-
dEBRUYNE
-
dEBRUYNE
Was posted here before I think, but figured it wouldn't hurt to post again
-
dEBRUYNE
May inspire some ideas
-
fort3hlulz
Thanks for sharing that :) Pretty cool stuff they're doing
-
fort3hlulz
My biggest concern is distinguishability of transactions causing some issues, and the whole Chainlink/oracle portion
-
fort3hlulz
But cool to see their idea come to fruition on a Monero-chain
-
sarang
Interesting application of CLSAG, for sure
-
sarang
We mentioned exchange rates in the original version of the preprint
-
sarang
Haven was the project that had contacted me about that aspect of CLSAG math
-
sarang
I'll have to take a look at the code they link to see if that's what they have finished implementing, or if it's something else
-
sarang
fort3hlulz: if they're using the CLSAG-based exchange method invented in the original preprint, what non-uniformity are they introducing?
-
fort3hlulz
It's still visible if a transaction is merely XHV, or if it's an exchange transaction
-
sarang
The whole point of our construction is that amounts are still hidden during the exchange
-
fort3hlulz
so wouldn't you end up with two "pools" of anonymity/TX type?
-
fort3hlulz
Yes for sure
-
fort3hlulz
Amounts are hidden, but the transactions still stand out as exchange TXs
-
sarang
It's not clear to me if this is in fact the method they are using
-
sarang
No, not necessarily
-
sarang
One method, the one we built in CLSAG, uses two separate commitments within each output
-
sarang
and whether or not a transaction actually "moves value" is hidden
-
fort3hlulz
-
fort3hlulz
That should be the new code
-
sarang
It's worth noting that this part of the preprint remains entirely unreviewed; we removed it from later drafts in order to focus the preprint on the basic security model
-
sarang
But again, not clear if this is the method they're using
-
sarang
The current CLSAG audit won't be reviewing that application
-
fort3hlulz
explorer.stagenet.havenprotocol.org if you want to view the transactions
-
fort3hlulz
The stagenet is the current place where exchanges are happening
-
sarang
ok
-
fort3hlulz
It's blocked on my work network so I can't dig into it right now lol
-
sarang
I'll take a look at the code and see if I can determine what method they decided to use
-
sarang
I'm just speculating here based on some questions their team had on how the CLSAG math/code worked
-
fort3hlulz
sweet, obviously no pressure but I'm always curious for your thoughts :)
-
sarang
On the CLSAG-exchange method? I'm a coauthor on its preprint, so I think it's pretty nifty =p
-
fort3hlulz
yeah :D
-
sarang
But AFAIK nobody has/had yet implemented it outside of proof-of-concept stuff
-
sarang
If it's the method they used, I hope they seek external review
-
sarang
I had advised this when they asked, since the method could be flawed
-
sarang
We listed it as a side application, but did not study it in detail
-
sarang
Looks like they do have CLSAG functions in the code
-
sarang
and they look to be essentially unchanged from the Monero code that's currently under review
-
sarang
Along with some extra functionality to handle confidential multiple asset types
-
sarang
Hmm, separate range proofs though, if I'm reading it correctly
-
sarang
If they can establish a common range requirement, they could aggregate those and save a ton of space
-
sarang
probably at the expense of a bit more complex logic
-
sarang
I wonder if/how they adjust the fee structure to account for this
-
dEBRUYNE
sarang: Would it be worthwhile to spin this part into a new paper that can be reviewed separately?
-
sarang
It certainly could
-
sarang
A full treatment would require a new security model, which would itself be interesting
-
sarang
Since now you have an added goal of ensuring proper soundness of value across the asset commitments
-
sarang
There's always the question of how to set the exchange rate, which this project appears to be doing via some kind of pricing oracle
-
sarang
That rate can't inherently be handled by the cryptography; it has to come from somewhere, whether fixed in the protocol or via an external source (and that would be outside the security model)
-
dEBRUYNE
Yes, it basically does not solve the oracle problem
-
wowario[m]
they are pulling pricing from feeds.chain.link
-
sarang
In what way?
-
sarang
Is that a single-source point of failure?
-
wowario[m]
exchange rates
-
wowario[m]
not sure how they call it a "decentralized" oracle service
-
sarang
No, I mean suppose that service were compromised
-
sarang
Is it the only source of rate data?
-
wowario[m]
-
wowario[m]
it seems so
-
sarang
I see
-
sarang
I further wonder how the network verifies the rates of previous transactions were correct
-
sarang
Does the oracle need to be available for historical data forever?
