16:39:52 I have a monero question: if I know both the base 4... address and one of their 8... subaddresses, can I link them together? If they are from the same account I mean.
16:41:53 What do you mean by "link together"? What is it that you want to achieve?
16:42:48 I want to get a precise notion of the risks of sharing the 4.. address publicly
16:43:19 I know it's best practice, but I don't know exactly why
16:43:55 See here for a primer: https://www.getmonero.org/2019/10/18/subaddress-janus.html
16:44:17 I don't know if any new mitigations have been put in place since that post was made in 2019, others here should be able to comment on that
16:45:10 But I see what you mean in your original question now; you're wondering whether someone who has seen such addresses can correlate them, that is figure out that they belong to the same person/account?
16:45:50 yes
16:46:23 You cannot see it without the secret view key.
16:47:55 that was my belief, thanks
16:49:15 This may also be informative: https://github.com/monero-project/monero/issues/7889
16:50:22 Also, here are use-case descriptions: https://monerodocs.org/public-address/integrated-address/
16:51:08 how many dice rolls would i need to perform to create enough entropy to create a seed phrase?
16:51:26 and how could i even go about it?
16:53:17 128 bits of entropy requires 50 dice rolls. Write down the outcomes of the dice rolls as a long 50-digit number, replace all occurrences of 6 with 0, interpret it as a base-6 (a.k.a. seximal/heximal) number, convert to binary.
16:53:47 The number 50 came from the expression *ceiling( log_6 ( 2^128 ) )*.
16:54:21 is 128 bits of entropy enough? i'm fairly sure that the current monero dictionary has a lot more possible combinations?
16:54:27 is 128 bits of entropy enough? i'm fairly sure that the current monero dictionary has a lot more possible combinations
16:54:52 Not sure of the spec, just wanted to explain the general principle. Replace 128 with whatever you need.
16:55:05 1626 ** 24, though IIRC there was talk that 128 bit were enough. I'm unsure how much scrutiny the claim had from cryptographers though.
16:55:34 You don't need to bother with the base 6 etc fwiw, just hash the 50 digit number as is.
16:55:35 ok, i appreciate the explanation, i figured it'd be something along those lines. after i get a large binary number what do i do?
16:56:52 The general consensus is that 256 bits of security is required for long-term quantum resistance (resistance against Grover's algorithm). What size random number that corresponds to in Monero's case depends on its specific security properties, but in the case of a seed I don't think it'll need to be higher than 256 bits of entropy itself.
16:57:13 128 bits of security is fine for most use-cases, but I can see the desire to go with 256 anyway.
16:57:29 That's certainly an alternative, hashing instead of converting.
16:57:57 But if we're doing things by hand and don't want to enter the entropic string of dice rolls into a computer, do we want to hash by hand or just convert by hand?
16:58:29 Otherwise, may as well just use a random number generator on an air-gapped computer rather than rolling dice, right?
16:58:32 What are you going to do with that string if not use it on a computer?
16:59:01 somehow use it to choose words from the wordlist (?)
16:59:11 You might use the seed derived from the dice rolls on something like a hardware wallet, but not a general-purpose computer.
16:59:43 Whether you bother with any/all of this depends on how paranoid you are / how strict your threat model is
17:00:02 i imagine you could split the string into 24 equal length parts
17:00:06 OK, fair enough, didn't know some hw wallets took raw numbers like this.
17:00:21 and then modulo 1626 to find the appropriate word for each
17:00:36 They don't, but depending on your paranoia/threat level, you would derive the words from the numbers by hand.
Hashing is not feasible in that circumstance
17:00:49 or could that yield a non-valid seed?
17:01:19 i assume you might find this interesting charuto https://github.com/feather-wallet/feather/issues/82
17:01:34 That's essentially the same thing, just shortcutting to the wordlist rather than getting a binary seed first. You're just converting from base-6 directly to base-1626 rather than going to base-2 first and then applying the seed derivation algorithm.
