04:11:17 Can anybody help with a https://www.supportxmr.com/ question?
04:25:54 https://dontasktoask.com/
06:11:42 @ravfx:xmr.mx: That's like https://nohello.net 😌
06:12:54 indeed
17:56:04 Just out of interest, is there a stagenet / testnet version available with FCMP and Carrot up and running? I'm just filtering through all of the nonsense doing the rounds in the usual places and had a thought: if there is a test version out there, can't the FUD be completely and totally thrown out by a simple demo of a new wallet and the data the new view key would make visible?
18:01:15 I think you gotta be in #monero-stressnet:monero.social
18:02:28 monero stressnet currently does not have Carrot implemented afaik
18:02:41 oh
18:04:53 omfggg it's clearly not that. these people don't know anything about monero
18:13:16 #monero-stressnet:monero.social
20:10:35 It has carrot transaction output format implemented
20:10:55 Not the wallet new scheme
20:28:27 What is mav smoking
20:28:28 https://mrelay.p2pool.observer/m/matrix.org/cAFElrKcdmxalqcaNXxrCWTo.png (31483.png)
20:32:46 I need the view key update, I don't want to plug trezor every time I want to check my balance
20:33:06 https://xcancel.com/fluffypony/status/2015684629479510514
20:34:32 I guess that's not happening now, but I wouldn't be opposed to it.
20:34:42 what is not happening now?
20:35:02 If new users come and want to share their transactions, let them. I'm not going to do it.
20:35:11 There was no hardfork to add this, it's not even in the codebase test
20:35:32 yea, i mean it is dead as a conversation
20:35:47 There was never an automatic conversion
20:36:03 You are missing the point!
20:36:39 I'm saying... as long as it doesn't compromise my anonymity, I don't care, others can share their transactions.
20:37:12 Indeed, but they can also still do so
20:38:24 you can share proof of transactions with Monero?
20:38:28 Yes.
20:38:34 One sec.
20:38:36 Next MRL meeting is adding Carrot to the discussed items and also OVK.
If you want to observe these AFAIK it'd be Wednesday at 17:00 UTC @ #monero-research-lab and on https://libera.monerologs.net/monero-research-lab (it's a research focused channel, so direct questions or other items are better left for lounge or general monero channels)
20:39:10 Lost_Puppy: view keys already exist, tx keys already exist, and directly InProof/OutProof can be made
20:39:33 https://www.getmonero.org/resources/user-guides/prove-payment.html
20:40:03 These exist cause I could claim I sent you coins on a P2P exchange but you are lying. This allows the sender to prove they sent the coins to you, or for you to show its proper reception
20:40:49 Oh, thanks. Didn't know about that. It's been a while since I've held it.
20:41:02 The view key is geared towards cold wallets and chosen auditors for businesses, so you don't have to hand out spend keys to your entire wallet or have these online
20:41:05 Looking more and more into it with the latest price action.
20:42:09 for example, the Monero general fund shares their view key. With that, we can decode incoming (and parts of outgoing) outputs https://blocks.p2pool.observer/tx/53084115a175428ae1f423a96816f6b5f1072e13012de8d52011fc296b90f614
20:42:29 we still don't know where the funds go to, even full view keys don't say that
20:42:57 after FCMP++, you also can't do output or ring tracing to statistically take a guess at the source
20:43:52 @monerobull:matrix.org: the way he cropped up out of nowhere with the view-botted "sieg heil, also, buy monero" posts, and now this...
lmao
20:43:55 I dunno man
20:43:57 Carrot (the wallet one) also allows your internal history of change outputs and self-sends (your wallet history, attribution) to be kept private even against quantum adversaries https://github.com/jeffro256/carrot/blob/master/carrot.md#221-internal-forward-secrecy
20:45:28 Also shared a nice overview https://mrelay.p2pool.observer/m/gohegan.uk/tIxkJWnZuzmIFmmRSFojQxsd.png but it fails to split the tx format (what is being hardforked, and that legacy wallets also will use and benefit) from carrot wallet (which is what has OVK, or Jamtis later down the line, which is the Post-Quantum scheme currently developed)
20:45:36 Thanks for the info. I'll do some homework.
21:01:24 @shitpost:monero.coffee: me too.
