Why is it necessary in confidential transactions to have two generators?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












So as i understand it (though im not sure if its the same w/ bulletproofs so please correct me if im wrong), a commitment is generated like this;



commitment = (blinding_secret . G) + (value . H)


where G and H are both different generators on the same curve. But why is it necessary to have the second generator, H, instead of just using G twice?










share|improve this question

























    up vote
    2
    down vote

    favorite












    So as i understand it (though im not sure if its the same w/ bulletproofs so please correct me if im wrong), a commitment is generated like this;



    commitment = (blinding_secret . G) + (value . H)


    where G and H are both different generators on the same curve. But why is it necessary to have the second generator, H, instead of just using G twice?










    share|improve this question























      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      So as i understand it (though im not sure if its the same w/ bulletproofs so please correct me if im wrong), a commitment is generated like this;



      commitment = (blinding_secret . G) + (value . H)


      where G and H are both different generators on the same curve. But why is it necessary to have the second generator, H, instead of just using G twice?










      share|improve this question













      So as i understand it (though im not sure if its the same w/ bulletproofs so please correct me if im wrong), a commitment is generated like this;



      commitment = (blinding_secret . G) + (value . H)


      where G and H are both different generators on the same curve. But why is it necessary to have the second generator, H, instead of just using G twice?







      cryptography confidential-transactions






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 2 hours ago









      cookiekid

      1253




      1253




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          3
          down vote



          accepted










          Normally C = xG + aH where a is the amount and x is the blinding factor.



          The point of a Pedersen Commitment is to commit you to a certain value of a. If instead you had C = xG + aG, then this simplifies to C = (x+a)G. So you could claim any value of a later by claiming you'd used a different blinding factor. Using H, which has an unknown DL w.r.t. G, prevents you from doing this.






          share|improve this answer




















            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "656"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmonero.stackexchange.com%2fquestions%2f10510%2fwhy-is-it-necessary-in-confidential-transactions-to-have-two-generators%23new-answer', 'question_page');

            );

            Post as a guest






























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            3
            down vote



            accepted










            Normally C = xG + aH where a is the amount and x is the blinding factor.



            The point of a Pedersen Commitment is to commit you to a certain value of a. If instead you had C = xG + aG, then this simplifies to C = (x+a)G. So you could claim any value of a later by claiming you'd used a different blinding factor. Using H, which has an unknown DL w.r.t. G, prevents you from doing this.






            share|improve this answer
























              up vote
              3
              down vote



              accepted










              Normally C = xG + aH where a is the amount and x is the blinding factor.



              The point of a Pedersen Commitment is to commit you to a certain value of a. If instead you had C = xG + aG, then this simplifies to C = (x+a)G. So you could claim any value of a later by claiming you'd used a different blinding factor. Using H, which has an unknown DL w.r.t. G, prevents you from doing this.






              share|improve this answer






















                up vote
                3
                down vote



                accepted







                up vote
                3
                down vote



                accepted






                Normally C = xG + aH where a is the amount and x is the blinding factor.



                The point of a Pedersen Commitment is to commit you to a certain value of a. If instead you had C = xG + aG, then this simplifies to C = (x+a)G. So you could claim any value of a later by claiming you'd used a different blinding factor. Using H, which has an unknown DL w.r.t. G, prevents you from doing this.






                share|improve this answer












                Normally C = xG + aH where a is the amount and x is the blinding factor.



                The point of a Pedersen Commitment is to commit you to a certain value of a. If instead you had C = xG + aG, then this simplifies to C = (x+a)G. So you could claim any value of a later by claiming you'd used a different blinding factor. Using H, which has an unknown DL w.r.t. G, prevents you from doing this.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 1 hour ago









                knaccc

                5,968517




                5,968517



























                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmonero.stackexchange.com%2fquestions%2f10510%2fwhy-is-it-necessary-in-confidential-transactions-to-have-two-generators%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    How many registers does an x86_64 CPU actually have?

                    Nur Jahan