05:09:19 <maybefbi> UkoeHB_, sarang: I have implemented CSLAG like you mentioned in "Zero to Monero 2" (Z2M2) but I noticed a difference between the the prefixed hashes used Z2M2 and https://eprint.iacr.org/2019/654.pdf . In Z2M2 the prefixed used for hashes is CSLAG_c but in the IACR preprint the 0th hash function is reused for hashing messages
05:10:19 <maybefbi> So I have chosen to use the 0th hash function a.k.a CSLAG_0 prefixed hash function in my implementation here: https://github.com/edwinhere/zero/blob/master/src/main.rs#L798
05:10:26 <maybefbi> hope this is OK?
09:12:19 <UkoeHB_> maybefbi the CLSAG_c domain separation reflects a design goal that was not included in the IACT preprint; CLSAG coefficients must be different (by design) while also having the same content, which we accomplish with domain separation, while it is 'best practice' to domain separate all general uses of hash functions to avoid unexpected collisions
09:13:41 <maybefbi> UkoeHB_: noted
12:35:36 <maybefbi> Don't one time addresses (and their corresponding private keys) already make it hard to do chain analysis? I thought chain analysis worked based on the assumption that all inputs in a transaction belonged to the same wallet. And by accumulating enough input signatures we can figure out who owns them by linking one of the signatures to KYCed transaction like at a KYC exchange. But with one time addresses, and one time secret keys, no amount o
12:35:38 <maybefbi> f signature tracking will ever reveal which keys are in a wallet. Am I missing something here?
12:36:29 <maybefbi> So why we need MSLAG and CSLAG?
12:36:50 <moneromooo> That's one method, but there are plenty of others.
12:37:24 <maybefbi> hmm