02:16:57 Naive questions: 02:16:57 With FCMP++, what will be revealed if ECC/SCIDH is broken? 02:16:57 Privacy? the addresses of senders and receivers, the amounts 02:16:57 or[... more lines follow, see https://mrelay.p2pool.observer/e/v46RpokLNEdQbmF6 ] 02:18:21 FCMP++ does not use CSIDH, that would be Jamtis :) 02:26:07 Fine, my question is, for monero, PQC updates are solving privacy or security issues? or both? 02:26:44 I will decide whether to update my wallets. 02:40:20 Grok says: With Jamtis, privacy holds but security breaks if ECDLP is broken.đŸ„¶ 02:51:37 @yushanren:matrix.org: pq is presumably ensuring the curves involved at XMR aren't compromised by something with a ton of logical qubits. 02:52:01 https://scottaaronson.blog/?p=9718 02:55:12 FCMP++ improves PQ privacy (a quantum adversary would need your address in order to compromise your privacy, and you inherit this protection for new addresses in any wallet after the fork that are unused prior to the fork) 02:55:32 Jamtis-PQ would improve PQ privacy further (a quantum adversary that has your address would need to break both ECDLP and CSIDH in order to definitively see your received enotes) 02:55:36 Neither solve that a quantum adversary could print coins out of thin air undetectably 02:57:34 What will happen to the old transfers and addresses? 02:58:11 > a quantum adversary that has your address would need to break both ECDLP and CSIDH 02:58:11 if only a quantum adversary were unable to parse this search space for such keys at the first place (ECDLP and CSIDH, respectively) 02:58:43 @yushanren:matrix.org: Practically everything on the blockchain currently will be deanonymized at some point 02:59:08 @jpk68:matrix.org: this is a problem. 03:10:57 Yes, there should be a way to prevent compromised keys to move funds with old addresses. This is so painful. 03:12:31 You want to own you wallets with your keys. However, you also want people with your keys cannot move your funds. 03:58:10 https://github.com/monero-project/research-lab/issues/151#issuecomment-4608938308 > fireine: The three comments I wrote are my main critique of the write-up. Any responses to that? 04:04:38 Indeed, the response to all three critiques is the same: you're presumably critiquing the (yet unoptimized) Lean file as a design document when it's actually a proof of concept for an existing behavior. 04:05:53 this dialogue demonstrates that what tevador calls a "design choice" has a concrete consequence: an auditor with a view key can be shown a balance that differs from what the chain actually contains, which is either a feature or a bug depending on who you ask, but either way it exists and works today. 04:23:10 The source is the seed phrase. If it is weak, there is no secret. If it is not, you can always derive keys and add them to old ones. 04:27:38 @yushanren:matrix.org: I don't want to get too theoretical here. But key generation / management needs a good source of entropy. Indeed, you do not want a low entropy seed phrase or xpriv in general. The bigger problem is the fact that all keys are in the same search-space at the specific computational universe at which they exist. But at 2026 this isn't such an important problem. For now :) 04:37:50 No way to decrypt seed phase? 05:06:44 jpk68: twofish because it's the right size, efficient, well established, and had a usable C implementation. 08:37:00 fireine: You still haven't addressed the merit of my critique. For example, how would opt-in linkability work without introducing double spending vulnerabilities? 12:59:18 tevador: sorry for the delay. typhoon #6 in Japan and was checking up on some friends. I'll put that data in shortly. 13:19:49 > YEs, this is the most recent version 13:19:49 tevador we can't seem to find the key-management section at Appendix B? Is the key management / generation section at Jamtis interactive protocol yet unpublished? dabo⊙cse told me long ago that most companies in general get this wrong and think this might be a useful addition. All I see is forward secrecy propertie [... too long, see https://mrelay.p2pool.observer/e/4OCMuYkLZnFNb3kz ] 13:19:49 https://gist.github.com/tevador/d3656a217c0177c160b9b6219d9ebb96?permalink_comment_id=5060622#gistcomment-5060622 13:30:21 To be brutally honest — even if Jamtis's interactive protocol generates ephemeral keys off-chain, consumer hardware entropy sources are historically unreliable and architecturally bounded, meaning the effective keyspace is smaller than the nominal cryptographic parameters assume. Against a permanent public ledger where harve [... too long, see https://mrelay.p2pool.observer/e/k5azuYkLWmhtUW1a ] 13:31:47 though I admit my projection is perhaps a bit pedantic. just pointing my policy finger at the structural incompatibility between the security assumptions of public-key cryptography in general (uniform random keyspace) and the physical reality of the deployment environment (bounded consumer entropy). 13:33:16 It’s not the problem with Monero, but the problem of all cryptos. 13:35:32 @fireine:matrix.org: As it says in the gist's title, it's a draft still 13:36:25 @jpk68:matrix.org: Indeed, tevador said nothing was yet unpublished so injected this data bc I had assumed there was nothing else to add. 13:37:04 for example, the data @freeman:cypherstack.com injected is yet unrefined 13:37:06 "consumer hardware entropy sources are historically unreliable and architecturally bounded, meaning the effective keyspace is smaller than the nominal cryptographic parameters assume." Can you point to papers on this problem? I'm interested. 13:40:10 @rucknium: https://mrelay.p2pool.observer/m/matrix.org/zCakDksMhuxZDdFTfaKcXAdZ.png (turing-award.png) 13:40:43 everything the Jamtis defender is relying on sits at the "?" column 13:42:50 avi's blackboard shows that even at theoretical computer science, exponential lower bounds are marked '!' only where proven and '?' everywhere cryptography actually relies on them - and consumer hardware entropy adds a third '?' that no one has answered. 13:44:15 I sometimes use dice for important stuff. Do we all get to use dice now? :D 13:44:39 I was looking for a paper citation instead of a photo of a blackboard. 13:46:04 @rucknium: this is a research chat. most mathematicians usually collaborate using blackboards. usually at the same physical location. 13:46:49 https://crypto.stanford.edu/RealWorldCrypto/slides/nadia.pdf 13:47:40 Thanks. 13:58:47 fireine: You are reading "JAMTIS-RCT [OBSOLETE]", which is obsolete as stated in the title. The correct link is: https://gist.github.com/tevador/639d083c994c1ef9401832c08e2b7832 14:01:59 tevador: I linked a comment I made at the obsolete version but your new version still doesn’t have the key management section. 14:02:13 This is an important section. 14:03:32 Also here is a reply to your critique of CSIDH: https://github.com/monero-project/research-lab/issues/151#issuecomment-4610471041 14:04:12 Jamtis Appendix B is still a work in progress. 14:05:22 tevador: The lack of an explicit key management section is a problem bc if an auditor is skimming the spec they might miss a section they’d otherwise fail to scrutinize (this is smth that cannot be overlooked) 14:07:58 tevador: as is @freeman:cypherstack.coms Fraus implementation at view-key evasion | opt in linkability. 14:15:31 Does that mean you have no idea yet how to do opt-in linkability without double spending vulnerabilities? 14:22:53 tevador: I'll start by saying that, in part, I agree bc isogenies are genuinely exciting, and dismissing them purely because substantial cryptanalysis hasn't been done yet isn't a serious position (those people are idiots). You don't need a thousand people to confirm a shiny rock is a shiny rock. It's shiny. That said, the Eur [... too long, see https://mrelay.p2pool.observer/e/peHzuokLX0VyMXhv ] 14:23:21 tevador: the implementation is trivial. academic responsibilities rn and will put the data in soon. 14:25:21 tevador there is much more to unpack at that repo vs just that monolithic lean fragment. more on this later - but it builds at Fieckert's past work as well. 14:25:25 who also has repo access. 