In the confidential transactions proposed by Maxwell, instead of transaction amounts we use Pedersen commitments to hide the amount and add the range proof to the transaction to prevent overflow. A simple commitment with one input and one output, C1 and C2, is as follows (ignore the fee for simplicity):
C1 = C2 => BF1*G + a*H = BF2*G + a*H
where in this example BF1 = BF2 obviously since it only has one input and output.
How does the sender send the amount and blinding factor to the receiver? The receiver can check if the amount is correct! I noticed Maxwell said they use ECDH. I assume there is no additional communication channel for ECDH. Then how does the sender get the receiver's public key? And does the sender need to reveal both the blinding factor and the amount in the ECDH?
By the random number for creating the range proof, are you referring to the commitment's blinding factor? The blinding factor in the ring signature proves the range proof as far as I know. If so, then is the blinding factor generated from the seed? May I know what the seed is exactly? – abeikverdi – 2016-08-19T05:03:06.003
If the range proof only covers values up to 2^32-1 does that mean you can't send more than ~42.9… bitcoins with CT? – Murch – 2016-08-19T06:57:56.243
@abeikverdi No, the seed value is not the blinding factor. It is the base for the randomness that goes into the ring signatures inside the range proofs. By making the randomness deterministic, the receiver can "undo" the range proof by knowing what randomness goes into it. – Pieter Wuille – 2016-08-19T08:31:45.253
@Murch The range can actually be chosen to be anything between 2 and 64 bits of randomness, but that range is public. So you can use a larger range, but that gives an indication you're transacting more. Of course, you can always use larger ranges even when transacting small values, but this increases the price. – Pieter Wuille – 2016-08-19T08:33:20.470
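
The commitment equation from the question, as an added Python example that is not part of the original thread: it computes C = BF*G + a*H on secp256k1, checks that inputs and outputs balance, and shows the check a receiver can run once told the amount and blinding factor. It goes slightly beyond the one-input, one-output case by also accepting several outputs. The way `H` is derived here and all function names are assumptions made for illustration, not the generator or API of any CT implementation.

```python
import hashlib

# secp256k1 field prime, group order and base point G
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        m = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(k, p):  # double-and-add scalar multiplication (not constant time)
    r, k = None, k % N
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def second_generator(tag=b"constructed-H"):
    # Assumption: try-and-increment hash to curve, so nobody knows log_G(H)
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(tag + bytes([ctr])).digest(), "big") % P
        y = pow((x**3 + 7) % P, (P + 1) // 4, P)
        if y * y % P == (x**3 + 7) % P:
            return (x, y)

H = second_generator()

def commit(bf, amount):  # Pedersen commitment C = bf*G + amount*H
    return add(mul(bf, G), mul(amount, H))

def balances(inputs, outputs):  # is sum(inputs) - sum(outputs) the point at infinity?
    total = None
    for c in inputs: total = add(total, c)
    for c in outputs: total = add(total, (c[0], -c[1] % P))
    return total is None

def opens(c, bf, amount):  # receiver-side check of a disclosed (bf, amount)
    return c == commit(bf, amount)
```

With more than one output, the blinding factors must sum to the same value on both sides, just as the amounts must.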