02:05:00 <gingeropolous> is the problem solved with a ringsize 1024
02:05:44 <gingeropolous> cause sometimes i convince myself it is, but then i think of the iterative thing
02:17:14 <gingeropolous> <knaccc> we kept coming back to the fundamental problem that your outputs just aren't ever used as decoys much, if at all. <<< i mean if this is the case, i dunno whats gonna augment this besides order of magnitude changes in ringsize
02:18:00 <gingeropolous> in 2018 there was no triptych or arcturius.... lets do it
02:26:40 <Isthmus> What fraction of outputs never showed up in a ring?
02:27:08 <Isthmus> (within some arbitrary window)
02:27:43 <knaccc> gingeropolous the problem is, even at ring size 1024, you have tens of millions of outputs to choose from, so getting outputs owned by the same set of users appearing in all 3 branches (in my diagram) is just not going to happen
02:27:58 <knaccc> Isthmus actually i misremembered, most outputs are used
02:28:37 <knaccc> Isthmus https://paste.debian.net/plain/1156115
02:29:07 * Isthmus is pleasantly surprised
02:29:28 <knaccc> so yeah actually 100% coverage is so good there that i wonder if that can be right...
02:29:38 <knaccc> hmm
02:29:44 <knaccc> looks too good to be true
02:30:13 <knaccc> all but 8 out of 27120 were used at least once
02:32:13 <knaccc> it's as if someone pumping monero was running a script to artificially inflate the tx count, knowing that spamming 100k txs only costs $140
12:19:57 <gingeropolous> now who would do that
12:49:56 <sarang> Hello all
12:50:05 <sarang> Looks like a lot of discussion about churn this past weekend
12:50:27 <sarang> I'll catch up today (but will be away for a few hours for an appointment)
14:00:46 <sgp_> needmoney90: I haven't looked at the numbers, but shouldn't churn behavior be relatively well hidden for a few churns given the relatively hasty selection algo? Maybe not for dozens of churns, and probably not for even >2,3 if done every 10 blocks exactly or something
14:01:26 <sgp_> knaccc: paste expired; can you reshare please?
14:04:54 <sgp_> disregard my earlier comment
14:08:01 <sgp_> what is the difference between the count and chain length numbers?
14:08:51 <knaccc> sgp_ 90-day expiry on this one https://paste.debian.net/plain/1156229
14:09:04 <knaccc> count means nubmer of times an output is referenced by another (in a ring)
14:10:06 <knaccc> chain length means for each output, what is the maximum length of any chain that follows that output (due to other outputs referencing it in a ring, and other outputs referencing the results of those rings, and so on)
14:11:12 <sgp_> knaccc: that's really clear, thanks
14:13:46 <knaccc> sgp_ oops sorry, it may have been clear ,but also wrong :)
14:13:49 <sgp_> it would be sweet if there was a way to extrapolate these with diferent ringsizes using the selection algo
14:13:56 <knaccc> it's the preceeding chain
14:13:57 <sgp_> haha
14:14:16 <knaccc> so you take each output, and you go backwards as far as you can in the chain
14:14:33 <knaccc> so did it reference any outputs, and did those outputs reference outputs, etc
14:15:20 <sgp_> ah, I read it that way anyway haha
14:17:13 <knaccc> one aspect of this proposal, the instant-on, hasn't been commented on: which is whether there is acceptance that monero will hit a wall if it gets 10x the daily tx volume or beyond, because people simply are not going to want to wait 12 hours to sync their wallet each time they start it, and it'll be too much of a hassle to use
14:20:45 <knaccc> instant-on would be transformative for monero
14:28:03 <real_or_random> sarang: is that relevant to monero (e.g. for checking incoming txs)? https://twitter.com/hashbreaker/status/1282300847607578625
14:28:13 <sgp_> knaccc: instant-on?
14:28:16 <real_or_random> ah no, probably not
14:28:20 <real_or_random> hm
14:29:32 <real_or_random> not sure, I don't know remember how this this works in monero :D
14:34:55 <knaccc> sgp_ yeah that's one of the biggest upsides - you don't have to expensively scan the blockchain with your wallet if your incoming outputs are tagged with subaddress hashes. so monero wallets can be instant-on, like electrum
14:36:08 <knaccc> if you didn't know about the instant-on thing, maybe you didn't see the github mrl issue?
