-
UkoeHB_
reworked the big proposal for better readability (did not add anything)
monero-project/monero #6456
-
sarang
Aw man, I helped out with Schnorr-based Janus mitigations too...
-
» sarang is devastated
-
UkoeHB_
a tragic death to be sure
-
maybefbi
I published this crate
crates.io/crates/nazgul. It can do CLSAG, MLSAG, etc. DLSAG soon to come. Uses the Ristretto curve and any 512-bit hashing function.
-
endogenic
nazgul is a dope name
-
maybefbi
endogenic: thanks
-
sarang
Nice! Glad to see more implementations of these constructions
-
sarang
I've drafted some notes on the recent traceability preprint that I plan to send the authors:
gist.github.com/SarangNoether/25f8222bee7020325c6dcc60ec3239e2
-
sarang
Comments/corrections are welcome
-
sarang
Here is the code they used for the Monero analysis:
github.com/erwa/monero-tracing
-
sarang
As far as the Zcash analysis goes, they only looked at essentially the same data range as earlier work, so it's not really possible to draw any more recent conclusions about that
-
sarang
For the Monero data, I don't think their claim about the effectiveness of the output selection time distribution is supported by their experiment
-
sarang
They sent transactions between researchers and looked at how the selections were indexed (using an age-based indexing)
-
sarang
but they don't identify the time distribution they used for the transactions themselves
-
sarang
This seems to implicitly assume that their spend patterns match those of the chain, but they don't provide any details on whether this is true
-
sarang
As an extreme thought experiment, suppose they waited a month between spends for their experiments... then the true spends would _never_ be the most recent, and their method would conclude that the guess-newest heuristic is 0% effective
-
sarang
However, I'm interested to look at the analysis code and see if there are specific transaction characteristics that can be drawn from the results
-
sarang
I'll change the note about the age indexing being not a true time distribution... I suppose it sort of is, perhaps with confusing wording
-
sarang
and FWIW that indexing _is_ a way to examine that heuristic, but not with the method of sending transactions that they used
-
sarang
I'll clarify that particular paragraph in the note
-
sarang
Updated
-
sarang
I think it's important to encourage these student researchers, since checking earlier analysis is useful and important
-
sarang
and getting timely feedback is a key part of why the preprint system has value IMO
-
sarang
(that being said, it seems like a lot of media doesn't properly appreciate what a preprint _is_)
-
sarang
Any other thoughts on my draft response?
-
hyc
looks well done
-
hyc
the notes of thanks and encouragement are a particularly good touch
-
hyc
and I suppose getting early feedback is the point of publishing a preprint. will be good to see how they incorporate your responses
-
fort3hlulz
Yeah, that feedback looks great, sarang
-
sarang
Yeah; it's too bad that a lot of the response I've seen seems to assume the paper is comparing _current_ Monero use with _current_ Zcash use, but that's not the case at all
-
fort3hlulz
Glad to see a good response going back to them, as I hope more and more people will attempt to publish work on Monero!
-
fort3hlulz
Hopefully they'll incorporate the feedback and do some more analysis of Zcash, as that was certainly lacking
-
sarang
The biggest hurdle for Zcash seems to be that all the analysis tooling was Sprout-specific
-
sarang
and Sapling tx structure is different
-
hyc
the note about zcash public txn volume - looks to me like it holds true
-
hyc
they're still only at < 70 txs/day shielded
-
sarang
Right, but did they actually look into that? It doesn't appear so
-
sarang
Whether or not it's the case, it isn't supported by the data they looked at
-
hyc
ok
-
sarang
I'm super interested to look into their code and see what information can be gained about discernible transactions in recent data
-
sarang
Chain reactions from zero-mixin can't apply anymore, so any reduction in anonymity set from purely on-chain data would have to come from some of the more complex set-theoretic stuff that MRL-0007 looks at
-
sarang
that paper found exactly 5 outputs, and they appear to be from a paper that was running an experiment on common rings
-
sarang
I do hope the authors remove the stuff with the time heuristic experiment
-
sarang
that conclusion doesn't make any sense
-
fort3hlulz
Do you mean that the percentage that can be deduced via the metric is off?
-
fort3hlulz
Or merely the presented method/approach is wrong?
-
sarang
I don't think they can draw _any_ conclusion about the percentage at all from that method
-
fort3hlulz
Ah ok
-
fort3hlulz
So the approach is flawed and thus the result can’t be trusted either way
-
sarang
They made a few dozen transactions between their own wallets and looked at whether the true spend was the newest in the selection or not
-
fort3hlulz
Good to know
-
sarang
Imagine if they'd waited a month between such transactions
-
sarang
The true spend would never appear as the newest in the ring, and the method would conclude that the heuristic applies 0% of the time
-
sarang
but all that says is that they probably didn't have the same spend patterns as the typical user
-
hyc
the true spend would never be newest? because they're spending a month-old output?
-
sarang
Yeah, and the default selection algorithm is based on deducible/known spend patterns, which skew newer
-
sarang
They'll get skewed results if their spend patterns don't match typical spend patterns
-
hyc
but what is the spend pattern of a typical user?
