-
coinstudent2048[UkoeHB: I need a careful reading, so that I can formalize and have more detailed comments and questions. From scanning the paper, I'll just comment that its modularity makes me happy: more straight-forward analysis, as Sarang said here. For the start, I would fix notation and formalize stuff. 😀
-
coinstudent2048[Section 4.3.2 (Linking tags): "Since linking tags are assumed to be unique for each unique address `K^o`". I think this should be "since `K^o` and linking tag is unique for every pair (k_a^o, k_b^o)".
-
coinstudent2048[I found a little result about this: raw.githubusercontent.com/coinstudent2048/writeups/main/proof1.pdf .
-
coinstudent2048[I have a doubt though on this proof, but it my intuition is correct, then the "proof style" might be useful, I don't know.
-
UkoeHBcoinstudent2048[: I am trying to emphasize the uniqueness of linking tags with respect to the public key `K^o`, since `K^o` is the only thing proof verifiers see. On some level the verifier doesn't care about the private keys, all he cares is that only one linking tag can be produced from each pubkey.
-
UkoeHBAfaict this doc is a good clean argument :) would you like to make an Issue on the seraphis github for longer-term discussion?
-
coinstudent2048[UkoeHB: done. did I do it right? Here's the TeX btw: github.com/coinstudent2048/writeups/blob/main/proof1.tex . Stole it from Triptych 😊
-
coinstudent2048[I mean the layout.
-
sarangIt may be useful to examine the Omniring security model, where they present some results relating to their inversion tag construction
-
coinstudent2048[sarang: Thanks, this is in-depth! UkoeHB Got it. One one-time address =>unique linking tag. In my proof, there is no superscript 'o' because it also applies to masked address, but I don't know if the proof is useful there (or useful at all). I need more study...