π
Original date posted:2016-02-09
π Original message:My understanding of the paper is that the blinding factor would be
included in the extra data which is incorporated into the ring
signatures used in the range proof.
Although, since I think the range proof is optional for single output
transactions (or at least, one output per transaction doesn't require a
range proof since there's only one possible value that it can be to make
the whole thing work, and that value must be in range, I'm not entirely
sure how you'd transmit it then, though in any case, since using it will
pretty much require segwit, adding extraneous data isn't much of a
problem. In both cases, I imagine the blinding factor would be
protected from outside examination via some form of shared secret
generation... Although that would require the sender to know the
recipient's unhashed public key; I don't know of any shared secret
schemes that will work on hashed keys.
Jeremy Papp
On 2/9/2016 7:12 AM, Henning Kopp via bitcoin-dev wrote:
> Hi all,
>
> I am trying to fully grasp confidential transactions.
>
> When a sender creates a confidential transaction and picks the blinding
> values correctly, anyone can check that the transaction is valid. It
> remains publically verifiable.
> But how can the receiver of the transaction check which amount was
> sent to him?
> I think he needs to learn the blinding factor to reveal the commit
> somehow off-chain. Am I correct with this assumption?
> If yes, how does this work?
>
> All the best
> Henning
>
Jeremy Papp [ARCHIVE] /
npub1d2β¦ra7hj
2023-06-07 17:49:00
in reply to nevent1qβ¦hxum
Author Public Key
npub1d2jn9v846mxrvkmr5p2azy3wh4ycf50eaugt9e4ljzdcyfv5mqsqmra7hjSeen on
wss://relay.nostr.bandPublished at
2023-06-07 17:49:00Event JSON
{
"id": "e6a866e4b371bd61cd60f3dfd3f09150ebbfb7176b7aceeb587c945d9c2262e8",
"pubkey": "6aa532b0f5d6cc365b63a055d1122ebd4984d1f9ef10b2e6bf909b822594d820",
"created_at": 1686160140,
"kind": 1,
"tags": [
[
"e",
"ecce5e206f5ce817a148e6742efb6fbb69da668616fb0d71ac468c42688bea0a",
"",
"root"
],
[
"e",
"0c3a6a9e87b857e95b319b2844d361224218b6b9ebd73178b04a1404b6cb1fab",
"",
"reply"
],
[
"p",
"5f0a91713bf7b0eac4f3af9f2a7714d917168ae44ba350b1b95c1d4b32c3ce35"
]
],
"content": "π
Original date posted:2016-02-09\nπ Original message:My understanding of the paper is that the blinding factor would be \nincluded in the extra data which is incorporated into the ring \nsignatures used in the range proof.\n\nAlthough, since I think the range proof is optional for single output \ntransactions (or at least, one output per transaction doesn't require a \nrange proof since there's only one possible value that it can be to make \nthe whole thing work, and that value must be in range, I'm not entirely \nsure how you'd transmit it then, though in any case, since using it will \npretty much require segwit, adding extraneous data isn't much of a \nproblem. In both cases, I imagine the blinding factor would be \nprotected from outside examination via some form of shared secret \ngeneration... Although that would require the sender to know the \nrecipient's unhashed public key; I don't know of any shared secret \nschemes that will work on hashed keys.\n\nJeremy Papp\n\nOn 2/9/2016 7:12 AM, Henning Kopp via bitcoin-dev wrote:\n\u003e Hi all,\n\u003e\n\u003e I am trying to fully grasp confidential transactions.\n\u003e\n\u003e When a sender creates a confidential transaction and picks the blinding\n\u003e values correctly, anyone can check that the transaction is valid. It\n\u003e remains publically verifiable.\n\u003e But how can the receiver of the transaction check which amount was\n\u003e sent to him?\n\u003e I think he needs to learn the blinding factor to reveal the commit\n\u003e somehow off-chain. Am I correct with this assumption?\n\u003e If yes, how does this work?\n\u003e\n\u003e All the best\n\u003e Henning\n\u003e",
"sig": "1a74f67c6291d8ef6867f8cfd17af937ef2b29472be03ebc1b0998ede816091a1b1b59755ece525ae3f20e34fa880775404841175f4c61d059f08079a6be9a61"
}