diff --git a/_posts/2019-10-28-mrl-meeting.md b/_posts/2019-10-28-mrl-meeting.md new file mode 100644 index 00000000..e5505645 --- /dev/null +++ b/_posts/2019-10-28-mrl-meeting.md @@ -0,0 +1,63 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2019-10-28 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** GREETINGS +**\** hello! +**\** I'll give a few moments for others who wish to join +**\** OK then +**\** Since suraeNoether is unavailable for this meeting due to an appointment, I'll share my recent work +**\** I've been working on algorithms and proofs for Triptych, a new transaction protocol +**\** The goal is to use a single proof to represent multiple inputs at the same time, including balance proving and linking tags +**\** Everything works great with completeness, zero knowledge, and soundness except for one proof component (the linking tags) +**\** There's a less efficient version that operates on single inputs, but can be combined for general transactions +**\** For this single-input version, modified proofs of security seem to work just fine +**\** For this reason, I'll finalize work on the single-input proving system while considering alternate approaches to finalizing the soundness proof for the multi-input version +**\** Separately from this, I have a small pull request (PR 6049) for a minor speedup and simplification to the Bulletproofs prover +**\** Also separately from this, Derek at OSTIF informs me that an audit group is willing to complete the CLSAG review +**\** JP Aumasson has offered to complete a review of the math and proofs for $7200 (USD), and his new company Teserakt has offered to then complete a code review for as little as $4800 +**\** He says that including dependencies would increase the time (and therefore the cost), possibly significantly +**\** But the timeline could be before the end of this year, if there are no changes required to the algorithms after the math review +**\** Dependencies, like the src/crypto code ? +**\** Presumably. I do not have specific details on what his scope is (but will get this information) +**\** One approach might be to review all the changes \_from MLSAG_, to show that CLSAG is no less secure as a whole than MLSAG +**\** These changes are fairly minor in the grand scope of the codebase +**\** I see there being efficiency advantages to having JP (and colleagues) doing both types of review, but this also reduces the total number of eyes on the combined math+code +**\** That being said, JP knows his stuff +**\** (he was formerly with Kudelski) +**\** Adding eyes by having Alice do the math and Bob do the code does not provide anything of value over Alice doing both IMHO. +**\** Assuming Alice and Bob have similar eyes and brains and proficiency in the relevant fields etc etc etc. +**\** So that's my report +**\** Is any of the new protocols being considered still compatible with multisig ? +**\** Aside from CLSAG, you mean? +**\** None of them specifically consider it in either algorithms or security model +**\** but it's on my list for analysis on RCT3 and (eventually) Triptych, since there are some modifications to RCT3 that I wish to consider (more on this later) +**\** I mean tryptich, rct3 and... and.......... the other the name of which escapes me. +**\** lelantus +**\** Omniring? +**\** Also :) +**\** Omniring and Lelantus both suffer from some drawbacks at present... Omniring does not support batching, and Lelantus still has a tracing issue unless you remove stealth addressing +**\** Looking into batch-compatible Omniring-style constructions with other proving systems is a topic for more investigation down the road that is nontrivial +**\** Is there other research that anyone wishes to present, or other questions? +**\** Also, rather selfishly, would any of them avoid the public-a issue we had for multi user txes ? +**\** (if known offhand) +**\** public-a? +**\** The problem where users would have to make their a values known to other signers. +**\** Ah, that's very unclear to me +**\** FWIW: RCT3, Omniring, and Triptych are agnostic to how output keys are generated (though their security models address particular constructions) +**\** So my ACTION ITEMS for this week are a bit in flux, mainly because I'll be at World Crypto Conference giving a talk on transaction protocols +**\** But aside from that, I want to finish the proof modifications (completeness, SHVZK, special soundness) for the single-input version of Triptych (which can be used in a larger protocol to support multi-input transactions), as well as a more efficient linking tag construction that matches what RCT3 and Omniring propose +**\** I also want to backport some of the ideas from the latest RCT3 update to their older version to compare efficiency +**\** It's unclear if this could easily be proven secure, or what the efficiency gains would be +**\** Their update did essentially two things: fix an exploitable flaw due to a particular discrete log relation, and allow for aggregated proofs of multiple inputs +**\** Unfortunately, the latter means potentially large padding requirements that would also incur computational cost to the verifier +**\** I want to see how easily the exploit fix could be included in the non-aggregated version... which would avoid this potential verification bloat at the cost of proof size +**\** I probably won't have time to do so this week, but it's on my list +**\** Anything else of note to cover before we formally adjourn? +**\** All right! Thanks to everyone for attending +**\** Logs will be posted shortly to the GitHub agenda issue diff --git a/_posts/2019-11-04-mrl-meeting.md b/_posts/2019-11-04-mrl-meeting.md new file mode 100644 index 00000000..f677a793 --- /dev/null +++ b/_posts/2019-11-04-mrl-meeting.md @@ -0,0 +1,115 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2019-11-04 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** GREETINGS! +**\** I'm surae, I'm a taurus maybe, and i like long walks on the beach with high probability +**\** Hi +**\** anyone else here? +**\** well, public logs will be posted of this meeting either way, so anyone who missed it can find the logs online +**\** okay, well, sarang, would you like to start? +**\** Sure +**\** I've been working on a few things... +**\** More Triptych work, on math/proof for single inputs, which are fine +**\** This includes some CLSAG-style key aggregation and more efficient key images +**\** (more on multi-input in a sec) +**\** Also gave a talk on transaction protocols +**\** And looked at using the existing transaction proofs to mitigate the Janus subaddress attack +**\** As to multi-input Triptych, this link is to the Overleaf paper: https://www.overleaf.com/read/ncqsdsydxvjv +**\** (multi.tex) +**\** The problem with witness extraction is the last equation on page 7 +**\** you and arthur are planning on submitting for peer review, yes? +**\** We could, once/if the proofs work out for multi-input +**\** We want to show that for every spent input M, H(M) = r\*J +**\** where J is the key image +**\** and M = rG +**\** What we instead show is that a sum of the form \sum\_u (\mu\_u \* H(M\_u)) = \sum\_u (witness\_u J\_u) +**\** do you have your talk powerpoint up on your github? +**\** by chance +**\** yes +**\** It's also the case that the sum of all witness\_u is equal to the witness found for the signing key check +**\** Two equations above that one +**\** found it: https://github.com/SarangNoether/talks :P +**\** I don't see a good line of reasoning to show why such a witness extraction would be equivalent to the honest generation of those key image +**\** i'm taking a look now. +**\** that shouldn't discourage anyone else from looking tho +**\** (you have to swap the two sums in the last equation to get something of the form that's two equations above, but that's fine) +**\** janus mitigation right now is extra schnorr signatures, right? +**\** Yes, but you can use the existing transaction proof method, provided you check against a complete subaddress +**\** It's still off-chain, but functionality that exists now +**\** very nice. iirc sgp\_ wrote something on the janus vulnerability and made a blog post about it, or has a draft prepared. is that out or does it need updating or anything like that? +**\** Probably, but I'd like someone else to confirm that tx proof verification does in fact require external input of the suspected subaddress +**\** and that it's not pulled from the proof string in any way, or otherwise influenced directly by the prover +**\** (since the prover could simply use the Janus-modified subaddress) +**\** For this witness extraction, I suspect that it may possible to show that each u-summand in the X-check is in fact equal to a particular r\_u term +**\** If that's the case, then we could easily show that the u-summand scalars in the Y-check are those \_same\_ r terms +**\** great, does anyone else have any other questions for sarang about his work on triptych, or his work on janus, or questions about his talk? +**\** well, my work this week has been on the matching code ( https://github.com/b-g-goodell/mrl-skunkworks/tree/matching-buttercup/Matching ) which has some peculiar failings right now +**\** my basic unit tests for graphtheory.py, which handles all the graph theoretic stuff, are passing. nodes and edges are added and deleted correctly, weighted correctly, matches are found, etc. +**\** but when i simulate a ledger with my simulator.py tool, the result misses some nodes and/or edges +**\** these aren't being caught lower down, but are being caught higher up +**\** hmm +**\** so anyone with interest in python, graph theory, traceability, etc, can contribute by trying to figure out why my code isn't adding edges/nodes appropriately all the time. it's very bizarre behavior, and i'm sure it comes down to something ridiculous like my previous buffer problem +**\** but, i want to put it down for a few days since other folks in theory could help, and i have other things to do like help review triptych's proofs +**\** That seems reasonable +**\** Is it clear in the code (or errors) where the specific problems are? +**\** i.e. if someone wishes to play around with it +**\** running sh tests.sh from the tools folder will auto detect all the tests and execute them; i've skipped all the tests i know are currently passing, so it'll go right into the brick wall immediately +**\** got it +**\** suraeNoether: if you're going to be on IRC this afternoon, we could dive into that witness extraction and see if we can't solve it +**\** I have some ideas +**\** beyond that, i have a few papers i have begun reading, such as this one https://eprint.iacr.org/2019/1177.pdf on aggregation approaches, and a few others on interactive versions of concensus mechanisms like this one https://eprint.iacr.org/2019/1172.pdf +**\** sarang: i'm catching up on the triptych paper now and whiteboarding it +**\** if i go all pepe sylvia on the thing i may take a crazed picture for posterity +**\** excellent reference +**\** I'll add a few more lines to page 7 to show how the X and Y witnesses are related +**\** since that should come into play in the Y-soundness +**\** https://www.youtube.com/watch?v=InbaU387Wl8 +**\** so my action items today are: triptych whiteboarding, janus tx proof validation check (the external input issue you just mentioned) +**\** great +**\** my action items immediately are to post my work report for last month and request funding for my next quarter, but i hate that and i much prefer coding and math so i'm finding myself v avoidant +**\** For this week, I'd (ideally) like to figure out this soundness issue... if it's possible to do so, it provides a very interesting extension to this Groth proof scheme +**\** does anyone have any other research to advertise, or other questions for sarang or i? +**\** and would make Triptych a competitive option for tx protocol +**\** it's such a great name +**\** suraeNoether: here are some general notes on the witness structure for ya +**\** afk for about 10 minutes +**\** sarang ^ yes pls! +**\** The prover wants to show that it knows the discrete logs (r-terms, in notation) for each of the signing pubkeys (M terms) +**\** so it knows a set of r (indexed by u different spends, no index here for clarity) such that M = rG for each one +**\** it also wants to show that H(M) = rJ for each one, where each J is a key image provided by the prover +**\** When done honestly, each J is defined such that J = (r^-1)\*H(M) +**\** In the soundness proof, the "X check" is for signing keys, and the "Y check" is for linking tags +**\** X-soundness allows us to extract a witness (which involves certain Vandermonde-related coefficients) r1 such that r1\*G = mu\_1\*M\_1 + mu\_2\*M\_2 + ... +**\** and we claim (MuSig/CLSAG-style) that knowing this witness r1 implies knowledge of each of the r terms going into the right-hand sum +**\** Ideally, for the Y-soundness, we want to extract a related witness that implies knowledge of the same r-terms that go into the linking tag identities +**\** If you stare at the rightmost terms of the bottom equation and third-from-bottom equations on page 7, you can see the u-summands match up +**\** If we can show (using the form of the Vandermonde coefficients, etc.) that each u-summand in the X-soundness corresponds properly to an r-value, we may be able to make a solid argument about using those same u-summands in the Y-soundness equation (since we need the \_same\_ r-values there) +**\** The construction of the Vandermonde-related coefficients \theta\_e is also discussed on page 7 (and can be found in the original Bootle paper's proof) +**\** back +**\** This might get complicated, since rows of the Vandermonde matrix correspond to different F-S challenges :/ +**\** sarang is done talking now +**\** suraeNoether: yes, the blog post should be updated to include the mitigation +**\** hmmmm +**\** sgp\_: can you link the post for the meeting logs pls? +**\** sgp\_: once it's been confirmed that the verifier externally provides the expected subaddress +**\** showing the correspondence like that has always been a sticking point :\ +**\** https://getmonero.org/2019/10/18/subaddress-janus.html +**\** suraeNoether: unless you can think of a good argument that having the same summand terms in both the X- and Y-witnesses is sufficient already +**\** well, i'll catch up and then i'll see what you mean by that. :P +**\** e.g. we already claim that knowledge of that sum-witness in the X-portion is equivalent to knowledge of each discrete log +**\** sure +**\** \*nod\* +**\** Just remember that the key to the linking is that we show that the \_same\_ r-terms are used to construct the signing keys \_and\_ the corresponding linking keys +**\** so having the same witnesses should come into play +**\** It gets tricky because we don't directly show knowledge of each r-term, just the mu-weighted CLSAG-style combination +**\** So I wonder if we in fact already have all the information we need to show this +**\** and perhaps don't need to mess with those Vandermonde coefficients (which would be a huge pain to do) +**\** okay, does anyone else have any research to talk about, or questions for MRL, or requests/points to bring up/etc? +**\** otherwise we can adjourn the meeting and continue chatting about triptych outside of that context +**\** roger diff --git a/_posts/2019-11-12-mrl-meeting.md b/_posts/2019-11-12-mrl-meeting.md new file mode 100644 index 00000000..37bf7183 --- /dev/null +++ b/_posts/2019-11-12-mrl-meeting.md @@ -0,0 +1,83 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2019-11-12 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** Hello all +**\** Meeting begins presently +**\** hello +**\** First, GREETINGS +**\** darn, beat you to it :) +**\** Next up, ROUNDTABLE +**\** howdy :D +**\** sarang how about you go first +**\** I backported the RCT3 exploit fix from the multi-input aggregated proving system to the single-input prover, updated code to reflect this, and checked the relevant security proofs for this construction +**\** Also went through some math on ways to support multisignatures securely on the sublinear protocols under consideration, with no good answers +**\** As of now, the constructions for RCT3, Omniring, and Triptych all require an output secret key inversion, which is incompatible with the linear-combination method used for doing multisignatures +**\** This only comes up for RCT3 and Triptych in the key image generation step, but it's still unfortunate +**\** i was reading about some signature schemes that don't use hash functions and do use key inversion the other day... when i review your stuff on triptych soundness later today, i'll see if there is anythingt obvious that jumps out at me +**\** Thanks +**\** i would assume it's not obvious because you and randomrun are both v diligent +**\** A few things are still in progress too +**\** Regardless of multisignature support, I'm working up a preprint on Triptych for IACR eprint +**\** It'll either be the provably-secure single-signer version, or the multi-signer version if the soundness argument works out +**\** It'll include the same PRF-based key image construction as found in RCT3 and Omniring, since that's much more efficient than one based on hashing public keys +**\** Now passing the baton to suraeNoether +**\** cool, so for our traceability analysis, i'm collecting data now. i presented some preliminary results from a \*single\* simulation yesterday that were rather promising, but can't be generalized yet +**\** Is the code for those results currently pushed to your repo? +**\** indeed, all you do is run playerchallenger.py with python3 and simulation results will be spit out +**\** Can you provide the branch and commit for that version, to be sure we're running the same code? +**\** of course, the results will vary from simulation to simulation so the precise numbers i provided yesterday will change from simulation to simulation +**\** right +**\** https://github.com/b-g-goodell/mrl-skunkworks/tree/matching-buttercup/Matching is the present up to date everything +**\** Got it, thanks +**\** the code isn't complete in a lot of ways (there are always ways to make the weighting scheme selected by Eve to be better and to take into account more data), but it's complete enough to start doing some data analysis to get some hard numbers on churn +**\** How can I configure it to test with different churn parameters? +**\** i am currently modifying the code to specifically investigate churn, which requires some changes to the very front end of my simulations; i don't expect it to be done today +**\** ^ heh +**\** ok, so stay tuned +**\** I'm seeing commit d5076 as most recent +**\** indeedindeed, d5076 is most common +**\** roger, thanks +**\** i think MRL-churn-numbers will have some more satisfying answers later this week +**\** other than that: catching up on the RCT, omni, and triptych work that sarang has been doing +**\** that's all i have. OH my work report and stuff like that :P +**\** fingers crossed my question makes sense +\< could the logistics be made to work such that signing a tx still happens via linear-combination but key image is derivable independently by multisig members? +**\** We'd need a secure MPC for the function J(x) = (1/x)\*U +**\** If there is such a thing, it's all ok +**\** (here U is a globally fixed curve group generator) +**\** I'm trying to find the paper where that particular PRF was first introduced +**\** Cited from Omniring (reference 20): https://www.iacr.org/cryptodb/archive/2005/PKC/3320/3320.pdf +**\** Anything else to share or discuss from anybody? +**\** Besides me both liking and disliking that particular pseudorandom function =p +**\** Just compute the logarithm then add ;) +**\** But for real, an MPC for that function based on linear combinations would solve the multisig problem AFAICT +**\** It may not be possible while retaining its nice PRF properties +**\** (perhaps there's a formal argument that such an MPC couldn't exist) +**\** Slightly more seriously: why not compute the inverse of the product of the private keys and instead of a partial sum on the basepoint being passed around, a partial product on the basepoint is passed around... +**\** If I have x and you have y, let the combined key be 1/(xy) U +**\** If you take away the affine nature of the composite key, I don't see a way to make that work cleanly with the rest of the proof +**\** nor do I immediately see what partial key image data would be passed around to construct the full image +**\** I send you (1/x)U. You multiply by 1/y... +**\** So it's not just an mpc you need but specifically a linear function of the input keys... +**\** Perhaps. I was thinking in the context of linear key combinations initially (since the rest of the proofs play nicely with that) +**\** The current multisig works nicely because everything plays nicely with linear combinations +**\** But point taken that if it were possible to relax that restriction, it could be quite compelling +**\** The only point in Triptych and RCT3 that requires the use of a full private key (outside of key image construction) is at the end of the proofs, to construct a particular masked scalar +**\** Hmm +**\** Ok well I am going to continue reading on triptych and I will try to make a push later today to mess with churn number in my simulations for sgp\_ +**\** Righto +**\** Let me know if you have any additional thoughts on multisig/MPC constructions too +**\** Oh, and here's a neat paper that came out recently for doing composable zk proofs in a Python library: https://arxiv.org/abs/1911.02459 +**\** thanks suraeNoether. I'm interested in testing your model out +**\** So perhaps on to ACTION ITEMS now? +**\** Mine are to wrap up the Triptych formalization to a preprint as much as possible, while considering options for secure MPC +**\** and then I want to do a deeper review of suraeNoether's recent work on his simulation code +**\** (and clear a backlog of lit review) +**\** My big backlog for matching at this point is commenting it and documenting how it works for anyone who wants to pick it up +**\** But other than that, I am reading today and doing my work reoorts diff --git a/_posts/2019-11-18-mrl-meeting.md b/_posts/2019-11-18-mrl-meeting.md new file mode 100644 index 00000000..9d8b32a4 --- /dev/null +++ b/_posts/2019-11-18-mrl-meeting.md @@ -0,0 +1,79 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2019-11-18 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** First, GREETINGS +**\** Hello +**\** heylo +**\** hello +**\** For today's ROUNDTABLE, I have a few things of interest to share +**\** Updates to the RingCT 3.0 analysis and code reflect its two provably-sound versions: https://github.com/SarangNoether/skunkworks/blob/sublinear/rct3.md +**\** One version is the authors' padded-input version that implies some restrictions on the signer count +**\** The other version is a backport I did of the exploit fix from their newer version to the original one, with corresponding changes to security proofs +**\** Triptych analysis now reflects an optimized multi-signer version: https://github.com/SarangNoether/skunkworks/blob/sublinear/triptych.md +**\** as does its code and the draft writeup +**\** I have shared the writeup with a few additional researchers as well, in the hope of getting extra eyes on the soundness proof +**\** The CLSAG paper was unfortunately rejected for the Financial Cryptography 2020 conference (which only had a 22% acceptance rate, according to the committee) +**\** Here are the reviewer comments: https://gist.github.com/SarangNoether/e39db743c3260448c1d67c3622b43f4b +**\** Reviewer A, who recommended rejection, made some detailed points about the security model: particularly how ambiguity and linkability are treated relative to some other papers +**\** Once suraeNoether returns, I want to discuss the particulars of this +**\** I'm not convinced that the more complete linkability treatment (which ties in ambiguity as well) is needed, given the use case +**\** However, the recommendation for a more robust treatment of signer ambiguity is fair +**\** The notes about the k-OMDL assumption being less common are also fair, but that's the best hardness assumption that was found for the proofs in question +**\** Related to CLSAG: Derek at OSTIF tells me that JP Aumasson, who quoted $7200 to review the paper, is available presently to do so, and it's not clear at the moment when he would be unavailable again +**\** I didn't sense a lot of broad support for this earlier +**\** Given that the FC2020 review comments just came back, the paper should be updated to reflect the notes before being sent off to anyone for additional review +**\** So the timeline on this seems unclear right now +**\** Does anyone else wish to share interesting news or research? +**\** Righto +**\** My ACTION items are to address CLSAG reviewer comments to update the preprint, finalize single-signer Triptych analysis and the associated preprint, continue working with others on whether multi-signer soundness is provable using known assumptions, and examine the current state of suraeNoether's graph-matching work +**\** What a quiet meeting =p +**\** normaly this meetings are you talking with suraeNoether :P (at least the lasts I watch) +**\** I am reading the links you posted, thank you for the heads up +**\** selsta also posted this link elsewhere, which I found very interesting: https://medium.com/dragonfly-research/breaking-mimblewimble-privacy-model-84bcd67bfe52 +**\** Looking at a practical attack on Grin using network observation +**\** I did start to understud better how MW work with that research +**\** there is not much they can do about this kinda of attack unless users kinda of "coinjoin" the transactions with know peers before releasing them to the all network +**\** for what I did understund about it +**\** It definitely highlights the importance of the network and propagation layer in transactions +**\** seems like using 8 peers only by default is kinda dangerous +**\** vtnerd has been looking into the tricky interactions involved with integrating Dandelion++, I2P, Tor, and the like +**\** I mean for dandelion to work "properly" +**\** It should be possible to get some farly good level of privacy with MW, but the way the transactions are propagated would need to became more complex in order to ofuscate the way they are made +**\** How so? Dandelion++ provides restrictions on stem neighbor selection for a given time epoch +**\** kinda of what Bitcoin think they can do on layer2 to obuscate the linkability on layer1 +**\** I guess if one connects to more peers it increases the chance that it aggregates transactions before they're peered to the network for what I understood from that paper +**\** A good lesson on how it's tricky to assume things about transactions before they reach the chain, I suppose +**\** Well, anything else of interest to discuss before closing the meeting? +**\** If anyone has thoughts or comments relating to the CLSAG reviewer notes, I'd be glad to hear them +**\** just one quick question from someone that dont know much abouth CLSAG +**\** sure +**\** CLSAG will not make possible second layer networkds (missing the word here) ? +**\** No, it doesn't introduce any new functionality toward that +**\** Its only purpose is to make signatures smaller and a bit faster +**\** Off-chain solutions are limited by a lack of scripting and ambiguity around useful things like non-interactive refunds, etc. +**\** there is something that can possibility second layer in the future for monero yet or we still far from it ? +**\** Introducing such things is tricky (DLSAG is one attempt, but suffers from a linking problem) +**\** ok, thank you for the heads up +**\** If you are willing to work through the technical language and definitions, the DLSAG paper has some very clever constructions: https://eprint.iacr.org/2019/595 +**\** (disclaimer: I am a co-author on the paper, but did not come up with the original idea) +**\** Ok, I will take a look +**\** It highlights how tricky it can be to enable swaps, payment channels, and the like, given the protocol and indistinguishability restrictions +**\** Oh, I should also add that the DLSAG paper \_was\_ accepted to the FC2020 conferences +**\** oh, that is good +**\** I believe that it will be almost impossible to make any "Non-Interactive Refund Transactions" (just took it from the paper) seemless as the other transactions +**\** DLSAG comes very close, but the linking problem is troublesome +**\** peraphs we would come to a place where we need to choose if we want to acept anything like DLSAG knowing its less private but allow us to have hotswaps and some kind of lightning network working +**\** or just keep with onechain transactions +**\** I would not expect broad support for such a tradeoff, but who knows +**\** And perhaps a new idea that \_does\_ solve the problem will arise at some point +**\** we hope so +**\** Anyway, are there other topics of interest to bring up before closing the meeting? +**\** well, thats all from me, thanks for your time sarang \* +**\** no problem +**\** OK, the meeting is over! Thanks to everyone for attending diff --git a/_posts/2019-12-09-mrl-meeting.md b/_posts/2019-12-09-mrl-meeting.md new file mode 100644 index 00000000..75c661cf --- /dev/null +++ b/_posts/2019-12-09-mrl-meeting.md @@ -0,0 +1,159 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2019-12-09 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** Let's go ahead and get started with GREETINGS +**\** o/ +**\** hello +**\** That's long enough! +**\** Let's move to ROUNDTABLE +**\** suraeNoether: what up with you +**\** i'm terribly ill this morning, so my update will be very brief. my work in this past week has involved three incomplete tasks: +**\** 1) CLSAG linkable anonymity proof required some thought. sarang and i have thought about it and we have a strategy to finish writing the proof. sarang: do you want to make the changes to our LA definition or do you want i should? +**\** suraeNoether: I have a writeup for LA in my notebook that I'm transcribing to TeX +**\** and proof\* not just the definition +**\** it works just fine +**\** On that note +**\** Do you have any thoughts on linkability (not LA) +**\** I don't particularly like the Backes definition +**\** uh one sec +**\** Triptych has a version of linkability+non-frameability that I like better +**\** is there soemthing wrong with the definition we proposed initially? +**\** iirc that one's from bender +**\** It's not formalized quite enough, in the apparent opinion of the reviewer +**\** I think it needs just minor work +**\** Triptych formalizes it a tad more IMO +**\** I can add that to the writeup if you like +**\** well +**\** for the sake of the audience, can you describe the 3 different definitions you want to consider? or 2, assuming you want to bail on backes' +**\** Backes requires the following for an LRS: completeness, linkable anonymity, linkability, non-frameability +**\** Right now we combine linkability and non-frameability with non-standard terminology +**\** Backes uses a particular linkability definition: can the adversary use `q` keys to generate `q+1` non-linking signatures? +**\** Where `q` is scaled via the security parameter +**\** I don't particularly like this definition over the "usual" one about producing two linking signatures, but I think it's important to frame the definition as a challenger-player interaction +**\** Our current method does this very informally +**\** I propose a combined linkability definition in my Triptych writeup that's a slight formalization of what CLSAG has now +**\** (it could easily be split into linkability and non-frameability) +**\** hmmmm q scaling with the security parameter is the weird part to me: if the security parameter goes up, so does q... and so this means, for example, the adversary can't produce 3 signatures using 2 keys without some linking occurring. this feels \*weaker\* than the statement "can't produce two signatures using the same key without them being linked" +**\** Yeah, which is why I don't really like it +**\** didn't sit well with me +**\** and we want the property with q=1 anyway to prevent double-spending +**\** So I am proposing not using the Backes definition, but simply formalizing what we have now, a la Triptych +**\** then it's more clear what the linkability player has access to in terms of keys etc. +**\** okay, i'm going to read more deeply into that this afternoon +**\** IMO it's a pretty straightforward formalization +**\** doesn't affect much in practice +**\** backes' definition with q=1 seems to me to imply backes' definition with greater q, but it's possible that it doesn't technically reduce the way it seems. i'll think more about it +**\** That definition doesn't make assumptions about linking tags being equal AFAICT +**\** Whereas ours does +**\** I think that's part of it +**\** Anyway, you were talking about work you'd been doing, before I barged in =p +**\** moving along, my next incomplete task is reviewing triptych's security proofs more deeply, which dovetails with this :P +**\** Yeah, a nice tie-in +**\** finally, i'm working on matching simulations today. i'm experiencing a data management and presentation issue, but i hope for the end of the day a nice graph displaying performance of Eve as a function of ring size and churn length +**\** Nice! +**\** this will come along with a push to my repo with all the code used to generate that, and explanations so people can replicate it +**\** word +**\** that's it, if i had presented in the other order then your "barging" would have been a great segue into \*your\* work for the week :P +**\** We can pretend otherwise +**\** I have completed a draft of the Triptych preprint, which is now in suraeNoether's hands +**\** suraeNoether: I'm really looking forward to that chart +**\** it includes my proposed linkability+non-frameability definition +**\** Figured out the CLSAG linkable anonymity definition, which is not as strong as Backes, but does the job IMO +**\** I've also been working with Aram from Zcoin on some related Groth proving system stuff +**\** what's the shortfall on the linkable anonymity definition, even if there's no practical difference? +**\** There will be a neat paper coming out from them on that shortly, which they graciously provided to me in advance +**\** sgp\_: Backes permits key corruption, which doesn't work with our DDH hardness assumption +**\** Instead, we assume the adversary can obtain key images +**\** And that the adversary can pack rings with their own malicious keys +**\** sarang: thanks +**\** (which you can assume are trivially corrupted) +**\** This is already stronger than the existing definition that was used +**\** Otherwise, I also wish to update the DLSAG paper (which will appear next year in conference proceedings) with the CLSAG security model, since they are structurally extremely similar +**\** So overall, a lot of tedious (but still interesting) stuff involving formal definitions and proofs +**\** When suraeNoether finishes his review of the Triptych preprint, it'll go to the IACR archive +**\** and presumably any CLSAG/DLSAG updates as well +**\** hmm Backes' linkability definition is a puzzle i have very little intuition about: should it be harder or easier to present 2 signatures from the same key without linking the signatures than it should be to present 201 signatures from 200 different keys without any of them linking? \*taps chin\* +**\** The adversary picks which keys IIRC, right? +**\** yeah, adversary can use KeyGen or any other way of selecting the verification keys +**\** may not even know the secret key, so it's genuinely adversarial +**\** ya +**\** The adversarial generation isn't really a big deal, since soundness implies the adversary's choice of keys satisfy the verification equations +**\** and then you rely on the one-way mapping +**\** actually, it's not clear; each verification key needs to be in \mathcal{VK}, and it's not specified where that comes from, i'm assuming from the challenger +**\** in which case the adversary has to pick challenge keys to break linkability, it's not enough for the adversary to pack all rings with fake pubkeys +**\** Backes even notes that generating `q` such signatures is trivial, since you simply use separate keys +**\** Fake pubkeys should be acceptable +**\** since the adversary does all this offline, or otherwise generates the pubkeys in its own (seemingly) valid transactions +**\** The `q=1` case feels like some kind of targeted linking attack, where the general `q` case seems like a broader "hope for a collision somewhere" attack +**\** suraeNoether: thoughts? +**\** nothing concrete. the way this definition is written feels very very counter-intuitive to the way you and i have discussed linkability in the past. +**\** Yeah, and I haven't seen it anywhere else +**\** Again, I don't feel any particular need to use it +**\** But getting the existing definition more formalized in a challenger-player sense seems wise +**\** agreed +**\** roger +**\** OK, that's my update +**\** Does anyone else have interesting (or uninteresting) research to share? +**\** ok, dude, i think i know the problem here +**\** with that definition +**\** or at least my problem with it +**\** Ooh, go on +**\** linkability is a property that has a "correctness" component and a "soundness" component. to correctly link two things means to link them when they should be linked. to soundly link two things is to \*only\* link them when they should be linked +**\** you called this positive and negative linkability at some point +**\** i feel like this definition is mashing the two together +**\** or attempting to +**\** anyway, my thoughts don't go deeper than that yet +**\** Backes uses non-frameability to show that you can't make signatures that \_appear\_ to link without knowing/using the same key +**\** and linkability to mean that you can't make sigs with the same key(s) but different tag(s) +**\** The reviewer didn't like the CLSAG paper's use of positive/negative/soundness in linkability +**\** hmm +**\** okay, that's going to require more thought +**\** anywya, now i'm done. :P +**\** A lot of this is simply getting the right terminology for the definition(s) of choice +**\** I happen to like using linkability to refer to both +**\** since that's typically what you want +**\** but it's two different concepts +**\** OK, we can move on to any other research +**\** or to the next topic, QUESTIONS +**\** i have a pretty general observation +**\** which may be relevant in terms of independent interest +**\** a property like linkability applies to all ZK proofs. for example, our ring signatures are ZK proofs of knowledge of a secret key. but they are \*linkable\* proofs of knowledge, so that if the same witness data (keys) are used for two different proofs (signatures), then an observer can link them. +**\** so just like ZK proofs have a property of correctness (if you know a witness, the proof is valid) and a property of soundness (if you don't know a witness, your proof is invalid), a linkable ZK proof is going to have a dual pair of notions for linkability +**\** i bring this up so that the next version of snarks has an L floating around +**\** There's a related-ish property in sigma protocols, quasi-unique responses +**\** But that relates to responses to the verifier challenge +**\** more reading to do :\ +**\** There's probably a subtle relationship to (SHV)ZK +**\** and therefore witness indistinguishability +**\** (which follows from SHVZK) +**\** anyway +**\** Normally, providing two proofs should not reveal distinguishing information about the witnesses +**\** right +**\** Hopefully you will enjoy the Triptych paper, which builds a linkable construction on top of a sigma protocol :) +**\** i enjoyed it the last time i read it, and the tiem before that. it takes awhile to digest :P +**\** ok, i gotta bounce, i'm not feeling well; my list of 3 unfinished tasks is also my list of action items today +**\** roger +**\** My ACTION ITEMS are getting these new definitions and proofs typeset and finalized, determining their DLSAG applicability, a few other organizational issues on the CLSAG paper to prepare it for resubmission, and getting Triptych submitted on review +**\** Any other final thoughts, comments, or questions before this meeting ends? +**\** I have an unrelated question. +**\** ? +**\** I was wondering whether atomic swaps between two cryptonotes with hte same curve etc (ie, not the general case) is possible now. +**\** Well, assuming the tooling was there of course, which it isn't. +**\** In theory I mean. +**\** I don't know of a good way that retains indistinguishability as well as DLSAG does, and that still has the tracing issue +**\** If you were willing to accept and mitigate the tracing issue, then its method could do it +**\** its = DLSAG's +**\** What is the tracing issue already ? +**\** The fixed basepoint used for dual-address key images allows determination of unwanted signature linking +**\** It isn't clear how to do a DLSAG-type construction with the variable-basepoint key images used currently +**\** I should more precisely say, the use of a fixed basepoint and having output private keys used as the corresponding key image discrete log (this doesn't exist in more recent constructions that use a fixed basepoint but in a different way) +**\** Oh, suraeNoether: do you think it's useful in the LA definition to include the linking tag oracle separately from the signature oracle? +**\** The player can get the linking tag oracle result simply by querying the signature oracle on a public key by using a random ring and message (and ignoring everything but the returned linking tag) +**\** Having a separate oracle only really serves to make it clear that the player doesn't necessarily need to convince a user to sign messages, but can obtain linking tags otherwise +**\** (although in this security model, it can do both) diff --git a/_posts/2019-12-16-mrl-meeting.md b/_posts/2019-12-16-mrl-meeting.md new file mode 100644 index 00000000..5d86dac5 --- /dev/null +++ b/_posts/2019-12-16-mrl-meeting.md @@ -0,0 +1,175 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2019-12-16 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** GREETINGS +**\** howdy! +**\** suppose we should move onto the roundtable? +**\** Might as well +**\** Who shall begin? +**\** I'm going to ping isthmus +**\** in the hopes that he can describe a bit of the data science work he's currently doing +**\** n3ptune and I have been looking at block rewards +**\** Lots of funky stuff going on +**\** How so? +**\** Isthmus is digging up figures +**\** Here's a bad figure, and I'll try to have a nicer one by the end of the meeting +**\** https://usercontent.irccloud-cdn.com/file/f9F4XDd3/image.png +**\** x-axis is block height +**\** y-axis is the total reward claimed by the miner +**\** (fresh + fees) +**\** The trend is basically our emission curve (the bottom of the traces) +**\** The data points above the trend are miners who made good blocks with fees on top of reward +**\** exponential decay shape of the graph comes from our emission curve (fees are related to block reward). is the piecewise break from bulletproofs? +**\** The anomalies below the line are what's interesting +**\** There's a few distinct events that happened +**\** For each, we can tell a few things: +**\** Exactly which blocks were mined by that miner/pool/software +**\** (linkability) +**\** And exactly how long it took them to notice that they were making suboptimal blocks, and fix the software +**\** You can tell a bit more by adding size as the color +**\** https://usercontent.irccloud-cdn.com/file/HUoctx7I/image.png +**\** Scale is blue to yellow +**\** So there I've zoomed into a small section +**\** Looking at the band from 1225000 to 1275000ish +**\** It looks like the blocks claiming \*less\* reward than empty blocks are about the same size as those produced by others +**\** that graph is gorgeous bro +**\** thx :- ) +**\** Odd behavior +**\** The definition of suboptimal, you might say... +**\** Yeah, because their sizes are about the same as the surrounding blocks, here are two guesses for what might be happening +**\** Maybe other miners are making high-fee big blocks, and the ones below the trend are the suckers that make big blocks after the mempool has been tapped out for high-fee txns +**\** But based on how bounded the second (anomalous) trend is, I think it might just be a software bug? +**\** I just discovered this like 20 hours ago, so I haven't done full exploration +**\** I'll be able to drill down into the blocks and actually figure out what was going on +**\** (that's about where it's at right now) +**\** It's really interesting to see it mapped out so clearly +**\** thanks so much, isthmus; it seems to me like i've read at least one paper about purposely claiming smaller rewards for a variety of game-theoretic reasons... +**\** i'm going to try to dig up at least one of htem +**\** i have so many questions about this +**\** It would be good to know which particular software (if it's specific) leads to this, due to how common it appears to be +**\** suraeNoether: your roundtable? +**\** yeah, sure: Matching. I \*think\* i'm \*one\* bug away from getting all the data i want. and I'm talking to Insight Data Science to throw a fellow at the simulation results to help me come up with best-practices recommendation +**\** my current bug is silly and strange, in that i'm not adding the number of nodes and edges my software is expecting. initially i thought this was a problem with computing the number of available ring members or something like that, but i'm still trying to figure it out +**\** Do you have code ready that can reproduce it? +**\** it occurs in a random test in testSimulator.py, not any of my deterministic tests +**\** so i'm still hunting down exactly the conditions that lead to the bug, and attempting to isolate it as a new unit test +**\** the graph theoretic component is working perfectly, the analysis component exploring parameter space is working perfectly, but the simulator keeps hitting this snag and then we're off to the races +**\** oops, here +**\** welcome +**\** suraeNoether: you dont think V could make all those masks by himself even in 20 years though? +**\** suraeNoether: is the currently-pushed code the version you're working with? +**\** yes, the commit i pushed this morning +**\** to matching-buttercup branch +**\** so, someone brought up by sidechannel the question about whether i should re-implement the sims in rust in the hopes that the improved explicit references of rust would help find the errors +**\** Do you suspect that could be the origin of the errors? +**\** i think refactoring the whole codebase is a last-ditch effort for finding the bugs, though +**\** If they're simply algorithmic mistakes, switching to Rust might not do anything +**\** no; i literally think i'm merely predicting the number of nodes and edges incorrectly based on the total nodeset as opposed to only the nodes that can be spent. +**\** have you tried log statements? +**\** secret weapon +**\** and i'm in the midst of tracking that down +**\** Could you tweak the simulation to be 3 blocks long, 2 transactions per block, with spend pattern & ring member selection algorithm = pull from previous block +**\** Would the issue persist and be easy to spot by eye? +**\** endogenic: your suggestion reminded me of https://xkcd.com/451/ =p +**\** except that i am +**\** :P +**\** Nono, the statement about logs! +**\** Sorry, digression +**\** isthmus unfortunately i believe the problem may be in the ring selection algorithm i have written (which is only uniform at this point), so that would reduce the problem away +**\** but i'm attempting something similar next +**\** right now, debugger is my friend +**\** sarang, how about you? +**\** log statements are nice because you can let the whole thing run +**\** Several things to mention +**\** debugger is also nice. +**\** I modified the linkability and non-frameability definitions in Triptych, and would like to see if they can be directly used in CLSAG as well +**\** I've come around on Backes' definition of linkability +**\** I updated the CLSAG linkable anonymity definition, as well as its proof +**\** Reviewed a paper by the Zcoin folks on hierarchical Groth commitment proofs +**\** Looked over some changes that Zcoin made to fix a problem they had relating to Groth proofs (doesn't apply to Triptych) +**\** Worked out some example code for doing inversion via an MPC for use in computing certain linking tag constructions +**\** and wrote out some simple draft MPC ideas for RCT3 and Triptych, which for now assume honest-but-curious players +**\** nice! +**\** The good news on MPC is that it's certainly possible to collaboratively compute the inverse-based key images used in those proving systems +**\** The bad news is it requires something akin to Paillier encryption, which leads to some computational overhead +**\** hmmm are you looking into the MPC stuff for linking tag constructions due to the constructions and usage of linking tags in Triptych? +**\** (note that my example code should \_not\_ be taken to be a secure Paillier implementation) +**\** Yep, the MPC is to handle linking tags in Triptych, RCT3, and Omniring +**\** Even though Omniring can use traditional linking tags, even that construction still requires an underlying inversion +**\** There are also affine quantities to compute, but those are understood +**\** refresh my memory: which, if any, of those 3 require self-sends? +**\** None of them +**\** DLSAG and Lelantus would require this +**\** LELANTUS +**\** okay, so what, in your heart of hearts, are you hoping for from linking tags? +**\** The problem, previously, was that it was not clear how to enable multisig support when the linking tags require a secret key inversion +**\** aaaaah +**\** Now that there's an understood MPC to compute this, it means multisig support is feasible +**\** gotcha gotcha +**\** you had questions about multisig for me +**\** The downside to the MPC is that Paillier can't take advantage of the efficient curve libraries we all know and love +**\** we can address them now or after the meeting if you like +**\** hoi sorry for being late +**\** holla +**\** long time no see silur +**\** whatup silur +**\** Paillier requires RSA modulus stuff (but there aren't issues with trusted setup etc.) +**\** Encryption and decryption require exponentiation with variable modulus +**\** So computationally-constrained devices would need to able to support this +**\** s/to able/to be able +**\** so are we hoping for an MPC to compute inversion-based key images... such that the MPC is more consistent with the development history of monero/cryptonote? ie based on the DL setting in Ed25519 instead of RSA? +**\** or at least, one of the items on our "wish we had" list? +**\** Such a thing would be great, but as you pointed out, getting the required homomorphicity would imply a DL break, or some such thing +**\** can you elaborate on "inversion based key images"? +**\** or shall I just review it from the log? +**\** Key images / linking tags in newer proving systems use the form `(1/x)\*U` +**\** rather than x\*H(X) +**\** U is fixed, yes? +**\** Here the division is an inverse, `x` is the secret key, and `U` is either globally fixed or depends on the proof statement +**\** but it's public +**\** uhmmmm wait a moment: +**\** It's globally fixed in the more efficient versions of the proving systems +**\** my comment had to do with an efficient group-to-scalar map that had any sort of homomorphicity built in +**\** oh oh oh +**\** i get what you are saying +**\** For context: https://github.com/SarangNoether/skunkworks/tree/inverse-mpc +**\** The inverse.py script shows how the process works, and the markdown documents describe one possible use for RCT3/Triptych (again, with many assumptions on the players) +**\** The encryption homomorphicity is important for the MPC method that Gennaro and Goldfeder introduce +**\** so most generally, each person has a secret x\_i and there is a function f such that you want to compute f(x\_1, ..., x\_n)\*U with some friends. you were using f(x\_1, ..., x\_n) = 1/sum(x\_i) ? +**\** you know what: let's talk about this after the meeting +**\** Yeah, better for after meeting +**\** so, isthmus, myself, and sarang have all brought the room up to speed. does anyone else want to talk about any monero-related research they are doing? +**\** can't we somehow exploit the bootle inner-product encryption with a killian randomization here somehow? the killian randomization preserves linear combinations so everything before multiplying with U is the same +**\** but individual inputs are useless +**\** and at the last step the same inner-product for the last vector reduces into a Z\_p element? +**\** I don't see how to directly apply that to the share derivation in Gennaro +**\** The multiplicative-share to additive-share method, I mean +**\** (which is the point of their Paillier-based protocol) +**\** Oh the Genaroo-Goldfeder method IS a hard requirement +**\** then we can't inded :) +**\** I wasn't aware it's a must-have +**\** Well, we don't \_need\_ to use Gennaro-Goldfeder +**\** but it seems reasonably efficient and useful if you can accept the homomorphicity requirement +**\** In the interest of time, let's move to ACTION ITEMS +**\** Mine are to continue work on the MPC stuff, get CLSAG definitions ported as necessary (would like to discuss with suraeNoether as well), and get final review on the Triptych draft to get posted to IACR +**\** triptych? O.o +**\** ? +**\** mine is to hunt down and kill my final bug, work on the churn report, review the triptych draft (finally) and continue chatting with isthmus about getting a data science fellow working with me on matching/churn +**\** I was not familiar with that, will look into +**\** it's a paper sarang is presently writing +**\** too much meetings missed :D +**\** silur: Triptych is a linkable ring signature construction based on Groth 1-of-many commitment proofs +\<3 +**\** Preprint draft forthcoming +**\** There's a super-efficient version for which I can't reduce soundness to a known hardness assumption +**\** If you want to take a look silur, most welcome +**\** The less-efficient version does reduce nicely +**\** yea I'd be more than happy to look into +**\** neat +**\** OK, I suppose we can formally adjourn and continue discussions as desired diff --git a/_posts/2019-12-23-mrl-meeting.md b/_posts/2019-12-23-mrl-meeting.md new file mode 100644 index 00000000..c74558f5 --- /dev/null +++ b/_posts/2019-12-23-mrl-meeting.md @@ -0,0 +1,88 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2019-12-23 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** we'll start with GREETINGS. hiya! +**\** mele kalikimaka, etc +**\** let's move along to the ROUNTABLE +**\** i know isthmus has been up to some interesting stuff with block sizes and fees, but he doesn't appear to be here. sarang, as usual, has been busy. you want to start, sarang? +**\** Sure +**\** I redid the CLSAG linkability and non-frameability definitions, theorems, and proofs +**\** and then did a major reorganization of the preprint for clarity and style/format +**\** It's ready for suraeNoether's review, and then posting +**\** Additionally, the Triptych preprint draft is ready for suraeNoether to review as well +**\** and then it can be posted +**\** good times +**\** word, word +**\** does anyone have any questions for sarang? +**\** Apparently not! +**\** I have a question for the MRL team regarding L2 scaling for Monero: Are there any scalability solutions currently deployed on Monero? If not, why not? +**\** I assume you mean off-chain? +**\** I do mean off-chain +**\** not currently deployed. DLSAG and thring signatures are two fundamental pieces of off-chain scaling +**\** DLSAG is currently... uhm... accepted for publication? did iirc? +**\** Accepted to FC2020 +**\** that's a spicy meatball, yes +**\** Awaiting some likely rewrites for definitions +**\** Downside is that indistinguishable refund-compatible transactions don't play nicely with key image requirements +**\** mikerah[m]: requires some more research into how to ensure consistency in key image use +**\** ^ +**\** So, the current state of the art for monero is DLSAG, thring signatures and the Tari sidechain? +**\** tari sidechain is independent +**\** Tari is a separate project +**\** but built on top of monero, from my understanding +**\** No +**\** er... sidechain +**\** not \*on top of\* +**\** IIRC they're doing a MW-based implementation +**\** oh +**\** news to me \*shrug\* +**\** Hoping to do merge mining +**\** But I have not been following their recent work +**\** ah +\ Me too. I guess the association to fluffypony made me assume that it was Monero related +**\** well, for my part of the roundtable, my work this week was to start copy-editing triptych and clsag, and to work on my matching simulations. I just made a push this morning... https://github.com/b-g-goodell/mrl-skunkworks/tree/matching-buttercup/Matching +**\** anyone can run tracing.py and it will create a data folder, stash human-readable simulated monero transcripts inside... +**\** mikerah[m]: to be clear, DLSAG is not deployed anywhere +\ Thanks for the clarification. +**\** these transcripts say things like "Alice sends key NODE\_ID with ring members RING\_MEMBERS, authorizing the creation of outputs NEW\_NODE\_ID owned by Bob." It's a "ground truth" ledger. +**\** these transcripts also contain the accusations that Eve makes. "Eve thinks ring signature NODE\_ID belongs to Bob. In actuality, it belongs to Alice." sort of thing +**\** in theory, anyone can fire up tracing.py, tweak the parameters inside, and see the simulated ledger +**\** the ledger is working just fine +**\** nice +**\** unfortunately, but also fortunately, once i put these transcripts into human readable format it became immediately obvious there was a problem with my Eve +**\** she is allegedly granted knowledge of her part of the graph, but she doesn't incorporate that knowledge into her matching solution appropriately. +**\** so the previous numbers i shared in here, which i took care to explain where provisional, are lower than what we can expect from a realistic eve. +**\** these problems were not being caught by my unit tests +**\** What needs to be done to properly account for that? +**\** the run\_experiment function in tracing.py builds a dictionary called eve\_ownership, which is not utilized correctly, and allegedly deletes spurious ring members, but i have some evidence that this isn't being done correctly either +**\** what really needs to happen is that eve builds a sub-ledger by deleting all her known information, so that it's purely "uknown" data to Eve, before playing the matching game +**\** that, together with reporting her known information, would fix the problem +**\** since i have CLSAG and triptych to take care of, and since so much of this code is human readable at this point, i'm putting this project down until the new year +**\** especially since "the problem" is easily explainable and I can point to where it's occuring +**\** but, for example, if anyone wants to just simulate a ledger using different stochastic matrices or spendtime distributions, they can tweak the parameters inside of tracing.py and generate as many ledgers as they like +**\** and now you can read them like a story. the world's least interesting procedurally generated story. +**\** i'll be unavailable for the next 72 hours or so (family is coming into town) but i have CLSAG and triptych printed; i'm about 1/3 of the way marking up my copy of triptych +**\** that's all i have today. does anyone have any questions for me about that, or other questions on anything research-y? +**\** When you're done with Triptych, will suggestions be added as Overleaf review comments? +**\** i was going to add some as comments and send the rest as an email to you +**\** Great, thanks +**\** You have the line-numbered version? +**\** yep +**\** okay, let's move onto ACTION ITEMS +**\** sarang? +**\** I'll be addressing some multisig-related MPC stuff for RCT3 and Omniring +**\** Then working on any necessary updates for CLSAG and/or Triptych based on review +**\** and then getting both papers posted to IACR +**\** Helping sarang finish triptych and clsag; if i finish this before end-of-year, i'll go back to matching +**\** Oh, a longer-term action item is to backport the CLSAG security model changes to DLSAG, but that's likely not this week +**\** I don't recall the DLSAG reviewers mentioning it, but it should be done anyway +**\** allrighty +**\** unless anyone has any final quesitons +**\** i think we can adjourn +**\** Happy Festivus! diff --git a/_posts/2019-12-30-mrl-meeting.md b/_posts/2019-12-30-mrl-meeting.md new file mode 100644 index 00000000..ef646ae2 --- /dev/null +++ b/_posts/2019-12-30-mrl-meeting.md @@ -0,0 +1,219 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2019-12-30 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** welcome everyone, to the last MRL research meeting of the year +**\** if i had thought about it, i'd have something more in-depth prepared but it just occurred to me ;P +**\** let's start with 1) GREETINGS +**\** o/ +**\** hi +**\** good and you, oh not so bad +**\** isthmus was here mere moments ago +**\** Kind of. Splitting headache. Looking at screen intermittently. +**\** yikes +**\** :( +**\** C'est la vie. +**\** okay, well; go away isthmus and come back when you're healthy +**\** you'll get us all sick with headaches left and right +**\** i have a headache now +**\** See, we should just ban headaches at the protocol level +**\** Not just in the wallet. +**\** no your headache now +**\** before we move onto 2) ROUNDTABLE I would like to bring up a single administrative issue +**\** i would like to propose that we consider switching meeting times; we selected 17 UTC mondays essentially at random about 2 years ago +**\** ? +**\** What's a preferred time? +**\** nowadays, not all of our participants easily are able to attend that time, so often it's just sarang and i +**\** so while i don't have a lot of time constraints, i wanted to hear from folks like isthmus who oftentimes have meetings at around the same time +**\** and open the room up for general discussion about timing for meetings +**\** ty +**\** i know this is boring, but it's been on my mind for more than a month now +**\** Suggestions on a better time? +**\** an hr fro +**\** I'm normally on Pacific time so Monday 1700 UTC is early and right when I'm getting swamped at the office +**\** m now? +**\** nm +**\** I'm just here now cuz on holiday & EST +**\** How about 18:00 or 19:00 UTC? +**\** Weds? +**\** Weds at 18 or 19 would be better +**\** In that case, I think I could block it on my work calendar as a recurring event +**\** We could always try a new datetime out and see how it goes +**\** i second wednesdays at 18-19 UTC provisionally for the first month of the year just to see how it works out re: participation +**\** I make sure the topic bar shows the meeting datetime +**\** +1 +**\** OK, Wednesday at 18:00 UTC it is +**\** Thanks! Will be very helpful for me. +**\** okay, neato burrito +**\** onto 2) ROUNDTABLE +**\** since the holidays were last week, maybe we can make this not just a "here's what I did last week" thing but also a "here's what we did this year" thing, but that could end up being a... surprisingly long list +**\** but we don't have to go in-depth +**\** sarang or isthmus, do you guys want to begin? wait, no, isthmus: go away and treat your headache +**\** I finished up a draft MPC for the aggregated version of RCT3 this past week +**\** And am currently in the weeds with some Omniring stuff that has been puzzling +**\** Additionally, my funding request is open: https://ccs.getmonero.org/proposals/sarang-2020-q1.html +**\** i strongly recommend that everyone donate to sarang's funding request +**\** well, i mean, whatever you are comfortable with +**\** and I'm on pins and needles for any comments from suraeNoether on CLSAG or Triptych preprint updates +**\** what i mean to say is: this is a valuable request, and if you have been considering donating to the CCS but don't know where your money will have a big impact, sarang's fund is a high priority ticket imho +**\** Much appreciation for all the support +**\** I'm eager to see what the next year holds in the research space, particularly relating to transaction protocols +**\** Yea, what's our research theme for 2020 +**\** I'll obviously continue to be a huge PITA about information leaks +**\** yes plz +**\** "2020: zero knowledge, infinite heart"? +**\** Ring size 2020? +**\** Oh wait, it's not a prime number +**\** People are going to think there's a technical reason for having prime-number ring sizes :/ +**\** Interestingly, for some protocols, you specifically \_can't\_ have a prime number size! +**\** for any merkle-tree based approach, you have to stick with powers of 2 +**\** for 2020, a few things i'd like would be a formal protocol specification for a tryptich-based protocol, using ristretto, going down to the nitty gritty details of optimized arithmetic, tor integration, etc +**\** thing is, i think we are eventually going to need to abandon the DL setting for efficiency and security reasons; either switching to multilinear pairings may be necessary for efficiency, but still boils down to computational security. on the other hand, switching to other hardness assumptions like RLWE, which are believed to be quantum-secure, is an area of active research. that assumption also has a +**\** very different profile for use in cryptocurrencies because key sizes and signature verification speeds are very different in the new setting +**\** my roundtable contribution from this past week: i got flu-like symptoms after xmas, so all I could do was sit around and be grumpy, so I ... copy-edited triptych and clsag +**\** (best thing to do when grumpy is to grade papers???) +**\** Looking forward to your notes on those +**\** should be before 3PM today +**\** Hooray! +**\** It's a Festivus miracle! +**\** i'll be switching back to matching simulation stuff literally next year +**\** festivus miracles involve being able to use the aluminum pole on your grievances +**\** i dont get that reference but i will google +**\** I'll be continuing a deep-dive into some Omniring stuff this week, to determine if an issue I ran into presents a problem with any of the proofs +**\** My roundtable is still plotting, but should be rendered shortly +**\** after recovering from the flu, or whatever i had, though, i have to say: i feel like a million bucks and i'm super excited to finish off triptych today +**\** endo and isthmus and sarang can all attest to the number of times per year i say i feel like a million bucks +**\** :- ) +**\** 1/4 times per year so far +**\** when the moon hits your eye like a big pizza pie, thatsa N=1 +**\** Ah, here we go +**\** i feel for the transcription translators who do these logs +**\** https://usercontent.irccloud-cdn.com/file/ntGPLKhz/image.png +**\** ^ non-coinbase TXNs as of late +**\** oh my fkn god +**\** I zoomed in on lower values there, there are some absurd outliers +**\** https://usercontent.irccloud-cdn.com/file/Uz5uJDlS/image.png +**\** so i like the idea of having an adjustable unlock time for smart contract reasons. ... +**\** for m'kids +**\** hey, sarang: think the range proof technique for the trigger block height in DLSAG could be janked around to hide \*all unlock times\*? +**\** https://usercontent.irccloud-cdn.com/file/xS32XCWP/image.png +**\** ^ All from the last few months +**\** Excluding the giant ones +**\** I believe it could +**\** Apparently unlock\_time supports both unix timestamps and height... There are 13 transactions that used UNIX time and the rest are height-based +**\** unix timestamps? did not know that +**\** There's one transaction whose outputs will unlock in the year 46000, lol +**\** hmmmm +**\** i can't think of a good reason to allow unix timestamps +**\** who uses unlock time currently? +**\** costs of hiding all unlock times is a new range proof, but that can be batched with bulletproofs... and variable unlock times are desirable for smart contracting... +**\** @endogenic apparently 8 different sets of people, and they all use it differently +**\** xD +**\** lol +**\** the DLSAG connection is strong with this +**\** surae is one of them +**\** https://xmrchain.net/search?value=2c2762d8817ea4d1cb667752698f2ff7597a051d433043776945669043d908b5 +**\** "unlock\_time": 1420722551128, +**\** i'm \*really\* bad at monero +**\** Not only batched, but aggregated for logarithmic size benefits +**\** can anyone think of a good reason to keep unlock time in plaintext? +**\** auditability +**\** It's also smaller +**\** forgive me monero gods +**\** Otherwise you have to put it into a commitment +**\** What is the point of unlock time? +**\** Serious question. +**\** I need to understand the intended use cases to figure out how we should handle it +**\** A reason to use UNIX timestamps is to not depend on block time changes. +**\** (unreclaimable) vesting period; force-hodl +**\** that's a fair point +**\** If the unlock time is plaintext, then how can the hodl be forced? +**\** Erm +**\** \*if is encrypted, how enforced +**\** There's a range proof included, showing that the current block height exceeds the committed lock period +**\** Can't you easily brute force it ? +**\** The goal is to reduce heuristics around expected spends +**\** endogenic: auditability in this case would be the same security/threat model as our confidential transactions, so that wouldn't reduce our auditability... not to mention, for the folks in the audience, monero balances are guaranteed by the unforgeability property of our signatures; if anyone is capable of cheating the monero system with our confidential transactions, they can also forge signatures with +**\** elliptic curves, which breaks a lot more than just monero. +**\** I second mooo's question +**\** moneromooo: the lock time is in a Pedersen commitment +**\** suraeNoether: was joke :) +**\** which is perfectly hiding +**\** isthmus: early cross-chain swap models require unlock times to elapse to use SPV +**\** but how does recipient easily verify time til unlock isnt ridiculous through only range proof? +**\** endogenic: it's a joke, but like a making a math joke in a math class, it's always followed up by a serious discussion of why it's funny. #mathteacherlife +**\** That needs to be communicated to the recipient endogenic +**\** suraeNoether: one-up'd +**\** The range proof is included at spend time +**\** not at output generation time +**\** Ohhhh +**\** So a verifier gets a yes/no, and at some point a no becomes a yes. +**\** moneromooo: can't brute force due to sarang's observation about perfect hiding +**\** Right ? +**\** not quite +**\** sarang: out of band? +**\** When you generate the output, you specify an unlock time commitment, and transfer the plaintext version to the recipient either encrypted or out of band +**\** I mean, from a verifier's perpective, they will need to either reject a spend, or ok it. +**\** -\_- +**\** When the output is spent, a range proof is generated using a particular time offset against the commitment, to show the lock time has been exceeded relative to the current block height +**\** When they stop getting a verification failure, there's no other reason (currently) other than that, no ? +**\** The method is a bit unintuitive until you write it out, TBH +**\** Oh. I see. Thanks. +**\** but it's included in the DLSAG preprint +**\** er. +**\** moneromooo: you wouldn't be able to construct a range proof on [0, ..., N] with time offset -3 +**\** it wouldn't be a valid proof +**\** the trickiness is in realizing how the DLSAG construction actually captures the offset +**\** So you include the block hash at currnet block then ? +**\** let me pull it up +**\** But moneromooo, it's important to note that you can't simply brute-force the verification at each successive block until it succeeds +**\** for the audience members: https://eprint.iacr.org/2019/595 +**\** The signer generates the proof once, at spend time +**\** OK, that's good enough for me. Thanks. +**\** There's some subtlety in choosing the offsets and such, to reduce heuristics, but the method makes sense +**\** bottom of page 10, left hand column +**\** Cost would be replacing plaintext lock times with commitments, and extending bulletproofs to include the lock proof +**\** this would be the first step toward "private" smart contracts that depend on dev-selected unlock times +**\** in a sense it's more basic than DLSAG, almost an independent component used in DLSAG. it should have occurred to me before that it was basically it's own construction... +**\** It is an independent component... you can do DLSAG with plaintext trigger heights +**\** \*nod\* +**\** but it's probably a bad idea to do so +**\** i have to step out y'all +**\** which means it has its own stand-alone security definitions. in this case, the definitions rely on some adversarially generated blockchain, yadda yadda +**\** I think that would be worthwhile to switch to unlock time commitments... Right now an adversary can partition (/fingerprint) the blockchain into ~20 different anonymity puddles based on unlock time alone. +**\** When I first plotted it I was expecting a few Easter eggs, not heuristic info bleeding everywhere. +**\** keep killin it Isthmus +**\** okay, anyone else want to present any research or thoughts at our roundtable? +**\** If you guys are looking at making unlock time a commitment, maybe this is a good time to look at a possible semantics change for unlock time to ease future things like atomic swaps etc. +**\** ^ ooooh +**\** How so? +**\** yeah, please go on +**\** Ok, my head is figuratively literally splitting in half, so I'mma peace out. Thanks y'all. +**\** gg +**\** By... er... thinking of the requirements you know of for atomic swaps etc, and what semantics would best match those. +**\** See ya Isthmus; feel better +**\** also see ya endogenic +**\** I'm thinking in particular of the fact monero's unlock\_time semantics do not match bitcoin's, and bitcoin's used for more fancy things like atomic swaps. +**\** Ah ok +**\** Oh but before I go, huge shoutout to @n3ptune who curated the data set +**\** Ok ciao! +**\** moneromooo: yeah, we need to nail down specific examples of usual atomic swaps with bitcoin and how the masked unlock times in monero will play with the unmasked lock times in bitcoin... +**\** for sure +**\** isthm and i are having a video call about it after he feels better. i'll take notes and we'll draft an issue. +**\** allrighty, we are coming up on an hour +**\** Action items, I suppose? +**\** indeed +**\** Mine: sending comments to sarang re: triptych and clsag, consulting with isthm about masking unlock times... which maybe we should do over IRC instead of a video call... to make a donation to sarang's funding request... +**\** I'll be continuing that Omniring issue, editing CLSAG/Triptych based on suraeNoether's reviews, and a few odds and ends relating to code libraries and MPC +\< does anyone have any last questions? +**\** Nay +**\** I suppose we can adjourn then +**\** when ringsize a bajillion +**\** Soon (tm) +**\** :) +**\** Or the Futurama answer: "Soon enough." "That's not soon enough!" diff --git a/_posts/2020-01-08-mrl-meeting.md b/_posts/2020-01-08-mrl-meeting.md new file mode 100644 index 00000000..ca33b91f --- /dev/null +++ b/_posts/2020-01-08-mrl-meeting.md @@ -0,0 +1,221 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-01-08 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** GREETINGS to everyone +**\** Hi. +**\** hi hi +**\** Let's start with ROUNDTABLE +**\** The preprint for Triptych, a new linkable ring signature construction that can be extended for use in transactions, is on the IACR archive +**\** Link: https://eprint.iacr.org/2020/018 +**\** CoinTelegraph just released an article about it (but note there are some errors in the data presented there, that I'm told will be fixed) +**\** I plan to make an update on the size and time data, to properly account for batch verification and ensure fair comparison +**\** More work was done on the multi-index version of Triptych, fixing soundness in exchange for a separate proof relation that we need to show is equivalent to another proof relation +**\** This would allow even better performance +**\** I worked out an MPC for that version of Triptych as well, which would be useful for multisig +**\** And I'm presently working on some questions relating to Omniring math that I've brought up with that paper's authors +**\** Does anyone else wish to share interesting research work? +**\** When the time is right, at a key juncture, we could have a press release on Triptych. Monero Outreach could support that. Maybe when it is established that it is going into a release. +**\** To be clear, there are no guarantees that Triptych, or any presently-known construction, is fit for deployment +**\** Right. +**\** I've got some fingerprinting stuff, and n3ptune just completed a pretty cool network analysis +**\** Ooh +**\** Isthmus: what sort of data have you uncovered? +**\** Ah my fingerprinting notes are nothing new or exciting, just an idea that might make data presentation more intuitive. So, I tend to think about wallet fingerprinting in a kind of abstract way - every transaction sits at some corner of a hypercube in a high-dimensional space made of different heuristics yadda yaddaaa yadda +**\** So even though I work with sets of boolean features on the backend, wanted a good way to show results +**\** This is my first attempt: https://mitchellpkt.github.io/fingerprint.html +**\** What, you can't accurately present visualizations of high-dimensional hypercubes? =p +**\** llol +**\** This is somewhat by @suraeNoether adding human-interpretable output to the graph matching +**\** I like the idea of enumeration like that +**\** thanks! It figure it's also an easy way to pass around data in a 2-column CSV chart, and researchers can do substring matching on portions that they find relevant to a given analysis +**\** Ack sorry! I'm here! Time change got me unawares +**\** Isthmus: is there anything to share about the network analysis you mentioned? +**\** Re: questions on block propagation timing asked last month, I've collected and analyzed block receipt timing data from our global nodes recorded during the past 6 months +**\** Nice! +**\** What conclusions? +**\** Isthmus has notes about interpretation and I have more to write but you can look at the graphs here https://github.com/noncesense-research-lab/archival\_network/wiki/Block-propogation-time +**\** This was RE a question that @moneromooo asked, right? +**\** Units are size in bytes and timestamps in milliseconds, right? +**\** that was my question ^ +**\** we used this formula where NRT is Node Received Timestamp: prop\_time\_lower\_bound(h) = MAX[NRT(h,1), NRT(h,2), NRT(h,3)] - MIN[NRT(h,1), NRT(h,2), NRT(h,3)] +**\** What are the changing indices there? +**\** Different nodes? +**\** hello +**\** yeah, that goes up to 3 but there are 4 nodes total +**\** got it +**\** so block prop time is reliably at least 0.1s. interesting. +**\** Oh scatter heatmap is height from dark=old to light=new +**\** ^ color scale +**\** And those are the differences between the miner-reported timestamp and the node's wall clock upon receipt? +**\** Miner reported timestamps are not considered anywhere in this study +**\** But we did that elsewhere +**\** hm then what is being measured for prop time? +**\** So these are blocks only passed between your nodes? +**\** Where you look at local times on send and receipt? +**\** ^ Was going to ask that, as the min propogation time seems particularly low, as 100msec is quite low in our experience to cross the globe. +**\** Or better question: how is NRT computed +**\** it's the difference in timing between different nodes receiving the same blocks +**\** Ah, ok +**\** Yea, not passing between our nodes, but passing through our nodes +**\** NRT is recorded from the node system time when a block arrives +**\** Independent of the peer from which they receive +**\** (which would differ) +**\** Seeing the difference between miner-reported time (which could be inaccurate) and wall-clock receipt time would also be interesting +**\** hmmmm +**\** o/ +**\** https://usercontent.irccloud-cdn.com/file/brPsQyeU/image.png +**\** @sarang just for you +**\** So what we're really seeing here is not propagation time directly, but variability in one layer of propagation time +**\** here = the initial plots, not this one +**\** I'll have to check pool log data, as I might be able to give some extra data points if you're interested. We started to log the time in which a pool node finds a block, versus when that block is stored into our database, which means it's been processed by the local node, as we skip all monerod timings on the pool itself. +**\** oooop +**\** that's cool +**\** Very high times +**\** @Snipa very nice! +\< can you elaborate? +**\** isthmus well it's how long it takes for the block to propagate from one of your nodes to another of your nodes; not time it takes to propagate from a miner to one of your nodes +**\** I mean that for the initial plots you showed, you can't directly interpret the time for the block to reach your node after it's mined +**\** suraeNoether: no +**\** no? +**\** Yea, we very deliberately labeled all of the axes "prop time lower bound" for that reason +**\** Also, we could always posit that there is an old PC on dialup somewhere in Nebraska with a 4 minute prop time, but that's not meaningful +**\** suraeNoether: it's looking at the difference in receipt time, whichever path the block took in total propagation +**\** Hrm, auctually, I can provide a data stream of our global block propgations, as every node has a local reporter that we can hook. +**\** @Snipa yes please! +**\** sarang that's true also +**\** that data would be awesome to work with +**\** I'll posit something that might be wrong: +**\** It's a hacky data science way of thinking - +**\** Hit me up a bit later and we can discuss how to get it to you, and go over data formats. +**\** Shoot, I gotta get off the bus +**\** isthmus: you have two sensors set up to detect propagation time. but you need 3 to triangulate, ala seismic detection of epicenters +**\** Don't leave us with that cliffhanger Isthmus! +**\** i'm on the edge of my seat +**\** i spilled my tea +**\** i'm so upset at isthmus right now i could just light myself on fire +**\** Stay on the bus Isthmus... it'll loop back around to your stop eventually +**\** In the meantime, any other interesting tidbits on this work? +**\** This is very interesting data +**\** while we are waiting on Isthmus, I'll give my super-brief update: after some discussions with endo, my matching code has been made significantly more efficient, easy to understand, and easier to debug; i'll be making a push later today. my two categories of work today are re-reviewing CLSAG and working on matching +**\** that's it for now, we will update +**\** his pseudocode now fits onto one sheet of notepad paper.. +**\** isthmus and i also technically had a conversation about writing up a proposal to encrypt and enforce all lock times, but we haven't gotten details worked out yet +**\** You mean using DLSAG-style commitments? +**\** We'd discussed it earlier in a meeting +**\** yep, last meeting iirc. but i actually had a call with isthmus about it. i view this move as a very good boost in privacy in the sense that it covers up a source of non-randomness in the large data sets that isthmus likes to comb through. +**\** I can work out the size and time implications on that if you like +**\** i'm not convinced it is worth the additional cost to our txn sizes, but we'll see how it shakes out +**\** Since it could be bundled into the existing bulletproof +**\** ^ ah +**\** Yeah, size is not the issue here due to the logarithmic scaling +**\** yeah, and verification times are speedy as a cheetah's balls +**\** pardon me, this is a public meeting, i should be less vulgar. please accept my apologies. +**\** Right... there's a linear increase in verification time, but with the benefits of multiexp that's reduced a bit +**\** CoinTelegraph has updated their article: https://cointelegraph.com/news/moneros-triptych-research-could-vastly-improve-its-anonymity +**\** Thanks to the author for taking care of that so quickly +**\** A press release could get more coverage, when and if it is desired. +**\** suraeNoether: interestingly, due to bulletproof padding, for many transactions there would be no size increase aside from the space taken up by the commitment data +**\** good on cointelegraph +**\** (as opposed to a smaller plaintext representation) +**\** sarang: could a similar approach be used to include a ciphertext of a message? +**\** ie moneroMail +**\** Sorry somebody got in a fight with the bus driver right before my stop +**\** Not really... there's some spare space in bulletproofs that could hold something 1-2 proof elements of arbitrary data by controlling randomness (I'd need to check the details) +**\** Sigh San Francisco +**\** Welcome back Isthmus +**\** Ok lemme whiteboard some stuff 1 sex +**\** n3ptune: do you want to share the padding? +**\** In the blocks +**\** sure +**\** sarang so enough for a key exchange but unlikely enough for a ciphertext? +**\** Well, you're limited by space +**\** Is there a known purpose for the null padding tag in tx\_extra? +**\** I don't remember if Poelstra and friends found 32 or 64 bytes of space +**\** n3ptune: good question for moneromooo et al. +**\** While we await Isthmus' continued update, anything else of interest to share? +**\** Or ACTION ITEMS, according to the agenda? +**\** i want to provide final comments to you on clsag but i'm very unlikely to get that finished today +**\** but it's on my mind for this week +**\** Back +**\** Front +**\** Mine are to get CLSAG submitted (after review), to hopefully nail down this Omniring issue and pass it to the authors, work on a few EC curve library updates for proof of concept code, and get preprint stuff taken care of via monero-site MR +**\** Isthmus: please go ahead +**\** (oh, and update the Triptych preprint performance data with better clarity) +**\** https://usercontent.irccloud-cdn.com/file/gAM3VbDV/1578508953.JPG +**\** wat dis +**\** So let's say that we have 100 of n3ptune/NRL's archival nodes running +**\** If we have only 2 nodes, then our propagation envelope will have a lot of variability, be topology dependent (assume archival nodes don't connect to each other), and just t\_second - t\_first +**\** As we add a 3rd node, it has the possibility of increasing the measured prop time (since it could hear before or after) but can't decrease the prop time since it's max-min +**\** As we get up to 100 nodes, the variability will probably smooth out and we approach the true reasonable prop time (from miner to global nodes with broadband internet) +**\** Doesn't prop time depend on max/min among all nodes? So the third node could fall outside the envelope of the other two and affect the value? +**\** Yeah, that's the point +**\** OK, I must have misinterpreted +**\** Oh, can't \_decrease\_ +**\** nvm +**\** Painting very broadly, when we adad the 3rd node there's a 2/3 chance that it'll fall outside the N=2 and increase the prop time, and a 1/3 chance that it'll be between the first 2 nodes. +**\** Sorry, I'm giving a kind of scattered description cuz I just realized this on the bus +**\** Max-Min is a very sensitive metric, sensitive to outliers. +**\** Hmm lemme ponder on that +**\** Skipping over that for now +**\** How're you pulling the time in which the block is received? Tweaked monerod/using it's logs or polling on the RPC interface to determine when it's auctually viably added to the box? +**\** That's a n3ptune question, they do all the DevOps and data engineering. All ended up in a SQL database by the time I got to it +**\** tweaked monerod +**\** On P2P receive then? +**\** So for each height we have epsilon (green line) which our many-node approximation of global prop time +**\** you can also use monerod --block-notify, if you point that to a shell script that writes the timestamp +**\** --block-notify waits until the block is committed, which is why I ask, because nodes that do not use NVMe have much slower propagation times in general, as you're waiting on disks to write. +**\** i like that better because then you can use the stock daemon. but we don't use that yet +**\** OK, so using the max-min metric, assuming relatively even node placement across the network topology? +**\** Yeah, though after @almutasim I'm considering a few other less sensitive metrics +**\** slap all those epsilons into a histogram, and that's the plot on the right. +**\** The outliers being nodes close to the miner and far from it, topologically +**\** Uhm, the outlier might be only 2 hops away but one of the hops is really slow +**\** P2P Receive: no it happens when it adds it to the blockchain, after it determines whether or not it's an alt block. this was because we had another original goal to capture alt blocks data. the daemon patch is shared here https://github.com/neptuneresearch/monerod-archive +**\** @sarang so it depends if topological distance definition is just the p2p connectivity graph or takes into account time between vertices +**\** right +**\** And that epsilon plot is basically what n3ptune shared earlier except instead of "max-min with 4 nodes" it is "asymptotic approximation of global prop time" +**\** ^talking about x-axis of histogram +**\** --block-notify waits until the block is committed \>\> oh then i guess this method of doing it in blockchain::add\_new\_block() at least occurs before block-notify would. but yes it isn't \*immediately\* on receive +**\** Since we're just about out of time, any last bits of information before adjourning (discussion can of course continue) for log purposes? +**\** Oh yea +**\** just a quick note that tx\_padding is used in the wild, but unclear why +**\** In the scatter plot showed earlier, the vertical bands from left to right are empty blocks and then N=1,2,3... transaactions +**\** That's a question for someone like moneromooo +**\** Of course there's variability in the horizontal width of the vertical bands due to transaction size differences, but the variability in coinbase-only blocks was straange +**\** https://xmrchain.net/tx/acdf8eac41a7a76fd899e09640db34023abff66b3ae2c9ea86e49f19c0720af4 +**\** Not really, coinbase only blocks are quite common due to pool design. +**\** No no, the size\*variability\* in coinbase-only was strange +**\** Turns out some (now fingerprinted) miners are using lots of null padding, check out the tx\_extra for this coinbase +**\** gadzooks +**\** Not super surprising. +**\** Looks like bloat to me +**\** Bunch of blocks waste space with nulls in tx\_extra +**\** Possibly, it's also something that can be requested by a pool. +**\** As that's the block padding that we use for extra nonce storage space. +**\** "As that's the block padding that we use for extra nonce storage space." block nonce or transaction nonce? This is padding in the coinbase transaction +**\** Oh sorry, txn, my bad. +**\** Do you know why some miners use the padding and some don't? +**\** Lemme look through some of my decoding code I wrote for that. +**\** I'd been comparing: +**\** https://xmrchain.net/search?value=1988283 +**\** and +**\** https://xmrchain.net/search?value=1985042 +**\** Since they seem to be exactly the same besides different padding +**\** Anyways, thanks for letting me ramble and shifting meeting time +**\** For quick reference: The block's CB TXN contains an "extras" section, which is requested from Monerod as the extra space in which arbitary data can be written. This data is used by pool implementations to implement the per-pool nonces as well as any custom nonce data used by more advanced techniques. +**\** "extra space in which arbitrary data can be written" +**\** You can use this data in a number of ways, particularly with knowledge of pool design, as the two main pool implementations use this space similarly, but have different sizes based on various addon support. +**\** Ooh, what are the current use cases? +**\** You also can identify what pool instances are submitting blocks, as pools use unique identifiers in particular bytes. +**\** (I have no knowledge of pool design) +**\** https://github.com/Snipa22/nodejs-pool/blob/master/lib/coins/xmr.js#L115 +**\** For those of you who are interested in helping out with Monero Kon 2020 in Berlin, there is a meeting happening right now for prospective volunteers. This is research related, but otherwise off-topic, so I'm just dropping this here. +**\** ^ is the implementation you'll find on pools that support the XNP extensions I wrote awhile ago. +**\** Yeah, we can formally adjourn the meeting, but carry on the conversation +**\** Thanks to everyone for attending diff --git a/_posts/2020-01-15-mrl-meeting.md b/_posts/2020-01-15-mrl-meeting.md new file mode 100644 index 00000000..1159d9f4 --- /dev/null +++ b/_posts/2020-01-15-mrl-meeting.md @@ -0,0 +1,135 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-01-15 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** GREETINGS +**\** hello +**\** Hi. +**\** Hi +**\** hi +**\** hi +**\** Wow what a turnout! +**\** Hello +**\** hi +**\** Let's continue with ROUNDTABLE discussion +**\** suraeNoether: anything of research interest to share? +**\** ajs archived the channel. +**\** um.... is the channel now gone on Mattermost? +**\** not yet... Right now I'm just copy editing CL sag, working on matching code, and looking into possible speedups for triptych +**\** ? +**\** I expect about an hour before clsag is done +**\** I thought it was just for me +**\** I noticed it disappeared too. +**\** it's gone +**\** lol +**\** give me a sec +**\** Hmm. Who was running it? +**\** sorry for derailing, something to fix later +**\** Oh +**\** Moving along :) what about you, Sarang? +**\** Sure +**\** for those who want to access logs later: https://monerologs.net +**\** lol +**\** The Triptych preprint has been updated with new efficiency data and some minor typo corrections (IACR 2020/018) +**\** It will appear on monero-site as MR 1197 +**\** The DLSAG paper is being revised for its publication in the FC 2020 proceedings +**\** and we're working on updating the security model for later journal submission +**\** I have a monero-site MR ready to go for the CLSAG updates (MR 1202) as soon as suraeNoether's review is complete +**\** (and I get it updated on IACR) +**\** I did some major overhauls on the curve libraries that I use for ed25519 and ed448 testing (for prototyping only; don't use them in production) +**\** That included porting them to a bunch of other research projects +**\** I also did some updates on my Lelantus code to fix some Fiat-Shamir transcript issues +**\** And that's about it +**\** Does anyone else have research to share? +**\** We can also have any questions as well +**\** Currently I have been just familiarizing myself with Monero Research +**\** I have read quite a bit of Zero to Monero, and I also looked at the bipartite matching project: https://github.com/b-g-goodell/mrl-skunkworks/tree/matching-buttercup/Matching +**\** I did have some questions, but I can go through them later with surae perhaps? +**\** Sure, now is fine with me too +**\** It's on topic :P +**\** Sure, go ahead +**\** speaking of ZtM, thanks to Articmine the dynamic fee section has been greatly elaborated; anyone curious about all the justifications and derivation and analysis can find it in the latest draft; all that remains before I can publish are multisigs, bulletproofs, and proofreading (each of which will take a long time admittedly) +**\** https://www.pdf-archive.com/2020/01/15/zerotomoneroebookmaster-v1-0-17/zerotomoneroebookmaster-v1-0-17.pdf +**\** Ok cool, well can you briefly give a high level description of this project? From what I understand so far is that this project will be used for user analysis along with statistical models, but hearing an overview from in your words would be nice. +**\** it's good to see ZtM getting the update :) +**\** Gotcha okay so first think about the Monero blockchain using two columns. List all of the one-time output keys from coinbases and from other transactions on the left and list all ring signatures or if you like key images on the right-hand column +**\** You can then go and draw edges between one time keys and ring signatures indicating ring membership. So if I publish a ring signature with ring members a b and c, my ring signature on the right would have edges connecting it to the outputs a, b, and c on the left +**\** These are what I call red edges in my code, and I also indicate blue edges connecting ring signatures on the right with the new fresh transaction one time keys that are output from their respective transactions on the left +**\** koe: I asked this before, but how detailed are you looking to get with bulletproofs? +**\** I fear you may end up essentially rewriting their entire paper, with little benefit to the typical reader +**\** So the Monero blockchain can be visualized as this two-colored bipartite graph with one-time keys on the left, ring signatures on the right, red edges indicating ring membership, and blue edges indicating output relationships +**\** Hey @koe I owe you an email. I have some protocol notes, but have just been super swamped. +**\** Cool cool, I +**\** I'll try to get the email out in the next few days +**\** I'm with you\* +**\** i am sort of busy, but wanted to throw out a question (in other words, don't let this question interrupt the current line of talk). a response anytime would be great, though +**\** I was thinking about how people complain about outputs getting locked up for 10 blocks. Consequently one must send to themself a multi-out txn to prevent that from happening. What if we made the standard tx 2-in and 3-out (2 change)? And maybe set them to send to different accounts, so they take on independent/divergent decedent txn histories. Was curious if MRL had thoughts/impressions +**\** I also got halfway through updating Big Bang paper, but then got distracted. Hoping to finish that this weekend or next. +**\** The ground truth of the situation is that each ring signature has a ring member that is the true signer of the signature, so for every ring signature with a bunch of red edges leading to a bunch of one-time output keys, somebody who's trying to track transactions is trying to pick the true spender from these red edges +**\** And this is called the matching problem in the graph theory world, sometimes also called the assignment problem, sometimes called the assigned marriage problem lol +**\** So somebody who is trying to track transactions on the Monero blockchain is really trying to find a maximum matching on the Monero blockchain, linking signatures to true spenders +**\** scoobybejesus: I'd rather find ways to reduce the lock time +**\** no worries Isthmus :); sarang that's a valid concern and Im really not sure since I don't actually understand bulletproofs yet; I think if the bulletproofs paper is clear enough it will be fine to point people in that direction; I dislike the idea of leaving things open ended, but maybe it's just a useless hangup ^.^ +**\** The signatures themselves give nothing away about which edge is supposed to be the true spender, so without any additional information the attacker just has to guess, and so every possible maximum matching is equivalently good in this world +**\** Ah okay, I see. It seemed as if you were trying to find out if there was a way to trace back transactions. +**\** I am kinda +**\** So my graph theory python code allows you to build a graph, and then find maximum matchings, and if you wait the edges, it'll find the heaviest weight matching so that somebody using extra metadata can do better than just guessing at random +**\** Weight\* +**\** How do you assign weights? +**\** Right so that's outside of the scope of graph theory and in the scope of my simulations... +**\** Ah. Are they probabilities? +**\** Is this where statistical models come into play/ +**\** Yep. The way that I'm trying to do this is I'm simulating an economy between Alice, Eve and exchange with KYC information, and Bob representing all background players in the Monero economy. I'm even telling Eve the information about the Markov chain from the beginning, which models eves perfect ability to learn your habits. +**\** So this Eve is able to wait the graph using some null hypothesis about user behavior +**\** once she does this, even though she doesn't know the ground truth reality of the blockchain, she can find a maximum likelihood estimate which corresponds to a maximum weight matching +**\** s/wait/weight/ ? +**\** Weight\* sorry I'm on voice to text +**\** So the simulator simulates an economy, strips information out of the graph that Eve doesn't know, hands the blockchain to Eve, Eve weights the graph and compute some maximum likelihood estimate, and this maximum likelihood estimate is compared to the simulators ground truth +**\** When things are working I get preliminary data that suggests that Eve is really really bad at this game Even though she's given perfect information about Alice's habits +**\** But that's all preliminary because my code is only intermittently working and I am currently in the midst of refactoring it to be simpler. +**\** That's encouraging. +**\** Quite interesting surae. I understood about half of it before, but given you're description I see the goal of the project now. +**\** Ah I see, was MoneroLink done by the Monero community or third-party? +**\**: The fact that it was written by people who had a financial interest in succeeding compared to Monero was viewed as very suspicious by a lot of folks. +**\** suraeNoether have you collected a list of tracability analysis papers? for example sarang mentioned a preprint earlier; or maybe Isthmus has that list +**\**: Andrew Miller from Zcash and a couple of other folks who were involved with Zcash were authors +**\**: Actually you know, Sarang may have a better list than I would... A paper came out last year describing a game not dissimilar from my graph theory game and they named it after sun tzu. But I can be more helpful in finding background papers. Basically any papers on the traceability of anonymous communication networks has some degree of applicability to the Monero blockchain +**\**: "perfect matching disclosure attacks" is a general paper that was critical in the construction of the matching stuff +**\** I see I see. So I see a couple of todos listed (unity tests and another). What are some important priorities for this project? I feel I can contribute to this project as a start. +**\** Just a little background about myself: I'm an academic researcher in theoretical computer science (neural algorithms). +**\**: Let's talk about that after the meeting +**\** sure +**\** Dang, I got bumped off IRC +**\** Can't log back in +**\**: speaking of the meeting, isthmus tells me that he has lost access to IRC... And I also happened to lose access to IRC and I'm just using the keybase bridge +**\** \*IRCcloud +**\**: it looks to me like IRC cloud has gone down which means the vast majority of the people in this room are probably not here anymore +**\** @atoc nice to meet you, excited to contribute +**\** \*to collaborate +**\** Sorry, I'm in a meatspace meeting too +**\**: So we'll give it a few more minutes and if I receive cloud doesn't come back or if nobody else speaks up, I say we adjourn the meeting +**\**: If irccloud\* +**\** So I just realized that we aren't fully utilizing the archival network data. But I'll wait for our IRCcloud comrades to return +**\** yes, irccloud seems to be down for everyone +**\**: I had a question for isthmus about the archival network and lock times +**\** sup +**\**: I want to know the distribution of fork lengths observed so far, and I also want to know the distribution of forklengths experienced by a new node syncing +**\** isthmus nice to meet you as well. +**\** hmm okay and sorry what do you mean fork lengths? +**\**: As in Nakamura consensus resolving a fork +**\**: Nakamoto +**\**: WTF that was autocorrect too not voice to text +**\** It should be correcting the other way. +**\** I see, alright I will begin looking into this. +**\**: Isthmus actually specifically I want an estimate of the parameter r under the null hypothesis that fork lengths are negbinom(p, r) +**\**: I think lock time has to be proportional to r to protect most transactions from most rollbacks +**\**: Okay since irccloud is now fartcloud, I say this meeting is adjourned. +**\** good meeting! happy day to yall +**\**: Good seeing you around koe +**\** thanks +**\** Thanks. Good meeting. diff --git a/_posts/2020-01-22-mrl-meeting.md b/_posts/2020-01-22-mrl-meeting.md new file mode 100644 index 00000000..de9fad49 --- /dev/null +++ b/_posts/2020-01-22-mrl-meeting.md @@ -0,0 +1,283 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-01-22 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** GREETINGS +**\** hi! +**\** hello +**\** Hi +**\** hiya +**\** holla +**\** Let's move to ROUNDTABLE +**\** Isthmus: you posted some data on the agenda; care to discuss? +**\** Link to data: https://github.com/monero-project/meta/issues/430#issuecomment-576455137 +**\** Sure +**\** First, glanced at distribution of number of outputs on miner transactions +**\** https://usercontent.irccloud-cdn.com/file/OB2UWpjs/image.png +**\** This is mostly a historical novelty from back in the days of denominated XMR - since RingCT became mandatory at block 1400000 all miner transactions have been 1OTXs. +**\** \*single-output coinbase transactions +**\** So that chart is for \_all\_ miner txns? +**\** Throughout all of time? +**\** From genesis block to last week +**\** Courtesy of n3ptune's magic database xD +**\** Another mostly historic novelty - altruistic transaction selection by miners who would include many/large transactions in their blocks, incurring a coinbase penalty that is not offset by the added fees. (In other words, they would have had a higher total block payout by mining an empty block.) +**\** https://usercontent.irccloud-cdn.com/file/0pcNROcT/image.png +**\** color is size, starting at blue = small +**\** This seems to not be a very common practice these days +**\** Altruistic mining could be banned at the protocol level, but at the moment I'm not inclined to do so +**\** more advanced altruism based on suboptimal tx inclusion will involve more intensive analysis, which I provided pseudo code for this week, if that path is chosen +**\** Any comparison against partially filled blocks rather than empty blocks? +**\** @koe yea do you want to jump in +**\** Yeah koe please do +**\** koe: if you have a link to the pseudocode can you include it here? +**\** well this week I: made pseudo code for Isthmus blockchain analysis, deep proofreads of several ZtM chapters, talked with cohcho and jtgrassie about uniformity of coinbase tx +**\** more or less improved a roadmap of future monero developments: https://justpaste.it/5io6e which we can talk about some items +**\** latest ztm2 draft, I have honestly been pushing off multisig edits, but not making no progress https://www.pdf-archive.com/2020/01/22/zerotomoneromaster-v1-0-20/zerotomoneromaster-v1-0-20.pdf +**\** Enforcement of exact block rewards seems straightforward and a good idea +**\** pseodo code https://paste.debian.net/1127152/ +**\** Regarding ZtM, are there topics in progress for which you'd like particular information or assistance? +**\** currently working on multisig, and have already gone through most documentation available, but there are some things that aren't clear despite documents +**\** so if anyone knows about multisig, Id like to discuss with them +**\** otherwise will dive into code base +**\** I'm not super familiar with the code base, but I'm familiar with what it's supposed to abstractly represent +**\** Thanks koe +**\** So if you have questions koe about how things are supposed to work (as compared to how things are currently implemented) +**\** Lmk +**\** ok Ill hit you up +**\** Anything else of interest to share koe? You've clearly been busy! +**\** well there are all the things in the roadmap, in particular enforcing 1 output from coinbase (since Isthmus found literally all coinbase for 4 years have been single output), and possibly enforcing single-type ring membership (only coinbase ring emmbers, only rcttypebulletproof2 ring members) since 99.5% of coinbase are owned by pools who are easy +**\** to fingerprint +**\** Single-type enforcement was brought up a few times by sgp\_ in the past as well +**\** see https://minexmr.com/pools.html where 99.5% of hash is accounted for +**\** My concern was that a full segregation of coinbase outputs means certain heuristics are only moved "down chain" by a single hop +**\** Meaning there's likely improvement for sure, but perhaps more marginal than desired +**\** koe, do you still need proofreading of ZtM or are you good on that? +**\** I'm in favor of enforcing single output coonbase txns by consensus. I'm in favor of enforcing block reward. I'm tentaticely in favor of type-restricted rings. +**\** always need proofreading :) even after it's published lmao, I've received some good emails that are incorporated in v2 +**\** I actually was going to re-introduce the topic again here to keep it on everyone's minds, so nice timing +**\** related: https://medium.com/@JEhrenhofer/lets-stop-using-coinbase-outputs-da672ca75d43 +**\** koe, I am have some notes that I need to send you. +**\** I will try to get them to you soon. +**\** ill look forward to them :) (email me) +**\** Enforcing single output coonbase txns would prevent p2pool. +**\** will do :) +**\** Atoc, I believe that my mojojo branch is no longer bugging out, although data isn't being written to file how I want. The actual tracing game script I am running will be pushed soon(tm) +**\** jtgrassie is p2pool your project? +**\** AFAIK nobody is doing it yet. +**\** But simulator is now successfully simulating a monero economy between Alice, Eve, and Bob to model flavors of EABE +**\** cool suraeNoether I have been falling a bit behind and will catch up today and get you my thoughts +**\** good to know the unit tests are working fine +**\** Nice +**\** It's all good, I'll still be plugging away +**\** Any other questions/comments for koe? +**\** no specific questions, but I have a related topic for mining pools besides coinbase outputs when time allows +**\** OK, first, is Isthmus back? He had to step away briefly +**\** Isthmus: care to finish up your data? +**\** Also, it's not "kicking the can down the road" depending on how you implement it +**\** (then we can move to sgp\_) +**\** But yea, moving on +**\** Hold on +**\** Discovered that everybody seems to use the miner\_tx differently, including some really strange stuff like many blocks with 60 B of null padding(??!) https://xmrchain.net/tx/7dfcc4e5d8bd772e3373e51d4140052121503d9b4f3cb6587251292bf06ced9a +**\** Why would coinbase-only not do this? +**\** If you assume the spend patterns would be sufficiently different, I agree +**\** Uhm, I could get in the weeds with this +**\** On like 4 levels +**\** lol +**\** From an \*on chain\* perspective, there's two questions we can ask +**\** 1) Is this ring spending a coinbase +**\** \me pulls up lawn chair +**\** 2) Which coinbase is this ring spending +**\** #1 is hard to hide +**\** #2 can be accomplished +**\** making #2 unanswerable can be accomplished +**\** I'm an evil exchange +**\** With current system, I can fingerprint which pools my users belong to +**\** Aah ha, this person makes monthly deposits that are 4-input transactions each spending from a ring with 62 B null padding, so I know that they have about 3000 H/s attached to minexmr.com +**\** \*each spending from a coinbase whose miner tx\_extra has... +**\** But with coinbase-only txns, we strip the pool-to-user link +**\** fair +**\** Sure, as an exchange I can look at each user, and their average number of coinbases per ring +**\** And if it's more coinbases per average I could suspect that they're a miner +**\** But that's about all +**\** while there are some concerns with coinbase-only having only a layer of separation, I think the real benefits are being minimized slightly, especially to non-mining users +**\** also, coinbase is currently polluting normal tx rings, since a large proportion are identifiably spent/not spent +**\** koe: the newer weighted selection algorithm does help this to an extent (relative only to tx weight, nothing else) +**\** One thing that is important about privacy is that third parties that have data like this are lawyer magnets. If an exchange couldn't possibly identify their mining user habits, they can't be hacked or subpoenaed to determine one of their customer's hash rates +**\** In my ideal world, we have 13 ring members and two selection algorithms. Precisely 11 of the members are non-coinbase, selected with current algorithm. Precisely 2 of the members are coinbase(/coinbase-only) that are selected independently. +**\** Isthmus: that would not be good for many reasons :) +**\** notably, you need a set of at least 3 +**\** Oh, I'm not married to the numbers +**\** Just making an example +**\** (trying to avoid the misconception that adjusting our coinbase ring member selection algorithm will somehow be zero-sum with the rest of the anonymity set or users) +**\** koe: I know that rbrunner (sp) made an implementation of multisig so it might be good to speak with him. I don't see him online now and haven't seen him for a little while but should still be around +**\** on the other hand, I wonder if enforced ring types is too much like reacting to how people use it; although the same could be said for many other protocol rules +**\** Anyway, I derailed Isthmus's discussion of his other data with this topic... +**\** Also, let M be the minimum plausible age between any output and it's temporally closest ancestor coinbase +**\** :- P +**\** That can either be a plotable feature, or fixed for all transactions at zero +**\** nioc ok Ill reach out +**\** I think n3ptune and I may plot this for all outputs just to show the point +**\** Other two things on the agenda - encrypted unlock time, and tx\_extra in coinbases +**\** I can get into these if people are interested +**\** Sure, I saw your information about encrypted locks +**\** (I also wish to address timelocks anyway\_ +**\** ) +**\** Cool, lemme copypasta real quick +**\** Oh, and for the encrypted + enforced unlock time, we have to decide on a format. Currently, 3 things are being put in the unlock field: +**\** Small integers like "12", presumably to be interpreted as height differences, i.e. "unlock in 12 blocks" +**\** Large integers like "1980000", presumably to be interpreted as block heights +**\** Very large integers like "1578561720", presumably to be interpreted as unix timestamps +**\** While normally I'd be loathe to bring real world time onto the blockchain, I am inclined towards this approach: encrypted unlock time is a future timestamp recorded in unix seconds, and each ring must include a range proof comparing the unlock time to the oldest or youngest ring member (I haven't fully thought this through). +**\** The minimum lock time of 10 is trivial for any outside observer/miner to enforce by delaying (or rejecting) transactions with rings containing members less than 10 blocks old. This requires no mathematical validation within the transaction. +**\** The encrypted unlock time could actually be defined as timestamp - 1500000000 to save a bit of space by removing the offset from some of time between 1970 and deployment, but that could be overengineering. +**\** We have a relatively efficient way to do encrypted timelocks, as introduced in DLSAG +**\** Small integers are block heights. If you put 12 now, it's pointless. +**\** I'm 100% in support of encrypted lock times... I know that sarang has done some work into the requirements on that in addition to isthmus +**\** The method is described here: https://github.com/SarangNoether/skunkworks/tree/timelock +**\** It works as follows: outputs come equipped with a timelock Pedersen commitment (units aren't relevant for this at the moment) +**\** Small integers are block heights. If you put 12 now, it's pointless." Ahhahahaha that's what everybody is doing. Lemme make a plot real quick +**\** Signatures come equipped with an auxiliary plaintext time that's chosen semi-at-random +**\** as well as a particular auxiliary commitment +**\** There is a range proof constructed using all these values, and CLSAG/MLSAG gets a new set of entries too +**\** This maintains signer anonymity, shows the timelock has passed, but does not specifically reveal information about it +**\** The cost for CLSAG is 1 new group element; the plaintext timelock is replaced by a plaintext intermediate value +**\** and the auxiliary per-signature commitment is 1 new group element +**\** does this mean the no-locktime transactions will be indistinguishable from locktime ones? Or just that the locktime ones will have an obfuscated time lock? +**\** The rangeproofs can be worked into the existing bulletproofs, likely for free due to padding +**\** Indistinguishable plz +**\** Depends on how it's implemented +**\** indistinguishable would probably require no-locktime txns to have a dummy encrypted locktime +**\** So the cost is 64 extra bytes per signature, and 32 bytes per extra timelocked output +**\** Yep, you'd include zero locktime +**\** and the rest of the process proceeds the same +**\** So this is not free, but it's not terribly expensive either +**\** Anyway, this information is to supplement what Isthmus brought up about how timelocks are handled now +**\** It's completely offtopic but I personally like the idea that we can embed an arbitratry hash in a transaction in a way that is indistinguishable from other txs, for timestamping purposes. +**\** Would only be half or a quarter of a hash in that case though +**\** (using the encrypted time lock field) +**\** @binaryFate if we add an enforced encrypted memo field, that would be a very good use case +**\** binaryFate: well, you could always pick your txn key as the Hp of some message. is that not what you mean? +**\** it works too, but require you don't lose your local storage. +**\** sure. you want to be able to extract the message also, something like that? +**\** just exhibit the message later on and point out to a past hash in the blockchain that timestamps it, without people taking notice this was a timestamping tx. +**\** but if you have message you can get hash back, so tx key works perfectly I guess +**\** oh neat +**\** anyway, sorry to derail +**\** Isthmus: take it away :) +**\** Derailing conversation is a key part of research! :- D +**\** I think that's where 2/3 of our interesting stuff comes from +**\** \*nod\* i prefer these lively research meetings for sure +**\** Anyways, last topic I had has been discussed significantly since I initially mentioned it. So I'll intro and then duck out of the way +**\** You had some notes, Isthmus, on how timestamps are represented +**\** https://usercontent.irccloud-cdn.com/file/Ovp9yP0j/image.png +**\** I will most likely need to take off, so I'll bring up my other mining pool ring signature proposal (which I mentioned in the past) when I get back +**\** @isthmus agreed, it seems that new ideas fluster that way. +**\** Oh go @sgp\_ +**\** ah, so very fast +**\** there are special ways we can construct rings for public mining pools to protect the "integrity" of outputs (make it no longer publicly known what transactions they are spent in) +**\** for public mining pools that share transaction histories, it's clear which outputs are change outputs, which are later spent by the pools +**\** to avoid this, public pools can select rings using exclusively decoys that they create as payments to miners +**\** that way, outsiders have no way to distinguish the output from the other outputs given to miners. saves one output per payment, per public pool +**\** this is not a consensus change, but it would require a separate "public pool selection mode" or similar +**\** Isthmus: how? payouts won't be from coinbase outputs +**\** Aah, maybe I was thinking of something slightly different +**\** Carry on :- ) +**\** this protects pool change outputs from being known as spent by the pool in specific transactions +**\** that's about it, just wanting to make sure this idea is resurrected, since I introduced it nearly 2 years ago now +**\** Thanks sgp\_ +**\** In the interest of time, Isthmus please go ahead! +**\** Everybody seems to use the miner\_tx differently, including some really strange stuff like many blocks with 60 B of null padding(??!) https://xmrchain.net/tx/7dfcc4e5d8bd772e3373e51d4140052121503d9b4f3cb6587251292bf06ced9a +**\** https://usercontent.irccloud-cdn.com/file/tXHruCE0/image.png +**\** This has implications for privacy of all users. For example, I have a list of blocks mined by the pool that added 60 B null padding to each miner transaction. When this person creates multiple-input transactions to claim the reward, ring signatures offer them no protection. +**\** (Multi input + miner fingerprint is statistically noisy, so we know when those outputs are really spent, and can rule them out as decoys in other transactions.) +**\** To avoid fingerprinting, it's important that any implementation mimics the full hierarchy on any block. For example, if we accommodate {nonce, pool, proxy}, then every miner (including solo mining core software) should put random data in pool & proxy. Otherwise we've just made a fancier way to leave the same fingerprint. :-P +**\** Anyways, others in this room have made a lot of progress on how to address this, so I'll let them jump in +**\** Anyone have anything to add in particular to this? +**\** nope, but I have to get going +**\** OK, suraeNoether: any brief update before you go? +**\** Otherwise, no worries +**\** sarang is this the encrypted timelock? https://justpaste.it/2754y +**\** just that sarang and i have been having some extremely deep discussions about unforgeability in CLSAG and the crappiness of linkability models... we are nearing some very valuable improvements to d-CLSAG as written... +**\** i'll let him describe more; i've also gotten my matching simulations (apparently) working correctly on my matching-mojojo branch of mrl-skunkworks +**\** other than that, i have to get going +**\** sorry :( +**\** i'll drop in later today for more of an update +**\** koe: you include the auxiliary timestamp in the signature's extra commitment in the model I worked up +**\** Isthmus: anything else that you hoped to share? +**\** (sorry, trying to ensure everyone gets a chance to finish their presentations) +**\** Thanks, I'm outta new material +**\** OK, thanks Isthmus +**\** I worked up some stuff on timelocks (shared earlier), did a blag post with sgp\_ relating to supply auditing (to answer questions that often come up), and got into the weeds on security models relating to linkability +**\** Linkability meaning the formal definition used in linkable ring signatures, not any particular transaction linking +**\** koe: what you have may be algebraically equivalent; I'll take a look shortly +**\** OK, did anyone else have something to share that was missed? +**\** So many things to discuss today! +**\** well does anyone have thoughts on enforced sorted TLV format for the extra field? I have spammed up the channel a bit recently, with that topic +**\** Can you recap the benefits and tradeoffs briefly, for those who didn't see the earlier discussion? +**\** If someone wants to stuff some random data in there, it's as visible as now, no ? +**\** and pursuing coinbase extra field standardization by seeking an inter-pool committe +**\** (note that monerologs.net has logs of this and other channels available) +**\** What's an inter-pool commite ? +**\** committee between pools +**\** composed of +**\** Oh you mean just talk to pool ops ? +**\** lol yeah +**\** these things are called standardization committees in industry +**\** benefits of enforced sorted TLV + guidelines for use: a) makes sure all implementations are using the same essential format for constructing extra fields, since without guidelines or structure each implementation is ad hoc; b) for those who are privacy minded, there will be a clear way to blend in with other like minded implementers (for example, +**\** who knew that the code base sorts field entries, but at least one live implementation does not?); c) leaves extra field almost as open ended as it is now, so those who choose opt-out privacy (choose to stand out from the crowd) for whatever reason, can still do so trivially +**\** In the earlier discussions, were there particular opinions opposed to it? +**\** If so, why? +**\** tradeoffs: a) it may have limited real impact on transaction indistinguishability, especially among coinbase tx if most pool operators aren't on board; b) implies no stricter enforcement of the field will be pursued (which would directly address questions of indistinguishability; c) so far as coinbase tx go, many pools publish their mined blocks +**\** (counter argument is Monero development is focused on on-chain, and can't concern too much off-chain activity) +**\** Noted; thanks +**\** Since you were interested also in the hidden timelock construction, any other thoughts on that as well (from your link above) +**\** actually I just felt inspired, and wanted to confirm my understanding +**\** Keeping in mind that the range proof can be absorbed into the existing one, meaning no effective change in size or verification for that portion of it +**\** Your construction appears algebraically equivalent to what I listed +**\** I dont know enough about CLSAG to make a real judgement +**\** The CLSAG part could apply to MLSAG as well +**\** Perhaps if we knew how much timelock is being used in the wild +**\** The only difference is how the commitment to zero is handled in the signature +**\** In MLSAG it would be \_very\_ expensive, but in CLSAG it adds only a single auxiliary linking tag, and makes the verification multiexp a bit more expensive +**\** oh nice, I was imagining all those extra mlsag scalars +**\** If people think it's worth seriously considering, I can get more precise timing estimates on those curve operations +**\** Yeah, for CLSAG you don't add scalars +**\** It is in no way worth it for MLSAG +**\** either in size or extra verification +**\** The current CLSAG data has some custom curve-op code for efficiency that wouldn't apply to this new 3-CLSAG timelock construction +**\** (the Python code is not suitable for timing, only to see how it works) +**\** Anyway +**\** We're way over time +**\** Anyone have ACTION ITEMS for this week they want to share? +**\** (I find action items useful for me, to help prioritize and share those priorities) +**\** I will continue working with Surae. Hopefully I can share more next week. +**\** I have several... some additional work writing up comparisons of linkability definitions between a few papers, to get some timelock numbers (if it's seen as useful), and some data analysis relating to sublinear protocols +**\** Oh, and one additional note... the IEEE S&B conference is coming up later this year +**\** https://ieeesb.org/ +**\** Both suraeNoether and I are on the program committee +**\** It's a great event, and is seeking papers +**\** If you have some work that could be worth sharing, consider writing it up formally and submitting +**\** Ok cool +**\** (you should note any conflicts of interest with the program committee if you feel they apply to you) +**\** I went to this event a while back, and it had great presentations (but was not streamed) +**\** Any other comments, questions, or final remarks before we adjourn? +**\** Normally there isn't so much to cover in one meeting; it's a great problem to have :D +**\** Going once... +**\** going twice... +**\** I will be focusing on ZtM2 multisig, which may be done by next meeting in which case Ill start in on bulletproofs; and anything else that comes up, perhaps work on updating the fee priority multipliers for surge situations (emails with ArticMine) +**\** Last thing, I didn't realize IEE had Security and Privacy on Blockchain. That's pretty cool. +**\** I'm happy to help with bulletproofs koe; I have a branch for it in my ZtM repo +**\** atoc: it's a great event +**\** all in good time :) +**\** I'm very happy to be asked to be on the committee :) +**\** OK, thanks to everyone for attending, even though we went over the usual time +**\** Yeah that's awesome! +**\** Logs will be posted shortly to the GitHub issue +**\** It was good. There was a lot of material. +**\** Discussion can of course continue +**\** (I just need a stopping point for the posted logs!) diff --git a/_posts/2020-01-29-mrl-meeting.md b/_posts/2020-01-29-mrl-meeting.md new file mode 100644 index 00000000..28e8e9bc --- /dev/null +++ b/_posts/2020-01-29-mrl-meeting.md @@ -0,0 +1,218 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-01-29 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** Let's go ahead and get started with GREETINGs +**\** Hello +**\** Hi +**\** v Greetings +**\** Heyo +**\** greetings +**\** hello +**\** Hi +**\** Let's continue with ROUNDTABLE, where anyone is welcome to share research topics of general interest (and discuss any questions arising from them) +**\** Since there was so much to discuss last week, I'll try to keep the discussion focused to the extent possible, for clarity +**\** I have a few brief things to mention +**\** hello +**\** First, I wanted to better understand the effects of including hidden timelocks in CLSAG signatures, and worked up a version of 3-CLSAG in C++ for performance tests +**\** Including timelocks would negate the verification time advantages of an MLSAG-CLSAG transition +**\** but would still give size benefits over MLSAG +**\** A similar approach would work in Triptych, so I extended the Triptych test code to 3-Triptych for this purpose +**\** And, just for completeness, updated the Triptych preprint on IACR to a general d-LRS construction +**\** Here is the 3-CLSAG test code, for those interested: https://github.com/SarangNoether/monero/commit/db33d18bb889043c4bdea6d8582ffe2f6c581d28 +**\** And the 3-Triptych concept code: https://github.com/SarangNoether/skunkworks/commit/f7581a385d72baa3dbb60c83e8d856a9335bec1f +**\** And the updated Triptych preprint: https://eprint.iacr.org/2020/018 +**\** I also found a very minor change to make in the existing CLSAG test code +**\** Finally, suraeNoether and I have been doing more security model stuff +**\** Any questions on these items from anyone? +**\** not directly for sarang, but at Isthmus regarding