Doug: This is a question no developer likes to answer, but when do we see this actually getting implemented then in terms of timeline?

Luke: Oh, this one actually provided a very aggressive time frame form. I would hope for the implementation to be ready within about six months. That's insane. That's not, you know, guaranteeing the academic review, formalization, audits, and all of that.

Luke: But I hope implementation to be done within six months. And I hope for notable progress to have been made on all of the academic review with that. I do have to distinguish implementation from integration, though.

Luke: Right now I'm discussing implementation. Integration is technically something distinctly discussed. And I would hope that that is also done in that time frame. But I cannot speak with as much confidence on that time frame.

Doug: So potentially at Monerotopia in November, we can be doing a presentation on the completion of implementation.

Luke: On the proposed implementation of the proofs itself, yeah, possibly.

Doug: Alright, Luke, what's going on, man?

Luke: Uh, nothing much, how are y'all?

Doug: Good, good, good. Well, what are you doing with regards to the total solar eclipse? Are you anywhere near totality?

Luke: Uh, yeah, I'm not sure if I'm currently in the path of it, but I'm either in the path of it or I'm like in a couple hours off of it. So I'm heading out with a few friends to go see it in person.

Doug: Nice. Awesome, man. Enjoy that. Enjoy that. Mm-hmm. So, wanted to bring you on. So, happy you made the time. A lot's happened this week with regards to potential path forward for full membership proofs.

Doug: You're the guy leading the charge. We got you on. Tell us all about it, and then I'll continue to pick your brain, I'm sure.

Luke: Uh, yeah, sure. So full-chain membership proofs. It's something I've prior talked about. I actually announced my work on them, um, almost a year ago at the prior MoneroKon.
Um, and the plan was to do them with Seraphis.

Luke: Seraphis, of course, being this upgrade to Monero's transaction protocol that just is massively sane. And there's no real other way to put it. It's massively sane. It's just a sane transaction protocol. And it cleans up a lot of our tech debt.

Luke: It moves from us kind of assembling proofs together into a very more formal and academic distinction. It enables a lot of new features, when partnered with Jamtis, the proposed new address scheme. We're talking, you know, uh, the ability to see when an output is spent if you share that view key.

Luke: So that just gets you a bit finer control. Uh, we're talking about, uh, delegated view tag findings. So any, you know, anyone you can trust, you don't want to trust them to have your Monero view key.

Luke: You don't want them to see, you know, every time you make a transaction, but you do trust them to handle, you know, 99% of the computational load and kind of filter down transactions might be yours. Uh, without ever truly knowing.

Luke: Yeah. Uh, that was going to be another thing introduced. Uh, we were, I believe, uh, we were no longer putting wallet data into TX extra, which was going to be great. Uh, there's a lot of reasons I came up Seraphis.

Luke: And one of the things being this more, uh, academic formulation brought is the separation of proofs. Right now, um, we have the CLSAG proof, which we use as our signature, specifically our ring signature, and that handles a few different things. That handles membership.

Luke: My output, which I'm spending, is one of these outputs, but I won't tell you which. It handles, you know, ownership or spend authority or spend authorization, however you want to phrase it. Uh, yes, I am the owner of this output and I am not stealing Doug's coins.

Luke: Um, and then it handles linkability. Uh, this is a key image. Uh, and this key image is unique. It's unique to this output.
And because this key image has never appeared on the blockchain before, I have never spent this output before.

Luke: And that's how you know I'm not spending this output twice. So one of the main advantages of Seraphis is it broke this one proof into two. It broke it into membership as one proof, and then distinctly as another proof was the, uh, signature.

Luke: This is my output. And with the signature, it proves the correctness of the, uh, quote unquote linking tag. Uh, as I said prior, the key image is how we satisfy quote linkability. The linking tag is basically, from a user's perspective, it's the same thing.

Luke: The linking tag is just the more academic notion of a key image. So that is something that is much appreciated because my prior work on full-chain membership proofs was just for that. It was solely for membership.

Luke: And if I try to put a membership proof into Monero right now, that doesn't work. If I just put a membership proof into Monero, cool. What are you replacing? Oh, the CLSAG. Oh, no, that also handles, you know, this ownership and linkability properties.

Luke: You can't replace that with just a membership proof. You need to do all of these other steps. And because of that, it just really made sense to do FCMPs with Seraphis also because of how notable of the evolution with Seraphis would be.

Luke: You know, Seraphis was already targeting more privacy. It was already this long look forward to hard fork. It was already changing wallet software. Um, I was trying to move to a curve cycle with it and that would offer much greater efficiency, so on and so on.

Luke: So when Seraphis explicitly provides this framework and when Seraphis is already doing all of these other great things and is already a time of such transition, it just really made sense to do things with Seraphis.
Luke: But then, of course, you know, recent spam attacks and the question was when I was talking with someone, um, it was just random off comment in like Monero or Monero community or Monero dev. And it was like, so can we discuss like FCMPs in the next hard fork?

Luke: Or when are FCMPs happening? I forget the exact question, Ethan. And I was like, no, we're not discussing those until we're discussing the Seraphis launch. Like, ideally, yes, in my opinion, we would launch Seraphis with FCMPs, but we're not discussing this until then.

Luke: And then I'm like, wait, why aren't we discussing this until then? You know, if the demand for them has gone up, what would be such a formulation? And I kind of just popped into MRL on like, do we want to discuss this?

Luke: Do we want to be discussing, you know, FCMPs before Seraphis? And the obvious question is like, how would you do that? You just said that, you know, you can't just have FCMPs replace the CLSAG. They do two different things.

Luke: One is membership, one is membership and ownership and linkability. How can you just propose this replacement? So I was kind of thinking about it, and I designed two different exact methods, which would work.

Luke: But what I ended up doing is I ended up proposing this one specific mechanism where instead of the membership proof outputting, what in Seraphis would be an e-note, a squashed e-note? Right now in Monero, we have a couple different variables floating around.

Luke: We have the output key, which is who's allowed to spend an output. And then with that output is the amount commitment. The commitment is, you know, the cryptographic representation of the amount that hides it so that no one else can see what the amount is.

Luke: But it also lets us do, you know, zero knowledge proofs off of it to say yes, this output is actually worth 100 Monero. And I am actually spending 100 Monero. I am not taking output worth 100 Monero and spending 5 million Monero.
Luke: So right now we have these two different things. We have the output key and the amount commitment. And then we also have yet another item, we have the quote, key image generator. So again, we use key images to prevent double spends.

Luke: And these have a very specific way of being generated. And they have their each of them has their own variable as part of this process. So we're kind of looking at an output as three different things, you know, the output key, the amount commitment, and the quote, key image generator, this extra variable that we use for the key images.

Luke: And the question is, how do we modify full chain membership proofs to either A, handle this inside of itself, or B, not just output this squashed e-note, which under Seraphis was one variable. And that's all we needed.

Luke: We only needed this one variable. We didn't have to keep track of these three different variables. So either how can we have the full chain memberships proof do this internally, or how can we have it output all three of those variables in a way that's safe and then still lets us do after the fact ownership and linkability.

Luke: So I immediately proposed a sketch. I'm not happy with that sketch. That sketch was fine. It's just not the optimal sketch for a couple of reasons. When I broke my thoughts more formally, I did a different sketch.

Luke: And basically, I just as when you spend an output, you output a when you spend an output, again, your output has an amount commitment, and your input also has an amount commitment. Obviously, these can't be the same commitment, we want them to have the same amount.

Luke: So you can't mint more coins, but we don't want them to look the same. And we don't want anyone to be able to distinguish that yes, they are in fact, for the same amount. So what we do is for your input, we apply something, we apply re-randomization.
Luke: We just redo the randomness within it so that it still contains the same value, but it looks completely different to someone else. And that's what the proposal here is. We have the membership proof, which was prior proposed.

Luke: We modify it to output not just the squash, you know, this one variable, yet the output key and the key image generator and the amount commitment. And we do it in a way that all of them are re-randomized.

Luke: So no outside observer can tell which is which. Then we actually do still add a second proof. So just as Seraphis was proposing using two proofs for this purpose, this also proposes using two proofs. The second proof just internally undoes the re-randomization and proves that yes, all of these are consistent and valid and someone isn't lying about what they are and creates the expected key image.

Luke: And there's actually a few really interesting effects for this. One, I think our memory requirements for hardware wallets will actually go down because that's why you don't want one proof for all of this.

Luke: If you had one proof for all of this, we now have to require hardware wallets, anything that have the private spend key, they suddenly have to do these giant bulletproofs for membership. Because if we just had this one giant proof, then yes, the membership proof would have that private key, which means the proof would have to be created by someone with the private key, which means whatever has the private key has to do bulletproofs, which isn't ideal.

Luke: So we do two separate proofs. I think the second proof I'm proposing will actually be a bit smaller, quite a bit smaller actually for hardware wallets, which is nice for them because hardware wallets frequently have very limited memory.

Luke: So anything that frees up space there is something I'm happy about. But also, I believe we'll provide a series of very nice, let's go with side effects.
Right now with Monero, we don't have transaction chaining and transaction chaining has been something discussed before.

Luke: Notably, it would allow some, and I emphasis on some, some layer two designs, layer twos as in payment channels. You know, Doug, if the two of us are frequently sending Monero back and forth, we can just create payment channels to each other.

Luke: And then we don't have to do an on-chain Monero transaction. We don't have to tell people on-chain a transaction is occurring. Obviously, Monero is private. They won't be able to tell it's us and they won't be able to tell the amount.

Luke: But we don't even have to tell the blockchain a transaction is occurring because we would just privately keep the data between us. And no matter how many transactions we did, we'd only put one transaction on-chain and only pay the fees once.

Luke: So yeah, payment channels can be great. And some payment channel designs, which I wouldn't endorse, like technically they're in a fold, but I also wouldn't endorse them. So I have to caveat that. But some payment channel designs require transaction chaining.

Luke: Because this separates, because of how I'm proposing this, I think ideally we do get transaction chaining with it, which offers a few nice properties. Theoretically, it would enable some L2 designs. For my work specifically on Serai now that I think about it, it lets us get a bit more efficiency done, so on and so on.

Luke: So transaction chaining is just a nice property to have. It was actually something that was planned to come with Seraphis. So kind of also jumping the gun on that feature. And then I was reviewing one other aspect of privacy, not privacy in the moment, but privacy against a quantum computer.

Luke: Because it doesn't matter if you believe they're happening in five years, it doesn't matter if you believe they're happening in 10 years, it doesn't matter if you believe they're going to happen in 100 years.
Luke: It doesn't change that the moment someone has one, unfortunately they can de-anonymize most of the internet today. And that would include Monero. So being robust against this is kind of this idea of forward secrecy.

