About range proofs #3

Open
PanosChtz opened this issue Nov 23, 2017 · 3 comments

@PanosChtz

Is the range proof example on pages 13-14 based on Definition 9 of the Confidential Assets paper, "Back-Maxwell Rangeproof"?

@AdamISZ
Owner

AdamISZ commented Nov 23, 2017

It's based on the original codebase in Elements Alpha in 2015. I'll have to check the paper you're referring to but I'm betting that that includes the additional optimization found by Adam Back some time later, in which case the answer is no; that additional optimization isn't included in this doc.

@PanosChtz
Author

PanosChtz commented Nov 23, 2017

Here is the paper link
Also, after reading pages 13-14 I am trying to link the elements of the range proof example with the Borromean ring signature on page 11.
On the ring signature (pg11) we have 4 participants each with their respective public key P. We know the private key x for only one of the participants who is able to sign the ring. We also have a message m to be signed, 4 signatures that are published and one e-value derived from the signer. So far so good, and the ring signature scheme seems to work.
On the range proof example, we want to perform a ring signature for each of the value digits.
Suppose we have base 4, so there are 4 possible digit values.
My questions are:
a) On the bottom of pg.13, it is stated "So we need to construct a pubkey like this:..." Should that more precisely be "So we need to construct a commitment like this:..."? Also should the C- values on the bottom C20 C21 C22 C23 be named as "commitments" rather than "pubkeys"?
b) In the context of the Borromean ring signature example, what would the public keys for the digit range-proof be? Are these the values 0*(4^13), 1*(4^13), 2*(4^13) and 3*(4^13)?
c) What is our message m here?
d) What is the e-value and the signatures that are published according to the ring signature scheme?

@AdamISZ
Owner

AdamISZ commented Nov 23, 2017

> Here is the paper link

(edited the comment so the link works). Answer: yes, it's as I remember, that construction has an extra tweak from Dr Back for slightly improved space usage. Note that this doc was actually written in 2015 (the title has a later date due to minor edits).

> a) On the bottom of pg.13, it is stated "So we need to construct a pubkey like this:..." Should that more precisely be "So we need to construct a commitment like this:..."? Also should the C- values on the bottom C20 C21 C22 C23 be named as "commitments" rather than "pubkeys"?

Yes, technically I would agree; I have a habit of sometimes using "pubkey" for "elliptic curve point", which the commitments are of course. But I agree "commitment" is less confusing here; it's just that we are indeed using these points as pubkeys that we either can or cannot sign against, depending.

> b) In the context of the Borromean ring signature example, what would the public keys for the digit range-proof be? Are these the values 0*(4^13), 1*(4^13), 2*(4^13) and 3*(4^13)?

The public keys are exactly the commitments, or technically the sub-commitments for each digit. See the paragraph on page 14 "Now, when time comes to ..." - there I'm pointing out that we can sign against the pubkey commitment C_21, as a pubkey, because we know its privkey.

> c) What is our message m here?

I remember at the time of Greg's original writeup he mentioned that the message can be simply the pubkey itself, to fix it. I'm guessing that may have changed. I probably mentioned something similarly vague in this document.

> d) What is the e-value and the signatures that are published according to the ring signature scheme?

You can look at my ring sig implementation at https://github.com/AdamISZ/borring if you want to find the exact structure of the message hash e (it concatenates the pubkeys in a certain way). I know it was compatible with Elements Alpha at the time I wrote it, as I was able to create signatures that Elements Alpha verified.

Apart from that, not sure what you're asking; you did see at the end of the doc there is a complete serialization of a txout, right? There's lots of information on how the signature values are constructed.
