ConfidentialTransactionsDoc

About range proofs

Open PanosChtz opened this issue 7 years ago • 3 comments

Is the range proof example on pages 13-14 based on Definition 9 of the Confidential Assets paper, "Back-Maxwell Rangeproof"?

PanosChtz avatar Nov 23 '17 05:11 PanosChtz

It's based on the original codebase in Elements Alpha in 2015. I'll have to check the paper you're referring to but I'm betting that that includes the additional optimization found by Adam Back some time later, in which case the answer is no; that additional optimization isn't included in this doc.

AdamISZ avatar Nov 23 '17 08:11 AdamISZ

Here is the paper link.

Also, after reading pages 13-14 I am trying to link the elements of the range proof example with the Borromean ring signature on page 11. On the ring signature (pg11) we have 4 participants each with their respective public key P. We know the private key x for only one of the participants who is able to sign the ring. We also have a message m to be signed, 4 signatures that are published and one e-value derived from the signer. So far so good, and the ring signature scheme seems to work. On the range proof example, we want to perform a ring signature for each of the value digits. Suppose we have base 4, so there are 4 possible digit values. My questions are:

a) On the bottom of pg.13, it is stated "So we need to construct a pubkey like this:..." Should that more precisely be "So we need to construct a commitment like this:..."? Also should the C- values on the bottom C20 C21 C22 C23 be named as "commitments" rather than "pubkeys"?

b) In the context of the Borromean ring signature example, what would the public keys for the digit range-proof be? Are these the values 0*(4^13), 1*(4^13), 2*(4^13) and 3*(4^13)?

c) What is our message m here?

d) What is the e-value and the signatures that are published according to the ring signature scheme?

PanosChtz avatar Nov 23 '17 16:11 PanosChtz

Here is the paper link

(edited the comment so the link works). Answer: yes, it's as I remember, that construction has an extra tweak from Dr Back for slightly improved space usage. Note that this doc was actually written in 2015 (the title has a later date due to minor edits).

a) On the bottom of pg.13, it is stated "So we need to construct a pubkey like this:..." Should that more precisely be "So we need to construct a commitment like this:..."? Also should the C- values on the bottom C20 C21 C22 C23 be named as "commitments" rather than "pubkeys"?

Yes, technically I would agree; I have a habit of sometimes using "pubkey" for "elliptic curve point", which the commitments are of course. But I agree "commitment" is less confusing here; it's just that we are indeed using these points as pubkeys that we either can or cannot sign against, depending.

b) In the context of the Borromean ring signature example, what would the public keys for the digit range-proof be? Are these the values 0*(4^13), 1*(4^13), 2*(4^13) and 3*(4^13)?

The public keys are exactly the commitments, or technically the sub-commitments for each digit. See the paragraph on page 14 "Now, when time comes to ..." - there I'm pointing out that we can sign against the pubkey commitment C_21, as a pubkey, because we know its privkey.

c) What is our message m here?

I remember at the time of Greg's original writeup he mentioned that the message can be simply the pubkey itself, to fix it. I'm guessing that may have changed. I probably mentioned something similarly vague in this document.

d) What is the e-value and the signatures that are published according to the ring signature scheme?

You can look at my ring sig implementation at https://github.com/AdamISZ/borring if you want to find the exact structure of the message hash e (it concatenates the pubkeys in a certain way). I know it was compatible with Elements Alpha at the time I wrote it, as I was able to create signatures that Elements Alpha verified.

Apart from that, not sure what you're asking; you did see at the end of the doc there is a complete serialization of a txout, right? There's lots of information on how the signature values are constructed.

AdamISZ avatar Nov 23 '17 17:11 AdamISZ