14:31:25 <sarang> Hello all
15:07:24 <maybefbi> sarang: hi. is Pedro Moreno-Sanchez in this chat room?
15:07:47 <sarang> Not that I know of
15:09:32 <maybefbi> https://eprint.iacr.org/2019/595.pdf Figure 3, says the keygen process should generate a random bitstring m. but when someone opens a payment channel, who generates m and how would they share it with each other? im thinking of putting it in the signature.
15:10:59 <maybefbi> along with all the other ms from other signatures of course
15:14:46 <sarang> They're defined using hashes of public transaction data when generated
15:15:12 <maybefbi> hmm interesting
15:15:33 <sarang> This isn't made explicit in that figure, but is discussed at several other points in the paper
15:15:56 <sarang> Keep in mind, of course, that the DLSAG construction suffers from a tracing issue due to its linking tag construction
15:16:13 <maybefbi> oh i didnt know
15:17:26 <sarang> Yeah, I wanted that to be made much more upfront in the paper (it is mentioned, FWIW)
15:17:51 <sarang> This issue can be solved with a self-spend on receipt of funds, but this operation can't be protocol-enforced
15:17:59 <sarang> meaning it relies on user action for safety
15:18:21 <sarang> We've tried to replicate the functionality of DLSAG without linear linking tags, but have not found a solution yet
15:18:30 <sarang> (the linearity of the tags is what ruins things)
15:18:31 <maybefbi> ouch
15:18:44 <maybefbi> i already implemented a version
15:18:51 <maybefbi> should have read the entire paper first lol
15:19:12 <maybefbi> section 3.1 speaks of this tracing issue
15:19:42 <maybefbi> im assuming these self spends should be done using other signature schemes like CLSAG
15:20:29 <sarang> The issue is mentioned on page 6 and again on pages 23-24
15:20:39 <sarang> I really wanted it to be mentioned immediately
15:20:40 <sarang> :(
15:20:48 <maybefbi> its ok
15:20:54 <maybefbi> it is a fun exercise for me anyways
15:20:56 <sarang> No, the self-spends can use DLSAG
15:21:04 <maybefbi> oh ok
15:21:11 <sarang> Because then the sender and receiver of the self-spend operation are the same entity
15:21:34 <sarang> Of course, the timing of self-spends could lend itself to additional adversarial heuristics
15:21:43 <sarang> but that was not examined in the scope of the paper
15:21:58 <maybefbi> :(
15:22:34 <sarang> Although hidden timelocks do mitigate this somewhat :)
15:23:11 <maybefbi> i havent got to those in the paper. i assume it is like amount hiding but for block heights
15:23:32 <sarang> Yep, the timelock is hidden using a Pedersen commitment
15:23:40 <maybefbi> nice
15:23:45 <sarang> and the signature construction is further modified to account for this
15:23:57 <sarang> The hidden timelock construction could be used outside of DLSAG too
15:24:15 <sarang> It's been examined by a few researchers in the context of the current Monero protocol
15:24:42 <sarang> It would introduce a nontrivial addition to verification time, but is quite reasonable in terms of size
15:25:15 <sarang> but is a very clever approach
15:26:18 <maybefbi> im frankly amazed after reading Z2M2 by UkoeHB_ . all of it is very clever. mere mortals like me can only appreciate the music but never create it
17:51:56 <UkoeHB_> maybefbi: keep in mind Monero has been, and continues to be, developed in a very incremental fashion. Most complex human constructions materialize that way.
17:52:25 <sarang> We all stand on the shoulders of giants, as they say
17:52:45 <moneromooo> Better than on their feet.
18:24:44 <hyc> If I have not seen as far as others, it is because they were standing on my shoulders
18:25:14 <hyc> and blocking my view
18:27:32 <sarang> The lesson is to avoid wearing tall hats in theatres
19:18:35 <sarang> Omniring received a small but important update: https://eprint.iacr.org/2019/580
19:19:01 <sarang> Another researcher and I independently pointed out a problem with a particular inversion step that didn't work in the original paper
19:19:27 <sarang> They posted the update publicly last month after fixing this
19:20:20 <sarang> Always a bit of a feather-in-your-cap to be listed in the acknowledgements of a paper :D
19:25:22 <hyc> nice
19:28:16 <Inge-> cool
19:29:26 <Inge-> I guess this might be fairly tangential, but it would be quite cool if it was possible to have a Monero stablecoin. Unfortunately I can't think of a way to make it work
19:30:11 <hyc> what makes any stablecoin work?
