From 3edacdf27295a936ed96f958691772a00509f7a4 Mon Sep 17 00:00:00 2001
From: Brandon Goodell <b-g-goodell@users.noreply.github.com>
Date: Wed, 23 Aug 2017 14:49:19 -0600
Subject: [PATCH] Temp text desc of newct

---
 publications/txt-standards/Ruffct.txt | 441 ++++++++++++++++++++++++++
 1 file changed, 441 insertions(+)
 create mode 100644 publications/txt-standards/Ruffct.txt

diff --git a/publications/txt-standards/Ruffct.txt b/publications/txt-standards/Ruffct.txt
new file mode 100644
index 0000000..1597ce6
--- /dev/null
+++ b/publications/txt-standards/Ruffct.txt
@@ -0,0 +1,441 @@
+               BOOTLE-RUFFING RINGCT SCHEME
+               ----------------------------
+               Sublinear-sized ring signatures without trusted 
+               set-ups or bilinear pairings. Summarized for 
+               Monero Research Lab by B Goodell
+
+We describe sublinear-sized ring signatures for use in cryptocurrency. This 
+scheme was first sent to MRL by Ruffing and co-authors. These results use 
+tools first described by Bootle, et al in the paper "Short Accountable Ring 
+Signatures Based on DDH," 2015 European Symposium on Research in Computer Sec-
+urity, use a "vanilla" elliptic curve multisignature scheme first described by 
+Bellare and Neven in "Multi-signatures in the plain public-key model and a gen-\
+eral forking lemma," 2006 Proceedings of the 13th, ACM conference on Computer and 
+Communications Security.
+
+This is a living document and will be updated. In section I, the introduction,
+we introduce the general idea of the scheme together with preliminary stuff. 
+We have a section on homomorphic commitments and encryption, a section on 
+ordinary multi-signatures, and a section on the NIZK proof systems presented 
+by Bootle et al. In section II, we present pseudocode describing Ruffing's 
+scheme. In section III, references.
+
+               I. INTRODUCTION
+
+The scheme presented by Ruffing roughly works as follows, exploiting homo-
+morphic commitments. Sender Sally uses L of her txnout keys to send some amount
+stored in a commitment to receiver Roy. Sally wishes to implicate N-1 other  
+senders, so she constructs an LxN matrix of public keys (L = # key images used,
+N = ring size) by picking random public keys from the anonymity set; she stores
+her own pubkeys in some secret column i*. Sally demonstrates that the output
+amount from her secret column and the input amount are the same without re-
+vealing that column or the amounts by using a NIZK proof from the Bootle paper
+to show that at least one commitment in a vector opens to zero. In the constru-
+ction of this proof, she uses information from her secret keys, which binds the
+index she can open to zero to the column of pubkeys in the matrix without re-
+vealing which index. She uses her secret keys to construct a multisignature on 
+the Bootle proof that is verifiable with the key images only. This way, her 
+signature consists of some random information, a Bootle proof, and a multi-
+signature on the Bootle proof. The multisignature is efficient in construction,
+verification, and storage. The Bootle proof, for a vector of commitments of
+length N = n^m, takes O(n*m) (roughly) for construction, verification, and sto-
+rage. For a ring size N=n^m, for a fixed ring base n (say all ring sizes are
+powers of n=16), the Ruffing scheme is approximately log(N).
+
+The scheme consists of four algorithms, KEYGEN, SPEND, and VER, which we des-
+cribe in the next section. The scheme uses multisignatures and Bootle proofs
+as subroutines, and hammers on homomorphic commitment very hard, so we describe
+these in this section as "pre-requisites".  The Bootle method is an interactive 
+sigma protocol that uses another interactive sigma protocol as a subroutine. We
+made these both non-interactive and present the pseudocode in PROVE1, VALID1, 
+PROVE2, VALID2 (the Ruffing scheme uses PROVE2, VALID2, which use PROVE1, 
+VALID1). The Ruffing scheme did not specify a multisignature scheme; we desc-
+ribe here the pseudocode for the Bellare-Neven multisignature scheme, KEYGEN*, 
+SIG*, VER*.
