Otdfbt

As easy as Three, Two, One... How fast can you go from Five to Four?

The significance of kelvin as a unit of absolute temperature

Transfer custom ringtones to iPhone using a computer running Linux

Does a (nice) centerless group always have a centerless profinite completion?

Can there be absolute velocity?

So a part of my house disappeared... But not because of a chunk resetting

Does the new finding on "reversing a quantum jump mid-flight" rule out any interpretations of QM?

How to destroy a galactic level civilization and still leave behind primitive survivors?

Why is long-term living in Almost-Earth causing severe health problems?

Is it safe to remove python 2.7.15rc1 from Ubuntu 18.04?

How can I write the maximally mixed state on m qubits as a linear combination of basis vectors

Make Gimbap cutter

Is Lambda Calculus purely syntactic?

Print "N NE E SE S SW W NW"

What STL algorithm can determine if exactly one item in a container satisfies a predicate?

Why is the length of the Kelvin unit of temperature equal to that of the Celsius unit?

Ability To Change Root User Password (Vulnerability?)

Is it okay to have a sequel start immediately after the end of the first book?

What plausible reason could I give for my FTL drive only working in space

Diatonic chords of a pentatonic vs blues scale?

Who is "He that flies" in Lord of the Rings?

Why do radiation hardened IC packages often have long leads?

empApi with Lightning Web Components?

Should I put programming books I wrote a few years ago on my resume?

Where is the encrypted mask value?

How are outPk, mask and amount fields created when spending RignCT coinbase transactions?Error with transaction on the blockchainIs it possible to reset the blockchain with a new genesis block for efficiency?How does having a negative number in a Pedersen commitment, create money out of thin air?How would I exploit the fact that I knew the scalar used for H in the Pedersons Commitment w.r.t G?Why do we use different H values in a vector Pedersen Commitment?How is the used Pedersen commitment kept secret?How does the mixing work?What is the significance of monero switching the G and H points in a Pedersen commitment?Trying to understand how RCTTypeSimple works

4

Checked this link: https://moneroblocks.info/api/get_transaction_data/4adb55cde1ffcc0ea639b6718355c48c0e574000306d95ef857e55d91ddabcf2

I could not find the encrypted mask value.

I believe the encrypted amount is in the ecdh part:

 "ecdhInfo": [
 
 "amount": "f350bbedb3a4a93b"
 ,
 
 "amount": "c2005984b560da47"
 ,
 
 "amount": "6a2a649c8322d6e1"
 ,
 
 "amount": "0e0c6e72d16779c7"
 
 ],

ringct

share|improve this question

asked May 26 at 18:50

WeCanBeFriendsWeCanBeFriends

33617

add a comment | 

4

Checked this link: https://moneroblocks.info/api/get_transaction_data/4adb55cde1ffcc0ea639b6718355c48c0e574000306d95ef857e55d91ddabcf2

I could not find the encrypted mask value.

I believe the encrypted amount is in the ecdh part:

 "ecdhInfo": [
 
 "amount": "f350bbedb3a4a93b"
 ,
 
 "amount": "c2005984b560da47"
 ,
 
 "amount": "6a2a649c8322d6e1"
 ,
 
 "amount": "0e0c6e72d16779c7"
 
 ],

ringct

share|improve this question

asked May 26 at 18:50

WeCanBeFriendsWeCanBeFriends

33617

add a comment | 

Checked this link: https://moneroblocks.info/api/get_transaction_data/4adb55cde1ffcc0ea639b6718355c48c0e574000306d95ef857e55d91ddabcf2

I could not find the encrypted mask value.

