-
knaccc
UkoeHB whoa, your Mechanics-of-MobileCoin paper is incredible. how did you find time for that?!
-
moneromooo
If you've looked at it in detail, then you probably can answer that question: what, if anything, can intel do if they were malicious and/or compromised?
-
knaccc
I only just found a link to the paper a couple of hours ago, and scan-read some of it. I am by no means endorsing MobileCoin :)
-
knaccc
it is a very interesting approach though
-
knaccc
and exactly as you say, relies on Intel not being malicious/incompetent
-
moneromooo
It looks like you thought I was asking you. I was asking UkoeHB.
-
knaccc
ah ok
-
knaccc
there is an interesting philosophical question that I think their approach raises. Which is: even if SGX presents a serious risk, does that mean it should not be used as part of a defense-in-depth strategy?
-
knaccc
the idea of asking a remote node to scan for outputs with a private view key that only their private enclave can have visibility of is fascinating
-
knaccc
selsta interesting, yes I'd imagine they'd allow for a higher-security option for people that wanted to store more than just toy-money
-
knaccc
selsta based on my extremely limited understanding of how SGX works, I think it is possible to get an intel-authenticated attestation from a remote cpu that a certain public key can be used to encrypt code and data that only that secure enclave can see/process, and then for a wallet to send the private view key in a secure way to that remote secure enclave for some compute-intensive EC
-
knaccc
scanning work to be done
-
knaccc
but of course, there could be implementation flaws, intentional backdoors, or a man-in-the-middle attack where intel's leaked keys are used to attest that an insecure enclave is really a secure enclave
-
knaccc
I'm not entirely clear about how the intel authentication part works
-
UkoeHB
they've contracted me since September, hired me a couple of weeks ago
-
luigi1111w
<selsta> Or does this have to be done on a protocol level? <= if protocol level = blockchain level, then almost certainly not.
-
luigi1111w
yes
-
moneromooo
Am I missing several lines from selsta here... two replies but nothing from selsta...
-
UkoeHB
re: Intel malicious/compromised
-
UkoeHB
1. they can read MobileCoin's transaction graph (i.e. see all ring members)
-
UkoeHB
2. they can censor new enclaves issued by MobileCoin Foundation/related to MobileCoin (would compromise the integrity of their SGX product line - ruin their reputation)
-
UkoeHB
3. in an extreme case, they could build a 0-day into the SGX software to replace enclave contents with their own code (very hard in many ways, but possible)
-
UkoeHB
4. Fog lets users find their owned outputs (like MyMonero, except instead of private-view-key-custody they read encrypted tags containing users' public view keys, then sort and store). Enclaves are used so the Fog operator can't see the view public keys. If enclaves broken, then output:user groupings would be known.
-
UkoeHB
yeah I don't see selsta commenting either
-
luigi1111w
grr
-
moneromooo
Fog ?
-
UkoeHB
it's this service thing that lets mobile be more efficient
-
moneromooo
So, intel can pierce ring signatures, and syncers can't verify those ring signatures. Is that correct?
-
selsta
Basically MyMonero with view keys stored in a secure enclave
-
UkoeHB
ring signatures are still real - you just can see them if enclaves are broken
-
UkoeHB
it's a step above MyMonero because the operator doesn't see amounts
-
selsta
why?
-
moneromooo
Real, but they're dumped after going through SGX, no? So syncers don't see them?
-
UkoeHB
syncers don't see them correct
-
UkoeHB
selsta: outputs have enc(pub view key) attached, Fog then groups outputs:pub_view_key, and user collects them
-
moneromooo
So it doesn't look like an improvement.
-
sethsimmons
Fog on top of Monero would be nice
-
moneromooo
Except in "lightweightness".
-
sethsimmons
For a more trustless LWS
-
UkoeHB
it's a probabilistic improvement: what's the probability that an enclave is breached 'right now' and contents being read
-
moneromooo
It cannot be an improvement since if that probability is 0%, you get "intel cannot spy", which is what monero has. And that does not remove "syncers cannot check".
-
luigi1111w
the spy thing isn't right
-
luigi1111w
intel can't see more than every monero node can now
-
UkoeHB
yeah ^
-
luigi1111w
syncers cannot check is potentially valid though
-
moneromooo
So reading the tx graph (point 1) is wrong ? Or did I misinterpret it ?
-
luigi1111w
I think basically point 3 above
-
UkoeHB
yeah I have a whole section on the 'validation framework, and beyond' in my last chapter - not release...
-
luigi1111w
moneromooo tx graph = what is public in monero right now
-
UkoeHB
in my view the tx graph includes all decoys
-
moneromooo
OK
-
moneromooo
So it boils down to preventing syncers from verifying, and instead having a proof it was checked by intel.
-
moneromooo
I guess it does become more and more interesting for large ring sizes.
-
moneromooo
Assuming this proof doesn't also grow superlinearly.
