00:19:40 Call outs and guest blogs
10:07:02 tevador: they obviously misspelled bonnets
11:09:59 https://taiga.getmonero.org/project/michael-konferenco/wiki/01-general-information
17:40:03 I'm thinking we need an explicit "on the auditability of Monero" blog post
17:40:16 get sarang or surae to co-author
17:40:43 sgp_: is that in response to gscoders' question in #monero?
17:41:19 asymptotically: I was watching malmen's portugal talk and the question came up
17:41:22 You rang?
17:42:08 sarang: I think a blog post about auditability would help dispel concerns a good amount
17:42:20 I dislike the term "auditability" because it often seems ill-defined or undefined when used
17:42:30 the question keeps coming up, especially among bitcoiners
17:42:45 I don't think the answer would make those people happy
17:42:59 doesn't it mean you can factually see the total amount of available supply at a certain point through the daemon?
17:43:08 but... can you with ct?
17:43:17 The use of signatures on Pedersen commitment differences (which are computationally binding) means there cannot be a 100% guarantee of balance
17:43:24 not sarcastic questions. they're legit, just saying.
17:43:32 I suspect many of those people would only be satisfied with visible amounts
17:43:38 yes.
17:43:42 In that case, there are plenty of other projects whose design matches that requirement
17:43:48 This project does not, and likely never will
17:43:57 So I'm not sure what you'd want to accomplish
17:44:26 IIRC Aeon specifically does not use Pedersen commitments for this reason
17:44:39 I'm not saying the concerns aren't valid. I'm saying people may need extra help seeing why the tradeoff was made
17:44:45 Like all things, it's a design choice and comes with a tradeoff
17:44:53 and what the actual implications of the tradeoff are
17:45:09 and FWIW computationally binding and perfectly binding are effectively the same thing given non-infinite computing resources
17:45:42 yeah but people need a lot of hand-holding to get there
17:45:53 they hear "it's not perfect" and freak out
17:45:58 And perhaps such a theoretical adversary can break arbitrary discrete logs, meaning all such signatures are broken regardless of Pedersen commitments
17:46:21 indeed, so bitcoin is at risk of that too. which is worth saying in a blog post
17:46:41 all I'm saying is that we've had this conversation 1000 times and we should just write down a blog post
17:46:50 It's not guaranteed that the two hard problems are linked
17:46:55 But you get the idea
17:47:11 When you start arguing about the nature of infinite computing resources, perhaps things are starting to get pedantic
17:47:24 I'm only getting across that people think Bitcoin is infallible by comparison which is nonsense
17:47:39 "Design choices imply tradeoffs"
17:48:16 bitcoiners rather auditability over privacy, moneronerones (lol) rather fungibility over auditability.
17:48:59 Important to keep in mind that computational binding is still a strong assertion
17:49:39 and that it's not possible to switch to a perfectly binding commitment scheme while retaining reasonably-sized range proofs
17:49:51 Such a tradeoff would likely not be well received
17:49:52 rottensox: I think people perceive it as 100% auditable or 0% auditable
17:49:58 which makes no sense
17:50:03 .shrug
17:50:03 ¯\_(ツ)_/¯
17:50:53 the war won't be over regardless of the altitude the blog post has, in my humble opinion. the chances of chauvinist bitcoin maximalists reading or paying any attention to anything outside their echo chamber are very, very slim, not to use the hard word 'impossible'.
17:50:54 sarang: do you think this is something you can take on? the post? I can review and provide guidance but it would be best-received coming from you I think
17:51:04 There are only a finite number of automobile keys possible... so the mapping between your key and your car is not perfectly binding. But I don't know many people who are concerned about this
17:51:10 it is a waste of time and resources to work on that. better to live in our own echo chambers. :)
17:51:20 rottensox: the maxis aren't the target audience; they won't care. It's for everyone else who sometimes hear maxis
17:51:32 hmm, ok.
