<neptunian:unredacted.org> ++ on this. Sorry for being late. I'd like to still toss some banter into the mix. > <@jberman> PGP has a notoriously poor UX and hasn't caught on to a significant degree among non-technically inclined people. I'm not sold on an interactive opening round being something most people will be inclined to do
<neptunian:unredacted.org> I'll also be responding to @spirobel:kernal.eu 's response to the response:
<syntheticbird> pgp has track record of vulnerabilities. end of the story for me personally. No sane person should use PGP when SSH keys can be used to sign messages.
<syntheticbird> and for encryption you can just use age
<intr:unredacted.org> > 1. someone sends to a publicly posted donation address. the wallet transparently sends a message to the receiver containing the SSK. there is no difference to before
<intr:unredacted.org> if it's a static donation address, what receiver is he talking about?
<hbs:matrix.org> @syntheticbird: Do SSH keys have PQ algo yet? Last time I checked nope
<neptunian:unredacted.org> @hbs:matrix.org: PGP doesn't have PQ-DSA AFAIK.
<neptunian:unredacted.org> So this is moot.
<hbs:matrix.org> @neptunian:unredacted.org: latest version has kyber support
<neptunian:unredacted.org> @hbs:matrix.org: That's KEM, not DSA.
<neptunian:unredacted.org> DSA would be Dilithium (I expect they'd use that.)
<syntheticbird> @hbs:matrix.org: TIL the IETF managed to standardize something
<neptunian:unredacted.org> I personally use Signify/Minisign for signing because I like the fish.
<syntheticbird> @neptunian:unredacted.org: Dilithium is indeed the one discussed in the mailing list
<hbs:matrix.org> @syntheticbird: ... sort of
<syntheticbird> @hbs:matrix.org: yeah i bet its still in test
<syntheticbird> not yet completely adopted, looking for real world data
<syntheticbird> last time i looked into the mails was mid 2025
<hbs:matrix.org> @hbs:matrix.org: actually was speaking of latest GnuPG, not legacy PGP
<syntheticbird> yeah we're all talking of GPG
<neptunian:unredacted.org> I figured. I wasn't talking about legacy PGP either.
<neptunian:unredacted.org> I assume SSH will end up with Dilithium. Falcon seems annoying to implement securely and SLH-DSA is fat.
<syntheticbird> or
<syntheticbird> people can use toy encryption projects
<syntheticbird> i swear someone shared something like that here, but i don't remember the name
<neptunian:unredacted.org> > The argument in favor for it are some abstract ideas that nobody in the real world will ever care about. Especially because the same abstract properties can also be found in protocols that don't require addresses over 400 bytes long. > <@neptunian:unredacted.org> I'll also be responding to @spirobel:kernal.eu 's response to the response:
<neptunian:unredacted.org> I think it's entirely unfair to say that PQ privacy isn't an entirely justified reason for somewhat of a UX regression. In your post, the claim is made that Monero-PSK achieves PQ resistance as a result of a private channel.
<neptunian:unredacted.org> > there are other ways to do PQ privacy as you have discussed before, if the channel stays private monero-PSK has PQ privacy too without 400 character addresses.[... more lines follow, see mrelay.p2pool.observer/e/_PXfjogLbGhkVm11 ]
<neptunian:unredacted.org> age is one of my favourite modern encryption suites. I use it for a lot of symmetric encryption. > <@syntheticbird> and for encryption you can just use age
<intr:unredacted.org> Somewhat unrelated: I'm curious about the current status/consensus of a hypothetical interactive payment protocol to go along with jamtis-PQ. I'm slightly out of the loop, but I recall seeing it discussed briefly here by tevador, and I believe it would have value in real world scenarios, especially brick & mortar stores (fast sett [... too long, see mrelay.p2pool.observer/e/la6rj4gLSzZ3ZGhf ]
<jberman> AFAIK tevador still plans to include an interactive protocol as an appendix item to Jamtis, and the latest discussion on it was considering it as an optional protocol for users who want the strongest possible PQ security
<jberman> With that in mind, @spirobel:kernal.eu you should engage in here. Every protocol is worth discussing here
<jberman> You seem to have a concept of a specification in mind that solves every issue imaginable with no practical downsides, that everyone else in here does not fully see and all criticisms are strawmen
<jberman> It would be constructive to either engage here directly to the criticisms so the concept can be better fleshed out and understood, or even better: draft a complete specification that explains how exactly you envision it would work
<jberman> Because apparently tevador's draft is not accurate from your view
<fireine:matrix.org> do ring signatures with finite ring sizes presumably inherently leak information? it seems like no amount of implementation quality can fix this. can someone say more about this? perhaps my qst is naive
<neptunian:unredacted.org> @fireine:matrix.org: They do leak probabilistic information, yes. If you have a ring of N size, the chances of a given member of that ring being the spender is 1/N.