-
moneromooo
Why don't they keep the signatures, and let syncers choose whether they want to download/verify or not ?
-
UkoeHB
the proof is on a pub key owned by the enclave - the enclave signs validated block contents with that key
-
moneromooo
(which is what we do)
-
moneromooo
OK, if it's whole blocks, then it seems it must scale well.
-
UkoeHB
I don't think signature contents can be preserved without losing forward secrecy
-
UkoeHB
block contents*
-
gingeropolous
so who can run a validator node?
-
sethsimmons
Anyone with an SGX-capable CPU, in theory
-
sethsimmons
Not sure how you actually join consensus, though, and there is no monetary reward for validation.
-
sethsimmons
There are no docs for doing so ATM
-
sethsimmons
Just a support email to reach out to if you want to become a validator.
-
gingeropolous
oh gawd
-
sethsimmons
Only altruistic validators will join as there is no game-theoretic incentive to draw decentralization of validators.
-
knaccc
UkoeHB the SGX has an asymmetric keypair that is supposed to be unique to that particular CPU, right? so does Intel just provide an Intel-signed signature once as part of the chip manufacturing process, which then later you can use to check that the per-CPU secure enclave public key you're looking at is really from a "secure" intel chip? So there is a well-known intel public key published
-
knaccc
somewhere that we need to rely on not being compromised?
-
sethsimmons
Unless the foundation chooses to subsidize them directly or they collect fees (that isn't clear how fees are collected/used)
-
sethsimmons
Fees are currently quite high ($0.65 flat fee per TX, 0.01MOB), so fees could be substantial if they are split between validators somehow and not just burned.
-
gingeropolous
so you can sybil the validator network and print money?
-
sethsimmons
Idk, it isn't clear.
-
sethsimmons
I would doubt it, there is no mention of fees being collected by validators that I could find.
-
gingeropolous
heh, how's that sgx thing work with VMs?
-
gingeropolous
well no, if no one else except validators actually check the integrity of transactions .. I guess I just really don't understand the stellar consensus protocol
-
luigi1111w
it works, but attestation can be wonky
-
knaccc
if the per-CPU keypair is created using the same manufacturing technique that yubikeys use, then the pain threat is intel misusing/having a compromised signing key
-
knaccc
main* threat
-
knaccc
or maybe they just have a back-door that allows them to exfiltrate it
-
selsta
My largest obvious issue with mobilecoin is the insta-mined supply and the distribution. That has been quite intransparent (almost shady), but that is off topic for this channel.
-
luigi1111w
agreed
-
sethsimmons
<selsta "My largest obvious issue with mo"> Yeah, technically it makes some tradeoffs that could be OK for the specific use-case (even if I dislike the trust model).
-
sethsimmons
That's not the biggest issue at this point, but am definitely curious if any of their work could be helpful to Monero now or in the future, especially as a base/starting point for a Rust implementation.
-
UkoeHB
knaccc: there is a bit more to it than that
-
UkoeHB
because they want to blacklist compromised devices
-
knaccc
UkoeHB oh so you're supposed to connect to an intel site somewhere to find revocations? and how have devices become compromised?!
-
UkoeHB
idk if there exist compromised devices, but they want to blacklist them if they are discovered
-
UkoeHB
basically Intel will stop attesting to data provided by enclaves on compromised devices
-
UkoeHB
each new piece of data must get its own Intel signature
-
moneromooo
Is there a difference between "miner" and "validator" ?
-
UkoeHB
there are no miners - it was a premine
-
moneromooo
*all* premined ?
-
sethsimmons
100% baby
-
moneromooo
That can't be right...
-
sethsimmons
It is
-
UkoeHB
yes, stellar consensus protocol + mining = no one has done it afaik
-
moneromooo
Even bytecoin was 80%...
-
knaccc
UkoeHB whoaaaa, so you need to constantly talk to an intel server somewhere to get attestations every time you want to execute a different kind of code in the secure enclave of a particular cpu?!
-
sethsimmons
15% has been sold at least so far, but 100% was mined in the genesis block.
-
moneromooo
jesus... so it's an outright scam basically. I assumed the premine was a few percent or so.
-
sethsimmons
-
sethsimmons
Page 133
-
moneromooo
Stellar is also 100% premined ?
-
sethsimmons
Not sure
-
sethsimmons
I don't think so but its been years since I dug into them.
-
sethsimmons
Forgot they existed TBH
-
UkoeHB
knaccc: not quite, you just attest to a public key, then anyone can open a communication channel with the enclave
-
knaccc
UkoeHB oh ok, that's more reasonable, thanks for explaining. Btw am in awe of your paper-writing talents, as always :)
-
UkoeHB
hah thanks :) I think they are slowly getting better over the years
-
rupee[m]
<moneromooo "Stellar is also 100% premined ?"> stellar started with 100 billion lumens and there is 1% inflation
-
hyc
still can't believe anyone would look at anybody's proprietary security mechanisms as acceptable. for anything.