Luke: No matter what happens in the future, your data is still private. So I was looking at extending this as well with forward secrecy. The design isn't quite there yet, but it's not technically impossible.

Luke: It's not there yet. I don't want to propose forward secrecy is happening with this next step. Because I really want to develop, plan and execute a very efficient and very tight timeline for full chain membership proofs in order to ensure that they have been with the respect and expediency they deserve.

Luke: And they don't languish in development for another few years. Can you just explain?

Doug: Can you just explain forward secrecy real quick? Like what exactly?

Luke: So it's if you make a transaction today, a quantum computer, whenever it comes out, five years, 20 years

Doug: be waterproof for the future.

Luke: Right, it wouldn't make us quantum proof against, you know, inflation attacks, but it would prevent a quantum computer from figuring out who sent transactions. Right now, a quantum computer against Monero can remove sender privacy.

Luke: They can pick any output and they can find the exact input it was spent in. So forward secrecy, at least as I'm using here, would be a quantum computer could not determine what input spent an output. The design isn't impossible, but it requires a more complicated proof.

Luke: And that more complicated proof would be the truth executed by a hardware wallet. So I don't want to propose it at this time, but it is something else I was considering.

Doug: That's amazing that it's a potential possibility already at this point. Like you see a path towards that.

Luke: Well, I actually wouldn't have considered it possible of key images. It's explained that will require me explaining the math of key images for about 15 minutes.
So I'll refrain from that. But it's not possible, it just fundamentally isn't possible no matter what proof you use with how we currently define output keys and how we currently define key images.

Luke: So because of that, the idea is, oh, well, of course, we would have to change our output keys are defined and we'd have to change how key images are defined in order to enable forward secrecy. And unfortunately, doing that would restart the privacy pool.

Luke: We'd have to make a new set of outputs, a new set of privacy. And that was being proposed with Seraphis because of all of the improvements Seraphis dropped. I was looking at it, there's ways it's not technically impossible because we wouldn't tweak the definition of key images.

Luke: And as long as the definition of key images, kind of, it's complicated, there's a lot of caveats here, please don't quote me on this. But basically, as long as the key image for any prior output is still the key image for that prior output, it doesn't make that prior output spendable again.

Luke: And we can continue forward. So it's like technically, technically, we would lightly change the definition of key images, but all outputs that were prior spent would have the same key image, therefore, they would not become spendable again.

Luke: With that in mind, we would actually change the definition of output keys. And that's what kind of enables this to decide. So this is a very future thought, and it's not something I want to get into right now.

Luke: It's actually backstory for what I was wanting to get to. But while I was looking into forward secrecy, I noted that technically, one could redefine output keys. Right now, output keys are just a very traditional public key.

Luke: It's your private key with the mathematic operations behind it to convert it to a public key. I'll be very vague and non-mathematical about this. And I was noting while I was actually reviewing this proof, technically, you can define your public key differently.
Luke: Instead of defining your public key as this one private key converted to a public key, you can add this extra element to it. And if you add this extra element to it, you can still produce proofs and still spend the output.

Luke: And that was initially a concern for me, like, oh, people can now throw random stuff into their public key, and my work doesn't care. Should it care? Is this an issue? Is this a vulnerability? Looking through it, no, it appears fine to me.

Luke: Obviously, we will have to get this formally reviewed. And if we need to tweak it so that these extra elements are banned, they're banned. So be it. I already wrote up the math on how they would be banned.

Luke: But as part of this, what I noted is because you're technically allowed this extra element, I believe we might actually be able to discuss what I would call an outgoing view key today. As in the ability to detect when an output you received is spent.

Luke: So if you have a light wallet, you know, and you don't have the private key, but you're still making sure you receive Monero, now your light wallet would automatically be able to tell when your private key did come online and did actually spend Monero.

Luke: So if you do decide to make a transaction from your hardware wallet or from your cold storage device, you wouldn't have to, you know, copy data from your cold storage device and plug it into your light wallet and be like, yep, here's all the outputs I spent.

Luke: Here you go. Your light wallet, if you, or your hot wallet, sorry, I'm mixing up my terminology. Your hot wallet, if you gave it this additional outgoing view key, would automatically be able to detect, oh, by the way, you pulled out your cold storage device and spent these outputs.

Luke: Yep, I can just detect that because you gave me this extra private key. So what's looking too on dinner raid was looking forward secrecy.
It's not quite there yet, and I don't want to propose it at this time, but I did actually notice that it would enable us in the future to change how we define output keys.

Luke: And with that, there's also the potential we could introduce outgoing view keys, the ability to detect when an output was spent. So that's actually something I'd really look forward to because the inability to detect when an output you received was spent is actually very annoying for me.

Luke: A lot of the work I did over at Serai was... handling exactly that because we have this adversarial multisig. We have, let's say, 10 guys in a room. And if any seven of them can manage to agree to, they can just take the XMR for themselves.

Luke: And obviously, Serai has this economic design around that to ensure that there's never incentive to do so. And if it ever happens, Serai is expected to be able to recoup the value, so on and so on. But that doesn't change that we do have to have procedures in order to detect if it did in fact happen because we have to know if it did in fact happen in order to move forward with the slashing process where we slash their stake of presumably greater value.

Luke: And as part of that, I had to write all of this code because we can't detect when an output is spent. So we have to write all of this other code that isn't detecting when an output is spent, but it's detecting this other class of behaviors which are inherent side effects to it.

Luke: It's a whole thing. So, yeah, outgoing view keys would actually just be very great for cold and hot wallets. It would be great for multisigs. It would be great for my personal work. And I believe that's something that would also be enabled by this, which I'm very happy about.

Luke: And that's amazing.

tuxsudo: Reason that view-only wallets don't work well, right? Because you can't tell if an output has been spent, and when you get the change back it shows up as new money, not as a change output.

Luke: Right.
And practically, you can assume, hey, this transaction had a ring of 16. And for every single input it had, one of the ring members was an output I detected as mine. And also, this looks like it's changing out from that.

Luke: So, it's not that incoming view keys can't already guess with incredibly high confidence. It's that technically yes, they're guessing. And now, they'd be able to know certainty. And that also helps with, you know, like charity auditing.

Luke: You want to donate to a charity. You can see how much money the charity's received. And you can also see how much they've spent. That would be one of the great benefits of this kind of outgoing view key.

Luke: So, it started out as just full chain membership proofs. By design, it kind of mirrored the proof separation within Seraphis. And I'm hoping to actually get, you know, after having made this proposal, which was just for full chain membership proofs, it sounds like might get a few really nice features out of it as well.

Doug: Amazing. I mean, this sounds like a renaissance in Monero moment here, right? All these things, I had no idea. So if you could just step back for a moment, I think maybe you did say it, but if you can kind of rephrase it, what was the moment that it was realized that essentially full membership proofs can be implemented pre-Seraphis into bulletproofs?

Doug: Like, well, has that been realized already for some time? It's been theoretical for some time. I know like Liam Eagen, I think, has participated in this, right? And then I was looking back at some of these other like bulletproof plus papers.

Doug: Were these things talked about then or did everything just kind of come together recently? But it's really cute.

Luke: comment. The full-chain membership proof has always been proposed to use the slightly modified bulletproofs. So the fact that it's being done with bulletproofs isn't, you know, the newer exciting part here.

Luke: Sorry, a bit of the sniffles today.
The discussion about doing it pre-Seraphis with RingCT is one I briefly considered before, but I kind of wrote it up as non-possible. Because the ideas I had for it were like, we would redefine every address, which is obviously something we do not want to do.

Luke: It's not something we want to do. It's not pleasant to do. It should not be done. But my idea was like, we would redefine every address. And with the redefinition of every address, we would we would make every address have its spend key be something called a Pedersen commitment, and the output keys would be in the form of a Pedersen commitment.

Luke: And then the membership proof would remove the randomness in the Pedersen commitment to get to the actual value, you would not be able to distinguish the value from the Pedersen commitment in which it came from, which is why it'd be unlinkable.

Luke: And then you could do pretty standard signatures over it. There's like all of these thoughts. And it wasn't that it was impossible is that you would need new addresses. And I think one of the concerns is that if someone sent to you, they'd be able to detect when you spent your coins.

Luke: I think that was the concern as well. So if I, you know, if I pay you back, you know, for out we get drinks, I pay you back for picking up the bill in USD, Doug, you're always eager to pick up some more Monero, then I'd be able to see when you you know, oh, 24 hours later, you spent that Monero, you must be grabbing drinks with someone else.

Luke: Why wasn't I invited? And that's kind of the privacy issues. So it's not that I thought it impossible. It's a what I like briefly thought about the design. There were issues with it. If it requires a new address format, obviously, that's not something we want to do until Seraphis because Seraphis does enough things to make it worth it.

Luke: The reason I move forward with it now is because one, I had a new idea about how to do it, which would actually be efficient.
And two, the estimates for Seraphis, which were being discussed were longer than my personal estimates.

Luke: So due to the discrepancy and presumed timing, I wanted to move forward with the quicker option to ensure privacy now.

Doug: What can you tell us about Liam Eagen and the contributions he's made because we've reached out to him. He said he'll come speak at Monerotopia. My understanding is he's played some role in the development of the cryptography in this arena.

Luke: Mind if I ask if in person or virtually?

Doug: I think we're trying to get him in person. He seems eager to attend.

Luke: All right. Yeah. If they're coming in person, please let me know. I'd love to know about that.

Doug: Yeah, I mean that was the end to get to get you there as well. Obviously, I mean that would be the juke on trip.

Luke: So, Liam Eagen, they're quite smart. They personally did a few different preprints. They did one on the application of elliptic curve divisors for proving like this is all mathematical I know, but they posited using elliptic curve divisors for efficient in circuit inner product proofs.

Luke: We're not looking at doing inner product proofs. We're solely looking at doing elliptic curve divisors for proofs of scalar multiplication. Don't worry, guys. We're not going all the way up. No, all of this is, you know, mathematical gibberish.

Luke: But regardless, they said, hey, there's this mathematical structure. It's an elliptic curve divisor. It's inherent to the concept of elliptic curves. It's been, you know, studied here and near before.

Luke: You can also use them to do efficient proofs about, you know, objects on elliptic curves, about points on elliptic curves. So that was really great because it beats all prior noted ideas on how to do these proofs of let's just go scalar multiplication by at least a factor of two.

Luke: So by using this, just everything gets twice as fast. And saying that everything gets twice as fast is always great.
We love it when things just magically get twice as fast. And one of the other advantages of it is actually the specific ways in which it scales.