timelock; what is the prevalence of non-zero timelock for non-coinbase tx? +**\** Absurdly prevelant +**\** whether or not to include encrypted time lock depends in part on how much use it actually gets +**\** used +**\** Yeah, and I'm not formally advocating for it at this point; only curious about the implications +**\** I think our options are to remove the silly timelock field (It's just an arbitrary integer memo field currently) or encrypt it. +**\** I like that it's a straightforward application of concepts already used in Monero +**\** Yeah, conceptually it's really neat +**\** Will we be the first privacy coin to roll it out? +**\** I expect that it will become industry standard +**\** Does Zcash offer such functionality? +**\** (I have not checked) +**\** no clue +**\** I don't think so, but not 100% confident +**\** ZCash has serious scaling issues +**\** Anyway, whether or not Zcash does it should not be the determining factor IMO :) +**\** Merely curious +**\** Oh wait. Zcash inherited nLockTime from Bitcoin +**\** +**\** I'mma fish out their information leaks too +**\** And OP\_CLTV +**\** If implemented, it would make the most sense to bundle the timelock range proofs with the existing Bulletproofs +**\** So this means the sum of timelock-enabled inputs (all inputs, if mandatory) and outputs is restricted +**\** for Triptych, what are the steps between now and considering it for replacing RingCT? +**\** Formal review, a determination about its effects on multisig (particularly on compute-limited hardware), a decision on Triptych vs something like RCT3 +**\** I have not yet examined how easy it would be to include timelocks in RCT3 with their security model +**\** ^ ... and estimated recommended tx size for Triptych +**\** Also note that, as I think I mentioned last week, it would not make sense to deploy hidden timelocks with MLSAG due to the poor scaling +**\** (though technically possible) +**\** agreed +**\** Anyway, I want to make sure others have time to speak as well +**\** Who else wishes to share research topics? +**\** Zebra network stack looks interesting, potential applications in Monero? +**\** I saw that yesterday! +**\** Blag post about it: https://www.zfnd.org/blog/a-new-network-stack-for-zcash/ +**\** cool, will check out +**\** And a corresponding forum post (not much activity there yet): https://forum.zcashcommunity.com/t/a-new-network-stack-for-zcash/35870 +**\** It's from Zcash Foundation research +**\** Monero maintains a single state across all the peers, right? +**\** That's a good question, and I don't know the answer +**\** ping vtnerd +**\** I had thought so, but not confident in that +**\** not even sure what that means. single state? what is included in that state? +**\** there is an aggregate state for bandwidth limiting +**\** but sync info is per-connection +**\** Oh so maybe we already take the Zebra approach? +**\** It seems pretty elegant. +**\** Isthmus: did you have other topics you wanted to bring up as well? +**\** "Unlike zcashd, which maintains a fixed number of outbound connections, we attempt to connect to as many peers as possible, subject to resource limits " +**\** this approach will be troublesome for them, since they use levelDB/rocksDB for storage +**\** lvelDB/rocksDB requires thousands of file descriptors for its storage. +**\** that competes with the demand for socket descriptors +**\** Interesting... worth bringing up as a question on the forum? +**\** One of the developers (Henry) opened the thread +**\** not from me. I have no interest in helping zcash project +**\** ok +**\** I'm trying to make the unlock time plot, but my laptop is struggling with the 1.5 GB data set +**\** they should have already known by now that their DB choice is inappropriate for a network service that uses lots of connections, but it seems they haven't discovered that yet +**\** Isthmus: no rush! +**\** In the meantime, koe: did you wish to address anything in particular? +**\** yes muahaha +**\** not technically research, my roadmap has been cleaned up a bit; in particular I want to get opinions on item koe\_11, which would enable view-only wallets to know when owned outputs have been spent; also item koe\_9 which would allow all wallet implementations to more or less deprecate pre-RingCT transaction versions +**\** https://www.pdf-archive.com/2020/01/29/moneroroadmapkoe012920/moneroroadmapkoe012920.pdf +**\** koe\_11 sounds like a high priority +**\** also, sarang helped me work up a decentralized CoinJoin-esque protocol (temporarily named JoinMo), which is available as chapter 9 of current ZtM2 draft +**\** https://www.pdf-archive.com/2020/01/29/zerotomoneromaster-v1-0-21/zerotomoneromaster-v1-0-21.pdf +**\** chapter 10\* +**\** I like the JoinMo approach of using per-participant shared secrets to obscure the input-output mapping +**\** also, rbrunner at one time investigated OpenBazaar integration, and ran into some roadblocks, so my 'research' has been engineering solutions to those problems, which should be available next week +**\** I'm giving extra scrutiny to the specifics around SAG/LSAG since the keys are per-output only +**\** I was thinking about the implications of using a separate keyset for inputs as well +**\** (keys = per-join participant keys, I mean) +**\** however, OpenBazaar integration would likely entail a large update to the code-base, to optimize communication rounds +**\** moreover, multisig in general should be updated to comply with suraeNoether's paper on the subject +**\** Yes +**\** Somewhat related to item 10, I'm still concerned about any blockchain observer being able to identify which transactions do not include any outputs to subaddresses. +**\** n3ptune and I will make a plot of subaddress adoption over time : -) +**\** But ideally that should not be possible.3 +**\** Also yes :) +**\** It's been suggested before to standardize on some form of per-output keys for this purpose +**\** but it never gained traction +**\** koe: nice list! koe\_9 may be controversial since spending pre-rct would stand out more, no? +**\** Yeah looks like a nice list koe +**\** it already stands out like a sore thumb +**\** but that sort of problem will exist for RingCT as well, since spending ancient outputs is always somewhat unusual +**\** and my suggestion is to start using pre-ringct outputs as decoys as well +**\** If we told everyone to sweep them to themselves, would that also be too obvious? you could assume that every txn with pre-RCT inputs is going back to its sender +**\** so gamma select over entire site of outputs +**\** set +**\** koe: do we currently only select rct randomly as decoys? +**\** yes, and coinbase (not sure if pre-ringct coinbase are included) +**\** coinbase are included as decoy in normal tx, which is where this idea comes from +**\** then this actually makes spending pre-rct slightly less suspicious, no? +**\** And the handling of coinbase outputs is by no means solved +**\** This is 80% a joke: We implement Koe\_9 and sgp\_coinbase\_only rings, \*but\* require each and every one to include N coinbases and M pre-ringCT transactions, for fixed consensus parameters N and M +**\** sgp\_: the distribution tail falls fast +**\** sarang: indeed, but it's near-zero better, not near-zero worse I think +**\** Yes, but does provide slightly more information (amount) +**\** https://usercontent.irccloud-cdn.com/file/R26YQwiJ/image.png +**\** ^ which is hilarious, because all of these would hypothetically unlock at HEIGHT 2 and HEIGHT 12 back in 2014, IIRC what mooo said +**\** Due to the non-standard handling of that field, you mean? +**\** (which should be standardized anyway) +**\** Isthmus: hmm, I would need to see a lot more info on how many people actually spend pre-rct (suspected) compared to coinbase. My intuition leans no +**\** So include a single pre ring CT fake if the real output is not pre ring ct +**\** @sarang: Yes, currently, 3 things are being put in the unlock field: +**\** https://www.irccloud.com/pastebin/0Y87gTTq/ +**\** Argh sorry +**\** Small integers like "12", presumably to be interpreted as height differences, i.e. "unlock in 12 blocks" +**\** Large integers like "1980000", presumably to be interpreted as block heights +**\** Very large integers like "1578561720", presumably to be interpreted as unix timestamps +**\** yup +**\** I am working on a first version implementation of xmr-btc atomic swap in Rust +**\** more info here: https://github.com/h4sh3d/xmr-btc-atomic-swap/blob/master/whitepaper/xmr-btc.pdf +**\** atoc: did you identify a suitable zkp? +**\** Aside from things like the handling of non-compliant participants etc., the zkp of hash/log preimage was not specified +**\** the paper proposes two transactions for each token +**\** yep +**\** is there is a zkp not specified I will look at it. So far I have just gotten some initial stuff implemented +**\** however I have not gotten to the swap part yet +**\** for the implementation, I have read through the paper and it seems sounds +**\** sound\* +**\** Yeah, you'll notice there's a requirement for a particular proof that a hash preimage and discrete log preimage are equal in equal knowledge +**\** Something trustless like Bulletproofs could be used for this, with a suitable circuit +**\** I see +**\** The BP paper had data on such a circuit, but I was specifically told it was for testing only and was not yet suitable for any kind of deployment +**\** I will take a look at that +**\** We will need it. Perhaps we can see if that circuit works okay, and if not hopefully we can look at ways to improve. +**\** koe: thanks for that roadmap writeup; it's nice to see many suggestions put together in one place +**\** It might be useful to open research-lab issues for those that require ongoing discussion +**\** I still advocate for those two mining pool-related proposals btw :) +**\** sarang I send you a link to my repo once I push some changes +**\** even though most discussion happens on IRC +**\** I will send\* +**\** Thanks atoc +**\** You can take a look and I would like to get your feedback on it +**\** Happy to help +**\** Thanks for taking a look at that +**\** (y) +**\** sure I can put on research github; was just wondering if koe\_11 should go on main repo's issues +**\** Np, it seems interesting. This week I was just l familiarizing myself with different atomic swap techniques i.e off-chain and on-chain +**\** And looking at the dalek library in Rust +**\** koe: I'd say anything that requires ongoing unsolved research is definitely suitable for research-lab +**\** But I don't dictate the scope of issues! +**\** OK, we have about 10 minutes left (there's another meeting taking place at 19:00 UTC for the Konferenco) +**\** ok can put them up there +**\** Any research topics that have not yet been brought up, and should be? +**\** sarang btw have you considered publishing your list? +**\** Of topics I am personally working on? Not really, it's more to help organize my own work +**\** The private list that you had of research topics that need attention. +**\** I should open issues for them as well +**\** TBH github issues for research are not used as well as they could be +**\** Yeah I think it would be could to have a public list to look through as important topics for Monero that need attention +**\** Since so much of the discussion happens on IRC in real time +**\** yes indeed +**\** But at least those issues could be used as a central posting location +**\** I currently go back to the logs, but that list was helpful. +**\** I don't want people to have to scour IRC logs +**\** Sure, I'll make some issues +**\** We should clear out old issues as well, or request updates +**\** peanut gallery here. Now that suraeNoether 's matching project is complete (?) or nearly so, what is the plan to use it going forward ? +**\** 'scouring IRC logs' - story of my life :') +**\** nioc: good question for suraeNoether! +**\** He has also been working on LRS security models lately +**\** (which are a blocker for CLSAG review) +**\** OK, let's move to ACTION ITEMS for the time being (discussion can of course continue after we formally adjourn) +**\** I am writing up some material on transaction proofs/assertions, and writing up new code for a proposed InProofV2 and OutProofV2 +**\** As well as security model updates, some work on proof rewinding for data storage, and some odds and ends +**\** Anyone else? +**\** my action item: mkW my private .git repo (of atomic swap implemntation) public on Githuv +**\** neat +**\** Github\* +**\** my action items: multisig and escrowed-marketplace protocol writeup, possibly start bulletproof study if time permits +**\** BPs for the ZtM writeup? +**\** I want to make a website where you can type in a stealth address (or list of them) and see what future transactions have used them as ring members +**\** But need a little bit more backend work before that is ready +**\** at the very least studying it +**\** I think the concerning part will be seeing the outputs that have been used in no subsequent rings, and thus have a known spend state and no plausible deniable for spendedness +**\** Let me know if you have any particular questions that I may be able to answer +**\** of course :) +**\** Any other action items, or final comments before we adjourn? +**\** (from anyone) +**\** actually spoiled my writeup from several months ago in the latest ztm2 draft whoops +**\** It's great to see so much research lately into so many different areas of interest from so many people :D +**\** Gets tough to keep up with everything +**\** Which is a great problem to have, in some sense +**\** Anyway, thanks to everyone for attending; we are now adjourned! diff --git a/_posts/2020-02-05-mrl-meeting.md b/_posts/2020-02-05-mrl-meeting.md new file mode 100644 index 00000000..6d56e3ba --- /dev/null +++ b/_posts/2020-02-05-mrl-meeting.md @@ -0,0 +1,200 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-02-05 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** OK, let's get started +**\** Logs from this meeting will be posted to the agenda issue shortly after the meeting +**\** First, GREETINGS +**\** hello +**\** hello +**\** good mroning +**\** hiya +**\** On to ROUNDTABLE, where anyone is free to share interesting research +**\** I'll go first, since I have a small assortment of things +**\** I worked up code and examples for doing hidden data storage within Bulletproofs and Triptych, suitable only for the prover +**\** I,m kinda here, but on a conference call +**\** Several ongoing projects/issues have been moved to monero-project/research-lab issues for comment and discussion +**\** The CLSAG code on my monero fork (clsag-plumbing branch) has been cleaned up; thanks to UkoeHB\_ for helpful suggestions and comments +**\** It includes, among other things, hash function domain separation that we hope to roll out elsewhere for a more robust overall codebase +**\** There is also CLSAG Python sample code showing how to do signer index extraction in a clever way, which I assume UkoeHB\_ may wish to discuss when he shares +**\** I've written up material for ZtM about transaction proofs/assertions +**\** And have worked up some new C++ code that updates transaction in/out proofs to have correct Schnorr challenges +**\** (still need to write tests for this) +**\** That's my update; any particular questions before the baton is passed? +**\** quick question: iirc you had done work on encrypted timelocks +**\** yes +**\** i've been chatting with both isthmus and TheCharlatan about them +**\** do you have any notes prepared any place for later reading? +**\** On what in particular? +**\** alternatively: can we schedule a discussion in this room that will end up in the logs for later this week? +**\** Sure +**\** Let's table for now, and address at the end +**\** if we implement them regardless of if we are using mlsag, clsag, or triptych, there's going to be a cost. i want to see how it's all going to fit into future monero dev +**\** word, word, i can go next +**\** OK, go ahead suraeNoether +**\** last week i spent a lot of time on CLSAG and linkable ring signatures security definitions +**\** there are a lot of definitions out there and they don't all relate to each other in a clean taxonomy, and it wasn't clear which ones we needed to use, and so on +**\** so i started writing this rather large technical note summarizing all this with the intention of writing a second paper about it, but sarang and i have decided to merge the two into a new draft +**\** the reason is that even definitions of unforgeability miss absolutely critical stuff becuase they are taken from "ring signatures" and mapped over to "linkable ring signatures" wholesale without regard for linking properties +**\** so now the paper will be proposing a new definition of unforgeability specifically for linkable ring signatures that subsumes more than one security definition, and this is going to set the standard for a few years on how unforgeability is considered for all applications of linkable ring signatures. +**\** this is good news(tm) for MRL +**\** sweet +**\** congrats :) +**\** thanks :D +**\** It makes the preprint all the more valuable +**\** In addition to that, I have been preparing my talk for the Blockchain Tech Symposium at the Fields Institute in two weeks, and debugging my matching code. +**\** i'm extremely grateful to the peer reviewer who "gently" pointed us towards the backes' paper actually +**\** Having both improvements to security models \_and\_ a new construction seems to be the gold standard these days +**\** they did us more of a favor than maybe they realized +**\** my work for the week will include finishing up this new draft of CLSAG, and to begin large-scale data collection on matching +**\** Thanks suraeNoether +**\** Any questions for suraeNoether? +**\** if you want more CLSAG work, it's possible to increase the number of linkable keys up to the total number of pub keys considered :p +**\** Sure, but that's not useful for our particular application +**\** which is why we didn't consider it +**\** I believe there was an earlier question from nioc about matching +**\** for suraeNoether +**\**� my question is, what is the status of the matching project and how will is be used going forward to help select an appropriate ringsize? +**\** ^ was the question +**\** ah, great question: the matching project is \*what appears to be\* a single-line bug away from correctly generating simulated ledgers. it already appears to generate correct confusion matrices; once this bug is cleared up, it's a matter of executing a big block of code for a large period of time to get all the sample data, and then analyzing the data that's dumped to file. +**\** so... if this bug, just like all the others, is a hydra, then I don't have a good answer, but i suspect i've narrowed down the problems to the source +**\** Is the purpose of the matching project to produce the ledgers? +**\** there are several purposes, but here's the main thing +**\** we want to estimate how well an adversary can do at finding the "real" history of a monero ledger, given some hints (like it's a KYC exchange) +**\** i have a method of computing a maximum likelihood estimate of the real history given some obscured ledger, and all that code works +**\** and i have a method of taking an estimate and comparing it to the ground truth, producing a confusion matrix, and all that code works +**\** i have a simulator that generates simulated ledgers, and the vast majority of that simulator is working just fine, too +**\** the origin of the project came from the idea of developing a game-theoretic description of traceability on the monero ledger: you hand me an obscured ledger and some hints, I hand back to you my best guess, and then success is judged by you comparing the best guess to the ground truth you kept from me the whole time +**\** so, the hope is: graph performance against ring size, and see if getting larger than 11 is a waste of space/time or not +**\** in the meantime, we hope to also get good data for zcash-style ledgers, so that we can actually rigorously compare the two ledgers against each other, instead of tweeting at each other about fragility +**\** but that last bit is farrrrr down the line +**\** Oh yea, I just remembered that ginger and I talked about generating synthetic blockchains forever ago https://github.com/insight-decentralized-consensus-lab/CryptoNote-Blockchain-GAN/issues/1 +\< +**\** OK, any follow-up questions on this? +**\** unfortunately, i've not worked on matching since mid-January because CLSAG's security models are critically important +**\** and CLSAG needs to get out the door +**\** Anything else to share, suraeNoether? +**\** Does anyone else wish to share relevant or interesting research? +**\** I'm taking a break from blockchain logs analysis to do some chat log analysis, analyzing recurring logical fallacies in this space +**\** Nope +**\** isthmus lol really? +**\** ? +**\** Yeah, actually doing a formal analysis +**\** Isthmus: if you are, i have a friend to hook you up with at the university of exeter +**\** This channel in particular? +**\** Or more broadly in cryptography? +**\** Somewhat broady +**\** There's 7 common ones that show up in -lab +**\** go on... +**\** But they break down into combinations of red herrings and something that is \*similar\* to the slippery slope argument, but not quite the same and I'm still nailing down its technical logical structure +**\** dude, please elaborate +**\** Like when we're debating fixing a tractable privacy leak, and somebody points out that there are other privacy leaks +**\** :O +**\** ah yeah +**\** or comparing everything to 50% attack costs +**\** Another one is the hashrate code control fallacy +**\** ? +**\** Confusing a 51% attack on longest chain with a 51% attack on the code +**\** This came up a few weeks ago actually +**\** aaaah +**\** i smell some medium articles +**\** Like why should we bother working on the protocol and code, when one day, somebody might run their own version on a bunch of their own miners +**\** Based on what you've analyzed so far, any particular recommendations to avoid such flaws in discussion/thinking? +**\** That one can be disproven by contradiction +**\** If 50% of BTC hashrate moved to BCH, does that make BCH the official bitcoin? +**\** "why should we patch little leaks in info here and there" styled privacy nihilism/despair +**\** Oh shit, I gotta be in a meatspace meeting +**\** ciao! +**\** -\_\_- +**\** Very interesting stuff +**\** Erm, not by contradiction. I mean by example demonstrating absurdity +**\** We have plenty of time left... does anyone else wish to share anything? +**\** lol +**\** lol "i'm going to use machine learning to watch all of your conversations and find out who repeats fallacies most zealously BAIII GOTTA GO GRAB A FREE SLIZE OF 'ZZA FROM THE CORPORATE OVERLORDS" amiright +**\** Here's mine. Worked on write-ups of different ideas -\> now Research repo Issues, with good feedback from sarang improving viewspent approach. TxTangle (aka my monero coinjoin protocol) is mostly done and just needs questions answered about network-layer anonymity. Current draft of ZtM2 is here https://www.pdf-archive.com/2020/02/05/zerotomoneromaster-v1-0-23/zerotomoneromaster-v1-0-23.pdf and current +**\** ‘koe’s Ideas’ is here https://www.pdf-archive.com/2020/02/05/moneroideaskoe020520/moneroideaskoe020520.pdf +**\** Yeah, the original view/spent idea was broken, but there's a better approach +**\** It ties in with the CLSAG index extraction that I mentioned earlier +**\** If the signer generates all non-signing scalars via a PRNG `s\_i := H(seed,i)` (with appropropriate seed data), then it can be asserted privately what the signing index is +**\** It removes the need to add anything to the chain, and hence is good for indistinguishability +**\** I dig it, provided the UX is sufficient for reasonable use cases +**\** yeah if view key can regenerate those scalars, it can know when an output has been spent with certainty +**\** of course, it only works if tx author generates scalars like that +**\** The problem is still that it's opt-in, so even an accidental use of a non-participating wallet ruins the account balance computation for good +**\** So you'd have to be super-clear about presenting that to the user +**\** hmm +**\** Of course, a wallet could be doing that right now for all we know +**\** it's non-consensus and can't be detected if done properly anyway +**\** it does leave open questions about data stored by nodes, since signature scalars are pruned; perhaps only full nodes, or view-spent enabled nodes can be used +**\** IMO that's a completely reasonable trade-off +**\** sounds reasonable to me too +**\** it also may greatly increase data transmitted to view-only wallets by remote nodes +**\** Bloating the network for optional functionality benefitting only a single user seems unnecessary +**\** But this approach means you can run a full node (good for the network) and have the functionality for your wallets safely +**\** UkoeHB\_: I think that's a good thing to point out but probably isn't a showstopper +**\** might need to receive a gigabyte of data to read through a year's worth of tx +**\** hmmm +**\** i'm a little worried about this in the following sense +**\** I still think that is okay for view-only wallets +**\** you are selecting the non-signing scalars deterministically from a PRNG +**\** anyone using them for critical stuff, or viewing multiple wallets, should run their own node +**\** one thing we all know about schnorr signatures is that if nonces are selected deterministically, it's possible to extract the private keys +**\** at least, under certain constraints +**\** suraeNoether: yes, which is why seed selection is very important +**\** so my question is +**\** UkoeHB\_ and I discussed this a bit already earlier +**\** if the seed is chosen from a high entropy distribution and kept secret, it's computationally hard to detect that these are computed deterministically +**\** i would prefer a method that is more than computationally hard +**\** Presumably the seed is a combination of the view secret key, the index, the key image, etc. +**\** suraeNoether: how would that even work? +**\** Data extraction requires that only the designated parties be able to construct the "expected" output value +**\** pfeh, we use PRNGs because statistical RNGs don't really exist :P so ... it wouldn't +**\** Well, right now we operate on the assumption that the user has access to something behaving as an RNG +**\** this moves to an honest-to-goodness PRNG +**\** (and has to) +**\** You can't do data extraction with a true RNG AFAICT +**\** that... is... true. +**\** Anyway, this is an interesting topic that could be useful for a future release +**\** but has subtle aspects to seed selection and UX that need further review +**\** Let's move on, for the sake of time +**\** Any other topics you wish to share, UkoeHB\_? +**\** well, I hope people can leave feedback on the repo issues +**\** Yes, please do +**\** Much easier than only doing IRC comments =p +**\** sorted TLV is probably most important for next hardfork +**\** TBH that's probably going to be better for -dev discussion +**\** More of an engineering question than a math question :) +**\** true +**\** I'd bring it up at a dev meeting, or just in -dev whenever +**\** Get a sense of the work involved +**\** ok +**\** I know people have brought up tx\_extra parsing before, and it's a hot topic +**\** Does anyone else wish to discuss other research topics? +**\** ah, CLSAG section was added to ZtM2 for anyone curious +**\** excellent +**\** uh i saw vtnerd's push on dandelion++ +**\** Yes +**\** Most excellent +**\** It's on my list to review later this week +**\** Speaking of which +**\** Let's briefly move to ACTION ITEMS to respect everyone's time +**\** I'll be reviewing the D++ PR, working through some additional transaction assertion/proof stuff, updating sublinear tx protocol MPCs, and writing up examples of RCT3 hidden data storage +**\** yes. Mine: Finish CLSAG, start collecting matching data. Also, of primary importance: provide updates twice or three times a day in here until both of these are finished. +**\** As well as getting tests written for the new tx in/out proofs +**\** i'll be reviewing the D++ pr also once those are both off my plate +**\** Yes, looking forward to the CLSAG stuff (will review when ready) +**\** Anyone else have action items planned for the week? +**\** To do: focus on multisig all week, hopefully finish txtangle (need a network anonymity expert for advice, any takers?) +**\** The most knowledgeable person is probably vtnerd +**\** I hear if you say his name 3 times, he gets 3 separate notifications... +**\** =p +**\** Any last-minute items, questions, etc. before we formally wrap up? +**\** (I'm happy to discuss timelocks after we adjourn) +**\** Going once... +**\** twice... +**\** Adjourned! Thanks to everyone for attending; logs will be posted shortly on the agenda issue diff --git a/_posts/2020-02-12-mrl-meeting.md b/_posts/2020-02-12-mrl-meeting.md new file mode 100644 index 00000000..ea33011c --- /dev/null +++ b/_posts/2020-02-12-mrl-meeting.md @@ -0,0 +1,116 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-02-12 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** Greetings! +**\** Hi +**\** Hiya +**\** Hello +**\** Thanks selsta I'll look +**\** I suppose we can move to roundtable discussion +**\** Who wishes to share interesting research? +**\** hello +**\** Something quick from NRL +**\** We've been looking at some results regarding the extra field in transactions. We have one thing to share today +**\** Here is an analysis of Payment id usage since v10 when unencrypted payment ids were deprecated: +**\** https://usercontent.irccloud-cdn.com/file/Xf1uZRsZ/image.png +**\** (Sorry there is an uncorrected typo: "Unencrypted Included x Encrypted Absent" should be 232980 (not 232972) and "Unencrypted Absent x Encrypted Included" should be 1904765) +**\** ^ moneromooo etc. +**\** It's actually not 'mandatory', just part of the core wallet's behavior +**\** As jtgrassie liked to insist :p +**\** Nothing stops a wallet from simply including a fixed default value either +**\** (can't enforce "uniformly random" in that way) +**\** Once again touches on the idea of extra parsing/enforcement +**\** Are there other indications of what non-standard software it might be? +**\** 17% is a good amount that didn't update properly +**\** do they save slightly on fees? +**\** That's a good question, we didn't look into the transactions but there may be other things going on that make more of a fingerprint +**\** Thanks n3ptune +**\** Thanks! Just sharing these numbers today +**\** if the fees are lower, I can see someone setting it up this way if they process many transactions +**\** Looking at long payment id usage since 1.7e6 is a bit pointless. What is it from 1.98e6 ? +**\** I can check +**\** n3ptune: the core wallet only creates encrypted payment IDs for all 2-output tx, would you mind looking into the distinction (proportion encrypted IDs with 2-output and \>2 output)\> +**\** moneromooo: was the dummy encrypted payment ID also since 1.98e6? +**\** Another good question +**\** I think before. +**\** It was merged late january 2019. +**\** Yes, it was included in the release for that height. +**\** I don't think we looked at long PID +**\** Sorry, here is the updated figure +**\** https://usercontent.irccloud-cdn.com/file/t5ozuruh/image.png +**\** ? Long PID = Unencrypted PID, yes +**\** Yes. +**\** Oh, I was thinking integrated +**\** Sorry, on 4 hours of sleep, no coffee, and in presentations at a crypto compliance company all morning +**\** But they're cool with me being half in MRL, obviously they've been pretty supportive of my research over the past year :- ) +**\** How ominous +**\** it might just mean more significant implementations exist than just core, which might be good news also +**\** Well, not if the result is fingerprinting +**\** n3ptune: also, afaik coinbase transactions do not use payment IDs (a round 200k tx over that period) +**\** The numbers should be for non-coinbase only +**\** Well, in the interest of time, shall we continue? Hopefully we can get more detailed data, which can help any future decisions about parsing +**\** Thanks for the data Isthmus and n3ptune +**\** Thx, I'll check out those questions +**\** Other research to discuss or share? +**\** UkoeHB \_ ? +**\** suraeNoether ? +**\** OK, I can discuss a few short items +**\** ok, I sketched out a light node proposal https://github.com/monero-project/research-lab/issues/69 pls leave your thoughts there if interested +**\** Ah ok, nvm +**\** go ahead UkoeHB\_ +**\** ZtM2 I got through multisig and the draft of that chapter is done, started working on escrowed marketplace chapter which will be done by next meeting https://www.pdf-archive.com/2020/02/12/zerotomoneromaster-v1-0-25/zerotomoneromaster-v1-0-25.pdf +**\** thats all from me +**\** @UkoeHB\_ just scoped that proposal last night, looks like great stuff +**\** Looks to be similar to SPV structure? +**\** possibly, idk anything about SPV +**\** I worked out data storage inside RCT3 proofs (both single- and multi-input) as well as storage in multi-input Triptych +**\** Finished code and tests for new transaction proofs +**\** did some Dandelion++ review +**\** yay triptych! +**\** Wrote some code to demo spend/non-spend status proofs that have been discussed previously +**\** and overhauled the Omniring/RCT3/Triptych key image multisig construction protocol +**\** Any size indications for triptych? +**\** Individual transactions? Sure, that's been available for some time +**\** https://github.com/SarangNoether/skunkworks/blob/sublinear/triptych.md +**\** Now that I have I/O structure data from n3ptune, I can run some chain-wide estimates based on that +**\** since different tx protocols imply different tradeoffs as I/O structure changes +**\** It seems to me a move in the reference tx size from 3000 bytes to 4000 bytes would be needed +**\** Which is very reasonable given the mixin privacy gains +**\** why increase? +**\** It depends on what protocol (if any) is chosen, what parameters used, etc. +**\** ah i see, for 1024 ring size +**\** I am saying with N = 512 or 1024 +**\** what are the hurdles for tryptich? besides me wanting to spell it wrong all the time +**\** If this goes through, by the time it makes it to the main chain the drop in block reward would easily cover the fee increase +**\** If we increase the penalty free block weight to 400000 bytes +**\** gingeropolous: no peer review yet +**\** I also need to know the practical drawbacks to the more complex multisig operations +**\** especially on lower-powered devices +**\** They'd need to support Paillier encryption/decryption for multisig with any of the sublinear protocols +**\** We must also keep in mind this is less than a year of Nielsen's Law of Internet Bandwidth +**\** ugh. what, for those silly hardware wallets? +**\** Well, anything that would need to participate in multisig +**\** The process involves doing peer-to-peer Paillier operations, some Schnorr and commitment stuff, etc. +**\** would multi-tryptich work with any kind of join protocol? +**\** Unclear. It's still in the early stages +**\** before this meeting gets wrapped up, I am curious about the state of discussion around Monero's difficulty algorithm; zawy12 seems to have done a lot of research on the topic of difficulty algos https://github.com/zawy12/difficulty-algorithms/issues/50 +**\** and suraeNoether was at one point doing research on that area +**\** apparently Monero's algorithm is quite bad, relatively speaking +**\** Interesting; I had seen some of their earlier work, but not this summary +**\** The conclusion seems to be that the potential oscillations would be of much greater importance for uses with large mining variance +**\** (which isn't really part of the design choice) +**\** Worth a read, now that we have the link +**\** UkoeHB\_: did you want to discuss extra sorting, given its relationship to the information from n3ptune and Isthmus? +**\** I feel Ive made my case for it, although Isthmus says they are working on a big comprehensive report so at that time I may recapitulate +**\** Fair enough. Trying to enforce better uniformity and order is a good idea, so I agree +**\** It may come down to questions of efficiency and "someone needs to write it", but who knows +**\** enforcing it should be less than 100 lines of code IMO +**\** Sounds like someone is volunteering :D +**\** Anyway, there is a Konferenco meeting starting presently, so any final comments or thoughts before adjourning? +**\** Righto; thanks for attending, everyone diff --git a/_posts/2020-02-19-mrl-meeting.md b/_posts/2020-02-19-mrl-meeting.md new file mode 100644 index 00000000..39f8eb2d --- /dev/null +++ b/_posts/2020-02-19-mrl-meeting.md @@ -0,0 +1,166 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-02-19 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** OK, let's get started with the meeting +**\** GREETINGS +**\** hello :) +**\** Hello +**\** I caught the meeting! +**\** I would like to note that the meetings are not listed in the calendar +**\** idk if thats intentional +**\** Which calendar? +**\** Hi +**\** And how are meetings applied to it? +**\** Hi +**\** Meeting times/agendas are always listed as meta repo github issues +**\** Anyway, does anyone wish to begin the ROUNDTABLE with research topics of interest? +**\** Yes +**\** Take it away UkoeHB\_ +**\** I finished designing an escrowed marketplace 'protocol' which hopefully solves issues encountered by rbrunner in his openbazaar integration analysis. Also, multisig and txtangle have been finalized. +**\** https://www.pdf-archive.com/2020/02/19/zerotomoneromaster-v1-0-28/zerotomoneromaster-v1-0-28.pdf +**\** Neat +**\** Finally, I had an idea for reducing minimum fee variability, and likewise for putting antispam directly in the protocol instead of relying on minimum fee +**\** Are you seeking analysis on those? +**\** Which is issue #70 +**\** They are open for comments any time anywhere +**\** Ah and sarang provided a draft for a tx knowledge proof chapter +**\** aye +**\** (not really my research :p) +**\** Heh, it's more of a summary of what's in the codebase (and some changes) +**\** I look forward to reading the update draft you linked +**\** A number of topics here are lonely and want attention btw https://github.com/monero-project/research-lab/issues +**\** \end +**\** Thanks UkoeHB\_ +**\** Any questions or comments on those topics from anyone? +**\** Yes +**\** Please go ahead! +**\** I have taken a look at issue 70 +**\** It actually has serious implications +**\** When the LT medium increases substantially +**\** I do have an idea for a solution +**\** Very preliminary at this stage +**\** As for an interim fix +**\** The est is to pay the high or at least normal fee for escrows that are expected to last past the next hard fork +**\** I will have comments on the issue in the next two weeks +**\** end +**\** Thanks ArticMine +**\** Any other questions/comments from the topics presented by UkoeHB\_? +**\** Righto +**\** I'll share a few things +**\** First, the Stanford Blockchain Conference is happening right now (and the next couple of days), and has streaming available: https://cbr.stanford.edu/sbc20/ +**\** Second, I did some math/code related to multiparty stuff for next-gen protocols +**\** Third, I worked on code and write-ups for transaction proofs, both for an updated PR and for inclusion in Zero to Monero for better documentation +**\** Fourth, I used chain data from n3ptune and friends to do better estimates of the cumulative effects of next-gen protocols +**\** both in chain growth and verification time +**\** Major caveat: these assume the same input/output distribution as the current chain, and are \_estimates\_only\_ +**\** and apply to post-bulletproof chain data only +**\** https://usercontent.irccloud-cdn.com/file/ijaEAI7m/size.png +**\** ^ this link shows the total chain growth estimates for various protocols with varying ring size +**\** namely, from 16 to 1024 in powers of 2 (lines for visual aid only) +**\** Sarang would you mind adding an indicator for MLSAG and CLSAG at the 11 ring size 'point'? For reference +**\** Sure, let me grab that data from my spreadsheet +**\** hold please +**\** Or the super steep slope from 11 to 20 lol that goes off that chart +**\** Heh, I had that data but didn't include it since it's crazy linear +**\** I'm running the N=11 code for MLSAG/CLSAG, which I don't have handy +**\** Anyway, I'll pull up the time data while we wait +**\** https://usercontent.irccloud-cdn.com/file/T7uWoFEp/time.png +**\** ^ verification time estimate for \_group\_operations\_only\_ at varying ring sizes +**\** I think it's interesting that all these protocols/signature schemes are similar size on the small end +**\** All the verification times are linear (up to a logarithmic term due to multiexp) +**\** Where is tryptich multi hiding? +**\** It's underneath Triptych-single +**\** They're essentially indistinguishable +**\** Does Triptych single have advantages over multi? +**\** RCT3-multi suffers due to input padding requirements that still have a linear verification effect +**\** selsta: a complete soundness proof :) +**\** Update on MLSAG/CLSAG size estimates... +**\** Could you make a smaller graph from 0 to 128 ring size? Since those large ones seem pretty unreasonable +**\** At N=11, MLSAG for that chain range is 7.84 GB, while CLSAG is 5.84 GB +**\** (the actual size of that chain range is 7.9 GB) +**\** https://usercontent.irccloud-cdn.com/file/DFhClmEe/time-small.png +**\** ^ same time data, zoomed in +**\** Perfect thanks :) are time estimates for CLSAG/MLSAG available? +**\** Heh, just writing that out +**\** I have very early estimates on that, which are tricky since multiexp doesn't apply, and hashing is nontrivial +**\** MLSAG N=11 estimate is 29.9 hours for that chain range (but I have \_not\_ double-checked it) +**\** What hardware was used for the verification time calculations? +**\** It's a single core on a 2.1 GHz Opteron machine, with a bonkers amount of RAM +**\** I would rely on the timing data only for comparisons, not absolute values +**\** age of CPU? +**\** I am still in the process of getting CLSAG data, which requires additional test code +**\** It's a gen-3 Opteron, if that's what you mean +**\** Is there a way others could run the same tests? +**\** Again, only estimates using performance test code +**\** For next-gen protocols, it's quite easy +**\** Yes great it does give an idea thanks +**\** Well, somewhat easy +**\** You need to get multiexp performance timing data and use a linear interpolation that you plug into the simulator +**\** For MSLAG/CLSAG you need to run more operation performance data +**\** This is the simulator, which is still WIP: https://github.com/SarangNoether/skunkworks/blob/sublinear/estimate.py +**\** https://usercontent.irccloud-cdn.com/file/HuPcfLdT/image.png +**\** But again, it's tricky to do comparisons between MLSAG/CLSAG and the next-gens +**\** (drive by data) +**\** Wow, that's quite low +**\** Oh yeah, the numbers are one thing. But moreso, we should all be more alarmed that analyzing something like this is possible for an outside observer +**\** ;-) +**\** Yep, and has certainly been a topic of interest! +**\** It's a privacy risk to use subaddresses right now... +**\** Anyways, I gotta bounce, sorry to spam n run +**\** OK thanks for sharing the data Isthmus +**\** Another good reminder that I/O structure reveals some information about subaddress use +**\** Since Isthmus had to leave, were there other questions/comments on the data that I shared above? +**\** UkoeHB\_: if you want to run tests as well, let me know after the meeting and I can let you know how to get the numbers you'll need +**\** My computer is quite weak, was just asking for viewers :) +**\** sarang: can you remind us on the plans to fix this subaddress thing? +**\** ah ok +**\** Requiring separate tx keys per output is a good idea, but IIRC didn't have a huge amount of support when last brought up +**\** FWIW the size data that I presented for next-gens assumes a separate tx key per output +**\** Is that necessary for the protocols? +**\** For the proving systems, you mean? No, not at all +**\** They don't care how you get signing keys +**\** Can you estimate the amount of additional pub key data? Num outs \* 32 and num tx \* 32? +**\** sarang: why did it not get support now? complexity? size? verification time? +**\** My numbers for MLSAG/CLSAG include separate tx keys too! +**\** Also: n3ptune's dataset includes the pubkey counts +**\** So I could run that separately for a more direct count +**\** With only 3% subaddress adoption, the difference is likely on the order of 100MB +**\** Or 2% of total size I think +**\** that's probably a good order-of-magnitude estimate +**\** But IIRC scanning requires checking all pubkeys +**\** So either there needs to be a specified correlation, or there's added complexity in scanning +**\** I think it costs ~1GB for 30mill pub keys btw +**\** I think moneromooo had a better idea of the impacts, when it was brought up earlier +**\** FWIW I think it's a good idea unless it's very compelling not to due to complexity +**\** OK, we're running up to the one-hour mark... +**\** obviously without this change, the impacts are quite negative for network privacy........ +**\** It's differentiated data, but it doesn't leak \_which\_ outputs are subaddress-destined +**\** (not that I'm saying that's a good reason to keep the current approach) +**\** It's quite a lot of unused data, I'm a bit skeptical +**\** just reveals "one of this outputs goes to a subaddres?" +**\** UkoeHB\_:? +**\** A lot of dummy data +**\** sgp\_: it reveals the number of subaddress outputs +**\** sarang all it reveals is at least one of the outputs must be to a subaddress +**\** Doesn't it reveal the total number of sub outs? +**\** No +**\** orly +**\** How would it? +**\** Number of additional pub keys always equals number of outs +**\** Even if nonsubaddress +**\** How is the CLSAG paper going? +**\** Hmm, for some reason I thought otherwise; noted +**\** I'm still waiting for suraeNoether +**\** He wanted to continue working on his ideas for the security model +**\** So unfortunately I am not the one to ask +**\** OK, is there anything else of interest to share? +**\** (Would be a good idea to continue discussing this after meeting, or on an issue, to keep it alive) +**\** definitely need an issue for it +**\** All righty then; thanks to everyone for attending today +**\** We are adjourned! diff --git a/_posts/2020-02-26-mrl-meeting.md b/_posts/2020-02-26-mrl-meeting.md new file mode 100644 index 00000000..b6245189 --- /dev/null +++ b/_posts/2020-02-26-mrl-meeting.md @@ -0,0 +1,197 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-02-26 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** Hello all, and welcome to the weekly research meeting +**\** First, GREETINGS +**\** Hi +**\** hi +**\** hi +**\** \*others +**\** Peanut gallery quickly checking in to ask what the latest is on return addresses. Last I remember there was an idea to include a subaddress in the tx as a return address. Is that still being being considered? +**\** It's always possible to include in tx\_extra, which is not consensus +**\** and there was a space-minimizing proposal as well +**\** AFAIK no one has coded such a thing yet +**\** As always, there's a consideration of how optional behavior is bad for indistinguishability +**\** Let's go ahead and start the ROUNDTABLE +**\** Does anyone have research topics of interest to share? +**\** I'll go ahead, then +**\** First, the Stanford Blockchain Conference was held this past week +**\** Here is a link to the schedule and recordings of talks for each day: https://cbr.stanford.edu/sbc20/ +**\** Second, a small PR on hash function domain separation was updated, and could always use extra eyes for review: https://github.com/monero-project/monero/pull/6338 +**\** Third, I made some updates to the structure of CLSAG signature verification code... by reducing the modularity of the signature verification routine to specifically include some commitment offsets, I was able to shave about 5% off the verification time +**\** See this branch for details: https://github.com/SarangNoether/monero/tree/clsag-optimized +**\** Any particular talks that you recommend from SBC?n +**\** hello everyone, catching up on the chat so far +**\** Florian's talk about Monero and Zcash side-channel analysis on Wednesday's stream is very good +**\** All of session 4 on Wednesday is interesting +**\** As is session 5 on Thursday +**\** Fourth, I worked on similar improvements for MLSAG... however, this is trickier, since verification requires particular byte-representation hash inputs for backwards compatibility +**\** The results for that aren't great: https://github.com/SarangNoether/monero/tree/mlsag-optimized +**\** Ah I loved that paper +**\** Yeah, kudos to Florian and collaborators for great work and responsible disclosure +**\** Finally, another researcher contacted me with an idea for atomic swaps that might remove the need for a SHA-256 preimage proof +**\** We're still working out the details, but it's an intriguing idea for which the necessary building blocks already exist +**\** More information as we work on it! +**\** interesting, haven't heard from atoc in a while who was looking into that +**\** Yeah... I don't want to provide more information until the researcher and I have discussed it (as a courtesy to them) +**\** sorry +**\** Respecting privacy is good ;- ) +**\** Anyway, those are my updates! Mostly code updates and testing +**\** Does anyone else wish to share research of interest? +**\** thanks to sarang 's initial draft, tx knowledge proofs chapter is done (wip tag is off) for ztm2 +**\** https://www.pdf-archive.com/2020/02/26/zerotomoneromaster-v1-0-30/zerotomoneromaster-v1-0-30.pdf +**\** chapter 9 +**\** Nice! +**\** "An Axiomatic Approach to Block Rewards" https://arxiv.org/pdf/1909.10645.pdf +**\** sgp\_ may be interested in section 9.3 for audits +**\** reader beware various things arent implemented and are just theoretical +**\** Yeah, the idea for a general audit framework is super interesting to me +**\** and could be useful to reduce confusion about what proof types provide what information +**\** Right now, it's sort of ad-hoc +**\** ZtoM will contain unimplemented features and ideas from the roadmap? +**\** Isthmus: that paper is on my literature review list! +**\** also made some updates/fixes to minimum fee change idea https://github.com/monero-project/research-lab/issues/70 @ArticMine +**\** thanks for sharing! I will see if I can get feedback on it +**\** cankerwort part 2 'extensions' contains unimplemented features; saying they are roadmap is quite ambitious +**\** One thing to note about the audit idea from UkoeHB\_ is that it requires proofs applying to \_all\_ transactions for which a given output appears in rings +**\** which I suspect may require substantial engineering effort (as a guess) +**\** also proofs for every single tx in the chain +**\** for each normal address you own +**\** but the benefits of this approach are worth investigation +**\** IMO +**\** audits arent trivial for sure +**\** Should be called "ZtoM... and beyond!" +**\** lol yeah +**\** I'm familiar with some people who do Monero audits for businesses so I'll try and get their feedback +**\** UkoeHB\_: fortunately the proofs are all off-chain anyway +**\** So efficiency is much less of a consideration +**\** Id refrain from expecting anything in ZtM that isnt implemented to actually get implemented. They are just ideas +**\** UkoeHB\_ and I had discussed this very topic earlier... about the intended purpose of ZtM +**\** e.g. protocol spec, or something else +**\** I think that flavoring it with the latest ideas and discussions will convey the lively R & D, provide helpful context, and leave an important historical record +**\** In 10 years I want to sit down and nostalgically re-read the old "future work" sections +**\** heh +**\** Anything else to share UkoeHB\_? +**\** (just to keep the meeting on track) +**\** dont think so +**\** Cool, thanks for the update +**\** Isthmus: you had chimed in earlier +**\** Did you wish to continue with anything else? +**\** Life has been hectic, so haven't had many Monero moments lately. +**\** However +**\** n3ptune was doing some data QC/QA and noticed that in a recent preliminary figure I had missed 100 recent transactions with no payment id (encrypted nor unencrypted) +**\** But that's a minor difference +**\** How recent is "recent"? +**\** If you recall +**\** Probably this version, but idk +**\** It's only like a 0.5% change over the previously presented data +**\** I've been working on a little design thought experiment, but it's still rough and maybe more -lounge appropriate +**\** Otherwise, nothing else to report, that I can think of +**\** Got it, thanks +**\** I know suraeNoether said he was unavailable, but would provide an update later today on his recent work +**\** He's been working on some interesting updates to linkable ring signature security models +**\** I've been reviewing those as well +**\** Does anyone else wish to share ongoing research? +**\** Either specific to something mentioned here, or more generally +**\** If not, we can move on to QUESTIONS +**\** OK, looks like no questions so far +**\** Let's move to ACTION ITEMS before closing the meeting +**\** Feasibility of child pas for parent in Monero (child has parent as one of the mixins) +**\** ? +**\** pays +**\** Can you elaborate, ArticMine ? +**\** In Bitcoin a tx in the tx pool has to low a fee +**\** "has to low a fee"? +**\** A second tx is sent using the tx with to low a fee as an input +**\** Sorry, I'm not following +**\** ah +**\** The miner miones both txs in a block +**\** In the Monero case the child has the tx output of the parent as one of the mixins +**\** can be real or fake +**\** What is the specific question you're getting to? +**\** Interesting interesting +**\** Can this e done in Monero +**\** be +**\** oh is it about what can be done if a tx is stuck since its fee is too low? +**\** e.g. make a new tx with more fee for it +**\** Yes this can e part of the toolkit +**\** be +**\** but in addition to what I am looking at with the fees, etc +**\** we do have 10block lock time atm, so tx spending other tx output doesn't quite work, though there could be new rules around 'in the same block' +**\** I actually think this seems very plausible +**\** You wouldn't mine only the bump +**\** And once the transaction is mined, the bump is unnecessary +**\** The bump transaction should have exactly 2 outputs: a plaintext fee and an encrypted change output +**\** And reference the first transaction by hash +**\** yeah +**\** hmm +**\** Im wondering why not just remake the same tx +**\** with more fee +**\** because of multi sig +**\** ah yeah +**\** Huh, that's a very interesting question +**\** Oh, and only 1 bump per transaction +**\** You can broadcast more if you want, obviously +**\** But only one bump can be claimed by the miner +**\** So if you bump with 0.2 XMR then change your mind and send a 0.5 XMR bump, a miner would just ignore the smaller bump +**\** Yes +**\** but anyone can do the bump in Monero unlike Bitcoin +**\** Why "becauae of multisig"? +**\** You could design it either way: allow anybody to bump, or require a signature from the original sender to bump +**\** (one of the original senders) +**\** sounds like it's possible, although would require protocol level changes (new transaction type, etc) +**\** wouldn't being able to do that (child pays for parent) drastically decrease the overall cost of the chain reaction attack? +**\** You include the parent as one of the mixins +**\** @UkoeHB\_ I'm only here for the protocol level changes :- P +**\** Also the big bang attack presumably +**\** The miner does know if the parent is real or not +**\** ArticMine I don't know if the parent needs to be a mixin, just include the parent tx hash as part of bump tx, an additional data field +**\** That does not mine the parent +**\** It would be a new tx type +**\** 'bump tx' +**\** Not really +**\** RCTTypeBumpIt +**\** heh +**\** lol +**\** The point of child pays for parent is that in order to mine the child one has to mine the parent +**\** right +**\** But that seems straightforward to enforce, no? +**\** In Bitcoin that means spending the output of the parent in the child +**\** I think you might get into weird 0-conf territory if can spend an output with 0-block lock time +**\** @cankerwort yeah, though as long as the bump density [XMR per kB] is higher than transaction density [XMR per kB] then they would effectively take up less space (be less effective) for a big bang attack +**\** the 10block lock is there for a reason afaik +**\** just willy nilly +**\** in Monero it means including it in the ring real or fake. The miner does no know +**\** Yeah, I think the "bump" transaction needs to be a new type with exactly [fee delta + change] outputs and a new field referencing the transaction hash of the transaction to be accelerated +**\** And everything is subject to the 10-block lock +**\** or you could make it an optional field in normal tx type, to reduce complexity +**\** Both are mined in the same block so there is no issue with orphans +**\** UkoeHB\_: not in extra, right? +**\** for parsing etc. +**\** no, unless we start enforcing it +**\** aye +**\** interesting idea articmine +**\** Surely the delta could be as small as you like though? So it could be used to make big bang attack cheaper +**\** big bang is about total block weight +**\** still have to pay fee for bump tx too +**\** Ie you are adding 2 transactions for one fee? +**\** The fee in the bump has to cover both the weight of the bump itself and the original transaction +**\** Ah +**\** So if I have a 5 kB txn and a 2 kB bump, then the total fee has to incentivize the miner to include 7 kB +**\** Yes enough to provide an incentive the miner +**\** That is the point of child pas for parent also in Bitcoin +**\** Quick note that we should try to finish up soon, since Konferenco has a meeting in a few minutes +**\** pays +**\** May we quickly review action items, and then continue discussion? +**\** Yes of course +**\** I'll be working on some review for vtnerd's 64-bit operation code +**\** as well as some Triptych coding for timing purposes +**\** Others? +**\** OK, then let's formally adjourn for log posting purposes... please continue discussion! +**\** Thanks to everyone for attending diff --git a/_posts/2020-03-04-mrl-meeting.md b/_posts/2020-03-04-mrl-meeting.md new file mode 100644 index 00000000..b57d83af --- /dev/null +++ b/_posts/2020-03-04-mrl-meeting.md @@ -0,0 +1,113 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-03-04 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** Let's start the meeting! +**\** First, GREETINGS +**\** hello +**\** hi +**\** [meta] I added the MRL meetings with reminders to the Google Calendar I have if you are ok using Google: https://calendar.google.com/calendar/embed?src=itmaraubkfoe4aq2oquoaogsuk%40group.calendar.google.com&ctz=UTC +**\** Does using that link leak any information to you? (presumably it leaks IP information to Google) +**\** not to me, just Google +**\** roger +**\** OK, continuing on +**\** Next up is the ROUNDTABLE +**\** hi +**\** I've been getting the multi-input version of Triptych updated for posting to the IACR preprint archive +**\** as well as minor edits to the original preprint as I come across them +**\** Posting to IACR (with suitable caveats about non-standard cryptographic hardness assumptions) can increase the visibility of the idea, and hopefully encourage feedback +**\** It's pretty slow going, but progressing well +**\** Any particular questions on that before I pass the baton? +**\** OK, next up! +**\** Does anyone else have research of interest to share and discuss? +**\** Yo +**\** Hello Isthmus +**\** Did you wish to share anything, or just observing? +**\** I’ve been pretty busy in meatspace, sadly no time for data spelunking +**\** OK, no problem! Simply checking +**\** It's a fairly quiet day today anyway +**\** UkoeHB\_? +**\** suraeNoether? +**\** Others? +**\** Oh yes, actually +**\** ah ok +**\** carry on Isthmus +**\** Wait there’s too much traffic for voiced text, let me look back pewter in four minutes +**\** roger +**\** Someone else, then? +**\** need about 10mins +**\** OK, in that case, let's pause the meeting for 10 minutes or so; I show the time is 18:12, so let's reconvene at 18:22 or so +**\** sarang: want to talk about Triptych naming at some point? +**\** That seems like a suitably off-topic idea during this break =p +**\** Right now, the multi-input Triptych preprint uses the name "Triptych-2" +**\** this is boring and not descriptive +**\** I am open to better naming ideas +**\** Note that I can revise the older paper if that's helpful (this has been done to add features and fix errors) +**\** what part of the original "triptych" is triple? +**\** The benefits of Triptych-2 are using a single proof for all spends (instead of separate proofs with commitment offsets), and handling balance assertions directly within the proof +**\** I originally recommended Triptyzk as a half joke, but part of me thinks it's a good idea +**\** Polyptych +**\** The idea was that the three parts to Triptych are signing keys, commitment keys, and linking tags +**\** Heh, a polyptic sounds like something a surgeon would remove :/ +**\** lmao +**\** FWIW there's basically no change to the SHVZK property or proof between the two versions +**\** They're almost identical +**\** that's partially why adding "zk" now makes no sense. It's more about proactively naming for the Twitter trolls/idiots +**\** B-Triptych and E-Triptych for basic and extended +**\** Triptych Classic and New Triptych +**\** Triptych and Antikythera :P +**\** Just what we need; something equally hard to pronounce =p +**\** Technology so old nobody remembers how it works. +**\** yes... and indecipherable, and considered too advanced for its time +**\** i havent been paying that close attention but have we "shelved" CLSAG? +**\** suraeNoether just told me he's now happy with the revised security model for CLSAG +**\** Nothing has changed with the algorithms themselves, apart from a small change to hash function inputs +**\** it sounded like suraeNoether was considering advocating to skip CLSAG and go directly to next-gen in a year or two +**\** I disagree +**\** CLSAG is a straightforward change that's well understood +**\** +**\** Anyway, he made very recent updates that I'll review (more on this during ACTION ITEMS) for IACR posting +**\** Anyway +**\** UkoeHB\_ and Isthmus both wanted to share some work +**\** Will CSLAG require a paid review? +**\** Nothing "requires" paid review +**\** for you to be comfortable with it +**\** But it's probably a good idea :) +**\** I'm very comfortable with the math +**\** Hm, upon more consideration, discussing it today might be the wrong order of operations +**\** Nothing pressing or dangerous +**\** The total estimate for math+code review by Teserakt was ~$15000 USD, which is quite reasonable IMO +**\** Isthmus: how so? +**\** Now you have everyone intrigued +**\** happy to announce a final proofreading draft of ZtM2 is ready. Note that I decided not to go into Bulletproofs since it's frankly way too much detailed math to be worth it. Anyone who wants to learn bulletproofs should just read the original paper. https://www.pdf-archive.com/2020/03/04/zerotomoneromaster-v1-1-0/zerotomoneromaster-v1-1-0.pdf +**\** A poorly-framed thought experiment is worse than no thought experiment at all +**\** UkoeHB\_: great! +**\** Will this be renamed to 2.0 after review? +**\** Or will the title be incremented to "One to Monero" :D:D:D +**\** Ill make a reddit post asking for proofreaders, and if anyone knows someone who wants to proofread go ahead and pass it around. Not much is likely to change between now and publication in ~1.5-2months. The proofreading period is 3 weeks. +**\** I think Ill just remove the version number +**\** maybe +**\** UkoeHB\_: fair play +**\** Name them based on the most recent Monero version name? +**\** Anyway, great to hear the update is nearing completion +**\** Zero to Monero, Hero Edition +**\** yes I want to meet the hero who reads the whole thing :) +**\** the more -ero suffixes in the title, the better :P +**\** Does anyone else wish to share research of interest? +**\** OK, we can move on to ACTION ITEMS, then +**\** I am completing the Triptych-2/NewTriptych/E-Triptych/etc. preprint for IACR posting +**\** and reviewing the (hopefully final) changes to CLSAG that I received from suraeNoether +**\** Anyone else? +**\** proofreading, and listening to proofreader feedback if and when it appears; starting now will probably spend a lot less time with Monero as this project wraps up +**\** I think a reddit post is a great idea to encourage readers to take a look +**\** ZtM is such a valuable resource +**\** Short meeting today! But that's fine +**\** Any other questions, comments, etc. as we wrap up? +**\** All right! Let's adjourn +**\** Thanks to everyone for attending +**\** Logs will be posted shortly to the GitHub issue diff --git a/_posts/2020-03-11-mrl-meeting.md b/_posts/2020-03-11-mrl-meeting.md new file mode 100644 index 00000000..77bb015a --- /dev/null +++ b/_posts/2020-03-11-mrl-meeting.md @@ -0,0 +1,177 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-03-11 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** OK, let's begin the meeting! +**\** Agenda is here: https://github.com/monero-project/meta/issues/445 +**\** Logs will be posted there after the meeting +**\** good morning +**\** First on the list, GREETINGS +**\** hi +**\** Note that because of a recent time change for the United States and elsewhere, these meetings will take place at 17:00 UTC instead of 18:00 UTC +**\** hi +**\** heya sarang and artic +**\** I suppose we can move on to ROUNDTABLE +**\** Who wishes to share research topics of interest? +**\** hi +**\** Hi +**\** well +**\** i want to give a brief two-part update +**\** Go ahead suraeNoether! +**\** firstly, personally: i'm going to have to take a break from monero for a few weeks while i get this medical stuff figured out. importantly: i'm not stopping work. I just don't know how much time i can actually contribute practically. +**\** Oof, sorry to hear this. I hope everything goes well for you suraeNoether +**\** sorry to hear this. I hope all goes well +**\** secondly: my research into matching is a hydra where fixing one bug is revealing handfuls of more bugs, and i'm getting super frustrated with it. this is particularly important work for a few reasons, but for right now i don't anticipate movement any time soon. one of the reasons that this has become so frustrating to me is that certain threats to monero that are going to become more likely over the +**\** next several years to be presenting themselves that make the answers that lie within this work \*lower priority\* than other things. i mean this very specifically in the following sense +**\** everyone should know that our anonymity reduces to something like the one-more decisional diffie hellman problem, and our unforgeability reduces to something like one-more discrete logarithm +**\** both of these are known to not be hard for quantum adversaries, and while quantum computers are not yet practical... +**\** it doesn't matter what ring size we use if china goes "manhattan project" on quantum computers and turns their resulting computing power on de-anonymizing privacy coins in secret. +**\** my work on matching would give us answers to questions like "how large should ring sizes be \*assuming the underlying problem that our anonymity rests upon is hard to solve\*" but we know that this problem is only going to be hard over the short term +**\** FWIW such a "quantum adversary" could wreak havoc on basically the entire global internet +**\** indeed ^ but that's in fact exactly all the more reason to become resistant to a quantum adversary sooner rather than later +**\** How realistic is a quantum adversary? +**\** ^ I agree +**\** if it takes 3 years to migrate to a quantum-secure system, and we hope something like clsag or triptych has a 3 year shelf life, then we should be looking at what will be practical 6 years from now +**\** In the shorter term, understanding the effects of ring size on matching-type analysis is useful for knowing how large to make ring size for a next-gen protocol +**\** Uhm +**\** Would an adversary with a quantum computer break ring signatures or just decrypt the transactions? +**\** both: they can compute the discrete log of every one-time key and then they just own all of monero +**\** Yeah, I'd just do that. +**\** yeah +**\** so like +**\** Once you have key discrete logs, you can check key images +**\** matching: important. investigating quantum-secure schemes: higher priority, even over a relatively short 3-year term +**\** so every time i kill a bug in my matching code, i become more painfully aware: i'm fighting the wrong hydra +**\** I still think it's very valuable +**\** Yeah, we've been doing some quantum vs crypto experiments at Insight lately +**\** long story short, i'm prsently working on a summary-of-knowledge of quantum-resistant RingCT-type protocols, 3 of which have been proposed in the past 3 years +**\** Otherwise, "bigger rings are better" is a qualitative statement +**\** just for community education reasons +**\** sarang: absolutely agreed +**\** My recent work on Triptych-2 and chain simulations shows, as expected, that ring size has a large effect on verification complexity +**\** Can you also evaluate how realistic a quantum adversary is? I recall general skepticism of them ever materializing +**\** So choosing the smallest rings that do the job is important +**\** UkoeHB\_: yeah, so basically here's a qualitative answer to that question +**\** We're already working on 5 [actual] qbits +**\** (Insight working on IBM equipment) +**\** Expecting this to scale in the next few years +**\** you may recall the sensationalist headlines a few months ago: https://www.eurekalert.org/pub\_releases/2020-02/aps-teo022720.php +**\** quantum supremacy is probably a bad term but +**\** before these researchers did what they did, the \*fastest way to figure out what a quantum computer can do\* would be to \*simulate it on a classical computer\* +**\** Quantum supremacy is a poor metric for usefulness IMO +**\** Such problems are typically highly contrived +**\** because of these guys' work, that is no longer the case: there now exist quantum computers that cannot be simulated more quickly than they can operate. this is a critical benchmark for scaling quantum +**\** @surae should I just loop in my quantum/crypto engineer for a few weeks, so you can focus on the matching hydra? +**\** They're already looking into the schemes, and would probably be happy to work on Monero +**\** google's bristlecone has 72 qubits running +**\** isthmus: let's set up a call for later this week +**\** well I have to say it ... quantum computers are BS, they just spin hyperbole but go nowhere. There was a discussion about this on metzdowd +**\** Given retroactive denonymization doesn't really matter if they're 5 or 15 years off, we gotta hustle to protect Monero users in 2020 +**\** do you mean like computers based on quantum principles will never work, vtnerd? can you clarify? +**\** isthmus ^ bingo +**\** someone discussed the progress made on metzdowd. Its been very little over 25+ years +**\** the researchers have alwasy been just on the edge of making it a reality +**\** okay well +**\** the researchers into QC i've spoken with disagree +**\** and that's an appeal to authority +**\** admitedly this isn't my expertise, but theres time tradeoffs investigating these QC resitistent systems +**\** but i think it's absolutely silly to say that very little progress has occurred over 25 years, and it's even sillier to assume that no progress will be made ala cold fusion, and i think it's even sillier to propose that we, say, avoid quantum-secure implementations rather than looking into the costs and benefits and time horizons of implementing them +**\** and the one thing thats bizarre, is when someone builds a QC system, we basically ahve to reboot on general purpose computing projects, no? Like one year out are they even cracking crypto? +**\** well, i don't want to take more time on this: my update is that i have to step back from monero for awhile, and i'm looking into RLWE-based ring signatures +**\** Y'all know the tech cycle. Many-year winters leads to the most exciting explosions. AI, crypto, quantum... the pattern repeats +**\** i'll still be presenting at meetings and coming by and stuff +**\** for folks who are interested, the wikipedia article on the timeline of quantum computing has lots of good info +**\** OK thanks suraeNoether +**\** I have a few things to share +**\** First, CLSAG +**\** I've completed review of suraeNoether's security model updates +**\** suraeNoether: I've left several Overleaf review comments for you +**\** Along with that, I migrated some recent CLSAG verification optimization code to moneromooo's branch, along with relevant unit and performance tests +**\** Saves about 5% on verification, which seemed worth it +**\** Relating to Triptych: I made a minor update to the original Triptych-1 preprint for readability, but also completed the Triptych-2 preprint +**\** Here is a link to the Triptych-2 preprint on Overleaf: https://www.overleaf.com/read/ynfkhykjfvrd +**\** I'd appreciate any review on it prior to posting to the IACR archive +**\** Unrelated to these, I've been catching up with literature review +**\** and, as a program committee member for the IEEE S&B conference, I'm reviewing submissions +**\** i'll take a look at your comments and read through triptych 2: electric bugaloo +**\** Thanks suraeNoether +**\** IMO the CLSAG review is top priority +**\** Did you contact Teserakt? +**\** I'd like to wait on confirming a schedule until we have this paper done +**\** Otherwise we risk losing the availability again due to delays +**\** Anyone who wants to review the CLSAG optimizations can see this branch: https://github.com/SarangNoether/monero/commits/clsag-mooo +**\** Finally, my funding proposal needs feedback on GitLab before it's decided whether to open it: https://repo.getmonero.org/monero-project/ccs-proposals/-/merge\_requests/131 +**\** That's all for me today +**\** Does anyone else wish to present, or have questions? +**\** i propose that we fund sarang +**\** but no +**\** no questions +**\** I propose that we fund surae +**\** Heh, then leave a reaction or comment on gitlab! +**\** I've been wrestling with a weird conundrum +**\** Go on +**\** I'm thinking about modifying my wallet to only select decoys from transactions generated by the core wallet +**\** But then that in and of itself becomes a subtle heuristic +**\** Ah, so using fingerprinting to pick the most "standard" decoys? +**\** Not "most" +**\** Something either looks like the core wallet, or provably isn't +**\** Heh, yeah, it kicks the fingerprinting can slightly down the road +**\** I guess if almost everybody used only outputs generated by the core wallet, then it wouldn't be a heuristic to fingerprint me +**\** \*outputs that cannot be proven to have not originated from the core wallet +**\** ^ to be very specific +**\** got it +**\** Eh, I dunno. Don't really have a solution. It was just funny that I worked on it for a it before realizing that it becomes its own heuristic xD +**\** Anyways, nothing much from me. I've had about 20 minutes per week for Monero lately +**\** But in May, we're gonna have some long talks and clean house +**\** ? +**\** Have 7 heuristics that have now partitioned out upwards of 20 different implementations. +**\** Most of which I've shared in MRL already +**\** 20 sounds like a lot +**\** monero is really doing well if there are 20 +**\** That's unfiltered for time. +**\** Going to clean it to recent blocks and see what's in the wild \*now\* +**\** So some might be updates to the same implementations? +**\** It's at least 3 right now, +**\** Yeah, that's why I'm not really sweating the 20 +**\** I think it's 3-5 in current era +**\** Which is pleasantly(?) surprising +**\** But yea, with absolutely no time to work on it now, hard to put together a full writeup +**\** But will definitely circle back in the next 2 months +**\** Sounds good! +**\** Anyone else wish to share any research? +**\** hi, ztm2 proofreading draft is updated (with feedback from sarang about bulletproofs, and also the clawback formula regarding tx weights) https://www.pdf-archive.com/2020/03/11/zerotomoneromaster-v1-1-1/zerotomoneromaster-v1-1-1.pdf +**\** 2 more weeks for proofreading +**\** Good feedback so far overall? +**\** also, looked into next-gen tx key image generation for multisig (sarang has a solution for it), and it seems like inversion key images wont greatly disrupt multisig transaction flows (especially escrowed markets, which is a big deal) +**\** Not much feedback so far +**\** But it's 152 pages so not surprising +**\** that's all from me +**\** OK, let's move on to ACTION ITEMS for the next week or so +**\** I'll await final word on my CLSAG review notes +**\** wondering if ArticMine has progress on fees +**\** Continue working on Triptych +**\** Why did it switch from 02 to 20? +**\** oops +**\** Yes I do +**\** ignore that +**\** Go ahead ArticMine! +**\** I am looking at making the penalty free one also dynamic and using the long term median to control it +**\** Also slowing down the fall in the long term median to match the constraint on the rise +**\** just got caught up +**\** So it does not go from say 3000000 bytes 300000 bytes in one shot +**\** The new dynamic penalty free one would track the long term median at say 20 - 25% of the long term median +**\** Ooh interesting +**\** This will provide predictable fee over time +**\** Will you have a specific proposal for this, intended for a network upgrade? +**\** The models I am looking at is a sharp drop, followed by a fiat banking crisis that creates a very sharp rise +**\** Yes +**\** OK, any final thoughts or topics before we wrap up this hour? +**\** be kind to each other +**\** just be excellent +**\** you animals +**\** All right, thanks to everyone for attending. Adjourned! diff --git a/_posts/2020-03-25-mrl-meeting.md b/_posts/2020-03-25-mrl-meeting.md new file mode 100644 index 00000000..1e3e2d6c --- /dev/null +++ b/_posts/2020-03-25-mrl-meeting.md @@ -0,0 +1,141 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-03-25 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** GREETINGS +**\** hi +**\**: o/ +**\** hi +**\** hi +**\** Moving on, then, to ROUNDTABLE +**\** Who wishes to share research of interest? +**\** Hi +**\** I can share a few things +**\** I've completed some formal peer review for the IEEE S&B proceedings +**\** and worked on analysis for a linkable ring signature construction in IACR 2020/333 +**\** it claimed to be more efficient than CLSAG +**\** However, the numbers assumed an insecure key image construction +**\** The authors have already posted a revision, but it doesn't include numbers or new security proofs for the modified construction +**\** Besides this, here's an update on some other projects... +**\** For CLSAG, I am still waiting on the final go-ahead from suraeNoether, who is a coauthor on the paper +**\** I finished code optimization and made a PR to moneromooo's branch, which has some nice verification speedups +**\** For Triptych-1, its preprint has been updated at IACR 2020/018 +**\** An MPC construction for key images is completed, and multisig/join analysis is still underway +**\** For Triptych-2, its preprint has been posted at IACR 2020/312 +**\** Multisig/join analysis is still underway +**\** That's all for me +**\** Any particular questions or comments? +**\** how much verification speeedup for CLSAG? +**\**: Do you need any more eyes on the CLSAG PR? +**\** It's around 4-5% +**\** nice +**\** seddd: That would be welcome, once moneromooo integrates the new changes into the branch +**\**: Ok, let me know, and I'll review +**\** that'd be great +**\** I did, I can push. +**\** Oh excellent +**\** 4-5% reduction in size? Verification time? +**\** The only real changes from the paper's description is a modification to the public parameters that go into the challenge hashes, which allows for the speedup to happen +**\** ArticMine: verification time +**\** I didn't bother with generation stuff, since that's less important +**\** Size is identical +**\** The PR includes new performance tests with better direct comparison to MLSAG, if that's useful to anyone +**\**: moneromooo: link? +**\** So is this the version that is going for audit? +**\** Not yet. +**\** Presumably, but that's up to the audit workgroup +**\** I'm rebasing it to master now, then will run tests, then push, then post a link. +**\** moneromooo: excellent, then the CI workflow will operate properly +**\**: awesome, many thanks +**\** Any other questions for me? +**\** Or does anyone else wish to share research topics? +**\**: Mb but it involves pow of another coin, not sure appropriate +**\** Perhaps suited for after the meeting +**\**: Definitely +**\** who is the audit workgroup? sgp? +**\** sgp\_ has been working to coordinate +**\** As far as the CLSAG paper goes, if I don't hear from suraeNoether, eventually I suppose we'll just have to release the revised version without him +**\** But I would prefer not to do that, since he's a coauthor +**\**: Is suraeNoether not around rn? +**\** He hasn't enabled public viewing on the overleaf version, and I don't have access rights to do that unfortunately +**\** No, he is not around right now AFAIK +**\**: k +**\** Well, to respect everyone's time, I suppose we can move to ACTION ITEMS +**\** update from me: proofreading is extended to this weekend as comments are trickling in at the last moment :p; I have received several good feedbacks so far +**\** Ah ok, go ahead UkoeHB\_ +**\** current proofreading version is here https://www.pdf-archive.com/2020/03/22/zerotomoneromaster-v1-1-2/zerotomoneromaster-v1-1-2.pdf +**\** that's all +**\** Great, thanks +**\** My action items are to complete my proofreading of Zero to Monero (it's been delayed; my apologies) +**\** and to work on some Triptych-2 MPC math +**\** Anyone else? +**\** "research only, not for production use" inb4 sumo releases it and claims to be first +**\** oh right, I made a small update to Janus mitigation +**\** hyc: ? +**\** UkoeHB\_: cool,, what? +**\**: lul hyc +**\** sorry, catching up from a couple days ago +**\** https://github.com/monero-project/research-lab/issues/62#issuecomment-603079784 +**\**: imagines sumo as yt commenter: "FIRST" +**\** UkoeHB\_: none of that is implemented correct? +**\** Off topic, folks! +**\** correct +**\**: srry +**\** IIRC, the last time Janus mitigations were discussed in a dev meeting, there seemed to be mixed support +**\** my action item is to go through all proofreading comments, and then this weekend finalize a for-publication version +**\** sarang part of that seemed to be related to exactly how many pub keys and janus base keys it would require +**\** full Janus mitigation would require: 1 Janus base key per transaction, #pub keys = #outputs for ALL transactions (not just tx with subaddresses as is the case now) +**\** yep +**\**: sounds like a lot of overhead, is that one of the main objections? +**\** there is partial Janus mitigation, where normal addresses and subaddresses are split up; in other words, don't mitigate linking of normal addresses with subaddresses; that way only tx with subaddresses would need the janus base key +**\** however, even with partial mitigation a lot more subaddress tx would be revealed as subaddress, as there are currently some optimizations that hide subaddress tx among normal tx +**\** while with full migitation, normal address tx and subaddress tx would be universally indistinguishable +**\** which iirc sarang was in favor of even outside of Janus +**\**: +1 for the latter +**\** Yeah, encouraging/enforcing indistinguishability is useful +**\** the main objective is solving the Janus attack +**\** which is currently undetectable +**\** yes +**\**: so what are the opposing arguments? +**\** Transaction size is increased +**\** that's a big counterargument +**\** (literally) +**\**: :) +**\** So as happens always, there's a tradeoff on complexity (in this case, size and protocol changes) and indistinguishability +**\** s/always/often +**\** Worth noting that with CLSAG, standard tx size already drops from ~2.5 kB to ~1.9 kB +**\** so there's some wiggle room +**\**: are there potentially more compact full Janis mitigations? +**\** Each added scalar/group element adds 32 bytes +**\**: Janus\* +**\** this is the smallest known mitigation +**\** Tx size is increased by how much? +**\** on average, about 2.2\*32 bytes per transaction +**\** assuming 2.2 is the average output count +**\** wait no, 32 + 1.2\*32 +**\** same thing lol +**\**: What about encoding the extra basepoint in smth like a lookup table, where base points are indexed by the first 8? bytes +**\** actually a tiny bit less than that, taking into account current subaddress tx +**\** So 64 bytes for a typical tx +**\** yeah basically +**\** So if the security issue is verified I do not see an issue here +**\** seddd, the base key must be generated by transaction authors +**\** under the current construction, not sure if there are any other ways to do it +**\** ArticMine: the math checks out on the fix +**\**: Ok so unknowable ahead, gotcha +**\**: will read more in the issue you linked +**\** Probably time to bring it up in dev meeting again +**\** seddd there might be something to that (using a fixed janus base key of some kind), Ill ponder it a bit +**\** Any other action items to bring up? +**\**: UkoeHB\_ that's kind of what I was thinking, or a fixed set of usable bases +**\**: Happy to collaborate, this is an interesting problem +**\** for sure +**\** OK, let's go ahead and wrap things up for this meeting; discussions can of course continue after we adjourn +**\** Any last topics of general interest for the meeting? +**\** Righto! Meeting adjourned +**\** thanks to everyone for attending diff --git a/_posts/2020-04-01-mrl-meeting.md b/_posts/2020-04-01-mrl-meeting.md new file mode 100644 index 00000000..cc9e8844 --- /dev/null +++ b/_posts/2020-04-01-mrl-meeting.md @@ -0,0 +1,186 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-04-01 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** GREETINGS +**\** Hi +**\** Heya +**\** Sorry I fell asleep last week +**\** I'm feeling a bit under the weather today, so I'll try to keep things short and sweet if possible +**\** No problem Isthmus +**\** Let's move on to ROUNDTABLE +**\** My list is short but hopefully interesting +**\** The CLSAG preprint has been revised and updated on the IACR archive +**\** Link: https://eprint.iacr.org/2019/654 +**\** New security model and proofs +**\** Oh hi forgot about this :p +**\** Alongside this, the code has been updated to make it easier to include