-
UkoeHB
rupee[m]: how do they mint new coins?
-
rupee[m]
I'm not that familiar with it actually, but from searching the web I found:
-
rupee[m]
"The Stellar distributed network has a built-in, fixed, nominal inflation mechanism. New lumens are added to the network at the rate of 1% each year. Each week, the protocol distributes these lumens to any account that gets over .05% of the “votes” from other accounts in the network."
-
rupee[m]
-
rupee[m]
"Basically every week, once you are setup to receive inflationary rewards, your account will be debited with XLM. Distribution of inflation and any fees used on the network is based on the voting power you possess, the number of votes is based on the number of Lumens, XLM, you own. The minimum amount you need to vote is 0.05% of all Lumens in existence which for most XLM owners will mean joining a pool which
-
rupee[m]
many will also charge you for the privilege e.g. 10% of any rewards earned."
-
UkoeHB
some kind of staking?
-
gingeropolous
yes, all non-mining protocols require a premine because mining is also a way to distribute coins afaict
-
gingeropolous
sry, scrollback.
-
hyc
self-perpetuating wealth. if you bought into the ICO, you keep earning coins in perpetuity
-
hyc
doesn't sound like it'd yield very broad distribution
-
gingeropolous
its just central banking 2.0
-
gingeropolous
if you control the money, you control the votes, and if you control the votes, you control the money. wcgw?
-
hyc
yeah
-
gingeropolous
what do they call it? byzantine agreement?
-
UkoeHB
scp uses the 'federated byzantine agreement model'
-
gingeropolous
aka the Central Banking Model. i wonder if the central banking model could actually be called that
-
UkoeHB
?
-
gingeropolous
I just wonder if you actually compared the two approaches, how similar they'd be
-
UkoeHB
quite different I imagine
-
gingeropolous
I dunno. The central banks decide and reach a consensus on what the money supply should be.
-
gingeropolous
but i guess mobilecoin doesn't think of itself as a money, just a payment platform ... ?
-
UkoeHB
mobilecoin has thoughts? has ai come that far? alternate universe?
-
hyc
mobilecoin was created to fund signal, didn't what's-his-face already state that explicitly? moxie or whoever?
-
rupee[m]
"I started MobileCoin to fund Signal. That’s it."
-
rupee[m]
-
rupee[m]
and "once the dust settles" MobileCoin intends to not own many coins
-
rupee[m]
that almost implies to me that the intention is for the transaction fees to go to either MobileCoin or Signal (in addition to the money they raise from selling the coins)
-
rupee[m]
wouldn't be a very sustained funding model if they stop bringing in revenue once all the coins are sold
-
rupee[m]
Who decides the transaction fee rate? I read it's 0.01 MOB right now but they are planning to reduce it
-
sethsimmons
Foundation I guess
-
sethsimmons
I would assume they either forgot to change it or didn't expect the pump to go so well
-
UkoeHB
someone opened a 200mill USD short position when the price was like $4 - didn't end well for them
-
selsta
UkoeHB: do you know why the circulating supply is not known? and mobilecoin also said they might will not share that info?
-
selsta
might not*
-
UkoeHB
can't say - contract
-
rupee[m]
I wonder if that "short position" was one of the founders just trying to lock in their gains in case the price crashed on announcement
-
rupee[m]
or to lock in profits despite having some sort of restrictions on their ability to sell their pre-sale coins
-
UkoeHB
well they lost all their collateral (probably 400-600mill +)
-
rupee[m]
why would someone bet so massively against it. seems more likely to me they were trying to lock in profit and then got caught without enough collateral to finance the hedge
-
UkoeHB
actually probably not that much - I think they just had to pay back interest, which was maybe 40-100mill usd max
-
midipoet
Why is Mobilecoin discussed in here?
-
midipoet
It's an ICO is it not?
-
midipoet
Does that discussion belong here?
-
rupee[m]
it's a new implementation of RingCT and other technology that monero uses (developed). Perhaps there are concepts we can learn from their code
-
sethsimmons
Started out discussing the technical approaches
-
sethsimmons
But devolved a bit
-
rupee[m]
Personally, I would like to see monero have view keys that reveal both incoming and outgoing transactions if it can be done in a way that doesn't damage the privacy of users in a meaningful way
-
rupee[m]
I suspect that will give MOB an advantage when trying to get listed on exchanges
-
UkoeHB
we tried to figure it out here:
monero-project/research-lab #58
-
midipoet
It's devolved quite a bit indeed, but I am not a moderator, so perhaps it's legit convo for MRL channel.
-
rupee[m]
no, thanks for getting the conversation back on track.
-
sarang
Outgoing view keys are tricky to do in a way that can't be gamed
-
sarang
It's straightforward as a convenience feature, but implies a certain level of trust in keyholders
-
moneromooo
I believe someone proposed a way. Named... Kingsomething. It was on github.
-
moneromooo
-
luigi1111w
ye
-
luigi1111w
but heavy