+
+               a. Commitments and Encryption
+
+To commit to a scalar x with some random mask r, we use the following options:
+
+  COMp(x; r)  := rG + xHp(xG)        # Unconditionally hiding Pedersen
+  COMeg(x; r) := (rG + xHp(xG), rG)  # Computationally hiding El Gamal
+
+We may extend these to a vector/array/matrix B=[b[j][i]; j=0...m-1,i=0..n-1]:
+
+  COMp(B; r) := rG + b[0][0]Hp(b[0][0]G) + ... + b[m-1][n-1]Hp(b[m-1][n-1]G)
+
+and we can similarly lift this to an El Gamal commitment by appending rG. In
+the first case, we refer to x or the matrix B as the "data under commitment"
+and the value r as the "mask." Given a Pedersen commitment c, we open c by 
+revealing x and r, where a verifier checks that c == rG + xHp(xG). Given an 
+El Gamal commitment (C1, C2), we open by revealing r and x, a verifier 
+computes C2' = rG, C1' = rG + xHp(xG) from these, and lastly checks that 
+C1 == C1' and C2 == C2'. 
+
+These commitments are additive under the following definition:
+
+  COMp(x; r)  + COMp(x'; r')  := COMp(x+x'; r+r')
+  COMeg(x; r) + COMeg(x'; r') := COMeg(x+x'; r+r')
+
+
+               b. Ordinary Multi-signature
+
+The Ruffing scheme utilizes as a subroutine an efficient multisignature scheme, 
+consisting of three algorithms (KEYGEN*, SIG*, VER*). We present a scheme based 
+on the scheme described by Bellare and Neven in 2006 [3] (which is, in turn, 
+based on Schnorr signatures). Our variation of the B&N scheme is that it is 
+executed only by one party holding all the keys, so interaction is unnecessary. 
+We use a group of prime order q. Ruffing's  scheme assumes that the Decisional 
+Diffie-Hellman assumption holds, so there is no harm in making this assumption 
+for the ordinary multi-signature scheme. Let G be a commonly known generator of 
+the group. Let Hs be a hash function that produces a scalar in Zq. Let Zq denote 
+the integers modulo q. 
+
+KEYGEN*: Each user selects x at random from Zq. The secret key is x. The
+public key is X=xG. Output (sk,pk) = (x,X).
+
+SIG*: Take as input a message M and a list of private keys L = x[0], x[1],
+..., x[n-1]. Let L' be the associated list of public keys X[0], ..., X[n-1], 
+and assume L' is lexicographically ordered.
+    1) Compute L* = H(L').
+    2) For each i=0,1,...,n-1, select r[i] at random from Zq.
+    3) Compute r=r[0]+r[1]+...+r[n-1] and R=rG.
+    4) For each i=0,1,...,n-1:
+        i)  Compute c[i] := Hs(X[i], R, L*, M)
+        ii) Compute s[i] := r[i] + x[i]*c[i]
+    5) Compute s = s[0] + ... + s[n-1].
+    6) Output the signature sigma = (R, s)
+
+VER*: Take as input a message M, a set of keys L' = X[0], ..., X[n-1], and a 
+signature sigma = (R,s).
+    1) Compute L* = H(L')
+    2) For each i=0,1,...,n-1, compute c[i] = Hs(X[i], R, L*, M)
+    3) Accept if and only if sG = R + c[0]*X[0] + ... + c[n-1]*X[n-1]
+
+               c. NIZK Proofs
+====|====|====|====|====|====|====|====|====|====|====|====|====|====|====|====
+Lastly, the scheme also utilizes the following algorithms, (PROVE1, VALID1), 
+and (PROVE2, VALID2), which are NIZK prove-and-verify algorithm pairs. These 
+use the Fiat-Shamir transformation to make the zero-knowledge sigma protocols 
+presented by Bootle non-interactive under the random oracle model. The second
+algorithm requires the usage of a helper algorithm, COEFs, which computes 
+coefficients of certain polynomials.
+
+The pair (PROVE1, VALID1) allows a prover to demonstrate that each row of a 
+matrix is a set of commitments to bits that open to exactly one 1 (the rest 
+open to 0). The implementation works like this:
+
+PROVE1: Take as input ([[b[0][0], b[0][1], ..., b[m-1][n-1]] ], r).
+    1)  Select r[A], r[C], r[D] at random from Zq.
