- 
waki4ever Why does the Saviour of NASA take a group achievement award and present it as a proof of individual glory?  twitter.com/hyc_symas/status/1203709575226183683
- 
ErCiccione[m] I can ban people and delete messages on matrix side. if you want to give me OP on freenode too i can control both from matrix (or with my freenode account linked to this matrix account) 
- 
ErCiccione[m] test 
- 
sgp_ Delegated RingCT: faster anonymous transactions 
- 
sgp_ "We present a modification to RingCT protocol with stealth addresses that makes it compatible with Delegated Proof of Stake based consensus mechanisms called Delegated RingCT. Our scheme has two building blocks: a customised version of an Integrated Signature and Encryption scheme composed of a public key encryption scheme and two signature schemes (a digital signature and a linkable ring signature); and 
- 
sgp_ non-interactive zero knowledge proofs. We give a description of the scheme, security proofs and a prototype implementation whose benchmarking is discussed. Although Delegated RingCT does not have the same degree of anonymity as other RingCT constructions, we argue that the benefits that the compatibility with DPoS consensus mechanisms brings constitute a reasonable trade-off for being able to develop an 
- 
sgp_ anonymous decentralised cryptocurrency faster and more scalable than existing ones." 
- 
LyzaL interesting cause I didn't even know RingCT was incompatible with PoS heh 
- 
UkoeHB__ thanks for sharing sgp_ 
- 
mikerah[m] DPoS is generally a dead-end from the perspective of most PoS enthusiasts 
- 
mikerah[m] I would need to read the paper to see how they define DPoS before I write it off 
- 
moneromooo I was thinking about fake output selection, and whether an alternative selection algorithm would be better: 
- 
moneromooo Divide the chain into N (= ring size) windows, then pick an output in each window. 
- 
moneromooo Window size is calculated from 0 to current, based on the gamma distribution. 
- 
moneromooo So a very wide window from 0, and very narrow windows near the most recent outputs. 
- 
moneromooo A fake out would not be picked for the window in which the real output lies. 
- 
moneromooo This should still match the gamma distribution I think, and yet would prevent silly degenerate picks. 
- 
moneromooo ie, every ring would have an old output, for instance. 
- 
moneromooo And the nice thing is that we could start enforcing this in consensus. 
- 
moneromooo Would such a scheme introduce statistical issues ? 
- 
sech1 Well, statistically it wouldn't be a randomly picked gamma distribution 
- 
sech1 because sometimes it doesn't have old outputs and it's normal 
- 
sech1 I mean, if you make a bar chart of selected output's frequencies it will look like gamma. But more detailed statistical tests will show it's not gamma 
- 
sech1 It effectively reduces the sets of fake outputs to choose from from all "gamma-like" to only certain "gamma-like" sets 
- 
sech1 I think it reduces the efficiency of rings 
- 
moneromooo Do we care about "detailed statistical tests will show it's not gamma" ? If so, why ? 
- 
moneromooo Why do you think it reduces the efficiency of rings ? 
- 
sech1 They can uncover the real output with higher probability 
- 
moneromooo How ? 
- 
sech1 It depends on how you select outputs in each window. I doubt uniform distribution will be enough 
- 
sech1 You'll need to do analysis for each window and adjust distribution to preserve ring efficiency 
- 
moneromooo Yes, uniform would be bad, at least for old windows. 
- 
sech1 So if an attacker knows that real outputs in some window are most often in a certain part of it, they can exclude outputs which are not in that part 
- 
moneromooo Well, AFAICT that's not an argument against the system, just an argument against something I did not suggest. 
- 
moneromooo It'd be the same now, if you use uniform distribution, it'd be shit. We just... don't. 
- 
moneromooo I'm just interested in knowing whether picking one in every window would make it better or worse. 
- 
sech1 this could work with proper distribution curves for each window and have the same level of security 
- 
sech1 This is my uneducated cryptography amateur opinion ^^^ 
- 
sech1 I think it should satisfy the following: if an output is N blocks old, it should appear in a ring with the same probability as the real output of the same age. Regardless if you use selection windows or not. 
