So I think I understand the Pedersen commitment math on the curve to hide amounts, but I'm struggling to understand how ring signatures obfuscate your transaction even further.
If only one set of the inputs in a ring can be proven to equal the outputs (zero Pedersen commitment), don't you know exactly which inputs were used? I'm assuming I'm just missing some more math and I don't want to read an entire book today and hope to figure it out (I'm not good at math). My apologies if this is a stupid question.
Also, if a key image can't be directly linked to the TXO because it's a one-way function of the one-time destination keys, how does the network know that the key image included in a transaction is legitimate?
One more thing, with the Pedersen commitment:
c=r*G+a*H
Where a is the actual amount, r is a random number that you generate, G and H are known points on the curve. If someone ever finds a single combination of as and rs that result in the same c, can they now just print monero by using the smaller a as an input but the larger amount as an output? I understand that's very computationally unlikely to be found, but if only one is ever found the whole chain is screwed, right?
Sorry if these are stupid questions or if they should be asked elsewhere. I love the idea of Monero and I'm just trying to wrap my head around how it works. I think asking someone here who knows to explain it would do me more good than trying to learn from the whitepaper or a book.
