sarang: From page 51 of Zero to Monero 2.0 imgur.com/ICl3Eyv so the private key of the commitment to zero is used in the signature. But the key image of the commitment to zero is not used when linking two sets of key images. Is this correct?

The footnote 8 on page 51 says imgur.com/4H0d54j so the signature omits the commitment to zero

omitting them only during linking two signatures might be more elegant no?

It isn't needed in the signature unless you want to link

maybefbi: it would be quite a bit more expensive for verification to also have key images for commitments to zero

hmm true

if i rebuilt monero i will include it in the signature, because then it proves alice knows the z, the private key of the commitment to zero to the onlookers who dont know any view keys or such. even if i include the key image of the commitment to zero in the linking it wont cause problem because transaction public key rK is unique because r is chosen from a CPRNG. it is unlikely it will create a duplicate r and cause unwanted linkage of k

ey images

There is no need, even though the key image part is excluded the normal key part IS included, so you always sign and prove knowledge of z

The challenge is like H(..., Ko, Ko key image, commitment to zero)

The whole innovation with CLSAG is it lets you squish the signature into a smaller faster version because the commitment to zero doesn’t require a key image/linking

yeah i agree CLSAG is definitely better.

it is as lean as it can be with schemes like this

more or less yes

only that primary keypair use can be linked

to be frank im trying to make a DLSAG version of monero after i understand monero. i already have an MDLSAG. But CDLSAG is hard. i cant get it to work

i still havent gotten around to doing commitments inside an MDLSAG. perhaps i will need two commitments and two pseudo commitments

isn’t there some kind of flaw with DLSAG?

yes it needs self sign at getting money

*after getting money

not aware of any other flaws

It is true that it should be possible to "CLSAGify" DLSAG, as was mentioned in the original preprint

We just never bothered to work it out with the security proofs yet, because the self-spend issue was so onerous a requirement

But yeah, the whole CLSAG idea is just that you can squish the components together with some careful weighting inside the hash challenges... and you pay for it by carrying around key images for each component, even if you don't use them for linking

At that point, the "extra" key image(s) is/are only to make the algebra work

(there are applications to something like 3-CLSAG, like hidden timelocks)