I believe the encrypted amount is in the ecdh part:

 "ecdhInfo": [
 
 "amount": "f350bbedb3a4a93b"
 ,
 
 "amount": "c2005984b560da47"
 ,
 
 "amount": "6a2a649c8322d6e1"
 ,
 
 "amount": "0e0c6e72d16779c7"
 
 ],

ringct

share|improve this question

asked May 26 at 18:50

WeCanBeFriendsWeCanBeFriends

33617

 "ecdhInfo": [
 
 "amount": "f350bbedb3a4a93b"
 ,
 
 "amount": "c2005984b560da47"
 ,
 
 "amount": "6a2a649c8322d6e1"
 ,
 
 "amount": "0e0c6e72d16779c7"
 
 ],

share|improve this question

asked May 26 at 18:50

WeCanBeFriendsWeCanBeFriends

33617

share|improve this question

asked May 26 at 18:50

WeCanBeFriendsWeCanBeFriends

33617

asked May 26 at 18:50

WeCanBeFriendsWeCanBeFriends

33617

asked May 26 at 18:50

WeCanBeFriendsWeCanBeFriends

33617

1 Answer
1

active

oldest

votes

4

As of the March 2019 hard fork, commitment masks are deterministically derived from the per-output shared secret. This means the ECDHinfo part of the transaction will no longer store the encrypted mask.

See the commit here: https://github.com/monero-project/monero/commit/7d375981584e5ddac4ea6ad8879e2211d465b79d

Therefore, to determine the commitment mask, calculate:

commitment mask = Hs("commitment_mask" || Hs(8aR||i))

To reduce the storage requirement for the amount from 32 bytes to 8 bytes, the 8 byte amount is now XOR encrypted using an 8 byte key deterministically derived from the shared secret.

To encrypt the amount, calculate:

encrypted amount = 8 byte amount XOR first 8 bytes of keccak("amount" || Hs(8rA||i))

To decrypt the amount, calculate:

amount = 8 byte encrypted amount XOR first 8 bytes of keccak("amount" || Hs(8aR||i))

share|improve this answer

edited May 30 at 20:29

answered May 26 at 19:27

knacccknaccc

7,018820

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  TBC: a is the public view key, i is the index of the output in the transaction
  
  – WeCanBeFriends
  May 26 at 21:11
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  a is the private view key, not public.
  
  – jtgrassie
  May 26 at 22:10
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Oh right, 8aR is the public view key
  
  – WeCanBeFriends
  May 26 at 22:24
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  8aR is not "the public view key" either. R is the tx public key (the shared part of the shared secret), a is the receivers private view key and i is the output index.
  
  – jtgrassie
  May 27 at 0:24
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @WeCanBeFriends You're right, I've fixed the error in my answer. The shared secret is Hs(8aR||i) and not Hs(8aR||i)G. From a cryptographic point of view, it would also have worked to have chosen to directly use (8aR||i) instead of Hs(8aR||i) (inside these hashed constructions only), but since the code already calculates Hs(8aR||i) for use elsewhere, we just re-use it for simplicity.
  
  – knaccc
  May 27 at 4:23
  
  

  
  
  
  

 | 
show 2 more comments

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "656"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmonero.stackexchange.com%2fquestions%2f11272%2fwhere-is-the-encrypted-mask-value%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

4

As of the March 2019 hard fork, commitment masks are deterministically derived from the per-output shared secret. This means the ECDHinfo part of the transaction will no longer store the encrypted mask.

See the commit here: https://github.com/monero-project/monero/commit/7d375981584e5ddac4ea6ad8879e2211d465b79d

Therefore, to determine the commitment mask, calculate:

commitment mask = Hs("commitment_mask" || Hs(8aR||i))

To reduce the storage requirement for the amount from 32 bytes to 8 bytes, the 8 byte amount is now XOR encrypted using an 8 byte key deterministically derived from the shared secret.

To encrypt the amount, calculate:

encrypted amount = 8 byte amount XOR first 8 bytes of keccak("amount" || Hs(8rA||i))

To decrypt the amount, calculate:

amount = 8 byte encrypted amount XOR first 8 bytes of keccak("amount" || Hs(8aR||i))

share|improve this answer

edited May 30 at 20:29

answered May 26 at 19:27

knacccknaccc

7,018820

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  TBC: a is the public view key, i is the index of the output in the transaction
  
  – WeCanBeFriends
  May 26 at 21:11
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  a is the private view key, not public.
  
