
Given two inputs each with their respective committed amounts; P1, P2.

Then given two outputs each with their own respective committed amounts; P3, P4.

We want to prove that the inputs - outputs - fee * G = 0

P1 = a1 * G + r1 * H
P2 = a2 * G + r2 * H

P3 = a3 * G + r3 * H
P4 = a4 * G + r4 * H

C = zG = (P1 + P2) - (P3 + P4)

if amounts are balanced, which means that (a1 + a2) - (a3 + a4) = 0

We then have zH = (r1 + r2 - r3 - r4)H

The sender should know z because it is the blinding factors, r1, r2, r3, r4.

r1, r2 are given to the sender from his previous transactions. r3, r4 are created by the sender to blind the new output amounts.

--- While writing this I have come up with a possible answer. Please check.

If the amounts do not balance out, for example, let's say the sender decides to not include P4.

Then we would have C2 = P1 + P2 - P3 = (a1 + a2 - a3)G - (r1 + r2 - r3)H

Since we do not know the relationship between G and H, the prover cannot sign unless he solves the DLP.

This brings up another question brought up by a friend:

What if the sender decides to cancel out the blinding factors part of the commitment instead by cleverly choosing the blinding factor?

Clarification on cancelling the blinding factors:

Let C = (a1 + a2 - b1 - b2)G + (r1 + r2 - r3 - r4)H

Assuming the amounts do not cancel out, so a1 + a2 - b1 - b2 does not equal zero.

What is stopping the sender from choosing r3 and r4 in such a way that r1 + r2 - r3 - r4 = 0, then signing with the key as (a1 + a2 - b1 - b2)?


Example of cancelling out:

  • For clarity we will say that C = xG = aH, where a is amount and x is blinder.

  • Bob wants to send 10 Monero to Alice.

  • Bob has two inputs one with 8XMR and the other with 2XMR.
  • Bob also has their commitments C1 = 10G + 8H and C2 = 12G + 2H.

He creates the output to be Alice, but being dishonest he sends her 8XMR and creates the commitment to the output like so: C3 = 22G + 8H

Calculating Sum(in) - Sum(out) we get:

C1 + C2 - C3 = 0G + 2H

Bob then signs with his key as "2"

My question is why is this impossible?

WeCanBeFriends

1 Answer


Firstly, your G and H are the wrong way round. Each Pedersen commitment is actually xG + aH where x is the blinding factor and a is the amount. So where you are writing P1 = a1 * G + r1 * H, I would write: C1 = x1G + a1H.

"If the amounts do not balance out, for example, let's say the sender decides to not include P4."

A transaction is invalid if it has more outputs than there are commitments for. It will get rejected.

"What if the sender decides to cancel out the blinding factors part of the commitment instead by cleverly choosing the blinding factor?"

This makes no sense without defining how they "cancel out the blinding factors". You are suggesting a way the underlying math could be broken without defining how / a way.

Update now you have tried to explain

You cannot arbitrarily change the blinding factors. Quoting from Zero to Monero, 5.6.2:

"Indeed, z follows from the blinding factors if and only if input amounts equal output amounts (recalling Section 4.1, we don’t know γ in H = γG)."

Given you cannot change the input commitments, the only thing you can do to create a valid commitment to zero, is by having your output commitment balance against the input commitments. In simple terms, if the input commitment is 5, only an output of 5 gives a commitment to 0.

Update based on question edited again

Your new edit just shows Bob burn 2 XMR. He spends input amounts 8 and 2, but only has one output, 8. Thus 2 burnt.

Further,

C1 + C2 - C3 = 0G + 2H

Bob then signs with his key as "2"

No, Bob would be signing with 0. Recall the number next to H is an amount, not a blinding factor.

With respect to the title question:

How does commitment to zero work?

The commitment to zero is a point, zG. This is the sum of all the input commitments' blinding factors x, minus the sum of all the output commitments' blinding factors y, multiplied by G.

See section: 5.6.2 Commitments to zero.

All of the details are covered extremely well in the Zero to Monero paper. Refer to sections 4.1, 4.2, 5.6.1 and 5.6.2.

jtgrassie
  • Added more information on cancelling out part in question. TBC, they are the wrong way around because of the standard monero uses. Both are still valid commitments AFAIK, just different notation – WeCanBeFriends Apr 20 '19 at 22:14
  • No they are the wrong way round and that breaks your assumptions, Monero uses them the other way round. They would not both be valid commitments, not just a different notation. – jtgrassie Apr 20 '19 at 22:32
  • Hmm pretty sure they are valid commitments even if you switch around the points. The Discrete log is not known respectively for either point, so afaik the assumption is not broken. Regarding the extra clarification, is this possible in monero? I could not find an answer from your link – WeCanBeFriends Apr 20 '19 at 22:45
  • No they are not valid because everyone else would be using G and H the other way round which would break the math. – jtgrassie Apr 20 '19 at 22:47
  • With regards to your update on "cancelling out", a user cannot arbitrarily just change the blinding factors, recall you are using past commitments and your new one in the calculation of z. Quoting the paper I keep urging you to read: Indeed, z follows from the blinding factors if and only if input amounts equal output amounts (recalling Section 4.1, we don’t know γ in H = γG). – jtgrassie Apr 20 '19 at 22:48
  • I've read that part, AFAIK you create the blinding factors for the output commitments? So they can be generated in such a way that they cancel out the previous commitments' blinding factors? – WeCanBeFriends Apr 20 '19 at 23:01
  • You are creating the output amounts and blinding factors only for the outputs and (if you had your H and G the correct way round), quoting+emphasis: "Indeed, z follows from the blinding factors if and only if input amounts equal output amounts (recalling Section 4.1, we don’t know γ in H = γG).". And given you cannot edit the input commitments, you cannot create a fake output to zero. Your output either balances against the input to zero or it doesn't. – jtgrassie Apr 20 '19 at 23:08
  • That doesn't answer the question. The part you emphasised only shows that we do not know the DL for H in terms of G and has no relationship to my question. To clarify: The blinding factors for the output commitments are created by the sender to be random. They can be chosen to cancel out any previous blind factors from input commitments, to make 0G<-using your notation. If this were the case, then we would be able to sign with kH, where k is the amount factors. This would break monero, so is likely not the case, could you explain how this is stopped please? – WeCanBeFriends Apr 20 '19 at 23:17
  • Yes but you can only create blinding factors for your output commitment, which has to balance against the input commitments, which you cannot change. The only way you could fake your output commitment would be to know the DL for H wrt G. – jtgrassie Apr 20 '19 at 23:19
  • I added a solid example in the question. I believe I am close to understanding what the answer is. Using actual numbers, may clarify. Thank you for your patience. – WeCanBeFriends Apr 20 '19 at 23:44
  • Your new example has just shown Bob burn 2 XMR. He has spent 10 (8+2 inputs), with only 8 going to Alice and 2 disappearing. That's burning 2 XMR. – jtgrassie Apr 20 '19 at 23:56
  • I think I got it, so signing/verifying can only be done w.r.t G and not H. So when the verifier is verifying, he uses G as the base in some way. BTW, if Bob signed with 0, then it would be rejected as that is not the correct private key for the public key C = 0G + 2H. He would need to sign with the private key corresponding to C = 2H. Since H = yG, he would need C = (2y)G, if I understand correctly – WeCanBeFriends Apr 21 '19 at 00:22
  • Final takeaway is that the transaction would get rejected as Bob would not be able to generate the correct signature for that commitment – WeCanBeFriends Apr 21 '19 at 00:23
  • "if Bob signed with 0, then it would be rejected", no, it would not be rejected as 0 is the correct value. As I stated, Bob is burning 2 XMR. The commitment to zero is correct. – jtgrassie Apr 21 '19 at 00:28
  • See parts 4.2 & 4.3 in z2m. – jtgrassie Apr 21 '19 at 00:33
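
The balance check discussed in this thread, as an added example that is not part of the original posts and is not Monero's code. It uses the answer's notation C = xG + aH and the input numbers from the question. Assumptions: secp256k1 stands in for ed25519, a plain Schnorr signature with base G stands in for Monero's ring signature, H is a constructed hash-derived point, and all function names are hypothetical.

```python
import hashlib, secrets
from functools import reduce

# secp256k1 as a stand-in curve (assumption; Monero itself uses ed25519)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def h(*v):  # hash arbitrary values to an integer
    return int.from_bytes(hashlib.sha256(repr(v).encode()).digest(), "big")

def add(A, B):  # affine point addition; None is the identity
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    m = (3 * A[0]**2 * pow(2 * A[1], -1, P) if A == B
         else (B[1] - A[1]) * pow((B[0] - A[0]) % P, -1, P))
    x = (m * m - A[0] - B[0]) % P
    return (x, (m * (A[0] - x) - A[1]) % P)

def mul(k, A):  # double-and-add scalar multiplication
    R, k = None, k % N
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def second_generator(tag):  # try-and-increment, so nobody knows log_G(H)
    x = h(tag) % P
    while pow(x**3 + 7, (P - 1) // 2, P) != 1: x += 1
    return (x, pow(x**3 + 7, (P + 1) // 4, P))
H = second_generator(b"constructed H for this example")

def commit(x, a): return add(mul(x, G), mul(a, H))  # C = xG + aH
def excess(ins, outs):  # sum(inputs) - sum(outputs)
    return reduce(add, ins + [(c[0], -c[1] % P) for c in outs])

def sign(z, C, msg):  # Schnorr proof of knowing z with C = zG
    k = secrets.randbelow(N - 1) + 1
    R = mul(k, G)
    return R, (k + h(R, C, msg) % N * z) % N
def verify(C, msg, sig):  # accepts only if sG == R + eC
    R, s = sig
    return mul(s, G) == add(R, mul(h(R, C, msg), C))

def demo(msg=b"tx"):
    ins = [commit(10, 8), commit(12, 2)]      # inputs from the question
    honest = excess(ins, [commit(15, 10)])    # balanced: excess is 7G
    cheat = excess(ins, [commit(22, 8)])      # 2 missing: excess is 0G + 2H
    return (verify(honest, msg, sign(7, honest, msg)), cheat == mul(2, H),
            verify(cheat, msg, sign(0, cheat, msg)), verify(cheat, msg, sign(2, cheat, msg)))
```

`demo()` returns whether the balanced excess verifies, whether the unbalanced excess equals 2H, and whether signing that excess with key 0 or key 2 verifies against base G.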