-
Halver[m]
<nioc> "Monerujo is currently raising..." <- Very interesting feature imo
-
mj-xmr[m]
<hyc> "btw, sech1, any other rpi users,..." <- I'll gladly check today. Thanks.
-
m2049r[m]
<moneromooo> "That already exists (assuming..." <- What exactly?
-
moneromooo
Output splitting.
-
BigmenPixel[m]
-
helloimpha[m]
hello
-
helloimpha[m]
is there anyone here who understands the zero knowledge cryptography that monero uses? someone who is intimately familiar with the code with concrete understanding, not just superficial high level understanding
-
fluffypony
there are a number of people here who have written that code, so yes
-
fluffypony
and there's #monero-research-lab if you're talking more about the theory than the code
-
helloimpha[m]
ok so i have one simple question
-
helloimpha[m]
btw, glad to see you're free online
-
helloimpha[m]
well this is not theoretical
-
helloimpha[m]
well part of the explanation is, but the question itself is about real world implications of design
-
helloimpha[m]
so here is how i'll phrase it
-
helloimpha[m]
suppose i am the greatest mathematician since antiquity and i could break discrete log based algorithms, RSA based algorithms, even lattice based algorithms, and i could also find collisions to SHA256 and any other one way algorithm that exists
-
helloimpha[m]
would this affect the anonymity of past transactions? i don't care if it affects the integrity of the system
-
helloimpha[m]
basically is this information theoretically secure anonymity or does it hinge on the cryptography
-
helloimpha[m]
?
-
helloimpha[m]
as an example to this point: even if i can find collisions to SHA256, there is no way i could ever hope to find a particular collision (there are 2^128 different inputs for every output). hence, the anonymity factor of SHA256 remains secure, even if the integrity is not
-
helloimpha[m]
by integrity, i mean the assumptions regarding security are broken
-
helloimpha[m]
another way to think of it: does monero offer long term privacy or conditional privacy (dependent on cryptography)?
-
helloimpha[m]
i think ZCash for example (hope I'm not recalling this incorrectly, because I'm not personally familiar with their code) offers long-term privacy. even if cryptography is broken, anonymity remains secure. it's just that the integrity of the system is broken
-
fluffypony
I think if DL is broken then the world basically collapses
-
helloimpha[m]
even the anonymity?
-
helloimpha[m]
i get that monero becomes worthless, but does the privacy go away too?
-
helloimpha[m]
will everyone be revealed?
-
moneromooo
At least *some* of the possible breaks will break past privacy. Folk in #monero-research-lab will know more.
-
helloimpha[m]
damn
-
helloimpha[m]
not what i wanted to hear
-
helloimpha[m]
it's possible to design so that past privacy is preserved, really important.
-
moneromooo
Well, some layers of privacy. Not sure which of ring sigs and/or one time addresses. Maybe each break only breaks one of them...
-
helloimpha[m]
i don't want to see a situation where everyone who used monero gets screwed later
-
moneromooo
I think isthmus has been looking at that before (in the context of QC).
-
helloimpha[m]
it turns monero into a weapon basically
-
coinstudent2048[
Hmm... how does ZCash offer long-term privacy? Assuming they'll deploy a variant of Halo, I think Halo/Halo 2 will get screwed also in that scenario.
-
fluffypony
helloimpha[m]: you have to assume that ANY cryptography will be broken later, including ZCash
-
fluffypony
it's the reason that certain TLAs are snorting up web traffic
-
ComplyLast
<helloimpha[m]> i don't want to see a situation where everyone who used monero gets screwed later
-
fluffypony
they can't break TLS right now, but they will later on
-
ComplyLast
this will happen, same with Zcash, it's a matter of time.
-
moneromooo
It's also why I constantly send out encrypted goatse pictures.
