New preprint that, like Triptych-2, uses an extension to Groth proofs (but in a different way and for a different application): eprint.iacr.org/2020/293

Crazy timing!

what is the status of Zether, do you know?

I do not know

sarang: was there any known problem with multi sender txes, apart from the privacy leak to other senders in the same tx ?

Under what transaction model?

(and the fact it might not adapt to lelantus/triptych/etc)

I'm asking with the current MLSAG system.

Do you mean back when we discussed MoJoin and similar ideas with MLSAG?

Ah

In the dealer-free version, an observer could determine the input/output mappings

Yes.

In the dealer version, there was the information leak to the dealer (and partial leak to other senders, since you know which inputs/outputs are not yours)

The idea that koe had removes this by adding additional communication requirements and data offsets

Oh, I missed that...

pdf-archive.com/2020/03/04/zerotomo…1-1-0/zerotomoneromaster-v1-1-0.pdf (page 114)

ty

^ proofreading draft

Any of the ideas would require some retooling of the bulletproof generation workflow

in addition to the signature stuff

Which next gen protocols would be capable of joint tx?

Have you checked potcoin

Sorry I couldn't help myself, carry on

I heard potcoin was doing research and development into joint txes

UkoeHB_: RCT3, Lelantus, Triptych have linear dependence on signing keys (outside of key images, which are nonlinear)

and therefore could be used in this way

It isn't clear what would be affected by Triptych-2, which takes a different approach to multi-index signing

I suspect it's possible to do multi-signer while keeping indices private in Triptcyh-2, but don't have a protocol for it yet

Oh, you also mean non-multisig joint signing, between unrelated parties

Triptych-1 definitely works for that as well, since it uses separate proofs per index

"I suspect it's possible to do multi-signer while keeping indices private in Triptcyh-2" <- oooooh, that sounds very interesting...

er... is multi-signer multisig (everyone signs all inputs) or multi sender (everyone signs their onw inputs) ?

Yeah, I had specifically examined multisig in the context of single keys produced collaboratively (multisig) for Triptych-2, but less about jointly-constructed txs

It would be a good addition to the preprint

The secret indices come into play with some particular commitments and polynomial coefficients, the signing keys are used in a linear combination with offsets that could probably be done safely between parties, and the output commitments appear similarly

Sounds like a fun problem :D

Interesting new preprint: eprint.iacr.org/2020/289

There had been some early interest in Jacobians of hyperelliptic curves for unknown-order constructions, but this calls the practical security and efficiency into question

RSA and class groups are other options, but either lack good size efficiency or require trusted group parameter setup

The idea behind the 00% was to keep some incentive for the the use of more than 2 output txs (smaller size) while pricing as much as possible the linear with number of outputs verification time

ArticMine: remind me, was the specific 80% value arbitrary?

(I haven't reviewed my logs for the conversation on this)

I don't recall there being a deterministic reason for 80% exactly

It was arbitrary

ok, thanks

^ UkoeHB_

It comes down to relative weight one gives to verification vs size

yep

UkoeHB_ had asked earlier about the specific value

I didn't recall if it was arbitrary or not

One in principle could make it deterministic if one cold measure the relative impact on the network of a size attack vs a verification attack

80% seems ok as a ballpark of a more deterministic estimate

The world of safety factors is a lot of intuition lol