00:00:16 if you connected manually to a malicious node, that's probably a "you problem"
00:00:41 I agree
00:00:42 GUI connects to malicious nodes automatically :D
00:01:02 @ofrnxmr:xmr.mx: And advertises the feature to noobs
00:01:05 select a trusted node manually
00:03:30 didn't monero.fail get flooded with a sea of I2P nodes suddenly one day?
00:44:01 Yea
01:03:03 getmonero also says this in the faq: "All transactions on the network are private by mandate; there is no way to accidentally send a transparent transaction. This feature is exclusive to Monero." > on monero front page since I remember
01:05:31 is there a single system that doesn't have a kind of viewkey feature? even tornado has it. maybe some coinjoin impls?
01:06:57 just_another_day: that is true
01:07:06 there is no way to actually send a transparent transaction
01:07:17 but monero doesn't stop you from leaking your view keys or sending random people proof that you sent the TX
01:07:29 s/actually/accidentally/
01:07:46 because that's not accidental
01:09:37 As in, you can't make a transaction open to everyone
01:09:56 Like Z vs T on others
01:10:05 can't I publish my view key in the open?
01:10:27 How do you do this in the network?
01:10:35 ^
01:10:37 You can send it here, or post it on a website
01:10:40 you can only do this off-chain
01:10:54 it's not a big difference really
01:10:54 i mean, you can shove your keys in tx_extra
01:11:02 It is a big difference
01:11:06 it is
01:11:23 if you wanna publish your keys so badly, monero won't stop you
01:11:29 Specially that even your transactions mask others
01:12:01 we want transactions hidden from a single adversary primarily
01:12:41 and this adversary can persistently ask for the keys
01:12:56 They can ask for your spend keys
01:12:58 Or for you to provide interactive proofs
01:13:02 Regardless
01:13:13 no one is gonna give them spend keys
01:13:17 that sounds like a problem outside the scope of monero
01:13:27 why would someone want to make their transactions public anyway? I'm confused.
01:13:31 No one is going to give them view keys
01:13:33 See?
01:13:33 if the adversary has a 5 dollar wrench on the top of your head
01:13:42 then they'll make you give them anything
01:13:46 because aml demands so
01:14:03 rrjo1zj8p7lhtl15lylp: for example Monero donation wallet operates in the open
01:14:08 people happily compromise their privacy doing kyc
01:14:17 no one wants to lose their coins
01:14:33 Its transactions are still the same class as others, but they have shared their local keys
01:14:36 Remember that for you to decode your keys that sort of key exists
01:14:44 Cindy: we're going back and forth, but the adversary powers are not unlimited
01:15:15 just make a new wallet, send your coins to your new wallet, be careful.
01:15:15 Then the adversary asks you to move to their wallet that reports but you keep your keys
01:15:27 i just want to maximize the political cost of forcing users to make their wallets transparent
01:15:36 Or asks you to make an interactive proof for every tx ever automatically
01:15:53 don't admit to having a wallet maybe lol
01:16:06 And same way, can't tx again with them if you ever withhold proofs
01:16:15 Note you can prove you have not received or having received a transaction without sharing tx keys
01:16:24 I wish I had enough money that I actively needed to be creative to not lose it. I play with pennies.
01:16:39 View keys*
01:16:43 This is again using the proof system
01:17:06 if i want to reveal my transactions or not, i should have the option to
01:17:10 DataHoarder are you on Reddit? Maybe just write an anti-FUD post?
01:17:11 Which is not an addition on top but something solely possible due to cryptography
01:17:30 explaining all the stuff
01:17:56 I just deleted the spend keys from my wallet
01:18:05 I feel safe now
01:18:10 Well there's the carrot derivation scheme and the PQ pages on MRL issue tracker and turnstile one
01:18:12 But people won't read
01:18:42 And will get stuck in semantics of what is view key or decoding etc
01:18:44 And what exists due to cryptographic reasons or as a side effect
01:18:48 nioc: do you like looking at a number :P
01:18:56 are you looking to get your coins out? or you looking to please regulators by saying hey look here's my wallet, hey look here's my transaction history etc?
