rehrar: this might be fun for a community call theonline.town

have no idea the privacy risk/concerns - just saw the idea and thought it neat

fort3hlulz: wow. that was a far more positive aantonop than in Doug's interview.

I remember he said something about some issues with the wallet and was laggimg a bit in knowledge of where monero currently is technologically

Inge-: the progress of coming around seems slow but it's definitely happening

he also correctly understands the perfectly binding / perfectly blinding tradeoff

You are referring to the idea of "supply auditing"?

Yes

Well, for some people, only a fully transparent supply count meets their needs

And as long as they understand the tradeoffs that implies, ok

in XMR case you need to either understand the math enough or trust the mathematicians - as well as the implementation to not introduce inflation bugs

I thought the blog post did a reasonable job trying to highlight the subtleties

Even something like Zcash, with its transparent migrations, has major tradeoffs and the same issues within pools

If "audit the supply" means "count available supply in the clear" then neither Monero nor Zcash nor related assets will meet your needs

realistically you only need to prove that inputs = outputs is always true, or is ever false

Well any asset dealing with commitment-based pools runs the risk that an implementation error or cryptographic break could cause issues

We mitigate the former via audits and review, and the latter is frankly very unlikely

Note that transparent migrations do _not_ solve this problem, but only offload it in ways that I'm not comfortable with

Yeah I'm happy with the response for sure

I'm surprised he even responded, but good to see he seems to have a better grasp of the nuance than I suspected

Think this interim step of people seeing Monero as a mixer is an annoying but necessary building block for Monero adoption

Once they use Monero for actual transactions the logical next step is to just stay in Monero

Perfect example is r/darknetmarkets

More and more people recommending to just stay in Monero and use XMR.to when necessary

what response are y'all talking about, I must've missed the beginning of this conv

I don't think viewing Monero as a mixer is helpful

Mixers are opt-in

This is _not_ what Monero does

Long term no

But that is whats happening

And I think we can latch onto that to help users end up staying within Monero

well, it's definitely common advice now for people to say "but BTC, go thru XMR before spending"

There are many metadata and KYC risks with users using Monero as a mixer alone

s/but/buy

I'm not advocating for people to use it as a mixer, quite the opposite

But rather latching onto the narrative to push people to just stay in XMR and use services like xmr.to when necessary

hyc: Yup this seems to be an evolutionary shift in Monero's adoption

Transferring between Monero and other assets likely incurs additional risk

For sure

But I do _not_ like the general idea of viewing Monero as a mixer

As the failings in privacy in Bitcoin become more apparent to actual users, they are shifting through Monero

It's a very different operation

sarang: Me neither

It's a bad way to use Monero (or any other privacy tech)

Not even that

It also stands out if you only buy Monero when you "need privacy"

I mean that if you mix in something like Bitcoin, _every_ user in the mix is participating for sure

In Monero, decoys do not participate

Monero ideally implies plausible deniability for any particular transaction viewed on chain

Bitcoin mixing does not

In a mixer, you definitely participated

What effect this has in the real world has yet to be determined AFAIK

replace "mixer" with "magic obfuscator"

they don't care about the finer technical points

That's why I used "go-between" in my tweet :P

I dont like the term mixer either, and avoided it intentionally

can someone send a link? i just turned on my relay

ty

Well, the technical points do come into play because of terminology

That's what he responded to and has the video in my sub-tweet

I've seen "ring signature" used to mean "limited anonymity set"

This is only partially correct, but sometimes misunderstood

e.g. Zcoin's Lelantus/Sigma use limited anonymity sets that are not strictly ring signatures

indeed, that comes up a lot too

Assuming "ring signature" == "limited anonymity set" is not totally correct

it's a slight but important misuse of technical terminolog

*terminology

same with "zero knowledge proof", which is almost univerally misunderstood

Yeah sooooo much misuse of terminology

I prefer "signer-ambiguous transaction protocol"

Due to a lack of understanding of nuance

but they still have a point, otherwise why keep worrying about enlarging the ringsize

which is a very uncool-sounding phrase

sarang: Just flows off the tongue 😂

"ring size" is also a bad term

So this is something I'm curious on

?