+    2)  For each j=0, 1,..., m-1 and for each  i=1,2,...,n-1, select a[j][i] 
+        from Zq at random.
+    3)  For each j, compute a[j][0] = -a[j][1] - a[j][2] - ... - a[j][n-1].        
+    4)  Compute A:=COMp(a[0][0], ..., a[m-1][n-1]; r[A])
+    5)  For each j=0,...,m-1 and i=0,...,n-1, compute the values
+        c[j][i] := a[j][i]*(1-2*b[j][i])
+        d[j][i] := -a[j][i]^2
+    6)  Compute the commitments C:=COMp(c[0][0], ..., c[m-1][n-1]; r[C]) and
+        D:=COMp(d[0][0],...,d[m-1][n-1]; r[D]).
+    7)  Compute x := Hs(A,C,D)
+    8)  For each j=0,...,m-1, i=0,...,n-1, compute f[j][i]:=b[j][i]*x + a[j][i]
+    9)  Compute z[A]:= r*x + r[A], z[C]:=r[C]*x+r[D]
+    10) Output proof P:=A,C,D, f[0][1],f[0][2], ..., f[0][n-1], f[1][1], 
+        f[1][2], ..., f[1][n-1], ..., f[m-1][1], ...,  f[m-1][n-1], z[A], z[C].
+
+When PROVE1 is run as a subroutine for PROVE2, the prover will also output the 
+values of each a[j][i]; these are not part of the formal proof, but they are 
+used elsewhere. Note that we do not output the first column of the matrix F 
+whose (ji)^th entry is f[j][i]. Essentially here, we are taking a matrix, we 
+are showing each row sums to 1 and each element satisfies the equation
+b[j][i]*(1-b[j][i]) = 0.
+
+VALID1: Take as input B (the prover wishes to demonstrate B is a commitment to
+the values b[j][i] as described in PROVE1) and proof P. 
+    1)  If A,B,C,D are each elliptic curve points, both z[A] and z[C] are ele-
+        ments of Zq, and each f[j][i] are elements of Zq, compute the value 
+        x := Hs(A,C,D). Else, output FAIL and terminate.
+    2)  For each j=0, ..., m-1, compute f[j][0] = x-f[j][1] - ... - f[j][n-1].
+    3)  For each j=0, ..., m-1, i=0,...,n-1, compute each of the values
+        f'[j][i] := f[j][i]*(x-f[j][i])
+    4)  Return 1 if and only if all of the conditions hold true:
+        i)   For each j=0, ..., m-1, f[j][0]=x-f[j][1]-f[j][2]- ... -f[j][n-1]
+        ii)  xB + A = COMp(f[0][0], ..., f[m-1][n-1]; z[A])
+        iii) xC + D = COMp(f'[0][0], ..., f'[m-1][n-1]; z[C])
+        (otherwise return 0).
+
+The pair (PROVE2, VALID2) allows a prover to demonstrate that a sequence of 
+commitments contains at least one commitment to 1. The implementation works 
+like this:
+
+PROVE2: Take as input a sequence of values c[0], c[1], ... c[N-1] for
+some N= n^m, a secret index i* in this list corresponding to a commitment that
+opens to 1, and a random scalar r in Zq. For all integers j, i, define the 
+Kronecker delta function as DELTA(j,i) := 1 if j=i and 0 otherwise.
+    1)  For k=0, 1, ..., m-1, select random coefficient u[k] at random from Zq.
+    2)  Select r[B] at random from Zq.
+    3)  Write i* in n-ary i* = i*[0] + i*[1]*(n) + i*[2]*(n^2) + ... 
+            ... + i*[m-1]*(n^(m-1)), and represent i*  as the sequence i*[j].
+    4)  For each j=0, 1, ..., m-1 and i=0, 1, ..., n-1, define the values
+        d[j][i] := DELTA(i*[j],i).
+    5)  Compute B:=COMp(d[0][0], ..., d[m-1][n-1]; r[B]).
+    6)  Prover runs PROVE1 and stores the output as the list of data 
+        P <- PROVE1(B, (d[0][0], ..., d[m-1][n-1], r[B])) and stores the values
+        a[j][i] for use in the next step. Note the prover receives A, C, D from
+        PROVE1, all the values f[j][i], and the values z[A], z[C].