-
sarang
Good question :)
-
sarang
We can only infer it, as Miller et al. did
-
sarang
They used two methods
-
sarang
1. Deducible Monero spends from things like chain reactions (which don't apply anymore)
-
sarang
2. Spend patterns from the Bitcoin chain
-
sarang
The two distributions matched reasonably well, so those parameters were used for the current selection (with some weight modifications applied to account for block density variation)
-
sarang
So anyway, what the preprint's plot shows is that the researchers probably spent outputs more quickly than the expected distribution
-
sarang
So it means that guess-newest is 40% effective _against their spend pattern for the experiment_
-
hyc
that all sounds ridiculously non-rigorous. I mean, the populations are different and have different use cases for their coins
-
sarang
hyc: you mean the BTC method?
-
hyc
yeah
-
sarang
The goal seemed to be two-fold
-
fort3hlulz
I didn't even think about the fact that they were only analyzing their own spend patterns, but not those of any other users 0.o
-
sarang
One goal was to see if earlier BTC data seemed to match the distribution of early known Monero spends
-
sarang
Another was to project the BTC analysis forward in time to see if it still held
-
sarang
Both answers were "yes, reasonably well"
-
hyc
ok
-
sarang
fort3hlulz: yeah, they made transactions between themselves, so they knew what was spent
-
sarang
hyc: it's non-ideal, but IMO a reasonable way to get a distribution
-
hyc
hard to imagine that will continue to hold. majority of BTC action seems to be speculation, XMR seems to be DNM commerce
-
fort3hlulz
Yeah, makes sense. I just came away (for some reason) thinking they were comparing it to chain data, but they were just comparing it to the takeaways of Möser et al., which isn't anything new or chain-based
-
sarang
hyc: also note that without other data, it's not possible to confirm such a distribution heuristic for a particular transaction anyway
-
hyc
right
-
sarang
The data that would be checkable is anything to do with set-theoretic combinations of ring members
-
sarang
since that's not heuristic
-
sarang
But they have a lot of different scripts and tools in the repo, and I'm trying to make sense of the workflow to check/reproduce the results
-
hyc
what, just exhaustive enumeration of ring members?
-
sarang
There are a few algorithms to extend unions of rings outwards and look for spent subsets
-
sarang
(IIRC one paper called these "closed sets" or something similar)
-
sarang
Such sets are known to be spent
-
sarang
The blackball tool does one version of this, but I haven't seen its results in a while
-
sarang
The latest data I've seen is from MRL-0007, which ended its dataset in late 2018
-
sarang
It's a generalization of chain reaction that also accounts for repeated rings, etc.
-
sarang
and fully captures the idea of spent sets (absent external information, of course)
-
sarang
FWIW you can always maliciously try to pack your own rings to build these sets, and the computation to detect complex set arrangements gets pretty crazy pretty fast
-
sarang
but you could also just broadcast your own spend data anyway...
-
sarang
so it's unclear what benefit you'd really get from the former method anyway
-
sarang
One paper suggested the idea that adversaries could collude blindly by building malicious set combinations
-
sarang
but that seems to require that the adversaries all have the computational power to detect these
-
sarang
and at that point, they could just use a side channel and avoid all the unnecessary computation
-
niocbrrrrrr
something that binaryFate mentioned in another channel, a significant portion of btc txs now are probably various mixing wallets and services
-
niocbrrrrrr
I take that to mean that the btc spend pattern has changed from what it was
-
niocbrrrrrr
no idea how significant that is
-
sarang
Well, the uptick on that is probably post-Miller
-
sarang
but I haven't seen an updated BTC spend-age plot
-
sarang
But that would probably be something to keep in mind if the Monero default selection distribution parameters are updated in the future
-
sarang
as they'd presumably need to be updated in a NUMS fashion to avoid tomfoolery
-
sarang
sgp_ probably has a better idea of mixer use over time, since chain analysis companies are so interested in that kind of data
-
moneromooo
I just realized NUMS also stands for "Number up my sleeve"...
-
sarang
o_0
-
Isthmus
@UkoeHB_ I finally read #6456 and I am very strongly in favor. Thanks for the massive effort to study, redesign, and document this monster overhaul :- )
-
sgp_
Nice writeup sarang
-
sarang
thanks sgp_
-
sgp_
What do you need mixer use over time data for?
-
Isthmus
Yes, @sarang the response to the preprint is very well done. Constructive, concise, not "proof left to the reader", appropriately encouraging, etc.
-
Isthmus
The tx_supplement "enforced TLV" would preclude additional unknown tags, right?
-
Isthmus
So it's always enforced (N keys, Janus, view), nothing more, nothing less
-
Isthmus
But then the tx_extra version of "enforced TLV" permits anything, as long as the tags are in the right order?
-
sarang
sgp_: if BTC spend-age distributions are found to have changed post-Miller, it might be interesting to see if there are correlations to things like increased use of mixing transactions
-
sarang
merely a curiosity
-
sgp_
They are up in general but still tiny
-
sarang
roger
-
» Isthmus moved questions to GitHub comment
-
TheCharlatan
sarang is this the kind of plot you are looking for?
chart-studio.plotly.com/~unchained/37.embed