Logs for the Monero Research Lab Meeting Held on 2018-05-07
Sarang work, Surae work, and miscellaneous
dev diaries
crypto
research
el00ruobuob / surae
Logs
<sarang> OK, it's time to begin
<sarang> Welcome to everyone; hello
<sgp_[m]> Hi!
<sarang> Calling others: hyc suraeNoether anonimal endogenic binaryFate fluffypony luigi1111 luigi1113 rehrar[m] monerigo[m] gingeropolous dEBRUYNE
<sarang> and many others no doubt
<sarang> s/monerigo[m]/moneromooo
<binaryFate> présent
<sarang> I suppose we can discuss recent updates and such
<sarang> I have been focusing on noninteractive refund transactions
<sarang> it's surprisingly tricky to get right
<sarang> The idea of whether or not to hide block heights has big implications on size and complexity
<sarang> and also will affect the use of old outputs
<theRealSurae> Hey everyone, sorry I'm late (and not using my registered nick)
<sarang> A good higher-level question is whether we insist that having refund transactions is enough of a priority
<sarang> Hello fake suraeNoether
<theRealSurae> heh
<sarang> *enough of a priority to devote big plumbing-level changes
<sarang> these questions have consumed me as the Whale consumed Ahab
<sarang> and, like Ahab, I spend much time in the company of Starbuck(s)
<theRealSurae> gross
<sarang> theRealSurae: what has consumed you lately?
<UkoeHB> it feels like there should be an easier way to hide amounts. Maybe worth mulling for some time
<sarang> UkoeHB: other than commitments?
<rehrar[m]> Hi
<UkoeHB> Yeah. Maybe a shift in perspective. Baseless intuition
<silur> what
<sarang> Well, the current Best Way is homomorphic commitments + range proofs to ensure balance
<theRealSurae> I've been thinking about koe's reduced mlsag and how we might be able to batch-verify ring signatures with bulletproofs. and i've been speaking with a professor at clemson university about the possibility of starting a paid project for a grad student to invent a new elliptic curve with 2^255-19 points on it, or to come up with a similar sort of variant to secp256k1
<theRealSurae> yeah, I think we are going to experience reduced returns in terms of hammering bulletproofs for improving our amount structures
<sarang> theRealSurae: BPs to batch verify our current MLSAG scheme?
<silur> oh yea the curve order question you asked
<theRealSurae> so, i think it'd be really really helpful for both bitcoin and monero to have alternate curves
<theRealSurae> ohgod
<theRealSurae> other than that and the multisig dump I made the night before yesterday, this week has been consumed by editing papers for other folks. Koe and my old advisor and another document. lots of reading this week
<sarang> What are your thoughts on refunds?
<UkoeHB> and thank you for that :) incredibly helpful
<sarang> UkoeHB: any big changes to your excellent paper?
<UkoeHB> Well we found out monero doesn't even use borromean sigs
<UkoeHB> genBorromean should be genSAGs
<UkoeHB> Or something
<sarang> SAG?
<theRealSurae> I've been thinking a lot about the refund structure with timelocks, and I'm trying to figure out exactly whether we have a novel "invention" in these refund transactions or whether it is equivalent to a timelock+multisig situation
<UkoeHB> spontaneous anonymous group sig. Like LSAG but no key images
<sarang> for range?
<UkoeHB> Yeah
<UkoeHB> Check ringCT.cpp genBorromean
<sarang> Yeah I'm familiar with that code
<UkoeHB> It's 33% larger range proofs than a real borromean setup
<theRealSurae> ... i need more details about that, koe, if you don't mind...
<sarang> heh
<sarang> theRealSurae: big thing is non-interactivity
<sarang> I don't need the recipient's cooperation
<UkoeHB> I'll see what I can do
<theRealSurae> thanks koe, i'm not in a rush on that though...
<theRealSurae> I want to remind everyone that I'll be mostly away from the internet from tomorrow until the 19th, with some intermittent access.
<moneromooo> luigi1111: is this (genBorromean doesn't actually generate Borromean sigs) correct ?
<UkoeHB> yup have fun :). Vacation right?
