-
Rucknium[m]
>Some anonymity-preserving cryptocurrencies, such as Zcash and Monero, are designed to eliminate traceability entirely: assets cannot be identified across transactions....... (full message at
libera.ems.host/_matrix/media/r0/do…d744a22a1236afd148751b49c386243ecb5)
-
Rucknium[m]
>There are potential downsides to non-fungibility, and fungibility is in fact treated as a design goal in many cryptocurrencies. This is because non-fungibility can be at odds with privacy and choice for currency holders. The ability to differentiate among units of currency based on serial numbers or transaction histories facilitates tracing, and indeed the distinctive transaction histories of Bitcoin enable blacklisting of
-
Rucknium[m]
units tainted by criminal activity [239] and transaction tracing by companies specializing in that activity, e.g., Chainalysis [160]. Similarly, the SNAP [Food Stamps] program places limitations on currency holders’ purchasing behavior. Non-fungible currency would offer new mechanisms for government control of citizens’ spending behavior that could catalyze new classes of “nanny state” interventions that may be unduly
-
Rucknium[m]
heavy-handed or micromanaging, and/or infringe on consumers’ civil liberties.
-
Rucknium[m]
Interesting that they are considering this
-
Rucknium[m]
This paper is also apparently associated with the Brookings Institution, which is a center-left think tank in Washington DC. Strangely, even though it is an NBER paper, there seem to be no economists as co-authors. And our old friend Andrew Miller is one of the co-authors:
-
Rucknium[m]
I'm following some paper citation "trees" and I found this paper.
-
Rucknium[m]
Does anyone have access to this? Maybe you have to be an IEEE member:
-
Rucknium[m]
New Attacks on the Untraceability of Transactions in CryptoNote-Style Blockchains
-
Rucknium[m]
Never mind, found it.
-
atomfried[m]
is there a good paper describing binning?
-
UkoeHB
atomfried[m]: afaik all that exists is this issue and the references at the bottom
monero-project/research-lab #84
-
atomfried[m]
ok thank you
-
Halver[m]
I have a similar question concerning spending: is there somewhere a description of the algorithm used to construct a spending?
-
Halver[m]
i.e. how is the selection of outputs done?
-
Halver[m]
Is the algo just using the 1st outputs whose sum corresponds to the precise spending (without taking into account the timestamps of the outputs),
-
Halver[m]
or does the algo try to use outputs with different timestamps (when possible of course)?
-
UkoeHB
Halver[m]: there is (afaict) a huge amount of code in `wallet2.cpp` related to selecting outputs.
-
UkoeHB
Idk what it all does... maybe moneromooo can expound on it.
-
Rucknium[m]
> <@hoverhalver:monero.social> I have a similar question concerning spending: is there somewhere a description of the algorithm used to construct a spending?... (full message at
libera.ems.host/_matrix/media/r0/do…06165d4b735898292c9fe4889b4a19c50c6)
-
Rucknium[m]
I'm just quoting jberman here:
-
moneromooo
IIRC it picks random outputs until the combined amount is enough, going first through outputs which are not related to the set of outputs already picked.
-
moneromooo
Related here means from the same tx, from the same height, from a close height, in decreasing order of relatedness.
-
Halver[m]
People concerned certainly know this paper, but anyway, concerning the July-August "flood",
-
Halver[m]
* People concerned certainly know this paper, but anyway, concerning the 2021 July-August Monero txs "flood",
-
UkoeHB
I updated the Seraphis draft with a new, slightly different, linking tag construction (github.com/UkoeHB/Seraphis). Shout-out to Nikolas Krätzschmar (nwk) for realizing the previous construction would allow wallets with the private view key to burn the wallet's outputs (i.e. without needing the private spend key).
-
UkoeHB
The reason I did not use this new construction originally is it costs a bit more for ownership proofs (~1 proof element per tx input).
-
atomfried[m]
I just started refreshing my memory on group theory and cryptography as I have some free time right now. I hope to be able to help with some proofs once I have caught up to the current status quo of cryptography used in Monero/Seraphis.
-
atomfried[m]
Is there a list of things which are different in the current cryptography used in Monero in comparison to what is written in Zero to Monero?
-
UkoeHB
atomfried[m]: afaik after ZtM2 was published, the only crypto change has been the move from MLSAGs to CLSAGs; I added a section to ZtM2 in anticipation of that
-
atomfried[m]
UkoeHB: perfect, thank you. What do I need to study additionally to understand and be able to help with Seraphis?
-
UkoeHB
It isn't required for Seraphis, but you could look at the Groth/Bootle proofs used in Triptych and Lelantus-Spark (they are the best candidate for Seraphis membership proofs as well):
eprint.iacr.org/2015/643.pdf,
eprint.iacr.org/2020/018.pdf,
eprint.iacr.org/2021/1173,
github.com/nkraetzschmar/triptych-plus
-
atomfried[m]
added to the list, thank you :D I need to see/understand some more proofs for cryptographic stuff, I am from another math field so I need to get a bit used to the techniques used in cryptography