How to View-scan Monero without View Keys, public nor private
Requirements
Working quantum computer
Address spend pubkey of target, main or subaddress
How it works
Background
A transaction output in Monero RingCT contains four main components: the output pubkey $K_o$ (AKA onetime address), the amount commitment $C_a$, the encrypted amount $a_{enc}$, and the ephemeral tx pubkey $K_e$. All of these, except $a_{enc}$, are elliptic curve points in Ed25519. As of hardfork v10, a transaction output of amount $a$, at index $i_o$, addressed to $(K^j_s, K^j_v)$, is computed as:
Where $G$ and $H$ are independent generators, $H_s$ is a hash-to-scalar function, and $H_8$ is a hash-to-8-bytes function. $k_v$ and $k_e$ are the private view key, and the ephemeral tx private key, respectively.
Method
If one suspects that a transaction output is addressed to some address spend pubkey $K^j_s$, and they have a quantum computer which can calculate the discrete logarithm between points on Ed25519, they could perform the following:
$K_{ext}' = K_o - K^j_s$
$k_{ext}' = dlog(K_{ext}', G)$
$m_a' = H_8("amount" \mid\mid k_{ext}')$
$a' = m_a' \oplus a_{enc}$
$z' = H_s("commitment_mask" \mid\mid k_{ext}')$
$C_a' = z' G + a' H$
Where $dlog(Q, P)$ returns $a$ such that $Q = a P$.
If $C_a' = C_a$, then this transaction output was addressed to that address with that amount. No view key needed. The check holds with cryptographic certainty: given $a, z, C$ such that $C = z G + a H$, it is computationally intractable to find $a' \neq a, z' \neq z$ such that $C = z G + a H = z' G + a' H$, assuming that the discrete log between $G$ and $H$ is unknown.
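The commitment-recomputation check above is the same test a wallet applies to every output it scans; what the method changes is only where $k_{ext}'$ comes from. The following added example (constructed here, not code from the page or from Monero) runs that check in a toy setting to illustrate the binding argument: with the right scalar the commitment reproduces and the amount is recovered, and with a scalar belonging to a wrong candidate spend key the commitment does not reproduce, so the check yields no false positive. The toy uses pure-Python affine Ed25519 arithmetic, `hashlib.sha3_256` as a stand-in for Monero's Keccak-256 in $H_s$ and $H_8$, a toy second generator `H` with unknown discrete log relative to `G` (not Monero's actual $H$), and a simplified derivation in which $k_{ext}$ is taken directly as the shared-secret scalar. No discrete-log step is implemented: `check_output` is simply handed the candidate scalar, and the wrong-key case is constructed by shifting the spend key by a known multiple of `G`.

```python
"""Toy reconstruction of the amount-commitment check (constructed example).
Assumptions: affine Ed25519 in pure Python, sha3_256 standing in for Keccak-256,
a toy generator H (not Monero's), and k_ext used directly as the shared secret.
The dlog step is NOT implemented; the checker receives the candidate scalar."""
import hashlib

P = 2**255 - 19                                         # field prime
L = 2**252 + 27742317777372353535851937790883648493     # group order
D = (-121665 * pow(121666, P - 2, P)) % P               # twisted Edwards d

def point_add(p1, p2):
    x1, y1 = p1
    x2, y2 = p2
    dxy = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + dxy, P - 2, P)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - dxy, P - 2, P)
    return (x3 % P, y3 % P)

def point_neg(pt):
    return ((-pt[0]) % P, pt[1])

def scalar_mult(k, pt):
    result, addend = (0, 1), pt                          # (0, 1) is the identity
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def recover_x(y, sign=0):
    """Solve x^2 = (y^2 - 1) / (d*y^2 + 1); ValueError if y is not on the curve."""
    y2 = y * y % P
    x2 = (y2 - 1) * pow(D * y2 + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P             # multiply by sqrt(-1)
    if (x * x - x2) % P:
        raise ValueError("not a curve point")
    return P - x if (x & 1) != sign else x

G_Y = 4 * pow(5, P - 2, P) % P
G = (recover_x(G_Y), G_Y)                               # standard base point

def toy_h():
    """Toy hash-to-point generator with unknown dlog w.r.t. G (NOT Monero's H)."""
    for ctr in range(256):
        y = int.from_bytes(hashlib.sha3_256(b"toy-H" + bytes([ctr])).digest(), "little") % P
        try:
            return scalar_mult(8, (recover_x(y), y))     # clear the cofactor
        except ValueError:
            continue
    raise RuntimeError("no point found")

H = toy_h()

def h_s(data):      # H_s: hash-to-scalar (sha3_256 stands in for Keccak-256)
    return int.from_bytes(hashlib.sha3_256(data).digest(), "little") % L

def h_8(data):      # H_8: hash-to-8-bytes
    return hashlib.sha3_256(data).digest()[:8]

def build_output(k_ext, K_s, amount):
    """Sender side: (K_o, C_a, a_enc) for shared-secret scalar k_ext (toy derivation)."""
    K_o = point_add(K_s, scalar_mult(k_ext, G))
    kb = k_ext.to_bytes(32, "little")
    m_a = h_8(b"amount" + kb)
    a_enc = bytes(x ^ y for x, y in zip(amount.to_bytes(8, "little"), m_a))
    z = h_s(b"commitment_mask" + kb)
    C_a = point_add(scalar_mult(z, G), scalar_mult(amount, H))
    return K_o, C_a, a_enc

def check_output(K_o, C_a, a_enc, K_s, k_ext_candidate):
    """The page's steps K_ext' .. C_a'. Returns the amount if C_a' == C_a, else None.
    k_ext_candidate plays the role of dlog(K_o - K_s, G); this toy cannot compute it."""
    K_ext = point_add(K_o, point_neg(K_s))
    if scalar_mult(k_ext_candidate, G) != K_ext:
        return None                                     # candidate is not even the dlog
    kb = k_ext_candidate.to_bytes(32, "little")
    m_a = h_8(b"amount" + kb)
    a = int.from_bytes(bytes(x ^ y for x, y in zip(a_enc, m_a)), "little")
    z = h_s(b"commitment_mask" + kb)
    C_prime = point_add(scalar_mult(z, G), scalar_mult(a, H))
    return a if C_prime == C_a else None

def demo():
    k_s = h_s(b"toy spend key")                         # constructed receiver key
    K_s = scalar_mult(k_s, G)
    k_ext = h_s(b"toy shared secret")                   # constructed shared-secret scalar
    K_o, C_a, a_enc = build_output(k_ext, K_s, 123_456)
    hit = check_output(K_o, C_a, a_enc, K_s, k_ext)
    # Wrong candidate spend key K_s + G: its "dlog" is k_ext - 1 (constructed so we know it);
    # the point check passes but the recomputed commitment does not match.
    wrong_key = check_output(K_o, C_a, a_enc, point_add(K_s, G), (k_ext - 1) % L)
    return hit, wrong_key

if __name__ == "__main__":
    print(demo())   # (123456, None)
```

The wrong-key case is what the binding argument protects against: the candidate scalar is a genuine discrete log of $K_o - K_s'$, so the first check passes, yet the decrypted amount and mask it yields do not recombine to $C_a$.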