<theRealSurae> i'm not the sort who can really put work down, but i'm trying, briefly. i managed to write up a skeleton of the unforgeability proof for multisig and hand it off to sarang to familiarize himself with the musig approach
<binaryFate> Zcash is also coming up with their own curve so as to speed up the particular things they need to. I find it worrying if the trend is that every project cooks up their curve to suit their particular needs.
<theRealSurae> and, like I said, I'm communicating with some folks at Clemson
<sarang> Yeah I've been revisiting the original musig paper
<luigi1111> Not that I know of
<theRealSurae> binaryFate: why would this be worrying?
<luigi1111> theRealSurae: 2^255-19 isn't the number of points
<theRealSurae> you are right, it's the group order
<binaryFate> against the "don't invent your own crypto", and light years away from typical review process for curves
<theRealSurae> right? i misspoke
<vtnerd> no, 2^255-19 is the prime field
<sarang> I hear it's a kind of cake
<sarang> Or that feeling when your leg falls asleep and you stand up
<luigi1111> Group order is l
<luigi1111> 2^252+blah
<sarang> aaaanyway
<theRealSurae> i confess I tend to think of our group as a scrambled mirror image of Z_q, despite addition of points not even landing on the subgroup.
<sarang> So theRealSurae is working on unforgeability
<sarang> I am figuring out if noninteractive new-output-style refunds are worth it
<sarang> Other fun times?
<theRealSurae> binaryFate: yeah, I see that
<sarang> binaryFate: do you have any information on the Zcash efforts? I wasn't aware of their work
<theRealSurae> binaryFate: eventually that curve, even if proven to satisfy our desired properties, will have to be implemented, and the dangers of crappy implementation are huge... but I don't think that should discourage research into new curves and new proof methods using isomorphic curves
<theRealSurae> yeah, I wasn't either. I thought it was just Blockstream looking for a variant of secp256k1 so far
<UkoeHB> oh i messed up - they are borromean ugh
<theRealSurae> that's a relief koe!
<sarang> UkoeHB: what led you to believe otherwise?
<luigi1111> ^
<UkoeHB> misreading code like a fool
<UkoeHB> thought this hash_to_scalar(L[1]) meant an array of hashes for each L[1], instead of a hash of the entire array
<sarang> Good thing hashes aren't important to borromean sigs /s
<sarang> If there aren't any other big topics to discuss, we could certainly return to refunds or previous topics
<sarang> There were suggestions from luigi1111 that the refunds needed for payment channels would be possible purely w/ timelocks + multisig
<binaryFate> will look for some link on the zcash curve thing. It's part of their roadmap to reduce overhead to generate z-transactions iirc
<sarang> I do not see how that would be possible without interaction from both parties, or a third-party arbiter
<sgp_[m]> I just want to mention that I'm working on preserving the integrity of outputs held by mining pools
<sarang> But I'd love to be convinced otherwise
<rehrar[m]> MRL corporate cheer!
<sarang> sgp_[m]: in response to the linking work?
<luigi1111> It does require interaction at the start
<sarang> right
<sarang> it'd have to
<sarang> So the recipient pre-signs for the refund?
<rehrar[m]> I have a bit of other ZCash news.
<sgp_[m]> sarang kinda, yeah. I don't have too much to mention now though
<sarang> How does the network verify the spend of the originally-intended output?
<sarang> sgp_[m]: ok, keep us updated
<sneurlax> I've contacted ehanoc re: the "transaction tree" python toolkit and we will collaborate to deliver that after I finish the scraping tool which moneromooo asked for. mooo, I'll be sending you results this week
<sneurlax> sorry to interject
<sarang> sneurlax: excellent! That'll provide good data
<theRealSurae> rehrar[m]: tell us?
<theRealSurae> sneurlax: that's fantastic news
<rehrar[m]> ZCash wants to open a grant proposal jointly with a Monero community member (that'd be me atm) to donate a considerable sum of money to some FFS proposals.
<sarang> What types of FFS do they want to fund?
<theRealSurae> how would that work? would you have discretion over donating the funds?
<rehrar[m]> https://twitter.com/socrates1024/status/993252058923925506?s=19
<theRealSurae> i'll almost always take free money if it's no-strings
<sarang> Aw shucks, they like us!
