-
m-relay
<anhdres:matrix.org> I have a monero question: if I know both the base 4... address and one of their 8... subaddresses, can I link them together? If they are from the same account I mean.
-
m-relay
<jivan:opaline.uk> What do you mean by "link together"? What is it that you want to achieve?
-
m-relay
<anhdres:matrix.org> I want to get a precise notion of the risks of sharing the 4.. address publicly
-
m-relay
<anhdres:matrix.org> I know it's best practice, but I don't know exactly why
-
m-relay
<jivan:opaline.uk> I don't know if any new mitigations have been put in place since that post was made in 2019, others here should be able to comment on that
-
m-relay
<jivan:opaline.uk> But I see what you mean in your original question now; you're wondering whether someone who has seen such addresses can correlate them, that is figure out that they belong to the same person/account?
-
m-relay
<anhdres:matrix.org> yes
-
moneromoooo
You cannot see it without the secret view key.
-
m-relay
<anhdres:matrix.org> that was my belief, thanks
-
m-relay
<jivan:opaline.uk> This may also be informative:
monero-project/monero #7889
-
m-relay
<jivan:opaline.uk> Also, here are use-case descriptions:
monerodocs.org/public-address/integrated-address
-
m-relay
<charutocafe:matrix.org> how many dice rolls would i need to perform to create enough entropy to create a seed phrase?
-
m-relay
<charutocafe:matrix.org> and how could i even go about it?
-
m-relay
<jivan:opaline.uk> 128 bits of entropy requires 50 dice rolls. Write down the outcomes of the dice rolls as a long 50-digit number, replace all occurrences of 6 with 0, interpret it as a base-6 (a.k.a. seximal/heximal) number, convert to binary.
-
m-relay
<jivan:opaline.uk> The number 50 came from the expression *ceiling( log_6 ( 2^128 ) )*.
-
m-relay
<charutocafe:matrix.org> is 128 bits of entropy enough? i'm fairly sure that the current monero dictionary has a lot more possible combinations?
-
m-relay
<jivan:opaline.uk> Not sure of the spec, just wanted to explain the general principle. Replace 128 with whatever you need.
-
moneromoooo
1626 ** 24, though IIRC there was talk that 128 bit were enough. I'm unsure how much scrutiny the claim had from cryptographers though.
-
moneromoooo
You don't need to bother with the base 6 etc fwiw, just hash the 50 digit number as is.
-
m-relay
<charutocafe:matrix.org> ok, i appreciate the explanation, i figured it'd be something along those lines. after i get a large binary number what do i do?
-
m-relay
<jivan:opaline.uk> The general consensus is that 256 bits of security is required for long-term quantum resistance (resistance against Grover's algorithm). What size random number that corresponds to in Monero's case depends on its specific security properties, but in the case of a seed I don't think it'll need to be higher than 256 bits of entropy itself.
-
m-relay
<jivan:opaline.uk> 128 bits of security is fine for most use-cases, but I can see the desire to go with 256 anyway.
-
m-relay
<jivan:opaline.uk> That's certainly an alternative, hashing instead of converting.
-
m-relay
<jivan:opaline.uk> But if we're doing things by hand and don't want to enter the entropic string of dice rolls into a computer, do we want to hash by hand or just convert by hand?
-
m-relay
<jivan:opaline.uk> Otherwise, may as well just use a random number generator on an air-gapped computer rather than rolling dice, right?
-
moneromoooo
What are you going to do with that string if not use it on a computer ?
-
m-relay
<charutocafe:matrix.org> somehow use it to choose words from the wordlist (?)
-
m-relay
<jivan:opaline.uk> You might use the seed derived from the dice rolls on something like a hardware wallet, but not a general-purpose computer.
-
m-relay
<jivan:opaline.uk> Whether you bother with any/all of this depends on how paranoid you are / how strict your threat model is
-
m-relay
<charutocafe:matrix.org> i imagine you could split the string into 24 equal length parts
-
moneromoooo
OK, fair enough, didn't know some hw wallets took raw numbers like this.
-
m-relay
<charutocafe:matrix.org> and then modulo 1626 to find the appropriate word for each
-
m-relay
<jivan:opaline.uk> They don't, but depending on your paranoia/threat level, you would derive the words from the numbers by hand. Hashing is not feasible in that circumstance
-
m-relay
<charutocafe:matrix.org> or could that yield a non-valid seed?
