-
dangerousfreedom> <@sanada08:matrix.org> Hi team, there was a paper that was published in 2020 to reduce proof size - ‘Omniring: Scaling Private Payments Without Trusted Setup’
-
dangerousfreedom> Was there any voting or feedback on this paper?
-
dangerousfreedom> Great question. It is a great paper and from my first reading I believe that some ideas there will be implemented in the next version of Monero. The vocabulary used for the Omnirings seems very similar to the one used in Seraphis (Tags) and the performance of the proposed scheme is also very similar. I believe that we could also get inspired from this paper when we formalize all the Seraphis schemes. Probably UkoeHB read
-
dangerousfreedom> it long ago and it helped him to develop Seraphis :p
-
UkoeHB> I did not read omniring, but iirc it helped inspire sarang's triptych (which was a precursor to seraphis)
-
dangerousfreedom> <UkoeHB> "I did not read omniring, but..." <- 👍️
-
kayabanerve[m]> moneroresearch.info/index.php?actio…SOURCEVIEW_CORE&id=33&browserTabID= encouraged steganography through selection of ring members, obtaining 1 bit through each. More bits can be obtained from each if we deviate more from the intended distribution.
-
kayabanerve[m]> If the ring is increased to 128-explicitly-specified-parties, and we don't enforce selection, this would offer 80 bytes per input with minimal deviations from the distribution.
-
kayabanerve[m]> This means it'd not add storage to the chain and it also wouldn't reduce privacy. I only see it as feasible as post-Seraphis however, and it requires non-deterministic selection with explicitly specified membership (so no arithmetic circuit proving along a Merkle tree).
-
kayabanerve[m]> To be clear, 5-bits is 2^5 AKA 32 potentials. You'll, on average, find the potential you need within 16 tries. If done +-, you only need to go 8 in each direction. It's that 8 which I didn't find notable, though obviously, I'd defer to Rucknium. There is some level of search/brute force required though.