<ofrnxmr:xmr.mx> if you connected manually to a malicious node, thats probably a "you problem"

<rrjo1zj8p7lhtl15lylp:matrix.org> I agree

<ofrnxmr:xmr.mx> GUI connects to malocious nodes automatically :D

<ofrnxmr:xmr.mx> @ofrnxmr:xmr.mx: And advertises the feature to noobs

<rrjo1zj8p7lhtl15lylp:matrix.org> select a trusted node manually

didn't monero.fail get flooded with a sea of I2P nodes suddenly one day?

<ofrnxmr:xmr.mx> Yea

<just_another_day:matrix.org> getmonero also says this in the faq: "All transactions on the network are private by mandate; there is no way to accidentally send a transparent transaction. This feature is exclusive to Monero. " > <DataHoarder> on monero front page since I remember

<kiersten5821:matrix.org> is there a single system that doesn't have a kind of viewkey feature? even tornado has it. maybe some coinjoin impls?

just_another_day: that is true

there is no way to actually send a transparent transaction

but monero doesn't stop you from leaking your view keys or sending rnadom people proof that you sent the TX

s/actually/accidentally/

because that's not accidental

As in, you can't make a transaction open to everyone

Like Z vs T on others

<just_another_day:matrix.org> can't I publish my view key in the open?

How do you do this in the network?

^

You can send it here, or post it on a website

you can only do this off-chain

<just_another_day:matrix.org> it's not a big difference really

i mean, you can shove your keys in tx_extra

It is a big difference

it is

if you wanna publish your keys so badly, monero won't stop you

Specially that even your transactions mask others

<just_another_day:matrix.org> we want transactions hidden from a single adversary primarily

<just_another_day:matrix.org> and this adversary can persistently ask for the keys

They can ask for your spend keys

Or for you to provide interactive proofs

Regardless

<just_another_day:matrix.org> no one is gonna give them spend keys

that sounds like a problem outside the scope of monero

<rrjo1zj8p7lhtl15lylp:matrix.org> why would someone want to make their transactions public anyway? I'm confused.

No one is going to give them view keys

See?

if the adversary has a 5 dollar wrench on the top of your head

then they'll make you give them anything

<just_another_day:matrix.org> because aml demands so

rrjo1zj8p7lhtl15lylp: for example Monero donation wallet operates in the open

<just_another_day:matrix.org> people happilty compromise their privacy doing kyc

<just_another_day:matrix.org> no one wants to lose their coins

It's transactions are still the same class as others, but they have shared their local keys

Remember that for you to decode your keys that sort of key exists

<just_another_day:matrix.org> Cindy: we're going back and forth, but the adversary powers are not unlimited

<rrjo1zj8p7lhtl15lylp:matrix.org> just make a new wallet, send your coins to your new wallet, be careful.

Then the adversary asks you to move to their wallet that reports but you keep your keys

<just_another_day:matrix.org> i just want to maximize the political cost of forcing users to make their wallets transparent

Or asks you to make an interactive proof for every tx ever automatically

<rrjo1zj8p7lhtl15lylp:matrix.org> don't admit to having a wallet maybe lol

And same way, can't tx again with them if you ever withhold proofs

Note you can prove you have not received or having received a transaction without sharing tx keys

<rrjo1zj8p7lhtl15lylp:matrix.org> I wish I had enough money that I actively needed to be creative to not lose it. I play with pennies.

View keys*

This is again using the proof system

if i want to reveal my transactions or not, i should have the option to

<just_another_day:matrix.org> DataHoarder are you on Reddit? Maybe just write an anti-FUD post?

Which is not an addition on top but something solely possible due to cryptography

<just_another_day:matrix.org> explaining all the stuff

I just deleted the spend keys from my wallet

I feel safe now

Well there's the carrot derivation scheme and the PQ pages on MRL issue tracker and turnstile one

But people won't read

And will get stuck in semantics of what is view key or decoding etc

And what exists due to cryptographic reasons or as a side effect

nioc: do you like looking at a number :P

<rrjo1zj8p7lhtl15lylp:matrix.org> are you looking to get your coins out? or you looking to please regulators by saying hey look here's my wallet, hey look here's my transaction history etc?

<rrjo1zj8p7lhtl15lylp:matrix.org> Because you can just use BTC if you want to be out in the open. Most countries have delisted XMR for a reason I think. Your trying to accomplish the opposite of what xmr is supposed to do?

