Score:1

How is a keyImage linked to a ring signature?

cn flag

I'm trying to understand the concept of ring signatures. So as it seems there is a way where you have a group of public keys which can be signed by only one private key of that group without revealing which private key was actually used. On the other hand you have a keyImage to prevent a double spend, so that the observer can be sure that this specific private key was not used yet.

What I don't get is how this keyImage is produced and verified.It is somehow derived from the private key and hashed in a way that it can't be reverse engineered. But how do I know that a private key was in fact used for the keyImage? I mean I could just use a random keyImage to have its uniqueness.

So it must be linked somehow to the signature so that one can be sure it is really derived and hashed from the private key.Of course without revealing which private key of the group was used. So how is this linked together?

baro77 avatar
gd flag
this question seems more suitable for monero.stackexchange.com imho ...and the "hash-signature" tag seems wrong
fgrieu avatar
ng flag
"keyImage" is not a standard cryptographic term. Thus the question should be stated with a reference to what "keyImage" means from a cryptographic standpoint. If the question is specific to Monero, I can migrate it there (they have at least one [related question](https://monero.stackexchange.com/q/2883)). However if the question's focus is on ring signature and whatever "keyImage" is (rather than on Monero specifics) it can be kept here, if clarified.
baro77 avatar
gd flag
I totally agree @fgrieu. I have assumed the OP was thinking to cryptocurrency related stuff because of citing "double spend" in the question. Anyway better to give him opportunity to unambiguously clarify
user3776738 avatar
cn flag
Ah ok, it is not exactly Monero specific as I'm asking for Shadowcash or more precisely a fork of it. I don't know if the original Monero Ring signature differs from the Shadowcash one not to mention their now using RingCT but I guess the principle might be the same. So yes you (@fgrieu) can move it to Monero if you believe that their community has a better answer. Thanks so far.
fgrieu avatar
ng flag
[Here](https://monerodocs.org/cryptography/asymmetric/key-image/) is an attempt to define Monero's key image cryptographically. I'm defering migration, because clearly there is an ECC crypto side to the question, and perhaps it will get a better answer here. I still think the question should be improved by adding links to defintions of the terms used.
baro77 avatar
gd flag
@user3776738 got it! So, just a comment because I don't know the Shadowcash implementation: in Monero your doubt "But how do I know that a private key was in fact used for the keyImage?" is solved with a structure by which ring verification succeed only if the keyImage is built from privkey.... I wouldn't know how to describe it by words, but perhaps this could be useful to you: https://www.getmonero.org/library/RingsCheatsheet20210301.pdf (disclaimer: I'm the author of the cheatsheet) PS RingCT doesn't matter
user3776738 avatar
cn flag
@fgrieu: "The key image I is a one-way function of the private key x ." My thoughts go this: So somehow I must verify this key image otherwise it could be random.But it is a one way hash function.To reproduce a one-way hash function I need all the information used for creating it. When I have access to all that information I know the private key. But I should not know the private key. That's were I'm stuck.
user3776738 avatar
cn flag
@baro77 I will try to understand that, but it looks like Chinese to me.
fgrieu avatar
ng flag
@baro77 : what about writing an answer starting from your comment?
baro77 avatar
gd flag
@fgrieu ok, I'm going to try... just let me take some time, 'cause these are busy days of mines and the topic is a bit awkward to be summarized
Score:2
gd flag

Hoping to satisfy @fgrieu invite in comments, I try an answer coming from Monero's implementation. The source of these words is the cheatsheet I have written https://getmonero.org/library/RingsCheatsheet20210301.pdf while studying https://www.getmonero.org/library/Zero-to-Monero-2-0-0.pdf

I think the right thing is to start from non-interactive (in the Fiat-Shamir flavour) Schnorr signature for keys over elliptic curve. Let's quickly recap it.

Let's say $(x,X)$ is the private/public keys pair, where $X\triangleq xG$ with $G$ the generator point of the EC; $tx$ is the transaction/text/whichever stuff we need to sign; Signing $tx$ with $x$ means being able to generate a pair $(c,r)$ such that:

$H(tx, rG + cX)=c$

where $H$ is an hash (no matter here which one) and $c$ and $r$ are called "challenge" and "response", with the terms coming from the interactive schema. $c$ is obtained from a secret random unique $\alpha$ known only by the signer and never reused in two signatures, and the foregoing equality is equivalent to:

$rG + cX = \alpha G$

(btw, by substituting you get how $c$ is defined ;) )

So, looking at it from a bird view, we can say that verification of $tx$ signature by $x$ is a function of the signed stuff, the public key, the challenge and the response:

$f(tx, X, r, c)$

Ring signatures are about finding flavours of this schema with decoys, while still retaining just only one ACTUAL signer (from a technical point of view: needing many $X_i$ -let's say $n$- in verifying algo but single $x$ in signing algo); and all without coordination between involved key owners.

There are a challenge and a response for each $X_i$, so we have $c_i$ and $r_i$, however things are arranged so that from $c_i$ we can calculate $c_{i+1}$, with "overflow" when $i=n$ (here it is the "ring"), so:

$H(tx, r_{i}G + c_{i}X_{i})=c_{i+1}$ with $1 \le i \le n-1$

$H(tx, r_{n}G + c_{n}X_{n})=c_1$ with $i=n$

given we can regress from $c_n$ to $c_1$ the above conditions lead to the signature verification function:

$f(tx, X_i, r_i, c_1)$

But where does the "magic" come from? How is the arrangement made to have $c_i$ forming a closed chain in which given one challenge value you can calculate all the others (note we have chosen $c_1$ as special one, but that's really nothing special about it)? Well, thanks to these facts:

  1. if we indicate as $c_\pi$ the challenge associated to the ACTUAL signer, $c_{\pi+1}$ is calculated from a random secret $\alpha$ known only to the ACTUAL signer (does it recall anything? ;) );
  2. all other $c_i$ are calculated with the above chain formula;
  3. all $r_i$ are just random numbers, except $r_\pi$ wich is chosen so to let $c_{\pi+1}$ to respect the chain formula as well (even if it comes from $\alpha$)

And now eventually the Key Image $X^*$! A part from being advertised in the transaction to prevent double spending, it is also part of $c_i$ calculus, and again the $\alpha$/chain formula trick is used: and it holds only if Key Image $X^*$ is obtained in a very specific way, function of the private and public keys of ACTUAL signer.

That's why you cannot just choose a random still-unused one!

I understand this is only the main line of the reasoning, missing many details, but I hope you can find them in the cheatsheet with the help of these companion words (I guess for your needs you can care only about "Non-interactive (Fiat-Shamir) Schnorr", "SAG" and "bLSAG")

user3776738 avatar
cn flag
I accepted your answer, because it looks very detailed and I might understand it someday. Despite I'm not really understanding it to be honest. I will need to read through it a dozen times and do some research about the mathematical knowledge I'm lacking of. Maybe I will ask a new question based on your answer someday, if I don't get it. Thanks so far.
baro77 avatar
gd flag
if you are looking a more gradual introduction to the topic you can read chap 2 of https://www.getmonero.org/library/Zero-to-Monero-2-0-0.pdf (it's far from being complete as cryptography reference books, but I guess it's enough as background for your problem); chapter 3 is interesting as well but imho it's easy to get lost inside it. So the recipe could be: read chapter 2 as far as you need; then study the left column, the SAG and bLSAG rings and their notes on the right column of my cheatsheet, using my words here in SE as a tour guide. Wish you a good work!
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.