wallet: skip identity points in decoy selection #10296
jeffro256 wants to merge 1 commit into monero-project:master from
ACK to banning selecting unspendable keys as decoys. NACK to changing the checks on the commitment. commit(r=0, v=0) and commit(r=1, a=0) are valid commitments and as statistically probable as any other uniformly-sampled randomness value. If you want to ban them for being trivial, also ban commit(r=2, a=0). Also, commit(r=3, a=0). Also, commit(r=4, a=0). Also, ... Also, I just really don't like commit(r=7205610562950251946294610472026491380, a=0). Can we ban that too?
Well, not really, since all coinbase outputs of amount zero are always
Great, will add it to the list ;)

Well, really, because your example is for a non-uniformly-sampled value when I distinguished to uniformly-sampled values. I maintain we shouldn't ban values you personally dislike because you dislike them. It's not a legitimate cryptographic process to argue our security via.
This skips the output for decoy selection if $O = 0$, $C = 0$, or $C = G$. $O = 0$ would cause the key image $L = 0$, which isn't valid by consensus rules (i.e. it is unspendable). If $C = 0$, or $C = G$, then it is known that the amount commitment binds to a 0 amount.
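
As an added illustration (not code from the PR or from Monero), the three conditions in the description can be checked over decoded Ed25519 points, alongside the `commit(r, a)` values discussed in the comments. It assumes a Pedersen commitment of the form commit(r, a) = r·G + a·H; `commit`, `skip_as_decoy` and `H_STANDIN` are hypothetical names, and `H_STANDIN` is a constructed stand-in rather than Monero's H.

```python
# Added illustration; names and the H stand-in are assumptions, not Monero code.
P = 2**255 - 19                          # Ed25519 field prime
D = -121665 * pow(121666, -1, P) % P     # curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)        # square root of -1 mod P
IDENTITY = (0, 1)                        # neutral element, written 0 on the page

def decode(enc: bytes):
    """Strict RFC 8032 decoding to affine (x, y); raises ValueError otherwise."""
    n = int.from_bytes(enc, "little")
    sign, y = n >> 255, n & ((1 << 255) - 1)
    if len(enc) != 32 or y >= P:
        raise ValueError("non-canonical encoding")
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if x * x % P != x2:
        x = x * SQRT_M1 % P
    if x * x % P != x2 or (x == 0 and sign):
        raise ValueError("not a curve point")
    return (P - x if (x & 1) != sign else x, y)

def encode(pt) -> bytes:
    x, y = pt
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def add(a, b):
    """Complete twisted Edwards addition (a = -1) in affine coordinates."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P)

def mul(k, pt):
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

G = decode(bytes.fromhex("58" + "66" * 31))   # standard Ed25519 base point
H_STANDIN = mul(0xC0FFEE, G)  # constructed; a real H has unknown discrete log

def commit(r, a) -> bytes:
    return encode(add(mul(r, G), mul(a, H_STANDIN)))

def skip_as_decoy(output_key: bytes, commitment: bytes) -> bool:
    # The description's three conditions: O = 0, C = 0, or C = G.
    O, C = decode(output_key), decode(commitment)
    return O == IDENTITY or C == IDENTITY or C == G
```

Comparing decoded points rather than raw bytes keeps the check independent of how the 32-byte value was produced; this decoder rejects non-canonical encodings outright instead of normalising them.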