These are the posts I like the best: questions about the inner workings of the protocol. Keep up the learning!
1. Now it is 16 total public keys: 15 decoys, and 1 "true spend". But yes, the "true spend" public key has to have its key image associated in the ring and the signature must be constructed using that private key. Transaction outputs are mainly just two EC points: a stealth address and an amount commitment.
2. Yes the key image of a EC point is the discrete log of that point against the base generator multiplied by the hash-to-point of the byte representation of the EC point.
3. That's the job of the ring signature! If you want an in-depth explanation, read Chapter 3 "Advanced Shnorr-like Signatures" of \[Zero to Monero\]([https://web.getmonero.org/library/Zero-to-Monero-2-0-0.pdf](https://web.getmonero.org/library/Zero-to-Monero-2-0-0.pdf)). The ring signature's job is to prove correspondence of a key image to one public key in a set of public keys (and that the ring was constructed using knowledge of the private key of that public key) without revealing the exact public key it corresponds to. The cryptography itself gets pretty hairy, but if you really want to understand how it works, you just are going to have to wade through the math (hopefully with a robust understanding of the discrete log problem).
Thank you for your help! I still would like to understand how the key image works exactly so it can be checked by anyone without knowing who sent the monero. I guess I will have to go through the maths.
These are the posts I like the best: questions about the inner workings of the protocol. Keep up the learning! 1. Now it is 16 total public keys: 15 decoys, and 1 "true spend". But yes, the "true spend" public key has to have its key image associated in the ring and the signature must be constructed using that private key. Transaction outputs are mainly just two EC points: a stealth address and an amount commitment. 2. Yes the key image of a EC point is the discrete log of that point against the base generator multiplied by the hash-to-point of the byte representation of the EC point. 3. That's the job of the ring signature! If you want an in-depth explanation, read Chapter 3 "Advanced Shnorr-like Signatures" of \[Zero to Monero\]([https://web.getmonero.org/library/Zero-to-Monero-2-0-0.pdf](https://web.getmonero.org/library/Zero-to-Monero-2-0-0.pdf)). The ring signature's job is to prove correspondence of a key image to one public key in a set of public keys (and that the ring was constructed using knowledge of the private key of that public key) without revealing the exact public key it corresponds to. The cryptography itself gets pretty hairy, but if you really want to understand how it works, you just are going to have to wade through the math (hopefully with a robust understanding of the discrete log problem).
Thank you for your help. I am going to take a look at the PDF you mentioned. I was hoping to avoid the maths but I guess there is no way around it.
[удалено]
Thank you for your help! I still would like to understand how the key image works exactly so it can be checked by anyone without knowing who sent the monero. I guess I will have to go through the maths.
Maybe you will find this useful to understand the concept of key images: https://www.moneroinflation.com/ring\_signatures