13:09:45 <fluffypony> https://old.reddit.com/r/Monero/comments/hms3m7/technical_question_on_key_images_in_the_blsag/
13:27:25 <UkoeHB_> The answer is linearity, a question discussed by the cryptonpte white paper
19:26:32 <sarang> PoPETs review of Triptych rejected for their conference based on it being incremental and more suitable for a workshop submission :/
19:26:41 <sarang> Good times
19:27:40 <sarang> They also wanted a more direct real-world implementation comparison, but I think that's less useful than what was included in the preprint
19:28:49 <sarang> The ESORICS blockchain workshop deadline is in just a few days, but it could still be a good destination given the scope recommendations
19:40:46 <sgp_> boo :/
19:50:29 <sarang> I'm definitely not going to code optimized versions of Omniring and RCT3 in exactly the same library as Triptych and Arcturus just for comparison, and trying to extrapolate from implementations elsewhere is basically meaningless
19:50:50 <sarang> The whole point of looking at operation counts is to avoid all of those things, so I completely disagree with the review on that point
19:51:30 <sarang> Can't really argue with "out of scope for what we want here"... that's totally up to the editors/reviewers
19:55:25 <sarang> For Arcturus there's an opportunity to address PoPETs reviewer comments, which tended to overlap those for Triptych
19:55:44 <sarang> Recommendations for workshop submission (i.e. not general enough, too incremental)
19:56:18 <sarang> One reviewer provided a supposed counterexample for the cryptographic hardness assumption that doesn't even work (I'm not sure they actually read the entire definition, or tested their counterexample...)
19:57:04 <sarang> Another reviewer made an interesting point that they considered the possible risk of a novel assumption not to be outweighed by the benefits of the new construction
19:57:18 <sarang> and that's certainly a reasonable opinion
20:23:27 <UkoeHB_> I mean.. wasn't RingCT implemented without a real security proof?
20:23:44 <UkoeHB_> What do they mean by incremental? I thought Triptych was a new system
20:58:03 <sarang> UkoeHB_: the MLSAG preprint never underwent formal review AFAIK, and the security model it (and the original LSAG paper) uses are extremely limited compared to more modern stuff
20:58:42 <sarang> Triptych is new, but it's in some sense an incremental improvement over the original Groth/Kohlweiss proving system that was used for a non-linkable ring signature construction
20:59:05 <sarang> I happen to think it's a bigger deal than that, because of the useful applications
20:59:12 <sarang> but that's a matter of opinion, I suppose
21:00:53 <sarang> FWIW one of the reasons CLSAG took so long to get right was the security model
21:02:17 <sarang> Getting things right under the assumption of malicious keys can get tricky
21:09:17 <sarang> It's worth noting that MLSAG almost certainly inherits the new CLSAG security model quite directly, so the fact that it was originally proven secure under a less robust security model shouldn't be an issue in practice
21:10:55 <sarang> Anyway, I'll make some of the Triptych edits recommended by the PoPETs review, update the document format (what fun), and submit to the ESORICS workshop
21:11:16 <sarang> I can't do the same to Arcturus since it's still under consideration for PoPETs
21:11:41 <sarang> Deadline for ESORICS is July 10, which should be plenty of time (he said confidently...)
21:19:25 <UkoeHB_> yay fun! :p
21:20:20 <sarang> In fact, the more I think about it, the more I think the workshop setting will be more amenable to how the preprint is presented
21:20:48 <sarang> Namely, as building the security model around an LRS definition, and then presenting the application using the multidimensional version
21:21:07 <sarang> we shall see