layout: post
title: Logs for the Monero Research Lab Meeting Held on 2019-05-14
summary: Surae work, Sarang work, and miscellaneous
tags: dev diaries, crypto, research
author: el00ruobuob / sarang
Logs
<sarang> Agenda: https://github.com/monero-project/meta/issues/344
<sarang> Logs of this meeting will be posted there
<sarang> GREETINGS
<suraeNoether> howdy!
<suraeNoether> how is everyone?
<suraeNoether> who had fun at MCC? *this guy*
<suraeNoether> okay
<suraeNoether> well let's begin
<suraeNoether> for the roundtable portion
<suraeNoether> let's start with general questions from the audience, and let's go around and see if anyone has anything to present
<suraeNoether> other than sarang and i anyway
<sarang> Heh, I suppose we can move to presentations
<suraeNoether> yup
<sarang> go ahead suraeNoether
<suraeNoether> go ahead sir
<suraeNoether> ahah
<sarang> jinx
<suraeNoether> okay
<suraeNoether> well, CLSAG paper is undergoing the final round the corner. sarang and i are working on the final details today with randomrun, and i hope we can make a public version of the paper available in the next several days (unless some flaw is found)
<sarang> Yeah, just need that timing data and a definite answer on the hash coeffs in the proof
<suraeNoether> DLSAG paper is undergoing further review, but I believe we are putting up an IACR version of that in the coming days also
<sarang> Yep, waiting on all authors to sign off
<suraeNoether> MRL11 is still in progress, but now that clsag and dlsag are off my plate, it's being cranked up in terms of priority
<suraeNoether> i anticipate rapid progress on that as well
<suraeNoether> May 20-24, sarang and endogenic and I are doing the Monero workshop, and I believe we may be having Gao from Clemson come give us talks on starks and fully homomorphic encryption in the RLWE setting
<suraeNoether> (sarang, we should do some studying before then together on that)
<sarang> of course
<suraeNoether> I gave a talk, sat on a panel, and gave an interview at the magical crypto conference
<suraeNoether> all of those are up on youtube; the talk was about four different branches of research here at MRL
<suraeNoether> other than that, i guess i'd prefer answering questions rather than talking myself into a rabbit hole
<suraeNoether> nioc and i have had some conversations about how long-winded i can be so i'm going to zip it unless folks want more details :D
<sarang> Any questions for suraeNoether on this work?
<suraeNoether> so, for the audience members who are new
<suraeNoether> DLSAG = dual-recipient output signatures = work toward the claim-or-refund primitive that can underlie smart contracts and lightning network. CLSAG = compressed signatures making the rate of growth on the Monero blockchain hopefully 25% smaller and faster to verify
<suraeNoether> MRL11 = traceability resistance analysis
<suraeNoether> so, work is important, hard, and slow going, but doing it right is very important to us
<suraeNoether> anyway, sarang, how about yourself?
<sarang> Plenty to mention
<sarang> I had overhauled some definitions and such in the CLSAG paper, which suraeNoether has completed more edits on
<sarang> In particular, some stuff on multi-asset transactions that could be enabled by this
<sarang> I'll get timing data and then we can release for review
<moneromooo> "multi-asset" being akin to coloured coins?
<sarang> ya
<sarang> Not saying I'm recommending such a thing for us, but it's an easy application
<sarang> I've been working on some draft protocols for how a Monero coinjoin could work
<sarang> Right now the initial scheme requires a certain amount of trust in a dealer, but is very efficient
<sarang> This is obviously not ideal
<sarang> MoJoin, I call it
<sarang> FWIW it doesn't leak spend data to the dealer, only the partition of inputs-and-outputs to each player in the join
<sarang> sgp_ and I did two Breaking Monero episodes, one on input/output counts and one on block explorers
<sarang> that's the main stuff for me
<suraeNoether> oh, guys: we are deciding to extend early-bird pricing for a few more days
<suraeNoether> i'll be advertising it
<suraeNoether> but don't forget to get your ticket at monerokon.com before prices change, if you are still coming
<suraeNoether> students are especially encouraged to attend; there will likely be partial rebates at the door for student tickets
<sarang> Any particular questions for me?
<suraeNoether> how many rounds of interaction in mojoin?
<moneromooo> The "Gao [...] fully homomorphic" thing makes me wonder if that could not be looked at in conjunction with dealerless coinjoin :)
<sarang> 3
<sarang> This is minimal because of the BP MPC
<suraeNoether> yeah, that's cool. moneromooo i think that's probably a safe avenue of stuff for us to talk about
<sarang> Er, no... 4 rounds now, sorry
<sarang> I had to make a change
<suraeNoether> oh
<sarang> The extra round is to avoid commitment sums being used to brute-force the partition by an observer
<sarang> Making the resulting transaction identical to one not MoJoined (although the output count is something of a giveaway)
<moneromooo> BTW, something I've not done in the branch is merging outputs to the same destination (originally the intent was to make Alice + Bob atomically paying Carol).