  – jtgrassie
  May 26 at 22:10
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Oh right, 8aR is the public view key
  
  – WeCanBeFriends
  May 26 at 22:24
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  8aR is not "the public view key" either. R is the tx public key (the shared part of the shared secret), a is the receivers private view key and i is the output index.
  
  – jtgrassie
  May 27 at 0:24
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @WeCanBeFriends You're right, I've fixed the error in my answer. The shared secret is Hs(8aR||i) and not Hs(8aR||i)G. From a cryptographic point of view, it would also have worked to have chosen to directly use (8aR||i) instead of Hs(8aR||i) (inside these hashed constructions only), but since the code already calculates Hs(8aR||i) for use elsewhere, we just re-use it for simplicity.
  
  – knaccc
  May 27 at 4:23
  
  

  
  
  
  

 | 
show 2 more comments

4

As of the March 2019 hard fork, commitment masks are deterministically derived from the per-output shared secret. This means the ECDHinfo part of the transaction will no longer store the encrypted mask.

See the commit here: https://github.com/monero-project/monero/commit/7d375981584e5ddac4ea6ad8879e2211d465b79d

Therefore, to determine the commitment mask, calculate:

commitment mask = Hs("commitment_mask" || Hs(8aR||i))

To reduce the storage requirement for the amount from 32 bytes to 8 bytes, the 8 byte amount is now XOR encrypted using an 8 byte key deterministically derived from the shared secret.

To encrypt the amount, calculate:

encrypted amount = 8 byte amount XOR first 8 bytes of keccak("amount" || Hs(8rA||i))

To decrypt the amount, calculate:

amount = 8 byte encrypted amount XOR first 8 bytes of keccak("amount" || Hs(8aR||i))

share|improve this answer

edited May 30 at 20:29

answered May 26 at 19:27

knacccknaccc

7,018820

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  TBC: a is the public view key, i is the index of the output in the transaction
  
  – WeCanBeFriends
  May 26 at 21:11
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  a is the private view key, not public.
  
  – jtgrassie
  May 26 at 22:10
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Oh right, 8aR is the public view key
  
  – WeCanBeFriends
  May 26 at 22:24
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  8aR is not "the public view key" either. R is the tx public key (the shared part of the shared secret), a is the receivers private view key and i is the output index.
  
  – jtgrassie
  May 27 at 0:24
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @WeCanBeFriends You're right, I've fixed the error in my answer. The shared secret is Hs(8aR||i) and not Hs(8aR||i)G. From a cryptographic point of view, it would also have worked to have chosen to directly use (8aR||i) instead of Hs(8aR||i) (inside these hashed constructions only), but since the code already calculates Hs(8aR||i) for use elsewhere, we just re-use it for simplicity.
  
  – knaccc
  May 27 at 4:23
  
  

  
  
  
  

 | 
show 2 more comments

As of the March 2019 hard fork, commitment masks are deterministically derived from the per-output shared secret. This means the ECDHinfo part of the transaction will no longer store the encrypted mask.

See the commit here: https://github.com/monero-project/monero/commit/7d375981584e5ddac4ea6ad8879e2211d465b79d

Therefore, to determine the commitment mask, calculate:

commitment mask = Hs("commitment_mask" || Hs(8aR||i))

To reduce the storage requirement for the amount from 32 bytes to 8 bytes, the 8 byte amount is now XOR encrypted using an 8 byte key deterministically derived from the shared secret.

To encrypt the amount, calculate:

encrypted amount = 8 byte amount XOR first 8 bytes of keccak("amount" || Hs(8rA||i))

To decrypt the amount, calculate:

amount = 8 byte encrypted amount XOR first 8 bytes of keccak("amount" || Hs(8aR||i))

share|improve this answer

edited May 30 at 20:29

answered May 26 at 19:27

knacccknaccc

7,018820

share|improve this answer

edited May 30 at 20:29

answered May 26 at 19:27

knacccknaccc

7,018820

answered May 26 at 19:27

knacccknaccc

7,018820

answered May 26 at 19:27

knacccknaccc

7,018820