14:40:58 that being said, if you are interested at what our pq implementation in general might look like for monero specifically we might be interested in sharing iff it can be done via private channels (via email). but only if you don't strongly object to such data, tevador (assuming I get approval from reuben⊙fo to do so) 14:45:02 http://ecdsa.fail/ 14:45:03 Why would it need to be done via private channel? 14:46:11 @rucknium: ask reuben⊙fo 14:47:02 @fireine:matrix.org: @reuben:firo.org: Why would this ^ need to be done via private channel? 14:52:29 You're free to share it with them @fireine:matrix.org but don't know if I should make the repo public if I'm going to put in this position 14:54:39 @reuben:firo.org: https://mrelay.p2pool.observer/m/matrix.org/kigFkTxyaZHRNHcEHzCiZbqG.png (Screenshot 2026-06-03 at 10.49.38 AM.png) 14:54:44 That's how many years ago 14:54:50 @reuben:firo.org: the repo should probably stay private for now. 14:54:51 once it's complete I'll fire it off to you before sharing. 14:56:11 Thanks. I didn't mean to put pressure on anyone. I'm just trying to understand the context. 14:56:57 @rucknium: I also dmed you 15:00:24 can researchers stop researching in the research channel please. 15:05:27 MRL meeting in this room in two hours. 15:06:34 I'll need to delay the decision on helios/selene until next week, but we did receive 7 proposals 16:05:01 I'm actually online for once. Send praise and deposits to the following address ... 17:00:24 Meeting time! https://github.com/monero-project/meta/issues/1399 17:00:28 1. Greetings. 17:00:36 Hi 17:00:38 waves 17:00:47 hi 17:00:47 Hi 17:01:03 Hello 17:01:17 hi 17:01:23 Hello 17:01:25 Hello 17:02:12 2. Updates. What is everyone working on? 17:02:14 * br-m waves 17:03:20 Polyseed support for the Wallet RPC server, the last bigger chunk 17:03:20 me: posted zmq-pub code that leverages cbor instead of msgpack after feedback and perf testing 17:04:10 Hi 17:04:21 me: completed FCMP++ audit remediation tasks, chasing down windows GUI crashing on stressnet, PR review 17:04:31 and working on ssl stuff! almost forgot about that. Im going to address selstastuff and then start a pr to beta-stressnet 17:05:37 3. Post-quantum encryption (https://github.com/monero-project/research-lab/issues/151#issuecomment-4412416686) 17:05:46 No notable updates from me, I'm working on Jamtis Appendix B (interactive payment protocol). 17:05:56 I’ll shill episode 2 of plaintext on divisors: https://youtu.be/-Ae0AUBG2Mg 17:06:14 Hi, will be reviewing the jamtis-pq draft, maybe start implementing it 17:11:31 [waiting on someone to finish typing on Matrix side] 17:12:27 (nothing from me sorry) 17:13:19 sgp may have something to say. Or his elbow is on the keyboard. 17:13:43 4. Monero-PSK (https://gist.github.com/tevador/9169235b3c0c97e735f58a8c2ba92502) 17:14:12 I'm proposing to skip this agenda item unless spirobel is here. 17:14:30 Ok. Any other comments on PSK? 17:14:55 I think spirobel just needs to clarify his ideas on that front to move that forward 17:15:30 5. FCMP beta stressnet (https://github.com/seraphis-migration/monero/releases/) 17:16:12 v2.0 seems to be going smooth for now. Spamming hasn't kicked into gear yet 17:16:15 My monitors for the new stressnet are up and running: https://stressnetnode1.redteam.cash/ https://stressnetnode2.redteam.cash/ https://stressnetconsensus1.redteam.cash/ https://stressnetconsensus2.redteam.cash/ 17:16:38 I'm working on a windows GUI binary crash at the moment 17:17:07 Just curious, can you use a proper debugger there now? 17:17:26 no, I don't have a good dev env for windows 17:17:51 but I think I'm close to getting at the cause of the issue 17:18:30 rbrunner: you can capture a crash dump with prodcump and run it through WinDbg. used that to produce the crash report for the issue 17:18:49 hola 17:18:58 Ah, I see. That makes sense. 17:21:01 More on stressnet? 17:21:28 6. FCMP++ integration audit (https://github.com/seraphis-migration/monero/issues/294) 17:23:35 Reminder context: Trail of Bits completed phase 1, minus a task item. We're working internally on managing that task item (would prefer to kick discussion of this til next week) 17:24:35 I also haven't had a good chance to deeply review Cypher Stack's audit (much appreciated for that work, thank you guys again) 17:24:45 But what has been reviewed so far has all "passed" so to speak. Neither ToB nor Cypherstack found issues beyond informational so far 17:25:28 Zcash just patched a critical counterfeiting bug via hard fork: https://forum.zcashcommunity.com/t/orchard-vulnerability-successfully-remediated/55976#p-248390-technical-details-5 . It looks like it was a problem with a code loop, not a problem with the mathematical theory. That shows how important the code integration audit is :) 17:26:11 By next week, I'll try to have all code prepped for phase 2 as well so that can move forward 17:26:38 Zcash has a safety net. They have a turnstile that prevents counterfeiting supply from increasing the total supply in the transparent pool. Monero does not have that. Thanks to selsta for pointing out the Zcash developments. 17:27:56 FWIW the equivalent bug would actually not be in the scope of this code integration audit, and it would still be something on the Rust side in @kayabanerve:matrix.org 's FCMP++ lib. And that side is getting (and has gotten) audited rigorously 17:28:00 uhm, i'm not sure if i would say our implementation audit at cypher stack is "passing" 17:28:20 we raised an issue about the view-all key 17:28:21 i'm not sure if this is the best time to bring it up 17:28:41 but we are concerned for a few reasons 17:28:50 namely, the view-all key advertised in the CARROT spec is not a view-all key. it's an opt-in view key 17:28:59 @brandon:cypherstack.com: Sure. Go ahead and bring it up. 17:29:08 That was unrelated to phase 1 of the integration audit 17:29:09 @brandon:cypherstack.com: Indeed, I wouldn't have lobbied for this if it was trivial. 17:29:54 so, for the folks listening, there is a way to construct a transaction to a wallet, which you've given the view key access to an auditor, but for which the auditor does not see the incoming transaction 17:30:10 this is similar to sending money to a wallet the auditor does not know about 17:30:17 however, it is distinct 17:30:23 Maybe I am not fully understanding, but I find this ironic because some community members were worried that the Carrot view key would give "viewers" too much information. Now, is this new finding a feature or a bug? 17:30:46 an auditor with your view key may see some outgoing transactions to yourself, but not incoming transactions, and conclude you have a negative balance 17:30:51 And I think it can do things that just sending money to a new wallet cannot 17:31:06 i view this as a bug, unconditionally, in the sense that the key was advertised as a view-all key, but it is not. 17:31:17 @brandon:cypherstack.com: bc it is. 17:31:26 the bug is buggy 17:31:29 Cuz it is lol 17:31:34 whether this practically impacts the security surface is a different question, because someone could always send money to a wallet the auditor doesn't know about 17:31:52 Otherwise everything runs perfectly ok with those "hide from view-all key holder" transactions? 17:32:33 Is @jeffro256:monero.social present? 17:32:51 Just throwing this out there: this could actually be nice to have, if it can work that way. None of the benefits with regards to hardware wallets/LWS seem to be removed, meanwhile it could also reduce FUD around mandatory key-sharing and whatnot 17:32:56 rbrunner: we haven't identified other broken parts yet, but we suspect that the same problem may just appear in multiple spots in carrot, soi it may be that there are many ways to do this 17:33:16 there is a simple fix which is to include a verifiable random function (VRF) proof that a certain piece of randomness was computed verifiably randomly, one for each transaction output 17:33:26 this would inflate FCMP transaction sizes, but would guarantee that view-all keys are view-all 17:33:39 @jpk68:matrix.org: this is a common attitude, but here's my concern 17:33:48 Ok, but probably otherwise no other disadvantages? E.g. perfect restore from seed with such transactions received, right? 