- 
sech1 The task then becomes choosing curves for each window to satisfy it 
- 
sech1 and choosing window sizes 
- 
tevador what we really need is a larger ring size 
- 
gingeropolous ^^^ 
- 
sech1 and same probabilities of real and fake outputs too 
- 
sech1 because skew in probabilities reduces effective ring size 
- 
hyc sure, and slicing outputs into windows is a step to ensure uniform probabilities in each window 
- 
sech1 btw how was the current gamma distribution obtained? From BTC blockchain data? 
- 
moneromooo IIRC from known spends pre-rct. Not 100% sure. 
- 
sech1 BTC spending patterns are quite different. They have mixers "for privacy" doing lots of transactions and they don't exist in XMR. 
- 
moneromooo The Miller et al paper compared it with bitcoin, it was a similar shape. 
- 
moneromooo Though different params. It's not clear to me how chain age would have changed monero's. 
- 
sech1 My gut feeling says it should be a simple shape with just a few parameters to reflect real world spending 
- 
gingeropolous I'd put forward that the enforcement of selection should be prioritized or given greater weight in this decision 
- 
sech1 It's impossible to enforce random selection 
- 
sech1 only selection windows probably 
- 
gingeropolous deterministic *is* possible. ppl just don't like the burden it puts on things 
- 
sech1 how are you going to make it deterministic without disclosing which output is real? 
- 
sech1 I think the answer to this question will be worth a scientific paper :D 
- 
gingeropolous i forget. i feel like it's been bandied about here. perhaps in lounge. 
- 
moneromooo One idea is to have a PRNG seeded off, say, the key image and the current height. Generate data, maybe N times. You can then offset the whole thing so one output falls onto the real out. Include height and offset in the ring. 
- 
gingeropolous could even smoosh that together with the window thing to make it even easier, less brute forcing maybe 
- 
moneromooo If the offset is large, it skews the whole distribution though, so N might need to be large. 
- 
sech1 that won't work 
- 
moneromooo Seed off key image + height + user seed, if you want to roll N times. 
- 
moneromooo Why ? 
- 
sech1 it means that first N-1 times didn't fall on the real output 
- 
sech1 which will exclude all the outputs that it fell on 
- 
sech1 which I suppose is almost all outputs on the blockchain 
- 
moneromooo The Nth one probably will not fall on the real out either. 
- 
moneromooo That's why you have an offset. 
- 
moneromooo Granted, you might be able to make statistical guesses. 
- 
sech1 hmm, offset leaks some bits of data anyway 
- 
moneromooo It does, but you don't have to select the smallest offset. 
- 
moneromooo Though the smaller it is, the closer to the original distribution your picks are. 
- 
moneromooo Anyway, shall we pause on this for the meeting ? 
- 
sech1 you could just run PRNG with random 64-bit seeds every time until one of outputs is yours 
- 
sech1 then it shouldn't leak any data about the real output 
- 
moneromooo That'd take a *long* time when you spend old outs. 
- 
moneromooo But also, large offset -> more likely to spend an old out... 
- 
moneromooo Though you can have the wallet select large offset on purpose when spending a recent out. 
- 
moneromooo It's got a number of unclear possible leaks though, agreed. 
- 
gingeropolous larger ringsize would help 
- 
moneromooo Does anyone here want to have a meeting ? 
- 
moneromooo If so, please go ahead if you have something to talk about :) 
- 
sech1 that creates a problem of transactions that are generated offline 
- 
sech1 they can't use latest blocks obviously 
- 
moneromooo Well, looks like no one today. 
- 
moneromooo As for offline txes, it's the same as now, right ? 
- 
sech1 yes, same. But with deterministic generation you'll have to include the exact blockchain height used in the tx 
- 
sech1 which is another bit of information not present today 
- 
moneromooo Yes. Might be a way around that though. Like quantizing a bit and having the verifier try a few heights around the claimed height. 
- 
moneromooo Around some of it anyway. 
