hello :)

just a sanity check for me, let alice send a transaction to bob. The receiving one-time addresses of bob don't appear anywhere in the ringCT right?

What is "[t]he receiving one-time addresses of bob" ?

If you mean "the address Bob gave Alice to send to", then it does not appear in the tx.

But your wording suggests it's not that. If you mean the output pubkey, then it's obviously in the tx. If something else, be more precise.

Also, I take "ringCT" to mean the entire tx. If you just mean the ringct structure, then the output pubkey technically isn't, it's in the prefix. I don't think that's what you meant, even though you did say ringct and not tx.

well, as far as i have understood, when alice sends a tx to bob, she must first prove she owns the outputs she is spending.

if i refer to zero to monero page 138, there is the part of the tx that for me represents the ring signature, from line 81 until 129.

so basically what i m asking is if the ring signature only contains the previous one-time public addresses (wich are now inputs), and the corresponding output commitments (pseudo and normal).

The tx prefix contains indices pointing to the output pubkeys included in the rings. In each ring, one of those will be the one that gets spent.

Bob's ownership is upon the addresses in vout right? line 27 and 32 in this case. What i am asking is if bob's keys appear in the ring signature...

If by "bob's keys" you mean the public keys of bob's destination address, then those do not appear in the tx.

The output pubkey of the new output now belonging to bob does.

yes

but not in the ring signature right?

Right.

:)

thanks

also,

second sanity check,

the commitments to the new amounts now belonging to bob, who now owns these new output pubkeys, also don't appear in the ring signature right? page 137, namely the "outPk"'s of the transaction at hand.

I guess it depends what you call the ring signature.

The outPk are included in the ringct structure.

i am calling the ring signature the part of the tx where there is "MGs"; page 138 line 81 to 129.

Then it is there.

the outPk are not in the MGs in any way right?

they naturally would invalidate the ringct, if the sums of input commits - sums of output commits - fH != 0 . But they are not part of the mlsag ?

They are not in MGs.

MGs and outPk are alongside each other in the same structure.

moneromooo, thanks for your patience :)

Well, one's in the prunable part and the other in the unprunable part.

Hello! I started dumbp256k1: github.com/coinstudent2048/dumbp256k1. The only implemented so far are the Scalar and Point classes.... (full message at libera.ems.host/_matrix/media/r0/do…7d932797c88a84b8f245b99fa42be35fe03)

another thing, how are the ring one-time addresses referenced? I can only see the "vin" part, "key_offsets" there i count 11 numbers referencing to block numbers but not tx's ?

key offsets refer to outputs, not blocks.

coinstudent2048[: interesting thanks :)

how are the one-time addresses found?

slave_blocker: step 3 on page 38 of ztm for standard addresses

Ztm2*

from page 136 : "key_offsets": [ 14401866, 142824, 615514, 18703, 5949, 22840, 5572, 16439,

983, 4050, 320]

slave_blocker: step 3 on page 40 of ztm2 for subadddresses

how do these 11 numbers represent 11 "vin"'s ?

wernervasquez[m], thanks for the reply, but i mean how are the ring members found?

slave_blocker: chapter 6 footnote 13

slave_blocker: monero.stackexchange.com/a/12368/7493

<moneromooo> "The output pubkey of the new..." <- Just to clarify my understanding, Bob's (recipient) actual pub address is nowhere in the blockchain or transaction, but his onetime stealth address (randomly generated) is? I am a noob to the tech of Monero. How "random" is the generation of stealth

* generation of one-time recipient addresses in Monero? I watched Sarang Noether discuss this with the ciphertrace guy and it appears ciphertrace hasn't broken the stealth, * stealth addresses used for recipients? Does this still seem to be the case?

the public addresses are nowhere to be seen in the xmr chain.

its only one-time addresses.

Niceu. Thanks

i call the addresses but i guess they are rather one time public keys...

these are subtle syntactic nuances...

I intend on reading Zero to Monero after finishing Mastering Monero. So I haven't gotten into the details of how the stealth addresses are generated yet.

slave_blocker: Yep I just learned about Monero around Christmas last year, so apologies if I botch the official/technical syntax

I dunno what a onetime stealth address is. Don't use that term, different people mean different things with it. Worse even, some use that term without even knowing what they intend to mean.

Assuming you mean the output pubkey (which is not an address), this one is on the chain.

oh

so i'm wrong...

so it's a one time public key?

why does it get referred to as a stealth address?

