# Borromean Rules

## Introduction

These rules apply to all ringCT types that use Borromean ring signatures to prove an output amount is in the correct range.

## Rules

### Number Of Borromean Range Proofs

The amount of Borromean range proofs must be the same as the number of outputs.^{1}

### Ci Valid Points

Each Ci (bit commitment) must be canonically encoded points.^{2}

### Sum Ci

For a range proof at a certain index the sum of each Ci must equal the outPK at that index.^{3}

### Borromean Scalar Encoding

Monero does not check that the scalars `s0`

and `s1`

are reduced this leads to them, if not reduced, being interpreted as a different scalar by the `slide`

function
which calculates the 5-NAF of the number. The `slide`

function restricts it's output to 256 bytes however if the last bit is set on the input this could lead to the
5-NAF of the scalar being 257 bytes long. There are scalars on the chain which have this behavior.^{4}

The scalar `ee`

must be a fully reduced scalar as it is compared against the raw bytes of an output from the `hash_to_scalar`

function.^{5}

### The Borromean Ring Must Be Valid

To verify a Borromean ring signature is valid you must first set up the public keys that the ring will be verified with, one member of the ring will be a Ci the
other will be (\(Ci - H * 2^X \)), where X is the index of the Ci. By setting up the ring like this the prover will only know the discreet log of a
ring member if either the Ci is a commitment to 0 or \(2^X\)^{6}.

After setting up the public keys the actual borromean rings must be valid.^{7}