And what is a designed feature

Like here already :P

Now imagine doing this on reddit

<will not type your username>: but what if i want to have transparent fundraisers

<rrjo1zj8p7lhtl15lylp:matrix.org> use btc

<just_another_day:matrix.org> this is a secondary goal to Monero

Atomic swaps btw ^

<rrjo1zj8p7lhtl15lylp:matrix.org> your trying to fish with dynamite. use a fishing rod

It is a primary goal

To be able to be auditable by you or other reporting selectively entirely by you

<just_another_day:matrix.org> pursuing secondary goals is good, but not hurting the primary goal

Cindy: yes, hold only

(This is your own freedom to use the methods provided as you see fit(

<just_another_day:matrix.org> monero's better not be auditable, so that we don't get aml bs

The primary goal is safe cash system , and now that includes quantum forward secrecy

<rrjo1zj8p7lhtl15lylp:matrix.org> I'm so confused why anyone would want this.

Auditable by people you chose

<rrjo1zj8p7lhtl15lylp:matrix.org> i understand the quantum play

my wallet no longer has keys and is now non auditable \o/

You can also audit that blocks are mined with the right rewards

(That is why miner tx outputs are in the clear)

<just_another_day:matrix.org> Real cash is audited by excel spreadsheads. that's why authorities don't like real cash

<just_another_day:matrix.org> I want Monero to be the same

same reason why people like to be transparent sometimes

You also can prove the receiver you sent them funds

Instead of them claiming they received nothing

why the monero CCS does the same thing

even the monero general fund

I use cash but have never used excel, this time imma not joking

you can get the view keys of those wallets if you want, and look at how much they got

Imagine swapping funds in DEX

Without any way to prove the swap lol

This is what auditable is, and gives actual force to the transaction/money

Instead of sharing pictures that are fake

<just_another_day:matrix.org> Cindy: if they already do this, why would we need more powerful view keys?

To make it transferable in a way you can prove doing so (without other person lying about it)

Again

They are not being ADDED

also to make the balance more accurate

They are a side effect of splitting spend and key image for quantum forward secrecy (and being able to migrate in the future)

in case people pull from the wallet

Also it's not even dependent on hardfork

<just_another_day:matrix.org> CARROT is possible with cryptonote?

This is also what people misunderstand

It's not a consensus protocol (unless turnstile becomes relevant in the far future)

Yes

Carrot is two things

<rrjo1zj8p7lhtl15lylp:matrix.org> this is the explanation that makes sense. I get what your saying here. For escrow related issues. > <DataHoarder> To make it transferable in a way you can prove doing so (without other person lying about it)

this all feels like ddos

An output format (this is just a convenience)

And an addressing mode (new)

<just_another_day:matrix.org> i'll let Ghost speak. He's a new voice here

The new addressing mode is not even implemented in wallet and probably won't be ready and doesn't matter

<just_another_day:matrix.org> I'm just repeating myself really

ya think

It can come later, or someone else can add it

The legacy wallets also use the outputs, either old or new

<rrjo1zj8p7lhtl15lylp:matrix.org> im a noob, don't listen to me

noobs welcome

Carrot native wallets could just ... put this onto tx extra today

This is why it's called an addressing mode too, and addressing modes stay entirely on the wallet / client side

<rrjo1zj8p7lhtl15lylp:matrix.org> in theory does Carrot wallet help get xmr relisted on delisted platforms? is that the goal? more onramps to pump price?

it will not get it relisted, it will still work too well

The hardfork carrot output format doesn't add any new wallet format. The output format however allows deriving legacy or new better (unrelated to wallet features) so eligible addressing schemes (new carrot, partially legacy) can also get quantum forward secrecy

No way that helps

If anything it prevents future quantum adversaries from getting your history

More reason to deliat

<johnjenkinss:unredacted.org> @rrjo1zj8p7lhtl15lylp:matrix.org: I don't think that's the goal, but could be an effect of it, but we wouldn't know until it comes

<rrjo1zj8p7lhtl15lylp:matrix.org> I need to learn what your talking about. I'm aware of quantum risk , but not really knowledgeable on how what your talking about helps.

