-
jberman[m]
The author of bulletproofs++ also has a paper on a tx protocol with trustless full chain membership proofs with txs < 1.5kb (that increases 64 bytes for each input) with support for
-
jberman[m]
"efficient batch verification, user defined assets and multi-asset confidential transactions, privacy preserving multi-party proving, adaptor signatures, absolute and relative time locks, and a multiphase transaction structure to support scriptless scripts for private atomic swaps and payment channels"
-
jberman[m]
One theoretical issue seems to be that either txs must have a maximum age, or information about old txs will be leaked, but it's not clear to me what exact information or why (section 5.1.2, pg 33)
-
jberman[m]
I also don't see any claims on verification time, but the section on batch verification (6.3.2, pg 43) seems promising
-
jberman[m]
Also of note, its multiphase structure seems to be similarly modular to Seraphis, from pg 4:
-
jberman[m]
"μCash has also been designed to support adaptor signatures and scriptless scripts. The way such protocols often work has the parties to a contract, like an atomic swap or a payment channel, prepare transactions liquidating a multisig output before the output has been funded. This ensures they can recover their money if the protocol fails or the counterparty defects."
-
jberman[m]
"In a zkSMP based transaction protocol, this creates a cyclic dependency, as a transaction spending an output must prepare a zkSMP for the output in the TXO set, but the users will not fund the multisig output until this transaction has been created."
-
jberman[m]
"I resolve this paradox through the use of a multi-phase transaction protocol. The first phase, the transaction body phase, proves the confidential portion of the transaction, and after this phase the amounts and types of currency are not needed to complete the transaction."
-
jberman[m]
"The second phase, called the membership phase, shows that all the inputs belong to a Merkle root using CT zkSMPs. This phase can be completed by any collection of provers where that collectively know all the Merkle witness information, in particular it can be completed by one party of a swap or payment channel without the cooperation of the counterparty."
-
jberman[m]
"The final phase of the transaction, called the Bulletproof phase, performs the nested Bulletproof verification described above and can be completed by anyone, including a miner or untrusted third party prover."
-
jberman[m]
"As far as I am aware, this protocol has the smallest standalone proof size for an anonymous transaction protocol without a trusted setup, at 1344 + 64n + 32log2(c) bytes over a curve with 128 bits of security, plus 5 to store signs for the curve points."
-
jberman[m]
"That is a protocol that provides perfect anonymity for each input among the entire anonymity set. The quantity c is bounded by a linear function in (dn, n, m) and is equal to 1 for most transactions in practice."
-
wnum[m]
jberman[m]: "Scriptless scripts" "Serverless servers" lol
-
wnum[m]
I will wait until Holy Spirit technology makes Monero transactions lol
-
DataHoarder
transaction-less transactions with privacy-less privacy and double-spend-less properties
-
hyc
that paper sounds like a silver bullet
-
hyc
which immediately demands skepticism...
-
atomfried[m]
<wnum[m]> ""Scriptless scripts" "Serverless..." <- well scriptless scripts are actually a thing ...
-
wnum[m]
Script without script. Sounds like international space station stories. I know "virtual servers" you can call it "serverless". Loosely
-
atomfried[m]
<wnum[m]> "Script without script. Sounds..." <- sorry, but discrediting someone's work just because you don't like the work of something is just stupid
-
xmrack[m]
jberman: link to paper?
-
xmrack[m]
Nvm
-
xmrack[m]
I see it now
-
wnum[m]
"I don't like the work". I didn't say that.
-
atomfried[m]
sorry I wanted to say "but discrediting someone's work just because you don't know something is just stupid"
-
wnum[m]
> <@atomfried:matrix.org> sorry I wanted to say "but discrediting someone's work just because you don't know something is just stupid"
-
wnum[m]
Yes better but I think it is just amusing using those terms. Scriptless and so on.
-
wnum[m]
It is like watching Steven Seagal teaching Kung fu. Funny.
-
gingeropolous
to the lounge
-
atomfried[m]
has someone looked into (curve trees)[eprint.iacr.org/2022/756.pdf] for zero knowledge set membership in seraphis?
-
atomfried[m]
s/(/[/, s/)[/](/, s/]/)/
-
dangerousfreedom
<tevador> "checksum updates: github..." <- Nice!