00:37:47 <Isthmus> I always assume that one of us is secretly a 3 letter agency, and somebody else is probably a Fortune 500 company that is still in stealth mode about cryptocurrency adoption. :- P
00:38:21 <Isthmus> Anyways, what do y'all think about extra decoy outputs for the sake of artificially increasing the anonymity set?
00:38:23 <Isthmus> https://github.com/MyHush/sietch
00:38:35 <Isthmus> I don't agree with 100% of the statements in that GitHub issue, but I do find the idea thought provoking
00:39:25 <Isthmus> Kind of depends on ratios between transaction volume, output volume, and ring size
00:39:59 <Isthmus> s/GitHub issue/Sietch writeup on GitHub
00:39:59 <monerobux> Isthmus meant to say: I don't agree with 100% of the statements in that Sietch writeup on GitHub, but I do find the idea thought provoking
00:42:42 <sarang> This has been brought up several times over the years
00:50:29 <sarang> The previous context was mainly about the idea of reducing the effects of entities colluding with known outputs to reduce the effective anonymity set
01:38:00 <derpy_bridge> <[keybase] unseddd>: sarang: agree that increasing the anonymity set is a good idea, along with removing the ability of malicious actors to collude in a way that reduces the anonymity set for all users. am advocating for not using an algorithm that is too greedy, rejecting legitimate auxilliary input(s), claiming they are malicious
01:41:52 <sarang> You can't prevent entities from colluding
01:42:55 <sarang> Nor can you reliably detect what outputs belong to such entities without significant external information
01:43:33 <derpy_bridge> <[keybase] unseddd>: what i mean, is removing user control over vulnerable aspects of the protocol as much as possible, e.g. deterministic tx-building to defeat Janus attacks
01:43:54 <sarang> FWIW the percentage of outputs that need to be controlled by colluding entities (or otherwise suspected/known to be non-signers) to destroy a ring signature is nontrivial
01:44:01 <sarang> and keep in mind that this is very time-based
01:44:12 <sarang> since decoy selection by default is not uniform over time
01:44:26 <sarang> unseddd: decoy selection is not protocol enfoced
01:44:28 <sarang> *enforced
01:45:04 <sarang> There have been proposals to do so, but they do not play nicely with accurate spend distribution estimates
01:46:32 <derpy_bridge> <[keybase] unseddd>: great! that should make implementing/integrating hardening changes there won't require any consensus changes / hard-forks, right?
01:46:49 <sarang> What kind of change
01:47:13 <sarang> Changes to non-enforced decoy selection are, by definition, not enforced =p
01:47:56 <derpy_bridge> <[keybase] unseddd>: still don't fully understand the idea of non-uniform distribution, if spend distributions can't be analyzed on Monero
01:48:33 <sarang> They can't directly
01:48:47 <sarang> But some early transactions can be
01:48:54 <sarang> and this distribution can be compared to transparent chains
01:49:01 <sarang> They turn out to be similar
01:49:26 <derpy_bridge> <[keybase] unseddd>: the distribution algo from stdlib also causes clang builds to fail for Monero, so replacing it with a uniform random distribution would fix two things
01:49:27 <sarang> This is assumed to be a reasonable approximation
01:49:43 <sarang> A uniform random selection from the chain is not suitable
01:49:58 <derpy_bridge> <[keybase] unseddd>: maybe Monero used uniform random distribution before, and it caused issues?
01:50:01 <sarang> because outputs are not equally likely to be spent as a function of their age on chain
01:50:19 <sarang> Newer outputs are _much_ more likely to be spent
01:51:05 <sarang> If the selection algorithm differs significantly from the expected spend age distribution, you can build a heuristic for the most likely signer based on this
01:51:27 <sarang> So while moving to a simple distribution is useful for protocol-enforced decoy selection, it is terrible for adversarial heuristics
01:52:15 <sarang> If there are problems with the current distribution, it might be possible to rewrite a custom version that builds properly with other tools
01:52:21 <sarang> (I have not run into this problem personally)
01:57:15 <derpy_bridge> <[keybase] unseddd>: try building Monero with clang, you'll run into the issue
02:00:44 <Isthmus> I want R = fxn[seed, height]
02:01:08 <Isthmus> seed is any integer, height is a block height
02:01:14 <derpy_bridge> <[keybase] unseddd>: also advocating for enforcing decoy selection, at least in some of the ways mentioned for Janus mitigation, i.e. making tx-building verifiable, even if optional
02:01:31 <sarang> Isthmus: ?