14:38:36 <hyc> which issue?
14:39:07 <hyc> if you can tag outputs, can you tag them with amount encrypted by viewkey, so that view-only wallets can see outgoing txn amounts?
14:43:46 <knaccc> hyc this one, with the diagram explaining iterated-eabe https://github.com/monero-project/research-lab/issues/75
14:43:50 <sgp_> knaccc: I've just had a super busy weekend buying a car and moving haha
14:43:58 <knaccc> oh nice, porsche?
14:44:16 <sgp_> Lmao nah, Kia Forte
14:44:23 <hyc> lambo or get out
14:44:45 <knaccc> actually that forte looks pretty nice
14:45:31 <knaccc> hyc the purpose of tagging is so that other people can correlate outputs as being owned by the same subaddress
14:45:57 <knaccc> but sure, you could tag with other stuff too
14:46:32 <knaccc> the main thing is you can't rely on a thief tagging it, in order to notice the theft
14:46:56 <knaccc> which is why i think people have not considered something like what you propose
15:01:36 <hyc> it can be forced by consensus
15:01:53 <hyc> if the tag is missing or incorrect, reject the tx
15:03:14 <sarang> The network can't enforce encryption with a key it doesn't know
15:03:24 <sarang> It can certainly require a tag be present
15:44:04 <gingeropolous> well, instant on if there's a server doin the work for yah
16:15:01 <hyc> still not instant-on, you still need to scan all the blocks that are newer than the last time you were online
16:15:14 <hyc> you're just making the output detection operation faster
16:17:52 <sgp_> yeah afaict "instant-on" is a little bold (maybe it's fine for marketing), but faster is better :)
16:18:23 <hyc> hard to say that it will be a noticeable improvement for majority of users
16:18:49 <hyc> everyone with compute access has cheap access to relatively fast CPUs
16:18:56 <hyc> they don't all necessarily have access to fast internet
16:19:17 <hyc> the block scan may not be improved at all, if the network was the bottleneck
16:21:36 <hyc> and frankly, making outputs readily identifiable to 3rd parties seems insane
16:22:53 <sgp_> I agree on the limitations part, but in my experience CPU has always been the bottleneck for syncing
16:23:27 <sgp_> maybe that isn't the case on some high-end desktop CPUs
16:25:42 <hyc> syncing daemon or wallet?
16:26:21 <sgp_> you're right I was thinking daemon, but I also think this applies for wallet sync? I'm only 75% sure about that one
16:27:10 <moneromooo> knaccc wanted to have the wallet tell the daemon "gimme outputs with a tag in the following list".
16:27:32 <moneromooo> So the daemon would do the work. And be able to tell even more about the wallet.
16:27:51 <moneromooo> And you know people would also trust a stranger's daemon for this.
16:27:52 <hyc> ohh, didn't realize he moved the entire scan to daemon side
16:27:55 <hyc> that's also nuts
16:28:14 <moneromooo> Not the scan, just a preliminary filter. Also asking for tags that are not yours.
16:28:16 <hyc> sorry I can't believe anyone is giving serious consideration to any of this
16:28:36 <sgp_> hyc: I think the tradeoffs are too significant personally
16:28:59 <sarang> OK, back from my appointment
16:29:10 <sarang> Hooray for healthy eyes
16:29:14 <sarang> Boo for those eye drops
16:29:49 <hyc> even the notion of using a 32bit hash as the tag. so you collapse the 128bit key space down to 32 bits. that helps attackers as much as it helps legit wallet owners
18:20:08 <knaccc> hyc i don't think there is an attack on 32-bit hashes that wouldn't also apply to 512-bit hashes. re: scanning, the daemon would provide a bloom filter to the client. the client then knows which blocks it needs to request, and will over-sample blocks to avoid giving too much away
18:21:26 <knaccc> but you could, of course, also request all blocks. and you'd have no CPU problem
18:21:40 <knaccc> i don't see how monero can survive if tx volume goes up my more than 10x
18:22:03 <knaccc> syncing a wallet takes forever if you don't leave it running all the time
18:22:40 <selsta> do you mean with a remote node?