17:01:48 thanks plowsof, i'll definitely take a look
17:02:18 Well, the seed is really a secret key, it should be reduced. A non-reduced one should work but may get you odd behaviour in some cases.
17:02:55 i guess the question is, can i use dice to manually get a monero mnemonic seed without using any software? if so, how?
17:03:12 more info on that dice roll script's entropy https://github.com/Monero-HackerIndustrial/MoneroDice-WalletGen#entropy "The script generates 100 dice rolls for a little bit over 256 bit entropy."
17:04:29 Here we go, it's 256 bits: https://monero.stackexchange.com/a/470
17:06:19 So, 100 dice, rolls, convert from base-6 to base-2, take the least-significant 256 digits of that base-2 number (which should be just over 256 digits long), and split it into eight 32-bit chunks. Each such chunk corresponds to 3 words from the word list. That gives you 24 words. The 25th word is a checksum word.
17:06:44 So, 100 dice rolls, convert from base-6 to base-2, take the least-significant 256 digits of that base-2 number (which should be just over 256 digits long), and split it into eight 32-bit chunks. Each such chunk corresponds to 3 words from the word list. That gives you 24 words. The 25th word is a checksum word.
17:08:44 i'll do it all by hand one day just for the sake of it
17:09:09 Related: if you want, there's a similar scheme for password generation called Diceware.
17:09:52 good to know
17:10:27 also i think that using multiple different dice, say 10 rolls of 10 dice, would probably increase entropy over 100 rolls on a single dice
17:10:39 It won't increase entropy, but it will mitigate against weighting
17:10:56 doesn't weighting decrease entropy though?
17:10:59 that's what i meant.
17:11:10 Use a casino die if you're super paranoid about the probability distribution not being uniform, those are tested to a high standard
17:11:39 No, but it makes certain outcomes more likely than others, so if someone knows the weight of your dice, they are more likely to figure out your seed sooner.
17:11:47 No, but it makes certain outcomes more likely than others, so if someone knows the weighting of your dice, they are more likely to figure out your seed sooner.
17:12:56 For example, if your die outcome is "1" 99% of the time, it's still possible that your 100 dice rolls didn't include any "1"s, but it would be silly for the adversary to not try "1111111..." first.
17:14:17 Entropy is a measure of how many states there are overall.
17:15:23 yeah, that's fair, i was equating it with security, but you're correct. you can have more entropy and less security.
17:15:44 (depending on the source of entropy)
17:18:30 "Based on some Math from coldcard, a d6 dice provides 2.585 bits of additional entropy per roll This means: 50 rolls for 128 bit 99 rolls for 256 bit" that's an interesting way of saying log2(6)=2.585
17:18:55 "some Math"
17:18:59 lol
17:22:27 As a final point, rather than converting from base-6 to binary and deriving the 24 words from that, you could do what you're suggesting and go straight from dice rolls to words from the wordlist. However, there are 1,626 words to choose from, so that requires 5 rolls per word (in order to assign a 5-digit base-6 number to each word), for a total of 120 rolls to generate 24 words.
17:22:27 So if someone wants to generate that mapping in a probabilistically uniform way, you'd save yourself the binary conversion at the expense of 20 extra dice rolls.
17:24:09 It's very important that such a mapping be probabilistically uniform though; you can't just assign the first 1,626 base-6 numbers to the words in order, else the final 330 words are more likely to be chosen than the others.
17:24:36 (Because 1626 - 6^4 = 330)
17:28:40 my main doubt was if all possible 24 word combination represented valid keys or if some were just "filler"
17:28:46 combinations*
17:29:13 you could also use 8-sided or 12-sided dice instead. or 10- or 20-sided for that matter
17:29:19 I think one valid way to do that is to use the naive "assign base-6 numbers in ascending order" and then flip the order of the 5-digit number assigned to each word.
