-
sarang
Reminder that today's research meeting is at 17:00 UTC
-
sarang
.time
-
monerobux
2020-05-20 - 15:56:43
-
sarang
about one hour from now
-
sarang
-
sarang
We'll get started in just a couple of minutes
-
sarang
OK, let's begin
-
sarang
!
-
sarang
GREETINGS
-
sarang
hello
-
sgp_
hello
-
dEBRUYNE
hi
-
» sarang will wait a bit for others to arrive
-
xmrmatterbridge
<telapongo23> Hi guys, just eavesdropping here :-D
-
» Isthmus waves
-
hyc
hello
-
sarang
Let's move to ROUNDTABLE, where anyone is welcome to share research topics of interest
-
sarang
Who wishes to share something? (I saw Isthmus just posted to the agenda issue)
-
ArticMine
Hi
-
sarang
I suppose that I can share a few items
-
sarang
First, I'll review some Arcturus numbers, some of which were presented last week
-
sarang
Recall that Arcturus is a modification of Triptych that needs only one proof per transaction, instead of one proof per spend
-
h4sh3d[m]
Hi
-
sarang
(making it similar to RCT3's update and Omniring)
-
sarang
I'll link some plots...
-
sarang
-
sarang
-
sarang
-
sarang
You can see the improvement as the number of inputs increases
-
sarang
From last week, I'll re-post the timing data...
-
sarang
-
sarang
-
sarang
Related to this, I've been working on the Arcturus transaction security model, which uses an Omniring-style balance game/definition and applies it to the combination of Arcturus proofs and Bulletproof range proofs
-
sarang
I'll post that update when I've finished typesetting it and reorganizing the preprint on IACR
-
sarang
(but it's still in progress!)
-
sarang
Any questions for me on this material?
-
hyc
Arcturus seems to blow away the other sig mechs
-
fort3hlulz
What's the main drawback(s) of Arcturus compared to other sig mechs?
-
fort3hlulz
Seems like a clear win, but maybe there is something I'm missing.
-
sarang
The RCT3 update beats it for overall size (when looking at the whole chain), but that does very poorly in verification due to input padding
-
sarang
Arcturus relies on a nonstandard cryptographic hardness assumption
-
hyc
what are the implications of being nonstandard? needs further proofs?
-
sarang
You can see the full-chain comparative estimates on page 12 of the Arcturus IACR preprint:
eprint.iacr.org/2020/312.pdf
-
sarang
note that in Figure 3, RCT3 wins, but in Figure 4, it loses
-
sarang
(size vs time)
-
sarang
It would need external study to see if it can either be reduced to more standard assumption, broken, or considered/tested enough to be considered reasonable
-
sarang
Triptych does not have this limitation, and relies on only standard assumptions
-
sarang
I'm submitting it to conference proceedings in the hope that it will get some quality review
-
sarang
so I want to update the security model prior to that deadline at the end of this month
-
hyc
the win on time is huge
-
sarang
FWIW both Triptych and Arcturus are very similar for verification time
-
sarang
that's because of how generators are batched similarly in both approaches
-
hyc
triptych appears to be a constant factor larger in size
-
hyc
well, nearly.
-
sarang
It requires multiple proofs, and has some extra elements included (e.g. commitment offsets)
-
sarang
Arcturus is a single proof, and does not require any commitment offsets
-
sarang
(it does have proof elements that scale with the number of spends, but does so pretty darn well)
-
hyc
at least all of the size plots are linear, no silly exponential growth
-
hyc
probably an obvious statement but I would choose to optimize time
-
sarang
In that case, Triptych and Arcturus are essentially comparable
-
sarang
with small variations relating to how balances are checked
-
sarang
and these variations disappear at higher ring sizes anyway
-
hyc
and Triptych requires no nonstandard assumptions
-
sarang
Nope
-
Isthmus
"with small variations relating to how balances are checked" < ah thanks, I was wondering about this
-
sarang
I could probably add the Arcturus-style balance security definition to Triptych as well
-
sarang
Isthmus: balance checks in MLSAG/CLSAG/Triptych are identical... sum the commitment offsets and outputs to zero
-
sarang
In Arcturus it's built in to the proving system directly
-
sarang
At high ring sizes, the offset-based balance check is overshadowed by the large number of group operations required for the rest of the verification process
-
hyc
this is some great stuff. Arcturus still grows in size more slowly than Triptych,
-
sarang
At low ring sizes, they're more comparable and the difference is notable
-
sarang
Yeah
-
sarang
Its per-spend elements scale better
-
sarang
What's nifty is they both use the same underlying Groth-style cryptographic plumbing, but in different ways
-
sarang
(this is the same plumbing that Lelantus uses)
-
sarang
Anyway, I've taken up enough of the roundtable time for one day!
