender_token_account,
563        &sender.pubkey(),
564        &[sender],
565    ).await?;
566    signatures.push(extract_signature(response)?);
567 
568    Ok(signatures)
569}
570```
571 
572### 5. Withdraw from Confidential Balance
573 
574Move tokens from available confidential balance back to public balance:
575 
576```rust
577use solana_client::rpc_client::RpcClient;
578use solana_sdk::{signature::Signer, transaction::Transaction};
579use spl_associated_token_account::get_associated_token_address_with_program_id;
580use spl_token_2022::{
581    extension::{
582        confidential_transfer::{
583            account_info::WithdrawAccountInfo,
584            instruction::withdraw,
585            ConfidentialTransferAccount,
586        },
587        BaseStateWithExtensions, StateWithExtensions,
588    },
589    solana_zk_sdk::encryption::{auth_encryption::AeKey, elgamal::ElGamalKeypair},
590    state::Account as TokenAccount,
591};
592use spl_token_confidential_transfer_proof_extraction::instruction::ProofLocation;
593 
594pub async fn withdraw_from_confidential(
595    client: &RpcClient,
596    payer: &dyn Signer,
597    authority: &dyn Signer,
598    mint: &solana_sdk::pubkey::Pubkey,
599    amount: u64,
600    decimals: u8,
601) -> SigResult {
602    let token_account = get_associated_token_address_with_program_id(
603        &authority.pubkey(),
604        mint,
605        &spl_token_2022::id(),
606    );
607 
608    // Derive encryption keys
609    let elgamal_keypair = ElGamalKeypair::new_from_signer(
610        authority,
611        &token_account.to_bytes(),
612    )?;
613    let aes_key = AeKey::new_from_signer(
614        authority,
615        &token_account.to_bytes(),
616    )?;
617 
618    // Fetch account state
619    let account_data = client.get_account(&token_account)?;
620    let account = StateWithExtensions::<TokenAccount>::unpack(&account_data.data)?;
621    let ct_extension = account.get_extension::<ConfidentialTransferAccount>()?;
622 
623    // Create withdraw account info helper
624    let withdraw_info = WithdrawAccountInfo::new(ct_extension);
625 
626    // Decrypt available balance to verify sufficiency
627    let available_balance: spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalCiphertext =
628        withdraw_info.available_balance.try_into()
629            .map_err(|_| "Failed to convert available_balance")?;
630    let current_available = available_balance.decrypt_u32(elgamal_keypair.secret())
631        .ok_or("Failed to decrypt available balance")?;
632 
633    if current_available < amount {
634        return Err(format!(
635            "Insufficient confidential balance: have {}, need {}",
636            current_available, amount
637        ).into());
638    }
639 
640    // Generate withdrawal proofs using the helper
641    let proof_data = withdraw_info.generate_proof_data(
642        amount,
643        &elgamal_keypair,
644        &aes_key,
645    )?;
646 
647    // Calculate new decryptable available balance after withdrawal
648    let new_available = current_available - amount;
649    let new_decryptable_balance = aes_key.encrypt(new_available);
650 
651    // Build withdraw instruction with two proof locations (equality + range)
652    let withdraw_instructions = withdraw(
653        &spl_token_2022::id(),
654        &token_account,
655        mint,
656        amount,
657        decimals,
658        &new_decryptable_balance.into(),
659        &authority.pubkey(),
660        &[&authority.pubkey()],
661        ProofLocation::InstructionOffset(1.try_into().unwrap(), &proof_data.equality_proof_data),
662        ProofLocation::InstructionOffset(2.try_into().unwrap(), &proof_data.range_proof_data),
663    )?;
664 
665    let recent_blockhash = client.get_latest_blockhash()?;
666    let transaction = Transaction::new_signed_with_payer(
667        &withdraw_instructions,
668        Some(&payer.pubkey()),
669        &[payer, authority],
670        recent_blockhash,
671    );
672 
673    let signature = client.send_and_confirm_transaction(&transaction)?;
674    Ok(signature)
675}
676```
677 
678## Reading Balances
679 
680To read and decrypt all balance types:
681 
682```rust
683pub fn get_confidential_balances(
684    client: &RpcClient,
685    authority: &dyn Signer,
686    mint: &solana_sdk::pubkey::Pubkey,
687) -> Result<(u64, u64, u64), Box<dyn std::error::Error>> {
688    let token_account = get_associated_token_address_with_program_id(
689        &authority.pubkey(),
690        mint,
691        &spl_token_2022::id(),
692    );
693 
694    let elgamal_keypair = ElGamalKeypair::new_from_signer(authority, &token_account.to_bytes())?;
695    let aes_key = AeKey::new_from_signer(authority, &token_account.to_bytes())?;
696 
697    let account_data = client.get_account(&token_account)?;
698    let account = StateWithExtensions::<TokenAccount>::unpack(&account_data.data)?;
699    let ct_extension = account.get_extension::<ConfidentialTransferAccount>()?;
700 
701    // Public balance (visible to all)
702    let public_balance = account.base.amount;
703 
704    // Pending balance (decrypt with ElGamal) - note method is on ciphertext
705    let pending_lo_ct: spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalCiphertext =
706        ct_extension.pending_balance_lo.try_into()?;
707    let pending_hi_ct: spl_token_2022::solana_zk_sdk::encryption::elgamal::ElGamalCiphertext =
708        ct_extension.pending_balance_hi.try_into()?;
709 
710    let pending_lo = pending_lo_ct.decrypt_u32(elgamal_keypair.secret()).unwrap_or(0) as u64;
711    let pending_hi = pending_hi_ct.decrypt_u32(elgamal_keypair.secret()).unwrap_or(0) as u64;
712    let pending_balance = pending_lo + (pending_hi << 16);
713 
714    // Available balance (decrypt with AES - only owner can see)
715    let available_balance = aes_key.decrypt(&ct_extension.decryptable_available_balance.try_into()?)?;
716 
717    Ok((public_balance, pending_balance, available_balance))
718}
719```
720 
721## Security Considerations
722 
723- **Key derivation is deterministic**: The same keypair always produces the same encryption keys for a given token account. This enables recovery but means keypair compromise exposes all confidential balances.
724- **Auditor keys**: Mints can configure an auditor ElGamal public key that can decrypt all transfer amounts (but not balances).
725- **Pending balance limits**: The `max_pending_balance_credit_counter` limits how many incoming transfers can accumulate before `apply_pending` must be called.
726- **Proof verification**: All proofs are verified by the ZK ElGamal Proof Program onchain (`ZkE1Gama1Proof11111111111111111111111111111`).
727 
728## Reference Implementation
729 
730For complete working examples including mint creation, see:
731https://github.com/gitteri/confidential-balances-exploration (Rust) and
732https://github.com/catmcgee/confidential-transfers-explorer (TypeScript)
733 
734## Limitations
735 
736- Currently only works on ZK-Edge testnet (`https://zk-edge.surfnet.dev/`)
737- Transfer operations require multiple transactions (7 total) due to proof size. This will be lower when larger transactions are merged into mainnet
738- Proof generation can be computationally intensive (client-side)
739- Sender must be a `Keypair` (not generic `Signer`) for transfers due to token client requirements
740

Solana Development Skill (framework-kit-first)

references/confidential-transfers.md

Preparing the source view

Solana Development Skill (framework-kit-first)

references/confidential-transfers.md