-
lawrenceyan
Zero Knowledge from Multi-Party Computation
-
lawrenceyan
-
Loca422
For a community that prides itself on manipulating people, you can't manage a single guy that spends most of his time in his underpants :D
-
sgp_
ArticMine: this is the best chart I can find with performance increases
cdn.arstechnica.net/wp-content/uplo…pective.mt-gen-on-gen-1440x1080.png
-
sgp_
still, this is only for the fastest, not really "fastest for under $200", "fastest in-stock", etc
-
binaryFate
There is a convenient measure for storage vs. price, like GB/$. Is there anything vaguely similar published but for computing power?
-
sgp_
I'm thinking multithread passmark score / $, adjusted for inflation
-
sgp_
meeting in 50 mins here
-
sgp_
-
sgp_
my best interpretation of that chart is that it's closer to a ~25-50% increase in performance/price, though others may interpret differently
-
sgp_
eg: just look at the Ryzen 5 1600 on both charts
-
sgp_
cost $155 before, $150 today
-
binaryFate
-
binaryFate
not that the numbers make specific sense to me. Feel free to use/edit.
-
sgp_
darn, google sheets doesn't support boxplots natively
-
sgp_
.time
-
sgp_
that doesn't work apparently anymore haha
-
sgp_
but it is not 17 UTC
-
sgp_
s/not/now
-
sgp_
Monero Research Lab meeting time
-
sgp_
Greetings
-
sgp_
ping sarang moneromooo SerHack ArticMine binaryFate
-
sgp_
knaccc
-
sarang
hi
-
sgp_
dEBRUYNE
-
sgp_
needmoney90
-
sgp_
it's been a while since the last meeting, hope everyone is doing okay :)
-
sgp_
-
sgp_
I'm going to proceed and hope other people perk up
-
sgp_
1. Bulletproofs+ audit(s)
-
sgp_
this is the most pressing matter
-
sgp_
-
sgp_
it's been 3 weeks since they opened the proposal
-
sgp_
sarang: you had questions, were those answered sufficiently?
-
sarang
They were! The scope is broad so it really comes down to perceived community value
-
sgp_
in the last community meeting, they wanted to wait for a decision here before moving the CCS or not
-
sgp_
sarang: can you expand on what you mean by "the scope is so broad"?
-
sarang
Well they intend to do review of the preprint, review of our code, and also compare to some other implementations
-
sarang
Which is great to have!
-
sarang
I happen to think it's a good value, but this is not my call
-
sgp_
which part is the most "overkill" perhaps, the comparison?
-
sarang
I don't want to call it overkill
-
sarang
But if we had to choose something to nix, I'd say that
-
sgp_
understood
-
sarang
That being said, higher assurance is always a good thing
-
sgp_
the scope seems relatively reasonable to me since they are proposing 1 month of work
-
sgp_
if there's value in the comparison in your opinion, it seems reasonable to include
-
sgp_
do people feel comfortable with just this one audit, or should we also hunt down others?
-
sarang
sgp_: I think that the value is good for the proposed cost
-
sarang
If it had inflated the price too much, perhaps that'd be a different story
-
sgp_
and do we generally feel comfortable in these auditors' competencies?
-
sarang
I can't personally vouch for them, but they do have good work out there
-
sgp_
okay, so signs point to suggesting this is moved as-is
-
Isthmus
+1
-
sarang
I don't have any particular qualms, FWIW
-
Isthmus
Best case scenario, they are a good team and we receive a solid audit. Worst case scenario, an audit can't make things worse :- )
-
dEBRUYNE
False sense of security is a drawback I'd argue
-
sgp_
well, worst case they give an audit that looks good and gives undeserved confidence
-
dEBRUYNE
(in case of a bad audit)
-
dEBRUYNE
I'd still prefer to have a second team looking at it, even if the scope isn't that broad
-
dEBRUYNE
Especially since we're touching delicate parts of the code
-
sgp_
should we be looking for other auditors now, or later after reviewing the report?
-
sarang
Perhaps having another limited-scope audit?
