04:41:46 <Isthmus> 13404422 ring signatures generated by version 2 transactions
04:42:10 <Isthmus> Whoops, wrong channel
04:42:21 <Isthmus> Well, you can probably guess who I meant to send that to
05:04:59 <UkoeHB_> Avg ~1 tx every 20secs
05:05:05 <UkoeHB_> One ring sig*
14:59:12 <sarang> Reminder that weekly research meeting is today @ 18:00 UTC (about 3 hours from now)
17:01:26 <suraeNoether> why do i keep thinking these meetings are 17:00 UTC?
17:01:53 <sarang> They used to be 17:00
17:06:20 <sgp_> .time
17:06:27 <suraeNoether> .dementia
17:06:54 <sgp_> too bad that doesn't work here. works in #monero-community
17:14:30 <suraeNoether> so, good news everyone: i now have two full days of sleep, with a calorie defecit smaller than 500 calories, for the first time since xmas. finally freaking feeling better
17:14:57 <sarang> :D
17:25:03 <sgp_> suraeNoether: that's great news!
17:29:48 <sarang> How do we get the timebot here?
17:35:17 <nioc> back in my day we wound our watches
17:35:29 <sarang> Now we have robots to do that
17:36:59 <sarang> Anybody have anything they want to specifically add to today's agenda?
17:45:27 <suraeNoether> nioc: i'm still winding my watch :)
17:46:26 <nioc> my question is, what is the status of the matching project and how will is be used going forward to help select an appropriate ringsize?
17:47:07 <UkoeHB_> Curious as well
17:47:09 <sarang> Great question for the meeting, or for right now
17:47:25 <sgp_> +1
17:48:08 <sgp_> As I stated before, I don't think there are strong reasons to increase ringsize with clsag unless there's a justification other than "larger is better" or "it could theoretically help with churning"
17:48:21 <sarang> I agree
17:48:46 <sarang> Some forms of analysis are easily mitigated by small increases, and those have been done already
17:48:54 <sgp_> this was maybe fine a few years ago when the ringsize was MUCH smaller and this was the best analysis we had, and when we were dealing with more basic attacks
17:49:03 <sgp_> sarang: beat me to it :)
17:49:05 <sarang> Other more targeted forms of analysis would be difficult to mitigate without very large increases that are not feasible right now without bloat
17:49:13 <sgp_> easy attacks are effectively covered
17:49:39 <sarang> But marginal increases at the current size seem unnecessary without a good rationale, likely related to churn as sgp_ says
17:55:11 <sarang> We'll start our meeting in just a few minutes
17:55:32 <sgp_> my hope is that the matching results come out in time to make a good decision regarding ringsize in the clsag update
17:55:33 <sarang> The usual agenda, with an addition from Isthmus: https://github.com/monero-project/meta/issues/434
17:55:51 <sarang> ^^ agreed
17:57:38 <sgp_> plus this project has been ongoing for what, a year or two now?
17:59:49 <sarang> OK, let's get started
18:00:03 <sarang> Logs from this meeting will be posted to the agenda issue shortly after the meeting
18:00:09 <sarang> First, GREETINGS
18:00:10 <sarang> hello
18:00:16 <sgp_> hello
18:00:34 <suraeNoether> good mroning
18:00:49 <UkoeHB_> hiya
18:01:27 * sarang will wait a minute for anyone else to arrive
18:03:06 <sarang> On to ROUNDTABLE, where anyone is free to share interesting research
18:03:18 <sarang> I'll go first, since I have a small assortment of things
18:03:51 <sarang> I worked up code and examples for doing hidden data storage within Bulletproofs and Triptych, suitable only for the prover
18:03:53 <Isthmus> I,m kinda here, but on a conference call
18:04:20 <sarang> Several ongoing projects/issues have been moved to monero-project/research-lab issues for comment and discussion
18:05:03 <sarang> The CLSAG code on my monero fork (clsag-plumbing branch) has been cleaned up; thanks to UkoeHB_ for helpful suggestions and comments
18:05:28 <sarang> It includes, among other things, hash function domain separation that we hope to roll out elsewhere for a more robust overall codebase
18:06:02 <sarang> There is also CLSAG Python sample code showing how to do signer index extraction in a clever way, which I assume UkoeHB_ may wish to discuss when he shares
18:06:14 <sarang> I've written up material for ZtM about transaction proofs/assertions
18:06:43 <sarang> And have worked up some new C++ code that updates transaction in/out proofs to have correct Schnorr challenges
18:06:51 <sarang> (still need to write tests for this)
18:07:04 <sarang> That's my update; any particular questions before the baton is passed?