21:01:30 let alone "paper" wallets
21:04:42 our CCS wallet keepers would have known the monero funds were stolen earlier, not months later :D
> we still don't know where the funds go to, even full view keys don't say that
21:04:43 well actually everyone would have known it
21:06:07 you can even tell the drainage https://blocks.p2pool.observer/tx/ffc82e64dde43d3939354ca1445d41278aef0b80a7d16d7ca12ab9a88f5bc56a
21:06:29 as you can tell when outgoing are made
21:23:41 DataHoarder: Is it normal that this page says "Part of the CSS Wallet Drain Incident."?
21:23:50 22:04:42 our CCS wallet keepers would have known the monero funds were stolen earlier, not months later :D
> we still don't know where the funds go to, even full view keys don't say that
21:23:52 https://mrelay.p2pool.observer/m/albertlarsan.fr/XbqFKxpMDNrZmmrqHpVmEeNp.png (image.png)
21:24:02 it's in response to that
21:24:13 I added annotations to the transactions that did the sweep out
21:24:34 follow the link to the blog (from 2023)
21:24:42 It says CSS, not CCS
21:25:04 well, then THAT is the issue as usual
21:25:06 see plowsof you are not the only one that does CSS :P
21:25:38 that always preys on our minds albertlarsan68 :)
21:25:44 updated it for next restart
21:51:13 and as far as I know it was on a windows server or pc and it was never audited
> 22:04:42 our CCS wallet keepers would have known the monero funds were stolen earlier, not months later :D
> we still don't know where the funds go to, even full view keys don't say that
21:51:49 I mean auditing movements, not the setup
22:02:50 @monerobull:matrix.org: Crack or meth
22:13:28 selsta: It has CARROT, the addressing protocol, implemented and integrated, but not the new OVK wallet format integration yet. The crypto is implemented and tested
22:14:22 @kaigoh:gohegan.uk: For context, the question was about testing / demoing OVK wallets
22:15:45 It's pretty simple. It shows the same data as restoring from seed.
Txids, amounts, times, but not recipient addresses
22:16:14 (or sender addresses)
22:16:36 and FCMP++ removes the ability to do statistical ring analysis
22:16:56 :P if it showed sender addresses, that would be a backdoor fed move :D lmao
22:17:30 And to be clear, by sender i mean the address that sent to me
22:17:49 🏃
22:18:02 @ofrnxmr:xmr.mx: Some people want the tx private keys to be deterministic, so that reloading your seed phrase reloads the tx private keys, and you can make tx proofs even if your wallet cache is deleted
22:18:19 who are these "some people"
22:18:25 I'm pretty uncomfortable with that, but I do see the utility
22:18:34 idk there's some GH issue somewhere
22:19:52 I do understand that it can be a pain to not be able to provide tx proofs if you restore from seed or from a different wallet w/ the same seed. I can't say that would be a bad thing if it's only possible for spend wallets to achieve
22:20:46 But actually, i like that i can disable saving of recipient info or tx keys, and not even be able to provide such info
22:20:54 you'd still need the recipient address to make the proof, no?
22:20:58 (i actually don't save recipient info or txkeys)
22:21:10 even if tx key is deterministic based on some method
22:21:31 we've had multiple CSS incidents DataHoarder 😔
22:22:05 outside of specific protocol I don't see the need for deterministic tx key on sender side, as the burning bug is fixed already
22:22:11 DataHoarder: yes
22:22:13 as in, deterministic randomness
22:22:24 and recipient side derivation is enforced for normal wallets
22:23:08 p2pool as implemented uses deterministic keys per output/block/p2pool as it requires these to re-derive outputs and verify, but that's not on wallet side
22:23:16 it's so that if you screw up and lost your wallet cache, you can still prove to a third-party that you actually sent funds.
it has apparently happened to more than 1 person
> outside of specific protocol I don't see the need for deterministic tx key on sender side, as the burning bug is fixed already
22:23:39 yeah. no way to make an OutProof without these
22:24:09 also, miners can't make OutProof :P cause monero never saves tx keys used in generating the template
22:24:11 unless you are p2pool
22:24:24 huh
22:24:31 i didn't know that lol
22:24:41 (or returns, the tx key is ephemeral in the get template method)
22:24:44 makes sense, but I never thought about it
22:25:08 You can recover the ECDH if you're the holder of the address, but I see your point
22:25:11 I mention that under https://blocks.p2pool.observer/proofs
22:25:13 > Monero does not save transaction keys when calling get_block_template. This method is currently only used by P2Pool thanks to it creating templates on its own.
