01:19:00 If you care about the FUD, I'd recommend at least reading my original post that started it. Because AI slop posts followed and usual Reddit plebs can have many misconceptions, but to effectively fight the FUD/to resolve the concerns (choose what you like more) one has to understand the core issue. It's not misconceptions alone [... too long, see https://mrelay.p2pool.observer/e/6tm33eAKb25wWEFs ]
01:19:00 https://www.reddit.com/r/Monero/comments/1qhh50x/is_optional_transparency_good_for_monero
01:19:00 You can also read my comments if you want - there are a bit more additional thoughts.
01:32:45 Who are you talking to
01:36:09 whoever
01:47:57 MRL members, as they'll discuss it tomorrow
01:59:59 There was already some discussion in #monero-research-lounge if you want to take a look - especially around misconceptions
02:00:38 (also I used bad nomenclature in some of the explanations myself - but they were equivalent)
02:02:43 I should read XMR's crypto, the above convo about crypto seemed fun
02:03:44 I always put it away assuming I'm too stupid for it
02:03:56 DataHoarder: Thank you. I'll check this out
02:05:22 as usual, Zero to Monero 2.0 https://www.getmonero.org/library/Zero-to-Monero-2-0-0.pdf for pre-FCMP++ stuff
02:05:52 there's no update for FCMP++ but it changes quite some underlying (no more rings, so statistical analysis based on rings or outputs cannot be done)
02:06:07 DataHoarder: I've read it partially
02:06:12 FCMP++?
02:06:22 I mean for ity
02:06:53 yes, the part of the next monero upgrade that among others replaces ring with decoys for full chain membership proofs
02:07:11 tl;dr the entire chain is your decoys instead of 15+1 sampled outputs
02:07:33 https://www.getmonero.org/2024/04/27/fcmps.html
02:08:20 For context, my cryptography background is mostly working on chat protocols (mostly Matrix, the E2EE and trying to fix a bunch of the core protocol vulns)
02:08:29 though some parts listed here are not FCMP++ intrinsic but due to upgrades elsewhere (the carrot tx output format, for legacy and any new wallet) and also the new Carrot wallet that has generate image keys and OVK, which is what people are discussing
02:08:54 (though the wallet part is not a hardfork item per se)
02:08:59 yeah Zero to Monero is good for you then
02:09:28 it lists what it does instead of assuming you know what that means in ed25519 or similar
02:09:36 what was confusing to me when I was reading zero-to-monero is that it doesn't provide proofs of schemes being secure. It only illustrates their correctness
02:09:51 Yai, I shall try to read it, it's quite long so I hope I can get it past my ADHD
02:10:02 yeah, the proofs are in external papers
02:10:27 Zero to monero is an explanation, the proofs ... are vastly longer
02:10:34 you can't do crypto without the proof, right?
02:10:57 but again, zero to monero is an explainer
02:11:00 the proofs for example for bulletproof+ are way longer and theoretical
02:11:01 one sec
02:11:28 Ya ECC stuff I'm decently well familiar with > it lists what it does instead of assuming you know what that means in ed25519 or similar
02:11:32 https://eprint.iacr.org/2020/735.pdf
02:11:36 which builds on the original Bulletproofs paper https://eprint.iacr.org/2017/1066.pdf
02:11:41 I'm mostly used to reading specs
02:12:10 MRL gathers related papers in the library https://moneroresearch.info/
02:12:17 Tho, well-written specs (like Signal), not horribly written abominations (like Matrix's Olm & Megolm)
02:12:36 not all directly tie to monero but they are kept for research
02:13:03 yeah... monero has a log of baggage from cryptonote original
02:13:05 lot*
02:13:23 Cryptonote?
02:13:35 oh, nice link for FCMP++ related papers https://moneroresearch.info/index.php?action=list_LISTSOMERESOURCES_CORE&method=keywordProcess&id=125
02:14:05 yeah. it's what Monero comes from https://www.getmonero.org/resources/research-lab/pubs/cryptonote-whitepaper.pdf
02:14:13 (annotated https://www.getmonero.org/resources/research-lab/pubs/whitepaper_annotated.pdf )
02:14:37 much has changed from this ^ anyhow
02:15:28 DataHoarder: a nice paper
02:16:28 @just_another_day:matrix.org: is this true?