- 
Isthmus This is why NRL anchors ring member statistics off the youngest ring member rather than the block it was included on 
- 
Isthmus So that delayed broadcast isn’t a problem 
- 
sech1 right now if we see that the youngest ring member is 100 blocks old we can't tell if it was online or offline transaction 
- 
sech1 but with included generation height it will be pretty obvious 
- 
sech1 online transactions get mined in 1-2 blocks time 
- 
Isthmus Yep, that's exactly why we key off an intrinsic data point (height of youngest ring member) rather than extrinsic 
- 
Isthmus (such as the height at which the transaction was included) 
- 
sgp_ sounds like an argument for binning. there's a good amount of research on binning 
- 
sgp_ what's the motivation for this discussion again? are there wallets using different selection algorithms again? 
- 
moneromooo Some asshole spamming the network with non standard picks. 
- 
sgp_ got it 
- 
sgp_ in what way are they doing that? all old picks? 
- 
hyc the opposite - all new 
- 
sech1 Link to any example tx of these picks? 
- 
sgp_ why would someone even do that other than just to be annoying? 
- 
hyc sgp: bingo 
- 
sgp_ they don't learn any additional info compared to spamming with the correct algo 
- 
hyc it lets them point to any arbitrary recent txn and say "look how trivially this can be de-anon'd" because it uses all outputs that he spammed already 
- 
hyc it doesn't need to be an effective attack, it only needs to be FUD. 
- 
sgp_ well that's an output control problem, isn't the selection change unnecessary? 
- 
sech1 This attack is only effective at supporting miners :P 
- 
sgp_ if anything, all it does is warn users that someone is trying to conduct an output control attack 
- 
sgp_ and then someone can create a lower bound for the magnitude 
- 
sech1 but it must last for months before it gets efficient 
- 
sech1 because standard pick algorithm chooses old outputs too 
- 
hyc seems like it's been going a week or two already 
- 
sgp_ sech1: I argue it's effective enough just to share FUD after a week 
- 
sech1 and if there's 2 independent (or even competing) entities doing this, it won't work at all 
- 
sgp_ they need to have enough outputs of course 
- 
hyc tx rate is double what it was ~2 weeks ago 
- 
sgp_ but if they are looking to FUD only one transaction, not terribly difficult 
- 
hyc that seems like a significant amount for this purpose 
- 
sech1 0.25 XMR/day to spam 15000 transactions 
- 
sgp_ I say FUD in this case only because they probably only need to make a non-verifiable educated guess to FUD 
- 
sgp_ anyone have an idea of the magnitude? I have a bunch of tools to test 
- 
hyc if he owns 50% of txs (and outputs) for the past week, that's a pretty solid starting point 
- 
sech1 well, it jumped from 15k to 27k per day on Sunday 
- 
sech1 which was unusual 
- 
sech1 I think it started on Sunday 
- 
hyc likely, yeah 
- 
sgp_ if someone can show the data on what % of those transactions use unusual rings, please let me know 
- 
sech1 ring members selected only from the last 3 days 
- 
moneromooo townforge.net//dist/output-age-output-last-month.xz (50 MB, has the last month's txes along with output ages) 
- 
moneromooo Telltale is when the first ring member has a number of a few thousand. 
- 
moneromooo (which means the oldest output is only a few days old) 
- 
sgp_ looking 
- 
moneromooo You can ignore the "out" lines here. 
- 
moneromooo Columns for the "tx" lines are height, txid, ring size, then 11 output ages in blocks. 
- 
moneromooo Last one being 14-20 is also a likely giveaway. 
- 
sgp_ okay, thank you 
- 
sech1 I see a lot of such transactions even in month old blocks in that file 
- 
ArticMine tevador: what we really need is a larger ring size <---- Let us quantify this. For a ring size of 25 what would be the size of a 2 in 2 out tx after factoring in BP+? 
- 
hyc not too surprising, given how long attacks have been ongoing 
- 
moneromooo I can give anyone interested the source to the program that generates these. 5 GB output so I can't upload that in any sane timeline. 
- 
sgp_ I'm still trying to filter the data from the download 
- 
sgp_ it's difficult to say exactly how effective the attack is at identifying all of the outputs, since I would need to know how many normal transactions have at least one output older than x days 
- 
sech1 moneromooo can you prepare a similar file for May 2019 when there was no attack (presumably) and a lot of legit transactions 
- 
moneromooo Yes. 
