-
helloimpha[m]
hola
-
helloimpha[m]
i have a question i posted in monero-dev but was referred to this channel
-
helloimpha[m]
i will copy/paste into here
-
helloimpha[m]
suppose i am the greatest mathematician since antiquity and i could break discrete log based algorithms, RSA based algorithms, even lattice based algorithms, and i could also find collisions to SHA256 and any other one way algorithm that exists... (full message at
libera.ems.host/_matrix/media/r0/do…c5343cca4c347d5a387adbde0849e5f7e03)
-
Rucknium[m]
>i think ZCash for example (hope I'm not recalling this incorrectly, because I'm not personally familiar with their code) offers long-term privacy. even if cryptography is broken, anonymity remains secure. it's just that the integrity of the system is broken
-
Rucknium[m]
^ Why do you think this? helloimpha
-
helloimpha[m]
i think this because i think i asked zooko about it years ago
-
helloimpha[m]
i am aware that some crypto systems work this way for certain (my own research)
-
helloimpha[m]
the ones i've researched are not deployed yet
-
coinstudent2048[
Regarding ZKP, where can I find papers that do ZKP without doing commitment/without "encrypting" the data?
-
Rucknium[m]
helloimpha: Ok. If you could give a citation for your claim about Zcash, that would be great.
-
nioc
I believe this quote is attributed to zooko "And by the way, I think we can successfully make Zcash too traceable for criminals like WannaCry, but still completely private & fungible."
-
helloimpha[m]
commitments are OK, but they are not the same as encrypting. commitments are protected by the fact that what is committed is pseudo random and there are many possible inputs that can produce the same output (one-way functions)
-
helloimpha[m]
encrypting is different
-
helloimpha[m]
encrypting is reversible
-
coinstudent2048[
Yes, they are different. A monero tx is composed of a bunch of commitments clumped together. Hence, I think the issue would lie in the pseudo-random function used (which I think is being discussed in monero dev).
-
helloimpha[m]
Section 3.2 Violated Signer Ambiguity from On-Chain
-
helloimpha[m]
From what I can infer from this section, monero is NOT long term privacy secure
-
helloimpha[m]
My advice is to make this the top priority to fix
-
helloimpha[m]
It seems to suggest if DL is broken, then monero becomes retroactively publicly traceable like Bitcoin transactions
-
helloimpha[m]
This also means monero is weaponizable. If gov't can break DL, monero would be ideal choice to spy on people in secret
-
Rucknium[m]
> <@helloimpha:matrix.org> My advice is to make this the top priority to fix
-
Rucknium[m]
> It seems to suggest if DL is broken, then monero becomes retroactively publicly traceable like Bitcoin transactions
-
Rucknium[m]
How can it be fixed?
-
coinstudent2048[
> <@helloimpha:matrix.org> Section 3.2 Violated Signer Ambiguity from On-Chain
-
coinstudent2048[
> From what I can infer from this section, monero is NOT long term privacy secure
-
coinstudent2048[
If long term privacy secure means quantum resistance, then I agree that Monero is not long term privacy secure. Since ZCash also uses elliptic curves, my guess is that they are also not long term privacy secure, but I need to see a similar evaluation.
-
coinstudent2048[
To fix this requires saying bye-bye to elliptic curve, and we do quantum-resistant crypto. ZK-STARK seems to be one, but the public key size is big (min. 10kb according to the linked technical note). Lattice-based is a popular thing.
-
coinstudent2048[
sorry, I mean "quantum resistance against traceability".
-
chaser[m]
<Rucknium[m]> "> <@helloimpha:matrix.org> My..." <- 1. pick the currently most viable-looking post-quantum crypto. see round 3 finalists in NIST's Post-Quantum Cryptography Standardization (
en.wikipedia.org/wiki/NIST_Post-Qua…ptography_Standardization#Finalists) and check which ones have good... (full message at
libera.ems.host/_matrix/media/r0/do…6f32d808dda9585ab35425e2cfe3d2f1a48)
-
chaser[m]
for clarity, this will only protect transactions that happen after a hard fork that includes post-quantum crypto. if the discrete logarithm problem is broken at some point, anything before that fork becomes de-anonymizable.
-
UkoeHB
How do you spend pre-post-quantum outputs after the protocol changes to be quantum resistant?
-
selsta
first someone has to prove that it's viable in 1) verification time, 2) proof size, 3) hardware requirements
-
chaser[m]
yes, these bottlenecks need to be analyzed
-
selsta
last time I read about it these post quantum proofs are absolutely unusable in production
-
chaser[m]
<selsta> "last time I read about it..." <- could be the case, I'm not the most informed on that. if someone is, this research could make a good CCS proposal.
-
chaser[m]
* CCS proposal, or even a bounty project.
-
hyc
pointless exercise at this point in time. none of those PQC algorithms are usable on average PCs
-
hyc
none of them are viable on average networks
-
chaser[m]
<UkoeHB> "How do you spend pre-post-..." <- good question, I'm not sure
-
chaser[m]
hyc: in what sense? computational power?
-
hyc
if someone wants to implement these algos as a research project, they should start a brand new blockchain
-
hyc
yes, computational power, RAM / disk/ bandwidth requirements
-
hyc
new blockchain, because only a dozen people in the world will use it
-
chaser[m]
hyc: actually that project already exists (
theqrl.org), but it has no privacy and I hope it won't catch on (so far it didn't) bc I'm already having new-blockchain burnout
-
hyc
gack. why would they go to the trouble of using pqc but omit privacy...
-
chaser[m]
my impression of the project is that it was started just to flex with the PQC algos. but they actually plan to switch to cryptonote