
Logs for the MRL Meeting Held on 2020-06-10

Posted by: asymptotically / Sarang

<sarang> OK, nearly time to begin the meeting
<sarang> First, greetings!
<ArticMine> Hello
<sgp_> good day
<Isthmus> Heya
<sarang> I suppose we can move to the roundtable, where anyone is welcome to share research of interest
<sarang> Does anyone want to go first?
<sarang> If not, I can share a few things
<sarang> Teserakt has sent me a draft of their review of the CLSAG preprint
<monerobux> Test failed
<sarang> bad bot
<sarang> The draft report indicates they didn't find any major issues with the construction, but they had some comments and suggestions on the formalization that I'm working to update
<sarang> This shouldn't result in any changes to the code
<sarang> Separately from this, I started working on some output merging analysis on the Monero chain
<h4sh3d[m]> Hi
<sarang> I have preliminary data but am still checking it for a few questions I have
<sarang> I'll post a plot here, but note that it shouldn't be relied on until checked more thoroughly
<sarang> https://usercontent.irccloud-cdn.com/file/EHmFolZV/data_all.png
<sarang> An explanation…
<sarang> I look for "zero-hop" possible merges, where outputs from the same source transaction appear in separate rings in a later destination transaction, and filter only by post-CT confidential transactions
<sarang> Then, for each such possible merge, I look at the height difference of the source and destination transaction, and plot them here
<sarang> The x-axis represents block height difference, and the y-axis is fractional occurrence (note the log scale!)
<kiwi_87> Hi. What do you think about interoperability on Monero?
<sarang> kiwi_87: one sec
<Isthmus> 👀
<Isthmus> Very interesting
<sarang> https://usercontent.irccloud-cdn.com/file/UPSZyk6P/data_1k.png
<sarang> Here is the same data, but zoomed (and rescaled) to the low end of the x-axis
<sarang> Now, these are only possible merges; there's no good ground-truth data set on chain for post-CT confidential transactions
<atoc> hi
<sarang> So I'll run a simulation using the same input/output structure and the current decoy selection algorithm
<sarang> and see if/where the distributions diverge
<sarang> kiwi_87: what do you mean by interoperability
<sarang> Oh, and for this data… about 2.3% of post-CT confidential transactions contained at least one possible merge
<sarang> (this data shows all such possible merges, not just a unique one from each transaction)
<Isthmus> @sarang if you want to go deep into the Bayesian weeds, could calculate the probability (always positive, but varying in magnitude) that a pair(+) of these ring members would be selected together if sampled from the standard algo
<UkoeHB_> Isthmus: do you recall what proportion of transactions don't use the standard gamma distribution (roughly)?
<sarang> UkoeHB_: note that this is _all_ post-CT confidential transactions, regardless of likely selection method
<sarang> I did a filter for that but may have a minor indexing issue that threw off the data
<sarang> Isthmus: yeah, I considered that too (but didn't run the analysis)
<sarang> The distribution difference is intended to give a very rough idea of how non-ideal this distribution is
<ArticMine> The other question is ring size
<Isthmus> @UkoeHB_ as of Konferenco (last June) about 1% of transactions used an obviously uniform selection algorithm
<Isthmus> I haven't updated the analysis pipeline, so can't speak to recent months.
<UkoeHB_> ah if sarang is already filtering those out it's not a big deal
<sarang> I'm not at the moment
<sarang> This is all post-CT confidential transactions
<Isthmus> @sarang what are you coding this in? I have python code to strip those out
<sarang> This is Python as well
<sarang> If you can link the code that'd be great, or I can write something up
<sarang> But uniform selection seems very unlikely to cause the long tail
<sarang> Anyway, this is the start of analysis that I hope will be useful to inform safer output selection
<UkoeHB_> very cool thanks for your effort sarang 🙂
<sarang> Once I verify this indexing issue, I'll post both the analysis code and the data set
<Isthmus> https://www.irccloud.com/pastebin/BChX6gR9/
<sarang> I can't post _all_ the data (block, transaction, ring, …) since it's too big for GitHub
<kiwi_87> @sarang, I mean the interoperability, if it can be made between Monero and other chains, there would be more room for the adoption of XMR. I know about this from the fact that Bitcoin is entering the Ethereum network with an amount that's way larger than that on the layer 2 of Bitcoin. It helps BTC to join DeFi and increase the adoption for
<kiwi_87> such crypto. The same thing might happen with XMR, don't you think?
