How to get components of m (message) for verifying

Question

I am trying to verify a transaction manually..but not knowing some components of message m.

The message is derived from:

m = H( H(tx_prefix), H(ss), H(range proofs) )

where

tx_prefix = {
    tx version (ringCT = 2),
    inputs {key offsets, key image},
    outputs {one-time addresses},
    extra {transaction public key, payment ID or encoded payment ID, misc.}
    }

ss = {
    signature type,
    transaction fee,
    pseudo output commitments for inputs,
    ecdhInfo (masks and amounts), output commitments
    }.

My questions are...

[1.] What is the format of key offsets?

Take a transaction as an example:

b43a7ac21e1b60ad748ec905d6e03cf3165e5d8c9e1c61c263d328118c42eaa6

The key offsets above is [799048, 782511, 1197717, 216704, 841722]. However they should not be the input format for hash. What the right format looks like?

[2.] What is the format of transaction fee?

The txnFee above is 26000000000 but the hex format is 8088e2ed60. Should I use 8088e2ed60 instead? And how it transforms from 26000000000?

[3.] What is the range proofs

In the example, Is the range proofs "rangeSigs"?

I am stuck here for a long time.. Please help on it, many thanks!

The key offsets and transaction fee are recorded as 'varints'. See this previous question. And yes rangeSigs should be the range proofs hashed. — koe, May 21 '20 at 03:53
What precisely do you want to verify? The MLSAG signature, the range proof??? — jtgrassie, May 22 '20 at 02:21
Sorry for implicit information.. I want to verify MLSAG signature and I used a RCTTypefull case. — Mooooo, May 22 '20 at 02:55
When verifying RCTTypefull type, what should I do if there is no pseudo output commitment for inputs? — Mooooo, May 22 '20 at 02:58

score 1 · Accepted Answer · answered May 22 '20 at 03:29

1

Consult to the Varint description and transform from decimal to variant format for key offsets and transaction fee.

[1.] What is the format of key offsets?

799048 -> c8e230
782511 -> afe12f
1197717-> 958d49
216704 -> 809d0d
841722 -> faaf33

So the key offsets should be c8e230afe12f958d49809d0dfaaf33

[2.] What is the format of transaction fee?

Same as [1.] transaction fee should be 8088e2ed60

[3.] What is the range proofs?

I am not sure but I think the range proofs in MLSAG verifying is the concatenation of all asig and Ci. If it's wrong please correct me. Many thanks!

answered May 22 '20 at 03:29

Mooooo

459
2
8

1

For RCTTypeFull, yes range sigs would be a concatenation of asig and Ci. You could check the implementation to see how it's done exactly get_pre_mlsag_hash(). – koe May 22 '20 at 06:45
＠koe There is no pseudo output commitments for inputs in RCTTypeFull. So, I should pass it, right? – Mooooo May 22 '20 at 07:02
1

Well they don't exist, so yeah. – koe May 22 '20 at 07:04

How to get components of m (message) for verifying

1 Answers1