Confidential Transactions from Basic Principles (cryptoservices.github.io)
144 points by baby on July 30, 2017 | hide | past | favorite | 12 comments


Strange to not cite the origin of the confidential transactions scheme.

an early writeup: https://people.xiph.org/~greg/confidential_values.txt

http://diyhpl.us/wiki/transcripts/gmaxwell-confidential-tran... which is a transcript of https://www.youtube.com/watch?v=LHPYNZ8i1cU

The actual borromean ring signature paper (compiled into pdf): http://diyhpl.us/~bryan/papers2/bitcoin/Borromean%20ring%20s...

Confidential transactions was later extended to confidential assets: https://blockstream.com/bitcoin17-final41.pdf and https://blog.chain.com/hidden-in-plain-sight-transacting-pri...


You're right. I should have at least included this reference: https://elementsproject.org/elements/confidential-transactio...


FWIW, I've found it much easier when explaining to people to first explain a Pedersen commitment. Then explain how a Pedersen commitment can be forged if you know the discrete log relating the two generators.

Then I explain a chameleon hash function as a hash function where you can generate collisions if you know a trapdoor, which is just a Pedersen forgery... then you feed the output of the chameleon into its input, and... and the result is a Schnorr signature.

So each idea builds on the last.


The version of non-interactive Schnorr presented here is called "weak Fiat-Shamir" and it has led to things getting broken. While there are edge cases when it's ok to use, I would strongly discourage it.

In step 2, e = H(Q || M) should be e = H(Q || M || P). That binds the signature to the public key; if you don't have that, then the scheme is not sound in the usual models (UF-CMA + ROM etc.).

EDIT: see "How not to prove yourself", Asiacrypt 2012, eprint 2016/771.


Reading through the linked paper, it seems that as long as P is fixed before the proof is attempted, wFS is secure. I probably could have made it more explicit, but that is indeed my assumption in the setup of the blog post.
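The chain of ideas in the comments above (Pedersen commitment, its forgery given the discrete log between the generators, which is the chameleon-hash trapdoor, and Schnorr with the public key included in the Fiat-Shamir hash) as an added, runnable illustration; this is not code from the blog post or from any of the commenters. The group parameters, the trapdoor value and the key are constructed for the demonstration only.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration (not a real parameter set):
# p = 2q + 1 with q prime, so the squares mod p form a subgroup of prime order q.
P, Q = 2039, 1019
G = 4  # 2^2, a generator of the order-q subgroup

def exp(base, e):
    return pow(base, e % Q, P)

def h_int(*parts):
    # Fiat-Shamir challenge: hash the transcript and reduce into Z_q.
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

# Pedersen commitment C = G^v * H^r. In a real deployment H is derived so that
# nobody knows log_G(H); here the trapdoor k is kept so the forgery can be shown.
TRAPDOOR_K = 777  # constructed trapdoor: H = G^k
H = exp(G, TRAPDOOR_K)

def commit(v, r):
    return (exp(G, v) * exp(H, r)) % P

def forge_opening(v, r, v2, k):
    """With k = log_G(H), open commit(v, r) to a different value v2.
    This is also a chameleon-hash collision for ch(m, r) = G^m H^r."""
    # G^v H^r = G^(v + k r) = G^(v2 + k r2)  =>  r2 = r + (v - v2) / k  (mod q)
    return (r + (v - v2) * pow(k, -1, Q)) % Q

# Schnorr signature with strong Fiat-Shamir: e = H(R || m || pubkey).
def schnorr_sign(x, m):
    k = secrets.randbelow(Q - 1) + 1   # per-signature nonce
    R = exp(G, k)
    e = h_int(R, m, exp(G, x))         # public key bound into the challenge
    s = (k + e * x) % Q
    return (R, s)

def schnorr_verify(pub, m, sig):
    R, s = sig
    e = h_int(R, m, pub)
    return exp(G, s) == (R * exp(pub, e)) % P
```

Without the trapdoor, finding a second opening of a commitment is a discrete-log problem in this group; with it, `forge_opening` produces one in constant time, which is exactly why the commitment's H must be generated without a known relation to G.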


One thing that worried me a bit about confidential transactions: Bitcoin seems fairly securely-designed, but even it had an integer overflow bug: https://en.bitcoin.it/wiki/Value_overflow_incident

That particular bug seems explicitly covered by this cryptography, using the rangeproofs. But if there were ever some other subtle bug that created money out of thin air, would you be ever able to detect it? The schemes mentioned all seem to sanity-check individual transactions, and not accounts or the money supply as a whole.

The article mentions Monero and CryptoNote, for example: https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-i...

And that page says: "This effectively allows someone to create an infinite amount of coins in a way that is impossible to detect without knowing about the exploit and explicitly writing code to check for it."

It seems like a formal correctness proof would be very important for cryptocurrencies with such strong privacy guarantees.


There's a trade-off you have to make where you can choose either absolute privacy and computational inflation guarantees, or vice versa. Strangely, confidential transactions choose strong privacy over inflation guarantees.


It's not a strange tradeoff though.


Are you sure? If you lose privacy, that sucks but it reverts back to bitcoin of today. If you lose inflation guarantees, then it doesn't matter if you have privacy because the whole system becomes worthless.


Some people (myself included) would rather the system become worthless than have anyone's privacy be at risk.


So you’d rather lose your savings than have anyone reveal your holdings? This seems to me like a rather extreme point of view.

I mean, you have to keep your savings somewhere, right? You need savings for when you retire. And no alternative offers 100% anonymity, so in that case you would risk your anonymity for the security of your savings, right?

I’m not saying cryptocurrency will comprise even a minor part of your retirement savings any time soon, but perhaps in 10/20/30 years?


It depends entirely on what you're doing. There are people who "save" cryptocurrency and depend on its long-term value, but there are also people who are more worried about going to prison (or being murdered/extorted) than whether their coins will be worth anything in a few years.

The problem is that non-private cryptocurrencies are permanent records of financial activity. I would rather risk soundness now than privacy forever, especially when there are post-quantum paths forward and our current assumptions are reasonable.



