-
br-m
<namenet:matrix.org> Is 16 words safe enough for polyseed?
-
br-m
<namenet:matrix.org> Seems small
-
br-m
<rbrunner7> "Is 16 words safe enough for polyseed?" Cryptographers say yes:
github.com/tevador/polyseed?tab=readme-ov-file#secret-seed
-
br-m
<ity:itycodes.org> "Cryptographers say yes" omg
-
plowsof
learning will continue until morale improves
-
br-m
<ity:itycodes.org> Haha
-
br-m
<heyadora:matrix.org> I never used crypto owo
-
br-m
<ity:itycodes.org> I am unsatisfied with their README, but generally speaking, 2048 word list * 16 gives you 176 bits of entropy, which corresponds to about ~26 characters of random printable ASCII characters. Their stated target is 128 bits, which corresponds to ~19 characters. Their actual seed length is 150 bits, which is ~22 characters. They [... too long, see
mrelay.p2pool.observer/e/t6q1ncIKVUlua051 ]
-
br-m
<ity:itycodes.org> SHA256 is 256bit, HMAC and PBKDF2 both have variable widths
-
br-m
<ity:itycodes.org> The README implies that they made it 128 bits, meaning they seem to just discard 2.36 words' worth of entropy (why not make it 256 bit then cut it in half at the end?)
-
br-m
<ity:itycodes.org> They also don't specify the resulting bit width, so I have no idea if it actually is 128 bit or not.
-
br-m
<ity:itycodes.org> They also have some slightly confusing sections which might impact entropy, but since it seems to be additive metadata it's probably irrelevant
-
br-m
<ity:itycodes.org> > To prevent the seed from being accidentally used with a different cryptocurrency, a coin flag is XORed with the second word after the checksum is calculated. Checksum validation will fail unless the wallet software XORs the same coin flag with the second word when restoring.
-
br-m
<ity:itycodes.org> Well, that will eat 10 bits of your entropy, but there's 22 bits to spare so whatever
-
br-m
<ity:itycodes.org> > The mnemonic phrase can be treated as a polynomial over GF(2048), which enables the use of an efficient Reed-Solomon error correction code with one check word. All single-word errors can be detected and all single-word erasures can be corrected without false positives.
-
br-m
<ity:itycodes.org> This is another 10 bits of entropy gone, but they already accounted for that given word 1 is taken as the checksum and not counted toward the total
-
br-m
<ity:itycodes.org> > Key generation is domain-separated by the wallet birthday month, seed features and the coin flag.
-
br-m
<ity:itycodes.org> I'm a bit unsure of what they mean by this
-
br-m
<ity:itycodes.org> Repeatedly quoting Bernstein as their only reference remains sad
-
br-m
<ity:itycodes.org> @ity:itycodes.org: He has kinda gone crazy ever since NIST did a NIST and intentionally introduced security vulnerabilities in ciphers, which he took personally (given he had stakes in the selection - his SNTRUP vs ML-KEM/Kyber)
-
br-m
<ity:itycodes.org> I am unsure how many actual implementations of Kyber have incorporated NIST's weakening (introducing an attack surface by the means of PRNG vulnerabilities in the standardized version)
-
br-m
<ity:itycodes.org> Nobody actually takes them seriously when they recommend against hybrid ciphers so I just hope nobody takes them seriously here either.
-
br-m
<kayabanerve:matrix.org> tevador is probably the best cryptographer working for Monero that isn't known outright as a cryptographer (like Goodell). I wouldn't be surprised if they had a degree and simply prefer their privacy/unlimited interaction (no obligation, no contracts, etc.). They're amazingly talented and despite sometimes disagreeing, I have nothing but respect for them.
-
br-m
<kayabanerve:matrix.org> 128 bits of entropy plus a bit more for multi-user concerns is fine if.
-
br-m
<kayabanerve:matrix.org> djb arguably, w.r.t. their profession, has always been a bit crazy. They sued the government decades ago.