18:07:58 <suraeNoether> quick question: iirc you had done work on encrypted timelocks
18:08:03 <sarang> yes
18:08:05 <suraeNoether> i've been chatting with both isthmus and TheCharlatan about them
18:08:13 <suraeNoether> do you have any notes prepared any place for later reading?
18:08:29 <sarang> On what in particular?
18:08:37 <suraeNoether> alternatively: can we schedule a discussion in this room that will end up in the logs for later this week?
18:09:00 <sarang> Sure
18:09:27 <sarang> Let's table for now, and address at the end
18:09:34 <suraeNoether> if we implement them regardless of if we are using mlsag, clsag, or triptych, there's going to be a cost. i want to see how it's all going to fit into future monero dev
18:09:39 <suraeNoether> word, word, i can go next
18:09:45 <sarang> OK, go ahead suraeNoether
18:09:48 * sarang makes a note about timelocks
18:09:58 <suraeNoether> last week i spent a lot of time on CLSAG and linkable ring signatures security definitions
18:10:22 <suraeNoether> there are a lot of definitions out there and they don't all relate to each other in a clean taxonomy, and it wasn't clear which ones we needed to use, and so on
18:10:43 <suraeNoether> so i started writing this rather large technical note summarizing all this with the intention of writing a second paper about it, but sarang and i have decided to merge the two into a new draft
18:11:12 <suraeNoether> the reason is that even definitions of unforgeability miss absolutely critical stuff becuase they are taken from "ring signatures" and mapped over to "linkable ring signatures" wholesale without regard for linking properties
18:12:04 <suraeNoether> so now the paper will be proposing a new definition of unforgeability specifically for linkable ring signatures that subsumes more than one security definition, and this is going to set the standard for a few years on how unforgeability is considered for all applications of linkable ring signatures.
18:12:09 <suraeNoether> this is good news(tm) for MRL
18:12:20 <Isthmus> sweet
18:12:28 <UkoeHB_> congrats :)
18:12:33 <suraeNoether> thanks :D
18:12:41 <sarang> It makes the preprint all the more valuable
18:12:44 <suraeNoether> In addition to that, I have been preparing my talk for the Blockchain Tech Symposium at the Fields Institute in two weeks, and debugging my matching code.
18:13:01 <suraeNoether> i'm extremely grateful to the peer reviewer who "gently" pointed us towards the backes' paper actually
18:13:03 <sarang> Having both improvements to security models _and_ a new construction seems to be the gold standard these days
18:13:07 <suraeNoether> they did us more of a favor than maybe they realized
18:13:37 <suraeNoether> my work for the week will include finishing up this new draft of CLSAG, and to begin large-scale data collection on matching
18:14:17 <sarang> Thanks suraeNoether
18:14:20 <sarang> Any questions for suraeNoether?
18:14:44 <UkoeHB_> if you want more CLSAG work, it's possible to increase the number of linkable keys up to the total number of pub keys considered :p
18:15:05 <sarang> Sure, but that's not useful for our particular application
18:15:09 <sarang> which is why we didn't consider it
18:15:55 <UkoeHB_> I believe there was an earlier question from nioc about matching
18:16:04 <UkoeHB_> for suraeNoether
18:16:18 <sarang> 12:46 <nioc> my question is, what is the status of the matching project and how will is be used going forward to help select an appropriate ringsize?
18:16:28 <sarang> ^ was the question
18:17:42 <suraeNoether> ah, great question: the matching project is *what appears to be* a single-line bug away from correctly generating simulated ledgers. it already appears to generate correct confusion matrices; once this bug is cleared up, it's a matter of executing a big block of code for a large period of time to get all the sample data, and then analyzing the data that's dumped to file.
18:18:24 <suraeNoether> so... if this bug, just like all the others, is a hydra, then I don't have a good answer, but i suspect i've narrowed down the problems to the source
18:18:39 <UkoeHB_> Is the purpose of the matching project to produce the ledgers?