<syntheticbird> @neptunian:unredacted.org: hehe it's not that ideal
<syntheticbird> idr who shared a paper but there is a higher probability that the most recent output is the real one
<neptunian:unredacted.org> Sure sure. I'm not being textbook, but this is a toy model.
<neptunian:unredacted.org> FCMP++ certainly helps this, though.
<fireine:matrix.org> @neptunian:unredacted.org: @freeman:cypherstack.com this is a problem!!
<neptunian:unredacted.org> FCMP++ makes the anonymity set far safer, though.
<neptunian:unredacted.org> So even if you consider it a problem now, it's far less of a problem after the upgrade.
<neptunian:unredacted.org> If you want someone to vouch for its safety, ask Chainalysis ;-)
<neptunian:unredacted.org> Seriously, though. Not something to lose sleep over.
<fireine:matrix.org> @neptunian:unredacted.org: Got it. @freeman:cypherstack.com the private repo has been updated and this is now at the roadmap (everything will be commented by end of day)
<neptunian:unredacted.org> If you do want cryptographic privacy (i.e. privacy that relies on cryptographic hardness assumptions rather than probabilistic assumptions), I'd advise taking a look at zk-SNARKs, zk-STARKs, and other related schemes.
<fireine:matrix.org> @neptunian:unredacted.org: @freeman:cypherstack.com has access to one such implementation - commenting it now
<fireine:matrix.org> if something is useful, I'm sure he will let people know.
<fireine:matrix.org> THX!
<neptunian:unredacted.org> Have a good day.
<syntheticbird> blursed profile picture @khimaira:matrix.org
<freeman:cypherstack.com> > <@fireine:matrix.org> do ring signatures with finite ring sizes presumably inherently leak information? it seems like no amount of implementation quality can fix this. can someone say more about this? perhaps my qst is naive
<freeman:cypherstack.com> In a 1/N sense, sure. In fact, worse is true: if I sign a linkable ring sig for org A, and a different one for org B, then the linking tag reveals they were signed by the same person. If I’m the only individual in both orgs, I’ve accidentally revealed that I’m the signer!!
<freeman:cypherstack.com> This sort of thing is a real-world possibility that the theory doesn’t address. I talk about this in some of my recent papers, and try to fix it with “opt-in linkability”
<fireine:matrix.org> @freeman:cypherstack.com: Which was why I raised the issue.
<fireine:matrix.org> @freeman:cypherstack.com I created a new directory for this at the repo. Will put the data in before end of day.
<syntheticbird> is fireine who i think this is ?
<fireine:matrix.org> @syntheticbird: I am actually an internet rando from left field. But nice to e-meet you
<syntheticbird> @fireine:matrix.org: nice to e-meet you hopefully for the first time
<neptunian:unredacted.org> @freeman:cypherstack.com: Yes with a big asterisk.
<neptunian:unredacted.org> This applies but I don't think we should discount stealth addresses.
<syntheticbird> ring signature security is limited and any half security is a security theater therefore we should strip ring signatures out of monero. no privacy if no security 👍️👍️👍️👍️👍️💯💯💯💯💯
<neptunian:unredacted.org> @syntheticbird: Truth nuke.
<neptunian:unredacted.org> @freeman:cypherstack.com: If you wouldn't mind, could you link me the papers you mention?
<neptunian:unredacted.org> I'd like to compare them with the current implementation of stealth addresses.
<intr:unredacted.org> I wonder how an interactive protocol like this would look from a UX perspective and whether it would make 0-conf transactions even faster. > <@jberman> AFAIK tevador still plans to include an interactive protocol as an appendix item to Jamtis, and the latest discussion on it was considering it as an optional protocol for users who want the strongest possible PQ security
<fireine:matrix.org> @neptunian:unredacted.org: @freeman:cypherstack.com has a private repo with more data. I'm sure he could get you access to it privately.
<fireine:matrix.org> @reuben:firo.org
<neptunian:unredacted.org> @fireine:matrix.org: I can be contacted via Signal or email mainly.
<neptunian:unredacted.org> neptunian.01
<neptunian:unredacted.org> neptunian AT te mpe st
<fireine:matrix.org> @neptunian:unredacted.org: @reuben:firo.org @freeman:cypherstack.com
<fireine:matrix.org> Well, it'll be easier when we've implemented this
<jpk68:matrix.org> I reacted by accident and can't remove it :P