Luke: If we were to use traditional solutions, we would have a non-negligible. I'm trying to think of the best way to explain this. Basically, this is the very non-mathematical way to explain it. We have this private key inside of the proof.

Luke: It's not actually a private key. Like, oh, if you leak this private key inside of the proof. Private key, you lose all your money. No, it's just this number that only you should know. And we have to convert it to a public key twice.

Luke: So we would need two of these proofs. And that's annoying. These proofs are most of the work. Proving this private key does, in fact, match this public key is most of the work we do inside of these proofs and inside of the bulletproof, which we use to prove all of these statements.

Luke: So with existing work, it would have been, you know, like 2x. And then if you wanted to convert it to a public key a second time, it would have been an additional 1x. So if you do it again, it's cheaper, but it's still a notable cost.

Luke: With Eagen's work, if you do it for the first time, it's just 1x. You just pay this 1x penalty cost. And if you ever have to do it again in the future, there's not really an additional cost. It's effectively free.

Luke: So because we actually do have to convert a private key to a public key multiple times, Eagen's work is not only twice as fast as everything else in the... with everything else that's prime or positive, but for the second time we do it, it's actually near free and not yet another cost.

Luke: So Eagen's work on elliptic curve divisors is just absolutely great for the performance of this work and something I'm truly in love with there. They also posited, I believe they posited their own private cryptocurrency protocol.
Luke: I want to say Vcash and have to double check if that was the exact label for it, because I believe the curve trees authors also posited a private currency protocol, and theirs may have been Vcash. It may be confusing to tell.

Luke: But I believe Eagen also commented on how you could do one with a pair of recursive bulletproofs, which is really interesting. And then Eagen also is doing the work on bulletproofs. It's also the primary author of bulletproofs plus plus, where we have bulletproofs, and then this was improved by bulletproofs plus.

Luke: Bulletproofs plus just slightly slimming down the proof, saved a few bytes, which is always appreciated. And then bulletproofs plus plus is actually very interesting in how far it takes it. And there's all sorts of commentary there.

Luke: But yeah, bulletproofs plus plus is also looking to be very interesting. And I'm very much looking forward to when it's a complete paper, including with all additional review and industry acceptance as something that, yeah, people should be using.

Doug: And then Monero would implement that.

Luke: Yeah, so two different options. We could implement bulletproof++ for our range proofs, or if it was feasible to apply the same modifications that we did for bulletproofs, we could also look at using them for membership proofs, which would actually open up a couple very interesting doors.

Luke: Because of how specifically they present the, sorry, I'm trying to think of the best way to explain this. So this membership proof is done via something known as an arithmetic circuit. An arithmetic circuit is just a long series of math statements and requirements.

Luke: You know, a times b equals c, c is 1, that lets a and b be whatever, but whatever they multiply to has to be 1, so on and so on. So bulletproofs presented an arithmetic circuit argument, and then bulletproof++, of course, carries that and also presents an arithmetic circuit argument.
Luke: From my understanding, bulletproofs pads to a power of two. So powers of two, two, four, eight, 16, 32, 64, 128, 256, so on and so on. But what this means is if we have, you know, 200 lines of mathematical statements in this membership proof, it doesn't matter.

Luke: We have needed to be a power of two, and the closest power to 200 is 256. So no matter what, we're paying for these extra, you know, 56. With bulletproof++, I believe they give you a bit more flexibility and that you can pad it to either a power of two or you can pad it to a power of three, to my understanding, which is a very slight tweak, but it actually gives you a decent bit more flexibility.

Luke: And with that flexibility comes performance, which is always something I appreciate.

Doug: Amazing. We actually had Benedikt Bünz on this show back in the day when we first implemented Bulletproofs. This feels like another Bulletproofs moment in terms of evolution of Monero or actually, I guess, figure.

Doug: But that was a major transition for Monero when Bulletproofs were implemented and we saw the transaction weight essentially go down overnight, fees go down overnight. Actually, I would say this feels like an even larger change for Monero for all the reasons you're saying.

Doug: It just opens up all these new doorways. And obviously, the biggest thing being that will now be essentially perfectly private in terms of hiding the sender. Right? Still no forward secrecy.

Luke: It still no regarding where does where does that one in computers come around

Doug: Where does that put us in, you know, relation to projects like Zcash and others are, has anybody figured out forward secrecy yet? Or it's just, or only people have like kind of.