18:18:56 <suraeNoether> there are several purposes, but here's the main thing
18:19:30 <suraeNoether> we want to estimate how well an adversary can do at finding the "real" history of a monero ledger, given some hints (like it's a KYC exchange)
18:19:44 <suraeNoether> i have a method of computing a maximum likelihood estimate of the real history given some obscured ledger, and all that code works
18:20:02 <suraeNoether> and i have a method of taking an estimate and comparing it to the ground truth, producing a confusion matrix, and all that code works
18:20:17 <suraeNoether> i have a simulator that generates simulated ledgers, and the vast majority of that simulator is working just fine, too
18:21:08 <suraeNoether> the origin of the project came from the idea of developing a game-theoretic description of traceability on the monero ledger: you hand me an obscured ledger and some hints, I hand back to you my best guess, and then success is judged by you comparing the best guess to the ground truth you kept from me the whole time
18:22:04 <suraeNoether> so, the hope is: graph performance against ring size, and see if getting larger than 11 is a waste of space/time or not
18:22:36 <suraeNoether> in the meantime, we hope to also get good data for zcash-style ledgers, so that we can actually rigorously compare the two ledgers against each other, instead of tweeting at each other about fragility
18:22:48 <suraeNoether> but that last bit is farrrrr down the line
18:23:10 <Isthmus> Oh yea, I just remembered that ginger and I talked about generating synthetic blockchains forever ago https://github.com/insight-decentralized-consensus-lab/CryptoNote-Blockchain-GAN/issues/1
18:23:21 * Isthmus has to run to a meeting at :30, sorry >_<
18:23:27 <sarang> OK, any follow-up questions on this?
18:23:37 <suraeNoether> unfortunately, i've not worked on matching since mid-January because CLSAG's security models are critically important
18:24:06 <sarang> and CLSAG needs to get out the door
18:24:21 <sarang> Anything else to share, suraeNoether?
18:25:51 <sarang> Does anyone else wish to share relevant or interesting research?
18:27:02 <Isthmus> I'm taking a break from blockchain logs analysis to do some chat log analysis, analyzing recurring logical fallacies in this space
18:27:03 <suraeNoether> Nope
18:27:11 <suraeNoether> isthmus lol really?
18:27:23 <sarang> ?
18:27:29 <Isthmus> Yeah, actually doing a formal analysis
18:27:35 <suraeNoether> Isthmus: if you are, i have a friend to hook you up with at the university of exeter
18:27:37 <sarang> This channel in particular?
18:27:44 <sarang> Or more broadly in cryptography?
18:27:50 <Isthmus> Somewhat broady
18:27:56 <Isthmus> There's 7 common ones that show up in -lab
18:28:01 <sarang> go on...
18:28:24 <Isthmus> But they break down into combinations of red herrings and something that is *similar* to the slippery slope argument, but not quite the same and I'm still nailing down its technical logical structure
18:28:33 <suraeNoether> dude, please elaborate
18:29:14 <Isthmus> Like when we're debating fixing a tractable privacy leak, and somebody points out that there are other privacy leaks
18:29:23 <UkoeHB_> :O
18:29:50 <suraeNoether> ah yeah
18:29:59 <suraeNoether> or comparing everything to 50% attack costs
18:30:13 <Isthmus> Another one is the hashrate code control fallacy
18:30:34 <suraeNoether> ?
18:30:38 <Isthmus> Confusing a 51% attack on longest chain with a 51% attack on the code
18:30:42 <Isthmus> This came up a few weeks ago actually
18:30:45 <suraeNoether> aaaah
18:31:01 <suraeNoether> i smell some medium articles
18:31:02 <Isthmus> Like why should we bother working on the protocol and code, when one day, somebody might run their own version on a bunch of their own miners
18:31:15 <sarang> Based on what you've analyzed so far, any particular recommendations to avoid such flaws in discussion/thinking?
18:31:16 <Isthmus> That one can be disproven by contradiction
18:31:32 <Isthmus> If 50% of BTC hashrate moved to BCH, does that make BCH the official bitcoin?
18:31:33 <suraeNoether> "why should we patch little leaks in info here and there" styled privacy nihilism/despair
18:31:40 <Isthmus> Oh shit, I gotta be in a meatspace meeting
18:31:43 <Isthmus> ciao!
18:31:57 <sarang> -__-
18:32:20 <sarang> Very interesting stuff
18:32:37 <Isthmus> Erm, not by contradiction. I mean by example demonstrating absurdity
18:32:44 <sarang> We have plenty of time left... does anyone else wish to share anything?
