All you are 'fighting' for is e-penis of a guy you never met, that doesn't even have common decency to pay you for your time.

Do you think they care about Monero, or privacy or anything other than money?

I think everyone here knows that most Monero exchange withdrawals and desposits are traceable (Breaking Monero - poisoned outputs). How does it feel to go out and lie to people that they are private and then earn less than holding BTC on your bag?

Hey, I've got a quick question regarding Triptych and was hoping anyone on here could help me out with it:

In the protocol for parallel linkable one-of-many commitments (section 6) it uses the challenges $\mu_1, ..., \mu_{d-1}$ obtained from a hash / random oracle (obviously these challenges could alternatively be provided by the verifier instead).

Now my question is: what's the reason for each $\mu_\alpha$ being a separate challenge? Wouldn't it also work, if the verifier / random oracle only provides a single challenge $\mu$ and then using powers of this challenge, so $\mu_\alpha = \mu^\alpha$?

try emailing one of the paper's authors

<madhatter369 "Now my question is: what's the r"> IIUC I think this is what happens in practice, since a field multiplication should be cheaper than squeezing out another challenge from a hash function

However in theory/paper, it’s more about proving the protocol secure, which you use a random oracle for and concrete efficiency is not that important

Powers of a single verifier challenge should work fine as well

ok great, thanks :)

Note that this is just my intuition at this point; there would need to be a more careful analysis

did we discuss MProve back in 2018?

this doesn't ring a bell

was published in IEEE ieeexplore.ieee.org/document/8802437

“I thought, ‘I’m going to pump it and dump it,’ because I was interested and taking the ideas and implementing them in bitcoin. The bitcoin code base was far more interesting to me than monero, and I thought, ‘I’m not going to work on this codebase, it’s terrible,'” he recalls - fluffypony in an interview about Monero

how does cut through work?

hrm nvm, reading it. not what i expected

could u hash all the algorithmic inputs for triptych and then just do the verification required on those hashes?

though i guess even if that worked you'd still have to hash 64 or 128 or 256 things and then do the main math

hrmmm... i think im blending homomorphic encryption and hash functions maybe

Triptych relies heavily on the algebraic structure of inputs

Both the signing keys and the amount commitments

sarang: are these verification or signing times at the bottom? github.com/SarangNoether/skunkworks/blob/sublinear/triptych.md

Verification

I don't think I ever bothered with recording signing times, since they're one-off operations

okay good

are they comparable to these from the clsag paper?

No

CLSAG preprint is only the ring signature

That Triptych note includes range proofs, balance proofs, and signing zkp

oh so triptych is even better than how it appears comparing directly

The newer CLSAG performance tests include the balance proof, IIRC

So you'd just have to add in the corresponding batched range proof verifications

I tried to unify the perf_tests as much as reasonable

but I can pretty safely say triptych 128 is faster to verify than clsag 16?

unless those CLSAG numbers are unbatched

The CLSAG preprint does not batch

because CLSAG does not batch

got it

"but I can pretty safely say triptych 128 is faster to verify than clsag 16?" this is reasonably true then no?

I'd need to check if those numbers were on the same machine or not

If not, the wall times are meaningless

yeah that's a critical assumption

If you build from source, you can make perf_tests for whatever params you like

I've run these numbers before, but I don't recall if I stored the results :/

sgp_[m]2: do you get PMs from freenode accounts?

I should be able to

sarang you can set yourself to +R to block spammers

oh..

What ring size is being targeted for the Triptych upgrade?

~128

But not set in stone AFAIK

This is a placeholder.

I just needed one.

Ok, thanks.

Also, has anyone created a comparison table of all the new ring signature proofs from the last year or so? Triptych, CLSAG, RCT3, Arcterus(?), etc

It would be nice to see the tradeoffs and why Triptych was chosen over the others.

Just to keep up to speed

sarang or sgp_ would be the most likely to have something like that, I think!

sarang did, most are likely findable via github.com/SarangNoether/skunkworks

Thanks! I will dig through the branches and see what I find