Our new privacy protocol and what should we call it?

Before going into the rest of the post, as there is some ambiguity between what to call our different versions of Lelantus I would be referring it as follows to avoid confusion:

Lelantus v1: As currently implemented in FIRO. Only change amounts hidden. No separate private address.

Lelantus v2: The original protocol we were planning to deploy after Lelantus v1 and described in our preprint. Has its own private addressing system, all amounts hidden. No stealth addressing. Lelantus v2 hasn’t actually been named officially.

New Privacy Protocol (NPP): The new protocol that we have been researching below whose name we are still trying to decide. This is a placeholder reference.

As per my previous research update we’ve been hard at work on a new privacy protocol that supports stealth addressing. The reason for this research is that while Lelantus v2 has very nice properties like high anon sets and good performance it has a few drawbacks:

  • No stealth addressing. Meaning for ideal privacy, users need to keep generating new addresses. If new addresses aren’t generated, third parties can know that the address received something but not how much or where it came from or when it spends from it. This is however an important piece of metadata which can be a problem with recurring payments. RAP addresses only work on the transparent layer which is what Lelantus v1 uses.
  • No multisig (might be possible to work one out but we haven’t put work into it).
  • Balance proof security is difficult to prove formally. While we have found no obvious way to exploit it, it is quite challenging to formally prove it. The existing security proof does not conclusively prove its security and while there are alternate ways to prove it, it still doesn’t address all concerns.

As such, I had tasked our research team to work on addressing these concerns. Aram has come up with quite a clever solution which we hope solves this while Aaron has been doing security analysis on it. The building blocks of it have been worked out and are in the process of writing the paper and security proofs for it. Note this is very much a work in progress and things may be subject to change. However, the purpose of this thread is we need a new name for it.

What this new protocol does (if we are right) on top of all the goodness that is Lelantus v2:

  • Supports stealth addressing meaning you don’t have to generate new addresses when sharing your address.
  • Simplified balance proof meaning we have greater security and confidence that the balance proof is sound.
  • Supports multi-sig
  • Supports view keys both incoming and outgoing. This means you can optionally reveal to your auditor or useful for donations where you can view amounts that come in or go out. This is important as we move to mandatory privacy.
  • Would have faster verification and proving performance than Triptych for large anonymity sets though Triptych can be modified to get similar speedups at the cost of size.

The above is what we think the protocol can achieve but the security needs to be tested and formally proven to ensure everything holds.

The new scheme uses almost a completely different structure than Lelantus but still uses a modified Groth-Bootle (one-out-of-many) proofs to prove membership. How NPP differs from Lelantus v2:

  • Uses a modified address format
  • Separates output keys from value commitments (sort of like how Triptych/RingCT do it)
  • Uses a parallel modification to Groth/Bootle for membership proof (and a related requirement for value commitment offsets)
  • Uses a modified Chaum-Pedersen proof to show linking tag validity
  • Uses RingCT-style balance assertion via value commitment offsets

It does sacrifice some performance compared to Lelantus v2 but we believe that having a complete stealth addressing system offers more practical privacy and a better balance proof for security.

NPP is also nice in that if there’s a more efficient proof besides Groth/Bootle, it can be replaced.

The coding work for moving to Lelantus v2 vs NPP we estimate to be about equal however the paper does need to be published and re-audited but on a development standpoint doesn’t delay things too much. If our research goes well and we should have a better idea by August-ish, I would be minded to skip Lelantus v2 and just go for NPP.

But what should we call it? Aram is of the opinion we should retain the Lelantus branding and call it either v2 or v3 despite it being pretty different so as to cement the Lelantus/Firo branding.

I am of the opinion that we should call it something different (maybe some variant of Aura) to reflect that it’s a significantly different scheme that shares only minimal shared plumbing with Lelantus v2 though it can be described as ‘spiritually’ the same in its use of trustless Groth-Bootle proofs and the way it approaches anonymity sets. I think we shouldn’t downplay how different these schemes are.

This poll is just as a sentiment check and to see if we can find good solutions.

  • Lelantus v2 or v3
  • Aura or some variant (as per our roadmap)
  • Something else (please state)

0 voters

Ideally the name is easy to say, good for SEO (for e.g. Aura is not good for SEO just like how Halo, Halo 2 keeps leading to the game) and yet sounds cool.

4 Likes

Some ELI5 on terms:

Balance proof: When hiding amounts you need to prove that the inputs are equal to the outputs, meaning the amount sent is the amount received.

Range proof: Together with the balance proof you need to prove that the amounts are not negative or infinity.

Together, the balance and range proofs, prove without revealing amounts that no coins are being created out of thin air.

2 Likes

Btw Aaron and Diego think we should call it Burrito :wink:

“Because all the goodness is wrapped up in a privacy tortilla layer”
“An outside observer cannot see what kind of burrito it is. Only the one eating can know.”

1 Like

Why not Prometheus the god of fire?
Aura is sad character for Firo imo.