18:32:47 <UkoeHB_> lol 😆
18:32:52 <suraeNoether> lol "i'm going to use machine learning to watch all of your conversations and find out who repeats fallacies most zealously BAIII GOTTA GO GRAB A FREE SLIZE OF 'ZZA FROM THE CORPORATE OVERLORDS" amiright
18:33:06 <UkoeHB_> Here's mine. Worked on write-ups of different ideas -> now Research repo Issues, with good feedback from sarang improving viewspent approach. TxTangle (aka my monero coinjoin protocol) is mostly done and just needs questions answered about network-layer anonymity. Current draft of ZtM2 is here https://www.pdf-archive.com/2020/02/05/zerotomoneromaster-v1-0-23/zerotomoneromaster-v1-0-23.pdf and current
18:33:06 <UkoeHB_> ‘koe’s Ideas’ is here https://www.pdf-archive.com/2020/02/05/moneroideaskoe020520/moneroideaskoe020520.pdf
18:33:30 <sarang> Yeah, the original view/spent idea was broken, but there's a better approach
18:33:44 <sarang> It ties in with the CLSAG index extraction that I mentioned earlier
18:34:26 <sarang> If the signer generates all non-signing scalars via a PRNG `s_i := H(seed,i)` (with appropropriate seed data), then it can be asserted privately what the signing index is
18:35:10 <sarang> It removes the need to add anything to the chain, and hence is good for indistinguishability
18:35:24 <sarang> I dig it, provided the UX is sufficient for reasonable use cases
18:35:37 <UkoeHB_> yeah if view key can regenerate those scalars, it can know when an output has been spent with certainty
18:35:50 <UkoeHB_> of course, it only works if tx author generates scalars like that
18:36:01 <sarang> The problem is still that it's opt-in, so even an accidental use of a non-participating wallet ruins the account balance computation for good
18:36:16 <sarang> So you'd have to be super-clear about presenting that to the user
18:36:24 <sgp_> hmm
18:36:40 <sarang> Of course, a wallet could be doing that right now for all we know
18:36:51 <sarang> it's non-consensus and can't be detected if done properly anyway
18:38:20 <UkoeHB_> it does leave open questions about data stored by nodes, since signature scalars are pruned; perhaps only full nodes, or view-spent enabled nodes can be used
18:38:33 <sarang> IMO that's a completely reasonable trade-off
18:39:04 <sgp_> sounds reasonable to me too
18:39:06 <UkoeHB_> it also may greatly increase data transmitted to view-only wallets by remote nodes
18:39:09 <sarang> Bloating the network for optional functionality benefitting only a single user seems unnecessary
18:39:28 <sarang> But this approach means you can run a full node (good for the network) and have the functionality for your wallets safely
18:40:32 <sgp_> UkoeHB_: I think that's a good thing to point out but probably isn't a showstopper
18:40:53 <UkoeHB_> might need to receive a gigabyte of data to read through a year's worth of tx
18:42:24 <suraeNoether> hmmm
18:42:31 <suraeNoether> i'm a little worried about this in the following sense
18:42:36 <sgp_> I still think that is okay for view-only wallets
18:42:45 <suraeNoether> you are selecting the non-signing scalars deterministically from a PRNG
18:42:52 <sgp_> anyone using them for critical stuff, or viewing multiple wallets, should run their own node
18:43:05 <suraeNoether> one thing we all know about schnorr signatures is that if nonces are selected deterministically, it's possible to extract the private keys
18:43:24 <suraeNoether> at least, under certain constraints
18:43:26 <sarang> suraeNoether: yes, which is why seed selection is very important
18:43:26 <suraeNoether> so my question is
18:43:35 <sarang> UkoeHB_ and I discussed this a bit already earlier
18:44:12 <suraeNoether> if the seed is chosen from a high entropy distribution and kept secret, it's computationally hard to detect that these are computed deterministically
18:44:27 <suraeNoether> i would prefer a method that is more than computationally hard
18:44:37 <sarang> Presumably the seed is a combination of the view secret key, the index, the key image, etc.
18:44:50 <sarang> suraeNoether: how would that even work?
18:45:15 <sarang> Data extraction requires that only the designated parties be able to construct the "expected" output value
18:45:27 <suraeNoether> pfeh, we use PRNGs because statistical RNGs don't really exist :P so ... it wouldn't
18:45:49 <sarang> Well, right now we operate on the assumption that the user has access to something behaving as an RNG
18:45:55 <sarang> this moves to an honest-to-goodness PRNG
18:45:57 <sarang> (and has to)
18:46:06 <sarang> You can't do data extraction with a true RNG AFAICT
18:47:11 <suraeNoether> that... is... true.
18:47:21 <sarang> Anyway, this is an interesting topic that could be useful for a future release
18:47:41 <sarang> but has subtle aspects to seed selection and UX that need further review
18:47:46 <sarang> Let's move on, for the sake of time
18:47:54 <sarang> Any other topics you wish to share, UkoeHB_?
