04:10:25
chrisv011:
Can anybody help with a https://www.supportxmr.com/ question?
04:25:02
ravfx:xmr.mx:
https://dontasktoask.com/
06:10:50
cyrix126:gupax.io:
@ravfx:xmr.mx: That's like https://nohello.net
06:12:02
ravfx:xmr.mx:
indeed
17:55:12
kaigoh:gohegan.uk:
Just out of interest, is there a stagenet / testnet version available with FCMP and Carrot up and running? I'm just filtering through all of the nonsense doing the rounds in the usual places and had a thought: if there is a test version out there, can't the FUD be completely and totally thrown out by a simple demo of a new wallet and the data the new view key would make visible?
18:00:23
intr:unredacted.org:
I think you gotta be in #monero-stressnet:monero.social
18:01:35
selsta:
monero stressnet currently does not have Carrot implemented afaik
18:01:49
intr:unredacted.org:
oh
18:04:01
munching:unredacted.org:
omfggg it's clearly not that. these people don't know anything about monero
18:12:24
plowsof:matrix.org:
#monero-stressnet:monero.social
20:09:43
DataHoarder:
It has carrot transaction output format implemented
20:10:02
DataHoarder:
Not the wallet new scheme
20:27:34
monerobull:matrix.org:
What is mav smoking
20:27:36
monerobull:matrix.org:
https://mrelay.p2pool.observer/m/matrix.org/cAFElrKcdmxalqcaNXxrCWTo.png (31483.png)
20:31:54
shitpost:monero.coffee:
I need the view key update, I don't want to plug trezor every time I want to check my balance
20:32:14
DataHoarder:
https://xcancel.com/fluffypony/status/2015684629479510514
20:33:39
Lost_Puppy:
I guess that's not happening now, but I wouldn't be opposed to it.
20:33:50
DataHoarder:
what is not happening now?
20:34:09
Lost_Puppy:
If new users come and want to share their transactions, let them. I'm not going to do it.
20:34:18
DataHoarder:
There was no hardfork to add this, it's not even in the codebase test
20:34:39
Lost_Puppy:
yea, i mean it is dead as a conversation
20:34:55
DataHoarder:
There was never an automatic conversion
20:35:11
Lost_Puppy:
You are missing the point!
20:35:46
Lost_Puppy:
I'm saying... as long as it doesn't compromise my anonymity, I don't care, others can share their transactions.
20:36:20
DataHoarder:
Indeed, but they can also still do so
20:37:31
Lost_Puppy:
you can share proof of transactions with Monero?
20:37:36
DataHoarder:
Yes.
20:37:42
DataHoarder:
One sec.
20:37:43
DataHoarder:
Next MRL meeting is adding Carrot to the discussed items and also OVK. If you want to observe these AFAIK it'd be Wednesday at 17:00 UTC @ #monero-research-lab and on https://libera.monerologs.net/monero-research-lab (it's a research focused channel, so direct questions or other items are better left for lounge or general monero channels)
20:38:18
DataHoarder:
Lost_Puppy: view keys already exist, tx keys already exist, and directly InProof/OutProof can be made
20:38:41
DataHoarder:
https://www.getmonero.org/resources/user-guides/prove-payment.html
20:39:11
DataHoarder:
These exist cause I could claim I sent you coins on a P2P exchange but you are lying. This allows the sender to prove they sent the coins to you, or for you to show its proper reception
20:39:56
Lost_Puppy:
Oh, thanks. Didn't know about that. It's been a while since I've held it.
20:40:10
DataHoarder:
The view key is geared towards cold wallets and chosen auditors for businesses, so you don't have to hand out spend keys to your entire wallet or have these online
20:40:12
Lost_Puppy:
Looking more and more into it with the latest price action.
