Logs for the MRL Assembly Held on 2020-06-24
June 24, 2020
<sarang> First, GREETINGS
<sarang> All proper, on to ROUNDTABLE, the place anybody is welcome to share analysis of curiosity
<sarang> Who want to go first?
<Isthmus> Replace on quantum audit, right here is our preliminary evaluation present vulnerabilities. (Outcomes topic to vary as analysis progresses!)
<Isthmus> It is form of a blended bag, tbh.
<sarang> To be anticipated, I suppose
<sarang> There are numerous elements of curiosity
<Isthmus> Our reliance on DLP is the most important weak spot proper, as anticipated
<Isthmus> That is all on that, any Q’s?
<sarang> By “ring signatures” I assume you imply a quantum adversary figuring out signing indices by way of key photos?
<Isthmus> Yea (or by way of any mechanism)
<Isthmus> Oh, one factor that we began questioning about
<Isthmus> If you happen to’re making a multisig transactions and one of many signers has a quantum laptop, can they achieve any additional details about their co-signers
<sarang> Effectively, you possibly can simply derive the entire non-public key
<sarang> if that is what you imply
<Isthmus> Yea. I would like to sit down down with ZtM2 to determine what’s handed round, and what needs to be unknown, simply crossed my thoughts yesterdy
<sarang> That is level
<sarang> I do not assume anybody had particularly talked about the multisig course of through the planning levels of your evaluation
<Isthmus> Yea, we simply added it. Will in all probability notice 1 or 2 extra features to test all through the following few weeks
<Isthmus> Maintain dropping us your concepts :- )
<sarang> Are there explicit assumptions made about whether or not or not the adversary has a public key already?
<sarang> e.g. the adversary suspects a selected tackle as a vacation spot
<Isthmus> I am assuming that the adversary is a co-signer on the multisig transaction. They’d know the general public key with or and not using a quantum laptop, proper?
<Isthmus> [erm, well we can consider the adversary both ways, this is just what I had been wondering about yesterday]
<sarang> I imply basically, sorry
<sarang> Not particular to multisig
<Isthmus> Ah yea, quantum laptop together with your public key and quantum laptop with out your public key are two adversary fashions which can be thought-about individually.
<Isthmus> Although TBH the primary one is fairly (sadly) straightforward
<Isthmus> Public key –> [shor’s algorithm] –> non-public key –> init pockets –> sport over
<sgp_> sorry I am late
<sarang> And never even “your” public key
<sarang> However simply a given transcation on chain
<sarang> If the adversary’s purpose is to determine as a lot as attainable about keys, addresses, and so on.
<sarang> Sending pockets tackle, receiving pockets tackle, and so on.
<Isthmus> Yea, if an outdoor observer plucks a transaction at random from the blockchain, with no additional data, what can they confirm about 1) the sender, 2) the transaction, 3) the recipient
<sarang> Proper. After which what can they be taught if they’ve an thought of attainable addresses
<sarang> I assume that there’s (or might be) a extra particular write-up with particulars on what pertains to this chart?
<UkoeHB_> Earlier I argued you may brute pressure output quantities if the DLP is damaged (assuming recipient tackle is unknown), nevertheless I will retract that. Output quantities are information-theoretically safe.
17:23:44 * Isthmus makes a observe
<Isthmus> Yeah, it will all be within the analysis writeup, and extra intuitive components might be included within the common viewers writeup
<sarang> The rest to contemplate about your evaluation at this level Isthmus?
<Isthmus> We had been fascinated with some medium articles all through, only for good measure
<Isthmus> Nope, that is all on the quantum finish for now
<sarang> OK nice!
<Isthmus> I began happening a rabbit gap of subliminal channels this morning, however will save these ideas for later
<sarang> Did anybody else want to current analysis of curiosity?
<UkoeHB_> This implies even when each DLP and hash preimage are damaged, there shouldn’t be a solution to extract the recipient’s tackle from an output.