FCMP++ makes tracking via rings or outputs also not possible

So they can't do chain analysis

You will see an effort to increase spy nodes or attempt to remove features that make people safer

<just_another_day:matrix.org> But isn't the PQ plan quite new? I mean, the OVK debate dates back to 2021/22

quantum, here is a link but good luck reading it :) gist.github.com/jeffro256/146bfd5306ea3a8a2a0ea4d660cd2243

<rrjo1zj8p7lhtl15lylp:matrix.org> DataHoarder: how is this achieved. we don't like chain analysis this I do know

<just_another_day:matrix.org> So OVKs predate PQ

the history has already been explained to you

and the decision process

is this some sort of operation to destroy the brain cells of monero developers

and make them dumber?

<just_another_day:matrix.org> DataHoarder says OVKs are a consequence of PQ

it's ok, DataHoarder is an alien, this is ez 4 him

Jamtis is before that

<johnjenkinss:unredacted.org> Not gonna lie Thankful, at this point its looking like you looking to argue, or have some never ending debate, people have explained you a LOT , multiple times

Again NO

It is a side effect

Of splitting spend key into something that you can use to generate key images

his username is accurate

to monero devs, it is just_another_day of arguing

It's not OVK -> bolt it onto quantum for reasons

It's that the scheme to allow quantum forward secrecy and it staying safe on an active environment necessitates the split

And because it exists, you can use it locally (or same as the other keys)

But without ability to SPEND

Cause spend key ended up separate due to the aforementioned reasons

@rrjo1zj8p7lhtl15lylp:matrix.org: There are no decoys anymore

The entire past Monero history is effectively your decoy ser

So you can't do statistical analysis

Even in the face of a cex or tagging attack done by entities

just_another_day you are getting an amazing depth of knowledge provided to you, it certainly worth something

may I suggest that you give DataHoarder a donation

You can't tag outputs and see where decoys might have used them in a ring signature

<just_another_day:matrix.org> sure

<rrjo1zj8p7lhtl15lylp:matrix.org> the more I read the more I realize I don't know. Weren't the decoys a good thing? or your talking about CA sneaking stuff in? leaving breadcrumbs?

Stuff like this p2pool.observer/sweeps

Which I built on p2pool to show the point

decoys are good but have weaknesses, the only weak part of monero

Every mining output there can be tagged to come from a miner, so when multiple outputs are used you can statistically determine how likely it was them or not

Decoys are good

<just_another_day:matrix.org> DataHoarder: where can I donate you for your time spent here?

But when tagged you can be open to stuff like this, or black marble attacks (see research paper(

FCMP++ effectively makes the decoy set be as large as all outputs in Monero

Meaning you can no longer do any statistical analysis at all

<rrjo1zj8p7lhtl15lylp:matrix.org> thank you

It is a chain membership proof that says "yes I exist in Monero"

<rrjo1zj8p7lhtl15lylp:matrix.org> I'm glad I joined this group

The linked p2pool observer page has a donation address at the end

Or blocks.p2pool.observer on the header menu

Under about

On the sweeps page I linked you can click in some

You can see how I previously tagged some known public mining outputs, then when they are spent in a group it is likely it was this miner

I don't decode amounts, or destination

<rrjo1zj8p7lhtl15lylp:matrix.org> your a smart man, this is all above my intelligence level.

But in many cases in sweeps I attribute the transaction to the miner entity

<rrjo1zj8p7lhtl15lylp:matrix.org> I appreciate the help in understanding a lot.

hang out and it slowly sinks in :)

I mark the sweeps as well, sometimes you can see secondary sweep groups

FCMP++: none of this is possible

Even if you know all outputs of someone via other means

Yes and I should be sleeping too

I just looked one last time, my curse

I have reimplemented the new hardfork features to test on stressnet, carrot output format and derivations for legacy, and carrot

I have raised concerns when I couldn't replicate results or when changes were done, I brought these for my own review

I made a list of changes to do to also make life easier for mining (which saw some implemented)

Example git.gammaspectra.live/P2Pool/consen…src/branch/master/docs/STRESSNET.md

I didn't need to but I went and also reimplemented the PQ Turnstile as part of my end to end tests

This is how I learned about all of this

Can even play a game with the donation stuff neat

So someone sent me this just now-ish blocks.p2pool.observer/tx/693687f1c…2697b2513b4f215f08b984b43aca0318bde

However I could claim to have received nothing. The sender can then generate an OutProofV2 (available under advanced -> prove?) or share the tx key. Others can then verify this on the block explorer by entering the details or on their local Monero GUI or CLI

irc.gammaspectra.live/66017aede397c3d9/IMG_8297.jpeg

That section

this is why selective proofs exist

have a good night and thx

I don't know who sent that, or which address came from or where the change went to

Maybe I'll peek around again I was sleepy but not anymore thanks for the excitement

<just_another_day:matrix.org> a single tx proof is great, but allowing users to make their entire wallet transparent indefinitely is dangerous

<rrjo1zj8p7lhtl15lylp:matrix.org> I'm reasearching everything you posted. It is starting to come together a bit more clearly. Have a great night.

