00:37:00 <suraeNoether> then yes
00:37:08 <suraeNoether> esp if we can get 2020/020 i'm a sucker for that
00:37:24 <suraeNoether> so, good news: the fields institute is paying for travel. :D
00:37:27 <suraeNoether> sooooo what should i talk about
00:57:05 <moneromooo> Comparison of lelantus/triptych/omniring/rct3 ?
00:57:14 <moneromooo> And how these are still progressing.
00:57:37 <moneromooo> Or is that too obvious ? :)
01:41:02 <sarang> A discussion of the current state of the art for trust-free protocols could be nice
01:41:57 <sarang> It often feels like trust-heavy proving systems and protocols occupy a lot of attention
05:08:43 <gingeropolous> so triptych takes a bunch of signatures, and somehow morphs the index location of a given signature amongst other signatures to some math gibberish that when combined with a new gibberish morph of a signature return 0
05:12:13 <gingeropolous> forgot my ?
08:21:21 <koe> Im looking at the extra field of a transaction: "extra":[1,...transaction pub key...,2,9,1,80,183,247,67,174,198,16,201]; the '2, 9,...' sequence must be the payment ID (probably a dummy) where 2 is the tag and 9 is the number of bytes; I was under the impression encrypted payment IDs were 8 bytes, am I mistaken or is there something else going on
08:21:21 <koe> here?
08:25:04 <amulet_dingy[m]> Am I correct in assuming the goal for Triptych implementation is to utilize larger anonymity sets with a smaller increase in computational time/effort?
08:30:34 <gingeropolous> amulet_dingy[m], i think that is true. That is the goal for any of the new protocol candidates afaik
08:31:11 <gingeropolous> size is also a consideration, though i personally have that ranked pretty low
19:19:37 <sarang> The idea is to have better size scaling, with presumably linear verification time scaling that can take advantage of batching to bring down the marginal verification time
19:20:49 <sarang> gingeropolous: the idea is to prove knowledge of a commitment opening within a list; such a proving system can be used as a building block for a linkable ring signature, as Groth and Bootle did in their earlier papers
19:28:04 <gingeropolous> yeah. i was trying to reword it in a way that i understand. i.e., one of the things in list A, when combined with something in list B, equals 0.
19:29:30 <sarang> The way it works is that signing keys are commitments to zero, and Pedersen amount differences are commitments to zero if the amounts balance (and you construct the commitments in specific ways)
19:29:48 <sarang> So you show that you (the signer) know the openings to these commitments
19:30:13 <sarang> The trick is to do this in a linkable way and take care of the signing and amount keys at the same time
19:32:05 <sarang> And now there are several distinct ways to do this, with different tradeoffs in size and time scaling and security: CLSAG, Lelantus, RCT3, Omniring, Triptych