-
maybefbisarang: From page 51 of Zero to Monero 2.0 imgur.com/ICl3Eyv so the private key of the commitment to zero is used in the signature. But the key image of the commitment to zero is not used when linking two sets of key images. Is this correct?
-
maybefbiThe footnote 8 on page 51 says imgur.com/4H0d54j so the signature omits the commitment to zero
-
maybefbiomitting them only during linking two signatures might be more elegant no?
-
sarangIt isn't needed in the signature unless you want to link
-
UkoeHB_maybefbi: it would be quite a bit more expensive for verification to also have key images for commitments to zero
-
maybefbihmm true
-
maybefbiif i rebuilt monero i will include it in the signature, because then it proves alice knows the z, the private key of the commitment to zero to the onlookers who dont know any view keys or such. even if i include the key image of the commitment to zero in the linking it wont cause problem because transaction public key rK is unique because r is chosen from a CPRNG. it is unlikely it will create a duplicate r and cause unwanted linkage of k
-
maybefbiey images
-
UkoeHB_There is no need, even though the key image part is excluded the normal key part IS included, so you always sign and prove knowledge of z
-
UkoeHB_The challenge is like H(..., Ko, Ko key image, commitment to zero)
-
UkoeHB_The whole innovation with CLSAG is it lets you squish the signature into a smaller faster version because the commitment to zero doesn’t require a key image/linking
-
maybefbiyeah i agree CLSAG is definitely better.
-
maybefbiit is as lean as it can be with schemes like this
-
UkoeHB_more or less yes
-
maybefbionly that primary keypair use can be linked
-
maybefbito be frank im trying to make a DLSAG version of monero after i understand monero. i already have an MDLSAG. But CDLSAG is hard. i cant get it to work
-
maybefbii still havent gotten around to doing commitments inside an MDLSAG. perhaps i will need two commitments and two pseudo commitments
-
UkoeHB_isn’t there some kind of flaw with DLSAG?
-
maybefbiyes it needs self sign at getting money
-
maybefbi*after getting money
-
maybefbinot aware of any other flaws
-
sarangIt is true that it should be possible to "CLSAGify" DLSAG, as was mentioned in the original preprint
-
sarangWe just never bothered to work it out with the security proofs yet, because the self-spend issue was so onerous a requirement
-
sarangBut yeah, the whole CLSAG idea is just that you can squish the components together with some careful weighting inside the hash challenges... and you pay for it by carrying around key images for each component, even if you don't use them for linking
-
sarangAt that point, the "extra" key image(s) is/are only to make the algebra work
-
sarang(there are applications to something like 3-CLSAG, like hidden timelocks)