> In terms of protocols, not specific coins, privacy is clearly technically viable.
Can you provide some link to back this up? I am genuinely interested because in principle public ledgers and privacy seem to be antithetic to one another.
Here's an optimization used in Monero that optimizes the ledger size (initial confidential transaction proofs were too large).
You can have a public ledger but all of the data in it is encrypted and verifiable.
Each transaction, from creation to validation, has its amounts and wallet IDs hidden; the sender and the receiver cannot know anything about each other's wallet contents, and the receiver has no idea where the sender is sourcing the coins from.
OK, you and I exchanging coins do not know about each other's wallets or even the origin & destination of our transaction.
This anonymity depends on encryption to hide the wallets & transaction, and decryption to verify it, and for the receiver to be able to use the funds in the future.
So, who/what controls those keys? Seems they've just exchanged an open ledger problem for a key management problem - why is this not the case?
The key insight is that you design a cryptographic algorithm that will preserve addition between amounts, even when encrypted, but you also need to provide some encrypted data that will allow an independent verifier to validate the whole transaction.
The problem is more nuanced because you need to guarantee that coins aren't produced from thin air.
The problem with the approach in the linked article is that proofs are large. To support encrypted verification (there is no need to decrypt anything in any step of the process) you need thousands of bytes to verify a 32-bit amount.
Bulletproofs reduced the proof size significantly. There are then additional approaches like MimbleWimble where the proofs on the ledger can be discarded to make it even smaller.
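The balance check sketched in the comment above (amounts that stay additive under encryption, a verifier that never decrypts, and the reason coins could otherwise appear "from thin air" without a range proof), as an added Python illustration. This is not part of the thread and is not Monero's, MimbleWimble's or any project's code: it is a toy Pedersen commitment over the prime-order subgroup of Z_p^* for a self-generated ~62-bit safe prime (discrete logs are easy at this size; it only keeps the example fast and dependency-free). The generator choice, the `build_tx`/`verify_balance`/`inflation_attack` names, revealing the blinding excess as a raw scalar, and standing in a plain opening check for a real range proof are all my own simplifications, not how any deployed system does it.

```python
"""Toy Pedersen-commitment ledger: homomorphic amounts, balance check, and
why a range proof is still needed.  Added illustration, not project code."""
import hashlib
import secrets
from dataclasses import dataclass


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; these bases are sufficient for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass(frozen=True)
class Params:
    p: int  # safe prime p = 2q + 1 (toy size, NOT secure)
    q: int  # order of the subgroup the commitments live in
    g: int  # generator carrying the amount
    h: int  # generator carrying the blinding factor


def setup(bits: int = 62) -> Params:
    q = (1 << (bits - 1)) | 1              # odd start point for the search
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    g = 4                                  # a square, so it lies in the order-q subgroup
    # h must have an UNKNOWN discrete log base g or commitments stop being
    # binding: derive it from a fixed hash and square it into the subgroup.
    seed = int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big")
    h = pow(seed % p, 2, p)
    return Params(p, q, g, h)


def commit(P: Params, v: int, r: int) -> int:
    """C = g^v * h^r mod p.  Exponents live mod q, so v = -2 and v = q - 2
    produce the SAME commitment: the verifier cannot tell them apart."""
    return pow(P.g, v % P.q, P.p) * pow(P.h, r % P.q, P.p) % P.p


def build_tx(P: Params, in_vals, out_vals):
    """Sender side: commit each amount with a fresh blinding factor and publish
    the blinding 'excess' (sum r_in - sum r_out) alongside the commitments.
    (MimbleWimble publishes h^excess plus a signature under it; same check.)
    Returns the public tx and the output openings the receiver gets out of band."""
    ins = [(v, secrets.randbelow(P.q)) for v in in_vals]
    outs = [(v, secrets.randbelow(P.q)) for v in out_vals]
    excess = (sum(r for _, r in ins) - sum(r for _, r in outs)) % P.q
    tx = {"inputs": [commit(P, v, r) for v, r in ins],
          "outputs": [commit(P, v, r) for v, r in outs],
          "excess": excess}
    return tx, outs


def verify_balance(P: Params, tx) -> bool:
    """Verifier side: sees only commitments.  prod(in) / prod(out) equals
    g^(sum v_in - sum v_out) * h^excess, so it equals h^excess exactly when
    the amounts balance mod q.  Nothing is decrypted."""
    acc = 1
    for c in tx["inputs"]:
        acc = acc * c % P.p
    for c in tx["outputs"]:
        acc = acc * pow(c, P.p - 2, P.p) % P.p   # multiply by inverse
    return acc == pow(P.h, tx["excess"], P.p)


def opens_in_range(P: Params, c: int, v: int, r: int, bits: int = 32) -> bool:
    """Stand-in for a range proof: a real CT/Bulletproof proves 0 <= v < 2^bits
    in zero knowledge; here the receiver checks the opening it was handed."""
    return 0 <= v < (1 << bits) and commit(P, v, r) == c


def inflation_attack(P: Params):
    """Input 5, outputs 7 and 'minus 2' (encoded as q - 2).  The balance
    equation holds mod q, so 2 coins appear from thin air unless every
    output carries a range proof.  Returns (balance_ok, all_outputs_in_range)."""
    tx, outs = build_tx(P, [5], [7, P.q - 2])
    in_range = all(opens_in_range(P, c, v, r) for c, (v, r) in zip(tx["outputs"], outs))
    return verify_balance(P, tx), in_range


PARAMS = setup()

if __name__ == "__main__":
    tx, _ = build_tx(PARAMS, [10, 5], [12, 3])
    print("honest tx balances:", verify_balance(PARAMS, tx))
    bal, rng = inflation_attack(PARAMS)
    print("inflation tx balances:", bal, "| all outputs in range:", rng)
```

The honest transaction passes `verify_balance` while the verifier sees nothing but group elements; the inflation transaction also passes it, and is only caught by the range check on each output, which is exactly the gap the bulky per-amount proofs (and later Bulletproofs) exist to close. Note also the `h` comment: if anyone knows log_g(h), they can open a commitment to any value, which is why real deployments derive the second generator from a hash.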
To be honest, I don't see any maths. I see a document titled "investigation" which contains a bibliography consisting of a single forum post from 2013 by someone named Adam, and then the author goes on saying that he has invented some maths that allegedly would allow confidential transactions. Forgive me if I'm a bit sceptical... better wait until some experts review this material.
Sure.
Starting from the academic beginning and then going to commercial usage: Zerocash[0], a paper from 2014 (I'm an author on it), proposes using zksnarks to get a public ledger + privacy with no centralized parties. Instead of identifying the origin of your money on the blockchain and moving it to someone, you just prove in zero-knowledge your payment is correct. This showed strong privacy on a public blockchain was feasible. But slow (2 minutes per payment IIRC)
Three years and much work by others later, it takes ~2 to 3 seconds on a Pixel three to make a zk-proof for a payment. This can be optimized down to 1 second fairly easily (on that you have only my assertion currently)
This is commercially deployed in Zcash (the above mentioned coin with usability and adoption issues), a few other straight up forks, and a new coin called IronFish. And related protocols are in a few things on Ethereum (e.g., Aztec). If you want to test performance numbers, you can download one of these systems and try it yourself (Nighthawk is a decent mobile wallet for Zcash)
Current technical objections (again, beyond criticisms of Zcash as a coin itself)
1) Current ZK proofs require trusted setup. New ZK proofs developed by engineers at Zcash removed this[1]. So it's no longer an issue for the technology (or for Zcash once it's deployed)
2) you have to scan the blockchain to get notified of payments. No, this happens to be how Zcash does it. As I said in a separate comment, it's easy to send payment notifications out of band.
3) Vague objections about "scale." Even though zksnarks take a second or two to prove, they are very fast to verify. So adding privacy doesn't make blockchain's scaling problems worse. And the privacy tech is agnostic to the underlying consensus layer, so if you ever get a blockchain to scale, you can put privacy on it.
4) Other approaches (Monero/RingCT/Coinjoin) are better. The major problem is these don't offer strong privacy, just obfuscation. See [2] if you want a 20 minute talk on the issues or [3] for a blog post covering the same
5) There's an inflation risk. Yes, once you hide the values of a payment, because you want privacy, if the crypto breaks, things can go wrong. This is true of any serious approach to privacy. So you want to very carefully vet the crypto design. But if you don't hide payment values, you get no privacy and your blockchain is twitter for your bank account.