20:41:16
DataHoarder:
for example, the Monero general fund shares their view key. With that, we can decode incoming (and parts of outgoing) outputs https://blocks.p2pool.observer/tx/53084115a175428ae1f423a96816f6b5f1072e13012de8d52011fc296b90f614
20:41:36
DataHoarder:
we still don't know where the funds go to, even full view keys don't say that
20:42:04
DataHoarder:
after FCMP++, you also can't do output or ring tracing to statistically take a guess at the source
20:43:00
intr:unredacted.org:
@monerobull:matrix.org: the way he cropped up out of nowhere with the view-botted "sieg heil, also, buy monero" posts, and now this... lmao
20:43:03
intr:unredacted.org:
I dunno man
20:43:05
DataHoarder:
Carrot (the wallet one) also allows your internal history of change outputs and self-sends (your wallet history, attribution) to be kept private even against quantum adversaries https://github.com/jeffro256/carrot/blob/master/carrot.md#221-internal-forward-secrecy
20:44:36
DataHoarder:
Also shared a nice overview https://mrelay.p2pool.observer/m/gohegan.uk/tIxkJWnZuzmIFmmRSFojQxsd.png but it fails to split the tx format (what is being hardforked, and that legacy wallets also will use and benefit) from carrot wallet (which is what has OVK, or Jamtis later down the line, which is the Post-Quantum scheme currently developed)
20:44:43
Lost_Puppy:
Thanks for the info. I'll do some homework.
21:00:32
intr:unredacted.org:
@shitpost:monero.coffee: me too.
21:00:38
intr:unredacted.org:
let alone "paper" wallets
21:03:50
shitpost:monero.coffee:
our CCS wallet keepers would have known the monero funds were stolen earlier, not months later :D > <DataHoarder> we still don't know where the funds go to, even full view keys don't say that
21:03:51
shitpost:monero.coffee:
well actually everyone would have known it
21:05:15
DataHoarder:
you can even tell the drainage https://blocks.p2pool.observer/tx/ffc82e64dde43d3939354ca1445d41278aef0b80a7d16d7ca12ab9a88f5bc56a
21:05:37
DataHoarder:
as you can tell when outgoing are made
21:22:48
albertlarsan68:albertlarsan.fr:
DataHoarder: Is it normal that this page says "Part of the CSS Wallet Drain Incident."?
21:22:58
DataHoarder:
22:04:42 <br-m> <shitpost:monero.coffee> our CCS wallet keepers would have known the monero funds were stolen earlier, not months later :D > <DataHoarder> we still don't know where the funds go to, even full view keys don't say that
21:23:00
albertlarsan68:albertlarsan.fr:
https://mrelay.p2pool.observer/m/albertlarsan.fr/XbqFKxpMDNrZmmrqHpVmEeNp.png (image.png)
21:23:09
DataHoarder:
it's in response to that
21:23:21
DataHoarder:
I added annotations to the transactions that did the sweep out
21:23:42
DataHoarder:
follow the link to the blog (from 2023)
21:23:49
albertlarsan68:albertlarsan.fr:
It says CSS, not CCS
21:24:12
DataHoarder:
well, then THAT is the issue as usual
21:24:14
DataHoarder:
see plowsof you are not the only one that does CSS :P
21:24:46
DataHoarder:
that always preys on our minds albertlarsan68 :)
21:24:52
DataHoarder:
updated it for next restart
21:50:20
shitpost:monero.coffee:
and as far as I know it was on a windows server or pc and it was never audited > <DataHoarder> 22:04:42 <br-m> <shitpost:monero.coffee> our CCS wallet keepers would have known the monero funds were stolen earlier, not months later :D > <DataHoarder> we still don't know where the funds go to, even full view keys don't say that
21:50:57
DataHoarder:
I mean auditing movements, not the setup
22:01:58
ofrnxmr:xmr.mx:
@monerobull:matrix.org: Crack or meth
22:12:36
jeffro256:
selsta: It has CARROT , the addressing protocol , implemented and integrated, but not the new OVK wallet format integration yet . The crypto is implemented and tested
22:13:30
ofrnxmr:xmr.mx:
@kaigoh:gohegan.uk: For context, the question was about testing / demoing OVK wallets
22:14:53
ofrnxmr:xmr.mx:
It's pretty simple. It shows the same data as restoring from seed. Txids, amounts, times, but not recipient addresses
22:15:21
DataHoarder:
(or sender addresses)
22:15:43
DataHoarder:
and FCMP++ removes the ability to do statistical ring analysis
22:16:04
ofrnxmr:xmr.mx:
:P if it showed sender addresses, that would be a backdoor fed move :D lmao
22:16:37
ofrnxmr:xmr.mx:
And to be clear, by sender i mean the address that sent to me
22:17:10
jeffro256:
@ofrnxmr:xmr.mx: Some people want the tx private keys to be deterministic, so that reloading your seed phrase reloads the tx private keys, and you can make tx proofs even if your wallet cache is deleted
22:17:27
ofrnxmr:xmr.mx:
who are these "some people"
22:17:33
jeffro256:
I'm pretty uncomfortable with that, but I do see the utility
22:17:41
jeffro256:
idk there's some GH issue somewhere
22:19:00
ofrnxmr:xmr.mx:
I do understand that it can be a pain to not be able to provide tx proofs if you restore from seed or from a different wallet w/ the same seed. I can't say that would be a bad thing if it's only possible for spend wallets to achieve
22:19:54
ofrnxmr:xmr.mx:
But actually, i like that i can disable saving of recipient info or tx keys, and not even be able to provide such info
22:20:01
DataHoarder:
you'd still need the recipient address to make the proof, no?
