<just_another_day:matrix.org> If you care about the FUD, I'd recommend to at least read my original post that started it. Because AI slop posts followed and usual Reddit plebs can have many misconceptions, but to effectively fight the FUD/to resolve the concerns (choose what you like more) one has to understand the core issue. It's not misconceptions alone [... too long, see mrelay.p2pool.observer/e/6tm33eAKb25wWEFs ]

<just_another_day:matrix.org> reddit.com/r/Monero/comments/1qhh50…tional_transparency_good_for_monero

<just_another_day:matrix.org> You can also read my comments if you want - there are a bit more additional thoughts.

<ofrnxmr:xmr.mx> Who are you talking to

<just_another_day:matrix.org> whoever

<just_another_day:matrix.org> MRL members, as they'll discuss it tomorrow

There was already some discussion in #monero-research-lounge if you want to take a look - specially around misconceptions

(also I used bad nomenclature in some of the explanations myself - but they were equivalent)

<ity:itycodes.org> I should read XMR's crypto, the above convo about crypto seemed fun

<ity:itycodes.org> I always put it away assuming I'm too stupid for it

<just_another_day:matrix.org> DataHoarder: Thank you. I'll check this out

as usual, Zero to Monero 2.0 getmonero.org/library/Zero-to-Monero-2-0-0.pdf for pre-FCMP++ stuff

there's no update for FCMP++ but it changes quite some underlying (no more rings, so statistical analysis based on rings or outputs cannot be done)

<just_another_day:matrix.org> DataHoarder: I've read it partially

<ity:itycodes.org> FCMP++?

I mean for ity

yes, the part of the next monero upgrade that between others replaces ring with decoys for full chain membership proofs

tl;dr the entire chain is your decoys instead of 15+1 sampled outputs

<ity:itycodes.org> For context, my cryptography background is mostly working on chat protocols (mostly Matrix, the E2EE and trying to fix a bunch of the core protocol vulns)

though some parts listed here are not FCMP++ intrinsic but due to upgrades elsewhere (the carrot tx output format, for legacy and any new wallet) and also the new Carrot wallet that has generate image keys and OVK, which is what people are discussing

(though the wallet part is not a hardfork item per se)

yeah Zero to Monero is good for you then

it lists what it does instead of assuming you know what that means in ed25519 or similar

<just_another_day:matrix.org> what was confusing to me when I was reading zero-to-monero is that it doesn't provide proofs of schemes being secure. It only illustrates their correctness

<ity:itycodes.org> Yai, I shall try to read it, it's quite long so I hope I can get it past my ADHD

yeah, the proofs are in external papers

Zero to monero is an explanation, the proofs ... are vastly longer

<just_another_day:matrix.org> you can't do crypto without the proof, right?

but again, zero to monero is an explainer

the proofs for example for bulletproof+ is way longer and theoretical

one secx

<ity:itycodes.org> Ya ECC stuff I'm decently well familiar with > <DataHoarder> it lists what it does instead of assuming you know what that means in ed25519 or similar

which builds on the original Bulletproofs paper eprint.iacr.org/2017/1066.pdf

<ity:itycodes.org> I'm mostly used to reading specs

MRL gathers related papers in the library moneroresearch.info

<ity:itycodes.org> Tho, well-written specs (like Signal), not horribly written abominations (like Matrix's Olm & Megolm)

not all directly tie to monero but they are kept for research

yeah... monero has a log of baggage from cryptonote original

lot*

<ity:itycodes.org> Cryptonote?

oh, nice link for FCMP++ related papers moneroresearch.info/index.php?actio…S_CORE&method=keywordProcess&id=125

yeah. it's what Monero comes from getmonero.org/resources/research-lab/pubs/cryptonote-whitepaper.pdf

(annotated getmonero.org/resources/research-lab/pubs/whitepaper_annotated.pdf )

much has changed from this ^ anyhow

<just_another_day:matrix.org> DataHoarder: a nice paper

<just_another_day:matrix.org> @just_another_day:matrix.org: is this true?