01:18:56 Because you can just use BTC if you want to be out in the open. Most countries have delisted XMR for a reason I think. You're trying to accomplish the opposite of what xmr is supposed to do?
01:19:15 And what is a designed feature
01:19:17 Like here already :P
01:19:19 Now imagine doing this on reddit
01:19:27 : but what if i want to have transparent fundraisers
01:19:42 use btc
01:19:44 this is a secondary goal to Monero
01:19:49 Atomic swaps btw ^
01:20:14 you're trying to fish with dynamite. use a fishing rod
01:20:19 It is a primary goal
01:20:21 To be able to be auditable by you or other reporting selectively entirely by you
01:20:22 pursuing secondary goals is good, but not hurting the primary goal
01:20:30 Cindy: yes, hold only
01:20:52 (This is your own freedom to use the methods provided as you see fit)
01:20:54 monero's better not be auditable, so that we don't get aml bs
01:21:22 The primary goal is safe cash system, and now that includes quantum forward secrecy
01:21:24 I'm so confused why anyone would want this.
01:21:24 Auditable by people you chose
01:21:36 i understand the quantum play
01:21:47 my wallet no longer has keys and is now non auditable \o/
01:21:54 You can also audit that blocks are mined with the right rewards
01:21:56 (That is why miner tx outputs are in the clear)
01:21:58 Real cash is audited by excel spreadsheets. that's why authorities don't like real cash
01:22:04 I want Monero to be the same
01:22:06 same reason why people like to be transparent sometimes
01:22:24 You also can prove the receiver you sent them funds
01:22:26 Instead of them claiming they received nothing
01:22:30 why the monero CCS does the same thing
01:22:34 even the monero general fund
01:22:38 I use cash but have never used excel, this time imma not joking
01:22:44 you can get the view keys of those wallets if you want, and look at how much they got
01:22:55 Imagine swapping funds in DEX
01:22:57 Without any way to prove the swap lol
01:23:27 This is what auditable is, and gives actual force to the transaction/money
01:23:29 Instead of sharing pictures that are fake
01:23:47 Cindy: if they already do this, why would we need more powerful view keys?
01:24:00 To make it transferable in a way you can prove doing so (without other person lying about it)
01:24:16 Again
01:24:18 They are not being ADDED
01:24:41 also to make the balance more accurate
01:24:48 They are a side effect of splitting spend and key image for quantum forward secrecy (and being able to migrate in the future)
01:24:48 in case people pull from the wallet
01:24:50 Also it's not even dependent on hardfork
01:25:07 CARROT is possible with cryptonote?
01:25:20 This is also what people misunderstand
01:25:22 It's not a consensus protocol (unless turnstile becomes relevant in the far future)
01:25:24 Yes
01:25:26 Carrot is two things
01:25:28 this is the explanation that makes sense. I get what you're saying here. For escrow related issues. > To make it transferable in a way you can prove doing so (without other person lying about it)
01:25:29 this all feels like ddos
01:25:54 An output format (this is just a convenience)
01:25:56 And an addressing mode (new)
01:26:17 i'll let Ghost speak. He's a new voice here
01:26:27 The new addressing mode is not even implemented in wallet and probably won't be ready and doesn't matter
01:26:32 I'm just repeating myself really
01:26:41 ya think
01:26:57 It can come later, or someone else can add it
01:26:59 The legacy wallets also use the outputs, either old or new
01:27:07 im a noob, don't listen to me
01:27:27 noobs welcome
01:27:29 Carrot native wallets could just ... put this onto tx extra today
01:28:00 This is why it's called an addressing mode too, and addressing modes stay entirely on the wallet / client side
01:28:57 in theory does Carrot wallet help get xmr relisted on delisted platforms? is that the goal? more onramps to pump price?