-
dEBRUYNE
I'd say before
-
sarang
Just the proposed code
-
sgp_
I don't see this in any case being a blocker on moving the current audit
-
dEBRUYNE
I think another 'just code' audit would be fine
-
Isthmus
+1 sgp
-
ErCiccione[m]
Another audit only for the code sounds like a good idea
-
sgp_
dEBRUYNE sarang Isthmus: any recommendations on how to reach out to others for the code-only audit?
-
sgp_
should we just cold email Quarkslab, Kudelski, etc?
-
dEBRUYNE
Through OSTIF I guess?
-
gingeropolous
+1 for second audit.
-
dEBRUYNE
They acted as intermediary in the past
-
Isthmus
Who have we engaged with previously, and would they be a good fit for this?
-
sgp_
fwiw, the Monero Audit workgroup was unimpressed with their assistance last time
-
hyc
we have gone thru OSTIF to the auditors
-
dEBRUYNE
sgp_: Of OSTIF, that is?
-
sgp_
yes
-
dEBRUYNE
I guess reaching out through OSTIF creates a sense of goodwill, but afaik it also increases the price
-
hyc
what were the problems? things were pretty smooth for the randomx work
-
sgp_
1) we probably didn't actually get a cheaper rate, 2) the conversations usually resulted in more confusion, not less
-
sgp_
and yes they want 10%
-
hyc
ok
-
sgp_
sarang: do you have email contacts for everyone we have worked with in the past?
-
sarang
I do, yes
-
dEBRUYNE
To maintain proper relations I think it would be better to consult OSTIF, but that's my personal opinion
-
sgp_
okay, anyone against starting there by contacting them with our desired project and scope? sarang I can handle more of the email communication to save you time
-
gingeropolous
and I thought ostif was necessary because the auditors have to work with some corporate entity of some kind
-
sgp_
gingeropolous: I'm not sure, if they need an entity, we can reconsider
-
dEBRUYNE
I think that's mostly for tax reasons, not sure
-
sgp_
tax reasons would be for the benefit of the donors
-
gingeropolous
k. but yeah, that's a good starting point.
-
sgp_
okay, it's my recommendation we start there
-
sgp_
any other comments on this topic?
-
sgp_
in summary: move the CCS, and then look for a second, narrower audit
-
sarang
Cool
-
sarang
We can specifically limit the code scope
-
sgp_
sarang: please contact me after so we can get the emails out
-
sgp_
if anyone wants to help with the audit workgroup, please DM me
-
sarang
can do
-
sgp_
okay, next topic
-
sgp_
Triptych / Arcturus
-
sgp_
first important question on my end:
-
sgp_
is Arcturus out? is there anything that could change/happen to make us feel comfortable with this?
-
sarang
Well, there is a Rust implementation, which is pretty great
-
sarang
But AFAIK no other review
-
sgp_
(I'm afk for a few, emergency sorry)
-
dEBRUYNE
Not sure what is withholding us from starting to work on implementing Triptych
-
dEBRUYNE
I think people already reconciled the fact that multisig would require a bit more of a complex implementation
-
Isthmus
gl sgp
-
Isthmus
@sarang is the rust implementation public?
-
» Isthmus wants to poke through the repo
-
sarang
It is!
-
sarang
-
sgp_
half back
-
Isthmus
Thanks @sarang
-
sgp_
is there any way we would run with something like this though?
-
sgp_
there's that one assumption
-
sarang
Arcturus is inherently riskier, given its novel assumption
-
Isthmus
Oh yea, what's the non-standard assumption? I don't quite recall
-
sgp_
how can we reduce risk?
