<learninandlurkin> Call outs and guest blogs

tevador: they obviously misspelled bonnets

I'm thinking we need an explicit "on the auditability of Monero" blog post

get sarang or surae to co-author

sgp_: is that inresponse to gscoders' question in #monero?

asymptotically: I was watching malmen's portugal talk and the question came up

You rang?

sarang: I think a blog post about auditability would help dispel concerns a good amount

I dislike the term "auditability" because it often seems ill-defined or undefined when used

the question keeps coming up, especially among bitcoiners

I don't think the answer would make those people happy

doesn't it mean you can factually see the total amount of available supply at a certain point through the daemon?

but... can you with ct?

The use of signatures on Pedersen commitment differences (which are computationally binding) means there cannot be a 100% guarantee of balance

not sarcastic questions. they're legit, just saying.

I suspect many of those people would only be satisfied with visible amounts

yes.

In that case, there are plenty of other projects whose design matches that requirement

This project does not, and likely never will

So I'm not sure what you'd want to accomplish

IIRC Aeon specifically does not use Pedersen commitments for this reason

I'm not saying the concerns aren't valid. I'm saying people may need extra help seeing why the tradeoff was made

Like all things, it's a design choice and comes with a tradeoff

and what the actual implications of the tradeoff are

and FWIW computationally binding and perfectly binding are effectively the same thing given non-infinite computing resources

yeah but people need a lot of hand-holding to get there

they hear "it's not perfect" and freak out

And perhaps such a theoretical adversary can break arbitrary discrete logs, meaning all such signatures are broken regardless of Pedersen commitments

indeed, so bitcoin is at risk of that too. which is worth saying in a blog post

all I'm saying is that we've had this conversation 1000 times and we should just write down a blog post

It's not guaranteed that the two hard problems are linked

But you get the idea

When you start arguing about the nature of infinite computing resources, perhaps things are starting to get pedantic

I'm only getting across that people think Bitcoin is infallible by comparison which is nonsense

"Design choices imply tradeoffs"

bitcoiners rather auditability over privacy, moneronerones (lol) rather fungibility over auditability.

Important to keep in mind that computational binding is still a strong assertion

and that it's not possible to switch to a perfectly binding commitment scheme while retaining reasonably-sized range proofs

Such a tradeoff would likely not be well received

rottensox: I think people perceive is as 100% auditable or 0% auditable

which makes no sense

.shrug

the war won't be over regardless of the altitude the blog post has, in my humble opinion. the chances of chauvinist bitcoin maximalists reading or paying any attention to anything outside their echo chamber are very, very slim, not to use the hard word 'impossible'.

sarang: do you think this is something you can take on? the post? I can review and provide guidance but it would be best-received coming from you I think

There are only a finite number of automobile keys possible... so the mapping between your key and your car is not perfectly binding. But I don't know many people who are concerned about this

it is a waste of time and resources to work on that. better to live in our own echo chambers. :)

rottensox: the maxis aren't the target audience; they won't care. It's for everyone else who sometimes hear maxis

hmm, ok.

like a person in the portugal audience during the talk

can you link me to this talk, please?

rottensox: youtube.com/watch?v=30o3Joftk2g

happened in the last 10 mins

dankeschön.

I think it's still important to respect people's personal requirements for this stuff; if you understand the tradeoffs but still choose visible amounts, fine

the person on the audience was an Bitcoin maximalist, and he was Ok with the tradeoff that monero made

:o

we talked alot after the talk

he felt that people need to know that is an tradeoff and in the end we are all trying to archive an better currencie with our diferences

some sense from a maxi. shocked.

that's why the insurance companies covering auto theft pushed for those transponders in the key and ignition

you still have a ecent chance of opening someone else's car with your key, but the key won't start the car

MalMen: I was going to PM you, but great job on the talk!

pigeons: my point with that analogy was that far weaker mappings are present in everyday life

yeah, just came across opening another car recently :)

34 minutes too, short talks are best talks.

thanks for making it short.

thank you sgp_ :) made some noob mistakes but its an learning process, hope do better next time

you don't want to see my first talk lol

not good

:D

I'm afraid that any technically-correct blag post will have to get specific on definitions, and I can see that resulting in simply irritating people

^

sarang: indeed, something too technical would be annoying. maybe a summary at the top in simple language then a more-technical part? note however that no one reading it will care about the technical part though

the target audience isn't researchers

it's concerned enthusiasts\

Yeah, but getting too wishy-washy could lead to people not understanding how subtle it is

The subtlety is the point

no, the main point is explaining in an understandable way that tradeoffs exist and that Monero didn't take an "all-or-nothing" tradeoff