+    7)  coefs <- COEFS(a[0][0], ..., a[m-1][n-1], i*)
+    8)  For k=0, ..., m-1:
+        i)   G[k] := ENCeg(0, u[k])  # = (rHp(G), rG)
+        ii)  For i=0, ..., N-1, update G[k] by multiplying:
+             G[k]=G[k]*(co[i]^coefs[i][k])
+                 =(G[k][1]+coefs[i][k]*co[i][1], G[k][2]+coefs[i][k]*co[i][2])
+        The final value for each G[k] from step 8 can be written explicitly:
+           G[k]=(rHp(G)+coefs[0][k]*co[0][1] + ... +coefs[n-1][k]*co[n-1][1],
+                 rG+coefs[0][k]*co[0][2] + ... +coefs[n-1][k]*co[n-1][2])
+    9)  Compute x' = Hs(A,B,C,D, G[0], ..., G[m-1]).
+    10) Compute z:= r*(x')^m - u[m-1]*(x')^(m-1) - ... - u[1]*(x')^1 - u[0]
+    11) Output proof P':=P, B, G[0], ..., G[m-1], z.
+
+VALID2: Take as input a list of N El Gamal commitments co[0], ..., co[N-1] and a
+proof P' parsed as P, B, G[0],...,G[m-1], where P is a proof parsed as 
+P = A,C,D, f[0][1],f[0][2], ..., f[m-1][n-1], z[A], z[C]. 
+    1)  If A,B,C,D, each G[k] are all elliptic curve points, and if z[A], z[C], 
+        and z are elements of Zq, and if each f[j][i] are elements of Zq, and 
+        if VALID1(B,P)=1, then compute the value 
+            x' := Hs(A, B, C,D,G[0],...,G[m-1]). 
+        Else, output FAIL and terminate.
+    2)  Compute c := ENCeg(0,z).
+    3)  For each k=0,...,m-1, compute 
+            G[k]^(-x^k) := (-x^k*G[k][1],-x^k*G[k][2]).
+    4)  Compute (G[0]^(-(x')^0))*(G[1]^(-(x')^1))*...*(G[m-1]^(-(x')^(m-1)) 
+        which explicitly is the ordered pair (G*[1], G*[2]):
+            (-G[0][1] - (x')G[1][1] - ... - (x')^(m-1)G[m-1][1], 
+            -G[0][2] - (x')G[1][2] - ... - (x')^(m-1)G[m-1][2] )
+    5)  For each j=0, ..., m-1, i=0,...,n-1, compute each of the values
+            f[j][0] := x' - f[j][1] - f[j][2] - ... - f[j][n-1].
+    6)  For each i=0,...,N-1, write i in n-ary arithmetic as usual as
+        i = i[0] + i[1]*n + i[2]*(n^2) + ... + i[m-1]*(n^(m-1)). Compute the
+        values g[i] := f[0][i[0]]*f[1][i[1]]*...*f[m-1][i[m-1] and the
+        commitments co*[i] := co[i]^g[i] = (g[i]*co[i][1], g[i]*co[i][2]).
+    7)  Compute (co*[0])*(co*[1])*...*(co*[N-1]) which ends up as the ordered
+        pair (c**[1], c**[2])
+            (c*[0][1] + c*[1][1] + ... c*[N-1][1], c*[0][2] +  ... c*[N-1][2])
+    8)  Compute c'=(c**[1],c**[2])*(G*[1],G*[2])=(c**[1]+G*[1], c**[2] + G*[2]).
+    9)  Return 1 if and only if c' == c and 0 otherwise.
+
+COEFS: We split this into two algorithms. The outer layer, COEFS, is specific 
+to the Ruffing scheme. The inner layer, COEFPROD, takes two sequences of coef-
+ficients as input, representing polynomials, and outputs a sequence of coef-
+ficients of the resulting product of those two polynomials. We denote the 
+Discrete Fourier Transform as DFT, and the inverse IDFT. 
