-
br-m
<yiannisbot:matrix.org> Hey folks, I would love to continue the discussion regarding ProbeLab's proposal (
repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/667), but I see the site/repo is still down. Do you have an ETA when it's going to be back up? Or is there another way to recover the comments so that we can talk them through?
-
selsta
it should be back up in the next days
-
br-m
<reedmarin:unredacted.org> A very elaborate article covering the risks of the FCMP++ HF was posted an hour ago on Twitter. It is likely that many of you stay away from Twitter as a matter of principle. But given the unusual thoroughness of the article in question, I thought it could be worthwhile to bring it to your attention. Perhaps you may want to make corrections, or provide additional information or context.
-
UkoeHB
Can't read it without an X account.
-
plowsof
👍
-
br-m
<sgp_> I don't think it's worth reading. It would take a lot of effort to reply to
-
br-m
<sgp_> e.g. this
-
plowsof
"unusual thoroughness" and they have not reached out to the people involved for clarification, bar charts, ok
-
br-m
<sgp_> Fwiw, I think the most fair criticism (which isn't even brought up on the post) is that an outsider not regularly involved in meetings will have a tough time keeping track of wtf is happening. Which for most things is fine, otherwise you have "why less than 128???" drama more regularly lol
-
br-m
<kayabanerve:matrix.org> The twist of an elliptic curve is not the elliptic curve. The twist is its own elliptic curve which we don't use. There's a bogeyman in elliptic curve cryptography that the twist being insecure may cause the curve itself to be insecure. Such attacks are hypothesized, not existent, and are why we didn't care for twist security.
-
br-m
<kayabanerve:matrix.org> We accepted it as a criterion because we were asked
-
br-m
<kayabanerve:matrix.org> But what about the bogeyman?
-
br-m
<kayabanerve:matrix.org> and also[... more lines follow, see
mrelay.p2pool.observer/e/u5ONm4ALckpWOUlF ]
-
br-m
<sgp_> Oh kayaba you're back, I thought you completely disappeared in 2024
-
br-m
<kayabanerve:matrix.org> Also, due to an oversight where on the list of tens of candidates, some were inadvertently omitted, there was already reason to redefine the list.
-
br-m
<vtnerd> Yeah that one caught me too, just assumed his username was sold on darknet
-
br-m
<kayabanerve:matrix.org> @sgp_:monero.social: my interest and patience did, now you just have my annoyance and random appearances to ruin your day before disappearing again
-
br-m
<vtnerd> It wasn't a bad post overall, it's tough to be perfectly neutral
-
br-m
<kayabanerve:matrix.org> /s
-
br-m
<kayabanerve:matrix.org> I think the post is horribly written
-
plowsof
verified accounts require engagement on twitter for $
-
br-m
<vtnerd> lol ok, maybe I need to re read. His primary point seemed to be that change has risk, and so this upgrade isn't risk free. I feel like that's a decent overview even if it was critical
-
br-m
<vtnerd> But maybe some of the facts were out of line
-
br-m
<vtnerd> It did seem to imply that a counterfeit bug was all but inevitable, and the kaya narrative fed into that
-
br-m
<kayabanerve:matrix.org> I didn't step back due to QCs and I even said, a moratorium _after_ this protocol. Also, BP+ is cited as a component when it isn't, and they criticize the composition for not having peer reviewed, but in contrast, proceed to list the other things which weren't published with proofs in a conference for peer review.
-
br-m
<ofrnxmr:xmr.mx> plowsof: "sponsored by wagyu"
-
br-m
<rucknium> Wow moneroresearch.info cited on Twitter. In the big leagues now ;)
-
br-m
<kayabanerve:matrix.org> The composition was defined by me, is rather immediate to understand the security of, was formalized and proven by Aaron Feickert, with proofs published.
-
br-m
<kayabanerve:matrix.org> That's as notable as their claim Generalized Bulletproofs was published with proofs by CS, as literally, in both cases, CS uploaded a PDF with proofs.
-
br-m
<sgp_> They read the audits but didn't understand them, and wrote a post without understanding. For X, that might be above average?
-
br-m
<kayabanerve:matrix.org> They also note the lack of issues, and I agree we can discuss why audits without findings are a concern, but have we considered I'm just that good? /s
-
br-m
<sgp_> @kayabanerve:matrix.org: Something something recent Serai audit :p
-
br-m
<ofrnxmr:xmr.mx> @sgp_: Threw the audits into an llm* and posted what they gathered from the llm
-
br-m
<kayabanerve:matrix.org> ... have we considered I'm just that good 100% of the time, 50% of the time?