<just_another_day:matrix.org> how do you know what you're doing makes sense if you don't do proofs?

you can't invent arbitrary stuff by feels

it is proven and audited

but again, your question was on "zero to monero doesn't have proofs" cause it's an explainer. the external in-depth papers have the proofs, but you may need to be in certain fields of mathematics to look at them in depth

<just_another_day:matrix.org> i'm ok with zero to monero not having proofs. I understand that's an explainer

example on CLSAG proofs getmonero.org/resources/moneropedia/clsag.html + getmonero.org/2020/07/31/clsag-audit.html

<ity:itycodes.org> Ahh > <DataHoarder> yeah. it's what Monero comes from getmonero.org/resources/research-lab/pubs/cryptonote-whitepaper.pdf

<ity:itycodes.org> DataHoarder: Which specific fields ?

<ity:itycodes.org> (I'm curious if I'll be able to follow them or not due to mostly doing abstract algebra)

some of the ring signatures extend well across iterations from original

(I implemented them as well in go)

bulletproofs are quite far away from any of the knowledge, I have to gain more bases first

I know and understand what they do and the way they get to do it but ... yeah no the proofs end up too far

<just_another_day:matrix.org> I was just curious about how MRL designs cryptography for Monero. I have the idea that you adapt existing research. Do you write proofs by yourself? If not, how do you know the design makes sense? Just because of a general understanding how a proof would look like?

I don't write proofs, it's not YOLO lol

MRL doesn't always write the research, either. there's a wider cryptography field than monero

<ity:itycodes.org> Haha yolo proofs

<just_another_day:matrix.org> so vibe designing?

<ity:itycodes.org> Huh?

I can't get to you can I

again, literally open the paper

Bulletproofs paper for example is written mixed irc.gammaspectra.live/81af2584a22f151f/image.png method -> theorem -> proof writing

proving that each part holds true along the way

Many build up on previous papers with proofs on theorems they use

<just_another_day:matrix.org> you don't have to explain this

<just_another_day:matrix.org> i was asking about Monero-specific cryptography

> Corollary 2 (Range Proof). The range proof presented in Section 4.1 has perfect completeness, perfect special honest verifier zero-knowledge, and computational witness extended emulation.

> Proof. The range proof is a special case of the aggregated range proof from section 4.3 with m “ 1. This is therefore a direct corollary of Theorem 3.

Monero specific cryptography is no different

it's applied cryptography, usually around edwards25519 curve

one of the elliptic curves of all time

<just_another_day:matrix.org> what's applied cryptography?

some people don't have the urge to seek knowledge on their own

Bulletproofs for example is a general ZK proof that extends range proofs to general circuits

<ity:itycodes.org> > eprint.iacr.org/2019/654

<ity:itycodes.org> Yep I'm also missing background knowledge for this x3

<ity:itycodes.org> Tho not as much as I would expect

Monero then set them up specifically just for range proofs in the context of ed25519 and its field

ity: recommendation is to start with ring signatures as originally done in monero/cryptonote

then go from there

to MLSAG then CLSAG

<ity:itycodes.org> Yea first time hearing of ring signatures and now I wanna look into them more

<ity:itycodes.org> And seeing if I can use that to fix some holes in some of the chat protocols I designed

<ity:itycodes.org> My first reaction when googling it was "oh yes more cryptography magic"

03:32:50 <br-m> <just_another_day:matrix.org> what's applied cryptography?

applied X is the practical implementation of algorithms or protocols related to X

theoretical cryptography -> applied cryptography (where specifics or interaction with existing systems, and transfer to pseudocode-looking or mathematical formulation that can be used to write code with)

<ity:itycodes.org> @ity:itycodes.org: In fact it already partially fixes the deniability issue I had with the way I was fixing the homeserver puppeting room takeover vuln of matrix

<ity:itycodes.org> Stars I got nerdsniped into designing a thing just by hearing of a cool new crypto primitive

<ity:itycodes.org> Tho ig that's too offtopic, sorry

<ity:itycodes.org> The introduction is actually comprehensible for me unlike the abstract, I like it > <@ity:itycodes.org> > eprint.iacr.org/2019/654

<just_another_day:matrix.org> Am I correct that when you design a Monero-specific cryptographic scheme, you take an existing theoretical cryptographic scheme, adapt it to Monero in a way that "feels right" and conduct an external audit to make sure it's secure?

