03:34:47 reworked the big proposal for better readability (did not add anything) https://github.com/monero-project/monero/issues/6456
03:53:43 Aw man, I helped out with Schnorr-based Janus mitigations too...
03:53:56 * sarang is devastated
04:14:01 a tragic death to be sure
10:20:38 https://github.com/monero-project/monero-site/issues/913#issuecomment-633499445
12:42:11 I published this crate https://crates.io/crates/nazgul it can do CLSAG, MLSAG etc. DLSAG soon to come. Uses Ristretto curve, and any 512-bit hashing function.
13:27:35 nazgul is dope name
13:39:35 endogenic: thanks
14:52:52 Nice! Glad to see more implementations of these constructions
15:48:39 I've drafted some notes on the recent traceability preprint that I plan to send the authors: https://gist.github.com/SarangNoether/25f8222bee7020325c6dcc60ec3239e2
15:48:45 Comments/corrections are welcome
15:49:21 Here is the code they used for the Monero analysis: https://github.com/erwa/monero-tracing
15:50:35 As far as the Zcash analysis goes, they only looked at essentially the same data range as earlier work, so it's not really possible to draw any more recent conclusions about that
15:50:56 For the Monero data, I don't think their claim about the effectiveness of the output selection time distribution is supported by their experiment
15:51:38 They sent transactions between researchers and looked at how the selections were indexed (using an age-based indexing)
15:51:58 but they don't identify the time distribution they used for the transactions themselves
15:52:33 This seems to implicitly assume that their spend patterns match those of the chain, but they don't provide any details on whether this is true
15:53:35 As an extreme thought experiment, suppose they waited a month between spends for their experiments... then the true spends would _never_ be the most recent, and their method would conclude that the guess-newest heuristic is 0% effective anymore
15:55:32 However, I'm interested to look at the analysis code and see if there are specific transaction characteristics that can be drawn from the results
16:01:51 I'll change the note about the age indexing being not a true time distribution... I suppose it sort of is, perhaps with confusing wording
16:02:15 and FWIW that indexing _is_ a way to examine that heuristic, but not with the method of sending transactions that they used
16:02:28 I'll clarify that particular paragraph in the note
16:06:24 Updated
16:08:12 I think it's important to encourage these student researchers, since checking earlier analysis is useful and important
16:08:42 and getting timely feedback is a key part of why the preprint system has value IMO
16:08:56 (that being said, it seems like a lot of media doesn't properly appreciate what a preprint _is_)
16:12:07 Any other thoughts on my draft response?
16:30:51 looks well done
16:31:12 the notes of thanks and encouragement are a particularly good touch
16:32:08 and I suppose getting early feedback is the point of publishing a preprint. will be good to see how they incorporate your responses
16:33:05 Yeah, that feedback looks great, sarang
16:33:33 Yeah; it's too bad that a lot of the response I've seen seems to assume the paper is comparing _current_ Monero use with _current_ Zcash use, but that's not the case at all
16:33:40 Glad to see a good response going back to them, as I hope more and more people will attempt to publish work on Monero!
16:33:56 Hopefully they’ll incorporate the feedback and do some more analysis of Zcash, as that was certainly lacking
16:34:15 The biggest hurdle for Zcash seems to be that all the analysis tooling was Sprout-specific
16:34:31 and Sapling tx structure is different
16:34:39 the note about zcash public txn volume - looks to me like it holds true
16:34:51 they're still only at < 70txs/day shielded
16:35:06 Right, but did they actually look into that? It doesn't appear so
16:35:19 Whether or not it's the case, it isn't supported by the data they looked at
16:35:33 ok
16:36:20 I'm super interested to look into their code and see what information can be gained about discernible transactions in recent data
16:37:48 Chain reactions from zero-mixin can't apply anymore, so any reduction in anonymity set from purely on-chain data would have to come from some of the more complex set-theoretic stuff that MRL-0007 looks at
16:38:14 that paper found exactly 5 outputs, and they appear to be from a paper that was running an experiment on common rings
16:40:51 I do hope the authors remove the stuff with the time heuristic experiment
16:41:35 that conclusion doesn't make any sense
16:42:33 Do you mean that the percentage that can be deduced via the metric is off?
16:42:40 Or merely the presented method/approach is wrong?
16:42:53 I don't think they can draw _any_ conclusion about the percentage at all from that method
16:43:02 Ah ok
16:43:18 So the approach is flawed and thus the result can’t be trusted either way
16:43:19 They made a few dozen transactions between their own wallets and looked at whether the true spend was the newest in the selection or not
16:43:22 Good to know
16:43:31 Imagine if they'd waited a month between such transactions
16:43:59 The true spend would never appear as the newest in the ring, and the method would conclude that the heuristic applies 0% of the time
16:44:12 but all that says is that they probably didn't have the same spend patterns as the typical user
16:44:45 the true spend would never be newest? because they're spending a month-old output?
16:45:10 Yeah, and the default selection algorithm is based on deducible/known spend patterns, which skew newer
16:45:32 They'll get skewed results if their spend patterns don't match typical spend patterns
16:45:40 but what is the spend pattern of a typical user?