01:29:25 it will not get it relisted, it will still work too well
01:29:26 The hardfork carrot output format doesn't add any new wallet format. The output format however allows deriving legacy or new better (unrelated to wallet features) so eligible addressing schemes (new carrot, partially legacy) can also get quantum forward secrecy
01:29:28 No way that helps
01:29:59 If anything it prevents future quantum adversaries from getting your history
01:30:01 More reason to delist
01:30:13 @rrjo1zj8p7lhtl15lylp:matrix.org: I don't think that's the goal, but could be an effect of it, but we wouldn't know until it comes
01:30:20 I need to learn what you're talking about. I'm aware of quantum risk, but not really knowledgeable on how what you're talking about helps.
01:30:29 FCMP++ makes tracking via rings or outputs also not possible
01:30:31 So they can't do chain analysis
01:30:59 You will see an effort to increase spy nodes or attempt to remove features that make people safer
01:31:16 But isn't the PQ plan quite new? I mean, the OVK debate dates back to 2021/22
01:31:27 quantum, here is a link but good luck reading it :) https://gist.github.com/jeffro256/146bfd5306ea3a8a2a0ea4d660cd2243
01:31:27 DataHoarder: how is this achieved. we don't like chain analysis this I do know
01:31:37 So OVKs predate PQ
01:32:12 the history has already been explained to you
01:32:37 and the decision process
01:32:54 is this some sort of operation to destroy the brain cells of monero developers
01:32:58 and make them dumber?
01:33:13 DataHoarder says OVKs are a consequence of PQ
01:33:23 it's ok, DataHoarder is an alien, this is ez 4 him
01:33:27 Jamtis is before that
01:33:51 Not gonna lie Thankful, at this point it's looking like you looking to argue, or have some never ending debate, people have explained you a LOT, multiple times
01:33:55 Again NO
01:33:57 It is a side effect
01:33:59 Of splitting spend key into something that you can use to generate key images
01:34:44 his username is accurate
01:34:53 to monero devs, it is just_another_day of arguing
01:34:56 It's not OVK -> bolt it onto quantum for reasons
01:34:58 It's that the scheme to allow quantum forward secrecy and it staying safe on an active environment necessitates the split
01:35:28 And because it exists, you can use it locally (or same as the other keys)
01:35:30 But without ability to SPEND
01:36:00 Cause spend key ended up separate due to the aforementioned reasons
01:36:26 @rrjo1zj8p7lhtl15lylp:matrix.org: There are no decoys anymore
01:36:59 The entire past Monero history is effectively your decoy ser
01:37:29 So you can't do statistical analysis
01:37:31 Even in the face of a cex or tagging attack done by entities
01:37:42 just_another_day you are getting an amazing depth of knowledge provided to you, it certainly worth something
01:37:46 may I suggest that you give DataHoarder a donation
01:38:01 You can't tag outputs and see where decoys might have used them in a ring signature
01:38:06 sure
01:38:13 the more I read the more I realize I don't know. Weren't the decoys a good thing? or you're talking about CA sneaking stuff in? leaving breadcrumbs?
01:38:32 Stuff like this https://p2pool.observer/sweeps
01:38:34 Which I built on p2pool to show the point
01:39:00 decoys are good but have weaknesses, the only weak part of monero
01:39:04 Every mining output there can be tagged to come from a miner, so when multiple outputs are used you can statistically determine how likely it was them or not
01:39:08 Decoys are good
01:40:03 DataHoarder: where can I donate you for your time spent here?
01:40:05 But when tagged you can be open to stuff like this, or black marble attacks (see research paper)
01:40:07 FCMP++ effectively makes the decoy set be as large as all outputs in Monero
01:40:11 Meaning you can no longer do any statistical analysis at all
01:40:36 thank you
01:40:39 It is a chain membership proof that says "yes I exist in Monero"
01:40:55 I'm glad I joined this group
01:41:09 The linked p2pool observer page has a donation address at the end
01:41:11 Or blocks.p2pool.observer on the header menu
01:41:13 Under about
01:41:42 On the sweeps page I linked you can click in some
01:42:12 You can see how I previously tagged some known public mining outputs, then when they are spent in a group it is likely it was this miner
01:42:16 I don't decode amounts, or destination
01:42:28 you're a smart man, this is all above my intelligence level.
