Seraphis is simply a work of art.

The "A/B" optimization (batching the one-out-of-many proof with the binary proof on signing index l) is something that made me very happy.

Squashed is also very clever, and made me smile.

The composition proofs are also very nice.

Sounds very nice. Lots of good work seems to have gone into that indeed.

the A/B optimization comes from the fact that the statement made in the "binary proof" can be verified essentially linearly in the challenge, so the statement in the proof represented by the construction of commitments C and D can be combined with the one on A and B.

s/one-out-of-many/two/, s/proof/statements/, s/with/in/

Yeah the A/B thing was an easy win. It’s kind of surprising how often easy wins can take a while to reveal themselves

I know!

The squashed logic is actually more along the lines of my favorite thing in Seraphis.

also, just to make sure, A/B only works if the generators for the commitments are independent; i.e. H is independent of the Gs, and the G's are independent of both.

Feickert did Lelantus-Spark?

Lelantus-Spark is Jivanyan's project and Aaron helped quite a bit

It took me a while to convince myself that squashed enotes have a robust security factor against minting, but now I'm happy with it

and yeah, separate generators are mandatory github.com/UkoeHB/monero/blob/db344…126101/src/seraphis/grootle.cpp#L80

Honestly I'm pretty surprised... I always thought this stuff was more complicated than I could understand, but it makes a lot of sense.

Reading the original one-out-of-many proof was really satisfying since it's the basis for most of this.

I was finally able to talk to Exodus about their decoy selection algorithm: reddit.com/r/Monero/comments/wm5th1/comment/ik1zhj3

"We deviate from Monero slightly. We perform the typical gamma with shape parameter 19.28 rate 1.61 but the resolution is on a block level. We randomly sample the blocks using the gamma distribution and then once a block has been selected another random sample using a uniform distribution within the block to retrieve the final mixin output."

"We call it "custom core". This differs from Monero Core if my memory serves me right, they have a global index for all the outputs and they perform the random sample with gamma distribution based on the individual outputs."

jberman ^

It's not entirely clear to me what it means, but it's probably one of two options:

1) The "unit" in the Exodus gamma probability density function (PDF) is naively set to block. The unit for the wallet2 gamma PDF is second. Therefore, the Exodus decoy selector could differ from wallet2 by a factor of approximately 120.

2) The Exodus gamma PDF is re-scaled so that the real unit is seconds. This would likely give a decoy selector close to wallet2, but would not have wallet2's notion of density of outputs in the block. Also I'm not sure if they are applying gamma from chaintip (which is preferred) or from the 10th block

I think (1) and (2) can be distinguished by simple experimentation with the Exodus wallet.

Exodus is not ready for the hard fork, so their transactions would not appear in the immediate post-hardfork period.