1
I have a small question about confidential transactions. In it, a secret random blinding key is used to generate a Pedersen commitment. Is that mean that the recipient's blinding key is determined by the sender, and sender deliver the blinding key to the recipient in private channel?
My question may be stupid. It would be great if anyone could shed some light on this.
1
The blinding key is a shared secret among the receiver and the sender.
Typically the Diffie-Hellman key exchange is intiated by the sender ECDH, given that he already has knowledge of the receivers public key in a secure manner. The blinding key itself is not public knowledge, but the sender includes a one-time/temporary/ephemeral public key along with the transaction. The temporary public key is used in the ECDH key exchange scheme (receiver public key + temporary public key -> shared secret) to create the blind key.
There is no need for a private channel, the temporary public key can be public knowledge. The receiver however has to generate the shared secret themselves.
Thanks. I am still confused about how to generate the first commitment since its input must come from the block reward -- coinbase which is explicit. When the inputs are all plain-text amount, how to make the CT outputs? – N.aN – 2017-10-24T04:41:32.433
What's stopping the sender from packing a different ephemeral public key in the transaction? If he packs a different public key, the transaction will still validate, but the receiver won't be able to actually receive the money, right? – PowerPanda – 2018-02-10T00:14:37.320
@PowerPanda correct. Disclosing the shared blinding factor and its public key variant (blinding factor x, public blind key = xG) would result in a complete failure of the CT scheme. The network will validate the transaction, as it is mathematically correct but the receiver should not accept the transaction. – Penquin – 2018-02-10T15:32:25.150