Topic: rpietila Wall Observer - the Quality TA Thread ;) - page 102. (Read 907212 times)

legendary
Activity: 1414
Merit: 1000
I have: myPublic,myPrivate
You have yourPublic,yourPrivate

I can ring-sign your input, if I know your public key.

I fear we are going around in circles now.

But one more time. You can't sign a valid transaction spending my output using my public key. It would require my private key. You can sign a valid transaction spending your transaction with your private key. All you can do with my public key is add it to your signature spending your output, obscuring the fact of which output was spent. This is just obscuring your spend with my public key, not spending my output.

In both cases, a foreign public key can be added but you can't construct a valid transaction without the private key.

>  You can't sign a valid transaction spending my output using my public key.
Maybe I can't and there is something.

But I'm sure I can create valid ring-signature using MyPublic, YourPublic and MyPrivate keys. Even I can produce fake "key image" because no one can verify it.

I'm asking why I can't?
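
The question in the post above (does a foreign public key or a made-up key image let you spend someone else's output?) can be checked against a small model. This is an added example, not part of the thread and not Monero's code: it follows the structure of the SIG step of the CN whitepaper referenced in the thread, run over a toy 32-bit multiplicative group instead of the real elliptic curve, and every function name in it is an illustrative assumption.

```python
import hashlib
import secrets
from math import isqrt

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

# Toy group (assumption, NOT secure): largest safe prime P = 2Q + 1 below 2**32.
# The squares mod P form a subgroup of prime order Q, and G = 4 generates it.
Q = next(q for q in range(2**31 - 1, 2, -2) if is_prime(q) and is_prime(2 * q + 1))
P, G = 2 * Q + 1, 4

def digest_int(*parts):
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def hs(*parts):
    """Hash to a scalar mod Q."""
    return digest_int("Hs", *parts) % Q

def hp(pub):
    """Hash a public key to a non-identity element of the order-Q subgroup."""
    return pow(2 + digest_int("Hp", pub) % (P - 3), 2, P)

def keygen():
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def key_image(x, pub):
    """I = Hp(P)^x: computable only with the private key x of that output."""
    return pow(hp(pub), x, P)

def commitments(ring, image, c, r):
    L = [pow(G, ri, P) * pow(pub, ci, P) % P for pub, ci, ri in zip(ring, c, r)]
    R = [pow(hp(pub), ri, P) * pow(image, ci, P) % P
         for pub, ci, ri in zip(ring, c, r)]
    return L, R

def sign(msg, ring, s, x):
    """Ring-sign msg; ring[s] is the signer's own public key, x its private key."""
    image = key_image(x, ring[s])
    c = [secrets.randbelow(Q) for _ in ring]   # random challenges for the decoys
    r = [secrets.randbelow(Q) for _ in ring]   # random nonces / responses
    c[s] = 0                                   # signer's slot commits to G^q, Hp^q
    L, R = commitments(ring, image, c, r)
    c[s] = (hs(msg, L, R) - sum(c)) % Q        # close the ring
    r[s] = (r[s] - c[s] * x) % Q               # this step needs the private key
    return image, c, r

def verify(msg, ring, sig):
    image, c, r = sig
    if not (len(c) == len(r) == len(ring)):
        return False
    # Key image must be a canonical, non-identity element of the order-Q subgroup,
    # otherwise image + P would pass as a "new" image for the same key.
    if not 1 < image < P or pow(image, Q, P) != 1:
        return False
    L, R = commitments(ring, image, c, r)
    return sum(c) % Q == hs(msg, L, R)

def spend(ledger, msg, ring, sig):
    """Accept a spend only if the signature verifies and its key image is unused."""
    if not verify(msg, ring, sig) or sig[0] in ledger:
        return False
    ledger.add(sig[0])
    return True
```

In this model a signer who puts another party's public key in the ring still produces their own key image, so only their own output is marked spent; a substituted key image changes the recomputed commitments and the signature no longer verifies.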
legendary
Activity: 2968
Merit: 1198
I have: myPublic,myPrivate
You have yourPublic,yourPrivate

I can ring-sign your input, if I know your public key.

I fear we are going around in circles now.

But one more time. You can't sign a valid transaction spending my output using my public key. It would require my private key. You can sign a valid transaction spending your transaction with your private key. All you can do with my public key is add it to your signature spending your output, obscuring the fact of which output was spent. This is just obscuring your spend with my public key, not spending my output.

In both cases, a foreign public key can be added but you can't construct a valid transaction without the private key.

legendary
Activity: 1414
Merit: 1000
So I'll send 2 transaction, is this possible ?
input ( a1=5 XMR, a2=5XMR )  output( g1=2 XMR, a3= 8 XMR )   -> ring-sign with a1

Let's do one at a time. This one needs to be signed using both inputs. so

input ( a1=5 XMR, a2=5XMR )  output( g1=2 XMR, a3= 8 XMR )   -> ring-sign with a1 + ring-sign with a2

You can't spend a2 without a valid signature (ring or otherwise)

OK np,  I have both private keys, so I'll sign (ring or otherwise).  What will be content ? (what I'm signing)

Now you are getting into an area the details of which I'm still working to fully understand in the code. But you are signing at least some portion of the transaction you create to spend the outputs, if not all of it.

But if I'm able to ring-sign input then I can use my old public key (I know private key) sign your input (I do not have private key only public) :-)

No, you can't sign with a public key by itself. You can only add one or more public keys to an otherwise valid signature, but there has to be a private key already present to make the signature valid. You can't sign my output without my private key. I can do it and add your public key, but without my private key, you can't.

This is the SIG step on page 9 of the CN whitepaper if you want to read it. You need a valid key pair (public and private) for the output, plus a set (possibly empty) of other public keys.


I have: myPublic,myPrivate
You have yourPublic,yourPrivate

I can ring-sign your input, if I know your public key.
Quote
It guarantees that someone in the group has the private key that enabled him to sign a transaction spending the output. This allows an observer to verify that the output has been spent by the authorized party (someone with the private key) but does not allow the observer to determine which of the group is the authorized party.

I'll simply add your PUBLIC and use my private ... no one know (except me :-) )
legendary
Activity: 2968
Merit: 1198
So I'll send 2 transaction, is this possible ?
input ( a1=5 XMR, a2=5XMR )  output( g1=2 XMR, a3= 8 XMR )   -> ring-sign with a1

Let's do one at a time. This one needs to be signed using both inputs. so

input ( a1=5 XMR, a2=5XMR )  output( g1=2 XMR, a3= 8 XMR )   -> ring-sign with a1 + ring-sign with a2

You can't spend a2 without a valid signature (ring or otherwise)

OK np,  I have both private keys, so I'll sign (ring or otherwise).  What will be content ? (what I'm signing)

Now you are getting into an area the details of which I'm still working to fully understand in the code. But you are signing at least some portion of the transaction you create to spend the outputs, if not all of it.

But if I'm able to ring-sign input then I can use my old public key (I know private key) sign your input (I do not have private key only public) :-)

No, you can't sign with a public key by itself. You can only add one or more public keys to an otherwise valid signature, but there has to be a private key already present to make the signature valid. You can't sign my output without my private key. I can do it and add your public key, but without my private key, you can't.

This is the SIG step on page 9 of the CN whitepaper if you want to read it. You need a valid key pair (public and private) for the output, plus a set (possibly empty) of other public keys.



legendary
Activity: 1414
Merit: 1000
So I'll send 2 transaction, is this possible ?
input ( a1=5 XMR, a2=5XMR )  output( g1=2 XMR, a3= 8 XMR )   -> ring-sign with a1

Let's do one at a time. This one needs to be signed using both inputs. so

input ( a1=5 XMR, a2=5XMR )  output( g1=2 XMR, a3= 8 XMR )   -> ring-sign with a1 + ring-sign with a2

You can't spend a2 without a valid signature (ring or otherwise)

OK np,  I have both private keys, so I'll sign (ring or otherwise).  What will be content ? (what I'm signing)

Now you are getting into an area the details of which I'm still working to fully understand in the code. But you are signing at least some portion of the transaction you create to spend the outputs, if not all of it.

But if I'm able to ring-sign input then I can use my old public key (I know private key) sign your input (I do not have private key only public) :-)
legendary
Activity: 2968
Merit: 1198
So I'll send 2 transaction, is this possible ?
input ( a1=5 XMR, a2=5XMR )  output( g1=2 XMR, a3= 8 XMR )   -> ring-sign with a1

Let's do one at a time. This one needs to be signed using both inputs. so

input ( a1=5 XMR, a2=5XMR )  output( g1=2 XMR, a3= 8 XMR )   -> ring-sign with a1 + ring-sign with a2

You can't spend a2 without a valid signature (ring or otherwise)

OK np,  I have both private keys, so I'll sign (ring or otherwise).  What will be content ? (what I'm signing)

Now you are getting into an area the details of which I'm still working to fully understand in the code. But you are signing at least some portion of the transaction you create to spend the outputs, if not all of it.

legendary
Activity: 1414
Merit: 1000
So I'll send 2 transaction, is this possible ?
input ( a1=5 XMR, a2=5XMR )  output( g1=2 XMR, a3= 8 XMR )   -> ring-sign with a1

Let's do one at a time. This one needs to be signed using both inputs. so

input ( a1=5 XMR, a2=5XMR )  output( g1=2 XMR, a3= 8 XMR )   -> ring-sign with a1 + ring-sign with a2

You can't spend a2 without a valid signature (ring or otherwise)

OK np,  I have both private keys, so I'll sign (ring or otherwise).  What will be content ? (what I'm signing)
sr. member
Activity: 378
Merit: 254
Wait, you actually take him seriously?  
Reality check:  How much was BTC going for on Aug. 15th?



newbie
Activity: 25
Merit: 66
Risto often points out and stresses that Bitcoin has always had a history of 'deep dips' and 'never to sell below ATH', I totally agree. But, what is your current prediction or estimate on the current market situation, Risto? Things are a bit worrisome, we're on a freaky slide right now!! I think some around here need some positive words.

Looking at the price alone is worrisome, but I've seen more innovation in the Bitcoin ecosystem in the past 6 months than in all the time prior. I suspect that eventually these new services will result in greater adoption and the price will rise again along with demand.
hero member
Activity: 518
Merit: 500
Trust me!
Risto often points out and stresses that Bitcoin has always had a history of 'deep dips' and 'never to sell below ATH', I totally agree. But, what is your current prediction or estimate on the current market situation, Risto? Things are a bit worrisome, we're on a freaky slide right now!! I think some around here need some positive words.
legendary
Activity: 2968
Merit: 1198
So I'll send 2 transaction, is this possible ?
input ( a1=5 XMR, a2=5XMR )  output( g1=2 XMR, a3= 8 XMR )   -> ring-sign with a1

Let's do one at a time. This one needs to be signed using both inputs. so

input ( a1=5 XMR, a2=5XMR )  output( g1=2 XMR, a3= 8 XMR )   -> ring-sign with a1 + ring-sign with a2

You can't spend a2 without a valid signature (ring or otherwise)

legendary
Activity: 1414
Merit: 1000

Example:
I have(I know private keys) 2 unspent "addresses"  a1=5 XMR and a2=5 XMR, I want pay for goods 2 XMR (address g1.) and send the rest to a3. To confuse observer I'll use both input addresses.

Transaction
input ( a1=5 XMR, a2=5XMR )  output( g1=2 XMR, a3= 8 XMR )
I'll ring-sign with  a1 private key, Is this correct ?

Almost. You will sign with both a1 and a2 private keys, allowing you to spend both outputs.

If you want to ring sign (it is optional) you can also include in the ring sig additional public keys from other outputs that you don't control (you just pull them from the blockchain). The observer can't tell which of the outputs was the actual source (where you hold the private key) but can verify that there is a valid private key being used for each input.

Hope that helps!

lol, I'm still confused:-)

So I'll send 2 transaction, is this possible ?
input ( a1=5 XMR, a2=5XMR )  output( g1=2 XMR, a3= 8 XMR )   -> ring-sign with a1
input ( a1=5 XMR, a2=5XMR )  output( g2=2 XMR, a4= 8 XMR )   -> ring-sign with a2


legendary
Activity: 1281
Merit: 1000
☑ ♟ ☐ ♚


Thanks for the answer! So, you can use DarkWallet completely anonymously if you know what to do, right (of course you are kind of biased to answer Wink)?

Well like I said, there are issues with CoinJoin-style mixing, and there are issues with people with whom you interact not necessarily all being DW users. It is possible that under some circumstances it will work great. Under others it probably won't. That isn't entirely in your control though.

Overall it is certainly going to be a big improvement over regular Bitcoin in terms of privacy (not saying much).

Excellent, thanks for your answer! Really appreciated.
legendary
Activity: 2968
Merit: 1198
In a practical sense how is Amero different from Darkwallet?

Darkwallet uses a form of stealth addresses that is similar to Monero. This won't work with regular Bitcoin users though, you will have to use regular address unless both parties are using Darkwallet (or some wallet using a compatible stealth scheme). In a sense this feature makes Darkwallet a bit like an altcoin that is sharing the Bitcoin blockchain. If you are exchanging with regular Bitcoin users you will lose the unlinkability benefit of stealth addresses (but you can still do it and you can keep unlinkability if you never reuse addresses).

Darkwallet uses CoinJoin style mixing. This has issues that have been widely discussed elsewhere, especially when there aren't a large number of people wanting to mix at the exact same time. (There is a rendezvous process in CoinJoin where people making transactions at the same time are mixed together.) This can still be used even with regular Bitcoin addresses, but only if the sender is using Darkwallet. A Darkwallet user who receives coins from a non-Darkwallet user will receive non-mixed coins, and also will potentially have address linkability if the address is reused. By contrast Monero uses ring signatures for mixing which doesn't require a rendezvous process the way CoinJoin does, but does have some other issues (some discussed in MRL-0001)

Since Darkwallet is based on Bitcoin it shares the rest of Bitcoin's advantages and disadvantages (biggest advantage being its relatively wide adoption, but again when interacting with non-DW users your feature set is reduced). Monero is a new code base that does some things differently (for example not having a fixed block size), which again has advantages and disadvantages. The relative immaturity of the code is a big disadvantage.

Thanks for the answer! So, you can use DarkWallet completely anonymously if you know what to do, right (of course you are kind of biased to answer Wink)?

Well like I said, there are issues with CoinJoin-style mixing, and there are issues with people with whom you interact not necessarily all being DW users. It is possible that under some circumstances it will work great. Under others it probably won't. That isn't entirely in your control though.

Overall it is certainly going to be a big improvement over regular Bitcoin in terms of privacy (not saying much).
legendary
Activity: 1281
Merit: 1000
☑ ♟ ☐ ♚
In a practical sense how is Amero different from Darkwallet?

Darkwallet uses a form of stealth addresses that is similar to Monero. This won't work with regular Bitcoin users though, you will have to use regular address unless both parties are using Darkwallet (or some wallet using a compatible stealth scheme). In a sense this feature makes Darkwallet a bit like an altcoin that is sharing the Bitcoin blockchain. If you are exchanging with regular Bitcoin users you will lose the unlinkability benefit of stealth addresses (but you can still do it and you can keep unlinkability if you never reuse addresses).

Darkwallet uses CoinJoin style mixing. This has issues that have been widely discussed elsewhere, especially when there aren't a large number of people wanting to mix at the exact same time. (There is a rendezvous process in CoinJoin where people making transactions at the same time are mixed together.) This can still be used even with regular Bitcoin addresses, but only if the sender is using Darkwallet. A Darkwallet user who receives coins from a non-Darkwallet user will receive non-mixed coins, and also will potentially have address linkability if the address is reused. By contrast Monero uses ring signatures for mixing which doesn't require a rendezvous process the way CoinJoin does, but does have some other issues (some discussed in MRL-0001)

Since Darkwallet is based on Bitcoin it shares the rest of Bitcoin's advantages and disadvantages (biggest advantage being its relatively wide adoption, but again when interacting with non-DW users your feature set is reduced). Monero is a new code base that does some things differently (for example not having a fixed block size), which again has advantages and disadvantages. The relative immaturity of the code is a big disadvantage.

Thanks for the answer! So, you can use DarkWallet completely anonymously if you know what to do, right (of course you are kind of biased to answer Wink)?
legendary
Activity: 2968
Merit: 1198
In a practical sense how is Amero different from Darkwallet?

Darkwallet uses a form of stealth addresses that is similar to Monero. This won't work with regular Bitcoin users though, you will have to use regular address unless both parties are using Darkwallet (or some wallet using a compatible stealth scheme). In a sense this feature makes Darkwallet a bit like an altcoin that is sharing the Bitcoin blockchain. If you are exchanging with regular Bitcoin users you will lose the unlinkability benefit of stealth addresses (but you can still do it and you can keep unlinkability if you never reuse addresses).

Darkwallet uses CoinJoin style mixing. This has issues that have been widely discussed elsewhere, especially when there aren't a large number of people wanting to mix at the exact same time. (There is a rendezvous process in CoinJoin where people making transactions at the same time are mixed together.) This can still be used even with regular Bitcoin addresses, but only if the sender is using Darkwallet. A Darkwallet user who receives coins from a non-Darkwallet user will receive non-mixed coins, and also will potentially have address linkability if the address is reused. By contrast Monero uses ring signatures for mixing which doesn't require a rendezvous process the way CoinJoin does, but does have some other issues (some discussed in MRL-0001)

Since Darkwallet is based on Bitcoin it shares the rest of Bitcoin's advantages and disadvantages (biggest advantage being its relatively wide adoption, but again when interacting with non-DW users your feature set is reduced). Monero is a new code base that does some things differently (for example not having a fixed block size), which again has advantages and disadvantages. The relative immaturity of the code is a big disadvantage.
legendary
Activity: 1281
Merit: 1000
☑ ♟ ☐ ♚
In a practical sense how is Amero Monero different from Darkwallet?

This is what I would love to know  Wink
hero member
Activity: 531
Merit: 501
In a practical sense how is Amero Monero different from Darkwallet?
legendary
Activity: 2968
Merit: 1198
Who or what prevents me from ring-signing your input and send your money to my address(output).

You can't send the money without the private key corresponding to that output. Nothing about including an output in a ring signature gives you access to the private key. The whole point of ring signatures is that you can construct a ring signature using only the public, not private keys of the other possible signers.

You have only your own private key, so you can only spend your own outputs.

Quote
What this ring signature guarantees. (may I spend all inputs ? is this agreement of this group ? If it guarantees nothing (because anybody can create signature) then why is there (just "smoke screen" for propaganda we are untraceable?))  ... or I'm too stupid.

It guarantees that someone in the group has the private key that enabled him to sign a transaction spending the output. This allows an observer to verify that the output has been spent by the authorized party (someone with the private key) but does not allow the observer to determine which of the group is the authorized party.

Thank you.
Example:
I have(I know private keys) 2 unspent "addresses"  a1=5 XMR and a2=5 XMR, I want pay for goods 2 XMR (address g1.) and send the rest to a3. To confuse observer I'll use both input addresses.

Transaction
input ( a1=5 XMR, a2=5XMR )  output( g1=2 XMR, a3= 8 XMR )
I'll ring-sign with  a1 private key, Is this correct ?

Almost. You will sign with both a1 and a2 private keys, allowing you to spend both outputs.

If you want to ring sign (it is optional) you can also include in the ring sig additional public keys from other outputs that you don't control (you just pull them from the blockchain). The observer can't tell which of the outputs was the actual source (where you hold the private key) but can verify that there is a valid private key being used for each input.

Hope that helps!



legendary
Activity: 1414
Merit: 1000
Who or what prevents me from ring-signing your input and send your money to my address(output).

You can't send the money without the private key corresponding to that output. Nothing about including an output in a ring signature gives you access to the private key. The whole point of ring signatures is that you can construct a ring signature using only the public, not private keys of the other possible signers.

You have only your own private key, so you can only spend your own outputs.

Quote
What this ring signature guarantees. (may I spend all inputs ? is this agreement of this group ? If it guarantees nothing (because anybody can create signature) then why is there (just "smoke screen" for propaganda we are untraceable?))  ... or I'm too stupid.

It guarantees that someone in the group has the private key that enabled him to sign a transaction spending the output. This allows an observer to verify that the output has been spent by the authorized party (someone with the private key) but does not allow the observer to determine which of the group is the authorized party.

Thank you.
Example:
I have(I know private keys) 2 unspent "addresses"  a1=5 XMR and a2=5 XMR, I want pay for goods 2 XMR (address g1.) and send the rest to a3. To confuse observer I'll use both input addresses.

Transaction
input ( a1=5 XMR, a2=5XMR )  output( g1=2 XMR, a3= 8 XMR )
I'll ring-sign with  a1 private key, Is this correct ?