3

Given two inputs of value: 10, 11

And two outputs of value 31, -10

The Pedersen commitment would look like:

Let b + c - d - e = k

(10G + bH + 11G + cH) - (31G + dH + -10G + eH) = 0G +  kH

Without range proofs, this Pedersen commitment would look valid. How would a bad actor, then use this in another transaction to create money out of thin air?

What I thought was that he would then do:

Input = -10

Output = 10

But I am not so sure, it is this simple. Could I get some clarification on the amount that would be created out of thin air also, as I read somewhere that the amount created would be 11 in this case.

jtgrassie
  • 19,601
  • 4
  • 17
  • 54
WeCanBeFriends
  • 670
  • 3
  • 7

1 Answers1

5

A good description of this is found in Greg Maxwell's paper on CT:

 (1 + 1) - (-5 + 7) == 0

This would be interpreted as "someone spends two bitcoins, gets a '-5'
bitcoin out that they discard out, and a 7 bitcoin output".

If we substitute your example values:

(10 + 11) - (31 + -10) == 0

The commitment is to zero and the -10 output is simply discarded (it's just one of the two outputs and can be ignored), so you are left with one output of 31. That is, a spend of 21 to get an output of 31 (10 created from thin air).

Hence why range proofs are needed - to prove that each committed value is within a range (positive).

jtgrassie
  • 19,601
  • 4
  • 17
  • 54