Luke: So, such a can of worms you've opened here, Doug. You have to do this to me. I don't believe anyone has solved forward secrecy when the person's address is known. If I know your address, then I can break it apart.
Luke You know, if I see your public spend key and I have a quantum computer, I can recover the private spend key. If I see your public view key and I have a quantum computer, I can recover the private view key. Luke If I have the private view key and have the private spend key, I can just do the normal scanning process. So, I don't believe anyone's solved forward secrecy when the address is known. With Zcash and Firo, their currently deployed privacy protocols are fundamentally better than whatever Monero has today. Luke And I'm not here to contest that. The reasons I don't recommend them over Monero isn't about merchant adoption or anything. It's about the fragmented user story. It's this story I frequently heard when talking to some Zcash people about, you know, oh, someone has Zcash in Exodus and they think, oh, Zcash, it's a privacy coin. Luke I'm private. No, the Exodus version is the transparent Zcash. You're not private at all. Or whatever wallets it is. And I don't believe coins should promote a false sense of privacy. And I'm not here to say that, oh, Zcash is actively maliciously promoting a false sense of privacy. Luke No, of course I'm not here to claim that. But what I'm noting is because there are ways to use Zcash transparently and because we can't expect users to always be conscious of what's going on, it's hard for me to say use Zcash because there's a risk that by saying use Zcash, the user ends up using it transparently. Luke That doesn't change that, yes, theoretically if you just took Zcash's privacy protocols in isolation and you gave it the same user base and the same amount of transactions occurring, then sure, the on-chain privacy would be far better than Monero's. Luke And the same goes for Firo as well. Then my understanding, Zcash Orchard, and I believe even Sapling, is forward private if you do not have the person's address. 
And then Firo's Lelantus Spark protocol has the chance to be forward private, or forward secret, sorry, has the chance to be forward secret. Luke But the currently used membership proof is the one-out-of-many, you know, Groth and Bootle proof to my understanding. And that specific proof is not forward secret. So Zcash Orchard, and I believe Sapling is, I don't know about Sprout, but you can no longer use Sprout anyway so you can only redeem your coins from it to my understanding. Luke And then Firo's Lelantus Spark could be, the current membership proof is not. But if they move to full-chain membership proofs, specifically the work I'm doing, I'm sure that you could implement the same concept of full-chain membership proof with some other proof that doesn't have these properties. Luke But the work I'm doing on full-chain membership proofs, I believe if they incorporated that, then they would become forward secret. With regards to a quantum computer could not break which output was spent when. Doug All right, very well explained, hoping Firo participates in Monerotopia again as well. It'd be cool to get some Zcash people at Monerotopia, right? Get them in the mix. Luke Agreed. I really would love to mend that relationship. I've heard comments from kind of both sides of it. And what I kind of have to say is that unless the communities do better, I would not expect these unless the communities do better, I would not expect the people we would like to have there to want to be there. Luke Because I actually wrote a brief year about this prior. But basically, for whatever reason, communities can be toxic to each other. Or at least there can be notable toxic elements within each community, which is toxic towards the other community at large. Luke And the justification for being toxic is, oh, well, they're toxic to us. Why should I not just be toxic to them? Why should I be polite and actually talk with them if they're just going to shout things back at me? 
Luke And honestly, I think with a lot of communities, what we kind of just need is a reset. Don't just go, oh, Zcash, no one uses your trade, oh, Zcash, blah, blah, blah. But actually just have open discussions as Zcash comes up. Luke And if you don't like it, don't comment, oh, you guys suck. Just leave. Just don't participate in that conversation. If you want to say, my concerns with Zcash are this, this, and this, and try to provide the counter response, yeah, do so politely. Luke Don't just attack people. Because as long as there are enough toxic people in community attacking the other community, that community isn't going to want to participate, and it's just going to film in their own toxicity. Luke And we'll never get anywhere like that. Doug Yeah. So much positive can come out of bringing the communities together, especially on a technological level, getting the devs talking to each other. It's a waste to do otherwise. Maybe we can get somebody down. Doug Who would be an ideal person for us to try to seek from the Zcash development team to get down there? Luke I mainly know of two researchers actively involved with Zcash, not to say that there aren't others, just to say there's two I'm personally aware of and notably know. It is hard for me to recommend either as a candidate at this time. Luke I would be happy to discuss with you privately and also do my best to reflect my concerns, but I don't want to air my thoughts on this publicly at this time. Doug All right, no worries. Not yet. They're gonna put you on solid. Luke Uh, by the way, I think they say like, Oh, this person would be interested. Like would be great to have, you know, but I don't think they're willing to. And then they get a hundred replies. Oh, you gotta come. Luke You gotta come. If you don't come, you're a bad person. And I don't want that to be why they don't come. Doug To the probably bad people would have it. Um, yeah, by the way, we're moving Monerotopia back to Mexico City. 
It's not a hundred percent but we're considering making that transition, we're gonna make a decision with the next Luke Did you make all of these comments here about Buenos Aires? Doug What's that? Luke Dude, it was all, what about Buenos Aires? Doug What happened? Well, we're having issues with the marketplace down there that we want it to work with. So we don't want to take the risk. We know that it will definitely work out in Mexico City because we're going to team up with all the same people. Luke It was a gorgeous venue last time. Doug Yeah, and the market was amazing, right? And we know the woman who runs it, so we know this time we'd be able to onboard all the vendors to Monero in anticipation, we'll improve the internet, we'll actually have electricity running 24-7, we'll have some local nodes running so people can have a smoother experience with Monero. Doug And then we think you just kind of build upon it from that. It's also more centrally located. Argentina is just far, unless you literally live in Argentina or Brazil. It's just very far for most people. Doug That's the thing. So I don't know, hopefully that changes, helps you with your decision for Monerotopia. Luke Uh, the comment that the thoughts I already had, uh, combined with the heads up that Eagen may be trying to attend, that's done much more than the location that makes the heads up there. Um, I'm hoping no one actually, I'm hoping I have no trepper friends right now who bought flights in advance. Doug Well, we know we reached out to it. We reached out to everybody behind the scenes. I'm pretty sure we sent you a message, too. So just to kind of people know that we're transitioning. We didn't officially get it out yet. Doug So we this is it, do not buy your ticket to Buenos Aires. We will announce in a day or two whether or not we fully shipped it to Mexico City. The reason not by a flight ticket. Luke I'd be interested to hear if you'd let me know. Doug All right, cool. Yeah, I know. 
We've kind of got you going here for an hour already, and this is a Monero Topi. It's not even a Monero Top, but greatly appreciate you taking that. Can you give us some more insight, at least to what the actual path forward will look like? Doug I know Cypher Stack is going to be involved, right? I believe they're going to be doing an audit on this. You kind of tell us what that's all about. And I know, depending on how that goes, that may actually prevent the implementation at this stage. Doug And then just let us know what they're doing, and then what you're doing, and how we get to the end goal here of actually getting it implemented pre-Seraphis. Luke Right, so Cypher Stack is putting forward been doing my best to think about exactly I want to phrase this one moment, please. Doug Yeah, take your time, man. Luke Cypher Stack is putting forward proofs for the slight modifications to Bulletproofs, which I keep saying are slight modifications, and we can extend some debate how slight they are, because it is still Bulletproofs. Luke It would be adding something known as a vector commitment. The existing Bulletproof already works with commitments, Pedersen commitments, which I aforementioned, even though I didn't explain. I've done my best to keep all of the very complicated math out of this and try to keep things as simple as possible. Luke So, they're trying to put forward security proofs for it. The slight modifications, they're known as generalized Bulletproofs, and they don't just work with Pedersen commitments, they work with Pedersen vector commitments. Luke Pedersen commitments commit to one value, Pedersen vector commitments commit to a list of values. And the authors of Curve Trees are like, we use generalized Bulletproofs to make Curve Trees work. And then I reached out to them, and I'm like, hey, you say you use generalized Bulletproofs? Luke What are those? Those are not a thing. You're saying you're using a thing that does not exist. What is this thing? 
And they reached out, and it's our own custom slight modifications, which we didn't publish anywhere or document. Luke We can send you a link to that. And they sent me this link, and it's all of the mathematical theory. It's like, oh, yeah, Bulletproofs is an inner product argument, obviously. And it does all of these various inner product relationships, obviously, as one does. Luke And we just add this extra inner product relationship. Again, as one does. And, yeah, then, you get Pedersen vector commitments, and it all works out. I'm like, what am I looking at? What am I looking at here? Luke It's all of this math, and it's all written out. And I reached out to Aaron, and I'm like, what the hell am I looking at here? Because it's just all of these mathematical statements with no actual it's not, oh, yes, here's the literal Bulletproofs protocol. Luke You define these variables. You hash these things together. Once you hash these things together, you continue here. No, it was literally just like the algebraic theory behind it. And they're like, oh, yeah, I kind of see what it's doing. Doug I'm sorry, and just just for one second and who was it that proposed that the general Bulletproofs Luke Uh, generalized Bulletproofs were by the authors of Curve Trees who I don't immediately recall the names of, unfortunately. So with that. Doug But it's so it's essentially it's never been audited. It's never been proven. Luke Um, right. So they did put forward an implementation along with their notes on the algebraic theory. I reached out to Aaron about that and under Cypher Stack, they did eventually put forward the formalization. Luke You know, here's the algebraic intent that the authors provided. Here's the literal modifications to the Bulletproofs protocol. And with these literal modifications to the this basically what I needed to implement it. Luke So I implemented those a few months ago, which was greatly beneficial. I think I estimated like 35. 
I think I was working at like 35 milliseconds back in, uh, Monerotopia. But since then I have managed to move to generalized Bulletproofs, which already should be, you know, twice as fast there. Luke So we're looking at something notably smaller and we may have performance penalties elsewhere and performance gains elsewhere, but really hopeful. Um, but yeah, Cypher Stack did this formalization. They're like, here's the literal modifications you make to the Bulletproofs protocol to enable all of this algebraic theory. Luke And right now, Cypher Stack is putting forward a CCS for funding their development of security proofs for it. And with the proofs is what we would need to actually use and deploy it. Because right now there's just the idea and there's a literal modifications to the protocol you can make. Luke And with these literal modifications, yeah, the proofs prove and verify. You know, I can call the prove function. They prove. I can call the verify function. They verify. That doesn't mean someone else can't make a proof of anything that they want. Luke It just means that my tricks when I call prove and verify work. So what the security proofs are are the formal academic arguments that no one else can call prove unless they're actually proving for honest data. Luke For the expected variables. At least not without it failing to verify. So that's the next step there. And that will give us generalized Bulletproofs. If we don't have generalized Bulletproofs, we actually have two options forward. Luke Which would be a thing. These are great and both of them would increase scrutiny. Because that is a discussion for another day. But technically we don't need generalized Bulletproofs practically. Yes, it is going to be painful if we don't have them. Luke With generalized Bulletproofs, there is also a slew of other tasks kicking off. So I am personally planning to forward a CCS. Not only to cover my development over these next several months. 
Yet also to create let's go with a slush fund. Luke Basically a discretionary fund held by, you know, however CCS payments are currently held. Instead of needing to look for new CCSs for auditors and instead of needing to find debate, create this statement of work with the auditors and then publicly get feedback on it and publicly raise funds. Luke And that raising may take a few weeks. This slush fund would instead allow much more immediate disbursement. So it is basically, hey, we have already raised the funds. If an audit company steps up and there is general agreement that they can do the draw, we could just immediately ask for such a disbursement. Luke We wouldn't then have to go through the entire CCS procedure. So I am personally planning to forward my own CCS for development and for creating a slush fund for auditors. And this will cover things such as, you know, a more formally written proposal for what I am currently doing. Luke Right now I have notated all the ideas. But this would be like the literal arithmetic circuit. The actual literal series of mathematical operations used in order to prove it. And then we can immediately have that design, you know, reviewed, even formally verified to ensure its safety. Luke And then with this review and formal verification, the implementation of the circuit, the literal, you know, writing the code that is equivalent to all of those lines on a piece of paper, that could be done at the same time. Luke So as we prove the theory of it, we could also implement it. So as soon as we verify that, yes, the theory does exactly what we want, then we can immediately audit that the implementation matches the theory. Luke And we can really just, you know, parallelize it. As the next step of review occurs, the next step of implementation occurs. So by the time the prior step of review finishes, the next step of implementation is ready for review. 
