-
kayabaNerve: I have a cryptography question that's a really weird edge case. Can't you break amount commitments for single-input TXs if you know the view key for every output?
-
kayabaNerve: Like, it's a pointless exercise. If you have the view key for every output, you can just sum the amounts and fee and call it a day.
-
kayabaNerve: *pre-BP
-
kayabaNerve: For a single input TX, the blinding factor is sum(outSk) which was public before the move to 8-byte encrypted amounts BUT the publicized version was outSk + amount_key. If you can subtract the amount_key, which requires knowing it and therefore the output value, you can recover outSk. Knowing every outSK lets you remove the blinding factor from the input commitment and then it's a simple enough problem. Just get an FPGA to build a
-
kayabaNerve: lookup table for a {1 .. MAX} H
-
kayabaNerve: Like is there something I'm misunderstanding and I'm just an idiot, am I right, and then am I still an idiot for going down this rabbit hole when you can just sum the decrypted amounts lol
-
kayabaNerve: This is presumably just a transposition of the actual commitment checks executed. I just found it interesting and wanted to ask without digging out enough tooling to try it for myself on a dummy TX.
-
UkoeHB: yes it's a known issue
-
kayabaNerve: ... is it an issue?
-
kayabaNerve: And thanks for the confirmation :)
-
kayabaNerve: Eh. I can see situations in which it becomes an issue if someone continually modifies the proofs without understanding that part. As of right now, it has no value though. Only reason I posted about it.
-
UkoeHB: I comment on this in the seraphis paper, section 4.2.2
-
kayabaNerve: I'll check it out. Thanks :)