00:43:31 <sarang> Due to the recent time change in the United States and elsewhere, tomorrow's research meeting will be at 17:00 UTC instead of 18:00 UTC (an hour earlier if your region did not experience a time change)
14:56:07 <sarang> Reminder: today's meeting is at 17:00 UTC (not 18:00 UTC), which is about two hours from now
15:28:16 <sgp_> sarang: are all MRL meetings going to be at 17 utc during DST?
15:28:51 <sarang> I expect so, unless others object
15:32:56 <moneromooo> Objection, leading.
15:34:28 <sarang> moneromooo: I updated my PR to your branch with an updated performance test
15:34:50 <sarang> It fails the github CI tests, but it was forked from an older master
15:37:03 <moneromooo> OK, I shall merge today. Thanks.
15:41:03 <moneromooo> So the workhorse is completely rewritten then ?
15:41:30 <moneromooo> Oh, maybe just moved...
15:56:07 <sarang> ?
15:56:25 <sarang> The PR has two commits on top of your earlier work
15:57:07 <sarang> The big overall picture is to move verification into a single routine, rather than one routine to prepare the commitment differences and another to do the CLSAG-specific stuff
16:21:38 <sarang> The tests are updated since now it doesn't make sense just to test the CLSAG routines, since they're closely tied to the prove/verify higher-level routines
16:54:09 <sarang> Meeting will start in about 5 minutes or so
16:59:44 <sarang> OK, let's begin the meeting!
16:59:56 <sarang> Agenda is here: https://github.com/monero-project/meta/issues/445
17:00:03 <sarang> Logs will be posted there after the meeting
17:00:09 <suraeNoether> good morning
17:00:12 <sarang> First on the list, GREETINGS
17:00:13 <sarang> hi
17:00:59 * selsta lurking for CLSAG updates
17:01:03 <sarang> Note that because of a recent time change for the United States and elsewhere, these meetings will take place at 17:00 UTC instead of 18:00 UTC
17:01:12 <ArticMine> hi
17:01:21 * sarang will wait a few moments for folks to arrive
17:02:05 <Isthmus> heya sarang and artic
17:02:12 * Isthmus puts on lab coat and goggles
17:02:53 <sarang> I suppose we can move on to ROUNDTABLE
17:02:58 <sarang> Who wishes to share research topics of interest?
17:03:15 <vtnerd> hi
17:03:37 <UkoeHB_> Hi
17:03:43 <suraeNoether> well
17:03:55 <suraeNoether> i want to give a brief two-part update
17:03:58 <sarang> Go ahead suraeNoether!
17:05:15 <suraeNoether> firstly, personally: i'm going to have to take a break from monero for a few weeks while i get this medical stuff figured out. importantly: i'm not stopping work. I just don't know how much time i can actually contribute practically.
17:05:57 <sarang> Oof, sorry to hear this. I hope everything goes well for you suraeNoether
17:06:46 <ArticMine> sorry to hear this. I hope all goes well
17:07:29 <suraeNoether> secondly: my research into matching is a hydra where fixing one bug is revealing handfuls of more bugs, and i'm getting super frustrated with it. this is particularly important work for a few reasons, but for right now i don't anticipate movement any time soon. one of the reasons that this has become so frustrating to me is that certain threats to monero that are going to become more likely over the
17:07:29 <suraeNoether> next several years to be presenting themselves that make the answers that lie within this work *lower priority* than other things. i mean this very specifically in the following sense
17:08:18 <suraeNoether> everyone should know that our anonymity reduces to something like the one-more decisional diffie hellman problem, and our unforgeability reduces to something like one-more discrete logarithm
17:08:44 <suraeNoether> both of these are known to not be hard for quantum adversaries, and while quantum computers are not yet practical...
17:09:25 <suraeNoether> it doesn't matter what ring size we use if china goes "manhattan project" on quantum computers and turns their resulting computing power on de-anonymizing privacy coins in secret.