Luke So it's going to be quite a large CCS, accordingly, because it's not only scoping my development for the next few months, but it's also including, you know, several months of it's also presumably including multiple different audits. Luke And audits in this space are unfortunately quite expensive. And also justifiably quite expensive, but also unfortunately. So not only is it my development, but it's also this however many audits and it's going to be a rather large CCS. Luke But yeah, hopefully that gets funded and we can move forward, because I do believe this is critical to Monero. Doug It will, it will absolutely get funded, I can't call now right now. When do you guys think you're gonna post it? Luke So the CCS for approving generalized Bulletproofs is already live. I do need to work out a couple of things with jberman. I've been talking with them about this CCS and this Soluo board. I need to know if they want to be included on this CCS, which is for my development and slush fund, or if they want to be included on their own CCS and self-manage it. Luke It's out and I'd hope to post it next week. Doug Also amazing. Um, the, what, what do you think the likelihood that generalized Bulletproofs, you know, approved is found for, for. Luke So if Cypher Stack cannot create a proof, that does not mean a proof does not exist. If Marcy said it, just that one was not valid. And I just want to be clear about that. Personally, I am quite hopeful. Luke But that doesn't change that until one is realized, it is all hope. Doug Can't we just ask like ChatGPT, like, you know, find the title for a sport. Luke Yeah, that's not how I want inflation bugs to be added today. Doug Legit question though, is AI being used in this realm in any real way that's helpful or just not? Luke I don't believe so. I would hope no one's using it believing it's helpful. I think if anyone tried to use any LLM gear, it would be actively dangerous. 
Doug Don't worry, don't worry, I'm not releasing a cryptocurrency any time soon. Happy to hear you. But if I did, I'd be using AI to do it, 100%. Luke LLM coin, the only cryptocurrency coded entirely by a large language model. Doug It could definitely be a thing. So this is a question no developer likes to answer, but when do we see this actually getting implemented then in terms of timeline? Luke Oh, this one actually provided a very aggressive time frame form. I would hope for the implementation to be ready within about six months. That's insane. That's not, you know, guaranteeing the academic review, formalization, audits and all of that. Luke But I hope the implementation to be done within six months. And I hope for notable progress to have been made on all of the academic review with that. I do have to distinguish implementation from integration, though. Luke Right now I'm discussing implementation. Integration is technically something distinctly discussed. And I would hope that that is also done in that time frame, but I cannot speak with as much confidence on that time frame. Doug So potentially at Monerotopia in November, we can be doing a presentation on the completion of implementation. Luke On the proposed implementation of the proofs itself, yeah, possibly. Doug Wow, amazing. I got no more questions, Tux, what do you got? I'm just blown away over here, honestly. This is epic and it feels like it came out of nowhere. Obviously, you've been inching us toward it for quite some time, but. tuxsudo It's just being fast-tracked, dude, the, uh, the ongoing situation. Well, I mean, not ongoing, but could happen again. I was just looking at the CCS page here. I use the generalized Bulletproofs security proofs under the idea. tuxsudo And there's also a Seraphis wallet work and then Seraphis general paper review. So this is the new one that was the new idea that was published yesterday. Doug Yep, okay. 
Yep sector stacks Yeah, let's get a funny guess do it be part of history to you next time tuxsudo their history. Two-twenty. Not, not up for funding yet, currently an idea. Once it gets moved to the funding phase, then everyone can start donating. Doug Luke, thank you so much. Stick around, obviously, if you can, but, you know, we understand it. Yeah, no. Luke I'd be happy to stick around for a bit. I think I am going to turn my camera off so I can work as I listen and chime in. But yeah, happy chip. Speaker 5 If Ganbat wants to do the Argentina thing, that'd be great. But I was trying to see if I could provoke Luke into talking about something that he barely mentions, but I think that he would speak much better to you than myself. Speaker 5 Like if we can all just ignore the little bit of bias and self-interest in the response. I've been saying for quite some time that in order to grow the talent pool, we need to find a way to pay more for quality developers. Speaker 5 That involves direct engagements with businesses, because business to business is the largest part of any economy, basically anywhere in the world, except some like third world, it's, you know, government funding and all of that. Speaker 5 But I was hoping that you could speak to the fact that a lot of talented developers are forced to choose between an upper middle-class lifestyle or working on projects that actually matter to them, or they have to split their time, which dilutes their focus. Speaker 5 I hear a lot about this stuff, but I don't think that it reaches the broader audience at the level that it should. So do you think you could chime in a little bit? Luke Yeah, sure. So one of the things I think is that obviously developers willing to take a haircut in order to work on Monero and volunteer in that regard. You know, the very pure cypherpunk ethos is, you know, like, oh, yeah, people should just do things. Luke And that will be great. The end. And it's not that I don't respect that. 
And it's not that I don't like people working on things solely because they believe in them with no need for external incentives. Luke But the fact is, you know, people need money to pay for food, shelter, water, kinds of necessities here. And with that, yeah, there is payment. And that's why the CCS exists. And also solutions like MAGIC. Luke Donate to Monero development. If you're in the U.S., get tax-deductible donations because MAGIC is a 501(c)(3) charity. Yeah. So there are solutions to fund developers. Yet with these solutions, every developer, even if they take money from the CCS or from MAGIC, they are largely still donating their time because of the opportunity cost that's posed. Luke The job market for talented cryptographers right now is insane. Truly, it's really insane and out there. So for any developer to not receive an insane paycheck, it is them donating that opportunity and the opportunity cost with it. Luke Yeah. So one of the things I think is that the Monero CCS needs to be more open to paying people more. I do think that's starting to change. And hopefully it is. The other thing I think is that developers need to be willing to ask for more. Luke You know, I've seen prior posited the idea of like this, you know, oh, well, the CCS average or the standard is generally this. And that causes some developers to not bother submitting proposals. And what I personally think is that, no, if that's too low for you, it's not that you shouldn't submit a proposal, it's that you should submit a proposal. Luke Like you just if in a magic, but the CCS is generally paying is too low for you. That does not invalidate your own proposal. And hopefully as we get more proposals and we realize what we're missing out on by not being willing to pay more, only then could the Monero community take a step back and evaluate how stingy do we want to be here or how forthcoming with funding do we want to be here. 
Luke Because obviously I'm not saying if someone walks in and says for a million dollars, I'll like fix this, you know, one bug where we have a typo in some text. No, I'm not saying that any proposal that improves Monero is justifiable regardless of the cost. Luke What I am saying is that when developers do not make proposals because they do not believe they will go through, they don't put their thumbs down on the scale, weigh it, weigh the CCS towards paying more in the future. Luke And they remove data from Monero by creating the appearance that there simply aren't developers when the truth is there simply aren't developers who are willing to submit out of the belief of what we're likely to pay. Luke So, Monero community, I think needs to be more open. Developers, I think, need to be willing to submit proposals even if they don't expect them to go through. The other thing I note is that the CCS creates a lot of bureaucracy, not because, you know, you have to fill out all of these forms to go through it, but because of the full, you know, review process, and it can take several weeks. Luke Like, it might take a couple of meetings just to get your CCS listed, and then it might take a few weeks for it to get funded. And that alone has caused us to lose developers before. Just the amount of effort that goes into the CCS system. Luke So, what I actually would really love to see, and I brought this up a few weeks ago, is for an organization such as MAGIC, which I am a committee member for the MAGIC Monero Fund, I would actually love to see them start to outright hiring developers. Luke Not solely hosting fundraising for developers, but outright hiring developers with like one year contracts. And then in six months, we would restart the fundraising process. Not for each individual developer and each individual line item of work, but actually for the entire development team. Luke And then, you know, that might take three months to complete. 
And then three months before the current development team's contract is up, we would let them know, yes, we are able to extend your contract another year, so on and so on. Luke And we would be able to provide ideally stable employment that minimizes the headache for these developers and brings a quality amount of talent to Monero. The main reason MAGIC is not immediately moving forward with that. Luke It's because in order to move forward with that, we have to like, it would pretty much be we walk out next week and say we are looking for $200,000 to start hiring developers. And that is a tall ask for us to make. Luke So it's something I proposed as a long-term goal, something I believe the committee generally agrees would be great if we can do it, but is the discussion that we have to work towards and me talking about it here is me trying to work towards it. Luke I will also note that with my upcoming CCS, I plan to create a slush fund so that we can more quickly contract outside parties. And that's just in the name of efficiency on the specific issue between membership groups. Luke But in similar spirits, both a retainer for Cypher Stack who currently employs Aaron, also known as Sarang Noether, in order to ensure access to their research talent and also provide a more consistent stream of payment for Cypher Stack, that was proposed and even just an MRL, Monero Research Lab sort of general fund was proposed such that MRL can dispatch such contracts without going through the entire bureaucracy of the CCS. Luke So I definitely think that there's change occurring and there's change being worked towards, but I think the community needs to be open to it. And when the time comes, the people with the significant financial interest in Monero need to be willing to donate to that development. 
Speaker 5 I'd just point out there's something really sexy about how the bleeding edge of technology and the stuff that drives interest in these projects are really bad at driving interest in funding these projects. Speaker 5 But there are so many solutions at every level. Like if you're mining Monero, you could just send the money to a wallet that funds these projects or another thing is the bounty system has its own advantages. Speaker 5 But I think that people don't understand if you are, I mean, we'll just say an underpaid developer and your cashflow situation, you're looking at, I could get paid in three weeks maybe, you know, people have to pay their rent every four to five weeks. Speaker 5 And there's many solutions to this problem. But if we can't alleviate people who are willing to dedicate a lot of time to this. And then there's also the question of this is a highly cerebral undertaking. Speaker 5 So if you add stress to the question of getting the work done, well, will I get paid? When will I get paid? Or somebody is motivated to tackle one of these problems, right? They want to work on this project. Speaker 5 But you know, if they're looking for work for four weeks as a developer, because they don't know that they're going to get paid by the time, you know, something is even approved, they may have a different job, they may have other obligations. Speaker 5 So yeah, there's another reasons why I wanted you to speak to it, because you have been more transparent and other conversations about it. I've been screaming from the rooftops forever that this is a serious issue. Speaker 5 So I appreciate you being transparent about that. Luke I think there's actually an even more damaging aspect to this than the irregularity alone. It's that if you submit a three month CCS, three month, I believe there's a reasonably common term for development. 
Luke If you submit a three month CCS and then you finish your CCS and prepare your next three month CCS, it may take you a month for that next CCS to start. Which means that for every three months, you have to wait a month. Luke Which means out of every four months, you're not working nor getting paid for a quarter of that time just because you're waiting for the wheels to turn. And that's why, yeah, I actually really want to move forward this discussion with MAGIC outright hiring developers. Luke The issue is to offer such safety guarantee, lack of headaches to the developers. Like even just to start soliciting candidates and doing interviews, we don't want to interview a bunch of people and be like, oh, we can offer you a job and we want to, but we have to wait a month to see if the funding proposal goes through for your one year contract. Luke It's all so ridiculous and that's kind of why we're waiting to move forward and trying to talk this up a bit more, or at least I'm trying to talk it up a bit more because it's going to end up with us asking on a leap of faith without us having proposed any results yet, asking for enough to pay a one year salary just to be completely raised of donations. Luke And after we answer a one year salary, if we move forward with this idea, I have to be clear, I'm speaking as an individual here and not a representative of MAGIC and not a representative of the committee as a whole, I'm just speaking as an individual and an idea I would like to see the committee execute on. Luke But not only would we have to ask for this one year salary, but six months in, only halfway into it, we have to ask for the next year in order to ensure that by the time that's fundraised, we have certainty and can give any developers the appropriate heads up about their status of renewal and that's a very large task to ask. 