-
ComplyLast
there's a cute american entity that's storing all the information they can't decrypt until there is a scientific breakthrough
-
ComplyLast
Blockchains given their very nature make that job easier, if the breakthrough is achieved
-
helloimpha[m]
i'm going to give you an example i'm familiar with and not talk about ZCash since i am not personally familiar with their code. some crypto systems that use ZKP do not "encrypt" any sensitive information into the proofs which are published in the open. so no "encrypted" data is ever put out there (which can be decrypted later, if crypto is broken). if you were to make a transaction with this type of system, and later all the crypto is broken, no one can retroactively go back and decrypt anything of any value
-
helloimpha[m]
other systems encrypt data. these ones have ciphertexts that can be opened later, after the transaction has been made
-
fluffypony
right, so consider hashed passwords
-
fluffypony
they're not plaintext that is encrypted, they're a one-way hash
-
fluffypony
but nowadays we have rainbow tables and all sorts to attack leaked password hashes
-
fluffypony
and in some future there will be a quantum computer or some other improvement that will allow for those hashes to be attacked orders of magnitude faster than now
-
helloimpha[m]
so just to be clear on definitions
-
fluffypony
Monero's strong privacy may not be "reversible" in some obvious way, and there are specific design choices that prevent that (eg. Pedersen commitments are computationally hiding, but perfectly binding), but there is no such thing as a perfect system
-
helloimpha[m]
when we say one-way hash function, what we're implying is that there are many more inputs than there are outputs. IOW, there are a huge number of possible ways to achieve a particular image.
-
fluffypony
information wants to be free.
-
helloimpha[m]
therefore if you were to hash pseudo random data, even if the cryptography of the one-way function is broken later, there is no way someone is going to find the exact pre-image you made. they can produce the same image, but the way they produce that image will be with a different pre-image because the space of pre-images is so much greater than the space of images and it's too much to iterate through
-
helloimpha[m]
that is a secure design for privacy. it means someone can't figure out what your password was (assuming it's sufficiently random) just by breaking the hash
-
helloimpha[m]
they can only re-produce the hash, they can't figure out your exact password
-
helloimpha[m]
that is secure if monero is based only on systems like that
-
fluffypony
right, but even in that event you still have a limited data set - most passwords are <50 characters so you can disregard hash matches for larger data
-
fluffypony
and you are likely to find only a single match in the <50 chars space
-
helloimpha[m]
still 64^50 is a big number
-
helloimpha[m]
so you'd have to iterate all of those
-
helloimpha[m]
and even then how do you tell which one is the real one?
-
helloimpha[m]
many will produce the same hash
-
fluffypony
I don't think "many" will, not for a 256-bit hash
-
fluffypony
and with something like passwords it doesn't matter
-
fluffypony
you can login with the wrong password as long as it produces the right hash
-
fluffypony
the point being: there are entire classes of attack that we can't imagine today
-
fluffypony
so you can't prevent an attack that you can't even fathom
-
fluffypony
Monero provides strong privacy today, using more than just a single tool (ring signatures + confidential transactions + dual-key stealth addresses)
-
fluffypony
one or more of those tools may be broken tomorrow
-
fluffypony
there is no way to know
-
fluffypony
so you need to combine using a tool like Monero with good opsec, if maximal privacy is your aim
-
helloimpha[m]
what i want to be sure of is.... suppose i send a transaction with monero and it's mixed with 1000 other addresses (not even sure exactly how you guys do this, merkle tree or something). if the crypto is broken later, i am sure that this will no longer work correctly. however, will it be possible to discover where my past transactions went?
-
helloimpha[m]
and about SHA256 (if that's what you're talking about). There are 2^128 possible inputs (really more, if you account for the merkle damgard construction they use internally) that produce each possible output
-
isthmus
The ONLY way we can make public digital ledgers private is through cryptography. If the premise is “suppose I can crack all crypto” then no public ledger will offer protection
-
isthmus
Not to be too reductionist, but that’s what it boils down to
-
helloimpha[m]
so if you want to know someone's password, given only sha256, you need to iterate all possible inputs... with merkle damgard that's infinite
-
isthmus
That’s not breaking crypto though
-
isthmus
It’s designed that you would have to iterate
-
helloimpha[m]
assuming the block size is restricted to the standard 512 bits, it's 2^128 possible
-
helloimpha[m]
that's not true
-
helloimpha[m]
but privacy more important than the integrity of the system
-
helloimpha[m]
doesn't matter so much if people lose money
-
isthmus
If you have to resort to brute force then the crypto is working properly, no?