- 
sgp_ for one arbitrary ring to be compromised each day with ringsize 11, that would require oversight of 38% of outputs distributed uniformly 
- 
sgp_ actually that's assuming all 1-in, so that's not actually quite true. Actually less than 38% then 
- 
sgp_ and if there's a higher % of recent outputs controlled (as in this case), then as long as they have outputs past a reasonable window, they would also need control of fewer total outputs 
- 
Inge- <+moneromooo> Some asshole spamming the network with non standard picks. <-- any numbers on how many of the transactions are like this? 
- 
moneromooo 14-20 is actually pretty common overall. So not a sign. 
- 
sgp_ I have some rough data coming up soon with the last month numbers (not May 2019's) 
- 
Isthmus Hmm, I know that with a (2+)-in transaction, I can reference the same output in multiple rings 
- 
Isthmus But can I also make a single ring that references the same output 11 times? 
- 
Isthmus Mathematically I don't see why it wouldn't work 
- 
sgp_ Yes I think 
- 
Isthmus That'd be some good FUD material 
- 
sgp_ The main harm is to the sender of the tx in that case 
- 
Isthmus Correct, it would be modifying your software to shoot your own foot 
- 
Isthmus Which seems on brand for certain trolls 
- 
moneromooo You can't use the same output more than once in a ring. 
- 
moneromooo You can still do plenty of other dumb things though. 
- 
sech11 This is the age of the oldest output in a ring (normalized, Y-axis is in promille) 
- 
sech11 I mean 1/1000 
- 
moneromooo Matches the tx rate almost doubling. 
- 
sech1 No, it's normalized 
- 
sech1 I divided by the total number of txs and then multiplied numbers by 1000 
- 
sech1 So it shifted towards younger outputs in the last month 
- 
moneromooo Well, almost twice the ratio of very recent, no ? 
- 
sech1 and there's also a peak at ~186 days 
- 
sech1 yes, 2 times more very recent outputs 
- 
sgp_ For the last month, about 15% of txs have their max decoy block height less than 10000 blocks 
- 
sgp_ s/decoy/output 
- 
sgp_ Half have their oldest output less than 60000 blocks old 
- 
sgp_ Those are rings actually, not txs 
- 
sgp_ I only see about 3000 rings with max age less than 1000 blocks 
- 
sgp_ Which is ~0.3% 
- 
sgp_ sech1: are we getting different numbers on those? 
- 
sech1 I don't know, I need to rewrite my script to count it 
- 
sech1 For the last month, I have half rings with oldest output less than 61*720 = 43920 blocks 
- 
sech1 For May 2019, it's 107*720 = 77040 blocks 
- 
moneromooo It's weird. I can see your images, but I can't see most others from imgur, I get a "you need JS" page... 
- 
sech1 It's direct links to static images 
- 
sech1 Where in the codebase is the output selection algorithm? 
- 
moneromooo wallet2.cpp, grep for "gamma". 
- 
moneromooo Ignore the triangular distribution stuff, it's only used for pre-rct now. 
- 
sech1 gamma_picker class? 
- 
moneromooo Yes. 
- 
sech1 blocks_to_consider is limited to 1 year? What if someone spends older output? 
- 
moneromooo No idea. I don't remember that. Let me read code... 
- 
sech1 nevermind, it's a limiting parameter 
- 
sech1 it's only used to calculate average output time 
- 
sech1 *not a limiting parameter 
- 
sgp_ sech1: y axis is %*10? 
- 
sech1 sgp_ yes 
- 
sech1 per mille (1/1000) 
- 
sech1 moneromooo well, that explains more younger outputs in the last month. The gamma_picker is skewed to younger outputs if the number of txs was growing in the last year, which it did 
- 
sech1 average_output_time and logic around it assumes that tx flow was constant 
- 
moneromooo Does it explain such a large shift ? 
- 
sech1 well, we did have more than 2 times fewer transactions a year ago:  bitinfocharts.com/comparison/monero-transactions.html#1y
- 
moneromooo Shift from two weeks ago. 
- 
moneromooo Sustained. 
- 
sgp_ this data doesn't scream "different selection algo used by large spammer" to me 
- 
sech1 It's not simple math to estimate the effect of this transaction growth on output selection as it is now 
- 
sgp_ right, and other user behavior would change it too 
- 
sech1 on the other hand, transaction growth will skew real spending to younger outputs too, so I think gamma_picker logic is correct here 
- 
moneromooo I was kinda confusing tx volume and output age. The sustained shift that feels like a good outlier is the number of txes. 
