-
araswoswi
[Global Notice] Hello, freenode will be undergoing maintenance 3 hours from now. Please disconnect from this network, connect to irc.quakenet.org, and join #Quakenet for updates, otherwise, you may be k-lined permanently from freenode. Thank you. -freenode staff
-
sarang
orly
-
Inge-
Dump all your monero and buy zcash NOW - or we will ban you from the XMR network permanently. Thank you. -xmr staff
-
sarang
How goes it with people today?
-
sarang
I'm still working on preprint preparation for Triptych-2, getting all the necessary background material in place and tidied up for posting to the IACR archive
-
UkoeHB_
hi, starting final edits for proofreader draft
-
sarang
That's great news!
-
UkoeHB_
yeah im debating making a reddit post to ask for proofreaders, but it might be too aggressive. Not sure how many people (if any) will actually proofread
-
UkoeHB_
aside from me lmao
-
sarang
Heh
-
sarang
I will be glad to proofread if that's helpful to you
-
sarang
And I will get you the bulletproofs stuff you wanted, promise
-
UkoeHB_
:)
-
sarang
I'm just on a roll today with the boring parts of the Triptych-2 preprint (introductory material, background, definitions, etc.)
-
sarang
but I figure that putting it on IACR is a good way to encourage more eyes on it
-
sarang
especially given the new hardness assumption that it appears to require
-
sarang
(which may reduce to something better; unknown)
-
UkoeHB_
ah did you solve that problem you mentioned earlier?
-
UkoeHB_
or was that tryptich-3
-
UkoeHB_
triptych
-
sarang
The soundness question?
-
sarang
It's sound up to a particular non-standard hardness assumption that's related to DL
-
sarang
I think the assumption is reasonable, but untested
-
sgp_
Reddit would be best for people proofreading syntax, spelling, etc
-
sarang
Triptych-3 is the name I gave to the version that supports timelocks
-
» sarang is not good at naming things
-
UkoeHB_
Tritriptych
-
sarang
The general form of a triptych is called a polyptych, but that sounds awful
-
sarang
Any ideas for the version I'm writing now, that supports single proofs and balance assertions for multiple inputs at the same time?
-
sarang
Right now my draft uses "Triptych-2", but that's hella dull
-
sarang
In my code it's called triptych-multi, but that's also dull and not very informative
-
UkoeHB_
triptych basic?
-
sarang
I use the variable `w` as an index across spends... Triptych-w sounds kinda cool
-
sarang
"The w stands for WOW"
-
UkoeHB_
this crypto_ops_builder folder always confuses me; is ref10CommentedCombined what's used throughout the code base?
-
UkoeHB_
lmao triptych-wow
-
sarang
The crypto-ops and crypto libraries are the ones referenced for rct ops
-
sarang
(with wrappers in ringct)
-
UkoeHB_
right but there is also ref10 with the same stuff in it
-
suraeNoether
sarang: unblocking clsag. please check again the reremain.tex document. like every schnorr-based signature in the world, we are back to k-OMDL, rather than usual DL. The variant of the k-OMDL game I present in the paper with all non-zero coefficients is provably equivalent to the usual k-OMDL game, so it's not particularly exotic. I think this is the draft i want to submit, excepting 1) bibliographies
-
suraeNoether
need to be merged with previous version, 2) your agreement that the proofs and defs seem to be correct, 3) any other copy-edits you want, and 4) we need a discussion section interpreting unforgeable + acst linkable + pigeonhole linkable + linkably anonymous all at once, to show that by relaxing our forgery definition slightly we haven't lost any power over Bender's definitions (assuming the other
-
suraeNoether
security definitions hold)
-
suraeNoether
brb to tackle the next thing i'm blocking
-
suraeNoether
i hate blocking stuff, i love unblocking it
-
sarang
roger
-
UkoeHB_
hey knaccc do you know why hash-to-point for the ringCT second generator is different from hash-to-point for key images?
-
UkoeHB_
the second generator H = ge_frombytes_vartime(cn_fast_hash(G)), while key images are KI = ge_fromfe_frombytes_vartime(cn_fast_hash(K))
-
UkoeHB_
(with a mul8 in there)
-
Isthmus
When nodes receive a txn is there any validation of output index range before it is put in the mempool?
-
Isthmus
Or could I make a bogus ring signature that references output 99999999 when there are currently 15258733 outputs and temporarily clutter up the mempool?
-
Isthmus
I assume it would get dropped after a bit?
-
moneromooo
Yes and no, respectively.
-
moneromooo
That was typed before your third question.
-
UkoeHB_
aren't tx validated before being added to mempool? so ring sigs have to verify to qualify
-
Isthmus
Cool, thanks :- )
-
knaccc
UkoeHB_ only 50% of random 256-bit sequences can be successfully interpreted as an EC point, and so they got lucky when they came up with a NUMS value for H by just interpreting a hash of G as an EC point. Hp for key images (i.e. key image = xHp(P)) can't afford to come up with invalid EC points 50% of the time, so the Hp() function there needed to work for any hash produced
-
UkoeHB_
right, but Hp has been around from the beginning; was there some reason it wasn't used to produce H?
-
knaccc
good point
-
knaccc
i'll think about it
-
sarang
I assumed it had simply been an oversight during the RingCT design, but I don't know for sure