<just_another_day:matrix.org> have a good night

All in all the concern is: the new addressing features of Carrot (not the hardfork tx format, but the upcoming wallet addressing) allows an user to disclose a value that allows tracking not just incoming but all spends, without allowing spending. This value is necessary for forward secrecy in the face of a quantum opponent

Options:

No new wallet addressing ever (it's not tied to hardfork) and no quantum secrecy . Someone could still release a wallet that implements it regardless

Make this value (OVK) be within advanced menus with a warning, and tbh, also add a warning to incoming view keys

And spend keys cause some people shared them

c. Make sharing dangerous values an advanced feature only available in CLI for Monero. For example, seed words or spend keys, or full view keys (OVK)

<rrjo1zj8p7lhtl15lylp:matrix.org> The no new wallet thing, can you further explain? Don't people do this quite frequently?

c. Part two: make them available via an alternate launch mode of GUI (but with a command line arg to start it for advanced users); or alternatively a very angry message

I mean no new wallet addressing mode (Carrot)

Not just no new wallets XD

You could make the argument that allowing users to share these is harmful and stupid, however, users ability to be stupid is also part of their freedom

<rrjo1zj8p7lhtl15lylp:matrix.org> DataHoarder: people get joined bank accounts with their wives, people give debit cards to their kids. I have thought of setting my kids up xmr wallets to show them the ropes.

Otherwise you'd be limited and cannot use Monero as a business if your financial auditor requires access to a spend wallet

<just_another_day:matrix.org> realistically, OVKs will be promoted as a tool for charity audits, get added to every wallet and then AML will start abusing it

but why is that not done today

<rrjo1zj8p7lhtl15lylp:matrix.org> @just_another_day:matrix.org: they can't change every wallet, lets be realistic.

<just_another_day:matrix.org> wallet devs will do it themselves

<just_another_day:matrix.org> oh look a new cool feature to imrpove ux

<just_another_day:matrix.org> DataHoarder: Monero is still niche

"fine, i'll do it myself"

And such wallet devs can do it today or later

That is the part I don't get here. It doesn't matter what Monero devs do

<just_another_day:matrix.org> carrot is an infohazard

Someone else can do it ON Monero protocol/transactions

Like we already have non compatible wallets generated

What carrot

<just_another_day:matrix.org> addressing scheme

The transaction output format?

Or addressing scheme

The only part that hard forks is tx format. Which doesn't bring up carrot addressing scheme with it

<just_another_day:matrix.org> but it enables it?

The tx format is shared with Jamtis (for them to be compatible)

Not at all

They could put the same data in tx extra instead

And do it today

But no point was seen on this as the part that brings partial forward secrecy (even for legacy) it's the tx format

<jeffro256> @just_another_day:matrix.org: Don't use the wallet format if you don't like it

<jeffro256> keep your old wallet

<jeffro256> It will still work on FCMP++

Then carrot addressing format extends this and allows self send, change and internal txs to also be fully forward secret, and opens the way fur future full quantum encryption schemes

The hardfork brings FCMP++ and tx output format

You WANT FCMP and the output format

Keep fighting towards the carrot addressing scheme if that is what you want

<just_another_day:matrix.org> @jeffro256: i don't want everyone to require shari OVK as an AML policy

<johnjenkinss:unredacted.org> isn't carrot and info-hazard only if you decide for it to be an info-hazard? > <@just_another_day:matrix.org> carrot is an infohazard

This is why the FUD is everything overreaching and tying everything

<just_another_day:matrix.org> But the issue isn't about the hardfork per se

You have an issue, as I listed above: a future upgrade (in this case not a hardfork) brings a feature you view as bad or challenging. Listed are ways to go with it

But suddenly it's "stop the hardfork"???? All on Reddit cause FUD mixes it all up, and this is only good for detractors or adversaries of Monero

<rrjo1zj8p7lhtl15lylp:matrix.org> it seems the fear here is a misunderstanding, thinking monero is perfect right now, and that change will make it easier to get your wallet doxxed or that all wallets will be required at some point to do this. Even if that may or may not be the case.

