15:10:30 hello
15:10:46 i have a question i posted in monero-dev but was referred to this channel
15:10:52 i will copy/paste into here
15:11:07 suppose i am the greatest mathematician since antiquity and i could break discrete log based algorithms, RSA based algorithms, even lattice based algorithms, and i could also find collisions to SHA256 and any other one way algorithm that exists... (full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/ed318c5343cca4c347d5a387adbde0849e5f7e03)
15:18:41 >i think ZCash for example (hope I'm not recalling this incorrectly, because I'm not personally familiar with their code) offers long-term privacy. even if cryptography is broken, anonymity remains secure. it's just that the integrity of the system is broken
15:18:41 ^ Why do you think this? helloimpha
15:21:17 i think this because i think i asked zooko about it years ago
15:21:33 i am aware that some crypto systems work this way for certain (my own research)
15:21:44 the ones i've researched are not deployed yet
15:22:51 Regarding ZKP, where can I find papers that do ZKP without doing commitment/without "encrypting" the data?
15:23:31 helloimpha: Ok. If you could give a citation for your claim about Zcash, that would be great.
15:26:16 I believe this quote is attributed to zooko "And by the way, I think we can successfully make Zcash too traceable for criminals like WannaCry, but still completely private & fungible."
15:28:29 commitments are OK, but they are not the same as encrypting. commitments are protected by the fact that what is committed is pseudo random and there are many possible inputs that can produce the same output (one-way functions)
15:28:38 encrypting is different
15:28:43 encrypting is reversible
15:40:38 Yes, they are different. A monero tx is composed of a bunch of commitments clumped together. Hence, I think the issue would lie in the pseudo-random function used (which I think is being discussed in monero dev).
16:04:57 https://github.com/insight-decentralized-consensus-lab/post-quantum-monero/blob/master/writeups/technical_note.pdf
16:05:06 Section 3.2 Violated Signer Ambiguity from On-Chain
16:05:06 From what I can infer from this section, monero is NOT long term privacy secure
16:05:16 My advice is to make this the top priority to fix
16:05:16 It seems to suggest if DL is broken, then monero becomes retroactively publicly traceable like Bitcoin transactions
16:06:02 This also means monero is weaponizable. If gov't can break DL, monero would be ideal choice to spy on people in secret
16:30:14 > <@helloimpha:matrix.org> My advice is to make this the top priority to fix
16:30:14 > It seems to suggest if DL is broken, then monero becomes retroactively publicly traceable like Bitcoin transactions
16:30:14 How can it be fixed?
16:52:12 > <@helloimpha:matrix.org> Section 3.2 Violated Signer Ambiguity from On-Chain
16:52:12 > From what I can infer from this section, monero is NOT long term privacy secure
16:52:12 If long term privacy secure means quantum resistance, then I agree that Monero is not long term privacy secure. Since ZCash also uses elliptic curves, my guess is that they are also not long term privacy secure, but I need to see a similar evaluation.
16:52:12 To fix this requires saying bye-bye to elliptic curve, and we do quantum-resistant crypto. ZK-STARK seems to be one, but the public key size is big (min. 10kb according to the linked technical note). Lattice-based is a popular thing.
16:58:37 sorry, I mean "quantum resistance against traceability".
18:39:31 "> <@helloimpha:matrix.org> My..." <- 1. pick the currently most viable-looking post-quantum crypto. see round 3 finalists in NIST's Post-Quantum Cryptography Standardization (https://en.wikipedia.org/wiki/NIST_Post-Quantum_Cryptography_Standardization#Finalists) and check which ones have good...
(full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/7cd2f6f32d808dda9585ab35425e2cfe3d2f1a48)
18:44:05 for clarity, this will only protect transactions that happen after a hard fork that includes post-quantum crypto. if the discrete logarithm problem is broken at some point, anything before that fork becomes de-anonymizable.
18:45:05 How do you spend pre-post-quantum outputs after the protocol changes to be quantum resistant?
18:46:04 first someone has to prove that it's viable in 1) verification time, 2) proof size, 3) hardware requirements
18:46:37 yes, these bottlenecks need to be analyzed
18:46:44 last time I read about it these post quantum proofs are absolutely unusable in production
18:52:43 "last time I read about it..." <- could be the case, I'm not the most informed on that. if someone is, this research could make a good CCS proposal.
18:55:14 * CCS proposal, or even a bounty project.
18:56:12 pointless exercise at this point in time. none of those PQC algorithms are usable on average PCs
18:56:28 none of them are viable on average networks
18:57:08 "How do you spend pre-post-..." <- good question, I'm not sure
18:57:28 hyc: in what sense? computational power?
18:57:40 if someone wants to implement these algos as a research project, they should start a brand new blockchain
18:57:54 yes, computational power, RAM / disk / bandwidth requirements
18:58:17 new blockchain, because only a dozen people in the world will use it
19:02:26 hyc: actually that project already exists (https://www.theqrl.org/), but it has no privacy and I hope it won't catch on (so far it didn't) bc I'm already having new-blockchain burnout
19:02:58 gack. why would they go to the trouble of using pqc but omit privacy...
19:12:59 my impression of the project is that it was started just to flex with the PQC algos. but they actually plan to switch to cryptonote