-
revuoxmr
Revuo Monero Issue 244: July 8 - 21, 2025.
revuo-xmr.com/weekly/issue-244
-
m-relay
<jackrin:matrix.org> Guys, I'm writing here in hope someone with a better understanding of cryptography can answer.
-
m-relay
<jackrin:matrix.org> It's not directly related to Monero, although it will, but I can't say much.
-
m-relay
<jackrin:matrix.org> As of now, what would be the best protocol or mix of protocols, for someone in a chain, to prove they hold the private key among a growing set of public keys on the chain, while also having the proof be unlinkable to other times they used it?
-
m-relay
<jackrin:matrix.org> Basically, they should create the proof, include it in the tx, and be able to do this for txs in the future starting from the same "credential", and have them be unlinkable.
-
m-relay
<jackrin:matrix.org> A plus would be, if it were easy in the future to switch to quantum-resistant suite.
-
m-relay
<jackrin:matrix.org> This of course, has to be completely decentralized, no trust.
-
m-relay
<jackrin:matrix.org> I know I can google, I have, extensively, read whitepapers about many established protocols, but even though I work in cybersecurity, cryptography is a whole new world at high levels.
-
m-relay
<jackrin:matrix.org> I have especially read about FCMP and what it does and the math behind it, to maybe understand if some of it was applicable, but I still feel like I may be lacking or assuming things that are just wrong, and find myself later with something that doesn't work.
-
m-relay
<jackrin:matrix.org> So I thought to ask here to have a no bullshit answer, that will outline problems with the current available protocols.
-
m-relay
<kayabanerve:matrix.org> The methodology of a FCMP should be largely applicable. It just proves a re-randomization of an on-chain output. Those re-rands aren't inherently linkable. Monero composes the FCMP with its SAL proof to establish linkability.
-
m-relay
<kayabanerve:matrix.org> Don't chain it with a proof which produces a linking tag, don't have linkability.
-
m-relay
<rucknium:monero.social> Jackrin: I'm not sure exactly what you're asking for, but doesn't a standard Hierarchical Deterministic (HD) wallet with hardened derivation paths do what you want? Of course, you need the public keys to not be linkable through statistical analysis, which is hard to avoid on transparent chains like BTC, but easier to avoid on status quo Monero.
-
m-relay
<rucknium:monero.social> on-chain statistical analysis, I mean.
-
m-relay
<jackrin:matrix.org> Thanks, I'll look into what that is to learn it.
-
m-relay
<jackrin:matrix.org> What I asked maybe was confusing, I'll summarize it better:
-
m-relay
<jackrin:matrix.org> Credentials are issued on the chain, and the user to which they actually belong will get them in some way, it's not important now.
-
m-relay
<jackrin:matrix.org> Once they have it, they should have a way to prove they hold one among all issued credentials on the chain.
-
m-relay
<jackrin:matrix.org> Just this.
-
m-relay
<rucknium:monero.social> If the protocol is decentralized and trustless, the users generate the credentials themselves. No one issues the credentials to them on the chain.
-
m-relay
<jackrin:matrix.org> Thanks for the answer, I was looking a lot into FCMP, because I did think it was what I needed, and also because I wanted to "copy" Monero's approach.
-
m-relay
<jackrin:matrix.org> But at some point I started having doubts about the linkability thing, due to my lack of knowledge probably.
-
m-relay
<jackrin:matrix.org> So you are saying that, there is a way to use FCMP so that from a single credential the user owns, they can make "unlimited" proofs which are not linkable to each other?
-
m-relay
<rucknium:monero.social> An HD wallet can generate an infinite number of unlinkable private-public key pairs from one master private key, called an extended private key.
-
m-relay
<rucknium:monero.social> It depends what you are proving. If you just want to prove that you own the private key that corresponds to a public key, the HD wallet idea will do it.
-
m-relay
<spirobel:kernal.eu> maybe what you are looking for is just proving a transaction. the spend proof can be your credential
-
m-relay
<jackrin:matrix.org> I know, in a way it won't be decentralized, I can't really explain how they will get these credentials, but they will receive them.
-
m-relay
<jackrin:matrix.org> So it's not like normal "open" chains. They receive these credentials, and there's a public part of this process on the chain, so nodes can see all the issued credentials, and I just want a way to prove you have one of those, without revealing which.
-
m-relay
<rucknium:monero.social> This sounds like #monero-offtopic:monero.social and
en.wikipedia.org/wiki/XY_problem
-
m-relay
<spirobel:kernal.eu> you can do this decentralized already. just let them send a monero transaction and by nature they also have a credential. or let them sign a message with their seed. probably OT though 🫡 Rucknium
-
m-relay
<jackrin:matrix.org> moved to #monero-offtopic:monero.social
-
m-relay
<rucknium:monero.social> My suggested changes to the DNS block/ban list contents:
monero-project/meta #1242
-
m-relay
<syntheticbird:monero.social> I'm gonna ask just in case
-
m-relay
<syntheticbird:monero.social> why not take the array of IP addresses in binary format, compress them and encode them into the TXT field?
-
m-relay
<syntheticbird:monero.social> more space
-
m-relay
<rucknium:monero.social> I do suggest that in the issue.
-
m-relay
<rucknium:monero.social> But it won't work well with nodes that don't update, AFAIK.
-
m-relay
<syntheticbird:monero.social> sorry, I first glossed over it very quickly
-
m-relay
<rucknium:monero.social> that don't update to the version of `monerod` that has the new parsing code
-
m-relay
<rucknium:monero.social> Sorry it is long 😬
-
m-relay
<rucknium:monero.social> But I need to show my reasoning and the steps to reproduce my analysis. Otherwise, it is just "trust me".
-
m-relay
<syntheticbird:monero.social> dw, I just don't like to read (which is one of the final consequences of the industrial revolution on humankind...)
-
m-relay
<rucknium:monero.social> My suggested change would only replace 4 of the 300 total DNS ban list entries. Yet, 570 spy node IP addresses would be banned (because of subnets).