<theRealSurae> that's... fantastic
<rehrar[m]> Dunno. When next round of bp auditing funds?
<rehrar[m]> We can put it up, raise the amount, and take out right away. Superior Coin also wants to help if you recall.
<rehrar[m]> Perhaps we can also get subaddresses audited?
<theRealSurae> hmm
<sarang> Yeah, was thinking of waiting until closer to the finalization, but I suppose there's little advantage if we can coordinate w/ OSTIF quickly
<theRealSurae> it seems like a lot of projects want to funnel their research funding through the Monero FFS
<binaryFate> the harder we criticize them the more they like us... 10k$ is not that much compared to amounts raised typically anyway
<sarang> It's a nice gesture of community spirit though
<sgp_[m]> I think the best ones are the hardware wallet (which should work with Zcash iirc) and code audits
<rehrar[m]> They're masochists binaryfate. If we criticize harder they'll give more.
<sarang> A subaddress audit depends highly on the scope
<sarang> The BP scope was narrow-ish
<theRealSurae> binaryFate: yeah, it seems like a largely symbolic thing, but also: they've been really encouraging me and sarang to encourage you guys to ask for grant money.
<theRealSurae> rehrar[m]: i should just take zooko out to a bdsm club in denver, see if they offer us six or seven figures. :P
<rehrar[m]> In return, we can send them Monero stickers to put on their laptops.
<sarang> something something meat market
<theRealSurae> meat meat something market
<binaryFate> <rehrar[m]> In return, we can send them Monero stickers to put on their laptops. <-- they have one at least, we've put one on zooko's back at CCC without him noticing
<sarang> I'll be interested to see how the 10K is disbursed
<theRealSurae> sarang: Is the implication that it would totally be up to our discretion? that's sort of what i'm getting...
<rehrar[m]> Zooko is a dude.
<rehrar[m]> I chilled with him in Colorado.
<rehrar[m]> Can neither confirm nor deny Verge dev there too.
<theRealSurae> What if we take the 10k, pay for a semester of a grad student working with some cryptographers to invent three new curves, a variant for secp256k1, a variant for x25519, and a variant for zcash's thing
<sarang> tall order
<theRealSurae> maybe
<endogenic> sorry rehrar
<theRealSurae> it'd guarantee that student would spend the rest of his time in grad school working on that sort of thing
<theRealSurae> which I think would be a valuable thing: seed the mind-virus among as many researchers as possible
<binaryFate> They're not even asking for doing joint work with zcash stuff at this stage apparently. Would just channel to Monero topics entirely if possible.
<pwrcycle> Hi all.
<binaryFate> Anyway grad student is a great idea
<theRealSurae> binaryFate: yeah, that's the inference I made
<rehrar[m]> I'll talk with Miller.
<rehrar[m]> See how he wants to do the grant proposal.
<theRealSurae> binaryFate: the problem then is picking the student/school
<pwrcycle> Funding grant money for school research seems cool. Pinning all the hopes on one grad student seems like a bad idea.
<theRealSurae> rehrar[m]: please do, maybe CC me... I can hook him up with at least two cryptographers at Clemson who may be interested
<theRealSurae> pwrcycle: yeah, you'd pick by advisor more than student
<rehrar[m]> Maybe we can get some people to make a FFS that should have made one a while back in exchange for ZCash paper
<rehrar[m]> Like dEBRUYNE
<rehrar[m]> Then again, what use have gods for our petty currencies.
<binaryFate> Btw having some sort of public call for the paid internship circulating in academic circles is as important as the thing actually happening, in terms of mind-virus spreading
<rehrar[m]> Nothing more from me.