-
br-m
<ity:itycodes.org> @kayabanerve:matrix.org: They are still suing the government
-
br-m
<ity:itycodes.org> Their case against P-256 was much stronger than their case against Kyber
-
br-m
<kayabanerve:matrix.org> They do allege severe mishandling of NIST, which is potentially somewhat valid, but it appears as somewhat personal. One of the best replies I saw to their 20-page open letter picking every issue apart was
-
br-m
<kayabanerve:matrix.org> 'I declare a Gish gallop. Because you drown us in claims, I ask you to defend your weakest claim. Can you prove the colors in this graph were chosen with malicious intent to NTRU?'
-
br-m
<kayabanerve:matrix.org> Or so.
-
br-m
<ity:itycodes.org> Lmfao
-
br-m
<kayabanerve:matrix.org> Not because I disagree with the letter, but because it showed how djb was being perceived while itself being immediately rational.
-
br-m
<kayabanerve:matrix.org> @ity:itycodes.org: That's my point, they've always done stuff like this.
-
br-m
<ity:itycodes.org> TIL, I only got into crypto recently so I have been live following the PQC funsies (I was working on getting PQC into Matrix)
-
br-m
<ity:itycodes.org> Haven't followed his ECC shenanigans, given he won
-
br-m
<ity:itycodes.org> > <@kayabanerve:matrix.org> 128 bits of entropy plus a bit more for multi-user concerns is fine if.
Honestly, most likely yea. I converted it into "password length" to get a more user-understandable measure, tho unsure if using printable ASCII as the alphabet was a good choice for presenting it.
-
br-m
<ity:itycodes.org> It's always about threat modeling. 128 bits should be enough to remain secure within a considerable enough time.
-
br-m
<ity:itycodes.org> I am annoyed by the lack of information on the KDF params in the README
-
br-m
<kayabanerve:matrix.org> I wouldn't have designed Polyseed but I think it's well-designed, intelligent, and the security issues are of marginal concern.
-
br-m
<ity:itycodes.org> I would agree, I just like to present things directly for users to make an informed choice
-
br-m
<kayabanerve:matrix.org> I would've had different design goals and tevador and I disagree on some aspects, such as I likely would've used more entropy.
-
br-m
<torir:matrix.org> Knowing the Monero community, Polyseed is only fully described in some random Github gist somewhere that will be impossible to find. And in the actual code, of course.
-
br-m
<kayabanerve:matrix.org> That's fair, if your comments/questions are honest and transparent :)
-
br-m
<ity:itycodes.org> @torir:matrix.org: Lmao
-
br-m
<ity:itycodes.org> @kayabanerve:matrix.org: Same
-
br-m
<kayabanerve:matrix.org> *no allegations they're not, just saying be careful asking about where it's weaker so you don't suggest it's weaker where it's fine inadvertently
-
br-m
<kayabanerve:matrix.org> It's described in the README without issue, actually.
-
br-m
<ity:itycodes.org> It's missing the KDF params
-
br-m
<kayabanerve:matrix.org> Also, monero-oxide for FCMP++ has an audits folder for our background.
-
br-m
<kayabanerve:matrix.org> cc @boog900:monero.social: We should throw in historical Monero papers/audits as relevant to what oxide re-implements, even if not directly related to oxide.
-
br-m
<kayabanerve:matrix.org> Here is my collection to document the FCMP++ efforts' design, review, and audits.
-
br-m
<kayabanerve:matrix.org> @rucknium:monero.social: also maintains a repository of papers.
-
br-m
<kayabanerve:matrix.org> @ity:itycodes.org: It's described in the README with only some issues, actually.
-
br-m
<kayabanerve:matrix.org> Thank you for the correction
-
br-m
<monerojuana_:matrix.org> @basses:matrix.org: J no I’m trying to tell you truth don’t juicy juice, juice juice
-
br-m
<sbt:nope.chat> ZachXBT uses zcash
-
br-m
<sanjay:bladerunn.in> Guis, I came across the following post on an image board. Does anyone know its sauce?... or is it a larp?
-
br-m
<sanjay:bladerunn.in> Digital Euro
-
br-m
<sanjay:bladerunn.in> Increasing the uptake of digital euro and euro linked stable coins.
-
br-m
<sanjay:bladerunn.in> [... more lines follow, see
mrelay.p2pool.observer/e/4sOyusIKbE9BT3lN ]
-
br-m
<sanjay:bladerunn.in> OP of that post on that image board went AWOL, saying it's just a LARP... is it a larp or not?