-
helloimpha[m]
matters a lot if they can be persecuted later after the fact
-
helloimpha[m]
if you can find two inputs that produce the same SHA256 hash, you have broken SHA256
-
helloimpha[m]
i don't mean brute force
-
helloimpha[m]
brute force would require 2^128 guesses to find a single collision. then you'd have to do that another 2^128 times
-
helloimpha[m]
you're talking 2^256 iterations
-
helloimpha[m]
if you break sha256, you can rapidly find a collision
-
helloimpha[m]
but you can't find a particular collision
-
helloimpha[m]
make sense?
-
isthmus
Yeah but now we’re selectively defining the adversary’s capabilities with respect to preimage attack vs collision attack etc
-
isthmus
Anyways TLDR if privacy crypto is broken then privacy is broken. Hard rule for all public ledgers
-
helloimpha[m]
100% chance DL will be broken
-
helloimpha[m]
so these nuances matter a lot
-
isthmus
I have to bounce to a meeting but you might enjoy this doc which has a lot of “what if X mechanism was broken” hypothetical analyses
-
isthmus
-
Rucknium[m]
helloimpha[m]: Why do you think this?
-
helloimpha[m]
it's a really strong assumption. there is absolutely no proof it is secure (like all other assumptions), but we do know that quantum computers can break it (this is unlike other assumptions). so either we get QC's and it's broken or we don't and it's likely broken.
-
helloimpha[m]
that's as much as i can say on it
-
helloimpha[m]
QC's can't even break small instances of NP-complete problems
-
helloimpha[m]
but have no trouble with DL
-
helloimpha[m]
gives you a sense of where it stands in the assumption hierarchy
-
hyc
it will take at least a decade for QCs of significant size to be built
-
helloimpha[m]
from a mathematical perspective, it's insane to think it's secure
-
hyc
lol
-
hyc
there's a good joke about a mathematician and an engineer...
-
helloimpha[m]
yeah?
-
hyc
they're presented with a challenge: they enter one end of a long hallway, there is a $1M prize at the other end of the hallway
-
hyc
the rule is every time they take a step, their next step can only be half as long as the previous
-
hyc
the mathematician looks at the hallway, and walks away, because he knows that at the limit, he will never reach the end
-
hyc
the engineer walks down the hall and takes the prize. because he knows that theoretically it would take infinite steps, but for all practical purposes he can just get there.
-
helloimpha[m]
haha
-
hyc
s/just get there/get close enough/
-
helloimpha[m]
well hey guys. thanks for trying to answer my question. i'm really impressed with the work monero is doing for privacy (which is essential for freedom). i really hope past transactions are secure long term, and if not, my advice is to work on fixing it asap
-
hyc
cryptographic strength is a constantly moving target. it can't be "fixed".
-
hyc
20 years ago it was impossible to brute-force DES, now it's easy.
-
hyc
the same dynamic will always exist.
-
helloimpha[m]
i'm back
-
helloimpha[m]
-
helloimpha[m]
the one isthmus sent
-
helloimpha[m]
Section 3.2 Violated Signer Ambiguity from On-Chain
-
helloimpha[m]
From what I can infer from this section, monero is NOT long term privacy secure
-
helloimpha[m]
My advice is to make this the top priority to fix
-
helloimpha[m]
It seems to suggest if DL is broken, then monero becomes retroactively publicly traceable like Bitcoin transactions
-
helloimpha[m]
This also means monero is weaponizable. If gov't can break DL, monero would be ideal choice to spy on people in secret
-
UkoeHB
There are no priorities... people work on what they feel like. Are you volunteering to study this issue?