<theRealSurae> rehrar[m]: you are the greatest orator of our time
<theRealSurae> binaryFate: TRUE point
<theRealSurae> very true
<theRealSurae> sarang
<sarang> yo
<theRealSurae> when I get back I'm going to look into putting job postings on mathjobs.org
<theRealSurae> i was about to ask you to do it while i'm gone, but it's not urgent and there's no need to delegate. :P if you're curious, though :D
<sarang> I think using mathjobs is a really good idea for pure math applicants
<theRealSurae> there are lots and lots of applied jobs on there too
<theRealSurae> you should check it some time, but
<theRealSurae> creation of a curve is at the intersection of applied algebraic geometry and pure cryptography
<sarang> right, that wasn't what I meant
<theRealSurae> so it's sort of both pure and applied
<theRealSurae> oh ok
<sarang> I mean to get solid reach to academics
<sarang> that's the obvious choice
<theRealSurae> yep
<sarang> They can send us a list of all the points on their new curve, for us to check
<binaryFate> good old emails circulating between labs and advisors ("if you have a really good student, consider asking them to apply. And please forward blabla") is also worth it. Reaches more senior people than a job posting probably read primarily by students directly.
<sarang> Oh, so I've been seeing random reddit postings about deep reorgs
<sarang> But I haven't looked into it at all
<sarang> Anyone know anything?
<selsta> also articles are starting to come out https://www.trustnodes.com/2018/05/07/monero-allegedly-attack-claims-double-spends-orphaned-chains-21-block-deep
<moneromooo> I think it's fixed now (no PR yet).
<sarang> Do you know the cause?
<theRealSurae> is it known what the issue was?
<sarang> jinx
<binaryFate> The +20-blocks fork mentioned in the post is not an actual fork, you only see that when syncing. But somebody is fiddling with decent HR
<sarang> buy me a DietMonero
<theRealSurae> i thought the first few reports were possibly the OP for some reason
<binaryFate> moneromooo link or summary?
<moneromooo> Some init wasn't done in some cases when adding a tx.
<sarang> Yeah, I want to be able to give correct information
<moneromooo> So that was causing the tx to be rejected though it is valid.
<theRealSurae> hrmm
<sarang> OK, so that explains the "double spend" FUD
<sarang> The long-chain reorgs are just related to initial sync?
<sarang> It was noted that there wasn't any big spike in hashrate
<sarang> so it's not outsiders coming online and futzing
<moneromooo> If a pool doesn't accept a valid tx, it will continue mining on its own chain till it stops doing so.
<sarang> OK, so it's a single cause with these two effects?
<moneromooo> What two effects ?
<sarang> Well the reports I've seen have complained about apparent double spends (rejected tx) and long-chain reorgs
<theRealSurae> i feel like if a selfish miner was going to release a chain in an attack, the hashrate wouldn't necessarily look different to an observer, especially if the attacker had 33%+ attack power and was clever with their timestamp choice...
<moneromooo> I don't know anything about double spends.
<moneromooo> Though if a merchant is only connected to that pool, you could swindle it.
<moneromooo> The merchant would have to be only connected to that pool though, but that's not a new attack.
<sarang> Yeah that's just being cavalier
<theRealSurae> https://www.trustnodes.com/2018/05/07/monero-allegedly-attack-claims-double-spends-orphaned-chains-21-block-deep
<theRealSurae> i don't like that article for a variety of reasons, but
<sarang> Yeah that's the article I keep getting linked to
<sarang> it's based on some r/monero complaint posts
<sarang> so naturally it will be accepted as gospel and spread widely
<theRealSurae> it would be helpful to get more information from the specific users making this complaint
<sarang> A random user says one thing and the devs who know things say another thing! So there's no way to know!
<binaryFate> <sarang> It was noted that there wasn't any big spike in hashrate <-- if someone is purposefully mining on alternative blocks rather than winning chain, we would not "see" the HR spike as it does not make blocks coming faster
<moneromooo> You'd see a hashrate spike downwards.
<binaryFate> only if that miner was mining before no?
<moneromooo> Yes.
<theRealSurae> not necessarily; an attacker with exactly 50% hash rate and honest timestamps will appear to be invisible. an attacker with lower hash rate could mess with timestamps slightly and appear invisible. an attacker with too low of a hash rate couldn't manipulate his timestamps enough to hide his activity
<theRealSurae> (not necessarily re: downward spike)
<binaryFate> Can we check how long it took them to mine a particular altchain of N blocks by checking logs on other nodes on when the last block in their chain got known to peers?
<theRealSurae> we can put a bound on it, for sure, and we can use that to estimate the hash rate power they have
<theRealSurae> ok y'all I gotta go
<theRealSurae> have a good week and a half!
<binaryFate> same!