22:25:19 yep, on new derivation method you can
22:25:22 but not before
22:25:31 Might be useful if you're a pool miner to prove you didn't make a wack template
22:25:48 (outproof vs inproof)
22:25:50 also if it had been saved/provided separately
22:25:56 it would have fixed the Tari burn bug
22:26:15 ah did it re-use tx keys?
22:26:22 where the pubkey was overwritten on the tx, it could have been fetched from the tx priv
22:26:52 see this example 85c9e0e2fa7d843b6698d6aa9c51e0dcda030126805654d9e91a68d720268764
22:26:57 err https://blocks.p2pool.observer/block/85c9e0e2fa7d843b6698d6aa9c51e0dcda030126805654d9e91a68d720268764
22:27:25 7 bytes of tx pub were overwritten
22:27:27 you can recover with view key + bruteforcing these (and doing derivations)
22:27:57 56 bit keyspace with some reductions, but still vastly too slow even for the thrown together GPU code
22:27:59 ohhhh
22:28:10 That's unfortunate
22:28:27 (which I made for fun https://git.gammaspectra.live/WeebDataHoarder/tari-tx-brute )
22:28:50 They've got 72057594037927936 combos to try. Better start soon...
22:28:56 I wonder what sort of entropy you'd have available
22:28:58 :)
22:29:28 given that post FCMP++ txs can be signed without the membership proof for example
22:29:50 Not all bits make valid points on the Ed25519 subgroup, so definitely less than that, but still sucks
22:30:25 yeah, it's about a 50% decoding
22:30:27 then view tag
22:30:57 so about 8 bit reduction
22:31:24 50% decoding? I would've thought that the vast majority of time spent was doing the Ed25519 scalar-point mult
22:31:26 sadly the CUDA waves don't have that good granularity
22:31:34 maybe an FPGA can do the bulk, then requeue
22:31:36 I mean bit space
22:31:38 50% fail/succeed
22:31:44 so -1 bit
22:31:52 Do you know how much Tari was affected?
22:32:10 it was not tari, but Monero
22:32:12 one sec, I have the amounts
22:32:14 Oh i see
> 50% fail/succeed
22:32:25 02:12:26 there's a total of 139.641137792160 XMR that I could find "lost" to the Tari bug
22:32:50 I can recalculate the list (it's part of the finder program in that repo) but seems debian paste deleted it now
22:34:39 but about deterministic entropy, what do you have even in an offline wallet?
and wallet could have been synced without all txs (synced at a specific height for example)
22:35:13 I guess you could take the inputs as entropy, local derivations, but ofc, destination cannot be stored in any way
22:36:24 You could use a function of your spend key or view key (for hiding), plus the spent key images (for inter-tx burning), plus local output index (for intra-tx burning)
22:37:20 key images + local output index are public, so all the offline needs to remember permanently is the spend key or view key, depending on which they use
22:39:08 that'd affect internal moves transparency
22:39:40 which I guess don't need this
22:40:39 wdym
22:40:39 it's adding an extra scheme that can be played with outside of the current context, so care would need to be had to not introduce any shortcuts against any quantum capable adversary
22:41:38 Oh yeah I see. Yeah that's correct.
22:42:55 If you were using the new 6-key wallet in the CARROT spec, you'd want to use the view-balance secret instead of the potentially leakable k_v
22:43:53 I don't think it really matters for legacy wallets either way, since any QC with one of their Monero addresses can peel off k_s and k_v, which reveals the whole tx history anyways
22:43:55 in that case even if you import key images with a view incoming key wallet, you can't create this deterministic derivation
22:45:31 Well if your hot wallet only has k_v, then the cold wallet would have to do it. If the hot wallet had s_vb, then the hot wallet could do it
22:45:46 It depends on how you set it up
22:46:44 generate deterministic derivation secret? :)
22:48:08 I guess as long as it's doing the similar derivations via H(...) you can't walk it backwards even from a quantum adversary perspective
22:50:05 @jeffro256: To expand on this, in either case, to make a tx proof as a QC, you need to know both the ephemeral public key (which is on the chain), and one of the Monero addresses of the receiver.
Without deterministic tx keys, a QC can still derive the tx key if it knows the receiver by computing the ECDH directly, then finding r s.t. ECDH = 8 r K^j_v.
22:50:29 DataHoarder: Hmmmmm......
22:50:32 @jeffro256:monero.social: monero-wallet supports deterministic entropy for ephemeral keys.
22:50:41 You federal agent
22:50:53 lol
22:56:39 but yep jeffro256 that is what I mean, it's a "shortcut" pathway to jump derivation tiers