From d185db671fa4cb5133a76d83581b20e0e8815859 Mon Sep 17 00:00:00 2001 From: el00ruobuob Date: Thu, 14 Feb 2019 14:00:11 +0100 Subject: [PATCH] The whole fourty-five missing MRL meeting logs + corrections after testing --- ...Research-Lab-meeting-held-on-2017-10-09.md | 136 ++++++ ...Research-Lab-meeting-held-on-2017-12-18.md | 83 ++++ ...Research-Lab-meeting-held-on-2018-02-26.md | 107 +++++ ...Research-Lab-meeting-held-on-2018-03-05.md | 227 +++++++++ ...Research-Lab-meeting-held-on-2018-03-12.md | 277 +++++++++++ ...Research-Lab-meeting-held-on-2018-03-19.md | 134 ++++++ ...Research-Lab-meeting-held-on-2018-03-26.md | 101 ++++ ...Research-Lab-meeting-held-on-2018-04-02.md | 235 +++++++++ ...Research-Lab-meeting-held-on-2018-04-09.md | 145 ++++++ ...Research-Lab-meeting-held-on-2018-04-16.md | 109 +++++ ...Research-Lab-meeting-held-on-2018-04-30.md | 188 ++++++++ ...Research-Lab-meeting-held-on-2018-05-07.md | 236 +++++++++ ...Research-Lab-meeting-held-on-2018-05-14.md | 162 +++++++ ...Research-Lab-meeting-held-on-2018-05-21.md | 241 ++++++++++ ...Research-Lab-meeting-held-on-2018-05-28.md | 188 ++++++++ ...Research-Lab-meeting-held-on-2018-06-04.md | 226 +++++++++ ...Research-Lab-meeting-held-on-2018-06-11.md | 64 +++ ...Research-Lab-meeting-held-on-2018-06-18.md | 139 ++++++ ...Research-Lab-meeting-held-on-2018-06-25.md | 135 ++++++ ...Research-Lab-meeting-held-on-2018-07-02.md | 201 ++++++++ ...Research-Lab-meeting-held-on-2018-07-09.md | 145 ++++++ ...Research-Lab-meeting-held-on-2018-07-16.md | 205 ++++++++ ...Research-Lab-meeting-held-on-2018-07-23.md | 278 +++++++++++ ...Research-Lab-meeting-held-on-2018-07-30.md | 113 +++++ ...Research-Lab-meeting-held-on-2018-08-20.md | 180 +++++++ ...Research-Lab-meeting-held-on-2018-08-27.md | 200 ++++++++ ...Research-Lab-meeting-held-on-2018-09-17.md | 255 ++++++++++ ...Research-Lab-meeting-held-on-2018-09-24.md | 343 ++++++++++++++ ...Research-Lab-meeting-held-on-2018-10-01.md | 197 ++++++++ ...Research-Lab-meeting-held-on-2018-10-08.md | 446 ++++++++++++++++++ ...Research-Lab-meeting-held-on-2018-10-15.md | 231 +++++++++ ...Research-Lab-meeting-held-on-2018-10-22.md | 202 ++++++++ ...Research-Lab-meeting-held-on-2018-10-29.md | 172 +++++++ ...Research-Lab-meeting-held-on-2018-11-05.md | 126 +++++ ...Research-Lab-meeting-held-on-2018-11-12.md | 220 +++++++++ ...Research-Lab-meeting-held-on-2018-11-19.md | 212 +++++++++ ...Research-Lab-meeting-held-on-2018-11-26.md | 404 ++++++++++++++++ ...Research-Lab-meeting-held-on-2018-12-03.md | 181 +++++++ ...Research-Lab-meeting-held-on-2018-12-10.md | 202 ++++++++ ...Research-Lab-meeting-held-on-2018-12-17.md | 298 ++++++++++++ ...Research-Lab-meeting-held-on-2018-12-31.md | 271 +++++++++++ ...Research-Lab-meeting-held-on-2019-01-07.md | 269 +++++++++++ ...Research-Lab-meeting-held-on-2019-01-14.md | 358 ++++++++++++++ ...Research-Lab-meeting-held-on-2019-01-21.md | 211 +++++++++ ...Research-Lab-meeting-held-on-2019-01-28.md | 311 ++++++++++++ 45 files changed, 9364 insertions(+) create mode 100644 _posts/2017-10-09-logs-for-the-Monero-Research-Lab-meeting-held-on-2017-10-09.md create mode 100644 _posts/2017-12-18-logs-for-the-Monero-Research-Lab-meeting-held-on-2017-12-18.md create mode 100644 _posts/2018-02-26-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-02-26.md create mode 100644 _posts/2018-03-05-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-03-05.md create mode 100644 _posts/2018-03-12-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-03-12.md create mode 100644 _posts/2018-03-19-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-03-19.md create mode 100644 _posts/2018-03-26-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-03-26.md create mode 100644 _posts/2018-04-02-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-04-02.md create mode 100644 _posts/2018-04-09-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-04-09.md create mode 100644 _posts/2018-04-16-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-04-16.md create mode 100644 _posts/2018-04-30-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-04-30.md create mode 100644 _posts/2018-05-07-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-07.md create mode 100644 _posts/2018-05-14-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-14.md create mode 100644 _posts/2018-05-21-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-21.md create mode 100644 _posts/2018-05-28-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-28.md create mode 100644 _posts/2018-06-04-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-06-04.md create mode 100644 _posts/2018-06-11-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-06-11.md create mode 100644 _posts/2018-06-18-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-06-18.md create mode 100644 _posts/2018-06-25-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-06-25.md create mode 100644 _posts/2018-07-02-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-02.md create mode 100644 _posts/2018-07-09-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-09.md create mode 100644 _posts/2018-07-16-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-16.md create mode 100644 _posts/2018-07-23-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-23.md create mode 100644 _posts/2018-07-30-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-30.md create mode 100644 _posts/2018-08-20-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-08-20.md create mode 100644 _posts/2018-08-27-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-08-27.md create mode 100644 _posts/2018-09-17-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-09-17.md create mode 100644 _posts/2018-09-24-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-09-24.md create mode 100644 _posts/2018-10-01-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-01.md create mode 100644 _posts/2018-10-08-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-08.md create mode 100644 _posts/2018-10-15-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-15.md create mode 100644 _posts/2018-10-22-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-22.md create mode 100644 _posts/2018-10-29-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-29.md create mode 100644 _posts/2018-11-05-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-11-05.md create mode 100644 _posts/2018-11-12-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-11-12.md create mode 100644 _posts/2018-11-19-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-11-19.md create mode 100644 _posts/2018-11-26-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-11-26.md create mode 100644 _posts/2018-12-03-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-12-03.md create mode 100644 _posts/2018-12-10-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-12-10.md create mode 100644 _posts/2018-12-17-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-12-17.md create mode 100644 _posts/2018-12-31-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-12-31.md create mode 100644 _posts/2019-01-07-logs-for-the-Monero-Research-Lab-meeting-held-on-2019-01-07.md create mode 100644 _posts/2019-01-14-logs-for-the-Monero-Research-Lab-meeting-held-on-2019-01-14.md create mode 100644 _posts/2019-01-21-logs-for-the-Monero-Research-Lab-meeting-held-on-2019-01-21.md create mode 100644 _posts/2019-01-28-logs-for-the-Monero-Research-Lab-meeting-held-on-2019-01-28.md diff --git a/_posts/2017-10-09-logs-for-the-Monero-Research-Lab-meeting-held-on-2017-10-09.md b/_posts/2017-10-09-logs-for-the-Monero-Research-Lab-meeting-held-on-2017-10-09.md new file mode 100644 index 00000000..39f28138 --- /dev/null +++ b/_posts/2017-10-09-logs-for-the-Monero-Research-Lab-meeting-held-on-2017-10-09.md @@ -0,0 +1,136 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2017-10-09 +summary: Announcements, Round table discussion of projects, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** Okay, everyone, welcome to our first MRL Research meeting! +**\** yay! +**\** Agenda, I guess, will be 1) Greetings, 2) Announcements, 3) Round table discussion of projects, 4) anything else that anyone else can think of +**\** So, greetings! +**\** hello +**\** As far as announcements go, I'll start with the usual: Next week at this time, we'll have office hours, where people can come in and just ask whatever questions they like. Monday 17:00 UTC. Then we'll be alternating Mondays +**\** between research meetings and "office hours" +**\** i can't think of any other announcements... +**\** sarang? anything? +**\** Okay, moving along I guess +**\** For project discussion... +**\** Personally, I've been working on multisig. Sarang and I had some basic security definitions nailed down when he came out to visit. Unfortunately, a paper that mustn't be ignored came out by Boneh and co-authors... +**\** https://eprint.iacr.org/2017/956.pdf +**\** That paper presents a new scheme that is not directly relevant to us (although it may be in the future) but importantly it defines several security models +**\** How lucky it came out at the same time...? +**\** ;) +**\** one of the security definitions Sarang and I came up with is actually a stronger definition than the one in that paper +**\** Of course +**\** so, it seems as if we are on the right track, if someone like Boneh is thinking about similar problems +**\** There are some implementation issues in my description also; the current draft is here: https://www.sharelatex.com/project/5980a44556789660b0600edb +**\** sounds like their paper is applicable both to multisig and the ever-popular trusted setup +**\** Sorry here +**\** hyc tbh i haven't gotten deep into their homomorphic-specific stuff, so i have very little idea. i'm very interested in their security definitions, though +**\** welcome~ +**\** Should we mention ppl like mooo at the beginning of mtgs? +**\** oh good idea +**\** Per multisig +**\** moneromooo knaccc luigi1111 fluffypony anonimal dEBRUYNE +**\** So yes multisig is coming along well +**\** Subaddress paper is done +**\** That was posted as a final draft to the channel for comment +**\** And is ready to go to Reddit etc +**\** yes, Subaddress paper will now be MRL-0006, will be pushed to my github in a bit here and then i'll issue a pull request to the monero-project +**\** send us a link real quick sarang +**\** i'd be happy to have folks read over it one more time +**\** is anyone else doing anything research-y? learn something new? anyone working on a project? +**\** https://github.com/b-g-goodell/research-lab/blob/master/publications/bulletins/in-prog/MRL-9999-subaddy/MRL-9999-subaddresses.pdf +**\** I am updating myself on some aggregator constructions +**\** And based on the Green tweet, I'd like us to do an analysis of our use of PRNGs +**\** I have nothing crypto-related to offer. been benchmarking DB engines lately. (LMDB still fastest.) +**\** i'd be very interested in hearing from xpto also, since he's working on some LN stuff, and anonimal, since he's dealing with RSA I guess for kovri? knaccc is probably catching up in his RL from spending weeks programming RuffCT/StringCT/RTRS RIngCT +**\** hyc can you link me a primer for LMDB? i know precisely zero +**\** https://symas.com/lmdb/technical/#pubs +**\** nice thanks +**\** i've been curious if there's a simpler implementation of i2p possible +**\** and i'm just wondering (blindly) about revocable view keys +**\** i am excited to start thinking about those more deeply. multisig is... +**\** ah, the notion of time-limited/expiring view keys sounds like a good idea +**\** Sorry, I was out. +**\** yes +**\** no problem mooo, i didn't ping anyone before we started (my bad, first time here yuk yuk) +**\** hyc: i've heard some downsides to proposals of time-expiring view keys +**\** multisig is more delicate than i thought. thing is, i'm pretty sure that our current implementation is safe enough to roll with (pending sarang's agreement, maybe). problems abound, though +**\** nm90 had some concrete ideas on it +**\** problems? +**\** the problems aren't huge. it's like "well, if an adversary uses a side channel attack and listens in on this computation here, the adversary may be able to determine whether a certain key is a shared key or not, so these here should be communicated with encryption" and so on and so forth. since the security of keys in that way is far less important than being unable to go backwards and determine the +**\** participating private keys, stuff like this isn't a huge deal +**\** little... details. that keep building up. +**\** so, i'm going to take a day or two off of it and work on other things, to reset my brain. it's been a few days of just multisig. Pending sarang's agreement on the multisig code being "safe enough," multisig can be put to work before the MRL-0007 paper is put out, though. Two reasons for this +**\** A lot of it is about assuming things about communication of coalition members +**\** First, even if multisig satisfies weaker security definitions than i would like, we can always push changes to it later. Second, I'm already proposing a slightly different implementation in the paper than we are currently going to see in the code. I'm considering writing an appendix to this paper that compares the current code by moneromooo with my suggested implementation, and attempts to close the gap +**\** between them. +**\** so, anyway, i'll probably take two days off and think about blockchains or specter or difficulty or something +**\** Now what about this PRNG bizniss? +**\** Monero's PRNG is not homebrew, AFAIK it's the canonical construction from the Keccak authors. +**\** ? +**\** Our PRNG should follow whatever the best practice is. I'm not convinced NIST or ISO are the ones who describe the best practices. maybe we should have our own standard for that +**\** I'd like to understand it a bit better +**\** Especially since the issue was raised last year and kinda died away +**\** either way, identifying where the PRNG as-is currently influences stuff that actually hits the blockchain seems to be a no-brainer sort of thing to do anyway +**\** https://www.deepdyve.com/lp/institute-of-electrical-and-electronics-engineers/software-only-extremely-compact-keccak-based-secure-prng-on-arm-cortex-QsZRJs71MZ +**\** I also want to vet this spectre paper. I'm suspicious of outlandish claims. +**\** Thanks hyc +**\** also https://keccak.team/files/SpongePRNG.pdf +**\** afaics it's already heavily studied +**\** that's interesting. i'd be very interested to have a conversation with Green +**\** maybe i'll shoot him an e-mail +**\** i also want to meet an economist +**\** ArticMine might be able to help you there surae +**\** for ASIC and POW discussions. i need to learn about the game theoretic dynamics behind commoditizing hardware, decentralization, renting, etc +**\** nice +**\** Okay, so in the next two weeks: progress on multisig expected, i want to vet the spectre paper, sarang is learning about accumulators lacking a trusted set-up, hyc will presumably continue playing with DB engines +**\** ;) +**\** surae will take a short vacation +**\** Oh +**\** ... right?? +**\** Aye +**\** actually, yes, i need sleep and it just snowed for the first time +**\** i need a weekend +**\** hard to separate work and life +**\** Other issues of interest? +**\** oh, and since we are having this public discussion right now +**\** RTRS RingCT: we've concluded that pretty much any improvement in signature verification time will lead to exponentially bigger rings for the same blockchain size. +**\** on the flip side: any increase in verification time will lead to exponentially smaller rings +**\** this is a property of any logarithmically sized ring sig scheme +**\** "lead to bigger" -> "enables using bigger" ? +**\** yeah, for the same blockchain size +**\** ok +**\** since RTRS RIngCT is log-sized and has comparable verification time compared to MLSAG, it's not feasible to implement them unless we can make them faster to verify than MLSAG. If they are as fast or slower, they aren't worth switching to +**\** and i believe vtnerd benchmarked sandy2x and it was freaking fast +**\** faster than MLSAG? +**\** well, sandy2x is just an EC arithmetic implementation +**\** so boht MSLAG and RTRS RingCT would be faster +**\** ok +**\** i believe he got around a 15% improvement in EC arithmetic time, which would lead to around 15% faster verifciation time +**\** which would allow us to have a fixed min ring size of 10! +**\** not 10 factorial +**\** but 10 +**\** we could possibly even get away with a ring size closer to 32 or something like that +**\** so RTRS RingCT is still viable, not dead. good to know +**\** now, knaccc had me contact some folks who did some GPU otpimization for EC +**\** and their code also speeds up CPUs because it's so optimized +**\** for Curve25519 +**\** they are eager to help us try to impement it, though, their emails show a lot of enthusiasm, and I didn't even ask for assistance or anything +**\** so, i'm going to pursue that further in the next two weeks also +**\** excellent +**\** i kind of wanted all that "on the record" so to speak +**\** I can't think of anything else for now. +**\** sarang, anything? +**\** Negatory +**\** allrighty, well +**\** Keep up the good fight? +**\** yep +**\** We can talk PRNG after +**\** and if anyone reads any papers on forward-secure key exchange that may be helpful for revocable view keys, send them along! +**\** yep, we can call this meeting \*over \* diff --git a/_posts/2017-12-18-logs-for-the-Monero-Research-Lab-meeting-held-on-2017-12-18.md b/_posts/2017-12-18-logs-for-the-Monero-Research-Lab-meeting-held-on-2017-12-18.md new file mode 100644 index 00000000..0121fb0f --- /dev/null +++ b/_posts/2017-12-18-logs-for-the-Monero-Research-Lab-meeting-held-on-2017-12-18.md @@ -0,0 +1,83 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2017-12-18 +summary: MRL work, MRL 2018 forecast, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** okay, everyone, I suppose we can start this research meeting +**\** 1) Greetings, 2) What has everyone been doing? 3) What should 2018 look like for MRL, in your opinion? +**\** btw if i got a reviewer to look at the bp stuff (hypothetically) who wolud i ping about security issues +**\** andytoshi: I think sarang +**\** And luigi1111w. +**\** luigi1111w and moneromooo would also be good contacts +**\** \*nod\* +**\** So, hi everyone. sarang anonimal ArticMine dEBRUYNE endogenic gingeropolous JollyMort[m] pigeons othe silur stoffu unknownids vtnerd waxwing +**\** I know sarang is moving so he may or may not be active this morning +**\** Sarang and I are finishing up the multisig paper and then we'll be shopping it around to get thoughts from community members +**\** Hello +**\** howdy~ +**\** andytoshi: yeah any reviews could contact me +**\** We have also been reading about the new untrusted-set-up zk-snark paper. I'm particularly interested to see if BPs can be dropped into that scheme. +**\** sarang.noether@protonmail.com is a good way to contact more privately +**\** or darkwire.io for realtime +**\** suraeNoether: yes, there is a particular inner-product argument they use +**\** surae you talking about hyrax? +**\** yes +**\** silur yes +**\** I will most likely be responsible for ZoKRates implementation +**\** oh, at ethereum? +**\** chris and vitalik seem to be too concerned about scalability +**\** yea +**\** but IMO hyrax witness size etc totally worth for kicking trusted setups +**\** It's certainly worth our looking into +**\** And I've found the paper to be quite good +**\** very solid lit review too +**\** it's amazing +**\** I don't care so much about sizes, I care more about validation times under the conditions we've been considering recently +**\** They explicitly consider validation complexity +**\** yep +**\** which is a welcome addition +**\** well hyrax is highly parallel +**\** mhmm +**\** should be many times faster on first sight then simple Groth +**\** Very dependent on circuit parallelization +**\** but haven't actually made any tests on that +**\** I also got my attention on this +**\** http://arxiv.org/abs/1712.04417v2 +**\** quite relevant on sharding, decentralized storage etc +**\** oh interesting +**\** In addition to the authentication end of things, Sarang and I have also been working on an implementation of SPECTRE, the blockchain concencus algorithm here: https://eprint.iacr.org/2016/1159.pdf +**\** Yeah, constant time implementation of SPECTRE is quite interesting +**\** wow +**\** Hinted at by the authors but not explicitly considered in the paper +**\** My current constant-time implementation is on my github here https://github.com/b-g-goodell/research-lab/tree/in-prep/source-code/Spectre <--- it does not match the current SPECTRE algorithm so that it can operate in constant-time, but there are also some design choices I'm tinkering with in the original SPECTRE algorithm... +**\** and, it doesn't pass unit tests yet (with or without the aforementioned tinkering) +**\** but this appears to be the first implementation of spectre anywhere +**\** The unit tests are tricky with this +**\** Because the voting gets so complex very quickly +**\** and suraeNoether you found it doesn't always match intuition +**\** Spectre uses insanely high block arrival rates, so I've been doing computations to maximize privacy (ring size) and transaction processing rate subject to a constraint of getting some minimum gain in new node sync time. +**\** i plan on using values from RTRS ringCT (or RuffCT), MLSAG signatures, borromean range proofs, and bulletproofs to determine what sort of rates we could rationally use in spectre while maintaining network security. I wouldn't mind throwing the new zk-snarks in there also +**\** I've also attained some recent proofs into why some ideas I was previously researching just fundamentally aren't going to work +**\** for example, in terms of Proof-of-Space, I am giving up the ghost for a few months or more, because one critical property of block validation is that it can't have \*progress\* like a progress bar. otherwise, the fastest/strongest always wins the next block. +**\** and i think that PoS will tend toward a progress-bar-like block validation mechanism +**\** a few other ideas I had can't work like that +**\** i'm literally thinking of writing a blog post entitled "Apparently clever but inarbuably bad ideas for cryptocurrencies." +**\** silur keep us informed on how Zokrates comes along +**\** anyone else doing anything interesting? +**\** I'm enjoying zkSNARKs and SPECTRE and tweaks to BP efficiency and review +**\** and helping out w/ multisig review, which has gone well +**\** I'm moving this week and trying to balance that as well +**\** Allrighty for 3) a few things. Firstly, i think we are going to follow the cue of #monero-dev meetings and postpone our next meeting. I'm going to say Monday Jan 8 (perhaps Mon the 1st is cruel). Secondly, for research meetings each week, perhaps sarang or I can present a paper we had read the previous week and try to describe how it works to the community. +**\** Ha just like a real lab group meting +**\** ikr +**\** but moreover +**\** I want to know how everyone feels about the direction MRL should head in 2018 +**\** As long as it doesn't turn into a Buzz Killington event: https://www.memecreator.org/static/images/memes/4440318.jpg +**\** eh, this conversation could wait until our next meeting, I think. +**\** ooo lab group https://i.imgur.com/ehgxi9o.png +**\** oh man it's meme time, meeting adjourned ~ hehe diff --git a/_posts/2018-02-26-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-02-26.md b/_posts/2018-02-26-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-02-26.md new file mode 100644 index 00000000..2c34f7e5 --- /dev/null +++ b/_posts/2018-02-26-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-02-26.md @@ -0,0 +1,107 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-02-26 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** Okay, well let's get this research meeting started, I guess. +**\** Greetings everyone who is here. :P I'll make this easy and quick: I'm working on multisig furiously, working my way into migraines so I can get it done, so i haven't thought much about much else except churning and the EABE (or more precisely the EAE) attack. I thought I would be done this morning, but I was put out of commission yesterday afternoon. so maybe this afternoon. +**\** sarang: what have you spent the last week on? +**\** diego[m], sgp\_[m], chachasmooth\_, silur, I believe have all been doing some work over the past few weeks but I could be misrecalling names +**\** mercury^: is your project an attempt at estimating the age distribution of outputs the moment they are spent? +**\** suraeNoether: yes. +**\** cool, we should talk about it after this meeting +**\** I have not done much work so far. I just read the monerolink paper, then tried to think a little bit about what the actual distribution should be. +**\** so, the monerolink paper... the parts that aren't obliterated by obscured amounts in RCT... +**\** there is a slightly incorrect interpretation of our system, which is: the authors, Miller et al, they claimed that the youngest output in a ring is most likely to be the true spender. in fact, it's that \*the first time an output is put into a ring\* is most likely occurrence of the true spending +**\** which is subtly different +**\** I'm making more progress on SoWs +**\** And prepped a privacy talk +**\** suraeNoether: well, both of those could be true. Is their claim false? (Is now a good time to talk about it, or should be wait until the research meeting is over?) +**\** eh, this research meeting is a dud. their claim is also true, but leads to an estimate with much higher variance. one benefit of their approach is that it really should never result in a \*tie\* between two outputs unless they occurred in the same block. one criticism of their approach is that there is not a super clear way to estimate false positive and false negative rates +**\** of course the criticism also holds true for my statement +**\** testing the sensitivity and specificity of a de-anon technique is... well, nontrivial at least +**\** its unfortunate they didn't create a fake network where they could have had ground truth +**\** their block explorer uses their own index instead of pub keys, so it's annoying to cross-reference +**\** fake network based on what? ideally you model the real network but the inputs to the real network are all unknowns +**\** gingeropolous: the thought of the details of that gives me a headache :P +**\** i dunno. just create a network with n "users" making transactions randomly +**\** gingeropolous: but they have to act like the users of Monero. +**\** yeah, ideally. but a fake network of random operators would be better than their current analysis, which IMO still boils down to "maybe" +**\** mercury^: the thing about my heuristic of "find the first ring signature referencing output X, that's the true spender of output X" is true with high probability except in a scenario where an output was sitting around long enough to be included in several ring signatures, or unless several ring signatures already reference it. Hence, I think rather than concentrating on distribution of ages, I think +**\** we should concentrate on including as many outputs that have never been used before as possible, or some sort of joint technique that takes both "number of referential ring signatures" and "block height" into account +**\** gingeropolous: they can test their modeling technique against a null hypothesis like exponential or weibull inter-spending time. or even whole families of distributions, and see how well it does. +**\** gingeropolous: Assuming that the probability of a transaction being unmasked by their method depends only on ring size, their data set would be reasonable I think. +**\** if it is robust against many choices of distribution, then they can be rather confident in their approach in the "unknown distro" case +**\** actually that's a hell of a good idea +**\** suraeNoether: then the pool of never-unconsumed outputs is contentet and might get too small? +**\** never-consumed\* +**\** ahhhh shit i'm going to write that as a paper: rather than test the sensitivity vs. specificity directly, do it monte-carlo style. Pick a random distribution of inter-spending times from a parameterized family of distributions. Simulate an economy with monero or zcash. Try to unmask. Repeat 2^N times for each parameter, and with M parameters, you end up exploring a parameter space of size 2^(NM). +**\** estimate false pos and false neg rate of your de-anon technique for each point in this big parameter space. Estimate the "sensitivity" of these rates to parameter perturbation. Try to find a de-anon technique that is most insensitive to choice of distribution. +**\** suraeNoether: yeah, just weight it so you can still pick 2x or 3x outputs, just less likely to do so somehow +**\** oh man so that'll be the paper I write after multisig is done +**\** suraeNoether: I think with your approach the most likely real output consumed will just be the one that was spent the most often. +**\** no, it's the one that has been spent least often +**\** if an output has not yet been referenced, say X +**\** and you make a new \*random\* transaction +**\** the probability that X is included in that signature is, say, 1/B where B is the blockchain size +**\** actually that probability is the same even if the output has been referenced +**\** however, if X occurs at block height h +**\** the only transactions that could possibly reference X occur at height h+1 or bigger +**\** so if the blockchain is height H, and X is at height h, then at most h/H transactions on the blockchain (roughly) could possibly reference X +**\** each of these is like rolling a B-sided die and looking for a natural 1, and we do it h/H times +**\** that's a baseline "random" appearance of X that occurs completely innocently +**\** Do you mean H−h instead of h/H? (I am new to all this…) +**\** actually \*i do\* good catch +**\** otoh, if we see some X at height h, and it is referenced at block h+10, and H=like a really large number compared to 10, and B=like a really large number compared to 1, the probability of this occurring \*completely innocently and at random\* is super duper small +**\** in other words: the first time an output is referenced is the most likely time it was truly referenced +**\** i wonder if fake out selection should be biased to those outputs that don't have any reference yet +**\** suraeNoether: I can believe that this is currently true; what I said is that I cannot believe that it will stay true if one were to implement your proposed method of choosing fake outputs to consume by preferring those that have rarely been consumed. +**\** hah +**\** ok ill shuddup +**\** So +**\** Is there a temporal aspect to the idea that the first time an output is referenced it is the real output +**\** To test? +**\** For example is it different for recent and old outputs +**\** ArticMine: I believe so. +**\** ArticMine: yes, my argument is based on the idea that the probability an output has been spent is monotonically decreasing over time +**\** ArticMine: an old output that is really being spent is more likely to have been spent before. +**\** er.. has \*not\* been spent +**\** That is also my thought +**\** mercury^: oh yeah i agree, i was walking you through the "derivation" of my argument. +**\** Since this is velocity of money dependent +**\** ah, so that's the thing: miller et al made it velocity dependent by saying "youngest output in the ring." +**\** you can make it velocity independent by saying "first time an output is referenced" +**\** suraeNoether: you assume that outputs are selected uniformly among all that are available. As far as I know that is not even currently true? But the argument probably still holds with the current selection method. +**\** I believe that's the wallet code? +**\** I was thinking in changes in the velocity of money for Monero over time +**\** mercury^: actually since we use two triangular distributions... i would have to think about that mercury^ +**\** It was different in say 2014 that today and will also be different in the future +**\** ArticMine: yeah, this is another reason distributional arguments for wallets squick me out, other than allowing an attacker insight into chain reaction saturation attacks (for lack of a better term) +**\** My thought was to have multiple ring sets that are close in time to the real output and also randomly chose ring leader outputs +**\** ArticMine: the properties of the fake outputs should not depend on properties of the real output. +**\** They should be chosen independently. +**\** So we start with ah output pick say 2 other outputs randomly and then build rings around the real output and the two fake ones +**\** you know, it's funny, i usually laugh at people like IOTA for throwing around terms like neural nets etc, but... this is a great situation for a genetic algorithm. parameterize a wallet selection method as a genetic code, and parameterize an output-reveal-oracle method as another genetic code, then have the two species compete. One tries to make ring signatures that are anonymous, the other tries to +**\** reveal ring signatures, and neither of them breed or eat until they win +**\** With the rings close in time to the real output and each of the fake one and the rings all the same size +**\** but that'd be a senior math-bio-finance major's capstone project +**\** or maybe a masters thesis +**\** for an open minded advisor +**\** just start a college already +**\** for bonus points, toss in a spectre/meltdown attacker trying to steal the wallet secrets +**\** this is just a very fancy version of CoreWars... +**\** Weren't CoreWars programs written by hand? +**\** yes. redcode. +**\** but it would be easy to automate generation of CoreWars programs. +**\** pretty sure it was done, multiple times +**\** but it points to an interesting approach - we should have multiple distribution algorithms, and randomly select when creating each transaction +**\** otherwise an attacker will always know "they're using triangular/whatever" ... +**\** hyc: I think one could guess the selection algorithm by inspecting the transaction. +**\** is there a theoretical ringsize where distribution of fakeout selection becomes moot? +**\** prolly depends on size of blockchain (i.e., number of available outputs) +**\** gingeropolous: I would say that it affects the security that the ring size provides multiplicatively. diff --git a/_posts/2018-03-05-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-03-05.md b/_posts/2018-03-05-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-03-05.md new file mode 100644 index 00000000..36ef15cb --- /dev/null +++ b/_posts/2018-03-05-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-03-05.md @@ -0,0 +1,227 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-03-05 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** howdy everyone~ +**\** hello +**\** Agenda is, as usual: I describe what I've done for the past week or so, and field questions, and Sarang does the same. If anyone else is working on projects, we want to hear about other people's contributions, too! +**\** at any time, feel free to jump in and ask questions +**\** hey +**\** if it gets too chaotic, we'll try to rein it in +**\** oh fluffypony forgot him +**\** Shall we begin? +**\** Yep. How about you go first, brother noether +**\** Sure +**\** The BP audit fundraising FFS is ready and in Open Tasks, waiting for an admin to move to Funding Required +**\** We're setting a stretch goal of 3 auditors, and will fund as many as we raise funds for +**\** Kudelski is pushing back on payment in XMR, but I'm trying to get them to work with OSTIF +**\** If they do, we can pay OSTIF in XMR and they'll convert to USD and pay the auditor +**\** FFS has been moved +**\** Thanks fluffypony +**\** Otherwise we have to ensure that we can legally do the exchange to USD and pay them ourselves +**\** As soon as we have enough XMR for Bunz, we'll hire him +**\** then QuarksLab, then Kudelski +**\** If we can't reach an arrangement with Kudelski, we can replace them with X41, which will work with OSTIF for payment +**\** Other than that, working on some Pippenger stuff for fast multiexponentiation, reviewed a few papers regarding RingCT +**\** Posted my monthly report on r/Monero +**\** Those are the big things! +**\** nice. Does anyone have any questions? +**\** hiya +**\** We're now in Funding Required btw +**\** yup yup +**\** oh, didn't see fp's comment there +**\** https://giphy.com/gifs/excited-ron-paul-its-happening-rl0FOxdz7CcxO +**\** I'll be working with each auditor throughout the process, so this will occupy an known amount of my time for the next couple of months +**\** I have a question, sarang, which is: what are you excited to work on now that the bulletproof range proof audit stuff is going to be spread around a bit? +**\** ah yes +**\** I'm looking forward to doing a more thorough analysis of operation optimization in our current stuff and in proposals like RingCT replacements +**\** and interested in RingCT futures in general +**\** Now that the blockchain will be smaller and verifications faster, anonymity has been moving to the forefront +**\** neat. that leads me to questions about multi-exp optimization in our current scheme +**\** like, in general, it seems like all our EC operations could be made much more speedy +**\** across the board +**\** Depends on what types of operations you mean +**\** Multiexp? Sure +**\** The precise way depends on the size of the operations and curvepoints involved +**\** There's no single silver bullet that's always better +**\** ah i see +**\** Using a combo of Bos-Coster and Straus handles a lot of cases +**\** Pippenger is next up, based on results from andytoshi et al. on their curve +**\** I'd be very curious to see how much faster MLSAGs can get with more efficient operations +**\** The nice thing is that multiexp is probably biggest opportunity for savings, since the current scaling is so bad +**\** I'm pretty much done if someone else wishes to speak now +**\** I just like listening to the sound of my own keyboard +**\** Well, this past week I got the multisig paper to the point where I am seeking feedback/corrections from community members. You can read the current version (main.tex) here. https://www.sharelatex.com/read/bfjfkdgnhgvh +**\** I am confident that the bones of the thing are correct, but details need to be fleshed out +**\** the C++ code appendix must still be reviewed +**\** so i'm not seeking feedback on the appendix yet: i know it's wrong, and I have a list of ways its wrong +**\** There were a few rumblings on whether or not we'd like to take this audit momentum and keep applying it elsewhere, like to multisig +**\** Thoughts? +**\** \*cough\*RingCT?\*cough\* +**\** I believe it'd be good for security and also excellent PR +**\** Ha yes rehrar that was also brought up for sure +**\** I didn't know there were rumblings on that. i think a weak point of my presentation is the C++ code review, for sure +**\** informal rumblings +**\** i actually think I have a pretty clever proof structure that I'm attempting this afternoon that may make things even smaller +**\** rumblings sans top hats +**\** re BPs. in libsecp we use strauss then pippinger. we changed our prover from doing the recursive scheme to one that directly computes L and R with a big multiexp at each iteration, and got an almost 2x speedup +**\** but, again, that's the \*theoretical\* end of the review +**\** andytoshi dayumn brother +**\** andytoshi: nice! +**\** i think i can get a bit more by combining generators at some levels +**\** We did basically zero optimizations to the prover, since that's done once +**\** suraeNoether: auditing the implementation would be key +**\** if we have money left over from the BP audit, I would be happy sitting on the leftover XMR for a month to see if we can get an audit of multi-ringCT out of a single funding round +**\** I very much doubt we'd have enough to fund another complete audit +**\** Might depend on price movement +**\** eh, who knows where the market will be in a month +**\** rihgt +**\** that's all i'm saying +**\** But we could combine leftovers with a new FFS and ride the wave of support for audits +**\** after reading through the C++ code, the only real complaint I had was to increase the # of rounds of chacha encryption +**\** on another note, I'm writing up a brief technical note on sublinear ring signatures. +**\** and why we haven't implemented them yet +**\** or, to be more specific +**\** The idea is this: (i) small anonymity sets are worse than large anonymity sets, (ii) authentication still requires touching all keys in the anonymity set at least once, leading to linear verification times, and (iii) improving the space-efficiency of a blockchain therefore interacts with this linear verification time in a way that produces a space-time trade-off, leading to (iv) a trade-off between +**\** traceability and the space-time efficiency of the blockchain... and I want to discuss (v) several ways that several different currencies have handled this trade-off, and (vi) implications from cost of running an untraceable cryptocurrency network at scale on this time-space trade-off. +**\** Other than working with sarang to get the multisig paper up to peer review shape, soliciting comments from the community on that, and working on this trade-off technical note, I've also been reading papers like Sarang. +**\** What other currenices of notehave handled this tradeoff with ring signatures? +**\** none, but other currencies have hadnled it without ring signatures, i.e. zcash +**\** The tradeoff I see is a replacement with proof structures requiring trusted setup +**\** yeah ^ +**\** There was a paper out with suggestions for Monero, but they too involved a trusted-setup accumulator +**\** (and this fact was buried within the paper....) +**\** yeah, trusted setups are often really hard to find in papers +**\** academics seem to think it's not an important thing +**\** some academics\* +**\** I was surprised since the paper was specifically about Monero +**\** And our views on trust are pretty clear +**\** yeah that's weird +**\** I expect that's \_why\_ they buried it +**\** :| +**\** anyhoo +**\** suraeNoether: carry on... +**\** So, papers: 1) Matthew Green shared his "squeezing crowds" paper, which is a constant-space way of describing the complete set of ring members in a transaction. Link here: https://isi.jhu.edu/~mgreen/mixing.pdf This is a non-trivial result that will help Monero scale eventually... but it solves a problem that isn't yet a problem and may not be for a long while +**\** that new paper by Green? +**\** great minds brother +**\** I know moneromooo had some concerns about transaction height in general +**\** but I can't speak for him +**\** Does it have drawbacks if it was theoretically implemented tomorrow (i.e. not large ringsizes yet)? +**\** Oh that wasn't about the paper itself, just general about when I thought about this. +**\** right +**\** I'm working through the Green paper as well +**\** rehrar literally all it does is \*describe the public keys for use in the signature.\* you still need to pull the public keys out of the blockchain and plug them into the verification equation. +**\** But in retrospect, if you include the height at which you make the sampling, it all goes away. +**\** so this own't help us get larger rings. +**\** Given fake out list size is not our bottleneck, no. Maybe later. +**\** Can you elaborate a little more on what the paper says? +**\** sure, so they define a Recoverable Sampling Scheme +**\** It says you can use a keyed hash function to succinctly describe the ring members to be used in a transaction +**\** so, say you want to construct a ring {A, B, C} +**\** rather than sending keys A, B, and C along with the transaction, you send information for constructing a hash function +**\** if you compute a quick hash of the blockchain using that information, out pops the keys you want to use in the ring signature +**\** Sender grinds or what +**\** All right, with you so far. Why does this have relatively small impact? +**\** and their approach scales with the number of outputs, not the number of inputs. So \*describing\* a transaction with 1000 ring members and five outputs is 99% more efficient with an RSS than with our current scheme +**\** but you still need the signature +**\** and yous till need to verify it +**\** and verifying the signature takes O(N) time. in this case, with 1000 ring members, it's implausible +**\** well except for weirdos +**\** Should not need to grind, make a random + offset should be enough. +**\** in general, you need ring sizes around 10-15 before the RSS scheme actually saves space +**\** one may consider it a database trick for accessing keys efficiently, perhaps, rather than a privacy-enhancing thing +**\** unless i've wholly misunderstood their paper +**\** Hmm moneromooo but that doesn't sound like a hash function +**\** Anyway doesn't matter +**\** ok, thanks for the info +**\** yeah +**\** SO +**\** Yes suraeNoether it's just about descriptors for bandwidth savings over large sample sets +**\** and the use of a hash function means they get proofs of security out of it +**\** not privacy +**\** in addition to that, I've been reading about arithmetic circuits, idly tinkering with my cryptocurrency network simulation tool, thinking about large anonymity sets +**\** but Sarang and I kind of have an announcement, I guess. We are starting an educational non-profit called Multidisciplinary Academic Grants in Cryptocurrency. Our primary goal will be to provide scholarships to students, research grants to researchers, and infrastructure grants to schools. +**\** whoa. And this is a 'separate from MRL' type thing? +**\** Legally separate, yah +**\** yep. The original idea was to start a pipeline between the research world and the cryptocurrency world +**\** Nice! Do you see possible ties to the Monero FFS for scholarships and grants? +**\** We'll get the benefits of being a U.S. registered nonprofit +**\** binaryFate: abso-freaking-lutely +**\** See, after attending several schools that seemed so resistant to cryptocurrencies, I think it's a shame that a lot of students won't be getting a decent education in cryptocurrencies, especially when we're talking about the future world economy +**\** and after speakign with fluffypony and a partner in South Africa, I realized... like... for the cost of a year of college here in the US, that's... an entire schoolteacher's salary in South Africa +**\** Chile has a similar situation going on +**\** cool idea +**\** and if we can manage to encourage education in financial privacy, improve cryptocurrency literacy, etc etc, these are all good things for the economy as a whole... +**\** It also has the side benefit of helping Monero's image +**\** and letting community members give back in a different way +**\** and not to mention: Monero's image as a contributor to education would be an extremely valuable thing for the future of Monero, in terms of development, interest, research, etc. HOW COOL will it be when the first principal investigator who received a MAGIC grant gets tenure or gets an award for a paper they wrote while being funded by us? +**\** ha +**\** again, great minds +**\** jinx +**\** Missed "MAGIC". Just do it already! :) +**\** The idea is that it's legally not tied to Monero (to keep things simple) but can be heavily funded anonymously by Monero community members +**\** and the 501(c)(3) structure will help integrate with institutions and schools better than some random group +**\** kudos to suraeNoether for doing all the legwork on this +**\** I'm just along for the ride +**\** binaryFate: yeah, MAGIC internet money... +**\** Worth noting for the scrupulous among us that donations may be tax-deductible if you're in the U.S. +**\** Thing is, if you go visit a college campus, you'll notice something: the really sweet campuses, the beautiful ones, the country-club campuses... those are the ones that get funding from alumni. you would think that schools that are dumps, the president house is on fire and the dorms are rioting, these are the schools that should get funding. not how it usually goes. i would love it if MAGIC started +**\** funding folks to go to community college and some of those folks ended up building world-changing stuff out of Monero. +**\** and I would love it if the Monero community was responsible for building a library for some disadvantaged kids in south africa. :P +**\** Not to mention, this gives us a legal vehicle to fund academic conferences for Monero +**\** ^^ yesss +**\** So, that's the educational outreach "secrets in the works" that I've been keeping under my hat for a few weeks +**\** It definitely felt like accepting anonymous crypto to fund a nonprofit would rile up the government, but apparently not if you do it correctly +**\** accept XVG? +**\** -\_\_\_\_\_- +**\** sure +**\** Currently we have a partner in ZA and a partner at Clemson University who are interested in being board members, for the two very different ends of the spectrum +**\** I am filing the paperwork to incorporate today +**\** MAGIC doesn't need to GAF about crypto politics +**\** If someone wants to donate to help students, awesome +**\** too bad zcash just announced their grant program too +**\** we want the spotlight =p +**\** well that's all super cool. Glad that you guys are doing awesome things. +**\** Oh, and one last thing: this paper was just put out only a few days ago. Has anyone read it yet? https://eprint.iacr.org/2018/241 +**\** easy sarang. Just make your grant program more grant-ier +**\** and have free pizza. Spotlight all yours. +**\** suraeNoether: I have not yet +**\** Naturally suraeNoether will also be on the board? +**\** oof neha asked me to read that quite a while ago (before publication) and i forgot +**\** ok, well is anyone else working on anything interesting they want to share? andytoshi i know you aren't a direct MRL contributor, but I'm certainly curious about what yall have been up to +**\** BP optimizations mainly +**\** I think he puts blocks into a stream or something +**\** lol +**\** but in very efficient ways +**\** i implemented an optimization from benedikt where we do one less recursion (so we expose two more scalars but save one L/R pair so it's a wash) +**\** this gives us a ~8% speedup in batch verification of single-range rangeproofs +**\** andytoshi: that's the one you discussed with me earlier? +**\** yeah i think so +**\** So, I obviously have zero idea about this, but how long does an audit take to do? +**\** We're looking at up to a month each +**\** but the times overlap +**\** Right. +**\** maybe a little more, maybe a little less +**\** I ask this for two reasons, 1. for BP audits +**\** but 2. what would it look like to devote a bit of MRL time to help audit codebases of other security-focused projects in the privacy space +**\** i.e. Veracrypt, KeepassXC, etc. +**\** it may not be at all feasible, obviously. But just thought I'd ask +**\** That's a huge undertaking +**\** That's what I figured. +**\** and I think it's outside the scope of our intent +**\** Plus we're hardly an independent group +**\** so our results might be viewed as inherently biased +**\** That's really what groups like OSTIF are for +**\** Organizing audits of important tech +**\** (and it's why we're working with them now) +**\** ok :) +**\** We're approaching the end time, and suraeNoether had to leave a bit early +**\** Any other topics of interest to bring up? +**\** OK! +**\** Thanks to everyone for joining in diff --git a/_posts/2018-03-12-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-03-12.md b/_posts/2018-03-12-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-03-12.md new file mode 100644 index 00000000..857bcb9b --- /dev/null +++ b/_posts/2018-03-12-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-03-12.md @@ -0,0 +1,277 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-03-12 +summary: BP audit, Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** So, greetings everyone! +**\** Hi +**\** Hi +**\** yo +**\** Agenda today is 1) hello, 2) BP audit update 3) other stuff Sarang has been reading/working on, 4) stuff I've been working on, 5) obligatory update on MAGIC, 6) anything anyone else wanna talk about? +**\** oh, I also want to talk about: how to educate our users about proper key usage and proper privacy practices +**\** hi +**\** o/ +**\** so, sarang: BP audit update? you gave us a brief one earlier +**\** but let's recap for folks who weren't here +**\** sure thing +**\** We have raised funds for 3 audits: Benedikt Bunz, QuarksLab, Kudelski +**\** I'm finalizing contracts with them +**\** We will likely need to do supplemental funding later due to market tomfoolery +**\** I will be working with the groups during their audits, which will take place between this months and June +**\** That's the brief version +**\** may i ask a question regarding our auditing efforts in general? +**\** plz +**\** or should i wait til end? +**\** fire away +**\** so i'm also wondering about vulnerabilities in the code in general - i know we have the bounty system for that but it's not got quite the same incentive system +**\** just wondering if it makes sense to apply this model to other parts of the code +**\** Hiring auditors, you mean? +**\** yeah +**\** I'm seeing more and more support for it, yes +**\** or an FFS for an auditor +**\** endogenic: so there is this clever idea +**\** At least for components of the code, like multisig or BPs that have a defined scope +**\** that greg maxwell and blockstream are using for their libsecp256k1 library +**\** which has a badass test suite +**\** sarang: right i suppose i'm thinking more from the security and cracking standpoint .. like, can we confirm what % of data input fuzzing we've done and where / if / how the code fails +**\** etc +**\** where they aren't providing bug bounties for the actual library, but for the unit test suite: if you can upload a new unit test that the current system fails, and yet still passes all current unit tests, you get the bounty +**\** That's more of a question for moneromooo I think +**\** that sounds interesting surae +**\** it incentivizes things very nicely +**\** but it requires a really great test suite +**\** yes indeed +**\** I don't think we can easily determine a percentage of inputs for fuzzing. +**\** well that was just one example +**\** i cant take responsibility to define all the jobs an expert cracker would do :P +**\** if we are going to start putting money into auditors, then we should consider putting a proportion of that toward beefing up our test suites. perhaps require that auditors propose new unit tests, or something along those lines, in addition to a thumbs up/down and a list of recommended changes +**\** yeah +**\** i mean we want to record the work which was done +**\** and tests can be nice way to do that +**\** yes +**\** and that way, perhaps after a year or two, we will have a test suite sufficiently beefy to incentivize properly +**\** i know its' kind of a long-term plan +**\** Too bad it's sexier to run an FFS for an auditor than for writing test suites :( +**\** short of paying some smart people to audit our whole lie-berry and come up with test suites across the board +**\** yeah, no kidding +**\** sarang it can be pitched in the same way +**\** they audit by the very activity +**\** do unit tests require coding? (sorry if this is a stupid question) +**\** yep +**\** yes +**\** blerg +**\** it's not that bad tho rehrar +**\** it's more about understanding what you are testing for +**\** The goal is to have complete scope +**\** it is when my coding is 1/10 :D +**\** Any questions on the current audit that anyone has? +**\** Kudelski will be the first to go +**\** When does the C++ based one start ? +**\** They're available this month +**\** More precisely ? +**\** TBD once we sign with them, but I can check on more specific dates if you need them +**\** Anything in particular? +**\** ok, well +**\** are all the audits going through ostif? +**\** Two of them are +**\** Benedikt will be paid directly in XMR +**\** ArticMine: I believe Buenz is independent +**\** ^ +**\** OSTIF's role is just to handle the payment +**\** They'd appreciate being thanked in our materials for helping to organize the groups and handle the exchange +**\** okay, if there are no more questions on BPs +**\** So this will be an ongoing process over the next few months +**\** expect little news until someone finishes +**\** Sarang: what else have you been reading/doing? +**\** I've been reviewing the latest multisig draft from suraeNoether +**\** ok in that case we will stop bringing it up every meeting for 3 weeks or so :P +**\** prepping a submission for defcon china +**\** that's cool +**\** prepping a talk in portland on monero security +**\** reading up on some papers involving mixing and ring representations +**\** hoping to get back to some math shortly for pippenger's algorithm +**\** for speedier multiexp +**\** more administrative work lately, unfortunately +**\** I submitted a monthly report recently that details other efforts +**\** linky linky https://forum.getmonero.org/9/work-in-progress/89005/funding-for-sarang-at-mrl-for-q1-2018?page=&noscroll=1#post-94324 +**\** any other questions for sarang? +**\** I'd like to remind the crowd that sarang's FFS funding round I believe has been posted, although I'm not sure if it's moved to Funding Required yet +**\** There's quite a few things that need to be moved to funding required +**\** we should all poke fluffypony and luigi1111 +**\** Mine is still in Open and not in Funding yet +**\** There hasn't been much activity regarding it anyway +**\** Not a huge rush. I write them in advance to allow for discussion if needed +**\** How about suraeNoether? Your turn +**\** 4) Stuff I've been working on. Multisig paper, formal documentation work for monero, and a formal description of EABE attacks. +**\** For the multisig paper, I just received notes from sarang and I'll be composing a draft for review by someone outside of MRL. +**\** suraeNoether: I'll have remaining notes added to your doc this afternoon +**\** right now I need to copy-paste some intro/notation stuff from a previous version of the paper, fix some references, stuff like that, and then take sarang's changes into account +**\** great thanks +**\** Once the document is a little less ugly, i'll link to it again +**\** Now on to MAGIC per the agenda? +**\** I've been attempting to write up a formal description of the statement being proven in a given monero ringCT authentication, for two reasons. For one thing, I think that our approach for threshold multisig could be generalizable in a way that may make it fun to publish. But I'm not sure if this description has appeared before in the literature, so I'm looking around and contacting some folks +**\** For another reason, because I haven't seen it written out explicitly before. +**\** And the EABE attack is concerning enough to me to be writing up some statistical arguments about churn (sgp\_[m] ping) +**\** i'll be linking all these documents in the next week +**\** so far it looks like 3 sketches of possible papers for publication, even if not as peer reviews, as whitepapers +**\** after multisig is running +**\** anyway, onto MAGIC +**\** i feel like folks have a lot of questions about MAGIC, so I'll ask if anyone has any questions +**\** Question I've seen is: what types of things will it fund, and how will they be determined? +**\** sarang moved +**\** moneromooo ready for funding +**\** thanks luigi +**\** ty luigi1111w +**\** Good question. The overall scope will be: 1) scholarships to undergraduates in the US 2) grants to graduate students in the US, 3) grants to researchers in the US, 4) grants to schools globally with an emphasis on secondary and tertiary education +**\** how much of that we can actually do depends on our funding +**\** oh 5) sponsoring tehcnical conferences in cryptocurrencies is also on that list +**\** suraeNoether: why restrict scholarships and grad grants to US? +**\** so our first year, my goal is to provide a few scholarships, sponsor the first monero conference, and fix up a school in south africa +**\** what other ways of funding are you searching for besides FFS stuff? +**\** do you have any criteria to decide what is good research that gets funded? +**\** sarang: because i feel like we already are going to have lots of applications +**\** will decision making ever get delegated? +**\** The org will need established principles for determining its choices +**\** to stay transparent and accountable to its donors +**\** rehrar: we'll be soliciting funding and grants from as many places as possible. one delightful property of non-profits in america: anything they spend that isn't on overhead must go to charitable purposes or other non-profits. so non-profits like the bill & melinda gates foundation give lots of money to other non-profits. +**\** rehrar: I mentioned the kernel of this idea to some fund managers, who said their groups were interested in supporting nonprofits; this may lead to new funding avenues +**\** that's pretty awesome +**\** endogenic: I haven't started thinking about the research end of MAGIC yet because i'm assumign the first year we won't necessarily get enough money to manage to give out substantial research grants +**\** sorry replace research with project +**\** i misspoke +**\** Sounds like there would be a clear delineation between scholarships and grants +**\** ah yeah well in general, like sarang says, we need established principles for determing our choices, and this is something that needs to be discussed at our board meetings. we want to be very public, and i want to make our board meetings available as youtube videos or whatever... pending agreement by the other board members (some of whom have not yet been picked) +**\** sarang yes +**\** Grants would have the expectation of deliverables +**\** Scholarships are to increase the talent pool and help perhaps underrepresented student groups become involved in the space +**\** scholarships for undergrads, it is my intention, to mainly be aimed at folks in law or economics or computer science or math. Not exactly the traditional STEM mix. however, i don't want an undergrad to worry about losing their money if they decide to study graph theory instead of bitcoin +**\** sarang ^ yep +**\** i kind of want the schoalrships nearly strings-free +**\** However, the devil's in the details +**\** as far as funding goes, though, i'm matching up to 5% of donations up to 50 XMR for this venture. If we manage to get 1000 XMR, I donate 50 XMR to the cause and we'll have 1050 XMR for the first year +**\** suraeNoether a little late to chime in, but I would love to help you with the EAE paper if there's any way I can +**\** sgp\_[m]: PM me +**\** and if we can manage that much XMR the first year, we can pay for like 5 scholarships for undergrads, 2 grad student grants, fix up a school or two in ZA, and host the first monero conference (with no entry fee) +**\** This is an interesting pilot project that could take many different directions +**\** and still have some XMR leftover for the next year +**\** I think it'll important to keep the scope balanced between too narrow and too broad +**\** my primary concern right now is determining criteria for handing out scholarships +**\** An established mission is gonna be essential to establishing and maintaining this direction +**\** personally i think the best students are the ones who sucked the first year or three and then completely turn around, but that's just rewarding students with a past similar to myself +**\** how many board members and who is under consideration? +**\** will you guys need a website? +**\** yes +**\** You'll need to use the application process to determine who is excited about the crypto space and not just eager to hop on a money train +**\** msvb-lab will get mad at me if I talk about other people's websites before I finish Kastelo +**\** I wouldn't expect the model student to know everything about this space, but I want to ensure that the recipients are those with a strong desire to succeed in it for good reasons +**\** rehrar: Yes, very mad. It's our nature. +**\** me, sarang, the operations manager from Globee, my advisor at Clemson university (Jim Coykendall), my wife are going to be the first board members. +**\** rehrar: we'll advertise with hip videos on FaceSpace and SnapTime and InstantGram where students like to hang +**\** if anyone has an issue with my wife on the board, MAGIC was partly her idea, she has 7 years experience teaching in higher education, and she isnt' being paid +**\** Should there be broader representation? +**\** I'd be happy including more board members +**\** Or is this sufficient? +**\** I'm a Mexican if we need diversity :P +**\** I'm not leaning one way or another, just wondering if it is +**\** rehrar: you are also in NM yeah? +**\** I am +**\** and NM has liiiike some serious education problems +**\** iirc +**\** Come down and we'll have a party trip to Juarez +**\** yes +**\** we really do +**\** WELCOME ABOARD REHRAR +**\** I'm working on this myself actually in my free time +**\** We're like the second worst in the nation +**\** cool email me at surae@getmonero.org so I can get you on a list +**\** okay, lastly +**\** I'm on a lot of NSA lists already, but sure. +**\** yes NM does +**\** rehrar is the only beacon +**\** endogenic came here and saw the people sobbing in the streets +**\** okay, lastly: I wanted to talk about how to educate the community about key safety with MoneroV and best practices (currently, I'm not convinced churn is non-negligibly helpful under a very specific threat model) +**\** What about a short one minute video? +**\** would be very convenient to link to +**\** We can put it on our soon-to-come media.getmonero.org as well as youtube and stuff +**\** i've been thinking about starting whiteboard youtube videos explaining how cryptocurrencies work. this could be the first one. +**\** suraeNoether, talk with me later about Privacademy. +**\** something that would allow an idiot like me to know exactly what to do +**\** Just paste your private keys here. We'll print them out and put them in a safe for you +**\** ;))) +**\** OR DON'T +**\** nice +**\** thx +**\** My concern with this is that we do not end up protecting MoneroV from the claws of the bear +**\** nioc, looks to me like you're a pretty smart fella, if the past few years have shown us anything about anticipating change. :P ok. Does nayone have any questions, concerns, comments? I'll be posting my next funding request this afternoon. I have a hard time gauging the mood of an IRC chat room +**\** ArticMine: care to elaborate? +**\** i heard nioc is a cabbage +**\** literally +**\** I don't have a good sense for how many users will fall for V +**\** Basically i see MoneroV as an economic attack. If nobody claims their MoneroV then it price will be significantly inflated +**\** So we need a process for people to claim, their MoneroV safely and without impacting their own and other's privacy and to be blunt at the appropriate time dump the MoneroV on the market +**\** That is where the claws of the bear come in +**\** What do you mean ArticMine? Spending an existing output on the V chain with random ring is immediately deanon +**\** and contributes to the eventual deanon of your ringmates +**\** I see what he's saying though. If not a lot of people claim theirs, then it's a lot of immediate 'holders' which might artificalily inflate the price +**\** The only way I can see this working is a spend on both chains with a significant number of overlapping rings +**\** which in turn, might make it seem like MoneroV was somewhat successful +**\** which also in turn might make other people try to do something similar with Monero +**\** If the price of MoneroV crashes then this becomes a powerful deterrent for the future +**\** ArticMine: i disagree. airdrops are designed to crash like that +**\** Tough part is that a given user might not care about their transaction being deanon. But it's convincing them that it contributes to others that's trickyy +**\** they aren't designed for egalitarian long-term pegs +**\** sarang, I thought (mind you I am late to the party), that spending a output on both chains with the same ring was theoretically "safe-ish" to some extent +**\** Olufunmilayo: only if all your ringmates do the same, and all their ringmates, etc +**\** And their code needs to support it +**\** It is but trike to do +**\** they've shown they don't GAF +**\** Then we will have to release a patched Monerov +**\** It does not have to be "official" +**\** One idea I like is making it easier to fork the Monero codebase and blockchain safely +**\** \*shrug\* I may be thinking a bit casually here, but since this is the first time something like this is happening, and we're already going to be getting our upped ringsize before the fork, I think we can somewhat safely wait this one out and see how it plays +**\** So for future attempts, they'd have to actively break that safety +**\** and then we can give them bad publicity for actively hurting users +**\** i wonder if they doubly-hash their key images. so you check if pHp(P) is in the key image set or if pHp(pHp(P)) +**\** or if they could rather +**\** By the way the network effect is less because of spent RingCT ouputs that will not be compromised +**\** Alright, I gotta split. Thanks for the meeting. Catch you guys later +**\** ArticMine, what good would a patched monerov be if the core team is not behind monerov? Also, suraeNoether, time would also be a factor yes? both have to be done simultaneously +**\** The trouble is that the same keys are used on both chains +**\** It will allow those who wish to claim and sell their MoneroV to do so safely. +**\** oh no the double hash doesn't work unless all previous ring sigs do it that way. bah. +**\** Not all but enough to provide a good mix +**\** and that means pre fork mixins will only work +**\** ArticMine, you will then have two competing versions of monerov competing against each other. I do see the benefit but \*shrug\* +**\** okay, well, unless folks have more questions or suggestions, i think our best bet is simply to put out a video that says "don't claim your MoneroV, here is why." +**\** No the patch can be compatible with the MoneroV consensus +**\** because the math to patch monerov or to protect monero isn't obvious to me right now +**\** I am not sure if there is a solution +**\** It's mooo's code to make it use the ringdb, AFAIUI. +**\** suraeNoether, only other thing would be to I guess track monerov tx's to see just how bad it is haha +**\** We will +**\** Okay, well +**\** good meeting everyone +**\** 1h10 minutes, not too bad +**\** OH OH +**\** oh +**\** oh? +**\** anyone want to volunteer to make PRs to my github with meeting logs? I'm literally never going to do it +**\** i intend to every week, but i think i need to practically accept that it's not going to happen. :P +**\** https://www.youtube.com/watch?v=ZXsQAXx\_ao0 +**\** ok +**\** fine +**\** lol +**\** \\meeting +**\ \** +**\** https://github.com/b-g-goodell/research-lab/tree/master/meta/research-meeting-logs +**\** just started a folder called meta rather than cloning the meta repo for The Monero Project. +**\** i suppose i should clone it and make pushes appropriately +**\** but i'll dot hat later +**\** ack its not complete +**\** ok there we go: https://github.com/b-g-goodell/research-lab/blob/master/meta/research-meeting-logs/ResMeetLogs-12-Mar-2018.txt +**\** bbl yall~ diff --git a/_posts/2018-03-19-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-03-19.md b/_posts/2018-03-19-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-03-19.md new file mode 100644 index 00000000..5b7131a9 --- /dev/null +++ b/_posts/2018-03-19-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-03-19.md @@ -0,0 +1,134 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-03-19 +summary: MRL work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** So research meeting, I guess, 1) Hello. 2) Sarang's stuff (he appears to not be on)... 3) my stuff. 4) anyone anything else is interested in, and 5) questions +**\** looks like participation this week is a litlte weak. maybe it has something to do with the st patty's weekend or something +**\** So, skipping directly to what i've been working on: I finished the multisig "submission" draft (here https://github.com/b-g-goodell/research-lab/blob/in-prep/publications/bulletins/MRL-0007-multisig/draft/MRL-0007-multisig.pdf ) +**\** i've gotten one email from someone about key cancellation, which I was able to explain +**\** but i'm seeking all sorts of feedback, in particular about the veracity of my proofs +**\** here +**\** andytoshi if you wouldn't mind giving it a sanity check read-through and some brutally honest critiques before I push it out the door, I value your opinion. luigi1111 and moneromooo the implementation in the paper doesn't exactly match the code, i'm splitting the code review into a second document +**\** other than that, i've just been thinking about how to send an output to a \*subring\* of user keys instead of a single user key. and then any ring signature with a key image from the destination subring has authorization to sign a new signature +**\** if i can figure out how to force the square peg/round hole, this is a way to have refund transactions +**\** but it's not atrivial problem +**\** i'm also thinking about how one could send to a "special" monero adress (special according to some TBD definition) that allows a sort of off-network ledger system to track asset issuance and transfer. sort of monero lightning, but not exactly +**\** and the refund addresses are required for that to work out, so... yeah +**\** basically, all theoretical week from me for a few days +**\** ahrem +**\** so, if anyone has any questions +**\** we can call this a Q&A or something I guess. :P +**\** or if anyone thinks we need to start looking into some specific stuff, we can chat about it +**\** are u guys looking into PoW mods / changes / evolution? +**\** there is a core team discussion that involves MRL that is kind of ongoing about PoW +**\** gotcha. i just didn't know if you've formally looked into some things like ... ah some password hash that hyc brought up, or the thing merkle tree proof thing, etc +**\** i haven't looked into any specific stuff recently... but i'm starting to be inclined toward abandoning the idea of asic resistance. in one sense, at least, it's a matter of willfully engaging in an arms race that, 7 years from now, will be (unless something changes) all but unwinnable +**\** ah, that password hash document bothers me +**\** i need to talk to sarang about it actually +**\** it seems like a nice idea because you are 1) hashing 2) an RSA signature +**\** there are some issues with trying to boost a low-entropy space like the space of passwords to a high-entropy space +**\** smooth's point that the centralization required to hard fork away from ASIC resistance isn't something that's what Monero stands for long term +**\** That sounds a lot like "abandoning the idea of freedom". +**\** ^^ +**\** hahahha +**\** ok well +**\** think of it this way +**\** yeah i was gonna say, if your pro asic, then as lord troll dev I banish u +**\** lol no no i'm not pro-asic... or rather, i'm not pro-centralization +**\** my opinion: https://www.reddit.com/r/Monero/comments/84vqkt/why\_is\_everyone\_so\_happy\_about\_making\_monero\_asic/dvsy5us/ +**\** i'm just not convinced that anti-asic = pro-decentralization in the long-run +**\** centralization happens with asic resistance or asic friendliness, just in different ways +**\** andytoshi made a very very good argument at one point that the most decentralized a PoW mining scheme \*can be\* is if it's been ASIC'd down to the thermodynamic equilibrium +**\** right +**\** well, i guess my point was to ask if you've investigated some of the wilder thoughts that have cropped up, like compiling as a PoW +**\** The long run is different from the near future. You can make different decisions for both, but you can't made decisions for the long term now without knowing how things develop. +**\** what i'm primarily concerned about is preserving monero's censorship resistance, antifragility, etc all the buzzwords cryptotwitter loves +**\** gingeropolous: i'm always looking into new schemes, if you find one send me a link! i haven't seen anything like compiling as PoW before +**\** well no one has +**\** Right moneromooo, which is why I support ASIC resistance in the short term, and probably sometime much further down the road when things have developed quite a bit, ASIC friendliness +**\** moneromooo: correct. and in the short-run we have been rather dedicated to foiling ASIC rollouts and this I FULLY support +**\** its fresh off the mindspring of the collective +**\** so there's no link +**\** if there ever comes a point where ASIC creation and distribution is much more decentralized than today (as determined by...?), then I would be in favor of switching to an ASIC-friendly algo +**\** so let me be very clear +**\** thats the general idea. I like the metric that fluffypony proposed - when ASICS are handed out as schwag at corporate events +**\** i can ask PoW and BP question? +**\** I'm 100% behind the community's unspoken social contract that the path to centralization (whihc is inevitable) needs to sort of be \*linear\* in the amount of burnt resources. +**\** yep madLyfe shoot +**\** i feel like that was one of the more fun takeaways from the cryptonote initial design +**\** I think this distinction is important though gingeropolous because otherwise people think ASIC resistance is the be-all-end-all of Monero security. And if they don't realize that it's a means to an end (decentralization and censorship resistance) then if/when we do come to a point that ASIC-friendliness is the better option, there will be hell to pay as people don't understand. +**\** is it in the cards to move towards CPU only PoW mining for the next HF? and for BPs, is it possible to apply in reverse? or prune? or make the chain size smaller? +**\** Define "in reverse". +**\** not possible +**\** possible to prune, absolutely +**\** well maybe not via BPs but to make the entire chain size smaller. +**\** madLyfe: our recent work on the PoW algorithm is intended to foil ASICs that have already been taped out at the factory. the goal is to make monero as close to "all CPU mining" as possible (for the time being). +**\** by pruning and certain trust models, yes +**\** madLyfe: you mean like compressing the current blockchain? i echo what luigi1111w said +**\** well different types of pruning for different trust models, heh +**\** is there an idea of what % of the chain could be shed? +**\** although i'm fairly certain that gmaxwell's original proposal for masking amounts with confidential transactions, where he says that range proofs etc can eventually be discarded... this was a comment intended for a bitcoin-style rollout not a monero style rollout, so i'm not sure how much we'll be able to save on pruning +**\** ah +**\** madLyfe rather than looking at % shaved off the current blockchain, we tend to focus on the marginal improvements like "how much faster or smaller can we make it going forward" +**\** With 100% pruning I can give you an idea, for a lower bound. +**\** luigi1111w, as I don't have a lot of experience in this, what you're saying is that if a person is willing to trust certain things implicitly, then they are able to prune different parts of the blockchain depending on what things they trust, correct? +**\** moneromooo: +1 +**\** rehrar: that is what luigi1111w is saying yeah +**\** rehrar prune at different times +**\** well i shouldn't speak for him +**\** that'd be interesting +**\** you can prune after verifying +**\** or you could "sync pruned" +**\** if you are willing to trust the past 3 months of blockchain info, and willing to trust that range profos aren't cheatable, you can get away with checking nothing but signatures for 90 dyas, for example +**\** leave it up to the user to define what they are comfortable trusting and not, with some users choosing max convenience (basically 96%) and some users choosing to verify and store it all +**\** moneromooo, could you give that number? I'd be interested to know. +**\** note that basically all users already trust hashes for historical syncing +**\** well basically all, I don't have numbers +**\** Hmm. Looks like 50 GB in prunable stuff. Looks a bit much. +**\** perfect! Let's tell the community. +**\** the chain isn't even 50 GB? +**\** lol +**\** rehrar: while that seems like an interesting idea on the surface, keep in mind we don't necessarily let users select everything based on their trust model. for example, they can't pick a curve with smaller group order because they are so trustworthy. +**\** It's 58 GB on my disk. +**\** luigi1111w it adds more space to your hard drive +**\** although it'd be \*very\* interesting to see a cryptocurrency where each transaction specifies \*everything\* including curves. :P heh +**\** .hmm +**\** 44.2GB on mine +**\** Yeah, that sounds a bit wrong. +**\** suraeNoether but is this enforced at a protocol level? +**\** Ah, but I have a db where I split prunable/unprunable, and I have a prunable hashes table too. +**\** or in our reference client implementations (sorry I am nub) +**\** we only have one curve +**\** and one group, really +**\** so, yes (enforced) +**\** k, if I'm too stupid just pat me on the head and move on :D +**\** though one could certainly choose a lower scalar entropy if they desire +**\** (ie, they are incredibly stupid) +**\** ((yet somehow smart enough to set it up)) +**\** X) +**\** rehrar: well, think about it like ring size +**\** except instead of signer ambiguity, you're looking at transaction validity +**\** if you allow users to trust less for greater convenience, you get american airports, TSA, border securiyt, and no more 4th amendment ... ahem what was I saying? +**\** that does not sound like greater convenience -\_- +**\** ikr? +**\** so, i thought zkledger was silly until i realized it could be layered on top of or integrated into most Pedersen-commitment-based cryptocurrencies really nicely +**\** moneromooo sorry just saw your comment +**\** how can that be that much space +**\** suraeNoether: sorry, i stepped away. sure i can read over the multisig thing +**\** I think mdb\_stat is including free space in its pages count. I asked hyc, +**\** prunable hashes should be like a few hundred MB +**\** thanks guys! +**\** it allows a user to act like a "depositor" and specify a finite number of "banks" and execute transfers between these banks and prove it is all correct without revealing any information about that. at first i was like "ehhhh seems like a very fixed set-up that requires a trusted third party, etc etc." then i realized this allows a user to (1) declare and issue an asset, (2) declare a finite set of accounts +**\** through which this asset will be be transferred, and (3) issue assets and transfer them around between these accounts with zkledger. use case: a large store wishes to issue gift cards. they act like a depositor, depositing XMR into a gift card zkledger, declaring a finite set of banks/accounts, say one for each brick and mortar store, and updates the zkledger offchain with gift card transactions. later, they +**\** can close the transaction by auditing the ledger and proving no XMR was created or destroyed. +**\** moneromooo: so you are saying the chain could be pruned to 17%ish of its current size? +**\** I am saying mdb\_stat is getting me weird results. +**\** madLyfe: the take-away is that we have some pruning available if we had some folks carefully thinking about how to do it. :P +**\** we all wear multiple hats here +**\** oh ... uh... i guess we can say that concludes the meeting? :P oy, today was quite informal. \ diff --git a/_posts/2018-03-26-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-03-26.md b/_posts/2018-03-26-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-03-26.md new file mode 100644 index 00000000..6e98473f --- /dev/null +++ b/_posts/2018-03-26-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-03-26.md @@ -0,0 +1,101 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-03-26 +summary: MRL work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** Sarang is apparently en route from an airport and is not expected to make it for the meeting. So today i'll just babble a bit +**\** and answer questions +**\** Remind me, was he presenting at that Blockchain conference? +**\** yes, that's why he's en route from the airport +**\** he took it upon himself to disabuse some folks of some certain notions about hashgraph +**\** which I think is neat +**\** specifically, he's been reading a lot about graph-based currencies, and someone gave a rather misleading presentation, but Sarang's presentation (I believe) preceded it and it was an educational moment +**\** but I shouldn't speak for him, I wasn't there. the conference organizers flew him out to give a presentation on behalf of MRL and I have confidence he did a great job representing us +**\** Will it be posted online? +**\** he can answer that later today. I don't know. +**\** ok, thanks +**\** So, before we proceed, does anyone have any other general questions for MRL? +**\** Sorry I'm here but mostly distracted by class. Looking forward to hopefully viewing the presentation online +**\** ok, neato burrito. So, basically this week I've 1) been putting some copy-editing changes into the multisig paper like spelling and references 2) working on models of the spend-time distributions vs. ring mixin selection distributions, and 3) while driving between albuquerque and denver, I think I came up with a novel ECC signature scheme from one-way functions (staring into the desert sun), but I'm not +**\** putting a lot of effort into that until I have more of a handle on spend-time distributions +**\** I've also 4) been building the MRL Research Roadmap for 2018. I need to discuss with sarang, but I think we'll be putting that out mid-May, because we want to have a complete look at what's going on +**\** uhm, also I've spent an enormous amount of time this week on a certain project for MRL related to churning and the EAE scenario. details to come later on +**\** sounds cool +**\** if hyc thinks it's cool, then it's cool +**\** hyc and I have been chatting about an asic-unfriendly POW expansion, also +**\** I'm highly looking forward to seeing your work with EAE +**\** yes and I'm now digging back into the bulletproofs paper to try to get more solid understanding +**\** namely, if instead of a POW game like: find nonce x such that H(block || x) \* difficulty < target.... we can run a POW game like: find a nonce x such that, for a random bit of javascript J(x) that is loop-free, H(block || J(x))\*difficulty < target +**\** this was the idea hyc originally brought to my attention, but verification requires executing the code, so I was thinking instead it could be a random arithmetic circuit instead. then you can present bulletproofs that you know the nonce x such that H(block || AC(x))\*difficulty < target efficiently +**\** oh yeah, I remember you guys discussing something like that. Just to clarify for me cuz it was a bit confusing at the time. The idea is that CPUs and GPUs compile code better than ASICs would, correct? +**\** compile and execute +**\** the idea is that if the code is random, then an asic will presumably not even be able to compile the code, let alone execute it, but a cpu is built to deal with arbitrary code +**\** maybe this is a bad analogy, but I think of an ASIC as a big manufacturing factory, fully automated. it makes lemon cakes. the random code you just spit out asked for a rotisserie chicken +**\** making it so that an ASIC would have to be built with a CPU, which defeats the purpose because might as well have a computer at that point, right? +**\** that's the general idea yes +**\** great, I understand now. Thank you for explaining. :) +**\** yeah, it shifts the bottleneck away from the highly asic'able hash to finding the nonce for the hash, kinda +**\** which is quite clever +**\** hack the planet! +**\** if this idea pans out, we can even do some looking into seeing if the random stuff can do something useful as well? +**\** useful? +**\** never mind, this is something I know too little about. Sorry. Plz continue. +**\** the code must be highly random and unpredictable +**\** if it does something useful, that can be ASIC'd +**\** rehrar: use the heat to warm your chickens +**\** there ya go +**\** can the chickens consume the arbitrary code? +**\** The random code can provide space heating and in many parts of the world that is useful +**\** does anyone have any other questions? i can sketch out my new signature scheme if folks are curious, but it'd be more of an algebra discussion. :D +**\** Sure +**\** Cool. So, definition: a cartesian square of groups is a set of four groups and four group homomorphisms arranged in a square satisfying \*one weird property\* +**\** https://www.irccloud.com/pastebin/XXZjHHp0/ +**\** So the square looks like this +**\** and the property is this: if group elements from B and C end up \*at the same element\* in D, then they must have \*come from\* the same element in A +**\** scientists hate it! +**\** denoting the top map f, the left map g, the rihgt map h, the bottom map j, this means: if there exist some b in B and c in C such that j(c) = h(b), then there exists some a in A such that b = f(a) and c = g(a) +**\** so I'm going to set A to be my private key group Zq, and D to be my public key group G +**\** and i'll just assume the middle groups B and C are also equal to my public key group +**\** then a message M can give me a signature this way: from M, build a one-way map from Zq (private keys) to G (signatures) called SIGN and a one-way map from G (signatures) to G (public keys) called VER +**\** to sign the message, I evaluate my private key SIGN(x) and get a group element, my signature. To validate this game from me, I evaluate VER at my signature and check that the result is my public key, VER(SIGN(x)) = X +**\** so my signature is SIGN(x) and the function VER +**\** each message M has a different pair of one-way functions SIGN and VER +**\** to