08:02:36 sarang: I see, thanks 15:35:08 As far as I can understand the results of the preprint sarang linked late last night, things look pretty good for what Monero successively implemented over the last 3 years. 18:11:56 sarang: for Arcturus, with one shared ring for each signature, if there are 10 inputs and eg ring size 256, would there be 2560 total ring members? Rather than 256 total ring members. 18:18:35 In your example, only 256 outputs would be referenced/used for the anonymity set 18:19:08 Arcturus proves that the signer controls a subset of the anonymity set (along with other statements relating to linking tags and balance), rather than a single element of the set 18:19:56 The idea is that it replaces a signature _per spend_ with a signature _per transaction_ 18:20:32 Instead of `k` separate 1-of-`N` signatures, it's a single `k`-of-`N` signature 18:23:14 UkoeHB_: worth noting that there's nothing stopping you from making a rule that, say, higher-`k` signatures must have higher `N` too, or something like that 18:23:25 The security model says nothing about this 18:28:02 Im just thinking about verification/scaling for N/k. 18:29:26 Note that `k` separate Triptych 1-of-`N` proofs scale roughly the same as a single `k`-of-`N` Arcturus proof (for reasonable `k`) 18:29:33 in verification time 18:29:34 not in size 18:29:59 Verification depends almost entirely on the number of group elements involved 18:30:16 and if you use a common anon set in Triptych, you're not adding that many new generators (but you are adding some per proof) 18:30:35 For reasonable `k`, though, that's mostly overshadowed by `N` >> `k` 18:31:04 So the more outputs someone spends in a tx, the more likely they each ring member is to be actually spent ? 18:31:34 ie, if someone spends 128 outputs in a tx, we know they're all spent ? 18:31:37 er, 256. 18:31:49 ah so in Triptych you can get a lot more ring members total for the same verification cost? 18:32:18 e.g. with >2 inputs 18:32:18 moneromooo: this would be the same as if you had a 256-spend transaction with the same 256 ring members across all signatures 18:32:36 UkoeHB_: Triptych and Arcturus have essentially the same verification cost 18:32:48 Such a ring would mean we know the'yre all spent. So I'll take htat as a yes. 18:34:23 moneromooo: yes; if `k` == `N` in Arcturus, all members of the anon set would be known to be spent in that transaction (assuming unique linking tags etc.) 18:36:57 UkoeHB_: you can compare the relationships between `k` and `N` with the performance tests in my `monero/arcturus` and `monero/triptych` branches 18:37:09 Those also include balance proofs 18:40:05 UkoeHB_: does that explanation make sense? 18:40:15 yeah I think I got it 18:41:32 It's kinda like in Bulletproofs, how multiple proofs have a common portion and a per-proof portion 18:41:48 and provided that the common portion is much larger than the per-proof portion, batching is beneficial 18:41:54 *more beneficial 18:42:03 It's similar in Triptych verification with a common anon set 18:42:39 right, Im just thinking about binning techniques and the differences between Arcturus and Triptych 18:42:45 Any time you have linear combinations to zero with common generators, you can batch and see a benefit 18:43:00 Yeah, I had asked about that a while ago and have had it in the back of my mind for a while 18:43:35 FWIW Triptych still works fine if you use separate anon sets per spend, but of course you lose basically all the benefits of batching 18:43:52 (not entirely due to how multiexp works, but almost entirely)