-
hyc
if DL is broken, TLS is broken and pretty much everything else in crypto space
-
moneromooo
I suggest you refrain from bullshit if you want to have a conversation here. Keep to tech. Weapon stuff will get you in ignore lists.
-
kor678[m]
Hello everybody. Guys, why do you think that everyone except Monero will develop, their algorithms and encryption methods are also evolving
-
helloimpha[m]
I already know the solution. I am just warning you guys that a huge number of your users may be subjected to retroactive persecution if this is not addressed. That will be a huge disservice to your users, could result in lots of freedoms and lives lost
-
hyc
you already know a solution? do tell ...
-
helloimpha[m]
is it not true?
-
helloimpha[m]
i'm stating facts, based on the research paper discoveries
-
helloimpha[m]
use cryptography that does not make it possible to retroactively reveal information about transactions.
-
fluffypony
there's no such thing
-
helloimpha[m]
my advice also is to stop using DL but that's less important than privacy
-
helloimpha[m]
no such thing?
-
helloimpha[m]
yes there is
-
fluffypony
"use cryptography that does not make it possible to retroactively reveal information about transactions." <- it doesn't exist
-
helloimpha[m]
tell you what
-
hyc
lol
-
fluffypony
all that exists is a panacea that something is secure and safe, but merely we just haven't figured out a meaningful attack
-
helloimpha[m]
yes it does
-
helloimpha[m]
no
-
helloimpha[m]
zero knowledge proofs use information theoretically secure math
-
helloimpha[m]
for example
-
helloimpha[m]
Stern's protocol
-
UkoeHB
Can you write a paper on how to do this?
-
helloimpha[m]
is secure with the only assumption being the commitment scheme used (which as I explained earlier is one-way, so this is OK to use, because there is no way to iterate all the possible inputs or distinguish which input was real)
-
hyc
what's the size of a typical proof in your example systems
-
helloimpha[m]
the rest of it is rock solid math, no assumption
-
hyc
what's the computation time required to construct it
-
helloimpha[m]
proof size depends on implementation, but very large would be what i'm familiar with.
-
helloimpha[m]
however
-
helloimpha[m]
i think zcash managed to achieve this same effect using different techniques. you can inquire with their team to find out. i would advise that.
-
helloimpha[m]
but privacy too important
-
hyc
once again, difference between theory and practice
-
fluffypony
if you think ZCash is unbreakable then use ZCash and don't bother with Monero, problem solved
-
helloimpha[m]
this is about people's lives
-
helloimpha[m]
more important that it's private than fast
-
fluffypony
otherwise it's really hard to read this as anything other than concern-trolling
-
helloimpha[m]
i don't think zcash is great solution, but it's safer for privacy if they solved that problem
-
hyc
go ahead and talk to them and find out then. educate yourself.
-
hyc
theoretically perfect solutions that are impractical to implement and use are pointless.
-
helloimpha[m]
not at all true
-
hyc
go and educate yourself...
-
hyc
just like the initial zcash protocol, that required 4+GB RAM and minutes to construct a proof - nobody can use that
-
hyc
well, maybe you can use that if you're routinely working with a supercomputer, etc.
-
hyc
but for average consumers, not happening.
-
hyc
an impractical solution like that is worthless.
-
helloimpha[m]
i'm all for speed. that's great. i'm just saying your website says "untraceable". and i came in here without any assumptions about that. i thought you achieved the same thing in terms of long term security (in which case, i think "untraceable" is perfectly valid description).
-
helloimpha[m]
people use Monero for privacy
-
helloimpha[m]
not just speed
-
fluffypony
one additional point before I check out of this convo: you're right that people's lives hang in the balance with privacy-enhancing systems, which is why we have to balance providing strong privacy with providing strong soundness around the economic system AND making it easy for people to use on low-power devices. There is NO value in building a theoretically perfect system where there is massive risk that everyone's life savings could be worthless tomorrow, and where it's infeasible to use on 99% of devices.
