From 0071ea3a696093c12b5530ddae93cd280960f7de Mon Sep 17 00:00:00 2001 From: Mike Justman Date: Mon, 28 Aug 2017 12:29:54 -0400 Subject: [PATCH 1/6] Add Pedersen Commitments explanation to FAQ Text from [here](https://www.reddit.com/r/Monero/comments/6wi512/how_can_a_third_party_verify_my_transaction/dm89e8g/). --- get-started/faq/index.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/get-started/faq/index.md b/get-started/faq/index.md index 14a6f7ec..2fa4c85f 100644 --- a/get-started/faq/index.md +++ b/get-started/faq/index.md @@ -124,3 +124,18 @@ Fungibility is a simple property of money such that there are no differences bet + +
+ + + +
+ +The value of the inputs that you are spending and the value of the outputs you are sending are encrypted and opaque to everyone except the recipient of each of those outputs. + +The clever part is that they're encrypted using Pedersen commitments. What this means is that no observers can tell the amounts of the inputs and outputs, but they can do math on the Pedersen commitments to determine that no Monero was created out of thin air. + +As long as the encrypted output amounts you create (which include an output for the recipient and a change output back to yourself) plus the transaction fee (which is unencrypted) is equal to the sum of the inputs that are being spent, then you have a legitimate transaction that is not creating Monero out of thin air. Pedersen commitments mean that the sums can be verified as being equal, but the Monero value of each of the sums and the Monero value of the inputs and outputs individually are undeterminable. +
+ +
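Review bot: In the FAQ text added by PATCH 1/6 (get-started/faq/index.md), "The clever part is that they're encrypted using Pedersen commitments" describes a commitment as encryption. A commitment hides a value and binds the committer to it, and nobody decrypts it, which is how the summary in PATCH 2/6 words it ("commit to a certain value without revealing it or being able to change it"). Suggest "hidden using Pedersen commitments" here, and "committed output amounts" instead of "encrypted output amounts" in the last added paragraph. In that same paragraph the subject is plural (the output amounts plus the fee), so "is equal to the sum of the inputs" should read "are equal to the sum of the inputs".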
From 0bbeb816beb88e101e070c887ca936b0ea7dc7bc Mon Sep 17 00:00:00 2001 From: Mike Justman Date: Mon, 28 Aug 2017 13:00:47 -0400 Subject: [PATCH 2/6] Add Pedersen Commitment Moneropedia Entry Text modified from [this](https://www.reddit.com/r/Monero/comments/6wi512/how_can_a_third_party_verify_my_transaction/dm89e8g/) Reddit comment from @knaccc. --- resources/moneropedia/pedersen-commitment | 24 +++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 resources/moneropedia/pedersen-commitment diff --git a/resources/moneropedia/pedersen-commitment b/resources/moneropedia/pedersen-commitment new file mode 100644 index 00000000..a7ff98ba --- /dev/null +++ b/resources/moneropedia/pedersen-commitment 
@@ -0,0 +1,24 @@ +--- +layout: moneropedia +entry: "Pedersen Commitment" +terms: ["commitments", "commitment", "pedersen"] +summary: "Pedersen commitments are cryptographic algorythms that allow a prover to commit to a certain value without revealing it or being able to change it." +--- + +### The Basics + +When you spend Monero, the value of the inputs that you are spending and the value of the outputs you are sending are encrypted and opaque to everyone except the recipient of each of those outputs. Pedersen commitments allow you to send Monero without revealing the value of the transactions. Pedersen commitments also make it possible for people to verify that transactions on the blockchain are valid and not creating Monero out of thin air. + +### What It Means + +As long as the encrypted output amounts created, which include an output for the recipient and a change output back to the sender, and the unencrypted transaction fee is equal to the sum of the inputs that are being spent, it is a legitimate transaction and can be confirmed to not be creating Monero out of thin air. + +Pedersen commitments mean that the sums can be verified as being equal, but the Monero value of each of the sums and the Monero value of the inputs and outputs individually are undeterminable. Pedersen commitments also mean that even the ratio of one input to another, or one output to another is undeterminable. + +Even though it's unclear which inputs are really being spent (the ring signature lists both the real inputs being spent and decoy inputs therefore you don't actually know which input Pedersen commitments you need to sum) that's okay, because the RingCT ring signature only has to prove is that for one combination of the inputs the outputs are equal to the sum of the inputs. For mathematical reasons, this is impossible to forge. 
+ +### In-depth Information + +See information in [Ring Confidential Transactions paper](https://eprint.iacr.org/2015/1098.pdf) by Shen Noether of the Monero Research Lab. + +{{ page.summary | capitalize }}. From 89099b411ff1c93ba92653943512fd2ab1d57994 Mon Sep 17 00:00:00 2001 From: Mike Justman Date: Mon, 28 Aug 2017 14:52:38 -0400 Subject: [PATCH 3/6] Update index.md ### Update FAQ * added key image information (double spend protection) * clarified Pedersen commitment information --- get-started/faq/index.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/get-started/faq/index.md b/get-started/faq/index.md index 2fa4c85f..37f589d3 100644 --- a/get-started/faq/index.md +++ b/get-started/faq/index.md @@ -130,12 +130,13 @@ Fungibility is a simple property of money such that there are no differences bet
+In Monero, every transaction generates a key image. Key images that are used more than once are rejected by the the miners as double-spends and cannot be added to a valid block. When a new transaction is received, miners verify that the key image does not already exist for a previous transaction to ensure it's not a double-spend. -The value of the inputs that you are spending and the value of the outputs you are sending are encrypted and opaque to everyone except the recipient of each of those outputs. +We can also know that transaction amounts are valid even though the value of the inputs that you are spending and the value of the outputs you are sending are encrypted and hidden to everyone except the recipient of each of those outputs. -The clever part is that they're encrypted using Pedersen commitments. What this means is that no observers can tell the amounts of the inputs and outputs, but they can do math on the Pedersen commitments to determine that no Monero was created out of thin air. +They're encrypted using Pedersen commitments. What this means is that no observers can tell the amounts of the inputs and outputs, but they can do math on the Pedersen commitments to determine that no Monero was created out of thin air. -As long as the encrypted output amounts you create (which include an output for the recipient and a change output back to yourself) plus the transaction fee (which is unencrypted) is equal to the sum of the inputs that are being spent, then you have a legitimate transaction that is not creating Monero out of thin air. Pedersen commitments mean that the sums can be verified as being equal, but the Monero value of each of the sums and the Monero value of the inputs and outputs individually are undeterminable. 
+As long as the encrypted output amounts you create which include an output for the recipient and a change output back to yourself plus the unencrypted transaction fee is equal to the sum of the inputs that are being spent, then you have a legitimate transaction and know no Monero is being created out of thin air. Pedersen commitments mean that the sums can be verified as being equal, but the Monero value of each of the sums and the Monero value of the inputs and outputs individually are undeterminable.
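Review bot: In PATCH 2/6 (resources/moneropedia/pedersen-commitment), the front-matter `summary` misspells "algorithms" as "algorythms", and because the entry ends with `{{ page.summary | capitalize }}.` the typo is rendered on the page, not only stored in metadata. Two more points in the same hunk: in the last paragraph of "What It Means", "the RingCT ring signature only has to prove is that" has a stray "is", and "For mathematical reasons, this is impossible to forge" gives the reader nothing to check; either drop the sentence or point to the Ring Confidential Transactions paper already linked under "In-depth Information". The new file is also created without an extension although its content is front matter plus Markdown headings; confirm that this matches how the other Moneropedia entries are named.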
From d6e7fda47e3686563431de7060c75bcf7c69b985 Mon Sep 17 00:00:00 2001 From: Mike Justman Date: Mon, 28 Aug 2017 14:56:38 -0400 Subject: [PATCH 4/6] Update index.md * clarification --- get-started/faq/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/get-started/faq/index.md b/get-started/faq/index.md index 37f589d3..2a8ec585 100644 --- a/get-started/faq/index.md +++ b/get-started/faq/index.md @@ -134,7 +134,7 @@ In Monero, every transaction generates a key image. Key images that are used mor We can also know that transaction amounts are valid even though the value of the inputs that you are spending and the value of the outputs you are sending are encrypted and hidden to everyone except the recipient of each of those outputs. -They're encrypted using Pedersen commitments. What this means is that no observers can tell the amounts of the inputs and outputs, but they can do math on the Pedersen commitments to determine that no Monero was created out of thin air. +The amounts are encrypted using Pedersen commitments. What this means is that no observers can tell the amounts of the inputs and outputs, but they can do math on the Pedersen commitments to determine that no Monero was created out of thin air. As long as the encrypted output amounts you create which include an output for the recipient and a change output back to yourself plus the unencrypted transaction fee is equal to the sum of the inputs that are being spent, then you have a legitimate transaction and know no Monero is being created out of thin air. Pedersen commitments mean that the sums can be verified as being equal, but the Monero value of each of the sums and the Monero value of the inputs and outputs individually are undeterminable. From cf802544127ae02410d820584575fb6b38495fc0 Mon Sep 17 00:00:00 2001 
From: Mike Justman Date: Mon, 28 Aug 2017 15:24:15 -0400 Subject: [PATCH 5/6] Update index.md * grammar: repeated word (the the) * consolidated paragraph for clarity (slight re-write) --- get-started/faq/index.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/get-started/faq/index.md b/get-started/faq/index.md index 2a8ec585..656e1969 100644 --- a/get-started/faq/index.md +++ b/get-started/faq/index.md @@ -130,13 +130,11 @@ Fungibility is a simple property of money such that there are no differences bet
-In Monero, every transaction generates a key image. Key images that are used more than once are rejected by the the miners as double-spends and cannot be added to a valid block. When a new transaction is received, miners verify that the key image does not already exist for a previous transaction to ensure it's not a double-spend. +In Monero, every transaction generates a key image. Key images that are used more than once are rejected by the miners as double-spends and cannot be added to a valid block. When a new transaction is received, miners verify that the key image does not already exist for a previous transaction to ensure it's not a double-spend. -We can also know that transaction amounts are valid even though the value of the inputs that you are spending and the value of the outputs you are sending are encrypted and hidden to everyone except the recipient of each of those outputs. +We can also know that transaction amounts are valid even though the value of the inputs that you are spending and the value of the outputs you are sending are encrypted (these are hidden to everyone except the recipient). Because the amounts are encrypted using Pedersen commitments what this means is that no observers can tell the amounts of the inputs and outputs, but they can do math on the Pedersen commitments to determine that no Monero was created out of thin air. -The amounts are encrypted using Pedersen commitments. What this means is that no observers can tell the amounts of the inputs and outputs, but they can do math on the Pedersen commitments to determine that no Monero was created out of thin air. - -As long as the encrypted output amounts you create which include an output for the recipient and a change output back to yourself plus the unencrypted transaction fee is equal to the sum of the inputs that are being spent, then you have a legitimate transaction and know no Monero is being created out of thin air. 
Pedersen commitments mean that the sums can be verified as being equal, but the Monero value of each of the sums and the Monero value of the inputs and outputs individually are undeterminable. +As long as the encrypted output amounts you create is equal to the sum of the inputs that are being spent (which include an output for the recipient and a change output back to yourself and the unencrypted transaction fee), then you have a legitimate transaction and know no Monero is being created out of thin air. Pedersen commitments mean that the sums can be verified as being equal, but the Monero value of each of the sums and the Monero value of the inputs and outputs individually are undeterminable.
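Review bot: In PATCH 5/6, the consolidated last paragraph moves the parenthetical so that it now follows "the sum of the inputs that are being spent", which makes the sentence say that the inputs "include an output for the recipient and a change output back to yourself and the unencrypted transaction fee". Those are the outputs side of the equation, as the removed line had it ("output amounts you create which include an output for the recipient and a change output back to yourself plus the unencrypted transaction fee"). Suggest putting the parenthetical back next to "output amounts" and keeping the fee as a separate term, with "are equal" for the plural subject. In the second added paragraph, "Because the amounts are encrypted using Pedersen commitments what this means is that" can be shortened to "Because the amounts are hidden using Pedersen commitments," so the sentence has one main clause.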
From 322f81cf9587c80b3b27ecc9cd906fc704bd8799 Mon Sep 17 00:00:00 2001 From: Mike Justman Date: Mon, 28 Aug 2017 19:39:10 -0400 Subject: [PATCH 6/6] Updated key image text. * updated key image text. --- get-started/faq/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/get-started/faq/index.md b/get-started/faq/index.md index 656e1969..fa5ffcde 100644 --- a/get-started/faq/index.md +++ b/get-started/faq/index.md @@ -130,7 +130,7 @@ Fungibility is a simple property of money such that there are no differences bet
-In Monero, every transaction generates a key image. Key images that are used more than once are rejected by the miners as double-spends and cannot be added to a valid block. When a new transaction is received, miners verify that the key image does not already exist for a previous transaction to ensure it's not a double-spend. +In Monero, every transaction output is uniquely associated with a key image that can only be generated by the holder of that output. Key images that are used more than once are rejected by the miners as double-spends and cannot be added to a valid block. When a new transaction is received, miners verify that the key image does not already exist for a previous transaction to ensure it's not a double-spend. We can also know that transaction amounts are valid even though the value of the inputs that you are spending and the value of the outputs you are sending are encrypted (these are hidden to everyone except the recipient). Because the amounts are encrypted using Pedersen commitments what this means is that no observers can tell the amounts of the inputs and outputs, but they can do math on the Pedersen commitments to determine that no Monero was created out of thin air.
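Review bot: In PATCH 6/6, the rewritten first sentence ties a key image to each transaction output, but the third sentence of the same added line still says miners verify "that the key image does not already exist for a previous transaction", which keeps the one-key-image-per-transaction framing this patch is correcting. Suggest wording it per key image, for example "miners verify that none of its key images has already appeared in a previous transaction". Patches 3 to 6 all rewrite the same FAQ paragraphs introduced in PATCH 1/6, so squashing them into that commit would leave a single reviewable version of the text.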