I think you can do that without getting too heavy into definitions

OK, focusing on practical tradeoffs seems honest and reasonable

We can easily highlight other projects that make similar tradeoffs: Aeon, Zcash, etc.

presenting "how to define auditability" as an issue needing a definition is useful to show the reader it's undefined, but I don't think it's worth walking through how to define it

Well, I have a suspicion that for many people the definition boils down to "computing balance by arithmetic on visible amounts"

I wonder if a "how might I be fucked?" table would be too much lol

and for some others, it's "computing balance by math I am comfortable with", which is subjective

In project design, it's waaaaay more likely that a consensus or implementation bug occurs than a break in a computational hardness problem

Plenty of examples of this across the board

But this ventures into the realm of detecting such problems

Alien with a specific mega-crazy computer: Bitcoin YES Monero NO

You can't detect a Pedersen break

Although there are other types of non-detectable breaks, like the Zcash soundness problem

so it's not limited to just Pedersen

sarang: I am thinking along the theme of the image used in this post: web.getmonero.org/2019/10/18/subaddress-janus.html

the image conveys quite accurately what it means for the end user

oh what about this for an idea

a flowchart of "choose your auditability definition" and how Bitcoin and Monero fare

but it would need to be super simplified

"Does there exist an all-powerful infinite computer?" No -> you're fine

Yes -> nobody is fine

lol.

^

Or it could be boiled down to a similar worry as the "what if someone guesses the private key" question

Such a person should start buying lottery tickets immediately =p

and also worry about getting struck by lightning multiple times

haha yeah that's what I'm getting at

FWIW such low-probability risks seem hard to wrap your head around, since they're so far removed from the real world

"guessing a number" seems somehow inherently easier than "getting struck by lightning as you win the lottery"

indeed

does someone have the odds of a guess handy? I'll make a chart as long as I can include a shark attack beside the lotto.

For a fixed Pedersen mask, identification of an input value to hit a specified target point is a 1/2^252-ish shot

but assumes brute force on a fixed mask

So on average you'd need half that number of guesses

Wolfram Alpha claims the approximate number of atoms in the earth is around 2^166

To hit any point with separate Pedersen inputs would be akin to the birthday problem

but in that case you still need to restrict the input values due to range, so you'd flip the problem: fix the inputs and play with the mask values

Oh nvm, the range proof would be fooled by using the valid version of the inputs

Even so, the numbers for brute force are absurdly high

:) Fuck I love Monero guys. I totally appreciate what you described, but if I knew with some degree of confidence what that absurdly high number was I could jump in and do my thing. You know,...sharks, lotto tickets,..odds of cracking a Monero address....that kind of stuff :)

Staircases

Automobiles

Die Hard II scenarios

Bathtubs

Battery explosions

:)

1/2 of 1/2^252?

the more factual the better,...I know it's in the hypothetical realm, but truth is the best advertiser.

The size of these cryptographically-large group structures are so many orders of magnitude higher than anything we experience day-to-day that it's tough to really appreciate the comparison

e.g. Wolfram Alpha estimates the universe age to be perhaps 2^59 seconds

Comparing 2^59 to 2^252 is not intuitive to me :/

I can work with the big bang for scale :) Thank you. Yeah,...I'm pleading complete ignorance here....but if I can get my arms around it I might be able to make something useful.

I tried graphing the 2008 bailout once against GDP,....it's going to be the same hockey stick I'm pretty sure.

hell, it's always the same graph :)

Of course, there's no guarantee that a non-brute-force method could be found to break something like DL or other hardness problems

Hardness assumptions aren't proven; that's why they're assumptions :)

Hard for me to imagine what a non-brute force attack could be at this level but I'm so glad it's being thought about.

I'm totally fine with brute force numbers,....it's true enough.

It at least gives an idea to the scale

Everytime I learn more about Monero, the more impressed I get. I knew a bit about address generation, but this is awesome.

half of 1/2^252 is like 1/2^251 :P

yeah, I realized I was being a dumbass without knowing it,...but I'm glad to have found out :)

suck it Yogi Berra!

What I think is easy to miss is that increasing complexity from 2^a to 2^(a+1) is double the complexity

and that increasing from 2^a to 2^(2a) is simply nutso

e.g. 128-bit to 256-bit

yeah, that's the message to translate. I want to plot this out before bringing anymore bad questions to the table....this is cool, thanks for explaining. Scale is something that folks crave,...I'm not sure why it is,...maybe it's just Western,...but we all grew up with a picture of the Empire State Building next to a dinosaur,...and we liked it.

The Cult of Compariasion