monero-site/_posts/2018-05-07-logs-for-the-Monero-Research-Lab-meeting-held-on-2018-05-07.md

237 lines
18 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: post
title: Logs for the Monero Research Lab Meeting Held on 2018-05-07
summary: Sarang work, Surae work, and miscellaneous
tags: [dev diaries, crypto, research]
author: el00ruobuob / surae
---
# Logs
**\<sarang>** OK, it's time to begin
**\<sarang>** Welcome to everyone; hello
**\<sgp\_[m]>** Hi!
**\<sarang>** Calling others: hyc suraeNoether anonimal endogenic binaryFate fluffypony luigi1111 luigi1113 rehrar[m] monerigo[m] gingeropolous dEBRUYNE
**\<sarang>** and many others no doubt
**\<sarang>** s/monerigo[m]/moneromooo
**\<binaryFate>** présent
**\<sarang>** I suppose we can discuss recent updates and such
**\<sarang>** I have been focusing on noninteractive refund transactions
**\<sarang>** it's surprisingly tricky to get right
**\<sarang>** The idea of whether or not to hide block heights has big implications on size and complexity
**\<sarang>** and also will affect the use of old outputs
**\<theRealSurae>** Hey everyone, sorry I'm late (and not using my registered nick)
**\<sarang>** A good higher-level question is whether we insist that having refund transactions is enough of a priority
**\<sarang>** Hello fake suraeNoether
**\<theRealSurae>** heh
**\<sarang>** \*enough of a priority to devote big plumbing-level changes
**\<sarang>** these questions have consumed me as the Whale consumed Ahab
**\<sarang>** and, like Ahab, I spend much time in the company of Starbuck(s)
**\<theRealSurae>** gross
**\<sarang>** theRealSurae: what has consumed you lately?
**\<UkoeHB>** it feels like there should be an easier way to hide amounts. Maybe worth mulling for some time
**\<sarang>** UkoeHB: other than commitments?
**\<rehrar[m]>** Hi
**\<UkoeHB>** Yeah. Maybe a shift in perspective. Baseless intuition
**\<silur>** what
**\<sarang>** Well, the current Best Way is homomorphic commitments + range proofs to ensure balance
**\<theRealSurae>** I've been thinking about koe's reduced mlsag and how we might be able to batch-verify ring signatures with bulletproofs. and i've been speaking with a professor at clemson university about the possibility of starting a paid project for a grad student to invent a new elliptic curve with 2^255-19 points on it, or to come up with a similar sort of variant to secp256k1
**\<theRealSurae>** yeah, I think we are going to experience reduced returns in terms of hammering bulletproofs for improving our amount strucutres
**\<sarang>** theRealSurae: BPs to batch verify our current MLSAG scheme?
**\<silur>** oh yea the curve order question you asked
**\<theRealSurae>** so, i think it'd be really really helpful for both bitcoin and monero to have alternate curves
**\<theRealSurae>** ohgod
**\<theRealSurae>** other than that and the multisig dump I made the night before yesterday, this week has been consumed by editing papers for other folks. Koe and my old advisor and another document. lots of reading this week
**\<sarang>** What are your thoughts on refunds?
**\<UkoeHB>** and thank you for that :) incredibly helpful
**\<sarang>** UkoeHB: any big changes to your excellent paper?
**\<UkoeHB>** Well we found out monero doesn't even use borromean sigs
**\<UkoeHB>** genBorromean should be genSAGs
**\<UkoeHB>** Or something
**\<sarang>** SAG?
**\<theRealSurae>** I've been thinking a lot about the refund structure with timelocks, and I'm trying to figure out exactly whether we have a novel "invention" in these refund transactions or whether tit is equivalent to a timelock+multisig situation
**\<UkoeHB>** spontaneous anonymous group sig. Like LSAG but no key images
**\<sarang>** for range?
**\<UkoeHB>** Yeah
**\<UkoeHB>** Check ringCT.cpp genBorromean
**\<sarang>** Yeah I'm familiar with that code
**\<UkoeHB>** It's 33% larger range proofs than a real borromean setup
**\<theRealSurae>** ... i need more details about that, koe, if you don't mind...
**\<sarang>** heh
**\<sarang>** theRealSurae: big thing is non-interactivity
**\<sarang>** I don't need the recipient's cooperation
**\<UkoeHB>** I'll see what I can do
**\<theRealSurae>** thanks koe, i'm not in a rush on that though...
**\<theRealSurae>** I want to remind everyone that I'll be mostly away from the internet from tomorrow until the 19th, with some intermittent access.