19:30:28 <Inge-> the ability to sell it for the peg :P
19:37:07 <UkoeHB_> speaking of incremental improvements, it seems we can reduce the 48-byte Janus Schnorr proof to 32 bytes (or even 16 bytes); however... it is a bit messy since we still need 48-byte proofs for 2-out tx
20:18:43 <UkoeHB_> updated https://github.com/monero-project/monero/issues/6456, important part is Proposal Part 2 (new) method 3: 32-byte consolidated Schnorr proof. sarang would you mind taking a look? It's a new/unusual kind of proof dynamic
20:20:19 <UkoeHB_> Im wondering if we could reduce the 32-byte proof to 16 bytes (e.g. only use a 16-byte response, and 16-byte challenge) by constraining the tx private key to 16 bytes. Doing so would also reduce the 48-byte proof to 32 bytes.
22:03:39 <UkoeHB_> Yeah nvm, rather than unique it's just a convoluted way of encoding the tx private key. Now that I think about it, we might be able to do away with Janus proofs altogether and just use encoded tx private keys. What were the objections to encoding the tx private key in the past? knaccc
22:09:34 <niocbrrrrrr> the ignorant one is posting a link, hopefully it is meaningful
22:09:38 <niocbrrrrrr> https://twitter.com/SomsenRuben/status/1259880539907129347
22:09:39 <monerobux> [ Ruben Somsen ⚡️🇳🅾️2️⃣❎ on Twitter: "SAS: Succinct Atomic Swaps The #Bitcoin block subsidy is not the only thing that's halving today! A regular atomic swap takes 4 transactions. What if I told you w ] - twitter.com
22:28:21 <knaccc> UkoeHB_ i'm trying to remember, i guess you're saying you'd need to encode a tx private key per non-change output, right?
22:37:35 <UkoeHB_> Right, only costs 32 bytes at most instead of 48 bytes. Then for change outs modify how derivation_to_scalar is computed (e.g. prefix with the private view key) to make the non-change out's knowledge of the tx private key irrelevant.
22:38:58 <UkoeHB_> By doing that we wouldn't need an separate change tag to encode the amount, since the entire change output would be encoded with a change tag essentially
22:39:28 <UkoeHB_> It's kind of annoying, but the other option is 48-byte schnorr which is 16 bytes more expensive
22:39:29 <knaccc> i'm trying to think about implications for tx proofs when the tx private key is no longer only known to the sender
22:40:09 <knaccc> since there is the "here is another ring signature for the same key images being spent" tx proof, i guess maybe it's not a loss
22:40:21 <UkoeHB_> Yes OutProofs no longer prove you created an output, so you'd also need a SpendProof. However, solo OutProofs are still sufficient to prove about a recipient
22:40:41 <UkoeHB_> Unfortunately OutProofs would need a special construction for change outs, which is really annoying too
22:40:50 <knaccc> and one could argue that having many differnet types of tx proof was confusing anyway, so why not just have one type that is always used, regardless of whether you remembered the tx priv key or not
22:41:27 <knaccc> i'm trying to remember, currently, is there a different txprivkey per output?
22:41:48 <UkoeHB_> Only sometimes
22:42:07 <knaccc> >=3 outputs is where you have multiple txprivkeys right?
22:42:52 <UkoeHB_> In the new construction it would be that way yes, and in the current construction it's more situational
22:43:02 <knaccc> how is it done currently
22:43:06 <knaccc> what are the situations
22:43:37 <UkoeHB_> There are multiple tx private keys when there are at least 2 non-change outputs and at least one of them is a subaddress
22:44:46 <knaccc> it basically mirrors situations where there is more than one tx pubkey specified, right?
22:45:11 <UkoeHB_> Yes tx pub keys always have their own tx private key
22:47:25 <UkoeHB_> The tradeoff here is ~16 bytes per transaction vs a lot of development hassle
22:48:04 <knaccc> you're saying that encrypting and sending the txprivkey is more dev hassle than adding the janus schnorr proof?
