00:40:15 I am 314stache_nathy from Reddit, I have deleted my account in Reddit and Matrix (an foid
00:40:40 I am 314stache_nathy from Reddit, I have deleted my account in Reddit and Matrix.
00:41:14 I deleted from Reddit to use more decentralized platforms (and my old account here had problems).
00:42:24 Nice to meet you again guys :)
01:26:53 vtnerd: It's up to us, but for a finality layer:
01:26:55 - We can have staking outputs be transparent
01:26:57 - We can have staking outputs be private
01:26:59 If private, we need to eventually decrypt the _sum_ of stake. This isn't an issue. What's notable is decryption of not just the sum, but every individual staking output, would be possible by:
01:27:01 - A malicious 67%
01:27:03 - A quantum computer
01:27:05 We can avoid this by adding one more layer to the system.
01:27:07 - The user creates a timelocked output to stake
01:27:09 - The user creates a stake transaction which:
01:27:11 1) Proves the existence of a staking output
01:27:13 2) Proves it encrypts the correct amount
01:27:17 Ugh, my formatting just got butchered.
01:27:43 If we are unlinkable to the outputs, slashing becomes more difficult. It's possible?
01:28:48 kayabanerve: Did you check the recent work in PoPETs about private Monero reserve proofs? Maybe something could be useful in there.
01:29:01 Validators, to vote, would have to say 'I own some output for X' (again, not linked to the output under FCMP++ methodology except via a key image). We could assign dedicated key images for staking, allow slashing staking key images, and then as we prove the key image wasn't prior used, we would prove the staking key image wasn't slashed?
01:30:18 But requiring publishing the staking key image would be linkable from on-chain outputs to validators. We'd have to handle the 'staking key image' inside the FCMP and not actually publish the 'staking key image'. Probably a _sparse_ merkle tree?
01:32:19 TL;DR We can get effectively full unlinkability from staking to actual Monero outputs _and_ maintain slashing with more and more technical designs. All descend from the FCMP methodology, and all would be feasible, but would require:
01:32:19 - An extra TX type to add a forward-secret degree of separation between the output and the stake declaration
01:32:21 - A non-trivially slower FCMP (4x?)
01:32:23 https://moneroresearch.info/266 Thakore, V., & Vijayakumaran, S. (2025). MProve-Nova: A Privacy-Preserving Proof of Reserves Protocol for Monero, Proceedings on Privacy Enhancing Technologies, 2025(2), 582–606.
01:32:43 Is it technically possible to know (as a miner software) if I'm taking part in an attack from my pool on the network? And if so, adding an option on the mining software to switch to another pool if such attack is detected. This prevents those who invest in monero from hurting the trust in the token
01:32:48 (This is in response to a tweet from vtnerd, which I responded there and here as well as I'd prefer to discuss it here)
01:33:07 Rucknium: I'd have to look for the exact techniques but possibly :)
01:33:51 Pedro Da Fonseca: This is a good question to bring to the #monero room. The short answer is use p2pool.
01:35:04 Thakore & Vijayakumaran (2025), linked above, have their own technique and the literature review could be helpful. It applies to RingCT outputs now AFAIK.
01:36:09 I've outlined a few chapters of my proposed book to discuss ways the L1 can declare staking outputs, and the tradeoffs it causes :)
01:40:27 Ok but it could also be a defense mechanism, if the most part use this option, even if they're on qubic for profitability each time they try to become a bad actor they're fucked and can't know in advance by how much
01:43:16 Only works if they use the mining software from monero when linked to qubic don't know if it's the case
05:51:11 this has privacy implications though.
Assuming the stake is a large percentage of the monero supply, knowing the amount staked (and how it changes) helps with correlating large amounts of capital that move in and out of monero.
06:11:34 I was responding specifically to being able to link it to outputs.
06:11:57 If you see a notable amount of Monero leave the staking pool, and a similar notable amount hit your exchange, then obvious guesses are obvious.
06:19:37 if you consider the extreme case where almost all of the monero is staked, then it is easy to correlate when somebody swaps in and then out again. For large movements of capital this still applies even at realistic percentages of total market cap staked. thought you agreed to this here https://github.com/serai-dex/serai/issues/333#issuecomment-3191481625 but just realized when rereading that you only agreed to low amount of stake per validator. I would argue even low amount of stake for the total network is desirable. Would you agree?
06:35:37 Sorry, I did misunderstand you there. I called for an accessible stake for decentralization.
06:36:27 Considering the amount of stake is only publicly revealed as a weekly difference, I'm unsure how impactful that is for small entries/exits into the staking pool.
06:37:11 By assigning everyone one stake, and having someone who stakes five times still appear as five distinct validators, it also wouldn't be feasible to determine if one large amount of stake dropped off or a lot of small entries.
06:37:26 I'll agree there's theoretical concerns regarding the privacy pool
06:42:43 I don't think those are theoretical. One of the main benefits of Monero over something like tornado cash is that you can go in with size.
07:36:17 Monero users don't have to stake if they don't want exposure to these considerations.
07:48:22 I once understood that what was being considered was to only stake coinbase outputs, is that no longer the case?
Because in the case of coinbase outputs there is direct linkability with the mining address in the case of p2pool. And in order to maximize the number of coinbase outputs one detains, the use of p2pool imposes itself, right?
07:53:12 This was ofrnxmr's idea
07:53:59 and it isn't considered at the moment because of mining window and hashrate need to stake enough coinbase
07:54:16 so it will either take 2 weeks for big pools, or 2 years for other
07:54:54 at least that's what I remember
08:05:42 Thanks for the precision, that's too bad it's not seriously considered, this would retain the ethos of Monero way more than if a staker can simply buy its stake :-(
08:45:00 An issue here is false accusations by blockchain surveillance companies that, while mathematically unsound, could still be accepted by a court of law especially at first instance.
08:46:56 Blockchain surveillance is based upon the sale of guesses to governments and law enforcement.
08:47:59 It is for front deterministic
08:48:14 From
08:50:23 The fact that judges understand nothing about cryptography or mathematics yet have to decide on the life of someone else over it. Explaining them why they are false sounds like insolence doubled by an impression of arguing semantics to them. No shit they prefer to rely le and blockchain surveillance claims. It's always about assurance, not doing the right thing
09:00:27 The issue is that the Court can accept an argument that can be mathematically valid for a certain case and extrapolate it to situations where there is little or no mathematical validity.
09:00:27 This is what happened in the case in US Federal Court that I was presented at last year. I am not saying that this will be upheld by the higher courts, but even if it is overturned on appeal a lot of harm can be done to an innocent person.
09:00:29 If blockchain surveillance can work for large amounts, then innocent people with small amounts can and will be falsely accused.
09:03:13 I was working for the defense in the case.