-
sarang
Does anyone else have research they wish to share?
-
Isthmus
TheCharlatan updated the encrypted unlock time research proposal with sarang's timing data:
github.com/insight-decentralized-co…us-lab/monero_encrypted_unlock_time
-
sarang
s/Tryptich/Triptych/
-
Isthmus
(based on feedback at previous MRL meeting, and input from sarang)
-
Isthmus
Also, experimenting with a new application for surae's seashell avatars project. Essentially, each transaction fingerprint (behavior or metadata) is compared against the behavior of the core software and assigned a 0 if matching or 1 if deviating.
-
Isthmus
Looping over fingerprints creates a fingerprint string that is ingested to produce a visual hash. These could be added to a research blockchain explorer so that it's easier to tell at a glance which transactions must have been generated by custom software.
-
sarang
I'm glad the 3-CLSAG and 3-Triptych data was useful!
-
Isthmus
For example, the first image shows the avatar for transactions that are from (or mimic) the core GUI/CLI, which has fingerprint ...0000
-
Isthmus
-
Isthmus
The secnd image shows the avatar for transactions that included a juvenile ring member and thus produce a different signature (...0010)
-
Isthmus
the bottom image shows the avatar for transactions that included a juvenile ring member and thus produce a different signature (...0010)
-
Isthmus
-
Isthmus
(note that this particular issue was fixed in recent update)
-
Isthmus
Anyways, still very early toy/prototype
-
sarang
So the hash inputs are individually set bits? 1 = "basically the same as standard", 0 = "different enough"
-
sarang
and this is done over different characteristics to build the input string?
-
Isthmus
Yep
-
» Isthmus pauses to clarify wording
-
Isthmus
0 = "the core wallet would construct a transaction in this way"
-
Isthmus
1 = "the core wallet would never construct a transaction this way"
-
Isthmus
e.g. the juvenile spend example
-
sarang
got it
-
Isthmus
Will spice it up a bit though, surae comments "The skin of the shells could be fractals dependent on the hash input visualized in 2d with *color schemes* selected from families of pleasing color triples based on hash input..."
-
UkoeHB_
What's a juvenile ring member,
-
UkoeHB_
?
-
Isthmus
Any transaction that includes a ring that includes a ring member less than 10 blocks old (based on the time it was mined)
-
Isthmus
-
UkoeHB_
ah
-
Isthmus
The core wallet has observed a 10-block lock time, so they must have been generated by custom software
-
Isthmus
But now it's a consensus rule
-
sarang
To what extent does the visual fingerprint identify the extent to which the transaction is nonstandard?
-
sarang
e.g. can you look at a fingerprint and see "oof, this transaction is _very_ nonstandard!"
-
sarang
(obviously the Hamming weight of the input will tell you this by inspection)
-
Isthmus
No, since the visual hash function is appropriately unstable
-
UkoeHB_
You could look at the fingerprint string itself to see how different, since more 1s = more different
-
sarang
That's what I mean by the Hamming weight
-
Isthmus
aaaactually if the hamming weigh was used to select the colorscale......
-
Isthmus
Then it could be intuitively accomplished
-
Isthmus
if colorscale(0) is greenish
-
sarang
At that point, what's the usefulness of the fingerprint shape?
-
sgp_
going all the way back to the unlock time proposal, I still think the tradeoffs aren't worth it
-
Isthmus
Because 0010 and 0001 are different
-
sarang
True
-
sarang
So it really only tells you if the actual strings are different
-
sarang
I guess I figured the "more useful" component in general might be the Hamming weight
-
sarang
since one goal is to minimize it
-
Isthmus
It depends if 'degree of wrongness' is important
-
UkoeHB_
I agree sgp_ it feels quite expensive
-
Isthmus
From my perspective, 0010, 0001, and 0011 are 3 distinct signatures
-
Isthmus
Even though 0011 is more worse :- P
-
UkoeHB_
ArticMine: how is it going with your penalty/fee proposal?
-
sarang
While we wait to see if ArticMine is around, were there any other questions on the material Isthmus presented?