<just_another_day:matrix.org> It's not an offensive question, I'm just curious

in a way that "feels right"

no

you adapt it in a way that complies with the proof conditions mathematically

<just_another_day:matrix.org> then how?

it's a proof, with set expectations/ranges/preconditions

what do you mean HOW?

<just_another_day:matrix.org> I see

if you understand the mathematics you can prove that the applied construction is equivalent to the proof

<just_another_day:matrix.org> What about CLSAG?

<just_another_day:matrix.org> It was created by MRL, wasn't it?

<ity:itycodes.org> DataHoarder: In theory

there's also en.wikipedia.org/wiki/Automated_theorem_proving

read up eprint.iacr.org/2019/654.pdf

<ity:itycodes.org> DataHoarder: Nooooooo cries

<ity:itycodes.org> (This is basically my direct field of study)

<ity:itycodes.org> I work on proof assistants mostly

<just_another_day:matrix.org> DataHoarder: so MRL is writing proofs after all

It walks through the theorems and lemmas, and proves them directly or by referencing previous work

you are again misunderstanding how stuff works

it's not A -> B

but B -> A from the underlying proofs you can build A

<just_another_day:matrix.org> I didn't say it's A -> B

<just_another_day:matrix.org> sorry I said you meaning Monero devs, not yourself DataHoarder > <@just_another_day:matrix.org> I was just curious about how MRL designs cryptography for Monero. I have the idea that you adapt existing research. Do you write proofs by yourself? If not, how do you know the design makes sense? Just because of a general understanding how a proof would look like?

this is a wider field so I have no idea what resources to even point you to, anyhow en.wikipedia.org/wiki/Mathematical_proof

<just_another_day:matrix.org> I know what a proof is

then see how you achieve these for your theorems there

I'm not even that far down the line (compared to ity working on proof assistants) but there's a missing piece you seem to lack here, just_another_day, given you ask "how do you prove something"

<just_another_day:matrix.org> that's funny

<just_another_day:matrix.org> I was asking about how MRL designs cryptographic schemes, because I thought they do that without writing proofs

<just_another_day:matrix.org> If they do write proofs, I don't any questions

<just_another_day:matrix.org> Proofs for Monero-specific schemes, that is

the obvious answer is by knowing far more than me on the specific field of cryptography and mathematics 😅

Monero-specific schemes are not that far from general elliptic curve, just the focus

on unrelated topic crypto.stackexchange.com/questions/…of-beautiful-proofs-in-cryptography

I choked at the classic ECB one

Proof: [image of tux encrypted using ECB mode of operation]

also when searching, a cryptographic proof or cryptographic proving it means using cryptography algorithms or methods to prove something not the mathematical proof of the algorithm :)

<just_another_day:matrix.org> do you write proofs for cryptographic proofs? :)

<just_another_day:matrix.org> DataHoarder: that's a good one

<just_another_day:matrix.org> the tux

<kayabanerve:matrix.org> DataHoarder: There's the FCMP++ technical overview.

<kayabanerve:matrix.org> (for after ZtM)

it's a moving target still given changes on tx output derivations for example :)

but yeah, I guess it'll get more defined as things freeze

<kayabanerve:matrix.org> Monero, generally, has looked for proofs which meet a desired statement. See the usage of Bulletproofs' range proof within Monero's RingCT, and evolution to Bulletproofs+.

<kayabanerve:matrix.org> With FCMP++, we proved the proof system underlying Curve Trees (Generalized Bulletproofs) secure, and did adapt the arithmetic circuit to the statement defined in the FCMP++ composition.

<kayabanerve:matrix.org> The FCMP++ composition was reviewed and proven secure, along with its SA+L proof.

^ listen up just_another_day from the source themselves

<kayabanerve:matrix.org> The SA+L proof was something I designed and put forth, concatenating a BP+ IPA (n=1) with a GSP, both existing proofs to a statement. Their concatenation achieved the statement necessary within the composition, and again, reviewed and proven secure.

<kayabanerve:matrix.org> CLSAG was in-house. I believe Borromean was posited as a range proof. I can't comment on MLSAG. I know there's a paper for RingCT, which I think MLSAG may have been part of?

