-
br-m<gingeropolous> so according to that table we get "might have received an enote in block x" for either 5x or 18x the scan time. This 5x or 18x... is this another thing we can optimize, or hold another competition to optimize? where's the dude that did the divisors crazy speedup....
-
<tevador> This 5x and 18x already assumes an optimized x86 assembly implementation (based on this paper: eprint.iacr.org/2021/633 ). Further major optimizations are unlikely and portable code will be even slower (e.g. ARM).
-
<tevador> I'm proposing this to be discussed at the next MRL meeting (full table): monero-project/research-lab #151#issuecomment-4412416686
-
br-m<kayabanerve:matrix.org> > I'm just not convinced about address-linkable PQ view keys being a goal
-
br-m<kayabanerve:matrix.org> > So you think zero PQ privacy is better than PQ hidden amounts + linking tags? That's quite surprising.
-
br-m<kayabanerve:matrix.org> Right, so when we're discussing a non-trivial cryptosystem which is a notable software, performance penalty, and doesn't stop a QC from identifying which outputs belong to you, I'm unsure this is a goal.
-
br-m<kayabanerve:matrix.org> If this was relatively drop-in, free, ofc, I'd be up for PQ amount privacy, or even if it was to some threshold.
-
br-m<kayabanerve:matrix.org> The amount of work discussed here for amount privacy doesn't seem worthwhile, but I have to note I had yet to consider the claim that while a QC can confirm the address received coins, it couldn't identify when the coins were spent.
-
br-m<kayabanerve:matrix.org> That probably achieves most of the unlinkability properties we'd want and justify AC1024?
-
br-m<kayabanerve:matrix.org> I'll also apologize for not realizing that distinction earlier
-
br-m<ixr3:matrix.org> For me as a user. That sounds acceptable. Better than nothing > <tevador> Even with Option A (hidden amounts + linking tags), QA cannot construct a transaction graph. If the QA has Alice's and Bob's Jamtis addresses, they can see enotes coming to their wallets (without amounts), but cannot infer that they are transacting with each other.
-
br-m<ixr3:matrix.org> Since CSIDH might break. I will use Carrot internal forward-secrecy as first layer. Second layer Jamtis-PQ
-
<tevador> ixr3: Jamtis also has internal forward secrecy (independent of CSIDH). In fact, Carrot adopted it from Jamtis.
-
br-m<ixr3:matrix.org> tevador: Great engineering!
-
br-m<boog900> Looks like some more nodes have come online: xmrnetscan.redteam.cash
-
br-m<boog900> around 1000 since the start of the month, they pass the proxy check but I would be surprised if they were not spies
-
br-m<boog900> or it might be that some proxy nodes updated to now not show as proxies looking at it more.