-
sgp_
or is that not really possible
-
sarang
Time and solid peer review
-
dEBRUYNE
A break would have pretty catastrophic ramifications
-
sarang
But "review" of an assumption is much different than review of an implementation
-
sarang
correct
-
dEBRUYNE
I argue it would be prudent to 'play it safe' and opt for Triptych
-
gingeropolous
aye
-
dEBRUYNE
The differences are not large enough to warrant choosing an implementation that relies on a novel assumption
-
gingeropolous
double aye
-
sgp_
is anyone here interested in Arcturus at all then
-
sgp_
or should we stop talking about it
-
sgp_
personally, I would feel okay with a really good review of it
-
ArticMine
Sorry I am late. My take on Arcturus is that the assumption risk will take time. So it can be implemented after Triptych
-
Isthmus
That all seems reasonable
-
» Isthmus nods in general agreement
-
sgp_
okay, anyone not in favor of focusing entirely on triptych for now?
-
moneromooo
Do those two share most code ?
-
sarang
The structure is similar
-
sgp_
sarang: ^
-
sarang
But there are significant internal differences still
-
sgp_
for the record, who is for focusing entirely on triptych
-
ArticMine
I am
-
sethsimmons
<sgp_ "for the record, who is for focus"> I am as well.
-
moneromooo
I'd say yes, on balance. Not a huge preference.
-
dEBRUYNE
Triptych is my preference
-
» dEBRUYNE brb
-
sethsimmons
Let's focus on the clearest next step and then think more about Arcturus later if needed.
-
sethsimmons
Not enough clear wins in Arcturus to offset the novel assumptions IMO.
-
sgp_
my guess is that we will never use Arcturus since ideally there will be a bigger breakthrough in a few years
-
sarang
FWIW the key image structure is identical between the two anyway
-
sethsimmons
Most likely, and that's not a bad thing I don't think.
-
sarang
So an output migration between them is not needed
-
sarang
Very similarly to how we did MLSAG->CLSAG
-
sethsimmons
Triptych is a large step forward and will buy a lot of time for the next arms race.
-
sarang
Output migration _is_ needed from CLSAG->{Arcturus,Triptych}
-
sgp_
okay, so for triptych, what is the next step
-
sgp_
funding for sarang?
-
sarang
Is multisig important?
-
sgp_
oh good point
-
sgp_
quick vote
-
sarang
Big remaining issues are output set binning/selection/representation, output migration concerns, and multisig if applicable
-
ArticMine
I say yes
-
moneromooo
It is.
-
sethsimmons
<sarang "Is multisig important?"> Does Arcturus not cause the same issues as Triptych?
-
sarang
The prove/verify code is already present and working
-
ErCiccione[m]
it is, yes
-
sarang
Multisig code is not, and is highly nontrivial
-
sgp_
Is lack of current hardware wallet support for multisig wallets a blocker, yes/no
-
moneromooo
No.
-
ArticMine
No
-
sethsimmons
no.
-
sgp_
I also think no
-
sethsimmons
It's such a tiny, tiny percentage of users
-
sethsimmons
Better to drastically improve the default privacy assumptions for all users than delay for a tiny subset of those users.
-
sarang
To be clear, we do have a way to handle multisig, but it requires additional code and library support for more general group structures (RSA groups)
-
sarang
I do not have the expertise in hardware device limitations to know the extent to which this is reasonable on those devices
-
sethsimmons
Does that need a HF to implement?
-
sarang
Multisig? No
-
sethsimmons
Or could it be added after the initial Triptych implementation?
-
sarang
You can't tell if a txn uses multisig
-
sarang
It's entirely separate
-
sethsimmons
Ah, ok, that makes it much clearer then to forgo blocking on multisig
-
ArticMine
Then I suggest the route is to get Multisig working on triptych
-
sethsimmons
Can focus on initial imp then pivot to musig after.
