
So let's say for the first commitment (after a mined transaction):

let a = miner_reward

This is a known number.

To generate the first commitment, one does:

input = x.G + a.H; output = x.G + a.H

Then, using Diffie-Hellman, the sender lets the receiver know the values of both x and a. The problem is, if the receiver now wants to spend the output commitment, he must add a further layer of masking/encryption, because if he doesn't and some malicious actor down the road receives a payment, all the bad actor has to do is reveal x, and everyone in the chain that used x as a blinding key will have their amounts compromised.

So my question is, how exactly does the receiver add the further encryption to the commitment? Proofs of why it's valid would be nice as well.

cookiekid

1 Answer


Blinding factors are random numbers that are only used once per commitment. No two commitments should ever share the same blinding factor, even if they're for the same amount. The blinding factor is generated by the sender and communicated to the receiver in encrypted form using the DH shared secret (as you've pointed out).

If the existing commitments for inputs were used in transactions spending multiple inputs (known as RCTTypeSimple transactions), then if one real input ring position were revealed, this would reveal all real input ring positions in the transaction.

Therefore, for transactions spending multiple inputs, you avoid this problem by creating new commitments for the inputs you're spending, and these are called "PseudoOuts" in the transaction structure. See "Is the 'pseudoOuts' of 'rctSig' the commitment on input amounts for simple RCT?"

knaccc
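As an added worked example (not part of the question or of knaccc's answer), the Python below builds the pseudoOuts the answer describes for a two-input spend and checks why they are valid. It implements Ed25519 point arithmetic from scratch, derives a second generator H with a toy hash-to-point (an assumption; it is not how Monero derives its actual H), uses constructed amounts, and leaves out range proofs and the ring signature. The function names (`commit`, `build_pseudo_outs`, `verify_balance`, `verify_commitment_to_zero`, `demo`) are hypothetical, chosen for this example only.

```python
import hashlib
import secrets
from functools import reduce

# Ed25519 (twisted Edwards, a = -1) in affine coordinates, implemented here for
# the example. L is the order of the prime subgroup; all masks live mod L.
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, -1, p)) % p
IDENTITY = (0, 1)

def recover_x(y):
    """Even x with (x, y) on the curve, or None if no such point exists."""
    x2 = (y * y - 1) * pow((d * y * y + 1) % p, -1, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    if (x * x - x2) % p:
        return None
    return x if x % 2 == 0 else p - x

def add(P, Q):
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow((1 + t) % p, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow((1 - t) % p, -1, p) % p)

def sub(P, Q):
    return add(P, ((-Q[0]) % p, Q[1]))

def mul(k, P):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

Gy = 4 * pow(5, -1, p) % p
G = (recover_x(Gy), Gy)                     # the standard Ed25519 base point

def hash_to_point(label):
    """ASSUMPTION: toy hash-to-point (use SHA-256 outputs as y until one lies on
    the curve, then clear the cofactor). Not how Monero derives its real H."""
    ctr = 0
    while True:
        y = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "little") % p
        x = recover_x(y)
        if x is not None:
            return mul(8, (x, y))
        ctr += 1

H = hash_to_point(b"example-H")             # second generator, dlog w.r.t. G unknown

def random_scalar():
    return secrets.randbelow(L - 1) + 1

def commit(mask, amount):
    """Pedersen commitment mask*G + amount*H, the form used in the question."""
    return add(mul(mask % L, G), mul(amount, H))

def build_pseudo_outs(inputs, output_masks):
    """inputs: [(mask, amount)] the spender learned for the outputs it is spending.
    Each pseudoOut re-commits to the same amount under a fresh mask; the last mask
    makes sum(pseudo masks) == sum(output masks) mod L (the fee has mask 0), so
    that sum(pseudoOuts) == sum(output commitments) + fee*H holds."""
    masks = [random_scalar() for _ in inputs[:-1]]
    masks.append((sum(output_masks) - sum(masks)) % L)
    return masks, [commit(y, amount) for y, (_, amount) in zip(masks, inputs)]

def verify_balance(pseudo_outs, out_commitments, fee):
    """Public check done by every verifier; it sees no masks and no amounts."""
    lhs = reduce(add, pseudo_outs, IDENTITY)
    rhs = add(reduce(add, out_commitments, IDENTITY), mul(fee, H))
    return lhs == rhs

def verify_commitment_to_zero(C_in, pseudo_out, x, y):
    """C_in - pseudoOut == (x - y)*G exactly when both commit to the same amount."""
    return sub(C_in, pseudo_out) == mul((x - y) % L, G)

def demo():
    # Constructed amounts (atomic units); x1 is the miner-reward mask disclosed
    # to us over DH, x2 the disclosed mask of a second output we own.
    a1, a2, fee = 600_000_000_000, 150_000_000_000, 10_000_000_000
    x1, x2 = random_scalar(), random_scalar()
    C1, C2 = commit(x1, a1), commit(x2, a2)
    b1 = 500_000_000_000
    b2 = a1 + a2 - fee - b1
    z1, z2 = random_scalar(), random_scalar()         # fresh output masks
    out_commitments = [commit(z1, b1), commit(z2, b2)]
    (y1, y2), (P1, P2) = build_pseudo_outs([(x1, a1), (x2, a2)], [z1, z2])
    return {
        "balance_ok": verify_balance([P1, P2], out_commitments, fee),
        "same_amounts": verify_commitment_to_zero(C1, P1, x1, y1)
        and verify_commitment_to_zero(C2, P2, x2, y2),
        "masks_are_fresh": y1 != x1 and y2 != x2 and P1 != C1 and P2 != C2,
        # Inflating one output by a single atomic unit breaks the balance check.
        "inflation_rejected": not verify_balance(
            [P1, P2], [commit(z1, b1 + 1), commit(z2, b2)], fee),
    }
```

Two checks carry the argument. `verify_balance` is the public one: because commitments are additively homomorphic, the masks cancel and the verifier only learns that the committed input amounts equal the committed output amounts plus the fee. `verify_commitment_to_zero` is the spender-side relation the ring signature proves: C_in - pseudoOut is a multiple of G only if both commit to the same amount, and the signer demonstrates knowledge of the scalar x - y rather than revealing it. Since every pseudoOut carries a brand-new mask, someone who later reveals the original x learns nothing about y or about the other masks in this transaction.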