18:48:22 <UkoeHB_> well, I hope people can leave feedback on the repo issues
18:48:27 <sarang> Yes, please do
18:48:37 <sarang> Much easier than only doing IRC comments =p
18:48:37 <UkoeHB_> sorted TLV is probably most important for next hardfork
18:49:06 <sarang> TBH that's probably going to be better for -dev discussion
18:49:20 <sarang> More of an engineering question than a math question :)
18:49:25 <UkoeHB_> true
18:49:38 <sarang> I'd bring it up at a dev meeting, or just in -dev whenever
18:49:45 <sarang> Get a sense of the work involved
18:49:59 <UkoeHB_> ok
18:50:14 <sarang> I know people have brought up tx_extra parsing before, and it's a hot topic
18:50:36 <sarang> Does anyone else wish to discuss other research topics?
18:50:37 <UkoeHB_> ah, CLSAG section was added to ZtM2 for anyone curious
18:50:43 <sarang> excellent
18:51:16 <suraeNoether> uh i saw vtnerd's push on dandelion++
18:51:21 <sarang> Yes
18:51:23 <sarang> Most excellent
18:51:29 <sarang> It's on my list to review later this week
18:51:32 <sarang> Speaking of which
18:51:41 <sarang> Let's briefly move to ACTION ITEMS to respect everyone's time
18:52:42 <sarang> I'll be reviewing the D++ PR, working through some additional transaction assertion/proof stuff, updating sublinear tx protocol MPCs, and writing up examples of RCT3 hidden data storage
18:52:49 <suraeNoether> yes. Mine: Finish CLSAG, start collecting matching data. Also, of primary importance: provide updates twice or three times a day in here until both of these are finished.
18:52:53 <sarang> As well as getting tests written for the new tx in/out proofs
18:53:08 <suraeNoether> i'll be reviewing the D++ pr also once those are both off my plate
18:53:15 <sarang> Yes, looking forward to the CLSAG stuff (will review when ready)
18:53:29 <sarang> Anyone else have action items planned for the week?
18:54:18 <UkoeHB_> To do: focus on multisig all week, hopefully finish txtangle (need a network anonymity expert for advice, any takers?)
18:54:33 <sarang> The most knowledgeable person is probably vtnerd
18:54:59 <sarang> I hear if you say his name 3 times, he gets 3 separate notifications...
18:55:10 <sarang> =p
18:56:00 <sarang> Any last-minute items, questions, etc. before we formally wrap up?
18:56:55 <sarang> (I'm happy to discuss timelocks after we adjourn)
18:56:59 <sarang> Going once...
18:57:22 <sarang> twice...
18:57:44 <sarang> Adjourned! Thanks to everyone for attending; logs will be posted shortly on the agenda issue
18:57:51 <sarang> Feel free to continue discussions, of course
18:57:54 <sarang> suraeNoether: timelocks
18:58:25 <sarang> What do you wish to know
18:58:55 <suraeNoether> well, first question: is there a github issue or something describing any proposed methods of implementing them?
18:59:14 <suraeNoether> second question assuming no: is there a document anywhere describing any proposed method of implementing them?
19:00:15 <sarang> I have some example code showing how they operate
19:00:20 <sarang> What details do you want?
19:00:36 <sarang> If you want timing information, that's separate (depends on performance timing)
19:01:04 <sarang> and that doesn't address the engineering work required to integrate the timelock range proofs (used for inputs) with the existing bulletproofs (used for outputs)
19:01:17 <sarang> It seems pretty nontrivial to do
19:01:20 <UkoeHB_> Issue #65 I did a short explanation of how it works
19:03:20 <suraeNoether> uh #65?
19:03:47 <sarang> UkoeHB_ means https://github.com/monero-project/research-lab/issues/65
19:03:59 <sarang> I opened an issue describing the basic idea
19:04:18 <suraeNoether> oh!