01:42:45 But in many cases in sweeps I attribute the transaction to the miner entity
01:42:52 I appreciate the help in understanding a lot.
01:42:58 hang out and it slowly sinks in :)
01:43:15 I mark the sweeps as well, sometimes you can see secondary sweep groups
01:43:17 FCMP++: none of this is possible
01:43:21 Even if you know all outputs of someone via other means
01:43:49 Yes and I should be sleeping too
01:43:54 I just looked one last time, my curse
01:44:50 I have reimplemented the new hardfork features to test on stressnet, carrot output format and derivations for legacy, and carrot
01:45:19 I have raised concerns when I couldn't replicate results or when changes were done, I brought these for my own review
01:45:47 I made a list of changes to do to also make life easier for mining (which saw some implemented)
01:46:17 Example https://git.gammaspectra.live/P2Pool/consensus/src/branch/master/docs/STRESSNET.md
01:46:45 I didn't need to but I went and also reimplemented the PQ Turnstile as part of my end to end tests
01:46:47 This is how I learned about all of this
01:49:09 Can even play a game with the donation stuff neat
01:49:11 So someone sent me this just now-ish https://blocks.p2pool.observer/tx/693687f1ca2037a0e826f67f9ecb22697b2513b4f215f08b984b43aca0318bde
01:50:36 However I could claim to have received nothing. The sender can then generate an OutProofV2 (available under advanced -> prove?) or share the tx key. Others can then verify this on the block explorer by entering the details or on their local Monero GUI or CLI
01:51:07 https://irc.gammaspectra.live/66017aede397c3d9/IMG_8297.jpeg
01:51:09 That section
01:52:36 this is why selective proofs exist
01:53:25 have a good night and thx
01:53:33 I don't know who sent that, or which address came from or where the change went to
01:54:31 Maybe I'll peek around again I was sleepy but not anymore thanks for the excitement
01:54:53 a single tx proof is great, but allowing users to make their entire wallet transparent indefinitely is dangerous
01:55:09 I'm researching everything you posted. It is starting to come together a bit more clearly. Have a great night.
01:55:17 have a good night
01:56:27 All in all the concern is: the new addressing features of Carrot (not the hardfork tx format, but the upcoming wallet addressing) allows a user to disclose a value that allows tracking not just incoming but all spends, without allowing spending. This value is necessary for forward secrecy in the face of a quantum opponent
01:56:29 Options:
01:57:27 No new wallet addressing ever (it's not tied to hardfork) and no quantum secrecy. Someone could still release a wallet that implements it regardless
01:57:55 Make this value (OVK) be within advanced menus with a warning, and tbh, also add a warning to incoming view keys
01:57:57 And spend keys cause some people shared them
01:58:56 c. Make sharing dangerous values an advanced feature only available in CLI for Monero. For example, seed words or spend keys, or full view keys (OVK)
01:59:50 The no new wallet thing, can you further explain? Don't people do this quite frequently?
01:59:54 c. Part two: make them available via an alternate launch mode of GUI (but with a command line arg to start it for advanced users); or alternatively a very angry message
02:00:25 I mean no new wallet addressing mode (Carrot)
02:00:27 Not just no new wallets XD
02:00:57 You could make the argument that allowing users to share these is harmful and stupid, however, users' ability to be stupid is also part of their freedom
02:01:59 DataHoarder: people get joined bank accounts with their wives, people give debit cards to their kids. I have thought of setting my kids up xmr wallets to show them the ropes.
02:02:20 Otherwise you'd be limited and cannot use Monero as a business if your financial auditor requires access to a spend wallet
02:02:23 realistically, OVKs will be promoted as a tool for charity audits, get added to every wallet and then AML will start abusing it
02:02:50 but why is that not done today
02:03:04 @just_another_day:matrix.org: they can't change every wallet, let's be realistic.