- 
sgp_ based on the conversation earlier, I assumed something like 20% of new txs used outputs all less than 10000 blocks 
- 
needmoney90 Any value in popping up a site that you send Monero to as a 'donation', and it persistently sends transactions with those funds in a forward secret way while deleting its prior keys? 
- 
needmoney90 Stopgap measure, in the event of a suspected attack, you can dump some funds in and add a base level of known secure txes 
- 
sgp_ not amazing if the behavior is predictable somehow 
- 
sgp_ handling timing would be kinda difficult 
- 
needmoney90 Worth looking into? 
- 
sgp_ imo not really 
- 
sgp_ I'm worried that cheap transactions are one vulnerability here. They don't need to be extremely expensive, but even $0.01 per would help keep rando trolls away 
- 
sech1 bad idea to spam the chain with useless transactions for eternity 
- 
sech1 it's already approaching 100 GB 
- 
sgp_ at the moment transactions are basically free at ~$0.002 
- 
sgp_ so only ~$1k for 15000 tx/day 
- 
sgp_ for a month 
- 
sgp_ ArticMine: what's keeping us from increasing the base fee? 
- 
gingeropolous obvi the fact that monero's gonna be worth 9 kajillion dollars tomorrow. 
- 
gingeropolous what about lowering the 300kb thingy 
- 
jwinterm need to use chainlink to tie base rate to usd value 
- 
jwinterm clearly 
- 
sgp_ Monero could 100x vs USD and the base fee would still be cheap 
- 
sgp_ Well, maybe reasonable not SUPER cheap 
- 
jwinterm $0.20 seems reasonable to me 
- 
sech1 $13100 per XMR seems also reasonable to me :P 
- 
midipoet Be funny if we then found out that XMR price is always relative to transaction fee cost, as opposed to the other way around. 
- 
hyc in comparisons to other "privacy" coins that I see frequently posted, XMR seems to already have the most expensive fees of the class 
- 
sgp_ hyc: yeah but those have even less use. ZEC's z2z fees are artificially low 
- 
sgp_ my gut feeling is that the base fees should be 10x higher 
- 
sech1 you want a contentious fork? 
- 
sech1 it's too late to increase fees 
- 
sgp_ well I know it would take a fork to increase base fees, but we could change next hardfork with bp+ if there's a reason to 
- 
sgp_ not sure where contentious fork comes from 
- 
sech1 contentious because users will not want higher fees without a very good reason. 
- 
sethsimmons Yeah. I don’t know how well that would go over unless we have clear data that an attack is ongoing. 
- 
sethsimmons Low fees are a big selling point for people and one of the most frequent “pros” brought up. 
- 
sethsimmons The best way to combat flooding attacks is to get more people to use Monero 😉 
- 
sech1 they're low now, but on the scale of a few years price will go up a lot and fees won't be low anymore 
- 
hyc we're at something like 1/4th of ATH in XMR/USD. 4x for fees doesn't seem huge 
- 
sgp_ I honestly don't think a fee bump to a reasonable number will be contentious, especially if it's supported better than the current base fee 
- 
sgp_ like, will people REALLY walk away if fees go up to $0.01 
- 
sgp_ I just don't want to take fee increases off the table, that's all. *If* we should do one, then we should do one 
- 
sethsimmons There just needs to be a clear reason with supporting data 
- 
sethsimmons Especially since it will likely need to be rolled back later on because its based on fiat value 
- 
sethsimmons If it could be made decentralized like dynamic block size that is one thing, but relying on devs/Core to change fees at will is a road I’m not a huge fan of. 
- 
sethsimmons And will bring heavy “centralized” FUD for some good reason 
- 
sethsimmons I doubt it would actually be a contentious hard fork 
- 
thrmo the current fee was set exactly like that though sethsimmons 
- 
thrmo fees will always be a contentious point/change until we can develop a new model 
- 
thrmo *better model 
- 
sethsimmons Yes I understand, and that’s why I’m not opposed to a change with clear data to back up the necessity. 
