Logs for the Monero Research Lab Meeting Held on 2019-05-14
Surae work, Sarang work, and miscellaneous
dev diaries
crypto
research
el00ruobuob / sarang
Logs
<sarang> Agenda: https://github.com/monero-project/meta/issues/344 <sarang> Logs of this meeting will be posted there <sarang> GREETINGS <suraeNoether> howdy! <suraeNoether> how is everyone? <suraeNoether> who had fun at MCC? *this guy* <suraeNoether> okay <suraeNoether> well let's beign <suraeNoether> begin* <suraeNoether> for the roundtable portion <suraeNoether> let's start with general questions from the audience, and let's go around and see if anyone has anything to present <suraeNoether> other than sarang and i anyway <sarang> Heh, I suppose we can move to presentations <suraeNoether> yup <sarang> go ahead suraeNoether <suraeNoether> go ahead sir <suraeNoether> ahah <sarang> jinx <suraeNoether> okay <suraeNoether> well, CLSAG paper is undergoing the final round the corner. sarang and i are working on the final details today with randomrun, and i hope we can make a public version of the paper available in the next several days (unless some flaw is found) <sarang> Yeah, just need that timing data and a definite answer on the hash coeffs in the proof <suraeNoether> DLSAG paper is undergoing further review, but I believe we are putting up an IACR version of that in the coming days also <sarang> Yep, waiting on all authors to sign off <suraeNoether> MRL11 is still in progress, but now that clsag and dlsag are off my plate, it's being cranked up in terms of priority <suraeNoether> i anticipate rapid progress on that as well <suraeNoether> May 20-24, sarang and endogenic and I are doing the Monero workshop, and I believe we may be having Gao from Clemson come give us talks on starks and fully homomorphic encryption in the RLWE setting <suraeNoether> (sarang, we should do some studying before then together on that) <sarang> of course <suraeNoether> I gave a talk, sat on a panel, and gave an interview at the magical crypto conference <suraeNoether> all of those are up on youtube; the talk was about four different branches of research here at MRL <suraeNoether> other than that, i guess i'd prefer answering questions rather than talking myself into a rabbit hole <suraeNoether> nioc and i have had some conversations about how long-winded i can be so i'm going to zip it unless folks want more details :D <sarang> Any questions for suraeNoether on this work? <suraeNoether> so, for the audience members who are new <suraeNoether> DLSAG = dual-recipient output signatures = work toward the claim-or-refund primitive that can underly smart contracts and lightning network. CLSAG = compressed signatures making the rate of growth on the monterion blockchain hopefully 25% smaller and faster to verify <suraeNoether> MRL11 = traceability resistance analysis <suraeNoether> so, work is important, hard, and slow going, but doing it right is very important to us <suraeNoether> anyway, sarang, how about yourself? <sarang> Plenty to mention <sarang> I had overhauled some definitions and such in the CLSAG paper, which suraeNoether has completed more edits on <sarang> In particular, some stuff on multi-asset transactions that could be enabled by this <sarang> I'll get timing data and then we can release for review <moneromooo> "multi-asset" being akin to coloured coins ? <sarang> ya <sarang> Not saying I'm recommending such a thing for us, but it's an easy application <sarang> I've been working on some draft protocols for how a Monero coinjoin could work <sarang> Right now the initial scheme requires a certain amount of trust in a dealer, but is very efficient <sarang> This is obviously not ideal <sarang> MoJoin, I call it <sarang> FWIW it doesn't leak spend data to the dealer, only the partition of inputs-and-outputs to each player in the join <sarang> sgp_ and I did two Breaking Monero episodes, one on input/output counts and one on block explorers <sarang> that's the main stuff for me <suraeNoether> oh, guys: we are deciding to extend early-bird pricing for a few more days <suraeNoether> i'll be advertising it <suraeNoether> but don't forget to get your ticket at monerokon.com before prices change, if you are still coming <suraeNoether> students are especially encouraged to attend; there will likely be partial rebates at the door for student tickets <sarang> Any particular questions for me? <suraeNoether> how many rounds of interaction in mojoin? <moneromooo> The "Gao [...] fully homomorphic" thing makes me wonder if that could not be looked at in conjunction with dealerless coinjoin :) <sarang> 3 <sarang> This is minimal because of the BP MPC <suraeNoether> yeah, that's cool. moneromooo i think that's probably a safe avenue of stuff for us to talk about <sarang> Er, no... 4 rounds now, sorry <sarang> I had to make a change <suraeNoether> oh <sarang> The extra round is to avoid commitment sums being used to