17:10:07 <suraeNoether> my work on matching would give us answers to questions like "how large should ring sizes be *assuming the underlying problem that our anonymity rests upon is hard to solve*" but we know that this problem is only going to be hard over the short term
17:10:12 <sarang> FWIW such a "quantum adversary" could wreak havoc on basically the entire global internet
17:10:32 <suraeNoether> indeed ^ but that's in fact exactly all the more reason to become resistant to a quantum adversary sooner rather than later
17:10:56 <UkoeHB_> How realistic is a quantum adversary?
17:10:57 <ArticMine> ^ I agree
17:11:04 <suraeNoether> if it takes 3 years to migrate to a quantum-secure system, and we hope something like clsag or triptych has a 3 year shelf life, then we should be looking at what will be practical 6 years from now
17:11:15 <sarang> In the shorter term, understanding the effects of ring size on matching-type analysis is useful for knowing how large to make ring size for a next-gen protocol
17:11:22 <Isthmus> Uhm
17:11:43 <Isthmus> Would an adversary with a quantum computer break ring signatures or just decrypt the transactions?
17:12:01 <suraeNoether> both: they can compute the discrete log of every one-time key and then they just own all of monero
17:12:10 <Isthmus> Yeah, I'd just do that.
17:12:15 <suraeNoether> yeah
17:12:17 <suraeNoether> so like
17:12:25 <sarang> Once you have key discrete logs, you can check key images
17:12:31 <suraeNoether> matching: important. investigating quantum-secure schemes: higher priority, even over a relatively short 3-year term
17:12:54 <suraeNoether> so every time i kill a bug in my matching code, i become more painfully aware: i'm fighting the wrong hydra
17:13:20 <sarang> I still think it's very valuable
17:13:20 <Isthmus> Yeah, we've been doing some quantum vs crypto experiments at Insight lately
17:13:24 <suraeNoether> long story short, i'm prsently working on a summary-of-knowledge of quantum-resistant RingCT-type protocols, 3 of which have been proposed in the past 3 years
17:13:29 <sarang> Otherwise, "bigger rings are better" is a qualitative statement
17:13:38 <suraeNoether> just for community education reasons
17:13:41 <suraeNoether> sarang: absolutely agreed
17:14:14 <sarang> My recent work on Triptych-2 and chain simulations shows, as expected, that ring size has a large effect on verification complexity
17:14:22 <UkoeHB_> Can you also evaluate how realistic a quantum adversary is? I recall general skepticism of them ever materializing
17:14:36 <sarang> So choosing the smallest rings that do the job is important
17:14:53 <suraeNoether> UkoeHB_: yeah, so basically here's a qualitative answer to that question
17:15:08 <Isthmus> We're already working on 5 [actual] qbits
17:15:21 <Isthmus> (Insight working on IBM equipment)
17:15:30 <Isthmus> Expecting this to scale in the next few years
17:15:31 <suraeNoether> you may recall the sensationalist headlines a few months ago: https://www.eurekalert.org/pub_releases/2020-02/aps-teo022720.php
17:15:42 <suraeNoether> quantum supremacy is probably a bad term but
17:15:59 <suraeNoether> before these researchers did what they did, the *fastest way to figure out what a quantum computer can do* would be to *simulate it on a classical computer*
17:16:15 <sarang> Quantum supremacy is a poor metric for usefulness IMO
17:16:25 <sarang> Such problems are typically highly contrived
17:16:29 <suraeNoether> because of these guys' work, that is no longer the case: there now exist quantum computers that cannot be simulated more quickly than they can operate. this is a critical benchmark for scaling quantum
17:16:33 <Isthmus> @surae should I just loop in my quantum/crypto engineer for a few weeks, so you can focus on the matching hydra?
17:16:50 <Isthmus> They're already looking into the schemes, and would probably be happy to work on Monero
17:17:34 <suraeNoether> google's bristlecone has 72 qubits running
17:17:44 <suraeNoether> isthmus: let's set up a call for later this week
17:17:55 <vtnerd> well I have to say it ... quantum computers are BS, they just spin hyperbole but go nowhere. There was a discussion about this on metzdowd
17:18:38 <Isthmus> Given retroactive denonymization doesn't really matter if they're 5 or 15 years off, we gotta hustle to protect Monero users in 2020
17:18:49 <suraeNoether> do you mean like computers based on quantum principles will never work, vtnerd? can you clarify?
