Luke Parker
@kayabaNerve
Followers
3,037
Following
188
Media
35
Statuses
4,447
Lead Developer of @SeraiDEX . Tweets rants about cryptography and cryptocurrency 🔥 Also on @kayaba @infosec .exchange.
USA
Joined October 2017
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Oasis
• 579387 Tweets
Switch
• 284841 Tweets
Shadow
• 207685 Tweets
#SonicMovie3
• 172467 Tweets
ニンダイ
• 131029 Tweets
#GMMTVLiveHouse
• 74725 Tweets
#西園寺さんは家事をしない
• 61195 Tweets
Mikel Merino
• 47433 Tweets
Sancho
• 44726 Tweets
アトリエ
• 40270 Tweets
Sterling
• 38541 Tweets
グレイセス
• 38153 Tweets
Toney
• 33723 Tweets
テイルズ
• 28174 Tweets
ときメモ
• 24272 Tweets
ときメモ
• 24272 Tweets
#NintendoDirect
• 23245 Tweets
幻想水滸伝
• 18121 Tweets
Pizza Tower
• 15010 Tweets
ピザタワー
• 14655 Tweets
軌跡シリーズ
• 11971 Tweets
コーヒートーク
• 11967 Tweets
ルンファク
• 11478 Tweets
Keith Lee
• 10218 Tweets
Pinned Tweet
I'm happy to finally announce my own work, Serai!
Announcing Serai: A new decentralized exchange for Bitcoin, Ethereum, and Monero.
Join us on Discord to participate in building the most usable decentralized and secure exchange!
24
41
205
16
24
166
Deanonymization of the Dero Network
TL;DR An insecure message encryption protocol enables breaking message, amount, receiver, and sender (on wallets with a recent patch) privacy, even if the sender doesn't explicitly specify a message.
43
94
331
My CCS to develop FCMP++s (Full-chain Membership Proofs for the current RingCT protocol) was merged! :D
I'm very hopeful the corollary CCS for the various audits also gets merged soon.
25
28
201
My talk, announcing my work on full chain membership proofs for
#Monero
$XMR, is live!
Just skip about ten minutes in.
18
41
182
I don't like posts that go
"Here's 10 reasons why MYBAGS is going to revolutionize cryptocurrency and also solve world hunger"
Even when there's something interesting happen, I don't like the exaggerated language.
I'm also wondering if we're in a Monero Renaissance.
10
23
165
crowdstrike has done more to reduce windows desktop usage than a decade of Linux evangelists
15
16
150
Just did the first $ZEC atomic swaps! "But that's a BTC fork! It had P2SH atomic swaps performed years ago!" But these were shielded 👀
Shielded ZEC can now be swapped against BTC, appearing as a standard send in the process. The counterparty does not know where the funds move.
7
26
105
I tweeted about how this doesn't make sense earlier ('Protonmail is a shit protocol' by this argument), but I have to ask why the disrespect, especially from Proton of all orgs?
Is being insulting for clout sufficiently worthwhile? Do they not have legitimate arguments?
14
7
111
The Research CCS was also funded! There is now a 2000 XMR earmarked fund for the academic review and audits necessary!
Hopefully will be put to good use soon :)
This was funded almost immediately!
Thank you to whoever donated! I personally appreciate it and will do my best to fulfill this properly, enabling removing rings once and for all.
Now it's just the Research CCS, which was merged a few minutes later 👀
5
3
95
7
12
112
@kklas_
@bigz_Pubkey
Publicly announce it and how the programs broke their offered terms. Name and shame so no one bothers with them either.
You'll also further boost your reputation via a proper write up.
1
0
97
You can't even create shielded transactions under $ZEC without using a brand new, incompatible, copyleft license seemingly designed to route developers to a corporate license (beyond being copyleft in general). I'm really just done with this bullshit centralization.
11
12
87
This was funded almost immediately!
Thank you to whoever donated! I personally appreciate it and will do my best to fulfill this properly, enabling removing rings once and for all.
Now it's just the Research CCS, which was merged a few minutes later 👀
5
3
95
Congrats to
@techleaks24
for being the first account I've ever blocked!