<moneromooo> Would that be possible with the dealer based coinjoin?
<sarang> So A+B generate a single joint output?
<moneromooo> yes.
<sarang> I don't think it's possible to do the BP MPC without leaking the full mask
<sarang> unless that's acceptable
<moneromooo> That's fine in that case since Alice and Bob advertise what they're paying, since each of them verifies the other does pay.
<sarang> Would this assume another side channel between them that's outside of the join?
<sarang> So it'd be a plug-and-play operation into a join?
<moneromooo> I dunno. If you need one I guess.
<sarang> Hmm
<sarang> It's probably possible, under the right trust model between A+B
<sarang> Of course, "probably possible" is quite the weasel word
<sgp_> I'm here and caught up, sorry for being late
<sarang> hi
<suraeNoether> nbd
<sarang> talking coinjoin
<fort3hlulz> What's the advantage for Monero in using a CoinJoin implementation? If it's better to chat later about it I'll shut up :)
<suraeNoether> no, that's a great question
<moneromooo> It adds another layer of privacy. If Eve looks at one tx, she can't assume anymore that all the inputs are from the same owner.
<sarang> Yeah, it tries to break the common-ownership assumption
<fort3hlulz> Ah, so it's a mitigation of poisoning/EAE attacks specifically? How does it affect Tx size/blockchain bloat?
<sarang> My thought about the dealer model (if it's a necessity, which is yet TBD) is that under a malicious dealer assumption, you basically revert back to the current model
<moneromooo> If we're lucky, smaller txes since one single BP :)
<sarang> Another quick note that hyc and I had a call with Trail of Bits, an auditor who submitted a SoW
<sarang> they'll be updating their numbers, and noted that another project may be interested in helping fund RandomX
<sarang> We'll have a call with those folks tomorrow
<hyc> Hi, just finished my other call
<sarang> yo
<hyc> yeah, some good stuff from Trail of Bits
<fort3hlulz> Awesome, I'm excited to learn more about CoinJoin on Monero as well as CLSAG, thanks guys! I'll get out of your hair now :)
<sarang> Thanks for the question fort3hlulz
<sarang> The security of coinjoins in Monero is still very much in the air
<hyc> also for the benchmark freaks (like me) Huawei has offered to give me access to some servers with their newest chip, for benchmarking purposes
<hyc> will be getting efficiency numbers for CN/R and RandomX on ARMv8
<suraeNoether> ooooh
<suraeNoether> that's... fantastic...
<sarang> nice
<hyc> these guys https://e.huawei.com/us/products/cloud-computing-dc/servers/arm-based
<sarang> We'll post the ToB updated SoW when they provide it
<suraeNoether> and MRL marches forward into tomorrow's yesterday of the future^tm
<hyc> general availability is end of June, early access is nice
<hyc> that's all for me
<sarang> Does anyone else have research to present?
<sarang> Or general questions at all?
<suraeNoether> what's the coolest plane you've flown?
<luigi1113> what kind of pie do you like?
<suraeNoether> berry berry
<sarang> suraeNoether: commercially, or piloting myself?
<suraeNoether> with greek yogurt
<suraeNoether> ^ both
<sarang> Commercially, Nepal
<sarang> Myself, in between buildings in downtown San Francisco and the Golden Gate
<sarang> which apparently is legal
<suraeNoether> not place, plane, but i'll accept your answer happily
<suraeNoether> that's awesome
<sarang> Oh heh, didn't see that
<sarang> Commercially, B787
<sarang> Myself, probably a DA40
<sarang> it's got the aerodynamics of a glider
<sarang> Well
<sarang> Let's move to action items
<sarang> suraeNoether: ?
<suraeNoether> final dlsag review today
<suraeNoether> mrl11 rest of the week
<suraeNoether> uhmmm... and if anything else is handed back to me like clsag
<sarang> word
<suraeNoether> adjective
<sarang> I'll get those CLSAG timings into the paper and finalize the proof question we had
<sarang> Carry on with MoJoin
<sarang> etc.
<sarang> Any final words before we formally adjourn?
<dEBRUYNE> Perhaps a blog post from CLSAG could be written (similar to the one for Bulletproofs)
<suraeNoether> just excited for lunch
<sarang> "Signatures. They are smaller and faster."
<dEBRUYNE> I don't think many community members would understand CLSAG from the technical paper alone :P
<sarang> But yes, we could do that once we're satisfied with security
<sgp_> People need these blog posts or else no one will know
<suraeNoether> dEBRUYNE: that would be good, yes.
<sarang> All righty, thanks to everyone for attending
<sarang> We are now formally adjourned; logs will appear shortly