-
wowario[m]
-
wowario[m]
"We plan to add additional decentralized pricing oracles in the future"
-
sarang
Or do verifiers assume that accepted transactions used a valid oracle?
-
sarang
I know very little about the use of price oracles in practice
-
sarang
I have so many questions
-
wowario[m]
it is a single point of failure
-
sarang
I mean for past transactions
-
sarang
Suppose in a year, I want to spin up a Haven node
-
sarang
My client needs to verify transactions
-
sarang
It sees that transactions have an exchange rate
-
sarang
How does it know whether or not that rate was valid at that time?
-
sarang
Does it need to query the oracle for historical data?
-
sarang
Or does it assume that the transaction is deep enough into the chain that it "must be" correct?
-
sarang
To be fair, Monero clients make assumptions relating to old range proofs (they aren't checked by default, but _absolutely_ can be on request)
-
sarang
If you need historical data and the oracle doesn't do this for whatever reason, then you have to trust the chain alone and can't verify externally
-
sarang
Maybe this is considered an acceptable risk; I dunno
-
wowario[m]
-
sarang
o_0
-
wowario[m]
looks very hacky
-
sarang
-
sarang
That seems very risky
-
sarang
depending on their trust model
-
sarang
-
sarang
Which isn't necessarily a big risk on its own
-
sarang
This is basically what Monero does for pre-bulletproofs range verification
-
fluffypony
it doesn't verify historical price darta
-
fluffypony
*data
-
sarang
?
-
fluffypony
it just assumes it was correct at the time
-
sarang
Did I misread?
-
fluffypony
"why would a miner lie to us"
-
fluffypony
oh wait you're correct
-
fluffypony
sorry I'm reading backlog down
-
fluffypony
so then it's still SPF
-
sarang
My understanding is that "full mode" uses the historical oracle
-
sarang
Historical Oracle would be a great band name
-
» sarang goes to start a band
-
fluffypony
lol
-
fluffypony
yeah
-
fluffypony
or a Dr. Seuss book
-
» fluffypony goes to write a book
-
sarang
will fund
-
sarang
Anyway, dEBRUYNE asked if it's worth writing a paper that elaborates the exchange idea that suraeNoether and RandomRun and I included in our early CLSAG drafts... the reason we didn't do that already is because it assumes some kind of exchange data that we assumed would not be acceptable for the Monero use case
-
sarang
I am certainly interested from an academic perspective
-
sarang
Any results of the CLSAG audit should _not_ be taken to mean any kind of review of this exchange idea, which is not in the most recent preprint version and is not being audited in any way
-
sarang
We don't make any claims about the security of the exchange idea
-
sarang
It could be safe; it could also be very flawed
-
sarang
It'd make a cool separate preprint :)
-
sarang
I have an idea for a security model that I suspect would be easy to build into security proofs with Triptych
-
sarang
more complex for CLSAG (which doesn't share the same properties that Triptych does as a zkp system)
-
moneromooo
Can't the exchange rate be something like... Alice says <= x, Bob says >= y, the protocol accepts any compatible constraint and uses (x+y)/2? No need for an oracle then; it's by mutual agreement.
-
moneromooo
(It does require x and y to be public, but a public rate oracle is also public)
-
sarang
Protocol can do whatever it wants... but Alice and Bob could collude and build whatever they like, which seems like a bad idea
-
moneromooo
Why would it be a bad idea?
-
moneromooo
I *assume* this is about an exchange protocol. We *want* Alice and Bob to collude, no ?
-
sgp_
decentralized oracles don't seem to solve the problem of decentralized prices to me. They seem to simply change the trust from one person to another, which in many cases seems unnecessary to me, or isn't really an improvement. But "decentralized" prices are sexy I guess
-
fluffypony
the way I think about decentralised oracles is that I'd maybe trust them if it was like 50+ academic institutions / non-profits around the world
-
fluffypony
but most of the decentralised oracle experiments are based on "we'll pay you not to lie" which seems more like "we'll pay you not to lie unless a better offer comes along"
-
sarang
It feels similar to the idea of "trusted setup"
-
sarang
where you rely on some level of non-collusion
-
sarang
and honesty
-
fluffypony
yes
-
fluffypony
which might be fine for coffee-grade transactions, I dunno
-
sarang
All comes down to your trust/risk model
-
Inge-
is the TL;DR that the Haven stablecoin is a pipe dream?
-
sarang
IMO it's all relative to your risk model
-
sarang
If you're cool with their idea of a price oracle, it may be suitable for you
-
sarang
If you are not, then it may not be
-
sarang
Same with things relating to trusted setups... if you're willing to offload that risk, it may be ok for you
-
sarang
Same with things relating to supply auditing
-
sarang
etc.