17:34:25 advertising view access but not actually having it may piss off exchanges who are trying to comply with kyc/aml, and this may lead to them deciding that monero is no longer compliance-friendly. which is incorrect, because the new view keys are less broken than the current view keys lol 17:34:28 ... wouldn't that imply they sent to a different wallet, just one with overlapping other keys? 17:34:39 rbrunner: yeah we think so 17:34:56 Like, same internal view key, different view key 17:35:12 Interesting. 17:35:25 no, it just means they didn't use ScalarDerive on something appropriately, instead picking a random number 17:35:37 same wallet keys 17:35:43 I agree that's a bug, not a feature. People who don't want view-all keys existing shall use the old 2-key wallet format ... 17:36:17 With or without holes 17:36:29 @jberman: as a sort of pedantic point of order, I want to underline this as well 17:36:30 that what Freeman and surae are discussing is outside of the scope of the phase 1 integration audit except insofar as that Freeman found it while reviewing the underlying math while we were doing integration audit phase 1 17:36:40 rbrunner: which is what was stated. 17:36:43 perhaps you underestimate us lol 17:37:01 Was there a "Carrot the crypto and the math" audit that overlooked this? 17:37:02 So if the sender creates an unscannable TX, but the opening is communicated out-of-band, then...? 17:37:35 By another party, I mean 17:38:02 > <@brandon:cypherstack.com> advertising view access but not actually having it may piss off exchanges who are trying to comply with kyc/aml, and this may lead to them deciding that monero is no longer compliance-friendly. which is incorrect, because the new view keys are less broken than the current view keys lol 17:38:02 Understandable, and clearly the "marketing" around Carrot would need to change to match what it actually does. But does this imply that making Monero compliance-friendly (or at least perceived to be) is part of the objective here? I don't really agree with that, if it's the case 17:38:15 To be clear, I am not against Carrot in any way 17:38:32 I did a CARROT audit in the past, but explicitly searching for vulnerabilities wasn't in-scope, so I don't feel too bad 17:38:55 Better late than never, amirite.....? 😅 17:38:56 I'm still unclear on this scenario which causes the auditor to perceive a negative balance 17:39:27 @kayabanerve:matrix.org: same thing happens. the interesting thing here is that with the fcmp view keys (as-is), auditors actually have a chance to collect evidence of wrongdoing (if your apparent balance goes negative, for example) so in a way, the detectability in the case that a malicious user is not being very carefu [... too long, see https://mrelay.p2pool.observer/e/3MnDwIkLX215UC1Q ] 17:39:40 @kayabanerve:matrix.org: you have 100 xmr 17:39:42 you send 100 xmr less fees to yourself 17:39:45 The objective of the key isn't compliance friendliness. It's primarily to improve UX for cold/hot wallets, hw wallets, and multisig. So this wouldn't deviate from the primary goal imo 17:39:56 you randomly sample your own key data so that the transaction can't be scanned by someone with the view key 17:40:01 auditor sees you lose 100 xmr but not gain it again 17:40:06 jpk68: view-all keys do not only "please auditors". It has other solid uses. E.g. checking your paper wallet balance is still there without any danger 17:40:09 but you sent it to the same wallet it came from 17:40:35 Sure. That isn't a bug in CARROT. 17:40:56 But I wonder if exactly this could be abused. I show an auditor "look, I have a negative balance, so I'm deserving of golden parachute funds!!" when actually I'm just hiding them (or something like this) 17:41:39 @jberman: okay, if that's the case, then it's a matter of being careful to clarify this. this is not how monero view access has been advertised, for the most part, going back to the cryptonote whitepaper 17:41:47 I don't understand. Won't even the dumbest auditors see that there is no such thing like a negative balance with a cryptocurrency wallet? 17:42:00 If everything works correctly, that is 17:42:09 The ability for senders to not send you an output via CARROT, but the ability for you to manually import non-CARROT outputs and spend them in ways which interact with CARROT, is bs understandably outside the scope of CARROT. 17:42:09 If you have to manually import an opening, so does the auditor, is straightforward enough. 17:42:38 manually importing an opening is effectively operating a distinct wallet though 17:42:58 if the view keys are just for convenience for wallets and UX, then the problem is auditors using the view keys for auditing instead of wallets using them for backend convenience (or whatever) 17:43:15 There is no solution to prove your view key is for all of your wallets without linking to an identity 17:43:57 Except the view keys do identify all coins that wallet received. Your proposal requires a wallet with distinct rules to receive the coins with. 17:44:22 @kayabanerve:matrix.org: absolutely correct 17:44:32 the severity of this problem is ... debatable. there's nuance. 17:44:33 You're then noting manual importing can fuck with CARROT accounting, sure, but the bug isn't with the view key itself. 17:44:46 @kayabanerve:matrix.org: uhm no 17:44:56 rbrunner: Of course, and that's part of my argument. In my opinion, a huge part of the tangible benefit provided by Carrot is the ability to have so-called "view-all" keys, allowing for safer balance-checking without the need for the spend keys. I am sure this possibility for hiding transactions will not be part of core wallet [... too long, see https://mrelay.p2pool.observer/e/xsrXwIkLR2tBT2ky ] 17:45:04 i can opt out of the vie accesss, and it's advertised as view all 17:45:07 not true with a VRF deciding random transaction data 17:45:21 You can create a different wallet 17:45:25 A concern of mine, though, is transparency of General Fund wallets with this, along with similar things 17:45:41 @kayabanerve:matrix.org: no one ever claimed that creating a new wallet wouldn't evade auditors 17:45:45 view-all for a wallet does not mean view all for every wallet under this entity 17:45:47 Though it wouldn't be any worse than how it is currently 17:45:49 carrot claims that view-all is view-all, and it isn't 17:45:54 where this may come in handy is to keep in mind downstream for applications like swaps etc that are built on shared wallets using view keys as one method of accounting 17:46:02 @kayabanerve:matrix.org: view all also does not mean "optional" 17:46:22 @jpk68:matrix.org: yeah, i don't think it is worse than the current state of things 17:46:25 @jbabb:cypherstack.com: just to be more aware of the ways malicious counterparties can fudge the books for shared wallets 17:46:27 but that's my knee jerk 17:46:32 It is because you're proposing a non-carrot wallet and therefore a distinct wallet 17:46:59 @kayabanerve:matrix.org: no i'm proposing an actor who is semi-honest can fail to satisfy the claimed properties 17:47:10 How much would the fix impact scaling and transaction sizes? 17:47:11 A CARROT view key omitting outputs to a non-CARROT wallet isn't a bug in CARROT 17:47:16 if the claimed properties are different, then claim teh correct properties 17:47:30 Which properties though? 17:47:32 Just making sure I understand it on a high conceptual level: The "invisible to view-all key" transactions can't go the normal way through the blockchain? 