Luke So yeah, it's definitely going to have to have more conversations and as you said, more transparency to make the community more open-minded about it. Speaker 5 You know, and by my calculations, if we could get consistent donations to a fund that was well managed, I mean, we're talking about maybe 900 people donating $10 a month for a very comfortable salary. Speaker 5 We've already demonstrated that people who are passionate about Monero development are willing to take less to do what they believe in. But if you add a layer of security to it, it's a much less anxiety inducing proposition. Speaker 5 So as an example, if I'm doing contracting work, right, I'm going to add a buffer to for one, am I going to get paid and for two, when the contract is done, I'm looking for work again. So it adds extra cost when we don't have a plan for paying out over many, many months, because the person has to take additional risks. Speaker 5 And what really bothers me about this entire thing is a lot of people who are motivated to work on Monero, you know, they have families or they have, you know, things where they can't actually afford to take such a risk. Speaker 5 And they might be the most adequate individuals for the job. So I mean, I really hope that people are listening here, like, it does not take very much to make this happen, if we as a community can consistently donate the money. Speaker 5 And donations don't have to be the only option. But we are seriously talking about less than ten dollars a month here for less than a thousand people to just get one talented developer day after day, month after month. Speaker 5 And, you know, I've met a lot of you guys like at Monerotopia. These people are not living high on the hog. And honestly, they probably should be after what they've created. 
So it's like if we don't find a way to solve this problem, especially the way that things are going, we're going to see the talent pool dwindle away because it's becoming unaffordable to survive off of bug bounties. Speaker 5 It's becoming unaffordable. But I'll get off the soapbox. I just hope people understand this is more important than the tech right now. This is insanely important to solve now. Luke Um, I do want to make one disclosure. And generally, I do agree. It almost makes me wonder if we should discuss, you know, putting up the change box at events like Monerotopia, trying to do a fundraising drive while we're there for larger efforts. Luke I'll just apply that pressure to Doug and not elaborate at this time. Um, but yeah, Doug I also want to totally, totally on board for that by any, any open to any of all the ideas I'm good to hear. Thank you. We're growing the Monero Treasury. Luke But just in the name of full disclosure and honesty, there is something I want to be clear on. For me, personally, I have to decide where I donate my time. So personally, I actually decide to donate my time largely not to Monero, although I have, I'll get to that in a second. Luke I largely donate my time to my own projects. Serai, you know, decentralized exchange, and with that, you know, stuff like Monero Serai. Monero Serai is a Monero library which implements the Monero transaction protocol and is meant as a public good for the Monero community. Luke And it's not something I've ever requested funding for. There are discussions to request funding for its audit. That may actually be something I publicly fund. But largely, I personally donate my time to Serai and not Monero. Luke With regards to my work directly on Monero, like with full chain membership proofs, I did prior request retroactive funding. So I did take the risk. You know, if it wasn't going to get funded, I wasn't going to get paid for the work I did.
Luke But I was fine with that because I thought it needed to be done. I thought I could efficiently do it. And I accepted. I may not get paid for it when I believed in it. But I did request retroactive funding. Luke And that did go through and have been paid out and everything. So that's great. With my upcoming work on full chain membership proofs, I also am planning to request funding for that. And it's not because I don't like Monero. Luke I obviously do like Monero. I just have to choose where I donate my time. And personally, I'm currently donating my time to my own project Serai and not Monero directly. So I do want to be transparent about that before people start thinking, oh, Luke is great. Luke They donate their time. I largely do not directly donate my time to Monero. Though, oh, so I do work on some things for Monero that I don't put under a CCS. So yes, I do still donate some time to Monero. Doug Extremely important topic. Anybody else have any insights, thoughts on this topic before we move on? Speaker 6 I wanted to ask you, how about a hybrid approach? Like some people in the Monero community who are like an extreme fringe, they want to be like direct donation, that model, so that the developer stays in the shadow, but they get their funding. Speaker 6 So how about hybrid approach, like CCS, with Rhino and multisig setup, as well as MAGIC, as well as a culture of direct donation? Am I like, is my mic working? Speaker 5 We heard you, man. Speaker 6 So yeah, I wanted to hear your thoughts like that, a hybrid approach of like CCS with multisig Rhino or whatever, then like MAGIC funds, want to pay less tax in the U.S., as well as a culture of direct donation, hybrid approach. Luke So, obviously, all of these fundraising systems are additive. And that's the really great thing about this. You know, if MAGIC does great, it doesn't make the CCS disappear and evaporate.
It just means that the CCS is available for the people who want to do the CCS and MAGIC is available for the people who want to do MAGIC. Luke With regards to Rhino specifically and multisig, that's more about how these programs would internally operate. And it's not really about the effects of how they work and how they move forward. But, yeah, keeping the CCS but also adding additional highlights to MAGIC. Luke Because one of the reasons MAGIC is great, in my opinion, not to say that it's better than the CCS. It's an alternative. But one of the reasons it's great, in my opinion, is, one, it can do USD payments for people who are in the US and need a more traditional income. Luke And two, it actually can raise a bit less. Because we no longer need to take the standard, you know, 10% for volatility. A lot of these CCS proposals add 10% for volatility. But as soon as MAGIC receives coins, it can immediately convert them to USD. Luke And in the process of converting it to USD, no longer be affected by volatility with regards to fiat. So I definitely think there should be a hybrid approach of a bunch of different funding mechanisms. Luke But I think that's largely what we already have. It's just about putting the proper emphasis on each one and covering the areas not just covered, which kind of goes back to my employment commentary. There's not anyone right now who will offer you a one-year contract to work on Monero. Luke The best you might get is, you know, one-year contract to work at Cake Wallet. And then that may have you as part of your work on Cake Wallet, fix some bugs of Monero, or you might, you know, that might be generous and allow you to spend some of your time on Monero. Luke Because I'm sure, yeah, if Monero has some bug or slowdown with its RPC or infrastructure, and that's affecting you over at Cake, well, it's free open source software. The easiest way for you to fix the issue at Cake would be to fix the problem upstream.
Luke But that doesn't change that. No one right now will just give you a salaried employment. No one will give you dental, which is the biggest outreach in our modern society. And that's kind of why I want MAGIC to grow to also cover that angle. Luke And yeah, as you said, it's also about the community being mindful and open to these ideas. So... Speaker 5 So I don't know how much people know about, for example, like Red Hat, Linux, or some of the, I think it's called the Canon, the people who do Ubuntu, do you remember what it's called, Luke? I don't remember, but Canonical, Canonical, yeah, I apologize. Speaker 5 There are business models in Monero for service, but it should not be the responsibility of developers to do that, and that's kind of what Vic does, for example, taking open source software and turning it into a business model does require a certain expertise in the realm of business. Speaker 5 It is harder than running a business based on either conventional services rendered or manufacturing or something like that, but not only can it be done, it has been done for over 30 years with operating systems and open source software. Speaker 5 There are so many opportunities for somebody who isn't a software developer to deal with this problem, and I would argue that it's probably more important because software developers, they can work a lot of places, but they cannot live without getting value for their talent, but a business entrepreneur can create opportunities for those people if they have the wisdom to do so, and it's even more fun because it's an additional challenge. Speaker 5 So people could take, if you have been looking for how you can facilitate the development of Monero, you don't have to learn how to code. You can poach coders out of places like the software stack developers at Google or all of these other places by offering them the opportunity for employment that they would seek for doing something that's more noble.
Speaker 6 Yeah, and I wanted to ask another question regarding full chain membership proofs, as well as what do you see with the performance upgrade, with performance issue regarding full chain membership proofs with the modified Bulletproofs, and what are your thoughts about modified, like, Bulletproofs+, which this Monero is currently using, as well as for future, like, Bulletproofs+. Speaker 6 Is it possible to use like directly implementation of Bulletproofs+ with full chain membership? Luke If we're moving on to prior topic, then. The work originally was done with Bulletproofs+ and my retroactive funding was for the implementations that was with Bulletproofs+. I did not implement it with Bulletproofs+, or rather, I did not implement it with generalized Bulletproofs+. Luke Instead, I implemented with Bulletproofs+ and this shim around it, which was not pleasant at all and was not great. When the generalized Bulletproofs formalization was made available to literal changes needed for Bulletproofs+ to become generalized Bulletproofs+, I actually did move my work over to generalized Bulletproofs+ and that did not appear in any CCS and it will not appear at any future CCS. Luke I initially implemented Bulletproofs+ that turned out to be invalid. That was my fault, or at least I perceived it as my thing to own up to. I personally made the decision to move it to generalized Bulletproofs+ without involving the CCS. Luke I'm just clarifying this because it goes back to my prior commentary about how I donate to Monero. Before generalized Bulletproofs+ was formalized, we did actually inquire with Cypher Stack about creating generalized Bulletproofs+ and moving forward with that instead of moving forward with generalized Bulletproofs+ because not only would it be a tiny bit smaller, but it would set the stage for Bulletproofs++ because they introduced this academic thing, a norm argument.
Luke The norm argument of Bulletproofs++ is argued as comparable to the weighted inner product argument of Bulletproofs+, which is evolving the inner product argument of Bulletproofs. Basically, we did consider generalized Bulletproofs+. Luke The math did not work out. It's not that it's impossible to create this generalized Bulletproofs+. It's that Aaron Serengdoser did spend time on it and did not create results. So Bulletproofs+ kind of sees out and Bulletproofs+ also wouldn't be worth it upon further review because it would be a tiny bit smaller, but to my understanding, it would also be twice as large with regards to time to verify. Luke So twice as slow, despite only being a tiny bit smaller. With Bulletproofs++, there is the opportunity for review and further hopes of greater performance, but I really can't comment on that at this time. Speaker 6 So, what are your thoughts about Seraphis and SwillersGen upgrade? Will we see development and spending or will we see within like two years? Right now, the discussion is only either of criticism or either of performance upgrade. Luke Uh, the estimates discussed, uh, regarding Seraphis, which is what caused me to do this full chain membership proofs work now was that Seraphis was presumably at least, and I do mean at least two years out. Luke Not, you know, maybe in two years, but at least two years out. Uh, and that's what caused me to do my work now. Um, with regards to future improvements, there's definitely a few, but I think it's a long discussion with a lot of options and it's not really worth getting into right now versus after we've taken this first step.
Speaker 6 Okay, that's great, but do you see, like, for the future, since Monero is in like an adversarial mood, like we have lots of enemies with the state and the central government and other stuff, do you think in the future we will need more cryptographers, a culture of cryptography, to make sure that the research and development, of like the research we are facing like Chantee is stand up as well as Bulletproofs++ and not with blockchain membership proof, like it's taking a lot of delay, so do you think in future we have to tackle that problem, that we need more cryptographers in our camp? Luke I'm never against more cryptographers, yet the goal with full chain membership proofs is to establish this, is to finally establish full sender privacy. And once we've established full sender privacy, that gives us a lot of time. Luke Because if we have full sender privacy, we have full amount privacy and we have full receiver privacy, we are kind of good with the privacy. At that point, our only concerns would be metadata and forward secrecy. Luke Forward secrecy is actually very important to me, and I don't want to dismiss this. But the goal with full chain membership proofs is to get to this minimally viable point where technically all improvements are optional, not because they're required, and you can debate how optional they are. Luke You know, if someone starts spamming the blockchain and our current cryptographic proofs aren't fast enough, or if Monero overnight onboards all seven billion people on earth, and we can't handle, you know, the combined transaction load of seven billion people, obviously we will need more efficient cryptographic proofs, and that will require this field of cryptographers you discuss, which is why it's still important to culture cryptographers, culture, focus on research, et cetera, et cetera. Luke But I do want to note that technically the privacy will be at this, you know, minimum level. Speaker 6 Yeah, that is true. Yeah, we need quantum stuff.