-
sarang
All designs imply risk
-
sgp_
-
sarang
"enter Sarang Noether" sounds so badass
-
sarang
I had also hypothesized that coinbase spend-age distribution patterns would differ from non-coinbase
-
sarang
Also worth noting that there's no a priori expectation (AFAIK) that suggests the spend distributions _should_ be gamme distributions
-
sarang
they just happen to agree
-
sarang
s/gamme/gamma
-
monerobux
sarang meant to say: Also worth noting that there's no a priori expectation (AFAIK) that suggests the spend distributions _should_ be gamma distributions
-
sarang
good bot
-
sarang
Has anyone investigated the verification hit for doing a coinbase-only ring check during sync?
-
wowario[m]
sgp_: your comments here still valid?
wownero/wownero #101
-
sarang
The current selection algorithm no longer selects coinbase outputs "too often" relative to other outputs as it used to
-
sarang
The selection algorithm takes block density into account
-
sarang
It was addressed after some observations that the Miller method was non-optimal as originally presented
-
sgp_
Well, "too often" imo = "one or more"
-
sarang
?
-
sarang
I only mean in terms of block density
-
sgp_
You can probably ignore the comment on 12/27
-
moneromooo
What is a coinbase-only ring check?
-
sarang
A hypothetical consensus rule that a ring may contain either (a) only coinbase outputs; or (b) only non-coinbase outputs
-
sgp_
wowario[m]: the more elegant consensus rule is simply "rings can either be all-coinbase or all-no-coinbase"
-
sarang
I've expressed my concern previously about this
-
sgp_
When spending from a wallet, if spending coinbase, select all coinbase for that ring. If not spending coinbase, then don't select any coinbase for that ring
-
sgp_
The consensus rule enforces this wallet behavior
-
scoobybejesus
If coinbase-only rings will stick out anyway, perhaps their ring size could be made higher
-
sarang
The marginal benefit of this is unknown
-
sarang
AFAIK the extent of plausible deniability has not been formally tested
-
sgp_
scoobybejesus: I've definitely thought about this, but it's tough when most pool hashrate doesn't care and makes info public anyways
-
moneromooo
Such a test could be made to have negligible extra runtime, if we change the db to store an extra byte per output.
-
sgp_
It used to be so visible you'd need ringsize 45 to protect the real input with at least 1 non-discernable decoy 99% of the time
-
moneromooo
It currently stores 2 keys and 2 64 bit values, so... 80 bytes, for comparison.
-
moneromooo
We could also cheat and store height on 63 bits. No extra size, but some juggling in various places.
-
hyc
adding 1 byte would be awkward, breaking data alignment in the DB
-
UkoeHB_
Haven.. how in the world would an exchange rate develop if the amount of coins you receive is pegged to the exchange rate?! It's circular...
-
UkoeHB_
hyc the view tag idea would add 1 byte per tx
monero-project/research-lab #73 does that seem like a problem?
-
hyc
not really a problem per se
-
hyc
but if current data values are 80 bytes, and keys are 8 or 32 bytes, then all data is currently perfectly 8-byte aligned, which helps performance
-
hyc
adding 1 byte to data will in fact add 2 bytes, because LMDB always keeps all records at least 2-byte aligned
-
moneromooo
Transactions are variable size already in the db. The per output tx is not.
-
UkoeHB_
ah yeah 1 byte per output
-
sarang
-
sarang
0_0
-
» sarang reads on...
-
midipoet
quite like the sound of zk-WIP
-
sarang
The improvement in size is intriguing, if it still retains the desired security properties
-
sgp_
seems like a relatively marginal improvement? 2.5 KN -> 2.4 KB
-
sgp_
s/KN/KB
-
monerobux
sgp_ meant to say: seems like a relatively marginal improvement? 2.5 KB -> 2.4 KB
-
sgp_
What's QuisQuis?
-
sarang
It's an idea that came out of UCL (and possible collaborators) for a privacy-preserving account-based ledger
-
sarang
Meiklejohn et al., IIRC
-
sarang
-
sarang
Yep, UCL _and_ collaborators
-
sgp_
also table 2 suggests this bulletproofs+ trades some verification time for faster prover time, which ideally I'd rather have the other way
-
sarang
I need to examine batch verification in greater detail
-
sarang
Single proof vs. batch proof is an important detail
-
sgp_
is agg size batching?