16:45:45 Good question :)
16:45:51 We can only infer it, as Miller et al. did
16:45:55 They used two methods
16:46:09 1. Deducible Monero spends from things like chain reactions (which don't apply anymore)
16:46:15 2. Spend patterns from the Bitcoin chain
16:46:47 The two distributions matched reasonably well, so those parameters were used for the current selection (with some weight modifications applied to account for block density variation)
16:47:33 So anyway, what the preprint's plot shows is that the researchers probably spent outputs more quickly than the expected distribution
16:47:53 So it means that guess-newest is 40% effective _against their spend pattern for the experiment_
16:48:04 that all sounds ridiculously non-rigorous. I mean, the populations are different and have different use cases for their coins
16:48:17 hyc: you mean the BTC method?
16:48:20 yeah
16:48:43 The goal seemed to be two-fold
16:48:54 I didn’t even think about that they were only analyzing their own spend patterns, but not those of any other users 0.o
16:49:00 One goal was to see if earlier BTC data seemed to match the distribution of early known Monero spends
16:49:13 Another was to project the BTC analysis forward in time to see if it still held
16:49:22 Both answers were "yes, reasonably well"
16:49:35 ok
16:49:45 fort3hlulz: yeah, they made transactions between themselves, so they knew what was spent
16:50:00 hyc: it's non-ideal, but IMO a reasonable way to get a distribution
16:50:22 hard to imagine that will continue to hold. majority of BTC action seems to be speculation, XMR seems to be DNM commerce
16:50:25 Yeah makes sense, I just came away (for some reason) thinking they were comparing it to chain-data, but they were just comparing it to the takeaways of moser et al, which isn’t anything new or chain-based
16:51:41 hyc: also note that without other data, it's not possible to confirm such a distribution heuristic for a particular transaction anyway
16:51:57 right
16:53:56 The data that would be checkable is anything to do with set-theoretic combinations of ring members
16:54:02 since that's not heuristic
16:54:31 But they have a lot of different scripts and tools in the repo, and I'm trying to make sense of the workflow to check/reproduce the results
16:54:47 what, just exhaustive enumeration of ring members?
16:55:25 There are a few algorithms to extend unions of rings outwards and look for spent subsets
16:55:32 (IIRC one paper called these "closed sets" or something similar)
16:55:46 Such sets are known to be spent
16:56:11 The blackball tool does one version of this, but I haven't seen its results in a while
16:56:27 The latest data I've seen is from MRL-0007, which ended its dataset in late 2018
16:57:01 It's a generalization of chain reaction that also accounts for repeated rings, etc.
16:57:16 and fully captures the idea of spent sets (absent external information, of course)
16:58:25 FWIW you can always maliciously try to pack your own rings to build these sets, and the computation to detect complex set arrangements gets pretty crazy pretty fast
16:58:42 but you could also just broadcast your own spend data anyway...
16:59:01 so it's unclear what benefit you'd really get from the former method anyway
17:05:01 One paper suggested the idea that adversaries could collude blindly by building malicious set combinations
17:05:16 but that seems to require that the adversaries all have the computational power to detect these
17:05:40 and at that point, they could just use a side channel and avoid all the unnecessary computation
17:16:10 something that binaryFate mentioned in another channel, a significant portion of btc txs now are probably various mixing wallets and services
17:17:24 I take that to mean that the btc spend pattern has changed from what it was
17:17:44 no idea how significant that is
17:18:20 Well, uptick on that is probably post-Miller
17:18:35 but I haven't seen an updated BTC spend-age plot
17:20:45 But that would probably be something to keep in mind if the Monero default selection distribution parameters are updated in the future
17:21:16 as they'd presumably need to be updated in a NUMS fashion to avoid tomfoolery
17:21:57 sgp_ probably has a better idea of mixer use over time, since chain analysis companies are so interested in that kind of data
17:22:19 I just realized NUMS also stands for "Number up my sleeve"...
17:23:55 o_0
17:26:59 @UkoeHB_ I finally read #6456 and I am very strongly in favor. Thanks for the massive effort to study, redesign, and document this monster overhaul :- )
17:27:06 Nice writeup sarang
17:27:31 thanks sgp_
17:28:33 What do you need mixer use over time data for?
17:29:01 Yes, @sarang the response to preprint is very well done. Constructive, concise, not "proof left to the reader", appropriately encouraging, etc.
17:30:19 The tx_supplement "enforced TLV" would preclude additional unknown tags, right?
17:30:49 So it's always enforced (N keys, Janus, view), nothing more, nothing less
17:31:51 But then the tx_extra version of "enforced TLV" permits anything, as long as the tags are in the right order?
18:04:14 sgp_: if BTC spend-age distributions are found to have changed post-Miller, it might be interesting to see if there are correlations to things like increased use of mixing transactions
18:04:24 merely a curiosity
18:05:11 They are up in general but still tiny
18:05:58 roger
18:06:27 * Isthmus moved questions to GitHub comment
20:14:10 sarang is this the kind of plot you are looking for? https://chart-studio.plotly.com/~unchained/37.embed