-
mikerah[m]
Has the monero research lab looked into PIR in some capacity?
-
mikerah[m]
I have been thinking about and researching PIR for over 9 months now and at my company we have a roadmap to attempt an implementation for 3 other blockchain systems and are deciding on a fourth
-
mikerah[m]
We are deciding between Monero and Zcash based on the funding available and have been following both projects for a few years now
-
mikerah[m]
Based on my experience in the Monero community, there is a higher chance and much better accountability around open-ended research projects that are funded by the Monero Community Funding System.
-
mikerah[m]
Currently Zcash's funding situation for projects has been sketchy for years and it's only gotten worse with the events of the past weekend.
-
hyc
lol. anybody who even gives zcash a 2nd thought isn't thinking clearly.
-
mikerah[m]
The tech is really good, especially halo 2.
-
mikerah[m]
I just don't think they care about security and privacy like Sarah says
-
UkoeHB__
mikerah[m]: I am not sure the value of PIR. If the goal is to reduce bandwidth for a wallet-centric node, it can't be easily done... because you have to download every single output anyway in order to scan for owned outputs.
-
UkoeHB__
Plus such a node may want to download all key images to check for double spends
-
mikerah[m]
Why couldn't the node do both? I.e. download all key images for double spends and enable Monero light clients to fetch the outputs that they own?
-
UkoeHB__
you have to compute a Diffie-Hellman exchange on every on-chain output to identify owned outputs
-
UkoeHB__
they can't be obtained remotely with any trivial approach
-
UkoeHB__
here is my attempt to sketch out a Monero light node:
monero-project/research-lab #69
-
UkoeHB__
unless I am misunderstanding something about what you want to accomplish...
-
hyc
"The tech is really good" "don't think they care about security and privacy" - these two statements are irreconcilable. the tech isn't as good as they say it is.
-
hyc
they would have to care a lot more about privacy for it to actually be that good.
-
hyc
when they launched in 2016 everyone was saying "the tech is really good" about zk-snarks too. it was a lie back then too.
-
UkoeHB__
the tech is pretty fancy at least
-
hyc
"fool me once, shame on you"
-
mikerah[m]
@hyc: What are your practical qualms about zk-snarks? Do you simply disagree with its instantiation in Zcash or are you skeptical of zk-snarks in general?
-
hyc
the trusted setup has always been a threat hanging over it, of course
-
hyc
but as a practical matter, it was unusable. Joe Average couldn't run it. exchanges couldn't afford the CPU resources to support Zaddrs
-
mikerah[m]
<hyc ""The tech is really good" "don't"> Halo and Halo 2 have improved upon the state of the art in recursive composition systems without trusted setups. The main goal was indeed to provide better privacy and security. However, the team's other actions surrounding it (namely pre-announcing Orchard and claiming that it can be finished by June 2021) are an example of not really caring about both of those things
-
mikerah[m]
considering that it's a new system that hasn't even been peer-reviewed yet!
-
hyc
is that so different from when they launched with zk-snarks? over-promise, under-deliver
-
hyc
launch with poorly understood tech
-
mikerah[m]
<hyc "but as a practical matter, it wa"> But in general, there are applications that use zk-snarks that are usable. The main reason it's hard to run Zcash is based on their protocol and the circuits needed in a SNARK to implement it.
-
hyc
that's just a lame excuse. the system they launched couldn't deliver what they promised.
-
hyc
that's the bottom line.
-
hyc
the poor quality coding is just ... icing on the top
-
mikerah[m]
<UkoeHB__ "unless I am misunderstanding som"> What I'm thinking is highly dependent on where PIR is used. I'm thinking that light nodes would use PIR to request those outputs and then find some way to do a local decryption. But as you say, since that local decryption is already being done, what's the point of PIR?
-
UkoeHB__
the problem is they have to get _all the outputs_
-
hyc
that's unavoidable, yes
-
hyc
there are no shortcuts. if there was a way to accelerate identifying which outputs are of interest to you, then that means there's a way to trace all outputs.
