What keys are being used to create the key image and how is it verified?

Question

So i'm trying to pin this down since yesterday and i simply cannot find a definite answer. Read dozens of posts and few papers specifically on this topic and while i developed a "belief" that it has to be this way i still would like to be reassured so i can move on and be sure of what i know.

I understand that in standard ring signature "systems" everyone would have their one pair of public and secret keys and when signing some message they would use a set of public keys from some (maybe randomly chosen) people, and then (depending on the cryptography behind it - RSA/EC) they would do the according crypto-magic using their own private key to derive some keys to fit the equation (in case of rsa) or "close" the ring for EC so that it can be verified with each of the public keys in the signature.

Now lets add one more step towards the monero approach: the one-time keys. Using DH we are able to generate a public key, to which only the recipient is able to derive the one-time secret key using his own "wallet/master-secret-key". We can hide the recipients that way. Great.

Now because we have this anonymity, we do not have the overview of how much money each user has, so we cannot verify (this easy way) if they actually own the money they want to spend in a transaction. So if someone would want to spend 100 xmr we would not be able to tell if they own those or not, so what monero does is it makes you reference the transaction with 100 xmr that has been made to "you" (where you is not your wallet-public-key but the one-time-pk). Now you have to prove somehow, that the transaction was made to you, without giving out, that it actually is you. That is why you use the ring signature for - with crypto-magic help, you prove that you are able to spend the coins, while hiding yourself in a group of, let's say 5 people. All good so far, but what prevents me from spending the same amount of money over and over again with a different set of public keys (so hiding behind other people)? As far nothing.

So now we've come to the key images. Those are used to ensure, that the 100 xmr you received can only be spent once (by you, or more specifically by the wallet you own). The key image is calculated as follows:

I = xH_p(P)

with x being the secret key, and P the public key and H_p the hash function to a point on the curve.

Now to my actual question: which secret and public keys are being used here??

To my understanding it have to be the one-time public and secret keys of the transaction addressed to you. The public key of it is visible to everyone anyway and you are able to retrieve the secret-key of it and this is the way you prove. that you are able to spend that money. Now this may seem obvious to someone who already understands it or even developed it, but the problem is that everywhere it's stated as "...you use your secret and public key..." or some form of that sentence. Now if i did that i could only create one single transaction with my wallet, according to the along going statements like: "this way it's ensured, that you didn't sign more transactions with the same key". IMHO it's extremely confusing and misguiding and i cannot understand why there is no clear statement on this part like:

I = xH_p(P)

where x is the one-time secret key of the transaction addressed to you and P the corresponding one-time-public-key. It's neither in the papers, nor in the answers provided to similiar questions. The closest i got to a satisfing answer was this post: What is a key image?.

Another question i'm struggling to find a good answer to is: how is the key image verified?

All if found is that it's checked if this key image has been used before, but not if it's actually valid. Is the verification part of the signature check as whole and is not explicitly checked?

I'd be grateful if someone could assure me of my assumptions or correct me if i'm wrong. Thanks in advance!

Answer 1

I = xH_p(P) which secret and public keys are being used here?

x and P are the one-time output private and public keys, respectively.

To my understanding it have to be the one-time public and secret keys of the transaction addressed to you

There is a transaction public and private key, but this is only related to addressing inputs to particular wallets and allowing the recipient to calculate the correct private and public keys for the outputs destined for them. Ring signatures are purely about proving that the private keys of particular outputs are known.

how is the key image verified?

All if found is that it's checked if this key image has been used before, but not if it's actually valid. Is the verification part of the signature check as whole and is not explicitly checked?

The cryptonote white paper does a good job of putting this into English:

The meaning of the protocol: by applying L-transformations the signer proves that he knows such x that at least one Pi = xG. To make this proof non-repeatable we introduce the key image as I = xHp(P). The signer uses the same coefficients (ri , ci) to prove almost the same statement: he knows such x that at least one Hp(Pi) = I · x^−1

The signer cannot make two signatures with different I’s and the same x

In other words, the key image could not have just been some random made-up key image, because the verification of the ring signature mathematically proves that for one of the outputs in each ring, the key image the spender declared was calculated as xHp(P), where that x is the same x that the ring signature also proves must have been the secret key of one of the outputs being spent.

Perhaps the simplest way to state this is: Monero uses linkable ring signatures, which is a way of proving that for one particular unidentifiable public key in a set, the corresponding private key is known and that the corresponding key image has been correctly declared.