sarang, watching your defcon video. What is the ring size where CLSAG becomes less efficient/uses more space than RCTTypeSimple?

Verification is the same at about 128

that's pretty big; are you guys considering raising the mixin again with CLSAG?

next prime is 13 lol

Verification of 13-CLSAG is about the same as 11-MLSAG

Much larger ring sizes are likely better suited for a sublinear construction that supports batch verification

makes sense

(since all verification is linear-ish)

Ill add CLSAG writeup to my list

We have an extensive rewrite

It's over to suraeNoether for review before we update on IACR

Has changes to the security definitions

well the security definitions and proofs are outside my scope anyway

There's sample code in Python and Rust, and a PR from mooo

ok

if everything goes well, will CLSAG be shipped with v13 hard fork in May 2020? (implies two hard forks, v13 and v14 for transition period as with bulletproofs and ringct)

Depends on what people think of the math and code, I suppose

not up to me

fair enough

Revuo Issue 41 - revuo-monero.com/issue-41.html

ringsize 1024 sarang !!!! AWESOME!!!!

Oh, I'd missed that backlog. Nifty!

What is the verification bottleneck for large ring sizes ?

For batchable constructions? Only the fact that there's a linear component to them

I mean more like, what does the profile hit most ?

If yoi've not checked in detail yet, no worries, just curious.

What do you mean?

As examples, is most of the time spend in... multiexp ? single aA muls ? Scalar ops ? Keccak ? syscalls ? busy loop ?

Ah

Multiexp for sure

We can generally eliminate hash to point calls by switching linking tag formats

At the cost of more complex multisig, as we have seen

There's a few hash to scalar ops, but those are cheap and limited

sarang: is m of n multisig possible with triptych?

With additional rounds to produce `n`-of-`n` equivalent shares, should be fine

so at this point, what are the main drawbacks of triptych?

Lack of review, some further comparison with RCT3

Still need transaction-level security definitions for the more efficient Triptych

(right now we only have them for the underlying sigma protocol)

still, this is very promising then

It provides more options

Omniring still wins for size, but I have new questions about its proofs and the potential for batch verification (which currently is not possible)

Monero Research Lab referenced on Ring Sigs

from the German Federal Office regarding secure Blockchains

Good to see differentiation between mixing and ring signatures

Seems they are often muddled together, despite mixing being interactive and ring signatures being non-interactive

yeah, its a very solid document to be fair, from first reading/overview

Isthmus I am taking a look at your fee question. I do suspect that a misunderstanding on what the fee ratios are after bullet proofs are a major factor for the appearance of fee sniping.

What is the intended audience midipoet?

i would imagine IT security practitioners, IT developers, IT decision makers weighing up pro/cons of moving to a blockchain/dlt based data structure

The ratio for the low fee is 0.2 and no 0.25 and the ratio for the fastest is 200x and not 41.5x Th gui until the last fork was calculating the fees correctly but displaying the old pre bulltprrof ratios

So the first step in my opinion is to better communicate how the fee formula actually works.

midipoet: those summary points are pretty solid

We can then look at adding one or more levels right above the normal fee and also Isthmus' idea of fee bins for relay

section 9.2 on the GDPR is pretty telling also, in that document

Summary of it?

midipoet: can you also share in #monero-compliance?

yes

sweet

By the way I am on CET UTC+1, Madrid, until January 8, when I fly back to Vancouver PST UTC-8

What counts as proper anonymization?

That GDPR document is pretty interesting.

sarang: that's the million dollar question

there have been advice guidances provided by some entities

Any reliable conclusions?

but there has yet to be a reference case, as far as i know

probably the most robust if you were to go to court

The Europol comments on Monero may provide some indication.

It is based upon reasonable so the current approach of gradually toughening up privacy in Monero may be no that far off

In any case we are way ahead of the competition

ArticMine: yes, i would agree

i also get the impression that those who are starting to shape policy also understand this

but are facing pressure from other groups (money laundering, national security, etc)

Yes I agree.

good morning

yo

Triptych preprint: github.com/SarangNoether/skunkworks/blob/triptych/paper/iacr.tex

Nice

If anyone else wishes to review it, please do; then it can go onto the IACR archive

I'm sad that we couldn't be IACR 2020/001, which would have been great

or even 2020/007

Note that the version on github should still be considered a draft (hence it being in draft mode in LaTeX)

#monero-research-recipes

...

