-
m-relay
<nineteen_century_man:matrix.org> Hello to everyone,
-
m-relay
<nineteen_century_man:matrix.org> I'm new to this chat. I know the Monero cryptography, and your idea of using the Curve-Trees-based FCMP++ approach as a replacement for CLSAG looks extremely interesting to me.
-
m-relay
<nineteen_century_man:matrix.org> Recently I had an idea of a minimalistic efficient signature
-
m-relay
<nineteen_century_man:matrix.org> eprint.iacr.org/2024/921 which also can drop-in replace CLSAG.
-
m-relay
<nineteen_century_man:matrix.org> I've tried to make an announcement of it on Monero's Reddit, however Reddit filters block it. If the FCMP++ solution audit is expected to take a long time or if you continue to consider different possible options, could it be of interest to you to take a look at my draft? If this is the case, I'd be happy to hear your feedback or opinions.
-
m-relay
<rucknium:monero.social> C19th-adm: Welcome! You are in the right place.
-
m-relay
<rucknium:monero.social> kayabanerve , kayabanerve : Do you have any thoughts about the paper^?
-
dEBRUYNE
nineteen_century_man: Can you link your Reddit post please?
-
dEBRUYNE
I can approve it
-
m-relay
-
dEBRUYNE
Could you repost it first please?
-
dEBRUYNE
The thread is 2 days old and will not get any visibility, even if it is approved
-
dEBRUYNE
A new thread that is directly approved will though
-
m-relay
-
dEBRUYNE
Approved and upvoted :-P
-
m-relay
<nineteen_century_man:matrix.org> See it, thanks a lot!
-
dEBRUYNE
Your account is new and therefore the thread was filtered, if you leave a few comments (people probably will have questions), you should be over the threshold for comment and post karma fairly quickly
-
dEBRUYNE
np!
-
m-relay
<nineteen_century_man:matrix.org> Clear, thanks)
-
m-relay
<kayabanerve:matrix.org> I believe I remember reading this :)
-
m-relay
<kayabanerve:matrix.org> I believe FCMP++s are on track for the next hard fork (which is up in the air, yet the FCMP++ effort has gone very well so far). If it was still a ways out, I'd agree this likely would be worth future review.
-
m-relay
<kayabanerve:matrix.org> So while I don't personally believe it's worth the excursion (review, implementation, audit, and PR) at this time, I do want to say it's quite interesting work and I appreciate the submission :)
-
m-relay
<kayabanerve:matrix.org> *I do want to explicitly note FCMP++s are log size and log time, as despite using an O(n)-time proof, its program is of log size to the statement.
-
m-relay
<rbrunner7:monero.social> Is this an unlucky case of being late? I guess that 5 years ago or so we could have switched to this, with nice benefits, if it really holds?
-
m-relay
<nineteen_century_man:matrix.org> FCMP++ is shorter and faster, no questions. One possible objection that I can think of may appear during the audit is the additional EC introduced by FCMP++, Helios&Selene, as it's currently proposed. Helios&Selene is shown having >120bit security in theory, however it is new. Compared to the current state with only one underlying EC, the time-tested Ed25519, the system became no <clippe
-
m-relay
<nineteen_century_man:matrix.org> more as secure as Ed25519. Thus, my guess is that a cautious way might be to test Helios&Selene+Ed25519 as they come in FCMP++ in a smaller solution. Namely, in a smaller system with high incentives for hackers, e.g. DEX, which can be turned off in the case of emergency.
-
m-relay
<nineteen_century_man:matrix.org> Simple solutions come last, paraphrasing Einstein)))
-
m-relay
<kayabanerve:matrix.org> Assuming it's all valid, it'd be Triptych-comparable.
-
m-relay
<kayabanerve:matrix.org> Speaking of, I'd have to check the feasibility for MPC protocols of it.
-
m-relay
<kayabanerve:matrix.org> IMO, which isn't that of an expert, curves are trivial to prove secure. If you ignore single-coordinate ladders/uncompressed points, it really comes down to the MOV attacks and embedding degree.
-
m-relay
<kayabanerve:matrix.org> There's a bunch of other factors you can consider, see the list of SafeCurves criteria, yet most of them I'd argue egregious/not modern day relevant.
-
m-relay
<nineteen_century_man:matrix.org> I'm not a big expert in curves either. Leaving this question to the judgement of more experienced people. I still perceive a difference between the triviality of being proved secure and having a practical record of being secure for a long time... So, it's good that you're going to check it with various protocols.