As far as I understand, Monero allows Alice to create a public key for Bob that only Bob knows, on the fly, by using the following mechanism:

Bob's address: A = aG, B = bG, where only Bob knows a and b.

Alice's creation: R = rG, P = h(rA)G + B

This allows Bob to know that the private key of P is equal to h(aR) + b.

My question is, is this key creation process enforced?

For example, could Alice send money to a different P that is in no way associated with an address A and B, and is instead an arbitrary P = xG and simply generating a random unassociated R? Or is there a mechanism that I am not aware of that somehow prevents this?

My suspicion is that this is a valid maneuver, as it doesn't violate any of the unlinkability protections and is, as far as I know, undetectable.

EDIT: Just to be clear, this P = xG has not been used before.

EDIT 2: I should clarify that x can be a value known by Bob.

Zarquan

1 Answer

Is this key creation process enforced?

There is no protocol level enforcement beyond P and R being points on the curve.

For example, could Alice send money to a different P that is in no way associated with an address A and B, and is instead an arbitrary P = xG and simply generating a random unassociated R?

So yes, in theory at least, Alice could manually construct a transaction with output key P and transaction key R as you described.

jtgrassie
  • Would it be burning the money? If Bob (or Alice) knew x? I thought the only thing needed for a transaction was the private key and R was only needed to find the key. – Zarquan Mar 13 '19 at 04:28
  • If the random x was persisted then no, funds wouldn't be burnt. – jtgrassie Mar 13 '19 at 11:21
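The following is an added worked example, not code from the question or the answer, that reproduces the derivation the question describes on ed25519 and then constructs the "arbitrary P with an unrelated R" output the answer says nothing forbids. It is a toy: the curve arithmetic is affine pure Python, SHA-512 reduced mod the group order stands in for Monero's Keccak-based hash_to_scalar, and, following the question's formulas, it omits details of the real Monero derivation such as the cofactor multiplication (8rA) and the output index in the hash. All function names are the example's own.

```python
# Toy reproduction of Monero-style one-time output keys on ed25519.
# Assumptions (not from the original post): SHA-512 mod L stands in for
# Monero's Keccak hash_to_scalar; the question's formulas are used as written
# (no cofactor multiplication by 8, no output index in the hash).
import hashlib
import secrets

# ed25519 parameters (RFC 8032): field prime, Edwards constant d, group order L.
p = 2**255 - 19
d = (-121665 * pow(121666, -1, p)) % p
L = 2**252 + 27742317777372353535851937790883648493
IDENT = (0, 1)  # neutral element of the curve group


def _inv(x):
    return pow(x, p - 2, p)


def on_curve(P):
    """The only check a verifier can make on P or R: is it a curve point?"""
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0


def point_add(P1, P2):
    """Unified addition on the twisted Edwards curve -x^2 + y^2 = 1 + d x^2 y^2."""
    x1, y1 = P1
    x2, y2 = P2
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * _inv(1 + t) % p
    y3 = (y1 * y2 + x1 * x2) * _inv(1 - t) % p
    return (x3, y3)


def scalar_mult(k, P):
    """Double-and-add; k is deliberately not reduced so L*G == IDENT is checkable."""
    R = IDENT
    while k:
        if k & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        k >>= 1
    return R


def _base_point():
    """Derive G from y = 4/5 (RFC 8032), picking the even x like the encoding does."""
    y = 4 * _inv(5) % p
    x2 = (y * y - 1) * _inv(d * y * y + 1) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * pow(2, (p - 1) // 4, p) % p   # multiply by sqrt(-1)
    if x & 1:
        x = p - x
    return (x, y)


G = _base_point()


def encode_point(P):
    """Standard 32-byte ed25519 encoding: y little-endian with sign of x in the top bit."""
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def hash_to_scalar(data):
    # Stand-in for Monero's Keccak-based Hs(); reduced into the scalar field.
    return int.from_bytes(hashlib.sha512(data).digest(), "little") % L


def rand_scalar():
    return secrets.randbelow(L - 1) + 1


def bob_keygen():
    """Bob's address: A = aG (view), B = bG (spend)."""
    a, b = rand_scalar(), rand_scalar()
    return (a, b), (scalar_mult(a, G), scalar_mult(b, G))


def alice_make_output(A, B):
    """Honest sender: R = rG, P = h(rA)G + B, exactly as in the question."""
    r = rand_scalar()
    R = scalar_mult(r, G)
    P = point_add(scalar_mult(hash_to_scalar(encode_point(scalar_mult(r, A))), G), B)
    return R, P


def bob_scan(a, B, R, P):
    """Receiver's wallet scan: does h(aR)G + B reproduce the output key P?"""
    return point_add(scalar_mult(hash_to_scalar(encode_point(scalar_mult(a, R))), G), B) == P


def bob_recover_key(a, b, R):
    """Spend key for a recognised output: x = h(aR) + b."""
    return (hash_to_scalar(encode_point(scalar_mult(a, R))) + b) % L


def alice_make_unlinked_output():
    """The question's scenario: P = xG for a fresh random x, plus a random unrelated R.
    Both are valid curve points, so nothing at the protocol level rejects them;
    whoever holds x can spend, and nobody's scan will ever recognise the output."""
    x = rand_scalar()
    R = scalar_mult(rand_scalar(), G)
    return x, R, scalar_mult(x, G)


if __name__ == "__main__":
    (a, b), (A, B) = bob_keygen()
    R, P = alice_make_output(A, B)
    print("honest output recognised by scan:", bob_scan(a, B, R, P))
    print("recovered key reproduces P:", scalar_mult(bob_recover_key(a, b, R), G) == P)
    x, R2, P2 = alice_make_unlinked_output()
    print("unlinked output is still on-curve:", on_curve(P2) and on_curve(R2))
    print("unlinked output recognised by scan:", bob_scan(a, B, R2, P2))
```

Running it shows the point the answer and the comments make: the honest output passes Bob's scan and his recovered key matches P, while the arbitrary P passes every check a verifier can apply (it is a curve point) but is invisible to the scan, so the funds are spendable only by whoever persisted x and are effectively burnt otherwise.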