Depends what you mean by "it" here.

well from what i understand, the members of a ring signature (inputs) from "vin", aswell as the "vout" public keys, are all one-time...

Now i was calling them one-time addresses. and i heard about them as stealth addresses...

<moneromooo> "I dunno what a onetime stealth..." <- Does monero have a style guide? Or some authoritative reference? IMO one time address desribes it well as does output pubkey....

The members of a ring are outputs, and each output has a public key. They're one time enough, though you can tachnically construct dupes.

wernervasquez[m]: try to match hte style of whatever you're modifying at first approximation.

There's no fascist style guide.

:)

> <@coinstudent2048:matrix.org> Hello! I started dumbp256k1: github.com/coinstudent2048/dumbp256k1. The only implemented so far are the Scalar and Point classes.... (full message at libera.ems.host/_matrix/media/r0/do…8da3df00f1207a75dbc3d2c60b1eab911e7)

I will present my results by the end of the week. Now I have something to show :)

dangerousfreedom: Thats good news or bad 🙃

<moneromooo> "I dunno what a onetime stealth..." <- I will try not to use that term moving forward. To restate my question, on the blockchain there is a recipient address shown right? The output goes from sender to recipient, but on YouTube videos I heard that the recipient's true address is kept private to only themself and the sender. Not even miners can see the receiver's true address. The recipient address shown on

chain is random, thus unknowable? Is my understanding here correct or incorrect?

I don't have a technical understanding of the method by which a random address/key for onchain is generated, so I was more so hoping to hear it's super random and ciphertrace can pound sand haha

w[m]: I hope it is good news :p

I have been spending a lot of time to build some tools and some educational material to explain (to myself and others) why there is no inflation in monero.

pound sand

;)

The recipient address is not on the chain.

Not even encrypted.

moneromooo: Oh that is super strong privacy then

Basically, when an output is created, it's done in such a manner that the recipient (and only the recipient) can calculate its secret key, using the recipient's secret keys, and is thus the only person able to spend it.

So there is no keeping track of who owns what by means of assigning outputs to addresses like it Bitcoin.

And thus no need to have addresses on chain.

s/ like it Bitcoin/

er, ,/$,//,

moneromooo: I wish the btc maxis I spoke to knew this haha

Monero too stronk, thank you moneromoo for helping make it stronk.

np, none of the theory is mine fwiw.

Yes, but you are a bigtime dev

Without the devs we would not have Monero

and without monero i would be permatrapped in fiat slavery haha

<moneromooo> "Basically, when an output is..." <- Is it the case that the output is created / encrypted with one of receiver's keys, such that only his wallet can decrypt/know he owns it? The output is encrypted when it is created/being sent? If my understanding is correct, a similar process is used in transparent ledgers with regards to ability to spend outputs, but in Monero it is the case that knowledge of owning funds

is encrypted such that only the receiver's private view key can decrypt this knowledge of output ownership?

I... think so :) It's not really encrypted, but close enough.

moneromooo: To the best of your understanding the method by which output ownership is kept private is both secure and legit though right? I'm sure all of the nitty gritty are in Zero to Monero, I just haven't made it to that stage of understanding/reading yet.

Yes.

Gotcha, thanks :) I have a couple more questions if you don't mind my asking

Let's say an individual has a cold wallet that has never come online, will this individual need to do anything prior to the coming hardfork to make sure nothing goes amiss? I would also wonder how this will work when Seraphis comes, but that will probably be a question for later when Seraphis is ready for deployment. Could anyone make a guess as to how long Seraphis would be tested prior to implementation for Monero

users?

Nothing to do prior to the fork.

I assume your "cold wallet" consists of a standard Monero 25 word seed. Those will continue to work, Seraphis or no Seraphis. Nothing to prepare then.

moneromooo: Sweet, I wouldn't want the boating accident meme to become a reality haha

If you mean a Monero wallet file that you just never use and don't sync: Monero will have to keep the capability to import such wallet files somehow indefinitely, I would say

<rbrunner> "I assume your "cold wallet..." <- So the idea with implementing Seraphis is that every single wallet's mnenomic seed will remain unchanged, but all of their public and private keys will change. Meaning that if one has the seed saved somewhere they will be fine, even if they boot up their wallet one year post-Seraphis implementation and their public and private keys (character strings) have all changed?

<rbrunner> "If you mean a Monero wallet file..." <- It's more so a question of an untouched cold wallet that never spends or goes online, and is only synced as a viewonly wallet. Even this unspent/receive only cold wallet will be a-ok?