And regarding the, okay, there is, I think we should discuss about the Argentina battery house. Yeah, I think the major problem is the IMF as well as the Financial Action Task Force, because those guys, their goal is like client state model. Speaker 6 They are an empire, let's face it. It's the neo-American empire. And look at the temperate parties. So they are in charge. So they want to continue that empire. So they want client state. They don't want allies. Speaker 6 They just want client state. So yeah, I think we can discuss what's the matter with Argentina. Speaker 7 Yeah, for sure. I mean, so first get the facts. So basically, this new legislation is part of the new anti-money laundering law that was planned. It was designed by the previous government, so the Peronists, and it was already half approved. Speaker 7 And so, you know, a few weeks ago, it was bought on Congress. And, you know, what the Milei congressmen said was that we are not, you know, they said that they are not okay with this legislation. They have a lot of criticisms against it. Speaker 7 However, the FATF is already on the country. They are, you know, auditing us right now. And because we don't want to be cut off from international credit, at this moment, you know, the Congress, Milei's congressmen decide to vote for it anyway. Speaker 7 Keeping the promise that, you know, they want to re-discuss it later and, you know, actually fix it and make it reasonable. But for the time being, it was voted as it is. Yeah, you know, it's obviously pretty bad because it was designed by socialists, but it's pretty much the only thing available at the moment. Speaker 7 And so what I think on it is that, you know, there's a lot of libertarians criticizing Milei because of, for example, you know, he's, you know, y'alls seeing his interviews, you know, he preached about the free market and how much harm the state causes.
Speaker 7 But yet, you know, he's president now and Argentina still has capital controls. It still has, you know, huge restrictions in commerce. You know, the tax pressure is still insane, you know, the central bank still exists. Speaker 7 And, you know, and you think like, you know, why is someone like Milei, you know, still maintains this kind of thing. And, you know, the way I think is that it's just the same, right? Because the financial system, you know, or Speaker 6 It's a minority government and I think the thing is either they are not like coordinating with like the Mises Institute or like the firearms or Lixi Coalition or like the guns of America those guys because the thing is they need dollar and the way to get dollar it's like Argentina is like 90% state. Speaker 6 So they have the state they would like manufactured guns and make a law mandatory everywhere every people have to buy a gun and they will get dollar instead. So the thing is it's like the priorities they have to set their priorities right they have to look at the important thing right they need the second amendment otherwise the libertarian project is dead. Speaker 6 And what I like wrong one incorrect government and it's all gone. 
Speaker 7 Right, so Milei has to, you know, pick the fights he wants to take on. Like for example, like why, why didn't he delete the central bank on his first day and Bob for that to happen? But if he did, I mean, the central bank is, has a lot of debts, and if, you know, if it disappears overnight, it has to pay back that debt, and the only way to do it is to print that money, because it has no money, so it has to print the money, and that's like four times the monetary supply, so that's hyperinflation. That's why he cannot, you know, end the central bank yet. To do that he has to put it back on shape, and to do that he needs dollars. So I mean, it takes time. Yeah, he needs to follow a plan. He can't just, you know, get rid of him because everything's just so broken, it's barely held back together, that, you know, these things take time. And yeah, it's frustrating, but I think people are being a bit unfair as well. Speaker 6 Yeah. Another thing I found interesting is that he stopped the spending also, like the money period. I think he told he will make a lot to make it illegal to even create money. But yeah, there is another problem. Speaker 6 The existing money is still there. He's not burning the supply. Like he could do like 10% allocation. He will buy the, on the note and then 10% he will burn them. Eventually he could delete the peso entirely. Speaker 6 And then, then you will get the political might because everyone will be using dollar or board from one year or whatever. Then I think it will fix the situation. I think still the problem is it's, he's a minority government and it's like a client what state like US will try like the Democratic party as well as the neocons, neolibs, those Brussels people, they will try to make it Argentina into a colony. Speaker 6 That's a problem. Argentina is not a nuclear arms state. It has like a great geography, but the thing is militarily it's worldwide. To prove that. Speaker 5 I think there's a certain issue of missing the forest through the trees here.
The single greatest thing that happened with the election of Milei is the undermining of the all-pervasive godlike nature of government. Speaker 5 When we talk about governments, we talk about these monolithic institutions that don't actually exist. It's like talking about Phlogiston. It's not real. There's men with guns playing mind games with other men, and some of them don't have guns. Speaker 5 The power that exists behind Milei being even in the institution of government is the fact that a large blow to the permanence of the bureaucracy state was done in the minds of individuals. Whether it was a concession by the deep state to keep people participating or not, whether it was an organic movement of Ancaps, and now he's in the government trying to make things happen, maybe he's legit, maybe he's not. Speaker 5 It's irrelevant. Speaker 6 CIA wants some of any guy and because it's like then also let's face it United States militarily it was a hyper power now it's a declining super power so they also Speaker 5 Well, my point IPP is that you're, I mean, even that comment, it still does it because the power of the United States from the very beginning was its productive capacity on an individual level. And it's the same with Argentina, which is when you're an export economy with stuff that is so prized around the world, right? Speaker 5 But your power is in the productivity of the individual. And the only thing that gives the state any power is how much they take from the individual. And I don't, I don't even know if Milei exists, right? Speaker 5 Maybe he's some AI-generated video somewhere. I don't know. I've never met the guy. I don't know anything about him, but what I do know is the moment in which a parking ticket receives any power is going to boil down to two things. Speaker 5 Either somebody has a gun in my face and they're forcing me to comply, or I willingly comply by transferring value to the state because I got a little piece of paper.
And if you don't acknowledge what is the reality of the situation, then what you're going to do is you're always going to be caught up in this idea of these bureaucrats over here are leveraging this pressure over there. Speaker 5 And so it caused this person to do that, or we're speculating on what people are thinking. And even if they tell us what they're thinking, it doesn't matter. It's what they're doing, right? And what is happening right now is a powerful movement is becoming complacent. Speaker 5 And it doesn't matter if the guy is legitimately trying to follow the values that he presented to those who, I guess, allegedly theoretically voted for them or whatever. Money is an entirely faith-based institution. Speaker 5 It is a religion. Government is a faith-based institution. It is a religion. And people are practicing the art of worshipping the government when they're waiting for somebody else to take the pressure off of other people who are deeply invested in the religion. Speaker 5 There's this concept in voluntaryism that is all but dead. But when I started my voluntaryist anarchist journey, we had this thing that we called the magic suit, where a normal human being wakes up and is a normal human being. Speaker 5 And then he puts on his magic suit, his police uniform, his military fatigues, whatever. And he is now exercising the will of the state. What's the difference between that and a priest putting on his goofy thing? Speaker 5 Or what's the difference between that and a palace guard putting on his stupid hat? When you allow people to believe that through the magical powers of a badge or something, they are no longer themselves. Speaker 5 They are exercising the will of the state. But the thing is, is the reason they believe that is because you believe that.
When you talk to a cop as though he's a person, and then he says, well, the law is blah, blah, blah, and you say, but you're the one doing it, OK, either you choose to exercise your imaginary magic suit powers or you don't. Speaker 5 You have to force people to acknowledge that this is a religious institution. There is no way that some guy in Brussels is going to write a document and then it is going to magically compel a farmer in Argentina to not sell his cow to the Chinese. Speaker 5 This is literally all theater, OK? And when we talk about nuclear arms state this, and when we talk about, oh, well, you see, because the central bank, it's underfunded by magic fiat fed notes. And because it doesn't have all of a sudden, the debt is just transferred to the people of Argentina. Speaker 5 And they're like, no, you tell them to go blank themselves. See how I clean it up, Doug? I'm getting better. Doug This is a top 5 right here. Speaker 5 is no debt knuckle, there is no, there's nothing backing any fiat anything. It's not something. You're allowing the momentum of the anarchist movement to be undermined, because when, you know, the Democratic People's Republic of Kerblakistan is coming along and saying, well, I have bonds that were issued to your great great grandfather and so you're not allowed to be free because my great great grandfather, you know, used leveraged buyouts with slave labor and all, it's, you have to call them on their blank blank and tell them that this is an unacceptable premise. I don't actually practice your religion. You're delusional and I'm not interested. All right, that's Doug Let's hear from, let's hear from ganbat. Let's hear from ganbat. Yeah Speaker 7 Something I want to point out is that, you know, one thing, you know, these new regulations are, you know, are the same ones that are in El Salvador. And it's just that before we didn't have any anti-money laundering.
Speaker 7 But also the thing is, you know, sure, this thing got through Congress, but the Cuevas will still exist. No, not even the most die-hard socialist governments were able to deal with the Cuevas. You know, so I think the Argentinian society, you know, is very resilient to this kind of things. Speaker 7 So, and I think that, you know, one can, you know, when I defend all, you know, he can't close the central bank because of debt and all that, you know, it has some actual implications. It's quite different from the, you know, from the Fed. Speaker 7 Like, for example, when I talk about debt, debt is actually the Argentinian deposits. So it's the money that people have under bank. You know, if the central bank closes, all that money just disappears. Speaker 7 Now, is that something I defend? No, I personally don't have any money on banks, on Argentinian banks or any banks because I don't want to play on that game. You know, that's why I opt out, I use Monero. Speaker 7 But he also, you know, I don't want to, you know, pretend that it doesn't matter, you know, because it does and, you know, it needs time to fix and, yeah. Doug A quick question. There was that rumor that we were hearing. I think it was potentially through executive order where it was going to be mandated that everybody has to basically submit file and explain what their crypto holdings are. Doug Is that something that might actually happen?
Speaker 7 I haven't heard of a new executive order asking for that, but there was many ones like that from the previous governments. And again, I mean, just no, no, that, that has happened in the past in Argentina, where, yeah, many times. And, you know, the first time they were like, you have to declare your holdings. The next time, you have, if you declare your holdings, you'll pay less tax. Then, then it was, please declare your holdings, you'll pay no tax. And yet no in the currency because Speaker 6 the ethnic factor, like the first they will try to disclose, it's like a permanent registry, and we know what happens with permanent registry. Look at Nazi Germany, they did permanent registry of all the wealth as well as all the guns, and then, you know, the Holocaust. Speaker 6 But yeah, I think Argentina can be saved, like if they use, if they have a constitutional carry, Second Amendment, as well as counterculture. Like I'm see in the streets all the protests happening, but there is no counter, no one is wearing instant flags with count and just going, yeah, but yeah, that's Doug Let's, uh, let's hear from, uh, let's hear from alex and arca. Sorry itp. I just want, I just want to spread this, spread the wealth out here Speaker 8 Yeah, what's up? Can you hear me? Yeah, yeah, we can hear you. Speaker 7 Amen. Speaker 8 Well, I think my Bluetooth headset just disconnected. We hear you. Well, you okay, it sounded cool. Yeah. So, I've been working on my podcast and my website. This is a new topic. Is this okay? Speaker 9 Yeah, yeah, that's fine. I mean, uh, I was, I was actually hoping to say something about Javier Milei, if that's okay. Doug Oh guys, let's lift stuff to junk dial and junk dial me real fast, hold on, let's close out the Milei topic, go ahead junk dialing. Speaker 9 So, um, yesterday, or at least in the last couple of days, I believe there was a guest on the Tom Woods Show.