trezor/ledger support +**\** Plumbing for device support: https://github.com/SarangNoether/monero/commit/94a7daad0f53074a28dbfb39c0ed1d68d5c40e86 +**\** Support for ledger, courtesy of cslashm: https://github.com/SarangNoether/monero/pull/1 +**\** Smaller items are proofreading for UkoeHB\_'s Zero to Monero update, and finalizing a PR for hash function domain separation, along with the usual literature review +**\** Does anyone have particular questions, or otherwise have research of interest to share? +**\** I see that Isthmus has just added to the agenda issue +**\** https://user-images.githubusercontent.com/21246742/78165574-c14f9500-7408-11ea-8ae5-7d695b4321d3.png +**\** n3ptune and I have been exploring tx\_extra some more +**\** neat +**\** A few months ago @UkoeHB\_ suggested that the \*ordering\* of tags might leak some information +**\** This intuition turned out to be correct +**\** link to the issue: https://github.com/monero-project/research-lab/issues/61 +**\** If we look at tx\_extra in the wild since 1978433 (v12) we see 8 different ways that tags are assembled +**\** Enforcing an ordering and certain fields makes sense for uniformity; I wonder what the added time complexity would be for parsing overall +**\** This also ties in with an idea for Janus mitigation, which would enforce a per-transaction Janus transaction key and per-output tx pubkeys +**\** +1 +**\** And, FWIW, there was a PR yesterday from moneromooo with an idea for an encrypted-memo-type addition to extra: https://github.com/monero-project/monero/pull/6410 +**\** (I have concerns about that one) +**\** I would support encrypted memo if \*length\* and \*inclusion\* enforced in protocol. :- ) +**\** Zcash has a 512 byte encrypted memo on all z2z transactions, and people are having a lot of fun with it +**\** (mostly whimsical fun at the moment, but I expect fun applications to follow) +**\** Of course, this seems to overlap in functionality somewhat with encrypted pIDs +**\** Oh yea, could just roll the PID into the memo +**\** But yes, I agree that if included, length should be enforced for uniformity +**\** Would it be per txn or per output? +**\** Im a bit skeptical about scope creep, since Monero is money, not random messages +**\** and kept small +**\** or email +**\** or a replacement for twitter +**\** AIUI that PR requires a single non-change output +**\** at least from my initial read of the code +**\** Its use in Zcash is per-output, I believe +**\** Can we actually do away with this messaging entirely? +**\** ? +**\** Isthmus's research indicates that even though the extra field is technically open ended, in practice people arent implementing random things +**\** supporting random messages with core code would directly lead to more random things in the chain +**\** Wait can we clarify "random" +**\** Do we mean a fixed tag that supports arbitrary payload +**\** non-standard +**\** I guess 'memo field' implies to me 'any random message you feel like' +**\** Ideally encrypted +**\** To clarify, this PR uses chacha to encrypt with the DH shared secret, including padding as needed to hit certain size resolution +**\** what are pros of including memo field? +**\** but it's not possible to enforce that the data are actually encrypted +**\** does chacha index each chunk in some way (so no two chunks are likely to be the same)? +**\** That is my question +**\** I think the goal was to enable encrypted recipient data as desired, to reduce the likelihood of non-standard inclusion of data in extra +**\** UkoeHB\_: the chunks are appended before passing to chacha +**\** If I'm reading the PR correctly, the chunking is just to enforce size resolution +**\** From a technical/statistical info leak standpoint, we should either have \*no\* messages, or an encrypted message on \*every\* transactions. Which option we choose is partially a UX/design conversation. +**\** And at that point, you basically have a larger pID setup +**\** Yea +**\** Which was part of my concern +**\** Is there no way to mathematically verify that a field is encrypted? +**\** Not for the network AFAIK +**\** Nor is it possible in Zcash either +**\** It is possible to assure the \_recipient\_ that if they can decrypt properly, the data were encrypted as expected +**\** Ohhh yea that's how that works +**\** But otherwise, it's just uniformly distributed data +**\** I think that encryption or not isn't a concern, since implementers should want to harmonize with other implementations. The core impl would encrypt, so others would too +**\** All of this begs the question do we need this memo filed and even extra +**\** So the worst case in Zcash is that you throw a bunch of unencrypted junk into a tx that gets accepted by the network, but that the recipient won't properly decrypt +\< I would be very happy to do away with both +**\** ArticMine: I think ultimately the extra field is useful when/if hard forks are no longer feasible. +**\** At the very least, enforcing ordering as UkoeHB\_ listed in their issue would help a lot of this +**\** certainly not all cases though +**\** Imagine if Janus attack wasn't discovered until after hard forks stopped happening. We'd be in Bitcoin's situation of absolute chaos +**\** (i.e. if no extra field for wiggle room) +**\** How would extra help +**\** Geez, if that happened I think the issue is ossification +**\** wallets can implement janus mitigation on their own, since it's technically unverifiable anyway +**\** I'd like to proactively avoid a situation like that by keeping an agile codebase, not having an anything-goes tx\_extra field +**\** Anyways, lots of different pros & cons to consider for each possibility +**\** The question at this point, I think, is to decide whether doing order enforcement (e.g. TLV) is something that a develop wishes to take on +**\** Which ties in to whether enforcement of a consistent Janus mitigation is desirable (I think yes, it is) +**\** After next gen tx protocol gets implemented, I imagine the stuff that can go in a hard fork will drop off quite a bit. Rather than losing the ability to make hard forks, we might just run out of hard forks to make. Once the expectation of making periodic hard forks fades away, subsequent hard forks will become much more difficult (also the case if adoption rises concurrently). +**\** Network upgrades also have the probable advantage of encouraging client upgrades +**\** Yeah "we might just run out of hard forks to make" is a different situation from encountering an issue (e.g. Janus) and not forking +**\** which provide other non-consensus fixes and benefits +**\** Regardless, let's separate the metadata question (should we enforce ordered TLV) from feature questions (should we have a memo field) +**\** Well, TLV enforcement has a big effect on non-standard data, since it requires a stated type +**\** I did make pseudo code for enforced sorted TLV, about 200lines +**\** yes +**\** But I mean that the features and the layout enforcement are closely intertwined here +**\** Current code already mostly does sorted tlv by default +**\** So all that needs to change is in tx validation +**\** +**\** nice +**\** OK, so I think what should be brought up in -dev is a well-considered position for 3 things related to extra +**\** 1. Decision on TLV enforcement, and responsibility for implementation +**\** koe, what's your github +**\** 2. Decision on Janus mitigation, and implementation +**\** 3. Musings on the new encrypted-memo idea +**\** atoc https://github.com/monero-project/research-lab/issues/61 +**\** My position is 1: yes, 2: yes, 3: not unless enforced uniformly (and then it runs up against ePIDs) +**\** 1: agree, 2: agree, 3: agree +**\** Anyway, good things to consider here +**\** is the janus mitigation the thing with the subaddresses? +**\** Yes +**\** Janus https://github.com/monero-project/research-lab/issues/62 +**\** Enforcing a mitigation has the added advantage of making the number of tx pubkeys uniform +**\** !!! +**\** yesplz +**\** ima just throw it out there to play devils advocate, dunno if its been stated before. What about reverting to not having subaddresses? +**\** So you have one Janus-specific tx pubkey per transaction, and a separate additional pubkey per output +**\** is it possible to replace tx extra completely with memo, so you don't need to sort anything +**\** You'd need to remove all non-recipient-specific data from memo +**\** Which IIRC moneromooo said would be a significant engineering effort +**\** Extra isn't an inherent problem if uniformity is reasonably enforced +**\** Oh, I was wondering something actually +**\** Suppose we decide that each transaction should contain X, Y, and Z +**\** gingeropolous: then Janus would no longer be a problem. That's about it afaik +**\** What's the performance difference between having 3 separate fields versus having 1 field with 3 enforced objects +**\** That's a good question, and I'm not sure +**\** right. so i guess the underlying question is whether subaddresses are worth it. +**\** The scanning benefit is huge for large sets of addresses +**\** Hash lookups are much faster than doing multiple scans of all transactions per address +**\** and Janus checks are only needed for transactions that are already identified as being destined for you +**\** (and those checks are quite fast anyway) +**\** Also note that MLSAG -\> CLSAG drops average tx size by 600 bytes already +**\** s/average/typical +**\** Like 2 in 2 out +**\** Yes, a 2-2 tx drops already from ~2.5 kB to ~1.9 kB +**\** So Janus mitigation adds something like about 64 bytes back in +**\** (more for multi-output) +**\** Meaning there's already plenty of wiggle room +**\** well here's hoping its the last mitigation for subaddresses. +**\** that's a pretty good drop +**\** We can increase the ring size +**\** meeting is getting toward the end, so Ill add my update here: ztm2 should be ready to publish this weekend, I'm finishing up my last proofreading atm +**\** UkoeHB\_: great! +**\** might take a bit for getmonero to update though, so we will see when I post about it +**\** koe - i sent you an email but to reiterate it's looking really good +**\** yeah saw that :) +**\** Since the hour is indeed almost up, does anyone else wish to share any topics of interest? +**\** https://www.reddit.com/r/Monero/comments/fnhm6u/maam\_monero\_ask\_anything\_monday\_march\_23\_2020/flbbt45?utm\_source=share&utm\_medium=web2x +**\** ^ thoughts? +**\** I'm looking for projects for Fellows to work on, wondering if that seems like a good candidate +**\** That sounds like a question for -dev or -gui TBH! +**\** I could also have one of the software engineers implement ordered TLV if -dev wants somebody else to tackle it +**\** Oh yea, good point +**\** Any wish list projects for MRL? I have 2 software engineers, 1 mathematician, and some data scientists that are open to working on Monero stuff +**\** Isthmus this seems good. i am willing to help but probably can't commit too much atm +**\** Isthmus: perhaps pop over to -dev after meeting and let the channel know that a Fellow might be able to tackle TLV +**\** see what the responses are +**\** I bet moneromooo will have better knowledge of the effects that parsing would have on performance overall +**\** well this never got much traction but Im still a fan https://github.com/monero-project/research-lab/issues/59 could be a lot of work idk +**\** Isthmus: I know this important PR needed review... https://github.com/monero-project/supercop/pull/3 +**\** and if any Fellows have sufficient interest, the new CLSAG security model in the paper could use some eyes +**\** Anyway, let's start to wrap up +**\** I'll cover the fee, penalty and median proposal in the next meeting. By then I'll have most of this finalized +**\** Any ACTION ITEMS to share? +**\** Great ArticMine +**\** @sarang i'll probably ping you tomorrow to go over some zkp ideas for atomic swap +**\** I'll be doing some work on an older preprint, reviewing some ideas in a draft preprint that were sent to me by another researcher, and returning to some Triptych code +**\** there are two other big projects: fully-formed audit functionality, and extensive updates to multisig; mentioned those to TheCharlatan but they really are beasts I expect +**\** i have some resources i'd like to share +**\** for sure +**\** We can close up the meeting, but I'm curious later if anybody has speculation around what's going on with https://xmrchain.net/search?value=f6cff1edd1a7861ed13d494dd4ae7c4a7f42b5c3bf91457310d2166722c1316f +**\** It has an unknown tag type, and the length is recorded incorrectly +**\** are you sure it's a length and not a value byte? +**\** Not sure, that's why I'm asking +**\** All right, let's go ahead and adjourn for timing purposes, but discussions can of course continue +**\** Thanks to everyone for attending! +**\** Logs posted shortly on the GitHub agenda issue diff --git a/_posts/2020-04-08-mrl-meeting.md b/_posts/2020-04-08-mrl-meeting.md new file mode 100644 index 00000000..65bdeeb0 --- /dev/null +++ b/_posts/2020-04-08-mrl-meeting.md @@ -0,0 +1,148 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-04-08 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** OK, time for the weekly research meeting +**\** Let's get started +**\** GREETINGS +**\** hi +**\** hi +**\** hi +**\** ahoy +**\** On to ROUNDTABLE, I suppose +**\** I've been working on papers for PoPETs submission, which has been a blast +**\** hello! +**\** As well as some review for a paper on hierarchical one-of-many proofs +**\** Finally, plenty of code relating to Triptych +**\** Not too much exciting stuff to report overall +**\** Any particular questions? +**\** hierarchical one-of-many-proofs sounds interesting. can you link the paper? +**\** It's not on the IACR yet (and I am not the author) +**\** Otherwise, anyone else who wishes to share research topics is welcome to do so +**\** what are hierarchical one-of-many-proofs? +**\** An extension of the Groth proofs used in Triptych and Lelantus that trade size for prover complexity +**\** They use a clever layering technique +**\** smaller size for increased prover complexity? +**\** Other way around :) +**\** ok :) +**\** The author thought there could be verification savings in certain cases, but I don't think that's the case if you do batching in the usual way +**\** Does anyone else have research topics they'd like to share or discuss here? +**\** I can give an update on the scaling and fees issue #70 +**\** Sure! +**\** I have a solution for the scaling side and minimum relay fee. I am still finalizing the fee ratios +**\** Basically we can use the long term medium to deal with this +**\** Can you summarize? +**\** Sure +**\** 1) Put a cap on the rate of fall of the long term medium so that it falls at the same rate it rises +**\** 2) Make the penalty free zone dynamic as the greater of 300000 bytes and 25% of the log term medium +**\** Will that 300K value change with CLSAG? +**\** No the reference transaction size will to 2100 +**\** yes +**\** But there are no plans to change the fixed-value penalty-free size? +**\** The minimum relay fee will very close to the old normal fee +**\** So for the current minimum penalty one the minimum fee will actually go up ~2.5x +**\** ArticMine what issue/risk is this solution tackling? +**\** A sudden drop in use followed by a recovery +**\** In many ways similar to COVID-19 +**\** What would be the shortcomings of the current implementation in that situation? +**\** https://github.com/monero-project/research-lab/issues/70 +**\** This create the scenario +**\** Ah, couldn't find issue. Thank you +**\** The basic problem is a sharp rise in fee that can take months or year to come back to normal +**\** Also a very sudden drop in the long term medium that also could take months or years to recover +**\** Issue #70 does not mention COVID-19 but COVID-19 is a very good scenario +**\** Will you have specific code or pseudocode soon to allow for simulations prior to any recommended deployment? +**\** Also there are scenarios where COVID-19 cold lead to a significant demand on the Monero network in terms of transactions +**\** Yes +**\** I have all the formulas now except for the fee ratios +**\** OK, thanks +**\** Still working on that +**\** I assume you'll post them to the issue you linked? +**\** Yes that is where I will post this +**\** Got it +**\** Anything else of note that folks wish to discuss? +**\** I know UkoeHB\_ recently posted his new version of Zero to Monero +**\** not sure if he's around right now +**\** Yes that is excellent +**\** but that's on the getmonero library page, along with a link to the TeX source repo +**\** and there was also a suggestion from UkoeHB\_ for updating how MLSAG secret data is wiped, which was a great catch (PR now available) +**\** Anyone else? +**\** Otherwise, we can move on to ACTION ITEMS for the week +**\** I will be continuing work on a C++ implementation of Triptych for timing efficiency tests +**\** as well as some new material for the multi-signer Triptych variant's security model, prior to the PoPETs submission deadline +**\** Oops, just got back. Nice work Artic! +**\** Isthmus: do you have any research or topics you'd like the group to discuss? +**\** Ah, I've been neck deep in Zcash all week. +**\** https://twitter.com/Mitchellpkt0/status/1245769462172745728 +**\** [ Mitchell P. Krawiec-Thayer on Twitter: "Several unique phenomena in the #Zcash transaction lock\_time field. Most make sense: 0, block heights, unix timestamps, delayed broadcast. Still trying to under ] - twitter.com +**\** We did find that funny transaction over in NRL +**\** Probably more of a novelty than anything else +**\** Lemme grab the link +**\** Anything relating to the Zcash lock times that's been observed in the Monero network too? +**\** https://gist.github.com/noncesense-research-lab/a90b8bc5f57ffa9fff1a22d1323e5c2c +**\** Or any lessons to learn from the Zcash work? +**\** Monero's lock times look very similar +**\** Actually there's also 4 bands +**\** Like this: +**\** 0 +**\** {1,3,8,10,12} +**\** {block heights ~ 1xxxxxx} +**\** and then UTC timestamps +**\** It's all over the place, and I don't think any of it is enforced, so the lock\_time field is really just an arbitrary memo xD +**\** In Zcash too? +**\** Did you analyze the distribution of the UTC timestamps as well? +**\** Lemme try to find that notebook +**\** Shoot, I don't have it on this computer +**\** No worries +**\** Any other action items for the week? +**\** So what's up with duplicate subaddresses? +**\** Isthmus: were those the only two such examples? +**\** You suggested "novelty", heh +**\** No, there were several, But all very similar, that one is representative +**\** hmm +**\** Along those lines, it was suggested (last week, IIRC) to move some of the more standardized tx fields out of extra +**\** Which wouldn't eliminate strange behavior, of course +**\** but could help with distinguishing factors like ordering etc. +**\** Any further thoughts on that? +**\** I'm working on it a bit, but need to move ideas from my head into diagrams. Will share here in a week or two. +**\** Might have a new approach, but tbd +**\** New approach to what exactly? +**\** Transaction structure? +**\** Nah, mental models that more accurately describe information leaks +**\** But it doesn't all fit together yet. +**\** My action item is making it into something comprehensible by next week xD +**\** ah ok +**\** Neat! +**\** We're coming up on the end of the hour +**\** Any last questions, topics, action items, etc.? +**\** Just curious what's your perception of relevant research over the next 6 months. Everything staled? Business almost as usual? +**\** Conferences and events are mostly canceled or moved to remote? +**\** Oh you mean in the broader research community? +**\** Seems that some conferences planned for later in the year are playing it by ear for now +**\** Yeah, anything relevant to MRL and Monero, how do you see things going? +**\** The cancellation of the Konferenco was unfortunate, but necessary +**\** Otherwise, calls for papers seem to be mostly continuing as normal, which is great to see +**\** ok good to know thank you +**\** Perhaps bored academics stuck at home will be more eager to read and review new research too +**\** and go straight for journals :) +**\** Oh interesting question @binaryFate +**\** That reminds me, when do we want to research quantum-resistant PoW and/or quantum-resistant cryptography? +**\** Note that pqPoW isn't super important in the short term +**\** "before it's too late" +**\** However it is unfortunate that the Monero transaction I make tomorrow will most likely be decrypted by a quantum computer during my life time. +**\** I know that suraeNoether had taken a particular interest recently in post-quantum signature constructions, but I don't know of any relevant efficient results at this point +**\** It might be nice to have somebody put together a survey of (1) Exactly which pieces of Monero will be broken by quantum computers (2) Potentially Monero-compatible solutions +**\** The reliance on discrete log hardness is the kicker +**\** Yep, it's gonna be tricky. +**\** But, I believe we can do it! If not, Monero has a very limited shelf-life :- P +**\** I feel like the bipartite graph matching project that suraeNoether is verifying will be one of the most vulnerable +**\** Graph matching is already parallelizable without a quantum computer +**\** It's just a very large search space in general +**\** On that happy note, let's go ahead and adjourn! +**\** Thanks to everyone for participating +**\** Logs will be posted shortly to the agenda GitHub issue diff --git a/_posts/2020-04-15-mrl-meeting.md b/_posts/2020-04-15-mrl-meeting.md new file mode 100644 index 00000000..b0bbe149 --- /dev/null +++ b/_posts/2020-04-15-mrl-meeting.md @@ -0,0 +1,220 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-04-15 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** First, GREETINGS +**\** Hello +**\** Hi +**\** Heya +**\** hi +**\** hi! +**\** I'll wait a couple of minutes for anyone else to arrive +**\** hello +**\** All right, on to ROUNDTABLE +**\** Who would like to share any research of interest? +**\** Howdy +**\** https://github.com/monero-project/research-lab/issues/73 +**\** Research is a big word, but there's an idea +**\** It'd be possible for a recipient to miss spendable funds if this value weren't included properly +**\** is there any potential issue if the sender does not play "nicely" (purposefully fail the scheme) but can nonetheless prove having sent some outputs to the recipient? +**\** same is true for tx pub keys +**\** If the sender doesn't follow the rules, recipient won't see a message showing receipt of funds. +**\** So they'd just ask the sender to make a valid transaction +**\** Yep +**\** Really, the sender hurt themselves +**\** It's similar to if a sender sent a bad commitment,e tc. +**\** (except for the spendability property) +**\** if there is a wallet that doesnt make view tags correctly, it will be a worthless wallet +**\** Bingo +**\** and quickly get patched +**\** Surely this would be a kind of "fast scan" and if the sender messed it up somehow it would still show up in a normal scan? +**\** yes +**\** They can "DoS" an exchange support easily +**\** Probably hurt them more than the exchange +**\** yeah cankerwort it would be trivial to have fast/normal scan differentiation; the technique is very simple +**\** And wallets don't have to use the method to scan at all if they don't want to +**\** how would fast scan work together with supercop EC ASM? would ASM still bring a scanning speedup? +**\** would there be interesting tradeoff too with a bit more or a bit less than a byte? (changing the 1/256 chance) +**\** The speedup is huge if you're looking for 1-2 addresses, but marginal if you're scanning for 20,000 transactions, right? +**\** my thought is 1 byte is a very standard size, and going lower gets kinda hacky; more than that I can't imagine meaningful improvement +**\** \*1-2 transactions +**\** which speedup? +**\** if somehow you own 80% of all tx, then yeah the view tag only helps you for (255/256)\*.2 of the rest +**\** So a scan under this system would scan (1/256 of all transactions) + (actually relevant transactions) - overlap +**\** right +**\** and 'scan' just means perform a few more ec operations +**\** per output +**\** it's actually 1/256 of all outputs, not tx +**\** ah yea, ty +**\** why only one byte? Are two bytes too revealing? +**\** diminishing returns +**\** the marginal scan change from 1 byte to 2 byte view tags is tiny +**\** OK, noted +**\** Any additional questions on this idea at this point? +**\** any objections also? +**\** I like it +**\** yes :) +**\** Hopefully this will reduce the "Y MONERO SO SLO TO SYNC" posts on reddit by 1/256 too +**\** one can only dream +**\** I suppose generally speaking the fork when transactions get smaller anyway is a good time to introduce these QoL improvements +**\** this looks great +**\** Well, there doesn't seem to be a plan for whether or not to include Janus mitigations, which have been brought up repeatedly before +**\** or is any reduction in transaction sizes already earmarked for bigger ringsizes? +**\** There is currently no concrete plan to increase the ring size with CLSAG +**\** Note that the move from MLSAG to CLSAG will reduce the typical 2-2 transaction from 2.5 kB to 1.9 kB in size +**\** (absent any other changes) +**\** I think the discussion about Janus and tx extra has made some small progress +**\** Sure, but small progress != PR +**\** :D +**\** Anything else you'd like to discuss UkoeHB\_? +**\** dont think so thanks sarang +**\** OK thanks UkoeHB\_ +**\** Does anyone else wish to share research of interest? +**\** If not, I have a couple of things to share +**\** Hmm, I’m still working on creating a graph formalism for fungibility defects. Made a little bit of progress since last week, but it’s still not quite coherent. Being rigorous is hard. Hopefully will have something to share in a week or two. +**\** I’m cooking up some stuff with Insight too. One of the Fellows put together a patch to prevent coinbase underclaiming now that we’ve moved away from discretized outputs. I just looked at the code, will clean it up and submit for consideration/review. +**\** I want to get more of Insight’s engineers working in our ecosystem! Insigght has been pouring a ton of R & D resources into Polkadot, ICON, Zcash, etc. I really want to leverage my team to contribute to the Monero community at this scale too. +**\** Having a few internal syncs to match Fellows onto open challenges, based on their skills/passions/interests. Hopefully in the next week or two, I’ll be introducing new contributors. :- ) +**\** Nice +**\** More details coming soon as those conversation proceed +**\** What kinds of projects? +**\** Meeting with the candidates this week to nail that down based on their skillsets +**\** got it +**\** And now I need to go find out wtf is Polkadot and ICON all evening +**\** Thanks Isthmus +**\** This PR to speed up Bulletproofs is ready to go: https://github.com/monero-project/monero/pull/6451 +**\** Applies retroactively, and has some pretty nice improvements +**\** Saves 25% on a 64-batch of 2-output proofs +**\** Feel free to review if you like +**\** Excellent +**\** Fantastic news +**\** Second, I've been working hard on a Triptych implementation in the codebase, for more accurate real-world testing +**\** This is the branch: https://github.com/SarangNoether/monero/tree/triptych +**\** (note that this code is not production-ready, and should not be used in anything important) +**\** Size data comparison: https://usercontent.irccloud-cdn.com/file/KvolrThG/size.png +**\** Triptych = Tryptych 2? As in did one version supersede the other? +**\** Verification timing comparison: https://usercontent.irccloud-cdn.com/file/4CATnXf6/timing.png +**\** This is for Triptych, which requires separate proofs per input (much like MLSAG and CLSAG require) +**\** The timing plot uses performance test data from this branch +**\** The gray lines are centered at the 11-MLSAG point for visual reference +**\** The timing data does \_not\_ include some unfinished optimizations, or batching, or common input sets within the same transactions +**\** However, it provides an idea of how MLSAG, CLSAG, and Triptych compare generally +**\** Noice +**\** what's the gray line intersection with the Triptych line x axis value? +**\** The vertical gray line is for ring size 11 across all constructions +**\** The horizontal line is the size/time value for MLSAG at ring size 11 +**\** (again, just for visual reference) +**\** To help you compare to what we have in place right now +**\** What is the impact on tx size +**\** Each transaction input (not ring element, spent input) requires a single signature, of whatever construction you prefer +**\** Moving from 11-MLSAG to ~32-Triptych would result in no change to signature size +**\** and would result in slightly faster verification +**\** really impressive +**\** These are awesome improvements! But the plan is not to go straight for Triptych right? +**\** The size data are final; but again, the verification data is still WIP +**\** Triptych (and all other WIP next-gen constructions) require a modification to key images that requires new engineering work for multisig +**\** It's very nontrivial +\<[keybase] seddd\>: sorry 4 late. just finishing review of CLSAG, will send draft report to sarang when done. no big findings :) +**\** Thanks seddd, much appreciated +**\** seddd = surae? +\<[keybase] seddd\>: +1 +\<[keybase] seddd\>: not by a long shot cankerwort +**\** Finally, ledger/trezor support for CLSAG is getting finished +\<[keybase] seddd\>: (surae wayyyy smarter) +**\** cslashm made a PR that'll be included in the test branch +**\** and ledger has a PR on their side for firmware support that's been completed +**\** Nice that hw wallets are so proactive compared to how exchanges were with subaddresses +\<[keybase] seddd\>: ah, that's my next step. still haven't reviewed the ledger-side stuffs. looked at cslashm's PR tho +**\** It's been very nice to see such quick work for ledger/trezor, that's for sure +**\** The goal is to have support ready to go at network upgrade time +**\** really cool numbers +**\** Anyway, that's my report: BP speedup, Triptych WIP data, CLSAG device-specific support +**\** Any other questions for me about those topics? +**\** Are these numbers \*likely\* similar to Arcturus? +**\** for non-bath +**\** \*batch +**\** what is Arcturus? +**\** Ah, I renamed Triptych-2, both to reduce name confusion and because it operates differently +**\** I never liked the name Triptych-2; it was more of a placeholder +**\** Noted and appreciated +**\** I am not good at clever naming :/ +**\** Anyway, to answer sgp\_'s question +**\** Arcturus gives better size scaling +**\** Verification timing will be very similar to Triptych +**\** size already looks pretty good +**\** Still if it can be made smaller then it is an improvement +**\** With Arcturus, you only need one proof/signature per \_transaction\_ instead of per \_input\_ +**\** Ooooh +**\** The magic of generator reuse means the verification would be similar (if you use common anon sets for Triptych for comparison) +**\** (this difference is why I renamed it) +**\** However, keep in mind that Arcturus relies on a nonstandard hardness assumption +**\** What if any are the disadvantages? +**\** ^^ +**\** Is the plan still to get CLSAG audited in time for the next fork? Which are now annually apparently? +**\** This is my understanding +**\** (but it's not my decision) +**\** sarang what's your feeling about whether the multisig issue can be solved without foreign primitives? +**\** As far as I know, we'd need support for general RSA groups for proper multisig with the next-gen constructions +**\** This is for signing only, not verification +**\** (even though it's RSA groups, there are no trusted setup problems, FWIW) +**\** And you're confident about this being a requirement, or it's just that nobody found how to do without yet? +**\** I did a writeup on the multisig question here https://github.com/monero-project/research-lab/issues/72 +**\** If you can point out a homomorphic public-key scheme that can use arbitrary prime-order groups, I'm all ears +**\** Yes, it links to code and a description that I worked out +**\** right ^ +**\** Paillier encryption is not specifically required +**\** but you need an additively homomorphic scheme +**\** Anyway, I've taken a lot of time in this meeting +**\** Was there anything else of interest to share here? +**\** I made a Rust PoC for including timelock blinding and commitments in transactions. The PoC builds transactions and verifies them with CLSAG signing and the locktime blinding mechanism as described in DLSAG. It looks like the additional size requirements are: input and output commitments, auxiliary (dummy) plaintext locktime, locktime image and a range proof. Thanks to CLSAG, there is no further +**\** increase in the signature size. Contrary to the locktime blinding desription in DLSAG, I think we can spare the range proof on the transaction's output locktime. The main size component therefore is the additional range proof. I also had a discussion about aggregating the locktime range proof in a transaction input with the amount range proof in the output with sarang yesterday (admittedly more +**\** of a lesson from sarang, than a discussion). The gist of it is that in transactions with many outputs and inputs, aggregated range proof verification would become prohibitively slow. +\<[keybase] seddd\>: oh, awesome! please disregard then, sometimes I derp +**\** TheCharlatan: there should be an additional 32 bytes to the signature +**\** because of the use of an additional auxiliary linking tag +**\** Ah, right I did not include tags in the description :P +**\** However, adding 32 bytes per input is still pretty darn good +**\** Note that verification will take a hit +**\** I have a CLSAG test branch that shows the difference +**\** (but I don't recall the numbers) +**\** TheCharlatan: is your code public? +**\** yes: https://github.com/TheCharlatan/rs-xmr-cryp/tree/master/timelock +**\** Also: note that Triptych can be easily extended to support this as well, since it's also a d-LRS construction like CLSAG is +**\** nice thanks +\<[keybase] seddd\>: TheCharlatan: that's awesome! was going to live-code CLSAG in Rust this Saturday. glad to have another reference impl :) +**\** There's also another CLSAG rust implementation available too +**\** https://github.com/crate-crypto +\<[keybase] seddd\>: so nice! thanks sarang :) +**\** (I didn't write that, FWIW) +\<[keybase] seddd\>: for sure, thanks for the link then :) +**\** The crate-crypto implementation is much nicer, mine is more of a quick script. +**\** TheCharlatan: what would be helpful from this group at this point? +**\** so I don't have a good feel on the boundaries of bulletproof scaling yet. So I think some more data there would be helpful. +**\** OK, I'm glad to help with that if you like +**\** (probably best to save those questions for after the meeting) +**\** yes :) +**\** Thanks TheCharlatan +**\** OK, we're just past the hour mark +**\** Let's move on to ACTION ITEMS +**\** What do folks plan to work on this week (that they wish to share)? +**\** I plan to finish the last Triptych code optimizations, to finalize that timing data +**\** as well as the CLSAG device-specific code integration +**\** Others? +**\** I think Ill write a brief proposal for Janus + view tag + extra field, a package update +**\** The concept seems to be coalescing +\<[keybase] seddd\>: just working on finishing up testing/manual review of CLSAG, writing the draft report, etc +**\** Yeah, and there are several related ideas there that could happen concurrently +\<[keybase] seddd\>: \_cedes to UkoeHB\_\_ +**\** Any last questions or comments before we adjourn? +**\** ArticMine: how is the fee proposal coming along? +**\** just wants to say that was a lot of impressive developments, feels like christmas +**\** ^ +**\** Still working on the fee part. +**\** All right; we are adjourned! Thanks to everyone for participating +**\** Lots will be posted shortly +**\** Discussions can of course continue :) diff --git a/_posts/2020-04-22-mrl-meeting.md b/_posts/2020-04-22-mrl-meeting.md new file mode 100644 index 00000000..f1e1ffbf --- /dev/null +++ b/_posts/2020-04-22-mrl-meeting.md @@ -0,0 +1,299 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-04-22 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** First, GREETINGS +**\** hi +**\** Hello +**\** .time localtime +**\** Could not find timezone localtime. +**\** .time cdt +**\** Could not find timezone cdt. +**\** First agenda item is trolling the monerobux bot +**\** naturally +**\** Well, let's move to ROUNDTABLE +**\** ooh +**\** Hi +**\** I assume Isthmus would like to share the material he posted on the agenda issue? +**\** https://github.com/monero-project/meta/issues/456 +**\** Specifically: https://github.com/monero-project/meta/issues/456#issuecomment-617883059 +**\** Sure +**\** Go ahead! +**\** hi +**\** Just completed a study quantifying the impact of exchange rate volatility for Monero-denominated delayed payouts. +**\** Normally I consider exchange rate stuff out of scope for MRL but this is relevant to all CCS-funded contributors +**\** Hm, I was going to cut and paste from the GitHub issue but everything is slightly too long for IRC +**\** Basically, I put together a sliding window statistical analysis of the XMR price timeseries to create a framework for volatility risk management +**\** The TL;DR is this: +**\** [INPUTS:] X% confidence that a Y-month payout will cover the quote (based on the last Z months of data) can be achieved with an [OUTPUT:] V% volatility buffer. +**\** Suppose we want to look at the last 24 months of data +**\** And consider a 4-month sliding window (1 month to fundraise on CCS + 3 months to execute) +**\** Here are the outcomes based on historical data +**\** https://usercontent.irccloud-cdn.com/file/tbl4tkZn/image.png +**\** We observe an unfortunate asymmetry over the past two years, for example: contributors to projects with a 4-month timeline were more than twice as likely to experience a 50% decrease in compensation value (red line) than a 50% increase in compensation value (green line). +**\** That's quite the asymmetry +**\** That's the probability distribution function, the cumulative version is helpful too: +**\** https://usercontent.irccloud-cdn.com/file/2UBTfPI7/image.png +**\** The red cross highlights that USD/XMR decreased over 65% of sliding 4-month windows (i.e. only 35% of contributors would receive payouts worth the quote price). The orange cross shows that an 80% likelihood of receiving a sufficient payout would be achieved with a +35% buffer. +**\** Explaining the orange cross in the framework described above: 80% confidence that a 4-month payout will cover the quote (based on the last 24 months of data) can be achieved with a 35% volatility buffer. +**\** Now, let's consider what happens if we double the timeframe (so that the data include a bull market as well as cryptowinter). The previous plots spanned the last 2 years (blue dots); now let's extend this to 4 years (blue & green dots). +**\** https://usercontent.irccloud-cdn.com/file/aCapoFx3/image.png +**\** oops transparent background, ssorry +**\** Now that our we include both the bull run leading up to the all time high and the subsequent decay, the extended data set contains new outcomes on both sides of the red breakeven line (+ a few outliers omitted on this plot that are shown in the next). +**\** https://usercontent.irccloud-cdn.com/file/kiCGTbDh/image.png +**\** Over the 4 year history, we see that about 60% of the windows receive a payout covering the quoted value (red cross). Since the data set now includes an 8x bubble in its entirety, the volatility insurance rate for 80% confidence rises to a 170% buffer (orange cross). +**\** https://usercontent.irccloud-cdn.com/file/le8lMFik/image.png +**\** I'm hoping that having a volatility risk management framework like this will increase funding accessibility for people/businesses that want to contribute but cannot afford speculate on income. +**\** This is great data +**\** Any questions for Isthmus? +**\** Volatility is expensive +**\** No questions, but thanks for doing this +**\** ty :) +**\** I can share next, if there are no other questions for Isthmus +**\** More of a comment. +**\** Thanks for the work +**\** Yeah thanks, just for more clarity: what are Monero-denominated delayed payouts? +**\** What we are dealing with is more like a two bear market as opposed to volatility +**\** It seems like long delays in payouts are not worthwhile. Either donators or donation recipients will lose on fiat-equivalent purchasing power with a good probability +**\** With the bear trend longer than the term of the typical CCS +**\** ah I see what this is now +**\** I actually wondered about this previously too. This is definitely good info +**\** Donators can't lose. They get exactly what they intend in terms of exchange rate. Recipients can lose or win. Other market participants (which could also be the donators or recipients if they choose to play the markets in the meantime) will win or lose. +**\** Donators can lose if recipients justifiably ask for premiums in the name of volatility, so donators are paying for the volatility +**\** At any rate, it provides useful information for proposers and potential donors to assess the impacts of volatility +**\** Isthmus: did you want to also discuss TheCharlatan's possible work on timelocks? +**\** (you just posted to the agenda on it) +**\** I think volatility is the wrong term here +**\** @ArticMine yeah, there may be a more precise way to phrase it. Let me know if you have ideas +**\** @sarang sure +**\** We discovered a few months ago that Monero's plaintext unlock time leaks information and presents a transaction linkability risk +**\** An encrypted unlock time is possible and would solve privacy issues, however the design and performance characteristics must be carefully considered. +**\** Right +**\** The issue is a systematic downward trend during the term of the particular CCS +**\** We investigated this with the DLSAG preprint +**\** Insight has put together a proposal for Isthmus & TheCharlatan to research solutions over the summer. Looking for feedback on the plan here: https://github.com/insight-decentralized-consensus-lab/monero\_encrypted\_unlock\_time +**\** Our goals are: +**\** The method from the DLSAG preprint works even without the dual-key output structure, and I have some code demonstrating both the general method and how various LRS constructions could be used for this +**\** Detailed system design decisions (e.g. unlock\_time per output or per transaction?) +**\** Prototype code to quickly test different approaches , including simulating transaction construction, signing and verification +**\** Report of quantified space/time/privacy tradeoffs with each mitigation strategy +**\** Implementation code for Monero source tree, for at least one of the chosen approaches +**\** Comprehensive research analysis writeup , cross-referenced with code and documentation +**\** Oh sorry Sarang, go ahead +**\** Oh no, just providing some background; please continue +**\** Oh, that was the end of the list :- ) +**\** Ha got it! +**\** Yeah, so there was already some work on this +**\** and I've been discussing it with TheCharlatan +**\** Basically you can follow an approach similar to that in DLSAG using any d-LRS construction +**\** Meaning MLSAG, CLSAG, Triptych can be used +**\** Obviously the scaling will be different in size/time +**\** But essentially you increase from a 2-LRS (signing key, amount key) to a 3-LRS (signing key, amount key, timelock key) +**\** You also need to change how range proofs are structured, in a nontrivial way +**\** Does unlock time per transaction mean all outputs have the same unlock time? +**\** In theory, yes +**\** But it would depend on how it's designed +**\** Yep @sgp\_ that's how it works currently +**\** Anyway, there's a marginal increase in transaction size to include the necessary auxiliary commitment data +**\** But more notably, there's a time cost that scales linearly with the ring size +**\** Maybe market research some come first to see if there's a demand for per-output. Has this been done at all? +**\** \*should come +**\** This time cost exists regardless of whether the locks are per-output or per-transaction +**\** I have C++ timing data for CLSAG to show this, and could modify the new Triptych code similarly +**\** (no point doing it for MLSAG) +**\** Before there's too much time/effort invested in this, I think it'd be useful to determine what costs people think are acceptable to introduce this +**\** The signature stuff is pretty straightforward (from 2-LRS to 3-LRS), but there's additional engineering work for a much different handling of range proofs, which would also need to change the fee structure due to Bulletproofs DoS scaling +**\** Does this impact transactions that use the locks only or all of them? +**\** and, of course, the timing hit needs to be considered +**\** Well, for maximum uniformity all outputs would need locks +**\** The lock could be set to 0 +**\** but the time cost is the same +**\** Since for every ring member, you need to process its lock data +**\** and the verifier can't tell which locks are 0 due to the commitment structure +**\** I feel like knaccc since I can't imagine what utility timelocks have +**\** Crossing borders +**\** Would encrypting lock times prevent it from being used as a second layer building block ? +**\** Constructions involving cross-chain and off-chain channels would need them +**\** Isthmus: how many transactions use these locks again? I lean towards not pursuing this unless there's a known demand +**\** moneromooo: encrypting timelocks were originally designed for 2nd layer stuff in DLSAG +**\** i thought the second chain requires the kind of time locks that we don';t have yet +**\** They aren't required for DLSAG, but they are useful to avoid spend heuristics +**\** second layer, sorry +**\** e.g. ring members whose locks have just expired may be more likely to be true signers, etc. +**\** but i guess both types would need encryption +**\** Anyway, if the decision is to support timelocks, requiring the commitment structure is good for mitigating heuristics, but it comes at a definite cost +**\** and this cost scales with the ring size +**\** I'd be ok with a fair cost if it is instrumental having a good second layer, but not really otherwise. +**\** it seems pretty integral if we want monero to be programmatic money +**\** To be clear, a solution like DLSAG requires timelocks, but does not require encrypted timelocks +**\** It is highly beneficial for uniformity if the timelocks are encrypted, however +**\** Isthmus it might help the proposal if there were some basic estimates of costs related to timelocks (storage requirements, additional EC ops), for both CLSAG and then for Triptych. +**\** UkoeHB\_: I already have this data for CLSAG, and presented it quite a while ago +**\** For Triptych there are estimates (the C++ code didn't exist at the time) +**\** ah, in which case a link would be nice +**\** I can dig it up after the meeting +**\** That's only the costs for the signature and commitments though, right sarang? +**\** FWIW the branch is here for 3-CLSAG: https://github.com/SarangNoether/monero/tree/3-clsag +**\** TheCharlatan: the range proof wouldn't necessarily incur any extra costs +**\** Depending on if/how the limits are changed +**\** If desired, I can update the new Triptych C++ code to support timelocks, for data on performance differences +**\** it'd be pretty straightforward to do +**\** Anyway, I support the idea if it's based on a solid understanding of the costs, and has general consensus +**\** I only really support the research if we know there's a solution on the table that Monero will use for second layer stuff. The "how to encrypt" question will be answered faster than the audit process. Maybe I'm not understanding the application, but I perceive this bug hurdle as needing to come first +**\** sgp\_: we know exactly \_how\_ to do it +**\** (in terms of signature handling) +**\** I meant selecting which is best +**\** What's not known are specifics related to range proofs, fee structure, etc. +**\** fee would be pretty simple to update afaik +**\** Perhaps. What changes is that the aggregated range proof now needs to account for newly-generated outputs, as well as a proof for each timelock input +**\** But it's still something that would need to be considered and completed in the design/deployment process +**\** right +**\** and it also complicates things since there are currently no specific input limits +**\** whereas Bulletproofs have a ceiling-power-of-2 verification cost, which is why we limit the output count +**\** Having a separate bulletproof makes little sense from a size perspective +**\** ah hm +**\** per-input timelocks may be expensive, but I defer to the estimates /o\ +**\** Could we have 1 time per transaction, and an encrypted bit with each output +**\** 1 = use encrypted timelock +**\** 0 = default (10 blocks) +**\** Isthmus: you still need the signature and range components +**\** How you assign timelock commitments to outputs isn't really relevant there +**\** Mmkay, was just trying to think of a way to bee able to lock 1+ outputs without locking your change (without having an encrypted timelock for each output) +**\** That's a pretty minimal size cost +**\** The real kicker is verification +**\** and the specifics on range proof structure +**\** Yep, those are key things to nail down first +**\** Well, we have CLSAG code to give real numbers on that cost +**\** and it's easy to modify Triptych to give its costs +**\** What is not known is what time hit is considered reasonable +**\** "as low as possible" isn't a design decision +**\** Can I step in since I really need to make sure I understand the big picture here +**\** sure +**\** of course +**\** In order to add a feature, there should be at least some stated use for it, especially if there are costs +**\** nvm per-output timelocks would be cheap at 8 bytes per additional output, most cost is on input proving side +**\** So the main benefit is the ability to add things like DLSAG and other related protocols that could allow second-layer right? That time locks are necessary for second-layer solutions we know about? +**\** Well, and we allow timelocks right now; but they have multiple accepted specifications, and likely introduce spend heuristics +**\** s/likely/do/ +**\** So their presence and optionality introduce fingerprinting +**\** right but they aren't used as far as we know for anything in particular? +**\** ^^ good point +**\** Not only are timelocks used +**\** 5 different formats are used +**\** See the documentation linked above +**\** that's what I meant +**\** So SOMEBODY is using them +**\** They're anonymous, unfortunately, so I don't know their use case +**\** Requiring a uniform format is an obvious first step +**\** what fraction of all tx have non-zero timelocks? +**\** sgp\_ they are also useful for atomic swap purposes, if you are looking for specific features. +**\** was about to ask same UkoeHB\_ +**\** https://usercontent.irccloud-cdn.com/file/xIfs2dFC/table +**\** TheCharlatan, but not in the state that they currently exist, right? I thought atomic swaps require the kind of time locks that bitcoin has - i.e., this tx can't be mined until certain time +**\** yeah right now its payment channels (lightning network) and atomic swaps, for the most relevant application of timelocks (i think) +**\** They're not super widely used, on the order of 10k nonzero locktimes +**\** Of course, neither are subaddresses ;- ) +**\** total number of txs is 10M order of magnitude? +**\** 6M +**\** Almos 7M +**\** \*almost +**\** .c 1e4/7e6 +**\** jwinterm: 0.001428571429 +**\** dumb idea: why not threaten to remove this feature entirely unless someone justifies the need? +**\** 0.1% more than I would've guessed +**\** since we are spitballing a bit, Istmus and I also discussed introducing a more compact format. So if encrypting them is deemed undesirable, I believe we should still change their current behaviour to something more sane and less dangerous. +**\** if these are caused by someone fucking around for no purpose, then why bother having them +**\** compact format? +**\** Do you mean supporting only a single uniform format? +**\** Because this seems like a natural first step +**\** iirc they are varints atm, so at most 9 bytes +**\** At least removing the fingerprinting possible within the use of timelocks +**\** in order for the \*cool\* time-lock applications to come around, we need to agree to implement something else which would come with a large advance notice. This hasn't happened obviously +**\** Well, and there is no DLSAG-type payment channel use currently available +**\** @UkoeHB\_ I thought it was uint64. I got a few outputs locked until 18446744073709551614 (about 500 billion years) over the weekend :- P +**\** Isthmus: something something store of value +**\** Using a single format for timelocks seems a sensible first step to me +**\** varints have up to 63 bits of information from what I understand +**\** oh yea +**\** OK, so in the interest of time, what's a good next step in this design process? +**\** cost estimates +**\** Isthmus TheCharlatan: let's discuss that after the meeting +**\** Exactly, but a varint for a timelock is completely overblown. There have been a lot of discussions on this in Bitcoin as well, for example to restrict the size to a 1 byte value that is then interpreted as a power of time. +**\** single format +**\** I say the cost estimate of only the cheapest option to begin with to see if that action is warranted +**\** Personally I would get rid of time based lock times entirely. +**\** That introduces a correction term when blocktime changes +**\** But that's easy enough to do +**\** TheCharlatan: haha exactly, or at least aggressively ask for justification from people who use them +**\** OK, so beyond investigating optimal single-format cleartext use and updated cost estimates, anything else on this topic for right now? +**\** (otherwise we could discuss it for hours...) +**\** going once +**\** going twice +**\** sold +**\** nope, I just want to stress that we need to know why they are used before slowing down transactions +**\** I can briefly share a couple things in the time we have left +**\** I overhauled Triptych verification to support common-key batching +**\** and s/time/two - deleted the wrong word :( +**\** New timing data: https://usercontent.irccloud-cdn.com/file/TWAkCeJJ/timing.png +**\** This data represents the input-amortized verification cost for a 2-input set of signatures +**\** Assuming the same ring is used across both inputs for Triptych +**\** (for MLSAG/CLSAG it doesn't matter) +**\** I also overhauled the MLSAG tests for better consistency with the other series +**\** wait isnt that way faster? +**\** It should be +**\** What are amortized inputs? +**\** If you have a 2-input transaction, you need to compute 2 signatures +**\** For MLSAG/CLSAG, this takes twice the time as one signature +**\** For Triptych, if you use the same ring, you get huge batching benefits +**\** So this is the per-input cost for a 2-input transaction +**\** For higher-input-count txs that would share rings, the benefits get even better +**\** +**\** The gray crossed lines are centered at the current N=11 MLSAG point +**\** This implies that Triptych becomes slower than right now (for 2-input txs) between N=64 and N=128 +**\** (but you can't split the difference... you need to pick a power of 2) +**\** Anyway, hopefully this gives more realistic timing data, at least across 2-input txs +**\** is 128 about the same time as DLSAG 12? 13? +**\** You can use my `triptych` branch and `clsag-device` branch to construct this data for yourself +**\** I don't have C++ data for DLSAG +**\** soory I meant MLSAG +**\** I'd have to run some quick MLSAG tests on those intermediate numbers +**\** I can have that shortly after the meeting (need to do a new build) +**\** it's fine, not that important +**\** It's easy, just takes a few minutes +**\** Anyway, that's what I wanted to share +**\** cool stuff +**\** Does anyone else have research to share (we're running a little long, but that's ok) +**\** very cool +**\** hi yes, this proposal went up this week https://github.com/monero-project/monero/issues/6456 +**\** it's a synthesis of discussion and research from IRC over the past months +**\** It's very comprehensive :) +**\** I admit that I haven't had a chance to sit down and devote time to it :/ +**\** However, do you have any concrete suggestions at this point UkoeHB\_? +**\** there needs some debate about whether to pursue Janus, and which solution to adopt, but otherwise tx structure recommendations, sorted tlv, and view tag all seem concrete to me +**\** Neat +**\** I'll devote time to it before the next meeting for sure +**\** also moving to mandating 1 tx pub key for 2-out tx, and 1 key per output for \>2 out tx +**\** Many thanks for continuing work on that +**\** OK, let's briefly review ACTION ITEMS before we adjourn +\< is that assuming that every 2-output txn has a change output? +**\** \*change or dummy +**\** we only have to make that assumption if Janus is implemented +**\** Ok, so then if there's a txn being split between 2 (non-change) recipients, it must be constructed as a 3-output txn with a dummy output, right? +**\** right +**\** Eh that seems harmless. Is a corner case anyways. +**\** Sorry @sarang go ahead +**\** Someone volunteered to do a review of the CLSAG code, which was very helpful... they also recommended adding Poly1305 authentication to wallet encryption, which is a good idea to prevent chosen-ciphertext adversaries +**\** Aside from that, I'll pull up some 3-CLSAG and 3-Triptych data to help the timelock discussion, as well as some stuff on Arcturus +**\** that's all for me :) +**\** Anyone else? +**\** I'll expand the timelock proposal with some more references/data/use cases +**\** And I'll probably finish another quantum-resistance proposal today or tomorrow, currently incorporating feedback into the first draft +**\** great +**\** Any other final action items before we adjourn? +**\** Oh yea, and I'll read UkoeHB\_ 's epic github issue :- ) +**\** Righto, we are now adjourned! Thanks to everyone for a great meeting diff --git a/_posts/2020-04-29-mrl-meeting.md b/_posts/2020-04-29-mrl-meeting.md new file mode 100644 index 00000000..e730acd9 --- /dev/null +++ b/_posts/2020-04-29-mrl-meeting.md @@ -0,0 +1,167 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-04-29 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** OK, let's get started with the research meeting! +**\** First, GREETINGS +**\** hi +**\** hi +\<[keybase] unseddd\>: o7 +**\** hi +**\** Let's go ahead and continue with the ROUNDTABLE +**\** Anyone is welcome to share research topics of interest +**\** I suppose that I can share a few things +**\** Relating to timelocks, I extended CLSAG and Triptych to support them +**\** CLSAG: https://github.com/SarangNoether/monero/commit/28f098260c5bb4da57bb78ebc885fe27c9f10c39 +**\** Triptych: https://github.com/SarangNoether/monero/commit/ed48ab1686b7e7405bd6656c18e37ea21e01fe05 +**\** Here is corresponding timing data: https://usercontent.irccloud-cdn.com/file/dQXuFH2U/timing.png +**\** 3-CLSAG and 3-Triptych are the timelock-friendly data series +**\** The other data series are unchanged from when I first shared them +**\** I suspect that 3-CLSAG could be optimized by perhaps another 10% or so from what appears on the plot +**\** Unrelated to this, I'm updating how in-memory key encryption is handled, which is taking a bit longer than expected +**\** and am reviewing the new CLSAG fuzzer tool that unseddd provided +**\** That's about it from me! +**\** Are there any questions that I can answer? +**\** Nice work +**\** Thanks! +**\** CLSAG optimization in verification time, size or both +\<[keybase] unseddd\>: seconded, nice stuff sarang +**\** ArticMine: in verification time, and only for the new 3-CLSAG variant that would apply to encrypted timelocks +**\** Great work by the way +**\** Thanks +**\** When I wrote 3-CLSAG, I used a particular multiscalar multiplication that could likely be made faster for this particular case +**\** Also, huge thanks to unseddd for reviewing CLSAG and writing the fuzzer tool +\<[keybase] unseddd\>: is 3-CLSAG limiting the multisig to three parties? +\<[keybase] unseddd\>: np :) +**\** No, it adds another key component that would be used for timelocks +**\** Right now we have two key components: one for the usual signing, and the other for balance purposes +\<[keybase] unseddd\>: ah, thanks for the clarification +**\** Does anyone else wish to share research of interest? +**\** it seems like 3-triptych would reduce the ringsize likely to be selected by a power of 2 +\<[keybase] unseddd\>: not much interesting on my end. just reading formal verification papers + some pq-crypto stuff from Mike Hamburg +**\** Adding encrypted timelocks is a nontrivial verification hit +**\** What is the time ans size cost +**\** What might be interesting as an alternative would be to allow cleartext timelocks, but update decoy selection to account for known spend patterns +**\** It would not eliminate fingerprinting, but could help to mitigate age-related selection heuristics +\<[keybase] unseddd\>: are there any leakage issues having the timelock in the clear? +**\** ArticMine: going from CLSAG to 3-CLSAG is about 1.4x increase in verification time +**\** Which could probably be reduced slightly with some extra work +**\** In terms of size it's fairly trivial... adding an extra auxiliary key image (this does not account for other non-signature data) +**\** unseddd: for sure +**\** I'm not saying that I advocate for such an approach, only that it could be an option +**\** and would not imply any size/time hits +**\** it's a ways down the road, but I'd like to mention it now; when deciding ring sizes for next gen tx protocol I feel it should be based on a broader analysis of theoretical maximum tx throughput of the network; this is because the max tx volume is when rings are \_least\_ useful to defend against non-scaling graph heuristics, and because larger ring sizes actually reduce the max tx volume; it's an optimization +**\** problem +\<[keybase] unseddd\>: right, from a naive perspective, triptych seems like it has enough savings for the hit from timelocks +**\** sorry I'm late. catching up +**\** UkoeHB\_ The maximum tx throughput is also dependent on external factor tat keep improving over time +**\** unfortunately that optimization depends on the efficacy of ring sizes.. which we don't have a complete understanding of; I hope suraeNoether can return to that topic at some point +**\** ArticMine: true, there are a lot of factors to consider! +**\** At the very least, we now have concrete numbers for the spacetime effects of ring size increases +**\** hi +**\** the cost of encrypted timelocks seems extreme to me tbh. I don't want to go there unless we know we need to support them for a good use-case +**\** Getting timelock-related spend age data from transparent chains might be helpful if it's decided to continue to allow cleartext timelocks +**\** Then output selection could be improved to account for it, and reduce the usefulness of spend-age heuristics +\<[keybase] unseddd\>: use-case: timelocks necessary for atomic swap, encrypting is the most private +\<[keybase] unseddd\>: could also see the counter-point for clear timelocks if they are necessary for atomic swaps (interop w/ clear chains maybe) +**\** sarang: I agree, but given the current low utilization, I consider this low priority. The impact to the wider network is negligible +**\** Payment channels come to mind here +**\** also escrow +**\** Getting that kind of transparent chain data seems pretty straightforward +**\** if there's a payment channel, then we can move to make encrypted mandatory. when that happens +**\** @sarang, it's on my to-do list for XMR and BTC +**\** :D +**\** How do you plan to examine spend-age data for XMR? +**\** It was examined in Miller for "deducible" outputs (pretty sure that's the term they used) that were the result of chain reactions, which we find don't occur anymore +**\** Oh, I just meant comparing the unlock time height to block height to see how many of them even make sense +**\** Not that current usage tells us much about future applications. +**\** Ah, got it +**\** What is it that you were interested in? +**\** Isthmus are you thinking about atomic swaps these days at all/ +**\** @sarang sorry I'm in a zoom call and IRC meeting at the same time, and missing little pieces of both +**\** I'd like to see the age distribution of spent outputs in a transparent asset (like BTC) relative to lock expiration, to see if it differs substantially from the overall age distribution +**\** No problem Isthmus! +**\** ahhh, yea I can't officially do that for Monero yet. I'll pull it for BTC though. +**\** can't officially? it's possible? +**\** Thanks! The overall distribution likely is still similar to the Miller data +**\** (for BTC, of course) +**\** and having that data would be an interesting check of that +**\** @UkoeHB\_ yeah, I mean my research over the past few years reveals anonymity puddles covering like 20% of transactions. Then change outputs bleed everything, so there's a ton of data on obviously real spend times. BUT no guarantee that it's representative. +**\** I'll be supper curious to see the BTC distributions, will try to get that in the next week or so. +**\** \*super +**\** Yeah, Miller's team used two different large sets of blocks in BTC for their analysis +**\** and found the distributions to be similar +**\** but it doesn't appear they accounted for locks +**\** OK, did anyone else have a topic to discuss? +**\** Insight is interested in researching practical post-quantum cryptography for Monero, especially privacy features that will remain secure against retrospective deanonymization by future adversaries that can utilize Shor's algorithm, Grover's algorithm, etc. I want to know what our options are, and their costs (complexity, proof size, generation/verification time, etc) +**\** https://github.com/insight-decentralized-consensus-lab/post-quantum-monero/blob/master/README.md +**\** Looking for feedback on the research plan. +**\** Our goals are to (1) study and simulate the threats listed above to assess vulnerability to quantum computers, (2) evaluate post-quantum cryptography scheme candidates to create a roadmap for hardening Monero against quantum adversaries, and (3) provide open-source proof-of-concept code and demos where applicable. +\<[keybase] unseddd\>: i like pq stuff :) will take a look +**\** Sounds like a fascinating project +**\** I'd be very curious to see what exactly the Phase 3 deliverables would look like +**\** Me too! ^\_^ +**\** and I think it'd be important to assess any transtion points between constructions/protocols +**\** e.g. it was possible to transition from pre-CT to post-CT +**\** Yeah, we'll have to document both the transition and post-transition costs/tradeoffs +**\** New constructions are great, but if it's not possible/feasible to transition on the same chain, that's a sticking point +\<[keybase] unseddd\>: here is the Hamburg paper i am reading through: https://www.shiftleft.org/papers/qromcca/ +**\** Yes this is a very interesting project +**\** Are you confident about the timeline? +**\** Particularly surrounding the Phase 3 stuff +**\** (not that practical quantum computers are expected by the end of summer...) +**\** There's two types of things we could prototype +**\** it does say May - June, only a couple days away, not sure if a CCS could be approved and funded in time +\<[keybase] unseddd\>: ten million qubits by fall!!! +**\** (1) demo of a quantum computer breaking a Monero encryption feature (at a reduced keysize, or something like that) +**\** s/June/July +**\** UkoeHB\_ meant to say: it does say May - July, only a couple days away, not sure if a CCS could be approved and funded in time +**\** Adam did this before, got an IBM quantum computer mining bitcoin at shorter hash length +**\** So that's demo breaking classical crypto +**\** (2) prototype a possible solution +**\** (so we'd use traditional computers and prototype a future solution) +\<[keybase] unseddd\>: \_thoroughly impressed\_ +**\** Now honestly, I think that #2 would be way cooler. But it also may be hopeful thinking +**\** I've seen Adam rapidly convert math papers to code before, but this is going to be a pretty serious endeavor +**\** Either way, would be fascinating +**\** here was my note in the writeup +**\** "Phase 3 deliverables: The best use of time during this final stage depends strongly on results from the exploratory research. Likely deliverables are a proof of concept or prototype tooling for demonstrating a vulnerability or potential solution" +**\** would (1) also include a comparison with a classical computer on the same task? at reduced keysizes, the encryption is weaker on classical computers too +\<[keybase] unseddd\>: Isthmus: are Adam and you regularly in IRC? what is best communication channel? +**\** @UkoeHB\_ exactly +**\** Adam'll be on IRC shortly :- ) +**\** We'll probably do a lot of the research in this room, if that's okay with people? +**\** Or could make #pq-mrl +**\** Up to you! +**\** +**\** OK, any other topics to address before finishing up the meeting? +**\** does anyone have new thoughts on https://github.com/monero-project/monero/issues/6456? +\<[keybase] unseddd\>: UkoeHB\_: unfortunately no, have been consumed elsewhere. many apologies +**\** UkoeHB\_: I got unexpectedly caught up in other coding, and didn't review in detail yet :/ +**\** Oh! Yeah, I'll look at that by Monday. Hopefullly today +**\** my aopologies +**\** s/aopologies/apologies +**\** sarang meant to say: my apologies +**\** All righty, any ACTION ITEMS for the next week to share? +**\** I will be reviewing 6456, reviewing some CLSAG tests, updating some in-memory encryption code, etc. +**\** I'll probably bump the pq-monero proposal over to CCS by EOW, so shoot me a message (irc or isthmus@getmonero.org works) if you have any suggestions for updates or additions +**\** on a certain level I have nothing else to contribute to the proposal; whether it gets implemented or not is out of my control; keep in mind it likely won't be superseded by anything, so for 'tx extra', 'janus mitigation', 'tx pub keys', and 'view tag', that's the 'final answer' for the forseeable future +**\** I'm working on some slides (summary) that details how Grin does their grin-btc atomic swap +**\** looking to see if we can get some insight for xmr-btc swaps +**\** Iǘe become convinced that itś never in any XMR holders'interest to swap for BTC, due to BTC taint issues +**\** but I'd be curious to see how it can work, for future XMR(earth)/XMR(mars) swaps +\<[keybase] unseddd\>: hyc: even for true DEX scenario? +\<[keybase] unseddd\>: marsero +**\** especially for true DEX, wher eyou can't vet the BTC +**\** the benefits are all one-sided, in favor of the BTC seller +**\** Eh if I've got a wallet full of Monero, but the sandwich shop I'm standing in only takes BTC, I might find that swap useful. +**\** I have to agree with hyc Selling XMR for BTC on a swap is very dangerous +\<[keybase] unseddd\>: yeah, i see your point. do you have the same opinion for other swap pairs? +**\** if the other pairs also involve transparent coins, yes +**\** +1 concern here +**\** Well, in the interest of time (our hour is up), I'll adjourn the meeting for log purposes, but discussion can of course continue diff --git a/_posts/2020-05-06-mrl-meeting.md b/_posts/2020-05-06-mrl-meeting.md new file mode 100644 index 00000000..1451d374 --- /dev/null +++ b/_posts/2020-05-06-mrl-meeting.md @@ -0,0 +1,123 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-05-06 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** All righty! Time for the weekly research meeting +**\** As always, we begin with GREETINGS +**\** Hi +**\** hi +**\** hi +**\** Let's move on to ROUNDTABLE +**\** Any research of interest that folks wish to share? +**\** I can share a few things, I suppose +**\** I worked up a PR to update how keys are encrypted in memory +**\** This has follow-on effects to how they're stored on disk, and I'm making some additional updates to improve the existing unit tests and add others +**\** and I'm finishing up a test implementation of Arcturus, the extension of Triptych that offers better proof sizes +**\** I'd like to determine exactly what the timing differences are, since initial estimates suggested that Arcturus and Triptych would be very close +**\** Sorry if I've missed this; are there any comparisons for Arcturus, Triptych and CLSAG ? +**\** hello +**\** And kenshamir[m]: I have comparisons for CLSAG and Triptych, but this will add actual implementation data for Arcturus when finished +**\** Oh right, very cool +**\** The size data is already known, FWIW +**\** But the Arcturus timing was always an estimate based on operation counts +**\** It's different enough in how it handles transactions that I'd like to know for sure +**\** concretely? +**\** Is there a link for it? +**\** The size/timing data? +**\** Yeah, the size data +**\** Yeah, let me pull it up +**\** Probably may not be that helpful for Monero, but there is a new paper out on an endomorphism that allows you to compute aG + bH faster in variable time +**\** Page 11: https://eprint.iacr.org/2020/312.pdf +**\** Link : https://eprint.iacr.org/2020/454.pdf +**\** Thank you +**\** Anyway, that's what I wanted to share +**\** Does anyone else have research of interest? +**\** what's the gist of your encryption update? +**\** The in-memory encryption of keys was being done with a chacha stream that was XORed with keys, instead of just encrypting the keys with chacha directly +**\** This PR makes this change +**\** The existing unit tests for wallet and key encryption also get some updates +**\** ah interesting +**\** It also transitions old encrypted keys to the new format, which needs better testing that I'm still working on +**\** Seems pretty quiet today! +**\** We could always end early if there isn't more that needs to be discussed... +**\** I have nothing to add except to remind people that I still want coinbase outputs to be avoided entirely in non-coinbase-spend rings :p +**\** You mean the idea that a ring containing a coinbase output must have all coinbase outputs, right? +**\** sgp\_: can you briefly recap your rationale, to ensure everyone is on the same page? +**\** yes that idea +**\** rationale is that no normal users spend coinbase outputs +**\** even people who mine on mining pools never spend coinbase outputs +**\** so the selection of these is markedly different from expected user spend behavior +**\** When I thought about this earlier, I was concerned that it sort of kicks the can down the road one hop on the graph +**\** separating these will increase the effective ringsize for most (\>99%) users by 10-20% +**\** sarang: it kicks the can down the road, but it's still MUCH better +**\** Interesting +**\** And that if a heuristic was "this coinbase probably isn't the true signer" previously, it would become "this output that came from a coinbase ring probably isn't the true signer" as a somewhat weaker heuristic +**\** Yeah, I think it's better but doesn't totally eliminate it +**\** If it were implemented, there would need to be a decision on what selection distribution to use, which should probably be based on a transparent-chain analysis at minimum +**\** it's still essentially one set of transactions separated (one ring signature? I'm struggling to explain this simply and also accurately) +**\** to see if it matches the overall distribution +**\** The idea is that an ouput from a mining pool is far more likely to e spent by a normal user +**\** basically the real spend of the after-coinbase output would look the same as several transactions that select this output as the decoys +**\** Yeah +**\** Does my statement about the analysis for a distribution make sense? +**\** I agree it mitigates but does not completely eliminate the risk +**\** but now this accounts for the behavior that the user could just be a miner on a mining pool, for example +**\** which is hugely broader +**\** But it is true that right now, the spend patterns of coinbase vs non-coinbase are assumed to be the same by the selection algorithm +**\** It'll be very interesting to see that distribution for coinbase-only +**\** only solo miners can spend coinbase outputs. Miners on mining pools can also spend from-coinbase outputs +**\** right +**\** so while it kicks the can down the road, in terms of practical behavior, it's a night and day improvement +**\** I'll ping Isthmus here, since his group has access to this sort of data for other chains +**\** discussion on this idea has been mixed for years. I'd like to see this actually done +**\** 10-20% better effective ringsizes just with smarter selection +**\** It is a significant mitigation of the issue. I do not see a clear downside to this. +**\** downside is to people that are running private pools. They effectively need to "churn" once by not directly sending the coinbase outputs to people +**\** I think this is a small tradeoff +**\** I think it's an improvement, provided it doesn't introduce unexpected or unintended consequences to the selection distribution, and is based on distribution data from known spends where reasonable (e.g. Bitcoin) +**\** hoi, can someone evaluate how sound this ECDSA adaptor signature is? https://joinmarket.me/blog/blog/schnorrless-scriptless-scripts/ if these ECDSA adaptor signature works, it looks like the atomic swap can be done using a scheme similar to the suggested by andytoshi-sarang (equivalent discrete logs), mixed with the game theory from h4sh3d's proposal: all game theory on bitcoin script (forcing players to act or +**\** I agree with that caveat, though I want to add my own caveat that I don't see how it can be worse +**\** lose), and no need for monero refund. so it should work on monero today. +**\** zkao: I didn't invent that cross-group discrete log idea; it was andytoshi +**\** yes, i know, u proposed +**\** sgp\_: if the coinbase-only selection distribution ends up being very different to the overall distribution, it would introduce a heuristic for coinbase true signers +**\** and for all we know, it could be a very different distribution in that miners/pools spend immediately or something +**\** luckily then we can approach coinbase with its own algo +**\** which we can't do now +**\** The non-coinbase distribution could be easily modified to simply redraw if it chooses a coinbase +**\** if these are actually very different spend patterns, then the possibility for increased privacy is even greater +**\** since we can handle them separately, not together +**\** The coinbase distribution would simply be some fixed selection distribution on block order, that doesn't need to do the shuffling method we do now +**\** sgp\_: right +**\** my gut suggests coinbase spends are quicker on average +**\** but Bitcoin data would be great for that ofc +**\** Right +**\** Hopefully someone like Isthmus's group can get that data, since they have easy access to the dataset AFAIK +**\** I still support avoiding coinbase with the stupid method of re-selecting a coinbase is chosen, though improvements can make that better. I see even this stupid model as an incremental improvement +**\** \*if a coinbase is chosen +**\** what I'm trying to say is that the data on Bitcoin should help make the selections better, but that they are not prerequisites to switch since it can't be worse than it already is in my eyes +**\** If there were no known distribution from Bitcoin etc., what selection for coinbase-only would you suggest? +**\** Reselect-on-coinbase seems reasonably for non-coinbase rings, but there still would need to be a chosen selection distribution for coinbase-only rings +**\** same as current probably? I agree that's not ideal +**\** Well, the current one takes block density into account, and that's not relevant for coinbase-only +**\** keeping in mind most public pools publish this data openly anyway +**\** so frankly the coinbase rings would be susceptible to a lot of public data causing a high proportion of heuristically dead outputs +**\** in the worst of cases I say ~90% of of the hashrate accounted for by public pools sharing coinbase data, so ringsize 11 doesn't really help with that in the best of cases +**\** \*I saw ~90% +**\** Well, at that point you could \_almost\_ suggest removing the requirement for nontrivial rings in coinbase-only at all +**\** \*altogether +**\** If the thought is that analysis could reveal true signers in a huge number of cases anyway +**\** there's a push for pools to not share this data, but I agree that in the current case, coinbase rings should be considered to offer near-zero protection +**\** really any coinbase spend. in the current situation, they are still heuristically dead, just spread across normal users' transactions +**\** Hmm, we're a bit over time +**\** yeah we can end +**\** Let's move to ACTION ITEMS and then continue discussion +**\** I have some unit tests update to make for the key encryption PR, and hopefully can get Arcturus code working in C++ with the timing data that I want +**\** Any other updates, action items, etc. before we adjourn? +**\** If not, adjourned! +**\** Logs will be posted shortly diff --git a/_posts/2020-05-13-mrl-meeting.md b/_posts/2020-05-13-mrl-meeting.md new file mode 100644 index 00000000..ea9db183 --- /dev/null +++ b/_posts/2020-05-13-mrl-meeting.md @@ -0,0 +1,100 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-05-13 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** First, GREETINGS +**\** Hi +**\** hello! +**\** Heyo +**\** Hello +**\** Hi +**\** Next up is ROUNDTABLE +**\** hi +**\** Does anyone have research of interest to share with the group? +**\** I know Isthmus just mentioned something before we started +**\** Hey everybody. I incorporated y'all's feedback on the research proposal (thanks for your input), updated version here: https://repo.getmonero.org/monero-project/ccs-proposals/-/merge\_requests/142 +**\** Most of the changes are in the Roadmap section +**\** For phase 1 we've switched to a very formal enumeration of adversary capabilities and Monero features of interest, and will document possible issues and solutions along the lines of: +**\** "Monero's [component] is vulnerable to [impact] by a hypothetical adversary that can leverage [algorithm]. In general, the solution must meet [requirements]. Current relevant methods include [cryptosystem] which would require [migration process] and has [tradeoffs] that would prevent implementation until [device bandwidth/resource threshold] is widely available." +**\** Throughout this entire project, the community will receive updates during the weekly #monero-research-lab meetings. During phase 3 however, several specific documents (the key deliverables from this research) will be freely published: +**\** 1. User-friendly writeup: This community-facing writeup will provide an approachable explanation of how hypothetical quantum computers may impact Monero, and possible future mitigations. The writeup should minimize FUD and provide the context that these vulnerabilities apply to almost all cryptocurrencies (not only Monero). +**\** 2. Technical documentation: An MRL position paper to distill key information for (current and future) researchers and developers. The writeup should formally describe vulnerabilities, and highlight potential strategies and solutions, noting their tradeoffs. Code snippets may be included if appropriate for pedagogical purposes or clarity. +**\** 3. Non-technical 1-pager: An ELI5 / TL;DR summary will be provided for journalists, Monero Outreach, etc. This blurb will discuss risks and myths with no technical jargon, with key takeaways that a broad audience will appreciate. +**\** Results and updates will be also disseminated via Twitter threads, Reddit posts, and Breaking Monero videos. :- ) +**\** (ends notes) +**\** Oh, I'll X-post the proposal to Reddit today +**\** I like the change in scope, particularly focusing on communicating the current state of the protocol +**\** Moving away from specific things like implementations and proofs-of-concept for changes seems wise, especially considering that the state of the art will change +**\** ^ yep +**\** It's important to note that many current post-quantum cryptography candidates require large proofs and significant computational resources, and will thus not be suitable for immediate deployment. For this reason, understanding broad strategies and their tradeoff will be more useful than specific implementations. Thankfully, consumer device capabilities increase over time, and researchers continue to +**\** discover new faster/smaller proving systems, so these practical barriers are temporary. +**\** Were there any questions for Isthmus about this proposal? (Comments could also be made on the proposal itself to reach a wider audience) +**\** nop +**\** OK, does anyone else wish to share research of interest? +**\** If not, I have a few items to share +**\** Yes, I have something +**\** Earlier someone posted this: https://gist.github.com/RubenSomsen/8853a66a64825716f51b409be528355f +**\** Ah yes, the atomic swap idea +**\** I had a closer look. The interesting part is the usage of ECDSA adaptor signature +**\** Avoids the use of hash preimage proofs IIRC? +**\** (I have yet to examine it in detail) +**\** Yes, the protocol is very close what I already shared here +**\** But with the idea of using a cross group dl-proof with an ECDSA adaptor signature might work +**\** At the very least, a cross-group DL equivalence proof is very straightforward +**\** and exists today +**\** Yes, that's why it's interesting =) +**\** The new part for me is this: https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-November/002316.html +**\** Is that link related to the gist? +**\** Very cool +**\** Ah, the link is from the gist +**\** Yes, it's the first link "single signer ECDSA adaptor signatures" in the Gist +**\** got it +**\** I'm excited to work it out in detail! +**\** With this, we can put one half of the monero key as the adaptor `Y` (or the other half depending if the swap succeed or not) +**\** I'd be happy to work on this too. As zkao mentioned it earlier we are thinking about a proposal if it make sense +**\** Having more eyes on ideas like this is definitely a good thing +**\** Thanks for sharing this h4sh3d[m] (and zkao earlier as well!) +**\** Were there any questions for h4sh3d[m] ? +**\** Cool, I'll continue posting my findings here in the next days. +**\** Thanks, please do +**\** I wanted to finish up some work on next-gen transaction protocols, so I wrote up a proof-of-concept C++ implementation of Arcturus: https://github.com/SarangNoether/monero/tree/arcturus +**\** weeeeee!!!! +**\** The usual disclaimer that it