How can I best describe the privacy improvements of a mixin increase from 11-100+

It's not anonymity set

Ring size doesn't mean anything to most people

OK so

I'm not sure how to best communicate that

"linkable ring signature" is a technical term for a construction meeting a variety of possible definitions

I always campaigned for "decoys/ number of decoys" but nobody else went with it

If you're not a cryptographer, you almost certainly don't care what those definitions are

"zero knowledge proof" is a technical term for a _huge_ range of constructions that have _nothing_ inherently to do with anonymity sets

Again, if you're not a cryptographer, you almost certainly don't care what those definitions are

You can use linkable signatures to build signer-ambiguous transaction protocols

You can use ZKPs to build them too

If you assume "zkp" == "full anonymity set" then you are not correct

That equality _can_ be true for certain protocols, but it's not true in general

This muddling of terms has become very common in general use

and that will continue... hell, our own users can't even spell Monero half the time

Zcoin uses ZKPs for limited anonymity sets

So does Triptych

So does Arcturus

So does Omniring

So does RCT3

Zcash uses ZKPs for full anonymity sets (within specified pools)

so does Wafflecoin

kidding, I just made that up

You can use Triptych to build a linkable ring signature, which its preprint does

proof-of-syrup

nom

So yeah, "ring size" is a typical term (I use it all the time, often not strictly correctly) that doesn't always apply to ring signatures =p

If Monero moves to Triptych/Arcuturus/Omniring/whatever, it will also use ZKPs, but for limited anonymity sets

just like Zcoin now does

"ZKP == full anonymity" is great for marketing, but is incorrect

I can only relate to what you've said because it's similar in the industry I work in - the market is constantly spewing buzzwords that have become all interchangeable

So I should keep using the term "ring size" to describe the increases in anonymity brought about by a move from 11>100+ with Arcturus etc?

we should start a marketing campaign to correct the incorrect use of the term "ZKP"

and then after that we can go after "crypto means cryptography:

I'm just not sure what that conveys to a less technical user in reality, and am struggling to find a better way

fluffypony: I like it :D Hunt down the false narratives one by one

:-P

lza_menace: This is every industry, sadly, they benefit by confusing users with lingo and buzzwords that sounds better/worth more money

The less users understand the nuance the more likely they are to buy in blindly

i.e. "5G" being the next big thing, even though the vast majority of users will see practically no benefits

Because 5G can mean many different things

The meaning is robbed from it (intentionally IMO) to make it sound good but hard to discern true meaning/nuance

But I digress

fort3hlulz: I think "per-transaction anonymity set size" is the most correct reference

fluffypony: I would _love_ to see people understand that "zkp" != "full anonymity set"

it's fantastic marketing, and _can_ be true (ideally, in theory, etc.)

but those two quoted phrases don't inherently have _anything_ to do with each other

sarang: Yeah I've leaned towards anonymity set with some sort of nuance in the description, as that seems to be the best overall answer to bring clarity

Monero also uses ZKPs in its transaction protocol

and other constructions that are witness-indistinguishable but not ZKPs

and the difference doesn't mean a freaking thing if you're not super into definitions :)

fort3hlulz: "anonymity set" is better because people don't/shouldn't care if that's achieved via a signature, or a ZKP, or whatever

in practice it's irrelevant

and only comes into play for security models/proofs and certain types of scaling

Every time I see something like "Project X uses zero-knowledge proofs" I die a little inside :/

Haha absolutely

our project uses algebra

lol

"special honest verifier zero knowledge" implies existence of a proof simulator

If you do not care what a proof simulator is, you likely also do not care what SHVZK is, and that's totally ok

:)

You lost me 😅

and that's ok!

