i hate reviews like that. they basically want to see the work done, but don't want to do it themselves or pay to have someone do it

its like no buddy, review the work done

bro

irccloud

wat?

hey

yeah irccloud is kil

for like 6 hours now ._.

you're the second person I know that used an alternate client lol

looks like upstream issue

<sarang> Meeting here at 17:00 UTC (about an hour from now)

<sarang> I'll be using this mattermost account since IRCCloud shat the bed

<sarang> (will verify the account is legitimate once IRCCloud comes back online)

.time

Meeting in 20?

.time

good bot

<sarang> aye

<sarang> All right, we'll get started with the meeting in just a few minutes

<sarang> The usual agenda: monero-project/meta #482

<sarang> Note that since IRCCloud is down, some people may be using other accounts... so be aware

<sarang> (e.g. I am using a mattermost account, but will verify its legitimacy once IRCCloud returns)

<sarang> As always, take with a grain of salt anyone claiming an identity from an unusual account

<sarang> OK, time to get started!

<sarang> As usual, GREETINGS first

<sarang> hello

Hi

<sgp_> Hi

<sarang> We may have lower attendance than usual, since many people use IRCCloud and it's currently down

<sarang> But we can move along to ROUNDTABLE, where anyone is welcome to share research of interest with the group

<sarang> Does anyone wish to go first?

I can share a quick update

<sarang> Go ahead, account claiming to be Isthmus!

We examined a few mechanisms that were suggested at last week’s meeting. Triptych is not secure against Shor’s algorithm, as expected. Also, Keccak/chacha20 might run into issues with the Bernstein–Vazirani algorithm (hidden linear function problem).

We’re starting to turn our attention from problems towards solutions, and we’re working through a lot of recent literature (h/t reading suggestions from surae).

I’m amazed at some of the recent improvements. A few years ago, any post-quantum cryptography was laughably unwieldy. TB-scale keys, absurd verification times, etc.

Today’s crypto schemes are less painful by a few orders of magnitude. Check out this paper highlighted by surae - MatRiCT: Efficient, Scalable and Post-Quantum Blockchain Confidential Transactions Protocol

MatRiCT supports ring sizes of around 64, verification time around 25 ms, 4 kB keys, 31 kB signatures. Not stellar, but could be much worse!

Anyways, over the next week we’ll dig into some more modern schemes and I’ll report back here about the most relevant prospects.

<sarang> Impressive numbers from that abstract

Oh actually, looking at the tables, ring size 64 might be closer to 40 ms verification

<sarang> Not really suitable size-wise, compared to today's signatures, but not bad overall

<sarang> thanks

Anyways, that's all from me. More info next week, same bat time, same bat channel

<sarang> Great, thanks for the update, possibly-Isthmus :)

Still there within a 10 year range of Nielsen's Law of Internet Bandwidth which is a factor of ~57x

This is really interesting

ooh

<sarang> I wonder how widely those estimates apply

<sarang> e.g. in the United States, network providers charge absurd amounts of money for often terrible service

<sarang> So for the average user, "possible" bandwidth is likely not "actual" bandwidth

The trend is pretty accurate, from my own experience in Canada

Probably the same curve, just with a time lag

1.5x a year compounded

<sarang> It may also be dangerous to assume that capabilities for "high-end users" (as the article says) are sufficient for basing protocol decisions on

<sarang> Then you start to run the risk of alienating entire groups of users

<sarang> and centralizing services around high-capacity entities

Actually the cost difference between high end and low end is narrowing

especially for consumer accounts

<sarang> I can share a few research items now

<sarang> I sent an updated CLSAG security model and linkable anonymity theorem/proof to the reviewers, who said the changes address their concerns

<sarang> We're trying to determine the best way to include these changes in a follow-up report

<sarang> They want to keep the original report mostly untouched, but I also think it's important to make clear what updates were made, and how those updates affect their conclusions

<sarang> After all, that's the point of the review

<sarang> The current IACR version of the preprint contains all the updates so far: eprint.iacr.org/2019/654

<sarang> Separately from this, PoPETs reviewers for Triptych and Arcturus suggested those preprints may be better suited for workshop submission due to their content and scope

<sarang> One reviewer for Arcturus claimed to have found a way to break the hardness assumption, but their supposed counterexample doesn't work... I don't think they tested it, or perhaps they didn't fully read through all the requirements of the assumption

<sarang> Arcturus is still technically under PoPETs consideration and can't be submitted elsewhere yet, but Triptych can

<sarang> I'm finalizing it for submission to an ESORICS workshop whose deadline is July 10

<sarang> Unfortunately CLSAG is far too long for ESORICS, but could be submitted to PoPETs at their next deadline; however, I fear it will be rejected for being too incremental

<sarang> Scaling it back to the ESORICS limit would basically nix all the security model improvements, and then the reviewers would probably (rightly) complain that such a security model is too weak

<sarang> So I don't think it's possible to win on that front :/

<sarang> Preprint submission is not a fun game

<sarang> Anyway, those are my updates

<sarang> Once again, I wish there were a Journal of Incremental Cryptography =p

<sarang> Does anyone else wish to share anything?

Encouragements to whoever "sarang" is for the submission work ^_^

<sarang> heh, thanks :)

<sarang> I wish there were better news on the submission front :/

<sarang> But the gist of the Triptych initial reviews seemed to be "this is an incremental improvement that appears not to have major flaws" and that's something

<sarang> Comments on Arcturus certainly addressed that an untested hardness assumption carries additional risk that may be offset by its benefits

<sarang> and that's a very valid point

<sarang> But at least the supposed counterexample doesn't appear valid (not that this demonstrates it's secure!)

<sarang> Since Arcturus is still under consideration, there's a rebuttal period where I can directly address reviewer comments

<sarang> (for Triptych, there is no such period available)

<sarang> I'll post the counterexample as a paste later, to have someone else verify my conclusion

<sarang> IIRC the rebuttal period ends around July 19 or so

<sarang> OK, if there isn't anything else to share, we can move to ACTION ITEMS for the upcoming week

<sarang> I'll continue to work with the CLSAG reviewers on the preprint side of things; they are still working on the code part of their review (which was delayed)

<sarang> Additionally, I'll finalize the Triptych submission to the ESORICS workshop, and send off some comments/questions for the Arcturus PoPETs rebuttal period

<sarang> If there's time, I'll continue with some output merging analysis using my new analysis toolkit

<sarang> Anyone else?

<sarang> Oh, and there's a lot of lit review that I wish to catch up on

<sarang> Righto, in that case, we can adjourn!

<sarang> Thanks to everyone for attending

<sarang> Can someone post meeting logs to the GitHub agenda issue? I usually do so via IRCCloud, which is not available

<sarang> Or paste them and I can format for GitHub

<sarang> Ah nvm, monerologs.net has an export feature

<sgp_> nice :)

<sarang> Logs posted

<sarang> FYI this is an interesting update to the Lelantus security model: zcoin.io/papers/lelantusv2.pdf

<sarang> Not sure if I had posted the link earlier

<sarang> This version is not the same as the current IACR archive version

Hooray, it's back

FWIW the xmrmatterbridge user sarang was me

<[keybase] kaylasu>: few months ago my retarded ass still thought that sarang and surae was the same someone, anyways good thing u validating ur identity over xmrmatterbridge, always tough to deal with impersonations and whatnot