forge this, I need to find a group element S such that VER(S) = VER(SIGN(x)) for someone's honestly computed SIGN(x), but that requires breaking the one-way-ness of all the arrows in my square +**\** \*this is all great in theory, but i have no implementation yet. :P\* +**\** oh, i missed a word: in the definition of the cartesian square, the diagram has to be commutative. so if I traverse from A to D along one path (through B), I get the same result as if I had traversed the other path (through C) +**\** and that is \*critical\* +**\** so, to construct an implementation, I need a way to map from message space to the space of one-way group homomorphisms to get SIGN and VER, and then I need to mod out by the ideal generated by all the functions that don't satisfy the cartesian property +**\** more recently cartesian squares (mid-late 20th century terminology) have been called "pullback diagrams," and I haven't found any descritpions in the literature of EC-based digital signatures based on them +**\** that doesn't mean that this is a novel signature scheme, only that I haven't found any old references to them. I'm emailing around asking folks, and if anyone comes across anything, please let me know +**\** to forge this... <--- also, i need to find a message M such that VER is the one-way function derived from M to compute a forgery +**\** okay, abstract algebra/category theory lecture done. :P hehe +**\** whew ;) +**\** ikr what a blowhard +**\** also s/game/came +**\** I think I missed a part, can you explain again the bit after "now listen carefully" ? +**\** "i think a few pages back, you missed a negative and the error propagates. I would have said something, but you were so excited about proving P=NP" +**\** lol +**\** does anyone have any questions for MRL? I believe sarang is going to be posting another FFS to fund the third audit later today or something? +**\** how much extra is going to be needed? +**\** and did we sign off on anyone getting started already? +**\** rehrar I don't know, and I don't know. i believe nioc was encouraging us to not worry about getting it funded and to just post it so we can get the process moving, but I don't want to speak for him. +**\** got it +**\** and sarang will be back later today to talk about that +**\** days like today, i want to hire a suresh noether +**\** okay, next meeting, I want to talk about planning the first monero conference, and planning travel for sarang and i to other conferences between now and then +**\** i'm actually attending a bitcoin/blockchain event on april 25 in denver at one of the venues i'm looking at for the monero conference +**\** and I have a few meetings next week about it too +**\** other than that, I got nothing left to chat about +**\** rehrar: I believe Bunz and QuarksLab have already been signed +**\** i also want to chat next week about how is everyone satisfied with MRL. I want to gauge the community on direction, depth, breadth, leadership, funding models/goals etc. +**\** cool, thanks nioc +**\** so, with that, i want folks to think about what you would say to me if you had me face-to-face. :D +**\** oy, I need to talk with the two of you fairly soon. It's already Revuo time again. +**\** rehrar i believe i'm dragging sarang out to denver for that blockchain event. make it up here around that time and maybe we can make it a MAGIC board member meeting + revuo intervuo. +**\** we'll drag mike from the moneromonitor by. :P it'll be historic~ +**\** \ diff --git a/_posts/2018-04-02-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-04-02.md b/_posts/2018-04-02-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-04-02.md new file mode 100644 index 00000000..01814a1e --- /dev/null +++ b/_posts/2018-04-02-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-04-02.md @@ -0,0 +1,235 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-04-02 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** meeting time! +**\** i think he is attributing research to his imaginary R&D research group +**\** If he's claiming they're doing the "improved" CT then I am not concerned at all +**\** because that's junk +**\** FFS he is known to basically hate Monero +**\** allrighty, 1) Greetings everyone, 2) what MRL has been up to, 3) what we plan on getting up to. i know it's a really loose agenda, but hey +**\** FFS = FYI +**\** monero loves him too +**\** so, hi! +**\** who's all here? +**\** Cat of the week, sarang? +**\** hi +**\** also, I'm here. +**\** He's hiding out in the clothes dryer now +**\** and I'd have to get a photo and scrub the metadata first +**\** hiyo :) +**\** hi :) +**\** 12 monekys more like +**\** 12 monkeys was a pretty good film tho +**\** allrighty: sarang, what have you been up to? +**\** https://imgur.com/a/gpv13 +**\** A lot of paper reading to stay up to date and learn, released my monthly report on r/Monero and FFS, checking up on moneromooo's recent addition of batch verification to his BP code and tests +**\** Trying to stay afloat with Son of Monerolink +**\** Seems to be a lot of putting out small fires that idiots start +**\** Matthew Green all proud of himself about that +**\** My gods the press coverage has been abysmal +**\** and much of it by people who should absolutely know better +**\** Schneier basically said HEY LOOK A THING I SAW ONLINE +**\** negativity sells on a bust +**\** but only for a while +**\** This past week I've been working on reviews to the multisig paper. andytoshi has provided me some comments and I'm making some changes consequently +**\** what is your timeline for release? +**\** What sorts of changes? I'm curious +**\** the paper in its current form is already on github koe, changes will be uploaded by the end of the week I think +**\** the main large-scale complaint is that I specify stuff that could be chalked up to secure side-channels, and there is some back-and-forth discussion about using fresh multisig keys versus salting and hashing your current user keys +**\** oh I dont see it in MRL, is there another spot? +**\** True, there were plenty of discussions during the development about the nature of secure communication between coalition members +**\** I'll be curious to see what updates you make from it +**\** sechttps://github.com/b-g-goodell/research-lab/tree/in-prep/publications/bulletins/MRL-0007-multisig +**\** whoops +**\** https://github.com/b-g-goodell/research-lab/tree/in-prep/publications/bulletins/MRL-0007-multisig +**\** cool thanks :) +**\** Tell us about fresh keys vs salting +**\** if the hash function is good, no one could tell the difference between using fresh keys or using hashed ol keys, and the reason to not re-use old addresses is to prevent exclusion attacks where two coalitions collude to remove control of some common coalition members... but if the old keys have been hashed with new salts, that isn't a danger with a good hash function. so ... +**\** right... +**\** for convenience to users, i think it's okay to re-use keys this way, but to describe the scheme for the paper and make it more clear, readable, compact, etc, I think i agree with andytoshi that the salted-then-hashed keys can be at least moved to the end +**\** as a "if users really want to do it this way, they can do it" sort of thing as opposed to built into the scheme +**\** it will make it easier to prove secure too +**\** andytoshi had a variety of other very helpful comments. i'm most concerned about my unforgeability proof at this point, and revisions are still happening. +**\** roger +**\** in addition to all that, i invented what i think is a novel signature scheme in the elliptic curve setting. depending on construction, the security can fall onto the existence of one-way 2nd pre-image resistant group isomorphisms, instead of the discrete log hardness assumption +**\** going for QC-resistance? +**\** current draft descritpion is here; an implementation requires, i think, a really freaking large group, though +**\** hyc no, just had a dream one night. :P +**\** https://www.sharelatex.com/project/5ab98a71234cc910159f828b +**\** Did you make updates to it since you first showed me? +**\** it's been undergoing pretty much constant revision, i don't recommend anyone read it yet. you have the basic idea from the first read-through and until stuff is more formal, it's just me messing around +**\** it'd be nice to be able to pick some folks brains \*in person\* at a whiteboard, though +**\** always is +**\** suraeNoether: will you bill for your sleeping time since you seem to work then also? +**\** i know andytoshi isn't a formal contributor to MRL, but we enjoy his assistance an awful lot around here... +**\** and since this is a research meeting, andytoshi, would you feel comfortable going over your BP work again for those who missed it earlier? +**\** rehrar: i don't bill by the hour, which is why i can't put work down ever +**\** any chance andytoshi will co-author any papers with you? +**\** hyc maybe if i write something worth publishing. :P oh! my last paper from grad school has been thrown up on arxiv and is seeking publication. not technically an MRL accomplishment, but my co-author let me know he put it on arxiv and submitted it +**\** nuts, i wanted to chat with hyc about random-code POW +**\** Any other updates? +**\** Not from me, not about MRL or research. If anyone has any other research projects they have been working on/would like to discuss, fire away... +**\** or any questions, etc +**\** suraeNoether had mentioned an upcoming conference very relevant to our interests +**\** do you actually get informed if someone references your work in white paper? +**\** Depends on how they're released +**\** ok +**\** Google Scholar can pull citations from a lot of formats, for exampl +**\** antw081 google scholar tracks citations of whitepapers and you can set up alerts. +**\** but for informal non-cached stuff, not necessarily +**\** Ah, yeah, so there's this conference in London in 2 weeks. I would normally just buy tickets and go and then start an FFS for reimbursement (if possible) but tickets are A LOT more than they were when I did the same thing for Switzerland. +**\** and I don't want to just impulsively go to conferences last minute +**\** you should send meeeee +**\** It is a lot though for a one-day +**\** suraeNoether: link? +**\** looks like good talks relevant to cryptocurrency privacy +**\** yes, and the first MAGIC board meeting is in a day or two after that conference +**\** and that's kind of our specialty and junk +**\** http://ieee-sb2018.cs.ucl.ac.uk/#schedule +**\** I was totally unaware of this event until earlier today +**\** so i'm okay with not going to it, but \*i'm totally willing to hop on a plane and jet lag myself later this month\* if that is what this community wants from me. i'm your humble servant, as it were. :P +**\** \*on that note\* I would like to start an MRL calendar or something like that, where we throw up big research conferences in bitcoin, blockchain, cryptocurrencies, and infosec, and our travel plans +**\** any time \*anyone\* sees a conference or an event i htink it'd be cool if folks started to just passively populate this calendar +**\** Just use Github issues? +**\** FFS it, it will get funded +**\** I think it'd be excellent to go +**\** antw081 and if it doesn't, we just simply won't go. :P +**\** I haven't done an international conference for MRL =p +**\** sarang: start an FFS for both of us, whydon'tya +**\** Wish it were a longer event though, we could talk about this stuff forever +**\** sure thing +**\** FP, FFS a speaking tour, it was funded in no time. +**\** I find it funny to see Monero talks and not know about the contents in advance 0\_0 +**\** besides, i would like to be able to chat with some of the organizers in person, since i want to organize a conference for next year +**\** suraeNoether: we can chat after meeting about the FFS detais +**\** see what the community thinks +**\** okay, let's see here... we've covered research, travel, a bit of MAGIC... +**\** later today i'm writing up my FFS end-of-month summary... +**\** What's the approx expense? +**\** sgp\_[m]: will sponsor you +**\** sgp\_[m]: tickets alone for me are 2400USD. doesn't include loding +**\** Airfare for me would be ~1500-1700 USD +**\** lodging\* +**\** This one is not cheap, that's for sure +**\** Okay, the last thing I wanted to chat about +**\** is \*next year of MRL\* +**\** for those of you who recall correctly, I began in June of last year, +**\** aaaand +**\** well, I want to know how folks like the direction we are going, see if anyone thinks we should be taking different directions, perhaps see how community members feel about our resources +**\** oh shoot, it's time for another Revuo already. +**\** My take is that MRL is on the right track +**\** I think MRL is doing good stuff. Happy with you guys. +**\** I wouldn't mind hiring an additional researcher or two. but I don't want to overly burden the community, though, and +**\** it reminds me of a story, I have no idea who told it to me +**\** but you tell two guys to go dig a ditch and everything is fine. you later hire a third guy to help and tell him he's in charge of the first two and all work totally stops +**\** or send a third guy over and have one of the first two guys be in charge, same thing happens +**\** I'm not sure how sarang feels bout hiring additional folks, if he feels like we could use a person for specific things or not, etc +**\** we can do grants maybe? to do research on Monero related topics +**\** When I started shortly after suraeNoether, our goals seemed pretty broad: figure out what we're doing right, correct what we're doing wrong, and figure out what comes next. The way we're funded always makes me feel guilty about providing good deliverables, but I think the community realizes that's not necessarily the point +**\** that's an interesting idea antw081. More on a contract basis for specific stuff. +**\** but this begs the question do we want to dig a second ditch +**\** antw081: that's sort of hard to fund on a per-project basis. +**\** ArticMine: +1 heh +**\** so, the thing is +**\** it can be general fund +**\** like HackerOne +**\** question, would a third researcher have unique things to do, or just be another set of eyes on the current stuff? +**\** or Bug Bounty FFS +**\** That also begs the question: what would that mean for my role? Or suraeNoether ? +**\** I think grants make the most sense for additional research. Get some people to focus more formally on specific research +**\** Should we move to a per-project funding too/ +**\** I don't think so sarang +**\** ok i gut to ask +**\** I think having two general researchers that do what they feel needs to be done is beneficial +**\** is there like a group of cryptographers called the: Is there an organisation called Chainmasons? +**\** ? +**\** lol +**\** sorry: Chainmasons +**\** what is that +**\** rehrar: I ask because I want to ensure suraeNoether and I are providing value to the community +**\** sarang + suraeNoether = 33rd degree Chainmasons +**\** his guy claims to have formed a group of researchers - referred to as Chainmasons +**\** In my personal opinion, you the four full time hired people, you two, mooo, and anonimal are good four cornerstones for teh community +**\** his = this +**\** it seems like if the MRL didn't exist, Monero would feel a lot more precarious and purposeless +**\** https://bitcointalk.org/index.php?topic=3118418.msg32233166#msg32233166 +**\** I view part (certainly not all) of my value as staying afloat of new developments that we don't necessarily have specific projects for +**\** yes, this is important +**\** like, shouldn't there obviously be research into privacy for a privacy focused crypto? +**\** Monero does not necessarily equal ring sigs, ringct, and stealth addresses +**\** koe: A lot of good research happens academically too +**\** not affiliated with anyone +**\** We often use that work (e.g. BPs) +**\** I think at the moment you all are more responding to other research, changes, and looking into thoughts people have. There's definitely value there, but there's also value in allowing people to be focused on certain projects. +**\** yeah, but the MRL cares about making that stuff apply to Monero +**\** I may not speak for the community though, since I'm a privacy idealist, and this stuff you guys do gets me excited :D +**\** sgp\_[m]: definitely +**\** so, the reason i bring all this up is this +**\** if I had one comment though it would be this: +**\** When I came on, there were some specific projects in that realm, like sublinear ring sigs, but more kept getting added to our plates +**\** sarang is the intent for MAGIC to provide research grants? Eg: support one group taking a deep dive into the effectiveness of churning +**\** I think time should be split fairly evenly between new research, and improving the privacy and security of the stuff we already have implemented. As an example, and as I have stated before, I think designated research into optimal ring sizes, fixed ring size vs non, and other stuff of that nature should be a higher priority than it currently is. +**\** MAGIC is definitely intended to provide research grants as part of its mission +**\** rehrar: agreed, but it sucks that these things are often not so neatly delineated +**\** I understand. +**\** if i was hired at a university and got a big grant, or if i was hired at a big company and had resources, i would write a budget, hire folks, get a proper lab going where representatives from the lab regularly travel to represent the lab and disseminate results, etc etc. very very different approach from getting hired at a small start-up +**\** and i feel like sarnag and I have spent the first year treating MRL sort of like the start-up approach +**\** but maybe there is a middle way +**\** that's a good analogy +**\** The specific goals were much smaller back then +**\** rehrar: MAGIC can give research grants, but not to open-source software projects (non-profits in america cannot touch OSS) +**\** Now we have more irons in the fire +**\** One thing to keep in mined is that this is a very fluid situation +**\** ArticMine: how so +**\** A significant change in XMR/USD +**\** yeah, if the market bottoms out further over the next six months, buttholes will get progressively tighter +**\** true +**\** or vice versa, we'll go full goatse at 12,000 USD/XMR +**\** true +**\** ... and there is also the flipside +**\** As an non-researcher, I think the "best" way forward is to balance both. I think the project will demand that it becomes more formalized +**\** this is an important thing to consider. The FFS, while working so far, has shown some signs of beginning to sit down to catch its breath +**\** rehrar Yeah, pockets aren't infinitely deep +**\** So we'd have to consider the carrying capacity of the funding network +**\** this applies to all sorts of people who want to put out more 'FFS propoasls' +**\** I think as a community we need to gauge what proposals are really worth funding +**\** at the very least, we have 2 months to sort of figure out \*whether\* or \*how much\* our directions shall shift for the second half of 2018. not a super urgent conversation, and 2 months is an eternity in cryptocurrencies +**\** There should be a need for people to do what you both do right now +**\** I constantly worry that my FFS will be the last to get fully funded :/ +**\** But I expect future grant-based research to be more specific +**\** ye, no job security is indeed one of the downsides of changing the world :P +**\** sarang: same, i'm actually regularly worried fluffypony is going to text me a big unhappy horse pic +**\** so we'll table this discussion for now +**\** If I may offer the perspective of an outsider: It is often quite hard to even grasp where to start research, maybe having a list of problems that need to be solved could give more people the opportunity to contribute. We could then just reward people when they solve a problem, based on how hard the problem is. this way anyone can give it a shot without entering a paid commitment, but with the certainty that they will be +**\** paid for their work if they are successful +**\** oh, hi heh +**\** This line of reasoning isn't new at all. There are camps that value more "open-ended" research because it often contributes in novel ways, and camps that really want to push specific projects that may or may not have return due to their specificity +**\** nyeaa merely formalizing our problems and characterizing whatever constitutes a solution is a monumental task in itself. :\\ +**\** m2049r[m] is facing a similar issue with his FFS proposal +**\** suraeNoether: many of our open questions on things like churn, optimal ring size, fixed vs variable, are partly due to a lack of formalization of attack vectors IMHO +**\** our attack surface is much different than other projects +**\** thanks to ring sigs and key images +**\** can't just fall back on all the work done on bitcoin...again +**\** Maybe this also speaks to the need for suraeNoether and I to devote less time to new broad ideas and more to existing fiddly problems +**\** with a fraction of the third party interest +**\** fwiw i am willing to throw some xmr at m2049r[m] but that's aside the point. +**\** he really is quite amazing, isn't he? Did alone what nobody did. +**\** popped out of nowhere :D +**\** I feel a lot mor comfortable using XMR with monerujo than I do using bitcoin. +**\** clock is ticking, our time is limited boiz +**\** allrighty, let's conclude with this +**\** (in regards to FFS) +**\** Anyone who is willing to take out Issues on the MRL github for upcoming conferences will be rewarded with admiration +**\** end of the week we should have another iteration of the multisig paper to read +**\** admiration. A new coin...or...? +**\** nobody +**\** i got a document camera for making whiteboard videos, too, forgot to mention that +**\** monero: nobodycoin +**\** okay \ diff --git a/_posts/2018-04-09-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-04-09.md b/_posts/2018-04-09-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-04-09.md new file mode 100644 index 00000000..34bf5eae --- /dev/null +++ b/_posts/2018-04-09-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-04-09.md @@ -0,0 +1,145 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-04-09 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** Let's start our abbreviated meeting presently +**\** hey everyone +**\** i'm surae +**\** this is sarang +**\** attention all aircraft, research meeting now +**\** we do maths sometimes, and math other times +**\** :D +**\** When you travel to Europe, you have to surrender the "s" at immigration +**\** yay +**\** before leaving +**\** Okay, I've been working on a churn model, as I mentioned before, and the idea is reducing to this: if there is a proportion $p$ of poison outputs and everyone uses ring size $R$ then the probability that the first poison output appears at height H in the transaction tree is easily computable: for P(H=1) = 1-(1-p)^R and for h > 1, we have P(H=h) = (1-p)^(f(h))\*(1-(1-p)^(R^h)) where f(h) = R^(h-1) + R^(h-2) + +**\** ... + R... reduces to f(h) = ((1-R^h)/(1-R)) - 1. So we want to pick a probability alpha describing type I error and we want to churn for some height H so that P(H=1)+...+P(H=h) > 1-alpha +**\** this ensures that at least 100\*(1-alpha)% of the time, some poison output appears before your churned output +**\** Now, does height delay work into this model? +**\** not used at all +**\** In case I want to delay or space my churns +**\** Is this because you assume uniform fraction of poisoned outputs over time? +**\** that will probably help protect against temporal association, but the model of transaction i'm using doesn't take age of ring signatures into account at all +**\** right +**\** but essentially, if you can churn deeply enough so that other poison outputs are more likely to be implicated than the one you are really spending, i suppose that's the best you can really hope for lacking a more rigorous analysis +**\** not sure i've seen you folks define "poison outputs," though i suspect one could make a pretty approximate guess as to the definition +**\** Outputs controlled by Eve, who can identify them as such +**\** stating it adversarilly is probably more useful than uniform. assume there might be some poison outputs in whatever time period you as the target are concerned with (since you don't know there aren't) +**\** ty +**\** so, to give an idea, even with a ring size of 5, you can churn 8 or 9 times and an attacker with between 1-in-a-million and 1-in-a-thousand poison outputs and the attacker will see a fake poison output before the real one +**\** seeing fake one before real one say 50% of the time is probably good enough +**\** at least it provides us an actionable suggestion +**\** right +**\** the good news is that churn doesn't appear useless except against extremely powerful attackers +**\** defined as? +**\** high proportion of poison outputs +**\** defined as? +**\** all except yours :) +**\** lol +**\** even works against zcash +**\** those powerful attackers are a real pita +**\** if an attacker has poisoned 1-in-a-thousand outputs in a large subset of the blockchain, i would call that attacker powerful +**\** really? that's only like 2 per day right? +**\** well now at least, with low usage +**\** maybe the word powerful is misleading people. let's say "determined." +**\** Yeah, 1 in 1000 is relatively easy to get... +**\** yeah, but 75% isn't hard to get either, for short periods of time +**\** 2 per day could be more like 'what the hell, ill give it a try and see what i figure out' +**\** I'll be really interested to read the writeup with the deets! +**\** Other comments, in the interest of staying abbreviated today? +**\** write-up by the end of the week +**\** sexcellent +**\** oh, also, the first board meeting of MAGIC is being held at the end of this month, April 27 in denver. the board members (minus one) are all going to be there: me, sarang, my wife, rehrar, and sgp. if anyone happens to be in the area, feel free to lmk and we can all go out to lunch or whatever +**\** looking forward to it +**\** btw, I finished rewriting that monero report. would anyone mind reviewing it? https://github.com/UkoeHB/Monero-RCT-report +**\** creepy +**\** koe great, i will try to read through it this week +**\** cool thanks suraeNoether :) +**\** multisig paper? +**\** koe: many changes? +**\** yes +**\** OK, will run a diff to see +**\** (status, I mean) +**\** rehrar: making edits and waiting on comments from two folks. "in progress" +**\** kthx +**\** there were some theoretical errors, i reworked the notation scheme, added subaddresses and a summary chapter, and generally revamped everything to communicate better +**\** nice! +**\** er summary section not chapter +**\** Funding is open for IEEE workshop later this month: https://forum.getmonero.org/8/funding-required/90165/noether-brothers-ieee-workshop +**\** sarang were you planning on funding for Defcon? +**\** and about 30-40 footnotes trying to explain eveyrthing to laymen +**\** rehrar: I wasn't sure what the overall funding plan for DEF CON was +**\** it seemed a bit up-in-the-air +**\** should be discussed sooner rather than later +**\** agreed, but in the context of everyone +**\** ye +**\** Plan is (ideally) for me to give a talk at the village on our crypto/math +**\** and touch on new developments and ideas +**\** suraeNoether: coming? +**\** koe this looks great +**\** also, I should have a plan ready for the FMEA meeting that I mentioned last week, within a day or two (fingers crossed) +**\** cool +**\** koe: I'm curious, what's your background? +**\** thanks sgp\_[m] :) if you have any comments let me know, I want it to be as perfect as possible +**\** rehrar yeah, i'm opening a window to get tickets so i don't forget +**\** noice! +**\** mechanical engineering +**\** a solid discipline +**\** Any other items to discuss? We touched on churn, koe's updates to the kurtmagnus paper +**\** wathoo been doing? +**\** \*watchoo +**\** a lot of reading on zero-knowledge schemes and arithmetic circuits to familiarize myself with recent progress +**\** sarang, I mean :P +**\** thank you, no more questions, your honor +**\** getting back into some tests for multiexp optimizations +**\** in prep for the BP finalization +**\** it would be nice to have those operations optimized for the next network upgrade when we deploy BPs +**\** suraeNoether: if you want another set of eyes on churn (or other help with it) let me know +**\** more than nice +**\** nioc: but it's worth noting that those aren't consensus related +**\** yes +**\** and even with the two optimizations I worked with mooo on, we're much faster than we used to be +**\** still most people only upgrade wen they have to :) +**\** we now use either bos-coster or straus +**\** these operations are also really only relevant if you bring a new node up and need to process the whole chain going forward +**\** the nice part is they're general and not BP specific +**\** Aggregated verification is relevant for keeping up with new blocks too. +**\** moneromooo: true, but less of a bottleneck +**\** also thanks to moneromooo for doing the codebase integrations for the optimizations so far +**\** sarang for sure i will real soon +**\** so this is really interesting +**\** so, the PMF for these distributions is highly unimodal and very ... spikey. low variance, heavy tails. it's like there's a step function at a critical depth in a tree. before the step, poison outputs are rare, and after the step, poison outputs are super common. very very helpful property +**\** absolutely +**\** gradual changes make it difficult to establish cutoffs +**\** ok so here's some sample numbers +**\** yes plz +**\** ring size 15, attacker proportion 10%, it is all but certain a poison output appears either in the first ring signature or in the layer of second ring signatures; in this scenario, churning twice or three times is all that's necessary for the attacker to see some decoy poison output first before the true spender +**\** UkoeHB: usual terminology is "cyclic group", not "cyclical" +**\** what fixed ringsize do u think we can pull off once BP is in? +**\** ring size 5 and poison proportion 0.0001, it is all but certain an attacker will see a poison output before layer 6, so churning 6 or 7 times is all that's necessary +**\** Do you mean, in order to maintain the same tx size as right now? +**\** i mean, will be optimal. optimal verification speed, size, privacy +**\** Well, there's a subgroup of users for whom "optimal" means "tiny in size" +**\** right +**\** so, gingeropolous +**\** are you referring to a level of churn that puts a churner at max 'anonymity set'? ie the whole pool of txo +**\** i mean, cause we're kicking the tires on a fixed ringsize right? +**\** if blockstream mathemagics their way into BP sublinear ring signatures like the RTRS sigs, or some sort of hash tree or something ... then we can get pretty big rings for the same current size, verification speed, etc +**\** UkoeHB: the maximum anonymity set is trivial: keep churning forever and don't stop +**\** who knows if that'll happen any time soon, though +**\** ok, so in the absence of mathemagic , is there a proposal for a fixed ringsize for v8 fork? +**\** there are more clever statistical tricks that could be used to link monero transactions, though, this is simply an eyeball metric +**\** maybe: 'makes a churner indistinguishable from most unrelated people'? +**\** gingeropolous: to fix ring size? i always advocate it. a formal proposal? not really, not yet +**\** UkoeHB: well, i don't necessarily think that's a good description either. i said what I meant: if you churn this amount, the attacker is more likely to see a decoy poison output appear in the transaction history before the true spender. whether that translates into indistinguishability from an innocent spender is a very different animal... +**\** and not only that, the statistical test i came up with the other day didn't take into account \*how many\* of some outputs even had poison outputs in their history.. this influences the test quite a bit +**\** but coming up with a really powerful statistical test would require strong assumptions on properties of transaction history trees, and i'm not sure that any assumptions are time-invariant (economic conditions influence a lot about how money moves) +**\** hmm ok, so preliminary work before discussing implications +**\** so "for now" this is "good enough" and these "air quotes" are somewhere between irony and not really believing what i say. :P i know of a handful of folks who are working on de-anonymization techniques for anonymity sets up to sizes like 50-100, so whatever sort of unlinkability we are buying here is strongly provisional on the analytic capability of the attacker +**\** yeah diff --git a/_posts/2018-04-16-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-04-16.md b/_posts/2018-04-16-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-04-16.md new file mode 100644 index 00000000..9240bd99 --- /dev/null +++ b/_posts/2018-04-16-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-04-16.md @@ -0,0 +1,109 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-04-16 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** allrighty +**\** well hello everyone +**\** oh man how could i forget hyc +**\** grettings +**\** Sarang, you want to kick us off? What have you been working on? +**\** Sure +**\** I've been working on the churn analysis paper suraeNoether began, looking at definitions and models etc. +**\** The paper on FruitChains was also brought to my attention again +**\** this is my first time seeing it +**\** It's an interesting scheme intended to reduce the effectiveness of pooled mining +**\** there's an overhead in block data, unfortunately +**\** interesting +**\** but it ensures more fair mining and reduces the effectiveness of selfish mining attacks +**\** What isn't as clear is the way reward incentives are done, since it's a sort of distributed reward system +**\** We did a review of our JS PRNG +**\** after a posting on some shitty ones (we're fine) +**\** yes! such drama haha +**\** Looked at zerocoin attacks +**\** and more of the usual audit administrivia +**\ \** +**\** how is the audit going? +**\** what stage of the process are we at for each auditor? +**\** As planned; we're in the queue for each reviewer +**\** I have a kickoff meeting w/ Kudelski tomorrow morning +**\** i think this might be the first time we'll actually end up getting this discussion into the meeting notes on github +**\** I will say that the FruitChains idea is intriguing if only because of the disincentive to pooled mining +**\** especially after our ASIC shenanigans +**\** the paper says "orange is the new block" +**\** I see the resistance to selfish mining as pretty important too +**\** Oh yes, that property is also nice for sure +**\** hyc i agree, especially after seeing a huge ecology of selfish mining and block withholding attacks at BPASE +**\** also, BTC is unlikely to ever pursue it. "Too complicated to code" +**\** cool beans, cool beans. i've spent the past month basically reading crypto papers, writing code, and writing papers. i'm now back knee-deep in multisig, and i think i'm going to make some recommendations for changes instead of trying to merely describe our current system, since the c++ review was going to be in a second paper anyway... +**\** but in the past few weeks, i invented a signature scheme. i lack an implementation, but i am still going to seek publication (because maybe someone else can come upw ith an implementation) +**\** In the grand scheme of things, the addition of fruits isn't a \_huge\_ overhead in space, but it'd need to be considered +**\** What's the coding you're up to suraeNoether ? +**\** anyone curious about that can see it here: https://www.sharelatex.com/read/sbjpykftgxkn ... +**\** still doing the Poisson graph simulation thing in the evenings +**\** sounds like an excellent work-life balance =p +**\** in addition to that, I started writing up some notes on using a Kolmogorov-smirnov test as a basis for difficulty adjustment... and then i realized it'd be nice and fun to write a "difficulty adjustment as a statistical inference problem" paper +**\** and with those sims, i'll be able to test various hypotheses about UMVUEs and such +**\** but that's sort of my side thing the past few weeks. i've been putting a lot of energy into churn and multisig +**\** surae is there an updated multisig pdf I can look at? +**\** the one from a month ago has some issues but if you fixed them then all good +**\** koe\_ wednesday. and yeah, there have been some drastic changes since then +**\** difficulty? have you been talking to @zawy12 ? https://github.com/monero-project/monero/pull/2887 +**\** hyc i've read through a lot of that, and zawy12 will be heavily cited in my work +**\** cool +**\** let's see here... +**\** I've also spent time organizing the first board meeting for MAGIC, April 27 in Denver. sgp and rehrar and myself and sarang and my wife will all be there, and we'll be doing it at one of the possible monero conference locations so we can kinda scope it out +**\** maybe we'll all go out and look at several locations and take pictures and rate the places by ratio of distance-to-taco-place by distance-to-hotels +**\** yessir +**\** oh, and effing taxes +**\** Aren't those fun? +**\** Any updates from others? +**\** last weekend I cobbled together my PoW PoC +**\** literally slapped together while reading a tutorial on JS syntax +**\** gonna fork monero? do an airdrop? +**\** I wanted to launch hyccoin from it, but he wasn't ecstatic about it +**\** it would be nice to publish my report on transactions soon, if surae can get a chance to look through it this week +**\** give me a link right quick +**\** i'll add it to my high priority before Wednesday thing +**\** https://github.com/UkoeHB/Monero-RCT-report +**\** in the next couple weeks I plan to rewrite it into something closer to production quality. the current version produces wildly inconsistent random programs (very small to very large) and we want something a bit more uniform in length/runtime +**\** koe\_: it's a nice update +**\** oh koe wait are you kurt magnus also? or are you two just collaborating? +**\** ill add some edits ive made over the last week soon, so its all up to date +**\** I took over the report ffrom him +**\** haven't heard from him in weeks idk +**\** huh. +**\** Okay, so, basically my whole life right now is dedicated to 1) multisig, 2) reading koe's thing by wednesday, and 3) getting ready for LONDON NEXT WEEK +**\** oh my GOD you community members who donated ROCK and kick ASS +**\** ^ +**\** I'll put on my Fancy Jacket so I can represent us well +**\** If anyone is going to find themselves in london on Monday next week +**\** hyc, when you do that, can we launc the test coin? :D +**\** let's get some fish and chips and wear bowler hats together +**\** suraeNoether: do I have to start carrying my phone in my left pocket instead of my right? +**\** rehrar absolutely, I will launch my own testnet. pre-ICO announcement right here right now. +**\** Okay, anyone have any other discussion points? +**\** instead of directly storing the records m inside the blockchain, the records are put inside “fruits” denoted f +**\** sarang i recommend not bringing your phone to police states, but that's none of my business +**\** jwinterm: yes +**\** fruits and blocks are mined at the same time +**\** I'm just going over the paper quickly now +**\** but reference different things in the chain +**\** and mining rewards are distributed over a segment +**\** please inform me hyc, I want to be among the first to hold these coins +**\** lol okeydoke +**\** how many wowneros for a hycoin +**\ \** +**\** lol +**\** OH! No meeting next Monday +**\** Sarang and I will be bowler-hatting +**\** in old london-town +**\** funfun +**\** I assume it'll go much like The Prisoner +**\** and we'll end up on some island +**\** until we spill the beans on Monero diff --git a/_posts/2018-04-30-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-04-30.md b/_posts/2018-04-30-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-04-30.md new file mode 100644 index 00000000..885ed79b --- /dev/null +++ b/_posts/2018-04-30-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-04-30.md @@ -0,0 +1,188 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-04-30 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** dingdingding +**\** it's time +**\** h'lo +**\** Hi everyone~ +**\** Welcome to our research meeting +**\** g day +**\** One week ago today, Sarang and I were in London +**\** hello +**\** thanks to this generous community +**\** It seems as if it were only a week ago +**\** heh +**\** It was highly productive +**\** Hello +**\** We got to meet some London meetup organizers before the event, which was great +**\** yes, this is where we spoke with Pedro Moren-Sanchez, who together with his student (who goes by donut in here) invented refund adresses for Monero +**\** I'm analyzing some preliminary material from them +**\** There's some question about the applicability of hiding block heights +**\** and whether this provides sufficiently better information obscurity to make it worthwhile +**\** Great sarang! Glad you could make that work +**\** Since then, other than recovering from jetlag, I've been working non-stop on the multisig paper, which has come a long way... but I've run into a roadblock on the proof of unforgeability, involving the key image, the signing oracle, and access to a discrete logarithm oracle +**\** it involves a change to the ring signatures and key images +**\** in addition to that, I brought rehrar, sgp\_[m], and sarang out to Denver to meet with me and my wife about MAGIC, Multidisciplinary Academic Grants in Cryptocurrencies +**\** whats MAGIC? +**\** or rather, can you elaborate.. +**\** MAGIC is (or will be) a 501(c)3 non-profit based in Colorado, USA +**\** a Colorado nonprofit organization dedicated to empowering the next generation of people in this space +**\** nice +**\** our goal is to promote education and scientific research, as well as community and educational outreach, in privacy infrastructure for the public good +**\** that is actually pretty awesome +**\** the basic idea will be to take some of the capital flowing into cryptocurrencies and close the loop back toward education. provide scholarships, provide research grants to researchers and infrastructure grants to schools, and to host conferences on privacy enhancing technologies +**\** It will help boost education (which is great for many reasons) and also can help to promote privacy in the eyes of the public +**\** I'm not one for focusing solely on PR, but it could help +**\** \*nod\* +**\** Kudos to suraeNoether for all the planning on this +**\** it's a ton of work +**\** well, so is math, and this is a way for me to procrastinate on one by being productive in another, and vice versa. :P +**\** i think if you can redirect some of the capital flows alone towards solid scientific research you are doing a great service already +**\** there is a lof of greed in crypto +**\** thanks midipoet +**\** Our goal is focus first on education, and then on research +**\** The research side overlaps a bit with some other groups (which is totally fine and beneficial) +**\** MAGIC focuses on ecological conservation and saving the whales +**\** lol +**\** hehe +**\** oh wait, I think I dreamed that (no joke) after our meeting +**\** our first year we don't expect to get enough money to provide a substantial amount towards research, which is pretty expensive. the first year we are going to focus on scholarships, hosting a conference, and hopefully building a computer lab or a library for some impoverished primary schools +**\** Hopefully the 501(c)(3) process goes smoothly. It's very... federal +**\** I'll have more info on that later this week +**\** tomorrow, it's lawyer meetin' time +**\** excellent +**\** nice +**\** It's worth noting that donors are free to remain anonymous, in the spirit of Monero +**\** but the 501 status will allow donations to be tax-deductible in the U.S. if donors reveal themselves +**\** creating goodwill around crypto is needed. a lot of people have a very strange view of it, especially since the whole ICO thing +**\** midipoet: definitely +**\** The only other group I know of trying a similar-ish thing is the Zcash Foundation +**\** We'll certainly apply for one of their grants if possible +**\** This work transcends silly interproject politics +**\** i could tell you a sad story about what computer science kids thought crypto is about in nigeria +**\** yay! +**\** crypto = ca$hmoney +**\** https://i.imgur.com/J2Vyl27.png +**\** pretty much sarang +**\** So, from sarang's research we've been looking at refund addresses. from mine, I'm struggling with signing oracles, key images, and discrete logarithms in our unforgeability proofs of multisig (ahem). from educational outreach, we have several folks from the monero research lab and the monero community participating. We even got dinner with Zooko to get ideas on including more independent folks, and I'm +**\** reaching out to two possible additional board members later today +**\** ... silly politics is based on technological assessment tho +**\** wrong channel. sorry. +**\** hyc: I totally see that side of it +**\** But for the purposes of this organization it's all silly +**\** I should have clarified +**\** We'll take donations where we can find them if it means helping more students and communities +**\** on another note, a representative from the ZCash foundation asked if we know of anyone in the Monero community who would be willing to serve on the ZCash Foundation board of directors. Because ZCash Foundation, despite the name, is independent of ZCashCo, is a non-profit focused on internet payment and privacy infrastructure also, even if one disagrees with the zcash design philosophy (which is totally fair) +**\** you could still contribute to the privacy community as a whole +**\** hyc maybe you should do it :D +**\** of course, no one from Monero \*needs\* to go and attempt that, but I think it's nice that they reached out +**\** would you not lose some street cred sitting on that board? +**\** I second hyc +**\** he has the good looks and charisma necessary +**\** midipoet: almost certainly. +**\** rehrar: and the fiddlin' talent +**\** midipoet: maybe, but that's up to the individual +**\** midipoet: street cred is for shmuks +**\** rehrar: ^ +1 +**\** schmuks in Zcash suits +**\** It's worth noting their organization documents include language specifically mentioning supporting the Zcash network +**\** FWIW +**\** I don't agree with many things of the Zcash implementation, but they're pushing the privacy scene forward +**\** in a similar way that we are as well with our work +**\** I choose to believe that better research and public perception of privacy will help us all +**\** right, even if this whole cryptocurrency experiment fails, the world can learn +**\** yeah, i agree as well. just sceptical +**\** and they're literally making free money available for research and other helpful projects +**\** personally, i think that in 20 years or so, we'll look at the different currency teams in the same way we look at IBM vs. microsoft. it's not weird for IBM guys to get lunch with microsoft guys, or for them to do business together, and probably any market forces that improve one will lead to improving the other. +**\** i mean +**\** there's a positive covariance in market performance across most of the big cryptocurrencies, so high tides lift all the boats, so to speak +**\** It's like commercial airlines... the management types see each other as the devil, but the pilots all help each other out since they're out to get people there safely +**\** maybe +**\** lol maybe +**\** that said: https://www.youtube.com/watch?v=A51Bl3jkF0c +**\** to continue that analogy, it's like Google using Java for Android, which was made (or maybe its IP is just now owned) by Oracle +**\** ^ continues to be one of my favorite videos (10 seconds long) +**\** sneurlax: sure lol +**\** anyway +**\** aha +**\** ok, so that covers the basic research from the last week, and our educational outreach, and the various political-ish connections MRL has made with other projects +**\** My monthly report details a few other things we've been doing: https://www.reddit.com/r/Monero/comments/8fzfzx/april\_monthly\_report\_from\_sarang\_noether/ +**\** has anyone done anything else they want to chat about? interesting simulations? I know silur has expressed some interest in getting more involved at MRL, but he is suffering under the delusion that one of us is in charge +**\** The audit has begun for the two larger groups +**\** oh! audit! yeah! +**\** Nothing to report there, just reviewers getting their hands dirty +**\** but it's good news +**\** good, good, it's before May so that's pretty good +**\** uh, yeah, what's your favorite programming language with which to verify claims/reports? Python? +**\** i want to signpost the research i am doing. some of you will have heard it a million times, but formal requests for interviews with devs/cryptographers will be coming very soon. so warning! +**\** sneurlax: I dig Python for tools +**\** We also need to have fee structure discussions sooner rather than later +**\** and decide precisely how that will change with the BP deployment +**\** oh shoot, that's a big conversation that we don't want to leave for the last minute +**\** yes +**\** We keep almost having the conversation +**\** Fees are probably the most publicly-visible part of the BP thing +**\** as well, would there be work for an undergrad mathematician (well versed in statistics)? I know of one that would probably want to get involved over the summer. Would be at the disposal of our MRL PhDs +**\** One thing I would like is a clean Python library giving data structure access to transaction trees +**\** sarang let's talk about fees later today or tomorrow? +**\** rehrar: what sarang said: visualization of transaction histories +**\** i.e. this transaction has these inputs in its ring, and those trace back to other rings, etc. +**\** not even visualizations +**\** just a library giving clean data structures +**\** we can do all sorts of things with that +**\** sarang: suraeNoether: that is the basis of my tool +**\** yeah, fair enough, i'm more interested in various statistical properties of those things +**\** Yeah I wanted to ask about details with that +**\** sneurlax: want to talk about it, since it came up? +**\** I can port that to Python. the more information/specs you can proivide, the less questions I'll have later +**\** Sure, let's chat after the meeting sneurlax +**\** perfect +**\** Even if it's not Python, having something easy to implement will be great +**\** yeah, i mean from my point of view +**\** always check with ArticMine when it comes to fees +**\** i'm interested in things like the distribution of sizes of transaction trees, how often outputs are re-used within the same, tree, stuff like that +**\** Yes, it's a discussion for many people +**\** nioc: yeah, he has something written up already +**\** but one that needs to be had +**\** iirc +**\** Any other interesting work lately? +**\** (BTW we should arrange some time in -dev meeting for fee talks) +**\** should be a dev meeting this coming Sun +**\** rehrar: ^^^ ?? +**\** yes nioc +**\** Was this discussed? https://github.com/moneroexamples/key\_images\_comparison +**\** it has not been +**\** wow! +**\** much smaller numbers than I was expecting +**\** you know, endogenic earlier asked about the plausibility of long-term blackballing +**\** and I responded with a silly analogy, comparing the monero blockchain to a pile of radioactive material: outputs have half-lives of their anonymity as bad actors perform more and more blockchain forensics, they expose more and more old outputs... +**\** Thoughts on the proportion used, and the proportion that used the tool? I actually felt that 10% of reused key images using a special tool to pair outputs was unusually high +**\** lol pretty sure Zcash team has me blacklisted +**\** i meant the % that have at least one re-used key +**\** hyc it's what you get for being such a lovely violinist +**\** harhar +**\** @sgp\_:matrix.org would you mind linking your previous work on key image reuse impacts at ... what was it, % reuse? +**\** if we make it clear which outputs are provably spent, then what we are doing is relying on economic activity frontloading this radioactive decay process, hoping that a big mass of anonymous outputs stand between us and the back end, as blockchain forensics unravel the blockchain from the genesis block moving forward. so the only way this sort of thing is sustainable is if we have economic activity outpacing +**\** forensics efforts +**\** thats quite interesting +**\** I just ask because I liked the work, sqp +**\** it highlights that ring sigs, or at least "small anon set" methods, need to be replaced +**\** that big mass probably has a lot of dead ends that'll confound that unravelling. who knows how many keys have been lost. +**\** sneurlax here's the Google Sheet (logout of Google): https://docs.google.com/spreadsheets/d/1iLa\_yklutjHqn\_DrOlO\_eTb00l4YDAezijX2J5r6P14/edit?usp=sharing +**\** or there is some critical mass of privacy enaction that provides protection... +**\** there are definitely outputs which will never be reused because their owners forgot about them, lost their keys, etc. +**\** thank you! +**\** okay, does anyone else have any questions, concerns? i need to bother andytoshi about key images and this discrete log problem I'm having before I'm more comfortable with where our multisig scheme is at +**\** so those outputs will always be ambiguous, never proven spent +**\** they could be proven unspent +**\** hyc unless all outputs that refer to it can be proven to be linked to another output +**\** right +**\** ok +**\** OK, meeting is officially adjourned, but feel free to stick around for further discussion diff --git a/_posts/2018-05-07-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-07.md b/_posts/2018-05-07-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-07.md new file mode 100644 index 00000000..f8695ac4 --- /dev/null +++ b/_posts/2018-05-07-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-07.md @@ -0,0 +1,236 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-05-07 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** OK, it's time to begin +**\** Welcome to everyone; hello +**\** Hi! +**\** Calling others: hyc suraeNoether anonimal endogenic binaryFate fluffypony luigi1111 luigi1113 rehrar[m] monerigo[m] gingeropolous dEBRUYNE +**\** and many others no doubt +**\** s/monerigo[m]/moneromooo +**\** présent +**\** I suppose we can discuss recent updates and such +**\** I have been focusing on noninteractive refund transactions +**\** it's surprisingly tricky to get right +**\** The idea of whether or not to hide block heights has big implications on size and complexity +**\** and also will affect the use of old outputs +**\** Hey everyone, sorry I'm late (and not using my registered nick) +**\** A good higher-level question is whether we insist that having refund transactions is enough of a priority +**\** Hello fake suraeNoether +**\** heh +**\** \*enough of a priority to devote big plumbing-level changes +**\** these questions have consumed me as the Whale consumed Ahab +**\** and, like Ahab, I spend much time in the company of Starbuck(s) +**\** gross +**\** theRealSurae: what has consumed you lately? +**\** it feels like there should be an easier way to hide amounts. Maybe worth mulling for some time +**\** UkoeHB: other than commitments? +**\** Hi +**\** Yeah. Maybe a shift in perspective. Baseless intuition +**\** what +**\** Well, the current Best Way is homomorphic commitments + range proofs to ensure balance +**\** I've been thinking about koe's reduced mlsag and how we might be able to batch-verify ring signatures with bulletproofs. and i've been speaking with a professor at clemson university about the possibility of starting a paid project for a grad student to invent a new elliptic curve with 2^255-19 points on it, or to come up with a similar sort of variant to secp256k1 +**\** yeah, I think we are going to experience reduced returns in terms of hammering bulletproofs for improving our amount strucutres +**\** theRealSurae: BPs to batch verify our current MLSAG scheme? +**\** oh yea the curve order question you asked +**\** so, i think it'd be really really helpful for both bitcoin and monero to have alternate curves +**\** ohgod +**\** other than that and the multisig dump I made the night before yesterday, this week has been consumed by editing papers for other folks. Koe and my old advisor and another document. lots of reading this week +**\** What are your thoughts on refunds? +**\** and thank you for that :) incredibly helpful +**\** UkoeHB: any big changes to your excellent paper? +**\** Well we found out monero doesn't even use borromean sigs +**\** genBorromean should be genSAGs +**\** Or something +**\** SAG? +**\** I've been thinking a lot about the refund structure with timelocks, and I'm trying to figure out exactly whether we have a novel "invention" in these refund transactions or whether tit is equivalent to a timelock+multisig situation +**\** spontaneous anonymous group sig. Like LSAG but no key images +**\** for range? +**\** Yeah +**\** Check ringCT.cpp genBorromean +**\** Yeah I'm familiar with that code +**\** It's 33% larger range proofs than a real borromean setup +**\** ... i need more details about that, koe, if you don't mind... +**\** heh +**\** theRealSurae: big thing is non-interactivity +**\** I don't need the recipient's cooperation +**\** I'll see what I can do +**\** thanks koe, i'm not in a rush on that though... +**\** I want to remind everyone that I'll be mostly away from the internet from tomorrow until the 19th, with some intermittent access. +**\** luigi1111: is this (genBorromean doesn't actually generate Borromean sigs) correct ? +**\** yup have fun :). Vacation right? +**\** i'm not the sort who can really put work down, but i'm trying, briefly. i managed to write up a skeleton of the unforgeability proof for multisig and hand it off to sarang to familiarize himself with the musig approach +**\** Zcash is also coming up with their own curve so as to speed up the particular things they need to. I find it worrying if the trend is that every project cooks up their curve to suit their particular needs. +**\** and, like I said, I'm communicating with some folks at Clemson +**\** Yeah I've been revisiting the original musig paper +**\** Not that I know of +**\** binaryFate: why would this be worrying? +**\** theRealSurae: 2^255-19 isn't the number of points +**\** you are right, it's the group order +**\** against the "don't invent your own crypto", and light years away from typical review process for curves +**\** right? i misspoke +**\** no, 2^255-19 is the prime field +**\** I hear it's a kind of cake +**\** Or that feeling when your leg falls asleep and you stand up +**\** Group order is l +**\** 2^252+blah +**\** aaaanyway +**\** i confess I tend to think of our group as a scrambled mirror image of Z\_q, despite addition of points not even landing on the subgroup. +**\** So theRealSurae is working on unforgeability +**\** I am figuring out if noninteractive new-output-style refunds are worth it +**\** Other fun times? +**\** binaryFate: yeah, I see that +**\** binaryFate: do you have any information on the Zcash efforts? I wasn't aware of their work +**\** binaryFate: eventually that curve, even if proven to satisfy our desired properties, will have to be implemented, and the dangers or crappy implementation are huge... but I don't think that should discourage research into new curves and new proof methods using isomorphic curves +**\** yeah, I wasn't either. I thought it was just Blockstream looking for a variant of secp256k1 so far +**\** oh i messed up - they are borromean ugh +**\** that's a relief koe! +**\** UkoeHB: what led to believe otherwise? +**\** ^ +**\** misreading code like a fool +**\** thought this hash\_to\_scalar(L[1]) meant an array of hashes for each L[1], instead of a hash of the entire array +**\** Good thing hashes aren't important to borromean sigs /s +**\** If there aren't any other big topics to discuss, we could certainly return to refunds or previous topics +**\** There were suggestions from luigi1111 that the refunds needed for payment channels would be possible purely w/ timelocks + multisig +**\** will look for some link on the zcash curve thing. It's part of their roadmap to reduce overhead to generate z-transactions iirc +**\** I do not see how that would be possible without interaction from both parties, or a third-party arbiter +**\** I just want to mention that I'm working on preserving the integrity of outputs held by mining pools +**\** But I'd love to be convinced otherwise +**\** MRL corporate cheer! +**\** sgp\_[m]: in response to the linking work? +**\** It does require interaction at the start +**\** right +**\** it'd have to +**\** So the recipient pre-signs for the refund? +**\** I have a bit of other ZCash news. +**\** sarang kinda, yeah. I don't have too much to mention now though +**\** How does the network verify the spend of the originally-intended output? +**\** sgp\_[m]: ok, keep us updated +**\** I've contacted ehanoc re: the "transaction tree" python toolkit and we will collaborate to deliver that after I finish the scraping tool which moneromooo asked for. mooo, I'll be sending you results this week +**\** sorry to interject +**\** sneurlax: excellent! That'll provide good data +**\** rehrar[m]: tell us? +**\** sneurlax: that's fantastic news +**\** ZCash wants to open a grant proposal jointly with a Monero community member (that'd be me atm) to donate a considerable sum of money to some FFS proposals. +**\** What types of FFS do they want to fund? +**\** how would that work? would you have discretion over donating the funds? +**\** https://twitter.com/socrates1024/status/993252058923925506?s=19 +**\** i'll almost always take free money if it's no-strings +**\** Aw shucks, they like us! +**\** that's... fantastic +**\** Dunno. When next round of bp auditing funds? +**\** We can out it up, raise the amount, and take out right away. Superior Coin also wants to help if you recall. +**\** Perhaps we can also get subaddresses audited? +**\** hmm +**\** Yeah, was thinking of waiting until closer to the finalization, but I suppose there's little advantage if we can coordinate w/ OSTIF quickly +**\** it seems like a lot of projects want to funnel their research funding through the Monero FFS +**\** the harder we criticize them the more they like us... 10k$ is not that much compared to amounts raised typically anyway +**\** It's a nice gesture of community spirit though +**\** I think the best ones are the hardware wallet (which should work with Zcash iirc) and code audits +**\** They're masochists binaryfate. If we criticize harder they'll give more. +**\** A subaddress audit depends highly on the scope +**\** The BP scope was narrow-ish +**\** binaryFate: yeah, it seems like a largely symbolic thing, but also: they've been really encouraging me and sarang to encourage you guys to ask for grant money. +**\** rehrar[m]: i should just take zooko out to a bdsm club in denver, see if they offer us six or seven figures. :P +**\** In return , we can send them Monero stickers to put on their laptops. +**\** something something meat market +**\** meat meat something market +**\ \** In return , we can send them Monero stickers to put on their laptops. <-- they have one at least, we've put one on zooko's back at CCC without him noticing +**\** I'll be interested to see how the 10K is disbursed +**\** sarang: Is the implication that it would totally be up to our discretion? that's sort of what i'm getting... +**\** Zooko is a dude. +**\** I chilled with him in Colorado. +**\** Can neither confirm nor deny Verge dev there too. +**\** What if we take the 10k, pay for a semester of a grad student working with some cryptographers to invent three new curves, a variant for secp256k1, a variant for x25519, and a variant for zcash's thing +**\** tall order +**\** maybe +**\** sorry rehar +**\** it'd guarantee that student would spend the rest of his time in grad school working on that sort of thing +**\** which I think would be a valuable thing: seed the mind-virus among as many researchers as possible +**\** They're not even asking for doing joint work with zcash stuff at this stage apparently. Would just channel to Monero topics entirely if possible. +**\** Hi all. +**\** Anyway grad student is a great idea +**\** binaryFate: yeah, that's the inference I made +**\** I'll talk with Miller. +**\** See how he wants to do the grant proposal. +**\** binaryFate: the problem then is picking the student/school +**\** Funding grant money for school research seems cool. Pinning all the hopes on one grad student seems like a bad idea. +**\** rehrar[m]: please do, maybe CC me... I can hook him up with at least two cryptographers at Clemson who may be interested +**\** pwrcycle: yeah, you'd pick by advisor more than student +**\** Maybe we can get some people to make a FFS that should have made one a while back in exchange for ZCash paper +**\** Like dEBRYUNE +**\** Then again, what use have gods for our petty currencies. +**\** Btw having some sort of pulic call for the paid internship circulating in academic circles is as important as the thing actually happening, in terms of mind-virus spreading +**\** Nothing more from me. +**\** rehrar[m]: you are the greatest orator of our time +**\** binaryFate: TRUE point +**\** very true +**\** sarang +**\** yo +**\** when I get back I'm going to look into putting job postings on mathjobs.org +**\** i was about to ask you to do it while i'm gone, but it's not urgent and there's no need to delegate. :P if you're curious, though :D +**\** I think using mathjobs is a really good idea for pure math applicants +**\** there are lots and lots of applied jobs on there too +**\** you should check it some time, but +**\** creation of a curve is at the intersection of applied algebraic geometry and pure cryptography +**\** right, that wasn't what I meant +**\** so it's sort of both pure and applied +**\** oh ok +**\** I mean to get solid reach to academics +**\** that's the obvious choice +**\** yep +**\** They can send us a list of all the points on their new curve, for us to check +**\** good old emails circulating between labs and advisors ("if you have a really good students, consider asking them to apply. And please forward blabla") is also worth it. Reaches more senior people than a job posting probably read primarily by students directly. +**\** Oh, so I've been seeing random reddit postings about deep reorgs +**\** But I haven't looked into it at all +**\** Anyone know anything? +**\** also articles are starting to come out https://www.trustnodes.com/2018/05/07/monero-allegedly-attack-claims-double-spends-orphaned-chains-21-block-deep +**\** I think it's fixed now (no PR yet). +**\** Do you know the cause? +**\** is it known what the issue was? +**\** jinx +**\** The +20-blocks fork mentioned in the post is not an actual fork, you only see that when syncing. But somebody is fiddling with decent HR +**\** buy me a DietMonero +**\** i thought the first few reports were possibly the OP for some reason +**\** moneromooo link or summary? +**\** Some init wasn't done in some cases when adding a tx. +**\** Yeah, I want to be able to give correct information +**\** So that was causing the tx to be rejected though it is valid. +**\** hrmm +**\** OK, so that explains the "double spend" FUD +**\** The long-chain reorgs are just related to initial sync? +**\** It was noted that there wasn't any big spike in hashrate +**\** so it's not outsiders coming online and futzing +**\** If a pool doesn't accept a valid tx, it will continue mining on its own chain till it stops doing so. +**\** OK, so it's a single cause with these two effects? +**\** What two effects ? +**\** Well the reports I've seen have complained about apparent double spends (rejected tx) and long-chain reorgs +**\** i feel like if a selfish miner was going to release a chain in an attack, the hashrate wouldn't necessarily look different to an observer, especially if the attacker had 33%+ attack power and was clever with their timestamp choice... +**\** I don't know anything about double spends. +**\** Though if a merchant is only connected to that pool, you could swindle it. +**\** The merchant would have to be only connected to that pool though, but that's not a new attack. +**\** Yeah that's just being cavalier +**\** https://www.trustnodes.com/2018/05/07/monero-allegedly-attack-claims-double-spends-orphaned-chains-21-block-deep +**\** i don't like that article for a variety of reasons, but +**\** Yeah that's the article I keep getting linked to +**\** it's based on some r/monero complaint posts +**\** so naturally it will be accepted as gospel and spread widely +**\** it would be helpful to get more information from the specific users making this complaint +**\** A random user says one thing and the devs who know things say another thing! So there's no way to know! +**\ \** It was noted that there wasn't any big spike in hashrate <-- if someone is purposefully mining on alternative blocks rather than winning chain, we would not "see" the HR spike as it does not make blocks coming faster +**\** You'd see a hashrate spike downwards. +**\** only if that miner was mining before no? +**\** Yes. +**\** not necessarily; an attacker with exactly 50% hash rate and honest timestamps will appear to be invisible. an attacker with lower hash rate could mess with timestamps slightly and appear invisible. an attacker with too low of a hash rate couldn't manipulate his timestamps enough to hide his activity +**\** (not necessarily re: downward spike) +**\** Can we check how long it took them to mine a particular altchain of N blocks by checking logs on other nodes on when the last block in their chain got known to peers? +**\** we can put a bound on it, for sure, and we can use that to estimate the hash rate power they have +**\** ok y'all I gotta go +**\** have a good week and a half! +**\** same! diff --git a/_posts/2018-05-14-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-14.md b/_posts/2018-05-14-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-14.md new file mode 100644 index 00000000..4c9741aa --- /dev/null +++ b/_posts/2018-05-14-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-14.md @@ -0,0 +1,162 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-05-14 +summary: MRL work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / sarang +--- + +# Logs + +**\** andytoshi anonimal binaryFate ArticMine dEBRUYNE endogenic gingeropolous moneromooo sgp\_[m] smooth stoffu UkoeHB etc +**\** Hi +**\** Kind of present :P +**\** close enough! +**\** an informal meeting today, probably fairly short +**\** not present +**\** 1. Greetings +**\** yo +**\** 2. Updates all around +**\** Our pal suraeNoether is on holiday +**\** that lucky bastard +**\** I've been continuing to work with the Purdue researchers on noninteractive refunds +**\** which would be much more of a hassle than an interactive refund +**\** But it brings up some really interesting new ideas that we're formalizing to publish +**\** Aside from that, there was some good Zcash anonymity research in the spirit of the monerolink stuff +**\** It has good lessons about the importance of mandatory privacy +**\** Another paper pointed out some flaws in the MuSig paper that suraeNoether had been working with +**\** not in terms of attacks, but in terms of security proofs unfortunately +**\** The second BP round went through, and we'll be getting that funding to OSTIF as soon as I can talk with a Core Team member about funding release (send them my way if you find them today!) +**\** Anything else from the peanut gallery? +**\** will get in touch with OSTIF again tomorrow +**\** binaryFate! Perfect, thanks +**\** Please release it all to lock in the exchange rate; your help is appreciated as always +**\** Any unused amount will be return to us by OSTIF +**\** Yes I understand there is some freaking out about exchange rate around :) Will do +**\** It seems to be a quiet day today, not sure if anyone else has anything to share +**\** Or something they've run across lately +**\ \** not in terms of attacks, but in terms of security proofs unfortunately <= What does this entail? +**\** They had done away with a precommitment phase of their key preparation +**\** and this led to a flaw in the proof that would be fixed by adding this step (more communication) +**\** it would also make it secure up to discrete log, as opposed to one-more discrete log as it is now +**\** I had a brief chat w/ andytoshi about it earlier +**\** So it's not a showstopper, but would preferably be implemented right? +**\** Right. I don't know of any big projects that were immediately applying MuSig directly, but suraeNoether was curious about using some of the ideas to reduce communication +**\** All right +**\** The "upgrade" to DL security is good too IMHO +**\** Consensus is live streaming, as mentioned earlier... so that's a source of infotainment for anyone interested +**\** They're having Zooko interview Whit Diffie about privacy +**\** that'll be a good watch +**\** For this week, I plan to incorporate some suggestions from the Purdue folks into the writeup of noninteractive refunds and get that out +**\** and look more precisely at interactive refunds and what's needed +**\** Whelp, it looks like slim pickings today for updates, so +**\** 3. Tearful goodbyes +**\** Keep up the good work, and be well +**\** We'll never forget the good times and memories +**\** Did anyone have a chance to look at my research on mining pool outputs? +**\** Yes! Can we talk about that openly in here? +**\** I don't recall if you had publicly released it +**\** Just the mitigation strategies +**\** This is what I worked on: https://1drv.ms/b/s!AjOt8D-0YjBHgco6O7TRnzm91YACUw +**\** My only lingering question was regarding the suggestions for churn +**\** since that work is still ongoing to determine the optimal behavior +**\** I think we should discourage churning as much as possible since it harms the network, but it can be used effectively to preserve the integrity of outputs. Even if it only adds plausible deniability +**\** What's your view on it harming the network specifically? +**\** Yes there is also the issue of pool transparency +**\** Just blockchain bloat. Imagine if we recommended every mining pool churn after each payout lol +**\** Any proprietary in mining is a potential danger +**\** Note that I've only looked at publicly-available information. Many mining pools also publish the transaction amount, which could allow a recipient to remove certain decoys that are known to be under the sent value. I haven't thoroughly looked into this yet +**\** Maybe we need to find a way to blackball these outputs for future rings and leave the churning to the recipient +**\** The recipient is also likely the one with greater incentive to do so, no? +**\** ArticMine one option is for mining pools to be extremely transparent about all outputs they have controlled, and clients blackball these. I think there's a high risk of clients not doing this though +**\** but can the blackballing not be done by the pool +**\** We also have a broader issue of the blacklist being slow to implement +**\** I recommend my "third best" solution for pools that still want to make everything transparent, which involves a different selection algorithm +**\** It doesn't really matter that pools would use a different algorithm, since they publish a list of transactions anyway +**\** And they could adapt their algorithm to include payout outputs in a single ring signature +**\** That relies entirely on pools voluntarily complying, right? +**\** I have diagrams in slides 11-15 of the deck I shared +**\** My take is that we should be actively discouraging pools from being anything but totally transparent +**\** sarang yes, it relies on pools complying. Pools have the potential to cause a lot of harm to outputs in the status quo +**\** It is a related but different issue that is impacted here. Namely overall transparency in mining. +**\** yeah +**\** One of the reasons I was intrigued by the FruitChains paper was the idea of reducing the incentives to pool at all +**\** A voluntary way for pools to flag these outputs as to not be used in mixins may be the best way +**\** If a user thinks pools are malicious, they should absolutely churn individually to the extent research shows. However, I'm talking more about the pools removing the entropy of these outptus in this transparency. We can have transparent pools while still preserving the integrity of these outputs +**\** If people feel comfortable mining to a pool that doesn't even publish coinbase history, that would be the best for the network. However, that is unrealistic +**\** It is best for the network from the point of view of privacy but no from the point of view of mining integrity +**\** ArticMine: in what way +**\** For starters how does one determine the size of the pool? +**\** Independently? +**\** Or how much of a take the pool is getting +**\** It is a special situation one step above coinbase outputs +**\** Pools are in a unique position of power which is why transparency must at least be encourages and ideally enforced +**\** But my understanding is that pools can simply not give all this information +**\** so it'll all still based on voluntary goodwill +**\** as in, information from self-selecting entities +**\** This is true but there is a market pressure to give out this information +**\** and this is very healthy +**\** Well, even if they don't povide an easy blackball list, someone can realtively trivially put one tegether from the complete transaction history +**\** sneurlax made one such tool (or may still be making one). +**\** That is actually a backup answer +**\** But ideally we should encourage the pools to give a blackball list +**\** What do you think the general thoughts are about the blackball list being checkpointed and supplied non-locally? +**\** I recommend we instead encourage them to use a different selection process so a blackball list is unnecessary +**\** Because the local generation seems pretty intense +**\** sgp\_[m] So if I understand correctly these pool outputs could then be easily identified and not included in mixins +**\** That of course would work very well +**\** I believe you are explaining the blackball process ArticMine +**\** Yes +**\** So I am not clear how a different selction process would work +**\** oy, missed the meeting? +**\** Most folks were away, but we're still chatting +**\** whats the good word +**\** I recommend that pools instead take the outputs in a published transaction and use all these outputs in a single ring signature. Then, outsiders don't know which outputs are paid to miners and which are change returned to the pool +**\** Yeah I liked this approach +**\** I didn't see any immediate downsides +**\** It makes sense since the pools are known entities +**\** but normally almost all of these outputs are paid to miners +**\** It still needs someone to volunteer to maintain a blackball list, and so far nobody has so this code is left unused :) +**\** The goal is to make the outputs returned to the pool look the same in a random transaction decoy as how they look when miners make transactions with their payouts +**\** can we replace ring sigs already? that is all +**\** That'll be our big MoneroCon unveil +**\** This is difficult to explain, so I'm sorry I'm not doing it very well +**\** oh, also that article on PoW (which I'm sure had to have been discussed at this meeting). Something else. +**\** "MoneroCon: Monero is a con!" +**\** So one is obfuscating the change output among the payouts +**\** sgp\_[m]: I think I get the point you're making +**\** That I understand +**\** ArticMine yes that's the goal, so that the outputs controlled by the pools (these change outputs) no longer need to be blacklisted +**\** \*blackballed +**\** even if the transaction history is published +**\** Yes that would work. +**\** hmm actually on second thought, pools should need to still churn the coinbase outputs (not just the very first one), or they need to be blackballed. My slide 14 is incorrect +**\** sgp\_[m]: Suppose you get some fraction of pools to comply, but some don't... you'd still need to monitor for the blacklist, no? +**\** hi :) +**\** hullo +**\** Yes, an end user should still blacklist as much as possible +**\** I want to limit this as much as possible though, in case users don't go through this process +**\** Unless we more broadly support a non-local blacklist integration +**\** but that has its own issues +**\** There may be a different approach. What if we were to limit the number of ring members comprising of these troublesome outputs to say 2 fakes +**\** that would include coinbase and tx outputs a certain number of steps above coinbase +**\** What's the advantage to this? +**\** what if we blacklisted all of the outputs in existence +**\** Ensure the ring has a minimum unexposed number of fakes +**\** I would have to see the math before saying it would be effective. Coinbase outptus are already the minority, and they could still be revealed as decoys anyway. Would potentially limit impact to extend of all decoys compromised but hard to say +**\** In my I idea I would include the real output if it was one of the gray outputs so actually two members of the ring as opposed to two fakes +**\** I believe the way to deal with exposed outputs is to limit their number in a ring to two or possibly three rather than exclude them altogether +**\** Why not exclude them? They are known to be fake +**\** If they are known spent yes, but if they are known unspent then no +**\** that is the key difference +**\** A coinbase tx for example is a known unspent output +**\** Once it is included in a ring it can become unclear if it is unspent or not +**\** Not if a pool lists it on the site though +**\** They make it a known unspent +**\** by listing it +**\** If they make the coinbase a known spent then it should be ideally blackballed; however if this cannot be easily automatically determined then simply including it in the limit I suggested becomes an option +**\** Centralized blackball lists can also becomes an issue +**\** ArticMine: yes, and that's why I wonder what they'll look like broadly +**\** Which is why creating entropy around the exclusion of "blackballed" outputs may have some merit +**\** Then it would also be impossible to as rehrar said blacklist "all of the outputs in existence" +**\** It is an interesting attack by a centralized blackball list diff --git a/_posts/2018-05-21-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-21.md b/_posts/2018-05-21-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-21.md new file mode 100644 index 00000000..90368b75 --- /dev/null +++ b/_posts/2018-05-21-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-21.md @@ -0,0 +1,241 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-05-21 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** Let's begin the meetin +**\** sure +**\** ye +**\** i have a list of stuff i want to bring up +**\** but let's start with the simple stuff +**\** sarang: updates on BP audits? +**\** hi all, I had a death in the family on the 14th so I have been travelling this week and have not made any progress on anything, really :( +**\** I will remind you that I've reached out to ehanoc and will be working with them on python code but yeah, delays delays delays +**\** Sure, so the audits are underway, will be checking in tomorrow with the groups for updates +**\** Noting to report yet +**\** sneurlax[m]1: sorry to hear that :( +**\** sneurlax I am sorry to hear about that. :( +**\** What are the expected time lines for each group/ +**\** Looking at mid-July all around +**\** not bad +**\** Yeah given that they work on a lot of projects +**\** sarang: what have you been working on for the past 2 weeks? +**\** Otherwise, I've written up a noninteractive refund scheme in collaboration w/ Purdue folks +**\** will be doing a formal journal paper for submission too +**\** ah yeah, that's on my lsit of stuff to read today +**\** nice +**\** Have been keeping up with some Zcash flaws and plenty of other papers that came through the pipe +**\** and advanced course prep for the upcoming crypto course +**\** i've started keeping a monthly "works cited/read" list +**\** any other updates? +**\** Nice, I also include my reading list in updates +**\** Also some good talk in here about BPs and fees +**\** which needs to be settled soon +**\** Can't deploy without consensus on the new fee structure +**\** this fees thing is not something we can keep saying 'we need to talk about this soon' +**\** it needs to get talked about ASAP +**\** Allright, so when Sarang and I were in london, we started hashing out (heh) a list of things for MRL to tackle in the upcoming year. we've been late on the research road map because... well, because there are lots of possible forks in the road, so to speak, and it's not clear which are dead ends, and which the community would like us to pursue. and near the top of the list is BP fee structure +**\** let's talk about it immediately after the meeting +**\** rehrar: yes, we need concrete proposals with actual values +**\** Once we have final figures on size and verification efficiency we can finalize on fees / blocksize +**\** before i get to my big list: has anyone else been working on anything interesting? I don't want to downplay the contributions of other folks +**\** well vtnerd has, a little +**\** oh? +**\** he was looking into xmr <> btc swaps +**\** UkoeHB worked up a great draft of his tech explanation of transactions +**\** he came up with a funny method by which you'd have to burn your btc priv key :P +**\** endogenic: there were all sorts of curve issues tho +**\** called it the sony method +**\** yeah +**\** I did? +**\** oh yeah didn't koe have something to gift surae? : P +**\** UkoeHB: yeah, your extension of the magnus stuff, not sure if the latest work was before or after surae's departure +**\** Ah yes give me abt 10mins +**\** oh, one thing from my recent trip was noting a strong interest in ring sig alternatives research +**\** fwiw +**\** kurt magnus contacted me asking me for my comments before I left, and I was confused because I thought UkoeHB \*took over\* that paper from kurt, but kurt appears to think it's two separate projects now? maybe y'all should chat about that together... +**\** endogenic: seems like very few folks in the community oppose the idea of replacing ring signatures with something else +**\** suraeNoether: no i just meant people are excited about specific alternatives like starks +**\** Don't know surae kurt is rather curt +**\** rather than saying 'oh this is a problem' +**\** oh he spelled it with a k when he first got on irc \*shrug\* +**\** okay, so here's the list of stuff on my general MRL "todo" list: +**\** 1. BP fee models. +**\** 2. Transaction graph python library (see sneurlax[m]1 comment above) +**\** 3. Sarang and I would both like a full technical report on "what happens if PRNG is terrible in Monero? Failure model and effects analysis sort of deal. +**\** 4. Codifying Monero's best practices guidelines into a nice infographic. I believe sgp and rehrar have put some effort into this so far. +**\** 5. Monero Standards in general. We have lots of source material to start gathering these together, and I would like to get MOST of this done before next month; describing the current state of monero before BPs go live is probably going to be valuable later on. +**\** 6. Payment channel infrastructure and prereqs +**\** ^ +**\** Ooooh yes please :) +**\** We have some good work on 6 so far, but no definite path forward atm +**\** 7. network simulation library for testing things like consensus algorithms and difficulty metrics. (I am off-and-on working with a friend at University of New Mexico on using population-ecology models to look at mining incentives, etc) +**\** There's more work on the actual channel implementation that's being worked on w/ Purdue folks, but those drafts aren't released yet +**\** 8. Ric's zk-s(t,n)ark zidechain proposal +**\** at their request +**\** 9. I would like to write a paper on using heuristic analyses for constructing "ground truth" transaction graphs in private cryptocurrencies, and the common pitfalls that crop up from statistical points of view +**\** (for example, my common sensitivity vs. specificity complaint) +**\** 10. Churn analysis (ties with 9) +**\** (and with 2) +**\** Having the library will give really useful data into the churn models +**\** 11. I have written here "curve optimizations," but I feel like the ones we intend to use should be included in the monero standards... but it could be helpful for other projects for us to make a technical note about them +**\** in particular, seeing where we can cram them in elsewhere seems like a good idea +**\** good ideas all around +**\** 12. General literature reviews (this is an ongoing thing, but since Sarang and I are constantly reading, we may as well start compiling our thoughts into common documents!). This ranges from zero knowledge proofs, to hash-based signatures, to reviews on pairings-based approaches +**\** I may have missed it, but was the multisig paper sent off for review? +**\** There was a recent flaw in MuSig that IIRC will affect one of suraeNoether's proof strategies +**\** no: the flaws in the musig paper apply to my security proof too, so we are now... reading... a lot. +**\** this happened during his absence +**\** this isn't to say that they were proven insecure +**\** The MuSig fix is to add another communication round +**\** it hardens the proofs substantially +**\** but merely that it's been proven that a proof of the security \*cannot exist\* under standard assumptions +**\** subtle point, but important +**\** Yeah, and it snuck past a lot of people +**\** phew big list in any case +**\** a lot of very smart people +**\** 13. New elliptic curves. \*if we think it is valuable,\* and I think it is, I think we should reach out to folks for developing a family of suitable ECs that are compatible with 25519 +**\** Before I leave to do my crypto course, I'll continue the payment work w/ Purdue primarily, as well as get a bunch of educational material onto GitHub +**\** you'll be gone for one month sarang? +**\** 3 weeks +**\** this is the sort of thing that could be a whole masters thesis, so that alone would be a sufficient project to require funding, I think... and there are dangers in rolling our own crypto, making our own libraries... so this is a bit controversial +**\** alright, great +**\** one week is dumbass training that'll be "multitasking" =p +**\** I'll also continue the audit coordination work during that time +**\** great +**\** Otherwise it's full time teaching (not getting FFS during the month) so I'll have limited availability +**\** are they paying you in Dash? +**\** but it's good outreach and PR +**\** lol +**\** fiat, those fools +**\** I'll assign groups to each of our MRL goals secretly =p +**\** this huge list, is varying in urgency depending on items. i think BP fees, churn analysis + txn graph modeling, and the monero standards are the most important in my mind. almost everything else on the list would be great to tick off the list before another year is up +**\** but these are \*broad MRL goals.