-
sarang
I use the term "aggregation" to refer to generating a single proof demonstrating range on multiple commitments
-
sarang
and "batching" to refer to verification of multiple independent proofs at the same time in a way that combines the computational complexity of common generators
-
sarang
They are not the same thing
-
sarang
Aggregation has size benefits
-
sarang
Batching has time benefits
-
moneromooo
It'd be interesting to see if that new method can do aggregation without power of 2.
-
sarang
Doesn't appear so
-
sarang
That's surprisingly subtle and tricky
-
UkoeHB_
it sounds like they shave off 96 bytes per proof; the initial claim is a bit misleading
-
sarang
I have at least one method, but it doesn't work as well as you'd like
-
UkoeHB_
also, our 2-out range proof is 736 bytes, which isn't listed on their table so I'm not sure how direct the size comparison is
-
sarang
Since dEBRUYNE posted to r/Monero: the usual disclaimer that preprints neither require nor expect any formal peer review
-
UkoeHB_
32x8 is 800 bytes, and our 4-out range proof is 800 bytes so maybe that's appropriate to look at
-
sarang
Anyone can submit a preprint; preprint server editors perform minimal editorial review that does not examine accuracy of results
-
sarang
(this seems to be an ongoing issue with "reporting" of technical material)
-
UkoeHB_
so at 4-out tx (according to their numbers): 12% size reduction from 800->704 bytes, and 0.8% verification increase for a single proof 4.51 -> 4.55 ms
-
UkoeHB_
although maybe the 64x series is more accurate.. anyway I'll stop typing :p
-
sarang
-
monerobux
[REDDIT] 'Bulletproofs+: Shorter Proofs for Privacy-Enhanced Distributed Ledger' (eprint.iacr.org/2020/735) to r/Monero | 5 points (100.0%) | 2 comments | Posted by dEBRUYNE_1 | Created at 2020-06-18 - 19:19:40
-
sarang
I'm getting pretty sick and tired of terrible reporting on preprints
-
sarang
so I'll probably continue to increase my disclaimers on them whenever I see them
-
sarang
when you see "preprint", think "PDF that someone uploaded"
-
sgp_
lol
-
sgp_
"Google Drive for PDFs only"
-
sarang
-____-
-
sarang
Good preprint servers do a cursory editorial review, but only for apparent relevance
-
sarang
IACR does this
-
sarang
as does arXiv
-
sarang
but if you see "a study shows..." there's a _very_ good chance it's a preprint
-
sarang
and therefore shitty reporting
-
sarang
I have increasingly little patience for this poor reporting
-
sarang
"preprint" means neither "accurate" nor "inaccurate"
-
midipoet
why can't they just watermark the preprint with something like, I don't know "preprint"
-
sarang
would this matter in practice?
-
sarang
I've seen medical preprint archives have specific disclaimers and warnings for reports that appear to go unheeded
-
sarang
"a study" means absolutely nothing, apparently
-
sarang
Preprint archives are a double-edged sword
-
sarang
They're of huge value to experts
-
sarang
and (IMO) huge risk to non-experts
-
sarang
Heck, even experts fall into the trap of assuming preprint results are correct without external verification
-
sarang
It's an easy trap to fall into
-
midipoet
to be honest, I think it's a shit-show, but it seems a "thing". Instapost-research
-
hyc
well, presumably the reputational damage from publishing invalid results is enough to motivate some diligence in the authors
-
sarang
To be clear, I think having preprint archives is a benefit to research
-
sarang
If all research had to wait for peer review to be posted anywhere, there would be a large body of work that never sees the light of day
-
sarang
and not for specific lack of quality
-
sarang
"Just get accepted to a journal/conference" is highly nontrivial, and could take months or years
-
sarang
I _love_ that I can see up-to-date work as it's done
-
sarang
but you have to take it with a large spoonful of salt
-
midipoet
no, I totally understand the benefit, but just wonder about how it weighs up against the negatives.
-
sarang
but it's frustrating to see reporting that does not appreciate the spectrum of the review process
-
midipoet
like it's essentially just a message board for research. Which is great. But it is being read as a message board for knowledge.
-
midipoet
Which is troublesome
-
sarang
This is not the fault of the preprint archives
-
sarang
Their acceptance criteria are easy to find
-
sarang
this is the fault of poor reporting
-
sarang
which is also easy to find
-
moneromooo
"Knows how to operate an FTP client"
-
sarang
It's come to the point where if I see a news article about "a study" without a direct link to the paper or preprint, I assume it's full of shit and ignore it
-
midipoet
There is nothing more annoying these days than a reference without a source hyperlink.
-
midipoet
addicted to the semantic web
-
sarang
Yeah, surely the internet has advanced to the point where a hyperlink is possible