what would happen if there was no pseudo output commitments ?

and we used the output commitments instead?

you would have to use the RCTTypeFull transaction type, which was deprecated in protocol v8

it was deprecated because real inputs have to be clustered together (same indices in input signatures)

FWIW some of the next-gen transaction protocols don't require them

UkoeHB_, sarang: can i ask tari questions here? I checked and they dont use MSLAGs or any ring signatures. why did they walk back?

they just use commitments and range proofs

There's a #tari{,-dev,-resarch}. And AFAIK they never used MLSAGs or ring signatures.

interesting

yeah the other channels are best

Good news; I have a call scheduled with Teserakt (the auditors for CLSAG recommended by the audit workgroup) next week to discuss the scope of an audit

They tell me that they would able to conduct the audit in mid-June

nice

One thing not currently included in CLSAG (but very easy to add) is subgroup checks for ring members

This was suggested a long while back, but IIRC did not receive support due to increased sync times

Opinions on this?

doesn't seem to gain us much?

Well, it's technically necessary for the security proofs to hold

but there are no issues in practice AFAIK

Anyway, thought I'd bring it up again as the audit gets underway for CLSAG