spirobel

3.5K posts


@spirobel

my webframework: https://t.co/XODs3hd7kY monero dev dev I use this as my note taking platform while writing code. You are my rubbe

Joined November 2021
410 Following, 966 Followers
Pinned Tweet
spirobel
spirobel@spirobel·
we all saw it last week: There is a lot of latent demand for Monero that is currently unmet, because we don't have enough uncensorable liquidity. A browser wallet is crucial to soften the edges around current & future initiatives to bring real liquidity to XMR.
Monerista@Ridolfox

. @monero community, having a browser wallet extension is a necessary next step. @spirobel has been working hard.... As an open source model we can continue to iterate and integrate into ecosystems ie @xmrbazaar and future apps (hopefully defi?) Donate! ccs.getmonero.org/proposals/spir…

English
3
4
49
10.9K
spirobel
spirobel@spirobel·
No. The difference is that the stuff they are building on is a lot slower. I would recommend reading this for a direct comparison: x.com/spirobel/statu… (it contains a link to the paper with the comparison of curve trees with orchard). For more context I recommend the article and podcast linked in: x.com/spirobel/statu… If you are really interested in this topic, I would recommend running the fcmp benchmarks yourself to get a feel for what minimum core count is necessary to achieve similar tps numbers to what they are targeting with tachyon (they threw around the number 660tps as the target ... doubtful they will achieve that. You can look up what project Mina got which tried a similar Amdahl's law ignorant recursive zkp approach)
spirobel@spirobel

x.com/i/article/1997…

English
0
0
1
45
Tokita Ohma
Tokita Ohma@thetigersvessel·
@spirobel @vvvdft88435 Monero faces the same challenges as Zcash with regard to scaling, correct? Monero’s key images are analogous to Zcash’s nullifiers.
English
1
0
0
70
spirobel
spirobel@spirobel·
the Monero-PSK addressing protocol is taking shape. tevador wrote a draft to formalize it based on the earlier MRL discussions. This will enable Bitcoin-like UX for wallet synchronization.

FRIENDLY REMINDER: project tachyon means that it will not be possible to recover funds from seedphrase and blockchain state in the future. When I first read this I thought it was a joke. Zcash wants to introduce tachyon and at the same time do the "this is the new bitcoin" pitch. It is just deluded and an insult to the audience. Their scaling roadmap destroys the store of value properties completely.

Monero has objectively the better store of value proposition. There is no debate about this. And we have a path towards enhancing the lead in this regard. Improvements like Monero-PSK will lead us towards a wallet user experience that is similar to what people are used to with transparent store of value assets like Bitcoin. Our scaling roadmap is not fundamentally at odds with the Store of Value aspects of the currency. We get users to see their balance instantly and gain trust. While Tachyon will make Zcash uninvestable from a Store of Value perspective.

Monero-PSK: gist.github.com/tevador/916923…
No Seedphrase Recovery for Tachyon: x.com/spirobel/statu…
spirobel@spirobel

TLDR: Monero is ahead on scaling, we need to work out how to speed up wallet sync.

Friendly reminder: Project Tachyon is 5 people and claude code working on the wrong problem. Last year I wrote this article: monerochan.news/article/18 and we talked about it on this podcast: x.com/monerotopia/st… There was a follow up post comparing the batch verification time of the state of the art work that Monero's FCMP is based on: x.com/spirobel/statu…

Nothing has changed since then. There are still no TPS benchmarks for Tachyon and there is zero credible evidence that they will do any better than the failed Project Mina. It also made outrageous claims that it can scale to infinity. Tachyon ran on this absurd "TPS don't matter anymore" narrative as well. Now they have pivoted to talking about quantum computers.

The Monero community should become more outspoken about the fact that the CPU bound proof verification work is the bottleneck and not state contention like project tachyon wrongly assumes. FCMP is based on curve trees which is the current state of the art peer reviewed research with the best batch verification time. (as mentioned earlier: there are follow up papers that improve on this even further. There is a clear path to widen the gap even more)

Node level throughput is determined by the minimum required core count. If that is set to something reasonable, we have to start thinking about end user wallets not being able to catch up, as currently they have to scan all transactions everyone is making, all the time. To solve this issue I started writing down some notes that were discussed in this MRL session: x.com/MoneroResearch…

English
4
10
38
2.5K
spirobel
spirobel@spirobel·
@craftsoldier do you have anything meaningful to say or just snarky comments? can I ask you something: are there also intelligent people in Zcash? Everyone I come across is either an ai bot or really really stupid.
English
0
0
1
42
spirobel
spirobel@spirobel·
TLDR: Monero is ahead on scaling, we need to work out how to speed up wallet sync.

Friendly reminder: Project Tachyon is 5 people and claude code working on the wrong problem. Last year I wrote this article: monerochan.news/article/18 and we talked about it on this podcast: x.com/monerotopia/st… There was a follow up post comparing the batch verification time of the state of the art work that Monero's FCMP is based on: x.com/spirobel/statu…

Nothing has changed since then. There are still no TPS benchmarks for Tachyon and there is zero credible evidence that they will do any better than the failed Project Mina. It also made outrageous claims that it can scale to infinity. Tachyon ran on this absurd "TPS don't matter anymore" narrative as well. Now they have pivoted to talking about quantum computers.

The Monero community should become more outspoken about the fact that the CPU bound proof verification work is the bottleneck and not state contention like project tachyon wrongly assumes. FCMP is based on curve trees which is the current state of the art peer reviewed research with the best batch verification time. (as mentioned earlier: there are follow up papers that improve on this even further. There is a clear path to widen the gap even more)

Node level throughput is determined by the minimum required core count. If that is set to something reasonable, we have to start thinking about end user wallets not being able to catch up, as currently they have to scan all transactions everyone is making, all the time. To solve this issue I started writing down some notes that were discussed in this MRL session: x.com/MoneroResearch…
Monero Research Lab (Unofficial)@MoneroResearchL

Discussion continued on post-quantum encryption for Jamtis addressing. tevador confirmed he is continuing with AC1024 as discussed in the previous meeting. rucknium shared thoughts on optional interactive address protocols to address merchant UX/DX concerns with non-interactive "push" cryptocurrency transactions versus the traditional "pull" model of digital fiat payments, while stressing that non-interactive transfers and passive donation addresses (e.g. kuno, CCS, xmrchat) must remain supported. This led to extended discussion of spirobel's scan-reduction proposal using ECDH-derived secrets (replacing dummy payment IDs) and comparisons to current subaddress and Jamtis approaches.

rucknium: 3. Post-quantum encryption (github.com/monero-project…).
tevador: I have no updates, I'm still going with AC1024 as discussed in the last meeting. I can answer questions if needed.
rucknium: I thought more about having an interactive address option. I think some merchants have problems with non-interactive txs. Or you could say that they are accustomed to the "pull" procedure of digital fiat payments, but cryptocurrency txs are "push". In previous research, I found this set of complaints about accepting cryptocurrency. It says that small underpayments were a problem: blog.shodan.io/accepting-cryp…
rucknium: Just some thoughts on UX. Or DX (developer experience) maybe.
rucknium: ^ AFAIK, that site blocks Tor. And I cannot get archive.org to work right now :(
tevador: I think that interactive transactions could be an option, but not the only option. There are use cases for non-interactive transfers.
rucknium: That reminds me that the Tor Project is running a cryptocurrency donation campaign for some internet privacy tools, including ones that are useful for research. I used OnionShare to collect user-submitted monerod logs, for example. The donation link appears in the blank page of the newest version of Tor Browser: internetfreedom.torproject.org
rucknium: They accept XMR. Donations are being matched by Cake Wallet and Zcash Community Grants, plus some smaller donors.
rucknium: tevador: I agree. Not the only option. I just wanted to say that an optional interactive protocol could have some UX/DX advantages.
tevador: Yes, I'm still planning to include an interactive protocol in the appendix of Jamtis.
tevador: In response to spirobel, for point 2, you cannot just pretend that passively posted donation addresses don't exist. They do and we are not going to discontinue that use case.
tevador: This is a response to: libera.monerologs.net/monero-researc…
rucknium: Here was point 2:
> 2. the one-to-many "donation address" use case:
> for this case the status quo is that we have systems like kuno, ccs, xmrchat.
> there is a need for the group to see a donation counter go up.
> people don't donate to passively posted donation addresses where nothing happens after the transaction was sent.
> so in any case where donations are successfully collected,
> the information how many donations happened to this address is public in any case.
> this still doesn't mean the receiver needs to be online at the same time.
> strictly speaking the service to record the received transactions just needs to be able to receive messages,
> with similar ergonomics to smtp relays.
> in practice as we see, there is a hosted service with a donation progress bar in any case,
> so this service might just act like a checkout and in practice this falls back to the one-to-one case,
> as the donation checkout page generates a unique address for each donation attempt.
sgp_: I agree passive donation addresses are important
rucknium: More discussion about PQ addressing?
spirobel: tevador: just to clarify: i am not for discontinuing the use case. it's just that if someone wants this functionality, they have to continue to scan the whole chain. also again: my suggestion is non interactive.
spirobel: regarding the PQ addressing small addition: it would be good to have it as a separate document from jamtis and it shouldn't take up most of the space regarding addressing design choices. the discussion should be more focused on ux problems in the real world and how we can reduce scan time.
> rucknium: More discussion about PQ addressing?
jpk68: spirobel: Why shift the focus even further away from the non-interactive side of the protocol? This seems like a needlessly large UX change with no apparent benefit
spirobel: jpk68: i clarified earlier my approach is non interactive. further context: xcancel.com/spirobel/statu… and two more MRL messages ...
spirobel: jpk68: mrelay.p2pool.observer/e/gIrIw4QLRzMz… maybe i should turn this whole thing into a gist ... just to be clear i don't like interactive protocols ... where both parties have to be online at the same time.
spirobel: jpk68: the apparent benefit is that you don't have to sync wallets anymore.
tevador: spirobel: Your twitter post is too vague to properly judge the proposal. You should post a more detailed write-up, with all the keys and derivations, what constitutes an address, what is included on-chain and what must be shared off-chain.
tevador: I'm suspecting that in the process of writing it down, you will identify several issues.
spirobel: tevador it is good enough to judge the core idea. no i don't think there is an issue with this. it's a fairly clear idea
spirobel: i will turn it into a gist when i have more time
tevador: It's not clear to me. One paragraph says the sender includes an index verbatim, one paragraph says the sender increments an index and one paragraph says the sender fills part of the index with random data.
spirobel: or write a prototype ... do a kdf on the wallet seed and put it into the address ... put the secret into the place where the dummy payment id is now
spirobel: then only scan transactions that contain this secret in the dummy id
tevador: But that's a serious privacy regression. Any external observer can see the same pid repeating and can conclude that those two outputs are owned by the same party.
spirobel: tevador ... yes because this works for only one tx, so after that this secret index needs to be incremented
tevador: That doesn't solve anything, the external observer can identify (pid, pid+1) just as easily as (pid, pid)
spirobel: no it can't. because after the initial transaction the channel is open and we can obviously "increment" it in a way the channel observer won't know
tevador: Ah, so your proposal requires a secret channel between the sender and receiver. OK, in that case we don't actually need addresses, the receiver can just construct their own outputs every time.
spirobel: and the point is: you find the channel opening ... and then you can find all others ... that were sent with this participant
spirobel: no wallet syncing anymore
spirobel: and just to be clear: by channel i mean this in the simplest way, just some ecdh with the viewkey in the address and just say: this is the next secret for the next transaction. then you can find it as easily as the first but the observer won't know. that's what i mean by increment
spirobel: used the word channel because i had hedy lamarr's frequency hopping technique in mind, but it's not some interactive off chain connection
spirobel: so you can reconstruct the first secret from seed and you get all the others afterwards as the next "index" is always embedded in encrypted form in the transaction
tevador: Does it allow for stateless address generation? Probably not. You'd have to keep track of issued 'view keys' and never reuse the same key for two recipients (even if they don't send you anything). And you still have to scan, at least for the first transaction in every channel.
spirobel: do subaddresses allow for stateless address generation? no we increment the subaddress index. "never reuse the same key for two recipients" exactly what we recommend now for subaddresses ...
tevador: Jamtis does allow for stateless address generation.
spirobel: and scanning for open channels: no. the expensive part is the cpu work ... and even if we were to still do all the network fetching (which is not necessary, as this secret is similar to a txhash, an "index" in the sense of a database index, so we can retrieve just what we want. it's just a matter of in the case of remote nodes to obscure it... but that is a minor detail that can be worked out ...
tevador: It could probably work if the channel opening transaction included the original index. But at least the sender is always stateful. If they ever forget how many transactions they have sent, repeated 'view tags' will appear in the blockchain.
tevador: spirobel: you can't have stateless address generation that supports "index lookup" because you don't know which addresses exist.
spirobel: yes i don't see statefulness as a big issue. wallets have to do this in practice. statefulness is cheap compared to having to scan every single transaction everyone is sending all the time
spirobel: and also for logical reasons: if you want to compartmentalize your identity you have to make different identifiers for the people you interact with in any case
tevador: Stateful addresses get you issues like this: github.com/monero-project…
spirobel: but that is an engineering issue. because wallet2.cpp sometimes left gaps ... in my wallet library i increment the index for every address generated
tevador: And how do you know the value of the index when restoring from a seed?
spirobel: this whole lookahead thing is clunky ... also statelessness is not worth the price ... we can literally do away with scanning entirely ... which is a much more practical step towards scaling than something like tachyon (which needs to update a proof constantly to be able to spend, different topic, but shows the different directions here ...)
spirobel: "And how do you know the value of the index when restoring from a seed?" you would know how many addresses you generated ... you can easily just make 100000. just call the kdf, make the secret, ask the node if there were txs for these ... just a database lookup
spirobel: and the incremented indices per participant only come into play if a tx was found ... if that is the case it's easy ... because the info is in the tx
libera.monerologs.net/monero-researc…

English
5
7
42
8.7K
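The spirobel/tevador exchange in the quoted MRL log is easiest to judge against a concrete model, so here is one. It is a constructed illustration added to this page, not Monero code, not Jamtis and not a prototype by either participant: an 8-byte `tag` field stands in for the dummy payment ID, a toy Diffie-Hellman group modulo 2^127-1 stands in for ECDH on Monero's curve (insecure, for illustration only), and `Receiver`, `Sender`, `simulate`, `linked_clusters` and the seed bytes are names and values chosen here. It models three claims from the log: that a static tag lets any chain observer cluster the receiver's outputs (tevador's "pid, pid" objection), that a tag ratcheted through an ECDH-encrypted "next tag" leaves no repeats for the observer while a wallet restored from the seed alone still finds every payment with one cheap lookup per transaction and ECDH work only on its own, and that a sender who loses state (tevador's caveat about repeated view tags) reintroduces a repeated tag.

```python
"""Constructed toy model of the tag-based scan-reduction idea from the MRL log.

Not Monero's protocol, not Jamtis, not anyone's prototype.  The DH parameters
are a stand-in for ECDH and are insecure by design.
"""
import hashlib
import hmac
import secrets
from collections import Counter

P = 2**127 - 1   # toy Diffie-Hellman modulus (a Mersenne prime); illustration only
G = 3            # toy generator
TAG_LEN = 8      # bytes; stands in for the dummy payment ID field


def kdf(seed: bytes, index: int) -> bytes:
    """Tag for address number `index`, derived from the wallet seed (HMAC-SHA256, truncated)."""
    return hmac.new(seed, b"tag" + index.to_bytes(8, "big"), hashlib.sha256).digest()[:TAG_LEN]


def next_tag_mask(shared: int) -> bytes:
    """Keystream for the encrypted 'next tag', derived from the DH shared secret."""
    return hashlib.sha256(shared.to_bytes(16, "big") + b"next").digest()[:TAG_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Receiver:
    """Wallet owner.  Addresses are stateful: one KDF tag per issued index."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.view_priv = int.from_bytes(hashlib.sha256(seed + b"view").digest(), "big") % (P - 2) + 1
        self.view_pub = pow(G, self.view_priv, P)
        self.issued = 0

    def new_address(self) -> dict:
        idx, self.issued = self.issued, self.issued + 1
        return {"tag": kdf(self.seed, idx), "view_pub": self.view_pub}

    def recover(self, chain: list, lookahead: int = 1000) -> tuple:
        """Restore from seed: a lookahead of KDF tags finds each channel opening,
        then every found tx reveals (encrypted) the tag the sender will use next."""
        known = {kdf(self.seed, i) for i in range(lookahead)}
        mine, ecdh_ops = [], 0
        for tx in chain:                 # chain is in block order
            if tx["tag"] not in known:
                continue                 # cheap set lookup; no ECDH for foreign txs
            shared = pow(tx["R"], self.view_priv, P)
            ecdh_ops += 1
            known.add(xor(tx["enc_next"], next_tag_mask(shared)))
            mine.append(tx)
        return mine, ecdh_ops


class Sender:
    """Payer.  Per recipient it must remember which tag to use next (sender is stateful)."""

    def __init__(self, address: dict, ratchet: bool = True):
        self.view_pub = address["view_pub"]
        self.next_tag = address["tag"]
        self.ratchet = ratchet           # False = reuse the address tag verbatim (the 'pid, pid' case)

    def pay(self, amount: int) -> dict:
        r = secrets.randbelow(P - 2) + 1
        shared = pow(self.view_pub, r, P)
        fresh = secrets.token_bytes(TAG_LEN)
        tx = {"R": pow(G, r, P), "tag": self.next_tag,
              "enc_next": xor(fresh, next_tag_mask(shared)), "amount": amount}
        if self.ratchet:
            self.next_tag = fresh        # the receiver learns this by decrypting enc_next
        return tx


def noise_tx() -> dict:
    """Unrelated transaction by other users: random-looking tag and ciphertext."""
    return {"R": pow(G, secrets.randbelow(P - 2) + 1, P), "tag": secrets.token_bytes(TAG_LEN),
            "enc_next": secrets.token_bytes(TAG_LEN), "amount": 0}


def linked_clusters(chain: list) -> int:
    """Observer heuristic from the log: a tag that repeats links its outputs to one owner."""
    return sum(1 for n in Counter(tx["tag"] for tx in chain).values() if n > 1)


def simulate(ratchet: bool, payments: int = 3, noise: int = 48, forget_after: int = None) -> dict:
    """Bury `payments` txs from one sender in noise, then restore a wallet from the seed alone.
    `forget_after=k` recreates the sender before payment k, modelling lost sender state."""
    seed = b"constructed-seed-not-a-real-wallet"
    address = Receiver(seed).new_address()
    bob = Sender(address, ratchet)
    chain = []
    for i in range(payments):
        if forget_after is not None and i == forget_after:
            bob = Sender(address, ratchet)           # state lost: starts from the address tag again
        chain += [noise_tx() for _ in range(noise // payments)]
        chain.append(bob.pay(10 * (i + 1)))
    mine, ecdh_ops = Receiver(seed).recover(chain)   # fresh wallet restored from seed only
    return {"chain_len": len(chain), "found": len(mine), "received": sum(t["amount"] for t in mine),
            "ecdh_ops": ecdh_ops, "linked_clusters": linked_clusters(chain)}


if __name__ == "__main__":
    for label, kw in [("static tag", {"ratchet": False}), ("ratchet", {"ratchet": True}),
                      ("ratchet, sender forgot state", {"ratchet": True, "forget_after": 2})]:
        print(f"{label:30s} {simulate(**kw)}")
```

`linked_clusters` is only the trivial observer heuristic raised in the log (a tag seen more than once); it says nothing about the other linkage channels a real chain analysis would use. The model also leaves tevador's remaining objections visible rather than resolving them: both parties carry state, the receiver still needs a lookahead of precomputed tags to catch each channel opening, and one forgotten counter on the sender side is enough to put a repeat back on chain.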
spirobel
spirobel@spirobel·
yes the guy with blog posts & non peer reviewed preprint papers full of em-double dashes with subtitles like "1.2 The Tyranny of the Accumulator Update Equations" He is making the claim that he will build "a private digital payment network that scales to billions". There are still zero TPS benchmarks for Tachyon and there is no credible evidence that they will do any better than the failed Project Mina. It also made outrageous claims that it can scale to infinity.
English
1
0
1
67
spirobel
spirobel@spirobel·
there is none. the payment protocol is out of band and interactive. To spend the funds an "oblivious syncing service" has to keep a proof constantly updated. At the end of this not entirely em-double dash free effort post by sean bowe he wrote this: "We’ll have to find the best trade-off that creates a good experience for wallets without socializing the costs of secret distribution (and wallet backup and restore) via the blockchain." as things stand currently, they have not figured out how exactly the recovery should work, and they think that being able to recover your funds from seed phrase and blockchain is communism.
English
1
0
2
58
Tokita Ohma
Tokita Ohma@thetigersvessel·
@spirobel @vvvdft88435 How is fund (output) recovery supposed to work after Tachyon? If the seed phrase in isolation is insufficient to restore access outputs, what will be required for ZEC after Tachyon?
English
1
0
2
82
spirobel
spirobel@spirobel·
@TheMaximus73 "or get ripped apart by quantum" 🤣🤣🤣 blocked for being sub room temperature iq
English
0
0
1
27
spirobel
spirobel@spirobel·
when baal and moloch paint a chart together 🤣 oh what terrible opportunity I have missed out on. Amazing chance to buy Jeffrey's rapist bags from 2018. Zoggers just can not comprehend that there are other reasons to care about something than to make a buck. Don't get me wrong, I think monero will do well. It is just better to build something with people that are not obsessed with money at all costs. Because the downward reflexivity is brutal when everyone is just there for number go up. As soon as there is a spark of doubt, it can all unravel. That is why zoggers just can not stop shitting up my replies with price talk. (they have to distract from the fact that I am right about everything and as soon as enough people realize that, their house of cards will collapse) I honestly want to avoid that, as their goofy pseudo science cult does a lot of free PR for the privacy narrative.
English
0
0
2
78
spirobel
spirobel@spirobel·
@te_mpe_st sure we can put it on the agenda. tbh the discussion in the MRL channel is always ongoing, there is already some conversation about it there. If there are questions or suggestions I recommend engaging there.
English
0
0
3
180
te.mpe.st
te.mpe.st@te_mpe_st·
@spirobel Will we get to talk about this in the next MRL?
English
1
0
2
201
spirobel
spirobel@spirobel·
@TheMaximus73 @zkDragon it is just a repetition of the mina talking points. no amount of zk recursive fairy dust is going to get you around the fact that there is a sequential part
English
0
0
1
71
spirobel
spirobel@spirobel·
@zkDragon this ai drivel is not going to convince me to take you seriously
English
0
0
4
114
Dev 🧪
Dev 🧪@zkDragon·
@spirobel
> Amdahl's law
> Sequential bottleneck cited: CPU verification time of SNARKs
> Recursion solves verification time of SNARKs
As seen in every zkVM/L2. Each transaction already works like this, only one fast ZKP/block.
English
2
0
3
175
spirobel
spirobel@spirobel·
@EthosVentures lol, that people give people like you money to manage. You fall for a pseudo science show where the chubby kid asks the skinny one to calculate something on the iphone calculator.
English
0
0
3
193
spirobel
spirobel@spirobel·
Tell me you don't understand Amdahl's law without saying you don't understand Amdahl's law. People like you just piss me off. You have no proof that you will do better than Project Mina. And yet you go around doing your little pseudo science show. It is ridiculous that this delusion can just live on even as other projects failed at trying to do the same thing.
English
1
0
5
255
Dev 🧪
Dev 🧪@zkDragon·
@spirobel Tell me you don't understand recursion without saying you don't understand recursion
English
2
2
37
980
chaser
chaser@chaserxy·
@themerit0crat @spirobel in my experience, laymen have a hard time understanding the concept of digital signatures, and this confusion extends to multisig too. how about this? "the money is in a multi-lock chest that has three key holes. it needs at least two keys to be opened."
English
2
0
2
100
spirobel
spirobel@spirobel·
interesting substack article ... seems like we need better messaging and a better word for "escrow", because lawyers have scared businesses about this term. To some degree I get it: without cryptography an escrow business has to be highly regulated, because the arbitrator has control of the asset and could just run away. The issue is: how do we convey to people that we can solve this issue in a more elegant way, that makes the laws and the initial game theory (arbitrator can just take the chips and run) not apply?
The Meritocrat@themerit0crat

A major breakthrough for Monero multisig escrows: @spirobel just integrated Serai-powered multisig! It improves multisig UX thus eliminating the current choice traders face today: either risky but easy direct trades or clunky multistep escrows with repeated logins/sync or manual CLI steps (as described here: themeritocrat.substack.com/p/why-monero-c…). As someone mediating daily on XmrBazaar, this is a true game changer! Future of Monero P2P trade just got a lot brighter💖 Read & help test: monerochan.news/article/19

English
2
4
15
1.1K
spirobel
spirobel@spirobel·
I don't see how this would make any difference. What worse position to be in than having SBF on your cap table? Especially for such a supposedly idealistic project it is embarrassing. Why even have a cap table if it is such an "idealistic" project? Their tech docs are mixed with calls to read books by this cia connected terror group PKK during the "mandatory initial stage". Man wtf, this is all just too crazy for me to spend more time on. The question is if this PKK nonsense or having to learn python will fry your brain more during the "Mandatory Initial Stage" cult initiation ritual.
English
1
0
1
91
xenu
xenu@xenumonero·
@spirobel Gee thanks for explaining that my sarcastic "donation" statement is different than "investment".
English
1
0
0
81
xenu
xenu@xenumonero·
Darkfi is larp asshole nonsense. It has been years and they still don't want to admit they are going to premine the fuck out of their token distribution.
English
8
0
47
2.7K
spirobel
spirobel@spirobel·
there is no doubt both of these alts were him. He was so agitated at this point. And nobody gets that agitated about random YPG PKK stuff. (normal people don't even know what that is. While he apparently handed out propaganda material for these groups at conferences, even after years passed since his "adventure".) He also later claimed this: (we never had interactions outside of me talking to this "bitcoinisbackbaby" sock puppet)
English
0
0
1
44