<sarang> But I can post the resulting possible merges, which are of reasonable size
<sarang> Thanks Isthmus
<Isthmus> https://usercontent.irccloud-cdn.com/file/fZgJlX2o/image.png
<sarang> kiwi_87: working between Monero and other chains is surprisingly tricky, and even more so if the goal is to maintain uniformity of transactions
<Isthmus> https://usercontent.irccloud-cdn.com/file/aQVzvAAq/image.png
<sarang> Isthmus: what are these plots?
<Isthmus> Let ring_member_ages be an array of ring member ages [0.5d, 0.7d, …]
<Isthmus> offset-corrected median age = median(ring_member_ages - min(ring_member_ages))
<Isthmus> The correct decoy algorithm produces OCMAs around 100 - 10000 blocks
<Isthmus> I used 370000 as a conservative "absurdity limit"
<sarang> Small sample => high variance, I assume?
<Isthmus> Could also have to do with the fact that the algo reacts to txn vol changes
<Isthmus> Anyhow, anything above 10^5 is suspect
<Isthmus> Red line is 370000 blocks
<Isthmus> Anything above that is absolutely not from the correct decoy algo
<sarang> Examining the distribution with that filter will be very interesting
<Isthmus> And generally, when I spot checked, they were due to an apparent uniform decoy selection algo
<sarang> I'd expect that it doesn't change much, but I like being proven wrong
<sarang> Any other speculation about the effects of these selections? (just curious)
<Isthmus> Hmm, I'm into the Bayesian analysis, which will tell us whether this is a novelty with 10% predictive power, or a damning tell with 95% predictive power
<sarang> Oh and Isthmus: what transactions does this account for? The whole chain?
<Isthmus> From introduction of RingCT until Konferenco
<sarang> Does it filter out non-CT transactions after the CT cutoff?
<sarang> These are low volume, but are still present
<sarang> and have very different selection of course
<Isthmus> I usually ignore non-RingCT since I'm more interested in optimizing current privacy than studying historical easter eggs
<sarang> yeah
<Isthmus> I'll have to work my way back in the analysis pipeline to check
<sarang> I also filtered these in the plots above
<Isthmus> Sorry, by "ignore" RingCT, I mean "exclude them from my data set before analyzing"
<sarang> roger
<Isthmus> s/RingCT/non-RingCT
<monerobux> Isthmus meant to say: Sorry, by "ignore" non-RingCT, I mean "exclude them from my data set before analyzing"
<sarang> Oh, and I might have mentioned this last week (don't recall), but I'm still working with those CMU student researchers to confirm some updated deducibility analysis
<sarang> They plan to revise their preprint once again
<sarang> This is especially good given that their "30% traceable" (or whatever it was) conclusion relating to spend age heuristics is incorrect
<kiwi_87> @sarang. Yeah I know it's the hardest part. Actually our research at the Incognito project is currently in this direction.
<kiwi_87> We have the idea of building a privacy chain learning the technology from Monero, thus allowing a high level of privacy for the chain.
<kiwi_87> Then build a Portal connecting to Monero with a group of decentralized custodians holding & releasing XMR when users go into & out of the layer 2. The same design can be applied to BTC, which brings XMR & BTC to the same privacy layer.
<kiwi_87> What do you guys all think?
<sarang> This might be a better conversation for after the meeting kiwi_87 if it primarily concerns research for another project
<sarang> Unless the group disagrees
<moneromooo> Not this silent part of the group.
<sarang> Were there any other questions on the deducibility or output merging data?
<sarang> If not, does anyone else wish to present research of interest for this group?
<Isthmus> @kiwi_87 cool, I like seeing these types of projects. 👍
<h4sh3d[m]> I can give some updates about the swap
<sarang> Please do
<sarang> (this may be relevant to you kiwi_87)
<h4sh3d[m]> I started working on it, I plan to have an updated version of the paper next week
<h4sh3d[m]> So, the idea is still the same as before
<kiwi_87> @sarang yeah sure. I'll talk more about what we're doing in the after-meeting time. However, I think interoperability on XMR could be a very bright way to increase Monero adoption. Would love to talk to other researchers who are also diving in the same direction
<h4sh3d[m]> split the monero spending key in two halves, and "sell" one half or the other on the bitcoin chain depending on whether the swap succeeds or not
<sarang> via multisig, I assume
<sarang> "You get the even bytes, and I keep the odd bytes!"
