<kayabanerve:matrix.org> > I am explicitly proposing immediately starting a parallel research and development effort on a post-quantum protocol.
-
m-relay
<kayabanerve:matrix.org> It's up to y'all to do whatever with my opinion there but it's probably worth raising here with the recent news demonstrating mounting pressure.
-
m-relay
<sgp_:monero.social> Fwiw, MAGIC Grants has raised money with the intent to help research and implement solutions for this specifically. Significant resources are already available
-
m-relay
<syntheticbird:monero.social> I'll profit from the post-quantum discussion to make a request: most users are on the monero.social instance; can we guarantee, before QDAY happens, that the entire Matrix instance gets erased?
-
m-relay
<syntheticbird:monero.social> Useless if we consider *Harvest now, Decrypt later*, but I think it is still sane to do so.
-
m-relay
<syntheticbird:monero.social> Since cross-monero.social direct messages do not leak to other instances.
-
m-relay
<detherminal:monero.social> Is there a Quantum Research channel for Monero?
-
m-relay
<syntheticbird:monero.social> no
-
m-relay
<monerobull:matrix.org> Russia apparently isolated 3 regions from the internet; if they are big enough to include some nodes, this would be pretty interesting to keep an eye on.
-
m-relay
<monerobull:matrix.org> ```
Russian federal censor Roskomnadzor appears to be testing the Russian sovereign internet in Russian regions populated by ethnic minorities. Dagestani telecom operator Ellko reported that Roskomnadzor conducted a test to revoke Republic of Dagestan residents' access to foreign websites and applications from December 6 to 7, and Radio Free Europe/Radio Liberty's Caucasus service reported that users in Dagestan also experienced issues accessing WhatsApp and Telegram social media and messaging services.[22] Dagestani publication Chernovik reported that users in the Chechen and Ingushetian republics also experienced issues accessing foreign and some domestic websites and online services, including YouTube, Google, and some services of Russian internet giant Yandex — even with virtual private networks (VPNs).[23] Roskomnadzor confirmed on December 6 the test in the Republic of Dagestan and stated that the test is to ensure that "key replacement infrastructure" can function if Roskomnadzor deliberately disconnects Russia from the global internet.[24] Roskomnadzor likely intended in part to test its ability to successfully disconnect Chechnya, Dagestan, and Ingushetia — Russian federal subjects with Muslim-majority populations and recent histories of instability — from services like Telegram in order to control the information space in the event of instability in the future. Roskomnadzor previously attempted to disconnect users in the Dagestan, Sakha, and Bashkortostan republics from Telegram during antisemitic pogroms in November 2023 and protests in January 2024.[25] The Kremlin has recently invested roughly 59 billion rubles (about $648 million) into developing its technical capabilities to restrict internet traffic and has devoted efforts to compelling Russians to migrate from Western social media platforms to domestic platforms that the Kremlin can more easily control.[26]

Roskomnadzor indicated that it may intend to force Russians to migrate their websites from Western hosting providers to Russian hosting providers likely to better enforce Russian censorship laws. Roskomnadzor also warned on December 7 that it could block eight foreign web service hosting providers, including Amazon Web Services (AWS), GoDaddy, and HostGator, from operating in Russia due to noncompliance with Russian censorship laws.[27] Roskomnadzor has previously issued such warnings ahead of blocking Western websites and online services likely to test the reaction to these blocks before implementing them and pressure Russians to switch to domestic, Kremlin-approved and -controlled platforms and services.[28]
```
-
m-relay
<syntheticbird:monero.social> Opened a discussion on MRL repository:
monero-project/research-lab #131
-
m-relay
<syntheticbird:monero.social> My starting introductory point is that I agree with KayabaNerve, and we're just in time, or too late, to start implementing post-quantum security.
-
m-relay
<syntheticbird:monero.social> Obviously I hope MRL members will be able to link other important points or discussions that might have happened and were not included in the original comment. cc: Rucknium
-
slave_blocker
Is it possible to do one-time blinding for the amount commitment?
-
m-relay
<jeffro256:monero.social> Amount commitments are already perfectly blinded, so long as the QC doesn't know your Monero address.
-
m-relay
<jeffro256:monero.social> At a fundamental level, if we use ECDH to encrypt tx details and give hints to open Pedersen commitments, then if that ECDH is found, it reveals amount information. What a QC needs to calculate the ECDH is both the enote ephemeral pubkey (which resides in the open on-chain) and the Monero address pubkeys. An adversary will always have the enote ephemeral pubkeys available to them due to the nature of blockchains, but the public address isn't necessarily available to them.
-
m-relay
<jeffro256:monero.social> There's some good discussion here:
monero-project/research-lab #106
-
m-relay
<jeffro256:monero.social> Tevador proposed a one-shot, quantum forward-secret scheme for sending funds where both sender and receiver know the secret spend key. It doesn't require interactivity, but payments can "bounce" and aren't confirmed until the receiver sends it back to themselves. At the end of the thread, I propose an interactive quantum forward-secret scheme which can't "bounce", doesn't require individual BPs, doesn't reveal to the sender when the payment is spent, and can be recovered by a deterministic Jamtis/Carrot wallet. The interactivity requirement might bar it from some use cases, though. But for any normal online retail-like payment, credit card or crypto, there is already some merchant service running which processes payments in real time.
-
m-relay
<jeffro256:monero.social> Tevador's scheme would have a similar flow to how current Monero addresses work, where you can consume an address and immediately construct a transaction to the receiver. However, it still needs an off-chain asynchronous channel like an email to work.
-
m-relay
<jeffro256:monero.social> Neither of these requires any advanced post-quantum cryptography to maintain unconditional confidentiality. Though, it should be noted that a QC could still inflate the supply.
-
slave_blocker
Amount commitments are already perfectly blinded, so long as the QC doesn't know your Monero address?
-
slave_blocker
but as far as I had understood it, the private key of H is unknown
-
slave_blocker
such that it is not known H = xG
-
slave_blocker
where the x or gamma is unknown
-
slave_blocker
and if it were found out, then one could print Monero at will?
-
slave_blocker
If I recall correctly, C = aG + bH
-
slave_blocker
where b is the amount and a is the blinding factor
-
slave_blocker
so if I sent Monero to myself, knowing the rest of the info for the transaction, I could make a new commitment for another amount?
-
slave_blocker
so C = C', but C' uses a different amount b?
-
slave_blocker
(at least that's how I put it into the ZtM v2 in Portuguese...
-
slave_blocker
That's why I asked about that: if there is this unknown discrete log which can't be broken, say the private key of H, and if that is used merely for the amount commitments...
-
slave_blocker
then if it were possible to do "one-time" amount commitments
-
slave_blocker
Well, thanks for your reply jeffro256, I shall read up on it further :)