-
tevador
It seems that Seraphis offers strictly weaker privacy than RingCT against a quantum adversary. Each SpCompositionProof directly leaks k_s if the adversary knows the discrete logs of X and U. This immediately links the output to a particular wallet.
-
UkoeHB
tevador: how does the dlp of X and U leak k_s?
-
tevador
The proof gives 6 equations with 6 variables (a_t1, a_t2, a_ki, a, b, c), so it's solvable. K_o = a G + b X + c U.
-
tevador
c is the spend key
-
tevador
-
UkoeHB
tevador: that adversary seems to know more DLPs than just between X and U
-
UkoeHB
If you can get any arbitrary DLP, then you only need two to get k_s: between K” and K_t1, and between KI and U.
-
tevador
I meant a quantum adversary in general, able to solve any DLP.
-
UkoeHB
I don’t mind updating jamtis for better forward-secrecy against a DLP-breaking adversary (quantum or otherwise). I’ll post an update on the gist today, it’s easy enough.
-
tevador
it's not about Jamtis, but the Seraphis ownership proof
-
tevador
The proof also gives the output key that was spent (= b X + c U), which breaks the ring signature. But this is the same with RingCT.
-
tevador
UkoeHB: by updating Jamtis, you mean to also tweak the U-component?
-
UkoeHB
Yes, tweak the U
-
UkoeHB
I’m looking back at the modified Chaum-Pedersen proof used by Lelantus Spark, which seems to have better forward-secrecy against a DLP-breaker than composition proofs.
-
UkoeHB
nvm, there is a system of equations that can be solved to get all the variables
-
tevador
is there no way to make the proof perfectly hiding? even at the cost of computational soundness
-
Lazarus
Hi friends,
-
Lazarus
-
Lazarus
Is anyone familiar with what Findora is doing? Any key advantages they have vs. Monero and zcash?
-
UkoeHB
tevador: no idea
-
UkoeHB
Lazarus: looks like a dead project and possibly a scam
-
rbrunner
From the article: "He added that Findora's research team created the "bulletproofs" technology used on Monero."
-
Lazarus
Ha, curious.
-
rbrunner
So please show a little respect :)
-
dangerousfreedom
<tevador> "is there no way to make the..." <- Pedersen commitments scheme are perfectly hiding, right? What do you mean? The equations used are not Pedersen like or you would like to have schemes that do not depend on the DLP like quantum resitant algorithms?
-
rbrunner
-
baro77[m]
this is/was their tech docs page:
wiki.findora.org/docs/findora_basics/introduction the only relevant thing (if true) to my eyes being the state machine replication algo was a fork of Tendermint, so a BFT-like and not a longest-chain... by the way.. any way to use a leader election strategy permitting permissionless access with that kind of SMR, as far as you know?
-
rbrunner
And I guess the 100 million for that fund will just rain from the sky.
-
tevador
dangerousfreedom: I meant to have a proof that says you know a, b, c such that K = a G + b X + c U, but won't leak a, b, c if the DLP is broken.
-
dangerousfreedom
<tevador> "dangerousfreedom: I meant to..." <- I see, AFAIK only quantum resistant algos do it. But I guess we never seriously consider implementing something like that as we are far away from this scenario.
-
tevador
Forward secrecy is needed *now*, not at some point in the future. It's inevitable that ed25519 will be broken and we want past transactions to stay private.
-
dangerousfreedom
Hello guys, a quick update from my side:
-
dangerousfreedom
I took some vacation last week and now I'm ready to continue annoying you :)
-
dangerousfreedom
I finished what I proposed to do related to the moneroinflation project but I still didn't answer all the questions that I have about it (as there is the bp+ era). I feel ready though to continue working to improve Monero so in the next month I will still continue working on finishing the moneroinflation project (scan the bp/bp+ era using my Rust code) and improving a bit more the website. Meanwhile, I will be organizing
-
dangerousfreedom
my tasks to create a wallet for Seraphis asap. I would be happy to get your thoughts on the required tasks and TODOS so I can better prioritize my work. (I will definitely need the help and inputs from koe, tevador, jberman, rbrunner and others so be aware that I will reach out to you soon :))
-
dangerousfreedom
tevador: I agree. I just don't know how to do it without radically changing the crypto schemes. Moreover, I believe that there isn't a standard on how to achieve it either.
-
dangerousfreedom
I guess we have much higher risks with bad implementations of the known schemes than with quantum computers now. Really nice spot about these 6 equations/6 unknowns. Something like that is much more harmful. Also allowing non-canonical points/scalars could be harmful if not handled correctly.
-
moneromooo
Anything could be harmful if not handled correctly.
-
rbrunner
dangerousfreedom: Right now I think merely coming up with a solid list of tasks needed to implement a Seraphis wallet will be a difficult task in itself. Tasks all the way down :)
-
dangerousfreedom
Haha yeah :)
-
tevador
-
tevador
reviews/comments are welcome
-
dangerousfreedom
<tevador> "
gist.github.com/tevador..." <- Wow! Amazing!!!
-
dangerousfreedom
I will definitely look into it carefully
-
tevador
I'm leaning towards SPHINCS+-SHA-256-128f-simple as the QR signature scheme. Least likely to be backdoored by NSA. Replacing SHA-256 with Blake2s should give a 2x speed-up for hardware wallets.
-
kayabanerve[m]
tevador: I believe NACK. SHA-256 was found to be insecure IIRC.
-
kayabanerve[m]
*tens of bits less secure when used in a WOTS-derived scheme
-
kayabanerve[m]
-
kayabanerve[m]
The exact ciphersuite you named may not be category 5, and accordingly not harmed by this research (as SHA-256 may not be the lower bound). If that's the case, I'll drop my commentary :P But I did remember this paper and wanted to be sure it was represented.
-
kayabanerve[m]
Though aren't we able to use schemes which only allow a single message without issue?
-
kayabanerve[m]
If SPHINCS+ offers more efficient public keys, great, but I don't believe we have benefits from the multi-messaging function offered. Accordingly, wouldn't pure WOTS+ be possible?
-
kayabanerve[m]
*Yes, the proposed one is category one. So ACK on the proposed suite.
-
kayabanerve[m]
*assuming we did use SPHINCS+.
-
kayabanerve[m]
Though I can't comment on s/f simple/robust at this time.