7

As far as I understand, Monero currently uses range proofs (soon to be Bulletproofs) to prove that when an amount of Monero is sent, that amount is between 0 and some large number. This is to protect against negative amounts being sent.

My question is: can Monero range proofs, or Bulletproofs for that matter, prove that a public key owns a certain amount of Monero? For example, can I create a construction with which a third party can verify that I have, say, between 50 and 100 XMR?

As far as my research goes, the only way to prove balance in accounts is to provide view keys and a set of signed key images to a third party. Is this still the only way to do this?

Looking forward to any input. Thanks.

KamLazar
  • 127
  • 5

1 Answer

5

Technically, I think it's possible to use the range proof scheme (whether using Borromean or Bulletproofs) to prove that the amount committed by a given Pedersen Commitment falls within a certain range. A Pedersen Commitment C committing to an amount a using a mask (aka. blinding factor) x is represented as

C = x*G + a*H

where G and H are protocol-defined independent base points. The range proof scheme proves that the committed amount in C falls between 0 and 2^64-1. To prove that the committed amount falls within a specific range, say 50 to 100 XMR, we could define two more commitments

C1 = C - 50*H
C2 = 100*H - C

and generate a new range proof for each of C1 and C2.

This approach could be generalized to involve multiple outputs and prove that the sum of the committed amounts falls within a specified range. For auditing purposes, however, I think it's more useful to prove "I hold at least this amount in my wallet" rather than proving "My holding falls within this range". Such a proof scheme, called "reserve proof", is currently being developed (https://github.com/monero-project/monero/pull/3027).

See also: Using Monero as proof of funds

stoffu
  • 704
  • 3
  • 8
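
The shifted-commitment algebra from the answer above, as an added example (not code from the answer or from Monero). It works on the Ed25519 group with a toy H whose discrete log is known, uses hypothetical helper names, and does not build the range proofs themselves; it only shows which (mask, amount) pairs the prover would have to range-prove and why an out-of-range balance cannot fit in [0, 2^64).

```python
import hashlib

# Ed25519 group arithmetic (affine, unoptimised), enough to form commitments.
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # prime group order
d = -121665 * pow(121666, -1, p) % p

def recover_x(y):
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    return x if x % 2 == 0 else p - x

def add(P, Q):
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p)

def neg(P):
    return (-P[0] % p, P[1])

def mul(k, P):
    R, k = (0, 1), k % L
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

Gy = 4 * pow(5, -1, p) % p
G = (recover_x(Gy), Gy)
# Toy second base point: NOT Monero's H. Its discrete log is known here, so
# these commitments are not binding; only the algebra is being demonstrated.
H = mul(int.from_bytes(hashlib.sha512(b"toy H").digest(), "little"), G)

def commit(x, a):
    return add(mul(x, G), mul(a, H))          # C = x*G + a*H

def shifted(C, lo, hi):
    """What the verifier derives from C alone: (C - lo*H, hi*H - C)."""
    return add(C, neg(mul(lo, H))), add(mul(hi, H), neg(C))

def openings(x, a, lo, hi):
    """(mask, amount) pairs the prover must range-prove for C1 and C2."""
    return (x % L, (a - lo) % L), (-x % L, (hi - a) % L)

def provable(x, a, lo, hi):
    """True iff both shifted amounts fit in the range proof's [0, 2^64)."""
    return all(v < 2**64 for _, v in openings(x, a, lo, hi))
```

With a committed amount below 50 or above 100, one of the shifted amounts wraps around the group order to a value near 2^252, so no valid range proof exists for that commitment.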