17:47:45 "view ALL" 17:48:07 i'm done arguing. if the community thinks this isn't a security problem and monero gets delisted for not being compliance friendly, that's not my decision. 17:48:27 I, from what I've read, believe you're claiming CARROT view keys not being inclusive to other wallets is an issue. I'd disagree with that premise 17:48:45 Translation: CARROT wallet has 100xmr in it, but auditor with view-all key see's less-than 100xmr = view-all is falsely advertised 17:49:15 But, AFAICT, your exceptional case is an output to a distinct wallet?? 17:49:31 no, output to the same wallet 17:49:45 . > <@brandon:cypherstack.com> but you sent it to the same wallet it came from 17:49:48 That means your reading of "view all" means all wallets, not just this wallet, AIUI? 17:50:14 except it explicitly isn't scannable by the wallet @ofrnxmr 17:50:28 @brandon:cypherstack.com: Monero is delisted from almost everything already 17:50:29 rbrunner: yes they can. monero-wallet-cli detects "evil" spends made this way that are self-spends or a send-to-self see it as being sent to an outside address even though they still own it 17:50:29 we save the secret needed in a sort of notebook on the side. it requires custom software but passes consensus and gets confirmed 17:50:35 so it can't be to the same wallet AIUI 17:51:19 Is there a clear written summary of the conditions this may apply to? We need to fully understand that to know if it’s an issue or something we can say we don’t care about 17:51:32 So outputs to _different wallets_ manually migrated in aren't in-scope is the claim @jbabb:cypherstack.com: ? 17:51:35 That all sounds pretty weird. Maybe we talk past each other at least in part, and don't fully understand brandon's argument ... 17:52:21 Well, if someone can swipe the funds from your paper wallet, and your view-all key doesnt notice, id say this isnt desirable behavior 17:52:50 Uh, *that's* not on the table, right? 17:52:55 @ofrnxmr: Is that the case though? 17:53:03 It doesn’t sound like it? 17:53:23 @kayabanerve:matrix.org: I'm not sure I understand the question sorry. tbh I agree that it isn't really a problem yet--it may indicate a weakness in the protocol that mathematicians exploit somehow in the future--but so far it's not really a problem with CARROT as we do enough different that it's some evil sort of carrot anyways 17:53:23 and I think this is outside of the scope of this agenda item and also unrelated to fireine's agenda item completely 17:53:24 Or rather, i guess the case is that you can have funds on the paper wallet and hide them 17:53:29 You could construct a paper that appears empty when looked at with a view-all key but isn't really, however, if I understand correctly 17:53:36 @ofrnxmr: AFAIK, you as the wallet holder would have to deliberately set up those conditions. And you still see funds leaving the wallet, if I understand correctly. You just don't see funds entering. 17:53:41 @ofrnxmr: AIUI you have to have created a custom wallet with custom software to create a distinct view-all key 17:53:48 missing credits, not missing debits, afaiui 17:54:45 Yeah, sorry. Got mixed up for a sec 17:55:07 And does it require knowledge of the private spend key to create these “hidden” credits? 17:55:10 @jberman: if the argument for something not being a problem is that there is currently no software that supports it, that's a bad argument 17:55:26 As I get it, it's a view-all key that requires trust that the view-all key holder created a well formed view-all key. And you can detect if they didn't if they spend funds 17:55:39 Same @jberman, in which case this is saying view-al keys aren't view ALL because they don't cover other wallets even though other wallets' outputs have to be manually migrated in? 17:55:49 I don't think we reached already a point where we can confidently judge whether it's a problem, and if yes how big IMHO 17:55:59 but we can't say a view key ever works for all wallets 17:56:36 @jberman: *while reusing some keys from the original wallet 17:56:47 (AFAIUI) 17:56:51 jberman: That makes sense as an explanation - if it's correct 17:57:37 So the view-all key doesn't view distinct wallets which may overlap? 17:57:52 (with _some_ keys) 17:57:55 I’m concerned about the possibility (if this even applies!) of users causing headaches to exchanges by depositing funds that don’t appear in their incoming balances, tracked by view all key. But does that scenario apply here? 17:58:42 it's really not that deep guys. CARROT is being marketed as having a view key wherein you can see all the funds coming in and out. It's not that. Either decide that's not a problem and adjust the verbiage on CARROT description, or fix the problem so the description is accurate. There's no in-between or trying to halfway change the verbiage. 17:59:01 I think the sender has to the distinct wallet, though Brandon left before we're clear 17:59:23 @kayabanerve:matrix.org: as far as I understand, yes 17:59:28 Do we know how much larger the txs would be with the fix? The verifiable random function. 17:59:29 @diego:cypherstack.com: AIUI, it requires sending to a distinct wallet, and we lack clarity. 18:00:13 No shot this is getting fixed with increased tx sizes 18:00:20 If this requires sending to a distinct wallet, as @jbabb:cypherstack.com: just agreed, then it is arguing about the view key not covering _distinct wallets_ 18:00:34 That's why we're discussing this so 18:00:49 I think argument is going to be over accurately describing the key's properties 18:01:10 @jberman: What is the increase in tx size? Is this known? 18:01:35 If the claim is the view key doesn't show TXs not sent to the CARROT wallet with consistent keys, I don't see any issue. 18:02:31 If this bug can only be dine with the wallets spend key then I don't think it is an issue, otherwise I do. 18:02:41 If the claim is 'ghost debits', where a wallet can spend funds it doesn't actually have, that's an issue but only with the debit system AFAICT, trivially solved via checking key images, I'd assume 18:03:12 @diego:cypherstack.com: Can CS please provide a clear writeup at some point so we may properly discuss this? 18:03:24 @kayabanerve:matrix.org: Here's the conjecture: 18:03:25 Assume: 18:03:25 * Alice is an honest sender, 18:03:25 * Mallory is a dishonest user with a new-hierarchy wallet, 18:03:25 * Vera is an auditor,[... more lines follow, see https://mrelay.p2pool.observer/e/7LGbwYkLdjNDYVhZ ] 18:03:40 @kayabanerve:matrix.org: done ^ 18:04:24 @diego:cypherstack.com: Cool. 18:05:14 I am really curious how this will play out. 18:05:45 And if there is a real problem I will shout "See! This is all much too complex" :) 18:06:06 rbrunner: it's chaotic but presumably solvable 18:06:31 I don't doubt, e.g. with more complexity, right, like that "random function whatever" :) 18:06:44 as far as I understand it, this means that this custom approach does not track the CARROT specification 18:06:47 I am only joking about 30% or so, don't misunderstand 18:07:17 Mallory sends to a distinct wallet, in effect. Vera's auditing is correct for the wallet Vera has access to AFAICT in that it resolves as 0? 18:07:17 Also, the write-up has typos AFAICT. (iii) should be a second credit, not a second debit? 18:07:41 well... except insofar as that you can trick a CARROT-specification-following-wallet into thinking it has less than it really does. that a boat accident happened 18:08:11 Ok so Mallory does this to her own wallet ... 18:08:19 Sending 10 XMR to a different wallet, where the auditor observes the spend but not the receipt, is fundamental 18:08:35 @jbabb:cypherstack.com: except it's to a different wallet 18:08:52 Well, if we claim we built a system where you have to follow Carrot to transact, but you can cheat and operate Carrot+/- in stealth, that's an exploit, no? 18:09:15 @kayabanerve:matrix.org: They would see the spend though right? 18:09:37 like its not really a different wallet 18:09:42 Mallory, in effect, derives a bespoke wallet and sends to it. Why _should_ the view key for the original wallet apply? 