+
+COEFS takes as input a matrix A = a[0][0], ..., a[m-1][n-1] and index i* such
+that 0 <= i* < n^m. We decompose 0 <= i* < N into the n-ary representation
+    i* = i*[0] + i*[1]*n + ... + i*[m-1]*n^(m-1)
+In this decomposition, for each 0 <= j < m, we have the constraint 
+0 <= i*[j] < n (otherwise we could include the "runoff" above n into the co-
+efficient one index higher). For index 0 <= k < N we again decompose into 
+the n-ary representation
+    k  = k[0]  + k[1]*n  + ... + k[m-1]*n^(m-1)
+where for each index 0 <= j < m (where N=n^m), we have 0 <= k[j] < n.  We rep-
+resent the polynomial defined by DELTA(i*[j],k[j])*x + a[j][k[j]] as an array 
+    q[j][k] = [a[j][k[j]], DELTA(i*[j],k[j])]
+We then do the following:
+    1) For each k = 0, ..., N-1:
+        i)  Compute coefList[k] : = q[0][k]
+        ii) For 1<=j<m update coefList[k] = COEFPROD(coefList[k], q[j][k[j]])
+    2) Output coefList[0], coefList[1], ..., coefList[N-1].
+
+COEFPROD: Take as input lists c[0],...,c[n-1] and d[0],...,d[n-1]. If these are
+not the same length, the shorter one may be padded with zeros at the end. We
+can parse the polynomial p(x) = c[0] + c[1]*x + ... + c[n-1]*x^(n-1) and the
+polynomial q(x) = d[0] + d[1]*x + ... + d[n-1]*x^(n-1). Let m = 2n-1.
+    1) Compute P := DFT(p), Q := DFT(q). Both P and Q should have length m and
+        This should take O(n*log(n)) time.
+    2) Compute PQ := [P[0]*Q[0], P[1]*Q[1], ...]. This should take O(n) time.
+    3) Compute t:= IDFT(PQ) = t[0], t[1], ..., t[m]. This should take 
+        O(n*log(n)).
+    4) Output t as the coefficients of p(x)*q(x).
+
+
+               II. BOOTLE-RUFFING RINGCT SCHEME
+
+We are now in a position to present Ruffing's scheme in its entirety. We select 
+a group of prime order q under which the Decisional Diffie-Hellman assumption 
+holds. Let G be a commonly known generator of the group. Let Hp be a hash func-
+tion that produces an elliptic curve point. Let Hs be a hash function that prod-
+uces a scalar in Zq. Let Zq denote the integers modulo q. 
+
+KEYGEN: 
+    1) Select r,r' randomly from Zq.
+    2) Set sk := (r,r')
+    3) Set ki := r'G
+    4) Set pk := ENCeg(ki,r)
+    5) Output (sk,ki,pk).
+
+SPEND: Take as input an (L x N)  matrix of public keys PK written as 
+PK  = [pk[j][i]; j=0,1,...,L-1, i=0,1,...,N-1], such that the signer knows the 
+associated secret keys of the column with (secret) index i*, a commitment for 
+each column co = co[0], co[1], ...., co[N-1] such that co[i*] opens to zero, a 
+set of secret keys sk = sk[0],sk[1],...,sk[L-1], a set of key images ki, a 
+message M, and a random scalar s from Zq. Write each secret key as 
+sk[i]=(r[i],r'[i]).
+
+    1) Compute co' := sG.
+    2) Set f := (ki, PK, co, co', M)
+    3) Compute (c, f') := SUB(f)
+    4) Compute s' := s + r[0]*f'[0] + r[1]*f'[1] + ... + r[L-1]*f'[L-1]
+    5) Compute sigma[1] := PROVE2(c, i*,s')
+    6) Compute sigma[2] := SIG*((r'[0], r'[1], ..., r'[L-1]), (sigma[1], f))
+    7) Output signature = (co', sigma[1], sigma[2])
+
+SUB: Take as input key images ki = ki[0], ki[1], ..., ki[L-1], a matrix of 
+public keys PK = [pk[j][i]; j=1,2,...,L, i=1,2,...,N], a set of Pedersen com-
+mitments co = co[1], ..., co[N], an elliptic curve point co', and message M.
+
+    1) For j=0, 1, ..., L-1:
+        i)  Compute pkz[j] := (ki[j],0) 
+        ii) Compute f[j]   := Hs(ki[j],f,j)
+    2) For i=0, 1, ..., N-1 do:
+        i)   Set c[i] := (co[i], co')
+        ii)  For j=0,1, ..., L-1, update c[i] = c[i]*(pk[j][i]/pkz[j])^(f[j])
+    3) Output (c,f) where c = c[0], ..., c[N-1], f=f[0], ..., f[L-1].