19:04:28 <suraeNoether> i was in monero-project/monero :P
19:04:49 <suraeNoether> ok, this was *all* i wanted before i had more questions
19:04:50 <suraeNoether> thank you
19:05:55 <sarang>  The gist: requires each input to have an additional auxiliary commitment added; still a cleartext auxiliary time included; CLSAG verification complexity increases; range proofs basically unaffected if done properly
19:06:47 <sarang> First-order estimate is that the MLSAG-CLSAG verification benefits go away with CLSAG-based timelocks
19:08:21 <sarang> Although: I should note that range proofs currently have a cap on the number of commitments included... with timelocks, this cap would incorporate both input timelock commitments _and_ output value commitments
19:08:38 <sarang> I mean unaffected since we already pad to the next power of 2 for size and time purposes
19:08:47 <sarang> Increasing the limit would of course change this
19:13:21 <suraeNoether> *nod*
19:13:59 <sarang> So there are still size benefits from the MLSAG-CLSAG transition, but the time benefits disappear
19:14:32 <sarang> May be slower overall by a bit... there's always variance in the test numbers
19:14:43 <sarang> Seemed like a wash during my initial testing
19:55:05 <suraeNoether> sarang: i have a weird notion of unframeability, or non-slanderability i wanna run by ou
19:55:12 <suraeNoether> but it requires out of the box thinking
19:55:20 <suraeNoether> if you are aroudn
19:55:27 <sarang> I am around
19:55:56 <suraeNoether> ok so
19:56:48 <suraeNoether> firstly, unforgeability is a version of soundness, which is a matter of the existence of a witness extraction algorithm. when we prove unforgeability, we prove such an extractor exists and use it to violate a hardness assumption
19:57:30 <suraeNoether> secondly, if A is an algo that can produce a valid signature, then it can be rewound by the extractor to get the witness, so if A produces some (m, R, \sigma), we can wrap it without harming its advantage and output instead ((m, R, \sigma), w) for a witness w
19:57:35 <suraeNoether> follow me so far?
19:58:17 <sarang> Ideally
20:00:05 <suraeNoether> https://www.irccloud.com/pastebin/uJUqZ5mb/
20:01:14 <suraeNoether> this is an amped up definition of linkability. I suspect it's distinct both from Backes' and the older Tsang-style definitions, also
20:01:25 <suraeNoether> but i haven't proven proper containment of the securiyt models yet.
20:03:30 <suraeNoether> actually: this is a very strong definition of linkability that says two signatures will link if and only if their witnesses match
20:03:37 <suraeNoether> which implies Backes' definition for sure
20:04:59 <suraeNoether> hmm, yeah, actually i think this definition also implies tsang's definition
20:05:02 <suraeNoether> suggesting this is stronger than those
20:05:14 <suraeNoether> i... suspect htere's a problem with my thinking, though, other htan the fact that it assumes the scheme is unforgeable to start.
20:05:47 <sarang> How do you frame this in a challenger-player scenario?
20:05:59 <sarang> The challenger can't naively extract the witness itself
20:06:23 <Isthmus> https://www.irccloud.com/pastebin/yh1NDdj9/
20:06:28 <Isthmus> Back by popular demand
20:06:31 <Isthmus> ^@koe
20:06:36 <Isthmus> @UkoeHB_
20:07:54 <Isthmus> Wow, we've had some transactions with a lot of inputs... 1187, 1086, 1067, ...
20:08:34 <sarang> Ah is this the chain analysis I had asked for?
20:09:38 <suraeNoether> sarang: same way backes' linkability defines it as player-challenger
20:09:50 <sarang> suraeNoether: this is a good conceptual example of linking unforgeability to (special) soundness by Groth and Kohlweiss: https://link.springer.com/content/pdf/10.1007/978-3-662-46803-6_9.pdf
20:10:00 <suraeNoether> oooh
20:10:48 <suraeNoether> taking a lunch break, and then sarang, i'm at the point where i'm copy-pasting proofs over... so i think i'll be done later today and passing a new draft along to you, but i'll do an update in a bit
20:14:22 <sarang> Roger
20:15:43 <Isthmus> Want to see 800 obviously spent outputs?
20:15:46 <Isthmus> https://usercontent.irccloud-cdn.com/file/dRXOlFUI/image.png
20:16:26 <Isthmus> Our ring signatures and decoy selection algorithm are simply statistically incompatible with spending a large number of temporally-correlated outputs in a single transaction
20:16:36 <Isthmus> I can automate this too
20:16:50 <sarang> Yup
20:17:29 <Isthmus> Collapse the ring member ages of all 1000 ring into a histogram, find cluster centroids, flag every output within 1 stddev as spent. Loop this over all of the 500+ input transactions, and mark thousands and thousands of outputs as known to be spent.