"AURA was the Titan-goddess of the breeze and the fresh, cool air of early morning. She was a virgin-huntress who was excessively proud of her maidenhood. In her hubris she dared compare her body with that of the goddess Artemis, claiming the goddess was too womanly in form to be a true virgin. Artemis sought out Nemesis (Retribution) to avenge her and as punishment Aura was violated by the god Dionysos. The crime drove her mad and in her fury she became a ruthless, slayer of men. When her twin sons were born, Aura swallowed one whole, but the second was snatched safely away by Artemis. Zeus then transformed Aura into a stream–or perhaps breeze “aura”.

Below is the story of Prometheus…

PROMETHEUS was the Titan god of forethought and crafty counsel who was given the task of moulding mankind out of clay. His attempts to better the lives of his creation brought him into conflict with Zeus. Firstly he tricked the gods out of the best portion of the sacrificial feast, acquiring the meat for the feasting of man. Then, when Zeus withheld fire, he stole it from heaven and delivered it to mortal kind hidden inside a fennel-stalk. As punishment for these rebellious acts, Zeus ordered the creation of Pandora (the first woman) as a means to deliver misfortune into the house of man, or as a way to cheat mankind of the company of the good spirits. Prometheus meanwhile, was arrested and bound to a stake on Mount Kaukasos (Caucasus) where an eagle was set to feed upon his ever-regenerating liver (or, some say, heart). Generations later the great hero Herakles (Heracles) came along and released the old Titan from his torture.
Prometheus was loosely identified in cult and myth with the fire-god.

3 Likes

I like the idea of associating it with fire! But Prometheus is quite a common name even in software.

How about Eleutheria?

Firotheus Protocol?

Alternatively Firebird

The Firebird In Context

Although the main character of many tales about the firebird is a young prince, the tales themselves also offer an appealing message to more common people. In some tales, the firebird steals from the rich—as with the golden apples from the tsar’s garden—and gives those riches to the peasants. The firebird is also believed to drop pearls from its beak when passing over peasant villages, to give the poor something to trade for food and other necessities. In this way, the firebird is a folk hero for the Russian people.

Thank you for the great work. I agree Aram’s opinion that we should retain the Lelantus branding.

We may think of a new name for the proposed privacy protocal this time, what if, sometime in the future, a better privacy protocal will be inplementated in Firo? Do we need another name?

Lelantus has been reported by many media and been known by ordinary users like me. If a new name of the pravacy protocal is used, people will spend some time knowing and learning it. We know that widely used products like Windows OS, Apple electronics never change the brand name.

So instead bothering with a new name, I personally look forward to seeing Lelantus Vn (the nth version) become a standard protocal in privacy coins.

3 Likes

I choose Aura, however if there is another option, i would like to choose

X-Priv (Extremely High Privacy) Protocol

or

T-HSec (Tremendous High Security) Protocol

Or we can keep Lelantus.

With that it can become

Lelantus-XPriv
or
Lelantus-THSec

1 Like

Zerocoin was used for three years, Sigma a year and a half. If you ask people which one of the two they have heard of most, will answer zerocoin: demonstrating that the longer a name is used, the more it familiar it is to the public (despite its flaws). And from my observation, quite a number of people couldn’t recall Sigma.

Compared to the above two, Lelantus is just seven months old. Even if we were to adopt the new privacy protocol in the next year, the name Lelantus barely lived as long as Sigma did. There is also an image hit: most would be suspicious of a project that keeps changing its privacy protocol and name, despite massive changes under the hood.

I very much prefer to retain Lelantus.

5 Likes

I have another name: Lelantus Pro+

1 Like

Maybe Lelantus ++ is an option.

2 Likes

When I think of a privacy protocol with different name: I will think it as a protocol that performs completely different function. For a lay person like me, when I see the Aura whitepaper, I thought the protocol is used for voting only. But on the website roadmap, Aura is another core privacy protocol that Firo uses.

Take Microsoft for example, they named their OS Windows X, they named their office products as Microsoft office, and programming environment Microsoft Visual Studio.

1 Like

The more Lelantus is used in future articles with Firo, the better it will be for the brand I think for searchability and recognition. Anwar has a point that since Sigma was short lived, that people didn’t notice it as much as zerocoin that had more time.

3 Likes

Please not Firotheus (too similar to Ferocious with a lisp)

Securitas :grinning_face_with_smiling_eyes:

In Roman mythology, Securitas was the goddess of security and stability, especially the security of the Roman Empire.

1 Like

I think ‘Aura’ is the way to go.
I would agree that ‘Lelantus’ fits better with the fundamentals, describes it more precisely, however I’d be willing to bet that 99% of the people have never heard of the word before in their life.
So while ‘Lelantus’ describes it better, I think ‘Aura’ generally fits better as people usually associate it with protection, shields & such.

2 Likes

how about Chicane? it can mean to trick or hide like Stealth

Agree to maintain Lelantus name with added suffix

We have been building the lelantus name for quite a while even before the rebrand. Now Firo has already established itself to the Lelantus tech.

3 Likes