10:12:06 <rbrunner> Somebody on Reddit asked an interesting question about the review of the CryptoNote protocol, this one here: https://downloads.getmonero.org/whitepaper_review.pdf
10:12:32 <rbrunner> They refer to this sentence at the start of chapter 3, "Problems with the protocol":
10:13:35 <rbrunner> my single biggest question after reading the entire paper is the “how did they choose their elliptic curve constants?” The protocol appears sound; who chose the constants? Will there be a plan for choosing new constants in the future if needed?
10:14:01 <rbrunner> What are those "constants" mentioned here?
10:15:51 <rbrunner> Reddit post: https://old.reddit.com/r/Monero/comments/yrqlgk/review_of_cryptonote_white_paper_question/
14:16:50 <rbrunner> I see that Tevador answered that question: https://old.reddit.com/r/Monero/comments/yrqlgk/review_of_cryptonote_white_paper_question/ivy0481/
14:17:57 <rbrunner> I wonder a bit why Surae Noether would distrust Curve25519 quite in general.
14:18:32 <rbrunner> Or more exact, Ed25519
14:31:09 <monerobull[m]> Isn't an eliptic curve just a set of numbers? No way to mess with that right?
14:31:29 <monerobull[m]> Or can you define one that is somehow backdoored
14:32:53 <merope> The latter. See for example: https://en.wikipedia.org/wiki/Dual_EC_DRBG
14:40:42 <monerobull[m]> ._.
18:12:45 <DataHoarder> rbrunner: https://ed25519.cr.yp.to/ (and also https://monerodocs.org/cryptography/asymmetric/edwards25519/ )
18:13:31 <DataHoarder> do note some of the "higher level" operations are implemented differently than in the Ed25519 scheme, but the low level operations (add/multiply/substract etc.) are the same
18:32:58 <rbrunner> DataHoarder: Thanks. That CryptoNote paper review really gave the impression, at least to someone not "in the know", that there most be more to it than simply those very fundamental curve parameters.
18:33:30 <rbrunner> Something that the CryptoNote devs themselves decided and defined. Good to know it ain't so. No FUD :)
18:33:40 <DataHoarder> they were picked in way that make sense, nothing in your sleeve, also not at random
18:34:20 <rbrunner> If you don't trust Bernstein, I guess you can lie down and prepare to die.
18:34:28 <DataHoarder> (and yes, not by cryptonote, plz also use curve/ed25519 where possible, for example, wireguard, ssh keys, DNSSEC keys, etc.)
18:35:51 <DataHoarder> tor also uses them, that's what the "onion address" is as well btw