--- layout: post title: Logs for the Monero Research Lab Meeting Held on 2018-05-07 summary: Sarang work, Surae work, and miscellaneous tags: [dev diaries, crypto, research] author: el00ruobuob / surae --- # Logs **\<sarang>** OK, it's time to begin **\<sarang>** Welcome to everyone; hello **\<sgp\_[m]>** Hi! **\<sarang>** Calling others: hyc suraeNoether anonimal endogenic binaryFate fluffypony luigi1111 luigi1113 rehrar[m] monerigo[m] gingeropolous dEBRUYNE **\<sarang>** and many others no doubt **\<sarang>** s/monerigo[m]/moneromooo **\<binaryFate>** présent **\<sarang>** I suppose we can discuss recent updates and such **\<sarang>** I have been focusing on noninteractive refund transactions **\<sarang>** it's surprisingly tricky to get right **\<sarang>** The idea of whether or not to hide block heights has big implications on size and complexity **\<sarang>** and also will affect the use of old outputs **\<theRealSurae>** Hey everyone, sorry I'm late (and not using my registered nick) **\<sarang>** A good higher-level question is whether we insist that having refund transactions is enough of a priority **\<sarang>** Hello fake suraeNoether **\<theRealSurae>** heh **\<sarang>** \*enough of a priority to devote big plumbing-level changes **\<sarang>** these questions have consumed me as the Whale consumed Ahab **\<sarang>** and, like Ahab, I spend much time in the company of Starbuck(s) **\<theRealSurae>** gross **\<sarang>** theRealSurae: what has consumed you lately? **\<UkoeHB>** it feels like there should be an easier way to hide amounts. Maybe worth mulling for some time **\<sarang>** UkoeHB: other than commitments? **\<rehrar[m]>** Hi **\<UkoeHB>** Yeah. Maybe a shift in perspective. Baseless intuition **\<silur>** what **\<sarang>** Well, the current Best Way is homomorphic commitments + range proofs to ensure balance **\<theRealSurae>** I've been thinking about koe's reduced mlsag and how we might be able to batch-verify ring signatures with bulletproofs. and i've been speaking with a professor at clemson university about the possibility of starting a paid project for a grad student to invent a new elliptic curve with 2^255-19 points on it, or to come up with a similar sort of variant to secp256k1 **\<theRealSurae>** yeah, I think we are going to experience reduced returns in terms of hammering bulletproofs for improving our amount strucutres **\<sarang>** theRealSurae: BPs to batch verify our current MLSAG scheme? **\<silur>** oh yea the curve order question you asked **\<theRealSurae>** so, i think it'd be really really helpful for both bitcoin and monero to have alternate curves **\<theRealSurae>** ohgod **\<theRealSurae>** other than that and the multisig dump I made the night before yesterday, this week has been consumed by editing papers for other folks. Koe and my old advisor and another document. lots of reading this week **\<sarang>** What are your thoughts on refunds? **\<UkoeHB>** and thank you for that :) incredibly helpful **\<sarang>** UkoeHB: any big changes to your excellent paper? **\<UkoeHB>** Well we found out monero doesn't even use borromean sigs **\<UkoeHB>** genBorromean should be genSAGs **\<UkoeHB>** Or something **\<sarang>** SAG? **\<theRealSurae>** I've been thinking a lot about the refund structure with timelocks, and I'm trying to figure out exactly whether we have a novel "invention" in these refund transactions or whether tit is equivalent to a timelock+multisig situation **\<UkoeHB>** spontaneous anonymous group sig. Like LSAG but no key images **\<sarang>** for range? **\<UkoeHB>** Yeah **\<UkoeHB>** Check ringCT.cpp genBorromean **\<sarang>** Yeah I'm familiar with that code **\<UkoeHB>** It's 33% larger range proofs than a real borromean setup **\<theRealSurae>** ... i need more details about that, koe, if you don't mind... **\<sarang>** heh **\<sarang>** theRealSurae: big thing is non-interactivity **\<sarang>** I don't need the recipient's cooperation **\<UkoeHB>** I'll see what I can do **\<theRealSurae>** thanks koe, i'm not in a rush on that though... **\<theRealSurae>** I want to remind everyone that I'll be mostly away from the internet from tomorrow until the 19th, with some intermittent access. **\<moneromooo>** luigi1111: is this (genBorromean doesn't actually generate Borromean sigs) correct ? **\<UkoeHB>** yup have fun :). Vacation right? **\<theRealSurae>** i'm not the sort who can really put work down, but i'm trying, briefly. i managed to write up a skeleton of the unforgeability proof for multisig and hand it off to sarang to familiarize himself with the musig approach **\<binaryFate>** Zcash is also coming up with their own curve so as to speed up the particular things they need to. I find it worrying if the trend is that every project cooks up their curve to suit their particular needs. **\<theRealSurae>** and, like I said, I'm communicating with some folks at Clemson **\<sarang>** Yeah I've been revisiting the original musig paper **\<luigi1111>** Not that I know of **\<theRealSurae>** binaryFate: why would this be worrying? **\<luigi1111>** theRealSurae: 2^255-19 isn't the number of points **\<theRealSurae>** you are right, it's the group order **\<binaryFate>** against the "don't invent your own crypto", and light years away from typical review process for curves **\<theRealSurae>** right? i misspoke **\<vtnerd>** no, 2^255-19 is the prime field **\<sarang>** I hear it's a kind of cake **\<sarang>** Or that feeling when your leg falls asleep and you stand up **\<luigi1111>** Group order is l **\<luigi1111>** 2^252+blah **\<sarang>** aaaanyway **\<theRealSurae>** i confess I tend to think of our group as a scrambled mirror image of Z\_q, despite addition of points not even landing on the subgroup. **\<sarang>** So theRealSurae is working on unforgeability **\<sarang>** I am figuring out if noninteractive new-output-style refunds are worth it **\<sarang>** Other fun times? **\<theRealSurae>** binaryFate: yeah, I see that **\<sarang>** binaryFate: do you have any information on the Zcash efforts? I wasn't aware of their work **\<theRealSurae>** binaryFate: eventually that curve, even if proven to satisfy our desired properties, will have to be implemented, and the dangers or crappy implementation are huge... but I don't think that should discourage research into new curves and new proof methods using isomorphic curves **\<theRealSurae>** yeah, I wasn't either. I thought it was just Blockstream looking for a variant of secp256k1 so far **\<UkoeHB>** oh i messed up - they are borromean ugh **\<theRealSurae>** that's a relief koe! **\<sarang>** UkoeHB: what led to believe otherwise? **\<luigi1111>** ^ **\<UkoeHB>** misreading code like a fool **\<UkoeHB>** thought this hash\_to\_scalar(L[1]) meant an array of hashes for each L[1], instead of a hash of the entire array **\<sarang>** Good thing hashes aren't important to borromean sigs /s **\<sarang>** If there aren't any other big topics to discuss, we could certainly return to refunds or previous topics **\<sarang>** There were suggestions from luigi1111 that the refunds needed for payment channels would be possible purely w/ timelocks + multisig **\<binaryFate>** will look for some link on the zcash curve thing. It's part of their roadmap to reduce overhead to generate z-transactions iirc **\<sarang>** I do not see how that would be possible without interaction from both parties, or a third-party arbiter **\<sgp\_[m]>** I just want to mention that I'm working on preserving the integrity of outputs held by mining pools **\<sarang>** But I'd love to be convinced otherwise **\<rehrar[m]>** MRL corporate cheer! **\<sarang>** sgp\_[m]: in response to the linking work? **\<luigi1111>** It does require interaction at the start **\<sarang>** right **\<sarang>** it'd have to **\<sarang>** So the recipient pre-signs for the refund? **\<rehrar[m]>** I have a bit of other ZCash news. **\<sgp\_[m]>** sarang kinda, yeah. I don't have too much to mention now though **\<sarang>** How does the network verify the spend of the originally-intended output? **\<sarang>** sgp\_[m]: ok, keep us updated **\<sneurlax>** I've contacted ehanoc re: the "transaction tree" python toolkit and we will collaborate to deliver that after I finish the scraping tool which moneromooo asked for. mooo, I'll be sending you results this week **\<sneurlax>** sorry to interject **\<sarang>** sneurlax: excellent! That'll provide good data **\<theRealSurae>** rehrar[m]: tell us? **\<theRealSurae>** sneurlax: that's fantastic news **\<rehrar[m]>** ZCash wants to open a grant proposal jointly with a Monero community member (that'd be me atm) to donate a considerable sum of money to some FFS proposals. **\<sarang>** What types of FFS do they want to fund? **\<theRealSurae>** how would that work? would you have discretion over donating the funds? **\<rehrar[m]>** https://twitter.com/socrates1024/status/993252058923925506?s=19 **\<theRealSurae>** i'll almost always take free money if it's no-strings **\<sarang>** Aw shucks, they like us! **\<theRealSurae>** that's... fantastic **\<rehrar[m]>** Dunno. When next round of bp auditing funds? **\<rehrar[m]>** We can out it up, raise the amount, and