- 
hyc re: higher fees - would not be a major attack disincentive, if the attacker also holds significant hashrate 
- 
hyc higher fees just puts more money in their pocket 
- 
sgp_ sure 
- 
thrmo that's a different attack vector though and harder to pull off hyc 
- 
hyc ... or attacker is getting dev donations from mining software that's in common use ... 
- 
thrmo his software is less and less used these days, afaik 
- 
hyc good to hear 
- 
sethsimmons 😬 
- 
thrmo that's what you get when you antagonize an entire community I guess. 
- 
sethsimmons Good 
- 
sarang Important to note that an attacker who spams outputs could use that data to reduce effective anon set of honest transactions 
- 
sarang And having a common non-standard characteristic could be used as a way to make this spam set public 
- 
thrmo I think that's his plan 
- 
hyc yes, that's been the underlying assumption in this whole discussion 
- 
sarang OK, just had jumped in, hadn't followed everything 
- 
sarang Quite the interesting set of attacks recently 
- 
sethsimmons Is this actually an ongoing attack? 
- 
hyc yes 
- 
sgp_ besides the adjusted selection algo which ended up being less clear, is there any other indication that an attack is being conducted? just the tx increase? 
- 
hyc tx increase, output selection 
- 
sethsimmons We know the TX increase is an attack and not related to DNMs being Monero-only now as a general rule + speculative load? 
- 
hyc tx rate ~doubled on Sunday, 15K to 27K 
- 
hyc are you aware of any DNM announcements (comparable to alphabay 2016) that would account for such a jump? 
- 
sgp_ you all were discussing that looking back, you were concerned for about a month though right? 
- 
hyc we were remarking on it, but maybe not yet concerned. 
- 
hyc but there's no way these new txns are legit, with their weird output selection 
- 
sethsimmons A large portion of the new transactions have flawed decoy selection? 
- 
sethsimmons We have been averaging ~20k transactions for a while now, with a major dip around the fork of course. 
- 
sgp_ sarang: without special software. any reason why we would see such a change in the output selection? The real-time selection may decrease with more outputs generated recently, but would block time be unaffected? Or is the block time shortened because it selects by output not by block?  i.imgur.com/yhHx0ca.png
- 
sethsimmons There was no recent DNM announcement that would double TX count overnight, but 27k is not that far off of our recent ATHs of ~20k multiple times. 
- 
sech1 fun fact: you need only 600 kh/s to mine fees for 25k transactions/day 
- 
sethsimmons <sethsimmons "There was no recent DNM announce"> This also coincides with a large increase in Monero price, so could have been organic + DNM usage + speculative 
- 
sethsimmons <sgp_ "sarang: without special software"> What percentage of these transactions have an abnormal decoy selection? 
- 
sgp_ sarang: is the selection by block (so we should expect this to not change with increased # of txs), or is it more per output and thus would expect to narrow with more activity? 
- 
sgp_ if I recall correctly it's closer to the former? 
- 
sech1 selection is per output 
- 
sech1 but it's quantized to a random output in a block after selecting output index 
- 
sgp_ so we should expect an increase in # of txs to select more outputs from more recent blocks, as we see here? 
- 
sech1 yes 
- 
sech1 as long as number of txs grows 
- 
hyc so can that explain the selection we're currently seeing? 
- 
hyc seems like a weakness in the selection algo, should be counting blocks 
- 
hyc (tho I recall that was a weakness before, when most blocks were empty) 
- 
sech1 "on the other hand, transaction growth will skew real spending to younger outputs too, so I think gamma_picker logic is correct here" 
- 
sech1 what we need to do is to run gamma_picker 1,000,000 times for example to add a reference line to  i.imgur.com/kmqlkDf.png
- 
hyc probably should return to a block-based algo, but weighted so that empty blocks don't count 
- 
sgp_ makes sense, agree sech1 
- 
sgp_ thanks for the explanation 
- 
sgp_ I think if fuk specifically was to spam, they are more likely to do so with an unmodified algo 
- 
sgp_ just because anything else is more effort with no benefit 
- 
sethsimmons *and makes the attack much easier to detect 
- 
Inge- could be other actors dipping their toes in.