-
m-relay
<plowsof:matrix.org> i assume you might find this interesting charuto
feather-wallet/feather #82
-
m-relay
<jivan:opaline.uk> That's essentially the same thing, just shortcutting to the wordlist rather than getting a binary seed first. You're just converting from base-6 directly to base-1626 rather than going to base-2 first and then applying the seed derivation algorithm.
-
m-relay
<charutocafe:matrix.org> thanks plowsof , i'll definitely take a look
-
moneromoooo
Well, the seed is really a secret key, it should be reduced. A non-reduced one should work but may get you odd behaviour in some cases.
-
m-relay
<charutocafe:matrix.org> i guess the question is, can i use dice to manually get a monero mnemonic seed without using any software? if so, how?
-
m-relay
<plowsof:matrix.org> more info on that dice roll script's entropy
github.com/Monero-HackerIndustrial/MoneroDice-WalletGen#entropy "The script generates 100 dice rolls for a little bit over 256 bit entropy."
-
m-relay
<jivan:opaline.uk> Here we go, it's 256 bits:
monero.stackexchange.com/a/470
-
m-relay
<jivan:opaline.uk> So, 100 dice rolls, convert from base-6 to base-2, take the least-significant 256 digits of that base-2 number (which should be just over 256 digits long), and split it into eight 32-bit chunks. Each such chunk corresponds to 3 words from the word list. That gives you 24 words. The 25th word is a checksum word.
-
m-relay
<charutocafe:matrix.org> i'll do it all by hand one day just for the sake of it
-
m-relay
<jivan:opaline.uk> Related: if you want, there's a similar scheme for password generation called Diceware.
-
m-relay
<charutocafe:matrix.org> good to know
-
m-relay
<charutocafe:matrix.org> also i think that using multiple different dice, say 10 rolls of 10 dice, would probably increase entropy over 100 rolls on a single dice
-
m-relay
<jivan:opaline.uk> It won't increase entropy, but it will mitigate against weighting
-
m-relay
<charutocafe:matrix.org> doesn't weighting decrease entropy though?
-
m-relay
<charutocafe:matrix.org> that's what i meant.
-
m-relay
<jivan:opaline.uk> Use a casino die if you're super paranoid about the probability distribution not being uniform, those are tested to a high standard
-
m-relay
<jivan:opaline.uk> No, but it makes certain outcomes more likely than others, so if someone knows the weighting of your dice, they are more likely to figure out your seed sooner.
-
m-relay
<jivan:opaline.uk> For example, if your die outcome is "1" 99% of the time, it's still possible that your 100 dice rolls didn't include any "1"s, but it would be silly for the adversary to not try "1111111..." first.
-
m-relay
<jivan:opaline.uk> Entropy is a measure of how many states there are overall.
-
m-relay
<charutocafe:matrix.org> yeah, that's fair, i was equating it with security, but you're correct. you can have more entropy and less security.
-
m-relay
<charutocafe:matrix.org> (depending on the source of entropy)
-
m-relay
<charutocafe:matrix.org> "Based on some Math from coldcard, a d6 dice provides 2.585 bits of additional entropy per roll This means: 50 rolls for 128 bit 99 rolls for 256 bit" that's an interesting way of saying log2(6)=2.585
-
m-relay
<charutocafe:matrix.org> "some Math"
-
hyc
lol
-
m-relay
<jivan:opaline.uk> As a final point, rather than converting from base-6 to binary and deriving the 24 words from that, you could do what you're suggesting and go straight from dice rolls to words from the wordlist. However, there are 1,626 words to choose from, so that requires 5 rolls per word (in order to assign a 5-digit base-6 number to each word), for a total of 120 rolls to generate 24 words. <clipped message>
-
m-relay
<jivan:opaline.uk> So if someone wants to generate that mapping in a probabilistically uniform way, you'd save yourself the binary conversion at the expense of 20 extra dice rolls.
-
m-relay
<jivan:opaline.uk> It's very important that such a mapping be probabilistically uniform though; you can't just assign the first 1,626 base-6 numbers to the words in order, else the final 330 words are more likely to be chosen than the others.
-
m-relay
<jivan:opaline.uk> (Because 1626 - 6^4 = 330)
-
m-relay
<charutocafe:matrix.org> my main doubt was if all possible 24 word combination represented valid keys or if some were just "filler"
-
m-relay
<charutocafe:matrix.org> combinations*
-
hyc
you could also use 8-sided or 12-sided dice instead. or 10- or 20-sided for that matter
-
m-relay
<jivan:opaline.uk> I think one valid way to do that is to use the naive "assign base-6 numbers in ascending order" and then reverse the order of the digits in the 5-digit number assigned to each word.