02:16:55 how do you know what you're doing makes sense if you don't do proofs?
02:16:59 you can't invent arbitrary stuff by feels
02:17:08 it is proven and audited
02:18:00 but again, your question was on "zero to monero doesn't have proofs" cause it's an explainer. the external in-depth papers have the proofs, but you may need to be in certain fields of mathematics to look at them in depth
02:18:31 i'm ok with zero to monero not having proofs. I understand that's an explainer
02:22:25 example on CLSAG proofs https://www.getmonero.org/resources/moneropedia/clsag.html + https://www.getmonero.org/2020/07/31/clsag-audit.html
02:23:40 Ahh > yeah. it's what Monero comes from https://www.getmonero.org/resources/research-lab/pubs/cryptonote-whitepaper.pdf
02:25:27 DataHoarder: Which specific fields?
02:25:27 (I'm curious if I'll be able to follow them or not due to mostly doing abstract algebra)
02:26:23 some of the ring signatures extend well across iterations from original
02:26:32 (I implemented them as well in go)
02:26:57 bulletproofs are quite far away from any of the knowledge, I have to gain more bases first
02:27:26 I know and understand what they do and the way they get to do it but ... yeah no the proofs end up too far
02:27:42 I was just curious about how MRL designs cryptography for Monero. I have the idea that you adapt existing research. Do you write proofs by yourself? If not, how do you know the design makes sense? Just because of a general understanding how a proof would look like?
02:28:07 I don't write proofs, it's not YOLO lol
02:28:35 MRL doesn't always write the research, either. there's a wider cryptography field than monero
02:29:11 Haha yolo proofs
02:29:41 so vibe designing?
02:29:52 Huh?
02:29:54 I can't get to you can I
02:30:01 again, literally open the paper
02:30:14 Bulletproofs paper for example is written mixed https://irc.gammaspectra.live/81af2584a22f151f/image.png method -> theorem -> proof writing
02:30:34 proving that each part holds true along the way
02:31:13 Many build up on previous papers with proofs on theorems they use
02:31:27 you don't have to explain this
02:31:37 i was asking about Monero-specific cryptography
02:31:40 > Corollary 2 (Range Proof). The range proof presented in Section 4.1 has perfect completeness, perfect special honest verifier zero-knowledge, and computational witness extended emulation.
02:31:40 > Proof. The range proof is a special case of the aggregated range proof from section 4.3 with m = 1. This is therefore a direct corollary of Theorem 3.
02:32:02 Monero specific cryptography is no different
02:32:04 it's applied cryptography, usually around edwards25519 curve
02:32:14 one of the elliptic curves of all time
02:32:50 what's applied cryptography?
02:33:13 some people don't have the urge to seek knowledge on their own
02:33:35 Bulletproofs for example is a general ZK proof that extends range proofs to general circuits
02:33:57 > https://eprint.iacr.org/2019/654
02:33:57 Yep I'm also missing background knowledge for this x3
02:33:57 Tho not as much as I would expect
02:34:05 Monero then set them up specifically just for range proofs in the context of ed25519 and its field
02:34:35 ity: recommendation is to start with ring signatures as originally done in monero/cryptonote
02:34:37 then go from there
02:35:06 to MLSAG then CLSAG
02:36:04 https://en.wikipedia.org/wiki/Ring_signature
02:36:09 Yea first time hearing of ring signatures and now I wanna look into them more
02:36:09 And seeing if I can use that to fix some holes in some of the chat protocols I designed
02:36:36 My first reaction when googling it was "oh yes more cryptography magic"
02:37:37 03:32:50 what's applied cryptography?