It has been a several year streak yet finally someone has been such an absolute waste of time I gave up.
I tried to explain, tried to correct, tried to prove, but it's truly clear they're a bad actor.
@techleaks24
I couldn't get amount/receiver out of a Monero transaction, nor sender address as I did.
I'm just going to block you at this point.
You've:
- Scammed me
- Misunderstood basic concepts
- Ignored things challenging your narrative
- Harassed me
And enough has to be enough.
6
3
39
10
5
89
I listened to a space on privacy technology for roughly an hour today, and not once did I hear the term "zero-knowledge".
Privacy technology isn't about your feelings, it's about your math. Discussions on privacy must have a formal background.
7
6
90
oh cool it's me 👀
New Bugfix Review! 👾 ✨
On August 20th, 2023 Top 50 Whitehat Kayaba reported a vulnerability which was fixed by
@TheTNetwork
, and was rewarded with a $50,000 bounty!
Read the breakdown here:
1
5
42
9
3
86
New clarification of the day:
Dero payload encryption has been broken for years. With it, payload (which I called message)/receiver/amount privacy for all TXs (years worth, at the least).
The payload was meant to include the sender. As a bug, it specified the receiver.
5
9
84
Wishing a happy birthday to Monero! I'm very hopeful for what's in the next year to come :)
2
9
82
Shout out to calling me a slimeball before being the one to scam *me*.
I've argued with them before yet it's a shame they may not have a single honest bone in their body.
Anyways, they conceded I can deanon TXs so... That's something?
I repeat, I will give Palantir sponsored slimeball
@kayabaNerve
10000 $DERO (𝐭𝐞𝐧 𝐭𝐡𝐨𝐮𝐬𝐚𝐧𝐝 $DERO) if he can deanonymize a single transaction ID I give him.
If what he wrote is true then it should be easy for him to win the bounty.
3
0
3
7
8
81
My third Monerokon talk is live!
This is one is on how, within a trustless environment, we can add private smart contracts to Monero.
Auditable to participants, completely private to external observers, enabling turing-complete L2s (and scaling)!
Luke
@kayabaNerve
Parker - Private Smart Contracts: A Way to Bring Programmability to
#Monero
#MoneroKon2024
2
6
34
9
8
80
All in all, I'm incredibly excited ^_^
Still wondering if I can consider it a Monero renaissance 🤔 At least a RingCT renaissance.
Here's hoping it continues well :D
8
2
81
I had the privilege of recording Episode 1 of Breaking Dero with
@JEhrenhofer
, going over the recent vulnerability!
We'll see if this becomes a series 😅
6
7
79
"Bitcoin is also a digital protocol for money on the internet, and with protocols, it’s almost always winner-takes-all. ... and we all use SMTP to send emails."
Why is a company initially premised on an alt mail protocol adding encryption saying this?
5
5
78
It has been 7 days.
is a 428 line PoC in Rust.
It's quite slow and literally grabs TXs off the block explorer.
It works as a PoC yet would need to be rewritten to deanonymize at scale.
I release it to provide full transparency and clarity on the issue.
Deanonymization of the Dero Network
TL;DR An insecure message encryption protocol enables breaking message, amount, receiver, and sender (on wallets with a recent patch) privacy, even if the sender doesn't explicitly specify a message.
43
94
331
9
17
78
monero-serai now supports no-std builds!
What does that mean?
- No networking
- No file I/O
- No logging
- No background tasks creeping up on you
Perfect for hardened Monero use cases. Hardware wallets, always encrypted apps...
And perfectly memory safe. Offered by
@SeraiDEX
.
3
9
74
In the future, I'd say please don't use Dero as a secure messenger/private cryptocurrency without proper formalization and peer review. Anyone who did just lost their privacy today, not 'ten years from now' :/
3
9
75
For anyone newly following me,
@SeraiDEX
is my work on a cross-chain DEX for Bitcoin, Ethereum, and Monero.
Discord is
9
10
71
The level of fucking entitlement here. Monero developers wrote a patch to limit large file uploads which had universal agreeance on it in the development meeting. We have no obligation to ping anyone. If you want to be involved, show up to the meeting.