I'm certain @jeffro256 would be open for this (carrot addressing scheme, quantum safety and the generate image key) to be brought on an MRL meeting item or somewhat explanation as this seems to be a contention item

It is clear cryptographically why it's needed but this usually doesn't transfer over to general understanding

<just_another_day:matrix.org> DataHoarder: I posted the "Is optional transparency good for Monero?" post, it didn't get that much of attention, but then people started to generate AI slop based on it

So asking for clarifying the need of it: good, but instantly seeing it as an extra bad feature is a bad way to bring the topic up

hasn't monero always been optionally transparent?

<rrjo1zj8p7lhtl15lylp:matrix.org> you've got me convinced, but I'm not an expert

It has nioc

Part of the whitepaper too

<just_another_day:matrix.org> i like the option b or c > <DataHoarder> Make this value (OVK) be within advanced menus with a warning, and tbh, also add a warning to incoming view keys

Yeah just_another_day that is how FUD works. Any organic traction is increased exponentially

You have doubts, you ask, then send people in panic with other people helping along the way and saying different things

Suddenly the only thing the hardfork brings is OVK: but it's not even part of the hardfork! And a weeks before the FUD was about quantum security and how Monero has done nothing. Which we point carrot tx format, carrot addressing scheme, and FCMP++ to combat current BS

It's not even scheduled, it's not even in the code yet

It's in stressnet on a different codebase still having changes, and the part people are talking about isn't even in the code yet or implemented for wallets (and doesn't need to, it's not in a rush as it's not part of the hardfork)

<just_another_day:matrix.org> maybe a stupid question, but would it be possible to implement PQ-secure cryptography before a quantum computer emerges and migrate everyone from legacy addresses to this new scheme without the intermediate CARROT step

That is the desired pathway

However in case it's too sudden the turnstile is there as fallback

And once that's around you can't transact using old systems anymore

<rrjo1zj8p7lhtl15lylp:matrix.org> how long will people have to migrate?

Also, there is a cutover date for such moves too

Afterwards only the turnstile would work

<rrjo1zj8p7lhtl15lylp:matrix.org> ohhh like literal turnstile, one way in, no going back

There is no information around this. That is why the turnstile exists as a fallback

<rrjo1zj8p7lhtl15lylp:matrix.org> so is it like a toll bridge? 1:1 or will people be racing to swtich?

If the opportunity arises they'd definitely like not using this turnstile (it exposes some details to edite it's all verified and cannot be faked even against a quantum adversary)

No race

They go one way

Well not even one way per se, they just use that to move old outputs

A special way to unlock them instead of any new quantum safe scheme

Which by necessity is incompatible (it's not ed25519)

<rrjo1zj8p7lhtl15lylp:matrix.org> what happens to people that don't actively pay attention to what is happening? will they just be at increased risk? or they can migrate later or how does that look for laymen trying to stay secure and up to date?

But questions like these would be something to actually bring up into any future topics in research lounge maybe, but note that is a research focused channel and usually expects at least some form of understanding

The PQ Turnstile would be for those people

At some point, it'd be turned off. You can read on the gist about that

That is not decided not planned. It just lays down the technical means to accomplish a failover migration

> just increased risk

A quantum adversary can fake membership proofs so they can't be allowed to transact

They can also go backwards and break legacy wallets and have their history compromised pre-hardfork, or conditionally after

They also could fake and inflate amounts if allowed to transact normally

<rrjo1zj8p7lhtl15lylp:matrix.org> do you have any predictions when someone might achieve a functional quantum device capable of all these scary things? What is your mental timeline for this happening? years? months?

That is again why the PQ Turnstile has to do things in a special way to ensure a quantum adversary cannot fake the membership, the amounts or double spend

<rrjo1zj8p7lhtl15lylp:matrix.org> I'm thinking 5-10 years, but I guess that is being optimistic, reality moves quickly.

The specific people you are worried about might have some before normies get to know

As always, it's a few years away since 20y ago

<rrjo1zj8p7lhtl15lylp:matrix.org> I think they are close, just too glitchy/buggy to be reliable right now

It is taken seriously, including by the same agencies

The research, implementation, move and standardization has to happen now to be ready for it in 10 years for example

For Monero the scheme also has to be economically/usability viable and not have say, as a random pull, 1 GiB tx sizes

<kiersten5821:matrix.org> @rrjo1zj8p7lhtl15lylp:matrix.org: 30 years

Or require a day to generate or decode a transaction

Such parameters are discussed here monero-project/research-lab #151