18:09:57 How is this not 18:09:57 "If people don't use CARROT, CARROT stops applying"? 18:10:07 @kayabanerve:matrix.org: Its an issue becuase the keys would still see the spend 18:10:10 @boog900: and you can send it back and they regain control 18:10:22 @boog900: but not see it incoming 18:10:26 @boog900: The spend is detected and is to a non-CARROT wallet, therefore distinct 18:10:28 right? 18:10:44 @kayabanerve:matrix.org: no if you were to then spend that again 18:11:02 they view all key would see that right? 18:11:24 that, I would have to check. 18:11:44 so it sees the spend of the first but not the incoming and the spend of the second 18:11:51 right? 18:12:55 In the exact write-up above, it isn't spendable again AFAICT 18:13:09 @boog900: yes, you can send to self and they detect the spend but not where it went 18:13:09 then if the evil mallory chooses in the future to spend to self back into the CARROT wallet they would detect the incoming funds and regain control 18:13:11 Mallory is not breaking any cryptographic primitive. She is exploiting the fact that CARROT's view-all scanning relies on outputs being constructed according to the protocol's derivation scheme (ScalarDerive). 18:13:20 perhaps this statement is naive tho 18:13:35 @kayabanerve:matrix.org: At all? So its burned? 18:13:46 @jbabb:cypherstack.com: what? 18:13:49 I'm sorry, I https://matrix.to/#/!toFcRZtpaiwiyapgVO:matrix.org/$XcV7c2sC_wAkQUyhGKs0TfzZDIi_EMNU3Wa2Ku7S7Fc fireine's comments to Freeman's work, but they aren't really related. I saw "View-All Evasion" and jumped to the conclusion that they had independently discovered something related, but I don't see how they are related after review 18:13:54 *send to self's distinct wallet though, which is a key distinction, @jbabb:cypherstack.com: 18:14:11 @kayabanerve:matrix.org: yes but thats what I got from above 18:14:23 @jbabb:cypherstack.com: cant we use a zkzk proof that ScalarDerive was followed 18:14:40 i should have optimized everything before pushing that commit. by bad lol 18:14:50 An overlapping spend key does not change the view key is distinct 18:15:31 also we should document that view-all tracks honestly-constructed flows only. 18:15:42 maybe at the MRL meeting agenda 18:15:46 @fireine:matrix.org: We don't need any additional proof if the issue is the owner may have multiple wallets and may only share _some_'s view keys 18:15:55 @kayabanerve:matrix.org: can U say more? 18:16:17 'View all' is implicitly 'view all enotes sent/received within the carrot spec'. It does not include out-of-spec receives. Not sure how an auditor would see negative balance for spent enotes whose key images he doesn't know and can't verify. Non-compliant enotes would need to be 'isolated' into essentially a wallet-within-a-wallet, otherwise audits would fail when looking at txs containing key images of unknown 18:16:17 providence. 18:17:33 @jbabb:cypherstack.com: so they don't see the spend of the bad output? 18:17:35 @kayabanerve:matrix.org: like a toy model or smth 18:17:47 if this is the case then it is just the same as sending to another wallet lol 18:18:43 I'm saying, AFAICT, the posited issue is a view-all key is scoped to wallet, not person, where a person may have multiple wallets. That's fundamental, not an issue needing a fix, AFAICT 18:18:46 @boog900: ok, then we're back to: sorry, I don't know and have to check. 18:19:06 @boog900: I agree it's effectively this at this point. but I Am Not A Cryptographer 18:19:10 I agree with kayabanerve and UkoeHB. The "view-all" key does not claim to see payments that don't follow the Carrot specs. 18:19:33 Hmmm ... maybe we see the birth of a new protocol, like "Tomatoe" or whatever, and the issue is maybe not more that you can serve two protocols at the same time with a single wallet? 18:19:48 *not more than 18:19:49 People were talking about negative balances earlier 18:19:52 so surly it still sees the spend 18:19:57 if the auditor did, I'd agree that's a bug, but the fix is just checking debits against scanned credits to remove such 'ghost debits' > <@boog900> so they don't see the spend of the bad output? 18:20:34 From a usability perspective, I am inclined to believe that, IF a wallet can receive 'hidden' enotes without the owner doing this on purpose, AND this only applies to incoming transactions, it is a bug rather than a feature. Just throwing this out there; I am also not a cryptographer (obviously) 18:20:53 And I don't think you can ever detect negative balance in the wallet even if you miss payments because the wallet balance only reduces if an enote known to be owned by the wallet is spent. 18:21:06 rbrunner: If a CARROT View key does not scan a Tomatoe output, does that mean the view key isn't a view key? 18:21:12 @jbabb:cypherstack.com: Even if you were, it’s not like you’d actually be doing anything. At least you’re putting the time in lol 18:21:15 However, I am strongly of the opinion that no compromises should be made for so-called "compliance", full stop. 18:21:31 @jpk68:matrix.org: The owner has to collude with an alternative wallet as far as we can tel. 18:21:57 @jpk68:matrix.org: A knife can be used to cut a steak, a rope, or a person. Cant stop someone from using the tool for compliance 18:22:35 So its either we dont allow knives, or we accept that some people might use them to hurt people 18:22:52 @kayabanerve:matrix.org: As in, if I am a regular person using Skylight Wallet with my self-hosted LWS server, people cannot send "hidden" enotes that cannot be seen from my LWS client without me making this possible on my part? 18:23:06 tevador: I suppose you could inflate apparent balance using selfsends constructed as normal enotes. But a deep enough audit would question the providence of those enotes. 18:23:52 @jbabb:cypherstack.com: You reacted with a thumbs down, but how is Mallory's alt derivation of K_o'prime _not_ a theoretical Tomatoe process? 18:24:00 @ofrnxmr: Yes, my point is just that design decisions should not be made to purposefully allow for increased compliance, as that is not the purpose of Monero. 18:24:13 CARROT view keys don't work for receives via Tomatoe, a non-CARROT process, even if Tomatoe reuses some keys AFAICT. 18:24:23 I meant: "does that mean the view key isn't a view key?" No. Right? > <@kayabanerve:matrix.org> If a CARROT View key does not scan a Tomatoe output, does that mean the view key isn't a view key? 18:24:29 my understanding is that view-all only guarantees visibility of enotes constructed according to CARROT spec; non-compliant outputs inherently fall outside this scope and to prevent audit contamination, wallets must enforce strict domain isolation, never mixing compliant and non-compliant inputs in a single transaction. 18:24:31 Oh, sorry lol 18:24:49 UkoeHB: the view-all wallet will detect the key image on the selfsend and deduct balance correctly. 18:24:50 I don't think we can make progress without more info 18:25:16 +1 18:25:20 Okay, but then the issue is why this is considered such a bug by @brandon:cypherstack.com: and @diego:cypherstack.com: , as we feel we must be missing something, somewhere. 18:25:32 I was trying to scroll up--someone else put it much better up above--if the claim is that we came up with fcmp++ and carrot was the only way to use it and thus all fcmp++ txs get "compliant!" view-all keys, well, we can use fcmp++ apparently without a lawful good carrot, is all 18:25:43 @jpk68:matrix.org: +1 18:26:01 tevador: oh true, you can't cycle it. 18:26:05 CARROT is not protocol-enforced and any entity may have multiple wallets, sure 18:26:07 @jpk68:matrix.org: I agree that if this only effects compliance theater, then i dont care lmao 18:26:10 @kayabanerve:matrix.org: bc it is a bug. and the bug is buggy for many reasons 18:26:35 The view-all key is still view-all within the scope of the CARROT wallet though 18:27:14 @fireine:matrix.org: No one has posited a way to send to the same wallet without it being viewed. What exactly do you think the bug is? 18:27:23 I would be worried about this issue if it could affect protocols like atomic swaps and escrow. Could it? 18:27:43 Do you have a way to send to a CARROT wallet in a way the view key cannot detect? 