File: _posts/2024-12-04-Monero.md (18 additions & 2 deletions)
@@ -367,17 +367,32 @@ $P_o = K_{dh} G + S_b$
367
367
368
368
$R = r G$
369
369
370
-
Instead of sending money to Bob's address as done in BTC, Alice sends the money to $P_o$ & also broadcasts $R$ to the network.
370
+
Instead of sending money to Bob's address as done in BTC, Alice sends the money to $P_o$ & publishes $R$ in cleartext as part of the transaction data.
371
+
371
372
In the above expression $G$ and $S_b$ are publicly known. But $K_{dh} = H_s(r V_b \space)$ has a term $r$ which is known only to Alice.
372
373
373
374
However, $V_b = v_b G$ & $R = r G$
374
375
375
376
$r V_b = r (v_b G) = v_b (r G) = v_b R$
376
377
377
-
Since $v_b$ is known to Bob (& no one else), Bob can compute $K_{dh} = H_s(v_b R)$ even without knowing $r$.
378
+
Since $v_b$ is known to Bob (and no one else), only Bob can compute $K_{dh} = H_s(v_b R)$ even without knowing $r$.
378
379
379
380
So above, Alice used Diffie-Hellman to share a secret $K_{dh}$ with Bob.
380
381
382
+
But most transactions have more than one output - either sender sends money to more than one receiver in the same transaction. If nothing else, she has to send change back to herself because the amount she wants to send to Bob will not match the exact amount of the input(s) she is spending. So, typically instead of just $K_{dh} = H_s(r V_b \space)$, we will have
383
+
384
+
$K^0_{dh} = H_s(r V^0_b \space)$
385
+
386
+
$K^1_{dh} = H_s(r V^1_b \space)$
387
+
388
+
where the superscript $0, 1, ...$ etc is the output index - if a transaction has multiple ouputs, then it's indexed as $0, 1, ...$ etc
389
+
390
+
$V^i_b$ is the View Output Key of the receiver of the $i$-th receiver & Alice will compute the corresponding one time Public Address as
391
+
392
+
$P^i_o = K^i_{dh} G + S^i_b$
393
+
394
+
where $S^i_b$ is the $i$-th receiver's spend Public Key
395
+
381
396
In BTC, everytime a new mined block appears, your wallet scans the block and finds transactions sent to your address. In Monero, your wallet uses the $R$ of each new transaction to compute $P_o$ from it (using Bob's View Private Key) & checks if the transaction is sent to $P_o$ to find transactions meant for him.
382
397
383
398
Only the View Private Key is required for viewing transactions coming to your wallet & the Spend Private Key isn't required.
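Review bot: the output index never enters the hash in the new multi-output derivation, so the formulas as written give $K^0_{dh} = K^1_{dh}$ whenever two outputs go to the same recipient (for example Alice's change plus a second output to herself, a case the new paragraph itself raises), and both outputs would then map to the same one-time address. The text says the superscript is the output index, so fold that index into the hash argument, along the lines of $K^i_{dh} = H_s(r V^i_b \| i)$, rather than only into the labels. Smaller points in the same block: the stray `\space` inside the math should go; "ouputs" is a typo; "View Output Key of the receiver of the $i$-th receiver" should read "View Public Key of the $i$-th receiver" to match the $V_b$ notation used earlier; "spend Public Key" versus "Spend Private Key" is inconsistent capitalisation. The reworded line "only Bob can compute $K_{dh}$" is also slightly off, since Alice computes the same value from $r$; "only Bob, besides Alice" is what is meant. Finally, the unchanged scanning paragraph still speaks of a single $P_o$ derived from the View Private Key alone, whereas the new text implies one $P^i_o$ per output and also needs $S^i_b$ to form it.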
@@ -400,6 +415,7 @@ When Bob wants to spend this output, he has to prove possession of $x_o$ - the v
400
415
401
416
In BTC, where money is sent to non-secret addresses, in Monero, it's sent to a one-time address to preserve privacy & anonymity.
402
417
418
+
403
419
#### Amount Commitments
404
420
405
421
In BTC, the amount is represented in the transaction entry as the actual value. In Monero, the transaction data has Pedersen commitments of the amounts instead. Since these commitments are Hiding, nobody else can figure out the amounts in any transaction.
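Review bot: the context sentence "In BTC, where money is sent to non-secret addresses, in Monero, it's sent to a one-time address" is a fragment with a dangling "where" clause; since this spot is being touched anyway, rewrite it as "In BTC, money is sent to non-secret addresses; in Monero, it's sent to a one-time address to preserve privacy and anonymity." The added blank line before the "#### Amount Commitments" heading itself is fine.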