About range proofs #3
It's based on the original codebase in Elements Alpha in 2015. I'll have to check the paper you're referring to but I'm betting that that includes the additional optimization found by Adam Back some time later, in which case the answer is no; that additional optimization isn't included in this doc.
Here is the paper link
(edited the comment so the link works). Answer: yes, it's as I remember, that construction has an extra tweak from Dr Back for slightly improved space usage. Note that this doc was actually written in 2015 (the title has a later date due to minor edits).
Yes, technically I would agree; I have a habit of sometimes using "pubkey" for "elliptic curve point", which the commitments are of course. But I agree "commitment" is less confusing here; it's just that we are indeed using these points as pubkeys that we either can or cannot sign against, depending.
The public keys are exactly the commitments, or technically the sub-commitments for each digit. See the paragraph on page 14 "Now, when time comes to ..." - there I'm pointing out that we can sign against the pubkey commitment C_21, as a pubkey, because we know its privkey.
I remember at the time of Greg's original writeup he mentioned that the message can be simply the pubkey itself, to fix it. I'm guessing that may have changed. I probably mentioned something similarly vague in this document.
You can look at my ring sig implementation at https://github.com/AdamISZ/borring if you want to find the exact structure of the message hash. Apart from that, not sure what you're asking; you did see at the end of the doc there is a complete serialization of a txout, right? There's lots of information on how the signature values are constructed.
Is the range proof example on pages 13-14 based on Definition 9 of the Confidential Assets paper, "Back-Maxwell Rangeproof"?