00:21:30 <mikerah[m]> Has the monero research lab looked into PIR in some capacity?
00:22:24 <mikerah[m]> I have been thinking about and researching PIR for over 9 months now and at my company we have a roadmap to attempt an implementation for 3 other blockchain systems and are deciding on a fourth
00:22:51 <mikerah[m]> We are deciding between Monero and Zcash based on the funding available and have been following both projects for a few years now
00:23:48 <mikerah[m]> Based on my experience in the Monero community, there is a higher chance and much better accountability around open-ended research projects that are funded by the Monero Community Funding System.
00:24:20 <mikerah[m]> Currently Zcash's funding situation for project has been sketchy for years and it's not only gotten worst with the events of the past weekend.
01:01:17 <hyc> lol. anybody who even gives zcash a 2nd thought isn't thinking clearly.
01:07:29 <mikerah[m]> The tech is really good, especially halo 2.
01:07:43 <mikerah[m]> I just don't think they care about security and privacy like Sarah says
01:08:22 <UkoeHB__> mikerah[m]: I am not sure the value of PIR. If the goal is to reduce bandwidth for a wallet-centric node, it can't be easily done... because you have to download every single output anyway in order to scan for owned outputs.
01:08:46 <UkoeHB__> Plus such a node may want to download all key images to check for double spends
01:09:24 <mikerah[m]> Why couldn't the node do both? I.e. download all key images for double spends and enable Monero light clients to fetch the outputs that they own?
01:10:03 <UkoeHB__> you have to compute a Diffie-Hellman exchange on every on-chain output to identify owned outputs
01:10:24 <UkoeHB__> they can't be obtained remotely with any trivial approach
01:11:38 <UkoeHB__> here is my attempt to sketch out a Monero light node: https://github.com/monero-project/research-lab/issues/69
01:18:00 <UkoeHB__> unless I am misunderstanding something about what you want to accomplish...
01:29:39 <hyc> "The tech is really good" "don't think they care about security and privacy" - these two statements are irreconcilable. the tech isn't as good as they say it is.
01:30:04 <hyc> they would have to care a lot more about privacy for it to actually be that good.
01:30:59 <hyc> when they launched in 2016 everyone was saying "the tech is really good" about zk-snarks too. it was a lie back then too.
01:31:46 <UkoeHB__> the tech is pretty fancy at least
01:31:50 <hyc> "fool me once, shame on you"
01:33:53 <mikerah[m]> @hyc: What are your practical qualms about zk-snarks? Do you simply disagree with its instantiation in Zcash or are you skeptical of zk-snarks in general?
01:34:18 <hyc> the trusted setup has always been a threat hanging over it, of course
01:34:50 <hyc> but as a practical matter, it was unusable. Joe Average couldn't run it. exchanges couldn't afford the CPU resources to support Zaddrs
01:36:01 <mikerah[m]> <hyc ""The tech is really good" "don't"> Halo and Halo 2 have improved upon the state of the art in recursive composition systems without trusted setups. The main goal was indeed to provide better privacy and security. However, the team's other actions surround it (namely pre-anouncing Orchard and claiming that it can be finished by June 2021) is an example of not really caring about both of those things
01:36:01 <mikerah[m]> considering that it's a new system that hasn't even been peer-reviewed yet!
01:36:45 <hyc> is that so different from when they launched with zk-snarks? over-promise, under-deliver
01:36:53 <hyc> launch with poorly understood tech
01:37:11 <mikerah[m]> <hyc "but as a practical matter, it wa"> But in general, there are applications that use zk-snarks that are usable. The main reasonable it's hard to run Zcash is based on their protocol and the circuits needed in a SNARK to implement it.
01:37:47 <hyc> that's just a lame excuse. the system they launched couldn't deliver what they promised.
01:37:53 <hyc> that's the bottom line.
01:38:38 <hyc> the poor quality coding is just ... icing on the top
01:39:18 <mikerah[m]> <UkoeHB__ "unless I am misunderstanding som"> I'm what I'm thinking is highly dependent on where PIR is used. I'm thinking that light nodes would use PIR to request those outputs and then find some way to do a local decryption. But as you say, since that local decryption is already being done, what's the point of PIR?
01:40:13 <UkoeHB__> the problem is they have to get _all the outputs_
01:40:23 <hyc> that's unavoidable, yes
01:41:13 <hyc> there are no shortcuts. if there was a way to accelerate identifying which outputs are of interest to you, then that means there's a way to trace all outputs.
01:41:39 <mikerah[m]> <hyc "launch with poorly understood te"> If I recall correctly, Zerocash and Zerocoin were accepted at highly regarded cryptography conferences/journals and the initial Zk-snarks scheme they used was peer-reviewed as well. So, the academic community understood the tech well. It's main the OSS communities that didn't and still don't
01:42:23 <hyc> Zerocoin was accepted and *abandoned* by the zerocash team, to develop the zerocash protocol. zerocoin isn't worthy of any further mention.