-
br-m
<kayabanerve:matrix.org> Because I also have a Trail of Bits audit which follows the distribution from Veridise :p
-
br-m
<kayabanerve:matrix.org> Also, the cited audit from Veridise was over a very specific scope and doesn't discuss the other audits
-
br-m
<sgp_> So we should expect to bomb the next one, got it 👍
-
br-m
<sgp_> @kayabanerve:matrix.org: Wdym audit scope
-
br-m
<sgp_> Is audited or not
-
br-m
<kayabanerve:matrix.org> @ofrnxmr:xmr.mx: It does seem like an LLM but 'in their voice', except I'd honestly expect a bit more academic accuracy out of an LLM in the year 2026
-
br-m
<aillia:matrix.org> "Perplexity has also been quite helpful"
xcancel.com/babysolo_/status/2040184685360472259 > <@sgp_> They read the audits but didn't understand them, and wrote a post without understanding. For X, that might be above average?
-
br-m
<kayabanerve:matrix.org> The Veridise audit was GBP < stuff <= FCMP.
-
br-m
<kayabanerve:matrix.org> Aaron Feickert audited the GBP lib itself.
-
br-m
<kayabanerve:matrix.org> That's also the FCMP, not the ++ part.
-
br-m
<ofrnxmr:xmr.mx> @kayabanerve:matrix.org: iirc they write a lot of these plagiarized llm articles
-
plowsof
"community pushed for multisig and from what I understand that's been implemented now" yeah good to know
-
br-m
<kayabanerve:matrix.org> Er. I'm silly. We do use a BP+, technically. It's one of the proofs composed into the GSP for the ++ part. I completely forgot about it because it's such a non-normative use of it...
-
br-m
<kayabanerve:matrix.org> So that is a component, technically...
-
br-m
<kayabanerve:matrix.org> I'd say their 'put the four cards together' is wrong on points 1, 2, and 3. I'm not skeptical of FCMP++ (2) and lack of peer review (3) is misleading.
-
br-m
<kayabanerve:matrix.org> The composition was reviewed by a peer, Aaron Feickert, if I dare call him a peer of mine (despite not being of his caliber).
-
br-m
<kayabanerve:matrix.org> The GBP has been around the block a few times, as has the divisors technique.
-
br-m
<kayabanerve:matrix.org> And I think there's still a possible outstanding discussion on yet another review for the composition?
-
br-m
<reedmarin:unredacted.org> plowsof: To clarify, by "unusual thoroughness" I did not try to vouch for accuracy. Perhaps it was not the right choice of words. What I meant is that the article is not your typical useless twitter post, but it is actually bringing up interesting topics. It does have some claims which may be questionable, and now you have the [... too long, see
mrelay.p2pool.observer/e/goTDm4ALOUhOY0k0 ]
-
br-m
<kayabanerve:matrix.org> why do I even bother maintaining documentation on our peer review
-
selsta
as always, the debunking part is significantly more work than writing such an article with LLMs
-
br-m
<kayabanerve:matrix.org>
github.com/monero-oxide/monero-oxid…e/tree/fcmp%2B%2B/audits/fcmp%2B%2B if only there was a folder specifically for the composition as a whole
-
br-m
<kayabanerve:matrix.org> I guess no one has done that though, and any review, if any even exists, has been lost to time in the disorganized meeting logs and endless noise which is irc
-
br-m
<kayabanerve:matrix.org> I will, on a more realistic note, say that one can say only a single qualified cryptographer has reviewed the composition and produced an artifact confirming their review. Accordingly, one may consider it solely of singular review. I'd disagree but not find that false. I also believe it acceptable as one can show the compositi [... too long, see
mrelay.p2pool.observer/e/8-3Xm4ALekNfTndV ]
-
br-m
<sgp_> "is it moon math, yes or no"
-
br-m
<kayabanerve:matrix.org> So if we consider my proof it's perfectly zero-knowledge, Aaron's proof, the soundness derived from the composed proofs, and the soundness from Aaron's explicit proof... that is at two people.
-
br-m
<kayabanerve:matrix.org> ... I want to say 'yes if anything with a circuit is moon math', but honestly, with divisors, sure, moon math, why not
-
br-m
<kayabanerve:matrix.org> That had so many rounds of review
-
br-m
<kayabanerve:matrix.org> And the final version is the original version!