02:01:52 <Isthmus> And the output R is a set of ring members [technically, a list of output indices] that satisfy our decoy selection algorithm
02:01:53 <sarang> Oh you mean deterministic ring selection
02:02:00 <sarang> Yes, this method exists
02:02:08 <sarang> but in general requires inverse transform sampling
02:02:16 <Isthmus> Oooh, tell me more
02:02:33 <derpy_bridge> <[keybase] unseddd>: Isthmus: you want fxn? ;p
02:02:36 <Isthmus> Oh, having to generate sets of R's to find one that includes your output?
02:02:44 <Isthmus> fxn, yes plz
02:03:06 <sarang> http://spar.isi.jhu.edu/~mgreen/mixing.pdf
02:03:13 <sarang> For simple distributions it's efficient
02:03:19 <sarang> (I have simple code that shows examples of this)
02:03:30 <sarang> For more complex distributions, not so much
02:03:39 <derpy_bridge> <[keybase] unseddd>: _gib Isthmus fxn_
02:03:45 <sarang> Because the verifier needs to use the seed data to reconstruct the output set
02:04:39 <sarang> The paper shows it for uniform sampling and the old triangular sampling
02:05:09 <Isthmus> O rly?
02:05:13 <sarang> yes
02:05:20 * Isthmus scopes it out
02:05:24 <sarang> but our distribution is not nearly so straightforward as lines
02:05:39 <sarang> It relies on keyed hash functions
02:06:09 <Isthmus> Here's a weird, maybe heretical question
02:06:48 <Isthmus> How closely does our decoy selection algorithm need to match the real spend time distribution
02:07:03 <Isthmus> If we ask "what is the ideal decoy selection algorithm" the trivial answer is "our best approximation of the spend time"
02:07:03 <derpy_bridge> <[keybase] unseddd>: not familiar, will check it out. perhaps uniform-random is naive, as am still familiarizing myself with Monero attach surface / design choices. however, continuing a heuristic based only on information exposed by the earliest txes seems a large technical debt
02:07:17 <Isthmus> But is this the *only* possible approach that would provide adequate cover?
02:07:27 <derpy_bridge> <[keybase] unseddd>: *attack
02:08:54 <sarang> Miller et al. look at this difference
02:09:28 <sarang> Well, it's important to note that there is (ideally) no way to check the validity of age-based guesses
02:10:01 <sarang> So on their own, they provide no particular provable data
02:10:43 <sarang> and it's not at all clear what a quantifiable definition of "plausible deniability" for a ring signature looks like in practice
02:11:28 <sarang> unseddd: how does the selection algorithm imply technical debt?
02:12:09 <sarang> We have no particular reason to think that Monero spend age distributions differ from the combination of known Monero spend data and Bitcoin spend data, which show the same trends
02:12:14 <sarang> (and we can't check this anyway)
02:12:21 <derpy_bridge> <[keybase] unseddd>: unfortunately don't think practical knowledge of plausible deniability will be know until it's used in a court case or similar
02:12:31 <sarang> and FWIW the distribution is not that complicated
02:12:51 <sarang> it just doesn't play as nicely with sampling that would make deterministic selection reasonable
02:15:22 <derpy_bridge> <[keybase] unseddd>: since the effect of uniform random selection on deniable plausibility is unknown, and the effects of non-deterministic selection is known (Janus), would favor mitigating the latter given more research on the former
02:17:19 <Isthmus> I don't really think much about "plausible deniability," since it's an artificial construct that will vary by every jurisdiction and decade. My only interest is in statistical obfuscation.
02:18:09 <sarang> Janus is about subaddress faking, not decoy selection
02:18:21 <sarang> And uniform selection is a terrible option
02:18:35 <derpy_bridge> <[keybase] unseddd>: basically, if we can measure the effects of uniform random distribution on selection, and it is found to not break anything, lets use uniform random
02:18:35 <sarang> Under all but the simplest risk assumptions
02:19:01 <sarang> Uniform selection doesn't break anything except statistical expectations of spend ages
02:19:02 <derpy_bridge> <[keybase] unseddd>: why terrible?
02:19:12 <sarang> Because it basically gives away the likely signer
02:19:35 <sarang> And an adversary can use that to weight the likely true tx graph
02:19:43 <derpy_bridge> <[keybase] unseddd>: statistics that cannot be verified, or even measured, on the current chain?
02:20:03 <sarang> No but they can be used as part of broader graph techniques
02:20:13 <sarang> And they're a really good heuristic
02:20:59 <derpy_bridge> <[keybase] unseddd>: giving away the likely signer is disasterous, if that really is the effect, definitely no uniform random
02:22:33 <derpy_bridge> <[keybase] unseddd>: good heuristic based only on unspent early txes right? am misunderstanding something? create a turnstyle-like protocol, and remove the ability to perform those heuristics. problem solved, no?
02:25:32 <sarang> That's not really the point
02:25:59 <sarang> The point is that we know how users tend to spend outputs based on other chains and early Monero data
02:26:41 <derpy_bridge> <[keybase] unseddd>: thought removing heuristics was the point, where have gone wrong?