**\<moneromooo>** luigi1111: is this (genBorromean doesn't actually generate Borromean sigs) correct ?
**\<UkoeHB>** yup have fun :). Vacation right?
**\<theRealSurae>** i'm not the sort who can really put work down, but i'm trying, briefly. i managed to write up a skeleton of the unforgeability proof for multisig and hand it off to sarang to familiarize himself with the musig approach
**\<binaryFate>** Zcash is also coming up with their own curve so as to speed up the particular things they need to. I find it worrying if the trend is that every project cooks up their curve to suit their particular needs.
**\<theRealSurae>** and, like I said, I'm communicating with some folks at Clemson
**\<sarang>** Yeah I've been revisiting the original musig paper
**\<luigi1111>** Not that I know of
**\<theRealSurae>** binaryFate: why would this be worrying?
**\<luigi1111>** theRealSurae: 2^255-19 isn't the number of points
**\<theRealSurae>** you are right, it's the group order
**\<binaryFate>** against the "don't invent your own crypto", and light years away from typical review process for curves
**\<theRealSurae>** right? i misspoke
**\<vtnerd>** no, 2^255-19 is the prime field
**\<sarang>** I hear it's a kind of cake
**\<sarang>** Or that feeling when your leg falls asleep and you stand up
**\<luigi1111>** Group order is l
**\<luigi1111>** 2^252+blah
**\<sarang>** aaaanyway
**\<theRealSurae>** i confess I tend to think of our group as a scrambled mirror image of Z\_q, despite addition of points not even landing on the subgroup.
**\<sarang>** So theRealSurae is working on unforgeability
**\<sarang>** I am figuring out if noninteractive new-output-style refunds are worth it
**\<sarang>** Other fun times?
**\<theRealSurae>** binaryFate: yeah, I see that
**\<sarang>** binaryFate: do you have any information on the Zcash efforts? I wasn't aware of their work
**\<theRealSurae>** binaryFate: eventually that curve, even if proven to satisfy our desired properties, will have to be implemented, and the dangers or crappy implementation are huge... but I don't think that should discourage research into new curves and new proof methods using isomorphic curves
**\<theRealSurae>** yeah, I wasn't either. I thought it was just Blockstream looking for a variant of secp256k1 so far
**\<UkoeHB>** oh i messed up - they are borromean ugh
**\<theRealSurae>** that's a relief koe!
**\<sarang>** UkoeHB: what led to believe otherwise?
**\<luigi1111>** ^
**\<UkoeHB>** misreading code like a fool
**\<UkoeHB>** thought this hash\_to\_scalar(L[1]) meant an array of hashes for each L[1], instead of a hash of the entire array
**\<sarang>** Good thing hashes aren't important to borromean sigs /s
**\<sarang>** If there aren't any other big topics to discuss, we could certainly return to refunds or previous topics
**\<sarang>** There were suggestions from luigi1111 that the refunds needed for payment channels would be possible purely w/ timelocks + multisig
**\<binaryFate>** will look for some link on the zcash curve thing. It's part of their roadmap to reduce overhead to generate z-transactions iirc
**\<sarang>** I do not see how that would be possible without interaction from both parties, or a third-party arbiter
**\<sgp\_[m]>** I just want to mention that I'm working on preserving the integrity of outputs held by mining pools
**\<sarang>** But I'd love to be convinced otherwise
**\<rehrar[m]>** MRL corporate cheer!
**\<sarang>** sgp\_[m]: in response to the linking work?
**\<luigi1111>** It does require interaction at the start
**\<sarang>** right
**\<sarang>** it'd have to
**\<sarang>** So the recipient pre-signs for the refund?
**\<rehrar[m]>** I have a bit of other ZCash news.
**\<sgp\_[m]>** sarang kinda, yeah. I don't have too much to mention now though
**\<sarang>** How does the network verify the spend of the originally-intended output?
**\<sarang>** sgp\_[m]: ok, keep us updated
**\<sneurlax>** I've contacted ehanoc re: the "transaction tree" python toolkit and we will collaborate to deliver that after I finish the scraping tool which moneromooo asked for. mooo, I'll be sending you results this week
**\<sneurlax>** sorry to interject
**\<sarang>** sneurlax: excellent! That'll provide good data
**\<theRealSurae>** rehrar[m]: tell us?
**\<theRealSurae>** sneurlax: that's fantastic news
**\<rehrar[m]>** ZCash wants to open a grant proposal jointly with a Monero community member (that'd be me atm) to donate a considerable sum of money to some FFS proposals.