-
sarang
Sure, but if the answer is "Triptych multisig cannot work on our limited hardware devices" then that could be a blocker
-
sethsimmons
Or if there are resources, work on them in parallel
-
sgp_
it's not a blocker
-
sarang
OK, just wanted to make it clear that it could be the case that multisig will never practically work on those devices
-
sgp_
screw current hardware wallet support for multisig wallets
-
ArticMine
Not every user has to use the limited hardware
-
sarang
I don't know enough to say for sure
-
sgp_
very worthy tradeoff
-
Lyza
yeah as long as multisig works I don't think HW devices are essential, and besides they'll likely catch up at some point
-
sarang
Note that the multisig approach is based on known techniques, but would warrant additional scrutiny and review
-
sarang
I have some basic code demonstrating it in Python
-
sarang
(usual DANGER DANGER disclaimer that research code is not reviewed and unsuitable for production use)
-
sgp_
okay, so what are the immediate next steps
-
ArticMine
The proper process of scrutiny and review has to be followed but I do see a clear part here
-
sarang
-
ArticMine
path
-
sarang
^ that's the code and algorithm descriptions
-
dEBRUYNE
ArticMine: I think sarang means that multisig for 'normal' devices is possible (albeit sophisticated and complex)
-
dEBRUYNE
But is ruled out for hardware wallets (devices)
-
dEBRUYNE
E.g. Ledger & Trezor
-
ArticMine
Which is fine
-
sarang
Not necessarily ruled out... but would require a lot of other plumbing
-
sarang
Again, I don't have the expertise to make that conclusion
-
ArticMine
Since not all users need to use hardware wallets
-
dEBRUYNE
There is arguably little benefit currently to pursuing Triptych multisig for hw wallet devices
-
dEBRUYNE
ArticMine: And they would be able to use a 'standard' Ledger / Trezor Monero wallet with Triptych
-
ArticMine
That is my point
-
moneromooo
I don't think we need to care whether it's doable atm. Just add triptych, then software MS, then people from ledger/trezor will work out whether they can. If not, tough.
-
sgp_
yeah pretty much
-
Lyza
+1
-
sgp_
so what's next for adding triptych
-
sgp_
what needs to happen first
-
sarang
Analysis and decisions around output selection and representation and binning
-
sarang
Review
-
sarang
Consensus code
-
sarang
Multisig, if desired (lots of work on this one)
-
moneromooo
With the caveat that, while designing software MS, if two implementation options are equally possible but one is thought to be much easier on hw, that gives it a better chance of being chosen, ceteris paribus.
-
sgp_
output selection is an area for potential improvement, but could theoretically be implemented with current alo right?
-
sgp_
s/slo/algo
-
ArticMine
Multisig for regular hardware
-
sarang
If you're selecting large output sets, using binning has many benefits, including size
-
sarang
You don't want to do individual representations of each output, presumably...
-
dEBRUYNE
sarang: And I guess a way of funding too
-
sgp_
sarang: I see output selection as a side optimization project
-
sgp_
not as a blocker
-
moneromooo
I'd be interested in partial caching of crypto ops with binning, to cut off some constant from O(N) in verification time.
-
moneromooo
If at all possible.
-
sarang
Depends how you bin, but sure
-
sarang
And we can reuse output sets between Triptych proofs in the same transaction (my analysis numbers assume this)
-
sgp_
when you say "review" do you mean an audit of the paper? audit of the code? both?
-
sarang
I'd say both
-
sarang
Dedicated peer review in addition to academic peer review provides higher assurance
-
sarang
Especially for something relatively new like this
-
sgp_
the code for consensus and output selection are separate areas of code, correct?
-
dEBRUYNE
We can just ask the audit team if a widened scope is possible
-
sarang
sgp_: probably/hopefully :D
-
sgp_
I think that's a super important detail to know :)
-
sgp_
since if together, then selection is a blocker
-
sarang
I mean, binning should have consensus elements in some cases, to avoid miner stuffing
-
sgp_
if separate, then we can start with that code now
-
gingeropolous
it should be possible to migrate to triptych and still allow those users that have pre-existing multisig setup to migrate as well?
-
sarang
gingeropolous: no
-
sarang
that's an important point about multisig
-
ArticMine
We need a grandparent period for that
-
sgp_
huh?
-
sgp_
this wouldn't kill the previous multisig funds after a period
-
sgp_
they just would have to spend to a new wallet on triptych
-
sarang
Existing non-multisig operations would continue to work just fine
-
dEBRUYNE
Yeah it's like going from non-RCT to RCT outputs
-
sgp_
oh one quick compatibility question
-
sgp_
suppose I make a multisig wallet today and publish the normal 4 address
-
sgp_
what if someone sends Triptych outputs to that address
-
sgp_
are those recoverable?