+
+Note that due to commitment arithmetic the result c[i] is written explicitly as:
+  (co[i]+f[0]*(pk[0][i][1]-pkz[0][1])+ ... +f[L-1]*(pk[L-1][i][1]-pkz[L-1][1]), 
+   co'+f[0]*(pk[0][i][2]-pkz[0][2])+ ... +f[L-1]*(pk[L-1][i][2]-pkz[L-1][2]))
+
+VER: This verifies a ring signature. Take as input a set of key images
+ki = ki[0], ki[1], ..., ki[L-1], a matrix of public keys PK, commitments
+co = co[0], ..., co[N-1], an elliptic curve point co', a message M, and a sig-
+nature from SPEND, signature = (co', sigma[1], sigma[2]).
+
+    1) Set f := (ki, PK, co, co', M).
+    2) Compute (c, f') := SUB(f) (we only use c for verification)
+    3) Return 1 iff 
+        (i)  the signature sigma[2] on message (sigma[1], f) passes VER* with
+             keys ki, i.e. VER*((sigma[1],f), ki, sigma[2])==1
+        (ii) the proof sigma[1] is a valid NIZK proof that one of the commit-
+             ments in co open to 0, i.e. VALID2(sigma[1], co) == 1. 
+       Return 0 otherwise.
+
+              III. Specific Example
+
+Here is a quick concrete example using integer scalars of the Bootle NIZK
+proof that a commitment opens appropriately* as in PROVE1/VALID1 above.
+We start with random data we wish to commit to. Each entry must be
+a bit and each row must sum to 1 if VALID1 is to validate the proof. We
+may as well go with the identity matrix:
+
+[ [b[0][0], b[0][1] ],   =   [ [1, 0],
+  [b[1][0], b[1][1] ] ]        [0, 1] ]
+
+We compute the commitment B = COMp([b[j][i]], rB):
+
+B = rB*G + 1*H[0,0] + 0*H[0,1] + 0*H[1,0] + 1*H[1,1]
+
+We pick random a[0][1], say 7, and a random a[1][1], say -5. We compute a[j][0]
+as -sum(a[j][i]):
+
+[ [a[0][0], a[0][1] ],   =   [ [-7,  7],
+  [a[1][0], a[1][1] ] ]        [ 5, -5] ]
+
+We compute commitment A = COMp( [a[j][i]], rA):
+
+A = rA*G - 7*H[0,0] + 7*H[0,1] + 5*H[1,0] - 5*H[1,1]
+
+We compute c[j][i] = a[j][i]*(1-2b[j][i]), d[j][i] = -a[j][i]^2:
+
+[ [c[0][0], c[0][1] ],   =   [ [7, 7],
+  [c[1][0], c[1][1] ] ]        [5, 5] ]
+
+[ [d[0][0], d[0][1] ],   =   [ [-49, -49],
+  [d[1][0], d[1][1] ] ]        [-25, -25] ]
+
+We compute commitments C and D:
+
+C = rC*G +  7*H[0,0] +  7*H[0,1] +  5*H[1,0] +  5*H[1,1]
+D = rD*G - 49*H[0,0] - 49*H[0,1] - 25*H[1,0] - 25*H[1,1]
+
+We compute x = Hs(A,C,D). We compute f[j][i] = b[j][i]*x + a[j][i]:
+
+[ [f[0][0], f[0][1] ],   =   [ [x-7,   7],
+  [f[1][0], f[1][1] ] ]        [  5, x-5] ]
+
+We compute zA = rB*x + rA, zC = rC*x + rD and send [A,B,C,D, zA, zC] together
+with all columns except the first column of [f[j][i]] as our NIZK proof that B
+is a well-formed Bootle commitment*. Now a verifier receives the left hand side
+of the following system of equations
+
+A       = rA*G -  7*H[0,0] +  7*H[0,1] +  5*H[1,0] -  5*H[1,1]
+B       = rB*G +  1*H[0,0] +  0*H[0,1] +  0*H[1,0] +  1*H[1,1]
+C       = rC*G +  7*H[0,0] +  7*H[0,1] +  5*H[1,0] +  5*H[1,1]
+D       = rD*G - 49*H[0,0] - 49*H[0,1] - 25*H[1,0] - 25*H[1,1]
+f[0][1] = 7
+f[1][1] = x-5
+zA      = rB*x + rA
+zC      = rC*x + rD
+
+Using the left hand side only, the verifier computes:
+x       := H(A,C,D)
+f[0][0] := x - f[0][1]
+f[1][0] := x - f[1][1]
+Now the verifier computes the matrix [f'[j][i]] = [f[j][i]*(x-f[j][i])]:
+[ [f'[0][0], f'[0][1] ],   =   [ [f[0][0]*(x-f[0][0]), f[0][1]*(x-f[0][1])],
+  [f'[1][0], f'[1][1] ] ]        [ f[1][0]*(x-f[1][0]), f[1][1]*(x-f[1][1])] ]
+and computes the commitments COM(f[j][i], zA), COM(f'[j][i], zC):
+
+COM( f[j][i], zA) := zA*G +  f[0][0]*H[0,0] +  f[0][1]*H[0,1] + ...
