Discussion of math, cryptography, protocol, and features

Hi!

Coming from the Bitcoin world I have quite a good understanding of how Bitcoin works in detail but I am new to CryptoNote (but very excited about its features). I really got fascinated by the 2 neat tricks for hiding the sender (by using ring signatures) and hiding the receiver (by using one-time public keys).

Currently I am trying to acquire some deeper understanding of the underlying principles and protocol. I think that I already understood the biggest part of the whitepaper (also dug around in the code) but there are still some open points which don't make sense to me (yet).

So I'd like to ask here some questions for my better understanding:

1)
As I understood each output within a tx has a destination public key. So do I understand correctly that this is the "one time public key", having each output its own "one time public key"?

2)
The one-time key is calculated in this way: "P = Hs(rA)G + B" with (A,B) being the receiver's public key-pair and "r" a randomly chosen number/priv-key. So doesn't this mean that if I have several outputs within a single transaction, which all go to the same receiver (same A|B), that all these outputs have the same one-time public key (assuming that I use the same "r" value for each output within a single tx, which I thought is the case as the public "R" value is only stored once per transaction, within the "extra[]" field of the "tx" struct and not separately for each output - or did I get something wrong here?)

So I was pretty sure that this is the case (several outputs within a single tx resulting in the same public one-time key). But then I looked into the web-based blockchain-explorer at minergate and when I look into a random tx like https://minergate.com/blockchain/mro/transaction/eaf7f96889f8fef4baf3564a668ebe02442f18af97df19ac36e149b46a96bf88 each output seems to have a different "key". And this seems to be the case for all transactions.

So what did I get wrong here?

3) Key images:
So, if the "key" per output is the one-time public destination key, where is the corresponding key-image stored? Or is the key-image only published when spending an output (i.e. in a transaction's input) and never appearing in the outputs?

4)
And last one for the moment: When looking at the web-based blockchain explorer again: https://minergate.com/blockchain/mro/transaction/eaf7f96889f8fef4baf3564a668ebe02442f18af97df19ac36e149b46a96bf88 I see that there is a "One-time public key" field at the transaction's data. Do I assume correctly that this is the public "R" value (calculated by r*G) or am I completely wrong here?

Thanks a lot for your help, I am excited to learn more about CryptoNote! John
mr_john

Posts: 5
Joined: Tue Sep 09, 2014 9:41 am

### Re: Questions about transaction details

Hi,
We greatly appreciate your taking interest in the CN technology. Now, to answer your questions properly we’ll go by the order in which you’ve put them.

1. You are correct; each output has its own one time public key.

2. Each one-time key is derived not only from "r", "A", and "B", but also from a sequence number of its output. More specifically, k = H(rA.n)*G + B, where "n" is a number and dot stands for concatenation. This approach guarantees that every key (and key image) is unique, even for one transaction.

3. The key-image is only published when spending an output and does not appear in the outputs.

4. You are correct; that is the public R value. The question mark icon on the website says "transaction one-time public key". In the article it’s called "transaction public key" and "one time" refers to destinations.

Please, let us know if the answers we have given helped you. Also feel free to contact us if you have any further questions.
Maurice.P

Posts: 63
Joined: Wed Mar 26, 2014 3:26 pm
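
The derivation in answer 2, worked through on both the sender and receiver side, as an added example that is not part of the original posts or the CryptoNote code base. Assumptions: a toy multiplicative group stands in for the ed25519 curve, SHA-512 over a Python `repr` stands in for the real hash and encoding, and all function names are hypothetical.

```python
import hashlib, secrets

# Assumption: toy group = order-Q subgroup of Z_MOD* (MOD is the RFC 2409 Oakley
# Group 1 safe prime), written multiplicatively, so x*G on the page is G**x here.
MOD = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
          "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
          "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q, G = (MOD - 1) // 2, 4

def Hs(*parts):                               # hash to scalar
    return int.from_bytes(hashlib.sha512(repr(parts).encode()).digest(), "big") % Q

def output_keys(r, A, B, count, use_index=True):
    """Sender: one destination key per output from a single per-transaction r."""
    shared = pow(A, r, MOD)                   # rA in the whitepaper's notation
    # use_index=False models the reading in question 2 (no output index in the hash)
    return [pow(G, Hs(shared, n if use_index else 0), MOD) * B % MOD
            for n in range(count)]

def scan(tx_pub, outputs, a, b):
    """Receiver: map output index -> one-time private key for outputs we own."""
    shared = pow(tx_pub, a, MOD)              # aR equals rA
    owned = {}
    for n, key in enumerate(outputs):
        x = (Hs(shared, n) + b) % Q           # x = Hs(aR.n) + b
        if pow(G, x, MOD) == key:
            owned[n] = x
    return owned

def demo():
    # Constructed sample keys: receiver (a, b), sender's transaction secret r
    a, b, r = (secrets.randbelow(Q - 1) + 1 for _ in range(3))
    A, B, R = pow(G, a, MOD), pow(G, b, MOD), pow(G, r, MOD)
    indexed = output_keys(r, A, B, 3)
    naive = output_keys(r, A, B, 3, use_index=False)
    stranger = scan(R, indexed, a + 1, b)     # someone else's view key finds nothing
    return len(set(indexed)), len(set(naive)), sorted(scan(R, indexed, a, b)), stranger
```

With the index in the hash, three outputs to the same address yield three distinct keys from one published R; without it they collapse to a single key.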

### Re: Questions about transaction details

Thank you very much for your fast response. This is highly appreciated!

Yes, your answers clarified a lot for me. I already guessed that the answers for 1) 3) and 4) will be like you explained but I really missed the piece of information for answer 2) (the fact that the output index also is involved in key derivation). Thanks a lot for the hint!

I have one follow-up question regarding the key-image (please excuse me if it's a stupid question, maybe this is clear if one understands better how ring signatures work in detail):

I understand that the key-image provides a way to prevent double spending of outputs while still providing the anonymity of the sender so that nobody knows which of the outputs is the "real" one (which I find is an excellent trick!)

What I do not understand is how it is assured that the key image is calculated correctly. What I mean: According to the whitepaper the key image I is calculated as I = xHp(P) with x and P being the private/public key of the output to be spent.

Also every client keeps a list of all spent key-images and if one image is used twice everybody knows that this must be a double-spend and discards the transaction.

But what prevents me from just using some random data as "key image" in my transaction? As both the private and public key of the output are needed to calculate it, only I can calculate the "correct" key image.

So how do the other participants in the network know if I inserted the correct key image into my transaction?

I guess I missed some basic point here, did I?

Thanks a lot!
john
mr_john

Posts: 5
Joined: Tue Sep 09, 2014 9:41 am

### Re: Questions about transaction details

To answer your question, key images are used in the formulas for creation and verification of signatures. Using some random data as "key image" in your transaction will wreck the signature. In fact, forging a key image that has a valid signature is an extremely hard task.
To expand on the issue, the key image and H(P) have the same relation as the public key and the base point. The key image equals x * H(P), whereas the public key equals x * G (where x is a private key and G is a base point). The ring signature exploits the fact that both have the same relation. If that relation is somehow broken, the signature verification formula will be invalid.
For further info, please read the last part of paragraph 4.4: https://cryptonote.org/whitepaper.pdf
Maurice.P

Posts: 63
Joined: Wed Mar 26, 2014 3:26 pm
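
How the signature ties the key image to the private key, following the sign and verify equations of whitepaper section 4.4, as an added example that is not part of the original posts or the CryptoNote code base. Assumptions: a toy multiplicative group stands in for the ed25519 curve, SHA-512 over a Python `repr` stands in for the real hashes, and all function names are hypothetical.

```python
import hashlib, secrets

# Assumption: toy group = order-Q subgroup of Z_MOD* (MOD is the RFC 2409 Oakley
# Group 1 safe prime), written multiplicatively, so x*G on the page is G**x here.
MOD = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
          "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
          "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q, G = (MOD - 1) // 2, 4

def Hs(*parts):                       # hash to scalar
    return int.from_bytes(hashlib.sha512(repr(parts).encode()).digest(), "big") % Q

def Hp(pub):                          # hash to a group element of unknown discrete log
    return pow(Hs("Hp", pub), 2, MOD)

def key_image(x):                     # I = x*Hp(P), P = x*G in the whitepaper's notation
    return pow(Hp(pow(G, x, MOD)), x, MOD)

def ring_sign(msg, ring, s, x, image=None):
    I = key_image(x) if image is None else image
    n = len(ring)
    q = [secrets.randbelow(Q) for _ in range(n)]
    w = [0 if i == s else secrets.randbelow(Q) for i in range(n)]
    L = [pow(G, q[i], MOD) * pow(ring[i], w[i], MOD) % MOD for i in range(n)]
    R = [pow(Hp(ring[i]), q[i], MOD) * pow(I, w[i], MOD) % MOD for i in range(n)]
    c, r = list(w), list(q)
    c[s] = (Hs(msg, L, R) - sum(w)) % Q       # challenges must sum to the hash
    r[s] = (q[s] - c[s] * x) % Q              # needs x for both L[s] and R[s]
    return I, c, r

def ring_verify(msg, ring, sig):
    I, c, r = sig
    L = [pow(G, r[i], MOD) * pow(pk, c[i], MOD) % MOD for i, pk in enumerate(ring)]
    R = [pow(Hp(pk), r[i], MOD) * pow(I, c[i], MOD) % MOD for i, pk in enumerate(ring)]
    return sum(c) % Q == Hs(msg, L, R)

def demo():
    keys = [secrets.randbelow(Q - 1) + 1 for _ in range(4)]   # constructed sample keys
    ring = [pow(G, k, MOD) for k in keys]
    good = ring_sign("tx A", ring, 2, keys[2])
    fake = ring_sign("tx A", ring, 2, keys[2], image=Hp("random data"))
    again = ring_sign("tx B", ring, 2, keys[2])
    return (ring_verify("tx A", ring, good), ring_verify("tx A", ring, fake),
            good[0] == again[0])
```

The single response `r[s]` has to satisfy the G equation and the Hp equation at once, which only works when the image has the same exponent x as the public key; a second spend of the same output necessarily repeats the image, which is what nodes check against their spent list.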

### Re: Questions about transaction details

Thank you very much for this response!
This makes it somehow clearer for me. I will try to learn more about how ring signatures work.

Thanks!
mr_john

Posts: 5
Joined: Tue Sep 09, 2014 9:41 am 