2

In MRL005, See page9, they describe the signing key for a given ring as Sum public keys + SumInputs - SumOutputs

In zero to monero, Page49 section "MLSAG signature for inputs", they describe it as SumInputs - SumOutputs

Could someone explain the change?

With the scheme in MRL005, The signer could use one key to sign the whole "sub ring" and the verifier could verify Since he has the Public keys, the inputs and outputs.

WeCanBeFriends
  • 660
  • 3
  • 7
  • Both of the pages you reference are actually discussing the ring R which is to be signed. Not a "signing key". They are each just expressing the ring in a slightly different way. Each ring, is simply a matrix of the public keys and commitments. Each row is signed by using the private key for each. No idea what you are taking about when you mention "sub ring". There is no reference to "sub rings" anywhere in either paper. – jtgrassie Apr 28 '19 at 21:47

1 Answers1

2

On Zero to Monero page 43, each key vector in the ring signed by RCTTypeFull consists of public keys for each input, followed by a public key which is the sum of output commitments minus the sum of input commitments.

MRL0005 on page 9 describes almost the same thing, except the public keys for each input are followed by the sum of public keys for those inputs plus the sum of output commitments minus the sum of input commitments.

Since Monero has implemented the Zero to Monero version and not the MRL0005 version, it has been deemed overkill to include the input public keys twice.

This is because the way that challenges (the c-value hashes) work in the MLSAG ring signature forces it to be the case that for one ring key vector, all private keys for all public keys are known.

Thus it could not be the case that the signer has knowledge of the private keys for the inputs but not also the private keys (a.k.a masks a.k.a blinding factors) corresponding to the commitments of those same inputs.

knaccc
  • 8,468
  • 16
  • 22