\* +**\** \*applause\* +**\** not a checklist of things I personally feel responsible for and need to get done (which is why multisig wasn't included on this list.) it's a roadmap list +**\** so, my question is +**\** It's my personal desire to see a path set toward payment channels within the next couple of network upgrades +**\** ah yeah, i think that's super important too +**\** depending on quality of proposals +**\** speaking of that +**\** tadah new chapter +**\** go on... +**\** https://www.pdf-archive.com/2018/05/21/zero-to-monero-first-edition-v0-14/zero-to-monero-first-edition-v0-14.pdf +**\** good! i will read that today too +**\** multisig! +**\** excellent UkoeHB +**\** I will also review +**\** SO! Does anyone want to add anything to the MRL broad goals for the 2018/2019 year? +**\** wow, that looks comprehensive. +**\** Any new proposals contained in that UkoeHB, or just descriptions? +**\** suraeNoether: is that list ordered by priority or just generally? +**\** m-of-n and details on how to nest multisigs inside each other +**\** great +**\** some conventions +**\** endogenic: it's very loosely ordered by the order that sarang and I thought of them after meeting philkode at green man in london. :D +**\** I think we're excited about BPs as an on-chain optimization, and we're looking for off-chain optimizations, but I think keeping a casual look at other opportunities for on-chain optimization is quite important. Not the least reason for doing so is to help quell the BTC/BCH debate from within our halls. +**\** and a walkthrough of all implications for monero transactions +**\** suraeNoether: kk +**\** rehrar: totally, but optimizations to the level people \_really\_ want are not immediately forthcoming +**\** rehrar: one of the items on my list is "sublinear ring signatures," but because of this: we need to write a technical note to the community on why we don't intend on pursuing \*that route\* of on-chain optimizations. +**\** so add that as 14 +**\** "14. explain why we don't have logarithmic ring signatures, and investigate other on-chain optimizations." +**\** 14 is pretty straightforward to do +**\** If people see that we are pursuing both on and off chain optimizations it will hopefully keep the braindead squealing to a minimum +**\** well half of it is easy. :D +**\** thanks for that addition, rehrar, I agree +**\** anyone else have any suggestions for the MRL roadmap for the next year? +**\** sorry, I obviously don't have high opinions of people who adamantly hold to one side or the other of the BTC/BCH debate :P +**\** 15. Stupid contracts +**\** ha +**\** Well having payment channel infrastructure available and understood will be a Good Thing even without a definite intent to move to large off-chain operations +**\** maybe the slogan of MRL should be something like "Don't be intellectually dishonest." In line with google's now-defunct code of conduct +**\** oh and a one-key lstag for generating shared key images with zero-trust +**\** you'd think so wouldn't you sarang? +**\** I would +**\** if you'd kept up with the debates, you'd see that even good ideas, if proposed by 'the other side', become evil ideas +**\** MRL: ruining everything since 20xx +**\** "a social/technical/something else attack" +**\** that's going on the t shrit +**\** UkoeHB: what page should i read that on, and are you comfortable with us using a lot of your document for the monero standards? (i've asked before but I want to verify) +**\** suraeNoether and/or sarang can these MRL roadmap goals be sent to me ASAP. I'd like to make a little simple graphic to share with the community. +**\** Sure we'll work them up into something more formal on GitHub +**\** as well, anything that has been completed in the past year should go on the roadmap section of the website +**\** agreed +**\** which desperately needs updating :P +**\** https://getmonero.org/resources/roadmap/ +**\** I'll need to run in about 5-10 min, btw +**\** we still in 2017 +**\** suraeNoether: can we talk formal roadmap in about an hour? +**\** okay, so now that the roadmap discussion is out of the way: I plan on reading about BIP47 today for endogenic, reading sarang's dual output paper with the purdue guys, and reading zero to monero again... and then after I've done those three finite tasks, I'll start reading the criticisms of the musig proof and continuing with multisig. and hten I'm going to write up my FFS for June-July-August because, like +**\** an idiot, i'm off the usual fiscal year again :( +**\** suraeNoether: +**\** yes +**\** sarang\* yes +**\** when you get back we'll talk about fees + roadmap +**\** suraeNoether: sarang +**\** sarang: suraeNoether +**\** heh +**\** anything else before I head out? (parking metre is dumb) +**\** go fix your meter bruh +**\** serious request here +**\** also move to a place where you don't have meters +**\** can I get profile shots of both suraeNoether and sarang +**\** ikr +**\** top of head to upper chest +**\** One fees I do have a preliminary proposal ideas +**\** rehrar: are you making us those fake passports you promised? :D +**\** I'll talk with both of you about it later +**\** When is later? +**\** ArticMine: do you have them written up, by chance, or is it going to be a platonic dialogue to talk about them? +**\** I have not written it up yet but it is coming +**\** ArticMine: he meant about the pictures. we can talk about fees as soon as sarang gets back +**\** i want him to be able to ask questions +**\** like, live +**\** ArticMine: by later I mean the profile shots +**\** but one question that came up is verification times +**\** This was a very valid point raised by smooth +**\** performance\_tests show you verification times for various cases. The only thing that I know will change it is Pippenger, if it gets coded. +**\** ArticMine: yeah, i wanted to do fees proportional to both expected ver time and space, but i feel like someone shot me down when i suggested ms-kB metric +**\** but i don't recall +**\** It more an understanding on what verification times will be with current tech +**\** surae the table of contents should have everything. i don't recall you asking, but sure do whatever you want with it :) +**\** ah, yeah, we'll have to estimate, and it's hardware dependent but the info-theoretic lower bound on the number of operations isn't, and we can use that instead +**\** and this will require the optimizations +**\** UkoeHB: if you seek peer review publication, we'll have to probably make sure that rights are reserved or blah blah so the monero project doesn't get sued by the publication company for copy-pasting a document you helped write while volunteering at MRL. :P +**\** That is where copy left comes in +**\** ArticMine: well, the lower bound will be impelmentation-independent. like, "we know we have to check \*at least\* this many group elements, and therefore... " sort of argument +**\** is there any benefit to getting it peer reviewed? +**\** Last thing I wanted to mention as part of the meeting is MAGIC, the non-profit that sarang, myself, rehrar, sgp\_[m], and my wife are starting. we are currently waiting on communications from our lawyer and CPA re: filing our 1023. my wife is on the phone with him this morning taking notes, and we'll probably make a more formal update later today or at least before the end of the week. the main trouble has +**\** been finding CPAs and attorneys with the sufficient interest to learn about cryptocurrency law, etc +**\** Yes but is that a valid basis for pricing vs size, or can ti be handled instead with a clawback / weight idea +**\** UkoeHB: eh, i merely thought that was your intention for the docuemnt. +**\** interesting indeed +**\** get scooby on your board man +**\** why scooby? is he a laywer? +**\** paging scoobybejesus +**\** well you said CPA +**\** I miss sarang already +**\** not to doxx him.. +**\** :D +**\** lol scooby you dont mind me volunteering your life do you? :P +**\** but anyway surae he may be able to point you in some direction +**\** that would be helpful +**\** right now it's our attorney calling all his CPA friends and getting shot down it looks like. :P but we will see +**\** It's to be educational more than anything +**\** i snoop around the lounge, so i'll at least be sure to put in my two cents when appropriate +**\** Learning crypto and monero is haphazard and frustrating with no formal approach +**\** UkoeHB: people can only teach you about "hodling" nowadays +**\** cool thanks scoobybejesus +**\** UkoeHB: agreed, and you and me and sarang should chat about textbooks. +**\** i hesitate to provide to much firm advice in this crypto wild west we're in, but i can sure help with understanding context and the like +**\** sool +**\** cool\* +**\** Allright, anything else anyone want to bring up for MRL? especially anyone who feels they have helped fund MRL and they have something they want to say? +**\** Nah. +**\** okay, well, \ diff --git a/_posts/2018-05-28-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-28.md b/_posts/2018-05-28-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-28.md new file mode 100644 index 00000000..a91061fc --- /dev/null +++ b/_posts/2018-05-28-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-28.md @@ -0,0 +1,188 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-05-28 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** sure~ +**\** Greetings everyone +**\** welcome to the MRL Research meeting for the week +**\** Hi. Lurking for one here :) +**\** yo +**\** mostly an informal discussion of what we've all been getting up to for the past week +**\** hi +**\** o/ +**\** Happy Memorial Day to those who celebrate it today! +**\** i know sarang has been discussing fees with myself and ArticMine, and we both have been talking about multisig with each other... does anyone want to put an item on the agenda? +**\** otherwise, sarang and I can just describe what we've done this past week and get on to it, but i know some folks have been working on a lot of stuff +**\** oh, man i forgot to ping UkoeHB +**\** ya if i may, you should ping ppl at the start of the mtg +**\** Yes there is plenty to discuss for BPs, fees, and optimizations +**\** endogenic: I pinged people about 20 minutes ago +**\** but point taken +**\** Sarang, how about you go first +**\** I worked with moneromooo to speed up BPs +**\** we can let people jump in with questions +**\** Here is timing data for the expensive multiexp operations they use, to illustrate: https://imgur.com/a/rZB0vin +**\** The green bar, Pippenger, is the new one +**\** BPs start at 256 points, on the x-axis +**\** cool! +**\** suraeNoether: think both can be helpful +**\** Once we finish up some testing, BPs will use a combination of algorithms. The speedup on the operations has been clocked at 40% of the original +**\** The audits continue +**\** What really remains is determining fees, as was discussed last week +**\** fluffypony knaccc luigi1111 anonimal andytoshi ArticMine binaryFate chachasmooth dEBRUYNE endogenic gingeropolous hyc iDunk IsthmusCrypto john\_alan JollyMort[m] jwinterm kenshi84 medusa\_ moneromooo MoroccanMalinois needmoney90 nioc nioc\_ othe philkode rehrar rrol[m] sgp\_[m] smooth sneurlax[m]1 stoffu TheCharlatan unknownids vtnerd waxwing +**\** okay, so let's talk about fees really quick +**\** yes +**\** since verification times are roughly constant across powers of 2 (in terms of number of outputs) and the space is proportional to the number of outputs, we can get a good simple fee model going +**\** This chart shows timings \_before\_ the new Pippenger optimizations: https://docs.google.com/spreadsheets/d/1HPk2a0atBqLqUlxQqBLiQXEJi-e1egIMYu3tS1NGHUo/edit#gid=0 +**\** It's the same chart as I presented last week, but gives an idea of timings +**\** say N = # outputs, and 2^(m-1) < N <= 2^m. then space is approximately N and verification time is approximately m = round(lg2(N)). +**\** The timings also do \_not\_ account for batch verification, since that depends on what size proofs a client has +**\** suraeNoether: space does not scale linearly with the # of outputs +**\** It essentially forces verification time as the major pricing element when comparing a 2 output proof with 2^N output proof +**\** Yes. Compared to Borromean, space is basically constant +**\** at least across the ranges we deal with +**\** 64 bytes for each additional factor of 2 +**\** From the table +**\** yes, it's a very small increase +**\** but among all costs to consider, it's the smallest +**\** wait, sarang, verificaiton time is O(N) and space is lg(N), right? according to that table we glanced at earlier +**\** For single verification, yes, but it scales with the next power of 2 from N +**\** right +**\** We don't have the more general BPs that can handle any number of outputs cleanly +**\** (and we'd never get that change audited since it's tricky and not published) +**\** so, my point is: if we consider space to be wasted download time, then everything is about time, not space-and-time +**\** and so for fees +**\** more or less +**\** we can either do space+time, and pick some constants a, b and charge fees a\*lg(N) + b\*N +**\** or we can do space\*time and pick some constant a and charge fees a\*N\*lg(N) +**\** Yes we can convert between space and time. The question becomes the conversion factor +**\** so, for a 2-in-2-out transaction +**\** lg(N) = 1, N=2, so we charge a base fee of 2\*a +**\** whatever we think is fair for that, say a = 1 piconero +**\** We have to modify the penalty formula this is critical +**\** To reflect the time component +**\** So converting time back to space is the simplest way +**\** ok here +**\** ArticMine: the time component is linear in number of outputs, and I think the penalty formula is already linear in the number of outputs? +**\** We can use the 2 output proof ans the starting point. Then add a space weight linear to the number of outputs to account for the time +**\** wait, i'm getting myself confused here +**\** Are we accounting for the fact that a 9-proof and a 15-proof take the same verification time, roughly? +**\** that's a hugely important observation +**\** The penalty formula is size based and includes all the transaction inputs +**\** ArticMine: okay, so check this out +**\** We have to price 9 and 16 the same +**\** ArticMine: the time to verify is approximately linear in size +**\** ArticMine: in number of outputs i mean +**\** Time to verify is linear in outputs for each 2^N +**\** so 9 and 16 is the same +**\** It's linear in the number of outputs used, but we pad to ensure there are always 2^m +**\** We'd need the unpublished BP modifications to get rid of that requirement +**\** because of padding +**\** assuming everything is being rounded up to the nearest power of 2, time = O(N outs). space = O(log(N outs)), essentially. so fees can be a\*N + b\*log(N). agreed or disagreed? if measured in atomic units of monero, we can write this as N + c\*log(N) if we like and if we want to pick c carefully. +**\** We do get much smoother time changes if we use separate proofs +**\** but at the cost of greater size +**\** This discussion is all assuming we require a single proof +**\** i am not assuming that at all +**\** i'm going proof-by-proof +**\** Well +**\** If we split proofs, each proof is an optimal size from a verification perspective +**\** if every proof pays fees in proportion to both space and time, then there's an economic incentive for wallet software to find the best solutions for output management +**\** If we round, some are more optimal than others +**\** if someone wants to make a sloppy BP, then \*fine\* let them pay for it by simply charging in proportion to number of outputs. is what i'm saying +**\** suraeNoether Yes size which determines penalty which in turn sets fees would follow a\*N + b\*log2(N) +**\** ok so next question: how many fees should a 2-in, 2-out transaction incur? what about a 2-in, 4-out transaction? +**\** Though given the data I suspect that a\*N will be dominant +**\** ArticMine: it will be +**\** but since most txns are 2-in, 2-out, we're really over-optimizing the crap out of this +**\** is it only the number of outputs that affects the verification time for BPs? +**\** all we need is a quick metric that asymptotically matches the cost in space and time. that's all we need. :P +**\** For 2 in 2 out there is not change from the current formula +**\** jwinterm: yes +**\** Since this will be used as the base tx size +**\** okay, so call that fee F +**\** and we set F = a\*2 + b\*1 +**\** ArticMine: but I assume the prefactor will be smaller than currently +**\** Since we're dropping both verification time and space from the current txns +**\** now for a 2-in 4-out transaction +**\** oh, we don't want to do that one +**\** we need linearly independent choices +**\** so what about a 1-in, 2-out transaction? +**\** ah, the fees will be the same +**\** heh +**\** okay, so what about a 3-output transaction? +**\** for a 4-output transaction, they'll pay double, so we may as well make a 3-output transaction 50% more +**\** 3 out same as 4 out +**\** oh ok +**\** that works too +**\** The will pay double on the proof +**\** very likely but not on the rest of the tx +**\ \<@suraeNoether>** but since most txns are 2-in, 2-out, we're really over-optimizing the crap out of this +**\** No, because this is a defense against attacks. +**\** So you have to consider the worst case here. +**\** jumping in: yay new chapter +**\** https://www.pdf-archive.com/2018/05/28/zero-to-monero-first-edition-v0-17/zero-to-monero-first-edition-v0-17.pdf +**\** Which is why we have to add a space penalty term for the spoace gains in say 2 out to 4 out 8 out etc +**\** thanks UkoeHB +**\** okay, so ArticMine and sarang, let's talk about fees after the meeting +**\** Sure +**\** i don't want to waste a bunch of folks' time, but I think I have a formula +**\** sarang, my understanding is you are taking June off to teach, correct? and that during that time you'll be volunteering your time at MRL to complete, for example, the bulletproof audit +**\** Yes, I'll be teaching a crypto course for Duke +**\** w/o FFS pay +**\** I'll be volunteering time to manage the BP udit +**\** \*audit +**\** If it ends up being more time than expected, I can adjust the next FFS accordingly +**\** The first week of June is BS training, so I'll be partially available +**\** cool. UkoeHB care to share/describe your newest chapter in zero-to-monero? +**\** blockchain +**\** lol +**\** "blockchain" he said, with stars in his eyes +**\** short and sweet +**\** and two new appendices: block content, genesis block +**\** If I were a VC, that statement alone would get you funding +**\** lol +**\** sarang i should have asked: do you have anything else you want to talk about before we move on? +**\** Did a little timing on the noninteractive refund stuff, turns out they're a little faster than typical signatures +**\** finished up the tech note, hoping for internal review before we release +**\** oh yeah, i wanted to ask: think there's a way we could compute \*all\* our key image basepoints in a way that can exploit the speed-up you discovered? +**\** sarang, can you also give us a link to your dual output tech note? +**\** https://www.sharelatex.com/read/vcyxgpntfsgz +**\** I don't know a great way to do it safely with just the single pubkey value +**\** k +**\** If anything I'd rather find a way to reconstruct MLSAG to use other speedups +**\** but I've given almost zero thought to that +**\** so, in the past week I've read this paper in detail (https://scholar.google.com/scholar?cluster=15619301617669058049&hl=en&as\_sdt=0,6) and this paper in detail (https://arxiv.org/abs/1503.08768) and this paper in detail (https://scholar.google.com/scholar?hl=en&as\_sdt=0%2C6&q=okamoto+beats+schnorr&btnG=) and this paper in detail (https://eprint.iacr.org/2018/068) to get to the bottom of this multisig +**\** unforgeability proof +**\** the long story short: I believe that by adding the commit-and-reveal phase of the musig appraoch to our ring signatures will result in a provably unforgeable scheme +**\** too bad they couldn't fix it without that phase +**\** it's fine, i like that phase in general +**\** but it also improves the security assumptions +**\** commitment isnt' scary, sarang +**\** yes, it does +**\** unfortunately, we fork all over the place +**\** and depending on the constructions, things can get out of hand rather quickly +**\** on the plus side, the paper is, once again... smaller than it was. :D +**\** unfortunately i'm debugging some latex code so it's not viewable right now +**\** that has basically been my whole life this past week, although I spent some time looking into what it would take for a zk-ledger-based sidechain to work merge-mined with monero +**\** i believe a very private "banking system" with off-chain transaction processing through semi-trusted third parties could be a second layer on top of monero +**\** but that's not where my mind has really been at, which has been on multisignature unforgeability proofs +**\** sarang, I believe, will be posting his monthly report, as will I... +**\** and later today, I'm helping advise zcash foundation on how to spend a quarter million of their dollars on grants +**\** anyone have any questions? +**\** Yep, my report will go up later today, once I again remind myself how markdown works on various platforms +**\** I love how it's different EVERYWHERE +**\** oh, and we have formalized our research roadmap from our meeting last week! i can't believe I forgot to metnion that +**\** aye +**\** https://github.com/monero-project/research-lab/issues/29 +**\** if anyone has questions or concerns or comments, that's a good place to throw them +**\** oh you can update z-to-m link with new draft :) +**\** yay +**\** Nice roadmap. I'll definitely want to be in the loop for item 4, the "research infrastructure" - and I'll try to contribute myself. +**\** good to hear :D +**\** allright, well, let's finish this \ and talk about fees diff --git a/_posts/2018-06-04-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-06-04.md b/_posts/2018-06-04-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-06-04.md new file mode 100644 index 00000000..07977a64 --- /dev/null +++ b/_posts/2018-06-04-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-06-04.md @@ -0,0 +1,226 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-06-04 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** I can stay ~15 min today +**\** poor cat +**\** :) +**\** Coco hates car rides, needles, and strange places. This'll go great +**\** Hey guys +**\** yo +**\** so we'll go with 1. greetings, 2. give sarang a brief platform to talk with us about what he'll be up to before he has to dip out, 3. i'll give the community an update on the unforgeability of LSTAGs, 3. we'll bring up churning and best practices infographics, 4. any other projects anyone wants to talk about +**\** Will be keeping one eye on the Apple WWDC keynote and one eye here +**\** philkode: i'll post transcript after the meeting so no worries there +**\** so, howdy everyone +**\** heyo +**\** sarang, take it away~ +**\** As has been discussed elsewhere, BP reviews are humming along +**\** moneromooo and I worked up the last big optimization we had hoped to get done for them +**\** increasing verification speed +**\** While I'm away I'll continue managing the review process as needed +**\** Everything is coming up Milhouse for the next upgrade +**\** what's our "overall" verification speed improvement looking like, and do your changes only apply to the BP code for now? +**\** i recall around 50% improvement in total? or am i misremembering? +**\** We're looking at up to >90% size benefits and >85% speed benefits for transactions +**\** depending on batching, size, etc. +**\** freaking fantastic +**\** you win the internet +**\** We'll get some "official" stats for public-facing publicity stuff +**\** And yes, this only applies to BPs for now +**\** but in theory any multiexp operation (besides aX+bY simple terms) could probably benefit from this +**\** But BPs are the big use case right now +**\** this makes me want us to write our own 25519 library with pippinger and blackjack +**\** nopenopenope +**\** i know, never roll your own crypto +**\** it may be worth incentivizing the creation of test suites, though +**\** This was a case of good algorithm deployment, nothing more +**\** not libraries themselves, but test suites for libraries +**\** but one that was on the back burner for a while +**\** but that's another discussion +**\** Anyway, that's my Big News for today +**\** gratzo +**\** Tests are available on mooo's branch +**\** anyone have any questions for sarang? +**\** for anyone wanting to play with them +**\** https://github.com/moneromooo-monero/bitmonero/tree/bp-multi-aggregation-pippenger +**\** thanks to mooo for fast coding of my shit Python prototypes +**\** =p +**\** mooo is actually seven dudes in singapore +**\** I often agree with this hypothesis +**\** okay, if no one has any questions, i'll bring up a discovery i've made +**\** That would explain memory lapses. +**\** in terms of LSTAGs and unforgeability +**\** Those are amazing size and speed up figures, really well done guys +**\** ty philkode +**\** yes, sarang and moneromooo are MVPs of the ... year so far +**\** so, unforgeability: the Musig paper uses a double fork to accomplish their proof of unforgeability. while working through a ring-signature version of the same approach, i realized something +**\** suraeNoether: wasn't it three forks? +**\** or was that changed with the fixes +**\** it was 2 before and after the changes, whereas i initially thought we would need 3 for the ring signatures +**\** oh ok, must be thinking of something else, nvm +**\** but, i was not just trying to do a ring signature version of the proof, but also a recursive-aggregation version, where keys have trees of family members, and as long as everyone is participating, they can cooperate to construct a signature simultaneously, in a big recursive signing party +**\** now, one fact about unforgeability proofs is that they often use rewinding-on-success or forking to prove their unforgeability, and every time you do this, the security bound gets looser and looser +**\** what i realized is that forking ring signatures the way i've been trying to do it, with trees of family histories of keys... the bound gets so freaking loose that you lose non-negligibility \*if the size of the family histories is a security parameter\* +**\** in other words: the forking approach to proving unforgeability, afaik one of the only real ways to prove equivalence wiht the DL hardness problem, \*seems to not be sufficient to allow an attacker to get the DL\* +**\** this \*suggests\* that violating the unforgeability of ring signatures is much harder than regular signatures +**\** it's not a proof on the relation between hardness, but it means that classic proof techniques \*may fail\* to prove unforgeability for arbitrary recursive key aggregation +**\** so, in other words: we have to fork once for each use of the honest key in the family history, which could be a big tree of re-uses of the same key, and in this case, the attacker can't present a forgery... +**\** so, long story short: i'm looking into merely restricting things to the non-recursive case, proving it secure in that case and remarking on the crappiness of the bound (instead of forking twice as in musig, we have to fork 2+ringSize times in this case, so you have a really really loose security bound, but you still hav ea non-negligible advantage +**\** and that's what i've been working on +**\** I wanted to be explicit about this particular fact, because it may end up being useful later: rewind/forking lemmas applied recursively cause adversaries to lose non-negligible advantages very quickly +**\** any questions in that regard before we start talking about churning and infographics and microsoft and github? +**\** jw about your eta for the paper +**\** That all went way over my head, but hopefully I can understand your work with churning! +**\** Sounds like you have some interesting stuff to work with +**\** UkoeHB: if i restrict the scope of this thing appropriately, i'll be posting a version of it later today that is a sketch of my intentions and then a more correct version of it later this week. I don't want this thing to take more time than the remainder of June. +**\** Cool :) +**\** and i've really pared this thing down, it's a lot smaller and more clear at this point +**\** now churn +**\** the biggest concern is that you receive some money from or send some money to an adversary (or first one then the other). if someone is "watching you," so to speak, then even if your transactions appear to look like background noise to the average observer and match the statistical pattern of the monero economy (somehow), the "watcher" can still sort of tell you are churning. they can look at an AML/KYC +**\** exchange's records with a warrant, for example, and see that an abnormal \*number\* of your transactions reference one of their poison outputs, even if the depths and distribution of those references appear to look like background noise +**\** to avoid this, even innocent parties have to reference these poison outputs \*quite often\* +**\** one solution is that \*everyone always does a lot of churning.\* +**\** not just people who care about securtiy +**\** sort of like ring size minimums +**\** i don't know how one could enforce that, thoguh +**\** I think the only way would be a large minimum (likely impractical) ringsize, yeah +**\** Difficult to force people to send transactions +**\** not just a minimum ring size that is large, but some sort of structure that requires "you can send this to (A,B), but only if you send it through (X,Y) and (W,Z) first" +**\** but if we do that +**\** we're talking about a massive blockchain blowup +**\** hmm +**\** The input selection algorithm can't help with this? +**\** maybe a timed pop-up on the GUI-CLI saying: churning help your privacy, do you want to churn now? every week or so (i don't know how stupid this can sound) +**\** input selection could be tweaked so that inputs are chosen with a probability that is inversely proportional to the number of references that have been made (so that no output goes long without being referenced a few times) +**\** I think that's more reasonable +**\** erciccione\_[m]: we have to weigh the benefits of security against the increased weight of our blockchain in the long term, if we are going to go down that route +**\** so, i'm going to write up a proposal on input selection algorithms +**\** Do you have an idea how many times you want each output referenced? Obviously the more the better all else being equal +**\** simply the more the better +**\** Outputs can't be referenced more than ringsize number of times on average +**\** shouldn't the ringsize become larger anyway after BP get implemented? +**\** It sounds like you're hoping for a ringsize increase too then +**\** UkoeHB: \*can't\* be, or under mild assumptions, will asymptotically tend toward the ring size? +**\** Well, the average number of references depends on the average number of inputs and outputs in transactions +**\** There are likely more outputs than inputs on average, meaning that the references should be less than the ringsize over a long term +**\** each output can be referenced at most R\*number of transactions ahead of it in the blockchain. so the total number of references would be R\*N + R\*N-1 + ... + R\*2 + R, so the maximum average would be R\*(N-1)/2 references (although the true average would be much smaller in general) +**\** How could the average output be referenced more or less than ringsize, if total number of references is ringsize\*numouts? +**\** Of course there could be periods of mass consolidation where it could be the opposite +**\** anyway, this is all a bit accessory to the point, which is that the probability that an output is selected should be jointly proportional to (1) 1/# of references that already exist and (2) the gamma distribution from bitcoin's age data (although combining data from litecoin would be helpful) +**\** and probably only from the non-blackballed list +**\** dynamic ringsize is not an option based on which inputs are actually used? +**\** It makes sense. Reduce reference spread +**\** m2049r[m]: eh, I usually think about ring size only in terms of the minimum, because people really shouldn't be advertising their behavior by selecting out-of-the-ordinary ring sizes +**\** those two sound good suraeNoether +**\** the question earlier about larger ring sizes +**\** and hope that people do the third +**\** Could you poison outputs? Simply reference one a bunch of times so it becomes extremely improbable. Then, when you spend it, it's probably real +**\** because people really shouldn't be advertising their behavior by selecting out-of-the-ordinary ring sizes <= A good argument to enforce static ring sizes after the next HF +**\** UkoeHB: yes, you could, actually! nuts. that's the consequence of using things like temporal heuristics and selection frequency to try to mask erratic human behavior :( +**\ \** Could you poison outputs? Simply reference one a bunch of times so it becomes extremely improbable. Then, when you spend it, it's probably real <= You could still reference it after spending it? +**\** dEBRUYNE: if selection probability is 1/(prev references), someone can reference an output many times +**\** reduces likelihood future references ARENT real +**\** dEBRUYNE: NSA wants to know if an output has been spent. So they manufacture 1000 ring signatures referencing it. almost no one except the true spender will include it in any future ring signatures because it is 1000 times less likely to be selected at random. so after the nsa do this experiment, the first time the output in question appears on the blockchain is very likely a true spend +**\** "I send money to you, knowing which output I give you. Then I make 100 transactions with this output as a decoy, meaning the only likely other transaction that will include it is the real one" +**\** it's real bad +**\** it's a \*real bad idea.\* +**\** maybe we just triple ring size after BP +**\** sgp\_: But an observer doesn't know when it is used as decoy and when it is actually spent +**\** it reverses the "guess newest" rule from monerolink and turns it into a "guess the last possible spender" +**\** dEBRUYNE right, but if the input selection algorithm is tweaked to prefer lesser-used outputs, then it may not be used outside of the actual transaction +**\** dEBRUYNE: no, but an observer can be pretty sure that the output has been spent. besides, if 1000 transactions referencing an output P occur in a single block, and then a week later a single transaction with P occurs, that is strong circumstantial evidence that this attack occurred and the single lonely P from later in the week is likely the true spender +**\** Why not choose probabalistically between different selection algos +**\** Or define a 'ring sig ambiguity tree' factor, analyze as function of ring size, and select a new ring size w/ justification. Instead of arbitrarily increasing +**\** One which prioritizes unused outputs, one which chooses uniformly +**\** why wouldn't attacker spread txs across many blocks? +**\** For example +**\** suraeNoether: Why wouldn't he spend it in one of those 1000 transactions and reference it as decoy a week later? +**\** Some may be stronger than others. A uniform one falls under the shortfall where the newest is typically the real one, and this phenomemon will get worse over time +**\** You have to account for the alternative scenario here as well +**\** hyc \*shrug\* they may be impatient, or they may want to expose the true spender to the whole community maliciously instead of keeping the information to themselves. there are other attack models +**\** I mean, new ring size that synergizes with a churn strat +**\** Sgp\_ the point was to have multiple selection strategies, where one is randomly chosen, and some of them have a chance to use a ring member previously used 100x +**\** dEBRUYNE: the point is merely that this could be exploited to make it easier for an attacker to tell if a given output they don't control has been spent. that's all. the specific threat models aren't as important as the observation that it can be exploited \*somehow.\* +**\** in other words: since output reference frequency can be adversarially controlled, we can't use it as part of our input selection method +**\** So someone using a ring member you poisoned by including it in a ring a lot doesn't mean they're the real spender +**\** They could have just used a selection algo that chose it +**\** I still think it is good to adapt the selection algorithm with this criteria in mind, perhaps only to a small extent though. Maybe a 10-20% preference +**\** it does if all wallet software selects outputs \*in inverse proportion\* to frequency of spending +**\** which is what we are talking about needmoney90 +**\** Yes surae, I'm saying we can add multiple selection algos, where one of them doesn't choose with inverse proportion +**\** Even if a given tx only has a 10% chance of using it +**\** sgp\_: even in that case, it gives block chain analysts more power to reduce effective ring sizes +**\** It adds plausible deniability +**\** needmoney90: yes, okay, but to give you an idea of the challenges we face here, let's reduce it to a simple case where we have two algorithms, A1 and A2 +**\** and we pick one with probability p and the other with probabiltiy 1-p +**\** Any programmatic deviation from natural distribution can be analyzed +**\** Yeah, but only by ~1 or 2 UkoeHB. May be less than the reduced risk of some outputs being referenced few times +**\** It will be apparent which was used +**\** For sure +**\** Hm +**\** now an attacker who has success with algorihtm A1 just needs to make the attack 1/p times +**\** instead of only once +**\** so, this brings us back towards plausible deniability, which is good +**\** but it still isn't protection against the attack +**\** We can continue in lounge after the meeting, sorry to derail +**\** if you have many algorithms, this increases the sample size the attacker needs to attack any one of them +**\** sgp\_: it might ok if we increase ring size dramatically +**\** which is that plausible deniability, which is good, but still gamable +**\** UkoeHB: any deviation from "natural" is identifiable, you are right, and the problem is we have small anonymity subsets chosen from a (still unfortunately rather small) anonymity superset +**\** there merely isn't a good statistical mask for behavior here, the fix has to be to replace ring sizes +**\** You mean increase ring size +**\** Any good prospects for escaping ring sigs? +**\** erg.... replace ring signatures\* +**\** with ... +**\** Is there anything else that works without trust? +**\** whatever comes next :) +**\** there are untrusted stark set-ups that are slow +**\** or use weird pairings +**\** i'm looking into options +**\** but the fact of the matter is, small anon sets will need to go for this problem to really be solved +**\** in the meantime, churning isn't going to help you if all the transactions you deposit on your AML/KYC exchange originated somehow from a malicious watcher like the DEA or NSA or something +**\** and churning more than 3-4 times is probably overkill if all you are worried about is helping flesh out our anonymity sets +**\** so ... what should we put on getmonero.org regarding churning... ? :) +**\** gingeropolous: give us a few days to write up a formal thing +**\** cool +**\** gingeropolous: because i want some specific numbers on how much you are really exposing yourself +**\** Can you give us a hint on the relationship between churning and ringsize? How significant is it? +**\** exponential? +**\** well, the naively computed anonymity set of a monero transaction tree of depth H with ring size R is approxiamtely O(R^H) +**\** so +**\** the question is "how many times are you going to pull a poison jelly bean out of this jar with R^H jelly beans in it, only one of which is poison?" +**\** oh, "while grabbing R jelly beans at a handful?" +**\** and these answers require some statistics involving the hypergeometric distribution, or binomial approximations... +**\** I'm having flashbacks +**\** hahah +**\** let me summarize: churning 80 times wiht ring size 10 gives you more possibilities than the number of fundamental particles in teh universe +**\** Ok we are at end of meeting so I'll jump in +**\** churning 7 or 8 times with ring size 10 gives you more possibilities than the monero blockchain +**\** but a lot of these are collisions +**\** Final draft: open for edits and feedback. Plan to publish in 2 weeks +**\** https://www.pdf-archive.com/2018/06/04/zero-to-monero-first-edition-v0-20/zero-to-monero-first-edition-v0-20.pdf +**\** by "collisions" i mean 'the true anonymity set is much smaller.' +**\** sarang will be happy to see pg 50 (57 of pdf) +**\** if everyone on the network churned 2-3 times, we'd all be better off. anyone who lives in a sensitive land of security nightmares should churn maybe 8 times, but definitely shouldn't be using AML/KYC exchanges, and if they do, the vast majority of their deposits at those exchanges should \*not\* be sensitive. +**\** makes sense suraeNoether, given the selection algorithm +**\** UkoeHB: good job, i'll try to read it before the end of the week +**\** awesome thanks :) +**\** i wanted to ask if folks were worried about github and microsoft and alternatives we may want to look into, but i think that can wait till later +**\** anyone have any last questions before we finish up? +**\** Any official status updates on atomic swaps? +**\** needmoney90: dual output ring signatures for refund transactions should enable atomic swaps, but there are some security concerns involved with those that will make it easier to determine spent outputs +**\** so, there has been progress made, sarang wrote a technical note on the dual output sigs... but we are examining "what it means" for us to have two outputs with a differentiating/trigger block height. +**\** it is too easy to see if one or the other has been spent based on block height, and introduces some temporal stuff: if a transaction happens right after a trigger block height for a ring member, that ring member is likely to be the true spender in a refund +**\** UkoeHB Great job. I was looking at the block size scaling part +**\** if the block height is encrypted, there are different problems that show up +**\** This is on my reading list for this week +**\** oooh, i like reading lists +**\** okay, any other questions? +**\** oops mistake in range proof verification. 63 is for A+B +**\** okay, \ :D diff --git a/_posts/2018-06-11-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-06-11.md b/_posts/2018-06-11-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-06-11.md new file mode 100644 index 00000000..6cc0ad3c --- /dev/null +++ b/_posts/2018-06-11-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-06-11.md @@ -0,0 +1,64 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-06-11 +summary: MRL work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** Greetings everyone! +**\** ?? +**\** I'm Surae, and I'll be accompanying you on this mathematical journey today +**\** Our agenda today is simple. 1. Greetings. 2. I'll give a brief update on the multisig paper, giving a brief update on MAGIC, and a brief talk about the recent paper on constant-sized ring sigs that made its rounds on twitter this morning. +**\** 3. I'll open it up for any updates or projects anyone else is officially or unofficially working on +**\** 4. Q&A +**\** So, 1. Greetings everyone! say hello if you are sitting in on this one or lurking +**\** okaaaaaaaaaay 2. Multisig paper will be done later this week, I'm just putting finishing touches on it before i send it out for review by some smarter parties than myself. it's a lot more clear and correct and compact now, and it actually makes some sense re: simulations and signing oracles. some details are still lacking, but that's what the rest of this week is for. https://v2.overleaf.com/read/bfjfkdgnhgvh +**\** oh hi +**\** MAGIC and MRL are going to have a presence at defcon this year, and I was hoping sgp\_[m] could say something about that, but it looks like I'm alone today, and that's okay. Hopefully we can sell some MAGIC t-shirts and start accepting donations. +**\** We had some speedbumps to overcome in terms of getting MAGIC off the ground. CPAs and lawyers who didn't really have time for new clients who thought they could waste our time, etc. +**\** bonsoir +**\** howdy oneiric\_ and binaryFate +**\** I mentioned earlier about a constant-sized ring signature scheme in the random oracle model. it's actually a really neat scheme, but it uses bilinear pairings and takes a lot more verification time than our current set-up, so it isn't really suitable as a replacement. i did a little tweetstorm on it this morning you can see here. https://twitter.com/BGGoodell/status/1006203923827343361 +**\** Is there a white paper for it? +**\** https://link.springer.com/article/10.1007/s11390-018-1838-z +**\** not white +**\** i linked it earlier +**\** Let's see here, in addition to that, I have a script for a white-board video on cryptocurrencies that i am fleshing out. rehrar mentioned he would be willing to help when he gets back, and that could be fun and cool. +**\** I was quite offline last 3 days, didn't see the twitter storm. It's constant-size in space, right? How does it scale for verification time? +**\** in the meantime, i'm interested in doing a plausibility analysis of a RLWE-based version of Monero instead of a discrete logarithm-based version, but that's a longer-term thing. I've been taking notes on all the multisig papers i've been reading for a comprehensive literature review that i plan on publishing later this summer, too, and that's coming along nicely (although no links available yet) +**\** binaryFate: it's a lot slower +**\** same nubmer of exponentiations, but also a linear number of pairings operations +**\** Ok. First time someone comes up with a constant-size scheme without any sort of setup no? Neat even if not usable for us +**\** yep! +**\** Other than that, sarang and I posted the roadmap on github a few weeks ago, and we are still hoping for discussion and/or comments about additions or expansions to the topics listed. https://github.com/monero-project/research-lab/issues/29 +**\** Sorry if I'm behind the curve, what's RLWE? +**\** Ring-Learning-With-Errors, it is a hardness assumption that is thought to be resistant to quantum computers, and a lot of "lattice-based" crypto schemes rely on it +**\** a lot of "lattice-based" ring signature schemes are available, too +**\** So that would be to use ring sigs resistant to quantum computers? +**\** That's awesome surae, find anything interesting/potentially usable there? +**\** oh, i don't know yet, i just know that most of the frameworks are available to be assembled together carefully +**\** it's an interesting route of inquiry, but htat's all at this point +**\** How does that relate to plausible deniability (if a ring remains a ring, just using different underlying math) +**\** binaryFate: the hope is merely to replicate all of monero's current capabilities in a setting where an adversary with a quantum computer is trying to peek in on amounts, or to cheat the system to mint money, or to try to forge signatures. +**\** the signatures would still be ring signatures with plausible deniability as we currently have, just built with a scheme with a different hardness assumption +**\** there's almost no point in having ring signatures in that setting though, even if they are QC-resistant to forgery, becuase a QC computer can enumerate the spending tree and find true spenders very efficiently; a QC-resistant privacy-focused currency, I think, really has to be built on large-anon set technology +**\** otherwise you could use far less exotic QC-resistant signatures to accomplish the same deal +**\** anyway, since we are probably going to have to switch to pairings or starks or something weird eventually anyway in order to get our large anon sets, i started thinking a little more broadly +**\** UkoeHB: do you want to update us on ZTM? +**\** maybe later today :D +**\** Does anyone have any questions for me or MRL in general? +**\** mostly proofreading and edits +**\** Okay, well, if anyone has any questions or concerns for me, I'll be here for most of the rest of the day and you an always e-mail me at suraeNoether@protonmail.com +**\** \** \<.,>d;fhadlf +**\** lol, thanks for the information suraeNoether +**\** here is latest draft https://www.pdf-archive.com/2018/06/11/zero-to-monero-first-edition-v0-20-3/zero-to-monero-first-edition-v0-20-3.pdf +**\** thanks UkoeHB +**\** and thanks to endogenic for throwing that link in earlier +**\** aiming to close proofreading sunday night, then PR getmonero, for publish ~1 week later +**\** unless proofreaders more time, then ill push it out +**\** really tremendous work coming out of the research lab, as always. much excite for 2018-2019! +**\** thanks suraeNoether for the updates! diff --git a/_posts/2018-06-18-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-06-18.md b/_posts/2018-06-18-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-06-18.md new file mode 100644 index 00000000..068fc50c --- /dev/null +++ b/_posts/2018-06-18-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-06-18.md @@ -0,0 +1,139 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-06-18 +summary: MRL work, DefCon plans, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** fluffypony knaccc luigi1111 anonimal binaryFate chachasmooth dEBRUYNE endogenic erciccione\_[m] gingeropolous hyc iDunk isthmuscrypto john\_alan JollyMort[m] jwinterm kenshi84 kerber m2049r[m] moneromooo MoroccanMalinois needmoney90 nioc othe philkode pigeons rehrar rrol[m] sarang sgp\_[m] stoffu unknownids vtnerd waxwing, research meeting in three minutes~ +**\** and of course UkoeHB who is already here and aware :D +**\** it's time \\o/ +**\** Hi +**\** hi +**\** 1. Greetings! 2. Work from this past week. I was hoping to chat about BP fees and where they are currently at, i wanted to update folks on the multisignature paper and literature review, I wanted to share a few links to papers I'm reading... and open up the floor to anyone else doing anything fun and math and crypto related. 3. Plans for this upcoming week and defcon? +**\** So, hi everyone :D +**\** does anyone want to add anything to our little makeshift agenda before we get goin? +**\** okay, cool +**\** as far as bulletproofs go, apparently Quarkslab will be done by the end of the week and Benedikt has begun work (I think). Quarkslab has apparently found a few small optimizations, but no bugs so far (but that could be outdated info) +**\** ArticMine: do you want to bring the community up to speed on where we are currently sitting in terms of bulletproofs fees? you've led the charge for a lot of that discussion +**\** yay ArticMine +**\** I have the basic concept down +**\** Replacement of the blcoksize with block weight +**\** That is linear with an increase in verification time +**\** i believe the last time we talked about this, taking space and time together into account led to a formula that was like n + log(n) in number of outputs. by picking fees based on n only, this means we are slightly under-compensating miners for large bulletproofs and slightly overcompensating them for smaller ones, leading to a weak batching incentivization without distorting our ideas of cost paid by the +**\** miner in both space and time. since the space paid is logarithmic, its impact is rather small, even for large bulletproofs. +**\** This will replace the blocksize in the determination of the penalty. Fees then follow from the penalty based weight calculation using the current formula +**\** \*nod\* are we not modifying the current formula to make overall fees lower? +**\** We are not modifying the formula however the weight will be a lot lower than our current blocksize +**\** So we still have to change the minimum fee +**\** For a 2 output transaction the block weight will equal the block size +**\** ah i see +**\** we should get a formal description of our proposed bulletproof fee structure out to the community so they can start discussing it soon +**\** so I'll try to put 2-3 hours into that this week +**\** What really matters is that as the number of outputs the weight scales linearly with number of outputs +**\** I expect to have a formal description out by the middle to the end of next week +**\** cool, let us know if you need more hands +**\** After the weekend I expect to have 2-3 days I can dedicate to this +**\** There are a lot of details +**\** we have some folks who are interested in contributing to MRL but don't necessarily have a project, so there are lots of eyes we can put on it as well +**\** Allright, moving on +**\** I've been discussing our multisig scheme with UkoeHB and a few other folks. I have contacted one of the musig authors about an issue UkoeHB brought up. It's... causing me sufficient pause to reach out. Essentially, my first (and second and third) reading of the scheme seems to allow for a replay attack +**\** our multisig scheme ?= RTRS multisig? +**\** no, threshold sigs. +**\** the musig scheme + our scheme. it \*seems\* to allow an honest adversary to be cloned or rewound in a way that may be dangerous. of course, in the musig paper there is a whole section on derandomization and not re-using signature data... this is a \*known issue\* but I'm not sure if their security model is sufficient. +**\** our threshold scheme, not RTRS +**\** so, due to this, i've gone back to some older papers on multisignatures and simulation theory to look into it +**\** right now i'm reading a primer on simulation theory by Lindell, who is a good author and has written a rather comprehensive document on the matter (pdf link https://eprint.iacr.org/2016/046.pdf) +**\** and i've gone back to some of the original certificate authority and/or KOSK assumption papers because their security models are highly relevant +**\** https://hovav.net/ucsd/dist/agg-sig.pdf +**\** during all this, by the way, I'm taking copious notes on multisignature schemes and old papers for a future literature review +**\** ArticMine: Great to hear (about the fee stuff). I, however, hope we're not making it unnecessarily complex +**\** The concepts are very simple and elegant if we work at the protocol level and change the penalty from block size to block weight +**\** dEBRUYNE: eh, essentially we are merely changing the fee structure to count the outputs in a block instead of absolute size in bits, or bytes, or kb, or what have you, that's the core idea of the change +**\** Strictly speaking we are changing the penalty formula to take into account ^ +**\** other than that (deep diving into the simulation theory and the dark corners of the multisig world), I wanted to see what other folks are working on (silur?), and maybe chat about defcon first, a monero conference second, and a MAGIC conference in privacy technologies third. things seem so quiet around here without sarang +**\** The fees then follow with essentially no change other than the minimum fee to account fro the much lower overall weight +**\** sarang was the heart and soul of MRL +**\** A very important distinction is that the penalty formula is consensus while the fees are not +**\** read: was +**\** was? +**\** I'm continuing my RTRS implementation +**\** was talking to suraeNoether, ArticMine +**\** HCPP invited me to make a demo there +**\** silur are you implementing that on github? have a link? +**\** RTRS still needs heavy testing, i kinda tend to do 'if it compiles it's ready' +**\** sure +**\** https://github.com/Silur/libstringct +**\** tim ruffing contacted me, their scheme has been modified and they are coming out with a newer version of it. as a sample, their signatures are about 1.12 kb for a ring size of 64 +**\** thanks silur +**\** how long is verification for that ring size? +**\** great to hear, although the current docs are already outdated +**\** would be nice to have that paper out :D +**\** are there any sketches on the mods? +**\** he has been loose with details silur, but he contacted me about it tuesday last week and he said he'd get me the paper this week. maybe, maybe not. :P it's how research goes, even at universities like saarlang +**\** rehrar: no idea, i don't wnat to speculate +**\** rehrar but my knee jerk instinct is "about as much time as an LSAG with 128 ring members" +**\** Also are there any non linear with size verification times +**\** or "no less than" instead of "about as much time as" +**\** ArticMine: not with a usual ring signature model. technically you could count zk-snarks as sublinear verification time ring signatures that require a trusted set-up, but htere is nothing in the chasm/gulf between our untrusted set-up hash-based ring signatures and the zk-snark world +**\** everything with RTRS has to take around double the amount of time for each group operation, since keys are double in length... and our hash-based set-up is pretty much as close to an information-theoretic minimum allowable in terms of "number of group operations" in order to compute a ring signature, we are very optimal in that regard, very few wasted computations... so "best case" RTRS will be double the +**\** verification time of an LSAG +**\** so, uh... what's up with defcon +**\** The bottom line we do not have to deal with a situation similar with bulletproof verification times +**\** who all is going to be at defcon? +**\** I am +**\** I am alos giving a talk related to the fee question +**\** also +**\** nice +**\** i heard something about a booth +**\** i believe that sarang and I both declined actually having an MRL booth, but I'm happy to sit around at the monero booth for awhile, presuming... we have a booth (and now the word booth is meaningless, it's been said too much. like the word kiosk) +**\** hmmm....then there was a misunderstanding +**\** I thought it was "we'd man the booth if there was one, but not for the whole time cuz we want to enjoy the conference" +**\** I'll communicate and change that right away if I was incorrect. +**\** oh, no, i think i'm mis-remembering +**\** we can totally do a booth +**\** i need to make a t-shirt or something +**\** it'd probably be split with Kovri temporally +**\** turf warrrrr +**\** I don't think MRL needs to prepare anything special unless you guys want to +**\** just sitting at the table and fielding questions would be sufficient +**\** but i want a t shirt ;( +**\** wait that's winking +**\** i meant :\*( +**\** semicolons are so hard to use correctly +**\** we'll get you a tshirt, but it may not be what you expect +**\** ;P +**\** anyways, nothing else regarding defcon as far as I know +**\** okay, so, in terms of other conferences, we originally had this idea to have the first Monero conference in Denver next spring, perhaps funded or hosted by the MAGIC non-profit (me, rehrar, sgp, and sarang and some non-monero-related people) +**\** but we are trying to keep MAGIC more or less separate from Monero, (we are looking for some non-monero members to be on the board) becuase it's an educational organization, not a project-oriented one +**\** so we are going to host the MAGIC conference as a general privacy enhancing technology conference instead +**\** and all funding for that will be through MAGIC, we won't be starting an FFS for that +**\** totally independent +**\** BUT +**\** the monero community deserves a freaking technical conference! +**\** so i wanted to get the community's thoughts on starting a Monero conference-specific FFS. If I took charge of this, I would hire an event organizer to take care of a lot of it and spend time trying to get speakers for the conference. +**\** FFS? +**\** forum funding system +**\** oooh +**\** cool, go for it +**\** great +**\** really sorry I gotta run +**\** best to y'all +**\** ta silur +**\** okay, the way i figure it, the monero conference is a good use of MRL resources and time, so I'll post it under ideas with the current estimated price tag and we'll see what happens from there. i think anything over-funded should go to the general fund +**\** well, we're rounding up on the hour here +**\** does anyone have any questions? +**\** maybe about the proceedings at MRL, what's going on recently and what's going to be going on over the next few weeks, any other general questions? +**\** (my favorite color is blue and i'm probably a taurus and i like long walks on the beach) +**\** hmmm... +**\** I think I'm a gemini, would we work well together? +**\** Or am I a something else? +**\** ArticMine: Sounds interesting. Looking forward to the details of your fee proposal +**\** a question earlier from the lounge >> \ some while ago, was there a discussion about letting new nodes bootstrap the blockchain quickly, that required new crypto techniques, afaik? i might have this completely wrong, but think i read about it in the research-lab channel +**\** if the meeting is over i would like to get back to the topic of exposing the index of a subaddress - from what i understood there are mixed statements about this. it may be a problem and it may not be. ??!? +**\** nioc\_: not sure about htat +**\** yeah, we can call this meeting over :D +**\** thanks everyone \ diff --git a/_posts/2018-06-25-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-06-25.md b/_posts/2018-06-25-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-06-25.md new file mode 100644 index 00000000..026b9fec --- /dev/null +++ b/_posts/2018-06-25-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-06-25.md @@ -0,0 +1,135 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-06-25 +summary: MRL work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** let's get this partay starteeeeed +**\** Agenda today: 1. Greetings. 2. Brief MRL update. 3. Show and tell! 4. Who's going to defcon? +**\** hi everyone +**\** hullo +**\** Okay, 2. I have finally posted all our meetings logs here: https://github.com/b-g-goodell/research-lab/tree/master/meta/research-meeting-logs +**\** I didn't want to fork the whole meta repo just to keep track of our research meeting logs, so I just started a folder +**\** Greetings! +**\** if anyone objects or wants to make PRs to monero-project's meta repo to track our logs, I'm fine with that, too, but this is easiest for me to deal with. +**\** Morning all +**\** Hello +**\** morning isthmuscrypto and needmoney90 +**\** Another update, Sarang will be back next week I believe +**\** Other than that, Sarang and I will be at defcon, and we are excited to meet up with folks +**\** They're more accessible if they are posted as a blog post on getmonero. Probably some value there +**\** sgp\_[m]: would I make a PR to the monero-site repo then? +**\** hello +**\** There are some open PRs now for the community meetings. Best to use those as a template +**\** so the answer is yes, and to use those as a template? I haven't done any blog posts through the repo before, so I'm not sure exactly what the procedure is. :P +**\** they require markdown change +**\** I'll look around and take care of it later today +**\** Basically yes. It's not very difficult +**\** cool, then easy thing to check off my list later +**\** So, 3. Show and tell. Silur is here, isthmuscrypto is here, and both of them are working on rather interesting projects I'd like to hear about. +**\** I'm struggling with testing my RTRS lib, and now got into VDFs, verifiable delay functions and trying to generalize them for lattices +**\** i didn't catch isthmuscrypto's original description of his generalized adversarial networks, when he mentioned it for the first time a few weeks ago +**\** and of course as usual lattices are more interesting than testing but I need to have RTRS done for HCPP :/ +**\** oooh VDFs are super super interesting to me +**\** Hi @suraeNoether https://github.com/Mitchellpkt/BlockchainAnalysisGAN +**\** I have a general VRF construction for DH and EC, PoC ready (I can share the notebook) and a blockchain is already adapting it, working on the lattice VRF now +**\** I'm tied up in a meeting for the next 50 minutes and sneaking the MRL meeting on the side, so I'll be intermittent in responding. +**\** ah silur, that's a conference I would have loved to attend if I had heard of it a few months earlier. +**\** so my next step is to make the same for VDFs +**\** that's awesome, silur! +**\** I'm sure we can figure something out +**\** about HCPP +**\** oh, no, i literally can't attend, but maybe next year. +**\** oh that brings up something: I was thinking maybe we could start taking issues out on the monero-project/research-lab repo for conferences that the community might want us to attend +**\** a lot of them I'm willing to go to out of pocket because they are great experiences, but keeping track of the wide world of conference calendars can be challenging +**\** " track of the wide world of conference calendars can be challenging" < sounds like we need a decentralized solution xD +**\** MARKET GAP! :D +**\** tokenize it! +**\** ICO it +**\** lol +**\** hi +**\** is it unreasonable to ask: if folks hear about a technical conference, literally anywhere in the world, at which MRL should have a presence, open up an issue about it on the monero-project/research-lab repo? +**\** hi rehrar +**\** so brings me back to a interesting bottleneck I can't overcome for weeks for all my current work +**\** VDF, IVC, VRF, Bulletproofs.... +**\** ACs +**\** I don't have any experience for arithmetization of boolean circuits +**\** anyone willing to help out on that? +**\** maybe not a meeting subject, let's go on with the agenda and get back on it later :D +**\** well funny thing about that silur +**\** boolean circuits are arithmetic circuits already, just not contrariwise +**\** which is one of my favorite -wise suffixed words +**\** well in Gf(2) +**\** but most protocols need a galois field with a large prime base so I thought bulletproofs won't work ever on Gf(2) +**\** ah that's what you meant +**\** anyway I'm stuck now with QSP-s and a little less-efficient snark stuff to experiment with BPs +**\** well, we'll chat about it later +**\** yea sorry for holdin' the meeting :D +**\** does anyone else have any interesting work they want to talk about? My work this past week has been into zero knowledge proofs and extractability requirements and schnorr signatures. primary reference of the week is this one (pdf link https://link.springer.com/content/pdf/10.1007/3-540-48071-4\_28.pdf) +**\** primarily, I'm thinking it's possible we don't need to worry about the KOSK setting with only minor adjustments to our current scheme, and if that's the case, all the musig key computation and all the commit-and-reveal nonsense just goes away +**\** in which case the whole paper will \*AGAIN\* collapse to something smaller +**\** but I need some sanity checks from folks with more knowledge in the field of complexity theory +**\** Other than that, I recently finished advising the ZCash Foundation in giving out 250kUSD in grants, I'm working on encrypted memo fields in Monero transactions, and I've been writing up my backlog statements of work. I've already broken 160 hours this month, but I like this job a whole lot so I'm not really taking weekends until I start feeling burnt out. +**\** usual cryptographer's calendar :D +**\** oh, earlier this week I made some commits to my PoissonGraph simulations (see here https://github.com/b-g-goodell/research-lab/tree/simple/source-code/Poisson-Graphs/new) which are \*inches\* away from successfully producing human-readable transcripts describing cryptocurrency network simulations. +**\** The sim suite is for testing difficulty algorithms, consensus algorithms, and dynamical properties of the network. +**\** a friend who just got a job at the university of Exeter (inspiration for Hogwarts) is interested in writing a population ecology-inspired paper demonstrating how ethereum can effectively prey upon bitcoin's hashrate by rewarding bitcoin block-withholding attacks using ethereum smart contracts. +**\** wow this is awesome +**\** o\_0 +**\** https://arxiv.org/abs/1805.08832 +**\** this paper is sort of the foundation of that idea +**\** well +**\** one part of the foundation +**\** +1000 on the sim network research suraeNoether! +**\** oh yea I saw a paper based on this .... "vulnerability"? +**\** https://eprint.iacr.org/2018/581 +**\** yes, exactly +**\** that's another part of the foundation, but i haven't been able to find the reference recently, thank you +**\** i forgot that was mccrory +**\** also a nice guy +**\** hmm, published june 6 +**\** i must have seen him talk about this +**\** Allright, next meeting agenda point: who's going to defcon? +**\** I am +**\** and all of you should also +**\** yay, i think most of the board of directors of MAGIC will be there, if not all of us +**\** we should all go out for a dinner +**\** but... it's in the... USA :'( +**\** ugh, no kidding +**\** 'murica +**\** who wants to start a sea-cooled, solar-powered mining farm with me on the pacific coast of Costa Rica? +**\** yes please +**\** :) +**\** who wants to fund it? +**\** Elon Musk +**\** good ole' elon +**\** okay +**\** i'm still thinking about defcon, also I have another blockchain security conf in vegas in october that I'm invited as a speaker but still couldn't get my head over getting into US +**\** last year I think 2 ppl got arrested at defcon? +**\** the wannacry and the election machine guy +**\** ooh what conference? +**\** just surround them so po po can't get to them +**\** civil disobedience of whatever +**\** if you are invited as a speaker, the conference should be able to write you a letter requesting a temporary visa for your visit, but i'm not sure if hungary is on the list of countries that need temporary visas even for a conference visit. i would assume so, because we have shut our borders to friggin canada +**\** it's more complicated than that, I'm stateless +**\** ! +**\** good freaking luck +**\** https://www.hoshocon.com/ +**\** does being stateless suck? +**\** it sucks that you wouldn't be able to get into USA :/ +**\** being stateless is a desirable state for a hash-based signature scheme. +**\** they should see about holding Defcon in Canada +**\** Ugh Tues-Thurs +**\** should we hold the monero conference in another country? +**\** HCPP last year had a "secret" monero meeting, I met a dev guy there +**\** he was giving away SO MANY stickers +**\** so I guess HCPP is ideal :P +**\** Okay, so anyway +**\** :D +**\** hold monero conf in Liberland: http://www.liberland.org/ +**\** Let's call this meeting what it is: done +**\** \ diff --git a/_posts/2018-07-02-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-02.md b/_posts/2018-07-02-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-02.md new file mode 100644 index 00000000..20fe5428 --- /dev/null +++ b/_posts/2018-07-02-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-02.md @@ -0,0 +1,201 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-07-02 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / sarang +--- + +# Logs + +**\** First, greetings +**\** Yawns\* +**\** well, greetings +**\** Hopefully a little more people than the Dev meeting, but prolly not, because of the holidays +**\** For my sake at least, I'm very interested in the current state of folks' projects or undertakings +**\** Does Merkato count? +**\** Hi :) +**\** Does Mastering Monero count? +**\** fo sho +**\** Currently one of the next steps for Merkato is calculating the optimal spread, which is some fun math that scares me +**\** elaborate? +**\** Hi all, small update and that's it, I quit my job so I'm resuming work on my small project related to scraping mining pools. I apologize it took so long, but my job got incredibly demanding incredibly quickly... So I quit! +**\** that's what I do when the going gets tough +**\** https://arxiv.org/pdf/1606.07381.pdf +**\** Starts on describing the optimal spread Calc +**\** I need to dive into it +**\** interesting! +**\** I finished up my teaching and also worked with the auditors more +**\** QL and Kudelski are finishing up reports +**\** There was, of course, also the twitteresearcher +**\** all hail twitter +**\** His notes about subgroup checking were also identified by our audit +**\** and will be incorporated into some easy checks on the code +**\** as far for me on RTRS-StringCT I didn't have any advance on testing for the last 2 weeks :( +**\** neither on Lattice-based bulletproofs +**\** suraeNoether sent me more details on sublinear ring sigs but that was just yesterday +**\** I'm sure he will have more to say on this +**\** I just need a technical feedback because I am not sure I wrote anything correctly in Mastering Monero. You can read by viewing this pdf https://masteringmonero.com/book/preview.pdf . Thanks! :) Feel free to message me for any inputs! +**\** yea that's why RTRS is on hold now, the scheme changed a lot since I started implementing +**\** yes indeedy +**\** eek, time got away from me. sorry about that everyone! i'm here, i swear, i'm writing a document on blockdags and got excited :( +**\** The incorporation of an internal range proof is intriguing +**\** suraeNoether: what about blockdags? +**\** go on +**\** oh, i think i have a "fast" version of a blockdag based approach to transactions sort of similar to spectre +**\** i'm looking at convergence rates and such +**\** Ah, new work? +**\** yeah. going into details, the problem with blockdag schemes is ordering blocks that aren't linked to each other (so-called "antichains") +**\** correct +**\** that's the hangup in computation +**\** and i think I realized a structure built into the blockdag approach that allows for a rather fast linear ordering of otherwise unordered blocks +**\** that would be hugely useful! +**\** in the end, if all these different metrics end up being equal, you end up hashing block headers either way, so the probability of two blocks having the same place in the line is negligible either way, and it should be quick +**\** What other projects have kept you busy during my absence suraeNoether ? +**\** oh gosh, i made commits to my PoissonGraphs project, which allegedly spits out a human-readable cryptocurrency network simulation's transcript... and i've been communicating with tim ruffing about his new sublinear ring signature scheme...and I've been trying to get a handle on the multisig KOSK setting and UkoeHB's rewind/replay problem. +**\** excellent +**\** Anyone else with news or updates? I have a month of "lack of knowledge" to account for! +**\** @suraeNoether pls relay any info on RTRS from ruffiing if available! +**\** i believe we've spoken about the twitterstorm "problems with bulletproofs and ed25519" thing? +**\** yes +**\** Here's the lowdown +**\** I thought we were performing key checks at a lower level already, but I was mistaken +**\** After speaking with the auditors (who also noticed this), they recommended adding some checks +**\** for subgroup membership and point-at-infinity +**\** as well as checking for null scalars +**\** However +**\** They, like us, were unable to identify any way that the absence of such checks could be exploited +**\** But this is precisely why we audit +**\** long story short: the bulletproof method uses a group of prime order. we use a group of composite order, and while we restrict all our keys to the prime order subgroup, we didn't have checks to guarantee that someone wasn't feeding non-subgroup elements into the bulletproof as inputs +**\** So, once we deploy bulletproofs, we can get to RTRS and make bulletproofs obsolete =p +**\** basically, yes +**\** it's an easy and fairly cheap thing to check +**\** this leaves open the logical possibility that someone coudl produce a bulletproof that passes the verification algorithm correctly, but does not present a valid proof of the range of the argument. as sarang said, \*there is no way we have yet identified to do this.\* but \*it's a logical possibility\* and we deal in the realm of provable security in this here lab +**\** On a more irritating note, Benedikt indicated on twitter that he had not yet begun his review, which was not indicated in his communications to me, and I've been unable to reach him for details +**\** sarang: the new RTRS scheme with bulletproofs is faster than the scheme with their "included" range proofs +**\** ... +**\** suraeNoether: ok, haven't looked into newRTRS at all +**\** which new? :D +**\** By RTRS, you mean the new paper by Ruffing et al ? +**\** there's like new-new-new-RTRS :D +**\** lol, the internal paper suraeNoether showed me +**\** let's say RTRS2 +**\** it's actually... one sec +**\** the paper was marked to be for internal review only +**\** LRRSTW signatures now. :D +**\** omg no more +**\** different authors than RTRS +**\** What are the implications if any for verification cost vs 1) number of outputs, 2) number of rings? +**\** ArticMine: number of rings = ring members? +**\** TBD +**\** LRRSTW is even new for me +**\** they have some data +**\** yes +**\** ArticMine: eyeballing their results, it looks like we can have 2.4kb, ring-sized 64 signatures that take as much time to verify as (approximately) one of our current ring signatures with ring size 16... +**\** BUT +**\** it's POSSIBLE that the verification time there needs to double +**\** in which case we could go for 2.0kb, ring sized 32 signatures that take as much time to verify as one of our MLSAGs at ring size 8-10 +**\** My view is that once we prototype it, we'll get a better sense of the op counts +**\** note: these are actually really huge signatures +**\** and that will tell us verification times +**\** suraeNoether: agree? +**\** sarang: sure, although there is a table of op counts in the back +**\** Is there a scaling issue when compared to tx size with increasing the number of ring members? +**\** we can literally compute whether it's worth it to even prototype it +**\** (and i'm doing that calculation this afternoon) +**\** ArticMine: yes, these signatures are sublinear, are almost as fast as our current signatures... but their size constants are bigger than ours, and the sublinearity doesn't become worth it in terms of size until 10-12 ring members +**\** Subliner with tx size? +**\** oh i thought you meant by ring member, excuse me +**\** i'm not sure what you mean, then. signature size is related to both the number of inputs and outputs. +**\** Whats the level of incompatibility with what we're doing now? +**\** 1 sig for all inputs (and outputs), IIRC from yesterday. +**\** unsure yet, i'm optimistic that it doesn't requrie, for example, more group elements in the public key or antyhing like that +**\** My question relates to a possible attack by increasing the number of ring members where we are only measuring tx size +**\** oh, if we made a decision like moving to these signatures, i would strongly recommend a fixed ring size, if that helps your thought process on the matter +**\** What would it take to allow \_either\_ signature type, depending on size, if the size were not fixed? +**\** considering this as an option boils down to considering whether or not we are willing to commit to having large, slowish, but rather efficient (with respect to privacy) sigs +**\** just as a thought experiment +**\** no idea +**\** OK +**\** Yes that would simplify the issue; however we could also add a weight parameter to increasing the number of ring members +**\** I'll be interested to actually look into this +**\** Moving forward for this month, what's everyone's priorities? +**\** (i think in general keeping around multiple signature schemes is bad business) +**\** Mine are to finalize BPs and then move on to RTRS, while finishing up a few other writeups +**\** @sarang it shouldn't take much effort in my opinion +**\** suraeNoether: sure, just a thought experiment +**\** to support both +**\** every time i need something to do for an afternoon, i look at the MRL roadmap +**\** I mean a bit longer-term +**\** to help long-range planning +**\** and help us complete things +**\** as long as the implementation keeps it's orthogonal design it can be an opt-in +**\** it's easy to get sidetracked with fun new projects +**\** temptation of math! +**\** other than my weird blockdag approach, which i'll be sharing with sarang eventually, and my poissongraphs simulations, and multisig + kosk setting stuff... actually, i'm pretty full up. :P +**\** Nice! +**\** and i'll talk about the blockdag stuff after the meeting in some more detail +**\** Yeah I'm interested +**\** dags are at the top of my "I wish I had more time to do this" list +**\** it's not clever, which is my strongest argument in its favor +**\** being not clever often means "easier to prove" +**\** yep, and more secure, and lots of other things +**\** suraeNoether: what do you intend to do with RTRS2 this month? +**\** If the op counts they provide make sense, I'd be interested in prototyping to help my understanding better +**\** step 1: understand how it works +**\** ^ +**\** step 2: if it's like RTRS1, step 2 is "abandon the project." +**\** T\_T +**\** RIP silur :D +**\** lolol +**\** i regret to inform yall but i'm guessing 1) this scheme is as good as it gets without pairings based crypto or a weird RLWE scheme or something, and 2) i still think it's too slow for a mandatory every-transaction sort of deployment and 3) i don't think it's worth deploying without the always-on protection of 64-member rings. maybe. i don't know. +**\** we talked about an RLWE-generalization months ago +**\** so more likely ruffing found that too +**\** Well, we can use this month to find out +**\** i think the variability in ring sizes is... well, it's not the biggest vulnerability, right, but it's a vulnerability and it's super low-hanging fruit: we should be mandating ring sizes to avoid inter-signature linking +**\** i love my cat, and you should love my cat too. i got nothing else to contribute to this meeting except CAT LOVE. +**\** My cat is sitting on my lap with his paw on the keyboard +**\** ready to jump in should he become necessary here +**\** hyc: any developments on asic resistance? +**\** I have not been following that stuff this past month +**\** (or anyone else involved in this) +**\** (please chime in) +**\** my last info on that is that cuckoo-cycle doesn't work for some reason +**\** last time I got into that, it was the best known stuff +**\** \*sad\* +**\** silur hyc has been working on a proof of random code project +**\** VRF? \*-\* +**\** sorry was on another call +**\** i suppose one could imagine it as a VRF. some random code is generated from a nonce, excecuted, the final state is hashed, and that's the nonce for the proof of work game. puts the burden not on hashing the final output for PoW, but in executing random code +**\** silur you can catch up here https://www.reddit.com/r/Monero/comments/8bshrx/what\_we\_need\_to\_know\_about\_proof\_of\_work\_pow/ +**\** hyc its ok we still love you +**\** my prototype is here github.com/hyc/randprog but already superseded by tevador's +**\** https://github.com/tevador/RandomJS +**\** thanx hyc +**\** cuckoo-cycle breaks down because of some memory/time tradeoff +**\** hyc when did tevador start working on that? haha +**\** e.g. double memory gives superlinear time acceleration +**\** oh +**\** suraeNoether: shortly after I published PoC ;) +**\** what about a VRF or rather VDF-based approach? +**\** VDF ? what are these acronyms +**\** verifiable random/delay function +**\** I don't know of any good examples. +**\** I have a DH and EC demo on VRF in a jupyter notebook I can upload it into the lab +**\** repo +**\** cool +**\** Also, Wolf's colleagues have another variation on my idea, but tuned to GPUs +**\** but it kind of sidetracks a lot from "asic-resistant pows" since it's not a pow +**\** https://github.com/ifdefelse/ProgPOW +**\** we had a good couple days' worth of email conversations leading into that one +**\** I'm disinclined to adopt it because I think it leaves CPUs out, and ignores the prevalence of smartphones in the userbase these days +**\** In the interest of time, are there any other updates before we officially close and continue discussion of these topics? +**\** I'll be giving a presentation in Portland in a couple of weeks on the importance of fungibility, so hopefully some good PR from that +**\** nice +**\** The usual disclosure that my travel/hotel are covered, so I'm not requesting any community funding for this +**\** I'll be glad to share the presentation here for comments +**\** OK, looks like the official topics list is exhausted, so I suppose we can officially adjourn and continue talking here +**\** keep up the good fight +**\** <3 cool +**\** I'd be glad to hear more from hyc or suraeNoether about PoW and/or fun DAG stuff +**\** \ diff --git a/_posts/2018-07-09-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-09.md b/_posts/2018-07-09-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-09.md new file mode 100644 index 00000000..8e347b3b --- /dev/null +++ b/_posts/2018-07-09-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-09.md @@ -0,0 +1,145 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-07-09 +summary: MRL work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / sarang +--- + +# Logs + +**\** hey +**\** Our pal suraeNoether is unavailable today, so this inmate will be running the asylum today +**\** Let's go around the room and mention any present or ongoing work of interest to the group +**\** In the spirit of fairness, I'll go first +**\** hi +**\** Waiting on reports from our reviewers, all of which are finalizing with a few delays due to last-minute checks +**\** (on BPs, that is) +**\** There was a delightful twitteresearcher who pointed out lack of small-subgroup checking +**\** Reviewers also noted this, but were unable to identify an exploit +**\** hi +**\** Regardless, this is now included in the code +**\** reviewers clearly lack imagination of twitterati +**\** As always, we welcome external research but appreciate responsible disclosure (the lack of which makes a researcher ineligible for hackerone moneyz) +**\** Relating to the audit, there was some work on other aspects of the BP code, like generator specifications, fixes to multiexp, etc +**\** I posted some code and other materials to my research-lab repo, including notes from my summer course +**\** I'll be giving a talk in Portland on fungible digital assets, and another at defcon +**\** I got a recent email from someone with an idea for including a transaction-specific subaddress within transactions, which could be used for (among other things) refunds +**\** or returns for misdirected funds to exchanges +**\** Finally, I've been working through additional sublinear ring sig material and some math on non-power-of-2 bulletproofs (a future thing) +**\** why NPO2? +**\** Hello everyone. Sorry I'm late +**\** does that subaddress email come with the condition of restricted circulation? +**\** hyc: NPO2 gives better verification efficiency, which is relevant for any later work involving larger circuits +**\** ah cool +**\** knaccc: I can share the info if desired +**\** just need to check if the researcher wants their name released +**\** yes a fedorapaste or something, with name redacted, would be interesting for discussion +**\** Yeah, he's been emailing me just before the meeting. When I hear back I'll make a paste of the info +**\** Anyway, that's my work this week +**\** Move on to others, or questions on my stuff? +**\** sounds good +**\** I know suraeNoether has been working on nonprofit stuff and also recently on some churn analysis. We really need information on output depth, which a few folks said they were interested in coding +**\** What is output depth ? +**\** Oh, link to my repo with that material: https://github.com/SarangNoether/research-lab +**\** The distribution of coinbase outputs tracked back through the spend tree of a transaction +**\** It's useful as parameters for churn analysis +**\** Is this something that's been pending for a while ? +**\** Kinda rings a bell... +**\** yup +**\** If it's a few folks that siad they would, then flaked out, I can do it. If it's a few folk that recently said so and are doing it, I won't. +**\** Not sure if flaked, or busy, or what +**\** I have little experience in lmdb, or I'd jump on it +**\** clearly moneromooo sits around all day doing... very little =p +**\** Well, remind me whenever you feel like you waited enough :) +**\** lol ok +**\** I can give more details after meeting +**\** ty +**\** if you want to poke and prod at the blockchain before writing actual code, I suggest the CLI in py-lmdb +**\** hyc: I thought our implementation was non compatible? +**\** eh? you point the python module at out liblmdb, no problem +**\** at our +**\** Ah ok, I had tried a while back to no avail, and had read that we were using too new a version or something +**\** py-lmdb itself works great +**\** with any recent version of liblmdb +**\** great +**\** I'll revisit it then +**\** Who else wishes to share anything of group interest? +**\** on the subject of LMDB, I've been doing a bunch of benchmarking on $secret $systems lately +**\** orly +**\** point of interest - common filesystems today are all journaling filesystems - they log FS ops before they perform them +**\** to give them crash resilience. With LMDB such logging is superfluous. turns out you can creatae Linux ext4 filesystems without journals +**\** which gives a nice performance boost +**\** also, I've got a patch that lets LMDB use a raw device directly, without any filesystem at all +**\** on a bulk load test (loading records sequentially, as fast as possible) this is 2x faster than ext4 with no journal +**\** oh wow +**\** it turns out you spend a lot of time just growing the file, on a filesystem +**\** that's what I can share at the moment. actual results/numbers are under NDA +**\** So LMDB on a dedicated GNU / Linux partition +**\** yes +**\** very cool +**\** is there a way to ask an commonly used filesystems to just allow raw access to some regions? +**\** With way faster sync for Monero +**\** any\* +**\** Throwback time... here's the email regarding subaddys: https://paste.fedoraproject.org/paste/KTgF84V-pHPL-dO8V8mAjw +**\** knaccc: unfortunately not +**\** doh +**\** you create a filesystem, it owns all that space +**\** Researcher asked to be identified as "that Russian dude" +**\** won't give it to you :P +**\** haha +**\** BTW, iDunk reported much faster sync on HDD with some particular options. +**\** i think it was sneurlax who was writing up spend tree code in python +**\** Just needs... a lot of data points. To fix a new default. +**\** re: churn, i have been planning to put together a 'best practices' infographic that collects some of surae's findings, as well as other usage guidelines, but work keeps eating my headspace. if ppl want to help maybe reach out and we can coordinate together +**\** scoobybejesus: righto, didn't see any final product, unless there is and I don't know about it +**\** rrol[m]: that'll be great; just waiting on some final numbers +**\** is there a way to setup a partition without root? then on make install, partition sets up automatically? +**\** oneiric\_: I think it always requires root access +**\** soon™ -- do you want the mining pool traceability analysis first or the generalized spend tree code first? +**\** damn, very cool work hyc +**\** Kinda loses the point of a fs, which is to allow files to live in parallel. So you have to preallocate loads of space to your raw partition. +**\** thanks. I guess mostly theoretical for now, impractical for most people to deploy +**\** rrol sarang: I also want to see what's known about churning for my Defcon talk +**\** sneurlax: getting the distribution of output depths (back to coinbase) for a given txn sample will be the most relevant right now +**\** sgp\_[m]: righto +**\** oh, and like sarang, I'll be giving a talk at defcon. unlike sarang's. +**\** I am not so sure this is impractical to deploy +**\** i think thats really exciting you're giving a talk about fungibility at defcon. from what i've seen, people change their mind on that topic fairly easily once presented with some evidence +**\** "people" == people that think btc is fungible +**\** Yeah, I think it'll be really relevant at the Portland event too, which is attended by a very nontechnical audience +**\** I'm shifting my language from private to fungible more and more +**\** ^good +**\** less overtones/baggage? +**\** Telling people how much it would suck if your salary wasn't exchangeable because of some ransomware crap you had nothing to do with +**\** oneiric\_: easier to explain why people should care +**\** My favorite paying for a meal with two $20 bills +**\** In the US +**\** fungibility requires a weaker form of untraceability than privacy though +**\** sure +**\** knaccc, in cryptocurrency though? +**\** and I still talk about privacy too +**\** so as long as it's not an admission of defeat :) +**\** knaccc: weaker, how so? +**\** I assume knaccc means breaking links between outputs +**\** not necessarily identities of use +**\** I use physical coinsas my example, since they have no serial numbers (as opposed to paper bills) +**\** privacy can be exposed after the fact +**\** weaker is fine for something like cash imo. there are serial numbers so it may only be 99.9999% fungible. with cryptocurrency its either private or extremely public +**\** fungibility counts in the moment more +**\** very good point +**\** In many countries fiat is fungible by law +**\** A fun topic, but to keep us on track... +**\** Are there other research topics on anyone's plate? +**\** (I'd love to continue talking fungibility afterward) +**\** ArticMine, as in no serial numbers on bills? +**\** I was interested to know if anyone thought that a 38% reduction in wallet output scanning time was significant enough to justify altering the one-time output public key construction. UkoeHB and vtnerd had some interesting comments which I've incorporated into this: https://paste.fedoraproject.org/paste/h069cKbPYUC3ixgVJIPVYw/raw This is very low priority of course +**\** I need to think more about changes to any security properties by removing the hash and replacing with a sum in this way +**\** yes, I'm sure it would need a thorough security analysis. That's why I was wondering specifically if people thought 38% was enough to bother looking into it +**\** To decide whether it's worth it, you'd need to give actual speedup, not speedup for a particular step. +**\** /win/win1 +**\** moneromooo true, I'm sure there are other factors that I'm not taking into account +**\** Seems the topics are winding down a bit, but interesting on all counts +**\** Well, thanks to all for attending today, and let's continue the discussions now that the meeting is formally concluded! +**\** ^^ +**\** thanks everybody :) diff --git a/_posts/2018-07-16-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-16.md b/_posts/2018-07-16-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-16.md new file mode 100644 index 00000000..89d6fd29 --- /dev/null +++ b/_posts/2018-07-16-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-16.md @@ -0,0 +1,205 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-07-16 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / sarang +--- + +# Logs + +**\** Welcome to everyone; greetings +**\** hi +**\** Let us go with brief updates +**\** The initial draft report from Kudelski has arrived, with generally positive results +**\** A few small things to address +**\** I am working on some prototyping code for a sublinear RingCT proposal that's progressing very nicely +**\** I delivered a talk on fungibility in Portland (in the airport right now about to depart) +**\** Other reports? +**\** I wrote a thing... it was sort of a whim +**\** endogenic and I started talking about comparing addresses when sending a transaction +**\** humans tend to only check the first five or sex and last five or six characters in an address +**\** there are graphical representations of random data so people can visually compare them +**\** one way to do this is using seashells, since they are easily parameterizable +**\** (e.g. randomart) +**\** https://github.com/b-g-goodell/research-lab/tree/master/source-code/iseeseashells +**\** nice +**\** so i wrote a thing that takes an address, hashes it, breaks the hash into 4-byte pieces +**\** uses each of those pieces to define a parameter of a seashell +**\** and then plot it +**\** so if we could get something going client-side with each transaction, with a javascript renderer, it would work like this +**\** i want to send xmr to a bitcoin address using xmr.to +**\** i fire up my xmr wallet and copy-paste my xmr.to address into it, and a seashell appears. i compare it to the seashell on the xmr.to website. they look the same, and the characters seem to mostly match, so i send the transaction +**\** (same thing for firing up my bitcoin wallet to verify i'm sending to myself appropriately) +**\** So you effectively treat the shell as a fingerprint +**\** yeah, pretty much +**\** there are collision issues +**\** its use being similar to key fingerprints in other places +**\** but i think if we do it appropriately, it's less likely than for other approaches +**\** Right, so it's not a primary check +**\** very cool, can you paste an example seashell ascii art please? +**\** in addition to that, i wrote a thing on churn that is 3+ pages long. it's statistics-heavy, still internal, will be shared later this week. it'll help inform us on our ring size choices, etc, for the next fork +**\** not ascii :D +**\** but one sec +**\** oh it's not ascii art? so won't work in the CLI? +**\** correct, it is a 3d rendering +**\** oh cool +**\** You can have cli shells there. +**\** so it'd have to be a javascript client side rendering sort of deal +**\** hehe +**\** let me find where i saved some of the cool ones last night +**\** will it work in bash, or just in csh =p +**\** you could render it easily enough +**\** :) +**\** and could also scan a render +**\** rotated of course +**\** FYI will have to leave meeting early in 20 min to catch plane +**\** 3d renderings sound much more useful than the kind of ssh-keygen fingerprint ascii art +**\** https://usercontent.irccloud-cdn.com/file/vM0sXAXB/Figure\_1.png +**\** https://usercontent.irccloud-cdn.com/file/RKtCkotV/Figure\_1-1.png +**\** so, 1) i'm using matplotlib in python, so it's ugly +**\** oooh that's lovely! much better than this: +**\** +---[RSA 2048]----+ +**\** | .