-
m-relay<kayabanerve:matrix.org> CS delivered their review of the Veridise work regarding sums of points, a prelude to their latest work which was recently delivered. It's in agreement until we get to the last part, discussing the security of how the proof is proven over integers yet performed over a finite field. Veridise argued it is secure. CS disagrees and says a range proof is needed.
-
m-relay<kayabanerve:matrix.org> The faulty proofs CS describes aren't forgeries though, per our view. The fundamental gadget proven, that points sum to zero, holds its integrity. The prover solely gets to find alternative points without range proofs.
-
m-relay<kayabanerve:matrix.org> This isn't expected to be an issue for Monero because as we move into a scalar multiplication gadget, from a sums of points gadget, we do successfully fix points in a way the adversary shouldn't be able to perform this malleation to effect.
-
m-relay<kayabanerve:matrix.org> While CS is not signing off on our total gadget (that'd be the next scope of work), and this work has notes on this part, we agree we can move forward to this next scope of work and reconcile the concerns there.
-
m-relay<kayabanerve:matrix.org> I'll follow up with CS to get a quote on the latest document from Veridise, certifying the full gadget and pseudocode of it.