-
mikerah[m]
<hyc "launch with poorly understood te"> If I recall correctly, Zerocash and Zerocoin were accepted at highly regarded cryptography conferences/journals and the initial zk-snarks scheme they used was peer-reviewed as well. So, the academic community understood the tech well. It's mainly the OSS communities that didn't and still don't
-
hyc
Zerocoin was accepted and *abandoned* by the zerocash team, to develop the zerocash protocol. zerocoin isn't worthy of any further mention.
-
mikerah[m]
I only mentioned it for completeness
-
hyc
as for the OSS communities not understanding it - the zerocash paper was written in 2014 and they claimed it to already have production-ready code.
-
hyc
"In Zerocash, transactions are less than 1 kB and take under 6 ms to verify — orders of magnitude more efficient than the less-anonymous Zerocoin"
-
hyc
yet it still took them until 2016 to launch, with much worse real world performance
-
hyc
are you telling me the OSS community had to reimplement it from scratch?
-
hyc
why did it take 2 years if they already had such a good existing implementation?
-
hyc
or maybe, just maybe, the stuff the academics had peer-reviewed didn't actually work as well as they claimed?
-
mikerah[m]
<hyc "are you telling me the OSS commu"> Calling the ECC the OSS community is wrong. They were the ones that implemented the new stuff not open source devs. A lot of the early OSS devs left because they were being ignored.
-
hyc
ok.
-
mikerah[m]
<hyc "or maybe, just maybe, the stuff "> This is way more common than you would think. The incentives of academia, especially in CS, are to publish a lot and have code that does the basics in terms of benchmarking and then never open source the code.
-
hyc
either way, that whole "ecosystem" is garbage
-
hyc
yes that's common in academia, and it's a crime. research that's unreproducible. what kind of peer-review is that
-
mikerah[m]
Anyway, UkoeHB__ Do you have any other resources on what the current light node infra is in Monero? I would like to take a deeper look
-
hyc
hm, a collection of primitives? is anyone using it for production work?
-
hyc
you're going to have to tweak your terminology. light node doesn't make a lot of sense, I think you mean light wallet?
-
mikerah[m]
<hyc "you're going to have to tweak yo"> I use light node and light client interchangeably. Light wallet is different. Light wallets depend on a light node to provide a storage and bandwidth efficient interface to a full node (or sets of full nodes)
-
hyc
ok
-
jwinterm
there isn't really a "light node" per se, although there are pruned nodes, which can function as nodes for light wallets
-
jwinterm
chops blockchain size on disk from 90 GB to 30 GB or so
-
hyc
btw pruning was a misnomer, it's actually sharding. "pruned" nodes discard 7/8 of the chain data
-
mikerah[m]
<hyc "hm, a collection of primitives? "> Don't think so. The folks that I know who are using zk-snarks in production simply write their own libraries or fork the zcash libraries
-
mikerah[m]
<hyc "btw pruning was a misnomer, it's"> By sharding, do you mean DB sharding?
-
hyc
it's not implemented in the DB engine
-
hyc
but it is sharding
-
hyc
across a random set of 8 nodes you will get the complete blockchain
-
hyc
each of those "pruned" nodes carries a disjoint 1/8th slice of the whole
-
mikerah[m]
<hyc "each of those "pruned" nodes car"> Is there a mechanism by which they decide which 1/8 to keep?
-
hyc
when you enable pruning it randomly selects which slice
-
hyc
there is no coordination across the network. we just rely on the PRNGs to give a uniform distribution across the network
-
UkoeHB__
I think since users have to download all the outputs anyway there isn't much interest in a 'light node' which only validates headers
-
mikerah[m]
So for Monero's usecase, finding a way to efficiently download and verify which outputs a light wallet owns is more important than enabling light wallets to query full nodes privately?
-
mikerah[m]
It would be nice to have a set of open research/implementation questions that Monero has.
-
UkoeHB__
I'd say yes
-
hyc
what do you mean "query full nodes privately" ?
-
mikerah[m]
So, think of a blockchain like bitcoin or ethereum that is transparent. Private queries in that case means that full nodes will not be able to tell what blocks you are interested in. All they would do is simply answer your query using some PIR protocol
-
mikerah[m]
In the case of monero, everything is hidden by default. So, privately in this context is a bit murky as UkoeHB__ has said
-
jakoson0
Look on the bright side. At least you don't need to obsess over signs of life from FUK now.