-
m-relay
<charutocafe:matrix.org> hyc: brb raiding the dungeons and dragons club
-
hyc
exactly ;)
-
m-relay
<jivan:opaline.uk> Just make sure that they're not spindown dice, but are actually probabilistically uniform dice.
-
m-relay
<charutocafe:matrix.org> i feel like those are more likely to have less uniform probabilities, i think casino dice like Jivan mentioned are probably the most appropriate
-
m-relay
<charutocafe:matrix.org> no pun intended
-
hyc
some of these dice makers are pretty fanatical about their uniformity/quality
-
hyc
a shame I've never seen anyone make a 16-sided die
-
m-relay
<charutocafe:matrix.org> is die the singular for dice?
-
hyc
yes
-
m-relay
<charutocafe:matrix.org> TIL
-
m-relay
<jivan:opaline.uk> Even with this scheme, some words will be marginally more/less likely than others.
-
m-relay
<jivan:opaline.uk> I remember digging into this problem of uniformity a while ago, you can't do it in a single pass for the case of 6-sided dice and 1,626 words, because the prime factors of 1626 are 2, 3, and 271, of which the first two are factors of 6, but 271 of course isn't.
-
m-relay
<jivan:opaline.uk> They all need to be factors of the number of sides the dice has in order for there to be some fixed number of dice rolls whose set of outcomes can be divided into 1626 equally sized groups.
-
m-relay
<jivan:opaline.uk> Found my derivation of that:
reddit.com/r/math/comments/smvbqz/comment/hw0tov1
-
m-relay
<charutocafe:matrix.org> "If n > s, choose a sufficiently high amount of times r to roll the die, i.e. such that n ≤ s^r." ideally one should choose the minimum value for r that satisfies the condition, correct?
-
m-relay
<charutocafe:matrix.org> just to avoid unnecessary rerolls
-
moneromoooo
Save yourself the bother. Roll a healthy extra amount. Hash. Don't care about fairness as long as good enough.
-
moneromoooo
Unless it's for fun. In which case carry on :D
-
m-relay
<charutocafe:matrix.org> it's mostly for fun/educational purposes, yeah :)
-
m-relay
<charutocafe:matrix.org> but i appreciate your pragmatic approach
-
revuoxmr
Revuo Monero Issue 190: October 19 - 26, 2023.
revuo-xmr.com/issue-190.html
-
pLaMaN
Is it normal, when running a public node using p2pool, that another person can call mining_status and start mining on any public node which doesn't have a user and password set for the RPC?
-
selsta
pLaMaN: run a restricted node
-
selsta
or wait, p2pool node
-
selsta
ignore me :D someone else might know
-
pLaMaN
is not normal that commands should be just local
-
pLaMaN
even if public
-
pLaMaN
Peace out everyone
-
plowsof
pLaMaN left
-
sech1
what
-
sech1
of course, if you expose unrestricted RPC to the whole world, people will start mining on your node
-
selsta
I wasn't sure if they are talking about monerod or p2pool
-
m-relay
<ofrnxmr:monero.social> P2pool stratum would only allow mining to the server host's monero address iirc,
-
m-relay
<ofrnxmr:monero.social> The node's zmq would allow someone to run their own p2pool using a remote node (like xmrvsbeast's setup instructions)
-
m-relay
<ofrnxmr:monero.social> but looks like user issue is unrestricted rpc on monerod
-
m-relay
<jivan:opaline.uk> That's the less specific case I was just describing to make the point that you can use multiple die rolls to simulate larger dice. But yes, you make a valid point.
-
m-relay
<jivan:opaline.uk> Given the bit later on about choosing r such that s^r = mn, where m is some integer, the minimal value of r that works is the lowest common multiple of the orders/exponents of the prime factors of s and n. That is what I try to illustrate with the numerical example immediately afterwards.
-
m-relay
<jivan:opaline.uk> Actually, I don't think that's exactly right, but hopefully the numerical example makes it clear how you can figure out minimal r by looking at the prime factorisations of s and n.
-
m-relay
<jivan:opaline.uk> I think it's actually r = max(n_i / s_i) over all i, where n_i and s_i are the exponents of the same prime number p_i in their prime factorisations, respectively.
-
m-relay
<jivan:opaline.uk> Basically, you want to choose r so that the exponents in the prime factorisation of s^r are at least as big as those of n. That way m := (s^r)/n is an integer.