02:03:25 wallet devs will do it themselves
02:03:49 oh look a new cool feature to improve ux
02:04:10 DataHoarder: Monero is still niche
02:04:11 "fine, i'll do it myself"
02:04:15 And such wallet devs can do it today or later
02:04:17 That is the part I don't get here. It doesn't matter what Monero devs do
02:04:38 carrot is an infohazard
02:04:47 Someone else can do it ON Monero protocol/transactions
02:04:49 Like we already have non compatible wallets generated
02:04:52 What carrot
02:05:21 addressing scheme
02:05:22 The transaction output format?
02:05:24 Or addressing scheme
02:05:52 The only part that hard forks is tx format. Which doesn't bring up carrot addressing scheme with it
02:06:07 but it enables it?
02:06:20 The tx format is shared with Jamtis (for them to be compatible)
02:06:22 Not at all
02:06:53 They could put the same data in tx extra instead
02:06:55 And do it today
02:07:53 But no point was seen on this as the part that brings partial forward secrecy (even for legacy) it's the tx format
02:08:36 @just_another_day:matrix.org: Don't use the wallet format if you don't like it
02:08:41 keep your old wallet
02:08:49 It will still work on FCMP++
02:08:52 Then carrot addressing format extends this and allows self send, change and internal txs to also be fully forward secret, and opens the way for future full quantum encryption schemes
02:08:54 The hardfork brings FCMP++ and tx output format
02:09:22 You WANT FCMP and the output format
02:09:24 Keep fighting towards the carrot addressing scheme if that is what you want
02:09:47 @jeffro256: i don't want everyone to require sharing OVK as an AML policy
02:09:53 isn't carrot an info-hazard only if you decide for it to be an info-hazard? > <@just_another_day:matrix.org> carrot is an infohazard
02:10:51 This is why the FUD is everything overreaching and tying everything
02:11:11 But the issue isn't about the hardfork per se
02:11:22 You have an issue, as I listed above: a future upgrade (in this case not a hardfork) brings a feature you view as bad or challenging. Listed are ways to go with it
02:12:20 But suddenly it's "stop the hardfork"???? All on Reddit cause FUD mixes it all up, and this is only good for detractors or adversaries of Monero
02:13:06 it seems the fear here is a misunderstanding, thinking monero is perfect right now, and that change will make it easier to get your wallet doxxed or that all wallets will be required at some point to do this. Even if that may or may not be the case.
02:13:19 I'm certain @jeffro256 would be open for this (carrot addressing scheme, quantum safety and the generate image key) to be brought on an MRL meeting item or somewhat explanation as this seems to be a contention item
02:13:47 It is clear cryptographically why it's needed but this usually doesn't transfer over to general understanding
02:13:53 DataHoarder: I posted the "Is optional transparency good for Monero?" post, it didn't get that much of attention, but then people started to generate AI slop based on it
02:14:45 So asking for clarifying the need of it: good, but instantly seeing it as an extra bad feature is a bad way to bring the topic up
02:14:57 hasn't monero always been optionally transparent?
02:15:22 you've got me convinced, but I'm not an expert
02:15:46 It has nioc
02:15:48 Part of the whitepaper too
02:16:27 i like the option b or c > Make this value (OVK) be within advanced menus with a warning, and tbh, also add a warning to incoming view keys
02:16:46 Yeah just_another_day that is how FUD works. Any organic traction is increased exponentially
02:17:17 You have doubts, you ask, then send people in panic with other people helping along the way and saying different things
02:18:16 Suddenly the only thing the hardfork brings is OVK: but it's not even part of the hardfork! And a weeks before the FUD was about quantum security and how Monero has done nothing. Which we point carrot tx format, carrot addressing scheme, and FCMP++ to combat current BS
02:19:20 It's not even scheduled, it's not even in the code yet
02:20:11 It's in stressnet on a different codebase still having changes, and the part people are talking about isn't even in the code yet or implemented for wallets (and doesn't need to, it's not in a rush as it's not part of the hardfork)
02:20:28 maybe a stupid question, but would it be possible to implement PQ-secure cryptography before a quantum computer emerges and migrate everyone from legacy addresses to this new scheme without the intermediate CARROT step
02:20:50 That is the desired pathway
02:21:05 However in case it's too sudden the turnstile is there as fallback
02:21:16 And once that's around you can't transact using old systems anymore
02:21:35 how long will people have to migrate?