2020/002 would still look cool

Too late :/

:(

They're up to 2020/007

I'd be cool with 2020/020

ok, wait for /020

;)

A brief update from me today

I've been invited to speak at the Blockchain Technology Symposium in February at the Fields Institute in Toronto

there are three themes for the event, Security Longevity, Privacy / Digital Identity, and Organizational Change

very nice!

i'm extremely flattered; a colleague at Clemson University recommended me to them

That's crazy good

congrats, sounds great!

I need an excuse to visit Toronto, do you need a co-presenter to advance slides for you?

So, I'm going to make a CCS request for travel funding; personally, I would also like Sarang to come and attend the event, so I think he should also make a request. hyc if you come out, that'd be absolutely delightful, and if you like I can recommend you to their organizer to see if they need more speakers?

Would I also speak?

and what is the audience for this?

i'll ask if they are looking for more speakers

i certainly can't give you a speaking slot :\

just kidding; I don't have any hot topics to present at the moment

how about just as a fiddle opener to my talk?

:D tat could work

This talk will be delivered in the form of an opera

LOL

def need cutting edge presentation methods for cutting edge research material

Just present your slides by triplets, with the side ones angled a bit.

i'll present my slides in 4:3 polyrythm

okay so another note, I want to take the temperature of the room on this one

does the Monero community want to help sponsor this BTS event?

There are a few levels of sponsorship. We would get the monero logo to appear on the website and we could put monero swag into their swag bags. I'd be willing to throw some XMR at a CCS funding request to sponsor an event at the Fields Institute

To what benefit?

What's the audience and scope and reach?

it's an event in the same vein in terms of content as Konferenco or the Stanford Bitcoin Conference

do we believe Monero is currently unknown to that audience?

it would be the monero community contributing to cryptocurrency research *shrug* and they asked me in their invitation if we would be interested in sponsoring, so i'm passing along the notion

as an open source dev, I'm not accustomed to asking the community for money for promotion

but if folks don't see the point, or don't see value in it, i don't really have a dog in that fight

hell, in OpenLDAP we don't ask the community for money, period.

it *is* promotional for sure

20:11 <suraeNoether> does the Monero community want to help sponsor this BTS event? <- we turned these down in the past

suraeNoether: do you know if they'll be offering livestreaming or recordings of talks?

I think sponsoring isn't especially good. They're already asking you to pay for your own travel? To a university!

Even NDSU paid for my travel to speak

ah, good point. if they're not paying lodging and at least part of travel, something's wrong.

selsta: good to know. i wouldn't recommend that the monero community sponsor some ico hypefest, and i'm on the fence about more academic events

suraeNoether: I don't plan on requesting funds for this, regardless of speaking invitation

Heck, I don't plan on requesting funds for the Stanford conference either

"Because we have been fortunate enough to have secured substantial sponsorship for the event, admission for the event is only $100 and it includes lunches and a reception."

oof

sgp_: my general experience is that for invited speaking gigs, the bigger the university the tighter the pockets. and I insisted on paying for speaker travel for the konferenco specifically because most academic conferences in my experience *do not* have travel assistance for speakers, and I think that's unfair. maybe i misunderstood the offer. I'll ask for clarification.

Perhaps the admission is only for non-speaking attendees

Charging speakers admission would be absurd

indeed

i assume the speakers don't have to pay admission

I'm surprised more conferences don't allow speakers to present remotely

my experience of remote presentations is kinda meh

network glitches are distracting and mostly unavoidable

and most of the value of a conference is meeting people in the hallways

half the point of conferences is to interact with people real-time, face-to-face. problems get discussed and solved much more quickly that way

^

word

Face-to-face is best, but I don't recall having ever seen a remote presenter at all

Given that the cost is probably zero, it seems useful for presenters with good information but who can't make it in person

we could try that sometime, do an all-remote Monerokon, charge a minimal fee

to pay for video servers etc

Konferenco Fantomo? (ghost conference)

has a nice ring to it

why not "virtual" tho?

Sounds less interesting

yeah, 10 GBPs and 100 GBPs servers are pretty expensive

suraeNoether: ought I submit the Triptych preprint?

Hold off 24 hours

I don't think there is any harm if it's the single index stuff for now

But for multi let's let it sit for a bit

Yeah I mean single only