00:30:03 <m-relay> <o​frnxmr:monero.social> Pros of carrot vs jamtis rct?
00:31:05 <m-relay> <o​frnxmr:monero.social> Why go "carrot > jamtis" instead of "jamtis rct > jamtis "
01:33:20 <m-relay> <s​yntheticbird:monero.social> Carrot is heavily based on Jamtis. Quoting carrot:
01:33:21 <m-relay> <s​yntheticbird:monero.social> > Carrot is not the only upcoming addressing protocol for Monero's FCMP++ consensus protocol. **The other big contender is Jamtis, for which Carrot is designed to be indistinguishable on-chain**, which will justify some seemingly strange design choices later on in this document.
01:33:23 <m-relay> <s​yntheticbird:monero.social> > Special thanks to everyone who commented and provided feedback on the original Jamtis gist. Many of the ideas were incorporated in this document.
01:33:25 <m-relay> <s​yntheticbird:monero.social> > A very special thanks to @tevador, who wrote up the Jamtis and Jamtis-RCT specifications, which were the foundation of this document, containing most of the transaction protocol math.
01:37:23 <m-relay> <s​yntheticbird:monero.social> And iirc comments suggest that Carrot offer *stronger forward secrecy* than original Jamtis. Tho in practice no addresses should be known by the ECDLP solver.
01:38:23 <m-relay> <s​yntheticbird:monero.social> cc jeffro256
01:44:39 <m-relay> <k​ayabanerve:matrix.org> Dan (Is not the man & Braxman Tomsparks Advocate) Backup: Carrot was created for FCMP++. The FCMP++ Research CCS isn't scoped to it. I don't personally want to risk wearing it thin for what is an optional add-on (there's a much much simpler scheme we could do if we just want to solve the burning bug/forward-secrecy aspects).
01:45:43 <m-relay> <k​ayabanerve:matrix.org> SyntheticBird: No, they aren't auditing the crate, they're expanding their prior work on security proofs in response to Aaron's review and an issue they noted when going from academia to practice.
01:47:44 <m-relay> <k​ayabanerve:matrix.org> IIRC, Carrot is effectively JAMTIS RCT, specifically the protocol on sending to existing addresses under JAMTIS RCT. JAMTIS RCT was also an entire new address format. That is not included in Carrot.
02:16:25 <m-relay> <j​effro256:monero.social> "Jamtis" was originally for Seraphis. If we stay on FCMP++, we'd only maybe do Jamtis-RCT, not Jamtis. Carrot and Jamtis-RCT are for FCMP++, Jamtis is for Seraphis
02:16:30 <m-relay> <j​effro256:monero.social> We're so good at naming things
02:18:05 <m-relay> <j​effro256:monero.social> The main pro is that we can have backwards compatible support for existing wallets
02:18:26 <m-relay> <j​effro256:monero.social> You'd have to regenerate account keys for Jamtis-RCT and the addresses take a different format
02:19:10 <m-relay> <j​effro256:monero.social> So we wouldn't be going Carrot > Jamtis, but we might go Carrot > Jamtis-RCT
02:20:29 <m-relay> <j​effro256:monero.social> Jamtis and Jamtis-RCT have the basically the same forward secrecy properties as Carrot, there's no real difference there