
Title. This is probably a remarkably stupid question, but I digress. Now, I understand the point of rangeproofs, but I don't understand why they're actually necessary.

So, rangeproofs prevent a malicious user from committing to a negative number in the Pedersen Commitment. But going by that protocol (example implementation), successfully committing to a negative number should be impossible (or at least unreasonably expensive) if you choose a prime for g. Roots (which is what a negative exponent is) of any prime number are always going to be irrational, which means that you can't convert them back into an integer unless you multiply by g^(-n) which brings them back to 1. Unless g^2 < q (which can be prevented by simply choosing a g which doesn't fit that rule), then it's barely even possible to commit to -1 because mod q only allows for 1 valid number, let alone anything higher which requires exponentially higher numbers to reach a valid integer. This means that you can simply reject any commitment that equals 1.

Not only that, but the discrete logarithm problem should mean that the chances of successfully getting 1 at all are essentially non-existent in the first place.

So, in short, I don't understand why rangeproofs are necessary. By my understanding, the commitment system in and of itself should be resistant against committing to negative numbers.

1 Answer


The example you cite is not using elliptic curve operations.

A Pedersen commitment in Monero takes the form C = xG + aH (alternatively notated C = g^x ⋅ h^a) and here G and H (or g and h) are elliptic curve points, hence the operation is repeated addition (or subtraction) of the respective point. Thus a (or x) can indeed be a negative. So -3H (or h^(-3)) translates as "subtract the point H from itself 3 times (i.e. H - H - H - H)".

With this understanding, it is indeed possible to commit to a value that is negative, and thus a range proof is needed to ensure the committed value is in the range [0..2^64-1].

jtgrassie
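A worked toy example of the point made in the answer, added here as an illustration (it is not code from the question, the answer, or Monero). It uses a constructed curve y² = x³ + 7 over F_13, which has exactly 7 points, so every scalar is reduced mod 7 and a "negative" amount such as -3 is the same scalar as 4. The generators G and H are assumed toy points; in a group this small every discrete log is known, so the example shows only the arithmetic, not hiding or binding. With a 2-bit "range" [0, 4) standing in for Monero's 64-bit range inside a ~252-bit scalar field, it shows that the verifier's balance check passes for a transaction whose outputs include a negative amount, which is exactly what a range proof has to rule out without revealing the amounts.

```python
# Toy elliptic-curve Pedersen commitments (added illustration, not Monero code).
# Constructed curve: y^2 = x^3 + 7 over F_13, a 7-point group, so scalars are in Z_7.

P = 13          # toy field prime (assumption for this demo)
B = 7           # curve constant in y^2 = x^3 + B
INF = None      # point at infinity (group identity)

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + B)) % P == 0

def ec_add(p1, p2):
    """Affine short-Weierstrass addition; handles identity, doubling and inverses."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def ec_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)

def ec_mul(k, pt):
    """Scalar multiplication. A negative k means repeated subtraction: k*P == (-k)*(-P)."""
    if k < 0:
        k, pt = -k, ec_neg(pt)
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def point_order(pt):
    """Smallest n > 0 with n*pt == INF (brute force; fine for a 13-element field)."""
    n, acc = 1, pt
    while acc is not INF:
        acc = ec_add(acc, pt)
        n += 1
    return n

# Toy generators (assumed). In Monero H is derived by hashing G so log_G(H) is unknown;
# here every log is trivially known, which is why this only illustrates the arithmetic.
G = (7, 5)
H = (11, 8)
assert on_curve(G) and on_curve(H)

def commit(x, a):
    """Pedersen commitment C = xG + aH; x is the blinding factor, a the amount."""
    return ec_add(ec_mul(x, G), ec_mul(a, H))

def balances(in_commits, out_commits):
    """Verifier-side check on commitments only: sum(C_in) - sum(C_out) == identity.
    The verifier never sees x or a, so it cannot tell whether an amount was negative."""
    total = INF
    for c in in_commits:
        total = ec_add(total, c)
    for c in out_commits:
        total = ec_add(total, ec_neg(c))
    return total is INF

def amounts_in_range(amounts, bits):
    """The statement a range proof must establish (here on opened values): 0 <= a < 2**bits."""
    return all(0 <= a < 2 ** bits for a in amounts)

if __name__ == "__main__":
    print("group order:", point_order(H))                           # 7
    print("commit(5,-3) == commit(5,4):", commit(5, -3) == commit(5, 4))   # True
    ins = [commit(3, 3)]                          # one input worth 3
    honest = [commit(1, 1), commit(2, 2)]         # 1 + 2 = 3
    dishonest = [commit(1, 5), commit(2, -2)]     # 5 + (-2) = 3, yet 5 > 3 is paid out
    print(balances(ins, honest), balances(ins, dishonest))          # True True
    print(amounts_in_range([1, 2], 2), amounts_in_range([5, -2], 2))  # True False
```

The blinding factors are chosen so they sum to zero across inputs and outputs (Monero handles this with a pseudo-output rather than requiring it directly), which keeps the balance check a pure identity test. The dishonest output set passes that check because -2 and 5 are both valid scalars mod 7, so the only thing standing between this and inflation is a proof that each committed amount lies in [0, 2^bits), given without opening the commitment.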