22:20:06
ofrnxmr:xmr.mx:
(i actually dont save recipient info or txkeys)
22:20:17
DataHoarder:
even if tx key is deterministic based on some method
22:20:38
plowsof:matrix.org:
we've had multiple CSS incidents DataHoarder
22:21:13
DataHoarder:
outside of specific protocol I don't see the need for deterministic tx key on sender side, as the burning bug is fixed already
22:21:18
jeffro256:
DataHoarder: yes
22:21:21
DataHoarder:
as in, deterministic randomness
22:21:31
DataHoarder:
and recipient side derivation is enforced for normal wallets
22:22:16
DataHoarder:
p2pool as implemented uses deterministic keys per output/block/p2pool as it requires these to re-derive outputs and verify, but that's not on wallet side
22:22:24
jeffro256:
it's so that if you screw up and lose your wallet cache, you can still prove to a third-party that you actually sent funds. it has apparently happened to more than 1 person > <DataHoarder> outside of specific protocol I don't see the need for deterministic tx key on sender side, as the burning bug is fixed already
22:22:47
DataHoarder:
yeah. no way to make an OutProof without these
22:23:16
DataHoarder:
also, miners can't make OutProof :P cause monero never saves tx keys used in generating the template
22:23:18
DataHoarder:
unless you are p2pool
22:23:32
jeffro256:
huh
22:23:39
jeffro256:
i didn't know that lol
22:23:49
DataHoarder:
(or returns, the tx key is ephemeral in the get template method)
22:23:51
jeffro256:
makes sense, but I never thought about it
22:24:16
jeffro256:
You can recover the ECDH if you're the holder of the address, but I see your point
22:24:19
DataHoarder:
I mention that under https://blocks.p2pool.observer/proofs
22:24:21
DataHoarder:
> Monero does not save transaction keys when calling get_block_template. This method is currently only used by P2Pool thanks to it creating templates on its own.
22:24:27
DataHoarder:
yep, on new derivation method you can
22:24:30
DataHoarder:
but not before
22:24:38
jeffro256:
Might be useful if you're a pool miner to prove you didn't make a wack template
22:24:55
DataHoarder:
(outproof vs inproof)
22:24:57
DataHoarder:
also if it had been saved/provided separately
22:25:04
DataHoarder:
it would have fixed the Tari burn bug
22:25:23
jeffro256:
ah did it re-use tx keys ?
22:25:30
DataHoarder:
where the pubkey was overwritten on the tx, it could have been fetched from the tx priv
22:26:00
DataHoarder:
see this example 85c9e0e2fa7d843b6698d6aa9c51e0dcda030126805654d9e91a68d720268764
22:26:04
DataHoarder:
err https://blocks.p2pool.observer/block/85c9e0e2fa7d843b6698d6aa9c51e0dcda030126805654d9e91a68d720268764
22:26:32
DataHoarder:
7 bytes of tx pub were overwritten
22:26:34
DataHoarder:
you can recover with view key + bruteforcing these (and doing derivations)
22:27:05
DataHoarder:
56 bit keyspace with some reductions, but still vastly too slow even for the thrown together GPU code
22:27:07
jeffro256:
ohhhh
22:27:17
jeffro256:
That's unfortunate
22:27:35
DataHoarder:
(which I made for fun https://git.gammaspectra.live/WeebDataHoarder/tari-tx-brute )
22:27:58
jeffro256:
They've got 72057594037927936 combos to try. Better start soon...