<kayabanerve:matrix.org> And then all protocol-level cryptography before then was CryptoNote.

yes, it was part of RingCT paper

<kayabanerve:matrix.org> So Monero's modus operandi wasn't really part of that, other than the modus operandi being to start by forming CN.

and RingCT applied Pedersen commitments + MLSAG to build what we had

<kayabanerve:matrix.org> While Monero cryptography may be messy and disorganized due to the amount of contributors of various backgrounds, I wouldn't present leading questions (or questions which come off as leading questions) which imply it may be insufficiently reviewed before deployment.

<just_another_day:matrix.org> I know that Monero does audits

<just_another_day:matrix.org> So I wasn't implying that

<kayabanerve:matrix.org> You said your question wasn't meant to be offensive, but it still asked if development was vibes-based before an external audit.

<kayabanerve:matrix.org> I would say no, research is research and review occurs until satisfactory.

<just_another_day:matrix.org> If I recall correctly, your proposal for FCMP++ was initially without proofs?

<kayabanerve:matrix.org> This is the part on accusing of seeming leading.

<kayabanerve:matrix.org> *I'm accusing

<just_another_day:matrix.org> Leading for what?

<kayabanerve:matrix.org> DataHoarder[m]: What's the term I'm looking for?

<just_another_day:matrix.org> You're being paranoid

<kayabanerve:matrix.org> Re: social behavior where one tries to appear honest and helpful while actually being antagonistic.

<just_another_day:matrix.org> so vibe designing? <<>> hmmm

@kayabanerve:matrix.org: idk, it's late and I think there is a disconnect in how the conversation goes with thankful_for_xmr given previous days

<kayabanerve:matrix.org> Eh, @just_another_day:matrix.org: you could just be rubbing me the wrong way, but you seem to present yourself in good faith while not acting in good faith.

<kayabanerve:matrix.org> Yes, my research and proposal for FCMP++ was without proofs. I am not someone who has written a security proof.

<kayabanerve:matrix.org> The FCMP++ paper lacks proofs directly to this day.

<kayabanerve:matrix.org> The proposal was always intended to have review and security proofs however, which we've done extensive work on.

it takes several messages to get the point across if you see previous conversation here a couple days ago

<kayabanerve:matrix.org> The proposal also derived from Curve Trees, BP+, and GSP. All three were prior art, the latter two proven. FCMP++ was solely their intelligent composition, though it did modify the arithmetic circuit.

<kayabanerve:matrix.org> Aaron Feickert, who worked at Cypher Stack, a company described as being created to offer employment on paper to Monero researchers, proved the composition secure and the BP+ + GSP composition as satisfying the SA+L statement.

<kayabanerve:matrix.org> Feickert and Goodell have both worked on the underlying Generalized Bulletproots, Goodell currently at Cypher Stack.

<kayabanerve:matrix.org> The optimization with divisors had extensive review from Cypher Stack and Veridise.

<kayabanerve:matrix.org> Feickert audited the current GBP implementation. Veridise reviewed the circuit and audited its impl on top of the audited GBP lib. They also provided a variety of formal proofs.

<kayabanerve:matrix.org> Sealioning? en.wikipedia.org/wiki/Sealioning

just read the MRL meeting logs for the past year or more and you will understand how the process works

no idea why you think things are done unseriously

<kayabanerve:matrix.org> @just_another_day:matrix.org: I don't actually want to be a dick to you for no reason. Your questions come off, to me personally at least, as in bad faith.

that may be too far kayabanerve I think there's a better term

<kayabanerve:matrix.org> If you are trying to act in good faith, I'd recommend revisiting how you phrase your questions. You don't have to, you do you, but as of right now, to me personally, it comes off as antagonistic which isn't optimal for a civil discussion.

<just_another_day:matrix.org> you have a ground to think this way given my activity on Reddit

<kayabanerve:matrix.org> Yeah, I'm trying to caveat this as it could just be me, and I'm sorry if so, but also, I'm tired in _general_ of people who claim to be in good faith and just want to cause trouble.

<kayabanerve:matrix.org> There was an asshole a month ago who took every opportunity possible to praise me while also turning people away from me.

