So from memory to confirm, when a user sends to a particular address, they generate a random nonce that gets combined with the address to determine where to send their funds

And choosing the same number and sending to it twice will generate outs with the same key image, rendering only one spend able

If I'm missing a piece please fill it in, my memory says that there's an infinitesimal chance that sending to a user will cause an unredeemable spend

that's right, reusing transaction public keys can cause problems but is very very unlikely if you generate them randomly each new tx

I would have assumed the chance of a single account generating duplicate key images was zero

and the only chance of collision was across multiple accounts

There's the context

ah yes, all-zero spendkey

some crypto mechs just error-out on an all-zero input

precomputed hashes aren't working on master

Hello, I want to generate keyimage, but I can't find the Java implementation

needbrrrrrrr90: I saw the reddit thread. The problem is the private spend key is all zeros, which doesn't work mathematically (can't multiply an elliptic curve point by zero, it just doesn't make sense), and I guess the code is built to handle that kind of issue.

isn't* built

yeah, confirmed on second box and build "2020-05-09 13:11:28.894 E Failed to load hashes - unexpected data size

"

gimme mah hashes!

Is that with selsta's recent patch for 0.15.1.0 ?

its master

Fine, I get it, I'll look.

yes the hashes haven’t been updated in a while, they work with my v0.15.1.0 patch

so if its not pulled in yet, then i didn't compile it

(that I have to update to v0.16...)

lemme hunt down that patch

wtf, git pull trying (and failing) to pull some ethereum stuff

yes trezor submodules pulls some ethereum stuff

has for a while now

Succeeded now. That is dodgy.

So it looks like it does not have selsta's patch yet. Does it work if you apply it ? :)

That's why 0.15.0.1 was released, wasn't it ?

Wrong hash step (256 -> 512) in 0.15.0.0, IIRC.

You mean master has had a bad hoh file all this time, but gingeropolous only spotted it now ?

Could be. Any way to tell if the hashes in master are 256-step or 512 ?

The header has the number of hashes.

They're not logged though. Or check the date of the commit that modified it last.

Says 0.15.0.0.

So you're likely correct and we can just ignore this, since selsta's commit probably uses the right version.

DE1D = 1DDE = 7646 x 256 = 1957376 ?

Sounds plausible ?

yes hashes master have been broken for a while

release-v0.15 has 030F = 0F03 = 3843 x 512 = 1967616.

Sounds very plausible.

UkoeHB_: there is this now monero-project/monero #6296

Is that causing trouble ? It's just a "tell the user to stop being an idiot", really to placate some spammy dude.

Someone entered `abbey` 25 times as their seed and asked if/why things are broken.

Was that given by some software, or is that someone being an idiot on purpose ?

> It was at this point he told me it wouldn't be the first time the seed had changed hands, and that someone had given him the seed at a Monero Meetup.

maybe someone did this as a joke to confuse people?

Using a seed from someone else, clearly trolling.

Anyway, from time to time people pop up thinking it's a good idea to use their own words and not understanding that not veru word string maps to a valid seed.

AFAIK nothing in monero tells people this is a good idea.

*every

maybe they are conusing it with a brainwallet?

I *think* this is why some people report a changed seed (software reduces the scalar).

Brainwallet tells you to come up with your own words ?

yes

Unfortunate. Then maybe it's not idiotic, just bad assumptions.

there is this correct horse battery staple xkcd and a lot of people used it as their brainwallet

so now there are bots that instantly transfer out transactions of this brainwallet

Come to think of it, if people want their own woeds, we could just hash this with a KDF to a seed.

OK, back to idiotic then.

Actually, my address generator does that already. I wonder if that helped confuse people :/

I think the idea can be neat if you can memorize your seed.

you mean the custom entropy thing?

abbey is word 1

aka zero

someone trolled that dude I guess

lol

I think it's about the 4th time this "abbey abbey abbey ..." wallet and its strange behaviour comes up on Reddit. I guess it's possible to come with this for curious people all on their own and then check that seed

moneromooo, will your patch now make this wallet un-restorable?

No.

(just for the json restore path)

Guess we could warn when we get an invalid words list.

Doesn't hlep people who use a seed someone else made though.

By the way, is this wallet unique? Or are there other ones where every out transaction produces the same key image, say because some modulo operation makes it work like these zero keys?

(Somebody asked this on Reddit, and I got interested. My guess is "yes, it's unique", but I am not sure.)

I don't really get it

Get what, my question?

seems like a bug

a zeroed private key shouldn't result in identity key images

only a zeroed output private key should

Well, maybe I assume this to be much too simple, but isn't there some op where "times 0" (from the keys) gives 0, and from there on it goes wrong?

Or does EC multiplication not work this way?

it does, yes

but the private key is only used by addition

anyway plenty of copies

large hemlock royal beware woozy gather slackens vain nanny tumbling gained identity abbey abbey abbey abbey abbey abbey abbey abbey abbey justice yearbook annoyed nanny

wade saga knuckle dolphin website pegs ethics angled galaxy seeded pause space abbey abbey abbey abbey abbey abbey abbey abbey abbey upwards withdrawn below saga

I assume if you import them the wallet will reduce to abbey abbey....

How did you come up with those seeds?

Replacing some words with "abbey" to get a zero key?

more seeds to troll at meetups

the wallet does reduce to abbey, just tested

Because the one key derives from the other, right?

rbrunner just double l

there should be like 15 of them

"yearbook annoyed nanny" lol

unfortunately all of them will ahve a lot of abbey's later on, so anyone in the know can detect them

So it's unique, in a way? There is no key, say "halfway up to the maximum" key that has the same behaviour because some mod operation makes it zero.

(Sometimes stupid questions lead to something, so please forgive :)

no of course not, the modulus is a prime number

keys are 0, modulus, 2*modulus, and so on

when the wallet sees a key higher than modulus, it reduces it to the equivalent key in the set

I see. So only limited fun.

but I still don't get it

I guess I'll scan that wallet and see

See what? It has 7 transactions incoming, one is from me when I tried whether the transactions were doctored, or the wallet is "broken"

yeah I wanna see them

can we tell everyone to send their burn coins there

There should be an "abbey" command in the wallet for that.

iDunk, you made my day

:)

abbey normal?

idk if the abbey wallet qualifies as a burn address, be very careful

I expect someone could patch the code to make it useable

figured it out

wallet thinks it's view only

UkoeHB_ it's definitely not a burn address

thus <luigi1111w> can we tell everyone to send their burn coins there

lol

go get your free monero

lol

abbey is a permanent watch-only wallet?

not permanent, you just have to patch it up

custom build

yeah, even a non dev (if you can figure out how to compile) could do it

the spendkey is still zero tho

very easy change

one-time addresses aren't just the spend key, so it works out

ah

the spendkey is only used in an addition context for transactions, that's why it works

Almost an anti-climax

yeah, much better as a cursed address

Hmmm, Monero Core Team member with "cloud10again" as their Reddit handle? They just made a post explaining the thing with the treatment as output-only wallet ...

luigi

cloudluigi

Oh, ok.

<luigi1111w> a zeroed private key shouldn't result in identity key images <= Perhaps someone trolled by sending burnt outputs to the wallet

By keeping r constant for numerous transactions

no

loogi pls branch

v0.16 or whatever you like

releasing v.16.1111

nice

luigi = monero leader

confirmed by wikipedia^tm