10/ And please, next time ping me before making any more changes, for the love of God. I'm happy to provide extensive feedback on the proposal and possible workarounds so that you can determine if it's worth it.
5
0
2
4
8
67
I've done my best to clarify and explain things to a variety of people recently, and ffs, is it frustrating.
I literally state why certain things fundamentally aren't true, what's actually true, and the impacts of that, just get to told something false is true and I'm wrong.
17
1
64
I forgot to tweet about my talks yesterday, but I'm going on @ Monerokon in ~10 minutes to discuss Private Smart Contracts!
3
9
65
By finding a new elliptic curve, implementing two elliptic curves and a modified Bulletproofs, having research done on prior postulated methods, and with just several thousand lines of Rust code, DKGs are trivial and end up as just 64 lines of Rust code:
2
4
64
@TheDesertLynx
I am legitimately hopeful more people, including the Dero developers, start formalizing their protocols and looking for protocols with peer review. With that, until Dero is peer reviewed, I'd hope for less fervent promotion of it.
4
3
63
My CCS for retroactive funding of the research and development I've already done on FCMPs for Monero was funded!
Before I could even tweet fundraising had opened 😅
2
2
61
I actually did manage to posit the forward secret design 😅 It's amazing what just a few days can do.
Full Chain Membership Proofs w/
@kayabaNerve
, Full-chain membership proofs, Monezon, Milei, XMR to charities & more!
👀Full Epi
#160
➡️
Sponsors🙏
🎢
@cakewallet
@monerocom
🎢
@localmoneroco
1
8
29
3
10
61
FYI to y'all, I am at ETH Denver if anyone wants to discuss
@SeraiDEX
or Monero.
Or threshold ECDSA, or trustless SNARKs, or...
2
12
60
Couple of notes.
1) I'm not releasing the full PoC today so hopefully people don't have their data viewed by others for another day. Still 6d.
2) Scope is being misinterpreted. RTFM and understand the theory before you try to restate effects. All (AFAIK) lost receiver/amount/msg
1
5
58
I paid for drinks with
#Monero
at Monerokon! It was great!
I also had bad sender privacy. That's less great.
Here's why.
Before Monerokon, I split my large output into a bunch of small ones. This has recently been called "pocket change".
3
6
56
My final report of 2023 granted me my retroactive Elite status! (prior qualifiers didn't automatically get it once the status was announced)
I plan to make a yearly review of 2023 once everything is eligible for disclosure. Still a bit until then...
Some people are OG... but most people are not
@kayabaNerve
Because most people don't make $690,000 in just 8 reports total. He is both OG and a whitehat G-O-D.
(did we mention he's a full-time dev as well?)
Congrats again Kayaba! 👾✨
1
8
82
7
3
55
I don't want to take donations directly, but if this is the current environment it almost feels like I could independently raise the requested amount to impl + audit FCMPs 0_o
6
2
54
This has a near-complete lack of info on how they'll actually achieve transparency (no, saying reserve proofs exist isn't sufficient) and how they'll actually create a security custody environment for the Monero.
I'd stay away.
#Monero
: We are thrilled to introduce the XMRT project: A wrapped version of Monero, which will be available on a dozen chains thanks to
@LayerZero_Labs
A thread 🧵
Whitepaper :
21
53
154
4
2
50
And finally, my fourth talk of Monerokon was published on
@SeraiDEX
!
That's all of them!
1
4
18
5
3
49
Additionally, thanks to
@justinberman95
for their help on optimizing, and agreeance to help carry this forward.
Also,
@firoorg
, who wants to collaborate on this and ensure the cryptography, theory, and security is in line.
2
6
48
The next few months, I'll be pushing for this to be deployed with Seraphis, finally removing rings. We'll have a clear path ahead, and I'm already talking with cryptographers to help with review.
1
0
44
Happy to see a distinct affected project (who informed me of their status) confirm and warn their users in order to promote informed choices around privacy.
This impacts their extra data and transfer amount privacy for TXs with extra data (which is a subset).
Thanks to
@kayabaNerve
for its finding.
We are also partially impacted by this issue as in our case, the extra data is optional and only set at this moment by integrated addresses from exchanges and/or services.