take out right away. Superior Coin also wants to help if you recall. **\<rehrar[m]>** Perhaps we can also get subaddresses audited? **\<theRealSurae>** hmm **\<sarang>** Yeah, was thinking of waiting until closer to the finalization, but I suppose there's little advantage if we can coordinate w/ OSTIF quickly **\<theRealSurae>** it seems like a lot of projects want to funnel their research funding through the Monero FFS **\<binaryFate>** the harder we criticize them the more they like us... 10k$ is not that much compared to amounts raised typically anyway **\<sarang>** It's a nice gesture of community spirit though **\<sgp\_[m]>** I think the best ones are the hardware wallet (which should work with Zcash iirc) and code audits **\<rehrar[m]>** They're masochists binaryfate. If we criticize harder they'll give more. **\<sarang>** A subaddress audit depends highly on the scope **\<sarang>** The BP scope was narrow-ish **\<theRealSurae>** binaryFate: yeah, it seems like a largely symbolic thing, but also: they've been really encouraging me and sarang to encourage you guys to ask for grant money. **\<theRealSurae>** rehrar[m]: i should just take zooko out to a bdsm club in denver, see if they offer us six or seven figures. :P **\<rehrar[m]>** In return , we can send them Monero stickers to put on their laptops. **\<sarang>** something something meat market **\<theRealSurae>** meat meat something market **\<binaryFate> \<rehrar[m]>** In return , we can send them Monero stickers to put on their laptops. <-- they have one at least, we've put one on zooko's back at CCC without him noticing **\<sarang>** I'll be interested to see how the 10K is disbursed **\<theRealSurae>** sarang: Is the implication that it would totally be up to our discretion? that's sort of what i'm getting... **\<rehrar[m]>** Zooko is a dude. **\<rehrar[m]>** I chilled with him in Colorado. **\<rehrar[m]>** Can neither confirm nor deny Verge dev there too. **\<theRealSurae>** What if we take the 10k, pay for a semester of a grad student working with some cryptographers to invent three new curves, a variant for secp256k1, a variant for x25519, and a variant for zcash's thing **\<sarang>** tall order **\<theRealSurae>** maybe **\<endogenic>** sorry rehar **\<theRealSurae>** it'd guarantee that student would spend the rest of his time in grad school working on that sort of thing **\<theRealSurae>** which I think would be a valuable thing: seed the mind-virus among as many researchers as possible **\<binaryFate>** They're not even asking for doing joint work with zcash stuff at this stage apparently. Would just channel to Monero topics entirely if possible. **\<pwrcycle>** Hi all. **\<binaryFate>** Anyway grad student is a great idea **\<theRealSurae>** binaryFate: yeah, that's the inference I made **\<rehrar[m]>** I'll talk with Miller. **\<rehrar[m]>** See how he wants to do the grant proposal. **\<theRealSurae>** binaryFate: the problem then is picking the student/school **\<pwrcycle>** Funding grant money for school research seems cool. Pinning all the hopes on one grad student seems like a bad idea. **\<theRealSurae>** rehrar[m]: please do, maybe CC me... I can hook him up with at least two cryptographers at Clemson who may be interested **\<theRealSurae>** pwrcycle: yeah, you'd pick by advisor more than student **\<rehrar[m]>** Maybe we can get some people to make a FFS that should have made one a while back in exchange for ZCash paper **\<rehrar[m]>** Like dEBRYUNE **\<rehrar[m]>** Then again, what use have gods for our petty currencies. **\<binaryFate>** Btw having some sort of pulic call for the paid internship circulating in academic circles is as important as the thing actually happening, in terms of mind-virus spreading **\<rehrar[m]>** Nothing more from me. **\<theRealSurae>** rehrar[m]: you are the greatest orator of our time **\<theRealSurae>** binaryFate: TRUE point **\<theRealSurae>** very true **\<theRealSurae>** sarang **\<sarang>** yo **\<theRealSurae>** when I get back I'm going to look into putting job postings on mathjobs.org **\<theRealSurae>** i was about to ask you to do it while i'm gone, but it's not urgent and there's no need to delegate. :P if you're curious, though :D **\<sarang>** I think using mathjobs is a really good idea for pure math applicants **\<theRealSurae>** there are lots and lots of applied jobs on there too **\<theRealSurae>** you should check it some time, but **\<theRealSurae>** creation of a curve is at the intersection of applied algebraic geometry and pure cryptography **\<sarang>** right, that wasn't what I meant **\<theRealSurae>** so it's sort of both pure and applied **\<theRealSurae>** oh ok **\<sarang>** I mean to get solid reach to academics **\<sarang>** that's the obvious choice **\<theRealSurae>** yep **\<sarang>** They can send us a list of all the points on their new curve, for us to check **\<binaryFate>** good old emails circulating between labs and advisors ("if you have a really good students, consider asking them to apply. And please forward blabla") is also worth it. Reaches more senior people than a job posting probably read primarily by students directly. **\<sarang>** Oh, so I've been seeing random reddit postings about deep reorgs **\<sarang>** But I haven't looked into it at all **\<sarang>** Anyone know anything? **\<selsta>** also articles are starting to come out https://www.trustnodes.com/2018/05/07/monero-allegedly-attack-claims-double-spends-orphaned-chains-21-block-deep **\<moneromooo>** I think it's fixed now (no PR yet). **\<sarang>** Do you know the cause? **\<theRealSurae>** is it known what the issue was? **\<sarang>** jinx **\<binaryFate>** The +20-blocks fork mentioned in the post is not an actual fork, you only see that when syncing. But somebody is fiddling with decent HR **\<sarang>** buy me a DietMonero **\<theRealSurae>** i thought the first few reports were possibly the OP for some reason **\<binaryFate>** moneromooo link or summary? **\<moneromooo>** Some init wasn't done in some cases when adding a tx. **\<sarang>** Yeah, I want to be able to give correct information **\<moneromooo>** So that was causing the tx to be rejected though it is valid. **\<theRealSurae>** hrmm **\<sarang>** OK, so that explains the "double spend" FUD **\<sarang>** The long-chain reorgs are just related to initial sync? **\<sarang>** It was noted that there wasn't any big spike in hashrate **\<sarang>** so it's not outsiders coming online and futzing **\<moneromooo>** If a pool doesn't accept a valid tx, it will continue mining on its own chain till it stops doing so. **\<sarang>** OK, so it's a single cause with these two effects? **\<moneromooo>** What two effects ? **\<sarang>** Well the reports I've seen have complained about apparent double spends (rejected tx) and long-chain reorgs **\<theRealSurae>** i feel like if a selfish miner was going to release a chain in an attack, the hashrate wouldn't necessarily look different to an observer, especially if the attacker had 33%+ attack power and was clever with their timestamp choice... **\<moneromooo>** I don't know anything about double spends. **\<moneromooo>** Though if a merchant is only connected to that pool, you could swindle it. **\<moneromooo>** The merchant would have to be only connected to that pool though, but that's not a new attack. **\<sarang>** Yeah that's just being cavalier **\<theRealSurae>** https://www.trustnodes.com/2018/05/07/monero-allegedly-attack-claims-double-spends-orphaned-chains-21-block-deep **\<theRealSurae>** i don't like that article for a variety of reasons, but **\<sarang>** Yeah that's the article I keep getting linked to **\<sarang>** it's based on some r/monero complaint posts **\<sarang>** so naturally it will be accepted as gospel and spread widely **\<theRealSurae>** it would be helpful to get more information from the specific users making this complaint **\<sarang>** A random user says one thing and the devs who know things say another thing! So there's no way to know! **\<binaryFate> \<sarang>** It was noted that there wasn't any big spike in hashrate <-- if someone is purposefully mining on alternative blocks rather than winning chain, we would not "see" the HR spike as it does not make blocks coming faster **\<moneromooo>** You'd see a hashrate spike downwards. **\<binaryFate>** only if that miner was mining before no? **\<moneromooo>** Yes. **\<theRealSurae>** not necessarily; an attacker with exactly 50% hash rate and honest timestamps will appear to be invisible. an attacker with lower hash rate could mess with timestamps slightly and appear invisible. an attacker with too low of a hash rate couldn't manipulate his timestamps enough to hide his activity **\<theRealSurae>** (not necessarily re: downward spike) **\<binaryFate>** Can we check how long it took them to mine a particular altchain of N blocks by checking logs on other nodes on when the last block in their chain got known to peers? **\<theRealSurae>** we can put a bound on it, for sure, and we can use that to estimate the hash rate power they have **\<theRealSurae>** ok y'all I gotta go **\<theRealSurae>** have a good week and a half! **\<binaryFate>** same!