Range proof's Confidential Transaction understanding

I've some doubt about Greg Maxwell Confidential transaction and hope someone can help to make it clear. A commitment using Elliptic Curve math is:

                                  P=xG + aH

where G,H are public value and x,a are private.

My questions are:

xG is public or private value?
if xG is a public value why an attacker cannot simply make a brute force attack trying all possible value of a checking for the equality with the P value?
if xG is a private value the CT paper tell: can be proven to be a commitment to a zero by just signing a hash of the commitment with the commitment as the public or if if you want to prove a=1 make C' = C - 1H and then sign the hash of C'. How signing C or C' can I prove the value and also how can I verify a sign if I dont know xG?

confidential-transactions

Bartok

Posted 2017-05-18T07:43:20.827

Reputation: 25

Answers

Only the overall commitment (P) is revealed. G and H are constants known to everyone. x (the blinding factor) and a (the value) are secret.

if xG is a private value the CT paper tell: can be proven to be a commitment to a zero by just signing a hash of the commitment with the commitment as the public or if if you want to prove a=1 make C' = C - 1H and then sign the hash of C'. How signing C or C' can I prove the value and also how can I verify a sign if I dont know xG?

You can only sign with a point if it's a known multiple of G. By definition, a signature with private k can be verified with public key kG. If P = xG + aH with a nonzero, it is impossible to find a k such that kG = xG + aH - that would require knowing the ratio between G and H (and H is constructed in such a way that this ratio is unknown to everyone).

Pieter Wuille

Posted 2017-05-18T07:43:20.827

Reputation: 54 032

Thanks! If I've understand .. suppose we 've got a commitment C to 1 (C=xG+H) in a set [0-1]. Then make two commitment: P0 = C=xG+H and P1= C-1H = xG+H-h=xG. If I want to use this commitment as sign's public key I can do it only for P1 beacause dont know the logaritm of P0? – Bartok – 2017-05-22T09:36:40.097

You got it. The DL of P1 (wrt G) is x, but the DL of P0 wrt G is not known (to anyone). – Pieter Wuille – 2017-05-22T17:06:02.803