20:17:37 <UkoeHB_> Interesting, it seems like the amount of pool payouts is less than 1% of all tx
20:17:56 <Isthmus> i haven't coded it up yet, but it could take a single pass through our database and identify >10,000 spends
20:17:58 <sarang> Isthmus: *highly suspected* to be spent
20:18:07 <sarang> Known for a long time :/
20:18:30 <sarang> Tricky to avoid without sufficient cluster/bin selection AFAICT
20:18:42 <sarang> Which in turn is tricky without larger overall anon set sizes
20:18:43 <Isthmus> And of course revealing 10,000 spends also reveals 50,000 decoys
20:19:15 <Isthmus> I'm a statistician, not a court of law. For the purposes of commercial chain-analysis those are considered spent.
20:19:18 <Isthmus> :- P
20:19:59 <sarang> Sure, and I don't know a good way to avoid this beyond clustering and/or wallet warnings
20:20:41 <UkoeHB_> All high input count inputs are pre-ringct
20:20:58 <sarang> Or, alternatively, such a large-input transaction followed by a properly-executed self-spend
20:21:04 <UkoeHB_> Since max tx size limit
20:21:07 <sarang> to return the single output into the "recent pool"
20:21:48 <Isthmus> " Or, alternatively, such a large-input transaction followed by a properly-executed self-spend" < protects the sender, but laces the chain with weak decoys
20:21:55 <sarang> An on-the-fly analysis followed by a churn wallet warning might useful as a stopgap
20:22:08 <UkoeHB_> Ah right, can you flag every tx with >1 input if it used RCTTypeFull?
20:22:15 <sarang> Isthmus: right, but in general it's not possible to fully avoid
20:22:50 <UkoeHB_> Or add a count column to that data set with #tx with rcttypefull
20:23:12 <Isthmus> Yea it is, we just need to cap the number of inputs to force multiple transactions. A little bit of computational and fee overhead, but allowing insanely large numbers of inputs basically defeats the point of ring signatures
20:23:17 <Isthmus> I'm not saying to cap it at 5
20:23:22 <Isthmus> But it needs to be not 1000
20:23:43 <UkoeHB_> And another flag if the first referenced input offset is pre-ringct (implies all inputs are pre-ringct)
20:24:58 <Isthmus> Ah interesting
20:25:40 <UkoeHB_> I think rcttypefull could get up to around 600 inputs, maybe more with smaller ring sizes
20:25:52 <UkoeHB_> Pre-bulletproofs
20:27:03 <Isthmus> Anyways, good lunch break but I gotta get back to the work
20:27:05 <Isthmus> gg
20:27:20 <sarang> Isthmus: the sharp dropoff for decoy selections means that the temporal effects may be reduced somewhat
20:27:27 <sarang> but it'd be interesting to see to what extent this is the case
20:27:42 <UkoeHB_> I'm guessing all those inputs from the same block are denominated pre-ringct outputs being swept
20:28:36 <sarang> I still very much advocate for eventually moving to a bin/cluster selection approach, but I also think it only has maximal benefit when used with a large overall ring size
20:32:57 <UkoeHB_> Isthmus multiple transactions doesn't work either, since with a little extra effort you can compare the input rings of adjacent tx for clusters
20:33:41 <UkoeHB_> Well helps a little, and moreso as the time spread rises, but not a huge improvement
20:34:22 <sarang> Larger clustered bins shared across all inputs seems to mitigate this
20:34:36 <UkoeHB_> Yeah
20:34:44 <Isthmus> True, in that sense transactions are kind of arbitrary boundaries around branches of the tree, but it's still the same tree
20:34:49 <sarang> Even if you gain knowledge of the bin used across inputs, that doesn't necessarily identify all spends within the bin
20:34:58 <Isthmus> Very mature graph analysis erases the boundaries from both blocks and transactions, to focus on the pure topology
20:35:25 <sarang> and the presence of identical bins on all txns means you can longer use only cross-input techniques to guarantee a single set of spent inputs
20:39:52 <sarang> Isthmus and UkoeHB_: suppose we can do ringsize 128 or 512
20:39:57 <sarang> How would you structure selection?
20:40:03 <sarang> I've thought a lot about this
20:40:18 <sarang> but surely there are factors at play that I am missing :)
20:40:40 <sarang> For starters, inputs should share the same anon set
20:40:51 <sarang> (this is generally also very efficient)
20:41:42 <sarang> Binning is also a good idea (Miller et al. show how to do deterministic shuffled binning to avoid miner shenanigans)
20:41:51 <UkoeHB_> I think maintaining the gamma distribution as foundation is important, although I have some thoughts on how to make sure it ages decently
20:41:53 <sarang> What else?