-
helloimpha[m]
people should know this
-
helloimpha[m]
i think you guys should at least point this out on your website. if DL is broken, research suggests the privacy will be retroactively lost.
-
helloimpha[m]
this way people can at least mix the coins traditionally and take additional steps before using
-
hyc
nonsense. traditional mixing is BS.
-
hyc
time to put this guy on /ignore\
-
helloimpha[m]
it's not good, but if your entire transaction history is revealed later and you did no mixing, that's even worse. that's my point
-
helloimpha[m]
i'm not being hostile with anyone here
-
selsta
.merge+ 7972 7989 7975
-
xmr-pr
Added
-
mj-xmr[m]
hyc: All green on RPi4, Re: #8001
-
selsta
good then we can include that in the release too
-
mj-xmr[m]
Then let me run all the other tests as well.
-
mj-xmr[m]
I think it will finish tomorrow morning.
-
UkoeHB
moneromooo: are you planning to review #7877 (multisig pr)?
-
moneromooo
No. I could look at the code itself but I could not review the crypto, which is where I expect any issues to be. Besides, I went to see a couple days ago and got scared off by the size...
-
moneromooo
If you think a code-not-crypto review is still useful, I can do it though.
-
selsta
is it better to merge BP+ first or the fee changes?
-
selsta
BP+ is older
-
moneromooo
BP+, since I'll remember fee changes better.
-
moneromooo
(for conflict resolution)
-
selsta
ok
-
selsta
moneromooo: BP+ fails to compile with clang currently:
monero-project/monero #7170#issuecomment-940224775
-
UkoeHB
Maybe if you could skim it for any stand-out issues, that could be useful.
-
UkoeHB
At the very least, the tests all work lol.
-
moneromooo
OK, I will. Just as long as everyone knows I can't find crypto bugs :)
-
UkoeHB
Thanks :)
-
UkoeHB
Anyone know if stoffu is around/available to review the PR? He reviewed the initial multisig PR.
-
UkoeHB
Also, moneromooo, where did you get the original implementation from, if it wasn't from scratch?
-
moneromooo
luigi1111.
-
luigi1112
.merges
-
xmr-pr
7793 7873 7874 7912 7954 7958 7959 7960 7972 7975 7976 7978 7989
-
moneromooo
selsta: should be fixed now
-
selsta
-
selsta
I think a function call has to be updated or so, did not look in detail
-
moneromooo
I had not.
-
moneromooo
Ah, it's the silly gui wallet layer again...
-
moneromooo
Gimme like an hour
-
selsta
moneromooo: you can use the `wallet_api` target to compile it
-
midnightmage[m]
Hey Jberman I’m going to take a look at the rw blockchain lock, who should I contact regarding library choices going forward? Thanks
-
» mj-xmr[m] watches the evil he's made, by peeking at the often cache reuses in the GH Action list.
-
moneromooo
selsta: done
-
selsta
ty
-
UkoeHB
luigi1112: can you review the multisig PR?
-
hyc
mj-xmr[m], selsta ok I'll PR against release branch as well
-
hyc
#8005
-
luigi1111
UkoeHB: I'm not sure. stoffu would be better if we can locate and kidnap him
-
jberman[m]
midnightmage: I think general questions like that are good to ask in here. I believe this is a good starting point for that task (see how `m_blockchain_lock` is used elsewhere):
github.com/monero-project/monero/bl…/cryptonote_core/blockchain.h#L1109
-
jberman[m]
Also note there's an existing rw lock class and related functions that matches `epee::critical_section` here:
github.com/monero-project/monero/bl…trib/epee/include/winobj.h#L95-L128
-
selsta
-
midnightmage[m]
Ok cool, thanks guys, I’ll DM you tomorrow as it’s late here now and got to work in the morning.