17:29:41 I think one valid way to do that is to use the naive "assign base-6 numbers in ascending order" and then reverse the order of the digits in the 5-digit number assigned to each word.
17:29:46 hyc: brb raiding the dungeons and dragons club
17:30:01 exactly ;)
17:30:40 Just make sure that they're not spindown dice, but are actually probabilistically uniform dice.
17:30:46 i feel like those are more likely to have less uniform probabilities, i think casino dice like Jivan mentioned are probably the most appropriate
17:31:29 no pun intended
17:32:12 some of these dice makers are pretty fanatical about their uniformity/quality
17:32:31 a shame I've never seen anyone make a 16-sided die
17:33:19 is die the singular for dice?
17:33:27 yes
17:33:33 TIL
17:37:54 Even with this scheme, some words will be marginally more/less likely than others.
17:39:15 I remember digging into this problem of uniformity a while ago, you can't do it in a single pass for the case of 6-sided dice and 1,626 words, because the prime factors of 1626 are 2, 3, and 271, of which the first two are factors of 6, but 271 of course isn't.
17:40:24 They all need to be factors of the number of sides the dice has in order for there to be some fixed number of dice rolls whose set of outcomes can be divided into 1626 equally sized groups.
17:42:30 Found my derivation of that: https://www.reddit.com/r/math/comments/smvbqz/comment/hw0tov1
17:52:03 If n > s, choose a sufficiently high amount of times r to roll the die, i.e. such that n ≤ s^r. ideally one should choose the minimum value for r that satisfies the condition, correct?
17:52:47 just to avoid unnecessary rerolls
17:54:57 "If n > s, choose a sufficiently high amount of times r to roll the die, i.e. such that n ≤ s^r." ideally one should choose the minimum value for r that satisfies the condition, correct?
17:55:15 Save yourself the bother. Roll a healthy extra amount. Hash. Don't care about fairness as long as good enough.
17:55:45 Unless it's for fun. In which case carry on :D
17:57:20 it's mostly for fun/educational purposes, yeah :)
17:58:14 but i appreciate your pragmatic approach
18:00:58 Revuo Monero Issue 190: October 19 - 26, 2023. https://revuo-xmr.com/issue-190.html
19:31:03 Is it normal when running a public node using p2pool that another person can call the mining_status and start mining with any public node which doesn't have a user and pass set for the rpc?
19:32:10 pLaMaN: run a restricted node
19:32:24 or wait, p2pool node
19:32:40 ignore me :D someone else might know
19:35:57 is not normal that commands should be just local
19:36:09 even if public
19:37:39 Peace out everyone
19:38:33 pLaMaN left
19:43:20 what
19:43:59 of course, if you expose unrestricted RPC to the whole world, people will start mining on your node
20:11:52 I wasn't sure if they are talking about monerod or p2pool
20:27:34 P2pool stratum would only allow mining to the server host's monero address iirc,
20:27:34 The node's zmq would allow someone to run their own p2pool using a remote node (like xmrvsbeast's setup instructions)
20:27:34 but looks like user issue is unrestricted rpc on monerod
21:58:09 That's the less specific case I was just describing to make the point that you can use multiple die rolls to simulate larger dice. But yes, you make a valid point.
21:58:10 Given the bit later on about choosing r such that s^r = mn, where m is some integer, the minimal value of r that works is the lowest common multiple of the orders/exponents of the prime factors of s and n. That is what I try to illustrate with the numerical example immediately afterwards.
22:01:57 Actually, I don't think that's exactly right, but hopefully the numerical example makes it clear how you can figure out minimal r by looking at the prime factorisations of s and n.
22:06:21 I think it's actually r = max(n_i / s_i) over all i, where n_i and s_i are the exponents of the same prime number p_i in their prime factorisations, respectively.
22:06:21 Basically, you want to choose r so that the exponents in the prime factorisation of s^r are at least as big as those of n. That way m := (s^r)/n is an integer.