02:37:37 applied X is the practical implementation of algorithms or protocols related to X
02:38:40 theoretical cryptography -> applied cryptography (where specifics or interaction with existing systems, and transfer to pseudocode-looking or mathematical formulation that can be used to write code with)
02:39:24 @ity:itycodes.org: In fact it already partially fixes the deniability issue I had with the way I was fixing the homeserver puppeting room takeover vuln of matrix
02:39:24 Stars I got nerdsniped into designing a thing just by hearing of a cool new crypto primitive
02:39:40 Tho ig that's too offtopic, sorry
02:41:10 The introduction is actually comprehensible for me unlike the abstract, I like it > <@ity:itycodes.org> > https://eprint.iacr.org/2019/654
02:41:19 Am I correct that when you design a Monero-specific cryptographic scheme, you take an existing theoretical cryptographic scheme, adapt it to Monero in a way that "feels right" and conduct an external audit to make sure it's secure?
02:41:19 It's not an offensive question, I'm just curious
02:41:29 in a way that "feels right"
02:41:30 no
02:41:57 you adapt it in a way that complies with the proof conditions mathematically
02:41:58 then how?
02:42:00 it's a proof, with set expectations/ranges/preconditions
02:42:13 what do you mean HOW?
02:42:28 I see
02:42:42 if you understand the mathematics you can prove that the applied construction is equivalent to the proof
02:42:57 What about CLSAG?
02:43:11 It was created by MRL, wasn't it?
02:43:12 DataHoarder: In theory
02:43:16 there's also https://en.wikipedia.org/wiki/Automated_theorem_proving
02:43:46 read up https://eprint.iacr.org/2019/654.pdf
02:43:55 DataHoarder: Nooooooo cries
02:43:56 (This is basically my direct field of study)
02:44:22 I work on proof assistants mostly
02:44:46 DataHoarder: so MRL is writing proofs after all
02:44:59 It walks through the theorems and lemmas, and proves them directly or by referencing previous work
02:45:29 you are again misunderstanding how stuff works
02:45:31 it's not A -> B
02:45:41 but B -> A from the underlying proofs you can build A
02:47:11 I didn't say it's A -> B
02:48:59 sorry I said you meaning Monero devs, not yourself DataHoarder > <@just_another_day:matrix.org> I was just curious about how MRL designs cryptography for Monero. I have the idea that you adapt existing research. Do you write proofs by yourself? If not, how do you know the design makes sense? Just because of a general understanding how a proof would look like?
02:49:15 this is a wider field so I have no idea what resources to even point you to, anyhow https://en.wikipedia.org/wiki/Mathematical_proof
02:49:38 I know what a proof is
02:50:27 then see how you achieve these for your theorems there
02:51:00 I'm not even that far down the line (compared to ity working on proof assistants) but there's a missing piece you seem to lack here, just_another_day, given you ask "how do you prove something"
02:52:19 that's funny
02:53:03 I was asking about how MRL designs cryptographic schemes, because I thought they do that without writing proofs
02:53:18 If they do write proofs, I don't have any questions
02:53:31 Proofs for Monero-specific schemes, that is
02:53:35 the obvious answer is by knowing far more than me on the specific field of cryptography and mathematics 😅
02:54:03 Monero-specific schemes are not that far from general elliptic curve, just the focus
02:56:03 on unrelated topic https://crypto.stackexchange.com/questions/71053/soft-question-what-are-examples-of-beautiful-proofs-in-cryptography
02:56:16 I choked at the classic ECB one
02:56:58 Proof: [image of tux encrypted using ECB mode of operation]
02:58:38 also when searching, a cryptographic proof or cryptographic proving it means using cryptography algorithms or methods to prove something not the mathematical proof of the algorithm :)
02:59:20 do you write proofs for cryptographic proofs? :)
03:01:12 DataHoarder: that's a good one
03:01:21 the tux
03:01:34 DataHoarder: There's the FCMP++ technical overview.
03:01:59 (for after ZtM)
03:02:43 it's a moving target still given changes on tx output derivations for example :)
03:03:00 but yeah, I guess it'll get more defined as things freeze
03:03:35 Monero, generally, has looked for proofs which meet a desired statement. See the usage of Bulletproofs' range proof within Monero's RingCT, and evolution to Bulletproofs+.
