How does a range proof bound lower at 0 and not -1?

1

From the confidential transactions article:

C' = C - 1H Then I provide a ring signature over {C, C’}.

If C was a commitment to 1 then I do not know its discrete log, but C’ becomes a commitment to 0 and I do know its discrete log (just the blinding factor). If C was a commitment to 0 I know its discrete log, and I don’t for C’. If it was a commitment to any other amount, none of the result will be zero and I won’t be able to sign.

What if C and C' are commitments to 0 and -1? Then if I can sign, that means the ring signature is a proof is over {0,-1}. I'm probably missing something, so please tell me, why can't the amount be -1 in this proof?

Jimmy Song

Posted 2017-06-01T15:56:42.597

Reputation: 7 067

I don't understand your question. The quote literally states what happens if C is a commitment to 0.Pieter Wuille 2017-06-01T16:04:37.997

Just edited it, maybe clearer? May also be showing my misunderstanding. I'm wondering why C, C' proves a commitment to 0 or 1 and not -1, 0.Jimmy Song 2017-06-01T16:12:22.930

Answers

1

What if C and C' are commitments to 0 and -1? Then if I can sign, that means the ring signature is a proof is over {0,-1}.

To create a signature, the public key must be a known multiple of G. That multiple is known as the private key. When a point has a nonzero H term in it, no signature with that point as public key can be created. In order to write rG+vH as a multiple k of G, k = r + v*(G/H). H is constructed in such a way that nobody knows the ratio between G and H. As a result, rG+vH can only be a known multiple of G when v = 0.

As a result, you can only sign for public keys that are points which are commitments to the value 0.

A ring signature means you're picking multiple points as public key, and signing for 1 of them, without revealing which one.

So if C is a commitment to 0, and thus C' a commitment to -1, you absolutely can create a ring signature with {C, C'} as public keys. But it's due to the presence of C there.

I'm probably missing something, so please tell me, why can't the amount be -1 in this proof?

There is no 'value' in the proof. There is a choice of two values. The signer only proves he can sign for one of them, and verifiers cannot know which one he meant.

Pieter Wuille

Posted 2017-06-01T15:56:42.597

Reputation: 54 032

I get this part. I'm not getting why a ring signature over {0,1} is known to the verifier as a signature over {0,1} and not {-1,0}. When the signer gives C, how does the verifier know it's a commitment to 0?Jimmy Song 2017-06-01T17:57:44.963

1The verifier knows that C is a commitment to 0 or to 1, because if C was anything else, neither of {C, C' = C - H} would be a commitment to 0, and thus nobody could have signed for it. The presence of the signature proves that one of pubkeys in the ring was actually a commitment to 0 and nothing else.Pieter Wuille 2017-06-01T20:50:10.773

ok, I think I got it. It's because the verifier calculates C-H, and it's not from the signer. That's the part that I was missing. I thought the signer gave C and C-H. Thanks!Jimmy Song 2017-06-01T21:53:44.400

1Indeed! The verifier computes C'. Glad it got cleared up.Pieter Wuille 2017-06-02T00:24:36.630

Asked: 2017-06-01T15:56:42.597

Viewed: 112 times

Active: 2017-06-01T16:30:57.130