brute-force the partition by an observer <sarang> Making the resulting transaction identical to one not MoJoined (although the output count is something of a giveaway) <moneromooo> BTW, something I've not done in the branch is merging outputs to the same destination (originally the intent was to make Alice + Bob atomically paying Carol). <moneromooo> Would that be possible with the dealer based coinjoin ? <sarang> So A+B generate a single joint output? <moneromooo> yes. <sarang> I don't think it's possible to do the BP MPC without leaking the full mask <sarang> unless that's acceptable <moneromooo> That's fine in that case since Alice and Bob to advertise what they're paying, since each of them verifies the other does pay. <sarang> Would this assume another side channel between them that's outside of the join? <sarang> So it'd be a plug-and-play operation into a join? <moneromooo> I dunno. If you need one I guess. <sarang> Hmm <sarang> It's probably possible, under the right trust model between A+B <sarang> Of course, "probably possible" is quite the weaselworld <sgp_> I'm here and caught up, sorry for being late <sarang> hi <suraeNoether> nbd <sarang> talking coinjoin <fort3hlulz> Whats the advantage for Monero in using a CoinJoin implementation? if its better to chat later about it Ill shutup :) <suraeNoether> no, that's a great question <moneromooo> It adds another layer of privacy. If Eve looks at one tx, she can't assume anymore than all the inputs are from hte same owner. <sarang> Yeah, it tries to break the common-ownership assumption <fort3hlulz> Ah, so its a mitigation of poisoning/EAE attacks specifically? How does it affect Tx size/blockchain bloat? <sarang> My thought about the dealer model (if it's a necessity, which is yet TBD) is that under a malicious dealer assumption, you basically revert back to the current model <moneromooo> If we're lucky, smaller txes since one single BP :) <sarang> Another quick note that hyc and I had a call with Trail of Bits, an auditor who submitted a SoW <sarang> they'll be updating their numbers, and noted that another project may be interested in helping fund RandomX <sarang> We'll have a call with those folks tomorrow <hyc> Hi, just finished my other call <sarang> yo <hyc> yeah, some good stuff from Trail of Bits <fort3hlulz> Awesome, I'm excited to learn more about CoinJoin on Monero as well as CLSAG, thanks guys! Ill get out of your hair now :) <sarang> Thanks for the question fort3hlulz <sarang> The security of coinjoins in Monero is still very much in the air <hyc> also for the benchmark freaks (like me) Huawei has offered to give me access to some servers with their newest chip, for benchmarking purposes <hyc> will be getting efficiency numbers for CN/R and RandomX on ARMv8 <suraeNoether> ooooh <suraeNoether> thats... fantastic... <sarang> nice <hyc> thes guys https://e.huawei.com/us/products/cloud-computing-dc/servers/arm-based <sarang> We'll post the ToB updated SoW when they provide it <suraeNoether> and MRL marches forward into tomorrow's yesterday of the future^tm <hyc> general availability is end of June, early access is nice <hyc> that's all for me <sarang> Does anyone else have research to present? <sarang> Or general questions at all? <suraeNoether> whats the coolest plane you've flown? <luigi1113> what kind of pie do you like? <suraeNoether> berry berry <sarang> suraeNoether: commercially, or piloting myself? <suraeNoether> with greek yogurt <suraeNoether> ^ both <sarang> Commercially, Nepal <sarang> Myself, in between buildings in downtown San Francisco and the Golden Gate <sarang> which apparently is legal <suraeNoether> not place, plane, but i'll accept your answer happily <suraeNoether> that's awesome <sarang> Oh heh, didn't see that <sarang> Commercially, B787 <sarang> Myself, probably a DA40 <sarang> it's got the aerodynamics of a glider <sarang> WEll <sarang> Let's move to action items <sarang> suraeNoether: ? <suraeNoether> final dlsag review today <suraeNoether> mrl11 rest of the week <suraeNoether> uhmmm... and if anything else is handed back to me like clsag <sarang> word <suraeNoether> adjective <sarang> I'll get those CLSAG timings into the paper and finalize the proof question we had <sarang> Carry on with MoJoin <sarang> etc. <sarang> Any final words before we formally adjourn? <dEBRUYNE> Perhaps a blog post from CLSAG could be written (similar to the one for Bulletproofs) <suraeNoether> just excited for lunch <sarang> "Signatures. They are smaller and faster." <dEBRUYNE> I don't think many community members would understand CLSAG from the technical paper alone :P <sarang> But yes, we could do that once we're satisfied with security <sgp_> People need these blog posts or else no one will know <suraeNoether> dEBRUYNE: that would be good, yes. <sarang> All righty, thanks to everyone for attending <sarang> We are now formally adjourned; logs will appear shortly