so if you can't mix the decoys, u won't be able to make a seraphis tx spending a seraphis enote until 128 seraphis enotes have appeared on the chain .... ?

replace 128 with whatever n the decoy set becomes

we have ~2 years (?)... is there anything we can do to the existing ringct method to make the decoys blendable?

a pre-seraphis ringct mod

no

blendable not possible

sounds like a chicken'n'egg problem then

much the same as anybody trying to clone Monero's code and launch a brand new chain

128 is 4 hours, and you can expect there will be mixed ringct and seraphis txs during the transition

there wouldn't be any outputs available to construct an 11 or 16 member ring on a freshly launched chain

you just wait for block rewards

or for a seraphis tx that spends only legacy enotes

a bunch of txs*

4 hours is *only* 128. so *one* txn could be created after 4 hours passed

on a new chain yes

I forgot you can spend legacy enotes in a seraphis tx

it's just the turnaround, spending a seraphis enote, that you need to wait at most 4hrs before you can make a tx (or more depending on the bin radius)

sounds like it would be much more than 4 hours. if you just go 4 hours and scoop up the 128 latest outputs, it seems to me the true output would be obvious

why

because of imbalance between coinbase and normal enotes?

hm, maybe not. was thinking there'd be 127 outputs with close sequential ages, and one arbitrary age

all seraphis ring members are selected from the DSA (whatever gets defined)

for seraphis inputs; legacy inputs would use the legacy DSA

ok. so in addition to coinbase there'd be new seraphis outs being produced from legacy inputs

would the legacy inputs be in a ring of 16 or ring of 128?

spending legacy will be CLSAG

Rucknium[m]: comment on the legacy DSA post-transition -> it would be nice if at some point the DSA becomes timing agnostic (maybe asymptotically). This way you can't use the ring members in a legacy ring signature to accurately estimate when the signature was constructed. With deferred seraphis membership proofs, you can only defer the seraphis membership proofs (e.g. for multisig) - legacy proofs can't be deferred. If

there is a statistically significant big gap between the 'when was this proof constructed' timing projection between legacy and seraphis membership proofs, that could allow tx fingerprinting.

It's possible to cache the block height when you construct legacy proofs, then later use that height when making seraphis membership proofs to inform the decoy selection. It would be nice to avoid that complexity.

UkoeHB: I don't think the DSA can be "timing agnostic" if it's a mimicking DSA, i.e. the type of DSA that we strive for currently. Partitioning or "single bin" DSA is a different story.

How often would people construct proofs at different times?

offline signing

Has anyone tried to understand this paper? moneroresearch.info/index.php?action=resource_RESOURCEVIEW_CORE&id=92

Liang, M., Karantaidou, I., Baldimtsi, F., Gordon, D. S., & Varia, M. (2022). (∈, δ)-indistinguishable mixing for cryptocurrencies.

seems that trying to mimic a "realistic" spending pattern is an exercise in futility

Maybe there is something in there.

best would be random, no discernible pattern

Why is it futile?

because spending patterns change

and also, the current scheme is so highly dependent on the time a txn is created

what if you just cluster all outputs around the same age as the real output?

then it doesn't matter if someone signs a txn and waits a long time before submitting it

All Monero decoy selection algorithms (at least in the reference implementation) have been random as far as I know. I assume you mean to randomly select some distribution. Well, the method by which you select that random distribution would itself define a distribution, so I think we would be back to square 1.

hyc: That is "partitioning". It has been analyzed quite a bit in the Monero research literature. Certainly some people like it a lot.

sorry if I'm retreading old ground then. what are the major objections to it?

Of course it identifies the approximate timing of the sender's previous output. And a "strict" partitioning requires at most a spending waiting time of M where M is the number of outputs that have already been confirmed.

So it would further ossify the 10 block lock and even make it unpredictable.

Also targeted flooding or black marble attacks would be more feasible

I think it's Ok to have partitioning in the conversation, but there are drawbacks of course

hmm. flooding attack in this case requires you to know the age of the output you're attacking, no?

I, an adversary, send an output to a target user. At the same time, I flood the mempool with my own transactions and outputs. Then I can eliminate many decoys (or maybe all if I am lucky and determined) when they go to spend that output.

Ronge, V., Egger, C., Lai, R. W. F., Schröder, D., & Yin, H. H. F. (2021). Foundations of ring sampling.

Yeah, I see.

is the most recent analysis of it.

then those are pretty solid downsides

A lot of the literature on DSAs has favored partitioning since (IMHO) the authors cannot figure out a way to estimate the real spend distribution in order to construct a better mimicking DSA. The whole point of OSPEAD is to develop the first feasible estimator of Monero's real spend distribution that does not rely on a de-anonymized sample like Moser et al. (2018).

Ronge et al. (2021) say "It is therefore reasonable to expect that if the mimicking sampler has access to the true source distribution S, its anonymity

should be close to optimal. In the following, we give an evidence that this is the case."

"We emphasize that although Theorem 6.2 shows that the optimal anonymity is always almost achievable up to a constant factor, the result is mostly of theoretical interest, because it requires the knowledge of an estimation ˆS of the signer distribution S. Even if it is possible to obtain a reasonable estimation ˆS of S, a questionable assumption, S may change over time, e.g., due...

"I'll help 10individuals how to earn $30,000 in 72 hours from the crypto market. But you will pay me 10% commission when you receive your profit. if interested send me a direct message on Telegram by asking me (HOW) for more details on how to get started

to economic bubbles and recessions, and depends on the free will of users. For a good and practical sampler we recommend the partitioning sampler in Section 6.3."

Is anyone looking closer at the zec implementation? They haven't rolled it into production yet?

Rucknium[m]: right, you need knowledge of the true spend distribution, which we can't actually know

A good estimate of it is possible, as I'll show

hmm. that kind of assumes you can estimate the population of real users, as well as the distribution of coins each user owns.

someone with an old wallet may have coins distributed evenly thru time, or only a bunch of old coins

or whatever other distribution. spending patterns per user will be all over the place

Right. But there is an aggregate distribution.

If you want to be on the OSPEAD review panel, you are welcome to be. I think I will be done with the detailed proposal in 1.5 weeks. Then I will give the panel 1-1.5 months for review.

sure, sounds like it'll be quite interesting work

tho it'll be mostly for my own edification. haven't done anything in stats since college

Ok great. So far it's you, Artic Mine and isth mus. I'm hoping to have a biostatistcian on it too. I wrote a section on key statistical concepts to put everyone on mostly the same footing, hopefully.

I won't be available for the meeting wednesday, someone else should pilot it