<h4sh3d[m]> Yes, kind of. Before there was the generic zkp for the hash preimage
<kiwi_87> @Isthmus sure. Would love to share more in the after-meeting time. Now let's make the convo laser-focused on Monero
<sarang> h4sh3d[m]: but you're replacing with a cross-group DL equivalence proof via side channel, correct?
<kiwi_87> @h4sh3d[m] would love to hear about this. Really want to know what's going on there with the cryptography challenge. Please update us 😀
<h4sh3d[m]> Now, by combining dl equality across groups + ECDSA one-time VES, we should be able to achieve the same
<h4sh3d[m]> ECDSA one-time VES: https://github.com/LLFourn/one-time-VES/blob/master/main.pdf
<h4sh3d[m]> (it's an ECDSA "adaptor signature")
<sarang> Remind me: does this approach assume/require any particular timelock capability on the Monero side?
<sarang> If so, to what extent?
<h4sh3d[m]> No, nothing is required on the Monero side, that's the cool part
<sarang> OK, thanks
<sarang> Monero supports a very simple timelock of course
<sarang> but it's a bit inconsistent at the moment, and apparently rarely used
<sarang> so if it were required, this could present a uniformity issue
<h4sh3d[m]> We create an address where Spend = Spend_alice + Spend_bob (same for view)
<Spend, View> corresponding address
<sarang> Does the address protocol have issues with key cancellation?
<h4sh3d[m]> Each participant has his own half, and one gets the second
<sarang> Or is there precommitment to address components?
<h4sh3d[m]> Not sure if I understand what you mean by key cancellation
<sarang> If you hand me part of a key, maybe I maliciously generate my own "key" such that the sum is any value I want
<h4sh3d[m]> Ah yes, I thought about that
<sarang> If this is problematic, we can each commit to our key components first, and then check that the keys received match the commitments
<sarang> it ensures that neither party changes their mind
<sarang> Adds a communication round
<sarang> There are other methods involving random-oracle linear combinations too, depending on what you need
<h4sh3d[m]> I thought about the commit, but that also means you don't know your correct "half" (only the destination priv/pub), and without the priv half, you aren't able to continue the protocol
<sarang> But sorry, I'm digressing here
<>other cryptos, we'll need more atomic swap designs and Portal designs connecting layer 2 and the Monero chain
<h4sh3d[m]> No, it's a good one
<sarang> kiwi_87: let's discuss after the meeting
<sarang> h4sh3d[m]: okay, as long as it's either not necessary or taken care of via a communication round, I suppose
<sarang> But definitely worth a close eye after the paper is updated
<h4sh3d[m]> when we get the address, and the initialization phase is done (with zkp dl equality e.g.), one sends Monero into it
<kiwi_87> @sarang sure
<h4sh3d[m]> at the end, Alice or Bob will learn the full private spend key = priv_spend_alice + priv_spend_bob
<h4sh3d[m]> So no, nothing fancy required on the Monero side
<atoc> nice
<h4sh3d[m]> You'll import the full keys in your wallet and do a regular transaction
<sarang> Definitely look forward to seeing the updated paper h4sh3d[m]!
<atoc> same
<h4sh3d[m]> (keys that are generated without a seed and a derivation function, so the wallet must support "raw" keys)
<h4sh3d[m]> Right now, I'm into the one-time VES paper, and your MRL-0010 one
<sarang> got it
<h4sh3d[m]> * I'm done, thanks for your inputs
<sarang> I'd update MRL-0010 to specify that the Pedersen generators need an unknown DL relationship
<sarang> Apparently that wasn't listed specifically, but is generally true for Pedersen commitment security
<sarang> In the interest of time, were there any other research topics that need to be presented before the hour is up?
<Isthmus> Quick update: I'm really glad to share that we're officially beginning our audit of monero's security and privacy mechanisms against algorithms that could be exploited by hypothetical quantum adversaries. Thanks to everybody who contributed feedback or funds to our CCS 🙏
<Isthmus> The first step is formalizing our adversary model and enumerating mechanisms of interest.