-
sgp_
none about the presented material, but I eventually have a question for Isthmus about the coinbase vs non-coinbase spend distributions
-
Isthmus
Hey @sgp_ what do you have in mind? :- )
-
sarang
I would also be interested to see that for BTC
-
sgp_
heelo Isthmus :)
-
sgp_
s/heelo/hello
-
monerobux
sgp_ meant to say: hello Isthmus :)
-
sgp_
I really want to segregate coinbase outputs form other outputs
-
sgp_
to do this, I ideally would like to know what the independent spend distributions are for these two categories of outputs
-
sgp_
my suspicion is that coinbase outputs are spent faster on average
-
Isthmus
We can ascertain this by subtracting the reference distribution from the observed ensemble distribution
-
Isthmus
And split it by type:
-
Isthmus
distribution(coinbase inclusion in rings) - reference_distribution
-
Isthmus
distribution(non-coinbase inclusion in rings) - reference_distribution
-
Isthmus
I think @binaryFate was going to present this type of analysis at Konferenco, though I don't know if was split up by output type (non/coinbaase)
-
sarang
Having a direct measurement from something like BTC would be very helpful regardless
-
sarang
ideally to follow the Miller et al. idea of comparing known-estimated Monero behavior to BTC
-
Isthmus
I'll see about extracting true BTC spend times from Google's BigQuery dataset
-
sarang
That'd be great
-
Isthmus
There's probably some way to do it in a clever SQL one-liner
-
Isthmus
But I can do it in 20 lines!
-
Isthmus
:- P
-
sarang
Separately, it would also be interesting to see how/if overall BTC spend times have changed since Miller et al.'s paper
-
sarang
They used two different large groups of blocks
-
sgp_
we need to have some selection for the coinbase-only rings in any case, though if the results show that the distributions are different, then that's even more reason to segregate
-
Isthmus
"if the results show that the distributions are different, then that's even more reason to segregate" << this
-
sgp_
note I still support coinbase-only rings even if the distributions are exactly the same :p
-
sarang
In the interest of time, were there any other topics to be brought up before moving on?
-
sgp_
that's all fro me, thanks Isthmus
-
sgp_
*from
-
UkoeHB_
Any new comments on the Tx Supplement proposal?
-
sarang
Restructuring for uniformity and Janus mitigation seems useful and reasonable to me, FWIW
-
sgp_
agreed
-
sgp_
costs are small
-
sarang
Especially with the savings from CLSAG
-
Isthmus
I'm in favor. Uniformity is the whole point.
-
ArticMine
UkoeHB_ It is almost done. I held it back to give ti ore thought especially with COVID-19 which is a perfect scenario for the issue
-
ArticMine
I should have this in the next two weeks
-
UkoeHB_
Cool thanks :)
-
sarang
OK, with the last few minutes of the hour, let's get to ACTION ITEMS
-
sarang
I would like to finish the update of the Arcturus security model, to get the updated preprint submitted for review
-
sarang
And will be discussing the CLSAG audit with Teserakt
-
sarang
Anyone else?
-
UkoeHB_
In the tx supplement proposal I recommend moving to sorted TLV in the extra field. However, it's not completely solved. One option is to retain 'restricted tags' for core features (e.g. encrypted payment IDs, miner nonce). Are restricted tags worthwhile or too hands-on?
-
sarang
Well, certain tags would be required by consensus... can you refresh us on your definitions here?
-
UkoeHB_
Moving to restricted tags might force more uniformity out of pool implementations, since there would be a fixed miner nonce size. However, they could just move their unique nonces to unrestricted tags.
-
UkoeHB_
Only encrypted payment IDs would remain in the extra field after the update
-
UkoeHB_
And miner extra nonce
-
UkoeHB_
So not much consensus left
-
sarang
Oh, TLV for _extra only_... of course
-
sarang
nvm
-
sarang
I was thinking about fields in general, which is not correct
-
UkoeHB_
With a restricted miner nonce we (probably I) could release a miner nonce guideline for pool implementer to reference
-
UkoeHB_
If it's easy enough then hopefully most pools and solominers would be indistinguishable on-chain
-
sarang
OK, any other questions, topics, or action items before we adjourn?
-
h4sh3d[m]
I posted a proposal for the atomic swap, feedback are welcome
-
sarang
Link?
-
h4sh3d[m]
-
sarang
thanks
-
sarang
All right, let's adjourn in the interest of time (and for log posting purposes). Thanks to everyone for attending!
-
UkoeHB_
And, if there is some kind of community expectation for pools to be uniform then there may be enough pressure for it to materialize..
-
sarang
Logs will be posted shortly to the agenda issue, as usual
-
UkoeHB_
Thanks sarang
-
sarang
Discussions can of course continue!
-
h4sh3d[m]
Thanks
-
sarang
I just need a cutoff for posting them
-
UkoeHB_
Thinking about pools publishing blocks.. Any miner can parse their pool's blobs and recognize when a block from their pool is mined into the chain, since the miner tx will be the same. This means pools would have to generate unique timestamps and miner tx pub keys for each worker, in addition to unique miner nonces (perhaps making the miner nonce redundant).
-
UkoeHB_
i.e. if pools were to stop publishing blocks in order to remove most/all fingerprinting from coin base
-
UkoeHB_
It's doable but a bit burdensome for implementers