-
sarang
I believe you'd need all parties to use a trusted operation to do so (but it's possible)
-
sarang
it's really a question of trust
-
sarang
The new multisig operation does not require that trust
-
sarang
I'd need to review the specifics of this to be sure
-
ArticMine
That is why I suggest a period of time for the transition
-
sgp_
for clarification, suppose this is a 2/3 multisig wallet
-
sgp_
do you need the support of 2 or 3 people
-
sarang
I believe you need just the 2 people, but they can't spend it without a trusted operation
-
sgp_
ArticMine: this isn't solved with a transition period afaict
-
sgp_
what is a trusted operation?
-
sarang
They'd have to recover the output private key in a way that means they both know it
-
sarang
As opposed to the non-trusted way, in which they don't learn the other party's share of it
-
sarang
This is because of an inversion operation that's the cause of all this multisig tomfoolery
-
sarang
and cannot be avoided AFAICT (this is present in other constructions like Arcturus, RCT3, Omniring)
-
sarang
It's because they need to construct the key image, which uses this inversion
-
ArticMine
So there is a one time issue
-
sgp_
let me repeat this back to make sure I understand
-
sarang
Yes, but could be very important
-
ArticMine
To clarify this issue does not occur going from Triptych to Arcturus
-
sgp_
in order to recover triptych funds sent to a pre-triptych multisig wallet, they would need to reconstruct the private key in such a way that all parties who participated would learn the full spend key (and thus could independently send all funds from that wallet, including both clsag and triptych outputs)
-
sgp_
so put another way:
-
sarang
Yes
-
sgp_
the wallet would need to be "converted" from a multisig wallet to a non-multisig wallet first
-
sarang
That's a good way of wording it, yes
-
sgp_
okay, I understand now :D
-
sarang
It's super annoying and could be very problematic for users, I know
-
ArticMine
but the conversion only requires the same number of signatures as the original multisig
-
ArticMine
Correct?
-
sarang
ArticMine: yes
-
sarang
I've thought a lot about ways to avoid this inversion stuff, but it's pretty baked into a lot of the math of this and similar constructions
-
sgp_
I think this is something that needs to be approached with care, but is still okay to proceed with care
-
sgp_
this is why a transition period doesn't solve it, ArticMine:
-
sgp_
wallets will either receive clsag or triptych outputs
-
sgp_
this "conversion" needs to be done when the very first triptych output is received
-
sgp_
we may have one more option however, sarang what do you think of this:
-
sgp_
first, can clsag multisig wallets spend clsag outputs (only) and make new triptych outputs in a non-trusted way?
-
ArticMine
What happens in reverse, a CLSAG output sent to a Triptych multisig wallet?
-
sarang
sgp_: yes
-
sarang
The construction of outputs is identical in both cases
-
sarang
The only difference is how key images are computed, which has implications for spends
-
UkoeHB__
sarang I may be missing something, at which step in monero-project/research-lab #72 is the full private spend key known to participants?
-
sgp_
okay, so we have one other option perhaps that's inelegant
-
sgp_
we could change the addresses to be detectable to the sender that it's a newer triptych wallet and perhaps also only allow sending of triptych outputs to those on the wallet side
-
sarang
Sorry, I have to take off unfortunately
-
sarang
This meeting went much longer than I had expected
-
u29601mg6ba93j[m
<sarang "Sorry, I have to take off unfort"> Thanks for your participation. Speaking for myself I learned a lot from your answers
-
ArticMine
I propose we reconvene is a week
-
ArticMine
in
-
sgp_
yeah this was super useful I think
-
gingeropolous
indeed.
-
ArticMine
Ok next meeting?
-
dEBRUYNE
Same time next week?
-
ArticMine
That was my suggestion
-
dEBRUYNE
Sounds good to me