04:31:57 <UkoeHB_> Im fine with moving transaction public keys and encrypted payment IDs out of the extra field, since we already have the precedent of putting the 'encrypted amount' in the tx structure (it's currently the only non-extra piece of a tx that is unverified aside from being part of the MLSAG messages; and I wonder if the encrypted amount length is even verified hmm). It still feels important to give non-standard
04:31:57 <UkoeHB_> 'freeform' usecases some kind of expectations so there is less variability for each in-the-wild feature. Implementers are less likely to be careless if they must keep track of a precise ruleset.
09:11:57 <tromp_> dumb question: how does Monero check that value is balanced between input and output Pedersen commitments?
09:12:49 <tromp_> does it also have a notion of blinding factor excess?
09:13:00 <UkoeHB_> please check chapter 5 and section 6.2.1 https://www.pdf-archive.com/2020/02/12/zerotomoneromaster-v1-0-25/zerotomoneromaster-v1-0-25.pdf
09:14:13 <tromp_> thanks for the pointer
09:23:50 <tromp_> page 43 says "If P = (x, y), −P = (−x, y)". shouldn't that be (x, -y) ?
09:24:47 <UkoeHB_> the citation is Bernstein's twisted edwards curve paper
09:26:03 <UkoeHB_> Bernstein section 2 "The inverse of a point (x1,y1) on E is (−x1,y1). "
09:26:43 <UkoeHB_> https://eprint.iacr.org/2008/013.pdf
09:30:21 <UkoeHB_> unless am I misunderstanding something ?
09:30:42 <tromp_> sounds like the x and y coordinate got swapped in that curve
09:31:01 <tromp_> Hence, she would be able to use this value as a commitment to zero, since she can make a signature
09:31:01 <tromp_> with the private key (xj − x
09:31:01 <tromp_> 0
09:31:03 <tromp_> j
09:31:05 <tromp_> ) = zj and prove there is no H component to the sum
09:31:22 <tromp_> hmm that paste came out weird
09:31:48 <tromp_> Anyway, right there is the essence of of Mimblewimble
09:32:33 <tromp_> RingCT might as well be called RingMimblewimble?!
09:33:21 <UkoeHB_> confidential transaction started with Maxwell's paper iirc
09:33:38 <UkoeHB_> so I imagine mimblewimble comes later
09:34:48 <UkoeHB_> https://people.xiph.org/~greg/confidential_values.txt
09:36:15 <tromp_> that paper lacks a date. curious to know when Greg first published on CT
09:37:43 <UkoeHB_> well this has a date :) https://web.getmonero.org/resources/research-lab/pubs/MRL-0005.pdf
09:41:00 <tromp_> accessed June 1, 2015
09:41:19 <tromp_> close to June 9 date of https://bitcointalk.org/index.php?topic=1085273.0
09:43:11 <UkoeHB_> in any case it was an important innovation for everyone
11:22:39 <monero-research-> tromp_: you need something like a leveled homomorphic trapdoor function for non-interactive tx with cut-through on mw
11:24:58 <tromp_> you can add non-interactive tx to MW by adding a bitcoin-style pubkey to every utxo as an extra spending condition
11:25:31 <monero-research-> yes, but not without changing concensus
11:25:39 <tromp_> weird; line i just typed disappeared?
11:26:11 <tromp_> oh, sorry, IRC client quirk; it appeared on small bottom section
11:28:01 <tromp_> you change consensus for recent tx; beyond the horizon you ignore the pubkeys. (it's a slightly different security model, assuming no deep reorgs)
11:28:53 <tromp_> i assume you saw the proposal by David Burkett?
11:29:07 <monero-research-> adding extra spending conditions is a slippery slope and its uncertain how it affects future attempts of breaking the tx graph
11:30:37 <monero-research-> yes, saw the proposal
11:31:06 <tromp_> i'm not in favor of adding it to Grin
16:17:16 <sarang> Initial work for hash function domain separation: https://github.com/monero-project/monero/pull/6338
16:17:34 <sarang> (no changes to format, only a common location for domain separation strings/chars/etc.)
19:51:10 <dburkett> Adding extra spending conditions, if not reusing public keys, should not have any affect on tx graph
20:19:15 <sarang> Thanks to n3ptune, I'm running some chain growth estimates for all the various tx protocols that are currently under study
20:20:12 <sarang> The goal is to examine the I/O distribution of the actual chain, and determine what the resulting total growth would be under each proposal (since different protocols have different I/O scaling that's tricky to directly compare)
20:20:21 <sarang> Very interesting initial results :D
20:20:29 <sarang> (I'm doing double-checks now)
20:21:12 <sarang> I'm looking at MLSAG, CLSAG, Triptych-1, Triptych-multi, RCT3-1, and RCT3-multi
20:21:35 <sarang> Right now I'm excluding Omniring due to issues with batching and (possibly) some problems with the algebra
20:22:15 <sarang> I'm also excluding Lelantus due to the issues with sender tracing and one-time addressing that have not been worked out yet
20:25:06 <sarang> (also note: the RCT3-1 numbers include a soundness fix not in the preprint that I backported myself from their RCT3-multi update)
23:17:12 <UkoeHB_> tromp: the original mimblewimble white paper cites Maxwell's CT ^.^
23:29:39 <tromp> right. the interesting quote from that CT paper is "If the author of a transaction takes care in picking their blinding factors so that they add up correctly". MW follows from not taking such care and realizing that he tx can be signed with the difference.
23:31:01 <tromp> it also takes a mental leap to have the sender and recipient interact in constructing that signature
23:42:36 <UkoeHB_> Monero's RCTTypeFull transaction type (deprecated, as it meant all inputs were at the same ring index) took the same approach. Section 5.6.1 https://web.getmonero.org/library/Zero-to-Monero-1-0-0.pdf