**\<sarang>** What types of FFS do they want to fund?
**\<theRealSurae>** how would that work? would you have discretion over donating the funds?
**\<rehrar[m]>** https://twitter.com/socrates1024/status/993252058923925506?s=19
**\<theRealSurae>** i'll almost always take free money if it's no-strings
**\<sarang>** Aw shucks, they like us!
**\<theRealSurae>** that's... fantastic
**\<rehrar[m]>** Dunno. When next round of bp auditing funds?
**\<rehrar[m]>** We can out it up, raise the amount, and take out right away. Superior Coin also wants to help if you recall.
**\<rehrar[m]>** Perhaps we can also get subaddresses audited?
**\<theRealSurae>** hmm
**\<sarang>** Yeah, was thinking of waiting until closer to the finalization, but I suppose there's little advantage if we can coordinate w/ OSTIF quickly
**\<theRealSurae>** it seems like a lot of projects want to funnel their research funding through the Monero FFS
**\<binaryFate>** the harder we criticize them the more they like us... 10k$ is not that much compared to amounts raised typically anyway
**\<sarang>** It's a nice gesture of community spirit though
**\<sgp\_[m]>** I think the best ones are the hardware wallet (which should work with Zcash iirc) and code audits
**\<rehrar[m]>** They're masochists binaryfate. If we criticize harder they'll give more.
**\<sarang>** A subaddress audit depends highly on the scope
**\<sarang>** The BP scope was narrow-ish
**\<theRealSurae>** binaryFate: yeah, it seems like a largely symbolic thing, but also: they've been really encouraging me and sarang to encourage you guys to ask for grant money.
**\<theRealSurae>** rehrar[m]: i should just take zooko out to a bdsm club in denver, see if they offer us six or seven figures. :P
**\<rehrar[m]>** In return , we can send them Monero stickers to put on their laptops.
**\<sarang>** something something meat market
**\<theRealSurae>** meat meat something market
**\<binaryFate> \<rehrar[m]>** In return , we can send them Monero stickers to put on their laptops. <-- they have one at least, we've put one on zooko's back at CCC without him noticing
**\<sarang>** I'll be interested to see how the 10K is disbursed
**\<theRealSurae>** sarang: Is the implication that it would totally be up to our discretion? that's sort of what i'm getting...
**\<rehrar[m]>** Zooko is a dude.
**\<rehrar[m]>** I chilled with him in Colorado.
**\<rehrar[m]>** Can neither confirm nor deny Verge dev there too.
**\<theRealSurae>** What if we take the 10k, pay for a semester of a grad student working with some cryptographers to invent three new curves, a variant for secp256k1, a variant for x25519, and a variant for zcash's thing
**\<sarang>** tall order
**\<theRealSurae>** maybe
**\<endogenic>** sorry rehar
**\<theRealSurae>** it'd guarantee that student would spend the rest of his time in grad school working on that sort of thing
**\<theRealSurae>** which I think would be a valuable thing: seed the mind-virus among as many researchers as possible
**\<binaryFate>** They're not even asking for doing joint work with zcash stuff at this stage apparently. Would just channel to Monero topics entirely if possible.
**\<pwrcycle>** Hi all.
**\<binaryFate>** Anyway grad student is a great idea
**\<theRealSurae>** binaryFate: yeah, that's the inference I made
**\<rehrar[m]>** I'll talk with Miller.
**\<rehrar[m]>** See how he wants to do the grant proposal.
**\<theRealSurae>** binaryFate: the problem then is picking the student/school
**\<pwrcycle>** Funding grant money for school research seems cool. Pinning all the hopes on one grad student seems like a bad idea.
**\<theRealSurae>** rehrar[m]: please do, maybe CC me... I can hook him up with at least two cryptographers at Clemson who may be interested
**\<theRealSurae>** pwrcycle: yeah, you'd pick by advisor more than student
**\<rehrar[m]>** Maybe we can get some people to make a FFS that should have made one a while back in exchange for ZCash paper
**\<rehrar[m]>** Like dEBRYUNE
**\<rehrar[m]>** Then again, what use have gods for our petty currencies.
**\<binaryFate>** Btw having some sort of pulic call for the paid internship circulating in academic circles is as important as the thing actually happening, in terms of mind-virus spreading