18:22:58 <knaccc> yes, nodes will provide bloom filters to anyone that asks
18:22:59 <selsta> because it doesn’t take too long when using a local node IMO
18:23:10 <moneromooo> Did you not have an idea about the sender brute forcing keys so the prefix/suffix could be used to discard 1/256 of incoming outputs ?
18:23:55 <moneromooo> 255/256
18:24:01 <knaccc> mooo i had an unworkable variant of that years ago, UkoeHB_ had a working one recently
18:24:16 <knaccc> but that discards 255/256 of scalarmultbases
18:24:24 <knaccc> you still always have to do the first variable-base scalarmult
18:25:28 <moneromooo> It seems plausible that one could skip outputs outright.
18:25:47 <knaccc> moneromooo i'm not sure i understand that sentence
18:26:07 <moneromooo> Why do you need to do a scalarmult in the first place ?
18:26:21 <knaccc> so that only the recipient knows the tx is for them
18:27:05 <moneromooo> Why does "so that only the recipient knows the tx is for them" imply "have to do the first variable-base scalarmult" ?
18:27:34 <knaccc> they could be advised of the location of the received funds out-of-band
18:28:10 <knaccc> but if it has to be done within the blockchain, there have been no alternative ways found, so far
18:28:12 <moneromooo> If the key prefix is set to, say, the first byte of some data in the tx prefix encrypted with the destination subaddress' pubkey. Nobody knows that except sender and recipient.
18:28:38 <luigi1111w> anyone with that address would be able to decrypt
18:28:39 <moneromooo> Ah, but the recipient still has to encrypt tht.
18:28:57 <moneromooo> Yes, and that's only sender and recipient ideally :)
18:29:09 <luigi1111w> sure but that's knaccc's idea I think
18:29:16 <luigi1111w> using the public address
18:29:35 <luigi1111w> (this is not like rsa public key encryption at all)
18:29:40 <moneromooo> Hmm. Alright.
18:30:21 <knaccc> moneromooo so yes, the subaddress-hash proposal effectively means that only the holder of the destination address can know if an output was destined for that address
18:30:36 <knaccc> and if it's one subaddress given out to each sender, that does preserve privacy
18:31:27 <luigi1111w> if you have end to end encryption on the out of band communication, etc etc
18:31:37 <knaccc> right
18:35:21 <knaccc> hyc don't get me wrong, i'd be horrified if everyone just said it was a great idea and started coding it. it will take a lot of thinking about. i'm just trying to spark some ideas, and at least get consensus over the severity of intersection attacks that make a mockery of untraceability, and of the wall we'll hit one day with tx volume
18:38:49 <moneromooo> Hmm. What would you say if I'd started coding it...
18:50:22 <hyc> you'll get my attention when it's deployed on the mooonero testnet
19:05:23 <sarang> Updated version of FROST, the threshold signature construction from Zcash Foundation research: https://eprint.iacr.org/2020/852
19:30:14 <knaccc> haha genuis reverse psychology my mooo. i retract everything!
19:33:38 <moneromooo> I didn't.
19:43:25 <knaccc> by* mooo
19:46:07 <knaccc> i really do think i'm at least onto something though, about the correct unit of anonymity perhaps needing to be wallet-level rather than transaction-level, due to the intersection attack
19:53:36 <sarang> It's certainly an interesting way to look at the "level" of anonyimity
20:07:54 <hyc> I suppose it was wallet-level before the intrduction of subaddresses
20:29:13 <tevador> wallet sync is not that slow, I did a rescan of 3 years of transactions in about 20 minutes yesterday
22:21:08 <knaccc> hyc what i mean is that even prior to subaddresses, the anonymity set of each transaction was considered separately from the anonymity set of any other transaction made. so the change in thinking would be to start choosing decoys patterns across all transactions, rather than per-transaction.
23:47:45 <UkoeHB_> not sure if this has been mentioned, but it seems like a malicious actor could inject outputs with fake subaddress tags to pollute specific individuals' rings