11:16:39 jberman[m]: Did you get the "Onion Monero Blockchain Explorer" running with your viewtag branch, by any chance? Guess not, but asking is free :)
11:21:43 It does not compile with your branch, and if compiled with the release branch it exits with an error, probably as soon as it touches the first block.
11:22:05 Pretty clear of course that it's the difference in tx structure, but I don't know enough about that explorer to patch it ...
12:51:11 Never mind, got it running
19:16:42 Hi, I'm having problems with learning LSAG ring signatures and how they are used in Monero
19:16:42 I decided to try using "Mastering Monero First Edition", on page 133 and doing the process in a Python script to see if I can get it to work
19:16:42 Is there anything else I can reference for this project?
19:17:09 with ringCT this was much easier with the open courseware video that was made xwx
19:18:26 Palladion (he/him): Yes. _Zero to Monero_ is a more technical and more up-to-date reference.
19:19:09 Rucknium[m]1: I've been using it, it's just not in plain English
19:19:09 I just wanted to see if there's anything else
19:22:49 > <@palladion:cyberia.club> Hi, I'm having problems with learning LSAG ring signatures and how they are used in Monero... (full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/c3e5006b4a70eb3f1e2459fd21b31cb2508d8445)
19:24:30 wernervasquez[m]: It helped me a lot with stealth addresses and ringCT (although I needed the opencourseware video on it to make an implementation)
19:24:30 I just wanted to know if there's anything else I should look at
19:24:51 > <@palladion:cyberia.club> I've been using it, it's just not in plain English
19:24:51 > I just wanted to see if there's anything else
19:24:51 I didn't see you already mentioned it
19:25:37 Palladion (he/him): what is your goal in your learning?
19:27:22 wernervasquez[m]: To make an implementation in Python, same for everything I've been doing, honestly this is the last step. I already finished ringCT and stealth addresses
19:27:22 I just want to understand Monero better
19:28:27 I also have my own crypto projects I'm doing but they are just for fun, not an actual project I would have others use
19:28:27 I just do things to learn
19:29:48 Palladionhehim[m: you could look at mechanics of mobilecoin, the chapters on ring sigs are a bit improved compared to ztm
19:30:23 chapter* is*
19:31:30 Thank you
21:01:04 "Palladion (he/him): you could..." <- Thanks, I just got a working prototype going
21:21:17 nice :)
22:24:10 Thanks for the update tevador. Btw I found it a bit confusing the distinction between `SecretDerive()` and `KeyDerive()`. Maybe you could call secrets like `k_ga -> s_ga`, `k_et -> s_et`.
22:26:24 And then they would be 'generate-address secret' and 'encrypt tag secret' instead of 'key'. This way the secret/key separation is consistent.
22:32:15 I was thinking the same, but "s" could get confused with the signature "s"
22:33:23 I guess we've run out of alphabet letters...
22:33:27 Personally I would use: `r -> a, R ->A, e -> c, s -> r` there
22:33:48 `c` for challenge, `r` for response, `a` for nonce
22:35:37 and `H_s() -> H_n()` for hash to scalar, so `s` can be 'secret'
22:35:44 Just one question, for LSAG ring signatures, the docs say if c1=c`1
22:35:44 Along with that, c=c` only is valid on the first signature, c1,
22:35:44 So.....do the other signatures not matter? Or am I doing something wrong
22:36:44 `c_1` is the value you get with the original signature, everything else is computed during verification
22:37:03 so you are checking that the 'computed' `c'_1` equals the `c_1` that the prover gave you
22:37:35 i.e. checking that if you start with `c_1`, your computation loop gets you back to `c_1`
22:38:18 A loop like that is only possible if one of the steps started you off with `\alpha G`.
22:39:04 Ah, so in verification you do c_1 first for key_1 in the ring
22:39:04 Then c_1 for key_2? c_2 for key_3? Or do I just throw away everything but c_1
22:39:40 > <@palladion:cyberia.club> Ah, so in verification you do c_1 first for key_1 in the ring
22:39:40 >
22:39:40 > Then c_1 for key_2? c_2 for key_3? Or do I just throw away everything but c_1
22:39:40 Because if I do this then c_x = c_x` for each signature
22:40:02 The signature itself only needs to record `c_1`: `c_1, r_1, r_2, r_3`.
22:42:34 how does it verify the entire ring then if it's only doing one signature? why do I find each c_x value if I only use c_1, shouldn't I stop once I get to my real key?
22:43:13 the verifier doesn't know the real one
22:44:00 But the signer does, I'm just confused why we send values like r_2 if they won't be used
22:44:14 All the responses are needed in order to compute the ring of challenges.
22:44:15 because we just use the keys r
22:44:37 The point is to start at `c_1` and then compute a ring of challenges, and end up back at `c_1`.
22:44:37 wait, do we cycle through the r_x values to find a match?
22:44:53 no, you just compute each challenge in series
22:47:59 So if we have 3 keys in a ring, and we do the challenges, I will be from
22:47:59 c_1->c_2->c_1 or c_1? (like a ring looping back to itself)
22:48:17 s/c_1//
22:48:25 s/or c_1?//
22:49:07 (sorry for asking so many questions, I probably will go back to playing to figure the verifier out soon)
22:49:28 c_2 = h(c_1), c_3 = h(c_1), c_1 = h(c_3)
22:50:22 I call the result `c'_1` since it is a 'nominal' challenge. You have to check that `c'_1` actually is the same as `c_1`.
23:44:11 Still trying to figure this out, I have a 3 key ring, I loop from c'_1 to c'_3... (full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/59184e71142d97ef0565065ced36ad1e6eeae29e)
23:44:24 I know I have this wrong, but I'm unsure how
23:48:20 * Still trying to figure this out, I have a 3 key ring, I loop from c'_1 to c'_3... (full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/5e0023bb8cd37d2d65a991e021094fce55899c85)
23:48:20 `c'_1` takes `r_3` and `c'_3`
23:50:10 Where do I start the loop then?
23:50:31 you compute `c'_2` first
23:50:35 I see
23:51:01 So I do c'_2 with r_1 and Key_1 and c1 from my signature?
23:51:07 yes
23:51:39 Thank you, that's a lot of help
23:51:51 * of help, I didn't realize that when reading the docs