I’ve tried to illustrate the obfuscation of the transaction graph: Here we have each transaction happening in sequence, building up the transaction graph.
The bottom sequence shows the true transaction graph, where as the top shows the decoy inputs in grey. Here we are padding each transaction with 3 decoy inputs.
The final obfuscated DAG is what you’d see when you look at the spentbook.
Auditing the spentbook:
- within a transaction, we can always verify if the sum(inputs) == sum(outputs) and that all outputs are positive (this relies on Pedersen commitments and range proofs)
- from within a transaction, we can’t know if an input is a fraudulent DBC, we need to go to the spentbook for that. i.e. Someone may have convinced some dishonest mint to sign an invalid DBC.
- To check if a DBC is real, we need to check that all paths up the DAG starting at that DBC leads to the genesis DAG