-
br-m
<kayabanerve:matrix.org> but oh my gosh did that take a while to get sufficient sign offs on
-
br-m
<ixr3:matrix.org> @reedmarin:unredacted.org: "The bet resolves in the next 90 days." No way. There are plenty of new audits after July.
-
br-m
<reedmarin:unredacted.org> I find it strange that they wrote all of that and did not think to reach out and verify the facts. Unfortunately, LLM-assisted or not, in twitter normie land the article will likely see a lot of traction and mostly be regarded as fact by those who read it.
-
br-m
<ofrnxmr:xmr.mx> They are sponsored by wagyu. The centralized, single wallet, fake dex, paid shill exchange
-
br-m
<ofrnxmr:xmr.mx> Zero integrity. What did you expect?
-
br-m
<321bob321> Nothing new
-
br-m
<vtnerd> The author posted some corrections as replies on C but has not modified the article
-
br-m
<vtnerd> *on X
-
br-m
<fr33_yourself> Hey everyone, I just read the article under discussion and was curious for everyone's insight into how likely a possible counterfeiting / inflation bug will be with the coming upgrade? Are the mathematical proofs for amounts changing with FCMP? And even if not, how would you all assess the likelihoods of bugs / exploits from the changes in the code that governs the integrity of amount proofs?
-
br-m
<sgp_> Less likely if you donate $500k for additional audits :)
-
br-m
<fr33_yourself> Haha I wish
-
br-m
<sgp_> There's always non-zero risk, but a lot of effort (and money) has gone into multi-step reviews by multiple competent people. That process started two years ago and is still ongoing
-
br-m
<sgp_> You can read the MRL logs going back 2 years to see how it's being taken seriously, and all the MRL logs before that showing how the Monero community has taken this seriously in general in the past
-
br-m
<fr33_yourself> True. I've seen the amount of resources and academic work going into it. Plus implementation from jberman jeffro etc. Also, what would the rollback plan be? I guess if we find out after the fact there was an inflation bug exploited, the only option would be for most participants to agree to go back to a blockheight before the fork and run old-software
-
br-m
<fr33_yourself> The math of the rangeproofs and bulletproofs is staying the same correct? Or are these proofs also getting tweaked a bit for FCMP?
-
br-m
<sgp_> I can't speak for others, but one likely "rollback" type option would be a forced turnstile. That has been posited for certain post quantum reaction scenarios
-
br-m
<sgp_> There's really no single answer because it'll depend on the scale, etc
-
br-m
<fr33_yourself> I don't see how a turnstile would help after the fact. And I don't think it is necessary to have all outputs go through one pre-fork
-
br-m
<sgp_> There isn't a suggested one with the FCMP++ upgrade/deployment
-
br-m
<fr33_yourself> An interesting idea with turnstiles to DETECT inflation would be to schedule a turnstile every year or five years or something, requiring all outputs to move through the turnstile before being spendable. But this would likely be complicated to implement, enforce, and most importantly would cause unnecessary chain bloat. A boa [... too long, see
mrelay.p2pool.observer/e/hbyUn4ALY00yN19U ]
-
br-m
<sgp_> I'm not aware of proposals for anything like that
-
br-m
<fr33_yourself> it was just me spit-balling
-
selsta
Is there any writeup in regards to FCMP++ and pruning?
-
br-m
<sgp_> There is probably (?) more elsewhere
-
br-m
<fr33_yourself> I'm not sure if you guys in here saw or heard, but the inflation bug issue (and other bugs as well) seems particularly interesting in light of the recent issues with Litecoin. In March an attacker successfully exploited a bug in the amount proofs when moving from their Mimblewimble sidechain with confidential transactions to t [... too long, see
mrelay.p2pool.observer/e/v6Ssn4ALb3dwVWdu ]
-
br-m
<fr33_yourself> This is all happening when the AI cybersecurity / code related models are getting better, such as the alleged Mythos by Claude.
-
br-m
<sgp_> I don't think thinking on this has really changed:
getmonero.org/2020/01/17/auditability.html
-
br-m
<sgp_> There are plenty of examples of inflation on a transparent network, and people don't notice until after it's too late to take meaningful action without harming honest victims
-
br-m
<fr33_yourself> @sgp_: Can you cite some of these examples? The only two I'm familiar with are the one that was exploited in Bitcoin then patched + rollback from Satoshi in early days as well as the more recent one in Bitcoin where the bug was caught by a BCH developer I think and they patched it.
-
br-m
<sgp_> They addressed it by burning their reserves, per the article