<Isthmus> Right now the attack surface list looks like {Ring Signatures, RingCT, One-time "Stealth" Addresses, Pubkey derivation, Forge amounts?, Bulletproofs, RandomX proof-of-work, Block / Transaction hashing}.
<Isthmus> Please suggest other pieces that you'd like to see audited. :- )
<Isthmus> Earlier I was looking at the wallet generation schematic shared to Reddit, and it has me thinking about visual ways to communicate results. https://www.reddit.com/r/Monero/comments/gy0m1u/i_made_an_infographic_on_how_a_monero_wallet_is/
<monerobux> [REDDIT] I made an infographic on how a Monero wallet is generated. Can you find any errors? (https://i.redd.it/tv98m10mbd351.png) to r/Monero | 163 points (100.0%) | 18 comments | Posted by Krakataua314 | Created at 2020-06-06 - 22:42:54
<Isthmus> https://i.redd.it/tv98m10mbd351.png
<Isthmus> For example, the ed25519 scalarmult (used for private view key → public view key) is a one-way function for traditional computers (assuming hardness of the discrete log problem) but can be reversed if you can apply Shor's algorithm.
<Isthmus> So perhaps this could be visually annotated with a directional arrow for traditional adversaries and a bidirectional arrow for hypothetical quantum adversaries. Would that be an intuitive approach?
<sarang> I like that idea
<sarang> that's very clever
<sarang> Can you remind us of the expected timeline Isthmus?
<Isthmus> Will be working on this full time for the next 3 months
<sarang> (with the understanding that research often takes unexpected twists)
<Isthmus> Phase 1 should be quick
<sarang> The scope was changed to focus less on deliverable code, right?
<sarang> And more on robust understanding, possible mitigations and related work, and communication?
<Isthmus> Just setting the stage for our object of study and attacker, hoping to have a first "final draft" of that done by the next MRL meeting
<sarang> Oh nice
<Isthmus> Yep
<sarang> That'll be great to see
<Isthmus> And then working systematically through the cross sections
<Isthmus> (table where each column is a quantum adversary and each row is a piece of Monero tech)
<Isthmus> My guess is that we'll be able to fill 80% of the squares in 20% of the time
<Isthmus> And then 20% of the squares will take 80% of the time
<sarang> Do you expect that the final results will be suitable for broader distribution? Like to journals, refereed conferences, or simply the IACR archive?
<Isthmus> Throughout this entire project, the community will receive updates via the weekly #monero-research-lab meetings. During phase 3 however, several specific documents (the key deliverables from this research) will be freely published
<Isthmus> 1. User-friendly writeup: This community-facing writeup will provide an approachable explanation of how hypothetical quantum computers may impact Monero, and possible future mitigations. The writeup should minimize FUD and provide the context that these vulnerabilities apply to almost all cryptocurrencies (not only Monero).
<Isthmus> 2. Technical documentation: An MRL position paper to distill key information for (current and future) researchers and developers. The writeup should formally describe vulnerabilities, and highlight potential strategies and solutions, noting their tradeoffs. Code snippets may be included if appropriate for pedagogical purposes or clarity.
<Isthmus> 3. Non-technical 1-pager: An ELI5 / TL;DR summary will be provided for journalists, Monero Outreach, etc. This blurb will discuss risks and myths with no technical jargon, with key takeaways that a broad audience will appreciate.
<Isthmus> (Results and updates will also be disseminated via Twitter threads, Reddit posts, and Breaking Monero videos.)
<Isthmus> And yea, hopefully we can get a paper or two out of this
<Isthmus> Much of the research will be broadly applicable
<sarang> Great!
<atoc> Nice
<sarang> Getting a better sense of research trends in this direction, even if not currently applicable, will be intriguing to see
<sarang> e.g. there are plenty of ideas for post-quantum constructions, but there are often huge limitations in efficiency that render them unusable
<atoc> btw Isthmus, this may be off topic but can you talk a little more about the Insight program?
<sarang> OK, we're nearly out of time
<sarang> atoc: perhaps for right after the meeting?
<atoc> yes
<sarang> Are there any other final questions or comments about these research topics before adjourning?
<sarang> If not, thanks to everyone for attending and participating!

Post tags: Dev Diaries, Cryptography, Monero Research Lab
