sech1: reddit.com/r/Monero/comments/1013vzz/comment/j2m5o0r it is forward secrecy against a DLP solver, that’s it

DLP solver = quantum computer?

Quantum computer is an example yes

How does forward privacy work sech1

?

* How does forward secrecy y work sech1

s/privacy/secrecy/

no idea

something about having a ton of solution to an equation even if you can solve it

and you don't know which solution is THE solution

I see, didn't know that's part of seraphis but pretty cool

Forward secrecy means if a future exploit is developed then stuff created in the past remains secret

I get that but i didn't know how that could work

Could a DLP solver create counterfeit coins under Seraphis? AFAIK, a DLP solver can create counterfeit XMR coins today.

Maybe I should find a citation for that last statement

yes, it can

Source: sech1 (2023)

Also Section 3.3 of raw.githubusercontent.com/insight-d…/master/writeups/technical_note.pdf

no, it can be concluded from section 5.2 of getmonero.org/library/Zero-to-Monero-2-0-0.pdf

isthmus: Thanks. Yes, I was starting to look through that :)

"The hardness of the discrete logarithm problem ensures calculating γ from H is infeasible"

Then would it be a good idea to perform a "turnstile" once we have a tx protocol that a quantum computer cannot counterfeit? Or could the quantum-resistant protocol be structured so that no counterfeiting could be performed on the input side of the transaction (and the quantum-resistant cryptography would be forced to be used in every output).

so if γ can be calculated from H by a DLP solver, it can add γ to the total value of the output in a transaction, which will probably be some crazy amount of XMR - around 10^73

Rucknium[m]: you’d probably want a sunset on pre-quantum coins

On transitioning them to post-quantum*

A turnstile is just an invitation to steal from old users

If there is a sunset, old inattentive users would lose their coins anyway, right?

Yes

People can leave their coins untouched for years

just now we had a user from minexmr in #monero-pools who asked "why not work". 5 months after minexmr clode

*closed

This isnt Bitcoin. If we have to abandon people who don't check in for a year to improve the chain we should.

^ Hard disagree, we cannot force users to move their coins

It's obviously the most drastic measure but if it's necessary for some massive improvements, why not?

abandoning OG users is a true shitcoin territory, please no

Probably depends how things progress further with those fabled quantum computers. I am one of those who say we are not yet even sure they will *ever* work

in this universe at least

I mean, a DLP solver could probably forge key images so I don't think you can continue supporting any pre-quantum indefinitely.

sorry no, forging key images doesn't matter because you can drain the entire turnstile in 1 tx

it's either a hardfork-defined sunset, or a race to drain the turnstile

Turnstile would work up until the point actual quantum computers become viable, hardfork could potentially sunset decades prior

People can get fucked till (1) turnstile end date or (2) someone manages to generate infinite coins. Best to let them be fucked at the latest possible date. It's thus 2.

That is, if you set 1 date earlier, they get fucked earlier (that is, they get less leeway).

If you set date 1 later, they get fucked by 2 first.

So setting date 1 later is better. Which is equivalent to not setting a date.

Unless you view "preventing someone from stealing coins" to be better than "ensuring noone gets their coins arbitrarily destroyed".

Not doing harm seems better than letting harm happen (assuming rough equivalance between the amount of harm in either case).

At least in this case where you cannot predict when 2 might happen so you can set 1 right before it.

There *is* an argument for saying the magnitude of harm to 1 goes down as enough time passes though.

But it is pretty subjective.

(as in, when one can argue than the time-decreased harm from 1 is less than the potential harm from 2)

In a sense I suppose it's similar to the trolley problem actually... With unknown amounts of people on either side.

With the added complication that you change the rules midday.

I certainly think there are some design choices that complicate this. Transparent migration (revealing amounts) with a total amount limit would be an example.

Why would you want to reveal amounts ?

Is this undoable without revealing amounts ?

nvm, your wording did not imply that. Ignore me.

yeah I'm pretty sure turnstiles must be transparent, because otherwise there is no way to know when you have reached the end condition (put another way - if there is a way to test the end condition then you can always deduce each incremental amount that passes through the turnstile)

Aren’t switch commits conceptually a non-transparent turnstile?

If we define going through a “turnstile” to be migrating outputs generated by a quantum-vulnerable transaction format to a quantum-secured supply, there’s a few ways to do this.

One approach that fits this definition is the Zcash-style turnstile (old shielded pool –> transparent pool –> new shielded pool)

But another approach is simply making a transaction with switch commitments! If you think about it, that *is* going through the turnstile :D

So if we implement switch commitments in 2025 and then in 2040 cryptographically relevant quantum computers (CRQCs) appear plausible in the near future, pretty much the entire supply (any moneroj that have been moved since 2025) will be post-turnstile.

