1

Looking at the code, and after reading a post on the subject, it looks as if transactions of type RCTTypeSimple (multi-input, RCT) get new commitments with new blinding factors for the inputs.

Doesn't this mean that the sender can get creative about the input amounts? There is no way of verifying that they match the previous outputs ...

1
  • Try it and see :) Commented Dec 13, 2017 at 21:02

1 Answer

4

That additional commitment used in the "RCTSimple" scheme is called "pseudo output". And the short answer is NO: the original input commitment and the pseudo output commitment are guaranteed to commit to the same amount. Below is why.

Suppose the sender's input commitment C consists of the mask (aka. blinding factor) x and the committed amount a:

C = x*G + a*H 

The pseudo output is a commitment to the same amount but with a different mask y chosen by the sender:

D = y*G + a*H 

The sender forms a ring signature by randomly choosing decoy outputs as ring partners. Let's say the ring size is 5 and the commitments in the ring are denoted as C1, C2, C3, C4, C5 and the sender's commitment is in the second place in the ring, i.e. C2 = C. The ring signature is formed with respect to public keys defined as:

P1 = C1 - D
...
P5 = C5 - D

Importantly, the sender knows the secret key of P2 as x-y because D is a commitment to the same amount as committed to by C. From the verifier's perspective, the fact that the ring signature of pubkeys P1,...,P5 as defined above checks as valid proves that one of C1,...,C5 commits to the same amount as committed to by D.

3
  • Thanks for the reply. I understand that with this scheme, it is the current inputs and previous outputs that are committed to 0. But what about the output commitments of the current transaction? With the Full scheme, one commits to zero previous outputs (=current inputs) with current outputs. Current outputs should also be committed to 0 with the current inputs in order to prove that the current transaction balances. But I cannot see that in the code ... Sorry for all the questions ... I'm writing a paper about the crypto in Monero Commented Dec 14, 2017 at 6:53
  • It's very simple, you just check sum(pseudoOut) == sum(outputCommitment) + fee*H. Perhaps this post with an actual example may be helpful: monero.stackexchange.com/questions/2575/… Commented Dec 14, 2017 at 7:34
  • Yes, obviously. Sorry, it was too early in the morning and no coffee :-) Commented Dec 14, 2017 at 7:49
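The argument in the answer and the balance check from the comments, as an added Python example that is not part of the original thread and is not Monero's code. It builds the ring P_i = C_i - D on ed25519 and signs it with a plain AOS-style ring signature over the commitment differences only, which is a simplification of Monero's MLSAG (no key images, no address-key column). Assumptions: H is a constructed second generator rather than Monero's H, the names `diff_ring` and `balances` are invented here, and the arithmetic is not constant time.

```python
import hashlib, secrets
from functools import reduce

p = 2**255 - 19                                       # ed25519 field prime
L = 2**252 + 27742317777372353535851937790883648493   # prime order of G
d = -121665 * pow(121666, -1, p) % p                  # curve constant
def add(P, Q):                        # complete twisted-Edwards addition
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1*y2 + x2*y1) * pow(1 + t, -1, p) % p,
            (y1*y2 + x1*x2) * pow(1 - t, -1, p) % p)
def mul(k, P):                        # double-and-add, not constant time
    R = (0, 1)
    for bit in bin(k % L)[2:]:
        R = add(add(R, R), P) if bit == "1" else add(R, R)
    return R
def lift(y):                          # even-x curve point with this y, or None
    xx = (y*y - 1) * pow(d*y*y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    x = x if (x*x - xx) % p == 0 else x * pow(2, (p - 1) // 4, p) % p
    return (x if x % 2 == 0 else p - x, y) if (x*x - xx) % p == 0 else None
def Hs(*parts):                       # hash to scalar
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % L
G = lift(4 * pow(5, -1, p) % p)       # ed25519 base point
y = Hs("constructed H for this example, not Monero's H")
while lift(y) is None:                # try-and-increment hash to point
    y += 1
H = mul(8, lift(y))                   # cofactor cleared; dlog w.r.t. G unknown

def commit(mask, amount):             # C = mask*G + amount*H
    return add(mul(mask, G), mul(amount, H))
def diff_ring(Cs, D):                 # P_i = C_i - D, as in the answer
    return [add(C, (-D[0] % p, D[1])) for C in Cs]

def ring_sign(ring, j, sk):           # signer knows sk with ring[j] == sk*G
    n, k = len(ring), secrets.randbelow(L)
    s, c = [secrets.randbelow(L) for _ in ring], [0] * n
    c[(j + 1) % n] = Hs(ring, mul(k, G))
    for i in ((j + t) % n for t in range(1, n)):
        c[(i + 1) % n] = Hs(ring, add(mul(s[i], G), mul(c[i], ring[i])))
    s[j] = (k - c[j] * sk) % L        # closes the ring only if ring[j] == sk*G
    return c[0], s

def ring_verify(ring, sig):
    c = sig[0]
    for P, s in zip(ring, sig[1]):
        c = Hs(ring, add(mul(s, G), mul(c, P)))
    return c == sig[0]
def balances(pseudo_outs, outs, fee):  # sum(pseudoOut) == sum(out) + fee*H
    return reduce(add, pseudo_outs) == add(reduce(add, outs), mul(fee, H))
```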
