23:00:36 <kayabaNerve> I have a cryptography question that's a really weird edge case. Can't you break amount commitments for single-input TXs if you know the view key for every output?
23:01:01 <kayabaNerve> Like, it's a pointless exercise. If you have the view key for every output, you can just sum the amounts and fee and call it a day.
23:01:15 <kayabaNerve> *pre-BP
23:02:50 <kayabaNerve> For a single input TX, the blinding factor is sum(outSk) which was public before the move to 8-byte encrypted amounts BUT the publicized version was outSk + amount_key. If you can subtract the amount_key, which requires knowing it and therefore the output value, you can recover outSk. Knowing every outSK lets you remove the blinding factor from the input commitment and then it's a simple enough problem. Just get a FPGA to build a 
23:02:50 <kayabaNerve> lookup table for a {1 .. MAX} H
23:03:49 <kayabaNerve> Like is there something I'm misunderstanding and I'm just an idiot, am I right, and then am I still an idiot for going down this rabbit hole when you can just sum the decrypted amounts lol
23:06:44 <kayabaNerve> This is presumably just a transposition of the actual commitment checks executed. I just found it interesting and wanted to ask without digging out enough tooling to try it for myself on a dummy TX.
23:09:39 <UkoeHB> yes it's a known issue
23:10:06 <kayabaNerve> ... is it an issue?
23:10:15 <kayabaNerve> And thanks for the confirmation :)
23:10:43 <kayabaNerve> Eh. I can see situations in which it becomes an issue if someone continually modifies the proofs without understanding that part. As of right now, it has no value though. Only reason I posted about it.
23:23:57 <UkoeHB> I comment on this in the seraphis paper, section 4.2.2
23:51:43 <kayabaNerve> I'll check it out. Thanks :)