<Isthmus> That is an enormous reduction, or else we might recursively apply Shor’s algorithm and transfer ahead by the transaction tree breaking everyone’s wallets
<sarang> I will share just a few issues
<sarang> This is a time-windowed CDF of spend age: https://usercontent.irccloud-cdn.com/file/5EccXpmE/cdf_window.png
<sarang> Nonetheless tracks the gamma distribution fairly nicely, however there are variations over time (pre-CT)
<sarang> Associated to this, I posted my tracing code: https://github.com/SarangNoether/skunkworks/tree/tracing
<sarang> It now helps iterative updates, which can be helpful
<sarang> Unrelated to this, I am nonetheless working with the CLSAG auditors
<sarang> I rewrote the proof for Theorem 1 that relates unforgeability to non-slanderability, and it now addresses the auditors’ options
<sarang> There are a bunch of different non-security-related updates to it
<sarang> and I am now within the strategy of overhauling the linkability anonymity proof to make use of a greater hardness assumption and methodology, which is a tedious course of
<sarang> however I feel that can tackle their feedback and be a stronger consequence
<sarang> The auditors’ conclusion is that the development appears safe, and that the safety mannequin appears acceptable to the use case
<sarang> This was the general purpose of the audit; options regarding presentation, formality, and so on. are very helpful for later submission, however do not seem security-related
<UkoeHB_> Sounds just like the audit is shifting alongside nicely
<sarang> It’s! The code evaluate portion has not begun but, however there aren’t any adjustments in code to be made on account of the preprint audit at this level
<sarang> Any questions on these analysis matters?
<sarang> OK, did anybody else have something to share earlier than we transfer on?
<sarang> If not, we are able to transfer on to ACTION ITEMS for the approaching week
<sarang> I might be ending up this linkable anonymity overhaul and incorporating it into the preprint, which can full the updates wanted for the auditors
<sarang> As soon as that is executed, I will get the preprint in a submittable state
<sarang> Anybody else?
<sgp_> I will be opening a GitHub situation for segregating coinbase outputs into coinbase-only rings
<sarang> It is a good time to debate this, with an upcoming community improve for CLSAG in some unspecified time in the future
<sgp_> yeah I feel so too
<sarang> particularly given the spend-age knowledge
<sarang> I might nonetheless like to see the corresponding knowledge for bitcoin
<sarang> however I haven’t got that dataset
<sarang> all of the Monero knowledge is essentially pre-CT due to deducibility
<sarang> and any post-CT deducible knowledge spends previous funds and is subsequently principally ineffective for these sorts of distributions
<sgp_> I have been fairly clear that I feel this BTC knowledge could be good however is not essential to make this alteration
<sarang> OK, anything earlier than we adjourn?
<UkoeHB_> Isthmus I’ve to stroll again my walkback (sorry for the interruption sarang). You may positively brute pressure it if the DLP and hash preimage are damaged. Info-theoretic safety means nothing within the face of brute forcing all prospects (64 bits price). You’d 1) get the DLP of generator H and the dedication C, 2) decide an quantity, 3) compute the attainable derivation to scalar, 4) get its hash preimage,
<UkoeHB_> 4a) use the important thing sequence of bits from the preimage to check the encoded quantity and solely proceed if it matches the guessed quantity (most unlikely to match if the guessed quantity is not right) 5) use the important thing sequence of bits from the preimage to compute the one time tackle derivation to scalar, 6) subtract it from the one time tackle non-public key to get the nominal non-public spend key, 7) get the DLP of the
<UkoeHB_> preimage key with respect to the tx pub key to get the nominal non-public view key, 8) check if the spend key can produce the view key immediately (regular tackle) or if any cheap sub tackle index can be utilized to extract a spend key that produces the view key, 9) repeat 2-Eight till you get a match (step 4a will in all probability catch most mistaken guesses). Let’s blame this mishap on a stray synapse.
<sarang> IIRC preimage on keccak is one thing like O(2^100) or so
<sarang> however I might should test on that
<Isthmus> Unrelated: Does ZtM2 discuss variable sorts or simply math? Making an attempt to determine if charges are uint64 or what
<UkoeHB_> They’re varints, which I point out in part 6.Three footnote iirc
<Isthmus> Ah, good. Thanks!
<sarang> Righto, let’s go forward and adjourn because it’s now 18:00 UTC
<sarang> Because of everybody for collaborating!
Submit tags : Dev Diaries, Cryptography, Monero Analysis Lab