Besides avoiding some kind of last-minute turnstile double race conditions (race #1 for devs to develop and deploy the turnstile, race #2 for users to get through it) it has good optics for the intervening timeframe as well.

When people post honest or FUD questions on reddit about CRQCs vs Monero supply, we can say that there’s already an output protection mechanism in the protocol, and to protect your funds just follow these steps:

(1) Make a transaction moving your funds

There. Done. If some long-tail breakthrough in QC tech jeopardizes the integrity of old outputs, your funds are already on the post-quantum side of the line.

Well, we have range proofs. If they can get accumulated, you could maybe do "is sum(these) > threshold". Theoretically.

Well, maybe not range proofs in this case, but other crypto ops that do not leak the actual value.

Oh. Nevermind. If you could do that, then I suppose an attacker could brute force by making their own proofs and then binary search any existing proof's value.

isthmus: yes you definitely need a conversion process that starts when 'risk of DLP solver viability' becomes convincing, but the question is what to do about old funds once you are in the 'danger zone'. Either old funds can't be converted at all, or you have a turnstile that lets some funds through with the idea that at least some honest users will get through before an adversary drains the remaining amount.

That question remains, orthogonal to any mitigation angle, and I don't touch it ):

Nothing we do in the future is going to make v2 transactions post-quantum, sad fact of life

So I tend to be forward-looking

If you have to have cleartext amounts, then the answer is obvious: no end date.

In that case, the only difference is who gets the coins: you do not stop honest people from getting their coins back at any arbitrary date.

We don't have to have cleartext amount

And the attacker can only get the remainder, which does not inflate.

Ah, OK.

I think that's the beauty of ElGamal commitments

No plaintext step

That's equivalent to switch commitments in this context ?

Or like, ElGamal commitments are a type of switch commitment

afaik

There could be other types(?)

Here's the main reference eprint.iacr.org/2017/237.pdf

They are statistically binding but only computationally hiding - so I think the takeaway is that even with a CRQC, to see the amount an adversary would have to crack the hiding.

(which would be very expensive even if a CRQC could do it in polynomial time, probably not a high priority for an attacker looking to make or steal money)

Ah this doc might be more relevant and readable gist.github.com/tevador/23a84444df2419dd658cba804bf57f1a

moneromoooo: post-quantum would have hidden amounts. Option 1) conversion process where you go pre-quantum -> post-quantum with a fixed end date on conversions. Option 2) conversion with a turnstile where you go pre-quantum -> cleartext -> post-quantum and block new conversion txs when cleartext = amount pre-conversion-activation max (i.e. total amount created by block rewards up to the first post-quantum block) (if

using a turnstile, then ALL conversion txs must go through the turnstile so you know when the end condition is met).

cleartext amount = pre-conversion-activation max *

so either hard end date, or all users expose amounts when converting

That would be funny

Seeing how many coins are still active

it would be a privacy catastrophe

But very Anti-Ethos

UkoeHB: Yeah

<jokingly> The transaction uniformity improvements of Seraphis are going to knock out most of the Noncesense Research Lab chain analysis arsenal... At least a cleartext turnstile would give me something to analyze!

with elgamal commitments you could theoretically start the conversion process very early, but you need a comprehensive switch protocol (switch commitments by themselves are useless); this is the only existing proposal gist.github.com/tevador/23a84444df2419dd658cba804bf57f1a

oh isthmus linked that already

If my understanding is correct an attacker who has a CRQC could forge xmr out of thin air. In this case what benefit would a turnstile have if the entire old supply could be converted into the post quantum xmr. Wouldn’t the attacker drain all the funds and essentially destroy monero due to a single entity controlling a majority of the supply?

Why would a single entity controlling a large share of the total supply "destroy Monero"? That would only be a problem if Monero were proof-of-stake.

a currency needs to be widely distributed to be useful. it wouldn't break consensus but it would make it functionally hard to use as a currency if you could effectively only buy it from one guy. at that point why not start a new chain tbh

"so either hard end date, or all users expose amounts when converting" <- It could also be done by revealing amounts only after the cutoff date since the blinding factor is derived as H("amount" || key), revealing the key proves the amount in the original commitment in a way a CRQC cannot easily fake.

tevador: the conversion method question is about old enotes, i.e. enotes without any elgamal or whatever

yes, I was talking about RingCT outputs

AFAIK wallets derive the blinding factor this way

ah

a DLP solver could fake the key but then the you'd lose the range, so it could work

the problem is old key images can be forged

I think?

seraphis key images definitely can be, idk about cryptonote

RingCT key images cannot be forged, forging only applies to Seraphis.