**\<rehrar[m]>** Nothing more from me.
**\<theRealSurae>** rehrar[m]: you are the greatest orator of our time
**\<theRealSurae>** binaryFate: TRUE point
**\<theRealSurae>** very true
**\<theRealSurae>** sarang
**\<sarang>** yo
**\<theRealSurae>** when I get back I'm going to look into putting job postings on mathjobs.org
**\<theRealSurae>** i was about to ask you to do it while i'm gone, but it's not urgent and there's no need to delegate. :P if you're curious, though :D
**\<sarang>** I think using mathjobs is a really good idea for pure math applicants
**\<theRealSurae>** there are lots and lots of applied jobs on there too
**\<theRealSurae>** you should check it some time, but
**\<theRealSurae>** creation of a curve is at the intersection of applied algebraic geometry and pure cryptography
**\<sarang>** right, that wasn't what I meant
**\<theRealSurae>** so it's sort of both pure and applied
**\<theRealSurae>** oh ok
**\<sarang>** I mean to get solid reach to academics
**\<sarang>** that's the obvious choice
**\<theRealSurae>** yep
**\<sarang>** They can send us a list of all the points on their new curve, for us to check
**\<binaryFate>** good old emails circulating between labs and advisors ("if you have a really good students, consider asking them to apply. And please forward blabla") is also worth it. Reaches more senior people than a job posting probably read primarily by students directly.
**\<sarang>** Oh, so I've been seeing random reddit postings about deep reorgs
**\<sarang>** But I haven't looked into it at all
**\<sarang>** Anyone know anything?
**\<selsta>** also articles are starting to come out https://www.trustnodes.com/2018/05/07/monero-allegedly-attack-claims-double-spends-orphaned-chains-21-block-deep
**\<moneromooo>** I think it's fixed now (no PR yet).
**\<sarang>** Do you know the cause?
**\<theRealSurae>** is it known what the issue was?
**\<sarang>** jinx
**\<binaryFate>** The +20-blocks fork mentioned in the post is not an actual fork, you only see that when syncing. But somebody is fiddling with decent HR
**\<sarang>** buy me a DietMonero
**\<theRealSurae>** i thought the first few reports were possibly the OP for some reason
**\<binaryFate>** moneromooo link or summary?
**\<moneromooo>** Some init wasn't done in some cases when adding a tx.
**\<sarang>** Yeah, I want to be able to give correct information
**\<moneromooo>** So that was causing the tx to be rejected though it is valid.
**\<theRealSurae>** hrmm
**\<sarang>** OK, so that explains the "double spend" FUD
**\<sarang>** The long-chain reorgs are just related to initial sync?
**\<sarang>** It was noted that there wasn't any big spike in hashrate
**\<sarang>** so it's not outsiders coming online and futzing
**\<moneromooo>** If a pool doesn't accept a valid tx, it will continue mining on its own chain till it stops doing so.
**\<sarang>** OK, so it's a single cause with these two effects?
**\<moneromooo>** What two effects ?
**\<sarang>** Well the reports I've seen have complained about apparent double spends (rejected tx) and long-chain reorgs
**\<theRealSurae>** i feel like if a selfish miner was going to release a chain in an attack, the hashrate wouldn't necessarily look different to an observer, especially if the attacker had 33%+ attack power and was clever with their timestamp choice...
**\<moneromooo>** I don't know anything about double spends.
**\<moneromooo>** Though if a merchant is only connected to that pool, you could swindle it.
**\<moneromooo>** The merchant would have to be only connected to that pool though, but that's not a new attack.
**\<sarang>** Yeah that's just being cavalier
**\<theRealSurae>** https://www.trustnodes.com/2018/05/07/monero-allegedly-attack-claims-double-spends-orphaned-chains-21-block-deep
**\<theRealSurae>** i don't like that article for a variety of reasons, but
**\<sarang>** Yeah that's the article I keep getting linked to
**\<sarang>** it's based on some r/monero complaint posts
**\<sarang>** so naturally it will be accepted as gospel and spread widely
**\<theRealSurae>** it would be helpful to get more information from the specific users making this complaint
**\<sarang>** A random user says one thing and the devs who know things say another thing! So there's no way to know!
**\<binaryFate> \<sarang>** It was noted that there wasn't any big spike in hashrate <-- if someone is purposefully mining on alternative blocks rather than winning chain, we would not "see" the HR spike as it does not make blocks coming faster
**\<moneromooo>** You'd see a hashrate spike downwards.
**\<binaryFate>** only if that miner was mining before no?
**\<moneromooo>** Yes.
**\<theRealSurae>** not necessarily; an attacker with exactly 50% hash rate and honest timestamps will appear to be invisible. an attacker with lower hash rate could mess with timestamps slightly and appear invisible. an attacker with too low of a hash rate couldn't manipulate his timestamps enough to hide his activity
**\<theRealSurae>** (not necessarily re: downward spike)
**\<binaryFate>** Can we check how long it took them to mine a particular altchain of N blocks by checking logs on other nodes on when the last block in their chain got known to peers?
**\<theRealSurae>** we can put a bound on it, for sure, and we can use that to estimate the hash rate power they have
**\<theRealSurae>** ok y'all I gotta go
**\<theRealSurae>** have a good week and a half!
**\<binaryFate>** same!