17:51:42 like a person in the portugal audience during the talk
17:51:53 can you link me to this talk, please?
17:52:14 rottensox: https://www.youtube.com/watch?v=30o3Joftk2g
17:52:14 [ Ubucon Europe 2019 - Monero means Money - YouTube ] - www.youtube.com
17:52:17 happened in the last 10 mins
17:52:20 dankeschön.
17:52:22 I think it's still important to respect people's personal requirements for this stuff; if you understand the tradeoffs but still choose visible amounts, fine
17:53:11 the person in the audience was a Bitcoin maximalist, and he was Ok with the tradeoff that monero made
17:53:23 :o
17:53:24 we talked a lot after the talk
17:53:57 he felt that people need to know that is a tradeoff and in the end we are all trying to achieve a better currency with our differences
17:54:20 some sense from a maxi. shocked.
17:54:22 that's why the insurance companies covering auto theft pushed for those transponders in the key and ignition
17:54:58 you still have a decent chance of opening someone else's car with your key, but the key won't start the car
17:55:12 MalMen: I was going to PM you, but great job on the talk!
17:55:17 pigeons: my point with that analogy was that far weaker mappings are present in everyday life
17:55:43 yeah, just came across opening another car recently :)
17:55:45 34 minutes too, short talks are best talks.
17:55:54 thanks for making it short.
17:57:03 thank you sgp_ :) made some noob mistakes but it's a learning process, hope to do better next time
17:57:37 you don't want to see my first talk lol
17:57:38 not good
17:57:57 :D
17:58:25 I'm afraid that any technically-correct blag post will have to get specific on definitions, and I can see that resulting in simply irritating people
17:59:16 ^
17:59:32 sarang: indeed, something too technical would be annoying. maybe a summary at the top in simple language then a more-technical part? note however that no one reading it will care about the technical part though
17:59:45 the target audience isn't researchers
17:59:53 it's concerned enthusiasts
18:00:26 Yeah, but getting too wishy-washy could lead to people not understanding how subtle it is
18:00:33 The subtlety is the point
18:01:23 no, the main point is explaining in an understandable way that tradeoffs exist and that Monero didn't take an "all-or-nothing" tradeoff
18:01:51 I think you can do that without getting too heavy into definitions
18:01:52 OK, focusing on practical tradeoffs seems honest and reasonable
18:02:41 We can easily highlight other projects that make similar tradeoffs: Aeon, Zcash, etc.
18:03:10 presenting "how to define auditability" as an issue needing a definition is useful to show the reader it's undefined, but I don't think it's worth walking through how to define it
18:03:41 Well, I have a suspicion that for many people the definition boils down to "computing balance by arithmetic on visible amounts"
18:03:51 I wonder if a "how might I be fucked?" table would be too much lol
18:04:01 and for some others, it's "computing balance by math I am comfortable with", which is subjective
18:04:49 In project design, it's waaaaay more likely that a consensus or implementation bug occurs than a break in a computational hardness problem
18:05:00 Plenty of examples of this across the board
18:05:21 But this ventures into the realm of detecting such problems
18:05:23 Alien with a specific mega-crazy computer: Bitcoin YES Monero NO
18:05:29 You can't detect a Pedersen break
18:05:58 Although there are other types of non-detectable breaks, like the Zcash soundness problem
18:06:05 so it's not limited to just Pedersen
18:07:39 sarang: I am thinking along the theme of the image used in this post: https://web.getmonero.org/2019/10/18/subaddress-janus.html
18:07:52 the image conveys quite accurately what it means for the end user
18:08:46 oh what about this for an idea
18:09:07 a flowchart of "choose your auditability definition" and how Bitcoin and Monero fare
18:09:27 but it would need to be super simplified
18:09:51 "Does there exist an all-powerful infinite computer?" No -> you're fine
18:09:59 Yes -> nobody is fine
18:10:11 lol.