01:42:40 <mikerah[m]> I only mentioned for completeness
01:42:45 <mikerah[m]>  * I only mentioned it for completeness
01:43:58 <hyc> as for the OSS communities not understanding it - the zerocash paper was written in 2014 and they claimed it to already have production-ready code.
01:44:12 <hyc> http://zerocoin.org/talks_and_press
01:44:24 <hyc> "In Zerocash, transactions are less than 1 kB and take under 6 ms to verify — orders of magnitude >more efficient than the less-anonymous Zerocoin "
01:44:41 <hyc> yet it still took them until 2016 to launch, with much worse real world performance
01:44:53 <hyc> are you telling me the OSS community had to reimplement it from scratch?
01:45:05 <hyc> why did it take 2 years if they already had such a good existing implementation?
01:45:30 <hyc> or maybe, just maybe, the stuff the academics had peer-reviewed didn't actually work as well as they claimed?
01:46:29 <mikerah[m]> <hyc "are you telling me the OSS commu"> Calling the ECC the OSS community is wrong. They were the ones that implemented the new stuff not open source devs. A lot of the early OSS devs left because they were being ignored.
01:47:07 <hyc> ok.
01:47:16 <mikerah[m]> <hyc "or maybe, just maybe, the stuff "> This is way more common than you would think. The incentives of academia, especially in CS, is to publish a lot and have code that does the basics in terms of benchmarking and then never open source the code.
01:47:24 <hyc> either way, that whole "ecosystem" is garbage
01:47:57 <mikerah[m]> Have you seen: https://github.com/arkworks-rs
01:48:25 <hyc> yes that's common in academia, and it's a crime. research that's unreproducible. what kind of peer-review is that
01:49:29 <mikerah[m]> Anyway, UkoeHB__ Do you have any other resources on what the current light node infra is in Monero? I would like to take a deeper look
01:49:36 <hyc> hm, a collection of primitives? is anyone using it for production work?
01:51:08 <hyc> you're going to have to tweak your terminology. light node doesn't make a lot of sense, I think you mean light wallet?
01:52:27 <mikerah[m]> <hyc "you're going to have to tweak yo"> I use light node and light client interchangably. Light wallet is different. Light wallets depend on a light node to provide a storage and bandwidth efficient interface to a full node (or sets of full nodes)
01:53:06 <hyc> ok
01:53:13 <jwinterm> there isn't really a "light node" per se, although there are pruned nodes, which can function as nodes for light wallets
01:53:30 <jwinterm> chops blockchain size on disk from 90 GB to 30 GB or so
01:54:47 <hyc> btw pruning was a misnomer, it's actually sharding. "pruned" nodes discard 7/8 of the chain data
01:55:01 <mikerah[m]> <hyc "hm, a collection of primitives? "> Don't think so. The folks that I know who are using zk-snarks in production simply write their own libraries or fork the zcash libraries
01:55:30 <mikerah[m]> <hyc "btw pruning was a misnomer, it's"> By sharding, do you mean DB sharding?
01:55:46 <hyc> it's not implemented in the DB engine
01:55:50 <hyc> but it is sharding
01:56:04 <hyc> across a random set of 8 nodes you will get the complete blockchain
01:56:44 <hyc> each of those "pruned" nodes carries a disjoint 1/8th slice of the whole
01:59:47 <mikerah[m]> <hyc "each of those "pruned" nodes car"> Is there a mechanism by which they decide which 1/8 to keep?
02:00:07 <hyc> when you enable pruning it randomly selects which slice
02:00:48 <hyc> there is no coordination across the network. we just rely on the PRNGs to give a uniform distribution across the network
02:08:51 <UkoeHB__> I think since users have to download all the outputs anyway there isn't much interest in a 'light node' which only validates headers
02:11:13 <mikerah[m]> So for Monero's usecase, finding a way to efficiently download and verify which outputs a light wallet owns is more important than enabling light wallets to query full nodes privately?
02:11:40 <mikerah[m]> It would be nice to have a set of open research/implementation questions that Monero has.
02:11:46 <UkoeHB__> I'd say yes
02:12:09 <UkoeHB__> there is https://github.com/monero-project/research-lab/issues
02:12:11 <hyc> what do you mean "query full nodes privately" ?
03:08:07 <mikerah[m]> So, think of a blockchain like bitcoin or ethereum that are transparent. Private queries in that case means that full nodes will not be able to tell what blocks you are interested in. All they would do is simply answer your query using some PIR protocol
03:08:53 <mikerah[m]> In the case of monero, everything is hidden by default. So, privately in this context is a bit murky as UkoeHB__ has said
18:03:03 <jakoson0> Look on the bright side. At least you don't need to obsess over signs of life from FUK now.