++ | +**\** | .+.. .| +**\** ikr +**\** | . . . . ..| +**\** | . . .E.. | +**\** ... +**\** | ...S . | +**\** | o+. | +**\** | +..o | +**\** | o B .o. | +**\** | . + +.. | +**\** +------[MD5]------+ +**\** omg stahp +**\** the ascii, it hurts +**\** haha +**\** so, all the formulaes and everything need to be tweaked to make them prettier and more shell-like... and a good javascript person could use the marching cubes algorithm to render these really easily. someone could mess with textures and colors using the hashes, too +**\** Or we could generate rogue rooms... +**\** but i'm essentially \*not\* going to put more effort into it: my goal was to construct parameterizations of these surfaces, the math heavy end of things, so someone else can take it and run with it +**\** To jump in quickly due to time... any questions lingering about the audit results? The initial stuff has been picked up by a few sites, generally reported badly +**\** We'll respond to the findings and they'll issue a final report, and then get the rest of their payment from OSTIF +**\** The initial draft doesn't mention OSTIF, which is an oversight on Kudelski's part +**\** sarang I was going to ask about how money was transferred to OSTIF without tax exposure to the monero project or whatever +**\** i was thinking about \*how to pay for the monero conference\* +**\** like, will we need to start an LLC for each conference? maybe +**\** didn't seem like anyone found the keyspace validation issue.. is that correct +**\** ? +**\** endogenic: you mean the multiply-by-8 stuff? +**\** mm +**\** endogenic: kudelski did not mention the subgroup checks +**\** oh wiat one did +**\** quarkslab did note it in an email to me +**\** i think +**\** k \*zips it\* +**\** suraeNoether: what about taxes? +**\** scoobybejesus ^ +**\** sarang: well, some entity has to pay another entity +**\** example: to pay for a venue +**\** I mean for the audits +**\** The payment for the audit was from OSTIF, a nonprofit, to Kudelski, a private company +**\** ah, so we paid OSTIF in monero, and OSTIF is dealing with it +**\** when is QuarksLab expected to be finished? +**\** and since they are non-profit, tax reports must be made but they aren't exposed to the taxes. i get it. but now i'm thinking about how to funnel money from the monero project towards something like a venue expenditure +**\** Correct; OSTIF does the transfer to Kudelski's preferred fiat +**\** which is a different question +**\** the phrase "funnel money" sounds like a Very Bad Thing +**\** nioc: I had expected it this past week +**\** Probably a bad idea to make the audits public one at a time +**\** charuto: I've been posting public audit information as I receive it, in the interest of open disclosure +**\** i can see the argument that it foils some of the independence of the teams +**\** and IMHO we should fix issues openly as we find them +**\** Well, if they'd found something bad, we'd have wanted to wait till a release anyway. +**\** (without piping up) +**\** true, good point +**\** Their issues were only minor +**\** the last team to release their results could have done nothing and waited to see the other team's results to copy them +**\** I suppose +**\** charuto while that's technically possible, it's more likely that hte second report will merely be \*bigger\* than the first, including everything the first does, plus more. +**\** Imagine like a student assignment where students make their work public before the assignment is due +**\** yeah, except these firms make their living off repeat business and word of mouth +**\** Except that I trust these groups to operate in good faith +**\** it's not a great incentive to screw over one small software project for a relatively small amount of money, when all of them are on twitter all the time trolling zooko +**\** yeah, the incentive structure for them to not do their jobs isn't really there the way it is in high school or college +**\** hey guys sorry for being late :( +**\** hullo +**\** Anyway, other questions on the audits? +**\** We shall make changes as necessary and continue the plan toward a release +**\** i have one last quick question on that +**\** go +**\** i know we signed contracts wtih K and QL +**\** or did we just accept their SOW? +**\** We signed the statements of work regarding scope and payment +**\** y? +**\** either way, i'm curious about what we have for Buenz. in terms of "what happens if he just gets busy and phones it in? do we still owe him 10k if he does that?" +**\** We have an SoW for Benedikt +**\** There is no defined metric for what counts as "phoning it in" +**\** k i'll read through it again +**\** It is assumed that he will operate in good faith, just as we assume this for the other reviewers +**\** yep +**\** part of the reason he and the others were chosen was for this reason +**\** yep, just curiuos. +**\** When is QuarksLab expected to be finished? +**\** He gave bulletproofs research for free already. No reason why he'd try and screw us here. +**\** I emailed a few days ago to QL asking for a status update; no word yet +**\** thx +**\** I am not pleased with their lack of communication this week +**\** Well, not "no reason", that is too strong. +**\** moneromooo: i'm not assuming malice, but densely packed schedules, the priorities and prerogatives of grad students, etc +**\** suraeNoether: he waited for summer term +**\** partly because of scheduling +**\** yeah i know\\ +**\** i'm not making any accusations, i was just curious. gosh guys +**\** lol +**\** i'm going to re-iterate my request that future audits have a "suggested unit testing" section to their reports, though. if we're going to be forking over lots of cash for someone to audit our code, and they are going to spend time saying "gee, this HERE would have been an easy test to write" then... may as well +**\** anyway, that's all i have: seashells, churn paper (and small delay on multisig for churn analysis last week, but I've been communicating with Yannick of musig regarding our multisig paper, so that's still moving too) +**\** oh, if anyone is curious on the churn paper, and they are tolerant of \*incorrect statistics\* (NEVER BE TOLERANT OF THIS) then you can read my crapdraft here: https://v2.overleaf.com/read/rznczkmdmchy +**\** lol +**\** all statistics are incorrect +**\** got 'em +**\** OK, I need to board my plane now +**\** I'll be back online in the air +**\** because we're living in the freaking future +**\** man can't believe they make people actually catch the planes these days +**\** they don't taxi that fast +**\** maybe if you're riding a pony +**\** last time border police didn't let me on my flight..... again +**\** #beingstateless +**\** Okay, does anyone have any other things they want to discuss? +**\** yep, any news from the new-new-new-updated rtrs? +**\** silur yes, sarang is getting permission to post it on his github +**\** shall we merge the implementation too there? +**\** he has finished around half the algorihtms required, and has been messing around wtih an ed25519 library in python +**\** oh it's AN implementation +**\** thought only text +**\** no, no, friend +**\** sarang has been ON THIS +**\** okay, any other questions before we call it? +**\** Yeah code is making good progress, waiting on permission to include on my repo +**\** I kinda don't want to progress with mine if the reference is outdated but glad to hear the py version is goin good +**\** I don't have an opinion on it yet +**\** The code is basically to help me better understand the setup and efficiency +**\** i'm curious to bring up the question of bindings to C/C++ +**\** It's also not even remotely optimized +**\** but i know it's work +**\** the mem mgmt could be made v simple +**\** guess it can be a future goal +**\** @endogenic my implementation is pure C with openssl dependency +**\** endogenic: yeah, all we are doing right now is trying to prototype it to get a \*sense\* of asymptotic properties of verification time, etc beyond the statistics described in the paper +**\** i mean for various util libs so the usage of a specific language for r&d isn't indicated by the existence of those shared libs +**\** r&d as in prototyping, sims, etc +**\** alllrighty, well, it appears as if we have run out of stuff to talk about. Any final questions? +**\** I love you all +**\** no i mean that's unsolved +**\** ? +**\** sarang chose a specific language to work in because there were libs in that language already +**\** even if it wasn't the preferred language +**\** just saying there are alternatives and asking how recently they've been investigated +**\** oh, gosh +**\** i don't know! +**\** last time i checked... which was last year when knaccc and i were working on ruffct +**\** i believe there weren't better options available at the time +**\** but since it's just prototyping, i'm not sure it matters too much +**\** yeah, just a matter of language preference for him.. +**\** okay, \ diff --git a/_posts/2018-07-23-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-23.md b/_posts/2018-07-23-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-23.md new file mode 100644 index 00000000..3da09e0c --- /dev/null +++ b/_posts/2018-07-23-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-23.md @@ -0,0 +1,278 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-07-23 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** Allright everyone, let's get going on this. Today we are having a research meeting, whose purpose in general is to keep the community up to date on what MRL is doing. That includes all contributors, too, not just sarang and myself. We share papers we've been reading or writing, we disseminate our results... but also we get ideas from you guys, give you a chance to provide feedback to us. Today's agenda is: +**\** let us begin, eh +**\** 1) Greetings. 2) Sarang has an update on bulletproofs for us. 3) I have an update on multisig for us. 4) ArticMine has an update on bulletproof fees but I'm not sure if available... let's see... 5) soliciting questions, etc? +**\** hello +**\** Hi +**\** hi +**\** hi +**\** Sarang, want to start us off? +**\** Kudelski has completed their final report, with input from us. This reduces the number of identified flaws to 3, along with some observations +**\** All flaws have been patched by moneromooo already +**\** hi +**\** sweet +**\** if a flaw sits in a codebase, and no one is there to release it, is it a bug? +**\** The report is staged for release, but there was an issue with how OSTIF was credit in the report. That's been fixed and we're waiting for their sign-off as a courtesy for concurrent release and blag posting +**\** care to describe the flaws and their severities? +**\** However, the final report is just the draft report (https://github.com/SarangNoether/research-lab/tree/master/audits/bulletproofs) with one issue removed, typos fixed, and our brief responses inserted +**\** There was a possible overflow (low priority), unsafe use of env variables (low), lack of certain scalar range verification (low) +**\** hi +**\** and a couple of identified patches elsewhere in the codebase to harden it up a bit +**\** sarang: To be clear, 3 flaws found, which already have been fixed by mooo right? +**\** yes +**\** QL expects first draft today, but they have been delightfully poor at communicating promptly, so we shall see +**\** Bunz has not responded to my emails in several workdays +**\** "hyc> if a flaw sits in a codebase, and no one is there to release it, is it a bug?" you changed it +**\** well that already makes the audit financially worth it, in my mind: imagine someone purposely desigining a bulletproof with the overflow issue +**\** None of the flaws had identified exploits +**\** Wouldn't matter, since that function will not be used :) +**\** <3 +**\** hence the low priority +**\** but i imagine someone could do something nefariously annoying with it +**\** even if it wasn't a full on exploit +**\** perhaps +**\** anyway +**\** We didn't know at the time it wouldn't be used. We know only since ArticMine's fee proposal limits to one proof per tx. +**\** aha i see! so it's even lower priority, since it's not a functional component +**\** that's neat +**\** "we found a flaw in your design: the appendix." +**\** "i mean what is that really" +**\** Aside from BPs, I have been working with Ruffing's colleague on ring sig stuff. I now have enough information to jump a big hurdle in the prototyping code +**\** oh yeah you saw that email he sent with the polynomial info? +**\** This code has been cleared for release to GitHub, so I can push to a test branch on my repo +**\** suraeNoether: yes +**\** awesome +**\** I think he has it a little backwards tho +**\** (transpose of his matrix, IIRC) +**\** I'll check with him to confirm +**\** these are sublinear batch-verification ring confidential transactions, for those of you in the crowd keeping track +**\** We haven't been cleared to release their draft paper unfortunately, just the code, with the understanding that it's very, very early +**\** and we have no definite plans to do anything with it yet +**\** needs "quantum" in the name somewhere +**\** sarang one last thing on BPs: want to write a blog post on "the current state of our art" with bulletproofs + audit results? we can hold off on releasing it until after all the audits are in, or we could do it piecemeal, but I want a link I can point to that summarizes all the optimizations etc, and maybe summarizes the net improvements we'll be seeing +**\** However, it includes a built-in range proof (SORRY BULLETPROOFS) and can take advantage of our cool multiexp stuff +**\** suraeNoether: I'd wait +**\** We'll publish the Kudelski final report first, in the interest of transparency +**\** "quantum transactions: you can either be sure the money was authorized to be sent and not a double spend, or be sure where it's supposed to go, but you can't be certain..." +**\** ;) +**\** neato burrito. Does anyone have any questions for sarang on the bulletproof updates, or the sublinear ring signature scheme (the paper we have not been given permission to share, btw) +**\** kk +**\** surprised you're allowed yo publish the prototype code, since that obviously gives away the algorithm from the paper +**\** They wanted it clearly identified as code only representing a draft paper +**\** and the code has no security proofs, obviously +**\** will the sublinear ring signatures work alongside bulletproofs to reduce signature size/ verification? +**\** hyc they don't want to embarass themselves by pushing out incorrect proofs, or typo-laden stuff, etc, and they want the code to be labeled as sarang just described +**\** oneiric\_: they can either use BPs or a built-in range proof option +**\** question: can the ruffct proofs be bulletproofed? +**\** very cool, thanks sarang +**\** They essentially take all the statements in a RingCT proof and batch them all together in a big polynomial matrix +**\** the range proof is one row of this matrix +**\** then they compress them down logarithmically +**\** that sounds to me like the bulletproof method could be applied to it. interesting. +**\** it's very clever +**\** not really +**\** they use a method by Bootle on polynomial zero-knowledge systems +**\** I can link the Bootle paper later +**\** that's been out for a bit already +**\** I don't know why you'd want to bulletproof this system +**\** it already is logarithmic +**\** let me put it another way: i'm curious about whether bringing the polynomial commitments into bulletproofs would bring anything, not the other way around. but nevermind, we can move on. :P +**\** and allows for a fair bit of flexibility in the statements you can include all at once +**\** oh, I haven't considered that. My gut says "not easily" +**\** nothing worth doin is easy. :P +**\** speakign of which, moving onto multisig +**\** https://v2.overleaf.com/read/bfjfkdgnhgvh +**\** i'm moving through to verify equations, but proof structure is all finished, and we have some other updates to make like copy editing, etc +**\** the hard parts are all completed +**\** for \*this\* paper +**\** congrats! +**\** it technically is not proving anything about MLSTAG-style ring confidential transactions, or our view key structures +**\** instead... +**\** well, it's like a plain public key model, you use one key X, I use one key Y, we compute one shared key Z, and we compute a ring signature with some fake Z's +**\** instead of: I have a pair of keys (A,B), you do too, we merge the B's, etc +**\** but it's the underlying threshold ring signature scheme upon which our extensions are based +**\** and it's secure! +**\** now, the ruffing paper with sublinear ring confidential transactions defines RCT as a primitive, and proves a variety of security properties specific to that primitive +**\** they are helping lay the foundation of the path towards proving our entire current set-up secure... but if we are considering switching to ruffing's approach eventually... +**\** considering is a very strong word +**\** intrigued is a better word +**\** heh, well you and I and everyone else immediately say "what" about ring signatures? +**\** "ugh, ring signatures need to be replaced eventually" +**\** yes please +**\** but until that day, bigger is often better +**\** ring size, not proof size +**\** a full and complete rigorous description of our current ring signature set-up like in this multisig paper if ring signatures days are numbered? not sold on the utility of that +**\** and other things ;) +**\** motion of the ocean, rehrar, motion of the ocean +**\** lies +**\** I'm lost now. +**\** Do we have possible alternatives to ring signatures in the pipeline +**\** Not particularly. Nobody has a way that's untrusted and smaller and faster yet +**\** ArticMine: other than ruffing's ring confidential transactions, which are the only good candidates we know of for ring sizes 32-64, short of using a zk-stark set-up... not yet +**\** Ruffing is still essentially a ring signature +**\** in that we rely on key images and known decoy sets +**\** It just uses a more general language to prove the underlying statements +**\** fair enough +**\** I look forward to the shitty newzsites: MONERO TO GET RID OF BULLETPROOFS +**\** Anyway, I plan to continue working with the Ruffing scheme +**\** heh +**\** ArticMine had much to say about fees +**\** I have a proposal for better than ZKPs: negative knowledge proofs. the longer you analyze them, the dumber you get. +**\** allrighty, other than a bit of work on churn, i've spent like 12+ hours per day on multisig for a week so i'm taking a few days off. :P heh... and i'm done. +**\** hyc i love it +**\** hyc we should make tshirts +**\** yes, ArticMine please enlighten us on bulletproof fees +**\** suraeNoether: definitely carry on with churn going forward +**\** I posted the proposal in dev https://docs.google.com/document/d/1Y3IsjH7ywJOvFeZd1qT1fRfz2lw8APp8ptcyDXzYrxk/ +**\** wheee! yay +**\** Basically we replace size with weight to account for the Log2 scaling of BP verification +**\** (BTW don't view link if you have an active Google session, or your information will be listed as a viewer) +**\** View it without a Google log in +**\** correct +**\** anyway, carry on +**\** Your second FOR loop applies to the (total number of outputs) - 2? +**\** The key is that size has to be replace with weight in the determination of the block size now block weight penalty +**\** The weight only applies when there is more than 2 outputs and we limit the maximum number of outputs to 16 +**\** so fees are flat\_fee + (# outs - 2)\*fee-per-out? +**\** Yes +**\** sweet! +**\** does anyone have any questions for ArticMine ? +**\** could a reduction happen with only one output? +**\** Why would there be one output? +**\** someone gaming the weighting algo +**\** if an output is spent with no change +**\** if you sweep a wallet won't there only be 1 output? +**\** or if you want no change +**\** yeah +**\** I thought wallet always generated a zero-amount second out +**\** It does. +**\** Is that consensus level? +**\** No. +**\** ty +**\** didn't know that, what's the purpose of it? +**\** is it for anonymisation? +**\** Still since it is possible it need to be accounted for +**\** tnsepta: since most txns are 2-in-2-out, it helps keep most transactions distinguishable +**\** Actually there can be many txs that are 1 in 2 out +**\** wait?fair, i should just restrict my statement to number of outs +**\** x-in-2-out +**\** but anyway +**\** and they are significantly smaller in size now because the ring signature part is more significant +**\** yup that makes sense then from an anonymisation standpoint +**\** Is anyone else doing anything interesting with monero they want to chat about? +**\** One other point here is increasing the ring size to 11 or using a fixed ring size of 11 +**\** This actually helps mitigate the verification issue +**\** This is where I'd hoped we would have better data on churn/diffusion and its relationship to ring size +**\** Why 11? +**\** oh, gosh, moneromoo o built me a utility that i can use to figure out whether there is a numerical solution to that! +**\** i forgot! i've been so busy finishing multisig +**\** yup yup +**\** Likewise +**\** moneromooo built a utility that computes the # of unique transaction outputs in the history of any given transaction +**\** I piked 11 as the largest ring that would still allow for an 80% fee reduction +**\** oh, that's a good metric :D +**\** We should have concrete data to show the benefit +**\** Otherwise we're just saying "surely bigger is better" +**\** So all the fee calculations are based upon a ring size of 11 and a 2 in 2 out tx +**\** and then there's a counterargument about keeping ring size and taking smaller txn size +**\** at the very least we wanted to moved to a fixed ringsize this upcoming hard fork, yes? +**\** regardless of bigger or not +**\** I believe that is best +**\** i think that would be beneficial, yes +**\** we are at 7 now? +**\** is that rihgt? +**\** In my proposal my recommendation is fixed 11 +**\** yes +**\** Yes +**\** that is rihgt +**\** Yes 7 +**\** We can at least make fun Spinal Tap references to convince people it's a good thing +**\** i'd support a fixed number between 7 and 11. i have no skin in this game, so to sepak +**\** I'd support learning the effects +**\** sarang: oh yeah we can brand this the spinal tap update, with bulletproofs and ring size all the way to 11 +**\** and making a decision based on that +**\** 11 rings when you need 1 more ring than 10 +**\** lol +**\** why not just make 10 bigger? cause ours go to 11 +**\** I see you got the idea rihgt. +**\** The case for a fixed 11 are 1) User simplicity 2) No ring profiles 3) There may also be a regulatory advantage in taking away control from the user here +**\** I still think we need to start naming our changes (PoW, network upgrades, etc.) to make them seem less contentious +**\** i'll run moneromoo's utility, it'll take a day or three of boiling my ram, then i'll have an answer about "what ring size is so large that improvements become negligible? +**\** ty suraeNoether +**\** keep me in the loop +**\** post results here, I wanna know too +**\** Any questions? +**\** rehrar: of course +**\** Will we be ready for the "freeze"? +**\** Moving to a static ring size is more important than bumping it imo +**\** has the freeze been discussed yet? +**\** When is our desired freeze date +**\** I need to update the verification time and size increase to account for bulletproofs before making any analysis. The % will be higher since outputs are a smaller consideration +**\** Yes, one: have you considered allowing compound proofs for the case of 2^n+1 ? +**\** Is there support for static 11 ring size? +**\** Yes. +**\** any interest in a consensus rule that # of outputs must be >= 2? +**\** I would say Yes, unless suraeNoether's research shows something surprising +**\** ArticMine: i support a static ring size. i will hold off on a number for a day or three +**\** Are there any arguments/reasons against using a static ring size? +**\** ArticMine I need to compile more info before agreeing, but I think the number is generally reasonable +**\** I definitely support static +**\** Some users will argue they want "greater privacy" +**\** i think 11 in general is fine, actually +**\** I think those users are wrong +**\** i may support a slightly higher number +**\** i tentatively support static 11 +**\** No, they're not. Everyone should want greater privacy. +**\** They get to send to themselves once, and wait for a day or so. +**\** People who REALLY know what they're doing lose flexibility +**\** I think they're wrong about the big ring size moneromooo, not wanting privacy +**\** isn't there a balance between privacy and prices? +**\** Yes +**\** tnsepta: there is, the question is whether the balance will be on the side of privacy or prices. :P +**\** @xmrhaelan et al over in Monero Outreach could do some preemptive education about "ringsize > default ---> LESS privacy, not more" +**\** tnsepta: Price as in fee price or? +**\** but it's misguided to believe "I want greater privacy than the average monero user so whatever ringsize they use, I'm going to use a bigger one" +**\** A increase over 11 will require a modification of the fees. +**\** Basically what matters is the ratio of the reference transaction weight to the effective minimum block weight +**\** okay, let's move on for now; seems like a static ring size is supported regardless of whether we increase it or not or by how much +**\** That alternative is to increase the minimum effective median block weight above 300000 bytes +**\** have you considered allowing compound proofs for the case of 2^n+1 ? +**\** moneromooo: can you elaborate on your question? +**\** The case where the # of outputs is 3, 5, 9 +**\** Sure. If you have 9 outs, have you considered allowing two proofs of 8 and 1, insetad of one of 16 ? +**\** and we round up +**\** Since that' the case that hurts most in verification time. +**\** Yes the tradeoff is size +**\** So you considered it, and deemed it better even in that case ? +**\** Yes +**\** OK, thanks. +**\** In fact the 9 case is the tricky one +**\** When is our ideal freeze date? +**\** Also the pricing treats 9 the same as 16 +**\** sarang: good question +**\** we should have asked that in dev at the last meeting +**\** ok does anyone else have anything they want to chat about? +**\** Monero Archival Project is chugging along nicely. Transitioning to VPS infrastructure, spun up nodes on 3 continents now. Having multiple geographically-distributed archival nodes will helpful for understanding the representativeness of our data, and enables study of network topology/latency. +**\** NeptuneResearch is working on updating our archival daemon to be compatible with 0.12.3.0 and expects to be done soon. +**\** that's such a cool project isthmuscrypto +**\** do you guys have an irc channel or a website or something +**\** ? +**\** #noncesense-research-lab +**\** heh +**\** Anybody is welcome to join, we just keep the data science-y stuff over there to avoid flooding the MRL channel +**\** cool +**\** i think it's interesting, though, so you're welcome to talk about it here too :D +**\** Have some preliminary results analyzing the spring data. Going to do some double checking, and documentation, but will run the results by you in the next month or so. +**\** Thanks! It's helpful to get input from MRL +**\** Our timing today is perfect; exactly one hour +**\** I'll finish up some polynomial stuff and continue lighting small fires under reviewers' asses =p +**\** yep! have a good day everyone diff --git a/_posts/2018-07-30-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-30.md b/_posts/2018-07-30-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-30.md new file mode 100644 index 00000000..5269d53c --- /dev/null +++ b/_posts/2018-07-30-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-07-30.md @@ -0,0 +1,113 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-07-30 +summary: Sarang work, others work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / sarang +--- + +# Logs + +**\** We can start now +**\** Greetings +**\** This will be a brief meeting to catch up on recent research +**\** All bulletproof audits have completed +**\** Kudelski's final report is posted. QuarksLab is updating theirs with our responses before releasing their final version. Benedikt Bunz is updating his similarly with our feedback. +**\** yaay +**\** I continue to work on some new ring signature algos from Ruffing et al. +**\** very nice, excited to read the most recent reports +**\** lots of fun building blocks with that scheme +**\** and suraeNoether has provided a multisig paper for me to review +**\** that is also in progress +**\** any questions on these things in particular? +**\** let's collaborate on that I have an implemaentation on the first paper version +**\** C, openssl +**\** silur: sure, the initial parts of the prototype are on my repo, rupol branch, in python +**\** been working on rtrs for a long time +**\** okay, will write you after the meeting +**\** anything in particular to share regarding your rtrs silur ? +**\** well we just have to update it to the new-new-new construction +**\** I only have the unpublished internal version of the first paper +**\** righto +**\** We shall talk afterward +**\** Any other interesting work to be shared? +**\** anyone see a problem with running openssl transpiled via emscripten in a browser? +**\** I feel extremely not qualified to answer that properly +**\** endogenic: openssl, transpiling, emscripten, and browsers are all bad for security +**\** yep, no worries, just throwing it out there +**\** lol +**\** then why does monero use it lol +**\** where? +**\** monero is writtcen in C++ +**\** common/util.cpp (LOL) #include ... ringct/bulletproofs.cc #include ... +**\** yea but where do we transpile it with emscripten? +**\** just asking +**\** I don't really recommend that +**\** any specific reason? +**\** don't know about emscripten internals but we used to have a thing called openssl code health tuesdays +**\** after a month we eliminated 40K dead lines and 8 dead platforms +**\** I think that's a reason not to include it in browsers +**\** emscripten handles that sort of stuff +**\** there are lots of reasons that projects might have an openssl dep (bitcoin had one for a while). it takes time to eliminate it as other options are developed +**\** also it has lots of inline ASM stuff how does emscripten handle that? +**\** but in all seriousness, if you're doing crypto in a browser, you should stop, because it's snake oil. a browser cannot run code in a secure environment. +**\** Did anyone check out the paper I posted last week? +**\** https://arxiv.org/abs/1702.07588 +**\** http://matasano.com/articles/javascript-cryptography/ +**\** andytoshi: people are going to run worse web wallets if we don't +**\** run one that is +**\** I'm curious if FHE can be used for remote node syncing, to allow us to make queries on encrypted data +**\** silur: 1sec +**\** needmoney90: you want PIR for that, not FHE. and there are existing PIR primitives that are actually implemented and usable (see percy++) +**\** It's possible that due to our static append only data set that we can't actually hide access patterns +**\** needmoney90 thanks a lot, it seems super interesting +**\** Never heard of PIR, got a paper for me? +**\** Maybe I just don't know the acronym +**\** private information retrieval +**\** lots of stuff on PIR +**\** thanks for percy++, i'm working with pir a lot for riffle +**\** where do we need that btw? +**\** in monero? +**\** silur: emscripten might not be able to handle it, depending on exactly what's there. i guess maybe an alternative implementation exists +**\** people seem to have been able to do it , in any case +**\** 🤞 +**\** is boringssl an option for you? +**\** oh +**\** ./configure --no-asm +**\** of course +**\** oneiric\_: not to ignore you - i'll investigate if it becomes necessary +**\** Anyone else wish to share something intriguing on their minds? +**\** Also welcome andytoshi +**\** Oh, I can give a #noncense-research-lab summary +**\** please +**\** Lots of action in the Monero Archival Project this week. @n3ptune released a new version of our custom archival daemon, and @serhack has been working wonders, configuring and maintaining our network of global VPS-based nodes. +**\** I have been playing around with temporal analysis of the blockchain. Miner-reported timestamps were shown to be very unreliable, since 2% of blocks include a timestamp that is \*before\* the timestamp of the block prior. +**\** These time-traveling Merlin blocks showed up while scoping out the distribution of wait times. https://usercontent.irccloud-cdn.com/file/tLUEZ9aU/ttblocks.png // Looking at the wait times for the block above and below the Merlin blocks themselves, we see that it is skewed toward a longer interval afterward, suggesting that they are actually being retroactively timestamped. +**\** Our new daemon (upgraded last night) records the node-receipt timestamp(s) in addition to the miner-reported timestamp, so expect some way more detailed analysis of that soon. +**\** I'm a little exploratory study of how fast the blockchain syncs at each height. It's mostly a cute novelty, but if there are interesting features (e.g. discontinuities around introduction of new tech), or notable conclusions about empirical scaling, I'll share back here. +**\** (/end) +**\** Whoops, here's the second link, showing the skew in wait times before and after Merlin blocks: https://usercontent.irccloud-cdn.com/file/f46p6Ddd/merlin\_parent\_child +**\** this is very interesting work +**\** sarang: we've made a lot of progress on musig recently; you can see https://github.com/apoelstra/secp256k1/blob/2018-04-taproot/src/modules/musig/musig.md for our current API. may have insights valuable to monero in future when you guys support arbitrary multisigs +**\** oh excellent, thanks +**\** Shoot, I gave the wrong channel above. #noncesense-research-lab +**\** andytoshi: what are the overall plans for musig? +**\** sarang: well, musig signatures verify identically to schnorr.. +**\** so the goal is for bitcoin to support schnorr as part of taproot +**\** and then wallets would implement musig if they're doing multisig stuff +**\** since the resulting multisigs would be smaller/more private than ones using CHECKMULTISIG +**\** Great, so laying the groundwork for future wallet code +**\** cool +**\** It seems fairly quiet here otherwise today, so any other material to share? +**\** not really, i've mostly been doing rust-bitcoin ecosystem work +**\** yknow people have been transpiling rust to JS too :P +**\** and wasm :D +**\** well that's what i mean :P +**\** wasm openssl is not a bad idea tho +**\** looks like I have a new sideproject +**\** oh that's just what i'm talking about... +**\** whoever beats the other to it i guess +**\** it's easy enough +**\** i have instructions.. :P +**\** i have boost transpiled already.. +**\** Well, I think we can safely call the meeting then, everyone can continue performing admirably diff --git a/_posts/2018-08-20-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-08-20.md b/_posts/2018-08-20-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-08-20.md new file mode 100644 index 00000000..f2ec50e9 --- /dev/null +++ b/_posts/2018-08-20-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-08-20.md @@ -0,0 +1,180 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-08-20 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** lets begin +**\** fluffypony: knaccc luigi1111 sarang ajs[m] andytoshi anonimal ArticMine binaryFate chachasmooth dEBRUYNE endogenic gingeropolous hyc iDunk isthmuscrypto john\_alan jwinterm knaccc kerber m2049r[m] moneromooo MoroccanMalinois needmoney90 nioc philkode pigeons rehrar[m] rrol[m] scoobybejesus sgp\_1 sgp\_[m] smooth sneurlax stout stoffu UkoeHB unknownids vtnerd waxwing +**\** let's hang out for 2 minutes and we'll start +**\** careful, mass mentions can get you autobanned +**\** hello +**\** hi +**\** sarang i've been doing it for a year. \*shrug\* you mean from freenode? or from this channel? +**\** freenode IIRC +**\** due to all the recent spam +**\** hi +**\** hi everyone +**\** Hey, I have the code to provide mining-pool-reused outputs in the format moneromooo requested up at github.com/sneurlax/xmreuse. I don't know if or how there's a way to add to the blackball database from GET/HTTP calls but that's what I was asked for. I need to update the outputs, I think, and add more pools over the next few days, but it's pretty straightforward... +**\** The repo is private at the moment if I recall correctly. Drop github names to invite or I'll make it public whenever y'all say to +**\** hi +**\** Welcome to the first post-defcon MRL research meeting. Agenda today is simple. 1) Greetings (done!) 2) Does anyone have any items they want to add to the agenda? 3) Let's catch up on what everyone is doing. +**\** Sorry to dump and I have to have an afk meeting now but I'll catch up on what I missed after. +**\** sneurlax: great, thanks! +**\** sneurlax I would like to be invited if possible. I'm added to xmreuse-firebase but not xmreuse +**\** okay, as far as stuff \*i\* am doing/want to do: depending on contact from one person, we'll be putting multisig up on IACR. in the meantime we can publish it as MRL-7 or whatever we like as a technical note, or as an author version or something like that... +**\** but that depends on whether the journal we decide upon is greedy and has a concurrent publication policy +**\** Absolutely. Anyone that wants to can be, or just let me know to flip it public. Later tho +**\** weww +**\** my first priority is to publish the multisig paper as a peer reviewed document. send, as an MRL bulletin. why? MRL (from my point of view) isnt' interested in drifting toward the publiccation world yet. :P and getting more peer reviewed articles published under the MRL \*name\* is more important than publishing our own articles without review +**\** my second priority this week is sarang's DLSAG paper and some research on side channel stuff +**\** I'll look forward to the DLSAG review; we can push it as an MRL once internally reviewed +**\** my tertiary priorities this week are: discussions about an MRL research assistantship program, and work on the MAGIC non-profit stuff. +**\** i already read it once and i saw no troubles with it, but this time i'm looking at it more closely +**\** What side channel stuff are you researching? +**\** that's a broad area +**\** ooh, let me know if I can help with the assistant research program +**\** the whole \*waves hand\* broad side of the area on \*waves hands more\* this side of the area +**\** that assistant research program sounds intriguing by name +**\** so, the MRL research assistantship program... \*sigh\* so like, look +**\** we, as a crowd-sourced open source project, have a fundamental problem with funding things in crypto +**\** and that is: if anyone wants to do anything organizational in nature, they eat the taxes +**\** if i want to host a job search for MRL, for example, well.. we aren't a company, someone needs to hold the cash, and spend it, for making websites and putting up job postings, etc +**\** if it's an individual, it's all individual income, capital gains and losses... it's insane to try to do it that way legally +**\** Not really, just annoying +**\** that's how we operate +**\** well, the hiring example isn't a good example, but hosting a conference \*is\* a good example +**\** yes +**\** that's tens of thousands of dollars worth of liability, possibly hundreds depending on size +**\** in general, though, there are lots and lots of little things that all add up to "SOMEONE SHOULD START A FREAKING COMPANY HERE JUST TO DIRECT FUNDING THROUGH." and that ... is... i'm a math phd, i'm not a business dude. it's not appealing to me +**\** so something like a research assistantship program is an idea that i've been kicking around with sarang and fluffypony +**\** and some others +**\** where we invite graduate students from across the country to apply. the core team and MRL go through applications and short list us down to 3-5 candidates. then each of those candidates starts their own FFS +**\** and either the FFS sends funding directly to the students, or sends it directly to their university, leaving all the liability on the student and/or the school +**\** doesn't sound like a solution for the conference problem, but I like the step nonetheless +**\** this way, grad students who were in the same position sarang and i were in when we first srtarted at MRL can apply, get some funding, and become monero fanatics who will volunteer their time and blood forever. :P +**\** no, not a solution to the conference problem +**\** For the conference, outside groups have come forward and expressed interest in managing/funding +**\** yeah, i think fluffypony is attempting some solutions to that in a roundabout way +**\** but, again, we're kicking ideas around +**\** yep +**\** Any way we can help, specifically in the research assistant thing? +**\** I also have it on good authority that a research assistant FFS would have no trouble being funded +**\** well, one thing we could use is a secure survey/application system. +**\** stout: I think good resources for job postings would be helpful too +**\** google forms is criticized as being ... google, obviously +**\** Cast a wide net for quality applicants +**\** surveymonky allegedly leaks IP addresses, etc +**\** my understanding is that thunderosa on reddit has made secure survey software for monero before, so that'd be interseting to look into +**\** use blockchain +**\** When using Google you give the info to Google, but only form info is shared with the owner +**\** as far as advertising and finding sources for job postings, that part is easy. we can literally just send out an advertising email to every single computer science and math department in the US and europe. no problem. that's not hard, and there are lists for things like that. +**\** "to every single department" o\_0 +**\** why not? +**\** it sounds tough +**\** there are list-servs for it +**\** hmm +**\** clemson got spammed constantly by such advertisements +**\** except it wasn't really spam +**\** it was legit grant and scholarship application stuff +**\** besides: i don't want to spend time narrowing down which schools to advertise to, for a bunch of reasons +**\** https://www.youtube.com/watch?v=yDbvVFffWV4 +**\** righto +**\** yeah, that's ... surprisingly how clemson was. so many students were like "GOSH DUDE I NEED LIKE 3 MORE SEMESTERS TO GRADUATE, LEAVE ME ALONE!" +**\** but it was all industry jobs. :P +**\** anyway +**\** the thing is about google forms +**\** 90% of grad students already have to use google and their products +**\** Yeah, I think Google Forms is totally fine +**\** i don't want to discourage people who are very privacy-centric from applying by using google forms, but i also know that most of our applicants really won't care too much +**\** I use it for anonymous student feedback all the time +**\** Not a fan. +**\** OK, they can email the info to us as an alternative +**\** ? +**\** good +**\** they can always drop an encrypted blob into the google form, tbh, but then we have to decrypt it in a virtual box or something, things get annoying fast. :P +**\** let's not complicate things too much +**\** if we can help it +**\** Yeah, I feel google forms or not is just a minor point right now. +**\** Might be wrong, of course. +**\** anyway, any other big info along these lines to share? +**\** wait, just to be clear: does that mean we have a weak consensus for this first round of applicants that google forms should be good enough, but if folks want to apply in a more private way they should try to arrange to do so with our protonmails or something like that? is everyone chill with that, even if you aren't a google fan? +**\** It really comes down to how you end up storing data, IMHO. If you put the PM data into a Google sheet, the applicants gain nothing +**\** true. that. +**\** the most vocal statement so far about this is stout saying "not a fan" so i'm guessing everyone's pretty chill with this approach in general for now +**\** we'll leave the discussion open about this for a week or so, then we'll start designing the application i guess +**\** i got nothing else on the MRL RAP +**\** roger +**\** Offering an alternative to google always finds my vote, and protonmail is great. I don't object. +**\** I was asked to be on the OSTIF advisory council, so that's a bit of news +**\** gave a local talk on privacy +**\** some lit review +**\** BP follow-up +**\** wow +**\** polynomial stuffs +**\** def do the advisory council +**\** Yeah we had a video meeting last night +**\** It helps them prioritize and set their goals openly +**\** they're doing good work +**\** is OSTIF a non-profit? +**\** IT IS +**\** dude +**\** yes +**\** as a board member of MAGIC i strongly encourage you to network :D +**\** One of the duckduckgo leads is on the board, among others +**\** a good group +**\** Are you going to take the offer? +**\** And congrats, of course :) +**\** It's an informal group, but yeah +**\** cool. anyone have any other topics to talk about? +**\** It's good to get our name out there as positive contributors to the bigger community +**\** yes +**\** One topic that came up +**\** over def con +**\** was the idea of "outgoing view key" functionality +**\** ohhh yeah, still thinking about that, but my last attempt did not work the way i wanted it to. did you have ideas? +**\** I am still thinking about ways to do it with the new language afforded by the RuPol scheme +**\** I don't have any solid answers yet +**\** I think it's important to consider this and other topics that may become more relevant as Monero increases in adoption +**\** things like exchange blacklisting, outgoing view, etc. +**\** I also considered accumulator-based schemes off-chain for the view functionality, but you need to still prove that an output was generated correctly +**\** Not that a "me too" attitude matters, but it's clear that Zcash is introducing this to encourage exchange adoption +**\** I need to read up on their Sapling circuit to better understand their approach (I admit to knowing zero about it) +**\** That's all the news I have atm +**\** any thoughts on this would be appreciated +**\** I remember some voices on reddit saying that all private keys should be kept private at all times, especially including the view key. +**\** I don't necessarily agree with this, just some input. +**\** Yeah and that might be the primary opposition to the idea +**\** The broader question about the nature of our optional transparency +**\** Of course, higher ring sizes counter the effects of known spends +**\** and those are easier now that we're saving space +**\** And another counterargument is that if you are forced to give up some privacy, at least have it granular. +**\** Else whoever is trying to get info will just straight up force you to give up all private keys. +**\** One original motivation was the idea that an exchange might require account balance information for some clients +**\** as a condition of use +**\** a la bitlicense +**\** I personally am fine with users having the choice of transparency, provided this doesn't harm other users +**\** and provided they can do so with understanding of the consequences +**\** I think it's a discussion worth having in a broader scope. +**\** absolutely +**\** and it motivates specific discussions based on particular implementation ideas +**\** Anyone else care to share their recent work? +**\** Not much. I've been working on the blackball tool for the past few days and adding to the fixed ringsize Github issue +**\** I just applied to speak at the NDSU conference next month, so hopefully I am selected +**\** Nice! +**\** Ring sigs? +**\** more general privacy tech +**\** how so? +**\** What privacy technologies are available, what are their use-cases, etc +**\** Nice, broad zero-knowledge systems vs. mixers vs. our approach? +**\** I don't want to talk too much more about mixers since that's told news, but things like tumblebit, CT, ring sig, zkSNARK, etc +**\** Cool, I'd be interested to know what specifically you'll discuss related to snarks +**\** zkSNARKs make sense for "private blockchains" (I hear your complaints) since they are already running in a trusted environment +**\** are you gonna discuss how they operate specifically? scaling w/ circuit size etc? +**\** No, this is a more business-focused audience +**\** got it +**\** I'd say we can adjourn the meeting, but sgp\_1 what are your views on "private blockchains" as they relate to trusted participation? diff --git a/_posts/2018-08-27-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-08-27.md b/_posts/2018-08-27-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-08-27.md new file mode 100644 index 00000000..c0d59e67 --- /dev/null +++ b/_posts/2018-08-27-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-08-27.md @@ -0,0 +1,200 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-08-27 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** The meeting starts presently +**\** rbrunner: answer is there no? +**\** suraeNoether: care to begin? +**\** oh gosh +**\** lost track of time +**\** Hi, everyone, my agenda today is 1) greetings, 2) description of the noether bros recent work, and 3) open up the lab to discussion. I wouldn't mind hearing from silur and IsthmusCrypto. +**\** So, hi everyone +**\** hi +**\** hi :) +**\** Hello there +**\** This week I submitted our multisig paper to IACR, started reading the DLSAG paper by sarang and started writing up notes for thring confidential transactions and their applications to cross-chain atomic swaps +**\** woop woop +**\** waiting on a link from IACR +**\** So you'll be taking the DLSAG and extending? +**\** sarang: if you don't mind. we could do two separate papers but I don't see a good reason for that, unless yours is already over 15 pages? +**\** I would also like comments on its current "technical note" form, for internal publication +**\** yeah, for sure +**\** But yes, I would like to see it publishable elsewhere too +**\** Mine is ~7 IIRC +**\** i feel like "Spender-ambiguous cross-chain atomic swaps of confidential assets" is a sexy title +**\** it is +**\** yeah, i'll provide notes on that as a technical note, then i'll copypasta to a new doc for swaps +**\** Let's stay in close contact regarding the DLSAG work and extension +**\** yes +**\** excellent +**\** if you want to do more of the writing before handing it off to me, i think with our writing dynamic it may be appropriate to find a third author to "finish it off" so I don't spend months being a perfectionist +**\** Let's wait and see how it goes +**\** No need to put the cart before the LaTeX manuscript +**\** i was basically going to take the appendix from "Enabling Blockchain Innovations with Pegged Sidechains" by Back, et al, describing cross-chain atomic swaps (initial suggestion by Tier Nolan) and write up a highly detailed version of it with thring signatures +**\** so if you want to have more of a hand in writing it, i can put that down for a few days and give you a chance to put some words into it +**\** aye +**\** cool. so, what have \*you\* been up to this week? +**\** sorry is thring signatures a typo or the new name? :D +**\** I've been working with mooo to make BPs even faster +**\** new name +**\** Threshold Ring Signatures = thring signatures! +**\** I coded up an addition chain for scalar inversion that doesn't need the OpenSSL library +**\** and batch inversion that lets us compute a bunch of inverses speedy quick +**\** Threshold Ring Confidential Transactions = Thring Confidential Transactions! Woooo! +**\** We're now seeing batched BP verification > 40x faster than borromean +**\** jfc +**\** wow +**\** So yeah, a bunch of new optimizations +**\** It something in the stuff that is planned to go online tomorrow on testnet? +**\** I'm also doing initial work toward off-chain safe balance computations +**\** rbrunner: the PR includes only some of the optimizations +**\** not all +**\** i vote fixing ring sizes at 36 and keeping them fixed for a year while we look into sublinear optimizations. :P +**\** it would be a good problem to have +**\** Unfortunately the prover is still 2x slower than borromean +**\** Oh, I bumped like 25% off the prover btw. +**\** lolwut +**\** go on +**\** Not looking at it anymore for now :) +**\** commit #? +**\** I took out 128 scalarmults IIRC. +**\** jfc +**\** https://gph.is/1e0T1tY +**\** oh, i wanted to add an item to the end of the agenda +**\** lol sarang +**\** 81a65c30d667eaf5e4a1f0ecd1e64746b09cfdd7 +**\** 4) the possibility of an FFS for QuarksLabs to just audit our whole codebase. +**\** ty +**\** Aso +**\** or some part of it +**\** \*Also +**\** hello everyone +**\** I want to keep working on trustless accumulators for safe balance computation with auditors +**\** ^ +**\** sarangpls +**\** PIVX claims to be working on a form of this that's bulletproofs-compatible +**\** sarang: do you have any links on that? i know we talked about that euclidean-ring based one +**\** I've also been chatting with Zcash devs on their knowledge of this field +**\** suraeNoether: the issue is efficiency when it comes to committed values +**\** BPs let us do this more or less for free +**\** You need to have an accumulator that you can prove was computed correctly with all outputs, and then provide proofs of membership of all the outputs you control, and show that the balances compute +**\** my goal is an off-chain solution that requires no protocol changes +**\** but also doesn't give the auditor direct knowledge of spend outs +**\** (modulo knapsack-type attacks) +**\** Our goal is \_not\_ to encourage users to reveal their key images, which is bad for privacy +**\** it should be to allow a user to safely prove a balance without showing key images +**\** hence the benefit of commitment-based trustless accumulators as one possible approach +**\** i'm eager for any reading you have available for that, although i don't know when i'd get to it. :P +**\** I'll keep a running list +**\** Zcash team had good early discussion on this same problem, and I'm following their logs as a start +**\** cool, consider it a literature review in prep :P +**\** yup +**\** i wonder if a zk-ledger sidechain run by all the exchanges would work +**\** If PIVX figured this out, hot damn +**\** not really trading tokens around but only committed balances +**\** and zk-ledger is largely trustless, iirc +**\** In the approach in my head, Alice would share an accumulator that she filled with all outputs on the blockchain +**\** and i don't see how it wouldn't be BP-able +**\** the auditor could verify that it was computed correctly +**\** new type of lightning network? :P +**\** strictly for auditing/compliance purposes... uhm. +**\** and using this she can construct zk proofs that her outputs either are or are not in the key image list +**\** can i suggest another agenda item? ring sig replacements.. could it make sense to give research into that to another funded postdoc as a main project? +**\** depends +**\** right now there are no good solutions, and people are looking for them +**\** khm RTRS +**\** the second we get trustless efficient general zk systems, this would be possible +**\** hyrax? +**\** poor size/memory tradeoff IIRC +**\** all the trustless approaches I know of have terrible scaling +**\** it's that damn snark toxic waste that gives the proof polynomials structure in a zerocash setup +**\** and that's what gives you such good scaling +**\** okay, so Silur, IsthmusCrypto, y'all have been busy +**\** yep I'm slowly making tests for my RTRS demo at HCPP and patching up my mistakes +**\** RTRS being? +**\** silur: i know i've asked you about PQ shuffles before, but I don't know much about pseudorandom generating objects on a theoretical level. Do you know of any introductory papers or textbooks you could suggest to us? I'm sure to put a few hours in some time in the next few months for my backburnered "cartesian square sig" project +**\** RTRS is a version of sublinear ring confidential transactions based loosely on the Bootle paper "Short Accountable Ring Signatures" +**\** or am i thinking about someone else with the PQ shuffle +**\** silur: any chance of sharing code, even privately? +**\** also I had some advance with the RLWE VRF stuff kind of overkilled a whole section with modular and double-rounding reconcillation but maybe it will be helpful for a designated verifier setup +**\** no I'm also working on PQ shuffles but bulletproofs kind of got ahead of me +**\** and I still have to understand BP fully +**\** because originally I went for the simple Neff shuffle model on a generalized Chaum-pedersen proof +**\** sharing the RTRS code I mean +**\** yea it's on my github +**\** https://github.com/Silur/libstringct +**\** so because BP's are much more scalable I put the PQ-shuffle on a pause and try again when I understand BP at a level when I can confidently start to "port" them into a PQ setting +**\** neat +**\** Anything else of interest to share with the class +**\** Or IsthmusCrypto? +**\** sneurlax's tool is now easy to run +**\** I updated the blackball lists with MoneroV +**\** Excellent +**\** I hope this sees use and extension by others as well +**\** Any thoughts on making the pool lists available too? I know sneurlax was worried about releasing the code +**\** (for those who don't trust sgp\_ ) +**\** Give me the arguments +**\** I can't speak on his behalf. I would release if I was him +**\** I'm generally a fan of making information available +**\** Might it influence pool behavior in a positive way? +**\** We will need some way to have this tool check for chain reactions with the regular blackball tool in the future +**\** sarang I already came up with an initial best practices guide for pools, but I need to refine it +**\** The pool thing is a guess though. +**\** Does it output some sane format (like a key per line or so) ? +**\** It outputs a single output per line in a .txt file +**\** OK, I can add reading that then. +**\** great! Ideally the pool tool could be run first, then the list can be added to the blackball tool as a set of bad outputs +**\** Is there a regular schedule envisioned for this? +**\** for the hosted version +**\** At the moment I'm just doing it when I have time. It's all manual at the moment +**\** seems a prime candidate for automation +**\** Probably a few times a month unless it's automated, yes +**\** I had this idea of having diffs made, then advertised in a TXT record like the release updates. +**\** Then the wallet could automatically download/merge. +**\** baller +**\** It would require the list maintainer to keep to rigid naming conventions for the diffs. +**\** moneromooo I believe there are two big features that would help with pool outputs: 1) an easily-selectable output selection option, such as "--selection-algo public-pool", 2) a wallet option to avoid selecting coinbase outputs for decoys, enabled by default (--coinbase-decoys false) +**\** we can streamline the blackball lists significantly if the coinbase outputs are excluded automatically +**\** I won't do that unless surae or sarang reckons it's a statistically advantageous thing to do. +**\** all right, but since the vast majority of coinbase outputs are mined by public pools, it's something to consider +**\** So you mean perform the statistically correct output selection (fitted gamma) but with avoided decoys +**\** including blackball+coinbase +**\** That means an attacker can know whether a given tx was made by a pool or not. At first glance, it diminishes your anonymity set. +**\** moneromooo can you expand on this reasoning? If you're referring to coinbase outputs, they know what transaction they are spent in anyway by the pool since the pool makes its transaction lists public +**\** If your tx has only two outs, then it \*might\* be good, but that's not immediately obvious. +**\** Oh, I forgot they do now. Dumb. +**\** Time to kick pools out ^\_^ +**\** yeah, it's a situation where a ton of network info is public +**\** Is IsthmusCrypto here? +**\** So if you can attribute ~90% of coinbase outputs to specific transactions, we should at least consider setting the default wallet behavior to not include these outputs that will be bad ~90% of the time +**\** anyone know if exploremonero.com is open source? i was a bit surprised to see they ask for the sec view key for checking txs +**\** endogenic I can't find it. Only the localization: https://github.com/GBKS +**\** hmmmmm +**\** btw i -think- i've identified anycoin as one of the wallets sending with ringsize 8 +**\** damn off-by-one... +**\** So we have ten minutes remaining +**\** Does anyone else wish to share something of interest they are working on? +**\** moneromooo: can you comment on the expected status of BP updates relative to our release schedule? +**\** Do you mean "are BPs going in" ? If so, yes. +**\** I know there was a cutoff for PR review purposes +**\** I assume all that is going smoothly? +**\** The PR is reviewed and ready to go. The CNv2 changes were supposed to go in too, but the author dropped a large change yesterday :/ +**\** also interested. would be good to freeze at some point, if only for a good bit of testing lead time +**\** So that might push the merge a bit. +**\** If some of you are familiar with low level bit bashing and hashes, feel free to review ^\_^ +**\** Yeah I've been following the tweak discussion a bit +**\** how worthwhile will it be to have a final review of this code after the final cut ? +**\** Updates to BPs will be a point release I suppose? +**\** i mean audit +**\** If you mean what's not in the current PR, I dunno yet, but it is fairly likely. +**\** Unless people want the speedups bad :) +**\** Eh +**\** Well, thanks to everyone for sharing +**\** We can adjourn now and keep discussions going as desired +**\** \ diff --git a/_posts/2018-09-17-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-09-17.md b/_posts/2018-09-17-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-09-17.md new file mode 100644 index 00000000..f284f4cb --- /dev/null +++ b/_posts/2018-09-17-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-09-17.md @@ -0,0 +1,255 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-09-17 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** welcome to the #monero-research-lab meeting for 17 September 2018 +**\** Hullo +**\** hi +**\** we didn't meet last week because Sarang and I were meeting in person for some productivity turned up to 11, enabled partly by endogenic +**\** When snarks +**\** Or at least snark +**\** today's agenda is only 1) greetings is 2) a brief update on what folks have been working on and what they see coming up next +**\** we got 1) out of the way so efficiently, i'm just blown away, look at you guys, you are rock stars +**\** lol +**\** Shine on suraeNoether +**\** ^ +**\** sarang has recently been doing some digging into view key solutions for additional functionality like balance-proving or proofs-of-reserve; is there anything you want to bring up publicly about those for now sarang? +**\** since you have like 3minutes +**\** Just that the nature of our txn model means balance proofs open up knapsack style problems, are not efficient, and therefore I think not something of great priority +**\** yeah, and we can elaborate on that for folks who are interested as the week goes on +**\** Sure +**\** or just later today :D +**\** earlier this week, I discussed some stuff regarding finding provably spent subsets of output keys +**\** Oh and they're likely always going to be interactive, which is a bad ux +**\** sarang and i worked some of this out in person +**\** Aye +**\** essentially the take-away is this: +**\** let's say some entity like the Monero Project wants to keep a blackball list of provably spent outputs +**\** to avoid mixing with future ring signatures +**\** let's say a user doesn't trust the Monero Project +**\** this user wants to verify all the computations used in computing that blackball list, to verify that the list is a complete list of all provably spent outputs +**\** the user loses trust in the Monero project if any provably spent set is found that is not on the list, or if any set on the list is not actually provably spent +**\** how long does the user need to take to verify a small section of the list? let's say only for transactions created in a single day? +**\** tree fitty +**\** well, the answer to that is in the binomial coefficient: to completely verify a day's worth of transactions (between 10^3 and 10^4 presently), with a ring size of r=7, requires presently at least 1000-choose-7 checks. this is... around 2e17 things to check. even in constant time, that takes a loooong time to check +**\** it's maybe doable, but to verify even a month's of transactions is like 4e27, and there's a certain point where verifiers can no longer check the list for completeness +**\** I disagree the user loses trust if a provably spent set is not on the list (assuming he uses his own method, not the public sources for determining blackball list). The opposite would be more devastating. +**\** I agree +**\** We just want the user to trust that nobody is being censored +**\** And verifying the list will be easy +**\** binaryFate: that's fair, what i mean is if the Monero Project is acting like a curating party for this blackball list, they are acting as a trusted third party, so there is a risk to the user if that third party is acting dishonestly +**\** Each item can also have its rings listed +**\** So the user checks her own copy of the chain +**\** I think it's fine as long as it's advertise as a "best effort" and not claiming to be exhaustive. +**\** right, checking small pieces of this list for provable spent-ness is easy: verifying that the list is \*complete\* can be made "essentially impossible" by picking larger rings; and using this sort of heuristic, we (sarang and I) determined anything above ring size 45-ish is wasteful in this regard +**\** You're all in luck. My plane is delayed +**\** is there a way to distribute the computation BOINC style? decentralize all the things and all +**\** The initial computation +**\** Yes +**\** I would be way more comfortable to give up completely on the idea to claim we're exhaustive. +**\** Then everyone can check their peers work +**\** but the key take-away here is that checking our blackball list for ring sizes beyond 3 is impractical for our project. we kicked the idea around of a sidechain that rewards finding provably spent sets on the main chain and proving their spent-ness on the side-chain to earn a PoW reward :D +**\** There might be more tricks we did not realize yet. +**\** We can do a small ring complete subset analysis once +**\** And hardcode it +**\** yep +**\** Optional user verification +**\** Better to go with "best effort given computational ressources used and state of our understanding; anyone welcome to improve it" +**\** Yes +**\** binaryFate: for sure, for sure +**\** We will have the complete list for those small rings +**\** also seems reasonable given our constant releases and forks and checkpoints +**\** We don't need to run it further +**\** But I'm writing up a quick thing on it +**\** right, point is now we have a reasonable expectation of when to stop increasing our curation of the blackball list: ring size 4 is pretty much impractical already, ring size 5 is going to be... a... loooong.... wait... +**\** that's totally ok +**\** on other fronts, I've been looking into zk-snarks and starks as a sidechain on monero, with no transparent pool (the "transparent" pool would be monero's base layer, and this starky side-chain would be the optional "shielded" pool on top of it). i'm looking into trust-free accumulators; i think there's actually a "whole new protocol" sort of thing going on using certain accumulator constructions (see +**\** https://link.springer.com/chapter/10.1007/978-3-642-31284-7\_14 for example) +**\** Can these calculations be parallelized/cluster-ified? +**\** (the blackball) +**\** yes they can +**\** im curious - is this calculation / processing done on a given state? Or is it done while building the blockchain? i.e., you could imagine a Sync 2.0 where the monero blockchain takes even LONGER because while your synchronizing, your own computer is curating its own blackball +**\** very parallelizable +**\** but huuuuge search space +**\** Worth noting that verification is fast for the user +**\** gingeropolous: I don't think we'd need to do a live version during sync +**\** Damn. Planes radar altimeter is busted :( +**\** No bueno +**\** gingeropolous: there are ways to make it faster to blackball in a rolling computation like that, but even for a single day's worth of blocks per batch, you end up having a huge space to search (which is why i selected a day above) +**\** and if the blacksync indeed does work, you could just prune them from the blockchain and the network eventually reaches a blackballed consensus because those outputs just don't exist... hrmmmm +**\** but it doesn't matter because once we're at ringsize 21 we can all go on vacation +**\** yeah, and syncing from scratch doesn't really solve the problem, because even short periods of time end up with huge search spaces +**\** if i had a single transaction to the blockchain with a single output, i need to check every known subset to see which share ring members with the new transaction +**\** >\_\< +**\** But that also means an attacker would have to do that too +**\** yes, precisely +**\** So it becomes nbd +**\** Under a certain threat set +**\** If ultimately we're facing an NP-complete/NP-hard problem, we could quantify it and demonstrate no attacker can go beyond rings N, no more than we can. +**\** for complete lists, that is correct; a ring size of, say, 45-ish gets us close to "you have to brute force more things than particles in the universe" territory +**\** Yeah that's the reasonable approach idea +**\** but you still have heuristic linkability; all this is merely to discuss proven spent-ness +**\** This is all theoretical fun anyway, in practice it's assumed all this has no bearings on post-ringct tx anyway +**\** Given high ring sizes yes +**\** suraeNoether Monero always has heuristic linkability anyway... we're only very good at plausible deniablity +**\** yeah, the likelihood this happens on accident is vanishingly small, so someone would have to be doing it on purpose for it to really be a problem +**\** binaryFate: absolutely correct +**\** And this is a fairly easy way to improve safety +**\** Therefore worth doing +**\** ok, so this week i am finally going to pick a journal for peer review for thring signatures +**\** And even doing it on purpose requires collusion anyway +**\** And then the attacker can just outputs they control anyway +**\** That would be an interesting idea, if a hostile node just returns outputs off the blackball list whenever queried for decoys +**\** IsthmusCrypto: yeah but why would it do that instead of using its own outputs? :P +**\** sarang and i go back and forth on it +**\** Depends if the node is lawful evil or chaotic evil +**\** lawful might use own outputs. Chaotic might just ruin it for everybody. +**\** It would get noticed immediately +**\** Or fairly quickly +**\** If they used known black balled outputs +**\** Exclusively +**\** Is somebody watching out for that, or should MAP set it up? +**\** Oh +**\** because they're all so old +**\** yeah, that would be obvious +**\** smh +**\** sorry, continue +**\** anyway, i don't think provably spentness is really the issue +**\** i believe that if you take the bipartite graph model and weight edges by output key age at the time of the transaction used it, we would re-attain the monerolink heuristic linkability model; what's funny about that, though, is that even if you were to optimize that guy to look for "probably" not provably spent outputs, you would still have such a large space to search through, you'd never quite be sure if +**\** there wasn't a more likely solution right around the corner +**\** i want to quantify that +**\** because i think heuristic linkability is more a danger issue for monero +**\** thank accidentally using provably spent ring members +**\** ^^ agree +**\** later this week, i'll be reviewing the general M/N multisig thing +**\** is there anything else that folks want MRL to work on, bring up, discuss, etc? There will be news about the Denver Monero Conference later this week, I think. +**\** IsthmusCrypto and silur you guys have been working on stuff +**\** would you care to discuss it? +**\** I can give a quick update on some of the #noncesense-research-lab projects +**\** 1) Working on ways to automate identification of selfish/stubborn mining, since I have been doing it by visual inspection so far. One example written up so far. +**\** 2) Doing a small study of nodes doubled up on IP addresses. Checked peer lists and found duplicates. This is a subtle type of centralization - if 20% of our nodes/miners are showing up over a handful of ProtonVPN addresses, then another DoS on the VPN would have the side effect of knocking a disproportional number of machines off the network. +**\** 3)Vanity stealth addresses generation. If all of your personal outgoing transactions have the same prefix, then they will be indistinguishable from each other. This maximizes fungibility and eliminates headaches caused by how difficult it is to link your transactions on the blockchain. When you restore your wallet, use the same vanity code - the initial sync time decreases by orders of magnitude when your +**\** wallet only needs to check outputs that obviously belong to it! /s +**\** 4) Blockchain analysis to identify all MyMonero.com transactions that used high or paranoid mode. Partial writeup, but porting over to unsupervised ML methods to automatically pick out all the MyMonero txns from the main fungible cluster. +**\** 5) A lot of work on MAP infrastructure by @n3ptune - both backend database work and some slick UI/visualization +**\** And a misc pet project on timing how long it takes to sync the blockchain on different machines. +**\** (end) +**\** #4 will be a paper that will be used as FUD; want to collab on an MRL bulletin and use our header and stuff so it's clear it's coming from MRL? +**\** quantum-vrf is on it's way I had major advances and even figured out that i can do it in a designated verifier setup. also I've sent you my slides on RTRS for HCPP prague, did you have time to review it? +**\** no, i have not, did you email it or mention it in chat? +**\** you = suraeNoether & sarang +**\** email it for both of you +**\** on your protonmail addr +**\** IsthmusCrypto: for number 3, the vanity prefix can be deterministic with the private key as the seed, right? +**\** just found it; when is the talk? +**\** So every new stealth address has a new prefix that can't be determined ahead of time without the private key +**\** october 3 +**\** ok i will review it this week +**\** That's actually super cool +**\** thanks +**\** for #3 that forbids sending to a subaddress +**\** since the subaddress recipient has to ask for a specific basepoint on the transaction key +**\** which sucks +**\** silur i am more interested in your quantum vrf to be honest :D hehe +**\** @suraeNoether - yea RE #4 I’ll keep you in the loop. Don’t want to give FUD fodder, so I am really hoping that MyMonero will fix it soon.... +**\** and I'd like your review on that I could send you the draft and we can eliminate my probably countless mistakes :) +**\** #3 was just a joke, although it does reflect a real threat model (using a few digits to encode which output is the true spender, or maybe use a few digits to mark part of a hash of the private key to deterministically fingerprint transactions \*from\* the same account. +**\** (would be malicious wallet software trying to communicate with no telemetry besides what is on the blockchain) +**\** I think it could actually be used for fast sync +**\** Without fungibility concerns +**\** endogenic ^ can't really do anything about the older choices, but we can patch that up moving forward +**\** Hooray fixed plane. TTYL. Will be on after landing +**\** prefixing keys makes them distinguishable by prefix, so i'm not sure what the goal of the idea is :P +**\** Surae, make the prefix deterministic +**\** Increment private key by 1 every tx, hash it, truncate, and use that as the prefix +**\** Without the private key you can't fingerprint the txes +**\** I think you still get a different prefix for each output no? +**\** That's a super naive method of course +**\** You do binaryfate, but when scanning the chain you can look for the next prefix +**\** Every time you find one, you increment and look for the next +**\** I mean within the same transaction +**\** And as you don't know the order, you can miss some +**\** Ah, yes +**\** If it's the same tx you can have a lookback +**\** That's not a huge deal imo +**\** true +**\** Sorry for doing research stuff in the meeting, carry on guys. I'll bring this to the lounge. +**\** needmoney90: interesting... i need to thinka bout that. :P actually needmoney90 this is what the research meeting is for :D +**\** I've been finally getting to work on an idea I had since a long time, I think I mentioned it here a couple of times. +**\** please go ahead! +**\** yea I missed that and interested :D +**\** Broad idea is to study the age distribution of \*actual\* spendings of Monero users, with ultimately maybe proposing a better decoy output selection algorithm +**\** Go on +**\** If it's opt in, wouldn't the set of data we collect be skewed away from those who are super cautious about privacy? +**\** Maybe best to explain the approach is a simplified example: imagine all rings are of size 2 (one real + one decoy). The "real" distribution is unknown, but the "decoy" one is known from what the wallet software is doing (restricted to certain block ranges where we are confident an overly large percentage of users are using the same version) +**\** The result is a mixture, or (simplified) a weighted distribution. This is observable in the blockchain. +**\** By using the observable bit, and the known part of the weighted distribution, I want to estimate the unknown one, aka the real spending habits +**\** I'm writing an R package to do this, with an emphasis on graphically comparing what we should expect if users were spending "as we think" versus what we actually see from the blockchain +**\** so whatever results I get be done again in the future with the same procedure +**\** First results expecting soon (this week hopefully) +**\** This will also allow to check the Miller et al. gamma distribution fitting btw, which afaik nobody really cross-checked (even though it will make it into the next hard fork) +**\** (end) +**\** so is this asking which inputs are outliers of the distribution the wallet is using? +**\** no, it's about the distributions, not the level of inputs. It's comparing "the situation we are modelling using [triangular/gamma] distribution" and "what we see in the blockchain" +**\** gotcha +**\** Think of it as cutting through the noise to estimate the real spending habits, but it only gives you the distribution of it, no info on a single input +**\** We rank highly on plausible deniablity :) I'm trying to improve on the distribution/heuristic thing. There was very little studies to come up with first the triangular one then the gamma one. +**\** Anyway, I'll probably have a draft report in week or two to circulate. +**\** this is a very interesting idea +**\** i'm a little confused; where are you getting your data? your own wallet? +**\** It doesn't need a ground truth. It's just actual distribution minus decoy selection algorithm expectation, right? +**\** IsthmusCrypto: fix the ability to use different ring sizes? the new apps and new web wallet do not allow you to pick, for that reason. i didn't expect we'd still have the old mymonero.com wallet up til now and totally forgot we have the mixin select there +**\** just let me know next time :) +**\** got so many things going on : +**\** IsthmusCrypto correct +**\** will start to settle down soon i hope +**\** IsthmusCrypto: ahhhhh i see, yeah, if i understand it correctly, that's a wonderful treasure trove of useful data. :P +**\** oh man +**\** anyway IsthmusCrypto can you really tell they are -MyMonero- transactions? +**\** binaryFate: good freaking idea! +**\** or just that they have a high ring size? +**\** The MyMonero fingerprint is based on the ringsize AND the decoy selection algorithm +**\** suraeNoether simplified example again (ring size 2): wallet is known to use unifom for decoy. Blockchain shows distribution X (and we know it's 0.5 wallet distrib + 0.5 user real spending). We can compare the two and infere a lot about real user spending +**\** The first is a good signpost to find candidates, then the second is the actual give-away +**\** I'm just getting interesting results as we speak, but prefer to clear things a bit before sending to anyone +**\** IsthmusCrypto: just want you to know i've been motivating for the decoy selection algo change for a long time, +**\** i'm discussing it internally again to get it done ... +**\** we hve work on it +**\** need to stabilize and deploy.. +**\** Cool @edogenic. I haven't worried about it too much or rushed the research because the impending fixed ring size will remove half of the heuristic. +**\** binaryFate: more generally: if we use a distribution F to pick ring members, the extent to which ring members on the blockchain vary from F is directly related to the true signers... really great approach +**\** anyway +**\** okay, anyone else have anything they want to chat about? +**\** it's been a few weeks +**\** yep, and it's directly quantifiable by the ring sizes too +**\** Last thought - can we start recording MRL meetings alongside the other dev diaries? It would be good for accessibility and showcasing some of the best people/conversations in our community +**\** If somebody can show me where/how, I can take care of uploading them. +**\** IsthmusCrypto: they used to get uploaded +**\** or did they? +**\** anyway I plan on creating a IRC bot that auto uploads the meetings +**\** IsthmusCrypto: i usually throw the logs up on my github, but i have been lazy lately; i'll set aside an hour later today to upload all the ones I have +**\** if anyone wants to put them anywhere else, feel free, maybe we could throw them up on the getmonero.org page or something like that. i'll look into a few options +**\** 👍 I started thinking about this when the person showed up claiming that fixed ring sizes hadn't been publicly discussed +**\** if anyone wants to take initiative and upload meeting logs that are missing before i get to them, that'd be a great contribution to MRL +**\** only so many hours in a day :D +**\** either way, i'll try to organize what i see available later today. my github is a mess +**\** Cool, I was thinking I could upload them here? (If that seems alright and somebody shows me how or wants to take initiative and do it themselves) +**\** go for it +**\** good idea +**\** Do I just PR it to here? https://github.com/monero-project/monero-site/tree/master/\_posts +**\** i believe that is correct; moneromooo or luigi1111 ? +**\** IsthmusCrypto: yes, but you have to convert the logs to markdown +**\** ok, I believe we are over an hour here, so we'll wrap this up +**\** any last notes/comments/concerns/questions? +**\** i'm expecting my cross-chain paper to be done by the end of the month, i think; it's actually a lot simpler than the multisig paper +**\** the cross-chain atomic swaps? +**\** not quite, I remember it had a much cooler name +**\** ring-confidential atomic swaps or something +**\** No, to https://repo.getmonero.org/ +**\** oh didn't even know about that thx diff --git a/_posts/2018-09-24-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-09-24.md b/_posts/2018-09-24-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-09-24.md new file mode 100644 index 00000000..51cd49a4 --- /dev/null +++ b/_posts/2018-09-24-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-09-24.md @@ -0,0 +1,343 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-09-24 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** thanks for the ping :) +**\** 👍 +**\** hi +**\** hi +**\** hi +**\** hi +**\** heyo +**\** allrighty +**\** Now that greetings are out of the way +**\** as usual, we are basically just going over what we've done last week and what we want to go over this week, and to open up the table for questions and suggestions +**\** but today i want to reverse the usual order +**\** hmmm +**\** i want people who have questions or suggestions to be able to speak up at the beginning +**\** so they don't have to sit around hearing about groups etc before they are allowed to give us their thoughts +**\** nioc i knew i forgot at least one person :D sorry +**\** np my comment was about the order +**\** so. \*crosses legs\* who has some thoughts for the MRL guys? +**\** Anyone? Bueller? +**\** are cancellable signatures possible with monero? +**\** I see that the BPs were just tweaked, are we all set now? +**\** you mean (un)denyable signatures? +**\** \*(un)deniable +**\** I mean, one is part of a multisig, but before the multisig is fully signed, can one cancel their part of the multisig? +**\** nioc: a verification tweak, for a belt-and-suspenders approach to curve points +**\** oneiric\_: i don't think cancellability in the way you describe it is particularly necessary... +**\** if you bail on a multisig signing? +**\** no information is leaked; there may be a record of your communication between the other signers, though, and that's really the more dangerous part of things, from the point of view of IRL opsec +**\** ok, how else would you bail out after initially signing? +**\** and there isn't anything in the protocol that prevents you performing the multisig signing ceremony in a "bad" way, if htat makes sense +**\** you just stop +**\** if you mean "i want to retract a signature that has already been computed," I don't think that... is... practical... +**\** adds too many moving parts? +**\** uh, well, if it's already computed and can later be revoked +**\** maybe a type of tx which has two stages of confirmation.. during first stage, it could be canceled with another tx by same signer? +**\** if it's already computed and later can be revoked, does this mean you need a revocation signature in a later block that refers to the original signature? etc. i'm not sure exaclty how all of it would work +**\** and i'm not sure what the use case would be +**\** generally we want our transactions to be signed and done, for finality and liveness reasons +**\** retracting a transaction that you've already executed... I imagine that's maybe something that \*could\* be done on a lightning like system between honest parties without issue +**\** i can't think about how to implement it on the base layer without a lot of problems +**\** revocation would happen before tx is fully signed, use-case is for an automatic funding of an FFS wallet +**\** there was a similar suggestion for a 2-of-3 with a trusted mediator +**\** ah; in that case, if you don't want to make the transaction, just \*don't finish signing it.