has not undergone any kind of review, and should be considered unsafe for production use +**\** However, I got timing data from it +**\** I had to rewrite the performance tests for Triptych, MLSAG, and CLSAG for better comparison since Arcturus integrates balance checking directly into the proof (and the others do not) +**\** The results, which I'll paste in just a sec, show that transaction input/output structure plays a role in the overall timing results +**\** Here is data for 1-in-2-out transactions: https://usercontent.irccloud-cdn.com/file/KZxENlzN/timing-1-2.png +**\** Here is data for 2-in-2-out transactions: https://usercontent.irccloud-cdn.com/file/Ww2hDEbo/timing-2-2.png +**\** These account for the total verification time for signature/proof verification and balance checks +**\** but does not include range proof verification (that's the same for all protocols) +**\** You can get the same data by choosing the appropriate performance test parameters on my `clsag-device` branch (for MLSAG \_and\_ CLSAG), `triptych` branch (for Triptych), and `arcturus` branch (for Arcturus) +**\** The grey lines are centered at the 11-MLSAG point to show the current timing +**\** it looks super close to Triptych, any hunch how it would look like for more-inputs and/or more-outputs? +**\** At higher ring sizes, Triptych and Arcturus should stay very close, as the balance check component becomes less relevant overall +**\** The difference mainly arises from whether the balance check group operations are separated (in Triptych) or included in a single multiscalar multiscalar operation with the rest of the proof (in Arcturus) +**\** and that difference goes away at higher ring sizes +**\** The real benefit is in transaction size +**\** I thought I already had Arcturus included in plot data, but it turns out I don't... I'll work that out right after the meeting and post it here +**\** Unrelated to this, I'm coordinating a statement of work for the CLSAG audit with OSTIF and Teserakt, the audit firm that the audit workgroup recommended +**\** Were there any other questions for me on these topics? +**\** Oooooh ^\_^ +**\** Does anyone else have topics to discuss for the roundtable, before we move on? +**\** Hmm, I just remembered a showerthought to generate seashell avatars based on transforming heterogeneously-structured transaction metadata into a signature string, and then running that through surae's visual hash function... +**\** I'll try to prototype it this weekend so I can share examples next week (kind of hard to describe abstractly) +**\** Oh man, I remember that seashell work! It's been a while +**\** Yeah, that's a throwback. I forked Surae's repo back in 2018 and turned it into a notebook, but never connected it to Monero input data. https://github.com/Mitchellpkt/seashells/blob/master/seashells\_notebook.ipynb +**\** I suppose we can move on to ACTION ITEMS and finish up the meeting if there isn't anything else to discuss +**\** I wish we could display seashells in CLI wallet. +**\** I'll be incorporating some changes to my in-memory key encryption PR, looking into that swap proposal in greater detail, and updating the Arcturus security model for conference submission +**\** Anyone else? +**\** I'll study more in details adaptor for ECDSA and rewrite the concerned parts of the atomic swap paper. +**\** You mean updating your original write-up? +**\** yes +**\** Excellent +**\** All right, I suppose we can adjourn; thanks to everyone for participating! +**\** Logs will be posted shortly to the agenda issue diff --git a/_posts/2020-05-20-mrl-meeting.md b/_posts/2020-05-20-mrl-meeting.md new file mode 100644 index 00000000..58cd3af2 --- /dev/null +++ b/_posts/2020-05-20-mrl-meeting.md @@ -0,0 +1,185 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-05-20 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** GREETINGS +**\** hello +**\** hello +**\** hi +**\** Hi guys, just eavesdropping here :-D +**\** hello +**\** Let's move to ROUNDTABLE, where anyone is welcome to share research topics of interest +**\** Who wishes to share something? (I saw Isthmus just posted to the agenda issue) +**\** Hi +**\** I suppose that I can share a few items +**\** First, I'll review some Arcturus numbers, some of which were presented last week +**\** Recall that Arcturus is a modification of Triptych that needs only one proof per transaction, instead of one proof per spend +**\** Hi +**\** (making it similar to RCT3's update and Omniring) +**\** I'll link some plots... +**\** Size data for 1 input: https://usercontent.irccloud-cdn.com/file/DYMoX7jy/size-1.png +**\** Size data for 2 inputs: https://usercontent.irccloud-cdn.com/file/7Hw5Wnsv/size-2.png +**\** Size data for 16 inputs: https://usercontent.irccloud-cdn.com/file/QzJ03VBI/size-16.png +**\** You can see the improvement as the number of inputs increases +**\** From last week, I'll re-post the timing data... +**\** Verification timing for 1-input/2-output transaction: https://usercontent.irccloud-cdn.com/file/airMJ4pC/timing-1-2.png +**\** Verification timing for 2-input/2-output transaction: https://usercontent.irccloud-cdn.com/file/iZdBR8xe/timing-2-2.png +**\** Related to this, I've been working on the Arcturus transaction security model, which uses an Omniring-style balance game/definition and applies it to the combination of Arcturus proofs and Bulletproof range proofs +**\** I'll post that update when I've finished typesetting it and reorganizing the preprint on IACR +**\** (but it's still in progress!) +**\** Any questions for me on this material? +**\** Arcturus seems to blow away the other sig mechs +**\** What's the main drawback(s) of Arcturus compared to other sig mechs? +**\** Seems like a clear win, but maybe there is something I'm missing. +**\** The RCT3 update beats it for overall size (when looking at the whole chain), but that does very poorly in verification due to input padding +**\** Arcturus relies on a nonstandard cryptographic hardness assumption +**\** what are the implications of being nonstandard? needs further proofs? +**\** You can see the full-chain comparative estimates on page 12 of the Arcturus IACR preprint: https://eprint.iacr.org/2020/312.pdf +**\** note that in Figure 3, RCT3 wins, but in Figure 4, it loses +**\** (size vs time) +**\** It would need external study to see if it can either be reduced to more standard assumption, broken, or considered/tested enough to be considered reasonable +**\** Triptych does not have this limitation, and relies on only standard assumptions +**\** I'm submitting it to conference proceedings in the hope that it will get some quality review +**\** so I want to update the security model prior to that deadline at the end of this month +**\** the win on time is huge +**\** FWIW both Triptych and Arcturus are very similar for verification time +**\** that's because of how generators are batched similarly in both approaches +**\** triptych appears to be a constant factor larger in size +**\** well, nearly. +**\** It requires multiple proofs, and has some extra elements included (e.g. commitment offsets) +**\** Arcturus is a single proof, and does not require any commitment offsets +**\** (it does have proof elements that scale with the number of spends, but does so pretty darn well) +**\** at least all of the size plots are linear, no silly exponential growth +**\** probably an obvious statement but I would choose to optimize time +**\** In that case, Triptych and Arcturus are essentially comparable +**\** with small variations relating to how balances are checked +**\** and these variations disappear at higher ring sizes anyway +**\** and Triptych requires no nonstandard assumptions +**\** Nope +\< ah thanks, I was wondering about this +**\** I could probably add the Arcturus-style balance security definition to Triptych as well +**\** Isthmus: balance checks in MLSAG/CLSAG/Triptych are identical... sum the commitment offsets and outputs to zero +**\** In Arcturus it's built in to the proving system directly +**\** At high ring sizes, the offset-based balance check is overshadowed by the large number of group operations required for the rest of the verification process +**\** this is some great stuff. Arcturus still grows in size more slowly than Triptych, +**\** At low ring sizes, they're more comparable and the difference is notable +**\** Yeah +**\** Its per-spend elements scale better +**\** What's nifty is they both use the same underlying Groth-style cryptographic plumbing, but in different ways +**\** (this is the same plumbing that Lelantus uses) +**\** Anyway, I've taken up enough of the roundtable time for one day! +**\** Does anyone else have research they wish to share? +**\** TheCharlatan updated the encrypted unlock time research proposal with sarang's timing data: https://github.com/insight-decentralized-consensus-lab/monero\_encrypted\_unlock\_time +**\** s/Tryptich/Triptych/ +**\** (based on feedback at previous MRL meeting, and input from sarang) +**\** Also, experimenting with a new application for surae's seashell avatars project. Essentially, each transaction fingerprint (behavior or metadata) is compared against the behavior of the core software and assigned a 0 if matching or 1 if deviating. +**\** Looping over fingerprints creates a fingerprint string that is ingested to produce a visual hash. These could be added to a research blockchain explorer so that it's easier to tell at a glance which transactions must have been generated by custom software. +**\** I'm glad the 3-CLSAG and 3-Triptych data was useful! +**\** For example, the first image shows the avatar for transactions that are from (or mimic) the core GUI/CLI, which has fingerprint ...0000 +**\** https://usercontent.irccloud-cdn.com/file/vjCauM0y/image.png +**\** The secnd image shows the avatar for transactions that included a juvenile ring member and thus produce a different signature (...0010) +**\** the bottom image shows the avatar for transactions that included a juvenile ring member and thus produce a different signature (...0010) +**\** https://usercontent.irccloud-cdn.com/file/Lzt9vfyJ/image.png +**\** (note that this particular issue was fixed in recent update) +**\** Anyways, still very early toy/prototype +**\** So the hash inputs are individually set bits? 1 = "basically the same as standard", 0 = "different enough" +**\** and this is done over different characteristics to build the input string? +**\** Yep +**\** 0 = "the core wallet would construct a transaction in this way" +**\** 1 = "the core wallet would never construct a transaction this way" +**\** e.g. the juvenile spend example +**\** got it +**\** Will spice it up a bit though, surae comments "The skin of the shells could be fractals dependent on the hash input visualized in 2d with \*color schemes\* selected from families of pleasing color triples based on hash input..." +**\** What's a juvenile ring member, +**\** ? +**\** Any transaction that includes a ring that includes a ring member less than 10 blocks old (based on the time it was mined) +**\** https://github.com/monero-project/monero/issues/5712 +**\** ah +**\** The core wallet has observed a 10-block lock time, so they must have been generated by custom software +**\** But now it's a consensus rule +**\** To what extent does the visual fingerprint identify the extent to which the transaction is nonstandard? +**\** e.g. can you look at a fingerprint and see "oof, this transaction is \_very\_ nonstandard!" +**\** (obviously the Hamming weight of the input will tell you this by inspection) +**\** No, since the visual hash function is appropriately unstable +**\** You could look at the fingerprint string itself to see how different, since more 1s = more different +**\** That's what I mean by the Hamming weight +**\** aaaactually if the hamming weigh was used to select the colorscale...... +**\** Then it could be intuitively accomplished +**\** if colorscale(0) is greenish +**\** At that point, what's the usefulness of the fingerprint shape? +**\** going all the way back to the unlock time proposal, I still think the tradeoffs aren't worth it +**\** Because 0010 and 0001 are different +**\** True +**\** So it really only tells you if the actual strings are different +**\** I guess I figured the "more useful" component in general might be the Hamming weight +**\** since one goal is to minimize it +**\** It depends if 'degree of wrongness' is important +**\** I agree sgp\_ it feels quite expensive +**\** From my perspective, 0010, 0001, and 0011 are 3 distinct signatures +**\** Even though 0011 is more worse :- P +**\** ArticMine: how is it going with your penalty/fee proposal? +**\** While we wait to see if ArticMine is around, were there any other questions on the material Isthmus presented? +**\** none about the presented material, but I eventually have a question for Isthmus about the coinbase vs non-coinbase spend distributions +**\** Hey @sgp\_ what do you have in mind? :- ) +**\** I would also be interested to see that for BTC +**\** heelo Isthmus :) +**\** s/heelo/hello +**\** sgp\_ meant to say: hello Isthmus :) +**\** I really want to segregate coinbase outputs form other outputs +**\** to do this, I ideally would like to know what the independent spend distributions are for these two categories of outputs +**\** my suspicion is that coinbase outputs are spent faster on average +**\** We can ascertain this by subtracting the reference distribution from the observed ensemble distribution +**\** And split it by type: +**\** distribution(coinbase inclusion in rings) - reference\_distribution +**\** distribution(non-coinbase inclusion in rings) - reference\_distribution +**\** I think @binaryFate was going to present this type of analysis at Konferenco, though I don't know if was split up by output type (non/coinbaase) +**\** Having a direct measurement from something like BTC would be very helpful regardless +**\** ideally to follow the Miller et al. idea of comparing known-estimated Monero behavior to BTC +**\** I'll see about extracting true BTC spend times from Google's BigQuery dataset +**\** That'd be great +**\** There's probably some way to do it in a clever SQL one-liner +**\** But I can do it in 20 lines! +**\** :- P +**\** Separately, it would also be interesting to see how/if overall BTC spend times have changed since Miller et al.'s paper +**\** They used two different large groups of blocks +**\** we need to have some selection for the coinbase-only rings in any case, though if the results show that the distributions are different, then that's even more reason to segregate +\< this +**\** note I still support coinbase-only rings even if the distributions are exactly the same :p +**\** In the interest of time, were there any other topics to be brought up before moving on? +**\** that's all fro me, thanks Isthmus +**\** \*from +**\** Any new comments on the Tx Supplement proposal? +**\** Restructuring for uniformity and Janus mitigation seems useful and reasonable to me, FWIW +**\** agreed +**\** costs are small +**\** Especially with the savings from CLSAG +**\** I'm in favor. Uniformity is the whole point. +**\** UkoeHB\_ It is almost done. I held it back to give ti ore thought especially with COVID-19 which is a perfect scenario for the issue +**\** I should have this in the next two weeks +**\** Cool thanks :) +**\** OK, with the last few minutes of the hour, let's get to ACTION ITEMS +**\** I would like to finish the update of the Arcturus security model, to get the updated preprint submitted for review +**\** And will be discussing the CLSAG audit with Teserakt +**\** Anyone else? +**\** In the tx supplement proposal I recommend moving to sorted TLV in the extra field. However, it's not completely solved. One option is to retain 'restricted tags' for core features (e.g. encrypted payment IDs, miner nonce). Are restricted tags worthwhile or too hands-on? +**\** Well, certain tags would be required by consensus... can you refresh us on your definitions here? +**\** Moving to restricted tags might force more uniformity out of pool implementations, since there would be a fixed miner nonce size. However, they could just move their unique nonces to unrestricted tags. +**\** Only encrypted payment IDs would remain in the extra field after the update +**\** And miner extra nonce +**\** So not much consensus left +**\** Oh, TLV for \_extra only\_... of course +**\** nvm +**\** I was thinking about fields in general, which is not correct +**\** With a restricted miner nonce we (probably I) could release a miner nonce guideline for pool implementer to reference +**\** If it's easy enough then hopefully most pools and solominers would be indistinguishable on-chain +**\** OK, any other questions, topics, or action items before we adjourn? +**\** I posted a proposal for the atomic swap, feedback are welcome +**\** Link? +**\** https://repo.getmonero.org/monero-project/ccs-proposals/-/merge\_requests/145 +**\** thanks +**\** All right, let's adjourn in the interest of time (and for log posting purposes). Thanks to everyone for attending! diff --git a/_posts/2020-05-27-mrl-meeting.md b/_posts/2020-05-27-mrl-meeting.md new file mode 100644 index 00000000..86d5a92d --- /dev/null +++ b/_posts/2020-05-27-mrl-meeting.md @@ -0,0 +1,177 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-05-27 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** OK, it's time for the meeting! +**\** As usual, begin with GREETINGS +**\** GREETINGS +**\** Hi +**\** hello +**\** yo +**\** very nice :) +**\** Subtle! +**\** hello +**\** OK, let's move to ROUNDTABLE +**\** I'll start with a few things +**\** A preprint came out from student researchers at CMU on Monero and Zcash tracing: https://eprint.iacr.org/2020/593 +**\** It only looked at pre-Sapling Zcash data that was previously examined (independent checking of earlier work is valuable) +**\** but did look at much more recent Monero transactions +**\** The overall conclusions are that protocol improvements have been very useful +**\** I disagree completely with their methodology leading to a conclusion about the effectiveness of the updated output selection algorithm, however +**\** and I think they can't reach any conclusions from that +**\** I put together some notes and sent them to the authors, along with my thanks for their work +**\** They did make their analysis code available on GitHub, so I'm going to see what useful information can be pulled from that as well +**\** Separately from this, I'm working on some non-slanderability definition stuff to port from Omniring's security model to that of Arcturus now +**\** Worked on address verification proof updates with moneromooo +**\** and wrote up some test code for the view tag scanning idea +**\** in what lang? +**\** As described by UkoeHB\_ earlier, the idea is to include a small truncated hash of the key derivation for each output, and use this for a "fast scanning" mode that avoids some curve operations +**\** knaccc: timing code in the C++ codebase +**\** It's not an implementation, only for getting timing information +**\** Under the assumption that a view tag is a single byte and only 1 out of every 256 tag checks results in a match, here are the numbers +**\** On a particular test machine, the total scan cost \_without\_ view tags for those 256 checks is 43.520 ms +**\** The total scan cost \_with\_ view tags (and a single match in the group) is 32.559 ms +**\** That means the fast scan mode operates in 75% of the time as the standard scan mode, in this example +**\** how many txs in total were you scanning? +**\** This wasn't an actual scan; it was a simulation that performed all the operations for fake outputs generated by the test code +**\** i just mean, what was the ratio of matching outputs to outputs scanned +**\** It built a view tag and output key, and then timed the scanning under various modes +**\** This assumed 1/256 +**\** Purely statistical +**\** when you hit that 1 in 256, are you including the cost of the extra scalamultbase to then properly check? +**\** Yes, let me explain a bit +**\** The test has 3 modes +**\** Mode 1. standard scanning, no view tags +**\** Mode 2. view tag, no hit (compute the derivation and view tag, and then abort) +**\** Mode 3. view tag, hit (after the derivation and view tag check, recompute the expected spend pubkey) +**\** So the "no view tags" total assumes 256 Mode 1 operations +**\** The "yes view tags" total assumes 255 Mode 2 operations, and 1 Mode 3 operation +**\** There is the question also of non standard math +**\** ? +**\** knaccc: the test code actually always generates a matching view tag and output key (for sanity checking), but the simulation just uses the modes to fake whether or not a match occurred (there's no difference in timing doing it this way) +**\** your findings roughly match up with the back-of-envelope calc that if you almost always save on a scalarmultbase, and if variable-base scalarmult costs 25 and a fixed-base scalarmult costs 15, then you reduce the scanning cost from 100% to 25/(25+15) = 62.5% +**\** for Arcturus +**\** ArticMine: view tags are entirely separate from Arcturus +**\** sorry +**\** They apply generally to the output key construction process +**\** which is abstracted away from Arcturus anyway +**\** The added risk with view tags is that a sending wallet can generate whatever tag it wants, and the receiver would not detect the output +**\** But FWIW the reverse isn't true... you can't DoS a scan with this method +**\** Bad view tag implementations could also fingerprint if a wallet did something silly like always set it to a fixed value +**\** Of course, compatible recipient wallets wouldn't detect it if they did fast scanning, and this would not look good for the incompatible sending wallet anyway +**\** Here's the timing code: https://github.com/SarangNoether/monero/commit/93172f80b2c25def9aaf40fc30dbee54f92f47a5 +**\** (it does pass build checks, but Windows CI is broken) +**\** i wonder where the difference is between the 75% real-world and 62.5% theoretical +**\** i'll read through your code +**\** There is a small cost for each hash computation, and for the few non-scalarmult operations +**\** Yeah, let me know if you notice something that I missed +**\** those are usually neglibible compared to .15ms or .25ms for an EC mult +**\** aye +**\** IIRC the hash stuff is something like 2-3% of the total time +**\** i don't see anywhere in your code actually referencing loop\_count +**\** That's taken care of by the test runner +**\** Which uses the individual results for statistics +**\** ah +**\** Each test is set up by a non-timed init() +**\** and then timed for test() +**\** makes perfect sense +**\** If you build yourself, just run `./performance\_tests --stats --filter=\\*view\_tag\\*` +**\** the `true`/`false` flags correspond to the bools in the test definition +**\** Oh, the byte conversions would need to be accounted for +**\** They're not huge, but not negligible either +**\** I tend to ignore those during back-of-envelope estimates +**\** Anyway, that's the stuff I wanted to present here +**\** Are there other questions? +**\** code looks good to me +**\** OK, does anyone else wish to present any research of interest? +**\** knaccc: cool +**\** Hmmm, I started wondering about something this morning... +**\** Over the last several years, I’ve had to nix a ton of cool software ideas because repeated 3-output transactions are heuristically linkable, and alternative business models (subscriptions, accounts, etc) have tons of downsides and privacy concessions compared to adding a small service fee to each operation. +**\** Now I’m wondering if this is stifling Monero adoption and integration by preventing the most straightforward and private method for compensating the developers who want to contribute new stuff to the ecosystem. +**\** If we want Monero to be used for more than point-to-point transactions, without putting the first adopters at statistical risk, there may be some pros to a 3-output minimum: recipient + change + optional service fee. +**\** Of course, for many transactions the third output will be an empty dummy. (Or people could get creative and split the return across 2 change addresses for latter flexibility, etc) +**\** Ah, increasing the enforced minimum to 3? +**\** It might make sense to bundle this in with bigger rings, since the ratio of (# outputs) / (# ring signatures) per unit time shouldn’t get too large (since outputs that haven’t ever shown up in a ring signature yet have a known spend state [unspent], and inforrms [with provable certainty] the sender that funds weren’t subsequently moved). +**\** @sarang yep +**\** Splitting change means more likely to pull in multiple change outputs in later transactions +**\** which is bad for linking +**\** Downside is chain bloat +**\** Yeah, that's why I've always advocated against people splitting up within their wallet +**\** What is the additional size per tx? +**\** 0.22 kB +**\** I think +**\** oh wait +**\** that seems too big +**\** That number isn't right +**\** hold on a sec +**\** If we go to 4? +**\** ArticMine: why 4? +**\** Is there not efficiency bullet proofs? +**\** with 4 vs 3 outputs that had to be padded +**\** BP padding doesn't imply extra outputs +**\** Now I'm getting pulled into a side adventure on xmrchain that I can't find any 1/3/e txns but there are lots of 1/3/s (trying to figure out what that means) +**\** it's merely an algebra thing +**\** ArticMine: it would mean that the corresponding bulletproof is a bit bigger for standard transactions +**\** if that's what you meant? +**\** Yes +**\** Ah, a 3-out BP (padded to 4) is 64 bytes larger than a 2-out BP +**\** (a 4-out BP is the same size as a 3-out BP) +**\** That is y point +**\** my +**\** got it +**\** Yes, you are correct that this would increase the typical range proof size +**\** Yep, it makes Monero usable for more applications and businesses, but does increase the transaction size +**\** Hm, little easter egg: +**\** There are essentially no 1-in-3-out txns with encrypted PIDs +**\** There are a few 1-in-3-out transactions with no PID at all +**\** And a few 1-in-3-out with some unusual tag in xmrchain, not sure what's in tx\_extra +**\** I guess that would make sense considering any PID tx is probably from user to exchange/service, so would likely just be one in two out +**\** Ugh, stands out as non-standard software +**\** I feel like we sometimes make things worse when we add a feature "to all transactions" in the wallet, but not the protocol :- ( +**\** aye +**\** So is there additional bloat over the 64 bytes? +**\** The new output has a pubkey, a commitment, an encrypted amount... +**\** those three are 72 bytes total +**\** and 4 +**\** 73 bytes if you add a view tag +**\** add another pubkey, commitment, amount, view tag for each output you want +**\** so 82 vs 73 bytes for 4 over 3 +**\** No +**\** In addition to a possible marginal range proof increase, each additional output requires 73 more bytes for pubkey, commitment, hidden amount, [optional view tag] +**\** The marginal range proof increase from 2 -\> {3 or 4} is another 64 bytes +**\** So for 3 it is 137 bytes +**\** sounds about right +**\** This also implies increased scanning time (reduced by view tags) +**\** and for 4 210 bytes +**\** and additional scanning time +**\** Yes +**\** Anyway, in the interest of time, were there other topics that needed to be brought up? +**\** (We can always continue discussions afterward) +**\** btw i'd be interested to know some examples of great use-cases for 3-out txs +**\** either now or after +**\** Service fees are a big one +**\** One output goes to the recipient, one to change, one to service provider +**\** VAT / GST? +**\** sarang can you be more specific about the service? just one example of something that could be common? +**\** ArticMine you're suggesting paying VAT direct to the gov as part of a tx? +**\** knaccc: maybe you're using some kind of hosted wallet service +**\** Or maybe your wallet software has an option to donate a small amount to charity with each txn +**\** oh right, fine yes, gotcha. +**\** OK, let's finish up with ACTION ITEMS if there aren't any other topics to bring up +**\** If/when Windows CI gets fixed up, I'll rebase some new work for PR/review +**\** and get Triptych and Arcturus sent off to PoPETs +**\** and hopefully be able to reproduce some of the results from that tracing preprint +**\** Micropayments in every tx is a great way to punch monero into the ground. We don't want to have huge amounts of dust outputs, they take up the same resources as "normal" outputs. +**\** moneromooo: that's what I meant by chain bloat and scan increases +**\** service-fee is essential for multisig arbitration insurance fee probably +**\** but I see a slippery slope +**\** eventually i think the default kind of payment tx should be multisig w/arbitration insurance fee attached +**\** and multisig won't be a different type of wallet, it'll be something created on-the-fly on each payment tx +**\** OK, I suppose we can formally adjourn (so I can post logs), but discussion can of course continue +**\** Thanks to everyone for attending! +**\** ^^ diff --git a/_posts/2020-06-03-mrl-meeting.md b/_posts/2020-06-03-mrl-meeting.md new file mode 100644 index 00000000..68a65430 --- /dev/null +++ b/_posts/2020-06-03-mrl-meeting.md @@ -0,0 +1,182 @@ +--- +layout: post +title: Logs for the MRL Meeting Held on 2020-06-03 +tags: [dev diaries, crypto, research] +author: asymptotically / Sarang +--- + +# Logs + +**\** OK, let's get started! +**\** First, GREETINGS +**\** hello +**\** Hi +**\** hi +**\** hey +**\** Heyo +**\** Next up, ROUNDTABLE, where anyone is welcome to share research of general interest +**\** I have a few topics of interest +**\** The recent preprint from CMU student researchers on transaction tracing has been updated to reflect suggestions and corrections: https://eprint.iacr.org/2020/593 +**\** hello +**\** The researchers still claim that a small but nonzero number of post-changeover (i.e. the RingCT protocol switch) transactions were traceable, which didn't correspond with other numbers I'd found +**\** So I decided to independently run the same analysis and compare +**\** I ran updated numbers that account for all transactions up to the beginning of this week +**\** If you run a full chain-reaction-type analysis, there are 7303 transactions after the changeover containing at least one deducible input +**\** However +**\** All of those transactions spend pre-changeover outputs +**\** So if you filter out all transactions that aren't CT-in-CT-out, there are still precisely 0 deducible transactions/inputs +**\** But wait, there's more! +**\** The preprint also tries to determine how effective the guess-newest age heuristic is against modern transactions +**\** Unfortunately, it uses those 7303 (or however many were in their block range) deducible post-changeover transactions as ground truth +**\** and assumes that holds for all post-changeover transactions +**\** huh that's pretty dumb +**\** I wouldn't say it's dumb; it just failed to account for transaction types +**\** So the key here is RingCT +**\** Because there are "full-CT" transactions post-changeover that are deducible, the entirety of their ground-truth data set is based on spends of old funds, for which the modern selection algorithm does not apply +**\** But there is an interesting twist +**\** To be clear, it concerns transactions were non-RingCT outputs are essentially converted to RingCT outputs, right? +**\** Among that ground-truth data set, the researchers find those transactions are \_still\_ twice as good against guess-newest from Miller et al.! +**\** dEBRUYNE: yes, or that aren't converted to CT at all +**\** (very limited cases involving single inputs) +**\** \> Because there are "full-CT" transactions post-changeover that are deducible, +**\** Forgot a no, right ? +**\** Correct, thank you +**\** because there are NO full-CT post-changeover that are deducible (typo) +**\** sarang: Thanks, I guess those are dust outputs then that first have to be converted to standardized outputs +**\** dust or non-mixable +**\** So the conclusions presented in the paper about transaction counts aren't wrong, but don't differentiate between type, which I think is very important +**\** The conclusions about guess-newest are only valid for their ground-truth set, and cannot be extrapolated to CT transactions +**\** The wallet warns you when you spend old outputs that privacy is lessen and it's known you should churn in that case. It should absolutely be mentioned in their paper that these transactions are particular and users are fully informed of the risk +**\** I'm drafting an email to the authors to let them know of this, should they wish to revise again +**\** They were very prompt in responding to my earlier email, and very quickly revised, which was great +**\** Now that I have a complete deduced data set, I'm checking their results on effective anonymity sets of non-deduced transactions +**\** I want to separate those by transaction type as well +**\** Even though the preprint had errors, I'm glad they did the research +**\** We should encourage student researchers +**\** I'm unclear on the guess-newhest on this dataset +**\** How so? +**\** Since this dataset is specifically about real output being old, shouldn't that give very specific results when seeing how the heuristic performs, that can't be extended to other transactions? +**\** Yes +**\** That's what I was saying earlier +**\** They assumed their ground-truth post-changeover dataset was representative of all post-changeover transactions, which is entirely false +**\** pre-ringCT inputs could be used in rings just like modern coinbase outputs are, which makes me sad +\<= Yes, because uninformed readers may infer that it concerns full RingCT transactions +**\** IIRC the decoy selection algorithm is very different for these transactions, only selecting non-ringct. Since all of them are very old, they are old on the tail of the gamma distribution, very different from recent one +**\** Using pre-ringct outs as fake outs would help shortly after ringct, but would otherwise introduce a number of known spent outs in rings. +**\** \*they are all +**\** When I finish the effective anonymity data, it should give a much more clear picture of the status of modern transactions (before and after ring increases too) +**\** The code still needs some cleanup to make it easier for others to run this analysis, either now or in the future +**\** interesting point moneromooo +**\** thanks to gingeropolous for the use of a fast machine for this analysis +**\** If the researchers choose not to revise, I can always write a new preprint that presents this data +**\** but I strongly suspect the researchers will revise again, since they did a very prompt first revision +**\** super cool that you checked all these results +**\** sounds great +**\** I can also post the raw data for the post-changeover deducible transactions, in case anyone wants to specifically analyze them +**\** super cool that their work is pulblicly reproducible +**\** Again, I'm really glad they did the analysis +**\** Yeah, I didn't end up using their Java code though +**\** I wanted some extra data they didn't provide, so I rewrote +**\** but kudos to them for making all their code public, for sure +**\** I'd like to see if the code can be adapted to a certain analysis I have in mind, so I'm looking forward to it +**\** Not really. More like negative kudos for those that don't. +**\** What analysis is that UkoeHB\_? +**\** moneromooo: yes but that still tends to be the majority these days +**\** Papers without it are really hearsay. Should never be published. +**\** getting data on ring loops, and comparing to a purely randomly generated ring db +**\** Define ring loop +**\** moneromooo: agreed +**\** A ring is a circular construct. A loop is.... a....... +**\** e.g. two outputs are owned by the same person, a loop is when their descendents intersect in the same tx +**\** Oh, output merging +**\** ? +**\** Can happen by chance too (from fake outs). +**\** yes +**\** yeah basically, so I want to see the probability of given loop sizes happening randomly +**\** I think the question is how likely it is to occur in practice vs not +**\** @UkoeHB\_ important research. Results will be probably be depressing :- ( +**\** If it was super fast, it'd be nice for the wallet to try and pick fake outs that generate "false positives". +**\** There's code that will do forms of merge analysis, and it's something I have to add specifically to my check code +**\** The graphs involved are likely quite large, so it isn't clear what the complexity of this is +\< +**\** FWIW the early analysis on output merging used deducible transactions only +**\** right, I have some ideas about limiting the output range to first estimate exactly how long such analysis would take; can also limit the maximum loop size considered +**\** UkoeHB\_: to generate random data set, will have to select guesstimates for parameters like number of transactions per wallet. (really, would be a distribution, not single value) +**\** yes +**\** The interesting thing is that we may be able to establish statistical estimates of these parameterss based on the real blockchain data +**\** Isthmus we can just use the transactions that already exist, but make the input rings randomly selected; this provides a direct comparison with the real ring db +**\** Especially if rare "natural" occurrence, i.e. low false positive rate +**\** This sort of analysis was considered as a major part of the churn framework as well +**\** and do the randomly generated analysis multiple times for variance +**\** Makes sense +**\** Anyway, I've taken up a lot of time on that +**\** Was there other research of interest to discuss from anyone? +**\** I'll be interested in seeing plots where x-axis is # of txns made within a given wallet, and y-axis is statistical measures, like precision/accuracy/etc +**\** I have a few quick updates +**\** I’ve been doing some p2p network scalability research, creating some testing suites, etc. Still very early reading/planning, but hopefully will have some actionable insights for Monero. +**\** yes it's a big project and might be worthy of a paper if it goes somewhere, we will see; I also want to see how well the gamma distribution is working by subtracting the theoretical distribution from what we have in reality +\< YES PLEASE +**\** @UkoeHB\_ I have some algorithms floating around GitHub to identify and filter txns that use uniform decoy selection instead of correct algo. If you don't strip those out, it will introduce a bias in your results towards older oututs +**\** I'll dig those up and send links +**\** cool thanks +**\** Yeah, trying to exclude old software will be important +**\** since there's no consensus enforcement +**\** I think ring analysis is too scary for anyone to tackle alone, so a collaborative and incremental effort seems reliable +**\** Software can't be any older than the last ring size change, right? +**\** Sorry, I meant software using old/incorrect methods +**\** "nonstandard" is a better term +**\** A big reason why deterministic input sets are intriguing is because they're likely to contain many outputs from the same transactions +**\** and therefore are included as a "standard feature" of all rings +**\** "see how well the gamma distribution is working by subtracting the theoretical distribution from what we have in reality" I was doing stuff in that direction too, exciting! +**\** I think I missed the last meeting. The Janus proposal was updated a week ago (https://github.com/monero-project/monero/issues/6456), and now the Janus mitigation is to encode the tx private key for recipients. For 2-out tx where there will only be 1 tx pub key, the 'change output' would use a 'hidden tx pub key' derived from the non-change recipient's encoded tx private key. An alternative would be for the +**\** change output to use a unique 'derivation to scalar', however I am concerned that affects too much protocol-level code (could be wrong). +**\** What happens where there is a 2-out tx but none of them is change? +**\** I think you have to make a 3 +**\** 3-output then? +**\** The proposal is to enforce 1 tx pub key for 2-outs, and 1 key per output for \>2-outs. All tx with no change output would have to be \>2-out, even if it means adding a dummy output. +**\** A 0 change is automatically added \*only\* if there's one output otherwise. +**\** Right, and following the proposal there would be a very rare case of 2 non-change outs needing a dummy +**\** It's an edge case, so I perceive this as a reasonable solution +**\** Originally encoding the tx private key was disregarded since current tx share tx pub keys, but since we'd start enforcing more tx pub keys that problem is solved. +**\** i.e. as a solution for Janus\* +**\** Well, the hidden tx pub key might be unnecessary now that I think about it.. anyway that's my dusty update. +**\** but does this means that a 2 out tx always has change real or dummy +**\** yes +**\** Can this then be attacked? +**\** the idea that there is always a change output in 2-out tx? that assumption can be made today already +**\** Oh no wait, it would just move the issue to n+1 +**\** Sorry, connection problems; back now +**\** but not with 100% certainty +**\** well the shenanigans around 2-out tx are mostly to optimize scanning and tx sizes, since 2-out tx are ~95% of tx +**\** that's true ArticMine +**\** one can assume with high certainty that every transaction contains a change output. I don't understand why that's a significant observation. +**\** Most txns. Churn doesn't, for example. +**\** ^ +**\** Why does it not ? +**\** Doesn't have to +**\** And would affect output merging later +**\** Well, that's circular reasoning then. +**\** Churning with change creates the loops UkoeHB\_ mentioned earlier +**\** churn has two change outputs, no? +**\** It can +**\** or one and a fake one +**\** churn has an 'output to yourself' and a 'change output'; change outputs are handled differently in the code +**\** sure but this is from a network perspective +**\** yeah +**\** Or a split 2 separate wallets under the control of one person +**\** It introduces uncertainty +**\** but why does it matter? +**\** because even a small bias can grow. +**\** Given the time, is there other research that needs to be brought up before adjourning? +**\** I've got 2 updates, will keep brief for sake of time: +**\** Our CCS for researching Monero’s post-quantum security is sooooooo close. Only 7% left, less than 40 XMR needed. https://ccs.getmonero.org/proposals/research-post-quantum-monero.html +**\** If that could get topped off today, we’ll dive in immediately and have our first update at next week’s MRL meeting. :- ) +**\** Unrelated - I also have one of Insight’s DistSys engineers buildling “speedup” networks, i.e. highly-connected peers with high bandwidth to propagate blocks/txns through the ad hoc network faster than organic propagation. Main goal is to eliminate the long tail in block propagation times. +**\** The codebase is very modular with Terraform/ansible deployment and control scripts, so could be configured to spin up a Monero speedup network in the future. +**\** That's all from me. +**\** Nice! +**\** I suppose I should mention that I welcome/request comments/questions/emoji on my funding proposal as well, so a decision can be made whether to open it: https://repo.getmonero.org/monero-project/ccs-proposals/-/merge\_requests/148 +**\** thanks for opening it well in advance +**\** OK, I suppose we can formally adjourn for the sake of logging +**\** Thanks to everyone for joining in today +**\** Discussion can of course continue!