But I'm sure I can create valid ring-signature using MyPublic, YourPublic and MyPrivate keys.
You certainly can, but it won't be a valid signature to spend my output, only your output.
That's because it will fail the
VER step (page 10 of above mentioned whitepaper) when applied to my output. It will pass the step when applied to your output.
Even I can produce fake "key image" because no one can verify it.
No. The key image is an input in to the
VER step, and the signature won't verify with an invalid key image. Which is to say, it
can be verified. The key image also needs to be unique (not used before --
LNK step) but this only matters once the signature containing the key image is verified. It won't be if you try to use your private key and my output.
EDIT:
Oh, I think I understand what you're saying. You are saying that the verifier can't tell whether your output was spent or mine. This is true. The difference comes from the
LNK step, where
I'm still able to spend my output once you've done this but you can't spend yours again. That's because I can create another valid key image with any ring signature containing my output, and you can't create another valid key image for any ring signature containing yours.
So you see, my output has not been "spent" here, because I'm able to spend it later (by producing a different, but valid, key image). Yours has been spent, because you won't be able to do this.
Ok I'm not sure about "image key". I red somewhere it is derived from private key (so only me can verify because only I know private ) ... But in this paper "image key" is derived from pubic key. Does it mean I can use VER to find out who is really spending ?