I’m trying to wrap my head around MimbleWimble and Grin. I’m first attempting to show that a block is valid. Much of my understanding came from the excellent Mimblewimble documentation.

As I understand it, the sum of a block’s outputs minus the sum of the block’s inputs should equal the sum of the kernel excesses. I believe all these items: outputs, inputs, and excesses are represented as public keys - is that right?

So, given this block, I see the output and input commits. Are these Pedersen Commitment public keys? I don’t see any kernel excess keys, I’m guess they are just not shown in the UI - is that right or did I miss something?

Thanks for the clarifications! So is it right to say that the Pedersen commitments can be summed in order to be used in the validity equation you posted? As in these outputs from the example block I posted earlier…

My only other question at this point is around G and H. According to the equation, these values need to be known in order to prove the block validity.

Can you direct me on where to find these values? I was under the impression these were public keys of the sender/receiver but that is probably incorrect.

Yes, each kernel is generated with an accompanying offset. When merging multiple transactions together, as happens in forming a block, the offsets get summed into one.

An offset is basically a scalar correction of the sum of kernels. After the correction is made, the result (Σkernel + offset*G) is equal to the Σoutputs - Σinputs curve point. A transaction basically has a random curve point being a kernel and comes with a correction scalar offset. When aggregating two transactions, these offset scalars can be summed together to obtain a single offset (their sum) making it impossible to deaggregate the transaction without knowing the original offsets.

I’m in way over my head, but I’m slowly learning, damn it. After looking at the official Node code, I observed that the commitments are serialized to_hex (33 byte DER!) and are deserialized from_hex to a bytes array.

Now, because the commitments are curve points, is it right that I need to convert the bytes array into an x and y?