22:48:27 <UkoeHB_> Yeah, due to 2-out tx where there is only 1 tx pub key
22:48:53 <knaccc> so what are you proposing in that scenario
22:49:06 <UkoeHB_> So change outs need a special construction that has broad repercussions
22:49:24 <knaccc> it does sound a little messy
22:50:45 <UkoeHB_> The basic problem is if I know the tx private key for someone else's output, then I could figure out who they are by testing known addresses.
22:50:46 <knaccc> so change output is Hs( Hs(a||r)A )G+B instead of Hs(rA)G+B?
22:51:10 <UkoeHB_> Yeah that's the gist of it
22:51:38 <knaccc> that doesn't sound like that much of a hassle
22:51:53 <knaccc> oh wait
22:51:53 <UkoeHB_> More like H(a, rA)G + B
22:52:06 <knaccc> ok i see
22:52:23 <knaccc> is there a scanning time implication therE?
22:52:26 <UkoeHB_> Well you have to keep track of change outs.. and then always apply the change out computation
22:52:55 <UkoeHB_> No, since we can use view tags
22:54:00 <knaccc> ah ok yes i see
22:54:01 <UkoeHB_> Also OutProofs need some massaging to get them to work
22:54:35 <UkoeHB_> Without revealing the view key
22:54:52 <knaccc> yeah it feels a bit messy, but it does the job
22:55:16 <knaccc> i'll see if i can think of any other implications of divulging the txprivkey
22:56:20 <UkoeHB_> I also wonder if we can use a smaller tx private key, maybe 16 bytes. At that point Janus mitigation would be very cheap
22:57:31 <knaccc> that sounds like playing with fire
22:57:33 <UkoeHB_> Hmm there may be a way around the change out nonsense by exploiting view tags
22:58:33 <knaccc> on what basis are you saying that a DH exchange would not need a full 32-byte scalar?
22:59:01 <UkoeHB_> Well I imagine 31 byte tx private keys would be ok, so is there a limit how small they can go? I wonder what sarang thinks
22:59:44 <UkoeHB_> More of a wondering and less of a real basis :p
23:00:23 <knaccc> i mean it does make intuitive sense to me that txprivkey=Hs(16 byte random scalar) should deliver a 128-bit security level actually
23:00:30 <UkoeHB_> And it only matters since it would reduce on-chain storage for the solution we are discussing
23:01:29 <knaccc> i think you are onto something
23:04:32 <knaccc> i guess it's a question of defense-in-depth and quantum resistance
23:16:04 <UkoeHB_> For the change output, instead of altering derivation-to-scalar which is a core part of the tx protocol, make a 'hidden tx pub key' deterministically from the encoded non-change tx private key + the tx author's view key. This is cheap because of view tags. There are 2 tags: non-change tag and change tag. First compute the sender-receiver shared secret like normal with k_v*R, then the two view tags H("view",
23:16:04 <UkoeHB_> k_v*R), H("view", k_v*R, k_v). If the former matches e.g. the first view tag in a tx, then set output index = 0 and check if the output is owned like normal. If it is owned then decode the tx private key and use it to check the tx pub key is legitimate. If the former matches e.g. the second view tag in a tx then set output index = 1 and compute the hidden tx private key r_hidden = H(r_encoded, k_v), and
23:16:04 <UkoeHB_> hidden tx pub key R_h = r_hidden*G, then compute the shared secret k_v*R_hidden and use that to see if the output is owned. If it's owned, the Janus test automatically passes.
23:20:44 <UkoeHB_> Anyway I'll update the proposal so it's more clear
23:24:34 <sarang> Reducing the complexity of private keys sounds unwise
23:30:04 <UkoeHB_> Regarding OutProofs.. I don't believe they work for all change outputs currently. Not that I can see a point to proving you sent yourself something
23:33:26 <UkoeHB_> The workaround is an InProof + SpendProof
23:35:05 <UkoeHB_> sarang idk how I feel about you crushing my hopes and dreams 😢
23:38:36 <sarang> Replace all signatures with a written promise that you didn't cheat :D
23:48:06 <sarang> knaccc: suppose you used `H(1 bit scalar)` as an extreme example...
23:50:24 <moneromooo> It seems hard to get an attack that's better than brute force.
23:50:55 <sarang> But if you're restricting your search space, brute force itself becomes easier