17:18:59 <suraeNoether> isthmus ^ bingo
17:19:21 <vtnerd> someone discussed the progress made on metzdowd. Its been very little over 25+ years
17:19:46 <vtnerd> the researchers have alwasy been just on the edge of making it a reality
17:20:39 <suraeNoether> okay well
17:20:50 <suraeNoether> the researchers into QC i've spoken with disagree
17:20:55 <suraeNoether> and that's an appeal to authority
17:21:09 <vtnerd> admitedly this isn't my expertise, but theres time tradeoffs investigating these QC resitistent systems
17:21:55 <suraeNoether> but i think it's absolutely silly to say that very little progress has occurred over 25 years, and it's even sillier to assume that no progress will be made ala cold fusion, and i think it's even sillier to propose that we, say, avoid quantum-secure implementations rather than looking into the costs and benefits and time horizons of implementing them
17:22:28 <vtnerd> and the one thing thats bizarre, is when someone builds a QC system, we basically ahve to reboot on general purpose computing projects, no? Like one year out are they even cracking crypto?
17:23:05 <suraeNoether> well, i don't want to take more time on this: my update is that i have to step back from monero for awhile, and i'm looking into RLWE-based ring signatures
17:23:14 <Isthmus> Y'all know the tech cycle. Many-year winters leads to the most exciting explosions. AI, crypto, quantum... the pattern repeats
17:23:18 <suraeNoether> i'll still be presenting at meetings and coming by and stuff
17:24:11 <suraeNoether> for folks who are interested, the wikipedia article on the timeline of quantum computing has lots of good info
17:24:58 <sarang> OK thanks suraeNoether
17:25:02 <sarang> I have a few things to share
17:25:05 <sarang> First, CLSAG
17:25:15 <sarang> I've completed review of suraeNoether's security model updates
17:25:23 <sarang> suraeNoether: I've left several Overleaf review comments for you
17:26:09 <sarang> Along with that, I migrated some recent CLSAG verification optimization code to moneromooo's branch, along with relevant unit and performance tests
17:26:20 <sarang> Saves about 5% on verification, which seemed worth it
17:27:09 <sarang> Relating to Triptych: I made a minor update to the original Triptych-1 preprint for readability, but also completed the Triptych-2 preprint
17:27:29 <sarang> Here is a link to the Triptych-2 preprint on Overleaf: https://www.overleaf.com/read/ynfkhykjfvrd
17:27:53 <sarang> I'd appreciate any review on it prior to posting to the IACR archive
17:28:27 <sarang> Unrelated to these, I've been catching up with literature review
17:28:46 <sarang> and, as a program committee member for the IEEE S&B conference, I'm reviewing submissions
17:28:52 <suraeNoether> i'll take a look at your comments and read through triptych 2: electric bugaloo
17:29:00 <sarang> Thanks suraeNoether
17:29:05 <sarang> IMO the CLSAG review is top priority
17:29:15 <selsta> Did you contact Teserakt?
17:29:38 <sarang> I'd like to wait on confirming a schedule until we have this paper done
17:29:53 <sarang> Otherwise we risk losing the availability again due to delays
17:30:48 <sarang> Anyone who wants to review the CLSAG optimizations can see this branch: https://github.com/SarangNoether/monero/commits/clsag-mooo
17:31:34 <sarang> Finally, my funding proposal needs feedback on GitLab before it's decided whether to open it: https://repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/131
17:31:39 <sarang> That's all for me today
17:31:47 <sarang> Does anyone else wish to present, or have questions?
17:34:24 <suraeNoether> i propose that we fund sarang
17:34:33 <suraeNoether> but no
17:34:36 <suraeNoether> no questions
17:34:48 <Isthmus> I propose that we fund surae
17:34:49 <sarang> Heh, then leave a reaction or comment on gitlab!
17:34:54 <Isthmus> I've been wrestling with a weird conundrum
17:35:27 <sarang> Go on
17:35:28 <Isthmus> I'm thinking about modifying my wallet to only select decoys from transactions generated by the core wallet
17:35:47 <Isthmus> But then that in and of itself becomes a subtle heuristic
17:35:49 <sarang> Ah, so using fingerprinting to pick the most "standard" decoys?