18:27:45 @kayabanerve:matrix.org: I'll be putting the data in soon. 18:28:34 @rucknium: it's something to be aware of and advise all people working on atomic swap, multisig, or other protocols with shared wallets in ways that their counterparties can be dishonest so as to guard against, yes 18:28:46 With my little knowledge I can imagine problems if people use a different, non-Carrot protocol where nevertheless *some* txs made are visible to Carrot, and some not 18:28:53 @kayabanerve:matrix.org: in short - after skimming through the spec think wallet owner must have control over output construction 18:28:57 @rucknium:monero.social: If I send 1 XMR to the hash of "Rucknium", I can claim I sent 1 XMR to you. You'd check your wallet and not notice.People who do bespoke wallet protocols require mutual support. There shouldn't be concern re: atomic swaps. 18:29:05 if you build an app ("smart contract", whatever) on top of monero that uses a shared wallet in some step or uses view keys as some security feature, yes 18:29:09 @jbabb:cypherstack.com: Dont think so, as the swap wallet (as is) only needs to detect incoming funds and xmr is the second mover ? 18:29:25 @jbabb:cypherstack.com: won't the crazy people try injecting NFTs 18:29:27 into the smart contract 18:29:30 More research needs to be done, of course, but my fear is this has ramifications deeper than just using a new wallet 18:29:47 @freeman:cypherstack.com: doing it now 18:29:55 @jpk68:matrix.org: ^ I apologize for asking again, but I feel like this is very relevant from a usability perspective 18:30:31 @jbabb:cypherstack.com: Except these outputs to 'guard against' aren't to that wallet, they're to a distinct wallet. Guardimg against TXs to other wallets isn't sensical unless an explicit relation exists of note. That's why I'm pushing for clarity or correction. 18:30:32 you have to have the spend key to do this > <@jpk68:matrix.org> From a usability perspective, I am inclined to believe that, IF a wallet can receive 'hidden' enotes without the owner doing this on purpose, AND this only applies to incoming transactions, it is a bug rather than a feature. Just throwing this out there; I am also not a cryptographer (obviously) 18:30:57 @rucknium:monero.social cross-cutting into your previous post regarding smart contracting / NFT's on monero 18:30:57 https://www.reddit.com/r/Monero/comments/12kv5m0/empirical_privacy_impact_of_mordinals_monero_nfts/ 18:31:11 @jbabb:cypherstack.com: Okay, so it would only be the owner of the wallet doing this on purpose. Others cannot send "invisible" enotes. 18:31:14 People have already injected NFTs into the Monero block chain and called them Mordinals. tx_extra length was limited by a relay rule to prevent it. 18:31:19 @fireine:matrix.org: Right. 18:31:22 @rucknium: i already credited U 18:31:23 @jpk68:matrix.org: People can always send 'you' outputs you can't see. People can't send you XMR via CARROT in a way you can't detect though. 18:32:02 I sent you 1 XMR right now @jpk68:matrix.org: . To scan it, just solve for my private key. 18:32:03 There is no way to send an enote to a Carrot wallet in a way that an (unmodified) ViewAll tier doesn't detect it but an (unmodified) Master tier does. When sending an enotes not constructed according to the Carrot specs, the payment never actually arrives in the wallet. 18:32:29 Has this conversation run its course for the time being? I will put it on next meeting's agenda. 18:32:31 Oh no, 1 XMR I sent to you in a bespoke way you can't scan/spend đŸ˜± 18:33:00 I think tevador summarized it best, yeah 18:35:09 So far, I think the "issue" is just a nitpick on the naming of "ViewAll", which actually can't view arbitrarily botched enotes. 18:35:28 Monero doesn't yet force compliance with view-all keys on the protocol level is about the gist of the finding as I understand it? 18:35:54 @jbabb:cypherstack.com: Why? 18:35:59 or that CARROT isn't enforced? 18:36:30 @jbabb:cypherstack.com: Even if this Carrot thing wasn't an issue, can you not still use legacy wallets after the hardfork? 18:36:56 @jbabb:cypherstack.com: you can't, if I understand the issue correctly, I can just make a new wallet to do the same thing: send XMR to myself without a view key seeing it. 18:37:38 @rucknium: Indeed, this deserves more active dialogue and think it might make sense to place at next meeting agenda. 18:37:46 7. CCS proposal: ProbeLab P2P Network Metrics Proposal (https://repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/667) 18:38:08 @boog900: This is also my thought 18:38:35 👋 Hi everyone! 18:39:05 @articmine: this should be formally verified. 18:39:36 bc it's quite the assumption 18:40:32 its pretty much what it says here^ > <@jbabb:cypherstack.com> Assume: 18:40:43 @boog900: not yet formally verified. 18:40:51 I vote to NOT place "ViewAll issue" on the next meetings agenda unless a clear write-up with examples is publicly provided in advance of the meeting. 18:41:08 tevador: well, it's almost complete 18:41:13 what about next meeting? 18:41:21 assuming we put the data in 18:41:47 and you'll get toy models, not examples 18:41:57 @rucknium: Hi everyone, here to answer any questions regarding the proposal. I hope people had the time to look through the updated proposal, although I didn't see any new comments in the issue. 18:42:38 @yiannisbot:matrix.org: Hi. Thanks. I think there was a misunderstanding about terminology. I said before that the Dandelion++ paper ignored unreachable nodes. You said in your revised proposal that they ignored spy nodes. Just change that to unreachable nodes. Spy nodes are very reachable. Being reached is their main purpose :) 18:43:35 tevador: By the way, how is voting done at MRL? Surely not on chain? 18:43:40 I think the proposal looks good in its revised form. The exploratory research is risky, but that is usually the case with research. I mean risky in terms of uncertainty about the outcome. 18:44:06 @rucknium: 😅 Of course, apologies. Wrong phrasing. I'll change that. 18:44:19 because that would be stupid 18:44:43 I would change moneronet.info to https://xmrnetscan.redteam.cash/ in the proposal. 18:45:29 @fireine:matrix.org: Please dont post the same thing repeatedly and edit your messages. each edit comes through as a new message and spams irc and the meeting logs 18:45:58 tevador: @freeman:cypherstack.com @jbabb:cypherstack.com i'll place the data for such write-up at the repo and if there's anything useful feel free to harvest - this deserves a place at the agenda at some point. 18:46:11 @ofrnxmr: governance isn't spam. even if you hate it. 18:46:35 That's not the point 18:46:39 it is. 18:46:41 @fireine:matrix.org: EACH EDIT IS SPAM 18:46:43 voting is non-trivial 18:46:47 MRL has "votes" sparingly because MRL members are not really defined. If someone has strong objections to something, then MRL tries to talk it out. Then an ad-hoc voting process may be followed if consensus is very difficult to reach. Last year there was a decision that took months. 18:46:52 @ofrnxmr: at your opinion. 18:47:08 this isnt a blockchain. its matrix. but in general i agree 18:47:12 fireine, what ofrn means is that when you edit your message, it sends the whole message again on irc. 18:47:14 @rucknium: makes sense. 18:47:39 @jbabb:cypherstack.com: I see. I don't usually use matrix. thanks for letting me know 18:47:40 signal only usually. 18:47:42 also, fireine, please, we're on another agenda item. please wait for your next agenda item when that comes up; see the github issue referenced at the very beginning of the meeting 18:48:25 @jbabb:cypherstack.com: sure 18:48:28 timezone mismatch. thought we still had ten minutes til active dialogue. 18:49:24 @ofrnxmr:monero.social, @boog900:monero.social : Do you have comments on ProbeLab's proposal now that you have had time to digest the revisions? 