Duplicate one-time output key possible?

Post by mr_john » Thu Sep 25, 2014 4:26 pm

Hi!

I have another question for my understanding:

First I try to repeat what I already understood:

When Alice sends a transaction to Bob, she calculates a one-time destination key P by using the public key-pair (A,B) of Bob, a randomly chosen integer value r and the index n of the output within the created transaction:

P = Hs( rA.n ) * G + B

Bob can then later recover the corresponding private key p by using his private key-pair and the public R (public key of r), which is publicly included in the transaction:

p = Hs( aR.n ) + b

So far, so good.

I also learned that when spending an output, an image is derived from the private key of the spent output using a one-way function, so that it does not reveal the key which was used, but it will be obvious if the same key was used again (because it would result in the same key image):

Key image I = p * Hp( P )

(with Hp being a one-way hash function which maps one point on the elliptic curve deterministically to another point on the curve).


Ok, so far so good.

Here comes my question:

But, what happens if I send 2 transactions to Bob and use both times deliberately the same value r as my random number for generating the one-time destination keys?

This obviously will generate both times the same destination keys (like in the 1st tx) for the outputs in the 2nd transaction. So if Bob later on wants to spend the money I sent him, he could only spend the first transaction, because in the second transaction the same key image would have to be used and this wouldn't be allowed by the protocol.

Is this correct, or did I miss something?

So can I really deliberately send money in this way to Bob, so that he never can spend it? (Of course this is not rational, but would it be possible in principle)?


Thanks for all your insight! :-)

Kind regards,
john :-)
mr_john
 
Posts: 5
Joined: Tue Sep 09, 2014 9:41 am

Re: Duplicate one-time output key possible?

Post by Werner_Albert » Mon Sep 29, 2014 12:47 pm

Yes, you are correct. By using the same value R twice you will generate two identical key images. The example you have given is correct as well, because in the second transaction the same key image would have to be used, and this wouldn't be allowed by the protocol.
Werner_Albert
 
Posts: 56
Joined: Wed Mar 26, 2014 3:23 pm

Re: Duplicate one-time output key possible?

Post by mr_john » Mon Sep 29, 2014 1:19 pm

Thank you for the clarification.

But I did not understand exactly, what wouldn't be allowed by the protocol:

(1) the creation of two transactions with the same "R" value and the same receiver (and therefore the same output destination keys)

(2) creation of a later followup transaction which tries to spend the outputs created in step (1) (as this would lead to duplicated key images)?
mr_john
 
Posts: 5
Joined: Tue Sep 09, 2014 9:41 am

Re: Duplicate one-time output key possible?

Post by Werner_Albert » Tue Sep 30, 2014 9:03 am

(1) the creation of two transactions with the same "R" value and the same receiver is supported by the protocol, however the code prohibiting this action is available and fairly simple.
(2) creation of a followup transaction in order to spend the outputs created in step (1) is not supported by the protocol.
Werner_Albert
 
Posts: 56
Joined: Wed Mar 26, 2014 3:23 pm
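
Added example, not part of the thread and not the project's own code: the formulas from the first post carried through in a toy group, followed by the kind of duplicate-output-key scan a node or wallet could run. Assumptions: integers modulo the Mersenne prime 2^127 - 1 stand in for the elliptic curve, SHA-256 stands in for Hs and Hp, and all keys, names and transaction ids are constructed.

```python
import hashlib
# Toy group standing in for the elliptic curve (assumption, not secure):
# integers mod the Mersenne prime 2^127 - 1. Point addition becomes modular
# multiplication; scalar multiplication x*G becomes pow(G, x, MOD).
MOD = 2**127 - 1
ORDER = MOD - 1  # exponents (scalars) are reduced mod this
G = 3

def _h(tag, *parts):
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def Hs(shared, n):   # hash to scalar, input "shared.n"
    return _h("Hs", shared, n) % ORDER

def Hp(point):       # hash to a non-zero group element
    return 1 + _h("Hp", point) % ORDER

def pub(x):
    return pow(G, x, MOD)

def one_time_key(r, A, B, n):
    """Sender side: P = Hs(rA.n)*G + B. Returns (P, R)."""
    return pub(Hs(pow(A, r, MOD), n)) * B % MOD, pub(r)

def recover_private(a, b, R, n):
    """Receiver side: p = Hs(aR.n) + b."""
    return (Hs(pow(R, a, MOD), n) + b) % ORDER

def key_image(p, P):
    """I = p * Hp(P)."""
    return pow(Hp(P), p, MOD)

def find_duplicate_outputs(txs):
    """Return (tx_id, n) for every output key P already seen in an earlier output."""
    seen, dups = set(), []
    for tx_id, outputs in txs:
        for n, P in enumerate(outputs):
            if P in seen:
                dups.append((tx_id, n))
            seen.add(P)
    return dups

def demo():
    a, b = 1234567, 7654321  # Bob's private key pair (constructed)
    # tx1 and tx2 reuse r; tx3 uses a fresh r.
    outs = [one_time_key(r, pub(a), pub(b), 0) for r in (424242, 424242, 424243)]
    keys = [P for P, _ in outs]
    images = [key_image(recover_private(a, b, R, 0), P) for P, R in outs]
    dups = find_duplicate_outputs([(f"tx{i+1}", [P]) for i, P in enumerate(keys)])
    return keys, images, dups
```

`demo()` returns identical P and identical key images for tx1 and tx2, distinct ones for tx3, and the scan flags output 0 of tx2 as the duplicate.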

