
Logs for the MRL Meeting Held on 2020-05-06

Posted by: asymptotically / Sarang

<sarang> All righty! Time for the weekly research meeting
<sarang> As always, we start with GREETINGS
<ArticMine> Hello
<UkoeHB_> hello
<atoc> hello
<sarang> Let's move on to ROUNDTABLE
<sarang> Any research of interest that people wish to share?
<sarang> I can share a few things, I suppose
<sarang> I worked up a PR to update how keys are encrypted in memory
<sarang> This has follow-on effects to how they're stored on disk, and I'm making some additional updates to improve the existing unit tests and add others
<sarang> and I'm finishing up a test implementation of Arcturus, the extension of Triptych that offers better proof sizes
<sarang> I'd like to determine exactly what the timing differences are, since initial estimates suggested that Arcturus and Triptych would be very close
<kenshamir[m]> Sorry if I've missed this; are there any comparisons for Arcturus, Triptych and CLSAG?
<sgp_> hi
<sarang> And kenshamir[m]: I have comparisons for CLSAG and Triptych, but this will add actual implementation data for Arcturus when finished
<kenshamir[m]> Oh right, very cool
<sarang> The size data is already known, FWIW
<sarang> But the Arcturus timing was always an estimate based on operation counts
<sarang> It's different enough in how it handles transactions that I'd like to know for sure
<kenshamir[m]> concretely?
<kenshamir[m]> Is there a link for it?
<sarang> The size/timing data?
<kenshamir[m]> Yeah, the size data
<sarang> Yeah, let me pull it up
<kenshamir[m]> Probably may not be that useful for Monero, but there's a new paper out on an endomorphism that lets you compute aG + bH faster in variable time
<sarang> Page 11: https://eprint.iacr.org/2020/312.pdf
<kenshamir[m]> Link: https://eprint.iacr.org/2020/454.pdf
<kenshamir[m]> Thanks
<sarang> Anyway, that's what I wanted to share
<sarang> Does anyone else have research of interest?
<UkoeHB_> what's the gist of your encryption update?
<sarang> The in-memory encryption of keys was being done with a chacha stream that was XORed with keys, instead of just encrypting the keys with chacha directly
<sarang> This PR makes this change
<sarang> The existing unit tests for wallet and key encryption also get some updates
<UkoeHB_> ah interesting
<sarang> It also transitions old encrypted keys to the new format, which needs better testing that I'm still working on
<sarang> Seems pretty quiet today!
<sarang> We could always end early if there isn't more that needs to be discussed…
<sgp_> I have nothing to add except to remind people that I still want coinbase outputs to be avoided entirely in non-coinbase-spend rings :p
<sarang> You mean the idea that a ring containing a coinbase output must have all coinbase outputs, right?
<sarang> sgp_: can you briefly recap your rationale, to ensure everyone is on the same page?
<sgp_> yes that idea
<sgp_> rationale is that no normal users spend coinbase outputs
<sgp_> even people who mine on mining pools never spend coinbase outputs
<sgp_> so the selection of these is markedly different from expected user spend behavior
<sarang> When I considered this earlier, I was concerned that it sort of kicks the can down the road one hop on the graph
<sgp_> separating these will increase the effective ringsize for most (>99%) users by 10-20%
<sgp_> sarang: it kicks the can down the road, but it's still MUCH better
<ArticMine> Interesting
<sarang> And that if a heuristic was "this coinbase probably isn't the true signer" previously, it would become "this output that came from a coinbase ring probably isn't the true signer" as a somewhat weaker heuristic
<sarang> Yeah, I think it's better but doesn't totally eliminate it
<sarang> If it were implemented, there would need to be a decision on what selection distribution to use, which should probably be based on a clear-chain analysis at minimum
<sgp_> it's still essentially one set of transactions separated (one ring signature? I'm struggling to explain this simply and also accurately)
<sarang> to see if it matches the overall distribution
<ArticMine> The idea is that an output from a mining pool is far more likely to be spent by a normal user
<sgp_> basically the real spend of the after-coinbase output would look the same as several transactions that select this output as the decoys
<sarang> Yeah
<sarang> Does my statement about the analysis for a distribution make sense?
<ArticMine> I agree it mitigates but doesn't completely eliminate the risk
<sgp_> but now this accounts for the behavior that the user could just be a miner on a mining pool, for example
<sgp_> which is vastly broader
<sarang> But it's true that right now, the spend patterns of coinbase vs non-coinbase are assumed to be the same by the selection algorithm
<sarang> It would be very interesting to see that distribution for coinbase-only
<sgp_> only solo miners can spend coinbase outputs. Miners on mining pools can also spend from-coinbase outputs
