This thread is specifically for discussing Ring Confidential Transactions as defined and outlined in Shen Noether's RingCT pdfs.
My goal for this thread is to simplify RingCT and its definition as much as possible so others can understand it (including myself).
Disclaimer: I am just a curious mind. I do not pretend to know anything about RingCT and its underlying math/proofs/definitions. I am merely a curious soul trying to understand how this all works. I welcome any and all discussion directly related to the topic of this thread. IF I HAVE WRITTEN SOMETHING WRONG OR INCORRECTLY PLEASE POST OR PM ME ABOUT IT SO I CAN CORRECT IT.
Latest version:
https://github.com/ShenNoether/MiniNero/raw/master/RingCT0.5_copy.pdf
This paper is very math heavy and some variables are defined and some aren't. Hopefully after discussion there can be more clarity on the math that is used within.
Preface/Purpose: Currently in Monero amounts that are transferred are public to view. Ring CT is an attempt to obfuscate the amount of a transaction (and all of its inputs and outputs) to add more transactional privacy.
Definitions:
MLSAG - Multilayered Linkable Spontaneous ad-hoc group signatures
E - an elliptic curve equation; −x^2 + y^2 = 1 + d·x^2·y^2
q: a prime number; q = 2^255 − 19
d = -121665/121666
P_j = xG = Public Key
G = Ed25519 base point
l: a prime order of the base point; l = 2^252 + 27742317777372353535851937790883648493 =~ 7.25 x 10^75
x = signer's spend key
I = xH(P_j) = Key Image (unique - no copies/duplicates allowed)
H = hash function returning a point (in practice toPoint(Keccak(Pk)))
h = hash function toScalar(Keccak(Pk)) <---- can take multiple parameters concatenated
m = message
α, s_i, i =/= j, i ∈ {1,...,n} are random values in Z_q (the ed25519 base field)
s_j = α − c_j·x mod l
α = s_j + c_j·x mod l
L_j = αG = s_j·G + c_j·P_j <---- Intermediate value if i = s
R_j = αH(P_j) <---- Intermediate value if i = s
c_{j+1} = h(m,L_j,R_j) or A.K.A. "non-interactive challenge"
σ = (I,c_1,s_1,...,s_n) = Signature
Key Vector = the collection of all public keys Y = (y_1,...,y_r) and corresponding private keys X = (x_1, ..., x_r)
Generalized Ring = [P_ij] where i = 1,...,n and j = 1,...,m = n-members and all of which have EXACTLY m-keys
<Other heading not sure what to call it lol>
1. What I've deduced from reading up until page 6 is that the idea of obfuscating amounts will be accomplished with "mixing" with n signers that have the same amount of m keys.
2. Also noticed that the equations are recursive mod n. If you don't know what that means, for example define the following:
L_j = s_j·G + c_j·P_j
c_{j+1} = H(m,L_j,R_j)
Since L_j is part of the definition of c_{j+1} and c_j is part of the definition of L_j, that is the definition of recursion: a function/equation calling itself within its definition.
The mod portion is the remainder of a division (example: 5 mod 3 = 2).
In the context of this paper c_{n+1} = c_1 AND c_{n+2} = c_2... and so forth, because (n+1) mod n = 1 and (n+2) mod n = 2
s_j = α − c_j·x mod l
α = s_j + c_j·x mod l
3. With a single c_i value, the P_j values, I (key image), and all the s_j values...
... all other c_k values can be deduced while k =/= i.
This provides space saving of about 1/2 the space/size when creating the signature. <------ is this part of Compact CT?
The signature therefore is:
σ = (I,c_1,s_1,...,s_n)
4. Assuming a GENERAL RING composed of n-member and EXACTLY m-keys with the following requirements:
a. Exactly 1 of the n-signers gives a signature on all m of their keys.
b. If that same user uses any of those m-keys in another GENERAL RING SIG, then the two RINGS are linked.
<more to come>
Elliptic-curve overview:
Example #1 with d = 30:
x^2 + y^2 = 1 - 30x^2y^2
Center of the curve is point (0,0) for reference.
Example #2 using the actual curve E as defined above:
<-------- Actual Ed25519 curve used in Monero/cryptonote
As you can see above in the blue is the curve of the equation in the image above it. Here is the site where the graph was generated:
https://www.desmos.com/calculator/ialhd71we3
Just paste the following into a new Elliptic curve line on the left:
-x^2\ +y^2\ =\ 1\ +\left(\frac{\left(-121665\right)}{121666}\right)x^2\cdot y^2
Question: Why do you only show the graph from -7.25x10^75 to 7.25x10^75 on the x-axis?
Answer: Because l, as it is defined, is 2^252 + 27742317777372353535851937790883648493 =~ 7.25 x 10^75.
Because we mod the base point G by l in our computations, this is why the graph essentially "ends" at those points.
Example #3
Now if you play with some of the values on that site you can get a different modified curve that doesn't just look like two parallel lines, just to get a gist of what elliptic curves look like when you slightly modify the values:
Example #3
And modifying it one more time you get:
Helpful resources:
ECCHacks - A gentle introduction to elliptic-curve cryptography [31c3]
Online Elliptic Curve Points Graph Generator
Will be editing OP to add more information as I am able to digest it in my limited capacity brain.
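The ring recursion from points 2 and 3, run over the Ed25519 constants listed in the definitions, as an added example (not code from this post or from MiniNero). It goes slightly beyond what the post states: the decoy formula R_i = s_i·H(P_i) + c_i·I is the standard LSAG one, SHA3-256 stands in for Keccak, try-and-increment stands in for Monero's toPoint, and all function names are assumptions.

```python
import hashlib, secrets
q = 2**255 - 19                                      # field prime from the definitions
l = 2**252 + 27742317777372353535851937790883648493  # prime order of G
inv = lambda a: pow(a, q - 2, q)                     # inverse mod q
d = -121665 * inv(121666) % q
SQRT_M1 = pow(2, (q - 1) // 4, q)                    # square root of -1 mod q

def add(P, Q):                                       # point addition on E
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % q
    return ((x1*y2 + x2*y1) * inv(1 + t) % q, (y1*y2 + x1*x2) * inv(1 - t) % q)

def mul(k, P):                                       # k*P by double-and-add
    R = (0, 1)                                       # neutral element
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def lift(y):                                         # point (x, y) on E, or None
    xx = (y*y - 1) * inv(d*y*y + 1) % q
    x = pow(xx, (q + 3) // 8, q)
    if (x*x - xx) % q: x = x * SQRT_M1 % q
    return None if (x*x - xx) % q else (q - x if x & 1 else x, y)
G = lift(4 * inv(5) % q)                             # Ed25519 base point, y = 4/5

def h(*parts):                                       # toScalar; SHA3-256 stands in for Keccak
    return int.from_bytes(hashlib.sha3_256(repr(parts).encode()).digest(), "little") % l
def H(P):                                            # toPoint; try-and-increment (assumption)
    y = h("toPoint", P)
    while lift(y) is None: y += 1
    return mul(8, lift(y))                           # multiply by cofactor 8
def challenge(m, P, I, s, c):                        # c_{i+1} = h(m, L_i, R_i), standard LSAG R_i
    return h(m, add(mul(s, G), mul(c, P)), add(mul(s, H(P)), mul(c, I)))

def sign(m, ring, j, x):                             # requires ring[j] == x*G
    n, alpha, Hj = len(ring), secrets.randbelow(l), H(ring[j])
    I, s, c = mul(x, Hj), [secrets.randbelow(l) for _ in ring], [0] * n
    c[(j + 1) % n] = h(m, mul(alpha, G), mul(alpha, Hj))
    for i in ((j + k) % n for k in range(1, n)):     # decoys, walking round to j
        c[(i + 1) % n] = challenge(m, ring[i], I, s[i], c[i])
    s[j] = (alpha - c[j] * x) % l                    # closes the ring
    return I, c[0], s

def verify(m, ring, sig):                            # rebuild every c_k from c_1 alone
    I, c1, s = sig
    c = c1
    for P, si in zip(ring, s): c = challenge(m, P, I, si, c)
    return c == c1
```

Linking two signatures (point 4b) is a comparison of their I values. A production verifier must also reject an I that lies outside the prime-order subgroup, which this sketch omits.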