Encrypted amount can be brute forced
2
5
21
0
4
46
@techleaks24
5512000 atomic units, 55.12 DERO. Message is literally ''.
It's not empty. It's two single quotes.
Wallet without patch, I have the receiver as a hex key. That enough?
3
4
45
Just performed the first
#monero
atomic swap! This marks an exciting moment for not only Monero, but also Meros and Nano thanks to the proof it offers about asmr's expandability. Very excited to be able to push this!
2
5
44
Overslash. A single exploit capable of draining
@THORChain
's vaults for over 200 million USD in $RUNE. With a long history of being exploited for millions, and several criticals still having been found afterwards,
@THORChain
was up again.
2
9
41
The first of my talks is live! Anyone curious on how FCMPs have evolved from last year into the modern FCMP++ proposal (IMO, superseding the Seraphis one-time-key/linking tag redefinition) should watch :)
1
9
42
It boils down to ElGamal commitments only being secure so long as the shared key is only known to the persons encrypting/decrypting.
Since Dero reused this shared key for messages, you can keep trying commitments until you find the one which decrypts the message (the shared key)
1
3
43
This does require brute forcing the amount, yet amount brute forcing is feasible for computers. It's private key brute forcing which isn't.
This affects all TXs AFAIK. Sender privacy is only broken for wallets which have a patch from 6 months ago.
1
3
41
woodser not personally running the Haveno network is a good thing, actually.
2
1
42
Happy new year!
3-round (2-preproccessable) threshold ECDSA signing with O(n) complexity (with identifiable aborts, without trusted setup nor a setup requiring generating additive shares of a prime number).
A thread.
4
2
40
I have too much going on.
- Pending write-ups/disclosures
- Launching the
@SeraiDEX
testnet
- FCMPs
- tECDSA
- Looking at a new project at the ETH Denver hackathon
Legitimately wondering if I need to hire a full time dev to cowork, which sounds ridiculous yet may be optimal.
5
0
41
I posted the written up proposal Full Chain Membership Proofs over RingCT on March 30th. Just over a month ago. It'd be notably slower than a Seraphis version and not forward secret. That means a Quantum Computer could break sender privacy, something considered inherent to RingCT
1
1
41
That still needs to be discussed with the community at larger. I'm unsure it'll make the cut.
But with all the flurry of development and how much better it keeps getting, I'm incredibly excited ^_^
Just waiting for something to come back and bite me...
1
0
41
@patoshio
@DouglasTuman
@TheDesertLynx
@THORChain
@Maya_Protocol
@Chainflip
@SeraiDEX
@SamouraiWallet
I'm public and working on
@SeraiDEX
.
I have no concern for developing a DEX.
6
2
41
Another day, another disclosure. This isn't isn't as exciting, as it was only in... unreleased software 😱
But it does provide a comment on the intricacies of working with
#Monero
, along with
@HavenXHV
's ( $XHV ) work on integrating with
@THORChain
.
1
8
38
This means cold wallets don't have to be brought online to calculate key images, multisig is a lot simpler, and you non-interactively audit the balance of public wallets. Really nice UX improvements, with a lot less technical complexity.
1
0
40
@techleaks24
I couldn't get amount/receiver out of a Monero transaction, nor sender address as I did.
I'm just going to block you at this point.
You've:
- Scammed me
- Misunderstood basic concepts
- Ignored things challenging your narrative
- Harassed me
And enough has to be enough.
6
3
39
Friendly reminder,
#Monero
is a political project. It's intended to defend individual liberty and prevent oppression. While it's unfortunate those aspects also enable oppressors in some ways, the Monero community needs to stand together on fighting oppression. Not accepting it.
4
6
37
This is the argument against KYC. In aggregate, it puts hundreds of millions of people at risk of extortion, assault, and identity theft.
Binance users KYC data seems to be on sale on the dark web now
alleged github hack leak
110
182
812
2
6
37
@techleaks24
It's for 9400000 atomic units (94 DERO). The payment ID as a 64-bit int is 1197661182997454304. The RPC payload object only has the destination port, which means it has no human message and ~130 zeroes after it (effectively statistically impossible unless correct).
1
1
37
@Alumn0
Monero and Dero both use rings to hide the sender.