03:04:16 With FCMP++, we proved the proof system underlying Curve Trees (Generalized Bulletproofs) secure, and did adapt the arithmetic circuit to the statement defined in the FCMP++ composition.
03:04:34 The FCMP++ composition was reviewed and proven secure, along with its SA+L proof.
03:05:04 ^ listen up just_another_day from the source themselves
03:05:23 The SA+L proof was something I designed and put forth, concatenating a BP+ IPA (n=1) with a GSP, both existing proofs to a statement. Their concatenation achieved the statement necessary within the composition, and again, reviewed and proven secure.
03:06:14 CLSAG was in-house. I believe Borromean was posited as a range proof. I can't comment on MLSAG. I know there's a paper for RingCT, which I think MLSAG may have been part of?
03:06:31 And then all protocol-level cryptography before then was CryptoNote.
03:06:35 yes, it was part of RingCT paper
03:06:55 So Monero's modus operandi wasn't really part of that, other than the modus operandi being to start by forming CN.
03:07:29 and RingCT applied Pedersen commitments + MLSAG to build what we had
03:08:00 While Monero cryptography may be messy and disorganized due to the amount of contributors of various backgrounds, I wouldn't present leading questions (or questions which come off as leading questions) which imply it may be insufficiently reviewed before deployment.
03:09:21 I know that Monero does audits
03:09:27 So I wasn't implying that
03:10:19 You said your question wasn't meant to be offensive, but it still asked if development was vibes-based before an external audit.
03:10:40 I would say no, research is research and review occurs until satisfactory.
03:11:26 If I recall correctly, your proposal for FCMP++ was initially without proofs?
03:11:51 This is the part on accusing of seeming leading.
03:12:11 *I'm accusing
03:12:27 Leading for what?
03:12:49 DataHoarder[m]: What's the term I'm looking for?
03:13:03 You're being paranoid
03:13:22 Re: social behavior where one tries to appear honest and helpful while actually being antagonistic.
03:13:29 so vibe designing? <<>> hmmm
03:13:49 @kayabanerve:matrix.org: idk, it's late and I think there is a disconnect in how the conversation goes with thankful_for_xmr given previous days
03:13:51 Eh, @just_another_day:matrix.org: you could just be rubbing me the wrong way, but you seem to present yourself in good faith while not acting in good faith.
03:13:57 Yes, my research and proposal for FCMP++ was without proofs. I am not someone who has written a security proof.
03:13:57 The FCMP++ paper lacks proofs directly to this day.
03:14:14 The proposal was always intended to have review and security proofs however, which we've done extensive work on.
03:14:22 it takes several messages to get the point across if you see previous conversation here a couple days ago
03:15:18 The proposal also derived from Curve Trees, BP+, and GSP. All three were prior art, the latter two proven. FCMP++ was solely their intelligent composition, though it did modify the arithmetic circuit.
03:16:11 Aaron Feickert, who worked at Cypher Stack, a company described as being created to offer employment on paper to Monero researchers, proved the composition secure and the BP+ + GSP composition as satisfying the SA+L statement.
03:16:45 Feickert and Goodell have both worked on the underlying Generalized Bulletproofs, Goodell currently at Cypher Stack.
03:17:05 The optimization with divisors had extensive review from Cypher Stack and Veridise.
03:17:40 Feickert audited the current GBP implementation. Veridise reviewed the circuit and audited its impl on top of the audited GBP lib. They also provided a variety of formal proofs.
03:18:22 Sealioning? https://en.wikipedia.org/wiki/Sealioning
03:18:53 just read the MRL meeting logs for the past year or more and you will understand how the process works
03:18:56 no idea why you think things are done unseriously
03:19:01 @just_another_day:matrix.org: I don't actually want to be a dick to you for no reason. Your questions come off, to me personally at least, as in bad faith.
03:19:03 that may be too far kayabanerve I think there's a better term
03:20:04 If you are trying to act in good faith, I'd recommend revisiting how you phrase your questions. You don't have to, you do you, but as of right now, to me personally, it comes off as antagonistic which isn't optimal for a civil discussion.