\* +**\** if you already pre-signed it and haven't broadcasted it, then don't broadcast it and delete it +**\** if it's already broadcast? don't... don't do that? +**\** ok that makes sense. my thinking on this might not be the clearest. was thinking of people signing multisig to show support, but if something changes their mind before the tx is complete, being able to revoke their part of the signature +**\** people could show support by posting proof of funds +**\** ah, yeah, that's not necessary; their pre-signatures or partial signatures can't be used to construct a complete signature, so you show your initial support by participating in the first round of interaction, and you revoke your support, so to speak, by not participating in the second round of interaction +**\** oooo, that's way smoother, thanks suraeNoether :) +**\** i can think of another case, though, that could be helpful, and i'm going to state it so we start percolating on the idea in the back of our heads +**\** this might actually introduce some problems on blockchains +**\** let's say you relay a new transaction that can't be mined for 1440 blocks, and has a locktime of 2880 blocks, so that the soonest it can be mined is tomorrow and the soonest it can be spent is the day after... should someone be able to broadcast a revocation of that transaction in the next 1440 blocks so that miners don't include it? the answer, I think, is yes, this is possible, but I also think that there +**\** isn't a good way to \*enforce it.\* +**\** so it'd be, at best, asking miners politely to not mine the transaction +**\** there could be some workarounds maybe, but we'll think about it and move onto other topics +**\** nioc had a question on the BP tweaks, but sarang you didn't mention if we anticipate more tweaks or not +**\** you just said what they were +**\** I don't anticipate others +**\** cool +**\** anyone else have any other questions? +**\** does it make sense to do questions also after updates given? +**\** sure +**\** cool. Last week I worked more on my Fulmo Network (lightning in esperanto) paper, and I anticipate making it available for public perusal later this week or early next week... I read through Sarang's DLSAG paper, which is important to the Fulmo paper, and I'm going through donut and Pedro Moreno-Sanchez' similar paper (in prep, but we got an early copy earlier this year) +**\** I'm intending on reading hte M/N multisig thing; I haven't gotten to Silur's slides for HPCC yet +**\** (I'm so sorry) +**\** np, I had help from sarang +**\** I also have had some lovely conversations with Dr. Shuhong Gao at Clemson University regarding the possibility of some informal collaborations between MRL and Clemson in the future, which would be fun and great +**\** nice +**\** coolio +**\** right on +**\** I also am waiting on a few more quotes from venues for the Monero Konferenco, named by rehrar (I kind of like Monero in the Mountains, or Ring Signatures on the Rockies, but tbqh, Monero Konferenco has a Mortal Kombat feel to it, and I kinda love it) +**\** The remainder of this week? More DLSAG, more fulmo, more research into accumulators... OH OH OH +**\** I also have a question for the community, but I'll wait until Sarang has gone and anyone else who wants to contribute +**\** dun dun dun dada dun.. Monero Kooooonferenco!! +**\** Sure +**\** can we pls work in some lotr references like Council of Elrond? +**\** NO +**\** Wrote up a draft of a tech note on generalizing our knowledge about provably spent outputs +**\** mainly because it covers several other ways we test for this, and shows why it's a hard problem (for us and adversaries) +**\** Tweaking the DLSAG stuff based on suraeNoether's comments (and his desire to work the foundations into his work) +**\** There was a late tweak to BPs to handle some ways we were doing a scalar conversion that were subtly incorrect +**\** oneiric\_, always dressed and ready for Mortal Kombat +**\** Also: I was asked to present on attack surfaces and privacy research at a Kyiv hackathon... wondering the group's thoughts on me taking like 5-6 days to do this +**\** I like the hackathon approach to getting the word out +**\** that sounds like a very cool thing +**\** Yeah, it's a big time investment but fortunately I work remotely anyway, amirite? +**\** will you be needing financial support for it, or would those organizers be compensating you? +**\** https://forum.getmonero.org/7/open-tasks/90857/sarang-re-present-at-kyiv-hackathon +**\** They're compensating flight and some hotel. With local transportation, M&IE, and hotel, it'd run about 9 XMR community funding +**\** cheap +**\** oh hehe +**\** Would be nice to reach out to that part of the world, getting technical folks thinking about and hacking on Monero +**\** Anyway, open to comments +**\** it'd be in a couple of weeks +**\** do you know anyone there? +**\** I believe msvb is also speaking there about hardware +**\** This group actually approached us at our defcon village +**\** oh this reminds me, david chaum will be present at HCPP +**\** \*\*shittin' brix\*\* +**\** seriously?! so excite! +**\** Sarang and I were curious about whether the community would want to fund us for the Berlin conference, but I'm having a hard time finding the website. i'll bring it up next week +**\** I don't think I'll be doing Berlin +**\** I'm all traveled out +**\** Does anyone else have any projects they want to discuss? +**\** and the timing is not great +**\** I'm working on some other minor stuff about curvepoint checking +**\** small optimization stuff +**\** dang, i wanna go surae +**\** I got into a spaghetti of proofs on my quantumVRF not much advance there +**\** i'll keep an eye out +**\** Another bit of work; sgp and I are contributing to a friend's educational outreach project. the idea is to provide a privacy breakdown of all the different privacy coins out there, at a level that someone with some computer science and/or math experience can understand, but without requiring a Masters or PhD to get +**\** I'm not sure exactly how public that is, but I plan on putting a few hours into some writing on that later this week, especially in the Monero sections +**\** nice +**\** oh interesting +**\** Well I take it there's no big opposition to speaking to Kyiv +**\** It would be great to see an honest and even approach to comparing the major privacy currencies +**\** oh, sarang, I'm sorry, I didn't mean to switch topics; I got the sense that no one in the room objected +**\** but I'll stfu for a moment +**\** Heh no, I think people were done commenting +**\** it's a risk.. +**\** ? +**\** but i dont think anyone objects to the benefits +**\** Risk in what way +**\** you could be hit on +**\** Oof +**\** A risk worth taking I'm sure +**\** well, suppose you traveled with a partner…i think it's reasonable to say you'd be safer +**\** That isn't the case tho +**\** you can always be \*safer\* by staying home +**\** anyway +**\** is Kiev that dangerous? +**\** my understanding is that kyiv has very low levels of violent crime except when alcohol is involved. :P +**\** I was there, in general it's ok. But there has been a case of a CEO of a crypto company kidnapped for a ransom +**\** Well I'm not overly concerned +**\** From what I've heard +**\** I'm a lowly mathematologist +**\** sarang you need to let me know about the cards so I can get you necessary files before you go +**\** Just a mere scientician +**\** \<\< opens FFS page to fund a bodyguard for @sarang in Kiev >> +**\** @suraeNoether - that document sounds great, and I'm looking forward to reading it. I love to see cross-project collaborations like these. Building bridges and knowledge sharing makes everybody stronger. +**\** Should I request the FFS get opened for that event travel? +**\** i belive you should, sarang +**\** It's quite new but the event is soon +**\** Are there any longterm research tasks that can be done by independent individual except find some vulnerabilities & exploit them? +**\** Hark! Requesting eventually FFS migration +**\** Yes +**\** what if sarang were held for ffs ransom? :P +**\** sarang: checking with Devin no about migration. He's doing a lot of good work. QR codes will be implemented, an API, and more +**\** i know i would donate +**\** crCr62U0: yes absolutely +**\** wait what +**\** Donations for FFS rework?!? +**\** Plz let me give my money :D +**\** okay, last topic I want to discuss is... a little out of the blue, and Sarang and I want some input from the community regarding a Conflicts of Interest Policy for MRL, or some sort of ethics policy.... +**\** We really bend over backwards to state in our papers that our research is paid for in Monero, for the same reason that doctors funded by pharma companies \*are ethically obligated\* to disclose those conflicts of interest. +**\** However, as everyone is aware, there is an epidemic of unethically plausible reporting. +**\** We see very often that Coin X is being described in Magazine Y, and they interview researchers P, Q, and R, some of whom are paid in Coin X, and this conflict is not described in the article. +**\** I'm asking about longterm in order to have time to learn something; It's difficulty to be successful in shortterm tasks due to lack of experience and mind abilities. +**\** we suspect that putting out such a policy, even though it is totally nonbinding, since we are a headless entity with no authorities... we think that putting out such a policy would goad other coins to do something similar, to put out their own ethics policies +**\** \*to be competitive(successful) among others +**\** crCr62U0: your question about research tasks that the community can contribute to... let's get back to that in a moment. we are overflowing with problems to solve and infrastructure in the coding department that would make our research lives easier +**\** crCr62U0: yes, to contribute you need to know a little about monero first, then you'll find some problems there. one of them is replacing ringsigs with something better than zksnarks +**\** suraeNoether: sounds good to me +**\** so if you need something to do, we can definitely point you in a direction none of us currently have time for :D +**\** suraeNoether it's a great idea. Regardless of what other coins are doing, making the ethic already there in Monero/MRL more visible and clear to the outside world is a net positive. +**\** i agree, binaryFate +**\** As to research, it's problematic +**\** There's a big learning curve to do big bluesky work +**\** but there are smaller projects that someone doesn't have to be a broad expert to complete +**\** or at least participate in +**\** e.g. I'd love to abstract more of our cryptographic functions properly so we can move to more standard and tested libraries +**\** can we talk about the never-ending list of to-do in a moment? it's a big list +**\** sure +**\** okay, so my question to the community is +**\** @suraeNoether I hadn't thought about the disclosure before, and I think you have a good point. And while the headless entity cannot enforce it, it does protect the headless entity. +**\** In the unlikely case that some Monero dev or researcher presents unethically without full disclosure, we can point to that as a violation of community policy. Meaning that the person was communicating in a sketchy way, and not the community acting in a sketchy way. +**\** It also helps guide other projects to the same idea, I hope +**\** and is a statement about our intent to do honest work +**\** so my question to the community is simple: what do we want to see in our ethics policy? +**\** I think the biggest thing is disclosure of funding specifically tailored around research/dev for Monero +**\** e.g. "Sarang Noether receives Monero community funding, paid in XMR, to do full-time R&D for the Monero Research Lab, a workgroup of the Monero Project" +**\** i think MRL researchers should not go off and start their own coins while working at MRL, even if they do so fairly +**\** ehhhhh +**\** should it be that broad? +**\** What are our ultimate goals for it? +**\** woopsie +**\** that seems a little over reaching to me +**\** i think at the last it has to require disclosure of material facts +**\** at the least +**\** maybe not, but my goal in that regard is: i don't want someone claiming they work for/at MRL while they are shilling/pumping their own project +**\** I would care to know if a Monero researcher does have their own coin +**\** okay, if we stick with disclosure, i'm cool with that, too +**\** maybe +**\** oh yea that policy was actually active in ethereum foundation too +**\** I think it's all about keeping people informed +**\** i don't know +**\** silur: linky? +**\** if facts are visible then the community can handle things on their own +**\** to the policy mail? :D +**\** I like that people don't need to question our motives for doing this. And I think the policy should continue to reassure people of this +**\** silur: yeah, or whatever the policy is +**\** I know nothing about it +**\** I don't know whether ming (that time she was our CEO) published it anywhere +**\** Do we know what other projects are doing? +**\** Maybe that's a start before drafting our own +**\** we just received collectively a mail about that +**\** See what's out there, if anything +**\** Take what we like from it, avoid what we don't +**\** I don't want fall into the "not invented here" trap. Let's build on it +**\** This is very thought provoking conversation. I don't think a hard ban is quite appropriate - and I don't mind if one of the MRL researchers makes small contributions to other currencies as long as it's not interfering with completion of MRL duties. (see building bridges comment from earlier). But there should be some constraints/transparency. +**\** I'll look it up sarang +**\** Well, and researchers \_do\_ collaborate +**\** We don't want to discourage that +**\** We should encourage it, with disclosure +**\** And I do like the ideas in the brief example statement from @sarang regarding conflict of interest disclosure. I think that "supported by funding from the Monero community" is more important than "paid in Monero" +**\** IsthmusCrypto: agreed +**\** generally +**\** totally agreed +**\** agreed on that too +**\** I don't even care about constraints. If the community doesn't like what the disclosure implies about someone's conflicts, that's up to them to decide +**\** But give people open information so they can decide for themselves how to interpret someone's motives or actions, eh? +**\** My recommendation to you both would be to draft a document and present it to the community rather than trying to do something by community design +**\** Yeah, based on what we know from elsewhere +**\** And if there are high quality suggestions to be added, they will filter to the top +**\** We're surely not the first open-source project to consider this +**\** use your best judgement and include what you think should be there. The community can fill in gaps after it is proposed +**\** righto +**\** basically EF did it in a way that it was okay to do advising and help in other coins under your own name but only that +**\** in the end, MRL is its own workgroup, and is free to set its own internal rules +**\** so the whitepaper shouldht have \_MRL member\_ +**\** it worked quite well +**\** rehrar: I've been working on the draft for a few days, and I wanted to seek input to see if a high signal-to-noise ratio on a specific topic floated during the discussion before the document is really ready to show off to people +**\** "MRL is its own workgroup" <<< +**\** Well, that's another question entirely +**\** there's no legal status to MRL... anyone can claim to be "part of it" +**\** sounds quite contradicting from me for I violated that policy ^^" +**\** I had spoken with sarang a bit about formalizing the MRL a little bit, just so random people can't nab the name "MRL Researcher" and use it on stuff when they don't contribute +**\** i don't think so sarang +**\** endogenic: they can, it's only based on reputation really +**\** and participation +**\** and that reputation is basically all internal to the project +**\** i mean no legal status +**\** this arm of Monero is honestly the one that would be under the most scrutiny apart from the coding, so I think it's quite important +**\** (that reminds me, I will be uploading meeting notes once I get a break from a current metaphorical tsunami at work) +**\** historically, the community has either hired Noethers directly or the Noethers have published something for monero that the rest of the Noethers agree on .. is that incorrect anywhere? +**\** i would have to speak to an attorney or two about legal status, copyright, etc +**\** endogenic: no, I had almost zero interaction with shen regarding ringct. :P MRL is even more headless than your description +**\** At the very least, we have no formal guidelines for putting "Monero Research Lab" as a title/tagline +**\** yeah but who published his paper on MRL +**\** i dunno, fluffypony? +**\** It just really hasn't been tested by anyone +**\** (yet) +**\** I would like to make a proposal to do a weak formalization of MRL. Basically acknowledging sarang and suraeNoether as the leaders of the workgroup, whether or not they are paid by the FFS. +**\** I assume core team put it up +**\** exactly.. so it's in the first category +**\** anyone can be part of MRL +**\** it's self-assembling +**\** rehrar: I feel like we're treading into governance territory, and if we are doing that, i would like a title like "Paladin Exemplar" or "Necrophage Elitus" +**\** I understand what rehrar is getting at though +**\** We're very public-facing +**\** yes, for sure +**\** I'd like "Man About Town" for my title +**\** Right now it's based on your reputation w/in the community. But people outside the community don't track that +**\** okay, let's put the ethics document on the side burner, we'll get back to it next week; in the meantime, if anyone doesn't object, i'm going to just go tattoo my pgp keys on my forehead and that'll be MRL's authentication +**\** my proposed formalization doesn't put anything on membership (anyone can join and contribute) but does put a bit of a hierarchy in terms of "these people are putting out random stuff, suraeNoether sarang, is this MRL work?" +**\** nor should they +**\** rehrar: understood +**\** exactly sarang +**\** "putting out MRL work" == merged into the research-lab repo +**\** doing something like this is saying the community has vetted and found these two, so you don't have to vet +**\** and those merges are controlled +**\** the same way anyone can work on Monero's source code +**\** True, but is the concern more about claiming representation from others rehrar? +**\** doesn't mean we'll merge something that introduces a backdoro +**\** \*backdoor +**\** fluffypony: or will we...? +**\** backdoro is esperanto for backdoor +**\** lol +**\** sarang: unsure yet. Admittedly the concern is vaguely defined, so no action should be taken as of now until the "threats" are better defined +**\** we'll start with the ethics policy document +**\** I'll dig up our EF version and forward to suraeNoether and sarang +**\** ty silur +**\** one simple method is for Sarang and I to publish an accumulator of PGP keys that we consider "valid" MRL keys; when you ssee a document signed wiht a key, you check if it's in the public accumulator. If it is, great, you know we approved it. If not, you know someone is tryign to push out an MRL paper early (or just lying about their own credentials) +**\** but we can think about it more between now and next week +**\** i like the idea of a simple ethics/conflict of interest policy +**\** We really should sign those +**\** I'd be happy to put on my UncagedPotential hat and review any drafts of the policies. +**\** git already supports GPG signing +**\** or at least post to github with signed commits +**\** fluffypony: lol, read my mind +**\** I don't think you need to over complicate it beyond that +**\** good point +**\** yeah, i agree +**\** was there any such attempt of claiming MRL relations for unethical or random reasons? Or is this all abstract discussion? +**\** binaryFate: when sarang and i met endo in person at the beginning fo this month, we discussed the general phenomena i described regarding too-plausible reporting that doesn't display conflicts of interest. nothing about \*monero\* right now is drifting us in that direction, it was just an idea we had about the overall cryptocurrency space. +**\** I think binaryFate means the MRL formalization comments +**\** right, all of this is coming from that one discussion; the answer is no, there have not been any attempts to impersonate me or sarang yet, afaik +**\** Shall we address the idea of to-do? +**\** it was brought up earlier +**\** yea I was waiting for that :D +**\** (we are over time, if anyone needs to go) +**\** here is our current "road map" with some things ticked off. It could be slightly out of date. https://github.com/monero-project/research-lab/issues/29 +**\** in general, I would really really like a transaction tree visualization tool +**\** or something that scrapes statistics from teh monero blockchain in genreal +**\** From the cryptographic point of view, we are interested in replacing ring signatures with something that has decently large anonymity sets, no trusted set-ups (say ZK-STARKs)... +**\** but the replacement must be sufficiently efficient in both space and verification time that total time-to-download-and-verify the blockchain (an up-front cost for new members to join the network) is manageable over the next several years, and preferably should also have greater security claims than computational unforgeability. +**\** More pointedly, I have been thinking lately about the state of our current primitives and their implementations +**\** IMO we should be offloading to tested libraries far more +**\** i agree with that statement, and anywhere that we aren't, should be filled with unit tests. +**\** From a stochastic processes point of view, consensus models lack a rigorous description as "adversarial" or game-theoretic, such that participants have some control over the distribution of the outcomes, financial interests, and payoffs, etc. If you are a statistics sort of person, that could be fun. +**\** One interesting thing that is almost a computer-science exercise and could land anyone "on the map," so to speak, would be to place the Zerocash Sapling ZK-SNARKs inside the bulletproofs of Bunz, Bootle, Boneh, et al. +**\** Anyone who can manage to do that will essentially see money thrown at them to work on these projects forever, and will see their work implemented live on multi-billion dollar currencies within a year. +**\** we should put this in a doc on a repo or somethin +**\** From an applied algebra point of view, we are more-and-more interested in RLWE settings and their post-quantum resistance properties, and personally, I've recently been reading about using Euclidean rings to construct untrusted accumulators. +**\** yaaaay +**\** oh, i need to publish the Q4 roadmap by the end of this month, endo, and i'll be including this stuff in there +**\** I was actually just wondering whether my RLWE fanatism will be extingiused here +**\** with the roadmap +**\** i copy-pasted some of the list above from my communications with Clemson recently. :P +**\** These should be open issues on github probably +**\** the roadmap is an open issue +**\** and it consolidates all this into a list +**\** suraeNoether: around may we had a brief discussion about how bulletproofs could be even more efficient with RLWE +**\** we should really see that to the end +**\** silur: https://eprint.iacr.org/2018/637 for some RLWE fully homomorphic stuff :P +**\** i don't recall that discussion, and i haven't thought \*at all\* about how LWE or RLWE could be used in bulletproofs +**\** these cipher expansions are supa-dupa small O.o +**\** thanks for tha paper +**\** okay, i think this was a pretty good meeting. Anyone have objections to beginning the closing ceremony of our research meeting? +**\** also will you have some time to share your leads on this RLWE untrusted accumulator stuff? I don't really see the connection now +**\** I have a Q or two about the notes at the GitHub, but that can happen post-meeting +**\** no, no, the untrusted accumulator is with euclidean rings (like polynomial rings) https://kodu.ut.ee/~lipmaa/papers/lip12b/cl-accum.pdf +**\** the FHE encryption uses RLWE +**\** IsthmusCrypto: eh, the closing ceremony is "people gradually losing interest and walking away from their computers" so fire away buddy diff --git a/_posts/2018-10-01-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-01.md b/_posts/2018-10-01-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-01.md new file mode 100644 index 00000000..629b3152 --- /dev/null +++ b/_posts/2018-10-01-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-01.md @@ -0,0 +1,197 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-10-01 +summary: Surae work, Sarang work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / sarang +--- + +# Logs + +**\** Hello everyone; greetings abound +**\** hola +**\** suraeNoether informs me his flight was delayed and he plans to join late if at all +**\** Let's briefly go around the (apparently small) table and review anything of interest from this past week +**\** I have finalized a few small lingering projects, like a couple of papers: one on dual-key signatures, and another on the set theory of spent outputs +**\** hope I'm not to late hi all +**\** jai +**\** and am returning to larger projects like sublinear ring sigs that were delayed due to the network upgrade prep +**\** I have some other news regarding external research, but I will save that until others speak about their work +**\** yaaay sarang on rtrs \\o/ +**\** On behalf of suraeNoether I'll say that there is a draft of an MRL ethics and conflicts statement; comments requested: https://github.com/monero-project/research-lab/issues/31 +**\** We want to make sure that our contributors are clear about their conflicts, which is sorely lacking in our field and especially in other projects +**\** hyc or silur or oneiric\_ anything of interest? +**\** (apologies for my slow responses due to shitty wifi) +**\** we had a decent discussion in here about PoW algorithms +**\** yes indeed, so good that it was relayed to reddit +**\** and the threat of finding shortcuts in e.g. RandomJS +**\** hyc what are your conclusions from that discussion? +**\** there's 2 considerations - one is that long sequences of source instructions could be automatically recognized/templated +**\** and these templates could then be condensed into ASIC blocks +**\** That decreases quickly due to randomization, no? +**\** ideally +**\** the other is that if the generated code has nonuniform difficulty, a miner could detect harder nonces and skip them +**\** and presumably choose only easy nonces, and crunch them much faster than a vanilla miner +**\** I suppose this is playing with the law of averages; if you only search 1/1000th of the search space, and can do it 1000x faster, you should be able to beat regular miners +**\** sarang: yes, ideally the randomization prevents recognizable sequences from recurring +**\** (we've been to the moon something like 7 times, but wireless networking is apparently impossible) +**\** Does this affect your design principles going forward? +**\** these 2 points are actually in opposition: we could guarantee perfectly uniform difficulty +**\** but that requires limiting the possible generated output to some strictly defined parameters +**\** and that will make the output templatable :P +**\** What if we switch to some kind of "hash-function" with a uniform output? +**\** lololol +**\** I dig into multilinear pairing in lattices to form a PQ-HIBBE. Also I'll make sure to follow this guide @sarang at HCPP, originally I didn't even want them to write MRL below my name :D +**\** but I do have some interest conflicts and make that clear in my interview +**\** There are no formal standards to claiming MRL as a byline, but including it should imply that the main MRL peeps are in agreement +**\** I don't know wheter this actually applies to those not funded by the community? +**\** and typically we only publish under MRL when we do releases to the main site +**\** If you're publishing on the side, I would personally recommend not including such a byline +**\** I'm often careful to say that I "work with MRL", not "for MRL" +**\** since nobody works "for MRL" +**\** publish like research papers or software? +**\** anything +**\** People may attribute a certain level of researcher consensus to anything bearing The Name +**\** Our six papers on lab.getmonero.org are probably the only "official-ish" papers we have out +**\** This is all my opinion, btw +**\** I don't speak for anyone else +**\** "People may attribute a certain level of researcher consensus to anything bearing The Name" well put +**\** e.g. when I speak, I have a whole slide stating that I don't formally represent MRL or Monero in my talks +**\** this is kinda gödelic :D +**\** hyc: can we find anyone to run those simulations? +**\** yea I should include that in my HCPP slide too +**\** If we were a formal organization I think it would be different, but since we're a loose group that has a certain amount of sway, I want us to be hella careful about representation +**\** I don't even include the MRL logo +**\** endogenic: nobody has contacted me yet. I'll have some time to set it up myself after next week +**\** is this similar to usual "these are my opinions not my employers" disclaimer? +**\** except at the end to include a link to it for people to see +**\** oneiric\_: basically +**\** "All views in this presentation are those of the author, and do not necessarily represent those of the Monero Project, Monero Research Lab, or their associated communities or contributors." +**\** Media doesn't know what our loose group actually means +**\** :) much formal +**\** I don't blame them, but I also don't wanna muddle things +**\** "Any inference you make are you own problem" +**\** lol +**\** Anyway, silur you are free to do as you wish, these are solely my views =p +**\** but I totally agree so I'll include this in my talk and iterview too :) +**\** Yes, especially for interviews +**\** make sure they know you speak only for yourself +**\** the ethics statement draft specifically addresses this +**\** "I thought we were an autonomous collective" +**\** yeah, but media assumes we're some devious entity +**\** there was one time when after the interview they published me as a monero developer even though I stated in the recording that im not :/ +**\** I always keep in mind not to say anything to a journalist that I'm not comfortable having twisted beyond recognition =p +**\** lol hyc I totally missed your reference :( +**\** So hyc continues his design work toward ASIC-proof random code +**\** silur wades the murky waters of cryptofame +**\** suraeNoether waits patiently at an aeroport +**\** As was discussed yesterday, I received some paper drafts from external researchers +**\** "I'm not comfortable having twisted beyond recognition" i know that feel +**\** they basically duplicated all our blackballing and set theory work +**\** formalized it quite nicely +**\** and plan to publish +**\** As a professional courtesy I can't share the papers themselves, but they contain no shocking results +**\** did they say if they would cite MRL? +**\** I'm drafting a response to them, asking them to acknowledge that we already knew all this +**\** nice +**\** I assume the cryptomedia will latch onto this, just like the other shitpapers about "output attacks" we already knew about +**\** Granted, this paper is really quite good +**\** I have a few quibbles about how they present things +**\** If anything, I'm peeved that all these academicians work in their silos and don't bother asking "hey, did you folks already do this work?" +**\** and then we're left on the defensive, fielding annoying questions +**\** My response passive-aggressively says that I wish they would have contacted us, so as not to duplicate other work and waste their own time +**\** I hope they agree to collaborate with us, and not claim that their work was unknown +**\** I'll share my response before I send it +**\** They do have a nice algorithm for identifying more spent outputs; it's one I also came up with but never finished coding +**\** perhaps we don't need to press so hard on that point - it's good to have independent reproduction/confirmation of our work +**\** I agree on that point; I only ask them to change the wording a bit +**\** so as not to unintentionally mislead readers +**\** and their results essentially mirror our blackball results +**\** so that's good +**\** And keep in mind that ideally, scientific reproduction is done with full acknowledgement to other work, with comparisons +**\** I get that they only looked into published former work, but not bothering to reach out strikes me as lazy +**\** I'd like researchers to stop doing that +**\** Any questions/comments regarding this? +**\** agreed +**\** this is open source, you're supposed to communicate with the community +**\** Yeah, it's a weird intersection between the academic community and the OSS community +**\** But hey, hopefully these folks continue to work with us; they did great analysis +**\** I saw moneromooo jokingly bring up an smt solver. how hard/useful would plugging in a blackball finding algo into an smt solver? +**\** unclear +**\** We already have algorithms to catch all spent sets up to whatever size our computers can do +**\** So for the upcoming week, I'll be working with these researchers, perhaps integrating their/my algorithm into code (unclear if it's actually that useful), and continuing bigger projects +**\** I'm sure new things will start on fire that will require attention =p +**\** awesome, thanks sarang +**\** One thing of future interest: Tari Labs paid travel for suraeNoether and endogenic and I to do an in-person research session in Nashville, and they'll be funding such a thing in November again +**\** Tari Labs didn't pay for my travel +**\** Ooh true, thank you +**\** they did take us to a few nice dinners though :) +**\** they being Naveen +**\** There was no additional stipend-type funding, and they do not set research directions +**\** But are supporters of MRL and Monero +**\** and actually technically I guess I paid for hotel :) +**\** I wanted to make this clear for transparency... they have also offered to bring up to 2 others to such a meeting as we see fit +**\** In-person research is incredibly effective, and I like the idea +**\** suraeNoether says he has a researcher in mind who has interest in zk-stark applications, but has not previously worked with MRL +**\** I don't know the person and have no opinion either way about bringing this person to such a meeting +**\** Other ideas for people to bring? +**\** let's bring hyc +**\** I should add... they agreed to fund travel within the U.S. only, due to cost +**\** the unfortunate side to a global project, I suppose, is lack of proximity for in-person events +**\** I'm sure suraeNoether will have more to add when he returns +**\** but the idea is simply to have space/time to wax poetic about what MRL is working on +**\** there's a whiteboard too +**\** the best research tool +**\** minutes are taken +**\** ah good, no serious gathering can be without a whiteboard +**\** heh +**\** I'm also saying all this to ensure that folks are in the know about the nature of the meeting and its funding +**\** I appreciate the support of Tari Labs, but they (and everyone else) can pry research independence from my cold, dead hands +**\** Anyway... anything else of interest that anyone wishes to share? +**\** it'd be a good idea imo for everyone in the community to know they can put something on MRL's agenda for the meeting +**\** Oh absolutely +**\** and this is probably a good place to leave suggestions +**\** I'm sure that big topics of interest will be ring signatures, spent output analysis, cross-chain fundamentals, payment channels, and general talk of trustless zero-knowledge applications +**\** If there are no other issues to discuss, we can begin to wrap up the formal meeting +**\** suraeNoether must still be delayed, but I'm sure he'll be on when his plane lands in Opsec USA +**\** I'd put trustless IBE on that table and i'll dig somewhat deeper into that +**\** making key-exchange in crypto payments easier is I think a key adoption step +**\** IBE? +**\** acronyms are my downfall +**\** identity based encrytion (for signatures of course) +**\** ah yes +**\** good call +**\** silur: do you have particular interest in attending an in-person research meeting (if based in the U.S.)? +**\** you don't have to reveal your location here, obv +**\** I am interested but you know about my stateless situation :D +**\** don't know how that works in the US +**\** I only have 50% success of leaving my country even within the EU +**\** it was really only a question of how much the supporters were willing to fund, and I suppose any visa issues that might arise (can't speak to that) +**\** perhaps we could arrange some kind of remote participation, this hasn't been worked out yet +**\** OK, let's formally adjourn +**\** thanks everyone +**\** thanks +**\** ttyl +**\** we just need to get one of these for silur and hyc and maybe moneromooo http://www.doublerobotics.com +**\** and i guess a lackey to write on the whiteboard for them +**\** Heh +**\** thnx +**\** aaaaah six minutes +**\** damn +**\** hi guys +**\** lol +**\** oh hey +**\** surae can buy the post-meeting beers +**\** hyc you have to come to nashville for that +**\** so I'm kindof outdated with our education lead +**\** we started to talk about that around may I think +**\** sarang i disagree that they contain no shocking results: i was shocked that their global solution is harder than NP (it's #P apparently) but I haven't gotten deeply enough into the paper to see if they've \*proven\* it or just have strong evidence of it +**\** so, news from the education front is... twofronted +**\** firstly, i got my mentee assigned to me for the she256 mentorship program, and depending on my conversations with her, she'll be joining us in the chat room. +**\** secondly, i have gotten more communication from the crypto-brick-string group at clemson +**\** he gave me some price ballparks for what it would look like to fund grants/consultation at Clemson, which is less important before the community decides to move forward with funding; i explained how we fund things essentially on a quarterly basis to avoid various problems with volatility, and he stopped describing it as grants and more as consultation... +**\** he also said "Regardless of the Monero funding status for Spring 2019, I plan to teach a graduate class for Modern Cryptography, AND teach a research topic course on blockchains and applications (more like a seminar, but meet twice a week, this is related to my NSF grant)." +**\** (for the record, NSF grants in the math community are pretty rare, and the fact that he regularly snags them is an indicator of the quality of his work) +**\** he also asked a question I want to pass on to the community: "One question for you: In my course announcement, I would like to mention the possible collaboration and funding from Monero Research Lab as an advertisement in order to attract good students from Math and CS to join the team. Is this ok with you? " +**\** sarang ^ thoughts? +**\** any \*funders\* of the MRL have any thoughts? diff --git a/_posts/2018-10-08-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-08.md b/_posts/2018-10-08-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-08.md new file mode 100644 index 00000000..e4b0cd02 --- /dev/null +++ b/_posts/2018-10-08-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-08.md @@ -0,0 +1,446 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-10-08 +summary: Surae work, Sarang work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / sarang +--- + +# Logs + +**\** Let's begin! +**\** fluffypony knaccc luigi1111 luigiafk sarang andytoshi anonimal ArticMine binaryFate dEBRUYNE endogenic ErCiccione ferretinjapan gingeropolous gmaxwell hyc iDunk IsthmusCrypto john\_alan jwinterm kenshi84 kerber\_ medusa\_ moneromooo MoroccanMalinois naughtyfox needmoney90 oneiric\_ OhGodAGirl philkode pigeons rehrar rrol[m] sgp\_ smooth sneurlax stoffu unknownids vtnerd waxwing +**\** meeting time! woo! i'll get banned from freenode eventually by calling everyone's name +**\** just in time +**\** So, greetings everyone +**\** got back from the dentist +**\** gross +**\ \** hallo +**\** did you bring snakes and butter +**\** hello +**\** wat? +**\** Im just lurking +**\** rehrar: adventure time reference, nothing to see here +**\** okay, so today I want sarang and myself to discuss what we're working on presently, and then i want to chat about the topics i mentioned before: 1) research, 2) conferences, 3) collaboration, 4) funding +**\** righto +**\** 5) privacy/efficiency tradeoffs +**\** before we begin, though +**\** I like the idea that we employed last time where people can be free to ask questions before we begin +**\** (i mean in general, you are free to ask questions) +**\** but, before we start: who has questions in general for MRL? +**\** When Monero scale? +**\** when GUI? +**\** how much does a piconero weigh +**\** when 0.13 +**\** oooh that's a better question +**\** But anyway +**\** Shall I talk research? +**\** yes +**\** yep, fire away sarang +**\** Well, suraeNoether and I were sent a couple of draft papers from some researchers regarding spent outputs and blackballing +**\** There's some formalization of the set theory that we already developed +**\** and some parts of the results that are presented in a way that is FUD-inducing +**\** "XX% of outputs are traceable!!!!1!" +**\** of course, 99% of those were announced in monerolink. :P +**\** So we worked through those, offered to work with the researchers, no word back from them except "we will look into it" +**\** or 100\*(1-p) for some reasonably small p, i believe they managed to find an additional, ... I think about a single day's worth of transactions in total, from teh whole blockchain, iirc +**\** I'm working to get some updated blackball stats on our own to compare +**\** they have an O(N^2) method for identifying more outputs, but this is negligible as always +**\** At the very least, we'll have up to date data to refute if they publish their work as-is +**\** Aside from that, suraeNoether and I have been continuing work on sublinear ring sigs for feasibility +**\** they reinvented several wheels that we've worked on in the past 3 months here at MRL, which is actually a good thing, because it lends credence to our results to have some independent and similar results pop up +**\** like RuffCT type stuff? +**\** yiss +**\** I have a shitty version of their clustering algo on my repo +**\** well, RuPol. RuffCT was the first one we had presented to us (also by Ruffing et al, but with a different "et al") +**\** the clustering algorithm has to do with this blackball paper, not sublinear ring sigs +**\** yes +**\** As sgp\_ has mentioned before, forks and pools will be the BB things to focus on anyway +**\** so is the new sublinear stuff looking more promising than the Ruff Stuff? +**\** unfortunately those are not verifiable by the user +**\** rehrar: unclear +**\** it's clever but very complex +**\** that's what we are trying to figure out: it appears to be more efficient, asymptotically, but until we have a working implementation, it's hard to tell +**\** like me +**\** yes +**\** heh +**\** There is a lot of math left out of the paper, so it's a thing we're working on in parallel to other things that come up +**\** cool. Sounds lit. +**\** #litmaths +**\** last week I split our MRL research roadmap into a sequence of separate github issues (#30 and higher I believe) https://github.com/monero-project/research-lab/issues +**\** nope, #31 and higher +**\** and I've spent a bit of time on my lightning-for-monero paper, but not nearly enough, as this RuPol thing is a nasty rabbit hole +**\** is MRL going to transition to gitlab also? +**\** I'm at the SF Blockchain Week Epicenter today & tomorrow on behalf of #noncesense-research-lab -- ping me if you're around and want to meet up for coffee/drink/chat. I'll be back with a million new ideas soon. +**\** rehrar: I have no big preference +**\** rehrar: i have no control over the research-lab git, actually. :P +**\** so if all workgroups migrate, we'll presumably migrate too? \*shrug\* +**\** also personal repos, but that can be after the meeting +**\** yeah sarang and I have been talking about blackball, and it's my opinion that we need the public pool data working with the blackball tool to test for chain reactions before we proceed further +**\** I have a question. Would the blackball cause such kind of attack? Mallory knows an output belongs to Alice and wants to trace when it is spent. He makes N transactions with each of them exactly N ring members, and each of them contains Alice's target output as decoy. If the blackball get in effects, then the next time the target output apears, it must be Alice's real output. +**\** One conclusion sgp\_ and I share is that understanding the statistics can help guide best practices going forward +**\** if pool transactions are mostly unimportant, then we probably only need to use the blackball tool as an indicator of netowkr health. no one would use it typically +**\** equim[m]: the on-chain set theory stuff is for provably spent outs +**\** it's not possible to "get caught" with that +**\** Mallory couldn't make those signatures anyway +**\** if pool transactions ARE important, we need to bump ringsize, avoid coinbase decoys by default in wallet clients, or have everyone use a blackball list +**\** you can see our recommendations hinge on the importance of pool data +**\** option 1 is expensive, option 2 is possible (but could fingerprint), and option 3 is not verifiable +**\** (or at least mine do, I don't mean to speak for sarang) +**\** equim[m]: short answer is no, long answer requires more explanation, but primarily: the probability that allice \*happens\* to select all used up ring members is very low unless someone was flooding the network with transactions, and at that point, the attack is costly +**\** My opinion is that we need the data for this +**\** and moving toward getting that data is the first step +**\** i think the blackball thing is a big red herring waste of time, and i've said this beforfe +**\** it is for set theory stuff +**\** for pools it is unclear until we have data to show one way or another +**\** i think i've sketched out my argument about how, even in the next 10 years, it's unlikely to impact even a single ring signature, so i'm still highly skeptical +**\** Hence getting pool chain rxn data +**\** then we can lay it to rest one way or the other +**\** if the back of the napkin is that pessimistic, i think spending even an hour collecting data is wasting time, but i've said that before too +**\** i disagree: this shit will never be laid to rest until people just admit that it has no practical impact +**\** AIUI mooo thinks it's bad to include pool txs in the BB list +**\** the EAE attack and ring sizes in general are far more fearsome +**\** and far more worthy places for us to spend our limited time +**\** nioc: do you recall moneromooo's justificaiton for that? +**\** Not saying we should add them. Saying that we should see what effect they have so we can decide if/how to move forward +**\** sgp\_: i heard a rumor that you had started including heuristically linked outputs in the blackball list, or outputs that aren't necessarily \*provably\* spent. is that true? +**\** sarang: yes +**\** I don't really like this. (1) they're not proven spent, (2) it means it strips away non pool miners' ring signaturity when they spend. +**\** sarang: would you mind opening an issue up on the research-lab git on this topic so we can have a public discussion about it that is referrable later without combing through meeting logs? +**\** I'll defer to sgp\_ since this is really his baby. I'm just an interested party who would like to know the results of the analysis +**\** moneromooo we can talk about the implications, but the effectiveness of these pool ring signatures is already 0 +**\** sgp\_ any word on my previous question? +**\** re: blackball list and non-provably spent outputs? +**\** suraeNoether sneurlax's tool looks at coinbase outputs and the sent transactions to see which outptus could have been spent in the transaction +**\** the current codebase's bb tool will not do heuristics on its own +**\** I believe it's a heuristic using data the pool provides, and it takes this data with the assumption it's correct +**\** so... \*yes\* the tool blackballs outputs that are not provably spent? +**\** so if a pool mis-reported, the tool would report different results +**\** sgp\_: he's asking if your hosted list contains any non-proven +**\** the current tool that ships with Monero now does not +**\** i strongly recommend against any blackballing for any outputs that are not provably spent +**\** right now, the site has 3 list categories +**\** So if everyone is using blackball, then one can easily make others mark a target output as spent (N transactions with N ring size) that is actually not spent? +**\** it is critical that the blackball list be independently verifiable +**\** one for all chain data with chain splits, another with only rct data with chain splits, and a third separate category for pool data +**\** equim[m]: you cannot generate signatures that blackball another person's output +**\** Yes that's my point +**\** equim[m] I'm not understanding your question +**\** would you mind clarifying? +**\** a user could verify the first two by running XMR, XMO, XMV nodes locally +**\** Okay, I think I need to read up more first. +**\** equim[m]: if you generate N identical rings of N outputs with valid sigs, it means you controlled all N of them +**\** fwiw I don't recommend a user should use a blackball list. I think we should use the findings of the blackball list to pursue other options to mitigate the data that would need to potentially be stored there +**\** equim[m]: you cannot make N rings with N outputs, one of which being not yours. +**\** Oh I got it, just missed that. +**\** rings need to be identical +**\** sneurlax's tool essentially creates a list of outputs that the pool controls at any one given time, then sees if it can attribute these outputs to specific ring signatures +**\** I still think we need to table this discussion until we can test for possible chain reactions with pool data, which means updating the output format for sneurlax's tool +**\** Yes, I think a useful action item is to get this data, run rxns, and compare to our base data to see what the effects might be +**\** just like it's useful to have data on previous forks to better understand what, if any, risk is present +**\** yeah, and if the impact is small, we forget about it. if it's large, we need to discuss options +**\** Yep, use the data to inform best practices +**\** So +**\** suraeNoether: any research to report in addition to what's been discussed? +**\** sorry, had to get the door +**\** So, other than a modest amount of progress on my lightning paper, and workign with Sarang on this sublinear RuPol scheme, I have done a lot more administrative stuff this week +**\** so i want to move onto a bit of that adminstrative crap regarding conferences +**\** actually +**\** collaboration is a bit more research themed +**\** so, there is some good news and bad news on the collaboration/grant front +**\** the short summary is this: after speaking with three separate univeristy research foundations on Friday +**\** there simply is not a structure in place for universities to accept research funding from a crowdfunded animal like our own +**\** this is both good news and bad news +**\** the bad news is it'll be six months at least, if not longer, before we can start interacting wtih universities in a way that requires funding +**\** the good news is that all three of those universities are extremely eager to start working these things into their foundation's policies +**\** so, for example, the researcher Gao at Clemson: even if we wanted to, we couldn't really offer any money (beyond bug bounties, etc) for their collaboration +**\** is it really a good idea for MRL to be in the grant giving business? is there anything the FFS system could not accomplish for such candidates? +**\** endogenic: being actually funded for one +**\** ba dum tsh +**\** this relieves a possible burden on the community; in the meantime, CURF (clemosn university research foundation) is going to start working (partly with me at MAGIC) doing research on how to start making this a thing, because everyone at these universities agree this is not going away any time soon +**\** I thought the Clemson group might be interested in non-funded collaboration +**\** thereby removing the burden from the community +**\** and that's the best news, is that they are +**\** and the PITA of funding +**\** rehrar: why does everyone keep saying that +**\** endogenic: the best jokes require explanation +**\** cuz funding is taking a while for other stuff. It's just cuz people are funded out after funding mooo, sarang, and suraeNoether +**\** of course, providing some incentives for that research like travel funding,e tc, these things can be accomplished through the FFS, endogenic... kinda! but not really... because every single university requires a cut of all such funding, and they refuse to accept such funding from a crowdfunded anon crowd style animal +**\** admittedly, those are our greatest assets, but they require good amounts of Momos, so the other ones are struggling a bti atm +**\** \*bit +**\** yep +**\** I think the correct avenue is non-funded collab +**\** so the short answer is that right now, it doesn't matter if it's in MRL's best interest to be a source of funding, because we literally can't do it +**\** We already have university groups publishing on Monero +**\** yep +**\** I'm going to make it my personal mission to make Momos a thing for Monero in the same way bucks and paper is for dollars +**\** all about the momos +**\** i think.. it does matter.. because if it's not in mrl's interest then we don't have to become nonprofit administrators with the ffs funding we have. +**\** so, that actually puts a nail in a coffin that i very much wanted to either be nailed shut or aired out in the daylight, i was uncomfortable with whatever was inside banging on a loose lid +**\** so to speak +**\** "every single university requires a cut of all such funding, and they refuse to accept such funding from a crowdfunded anon crowd style animal" hmm +**\** how about from individuals? +**\** that's a different animal +**\** we just have individuals who are willing to deanonymize themselves say who they are +**\** well +**\** you can even feature 'em +**\** another option is, for example, OSTIF +**\** but for now, adding this layer of grief I think is not worth it, even if there are interested parties who could throw their weight toward our project; MRL has other goals and priorities and we don't want to spread ourselves too thin... and the answers I got from the foundations I spoke with are good enough reasons to abandon the idea for at least a few semesters +**\** Keep in mind that whoever is giving the grant is paying a lot extra for administration +**\** 50% in fact +**\** yes +**\** well, between 33% and 50% depending on the university +**\** researchers don't see a dime of that +**\** yep +**\** heh +**\** so, that's going on a longer-term back burner +**\** another thing I wanted to talk about is the Monero Konferenco +**\** So I agree with the sentiment that FFS shouldn't fund university grants, but we should be receptive to helping good researchers apply for funding, and also keep collaborating for free with groups we know are interested +**\** especially researchers who have contributed to the project already +**\** sarang: if ffs proposals for grants had more trouble getting funded than those which didnt have admin fees attached then i think that could create a market to lower admin fees +**\** endogenic: my experience, to be frank, is that almost any university will climb over their own grandmother, so to speak, for more funding, so you may not be wrong. however, these institutions are oftentimes very... slow... to... make... decisions... regarding new technology especially +**\** but anyway, unless folks have questions, let's move along to conference talk +**\** re: the Monero Konferenco, I finally have all the quotes for costs that I need to post the funding request, and I want everyone's advice on how to proceed +**\** MoneroKon! +**\** long story short I've boiled down our possibilities to at least two, if not three possible locations, all that are roughly within the same range of price and amenities. However, one of those locations is the University of Colorado in Denver, which has some... interesting requirements... for the events held there. And there is a possiblity that they have to turn us down if we are not a "society" like SIAM or +**\** AMS (for the same reason that grants can't be accepted) +**\** all that needs to happen there is one professor decide to "sponsor" the event, but then there are issues with a public university endorsing our little conference, and whether that is even allowed +**\** so...probably best not to do it there then? Or is that the best of the bunch price-wise? +**\** so, depending on my communications with them this week, it may simply not be possible to do it there. I've already gotten proposals from the Colorado Convention Center and the University of Denver, both of which have some sub-optimal properties +**\** it's not only the best of the bunch price-wise, I think, but also: you can take the lightrail from the airport to the location, which is embedded in the 16th street mall, which is a bit of a tourist location. lots of restaurants and hotels, etc +**\** and there are bike share stations all around, etc +**\** rehrar thinking about your previous mention of people being funded-out .. tbh we have a lot more funding sources than those who are aware of the ffs system but they cant donate monero because they dont have any. we need to open the funding platform to those who visit then drop off +**\** this meeting is not about the FFS +**\** and I would really like to move on +**\** we are coming up on an hour already. :P +**\** but i guess the meeting really IS about FFS +**\** it's my fault +**\** so maybe THEY might not be able to market our event +**\** but can WE do it? +**\** is there a cryptocurrency club in that university? +**\** oh, marketing is totally aside; the issue is that by sponsoring the event (which they require for the event to be held on their campus) is an implicit endorsement BUT THAT'S A REALLY GOOD QUESTION REHRAR! +**\** +1 rehrar +**\** i know that three professors there are currently chatting with each other about this to decide how to approach the topic +**\** they haven't contacted me directly yet, though, and I will email the chair of their department back +**\** however, locations aside: we have numbers for funding requests, and I want folks' advice on moving forward for this +**\** My honest opinion is, if this can be hammered out relatively quickly, then let's try for there. If not, then we should find another place. The truth is so much depends on the venue that it's super hard, if not impossible in some areas, to plan further without knowing the venue +**\** I feel like having more than one funding round would be wise, where we can cash out as we go. this could prevent something like asking for the single big chunk all at once and then failign to fund the entire thing, even though we could still throw a kcikass event for 80% of funding, or even 60%, as long as we plan around it +**\** has that sort of thing been done through the Monero FFS yet? +**\** also, if we can get a sponsorship, say from Cake Wallet or Tari or something like that, over-funding could be returned to the community through the general fund or whatever +**\** what is the amount of the "big chunk" +**\** I 100% support those terms +**\** The idea that you ask for 100% of what is needed, and then ask for sponsors after. +**\** And specify in the FFS that any extra funding will be kept for next year's conference +**\** there is no guarantee of sponsors +**\** this may or may not have been thought of or talked about above, but if MRL can't do university stuff because its a total PITA etc, one resource that could be created is a research facilitator +**\** that's just my opinion though +**\** my initial numbers were 54,150 USD to 72,900 USD, but i was assuming wedding-level costs of a venue. with our newest numbers, the cost will be closer to 52k USD to 59k USD +**\** i.e., if there's a researcher at a university who wants to do monero research, we can provide grant templates or boilerplate crap or letters of support +**\** I'm not sure how wise several funding rounds is though +**\** for the university researchers grant application etc +**\** gingeropolous: that's a very interesting idea that we can start looking at over the next few months +**\** depending on how quickly it moves through the system and gets funded each time, it might be too long to get stuff done +**\** I still think we need to do a better job of reaching out to groups that have already done Monero research +**\** yeah, it shouldn't hit any beaurocratic nightmare hurdles +**\** rehrar: that's a fair point +**\** I think make an FFS for 65k +**\** bureaucratic +**\** roughly 10% of wiggle room there for price movements +**\** okay, and we can make it clear that excess funding will be used for next year's conference +**\** now, for transparency reasons +**\** I'll be throwing this conference, contacting speakers, hiring the conference coordinator, etc +**\** the coordinator will be taking care of most of the grunt work +**\** I'm down to help in whatever capacity (management, coordination, or otherwise) that you need me for +**\** as well as design, obviously +**\** in order to avoid liability, I've started an LLC called colorado crypto conferences LLC, so that I can distribute funds to organizers, venues, etc, without it coming out of my personal bank accounts, etc +**\** thanks for volunteering for this rehrar! +**\** we'll definitely take you up on that. I wouldn't mind having t-shirts or shwag bags +**\** so, does anyone object to me opening an FFS for 65kUSD for this? I can post 100% of all bookkeeping information for CCCLLC for transparency +**\** and comply with any other wishes the community has for transparency +**\** start there, and get feedback. I think it should be more than fine. :) +**\ \** sounds like a great idea, +1 +**\** fantastic +**\** How much does the coordinator get paid? +**\** (due to the conflict of interest there) +**\** 9000 USD. Approximately 100 man-hours of work. Justification: Typical per-hour fees for event organization at a firm are between 125-250 USD per hour. The project organizer is low-balling herself for this cost specifically because she is related to me. Around 10 of these hours she anticipates can be spent seeking out sponsors for the conference to mitigate our costs, as well. +**\** she just finished organizing a conference for Johnson and Johnson and she received over 20 for the same amount of time and work she expects for this. +**\** I think all that is needed for this justification is quotes from a couple other people of the same job +**\** ^ that doesnt work +**\** no? +**\** at least not without showing their work will turn out just as well +**\** yup +**\** i say leave it to the community to ask +**\** ok +**\** it's not a complete look, but it's fairly standard to find 3-4 quotes from several parties as an investigation into "fair market value" and then select from there +**\** of course +**\** not sure why youre on the hook to justify it though if youve done your research and are doing something for the community +**\** it's an easy thing to find a quote for +**\** I'll have a couple of quick unrelated blackball stats when we're finished up here +**\** endogenic: I think it's ethically important because he's related to the organizer he currently plans to hire +**\** how does showing quotes ameliorate that? :P +**\** endogenic: it's a good faith thing +**\** yeah +**\** you're not recommending her rate imo +**\** i'm not, she selected her rate +**\** this is true, endogenic. +**\** And if another coordinator wants to come in, prove their past work, and undercut, nothing is stopping them. +**\** but onus on them +**\** the fact is: it's a very easy thing to temper any appearance of impropriety, and so we should +**\** suraeNoether: what does the total estimate assume about entry fees? +**\** I assumed nothing about fees. +**\** here is the section I was going to include on that. +**\** Cool, so it assumes people show up fo free? +**\** \*Registration fees.\* Charging attendees is optional here and we should discuss the benefits (free and open access to Monero conferences is something we value?) and the costs (random crazy people and ICO shillsters will almost certainly walk in off the street!). It's worth pointing out that the event will \*not\* pay for itself unless we charge more than 1000 USD per ticket and we have full attendance. +**\** currently looking at 50-70 attendees, so charging, say, 40 bucks for entry would only partially mitigate our total costs +**\** Does the LLC's tax burden come into play with any of this? +**\** We can discuss what it would look like to charge a small amount to partially mitigate costs, and give tickets for free to anyone who asks nicely.:D +**\** sarang: if the LLC makes any profit, it passes through to me and i pay personal taxes on it; my goal is to save a bit of cash for next year's conference, extract taxes from that part set aside, and then ensure that the remainder is spent on expenses for this year, so that i personally never feel any burden or liability from this. +**\** you will get more than 50-70 attendees and there should be some cost for them +**\** OK, so charging entry fees doesn't mess with that +**\** nioc not if i only sell 70 tickets :) +**\** sarang correct +**\** got it +**\** all my venue costs look at around 600-650 a day, but are based on no more than 150 people +**\** how many days? +**\** are we only planning for 50-70 because that's the sizes of the veue +**\** 1.5 +**\** \*venue +**\** Will there be a story about the afterparty on mashable? +**\** 50-70 for measuring interest the first year, and to keep the topics and audience in the technical, rather than ICO/business end... also because it's easier to scale a small event up than throw a big event htat no one shows up to... not to mention, fluffypony has discussed with me throwing a monero conference preceding the magical crypto friends conference he is planning in NY, and I \*imagine\* that's going to +**\** be a larger scale event. +**\** most of these universities have so much room for events like these we can scale up relatively easily without paying \*too much\* more +**\** interesting +**\** if we get flooded with people, we can see about just purchasing a bit more space? :D +**\** anyways, let's do what you've planned. See how it goes. +**\** especially at a university, yes +**\** but we would need several months lead time on estimates of crowd sizes +**\** okay, rehrar's opinion is good enough for me +**\** :D +**\** okay, any last questions before I pivot to a controversial opinion I'm strongly interested in peddling on everyone here? +**\** Sure, but let's speedy things up +**\** we're way over +**\** no questions, give opinion +**\** okay, the main thing is this: we have a responsibility to our users. they use our currency in some cases to protect their own livelihoods from tyrannical etc etc +**\** yes +**\** in some cases, monero is a matter of life and death +**\** due to this, I believe we need to start shifting our attitude about development at Monero away from efficiency and towards security +**\** and due to this, I believe we should move to a fixed but large ring size, like 45. +**\** Do we have data to back up such a choice? +**\** I believe our job is to provide users the best efficiency for what we see as reasonable and necessary security/privacy +**\** if it turns out that, in 6 months time, a more efficient scheme comes along, then we would see a drop in our sizes and verification times, similar to our bulletproof thing, which is a PR win for us, and in the meantime, we would be taking the cautious route. +**\** short answer to that sarang is: kinda +**\** If users who need us can't join the network reasonably, we've failed them +**\** yes, if we go too large, network security is compromised by new nodes choosing other coins +**\** "The chain is now 400 GB" is a bad statement to give them +**\** I think this hearkens back to the need for a better understanding of threat models +**\** so we are stuck between a rock (loose security with efficiency and speed, lots of network security but weaker untraceability claims) vs. a hard place (tight secuirty for a coin that no one uses properly, a la pre-sapling zcash) +**\** If ring size is made less relevant by a better understanding of, e.g. churn and controlled spends under certain threat models, that's good data +**\** yeah, but what about users who don't churn? +**\** That's the need for understanding our threat models better +**\** churning is an active choice to protect yourself +**\** i like the idea of shifting focus towards security.... but that seems to go hand-in-hand with efficiency. +**\** every step you make a user take for themselves, you will see significant drop off in people who do it +**\** then again, monero (the entity) didn't give two shits about efficiency when it went to RingCT +**\** What I mean is that if we can establish that a large ring increase has measurable benefits for users under reasonable threat models, that's a conversation worth having +**\** actually gingeropolous that is one of hte best points: we added these huge slow range proofs without hesitation, and then we had a big PR win for making them more efficient. +**\** we should just assume the following threat model: anyone we transact with is transacting with an AML/KYC exchange, who can be assumed to have godlike, state-level computational power because a government serving them a warrant leads to that +**\** There was a big benefit to CT... can we point to such a benefit with a large increase? +**\** now, if you are pinned, EAE style, between two adversaries, ain't no ring size that will help +**\** so the only reasonable threat model we can really work with is EBABE where you may not be transacting directly with AML/KYC but people on either side of you are +**\** I think the assumption of EABE for current standard use is not unfounded +**\** ^ bingo +**\** and I think a threat model of EABE is probably the one to operate under +**\** BUT +**\** since we cannot see Monero's stuff +**\** we should analyze how people use altcoins +**\** like Litecoin or Dash +**\** see if it tends to go EABE +**\** wownero just forked and their static ringsize is now 22. Don't know if they will have any stats that would be of interest to "us" +**\** and extrapolate from that to Monero +**\ \** what do EAE and EABE stand for? +**\** That use could be waaaay different +**\** sarang: we do the same for sending patterns and selecting ring members though +**\** Eve-Alice-Eve and Eve-Alice-Bob-Eve +**\** oneiric\_: EAE is "eve-alice-eve" where eve is an evil exchange and you are alice. other non-E letters are other users who may or may not be malicious +**\** rehrar: we have some Monero data for that too +**\** ok +**\** based on deduced spends +**\ \** ok, thanks sarang and suraeNoether +**\** but something like exchange interaction might be way different for a private coin +**\** so sarang keeps asking "can we point to a benefit" and the answer is "we can point to a point at which ring size increases are no longer helpful, which is around 45, and we can point to some weak results on, say, how many transaction histories exist." for example, I just found a theorem that proves that there must be twice as many transaction histories as their are output keys, but finding all of them is +**\** progressively harder and harder as ring sizes increase +**\** OK, let's formalize this, determine how exchange interactions affect it (to the extent that we can), and then go from there +**\** ^ +**\** The question of formalization and hard numbers always comes up when this gets discussed +**\** see the mathz +**\** but it hasn't happened yet +**\** okay; i'm not trying to convince people today, i just want our community to start thinking about the formalization components of this and longer-term thinking for the safety of our users +**\** This has been on our radar for a long time +**\** Until we have the math for it, I think it's a very hard sell +**\** perhaps one of you community paid MRL researchers should get this formalization done ;) +**\** ikr +**\** that's one of my in-prep papers +**\** suraeNoether: it was my understanding that you already had informal versions of this +**\** ^ +**\** I think it should be a priority +**\** yeah, that's where my priorities are shifting, but that also includes looking at the sublinear papers +**\** because if they are sufficiently efficient (heh) we don't actually even have an argument, y'know? +**\** Yeah, they go hand-in-hand +**\** the sublinear papers are for increasing efficiency of larger ringsizes though, correct? +**\** But I consider this more important than, say, lightning and cross-chain stuff +**\** rehrar: size efficiency, yes +**\** I understand they go together, but I think priority should be on establishing usage patterns to establish a threat model +**\** agreed +**\** I believe Monero has been operating for a dangerously long time without a specified threat model +**\** Well, and our ring increases have to some extent been based on "bigger is better" +**\** we're long past the point of chain reaction style threats +**\** and so, while efficiencies to ring sizes are good, I think the establishment of the threat model is imperative to all future research in this area +**\** (exactly 5 post-CT outputs are blackball-worthy from on-chain analysis) +**\** as a community member, I would propose that both sarang and suraeNoether work together on hammering out this formalization before further work proceeds +**\** this will further legitimize Monero in the privacy/security industry. +**\** i mean we could just go to 45, and then let optimization take its natural course +**\** At the moment, I can see the criticisms from other people that see the lack of a defined threat model as proof that we are flying by the seat of our pants +**\** ala RingCT +**\** my primary concern is that repeated analyses of a system that uses small anonymity set sizes (sub-millions) can be very powerful in reducing effective anonymity set sizes, regardless of the threat model +**\** We could also require users to use a different burner laptop from a different IP for every transaction, but that doesn't mean it's necessarily helpful +**\** gingeropolous: doesn't solve the problem of threat modeling and formalization. and Monero is better than that +**\** and the "sub-millions" thing is essentially a non-starter for obvious reasons +**\** "who needs action when you've got words" +**\** heh +**\** who needs either when you have math +**\** which guides the action and discussion +**\** A good start will be formalizing the ring size informal stuff, hammering out churn wait times as a heuristic killer, and going from there, perhaps? +**\** right now we have not the math +**\** yes ^ +**\** for me, as a recommendation from a community member, this is priority number 1 +**\** can't speak for others obviously +**\** I think it answers "how can we use Monero safely right now" so we can move to "how can we make Monero better for tomorrow" +**\** okay, I'm going to formalize a single-hop (EABE) and double-hop (EBABE) pair of threat models, write up my formal definition of fungibility, demonstrate it implies anonymity, show that neither zcash nor monero satisfy my definition of fungibility, demonstrate a churn model that brings us closer to fungibility, and i'll share that document with the community. that will be my top priority this week +**\** thank you suraeNoether +**\** baller +**\** from a research perspective +**\** also, can we change the term "blackball" to "marked notes?" :P +**\** This doesn't even need to be journal-worthy +**\** to me, this is even bigger than BPs +**\** and will be the biggest thign to come out of MRL this year +**\** but we need a base for our recommendations +**\ \** serious win +**\** Let's collaborate as much as is useful, suraeNoether +**\** i'm sure the formalization will pretty much write itself... /s +**\** allright, before we end the meeting: any final questions, comments, concerns? I need to write my summary of my september work and post it, so I apologize to the community for my delay (again) +**\** I ran some new blackball stats to compare to our author friends +**\** nope. Great meeting. Gotta split. Bai. +**\** Finding their results are comparable to ours +**\** Importantly, our analysis methods show exactly 5 post-CT outputs are bad +**\** whereas about 68% of pre-CT outputs are bad +**\** good to know :D +**\** this accounts only for on-chain stuff (no forks, pools, etc) +**\** I'm going to add this to our tech note to shut people up about "OMG OUTPUTS ARE TRACED" +**\** yeah 5 of them! +**\** modern transactions are not vulnerable to this crap +**\** and like all of pre-ct +**\** on a totally different note, i'm in a weird funding trap because I was an idiot earlier this year, and I don't have funding for december. sarang and I were going to request funding for Jan-March simultaneously: do you guys think I should ask for Dec-March or should I request december separately, or what? I tried to get back on the quarter system earlier this year and then idiotically got back off it again. :\\ +**\** just do four months +**\** now I really gotta split +**\** bai +**\** ok <3 rehrar diff --git a/_posts/2018-10-15-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-15.md b/_posts/2018-10-15-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-15.md new file mode 100644 index 00000000..56c7fa09 --- /dev/null +++ b/_posts/2018-10-15-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-15.md @@ -0,0 +1,231 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-10-15 +summary: Surae work, Sarang work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / sarang +--- + +# Logs + +**\** LET US BEGIN +**\** yes hello +**\** Hello +**\ \** hullo +**\** today i want to chat about research and the monero konferenco, and... that's my agenda. if folks want to add to the list, shout out~ +**\** hi +**\** Where to begin? +**\** well, firstly +**\** who wants to come give a 20-40 minute chat at the Monero Konferenco? I'd like each workgroup to have at least one representative +**\** when/where is that going to be? +**\** I'll do one +**\** Good question, hyc! Right now it's looking to be one of the weekends between April 27 and June 15 in Denver, Colorado. invited speakers will be reimbursed for their travel costs +**\** assuming the community decides to fund my proposal, that is +**\** cool +**\** Can reimbursement be in XMR? +**\** I'm leaning toward April 27, personally +**\** Or are there weird legally things with that +**\ \** I could do one, or defer to anonimal if he wanted to do one +**\** yes, reimbursement can be done in XMR, it just makes accounting moderately more annoying, but no legal issues +**\** cool +**\** and i'm happy to do that +**\** Because fiat reimbursement is always a baffling and lengthy ordeal +**\** well oneiric i wanted a session of several talks on networking privacy. i'd love to have both you and anonimal come speak +**\ \** :) +**\** i also want to invite people not directly related to the monero ecosystem +**\** i will also try and come there! as i could not make it to defcon sadly +**\** suraeNoether: are there plans to arrange for streaming or quality recording? +**\** Yeah, we need that +**\** i really want to give folks who are up and coming a chance to speak at this event; we can invite really big name people to come talk, but i feel like their careers are already pretty well laid out before them, so it'd be nice to get some outside researchers who are more tangential to the crypto celebrity scene +**\** May I recommend hiring an outside group to handle that, and \_not\_ venue staff +**\** sarang, one option laid out in the budget is a section on audio/visual rental and web streaming and costs; a local place that does webcast-style AV presentations regularly would charge around 5kUSD for such an event. +**\** Or at the very least getting someone with professional experience as an audio engineer +**\** cool! +**\** i posted last week on the forums for the FFS under ideas +**\** i haven't gotten comments. :P +**\** oops +**\** that's my bad +**\** I thought I had read something on recording but it's easier to just ask you and be lazy +**\** ty +**\** not a problem, rehrar was mentioning something about cyphermarket and sponsorship and free toys and t-shirts +**\** so i'm thinking we move the idea into "open discussion" and update from there +**\** if folks have recommendations for speakers, we are assuming a decent travel cost on average for speakers, so if we can get a handful of relatively small-cost local-ish speakers, we can also have a decent budget for flying people out from further away +**\** there are a lot of contacts from the open source hardware association in denver (open source hardware summit was there last year); i could reach out to ppl (audio engineer, etc.) +**\** Yeah, my RT Frontier flight is only ~$200 :) +**\** i'm thinking a formal call for papers may be in order +**\** sgp\_: excellente, come give a taaaaalk on blackballin brother +**\** let us have a meeting of the minds +**\** all the minds +**\** sgp\_: but you're flying Frontier, so you'll pay one way or another.... =p +**\** sarang zing +**\** more like zi... ziring.. +**\** nah +**\** okay, onto research +**\** Buy us a Monero jet and I'll fly everyone there +**\** Lmao +**\** last week, sarang and I concluded that, for now, RuPol may be too risky for us to implement, given the layers of development required +**\** essentially un-vettable at this stage +**\** once things are more clear, we can actually benchmark it +**\** The level of complexity required for verification computation is also unclear +**\** The authors left many, many implementation details out of their paper +**\** It suffices to say that there is a lot of annoying math still to be worked out +**\** but for now, it relies on a previously described scheme that has it's own typographical errors, etc, and at this point even workign out a single example by hand requires beautiful-mind-level of whiteboards on the walls +**\** so we are falling back on ruffct for now to see how much the multiexp speedups we learned about during bulletproof implementations could help +**\** I've returned to our older RuffCT scheme, working to backport what we've learned from BPs about optimizations and batching +**\** jinx +**\** im finna shutup now +**\** heh +**\** We can certainly speed up some operations on individual spend proofs, and that's cool +**\** But +**\** The possibility of batching some parts of verification are quite intriguing +**\** especially relating to fixed group points +**\** I'm running some code and tests on this presently +**\** in addition to all that, i've been working on the churn paper to formalize the threat model we discussed last week +**\** Also, I've finished some updated blackball testing +**\** that's going... really well, and i hope to have a draft to the community in a few days +**\** My hunch is that we'll see those papers published with shitty information +**\** and the associated bad press +**\** sarang i will want to dip into your blackball info in writing this to illustrate the negligibility of the gains from heuristic methods +**\** i disagree, i think the papers weren't sufficiently FUD-dy to really be worried about it, as long as they clarify "newly found" versus "total found" +**\** Sounds like a good co-op +**\** but, you know, matt green says we have "fake privacy" so +**\** :P +**\ \** lol, really? +**\** yeah some tweet from awhile ago \*shrug\* +**\** The Zcash mentality is that we offer shitty obfuscation +**\** I tend to not really pay attention to it +**\** we happen to agree that ring signatures suck and they need to be replaced with something with larger anonymity set sizes +**\** when ringsize 42 +**\** which is why sarang and I never really let go of the sublinear +**\** Those papers did a terrible job of differentiating things that are time-based or blockheight-based +**\** no big deal +**\** Has anyone seen this new paper? https://eprint.iacr.org/2018/962 +**\** we saw a draft, not the final thing, i'm withholding judgement +**\** sgp\_: i have seen this thing, but i have not yet read that thing +**\** i need to learn about aurora and this thing +**\** Basically Zerocash applied to computations, no? +**\** trusted setup +**\** Just call them "trusted computations" :p +**\** lol +**\** still quite expensive, <2 minutes generation time +**\** the setup is buried deep w/in the paper +**\** gmaxwell noted it in p15 +**\** pls ignore the men behind the curtain +**\** Sounds like a typical trusted setup response +**\** trusted setup reminds me of the phrase "military grade encryption" +**\ \** lol, shady indeed +**\** Nah +**\** People brag about military encryption +**\** no no +**\** They hide the setup deep within a definition +**\** the phrase military grade encryption is usually a tongue-in-cheek reference to a plaintext message +**\** =p +**\** lol +**\** rot26 +**\** smeaphore at least +**\** are we military grade? or moar better? +**\** semaphore, or morse +**\** sarang that reminds me +**\** ? +**\** We used a Caesar's Cypher, totally secure. Roman military-grade +**\** i really really want to create a cryptocurrency like monero but replacing the bernstein group with an absurdly small group, like order 7000-ish or something, and with a tiny-output hash function +**\** just let people go wild in forging signatures +**\** just see what happens +**\** "when forgecoin moon?" +**\** etc +**\** I'd like to see a version that uses a curve group with cofactor 1 +**\** ring size 2 +**\** anyway +**\** yeah +**\** that can be the next generation of useless ethereum token +**\** so, that's my life for this week: ruffct with sarang and the churn paper, and fantasizing about rubiks-cubes-sized groups as a joke cryptocurrency +**\** ohhhh man implementing a rubiks cube on top of ethereum would be \*such a waste of resources you guys\* +**\** Yup, I'll be finishing up unit tests on optimized ruffct to get a better idea of batching +**\** proving you are making each permutation omg +**\** put it on the ledger forever man +**\** There was a neat paper I linked earlier about some optimized curve operations +**\** they found some better EC formulas in certain special cases +**\** Ethereum Plays Rubik's Cube +**\** hm... rubkis cube solvers are pretty fast these days. would be funny to advertise a rubiks cube-based key system +**\** oh yes, i am eager to read that. it seems to be strictly related to optimizations obtained from utilizing analytic formula/expressions for multiexp +**\** for example, if you have point P = (x, y) and point Q = (z, w) on the ed25519 curve, we define P+Q using the equations of the elliptic curve, the twisted edwards polynomial equations +**\** They discuss some neat work on better addition chains +**\** so if you want something like 3P + 4Q very often, you can expand that polynomial expression and exploit the structure within those analytic expressions to speed up the computations +**\** Goes to show that this is not a totally solved area of research +**\** I don't see it being terribly useful here, mind you +**\** Anyone else with something fun to share about recent work, questions, ideas? +**\** Here's a link to my quick port of ruffct to my python library: https://github.com/SarangNoether/research-lab/tree/pyruff +**\** It's more or less a direct port of the java stuff that will be refactored as needed +**\** prototyping only; don't use it anywhere that counts +**\** oh, I wanted to point out: Vtnerd is asking for a very reasonable amount of USD/hour to construct a tor-based RPC tool for monero (or something like that), and his FFS is under "ideas" right now +**\** i wanted to express my support for that proposal +**\** Tell me more about this in relation to kovri +**\** ELI5 +**\** Would RuffCT be pretty drop in as well? Or would it take large amounts of work to get it in? +**\** It'd be some work to safely transition old outputs +**\** that's part of the prototyping process +**\** afaict this is going to be a parallel thing, independent of kovri +**\** but also since it's not inventing new protocols, it should proceed with easier-to-anticipate milestones +**\** some folks are of the opinion that multiple tools are beneficial; when it comes to tor, i2p, kovri... i tend to think the most beneficial tools will eventually see the most use +**\** rehrar: actual practical ruffct is still a bit pie-in-the-sky; but that's part of our job +**\** it has implications on things like address size, for example +**\** but we're learning what we can from it +**\** Only point I need to make is that if we want to get anywhere with blackball research, someone needs to update the pool tool and sneurlax is busy +**\** regarding Tor, I think it would be beneficial to Monero to have the option to run over Tor +**\** MRL: Putting The Skunk In Skunkworks +**\** sgp\_: link to current work? +**\** rehrar: ruffct as-is requires an additional user key, which would bring us to either 3 group elements as your public key, or 4, depending on how you interpret the ruffct paper, and so we may end up doubling our key length (which doubles verification time from loading keys!) +**\** sgp\_: any ideas? or does anyone want to help sgp\_ out with the pool tool? +**\** suraeNoether: you can change the constants in the curve equation and get a tiny group with basically no other changes in the code, there are tests in libsecp256k1 that work that way. +**\** https://github.com/sneurlax/xmreuse +**\** gmaxwell: delightful :) +**\ \** yeah, having a public node over tor would be nice. even a hybrid of p2p over tor, rpc over i2p would be sweet +**\** gmaxwell: you are referring to a cofactor-1 curve? +**\** oh nvm, you mean group size +**\** we have moneroworld nodes on tor +**\** Of course it's possible to run Monero over Tor with some finagling. But how cool would it be to run over tor with a command or button press? +**\** Qubes-Whonix is a good way right now btw +**\** perhaps we first get the moneroworld nodes upgraded at all... +**\** okay, for me, final thoughts... please make comments on the Denver Monero Konferenco FFS here, and we will move it up to Open Discussion: https://forum.getmonero.org/6/ideas/90909/surae-noether-first-denver-monero-konferenco-spring-2019 and for this conference, PLEASE please let me know if you know of someone who I absolutely MUST INVITE TO SPEAK. If you have a favorite speaker, let me know by emailing +**\** surae.noether@protonmail.com +**\** I'll be sending out first-round invitation emails in the next week or so +**\** or just email me because i'm lonely +**\** lol. I can cook up a talk +**\** by next spring we should have a much better idea of whether/how well randomJS will work +**\** If there isn't a talk on RandomJS there will be riots +**\** heck, I may start a Riot anyways +**\** lol +**\** it's a decent little app on the Matrix protocol +**\** #nerdjokes +**\** cool, we can have a session on hardware and proof of work and maybe invite some asic or fpga manufacturers +**\** ah a mini-track, yeah +**\ \** head-to-head debate hyc v. timolson? +**\** Other questions or research topics? +**\** though if we've done our work right, no asic/fpga guys will want to speak to us ever again +**\** heh +**\ \** was reading up on ML techniques, would LSTM/regression be helpful for blackball analysis? +**\** I don't think so +**\** Given our ring sizes and the actual risks involved, we understand it decently well +**\** Things like forks will always be more of an issue than random selection errors +**\** if that's what you mean oneiric +**\** Even a deterministic approach to identify spent rings reveals relatively few, and each of these has a negligible effect on other rings +**\ \** kind of, I meant applying the learning algo to new forks rather than tuning by hand. I might be misunderstanding blackballing though +**\** The risk from forks is spending on both forks, which reveals your spend +**\** on-chain risks involve things like pool outputs and set-theoretic analysis +**\** The goal of blackballing is to identify \_definitely\_ spent outs +**\** and that's a hard game to play that gives you progressively lesser benefits over time +**\** I suppose we can begin to wrap up the official meeting +**\ \** ok, thanks sarang +**\** Thoughts on anything that people would like to see investigated for this next week? +**\** oneiric: I think some people worry that their outputs can get "caught up" in a blackball list, but this isn't the case +**\** The methods we use only determine if it's provable that an output is already spent, which does not affect anyone's funds +**\** (the name 'blackball' is really kind of unfortunate.) +**\** gmaxwell: agreed +**\** I've been using the term "spent note" in my paper drafts +**\** I'd prefer something like that or "dead output" +**\** Spent Note List (SNL) would hae been much better. +**\** We could update it each week, in a Weekend Update +**\ \** Live from New York.. +**\** Well, sunday is a day of rest so one should do it on saturday, but perhaps as late as possible.. +**\** :P +**\** Well, thanks to everyone for participating in our meeting; we are now adjourned, and informal convos shall continue diff --git a/_posts/2018-10-22-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-22.md b/_posts/2018-10-22-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-22.md new file mode 100644 index 00000000..4f0ea500 --- /dev/null +++ b/_posts/2018-10-22-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-22.md @@ -0,0 +1,202 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-10-22 +summary: Surae work, Sarang work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / sarang +--- + +# Logs + +**\** OK, welcome to our meeting everyone +**\** GREETINGS +**\ \** hiyo +**\** There is much to discuss today, but I'll try to dwell on particular topics too long +**\** FIRST, congrats to everyone on the network upgrade +**\** oneiric btw i have a kovri thing to chat about but couldn't PM you +**\** BPs, bigger and better rings, and a host of other fixes are a benefit to our community +**\ \** yeah, lost access to clearnet irc temporarily +**\** Related to this, the final BP audit report is out: https://github.com/SarangNoether/research-lab/blob/master/audits/bulletproofs/Report-QuarksLab.pdf +**\** It was delayed to wait for a bugfix at the time of upgrade +**\ \** ^ halfway thru first read, great work by QuarksLabs +**\** Yeah, they did an outstanding job, catching things outside of BPs too (hence the delay) +**\** On to more things now... +**\** There was earlier discussion about making it clear to researchers how to contact us and such, to avoid low-quality repetitive research on old shit +**\** I propose an addition to the main project readme: http://paste.debian.net/hidden/6d3a8964/ +**\** Related to that, and to talks and papers given over the past year-ish relating to "OMG old ringz are bad and everyone is ded", I think a blag post is called for, summarizing all the work we've done to mitigate against ring attacks: http://paste.debian.net/hidden/6d3a8964/ +**\** Correction, this link is to the blag post: http://paste.debian.net/hidden/ea43fad6/ +**\** back +**\** Neither of these is live, but I'd like to post them soon. They take into account several good comments that were received last week about them +**\** If there are no comments over the next day or so, I'll PR them / send to the correct peeps to post +**\** Related to the upgrade, it was noted that our output selection has a bit of a bias, in that it selects blocks according to time, and then picks fakes equiprobably within them +**\** This is skewed a bit, since some blocks are full and other are empty +**\** regarding blackballing/dead txn outputs: there is a very efficient algorithm I'm interested in benchmarking to revisit the question of whether it's worth the lab or the core team maintaining a live deadout list +**\** I recommend that we introduce a windowing, where transactions in the chosen block \_and\_ a small number on either side are equiprobably chosen +**\** suraeNoether: I now agree with your earlier sentiments that this would be a waste of time +**\** especially given our ring increase +**\** why not use a rule like "pick block height h, go down to the first non-empty block of height h\* <= h and up to the first non-empty blcok of height h' >= h, and pick from the (inclusive) range [h\*, h']? +**\** eh, i suppose details are unimportant for the meeting. :P +**\** sarang i'll have some specific numbers to \*prove\* it's a waste of time, though. :P +**\** excellent +**\** But yeah, it's reasonably easy to mitigate against that bias, and we should +**\** cool +**\** I have a question about that blog post +**\** selsta: go +**\** s/blog/blag +**\** Is it a good idea to write that we know about an upcoming research paper? Maybe other researchers would stop disclosing research that is in progress to us. +**\** https://eprint.iacr.org/2018/990 < old? +**\** selsta: we've communicated with them about that paper, and they didn't ask for any particular confidentiality or anything. in the past, researchers have contacted us with a paper and asked for confidentiality until publication, and we've kept those promises +**\** netg i will read this carefully +**\** suraeNoether: okay :) +**\** ok, i have two things i want to chat about: firstly, the churn analysis, and second, the monero konferenco +**\** May I say one thing first? +**\** but i don't want to interrupt sarang's +**\** yep +**\** Then I believe I'm finished +**\** ty +**\** np didn't even finish typing +**\** I have two paper drafts, one on dual-key signatures and one on spent output sets, that are sitting in no-man's land right now. I'd like us to move those to the official MRL publication list +**\** i thought we already had for DLSAG +**\** We had not +**\** i'm fine with that, and we can reformat the thring signature paper and put them out at the same time with sequential numbers +**\** or... we should wait till we find out about a journal for thring +**\** Cool, we can arrange PRs later for this +**\** selsta: about your comment +**\** can you make both links available for the folks who are attending? +**\** I also didn't provide details on anything that hasn't already been discussed here publicly and known before those peeps contacted us +**\** I'll look up links to the compiled PDFs while suraeNoether discusses +**\** okay, coolio +**\** so, at our research meeting two weeks ago, i guess it was Oct 1 +**\** rehrar, sgp, sarang, and others asked for a formalization of the EAE + churn problem +**\** in the ensuing two weeks, I've come up with some... disappointing results. and some hopeful results. sort of contradictory +**\** not a literal contradiction, or i wouldn't be coming to the community about it +**\** so, essentially, i have \*nearly\* formalized a game i'm calling the linkability game, and a specific implementation of this game could be called the fungibility game +**\** this quantifies the complexity an adversary faces when trying to link monero transactions +**\** compare this to the naive anonymity set questions we began with... "if we churn 7 times with ring size 5, does that mean we have an effective anonymity set of 5^7? who knows!" +**\** well, now i have a formal, quantifiable way of assessing the time required for an adversary to find a plausible transaction history that is optimal with respect to some model chosen by the adversary: that is to say, if the adversary thinks they have come up with a new heuristic, I can answer the question "how long does it take to find the most plausible transaction history, according to this heuristic?" +**\** It sounds like the counter to the adversary's work is "how many other transaction histories are possible along with the true spends?" +**\** the answer to that question confirms previous results from linkability studies: it doesn't take long. Even in a world with \*lots and lots\* of plausible transaction histories, it is fairly quick to find the \*optimally plausible ones\* where plausible is defined by the adversary's model +**\** ^ good observation, sarang, they are related questions, but here's what's funny +**\** if an adversary wants to find an \_approximately\_ optimal transaction history among N keys with ring size R using some model, they can find it in O(R\*N) time +**\** if they want to find an \_exactly\_ optimal trnasaction history, they can do it in O(R\*N^1.5) time +**\** this is sort of bad news and sort of good news: this is says "it is never worse than O(R\*N^1.5) time to find these histories, and so the time required is proportional to ring size, and gets more annoying as the blockchain gets bigger" +**\** What are the takeaways for this group? +**\** oh gosh sorry, yeah +**\** sorry, getting lost in the weeds +**\** so, bad news: it's fast and efficient to find an optimally plausible solution. good news: the total number of solutions can be made \*really really massive\* +**\** even if someone can find the optimally plausible solution in a short period of time, \*all the other possible solutions\* are also plausible +**\** so, I asked myself "okay, how can we make it so that there are so many plausible transaction histories that it's unreasonable to decide on any one of them?" +**\ \** yes +**\** even if you have a great heuristic and you can find the optimally plausible one very quickly, you are vulnerable to \*not\* catching someone who uses your heuristics to greedily make their transactions as invisible as possible +**\** so, for example, there are at least a billion transaction histories that are \*plausible\* if you deposit 16 outputs with a ring size of 10 +**\** there are 10^81 plausible trnasaction histories if you deposit 52 outputs at ring size 100 +**\** So the question becomes "what number is acceptable"? +**\ \** how are 10, 81, 52, and 100 related? +**\** (not from a theory perspective, from a practical one) +**\** so: time complexity to find \*any\* solution is linearly related to ring size, and the total number of possible transaction histories can be computed precisely using this formula: (((R-1)^(R-1))/(R^(R-2)))^k where k = # of outputs deposited +**\** sgp\_[m]: merely related according to that formula +**\ \** thanks, gives me some context +**\** i picked 10 and 100 ring members respectively as examples that are one order of magnitude apart, and i picked a billion (10^9) and big (10^81) essentially just to look at the behavior, at a glance +**\** so, this actually demonstrates a few things +**\** firstly: someone who is making only a few deposits, say 3, with no churn whatsoever, at a ring size of 11 is like ... dealing with 76 or so possible transaction histories +**\** which is unnaceptable for someone whose safety depends on Monero +**\** this means people transacting with untrusted 3rd parties should be using at least one churn between transactions +**\** What do you call "transaction history" ? +**\** moneromooo: a plausible transaction history is a matching between key images and one-time output keys. there is only one "true" transaction history, which corresponds to "which key was used to compute this key image?" +**\** if some signatures are mutually incompatible, you end up not getting a matching +**\** Thanks. +**\** np +**\** (e.g. from the graph representation we talked about a while ago) +**\** yep +**\** I assume it also goes without saying that churns should follow spend timing patterns +**\** but this is a separate issue from the idea of transaction matchings +**\** yes +**\** so, the second thing this demonstrates is the power of plausible deniability, which really only matters for a court-of-law sort of situation as opposed to a more nefarious type who is trying to literally hunt or track down people using the monero blockchain +**\** another thing: this same approach can be used to link commitments and nullifiers in zcash; the goodness of your linking is dependent upon your heuristics (like timing as people leave and enter the shielded pool, or like amount-matching with the transparent-pool trnasactions) just like in monero. the primary difference is that the total number of edges to match is much much higher in zcash, at least whenever +**\** the shielded pool is big enough +**\** so it takes a lot longer, and there is less information to base heuristics on +**\** In the interest of time, what are our next steps? +**\** These are excellent results +**\** i think a priority of MRL should be to seek out replacements for ring signatures +**\** of course +**\** i think writing a paper on the topic will 1) do Monero a world of good in the long run but 2) will be FUDbait in the short run +**\** sort of like my MRL-0001 paper +**\** Our users want to know what churn should look like +**\** And before we replace ring sigs, understanding the benefits to increasing ring size is also important +**\** well, that's a good question: my results suggest that churning is helpful, but far less important than \*diluting your deposits.\* let me give you an example +**\** yeah, I agree churning and ringsize should be the high priority since we have them right now +**\** IMO we should write up the relevant portions of these results and give some insights into churn behavior and how ring size affects it +**\** and then best practices can be built from that +**\** formalization and generalization to other projects could come after +**\** sarang please yes :) it's the material the community can best understand +**\** if you are depositing more than 155 outputs at our current ring size, the adversary has more possible transaciotn histories than the number of fundamental particles in the universe. +**\** sure +**\** and that has no information about churn in it whatsoever +**\** ok +**\** but we can re-interpret it: instead of 155 outputs, say we have 1 output we churn 154 times. same answer +**\** what security level should we strive for? +**\** i have no clue, especially since this is a heuristic approach; if we shoot for 10^120, i'm pretty sure we'll be good to go +**\** I'm not sure 2^256 is necessary for these kinds of plausible deniability +**\** For rings we only have 11 options =p +**\** let's say we want to obscure 6 outputs by churning 6 times each. that's 216 keys in total. at ring size 10, there are 10^127 transaction histories +**\** oh no that's 36 keys. :P +**\** let's say 14 keys 14 times. that gives us 10^114 transaction histories +**\** Cool, let's get a table like this into a tech note, along with the relevant results +**\** i don't have a good way of saying "here, churn 7 times at ring size 11" +**\** ok cool +**\** and it'll be a great contribution +**\** excellent work suraeNoether on this +**\** I still hate churning though. +**\** moneromooo same same +**\** due to bloat? +**\** which it certainly does +**\** Yes. It encourages people to shit on everyone's else resources. +**\** suraeNoether and I had discussed that earlier too, that we need to provide answers about reasonable threat models that minimize bloat +**\** and obv different user types have different requirements for their privacy/safety +**\** long story short: don't use KYC/AML exchanges, and if you do, make sure you churn at least once before your deposits... and more often if you plan on making many deposits that you suspect are "marked..." and dilute your deposits with other outputs as much as possible. +**\** it's the "as much as possible" and "at least" that this note should attempt to quantify +**\** yes, thanks +**\** cool +**\** except i don't think it's directly quantifiable :( if we say "a cryptographic number of plausible transaction histories, so 10^88 or bigger, or so", this is essentially arbitrarily chosen +**\** but we'll chat more about it later +**\** Well, whatever we do (or don't do) eventually needs to be distilled to best practices +**\** or users will just do whatever they think is helpful +**\** and that might just lead to bloat with no benefit +**\** Anyway, let's move on for now +**\** Any other quick news suraeNoether ? +**\** (10 min officially remain) +**\** the second thing i wanted to talk to everyone about is the monero konferenco. in order to move forward in the funding process, please leave ANY COMMENT, positive, negative, or neutral, in this thread: https://forum.getmonero.org/6/ideas/90909/surae-noether-first-denver-monero-konferenco-spring-2019 +**\** Please keep in mind that things like booking the event or inviting speakers... these are unlikely to happen before funding begins, and the longer we wait, the less likely it is we can get all the things we want to get +**\** ^ +**\** There's been informal speaking interest from some top-quality folks +**\** yes, several +**\** (won't put names out there yet) +**\** also, I conferred with fluffypony re: timing for next year +**\** due to the lateness of the year, the coincidence with consensus, etc, we decided on the weekend of June 22nd +**\** unless booking goes weird, in which case we will shoot for June 15th as a back-up date +**\** sweet +**\** I know i was mentioning April 27 last week, but that's 1) too close to consensus and graduation, and 2) pushing it back earlier seems unwise. +**\** To wrap up, I have some action-item links to list here +**\** excellente +**\** The dual-key signature paper, which will be pushed to main MRL page unless there are comments: https://v2.overleaf.com/read/vcyxgpntfsgz +**\** The spent-output paper, same deal: https://v2.overleaf.com/read/xtbwpvqvtqmm +**\** The proposed addition to the readme, that discusses research contacts: http://paste.debian.net/hidden/6d3a8964/ +**\** The proposed blag post responding to ring attacks: http://paste.debian.net/hidden/ea43fad6/ +**\ \** Oh shoot! None of my comments have relayed. +**\ \** I have been talking this whole time. +**\** Action will be taken on all those links if I hear no comments or suggestions +**\ \** And thought everyone has been ignoring me cuz they hate me. +**\** And of course, suraeNoether's FFS on the conference would like comments: https://forum.getmonero.org/6/ideas/90909/surae-noether-first-denver-monero-konferenco-spring-2019 +**\ \** I have many many comments on Brandon's work. +**\** rehrar[m]: hullo +**\** We can chat about all of this once we adjourn! +**\ \** Ok. +**\** Any other last-minute wrap-up? +**\** i'm very eager to see what rehrar[m] had to say +**\** :P +**\** Yes! OK, lets adjourn and continue discussion +**\** Thanks to all +**\** hullo rehrar[m] ! +**\** sarang title "Sets of spent notes" is ambiguous wording +**\ \** same, thanks for the meeting +**\** maybe +Notes on "Sets of spent"+ diff --git a/_posts/2018-10-29-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-29.md b/_posts/2018-10-29-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-29.md new file mode 100644 index 00000000..b783f306 --- /dev/null +++ b/_posts/2018-10-29-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-10-29.md @@ -0,0 +1,172 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-10-29 +summary: Surae work, Sarang work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / sarang +--- + +# Logs + +**\** Greetings to everyone, and welcome to our meeting, which will likely go pretty quickly +**\** Pipe in if you're here! +**\** To start with, let's review happenings over the last week or so +**\** suraeNoether: care to begin? +**\** pipe +**\** | +**\** Gosh sure +**\** I'm tuning in +**\** This past week, I've been working on my graph-theoretic security paper +**\** calling it a security paper now because i'm pretty sure that my main contribution is formalizing a couple of security games, using graph theory +**\** I like the idea of using known graph theory to establish bounds on identifying possible spend histories +**\** absolutely. what else is it besides a graph problem +**\** those bounds, coupled with a goal for an "acceptable" number of alternate histories, is a neat approach to practical fungibility +**\** for sure +**\** other than that, I've been chatting with folks about preparing for Monero Konferenco, and having meetings on my non-profit MAGIC (PM me if interested). i also spent some time last week working on a constant sized ring signature scheme, and i'm like, 50/50 on whether or not i found a problem with it. :P +**\** To what extent can we extract churn practices from this? +**\** I consider that to be an important open question +**\** Hello. +**\** it's the first step in a long process; all i've confirmed using this message is that at least one churn for paranoid users is probably wise. i'm honestly not sure if there \*is\* a good answer to that question, sarang, and i'm not sure if htere's a good way to formalize \*the lack of an answer\* +**\** hello msvb-lab +**\** what's the goal? EABE attack establishes that 1 churn minimum is always required +**\** s/message/method +**\** I would like us to be able to give semi-quantifiable results to avoid unnecessary churn +**\** and churn that might harm fungibility if done badly +**\** (and would also bloat the chain) +**\** hyc well, first and primary goal is to have a document to point at when folks start talking about ring intersection attacks in the future. secondary goal is to lay the groundwork for future security work. third goal is to have a nice publication come out of MRL, imo +**\** ^ great +**\** It'll be a nice extended complement to our previous tech note on spends +**\** btw, I have done a bad churn recently. did a sweep with multiple outputs, then received another exchange withdrawal. +**\** if we can get some quantifiable results on churn or ring size, that's great, but my hidden secret opinion is that: any choice we make in that regard is more or less arbitrary and informed by magic numbers being selected for convenience, not necessarily real security, and this is a fundamental problem with ring signatures +**\** then did another sweep. +**\** but the multiple outputs from the previous sweep are all obviously from the same block... +**\** Right, and having something to back up that negative answer will be just as useful +**\** So yeah, I look forward to the continuation of this work +**\** I'll be reading over the current stuff today or tomorrow suraeNoether +**\** it's ... research. jerks and starts, i don't know everything yet or hte paper would already be written :D +**\** Questions on this? Going once... +**\** Sorry to divert the conversation but quick question: Are ring signatures not constant sized now? What difference would this make? +**\** They are not constant +**\** They grow linearly with the # of inputs/fakes +**\** All existing constant methods suffer huge drawbacks, usually in terms of trust +**\** Going twice... +**\** OK, suraeNoether, another topic of your interest? +**\** lurkinandlearnin: ring sigs are linearly sized now, we are looking at a logarithmic scheme. the smaller our signatures are, making some qualifying assumptions about verificaiton times, the lower the cost for a node to join our network +**\** uhm i'm just going ot pass it onto sarang for now and if anyone wants to chat about other topics later today, i'll be here all day +**\** OK! +**\** We've been examining output selection since our recent switch to a gamma distribution +**\** Thanks for the answers. I'll be sure to read up on this. +**\** Previously, there was a heuristic about assuming the newest ring member was the spender (but it can't be proven) +**\** So we moved to a distribution that mirrors expected spend patterns +**\** However, we choose blocks and then txns within those blocks, and the appearance of more empty blocks due to Bulletproofs, and in general the distribution of txns per block, means the selection has bias +**\** You can read about this on reddit, or on the many high-quality outlets that report on reddit posts +**\** Long term, we need a better strategy for handling coinbase outputs +**\** Short term, we're tweaking the algorithm to select from a small group of blocks to mitigate against this +**\** "on the many high-quality outlets that report on reddit posts" <--- lulz +**\** I predict it will cut the number of coinbase per ring in half from what we see now +**\** This is part of the 0.4 release +**\** and is not consensus +**\** i think there's a strong argument to be made that coinbase-only is used in coinbase transactions, but i'm concerned about provably spent sets amongst coinbase transactions becoming an issue +**\** It's subtle +**\** and public pools that broadcast mined outputs and payout txns make it trickier +**\** There is not a silver bullet to this +**\** But we have a mitigating fix in the wings, and are certainly open to more data that can help inform the decision of how best to handle this +**\** Is just not selecting from empty blocks not an option? +**\** It would be great if pools didn't broadcast payouts like this, and if we also had data on hand for coinbase spend patterns +**\** lurkinandlearnin: then you could never spend coinbase +**\** they'd be instantly identified +**\** aha +**\** So while what we have now is not the final answer to this, our current selection algo is arguably a big improvement over previous iterations +**\** and is getting better +**\** Having bigger rings is also a built-in mitigation +**\** Now you are all equipped to handle the flood of posts we'll be getting on this +**\** The work Justin did on showing that blackballing is no longer necessary thanks to bigger rings was very cool +**\** you mean "spent output analysis" =p +**\** blackballing sounds dangerous and non-deterministic, which it isn't +**\** the MRL-0007 tech note has a nice table about this +**\** I had no idea where the term came from haha +**\** motto: modern transactions are fine +**\** counterpoint: but about all those papers that were published +**\** response: modern transactions are fine +**\** They keep quoting the same old papers +**\** Moving on from this, work continues on the StringCT optimizations from our Bulletproofs plumbing +**\** Ooh wait one last question on that +**\** Speaking of "modern transactions are fine" does anybody know about code for generating Plot 5 in Malte Möser? +**\** sure +**\** https://usercontent.irccloud-cdn.com/file/EH9Lwt8u/Screen%20Shot%202018-10-29%20at%2010.11.42.png +**\** It seems like the best antiFUD would be extending this plot to present time +**\** They didn't release their code (unfortunately far too common) AFAIK +**\** You could get it from a modification to the spent-output tool +**\** but the MRL-0007 table basically covers it +**\** Cool, it'd be nice anti-FUD to use an extended Moser paper to keep people from stressing about Moser :- ) +**\** Using single-chain analysis, there are exactly 5 post-ct outputs that are known spent using our methods +**\** and those were from a research paper that generated them on purpose for testing +**\** Awesome, is MRL-007 in the repo? I'll check it out and let meeting conversation move along 👍 +**\** It's on my repo, will PR it to the main site once I make a gitlab account and set that up +**\** https://github.com/SarangNoether/research-lab/tree/master/publications/bulletins/MRL-0007-spent +**\** So yeah, StringCT optimizations show promise and we'll continue looking into them as we get more data on optimal ring sizes +**\** Its signature scheme is being updated at suraeNoether's suggestion to harden against key cancellation +**\** No definite plans on changing CT schemes yet, mind you, just preliminary stuff in the wings +**\** Diversion #2: I'd be interested to know what you guys think about the traceability arising from visible fees. And if it is a threat, what is the best way to mitigate it? +**\** Any questions on RingCT schemes, output selection, or spent-output analysis? +**\** y +**\** lurkinandlearnin: restricting fee amounts +**\** it's been suggested +**\** as it could be a fingerprinting method in theory +**\** sarang: "Using single-chain analysis, there are exactly 5 post-ct outputs that are known spent using our methods" <-- there exists a better method, but we have not deemed it important enough to code up rigorously enough to catch any larger sets, fwiw +**\** yes +**\** lurkinandlearnin: visible fees are technically a concern, technically +**\** statistically it's very unlikely to get set union problems with our large rings +**\** we have these dynamic fees, and so if you sign a transaction well before it's broadcast, the fee computed will be linkable back to the height when it was signed +**\** notmike: you had a question also? +**\** The fee is based on weight and the time at which it is made. Harly much of a fingerprinting thing. +**\** Admittedly, there's also the size of the txpool at the time though. +**\** this gives a route for linkability to identify cold signers +**\** (one bit) +**\** moneromooo: yeah, not necessarily very useful, but still one of those things that isn't mandated +**\** I'm not particularly concerned about it +**\** And both weight and time of tx are already essentially public. +**\** but overall encrypting fees has a whole bunch of engineering headaches associated with it that are not worth the security risk that the unencrypted fees represent, imo +**\** basically the worst thing that can happen is someone identifies that a transaction was signed on an airgapped computer and a significant delay in broadcasting occurred +**\** suraeNoether: there's encrypting fees, and then there's mandating set options +**\** i shouldn't say worst, because there's always something worse +**\** yeah, i personally would prefer 3 fee values, low medium and high +**\** but transparent +**\** or just low and high +**\** Yes set transparent values seems sensible +**\** With the gamma selection, you can already tell, because there's a fairly hard right wall. +**\** "this gives a route for linkability to identify cold signers" < decoy ages does this +**\** Oh, yea, exactly @moneromooo +**\** Agree with @suraeNoether - fixed & plaintext +**\** So the risks of transaparent fees are strictly timing/delay based and not related to what service/wallet was used to make a transaction? +**\** Well a wallet can choose whatever it wants +**\** if Sarangwallet always chooses a bonkers fee value... +**\** I.e are all big services using the same method of dynamic fees? +**\** I don't think it's selectable now unless you do some surgery on the wallet. +**\** Not 100% sure though. Do check if you want to know for sure. +**\** right, anyone can always tweak their own copy of wallet code and do whatever +**\** I think the lowest-hanging privacy detriments will be wallet software and exchanges that use fixed or non-standard fee calculations +**\** But for example if a service were compromised and was forced to use some unique fee structure, this would be a subtle way of making users traceable? +**\** @lurkinandlearnin Yes. Compromized or just lazy +**\** Hah, in addition to KYC we should start talking about MYC (mark your customer) +**\** Making it consensus could mitigate +**\** as has been discussed before +**\** To ensure time is respected, were there questions or comments on other topics discussed so far? We can certainly fee talk afterward +**\** IsthmusCrypto: actually... yeah +**\** I'll hold other fee thoughts until after the meeting +**\** I will be stepping out in about 5 minutes for an unrelated meeting +**\** but that's all I have to discuss personally +**\** Output selection also is not consensus of course, right? +**\** correct +**\** does anyone have any topics they want us to chat about today? +**\** Maybe another potential for the newly invented MYC threat haha +**\** You can't enforce it in any good way +**\** Yes it seems clear that would be much harder than doing it for fees +**\** But if you don't trust whomever is doing your transactions with your keys, you're hosed in many ways +**\** it's all about the threat model +**\** It (if a service were compromised and was forced to use some unique fee structure) would be stupid, as you don't get more info than getting a view of the service's output txes. +**\** Unless someone can show something more :) +**\** I must unfortunately take off for an hour now +**\** ok, let's call this meeting good +**\** good job, sarang +**\** but we can just continue talking at our leisure. :P diff --git a/_posts/2018-11-05-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-11-05.md b/_posts/2018-11-05-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-11-05.md new file mode 100644 index 00000000..1295bc36 --- /dev/null +++ b/_posts/2018-11-05-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-11-05.md @@ -0,0 +1,126 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-11-05 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / sarang +--- + +# Logs + +**\** Right right, let's begin our meeting now +**\** First, GREETINGS to/from all +**\** hello +**\** hello +**\** ping binaryFate dEBRUYNE endogenic hyc IsthmusCrypto gmaxwell gingeropolous moneromooo parasew[m] rehrar rrol[m] stoffu smooth UkoeHB etc +**\** small crowd today +**\** hi +**\** Even so, RESEARCH UPDATE time +**\** I've done some rearranging with the Lab's public-facing presentation +**\** We'll be routing the old lab.getmonero.org to the new getmonero.org MRL landing page +**\** nice +**\** I'm here +**\** This allows for translations of things like abstracts, and lets us PR new papers +**\** Once this gets merged over on monero-site (hint hint nudge nudge), the three newest MRL publications will appear there +**\** English translations only for those papers' abstracts, for the moment +**\** Anyway, PR is open there: https://repo.getmonero.org/monero-project/monero-site/merge\_requests/950 +**\** Some format changes too; review if you like +**\** I've tossed a basic noninteractive musig implementation over to the sublinear prototyping code for testing purposes +**\** The usual lit review +**\** And a lot of investigations on output selection since the upgrade +**\** Any questions/comments on these items? +**\** do you think it would be useful to have another bulletproof-type video talking about the recent selection changes and possible options going forward? It could be much shorter, perhaps 20-30 minutes +**\** I don't consider there to be consensus on the best way to iterate on that +**\** so it's not clear what user benefit there would be, except "it's better than before, and we're working on it" +**\** :/ +**\** it could be useful just to get the info out there. depends on user feedback I suppose +**\** most people probably don't care +**\** We certainly could, but I also don't want to cause unnecessary FUD +**\** My standard line has become "output selection is one layer we use to keep transactions safe; it's been iterated many times over the project's history, and continues to be" +**\** all right, we can move on then +**\** as with many heuristics, a suboptimal selection algorithm is not a spend proof +**\** ring signatures continue to do exactly what it says on the box +**\** I'm running a workshop in Chicago later this week, offering hands-on coding with some basic crypto constructions in Python, practicing RPC calls and explorer APIs, and maybe writing some C++ unit tests +**\** I'm really interested to hear how these technical workshops go +**\** very nice, sarang. +**\** Folks will get a chance to implement Schnorr sigs and some commitment code +**\** Otherwise, I continue to move forward on ring sig code/tests, some graph analysis that moves our spent-output work forward to examine complexity, etc +**\** Does anyone else have topics of interest to discuss or ask about? Or doing some work that's of interest to the group? +**\** hey everyone, sorry for my delay +**\** np +**\** I just finished my brief updates +**\** This is a good place to jump in +**\** well, this weekend I spent time on matching and churn and benchmarking the known traceability attacks on monero, and how to translate similar attacks on zcash into this framework +**\** worked on the paper for that a bit +**\** chatted with rehrar on the phone regarding the monero konferenco +**\** i'm starting to reach out to speakers for formal invitations +**\** aaaand yeah, slow weekend, i've been ill :( +**\** i'll hopefully be pushing a bipartite graph-theoretic benchmarking tool some time this week +**\** hopefully first draft of this benchmark paper will be available by end of november +**\** This graph matching work is quite excellent +**\** It links the complexity of determining possible spends with computational problems in graph theory +**\** yeah, we're getting very good information on the raw computational effort and time an adversary would have to spend to "unravel" monero +**\** Can you elaborate on the tool? +**\** sur +**\** sure\* +**\** the tool is essentially going to compute maximal matchings on randomly generated graphs of specified properties (like number of nodes, connectivity, etc) with the intent of estimating, ballpark, the constants associated with big-oh timing +**\** for those of you unfamiliar: https://en.wikipedia.org/wiki/Big\_O\_notation +**\** Which algorithm(s) in particular? +**\** https://en.wikipedia.org/wiki/Hopcroft%E2%80%93Karp\_algorithm +**\** great +**\** so, essentially, finding an optimal matching under some null model is the same as finding a maximal matching of a related graph, which is the same as finding augmenting paths for existing matching, and all that boils down to... +**\** breadth-first searches +**\** you guys are the bees knees +**\** so the idea is this +**\** Oh, a quick housekeeping note (lest I forget) that suraeNoether and I have an open funding request for an upcoming Stanford academic conference... and there are other open requests in need of support too: https://forum.getmonero.org/8/funding-required +**\** if we can estimate a ballpark constant k such that it takes, worst-case, k\*r\*n^1.5 units of time to find a maximal matching on an r-regular bipartite graph with 2n nodes in it, using a dumb computer with a dumb algorithm that isn't parallelized, we can begin estimating what a large-scale perfect matching disclosure attack would do to Monero. (see here: +**\** https://link.springer.com/chapter/10.1007/978-3-540-70630-4\_2 ) +**\** this literally quantifies the urgency with which we need to replace ring signatures +**\** i have some expectations of the results, but we'll see how it all unrolls +**\** \*and for those who are interested\* that paper above is not one-to-one directly correlatable with Monero. comparing the results from that paper to our system is inappropriate for a handful of reasons +**\** if anything, that paper seems more related to "what would happen if we did a fluffypony styled 30-day timed zcash sidechain?" +**\** but it's a great first approach +**\** yeah, and i'm eager to apply the results therein with the zcash turnstile +**\** what's the zcash turnstile? I haven't been following recently with the CLI and GUI releases +**\** You can't go sprout to sapling +**\** you have to sent to transparent, and then to sapling +**\** yep: sprout -> transparent -> sapling +**\** They plan to release a tool to help users not fuck it up, but I hear it won't be out for a couple months +**\** IMO it's a terrible idea to do it this way +**\** They call it "turnstile" to make it seem like Fancy Moon Math +**\** nah, they called it that for auditing reasons +**\** Oh, I know why they want it +**\** they want to demonstrate exactly as many zcash exist as intended +**\** but it's a terrible idea and the name softens it +**\** security be damned, i guess. :P +**\** Not offering users help in doing it safely is dumb as rocks +**\** auditing reasons is an admission you don't trust your math/implementation +**\** it's an implicit admission that they could be inflated... +**\** I did hear that they're backing off the "eventually make sprout unspendable" bandwagon +**\** so that's good +**\** (that was also dumb as rocks IMO) +**\** agreed +**\** anyway +**\** I offered to help them mitigate turnstile privacy loss. We'll see how good we can get, but it will be a bloodbath no matter what, especially since many people have already transitioned +**\** thats a pretty big albatross though... an extra gigabyte of key data wallets need ot have to support it? +**\** They should have released the tool and clear instructions to use it +**\** gmaxwell: I consider deprecation of spend ability to be a huge violation of the "social contract" of the asset +**\** sarang i'm not sure if they've backed off of that. saw zooko brag about backwards incompatibility on twitter. :P +**\** Ugh, I had read that they were \_not\_ looking toward deprecation. Boo +**\** ring signatures for turnstile would help and keep auditing possible :P +**\** anyway, this is off-topic for the research meeting BUT point of the matter is that a modified version of the matching game applies to zcash and it's made more interesting by adding the existence of a second shielded pool +**\** binaryFate: +1 +**\** i would invest in zcash and put it all into the sapling shielded pool, but i wouldn't be able to be confident they'll deprecate \*that\* shielded pool and force me through a transparent pool again in the future +**\** they can promise that they are abandoning their transparent pool all they like +**\** i'll believe it when i see it +**\** sure +**\** seriously off topic +**\** But good to keep in mind our goals relative to what's happening in this space +**\** noooo +**\** -lounge +**\** Anyone else with Fun Things to share? +**\** #monero-too-many-rooms-discussion +**\** stahp +**\** i tried to get #monero-recipes off the ground, but noooo +**\** ok, i guess unless folks have more to talk about +**\** we can call this a /meeting diff --git a/_posts/2018-11-12-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-11-12.md b/_posts/2018-11-12-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-11-12.md new file mode 100644 index 00000000..851dcb92 --- /dev/null +++ b/_posts/2018-11-12-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-11-12.md @@ -0,0 +1,220 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-11-12 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** howdy everyone! +**\** meow +**\** :D +**\** hiyo +**\** Sup! +**\** hiyo +**\** .....to quote sarang +**\** so, let's flip the usual order of the meeting to allow for questions at the beginning +**\** i like that +**\** in fact, i'm going to call THAT the new "usual order" +**\** so, the agenda today is 1) questions, 2) sarang's research this week and last, 3) mine, and 4) any other project discussion that's remotely relevant to research +**\** roger +**\** so, someone give me and sarang your top two questions :D +**\** any updates on Konferemco preparations? +**\** I should have a logo and branding guidelines today +**\** in regards to MRL, where are we in the churn and privacy formalizations? +**\** although I assume this will be talked about with your report of the week suraeNoether +**\** that is precisely the case +**\** i'm in the midst of getting hard numbers for a timing for a practical attack +**\** sarang and i have discovered an anonymity metric that could give us a guideline for "how rapidly we need to chagne our ring size with respect to blockchain size to maintain our current levels of anonymity." +**\** this is a very useful metric, but it's dangerous to misinterpret it +**\** Let us shift that to the later agendum +**\** so we're avoiding making formal proclamations about it, but we are going to use it as a rough guideline for future ring size increases +**\** agreed +**\** nioc our conference organizer has been checking out a few alternative venues, and we have already identified some vendors for things like catering +**\** I have a question... how the hell do I build the dalek bulletproof rust implementation for timing testing??!?!?!?! +**\** I know jack shiz about rust +**\** that's an excellent question that occurred to me yesterday afternoon! +**\** they claim to be bonkers fast, even compared to libsecp256k1 (which seems nutso to me) +**\** they are claiming some mad speed gainz on top of your already mad speed gainz +**\** They don't have batch verification yet tho +**\** (it's on their issue list) +**\** jfc +**\** So I want to run timing tests myself to see +**\** if that's the case, then... man that implementation is bonker fast like what-what +**\** I don't think they're lying, but I'm also naturally skeptical +**\** I don't find it terribly relevant since we're already pretty fast +**\** i suspect that bulletproofs are going to benefit from 40 years of optimizations in linear algebra and ECC very very quickly +**\** and any changes specific to underlying curve architecture aren't useful for us ATM +**\** sarang: what if it's so fast it can reverse the blackchain continuum? +**\** somethign to look into +**\** Ah yes, the chain shrinks over time +**\** negachain +**\** the blackchain continuum hypothesis, by tom clancy +**\** or dan brown +**\** Anyway, it won't build for me, but I'll verify timings once I get it figured out +**\ \** Ah yes, the chain shrinks over time <-- it will give extra space to your computer when it goes negative +**\** However, they also have ideas for non-power-of-2 stuff, which was on the back burner for me +**\** if it proves useful for them in a way that translates to us, great +**\** nioc i believe we already have enough funding availalbe to put a deposit down on a location, and I would like to do that before the end of 2018. email invitations to speakers will be start being setn out this week +**\** nice +**\** Also our other conference FFS (Stanford) was funded recently, so many thanks on that front +**\** in general: thank you to all contributors who make Monero Research Lab a funded thing +**\** suraeNoether and I will learn next month if either of us will be speaking there +**\** anyway, other questions for us? +**\** ne +**\** In the absence of further questions, we can talk recent research +**\** This past week, I did two events in Chicago +**\** one was a hands-on Monero development workshop +**\** the other was a more general talk on privacy tech +**\** both videos are on YouTube, linked from the Monero Moon posting +**\** thanks to the Chicago Bitcoin and Open Blockchains group for hosting me +**\** Did you have a good time? think you'll do something like that again? +**\** Yeah, I think it was very valuable +**\** They had good turnout and excellent questions +**\** I really like the workshop idea especially +**\** Aside from that work, I did a good amount of lit review to support suraeNoether's work (discussed shortly) on graph matchings, which was an extension of some earlier analysis we did on spent output analysis +**\** what was the demographic of the crowd like? +**\** The workshop was smaller (due to scheduling shenanigans for some participants) but had folks interested in math/CS/development +**\** The talk had a good mix of technical folks and well-wishers +**\** It'd be cool to find a way to host an interactive online workshop +**\** what would that entail? +**\** Well, one set of tasks I had them do was use a simple Python ed25519 library to build some constructions +**\** like Pedersen commitments and Schnorr sigs +**\** lol, love the name OpenSorceress. That's funny. +**\** So being able to do video w/ slides for introductory work would be good +**\** as well as interactive stuff to help the participants write code +**\** Then we did some basic RPC stuff +**\** like remote pairing? +**\** OpenSorceress: some situation where the workshoppers could do in-browser code, perhaps, and then let me assist interactively if needed +**\** I don't know if there is such a thing already +**\** just spitballing here +**\** that is pretty awesome, sarang! i'm glad it's online. +**\** there is +**\** orly +**\** yeppers +**\** -> floobits pops to mind +**\** Cool, let's discuss after meeting +**\** :) ok +**\** I've also been working to integrate stealth addresses into the RTRSRingStringRuffCT optimizations +**\** and other minor tasks, etc +**\** allrighty +**\** How about you suraeNoether? The graph matching, perhaps +**\** well, i've been doing the churn and graph theoretic stuff +**\** as I mentioned earlier, sarang and I have stumbled upon a class of anonymity metrics for graphs such as ours, and this will give us a quantitative basis for maintaining at least our current levels of anonymity as the blockchain gets larger +**\** It's worth noting that this isn't even new analysis +**\** But a really clever interpretation of older stuff that suraeNoether came up with +**\** which is always great in math +**\** correct, in fact several of these were proposed right around the time Bitcoin was proposed, which amuses me +**\** 2007, 2008, 2009 +**\** so are you saying that as the blockchain gets larger, anonymity decreases? +**\** well, consider the following situation +**\** let's say something ridiculous like "tomororw Monero goes back to ring size 1" +**\** It's important to note that "anonymity" here means "anonymity according to a very specific metric formulation that may or may not correspond to a particular threat model" +**\** what happens? a bunch of blocks are added to the monero blockchain, all of which are totally linkable +**\** this is an edge case of the following idea: +**\** Even I could link them! +**\** heh +**\** if we take our present system and add a bunch of non-anonymous stuff, we aren't improving our anonymity +**\** in fact, we are decreasing our anonymity, by essentially diluting our nice big fat blockchain filled with fat ring sigs with non-anonymous data +**\** At their heart, these metrics use numbers of matchings to relate to some idea of anonymity +**\** a graph matching is a possible global spend history, of which there will be many +**\** Think of it as being a guess about true spends that's at least \_consistent\_, but of course not provable +**\** My current view of this type of analysis is that, being only a heuristic that could be combined with things like output age, it provides the same types of plausible deniability that ring sigs have always offered +**\** however +**\** what suraeNoether was saying about it being useful to examine proposed changes is a good idea +**\** So you can say "if we increase ring size to X given usage patterns Y, this metric implies that anonymity gets better" +**\** it's not possible to say things like "anonymity gets Z% better" though +**\** so, to answer your question rehrar: the Edman anonymity level is \*negatively\* related to overall graph size and \*positively\* related to ring size. so we can say "okay, if our blockchain was \*this\* big, how big of a ring size would we need to have similar EAL to today?" +**\** the fact of the matter is, though, it very slowly changes with respect to graph size at these levels +**\** got it +**\** to maintain an EAL similar ot what we have today, the blockchain could be 10x larger +**\** and we might need a ring size of like 15 at that point, or something like that, to make it equal exactly +**\** I have the same types of broad, non-mathematical questions about global anonymity that I do about rings in general +**\** If there are 2^64 possible spend histories, is that good enough for our threat models? What if there were only 2^4? I don't know +**\** sarang actually we can sort of answer that question quantitatively +**\** Well, for some threat models, "good enough" means "enough reasonable doubt to avoid someone getting in trouble for a spend history they weren't actually involved in" +**\** and that depends on how your legal system works +**\** What types were you considering? +**\** the question an attacker needs to answer is "out of all possible spend histories with a likelihood greater than some C of being the true spend history, what % of these is a specific edge traced?" for example, if in 95% of all plausible and likely histories, edge e sending monero from address X to address Y is included in the matching, we conclude that edge e is the true spender. +**\** we may be able to quantify our security on an individual level that way, and see how it is sensitive to game parameters +**\** anyway, 100% of my MRL attention is on this paper right now +**\** A lot of this (not just graph metrics) seems to be chasing after specific heuristics (some unknown) without a real fundamental idea of what guarantees we want to be able to offer +**\** Subtly moving from "not provable spending" to "not heuristically-guessable spending" seems like a generally good idea, but it's like swiss cheese +**\** all of my work so far is highlighting, essentially, the urgency with which we need to replace ring signatures +**\** true +**\** and the fundamental problem with using KYC exchanges +**\** Well, those aren't going anywhere +**\** and if anything, more people will move to them +**\** as opposed to DEXs? +**\** Do you know of any usable ones? +**\** I assume Bisq works +**\** bisq .. ? +**\** haven't used it +**\** question on replacing ring signatures...is there any sort of tech (eevn un battle tested) that exists at the moment? +**\** nor have I +**\** rehrar: no +**\** i hear bisq is good, but i haven't used it yet +**\** rehrar: yes and no +**\** not without sacrificing trust +**\** or speed/efficiency +**\** correct +**\** there are some trustless set-ups that are unreasonably slow +**\** if we could do cross-chain atomic swaps with BTC that would eliminate a huge chunk of exchange usecases +**\** or big +**\** IMO the goal of the graph matching analysis should be to at least get an order-of-magnitude estimate on Monero global spend histories +**\** hyc that is 100% correct, and we have all the theoretical framework for that except SPV at this point, but the recent nipopow paper and another recent paper may fix that too +**\** I'm not convinced this provides an adversary with remarkably more actionable data than existing heuristics +**\** how would you go about sussing that out? +**\** And while it should push us toward better non-ring-sig solutions, I also don't want to FUD our users in the same way that all the other Monero tracking papers have +**\** it should provide literally the same amount of data, just one is a global approach and one is a txn-by-txn approach +**\** OpenSorceress: run the analysis on at least a portion of the chain +**\** suraeNoether: implementing nipopow is a huge undertaking +**\** yes +**\** suraeNoether: what do you see as the goal of the analysis? +**\** provide actionable advice for the monero community on how to mitigate the worst known traceability chainalsysis attack. ultimately +**\** in terms of ring size specifically? +**\** given that the EAL is sensitive to it? +**\** not necessarily, although that is presently a facet of the analysis, yeah. +**\** i mean, at this point, I think that further increases in ring size without order-of-magnitude increases... i'm not convinced of their efficacy, but i can't say either way at this point +**\** What's the takeaway from all of this, for the folks in this meeting? +**\** research is ongoing into the matter +**\** progress is being made in terms of making actionable recommendations to the community +**\** but we aren't announcing them yet, until after more consideration +**\** i'm not sure what you mean +**\** good enough for me +**\** Do you view this a fundamentally new form of analysis that provides adversaries with a lot of new damaging information? +**\** (as opposed to, for example, the closed-set attack, which really gave marginal information) +**\** there is no practical way i can answer that question, sarang +**\** ok +**\** i'm telling you it's the worst-known traceability attack +**\** i'm estimating how bad it is +**\** that's my job right now +**\** ok +**\** Anything else of note to share from your side regarding recent stuff? +**\** not with respeect to MRL, no +**\** kk +**\** and i have an appointment i need to get to you guys, so.. peach out +**\** imagine whirled peas +**\** etc +**\** np +**\** love you guys \*smooches\* +**\** Anyone else wish to bring up something they've been working on? +**\** crickets! +**\** if you're bothered by blockchain sync speed, get your hands on Optane SSDs +**\** yeah? +**\** Optane SSDs? +**\** SSDs? +**\** Ds? +**\** ?? +**\** +**\** I store the chain in RAM +**\** yeah http://www.lmdb.tech/bench/optanessd +**\** LOL +**\** I build a new ASIC for each block that gets added +**\** Real Men store the blockchain in RAM :P +**\** Well, I'll officially adjourn today's meeting; thanks to all for attending +**\** Next week, same bat-time, same bat-channel +**\** ttyl +**\** bai diff --git a/_posts/2018-11-19-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-11-19.md b/_posts/2018-11-19-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-11-19.md new file mode 100644 index 00000000..8288083f --- /dev/null +++ b/_posts/2018-11-19-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-11-19.md @@ -0,0 +1,212 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-11-19 +summary: Surae work, Sarang work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** heyo +**\** hello +**\** Hi surae! +**\** good timing :D +**\** hi +**\** i decided to not look at screens this weekend, because i got like 5 migraines last week, and i made it from the hours of 8am saturday to 1pm saturday +**\** but i still felt like a totally new person :D +**\** anyone have any questions before we begin? +**\** Welcome suraeNewther +**\** nice +**\** \\nick suraEyeOfNewt +**\** damn +**\** s/\\\\/\\// +**\** Shall we begin? +**\** omg that should be on a t-shirt with MRL's logo +**\** yes +**\** how many rings can a ring signature ring if a ring signature can ring rings? +**\** let's begin +**\** that's actually the subtitle of nick van saberhagen's autobiography +**\** Who shall start with updates? +**\** Allright, we've gotten greetings out of the way. Sarang: how is that timing code going? still on iteration 18? +**\** Nope, 19 +**\** Sarang is currently running some timing experiments for me on matching bipartite graphs +**\** okay, for it to complete 20, i estimate it will be done in mid december, so i say we don't fall prey to the sunk cost fallacy +**\** i'm going to re-rig the code and run it over a smaller sample of the parameter space and get some results +**\** Want to give your update suraeNoether first? +**\** cool +**\** Getting some hard numbers with scaling information will be useful +**\** Sure: Right now my time is being spent describing this bipartite matching graph problem that traceability problems in monero boil down to +**\** very useful +**\** having a complete description in terms of graph theory is marvelous to have +**\** the idea is simple. if someone were to try to trace the monero blockchain, they would at least have to perform the following matching task. that sort of idea +**\** and we have known bounds on the complexity for that matching task +**\** Exactly, and now some code to get an idea of scaling +**\** at least order of magnitude +**\** this is all in the pursuit of a formal model of de-anonymizing a "mixing with an anonymity set" style anonymity system like that of Monero. +**\** i've begun writing how we can use this approach + zcash turnstile to place bounds on the difficulty of de-anonymizing zcash as well +**\** i should have a draft of the monero portion of this paper done by the end of November +**\** sexxy +**\** sarang has already seen it and (if i do say so myself) it's a pretty fun paper actually +**\** Very much so +**\** if it wasn't for the fact that's \*criticizing\* monero just like MRL-0001, i'd be very excited about writing it +**\** Have you informed Zcash of the possible applicability to their project, so they can draft a blog post about it? =p +**\** i'm confident that this will make monero better, however, by formalizing some of our concerns that were previously only qualitative +**\** sarang not formally, i may have brought it up with zooko in person before +**\** any way I can get a draft copy? +**\** We should be good neighbors and let them know +**\** sgp\_: it's all super early +**\** sgp\_: yes, i actually want your thoughts becauset his is relevant to pools and mining and i want your recommendations, too, sgp +**\** cool +**\** so, that's my MRL update. Sarang, what have you been up to? +**\** A few things +**\** First, housekeeping for monero-site updates to migrate our papers over, and add the new ones +**\** Second, more lit review on graph theory approaches to anonymity +**\** Third, reviewing some other papers relating to ring sigs and zk proving +**\** Fourth, fixing and writing up a cross-curve discrete log equality proving system +**\** there's also working toy code for that, using ed25519 and ed448 +**\** This allows you to use "discrete log preimages" across curves or groups arbitrarily +**\** provided the spaces are big enough (they are) +**\** Here's the writeup, for those curious: https://v2.overleaf.com/read/jcyscybzhzmy +**\** Note that I did not invent this, but this is the first correct writeup I've seen and I wanted one for completeness +**\** That's about it for me +**\** sarang has been on fire btw +**\** As in, running around with my hair on fire, sure! +**\** if you guys haven't noticed, he's implemented several toy implementations of various crypto schemes in the past two months alone +**\** you have hair? +**\** Not anymore, it burned off +**\** nice +**\** So going forward, this paper (and others) will be on getmonero.org +**\** A few newer papers are in the PR pipeline +**\** Questions on any of my stuff? +**\** the only other topics on my mind are only half research-related: 1) research: the post-thanksgiving Monero face-to-face being hosted by Tari bringing sarang and endogenic and i together in Nashville again... I heard a rumor someone else important was coming :D 2) not really research: the coin center privacy workshop in December I'm considering attending, 3) research: the Monero Konferenco, and... +**\** well, the last bit is related to my nonprofit whihc is a selfish thing to bring up so I'll leave that alone +**\** too l8 +**\** bring it up anyway +**\** heh +**\** okay +**\** so, for 1) as folks may know, Tari has paid the expenses required to get sarang, endogenic, and i face to face for a meeting before... and they are doing it again, and it is looking like it may become a quarterly thing +**\** I suspect funding may be stalled a bit while belts tighten :/ +**\** oh btw i drive in +**\** this is largely a research powwow over a few days, at the last meeting this whole bipartite matching thing was initially estimated and it kicked off my current research paper +**\** and i should say: it's not just Tari, it's also MyMonero +**\** one of these next ones i'm going to try to get surae to stay at my house ^\_^ +**\** We aren't burdening the community financially with these meetings, but we also want the community to learn of our financials in this way, to prevent accusations of opacity +**\** For 2) I really want to go to this thing on some levels, but i am concerned coin center is going to look to me as a voice of the Monero community. I'm not sure if they want me to come if I'm coming as a private individual not as an individual representing Monero +**\** Isthmus was already nice enough to offer a place to stay for me in SFO so the only financial cost would be a plane ticket +**\** it seemed to me like folks were lukewarm on the idea of me attending last time I brought it up +**\** trying to sense the temperature now that folks have had a week or two to sit on the idea +**\** In terms of funding, it seems to have more value for the space as a whole, rather than just for the Monero community +**\** I suspect you're right about the "voice of Monero" thing, but I don't know how bad of a thing that is +**\** yeah, and I would go on my own dime +**\** I remain disappointed that this is a "be in person or don't have a say" thing +**\** but that's neither here nor there +**\** for 3), the Monero Konferenco: we are sitting almost at 20% funded. https://forum.getmonero.org/8/funding-required/90909/surae-noether-first-denver-monero-konferenco-spring-2019 +**\** that's impressive +**\** i know, right? +**\** that'll be enough to put a deposit down on a location +**\** I assume you'll wait until funding is closer to guaranteed before deposits? +**\** to the extent possible, that is +**\** i'm concerned about waiting until it's totally funded for stuff like that, and I can't think of an easy quick solution. maybe rehrar has some thoughts +**\** suraeNoether: I see that there are no milestones in the FFS for payout +**\** nioc yeah, we should consider how to structure that asap +**\** because a milestone like putting a deposit down on a location requires the money before the milestone occurs +**\** I think nioc's point is good particularly because of the natural payouts that are needed for this +**\** yeah +**\** so perhaps we invert the milestones +**\** suraeNoether: what's the downside to waiting, besides the risk of losing venue? +**\** i could make a milestone post to request funding to complete a milestone +**\** I think that's fine +**\** sarang: volatility in price over the long term makes the actual funding receive much more variable +**\** There's no independent way for donors to verify the milestones happened anyway +**\** unless you posted receipts and such +**\** we'll be posting contracts signed with venues and receipts, etc, all of which are very easily faked, unfortunately +**\** Yeah, that's unavoidable +**\** I think people understand this +**\** curious parties could always call the literal venues themselves and check, I suppose +**\** Goal should be to maximize transparency and accountability within the limits of the unique circumstances +**\** so, how shall we go about doing this? Should I edit the funding request post to include all this information? I feel like that's changing the terms of the request after we received donations already, which isn't necessarily fair to the previous donors +**\** As long as you're doing the same things with the money, updating for more clear scheduling seems entirely reasonable +**\** sarang: I believe it's up to core not the community to verify receipts +**\** since they release the funds +**\** nioc: I only mean this in the sense that most funding requests have a tangible, publicly-verifiable work output +**\** maybe fluffypony luigi1111 binaryFate or ArticMine could weigh in on this. +**\** Whereas this is a bit different +**\** not that you couldn't make it public +**\** thanks for that observation, sarang +**\** okay, i'm going to edit the current funding request post to include a handful of milestones and a description of how we are going to invert the milestone process for this event +**\** I think a payout with a clear understanding of what happens with it (e.g. venue deposit) and some kind of immediate transparency for a modicum of verification (e.g. invoices and core team verifies somehow) makes sense +**\** Donors likely already implicitly assumed something along these lines +**\** The "work output" is a conference next year :) +**\** I would look for community agreement if there seemed to be anything "shady" +**\** Plus suraeNoether already has to have evidence of this for corporate tax purposes anyway +**\** cool cool +**\** one milestone can be a deposit on a venue, AV stuff, caterer and (if appropriate) a deal at a hotel so attendees can get a discount. another milestone can be purchase of flights and hotels for speakers. a final milestone can be for the remainder of the cost of the event to pay for things like media, publicity, printing pamphlets and posters, assembling shwag bags, etc +**\** thanks for the input luigi1111 i believe you are 100% correct +**\** we will be testing a few things at the 35C3 (Monero at the Chaos Communication Congress 27.-30.dec) which could be valuable for the conferenco: submission management, streaming, etc. will let everyone know when there is something to see! +**\** we mentioned having defcon-style badges from the hardware team, but i think we are going to hold off on those until the second year. this will keep our costs down and allow the HW team to focus on the wallet, etc +**\** ^ good idea, on both counts +**\** parasew[m]: regarding the 35c3 conference, if sarang sgp and myself all want to come (I do!) we need to make our post for travel funds this afternoon +**\** i'm holding off on renewing my passport until after it so i don't have to worry about not getting my passport back in time +**\** rehrar sarang and sgp\_ are you guys still interested in going to 35c3 +**\** ? +**\** suraeNoether: sure! yes! (my planning got heavily delayed but the stage and everything got confirmed yesterday) +**\** I was just checking my schedule yesterday, and it simply will not work for me due to family commitments +**\** (the timing of the event is awful) +**\** timing indeed is a problem +**\** it really is. flights are super expensive on the 26th and 25th in general +**\** I had hoped that I could work around the family stuff, but it's not possible +**\** Plus my brother, sarangbro, is expecting a kiddo during that week +**\** very exciting +**\** nice name +**\** ikr +**\** we welcome sarangbrokid +**\** in olden tymes, they'd have invented a new last name, like sarangson +**\** best wishes to sarangbro+sarangbro\_junior! :) +**\** yes :D +**\** BTW, IACR has been chock full of interesting relevant papers lately +**\** yes. yes it ihas. +**\** I have a long list for this week +**\** I try to hit up lit review weekly but some weeks it gets just bonkers there +**\** btw +**\** everyone, i really think sarang needs a vacation +**\** like five days of no computer screens and some sun or something, and he barely takes weekends off +**\** sarang is a very driven person +**\** psh, do any of us? +**\** ikr +**\** It's like Newman, who once opined that the mail never stops +**\** thing is, you see Ethereum people on twitter bragging about working 18 hours a day and you know they are producing some straight up crap in those conditions. +**\** I suspect many of us will be effectively taking time off around Christmahannukwanzaka +**\** for one reason or another +**\** OH there is one FFS i would like to direct everyone's attention to +**\** ? +**\** TheCharlatan is proposing development of reproducible builds here: https://forum.getmonero.org/6/ideas/91098/funding-for-development-of-reproducible-builds +**\** outreach? +**\** I strongly support this FFS project, and I think it would be a nice security gain for Monero +**\** These have been desired for a while +**\** So the whole request is for 6 XMR? +**\** yep, and i don't think it's out of line with endogenic's recent efforts to encourage reworking/refactoring Monero (i'm almost certainly mischaracterizing Endo's goals) +**\** it appears he's only asking us to pay for his VPS +**\** I don't know the details of repro build complexity, but that seems like a great deal +**\** unless we can get VPS support for free, as some others had indicated +**\** ^ he works at Shift, the hardware wallet developer, and he started gridcoin, and admittedly wildly insecure but super fun cryptocurrency experiment +**\** or at least, when i met him, he was doing work with Shift +**\** anyway +**\** I have no further information to report +**\** although I'm always interested in getting community feedback in general +**\** cool +**\** Any other fun news to report +**\** ? +**\** aha, so MAGIC received its first non-board member donation today, so I'm totally energized to encourage folks interested in contributing to MAGIC to check out what we are about at https://www.magicgrants.org ... we are an educational and scientific non-profit focused on scholarships and research grants in cryptocurrencies. +**\** our scholarship program will be open starting in January and we are currently fundraising for next year +**\** if we were in a bubble I'd say "hey, come reduce your tax burden possibly" but I'm fully aware of the current state of the market. :P +**\** lol +**\** this is amazing, congrats for magic! +**\** I must take off shortly to meet up with someone +**\** thank you! hopefully we can reduce the financial burden of studying cryptocurrencies for students while also incentivizing universities to make cryptocurrency curricula +**\** and eventually? build primary schools, libraries, and computer labs in the developing world +**\** can't have a crypto infrastructure without comptuers (technically a false statement, but theory and practice disagree here :P) +**\** but since that's not research related and is a coin-agnostic project, it may be one of the last times I bring it up during an MRL research meeting +**\** okay +**\** i believe we are good to go on today's meeting +**\** EVERYONE. you must know this: i love you diff --git a/_posts/2018-11-26-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-11-26.md b/_posts/2018-11-26-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-11-26.md new file mode 100644 index 00000000..fe116560 --- /dev/null +++ b/_posts/2018-11-26-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-11-26.md @@ -0,0 +1,404 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-11-26 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** It's just about time to begin our meeting +**\** hope you're having all of the fun +**\** all ofit +**\** allllright everyone, let's begin +**\** Greetings from MRL. +**\** heyo +**\** before we really get rolling, does anyone have any questions to open the meeting wiht? +**\** o/ +**\** I assume this meeting will be reasonably short, given U.S. Thanksgiving was last week and some of our folks are from U.S. +**\** fire away +**\** okay +**\** the IRS will never call or IRC you +**\** assuming no questions, let's get going I guess. sarang, want to share what you worked on for the past week or so? +**\** Sure +**\** I have a few things +**\** First, there was interest expressed in possibly getting another researcher on board +**\** It would get funded, but we'd need someone qualified and available +**\** So this is more of a "if you know people, send them our way" +**\** The second thing is that I'm working with those outside researchers from Australia on their spent-output stuff +**\** Turns out they didn't invent the ideas on their papers :/ but it's good formalization +**\** (to be clear, sarang means an outside group has approached us offering to fund a new researcher) +**\** ^ wow +**\** sweet +**\** Third, still working more on cross-curve discrete log stuff +**\** what level of researcher are you looking for? full time? +**\** We could easily fund full time, but part time is better than no time +**\** an academic group? +**\** No, it's a foundation +**\** Anyway, just throwing a line out there +**\** rehrar: take what we can get? we have a huge list of todos and all of us have full plates. +**\** well that's awesome +**\** I kind of feel like research does the following +**\** if human knowledge is a circle (think venn diagram), then the circumference is the interface with the unknown, and adding to the circle of knowledge just makes the circumference bigger +**\** so the problem is that if we add additional people without a firmly defined scope, I fear we will have a mission creep sort of thing happening +**\** i'm eager to have more hands and eyes on our project, for sure +**\** Sure, but that doesn't mean we can't set a reasonable number of desired peeps +**\** ^ yep +**\** For the limited current scope we have, I think at least one more person would be very useful +**\** But again, cart before the horse +**\** I just think we should kick some ideas around on coming up with a more concrete scope +**\** so let's chat about that later, maybe? we have time to chat about it, for sure +**\** First, does evenlessmoney (stick with a handle, dude!) want to talk about bloat? +**\** yes, let me repost my message +**\** ty +**\** so we can move on for now, but this has come up in several research meetings before, the prospect of adding to the MRL crew... so we should formalize our ideas about it this week +**\** ArticMine chimed in earlier about it, FWW +**\** FWIW +**\** The block size adjustment algorithm has been on my mind in recent weeks. I was asked in another chat what the biggest caveats were with the dynamic block size, and after thinking about it, I concluded that a motivated attacker could pay the extra fee to bump the block size, and then maintain a perpetual low cost flood of transactions to bloat the utxo set. +**\** https://link.medium.com/OrG5th051R +**\** This article underscores the need for our nodes to remain syncable to the masses, it is doubly important that Monero remains syncable on commodity hardware long run, considering the privacy implications a remote node brings. +**\** After some deliberation, I think capping block size in the code may be necessary, and that allowing it to be dynamic with no upper bound is dangerous. I would love to hear some input from people who are more informed than me on the matter. +**\** articmine mentioned that he doesnt think that this is an issue, but I had a second question afterwards +**\** one moment let me process this +**\** Reading the article +**\** which involved the centralization of nodes - if our block size has too quick a growth rate, nodes cant sync on commodity hardware +**\** which is what that article points out +**\** most of the network would be forced to use remote nodes, unless I'm misunderstanding +**\** its a long article. TL/DR is ethereum is becoming unsyncable and therefore will become centralized +**\** at first glance. if possible to make the attack more expensive is an option it might be worth looking at vs capping the block size. does anyone really want to go there right now? +**\** its worse for Monero IMO, because we really want to stress users running their own nodes +**\** and any network that becomes unsyncable becomes centralized +**\** for privacy's sake, not even decentralization +**\** spaced0ut: one option is to add a nonlinear term to fees. another option is to add a momentum term to block size adjustment, or a resistance term, so to speak. however... +**\** evenlessmoney: when we changed our fees, we did make such an attack much less expensive to carry out, but I don't think it's particularly an issue... if folks think it is, we can maybe consider some simulations, etc, and add a resistance term to dynamic block size. this would prevent the block size from responding extremely elastically to network demand... +**\** but we can all see how that leads to an opposite problem, right, where the block size is too rigid and can't change with demand? +**\** First unlike Ethereum and Bitcoin Cash there is a cost to bloating the Monero blockchain that is comparable to a 51% attack +**\** Not on a continuous basis +**\** only to raise the block size +**\** once the size is up, you can perpetually fill those blocks with bloat txes for cheap +**\** You havee to get it there in the first place +**\** have +**\** and any pool can mine those txs in +**\** You can do a couple percent a block +**\** its not very expensive when you ratchet it over a few days +**\** evenlessmoney: cheaper than before, but not free, and maintaining a long-term flood is non-trivially expensive, even for super cheap monero fees +**\** I'm more worried about baseline activity being that high +**\** and cheap +**\** in this situation +**\** if Monero becomes the de facto BTC alternative +**\** in my mind, I don't see this as a practical attack. people have to blow their Monero in order to drag monero's blockchain down... seems like an incentivization problem, not a security problem. and going the opposite direction, by making monero block size more rigid, presents other scaling problems +**\** can we calculate the cost to double the size over time periods in between hard forks? or even calculate the cost to add a terabyte to the size? +**\** The cost of bloating to a given size is close to independent of the rate of bloat. One can pay all at once or over time +**\** there are a few options to address this, that don't require deep changes nor totally fixed block sizes, i'm just not convinced of the power of an attacker, and ArticMine's fact re: cost of bloating is a really important factor +**\** well one thing to point out is that the median 100 is a parameter from the original implementation +**\** one option: momentum/resistance term, so that increasing block size is harder the further it is away from some fixed "ideal", which we can always change later +**\** and those guys didn't think some things through fully, so I think its fine to question the block growth rate +**\** another option: coupling block size with past block sizes in a moving average sort of way. similar to the momentum trick +**\** gingeropolous: I agree with that statement +**\** evenlessmoney: if this attack does turn out to be practical though, would a solution be to have to continue to pay a fee to keep the block size above default? +**\** its not even an 'attack' so much as popularity +**\** another option: change the timescale of blocksize adjustment so that going up in block size requires a lot of statsitical evidence and, lacking htat, we have a rapid exponential decay back to baseline, or something like that +**\** ^^ +**\** rehrar: yeah, having a fee penalty proportional to the difference between the current block size and the "resting" size would do the trick +**\** I think the biggest issue here is that one you pay the fee to bump the blocksize, as long as the block remains full, it's free to keep it at that blocksize, correct? +**\** In creasing the median to more that 100 block will make this attack way more expensive and if the new median is chosen carefully will have little impact overall +**\** there is no additional cost that I am aware of rehrar +**\** rehrar: that summarizes the potential issue. i'm not sure if it's an issue. :P +**\** after all, there's an argument: if they are paying fees, it ain't spam +**\** so my suggestion of miners having to continuously pay a fee for any blocksize above default is I think beneficial from a incentivization perspective, because it makes sure that blocks absolutely need to be that large +**\** or they start slipping back down +**\** rehrar, but that kind of breaks the scaling +**\** does anyone have some idea how how much money we're talking to perform this attack? are we looking to be safe vs nation states? +**\** someone ran some python on this recently +**\** That is actually the case now since one does not get a rebate for mining below the effective median +**\** Isthmus, where u at +**\** i would like us to stop calling this an attack. It's not like a DOS attack or something like that. +**\** well it actually could be a DOS if well funded enough and nodes can't sync right? +**\** I agree. +**\** how could you distinguish it from healthy usage without a lot of real-life extra information? +**\** this is the big issue, and where a lot of criticism of Bitcoin comes in +**\** A DDOS against node is actually a weakness of fixed blocksize coins such as Bitcoin +**\** if Bitcoin tx goes up, some will say it's a spam attack, and some will say it's adoption +**\** and we simply do not have an oracle able to differentiate +**\** okay, let's do this +**\** and even if there was a reliable one, it would probably not be a decentralized one +**\** There were spam attacks in Bitcoin to drive up fees. This works if hte block are full since most of the spam ts are not mined +**\** But they cost andwith to the nodes +**\** to me it seems there is a small list of useful information needed to address the issue: 1) cost of attack, in XMR, to get to 3 GB / block in one day per Isthmus "\ 00:44 By the end of the 1st day: 3 goddamn GB per block" +**\** bandwith +**\** let's just do some back of the napkin calculations today and see what we see. then we can talk about it more. :P +**\** why 3 GB/block? +**\** yes, concrete numbers are needed +**\** Compare the cost to a 51% attack +**\** 2) current node processing ability. What is the existing blocksize tipping point for processing +**\** Yes, without numbers or simulations (e.g. the work Isthmus and others have done) in this discussion, all this is speculation without data +**\** we may not be "academics" like Zcash (according to Snowden) +**\** suraeNoether, 3 GB / block because thats what Isthmus ran if you do the maximum possible expansion +**\** but we can still pretend to math, at least +**\** gingeropolous: wait do you mean "by the end of one day, block sizes could be 3Gb?" +**\** i.e., if you max out the equation, you can get to 3 GB / block in 1 day +**\** hmm +**\** yeah, let's merely estimate how much that would literally cost someone +**\** I'd like to see this done on testnet +**\** ooooh +**\** yeah, why simulate it if you can just simulate it? :P +**\** we literally have a toy network available +**\** Sure and pay 4x the reward. Why not just do a 51% attack? +**\** that we can nuke +**\** im just parroting Isthmus 's work +**\** Don't spam testnet. +**\** https://usercontent.irccloud-cdn.com/file/UHG4yi8G/image.png +**\** make a new testnet, toynet +**\** axis lbels be damned apaprently +**\** spamnet +**\** we need a testtestnet? +**\** do it on wow +**\** we shall have our own testnet! with spam, and DOS attacks! +**\** ^ +**\** ooh, yes +**\** wownero pls +**\** let's finally make them useful for something +**\** they're good for memes.. +**\** Anyway, this discussion hasn't really produced much IMO +**\** In any case the parameter I would look at if this is an issue is the median number of blocks. +**\** ^^ +**\** for an increase +**\** We can look into running some simulations +**\** anyone got a cache of testnero? +**\** needtestnero90 +**\** ugh, lets not make testnet a pain to use +**\** Hey, sorry for belated response. I'm on phone, at work, can't really hang in meeting, but just saw all the pings +**\** https://github.com/noncesense-research-lab/Blockchain\_big\_bang/blob/master/Isthmus\_Bx\_big\_bang\_model.ipynb +**\** Updated simulations are there +**\** I'll speak with isthmus (we can maybe get together), we can talk about simulations and stuff +**\** But keep in mind if a 51% attack is cheaper then what is the point of this attack? +**\** and report back next meeting or something +**\** ArticMine: medians require 50% violation of data before the median shifts (breakdown point... https://en.wikipedia.org/wiki/Robust\_statistics ) +**\** https://usercontent.irccloud-cdn.com/file/EziXrd38/image.png +**\** a 51% attack costs energy, this attack costs units of account +**\** ArticMine: i don't think it's cheaper +**\** smooth had a good suggestion, to have the penalty start before the median, so you'd get penalty free till, say, 90% of the median. This would cause a natural shrinking if the txpool is full of low fee txes. +**\** oh +**\** thats smart too +**\** I like that one, one of my big issues has been that its basically free (base tx cost) to keep block sizes up atm +**\** isthmus, the axes of your graph are transparent on my computer and i can't read them. :P +**\** hell, someone could find a flaw in monero, print a bajillion monero, and then bring the network to its knees for nothin +**\** https://usercontent.irccloud-cdn.com/file/X1So57dJ/image.png +**\** Sorry, is that legiblbe? +**\** ginger thats a threat if they get infinite monero no matter what our algo is +**\** 51% and bloat are two totally unrelated attacks that accomplish different things. It's an apples/oranges comparison +**\** is graph over a day? Isthmus +**\** yeah i can read it now +**\** Or maybe that was already discussed more earlier, I'm not caught up on scrollback and need to hop back to work +**\** ut unites of account translate into energy via the lock reward +**\** ArticMine: the 51% attack requires hardware/POW. this bloat issue requires only cash, like a POS attack +**\** you can attack the network without being a miner if you have the capital using this approach +**\** It is not like a POS attack because in this case hte cash is burned +**\** true, but it is like a POS attack because all it requires is capital +**\** not hardware +**\** wow 200k eur for 10TB in 2 days +**\** Ok, I gotta bounce back to work. All of the info & FAQ are in that notebook, although it's a very rough draft that I had written up for internal use. +**\** POS can use borrowed capital +**\** There are probably some small bugs, feel free to fix it. :- 0 +**\** thanks Isthmus +**\** Isthmus: sorry to bother you, i just want to make sure i understand: does that mean 1 million euros can drive the monero blockchain to be more than 1 million gigs in size? +**\** within a DAY? +**\** I think it might take 2 days to get to 10 TB +**\** But essentially. +**\** This is taking into account the exponential accumulation +**\** wow. thanks +**\** You are maxing out the penalty? +**\** okay, let me think about this more, but now I've shifted my opinion +**\** Yes, totally override the penalty to make block ~2\*(median of last 100) for every block. It's very petal to the metal, deliberately sized attack +**\** yes, median 10k +**\** Then it is 4x the lock reward +**\** block +**\** I think we should have a term in our fees that is proportional to a super-linear function of the difference between current block size and a "target" block size, say 1MB right now +**\** what about raising the cost to increase again if the block size has recently increased in X amount of blocks? +**\** drastically raising maybe +**\** Fees are driven by the penalty +**\** spaced0ut: in the event of rapid adption (should it ever happen), this would cripple the network for quite some time +**\** So one needs to look at the penalty function. +**\** The simplest an lees disruptive is to increase the 100 block median +**\** less +**\** well assuming this hasn't happened before we can probably get pretty good data (maybe even from btc also) on the upper bound of how rapid real adoption could be. just a thought +**\** the size shouldnt need to double 10 times in a row +**\** we risk the BTC people moving here en masse +**\** or the ecosystem moving in +**\** and i ultimately think increase the 100 block median won't affect UX drastically. It will actually drive a fee market. Current activity is very burst-like. +**\** so delays will eventually clear +**\** and those needing priority can get it +**\** but if the network actually demonstrates a need for larger blocks, they come into existence +**\** and we somehow work a long tail into the decay +**\** surely rapid adoption shouldn't be catered to above long term survivability against this type of attack +**\** The only downside to increasing the median I can see is that the network may not e able to adapt to seasonal changes such as December +**\** its not even an attack, if we get too popular and fees are too cheap for large blocks, we risk nodes becoming unsyncable +**\** the unbounded block size is concerning imo +**\** increasing sample size for the median over 100 blocks will make such a drift attack slower (and therefore cost a lot more, because you have to do it over more and more blocks) but linearly slower. and is a rigid sort of decision, as ArticMine mentions re: December. Adding a nonlinear term to our fees seems sensible to me. +**\** forcing average users to sync against remote nodes due to bandwidth constraints is dangerous +**\** Yes evenlessmoney that's the whole point of Isthmus's posting +**\** if anyone needs to be secure against nation states it's XMR +**\** im interested to see what Isthmus 's multistate memory thing is +**\** but...and I hate to say it like this, hasn't this already been kinda known for a while? +**\** Yes ut how do you enforce non linear fees? +**\** Because we have a dynamic blocksize, we can scale with adoptin +**\** multi-term memory sounds like moving averages of different spans of time to me +**\** "secure against nation states" is ridiculous. They could fuck with us anytime they wanted to already. +**\** That is the whole point +**\** although taht would mean maybe going up to several GB block sizes. +**\** moneromooo, fair enough but shouldn't that be the goal? +**\** rehrar: yeah, but just like a lot of other monero problems, we are learning about the size/scale of the issue. +**\** i agree with moneromooo :P +**\** rehrar: yes, this has been known for a while +**\** we didnt have hard numbers from isthmus until recently either +**\** its been a bit more nebulous +**\** A fixed block size has been proven to be a disaster for Bitcoin and as recent events have demonstrated for Bitcoin cash +**\** Time will tell whether Bitcoin's decision was a disaster. I think the jury is still out. +**\** my thinking is, there is a hard cap. Its 2X the current blocksize. I really think we need a long perspective on the median. Like 6 months. however many blocks that is +**\** + +**\** gingeropolous what if we have a dynamic soft cap that is determined by a long time-scale measurement? :P +**\** thats prolly the multistate thing :) +**\** My take is that increasing the median is the way to address this concern provided it is legitimate. +**\** By legitimate I mean a cost comparison with a 51% attack +**\** That sounds good to me. I would rather the network slow down in the rare december-like situation that someone being able to inflate the blockchain to unusable levels for less than the "cost" (however you quantify that because they are different) of a 51% attack +**\** definitely +**\** Long medians with say a 6 month time frame will not lead to Bitcoin's problems +**\** A 51% attack is recoverable from. That one seems not. +**\** It depends on what the 51% attack does +**\** i think the problem, like the 51%, is that the cost is dynamic and unpredictable. I.e., it cost less to 51% the monero network 3 years ago. We don't know what the hardware will be in 5 years, or the state of network. The protocol needs to be hardware agnostic as much as it can +**\** with the volatility of Monero, this thing is unpredictable too +**\** since it requiers unit of account, this "attack" can be done while Monero is dirt cheap, and the effects stick around +**\** even if Monero goes way up and this isn't feasible anymore +**\** ^^ es it has to be hardware agnostic +**\** Yes +**\** i'm in agreement with articmine for now. both: 1) we need to estimate costs for 51% vs. bloat and 2) a long-time-scale soft cap seems super smart, especially considering how bursty the network is in general +**\** Also because this resembles a PoS attack, you have to remember that it could be done for "free" if people/whales/exchanges are stolen/compromised +**\** Sounds like a long-scale median increase is an adjustment that, while probably suboptimal, is better understood +**\** we can make it even softer by using that long-time-scale soft cap as the anchor point for a nonlinear penalty term +**\** so we gonna use a magic number or see if we can get an emergent one +**\** and even softer if we wrap the solution in fur +**\** There is a lot of room between 3.4 hours and 6 months to tune the median +**\** and make it optimmal +**\** ArticMine: given the 50% breakdwon point of medians... +**\** if we did 6 months, that implies that at least 3 months of \*all monero transactions\* would have to be bloat transactions +**\** for someone to raise the soft cap over time +**\** Isthmus: would be nice to see the effects of a long-term median in your sims +**\** IMO that's the best approach to this analysis right now +**\** moreover, if we don't actually cap anything but add a nonlinear penalty to block reward for block sizes above the "soft cap" chosen by a long-time-scale-median, temporary fluctuations in economic activity would be handled relatively easily +**\** we'll seek out more information +**\** and try to come up with a write-up +**\** after isthmus and noncesense have had their way with some analyses +**\** that's smart suraeNoether +**\** Maybe finding medians/"target values" and softcaps might be an actual legitimate application of some TA haha +**\** lurkinandlearnin: other way around :D +**\** there are no legitimate applications of TA, but there are legitimate applications of statistics \*for use in\* TA :P hehe +**\** A hybrid approach could be used to deal with seasonal issue. Essentially a stiff penalty over the long term median +**\** shit, we can easily do a seasonal model, too +**\** https://machinelearningmastery.com/sarima-for-time-series-forecasting-in-python/ +**\** we wouldn't be using this for forecasting +**\** sarima noether +**\** That implies baking in an eternal event +**\** Yes that's what I mean. The whole point of the TA bullshit is to find patterns which would "look" reasonable given past results (and to claim this somehow predicts them). Whereas we want to put limits on what "looks reasonable" to apply incentives. Right? +**\** ima throw it out there... i think we should target this for protocol change spring 2019 fork +**\** if we have something fancy, great. If not, we just pick a larger median. +**\** gingeropolous: i'm fine with that. i think the large sample size median is going ot have some rigidity problems with the network, i'll work with isthmus to write something up maybe +**\** Cool, I think that sums things up nicely for now, until we have data on this +**\** a rigid network is more useful than a broken one :) +**\** In the interest of time, any other topics to discuss with the whole group? +**\** gingeropolous: sure :D +**\** okay, other than that +**\** over thanksgiving: i read papers on accumulators and learned some more about STARKs +**\** and sarang is still running some matching code for timing purposes +**\** my matching paper is coming along :D +**\** aaaand I don't have anythign else to talk about +**\** sarang? anything else? does anyone else have interesting projects they want to chat about? even if its not formally for MRL or kovri or monero specifically +**\** Perhaps to sum up our meeting, does anyone have goals for the next network upgrade? This ties in with our earlier discussion +**\** ^ good question! +**\** ring size increase? +**\** hold on that until i have more information from matching. :P +**\** Seems like a change to handle bloat would be good, PoW tweak... +**\** everyone here following tevador's RandomX ? +**\** and any recommendations from the matching that are urgent +**\** IMO goals should be getting rid of the payment ID/integrated address/subaddress confusion and what was discussed today +**\** Nuking payment IDs is a longer-term issue IMO +**\** Setting a timeline is more reasonable +**\** its just standing up to exchanges +**\** RIght +**\** we should deprecate and kill long pids for sure +**\** i think a timeline was proposed but never agreed on +**\** exchanges laziness shouldn't slow down the improvement of the network +**\** ^^ +**\** But if we don't set a timeline, we become Zcash with their "deprecate transparent addresses SOMEDAY" +**\** Whether or not to add IPv6 connectivity might be relevant. IPv4 scarcity is said to be a barrier to Sybils. How much though, I don't know. +**\** is it reasonable to have a goal of having only subaddresses by the next September upgrade? +**\** as an enforced consensus rule? +**\** I don't have enough knowledge of exchange timelines to say +**\** hyc: yes +**\** imo, deprecating pids isn;t an MRL thing +**\** We've already said "please don't use them" +**\** the client could just make choices about how to diversify its connections if IPv6 is used +**\** gingeropolous: yeah, only bringing it up because I asked about upgrade goals :D +**\** Only works for outgoing connections. +**\** i feel like you are correct gingeropolous but I want to shy away from the "not my problem" effect +**\** doesn't adopting i2p expose us to the same Sybil possibilities? +**\** I don't know enough to say. +**\** okay, so it seems like we have hit all our major points +**\** very long addresses, and you have no way to know where they originate from +**\** worse than IPv6 in that regard +**\** and we can continue chatting about ipv4 and ipv6 and medians for the rest of the day +**\** but i think that's sufficient for our meeting today :D +**\** Great, so action items are to get Isthmus and friends to examine median changes, and be thinking about upgrade +**\** Oh. One other thing that's related: +**\** sure +**\** If the blockchain is split in N stripes, such that every peer selects a random stripe (that is, 4096 blocks every N\*4096). What is the optimal value of N (too small means you save less storage, too large means it gets harder to find the data you need to sync). +**\** Do we use Bitcoin's default peer limit of 8? +**\** If so, that should be factored in to n +**\** 8 outgoing peers, unlimited incoming IIRC. +**\** The optimal value depends on our metric, I suppose +**\** OK. That was a bad question. A better question was "what is the best metric". +**\** hmm +**\** I think it's just a question of, how much space do you need to save +**\** moneromooo: i feel like N < 3 risks byzantine consensus problems +**\** well, the goal is to save space, but the problem is that is a dynamic question for each user +**\** If we assume good connectivity and number of peers, the number could be decently high +**\** yes, and dynamic for the overall chain too since it continues to grow +**\** someone thats not gonna run software that takes up 80 gigs probably still won't run it if it takes up 40 +**\** suraeNoether: I do not understand. +**\** In my blocktree ramblings I was envisioning 256-way branching +**\** moneromooo: i'm imagining each miner as being a member of one of N coalitions of possibly dishonest participants +**\** Ah, one thing I neglected to mention: the pruned data is just range proofs and smaller bits. Not the whole chain. +**\** if everyone in control of one strip is totally dishonest, that information is no longer really accessible +**\** hmm +**\** this is a nontrivial problem +**\** Yeah moneromooo brings up the question of "is old enough prunable data \_safe\_ to remove" +**\** which is related +**\** moneromooo: I don't think we can pick a number without some knowledge of the underlying network topology +**\** this type of thing is ... unprecedented, right? Therefore, it might be the kind of thing that requires measurement. Once implemented, will nodes advertise which portions of the chain they keep? +**\** and therefore, the network could be crawled to obtain a census of adoption of this approach? +**\** Yes, nodes adertise. And don't have to stripe if they want to keep all. +**\** right. +**\** ... I would deterministically automate it. e.g., MAC address of first network interface & MASK = stripe # +**\** so, the thing we may want to measure is how many nodes join the network with N. +**\** or some other already-visible node ID. +**\** so, say we start with N of 8, we could measure the increase nodecount that are using 8. Or maybe start with 4. +**\** because thats the goal, right? increase number of nodes? +**\** back to moneromoo's clarification - this isn't striping the entire blockchain. just the prunable stuff, range proofs. +**\** so aside from someone bootstrapping a new node, this has no real impact on data availability +**\** wallets talking to nodes that they trust won't see any change at all +**\** i have a question for moneromooo : if we pick N = 8 and six months later want to change it to N = 11 or something weird, how much of a PITA is that? it means that miners need to pull a different stripe, that means a lot of data can be deleted and some new data needs to be downloaded... +**\** i guess my question is: what's the cost of picking a \*bad\* N for implementation? +**\** there are consistent hashing algorithms to minimize that problem +**\** It'd be kinda of a pita. Changing to 16 would be less so, as it's kinda made to allow this (would need some extra code though). +**\** minimize the amount of reshuffling needed when N changes +**\** moneromooo: that's why i picked 11 :P coprime. heh +**\** Also, picking 11 means divisions all the time. +**\** let's tell wownero to pick 24, and we pick 6, and we figure out the difference :P +**\** stick to powers of 2 +**\** (bad approach) +**\** hyc: or at least prime powers of some sort. makes changing it easier +**\** BTW, if anyone wants to try a sync from scratch using the crash branch (which simulates this) is welcome ^\_^ +**\** carbon crab incoming. :P +**\** cesium crab +**\** anyway +**\** OK, I think we can officially call the meeting diff --git a/_posts/2018-12-03-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-12-03.md b/_posts/2018-12-03-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-12-03.md new file mode 100644 index 00000000..0e0dd0e9 --- /dev/null +++ b/_posts/2018-12-03-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-12-03.md @@ -0,0 +1,181 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-12-03 +summary: Surae work, Sarang work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / sarang +--- + +# Logs + +**\** OK, it's time to begin our meeting +**\** ping suraeNoether and others (mass ping sucks) +**\** i am self-pinging +**\** ping serhack +**\** Hey! +**\** howdy everyone +**\** If everyone pings three others, eventually the whole world is pinged +**\** pinged? pung? +**\** multi-level pinging schemes +**\** consider myself punged +**\** definitely pung +**\** it's like the purge, but pingier +**\** pang\* +**\** I have several items on my provisional agenda today, as well as a round-the-horn to see what folks wish to share +**\** First, the Lab landing page https://getmonero.org/resources/research-lab/ has been updated to add new papers +**\** very nice! +**\** translations are welcome, now that we support them +**\** I only added English abstracts +**\** Second, suraeNoether and I will be posting new FFS requests for Q1 2019 shortly +**\** We've been discussing, as we often to, the correct way to assess the amount +**\** This ties in with discussions elsewhere about how best to approach multi-month funding on FFS +**\** Whoa, translating abstracts to Italian? it would a pleasure for me +**\** serhack: yass +**\** Given the 50% contraction each of the past two quarters, we are trying to decide the best way to price our next quarters. whether we should switch to monthly funding, etc. +**\** The current FFS system doesn't allow for non-escrow payments, so we're stuck with whatever the market does +**\** I've been traditionally using a 14-day EMA or 30-day EMA +**\** Last time, I tried to take trendline into account and I received some pushback, which is very understandable. so we wanted to open up the discussion to get some ideas. +**\** Yeah, what are the group's thoughts on this? +**\** (We'd be requesting through Mar 2019) +**\** could you make the question a little more concrete? +**\** for clarity +**\** We could do shorter periods, like monthly, but that opens to donor fatigue +**\** endogenic: what's the fairest exchange rate computation? +**\** i'm generally opposed to using moving averages: in an uptrend, the community ends up paying more and we receive disproportionately more than \*that\* by the time our paychecks come around... so we are arguably unfairly overcompensated... and in the downtrend, the opposite occurs, where donor cash doesn't go as far, and we still receive disproportionately less than \*that\* by the time our paychecks come around +**\** imo ideally you all shouldnt have to worry about that as you really want to have your compensation targeted for the currency you have to pay rent, taxes, etc in +**\** so it's whatever allows you not to have to worry about it +**\** i think it's a real issue though as a source of stress +**\** Well, discussions of how to structure FFS in the future are good ones, but right now it is what it is +**\** endogenic: what if we list our desired salaries in USD and donating to pay our salaries could be a rolling thing; at the end of each month, we take a 48-hour average or something based on Kraken or whatever, and we dip into that fund according to that instantaneous exchange rate? it seems more fair to both donors and us to use a method like that +**\** that's interesting +**\** It might encourage donors to delay donations +**\** until they know the actual value being dispersed +**\** that may actually work out to everyone's benefit +**\** people see their XMR hit our account at much closer to their desired exchange rate +**\** or rather, we gain control over it at a more reasonable rate +**\** Any big opposition to investigating this further? We'd need a decision very quickly +**\** so people's money isn't wasted on volatility and we get what we need to pay rent, etc +**\** fluffypony luigi1111w any thoughts? +**\** ping binaryFate or luigi1111 or fluffypony +**\** ArticMine and binaryFate too +**\** jinx +**\** when atomic pings +**\** cross-client atomic pings via SMS relayed by telegram (the literal wire, not the app) +**\** (not wire the app either) +**\** make it so +**\** anyway, let's put that on the back burner until we get feedback, hopefully in the next day or so +**\** Anyway, until Core Team arrive, let's move on +**\** yep +**\** wow are you guys twins or something +**\** suraeNoether: want to give your updates? +**\** https://github.com/cjdelisle/RandomHash +**\** hello +**\** howdy +**\** experimentation on randomized hash function +**\** well, recently I've been working on three things +**\** cjd thanks for the contribution +**\** first thing i've been working on is the matching paper, which i've handed off to sarang +**\** i had some ideas over the weekend on how to quantify some churn length methodology +**\** which is a step in the right direction +**\** the second thing i've been working on is reading more about accumulators and zero knowledge proofs of membership and nonmembership +**\** this is surae. this is surae catching up on large-anon-set-authentication-without-trusted-setups-to-replace-ring signatures. see surae cry. +**\** Rolling fund sounds good +**\** binaryFate +1 thanks for the feedback :D +**\** the third thing I've been working on is mapping certain discrete-log-based crypto schemes over into a module-theoretic setting and constructing examples. this is a fun hobby for me that is brand new and sarang and i are going to write a paper on it +**\** i've also been working on non-research stuff related to the monero konferenco, and we just got back from our monero workshop in nashville, where we met up to do some research and brainstorming face to face +**\** oh, and i've been making some final edits to the thring sig paper before submitting for peer review +**\** and that's it +**\** oh, i started reading silur's verifiable shuffle +**\** Any specific questions on suraeNoether's recent work? +**\** going once, twice +**\** OK, I'll make my update +**\** suraeNoether has passed on the current draft of the graph matching paper to me for additional work; this is some really cool shit that will be worth everyone's time +**\** I'm finalizing a tech note on discrete logs, reviewing several other papers by other researchers, and also finishing up some re-review of a ring representation paper from Matt Green's team from a while back +**\** My goal is get the tech note, graph matching paper, etc. out the door as efficiently as possible +**\** I want next quarter to focus more heavily on ringct replacements, as does suraeNoether +**\** Any specific questions for me or for suraeNoether on these fast updates? +**\** chirp chirp +**\** Isthmus was unavailable but wanted me to share the following update (one sec): +**\** https://www.irccloud.com/pastebin/UGzuSz5P/ +**\** sgp\_ was looking at pool output data to give more information that could lead to changes in how we handle pool and coinbase outputs +**\** very cool sgp\_ +**\** The upcoming Stanford Blockchain Conference has its free registration open now: https://cyber.stanford.edu/sbc19 +**\** Both suraeNoether and I applied to speak, but I have not heard back on this +**\** An FFS to fund our presence was successful, but the market has been... unkind in the meantime +**\** as it is +**\** Hopefully at least one of us is accepted, to offset those costs. It's an exceptionally worthwhile event +**\** Does anyone else have work of interest to share with the group? +**\** sarang thanks for the link to SBC, i just registered :P +**\** I have worked on an atomic swap BTC/XMR https://github.com/GuggerJoel/XMR-BTC-atomic +**\** h4sh3d: did you see the feedback you got to that? +**\** Worthy goal. +**\** endogenic: I didn't see feedback on IRC +**\** Doesn't that scheme require knowledge of the same scalar across groups? +**\** h4sh3d: "vtnerd> h4sh3d the paper still has a magic zkp step. How are these values zkp'ed ?" +**\** correct me if wrong +**\** if so, that's a subtle step that is nontrivial +**\** Knowledge of a scalar on ed25519 (i.e. mod l) only +**\** and the SHA256 of the scalar +**\** a proof of that equality in zero knowledge? +**\** that's the magic zkp needed, but with Bulletproofs it is possible to prove these constraints +**\** Yeah, other proposals have had the same issue +**\** > a proof of that equality in zero knowledge? +**\** yes +**\** hey guys i have to go a bit early +**\** np +**\** i'll be on for most of the day +**\** see you +**\** I started to write a proposal to work on that scheme, what do you think? +**\** h4sh3d: I need to re-read your paper to remind myself of a few details, but does the sender on one chain guarantee return of funds if the protocol fails? +**\** sarang: yes if it fails Alice (XMR) get her XMR back and Bob (BTC) get his BTC baCK +**\** If Bob disappears Alice gains the BTC +**\** High level: why does Alice get her XMR back? +**\** Delayed signing and posting by Bob? +**\** Ok, what do you mean by "fail"? The zkp or after the firsts transactions on-chain? +**\** why not either +**\** Under whatever circumstances Alice is not guaranteed the BTC +**\** If after locking the BTC/XMR on-chain Bob does not follow the protocol anymore +**\** can be because Bob disappear or act malicious +**\** So what transaction is posted to the XMR chain, and why can Alice get her funds back if it's posted and Bob disappears or pulls other shenanigans? +**\** Proposals around refund transactions can take advantage of that new construction, but not with this proposal +**\** In this scheme the first XMR transaction move funds into the address controlled w/ (a,x) private key, where x is half controlled by Alice and half by Bob +**\** OK, if Bob disappears, Alice can recover the key? +**\** no, but she can get the BTC +**\** Does she wait until Bob has posted the BTC transaction before posting the XMR transaction? +**\** so if Bob disappears, Bob loose +**\** (I'm being purposefully socratic to help me understand better) +**\** np +**\** https://github.com/GuggerJoel/XMR-BTC-atomic/blob/master/whitepaper/xmr-btc.pdf +**\** page 4 +**\** Yep, I read that. I want to ensure I understand the nature of protocol failure by asking you that question +**\** Yes, Alice waits enough conf before sending XMR tx +**\** OK, and Bob takes advantage of BTC timelock in case of Alice's disappearance +**\** In fact we can say that Alice or Bob will "sell" half of the key in the Bitcoin tx +**\** Yes, exactly +**\** My spidey sense tells me that someone else had a similar idea at some point, but I don't recall specifically +**\** Even so, at face value a neat idea +**\** made possible by bulletproofs (tm) +**\** To what extent is knowledge of the ed25519 scalar as a hash preimage on the BTC chain group-specific? +**\** I've not finished my journey into Bulletproof, but I'm pretty sure that it's feasible with zkp tech today +**\** h4sh3d: yes +**\** bulletproofs can support this +**\** verification isn't trivial and the circuit is ugly +**\** But yeah, any time you're using values across groups, you have to account for how they are used +**\** Not sure that I understand the question about preimage on the BTC chain group-specific +**\** ed25519 != secp256k1 +**\** None o that goes onto the chain though, right ? +**\** (except the tx) +**\** That's my question +**\** Yea I know but the x is not used with secp256k1 +**\** I obviously need to do deeper diving onto the guts of hash timelocks +**\** x\_0 or x\_1 is reveal into the unlock script in bitcoin +**\** sometimes I think you guys just make up words and terms to sound smart +**\** What groups are those scalars in? +**\** Is there any algebraic requirement beyond "throw it into a hash function as a byte string"? +**\** rehrar: you're not wrong +**\** I dont think so +**\** h4sh3d: if there are no algebraic assumptions on the scalars and it's purely a matter of byte representation, that's one thing +**\** otherwise you'd have to be very careful about crossing groups (we dealt with this recently do a discrete log equality proof across curves) +**\** Anyway, we should continue to discuss this... but does anyone else have a short item to bring up, before we hit the end of our meeting time? +**\** If not, we can adjourn and continue existing discussions +**\** OK, officially adjourned diff --git a/_posts/2018-12-10-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-12-10.md b/_posts/2018-12-10-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-12-10.md new file mode 100644 index 00000000..889f0407 --- /dev/null +++ b/_posts/2018-12-10-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-12-10.md @@ -0,0 +1,202 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-12-10 +summary: Sarang work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / sarang +--- + +# Logs + +**\** OK, it's about time to begin our meeting +**\** Greetings to everyone; who's here? +**\** hello +**\** hi +**\** ping binaryFate endogenic gingeropolous hyc Isthmus moneromooo nioc parasew[m] rehrar smooth stoffu etc +**\** hello +**\** suraeNoether will be away today +**\** First off, updates on recent work +**\** another tech note (MRL-0010) is merged to -site along with several others that now appear +**\** https://getmonero.org/resources/research-lab/ +**\** soon lab.getmonero.org will direct there as well +**\** MRL-0011 deals with graph matching and is being finalized +**\** Along those lines, some interesting lit review +**\** An older paper on quantum-resistant accumulators: https://eprint.iacr.org/2017/1154 +**\** One on highly expressive accumulator proofs: http://legacydirs.umiacs.umd.edu/~zhangyp/papers/accum.pdf +**\** Publication of a paper we saw as a talk in London, about using nested merkle trees to avoid evil remote nodes: http://legacydirs.umiacs.umd.edu/~zhangyp/papers/accum.pdf +**\** whoops, wrong paste: https://ieeexplore.ieee.org/abstract/document/8406557/ +**\** And the paper discussed this morning about cross-chain stats: https://arxiv.org/abs/1812.02808 +**\** cool stuff +**\** Besides those, I'm reviewing additional non-published stuff, one of which is an alternate proposal for return addresses +**\** sgp\_ suggested doing a youtube series called Breaking Monero +**\** each short episode would talk about a common method of monero analysis +**\** to help the DHS ;) ? +**\** heh +**\** want me to paste the initial description ideas? +**\** please do sgp\_ +**\** I didn't update yet with your feedback +**\** that's fine +**\** https://www.irccloud.com/pastebin/XI0H2aU9/Breaking%20Monero%20Ideas +**\** I think doing this will speak well to our transparency and get ahead of low-quality research +**\** I also think it will help Monero research be more approachable to those who do not idle here all day +**\** Any thoughts after reading this? (Or on my previous statements about lit review and MRL papers?) +**\** ^^ +**\** is there a plan to add paper references to the episodes= +**\** ? +**\** We could +**\** engelmensch\_: good idea. would take preparation, but would be worth it +**\** Eh, or just short episode notes on a corresponding reddit post +**\** Episode 0: A Preprint is Not Peer Review +**\** The thought was to start the series next week +**\** 15 minute-ish episodes, perhaps +**\** informal +**\** exactly. keep it pretty short to keep user attention +**\** Anyway, be thinking about ideas and presentation. Consider them a shorter series similar to the Bulletproofs fireside chat that sgp\_ and I did a while back +**\** initial timeline is announce next week, create most content in early Jan +**\** ah ok, nvm then +**\** any plans for video visualisations? that might help a lot to grasp the problem. or else a whiteboard +**\** I misunderstood +**\** first intro episode next week +**\** yes, will include visualizations +**\** the finest stick figures that paint can offer! +**\** ;) +**\** pretty much +**\** But IMO that's fine +**\** Too much flash and people will accuse you of being up to something +**\** that's quite a list of episodes. looks good +**\** "Here you go, now shut up about chain analysis" +**\** not flash, but having too many references in you brain might break stuff, so a diagram is quite useful +**\** agreed +**\** On a funding note, FFS for suraeNoether and me have been posted for Q1 2019 +**\** and related to this, a rep from the Loki Foundation contacted me and said their group is interested in funding a researcher in fiat +**\** they've offered 15000 USD for this +**\** the escrow system is not set up for this, so any researcher who took them up on this would do so separately from FFS +**\** I'd be interested to know people's thoughts on the idea of having a researcher partly paid by FFS and partly in fiat by this organization +**\** up to the individual I suppose +**\** Their original hope was to help out someone new, which would be great if we could find such a person +**\** but they said that given the market and current FFS needs, they'd be open to doing this for me and/or surae +**\** If only such a person existed! +**\** The latter would obviously be a big change +**\** I'm personally open to the idea, provided the community can be assured that there are no extra strings attached to the fiat +**\** and that research directions aren't being influenced +**\** Anyway, those are my updates. Does anyone else have work of interest to share? +**\** in my opinion it looks the same as other funded researchers contributing to the comunity +**\** Agreed, but community funding carries a certain onus +**\** Any updates on konferenco? +**\** I try to write up a simulation based security proof for the ringct +**\** suraeNoether has been planning, but I do not know of updates (and he is away for the morning) +**\** engelmensch\_: in what way? +**\** What happened to the coral reef project? +**\** in a semi-honest model and then hope to GMW compile it to the malicious model +**\** What aspect of ringct? +**\** notmike how is that remotely appropriate for this channel? does anyone else find notmike disruptive? +**\** trying to have a meeting here +**\** I want to show that the commitment do not leak any more information, as an attacker would find out anyway +**\** excuse me endogenic can you take a step back and try to calm down, please +**\** no +**\** I'm just curious as are many others about where the monero from the FFS is goin +**\** If you haven't noticed this is something many are asking. +**\** we can discuss that shortly if you don't mind +**\** go ask on reddit then. this is not your personal attention seeking venue +**\** engelmensch\_: the amount commitments? +**\** Nor have I tried to make it that guy. You should really try to calm yourself. :/ +**\** yes the amount commitments and the intermeidate stuff in the single, in my setting also the color commitments +**\** well the commitment itself is a pedersen commitment, not much info gained there +**\** is it something particular to the signature definition you're looking at? +**\** not sure if I can only reduce the security of my contruction to the current monero +**\** I use the MLSAG as a blackbox +**\** Interesting +**\** We'll be glad to help as needed +**\** but for my paper I'd like a formal proof that it's sound and secure. And the best way to do this was via a simulation based proof +**\** notmike: non-research FFS requests are outside of MRL's scope +**\** at least, that was what a prof told me who is into it +**\** OK +**\** The existing analysis was essentially a 2-D version of the Liu proofs +**\** yes, I saw this for the MLSAG and just reference it +**\** sarang: well, consider the Loki Foundation's offer. There should be a serious effort to draw in other researchers before any consideration is made of paying present researchers with that cash. +**\** We don't want to spread community donations too thin +**\** at the moment even moneromooo's FFS has been open for a few days +**\** If current researchers get fully funded, it makes more sense to investigate someone else +**\** Its not clear that this would happen from bringing in other researchers, or that fully funding present researchers is the best use of the funds. +**\** It's up to donors to decide what to do with their money +**\** notmike: i am calm. nice try though +**\** is there a preprint/draft of MRL-0011? +**\** engelmensch\_: privately, yes, but it's not in a state for public release yet +**\** ok +**\** it needs only a few more days +**\** then will be posted to github and -site +**\** One issue with bringing in other researchers is that most folks with training in this field are employed already, or are grad students +**\** because we're writing a grant proposal to investigate cross-layer effects of privacy preserving p2p entworks and privacy preserving applications ontop of them +**\** engelmensch\_: this work is purely about graph analysis +**\** I'll be interested to see your simulation work on this engelmensch\_ +**\** Any other news or work of interest to share? +**\** it might be related, as we did some work with DC nets on the p2p layer which also create some sort of anonymity set as the ringsig +**\** hmm ok, let's talk after meeting about details +**\** sorry if I'm too verbose +**\** no prob +**\** Hmm well it seems the well of information has run dry a bit early today +**\** I suppose we could discuss more about engelmensch\_'s work given the timing +**\** How do you see our analysis complementing the grant proposal? +**\** by graph analysis I suppose it's tx graph analysis? +**\** Our work is an examination of formalizing ring sigs as graph structures, and examining the computational complexity of proposing spend histories +**\** it also can tie into other heuristics, like the guess-newest output heuristic +**\** ok, and how does this hold, if you get auxiliary information from the p2p layer? +**\** You can use heuristic information, like output age or presumably probabilities from p2p layer, to optimize your history selection +**\** and for identified outputs, you can simply remove them from the graph altogether as you might expect +**\** none of it is provable, of course, and the complexity is huge +**\** jup. my effort on provable stuff was only considering 1 tx +**\** Ah ok, this is a more global analysis +**\** but it could be examined for smaller sets +**\** the idea behind simulation based based sec proofs is that you create an ideal world, where there is e.g. a trusted third party and then you compare the views of different parties to the real ones. And if there is an algorithm which can create the view of an actor without access to it's secrets, it is considered secure +**\** I'm in the process of understanding how these proofs actually work from: https://eprint.iacr.org/2016/046.pdf +**\** maybe written down it makes more sense. I'm happy to have a working implementation of it in the meantime from postponing the theory work +**\** Awesome +**\** Well, looks like good work in progress on that analysis +**\** We should have the first graph paper finished in a few days for review +**\** There's definitely room to expand it to a second one as well +**\** I'm happy to review it +**\** That'd be excellent +**\** I'll post it here when it's a good state +**\** Original plan was to include a broader scope, but we dialed it back a bit and are removing some stuff +**\** surae also has some code relating to it +**\** cool +**\** Side note: I made this post yesterday regarding attackers collecting IP broadcast data by running nodes: https://medium.com/@JEhrenhofer/attacker-collection-of-ip-metadata-27032e736371 +**\** m2049r got back to me with an estimate gingeropolous: 3183 Monero nodes, 64 of them with port 18089 open, 56 of those on the proper block height +**\** Conclusions? +**\** Attackers can run x many nodes to connect to y clients directly, therefore learning more about the transaction broadcast process +**\** s/y clients/y other nodes +**\** yes. there are some modified clients which connect to all possible nodes and do not relay any pending TX to figure out the timings when they receive the tx +**\** this can be used to deduce the topology +**\** we plan on running such a node +**\** it is also useful to get metrics for 0-confirmation clients +**\** sgp\_ had some estimates posted to reddit/twitter based on this +**\** how long is a good time to wait before you can be sure that a TX will most likely be included in a block +**\** since each node reports who its connected to, the topology is clear. or what do you mean engelmensch\_ ? +**\** no. when you collect the timings of when you get a tx from a node, you can infer the latency between nodes. If you do this with planetlab and have low latency to most peers and GPS timestamping, this gives you pretty good latency estimates +**\** the IP information is a good indicator for the importance of i2p/tor routing +**\** Yes. For my research, the next step is estimating the impact that server providers can have +**\** m2049r is there a way to do an org lookup on these IPs? +**\** you can use the location ISP database +**\** that gives you decent results +**\** http://lite.ip2location.com/ +**\** Cool, didn't know about this specific service +**\** I played with it, when I was using zmap to scan 0.0.0.0/0 and knocked on some ports +**\** it's a nice way to visualise, but should also serve well to track clients +**\** So engelmensch\_ you are more interested in latency-based topology, as opposed to sgp\_'s interest in ip data from nodes? +**\** if I'm understanding the difference properly +**\** At the moment I've done no research with latency +**\** right +**\** we are 2 PhD students, I'm more on the blockchain layer and my colleague is more network oriented, so he leads this direction +**\** but atm he wants to have a latency graph +**\** engelmensch\_: is your interest more about adversarial data, or about propagation statistics? +**\** when you have the propagation statistics, you can motivate a lot of research why latency is important. e.g. if you use a DS network to disseminate pending TX (to hide your position) it has to reach all nodes in an appropriate amout of time +**\** so there are a lot of really good privacy preserving networks, but they normally have n² messages and therefore are unusable +**\** fwiw I have a connection here at Minnesota to Professor Hopper, who does Tor latency and bandwidth research iirc. Could be a useful person to talk to +**\** https://www-users.cs.umn.edu/~hoppernj/ +**\** I saw a lot of analysis from the guys in sardinia: http://blockchain.unica.it/ +**\** It's getting late in Europe ;) I'll read up later +**\** Thanks for joining engelmensch\_ +**\** thanks for all the input and discussion +**\** http://lite.ip2location.com/ looks pretty good - is there a catch? +**\** I guess we never formally adjourned, but thanks to everyone for joining +**\** Seems the order of the day is network analysis diff --git a/_posts/2018-12-17-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-12-17.md b/_posts/2018-12-17-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-12-17.md new file mode 100644 index 00000000..f72a85d9 --- /dev/null +++ b/_posts/2018-12-17-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-12-17.md @@ -0,0 +1,298 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-12-17 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** howdy everyone +**\** heyo +**\** i've been sick all weekend +**\** I'M BACK THO +**\** not really +**\** still exhausted but INCREMENTALLY GETTING BETTER +**\** just like monero +**\** heh +**\** allrighty everyone: as usual, we'll open with questions, then discuss the work we've done the past weeks since our last update +**\** does anyone have any questions before we open up? +**\** okay. cool :) we'll ask for questions as we go +**\** since last we met I received and started reviewing sarang's version of the matching paper, and I attended the coincenter workshop in san fransisco, and I met isthmus in person +**\** i paid for that trip out of pocket to not burden the community, fwiw +**\** Anything more about the coincenter workshop? You had mentioned it a bit before +**\** so, to refresh the audience, coincenter writes policy reports to help inform lawmakers and regulators about cryptocurrency technologies, their true capabilities, and to advocate on behalf of financial privacy, to try to persuade lawmakers to not make stupid decisions +**\** if anyone saw the CFTC commissioner's speech in october: there was a small freakout that the CFTC may be prosecuting developers of smart contracts eventually: these are the sorts of things that coincenter is trying to advocate \*against\* +**\** the reports are extremely well written and contain some of the best arguments, in my mind, that financial privacy is necessary for an open society and that large-scale surveillance of financial transactions is basically antithetical to a free and open society +**\** What did you bring to the table from your perspective? +**\** i brought a few arguments favoring privacy that i like a lot, tbh +**\** for example +**\** clearly preserving financial privacy is a step in the right direction, but how to reconciliate regulator acceptance of something like monero, in a world of guilty by default, aml/kyc, FATCA and CRS? if you were to transpose the banking rules as they stand today to the crypto space, then it seems evident (unfortunately) that the general population having access to the famous swiss bank account in their pocket would go against the +**\** direction of the last decade or two, which is granting government the ability to track anything and everything digital (specifically in regards to money flows in this discussion) +**\** i love it when fluffypony talks about how monero can be used to buy banned books in totalitarian regimes like north korea, for example, because it illustrates that \*using a technology that is morally neutral, and can be used for good or for evil\* is not inherently wrong or criminal, and can be used to do ostensibly "good" things for society +**\** kayront: actually +**\** not to hashtag-actually yoiu +**\** the thing is that the banking rules as they stand today give exhcanges like coinbase plenty of power and ability to comply +**\** Exchanges are waiting for super-conservative Coinbase +**\** I'm not convinced that accepting Zcash was a step in the right direction or not +**\** every single cryptocurrency, zcash and monero included, if you are using KYC/AML exchanges, can totally de-anonymize you. so you may ask a better question which is: "why are law enforcement asking for MORE power and control over this new technology?" +**\** lol because they can +**\** for example kayront +**\** sarang: yeah the answer is obvious +**\** hence the political pushback and advocacy +**\** so, for example kayront, a bank today only needs to file a suspicious activity report about information that's happening inside their own bank +**\** suraeNoether: "totally"? sure, they'll be able to track when you get in and out of monero, but after that, the ship has sailed +**\** the guys at Chase arent' responsible for filing an SAR about stuff that happened on Wells Fargo accounts, and vice versa +**\** transfer to your own wallet, churn as you please for increased peace of mind, do whatever you want +**\** I think he's saying that you give them your name and address and bank info, so of course the exchange knows who you are +**\** i think this sort of thing scares the regulator +**\** Sure it does +**\** so the recent trend where pols and law enforcement officials are asking for additional view key access is in contradiction with their current ability to comply +**\** with classic/traditional assets +**\** if Chase doesn't need to report anything beyond one hop outside their bank, why should Monero give outgoing view key access, for example? stuff like that +**\** We need to convince exchanges that they can already comply +**\** so the coincenter workshop was a day of very smart and stimulating people from various coin projects and various non-profits around the world discussing how to convince lawmakers of stuff like this +**\** but regulators are being super cagey about specifics +**\** i find the whole argument very fallible, so don't misunderstand, of course I don't stand for that .. i don't quite understand how sending money to anyone you want to without asking for permission isn't basically the same as chatting up anyone online as you please without permission +**\** kayront: ? +**\** in fact, if you ask me, it opens up a whole new ocean of possibilities +**\** i mean the "guilty until proven innocent" spin on things +**\** kayront there is a strong argumetn from the 1st and 4th amendment right that these financial transactions are free speech and demanding financial histories doesn't jive with the 4th amendment +**\** That's much broader than financial regulation +**\** anyway +**\** not totally relevant +**\** ya +**\** it's interesting +**\** So... good meeting, I take it? +**\** what does MRL think about using hashcash or a reduced monero PoW (like pool mining shares) to secure anonymity networks for p2p? +**\** and political science-y, so we can call it research :D +**\** And you had said that the documents will be published? +**\** :D +**\** oneiric\_: what does that mean exactly? +**\** yeah, sarang, i walked away feeling like it was a room full of allies both for financial privacy in general and for the twin monero-zcash ecosystems. i wasn't expecting that at all, tbqh +**\** nice +**\** sarang: yes, all the reports will be made public on coincenter.org soon +**\** oneiric\_: if you elaborate i could form an opinion :D +**\** In the meantime, anything else to share suraeNoether of interest? +**\** Sounds really interesting. I'll look into those reports when they drop +**\** oneiric\_: i know that stellar uses a weird concensus mechanism involving picking neighbors to form a quorum vote, but rather than being a networking tool, it's intended to replace POW/POS +**\** Hadn't even heard of coincenter until now +**\** sarang: I read the recent andrew miller paper on probing network topology blindly in bitcoin +**\** so, anonymity networks (and ipv6) make it much easier for attackers to perform sybil attacks by spinning up many addresses (nodes) for little cost. adding some form of PoW would help mitigate that possibility by adding some effort to spinning up a node +**\** Interesting, I'd be interested to see how that would work +**\** and how a PoW integrates to it +**\** sarang which is SUPER clever and it could be used similarly for boostrapping blockchain downloads or kovri networking or something like that, if a similar sort of feature can be exploited as in that paper +**\** suraeNoether: link? +**\** Not sure I saw that paper +**\** https://www.cs.umd.edu/projects/coinscope/coinscope.pdf +**\** How new is it? Didn't see on IACR +**\** i saw it tweeted end of last week iirc +**\** word +**\** it's clever: it uses inputs with no known outputs and a bitcoin node's behavior when it receives such an input +**\** it can't be relayed because it doesn't appear valid +**\** Huh, I shall read it today, thanks +**\** yeha, they use a purposeful double spend attempt to suss out which nodes you are \*really\* connected to +**\** anyway: that paper, plus sarang and my matching paper, comprise most of my time last week and this week other htan the workshop +**\** (surae is done now)\\ +**\** The matching paper is under its reasonably final review +**\** we'll post here for internal review soon, and then off to the presses +**\** although at the end of the meeting i have a small community announcement +**\** sarang we should also consider whether we want to publish our matching paper \*specifically in a journal\* or leave it as an MRL bulletin +**\** I also spent a good deal of time on that, but kudos to surae for a lot of work on it +**\** Right +**\** i feel like it would be valuable to publish in an applied graph theory journal +**\** Sorry to interupt but could you explain what exactly "matching" means in this context? +**\** And it opens up to additional matching/weighting work too +**\** lurkinandlearnin: ah, good question +**\** lurkinandlearnin: you can apply graph theory to a transaction graph +**\** and this means questions of Monero analysis can be reframed to known graph theory problems +**\** lurkinandlearnin: the idea is basically to link transactions in a transaction graph. if it's just a plain old graph with no additional information, mathematicians call it a "matching problem" or an "assignment problem" or sometimes a "marriage problem" +**\** suraeNoether formalizes this +**\** soon (tm) +**\** lurkinandlearnin: so we are applying known techniques to our graph, to get an overall sense of "how bad" our linkability really is, disregarding less complete approaches previous researchers have used +**\** Once again, a "please stop publishing on this" to others =p +**\** I see. So it's to abstract the data we can get from the blockchain to a form where these established techniques and theories can be applied? +**\** Right, we don't have to reinvent the graph-theoretic wheel +**\** and it also provides bounds +**\** yeah, the number one problem with ring signatures and monero going back years is small anon set sizes. fluffypony makes this an important part of almost every talk he gives, but people still regularly publish papers that re-invent the wheel over and over again. "look, if two signatures have the same ring, you can ... you can... oh boy! i'ma publish!" +**\** the novelty of our approach is we are able to find a lower bound on some specific instances of the matching problem +**\** It's basically how other types of security proofs go... if you could break X, it'd mean you would have solved Famous Math Problem Y +**\** previous approaches have been able to say "well, matching monero is \*no worse\* than sharp P. https://en.wikipedia.org/wiki/%E2%99%AFP +**\** Interesting. So is the paper "groundwork" towards using these techniques or have you already got findings? +**\** but that's like saying "it's no worse than the worst possible problemt hat God himself couldn't solve" +**\** lurkinandlearnin: we are sort of generalizing many previous techniques at once and showing how they fit under a common umbrella +**\** We have some algorithmic findings +**\** Again, it'll be posted here for internal review soon +**\** yerp +**\** it's a good paper +**\** i like it a lot +**\** it really highlights how linkable Monero will be until we get larger anon set authentications +**\** Aside from that, Badass Benedikt Bunz put out a new paper on batching in accumulators: https://eprint.iacr.org/2018/1188 +**\** Unfortunately it applies most directly to RSA accumulators, which are a no-go for us +**\** Thanks for the explanations. I'll look forward to it. +**\** np +**\** I'm working a ZtM update regarding spend proofs, which I realized are useful but missing from the tech documentation +**\** as well as some arithmetic circuit research +**\** Otherwise, just trucking along with lit review and code +**\** A side note that several funding requests are open, including those that fund MRL and other developers: https://forum.getmonero.org/8/funding-required +**\** In a bear market, pockets tend to shrink unfortunately :( +**\** (disclaimer: one of those requests is for me) +**\** Ain't that the truth +**\** Loki Foundation is still willing to help fund one of us +**\** to the tune of 15K USD total +**\** If the funding requests don't complete, I would consider accepting the fiat donation under the right conditions +**\** the bear spares no one +**\** Loki Foundation? +**\** Foundation associated to this group: https://loki.network/ +**\** Monero-based, so they wish to support researchers (and no doubt it's good PR too) +**\** The Foundation as a legal entity is not allowed to donate in cryptoassets +**\** so they'd have to donate directly in fiat +**\** haha I searched before you answered and only found a german record label +**\** Anyway, I welcome comments on such an arrangement +**\** I would insist that there be no additional strings that wouldn't apply to any other FFS donor +**\** to ensure research independence +**\** Well I've never heard of them but if it can be guaranteed no strings then I don't see the problem +**\** My goal would be to ensure that it doesn't change the nature of MRL's support +**\** It wouldn't become MRL Brought To You By Loki Foundation +**\** Anyway, it could be a moo point if the FFS are funded; then Loki would be interested in supporting a new researcher if one came around +**\** Anyone else have interesting work to share with the group? +**\** I do! +**\** carry on +**\** But I guess the important stuff should go first. +**\** I can go on after the meeting. +**\** Nonsense, all researchers are welcome here +**\** I'm finished with my update, please go ahead +**\** This is the point of the meeting +**\** Today I want to present the return addresses. +**\** Return address is a GREAT idea. +**\** It's also MY idea, but that is unrelated. +**\** It's quite simple: include sender's subaddress to every transaction header. +**\** To make transactions unlinkable generate the subaddress from transaction's public key and sender's private key. +**\** This way it's trivial to generate corresponding private key even after wallet restore. +**\** I was thinking about this earlier in the context of other timelock schemes +**\** What good a return addresses for? +**\** Many things! +**\** The most obvious one: a full or partial refund (interactive). +**\** A merchant can send you funds back without asking for your address. +**\** i'm sodl +**\** Another one: an exchange can return funds that it can't bind to any account. +**\** the famous PaymentID problem. +**\** Or if the account is closed for some reason. +**\** There can be non-interactive services. +**\** or AML / KYC +**\** Like micro-credits. +**\** .. or returning unused FFS monies to their owners +**\** You send a coin to the public address and get two in a month. +**\** But even more! +**\** more, you say! +**\** You send money to a specific address and receive a password to something in the dust. +**\** It'd be ~2% increase in a 2-2 txn size +**\** Yes. But it's per-transaction, not per-output or per-input. +**\** ilyaAldanov: it's a very interesting idea. if it works out, that means we have two possible ways of going about doing some sort of return functionality +**\** It's the only 100% reliable link back to transaction owner. +**\** This is a 10/10 idea. The usefulness of these features could help push the more general adoption of subaddresses (which imo is a urgent goal). +**\** It'd be a fingerprinting method, as usual +**\** Yes, but I want to stress out that my return addresses is not limited to refunds. +**\** sarang ? +**\** Anytime some transactions include data that not all do, it distinguishes them +**\** it'd be easy to discern who is using these return addresses and who isn't +**\** Every transaction should have one. +**\** No exceptions. +**\** i can see why you would say that +**\** or suggest it i mean +**\** Yes, but of course you can't make randomness enforced +**\** yes but you could see that the subaddress in the header has received funds in a future transaction, correct? +**\** its essentially, what, 32 Bytes additional per transaction? not so bad at all given the functionality that would come out of it +**\** lurkinandlearnin: no, but you'd see an output in a ring +**\** 64 bytes +**\** 2% add-on to a 2-2 txn +**\** rihgt +**\** The return address is just a subaddress - nobody sees when it is used except the owner. +**\** yes sorry that's what I meant +**\** i think we need a write-up before we can really judge how it's supposed to work, but it's v promising +**\** There is one +**\** not published tho +**\** I don't publish it because a) it's a draft b) don't want the coins I don't like to implement it first. +**\** The construction of the subaddress is clever ilyaAldanov +**\** Heh, Monero doesn't need to be first, just best +**\** sarang: there's a write-up for ilyaAldanov's idea? +**\** It was sent privately during discussions +**\** fwiw i find this a very interesting idea as well +**\** The more we discuss it, the more I like it +**\** opens up a lot of functionality +**\** I sent it to Sarang and Isthmus. Can send to you as well. +**\** seems less disruptive than DLSAG +**\** if it can be made to work without meta/data leakage, sounds like a no brainer +**\** Yes, but doesn't solve the same problems +**\** +1 sounds like a great improvment over payment id +**\** sarang: right, no timelock/block height stuff built in +**\** oneiric\_: it doesn't really solve payment ID either +**\** it acts as a band-aid for when they require payment ID and you forget it +**\** also it's interactive +**\** I'm just saying this is orthogonal to DLSAG +**\** would they be do-able together or would it be one or the other only? +**\** DLSAG = ? +**\** You could probably do a separate return subaddress per output address +**\** MRL-0008: https://ww.getmonero.org/resources/research-lab/ +**\** If you ask me, I came up with many more use cases for return addresses. +**\** I definitely see the usefulness +**\** DLSAG = dual-output linkable spontaneous anonymous group signatures +**\** But it's our job to rip every idea apart +**\** I want to talk about one exceptionally useful case tomorrow. +**\** Not today? +**\** One feature per day! +**\** i.e.: usual ringCT but with two output keys and a trigger block before which the recipient of the first can spend the first and after which the recipient of the second can spend the second. +**\** There was Hybrid Mining and Emission Curve days already. +**\** ilyaAldanov: it would be necessary to post the construction here for review +**\** this would need to be public, of course +**\** Yes, of course. +**\** After you'd brought it up earlier, I started considering the effects this would have if it were optional (or effectively optional), especially on fake selections +**\** But right now it's a draft. I really appreciate some comments, especially negative. +**\** This is an important consideration +**\** Even if it's mandatory, you should assume that wallets not using the functionality would be stupid and include all zeros or something +**\** It'd be useless if optional. +**\** I like the fact that subaddresses have found another potential use. +**\** and determine what an adversary would do if it saw ring inputs from txns that include a "fake" return address vs a "true" one +**\** ilyaAldanov: I know, but you can't make randomness a consensus issue +**\** That's a perspective I didn't think about. Thanks. +**\** It came up with payment IDs a while ago +**\** ilyaAldanov: think about it this way: someone publishes a txn with the return key 000000000000001 +**\** how can you tell that's not genuinely random? +**\** should it be blacklisted and not propagated? +**\** what about 000..0? +**\** Yep, I get the idea. +**\** or what about 10101110010100111? +**\** coolio +**\** The goal would be to ensure that even if wallets do this, it doesn't affect other users' rings +**\** But there're many places where wallets can misbehave. +**\** Yes +**\** Like in the change output. +**\** So we should assume they'll be awful and minimize the damage +**\** ilyaAldanov: if you approve, I can send your document to suraeNoether +**\** I approve. +**\** or just email it to me at surae@getmonero.org +**\** But I want feedback! +**\** Sure; you'll get the best feedback if/when you release the draft publicly, tho +**\** Are there any spies of the coins I don't like here? +**\** ilyaAldanov: probably, but they also are not very good at their jobs :D +**\** probably +**\** I don't like coins with premines, developer's rewards and obnoxious leaders. +**\** Welcome to Club Monero +**\** I assume Monono will steal this, but I'm ok with that +**\** So our time is nearly up... anyone else have info to share? +**\** a while ago there was a request for a recommended ring size for the next hard fork which is April and the code freeze is Jan. I know research has been done to address this request. Where do we stand in regards to a possible ring size increase? +**\** suraeNoether: you'd indicated you had a community announcement +**\** I am a spy +**\** I'll publish it, just to put one more section about Shared Secret. +**\** cool +**\** oh wait I wasn't meant to say that out loud +**\** I do not see a reason to increase at this time +**\** but more is better :D +**\** nioc: recent research suggests that increasing ring size \*may not\* be super helpful, even though \*the min time required\* to generate a guess at the true Monero transaction history is proportional to r: double r and you double that min time required +**\** which sounds great +**\** but it's not very efficient +**\** i would rather: increase r by 1 and the difficulty doubles +**\** suraeNoether: your community annoucement? (I don't want to go over if people need to leave) +**\** Hmm he has vanished +**\** Community announcement: https://www.youtube.com/watch?v=CiRu\_W9tzM8 diff --git a/_posts/2018-12-31-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-12-31.md b/_posts/2018-12-31-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-12-31.md new file mode 100644 index 00000000..9ee6330b --- /dev/null +++ b/_posts/2018-12-31-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-12-31.md @@ -0,0 +1,271 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2018-12-31 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** OK, probably low attendance today, but might as well see what folks are up to +**\** Hullo ll +**\** \*all +**\** morning guys +**\** taptap this thing on? +**\** good morning +**\** howdy :D +**\** morn' +**\** i'm actually excited for this meeting because its' been like two weeks +**\** but i don't have much of an update, except "the matching paper is much \*shorter\* now" +**\** :P +**\** allrighty, so let's begin +**\** Heh, no problem +**\** I figure most people took it low this week anyway +**\** as tends to happen +**\** as usual, we'll 1) open up with questions, 2) sarang and i will give some updates, and 3) we'll see if anyone else has been doing anything interesting +**\** so, before we get fired up +**\** who has some questions +**\** ? +**\** oh and, just before I forget: i want to bring the community up to speed on current thinking re: block size blowup +**\** seems like no one has any burning questions +**\** so, sarang, how about you jump in and give us a briefing on your holiday comings-and-goings +**\** Oh I have a question; what's the status on getting rid of / dealing with payment id +**\** (or integrated addresses, whatever the recent discussino was about) +**\** dsc\_: i think we need to bring it up at a dev meeting +**\** ok cool +**\** but i dont know +**\** There's general support for deprecation over time, but the question of how/when is still under active discussion +**\** dsc\_: sgp\_ recently posted a draft blag post on the matter +**\** Right, but that should not be taken as any kind of consensus +**\** i'm not sure how much further the discussion has gotten than the pastebin: https://www.irccloud.com/pastebin/cRwyJViz/monero%20scheduled%20address%20upgrade%20timeline%20%5Bdraft%5D +**\** very little +**\** rihgt +**\** this is still quite fluid +**\** dunno sgp\_'s pretty good at representing that stuff :) +**\** Heh, very true +**\** cheers +**\** hello all +**\** eyyyy +**\** Hi sgp\_ +**\** Want to talk at all about your post draft? +**\** Sure. I outlined my best summary of how Monero will handle payment IDs going forward and how we got to that decision +**\** Of course, we all still need to agree +**\** I have been muddling over your post proposal +**\** i just started reading it this mroning and i'm going to reserve my comments for later today +**\** A good deal of discussion centered around info leakage during multi-destination txns +**\** since there's only one payment ID per txn (kind of a PITA honestly) +**\** and not one per output, which is much simpler IMO +**\** This assumes unencrypted (standalone) payment ID prohibition in April 2019 and encrypted payment ID prohibition (use subaddresses instead) in April 2020 +**\** To what extent do we have exchanges represented in the discussion? +**\** I operate on the assumption that no exchange reps are in any channels +**\** The most we've heard from any exchanges is from LocalMonero that helped initiate this discussion earlier this year afaik +**\** While I don't think we should make decisions based on exchange wishes, they represent a good chunk of user interaction +**\** To what extend would Sarang like to involve exchanges? I mean, probably most of us know some folk who work at exchanges, should an effort be made to get in contact? +**\** My thought has been as follows +**\** Exchanges need to do infrastructure work if we change pIDs +**\** and have little incentive to move to safer alternatives (e.g. subaddresses) without being required t +**\** to +**\** Setting a firm timeline is important, as is providing sufficient time to change +**\** There's almost certainly too few developers doing such things at exchanges +**\** I wrote up this post to help exchanges and other services be prepared, but we've had a historically difficult time reaching these services +**\** nice sgp\_ +**\** One option has been doing wallet defaults only, and not consensus +**\** this at least makes most transactions more uniform +**\** just in my personal view i dont think we need to worry too much about third parties… they're going to have to adapt +**\** maybe part of our discussion should be to hold a call with some folks at exchanges or something like that, but my thoughts on the matter are in alignment with sarang's: the exchange will make whatever \*mandatory\* changes the core team decides upon, and it's not like they are going to be able to say "well, what if you guys did \*this\* instead, it'd be easier on us and it would lead to a better public key +**\** infrastructure" or something. that's not their "mission" so to speak +**\** "we've had a historically difficult time reaching these services" <--- calls may be tough +**\** who's going to pay us to reach out to them though? :) +**\** FFS to the rescue +**\** heh +**\** I can forward stuff to Kraken if neccesary +**\** bah +**\** the exchanges should +**\** if monero moved to pairings based crypto tomorrow and we modified our whole key structure, they would groan, roll their eyes, curse our names, and then make the changes without publicly complaining at all +**\** yes +**\** agreed +**\** I may be able to talk to Circle and Poloniex. I have someone's email +**\** Cool. Step 1: make a damn decision +**\** well, let's do a cursory reach-out. let's see if kraken, circle, and polo are willing to provide some feedback, even if it's "please don't make any changes for the love of god" +**\** unless we want exchange input well in advance of decisions +**\** in the meantime, we'll prioritize a decision on this over the next few days +**\** polo has historically been pretty open to communication +**\** feedback wont do harm +**\** We can still approve or reject this recommendation. Give them a pre-release of the press release of sorts +**\** that seems fair and in line with our transparency +**\** yeah +**\** Cool. thanks guys. +**\** thanks sgp\_ for taking the reins on the public-facing side of this +**\** let's all review and think about options over the next few days as suraeNoether mentions +**\** I've received feedback from a few people. I'll make the changes to the doc this afternoon, but the overall message is the same +**\** esp. relating to timelines, consensus v wallet default, and the consequences on information leakage +**\** okay, since we are on specific topics, before we move on to get sarang's research update, we may as well talk about the blocksize blowup thing +**\** One thing I claimed we are not doing: enforcing payment IDs. Are we in agreement here? +**\** yes +**\** We can't effectively enforce encrypted IDs +**\** Cool, thanks +**\** and wallets can always be dumb about it anyway +**\** but having the default wallet do the right thing will help a great deal +**\** okay, so regarding this blowup/dynamic block size problem +**\** first: solutions are easy and numerous, each with pros and cons, but most involve magic numbers of some sort +**\** for those of us in the audience, a magic number is \*arbitrarily chosen in code\* +**\** and consensus, which places a firm deadline on changes +**\** yes +**\** and this is sufficiently urgent of a problem that we should come up with \*some solution\* asap +**\** the gist of the problem: it's easy to blow up the block size by spending money, and it stays there +**\** it's cheap to keep block size big, too +**\** yes +**\** There was a clever proposal to start the penalty \_below\_ the median +**\** to bring size down by default +**\** others involve (at the very least) a high cap that still avoids the crazy blowup possibilities +**\** Options include but are not limited to +**\** 1) change sample size of median block size to something very large like a year. pro: easy, ensures that an attacker has to be executing an attack for at least half a year before expecting any success. con: adds inflexibility to monero block size. +**\** (it makes sense to make this increase in window size to be somehow proportional to our change in fees, to ensure that it doesn't cost \*less\* to attack today than before bulletproofs) +**\** 2) add a momentum term to block size so that bigger changes are harder to effect. pro: also easy, improved flexibility. con: unlike median, determining the strength of an attacker required to execute the attack over a sustained period is a trickier question. +**\** 3) change block size penalty to begin sub-median. pro: incentive against the attack! great! con: weak incentive, and a determined attacker is already blowing cash on this attack +**\** We should also consider the two parts to this: (1) getting the block size big, (2) keeping it big +**\** yeah, we could add a rapid decay back to "small" +**\** that requires lots of funds to counteract +**\** 4) change block size dynamic updating to an \*additive\* update instead of a \*multiplicative update.\* Example: if median block size for the past N blocks is greater than some threshold, then change block size as S = S + diff\_S instead of S = r\*S for some r. Keep the \*decreases\* in blockchain size multiplicative. Pros: leads to an exponential decay in block size back to zero in the absence of demand, and leads +**\** to at best a linear increase in block size in the presence of demand. Con: Not intuitive? +**\** 5) limit the maximum change in block size over some time period by some factor. example: do not allow block size to grow more than 2x in a year. pro: easy to intuit, provides a cap on growth but still allows growth, etc. 2x a year is very fast exponential growth generally but we would have time to notice a bloat drift attack and maybe come up with other solutions. con: 2x a year is still very fast exponential +**\** growth. +**\** in all cases, we have to end up picking some magic numbers that would need to be justified to the community. example: why 2x a year instead of 1.05x a year, or 3x a year? +**\** isn't prevention a little more important than the cure? rapid decays back would solve one issue but wasn't it determined someone could grow the chain 30TB or something quickly? +**\** last I spoke to fluffypony about this, he said something like option (1) is most easy to get consensus on because we can justify a change based on the decreased fees. the change is pretty intuitive. with an 80% reduction in fees we could have a 5x increase in median sample size +**\** This needs a robust long-term solution, but also a short-term solution +**\** spaced0ut: i agree with that sentiment +**\** suraeNoether: imo the community doesn't need things justified to them so much as you have to consider them justified from a model pov - community looks to you +**\** cause they'll be able to investigate what you propose +**\** endogenic: i disagree. look at bitcoin block size debate or our current ring size debate. everyone wants a justification of the magic numbers proposed. +**\** FWIW the funds required to execute such a bloat attack to TB size are O(100K) USD IIRC +**\** suraeNoether: monero != bitcoin tho.. big differences +**\** magic number != overall strategy tho +**\** wow r u me +**\** If you ask for community consensus, you'll get the noisy ones to get their way, and they'll typically be short term profit people who \. +**\** I want developer consensus +**\** ^ +**\** Oh, then that's much better. If you include people like ArticMine in this. +**\** Everyone will/should agree that avoiding TB bloat is worth changing shit +**\** People Who We Know Have A Clue. +**\** \*nod\* i agree with all the above, to be honest +**\** at the very least, getting a worst-case short-term fix (like a high cap) in place for spring is the necessary starting point +**\** as long as the change clearly shows everything possible is being done to have to avoid setting a hard limit like BTC. not many will think negatively. +**\** i think for the spring hard fork, we should try for (1) and (3) together. start penalty at 80% median, and increase median sample size window by 5x. +**\** spaced0ut: a hard limit while we actively determine a more robust solution isn't all bad +**\** but I see the point +**\** but before we make that decision, i want to back-of-the-napkin the cost of the attack before and after the change +**\** Isthmus has been helping with some of that +**\** but we should also make a decision on this v soon, like end of week +**\** Isthmus has a technical note draft on it +**\** the cost of changing block size dynamics a second time later this year is low; the cost of permanently bloated blockchain is much higher in my mind +**\** If we establish an idea, we can compare to his original analysis +**\** yes +**\** doing nothing is the worst option +**\** sarang: yeah exctly.. when he's done sleeping and recovering from the past month of work. :P +**\** OK, for the sake of this discussion, let's work up a proposal for combining options 1 and 3 from suraeNoether's list above +**\** (not right now, but I mean as an initial proposal) +**\** sarang, i agree. its probably the safest option for XMR's longevity really. that won't be fun to explain so that most people understand though +**\** that will make the attack slow and expensive, and bring block size back down after such an attack +**\** yep. let's shoot for end of week for our proposal +**\** spaced0ut: it's easy if you say "the consequence of leaving it is TB blocks" +**\** people hate bloat already +**\** yeah +**\** These options have little effect on the average user if done properly +**\** we don't really have MIPs do we? :P +**\** nope +**\** Every Commit Is a MIP (tm) +**\** that should be on a t-shirt with several cows coding on the back +**\** paging rehrar[m] i'd buy several of those shirts +**\** well, two +**\** So +**\** This week I've been doing lit review in between Festivus celebrations, and doing some documentation writeups +**\** The intent of the block size increase is to allow sustained spikes (to the extent it is not an oxymoron). A year's smoothing will prevent that from working. +**\** moneromooo: yes, but at the cost of our simple model failing to prevent sustained bloat +**\** That seems to be a false dichotomy. +**\** Should sustained spikes not also yield a corresponding cost? +**\** moneromooo: ehhh it doesn't prevent it. it merely raises the bar for what is required to push block size up, so spikes have to be sustained longer for them to impact the base layer. but you are correct; any time we have a variable/dynamic capacity, this allows for bloat, but fixed capacity is inflexible +**\** but to be perfectly honest, if we find ourselves in a situation where people are regularly waiting until the next block to stash a transaction because the current block is full... +**\** This is a negative question, so "sustained spikes should yield a corresponding cost". +**\** then in this situation, we probably will have some lead time to correct our block size dynamics to prevent it from being a systemic load problem +**\** The point is, if ytou have to waiut for half a year for the thing to kick in, it's pointless for spikes. +**\** moneromooo: well, we can try one of the other methods that are more immediately flexible, like a momentum term or whatever +**\** or we could just make fees great again +**\** yes ^ +**\** heh yes to which +**\** on the other hand, we could just recognize the dynamic block size flexibility to be a long-term flexibility instead of somethign designed to handle short-term volume spikes +**\** fundamentally, the reason bloating the chain is cheap is because fees are cheap and XMR/fiat is cheap +**\** hyc yes +**\** Just throwing an incomplete idea out there. Has anyone thought about increasing fee's as block size increases then decreasing fees based on some median tx count? +**\** spaced0ut: the idea of blocksize-dependent fees is one that is very interesting to me, but i haven't dived into the idea +**\** but that allows for an attacker to bloat the blockchain and drive everyone else's fees up, ala the bitcoin bloat from ... whenever that was. 2017? sheeee +**\** i think that one was just lots of real transaction activity? +**\** yes, but the net effect is the same +**\** everyone else's fees go up, to get their txs mined +**\** okay, we'll think about this a little harder this week and see what there is to see +**\** brb +**\** which is what makes this problem hard, you have to increase the cost of bloat attack without also making transactions way too expensive +**\** two sides of the same coin +**\** I would say that's an impossibility +**\** of course it's impossible to do both at the same time, i mean it's hard to balance the two right +**\** you can't distinguish "real" txs from "bloat" txs +**\** the truth has been said in here multiple times already. it just sucks to admit. unfortunately our chain isn't insanely expensive to attack right now. there has to be a limit. make it complex or simple but it comes down to size not cost. can't make cost high enough without making it expensive for legit use. +**\** standard tragedy of commons scenario +**\** and size is dependent only on usage, of course... if you need to get N txns on chain, it costs O(N) in size no matter what +**\** Aight, that's two items of priority: (1) fee structure; (2) payment ID timeline +**\** Any other work of note? +**\** I'm doing some more work on multiuser txes (the type you can use, eg, coinjoin with). +**\** That might be interetsing to people here ? +**\** go on... +**\** is there a benefit of doing coinjoin when we're already doing RCT? +**\** Yes. Even more privacy. +**\** And atomic multi user spends. +**\** ahh ok +**\** does it require all participants to be online at once? +**\** There \*might\* also be a way to have smaller range proofs, but I'm not sure. +**\** No. +**\** Go on... +**\** Well, yes if you want it to be fast :D +**\** I always want computers to be fast. +**\** What's the basic structure moneromooo ? +**\** I'm making it like multisig. You pass a file around, and write your things. 