-
philogy
Thanks. I don't really understand what I'm meant to put in the "block_ids" field of the /get_blocks.bin RPC method.
-
moneromooo
You might not want to use that function, but... the last block hash you have, the block hash you have that's 2 from the top, the one 4 from the top, the one 8 from the top, etc. Last is the genesis block if you've not included it already.
-
moneromooo
This is so the daemon can know where to send from without the client sending everything it has.
-
philogy
Yeah, the non-JSON RPC endpoints aren't as dev-friendly as the JSON RPC ones, but none of them really provide offset information, right?
-
moneromooo
I just checked, get_transactions does.
-
philogy
I'm sorry, I meant like getting which transactions are referenced by the offsets.
-
philogy
there's the /get_outs method but the txid it returns is unfortunately empty...
-
moneromooo
Did you set get_txid to true?
-
philogy
No, I did not. Thanks so much for the tip! That works; that should really be in the documentation.
-
philogy
Does Monero have such things as Monero improvement proposals?
-
ErCiccione[m]
We don't have a structured proposal system like the BIPs, but anybody is welcome to make proposals and suggest improvements.
-
moneromooo
If it's cryptography, you can file a bug in the monero-research-lab repo and talk about it in #monero-research-lab. Otherwise, in the monero repo and here.
-
philogy
Alright
-
philogy
I drafted a small whitepaper about how Monero could extend transactions to allow not only atomic swaps but also more versatile transactions, likely without significantly impacting privacy. I have it as a PDF. What would be the best way to share it, and does anyone want to read it?
-
moneromooo
Put it on GitHub and link it here?
-
fort3hlulz
I'd love to read it, philogy
-
philogy
github.com/philogy/revokable-branched-outputs Tell me what you think! The idea is relatively simple, so I wouldn't be surprised if somebody has already had it.
-
philogy
If you'd like to give feedback, I'd recommend the Reddit thread, as your comments will be more permanent there:
reddit.com/r/Monero/comments/gye8cq…anched_outputs_atomic_swaps_complex
-
dEBRUYNE
philogy: Can you perhaps also open a new issue on the Monero Research Lab GitHub repository?
-
dEBRUYNE
Reddit is kind of bad for looking up historical threads
-
dEBRUYNE
And threads quickly disappear from the front page
-
philogy
Ok
-
UkoeHB_
Not sure I understand section 3.2. Are you implying `s` would be published before one of the outputs is spent? In that case, some malicious party could steal `s`, make their own revokable outputs, then spend one of them, thereby producing `KI_s` and locking the original outputs forever. To get around that you'd need to mandate unique `k^s*G` keys (e.g. they can only appear in a given transaction).
-
philogy
Yes, I'm implying it would be published before being spent. That's why I added in the Mechanisms section (1.6) that no transaction may reuse an sG, ensuring that nobody is able to maliciously lock that transaction.
-
UkoeHB_
Ah, missed that.
-
UkoeHB_
There don't seem to be any serious problems, although you probably should add a Schnorr signature on the commitment to zero between the revokable output pair; the range proof would only use one of the revokables.
-
philogy
What do you mean?
-
UkoeHB_
So the total cost for [normal output] -> [revokable pair] would be: 1 more output (+ scan time), 1 EC point for the revokable key (can just point it at a given output, which needs at most 1 byte), and 1 Schnorr proof.
-
UkoeHB_
"the sum of outputs may be greater than inputs" only makes sense with an additional proof
-
UkoeHB_
the output commitments for the revokable pair can't be the same since the blinding factor is deterministic from the sender-receiver shared secret
-
philogy
couldn't you reuse the commitment for outputs that use the same revocation key?
-
UkoeHB_
Yes, you could, although you'd have to encode the blinding factor for both recipients (the method from pre-RCTTypeBulletproof2).
-
UkoeHB_
so the cost difference would be: [2x encoded blinding factors = 64 bytes + extra implementation effort and complexity] vs [1 extra commitment + 48-byte Schnorr signature = 80 bytes]
-
philogy
Ah wait: you could leave the blinding factor derivation as it is currently; you just count outputs that have the same revocation key as having the same index t.
-
UkoeHB_
the recipient view keys are likely to be different, so even with the same index the shared secret changes
-
UkoeHB_
plus the tx pub keys may be different
-
philogy
Oh yeah I forgot about that...
-
UkoeHB_
Interesting idea, thanks philogy.
-
philogy
Thanks to you too. I mean, there are still some kinks to work out, but it could be pretty useful, right?
-
UkoeHB_
quite possibly; there has been a general struggle to find a good use for timelocks, which this could address
-
philogy
On a totally separate note, would it be possible to hide timelocks? Like you commit to the timelock somehow, and when you want to spend the transaction you somehow do a zero-knowledge proof that the current time is equal to or greater than the committed lock time?
-
sarang
Yes
-
sarang
You can embed this inside signatures
-
sarang
But it has a nontrivial computational cost
-
philogy
Interesting.
-
sarang
There's example code as well for the underlying signature modifications
-
philogy
There's a thing I don't understand about MLSAG ring signatures: why is the [rG + cK] term necessary? Isn't [rH(K) + cK~] enough? Where can I see the code?
-
philogy
UkoeHB_: I think I have a solution for the commitment mask problem: instead of yt = Hn("commitment mask", Hn(rK_v^B, t)), simply do yt = Hn("commitment mask", Hn(sK_v^B, t)). For normal transactions that don't require revocation, simply do r = s.
-
UkoeHB_
The `[rG + cK]` component means you know the private key `k` in `K`, while `[rH(K) + cK~]` means you know the private key `k` in key image `KI`; placing them next to each other proves that `k` is the same in both cases (recall Section 3.1 from ZtM2, on proving knowledge of a discrete log across multiple bases).
-
UkoeHB_
philogy: if `s` is made public then someone could brute-force the amount, since it's only 8 bytes (e.g. figure out `a*H = C - Hn(sKv, t)*G`, then brute-force `a` by guess-and-check).
-
philogy
You're right, I'll keep thinking
-
philogy
UkoeHB_: instead of publicly publishing the actual private revocation key s, which reveals the amount, in an atomic swap a type of Diffie-Hellman exchange is done:
-
philogy
Bob (has btc wants xmr); Mary (has xmr wants btc)
-
philogy
Bob: generates random db (sends it securely to Mary)
-
philogy
Mary: generates random dm (keeps it to herself)
-
philogy
Mary: s = dm * db
-
philogy
Mary: creates a transaction with revocation public key sG, with the timelocked output to herself and the normal output to Bob
-
philogy
Mary: Qm = dm * G
-
philogy
Mary: sends Qm to Bob
-
philogy
Bob: verifies that db * Qm = sG
-
philogy
Bob: creates a locking script as specified based on Qm where dm unlocks it
-
philogy
Mary: unlocks the script and redeems her bitcoin using dm
-
philogy
Bob: can unlock his Monero using s, because s = dm * db
-
UkoeHB_
philogy: it makes sense to me
-
selsta
Is it possible that malicious remote nodes feed empty blocks to the wallet?
-
asymptotically
wouldn't the hash be invalid if they took the transactions out of it?