03:21:28 you have grounds to think this way given my activity on Reddit
03:21:50 Yeah, I'm trying to caveat this as it could just be me, and I'm sorry if so, but also, I'm tired in _general_ of people who claim to be in good faith and just want to cause trouble.
03:21:50 There was an asshole a month ago who took every opportunity possible to praise me while also turning people away from me.
03:21:50 "Kayaba works on so many things, it's incredible! That's why we should be patient and wait, because they're so busy, it may be a while. In the meantime, check out X"
03:22:18 Then I banned that guy and a few days later my server was raided with Naziism and absolute bs.
03:23:15 So my personal issues with an individual from about a month ago, the recent OVK drama (which we can just be on opposite side of the coins of), _and_ these questions seeming to suggest Monero is vibe-based is why I'm being so critical here.
03:23:24 I mean, my question is pretty neutral > <@just_another_day:matrix.org> I was just curious about how MRL designs cryptography for Monero. I have the idea that you adapt existing research. Do you write proofs by yourself? If not, how do you know the design makes sense? Just because of a general understanding how a proof would look like?
03:23:45 ^ in my opinion the answered with an example above
03:23:47 That wasn't the one I minded
03:23:48 they*
03:24:09 And again, I'm sorry if I am just being unfairly critical of you.
03:24:18 I misunderstood DataHoarder's response
03:24:34 I thought he said that MRL doesn't always write proofs for their schemes
03:24:57 https://github.com/monero-oxide/monero-oxide/tree/fcmp++/audits is my own collection of documentation regarding FCMP++
03:25:23 Well, it's the monero-oxide FCMP++ audits folder, so it's the monero-oxide stuff + all the FCMP++ supporting evidence.
03:29:29 I said they don't have to, as they take existing pieces just_another_day
03:29:59 like, you aren't proving ECDLP
03:30:30 ed25519 itself
03:31:33 Bulletproofs was developed externally afaik
03:32:59 I mean, even such a big project as Telegram released MtProto without a formal mathematical proof of security, as they mainly combined existing stuff
03:33:41 So I wasn't implying it's always bad
03:33:52 Just curious
03:34:00 04:04:34 The FCMP++ composition was reviewed and proven secure, along with its SA+L proof.
03:34:14 Telegram composed proven parts but the composition itself was/is flawed
03:36:44 this whole conversation started from this > 03:09:36 what was confusing to me when I was reading zero-to-monero is that it doesn't provide proofs of schemes being secure. It only illustrates their correctness
03:36:48 to this > 03:18:31 i'm ok with zero to monero not having proofs. I understand that's an explainer
03:37:28 it was confusing to me because I wanted to learn the cryptography in depth
03:37:38 Though granted, my scope only intends to supplant CLSAG as seen in Monero. I even define a statement I say is analogous to the current role of CLSAG for which I say the FCMP++ composition achieves via its two decomposed parts.
03:37:38 For Monero as a whole, I believe there was an external researcher (PhD track?) who reviewed Monero as a whole.
03:38:08 And then of course, there's also the considerations about the addressing protocol (CARROT soon™) and so on.
03:38:50 JAMTIS soon™
03:39:13 you're assuming everything I say is somehow intended to criticize Monero
03:39:14 JAMTIS would be quite the discussion...
03:41:35 when I really wanted to learn how the serious crypto™ is done
03:42:22 @just_another_day:matrix.org: I'm not currently. I tried to answer your question before despite my frustration, and I've continued to comment on the topic since.
03:42:44 I don't plan to hold it against you. I had a frustration due to my _perception_ of you and I raised it. I also apologized if it was on my end.
03:43:06 I can iterate the exact messages that irked me or we can get back to the topic.
03:45:36 @kayabanerve:matrix.org: thank you for the explanation. I'm not that proficient in cryptography to understand the specifics.
