dalek-cryptography / bulletproofs

A pure-Rust implementation of Bulletproofs using Ristretto.
MIT License

Question about "Q" in the InnerProductProof #357

Open valchichelapierre opened 1 year ago

valchichelapierre commented 1 year ago

Context:

The InnerProductProof takes a few inputs, including g_vec, h_vec, a_vec, b_vec and Q, and basically gives a point P and a proof that we know a_vec, b_vec such that

(g_vec^a_vec) (h_vec^b_vec) Q^<a_vec, b_vec> = P

My question:

It seems to me that Q can be any point as long as finding a non-trivial discrete log relation between elements of g_vec, h_vec and Q is hard. In particular, I think Q = RISTRETTO_BASEPOINT_POINT (aka self.pc_gens.B) would do. Well, as long as we didn't pick one of the points of g_vec or h_vec to be a known power of RISTRETTO_BASEPOINT_POINT.

In the range proof, this is how Q is defined:

```rust
// Get a challenge value to combine statements for the IPP
let w = self.transcript.challenge_scalar(b"w");
let Q = w * self.pc_gens.B;
```

I'm wondering what is the motivation for constructing it with a challenge. Do we need this point to not be predictable?

rickwebiii commented 1 year ago

> Well, as long as we didn't pick one of the points of g_vec or h_vec to be a known power of RISTRETTO_BASEPOINT_POINT.

I think choosing Q by hashing the transcript provides an extra guarantee that the protocol developer didn't do that, accidentally or otherwise. Otherwise, how would you really know that some point g/h in the protocol isn't a known power of Q to somebody?
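To make the premise of the question concrete, here is an added example; it is not code from the bulletproofs crate or from either commenter. It models the commitment P = (g_vec^a_vec) (h_vec^b_vec) Q^<a_vec, b_vec> in a toy prime-order subgroup of Z_p^* (a stand-in for Ristretto that is far too small to be secure), derives Q = B^w from a Fiat-Shamir challenge the way the quoted range-proof code does, and shows that if one generator is a known power of Q, say G[0] = Q^k, a prover can set b[0] = -k and open the same P to two different a_vec. The transcript strings, the witness vectors, the rigged-generator constant K and all function names are constructed for this example.

```python
import hashlib

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with these fixed bases."""
    if n < 2:
        return False
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start):
    """Smallest q >= start with q and p = 2q + 1 both prime; returns (p, q)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, ORDER = find_safe_prime(1 << 62)  # toy modulus and prime subgroup order


def hash_to_group(label):
    """Nothing-up-my-sleeve generator: hash, then square so the element lies
    in the order-q subgroup (the quadratic residues mod a safe prime)."""
    g = pow(int.from_bytes(hashlib.sha256(label).digest(), "big") % P, 2, P)
    assert g not in (0, 1), "degenerate generator"
    return g


def challenge_scalar(transcript, label):
    """Fiat-Shamir challenge over the transcript so far; stands in for
    self.transcript.challenge_scalar(b"w") in the quoted range-proof code."""
    return int.from_bytes(hashlib.sha256(transcript + label).digest(), "big") % ORDER


def inner_product(a, b):
    return sum(x * y for x, y in zip(a, b)) % ORDER


def commit(G, H, Q, a, b):
    """P = (prod G_i^a_i) (prod H_i^b_i) Q^<a,b>, multiplicative notation as in the question."""
    acc = 1
    for g, x in zip(G, a):
        acc = acc * pow(g, x, P) % P
    for h, y in zip(H, b):
        acc = acc * pow(h, y, P) % P
    return acc * pow(Q, inner_product(a, b), P) % P


N = 4
B = hash_to_group(b"basepoint")                     # stands in for pc_gens.B
G_VEC = [hash_to_group(b"G" + bytes([i])) for i in range(N)]
H_VEC = [hash_to_group(b"H" + bytes([i])) for i in range(N)]
A_VEC, B_VEC = [3, 1, 4, 1], [5, 9, 2, 6]           # constructed witness
K = 123456789                                       # constructed: prover knows G[0] = B^K
G_RIGGED = [pow(B, K, P)] + G_VEC[1:]


def equivocate(G, H, Q, k_rel, a, b):
    """Given G[0] = Q^k_rel, choose b[0] = -k_rel: then
    G[0]^a0 * Q^(a0*b0) = Q^(a0*(k_rel + b0)) = 1, so P ignores a[0].
    Returns (a', b') and whether (a, b') and (a', b') commit to the same P."""
    b2 = [(-k_rel) % ORDER] + list(b[1:])
    a2 = [(a[0] + 7) % ORDER] + list(a[1:])
    return a2, b2, commit(G, H, Q, a, b2) == commit(G, H, Q, a2, b2)


def fixed_q_is_not_binding():
    """Q = B, as the question proposes: the relation G[0] = Q^K is known up front."""
    return equivocate(G_RIGGED, H_VEC, B, K, A_VEC, B_VEC)[2]


def challenge_q_resists_precomputed_relation():
    """Q = B^w with w sampled after b is bound in the transcript (the range
    proof fixes l(x), r(x) before sampling w).  Now G[0] = Q^(K/w), so the
    prover needs b[0] = -K/w but has to fix b[0] before w exists; guessing
    w from some other transcript does not produce a collision."""
    w_guess = challenge_scalar(b"transcript the prover hopes for", b"w")
    b_bound = [(-K * pow(w_guess, -1, ORDER)) % ORDER] + B_VEC[1:]
    transcript = b"A,S,T1,T2,t_x|" + repr(b_bound).encode()  # binds b before w
    w = challenge_scalar(transcript, b"w")
    Q = pow(B, w, P)
    a2 = [(A_VEC[0] + 7) % ORDER] + A_VEC[1:]
    no_collision = commit(G_RIGGED, H_VEC, Q, A_VEC, b_bound) != commit(G_RIGGED, H_VEC, Q, a2, b_bound)
    # Once w is public the relation K/w is computable again, so a prover allowed
    # to pick b after seeing w would still equivocate: what matters is that w
    # is sampled only after the witness is bound, not that w stays secret.
    k_rel = K * pow(w, -1, ORDER) % ORDER
    return no_collision and equivocate(G_RIGGED, H_VEC, Q, k_rel, A_VEC, B_VEC)[2]
```

The second function is the part that speaks to "do we need this point to not be predictable": once w is public, G[0] = Q^(K/w) is just as much a known relation as G[0] = B^K was, so the protection comes from the ordering, with the prover's a_vec and b_vec already fixed in the transcript before w is drawn, rather than from w being unknown to anyone. The rigged generator here is a deliberate worst case; with honestly hashed generators no such K is known, which is the hardness assumption the question names.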