02:21:36 Also, there is a cutover date for such moves too
02:21:38 Afterwards only the turnstile would work
02:22:08 ohhh like literal turnstile, one way in, no going back
02:22:08 There is no information around this. That is why the turnstile exists as a fallback
02:22:42 so is it like a toll bridge? 1:1 or will people be racing to switch?
02:22:42 If the opportunity arises they'd definitely like not using this turnstile (it exposes some details to edite it's all verified and cannot be faked even against a quantum adversary)
02:22:51 No race
02:23:11 They go one way
02:23:13 Well not even one way per se, they just use that to move old outputs
02:23:43 A special way to unlock them instead of any new quantum safe scheme
02:24:13 Which by necessity is incompatible (it's not ed25519)
02:24:48 what happens to people that don't actively pay attention to what is happening? will they just be at increased risk? or they can migrate later or how does that look for laymen trying to stay secure and up to date?
02:25:44 But questions like these would be something to actually bring up into any future topics in research lounge maybe, but note that is a research focused channel and usually expects at least some form of understanding
02:25:53 The PQ Turnstile would be for those people
02:26:17 At some point, it'd be turned off. You can read on the gist about that
02:26:47 That is not decided nor planned. It just lays down the technical means to accomplish a failover migration
02:26:49 > just increased risk
02:27:19 A quantum adversary can fake membership proofs so they can't be allowed to transact
02:27:49 They can also go backwards and break legacy wallets and have their history compromised pre-hardfork, or conditionally after
02:28:20 They also could fake and inflate amounts if allowed to transact normally
02:29:13 do you have any predictions when someone might achieve a functional quantum device capable of all these scary things? What is your mental timeline for this happening? years? months?
02:29:19 That is again why the PQ Turnstile has to do things in a special way to ensure a quantum adversary cannot fake the membership, the amounts or double spend
02:29:47 I'm thinking 5-10 years, but I guess that is being optimistic, reality moves quickly.
02:29:50 The specific people you are worried about might have some before normies get to know
02:30:19 As always, it's a few years away since 20y ago
02:30:21 I think they are close, just too glitchy/buggy to be reliable right now
02:30:49 It is taken seriously, including by the same agencies
02:31:18 The research, implementation, move and standardization has to happen now to be ready for it in 10 years for example
02:31:48 For Monero the scheme also has to be economically/usability viable and not have say, as a random pull, 1 GiB tx sizes
02:32:15 @rrjo1zj8p7lhtl15lylp:matrix.org: 30 years
02:32:18 Or require a day to generate or decode a transaction
02:32:48 Such parameters are discussed here https://github.com/monero-project/research-lab/issues/151
02:33:47 Also just realized nioc every time I waste my energy with FUD you also advertise donations lol
02:33:49 Same with Qubic
02:34:12 Wait are the viewkey guys the same people saying we should be no block limit
02:34:47 (Also: calling something FUD unless extreme lies is usually about bringing it down to the actual complaint that was made way bigger and wide than necessary due to many factors)
02:35:46 Unrelated random number, but everyone usually participates in these discussions in MRL meetings
02:36:21 You can view via matrix too but there's also a history of meetings on github and also logs on https://libera.monerologs.net/monero-research-lab/20260126
02:37:04 I'm reading the git you sent.
02:37:04 I think I would just observe those discussions for now, I wouldn't want to offend anyone by wasting their time sounding uninformed. lol
02:37:16 Feel free to observe
02:37:43 -lounge tends to be a bit more open, but it also assumes some general knowledge.