Sarang Noether
The construction listed here does not guarantee that the key image appearing in the signature corresponds to the expected ring member. An adversary holding the user's view key can simply...
The "message" you're hiding in scalars for the second idea would be a hash of the view key, the scalar index, and public data unique to the signature. Reuse of...
It depends on your definition of "reliable" here. Balance is only correct if every spend follows the standard, which cannot be enforced. It's a convenience feature that assumes/requires all your...
It's not clear to me if this could be directly adapted to Lelantus, since it uses double-blinded commitments (one term for the value and the other for the standard blinder)....
This idea could be extended to the multi-input case as well, of course. If I'm doing my counting correctly, a 2-input set of proofs (not including the necessary intermediate commitments...
Here is some basic [proof-of-concept code](https://github.com/SarangNoether/skunkworks/tree/lrs/lrs) for this idea. It's only for research, so don't use it for any production purposes.
The algebra seems to check out.
This commit contains some initial (and probably not secure) code to prove knowledge of openings to multiple commitments, along with the correct construction of the corresponding linking tags: https://github.com/SarangNoether/skunkworks/commit/f0a1e1aaf3e39e0d83a4e0a247e05e1f5d537455
The previous mitigation example requires a separate additional base-`G` point for each transaction private key, which can scale poorly. Here is an alternate idea from @UkoeHB on a way to...
> Note: Adding the final form of Janus mitigation would add an average 64 bytes per transaction (average output count is ~2.2, most of which have 1 tx pub key...