Hi; hope everyone is doing well

I'll be finishing some formal peer review today, wooo

sounds fun :P

Even though the IEEE S&B event is delayed, they'll still maintain the same review schedule

As might be expected given the current world situation, the review process has been... slow

sarang: I can assure you that review processes are always that slow lol

so kudos for working on it early! :D

Heh, noted

I try to get my reviews done earlier

I remember one time my collaborator and I waited over a year for a review...

New LRS proposal: eprint.iacr.org/2020/333

Still reading, but I think it assumes a linear fixed-based key image, which is traceable and not suitable for use

it also appears to use a fixed-index key matrix in one of its constructions, which we also should not use

(so I also think its comparison to MLSAG/CLSAG as deployed is not accurate either)

If needed, I can contact the authors with this information

Is this the post peer-review version? In any case maybe it is good to contact them asap wrt. "so I also think its comparison to MLSAG/CLSAG as deployed is not accurate either"?

It's not clear if that is the case

but I want to give it a thorough read first, of course

But at any rate, the use of a fixed-base linear key image means it's not secure in practice anyway

^ binaryFate

It also has a pretty restrictive security model too

Basically the entire recent CLSAG update work has been to remove such restrictions

Ah ok, I was confused by the authors' notation in that preprint

When they say `m`-ring signature, they mean in the context of key vector dimension, not inputs

The use of a fixed-based key image still means it couldn't be used due to linking

Their signature size is identical to CLSAG

They claim a lot faster performance, even for non-parallel generation and verification, but don't provide a link to their code or any relative operation counts

e.g. if the speedup comes from using a fixed key image base instead of hashing, then that doesn't apply due to the security problem

So I take back earlier when I thought that the comparisons were not accurate... I don't think there can be a comparison without fixing the key image flaw first

Heck, I should run an operation count to see

^ binaryFate

^ proposed email to the authors

comments welcome

Whoops, s/MSLSR/MSLRS/g

This is interesting in part because there doesn't appear (at first glance) to be anything wrong with their security proofs

but rather a consequence of the security model not capturing the one-time address construction

CLSAG's security model doesn't either, but is constructed with the key image linking problem in mind

and RCT3/Omniring/Triptych/Triptych-2 don't have to worry about it in the same way, either because of the VRF construction or (in the case of at least Omniring) building in the OTA construction into the protocol directly

[keybase] <seddd>: _wonders who gets paper 2020-420_

[keybase] <seddd>: If it's a hashing paper, I'm gonna die

Ah, RCT3 does too, that's right

sarang I can't comment on the fundamental meat of it but that's a polite and very clearly written email, very good

Also a bit funny is that this exact same issue is what plagues DLSAG too

!

Do you know the authors? Does it happen often that "unknown" researchers publish something clearly referecing Monero with aim to potentially improve something?

I'm a bit surprised that they published this on IACR 2-3 years after the conference year listed

It's not the first time that a Monero-related preprint has appeared unexpectedly on the archive

I get why they wouldn't necessarily contact MRL, if they fear getting their research scooped (I certainly wouldn't do such a thing)

Anyway, I'll send that email

No clue if they'll choose to revise

but at any rate, we certainly won't be deploying the signature construction from the paper

gotcha

Hopefully it doesn't gain too much traction for potential deployment in production anywhere

It's still interesting from a theoretical perspective

Pity they didn't reach out, no matter the reason :/

Eh, I can understand it if they don't want to get scooped

[keybase] <seddd>: Doubt it would if there was a statement about it's brokenness (mb optimistic)

[keybase] <seddd>: Yeah sucks to be them

Well, the construction itself isn't broken, given its security model

just not safe for the application they suggest

[keybase] <seddd>: Ah, gotcha

I happen to think that revising to note this would be important, to avoid it being implemented in a way that's unsafe

but it's their paper; they can do what they wish

[keybase] <seddd>: True, hopefully they'll take it as a kindness

Part of why the preprint system is cool IMO is to get feedback from other researchers like this

Easier to iterate on an idea, in theory

The downside is it's easy to fall into the trap of thinking that a preprint has been subject to scrutiny or review (I fall into this trap sometimes, for sure)

even if you know that isn't the case

[keybase] <seddd>: Right, same. Do they have a "this is solid + reviewed" section?