18:51:10 my only comment was to re-iterate what someone else said: “he Dandelion++ paper assumes that spy nodes do not play a role and therefore ignores them in the analysis.” -> I assume this was meant to be unreachable nodes? 18:51:19 spy nodes were definitely a part of their analysis iirc 18:51:41 @vtnerd: what is a reasonable definition for a "spy node" 18:51:51 @rucknium: I think it's ok 18:52:00 @vtnerd: Yes, definitely, apologies, this was my fault. 18:52:20 yeah which is minor because I guessed based on context it was a typo 18:52:38 @fireine:matrix.org: A node trying to link IPs to txs. 18:53:15 @boog900: what if the node operating a "spy" service without its knowledge. how can we identify or tag them as a "spy node" 18:53:46 meaning the service running on such node is linking IPs to txns and not the runtime itself 18:53:47 They would have to know. Spying is deliberate and involves active aggregation of information. 18:54:00 @rucknium: what if it's mythos, for example 18:54:29 or an adversarial ai 18:54:49 The main model of spy nodes is explained in the D++ paper. One moment. 18:55:35 https://moneroresearch.info/122 Fanti, G., Venkatakrishnan, S. B., Bakshi, S., Denby, B., Bhargava, S., & Miller, A., et al. (2018). Dandelion++: Lightweight Cryptocurrency Networking with Formal Anonymity Guarantees. Proc. ACM Meas. Anal. Comput. Syst. 2(2). 18:56:20 https://www.cnbc.com/2026/06/01/anthropic-eu-ai-mythos-access-advanced-model.html 18:56:32 I think the ProbeLab proposal is ready to go to #monero-community:monero.social 18:56:41 I think anthropic peeps are mostly weird. so laugh at their models too. but still. something to consider 18:56:48 Any more comments on this item? 18:57:44 @fireine:matrix.org: Whether or not it's run by an AI is completely irrelevant. A spy node is a spy node 18:58:10 8. Potential ring signature findings (https://github.com/monero-project/meta/issues/1399#issuecomment-4604934837) 18:59:11 nothing from CS on this. 18:59:19 tevador: "I vote to NOT place "ViewAll issue" on the next meetings agenda unless a clear write-up with examples is publicly provided in advance of the meeting." That sounds good to me. I will put it on the agenda if a write-up is provided. 18:59:28 @jpk68:matrix.org: A spy is a person who secretly collects information for a government, organization, military, or other group. An ai isn't a prson 18:59:53 @rucknium: I vote to have it placed at the agenda bc the issue is a trivially obvious one. 19:00:03 and shouldn't need a write up bc it is obvious 19:00:08 but will provide this regardless 19:00:22 why does it matter? > <@fireine:matrix.org> A spy is a person who secretly collects information for a government, organization, military, or other group. An ai isn't a prson 19:00:40 @boog900: it doesn't. just wanted a reasonable definition so i can look into it :) 19:00:41 just a discussion to waste time 19:00:47 Thanks. It seemed during the ViewAll discussion today that there were some details that a write-up would clarify. It would help discussion. 19:00:55 @boog900: ^ 19:00:58 @boog900: for you perhaps. 19:01:15 i'd argue dealing with curves is itself a waste of time. 19:01:19 yet here we are 19:02:10 @rucknium: i'll work on that. 19:02:21 @rucknium: @fireine:matrix.org: I think you wanted to put this ^ item on the agenda. Could you start the discussion? 19:02:50 @rucknium: Indeed, but don't think I'm authorized to make these projections yet so will tie in @freeman:cypherstack.com 19:03:14 as far as I can tell, fireine's findings are unrelated to Freeman's and the ones we were all discussing earlier 19:03:29 they seem to be premised on the reuse of one time use keys 19:04:08 @jbabb:cypherstack.com: based on ideas from @freeman:cypherstack.com 19:04:16 I have to apologize. I saw "View-All Evasion" mentioned and assumed that we were all discussing the same thing and so related two unrelated concepts. 19:04:31 @jbabb:cypherstack.com: Well, the data exists but hasn't yet been pushed. I'll get to that. 19:04:32 What are next steps here @rucknium:monero.social ? > <@rucknium> I think the ProbeLab proposal is ready to go to #monero-community:monero.social 19:04:59 @jbabb:cypherstack.com: IIRC wallet2 has a ring cache to prevent this issue right? 19:05:14 yes it does, non issue 19:05:17 This linkability issue is separate, and solved with opt-in linkability. I have a PQ paper solving it that will be published around August, but I don’t think it’s a problem in this setting 19:06:09 Since in cryptocurrencies, the point is to catch key reuse, it’s fine 19:06:12 @jberman: have you read the pq paper 19:06:24 @yiannisbot:matrix.org: @yiannisbot:matrix.org: I think plowsof would put it on the next Community Workgroup meeting for approval at that stage, then go to funding required. I think plowsof's role may have changed a little recently, however. @plowsof:matrix.org , what do you think? 19:07:37 Though, it means those cryptocurrencies are married to their hash function. If a large family of collisions were found tomorrow, it would cause problems with linking tags 19:07:45 But that hasn’t happened yet, so whatever 19:08:22 A few published papers have analyzed key reuse on Monero hard forks. Any Monero hard forkers are supposed to implement key image reuse mitigation to prevent privacy issues. 19:08:41 ofrnxmr has been organising the community meetings as of late but that sounds like a plan 19:08:53 @rucknium: If all looks good here, then it can bbe merged before the next meeting 19:09:40 @fireine:matrix.org: have I read a paper that will be published in August? 19:09:56 Mitigations ≠ Specifications 19:10:07 @jberman: @jbabb:cypherstack.com: pushed a draft here im not trolling U 19:10:09 for GRYMOIRE 19:10:12 @ofrnxmr: Cool, thanks. When does that meeting take place? Is that a public meeting where we're supposed to be present? 19:10:13 so assumed maybe it was shared 19:10:23 https://moneroresearch.info/45 Wijaya, D. A., Liu, J. K., Steinfeld, R., Liu, D., & Yu, J. 2019, On The Unforkability of Monero. Paper presented at Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security. 19:10:28 @rucknium: My research is mostly interested in linkable ring signatures where the linking tag is formed from a different primitive than taking a hash digest. So it’s generally applicable, but imo NOT an issue here 19:10:49 https://moneroresearch.info/39 Vijayakumaran, S. 2023, Analysis of CryptoNote Transaction Graphs using the Dulmage-Mendelsohn Decomposition. Paper presented at 5th Conference on Advances in Financial Technologies (AFT 2023). 19:10:50 e.g.: syndrome computation or MinRank 19:11:27 doesn't eliminate the need to understand and formally document the baseline risk. > <@freeman:cypherstack.com> This linkability issue is separate, and solved with opt-in linkability. I have a PQ paper solving it that will be published around August, but I don’t think it’s a problem in this setting 19:11:35 The point is that accidental key reuse should be caught and prevented, not that reuse should be publicly linkable. If a wallet generates duplicate one-time keys by mistake, that's a catastrophic privacy failure. Making it detectable doesn't prevent it. 19:11:46 Both the View-All isolation requirement and one-time key reuse prevention point to the same architectural imperative: robust privacy and auditing in Monero depend on comprehensive wallet-level specification and enforcement, not just cryptographic properties alone. 19:12:33 Thanks chatGPT 19:12:43 > The point is that accidental key reuse should be caught and prevented 19:12:43 We do 19:12:56 That's what the ring cache is. 19:13:02 @freeman:cypherstack.com: Does the hash-based linking tag in Monero's current implementation create linkability risks that wallet mitigations inadequately address? If no, prove it. If yes, our formalization is necessary 19:13:06 @boog900: I don't run GPT. I use a Lambda instance when necessary. 