Um, if you don't know who he is, he's extremely well-respected in the libertarian community, um, Dave Smith, that circle, uh, his, his name is he's like bow tied Mora. Speaker 9 Um, his name is shell banger. I encourage everyone to listen to that episode. Um, very recent last episode or two, he lives in Argentina. And one thing that kind of goes down to the fundamentals of it, what everyone's talking about is we can't really trust everything we're hearing in the news about Milei, um, if you, if you know about the Trump, uh, very fine people hoax or the Russia collusion hoax or the all that other stuff, you understand this America is divided into two almost evenly split camps who live in completely different realities. Speaker 9 And what I've noticed with the Javier Milei news is that he is getting criticized for stuff that if it's scratched below the surface, just barely below the surface, it turns out to be crap. At least I've noticed over 50% of the time I'm not even digging that hard. Speaker 9 So if you haven't followed, uh, the gentleman named shell banger, I would encourage everyone to, uh, follow him. He's a lot like a bow tied Mora. Um, I think it would be a really great guest actually, because he could speak to this, it's a great episode. Speaker 9 It touches on a lot of crypto stuff. Um, so that's all, that's all I want to throw up. Doug Awesome, and yeah DM me that actually if you don't mind. We had a bowtiding around. Speaker 6 How can you see? How can you see? How can you see? Like, gunbed fire. Have you seen any groups like those American groups coming over there? What's the condition of the party? The various party? Any anarcho-capitalist guys or any libertarian guys coming to advise them? Speaker 6 Because he needs to go to the net. Speaker 7 Yeah, I mean, there are some, you know, in order to achieve, you know, governability, he had to make some compromise.
So there are some actors in his trenches that are, you know, not, I actually were tearing a suit, like, but yeah, I mean, I just wanted to say that we can, we can fight on both fronts. Speaker 6 is having support from like the Republican conservative side of the Argentinian population, that's what, but the thing is Argentinian, it's more than anything, it's the Second Amendment with constitution Doug Hello, hello, hello. Do you hear me? Hold up, hold up, hold up. I just, I just, I want to keep, keep the convo going. Um, combat. I saw you had thrown in a question about view keys and how is that? The first from Monero, this maybe, maybe you want to throw that out there to Luke. Doug And also any, any other questions people might have for, for Luke. I just want to, I just want to switch back. I feel like we're starting to repeat ourselves now on the Milei topic. So let's, let's move on from Milei. Doug Sure. Anybody who wants to ask Luke any questions while we still have him, I think he might still be with us. Speaker 7 Yeah, sure. So I'll look, just talk about how to implement a view keys that are able to see outgoing transactions. And so I was wondering, yes, Mr. Luke about Zano's auditable. Yeah, and also- Speaker 7 Auditable access. Yeah. So I get it. Luke comment on... I didn't comment on Zano because I wasn't aware of it. I didn't want to comment on something I didn't know about in case I was wrong. I actually looked it up when I turned my camera off. Luke The way Zano does it is they just remove sender privacy. Speaker 6 Oh, that is not good. Luke I mean, it's only for auditable wallets. So it's if you want to be able to audit the wallet of this charity, the charity no longer has sender privacy. And on the one hand, a solution. On the other hand, there's a reason we would not deploy such a technique on Monero, because it's not selective disclosure. Luke It's just removing privacy on the blockchain itself, though I will note the amounts are still private.
It's just it's ineligible for usage in ring signatures, which is how they enforce that when it is spent, it is clear that it is the only output spent because it is directly specified. Speaker 10 kayabaNerve, sir, what an honor to speak to you. Do you hear me? You gotta hear me about it. Yeah. I have a question like motivated by a speculation of shifting the Genesis block, but you don't have to go into that, like why not to do it? Speaker 10 My question is, now with the generalized Bulletproofs, is it still a curve cycle? Or it's still about curve trees, right? Luke Prior to this, we would be using a towering curve cycle which gives us a curve cycle without switching curves with a bunch of commentary on the quality, performance, and security of that. So basically, yes, the proofs do still use a curve cycle. Luke It would be a curve cycle mathematically. It's really weird. Technically, it's not possible for VAD 255. Speaker 10 Yeah, just for everyone else. For each block, there would be like a tree, right? I remember you explaining it to me. I looked at your call. Then it's really difficult for me. But I like to elucidate the things for the common listener. Speaker 10 And yeah. So as I understood it, for each block, there is then like a tree which can be pruned. My question is, because I'm sort of against it, of course, this is life. There is also always some guy that is against it. Speaker 10 I'm not against it. Like I'm just asking. I find it great, like all kudos to you. Is that within a window, can you like do the full membership proof without doing the full chain membership proof thing? Speaker 10 Or do you always have to have an archival node? Luke So, it's not that each block has its own tree, it's that the outputs in every block are added to the tree, just to clarify that. Technically, you could define a new tree every year, and then you could do membership only off that single tree, but there's not exactly benefit to that.
Speaker 5 Not even a performance benefit. Luke Well, technically, there might be a performance benefit. But then anyone would be able to see what year your transaction is from, which is really messy. Like, if we were to do that, we wouldn't want to segment it by year unless your focus is on the pruning of historical data. Luke But we would want to just define two trees, or however many trees. And then if we have two trees with every transaction, we would alternate which one it's added to. So it would either be added to tree A or would be added to tree B. Luke And then because our trees are twice as small, that would change how the math works out of it regarding performance. Speaker 5 I had a question, so go ahead. Speaker 10 The answer is yes, it can be done over time horizon, right? Luke It can, but I wouldn't support that. OK, thanks. Speaker 7 I wanted to follow up on the Zano auditable wallet, so I looked it up and yeah, what you said is true that when you, it used to be the case that auditable wallets had to use zero mixins when sending transactions, but apparently that's no longer the case. Speaker 7 So now they can use mixins. So I guess ring signatures when sending. So Luke So you're saying auditable wallets with ring signatures? Yeah, so... When are you seeing that? Because I only pulled up their 2020 link, which is no, they're not allowed to be used in ring signatures. Speaker 5 Added like a week ago, wasn't it, or like no no Speaker 7 No, no. So I seen on the docs that there was a restriction that you cannot use mixins when you send coins from an auditable wallet, but Luke Yeah, their current doc site, docs.zano.org, Auditable Wallets FAQ. Are there any restrictions? You cannot use mixins when you send coins from an auditable wallet. Speaker 7 Yeah, I just read it. Yeah, it said below that it was changed in a hard fork, but I got confused. No, actually, that's the Luke Yeah, other restrictions were lifted in a hard fork, that one remains. 
Speaker 7 Yeah. Luke That's right. And if you do add that restriction, then yes, auditable wallets are trivial. You know, the whole outgoing view key is to detect when an output is spent. If you remove the ring part of ring signatures, that's very trivial to do. Luke The way this would work is it would allow anyone with the quote outgoing view key to calculate the key image despite being unable to spend the output. Speaker 10 But that would require specialized hardware? Luke No, not really. None of this is proposed for using specialized hardware. Speaker 10 What you said before, like we were talking last episode, this quantum resiliency of Monero is the one-time address on the chain. Because of the Diffie-Hellman key exchange that happens, does it reveal the sender? Speaker 10 Like if I have... Luke No, that's not the target for quantum computers. The one-time key itself is not the target. The one-time key itself is not the target because it is made up of a spend key and a view key, but a quantum computer can only recover the discrete logarithm of the one-time key. Luke So it can't differentiate what part of that discrete logarithm came from the spend key and what part of it came from the view key. Speaker 10 Exactly, so a quantum computer from the one-time key cannot catch your private key, right? Right, but... Luke Well, they actually can obtain the private key for that output. For the one-time address? Yes, they just can't link it to any other one-time address. Speaker 10 Oh shit, I didn't know that. Luke Well, so a quantum computer can recover the private key of the one-time address. They cannot recover your spend key, nor can they recover your view key. Once they have the private key for the one-time address, as of right now, they can calculate the key image for the one-time address, and therefore they can determine when any output was spent. Speaker 10 But they don't get the spend key. I'm getting confused here. Sorry. They get so. 
Luke The spend key and the view key are wallet concepts that are used in your stealth address and they are used internally. But your spend key and your view key, when instantiated into a one-time key, do create exactly that, a one-time key. Luke A public key only meant to be used once. With a private key only meant to be used once. So, this one-time key, there is a one-time key that is a private key that is derived from your spend and view key. Luke Quantum computers can recover that one-time key. They can't link it back to your wallet. They can't go from this one-time key to your spend key and your view key. But that one-time key is what's actually used to spend that output if you have all of the other information associated with it. Speaker 10 Exactly. So with the one-time key and the one-time address and with the quantum computer you get the one-time key and you are able to spend from just that output, not from any other. Luke You wouldn't want to actually spend from it if you have a quantum computer. You can just mint infinite coins regardless. That wouldn't be the immediate target. The main focus is that if you have a one-time key, as in the private key, not as in the public key we see on chain, you can calculate the key image for that one-time key. Luke And if you calculate its key image, you can detect when it was spent. So, as part of this full-chain membership proof proposal, I was looking at it and I noted it inherently. Just the proposal I made, without my intention for this, inherently noted malleability. Luke When I was doing my review with the proposal, I noticed a lot of malleability of the output key. Now instead of the output key being the variable X times the constant G, technically you could have it be the variable X times the constant G plus, let's say, a variable A times the constant Z. Luke The letters for these don't matter. 
And I was reviewing that malleability because obviously when you suggest malleability, that's just a concern. You know, if someone can manage to get two different key images for a single output, they could double spend. Luke And that's a concern. What I realized is that as far as I can tell, it's still perfectly secure. And because it changes how output keys work, it changes the effects of a quantum computer. A quantum computer can recover for an output key X times the constant G. Luke They can recover X. But if the input key is X times the constant G plus A times the constant Z, they cannot recover X and A. They can only recover whatever the X would be if it was of the form X times G. Speaker 10 huh sufficiently enough for the signature but he would not get the private key would be able Luke Actually, if you created that signature, it would be a signature for technically a different output. Because right now the output key is defined as X times the constant G, and that X would decide your key image. Luke But this quantum computer, when it looked at an output key of the form X times the constant G plus A times the constant Z, it would actually recover a different X value. And because it recovered a different X value, it would actually create a different key image. Luke So it would actually have a different private key, and it would have a different key image. And that's why a quantum computer would be, they would be unable to detect what the actual key image for that output was, because it would effectively create a new key image with its ability to solve for the elliptic curve discrete log problem. Luke So it's not that this scheme isn't theoretically forward secret, it's that the exact full chain membership proof proposal I'm making, the proof that I used to sign for it and to prove ownership and prove the linking tag is correct, the key image, that proof is not forward secret. 
Luke So the scheme theoretically could be made forward secret, but one of these proofs would have to be augmented. Speaker 5 I had a question that has come up a lot on this show and hopefully you listened to enough Monero talks to notice how there's a great interest in, because the hash rate for Monero is what it is and it has, I don't know if you've looked at it recently, but it's not super great. Speaker 5 There's been a lot of interest in the effect that merge mining, especially with other practical use case chains, what effect that would have on Monero, both the tokenomics of other people mining it, but then also what effect it might have on price, what effect it might have on performance and so on. Speaker 5 And as many people chiming in is the same as how many different opinions there are on this, but isn't it DarkFi or no? Who was it that's gonna be merge mining with Monero already as a project? Tari, right? Speaker 5 My main question is what do you think about not only the implications of what Tari already plans to do, but what do you think the greater implications for merge mining just generally would be for Monero? Speaker 5 And then how much could you scale such a concept for the value of merge mining for both the project and Monero itself? Luke I wasn't commenting if this isn't something I have an opinion on. Got it. Speaker 5 So there's another. Luke and it'd be more helpful there. Doug All right, Luke, thank you so much, man. Greatly appreciate you, uh, sticking with us today, answering everybody's questions. Um, yeah, thanks for the opportunity. I was happy, Chip. And we're, we're super excited. Doug I mean, there's, there's no bigger news in Monero right now. And, uh, I can't remember the last time. I was so excited about Monero in terms of, uh, its technological improvements. So cheers, man. We all greatly appreciate it. Luke Alright, have a great one y'all.