18:10:14 ^
18:13:00 Or it could be boiled down to a similar worry as the "what if someone guesses the private key" question
18:13:14 Such a person should start buying lottery tickets immediately =p
18:13:25 and also worry about getting struck by lightning multiple times
18:14:05 haha yeah that's what I'm getting at
18:15:52 FWIW such low-probability risks seem hard to wrap your head around, since they're so far removed from the real world
18:16:17 "guessing a number" seems somehow inherently easier than "getting struck by lightning as you win the lottery"
18:25:28 indeed
18:50:02 does someone have the odds of a guess handy? I'll make a chart as long as I can include a shark attack beside the lotto.
18:52:45 For a fixed Pedersen mask, identification of an input value to hit a specified target point is a 1/2^252-ish shot
18:52:52 but assumes brute force on a fixed mask
18:53:02 So on average you'd need half that number of guesses
18:55:10 Wolfram Alpha claims the approximate number of atoms in the earth is around 2^166
18:58:16 To hit any point with separate Pedersen inputs would be akin to the birthday problem
18:59:10 but in that case you still need to restrict the input values due to range, so you'd flip the problem: fix the inputs and play with the mask values
18:59:36 Oh nvm, the range proof would be fooled by using the valid version of the inputs
18:59:46 Even so, the numbers for brute force are absurdly high
19:58:51 :) Fuck I love Monero guys. I totally appreciate what you described, but if I knew with some degree of confidence what that absurdly high number was I could jump in and do my thing. You know,...sharks, lotto tickets,..odds of cracking a Monero address....that kind of stuff :)
19:59:00 Staircases
19:59:08 Automobiles
19:59:17 Die Hard II scenarios
19:59:23 Bathtubs
19:59:31 Battery explosions
19:59:40 :)
20:10:34 1/2 of 1/2^252?
20:12:16 the more factual the better,...I know it's in the hypothetical realm, but truth is the best advertiser.
20:37:22 The size of these cryptographically-large group structures is so many orders of magnitude higher than anything we experience day-to-day that it's tough to really appreciate the comparison
20:38:16 e.g. Wolfram Alpha estimates the universe age to be perhaps 2^59 seconds
20:39:25 Comparing 2^59 to 2^252 is not intuitive to me :/
20:41:14 I can work with the big bang for scale :) Thank you. Yeah,...I'm pleading complete ignorance here....but if I can get my arms around it I might be able to make something useful.
20:41:54 I tried graphing the 2008 bailout once against GDP,....it's going to be the same hockey stick I'm pretty sure.
20:43:30 hell, it's always the same graph :)
20:47:52 Of course, there's no guarantee that a non-brute-force method could be found to break something like DL or other hardness problems
20:48:11 Hardness assumptions aren't proven; that's why they're assumptions :)
20:50:11 Hard for me to imagine what a non-brute force attack could be at this level but I'm so glad it's being thought about.
20:50:59 I'm totally fine with brute force numbers,....it's true enough.
20:51:25 It at least gives an idea to the scale
21:07:43 Every time I learn more about Monero, the more impressed I get. I knew a bit about address generation, but this is awesome.
21:51:27 half of 1/2^252 is like 1/2^251 :P
21:54:12 yeah, I realized I was being a dumbass without knowing it,...but I'm glad to have found out :)
21:54:34 suck it Yogi Berra!
21:55:31 What I think is easy to miss is that increasing complexity from 2^a to 2^(a+1) is double the complexity
21:55:40 and that increasing from 2^a to 2^(2a) is simply nutso
21:55:47 e.g. 128-bit to 256-bit
22:00:33 yeah, that's the message to translate. I want to plot this out before bringing any more bad questions to the table....this is cool, thanks for explaining. Scale is something that folks crave,...I'm not sure why it is,...maybe it's just Western,...but we all grew up with a picture of the Empire State Building next to a dinosaur,...and we liked it.
22:02:30 The Cult of Comparison