19:13:14 different model 19:13:24 H100. 19:14:41 Thanks for sharing those papers @rucknium:monero.social, will read now 19:15:07 No problem. I think there may be a third paper out there, but I'm not sure. 19:16:23 The relevant part of the second paper is "secondly using data from four hard forks of Monero in addition to the main Monero chain." I have successfully run the code from the second paper if you need any pointers on that. 19:16:46 @rucknium: https://scholar.googleblog.com/2025/11/scholar-labs-ai-powered-scholar-search.html 19:16:49 @rucknium: Very interesting. 19:16:56 is this code public? 19:17:08 Yes 19:17:14 With very good documentation, too. 19:17:50 https://www.respectedsir.com/cna https://github.com/avras/cryptonote-analysis 19:18:09 @rucknium: can u pls link 19:18:32 oh IIT! 19:18:32 https://eprint.iacr.org/2021/760 19:19:02 THX! 19:20:03 Is there more to discuss in this agenda item for now? 19:21:20 @boog900: To be brutally honest and to straighten the record - lots of the zkzk community assumes I am some borg like entity. You are not the only one. I have been at academia since before OpenAI even existed and doing quite well for myself unassisted, might I add ; - ) 19:21:40 @rucknium: No more dialogue to field at my end, thank U 19:22:03 We can end the meeting here. Thanks everyone. 19:22:17 thanks ruck 19:22:57 huzaah! 19:23:48 and me who thought I was unhinged, @fireine:matrix.org make me look like a sane person 19:24:30 @syntheticbird: if you think I'm insane — just wait til you meet the NEAR cryptograthors 19:24:43 yeah this is among the most chaotic MRLs I've personally witnessed 19:25:01 @intr:unredacted.org: I think whats at the agenda is solvable tho 19:30:22 To straigten the record — we still need to deliver the probability density function to the core development team...? What is the current status of this? 19:31:07 @ofrnxmr:monero.social^ 19:34:40 @yiannisbot:matrix.org: https://github.com/monero-project/meta/issues 19:47:15 @fireine:matrix.org: Are you talking about OSPEAD? I was investigating the safety of having multiple decoy distributions being used at the same time, as would happen with a non-mandatory rollout. I tried many different ways to attack privacy and it did seem safe. But effort has switched to deploying FCMP, which would eliminate the decoy distribution problem. 19:48:22 Initially it was assumed that OSPEAD would be deployed with a mandatory rollout, e.g. as part of a hard fork with Seraphis, but the FCMP advances changed that. 19:59:34 @rucknium: Vacuously yes. I have not yet extensively evaluated the monero codebase but am taking active steps to do so as we speak and will put the data in regarding a complete pq spec before the end of the week. If there's anything that's non-trivial, I'm sure it'll find it's way into the chats in a way that doesn't spam everyone (not our intent). 20:04:19 the data will be pushed to https://github.com/firoorg/crucible/tree/main/lessons-from-monerochan/fieckert-working-group-pq-spec 20:04:19 I'm sure @freeman:cypherstack.com will see it at some point and share if iff it's non-trivial. 20:10:27 I can't expect prof menezes to audit all of our stuff bc he is super busy and has already kindly done this for us before for a different project. so will try and self-filter what is and isn't trivial by just pushing privately for now. 20:31:56 admittedly hilarious — but also obviously a serious issue 20:31:57 https://arxiv.org/abs/2606.03811 20:31:57 Our results demonstrate that self-sustaining AI-driven cyber-threats are no longer theoretical. We must prepare for autonomous generative adversaries 21:04:27 sir, this is a wendy's 22:09:24 > <@jbabb:cypherstack.com> Assume: 22:09:24 I've presumably solved the conjecture and it's been validated at Reuben's internal repo. My analysis appears to confirm that a wallet owner can evade CARROT's view-all auditing by constructing non-compliant self-send outputs outside the ScalarDerive derivation path, but this represents an inherent limitation of view-key-based [... too long, see https://mrelay.p2pool.observer/e/oZGgyIkLemR0WTBy ] 22:09:24 https://github.com/firoorg/crucible/blob/main/lessons-from-monerochan/fieckert-working-group-pq-spec/conjecture.md 22:11:26 to be precise, the markdown presumably validates that the conjecture is "true" 22:11:41 I'm not mathematically sophisticated yet so it needs to be screened for bullshit. But I put the data in. 22:13:49 it's trivial bc we don't give a fuck about compliance. but if we did. it's a serious thing. that being said it is indeed still a bug. 22:13:57 at my opinion. 22:14:44 @jbabb:cypherstack.com: pls do not waste your time until I've added comments. will be up before end of day EST. 22:15:29 It might be better to discuss these things in a private message, otherwise you are talking about a document no one can access. 22:16:04 selsta: monero stakeholders can indeed access it. 22:16:14 monero core / affiliates. 22:16:19 including fieckert. 22:16:24 I can't access it 22:16:24 but I'm not a stakeholder really :) 22:16:35 @jbabb:cypherstack.com: @reuben:firo.org: 22:17:34 selsta: xmr is a private ecosystem. or at least, that's what it was designed to be. private cash lol. can't hate me for requesting privacy when it's a core part of what I see as the ethos 22:17:44 selsta: just ping @reuben:firo.org 22:17:58 fieckert articulated that it doesnt always make sense to share at research chats. and so i wont 22:18:11 he was core. 22:18:21 This channel is for open research. I don't want access to the document, but it goes against the spirit of the channel. If you don't wan to share it here that's fine, but then also no need to talk about it in here. 22:18:38 selsta: you're going against the spirit of the monero private ecosystem 22:18:47 privacy is non-trivial 22:18:58 like sharing a view key 22:20:07 ignoring fieckert would be stupid. 22:20:25 At least spell his name right :P 22:20:27 *dialogue he has injected at the past regarding this 22:20:57 @jpk68:matrix.org: top cryptographers and mathematicians make typos all the time. just putting the data in. typos are trivial. but I will try and spell Aaron's name correcly 22:24:04 top whatevers need to stop being so full on and spamming 22:24:14 @plowsof:matrix.org: pq isn't spam. 22:28:29 could you at least role play the researcher role properly and create an open document for people to review and share thoughts on at a meeting 22:29:21 @plowsof:matrix.org: role play? 22:29:21 respectfully, LMAO 22:29:22 bitcoin primitive OG's have endorsed my work 22:29:22 I'm not a crankpot 22:29:23 even if you want me to be 22:29:25 yeah stop spamming 22:29:25 it's not spam. it's pq dialogue 22:29:26 and if it's ignored bad things will happen 22:29:47 I'll push the data to @reuben:firo.org 's repo and if anyone with access think's it is non-trivial, it'll likely be shared. I'll end my dialogue here, thank you 22:30:20 Unfortunately, quantum computers / logical qubits are real. 22:30:32 take care. 22:31:30 i know who satoshi is, doesnt give me the right to spam my stream of consciousness here 22:31:57 @plowsof:matrix.org: prof. menezes built the primitives he used to create your beloved btc. and he endorsed our work. but ok. 22:32:01 send satoshi our regards lol 22:32:02 take care 22:33:29 std::consciousness_stream x << "random jargon"; 22:33:29 mrl_messages = x.str(); 22:34:01 Wait, that's the wrong syntax :(( 22:34:07 Ruined the joke 22:35:04 > top cryptographers and mathematicians make typos all the time 22:37:52 "And the silence is deafening / You're absolutely right" 22:41:34 @jpk68:matrix.org: is this an insult? 22:42:25 Nah its a really nice compliment 22:42:26 @boog900: they do. at least at the context of computation, optimization | actual invariant theory 22:43:01 @boog900: i had similar thoughts when menezes endorsed our work and pushed other faculty to do the same. hopefully the bullshit we push isn't comparatively retarded 22:43:19 anyways, I'll stop "spamming" the chats and get back to work.