Dero uses ElGamal ciphertexts (additively homomorphic encryption) for hiding amounts. Monero uses Pedersen commitments (perfectly blinding additively homomorphic commitments which can't be decrypted).
3
4
38
I'm a bit surprised I haven't heard more about .
Preprint, without review, yet constant communication complexity per-party regardless of set size.
I'm haven't gotten too far into it yet (wrapping up my Monerokon trip) yet sounds incredibly promising.
1
4
37
For context, JAMTIS was a new address protocol adding privacy and functionality. It was originally intended for RingCT, yet moved to being for Seraphis. Now, a version exists for FCMPs over RingCT. Kinda full circle there 😅
1
0
37
The new JAMTIS works with existing addresses and:
1) Gives them forward secrecy for all future outputs
2) Solves the Janus attack, except when trying to link a main address with subaddresses
2
0
37
Then I noticed this same malleation offers forward secrecy, if we make one of the proofs forward secret (it wasn't already). This made my FCMPs proposal at feature-parity with Seraphis, despite not requiring a migration. It was still slower though.
1
0
36
Development is going well. The proving system we want to use, Generalized Bulletproofs (Generalized Generalized Bulletproofs if you're in the know) was recently proven by the wonderful Aaron Feickert @
@cypher_stack
.
I'm reaching out to ZK auditors regarding components already.
1
0
36
Finally, Liam Eagen for their research, and
@Narodism
for helping me implement Eagen's work by demonstrating a lot of the theory. Later, Eagen's own PoC helped significantly as well.
0
0
33
A week later, on April 5th, I noticed it allowed malleating output keys. Malleation isn't inherently bad!
Key image malleation? Bad. Enables double spends.
Output malleation?
???
So I looked into it.
1
1
35
On April 28th, I asked why not include old CN outputs, made prior to RingCT? They'd be compatible with this scheme, unify all the privacy pools, and make it so there's only one active set of protocol rules
(Right now, we still have logic for migrating TXs active which is a pain)
2
0
34
Turns out, it's fine, and it changed output keys from xG to xG + aT (any xG key simply has a=0). I started wondering the impact of that.
It trivially gives you outgoing view keys. You now need the private keys x, a, to spend, yet only x is needed to calculate the key images.
1
0
35
On April 28th, I also realized the proof will only incur *minor* overhead compared to Seraphis. Most of the performance overhead had been eliminated.
May 1st, moving to Ristretto was proposed (much harder to muck up, faster than what's currently done).
1
0
35
@techleaks24
1) All historical TXs affected.
2) I was literally just thanking you for acknowledging my work and being honest. Unfortunate you're literally a scammer. Oh well.
0
0
34
I posted the initial paper on April 23rd. It got largely final and in a feedback stage on the 27th. I was funded for my work on the 25th, and a earmarked fund for review and audits was funded on the 29th.
Tevador posted JAMTIS for this scheme on the 28th.
1
0
34
Not everything is an IDF FUD campaign (or a FUD campaign at all). Sometimes, things have bugs, people find them, and they get posted. That's life
I just want users to be informed while giving them even a bit of time to prepare. Ive said that before but apparently I need to again
5
2
33
I've been keeping an eye on the recent
#Zcash
$ZEC dev fund discussions, and I do have two observations.
1) Community sentiment, to me at least, seems to be that the ZFND isn't as valuable as ECC or even ZCG. Considering they literally *rewrote zcashd*, that's insane to me.
3
3
33
Are you even a FOSS developer if you don't wear a maid outfit?
We ARE here to serve our communities, no?
1
6
23
The goal isn't to rush and force it through. It's to aggressively parallelize the work, including full review and audits, to minimize bottlenecks. With the proving system proven, we can audit its impl. While that's done, we can audit the circuit. Then, their joining. Etc.
1
0
33
Seth is an idiot who has missed the obvious issue with covenants.
If we can scale Bitcoin, it'll be flooded by people actually using it. Commoners! Everyday men!
Keep Bitcoin for the 1%. Support my proposal to set the block size to 10kB and the fees to $20,000.