02:27:13 <sarang> Selecting decoys according to expected spend patterns is the mitigation to this heuristic
02:27:32 <sarang> That's exactly why we use the algorithm we do
02:27:41 <sarang> And continue to iterate on it
02:28:37 <derpy_bridge> <[keybase] unseddd>: right, just trying to think of a more permanent solution, so you do not have the technical debt going forward
02:28:53 <sarang> How is it technical debt
02:29:08 <sarang> I don't really follow
02:29:57 <derpy_bridge> <[keybase] unseddd>: having to continually update a selection algo based on best-guesses and heuristics sounds like technical debt to me
02:29:58 <gingeropolous> yeah, the output selection doesn't create technical debt afaict.
02:30:24 <gingeropolous> its more like a technical burden
02:30:51 <hyc> a lot of aspects of security are continually moving targets
02:30:56 <derpy_bridge> <[keybase] unseddd>: burden == debt ...
02:31:10 <sarang> It's not ideal, but it is a consequence of ring signatures
02:31:31 <gingeropolous> well yeah, semantics
02:31:32 <hyc> you can't really pick a single algorithm and carve it into stone. it'd be like the maginot line, someone will walk around it.
02:31:53 <gingeropolous> simple answer is ringsize a bajillion
02:32:03 <sarang> The goal is transaction uniformity, which depends in part on usage patterns
02:32:15 <sarang> We need to adapt to them as best we can
02:32:29 <sarang> This is part of it
02:33:15 <derpy_bridge> <[keybase] unseddd>: hyc: get that security, and the fight for privacy is ever-moving, just tring to think of things that will make Monero have to move less in this particular direction. totally understand that i do not comprehend the full picture yet
02:33:56 <gingeropolous> those are good thoughts to have. less human hands the better
02:33:56 <sarang> There are techniques like binning that can apply better at larger ring size
02:34:26 <sarang> These have the added advantage of reducing communication complexity
02:35:09 <derpy_bridge> <[keybase] unseddd>: sarang: are those ring sizes practical?
02:35:19 <sarang> That's the current goal
02:35:25 <sarang> We're getting there
02:36:11 <derpy_bridge> <[keybase] unseddd>: ok awesome! then will direct my attention there :)
02:36:18 <sarang> I assure you it is not an easy problem to solve
02:36:47 <gingeropolous> nonsense! just put it on a blockchain!
02:36:58 <sarang> Brilliant
02:37:17 <derpy_bridge> <[keybase] unseddd>: no, wouldn't think it is, but at willing to throw some braincells at it
02:37:24 <sarang> Please do
02:37:43 <sarang> Nobody has totally solved it yet
02:38:33 <derpy_bridge> <[keybase] unseddd>: is there a tracking issue for ongoing efforts?
02:39:28 <hyc> the current effort is in CLSAG isn't it?
02:40:26 <sarang> Clsag is more of a stopgap
02:40:52 <derpy_bridge> <[keybase] unseddd>: oh, so CLSAG and it's successors would enable large enough ring sizes for binning?
02:41:07 <sarang> Other efforts include Ommiring, Triptych, Lelantus, RCT 3, Arcturus
02:41:19 <sarang> Clsag would not
02:41:38 <sarang> Some are externally developed, others are in house
02:45:41 <derpy_bridge> <[keybase] unseddd>: sarang: is there a paper(s) or description of the binning technique you mentioned?
02:48:15 <gingeropolous> unsedd, https://eprint.iacr.org/2019/186.pdf
02:48:22 <gingeropolous> i think thats the reference
02:49:20 <sarang> https://petsymposium.org/2018/files/papers/issue3/popets-2018-0025.pdf
02:51:25 <gingeropolous> woops
03:00:40 <derpy_bridge> <[keybase] unseddd>: gingeropolous, sarang: many thanks :)
03:29:18 <derpy_bridge> <[keybase] unseddd>: yeah, that paper makes it obvious that uniform distribution is terrible for input selection. sorry for wasting time suggesting it
04:25:15 <derpy_bridge> <[keybase] unseddd>: would be interesting to re-run the POPETS18 analysis using most current chain data, see if their results still hold. still need to read the IACR paper
07:48:39 <derpy_bridge> <[keybase] unseddd>: by re-running the analysis, only mean using the current 11-mixin with Gaussian distribution, and compare with say 11-mixin, (3,4)-bin binning strategy
07:51:56 <derpy_bridge> <[keybase] unseddd>: the 7-mixin, 4-bin gives 4.0 min-untraceability in the POPETS18 paper, so curious to see if the 11-mixin, 4-bin strategy gets close to ideal 1/11 chance of 100% traceability