<sarang> right
<sgp_> so while it kicks the can down the road, in terms of practical behavior, it's a night and day improvement
<sarang> I'll ping Isthmus here, since his group has access to this sort of data for other chains
<sgp_> discussion on this idea has been mixed for years. I'd like to see this actually done
<sgp_> 10-20% better effective ringsizes just with smarter selection
<ArticMine> It is a significant mitigation of the issue. I don't see a clear downside to this.
<sgp_> downside is to people who are running private pools. They effectively need to "churn" once by not directly sending the coinbase outputs to people
<sgp_> I think this is a small tradeoff
<sarang> I think it's an improvement, provided it doesn't introduce unexpected or unintended consequences to the selection distribution, and is based on distribution data from known spends where reasonable (e.g. Bitcoin)
<zkao> hoi, can somebody evaluate how sound this ECDSA adaptor signature is? https://joinmarket.me/blog/blog/schnorrless-scriptless-scripts/ if these ECDSA adaptor signatures work, it looks like the atomic swap can be done using a scheme like the one suggested by andytoshi-sarang (equal discrete logs), mixed with the game theory from h4sh3d's proposal: all game theory on bitcoin script (forcing players to behave or
<sgp_> I agree with that caveat, though I want to add my own caveat that I don't see how it can be worse
<zkao> lose), and no need for monero refund. so it should work on monero today.
<sarang> zkao: I didn't invent that cross-group discrete log idea; it was andytoshi
<zkao> yes, i know, u proposed
<sarang> sgp_: if the coinbase-only selection distribution ends up being very different to the overall distribution, it would introduce a heuristic for coinbase true signers
<sarang> and for all we know, it could be a very different distribution in that miners/pools spend immediately or something
<sgp_> luckily then we can approach coinbase with its own algo
<sgp_> which we can't do now
<sarang> The non-coinbase distribution could be easily modified to simply redraw if it selects a coinbase
<sgp_> if these are actually very different spend patterns, then the potential for increased privacy is even greater
<sgp_> since we can treat them separately, not together
<sarang> The coinbase distribution would simply be some fixed selection distribution on block order, that doesn't need to do the shuffling method we do now
<sarang> sgp_: right
<sgp_> my gut suggests coinbase spends are faster on average
<sgp_> but Bitcoin data would be great for that ofc
<sarang> Right
<sarang> Hopefully someone like Isthmus's group can get that data, since they have easy access to the dataset AFAIK
<sgp_> I still support avoiding coinbase with the dumb method of re-selecting a coinbase is selected, though improvements can make that better. I see even this dumb model as an incremental improvement
<sgp_> *if a coinbase is selected
<sgp_> what I'm trying to say is that the data on Bitcoin should help make the decisions better, but that they aren't prerequisites to switch since it can't be worse than it already is in my eyes
<sarang> If there were no known distribution from Bitcoin etc., what selection for coinbase-only would you suggest?
<sarang> Reselect-on-coinbase seems fine for non-coinbase rings, but there still would need to be a particular selection distribution for coinbase-only rings
<sgp_> same as current probably? I agree that's not ideal
<sarang> Well, the current one takes block density into account, and that's not relevant for coinbase-only
<sgp_> keeping in mind most public pools publish this data openly anyway
<sgp_> so frankly the coinbase rings would be susceptible to lots of public data causing a high proportion of heuristically dead outputs
<sgp_> in the worst of cases I say ~90% of the hashrate accounted for by public pools sharing coinbase data, so ringsize 11 doesn't really help with that in the best of cases
<sgp_> *I saw ~90%
<sarang> Well, at that point you could _almost_ suggest removing the requirement for nontrivial rings in coinbase-only at all
<sarang> *altogether
<sarang> If the idea is that analysis could reveal true signers in a huge number of cases anyway
<sgp_> there's a push for pools to not share this data, but I agree that in the current case, coinbase rings should be considered to provide near-zero protection
<sgp_> really any coinbase spend. in the current situation, they're still heuristically dead, just spread across normal users' transactions
<sarang> Hmm, we're a bit over time
<sgp_> yeah we can end
<sarang> Let's move to ACTION ITEMS and then continue discussion
<sarang> I have some unit test updates to make for the key encryption PR, and hopefully can get Arcturus code working in C++ with the timing data that I want
<sarang> Any other updates, action items, etc. before we adjourn?
<sarang> If not, adjourned!
<sarang> Logs will be posted shortly

Post tags: Dev Diaries, Cryptography, Monero Research Lab