17:36:05 <Isthmus> Not "most"
17:36:12 <Isthmus> Something either looks like the core wallet, or provably isn't
17:36:14 <sarang> Heh, yeah, it kicks the fingerprinting can slightly down the road
17:36:56 <Isthmus> I guess if almost everybody used only outputs generated by the core wallet, then it wouldn't be a heuristic to fingerprint me
17:37:16 <Isthmus> *outputs that cannot be proven to have not originated from the core wallet
17:37:18 <Isthmus> ^ to be very specific
17:37:36 <sarang> got it
17:38:05 <Isthmus> Eh, I dunno. Don't really have a solution. It was just funny that I worked on it for a it before realizing that it becomes its own heuristic xD
17:38:25 <Isthmus> Anyways, nothing much from me. I've had about 20 minutes per week for Monero lately
17:38:37 <Isthmus> But in May, we're gonna have some long talks and clean house
17:39:04 <sarang> ?
17:40:02 <Isthmus> Have 7 heuristics that have now partitioned out upwards of 20 different implementations.
17:40:11 <Isthmus> Most of which I've shared in MRL already
17:40:22 <UkoeHB_> 20 sounds like a lot
17:40:29 <UkoeHB_> monero is really doing well if there are 20
17:40:38 <Isthmus> That's unfiltered for time.
17:40:49 <Isthmus> Going to clean it to recent blocks and see what's in the wild *now*
17:41:02 <sarang> So some might be updates to the same implementations?
17:41:02 <Isthmus> It's at least 3 right now,
17:41:36 <Isthmus> Yeah, that's why I'm not really sweating the 20
17:41:52 <Isthmus> I think it's 3-5 in current era
17:42:19 <Isthmus> Which is pleasantly(?) surprising
17:43:05 <Isthmus> But yea, with absolutely no time to work on it now, hard to put together a full writeup
17:43:15 <Isthmus> But will definitely circle back in the next 2 months
17:44:01 <sarang> Sounds good!
17:44:07 <sarang> Anyone else wish to share any research?
17:44:50 <UkoeHB_> hi, ztm2 proofreading draft is updated (with feedback from sarang about bulletproofs, and also the clawback formula regarding tx weights) https://www.pdf-archive.com/2020/03/11/zerotomoneromaster-v1-1-1/zerotomoneromaster-v1-1-1.pdf
17:45:02 <UkoeHB_> 2 more weeks for proofreading
17:46:25 <sarang> Good feedback so far overall?
17:46:27 <UkoeHB_> also, looked into next-gen tx key image generation for multisig (sarang has a solution for it), and it seems like inversion key images wont greatly disrupt multisig transaction flows (especially escrowed markets, which is a big deal)
17:46:32 <UkoeHB_> Not much feedback so far
17:47:41 <UkoeHB_> But it's 152 pages so not surprising
17:48:24 <UkoeHB_> that's all from me
17:48:38 <sarang> OK, let's move on to ACTION ITEMS for the next week or so
17:48:51 <sarang> I'll await final word on my CLSAG review notes
17:48:54 <UkoeHB_> wondering if ArticMine has progress on fees
17:49:15 <sarang> Continue working on Triptych
17:49:57 <Isthmus> Why did it switch from 02 to 20?
17:50:00 <Isthmus> oops
17:50:02 <ArticMine> Yes I do
17:50:03 <Isthmus> ignore that
17:50:51 <sarang> Go ahead ArticMine!
17:51:13 <ArticMine> I am looking at making the penalty free one also dynamic and using the long term median to control it
17:52:14 <ArticMine> Also slowing down the fall in the long term median to match the constraint on the rise
17:52:58 <sgp_> just got caught up
17:53:10 <ArticMine> So it does not go from say 3000000 bytes 300000 bytes in one shot
17:54:17 <ArticMine> The new dynamic penalty free one would track the long term median at say 20 - 25% of the long term median
17:55:01 <Isthmus> Ooh interesting
17:55:20 <ArticMine> This will provide predictable fee over time
17:56:34 <sarang> Will you have a specific proposal for this, intended for a network upgrade?
