When I read Introduction to MimbleWimble and Grin,there is some queries about Transaction Aggregation.In my understanding, any transaction is verified by kernel excess(proves Pedersen commitment equal rG + 0H) and transaction signature(proves the sender knows the value r of inputs ).
I just wonder to know when a miner collected and verified transactions, and calculated sum(outputs) - sum(inputs) = sum(kernel_excess),other miners how to verify each transaction when they received that block?There is not a signature using sum(kernel_excess) as public key.
Why would you need that when all the kernels sign for their individual zero excess?
THe Cut-through part says “Blocks let miners assemble multiple transactions into a single set”.In the example, 3 transactions in a block, as below(without Kernel Offsets):
transaction A:
I1(x1) — O1
|- O2
(We assume kernel excess equal (O1G + 1H) + (O2G + 2H) - (x1G + 3H) = (O1+O2-x1)G + 0H), and signed using (O1+O2-x1)G as public key)
transaction B:
I2(x2) — O3
I3(O2) -|
(We assume kernel excess equal (O3G + 5H) - (O2G + 2H) - (x2G + 3H) = (O3-O2-x2)G + 0H), and signed using (O3-O2-x2)G as public key)
I4(O3) — O4
|- O5
(We assume kernel excess equal (O5G + 1H) + (O4G + 4H) - (x2G + 5H) = (O5+O4-O3)G + 0H), and signed using (O5+O4-O3)*G as public key)
When miners assemble these 3 transactions, the block becomes:
I1(x1) | O1
I2(x2) | O4
| O5
We assume kernel excess equal (O5G + 1H) + (O4G + 4H) + (O1G + 1H) - (x1G + 3H) - (x2G + 3H) = (O5+O4+O1-x1-x2)G + 0H).SO if there is not a signature using (O5+O4+O1-x1-x2)*G as public key,How do the other miners verify transactions in the block is true?
Is there any misunderstanding of structure in a block?
The 3 kernels kA= (O1+O2-x1) * G, kB = *(O3-O2-x2) * G, and kC = (O5+O4-O3) * G, sum to kA+kB+kC = (O5+O4+O1-x1-x2) * G, so the miners can verify by checking all kernel signatures and checking that sum output - sum inputs = sum kernels.
Yes,If the block contains all transactions’ information(include tx inputs, outputs, Pedersen commitment and signature) ,all miners can check each tx’s validation.Now a miner creates the last block and assemble transactions, then broadcasts it.Other miners who receives that block without each transaction’s information(just sum output, sum inputs and sum kernels).So they can not verify whether each tx in the block is valid.
The miner who creates that block can easily cheat all of the others just by adding a invalid tx in the block.He can use any UTXO and doesn’t sign it.Because after he assembles all transactions, no one can check his signature anymore.
A block contains only a single (aggregate) transaction.
Thank you for your replies, tromp.
That is where I’am puzzled.
If I am a miner who win the hash game and create block A.
Block A contains 3 valid txs(as we discussed above) . Besides these,I add transaction D.
I choose any kernel(assuming O5, O5 * G + 1 * H) as a input of transaction D ,and I don’t know the value of x3.Because the value of O5 * G + 1 * H is just a point (x , y) in a coordinate system,I can easily create 2 outputs :
O6:(x1,y1)
O7:(x2,y2)
and let x1+x2 = x , y1 + y2 = y;
At last,I aggregate 4 transactions like below and broadcast the block.
I1(x1) | O1
I2(x2) | O4
| O6
| O7
It’s easy to see that sum output - sum inputs = sum kernels.
So, I’ve spent the O5 without learning it’s private key.At the same time , I create O6,O7 and I also having noting of their private key(more likely , these 2 outputs are not the valid value of the ECC).
After that , no one can use O5 anymore.
Elliptic curve point addition is very different from coordinate-wise addition.
Even if your O6 and O7 were curve points, their sum O6+O7 would not have coordinates (x,y).
I think I understand what you explain.
After Aggregating above 3 transactions , a block contains:
a series of inputs ( I1(x1) , I2(x2))
a series of outputs ( O1 , O4 , O5)
3 kernels ( excess A , signature A ; excess B , signature B ; excess C , signature C)
excess A/B/C can be verified by signature A/B/C.
O1 + O4 + O5 - I1(x1) - I2(x2) = excess A + excess B + excess C
Is that right?
Yes, that’s the idea.
Thanks a lot , tromp.