7

In passive mixing, the monero wallet finds n other parties and forms a ring signature that proves the signer is one of the parties in the ring, and hence entitled to spend from one of the accounts associated with one of the ring parties.

I don't really understand how, say I am B, if I've mixed my coins into a ring with party A, without them knowing, what's stopping me spending money in A's account, as authorised by the ring signature?

If I only sign to the effect of 'I am one of A or B and so move money from either address_A or address_B', then I could correctly prove that 'I am one of A or B' (because I hold B and b), and move funds from address_A?

What exactly is happening here -- does the transaction come with an EdDSA signature saying that the signer is authorised to spend money from a given address? And if so, how is this blinded so that it won't deanonymise the signer?

For example, if I produce the EdDSA signature then it will be trivial for an eavesdropper to take A and B and see which one the signature verifies against, hence removing the anonymity gained by the ring signature in the first place?

seek adventure
  • 2,239
  • 14
  • 52
bekah
  • 455
  • 2
  • 7

1 Answer

7

Section 4.4 of CN white-paper describes this. With the ring signature, all the keys used are equivalent, so you can't say which one is the actual signer. The signature can be checked against any of the public keys used in the ring. Let's define our one-time keys as

P = xG

Where P is the public key, x the private key, and G the EC basepoint.

If we let the same key produce two signatures, we would allow for a double-spend. That's where key images come in. The key used must also produce a key image with the signature. The trick is, the key image is a function of only the one-time key, so it will be the same regardless of other parameters of the transaction.

I = xHp(P)G

Note that knowing I, you can't recover the P used. The key image also forms part of the signing and all the key images ever used are stored on the blockchain. If anyone would attempt to re-use x, then the resulting key image would be the same, and the signature would be rejected by the network as it would already be found on the 'used' list.

Note that there are no 'accounts' or 'addresses' on the blockchain. There are only one-time keys and key images. An address is kind of a 'blueprint' which lets the sender produce a one-time key such that only the owner of the address is able to recognize it as belonging to them and recover the private one-time key.

JollyMort
  • 20,004
  • 3
  • 49
  • 105
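The scheme the answer describes (CryptoNote white-paper section 4.4: a ring signature whose challenge closes over every ring member, plus a key image I = x·Hp(P) derived from the one-time key alone), as an added Python example that is not part of the original post. It swaps the Ed25519 group for a toy multiplicative group mod 2^61 - 1 so it runs offline; the group parameters, the two hash functions and the message strings are assumptions for illustration only.

```python
import hashlib
import secrets

# Toy group standing in for Monero's Ed25519 subgroup: the multiplicative group
# mod the Mersenne prime 2^61 - 1, so "xG" is pow(G, x, P_MOD) and scalars live
# mod ORDER = p - 1. Illustration only, not a real curve (assumed parameters).
P_MOD = 2**61 - 1
ORDER = P_MOD - 1
G = 3

def h_scalar(*parts):
    """H(): hash the message and all L_i, R_i values to one challenge scalar."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER

def hp(pub):
    """Hp(): hash a public key to a group element with unknown discrete log."""
    return int.from_bytes(hashlib.sha256(b"Hp:%d" % pub).digest(), "big") % (P_MOD - 1) + 1

def keygen():
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P_MOD)             # (x, P = xG)

def key_image(x, pub):
    return pow(hp(pub), x, P_MOD)          # I = x * Hp(P): depends only on the key

def sign(msg, ring, s, x):
    """Ring member s (holding x) signs msg so any key in ring could have signed."""
    n, img = len(ring), key_image(x, ring[s])
    q = [secrets.randbelow(ORDER) for _ in range(n)]
    w = [secrets.randbelow(ORDER) for _ in range(n)]
    L, R = [], []
    for i, pub in enumerate(ring):
        w_i = 0 if i == s else w[i]        # the real signer commits with q_i alone
        L.append(pow(G, q[i], P_MOD) * pow(pub, w_i, P_MOD) % P_MOD)
        R.append(pow(hp(pub), q[i], P_MOD) * pow(img, w_i, P_MOD) % P_MOD)
    c = h_scalar(msg, *L, *R)
    cs = [0 if i == s else w[i] for i in range(n)]
    cs[s] = (c - sum(cs)) % ORDER          # closes the ring: sum(c_i) == c
    rs = [q[i] if i != s else (q[s] - cs[s] * x) % ORDER for i in range(n)]
    return img, cs, rs

def verify(msg, ring, sig, spent_images):
    """Accept only if the ring equation closes AND the key image is unseen."""
    img, cs, rs = sig
    if img in spent_images:
        return False                       # same one-time key spent twice
    L = [pow(G, r, P_MOD) * pow(pub, c, P_MOD) % P_MOD for pub, c, r in zip(ring, cs, rs)]
    R = [pow(hp(pub), r, P_MOD) * pow(img, c, P_MOD) % P_MOD for pub, c, r in zip(ring, cs, rs)]
    return sum(cs) % ORDER == h_scalar(msg, *L, *R)
```

The verifier treats every ring key identically, so it cannot tell which slot held the real signer; a second signature from the same x carries the same key image and is rejected, and signing in another member's slot with one's own key fails because that slot's L_i no longer closes the ring equation.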