So far the only criticism I see is:
1) It could have unintended consequences
2) Exchanges could force you to withdraw to a covenant that encumbers your coins and only allows you to spend at approved places
Figured I would answer both as best I can here, and am starting a
20
21
119
7
3
33
Phone died when I was mid-point on a space 😅
I wanted to say, in comparison to the current Samourai case, Tornado Cash had a much clearer argument for its legality despite the DAO as a complication.
1
3
33
A prior ring of 8 would now be a ring of 4.
I actually kinda do want to set up a full graph de-anon now on the network and report what percent of TXs still have sender privacy, ignoring any statistical analysis heuristics.
Full as in, all TXs. Not full as in all private data.
1
1
30
Extremely happy to hear this. If Zcash is to stand for freedom, its source code should be FOSS (as defined by the OSI, under a recognized license).
Best wishes to Zcash and its future.
Yesterday I posted that one of my near-term priorities at
@ElectricCoinCo
is to "Remove friction and barriers, at ECC and within the community, that impede our ability to iterate quickly."
Today, we are relicensing Zcash Orchard from BOSL to MIT.
25
40
200
2
0
32
I'm not even saying they should be a multi-coin wallet or spend hours listening to everyone ask for their favorite coin.
"We aren't interested in adding any other coins at this time and will not take suggestions."
Curt, but not disrespectful.
1
2
32
I worked on a full codebase, aiming to be productionized, over the past month and a half or so.
A new, clean impl of Bulletproofs+. Curve trees. One of tevador's curve cycles. And a way for Monero to move over and be ready.
1
0
29
I'm very excited for Monero to inevitably have full sender privacy, and will do what I can to make that reality.
3
1
31
As for timeline, initially, it'll just be FCMPs. No forward secrecy, no outgoing view keys, no JAMTIS.
The goal is to keep it and lean and mean so it can be deployed as soon as reasonable.
1
0
30
Literally just found out BTC is not at ~60k yet 73k.
I only found out ETH wasn't at 2800 yet 4000 @ ETH Denver.
I have not been paying attention in the slightest to this bull market 0_o
7
0
31
@techleaks24
I'm not doing a third challenge. I won't sit here all day while you try to rationalize any other solution than me actually being an honest person :/
2
1
30
If you only give out subaddresses right now, as Feather defaults to, you'll automatically gain the new privacy features *without creating and distributing new addresses*, once JAMTIS is live.
1
0
30
@RaddyHimself
This is less my thoughts and more an explicit vulnerability in their messaging protocol (key reuse) that led to a cascade failure.
It does highlight my thoughts of don't use undocumented cryptography without sufficient review.
0
0
29
I think my truest comment on Mordinals is that it's selfish bullshit. Bitcoin, Wownero, and Ethereum all would've been better candidates.
The community should adopt the most recent patch ASAP. When a supermajority of mining adopts it, I'll probably advocate for a soft fork.
3
0
29
Lmao, literally as I was typing this.
This isn't reflective of any group as a whole and is just one bad individual, but it is, IMO, definitive proof they're not engaging in good faith.
Don't be like this person.
8
1
29
I have made it to San Francisco for a few weeks 😎
Honestly really hopeful. I've been trying to decide where to settle down and I've heard great things.
12
1
29
Updated the gist to reflect azylem isn't a developer and to include I apparently did message a member of the 'Dero Foundation' (which I knew of due to DeroFdn/Engram yet had, and have, no idea the role of/actual definition).
Still no contact
Have heard an independent PoC exists
1
4
28
Then May 2nd, I proposed... redefining key images 😱
Theoretically, that'd make a new privacy pool requiring a migration and allow double spends! Right???
Nope. New key images can be calculated from the old ones. We'd be able to keep one global pool, with no migrations.
1
0
29
"ProtonMail is a layer on SMTP, privacy can be a layer on BTC"
ProtonMail doesn't support SMTP. You have to locally run a proxy to expose an SMTP interface. Bitcoin privacy, at the scale other protocols, isn't solved without trust assumptions.
0
1
28
@nikzh
Sorry, am I supposed to be against new features?
I wasn't saying L2s were automatically good nor the future. I was saying some designs become possible, which is a good thing. The ability to do more becomes doing more in a progressive society.
1
0
28