-
chch3003[m]
One question please. When Seraphis is adopted, can users still receive funds at old CryptoNote addresses?
-
monerobull[m]
Only on the ghost chain, I would assume
-
monerobull[m]
It requires a hardfork
-
monerobull[m]
Updated wallets would probably only allow you to send to seraphis addresses
-
chch3003[m]
What happens to hardcoded donation addresses you can find on websites?
-
tevador
You won't be able to send to legacy addresses.
-
chch3003[m]
So if someone sends to a CryptoNote address then funds are lost
-
tevador
No, the network will reject the transaction.
-
chch3003[m]
Unless the wallet he uses prevents him from sending
-
chch3003[m]
Ha ok ok
-
chch3003[m]
Great thank you :)
-
rbrunner
I wonder when we will reach a point where we can make something like a "crypto freeze" on Seraphis, so no more changes in key derivation, address generation and such, unless something quite drastic forces a change
-
rbrunner
Because from that point on it should be possible to build tools that build Seraphis addresses from people's private spend keys, and they could publish those addresses early
-
sech1
and vanity address generators :)
-
rbrunner
:)
-
rbrunner
Right now, with attempts to add forward secrecy / quantum-computer hardness, whatever, things still look quite in flux, IMHO a bit uncomfortably so ...
-
rbrunner
And the number of keys seems to continue to mushroom :)
-
moneromooo
I think it is good. Better a better version than an early one.
-
chch3003[m]
Yes there is no rush for that
-
rbrunner
Yeah, of course I am well aware what a chance this clean break is. Almost irresistible.
-
chch3003[m]
Segwit addresses took years of research
-
rbrunner
Did they? Didn't just the introduction take years, to make them popular and universally supported by the whole ecosystem?
-
chch3003[m]
Segwit as a whole took years. Regarding addresses specifically, Idk, but better to take the time and have something we don't have to change again too soon
-
rbrunner
"Rush" is relative. As far as I understand, only Seraphis will be quantum resistant. If it comes late, we will amass further heaps of transactions which will never be, and are in danger.
-
rbrunner
If I understood tevador and UkoeHB correctly about that stuff ...
-
monerobull[m]
<chch3003[m]> "Segwit as a whole took years..." <- The neat thing is, we don't need to be backwards compatible
-
monerobull[m]
You either use the newest hardfork or you don't transact on the monero network, simple as that.
-
Rucknium[m]
monerobull: Right. That sounds draconian, but BTC's numerous transaction formats are an absolute goldmine for chain analysis companies when they are checking whether coins have changed custody.
-
UkoeHB
rbrunner: currently a Seraphis user has forward secrecy against a DL-solver that doesn't know any of their addresses. tevador has also proposed some changes that could be 'activated' to spend Seraphis enotes in a quantum-resistant protocol
-
rbrunner
I see. But the argument still stands, right? The longer we wait with Seraphis, the more transactions people will create without forward secrecy or even activatable quantum resistance.
-
tevador
Yeah, forward secrecy of RingCT is non-existent. All it takes is one subaddress posted publicly and all your transactions will be leaked in the future.
-
tevador
And even if you never publish an address, the transaction graph will be leaked anyways.
-
aceitche[m]
<tevador> "Yeah, forward secrecy of..." <- Sorry, I don't get it, maybe I'm missing something. How does making one address public leak the transaction graph?
-
Rucknium[m]
aceitche: Something to do with quantum computers, if they ever exist in a usable form.
-
tevador
aceitche[m]: a quantum computer will be able to recover the whole RingCT transaction graph even without knowing any addresses. Publishing an address will leak all your transactions and their amounts in the future.
-
sech1
all transactions, but without recipient addresses, right?
-
sech1
unless the recipient's address also has been published somewhere, then the quantum adversary can scan through all known addresses to find a match with the stealth address of a transaction
-
tevador
yes, all incoming txs can be decrypted based on 1 public address from the wallet
-
sech1
I was talking about outgoing transactions from the wallet
-
tevador
outgoing cannot be decrypted unless the recipient's address is also known
-
sech1
right
-
sech1
but all known addresses can be tried one by one and there can be millions of them (think of exchange databases)
-
tevador
They can recover the view keys from 1 address and then simply scan for all incoming payments to that wallet. So I'd say most of the blockchain will be leaked.
-
JungleCreep[m]
Scary
-
JungleCreep[m]
Wouldn't that be easily noticed by Pedersen Commitments or counting block rewards?