-
knaccc: FYI decoy-identity proposal updated to address the issues raised in this channel: monero-project/research-lab #75#issuecomment-663935804
-
knaccc: sarang if I wanted to provide a Schnorr signature proving I knew all x_i private keys for the listed set of public keys X_i, could I just provide the pair of scalars (c=Hs(kG), r=k-c*(sum x_i)), with k as a random scalar that can be discarded, and verified as c==Hs(rG+c*(sum X_i))? Is there a gotcha in there?
-
sarang: You're only proving knowledge of the sum
-
sarang: Use a weighted sum with hash coefficients
-
knaccc: sarang could you spell out the threat of only proving knowledge of the sum pls?
-
sarang: Because it's not the thing you said you wanted to prove
-
sarang: If you want to prove knowledge of the sum, then yeah, it's fine
-
sarang: The threat depends on the use
-
knaccc: I'm trying to figure out when knowledge of the sum doesn't imply knowledge of every individual private key
-
knaccc: but it sounds like you're saying it's easily possible to solve the problem with the weighted sum, so that's great news, thanks sarang
-
sarang: This is basically what CLSAG does
-
sarang: Include all the pubkeys in each coefficient along with a domain separator
-
knaccc: sarang is it just: r=k-c*(sum hash(X_i)*x_i) and c==Hs(rG+c*(sum hash(X_i)*X_i))? What is the domain separator part?
-
sarang: Include all pubkeys in each hash, and separate with an index and also some fixed domain-specific string or identifier
-
knaccc: Great, thanks, I'll look into CLSAG again for hints. Glad this is all possible in principle
-
sarang: What's the use case?
-
knaccc: sarang oh, it's just related to the idea of tagging each output with a public key Hs("destination_tag" || destination subaddress)*G, and then providing a signature across all outputs so that someone else can't just copy that public key to another output and pretend that output was destined for the same address (unless they knew the address)
-
knaccc: so it'd be one Schnorr per tx instead of one per output