00:10:19 Anyone want to play Moneroversary games
00:10:39 sarang suraeNoether Isthmus knaccc? :D
00:11:00 ?
00:11:17 We're looking for people to play Moneroversary games (see -community)
00:11:23 Thought I'd query the MRL
00:12:06 The ivory tower looks awfully boring
02:05:39 knaccc about the real_index_tag idea for inputs: unfortunately someone with the view key could fool you into believing one of your outputs has been spent; that problem is what killed my original idea for the same effect
02:06:37 https://github.com/monero-project/research-lab/issues/58
11:36:16 yeah the real_index_tag is far from a perfect solution since it can't tell you if you've had funds stolen (if the thief is smart enough to fork the wallet and mangle the real_index_tag). i do still think it has utility, but it's imperfect enough that i wouldn't waste any effort defending it
12:36:42 i see it as a very cheap way of getting extra functionality. on a 2-in 2-out tx, the cost would only be 1 byte
13:38:59 Even beyond a thief, if someone gets your view key they can fool you into thinking your outputs have been spent
13:41:05 So... you could fool a thief into thinking your outputs have already been spent?
13:52:32 people other than thieves might have your view key ^.^
14:34:13 the way i see it, we already have to warn people anyway when they create a view-only wallet that they cannot trust the balance. so if we're having to warn them anyway, why not at least try to make the balance appear more sensibly
14:37:46 well there is a more reliable way, generating fake responses deterministically based on your view key, which reveals the true index
14:46:59 That of course requires all your wallets to do this
14:47:22 But does work very simply
14:50:49 what is "generating fake responses deterministically based on your view key"?
14:57:48 You can use a hash input seed value in MLSAG/CLSAG signatures to later recover the signing index: https://github.com/SarangNoether/skunkworks/blob/clsag/clsag/clsag.py#L62
14:58:13 You can't trick it into thinking a different index is the real signer, but it only works for identifying spends reliably if all your wallets generate scalars this way
14:58:38 (in that code example, the seed is whatever you choose to provide)
15:03:17 oh very cool
15:07:24 You could do a similar thing in Triptych, or could use the seed approach to store up to 64 bytes of arbitrary hidden data
15:07:59 https://github.com/SarangNoether/skunkworks/blob/triptych/triptych/triptych.py#L120
15:08:40 These approaches are neat because they don't imply any extra overhead on the network
15:08:57 only on clients that choose to parse for the data
15:09:41 The MLSAG/CLSAG approach does require to test up to `N-1` hash-to-scalar operations
15:11:01 In Triptych you can avoid this by storing the index as a hidden value and setting the index matrix mask to a deterministic pseudorandom value for testing
15:11:36 So you'd recover the index via a single hash operation (and some easy scalar operations), and then test the matrix commitment