2N-1 comms though. +**\** afaik this is the first I've heard of your work +**\** atm, I've got a first N comms rounds with everyone adding their inputs/outputs, then another ~N with people signing after checking their I/O are what they specified. +**\** who would want to use this approach? +**\** People who want to use a coinjoin style tx, and people who want to atomically pay. +**\** passing this file around sounds like it carries sensitive info, what's the danger of exposing it prematurely? +**\** (ie, Alice and Bob want to pay Carol, but only if the other also does) +**\** Not much I think. +**\** you're effectively doing partial signatures? +**\** You create MGs for the outputs you own. +**\** So kinda yes. +**\** MG? +**\** I think that's a MLSAG. +**\** The smaller range proof idea would be an MPC on a bulletproof? +**\** which is possible, but we've never had a definite use case +**\** I don't know. That'll be your job to find out :P +**\** heh +**\** well fwiw, bulletproof mpc is a known construction +**\** damn, missed the bloat thing. i like 1 and 2. I think 1 can be the quick easy fix for now... and if we can figure out the best double mechanism (#2) then we should probably switch to that, because that can allow for spikes +**\** tnsepta: if you have more than one user, it breaks down some of the analysis you can do since you can't assume all inputs have a common owner. +**\** moneromooo: is there a branch with any work? or is it just at the "here's the math" stage? +**\** There's a "multi" branch, which has a PoC in core\_tests. +**\** I've started working on the simplewallet tooling now. +**\** Could the same attack used to expand blocksize and bloat the chain also be used to create an insane amount of identical mixins to the point that future tx would have a high chance of having 10 identical mixins and your real spend? +**\** How do you get so much done simultaneously moneromooo ? +**\** Surely you burn the candle at all ends +**\** I have four legs. Humans only use two hands to type. +**\** spaced0ut: what do you mean? +**\** Do you mean the ring union analysis method? +**\** it's extremely unlikely to occur without active selection +**\** Unless you mean that the adversary controls a large percentage of available outputs and therefore knows other true spends? +**\** okay. i wasn't sure if that held true in a scenario where the chain grew 100x larger and an attacker was sending the exact same amount every time. i'm a noob on input selection +**\** In that case, sure, that's always a possibility for an attacker who wants to spam the chain +**\** Amounts are irrelevant +**\** yes ofc. i worded that funny. you answered me though thanks +**\** roger +**\** moneromooo: your idea intrigues me, and I'll be interested to examine the details +**\** Well, we have come to the end of our allotted time +**\** Great discussion all around +**\** We'll each move into the future sometime today; let us know what it's like when you get there diff --git a/_posts/2019-01-07-logs-for-the-Monero-Research-Lab-meeting-held-on-2019-01-07.md b/_posts/2019-01-07-logs-for-the-Monero-Research-Lab-meeting-held-on-2019-01-07.md new file mode 100644 index 00000000..1b72cd49 --- /dev/null +++ b/_posts/2019-01-07-logs-for-the-Monero-Research-Lab-meeting-held-on-2019-01-07.md @@ -0,0 +1,269 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2019-01-07 +summary: Sarang work, Surae work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** okay everyone +**\** time for our Monday research meeting +**\** before we get going, let's open up the meeting to questions! i like questions +**\** I want to know whether knaccc's propose change to the ecdh mask is good/safe, so I can code it early enough for the fork. +**\** is knaccc around? i'm still unclear enough on the details of \*what exactly\* is being proposed. in terms of security, picking a mask from the same set as the value to be hidden is fine to do, but the devil is in the details +**\** Right, so the idea was to make the ECDH amount mask deterministic from the shared secret +**\** i thought it was to select the mask from a smaller set so we can describe it with fewer bytes +**\** e.g. mask = H('mask',z,i) for example +**\** There was a separate idea to shrink the size of the encrypted amount data type +**\** making the mask deterministic means you shave 32 bytes off each output +**\** ah, i see. and the question is "will this be good enough entropy because z itself is hashed?" +**\** The only thing to consider, I think, is that outputs with the same index and shared secret share a mask +**\** if we are concerned with loss of entropy, we can use HMACs. they don't lose entropy after iteratively hashing in the same way... oh +**\** what if we add an additional nonce that indicates the index among the outputs, assuming the output keys are lexicographically ordered? +**\** From an MLSAG perspective, we care only that the mask is uniformly distributed and known only to the sender/recipient +**\** that's what the proposal includes +**\** ie H(m,z,i,j) where j = j^th output +**\** oh +**\** i'm clearly catching up on this. :P i didn't know this was written up, can I get a link? +**\** I don't believe that was written up AFAIK +**\** oh, then i feel a little less bad +**\** wait quick question +**\** H('mask',z,i,j)... z is the amount being masked here? +**\** No, z is the shared secret; z=arG in the standard address case +**\** The encrypted amount is still included elsewhere in the ecdh data +**\** yeah, looks fine to me. my only concern is that an adversary gets some partial control over z +**\** How? +**\** but that's taken care of by CDH +**\** sender picks r +**\** recipient picks a +**\** they both have a little control +**\** Well previously we used a random mask and used z to encrypt that +**\** So anyone who got z could compute the mask anyway +**\** The difference here is that the mask is now completely deterministic +**\** is there a "known-best" algorithm, or set of algorithms, for generating a bounded random distribution? +**\** oneiric\_: you mean a uniform distribution on a bouned set or...? +**\** that's true, sarang, but ... +**\** ... +**\** there's a difference here, and i need to figure out how to express it. one moment. +**\** The way I see it, the difference is only that the mask is now deterministic but still limited to the view of sender/recipient +**\** It's reused if the same shared secret is used elsewhere with identical index +**\** suraeNoether: mean like, obfs4 generates random padding for dpi resistance. they bin based on common tor packet sizes. would like to know if there are particular mutations should perform on sampled, binned sizes to get a good random distribution +**\** okay, so the difference here is that \*partial adversarial control over this z\* is being combined with using z as input for a one-way function that is allegedly masking some secret information. +**\** the sender presumably wants to protect their own amount +**\** the recipient could just reveal their own private view key if they want to be a jerk +**\** so control over view key a isn't a big deal +**\** Our use of hash functions is about as uniform as you can expect (slight bias with H\_s) +**\** Again, keep in mind that anyone who can compute the shared secret (e.g. view key) can \_already\_ decrypt the mask now +**\** right, the only fix i can think of would be computing H('mask', HMAC(z), i, j), which would sort of ensure that the security reduces to \*revealing z,\* following the strength of hmacs +**\** and thereby reconstruct the amount commitment +**\** and i'm not sure what would be "fixed" +**\** other than, in general, i like avoiding using any adversarially controlled data as input for protecting a secret +**\** Pro: shave off 32 bytes per output; commitments themselves are not deterministic +**\** whoops, that was for the con list +**\** Only downsides I see in practice relate to reuse of shared secrets +**\** well, if it's two separate transction,, the sender should select two distinct random keys +**\** Sure, but they don't have to +**\** but what if a sender maliciously selects the same random transaction keys on purpose? what happens? the mask is the same for two different transactions. +**\** right +**\** but the sender already knows the amounts +**\** In any case, it only leaks information that the two parties had already +**\** if you use the same r or s with the same recipient twice, i don't think that's a security breach +**\** it's a linkability breach though +**\** But it was already +**\** yes +**\** knaccc: if i'm an observer and i know two transactions use the same mask, i can figure out which transaction is larger and i can compute the \*difference in amounts\* between those two transactions +**\** so i suppose this could be a way for a sender to surreptitiously leak transaction amounts to exterior parties without ever revealing anything to them directly +**\** suraeNoether: that was already possible +**\** suraeNoether yes i agree +**\** right yes, they could always set the same mask twice +**\** now there is only one random variable to not screw up :) +**\** on the other hand, the problem can be avoided by computing the mask as H('mask', z, i, P\_output) where P\_output is the output key being masked. +**\** Not even that... the encrypted amounts already use the shared secret +**\** why not H('mask', z, i, P)? +**\** sarang lol yes good point +**\** In fact, encrypted amounts should also use P +**\** okay, so including P seems to be a good way to avoid the lex ordering above too +**\** holw on, what's z? the shared secret? +**\** heck, you could include as much crap in that hash as possible, like the signing ring and everything public +**\** Oh heh, including P really does nothing +**\** knaccc: yeah, rA = aR +**\** it's determined from z entirely +**\** d'oh +**\** oh hehe +**\** Reusing this to the same full address will gain you nothing +**\** So: the motto is basically not to reuse shared secrets, or you're already being bad to yourself +**\** and you may be being bad to your recipients +**\** suraeNoether do you really mean Hs(aR||i)? +**\** knaccc: yes +**\** i think +**\** cool just checking +**\** \*thumbs up\* +**\** cos it's only the per-output shared secret that is ever used anywhere +**\** okay, moneromooo sarang +**\** oh wait +**\** ... +**\** okay i agree, re-using transaction keys r is the root of all evil. +**\** but we need some way to order these keys for multiple outputs at least +**\** So since money is the root of all evil... you make money by reusing transaction keys ? +**\** suraeNoether the ||i in the per-output shared secret does that, right? +**\** heh +**\** yes +**\** yes +**\** yeah, that's a good way to deterministically derive masks +**\** i like it +**\** okay, moving along: do we have any further questions? +**\** There was the question of a reduced amount ecdh size +**\** I'd like to get that written out with details ^\_^ +**\** just the one about random distributions... +**\** The final "this is good, safe and vetted" version if you will. +**\** oneiric\_: i need a little bit more detail on your question +**\** I thought the amount size one was already vetted ? +**\** very non-urgent, but there is the refund scheme. https://paste.fedoraproject.org/paste/lpM4dWKuV7KKCeAPn~P4Fw/raw +**\** knaccc: yeah i started reading that right before the meeting +**\** Regarding the 64-bit amounts, I know it was discussed earlier but thought it best to bring up in meeting for a final thumbs-up +**\** suraeNoether: what more information do you need? +**\** oneiric\_: " they bin based on common tor packet sizes. would like to know if there are particular mutations should perform on sampled, binned sizes to get a good random distribution" <--- do you mean you have a histogram and you need to pick a random number from that histogram as if it were a probability distribuiton? i'm not sure what you mean yet. +**\** picking from a histogram sounds pretty close to what i want to do, or close to what obfs4 does +**\** sarang: let's collaborate on an ascii one-sheet for moneromooo on both amounts and masks for moneromooo +**\** oneiric\_: oh then the answer is: hells yes +**\** i'm not sure if this is sufficiently on-topic for the room +**\** ok, will keep looking elsewhere. thanks suraeNoether +**\** Can we confirm people's thoughts on reducing ecdh amount size? +**\** oneiric\_: nah, i got you in PM +**\** Right now encrypted\_amount = amount + H(z) +**\** :) +**\** all are 32 bytes as usual +**\** the proposal was to reduce amount to 8 bytes, take the bottom 8 bytes of H(z) and XOR +**\** thereby keeping that data type down to 8 bytes +**\** moo has reimplemented that as encrypted\_amount = keccak("amount" || shared secret) +**\** mooo\* +**\** Sure, that's even better +**\** Er, wait +**\** that's the final encrypted amount sent to the recipient? +**\** oops i left out tons. i meant encrypted\_amount = 8 byte amount XOR 8 bytes of keccak("amount" || shared secret) +**\** aha +**\** yes +**\** I seem to remember suraeNoether had much to say about this earlier when it was first brought up? +**\** i think surae might have been thinking about what would happen if there was an auth tag or something to check brute force attempts against +**\** nope, i never should have brought auth into the discussion becuase it was aside the main point +**\** Is output index also considered in this hash construction? +**\** so the main thing my concern was +**\** yes the entire thing is encrypted\_amount = 8 byte amount XOR 8 bytes of keccak("amount" || Hs(8aR||i)) +**\** hiding an N-bit number with an N-bit number, mod 2^N +**\** why 8aR? aR is guaranteed to be on the curve if A and R are both on the curve... +**\** Recipient can't guarantee anything about R +**\** yes, but instead of checking if R is in the subgroup of G, we just mul8 so no check is required +**\** everywhere you see people talking about aR, they really mean 8aR +**\** that's something people don't discover usually until they read the code +**\** because it's always ommitted for brevity +**\** oh fantastic, that's fine +**\** i usually only think about it when computing hash-to-piont +**\** point\* +**\** that's bad of me +**\** When people tell me aR, I compute aR... +**\** Hence writing up details on this as requested +**\** moneromooo well in the ecdh case, you were using a shared secret that was based on 8aR +**\** so, short answer on whether it's safe to just use 8 bytes of keccak to mask an 8 byte number +**\** is yeah, it should be fine +**\** partaay! +**\** although rather than only xor'ing the first 8 bytes +**\** you could break keccak(stuff) into 8 byte blocks and xor all of them +**\** lol +**\** ? +**\** there's nothing to be gained from that +**\** Can I take this as a vote of non confidence in keccak ? :P +**\** 8 byte amount XOR first 8 bytes of keccak XOR next 8 bytes of keccak XOR ... +**\** no, it's simply using all the entropy from the output of keccak +**\** it's pretty standard practice when you have a csprng to just xor the stream against the plaintext +**\** yes +**\** yeah, it is +**\** and you don't need more than 64 bits of entropy to encrypt 64 bits +**\** moneromooo: sure, replace keccak with the identity function for simplicity +**\** There is a pointless keccak you mean ? +**\** i don't know what sarang means either +**\** i'm just mentioning it's an option. if the first 8 bytes are indistinguishable from uniform, then great, but reducing the output of keccak to the first 8 bytes does a lot to hurt 2nd pre-image resistance. +**\** Hmm. OK. There's a few places where that's done. Like the payment id stuff. +**\** I think some subaddress stuff too. +**\** right, so the question is whether the first 8 bytes of keccak are indistinguishable from uniform, which I think it is +**\** otherwise it'd be a terrible hash +**\** I was only joking :/ +**\** hehe +**\** Yes, a subset of the hash output is uniform +**\** i need to think about exactly how much 2nd pre-image resistance is even important here, though +**\** Keep in mind that the recipient does a commitment reconstruction too +**\** So any mismatch between encrypted amounts (which the sender can always just make up) and the commitment will be detected +**\** We should always assume that the sender is lying about the amount +**\** even if we find two R, R' such that keccak("amount" || Hs(8aR||i)) is identical, we send two transactions to whoever controls the view key a, and the encrypted amount has the same xor mask... but so what? even if you took those two encrypted amounts and xor'd them together, you would cancel the mask, but then you just have two xor'd amounts... i don't know. +**\** anyway, we can avoid the problem of 2nd pre-image resistance by XOR'ing all the blocks +**\** i'm just not convinced it's important here +**\** i think keccak is immune +**\** keccak is pre-image resistant. truncations of keccak are not necessarily. easy example, the \*first bit\* of keccak is \*not\* second pre-image resistant +**\** So something like this ? https://paste.debian.net/hidden/38907823/ +**\** (not tested yet) +**\** if the first bit was not 2ndpreimageresistant, then it would not be a decent hash +**\** moneromooo: that looks to do what i think it should do, yeah... but that's assuming sarang and others agree with me +**\** Well, it can't hurt, even if it's pointless. +**\** knaccc: technically it's pre-image resistant \*asymptotically.\* but in the concrete sense of security, i can break 2nd pre-image resistance for the first bit in an astonishingly short period of time +**\** it only helps if the randomness in the hash is not evenly distributed +**\** moneromooo: yeah, the cost is a few milliseconds when signing. \*shrug\* +**\** suraeNoether maybe you'll have to spell out how you'd do that, but i don't think that's possible if the first bit is uniformly distributed +**\** knaccc: okay check it out +**\** pick a random number x +**\** compute keccak(x) +**\** select the first bit +**\** i have a 50% chance that your bit matches the first bit of keccak(0), and a 50% chance it matches keccak(1), and a 50% chance it matches keccak(2), and so on +**\** yes +**\** finding a 2nd pre-image for your bit is as rapid as finding a heads up fair coin +**\** this seems... pedantic +**\** maybe i need to re-read the definition of 2nd pre-image resistance and why it matters in this scenario +**\** for the level we're working with (2^64) it should not +**\** it is. i'm just saying truncating a secure hash function according to whatever security property we are talking about... in general.... doesn't result in a secure hash function. +**\** ^ it is \*pedantic\* +**\** knaccc the answer you are looking for perhaps is this: i have to try, in expectation, as many pre-images as there are possible outputs, before finding a 2nd pre-image +**\** so asymptotically with a security parameter that gives you the ridiculous 1-bit case, it's still technically a secure hash function, i guess +**\** it's just not practically one +**\** anyway +**\** sarang: how about you tell us about your work for the past week or so, and then i'll give my update, and anyone else doing any other work can chime in +**\** and we'll wrap it up +**\** suraeNoether ah sorry i know what you mean by 2nd pre-image resistance now, for some reason i was confused on terms. so yes, there is certainly a 2nd pre-image resistance issue at 64 bits +**\** but not in a way that actually matters +**\** This past week has basically been a sandstorm of proposals to consider and review +**\** Payment IDs +**\** Refund addresses +**\** Block size and penalty structure +**\** and so on +**\** as well as the release of the second episode of Breaking Monero +**\** oh yes i loved one of your metaphors in that vid +**\** knaccc: right, finding a 2nd pre-image at 64 bits itself takes a long time. it's not cryptographically long periods of time short of 80 bits... but i can't really think of what such a pre-image would gain an attacker, either, so like I said i'm not sure how much it's necessary +**\** can't remember what it was now +**\** Was it burning the envelope as a heuristic? +**\** it was eating the envelope and walking away +**\** heh +**\** i lolled like crazy on that +**\** The current loose consensus seems to be that a two-median approach to block size cap is reasonable but not ideal +**\** as it will at least slow the bloat +**\** For payment IDs there is less consensus about the timeline +**\** my work this past week included: 1) some coding simulations for the matching paper, 2) working on the monero konferenco website, which should be up and running before jan 15, which is when i'm going to put out a formal call for papers (although i've already heard back from a few folks). 3) refund proposal by charuto (I think it was charuto?) and 4) block size stuff. i was going to participate in breaking +**\** monero this week but I got caught up on the block size stuff, unfortunately... it appears to me like the problem with the blocksize debate boils down to this: we don't necessarily know what we want from our own dynamic blocksize adjustment methods +**\** we know some loose ideas about what we want, like adapting for rapid short-term growth that handles, for example, the holiday season, and we want block sizes to stay small unless it's needed +**\** but the details of what behavior is considered malicious and which should be adapted for ... these aren't totally clear to me. so i've been thinking about those things, too. +**\** oh, and 5) fees. i've been thinking about fee strucutre. but that ties in with 4). +**\** i just have not had time to get into the payment ID discussion :( +**\** timelines are really about politics more than tech +**\** yes +**\** and the timelines for applications and users of pIDs +**\** sarang: since pay\_id isn't necessarily a security issue, but they are so freaking annoying, where do you stand on timeline for deprecation? +**\** Well, they can be a problem if not enforced +**\** Most complete option is full deprecation of unenc/enc, which I support doing all at once +**\** probably fall 2019 +**\** at the very least, remove unenc and enforce enc (to the extent possible) with wallet default +**\** okay, guys, i want to continue some of these discussions for sure, but let's call it for the official meeting time +**\** sarang, thank you +**\** Should I re-write my post to say all payment IDs are disallowed in the Fall 2019 upgrade? +**\** sgp\_: you were interested in learning who uses unenc, right? +**\** To get a better sense of who needs to switch over and for what uses +**\** Shapeshift does. +**\** thanks guys +**\** thanks all for the meeting diff --git a/_posts/2019-01-14-logs-for-the-Monero-Research-Lab-meeting-held-on-2019-01-14.md b/_posts/2019-01-14-logs-for-the-Monero-Research-Lab-meeting-held-on-2019-01-14.md new file mode 100644 index 00000000..1f4bc8db --- /dev/null +++ b/_posts/2019-01-14-logs-for-the-Monero-Research-Lab-meeting-held-on-2019-01-14.md @@ -0,0 +1,358 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2019-01-14 +summary: Upgrade items, Research, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / sarang +--- + +# Logs + +**\** But, let's begin +**\** The agenda, as linked above: http://paste.debian.net/hidden/4ae0abc9/ +**\** 1. GREETINGS +**\** hello all +**\** hi +**\** o/ +**\** We have much to talk about today +**\** I'm going to move the Matrix item to 1.5. META +**\** hello! +**\** howdy +**\** charuto asked if we could do a deeper Matrix integration of this room +**\** what does it entail? +**\** i'm neutral on bridges generally +**\** Right now AFAIK, the room is a portal in matrix, and the desire is for a plumbed room +**\** https://github.com/matrix-org/matrix-appservice-irc/wiki/Permissioning-in-Portal-vs-Plumbed-rooms +**\** This would have the side effect of allowing Matrix-side ops to exercise control over Matrix users in the room, but not on the freenode side +**\** i'm not really grokking the benefit +**\** And be consistent with how other rooms (e.g. monero-community) are set up already on Matrix +**\** charuto: are you present? +**\** yeah, it would mostly not change anything IRC side, just here on this side, would allow for a more visible monero research lab matrix room and some matrix moderation options +**\** charuto is already matrix-side op for other monero rooms +**\** Provided we have another admin as well, I am not opposed to this +**\** However, I'll request loose consensus from the room now before enabling +**\** Hi everyone +**\** and yes, sarang is correct, it's mostly for matrix-side consistency, so matrix users can simply join #monero-research-lab:matrix.org +**\** okay, so i'm not really following why this is fine +**\** charuto, no offense intended, please, but +**\** if someone comes to the matrix room and thinks you are in charge... \*shrug\* +**\** i don't see a benefit to this +**\** I originally had similar concerns, but that's possible right now with the portal room +**\** i see this as an opportunity for someone to act as a middle man to interact with me, and that makes me nervous +**\** sarang: we can't stop someone from starting a portal room but we don't have to give them permission to plumb +**\** i literally mean no offense, charuto, i am sure you are running the rooms responsibly but +**\** i'm open to changing my view +**\** if someone can explain the benefits other than consistency +**\** i understand your concern, suraeNoether , but the alternative would be people not even getting to the room +**\** i thought there was already a room +**\** that is a portal +**\** so +**\** If this makes it easier to use on the matrix side, and introduces no new problems that don't potentially already exist, I am fine with it +**\** how does that work then +**\** the portal room will remain, im trying to add a plumbed room +**\** cant remove portal rooms +**\** then how is the alternative people not getting in? +**\** maybe i'm confused about how matrix works +**\** some people dont know how portal rooms work and only join publicly listed matrix native rooms +**\** on other monero channels, portal rooms always have less matrix users than plumbed rooms +**\** it's the difference of joining #monero:matrix.org or joining #freenode\_#matrix.org +**\** typo, #freenode\_#monero:matrix.org +**\** uhm +**\** Given that suraeNoether is an op in this room, we won't proceed at this time if he objects +**\** so i guess my question is now reverting to a rude one: are people who can't figure out how to go to freenode.net and typing /join #monero-research-lab going to be helpful contributors in this room +**\** This issue will be tabled until after the meeting, so we can move on and respect attendees' time +**\** k +**\** On to 2. UPGRADE ITEMS +**\** The block size algorithm has been discussed at length here and in -dev +**\** (I think that's a fair question surae) +**\** Loose consensus seems to be that the recommended approach, a dual median cap, is a reasonable stopgap that slows bloat, but it not a long-term solution +**\** ArticMine: given your deep involvement in this, can you comment? +**\** the proposal on the table is to cap the next block at min[ 1.4\*median(100), 50\*median(100000) ] +**\** (others are welcome to comment as well) +**\** i'm happy to endorse this +**\** Isthmus may have thoughts on simulations, but he's always super busy +**\** A lot of debate centered around this not being a long-term solution, and I agree +**\** Yes I can comment on this. +**\** What this does is stretch the time required by a lot +**\** ty ArticMine +**\** Fist both the original proposal that I made and smooth's latest proposal fail because they are using the entire block to scale the long term median +**\** smooth's proposal being... ? +**\** So either one has an exponential that scales based upon 50x my original proposal or the burst is lost +**\** smooth's proposal is above in this thread I will try to find it +**\ \** A=median of last 100 blocks +**\ \** B=median of last 100000 blocks (arbitary number, might be changed) +**\ \** maximum block size is min(max(A,300KB)\*1.4,max(B,15MB)\*1.2) (again both numbers could be changed) +**\ \** existing method is max(A,300KB)\*2 +**\** Since code freeze is presumably drawing near, what is your endorsement ArticMine for what to include in the next fork (Boron)? +**\** Right now I am working on a solution that addresses both of the above issues +**\** Basically I does not use the whole block to scale the long term median +**\** but only that part of the block that would have been legal using the long term median +**\** ArticMine: is there a serious flaw in using min[ 1.4\*median(100), 50\*median(100000) ] ? +**\** A benefit of the current approach is that it seems not too large of a fundamental change to include as a stopgap until more complex approaches can be studied more deeply +**\** the 50x factor is applied at the end +**\** like... if we spend another week trying to come up with a better method, is that a good usage of time for the possible benefit of using a different method? +**\** Also we leave the current block scaling formual alone +**\** and instead restrict that effective median block weight to put a rolling cap on it using the long term median +**\** ArticMine: maybe i'm not following you... what do you mean by using the entire block to scale the long term median? +**\** and what do you mean "only that part of the block that would have been legal"? +**\** Let us say that the long term median only allows 400000 bytes for a block +**\** But the short term median allows for 500000 bytes +**\** The lock is legal under both proposals because of the 50x factor on the long term median +**\** Block +**\** Under both current proposals the whole 500000 bytes is used to scale the long term median +**\** What I am saying is that we only use 400000 bytes in that example +**\** This avoids the 50 factor in scaling the long term median that smooth was concerned about +**\** okay, i'm still a little confused, but let me ask a follow-uyp +**\** well its the same question i asked earlier: what is the problem with using min[ 1.4\*median(100), 50\*median(100000) ] ? I'm still not following.. :( +**\** You still get exponential growth over time +**\** it's just slowed way down +**\** okay, i understand that part +**\** The problem is that we are incorporating the 50 facto in scaling the long term median +**\** ArticMine: can you get us a write-up of your suggestions some time in the next few days? +**\** something formal to look at? at least a formula or something +**\** We will need to make a decision ASAP on what to do +**\** That is the essence of smooth'ss concern +**\** Yes +**\** Right now, the only slow-growth proposal that at least has a formula and a simulated graph is the one suraeNoether mentioned above +**\** so I will consider that the current "best option" for now until/unless we get the same detail before freeze +**\** moneromooo: when should freeze be? +**\** When is freeze +**\** We'll move on and assume freeze is "as soon as possible, and perhaps sooner" +**\** my concern is this: the only way to prevent a literal exponential blowup is to put in some sort of hard cap +**\** I has to be a rolling hard cap. +**\** In the interest of time, on to payment IDs +**\** Never a fixed hard cap +**\** Unknown. Pony wanted to have a first build end of january. +**\** sgp\_: you looked into usage of payment IDs by popular services +**\** ok ty moneromooo +**\** I advocate no changes to block cap that haven't been simulated +**\** yes sarang, and it's about a 50-50 split between unencrypted and encrypted +**\** If ArticMine need one more week to finish proving his idea, then I'm totally fine waiting for this. +**\** That will work very well for me +**\** Awesome, thanks ArticMine +**\** sgp\_ and others had proposed candidate timelines +**\** and received some feedback from wallets +**\** Can you explain your findings sgp\_ ? +**\** Sure. Here is where we are at right now: +**\** https://usercontent.irccloud-cdn.com/file/k06P021t/image.png +**\** Though after speaking with Justin from X Wallet, they seem interested in meeting the April timeline to remove the payment ID field when sending +**\** endogenic (who runs mymonero) expressed general concern about the rationale for removing encrypted IDs, particularly citing UX +**\** Cake Wallet says they will remove support once exchanges no longer use it +**\** Based on these timelines, there is no consensus change until fall 2019 (Carbon fork) +**\** endogenic: can you elaborate on your concerns? +**\** endogenic said he'd be unlikely to be available for this meeting +**\** sgp\_: No soft depreciation in the GUI? +**\** In my opinion, the most important goal should be to remove the long unencrypted payment IDs +**\** Let me explain the timeline a little bit more +**\** They are detrimental to UX. Also, I am personally kind of ambivalent on integrated addresses versus subaddresses +**\** Those with -lounge history should look at those logs from earlier today to see his full remarks +**\** As sarang stated, no consensus changes until Oct 2019 (Carbon), when all payment IDs (encrypted and unencrypted) will be disallowed +**\** Subaddresses are obviously better, but I am not sure how feasible it would be to get all exchanges and services to implement them +**\** In April 2019, the official GUI will no longer support sending transactions with unencrypted payment IDs, and the official CLI will force users to use annoying flags to send +**\** hmmm, endogenic makes some interesting points about the memory requirements for subaddresses at exchanges +**\** namely: a big exchange will have to have huge hash tables +**\** sgp\_: The GUI PR I did is similar to the CLI, requires enabling in settings. Why did you mark it as no support? +**\** mooo points out it wont be crazy.. 8mb for a million entries? +**\** (i'm half here, half not. busybusy) +**\** selsta: I thought the plan was to remove entirely. I can make it look like the CLI if that's what we want +**\** I looked, it's actually 32 bytes + 8 bytes, so 40 bytes payload. Plus the tree overhead. +**\** Removing them entirely in the next version is going to lead to loads of user issues +**\** dEBRUYNE: them = what +**\** The option to use long payment IDs +**\** To add them to a transaction that is +**\** sgp\_: https://github.com/monero-project/monero-gui/pull/1866 Disabled by default, can be reenabled in the settings. +**\** Is this preferred? https://usercontent.irccloud-cdn.com/file/4g4NYw3q/image.png +**\** IMO yes. +**\** It at least provides consistency for our default products +**\** If we let encrypted pIDs stick around, there remain distinguishability problems between those txns and those w/ subaddresses and no pID +**\** these are mitigated somewhat by the use of a wallet-default encrypted value +**\** Those will get a 8 byte payment id (if only two outs). +**\** subaddress txns? +**\** Yes. +**\** with a default enc value +**\** excellent; I thought that wasn't the case +**\** Meaning the two choices there are: (1) ban all pIDs at Carbon fork; or (2) allow encrypted with a wallet default for \_only\_ 2-out txns at Carbon fork +**\** Are there other options that I'm missing here? +**\** "Carbon" is confusing. +**\** Carbon is Oct 2019 +**\** fall fork; the element is carbon +**\** Wait. Carbon has 12 protons doesn't it ? Already there ? +**\** If exchanges and pools batch Monero transactions now with payment IDs, then they will need to change their behavior nevertheless +**\** actually wait, they can't do that. disregard +**\** If we are specifying a wallet default encrypted ID for subaddress transactions as well, I am less concerned about what happens if encrypted is permitted +**\** Ah, 14 protons \*and\* neutrons. Shame on me. +**\** since we cant' enforce payids to be encrypted/can't verify that the payid has been encrypted, this new chart says to me "we aren't doing antyhing about this until october": +**\** What we're doing is encouraging exchanges to move off unencrypted +**\** and requiring it in October +**\** \*nod\* +**\** I would much rather move totally to subaddresses to streamline this process. mandatory encrypted payment IDs seems really clunky to me +**\** Deciding on the fate of encrypted is important, so they know what to code +**\** it's not mandatory +**\** no sarang, it looks like in october we are even deprecating the encrypted payids +**\** StupidWallet2.0 can always put 0 +**\** even default seems clunky to me +**\** suraeNoether: according to sgp\_'s proposal yes, but we're discussing the consequences of what happens if encrypted is allowed to live +**\** no one should use payment IDs when sending funds to subaddresses +**\** ah +**\** No, but they're important for distinguishability +**\** You can tell subaddress vs non subaddresses btw: additional tx pubkeys. +**\** For Carbon, I'd much rather remove all payment IDs to solve the distinguishability issue +**\** It's all a bit shitty isn't it. +**\** \*mitigate to the same extent +**\** i agree with sgp. this makes me ask why we are even specifying the difference between encrypted vs. unencrypted, if the plan is to deprecate both by the october upgrade, and nothing about them is changing before october, and we can't enforce any shift away from unenc anyway +**\** Yes moneromooo but it doesn't give away info in the case of, say, exchange true inputs +**\** moneromooo: lol +**\** moneromooo: i knew a guy with a tattoo that said "life is a big shit sandwich and every day is another bite" +**\** seems like a similar sentiment +**\** suraeNoether: ignoring the chart, the question at hand is what to do about encrypted: keep around, or get rid of it in fall 2019 +**\** sgp\_ recommends nixing them in fall +**\** yes +**\** endogenic and dEBRUYNE suggest keeping them around +**\** If we keep encrypted around, the wallet needs to always include dummy values +**\** Suggest might be a bit excessive +**\** ok +**\** sarang: if we keep encrypted around we may as well not make any changes +**\** I am just skeptical of the feasibility of forcing all exchanges to upgrade to subaddresses +**\** because there's no way to enforce that they are encrypted +**\** I'll probably just start warning about them when used, like I did for 256 bit ones earlier. +**\** dEBRUYNE: it's more feasible than asking everyone nicely to only encrypt their payids +**\** I think that given the timeline, we should be abitious and encourage them to update +**\** suraeNoether: no, but we are nixing long pIDs in fall +**\** I suppose it could work if some workgroup started contacting exchanges soon +**\** This is ~9 months away +**\** That provides them almost 10 months to implement stuff +**\** so the wallets will always encrypt whatever value the exchange tells them +**\** It is true that we cannot enforce legitimate encryption over random values etc +**\** So for the upcoming spring (Boron) upgrade, CLI/GUI \_will\_ permit sending with long pIDs with a flag and terrifying warnings of death +**\** And we will have public notice that long pIDs will be consensus-denied in fall 2019 +**\** We \_should\_ produce a decision about encrypted at the same time, so services know what to expect and start developing for +**\** But I am not seeing any firm agreement about the latter +**\** I argue that we should write a post including the aggressive timeline. Luckily, if there is an implementation disaster, we can always walk back with nearly no effort +**\** fact of the matter is, either we want people using subaddresses, or not, and we certainly dont' want to keep adding mroe and more address types. usual address + unenc payid, usual address + enc payid, integrated address, subaddresses... especially since subaddresses are (1) efficient for users and (2) cover all the use cases, and since (3) we can't enforce the difference between the first three, but we can +**\** enforce subaddresses, the way forward to me is totally clear +**\** moneromooo: why +**\** because of daemon parsing? +**\** Because it's always coming back. +**\** Yes. +**\** Is it more than parsing for size? +**\** I don't understand that question. +**\** It has to parse tx\_extra afaik +**\** We're already over time, and we still need to bring up another upgrade change: commitment amount/mask changes +**\** Commitment masks will be generated deterministically and not included separately in the ECDH data, saving a bit of space +**\** Amounts will be shrunk to 8 bytes and XORed with shared-secret-hash data +**\** This is probably... less controversial than the other changes :/ +**\** Any questions/comments on it? +**\** This was proposed by knaccc and talked about earlier here and in -dev +**\** moneromooo has a branch for it +**\** yeah, sarang and i have considered it and we agree that this still provides the perfect hiding property of pedersen commitments, and commitments to amounts are as binding as they were before our proposed change +**\** it's a small space optimization. knaccc had the idea, right? or who came up with iut? +**\** knaccc +**\** it's simple and clever +**\** clever in a good way? +**\** yes +**\** cool +**\** Just in general, do you feel it's the worth the (potential) risk? Imo the size savings are not that significant +**\** Yes +**\** It doesn't leak additional information that sender/receiver didn't already hold +**\** it's 56 bytes per output, but that's significant on a pruned transaction +**\** OK, in the interest of time, very briefly on to 3. RESEARCH +**\** There are now a few options on the table for refund addresses +**\** knaccc proposed one that involves no consensus changes +**\** another uses a non-interactive DLSAG approach but requires substantial overhaul to the plumbing with many subtleties, but could allow for payment channels etc. +**\** and another was posted (link in the agenda) +**\** just stuff to chew on, likely not before the upgrade IMO +**\** since it requires a lot of wallet fun +**\** moneromooo has been working on coinjoin-style fundamentals +**\** I'll be writing up some bulletproofs mpc for that +**\** thank you ^\_^ +**\** I posted a few papers of interest in the agenda +**\** ( still on the previous topic, but just a quick comment dEBRUYNE: the savings aren't that significant, but afaict, the security is concretely very similar (if not identical). It's a no-loss decision, in my mind ) +**\** Since we're over time, any very quick updates from others? Then we'll review action items +**\** sarang, are your comments on the matching paper complete? was our conversation last week all your thoughts or am i waiting on more notes from you? +**\** I am just warry of the change somehow being exploited later on +**\** One question about refund addresses: only one of those proposals helps with payment channels ? +**\** I am nearly complete, was derailed by an unrelated topic +**\** Does it necessarily matter we're over time btw? I don't mind continuing :p +**\** for non-interactive use +**\** i started a "linear techniques in applied cryptography" document to keep my notes on Ruffing's scheme, Schnorr signatures, Bulletproofs, and Bootle's polynomial commitments all in one neat and tidy place. i may tweak it over the next year in little ways with the long term goal of writing a book +**\** We don't have a concrete proposal for integrating knaccc's or Ilya's schemes into a payment channel system safely +**\** moneromooo: DLSAG is good for payment channels... cryptonote++ or ilya's paper... i believe that is non-channel based refund addresses +**\** DLSAG ensures you can properly track spends +**\** hence the tomfuckery with key images and signature style +**\** So for the sake of sanity, here are the action items that are time-sensitive: +**\** (a) block size cap algorithm: we need a method that has been simulated in time for freeze +**\** (b) payment ID timeline: we need to know the fate of each address type to make a unified statement for services to use for planning +**\** (c) any objections to the ECDH data change are at the "speak now" phase +**\** Non-sensitive items: +**\** (d) we can talk after the meeting about the Matrix room integration +**\** (e) the MRL-0011 paper will be released to this group when I get my reviewing ass in gear again +**\** (f) refund address options should be investigated more thoroughly to decide what route(s) to take +**\** That's all I wanted to get through. We can open the floor now to continuation of anything and everything +**\** Sorry for being a hardass on time today; wanted to make sure we hit everything +**\** in order to address (c), we should write up a formal technical note on (i) how amount commitments are currently computed, (ii) our proposal for the new computation and (iii) proofs of equal security in terms of hiding and binding properties\\ +**\** and i can work with knaccc on that this week +**\** Not sure if MRL is the right place for this, bu re: the embedded Java-I2P router idea, I've almost finished it. Just need to test my scripts a bit more. Available here: https://github.com/knaccc/embedded-i2p-java-router-with-sam +**\** OK, have you seen the branch moneromooo has already? +**\** it's in code +**\** 5052 +**\** oh man +**\** i'll check that out +**\** thanks moneromooo +**\** I know moneromooo and knaccc and I have looked it over +**\** yeah, and i recall writing up a proof of the idea and satisfying myself about it, but that was on paper +**\** which branch? +**\** rctb +**\** https://github.com/moneromooo-monero/bitmonero/tree/rctb +**\** knaccc: cool work on the java-i2p embedded router +**\** knaccc: let me know if you need any help with the java embedding +**\** found it right after i asked :P thanks sarang +**\** oneiric\_ zlatinb thanks, any comments or suggestions welcome +**\** Are you adding i2p/monero connectivity ? +**\** do you know if there are any hardening flags available for jlink? +**\** not sure what you mean by hardening +**\** aslr pie stuff like that +**\** i don't think those things apply to Java +**\** no? +**\** that's kinda the point of Java +**\** buffer overflows etc are impossible +**\** even if you're brain dead +**\** hrm, the jvm is still in c tho no? +**\** C++ +**\** oh the jvm itself is hardened over 2.5 decades by Sun/Oracle, in theory +**\** there are no user flags i'm aware of for hardening it further, but i'll check +**\** jlink doesn’t really “link” anything in the sense of C/C++ linking +**\** correct +**\** it's static linking of java stuff +**\** so, in java dev, there is no sense of hardening outside of writing good code? +**\** not really +**\** OH GUYS I HAD AN ANNOUNCEMENT +**\** as some of you know, Sarang and I have started a non-profit together called MAGIC - Multidisciplinary Academic Grants in Cryptocurrencies +**\** and we are opening up our scholarship program this month! +**\** congrats! +**\** we are giving out 5 $1000 USD scholarships for this fall, and we are giving out 2 $3000 USD research grants in the upcoming spring +**\** moneromooo: I think that's the intention +**\** congrats surae +**\** so, by the end of this month, our application will be available on https://magicgrants.org for anyone registered at an accredited school in the US, South Africa, or the EU or EFTA nations or micronations within the EU or EU-eligible nations. +**\** all this is made possible by a single anonymous donor so far +**\** i know the market has screwed all of us essentially, but if anyone wants to give, there are donation links both through globee for crypto and stripe for fiat on that webpage +**\** very cool suraeNoether! +**\** thanks knaccc! +**\** hopefully by 2022 we can start building primary schools all over the world libraries and computer labs +**\** well, in the listed nations for now. :P +**\** Side update: suraeNoether is fine with the Matrix plumbed room, as am I. Unless there are objections now (this was mentioned earlier to other room ops, with no reply) we'll go ahead and allow it +**\** ah yeah i removed my objection because i realized we can always undo the decision later. :P +**\** and i don't think charuto is a personel risk, although having a second mod would be keen +**\** Block cap algo is in ArticMine's court for now, with the current proposed dual-median in the wings +**\** Payment ID timeline is still annoyingly up in the air +**\** If anything, we should figure that damn thing out +**\** moneromooo just in case it's not clear, I don't know a thing about the C side of things, e.g. how to add libsam3 to the Monero C code in order to talk to the embedded i2p router via the SAM protocol. But I am able to figure out how to produce an embedded JVM/I2P binary that can be bundled with zero installation and zero dependencies +**\** OK. +**\** do we have an issue on github yet re: replacing pay\_id with subaddresses? +**\** it'd be helpful to have some coherent arguments laid out in all the different directions +**\** also does anyone have thoughts on this: https://github.com/monero-project/research-lab/issues/46 +**\** That was brought up on reddit earlier, presumably by the same person +**\** When I see a post that has "it's going to be brushed off", I want to brush it off just because it said that. OTOH, a game theoretic analysis of this would be very nice, if possible. +**\** Yeah, I said that person is free to do it or put it out there for someone else to do, either volunteer or for FFS donations +**\** s/possible/not made up of mostly unknowable factors/ +**\** ArticMine has brought up his views on supply but AFAIK they are not really documented anywhere +**\** and they should be diff --git a/_posts/2019-01-21-logs-for-the-Monero-Research-Lab-meeting-held-on-2019-01-21.md b/_posts/2019-01-21-logs-for-the-Monero-Research-Lab-meeting-held-on-2019-01-21.md new file mode 100644 index 00000000..09ec3c9e --- /dev/null +++ b/_posts/2019-01-21-logs-for-the-Monero-Research-Lab-meeting-held-on-2019-01-21.md @@ -0,0 +1,211 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2019-01-21 +summary: Ongoing work, New work, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** FYI meeting begins shortly +**\** Current agenda: https://github.com/monero-project/meta/issues/301 +**\** Shall we begin? +**\** sure +**\** Greetings, everyone +**\** letsdothis.gif +**\** o/ +**\** I dislike mass pings, but given certain topics, a special ping to sgp\_ ArticMine moneromooo knaccc +**\** First, ONGOING WORK +**\** Hi +**\** Much discussion about payment ID deprecation has occurred +**\** sgp\_ is holding an open meeting to discuss this, on 25 January: https://github.com/monero-project/meta/issues/299 +**\** THe current proposal intends to discuss is a deprecation of unencrypted pIDs at next upgrade, followed by a ban on all payment IDs in fall +**\** The main source of contention at this point seems to be whether keeping encrypted pIDs around, whether or not the wallet supports them by default, is necessary or desired +**\** Unless there's something important to talk about regarding this, and its relationship to the upcoming fork, we can table it until sgp\_'s meeting +**\** i think it's wise to table the discussion until the meeting +**\** moneromooo has been working on wallet handling of payment IDs, as well as the use of default payment IDs for transaction indistinguishability +**\** ok! +**\** Next is block size scaling +**\** ArticMine recently posted a new proposal \\ +**\** So the two on the table right now are the dual-median option (presented last time) and ArticMine's new one +**\** I can go over the details and answer questions +**\** ty ArticMine +**\** Here is the paste on this idea, linked earlier: http://paste.debian.net/hidden/50f142a6/ +**\** To confirm, the old proposal is this? https://github.com/noncesense-research-lab/Blockchain\_big\_bang/blob/master/models/Isthmus\_Bx\_big\_bang\_model.ipynb +**\** The key part of my proposal is to separate the block weight into a long term portion LongTermBlockWeight and the balance +**\** LongTermBlockWeight - BlockWeight +**\** lurkinandlearnin: look at notebook line [3] +**\** LongTermBlockWeight does not include the burst potion that can go up to 50x +**\** So the LongTermMedianBlockWeight does not compound at 50x +**\** fwiw for the folks in the audience: one of the reasons block size based on medians is a difficult question is the way medians behave... +**\** most equations that have been proposed here introduce an effective time delay between how max block size is responding to previous block sizes... and it's a difference equation... and introducing time delay to difference equations can introduce very strange behavior like chaos. (example: https://advancesindifferenceequations.springeropen.com/articles/10.1186/s13662-015-0374-1 ) +**\** chaos is bad +**\** so most of these proposals are most easily analyzed with simulations, which provide no guarantee that things won't go crazy. i've been looking into mean-based appraoches instead of median-based approaches; this introduces the possibility that outliers become disproportionately important, but it removes chaos from the equations, so we may be able to design a globally stable approach. +**\** in addition to evaluating articmine's proposal +**\** This is the key difference with the prior proposal that compounds the LongTermMedianBlockWeight using the entire block +**\** the +**\** Including the simple two-median approach, right ArticMine ? +**\** Yes the simple two median approach fails +**\** i'm still not clear on the properties we want out of max block size adjustments +**\** Since it either compounds the 50x burst (my initial version) or kills the burst over time (smooth's version) +**\** ArticMine: is that paste complete as written? +**\** beyond "ability to go 50x over a slow day to accommodate a christmas day, and to not allow a big bang" +**\** Yes +**\** Isthmus and I plan to work this in to our existing simulations +**\** His is more complete, but I am doing one for my own education and as a separate check +**\** We shall need to make a decision by freeze time +**\** ArticMine: there are a few subtleties that I'll want to ask you about later +**\** But I also would like to hear the answer to suraeNoether's question +**\** I did not see any response to smooth's comment..... +**\** you can avoid any sort of consensus issues on \*1.4 by making it 1.375 which is adding 3/8 +**\** 10:50 PM or some such, but that should be close enough +**\** 10:56 PM overall looks good to me at first reading +**\** 11:02 PM i guess 4/10 is fine too, just slower (but not significant) +**\** that was a rounding issue, I suppose +**\** If people will fuck up with 1.4, they will fuck up with 1.375. +**\** For interested people, the amp branch has ArticMine's change (untested). +**\** we should just pick a number that can be represented exactly in a computer +**\** (just the top patch) +**\** Better to pick one that can't. You don't want people to use floating point and think they did it right bevause the number was chosen to make things look right. +**\** branch link: https://github.com/moneromooo-monero/bitmonero/commit/f1ee51c55963d05a78db916d41da7dc5948bb05a +**\** representing 1.4 in a computer is inexact and will cause floating point rounding problems in different pieces of software, but i think 1.375 can be represented in binary exactly and so there is no roundoff problem in that regard... +**\** also, hot dang that was fast moneromooo +**\** one of the things i, personally, would like out of the block size adjustment is this +**\** smooth's comment would e an improvement if the BlockWeight were a factor of 8 in bytes, but it is not. So in reality it is not a material change +**\** moneromooo: that's a strong argument actually +**\** so, i think block size adjustment can benefit from: forcing the marginal cost of adding an additional transaction in terms of block reward penalty to be greater than the standard fees gained by including that transaction +**\** even if we pick some exotic max\_block\_size calculation, we should also be changing the block reward penalty this way +**\** Still I see as an improvement. As per suraeNoether comment above. So we can make the change from 1.4 to 1.375 +**\** of course, if the block is nearly full and the block reward is almost zero, adding almost any transaction fees will make up for it +**\** ArticMine: moneromooo just made a strong argument \*against\* that +**\** so this marginal cost approach will be most effective when block sizes are nowhere near the big bang levels +**\** which is good: providing an incentive to stay reasonable when they are already reasonable +**\** No When block weight is close to big bang levels LongTermBlockWeight is << BlockWeight +**\** i'm not talking about your block size proposal; i'm talking about block reward penalty as a function of block size +**\** Has any thought been given towards an incentive for miners to create smaller blocks when transaction volume is low? To slow blockchain growth +**\** that's what i was just talking about lurkinandlearnin +**\** lower blockchain growth is probably less important than quicker validation and propogation but the same point applies +**\** lurkinandlearnin: all txns get added eventually if the fee market allows +**\** something isthmus brought up to me: there are only about 150,000 blocks between us and the next hard fork. with the \*simple\* two-median method will forbid a blowup before the next hard fork. +**\** woops i mean between March and October hard forks +**\** Yes, starting the penalty before 100% (idea from smooth). +**\** we should consider implementing the simple method \*first\* and spending time thinking about a more optimal solution, rather than trying to go for broke +**\** moneromooo: that sounds like a great idea +**\** moneromooo: yep, smooth had the initial idea of sub-100%-median block penalty; my idea is to make the drop-off nonlinear so that it's more expensive to push block sizes larger in the absence of a healthy fee market +**\** Well, simulations will shortly be done for ArticMine's proposal compared to the current approach and the simple two-median +**\** Presumably the next upgrade will do one of the two options +**\** okay, i don't think we're going to come to any conclusions on this, but it's been a good update +**\** let's move past scaling +**\** Sure thing. We'll talk after simulation data are available +**\** Next is transaction size reduction, for which there is a PR from moneromooo +**\** AFAIK there are no new updates on this otherwise +**\** unless moneromooo you wish to say anything about it? +**\** I'd just like one of you Noethers to review the code before it goes in. +**\** suraeNoether said he'd have a look. +**\** sarang let's do that \*together\* tomorrow morning? we can do it over a vidchat since we were going to meet tomorrow anyway +**\** Roger; the math looked correct to me, but I may have neglected to add a comment +**\** ok suraeNoether can do +**\** fun +**\** as for the semi-final point on the agenda... what's the deal with bulletproofs, anyway? seinfeld.gif +**\** lol +**\** DID YOU GUYS MAKE THINGS FASTER AGAIN +**\** Only a brief update that some BP verifier optimizations didn't make it into the 0.13 release +**\** a very unscientific test on my box resulted in a 64-batch of 2-proofs verifying 60% faster +**\** kudos to moneromooo for continuing to squeeze speed out of those suckers +**\** holy smokes +**\** 60% faster than current impl or than pre-BP? +**\** than the 0.13 release code +**\** jeez +**\** that is, 0.13 vs master +**\** as of a few days ago +**\** where did this speedup come from? +**\** Folding in some multiexponentiation operations, as well a host of other voodoo moneromooo can dooo +**\** So we can brag about the next release making txns smaller and faster again :D +**\** I did not keep track of which change sped up by how much. I think sarang's single multiexp change is probably the biggest one though. +**\** Let's now discuss NEW WORK +**\** cool! +**\** suraeNoether: your personal updates? +**\** personally, this past week was largely a konferenco administration week for me, contacting speakers and vendors and getting my bank compliant with me +**\** i did research on bulletproofs, linear algebra in cryptography, and our matching paper +**\** I'm sooper excited for this conference +**\** but a lot of my work this week was contacting possible speakers +**\** sounds like we'll have some big names joining us +**\** yes, it's pretty great so far; we are adding more names this week +**\** Any updates on the matching paper suraeNoether ? +**\** my simulations aren't passing unit tests +**\** once they do, i'm making a commit +**\** and then collecting data +**\** so: it's moving forward +**\** excellent +**\** Any questions for suraeNoether ? +**\** OK, I'll go next +**\** oh i had one more thing to bring up +**\** sorry sarang, i don't want to interrupt +**\** np go ahead +**\** is there a list of speakers for the conference? +**\** i found all those old Monero Protocol Standards documents I started writing last year, and I'm wondering if folks still want me to compose the v0.1 versions of these rather short text documents into something to put up on our github +**\** or not official yet? +**\** lurkinandlearnin: check out konferenco.xyz +**\** the benefit of having the standards instead of a single big zero-to-monero document is this: +**\** we can update each one piecemeal and only update it if something has changed. this reduces overhead work on documentation. and if it's on github, anyone can update them, we don't have to go find kurt magnus or koe +**\** FWIW the ZtM doc is on github and can be PRed +**\** but I see the point about modularity +**\** My pessimistic side worries that updates would fall behind, as they already have on ZtM +**\** What aspects of the protocol are covered? Could be something useful to incorporate into the often neglected wiki +**\** as they both sound modular +**\** lurkinandlearnin: essentially similar to the cryptonote standards they released after i reviewed their whitepaper years ago, like this: https://cryptonote.org/cns/cns006.txt +**\** (my whitepaper review would have been moderately better if they wrote those standards before the whitepaper, but hey) +**\** sarang your points are valid +**\** which is why i'm not sure if it's a good idea to devote time to it +**\** Wiki is a good idea, specs are a good idea. Having experience as a book editor, people making random PRs is a huge nightmare to text style and continuity and often took 4x as long to polish then if SerHack and I had written ourselves. +**\** okay, how about this +**\** Whatever is made available, whether ZtM or wiki or standards, keeping up to date is the most important aspect IMO +**\** I cringe at "text-rendered math" though... +**\** Maybe we should pick one to be the "reference" documentation and the others follow suite? +**\** Who's responsible for maintenance of each one? +**\** Well as long as the version at time of writing is very clear keeping it updated is not so critical +**\** sarang who's responsbile for maintaining anything around here? +**\** lurkinandlearnin: I disagree +**\** how about i just post what i have after making it a little more readable, and if someone wants to run with it they can +**\** nice, but not disastrous. If anything having info about how things used to work out there is also useful. +**\** i can post it on my personal github to avoid cluttering the primary\\ +**\** suraeNoether: I think that'd be useful, to get a better sense of scope of audience +**\** sarang: we can always label them clearly DEPRECATED AND NOT USEFUL. but i think it'd be better to have them out there +**\** good point +**\** okay handing it back to sarang +**\** As long as it's clear what can be considered "closer to canonical" +**\** So I've had some testing and minor optimizations to BPs for the next release, as mentioned earlier +**\** Minor work on simulating block size changes to confirm work by Isthmus on scaling etc. +**\** Recording of new Breaking Monero episodes with sgp\_ +**\** The usual new lit and project review +**\** and some work on a safe MPC protocol for Bulletproofs for future use +**\** as well as a lot of back-and-forth administrivia on the topics for the Boron upgrade +**\** I am personally in favor of either Boron Betelgeuse or Boron Bellatrix +**\** (as far as names go) +**\** and of course the math for graph matchings, which has been passed back to suraeNoether for simulation data that he is obtaining +**\** Betelgeuse will lead to a schism in the community over pronounciation +**\** precisely +**\** It's like the naming of iPhone X... by making it hard to get right, it forces you to think it's better than you are +**\** humbles us all +**\** "It gets the people going!" +**\** Any questions for me? +**\** what's the next breaking monero topic? +**\** Hmm... Lightning network things ? +**\** moneromooo: what questions on that? +**\** "Boron borealis" ?? I think there's a Harry Potter character called Bellatrix, which could get confusing with all the HP-themed MimbleWimble names. +**\** lurkinandlearnin: we have several topics in the lineup, to be arranged +**\** Also, Breaking Monero = awesome, thanks for all the time going into that series :- D +**\** Was anything done or thought about recently about anything monero needs for LN or LN style system ? +**\** moneromooo: some of it was an efficient and fungible way to handle protocol aborts, a la noninteractive refunds +**\** that was quietly tabled as several proposals for interactive refunds were thrown around +**\** Ah yes. It would be nice to see a list of things that are needed in monero as building blocks. In terms of parenthesized AND/OR. I always forget. Or never knew. +**\** That's a good point. Having a well-considered status update will be useful for longer-term planning +**\** Does anyone else have updates to share, before we adjourn? +**\** righto +**\** Thanks to everyone for joining +**\** Our current action items: +**\** (a) simulation data for block size proposals, to make a decision before freeze +**\** (b) final review of transaction size reduction PR +**\** (c) meeting to decide on payment ID deprecation (PLEASE attend or comment on github issue if you have an opinion on this, with justification/data) +**\** at ease, soldiers diff --git a/_posts/2019-01-28-logs-for-the-Monero-Research-Lab-meeting-held-on-2019-01-28.md b/_posts/2019-01-28-logs-for-the-Monero-Research-Lab-meeting-held-on-2019-01-28.md new file mode 100644 index 00000000..c6603613 --- /dev/null +++ b/_posts/2019-01-28-logs-for-the-Monero-Research-Lab-meeting-held-on-2019-01-28.md @@ -0,0 +1,311 @@ +--- +layout: post +title: Logs for the Monero Research Lab Meeting Held on 2019-01-28 +summary: Ongoing work, MRL going to SBC, and miscellaneous +tags: [community, crypto, research] +author: el00ruobuob / surae +--- + +# Logs + +**\** allrighty, well, it's 17 UTC +**\** Hi! +**\** howdy everyone +**\** HI +**\** ohiyo +**\** Hey +**\** Salutations +**\** hi +**\** today, our agenda is here: https://github.com/monero-project/meta/issues/302 +**\** woohoo! +**\** allrighty, so let's begin with payment ID deprecation +**\** Very sad. +**\** my understanding is that some folks are opposed to the proposed timeline for switching over to subaddresses +**\** Don't you guys think that such drastic changes hurts Monero adoption? +**\** It is new information to me that this was not already default +**\** Mochi101: payment id is actually what "hurts Monero adoption" +**\** ^ standalone one +**\** mochi101 what drastic change are you referring to? deprecating payment IDs? or enforcing subaddresses? +**\** Both actually. +**\** Drastic changes is what Monero is all about. 6 month forks and whatnot. +**\** I am in favor of this, the only possible issue I see is timing on which I am neutral +**\** in my opinion, switching to a system with fewer moving parts with fewer ways for users or wallet developers to accidentally screw up, this is a net win for monero users, the ecosystem in general. +**\** ^^ +**\** Yes, Monero feels like a really high maintenance, needy girlfriend sometimes. +**\** i don't know about you, but "idiot proof" cryptography is sort of a myth, but it'd be really really great if we could take incremental steps toward systems with fewer complications glued on top just to make it work +**\** In the unknown future, will Monero no longer require network upgrades every 6 months? +**\** xeagu i believe we are intending on keeping 6 month network upgrade schedules for the foreseeable future, with the intention of \*eventually\* slowing them down +**\** i don't know what timescale "eventually" means here, practically, though. fluffypony has mentioned it before but I don't recall the timescale +**\** Do you think a timeline would help those with concerns about that activity hurting adoption? +**\** The unknown future is unknown +**\** I aggree that in the anctient security vs UX war we need to stick with security +**\** and moving/changing parts is a golden rule in crypto +**\** even if it's more surface for users to screw up +**\** ArticMine: thank you for supporting the change. i'm with you on both timeline and supporting the upgrade. i'm asking if anyone here has specific timeline objections they want to bring up; last I recall, sgp\_ had a great chart, but perhaps the discussions have changed a bit since then? +**\** UX issues stemming from payment IDs are predominantly caused by the long, unencrypted payment IDs. Thus, imo, it's imperative that we remove those +**\** ^^ +**\** As far as I know there's not even any real documentation on subaddress generation, identifying the last index which has been used, etc. +**\** That's pretty bad when you're going to force it. +**\** Mochi101: https://github.com/monero-project/meta/issues/299 +**\** lots of details there, including a basic upgrade guide for services +**\** thanks for the link to the previous PayID discussion, sgp\_ ! i am bookmarking that rn +**\** services have nearly half a year to upgrade, which is reasonable given the requirements. We have spoken to exchanges and payment processor services who think the timeline is aggressive but realistic +**\** Mochi101: the logs for the meeting are also available at the same link +**\** sgp\_: cool! personally, I think this is a win for monero users in terms of privacy, a win for developers in terms of elegance, and a win for the ecosystem in terms of efficiency +**\** I recommend you read them +**\** I admit I don't understand how subaddresses work +**\** I don't want to speak for sarang; perhaps when he gets back he can jump in and provide an opinion. +**\** There is a need in the market for distributed education +**\** Xeagu: the main idea is you take your wallet address (A,B) and you generate a family of addresses deterministically all sharing the same view key, and allowing you to mass-scan all the subaddresses simultaneously for incoming transactions +**\** it's a little more complciated than that because they don't \*actually\* share a view key +**\** Thanks. But you're only seeing this from your "in the loop" perspective. I looked for information about this and couldn't find any in the places that I expected them to be. Really people using Monero should not have to search through GitHub to find this stuff. If it's a major issue like this it should be front and center on something like getmonero.org +**\** but they can all be \*scanned\* with a single view key +**\** Yes I am confused on the order that subaddresses are selected during generation +**\** If they are deterministic, no? +**\** is there anything research-y about payment IDs / encrypted / subaddresses at this point? I mean, its pretty solid that anything except subaddresses is sub-optimal, right? +**\** you use deterministic nonces while hashing, so they appear random but always come up to be the same +**\** Xeagu: read this: https://medium.com/@anhdres/how-moneros-accounts-and-subaddresses-work-in-monerujo-4fa7df0a58e4 +**\** Mochi101: You should subscribe to the newsletter. +**\** Mochi101: It was announced on the mailing list +**\** Yes, please join that. It's essential for staying up-to-date +**\** Alright so basically I need to read through Mastering Monero again +**\** gingeropolous: yeah. this is a question (subaddresses) about key infrastructures. not really in doubt that subaddresses are objectively superior in terms of engineering and in terms of simplicity. keeping around old systems for no good reason is not going to help adoption. +**\** also as far as I understand it, the MRL contributors sgp and knaccc are both working on documentation +**\** right. it just seems at this point we gotta bite the bullet and go through the suck. +**\** we can continue this conversation after the meeting +**\** Subaddresses mean you only really need to memorize a single wallet seed, as I understand it. +**\** yes Xeagu, and best to table this discussion imo +**\** Let's move on +**\** let's move along to the oh-so-contentious block size scaling discussion +**\** articmine is currently validating some cost analyses by sarang +**\** Sup n00bs +**\** i whipped up two ideas, one wacky and one not for block size debate, and i'll be contributing these two ideas to the mix to see about how it all fits together +**\** in terms of cost analyses +**\** What are the two ideas? +**\** I presented my overall proposal +**\** my first idea is a simple low-pass filter, and my complicated idea is inspired by some discontinuous reset models from neuroscience, which sounds fancy, but is in no way "modeling brains on the blockchain" or anything like that, please do not run away with my words +**\** ArticMine: yeah, i thought you and sarang were working together to make sure cost analyses were apples-to-apples comparisons? +**\** https://paste.debian.net/hidden/556a3a8a/ +**\** aha! +**\** thanks articmine +**\** that's articmine's proposal +**\** Interesting okay. Can you explain the low-pass filter? I'd like to discuss the brains on the blockchain idea later. +**\** There was one addition: We can use LongTermBlockWeight as opposed to BlockWeight in the fee calculation +**\** xeagu essentially all our proposals revolve around discrete-time dynamical systems, including my discontinuous reset idea. so "how to update next\_max\_block\_size as a function of previous block sizes... so that the blockchain doesn't get caught in a feedback loop and blow up for a determined and moderately wealthy attacker?" +**\** This is trying to determine future dynamic block size scaling? +**\** yep. +**\** wait +**\** I have a paper on this issue +**\** great! +**\** please link! +**\** it's originally for PoS +**\** but does address the problem +**\** i believe articmine's approach is good in the sense that it forces an attacker attempting to force bloat to drag out an attack over a long timescale in order to have a decent influence, which costs more and more money. +**\** of keeping this wealth blowup in check +**\** https://arxiv.org/abs/1809.07468v2 +**\** interesting, thank you. i believe someone had an idea where miners vote on the max block size for the next N blocks using proof of work, but i haven't looked further into it yet +**\** wb sarang +**\** I am not familiar with ArticMines proposal +**\** xeagu he linked it a moment ago, and sarang has been running simulations and comparing costs +**\** this one has a formula for how to calculate the next reward based on the current parameters +**\** maybe we can generalize it for blocksize? +**\** I need it in ELI5 terms +**\** interesting, thank you. i believe someone had an idea where miners vote on the max block size for the next N blocks using proof of work, but i haven't looked further into it yet] <--- This is one of many failed Bitcoin proposals +**\** As long as we finalize ArticMine's proposal soon, before the fancy new stuff gets worked on :) +**\** How does the dynamic block size change from its current state? +**\** ArticMine: also good to know +**\** xeagu right now +**\** The newer proposals do away with the idea of a single median +**\** we allow next max block size to be 2\*Median(last N blocks) +**\** i forget N +**\** Xeagu: https://paste.debian.net/hidden/556a3a8a/ +**\** 100000 +**\** Details that have been previously reviewed can probably be discussed more deeply after meeting, IMO +**\** moneromooo: that's too high level for me +**\** And 1.4 IIRC, not 2. +**\** I'll review other notes sure +**\** moneromooo: oh! that's good :D +**\** xeagu i'll get you after the meeting +**\** atm, I am waiting to see what cost details are added by ArticMine to ensure we understand the relative cost of bloat under the different options +**\** Okay +**\** basically: block size scaling is still under discussion, we are working on formalizing articmine's proposal and comparing it to our present proposal as well as at least one other proposal. +**\** and i think sarang and i can collaborate on a technical note describing all this +**\** moving along to MRL 11's status update: MRL 11 is essentially about traceability and linkability in Monero, and comparing techniques across multiple blockchains like Zcash + Monero together +**\** if you guys have seen matthew green and binaryfate and fluffypony sparring on twitter about ring sizes compared to the shielded pool in zcash +**\** this is that +**\** Zcash doesn't scale +**\** ah :D +**\** the current status is that sarang passed it back to me more than a week ago, and i've been tinkering with simulations +**\** My proposal uses the current 2x maximum for the short term median and 1.4x for the long term median +**\** You can't let every transaction be shielded without huge data storage +**\** i want to simulate something like the following, and it's quite challenging to formalize this (i'm bringing my hangup to the crowd so you guys know what i'm stuck on)... I want to create a formal statistical hypothesis, and it's eluding me... +**\** essentially, i want to capture the EABE scenario that started this whole paper last year +**\** and churn +**\** EABE scenario? +**\** Poisoned outputs +**\** Oh got it +**\** I want to generate a random blockchain (somehow) and embed within it the spending behavior masking "churn" between receiving a possibly "marked note" and then later trying to cash it out at a KYC/AML exchange +**\** then i want to apply our matching technique to see the probability that this behavior is caught, if someone is looking for it +**\** But as I understand if you just show view key, the exchange will accept it +**\** xeagu that's the final vertex in the transaction graph +**\** there may be many intermediate vertices as you churn +**\** most importantly, we need somehow to gauge the entire confusion table; false positives, false negatives, true positives, and true negatives +**\** Like how far back do exchanges care about poisoned outputs? +**\** unknown +**\** and i can do this \*under certain hypotheses\* but i can't do it in general. all i really i want is a practical comparison of our technique to a real world scenario like a miner trying to hide that he's depositing a mined coin on an exchange +**\** You should conservatively assume "all the way back" +**\** Anyway, feels like we're getting off topic somewhat +**\** Was regarding MRL 11 +**\** Traceability comparison +**\** so, to summarize MRL 11: we have an algorithm, we have timing estimates, we are working on simulations and comparisons of our technique across multiple blockchains at once, and we are basically gearing up to figure out how many churns is enough... or... alternatively... we are gearing up to figure out how to show the depth of the wastefulness of having a massive anonymity set like the whole zcash shielded +**\** pool +**\** sarang: think that was an okay summary? i don't want to speak for you +**\** Yes, the computational bounds are the most interesting part IMO +**\** yeah, same actually +**\** they set a framework for analyzing certain behavior +**\** the interesting thing to me is we were able to put lower bounds on how fast an attacker can generate a "guess" at a possible spend history +**\** bad news: it's pretty fast. good news: there are lots and lots of possible spend histories, like cryptographically many +**\** how much is the practical security compared to a zk-snark scenario? we'll find out +**\** So you earlier discussed block size scaling (waiting on cost analysis)... did I also miss anything on output selection? +**\** spoiler: if both blockchains exist together at the same time, one with an opt-out transparent pool and both with users interacting at KYC/AML exchanges... then security on both are wildly compromised +**\** sarang eek I forgot to add output selection to the agenda, that's my bad +**\** OK, is now a good time for this? +**\** perfect time actually +**\** Great +**\** It's not on the agenda but I wanted to make sure we discussed the rumor of ASIC/FPGAS on the network. +**\** moneromooo had asked me earlier about reviewing our windowing approach to gamma selection +**\** He had an idea about further weighting selection probability of a block based on output count +**\** with a possible goal of reducing the coinbase-to-non-coinbase ratio in rings to that of the whole chain +**\** xeagu we'll get to that in a sec, thanks for reminding me :\\ +**\** e.g. 6-10% of outputs are coinbase, so 6-10% of a ring should be as well +**\** moneromooo can explain it better, but the idea would be to take the gamma probability of block selection and further weight by the block's output count, and then uniformly select within that block +**\** I'm working up some code based on chain stats +**\** but I'll put it out there for comment +**\** sarang #actually +**\** the distribution in the ring should be "whatever the probability that the next transaction is a coinbase output." +**\** I think miners churning newly mined coins would help against poisoned outputs +**\** so if miners typically hodl for long long long times, then mimicing the distribution of the outputs that care coinbases will drastically over-sample the coinbase outputs. +**\** xeagu i agree +**\** \ e.g. 6-10% of outputs are coinbase, so 6-10% of a ring should be as well >>>>> but 99% of coinbase outputs are owned by about 15 people +**\** i think a lot of miners churn in order to mask that they are mining +**\** gingeropolous: exactly! +**\** I know, but we have no good metric for "how many coinbase in a ring is ok" +**\** unfortunately we don't really have a way of estimating how often any given subsets of our blockchain are spent +**\** Currently it's 1-3 outputs per ring on average that are coinbase +**\** The idea I had is meant to (I think) make the selection process match the gamma from an ideal blockchain (ideal being, every block has the same number of outputs). +**\** And indeed, in that particular case, the two distributions match. +**\** The idea has two steps: +**\** Nice, did you run sims? +**\** - for each block, calculate its probability of being picked by the gamma distribution pick +**\** - for each block, multiply that number by the number of outputs in that block +**\** Then you just pick a random block from those weights using a discrete distribution. +**\** I did not run sims, because I do not know how to calculate the first step. +**\** MOO +**\** you brilliant bastard +**\** you want to know why that works? +**\** moneromooo had pointed out earlier that this also solves the issue of a fixed window size +**\** Well, I see how it'd work by, er... intuition really. Why does it work ? +**\** you are estimating an empirical distribution: when you multiply that number by the number of outputs in the block, you are computing the expected number of outputs to be selected from that block. then you built a histogram and selected from that! +**\** Yeah +**\** it's cool +**\** expectation as a linear operator +**\** fun stuff +**\** \*ahem\* +**\** the scaling of coinbase outputs in this case is also independent of the gamma distribution, which I find neat +**\** very frequentist. hem hem +**\** yeah, you could use this with any underlying hypothetical distribution +**\** I'm confirming that it does so, and writing up some sims to convince myself of it +**\** \\me eats oatmeal +**\** kudos moneromooo, it's a clever approach that fixes the issues with windowing +**\** so there's still a probability that multiple coinbases will be selected, but because tiny blocks have low probability, we should expect less outputs selected from tiny blocks? +**\** it actually fixes several other things i'd been thinking about +**\** it's a great framework. +**\** Thanks. Still needs a way to compute the first number. I fear it might involve integrals. +**\** I don't understand :/ +**\** moneromooo: probably not =p +**\** gingeropolous: yeah, exactly. each output has a gamma age, and then you select from all outputs. rather than selecting an output age from a gamma and then selecting from all the outs with that age. subtle flipping of the order of things +**\** I believe it should reduce the ring ratio to that of the whole chain +**\** I don't know what gamma means +**\** In the most extreme case, we can say 0 coinbase are necessary and force independent miners to churn their received funds if they care. Pools don't care and are the main cause of this debate. But there doesn't seem to be enough support for this, and it comes with other tradeoffs. I just think it's important to keep mentioning +**\** A particular random distribution. +**\** the way we select ring members using math Xeagu +**\** Xeagu, you can think of gamma as a droopy triangle +**\** xeagu there is a long statistical background on the gamma distribution. we'll catch you up after the meeting +**\** right triangle, 90 degrees on the right side. the hypotenuse is the droopy side +**\** sgp\_: we can enforce coinbase-only rings as a first churn, but that doesn't solve the heuristic of "coinbase are bad" +**\** it just moves it along the transaction graph a teeny bit +**\** so I feel ya +**\** you flip a coin until you get a heads up and right down the number of flips. then you do that 10 times. then you add those wait-times-until-heads-up together +**\** sarang: this would just accept "coinbases are bad" and not touch them whenever possible +**\** So if gamma is a process (verb) how is it acting as an adjective modifying a noun (age)? +**\** i dunno what parameters we use, but https://en.wikipedia.org/wiki/Gamma\_distribution#/media/File:Gamma\_distribution\_pdf.svg +**\** i'd guess we look like the red line +**\** and then you ask "what is the probability that i got wait times of 3, 2, 0, 1, 1, 0, 1, 2, 1, 0?" that's essentially a gamma distribution +**\** Xeagu, +**\** The heuristic would move from "coinbase in a ring are decoys" to "outputs generated in a coinbase-only ring are decoys" +**\** sarang i'm not sure i follow that +**\** unless you convince miners to churn more out of the goodness of their pooled hearts +**\** oh i think i follow you +**\** Right now you might throw out all coinbase ring members as decoys +**\** Now you look back one step, and throw out an output generated from an obvious coinbase churn +**\** You gain very little from this +**\** yeah, i think i follow yoiu +**\** So I like the idea of shooting for a ring member ratio matching the chain +**\** and this weighted approach should do that for us +**\** to be confirmed by sanity-check sims! +**\** okay, so the output selection method proposed by moneromooo is actually a really clever way of computing expectations, and as a consequence, gives us a better output selection method. we should glance through the code, but i'm happy with that +**\** FPGA/ASIC stuff +**\** Neat +**\** let's move along +**\** i hear some nonce distributions are non-uniform +**\** and they recently changed as of the new year-ish +**\** fun +**\** so, i'm not really prepared to talk about monero POW and asic-resistance right now, tbqh +**\** i happened upon some reading this weekend on sponge constructions, so i'm currently on the path toward learning more about hash functions and pseudorandom functions +**\** but i don't have any thoughts i want to make public right now +**\** sarang? +**\** (i'm not keeping anything from anyone either, I harbor no secret opinions on this either) +**\** I have been working on sims relating to output selection and block size, and continue side work on bulletproofs MPC and related things +**\** I'll be attending the Stanford academic crypto conference this week +**\** Yeah, sarang and endogenic and i and isthmus will all be there +**\** \*not envy\* +**\** CONVENIENTLY i found my LAST FOUR MRL shirts, so you know +**\** i'll be forcing everyone to wear them for a photo +**\** Does anyone else have work to share before we review action items? +**\** I have to go +**\** i have been doing some reading on alternatives to ring signatures +**\** Great meeting everyone +**\** i plan on writing up a technical note summarizing different options in different cryptographic hardness settings, timing and space comparisons +**\** Alternatives without huge resource drain? +**\** learninandlurkin: so, some of that is tricky +**\** that's always the kicker +**\** for example, i came across some short-integer-solution methods with lattices that are FAST AS HECK but HUGE +**\** oh yes +**\** the tradeoff isn't there yet, but it's worth summarizing it all +**\** my favorites +**\** they are also good for accumulators +**\** I have some demos on that +**\** been working with SIS for long +**\** silur ooh, i'd love to see a link of some sort +**\** I've got really into noncommutative crypto recently +**\** so i'll be summarizing i think four papers in the coming days, to communicate some of the options we have to the community +**\** it feels like a graveyard because except for the primitives everything is broken +**\** Action items for this week? +**\** but I asessed all attacks and stuff that are still holding in the recent months +**\** main focus on zk stuff now +**\** I am looking forward to ArticMine's sim code updates to reflect rational miner costs, which will allow us to assess our options for next upgrade +**\** my action items are: matching simulations and hypothesis testing, and my alternatives-to-ring-signatures-aren't-much-better technical note +**\** I'll look forward to that suraeNoether. With ringsigs being our main weakness and also the main missing component of Grin (as compared to XMR) I think this are of research will have big implications. +**\** ringsigs are our main weakness? +**\** what happenned with RTRS? +**\** It remains an option, but one that requires a lot of overhauling for still being ring sigs :. +**\** :/ +**\** silur: sarang has gotten them to be suitably fast with multiexponentiation so that we could, say, use ring sizes up to, say, 20-30. however, there are some other sublinear schemes that are available, each with their own trade-offs, which is why i'm writing my paper +**\** wow +**\** i was hoping that once we broke a certain speed barrier, the path forward would be a no-brainer +**\** okay, I'll be waiting for it +**\** the paper I mean +**\** but we have certain issues we're dealing with and it's not totally clear whether overhauling the system for such a small ring size boost would be worth it if there could be another option with a relatively bigger boost eventually +**\** well said +**\** replace that last word "eventually" with "presently" +**\** cool, /meeting