+COM(f'[j][i], zC) := zC*G + f'[0][0]*H[0,0] + f'[0][1]*H[0,1] + ...
+
+The verifier can now check whether
+  i)  xB + A =? COM(f[j][i], zA)
+  ii) xC + D =? COM(f'[j][i], zC)
+
+Note that if the verifier received the values as specified above, she computes
+the same f[0][0], f[1][0] as the prover used, x-7 and 5, so the verifier 
+obtains the matrix 
+
+[ [f[0][0], f[0][1] ],   =   [ [x-7,   7],
+  [f[1][0], f[1][1] ] ]        [  5, x-5] ]
+  
+and computes
+
+[ [f'[0][0], f'[0][1] ],   =   [ [7(x-7), 7(x-7)],
+  [f'[1][0], f'[1][1] ] ]        [5(x-5), 5(x-5)] ]
+  
+And thus computes the commitments
+
+COM([ f[j][i]], zA) = zA*G + (x-7)*H[0,0] + 7*H[0,1] + 5*H[1,0] + (x-5)*H[1,1]
+COM([f'[j][i]], zC) = zC*G + 7(x-7)*H[0,0] + 7(x-7)*H[0,1] + 5*(x-5)*H[1,0] 
+                      + 5(x-5)*H[1,1]
+
+On the other hand, she is given B and A, and with her x, she can compute xB+A:
+
+xB + A = x(rB*G +  1*H[0,0] +  0*H[0,1] +  0*H[1,0] +  1*H[1,1])
+         + (rA*G -  7*H[0,0] +  7*H[0,1] +  5*H[1,0] -  5*H[1,1])
+       = (rB*x + rA)*G  + (x-7)*H[0,0] + 7*H[0,1] + 5*H[1,0] + (x-5)*H[1,1]
+
+Lo and behold, this matches COM([ f[j][i]], zA). She can do the same with C,D:
+
+xC + D = x(rC*G +  7*H[0,0] +  7*H[0,1] +  5*H[1,0] +  5*H[1,1])
+         + (rD*G - 49*H[0,0] - 49*H[0,1] - 25*H[1,0] - 25*H[1,1])
+       = (rC*x + rD)*G + 7(x-7)*H[0,0] + 7(x-7)*H[0,1] + 5(x-5)*H[1,0] 
+         + 5*(x-5)*H[1,1]
+
+Voila!
+
+
+
+               IV. REFERENCES
+
+    [1] Ruffing, Thyagarajan, Ronge, Schröder. "Boosting Private Payments in 
+        Monero: New Attacks, Exact Cryptographic Definitions, and Sublinear 
+        Ring Signatures." In preparation.
+    [2] Bootle, Cerulli, Chaidos, Ghadafi, Groth, Petit. "Short accountable 
+        ring signatures based on DDH." European Symposium on Research in 
+        Computer Security. Springer, Cham, 2015.
+    [3] Bellare, Mihir, and Gregory Neven. "Multi-signatures in the plain 
+        public-key model and a general forking lemma." Proceedings of the 13th
+        ACM conference on Computer and communications security. ACM, 2006.
+
+