20:42:08 <sarang> Yes, I assume the bin selection follows a reasonable spend distribution
20:42:19 <sarang> with the rule that when you select a bin, the ring includes that entire bin
20:43:13 <UkoeHB_> I feel that reveals too much about the spend timing
20:43:36 <Isthmus> I need to clear my mind and think on that for a while. There are 3 concrete research strategies that I believe should inform selection
20:44:55 <sarang> UkoeHB_: bear in mind one of the key reasons the Miller paper advocated binning (at least in the single-input simplified case) was to reduce the adversarial advantage from heuristically identifying the spent bin because of a bad distribution choice
20:45:07 <sarang> At that point, the signer ambiguity is still at the level of the bin size
20:45:24 <Isthmus> (1) What does the spend time distribution look like for other  multiple other cryptocurrencies like BTC and transparent Zcash. Why multiple? I don't just want to see the distribution for one, I want to understand how representative it is and how much it varies across different coins
20:45:31 <sarang> as opposed to a single output
20:46:21 <Isthmus> (2) use the egregious decoy transactions (exhibit 1: uniform selection, exhibit 2: cached decoys, exhibit 3: links from by MonKon talk) to identify real spend times in Monero
20:46:42 <Isthmus> There's enough obviously spent outputs (from a statistician's perspective) that we should be able to generate a pretty large data set
20:46:55 <sarang> Isthmus: are you familiar with the data presented in the Miller paper?
20:47:04 <Isthmus> Oh yea, I read it like once every 6 months
20:47:08 <sarang> haha ok
20:47:15 <Isthmus> Now, we don't know for sure whether these sore thumbs representative of general activity
20:47:18 <sarang> I was gonna say, 1+2 is basically "do Miller again"
20:47:30 <sarang> but with more sources
20:47:35 <Isthmus> Yea, I just have more heuristics with more teeth :- )
20:47:44 <Isthmus> We've advanced chain analysis significantly since then
20:48:20 <sarang> Because I wonder if, even armed with this extra data, there are good general rules beyond "build shuffled bins, select them using an estimated spend distribution, and that's it"
20:48:22 <Isthmus> So the last strategy (3) is to take the transactions that appear to have the correct decoy algorithm matching core wallet implementation (assessed by offset-corrected median ring member age) and then subtract those from the observed distribution
20:48:32 <sarang> (and reuse all bins across inputs)
20:49:23 <Isthmus> This won't tell us anything about a *particular* ring, but across 13404422 ring signatures, the difference should paint a pretty accurate picture of the real Monero spend time distribution
20:50:02 <sarang> OK, so assume you have that distribution in hand
20:50:08 <sarang> What do you want to pull from it?
20:50:45 <Isthmus> Our decoy selection algorithm should mimic the ground truth spend time
20:51:07 <sarang> Sure, but we already know that doesn't play well across inputs
20:51:17 <sarang> So now we also have the hypothetical advantage of 128-512 rings
20:51:44 <sarang> Also assume that reusing inputs/decoys across rings is more efficient to verify (it is)
20:52:15 <Isthmus> Oh I'm tacking theory for single ring before cross-ring stuff xD
20:52:27 <Isthmus> I guess that's bad of me
20:53:07 <Isthmus> Anyways, gotta bounce back to work stuff, will meditate on large rings laater
20:54:22 <sarang> roger
20:59:48 <UkoeHB_> Earlier I figured out how to hide the true distribution inside another distribution, but that only works if the true distribution is unknown.
21:01:37 <UkoeHB_> only hides if the true dist is unknown to analyst*
21:02:33 <sarang> We should assume a reasonably-accurate distribution is known (at least its general form, if not parameters)
21:03:00 <sarang> The parameters we use in practice are from Miller, assumed to be "nothing-up-my-sleeve" values (or something reasonably so)
22:50:49 <suraeNoether> i still think it'd be worth it to have those values updated every 6 months or so
22:51:10 <suraeNoether> the market today is not the market in 2017, and the velocity of money largely determines spendtime...
22:51:20 <suraeNoether> one of the stupid things about spendtime is that it's sensitive to economic conditions
22:51:49 <suraeNoether> a depression is when spendtimes are long, and a bubble occurs when spendtimes get shorter; picking a single distribution to capture both regimes is not a smart way around the problem
22:52:15 <suraeNoether> but ya gotta pick *some* spendtime
22:56:45 <sarang> The methods should also be consistent and reproducible
22:56:52 <sarang> All NUMS values