04:49:32 <superquantum> greetings 
12:49:26 <gingeropolous> superquantum, greetings
15:00:01 <m-relay> <d​iego:cypherstack.com> hi
15:00:05 <m-relay> <d​iego:cypherstack.com> https://github.com/cypherstack/divisor_deep_dive
15:26:01 <m-relay> <r​ucknium:monero.social> From `followup.pdf`:
15:26:02 <m-relay> <r​ucknium:monero.social> > Great material may come from Eagen’s work on divisors and Bassa’s follow-ups, but more time is necessary. Production deployment of code based on these approaches is premature. We find the following troubling issues have not fully been addressed, which range from superficial to serious. We describe the approach from a high level in Section 2, elaborating on our complaints along the way.
15:26:26 <m-relay> <r​ucknium:monero.social> > - The informality of the work in [Eag22] leads to an accumulating cascade of unclear reasoning, leading to unseen complications, weak conclusions, and more.
15:27:01 <m-relay> <r​ucknium:monero.social> > - Even after Bassa’s clarifications in [Bas24c], [Bas24a], and [Bas24b], there still still seems to be some mistakes related to calculus and the application of the Schwartz-Zippel lemma. Specifically, the verification equations may have terms excluded which have no impact on correctness but do impact soundness. These mistakes seem to be restricted to generalizations over highe<clipped message
15:27:02 <m-relay> <r​ucknium:monero.social> r multiplicities, and they seem to be correctable. Nevertheless, such mistakes would not be caught by typical correctness tests, and fixing them will require a nontrivial amount of work.
15:27:28 <m-relay> <r​ucknium:monero.social> > - Even after corrections are made, the resulting scheme is (or rather, the schemes described in [Bas24c], [Eag24], and [Par24a] are) highly malleable and with a non-zero soundness error, introducing unnecessary attack surfaces and calling soundness results into question.
15:51:56 <m-relay> <r​ucknium:monero.social> > As such, because we are cryptographers who aim to only ever “do no harm” Monero, we cannot in good conscience recommend Eagen’s approach for practical implementations until a deeper degree of research can put these fears to rest.
15:53:00 <m-relay> <r​ucknium:monero.social> > If Bassa’s proofs are valid (or are correctable) and the soundness error is asymptotically negligible, it may still be the case that the practical soundness error in a given implementation may be unacceptably high. Indeed, all assessments of soundness error put forth so far have been only asymptotic assessments. Computing the literal, practical soundness error of a given imple<clipped message
15:53:00 <m-relay> <r​ucknium:monero.social> mentation is therefore of tremendous importance, is nontrivial, and will depend on implementation, including the choice of elliptic curve over which the statements are being proven.
15:55:35 <m-relay> <r​ucknium:monero.social> This ^ statement seems to put a lower bound on the amount of work that would be required for safe FCMP deployment with Eagen's divisors. Tomorrow, a valid proof of the general technique could emerge, yet more analysis would be required to make sure that a specific curve would not open a large enough hole in the probabalistic defense. Is that correct?
16:28:17 <m-relay> <f​reeman:cypherstack.com> From a pedagogical perspective, it's the duty of the author to convince the reader beyond a doubt. The divisor stuff may be the best thing since sliced bread, but ultimately we had to ask ourselves "are we convinced enough to put *our money* behind it?" and the answer was no. We believe it needs to be put on a more formal foundation firstly, then a number of smaller issues should <clipped messag
16:28:18 <m-relay> <f​reeman:cypherstack.com> be addressed, and THEN we'll be convinced enough to protect our funds with it.
16:29:52 <m-relay> <r​ucknium:monero.social> Exactly.
16:43:27 <m-relay> <r​brunner7:monero.social> I guess if you are a crypto "titan" like Eagen you can leave such things to the reader :)
16:43:51 <m-relay> <r​brunner7:monero.social> *Eagan
16:49:04 <moneromooo> So you're saying Eagan has value ?
16:49:07 * moneromooo runs
16:55:36 <m-relay> <f​reeman:cypherstack.com> Any details that aren't clear can become attack vectors in the future, so even if it was written by Dan Boneh, we would feel obligated to verify for ourselves... yes, even at the cost of slowing down progress