05:06:46 FYI decoy-identity proposal updated to address the issues raised in this channel: https://github.com/monero-project/research-lab/issues/75#issuecomment-663935804 05:19:32 sarang if I wanted to provide a schnorr signature proving I knew all x_i private keys for the listed set of public keys X_i, could I just provide the pair of scalars (c=Hs(kG), r=k-c*(sum x_i)), with k as a random scalar that can be discarded, and verified as c==Hs(rG+c*(sum X_i))? Is there a gotcha in there? 05:37:31 You're only proving knowledge of the sum 05:37:54 Use a weighed sum with hash coefficients 05:38:14 sarang could you spell out the threat of only proving knowledge of the sum pls? 05:38:37 Because it's not the thing you said you wanted to prove 05:39:00 If you want to prove knowledge of the sum, then yeah, it's fine 05:39:34 The threat depends on the use 05:40:13 i'm trying to figure out when knowledge of the sum doesn't imply knowledge of every individual private key 05:41:34 but it sounds like you're saying it's easily possible to solve the problem with the weighted sum, so that's great news, thanks sarang 05:41:48 This is basically what CLSAG does 05:42:11 Include all the pubkeys in each coefficient along with a domain separator 05:44:07 sarang is it just: r=k-c*(sum hash(X_i)*x_i)) and c==Hs(rG+c*(sum hash(X_i)*X_i))? what is the domain separator part? 05:59:01 Include all pubkeys in each hash, and separate with an index and also some fixed domain specific string or identifier 06:07:49 great, thanks, i'll look into clsag again for hints. glad this is all possible in principle 13:11:34 What's the use case? 15:05:16 sarang oh it's just related to the idea of tagging each output with a public key Hs("destination_tag" || destination subaddress)*G, and then providing a signature across all outputs so that someone else can't just copy that public key to another output and pretend that output was destined for the same address (unless they knew the address) 15:05:33 so it'd be one schnorr per tx instead of one per output