04:10:06 fluffy fighting the fud https://redlib.perennialte.ch/r/Monero/comments/1qnwhru/relevant_reminder_monero_is_constantly_under/o22zdoq/?context=3
04:11:00 That fucking retard doesn't even understand what timing correlation is, glad we got fluffy
04:13:12 omg this AI fud slop got 200 upvotes https://redlib.perennialte.ch/r/Monero/comments/1qjqpgn/the_optional_transparency_trap_why_new_view_keys/
04:14:41 I can't believe they got fluffy to answer on twitter multiple times but also get so annoyed moved to also answer on reddit
04:15:49 > I don't understand why you're being so needlessly hostile
04:16:09 yeah kayabanerve now this is sealioning
04:16:44 if this is sealioning, why aren't there cute sealions I can pet? >:(
04:36:39 any of the people running the monero.social matrix instance in here?
04:36:49 or is there a specific room to contact them?
04:39:40 what are you trying to contact about?
04:48:50 im trying to get my contacts to spread out across different homeservers and wondering if there is any way to get a registration for one or two of them on this homeserver
04:49:07 right now everyone is on matrix.org, we all know thats not great
04:49:36 registrations are generally closed due to spam
04:49:59 yea ive seen that the past few months of checking every now and then
04:50:13 so i wanted to see if any of them were around in person and ask
04:50:15 it may be possible, you can try in #monero-community or dm pigeons on IRC side
04:50:37 (I am on IRC!)
04:50:43 which you can also ask friends to do
04:50:54 that gets them directly with puppets on the monero.social side
04:51:19 hmm yea, but they are low/zero-tech people
04:51:35 so having to worry about an IRC account and where its bridged etc etc
04:51:53 and that room looks invite only
04:52:36 maybe it was made like that after (again spam) incidents, maybe plowsof can shed some light. but it's reachable on IRC side
04:53:19 mustve been
07:50:48 community was invite only, made it public just now. monero social registration is disabled but accounts can/have been manually approved since
08:57:06 @kayabanerve:matrix.org: sealion -> sealioff
09:48:14 plowsof: thats all good to hear, we are in no rush so I'll probably come back around in the next month or so and see if theres any manual approval up for grabs 👍️
11:58:43 https://mrelay.p2pool.observer/m/matrix.org/zINRwchiIamlgDAzxLhpjpwt.png (13844.png)
11:58:57 Based on true events.
12:40:17 is that your address? lmao
13:00:38 Lol @datahoarder ^ > <@kayabanerve:matrix.org> Yeah, I'm trying to caveat this as it could just be me, and I'm sorry if so, but also, I'm tired in _general_ of people who claim to be in good faith and just want to cause trouble.
13:02:50 @intr:unredacted.org: You bet.
13:02:50 Wanted to hide the shotgun, but didn't know what to cover it with.
13:03:18 lmao
13:03:20 you hid the gun behind 16 potential guns
13:04:04 Soon to be 100 million!
13:04:19 full metal jacket proofs
14:41:44 "when I really wanted to learn how the serious crypto™ is done" followed by "I'm not that proficient in cryptography to understand the specifics."
14:41:52 hmmmmm
14:43:34 There can be a general overview of the process instead of specific details. But never mind
14:44:50 sorry maybe I am a bit tired after many days of this
14:49:13 > <@kayabanerve:matrix.org> Though granted, my scope only intends to supplant CLSAG as seen in Monero. I even define a statement I say is analogous to the current role of CLSAG for which I say the FCMP++ composition achieves via its two decomposed parts.
14:49:13 Probably you mean this as "reviewed Monero as a whole": https://moneroresearch.info/171 Cremers, C., Loss, J., & Wagner, B. (2023). A Holistic Security Analysis of Monero Transactions.
14:49:28 but I must say much learning has come from conversations like this whether genuine interest or from other motives because often much info comes out
14:49:35 Aren't we all tired?
14:49:36 Let's take a nap, rejuvenate our sense of Justice and get to work! 🤜🤛
14:49:36 thx DH
14:50:29 fud never sleeps
17:08:43 MRL meeting is in progress right now https://github.com/monero-project/meta/issues/1333 and the Carrot and OVK topic will be discussed at the end, feel free to observe @ #monero-research-lab and on https://libera.monerologs.net/monero-research-lab (it's a research focused channel, so direct questions or other items are better left for lounge or
17:08:45 general monero channels)
17:09:17 Meeting logs are provided afterwards on the github issue.