-
coinstudent2048[
<dangerousfreedom> "> <@coinstudent2048:matrix.org..." <- Monero doesn't use this curve. Please use `dumb25519.py`.
-
coinstudent2048[
Here's my dumb25519:
github.com/coinstudent2048/verklebp/blob/main/dumb25519.py. I am interested with your `hash_to_ec` though. Is the hash consistent with Monero wallet's?
-
coinstudent2048[
Another note: dumb25519 has `hash_to_point`, but this is ad hoc and will be different from `hash_to_ec`. The reason is that the code is used to implement cryptography math, and not necessary reflecting Monero code.
-
plowsof[m]
023.
-
slave_blocker
hello :)
-
slave_blocker
i am a little bit how should i say...
-
slave_blocker
assume i always spend 1000 piconeros. And i only ever do one input -> one output transactions.
-
slave_blocker
and i always want to know the blinding factor when my "wannahave" amount is 100xmr...
-
slave_blocker
being a "outpk" from a previous tx now the only input i have, then :
-
slave_blocker
C1 = aG + cH
-
slave_blocker
being C1 = outpk.
-
slave_blocker
C2 = bG + dH
-
slave_blocker
being C2 my new commitment i want to find...
-
slave_blocker
if
-
slave_blocker
C1 = C2
-
slave_blocker
aG + cH = bG + dH
-
slave_blocker
aG + cH - dH = bG
-
slave_blocker
aG + (1000 picos)H - (100xmr)H = bG
-
slave_blocker
and i know a ...
-
slave_blocker
then :
-
slave_blocker
b = log (G) [ aG + (1000 picos)H - (100xmr)H ]
-
slave_blocker
what i'm trying to express is that for me it does not sit well, that not only is there a public secret called gamma...
-
slave_blocker
every commitment in every tx, has a discrete log problem that only depends on the blinding factors being choosen randomly...
-
slave_blocker
?
-
coinstudent2048[
What is gamma? Also, yes, given `C` and `y` in `C=xG+yH`, the only thing that prevents you from recovering `x` is the discrete log problem except for negligible probability (i.e. extremely extremely lucky). If this reliance to discrete logarithm is what concerns you, well it works so far, **until** that day secret-breakers solve the problem efficiently (by quantum computers, or some future math).
-
plowsof[m]
>@Elija "I came across
github.com/dalek-cryptography/bulletproofs#comparative-performance when looking at some projects. Is this bulletproofs a possible way to optimize Monero, or does Monero's implementation prevent such types of optimizations, ignoring the porting constraints. "
-
plowsof[m]
>UkoeHB "It seems odd to me that daleks' bp would be 7x faster. Maybe they have a faster multiexp algorithm... (seems unlikely) is there someone out there up to investigating the reason?"
-
moneromooo
I see 4.63x, and about 4x once you disregard the asm specific one. I *think* I heard before that dalek could not be used for monero due to using a slightly different curve.
-
moneromooo
If a whole lot of stuff gets changed anyway with seraphis, that might be a more plausible option (I saw without knowing what I'm talking about).
-
moneromooo
I can't recall how much of the verificatoin time BP takes though. I htink it's fairly significant.
-
moneromooo
Oh, I see the 7x in the comment, it's not in the table.
-
moneromooo
But just on a handpicked machine, presumanly handpicked to be the one with the highest speedup. Not helpful.
-
atomfried[m]
proofing is 7.3x and verification is 4.63x in the table
-
atomfried[m]
s/proofing/proving/
-
atomfried[m]
Intel Skylake-X i7-7800X
-
moneromooo
Maybe a curve switch would also speed up other parts of tx verification (ie, rings).
-
UkoeHB
oh whoops the proof is 7x, verification is 4x
-
UkoeHB
I ran the bp benchmarks on my machine (rough results):
-
UkoeHB
```
-
UkoeHB
verification
-
UkoeHB
[num aggregated: zkcrypto bp, monero bp, monero bp+]
-
UkoeHB
1: 3.23ms, 5.90ms, 5.80ms
-
UkoeHB
2: 5.29ms, 9.64ms, 9.24ms
-
UkoeHB
4: 8.85ms, 15.72ms, 17.56ms
-
UkoeHB
8: 16.24ms, 27.95ms, 27.28ms
-
UkoeHB
16: 28.05ms, 49.46ms, 49.16ms
-
UkoeHB
32: 54.38ms, 91.33ms, 92.80ms
-
UkoeHB
```
-
UkoeHB
(I am not using a avx2 backend)