My understanding of the paper is that the blinding factor would be
included in the extra data which is incorporated into the ring
signatures used in the range proof.
Although, since I think the range proof is optional for single output
transactions (or at least, one output per transaction doesn't require a
range proof since there's only one possible value that it can be to make
the whole thing work, and that value must be in range, I'm not entirely
sure how you'd transmit it then, though in any case, since using it will
pretty much require segwit, adding extraneous data isn't much of a
problem. In both cases, I imagine the blinding factor would be
protected from outside examination via some form of shared secret
generation... Although that would require the sender to know the
recipient's unhashed public key; I don't know of any shared secret
schemes that will work on hashed keys.
Jeremy Papp
On 2/9/2016 7:12 AM, Henning Kopp via bitcoin-dev wrote:
Hi all,
I am trying to fully grasp confidential transactions.
When a sender creates a confidential transaction and picks the blinding
values correctly, anyone can check that the transaction is valid. It
remains publically verifiable.
But how can the receiver of the transaction check which amount was
sent to him?
I think he needs to learn the blinding factor to reveal the commit
somehow off-chain. Am I correct with this assumption?
If yes, how does this work?
All the best
Henning
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