[keybase] <seddd>: Or way of tagging?

No

[keybase] <seddd>: yeh, didn't think so

Preprint archive is just a place to post relevant original research

Papers do get a minimal review by the editors, but only for apparent relevance

and that seems entirely reasonable

[keybase] <seddd>: Yeah, and then it's just up to peer review?

[keybase] <seddd>: I mean for getting feedback

<midipoet> To be honest, I don't understand how the "preprint process" has any relation to good science.

[keybase] <seddd>: how so?

<midipoet> But perhaps I don't understand it properly

I think it's hugely beneficial for sharing research with other researchers

[keybase] <seddd>: +1

I think it's not generally useful (and sometimes even harmful) outside of that

e.g. if media picks up on a preprint and doesn't understand the process

<midipoet> Yes, perhaps that is the problem.

But I think the benefits outweight the costs

<midipoet> It seems that it is essentially a great big non-peer reviewed white paper respository.

for sure

<midipoet> So I suppose to speed up research it helps

indeed

Especially because the peer-review process can take a long time, if it happens at all

There aren't enough journals or conferences or reviewers for all the good papers out there

and peer review doesn't guarantee quality peer review either

so it's all a balance of risk, I suppose, like everything in life

<midipoet> But I didn't think that cryptography would be a field that prioritises quantity over quality (perhaps those aren't the correct descriptors)

It's a really active field

that often has a lot of applications

<midipoet> There are enough authors, but not enough reviewers?

That seems accurate

Because the authors are also reviewers...

who are often professors who have their own classes and research etc.

and review is time-consuming

Not to mention that submitting papers is a linear process that can't be done in parallel

i.e. you need to submit, then wait for a response, then submit elsewhere, etc.

you can't usually submit to multiple destinations at once

That might be more reasonable in some fields, but cryptography moves quickly

<midipoet> Yes sarang, I understand the process. But sometimes the slower pace means better overall quality of research

so having access to interesting new techniques is important and useful

Why would that be?

It's not like review is slow because the reviewers take the entire time for the process

or that non-parallel submission means you do more research on that topic

<midipoet> Like, what percentage of the preprints, in you opinion, may have significant deficiencies/be repeated work, not reference previous work, etc?

Well, most work builds on previous stuff in the field

<midipoet> Those new techniques could be shared in different formats than non-reviewed papers, could they not?

Or is inspired by current research trends

Like what?

<midipoet> no, I meant the review process means that submissions are usually of higher quality, as they dear rejection.

<midipoet> *fear

Some, perhaps

Certainly not all

but good point

Although many good papers get rejected all the time

and the process starts over

:/

<midipoet> I would say the vast majority of papers that are submitted to peer review are of higher quality.

<midipoet> The rejection process is of itself a scientifically beneficial process

<midipoet> Provided the review process is properly done, of course

I don't think rejection is necessarily strongly correlated with quality

<midipoet> Like, would you want this preprint process be applied to medicine?

<midipoet> (though admittedly perhaps it is!)

Absolutely, provided the results are applied properly

I would certainly not want my doctor to give me advice based solely on a preprint

<midipoet> And what about Law?

I don't know enough about that field, sorry

Anyway, we should move this to -lounge probably

<midipoet> Well, I certainly wouldn't want legal advice given on a law non reviewed pre-print

makes sense

[keybase] <seddd>: right, but an impl on a pre-print under application for standardization isn't so bad.

[keybase] <seddd>: especially under the assumption of change or total failure

<midipoet> As an aside, it's interesting to see the guides for medical preprints (it is a thing, but with caveats)

<midipoet> sciencemag.org/news/2019/06/medical-preprint-server-debuts

[keybase] <seddd>: agree good impls and professional products/services should have a strong basis, vetted by multiple independent, reputable sources

to -lounge !