17:56:50 <ArticMine> The models I am looking at is a sharp drop, followed by a fiat banking crisis that creates a very sharp rise
17:56:52 <ArticMine> Yes
17:57:27 <sarang> OK, any final thoughts or topics before we wrap up this hour?
17:58:06 <suraeNoether> be kind to each other
17:58:10 <suraeNoether> just be excellent
17:58:12 <suraeNoether> you animals
17:59:19 <sarang> All right, thanks to everyone for attending. Adjourned!
18:00:06 <sgp_> suraeNoether: you still here?
18:01:03 <sgp_> I know you're not especially interested in matching compared to the newer stuff, but it needs to be done for the safety of Monero users
18:01:03 <suraeNoether> Yep
18:01:17 <suraeNoether> It's not a matter of lack of interest
18:01:32 <sgp_> Matching will make a huge influence on how Monero changes its protocol the next few months to years
18:01:51 <suraeNoether> Yes, it will.
18:02:18 <sgp_> You've also been working on this project since what, the beginning of 2018? Almost 2 years?
18:02:28 <sgp_> (not exclusively of course)
18:02:39 <suraeNoether> Yes.
18:03:05 <sgp_> I really think it's time to figure out a way to get some insights out of this project
18:03:17 <sgp_> Even if they're limited in some way
18:07:36 <suraeNoether> Well, I certainly can't disagree with that
18:09:34 <UkoeHB_> Deciding ring size for the next gen transaction protocol might be difficult without an analysis backing it up, since verification times are linear.
18:09:48 <sgp_> So what would that potentially look like? The MVP based on what you currently have
18:10:16 <sgp_> UkoeHB_: exactly, we can use common sense, but we should be using more than just that
18:18:05 <sgp_> suraeNoether ^
18:18:20 <suraeNoether> I am thinking about it
18:23:17 <suraeNoether> So, for one thing, I have non-elective surgeries coming up, so in a practical sense the question is 'what would be required to hand the project off to someone else to finish'
18:25:00 <suraeNoether> And in that regard, I have made my code available this entire time, and my latest commit appears to be passing unit tests. My simulator writes a ledger to file in a human readable format. There, in theory, has been nothing stopping anyone from picking it up in the first place. I can expand upon my notes in my md files so that in principle a new person could pick it up to finish it
18:25:54 <suraeNoether> Looking back on it with atoc, who offered to help, I should have taken him up on that offer, but the funding issues around it were a little thorny for me
18:28:35 <suraeNoether> There are a couple of more things I can try for debugging, but it would take days or weeks to get another person up to speed on that project
18:30:16 <suraeNoether> The annoying part is that the gap between MWP and full working product is zero: if the code starts working, it just spits out a complete and total analysis into a csv file anyone can open
18:30:29 <Isthmus> If there's funding for it, I have several few researchers with graph theory and python background that could run with it for a quarter
18:30:39 <Isthmus> A fresh set of eyes might be nonlinearly productive too
18:30:39 <suraeNoether> Which is why I had to think about your question sgp_
18:31:03 <suraeNoether> Oh yes, if you have postdocs with those skillsets, let's arrange a call for later today
18:33:08 <Isthmus> 👍
18:34:33 <vtnerd> where is this code?
18:36:00 <suraeNoether> https://github.com/b-g-goodell/mrl-skunkworks
18:36:09 <suraeNoether> Matching mojojo branch
18:36:17 <suraeNoether> Under the folder Matching
18:36:45 <suraeNoether> https://github.com/b-g-goodell/mrl-skunkworks/blob/matching-mojojo/Matching/graphtheory.py graphtheory has been passing tests for ages
18:37:11 <suraeNoether> My simulator, which generates a monero ledger together with a ground truth, is super fragile
20:44:47 <gingeropolous> <suraeNoether> long story short, i'm prsently working on a summary-of-knowledge of quantum-resistant RingCT-type protocols, 3 of which have been proposed in the past 3 years <<< nice