## Confidential Transactions

With the introduction of RingCT (Ring Confidential Transactions), the amounts transacted are now hidden from the public. In this section we explain how the amounts are hidden via 'commitments' and how 'range proofs' prove that they are what they are really supposed to be.

#### Commitments and range proofs in Layman's terms

###### Commitments

We would like to hide from the world the amounts in a transaction except for the sender and receiver. At the same time, we would like to let the world know that the amounts transacted are balanced (inputs = outputs + fees) and that they lie within an expected range. Let's first start with the first part.

Suppose that Alice would like to send 17 XMR to Bob but she doesn't want other people to know it. So, instead of communicating the value openly to Bob, she makes a 'commitment' to a value and reveals to Bob what she has committed to.

She could simply try to hide the amount by multiplying it by the generator of our elliptic curve, which would look like $C_a = aG$, and then secretly communicate $a$ to Bob. But that doesn't really work, as anyone multiplying $G$ by every value from 1 up to the maximum quantity of Monero (~18M) could create a table linking the point values to the amounts. After working hard and many attempts, she gave up and called her friend Pedersen. Finally, they came up with the idea of creating a binding, hiding and homomorphic function represented below.

$C_a = xG+aH \\$

Now Alice can create a commitment $C_a$ by taking a value $x$, which we will call the 'blinding factor', multiplying it by the point $G$, and adding the amount $a$ multiplied by the point $H$. As there are many possible combinations of $x$ and $a$ giving the same commitment value $C_a$, nobody can guess what $a$ is.

She can now communicate $a$ and $x$ secretly (encrypted as message) to Bob (as shown below) and the world (except Bob or someone holding his private viewkey) would not know what the value is.

$mask = x + \mathcal{H}(\mathcal{H}(rK_B^v,t))$

$amount = a + \mathcal{H}(\mathcal{H}(\mathcal{H}(rK_B^v,t)))$

The solution below was implemented at the hardfork (v10) to save more space in the blockchain. It started being used at transaction type 4.

$mask = \mathcal{H}(\text{'commitment_mask'},\mathcal{H}(r k_B^v G, t))$

$amount = a \oplus_8 \mathcal{H}(\text{'amount'}, \mathcal{H}(r k_B^v G, t))$

Here $\oplus_8$ means performing an XOR operation between the first 8 bytes of each operand ($a$, which is already 8 bytes, and $\mathcal{H}_n(...)$, which is 32 bytes). Recipients can perform the same XOR operation on $\mathit{amount}$ to reveal $a$.

So, if Bob wants to retrieve the amount that was sent to him, he would need to know the 'transaction public key - rG', which is communicated in every message, his private viewkey and the output index t, which is just the order of the output. He can then simply do:

$\mathcal{H}(\mathcal{H}(rk_B^vG,t))-mask = x$

$\mathcal{H}(\mathcal{H}(\mathcal{H}(rk_B^vG,t)))-amount = a$

Now he knows every coefficient in the commitment equation $C_a = xG+aH$ and can verify if that is valid.

###### Range proofs
Although Bob is satisfied and knows that Alice correctly committed to the value $a$ that corresponds to the commitment $C_a$, the rest of the world does not know it. So Alice still has to prove to the network that her commitment is valid, otherwise her transaction will not be accepted. Alice can do that with the help of Borromean signatures, which are a sort of ring signature combined with a zero-knowledge proof. The goal is basically twofold:

1) Prove that the amount, blinding factor and commitment are coherent.
2) Prove that the amount that Alice is sending is not negative and lies between the minimum and maximum supply.

Let's see how it can be achieved, starting with Alice's commitment $C_a$:

$C_a = xG+aH$

First, let's get the binary representation of a, where k = 64. (The total Monero supply, before tail emission starts, is $2^{64} - 1 = 18446744073709551615$ indivisible units). We can factor any amount into its binary form.

$a = a_02^0+a_12^1+...+a_{k-1}2^{k-1}$

Next, we generate random numbers $x_i$ and we store the $C_i$ generated:

$C_i = x_iG + a_i2^i H$

Now, we want to prove that the sum of all $C_i$ is equal to $C_a$, as the amounts and commitments are additive, ie. $C(a+b)=C(a)+C(b)$, which means:

$\displaystyle\sum_{i=0}^{k-1} C_i = \displaystyle\sum_{i=0}^{k-1} \left( x_iG+a_i2^iH \right) = xG+aH = C_a \\$

and this will only be true if the following holds:

$x = \displaystyle\sum_{i=0}^{k-1} x_i$ as we know that: $a = \displaystyle\sum_{i=0}^{k-1} a_i2^i$

Finally, we observe that $x_i$ is the private key of either $C_i$ or $C_i - 2^iH$, as shown in the equations below:

$x_iG = C_i \quad if \quad a_i=0$

$x_iG = C_i - 2^iH \quad if \quad a_i=1$

Now, if we had a way to prove that we know $x_iG$ without revealing $a_i$ then our mission would be done here. Yes, you guessed it right. We will create a ring signature where the participants are the public keys ($C_i$ and $C_i-2^iH$) and sign it using our knowledge of $a_i$. Therefore, the external viewer can be sure that the signer knows $a_i$ without revealing it.

As intended, we proved that we know $a$ (by proving that we know the entire binary decomposition of $a$) and that it is a positive number that lies inside the money supply of Monero. Therefore, by proving that a Borromean signature is valid, we validate that: 1) the commitment, blinding factor and amount are coherent; 2) the amounts are in the expected range.

#### Hiding and verifying amounts in practice

###### Generation of Borromean ring signatures

To generate a Borromean signature, let's consider the function generate_Borromean(x, C1, C2, indices) that outputs the Borromean signatures bbee, bbs0, bbs1.

You can consider $x$ as a key vector with 64 keys representing each of the $x_i$ values, C1 as a key vector with 64 keys representing each of the previous defined $C_i$ values, C2 as a key vector with 64 keys representing each of the $C_i - 2^iH$ values, $indices$ being the binary representation of the amount.

Consider $n = indices[j]$, $p = (indices[j]+1) \, mod \, 2$ and $\alpha_j$ a random scalar.

For $j = 0 .. 63$:

\begin{align} L_{n,j} &= \; \alpha_j G \\ if\;\; n& == 0: \\ &bbs1[j] = random\text{_}scalar() \\ &c = \mathcal{H_s}(L_{n,j}) \\ &L_{1,j} = bbs1_jG + c C2_j \\ L_{hash}& = L_{hash}+L_{1,j} \\ \end{align}

The signature bbee will be $bbee = \mathcal{H_s}(L_{hash})$

Now, for $j = 0 .. 63$:

\begin{align} if \quad &(indices[j]) == 0: \\ &bbs0_j = \alpha_j - x_j \, bbee \\ else&: \\ &bbs0_j = random\text{_}scalar() \\ &LL = bbs0_{j} \, G + bbee \, C1_j \\ &cc = \mathcal{H_s}(LL) \\ &bbs1_j = \alpha_j - x_j \, cc \\ \end{align}

The signature will be: bbee, bbs0, bbs1

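The following Python snippet shows how to generate the signature according to the equations above:

```python
# Helper modules from the project's code base, as used throughout this page.
import dumber25519
import misc_func


def generate_Borromean(ai, Ci, CiH, b):
    # ai: blinding factors x_i, Ci: commitments C_i, CiH: C_i - 2^i H,
    # b: binary representation of the amount (string of 64 '0'/'1' characters)
    alpha = []
    bbs1 = misc_func.scalar_matrix(64, 0, 0)
    bbs0 = misc_func.scalar_matrix(64, 0, 0)
    L1 = ''
    L = misc_func.point_matrix(2, 64, 0)
    for i in range(64):
        naught = int(b[i])
        prime = (int(b[i]) + 1) % 2
        alpha.append(dumber25519.random_scalar())
        L[naught][i] = alpha[i] * dumber25519.G
        if naught == 0:
            # Real key is at index 0: simulate the second ring member
            bbs1[i] = dumber25519.random_scalar()
            c = dumber25519.hash_to_scalar(str(L[naught][i]))
            L[prime][i] = bbs1[i] * dumber25519.G + c * CiH[i]
        # L[1][i] is set for every bit, so it is accumulated outside the if
        L1 += str(L[1][i])

    bbee = dumber25519.hash_to_scalar(L1)

    for j in range(64):
        if int(b[j]) == 0:
            bbs0[j] = alpha[j] - ai[j] * bbee
        else:
            # Real key is at index 1: simulate the first ring member
            bbs0[j] = dumber25519.random_scalar()
            LL = bbs0[j] * dumber25519.G + bbee * Ci[j]
            cc = dumber25519.hash_to_scalar(str(LL))
            bbs1[j] = alpha[j] - ai[j] * cc

    return bbee, bbs0, bbs1
```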

Let's consider as input parameters the following variables:

```python
b = '0110100101111110010001100011110100111100101110000000000000000000'

bbee,bbs0,bbs1 = generate_Borromean(ai,Ci,CiH,b)
```

Finally, the Borromean signatures $bbee,bbs0$ and $bbs1$ are:

$bbee$ = 28443a2ac7403b7c3dfb5ea1839ae45ac9d531ec4c531a6357f7ae98a7e3d80d


###### Verification of Borromean ring signatures

Let's now verify if a Borromean signature is valid. The verification function is defined as: result = check_Borromean(C1,C2,bbee,bbs0,bbs1).

For $j = 0 .. 63$:

\begin{align} LL &= bbee \, C1_j + bbs0_j \, G \\ chash &= \mathcal{H_s}(LL) \\ LV &= LV + chash \, C2_j + bbs1_j \, G \\ \end{align}

Finally, we calculate $eeComp = \mathcal{H_s}(LV)$ and subtract it from $bbee$. If the result is 0, the signature is valid. $res = (bbee - eeComp) == 0$

The verification code is simply described by:

```python
# Helper module from the project's code base, as used throughout this page.
import dumber25519
# Assumption: Scalar is defined in dumber25519 alongside random_scalar().
from dumber25519 import Scalar


def check_Borromean(P1, P2, bbee, bbs0, bbs1, details=0):
    # P1: commitments C_i, P2: C_i - 2^i H; returns (is_valid, log text)
    LV = ''
    str_out = '\n'
    str_out += '--------------------------------------------------------'
    str_out += '\n'
    str_out += 'Verifying Borromean signature'
    str_out += '\n'
    for j in range(64):
        LL = bbee * P1[j] + bbs0[j] * dumber25519.G
        chash = dumber25519.hash_to_scalar(str(LL))
        LV += str(chash * P2[j] + bbs1[j] * dumber25519.G)
        str_out += str('LL = ')
        str_out += str(LL)
        str_out += '\n'

    eeComp = dumber25519.hash_to_scalar(LV)
    str_out += str('eeComp = ')
    str_out += str(eeComp)
    str_out += '\n'

    # The signature is valid when the recomputed hash equals bbee
    res = (bbee - eeComp)
    str_out += '\n'
    str_out += str('Result: ')
    str_out += str(res)
    str_out += '\n'
    str_out += '--------------------------------------------------------'
    str_out += '\n'

    return res == Scalar(0), str_out
```


Taking the same parameters as described in 'Generating Borromean signatures', we can see that this signature is valid by running the above code:

--------------------------------------------------------
Verifying Borromean signature
eeComp = c5c5fc225bf23729012e099446c40bded061dae53782cae16c46102a042b8808

Result: 0000000000000000000000000000000000000000000000000000000000000000
--------------------------------------------------------


###### RCTTypeNull (version = 2, type = 0)

This is a miner transaction. It has one input, which is the height of the block, and outputs containing the addresses and the reward value. The amount has to be lower than the agreed value specified by the emission curve, and it is not hidden. An example is found here.

###### RCTTypeFull (version = 2, type = 1)

This type of transaction was conceived to be more compact. It has one input and many outputs. We can prove that $inputs = outputs + fees$ by looking at the structure of the 'Commitment' member in the MLSAG signature scheme. We have to prove that the input commitments are equal to the output commitments plus the fees, as the commitments are homomorphic. Let's call the input commitment $C_a = xG + aH$, the sum of the output commitments $\sum C_b = \sum (yG + bH)$ and the fee commitment $C_{fee} = fH$. Therefore, we have:

$C_a = \displaystyle\sum_{i} C_b + C_{fee}$

We can obtain $C_a$ directly by looking at the commitment of the output that we are trying to spend from. It is located in the field 'mask' when an output is stored in the blockchain. We would of course also know the amount and blinding factor, as we own this output. The output commitments are built by the sender who is constructing the transaction; he chooses all of their parameters (blinding factors and amounts). Finally, he has to add the fees and choose the appropriate output blinding factor $y_m$ of the last coefficient in order to match the equation above. This can be done by picking the appropriate blinding factor as shown below.

$y_m = x - \displaystyle\sum_{i=1}^{m-1} y_i$

Now, if we can sign the transaction, by proving that we own the private key $z$ corresponding to the public key of the commitment ring member, as shown below, then we can be sure that the equation $inputs = outputs + fees$ is valid. We know that the commitment ring member is defined as:

$PK[i][1] = \text{get_outs(key_offsets[}i\text{])["mask"]}-(\sum \text{outPk}) - fee*H$

In other words, it can be represented as:

$PK = C_a - \displaystyle\sum C_b - C_{fee} = xG + aH - \sum_j^m (y_jG + b_jH) - fee H$

If the amounts cancel out ($a = \sum_i b_i + fee$), as expected in a transaction, then we have for the commitments:

$xG - \sum_j^m (y_jG) = zG$

where $z$ can be written as:

\begin{align} z &= x - (y_1 + y_2 + ... + y_{m-1} + y_m) = x - (y_1 + y_2 + ... + y_{m-1} + (x - y_1 - y_2 ... - y_{m-1})) \\ z &= -2 (y_1 +y_2 + ... + y_{m-1}) \end{align}

Therefore, if we can sign the transaction with the private key $z$, then someone observing the blockchain can be sure that there is no inflation happening.

###### RCTTypeSimple (version = 2, type = 2)

This type of transaction was conceived to be more generic. It has many inputs and outputs. In a similar way to RCTTypeFull, we can prove that $inputs = outputs + fees$ by looking at the structure of the 'Commitment' member in the MLSAG signature scheme. We have to prove that the input commitments are equal to the output commitments plus the fees, as the commitments are homomorphic. The difference here is that we have more than one input and we cannot use the previous commitment of the output that we are trying to spend from. We will need to create 'pseudo outputs' in order to verify the amounts, therefore there will be an intermediary step. Let's call the input commitments $Ca = xG + aH$ and the pseudo commitments $Ca^* = x^*G + a^*H$. We know that the commitment ring member is defined as:

$PK[i][1] = \text{get_outs(key_offsets[}i\text{])["mask"]}-\text{pseudoOuts}$

In other words, it can be represented as:

$PK = Ca - Ca^*$

Therefore, we have:

$Z = Ca - Ca^* = x G + a H - \left( x^* G + a^* H \right) = z G$

If the amounts cancel out ($a = a^*$), as expected in a transaction, then we have for the commitments:

$(xG - x^*G) = zG$

where $z$ can be written as:

$z = (x - x^*)$

Now, if we can sign the transaction, by proving that we own the private key $z$ corresponding to the public key of the commitment ring member, as shown above, then we can be sure that the pseudo outputs correspond to the value committed in the output that we are trying to spend from. It does not prove, though, that the output values of a transaction obey the equation $inputs = outputs + fee$. Let's see how we can do it.

Up to now, we did not speak about the commitments of the outputs that we are creating. Let's call them $Cb = yG + bH$ and let's suppose that we have $t$ outputs. Therefore, the sum of all output commitments can be written as: $\sum_{j=1}^t Cb_j = \sum_{j=1}^t (y_jG + b_jH)$. Similarly to RCTTypeFull, we can choose the coefficients of the pseudo output commitments to match the blinding factors in order to prove that there is no inflation happening, by proving that the amounts cancel out. (If they don't, it means that we found a relation between $G$ and $H$, which is as hard as solving the discrete logarithm problem.)

So, let's verify that $inputs = outputs + fee$ by verifying its commitments, where $m$ is the number of inputs and $t$ is the number of outputs. We have:

$\displaystyle\sum_{i=1}^m Ca_i^* = \displaystyle\sum_{j=1}^t Cb_j + C_{fee}$

This equation can be verified directly, as all the commitment values are explicitly shown in an RCTTypeSimple transaction. Therefore, if this equation holds, we can be sure that there is no inflation happening. Similarly to RCTTypeFull, the creator of the transaction will choose the $m^{th}$ pseudo output term to be:

$x_m^* = \displaystyle\sum_{j=1}^{t} y_j - \displaystyle\sum_{i=1}^{m-1} x_i^*$

#### Let's create money out of thin air, why not?

Suppose that we received an output $K_o$ and we know its private key $k_o$, the amount $a$ and the blinding factor $x$. This means we know everything in the equation $Ca = xG+aH$. Let's also suppose that a = 0.3 XMR. Now, I would like to spend my 0.3 XMR output and buy a car with it. Unfortunately, I don't have enough money, as the cars here cost 30 XMR, so I will try to write two zeros in front of my 0.3 XMR 'bill' and see what happens.

###### First step

I need to create a commitment to my new value, let's call it $Cb = yG+bH$, where b = 30 XMR.

The blinding factor $y$ is tied to the amount by the range proofs, so let's try to build this new commitment properly; otherwise anyone verifying the Borromean signatures would discover that the commitment $Cb$ does not correspond to $b$.

Let's get the binary representation of b.

$b = b_02^0+b_12^1+...+b_{k-1}2^{k-1}$

Now we generate random numbers $y_i$ and we store the $C_i$ generated by:

$C_i = y_iG + b_i2^i H$

Now, we want to prove that the sum of all $C_i$ is equal to $C_b$, which means:

$\displaystyle\sum_{i=0}^{k-1} C_i = \displaystyle\sum_{i=0}^{k-1} y_iG+b_i2^iH = yG+bH = Cb \\$

and this will only be true if the following holds:

$y = \displaystyle\sum_{i=0}^{k-1} y_i$

As the $y_i$ are randomly generated, and we proved using the Borromean signatures that they are either the private key of $C_i$ or $C_i - b_i2^iH$, we have proved that $y$ corresponds to the real value of $b$. If the Borromean signatures have failed, I would not be able to prove that my blinding factor is actually blinding the real value of $b$ and I would be witnessing an attempt of forgery here.

###### Second step

Now, I have my commitment $Cb = yG+bH$ with b = 30 XMR. Let's try to sign a transaction with this amount.

We have two possibilities to sign a transaction, either using the RCTTypeFull or RCTTypeSimple schemes.

In the first case (RCTTypeFull), I will need to prove that I know the private key of the public key defined by:

$PK = Ca - Cb - C_{fee} = xG + aH - yG - bH - fee H$

As the amounts do not cancel out ($a = 0.3 \neq b + fee = 30 + fee$) and the fees cannot be negative, we will have a term depending on $H$ in the equation of the public key. Therefore, we would need to have a private key $z$ corresponding to:

$(x-y)G +(a-b-fee)H = zG$

We do not know $z$, since we would have to solve the discrete logarithm problem to get a relation between $G$ and $H$. We would therefore not be able to sign this transaction, and the ring signature would fail.

In the second case (RCTTypeSimple), I will need to prove that I know the private key of the public key containing the pseudo output commitment and defined by:

$Z = Ca - Ca^* = x G + a H - \left( x^* G + a^* H \right) = z G$

We could create pseudo output commitments that commit to the 0.3 XMR being spent; otherwise the ring signatures would fail. If we commit to 0.3 XMR, then we would have to pass the last check, which is verifying that the equation $inputs = outputs + fees$ is valid. This means verifying:

$\displaystyle\sum_{i=1}^m Ca_i^* = \displaystyle\sum_{j=1}^t Cb_j + C_{fee}$

As we tried to cheat, the amounts won't cancel out, as $0.3 - 30 - fee \neq 0$, and there will be a remaining term depending on $H$. Therefore, it won't be possible to find the term $x_m^*$ (as we would have to solve the discrete logarithm problem to find the relation between $G$ and $H$) and this verification would fail.

$x_m^* = \displaystyle\sum_{j=1}^{t} y_j - \displaystyle\sum_{i=1}^{m-1} x_i^*$
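The bit-wise commitments from the range-proof section and the RCTTypeSimple balance check that the forgery attempt fails on can be reproduced with the sketch below, which is an added example and not code from the original page or the project. Assumptions: a small pure-Python Ed25519 implementation stands in for dumber25519, $H$ is derived by hashing a label (it is not Monero's real $H$), the fee value is constructed, and all function names are hypothetical.

```python
import hashlib
import secrets

# Pure-Python Ed25519 affine arithmetic (assumption: stands in for dumber25519).
p = 2**255 - 19                                       # field prime
l = 2**252 + 27742317777372353535851937790883648493   # prime order of G and H
d = -121665 * pow(121666, -1, p) % p                  # Edwards curve constant

def recover_x(y):
    """Even x such that (x, y) is on -x^2 + y^2 = 1 + d x^2 y^2, else None."""
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    if (x * x - xx) % p:
        return None
    return x if x % 2 == 0 else p - x

def add(P, Q):
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p)

def neg(P):
    return (-P[0] % p, P[1])

def mul(s, P):
    """Double-and-add scalar multiplication (s is reduced mod l first)."""
    R, s = (0, 1), s % l
    while s:
        if s & 1:
            R = add(R, P)
        P, s = add(P, P), s >> 1
    return R

def hash_to_point(label):
    """Try-and-increment, then multiply by the cofactor 8 (constructed, not Monero's H)."""
    for ctr in range(256):
        y = int.from_bytes(hashlib.sha512(label + bytes([ctr])).digest(), "little") % p
        if recover_x(y) is not None:
            return mul(8, (recover_x(y), y))
    raise ValueError("no curve point found")

Gy = 4 * pow(5, -1, p) % p
G = (recover_x(Gy), Gy)
H = hash_to_point(b"added example: second generator")

def commit(x, a):
    """Pedersen commitment C = xG + aH."""
    return add(mul(x, G), mul(a, H))

def point_sum(points):
    total = (0, 1)                       # neutral element
    for P in points:
        total = add(total, P)
    return total

def bit_commitments(a, k=64):
    """C_i = x_i G + a_i 2^i H for each bit a_i of a."""
    xs = [secrets.randbelow(l) for _ in range(k)]
    return xs, [commit(x, a & (1 << i)) for i, x in enumerate(xs)]

def ring_pair(C_i, i):
    """The two ring members for bit i: C_i and C_i - 2^i H."""
    return C_i, add(C_i, neg(mul(1 << i, H)))

def simple_tx(in_amounts, out_amounts):
    """Pseudo-output and output commitments; the last pseudo blinding factor is
    sum(output blindings) - sum(other pseudo blindings), as in RCTTypeSimple."""
    ys = [secrets.randbelow(l) for _ in out_amounts]
    xs = [secrets.randbelow(l) for _ in in_amounts[:-1]]
    xs.append((sum(ys) - sum(xs)) % l)
    return ([commit(x, a) for x, a in zip(xs, in_amounts)],
            [commit(y, b) for y, b in zip(ys, out_amounts)])

def leftover(pseudo, outs, fee):
    """sum(pseudo) - sum(outs) - fee*H: what remains after the blinding factors cancel."""
    return add(point_sum(pseudo), neg(add(point_sum(outs), mul(fee, H))))

def balanced(pseudo, outs, fee):
    return leftover(pseudo, outs, fee) == (0, 1)

if __name__ == "__main__":
    XMR, fee = 10**12, 10**9             # atomic units per XMR; fee is constructed
    xs, Cs = bit_commitments(17 * XMR)
    print("sum(C_i) == C_a:", point_sum(Cs) == commit(sum(xs), 17 * XMR))
    honest = simple_tx([3 * XMR // 10], [2 * XMR // 10, XMR // 10 - fee])
    forged = simple_tx([3 * XMR // 10], [30 * XMR])   # 0.3 XMR in, 30 XMR out
    print("honest balanced:", balanced(*honest, fee))
    print("forged balanced:", balanced(*forged, fee))
    print("forged leftover is (a - b - fee)H:",
          leftover(*forged, fee) == mul(3 * XMR // 10 - 30 * XMR - fee, H))
```

In the forged case the blinding factors still cancel, so the leftover point is exactly $(a - b - fee)H$; signing for it as if it were $zG$ would require the discrete logarithm of $H$ with respect to $G$.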