02:06:52 Is 16 words safe enough for polyseed?
02:06:58 Seems small
05:48:30 "Is 16 words safe enough for polyseed?" Cryptographers say yes: https://github.com/tevador/polyseed?tab=readme-ov-file#secret-seed
06:46:33 "Cryptographers say yes" omg
06:47:21 learning will continue until morale improves
06:51:47 Haha
07:03:18 I never used crypto owo
07:03:35 I am unsatisfied with their README, but generally speaking, a 2048-word list * 16 gives you 176 bits of entropy, which corresponds to about ~26 characters of random printable ASCII characters. Their stated target is 128 bits, which corresponds to ~19 characters. Their actual seed length is 150 bits, which is ~22 characters. They [... too long, see https://mrelay.p2pool.observer/e/t6q1ncIKVUlua051 ]
07:04:11 SHA256 is 256-bit, HMAC and PBKDF2 both have variable widths
07:06:12 The README implies that they made it 128 bits, meaning they seem to just discard 2.36 words' worth of entropy (why not make it 256-bit then cut it in half at the end?)
07:06:12 They also don't specify the resulting bit width, so I have no idea if it actually is 128-bit or not.
07:06:59 They also have some slightly confusing sections which might impact entropy, but since it seems to be additive metadata it's probably irrelevant
07:08:59 > To prevent the seed from being accidentally used with a different cryptocurrency, a coin flag is XORed with the second word after the checksum is calculated. Checksum validation will fail unless the wallet software XORs the same coin flag with the second word when restoring.
07:08:59 Well, that will eat 10 bits of your entropy, but there's 22 bits to spare so whatever
07:10:22 > The mnemonic phrase can be treated as a polynomial over GF(2048), which enables the use of an efficient Reed-Solomon error correction code with one check word. All single-word errors can be detected and all single-word erasures can be corrected without false positives.
07:10:22 This is another 10 bits of entropy gone, but they already accounted for that given word 1 is taken as the checksum and not counted toward the total
07:12:37 > Key generation is domain-separated by the wallet birthday month, seed features and the coin flag.
07:12:37 I'm a bit unsure of what they mean by this
07:13:02 Repeatedly quoting Bernstein as their only reference remains sad
07:17:48 @ity:itycodes.org: He has kinda gone crazy ever since NIST did a NIST and intentionally introduced security vulnerabilities in ciphers, which he took personally (given he had stakes in the selection - his SNTRUP vs ML-KEM/Kyber)
07:17:48 I am unsure how many actual implementations of Kyber have incorporated NIST's weakening (introducing an attack surface by means of PRNG vulnerabilities in the standardized version)
07:17:48 Nobody actually takes them seriously when they recommend against hybrid ciphers, so I just hope nobody takes them seriously here either.
07:19:30 tevador is probably the best cryptographer working for Monero that isn't known outright as a cryptographer (like Goodell). I wouldn't be surprised if they had a degree and simply prefer their privacy/unlimited interaction (no obligation, no contracts, etc.). They're amazingly talented and despite sometimes disagreeing, I have nothing but respect for them.
07:19:43 128 bits of entropy plus a bit more for multi-user concerns is fine if.
07:20:27 djb arguably, w.r.t. their profession, has always been a bit crazy. They sued the government decades ago.
07:20:56 @kayabanerve:matrix.org: They are still suing the government
07:21:44 Their case against P-256 was much stronger than their case against Kyber
07:21:50 They do allege severe mishandling by NIST, which is potentially somewhat valid, but it appears as somewhat personal. One of the best replies I saw to their 20-page open letter picking every issue apart was
07:21:50 'I declare a Gish gallop. Because you drown us in claims, I ask you to defend your weakest claim. Can you prove the colors in this graph were chosen with malicious intent to NTRU?'
07:21:50 Or so.
07:22:10 Lmfao
07:22:13 Not because I disagree with the letter, but because it showed how djb was being perceived while itself being immediately rational.
07:22:32 @ity:itycodes.org: That's my point, they've always done stuff like this.
07:23:41 TIL, I only got into crypto recently so I have been live following the PQC funsies (I was working on getting PQC into Matrix)
07:24:02 Haven't followed his ECC shenanigans, given he won
07:26:09 Honestly, most likely yea. I converted it into "password length" to get a more user-understandable measure, tho unsure if using printable ASCII as the alphabet was a good choice for presenting it.
07:26:09 > <@kayabanerve:matrix.org> 128 bits of entropy plus a bit more for multi-user concerns is fine if.
07:26:09 It's always about threat modeling. 128 bits should be enough to remain secure for a considerable enough time.
07:26:30 I am annoyed by the lack of information on the KDF params in the README
07:27:06 I wouldn't have designed Polyseed, but I think it's well-designed, intelligent, and the security issues are of marginal concern.
07:27:35 I would agree, I just like to present things directly for users to make an informed choice
07:27:50 I would've had different design goals and tevador and I disagree on some aspects, such as I likely would've used more entropy.
07:28:00 Knowing the Monero community, Polyseed is only fully described in some random GitHub gist somewhere that will be impossible to find. And in the actual code, of course.
07:28:15 That's fair, if your comments/questions are honest and transparent :)
07:28:16 @torir:matrix.org: Lmao
07:28:26 @kayabanerve:matrix.org: Same
07:28:36 *no allegations they're not, just saying be careful asking about where it's weaker so you don't inadvertently suggest it's weaker where it's fine
07:28:52 It's described in the README without issue, actually.
07:29:02 It's missing the KDF params
07:29:09 Also, monero-oxide for FCMP++ has an audits folder for our background.
07:29:49 cc @boog900:monero.social: We should throw in historical Monero papers/audits as relevant to what oxide re-implements, even if not directly related to oxide.
07:30:56 https://github.com/monero-oxide/monero-oxide/tree/fcmp%2B%2B/audits
07:30:56 Here is my collection to document the FCMP++ efforts' design, review, and audits.
07:31:08 @rucknium:monero.social: also maintains a repository of papers.
07:37:24 @ity:itycodes.org: It's described in the README with only some issues, actually.
07:37:32 Thank you for the correction
15:15:51 https://discuss.privacyguides.net/t/how-do-you-compare-zcash-with-other-cryptocurrencies-like-monero/32331
20:13:46 @basses:matrix.org: J no I'm trying to tell you truth don't juicy juice, juice juice
20:26:27 https://libroot.org/posts/getmoneroorg-should-move-beyond-cloudflare/
20:45:22 https://xcancel.com/zachxbt/status/1980612190609576229
20:46:04 ZachXBT uses zcash
23:56:23 Guis, I came across the following post on an image board. Does anyone know its sauce?... or is it a larp?
23:56:29 Digital Euro
23:56:29 Increasing the uptake of digital euro and euro-linked stablecoins.
23:56:29 [... more lines follow, see https://mrelay.p2pool.observer/e/4sOyusIKbE9BT3lN ]
23:58:30 OP of that post on that image board went AWOL, telling it's just a LARP... is it a larp or not?