22:28:03
DataHoarder:
I wonder what sort of entropy you'd have available
22:28:05
DataHoarder:
:)
22:28:36
DataHoarder:
given that post FCMP++ txs can be signed without the membership proof for example
22:28:57
jeffro256:
Not all bits make valid points on the Ed25519 subgroup, so definitely less than that, but still sucks
22:29:33
DataHoarder:
yeah, it's about a 50% decoding
22:29:35
DataHoarder:
then view tag
22:30:05
DataHoarder:
so about 8 bit reduction
22:30:31
jeffro256:
50% decoding? I would've thought that the vast majority of time spent was doing the Ed25519 scalar-point mult
22:30:33
DataHoarder:
sadly the CUDA waves don't have that good granularity
22:30:41
DataHoarder:
maybe an FPGA can do the bulk, then requeue
22:30:43
DataHoarder:
I mean bit space
22:30:45
DataHoarder:
50% fail/succeed
22:30:51
DataHoarder:
so -1 bit
22:31:00
jeffro256:
Do you know how much Tari was affected?
22:31:18
DataHoarder:
it was not tari, but Monero
22:31:20
DataHoarder:
one sec, I have the amounts
22:31:22
jeffro256:
Oh i see > <DataHoarder> 50% fail/succeed
22:31:33
DataHoarder:
02:12:26 <DataHoarder> there's a total of 139.641137792160 XMR that I could find "lost" to the Tari bug
22:31:58
DataHoarder:
I can recalculate the list (it's part of the finder program in that repo) but seems debian paste deleted it now
22:33:47
DataHoarder:
but about deterministic entropy, what do you have even in an offline wallet? and wallet could have been synced without all txs (synced at a specific height for example)
22:34:21
DataHoarder:
I guess you could take the inputs as entropy, local derivations, but ofc, destination cannot be stored in any way
22:35:32
jeffro256:
You could use a function of your spend key or view key (for hiding), plus the spent key images (for inter-tx burning), plus local output index (for intra-tx burning)
22:36:28
jeffro256:
key images + local output index are public, so all the offline needs to remember permanently is the spend key or view key, depending on which they use
22:38:16
DataHoarder:
that'd affect internal moves transparency
22:38:48
DataHoarder:
which I guess don't need this
22:39:47
jeffro256:
wdym
22:39:47
DataHoarder:
it's adding an extra scheme that can be played with outside of the current context, so care would need to be had to not introduce any shortcuts against any quantum capable adversary
22:40:46
jeffro256:
Oh yeah I see. Yeah that's correct.
22:42:03
jeffro256:
If you were using the new 6-key wallet in the CARROT spec, you'd want to use the view-balance secret instead of the potentially leakable k_v
22:43:01
jeffro256:
I don't think it really matters for legacy wallets either way, since any QC with one of their Monero addresses can peel off k_s and k_v, which reveals the whole tx history anyways
22:43:02
DataHoarder:
in that case even if you import key images with a view incoming key wallet, you can't create this deterministic derivation
22:44:39
jeffro256:
Well if your hot wallet only has k_v, then the cold wallet would have to do it. If the hot wallet had s_vb, then the hot wallet could do it
22:44:54
jeffro256:
It depends on how you set it up
22:45:52
DataHoarder:
generate deterministic derivation secret? :)
22:47:16
DataHoarder:
I guess as long as it's doing the similar derivations via H(...) you can't walk it backwards even from a quantum adversary perspective
22:49:13
jeffro256:
@jeffro256: To expand on this, in either case, to make a tx proof as a QC, you need to know both the ephemeral public key (which is on the chain), and one of the Monero addresses of the receiver. Without deterministic tx keys, a QC can still derive the tx key if it knows the receiver by computing the ECDH directly, then finding r s.t. ECDH = 8 r K^j_v.
22:49:37
jeffro256:
DataHoarder: Hmmmmm......
22:49:40
kayabanerve:matrix.org:
@jeffro256:monero.social: monero-wallet supports deterministic entropy for ephemeral keys.
22:49:48
jeffro256:
You federal agent
22:50:01
kayabanerve:matrix.org:
lol
22:55:47
DataHoarder:
but yep jeffro256 that is what I mean, it's a "shortcut" pathway to jump derivation tiers