The gist is that ring signatures and ZKPs are used as building blocks for transaction protocols

and those protocols may have implications for anonymity sets

But to make big extrapolations back to the building blocks isn't a good idea

Got it

"Our bank vault is impenetrable because it uses steel" is a similar phrasing

Maybe it is, maybe it isn't... depends how you used the steel to build the vault

If you forgot to build a door, it isn't =p

Building blocks != final product

Thanks for the deep dive + rant sarang 🙂

:/

Gotta step away for a bit

Rants are good haha

It was a joke :D

It just gets frustrating to read the same inaccurate things over and over again

I bet as someone who actually knows the difference

and it's very subtle to explain

I have a slight understanding but I haven't dedicated years to learn/teach/build on it

I'm sure its way more frustrating to you,and its already frustrating to me :P

I don't blame anyone for not getting the differences; they're super technical and boring

but to make claims about those differences is just reckless IMO

sometimes it's for reporting; other times it's for marketing; etc.

so I hear that we are changing our terminology to decoys dks.scene7.com/is/image/GolfGalaxy/…LBDYMLLHWF?qlt=70&wid=1100&fmt=webp

something everyone can understand

sigh

It may also be worth noting that a huge focus on the size of the per-transaction anonymity is not the only/optimal metric for privacy

e.g. early research into Zcash showed that a _huge_ number of shielded operations were trivially traceable despite a very large anonymity set

pre-CT Monero transactions are generally traceable despite variable anonymity sets

Threat models involving network observation may change this risk

etc.

Privacy != anon set

A broader, more holistic view toward privacy, coupled with strong education about threat models, is almost certainly a better approach for most users

how to communicate this succinctly

Tough call

maybe an ecosystem involving ducks :)

ball and 3 cups

there's only so much education you can do. cars are quite complex systems. everyone gets a few weeks worth of driver training, and off they go.

yep

If only drivers were trained like pilots...

where you're tested in real time on all sorts of emergencies

I remember during my in-flight final examination, when the examiner "failed" my GPS system and said there was an emergency, and we needed to land :)

and then later "failed" the engine!

midipoet: found an open source version

In my simple and naive world, a ZKP just means you can prove something about a thing without giving away other information about that thing

hyc: waddayamean we can't even spell romero half the time?

Inge-: informally

but in marketing, that's taken to mean "you can prove sender, recipient, amount without showing anything about them"

sarang: try this silly little thing with me.

FOSS

?

.romerito

it's a way to do video conferencing, but with a game? basically if you are close to someone you hear them well, but you can leave and not hear conversations like irl

midipoet just showed it to me

Inge-: today's spelling is monerrrrrro

basically just a proximity-based dynamic video chat

lol, everyone ran away

rehrar: your version looks neat as well!

join midipoet

I can, but for five mins

Have to have a shower

rehrar: I sent you a song with chickens the other day

How annoying.

oh yeah! I remember.

was pretty funny

didn't have time to respond in the moment, sorry

np

oh is it virtual meeting thinggy?

thoughts on changing the name of "unmixable outputs" to "stale outputs"?

CLI also uses sweep_unmixable

I prefer unmixable as stale really doesn't allude to unmixable-ness

the reason stale is ng is because they are unmixable?

niocbrrrrrr basically yes, however I'm thinking of more user-friendly names. We also don't really want to associate Monero with interactive mixing processes

Unconsolidated?

Uncombined?

anyone know if operator of cyphermarket.com is on irc/reddit?

lza_menace, I thought it was rehrar

oh, cool

I was thinking so because I thought he did the monopoly board

or at least I had seen him mention/link it somewhere

Whatchoo need lza_menace ?

Want a monopoly? I'll give you the best price.

nothing, just was vetting the store before sending any funds

your shop looks awesome

Thanks. We're the best in the business.

We're also the only one in the "selling merch for FOSS projects" business.

that's why you're the best