<kayabanerve:matrix.org> "Kayaba works on so many things, it's incredible! That's why we should be patient and wait, because they're so busy, it may be a while. In the mean time, check out X"

<kayabanerve:matrix.org> Then I banned that guy and a few days later my server was raided with Naziism and absolute bs.

<kayabanerve:matrix.org> So my personal issues with an individual from about a month ago, the recent OVK drama (which we can just be on opposite side of the coins of), _and_ these questions seeming to suggest Monero is vibe-based is why I'm being so critical here.

<just_another_day:matrix.org> I mean, my question is pretty neutral > <@just_another_day:matrix.org> I was just curious about how MRL designs cryptography for Monero. I have the idea that you adapt existing research. Do you write proofs by yourself? If not, how do you know the design makes sense? Just because of a general understanding how a proof would look like?

^ in my opinion the answered with an example above

<kayabanerve:matrix.org> That wasn't the one I minded

they*

<kayabanerve:matrix.org> And again, I'm sorry if I am just being unfairly critical of you.

<just_another_day:matrix.org> I misunderstood DataHoarder's response

<just_another_day:matrix.org> I thought he said that MRL doesn't always write proofs for their schemes

<kayabanerve:matrix.org> github.com/monero-oxide/monero-oxide/tree/fcmp++/audits is my own collection of documentation regarding FCMP++

<kayabanerve:matrix.org> Well, it's the monero-oxide FCMP++ audits folder, so it's the monero-oxide stuff + all the FCMP++ supporting evidence.

I said they don't have to, as they take existing pieces just_another_day

like, you aren't proving ECDLP

ed25519 itself

Bulletproofs, was developed externally afaik

<just_another_day:matrix.org> I mean, even such a big project as Telegram released MtProto without a formal mathematical proof of security, as they mainly combined existing stuff

<just_another_day:matrix.org> So I wasn't implying it's always bad

<just_another_day:matrix.org> Just curious

04:04:34 <br-m> <kayabanerve:matrix.org> The FCMP++ composition was reviewed and proven secure, along with its SA+L proof.

Telegram composed proven parts but the composition itself was/is flawed

this whole conversation started from this > 03:09:36 <br-m> <just_another_day:matrix.org> what was confusing to me when I was reading zero-to-monero is that it doesn't provide proofs of schemes being secure. It only illustrates their correctness

to this > 03:18:31 <br-m> <just_another_day:matrix.org> i'm ok with zero to monero not having proofs. I understand that's an explainer

<just_another_day:matrix.org> it was confusing to me because I wanted to learn the cryptography in depth

<kayabanerve:matrix.org> Though granted, my scope only intends to supplant CLSAG as seen in Monero. I even define an statement I say is analogous to the current role of CLSAG for which I say the FCMP++/ composition achieves via its two decomposed parts.

<kayabanerve:matrix.org> For Monero as a whole, I believe there was an external researcher (PhD track?) who reviewed Monero as a whole.

<kayabanerve:matrix.org> And then of course, there's also the considerations about the addressing protocol (CARROT soon™) and so on.

JAMTIS soon™

<just_another_day:matrix.org> you're assuming everything I say is somehow intended to criticize Monero

<kayabanerve:matrix.org> JAMTIS would be quite the discussion...

<just_another_day:matrix.org> when I really wanted to learn how the serious crypto™ is done

<kayabanerve:matrix.org> @just_another_day:matrix.org: I'm not currently. I tried to answer your question before despite my frustration, and I've continued to comment on the topic since.

<kayabanerve:matrix.org> I don't plan to hold it against you. I had a frustration due to my _perception_ of you and I raised it. I also apologized if it was on my end.

<kayabanerve:matrix.org> I can iterate the exact messages that irked me or we can get back to the topic.

<just_another_day:matrix.org> @kayabanerve:matrix.org: thank you for the explanation. I'm not that proficient in cryptography to understand the specifics.

<sbt:nope.chat> fluffy fighting the fud redlib.perennialte.ch/r/Monero/comm…constantly_under/o22zdoq/?context=3

<sbt:nope.chat> That fucking retard doesn't even understand what is timing correlation, glad we got fluffy

<sbt:nope.chat> omg this AI fud slop got 200 upvotes redlib.perennialte.ch/r/Monero/comm…transparency_trap_why_new_view_keys

I can't believe they got fluffy to answer on twitter multiple times but also get so annoyed moved to also answer on reddit

> I don't understand why you're being so needlessly hostile

yeah kayabanerve now this is sealioning

<kayabanerve:matrix.org> if this is sealioning, why aren't there cute sealions I can pet? >:(

<zero-ghost> any of the people running the monero.social matrix instance in here?

<zero-ghost> or is there a specific room to contact them?

what are you trying to contact about?

<zero-ghost> im trying to get my contacts to spread out across different homeservers and wondering if there is any way to get a registration for one or two of them on this homeserver

<zero-ghost> right now everyone is on matrix.org, we all know thats not great

registrations are generally closed due to spam

<zero-ghost> yea ive seen that the past few months of checking every now and then

<zero-ghost> so i wanted to see if any of them were around in person and ask

it may be possible, you can try in #monero-community or dm pigeons on IRC side

(I am on IRC!)

which you can also ask friends to do

that gets them directly with puppets on the monero.social side

<zero-ghost> hmm yea, but they are low/zero-tech people

<zero-ghost> so having to worry about an IRC account and where its bridged etc etc

<zero-ghost> and that room looks invite only

maybe it was made like that after (again spam) incidents, maybe plowsof can shed some light. but it's reachable on IRC side

<zero-ghost> mustve been

community was invite only, made it public just now. monero social registration is disabled but accounts can/have been manually approved since

<intr:unredacted.org> @kayabanerve:matrix.org: sealion -> sealioff

<zero-ghost> plowsof: thats all good to hear, we are in no rush so I'll probably come back around in the next month or so and see if theres any manual approval up for grabs 👍️

<pyratevevo:matrix.org> mrelay.p2pool.observer/m/matrix.org/zINRwchiIamlgDAzxLhpjpwt.png (13844.png)

<pyratevevo:matrix.org> Based on true events.

<intr:unredacted.org> is that your address? lmao

<ofrnxmr:xmr.mx> Lol @datahoarder ^ > <@kayabanerve:matrix.org> Yeah, I'm trying to caveat this as it could just be me, and I'm sorry if so, but also, I'm tired in _general_ of people who claim to be in good faith and just want to cause trouble.

<pyratevevo:matrix.org> @intr:unredacted.org: You bet.

<pyratevevo:matrix.org> Wanted to hide the shotgun, but didn't know what to cover it with.

<intr:unredacted.org> lmao

<intr:unredacted.org> you hid the gun behind 16 potential guns

<pyratevevo:matrix.org> Soon to be 100 million !

<intr:unredacted.org> full metal jacket proofs

"when I really wanted to learn how the serious crypto™ is done" followed by "I'm not that proficient in cryptography to understand the specifics."

hmmmmm

<just_another_day:matrix.org> There can be a general overview of the process instead of specific details. But never mind

sorry maybe I am a bit tired after many days of this

<rucknium> > <@kayabanerve:matrix.org> Though granted, my scope only intends to supplant CLSAG as seen in Monero. I even define an statement I say is analogous to the current role of CLSAG for which I say the FCMP++/ composition achieves via its two decomposed parts.

<rucknium> Probably you mean this as "reviewed Monero as a whole": moneroresearch.info/171 Cremers, C., Loss, J., & Wagner, B. (2023). A Holistic Security Analysis of Monero Transactions.

but I must say much learning has come from conversations like this whether genuine interest or from other motives because often much info comes out

<everchange000:matrix.org> Aren't we all tired?

<everchange000:matrix.org> Let's take a nap, rejuvinate our sense of Justice and get to work! 🤜🤛

thx DH

fud never sleeps

MRL meeting is in progress right now monero-project/meta #1333 and the Carrot and OVK topic will be discussed at the end, feel free to observe @ #monero-research-lab and on libera.monerologs.net/monero-research-lab (it's a research focused channel, so direct questions or other items are better left for lounge or

general monero channels)

Meeting logs are provided afterwards on the github issue.